Prime Numbers. Difficulties in Factoring a Number: from the Perspective of Computation. Computation Theory. Turing Machine 電 腦 安 全

Transcription

1 Prime Numbers Difficulties in Factoring a Number: from the Perspective of Computation 電 腦 安 全 海 洋 大 學 資 訊 工 程 系 丁 培 毅 Prime number: an integer p> that is divisible only by and itself, ex., 3, 5, 7,, 3, 7 Composite number: an integer n> that is not prime; can be expressible as a product a b of integers with < a, b< n; the prime factorization of n is unique Fact: there are infinitely many prime numbers. (by Euclid) Prime Number Theorem: the number of primes less than x, π(x) x/ln x How difficult is it to certify a prime number? How difficult is it to factor a composite number? Computation Theory Turing Machine Complexity Theory: central problem What makes some problems computationally hard and others easy? major achievements. Schemes for classifying problems of different computational difficulties. Options in confronting a difficult problem What is the most difficult part of a problem? Can we alter this part to avoid that problem? ComplexityComputability Are there sub-optimal or heuristic solutions to a problem? Theory Theory What kind of instance of a problem is hard? Is there a randomized computable algorithm for a problem? Automata Computability Theory: Theory central problem What is computable? What is not computable? in what model? major achievements. Theoretical models of computers (ex. LBA, DTM, NTM, ). Classify problems as solvable or non-solvable Automata Theory: definitions and properties of mathematical models of computation Finite automata: text processing, compilers, H/W design Push down automata: programming language, artificial intelligence 3 Complexity / Computability is defined w.r.t. a certain model of computation state read/write head Turing Machine Alan Turing, 936 d a c b a Similar to finite automaton but with an unlimited and unrestricted memory Formally, a 7-tuple (Q, Σ, Γ, δ, q 0, q accept, q reject ). Q is the set of states. Σ is the input alphabet not containing the special blank symbol 3. Γ is the tape alphabet, where Γand Σ Γ 4. δ: Q Γ Q Γ {L, R} is the transition function 5. q 0 Q is the initial state 6. q accept Q is the accept state 7. q reject Q is the reject state, where q reject q accept 4

2 Turing Machine (cont d) TM computes as follows: M s input w = w w w n Σ * on the leftmost n squares of the tape, the rest of the tape are blanks (the first marks the end) Initial state is q 0 read/write head starts on the leftmost square Computation proceeds according to the transition function δ If M tries to move its head to the left off the left hand end of the tape, the read/write head stays at the same place for that move state The computation continues until it enters either the accept or reject state. If neither occurs, M goes on forever. d read/write head a c b a 5 DTM vs. NTM Deterministic Turing Machine: at any time, a DTM knows its next configuration (the state, the tape head, the tape content) for sure; a single configuration specified by its transition function δ: Q Γ Q Γ {L, R} Non-deterministic Turing Machine: at each moment, an NTM has several choices to proceed as the next configurations. i.e. the range of the transition function is modified to be a set: δ: Q Γ P (Q Γ {L, R}) NTM has two equivalent evaluation ways if you only consider the capability: Process in a parallel fashion Process in a probabilistic fashion Probabilistic one seems slower. If you consider the time complexity, in polynomial time, the parallel one defines class NP, and the probabilistic one defines class BPP. Security professionals surely believe that BPP NP. NTM can be proved to be equivalent to DTM 6 Deterministic vs. Nondeterministic Many-One (Mapping) Reducibility Def: Given two problems P and Q, P is reducible to Q iff there exists a TM M τ (computable function, algorithm, program, etc) which can transform every instance in P to an instance of Q Mτ x x P x x Q x accept or reject accept or reject Properties: capture the difficulties between problems If Q is solvable, then P is also solvable If P is a well known unsolvable problem and can be reduced to Q, then Q is also unsolvable Extension: Efficient mapping reducibility - M τ is poly-time Note that an NTM decider halts on all branches. 7 8

