Fact-checked by Grok 2 weeks ago

Primitive root modulo n

In , a primitive root modulo n is an g coprime to the positive n such that the multiplicative order of g modulo n—the smallest positive k for which gk ≡ 1 (mod n)—equals φ(n), which counts the number of up to n that are coprime to n. Equivalently, the powers of g modulo n generate every element of the of modulo n, denoted (Z/nZ)×, making g a of this group when it is cyclic. Primitive roots modulo n do not exist for every n; they exist if and only if n = 2, n = 4, n = pr, or n = 2pr, where p is an odd prime and r is a positive integer. For prime p, the number of primitive roots modulo p is exactly φ(p - 1). When they exist, primitive roots characterize the cyclicity of (Z/nZ)×, a property that holds precisely under the above conditions on n. Primitive roots play a central role in analytic and , enabling the definition of discrete logarithms modulo n—the problem of finding k such that agk (mod n) for a in (Z/nZ)×—which underpins algorithms for solving congruences and studying the structure of finite abelian groups. They also facilitate computations like indices (discrete logs base g) and appear in applications such as analyzing expansions and modeling random processes like card shuffling via riffle shuffles.

Fundamentals

Definition

In , \phi(n) counts the number of positive integers up to n that are relatively prime to n, and is given by the formula \phi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right), where the product is over the distinct prime factors p of n. An integer g is a primitive root modulo n if \gcd(g, n) = 1 and the multiplicative order of g modulo n is exactly \phi(n). The multiplicative order of g modulo n is defined as the smallest positive integer k such that g^k \equiv 1 \pmod{n}. In the context of , a primitive root g modulo n generates the of integers modulo n, denoted (\mathbb{Z}/n\mathbb{Z})^*, which consists of the residue classes coprime to n under multiplication modulo n. This group has order \phi(n), and the powers g^0, g^1, \dots, g^{\phi(n)-1} modulo n are all distinct and comprise every element of (\mathbb{Z}/n\mathbb{Z})^*, thereby making the group cyclic.

Elementary Example

A simple illustration of a primitive root occurs modulo 5, a for which φ(5) equals 4, meaning the of integers modulo 5 consists of the four units {1, 2, 3, 4} that are coprime to 5. Consider g = 2. The successive powers of 2 modulo 5 are computed as follows:
k2^k mod 5
01
12
24
33
These powers generate all four units exactly once before repeating, confirming that the multiplicative order of 2 modulo 5 is 4, equal to φ(5), so 2 is a primitive root 5. In contrast, consider g = 4. The powers of 4 5 are:
k4^k mod 5
01
14
21
Here, the powers cycle every 2 steps, giving 4 a multiplicative of 2, which is less than φ(5) = 4, so 4 is not a primitive root 5.

Existence Conditions

For Prime Moduli

When n = p is a prime number, primitive roots always exist modulo p. This follows from the fact that the multiplicative group (\mathbb{Z}/p\mathbb{Z})^\times is cyclic of order p-1, as established by Fermat's Little Theorem, which states that every non-zero element modulo p satisfies a^{p-1} \equiv 1 \pmod{p}, implying the group order is \phi(p) = p-1. A primitive root modulo p is then a generator of this cyclic group. The cyclicity of (\mathbb{Z}/p\mathbb{Z})^\times for prime p was rigorously proved by Carl Friedrich Gauss in 1801, utilizing properties of quadratic residues to demonstrate the existence of generators. Gauss's proof in Disquisitiones Arithmeticae shows that the group structure ensures elements of order exactly p-1, confirming the presence of primitive roots. A standard proof of existence uses the factorization x^{p-1} - 1 = \prod_{d \mid p-1} \Phi_d(x) over \mathbb{F}_p, where \Phi_d(x) is the d-th cyclotomic polynomial of degree \phi(d). Since x^{p-1} - 1 has exactly p-1 distinct roots (all nonzero elements by Fermat's Little Theorem) and the total degree is \sum_{d \mid p-1} \phi(d) = p-1, each \Phi_d(x) must have exactly \phi(d) roots in \mathbb{F}_p. In particular, \Phi_{p-1}(x) has \phi(p-1) roots, which are elements of order exactly p-1, i.e., primitive roots. Thus, the number of primitive roots modulo p is exactly \phi(p-1) > 0.

