
4. Basics from Algebra: Groups, Rings, and Fields

In this chapter we develop basic algebraic notions and facts to the extent
needed for the applications in this book. Equally important are the examples
for such structures from number theory. At the center of attention are basic
facts from group theory, especially about cyclic groups, which are central in
the analysis of the deterministic primality test. We discuss (commutative)
rings (with 1), with the central example being Zm . Finally, we develop the
basic facts about finite fields, in particular we establish that in finite fields
the multiplicative group is cyclic.

4.1 Groups and Subgroups

If A is a set, a binary operation ◦ on A is a mapping ◦ : A × A → A.
In the context of groups, we use infix notation for binary operations, i.e., we
write a ◦ b for ◦(a, b). Examples of binary operations are the addition and the
multiplication operation on the set of positive integers or on the set Z.

Definition 4.1.1. A group is a set G together with a binary operation ◦ on
G with the following properties:
(i) (Associativity) (a ◦ b) ◦ c = a ◦ (b ◦ c), for all a, b, c ∈ G.
(ii) (Neutral element) There is an element e ∈ G that satisfies a ◦ e =
e ◦ a = a for each a ∈ G. (In particular, G is not empty.)
(iii) (Inverse element) For each a ∈ G there is some b ∈ G such that
a ◦ b = b ◦ a = e (for the neutral element e from (ii)).
In short, we write (G, ◦, e) for a group with these components.

In view of the associative law, we can put parentheses at any place we
want in expressions involving elements a1, . . . , ar of G and the operation ◦,
without changing the element denoted by such an expression. For example,
(a1 ◦ a2) ◦ (a3 ◦ (a4 ◦ a5)) = a1 ◦ ((a2 ◦ (a3 ◦ a4)) ◦ a5). In consequence, we will
usually omit parentheses altogether, and simply write a1 ◦ a2 ◦ a3 ◦ a4 ◦ a5 for
this element.
Groups are abundant in mathematics (and in computer science). Here are
a few examples.

M. Dietzfelbinger: Primality Testing in Polynomial Time, LNCS 3000, pp. 55-71, 2004.
 Springer-Verlag Berlin Heidelberg 2004
56 4. Basics from Algebra: Groups, Rings, and Fields

Example 4.1.2. (a) The set Z with integer addition as operation and 0 as
neutral element is a group.
(b) For each positive integer m, the set mZ = {m · z | z ∈ Z} of all multiples
of m, with integer addition as operation and 0 as neutral element, is a
group.
(c) For each integer n > 1 the set Zn = {0, 1, . . . , n − 1} with addition
modulo n as operation and 0 as neutral element is a group. (See Defini-
tion 3.3.1.) The set {0} with the operation 0 ◦ 0 = 0 also is a group (the
trivial group).
(d) For each integer n > 1 the set Z∗n = {a | 0 ≤ a < n, gcd(a, n) = 1}
with multiplication modulo n and 1 as neutral element is a group. (See
Definition 3.3.7 and Example 3.3.9.)
(e) Let S be an arbitrary set, and consider the set Bij(S) of all bijective
mappings f : S → S. The operation ◦ denotes the composition of mappings
(i.e., f ◦ g(x) = f(g(x)) for all x ∈ S, f, g ∈ Bij(S)). Then (Bij(S), ◦, idS) forms
a group, with idS : S ∋ x ↦ x ∈ S, the identity map, as neutral element.
(f) Let GLn (Q) denote the set of all invertible n×n-matrices over the field Q
of rational numbers. Let ◦n denote the multiplication of such matrices, and
let In denote the n × n identity matrix (1 on all positions of the diagonal,
0 everywhere else). Then (GLn (Q), ◦n , In ) is a group.
Notation: In the cases (a), (b), and (c), the group operation is written as
“+” or +m , and the neutral element as 0.
For small groups, we may describe the group operation by writing down
or storing a table with rows and columns indexed by the elements of G, the
element in row a and column b being a ◦ b. For example, the group table of
(Z∗9 , ·9 , 1) looks as follows.

·9 | 1 2 4 5 7 8
---+------------
 1 | 1 2 4 5 7 8
 2 | 2 4 8 1 5 7
 4 | 4 8 7 2 1 5
 5 | 5 1 2 7 8 4
 7 | 7 5 1 8 4 2
 8 | 8 7 5 4 2 1

Table 4.1. Operation table of a group. The group operation is ·9, multiplication
modulo 9 on the set {1, 2, 4, 5, 7, 8}

Obviously, for larger groups such an explicit representation is unfeasible;
and as soon as the number of elements of the group is a number with
20 decimal digits, not even one line of the group table can be stored in a
computer.
We remark that there are many extremely important groups in mathematics
and in application areas that are not commutative in the sense that
there are elements a, b ∈ G with a ◦ b ≠ b ◦ a. For example, in Example 4.1.2(e)
(set of bijections from S to S) there are such elements as soon as |S| ≥ 3;
in Example 4.1.2(f) (invertible matrices) there are such elements as soon as
n ≥ 2. In this book, though, we will be dealing exclusively with groups in
which such a thing does not occur.
Definition 4.1.3. We say a group (G, ◦, e) is commutative or abelian if
a ◦ b = b ◦ a for all a, b ∈ G.
The groups from Example 4.1.2(a), (b), and (c) are abelian. In abelian
groups, in expressions involving elements of G and the operation ◦, we may
change the order arbitrarily without affecting the result.
We list some facts that hold for all groups, commutative or not, and follow
easily from the definitions.
Proposition 4.1.4. (a) In a group, there is exactly one neutral element
(called e or 1 from here on).
(b) For each element a of a group G, there is exactly one b ∈ G such that
a ◦ b = b ◦ a = e. (This element is denoted a^{−1} from here on.)
(c) (Cancellation rule) If a ◦ c = b ◦ c, then a = b. Likewise, if c ◦ a = c ◦ b,
then a = b.
Proof. (a) If e and e′ are neutral elements, i.e., satisfy (ii) from Definition
4.1.1, then we get e = e ◦ e′ = e′ by using first that e′ is neutral and then
that e is neutral.
(b) If b and b′ are inverse to a, i.e. satisfy (iii) from Definition 4.1.1, then we
get
b = b ◦ e = b ◦ (a ◦ b′) = (b ◦ a) ◦ b′ = e ◦ b′ = b′,
by using in addition that e is neutral and associativity.
(c) Assume a ◦ c = b ◦ c. Then, by associativity,
a = a ◦ (c ◦ c^{−1}) = (a ◦ c) ◦ c^{−1} = (b ◦ c) ◦ c^{−1} = b ◦ (c ◦ c^{−1}) = b.
In the other case, we multiply with c^{−1} from the left.
Let a ∈ G, and consider a^{−1}. Since a ◦ a^{−1} = a^{−1} ◦ a = e, a is the inverse
of a^{−1}, in short (a^{−1})^{−1} = a.
Notation: In the situation of Example 4.1.2(a), (b), and (c), where we use
additive notation for the groups, the inverse of a is denoted by −a. Thus,
a + (−a) = (−a) + a = 0. For a + (−b) we write a − b.
Definition 4.1.5. Let (G, ◦, e) be a group. A set H ⊆ G is called a subgroup
of G if H together with the operation ◦ and the neutral element inherited from
(G, ◦, e) forms a group. More exactly, we require that
(i) e ∈ H,
(ii) a ◦ b ∈ H for all a, b ∈ H,
(iii) a^{−1} ∈ H for all a ∈ H.

In Example 4.1.2(b), mZ is a subgroup of (Z, +, 0), for each positive
integer m. In contrast, mZ is a subgroup of nZ if and only if n | m.
Quite often, we will have to prove that some subset H of a finite group
G is in fact a subgroup. For this, we provide an easy-to-apply criterion.

Lemma 4.1.6. If (G, ◦, e) is a finite group, and H is a subset of G with
(i) e ∈ H, and
(ii) H is closed under the group operation ◦,
then H is a subgroup of G.

Note that the condition that G is finite is necessary to draw this conclu-
sion, since, for example, N is a subset of Z that contains 0 and is closed under
addition, but N is not a subgroup of (Z, +, 0).

Proof. We must check condition (iii) of Definition 4.1.5. For an arbitrary
element a ∈ H, consider the mapping

fa : H → H, b ↦ a ◦ b,

which is well defined by (ii). Since G is a group, fa is one-to-one (indeed, if
fa(b1) = fa(b2), i.e., a ◦ b1 = a ◦ b2, then b1 = b2 by the cancellation rule).
Because H is finite, fa is a bijection of H onto itself. Using (i) it follows
that there is an element c ∈ H with a ◦ c = fa(c) = e; this means that
c = a^{−1} ∈ H, and condition (iii) in Definition 4.1.5 is established.
A subgroup H splits the elements of a group G into disjoint classes.

Definition 4.1.7. Let H be a subgroup of a group G. Define

a ∼H b, if b^{−1} ◦ a ∈ H.

Lemma 4.1.8. (a) ∼H is an equivalence relation.
(b) For each b ∈ G, there is a bijection between H and the equivalence class
[b]H of b.

Proof. (a) Reflexivity: a^{−1} ◦ a = e ∈ H. Symmetry: If b^{−1} ◦ a ∈ H, then
a^{−1} ◦ b = (b^{−1} ◦ a)^{−1} ∈ H. Transitivity: b^{−1} ◦ a ∈ H and c^{−1} ◦ b ∈ H implies
c^{−1} ◦ a = (c^{−1} ◦ b) ◦ (b^{−1} ◦ a) ∈ H.
(b) Let [b]H = {a ∈ G | a ∼H b} be the equivalence class of b. Consider the
mapping

gb : [b]H → G, a ↦ b^{−1} ◦ a.

By the very definition of [b]H and of ∼H we have that gb(a) ∈ H for all
a ∈ [b]H. We show that actually gb maps [b]H one-to-one onto H: Every c ∈ H
occurs in the image gb([b]H), since b ◦ c ∈ [b]H and gb(b ◦ c) = c. Further, gb
is one-to-one, since gb(a) = gb(a′) implies a = b ◦ gb(a) = b ◦ gb(a′) = a′.

Note that the bijection gb depends on b, but this is not important. We
mention two examples. — As noted above, for m ≥ 1 the group mZ is a
subgroup of Z. Two elements a and b are equivalent if (−b) + a ∈ mZ, i.e.,
if m is a divisor of a − b. This is the case if and only if a ≡ b (mod m).
The equivalence classes are just the classes of numbers that are congruent
modulo m. The bijection gb from [b] to mZ is given by a ↦ a − b. — As
a second example, consider the group Z24 with addition modulo 24. Then
the set {0, 6, 12, 18} forms a subgroup, since it is closed under the group
operation. The equivalence class of 11 is {5, 11, 17, 23}, and the bijection g11
is given by

5 ↦ 5 − 11 mod 24 = 18, 11 ↦ 0, 17 ↦ 6, 23 ↦ 12.

In the case of finite groups, the existence of a bijection between H and
[b]H has an important consequence that will be essential in the analysis of
the randomized primality tests.

Proposition 4.1.9. If H is a subgroup of the finite group G, then |H| divides
|G|.

Proof. Let C1, . . . , Cr be the distinct equivalence classes w.r.t. ∼H. They
partition G, hence |G| = |C1| + · · · + |Cr|. Clearly, H appears as one of the
equivalence classes (namely [e]H = H), so we may assume that C1 = H. By
Lemma 4.1.8(b) we have |C1| = · · · = |Cr|, and conclude |G| = r · |H|.
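The subgroup criterion (Lemma 4.1.6), the classes of ∼H with the bijection gb (Lemma 4.1.8), and the counting argument of Proposition 4.1.9, worked through on this section's own groups. This is an added example, not code from the book: the class FiniteGroup and all helper names are my own, and the groups are built from Example 4.1.2(c) and (d).

```python
from itertools import product
from math import gcd


class FiniteGroup:
    """A finite group (G, op, e) given by an explicit element list."""

    def __init__(self, elements, op, e):
        self.elements = list(elements)
        self.op = op
        self.e = e

    def inverse(self, a):
        # Proposition 4.1.4(b): the inverse is unique, so a plain search suffices.
        for b in self.elements:
            if self.op(a, b) == self.e and self.op(b, a) == self.e:
                return b
        raise ValueError(f"{a!r} has no inverse")

    def is_subgroup(self, H):
        """Lemma 4.1.6: for finite G, e in H plus closure under op suffices."""
        H = set(H)
        if self.e not in H:
            return False
        return all(self.op(a, b) in H for a, b in product(H, H))

    def coset(self, H, b):
        """The class [b]_H = {a in G : b^-1 op a in H} of Definition 4.1.7."""
        H = set(H)
        b_inv = self.inverse(b)
        return frozenset(a for a in self.elements if self.op(b_inv, a) in H)

    def cosets(self, H):
        """All distinct classes of ~_H; by Lemma 4.1.8(a) they partition G."""
        seen = []
        for b in self.elements:
            c = self.coset(H, b)
            if c not in seen:
                seen.append(c)
        return seen

    def coset_bijection(self, H, b):
        """The map g_b : [b]_H -> H, a -> b^-1 op a, from Lemma 4.1.8(b)."""
        b_inv = self.inverse(b)
        return {a: self.op(b_inv, a) for a in self.coset(H, b)}


def additive_group(n):
    """(Z_n, +_n, 0), Example 4.1.2(c)."""
    return FiniteGroup(range(n), lambda a, b: (a + b) % n, 0)


def unit_group(n):
    """(Z_n^*, ._n, 1), Example 4.1.2(d)."""
    return FiniteGroup([a for a in range(n) if gcd(a, n) == 1],
                       lambda a, b: (a * b) % n, 1)


def lagrange_holds(G, H):
    """Proposition 4.1.9 checked explicitly. Every b lies in its own class, so
    if the class sizes add up to exactly |G| the classes are pairwise disjoint;
    each class is in bijection with H, hence |G| = r * |H|."""
    H = set(H)
    classes = G.cosets(H)
    covered = sum(len(c) for c in classes)
    # g_b maps [b]_H onto H and has |H| distinct keys, so it is a bijection.
    bij_ok = all(set(G.coset_bijection(H, b).values()) == H
                 and len(G.coset_bijection(H, b)) == len(H)
                 for b in G.elements)
    return (covered == len(G.elements)
            and all(len(c) == len(H) for c in classes)
            and bij_ok
            and len(G.elements) == len(classes) * len(H))
```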

4.2 Cyclic Groups

The concept of a cyclic group is omnipresent in the remainder of the book,
because it is central in the analysis of the deterministic primality test.

4.2.1 Definitions, Examples, and Basic Facts

We start by considering powers of an element in arbitrary groups. Let (G, ◦, e)
be a group. As an abbreviation, we define for every a ∈ G:

a^i = a ◦ ··· ◦ a (i factors)  and  a^{−i} = a^{−1} ◦ ··· ◦ a^{−1} (i factors),

for i ≥ 0, or, more formally, by induction,

a^0 = e,
a^i = a ◦ a^{i−1}, for i ≥ 1,

and a^{−i} = (a^{−1})^i, for i ≥ 1. It is a matter of routine to establish the usual
laws of calculating with exponents.

Lemma 4.2.1. (a) (a^i)^{−1} = a^{−i}, for a ∈ G, i ∈ Z;
(b) a^{i+j} = a^i ◦ a^j, for a ∈ G, i, j ∈ Z;
(c) if a, b ∈ G satisfy a ◦ b = b ◦ a, then (a ◦ b)^i = a^i ◦ b^i, for i ∈ Z.
Proof. (a) If i = 0, there is nothing to show. We first turn to the case i > 0.
Consider c = a^i ◦ a^{−i} = a ◦ ··· ◦ a ◦ a^{−1} ◦ ··· ◦ a^{−1}, with a and a^{−1} each repeated
i times. We can combine a ◦ a^{−1} to obtain e and then omit the factor e to see
that c = a^i ◦ a^{−i} = a ◦ ··· ◦ a ◦ a^{−1} ◦ ··· ◦ a^{−1}, with a and a^{−1} each repeated
i − 1 times. Iterating this process we obtain c = e. This means that a^{−i} is the
(unique) inverse of a^i, as claimed. Finally, if i < 0, we apply the claim for the
positive exponent −i to get (a^{−i})^{−1} = a^{−(−i)} = a^i. By Proposition 4.1.4(b)
we conclude that a^{−i} is the unique inverse of a^i in this case as well.
(b) If i = 0 or j = 0, there is nothing to show. If i, j > 0 or i, j < 0,
the definition and the associative law are enough to prove the claim. Thus,
assume i > 0 and j < 0. Let k = −j. We must show that a^i ◦ a^{−k} = a^{i−k}.
If i = k, this was proved in (a). Now consider the case i > k. Then, using
associativity and (a), we get
a^i ◦ a^{−k} = (a^{i−k} ◦ a^k) ◦ a^{−k} = a^{i−k} ◦ (a^k ◦ a^{−k}) = a^{i−k} ◦ e = a^{i−k}.
Finally, if i < k, then
a^i ◦ a^{−k} = (a^i ◦ (a^{−1})^i) ◦ (a^{−1})^{k−i} = (a^{−1})^{k−i} = a^{−(k−i)} = a^{i−k}.
(c) If i = 0, there is nothing to show. If i > 0, then

(a ◦ b)^i = (a ◦ b) ◦ ··· ◦ (a ◦ b) (i factors).

By using associativity and the fact that we can interchange a and b, this can
be transformed into a ◦ ··· ◦ a ◦ b ◦ ··· ◦ b = a^i ◦ b^i. Now we turn to the case
of negative exponents. Note first that (b ◦ a) ◦ (a^{−1} ◦ b^{−1}) = e, which means
that (a ◦ b)^{−1} = (b ◦ a)^{−1} = a^{−1} ◦ b^{−1}. By symmetry, (b ◦ a)^{−1} = b^{−1} ◦ a^{−1},
which means that also a^{−1} ◦ b^{−1} = b^{−1} ◦ a^{−1}. Thus, for i = −k < 0, we may
apply our result for positive exponents to get
(a ◦ b)^i = ((a ◦ b)^{−1})^k = (a^{−1} ◦ b^{−1})^k = (a^{−1})^k ◦ (b^{−1})^k = a^i ◦ b^i,
as desired.
Note that (b) in particular says that a^i ◦ a^j = a^j ◦ a^i for all integers i
and j, so among arbitrary powers of a we have commutativity. Because they
are so natural, the rules listed in Lemma 4.2.1 will be used without further
comment in what follows.
Proposition 4.2.2. Let (G, ◦, e) be a group. For a ∈ G define
⟨a⟩ = {a^i | i ∈ Z} = {e, a, a^{−1}, a^2, (a^{−1})^2, a^3, (a^{−1})^3, . . . }.
Then ⟨a⟩ is a (commutative) subgroup of G and it contains a. In fact, it
is the smallest subgroup of G with this property. (It is called the subgroup
generated by a.)

Proof. Clearly, ⟨a⟩ contains a = a^1 and e = a^0. From the previous lemma it
follows that it is a subgroup (with a^i and a^j it contains a^i ◦ a^j = a^{i+j}; and
with a^i it contains the inverse a^{−i}). If H is any subgroup of G that contains
a, then all elements a^i must be in H, hence we have ⟨a⟩ ⊆ H.

Definition 4.2.3. We say a group (G, ◦, e) is cyclic if there is an a ∈ G
such that G = ⟨a⟩. An element a ∈ G with this property is called a generating
element of G.

Example 4.2.4. (a) (Z, +, 0) is a cyclic group, with generating elements 1
and −1.
(b) For m ≥ 1, the additive group (Zm, +m, 0) is a cyclic group, where
+m denotes addition modulo m. Clearly, 1 is a generator, but there are
others: Let i ∈ Zm with gcd(i, m) = 1. (We know that there are ϕ(m) such
numbers.) Now 0, i, (i + i) mod m, (i + i + i) mod m, . . . , (i + ··· + i) mod m
(the last sum having m − 1 summands) are all different, and hence exhaust Zm.
Indeed, if ki mod m = ℓi mod m,
with 0 ≤ k < ℓ < m, then (ℓ − k)i ≡ 0 (mod m). Since gcd(i, m) = 1, we
must have that m divides ℓ − k and hence that ℓ = k. On the other hand, if
d = gcd(i, m) > 1, then we get (m/d)i = (m/d) · (qd) = mq ≡ 0 (mod m),
and hence i cannot generate Zm.
(c) A not so obvious cyclic group is Z∗9 = {1, 2, 4, 5, 7, 8} with multiplication
modulo 9 (see Table 4.1). By direct calculation we see that the powers
5i mod 9, 0 ≤ i < 6, in this order are 1, 5, 7, 8, 4, 2, and hence that 5 is a
generator. This observation makes it clear that the structure of this group
is quite simple, which also becomes apparent in the operation table if the
elements are arranged in a suitable order, as in Table 4.2.

·9 | 1 5 7 8 4 2
---+------------
 1 | 1 5 7 8 4 2
 5 | 5 7 8 4 2 1
 7 | 7 8 4 2 1 5
 8 | 8 4 2 1 5 7
 4 | 4 2 1 5 7 8
 2 | 2 1 5 7 8 4

Table 4.2. A group operation table of a cyclic group. The group operation is
multiplication modulo 9 on the set {1, 2, 4, 5, 7, 8}

Although we do not prove it here, it is a fact that all groups Z∗p , where p
is an odd prime number, are cyclic.
(d) The set Ur of “rth roots of unity” in the field C is the set of all solutions
of the equation x^r = 1 in C. It is well known that

Ur = {e^{i·s·2π/r} | 0 ≤ s < r},

where i is the imaginary unit. If C is depicted as the Euclidean plane,
the set Ur appears as an equidistant grid of r points on the unit circle,
containing 1. The elements are multiplied according to the rule
e^{i·s·2π/r} · e^{i·t·2π/r} = e^{i·(s+t)·2π/r} = e^{i·((s+t) mod r)·2π/r},
which corresponds to the addition of angles, ignoring multiples of 2π.

[Figure: the twelve points ζ^0 = 1 = ζ^12, ζ, ζ^2, . . . , ζ^11 spaced equally on the unit circle, with ζ^3 = i]

Fig. 4.1. The cyclic group of the rth roots of unity in C, for r = 12

With ζ = e^{i·2π/r} the natural generating element, we have Ur = {1, ζ, ζ^2, . . . ,
ζ^{r−1}}. We shall see later that all cyclic groups of size r are isomorphic; thus,
the depiction given in Fig. 4.1 applies for every finite cyclic group.
Clearly, for an arbitrary group G and every a ∈ G the subgroup ⟨a⟩ is
cyclic.
Definition 4.2.5. Let (G, ◦, e) be a group. The order ordG(a) of an element
a ∈ G is defined as

ordG(a) = |⟨a⟩|, if ⟨a⟩ is finite, and ordG(a) = ∞, otherwise.

4.2.2 Structure of Cyclic Groups

The following proposition shows that in fact there are only two different types
of cyclic groups: finite and infinite ones. The infinite ones have the same
structure as (Z, +, 0), the finite ones have the structure of some (Zm, +, 0).
In this text, only finite groups are relevant.

Lemma 4.2.6. Let (G, ◦, e) be a group, and let a ∈ G.
(a) If all elements a^i, i ∈ Z, are different, then ordG(a) = ∞ and the group
⟨a⟩ is isomorphic to Z via the mapping i ↦ a^i, i ∈ Z.
(b) If a^i = a^j for integers i < j, then ordG(a) is finite and ordG(a) ≤ j − i.

Proof. (a) Assume that all a^i, i ∈ Z, are different. Then the mapping i ↦ a^i
is a bijection between Z and ⟨a⟩. That it is also an isomorphism between
(Z, +, 0) and (⟨a⟩, ◦, e), i.e., that 0 is mapped to e and i + j to a^i ◦ a^j and −i
to (a^i)^{−1}, corresponds to the rules in Lemma 4.2.1(a) and (b).
(b) Assume that a^i = a^j for i < j. Then for k = j − i > 0 we have a^k =
a^{j+(−i)} = a^j ◦ (a^i)^{−1} = a^j ◦ (a^j)^{−1} = e. Now for ℓ ∈ Z arbitrary, we may write ℓ = qk + r
for some integer q and some r with 0 ≤ r < k, by Proposition 3.1.8. Hence

a^ℓ = a^{qk} ◦ a^r = (a^k)^q ◦ a^r = e^q ◦ a^r = e ◦ a^r = a^r.

This implies ⟨a⟩ = {a^0, a^1, . . . , a^{k−1}}, hence |⟨a⟩| ≤ k. (Warning: In the list
a^0, . . . , a^{k−1} there may be repetitions, so k need not be the order of a.)

Proposition 4.2.7. Let (G, ◦, e) be a group, and let a ∈ G with ordG(a) =
m, for some m ≥ 1. Then the following holds:
(a) ⟨a⟩ = {e, a, a^2, . . . , a^{m−1}}.
(b) a^i = a^j if and only if m | j − i. (This implies that a^i = a^{i mod m} for all
i ∈ Z.)
(c) The group ⟨a⟩ is isomorphic to Zm = {0, . . . , m−1} with addition modulo
m via the mapping i ↦ a^i, i ∈ Zm. In particular, (a^i)^{−1} = a^{m−i}.

Proof. (a) In Lemma 4.2.6(b) we have seen that if i < j and a^i = a^j then
ordG(a) ≤ j − i. This implies that the elements a^0, a^1, . . . , a^{m−1} must be
different, and hence must exhaust ⟨a⟩.
(b) By (a), we have a^m ∈ {a^0, . . . , a^{m−1}}. If a^m were equal to a^i for some i,
1 ≤ i < m, then by Lemma 4.2.6(b) we would have ordG(a) ≤ m − i < m,
which is impossible. Hence a^m = a^0 = e. Now if j − i = mq, then a^i = a^i ◦ e^q =
a^i ◦ (a^m)^q = a^i ◦ a^{mq} = a^{i+mq} = a^j. Conversely, assume that a^i = a^j. Then
a^{j−i} = e = a^0. Find q and r, 0 ≤ r < m, with j − i = mq + r. Then
e = a^{j−i} = a^{mq+r} = (a^m)^q ◦ a^r = e^q ◦ a^r = a^r. Since a^0 = e and a^0, . . . , a^{m−1}
are distinct, this implies that r = 0, which means that j − i = mq.
(c) By (a), the mapping h : {0, . . . , m − 1} ∋ i ↦ a^i ∈ ⟨a⟩ is a bijection.
Clearly, a^0 = e. Now assume 0 ≤ i, j < m. Then a^{(i+j) mod m} = a^{i+j} = a^i ◦ a^j,
by (b). Finally, the inverse of i in Zm is m − i, and a^i ◦ a^{m−i} = a^m = e, by
(b). Hence (a^i)^{−1} = a^{m−i}.
For later use, we note two simple, but important consequences of this
proposition.

Proposition 4.2.8. If (G, ◦, e) is a finite group and a ∈ G then a^{|G|} = e.

Proof. The group ⟨a⟩ is a subgroup of G. Proposition 4.1.9 implies that
ordG(a) = |⟨a⟩| is a divisor of |G|. By Proposition 4.2.7(b) this implies that
a^{|G|} = a^0 = e.

Theorem 4.2.9 (Euler). If m ≥ 2, then all elements a ∈ Z∗m satisfy

a^{ϕ(m)} mod m = 1.

Proof. Apply Proposition 4.2.8 to the finite group Z∗m, which has cardinality
ϕ(m).
If m = p is a prime number, we have Z∗p = {1, 2, . . . , p − 1}, a set with
p − 1 elements, and the previous theorem turns into the following.

Theorem 4.2.10 (Fermat’s Little Theorem). If p is a prime number
and 1 ≤ a < p, then a^{p−1} mod p = 1. (Consequently, a^p mod p = a for all a,
0 ≤ a < p.)

4.2.3 Subgroups of Cyclic Groups

Now that we have understood the structure of finite cyclic groups (they look like
some Zm), we gather more information by analyzing their subgroup structure
and the order of their elements. By Proposition 4.1.9 we know that if G is a
finite cyclic group and H is a subgroup of G, then |H| is a divisor of |G|. We
will see that indeed there is exactly one subgroup of size d for each divisor d
of m = |G|.

Lemma 4.2.11. Assume G = ⟨a⟩ is a cyclic group of size m and H is a
subgroup of G. Then
(a) H is cyclic;
(b) H = {a^0, a^z, a^{2z}, . . . , a^{(d−1)z}} for some divisor z of m and d = m/z;
(c) H = {b ∈ G | b^d = e}, for d = m/z from (b).

Proof. We know that G = {a^0, a^1, . . . , a^{m−1}} for m = |G|. If |H| = 1, then
H = {e} = ⟨e⟩, and all claims are true for z = m and d = 1. Thus assume
that d > 1, and let 1 ≤ z < m be minimal with a^z ∈ H.
(a) Now assume a^i ∈ H is arbitrary. Write i = qz + r for some r, 0 ≤ r < z.
Then a^r = a^i ◦ (a^z)^{−q} ∈ H. Since z was chosen minimal, this implies that
r = 0. In other words, i = qz, or a^i = (a^z)^q. Hence H = ⟨a^z⟩, and (a) is
proved.
(b) We only have to show that z is a divisor of m. (Then with d =
m/z we get a^{dz} = a^m = e, from which it is clear that H = ⟨a^z⟩ =
{a^0, a^z, a^{2z}, . . . , a^{(d−1)z}}, a set with d distinct elements.) Let r = gcd(z, m).
Then we may write r = jz + km for some integers j, k, by Proposition 3.1.11.
We get a^r = (a^z)^j ◦ (a^m)^k = (a^z)^j ∈ H. Since z was chosen minimal in
{1, 2, 3, . . .} with a^z ∈ H, this entails that r = z, or z divides m.
(c) Since m is a divisor of jzd for 0 ≤ j < d, we have (a^{jz})^d = e for all
elements a^{jz} ∈ H. Conversely, if b^d = e, for b = a^i, then a^{id} = e, and hence
m is a divisor of id = im/z. This implies that i/z is an integer, and hence
that a^i ∈ H, by (b).
We consider a converse of part (c) of Lemma 4.2.11.

Lemma 4.2.12. Assume G = ⟨a⟩ is a cyclic group of size m and s ≥ 0 is
arbitrary. Then

Hs = {b ∈ G | b^s = e}

is a subgroup of G with gcd(m, s) elements.
(In particular, every divisor s of m gives rise to the subgroup Hs = {b ∈ G |
b^s = e} of size s.)

Proof. It is a simple consequence of the subgroup criterion Lemma 4.1.6 that
Hs is indeed a subgroup of G. Which elements a^i, 0 ≤ i < m, are in this
subgroup? They must satisfy (a^i)^s = e, which means that m is a divisor of
is. This is the case if and only if i is a multiple of m/gcd(m, s). Of these,
there are m/(m/gcd(m, s)) = gcd(m, s) many in {0, 1, . . . , m − 1}.
As an example, consider the group (Z20 , +20 , 0), with generator 1. This
group has six subgroups Hd = {a ∈ Z20 | d · a ≡ 0 (mod 20)}, for d a
divisor of 20. One generator of Hd is 20/d. This yields the subgroups shown
in Table 4.3.

 d  20/d  Hd
 1   20   {0}
 2   10   {0, 10}
 4    5   {0, 5, 10, 15}
 5    4   {0, 4, 8, 12, 16}
10    2   {0, 2, 4, 6, 8, 10, 12, 14, 16, 18}
20    1   {0, 1, 2, 3, . . . , 19}

Table 4.3. Subgroups of (Z20, +20) and their orders

Lemma 4.2.13. Let G = ⟨a⟩ be a cyclic group of size m. Then we have:
(a) If b ∈ G, then ordG(b) is a divisor of m.
(b) The order of a^i ∈ G is m/gcd(i, m).
(c) For each divisor d of m, G contains exactly ϕ(d) elements of order d.

Proof. (a) ordG(b) = |⟨b⟩| is a divisor of |G|, by Proposition 4.1.9.
(b) Assume a^i has order d. Then a^{id} = (a^i)^d = e, but a^i, a^{2i}, . . . , a^{(d−1)i} are
different from e. By Proposition 4.2.7(b) this means that d is the smallest
number k ≥ 1 such that m divides ki. Write i′ = i/gcd(i, m) and m′ =
m/gcd(i, m). Then

m | ki ⇔ m′ | ki′ ⇔ m′ | k,

since m′ and i′ are relatively prime. The smallest k ≥ 1 that is divisible by
m′ is m′ = m/gcd(i, m) itself.
(c) By (b), we need to count the numbers i ∈ {0, 1, . . . , m − 1} such that
d = m/gcd(i, m), or gcd(i, m) = m/d. Only numbers i of the form j · (m/d),
0 ≤ j < d, can have this property. Now gcd(j(m/d), m) = (m/d) · gcd(j, d)
equals m/d if and only if gcd(j, d) = 1. Thus, exactly the numbers j · (m/d),
0 ≤ j < d, with gcd(j, d) = 1 are as required. There are exactly ϕ(d) of
them.
As an example, we consider the group Z∗25. This group of size ϕ(25) = 20
is cyclic with 2 as generator, since the powers 2^i mod 25, 0 ≤ i < 20, in this
order, are 1, 2, 4, 8, 16, 7, 14, 3, 6, 12, 24, 23, 21, 17, 9, 18, 11, 22, 19, 13.

 d  ϕ(d)  elements of order d
 1   1    {2^20} = {2^0} = {1}
 2   1    {2^10} = {24}
 4   2    {2^5, 2^15} = {7, 18}
 5   4    {2^4, 2^8, 2^12, 2^16} = {16, 6, 21, 11}
10   4    {2^2, 2^6, 2^14, 2^18} = {4, 14, 9, 19}
20   8    {2^1, 2^3, 2^7, 2^9, 2^11, 2^13, 2^17, 2^19} = {2, 8, 3, 12, 23, 17, 22, 13}

Table 4.4. The elements of Z∗25 and their orders
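The structure results of this subsection run on the page's own examples: Table 4.3 (the subgroups Hs of Z20, here also for an s that does not divide 20, where Lemma 4.2.12 gives |Hs| = gcd(20, s)) and Table 4.4 (the elements of Z∗25 sorted by order, via Lemma 4.2.13(b)), plus a check of Theorem 4.2.9. This is an added example, not code from the book; all function names are my own, and orders are found by brute force, which is only sensible for small groups.

```python
from math import gcd


def euler_phi(n):
    """phi(n) = number of i in {1, ..., n} with gcd(i, n) = 1 (brute force)."""
    return sum(1 for i in range(1, n + 1) if gcd(i, n) == 1)


def cyclic_subgroup(a, n):
    """<a> inside Z_n^*, listed as a^0, a^1, ... up to (not including) the return to 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit modulo n")
    powers, x = [1], a % n
    while x != 1:
        powers.append(x)
        x = (x * a) % n
    return powers


def order_mod(a, n):
    """ord(a) = |<a>| (Definition 4.2.5), computed by brute force."""
    return len(cyclic_subgroup(a, n))


def order_of_power(m, i):
    """Lemma 4.2.13(b): in a cyclic group of size m, ord(a^i) = m / gcd(i, m)."""
    return m // gcd(i, m)


def elements_of_order(gen, n, d):
    """Lemma 4.2.13(c): the elements gen^i of order d in Z_n^* = <gen>,
    returned as (i, gen^i mod n) pairs in increasing order of i."""
    m = order_mod(gen, n)
    if m != euler_phi(n):
        raise ValueError("gen does not generate Z_n^*")
    return [(i, pow(gen, i, n)) for i in range(m) if order_of_power(m, i) == d]


def h_s_additive(n, s):
    """Lemma 4.2.12 for (Z_n, +_n, 0): H_s = {a : s*a = 0 (mod n)}, of size gcd(n, s)."""
    return [a for a in range(n) if (s * a) % n == 0]


def euler_holds(n):
    """Theorem 4.2.9: a^phi(n) = 1 (mod n) for every unit a of Z_n."""
    phi = euler_phi(n)
    return all(pow(a, phi, n) == 1 for a in range(1, n) if gcd(a, n) == 1)
```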

4.3 Rings and Fields

Definition 4.3.1. A monoid is a set M together with a binary operation ◦
on M with the following properties:
(i) (Associativity) (a ◦ b) ◦ c = a ◦ (b ◦ c), for all a, b, c ∈ M.
(ii) (Neutral element) There is an element e ∈ M that satisfies a ◦ e = e ◦ a =
a for each a ∈ M. (In particular, M is not empty.)
A monoid (M, ◦, 1) is called commutative if all a, b ∈ M satisfy a ◦ b = b ◦ a.

An elementary and important example of a monoid is the set N of natural
numbers with the addition operation. The neutral element is the number 0.
Note that also the set N with the multiplication operation is a monoid, with
neutral element 1.

Definition 4.3.2. A ring (with 1) is a set R together with two binary
operations ⊕ and ⊙ on R and two distinct elements 0 and 1 of R with the
following properties:
(i) (R, ⊕, 0) is an abelian group (the additive group of the ring);
(ii) (R, ⊙, 1) is a monoid (the multiplicative monoid of the ring);
(iii) (Distributive law) For all a, b, c ∈ R: (a ⊕ b) ⊙ c = (a ⊙ c) ⊕ (b ⊙ c).
In short, we write (R, ⊕, ⊙, 0, 1) for such a ring.
If (R, ⊙, 1) is a commutative monoid, the ring (with 1) is called commutative.

Notation. In this text, we are dealing exclusively with commutative rings
with 1. For convenience, we call these structures simply rings. (The reader
should be aware that in different contexts “ring” is a wider concept.)

Proposition 4.3.3. If m ≥ 2 is an integer, then the structure Zm =
{0, 1, . . . , m − 1} with the binary operations

a ⊕ b = (a + b) mod m and a ⊙ b = (a · b) mod m,

for which the numbers 0 and 1 are neutral elements, is a ring.

Proof. We just have to check the basic rules of operation of modular addition
and multiplication:
– (a + b) mod m = (b + a) mod m.
– ((a + b) mod m + c) mod m = (a + (b + c) mod m) mod m.
– Existence of inverses: (a + (m − a)) mod m = 0.
– (a + 0) mod m = (0 + a) mod m = a.
– (a · b) mod m = (b · a) mod m.
– (((a · b) mod m) · c) mod m = (a · (b · c) mod m) mod m.
– (a · 1) mod m = (1 · a) mod m = a.
– (a · (b + c) mod m) mod m = ((a · b mod m) + (a · c mod m)) mod m.
The straightforward proofs are left to the reader.

Definition 4.3.4. (a) If (R, ⊕, ⊙, 0, 1) is a ring, then we let

R∗ = {a ∈ R | there is some b ∈ R with a ⊙ b = 1};

the elements of R∗ are called the units of R.
(b) An element a ∈ R − {0} is called a zero divisor if there is some c ∈
R − {0} such that a ⊙ c = 0 in R.

It is an easy exercise to show that (R∗, ⊙, 1) is an abelian group. Note
that R∗ and the set of zero divisors are disjoint: if a ⊙ b = 1 and a ⊙ c = 0,
then c = c ⊙ (a ⊙ b) = (c ⊙ a) ⊙ b = 0 ⊙ b = 0.

Definition 4.3.5. A field is a set F together with two binary operations
⊕ and ⊙ on F and two distinct elements 0 and 1 of F with the following
properties:
(i) (F, ⊕, ⊙, 0, 1) is a ring;
(ii) (F − {0}, ⊙, 1) is an abelian group (the multiplicative group of the
field), denoted by F∗.
In short, we write (F, ⊕, ⊙, 0, 1) for such a field.

In fields, all rules for addition, multiplication, subtraction, and division
apply that we know to hold in the fields R and Q. Here, we do not prove
these rules systematically, but simply use them. Readers who worry about
the admissibility of one or other transformation are referred to algebra texts
that develop the rules for computation in fields more systematically.
The inverse of a ∈ F in the additive group is denoted by ⊖a, the inverse of
a ∈ F∗ in the multiplicative group is denoted by a^{−1}. The binary operation
⊖ is defined by a ⊖ b = a ⊕ (⊖b); the binary operation ⊘ by a ⊘ b = a ⊙ b^{−1},
for a ∈ F, b ∈ F∗.

Example 4.3.6. Some infinite fields are well known, viz., the rational num-
bers Q, the real numbers R, and the complex numbers C, with the standard
operations.

In this book, however, finite fields are at the center of interest. The sim-
plest finite fields are obtained by considering Zp for a prime number p.

Proposition 4.3.7. Let m ≥ 2 be an integer. Then the following are equivalent:
(i) The ring Zm = {0, 1, . . . , m − 1} is a field.
(ii) m is a prime number.

Proof. “(i) ⇒ (ii)”: If m is not a prime number, we can write r · s = m ≡ 0
(mod m) with 2 ≤ r, s < m. This means that {1, . . . , m − 1} is not closed
under multiplication modulo m; in particular, this set does not form a group
under this operation.
“(ii) ⇒ (i)”: Conversely, assume that m is a prime number. Then Z∗m =
{1, . . . , m−1}, since no number of the latter set can have a nontrivial common
factor with m. We have seen in Proposition 3.3.8 that Z∗m is a group with
respect to multiplication modulo m for every integer m ≥ 2, so this is also
true for the prime number m.
Note that in the case where m is a prime number, and 0 < a < m,
an inverse of a, i.e., a number x that satisfies x · a ≡ 1 (mod m), can be
calculated using the Extended Euclidean Algorithm 3.2.4 (see the remarks
after Proposition 3.3.8).
We illustrate these observations by little numerical examples. Z12 =
{0, 1, . . . , 11} with arithmetic modulo 12 is not a field, since, for example,
3 · 4 = 12 ≡ 0 (mod 12), and hence {1, . . . , 11} is not closed under multipli-
cation. On the other hand, Z13 is a field. We find the multiplicative inverse of
6 by applying the Extended Euclidean Algorithm to 6 and 13, which shows
that (−2) · 6 + 1 · 13 = 1, from which we get that (−2) mod 13 = 11 is an
inverse of 6 modulo 13.
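An added example, not from the book, for Proposition 4.3.7 and the numerical examples just given: the units and zero divisors of Zm (Definition 4.3.4), the inverse of 6 in Z13 from the extended Euclidean algorithm, and the check that Zm is a field exactly when m is prime. Function names are my own; ext_gcd is a standard iterative formulation of the algorithm the text refers to as Algorithm 3.2.4.

```python
def ext_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with g = gcd(a, b) = x*a + y*b."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b != 0:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inverse_mod(a, m):
    """Multiplicative inverse of a in Z_m, or None if a is not a unit (gcd(a, m) > 1).
    For a = 6, m = 13 the algorithm finds (-2)*6 + 1*13 = 1, so the inverse is -2 mod 13 = 11."""
    g, x, _ = ext_gcd(a % m, m)
    return x % m if g == 1 else None


def units(m):
    """R^* for the ring R = Z_m (Definition 4.3.4(a))."""
    return [a for a in range(m) if inverse_mod(a, m) is not None]


def zero_divisors(m):
    """Nonzero a with a*c = 0 (mod m) for some nonzero c (Definition 4.3.4(b))."""
    return [a for a in range(1, m) if any((a * c) % m == 0 for c in range(1, m))]


def is_field(m):
    """Proposition 4.3.7: Z_m is a field iff every nonzero element is a unit."""
    return m >= 2 and len(units(m)) == m - 1


def is_prime(m):
    """Trial division, used only to cross-check is_field against Proposition 4.3.7(ii)."""
    return m >= 2 and all(m % k != 0 for k in range(2, int(m ** 0.5) + 1))
```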
To close the section, we note that monoids really are the natural structures
in which to carry out fast exponentiation.

Proposition 4.3.8. Let (M, ◦, 1) be a monoid. There is an algorithm that
for every a ∈ M and n ≥ 0 computes a^n in M with O(log n) multiplications
in M.

Proof. We use Algorithm 2.3.3 in the formulation for monoids M :

Algorithm 4.3.9 (Fast Modular Exponentiation in Monoids)
Input: Element a of monoid (M, ◦, 1) and n ≥ 0.
Method:
    s, c: M; u: integer;
    u ← n;
    s ← a;
    c ← 1;
    while u ≥ 1 repeat
        if u is odd then c ← c ◦ s;
        s ← s ◦ s;
        u ← u div 2;
    return c;

The analysis is exactly the same as that for Algorithm 2.3.3. On input a and
n it carries out no more than 2(⌊log n⌋ + 1) = O(log n) multiplications of elements of
M (at most two per iteration of the loop, one iteration per binary digit of n), and the result is correct.
Of course, if the elements of M are structured elements (like polynomials),
then the total cost of carrying out Algorithm 4.3.9 is O(log n) multiplied with
the cost of one such multiplication.
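Algorithm 4.3.9 with the monoid operation passed in as a parameter, as an added example (not code from the book): the same loop exponentiates in (Zm, ·, 1) and in the monoid of 2 × 2 integer matrices, and a counter confirms the bound of two multiplications per binary digit of n. The function names and the Fibonacci matrix are my own choices.

```python
from typing import Callable, List, Tuple, TypeVar

T = TypeVar("T")


def monoid_pow(a: T, n: int, mul: Callable[[T, T], T], one: T) -> Tuple[T, int]:
    """Algorithm 4.3.9: returns (a^n, number of calls to mul)."""
    u, s, c, count = n, a, one, 0
    while u >= 1:
        if u % 2 == 1:                      # current binary digit of n is 1
            c, count = mul(c, s), count + 1
        s, count = mul(s, s), count + 1     # square for the next digit
        u //= 2
    return c, count


def pow_mod(a: int, n: int, m: int) -> Tuple[int, int]:
    """The monoid (Zm, ·, 1): multiplication modulo m."""
    return monoid_pow(a % m, n, lambda x, y: x * y % m, 1)


# Structured elements: 2x2 integer matrices, each "multiplication" costing 8 integer
# products, so the total cost is O(log n) times the cost of one matrix product.
Matrix = List[List[int]]
IDENTITY: Matrix = [[1, 0], [0, 1]]


def mat_mul(x: Matrix, y: Matrix) -> Matrix:
    return [[x[0][0] * y[0][0] + x[0][1] * y[1][0], x[0][0] * y[0][1] + x[0][1] * y[1][1]],
            [x[1][0] * y[0][0] + x[1][1] * y[1][0], x[1][0] * y[0][1] + x[1][1] * y[1][1]]]


def fibonacci(n: int) -> Tuple[int, int]:
    """F_n read off from [[1,1],[1,0]]^n = [[F_{n+1}, F_n], [F_n, F_{n-1}]]."""
    power, count = monoid_pow([[1, 1], [1, 0]], n, mat_mul, IDENTITY)
    return power[0][1], count


def multiplication_bound(n: int) -> int:
    """At most two multiplications per loop iteration, one iteration per binary digit."""
    return 2 * n.bit_length()


if __name__ == "__main__":
    print(pow_mod(2, 17, 19))   # (10, 7): 2^17 mod 19 = 10, cf. Example 4.4.1
    print(fibonacci(10))        # (55, 6)
```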

4.4 Generators in Finite Fields

In this section we shall establish the basic fact that the multiplicative groups
in finite fields are cyclic.

Example 4.4.1. In the field Z19, consider the powers g^0, g^1, . . . , g^17 of the
element g = 2 (of course, all calculations are modulo 19):
1, 2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10.
This sequence exhausts the whole multiplicative group Z∗19 = {1, 2, . . . , 18}.
This means that Z∗19 is a cyclic group with generator 2.
It is the purpose of this section to show that in every finite field F the
multiplicative group is cyclic. A generating element g of this group is called
a generator for F . If F happens to be a field Zp for a prime number p, a
generator for Zp is also called a primitive element modulo p. (Thus, 2 is
a primitive element modulo 19.)
As a preparation, we need a lemma concerning Euler’s totient function ϕ.
The following example (from [21]) should make this lemma appear “obvious”.
Consider the 12 fractions with denominator 12 and numerator in {1, . . . , 12}:
1/12, 2/12, 3/12, 4/12, 5/12, 6/12, 7/12, 8/12, 9/12, 10/12, 11/12, 12/12.
Now reduce these fractions to lowest terms, by dividing numerator and
denominator by their greatest common divisor:
1/12, 1/6, 1/4, 1/3, 5/12, 1/2, 7/12, 2/3, 3/4, 5/6, 11/12, 1/1,
and group them according to their denominators:
1/1; 1/2; 1/3, 2/3; 1/4, 3/4; 1/6, 5/6; 1/12, 5/12, 7/12, 11/12.

It is immediately clear that the denominators are just the divisors 1, 2, 3, 4, 6,
12 of 12, and that there are exactly ϕ(d) fractions with denominator d, for
d a divisor of 12, viz., those fractions i/d, 1 ≤ i ≤ d, with i and d relatively
prime. Since we started with 12 fractions, we have
ϕ(1) + ϕ(2) + ϕ(3) + ϕ(4) + ϕ(6) + ϕ(12) = 12.
More generally, we can show the corresponding statement for every number
n in place of 12.
Lemma 4.4.2. For every n ∈ N we have
    Σ_{d | n} ϕ(d) = n.

Proof. Consider the sequence
    (a_i, b_i) = ( i / gcd(i, n), n / gcd(i, n) ), 1 ≤ i ≤ n.
Then each b_i is a divisor of n. Further, for each divisor d of n the pair (j, d)
appears in the sequence if and only if 1 ≤ j ≤ d and j and d are relatively
prime. Hence there are exactly ϕ(d) indices i with b_i = d. Summing up, we
obtain Σ_{d | n} ϕ(d) = n, as claimed.

Theorem 4.4.3. If F is a finite field, then F∗ is a cyclic group. In other
words, there is some g ∈ F∗ with F∗ = {1, g, g^2, . . . , g^{|F|−2}}.
Proof. Let q = |F|. Then |F∗| = |F − {0}| = q − 1.
For each divisor d of q − 1, let
    B_d = {b ∈ F∗ | ord_{F∗}(b) = d}.
Claim: |B_d| = 0 or |B_d| = ϕ(d).


Proof of Claim: Assume B_d ≠ ∅, and choose some element a of B_d. By
Proposition 4.2.7, this element generates the subgroup ⟨a⟩ = {a^0, a^1, . . . , a^{d−1}}
of size d. Clearly, for 0 ≤ i < d we have (a^i)^d = (a^d)^i = 1. Hence each of the
d elements of ⟨a⟩ is a root of the polynomial X^d − 1 in F. We now allow
ourselves to use Theorem 7.5.1, to be proved later in Sect. 7.5, to note that
the polynomial X^d − 1 does not have more than d roots in F, hence ⟨a⟩
comprises exactly the set of roots of X^d − 1. Since each element b of B_d satisfies
b^d = 1, hence is a root of X^d − 1, we obtain B_d ⊆ ⟨a⟩. Now applying
Proposition 4.2.13(c) we note that ⟨a⟩ contains exactly ϕ(d) elements of order d in
⟨a⟩, which is the same as the order in F∗. Thus, |B_d| = ϕ(d), and the claim
is proved.
By Proposition 4.1.9, the order of each element a ∈ F∗ is a divisor of
|F∗| = q − 1. Thus, the sets B_d, d | q − 1, form a partition of F∗ into disjoint
subsets. Hence we have
    q − 1 = |F∗| = Σ_{d | q−1} |B_d|.    (4.4.1)
If we apply Lemma 4.4.2 to q − 1, we obtain
    q − 1 = Σ_{d | q−1} ϕ(d).    (4.4.2)
Combining (4.4.1) and (4.4.2) with the claim, we see that in fact none of the
B_d's can be empty. In particular B_{q−1} ≠ ∅, and each of the ϕ(q − 1) elements
g ∈ B_{q−1} is a primitive element of F.
Corollary 4.4.4. If p is a prime number, then Z∗p is a cyclic group with
ϕ(p − 1) generators (called “primitive elements modulo p”).
Example 4.4.5. The ϕ(12) = 4 primitive elements modulo 13 are 2, 6, 7, and
11.
Definition 4.4.6. If p is a prime number, and n is an integer not divisible
by p, we write ord_p(n) for ord_{Z∗p}(n mod p), and call this number the order
of n modulo p.
Clearly, ord_p(n) is the smallest i ≥ 1 that satisfies n^i mod p = 1, and ord_p(n)
is a divisor of |Z∗p| = p − 1.
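The objects of this section computed for Zp, as an added example (not code from the book): the fraction-reduction count behind Lemma 4.4.2, the order ord_p(n) of Definition 4.4.6, the sets B_d from the proof of Theorem 4.4.3 (whose sizes come out as ϕ(d) for every divisor d of p − 1), and from them the primitive elements of Example 4.4.5. Function names are my own.

```python
from math import gcd
from typing import Dict, List


def phi(n: int) -> int:
    """Euler's totient: the number of i in {1, ..., n} with gcd(i, n) = 1."""
    return sum(1 for i in range(1, n + 1) if gcd(i, n) == 1)


def divisors(n: int) -> List[int]:
    return [d for d in range(1, n + 1) if n % d == 0]


def reduced_denominators(n: int) -> Dict[int, int]:
    """The bookkeeping behind Lemma 4.4.2: reduce i/n to lowest terms for
    i = 1..n and count the fractions by denominator b_i = n / gcd(i, n)."""
    counts: Dict[int, int] = {}
    for i in range(1, n + 1):
        b = n // gcd(i, n)
        counts[b] = counts.get(b, 0) + 1
    return counts


def order_mod(p: int, n: int) -> int:
    """ord_p(n) of Definition 4.4.6: the least i >= 1 with n^i mod p = 1
    (assumes p prime and p not dividing n)."""
    a = n % p
    if a == 0:
        raise ValueError("n must not be divisible by p")
    x, i = a, 1
    while x != 1:
        x, i = x * a % p, i + 1
    return i


def order_classes(p: int) -> Dict[int, List[int]]:
    """The sets B_d = {b in Z_p^* : ord(b) = d} from the proof of Theorem 4.4.3."""
    classes: Dict[int, List[int]] = {}
    for b in range(1, p):
        classes.setdefault(order_mod(p, b), []).append(b)
    return classes


def primitive_elements(p: int) -> List[int]:
    """Generators of Z_p^*: exactly the elements of order p - 1."""
    return order_classes(p).get(p - 1, [])


if __name__ == "__main__":
    print(reduced_denominators(12))   # one entry per divisor d of 12, value phi(d)
    print(order_classes(13))          # |B_d| = phi(d) for every d | 12
    print(primitive_elements(13))     # [2, 6, 7, 11], as in Example 4.4.5
```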
