Primitive root modulo n

In modular arithmetic, a number g is a primitive root modulo n if every number a coprime to n is congruent to a power of g modulo n. That is, g is a primitive root modulo n if for every integer a coprime to n, there is some integer k for which g^k ≡ a (mod n). Such a value k is called the index or discrete logarithm of a to the base g modulo n. So g is a primitive root modulo n if and only if g is a generator of the multiplicative group of integers modulo n.

Gauss defined primitive roots in Article 57 of the Disquisitiones Arithmeticae (1801), where he credited Euler with coining the term. In Article 56 he stated that Lambert and Euler knew of them, but he was the first to rigorously demonstrate that primitive roots exist for a prime n. In fact, the Disquisitiones contains two proofs: The one in Article 54 is a nonconstructive existence proof, while the proof in Article 55 is constructive.

A primitive root exists if and only if n is 1, 2, 4, p^k or 2p^k, where p is an odd prime and k > 0. For all other values of n the multiplicative group of integers modulo n is not cyclic.^[1][2][3] This was first proved by Gauss.^[4]

The number 3 is a primitive root modulo 7^[5] because $${\displaystyle {\begin{array}{rcrcrcrcrcr}3^{1}&=&3^{0}\times 3&\equiv &1\times 3&=&3&\equiv &3{\pmod {7}}\\3^{2}&=&3^{1}\times 3&\equiv &3\times 3&=&9&\equiv &2{\pmod {7}}\\3^{3}&=&3^{2}\times 3&\equiv &2\times 3&=&6&\equiv &6{\pmod {7}}\\3^{4}&=&3^{3}\times 3&\equiv &6\times 3&=&18&\equiv &4{\pmod {7}}\\3^{5}&=&3^{4}\times 3&\equiv &4\times 3&=&12&\equiv &5{\pmod {7}}\\3^{6}&=&3^{5}\times 3&\equiv &5\times 3&=&15&\equiv &1{\pmod {7}}\end{array}}}$$

Here we see that the period of 3^k modulo 7 is 6. The remainders in the period, which are 3, 2, 6, 4, 5, 1, form a rearrangement of all nonzero remainders modulo 7, implying that 3 is indeed a primitive root modulo 7. This derives from the fact that a sequence (g^k modulo n) always repeats after some value of k, since modulo n produces a finite number of values. If g is a primitive root modulo n and n is prime, then the period of repetition is n − 1. Permutations created in this way (and their circular shifts) have been shown to be Costas arrays.

If n is a positive integer, the integers from 1 to n − 1 that are coprime to n (or equivalently, the congruence classes coprime to n) form a group, with multiplication modulo n as the operation; it is denoted by ${\displaystyle \mathbb {Z} }$^×
_n, and is called the group of units modulo n, or the group of primitive classes modulo n. As explained in the article multiplicative group of integers modulo n, this multiplicative group (${\displaystyle \mathbb {Z} }$^×
_n) is cyclic if and only if n is equal to 2, 4, p^k, or 2p^k where p^k is a power of an odd prime number.^[6][2][7] When (and only when) this group ${\displaystyle \mathbb {Z} }$^×
_n is cyclic, a generator of this cyclic group is called a primitive root modulo n^[8] (or in fuller language primitive root of unity modulo n, emphasizing its role as a fundamental solution of the roots of unity polynomial equations X^m
− 1 in the ring ${\displaystyle \mathbb {Z} }$_n), or simply a primitive element of ${\displaystyle \mathbb {Z} }$^×
_n.

When ${\displaystyle \mathbb {Z} }$^×
_n is non-cyclic, such primitive elements mod n do not exist. Instead, each prime component of n has its own sub-primitive roots (see 15 in the examples below).

For any n (whether or not ${\displaystyle \mathbb {Z} }$^×
_n is cyclic), the order of ${\displaystyle \mathbb {Z} }$^×
_n is given by Euler's totient function φ(n) (sequence A000010 in the OEIS). And then, Euler's theorem says that a^φ(n) ≡ 1 (mod n) for every a coprime to n; the lowest power of a that is congruent to 1 modulo n is called the multiplicative order of a modulo n. In particular, for a to be a primitive root modulo n, a^φ(n) has to be the smallest power of a that is congruent to 1 modulo n.

