A Unified Method for Selecting Parameters and Primitive Elements in 2 × 2 Matrix Fields for Cryptographic Protocols

Abstract

This paper introduces a novel method for selecting parameters of finite fields formed by 2 × 2 matrices over a finite field of integers modulo a prime p. The method aims to simultaneously determine both the field parameters and primitive elements, thereby optimizing the construction of cryptographic algorithms. The proposed approach leverages the properties of quadratic residues and non-residues, simplifying the process of finding matrix field parameters while maintaining computational efficiency. The method is particularly effective when the prime number p is either a Mersenne prime or (p + 1)/2 is also a prime. This study demonstrates that the resulting matrix fields can be practically computed, offering a high degree of flexibility for cryptographic protocols such as key agreement and secure data transmission. Compared to previous methods, the new method reduces the parameter search space and provides a structured way to identify primitive elements without the need for a separate search procedure. The findings have significant implications for the development of efficient cryptographic systems using matrix-based finite fields.

1. Introduction

Finite fields are fundamental to cryptography since they provide the mathematical foundation for various cryptographic algorithms and protocols. They enable computations over a limited set of elements, ensuring operation completeness, the absence of overflow errors, and efficient implementation. For instance, asymmetric cryptographic algorithms, such as RSA [1], elliptic curves [2], and lattice-based cryptography [3] rely on the properties of finite fields to ensure the computational complexity of inverse problems, e.g., discrete logarithms and factorization of large numbers, which are critical to their security.

A well-known example of applying finite fields in symmetric cryptography is the Advanced Encryption Standard (AES) [4]. The AES utilizes a finite field $GF\left(2^8\right)$ that enables efficient operations on data bytes. The SubBytes transformation is based on computing multiplicative inverses in $GF\left(2^8\right)$, ensuring non-linearity, while the MixColumns operation relies on matrix multiplication in a finite field.

Matrices themselves are a powerful tool in cryptographic applications. Beyond AES, they are deployed in various data encryption methods, including public-key encryption [5], image encryption [6,7,8,9,10], group cryptographic transformations [11], homomorphic encryption [12], key agreement protocols [13,14], network coding [15], etc. On the other hand, matrix applications in cryptography present challenges such as computational complexity, security vulnerabilities, high implementation-related costs, and key management. These challenges highlight the demand for continuous research and development to enhance the security and efficiency of matrix-based cryptographic systems.

In our previous studies [16,17] we have examined the principles for constructing Galois fields of square $2\times 2$ matrices over a prime field of integers ${\mathbb{Z}}_p$. This approach aims to enhance the reliability of cryptographic systems operating in finite fields by increasing the order of the multiplicative group while preserving the order $p$ of the base field ${\mathbb{Z}}_p$ used for transformations. The latter assertion refers to the fact that the complexity of algorithms solving the discrete logarithm problem depends significantly on the order of the cyclic group [18,19,20,21,22,23]. By utilizing the proposed field of square matrices over ${\mathbb{Z}}_p$, the order of the multiplicative group can be increased to $p^2-1$ compared to the base field ${\mathbb{Z}}_p$.

The study [16] investigates the properties of a commutative (abelian) group under the multiplication of $2\times 2$ square matrices over ${\mathbb{Z}}_p$, as follows:

$$CG{L}_{b,k}\left(2,{\mathbb{Z}}_p\right)=\left\{t·\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right),s·\left(\begin{array}{cc}1& 0\\ 0& 1\end{array}\right),\begin{array}{c}t,s,a,b,k\in {\mathbb{Z}}_p,t,s\ne 0,\\ a\left(a+k\right)-b\ne 0\end{array}\right\},$$

(1)

where $b,k$ represent fixed group parameters.

The $CG{L}_{b,k}\left(2,{\mathbb{Z}}_p\right)$ group order is $p^2-1$ if $D=k^2+4b\ne u^2\in {\mathbb{Z}}_p$ and $p>2$. We will also assume further in this research that $p>2$.

The study [16] also demonstrates that a simple algebraic expansion $F_{p^2}={\mathbb{Z}}_p\left[\sqrt{D}\right]$ is a decomposition field for characteristic polynomials of matrices from the group $CG{L}_{b,k}\left(2,{\mathbb{Z}}_p\right)$. Eigenvalues of the group $CG{L}_{b,k}\left(2,{\mathbb{Z}}_p\right)$ matrix over the field $F_{p^2}={\mathbb{Z}}_p\left[\sqrt{D}\right]$ are ${\lambda }_{1,2}\left(a,t\right)=\frac{t}{2}\left(2a+k\pm \sqrt{D}\right)$, $t\ne 0$.

Evidence from the study [16] also demonstrates that the commutative family of matrices $CG{L}_{b,k}\left(2,{\mathbb{Z}}_p\right)$ over the field $F_{p^2}={\mathbb{Z}}_p\left[\sqrt{D}\right]$ is simultaneously diagonalizable [24,25]. Then the following family of matrices:

$$F_{b,k}=\left\{t·\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right),s·\left(\begin{array}{cc}1& 0\\ 0& 1\end{array}\right),\begin{array}{c}t,s,a,b,k\in {\mathbb{Z}}_p,\\ D=k^2+4b\ne u^2\in {\mathbb{Z}}_p\end{array}\right\}$$

(2)

with fixed $b$ and $k$ values is a Galois field of order $p^2$ with standard matrix addition and multiplication operations.

The survey [17] addresses the perspectives of deploying a finite field $F_{b,k}$ in cryptographic applications, in particular, in the Diffie–Hellman key agreement protocol [26]. For this purpose, the study [17] presents an approach to defining matrices $t·A=t·\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$, which are primitive elements of a finite field $F_{b,k}$, along with demonstrating the set structure of such primitive elements in $F_{b,k}$. The study [17] presents an algorithm that efficiently identifies all such primitive elements by iterating through possible values and verifying their suitability using number-theoretical criteria such as quadratic residue testing.

In cases when parameters $b$ and $k$ of a field $F_{b,k}$ are not previously specified, its use in cryptographic applications requires solving two independent tasks: selecting parameters $b$ and $k$ to satisfy condition $k^2+4b\ne u^2\in {\mathbb{Z}}_p$ and finding primitive elements of $F_{b,k}$ for the found parameters. This approach is demanding in terms of required resources and hence motivates the search for methods that would allow a single procedure to simultaneously determine both the necessary parameters of the field $F_{b,k}$ and its primitive elements.

Thus, the major objective of this study is to develop and investigate a method for selecting parameters of the finite field of $2\times 2$ matrices while simultaneously generating primitive elements for them.

This paper is organized as follows: Section 2 will present the materials and methods, including the mathematical foundations of finite fields of $2\times 2$ matrices over the prime field of integers and the proposed parameter selection algorithm; Section 3 will present the theoretical results and practical applications of the proposed method; Section 4 will discuss the efficiency and cryptographic relevance of the method compared to existing approaches; and Section 5 will conclude this paper.

2. Materials and Methods

2.1. Characteristics and Conditions for $F_{b,k}$

Theorem 5 from [17] proves that there exist exactly $\phi \left(p+1\right)$ different matrices $A_j=\left(\begin{array}{cc}{a}_j& 1\\ b& a_j+k\end{array}\right)\in F_{b,k}$ over ${\mathbb{Z}}_p$ with $period\left(A_j\right)=p+1$ and $\det \left(A_j\right)\ne u^2\in {\mathbb{Z}}_p$, that define all $\phi \left(p^2-1\right)$ primitive elements of $F_{b,k}$ over ${\mathbb{Z}}_p$, i.e.,:

$$t_{ji}·A_j,$$

(3)

where $t_{ji}\in {\mathrm{T}}_j=\left\{\pm {\sigma }^{\frac{i-{\gamma }_j}{2}}:〈i,p-1〉=1,{\gamma }_j=ind\left(\det \left(A_j\right)\right)\right\}$, $1\le j\le \phi \left(p+1\right)$;

$\sigma$ is the smallest primitive root in ${\mathbb{Z}}_p$;

$ind\left(\det \left(A_j\right)\right)=\gamma$ is the index of $\det \left(A_j\right)$ number by $\sigma$ base: $\det \left(A_j\right)\equiv {\sigma }^{\gamma }\left(\mathrm{mod}p\right)$, $0\le \gamma \le p-2$.

In order to simplify computational procedures, this situation justifies the relevance of studying the special case of a primitive element of the form $A=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ for $t=1$.

Theorem 5 from the study [17] includes the following definitions, which we will use in this study.

Definition 1. 

The $A,A^2,\dots ,A^L=\delta ·E$ power sequence of the matrix $A\in F_{b,k}$ is termed as a power chain of length $L$, if for $i<L$: $A^i\ne s·E$, where $\delta ,s\in {\mathbb{Z}}_p$. $L=1$ if $A=\delta ·E$.

Definition 2. 

The period of the matrix $A$ is defined as the length $L$ of its power chain: $period\left(A\right)=L$.

The order of the matrix $A$ as an element of the multiplicative group $F_{b,k}^{*}$ has the notation $ord\left(A\right)$.

Consider matrix $A=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$. Thus $\left|A\right|={\Delta }_a=a\left(a+k\right)-b\ne 0$.

The characteristic equation of the matrix $A$ has the following notation: ${\lambda }^2-\left(2a+k\right)\lambda +\left[a\left(a+k\right)-b\right]=0$, or ${\lambda }^2-\left(2a+k\right)\lambda +{\Delta }_a=0$.

The roots of the characteristic equation ${\lambda }_{1,2}\left(a\right)$ are the eigenvalues of the matrix $A$. Further, we will abbreviate ${\lambda }_{1,2}\left(a\right)$ values through ${\lambda }_{1,2}$.

In order for a matrix to acquire the maximum number of linearly independent eigenvectors, a sufficient condition is that all roots of its characteristic equation be distinct [24,25]. For the matrix $A$, the necessary and sufficient condition is $D=k^2+4b\ne 0$.

The study [17] has demonstrated the following:

• For $D=u^2\in {\mathbb{Z}}_p$, $u\ne 0$, the values are $ord\left(A\right)=LCM\left(ord\left({\lambda }_1\right),ord\left({\lambda }_2\right)\right)$ in ${\mathbb{Z}}_p$ and $ord\left(A\right)\le p-1$. The maximum limit of $ord\left(A\right)$ can be reached if and only if the smallest common multiple of the ${\lambda }_{1,2}$ orders is $p-1$, for example, when at least one of the elements ${\lambda }_{1,2}$ is primitive in ${\mathbb{Z}}_p$;
• For $D\ne u^2\in {\mathbb{Z}}_p$, $u\ne 0$, the following equality holds:

$$A^{p+1}=C\left(\begin{array}{cc}{\lambda }_1^{p+1}& 0\\ 0& {\lambda }_2^{p+1}\end{array}\right)C^{-1}=C\left(\begin{array}{cc}{\Delta }_a& 0\\ 0& {\Delta }_a\end{array}\right)C^{-1}={\Delta }_{a}E,$$

(4)

where ${\Delta }_a\in {\mathbb{Z}}_p$.

For the element $A$ of the matrix field $F_{b,k}$ with the order $\left|F_{b,k}\right|=p^2$, the value $ord\left(A\right)\le p^2-1$ (see Formula (25)). According to Theorem 4 in [17], the maximum limit $ord\left(A\right)=p^2-1$ is achieved if $period\left(A\right)=p+1$ while ${\lambda }_1^{p+1}={\lambda }_2^{p+1}={\Delta }_a$ is a primitive element of the field ${\mathbb{Z}}_p$ with order $p-1$.

Remark 1. 

For the eigenvalues ${\lambda }_{1,2}$ of the matrix $A$, $D\ne u^2\in {\mathbb{Z}}_p$, the equality ${\lambda }_1^i={\lambda }_2^i=\delta$ holds if and only if ${\lambda }_1^i=\delta \in {\mathbb{Z}}_p$.

Proof of Remark 1. 

Let us represent the matrix $A$ as $A=C\left(\begin{array}{cc}{\lambda }_1& 0\\ 0& {\lambda }_2\end{array}\right)C^{-1}$, where $C=‖c_{ij}‖$, $c_{ij}\in {\mathbb{Z}}_p\left(\sqrt{D}\right)$, is the diagonalizing matrix for $A=‖a_{ij}‖$, $a_{ij}\in {\mathbb{Z}}_p$.

