Fixed points for discrete logarithms

Fixed points for discrete logarithms Mariana Levin and Carl Pomerance Abstract: We establish a conjecture of Brizolis that for every prime p > 3 there is a primitive root r and an integer t in the interval [1, p − 1] with logr t = t. Here, logr is the discrete logarithm function to the base r for the cyclic group (Z/pZ)× . Tools include a numerically explicit version of the P´ olya–Vinogradov inequality for the sum of values of a Dirichlet character on an interval, some combinatorial sieving techniques, plus an exhaustive search over small cases. Keywords: Dirichlet character, Gauss sum, P´ olya–Vinogradov inequality, Bonferroni inequalities 1. Introduction If g is an element in a group G and t ∈ hgi, there is some integer n with gn = t. Finding a valid choice for n is known as the discrete logarithm problem. Note that if g has finite order m, then n is actually a residue class modulo m. We write logg t = n (or logg t ≡ n (mod m)) in analogy to usual logarithmic notation. Thus, the problem in the title of this paper does not seem to make good sense, since if logg x = x, then the first x is a member of the group hgi and the second x is either an integer or a residue class modulo m. However, sense is made of the equation through the traditional conflation of members of the ring Z/kZ with least nonnegative members of residue classes. In particular, suppose G = (Z/pZ)∗ , where p is a prime number. This is known to be a cyclic group of order p − 1. Suppose g is a cyclic generator of this group, known as a primitive root for p. A fixed point for the discrete logarithm modulo p to the base g is then an integer x in the interval [1, p−1] such that logg x = x, that is, gx ≡ x (mod p). (Note that if x is not restricted to the interval [1, p − 1] it is easy to find fixed points. Namely, if x is a solution to the Chinese remainder problem x ≡ 1 (mod p − 1), x ≡ g (mod p), then gx = x.) Brizolis (see Guy [5, Section F9]) made the conjecture that for every prime p > 3 there is a primitive root g and an integer x in [1, p − 1] with 2010 Mathematics Subject Classification: 11A07 (11L40, 11N36). The work for this paper was begun at Bell Laboratories in 2001 while the first author was a summer student working with the second author. A version of this work was presented as the 2003 Master’s Thesis of the first author at U. C. Berkeley. The second author was supported in part by NSF grant DMS-0703850. 1

2

Mariana Levin and Carl Pomerance

logg x = x, that is, gx ≡ x (mod p). In this paper we prove this conjecture in a somewhat stronger form. Brizolis had noticed that if there is a primitive root x for p with x in [1, p − 1] and gcd(x, p − 1) = 1, then with y the multiplicative inverse of x modulo p − 1 and g = xy , we would have that g is a primitive root for p as well, and gx ≡ xxy ≡ x (mod p), that is, there is a solution to the fixed point problem. We shall prove then the stronger result that for each prime p > 3 there is a primitive root x for p in [1, p − 1] that is coprime to p − 1. Several authors have shown that the Brizolis property holds for all sufficiently large primes p. In particular, Zhang [10] showed the strong conjecture holds for all sufficiently large primes p, but did not give an estimate of what “sufficiently large” is. Cobeli and Zaharescu [3] also showed that the strong conjecture holds for sufficiently large primes p, and gave the details that it holds for all p > 102070 , but they indicated that their method would support a bound around 1050 . Our method is similar to that of Zhang, who used the P´ olya–Vinogradov inequality for character sums. We use a numerically explicit version of this inequality that was recently proved by the second author in [9]. The primary new idea is to combine the traditional character-sum approach with a combinatorial lower bound sieve. There is still some need for direct calculation for smaller values of p, but now they are easily handled by some simple Mathematica programs. In particular, we directly verified the strong conjecture for each prime p < 6.6 · 109 , and also for some larger primes that satisfy some congruence conditions. We mention the article by Holden and Moree [7], which considers some related problems. Guy [5] Some notation: Pk denotes the product of the first k primes and ω(n) denotes the number of distinct primes that divide n. ´ lya–Vinogradov inequality 2. The Po Let χ be a non-principal Dirichlet character to the modulus q and let N X χ(a) . S(χ) = max M,N a=M

The P´ olya–Vinogradov inequality (independently discovered by P´ olya and Vinogradov in 1918) asserts that there is a universal constant c such that S(χ) ≤ cq 1/2 log q.

(1)

Elaborating on the work in an early paper of Landau [8], plus an idea of Bateman as mentioned in Hildebrand [6], the second author in [9] recently proved the following numerically explicit version of (1).

