# Primitive roots of prime moduli

In this post we show that if $m$ is prime, then there exists a primitive root modulo $m$. It follows that there exist $\phi(m-1)$ primitive roots modulo $m$ where $\phi$ is Euler’s phi function.

For a basic discussion of the notion of primitive roots, see Defining Primitive Root. A basic discussion of the phi function is found in the post Euler’s phi function, part 1 and in the post Euler’s phi function, part 2.

In modular arithmetic, not all moduli have primitive roots. For example, for the modulus $m=8$, the least residues that are relatively prime are $a=1,3,5,7$. Thus $\phi(8)=4$. For each one of these values of $a$, $a^2 \equiv 1 \ (\text{mod} \ 8)$. Thus every one of them has order $2 < \phi(8)$. Thus there are no primitive roots modulo $m=8$. We prove the following results.

Theorem 1

Let $p$ be a prime number. Then there exists a primitive root modulo $p$.

$\text{ }$

Theorem 2

Let $p$ be a prime number. Then there are exactly $\phi(m-1)$ many primitive roots modulo $m$.

$\text{ }$

Theorem 1 is the main theorem in this post. Theorem 2 follows from Theorem 1 and from a result proved in a previous post. The previous result is that if there exists a primitive root modulo $m$ (not necessarily prime), then there exist exactly $\phi(\phi(m))$ many primitive roots modulo $m$ (see Theorem 6 and Corollary 7 in Defining Primitive Root). Since Theorem 1 provides the existence of a primitive root, Theorem 2 follows from Theorem 1 and from the previous result and from the fact that $\phi(p)=p-1$ for any prime number.

___________________________________________________________________________________________________________________

Proving the Main Theorem

Our proof of the existence of a primitive root of any prime modulus uses only elementary techniques. Most of the results we need are developed here in this post. The first result is proved in a previous post (see Theorem 4 in Defining Primitive Root).

Lemma 3

Let $a$ be an integer with $0 \le a \le m-1$ such that $a$ is relaively prime to the modulus $m$. Let $k$ be the order of $a$ modulo $m$. Then the following two conditions are equivalent for any positive integer $n$.

1. The congruence condition $a^n \equiv 1 \ (\text{mod} \ m)$ holds.
2. The number $k$ is a divisor of $n$.

The second result is that of polynomial congruence. Let $f(x)$ be a polynomial with integer coefficients. In the next lemma, we are interested in solving the polynomial congruence equation $f(x) \equiv 0 \ (\text{mod} \ m)$.

Lemma 4

Let $m$ be a prime number. Let $f(x)$ be a polynomial of degree $n$. Then the equation

$f(x) \equiv 0 \ (\text{mod} \ m) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

$\text{ }$

has at most $n$ solutions.

Proof of Lemma 4

Suppose $f(x)=a_n x^n +a_{n-1} x^{n-1} + \cdots+a_2 x^2+a_1 x + a_0$ where $a_n \not \equiv 0 \ (\text{mod} \ m)$. We prove the lemma by induction on the degree $n$.

Suppose $n=1$. We have $f(x)=a_1 x +a_0 \equiv 0 \ (\text{mod} \ m)$. Since $m$ is prime and $a_1 \not \equiv 0 \ (\text{mod} \ m)$, the coefficient $a_1$ must be relatively prime to $m$. Then the congruence equation $a_1 x +a_0 \equiv 0 \ (\text{mod} \ m)$ has exactly one solution. The number of solutions of a linear congruence is the same as the greatest common divisor of the coefficient of $x$ and the modulus $m$ (see Theorem 2 in the post Solving Linear Congruences).

Suppose the lemma is true for polynomials of degree $n-1$. Consider two cases – either equation (1) has no solution or equation (1) has a solution. If the first case is true, then the conclusion of the lemma is true.

Suppose the second case is true. Suppose $b$ is a solution to equation (1). It follows that $f(b) \equiv 0 \ (\text{mod} \ m)$ and that $b$ is a least residue modulo $m$.

Our next goal is to factor the polynomial $f(x)$ into a product of a first degree polynomial and a polynomial of degree $n-1$. To this end, note that $x-b$ is a factor of $x^w-b^w$ for $w=1,2,3,\cdots,n$. We have the following derivation

\displaystyle \begin{aligned} f(x)&\equiv f(x)-f(b) \\&\equiv a_n (x^n-b^n) +a_{n-1} (x^{n-1}-b^{n-1}) + \cdots+a_2 (x^2-b^2)+a_1 (x-b) \\&\equiv (x-b) \cdot h(x) \ (\text{mod} \ m) \end{aligned}

where $h(x)$ is a polynomial of degree $n-1$.

Whenever $f(x) \equiv 0 \ (\text{mod} \ m)$, we have $m \ \lvert \ (x-b) \cdot h(x)$. Using the fact that $m$ is prime and Euclid’s lemma, either $m \ \lvert \ (x-b)$ or $m \ \lvert \ h(x)$. In terms of congruence, either $x-b \equiv 0 \ (\text{mod} \ m)$ or $h(x) \equiv 0 \ (\text{mod} \ m)$. The first congruence has exactly one solution. By induction hypothesis, the second congruence has at most $n-1$ solutions. Together, equation (1) has at most $n$ solutions. $\blacksquare$

Lemma 5

Let $m$ be a prime number. If $d \ \lvert \ (p-1)$, then the congruence equation $x^d \equiv 1 \ (\text{mod} \ m)$ has exactly $d$ many solutions.

Proof of Lemma 5

Suppose $d \ \lvert \ (p-1)$. Fermat’s little theorem tells us that $x^{m-1}-1 \equiv 0 \ (\text{mod} \ m)$ has exactly $m-1$ solutions, namely $1,2,3,\cdots,m-1$. We can factor the polynomial $x^{m-1}-1$ as follows:

$g(x)=x^{m-1}-1=(x^d-1) \cdot (x^{m-1-d}+x^{m-1-2d}+x^{m-1-3d}+\cdots+x^{d}+1)$

Let $t(x)=(x^{m-1-d}+x^{m-1-2d}+x^{m-1-3d}+\cdots+x^{d}+1)$. Whenever $g(x) \equiv 0 \ (\text{mod} \ m)$, $m \ \lvert \ g(x)=x^{m-1}-1=(x^d-1) \cdot t(x)$. By Euclid’s lemma, $m \ \lvert \ (x^d-1)$ or $m \ \lvert \ t(x)$. In terms of congruence, $x^d \equiv 1 \ (\text{mod} \ m)$ or $t(x) \equiv 0 \ (\text{mod} \ m)$.

By Lemma 4, the congruence $t(x) \equiv 0 \ (\text{mod} \ m)$ has at most $m-1-d$ solutions. Since $x^{m-1}-1 \equiv 0 \ (\text{mod} \ m)$ has exactly $m-1$ solutions, the congruence equation $x^d \equiv 1 \ (\text{mod} \ m)$ has at least $d$ many solutions.

By Lemma 4, the congruence equation $x^d \equiv 1 \ (\text{mod} \ m)$ has at most $d$ solutions. Thus $x^d \equiv 1 \ (\text{mod} \ m)$ has exactly $d$ many solutions. $\blacksquare$

We need one more lemma before proving Theorem 1.

Lemma 6

Let $a$ and $b$ be integers with $0 \le a,b \le m-1$. Let $\alpha$ be the order of $a$ modulo $m$. Let $\beta$ be the order of $b$ modulo $m$.

Suppose that $\alpha$ and $\beta$ are relatively prime. Then $\alpha \cdot \beta$ is the order of $a \cdot b$ modulo $m$.

Proof of Lemma 6

Let $\gamma$ be the order of $a \cdot b$ modulo $m$. We show that $\gamma=\alpha \beta$. The following derivation shows that $\alpha \ \lvert \ \gamma$.

$1 \equiv 1^\beta \equiv ((ab)^\gamma)^\beta =(ab)^{\gamma \beta}=(a)^{\gamma \beta} (b)^{\gamma \beta}=(a)^{\gamma \beta} (b^{\gamma})^{\beta} \equiv a^{\gamma \beta} \ (\text{mod} \ m)$

Since $a^{\gamma \beta} \equiv 1 \ (\text{mod} \ m)$, we have $\alpha \ \lvert \ \gamma \beta$ (by Lemma 3). Since $\alpha$ and $\beta$ are relatively prime, $\alpha \ \lvert \ \gamma$. By a symmetrical argument, it can also be shown that $\beta \ \lvert \ \gamma$.

Since $\alpha \ \lvert \ \gamma$, we have $\gamma=\alpha \cdot t$ for some integer $t$. Since $\beta \ \lvert \alpha \cdot t$, it follows that $\beta \ \lvert t$ (Euclid’s lemma). So $t=\beta \cdot z$ for some integer $z$. Now $\gamma=\alpha \cdot \beta \cdot z$. This means that $\alpha \beta \ \lvert \ \gamma$.