For example, if n = 14 then the elements of ${\displaystyle \mathbb {Z} }$^×
_n are the congruence classes {1, 3, 5, 9, 11, 13}; there are φ(14) = 6 of them. Here is a table of their powers modulo 14:

 x     x, x2, x3, ... (mod 14)
 1 :   1
 3 :   3,  9, 13, 11,  5,  1 
 5 :   5, 11, 13,  9,  3,  1
 9 :   9, 11,  1
11 :  11,  9,  1
13 :  13,  1

The order of 1 is 1, the orders of 3 and 5 are 6, the orders of 9 and 11 are 3, and the order of 13 is 2. Thus, 3 and 5 are the primitive roots modulo 14.

For a second example let n = 15 . The elements of ${\displaystyle \mathbb {Z} }$^×
₁₅ are the congruence classes {1, 2, 4, 7, 8, 11, 13, 14}; there are φ(15) = 8 of them.

 x     x, x2, x3, ... (mod 15)
 1 :   1
 2 :   2,  4,  8, 1 
 4 :   4,  1
 7 :   7,  4, 13, 1
 8 :   8,  4,  2, 1
11 :  11,  1
13 :  13,  4,  7, 1
14 :  14,  1

Since there is no number whose order is 8, there are no primitive roots modulo 15. Indeed, λ(15) = 4, where λ is the Carmichael function. (sequence A002322 in the OEIS)

Numbers ${\displaystyle n}$ that have a primitive root are of the shape

${\displaystyle n\in \{1,2,4,p^{k},2\cdot p^{k}\;\;|\;\;2<p{\text{ prime}};\;k\in \mathbb {N} \},}$

= {1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 13, 14, 17, 18, 19, ...}.^[9]

These are the numbers ${\displaystyle n}$ with ${\displaystyle \varphi (n)=\lambda (n),}$ kept also in the sequence A033948 in the OEIS.

The following table lists the primitive roots modulo n up to ${\displaystyle n=31}$:

⁠${\displaystyle n}$⁠	primitive roots modulo ⁠${\displaystyle n}$⁠	order ${\displaystyle \varphi (n),}$ (OEIS: A000010)	exponent ${\displaystyle \lambda (n),}$ (OEIS: A002322)
1	0	1	1
2	1	1	1
3	2	2	2
4	3	2	2
5	2, 3	4	4
6	5	2	2
7	3, 5	6	6
8		4	2
9	2, 5	6	6
10	3, 7	4	4
11	2, 6, 7, 8	10	10
12		4	2
13	2, 6, 7, 11	12	12
14	3, 5	6	6
15		8	4
16		8	4
17	3, 5, 6, 7, 10, 11, 12, 14	16	16
18	5, 11	6	6
19	2, 3, 10, 13, 14, 15	18	18
20		8	4
21		12	6
22	7, 13, 17, 19	10	10
23	5, 7, 10, 11, 14, 15, 17, 19, 20, 21	22	22
24		8	2
25	2, 3, 8, 12, 13, 17, 22, 23	20	20
26	7, 11, 15, 19	12	12
27	2, 5, 11, 14, 20, 23	18	18
28		12	6
29	2, 3, 8, 10, 11, 14, 15, 18, 19, 21, 26, 27	28	28
30		8	4
31	3, 11, 12, 13, 17, 21, 22, 24	30	30

Gauss proved^[10] that for any prime number p (with the sole exception of p = 3), the product of its primitive roots is congruent to 1 modulo p.

He also proved^[11] that for any prime number p, the sum of its primitive roots is congruent to μ(p − 1) modulo p, where μ is the Möbius function.

For example,

p = 3,	μ(2) = −1.	The primitive root is 2.
p = 5,	μ(4) = 0.	The primitive roots are 2 and 3.
p = 7,	μ(6) = 1.	The primitive roots are 3 and 5.
p = 31,	μ(30) = −1.	The primitive roots are 3, 11, 12, 13, 17, 21, 22 and 24.