If ${\lambda }_1^i={\lambda }_2^i$, then $A^i=C·\left(\begin{array}{cc}{\lambda }_1^i& 0\\ 0& {\lambda }_2^i\end{array}\right)·C^{-1}=C·{\lambda }_1^i·E·C^{-1}={\lambda }_1^i·E=\delta ·E=\left(\begin{array}{cc}\delta & 0\\ 0& \delta \end{array}\right)$, where ${\lambda }_1^i=\delta \in {\mathbb{Z}}_p$.

Now, ${\lambda }_1^i=\delta \in {\mathbb{Z}}_p$. Since the characteristic polynomial of matrix $A$ is irreducible over ${\mathbb{Z}}_p$, the eigenvalue is ${\lambda }_2={\lambda }_1^p$. By Fermat’s theorem [27], for the elements of ${\mathbb{Z}}_p$, the following holds: ${\lambda }_2^i={\left({\lambda }_1^p\right)}^i={\left({\lambda }_1^i\right)}^p={\delta }^p=\delta$, i.e., ${\lambda }_1^i={\lambda }_2^i=\delta$. □

Corollary 1. 

Power $A^i=\delta ·E$ if and only if ${\lambda }_1^i=\delta \in {\mathbb{Z}}_p$.

Note that the condition of primitiveness ${\Delta }_a$ in ${\mathbb{Z}}_p$ is necessary, even though this condition is not sufficient for ensuring the maximum order of the cyclic subgroup generated by the matrix $A$. The latter is due to the fact that the equality ${\lambda }_1^{p+1}={\lambda }_2^{p+1}$ does not exclude cases where ${\lambda }_1^i={\lambda }_2^i$ for $i<p+1$ (see Example 1).

Recall that the next expression from [28] serves to raise a square matrix $A=\left(\begin{array}{cc}a& b\\ c& d\end{array}\right)$ to a power, as follows:

$$A^i=\left(\begin{array}{cc}{\vartheta }_{i+1}-d{\vartheta }_i& b{\vartheta }_i\\ c{\vartheta }_i& {\vartheta }_{i+1}-a{\vartheta }_i\end{array}\right),$$

(5)

where

$${\vartheta }_{i+1}=tr\left(A\right){\vartheta }_i-\det \left(A\right){\vartheta }_{i-1},$$

(6)

$tr\left(A\right)$ denotes the trace of the matrix $A$ [29]; ${\vartheta }_0=0$, ${\vartheta }_1=1$.

Also recall that Theorem 1 in [17] proves that if $A\in F_{b,k}$, $period\left(A\right)=p+1$ if and only if $A\ne s·E$ and

$${\vartheta }_i\ne 0 \mathrm{for} 1\le i\le \frac{p+1}{2}.$$

(7)

On the other hand, Theorem 2 in [17] states that the following is true for $A\in F_{b,k}$ and $\det \left(A\right)={\Delta }_a\ne u^2\in {\mathbb{Z}}_p$:

If a prime $p$ is a Mersenne prime $\left(p=2^m-1\right)$, then $period\left(A\right)=p+1$;

3.

If $p\ne 2^m-1$, then $period\left(A\right)=p+1$ if and only if

$${\vartheta }_i\ne 0 \mathrm{for} 1\le i\le \frac{p+1}{\gamma },$$

(8)

where $\gamma =\min \left\{f=2c+1:c\ge 1,\left(p+1\right)⋮ f\right\}$.

Example 1. 

(a) Let us assume that $p=11$, $b=10$, $k=5$, and matrix $A=\left(\begin{array}{cc}a& 1\\ 10& a+5\end{array}\right)\in F_{10,5}$ over ${\mathbb{Z}}_{11}$.

The value $D=k^2+4b=10\ne u^2\in {\mathbb{Z}}_{11}$. For $a=8$, the determinant ${\Delta }_a=6D\ne u^2\in {\mathbb{Z}}_{11}$. Here $\frac{p+1}{2}=6$ is not a prime number.

To find $period\left(A\right)$, we shall apply Theorem 1 from [17]. By calculating $tr\left(A\right)=10=-1$, $\det \left(A\right)={\Delta }_a=-5$, we find the values of elements ${\vartheta }_i$ of sequence (6) for $1\le i\le 6$ by the Formula (7): 0, 1, −1, 6, 0, 8,…. We obtain ${\vartheta }_4=0$, ${\vartheta }_5=8$, from whence $period\left(A\right)\ne p+1$. The characteristic polynomial of the matrix $A=\left(\begin{array}{cc}8& 1\\ 10& 2\end{array}\right)$ is ${\lambda }^2+\lambda +6$, it has a discriminant $D=10\ne u^2\in {\mathbb{Z}}_{11}$ and is irreducible over the field ${\mathbb{Z}}_{11}$. The decomposition field of ${\lambda }^2+\lambda +6$ is the quadratic extension of the field ${\mathbb{Z}}_{11}\left[\sqrt{10}\right]$, in which the eigenvalues of matrix $A$ are equal to ${\lambda }_{1,2}=\frac{1}{2}\left(-1\pm \sqrt{10}\right)$.

Equation (5) for the $A^i$ power yields the following result: $A^4=\left(\begin{array}{cc}8& 0\\ 0& 8\end{array}\right)=8E$, i.e., $period\left(A\right)=4=\frac{p+1}{3}$ and ${\lambda }_1^4={\lambda }_2^4=8\in {\mathbb{Z}}_{11}$.

(b) Let $p=13$, $b=7$, $k=4$, and the matrix $A=\left(\begin{array}{cc}a& 1\\ 7& a+4\end{array}\right)\in F_{7,4}$ over ${\mathbb{Z}}_{13}$.

The discriminant is $D=k^2+4b=5\ne u^2\in {\mathbb{Z}}_{13}$. For $a=5$, the matrix $A=\left(\begin{array}{cc}5& 1\\ 7& 9\end{array}\right)$ has $tr\left(A\right)=1$ and $\det \left(A\right)={\Delta }_a=-1$. The decomposition field of the characteristic polynomial ${\lambda }^2-\lambda +1$ for the matrix $A$ is the simple quadratic extension of the field ${\mathbb{Z}}_{13}\left[\sqrt{5}\right]$, where eigenvalues are ${\lambda }_{1,2}=\frac{1}{2}\left(-1\pm \sqrt{5}\right)$. The value $\frac{p+1}{2}=7$ is a prime number; whereas the determinant ${\Delta }_a=-1=5^2\in {\mathbb{Z}}_{13}$. Hence, to determine the period of the matrix $A$, it is impossible to apply Theorem 2 from the study [17] and condition (8). Therefore, Theorem 1 proved in [17] will be applied, having calculated the sequence (6) for $1\le i\le 7$ with expression (7): 0, 1, 1, 2, 3, 5, 8, 0, 8, …, where ${\vartheta }_7=0$, ${\vartheta }_8=8$.

According to the Equation (5): $A^7=8E$, whence $period\left(A\right)=7=\frac{p+1}{2}$ and ${\lambda }_1^7={\lambda }_2^7=8\in {\mathbb{Z}}_{13}$.

(c) Let $p=19$, $b=11$, $k=3$, and matrix $A=\left(\begin{array}{cc}a& 1\\ 11& a+3\end{array}\right)\in F_{11,3}$ over ${\mathbb{Z}}_{19}$.

Discriminant $D=k^2+4b=15\ne u^2\in {\mathbb{Z}}_{19}$. For $a=9$, the matrix $A=\left(\begin{array}{cc}9& 1\\ 11& 12\end{array}\right)$ acquires $tr\left(A\right)=2$, $\det \left(A\right)={\Delta }_a=2$ and a characteristic polynomial ${\lambda }^2-2\lambda +2$. Since $\frac{1}{4}D=18\ne u^2\in {\mathbb{Z}}_{19}$, the extension field of the polynomial ${\lambda }^2-2\lambda +2$ will be a quadratic extension of the field ${\mathbb{Z}}_{19}\left[\sqrt{18}\right]$. The eigenvalues of the matrix $A$ are ${\lambda }_{1,2}=1\pm \sqrt{18}\in {\mathbb{Z}}_{19}\left[\sqrt{18}\right]$. To determine $period\left(A\right)$, we will calculate ${\vartheta }_i$ values by Equation (6) for $1\le i\le 4$ according to (8): 0, 1, 2, 2, 0, −4, …, wherein ${\vartheta }_4=0$, ${\vartheta }_5=-4$. This implies that $A^4=-4E$, whence $period\left(A\right)=4=\frac{p+1}{5}$ and ${\lambda }_1^4={\lambda }_2^4=-4\in {\mathbb{Z}}_{19}$.

2.2. Selecting $F_{b,k}$ Parameters

Let $r\equiv m\equiv n\left(\mathrm{mod}p+1\right)$, $0\le r\le p$.

Thus, $\left\{\begin{array}{l}n=\nu \left(p+1\right)+r,\\ m=\mu \left(p+1\right)+r.\end{array}\right.$ Considering (4) $A^n=A^{\nu \left(p+1\right)+r}={\left(A^{p+1}\right)}^{\nu }·A^r={\Delta }_a^{\nu }·A^r$ $A^m=A^{\mu \left(p+1\right)+r}={\left(A^{p+1}\right)}^{\mu }·A^r={\Delta }_a^{\mu }·A^r$.

Thus $A^m=\frac{{\Delta }_a^{\mu }}{{\Delta }_a^{\nu }}·A^n={\Delta }_a^{\mu -\nu }·A^n$ or

$$A^m={\Delta }_a^{\frac{m-n}{p+1}}·A^n.$$

(9)

Note that Equation (9) indicates the “periodicity” of the power values of the matrix $A$ in the field $F_{b,k}$ with an accuracy of up to a defined coefficient from ${\mathbb{Z}}_p$.

Here we consider in more detail the issue of selecting parameters for the matrix $A=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ with $D\ne u^2\in {\mathbb{Z}}_p$, to achieve maximum for the order of the generated cyclic subgroup.

Recall that according to Theorem 4 in [17], it is necessary for ${\Delta }_a$ to be primitive in ${\mathbb{Z}}_p$ with order $p-1$ to ensure the maximum value of $ord\left(A\right)$ for $D=k^2+4b\ne u^2\in {\mathbb{Z}}_p$. For the smallest primitive root ${\sigma }_0$ in ${\mathbb{Z}}_p$, that implies that ${\Delta }_a={\sigma }_0^i$, where $GCF\left(i,p-1\right)=1$. If $t\ne 0$, it can be expressed as a power of ${\sigma }_0$: $t={\sigma }_0^{\nu }$, $0<\nu <p$. A primitive ${\Delta }_a$ in the equation ${\Delta }_a=t^j$, $0<j<p$ yields ${\sigma }_0^{\nu j}={\sigma }_0^i$. This equality is equivalent to the comparison $\nu ·j\equiv i\left(\mathrm{mod}p-1\right)$, where $GCF\left(i,p-1\right)=1$. For $GCF\left(\nu ·j,p-1\right)\ne 1$, the specified comparison has no solutions, in particular for $GCF\left(j,p-1\right)\ne 1$. Therefore, a necessary condition for primitiveness is the requirement:

$${\Delta }_a=a\left(a+k\right)-b\ne t^j\in {\mathbb{Z}}_p,$$

(10)

where $1<j<p$, $GCF\left(j,p-1\right)\ne 1$.

In this study, we shall confine ourselves to considering the base case for prime $p>2$, when

$$\left\{\begin{array}{l}D=k^2+4b\ne u^2\in {\mathbb{Z}}_p,\\ {\Delta }_a=a\left(a+k\right)-b\ne t^2\in {\mathbb{Z}}_p.\end{array}\right.$$

(11)

As is evident from the above, ${\Delta }_a=a\left(a+k\right)-b\ne t^2\in {\mathbb{Z}}_p$ is a necessary condition. However, this condition cannot be considered sufficient.

It follows from $D=k^2+4b\ne u^2\in {\mathbb{Z}}_p$ that $b\ne 0$. Therefore, for an arbitrary quadratic non-residue $q$ in ${\mathbb{Z}}_p$ the equalities $k^2+4b=q$ or $b=\frac{q-k^2}{4}$ hold.

Substituting the final expression into ${\Delta }_a=a\left(a+k\right)-b\ne t^2\in {\mathbb{Z}}_p$ yields ${\left(a+\frac{k}{2}\right)}^2-{\left(\frac{1}{2}\right)}^{2}q\ne t^2\in {\mathbb{Z}}_p$ or ${\left(2a+k\right)}^2-q\ne {\left(2t\right)}^2\in {\mathbb{Z}}_p$. Thus, the final expression reduces the problem of selecting the matrix field parameters to finding a quadratic non-residue $r$ in ${\mathbb{Z}}_p$, which defines the difference ${\left(2a+k\right)}^2-q=r$ or

$${\left(2a+k\right)}^2=q+r$$

(12)

for a given a fixed quadratic non-residue $q$ in ${\mathbb{Z}}_p$.