For Composite Moduli

Primitive roots exist modulo a composite n if and only if n = 2, n = 4, n = p^k, or n = 2p^k, where p is an odd prime and k \geq 1. For other composite forms, such as higher powers of 2 or products involving multiple distinct odd primes, the (\mathbb{Z}/n\mathbb{Z})^* is not cyclic, so no element achieves order \phi(n). Non-existence arises in cases like powers of 2 greater than 4; for n = 8, \phi(8) = 4, but every residue 8 satisfies a^2 \equiv 1 \pmod{8}, so the maximum is 2. Similarly, for products of distinct primes like n = [15](/page/15) = 3 \times 5, \phi(15) = 8, but the maximum is \operatorname{lcm}(\phi(3), \phi(5)) = \operatorname{lcm}(2, 4) = 4 < 8. The Chinese Remainder Theorem plays a key role, as (\mathbb{Z}/n\mathbb{Z})^* \cong \prod (\mathbb{Z}/p_i^{k_i}\mathbb{Z})^* when n = \prod p_i^{k_i}, and the order of an element modulo n is the least common multiple of its orders modulo each prime power factor. Thus, (\mathbb{Z}/n\mathbb{Z})^* is cyclic if and only if each component group is cyclic, which fails for $2^k with k \geq 3 or when multiple odd prime powers are present, as their exponent structures do not align to yield a single generator of full order \phi(n). Explicit constructions of primitive roots for allowable composite moduli often involve lifting from lower powers via or direct adjustments. For prime powers p^k with odd prime p, if g is a primitive root modulo p^k, then g + t p^k for suitable t (0 to p-1) yields the primitive roots modulo p^{k+1} that are congruent to g modulo p^k; specifically, there are p-1 such t when k=1 and p such t when k \geq 2. For forms like $2p^k, a primitive root modulo p^k can be adjusted (e.g., adding p^k if necessary to make it odd) to serve modulo $2p^k, combining via the .

Examples and Data

Specific Examples

A classic example of a primitive root occurs modulo 7, where \phi(7)=6 and the integer 3 generates the multiplicative group. To verify, compute the powers of 3 modulo 7: $3^1 \equiv 3, $3^2 \equiv 2, $3^3 \equiv 6, $3^4 \equiv 4, $3^5 \equiv 5, and $3^6 \equiv 1. Since the order is 6, matching \phi(7), 3 is primitive. Alternatively, confirm the order by checking that $3^{6/q} \not\equiv 1 \pmod{7} for each prime q dividing 6 (i.e., q=2,3): $3^3 \equiv 6 \not\equiv 1 and $3^2 \equiv 2 \not\equiv 1. Modulo 9, where \phi(9)=6, the integer 2 serves as a primitive root. The powers are $2^1 \equiv 2, $2^2 \equiv 4, $2^3 \equiv 8, $2^4 \equiv 7, $2^5 \equiv 5, and $2^6 \equiv 1 \pmod{9}, yielding order 6. Checking against divisors: $2^3 \equiv 8 \not\equiv 1 and $2^2 \equiv 4 \not\equiv 1 \pmod{9}. For modulo 14, with \phi(14)=6, 3 is again a primitive root. Compute: $3^1 \equiv 3, $3^2 \equiv 9, $3^3 \equiv 13, $3^4 \equiv 11, $3^5 \equiv 5, $3^6 \equiv 1 \pmod{14}. The order is 6, as $3^3 \equiv 13 \not\equiv 1 and $3^2 \equiv 9 \not\equiv 1 \pmod{14}. Primitive roots do not exist for all n; consider modulo 8, where \phi(8)=4 but the unit group \{1,3,5,7\} has maximum order 2. For instance, $3^2 \equiv 1, $5^2 \equiv 1, and $7^2 \equiv 1 \pmod{8}, so no element achieves order 4. Similarly, modulo 15 with \phi(15)=8, the maximum order is 4, as the group is isomorphic to C_4 \times C_2. Elements like 2 yield $2^4 \equiv 1 \pmod{15}, and 7 gives $7^4 \equiv 1 \pmod{15}, but no order reaches 8.

Table of Primitive Roots

The smallest primitive root modulo a prime p is the least positive integer g such that the multiplicative order of g modulo p is \phi(p) = p-1, where \phi denotes . For each such p, there are exactly \phi(p-1) primitive roots modulo p. The following table lists the primes p \leq 200, their \phi(p), and the smallest primitive root g for each, based on verified computational data.
p\phi(p)Smallest g
211
322
542
763
11102
13122
17163
19182
23225
29282
31303
37362
41406
43423
47465
53522
59582
61602
67662
71707
73725
79783
83822
89883
97965
1011002
1031025
1071062
1091086
1131123
1271263
1311302
1371363
1391382
1491482
1511506
1571565
1631622
1671665
1731722
1791782
1811802
19119019
1931925
1971962
1991983
Primitive roots also exist modulo certain composite numbers, specifically powers of odd primes p^k (k \geq 1) and twice such powers ($2p^k). The following table provides examples for small prime powers, including their \phi(n) and smallest primitive root g.
n\phi(n)Smallest g
423
962
25202
27182
49423
Among the smallest primitive roots for primes, small values such as 2, 3, and 5 appear frequently; for instance, 2 serves as the smallest primitive root for 22 of the 46 primes up to 199. Artin's conjecture posits that 2 is a primitive root modulo infinitely many primes, a statement that holds under the generalized Riemann hypothesis.