On the other hand, we have $\gamma \ \lvert \alpha \beta$. This follows from the following derivation and from Lemma 3.

$(ab)^{\alpha \beta}=(a^\alpha)^\beta \cdot (b^\beta)^\alpha \equiv 1 \ (\text{mod} \ m)$

It follows that $\gamma= \alpha \beta$. $\blacksquare$

Remark
Lemma 6 indicates that the orders of two numbers are multiplicative as long as the two orders are relatively prime. As a corollary of Lemma 6, it follows that the order of a product of finitely many numbers (for the same modulus) is the product of the individual orders provided that the orders are pairwise relatively prime. This fact will be used in the proof of Theorem 1 below.

Proof of Theorem 1

We start off with a prime factorization of the number $p-1$.

$\displaystyle p-1=w_1^{e_1} \cdot w_2^{e_2} \cdot w_3^{e_3} \cdots w_n^{e_n}$

In the above factorization, the numbers $w_i$ are distinct prime numbers and the exponents $e_i \ge 1$.

For each $i$, it is clear that $w_i^{e_i} \ \lvert \ (p-1)$. By Lemma 5, the congruence equation

$\displaystyle x^{w_i^{e_i}} \equiv 1 \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (2)$

has exactly $w_i^{e_i}$ many solutions. Note that the $w_i^{e_i}$ many solutions are integers in the interval $0 \le x \le p-1$. Furthermore, the order modulo $p$ of each of these solutions to (2) is a divisor of $w_i^{e_i}$ (by Lemma 3).

In fact, from Lemma 3, we can say that for any integer $x$ in the interval $0 \le x \le p-1$, the number $x$ is a solution of equation (2) if and only if the order modulo $p$ of $x$ is a divisor of $w_i^{e_i}$. We have the following claim.

Claim
For each $i$, we claim that there exists at least one integer $a_i$ in the interval $0 \le x \le p-1$ such that the order of $a_i$ modulo $p$ is $w_i^{e_i}$.

To see the above claim, the congruence equation

$\displaystyle x^{w_i^{e_i-1}} \equiv 1 \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (3)$

has exactly $w_i^{e_i-1}$ many solutions in the interval $0 \le x \le p-1$ (using Lemma 5). Furthermore, the order of each of the solutions of (3) is a divisor of $w_i^{e_i-1}$.

In fact, from Lemma 3, we can also say that for any integer $x$ in the interval $0 \le x \le p-1$, the number $x$ is a solution of equation (3) if and only if the order modulo $p$ of $x$ is a divisor of $w_i^{e_i-1}$.

Note that the solutions of (3) are also solutions of (2). This is clear since we know that divisors of $w_i^{e_i-1}$ are also divisors of $w_i^{e_i}$.

Thus there are $w_i^{e_i}-w_i^{e_i-1}$ many of the solutions to (2) that are not solutions to equation (3). Pick one such solution and call it $a_i$. Let $k$ be the order of $a_i$ modulo $p$. There are three possibilities for $k$:

$k \le w_i^{e_i-1} \ \ \ \ \ w_i^{e_i-1}

Since $a_i$ is a solution to (2), the number $k$ is a divisor of $w_i^{e_i}$. Note that there are no divisors of $w_i^{e_i}$ within the interval $w_i^{e_i-1} since $w_i$ is a prime number. So $w_i^{e_i-1} is not possible.

Since $a_i$ is not a solution to (3), the number $k$ is not a divisor of $w_i^{e_i-1}$. This means that $k \le w_i^{e_i-1}$ is not possible. Since $w_i$ is prime, $k$ must be a power of $w_i$. Since $k$ must be a power of $w_i$, if $k \le w_i^{e_i-1}$, $k$ is then a divisor of $w_i^{e_i-1}$.

So the only possibility is that $k=w_i^{e_i}$. This establishes the above claim.

Let $g=a_1 \cdot a_2 \cdots a_n$. The primitive root modulo $p$ we are looking for is either $g$ if $g or the least residue of $g$ if $g \ge p$.

According to the above claim, the order modulo $p$ of $a_i$ is $w_i^{e_i}$. Clearly $w_i^{e_i}$ and $w_j^{e_j}$ are relatively prime for $i \ne j$. As a corollary of Lemma 6, the order of the product $g=a_1 \cdot a_2 \cdots a_n$ is the products of $w_i^{e_i}$, namely $p-1$. Thus $g=a_1 \cdot a_2 \cdots a_n$ or its least residue modulo $p$ is a primitive root. $\blacksquare$

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

# An elementary algorithm for finding primitive roots

In the previous post Finding Primitive Roots, we demonstrate one approach for finding all primitive roots of a prime modulus. In this post, we summarize the ideas behind that example.

Throughout this discussion $m$ is a positive integer that is used as the modulus for modular arithmetic, and $a$ is assumed to be a positive integer that is relatively prime to $m$ such that $0 \le a \le m-1$.

According to Fermat’s little theorem, if the modulus $m$ is prime, then $a^{m-1} \equiv 1 \ (\text{mod} \ m)$. If the modulus is relaxed to include non-prime integers as well, then we have Euler’s theorem which states that $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ where $\phi(m)$ is Euler’s phi function. For any modulus $m$, $\phi(m)$ is simply the numbers of possible values of $a$ that are relatively prime to $m$. For example, $\phi(m)=10$ if $m=11$ and $\phi(m)=4$ if $m=10$.

So it is always the case that $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$. Another way to say this is that the number $\phi(m)$ is always a solution to the following congruence equation.

$\displaystyle a^x \equiv 1 \ (\text{mod} \ m) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

With this above discussion in mind, we define the notion of order. The order of $a$ modulo $m$ is the least positive integer solution to the congruence equation (1).

Furthermore, the number $a$ is said to be a primitive root modulo $m$ if the least positive integer solution to (1) is $\phi(m)$.

Note that even though the notions of order and primitive root are defined here for integers $a$ that are relatively prime to $m$ with $0 \le a \le m-1$, the definitions are also valid for positive $a$ outside the range $0 \le a \le m-1$. Relaxing the definitions can make some proofs go easier (e.g. Theorem 2 below).

___________________________________________________________________________________________________________________

An Approach in Finding Primitive Roots

We now summarize the ideas discussed in the previous post Finding Primitive Roots.

Recall that $a$ is a positive integer less than $m$ that is relatively prime to $m$. How do we check if $a$ is a primitive root? On the face of it, we need to check that no positive integer less than $\phi(m)$ is a solution to equation (1). It turns out that we only need to check positive integers less than $\phi(m)$ that are divisors of $\phi(m)$. We have the following theorem.

Theorem 1

The following conditions are equivalent.

1. The number $a$ is a primitive root modulo $m$.
2. Every positive divisor $k$ of $\phi(m)$ with $k < \phi(m)$ is not a solution of the congruence equation (1).

$\text{ }$
If we know that there exists a primitive root for a modulus, the followng theorem tells us how to find the other primitive roots.

Theorem 2

Suppose the number $a$ is a primitive root modulo $m$. Then there are exactly $\phi(\phi(m))$ many primitive roots modulo $m$. They are obtained by finding the least residues of the numbers $a^j$ where the exponents $j$ are taken from the following set.

$\left\{j: 1 \le j \le \phi(m) \text{ and } j \text{ is relatively prime to } \phi(m) \right\} \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (2)$

Thus the above two theorems taken together form an algorithm for finding primitve roots of a modulus (if one is known to exist to begin with). We can use Theorem 1 to find a primitive root. Once we have found one, we can raise it to exponents that are relatively prime to the number $\phi(m)$ to find the remaining primitive roots. Since there are $\phi(\phi(m))$ many positive integers that are less than $\phi(m)$ and relatively prime to $\phi(m)$, there are $\phi(\phi(m))$ many primitive roots modulo $m$ (if one exists).

Before proving the theorems, let’s look at a quick example.

For $m=11$, $\phi(11)=10$. The candidates for primitive roots modulo $m=11$ are in the set $\left\{2,3,4,\cdots,10 \right\}$. The divisors of $\phi(11)=10$ are $1,2,5$. According to Theorem 1, we only need to raise these numbers to exponents that are divisors of $\phi(11)=10$.

Note that $2^1 \equiv 2 \ (\text{mod} \ 11)$, $2^2 \equiv 4 \ (\text{mod} \ 11)$ and $2^5 \equiv 10 \ (\text{mod} \ 11)$. Thus $a=2$ is a primitive root modulo $m=11$.