3 Turing Reducibility There are some intuitive reducibility cases that cannot be captured by mapping reduction, e.g. A TM and A TM seem to be reducible to one another (a solution to either one could be used to solve the other by simply reversing the answer). However, A TM is not mapping reducible to A TM because it is not Turingrecognizable (find a solution to map each unacceptable <M, w> to an acceptable <M, w> is clearly not possible) Need a general notation that captures more problem reductions. Def: Given two problems P and Q, P is Turing reducible to Q iff there exists an oracle TM M A,which given an oracle A for solving problem Q, can solve every instance in P i.e. M A using A as a subroutine (a blackbox) and can invoke A for regular regular expression Language Classes context sensitive grammar regular context free grammar context free grammar push down automata (PDA) recursive recursive enumerable Not Turing recognizable, Nor co-recognizable context sensitive grammar linear bounded automata (LBA) Semi-solvable solvable (problem) Recursive enumerable recursive (language) Turing recognizable Turing decidable Turing enumerable? µ-recursive function decidable? Primitive recursive function (TM can decide)? Unrestricted grammar computable (function) (TM can semi-decide) (polynomially) many times 9 * Unsolvable means undecidable (includes semi-solvable and totally unsolvable) 0 co-turing recognizable Language Examples regular: closed under union, intersection, and complement Σ = {0, }, 0*0*, Σ*Σ*, Σ*00Σ*, (ΣΣ)*, 0 0, (0 ε)* D={w w has an equal number of occurrence of 0 and 0 as substrings}, B n ={a k where k is a multiple of n, n }, C n ={x x is a binary number that is a multiple of n} CFL: closed under union B={0 n n n 0}, C={w w has equal number of 0 s and s} D={ n n 0}, E={0 i j i j}, {0 n m 0 n m, n 0} {0 m n m n}, {a i b j c k i,j,k 0 and i=j or i=k}, {ww R w {0,}*}, {w w {0,}* and w is not a palindrome} CSL: {w w w {0,}*}, {w # w w {0,}*}, {w w w w {0,}*}, {a n b n c n n 0}, {a i b j c k 0 i j k}, {a n n 0}, {a i b j c k i j=k, i, j, k }, {#x #x # #x l x i {0,}*, x i x j, i j}, {<G> G is a connected undirected graph}, {w w is a palindrome}, Language Examples (cont d) Recursive (Turing computable, infinite tape required) or or {p p is a polynomial with two or more variables with an integral root} Hilbert s 0th E LBA, E TM, REGULAR TM, CFL TM (Rice Thm: Testing any property (ex. CS, CF, regular, finite decidable) of L(M), M is a TM, is non-decidable), ALL CFG, PCP, {incompressible strings} Recursive Enumerable (Turing recognizable) A TM, HALT TM co-turing recognizable A TM, HALT TM, EQ CFG, MIN TM, Th(N, +, ), Not Turing recognizable nor co-turing recognizable EQ TM, EQ TM, A REX, E REX, EQ REX, A NFA, E NFA, EQ NFA, A DFA, E DFA, A CFG, E CFG, A LBA

4 P: O(n k ) Complexity Classes the class of problems that can be polynomially decided by a DTM NP: polynomially decided by an NTM (has a polynomial time verifier) P NP worst case is difficult to solve, general instances might be easy witness can be verified in polynomial time BPP: polynomially decided by a probabilistic TM (a sort of NTM) BPP NP (BPP =? NP) RP: BPP with one-sided error probability (accept with error prob < /, reject with prob. ) RP BPP NP 3 Complexity Classes (cont d) EXPTIME: O( nk ) decided by a DTM in exponential time steps P NP EXPTIME n! is larger than e n ; however TSP EXPTIME NP-hard: (non-deterministic polynomial time hard) For all decision problems in NP, there is a polynomial-time many-one reduction to H, which is in NP-hard the problem H is NP-hard if for every decision problem L in NP there is an oracle machine that has an oracle for solving H and this oracle machine can solve L in polynomial time (poly-time Turing reduction) NP-complete: NP-hard NP 4 Complexity Classes (cont d) Refining Complexity Classes PSPACE: can be solved by a deterministic TM with the memory requirement a polynomial in n NPSPACE: nondeterministic TM, polynomial space P NP PSPACE=NPSPACE EXPTIME PSPACE-complete IP: IP = PSPACE EXPSPACE: exponential space is required L: sublinear space, deterministic TM NL: sublinear space, nondeterministic TM NL-complete 5 TM recognizable TM decidable NP BPP NPC P EXPTIME NPHard co-np PSPACE/IP EXPSPACE co-tm recognizable 6

