6 Primitive Roots and The Discrete Logarithm: 6.1 The Order of An Integer

This document is a section from a course on number theory taught by Jay Daigle at Occidental College. It discusses primitive roots and the discrete logarithm problem in modular arithmetic. Specifically, it defines the order of an integer modulo n, proves properties of orders, and introduces primitive roots as integers whose order is equal to Euler's phi function of n. It proves that every prime number has a primitive root, and that if n has a primitive root, it has exactly phi(phi(n)) primitive roots.
Jay Daigle Occidental College Math 322: Number Theory

6 Primitive Roots and the Discrete Logarithm


For further reading on the material in this subsection, consult Rosen 9.1.
In section 3.2 we studied the problem of extending division to modular arithmetic. We noted that trying to find $b/a$ is equivalent to solving the equation $ax = b$, and so we worked on the congruence $ax \equiv b \pmod m$.
In this section we will be applying a similar analysis to the logarithm. The real number logarithm $\log_a(b)$ is the solution to the equation $a^x = b$; we wish to study the congruence equation $a^x \equiv b \pmod m$.

6.1 The order of an integer


We’re going to start with the very simplest case: computing the logarithm of 1. In particular we want to consider the equation $a^x \equiv 1 \pmod n$ and see if it has any solutions at all, and if so, how many.
It is of course true that $x = 0$ solves this congruence. But we can find more solutions! Recall that Euler’s theorem tells us that if $n$ is a natural number and $(a, n) = 1$, then $a^{\varphi(n)} \equiv 1 \pmod n$. Thus $x = \varphi(n)$ is also a solution to this congruence. That means there is at least one positive solution, and so (by the well-ordering principle) we can ask for the least positive solution.

Definition 6.1. Let $a, n$ be relatively prime integers with $a \neq 0$ and $n$ positive. Then the least positive integer $x$ such that $a^x \equiv 1 \pmod n$ is called the order of $a$ modulo $n$, written $\operatorname{ord}_n a$.

Example 6.2. Let’s compute the orders of 2 and 3 modulo 7. We see
$$\begin{aligned}
2^1 &\equiv 2 \pmod 7 & 3^1 &\equiv 3 \pmod 7 \\
2^2 &\equiv 4 \pmod 7 & 3^2 &\equiv 9 \equiv 2 \pmod 7 \\
2^3 &\equiv 1 \pmod 7 & 3^3 &\equiv 27 \equiv 6 \pmod 7 \\
& & 3^4 &\equiv 81 \equiv 4 \pmod 7 \\
& & 3^5 &\equiv 4 \cdot 3 \equiv 12 \equiv 5 \pmod 7 \\
& & 3^6 &\equiv 5 \cdot 3 \equiv 15 \equiv 1 \pmod 7.
\end{aligned}$$
Thus $\operatorname{ord}_7 2 = 3$ and $\operatorname{ord}_7 3 = 6$.

Lemma 6.3. If $a, n$ are relatively prime integers with $a \neq 0$ and $n > 0$, then a positive integer $x$ is a solution to the congruence $a^x \equiv 1 \pmod n$ if and only if $\operatorname{ord}_n a \mid x$.

http://jaydaigle.net/teaching/courses/2019-fall-322/ 66

Proof. First suppose $\operatorname{ord}_n a \mid x$. Then we can write $x = m \cdot \operatorname{ord}_n a$ for some integer $m$, and we have
$$a^x \equiv a^{m \cdot \operatorname{ord}_n a} \equiv \left(a^{\operatorname{ord}_n a}\right)^m \equiv 1^m \equiv 1 \pmod n.$$
Conversely, suppose $a^x \equiv 1 \pmod n$. We can use the division algorithm to divide $x$ by $\operatorname{ord}_n a$ and write
$$x = q \cdot \operatorname{ord}_n a + r, \qquad 0 \le r < \operatorname{ord}_n a.$$
Then we compute
$$1 \equiv a^x \equiv a^{q \cdot \operatorname{ord}_n a + r} \equiv a^{q \cdot \operatorname{ord}_n a} \cdot a^r \equiv a^r \pmod n,$$
so we have $a^r \equiv 1 \pmod n$ but $0 \le r < \operatorname{ord}_n a$. But $\operatorname{ord}_n a$ is by definition the least positive integer with this property, so $r$ cannot be positive and must be 0. Thus $x = q \cdot \operatorname{ord}_n a$ as desired.

Remark 6.4. This should remind you of the proof that since $(a, b)$ is the least linear combination of $a$ and $b$, we know that $m$ is a linear combination of $a$ and $b$ if and only if $(a, b) \mid m$.

Example 6.5. Let’s see if 10, 20, or 30 are solutions to $3^x \equiv 1 \pmod 7$. We saw that $\operatorname{ord}_7 3 = 6$, so $3^{30} \equiv 1 \pmod 7$ since $6 \mid 30$. But $3^{20} \not\equiv 1 \pmod 7$ and $3^{10} \not\equiv 1 \pmod 7$ since $6 \nmid 10, 20$.

Corollary 6.6. If $(a, n) = 1$ with $n > 0$, then $\operatorname{ord}_n a \mid \varphi(n)$.

Proof. Since $(a, n) = 1$ we know that $a^{\varphi(n)} \equiv 1 \pmod n$ by Euler’s theorem, thus $\operatorname{ord}_n a \mid \varphi(n)$ by Lemma 6.3.

We can use this to make it easier to compute orders: we only need to check numbers that divide $\varphi(n)$.

Example 6.7. Let’s find the order of 7 modulo 9. We can compute that $\varphi(9) = 3(3 - 1) = 6$, so we just need to check 1, 2, 3, 6. We see
$$\begin{aligned}
7^1 &\equiv 7 \not\equiv 1 \pmod 9 \\
7^2 &\equiv 49 \equiv 4 \not\equiv 1 \pmod 9 \\
7^3 &\equiv 4 \cdot 7 \equiv 28 \equiv 1 \pmod 9.
\end{aligned}$$
So $\operatorname{ord}_9 7 = 3$, and we don’t need to check 6.


Example 6.8. Let’s find $\operatorname{ord}_{11} 3$. We know that $\varphi(11) = 10$ so we just need to check 1, 2, 5, 10. We have
$$\begin{aligned}
3^1 &\equiv 3 \not\equiv 1 \pmod{11} \\
3^2 &\equiv 9 \not\equiv 1 \pmod{11} \\
3^5 &\equiv 243 = 11(22) + 1 \equiv 1 \pmod{11}
\end{aligned}$$
so $\operatorname{ord}_{11} 3 = 5$. This saves us from checking 3 or 4 since we know they can’t be the answer.

Remark 6.9. Note that sometimes $\operatorname{ord}_n a = \varphi(n)$. For instance, you can check that $\operatorname{ord}_{11} 2 = 10$.
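The divisor-checking shortcut of Corollary 6.6, together with the divisibility test of Lemma 6.3, as an added Python example that is not part of the course notes; the names `phi`, `order_mod`, `solves_unit_congruence` and `lemma_6_3_agrees` are chosen here.

```python
from math import gcd


def phi(n):
    """Euler's phi function via trial-division factoring (adequate for small moduli)."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result


def divisors(n):
    """All positive divisors of n in increasing order."""
    return [d for d in range(1, n + 1) if n % d == 0]


def order_mod(a, n):
    """ord_n a: the least positive x with a^x ≡ 1 (mod n).

    Corollary 6.6 says ord_n a divides phi(n), so only the divisors of phi(n),
    tried in increasing order, need to be tested (as in Examples 6.7 and 6.8).
    """
    if n <= 0 or gcd(a, n) != 1:
        raise ValueError("ord_n a is defined only for n > 0 and (a, n) = 1")
    for d in divisors(phi(n)):
        if pow(a, d, n) == 1:
            return d
    raise AssertionError("unreachable: Euler's theorem guarantees x = phi(n) works")


def solves_unit_congruence(a, x, n):
    """Lemma 6.3: for x > 0, a^x ≡ 1 (mod n) exactly when ord_n a divides x."""
    return x % order_mod(a, n) == 0


def lemma_6_3_agrees(a, n):
    """Cross-check Lemma 6.3 against direct exponentiation for 1 <= x <= 2*phi(n)."""
    return all(solves_unit_congruence(a, x, n) == (pow(a, x, n) == 1)
               for x in range(1, 2 * phi(n) + 1))
```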

Lemma 6.10. If $(a, n) = 1$, then $a^i \equiv a^j \pmod n$ if and only if $i \equiv j \pmod{\operatorname{ord}_n a}$.

Proof. First, let’s suppose $i \equiv j \pmod{\operatorname{ord}_n a}$, and assume that $i \ge j$. Then there is some $k$ such that $i = j + k \cdot \operatorname{ord}_n a$, and we have
$$a^i \equiv a^{j + k \cdot \operatorname{ord}_n a} \equiv a^j \cdot a^{k \cdot \operatorname{ord}_n a} \equiv a^j \cdot \left(a^{\operatorname{ord}_n a}\right)^k \equiv a^j \cdot 1^k \equiv a^j \pmod n.$$
Conversely, suppose $a^i \equiv a^j \pmod n$, and again without loss of generality assume $i \ge j$. Then we have
$$\begin{aligned}
a^i &\equiv a^j \pmod n \\
a^j \cdot a^{i-j} &\equiv a^j \pmod n \\
a^{i-j} &\equiv 1 \pmod n
\end{aligned}$$
since $(a, n) = 1$ and thus $(a^j, n) = 1$, so we can use the cancellation lemma. But if $a^{i-j} \equiv 1 \pmod n$ then by Lemma 6.3 we know that $\operatorname{ord}_n a \mid i - j$, and so by definition $i \equiv j \pmod{\operatorname{ord}_n a}$.

6.2 Primitive Roots


For further reading on the material in this subsection, consult Rosen 9.1.
We’ve shown that the order of any integer modulo $n$ will divide $\varphi(n)$. In this subsection we’re interested in elements whose order is exactly $\varphi(n)$.

Definition 6.11. If $(a, n) = 1$ and $\operatorname{ord}_n a = \varphi(n)$, we say that $a$ is a primitive root modulo $n$, and we say that $n$ has a primitive root.


Example 6.12. We showed that $\operatorname{ord}_7 3 = 6 = \varphi(7)$ so 3 is a primitive root modulo 7. However, $\operatorname{ord}_7 2 = 3 \neq \varphi(7)$, so 2 is not a primitive root modulo 7.

Example 6.13. The number 8 does not have a primitive root. The integers relatively prime to 8 are 1, 3, 5, 7. We can compute $\operatorname{ord}_8 1 = 1$ and $\operatorname{ord}_8 3 = \operatorname{ord}_8 5 = \operatorname{ord}_8 7 = 2$, but $\varphi(8) = 4$.

Every prime number has a primitive root; we will prove this in subsection 6.3. Not every composite number has a primitive root, but some, like 6 and 10, do.

Theorem 6.14. If $(r, n) = 1$ and $n > 0$, and $r$ is a primitive root modulo $n$, then the set $\{r^1, r^2, \ldots, r^{\varphi(n)}\}$ is a reduced residue system modulo $n$.

Proof. This set clearly has the correct size, so we need to prove that these numbers are all relatively prime to $n$ and that no two are congruent modulo $n$.
Because $(r, n) = 1$ we know that $(r^k, n) = 1$ for any natural number $k$. This satisfies the first requirement.
Suppose $r^i \equiv r^j \pmod n$. Then by Lemma 6.10 we know that $i \equiv j \pmod{\operatorname{ord}_n r}$. But $r$ is a primitive root, which means that $\operatorname{ord}_n r = \varphi(n)$. Thus $\varphi(n) \mid i - j$, but $1 \le i, j \le \varphi(n)$ and thus $i = j$.

Example 6.15. We showed that $\operatorname{ord}_7 3 = 6$ so 3 is a primitive root modulo 7. Thus the set
$$\{3, 3^2, 3^3, 3^4, 3^5, 3^6\} = \{3, 9, 27, 81, 243, 729\}$$
is a reduced residue system modulo 7.
We can check that $\operatorname{ord}_9 2 = 6 = \varphi(9)$. Thus the set
$$\{2, 2^2, 2^3, 2^4, 2^5, 2^6\} = \{2, 4, 8, 16, 32, 64\}$$
is a reduced residue system modulo 9.

We already noted that not every integer has a primitive root. But if an integer has a
primitive root it usually has several more. We will spend the rest of this subsection making
that statement more precise.

Lemma 6.16. Let $n$ be a natural number, and $(a, n) = 1$, and set $\operatorname{ord}_n a = t$. Then for any $u \in \mathbb{N}$ we have
$$\operatorname{ord}_n a^u = \frac{t}{(u, t)}.$$


Proof. First set $t_1 = t/(u, t)$ and $u_1 = u/(u, t)$, and set $s = \operatorname{ord}_n a^u$. We know that $(t_1, u_1) = 1$. Now we want to show that $s = t_1$.
First we want to show that $(a^u)^{t_1} \equiv 1 \pmod n$. But
$$(a^u)^{t_1} = a^{u t_1} = a^{ut/(u,t)} = (a^t)^{u_1} \equiv 1^{u_1} \equiv 1 \pmod n.$$
Thus we know that $s = \operatorname{ord}_n a^u \mid t_1$ by Lemma 6.3.
Conversely, we know that $(a^u)^s \equiv 1 \pmod n$, and thus $a^{us} \equiv 1 \pmod n$, which implies that $t \mid us$, again by Lemma 6.3. Dividing on both sides by $(u, t)$ gives $t_1 \mid u_1 s$, but $(t_1, u_1) = 1$, so by Euclid’s lemma this gives us $t_1 \mid s$.
Since $t_1 \mid s$ and $s \mid t_1$, we know that $s = t_1$, which gives us
$$\operatorname{ord}_n (a^u) = \frac{\operatorname{ord}_n a}{(\operatorname{ord}_n a, u)},$$
or $s = t/(u, t)$, as desired.

Corollary 6.17. Let $r$ be a primitive root modulo $n$. Then $r^u$ is a primitive root modulo $n$ if and only if $(u, \varphi(n)) = 1$.

Proof. We know that
$$\operatorname{ord}_n r^u = \frac{\operatorname{ord}_n r}{(u, \operatorname{ord}_n r)} = \frac{\varphi(n)}{(u, \varphi(n))}.$$
Thus $r^u$ is a primitive root if and only if $\operatorname{ord}_n r^u = \varphi(n)$, if and only if $(u, \varphi(n)) = 1$.

So if a number n has a primitive root, how many does it have? It must have one for
every exponent that’s relatively prime to φ(n).

Corollary 6.18. If a positive integer $n$ has a primitive root, it has exactly $\varphi(\varphi(n))$ primitive roots.

Proof. Let $r$ be a primitive root modulo $n$. Then $r^u$ is a primitive root if and only if $(u, \varphi(n)) = 1$; there are $\varphi(\varphi(n))$ numbers $u$ with $1 \le u \le \varphi(n)$ relatively prime to $\varphi(n)$.
(Every primitive root must have the form $r^u$ for some $u$, since by Theorem 6.14 these are all the numbers relatively prime to $n$.)

Example 6.19. We claimed earlier that $\operatorname{ord}_{11} 2 = 10$, and thus 2 is a primitive root modulo 11. This tells us that 11 has $\varphi(\varphi(11)) = \varphi(10) = 4$ incongruent primitive roots. In particular, these roots are $2$, $2^3 = 8$, $2^7 = 128 \equiv 7$, $2^9 = 512 \equiv 6$. Thus $\{2, 6, 7, 8\}$ is a complete set of incongruent primitive roots modulo 11.

This result does have one weakness: it tells us what happens if there are any primitive
roots modulo n, but doesn’t tell us which integers n have any primitive roots at all.


6.3 Primitive Roots for Primes


In this section we’d like to prove that every prime number has a primitive root. The basic
idea is that for a fixed prime p, there are a lot of numbers relatively prime to p. In fact,
there are so many that we run out of “room” for non-primitive roots, so some of them have
to be primitive roots.
In order to do this, we have to return to looking at polynomial congruences.

Definition 6.20. Let $f(x)$ be a polynomial with integer coefficients. We say $c$ is a root of $f$ modulo $m$ if $f(c) \equiv 0 \pmod m$. (This is the same idea as a root in the integers, except we’re thinking about everything as belonging to the integers modulo $m$.)

Example 6.21. The polynomial $f(x) = x^2 + 1$ has no roots in the integers, but it has two roots modulo 5: $f(2) = 5 \equiv 0 \pmod 5$, and $f(3) = 10 \equiv 0 \pmod 5$.

Example 6.22. Let $f(x) = x^{p-1} - 1$ for a fixed prime $p$. Then by Fermat’s little theorem, $f$ has $p - 1$ incongruent roots modulo $p$: $1, 2, 3, \ldots, p - 1$.

It’s a famous result in the real numbers that a polynomial of degree n has at most n
distinct roots. A similar result holds modulo p.

Theorem 6.23 (Lagrange’s Theorem). Let $f(x) = a_n x^n + \cdots + a_1 x + a_0$ be a polynomial with integer coefficients, and $p \nmid a_n$. Then $f(x)$ has at most $n$ incongruent roots modulo $p$.

Proof. We prove this by induction. (Yay!) When $n = 1$, we have $f(x) = a_1 x + a_0$ with $p \nmid a_1$. By our results on linear congruences, we know that $a_1 x \equiv -a_0 \pmod p$ has exactly one solution modulo $p$, since $(a_1, p) = 1$. Thus $f$ has exactly one root, and thus at most one root.
Suppose the theorem is true for $n - 1$, that is, any such polynomial of degree $n - 1$ has at most $n - 1$ incongruent roots. Now let $f(x) = a_n x^n + \cdots + a_1 x + a_0$. Suppose $f(x)$ has $n + 1$ incongruent roots modulo $p$, which we can call $c_0, c_1, \ldots, c_n$. Then $f(c_i) \equiv 0 \pmod p$ for $0 \le i \le n$. Then
$$f(x) - f(c_0) = a_n (x^n - c_0^n) + a_{n-1} (x^{n-1} - c_0^{n-1}) + \cdots + a_1 (x - c_0).$$
We see that we can factor $(x - c_0)$ out of each term, so we can write
$$f(x) - f(c_0) = (x - c_0)\, g(x)$$
for some polynomial $g(x)$ with degree $\le n - 1$.


We claim that $g(c_i) \equiv 0 \pmod p$ for any $1 \le i \le n$. For we have
$$(c_i - c_0)\, g(c_i) = f(c_i) - f(c_0) \equiv 0 - 0 \equiv 0 \pmod p.$$
Thus since $p$ is prime, either $p \mid g(c_i)$ or $p \mid (c_i - c_0)$. But by hypothesis we know that $c_i \not\equiv c_0 \pmod p$ so $p \nmid c_i - c_0$, and thus we have $p \mid g(c_i)$ and $g(c_i) \equiv 0 \pmod p$. Thus $c_i$ is a root of $g$ modulo $p$ for $1 \le i \le n$.
Thus $g$ is a polynomial of degree $\le n - 1$ with $n$ incongruent roots, which contradicts the inductive hypothesis.

Remark 6.24. This theorem does not hold for composite moduli. For instance, if we take $g(x) = x^2 - 3x + 2$, then modulo 6 we see that $g(1) = 0 \equiv 0 \pmod 6$, $g(2) = 0 \equiv 0 \pmod 6$, and $g(4) = 6 \equiv 0 \pmod 6$.
We want to use Lagrange’s Theorem to put limits on how many elements can have a given order modulo $p$.

Proposition 6.25. Let $p$ be a prime and let $d$ be a divisor of $p - 1$. Then the polynomial $f(x) = x^d - 1$ has exactly $d$ incongruent roots modulo $p$.

Proof. We know that $d \mid p - 1$, so by the difference of $n$th powers formula we have $(x^d - 1) \mid x^{p-1} - 1$. In particular
$$x^{p-1} - 1 = (x^d - 1)(1 + x^d + x^{2d} + \cdots + x^{p-1-d}).$$
Set $g(x) = 1 + x^d + \cdots + x^{p-1-d}$; this is a polynomial of degree $p - 1 - d$.
By Fermat’s Little Theorem, we know that $x^{p-1} - 1$ has exactly $p - 1$ incongruent roots. We can see that every root of $x^{p-1} - 1$ that is not a root of $g$ must be a root of $x^d - 1$ (since if $p \mid x^{p-1} - 1$ then either $p \mid g(x)$ or $p \mid x^d - 1$).
But by Lagrange’s theorem we know that $g$ has at most $p - 1 - d$ incongruent roots, so $x^d - 1$ must have at least $p - 1 - (p - 1 - d) = d$ incongruent roots. But again we know that $x^d - 1$ has at most $d$ incongruent roots, so it has exactly $d$ incongruent roots.

Lemma 6.26. Let $p$ be a prime and let $d \mid p - 1$. Then there are at most $\varphi(d)$ positive integers less than $p$ that have order $d$ modulo $p$.

Proof. Let $F(d)$ be the number of positive integers of order $d$ modulo $p$ that are less than $p$. We wish to prove that $F(d) \le \varphi(d)$.
If there are no integers of order $d$ modulo $p$ then it’s clear that $F(d) = 0 \le \varphi(d)$. So suppose there is an integer $a$ of order $d$ modulo $p$. Then the integers $a, a^2, \ldots, a^d$ are all incongruent modulo $p$.


Further, we see that for any $k \in \mathbb{N}$, we compute that $(a^k)^d = (a^d)^k \equiv 1^k \equiv 1 \pmod p$, so $a^k$ is a root of $x^d - 1$ modulo $p$ for any $k$. Thus we have $d$ incongruent roots of $x^d - 1$ on this list. Since we know $x^d - 1$ has exactly $d$ incongruent roots modulo $p$, we know that the set of roots is exactly the set $a, a^2, \ldots, a^d$.
By Lemma 6.16, we see that
$$\operatorname{ord}_p a^k = \frac{\operatorname{ord}_p a}{(k, \operatorname{ord}_p a)} = \frac{d}{(k, d)},$$
and thus $a^k$ has order $d$ if and only if $(k, d) = 1$. There are exactly $\varphi(d)$ such integers $k$ with $1 \le k \le d$, and thus if there is one element of order $d$ modulo $p$, there are exactly $\varphi(d)$ positive integers less than $p$ of order $d$ modulo $p$. Thus $F(d) \le \varphi(d)$.

Remark 6.27. This lemma proves that for a given $d \mid p - 1$, either there are $\varphi(d)$ elements of order $d$ or there are 0. But we didn’t state it that way because we are about to leverage it into an even better result.

Theorem 6.28. Let $p$ be a prime, and let $d$ be a positive divisor of $p - 1$. Then the number of incongruent integers of order $d$ modulo $p$ is exactly $\varphi(d)$.

Proof. This is essentially a counting argument. For any $d \mid p - 1$, let $F(d)$ be the number of positive integers of order $d$ modulo $p$ that are less than $p$. Because every integer from 1 to $p - 1$ has an order dividing $p - 1$, we see that
$$p - 1 = \sum_{d \mid p-1} F(d).$$
But we also know that
$$p - 1 = \sum_{d \mid p-1} \varphi(d),$$
so
$$\sum_{d \mid p-1} F(d) = \sum_{d \mid p-1} \varphi(d).$$
From Lemma 6.26 we know that $F(d) \le \varphi(d)$, but their sums are equal; the only way this is possible is if $F(d) = \varphi(d)$ for each $d \mid p - 1$. Thus there are exactly $\varphi(d)$ incongruent integers of order $d$ modulo $p$.

Corollary 6.29. Every prime has a primitive root.

Proof. Let $p$ be a prime. Then there are exactly $\varphi(p - 1)$ incongruent integers of order $p - 1$ modulo $p$ by Theorem 6.28. But these are all primitive roots by definition. Since $\varphi(p - 1) \ge 1$, this completes the proof.


This proves that every prime has a primitive root, but doesn’t give us a way to find them. In fact locating primitive roots is not trivial; on the other hand, 2 appears to be a primitive root quite often. But we don’t know whether it is a primitive root infinitely often.

Conjecture 6.30 (Artin). Any integer $a$ such that $a \neq \pm 1$ and $a$ is not a perfect square is a primitive root of infinitely many primes.

Proposition 6.31 (Hooley 1967). The Generalized Riemann Hypothesis implies Artin’s conjecture.

Proposition 6.32 (Heath-Brown 1985). There are at most three positive square-free integers $a$ such that $a$ is a primitive root of only finitely many primes. Thus at least one of 2, 3, 5 is a primitive root for infinitely many primes.

6.4 Primitive Roots for Composites


We now understand exactly when a prime number has a primitive root (always), and how many it has ($\varphi(p - 1)$). What about composite numbers?
We start with the simplest kind of composite numbers: the prime powers.

Lemma 6.33. Let $p$ be an odd prime, with primitive root $r$. Then either $r$ or $r + p$ is a primitive root modulo $p^2$.

Remark 6.34. This means that there is some integer that is a primitive root modulo $p$ and also modulo $p^2$, since $p + r$ is a primitive root modulo $p$.

Proof. We know that $\operatorname{ord}_p r = \varphi(p) = p - 1$. Let $n = \operatorname{ord}_{p^2} r$. By definition $r^n \equiv 1 \pmod{p^2}$, and thus $r^n \equiv 1 \pmod p$. This implies that $p - 1 = \operatorname{ord}_p r \mid n$.
But we know that $\operatorname{ord}_{p^2} r \mid \varphi(p^2) = p(p - 1)$, so we have $p - 1 \mid n \mid p(p - 1)$. Thus either $n = p - 1$ or $n = p(p - 1)$. If $n = p(p - 1)$ then $r$ is a primitive root modulo $p^2$; so suppose $n = p - 1$.
Let $s = r + p$. Then since $s$ is also a primitive root modulo $p$, by the same logic we know that $\operatorname{ord}_{p^2} s$ is either $p - 1$ or $p(p - 1)$. We wish to show that $\operatorname{ord}_{p^2} s \neq p - 1$.
By the binomial theorem, we compute
$$\begin{aligned}
s^{p-1} = (r + p)^{p-1} &= \sum_{i=0}^{p-1} \binom{p-1}{i} p^i r^{p-1-i} \\
&= r^{p-1} + (p - 1) p r^{p-2} + \cdots + (p - 1) p^{p-2} r + p^{p-1} \\
&\equiv r^{p-1} + (p - 1) p r^{p-2} \pmod{p^2} \\
&\equiv 1 + (p - 1) p r^{p-2} \pmod{p^2}.
\end{aligned}$$


But since $p \nmid r$ we see that $(p - 1) p r^{p-2} \not\equiv 0 \pmod{p^2}$, so $s^{p-1} \not\equiv 1 \pmod{p^2}$ as desired.
Thus $\operatorname{ord}_{p^2} s \neq p - 1$, and the only remaining possibility is that $\operatorname{ord}_{p^2} s = p(p - 1) = \varphi(p^2)$.

Example 6.35. We have seen that 2 is a primitive root modulo 11. But $2^{10} = 1024 \equiv 56 \pmod{121}$ so $\operatorname{ord}_{121} 2 \neq 10$. Thus we must have $\operatorname{ord}_{121} 2 = 110 = \varphi(121)$ so 2 is a primitive root modulo 121.
We have seen that 3 is a primitive root modulo 7. But $3^6 = 729 \equiv 43 \not\equiv 1 \pmod{49}$. Thus $\operatorname{ord}_{49} 3 \neq 6$ so $\operatorname{ord}_{49} 3 = 42 = \varphi(49)$ and 3 is a primitive root modulo 49.

Example 6.36. Let $p = 487$ be prime, and we compute that $\operatorname{ord}_{487} 10 = 486$. (We do not do this by hand.) But $10^{486} \equiv 1 \pmod{487^2}$ so 10 is not a primitive root modulo $487^2$. Thus we know that $497 = 10 + 487$ is a primitive root modulo $487^2$.

Lemma 6.37. Let $p$ be an odd prime. Then $p^k$ has a primitive root for any $k \in \mathbb{N}$. Moreover, if $r$ is a primitive root modulo $p^2$, then $r$ is a primitive root modulo $p^k$ for any $k \in \mathbb{N}$.

Proof. By Lemma 6.33 we know that $p$ has a primitive root $r$ that is also a primitive root modulo $p^2$, and thus $r^{p-1} \not\equiv 1 \pmod{p^2}$.
First we will prove by induction that $r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}$ for any $k \ge 2$. The base case when $k = 2$ follows from Lemma 6.33. Suppose the assertion is true for $k$, and we will prove it for $k + 1$.
By the inductive hypothesis, we know that
$$r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}.$$
But also $(r, p) = 1$ since $r$ is a primitive root, and thus $(r, p^{k-1}) = 1$. Since $\varphi(p^{k-1}) = p^{k-2}(p - 1)$, Euler’s theorem gives
$$r^{p^{k-2}(p-1)} = r^{\varphi(p^{k-1})} \equiv 1 \pmod{p^{k-1}}.$$
Thus we can find some integer $d$ such that
$$r^{p^{k-2}(p-1)} = 1 + d p^{k-1}$$
where $p \nmid d$, since otherwise the congruence would hold modulo $p^k$. We can raise both sides of this to the $p$th power, which gives
$$\begin{aligned}
r^{p^{k-2}(p-1) \cdot p} &= \sum_{i=0}^{p} \binom{p}{i} \left(d p^{k-1}\right)^i \\
r^{p^{k-1}(p-1)} &= 1 + d p^k + p^{k+1}(\text{stuff}) \\
r^{p^{k-1}(p-1)} &\equiv 1 + d p^k \pmod{p^{k+1}} \\
&\not\equiv 1 \pmod{p^{k+1}}
\end{aligned}$$
since $p \nmid d$. Thus by induction, for any $k \ge 2$ we have
$$r^{p^{k-1}(p-1)} \not\equiv 1 \pmod{p^{k+1}}.$$
Now we wish to show that $r$ is a primitive root modulo $p^k$. Let $n = \operatorname{ord}_{p^k} r$. We know that $n \mid \varphi(p^k) = p^{k-1}(p - 1)$. Further, we know that $\operatorname{ord}_p r = p - 1$ so we must have $p - 1 \mid n$. So $n = p^t(p - 1)$ for some $0 \le t \le k - 1$.
But we know that
$$r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k},$$
so we cannot have $t \le k - 2$ (since then $n = p^t(p - 1)$ would divide $p^{k-2}(p - 1)$ and Lemma 6.3 would force $r^{p^{k-2}(p-1)} \equiv 1 \pmod{p^k}$). Thus $t = k - 1$ and so $\operatorname{ord}_{p^k} r = p^{k-1}(p - 1) = \varphi(p^k)$, and $r$ is a primitive root modulo $p^k$.

Example 6.38. We saw that 2 is a primitive root modulo 11 and also modulo 121. Thus 2
is a primitive root modulo 11k for any k ∈ N.

Now we turn our attention to powers of even primes.

Lemma 6.39. If $a$ is an odd integer and $k$ is an integer with $k \ge 3$, then
$$a^{\varphi(2^k)/2} = a^{2^{k-2}} \equiv 1 \pmod{2^k}.$$
Thus there are no primitive roots modulo $2^k$ for $k \ge 3$.

Proof. We prove this by induction, again.
Our base case is $k = 3$, which you checked for homework: we saw that $\varphi(2^3) = \varphi(8) = 4$, but $a^2 \equiv 1 \pmod 8$ for any odd $a$.
Now suppose $a^{2^{k-2}} \equiv 1 \pmod{2^k}$. Then there is an integer $d$ with $a^{2^{k-2}} = 1 + d 2^k$. Squaring both sides gives
$$\begin{aligned}
a^{2^{k-2} \cdot 2} &= (1 + d 2^k)^2 \\
a^{2^{k-1}} &= 1 + 2^{k+1} d + d^2 2^{2k} \\
a^{2^{k-1}} &\equiv 1 \pmod{2^{k+1}}
\end{aligned}$$
as desired.

This shows that there is never a primitive root modulo $2^k$ if $k \ge 3$. However, there is always an “almost primitive root”: a number whose order is as big as possible without being a primitive root. In fact, 5 is always such a number. The proof is very similar to the last two proofs we did.

Exercise 6.40. Let $k \ge 3$ be an integer. Then
$$\operatorname{ord}_{2^k} 5 = \varphi(2^k)/2 = 2^{k-2}.$$

6.4.1 Primitive roots modulo not prime powers

We now have a pretty thorough understanding of when a prime power has a primitive root.
What about other composite numbers? Mostly they don’t have primitive roots.

Lemma 6.41. If $n$ is a positive integer that is not a prime power or twice a prime power, then $n$ does not have a primitive root.

Proof. Let $n = p_1^{t_1} \cdots p_m^{t_m}$, and suppose $r$ is a primitive root modulo $n$. Then $(r, n) = 1$ and $\operatorname{ord}_n r = \varphi(n)$.
We know that $(r, p^t) = 1$ for any $p$ in the prime factorization of $n$, and for any $t \in \mathbb{N}$. Thus $r^{p^{t-1}(p-1)} = r^{\varphi(p^t)} \equiv 1 \pmod{p^t}$.
Let $U$ be the least common multiple of the $\varphi(p_i^{t_i})$, i.e.
$$U = \operatorname{lcm}\left(\varphi(p_1^{t_1}), \ldots, \varphi(p_m^{t_m})\right).$$
Then since $\varphi(p_i^{t_i}) \mid U$ we know that $r^U \equiv 1 \pmod{p_i^{t_i}}$ for every $i$. Thus, by the Chinese Remainder Theorem, $r^U \equiv 1 \pmod n$.
Then we must have $\varphi(n) = \operatorname{ord}_n r \le U$. But since $\varphi$ is multiplicative, this must imply that
$$\varphi(p_1^{t_1}) \cdots \varphi(p_m^{t_m}) \le U = \operatorname{lcm}\left(\varphi(p_1^{t_1}), \ldots, \varphi(p_m^{t_m})\right).$$
But the product of a set of positive integers is always at least their least common multiple, with equality only when all the numbers are pairwise relatively prime. So we must have the $\varphi(p_i^{t_i})$ all pairwise relatively prime.
But recall that $\varphi(\ell)$ is even unless $\ell$ is 1 or 2. Thus in order for the $\varphi(p_i^{t_i})$ to all be pairwise relatively prime, there can be at most one $p_i^{t_i}$ that is not equal to 2. Thus either $n = p_1^{t_1}$ and is a prime power, or $n = 2 p_1^{t_1}$ and is two times a prime power, as desired.


This lemma limits which numbers can have primitive roots. We’ve shown that many of
the possibilities do in fact have primitive roots: we know that prime powers have primitive
roots as long as the prime is not 2. But we haven’t checked this case of “twice a prime
power,” so we do that now.

Lemma 6.42. If $p$ is an odd prime and $t$ is a positive integer, then $2p^t$ has a primitive root. In particular, if $r$ is an odd primitive root modulo $p^t$ then it is also a primitive root modulo $2p^t$. If $r$ is an even primitive root modulo $p^t$ then $r + p^t$ is a primitive root modulo $2p^t$.

Proof. If $r$ is a primitive root modulo $p^t$, then $\operatorname{ord}_{p^t} r = \varphi(p^t) = p^{t-1}(p - 1)$. We observe that $\varphi(2p^t) = \varphi(2)\varphi(p^t) = \varphi(p^t)$, so $\operatorname{ord}_{p^t} r = \varphi(2p^t)$ as well.
If $r$ is odd, then $r \equiv 1 \pmod 2$ so $r^{\varphi(2p^t)} \equiv 1 \pmod 2$. Since $r^{\varphi(2p^t)} \equiv 1 \pmod{p^t}$, by the Chinese Remainder Theorem we have $r^{\varphi(2p^t)} \equiv 1 \pmod{2p^t}$. But if $r^n \equiv 1 \pmod{2p^t}$ then $r^n \equiv 1 \pmod{p^t}$, and we know $\operatorname{ord}_{p^t} r = \varphi(2p^t)$, so $\varphi(2p^t) \mid n$ and in particular $n \ge \varphi(2p^t)$. Thus $\operatorname{ord}_{2p^t} r = \varphi(2p^t)$ and thus $r$ is a primitive root modulo $2p^t$.
If $r$ is even, then $r + p^t$ is odd and a primitive root modulo $p^t$, and by the same argument we see that $r + p^t$ is a primitive root modulo $2p^t$.

Example 6.43. We showed that 2 is a primitive root modulo $11^k$ for any $k \in \mathbb{N}$. Since 2 is even, we know that $2 + 11^k$ is a primitive root modulo $2 \cdot 11^k$ for any $k \in \mathbb{N}$.

Combining everything we have shown, we can state the following theorem:

Theorem 6.44. Let $n$ be a positive integer greater than 1. Then $n$ possesses a primitive root if and only if $n = 2, 4, p^t$, or $2p^t$ for some odd prime $p$ and natural number $t$.
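How Corollary 6.18, Lemma 6.33 and Theorem 6.44 play out computationally, as an added Python example that is not part of the course notes; the function names and the brute-force cross-check are choices made here, and the only page-specific input values are the ones from Examples 6.19, 6.35 and 6.36.

```python
from math import gcd


def phi(n):
    """Euler's phi function by direct count (small n only)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def order_mod(a, n):
    """Brute-force ord_n a; assumes n >= 2 and (a, n) = 1."""
    x, power = 1, a % n
    while power != 1:
        power, x = power * a % n, x + 1
    return x


def primitive_roots_brute(n):
    """Every residue a (1 <= a < n) with (a, n) = 1 and ord_n a = phi(n) (Definition 6.11)."""
    ph = phi(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order_mod(a, n) == ph]


def primitive_roots_from(r, n):
    """Corollary 6.18: given one primitive root r, the full set is {r^u : (u, phi(n)) = 1}."""
    ph = phi(n)
    return sorted(pow(r, u, n) for u in range(1, ph + 1) if gcd(u, ph) == 1)


def lift_to_prime_square(r, p):
    """Lemma 6.33: for an odd prime p with primitive root r, either r or r + p is a
    primitive root modulo p^2; r fails exactly when r^(p-1) ≡ 1 (mod p^2)."""
    return r if pow(r, p - 1, p * p) != 1 else r + p


def has_primitive_root(n):
    """Theorem 6.44: n > 1 has a primitive root iff n is 2, 4, p^t or 2p^t (p an odd prime)."""
    if n in (2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n       # strip a single factor of 2 (the 2p^t case)
    if m < 3 or m % 2 == 0:
        return False                       # n <= 1, or 4 | n with n != 4
    p = next(d for d in range(3, m + 1, 2) if m % d == 0)   # smallest odd prime factor
    while m % p == 0:
        m //= p
    return m == 1                          # an odd prime power leaves nothing else behind


def theorem_6_44_holds_up_to(limit):
    """Cross-check for 2 <= n <= limit: the brute-force count equals phi(phi(n)) exactly
    when Theorem 6.44 predicts a primitive root (and is 0 otherwise), and the r^u
    construction of Corollary 6.18 reproduces the whole set from the smallest root."""
    for n in range(2, limit + 1):
        roots = primitive_roots_brute(n)
        expected = phi(phi(n)) if has_primitive_root(n) else 0
        if len(roots) != expected:
            return False
        if roots and primitive_roots_from(roots[0], n) != roots:
            return False
    return True
```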

6.5 Discrete Logarithms


For further reading on the material in this subsection, consult Rosen 9.4, Shoup 11.1-11.2.
Recall from Theorem 6.14 that if $r$ is a primitive root modulo $m$, then $\{r^k : 1 \le k \le \varphi(m)\}$ is a reduced residue system modulo $m$. Thus the equation $r^x \equiv a \pmod m$ has a solution whenever $(a, m) = 1$, and this solution is unique modulo $\varphi(m)$.

Definition 6.45. Let $m$ be a natural number with primitive root $r$, and let $a$ be a positive integer with $(a, m) = 1$. The unique integer $x$ with $1 \le x \le \varphi(m)$ and $r^x \equiv a \pmod m$ is called the index or discrete logarithm of $a$ to the base $r$ modulo $m$, and is denoted $\operatorname{ind}_r a$ or $\log_r a$.


Clearly $r^{\operatorname{ind}_r a} \equiv a \pmod m$. Further, by Lemma 6.10 we see that $a \equiv b \pmod m$ if and only if $\operatorname{ind}_r a \equiv \operatorname{ind}_r b \pmod{\varphi(m)}$, indeed if and only if $\operatorname{ind}_r a = \operatorname{ind}_r b$ since the index is always between 1 and $\varphi(m)$.

Example 6.46. Earlier we worked out the table
$$\begin{aligned}
3^1 &\equiv 3 \pmod 7 & 3^2 &\equiv 9 \equiv 2 \pmod 7 \\
3^3 &\equiv 27 \equiv 6 \pmod 7 & 3^4 &\equiv 81 \equiv 4 \pmod 7 \\
3^5 &\equiv 4 \cdot 3 \equiv 12 \equiv 5 \pmod 7 & 3^6 &\equiv 5 \cdot 3 \equiv 15 \equiv 1 \pmod 7.
\end{aligned}$$
Thus modulo 7 we have
$$\begin{aligned}
\operatorname{ind}_3 1 &= 6 & \operatorname{ind}_3 2 &= 2 & \operatorname{ind}_3 3 &= 1 \\
\operatorname{ind}_3 4 &= 4 & \operatorname{ind}_3 5 &= 5 & \operatorname{ind}_3 6 &= 3.
\end{aligned}$$
If we use a different base we get different indices. For instance, we see that 5 is a primitive root modulo 7, and we have
$$\begin{aligned}
\operatorname{ind}_5 1 &= 6 & \operatorname{ind}_5 2 &= 4 & \operatorname{ind}_5 3 &= 5 \\
\operatorname{ind}_5 4 &= 2 & \operatorname{ind}_5 5 &= 1 & \operatorname{ind}_5 6 &= 3.
\end{aligned}$$

We can prove that the “index” operation has most of the properties of logarithms.

Exercise 6.47. Let $m$ be a natural number with primitive root $r$, and let $a, b$ be relatively prime to $m$. Then

1. $\operatorname{ind}_r 1 \equiv 0 \pmod{\varphi(m)}$

2. $\operatorname{ind}_r (ab) \equiv \operatorname{ind}_r a + \operatorname{ind}_r b \pmod{\varphi(m)}$

3. $\operatorname{ind}_r a^k \equiv k \operatorname{ind}_r a \pmod{\varphi(m)}$.

Example 6.48. We know that modulo 7, we have $\operatorname{ind}_5 2 = 4$ and $\operatorname{ind}_5 3 = 5$. We compute that $\operatorname{ind}_5 (2 \cdot 3) \equiv \operatorname{ind}_5 2 + \operatorname{ind}_5 3 = 4 + 5 = 9$, and modulo $\varphi(7) = 6$ this is indeed equivalent to $\operatorname{ind}_5 6 = 3$.

Example 6.49. We can use this to solve exponential congruences. Suppose we wish to find all solutions of $6x^{12} \equiv 11 \pmod{17}$. We can compute that 3 is a primitive root modulo 17, and can compute (or look up) a table of indices of integers modulo 17.


$$\begin{array}{c|cccccccccccccccc}
a & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 \\ \hline
\operatorname{ind}_3 a & 16 & 14 & 1 & 12 & 5 & 15 & 11 & 10 & 2 & 3 & 7 & 13 & 4 & 9 & 6 & 8
\end{array}$$
Then we have
$$\begin{aligned}
\operatorname{ind}_3 (6x^{12}) &\equiv \operatorname{ind}_3 (11) \pmod{\varphi(17)} \\
\operatorname{ind}_3 6 + \operatorname{ind}_3 x^{12} &\equiv \operatorname{ind}_3 11 \pmod{16} \\
\operatorname{ind}_3 6 + 12 \operatorname{ind}_3 x &\equiv \operatorname{ind}_3 11 \pmod{16} \\
15 + 12 \operatorname{ind}_3 x &\equiv 7 \pmod{16} \\
12 \operatorname{ind}_3 x &\equiv 8 \pmod{16} \\
3 \operatorname{ind}_3 x &\equiv 2 \pmod 4 \\
\operatorname{ind}_3 x &\equiv 2 \cdot 3 \equiv 2 \pmod 4.
\end{aligned}$$
Thus we have $\operatorname{ind}_3 x \in \{2, 6, 10, 14\}$ and thus
$$x \equiv 3^2, 3^6, 3^{10}, 3^{14} \equiv 9, 15, 8, 2 \pmod{17}.$$

Example 6.50. Find all solutions of $7^x \equiv 6 \pmod{17}$.
We have
$$\begin{aligned}
\operatorname{ind}_3 (7^x) &\equiv \operatorname{ind}_3 6 \pmod{16} \\
x \cdot \operatorname{ind}_3 7 &\equiv 15 \pmod{16} \\
11x &\equiv 15 \pmod{16} \\
x &\equiv 11^{-1} \cdot 15 \equiv 3 \cdot 15 \equiv 13 \pmod{16}.
\end{aligned}$$
Thus $7^x \equiv 6 \pmod{17}$ if and only if $x \equiv 13 \pmod{16}$.
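The index-table method of Examples 6.49 and 6.50 in general form, as an added Python example that is not part of the course notes: a congruence $ax^k \equiv b$ or $a^x \equiv b$ modulo a prime $p$ is turned into a linear congruence modulo $p - 1$ via Exercise 6.47, and that linear congruence is solved with all of its $\gcd$-many solutions (the step that produced the four values in Example 6.49). The function names are chosen here; the table is built by the "raise the root to successive powers" method of Remark 6.51, and the $p = 17$, $r = 3$ values are checked against the table in the notes.

```python
from math import gcd


def index_table(r, p):
    """{a: ind_r a} modulo the prime p, with 1 <= ind_r a <= p - 1 (Definition 6.45).

    Built the way Remark 6.51 describes: raise r to successive powers and record
    which residue each power lands on. Raises ValueError if r is not a primitive root.
    """
    table, power = {}, 1
    for k in range(1, p):
        power = power * r % p
        table[power] = k
    if len(table) != p - 1:          # Theorem 6.14: a primitive root hits every nonzero residue
        raise ValueError(f"{r} is not a primitive root modulo {p}")
    return table


def solve_linear(c, d, n):
    """All y modulo n with c*y ≡ d (mod n); empty if gcd(c, n) does not divide d."""
    g = gcd(c, n)
    if d % g:
        return []
    n_g = n // g
    y0 = (d // g) * pow(c // g, -1, n_g) % n_g
    return [y0 + j * n_g for j in range(g)]  # g incongruent solutions modulo n


def solve_power_congruence(a, k, b, p, r):
    """All x modulo p with a*x^k ≡ b (mod p), for a, b not divisible by p.

    Taking indices: ind_r a + k*ind_r x ≡ ind_r b (mod p - 1), a linear congruence
    in ind_r x; each solution y gives x = r^y (Example 6.49).
    """
    if a % p == 0 or b % p == 0:
        raise ValueError("indices are defined only for residues coprime to p")
    ind = index_table(r, p)
    ys = solve_linear(k, ind[b % p] - ind[a % p], p - 1)
    return sorted(pow(r, y, p) for y in ys)


def solve_exponential_congruence(a, b, p, r):
    """All x modulo p - 1 with a^x ≡ b (mod p): x*ind_r a ≡ ind_r b (mod p - 1) (Example 6.50)."""
    if a % p == 0 or b % p == 0:
        raise ValueError("indices are defined only for residues coprime to p")
    ind = index_table(r, p)
    return sorted(solve_linear(ind[a % p], ind[b % p], p - 1))
```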

Remark 6.51. You might notice that we did a lot of work with the cavalier statement “we can compute a table of indices.” In fact, computing indices or discrete logarithms is quite computationally intensive, and there isn’t much of a better way of computing $\operatorname{ind}_3 12$ than just raising 3 to a bunch of powers and seeing which one gives you 12. (Thus if you’re computing indices at all you might as well build a table.)
The fact that this problem is computationally difficult underlies the security of much cryptography currently in use; it is comparable to the problem of factoring large integers.
Like integer factorization, the discrete logarithm problem can be solved quickly on a quantum computer. We don’t currently have useful quantum computers, but researchers are worried that they will be practical in the near-to-medium future, and we are starting to move to “lattice-based” encryption methods that do not depend on the discrete logarithm problem.