Fixed points for discrete logarithms

3

Theorem 1. For χ a primitive character to the modulus q > 1, we have  2 1/2 4 3   q log q + 2 q 1/2 log log q + q 1/2 , χ even,   π2 π 2 S(χ) ≤     1 q 1/2 log q + 1 q 1/2 log log q + q 1/2 , χ odd. 2π π Note that a character χ is called even if it is an even function and odd if it is an odd function. Previously, the best known explicit version of the P´ olya–Vinogradov inequality was that of [1]; a slight improvement of that result was used in the first incarnation of this paper in [2]. Let N X χ(a) , S0 (χ) = max N a=0

so that we always have S(χ) ≤ 2S0 (χ) via the triangle inequality. In the case of even characters, this may be reversed, that is, S(χ) = 2S0 (χ). Indeed, 2

N X a=0

χ(a) =

N X

χ(a),

a=−N

so that 2S0 (χ) ≤ S(χ). Thus, the inequality for S(χ) above may be divided by 2 for χ even when considering an initial interval. We also remark that we have the same bounds when the variable a runs over odd integers. That is, we have the following consequence of Theorem 1. Corollary 2. For χ a primitive character to the modulus q > 1 and for N a positive integer, we have   1 1/2 2 3  q log q + 2 q 1/2 log log q + q 1/2 , χ even,  π2  X π 4 χ(a) ≤    0≤a≤N  1 q 1/2 log q + 1 q 1/2 log log q + q 1/2 , χ odd. a odd 2π π Proof. If the modulus q is even, then χ(a) = 0 when a is even, so the result follows immediately from Theorem 1 and the subsequent remark. Suppose q is odd. We may write the sum as X X χ(a + q) = χ(2) χ(b), 0≤a≤N a odd

q/2≤b≤(q+N )/2

so when χ is odd, the result follows from the estimate for S(χ) in the theorem. If χ is even, the sum is X X χ(2) χ(b), χ(b) = χ(2) 2 q/2≤b≤(q+N )/2

(q−N )/2≤b≤(q+N )/2

and the result follows again from the theorem.



Mariana Levin and Carl Pomerance

4

3. The infinite interval In this section we establish an asymptotic formula for N (p), the number of primitive roots for the prime p in the interval [1, p − 1] that are coprime to p − 1. This formula shows that N (p) > 0 for all sufficiently large values of p. As we have seen, if N (p) > 0, then p has the Brizolis property. Being coprime to p−1 and being a primitive root for p may both separately be expressed as an inclusion-exclusion. In particular, as is well-known, X µ(d) d| gcd(g,p−1)

is 1 if g is coprime to p − 1 and is 0 otherwise. Here µ is the M¨obius function. To write a similar expression which identifies primitive roots, let χ be a character modulo p of order p − 1. Then m X µ(m) X χ(g)j(p−1)/m m j=1

m|p−1

is 1 if g is a primitive root for p and is 0 otherwise. To see this, note that the inner sum is m if g(p−1)/m ≡ 1 (mod p) and is 0 otherwise. In addition, the property of being a primitive root may be expressed as gp−1 ≡ 1 (mod p) and g(p−1)/q 6≡ 1 (mod p) for all prime divisors q of p − 1, so that we may set up an inclusion-exclusion over divisors of p − 1. Multiplying these two characteristic functions, we have that m X X µ(m) X χ(g)j(p−1)/m µ(d) m d| gcd(g,p−1)

m|p−1

j=1

is 1 if g is a primitive root modulo p that is coprime to p − 1 and is 0 otherwise. Hence m X µ(m) X X X N (p) = µ(d) χ(g)j(p−1)/m . m d|p−1

1≤g≤p−1 m|p−1 d|g

j=1

Writing g = dh in the inner sum and rearranging, we have N (p) =

X

d,m|p−1

(p−1)/d m X µ(d)µ(m) X j(p−1)/m χ(h)j(p−1)/m . χ(d) m j=1

(2)

h=1

The contribution to N (p) in (2) when j = m is X µ(d)µ(m) p − 1 ϕ(p − 1)2 = . m d p−1 d,m|p−1

Thus, 2 N (p) − ϕ(p − 1) ≤ p−1

X |µ(d)µ(m)| m−1 X S0 (χj(p−1)/m ). m

d,m|p−1

j=1

(3)