Remark 2. 

For the simplest case, when $2a+k=0$ or $a=-\frac{k}{2}$, the following equalities hold for the values of the Legendre symbol (see [30]):

$$\left(\frac{p-q}{p}\right)=\left(\frac{-q}{p}\right)=\left(\frac{-1}{p}\right)·\left(\frac{q}{p}\right)={\left(-1\right)}^{\frac{p-1}{2}}·\left(\frac{q}{p}\right).$$

(13)

Therefore, the pair $\left(q;r=p-q\right)$ constitutes quadratic non-residues in ${\mathbb{Z}}_p$ only for $p=4w+1$, since for $p=4w+3$, the value $r=p-q$ is always a quadratic residue for a given quadratic non-residue $q$ [30]. The matrix $A=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ for $a=-\frac{k}{2}$ has a notation $A=\left(\begin{array}{cc}-k/2& 1\\ b& k/2\end{array}\right)$ without variable parameters. In this case $A^2=\left(\frac{k^2}{4}+b\right)·E=\frac{D}{4}·E$, while $period\left(A\right)=2$. The multiplicative group has a simple structure $CG{L}_p\left(b,k\right)=\left\{\begin{array}{cc}t·\left(\begin{array}{cc}-k/2& 1\\ b& k/2\end{array}\right),sE,& t,s,k\in {\mathbb{Z}}_p,t,s\ne 0\end{array}\right\}$ and order $2\left(p-1\right)$.

Further, we consider the case where $2a+k\ne 0$.

The solution for the Equation (12) reduces to a search for quadratic non-residues $r$ in ${\mathbb{Z}}_p$ that satisfy the equality $q+r=t^2\in {\mathbb{Z}}_p$ for a given fixed quadratic non-residue $q$ in ${\mathbb{Z}}_p$. Here we determine the number of such pairs $q$ and $r$ that exist.

To solve the problem of finding quadratic non-residues $q,r\in {\mathbb{Z}}_p$ such that $q+r=t^2\in {\mathbb{Z}}_p$, we first consider the problem of finding quadratic residues $q,r\in {\mathbb{Z}}_p$ such that $q+r=t^2\in {\mathbb{Z}}_p$. The latter expression can be rewritten in the field ${\mathbb{Z}}_p$ as follows:

$$q^2+r^2=t^2.$$

(14)

Here we consider the following cases:

• $qr=0$;
• $\left\{\begin{array}{l}qr\ne 0;\\ t=0;\end{array}\right.$;
• $qrt\ne 0$.

Case 1. 

If $qr=0$, then $\left[\begin{array}{l}\left\{\begin{array}{l}q=0;\\ r^2-t^2=0;\end{array}\right.\\ \left\{\begin{array}{l}r=0;\\ q^2-t^2=0;\end{array}\right.\end{array}\right.$ or $\left[\begin{array}{l}\left\{\begin{array}{l}q=0;\\ r=\pm t;\end{array}\right.\\ \left\{\begin{array}{l}r=0;\\ q=\pm t.\end{array}\right.\end{array}\right.$

The number of pairs $\left(q;r\right)$: $qr=0$, that are the solution of Equation (14) for an arbitrary $t\in {\mathbb{Z}}_p$, equals $2p$. The number of distinct pairs $\left(q;r\right)$ with precision up to their permutation is equal to $p$.

The number of distinct pairs $\left(q^2;r^2\right)$: $qr=0$, with precision up to their permutation for a given $t\in {\mathbb{Z}}_p$ is equal to the number of quadratic residues in ${\mathbb{Z}}_p$, including zero residue: $\left(p-1\right)/2+1=\left(p+1\right)/2$.

Case 2. 

If $\left\{\begin{array}{l}qr\ne 0,\\ t=0;\end{array}\right.$ then $q^2+r^2=0$, where $q^2,r^2\in \left\{1,2,3,\dots ,p-1\right\}$. Since $q\ne 0$, $1+{\left(r/q\right)}^2=0$.

Let us assume that $w=r/q$. Then $1+w^2=0$ or

$$w^2=-1.$$

(15)

According to Corollary 3 from Chapter 5 of §1 [30], Equation (15) has a solution for prime $p$ if and only if $p=4l+1$.

We shall accept that $w_0$ is the solution to Equation (15), i.e., $1+w_0^2=0$, $p=4l+1$. Therefore, for every $q\in {\mathbb{Z}}_p$: $q^2\left(1+w_0^2\right)=q^2+{\left(q{w}_0\right)}^2=0$, which implies that the set of pairs $\left\{\left(q;q{w}_0\right)\right\}=\left\{\left(q;r\right)\right\}$ defines all possible solutions in the field ${\mathbb{Z}}_p$ of the equation $q^2+r^2=0$, $p=4l+1$. In addition, since $w_0\in {\mathbb{Z}}_p$, $w_0^2=p-1$ or $w_0=\pm {\left(p-1\right)}^{\frac{1}{2}}$.

For $\left\{\begin{array}{l}qr\ne 0;\\ p=4l+3\end{array}\right.$, $q^2+r^2\ne 0$ always holds.

Therefore, the number of pairs $\left(q;r\right)$: $qr\ne 0$, that are the solution to Equation (14) for $t=0$, equals $2\left(p-1\right)$ for $p=4l+1$, and zero for $p=4l+3$, whereas the number of distinct pairs $\left(q;r\right)$ with precision up to their permutation for $p=4l+1$ is equal to $p-1$.

Corollary 2. 

The number of distinct pairs $\left(q^2;r^2\right)$: $qr\ne 0$ with precision up to their permutation that are the solution to Equation (14) for $t=0$, equals $\left(p-1\right)/4$ for $p=4l+1$ and zero for $p=4l+3$.

It is important to notice that the system of nonzero quadratic residues in ${\mathbb{Z}}_p$, $p=4l+1$, possesses the property of symmetric distribution within the ordered set of residues modulo $p$: $1;\dots ;q^2;\dots ;p-q^2;\dots ;p-1=w_0^2$, $q^2\le \left(p-1\right)/2$ (see Equation (13)).

Corollary 3. 

The number of nonzero quadratic residues $r^2$ in ${\mathbb{Z}}_p$ for a fixed nonzero quadratic residue $q^2$, which satisfy the condition $q^2+r^2=0$, is equal to one for $p=4l+1$ and zero for $p=4l+3$.

Remark 2 states that quadratic non-residues possess a similar symmetry property in ${\mathbb{Z}}_p$, $p=4l+1$: for every quadratic non-residue $\eta$ there is a quadratic non-residue $f$, such that $\eta +f=0$, i.e., $f=p-\eta$.

Corollary 4. 

The number of quadratic residues $\eta$ in ${\mathbb{Z}}_p$ for a fixed quadratic residue $f$ to satisfy the condition $\eta +f=0$ is equal to one for $p=4l+1$ and zero for $p=4l+3$.

Example 2. 

Let $p=4l+1=13$, $w_0^2=12$. Therefore, $w_0=\pm 5=\left\{5;8\right\}$. Thus, the following values of pairs $\left(q;r\right)$ are obtained for $q^2+r^2=0$: $\left(1;\pm 5\right)$, $\left(2;\pm 10\right)$, $\left(3;\pm 2\right)$, $\left(4;\pm 7\right)$, $\left(5;\pm 12\right)$, $\left(6;\pm 4\right)$, $\left(7;\pm 9\right)$, $\left(8;\pm 1\right)$, $\left(9;\pm 6\right)$, $\left(10;\pm 11\right)$, $\left(11;\pm 3\right)$, and $\left(12;\pm 8\right)$.

The number of pairs $\left(q;r\right)$ is equal to $2\left(p-1\right)=24$. The number of distinct pairs $\left(q;r\right)$ up to their permutation will be $p-1=12$: $\left(1;5\right)$, $\left(1;8\right)$, $\left(2;3\right)$, $\left(2;10\right)$, $\left(3;11\right)$, $\left(4;6\right)$, $\left(4;7\right)$, $\left(5;12\right)$, $\left(6;9\right)$, $\left(7;9\right)$, $\left(8;12\right)$, and $\left(10;11\right)$.

The number of distinct pairs $\left(q^2;r^2\right)$ up to their permutation constitutes $\left(p-1\right)/4=3$: $\left(1;12\right)$, $\left(3;10\right)$, and $\left(4;9\right)$.

Case 3. 

If $qrt\ne 0$, the expression $q^2+r^2=t^2$ is equivalent to the expression ${\left(\frac{q}{t}\right)}^2+{\left(\frac{r}{t}\right)}^2=1$. Substitution $x=\frac{q}{t}$, $y=\frac{r}{t}$ results in the following system:

$$\left\{\begin{array}{l}xy\ne 0;\\ x^2+y^2=1.\end{array}\right.$$

(16)

It is widely known ([30], Chapter 8 of §3) that the number $N\left(x^2+y^2=1\right)$ of solutions of the equation $x^2+y^2=1$ over ${\mathbb{Z}}_p$ is expressed in terms of Jacobi sums and is equal to

$$N\left(x^2+y^2=1\right)=\left\{\begin{array}{c}p-1,\hspace{0.17em}\hspace{0.17em}if\hspace{0.17em}\hspace{0.17em}p\equiv 1\left(\mathrm{mod}4\right);\\ p+1,\hspace{0.17em}\hspace{0.17em}if\hspace{0.17em}\hspace{0.17em}p\equiv 3\left(\mathrm{mod}4\right).\end{array}\right.$$

(17)

We are interested in the ‘location’ of solutions of the equation $x^2+y^2=1$ in the multiplicative group ${\mathbb{Z}}_p^{*}$.

To solve system (16), we shall apply a known method for finding Pythagorean triples in ${\mathbb{Z}}_p$, which deploys Riemann stereographic projection [31,32,33].

Consider the “line” $1-y=nx$ and map the parameter $n$ on each pair $\left(x;y\right)$ of $x^2+y^2=1$ solutions over ${\mathbb{Z}}_p$.

If a pair $\left(x_0;y_0\right)$ is the solution to the system (16) then $x_0\ne \pm 1\ne y_0$. There is a unique value of the $n\in {\mathbb{Z}}_p$ parameter, for which the point $\left(x_0;y_0\right)$ lies on the “line” $1-y_0=n{x}_0$ and which constitutes

$$n=\frac{1-y_0}{x_0}.$$

At the same time, the following statement holds for any given value of $n\in Z_p$:

$$\left\{\begin{array}{l}1-y=nx;\\ x^2+y^2=1;\\ xy\ne 0;\end{array}\right.\iff \left\{\begin{array}{l}1-y=nx;\\ x^2=\left(1-y\right)\left(1+y\right);\\ xy\ne 0;\end{array}\right.\iff \left\{\begin{array}{l}1-y=nx;\\ x^2=nx\left(1+y\right);\\ xy\ne 0;\end{array}\right.\iff \left\{\begin{array}{l}1-y=nx;\\ 1+y=\frac{1}{n}x;\\ n\ne 0;\\ xy\ne 0.\end{array}\right.$$

Since $2=x\frac{n^2+1}{n}\ne 0$, then $x=\frac{2n}{n^2+1}$ and $y=\frac{1-n^2}{n^2+1}$, where $n^2+1\ne 0$, $n\ne 0$, $n\ne \pm 1$.

Remark 3. 

The sets ${\mathbb{Z}}_3\backslash \left\{0;\pm 1\right\}=\varnothing$ and ${\mathbb{Z}}_5\backslash \left\{0;\pm 1;n^2+1=0\right\}=\varnothing$.

Therefore, if the pair of numbers $\left(x;y\right)$ is the solution to the system (16), then $p\ge 7$ is always true and there exist $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, $n^2+1\ne 0$, such that $\left\{\begin{array}{l}x=\frac{2n}{n^2+1};\\ y=\frac{1-n^2}{n^2+1}.\end{array}\right.$. By substituting the values $\left(x;y\right)$ into the equation $x^2+y^2=1$, we obtain ${\left(\frac{2n}{n^2+1}\right)}^2+{\left(\frac{1-n^2}{n^2+1}\right)}^2=1$. Multiplying the latter equation by ${\left(\frac{n^2+1}{n}\right)}^2$, we rewrite Equations (15) and (16) in ${\mathbb{Z}}_p$ for $p\ge 7$ as one equation, as follows:

$$2^2+{\left(n-\frac{1}{n}\right)}^2={\left(n+\frac{1}{n}\right)}^2.$$

(18)

Remark 4. 

