0

algorithm to find the order of $a$ in $(\mathbb{Z}/n\mathbb{Z})^*$ where $n$ is not prime.

Now I know a naive algorithm where you just keep multiplying $a$ by itself until you find it equals $1 \mod n$. When $n$ is a prime, there is an easy algorithm as the order of $a$ must divide the size of $(\mathbb{Z}/n\mathbb{Z})^*$, thus we need only search for $\operatorname{ord}_{a}(n)$ in the set of factors of $n$ which is not so hard to find. Does this result somehow extend to non-prime $n$ if you know its prime factorization for instance? Thanks in advance for any help!

EDIT: I know that I do not even need to search for $\operatorname{ord}_a(n)$ if $\gcd (a,n) \neq 1$ in which case the order will be infinite.

Slugger
  • 5,556

2 Answers2

2

Finding the order of $a \in \mathbb{Z}/n\mathbb{Z}^\times$ is not so easy even when $n = p$ is prime. We know that the order of $a$ must divide $p-1$, but if $p$ is large this may be incredibly hard to factor. The primitive root theorem says that there exists an element of order $p-1$ in $\mathbb{Z}/p\mathbb{Z}$, but there are not really any great algorithms for computing a generator in practice aside from obvious things like not checking squares, cubes, etc. There are conjectures out there on bounding the smallest generator of this group, but they depend on difficult to prove assumptions.

If you want to do it for practice with small numbers, you can use the Chinese remainder theorem and Hensel's lemma to compute the order of $a$ in $\mathbb{Z}/n\mathbb{Z}^\times$ knowing it first in $\mathbb{Z}/p\mathbb{Z}$ for all $p \mid n$, since the property that $a$ is of order $m$ is equivalent to $a^m - 1 \equiv 0 \bmod n$ and $a^k - 1 \not\equiv 0 \bmod n$ for all $0 < k < m$.

Supersingularity
  • 1,035
  • I was afraid of this, thanks for your answer, unfortunately I will be checking for quite large $n$ going up to $2^{32}$ or so. Thanks again for your answer! – Slugger Sep 18 '14 at 22:21
1

If the prime factorizations of the Carmichael function $\lambda(n)\;$ or the Euler totient function $\varphi(n)\;$ are known, there are effective algorithms, see e.g. Algorithm 1.4.3 in H. Cohen's book A Course in Computational Algebraic Number Theory or Algorithm 4.79: Determining the order of a group element from Applied Cryptography by A.J. Menezes et al. (you can download a pdf of ch. 4 from http://cacr.uwaterloo.ca/hac/).

BTW: $2^{32}$ is not that large and the mentioned prime factorizations are easy to compute.

gammatester
  • 18,827