Fixed points for discrete logarithms

5

Using the larger of the two bounds from Corollary 2 (we shall later refine the argument to take advantage of even characters), we have   2 N (p) − ϕ(p − 1) ≤ τ0 (p − 1)2 p1/2 1 (log p + 2 log log p) + 1 , (4) p−1 2π

where τ0 (n) denotes the number of squarefree divisors of n. Since ϕ(n) > cn/ log log n for all n > 2 and some positive constant c, and since τ0 (n) = Oǫ (nǫ ) for each fixed ǫ > 0, it follows that

ϕ(p − 1)2 + Oǫ (p1/2+ǫ ) (5) p−1 for each fixed ǫ > 0. With ǫ < 1/2, (5) is thus a true asymptotic formula for N (p), showing that it is positive for all sufficiently large primes p. To make “sufficiently large” explicit, note that Y 4 Y 4 τ0 (n)2 = ≤ < 1404. n1/3 pa/3 p1/3 a 3 N (p) =

p kn

p for p > P11 . 2 log log p Thus, using (6), we have for p > P11 (≈ 2 × 1011 ) that   p−1 1 5/6 N (p) > − 1404p (log p + 2 log log p) + 1 . 4(log log p)2 2π

A simple calculation shows that this last expression is positive for p > 1038 . That is, we have proved that N (p) > 0 for all primes p > 1038 . 4. Dyads, tetrads, and the start of the descent Let Ad,m

(p−1)/d m X 1 X j(p−1)/m = χ(h)j(p−1)/m , χ(d) m j=1

h=1

so that from (2), we have N (p) =

X

µ(d)µ(m)Ad,m .

d,m|p−1

We note that Ad,m is not just a complicated expression, it counts something. Namely, it is the number of integers g in the interval [1, p − 1] such that d | g and g(p−1)/m ≡ 1 (mod p). The latter condition can be expressed in words

Mariana Levin and Carl Pomerance

6

as m divides the index of g. (The index of g is the index of the subgroup hgi in (Z/pZ)× .) If d, m are both odd, we organize the four terms Ald,km where l, k | 2 as a dyad: Bd,m = Ad,m − A2d,m − Ad,2m + A2d,2m , so that N (p) =

X

µ(d)µ(m)Bd,m .

d,m|p−1 dm odd

Again, Bd,m counts something, namely the number of integers g in [1, p − 1] such that gcd(g, p−1) is odd and divisible by d and g has odd index divisible by m. Separating out the j = km terms in Bd,m from the other terms, we have Bd,m =

p−1 + Dd,m , 4dm

where Dd,m =

X

l,k|2

km−1 (p−1)/ld 1 X X χ(ldh)j(p−1)/km . µ(l)µ(k) km j=1

h=1

Note that the terms in the double sum with l = k = 1 and h even exactly cancel the terms in the double sum with l = 2, k = 1, and the terms in the double sum with l = 1, k = 2 with h even exactly cancel the terms in the double sum with l = k = 2. Thus, Dd,m =

m−1 (p−1)/d 2m−1 (p−1)/d 1 X X 1 X X χ(dh)j(p−1)/m − χ(dh)j(p−1)/2m . m 2m j=1

j=1

h=1 h odd

h=1 h odd

There is further cancellation with the terms in the second double sum with j even: these can be combined with terms in the first double sum. We get Dd,m

(p−1)/d m−1 X 1 X j(p−1)/m χ(d) χ(h)j(p−1)/m = 2m j=1

h=1 h odd

(p−1)/d 2m−1 X 1 X j(p−1)/2m χ(d) χ(h)j(p−1)/2m . − 2m j=1 j odd

h=1 h odd

The characters χj(p−1)/m in the first sum are all even, since m is odd, while the characters in the second sum are either even or odd depending on whether p ≡ 1 (mod 4). Let    1 1 1 + (log p + 2 log log p) + 1.75 , PVA = PVA(p) = p1/2 2 π 2 2π

Fixed points for discrete logarithms

7

the average of the even and odd upper bounds in Corollary 2. We conclude that p − 1 = |Dd,m | ≤ PVA. Bd,m − 4dm

(7)

The cancellation involved with dyads allows us to get a numerical improvement on the bound in the previous section, but before pursuing this, we introduce a further reorganization. Assume that p − 1 has an odd prime factor, and let q denote the least of these. For d, m | p − 1 with dm coprime to 2q, we combine the four terms Bld,km where l, k | q into a tetrad: Cd,m = Bd,m − Bqd,m − Bd,qm + Bqd,qm . Note that Cd,m counts the number of integers g in [1, p − 1] such that gcd(g, p − 1) is divisible by d, and coprime to 2q and the index of g is divisible by m and coprime to 2q. We have N (p) =

X

µ(d)µ(m)Cd,m .