5 Refining Complexity Classes NP vs. co-np Four possibilities: REX P P = NP = co-np NP = co-np P CFL P most unlikely NP might be closed under complement NL=coNL co-np P = NP co-np NP co-np NP co-np P NP most likely 7 8 NP-Complete problems CIRCUIT-SAT ALL-NPs SAT Bounded-Tiling 3SAT CLIQUE SUBSET-SUM VERTEX-COVER HAM-CYCLE TSP 9 PRIMES: Problem Definitions the problem to decide if an integer is a prime number in terms of language decidability, the language L is {the set of all prime numbers} COMPOSITES: the problem to decide if an integer is composite (i.e. not prime) PAPP: (Prime Absolute Pseudo Prime) the problem to decide if an integer passes Fermat tests to all bases (i.e. an absolute pseudoprime (Carmichael number) or a prime) FACTORING: (this is a search problem) the problem to find factors of a composite integer 0

6 Pseudoprimes Def: a pseudoprime to the base b is a composite positive integer n such that the integer b satisfies b n- (mod n) Ex. 34= 3, 56=3 7, and 645= are pseudoprimes to the base There are 455,05,5 primes less than 0 0 but only 4884 pseudoprimes to the base. There are infinitely many pseudoprimes to any given base. Note: 34 is not a pseudoprime to the base 7 Def: a Carmichael Number (an absolute pseudoprime) is a composite integer that satisfies b n- (mod n) for all positive integers b where gcd(b,n) = Pseudoprimes (cont d) Ex. 56=3 7 and 660=7 3 4 are Carmichael numbers If gcd(b, 56) = then gcd(b,3)=gcd(b,)=gcd(b,7)=. From Fermat s Little Theorem, b 3, b 0, and b 6 7. Consequently, b (b ) 80 3, b 560 (b 0 ) 56, and b (b 6 ) By CRT, b If n=q q q k, q j are distinct primes that satisfy (q j -) (n-) for all j, then n is a Carmichael number There are infinitely many Carmichael numbers. (conjectured 9 by Carmichael, proved 99 Alford, Granville and Pomerance) 43 Carmichael numbers not exceeding 0 6, and 05, of them not exceeding 0 5 Carmichael numbers cannot be distinguished from a prime number by Fermat Test with respect to any integer base PAPP Def: PAPP={p p is a prime number or an absolute pseudoprime} Claim: PAPP is a decidable problem Fermat Test a probabilistic poly-time algorithm to decide PAPP: given an integer p, step. randomly pick a < p and compute b p a p- step. if b p reject (i.e. declare p PAPP), else repeat for k times step 3. accept (declare p PAPP) otherwise This PPT algorithm decides PAPP with a one-sided error rate, Pr{Fermat Test declares x PAPP x PAPP}= -k Error Probability of the Fermat Test Lemma: for any integer n >, if n fails the Fermat test to some base a in Z n, then n fails the Fermat test to at least half of all numbers in Z n i.e. n PAPP Proof: given a Z n such that a n- n, ( i.e. a is a witness for the composite number n) we want to prove that for any non-witness h, i.e. h n- n, there exists a unique witness t such that t n- n i.e. #witnesses n/ let n = q r and gcd(q, r) = (for applying CRT) t n-. Construct t q h r a, in that case, t n- n q r i.e. t is a witness (note that we assume a n- n kr + ; otherwise construct t r h q a) Pr{Fermat Test declares x PAPP x PAPP}=0 3. if h' h then t' t from CRT, i.e. t is a distinct witness 4