The positive integers that are less than $\phi(11)=10$ and that are relatively prime to $\phi(11)=10$ are $1, 3, 7, 9$. So there are four primitive roots modulo $m=11$. They are:

\displaystyle \begin{aligned} \text{ }&2^1 \equiv 2 \ (\text{mod} \ 11) \\&2^3 \equiv 8 \ (\text{mod} \ 11) \\&2^7 \equiv 7 \ (\text{mod} \ 11) \\&2^9 \equiv 6 \ (\text{mod} \ 11) \end{aligned}

___________________________________________________________________________________________________________________

Proof of Theorems

Proof of Theorem 1

The direction $1 \Longrightarrow 2$ is clear. If $a$ is a primitive root modulo $m$, then by definition, no positive integer less than $\phi(m)$ can be a solution to the congruence equation (1).

$2 \Longrightarrow 1$
Let $h$ be the order of $a$ modulo $m$. The key to the proof is that $h$ must be a divisor of $\phi(m)$ (see Theorem 4 and Corollary 5 in the post Defining Primitive Root). For the sake of completeness, we provide the proof here.

Since $h$ is the least positive solution of the congruence equation (1), $h \le \phi(m)$. Using the division algorithm, we have $\phi(m)=q \cdot h+r$ for some integers $q$ and $r$ where $0 \le r . We have the following calculation.

$1 \equiv a^{\phi(m)}=(a^h)^q \cdot a^r \equiv (1)^q \cdot a^r \equiv a^r \ (\text{mod} \ m)$

So we have $a^r \equiv 1 \ (\text{mod} \ m)$ and $0 \le r . Since $h$ is the least positive solution of (1), the only possibility is that $r=0$. Hence $\phi(m)=q \cdot h$ and $h$ is a divisor of $\phi(m)$.

Now back to the proof for $2 \Longrightarrow 1$. We claim that $h=\phi(m)$, implying that $a$ is a primitive root modulo $m$. If $h<\phi(m)$, then $h$ is a positive divisor of $\phi(m)$ with $h<\phi(m)$ such that $h$ is a solution of the congruence equation (1) (i.e. the condition 2 does not hold). Thus if condition 2 holds, condition 1 must hold. $\blacksquare$

Proof of Theorem 2
Theorem 2 is the combined result of Theorem 6 and Corollary 7 in the post Defining Primitive Root. To make this post as self contained as possible, we repeat the proof, showing just the essential parts.

We do need one theorem from the previous post Defining Primitive Root. Let $w$ be a positive integer that is relatively prime to the modulus $m$. Let $k$ be the order of $w$ modulo $m$. Theorem 4 in this post states that for any , $w^n \equiv 1 \ (\text{mod} \ m)$ if and only if $k \ \lvert \ n$.

There are exactly $\phi(\phi(m))$ many elements in the above set indicated by (2). So there are these many powers of $a$. The first thing to show is that the powers $a^j$ are all distinct congruent modulo $m$. Hence their least residues are also distinct.

To see this, suppose $a^j \equiv a^i \ (\text{mod} \ m)$ where $i, j \le \phi(m)$ with $i \le j$. We want to show $i=j$. Suppose that $i. Since $a^i$ is relatively prime to $m$, we can cancel out $a^i$ on both sides and obtain $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. Since $j-i<\phi(m)$ and $a$ is a primitive root modulo $m$, $a^{j-i} \not \equiv 1 \ (\text{mod} \ m)$. So $i=j$. Thus if $i \ne j$, then $a^j \not \equiv a^i \ (\text{mod} \ m)$.

The next thing to show is that $a^j$ is a primitive root modulo $m$ for any $j$ in the above set (2). Suppose $j$ is one such element of the set (2). Then $j$ and $\phi(m)$ are relatively prime.

Let $h$ be the order of $a^j$ modulo $m$. We have $a^{j \cdot h}=(a^h)^j \equiv 1 \ (\text{mod} \ m)$. Since $a$ is a primitive root modulo $m$, it follows that $\phi(m) \ \lvert \ j \cdot h$ (according Theorem 4 in Defining Primitive Root). Since $\phi(m)$ and $j$ are relatively prime, $\phi(m) \ \lvert \ h$.

On the other hand, $(a^j)^{\phi(m)}=(a^{\phi(m)})^j \equiv 1 \ (\text{mod} \ m)$. Since $h$ is the order of $a^j$, it follows that $h \ \lvert \ \phi(m)$ (also using Theorem 4 in Defining Primitive Root).

With $\phi(m) \ \lvert \ h$ and $h \ \lvert \ \phi(m)$, we have $h=\phi(m)$. Thus $a^j$ is a primitive root modulo $m$ and so is its least residue. $\blacksquare$

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

# Finding Primitive Roots

In the previous post called Defining Primitive Root, we define and discuss the notion of primitive roots and prove some elementary theorems. In this post we use these theorems to find primitive roots modulo a prime number. The algorithm demonstrated here is further described in An elementary algorithm for finding primitive roots.

It is a theorem that if the modulus $m$ is a prime number, there exist primitive roots modulo $m$. But the theorem does not provide an algorithm of how to find one. We demonstrate a process of how to find all the primitive roots of a prime modulus. We use the prime modulus $m=277$, a number that is small enough to make the calculation not too lengthy and is big enough to make the demonstration meaningful.

The modular arithmetic calculation discussed below can be programmed in a computer or done using a hand-held calculator using the fast powering algorithm (which is discussed in this post).

__________________________________________________________________________________________________________________

Background

For any positive integer $m$, let $\mathbb{Z}_m$ be the set $\left\{0,1,2,\cdots,m-1 \right\}$. Let $(\mathbb{Z}_m)^*$ be the set of all numbers $a$ in $\mathbb{Z}_m$ that is relatively prime to $m$. Euler’s phi function $\phi(m)$ is the count of the elements in the set $(\mathbb{Z}_m)^*$. Euler’s theorem states that for any $a \in (\mathbb{Z}_m)^*$, $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$.

Euler’s theorem establishes a solution for the congruence equation $a^{x} \equiv 1 \ (\text{mod} \ m)$ where $x$ is a positive integer. Whenever $\phi(m)$ is the smallest positive solution to $a^{x} \equiv 1 \ (\text{mod} \ m)$, the number $a$ is said to be a primitive root modulo $m$.

In general, the smallest positive solution to the equation $a^{x} \equiv 1 \ (\text{mod} \ m)$ is called the order of $a$ modulo $m$. Thus, in terms of the notion of order, any number $a \in (\mathbb{Z}_m)^*$ is a primitive root modulo $m$ whenever the order of $a$ and $\phi(m)$ coincide.

__________________________________________________________________________________________________________________

Finding One Primitive Root

For the modulus $m=277$, $\mathbb{Z}_m=\left\{0,1,2,\cdots,276 \right\}$ and $(\mathbb{Z}_m)^*=\left\{1,2,3,\cdots,276 \right\}$. So $\phi(277)=276$. According to Euler’s theorem, $a^{\phi(m)}=a^{276} \equiv 1 \ (\text{mod} \ 277)$ for all $a \in (\mathbb{Z}_m)^*=\left\{1,2,3,\cdots,276 \right\}$.

Obviously $a=1$ can never be a primitive root. Thus candidates for primitive roots are the $275$ numbers in the set $\left\{2,3,\cdots,276 \right\}$. As we will see below, we only need to find one primitive root $a$ from this list. Our plan is to find the smallest primitive root $a$ from this list.

Since $a^{\phi(m)}=a^{276} \equiv 1 \ (\text{mod} \ 277)$, showing that $a$ is a primitive root modulo $m=277$ requires verifying that $a^j \not \equiv 1 \ (\text{mod} \ 277)$ for each $j \in \left\{2,3,\cdots,275 \right\}$. We can get by with less computation.

If $x=k$ is the smallest positive integer solution to $a^{x} \equiv 1 \ (\text{mod} \ m)$, then $k \ \lvert \ \phi(m)$ (see Theorem 4 and Corollary 5 in the post Defining Primitive Root).

So the order of a number $a$ can only be the numbers $j$ in the set $\left\{2,3,\cdots,275 \right\}$ that are divisors of $\phi(277)=276$. If $a^j \not \equiv 1 \ (\text{mod} \ 277)$ for all such $j$, then the number $a$ is a primitive root modulo $m=277$. If $a^j \equiv 1 \ (\text{mod} \ 277)$ for one such $j$, then the number $a$ is not a primitive root modulo $m=277$. This is the approach we take to find one primitive root modulo $m=277$.

Note that $276=2^2 \cdot 3 \cdot 23$, which has eleven divisors that are less than $276$. They are:

\displaystyle \begin{aligned} \text{divisors of } 276&=1 \\&=2 \\&=3 \\&=4 \\&=6 \\&=12 \\&=23 \\&=46 \\&=69 \\&=92 \\&=138 \end{aligned}

We start with $a=2$ and check $a^j$ where $j$ is from the above list of divisors. The first $a$ where $a^j \not \equiv 1 \ (\text{mod} \ 277)$ for all eleven $j$ is a primitive root.