(8)

d,m|p−1 gcd(dm,2q)=1

Separating the contribution to Cd,m from the j = km term in each Bld,km we get Cd,m =

(q − 1)2 p − 1 · + Td,m , 4q 2 dm

(9)

where

Td,m =

X

l,k|q

−

(p−1)/ld  1 km−1 X X j(p−1)/km χ(ld) χ(h)j(p−1)/km µ(l)µ(k) 2km j=1

h=1

(p−1)/ld 2km−1  X X 1 χ(ld)j(p−1)/km χ(h)j(p−1)/2km . 2km j=1 j odd

h=1 h odd

There is a small amount of consolidation that can be had here, where terms in the sums with k = q, l = 1 and j a multiple of q can be collected in the k = l = 1 sums, and similarly, the terms in the sums with k = q, l = q and

Mariana Levin and Carl Pomerance

8

j is a multiple of q can be collected in the k = 1, l = q sums. We thus have Td,m

(p−1)/d m−1 X q−1 X j(p−1)/m = χ(h)j(p−1)/m χ(d) 2qm j=1

1 − 2qm

−

h=1

2qm−1 X

(p−1)/d j(p−1)/m

χ(d)

j=1 gcd(j,2q)=1

X

χ(h)j(p−1)/2qm

h=1 h odd

(p−1)/qd m−1 X q−1 X χ(qd)j(p−1)/m χ(h)j(p−1)/m 2qm j=1

1 + 2qm

2qm−1 X

h=1

(p−1)/qd j(p−1)/qm

χ(qd)

j=1 gcd(j,2q)=1

X

χ(h)j(p−1)/2qm .

h=1 h odd

We conclude that 2 p − 1 (q − 1) Cd,m − = |Td,m | ≤ 4(q − 1) PVA. · 2 4q dm q

(10)

We now show how these ideas can be used to make progress over the previous section. From now on we proceed by eliminating choices for ω(p−1). Since P26 > 1038 , if p is a counterexample, then ω(p − 1) ≤ 25. Suppose ω(p − 1) = 25. It follows that ϕ(p − 1)/(p − 1) ≥ ϕ(P25 )/P25 ≥ 0.1203. Thus, from (8), (10), and p > P25 , N (p) ≥ (0.1203)2 p − 423 · 4 · PVA(p) ≥ (0.1203)2 P25 − 423 · 4 · PVA(P25 ) > 3.3366 · 1034 − 5.5275 · 1033 > 0. The power 423 here is the square of the number of squarefree divisors of p−1 that are coprime to 2q. We conclude that N (p) > 0 for ω(p − 1) = 25. To proceed further, we will need to reduce the error term and to do this we introduce a sieve. 5. A sieve lower bound and the grand descent Starting from (8), we have X N (p) =

d|p−1 gcd(d,2q)=1

µ(d)

X

µ(m)Cd,m .

m|p−1 gcd(m,2q)=1

Call the inner sum Id (p). We have that Id (p) is the number of primitive roots g for p in the interval [1, p − 1] such that gcd(g, p − 1) is divisible by d and coprime to 2q (where we have been denoting by q the least odd prime

Fixed points for discrete logarithms

9

factor of p − 1). By the Bonferroni inequalities, we have for each positive integer j that X N (p) ≥ µ(d)Id (p). d|p−1 gcd(d,2q)=1 ω(d)≤2j−1

A further application of the Bonferroni inequalities gives us that for positive integers k, l we have X X µ(m)Cd,m (p) ≤ Id (p) ≤ µ(m)Cd,m (p). m|p−1 gcd(m,2q)=1 ω(m)≤2k−1

m|p−1 gcd(m,2q)=1 ω(m)≤2l

Putting these inequalities together, we have the j, k, l lower bound sieve: X X µ(m)Cd,m (p) N (p) ≥ m|p−1 d|p−1 gcd(d,2q)=1 gcd(m,2q)=1 ω(d)≤2j−1 ω(m)≤2k−1 ω(d) even

−

X

X

ω(m)Cd,m (p).