Properties

Basic Properties

A primitive root modulo n, denoted g, generates the multiplicative group of integers modulo n, denoted (\mathbb{Z}/n\mathbb{Z})^\times. Specifically, the set \{g^k \mod n \mid k = 0, 1, \dots, \phi(n)-1\} equals (\mathbb{Z}/n\mathbb{Z})^\times, where \phi is , meaning every element coprime to n can be expressed uniquely as a power of g modulo n. Among the powers of a primitive root g, the element g^k \mod n is itself a primitive root if and only if \gcd(k, \phi(n)) = 1. This follows from the order of g^k being \phi(n)/\gcd(k, \phi(n)), which equals \phi(n) precisely when k is coprime to \phi(n). In particular, the modular inverse g^{-1} \mod n is a primitive root, as it equals g^{\phi(n)-1} \mod n and \gcd(\phi(n)-1, \phi(n)) = 1. When primitive roots exist modulo n, their total number is exactly \phi(\phi(n)). This count arises because the primitive roots are precisely the generators of (\mathbb{Z}/n\mathbb{Z})^\times, and the number of such generators in a cyclic group of order \phi(n) is given by Euler's totient function applied to the group order. The concept of a primitive root enables the definition of the index (or discrete logarithm) base g modulo n. For any a \in (\mathbb{Z}/n\mathbb{Z})^\times, the index \operatorname{ind}_g(a) is the unique integer k with $0 \leq k < \phi(n) such that a \equiv g^k \pmod{n}. This provides a logarithmic encoding of the group elements, satisfying properties like \operatorname{ind}_g(ab) \equiv \operatorname{ind}_g(a) + \operatorname{ind}_g(b) \pmod{\phi(n)}.

Advanced Properties

One advanced property concerns the extension of primitive roots from a prime modulus to higher powers of that prime. For an odd prime p and a primitive root g modulo p, Hensel's lemma can be applied to lift g to a primitive root modulo p^k for any k \geq 2. Specifically, there exists an integer t with $0 \leq t < p such that g + t p is a primitive root modulo p^2, and this construction extends inductively to higher powers, ensuring the order remains \phi(p^k) = p^{k-1}(p-1). Primitive roots modulo a prime p are intimately connected to cyclotomic polynomials. Since the multiplicative group (\mathbb{Z}/p\mathbb{Z})^\times is cyclic of order p-1, the primitive roots are exactly the elements of order p-1, which correspond to the roots of the (p-1)-th \Phi_{p-1}(x) over the finite field \mathbb{F}_p. This polynomial, irreducible over the rationals, splits completely into \phi(p-1) linear factors in \mathbb{F}_p, with each root generating the group. For specific small integers like 2 or 5, determining when they serve as primitive roots modulo an odd prime p relies on checking their order against the prime factors of p-1. In particular, 2 is a primitive root modulo p if and only if $2^{(p-1)/q} \not\equiv 1 \pmod{p} for every prime q dividing p-1, which includes conditions such as 2 being a quadratic non-residue modulo p (for q=2) and similar higher-order checks for other q. Analogous criteria apply to 5, requiring $5^{(p-1)/q} \not\equiv 1 \pmod{p} for all such q. Under the generalized Riemann hypothesis (GRH), the proportion of primes p for which 2 is a primitive root is given by Artin's constant C = \prod_{q \geq 2} \left(1 - \frac{1}{q(q-1)}\right) \approx 0.3739558136, confirming a positive density for such primes.