We have the following calculation:

$2^{92} \equiv 1 \ (\text{mod} \ 277)$

$3^{69} \equiv 1 \ (\text{mod} \ 277)$

$4^{46} \equiv 1 \ (\text{mod} \ 277)$

So $a=2,3,4$ are not primitive root modulo $m=277$. For $a=5$, $a^j \not \equiv 1 \ (\text{mod} \ 277)$ for all eleven $j$. Thus $a=5$ is the smallest primitive root modulo $m=277$.

__________________________________________________________________________________________________________________

Finding the Other Primitive Roots

If there is one primitive root for a modulus $m$, there are exactly $\phi(\phi(m))$ many primitive roots (see Corollary 7 in the post Defining Primitive Root). For the modulus $m=277$, there are $\phi(\phi(277))=\phi(276)=88$ primitive roots.

Theorem 6 in that same post says that if $a$ is a primitive root modulo $m$, then $a^j$ (or the least residue of it) is also a primitive root for all integers $j$ that are relatively prime to $\phi(m)$.

So in this example, for the exponents we only need to find the numbers in the set $\left\{1,2,3,\cdots,276 \right\}$ that are relatively prime to $\phi(277)=276$.

To find the $88$ numbers that are relatively prime to $\phi(277)=276$, we can list out the numbers $1,2,3,\cdots,276$. Since the prime factors of $276$ are $2,3,23$, we cross out the multiples of $2$, the multiples of $3$, and finally the multiples of $23$. The following matrix shows the $88$ numbers that remain.

$\displaystyle \begin{bmatrix} 1&5&7&11&13&17&19&25&29&31 \\ 35&37&41&43&47&49&53&55&59&61 \\ 65&67&71&73&77&79&83&85&89&91 \\ 95&97&101&103&107&109&113&119&121&125 \\ 127&131&133&137&139&143&145&149&151&155 \\ 157&163&167&169&173&175&179&181&185&187 \\ 191&193&197&199&203&205&209&211&215&217 \\ 221&223&227&229&233&235&239&241&245&247 \\ 251&257&259&263&265&269&271&275&\text{ }&\text{ } \end{bmatrix}$

From the last section, we know that $a=5$ is a primitive root modulo $m=277$. For each number $j$ in the above matrix, we calculate the least residue of $5^j$ modulo $m=277$. The following shows the results.

$\displaystyle \begin{bmatrix} 5&78&11&227&135&167&20&44&77&263 \\ 114&80&140&176&31&221&179&43&6&150 \\ 124&53&162&172&24&46&219&212&94&134 \\ 96&184&45&17&99&259&107&180&68&119 \\ 205&151&174&166&272&199&266&50&142&110 \\ 257&233&200&14&163&197&137&101&246&56 \\ 98&234&271&127&153&224&115&105&253&231 \\ 58&65&183&143&181&93&232&260&178&18 \\ 170&97&209&158&72&126&103&111&\text{ }&\text{ } \end{bmatrix}$

For example, the following calculation gives the ten results in the first row of the above matrix.

$5^{1} \equiv 5 \ (\text{mod} \ 277)$

$5^{5} \equiv 78 \ (\text{mod} \ 277)$

$5^{7} \equiv 11 \ (\text{mod} \ 277)$

$5^{11} \equiv 227 \ (\text{mod} \ 277)$

$5^{13} \equiv 135 \ (\text{mod} \ 277)$

$5^{17} \equiv 167 \ (\text{mod} \ 277)$

$5^{19} \equiv 20 \ (\text{mod} \ 277)$

$5^{25} \equiv 44 \ (\text{mod} \ 277)$

$5^{29} \equiv 77 \ (\text{mod} \ 277)$

$5^{31} \equiv 263 \ (\text{mod} \ 277)$

The following matrix shows the $88$ primitive roots sorted in increasing order.

$\displaystyle \begin{bmatrix} 5&6&11&14&17&18&20&24&31&43 \\ 44&45&46&50&53&56&58&65&68&72 \\ 77&78&80&93&94&96&97&98&99&101 \\ 103&105&107&110&111&114&115&119&124&126 \\ 127&134&135&137&140&142&143&150&151&153 \\ 158&162&163&166&167&170&172&174&176&178 \\ 179&180&181&183&184&197&199&200&205&209 \\ 212&219&221&224&227&231&232&233&234&246 \\ 253&257&259&260&263&266&271&272&\text{ }&\text{ } \end{bmatrix}$

__________________________________________________________________________________________________________________

Exercise

We leave with an exercise (for any interested reader).

Find all the primitive roots modulo $m=127$. Answers are show below.

$\text{ }$

$\text{ }$

$\text{ }$

$\text{ }$

$\displaystyle \begin{bmatrix} 3&6&7&12&14&23&29&39&43&45 \\ 46&48&53&55&56&57&58&65&67&78 \\ 83&85&86&91&92&93&96&97&101&106 \\ 109&110&112&114&116&118&\text{ }&\text{ }&\text{ }&\text{ } \end{bmatrix}$

The algorithm demonstrated here is further described in An elementary algorithm for finding primitive roots.

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

# Defining Primitive Root

In this post, we define the notion of primitive root and prove some elementary results. Instead of jumping right into the definition, we take a leisurely approach by first looking at some of the related basic notions.

___________________________________________________________________________________________________________________

Setting Up the Scene

Two positive integers $a$ and $b$ are relatively prime if they do not share any prime factors, i.e., their greatest common divisor is one (the only positive integer that can divide both numbers is one). For example, $a=9$ and $b=14$ are relatively prime, as are $a=9$ and $b=35$. If $a$ and $b$ are relatively prime, we also say that $a$ is relatively prime to $b$ or $b$ is relatively prime to $a$. Our notation for greatest common divisor is $\text{GCD}(a,b)$.

In working with modular arithmetic where the modulus is the positive integer $m$, every integer is congruent modulo $m$ to exactly one number in the set $\left\{0,1,2,\cdots,m-1 \right\}$. The numbers in this set are called the least residues modulo $m$. In doing modulus $m$ calculation, for some purposes we only need to reduce the result to one number in this set. For convenience, we use the notation $\mathbb{Z}_m=\left\{0,1,2,\cdots,m-1 \right\}$.

An even more interesting set is the set of all integers $a$ in $\mathbb{Z}_m$ such that $a$ and the modulus $m$ are relatively prime. To facilitate the discussion, we describe this set as follows:

\displaystyle \begin{aligned} (\mathbb{Z}_m)^*&=\left\{a \in \mathbb{Z}_m: a \text{ is relatively prime to } m \right\} \\&=\left\{a \in \mathbb{Z}_m:\text{GCD}(a,m) =1 \right\} \end{aligned}

When the modulus $m$ is a prime number, $(\mathbb{Z}_m)^*=\left\{1,2,\cdots,m-1 \right\}$, the non-zero elements of $\mathbb{Z}_m$. The following theorem gives some indication why $(\mathbb{Z}_m)^*$ is an interesting set, which provides alternative characterizations of $(\mathbb{Z}_m)^*$.

Theorem 1

Let $a$ be an integer in $\mathbb{Z}_m$. The following conditions are equivalent.

1. $\text{GCD}(a,m)=1$.
2. There is a $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$.
3. Some positive power of $a$ modulo $m$ is $1$, i.e., $a^n \equiv 1 \ (\text{mod} \ m)$ for some positive integer $n$.

$\text{ }$

The proof of Theorem 1 can be found in the post Euler’s phi function, part 1.

The Euler’s phi function, denoted by $\phi(m)$, is the number of integers $a$ where $0 \le a \le m-1$ such that $a$ and the modulus $m$ are relatively prime. In light of the above discussion, $\phi(m)$ is the number of elements in the set $(\mathbb{Z}_m)^*$. It is also the case that $\phi(m)$ is the number of elements in $\mathbb{Z}_m$ that satisfies any one of the three conditions in Theorem 1.

___________________________________________________________________________________________________________________

Defining Primitive Root

When we are interested in the power of a number being one congruence modulo $m$, according to Theorem 1, the base has to be a number that is relatively prime to the modulus. We have already come across two such situations – Fermat’s little theorem and its generalization, Euler’s theorem.

Theorem 2 (Fermat’s little theorem)

Let the modulus $m$ be a prime number. Then $a^{m-1} \equiv 1 \ (\text{mod} \ m)$ for any integer $a$ that is relatively prime to $m$.

