How to check if a number is a generator of a cyclic multiplicative group

Ankeet Saha

7/14/24, 7:25 AM

Suppose I have a 2048 bit prime number p. Now for the group $Z_p$, could someone please tell me an efficient algorithm to check whether a randomly chosen number is a generator for the group or not

319

2 + 0

group-theory

Score:4

Crypto

fgrieu

7/14/24, 8:00 AM

Preliminary: $\mathbb Z_p$ is not a group under multiplication modulo $p$, for it contains the neutral element for addition modulo $p$, and that has no multiplicative inverse modulo $p$. What's wanted is an algorithm to check if $g\pmod p$ is a generator of the multiplicative subgroup of $\mathbb Z_p$, noted $\mathbb Z_p^*$, which has $p-1$ elements.

To determine that, we want to find the full factorization of $p-1=\prod{p_i}^{r_i}$. Then the desired necessary and sufficient condition is that $g\bmod p\ne0$, and for each prime $p_i$ dividing $p-1$ it holds $g^{(p-1)/p_i}\bmod p\ne1$. That easily translates to an algorithm.

Note: when $p=2$ there is no prime $p_i$ dividing $p-1$.

Note: When $p$ is a safe prime, the condition can be simplified to $g\bmod p\,\not\in\{0,1,p-1\}$ and $g^{(p-1)/2}\bmod p\,=p-1$. The corresponding algorithm is simpler.

+ 0

Score:3

Crypto

poncho

7/14/24, 2:08 PM

In addition to fgrieu's correct answer, even if you don't know the factorization of $p-1$, you can still get an answer that has a high probability of being correct (assuming that the value you're testing $g$ was chosen randomly and not maliciously).

Here's how you do it: you obtain a partial factorization of $p-1$, finding all small prime factors $q_0 = 2, q_1, q_2, ...$ which are less than $\lambda$, that is $p-1 = q_0 q_1 q_2 ... q_n C$ where $C$ has no factors $< \lambda$ (and is presumably composite - if it is prime or one, you have a complete factorization and can use fgrieu answer, which always gives you the right answer). The Elliptic Curve Method of factorization can give you such a partial factorization with $\lambda \approx 2^{128}$ being practical, and even larger $\lambda$s are possible (depending on your computing resources).

Once you have that, you compute (just as fgrieu stated) $g^{(p-1)/q_i} \bmod p$, and if they are all something other than 1, then you have a generator, with a maximum probability of being wrong (assuming $g$ was chosen randomly) $< \frac{\log p} {\lambda \log \lambda}$ - for $\lambda$ in the range that ECM allows you, this may be adequately small...

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to check if a number is a generator of a cyclic multiplicative group

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.