(11)

d|p−1 m|p−1 gcd(d,2q)=1 gcd(m,2q)=1 ω(d)≤2j−1 ω(m)≤2l ω(d) odd

The advantage of (11) is that there are fewer terms than in the complete inclusion-exclusion of (8), while the disadvantage is that the contribution of the main terms in (9) is smaller than in the full inclusion-exclusion. We shall see that for judicious choices of j, k, l, the advantage outweighs the disadvantage for a big range. For positive integers i ≤ n, let σi (x1 , . . . , xn ) denote the ith elementary symmetric function in the variables x1 , . . . , xn . Suppose the distinct prime factors of p − 1 bigger than q are q1 , . . . , qn . If 2j − 1, 2k − 1, 2l ≤ n, it follows from (11) and (9) that N (p) ≥

(q − 1)2 4(q − 1) (p − 1)Sj,k,l (p) − PVA(p)Bj,k,l (p), 4q 2 q

(12)

where Sj,k,l (p) =

X

σi1 (1/q1 , . . . , 1/qn )

0≤i1 ≤2j−1 i1 even

−

X

0≤i1 ≤2j−1 i1 odd

X

σi2 (1/q1 , . . . , 1/qn )

0≤i2 ≤2k−1

σi1 (1/q1 , . . . , 1/qn )

X

0≤i2 ≤2l

σi2 (1/q1 , . . . , 1/qn )

Mariana Levin and Carl Pomerance

10

(we take σ0 to be identically 1) and 2j−1 2l   X n X X  n  2j−1 X  n  2k−1 n + . Bj,k,l (n) = i2 i2 i1 i1 i=0 i1 even

i2 =0

i1 =0 i1 odd

i2 =0

In applying (12), if we do not know the value of q, only that q ≥ q0 ≥ 3, we use q = q0 in the positive term and ignore the factor (q − 1)/q in the negative term. We now apply (12) with j = k = l = 2. Suppressing the variables 1/q1 , . . . , 1/qn , we have in this case that S2,2,2 = ((1 + σ2 )(1 − σ1 + σ2 − σ3 ) − (σ1 + σ3 )(1 − σ1 + σ2 − σ3 + σ4 )) and 

       n n n B2,2,2 = 1 + 1+n+ + 2 2 3           n n n n + n+ 1+n+ + + . 3 2 3 4 A calculation shows that the function S2,2,2 is increasing in the variables q1 , . . . , qn , so the expression is minimized by taking these primes as small as possible. Suppose ω(p − 1) = 24. We have then n = 22, B2,2,2 = 14,644,466, and S2,2,2 > 0.1003. Thus, using (12) with q = 3 in the positive term and ignored in the negative term, 0.1003 (p − 1) − (14,644,466) · 4 · PVA(p). N (p) > 9 Replacing p with P24 , we have N (p) > 0. Hence we may assume that ω(p − 1) ≤ 23. We proceed in exactly the same way to eliminate each choice of ω(p − 1) down to 16. Here are the key data for 24 ≥ ω(p − 1) ≥ 16: ω(p − 1) = n + 2 24 23 22 21 20 19 18 17 16

B2,2,2 (n) 14,644,466 10,525,579 7,445,401 5,175,088 3,528,184 2,354,416 1,534,129 973,326 599,278

S2,2,2 .1003 .1054 .1109 .1166 .1227 .1290 .1356 .1430 .1506

PVA(Pn+2 ) 1.8998 · 1018 1.9573 · 1017 1.9968 · 1016 2.1283 · 1015 2.3548 · 1014 2.6338 · 1013 3.0234 · 1012 3.6270 · 1011 4.4059 · 1010

The 2, 2, 2 lower bound sieve can be carried a little further, but we shall switch to the 1, 2, 1 lower bound sieve, since at the current level, it is superior. Here we have S1,2,1 = 1 − σ1 + σ2 − σ3 − σ1 (1 − σ1 + σ2 )

Fixed points for discrete logarithms

11

and        n n n B1,2,1 = 1 + n + + +n 1+n+ . 2 3 2 Again the function S1,2,1 is increasing in the variables q1 , . . . , qn . At 15 primes, we have p > P15 and 0.0180 (p − 1) − 1574 · 4 · PVA(p) > 0. 9 This similarly works for ω(p − 1) down to 12. Here are the highlights for the range 15 to 12: N (p) >

ω(p − 1) = n + 2 15 14 13 12

B1,2,1 (n) 1574 1247 969 736

S1,2,1 .0180 .0349 .0531 .0720

PVA(Pn+2 ) 5.6235 · 109 7.5806 · 108 1.0691 · 108 1.5303 · 107

We thus have only to consider the cases ω(p − 1) ≤ 11, and here we begin to make better use of “q” in our formula, plus a number of other tricks. 6. The case ω(p − 1) = 11 The techniques of the previous section allow us to get a numerical upper bound for possible counterexamples for each fixed value of ω(p − 1). Till now, this upper bound has been below the very first prime p with such a value for ω(p − 1), so we could conclude that there are no counterexamples with exactly this number of primes dividing p − 1. In the case of 11 primes and lower we shall find that the counterexample upper bound is too large to immediately guarantee our result. So, we shall have to combine the sieving technique with more ad hoc methods. With 11 primes we are able to complete the case with essentially a hand calculation. Assuming ω(p − 1) = 11, we have B1,2,1 = 544,