Computation Methods

Testing Procedures

To determine whether a given integer g (with \gcd(g, n) = 1) is a primitive root modulo n, where primitive roots exist, the multiplicative order of g modulo n must equal \phi(n), with \phi denoting . The multiplicative order is the smallest positive integer k such that g^k \equiv 1 \pmod{n}. A prerequisite for testing is the complete factorization of \phi(n) into its prime factors. The standard deterministic procedure verifies that the order is exactly \phi(n) by checking that g^{\phi(n)/q} \not\equiv 1 \pmod{n} for every distinct prime divisor q of \phi(n). If this condition holds for all such q, then g is a primitive root modulo n. For example, test g = 2 modulo n = 11. Here, \phi(11) = 10 = 2 \times 5, so the prime divisors are q = 2 and q = 5. Compute $2^{10/2} = 2^5 = 32 \equiv -1 \not\equiv 1 \pmod{11} and $2^{10/5} = 2^2 = 4 \not\equiv 1 \pmod{11}. Since both checks pass, $2 is a primitive root modulo $11. The time complexity of this test is O(\omega(\phi(n)) \cdot \log n), where \omega(\phi(n)) is the number of distinct prime factors of \phi(n), as it involves \omega(\phi(n)) modular exponentiations, each performed in O(\log n) time using efficient methods like binary exponentiation.

Efficient Algorithms

One efficient approach to finding a primitive root modulo a prime p is the probabilistic random selection method. Select a random integer g with $1 < g < p and \gcd(g, p) = 1, then test whether g is a primitive root using the standard order verification procedure (which assumes the factorization of p-1). The probability of success is \phi(p-1)/(p-1), which is asymptotically equal to Artin's constant A \approx 0.3739558136 under the generalized Riemann hypothesis (GRH). Unconditionally, this proportion is positive for sufficiently large p, ensuring that the expected number of trials is bounded by a constant. Each test requires computing a small number of modular exponentiations, leading to an overall expected time complexity of O(\log^2 p) per trial assuming fast exponentiation, or O(\log^4 p) in more conservative models without precomputed factorizations. For deterministic methods, a sequential search starting from small candidates g = 2, 3, 5, \dots is optimized under GRH. The smallest primitive root g(p) satisfies g(p) = O(\log^6 p), allowing the algorithm to test only up to this bound before guaranteeing success. With the factorization of p-1 available, the total time is polynomial in \log p, specifically O((\log p)^7 \cdot \omega(p-1) \cdot \log^2 p), where \omega(p-1) is the number of distinct prime factors of p-1 (typically O(\log p / \log \log p). This yields a deterministic polynomial-time algorithm under GRH, improving on unconditional searches that may require testing up to p^{1/4 + o(1)} candidates. Recent advancements include pseudo-deterministic algorithms that find a primitive root with high probability using a fixed seed, matching the O(\log^2 p) expected time of Las Vegas methods without randomness. These construct a primitive root by combining quadratic non-residues for each prime factor of p-1, using sequential testing for large factors and deterministic selection for small ones; the approach is unconditional but leverages GRH bounds for efficiency in verification. For composite moduli n where primitive roots exist (e.g., n = 2, 4, p^k, or $2p^k for odd prime p), similar strategies apply by adapting the search to the structure of \phi(n) and testing against its prime factors, though the success probability decreases with the number of prime power factors.

Asymptotic Bounds

Upper Bounds on Smallest Primitive Root

The study of upper bounds on the smallest primitive root g(p) modulo a prime p has evolved through key theoretical advances in analytic number theory, focusing on character sum estimates to guarantee the existence of small generators of the multiplicative group modulo p. Early results relied on the Pólya–Vinogradov inequality for non-trivial Dirichlet characters, yielding g(p) \ll p^{1/2} (\log p)^2, but Vinogradov improved this in 1952 to g(p) < p^{c / \log \log p} for some absolute constant c > 0, marking the first subpolynomial unconditional bound. This exponent approaching 0 as p \to \infty highlighted the potential for even smaller primitive roots, though the constant c remained unspecified. A major breakthrough came with Burgess's 1962 theorem, which uses higher-degree character sum estimates to establish g(p) \ll p^{1/4 + \epsilon} for any \epsilon > 0. The method's optimal exponent was later refined to $1/(4\sqrt{e}) + \epsilon \approx 0.1518 + \epsilon, applicable to all odd primes p, by leveraging the full strength of Burgess's inequality on sums over intervals. Unconditionally, these results imply g(p) \leq p^{o(1)} as p \to \infty. Recent explicit versions, such as those by McGown and Trudgian in 2019, provide concrete constants tightening the Burgess bound for practical ranges of p, with further refinements in 2023 by Kerr and others optimizing the character sum constants for denser sets of primes. Under the Generalized Riemann Hypothesis (GRH), Ankeny proved in 1952 that g(p) = O(\log^2 p), a polylogarithmic bound derived from zero-free regions of Dirichlet L-functions associated to characters modulo p-1. This conditional result aligns with expectations that g(p) is typically around \log p, and it has influenced algorithmic approaches despite remaining unproven .