Let $f$ and $g$ be quadratic residues in ${\mathbb{Z}}_p$. In this case, the Equation (14) $q^2+r^2=t^2$ for $q=2$ takes the following notation: $2^2+f=g$.

Corollary 5. 

Since Equations (14) and (18) are equivalent for $qr\ne 0$ and $n-\frac{1}{n}\ne 0$, equation $2^2+f=g$, where $f\ne 0$ and $g$ denotes quadratic residues in ${\mathbb{Z}}_p$, $p\ge 7$, is only feasible if $f={\left(n-\frac{1}{n}\right)}^2$ and $g={\left(n+\frac{1}{n}\right)}^2$, where $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$.

Next, consider function $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$ for $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, $p\ge 7$. It is evident that in ${\mathbb{Z}}_p$, the roots of this function are represented by solutions to the equation $n^2-1=0$, i.e., $n=\pm 1$, whereas there exist no roots in ${\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$.

Remark 5. 

Function $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$ for $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, $p\ge 7$, acquires each of its values $f\left(n\right)\ne -4$ in ${\mathbb{Z}}_p$ precisely 4 times. The function acquires the value $f\left(n\right)=-4$ in ${\mathbb{Z}}_p$ twice for $p=4l+1$, and never for $p=4l+3$.

Proof of Remark 5. 

Let $f\left(n_0\right)={\left(n_0-\frac{1}{n_0}\right)}^2$. Now, it is necessary to find all $n$, for which $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2=f\left(n_0\right)={\left(n_0-\frac{1}{n_0}\right)}^2$. It follows from the latter expression that ${\left(n-\frac{1}{n}\right)}^2-{\left(n_0-\frac{1}{n_0}\right)}^2=\left(n-n_0+\frac{n-n_0}{n{n}_0}\right)\left(n+n_0-\frac{n+n_0}{n{n}_0}\right)=0$.

The solution to the latter equation is the set $\left[\begin{array}{l}\left(n-n_0\right)\left(1+\frac{1}{n{n}_0}\right)=0;\\ \left(n+n_0\right)\left(1-\frac{1}{n{n}_0}\right)=0\end{array}\right.$ or $\left[\begin{array}{l}n=\pm n_0;\\ n=\pm \frac{1}{n_0}.\end{array}\right.$

Thus, for the arguments $n\in \left\{n_0;-n_0;\frac{1}{n_0};-\frac{1}{n_0}\right\}$, the function $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$ repeats its values: $f\left(n_0\right)=f\left(-n_0\right)=f\left(\frac{1}{n_0}\right)=f\left(-\frac{1}{n_0}\right)$. For the remaining argument values $n\notin \left\{n_0;-n_0;\frac{1}{n_0};-\frac{1}{n_0}\right\}$: $f\left(n\right)\ne f\left(n_0\right)$.

Let us now consider the question of the number of distinct elements of the set $\left\{n;-n;\frac{1}{n};-\frac{1}{n}\right\}$ in ${\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$.

Since $n\ne 0$: $\left[\begin{array}{l}n=-n;\\ n=\frac{1}{n}\end{array}\right.\iff \left[\begin{array}{l}\frac{1}{n}=-\frac{1}{n};\\ -n=-\frac{1}{n}\end{array}\right.\iff n=\pm 1,$ the solution requires to solve the system $\left[\begin{array}{l}n=-\frac{1}{n};\\ -n=\frac{1}{n}\end{array}\right.$ or $n^2=-1$.

The final equation in ${\mathbb{Z}}_p$ has solutions only for $p=4l+1$ [30] (see Case 2 for $\left\{\begin{array}{l}qr\ne 0;\\ t=0\end{array}\right.$). Let the solutions have the notation $\pm n_0$. From the foregoing, it is evident that $f\left(\pm n_0\right)={\left(n_0-\frac{1}{n_0}\right)}^2=\frac{{\left(n_0^2-1\right)}^2}{n_0^2}=\frac{{\left(-1-1\right)}^2}{-1}=-4$. □

Example 3. 

Consider the distribution of function $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$ values for $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, $p=4l+1=13$, and $p=4l+3=11$, by performing a direct calculation of $f\left(n\right)$.

Table 1. Values of $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$ in ${\mathbb{Z}}_{13}$.

n	f(n)	n	f(n)
2	12	7	12
3	10	8	9
4	10	9	10
5	9	10	10
6	12	11	12

and

Table 2. Values of $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$ in ${\mathbb{Z}}_{11}$.

n	f(n)	n	f(n)
2	5	6	5
3	1	7	1
4	1	8	1
5	5	9	5

present the results.

The results provide an illustration for Remark 5:

• The function $f\left(n\right)$ acquires each its value $f\left(n\right)\ne -4$ in ${\mathbb{Z}}_p$ precisely 4 times for $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$;
• The function $f\left(n\right)$ acquires the value $f\left(n\right)=-4$ in ${\mathbb{Z}}_p$ twice for $p=4l+1=13$, and never for $p=4l+3=11$.

Remark 6. 

The number of distinct values of the function $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$ for $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, $p\ge 7$, is equal to the number $l=\left[\frac{p-1}{4}\right]$, where $\left[x\right]$ is the floor function of $x$.

Proof of Remark 6. 

Let $k$ be a number of distinct values of the function $f\left(n\right)\ne -4$ for $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$. Then, by Remark 5, the upper bound estimation for the number of distinct values of the argument of the function $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$, $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, is $\left\{\begin{array}{l}2+4k\le p-3, if p=4l+1;\\ 4k\le p-3, if p=4l+3\end{array}\right.$ or $\left\{\begin{array}{l}k\le l-1, if p=4l+1;\\ k\le l, if p=4l+3.\end{array}\right.$

We shall denote elements from ${\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$ by $\left\{n_{j1},n_{j2},n_{j3},n_{j4}\right\}$, $1\le j\le k$, for which the values are $f\left(n_{j1}\right)=f\left(n_{j2}\right)=f\left(n_{j3}\right)=f\left(n_{j4}\right)=f_j\ne -4$.

Since $k$ is the number of distinct values of $f\left(n\right)\ne -4$ for $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, $\left\{\begin{array}{l}{\displaystyle \underset{j=1}{\overset{k}{\cup }}\left\{n_{j1},n_{j2},n_{j3},n_{j4}\right\}}{\displaystyle \cup \left\{\pm n_0:f\left(\pm n_0\right)=-4\right\}}={\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\} if p=4l+1;\\ {\displaystyle \underset{j=1}{\overset{k}{\cup }}\left\{n_{j1},n_{j2},n_{j3},n_{j4}\right\}}={\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\} if p=4l+3\end{array}\right.$.

It follows that $\left\{\begin{array}{l}k=l-1, if p=4l+1;\\ k=l, if p=4l+3,\end{array}\right.$ and the number of distinct values of the function $f\left(n\right)={\left(n-\frac{1}{n}\right)}^2$, $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$, constitutes $\left\{\begin{array}{l}k+1=l, if p=4l+1;\\ k=l, if p=4l+3,\end{array}\right.$ whereas $l=\left[\frac{p-1}{4}\right]$. □

Corollary 6. 

Out of $\frac{p-1}{2}$ nonzero quadratic residues in ${\mathbb{Z}}_p$, $p\ge 7$, precisely $l=\left[\frac{p-1}{4}\right]$ residues can be presented as ${\left(n-\frac{1}{n}\right)}^2$, $n\in {\mathbb{Z}}_p\backslash \left\{0;\pm 1\right\}$. Note that $\frac{p-1}{2}=\left\{\begin{array}{l}2l, if p=4l+1;\\ 2l+1, if p=4l+3\end{array}\right.$.

Corollary 7. 

Let $f$ alternately take on the values of all nonzero quadratic residues in ${\mathbb{Z}}_p$, $p\ge 7$. Then, the sum $2^2+f=g$ is a nonzero quadratic residue exactly $l-1=\left[\frac{p-1}{4}\right]-1$ times for $p=4l+1$ and $l=\left[\frac{p-1}{4}\right]$ times for $p=4l+3$. The sum $2^2+f=g$ is a quadratic non-residue exactly $l$ times for $p=4l+1$ and $l+1$ times for $p=4l+3$.

To prove Corollary 7, it is sufficient to apply Equation (18) and Corollaries 5 and 6, taking into account that the sum $g$ becomes zero when $g={\left(n+\frac{1}{n}\right)}^2$ or $n^2=-1$. While proving Remark 5, it was shown that $n^2=-1$ has solutions $\pm n_0$ only for $p=4l+1$, and $f\left(\pm n_0\right)={\left(\pm n_0-\frac{1}{\pm n_0}\right)}^2=-4$. Hence, $f=-4$ decreases by 1 times the number of nonzero quadratic residues $f$, which form a nonzero quadratic residue by the sum $2^2+f=g$.

Based on the solved cases for Equation (14), we formulate the theorem.

Theorem 1. 

The following holds true:

Let $h$ be a nonzero quadratic residue in ${\mathbb{Z}}_p$, and let $f$ take on all nonzero quadratic residues in ${\mathbb{Z}}_p$. Then the sum $h+f=g$ is a quadratic residue exactly $l$ times and is a quadratic non-residue $l$ times for a prime $p=4l+1$ and $l+1$ times for a prime $p=4l+3$.

Let $h$ be a quadratic non-residue in ${\mathbb{Z}}_p$, and let $f$ take on all quadratic residues in ${\mathbb{Z}}_p$. Then the sum $h+f=g$ is a quadratic residue exactly $l+1$ times and is a quadratic non-residue $l-1$ times for a prime $p=4l+1$ and $l$ times for a prime $p=4l+3$.

Proof of Theorem 1. 

In clause 1 of the theorem, consider cases $p=3$ and $p=5$ separately.

For $p=3=4·0+3$, the value $l=0$.

For $u\in {\mathbb{Z}}_3=\left\{0;1;2\right\}$, the value $u^2\in \left\{0;1\right\}$. Then $h=f=1$ and $g=1+1=2\ne u^2\in {\mathbb{Z}}_3$

Thus, the value $g=h+f$ acquires the following:

• A quadratic residue—zero times, $0=l$;
• A quadratic non-residue—one time, $1=l+1$.

The value $l=1$ for $p=5=4·1+1$. For $u\in {\mathbb{Z}}_5=\left\{0;1;2;3;4\right\}$, $u^2\in \left\{0;1;4\right\}$.

The value of the sum $g=h+f$ for a fixed $h$ is once a quadratic residue and once a quadratic non-residue, i.e., $1=l$.

Now consider the case of prime $p\ge 7$ in clause 1 of the theorem.

Let $\left\{QR\right\}$, $\left\{QNR\right\}$ be sets of quadratic residues and non-residues in ${\mathbb{Z}}_p$, respectively. We shall operate with the notation of Corollary 7: $f\ne 0$, $f,g\in \left\{QR\right\}$, $2^2+f=g$. For arbitrary $u\in {\mathbb{Z}}_p$, $u\ne 0$, the sets are $u^2·\left\{QR\right\}\equiv \left\{QR\right\}$, $u^2·\left\{QNR\right\}\equiv \left\{QNR\right\}$, while $2^2·\left\{1,2,\dots ,p-1\right\}\equiv \left\{1,2,\dots ,p-1\right\}$. Thus, $\left\{2^2·u^2\right\}\equiv \left\{QR\right\}\backslash 0$. Let residues $f·u^2$ take the values of all nonzero quadratic residues in ${\mathbb{Z}}_p$ for a given quadratic residue $h=2^2·u^2$ in the equality $2^2·u^2+f·u^2=g·u^2$. Therefore, clause 1 of Theorem 1 follows from Corollary 7 and Corollary 3.

In clause 2, we shall first consider cases for $p=3$ and $p=5$.

For $v\ne u^2\in {\mathbb{Z}}_3$ the value $v=2$ and $l=\left[3/4\right]=0$. Consequently, $h=f=2$ and $g=2+2=1^2$.

The value of the sum $g$ acquires the following:

• A quadratic residue—one time, $1=l+1$;
• A quadratic non-residue—zero times, $0=l$.

For $v\ne u^2\in {\mathbb{Z}}_5$, the value $v\in \left\{2;3\right\}$. The values $l=\left[5/4\right]=1$ and $g$ for a fixed $h$ acquire the following:

• A quadratic residue—two times, $2=l+1$;
• A quadratic non-residue—zero times, $0=l-1$.

Next, we consider the case with prime $p\ge 7$ in clause 2.