$\text{ }$

Theorem 3 (Euler’s theorem)

It is the case that $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ for any integer $a$ that is relatively prime to $m$.

$\text{ }$

Theorem 2 follows from Theorem 3, which is proved in the post Euler’s phi function, part 1.

Definitions
We now define the notion of primitive root. Let $a$ be an integer in $\mathbb{Z}_m$ that is relatively prime to the modulus $m$. Based on the above theorems, $a^k \equiv 1 \ (\text{mod} \ m)$ for some positive integer $k$. By the order of $a$ modulo $m$, we mean the least positive integer $k$ such that $a^k \equiv 1 \ (\text{mod} \ m)$. The number $a$ is a primitive root modulo $m$ if the order of $a$ modulo $m$ is the number $\phi(m)$.

By Theorem 3, the order of $a$ modulo $m$ is always $\le \phi(m)$. We will see below that the order always divides $\phi(m)$ (see Theorem 4).

One comment. The notions of order and primitive roots are defined above for integers in $\mathbb{Z}_m$. In actuality, the two notations can be defined for all positive integers. It is just that we are interested in finding primitive roots among the residues, i.e., the elements of the set $\mathbb{Z}_m$. In some cases, it will be helpful to think of orders of numbers outside of $\mathbb{Z}_m$ and think of numbers outside of $\mathbb{Z}_m$ as primitive roots (e.g. in the proof of Theorem 6 below).

Suppose that the modulus $m$ is a prime number. Fermat’s little theorem tells us that $a^{m-1} \equiv 1 \ (\text{mod} \ m)$ for any $a$ that is relatively prime to $m$. Is $m-1$ the only exponent for which the power of $a$ is one? Take $m=11$. The following table gives the powers of $a$ modulus $m=11$ where $1 \le a \le 10$.

$\displaystyle \begin{bmatrix} a^1&a^2&a^3&a^4&a^5&a^6&a^7&a^8&a^9&a^{10} \\\text{ }&\text{ }&\text{ } \\ 1&1&1&1&1&1&1&1&1&1 \\ 2&4&8&5&10&9&7&3&6&1 \\ 3&9&5&4&1&3&9&5&4&1 \\ 4&5&9&3&1&4&5&9&3&1 \\ 5&3&4&9&1&5&3&4&9&1 \\ 6&3&7&9&10&5&8&4&2&1 \\ 7&5&2&3&10&4&6&9&8&1 \\ 8&9&6&4&10&3&2&5&7&1 \\ 9&4&3&5&1&9&4&3&5&1 \\ 10&1&10&1&10&1&10&1&10&1 \end{bmatrix}$

The above table shows that for $a=2,6,7,8$, the number $10$ is the least exponent for which the power of $a$ is one. In other words, the order for these $a$ is $\phi(11)=10$. The numbers $a=2,6,7,8$ are primitive roots modulo $m=11$. The other values of $a$ are not primitive roots. The order for $a=1$ is $1$. The order for $a=10$ is $2$. The order for $a=3,4,5,9$ is $5$.

Note that in the above table, for the numbers $a$ that are primitive roots, the set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(11)} \right\}$ equals the set $\left\{1,2,3,\cdots,10 \right\}$. So a primitive root generates by powering all the least residues that are relatively prime to the modulus.

Let’s look at a modulus that is not prime. Take $m=10$. The following table gives the powers of $a$ modulus $m=10$ where $1 \le a \le 9$.

$\displaystyle \begin{bmatrix} a^1&a^2&a^3&a^4&a^5&a^6&a^7&a^8&a^9 \\\text{ }&\text{ }&\text{ } \\ 1&1&1&1&1&1&1&1&1 \\ 2&4&8&6&2&4&8&6&2 \\ 3&9&7&1&3&9&7&1&3 \\ 4&6&4&6&4&6&4&6&4 \\ 5&5&5&5&5&5&5&5&5 \\ 6&6&6&6&6&6&6&6&6 \\ 7&9&3&1&7&9&3&1&7 \\ 8&4&2&6&8&4&2&6&8 \\ 9&1&9&1&9&1&9&1&9 \end{bmatrix}$

Note that $\phi(10)=4$ since $(\mathbb{Z}_{10})^*=\left\{1,3,7,9 \right\}$ is the set of all the least residues that are relatively prime to $m=10$. In terms of powers of $a$, we should only focus on $\left\{1,3,7,9 \right\}$. The following is the reduced table.

$\displaystyle \begin{bmatrix} a^1&a^2&a^3&a^4&a^5&a^6&a^7&a^8&a^9 \\\text{ }&\text{ }&\text{ } \\ 1&1&1&1&1&1&1&1&1 \\ 3&9&7&1&3&9&7&1&3 \\ 7&9&3&1&7&9&3&1&7 \\ 9&1&9&1&9&1&9&1&9 \end{bmatrix}$

Note that $a^4 \equiv 1 \ (\text{mod} \ 10)$ for all four $a$. But only $a=3,7$ are primitive roots modulo $m=10$.

Also note that in the above table, for the numbers $a$ that are primitive roots, the set $\left\{a^1,a^2,a^3,a^4 \right\}$ equals the set $\left\{1,3,7,9 \right\}$. So a primitive root generates by powering all the least residues that are relatively prime to the modulus.

Not all moduli have primitive roots. Take $m=8$. The least residues that are relatively prime to $m=8$ are the set $\left\{1,3,5,7 \right\}$. Note that $a^2 \equiv 1 \ (\text{mod} \ 8)$ for every $a$ in this set. Thus no number $a$ in this set can have order = $\phi(8)=4$.

___________________________________________________________________________________________________________________

Elementary Results

One observation can be made about the above small tables for $m=11$ and $m=10$ is that all exponents for which the power of $a$ is one are the multiples of the order. We have the following theorem.

Theorem 4

Let $a$ be an integer where $0 \le a \le m-1$ such that $a$ is relatively prime to the modulus $m$. Suppose $k$ is the order of the number $a$ modulo $m$. Then $a^n \equiv 1 \ (\text{mod} \ m)$ if and only if $n$ is a multiple of $k$.

Proof of Theorem 4

$\Longleftarrow$
This direction is clear. If $n=q \cdot k$ for some integer $q$, then $a^n=(a^k)^q \equiv 1 \ (\text{mod} \ m)$.

$\Longrightarrow$
Suppose that $a^n \equiv 1 \ (\text{mod} \ m)$. By the division algorithm, we have $n=q \cdot k+r$ for some integers $q$ and $r$ where $0 \le r . We have the following:

$a^n=(a^k)^q \cdot a^r \equiv a^r \ (\text{mod} \ m)$

Since $r and $a^r \equiv 1 \ (\text{mod} \ m)$, it must be the case that $r=0$, implying that $n=q \cdot k$. $\blacksquare$

We have the following corollary.

Corollary 5

Let $a$ be an integer where $0 \le a \le m-1$ such that $a$ is relatively prime to the modulus $m$. Suppose $k$ is the order of the number $a$ modulo $m$. Then $\phi(m)$ is a multiple of $k$.

Another observation from the above small tables is that a primitive root, through powering, is a generator of the least residues that are relatively prime to the modulus.

Theorem 5

Let $a$ be an integer where $0 \le a \le m-1$ such that $a$ is relatively prime to the modulus $m$. The following conditions are equivalent.

1. The number $a$ is a primitive root modulo $m$.
2. The set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$, where each $a^j$ is considered as the least residues modulo $m$, is precisely the set $(\mathbb{Z}_m)^*$.

$\text{ }$

Recall that $(\mathbb{Z}_m)^*$ is the set of all $a \in \mathbb{Z}_m=\left\{0,1,2,3,\cdots,m-1 \right\}$ such that $a$ is relatively prime to $m$.

Proof of Theorem 5

$1 \Longrightarrow 2$
Suppose that the number $a$ is a primitive root modulo $m$. The first step in showing condition 2 is to show that the $\phi(m)$ numbers in the set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ are distinct congruent modulo $m$. Then it follows that their least residues modulo $m$ are distinct too.

Suppose $a^j \equiv a^i \ (\text{mod} \ m)$ where $i,j \le \phi(m)$. We want to show that $i=j$. Suppose $i. Then cancel out $a^i$ on both sides of the equation since $a^i$ is relatively prime to $m$. We have $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. But $j-i<\phi(m)$. Since $a$ is a primitive root modulo $m$, we cannot have $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. So it must be the case that $j=i$. So if $a^j \equiv a^i \ (\text{mod} \ m)$, then $i=j$. Equivalently, if $i \ne j$, $a^j \not \equiv a^i \ (\text{mod} \ m)$. Thus the least residues modulo $m$ of the values in $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ are distinct too.