7 Error Probability (cont d) The previous lemma implies that for an n PAPP if you randomly pick a number a Z n and perform the Fermat test to this base on n, you have a probability greater than 0.5 for getting a witness in Z n i.e. Pr{a single repetition of FT declares n PAPP n PAPP} / with k repetitions (each picks independently a base), Pr{Fermat Test declares n PAPP n PAPP} -k 5 Miller-Rabin Test Fermat test cannot distinguish Carmichael numbers from true prime numbers while the Miller-Rabin Test can. Miller-Rabin test for primality utilizes another number theory property: The number has exactly two square roots, and, modulo any prime number p For a composite number c, could be a Carmichael number, has four or more square roots modulo c One pass in Miller-Rabin test: if a number p passes the Fermat test to the base a, the algorithm finds one of the square roots of modulo p at random and determines whether that square root is or -. If it is not, we know that the number p is not a prime i.e. starting from p a p-, a (p-)/ is a square root of, a (p-)/4 6 Basic Factoring Principle Let n be an integer and suppose there exist integers x and y with x y (mod n), but x ±y (mod n). Then n is composite, both gcd(x-y, n) and gcd(x+y, n) are nontrivial factors of n. Proof: let d = gcd(x-y, n). Case : assume d = n x y (mod n) contradiction Case : assume d is (the trivial factor) x y (mod n) x -y = (x-y)(x+y) = k n d= means gcd(x-y, n)= n x+y x -y (mod n) contradiction Case and implies that < d < n i.e. d must be a nontrivial factor of n 7 One Pass of Miller-Rabin Primality Test Is n a composite number? Let n > be odd, write n- = k m with m being odd Choose a random integer a with < a < n- n will pass Fermat test Compute b 0 a m (mod n) n is a pseudoprime if b 0 ± (mod n), stop, n is probably prime Compute b b 0 (mod n) if b (mod n), stop, gcd(b 0 -, n) is a factor of n if b - (mod n), stop, n is probably prime Compute b b (mod n).. Compute b k- b k- (mod n) if b k- (mod n), stop, gcd(b k- -, n) is a factor of n if b k- - (mod n), stop, n is probably prime Compute b k b k- (mod n) if b k (mod n), stop, gcd(b k- -, n) is a factor of n otherwise n is composite (Fermat Little Thm, b k a n- (mod n)) 8

8 One Pass of MRP Test (cont d) In summary: there are 4 possible sorts of sequences for b 0, b, b, b i-, b i, b k : 34,, 5,,,,,, composite, factored 45, 5634, 35, 3, -,,, possibly prime ±,,,, possibly prime 4, 987,, 893, 3, 34 composite 9 Strong Pseudoprime If n passes the Miller-Rabin test with base a (without being identified as a composite), we say that n is a strong pseudoprime number to the base a. Ex. 047 is a strong pseudoprime to the base Up to 0 0, there are only 39 strong pseudoprime numbers to the base There are infinitely many strong pseudoprimes to the base There is no parallel set in strong pseudoprimes to the Carmichael numbers as to the pseudoprime. 30 Error Probability of MRP-Test Def: PRIMES = {p p is a prime number} The Miller Rabin Primality test selects a,, a k randomly in Z p, and repeats the previous square root test for k times, is a probabilistic polynomial time algorithm The maximum error probability is Pr{MR declares x PRIMES x PRIMES} = -k even stronger Pr{MR declares x PRIMES x PRIMES} = 4 -k On the other hand Pr{MR declares x PRIMES x PRIMES} = 3 Error Probability (cont d) Lemma : Pr{MR declares x PRIMES x PRIMES} = the MR algorithm rejects x only when ) a x- x and ) successive square roots of a x- ever x ; however, both cases imply that x must be a composite, contradiction with the assumption x PRIME Lemma : Pr{MR declares x PRIMES x PRIMES} = -k We want to show that if p is an odd composite number and a is selected randomly in Z p, Pr{a is a composite witness} > / i.e. we would like to demonstrate that at least as many witnesses as non-witnesses exist in Z p ; we could prove that for any non-witness h, i.e., there exists a unique witness b i.e. #witnesses>p/ 3

9 Error Probability (cont d) Ken Rose, Elementary Number Theory, 4-th Ed. A/W Thm 6.0 (in Ken. Rosen): If n is an odd composite positive integer, then n passes Miller-Rabin s test for at most (n-)/4 bases b with b n- Stronger convergence property Thm 6.: Pr{MR declares x PRIMES x PRIMES} = 4 -k Conjecture 6.: Generalized Riemann hypothesis For every composite positive integer n, there is a base b with b < (log n), such that n fails Miller-Rabin s test for the base b Error Probability (cont d) Thm 6.: If the generalized Riemann hypothesis is valid, then there is an algorithm to determine whether a positive integer n is prime using O((log n) ) bit operations One Pass of Miller-Rabin Primality Test Both of these two tests can identify subsets of composite numbers I = P C I: integers C = SPP a SPP a = PP a PP a SPP a PP a PP a SPP a C P: prime numbers SPP a PP a SPP a : strong pseudo prime numbers for base a, the set of composite n where M-T test says probably prime C: composite numbers PP a : pseudo prime numbers for base a, the set of composite : mysterious part n where a n- (mod n) not prime, but cannot be identified as composite 35 Miller-Rabin Primality Test Both of these two tests can identify subsets of composite numbers I = P C I: integers C = SPP SPP = CM CM φ =? SPP CM CM SPP C P: prime numbers SPP CM SPP: strong pseudo prime numbers for all base a, the set of composite n where M-T test says probably prime C: composite numbers CM: Carmichael numbers the set of composite n where a n- (mod n)? : mysterious part for all base a not prime, but cannot be identified as composite 36