Now, let $f$ acquire those nonzero values of quadratic residues in ${\mathbb{Z}}_p$, for which the sum $2^2+f=g$ is a quadratic non-residue according to Corollary 7.

For an arbitrary quadratic non-residue $u\in \left\{QNR\right\}\subset {\mathbb{Z}}_p$, the following equality holds: $2^2·u+f·u=g·u\ne 0$.

From the multiplicative property of the Legendre symbol, the sets $u·\left\{QR\right\}=\left\{QNR\right\}$ and $u·\left\{QNR\right\}=\left\{QR\right\}$ (see Corollary 2, Chapter 5, §1 [30]).

Let a fixed quadratic non-residue $h=2^2·u$ be given, and let the quadratic non-residue $f·u$ take all values from the set $\left\{QNR\right\}$.

According to Corollary 7, for a prime $p=4l+1$, the sum $2^2+f$ results in a quadratic non-residue $g$ exactly $l$ times, while for $p=4l+3$, it occurs $l+1$ times. Consequently, the sum $\left(2^2+f\right)·u=h+f·u=g·u$ for a prime $p=4l+1$ yields a quadratic residue $g·u\ne 0$ exactly $l$ times, and for $p=4l+3$, it occurs $l+1$ times. Taking into account Corollary 4 regarding the symmetry property of the distribution of quadratic residues and non-residues in an ordered set of residues modulo a prime $p=4l+1$, we deduce that the value $f·u=p-h$ is also a quadratic non-residue for a given quadratic non-residue $h$. Thus, the following statement holds: the sum $g·u=h+f·u$ of a quadratic non-residue $h$ with all possible quadratic non-residues $f·u$ in ${\mathbb{Z}}_p$ results in a quadratic residue exactly $l+1$ times.

To complete the proof of the second clause of the theorem, recall that for $p=4l+1$ in ${\mathbb{Z}}_p$, there exist $2l$ quadratic non-residues $f$, while for $p=4l+3$, the number of such values $f$ is $2l+1$. As demonstrated above, for a fixed non-residue $h$, the sum $h+f=g$ is a residue exactly $l+1$ times in ${\mathbb{Z}}_p$. Therefore, the sum $h+f=g$ is a quadratic non-residue $2l-\left(l+1\right)=l-1$ times for $p=4l+1$ and $2l+1-\left(l+1\right)=l$ times for $p=4l+3$.

Theorem 1 is proven. □

Theorem 2. 

Let $h$ be a nonzero quadratic residue (non-residue), and $f$ acquires all possible quadratic non-residues (nonzero residues) in ${\mathbb{Z}}_p$. Therefore, the sum $h+f=g$ is

• $l$ times quadratic residue and non-residue for a prime $p=4l+1$;
• $l+1$ times quadratic residue and $l$ times quadratic non-residue for a prime $p=4l+3$.

Proof of Theorem 2. 

First, consider cases where $p=3$ and $p=5$.

For ${\mathbb{Z}}_3$, the value $l=\left[3/4\right]=0$, quadratic residue is $h=1$, and quadratic non-residue is $f=2$. Thus, $g=h+f$ results in a quadratic residue once $1=l+1$, and in a quadratic non-residue zero times, $0=l$.

For ${\mathbb{Z}}_5$, the value $l=\left[5/4\right]=1$, quadratic residues $h\in \left\{1;4\right\}$, and quadratic non-residues $f\in \left\{2;3\right\}$. The value $g$ for a fixed $h$ is a quadratic residue once and a quadratic non-residue once, i.e., $1=l$.

Now we consider a case of prime $p\ge 7$.

Let $h\ne 0$ and $f\in \left\{1;2;\dots ;p-1\right\}$. The possible values of the sum $h+f=g$ form a set $F_h=\left\{0;1;2;\dots ;p-1\right\}\backslash h$.

Let the prime $p=4l+1$.

If $h\ne 0$ is a quadratic residue, $F_h$ has $2l$ quadratic residues and quadratic non-residues.

According to clause 1 of Theorem 1, for quadratic residues $f\ne 0$, the value of $g=h+f$ becomes a quadratic residue exactly $l$ times and a quadratic non-residue $l$ times. In accordance with Corollary 4, $g=h+f\ne 0$ for quadratic non-residues $f$. Therefore, by Dirichlet’s principle, the value of $g$ in the set $F_h$ for $2·l$ quadratic non-residues $f$ becomes a quadratic residue exactly $2·l-l=l$ times and a quadratic non-residue $2·l-l=l$ times.

If $h$ is a quadratic non-residue, then in $F_h$, there exist $2l+1$ quadratic residues and $2l-1$ quadratic non-residues.

According to clause 2 of Theorem 1, for quadratic non-residues $f$, the value $g=h+f$ becomes a quadratic residue exactly $l+1$ times and a quadratic non-residue $l-1$ times. Thus, summing a quadratic non-residue $h$ sequentially with $2·l$ quadratic residues $f\ne 0$, the sum $g=h+f$ will be a quadratic residue $\left(2·l+1\right)-\left(l+1\right)=l$ times and a quadratic non-residue $\left(2·l-1\right)-\left(l-1\right)=l$ times.

Now, consider the case when the prime $p=4l+3$.

If $h\ne 0$ is a quadratic residue, then in $F_h$, there are equal numbers of quadratic residues and non-residues, both being $2l+1$.

According to clause 1 of Theorem 1, the sum $g=h+f$ for quadratic residues $f\ne 0$ becomes a quadratic residue $l$ times and a quadratic non-residue $l+1$ times. Consequently, for $2·l$ quadratic non-residues $f$, the sum $g=h+f$ is a quadratic residue $\left(2·l+1\right)-l=l+1$ times and a quadratic non-residue $\left(2·l+1\right)-\left(l+1\right)=l$ times.

If $h$ is a quadratic non-residue, then in $F_h$, there are exactly $2l+2$ quadratic residues and $2l$ non-residues. According to clause 2 of Theorem 1, the sum for quadratic non-residues $f$ is a quadratic residue $l+1$ times and a quadratic non-residue $l$ times. Consequently, for $2·l+1$ quadratic residues $f\ne 0$, the sum $g=h+f$ becomes a quadratic residue $\left(2·l+2\right)-\left(l+1\right)=l+1$ times and a quadratic non-residue $2·l-l=l$ times.

Thus, Theorem 2 is proven. □

To summarize Theorems 1 and 2,

Table 3. The number of quadratic residues and non-residues for $p=4l+1$.

	{QR}∖0	{QNR}
{qr}∖0	$\left\{QR\right\}:l$$; \left\{QNR\right\}:l$	$\left\{QR\right\}:l$$; \left\{QNR\right\}:l$
{qnr}	$\left\{QR\right\}:l$$; \left\{QNR\right\}:l$	$\left\{QR\right\}:l+1$$; \left\{QNR\right\}:l-1$

and

Table 4. The number of quadratic residues and non-residues for $p=4l+3$.

	{QR}∖0	{QNR}
{qr}∖0	$\left\{QR\right\}:l$$; \left\{QNR\right\}:l+1$	$\left\{QR\right\}:l+1$$; \left\{QNR\right\}:l$
{qnr}	$\left\{QR\right\}:l+1$$; \left\{QNR\right\}:l$	$\left\{QR\right\}:l+1$$; \left\{QNR\right\}:l$

will demonstrate how the numbers of quadratic residues and non-residues are distributed for the sums $\left\{qr\right\}\backslash 0+\left\{QR\right\}\backslash 0$, $\left\{qnr\right\}+\left\{QNR\right\}$, and $\left\{qr\right\}\backslash 0+\left\{QNR\right\}$, when the first term is fixed (it is denoted by lowercase letters), and the second term acquires all possible values from the definition set, for prime $p=4l+1$ and $p=4l+3$.

Table 3 and Table 4 are some analogues of Formula (17). According to the proof of Theorem 1 and 2 using relation (18), a regularity is established for the sum of two nonzero elements from ${\mathbb{Z}}_p$, which can be either quadratic residue or non-residue.

Here, consider examples for $p=4l+1$ and $p=4l+3$.

Example 4. 

Let us construct possible combinations $\left\{QR\right\}\backslash 0+\left\{QR\right\}\backslash 0$, $\left\{QNR\right\}+\left\{QNR\right\}$, and $\left\{QR\right\}\backslash 0+\left\{QNR\right\}$, and determine the frequency with which values of the sets $\left\{QR\right\}$ and $\left\{QNR\right\}$ occur in these sums.

(a) $p=4l+1$.

Let $p=4l+1=4·4+1=17$.

For $p=17$, nonzero quadratic residues are $\left\{1;2;4;8;9;13;15;16\right\}$. Accordingly, quadratic non-residues are $\left\{3;5;6;7;10;11;12;14\right\}$.

The possible sums $\left\{QR\right\}\backslash 0+\left\{QR\right\}\backslash 0$, $\left\{QNR\right\}+\left\{QNR\right\}$, and $\left\{QR\right\}\backslash 0+\left\{QNR\right\}$ will be summarized in

Table 5. The values of $\left\{QR\right\}\backslash 0+\left\{QR\right\}\backslash 0$ in ${\mathbb{Z}}_{17}$.

	{QR}∖0	1	2	4	8	9	13	15	16
{QR}∖0
1		2	3	5	9	10	14	16	0
2		3	4	6	10	11	15	0	1
4		5	6	8	12	13	0	2	3
8		9	10	12	16	0	4	6	7
9		10	11	13	0	1	5	7	8
13		14	15	0	4	5	9	11	12
15		16	0	2	6	7	11	13	14
16		0	1	3	7	8	12	14	15

,

Table 6. The values of $\left\{QNR\right\}+\left\{QNR\right\}$ in ${\mathbb{Z}}_{17}$.

	{QNR}	3	5	6	7	10	11	12	14
{QNR}
3		6	8	9	10	13	14	15	0
5		8	10	11	12	15	16	0	2
6		9	11	12	13	16	0	1	3
7		10	12	13	14	0	1	2	4
10		13	15	16	0	3	4	5	7
11		14	16	0	1	4	5	6	8
12		15	0	1	2	5	6	7	9
14		0	2	3	4	7	8	9	11

and

Table 7. The values of $\left\{QR\right\}\backslash 0+\left\{QNR\right\}$ in ${\mathbb{Z}}_{17}$.

	{QNR}	3	5	6	7	10	11	12	14
{QR}∖0
1		4	6	7	8	11	12	13	15
2		5	7	8	9	12	13	14	16
4		7	9	10	11	14	15	16	1
8		11	13	14	15	1	2	3	5
9		12	14	15	16	2	3	4	6
13		16	1	2	3	6	7	8	10
15		1	3	4	5	8	9	10	12
16		2	4	5	6	9	10	11	13

.

Grey shading in Table 5, Table 6 and Table 7 highlights the cases when the sum is a quadratic residue in ${\mathbb{Z}}_{17}$.

The obtained result corroborates Theorems 1 and 2 as follows:

Each row (column) of Table 5 contains exactly $l=4$ quadratic residues and $l=4$ quadratic non-residues.

Each row (column) of Table 6 contains exactly $l+1=5$ quadratic residues and $l-1=3$ quadratic non-residues.

Each row (column) of Table 7 contains exactly $l=4$ quadratic residues and $l=4$ quadratic non-residues. (b) $p=4l+3$.

Let $p=4l+3=4·4+3=19$.

For $p=19$, nonzero quadratic residues are $\left\{1;4;5;6;7;9;11;16;17\right\}$. Accordingly, quadratic non-residues are $\left\{2;3;8;10;12;13;14;15;18\right\}$.

The possible sums $\left\{QR\right\}\backslash 0+\left\{QR\right\}\backslash 0$, $\left\{QNR\right\}+\left\{QNR\right\}$, and $\left\{QR\right\}\backslash 0+\left\{QNR\right\}$ will be totaled up in

Table 8. The values of $\left\{QR\right\}\backslash 0+\left\{QR\right\}\backslash 0$ in ${\mathbb{Z}}_{19}$.

	{QR}∖0	1	4	5	6	7	9	11	16	17
{QR}∖0
1		2	5	6	7	8	10	12	17	18
4		5	8	9	10	11	13	15	1	2
5		6	9	10	11	12	14	16	2	3
6		7	10	11	12	13	15	17	3	4
7		8	11	12	13	14	16	18	4	5
9		10	13	14	15	16	18	1	6	7
11		12	15	16	17	18	1	3	8	9
16		17	1	2	3	4	6	8	13	14
17		18	2	3	4	5	7	9	14	15

,

Table 9. The values of $\left\{QNR\right\}+\left\{QNR\right\}$ in ${\mathbb{Z}}_{19}$.