E.g., the product of the latter primitive roots is ${\displaystyle 2^{6}\cdot 3^{4}\cdot 7\cdot 11^{2}\cdot 13\cdot 17=970377408\equiv 1{\pmod {31}}}$, and their sum is ${\displaystyle 123\equiv -1\equiv \mu (31-1){\pmod {31}}}$.

If ${\displaystyle a}$ is a primitive root modulo the prime ${\displaystyle p}$, then ${\displaystyle a^{\frac {p-1}{2}}\equiv -1{\pmod {p}}}$.

Artin's conjecture on primitive roots states that a given integer a that is neither a perfect square nor −1 is a primitive root modulo infinitely many primes.

No simple general formula to compute primitive roots modulo n is known.^[a][b] There are however methods to locate a primitive root that are faster than simply trying out all candidates. If the multiplicative order (its exponent) of a number m modulo n is equal to ${\displaystyle \varphi (n)}$ (the order of ${\displaystyle \mathbb {Z} }$^×
_n), then it is a primitive root. In fact the converse is true: If m is a primitive root modulo n, then the multiplicative order of m is ${\displaystyle \varphi (n)=\lambda (n)~.}$ We can use this to test a candidate m to see if it is primitive.

For ${\displaystyle n>1}$ first, compute ${\displaystyle \varphi (n)~.}$ Then determine the different prime factors of ${\displaystyle \varphi (n)}$, say p₁, ..., p_k. Finally, compute

${\displaystyle g^{\varphi (n)/p_{i}}{\bmod {n}}\qquad {\mbox{ for }}i=1,\ldots ,k}$

using a fast algorithm for modular exponentiation such as exponentiation by squaring. A number g for which these k results are all different from 1 is a primitive root.

The number of primitive roots modulo n, if there are any, is equal to^[12]

${\displaystyle \varphi \left(\varphi (n)\right)}$

since, in general, a cyclic group with r elements has ${\displaystyle \varphi (r)}$ generators.

For prime n, this equals ${\displaystyle \varphi (n-1)}$, and since ${\displaystyle n/\varphi (n-1)\in O(\log \log n)}$ the generators are very common among {2, ..., n−1} and thus it is relatively easy to find one.^[13]

If g is a primitive root modulo p, then g is also a primitive root modulo all powers p^k unless g^p−1 ≡ 1 (mod p²); in that case, g + p is.^[14]

If g is a primitive root modulo p^k, then g is also a primitive root modulo all smaller powers of p.

If g is a primitive root modulo p^k, then either g or g + p^k (whichever one is odd) is a primitive root modulo 2p^k.^[14]

Finding primitive roots modulo p is also equivalent to finding the roots of the (p − 1)st cyclotomic polynomial modulo p.

The least primitive root g_p modulo p (in the range 1, 2, ..., p − 1) is generally small.

Burgess (1962) proved^[15][16] that for every ε > 0 there is a C such that ${\displaystyle g_{p}\leq C\,p^{{\frac {1}{4}}+\varepsilon }.}$

Grosswald (1981) proved^[15][17] that if ${\displaystyle p>e^{e^{24}}\approx 10^{11504079571}}$, then ${\displaystyle g_{p}<p^{0.499}.}$

Shoup (1990, 1992) proved,^[18] assuming the generalized Riemann hypothesis, that g_p = O(log⁶ p).

Fridlander (1949) and Salié (1950) proved^[15] that there is a positive constant C such that for infinitely many primes g_p > C log p.

It can be proved^[15] in an elementary manner that for any positive integer M there are infinitely many primes such that M < g_p < p − M.

A primitive root modulo n is often used in pseudorandom number generators^[19] and cryptography, including the Diffie–Hellman key exchange scheme. Sound diffusers have been based on number-theoretic concepts such as primitive roots and quadratic residues.^[20][21]

• Ore, Oystein (1988). Number Theory and Its History. Dover. pp. 284–302. ISBN 978-0-486-65620-5..

• Weisstein, Eric W. "Primitive Root". MathWorld.
• Holt. "Quadratic residues and primitive roots". Mathematics. Michigan Tech.
• "Primitive roots calculator". BlueTulip.