# Homework 3

## Problem 1: Order of an Element

In this problem, given a unit $a \in (\Z/m\Z)^\times$, for some $m >1$ not necessarily prime, we will compute the order $|a|$ of $a$ in $\Z /m \Z$.  **Of course, you cannot use Sage's** `.multiplicative_order()`!  (But only in this problem.  You can and should use it in the other problems!)

A few observations are necessary.

First, your input will be already in $\Z / m\Z$ and not an integer.  You *will* need to check it is a unit, but that is already in the code below (you can simply use the method `.is_unit()`.).  In that case the function will return $-1$.

You will also need to find the $m$, as we are only given an element *already* in $\Z/m \Z$.  This can be done with the function `parent` (that given $a$ gives back its "parent" structure, namely $\Z/m\Z$ in this case) and the method `.characteristic()` (which given $\Z / m\Z$ returns the $m$), and it is also done below.

Here is an example of the use of `parent` and `.characteristic`:

In [None]:
a = Mod(7, 18)  # 7 in Z/8Z
a

In [None]:
parent(a)

In [None]:
parent(a).characteristic()

**Hint:** Remember that the order of a unit in $(\Z/m\Z)^{\times}$ is a *divisor* of $\phi(m)$.  This can simplify the computation *if computing $\phi(m)$ is easy*.  If not, "brute force" (i.e., checking powers of $a$ until we get $1$) is probably better.  You can implement either method here.

**Important:** If you use the brute force method, you **have** to compute the powers efficiently, as described in the section [Computing Successive Powers](https://luisfinotti.org/pcimc/05-Powers.html#successive-powers) in the [book](https://luisfinotti.org/pcimc/).  *Points will be taken if you do not follow it!*

In [None]:
def my_order(a):
    """
    Given a unit a of Zmod(m), returns the multiplicative order of a.

    INPUT:
    a: a unit of Zmod(m).

    OUTPUT:
    The order of a as a unit.
    """
    if not a.is_unit():
        return -1
    ...

Let's test it:

In [None]:
number_of_tests = 30
minm = 100
maxm = 200


# to compare with Sage's
def check_order(a):
    if not a.is_unit():
        return -1
    return a.multiplicative_order()


for _ in range(number_of_tests):
    m = randint(minm, maxm)
    R = Zmod(m)

    stop = True
    for a in R:
        result = my_order(a)
        expected = check_order(a)

        if result != expected:
            print(
                f"Fails for {a = } and {m = }.  It give {result}, but it should be {expected}."
            )
            break  # break out of the inner loop
    else:
        stop = False  # did not break, so keep testing
    if stop:
        break  # break out of the outer/main loop
else:
    print("It works!")

## Problem 2: Find All Primitive Roots

Now, given a $p$ prime, find *all* primitive roots, i.e., elements of order $p-1$.  The output should be a list in *increasing order*.  (You can use the function `sorted` to return a sorted version of a list.)

**Important:** Note that the entries should be in $\Z/p\Z$, not in $\Z$.

Use Sage's method `.multiplicative_order()` instead of your own `my_order` function.

In [None]:
def find_prim_roots(p):
    """
    Given a prime number p, gives the list of primitive roots of Zmod(p)
    in increasing order.

    INPUT:
    p: a prime.

    OUTPUT:
    A sorted list of integers modulo p with all primitive roots of Zmod(p).
    """
    ...

Testing:

In [None]:
number_of_tests = 30
minp = 100
maxp = 2000

for _ in range(number_of_tests):
    p = random_prime(maxp, lbound=minp)
    result = find_prim_roots(p)

    stop = False

    # test if sorted
    if result != sorted(result):
        print(f"Result is not sorted: {result}.")
        stop = True
        break

    # test if elements in Zmod(p)
    for x in result:
        if parent(x) != Zmod(p):
            print("Entries of the output not in Zmod(p)!")
            stop = True
            break

    if len(result) != euler_phi(p - 1):  # missing any?
        print(f"Fails for {p =  }.  The result has the wrong number of elements: {result}.")
        stop = True
        break

    if stop:
        break  # break out main loop

    stop = True
    for x in result:
        x_order = x.multiplicative_order()
        if x_order != p - 1:  # false positives?
            print(
                f"Fails for {p = }.  Element {x} is has order {x_order}, not {p - 1}."
            )
            break  # break out of the inner loop
    else:  # did not break
        stop = False
    if stop:
        break  # break out of the outer/main loop
else:
    print("It works!")

## Problem 3: Proportion of Elements of Order $q$

In this problem we verify computationally the a [proposition from the book](https://luisfinotti.org/pcimc/06-DH_and_ElGamal.html#find_g), restated below:

**Proposition:** Given primes $p$ and $q$, with $q$ dividing $p-1$, and a random element $a \in \mathbb{F}_p^{\times}$, then the probability that $a^{\frac{p-1}{q}}$ has order $q$ is $(q-1)/q$.

So, given $p$ and $q$ primes with $q \mid (p-1)$, and remembering that if $S$ is a set, then $|S|$ is the *number of elements* of $S$, compute the proportion (a rational number)
$$
\frac{|\{ a \in \mathbb{F}_p^{\times} \; : \; a^{(p-1)/q} \neq 1 \}|}{|\mathbb{F}_p^{\times}|}.
$$
(This proportion is the probability above!)