	{QNR}	2	3	8	10	12	13	14	15	18
{QNR}
2		4	5	10	12	14	15	16	17	1
3		5	6	11	13	15	16	17	18	2
8		10	11	16	18	1	2	3	4	7
10		12	13	18	1	3	4	5	6	9
12		14	15	1	3	5	6	7	8	11
13		15	16	2	4	6	7	8	9	12
14		16	17	3	5	7	8	9	10	13
15		17	18	4	6	8	9	10	11	14
18		1	2	7	9	11	12	13	14	17

and

Table 10. The values of $\left\{QR\right\}\backslash 0+\left\{QNR\right\}$ in ${\mathbb{Z}}_{19}$.

	{QNR}	2	3	8	10	12	13	14	15	18
{QR}∖0
1		3	4	9	11	13	14	15	16	0
4		6	7	12	14	16	17	18	0	3
5		7	8	13	15	17	18	0	1	4
6		8	9	14	16	18	0	1	2	5
7		9	10	15	17	0	1	2	3	6
9		11	12	17	0	2	3	4	5	8
11		13	14	0	2	4	5	6	7	10
16		18	0	5	7	9	10	11	12	15
17		0	1	6	8	10	11	12	13	16

.

In Table 8, Table 9 and Table 10, cases where the sum is a quadratic residue in ${\mathbb{Z}}_{19}$ are highlighted in grey.

The obtained result also illustrates Theorems 1 and 2:

Each row (column) of Table 8 contains exactly $l=4$ quadratic residues and $l+1=5$ quadratic non-residues.

Each row (column) of Table 9 contains exactly $l+1=5$ quadratic residues and $l=4$ quadratic non-residues.

Each row (column) of Table 10 contains exactly $l+1=5$ quadratic residues and $l=4$ quadratic non-residues.

Remark 7. 

Matrix $A$ acquires maximum order $ord\left(A\right)$ if and only if $\frac{r}{4}$ is a primitive element in ${\mathbb{Z}}_p$.

Proof of Remark 7. 

From relation (4), $ord\left(A\right)$ acquires maximum value if and only if ${\Delta }_a$ is primitive in ${\mathbb{Z}}_p$ with order $p-1$.

Note that ${\Delta }_a={\lambda }_1{\lambda }_2=a\left(a+k\right)-b$. Since $b=\frac{q-k^2}{4}$, we obtain ${\Delta }_a=a\left(a+k\right)-b=\frac{{\left(2a+k\right)}^2-q}{4}$. Considering expression (12) ${\left(2a+k\right)}^2=q+r$, the value ${\Delta }_a=\frac{r}{4}$. □

The previous example proves that Remark 7 is correct.

Remark 8. 

Since the mapping $\frac{\left\{QNR\right\}}{4}$ is a transformation of the set $\left\{QNR\right\}$: $\frac{\left\{QNR\right\}}{4}=\left\{QNR\right\}$, the value of $r$ for the maximum order $ord\left(A\right)$ is computed by multiplying the primitive elements ${\mathbb{Z}}_p$ by 4.

Remark 9. 

The order $ord\left(A\right)$ is determined by the pair of values $\left\{q;r\right\}$ for arbitrary $k\in {\mathbb{Z}}_p$, $b=\frac{q-k^2}{4}$, and $a\in {\mathbb{Z}}_p$: ${\left(2a+k\right)}^2=q+r$.

Proof of Remark 9. 

The characteristic equation of matrix $A=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ has the form ${\lambda }^2-\left(2a+k\right)\lambda +{\Delta }_a=0$. Since, according to (12), ${\left(2a+k\right)}^2=q+r$ and ${\Delta }_a=\frac{r}{4}$, the characteristic equation can be rewritten as ${\lambda }^2-{\left(q+r\right)}^{\frac{1}{2}}\lambda +4^{-1}r=0$. Thus, the eigenvalues ${\lambda }_{1,2}$ of matrix $A$ depend solely on the values of $q$ and $r$.

Given that $ord\left(A\right)$ values determine the eigenvalues ${\lambda }_{1,2}$ of matrix $A$, as well as the value of ${\Delta }_a=\frac{r}{4}$, the selection of $k$ does not affect $ord\left(A\right)$. □

3. Results

The theoretical basis developed in the previous section allows us to create a method for selecting parameters $b$ and $k$ of the matrix field $F_{b,k}$ and a primitive element in it.

We first consider the case where the prime $p$ is a Mersenne number or $3\le \frac{p+1}{2}=\rho$ is a prime number.

3.1. A Special Important Case of the Method for Selecting Parameters $b$ and $k$ of the Matrix Field $F_{b,k}$ and a Primitive Element in It, When $p$ Is a Mersenne Number or $3\le \frac{p+1}{2}=\rho$ Is a Prime

According to Remark 4 in [17], matrix $A=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ with $a\ne -\frac{k}{2}$ will be a primitive element of the matrix field $F_{b,k}$ if and only if its determinant $\det \left(A\right)={\Delta }_a$ is a primitive element in the field ${\mathbb{Z}}_p$.

Therefore, the method for selecting the parameters $b$ and $k$ of the matrix field $F_{b,k}$, as well as a primitive element in it, will include the following five steps:

• Find the primitive root ${\sigma }_0$ in ${\mathbb{Z}}_p$ and select the primitive element $\sigma$ in ${\mathbb{Z}}_p$: $\sigma ={\sigma }_0^i$, $GCF\left(i,p-1\right)=1$; assign the value $r=4\sigma$, i.e., choose ${\Delta }_a=\sigma$;
• For the $2a+k=y\in {\mathbb{Z}}_p^{*}$ value, i.e., $y=1,2,\dots ,p-1$, calculate $q=y^2-4\sigma$;
• Using the law of quadratic reciprocity [30], verify whether the value $q$ is a quadratic non-residue in ${\mathbb{Z}}_p$: according to the definition of the Legendre symbol, verify the equality as follows:

  $$\left(\frac{q}{p}\right)=-1\mathrm{or} \left(\frac{y^2-4\sigma }{p}\right)=-1;$$

  (19)
• For solution $y_0$ of Equation (19), and for an arbitrary value of parameter $k\in {\mathbb{Z}}_p$, compute the parameters as follows:

  $$q_0=y_0^2-4\sigma , b_0=\frac{q_0-k^2}{4}, a_0=\frac{y_0-k}{2};$$

  (20)
• Matrix

  $$A\left(k\right)=\left(\begin{array}{cc}{a}_0& 1\\ b_0& a_0+k\end{array}\right)=\left(\begin{array}{cc}\frac{y_0-k}{2}& 1\\ \frac{y_0^2-k^2-4\sigma }{4}& \frac{y_0+k}{2}\end{array}\right)$$

  is a primitive element $F_{b,k}$ for every $k\in {\mathbb{Z}}_p$.

Recall that the law of quadratic reciprocity has the following formulation in terms of Legendre symbols: $\left(\frac{q}{p}\right)={\left(-1\right)}^{\frac{p-1}{2}·\frac{q-1}{2}}·\left(\frac{p}{q}\right)$ for two distinct odd prime numbers $p$ and $q$. Moreover, $\left(\frac{-1}{p}\right)={\left(-1\right)}^{\frac{p-1}{2}}$ and $\left(\frac{2}{p}\right)={\left(-1\right)}^{\frac{p^2-1}{8}}$.

Remark 10. 

The number $N_q\left(\sigma \right)$ of Equation (19) solutions with respect to $y$ for the given primitive element $\sigma \in {\mathbb{Z}}_p$ is estimated as follows:

$$\left[\frac{p}{4}\right]\le N_q\left(\sigma \right)\le \left[\frac{p}{4}\right]+1.$$

(21)

Proof of Remark 10. 

The primitive element $\sigma \in {\mathbb{Z}}_p$ is obviously a quadratic non-residue, otherwise all elements ${\mathbb{Z}}_p$ would be quadratic residues (see also (10)). Therefore, the value of Legendre symbol is $\left(\frac{-4\sigma }{p}\right)=\left(\frac{-1}{p}\right)·\left(\frac{2^2}{p}\right)·\left(\frac{\sigma }{p}\right)={\left(-1\right)}^{\frac{p-1}{2}}·1·\left(-1\right)={\left(-1\right)}^{\frac{p+1}{2}}$.

Thus, element $-4\sigma$ is a non-residue for $p=4l+1$ and a residue for $p=4l+3$. Hence, by virtue of Theorem 2 and clause 1 of Theorem 1, it follows that

• The sum $\left(-4\sigma +y^2\right)$ of the element $-4\sigma$ as a quadratic non-residue for $p=4l+1$ with all nonzero quadratic residues $y^2$ from ${\mathbb{Z}}_p^{*}$ will be a non-residue exactly $l=\left[p/4\right]$ times;
• The sum $\left(-4\sigma +y^2\right)$ of the element $-4\sigma$ as a quadratic residue for $p=4l+3$ with all nonzero quadratic residues $y^2$ will be a non-residue in ${\mathbb{Z}}_p$ exactly $\left(l+1\right)$ times. □

Algorithm 1 is used for selecting parameters $b$ and $k$ of the field $F_{b,k}$ and the primitive element in it.

Algorithm 1. The algorithm for selecting parameters $b$ and $k$ of the field $F_{b,k}$ and the primitive element in it for prime $p=2^m-1$ or prime $\frac{p+1}{2}\ge 3$.

Set prime $p$: $p=2^m-1$ or $3\le \frac{p+1}{2}=\rho$ is a prime Factorize $p-1$, find the primitive root ${\sigma }_0$ in ${\mathbb{Z}}_p$ $\sigma \leftarrow {\sigma }_0^i$, $GCF\left(i,p-1\right)=1$ $r\leftarrow 4\sigma$ for $y=1$ to $p-1$     $q\leftarrow y^2-4\sigma$     if $\left(\frac{q}{p}\right)=-1$ then       $y_0\leftarrow y$       break     end if end for $q_0\leftarrow y_0^2-4\sigma$ $b_0\leftarrow \frac{q_0-k^2}{4}$ $a_0\leftarrow \frac{y_0-k}{2}$ $A\left(k\right)\leftarrow \left(\begin{array}{cc}\frac{y_0-k}{2}& 1\\ \frac{y_0^2-k^2-4\sigma }{4}& \frac{y_0+k}{2}\end{array}\right)$, $k\in {\mathbb{Z}}_p$

Let us estimate the time complexity of this algorithm.

To do this, we will use well-known estimates of the complexity of operations in a finite field [21,34,35,36].

In addition, the results presented in Table 3 and Table 4 play a significant role for estimating the predicted time for constructing the matrix field and finding the primitive element of this field. They show that by arbitrarily choosing a quadratic residue or non-residue on the interval $\left(0;p\right)$ and adding it to a predetermined residue or non-residue, we obtain a non-residue (residue) with a probability close to 0.5 (for large $p$).

Therefore,

• The complexity of the probabilistic algorithm for calculating the primitive root modulo $p$ for a given factorization of $p-1$ is equal to $O\left({\log }^{2}p\right)$;
• The complexity of factoring a number into prime factors using the fast general number field sieve (GNFS) method [37] is equal to $L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]=O\left(\exp \left(\left(\sqrt[3]{\frac{64}{9}}+o\left(1\right)\right){\left(\log p\right)}^{\frac{1}{3}}{\left(\log \log p\right)}^{\frac{2}{3}}\right)\right)$;
• The complexity of finding the inverse element in ${\mathbb{Z}}_p$ is equal to $O\left(\log p\right)$;
• The complexity of finding the Legendre symbol is equal to $O\left(\log p\right)$;

The predicted time of the algorithm (number of arithmetic operations) in Algorithm 1 is $L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]+O\left({\log }^{2}p\right)+O\left(\log p\right)+O\left(\log p\right)=L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]$.

Example 5. 