Lower Bounds on Smallest Primitive Root

The smallest primitive root g(n) satisfies the trivial lower bound g(n) \ge 2 for n > 2, since 1 has multiplicative order 1 and cannot generate the full group (\mathbb{Z}/n\mathbb{Z})^\times. For prime moduli p, this bound is sharp in the sense that g(p) = 2 for some primes (e.g., p = 5, 11, 29), but more substantial lower bounds hold for infinitely many primes, showing that g(p) can be forced to be relatively large. In 1944, S. S. Pillai established that there exists a positive constant c such that g(p) > c \log \log p for infinitely many primes p. This was improved by V. Fridlender (1949) and H. Salié (1957) to g(p) > c \log p for infinitely many p, using Linnik's theorem on primes in arithmetic progressions. Further progress was made by and V. K. Ram Murty in 1984, who showed that g(p) > c (\log p \log \log p) / \log \log \log p for some c > 0 and infinitely many primes p. These omega results demonstrate that \limsup_{p \to \infty} g(p) / ((\log p \log \log p) / \log \log \log p) > 0, highlighting that the smallest primitive root can be asymptotically as large as the conjectured upper bound up to lower-order terms. Artin's conjecture, proposed in 1927, asserts that for any integer a > 1 that is not -1 or a , the density of primes p for which a is a primitive root modulo p is the positive constant A = \prod_q (1 - 1/(q(q-1))) \approx 0.3739558, known as Artin's constant. This implies that g(p) = O(\log p \log \log p) for all primes p, with the constant e^\gamma in the leading term under the conjecture, where \gamma is the Euler-Mascheroni constant. However, the conjecture remains unresolved as of 2025. Under the generalized (GRH), C. Hooley proved in 1967 that the conjecture holds with the exact density A. Unconditionally, D. R. Heath-Brown showed in 1986 that at most two prime numbers fail to be primitive roots modulo a positive proportion of primes, implying that for all but at most two exceptions among small primes, the Artin density holds. Additionally, under GRH, H. L. Montgomery showed that g(p) > c \log p \log \log p for infinitely many p, nearly matching the conjectured upper bound. Unconditionally, it is known that g(p) > (\log p)^{1-\varepsilon} for any \varepsilon > 0 and all but o(\pi(x)) primes p \le x, reflecting that the smallest primitive root tends to grow with p for the majority of primes, though exceptions where g(p) is small occur with positive density under Artin's conjecture.

Applications

In

Primitive roots modulo n are fundamental in the problem within . For a prime p admitting a primitive root g, the discrete logarithm \mathrm{ind}_g(a) of an a not divisible by p is the unique exponent k with $0 \leq k < p-1 satisfying g^k \equiv a \pmod{p}. This representation transforms multiplicative relations into additive ones modulo \phi(p) = p-1, aiding the analysis of congruences and cyclic group structures. The baby-step giant-step algorithm, introduced by Daniel Shanks, computes \mathrm{ind}_g(a) in O(\sqrt{p} \log p) time and O(\sqrt{p}) space by dividing the search into small "baby steps" of powers g^j for j < \sqrt{p-1} and "giant steps" of a \cdot (g^{-m \sqrt{p-1}}) for steps m, matching via a hash table to resolve the exponent. For prime moduli, index calculus algorithms further accelerate discrete logarithm computation by factoring smooth elements in the field \mathbb{F}_p, using a primitive root to express bases in logarithmic form and solving a linear system over the exponents modulo p-1. These methods achieve subexponential time complexity L_p[1/2, c] for some constant c > 0, leveraging the cyclicity ensured by the primitive root. In the study of character sums, primitive roots facilitate the evaluation and properties of s, which are central to . For a multiplicative \chi modulo a prime p, the is G(\chi) = \sum_{k=1}^{p-1} \chi(k) e^{2\pi i k / p}. When \chi is (not induced from a proper subfield) and the sum is reindexed using a primitive root g via k = g^j \pmod{p}, it becomes G(\chi) = \sum_{j=0}^{p-2} \chi(g^j) \zeta^j where \zeta = e^{2\pi i / p}; for non-principal \chi, |G(\chi)| = \sqrt{p}, with the exact value involving the or roots of unity. This structure enables Stickelberger's theorem, which determines G(\chi) explicitly in cyclotomic fields, and underpins and estimates for incomplete sums like \sum \chi(n) e^{2\pi i \alpha n}. Primitive roots ensure the uniform distribution of indices, crucial for bounding error terms in these evaluations. Primitive roots also contribute indirectly to primality testing algorithms in . Since every odd prime p has a cyclic (\mathbb{Z}/p\mathbb{Z})^\times of p-1, it admits primitive roots, whereas composite moduli often do not. Lucas's 1876 tests verify primality by checking the of a a n: if a has dividing n-1 but not any proper , and similar conditions hold for factors of n-1, it certifies n prime by implying the of a of n-1. These criteria exploit the absence of primitive roots for certain composites (e.g., twice odd primes) to rule out non-primes efficiently, without explicitly finding a primitive root, though the tests align with the cyclic structure confirmed by one. Modern variants, like the Lucas-Lehmer test for Mersenne primes, generalize this order-checking approach. Artin's primitive root conjecture provides a profound link between primitive roots and , particularly number problems. The conjecture asserts that for any integer a \neq -1 that is not a , there are infinitely many primes p such that a is a primitive root modulo p, with a of \prod_{q \prime} (1 - 1/(q(q-1))) under suitable conditions. Proving a positive requires the generalized for Artin L-functions L(s, \chi, K), where \chi are characters induced by the Galois representation attached to the extension generated by roots of x^p - a = 0; non-vanishing at s=1 implies the infinitude via arguments. This connects to numbers of number fields, as the residue of L(s, \chi, K) at s=1 relates to the h_K = w_K \sqrt{|\Delta_K|} \mathrm{Res}_{s=1} L(s, K) / (2\pi)^{[K:\mathbb{Q}]/2}, influencing bounds on primitive root distribution and analytic continuations in .