S1,2,1 > 0.09347,

using the notation from the last section. At the bound 1.3 · 1012 , 0.09347 (1.3 · 1012 ) > 1.350 · 1010 9 and 4 · 544 · PVA(1.3 · 1012 ) < 1.334 · 1010 . It follows then from (12) that N (p) > 0 for ω(p − 1) = 11 and p > 1.3 · 1012 . However a lower bound for p with ω(p − 1) = 11 is P11 ≈ 2 · 1011 and there are many primes between this lower bound and 1.3 · 1012 . We can make some headway as follows. First notice that if 3 ∤ p − 1, then p>

37 P11 > 2.4 · 1012 > 1.3 · 1012 , 3

12

Mariana Levin and Carl Pomerance

using ω(p − 1) = 11. Thus, we may assume that 3 | p − 1. And this allows us to use q = 3 in the negative term in (12). At 5.4 · 1011 , we have 0.09347 (5.4 · 1011 ) > 5.608 · 109 9 and

2 · 4 · 544 · PVA(5.4 · 1011 ) < 5.599 · 109 . 3 We conclude that any counterexamples with ω(p−1) = 11 are in the interval (P11 , 5.4 · 1011 ). For such a prime p, if 5 ∤ p − 1, then 37 P11 > 1.48 · 1012 > 5.4 · 1011 , 5 so that we must have 5 | p − 1. Similarly we must have each of 7, 11, 13 dividing p − 1. Assume 17 ∤ p−1. The last idea no longer takes us above 5.4·1011 , but we can redo the sieve argument with the prime 17 missing and with the extra prime 37. This gives us a new lower bound of p>

S1,2,1 > 0.1162, which in turn shows that we may assume that p < 3.5 · 1011 . But then, such a prime p must satisfy 37 P11 > 4.3 · 1011 , 17 so we are done with this possibility. That is, we may assume that 17 | p − 1. We may use the same idea for 19. If 19 ∤ p − 1, then redoing the sieve, we have S1,2,1 > 0.1113 p>

and we find that any counterexample must have p < 3.9 · 1011 . But 37 P11 > 3.9 · 1011 , 19 so we conclude that 19 | p − 1. We now show that we may assume that p−1 is squarefree. Since our upper bound of 5.3 · 1011 is smaller than 3 times the lower bound of P11 , we need only worry about 4 | p − 1. But if p ≡ 1 (mod 4), all of the characters we are dealing with in the argument are even, and so we may replace PVA(p), the average of the even and odd estimates in Corollary 2, with   1 1/2 (log p + 2 log log p) + .75 . PVE(p) := p π2 Evaluating at 4 · 1011 , we see that any counterexample must be below this bound, but also it must be > 2P11 , which exceeds this bound. Thus, p − 1 may be assumed squarefree.

Fixed points for discrete logarithms

13

We have that any counterexample p must be of the form p = 1 + jP8 , where gcd(j, P8 ) = 1, j < (5.4 · 1011 )/P8 , and ω(j) = 3. The possibilities for j are 23·29 r, 23·31 r, 23·37 r, 23·41 r, 29·31 r, 29·37 r,

where where where where where where

31 ≤ r 37 ≤ r 41 ≤ r 43 ≤ r 37 ≤ r 41 ≤ r

≤ 73, ≤ 71, ≤ 59, ≤ 53, ≤ 53, ≤ 47,

plus the cases 23·43·47, 29·41·43, 23·43·47, 31·37·41, 31·37·43, 31·41·43. Of these 39 possibilities, 12 of them correspond to primes, namely 23·29 r, r = 31, 37, 43, 67, 71, 23·31 r, r = 43, 61, 23·37·41, 23·41·53, 23·43·47, 29·31·37, 29·31·41. We found in each case a small prime which is a primitive root not dividing p − 1, thus showing that N (p) > 0. In particular, 79 works for 23·29·31, 23·29·37, 23·29·71, 23·43·47, 43 works for 23·29·43, 23·37·41, 127 works for 23·31·61, 23·41·53, 83 works for 23·29·43, 73 works for 23·31·43, 53 works for 29·31·37, and 59 works for 29·31·41. This completes the argument for ω(p − 1) = 11. 7. The remaining cases The remaining cases involve an interplay of the sieving ideas we have used, ad hoc arguments similar to what we did with ω(p − 1) = 11, plus some exhaustive computer runs. Using the functions Prime[ ] and PrimitiveRoot[ ] in Mathematica, we were able to directly exhibit a primitive root r for each prime 3 < p < 6.6·109 with r in [1, p − 1] and coprime to p − 1. Note that Prime[n] returns the nth prime, while PrimitiveRoot[p] for a prime p returns the least positive primitive root for p.