**Notes:**
  - You do *not* need to check that the $p$ and $q$ given are prime or that $q \mid p-1$.
  - You can work, in your computation, with either $\mathbb{F}_p$ (`Zmod(p)`, or `FiniteField(p)`, or `GF(p)`) itself or with $\mathbb{F}_p^{\times}$ (e.g., `Zmod(p).unit_group()`).
  - We know that the answer should be $(q-1) / q$, but, of course, you have to compute this number without assuming that!

(This problem is really simple!)

In [None]:
def ord_q_prop(p, q):
    """
    Given p and q primes, with q dividing p, gives the proportion of elements
    whose (p-1)/q-th power is not 1, inside the unit group.

    INPUTS:
    p: a prime.
    q: a prime dividing (p - 1).

    OUTPUT:
    The proportion of elments that raised to the power (p - 1)/q is equal to
    one in the units of Zmod(p).
    """
    ...

Let's run a few examples:

In [None]:
number_of_tests = 20
minq = 2
maxq = 1000

prev_qs = [] # avoid repeated q's

for _ in range(number_of_tests):
    # find p and q
    found_q = False
    while not found_q: # find q (not in found_q)
        q = random_prime(maxq, lbound=minq)
        found_q = (q not in prev_qs)
    prev_qs.append(q)
    p = q + 1
    while not is_prime(p): # find p
        p += q

    result = ord_q_prop(p, q)
    expected = (q - 1) / q
    if result != expected:
        print(f"Failed for {p = }, {q = }.  The result was {result} when it should have been {expected}.")
        break
else:
    print("It works!")

## Problem 4: Find Random Element of Order $q$

This is related to the previous problem and the section ["Finding $q$ and $g$"](https://luisfinotti.org/pcimc/06-DH_and_ElGamal.html#finding-q-and-g) from the book.

Given $p$ and $q$ primes with $q \mid (p-1)$, we will need to find a **random** element of order $q$ in $\Z/p\Z$ using the following method:

1) Take a *random* element $a$ of $\mathbb{F}_p^{\times}$.
2) If $a^{(p-1)/q}$ is $1$ (in $\mathbb{F}_p$), then return $a$.  If not, go back to step 1.

You can use Sage's `randint` function.  Remember `randint(a, b)` gives a random integer between `a` and `b` (with `a` and `b` being possible outputs).  In Python, this function would have to be imported, but in Sage it is built in.

**Note:** Your output has to be in $\mathbb{F}_p$ (i.e., in `Zmod(p)` or `FiniteFiled(p)` or `GF(p)`).

In [None]:
def find_elem_ord_q(p, q):
    """
    Given primes p and q with q dividing (p-1), finds a random element of order
    q in unit group of Zmod(p).

    INPUTS:
    p: a prime.
    q: a prime dividing (p - 1).

    OUTPUT:
    A random element of Zmod(p) of order q.
    """
    ...

Let's test it:

In [None]:
number_of_primes = 20
number_of_tests = 20
minq = 2000
maxq = 10000

for _ in range(number_of_primes):
    # find p and q
    q = random_prime(maxq, lbound=minq)
    p = q + 1
    while not is_prime(p):
        p += q
    stop = True
    for _ in range(number_of_tests):
        a = find_elem_ord_q(p, q)
        result = a.multiplicative_order()
        if result != q:
            print(f"It gives that {a} modulo {p} has order {q}, but it actually has order {result}.")
            break
    else:
        stop = False
    if stop:
        break
else:
    print("It works!")

## Problem 5: Find Primitive Root (Special Case)

We have the following theoretical result:

**Proposition:** Let $p$ be a prime such that $q = (p-1)/2$ is also prime, and $g \in \mathbb{F}_p^{\times}$ such that $g \neq 1, -1$ and $g^q \neq 1$.  Then $g$ is a primitive root (i.e., $|g| = p - 1$).

Given $p$ a prime such that $q = (p-1)/2$ is also prime, write a function that tests if the proposition is true.  So, given such $p$ it must check if *all* $g$'s satisfying the conditions in the statement are primitive roots.

The output of your function should be `True` if it is true, or `False` if it finds a counter-example.

**Notes:**

1) Of course, the proposition *tells* you that the output should always be `True`.  This just verifies it.
2) In your function you do *not* need to check that $(p-1)/2$ is prime.

In [None]:
def check_prim_root(p):
    """
    Given p a prime such that q=(p-1)/2 is also prime, checks if every element
    in the unit group different from 1 and -1 and whose q-th power is not 1 is
    a primitive root.

    INPUT:
    p: a prime such that (p-1)/2 is also prime.

    OUTPUT:
    True if *every* element g in the unit group of Zmod(p) different from 1 and
    -1 and such that g^((p-1)/2) is not 1 is a primitive root, and False
    otherwise.
    """
    ...

Test it:

In [None]:
number_of_tests = 30
minq = 100
maxq = 1000

tried_qs = []  # avoid repeated q's

for _ in range(number_of_tests):
    # find p and q
    q = random_prime(maxq, lbound=minq)
    p = 2 * q + 1
    while not is_prime(p) and (q not in tried_qs):
        q = random_prime(maxq, lbound=minq)
        p = 2 * q + 1
    tried_qs.append(q)
    result = check_prim_root(p)
    if not result:
        print(f"Something went wrong for {p = }, as it returned False.")
        break
else:
    print("It works!")