In Cryptography

Primitive roots modulo n play a central role in cryptographic protocols that rely on the hardness of the problem (DLP) in multiplicative groups. In these systems, a primitive root g generates a cyclic of \phi(n), where \phi is , ensuring maximal cycle length and of powers for secure and . This property is particularly exploited when n = p is a large prime, making the group \mathbb{Z}_p^\times cyclic of order p-1. The Diffie-Hellman key exchange, introduced by and Martin E. Hellman in 1976, uses a primitive root g a large prime p to enable two parties to compute a key K = g^{ab} \mod p without transmitting it directly: one party sends g^a \mod p after selecting private exponent a, and the other responds with g^b \mod p using private b. The choice of g as a primitive root guarantees that the subgroup spans the full group order p-1, maximizing the key space and resisting certain factoring-based attacks on the DLP. This mechanism underpins secure key agreement in protocols like TLS and . ElGamal encryption, proposed by Taher ElGamal in 1985, extends this idea for public-key encryption. The recipient generates a key pair with primitive root g modulo prime p, private exponent x, and public key h = g^x \mod p. To encrypt message m, a sender chooses random k and computes ciphertext (g^k \mod p, m \cdot h^k \mod p); decryption recovers m via m = (m \cdot h^k) \cdot (g^k)^{-x} \mod p. The primitive root ensures the DLP in \langle g \rangle is hard, providing under the decisional Diffie-Hellman assumption. The Digital Signature Algorithm (DSA), specified in NIST's FIPS 186-4 standard, employs a prime q dividing p-1 and a g of q in \mathbb{Z}_p^\times (equivalent to a primitive root when q = p-1). Signers use private key x to produce signatures (r, s) where r = (g^k \mod p) \mod q and s = k^{-1}(H(m) + x r) \mod q for H(m) of m and random k; verification checks g^{H(m) s^{-1}} \mod p = r after projection. This leverages the DLP hardness in the order-q subgroup for unforgeability. The security of these protocols derives from the computational difficulty of the DLP in subgroups generated by primitive roots, where solving g^y \equiv h \mod p for y requires subexponential time for large prime-order subgroups, thwarting generic attacks like (cost \sqrt{p-1}) and index calculus. Using prime q near p mitigates the Pohlig-Hellman algorithm, which reduces DLP security to the largest prime factor of the group order. However, quantum algorithms like Shor's threaten this foundation by solving DLP in polynomial time on quantum computers. As of 2025, NIST has addressed these vulnerabilities through standards that diminish reliance on primitive roots and discrete logs. FIPS 203 (ML-KEM, based on CRYSTALS-Kyber) provides key encapsulation for , replacing Diffie-Hellman; FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, based on SPHINCS+) offer digital signatures supplanting ; and HQC was selected in March 2025 as a encryption mechanism. These lattice- and hash-based algorithms ensure quantum resistance without structures.

