
Theorem 7.13 Let $p$ be prime. Then the group $U(p)$ is cyclic.

What about the converse? It can be shown that the following is true (but I will not do so here):

Theorem 7.14 Let $n$ be a positive integer which is not a prime number. Suppose that $U(n)$ is a cyclic group (that is, there exists a primitive root of $n$). Then $n=p^a$ or $n=2p^a$ for some odd prime $p$ and integer $a>1$, or $n=4$. Conversely, for these values of $n$, the group $U(n)$ is cyclic.

One can go on and determine the structure of the abelian group $U(n)$ for every positive integer $n$.

Carmichael's lambda-function $\lambda(n)$ is defined to be the largest order of any element of $U(n)$. So we have $\lambda(n)=\varphi(n)$ if and only if $U(n)$ is cyclic. This function has applications in cryptography, but we do not discuss it further here.

7.7 Appendix: Cryptography

Let $g$ be a primitive root of $p$. Then, for any non-zero element $h$ of $\mathbb{Z}_p$, there is an exponent $m$ in the range $0\le m\le p-2$ such that $g^m=h$. However, finding $m$ is difficult, especially for large primes. If I asked you to find the number $m$ such that $2^m\equiv 6 \bmod 11$, you would probably have to resort to calculating powers of 2 mod 11 until 6 occurs.

This problem is known as the discrete logarithm problem, since we are in essence finding the logarithm of $h$ to base $g$ in the finite field $\mathbb{Z}_p$. Its difficulty is the basis for some of the earliest public-key cryptosystems, such as Diffie–Hellman key exchange and the El-Gamal cryptosystem. I will briefly describe the former of these.

Alice and Bob, who have never met, need to exchange a secret message. If they both possessed some random information which nobody else knew, they could use this as a key to encrypt and decrypt the message (for example, using a one-time pad). But they can only communicate over an insecure line, and if Alice sent Bob the key, then all the world would know it.

So they choose a (large) prime $p$ and a primitive root $g$ of $p$, and share these – so everyone knows $p$ and $g$. Then

• Alice chooses a random number $a$ in the range $0\le a\le p-2$, calculates $g^a \bmod p$, and sends this to Bob.

• Bob chooses a random number $b$ in the range $0\le b\le p-2$, calculates $g^b \bmod p$, and sends this to Alice.

76 CHAPTER 7. EULER’S TOTIENT FUNCTION

• Then both Alice and Bob can compute $(g^a)^b=(g^b)^a$; they use this as their secret key.

Any interceptor is faced with the job of calculating $g^{ab}$ from $g^a$ and $g^b$. The obvious approach (and nothing better has been found) is to solve the discrete logarithm problem to find, for example, $a$ from $g^a$, and then do Alice's calculation $(g^b)^a$.

Thus it is the difficulty of the discrete logarithm problem that keeps the secret secure!
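As an added example (not from the notes), here is the exchange just described in Python, run with the toy prime $p=11$ and primitive root $g=2$ from the discrete-logarithm example above, together with the "compute powers until $h$ occurs" method an interceptor would need; all function names are this example's own.

```python
# Added example, not from the notes: Diffie-Hellman over Z_p with a toy prime,
# and the brute-force discrete logarithm an interceptor would have to solve.
# Function names are this example's own.
import secrets


def is_primitive_root(g, p):
    """g is a primitive root of the prime p iff g^0, ..., g^(p-2) mod p are distinct."""
    return len({pow(g, k, p) for k in range(p - 1)}) == p - 1


def dh_exchange(p, g, a=None, b=None):
    """Run the exchange from the notes; a and b default to random exponents in 0..p-2.
    Returns (Alice's message g^a, Bob's message g^b, Alice's key, Bob's key)."""
    assert is_primitive_root(g, p)
    if a is None:
        a = secrets.randbelow(p - 1)      # 0 <= a <= p-2
    if b is None:
        b = secrets.randbelow(p - 1)      # 0 <= b <= p-2
    msg_a = pow(g, a, p)                  # Alice -> Bob: g^a mod p
    msg_b = pow(g, b, p)                  # Bob -> Alice: g^b mod p
    key_alice = pow(msg_b, a, p)          # (g^b)^a mod p
    key_bob = pow(msg_a, b, p)            # (g^a)^b mod p
    return msg_a, msg_b, key_alice, key_bob


def discrete_log(g, h, p):
    """Smallest m with g^m = h mod p, found by computing successive powers of g
    until h occurs, as the notes suggest. The work grows linearly with p, which
    is why this is hopeless for the large primes used in practice."""
    x = 1
    for m in range(p - 1):
        if x == h % p:
            return m
        x = x * g % p
    raise ValueError("h is not a power of g mod p")


def interceptor_key(p, g, msg_a, msg_b):
    """The interceptor's job from the notes: recover a from g^a, then do Alice's
    calculation (g^b)^a. Only feasible here because p is tiny."""
    a = discrete_log(g, msg_a, p)
    return pow(msg_b, a, p)


if __name__ == "__main__":
    print(discrete_log(2, 6, 11))         # 9, since 2^9 = 512 = 46*11 + 6
    msg_a, msg_b, k1, k2 = dh_exchange(11, 2)
    assert k1 == k2 == interceptor_key(11, 2, msg_a, msg_b)
```

Replacing 11 by a prime of a few hundred digits leaves `dh_exchange` instant (modular exponentiation) while `discrete_log` would never finish, which is the whole point of the construction.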

Exercises

7.1 (a) Show that $\varphi(n)$ is even if $n>2$.

(b) Find all integers $n$ satisfying $\varphi(n)=4$.

(c) For any positive integer $d$, show that there are only finitely many integers $n$ satisfying $\varphi(n)=d$.

7.2 (a) How many primitive roots of 17 are there? (b) Find them all.

Chapter 8

Quadratic residues and non-residues

Let $p$ be an odd prime. In this section we are going to show how to decide whether the congruence

$x^2\equiv a \bmod p$

has integer solutions, for any integer $a$ not divisible by $p$.

8.1 Definition and basic properties

First, a definition: we say that $a$ is a quadratic residue mod $p$ if this congruence has a solution, and a quadratic non-residue mod $p$ if it does not. Clearly, if $a\equiv b \bmod p$, then $a$ is a quadratic residue mod $p$ if and only if $b$ is a quadratic residue mod $p$; so we may (and often will) restrict our attention to $a=1,\dots,p-1$.

Example Let $p=7$. The squares mod 7 are

$1^2=1,\ 2^2=4,\ 3^2=2,\ 4^2=2,\ 5^2=4,\ 6^2=1$;

so 1, 2, 4 are quadratic residues and 3, 5, 6 are non-residues.

Proposition 8.1 Of the $p-1$ numbers $1,2,\dots,p-1$, half of them are quadratic residues and half are quadratic non-residues.

Proof Let $g$ be a primitive root of $p$. (Recall that this means that $g$ has order $p-1$ mod $p$.) Then the $p-1$ numbers $g^0,g^1,\dots,g^{p-2}$ are all distinct, and so must be congruent to $1,2,\dots,p-1$ in some order. We claim that $g^i$ is a quadratic residue if and only if $i$ is even. The result obviously follows.

If $i$ is even, say $i=2j$, then $g^i\equiv(g^j)^2$ is a quadratic residue.

Conversely, suppose that $a=g^i$ is a quadratic residue, say $a=b^2$. Let $b\equiv g^j$. Then $g^i=g^{2j}$, so $i\equiv 2j \bmod p-1$. But $p-1$ and $2j$ are even; so $i$ must also be even.

We learn something very important from the proof:

Proposition 8.2 Let g be a primitive root of the odd prime p. Let a be an integer not divisible by p. Then a is a quadratic residue if and only if it is an even power of g, and is a quadratic non-residue if and only if it is an odd power of g.

However, this is not a practical method. For both finding a primitive root $g$ of $p$, and expressing an arbitrary element of $\mathbb{Z}_p$ as a power of $g$, are hard problems.

The second of these problems is the discrete logarithm problem, which we met in the last chapter in connection with cryptography; it is the difficulty of this problem which keeps information secure!

Example For $p=7$, it can be checked that 3 is a primitive root. The powers of 3 mod 7 are

$3^0=1,\ 3^1=3,\ 3^2=2,\ 3^3=6,\ 3^4=4,\ 3^5=5$.

The even powers of 3 are thus 1, 2, 4, agreeing with what we found earlier.
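As an added example (not from the notes), the following Python computes the quadratic residues mod an odd prime both ways, by squaring as in the definition and as the even powers of a primitive root as in Proposition 8.2, checks Proposition 8.1's half-and-half count, and carries out the square-root construction hidden in the proof; it works for any odd prime, not just $p=7$, and the function names are this example's own.

```python
# Added example, not from the notes: quadratic residues mod an odd prime p
# computed two ways, by squaring (the definition) and as the even powers of a
# primitive root (Proposition 8.2), plus the square root the proof of
# Proposition 8.1 constructs. Function names are this example's own.

def is_primitive_root(g, p):
    """g has order p-1 mod p iff g^0, ..., g^(p-2) mod p are all distinct."""
    return len({pow(g, k, p) for k in range(p - 1)}) == p - 1

def find_primitive_root(p):
    """Smallest primitive root of the odd prime p (one exists by Theorem 7.13)."""
    return next(g for g in range(2, p) if is_primitive_root(g, p))

def residues_by_squares(p):
    """Quadratic residues mod p straight from the definition: {b^2 mod p}."""
    return {pow(b, 2, p) for b in range(1, p)}

def residues_by_powers(p, g):
    """Quadratic residues mod p as the even powers g^0, g^2, ..., g^(p-3)."""
    return {pow(g, i, p) for i in range(0, p - 1, 2)}

def classify(p, g=None):
    """Split 1..p-1 into (residues, non-residues), checking both propositions."""
    g = find_primitive_root(p) if g is None else g
    qr = residues_by_squares(p)
    assert qr == residues_by_powers(p, g)             # Proposition 8.2
    non = set(range(1, p)) - qr
    assert len(qr) == len(non) == (p - 1) // 2         # Proposition 8.1
    return sorted(qr), sorted(non)

def sqrt_mod_p(a, p, g=None):
    """Write a = g^i by stepping through the powers of g. If i = 2j then
    a = (g^j)^2, so g^j is returned; if i is odd, a is a non-residue (None)."""
    g = find_primitive_root(p) if g is None else g
    x = 1
    for i in range(p - 1):
        if x == a % p:
            return pow(g, i // 2, p) if i % 2 == 0 else None
        x = x * g % p
    raise ValueError("a must not be divisible by p")

if __name__ == "__main__":
    print(classify(7, 3))          # ([1, 2, 4], [3, 5, 6]), as in the notes
    print(sqrt_mod_p(2, 7, 3))     # 3, since 3^2 = 9 = 2 mod 7
```

Note that `sqrt_mod_p` steps through the powers of $g$ one by one, i.e. it solves the discrete logarithm problem by brute force, which is exactly why the notes call this method impractical for large $p$.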