10 Practical Question Consider a composite number n = p q, where p and q are two large prime numbers, each with k/ bits Applying Miller-Rabin test on n for k times, the probability that n is not detected as a composite is less than -k which is extremely small if k is say 04 Note that n must at least satisfy n PAPP otherwise Miller-Rabin test will factor n in the process of identifying its compositeness But there is still some chance that for some base a, n passes the Fermat test but detected by the Miller-Rabin test Is n still hard to be factored? Actually, factoring n is a hard non-poly time problem: COMPOSITES NP COMPOSITES There are several kinds of witnesses for a composite number (an instance of COMPOSITES), ex: A factor of it (one of them is enough) or A positive integer a such that a n- (mod n) or A positive integer a such that a n- (mod n) and a s j ± (mod n) and a s j+ (mod n) where n- = s k and s is an odd integer, 0 j<k actually, COMPOSITES RP BPP NP use the probabilistic Miller-Rabin algorithm to decide if a number is a composite number the error probability: If x COMPOSITES, Pr{accept x} > / GNFS: exp{(.93+o())}(ln(n)) /3 (ln(ln(n))) /3 If x COMPOSITES, Pr{reject x} = PRIMES The complement of COMPOSITES PRIMES CoNP by definition PRIMES NP There are several kinds of witnesses for a prime number (an instance of PRIMES) ex. Pratt certificate Atkin-Goldwasser-Kilian-Morain certificate PRIMES RP BPP NP use the probabilistic Miller-Rabin algorithm to decide if a number is a prime number the error probability: If x PRIMES, Pr{accept x} = If x PRIMES, Pr{reject x} > / 39 Prime Witness: Pratt Certificate By applying Fermat s little theorem converse to n and recursively to each purported factor of n-, a certificate for a given prime number n can be generated. (for prime < 0 0 ) ex. n = 799, n- = 798 = 37 07, let a = , 7 798/ 799, 7 798/37 799, 7 798/ n = is called self-witness n = 37, n- = 36 = 3, let a =, 36 37, 36/ 37, 36/3 37 n = 07, n- = 06 = 53, let a =, 06 07, 06/ 07, 06/53 07 n = 53, n- = 5 = 3 let a =, 5 53, 5/ 53, 5/3 53 n = 3, n- = = 3 let a =, 3, / 3, /3 3 n = 3, n- = = let a =, 3, / 3 40

11 Pratt Certificate: an example Atkin-Goldwasser-Kilian-Morain Certificate = = 3 06= 53 5= 3 = 3 is a self witness A recursive primality certificate: (for prime > 0 0 ) A point on an elliptic curve C y = x 3 + g x + g 3 (mod p) for some number g and g 3 A prime q with q > (p /4 + ), such that for some other number k and m=kq with k, mc(x,y,g,g3,p) is the identity on the curve, but kc(x,y,g,g 3,p) is not the identity. This guarantees primality of p by a theorem of Goldwasser and Killian (986). Each q has its recursive certificate following it. So if the smallest q is known to be prime, all the numbers are certified prime up the chain. 4 4 Related Theorems Fermat s Little Theorem Euler s Theorem Carmichael Theorem Fermat Little Theorem Converse 43 Fermat s Little Theorem If p is a prime, pfa then a p- (mod p) Proof: let S = {,, 3,, p-} (Z p* ), define ψ(x) a x (mod p) be a mapping ψ: S Z x S, ψ(x) 0 (mod p) x S, ψ(x) S, i.e. ψ: S S x, y S, if x y then ψ(x) ψ(y) since ( Fair-MAH ) if ψ(x) a x 0 (mod p) x 0 (mod p) since gcd(a, p) = if ψ(x) ψ(y) a x a y x y since gcd(a, p) = from the above two observations, ψ(), ψ(),... ψ(p-) are distinct elements of S... (p-) ψ() ψ()... ψ(p-) (a ) (a ) (a (p-)) a p- (... (p-)) (mod p) since gcd(j, p) = for j S, we can divide both side by,, 3, p-, and obtain a p- (mod p) 44