References

  1. [1]
    [PDF] PRIMITIVE ROOTS: A SURVEY - Dartmouth Mathematics
    That is, a primitive root modulo n is an integer coprime to n such that the multiplicative order of this integer modulo n is the maximum over all integers ...
  2. [2]
    [PDF] Math 580/780I Notes 14
    Definition. If an integer a has order φ(n) modulo a positive integer n, then we say that a is a primitive root modulo n.Missing: theory | Show results with:theory
  3. [3]
    [PDF] Primitive Roots Modulo Prime Powers - Trinity University
    Given n ∈ N, a primitive root modulo n is an integer a so that. (Z/nZ)× = ha + nZi. Equivalently, for any b ∈ Z with (b,n) = 1, there exists a k ∈ N so that ak ...
  4. [4]
    [PDF] 3 Primitive Roots, Indices and the Discrete Logarithm
    n is a primitive root modulo n if en(g) = ϕ(n). Equivalently, g is a generator of the group of units: hgi = Z× n .
  5. [5]
    [PDF] Math 3110: Existence of Primitive Roots
    Apr 11, 2019 · Theorem 1. There are φ(p − 1) primitive roots modulo p. Proof. Primitive roots are to be found amongst the invertible elements modulo p.
  6. [6]
    [PDF] Cyclic Groups and Primitive Roots - Trinity University
    An integer a ∈ Z for which ha + nZi = (Z/nZ)× is called a primitive root modulo n. Example. Based on the previous slide, 2 and 3 are primitive roots modulo 5, ...
  7. [7]
    [PDF] Contents 2 Modular Arithmetic in Z - Evan Dummit
    We finish with a brief discussion of some applications of these ideas to repeating decimal expansions, and give a brief discussion of primitive roots and ...
  8. [8]
    [PDF] 6.8. Primitive Roots and Card Shuffling
    Mar 6, 2022 · We use the primitive root concept to revisit the riffle shuffle introduced in Chapter 5. Note. Recall that for x ≡ r (mod m), r is the residue ...
  9. [9]
    https://math.libretexts.org/Bookshelves/Combinatorics_and_Discrete_Mathematics/Yet_Another_Introductory_Number_Theory_Textbook_-_Cryptology_Emphasis_(Poritz)/05%3A_Indices__Discrete_Logarithms/5.03%3A_Primitive_Roots
  10. [10]
    Totient Function -- from Wolfram MathWorld
    The totient function phi(n), also called Euler's totient function, is defined as the number of positive integers <=n that are relatively prime to.
  11. [11]
    Primitive Root -- from Wolfram MathWorld
    A primitive root of a prime p is an integer g such that g (mod p ) has multiplicative order p-1 (Ribenboim 1996, p. 22).
  12. [12]
    Multiplicative Order -- from Wolfram MathWorld
    mu=ind_ga (mod n). (4). For example, the number 7 is the least positive primitive root of n=41 , and since 15=7^3 (mod 41) , the number 15 has multiplicative ...
  13. [13]
    primitive root - PlanetMath.org
    Mar 22, 2013 · modulo n n . For example, 2 is a primitive root modulo 5, since 1,2,22=4 ... mod 5 ) are all with 5 coprime ...
  14. [14]
    Disquisitiones arithmeticae : Gauss, Carl Friedrich, 1777-1855
    Aug 11, 2018 · Disquisitiones arithmeticae. by: Gauss, Carl Friedrich, 1777-1855 ... PDF download · download 1 file · SEGMENT DATA download · download 1 file.
  15. [15]
    10.4 Prime Numbers Have Primitive Roots
    🔗. Theorem 10.4.1. Primitive Roots Exist for Primes. Every prime has a primitive root. In other words, the order p − 1 group U p is always cyclic. Proof.<|control11|><|separator|>
  16. [16]
    https://math.libretexts.org/Bookshelves/Combinatorics_and_Discrete_Mathematics/Elementary_Number_Theory_(Raji)/05:_Primitive_Roots_and_Quadratic_Residues/5.03:_The_Existence_of_Primitive_Roots
  17. [17]
    10.3When Does a Primitive Root Exist?¶ permalink
    By induction we are done; because the highest possible order of an element is less than \(\phi\), there are no primitive roots modulo \(2^k\) for \(k>2\).
  18. [18]
    [PDF] Notes for Lecture 15 | Armin Straub
    Oct 13, 2020 · Then there are ( (n)) primitive roots modulo n. Proof. Let x be a primitive root. It has order φ(п). All other invertible residues are of the ...
  19. [19]