Since $a^i$ is relatively prime to $m$, its least residue is also relatively prime to $m$. Now the least residues modulo $m$ of the values in $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ consist of $\phi(m)$ numbers inside $(\mathbb{Z}_m)^*$, which is also a set of $\phi(m)$ many numbers. So the two sets must equal.

$2 \Longrightarrow 1$
We show the contrapositive of $2 \Longrightarrow 1$. Suppose that the order of $a$ modulo $m$ is $j$ where $1 \le j<\phi(m)$. So $a^j \equiv 1 \ (\text{mod} \ m)$ and $a^{j+1} \equiv a \ (\text{mod} \ m)$. So $a$ and $a^{j+1}$ are two elements in the set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ that are congruent to each other. This means that the least residues of $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ have less than $\phi(m)$ many values. In other words, the number $a$, through powering, cannot generate all the least residues that are relatively prime to the modulus $m$. $\blacksquare$

The following theorem and corollary give the number of primitive root modulo $m$ as long as it is known that there is a primitive root modulo $m$.

Theorem 6

Let $a$ be a primitive root modulo $m$. Then for any positive integer $k$, the least residue of $a^k$ is a primitive root modulo $m$ if and only if $k$ is relatively prime to $\phi(m)$.

Proof of Theorem 6

$\Longrightarrow$
Suppose that $k$ is not relatively prime to $\phi(m)$. So $d=\text{GCD}(k,\phi(m))>1$. Then we have:

$\displaystyle (a^k)^{\frac{\phi(m)}{d}}=(a^{\phi(m)})^{\frac{k}{d}} \equiv 1 \ (\text{mod} \ m)$

With $\displaystyle b=\frac{\phi(m)}{d}<\phi(m)$ and $(a^k)^b \equiv 1 \ (\text{mod} \ m)$, it follows that $a^k$ is not a primitive root modulo $m$. Hence the least residue of $a^k$ modulo $m$ is also not a primitive root. Thus if the least residue of $a^k$ is a primitive root modulo $m$, it must be that $\text{GCD}(k,\phi(m))=1$.

$\Longleftarrow$
Suppose $\text{GCD}(k,\phi(m))=1$. Let $\alpha$ be the order of $a^k$ modulo $m$. By the definition of order, $a^{k \cdot \alpha}=(a^k)^\alpha \equiv 1 \ (\text{mod} \ m)$. Based on the fact that the order of $a$ modulo $m$ is $\phi(m)$, we have $\phi(m) \ \lvert \ k \cdot \alpha$ (also using Theorem 4). Since $\text{GCD}(k,\phi(m))=1$, it must be the case that $\phi(m) \ \lvert \ \alpha$.

On the other hand, $(a^k)^{\phi(m)}=(a^{\phi(m)})^k \equiv 1 \ (\text{mod} \ m)$. Using the fact that the order of $a^k$ is $\alpha$ (and using Theorem 4), $\alpha \ \lvert \ \phi(m)$.

With $\phi(m) \ \lvert \ \alpha$ and $\alpha \ \lvert \ \phi(m)$, it follows that $\alpha = \phi(m)$. This implies that $a^k$ is a primitive root modulo $m$, and so is its least residue modulo $m$. $\blacksquare$

Corollary 7

Suppose that there exists a primitive root modulo $m$. Then there are exactly $\phi(\phi(m))$ many primitive roots modulo $m$.

Proof of Corollary 7

Let $a$ be a primitive root modulo $m$. By Theorem 6, the least residue of $a^k$ is a primitive roots modulo $m$ if and only if $k$ is relatively prime to the number $\phi(m)$. There are precisely $\phi(\phi(m))$ many such numbers $k$.

Furthermore, according to Theorem 5, the least residues of the values in $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ are all distinct. Thus the least residues of the powers $a^k$ for the $\phi(\phi(m))$ many $k$ are primitive roots modulo $m$. $\blacksquare$

___________________________________________________________________________________________________________________

An Algorithm

The theorems and corollaries in this post form an elementary algorithm for finding primitive roots of a modulus (if one is known to exist). The algorithm is described in the post An elementary algorithm for finding primitive roots. An example is given in the post Finding Primitive Roots.

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

# Euler’s phi function, part 2

This is the part 2 of an introductory discussion on Euler’s phi function. See part 1 for a background discussion on the phi function $\phi$.

In computing modular arithmetic where the modulus is $m$, the following two sets of integers are of interest.

$\mathbb{Z}_m=\left\{0,1,2,\cdots,m-1 \right\}$

$(\mathbb{Z}_m)^*=\left\{a \in \mathbb{Z}_m: a \text{ is relatively prime to } m \right\}$

The first set $\mathbb{Z}_m$ is a representative set under the arithmetic modulo $m$ since every integer is congruent mod $m$ to exactly one number in $\mathbb{Z}_m$. In many settings, the only results of interest for modulo $m$ calculations are values in $\mathbb{Z}_m$ (also called least residues).

The second set $(\mathbb{Z}_m)^*$ consists of all integers in $\mathbb{Z}_m$ that are relatively prime to the modulus $m$ (as the set is defined). So any integer that is relatively prime to the modulus $m$ is congruent to exactly one number in $(\mathbb{Z}_m)^*$. Furthermore, the set $(\mathbb{Z}_m)^*$ is closed under multiplication modulo $m$. It is also the case that every number in $(\mathbb{Z}_m)^*$ has a multiplicative inverse modulo $m$. If we look for numbers a where $a^n \equiv 1 \ (\text{mod} \ m)$, we do not need to look further than the set $(\mathbb{Z}_m)^*$. We have the following theorem.

Theorem 1

Let $a$ be an integer in $\mathbb{Z}_m$. The following conditions are equivalent.

1. $\text{GCD}(a,m)=1$.
2. There is a $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$.
3. Some positive power of $a$ modulo $m$ is $1$, i.e., $a^n \equiv 1 \ (\text{mod} \ m)$ for some positive integer $n$.

$\text{ }$

The proof of Theorem 1 is found in Euler’s phi function, part 1.

Euler’s phi function $\phi(m)$ is defined to be the number of elements in the set $(\mathbb{Z}_m)^*$. In this post, we prove two elementary properties of the function $\phi$. We have the following two results.

Theorem 2

Let $p$ be a prime number. Let $n$ be a positive integer. Then $\phi(p^n)=p^{n-1}(p-1)$.

Theorem 3

Let $m$ and $n$ be two positive integers that are relatively prime. Then $\phi(m n)=\phi(m) \cdot \phi(n)$.

Example

Before proving the theorems, we work some examples. Find $\phi(299376)$. We factor $299376$ into its prime factors.

$299376=2^4 \cdot 3^5 \cdot 7 \cdot 11$

By Theorem 3, the function $\phi$ is multiplicative among integers that are relatively prime. Now we have $\phi(299376)=\phi(2^4) \cdot \phi(3^5) \cdot \phi(7) \cdot \phi(11)$. Applying Theorem 2, we have:

\displaystyle \begin{aligned} \phi(299376)&=\phi(2^4) \cdot \phi(3^5) \cdot \phi(7) \cdot \phi(11) \\&=2^3 (2-1) \cdot 3^4 (3-1) \cdot (7-1) \cdot (11-1) \\&=8 \cdot 162 \cdot 6 \cdot 10 \\&=77760 \end{aligned}

Proof of Theorem 2

Among the integers $1,2,3,\cdots, p^n-1,p^n$, the only ones that are not relatively prime to $p^n$ are multiples of $p$ (since $p$ is a prime number). There are $p^{n-1}$ many multiples of $p$. They are:

$p, 2 \cdot p, 3 \cdot p, \cdots, p^{n-1} \cdot p$

Thus among the integers $1,2,3,\cdots, p^n-1,p^n$, the number of integers that are relatively prime to $p^n$ must be $\phi(p^n)=p^n-p^{n-1}=p^{n-1}(p-1)$. $\blacksquare$

Lemma 4 will be helpful in proving Theorem 3.

Lemma 4

If $a$ is relatively prime to $m$ and $a$ is relatively prime to $n$, then $a$ is relatively prime to $mn$.

Proof of Lemma 4

Since $a$ is relatively prime to $m$, their greatest common divisor is one. Using the extended Euclidean algorithm, $ax+my=1$ for some integers $x$ and $y$. Since $a$ is relatively prime to $n$, $ah+nk=1$ for some integers $h$ and $k$. Multiplying these two equations, we get:

$(ax+my) \cdot (ah+nk)=a(xah+xnk+myh)+mn(yk)=1$

The above equation means that $a(xah+xnk+myh) \equiv 1 \ (\text{mod} \ mn)$. This shows that $xah+xnk+myh$ is the multiplicative inverse of $a$ modulo $mn$. By Theorem 1, $a$ is relatively prime to $mn$. $\blacksquare$

Proof of Theorem 3

Suppose $m$ and $n$ are relatively prime. We show that among the integers $1,2,3,\cdots,mn-1,mn$, there are exactly $\phi(m) \cdot \phi(n)$ many numbers that are relatively prime to $mn$. To facilitate the argument, we enumerate the integers $1,2,3,\cdots,mn-1,mn$ as in the following matrix.