12 Fermat s Little Theorem Converse For an odd integer n, if a, a n- (mod n) and p i, where n- = Π i p i r i, a (n-)/p i (mod n) then. ord n (a) = n-. n is a prime number 3. a is a primitive in Z n * Proof: let ord n (a) be the smallest integer d such that a d n, i.e. a ord n (a) n, ord n (a) n-, let n- = k ord n (a) + r a n- n a n- n a k ord n (a)+r n n k a r r=0 i.e. ord n (a) (n-) ord n (a)=n- or p i, n-=π i p i r i s.t. ordn (a) (n-)/p i i.e. a (n-)/p i n (a ord n (a) ) k n a n- n and r p i, where n-=π i p i,a (n-)/p i i n ord n (a)=n- n is a prime number (for a composite number, the order of any a is at most φ(n), which is strictly less than n-) and a is a primitive 45 Euler s Theorem If gcd(a,n)= then a φ(n) (mod n) Proof: let S be the set of integers x n, with gcd(x, n) =, define ψ(x) a x (mod n) be a mapping ψ: S Z x S and gcd(a, n) =, ψ(x) 0 (mod n) gcd(a, n)= and gcd(x, n) = gcd(ψ(x), n) = x S, ψ(x) S, i.e. ψ: S S x, y S, if x y then ψ(x) ψ(y) (mod n) from the above two observations, x S, ψ(x) are distinct elements of S (i.e. {ψ(x) x S} is S) This is true even when n = p if ψ(x) a x 0 (mod n) x 0 (mod n) if ψ(x) ψ(y) a x a y x y since gcd(a, n) = x ψ(x) a φ(n) x (mod n) x S x S x S since gcd(x, n) = for x S, we can divide both side by x S one after another, and obtain a φ(n) (mod n) 46 Carmichael Theorem Carmichael s Theorem: a Z n*,a λ (n) (mod n) and a n λ(n) (mod n ) where n=p q, p q, λ(n) = lcm(p-, q-), λ(n) φ(n) like Euler s Theorem, we can prove it through Fermat s Little Theorem, consider n = p q, where p q, a Z p*,a p- (mod p) (a p- ) (q-)/gcd(p-,q-) a λ (n) (mod p) a Z q*,a q- (mod q) (a q- ) (p-)/gcd(p-,q-) a λ (n) (mod q) from CRT, a Z * p Z q* = Z n*, a λ (n) (mod n) therefore, a Z n*,a λ (n) = + k n raise both side to the n-th power, we get a n λ(n) = ( + k n) n, a n λ(n) = + n k n +... a Zn * (or Z n *), a n λ(n) (mod n ) 47 Primitive Roots modulo p When p is a prime number, a primitive root modulo p is a number whose powers yield every nonzero element mod p. (equivalently, the order of a primitive root is p-) ex: 3 3, 3, 3 3 6, 3 4 4, 3 5 5, 3 6 (mod 7) 3 is a primitive root mod 7 sometimes called a multiplicative generator there are plenty of primitive roots, actually φ(p-) ex. p=0, φ(p-)=00 (-/) (-/5)=40 p=43537, φ(p-)=43536 (-/) (-/897)=

13 Primitive Testing Procedure How do we test whether h is a primitive root modulo p? naïve method: go through all powers h, h 3,, h p-, and make sure modulo p faster method: assume p- has prime factors q, q,, q n, for all q i, make sure h (p-)/q i modulo p is not, then h is a primitive root Intuition: let h g a (mod p), if gcd(a, p-)=d (i.e. g a is not a primitive root), (g a ) (p-)/q i (g a/q i) (p-) (mod p) for some q i d Primitive Testing Procedure (cont d) Procedure to test a primitive g: assuming p- has prime factors q, q,, q n, (i.e. p- =q r...q r n n) for all q i, make sure g (p-)/q i (mod p) is not Proof: (a) by definition, g ord p (g) (mod p), g φ(p) (mod p) therefore ord p (g) φ(p) if φ(p) = ord p (g) * k + s with s < ord p (g) g φ(p) g ord p (g) * k g s g s (mod p), but s < ord p (g) s = 0 ord p (g) φ(p) and ord p (g) φ(p) (b) assume g is not a primitive root i.e ord p (g) < φ(p)=p- then i, such that ord p (g) (p-)/q i i.e. g (p-)/q i (mod p) for some q i (c) if for all q i, g (p-)/q i (mod p) then ord p (g) = φ(p) and g is a primitive root modulo p 49 50