Let $p=2^5-1=31$. Thus,

• Let $\sigma =3$ be the smallest primitive root.
• Let $y=1$, hence $q=1-4·3=-11=20$;
• $\left(\frac{q}{p}\right)=\left(\frac{20}{31}\right)=\left(\frac{2^2·5}{31}\right)={\left(\frac{2}{31}\right)}^2·\left(\frac{5}{31}\right)=1·{\left(-1\right)}^{\frac{30}{2}·\frac{4}{2}}·\left(\frac{31}{5}\right)=\left(\frac{1}{5}\right)=1$. We return to Step 2 of the proposed method.
• Let $y=2$, hence $q=2^2-4·3=-8$.
• $\left(\frac{q}{p}\right)=\left(\frac{-2^3}{31}\right)=\left(\frac{-1}{31}\right)·{\left(\frac{2}{31}\right)}^3={\left(-1\right)}^{\frac{30}{2}}·{\left(-1\right)}^{\frac{30·32}{8}}=-1$. Therefore, select $y=2$ as a solution to Equation (19).
• Based on (20), the parameters are calculated as $q_0=-8=23$, $b_0=\frac{23-k^2}{4}$, and $a_0=\frac{2-k}{2}$.
• Matrix $A\left(k\right)=\left(\begin{array}{cc}\frac{2-k}{2}& 1\\ \frac{23-k^2}{4}& \frac{2+k}{2}\end{array}\right)$ is a primitive element of the matrix field $F_{b_0,k}$ for every $k\in {\mathbb{Z}}_{31}$. For example, for $k=12$, value $A\left(12\right)=\left(\begin{array}{cc}26& 1\\ 24& 7\end{array}\right)$ is a primitive element of the matrix field $F_{24,12}$ of order $\left|F_{24,12}\right|=p^2={31}^2$.

Example 6. 

Let $p=61$, and let $3\le \frac{p+1}{2}=31$ be a prime. Thus:

• $\sigma =2$ is the smallest primitive root.
• Let $y=1$, thus $q=1-4·2=-7=54$.
• Calculate $\left(\frac{q}{p}\right)=\left(\frac{54}{61}\right)=\left(\frac{2}{61}\right)·{\left(\frac{3}{61}\right)}^3={\left(-1\right)}^{\frac{60·62}{8}}·{\left(-1\right)}^{\frac{30}{2}·\frac{2}{2}}·\left(\frac{61}{3}\right)=-1·\left(-1\right)·\left(\frac{1}{3}\right)=1$. We return to Step 2 of the method.
• Let $y=2$, thus $q=2^2-4·2=-4$.
• $\left(\frac{q}{p}\right)=\left(\frac{-2^2}{61}\right)=1$. We return to Step 2 of the method.
• Let $y=3$, then $q=3^2-4·2=1$.
• $\left(\frac{q}{p}\right)=\left(\frac{1}{61}\right)=1$. We return to Step 2 of the method.
• Let $y=4$, thus $q=4^2-4·2=8$.
• $\left(\frac{q}{p}\right)=\left(\frac{2^3}{61}\right)=-1$. Hence, select $y=4$ as a solution to Equation (19).
• In accordance with (20), $q_0=8$, $b_0=\frac{8-k^2}{4}$, $a_0=\frac{4-k}{2}$.
• Matrix $A\left(k\right)=\left(\begin{array}{cc}\frac{4-k}{2}& 1\\ \frac{8-k^2}{4}& \frac{4+k}{2}\end{array}\right)$ is a primitive element of the matrix field $F_{b_0,k}$ for every $k\in {\mathbb{Z}}_{61}$. In particular, value $A\left(5\right)=\left(\begin{array}{cc}30& 1\\ 11& 35\end{array}\right)$ is a primitive element for the matrix field $F_{11,5}$ of order $\left|F_{11,5}\right|=p^2={61}^2$.

Definition 3. 

Counting function $N_q$ of non-residues is a number of different values of non-residues $q\in {\mathbb{Z}}_p$ that the function $q=y^2-4\sigma$ takes for different $y\in \left\{\pm 1;\pm 2;\dots ;\pm \frac{p-1}{2}\right\}$ and primitive elements $\sigma \in {\mathbb{Z}}_p$ (see (20)).

Definition 4. 

Frequency $n_q$ of non-residue $q\in {\mathbb{Z}}_p$ as a value of the function $q=y^2-4\sigma$ denotes a number of different values of primitive elements $\sigma \in {\mathbb{Z}}_p$, which result in this non-residue.

Definition 5. 

Multiplicity ${\kappa }_q$ of non-residue $q\in {\mathbb{Z}}_p$ as a value of the function $q=y^2-4\sigma$ denotes a number of different values of $y\in \left\{\pm 1;\pm 2;\dots ;\pm \frac{p-1}{2}\right\}$, which result in this non-residue.

Here we introduce notation $N_{b,k}$ for the number of distinct pairs of parameters $\left(b;k\right)$ selected by the proposed method and set all matrix fields $F_{b,k}$ over ${\mathbb{Z}}_p$. Based on Formula (20), the parameter $b=\left(q-k^2\right)/4$. For a fixed parameter $k$, function $f=q-k^2$ is a bijection with respect to argument $q$. Therefore, according to Definition 3, number $N_{b,k}$ settles the equality $N_{b,k}=N_q·p$, where $N_q\le \left(p-1\right)/2$.

By Remark 10, among the values of function $q=y^2-4\sigma$, for each primitive element $\sigma \in {\mathbb{Z}}_p$, there are at least $l=\left[p/4\right]$ quadratic non-residues. Therefore, from estimate (21) it follows that $N_q\ge N_q\left(\sigma \right)\ge \left[p/4\right]$.

Remark 11. 

If prime $p$ is a Mersenne prime or $3\le \left(p+1\right)/2=\rho$ is a prime, then the cardinality of the family $\left\{F_{b,k}\right\}$ of the finite matrix fields over ${\mathbb{Z}}_p$ constructed by the proposed method, satisfies the following equation:

$$\left[\frac{p}{4}\right]·p\le \left|\left\{F_{b,k}\right\}\right|=N_q·p\le \frac{p-1}{2}·p.$$

(22)

In accordance with (20), parameter $a=\left(y-k\right)/2$. Thus, for non-residue $q$ as a value of the function $q=y^2-4\sigma$, multiplicity ${\kappa }_q$ indicates the number of primitive elements in the matrix field $F_{b,k}$ of form $A\left(k\right)=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$.

By Theorem 5 in [17] (see Equation (3)), there exist exactly $\phi \left(p+1\right)$ matrices $A\left(k\right)$, $k\in {\mathbb{Z}}_p$, that generate primitive elements in the field $F_{b,k}$. Therefore, for multiplicity ${\kappa }_q$, the following inequality holds:

$${\kappa }_q\le \phi \left(p+1\right).$$

(23)

If for a fixed value $y^2\in {\mathbb{Z}}_p$ of the quadratic residue, the values of the function $q=y^2-4\sigma$ coincide for primitive elements ${\sigma }_1$, ${\sigma }_2$ from ${\mathbb{Z}}_p$, then ${\sigma }_1={\sigma }_2$ is true. Thus, the frequency $n_q$ of the non-residue $q\in {\mathbb{Z}}_p$ is equal to the number of distinct quadratic residues $y^2$ that set this $q$ as the function value. Equality $y^2=z^2$ in ${\mathbb{Z}}_p$ holds if and only if $z=\pm y$. Hence, each non-residue $q\in {\mathbb{Z}}_p$ for $y\ne 0$ can be a value of the function $q=y^2-4\sigma$ for a fixed primitive $\sigma \in {\mathbb{Z}}_p$ only for two values of $\pm y\in \left\{\pm 1;\pm 2;\dots ;\pm \left(p-1\right)/2\right\}$. Thus, the following statements are obtained.

Remark 12. 

Multiplicity ${\kappa }_q$ of non-residue $q\in {\mathbb{Z}}_p$ as a value of the function $q=y^2-4\sigma$ equals double the frequency $n_q$, i.e.,

$${\kappa }_q=2n_q.$$

(24)

Corollary 8. 

Multiplicity ${\kappa }_q$ of quadratic non-residue $q\in {\mathbb{Z}}_p$ is equal to the number of distinct pairs $\left(y;\sigma \right)$, for which $q=y^2-4\sigma$.

Corollary 9. 

To calculate the counting function $N_q$ of non-residues $q\in {\mathbb{Z}}_p$ and frequency values $n_q$ (as well as multiplicities ${\kappa }_q$ according to (24)), it is sufficient to explore the set of values of the function $q=y^2-4\sigma$ for $y\in \left\{1;2;\dots ;\frac{p-1}{2}\right\}$, $\sigma \in {\mathbb{Z}}_p$.

Example 7. 

Let the prime number $p=37$. Then $\left(p+1\right)/2=19$ is also a prime number.

To describe the family of finite fields $F_{b,k}$ over ${\mathbb{Z}}_{37}$, we define all possible pairs of parameters $\left(b;k\right)$. We also note all primitive elements $A\left(k\right)$ in matrix fields $F_{b,k}$ of form $\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$.

The smallest primitive root in ${\mathbb{Z}}_{37}$ is ${\sigma }_0=2$, and the number of all primitive elements in the field ${\mathbb{Z}}_{37}$ is $\phi \left(p-1\right)=12$. The set of all primitive elements ${\mathbb{Z}}_{37}$ is $\sum =\left\{2^j:〈j,36〉=1\right\}=\left\{2;32;17;13;15;18;35;5;20;24;22;19\right\}$. Number the elements of set $\sum$ in sequential order: $\sum =\left\{{\sigma }_i:1\le i\le 12\right\}=\left\{2;32;17;13;15;18;35;5;20;24;22;19\right\}$. Then the set of $4{\sigma }_i$ values builds a set $\left\{4{\sigma }_i:1\le i\le 12\right\}=\left\{8;17;31;15;23;35;29;20;6;22;14;2\right\}$.

In Formula (20), element $q_{yi}=y^2-4{\sigma }_i$ must be a non-residue in ${\mathbb{Z}}_{37}$ (to satisfy Equation (19). Squares $y^2$, $1\le y\le 18$, set all the residues in ${\mathbb{Z}}_{37}$.

According to Corollary 9, we will compute $q_{yi}$ values, $1\le y\le 18$, $1\le i\le 12$, and build

Table 11. Values of $q_{yi}$.

	${\mathit{\sigma }}_{\mathit{i}}$	2	32	17	13	15	18	35	5	20	24	22	19
	$\mathbf{4}{\mathit{\sigma }}_{\mathit{i}}$	8	17	31	15	23	35	29	20	6	22	14	2
$\mathit{y}$	${\mathit{y}}^{\mathbf{2}}$
1	1	30	21	7	23	15	3	9	18	32	16	24	36
2	4	33	24	10	26	18	6	12	21	35	19	27	2
3	9	1	29	15	31	23	11	17	26	3	24	32	7
4	16	8	36	22	1	30	18	24	33	10	31	2	14
5	25	17	8	31	10	2	27	33	5	19	3	11	23
6	36	28	19	5	21	13	1	7	16	30	14	22	34
7	12	4	32	18	34	26	14	20	29	6	27	35	10
8	27	19	10	33	12	4	29	35	7	21	5	13	25
9	7	36	27	13	29	21	9	15	24	1	22	30	5
10	26	18	9	32	11	3	28	34	6	20	4	12	24
11	10	2	30	16	32	24	12	18	27	4	25	33	8
12	33	25	16	2	18	10	35	4	13	27	11	19	31
13	21	13	4	27	6	35	23	29	1	15	36	7	19
14	11	3	31	17	33	25	13	19	28	5	26	34	9
15	3	32	23	9	25	17	5	11	20	34	18	26	1
16	34	26	17	3	19	11	36	5	14	28	12	20	32
17	30	22	13	36	15	7	32	1	10	24	8	16	28
18	28	20	11	34	13	5	30	36	8	22	6	14	26

.

Each column for $4{\sigma }_i$ of Table 11 contains a non-residue for values $q_{yi}$ exactly $l=9$ times $\left(p=4·9+1\right)$. This corresponds exactly to Remark 10.

Let us calculate the values of the function $N_q$ and frequency $n_q$ for non-residues $q\in {\mathbb{Z}}_{37}$ as function $q=y^2-4\sigma$ values. As per Corollary 9, we will compile

Table 12. Values of $y$.

${\mathit{\sigma }}_{\mathit{i}}$	2	32	17	13	15	18	35	5	20	24	22	19
$\mathbf{4}{\mathit{\sigma }}_{\mathit{i}}$	8	17	31	15	23	35	29	20	6	22	14	2
$\mathit{q}$													${\mathit{n}}_{\mathit{q}}$
2	11		12		5						4	2	5
5			3		18	15	16	5	14	8		9	8
6				13		2		10	7	18			5
8	4	5						18		17		11	5
13	13	17	9	18	6	14		12			8		8
14						7		16		6	18	4	5
1			3	17	1		9		13				5
17	5	16	14		15		3						5
18	10		7	12	2	4	11	1		15			8
19	8	6		16			14		5	2	12	13	8
20	18						7	15	10		16		5
22	17		4						18	9	6		5
23		15		1	3	13						5	5
24		2			11		4	9	17	3	1	10	8
29		3		9		8	13	7					5
31		14	5	3						4		12	5
32	15	7	10	11		17			1		3	16	8
35					13	12	8		2		7		5

for possible values $y$, $1\le y\le 18$, respective to all quadratic residues $q\in \left\{2;5;6;8;13;14;15;17;18;19;20;22;23;24;29;31;32;35\right\}\subset {\mathbb{Z}}_{37}$ and primitive elements ${\sigma }_i\in \left\{2;32;17;13;15;18;35;5;20;24;22;19\right\}\subset {\mathbb{Z}}_{37}$.

