Lecture 23 - Primitive Roots mod p

# Summary

In today's class we began by paying back some IOUs from last class, in particular proving a lemma and a corollary which allow us to compute the order of a power of a once we know the order of a itself. Afterwards we turned to the question of which moduli have primitive roots, and we began our hunt with prime moduli. In particular we saw that polynomials "behave nicely" modulo p, in the sense that the number of solutions to a congruence $f(x) \equiv 0 \mod{p}$ is bounded by the degree of f (at least when the coefficients of f aren't all multiples of p). We used this to count exactly the number of solutions to a certain congruence, which is a key step in showing that primitive roots exist modulo p.

# Paying back IOUs

Last class period we finished by stating the following

Lemma: Suppose that m and a are integers satisfying $(a,m) = 1$. Then we have

$\displaystyle \mbox{ord}_m(a^i) = \frac{\mbox{ord}_m(a)}{(\mbox{ord}_m(a),i)}$

Proof: Let's write d in place of $(\mbox{ord}_m(a),i)$. We'll also write $\mbox{ord}_m(a) = d \cdot b$ and $i = d\cdot k$. Notice that when we do this, we have $(b,k) = 1$. Now to compute the order of $a^i$, we need to find the smallest positive exponent which sends this element to 1 mod m.

To start, notice that we have

(1)
\begin{align} (a^i)^b \equiv (a^i)^{\frac{\mbox{\tiny{ord}}_m(a)}{d}} \equiv (a)^{\frac{i\cdot \mbox{\tiny{ord}}_m(a)}{d}} \equiv \left(a^{\mbox{\tiny{ord}}_m(a)}\right)^{\frac{i}{d}} \equiv \left(a^{\mbox{\tiny{ord}}_m(a)}\right)^{k} \equiv 1^k \equiv 1. \end{align}

This implies that we have

(2)
\begin{align} \mbox{ord}_m(a^i) \mid b. \end{align}

On the other hand, we know that

(3)
\begin{align} (a)^{i \cdot \mbox{\tiny{ord}}_m(a^i)} \equiv (a^i)^{\mbox{\tiny{ord}}_m(a^i)} \equiv 1 \mod{m} \end{align}

by definition. Hence we know that $\mbox{ord}_m(a) \mid i \mbox{ord}_m(a^i).$ Considering $bd = \mbox{ord}_m(a)$ and $kd = i$, this means we get $bd \mid (kd)\mbox{ord}_m(a^i).$ Canceling the "d" on both sides then gives $b \mid k \mbox{ord}_m(a^i)$, and since $(b,k) = 1$ we conclude that

(4)
\begin{align} b \mid \mbox{ord}_m(a^i). \end{align}

Putting together Equations (2) and (4) gives $b = \mbox{ord}_m(a^i)$. $\square$

## Counting Primitive Roots

A nice consequence of the previous result is that we can count primitive roots — at least when they exist.

Corollary: Suppose that a primitive root exists mod m. Then there are $\phi(\phi(m))$ many primitive roots.

Proof: Let a be a primitive root. We already know that all reduced residues take the form $a^k$ where $1 \leq k \leq \phi(m)$, and the previous result tells us that

(5)
\begin{align} \mbox{ord}_m(a^k) = \frac{\mbox{ord}_m(a)}{(\mbox{ord}_m(a),k)} = \frac{\phi(m)}{(\phi(m),k)}. \end{align}

Hence we see that $a^k$ has order equal to $\phi(m)$ precisely when $(\phi(m),k) = 1$. By the definition of the $\phi$ function, there are precisely $\phi(\phi(m))$ many choices for k that satisfy this criterion. $\square$
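As an added worked example (not part of the lecture notes), here is a short Python script that computes $\mbox{ord}_m(a)$ by brute force, checks the lemma $\mbox{ord}_m(a^i) = \mbox{ord}_m(a)/(\mbox{ord}_m(a),i)$ for every unit a and every exponent i, and compares the number of primitive roots with $\phi(\phi(m))$. The function names (`order`, `phi`, `primitive_roots`, `count_matches_corollary`) are my own choices, and the moduli in the usage lines are just small test cases.

```python
from math import gcd


def phi(n):
    """Euler's totient by direct count: the number of 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def order(a, m):
    """ord_m(a): the least e >= 1 with a^e = 1 (mod m). Brute force, so only for small m."""
    if m < 2 or gcd(a, m) != 1:
        raise ValueError("order is only defined for units a modulo m >= 2")
    e, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        e += 1
    return e


def check_power_order_lemma(m):
    """Verify ord_m(a^i) = ord_m(a) / gcd(ord_m(a), i) for every unit a and every 1 <= i <= phi(m)."""
    units = [a for a in range(1, m) if gcd(a, m) == 1]
    for a in units:
        oa = order(a, m)
        for i in range(1, len(units) + 1):
            if order(pow(a, i, m), m) != oa // gcd(oa, i):
                return False
    return True


def primitive_roots(m):
    """All primitive roots mod m, i.e. units whose order is phi(m)."""
    t = phi(m)
    return [a for a in range(1, m) if gcd(a, m) == 1 and order(a, m) == t]


def count_matches_corollary(m):
    """True iff #primitive roots == phi(phi(m)); None when there are no primitive roots mod m,
    since the corollary only applies when one exists."""
    roots = primitive_roots(m)
    if not roots:
        return None
    return len(roots) == phi(phi(m))


if __name__ == "__main__":
    for m in (7, 9, 10, 15, 17):
        print(m, "lemma holds:", check_power_order_lemma(m),
              "primitive roots:", primitive_roots(m),
              "count matches phi(phi(m)):", count_matches_corollary(m))
```

Note that for m = 15 the script finds no primitive roots at all, so the corollary says nothing there (the function returns `None`); the lemma about $\mbox{ord}_m(a^i)$ still holds for every unit mod 15, since it never assumed a primitive root exists.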

# Which numbers have primitive roots?

Now that we have these results, it's natural to ask: for what values of m are there primitive roots mod m? We'll start answering this question by investigating the situation when we have a prime modulus p.

To begin this investigation, we need to think about solutions to polynomials mod p. To motivate things, let's think about our usual experiences in solving equations of the form $f(x) = 0$. In this case, we have a result that tells us that a polynomial of a given degree doesn't have too many roots.

Fundamental Theorem of Algebra: A polynomial of degree $n \geq 1$ with real coefficients has exactly n complex roots (counted with multiplicity), and therefore at most n distinct real roots.

If we consider polynomials mod a given integer, though, this kind of result might not still hold.

##### Example

Consider the polynomial $f(x) = x^2-1$. How many solutions does $f(x) \equiv 0$ have mod 15? It turns out that there are 4 solutions, namely $x \equiv 1, 4, 11, 14 \mod{15}$ (check: $4^2 = 16$, $11^2 = 121$ and $14^2 = 196$ are each 1 more than a multiple of 15). That is more than we might typically expect, since the polynomial has degree 2. $\square$

Though we might get more solutions to a given polynomial for a general modulus m, the situation for a prime modulus p is more in line with what we're used to.

Lagrange's Theorem: Let p be prime and let

$f(x) = a_nx^n + a_{n-1}x^{n-1} + \cdots + a_1x + a_0$

be a polynomial of degree $n \geq 1$ with integer coefficients so that not every coefficient is divisible by p. Then $f(x)$ has at most n distinct solutions mod p.

Proof: We'll prove the result by induction. In the case that $n=1$, we're looking to count the roots of a linear polynomial $a_1x + a_0 \equiv 0 \mod{p}$. Now if $p \nmid a_1$ then we get $(a_1,p) = 1$, and so the linear congruence

(6)
\begin{align} a_1x^1 \equiv -a_0 \mod{p} \end{align}

has exactly one solution. In the case $p \nmid a_1$, then, we've established what we wanted to prove. If, on the other hand, we have $p \mid a_1$ then we can conclude that $p \nmid a_0$ (since not all the coefficients are allowed to be divisible by p). In this case we get

(7)
\begin{align} f(x) \equiv a_1x + a_0 \equiv a_0 \not\equiv 0 \mod{p}. \end{align}

So the polynomial is a non-zero constant function, and hence has no solutions. In this case, then, we again have that the linear polynomial has no more than 1 solution mod p.

So suppose that we know the result for polynomials of degree n, and let $f(x)$ be a polynomial of degree n+1 where not every coefficient of f is divisible by p. If f has no roots mod p then we're done. Otherwise, suppose that a is a solution; i.e., that $f(a) \equiv 0 \mod{p}$. Dividing the polynomial $f(x)$ by $x-a$ then gives

(8)
$$f(x) = (x-a)q(x)+r$$

where r is a polynomial of degree 0 (i.e., r is just an integer) and $q(x)$ is a polynomial of degree n with integer coefficients (the division works over the integers because $x-a$ is monic). Taking this equation mod p and evaluating at $x = a$ then shows that

(9)
\begin{align} 0 \equiv f(a) \equiv (a-a)q(a)+r \mod{p}, \end{align}

and hence we know $r \equiv 0 \mod{p}$.

Because of this, we can conclude that not every coefficient of q can be divisible by p. To see that this is true, notice that otherwise (i.e., if every coefficient of q was divisible by p), this would force every coefficient of f to be divisible by p — something we know doesn't hold.

Now if b is any solution to $f(x) \equiv 0 \mod{p}$ then we have $0 \equiv f(b) \equiv (b-a)q(b) \mod{p}$, meaning that $p \mid (b-a)q(b)$. By Euclid's Lemma we conclude that $p \mid b-a$ or $p \mid q(b)$. In the first case we have $b \equiv a \mod{p}$, and in the second we get that b is a root of $q(x)$ mod p. So we see that any root of f is either a root of $x-a$ or a root of $q(x)$, so that

(10)
\begin{align} \#\mbox{roots of }f(x) \leq \#\mbox{roots of }(x-a) + \#\mbox{roots of }q(x) \end{align}

Since $q(x)$ is a polynomial of degree n which doesn't have all its coefficients divisible by p, there are at most n roots of $q(x)$ mod p. Equation (10) then says that there are at most n+1 solutions to $f(x)$ mod p. $\square$
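To make the proof concrete, here is an added Python example (mine, not from the lecture) that counts the roots of a polynomial mod m by exhaustion, carries out the division by $x-a$ from Equation (8) by synthetic division so you can see that the remainder is $f(a)$, and checks Lagrange's bound exhaustively for every polynomial of a given degree over a small prime, while also showing the bound failing for $x^2-1$ mod 15 from the example above. Coefficients are passed highest degree first; the function names are my own.

```python
from itertools import product


def poly_eval_mod(coeffs, x, m):
    """Evaluate f(x) mod m by Horner's rule. coeffs lists a_n, ..., a_1, a_0 (highest degree first)."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % m
    return acc


def roots_mod(coeffs, m):
    """All residues r in [0, m) with f(r) = 0 (mod m), found by exhaustive search."""
    return [r for r in range(m) if poly_eval_mod(coeffs, r, m) == 0]


def degree_mod(coeffs, m):
    """Degree of f once its coefficients are reduced mod m; None if every coefficient is divisible by m."""
    reduced = [c % m for c in coeffs]
    for idx, c in enumerate(reduced):
        if c != 0:
            return len(reduced) - 1 - idx
    return None


def divide_by_linear(coeffs, a, m):
    """Synthetic division of f by (x - a) mod m: returns (q, r) with f(x) = (x - a) q(x) + r.
    The remainder r equals f(a), which is why a root a gives r = 0 (Equation (9) in the notes)."""
    q, acc = [], 0
    for c in coeffs:
        acc = (acc * a + c) % m
        q.append(acc)
    r = q.pop()  # the final accumulator value is f(a); everything before it is q
    return q, r


def lagrange_bound_holds(coeffs, m):
    """True iff #roots of f mod m <= deg(f mod m). Lagrange's theorem says this always holds
    for prime m; it can fail for composite m."""
    d = degree_mod(coeffs, m)
    if d is None:
        raise ValueError("every coefficient is divisible by the modulus; the theorem does not apply")
    return len(roots_mod(coeffs, m)) <= d


def lagrange_holds_for_all(p, n):
    """Exhaustively check the bound for every polynomial of degree <= n over Z/pZ that is not identically 0."""
    for coeffs in product(range(p), repeat=n + 1):
        if any(coeffs) and not lagrange_bound_holds(list(coeffs), p):
            return False
    return True


if __name__ == "__main__":
    x2_minus_1 = [1, 0, -1]
    print("roots of x^2 - 1 mod 15:", roots_mod(x2_minus_1, 15))   # 4 roots for a degree-2 polynomial
    print("roots of x^2 - 1 mod 7:", roots_mod(x2_minus_1, 7))     # 2 roots
    print("(x^2 - 1) / (x - 1) mod 7 -> q, r =", divide_by_linear(x2_minus_1, 1, 7))
    print("bound holds for all cubics mod 5:", lagrange_holds_for_all(5, 3))
```

The exhaustive check is only feasible for tiny p and n (it tries $p^{n+1}$ polynomials), but it is a useful sanity check on the theorem's hypothesis: `degree_mod` reduces the coefficients first, and raises if they all vanish mod p, which is exactly the case the theorem excludes.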

Though this result gives an upper bound on the number of solutions a particular polynomial can have mod p, for certain special polynomials this is enough to count solutions exactly.

Lemma: For $d \mid p-1$, the polynomial $x^d-1$ has exactly d roots mod p.

Proof:
Fermat's Little Theorem says that $a^{p-1} \equiv 1 \mod{p}$ whenever $(a,p) = 1$. This means that the polynomial $x^{p-1} - 1$ has $p-1$ distinct solutions mod p.

Now if $d \mid p-1$ then we get $de = p-1$ for some integer e. Hence we can factor the polynomial $x^{p-1}-1$ as

(11)
\begin{align} x^{p-1}-1 = (x^d-1)(x^{p-1-d}+x^{p-1-2d}+\cdots+x^{p-1-(e-1)d}+x^{p-1-ed}) = (x^d-1)(x^{d(e-1)}+x^{d(e-2)}+\cdots+x^{d(1)}+1). \end{align}

Now the polynomial on the left hand side has exactly p-1 roots. By Lagrange's theorem, the first polynomial in the factorization on the right hand side has at most d roots, and the second polynomial on the right hand side has at most $d(e-1)$ roots.

(12)
\begin{align} \underbrace{x^{p-1}-1}_{p-1\mbox{\tiny{ roots}}} = \underbrace{(x^d-1)}_{\leq d\mbox{\tiny{ roots}}}\underbrace{(x^{d(e-1)}+x^{d(e-2)}+\cdots+x^{d(1)}+1).}_{\leq d(e-1)\mbox{\tiny{ roots}}} \end{align}

Notice that if $x^d-1$ had fewer than d distinct roots, then (since by Euclid's Lemma every root of the product is a root of one of the two factors) the right side would have at most $d-1+d(e-1) = d-1+de-d = p-2$ roots, contrary to the fact that it has $p-1$ roots because it equals the left-hand side of the equation. We conclude, then, that $x^d-1$ has exactly d distinct roots, as desired. $\square$

The benefit of the previous lemma is that it provides a means for calculating precisely how many elements of a given order exist mod p.

Here are the important consequences:

Theorem: If $d \mid p-1$, then there are precisely $\phi(d)$ elements of order d mod p.

As a corollary to this result we have

Corollary: For any prime p, there are exactly $\phi(p-1)$ many primitive roots. In particular, primitive roots exist for every prime p.
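Since the proofs are deferred to next class, here is an added Python example (mine, not part of the notes) that checks both statements numerically for small primes. It also shows the standard way to test whether an element has exact order d without computing its order by brute force: a has order exactly d iff $a^d \equiv 1$ and $a^{d/q} \not\equiv 1 \mod{p}$ for every prime $q \mid d$, because $a^d \equiv 1$ forces $\mbox{ord}_p(a) \mid d$, and any proper divisor of d divides $d/q$ for some prime q. This is the same check one runs in practice to confirm that a proposed generator really has the order it is claimed to have. The function names are my own.

```python
from math import gcd


def prime_factors(n):
    """Distinct prime divisors of n, by trial division (n is small here)."""
    primes, q = [], 2
    while q * q <= n:
        if n % q == 0:
            primes.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if n > 1:
        primes.append(n)
    return primes


def phi(n):
    """Euler's totient by direct count."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def roots_of_x_d_minus_1(p, d):
    """Residues a mod p with a^d = 1 (mod p); the Lemma says there are exactly d of them when d | p-1."""
    return [a for a in range(1, p) if pow(a, d, p) == 1]


def has_exact_order(a, d, p):
    """True iff ord_p(a) = d, tested without computing the order by brute force:
    a^d = 1 (so ord_p(a) | d) and a^(d/q) != 1 for each prime q | d (so no proper divisor
    of d works, because every proper divisor of d divides d/q for some prime q)."""
    if pow(a, d, p) != 1:
        return False
    return all(pow(a, d // q, p) != 1 for q in prime_factors(d))


def elements_of_order(p, d):
    """All a mod p with ord_p(a) = d; the Theorem says there are phi(d) of them when d | p-1."""
    return [a for a in range(1, p) if has_exact_order(a, d, p)]


def primitive_roots_mod_prime(p):
    """Primitive roots mod p, i.e. elements of order p-1; the Corollary says there are phi(p-1)."""
    return elements_of_order(p, p - 1)


def order_counts_match(p):
    """Check, for every d | p-1, that #{a : a^d = 1} = d and #{a : ord_p(a) = d} = phi(d)."""
    for d in range(1, p):
        if (p - 1) % d == 0:
            if len(roots_of_x_d_minus_1(p, d)) != d:
                return False
            if len(elements_of_order(p, d)) != phi(d):
                return False
    return True


if __name__ == "__main__":
    for p in (7, 11, 13, 31, 101):
        print(p, "primitive roots:", primitive_roots_mod_prime(p),
              "phi(p-1) =", phi(p - 1), "all counts match:", order_counts_match(p))
```

The order test in `has_exact_order` needs the prime factorization of d, which is why, whenever this check is used for real parameters, the factorization of $p-1$ (or at least of the intended order d) has to be known in advance; the modular exponentiations themselves are cheap via `pow(a, e, p)`.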

We'll prove these results at the beginning of next class.