$\displaystyle \begin{bmatrix} 1&\text{ }&1 \cdot m+1&\text{ }&2 \cdot m+1&\text{ }&\cdots&k \cdot m+1&\cdots&(n-1) \cdot m+1 \\\text{ }&\text{ }&\text{ } \\2&\text{ }&1 \cdot m+2&\text{ }&2 \cdot m+2&\text{ }&\cdots&k \cdot m+2&\cdots&(n-1) \cdot m+2 \\\text{ }&\text{ }&\text{ } \\3&\text{ }&1 \cdot m+3&\text{ }&2 \cdot m+3&\text{ }&\cdots&k \cdot m+3&\cdots&(n-1) \cdot m+3 \\\text{ }&\text{ }&\text{ } \\\cdots&\text{ }&\cdots&\text{ }&\cdots&\text{ }&\text{ }&\cdots&\text{ }&\cdots \\\text{ }&\text{ }&\text{ } \\h&\text{ }&1 \cdot m+h&\text{ }&2 \cdot m+h&\text{ }&\cdots&k \cdot m+h&\cdots&(n-1) \cdot m+h \\\text{ }&\text{ }&\text{ } \\\cdots&\text{ }&\cdots&\text{ }&\cdots&\text{ }&\text{ }&\cdots&\text{ }&\cdots \\\text{ }&\text{ }&\text{ } \\m&\text{ }&1 \cdot m+m&\text{ }&2 \cdot m+m&\text{ }&\cdots&k \cdot m+m&\cdots&(n-1) \cdot m+m \end{bmatrix}$

There are $m$ rows and $n$ columns in the matrix. The first observation is that if the first number of a row is $h$ and if $h$ and $m$ are not relatively prime, then there is $d>1$ that is a common divisor of $h$ and $m$. Then $d$ also divides any other number on that row. So if the first number of a row is $h$ and if $h$ and $m$ are not relatively prime, then any number on the $h^{th}$ row is not relatively prime to $m$, hence is not relatively prime to $mn$.

Based on the above observation, to look for numbers that are relatively prime to $mn$, we only need to look at rows where the first number $h$ is relatively prime to $m$. There are exactly $\phi(m)$ many such rows.

We claim that in each of these $\phi(m)$ rows, there are exactly $\phi(n)$ many numbers that are relatively prime to $mn$. It follows that there are exactly $\phi(m) \cdot \phi(n)$ many numbers in the entire matrix that are relatively prime to $mn$. Thus the theorem will be established.

To establish the claim in the above paragraph, consider one such row where the first number $h$ is relatively prime to $m$. First observe that the $n$ numbers in the $h^{th}$ row are distinct congruent modulo $m$. Suppose that $k \cdot m+h \equiv j \cdot m+h \ (\text{mod} \ n)$. Cancel out $h$, we have $k \cdot m \equiv j \cdot m \ (\text{mod} \ n)$. Since $m$ and $n$ are relatively prime, we can cancel out $m$ and obtain $k \equiv j \ (\text{mod} \ n)$. Since both $k$ and $j$ are less than $n$, it must be that $k=j$. So if $k \ne j$, $k \cdot m+h \not \equiv j \cdot m+h \ (\text{mod} \ n)$.

Based on the observation in the above paragraph, the least residues modulo $n$ of the numbers in the $h^{th}$ row must be the set $\left\{0,1,2,\cdots,n \right\}$. This follows from the fact that the $n$ numbers in the $h^{th}$ row are distinct congruent modulo $n$. Hence their least residues must be $n$ distinct numbers too.

So in terms of congruence modulo $n$, the $h^{th}$ row in the matrix is a mirror image of the least resides $\left\{0,1,2,\cdots,n \right\}$. There are exactly $\phi(n)$ many least residues that are relatively prime to $n$. Likewise, there are exactly $\phi(n)$ many numbers in the $h^{th}$ row that are relatively prime to $n$. Furthermore, every number in the $h^{th}$ row is relatively prime to $m$. By Lemma 4, there are exactly $\phi(n)$ many numbers in the $h^{th}$ row that are relatively prime to $mn$. Thus the above claim is established. It follows that the theorem is established. $\blacksquare$

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

# Euler’s phi function, part 1

This is our first post of an introductory discussion on Euler’s phi function. The next post on phi function is here.

___________________________________________________________________________________________________________________

Setting Up the Scene

The starting point of this discussion is the relative primality of two integers. Two positive integers $a$ and $b$ are relatively prime if $1$ is the only common divisor of $a$ and $b$. Note that $a$ and $b$ need not be prime. For example, $a=9$ and $b=14$ are relatively prime, as are $a=9$ and $b=35$. It is clear that $a$ and $b$ are relatively prime if and only if they share no common prime factors. The last point is equivalent to the condition that the greatest common divisor of $a$ and $b$ is $1$. Our notation for greatest common divisor is $\text{GCD}(a,b)$.

If $a$ and $b$ are relatively prime, we also say that $a$ is relatively prime to $b$ or $b$ is relatively prime to $a$. In the remainder of the blog post, $m$ is always a positive integer that is the modulus used for modular arithmetic.

In modular arithmetic where the modulus is $m$, we only need to focus on $m$ distinct numbers, namely the elements in the set $\left\{0,1,2,\cdots,m-1 \right\}$. Any integer is congruent modulo $m$ to exactly one element of this set (the elements of this set are also called the least residues modulo $m$). For convenience, we use the notation $\mathbb{Z}_m=\left\{0,1,2,\cdots,m-1 \right\}$.

An even more interesting set is the set of all integers $a$ in $\mathbb{Z}_m$ such that $a$ and the modulus $m$ are relatively prime. To facilitate the discussion, we describe this set as follows:

$(\mathbb{Z}_m)^*=\left\{a \in \mathbb{Z}_m:\text{GCD}(a,m) =1 \right\}$

When the modulus $m$ is a prime number, $(\mathbb{Z}_m)^*=\left\{1,2,\cdots,m-1 \right\}$, the non-zero elements of $\mathbb{Z}_m$. When the modulus is not prime, there are fewer least residues that are relatively prime to the modulus. The following shows $(\mathbb{Z}_m)^*$ for the first several integers.

$(\mathbb{Z}_{2})^*=\left\{1 \right\}$

$(\mathbb{Z}_{3})^*=\left\{1,2 \right\}$

$(\mathbb{Z}_{4})^*=\left\{1,3 \right\}$

$(\mathbb{Z}_{5})^*=\left\{1,2,3,4 \right\}$

$(\mathbb{Z}_{6})^*=\left\{1,5 \right\}$

$(\mathbb{Z}_{7})^*=\left\{1,2,3,4,5,6 \right\}$

$(\mathbb{Z}_{8})^*=\left\{1,3,5,7 \right\}$

$(\mathbb{Z}_{9})^*=\left\{1,2,4,5,7,8 \right\}$

$(\mathbb{Z}_{10})^*=\left\{1,3,7,9 \right\}$

$(\mathbb{Z}_{11})^*=\left\{1,2,3,4,5,6,7,8,9,10 \right\}$

The following theorem gives some indication why $(\mathbb{Z}_m)^*$ is an interesting set, which provides alternative characterizations of $(\mathbb{Z}_m)^*$.

Theorem 1

Let $a$ be an integer in $\mathbb{Z}_m$. The following conditions are equivalent.

1. $\text{GCD}(a,m)=1$.
2. There is a $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$.
3. Some positive power of $a$ modulo $m$ is $1$, i.e., $a^n \equiv 1 \ (\text{mod} \ m)$ for some positive integer $n$.

$\text{ }$

The number $b$ indicated in condition 2 is said to be the multiplicative inverse of $a$. Theorem 1 says that only the least residues that are relatively prime to the modulus have multiplicative inverses. Condition 3 tells us that to have a power congruent to one, which is of interest in many situations, the base must be relatively prime to the modulus.

We need the following lemma to prove Theorem 1.

Lemma 2

If $\text{GCD}(a,m)=1$, then for any positive integer $n$, $a^n$ is also relatively prime to $m$.

Proof of Lemma 2
Suppose $\text{GCD}(a,m)=1$. By the extended Euclidean algorithm, we have the following:

$ax+my=1 \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

for some integers and $x$ and $y$.