Mariana Levin and Carl Pomerance

14

Here is a simplified version of the program that we used: Do[ p = Prime[n]; r = PrimitiveRoot[p]; s = Mod[r2 , p]; j = 1; While[GCD[j ∗ r, p − 1] > 1, j = j + 2; r = Mod[s ∗ r, p]]; If[Mod[n, 10000] == 0, Print[n, , p]], {n, 3, 306 137 611} ]; Note that the primitive root r gets sequentially replaced with r 1 , r 3 , r 5 , . . . until both the exponent and the residue of this power modulo p are relatively prime to p − 1. This guarantees then a primitive root in [1, p − 1] coprime to p. If none exists, this algorithm would not terminate, but it did, thus verifying the Brizolis property for the given range. We were able to speed things up slightly by putting in steps before the While loop such as: If[(r == 2) && (Mod[p, 12] 6= 7), Continue[ ]]; since it is easy to see that if 2 is a primitive root for p, then p − 2 is too when p ≡ 1 (mod 4) and p − 4 is too when p ≡ 3 (mod 4). The first of these is always coprime to p − 1 while the second is if p 6≡ 1 (mod 3). Suppose now that ω(p − 1) = 10. We have B1,2,1 = 389. Suppose that neither 3 nor 5 divide p − 1. We find S1,2,1 > 0.3763, and using (12) with q ≥ 7, we get to assume that p < 1.2 · 1010 . But 31 37 p> P10 > 4.9 · 1011 . 3 5 Hence it must be that gcd(15, p − 1) > 1. If 5 ∤ p − 1, then S1,2,1 > 0.2597 and using (12) with q = 3, we find that we may assume that p < 3.1 · 1010 . But 31 p > P10 > 4 · 1010 , 5 so it must be that 5 | p − 1. If 3 ∤ p − 1, then S1,2,1 > 0.2597 (yes, the same as the case 5 ∤ p − 1), and using (12) with q = 5 we find too that we may assume p < 3.1 · 1010 , and again we reach a contradiction. So, we have learned that we may assume that 30 | p − 1. We find an upper bound for p using (12) with q = 3 and S1,2,1 > 0.1188: it is 1.6 · 1011 . Suppose 7 ∤ p − 1. Then S1,2,1 > 0.1715 and we find that we may assume that p < 7.4 · 1010 . Now if both 7 and 13 do not divide p − 1, then 31 37 p> P10 > 8.1 · 1010 . 7 13