    [PDF] Constructing the Primitive Roots of Prime Powers - arXiv
    Sep 12, 2008 · Their result (Lemma 4) gives an explicit construction of all the primitive roots of p2 from the primitive roots of p, where p is any prime. This ...Missing: composite | Show results with:composite
  20. [20]
    [PDF] Primitive Roots mod p
    p = 5 p = 7 p = 13 p = 23 a = 2 a = 2 a = 3 a = 2 a = 3 a = 2 a = 3 a = 5. 20 ≡ 1 20 ≡ 1 30 ≡ 1 20 ≡ 1 30 ≡ 1 20 ≡ 1 30 ≡ 1 50 ≡ 1.
  21. [21]
    [PDF] 1 Order
    Example 9 2 is a primitive root modulo 9. 21 ≡ 2, 22 ≡ 4, 23 ≡ 8, 24 ≡ 7, 25 ≡ 5, 26 ≡ 1 (mod 9). The order of 2 is 6 = φ(9) and hence 2 is primitive root.
  22. [22]
    [PDF] Math 580/780I: Test 3, Fall 2010
    (b) Is 3 a primitive root modulo 14? Explain your answer. Answer: YES. (YES or NO). 14 pts. (a) The order of 3 modulo 14 divides φ(14) = φ(2)φ(7) = (2 − 1)(7 ...
  23. [23]
    [PDF] Primitive Roots - UBC Math
    Aug 9, 2022 · If m is divisible by 4p with p an odd prime, then there are no primitive roots modulo m. Proof. We can write m = 24per with d≥ 2, (2p,r) = 1.
  24. [24]
    Section 10.3: When is There a Primitive Root?
    In this section, we shall consider the problem of determining which integers n have primitive roots, and which do not.
  25. [25]
    A001918 - OEIS
    If k is a primitive root of p=4m+1, then pk is too. If k is a primitive root of p=4m+3, then pk isn't, but has order 2m+1.
  26. [26]
    Artin's Conjecture -- from Wolfram MathWorld
    L -series. The second conjecture states that every integer not equal to -1 or a square number is a primitive root modulo p for infinitely many p and ...Missing: class | Show results with:class
  27. [27]
    5.3: Primitive Roots - Mathematics LibreTexts
    Jul 18, 2021 · We shall also call an integer \(x\in\ZZ\) a primitive root mod \(n\) if \([x]_n\) is a primitive root in the sense just defined. Example \(\ ...
  28. [28]
    [PDF] Primitive Roots (Prime Powers), Index Calculus, Lecture 8 Notes
    How many primitive roots mod m are there? We want the order to be exactly φ(m). If we look at the integers 1, g, g2, ..
  29. [29]
    [PDF] Cyclotomic Polynomials and Primitive Roots - garsia at york
    Apr 1, 2010 · Theorem 2.4 If a is a primitive root mod p then the set of primitive roots mod p may be con- structed as the set of powers. {ar | (r, p − 1) ...
  30. [30]
    [PDF] ARTIN'S PRIMITIVE ROOT CONJECTURE - a survey -
    (1 − 1/n(q)) as the density of primes p for which g is a primitive root mod p. This heuristic argument was thought to be plausible until about 1960, when ...
  31. [31]
    [PDF] Elementary Number Theory: Primes, Congruences, and Secrets
    Feb 5, 2014 · smallest positive integer that is a primitive root modulo n. For example, below we compute primitive roots modulo p for each prime p < 20.
  32. [32]
    Primitive Root - Algorithms for Competitive Programming
    Jun 6, 2022 · In modular arithmetic, a number is called a primitive root modulo n if every number coprime to is congruent to a power of modulo.
  33. [33]
    [PDF] Searching for Primitive Roots in Finite Fields - Victor Shoup
    By a search procedure for primitive roots in GF(pn ), we mean an algorithm that generates a subset of GF(pn ) that contains. (with high probability, in the case ...
  34. [34]
    [PDF] Finding Primitive Roots Pseudo-Deterministically
    Dec 22, 2015 · Figure 1: A pseudo-deterministic algorithm finding a primitive root modulo a given prime p. Correctness of the algorithm follows immediately ...
  35. [35]
    [PDF] Discrete logarithms in finite fields and their cryptographic significance
    Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u ∈ GF(q) is that integer k, 1 ≤ k ≤ q −1, for which u = gk ...<|control11|><|separator|>
  36. [36]
    Primitive Roots and a Test for Primality - SpringerLink
    In this chapter we will be examining the notion of primitive roots which will lead us to several primality tests developed by Edouard Lucas in 1876. Perhaps ...