We prove by induction on $n$. When $n=1$, lemma is true. Suppose that $a^n$ is relatively prime to $m$ where $n \ge 1$. We show that $a^{n+1}$ is relatively prime to $m$. Multiple both sides of (1) by $a^n$. We have $a^{n+1} x+m (ya^n)=a^n$. Let $d=\text{GCD}(a^{n+1},m)$. Note that $d$ is a divisor of the left-hand side of $a^{n+1} x+m (ya^n)=a^n$. So $d$ is a divisor of $a^n$. Now we know that $d$ is a common divisor of $a^n$ and $m$. Then $d=1$, which means that $a^{n+1}$ is relatively prime to $m$. $\blacksquare$

Proof of Theorem 1

$\bold 3 \bold \Longrightarrow \bold 2$
Suppose that $a^n \equiv 1 \ (\text{mod} \ m)$ for some positive integer $n$. If $n=1$, then let $b=1$. If $n>1$, then let $b=a^{n-1}$. Either way, there is $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$.

$\bold 2 \bold \Longrightarrow \bold 1$
Suppose there is a $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$. Then we have

$ab+my=1 \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (2)$

for some integer $y$.

Let $d=\text{GCD}(a,m)$. Since $d$ divides both numbers in the left-hand side of (2), $d \ \lvert \ 1$. Then $d=1$.

$\bold 1 \bold \Longrightarrow \bold 3$
Suppose $\text{GCD}(a,m)=1$. Consider the $a^1,a^2,a^3,\cdots$ and then consider their least residues modulo $m$. By Lemma 2, each $a^n$ and $m$ are relatively prime. Hence the least residue of $a^n$ and $m$ are also relatively prime. But there are only finitely many least residues modulo $m$. So there exist positive integers $i the least residues of $a^i$ and $a^j$ are identical.

We have $a^j \equiv a^i \ (\text{mod} \ m)$. Since $a^i$ and $m$ are relatively prime, we can cancel out $a^i$ on both sides. Thus $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. $\blacksquare$

___________________________________________________________________________________________________________________

Euler’s Phi Function

The Euler’s phi function, denoted by $\phi(m)$, is the number of integers $a$ where $0 \le a \le m-1$ such that $a$ and the modulus $m$ are relatively prime. In light of the above discussion, $\phi(m)$ is the number of elements in the set $(\mathbb{Z}_m)^*$. It is also the case that $\phi(m)$ is the number of elements in $\mathbb{Z}_m$ that satisfies any one of the three conditions in Theorem 1.

If the modulus $m$ is a prime number, then $\phi(m)=m-1$. The following shows several values of $\phi(m)$.

\displaystyle \begin{aligned} &\phi(2)=1 \\&\phi(3)=2 \\&\phi(4)=2 \\&\phi(5)=4 \\&\phi(6)=2 \\&\phi(7)=6 \\&\phi(8)=4 \\&\phi(9)=6 \\&\phi(10)=4 \\&\phi(11)=10 \end{aligned}

When the modulus $m$ is a prime number, Fermat’s little theorem tells us that $a^{\phi(m)}=a^{m-1} \equiv 1 \ (\text{mod} \ m)$ for any $a \in (\mathbb{Z}_m)^*=\left\{1,2,3,\cdots,m-1 \right\}$. This fact is true even when the modulus is not prime if the power is kept as $\phi(m)$. We have the following theorem.

Theorem 3 (Euler’s Theorem)

We have $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ for any integer $a$ that is relatively prime to the modulus $m$.

Theorem 3 can also be stated as: $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ for any $a \in (\mathbb{Z}_m)^*$. The proof is amazingly similar to that of Fermat’s little theorem (see the post Proving Fermat’s Little Theorem). We use the following lemma in proving Theorem 3.

Lemma 4

If integers $h$ and $k$ satisfy any condition in Theorem 1, then so does the product $h \cdot k$.

Proof of Lemma 4

Since the 3 conditions in Theorem 1 are equivalent, it does not matter which one we pick. Condition 2 is probably the most convenient. So we show that if $h$ has a multiplicative inverse and $k$ has a multiplicative inverse, then $h \cdot k$ has a multiplicative inverse modulo $m$.

Suppose $h \cdot h_0 \equiv 1 \ (\text{mod} \ m)$ and $k \cdot k_0 \equiv 1 \ (\text{mod} \ m)$ for some integers $h_0$ and $k_0$ in $\mathbb{Z}_m$. We multiply the two congruences and obtain:

$h \cdot h_0 \cdot k \cdot k_0=(h \cdot k) \cdot (h_0 \cdot k_0) \equiv 1 \ (\text{mod} \ m)$

if $h_0 \cdot k_0$ is in $\mathbb{Z}_m$, then it is the multiplicative inverse of $h \cdot k$. If not, then take the least residue mod $m$. $\blacksquare$

Proof of Theorem 3

Let $a$ be an integer that is relatively prime to the modulus $m$, i.e., $\text{GCD}(a,m)=1$. Let $\left\{t_1,t_2,t_3,\cdots,t_{\phi(m)} \right\}$ enumerate the $\phi(m)$ many elements of $(\mathbb{Z}_m)^*$. Multiply these elements by $a$ and we have the following set:

$A=\left\{a \cdot t_1,a \cdot t_2,a \cdot t_3,\cdots,a \cdot t_{\phi(m)} \right\}$

Consider the least residues modulo $m$ of the members of the set $A$. We have:

$B=\left\{b_1,b_2,b_3,\cdots,b_{\phi(m)} \right\}$

Note that for each $b_j \in B$, $b_j \in \mathbb{Z}_m$ and $b_j \equiv a \cdot t_j \ (\text{mod} \ m)$. We have two claims.

• The numbers $b_i$ and $b_j$ are distinct whenever $i \ne j$.
• Each $b_j$ is relatively prime to the modulus $m$, i.e., $b_j \in (\mathbb{Z}_m)^*$ for each $j$.

The first claims tells us that the set $B$ has $\phi(m)$ many distinct elements. The second claims tells us that the set $B$ is a subset of $(\mathbb{Z}_m)^*=\left\{t_1,t_2,t_3,\cdots,t_{\phi(m)} \right\}$. Since the subset $B$ has $\phi(m)$ many distinct elements and $(\mathbb{Z}_m)^*$ has $\phi(m)$ many distinct elements, they must equal. So we have $B=(\mathbb{Z}_m)^*$. With this information, we have the following congruence equation.

$\displaystyle at_1 \cdot a t_2 \cdot a t_3 \cdots a t_{\phi(m)} \equiv t_1 \cdot t_2 \cdot t_3 \cdots t_{\phi(m)} \ (\text{mod} \ m)$

Because each $t_j$ is relatively prime to the modulus, we can cancel out all $t_j$ and obtain:

$\displaystyle a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$

So the theorem hinges on the two claims listed above. We now prove them one by one. To show the first claim, suppose $b_i=b_j$. Then $a \cdot t_i \equiv a \cdot t_j \ (\text{mod} \ m)$. We can cancel out $a$ on both sides since $a$ is relatively prime to $m$. We have $t_i \equiv t_j \ (\text{mod} \ m)$. Since both $t_i$ and $t_j$ are least residues mod $m$, for them to be congruent to each other, the only possibility is $t_i=t_j$. Thus $i=j$. The contrapositive of what we just show is that if $i \ne j$, then $b_i \ne b_j$. So the numbers $b_j$ are all distinct.

To show the second claim, note that $b_j \equiv a \cdot t_j \ (\text{mod} \ m)$. Both $a$ and $t_j$ are relatively prime to $m$. So by Lemma 4, $a \cdot t_j$ is relatively prime to $m$. Hence $b_j$ is relatively prime to the modulus $m$. $\blacksquare$

___________________________________________________________________________________________________________________

The setting for the phi function deserves some comments. The sets $\mathbb{Z}_m$ and $(\mathbb{Z}_m)^*$ defined above can be considered as algebraic objects.

The set $\mathbb{Z}_m=\left\{0,1,2,\cdots,m-1 \right\}$ along with addition and multiplication modulo $m$ is a ring. Thus $\mathbb{Z}_m$ is often called the ring of integers modulo $m$.

Based on Theorem 1 and Lemma 4, the set $(\mathbb{Z}_m)^*$ with the multiplication modulo $m$ is a group, i.e., it is a set with a binary operation called multiplication such that every element has an inverse.

Let the modulus $m$ is a prime number. As indicated above, $(\mathbb{Z}_m)^*=\left\{1,2,\cdots,m-1 \right\}$. An interesting angle is that $\mathbb{Z}_m$ can be considered a commutative ring in which every non-zero element has a multiplicative inverse, i.e., $\mathbb{Z}_m$ is a field (in fact a finite field).

Though we do not focus too much on the algebraic side of things in this blog, $\mathbb{Z}_m$, as a field, plays an important role in number theory and has applications in cryptography.

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$