Fixed points for discrete logarithms

15

We conclude that in our entire range of [6.6 · 109 , 1.6 · 1011 ], we have either 7 | p − 1 or 13 | p − 1, and the former definitely occurs below 7.4 · 1010 . Playing the game again with PVE as in the case with ω(p − 1) = 11, we find that we may assume that p ≡ 3 (mod 4) above 9.72 · 1010 . Further tricks might be tried, but at this point we ran a simple Mathematica routine that searched over the progression 1 (mod 210) for primes p in the range [6.6·109 , 9.32·1010 ], over primes p ≡ 1 (mod 390) with p 6≡ 1 (mod 7) in the range [6.6 · 109 , 7.4 · 1010 ], and over primes p ≡ 211 (mod 420) in the range [9.32 · 1010 , 1.6 · 1011 ]. No counterexamples were found, which concludes the case ω(p − 1) = 10. (Note that the Mathematica routines here also used the function PrimeQ[ ], which returns True if the argument is prime and False otherwise. This function uses a probabilistic test, so it is remotely conceivable that some non-primes were also tested.) To attack the case ω(p − 1) = 9, we first note that B1,2,1 = 296. If gcd(15, p − 1) = 1, then S1,2,1 > 0.4058 and a computation using (12) (using q ≥ 7 in the positive term) shows that there are no counterexamples above 6.6 · 109 . Thus we may assume that either 3 | p − 1 or 5 | p − 1. If 3 ∤ p − 1, then we get S1,2,1 > 0.2900, and a calculation with (12) with q = 5 shows that we may assume that p < 9.3·109 . If 3 | p − 1, then S1,2,1 > 0.1462 and a calculation with (12) with q = 3 show that we may assume that p < 5.8·1010 . If 3 | p − 1 and 5 ∤ p − 1, then S1,2,1 > 0.2900 and our usual calculation shows that we may assume that p < 1.35 · 1010 . Suppose 3 | p − 1 and both 5 ∤ p − 1, 7 ∤ p − 1. We have S1,2,1 > 0.4058 and our usual calculation at 6.6 · 109 shows that there are no counterexamples above this point. Here is a synopsis of where we are for ω(p − 1) = 9. For p in the interval [6.6 · 109 , 9.3 · 109 ] we may assume either 30, 42, or 70 divides p − 1 and for p in the interval [9.3 · 109 , 5.8 · 1010 ] we may assume that either 30 or 42 divides p − 1. Note that in connection with the case ω(p − 1) = 10, we have already handled all primes p in these intervals with 210 | p − 1. We ran some Mathematica routines over the remaining cases and found no counterexamples. This concludes the case ω(p − 1) = 9. We will find that with smaller values of ω(p − 1), we have already covered the open cases, so our argument will be complete. When ω(p − 1) = 8, we have B1,2,1 = 196. If gcd(15, p − 1) = 1, then S1,2,1 > 0.4426 and our usual argument with (12) shows that we may assume p < 6.6·1010 , which has already been covered. If 3 | p−1, then S1,2,1 > 0.1814 and we may assume p < 1.53 · 1010 . If 3 ∤ p − 1, then S1,2,1 > 0.32368 and the only cases have p < 6.6 · 109 , which have already been covered. Thus, we may assume 30 | p − 1 and p < 1.53 · 1010 . However, these values of p have already been checked in the previous case. This concludes the case ω(p − 1) = 8. For the case ω(p − 1) = 7, we have B1,2,1 = 122 and S1,2,1 > 0.2256. We take the formula in (12) first with q ≥ 5 in the positive term, and next with

16

Mariana Levin and Carl Pomerance

q = 3 in both terms, finding that N (p) > 0 for p > 6.6 · 109 . This concludes the case ω(p − 1) = 7. For the cases 6 ≥ ω(p − 1) ≥ 2, we have B1,2,1 ≤ 70 and S1,2,1 > 0.2777. Using (12) with q = 3 in the positive term shows that N (p) > 0 for p > 6.6 · 109 . This leaves the case ω(p − 1) = 1, that is, p is a Fermat prime. It is known (Pepin’s test, see [4, Theorem 4.1.2]) that 3 is a primitive root for any such p > 3, so that N (p) > 0. This concludes our proof. Acknowledgment. We thank Richard Crandall for some technical assistance with one of the Mathematica programs. References [1] G. Bachman and L. Rachakonda, On a problem of Dobrowolski and Williams and the P´ olya–Vinogradov inequality, Ramanujan J. 5 (2001), 65–71. [2] M. E. Campbell, On fixed points for discrete logarithms, Master’s Thesis, U. C. Berkeley Department of Mathematics, 2003. [3] C. Cobeli and A. Zaharescu, An exponential congruence with solutions in primitive roots, Rev. Romaine Math. Pures Appl. 44 (1999), 15–22. [4] R. Crandall and C. Pomerance, Prime numbers: a computational perspective, Second ed., Springer, New York, 2005. [5] R. K. Guy, Unsolved problems in number theory, Springer, New York–Berlin, 1984. [6] A. Hildebrand, On the constant in the P´ olya–Vinogradov inequality, Canad. Math. Bull. 31 (1988), 347–352. [7] J. Holden and P. Moree, Some heuristics and results for small cycles of the discrete logarithm, Math. Comp. 75 (2006), 419–449. [8] E. Landau, Absch¨ atzungen von Charaktersummen, Einheiten und Klassenzahlen, Nachrichten K¨ onigl. Ges. Wiss. G¨ ottingen (1918), 79–97. [9] C. Pomerance, Remarks on the P´ olya–Vinogradov inequality, submitted for publication, 2010. [10] W.-P. Zhang, On a problem of Brizolis. (Chinese. English, Chinese summary.) Pure Appl. Math. 11 (1995) suppl., 1–3.

Mariana Levin Graduate Group in Science and Mathematics Education University of California Berkeley, CA 94720, USA E-mail: [email protected] Carl Pomerance Department of Mathematics Dartmouth College Hanover, NH 03755, USA E-mail: [email protected]