Each of the 13 quadratic non-residues $q\in {\mathbb{Z}}_{37}$ is a solution for system (20), which determines the corresponding parameter $b=\frac{q-k^2}{4}$ value for a given parameter $k\in {\mathbb{Z}}_{37}$. Therefore, $N_q=18$ for $p=37$.

The cardinality of the matrix field family is $\left|\left\{F_{b,k}\right\}\right|=18·37$. This satisfies the equality $\left|\left\{F_{b,k}\right\}\right|=\frac{p-1}{2}·p$, which indicates that the upper bound established in (22) is attainable.

In the matrix field $F_{b,k}$ there exist exactly ${\kappa }_q$ primitive elements of the form $A\left(k\right)=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$. According to estimate (23), the multiplicity ${\kappa }_q\le \phi \left(38\right)=18$. Based on Formula (24) in Example 7, we obtain the following:

• For $q\in \left\{2;6;8;14;15;17;20;22;23;29;31;35\right\}$, there are exactly $2·5=10$ of such matrices;
• For $q\in \left\{5;13;18;19;24;32\right\}$ there are exactly $2·8=16$ of such matrices.

Specifically, for $q=2$, the field $F_{b,k}$ with parameter $b=\frac{2-k^2}{4}$ has 10 primitive elements $A_y\left(k\right)=\left(\begin{array}{cc}\frac{y-k}{2}& 1\\ \frac{2-k^2}{4}& \frac{y+k}{2}\end{array}\right)$, $y\in \left\{\pm 11;\pm 12;\pm 5;\pm 4;\pm 2\right\}$, namely, $A_{11}\left(k\right)=\left(\begin{array}{cc}\frac{\pm 11-k}{2}& 1\\ \frac{2-k^2}{4}& \frac{\pm 11+k}{2}\end{array}\right)$, $A_{12}\left(k\right)=\left(\begin{array}{cc}\frac{\pm 12-k}{2}& 1\\ \frac{2-k^2}{4}& \frac{\pm 12+k}{2}\end{array}\right)$, $A_5\left(k\right)=\left(\begin{array}{cc}\frac{\pm 5-k}{2}& 1\\ \frac{2-k^2}{4}& \frac{\pm 5+k}{2}\end{array}\right)$, $A_4\left(k\right)=\left(\begin{array}{cc}\frac{\pm 4-k}{2}& 1\\ \frac{2-k^2}{4}& \frac{\pm 4+k}{2}\end{array}\right)$, and $A_2\left(k\right)=\left(\begin{array}{cc}\frac{\pm 2-k}{2}& 1\\ \frac{2-k^2}{4}& \frac{\pm 2+k}{2}\end{array}\right)$.

3.2. General Case of the Method for Selecting Parameters $b$ and $k$ of the Matrix Field $F_{b,k}$ and a Primitive Element in It

For a general case, when the prime number $p$ is not a Mersenne number $\left(p\ne 2^m-1\right)$ or $3\le \frac{p+1}{2}=\rho$ is not a prime number, the method for selecting parameters $b$ and $k$ of the matrix field $F_{b,k}$ and a primitive element in it involves the following steps:

• For a given prime $p$, arbitrarily choose quadratic non-residues $q$ and $r$ in ${\mathbb{Z}}_p$, such that $\frac{r}{4}$ is a primitive element in ${\mathbb{Z}}_p$, and $q+r\in \left\{QR\right\}\backslash 0$;
• Arbitrarily select a value for $k\in {\mathbb{Z}}_p$;
• Compute $b=\frac{q-k^2}{4}\in {\mathbb{Z}}_p$;
• Find the value of $a\in {\mathbb{Z}}_p$ from the expression ${\left(2a+k\right)}^2=q+r$;
• Check $period\left(A\right)=p+1$.

We should note that the proposed method does not guarantee achieving the maximum order of the cyclic subgroup generated by matrix $A$, but it significantly reduces the search space for the matrix parameters.

To check the condition $period\left(A\right)=p+1$, it is necessary to factor the number $p+1$ and for $a=0,1,\dots ,p-1$, to check the inequality $A^{\frac{p+1}{n}}\left(a\right)\ne s·E$ for all prime divisors of $p+1$, where $s\in {\mathbb{Z}}_p$, $E$ is the identity matrix (see statement 1 of [17]).

For this case, Algorithm 2 is used for selecting parameters $b$ and $k$ of the field $F_{b,k}$ and searching for a primitive element in it.

Algorithm 2. The algorithm for selecting parameters $b$ and $k$ of the field $F_{b,k}$ and searching for a primitive element in it for arbitrary prime $p$.

Set prime $p$, $k\in {\mathbb{Z}}_p$ Factorize $p-1$, find $\frac{r}{4}$ as a primitive root in ${\mathbb{Z}}_p$, find quadratic non-residue $q$ in ${\mathbb{Z}}_p$: $q+r$ is a non-zero quadratic residue in ${\mathbb{Z}}_p$ $b\leftarrow \frac{q-k^2}{4}$ Find $a\in {\mathbb{Z}}_p$: ${\left(2a+k\right)}^2=q+r$ Factorize $p+1$ for $a=0$ to $p-1$     $check\leftarrow success$     for $n\in \left\{\left(p+1\right) deviders\right\}$       if $A^{\frac{p+1}{n}}\left(a\right)=s·E$ then         $check\leftarrow fail$       end if     end for     if $check=success$ then       $A\leftarrow \left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$       break     end if end for

Using the above estimates of the complexity of field operations, the predicted time of the algorithm in Algorithm 2 is $L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]+O\left({\log }^{2}p\right)+O\left(\log p\right)+O\left(\log p\right)+O\left(\log p\right)=L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]$.

Example 8. 

Let us first assume $p=4l+1$.

Let $p=17$.

For $p=17$, nonzero quadratic residues are $\left\{QR\right\}\backslash 0=\left\{1;2;4;8;9;13;15;16\right\}$. Consequently, quadratic non-residues are $\left\{QNR\right\}=\left\{3;5;6;7;10;11;12;14\right\}$.

Thus $q\in \left\{3;5;6;7;10;11;12;14\right\}$.

Primitive elements in ${\mathbb{Z}}_{17}$ from $\left\{QNR\right\}$ are $\left\{3;5;6;7;10;11;12;14\right\}$. Thus $r\in \left\{3;5;6;7;10;11;12;14\right\}$.

Table 13. The number of matrix $A$ parameter sets to achieve maximum order $ord\left(A\right)={17}^2-1$.

	r	3	5	6	7	10	11	12	14
q
3		-	0	34	-	34	-	34	-
5		34	-	-	-	34	34	-	0
6		34	-	-	34	0	-	34	-
7		-	-	0	-	-	34	34	34
10		34	34	34	-	-	0	-	-
11		-	34	-	0	34	-	-	34
12		0	-	34	34	-	-	-	34
14		-	34	-	34	-	34	0	-

provides information on the number of matrix $A$ parameter sets: $q,r\in \left\{3;5;6;7;10;11;12;14\right\}$, $k\in {\mathbb{Z}}_{17}$, and $a\in {\mathbb{Z}}_{17}:{\left(2a+k\right)}^2=q+r$ to achieve maximum order $ord\left(A\right)=p^2-1$. The data are grouped for pairs $\left(q;r\right)$, and cases $q+r\in \left\{QR\right\}\backslash 0$ are highlighted in grey.

The presence of zeros in Table 13 for certain pairs $\left(q;r\right)$ indicates that, for these parameter combinations, the matrix $A$ cannot serve as a generator of a multiplicative cyclic group of maximal order $p^2-1$. This is due to the fact that the developed method accounts for the basic case (11) ${\Delta }_a=a\left(a+k\right)-b\ne t^2\in {\mathbb{Z}}_p$, but does not encompass the general condition (see Equation (10)).

It should be noted that, according to Fermat’s theorem [27], $t^{p-1}\in \left\{0;1\right\}$, while $GCF\left(p-2,p-1\right)=GCF\left(p-2,1\right)=1$. Therefore, for $p\ge 5$ Equation (10) is rewritten as ${\Delta }_a\ne t^j\in {\mathbb{Z}}_p$, $2\le j\le p-3$, $GCF\left(j,p-1\right)\ne 1$.

For example, for $q=7$, $r=6$, and $k=0$, the value ${\Delta }_a=a\left(a+k\right)-b=4\left(4+0\right)-6=10$. On the other hand, $10\equiv 3^3\left(\mathrm{mod}17\right)$, whence $A^{\frac{18}{3}}=3·E$ and $A^{18}={\left(A^6\right)}^3=10·E$.

This example confirms the necessity but not the sufficiency of condition (11) for achieving the maximal order of matrix $A$. At the same time, as noted above, the proposed method significantly narrows the search space for matrix parameters compared to an exhaustive search.

The cardinality of the set of possible parameter values of matrix $A=\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ in ${\mathbb{Z}}_{17}$ amounts to 32 pairs $\left(q;r\right)$, whereas a complete brute-force search over parameters $a,b,k\in {\mathbb{Z}}_{17}$ would require analyzing ${17}^3=4913$ combinations. The probability of selecting the desired matrix $A$ in ${\mathbb{Z}}_{17}$ using the proposed method is $\frac{24}{32}=0.75$ as opposed to $\frac{816}{4913}\approx 0.166$ in the case of a full enumeration.

Here we consider examples where $p=4l+3$.

Let $p=11$.

Nonzero quadratic residues are $\left\{1;3;4;5;9\right\}$. Therefore, quadratic non-residues are $\left\{2;6;7;8;10\right\}$.

Thus $q\in \left\{2;6;7;8;10\right\}$.

Primitive elements in ${\mathbb{Z}}_{11}$ from $\left\{QNR\right\}$ are $\left\{2;6;7;8\right\}$. Thus, $r\in \left\{2;6;8;10\right\}$.

Table 14. The number of matrix $A$ parameter sets to achieve maximum order $ord\left(A\right)={11}^2-1$.

	r	2	6	8	10
q
2		22	-	-	22
6		-	22	22	0
7		22	-	0	-
8		-	0	22	-
10		0	22	-	22

presents information on the number of matrix $A$ parameter sets: $q\in \left\{2;6;7;8;10\right\}$, $r\in \left\{2;6;8;10\right\}$, $k\in {\mathbb{Z}}_{11}$, and $a\in {\mathbb{Z}}_{11}:{\left(2a+k\right)}^2=q+r$ to achieve maximum order $ord\left(A\right)={11}^2-1$. The data are grouped for pairs $\left(q;r\right)$, and cases $q+r\in \left\{QR\right\}\backslash 0$ are highlighted in grey.

The cardinality of the set of possible matrix $A$ parameters values in ${\mathbb{Z}}_{11}$ amounts to 12 pairs $\left(q;r\right)$, whereas a complete brute-force search over parameters $a,b,k\in {\mathbb{Z}}_{11}$ would require analyzing ${11}^3=1331$ combinations. The probability of selecting the desired matrix $A$ in ${\mathbb{Z}}_{11}$ using the proposed method is $8/12\approx 0.667$ as opposed to $176/1331\approx 0.132$ in the case of a full enumeration.

Now let $p=19$.

Nonzero quadratic residues are $\left\{1;4;5;6;7;9;11;16;17\right\}$. Therefore, quadratic non-residues are $\left\{2;3;8;10;12;13;14;15;18\right\}$.

Thus $q\in \left\{2;3;8;10;12;13;14;15;18\right\}$.

Primitive elements in ${\mathbb{Z}}_{19}$ from $\left\{QNR\right\}$ are $\left\{2;3;10;13;14;15\right\}$. Hence, $r\in \left\{2;3;8;12;14;18\right\}$.

Table 15. The number of matrix $A$ parameter sets to achieve maximum order $ord\left(A\right)={19}^2-1$.

	r	2	3	8	12	14	18
q
2		38	38	-	-	38	38
3		38	38	38	-	38	-
8		-	0	38	38	-	38
10		-	-	-	-	38	0
12		-	-	38	38	0	38
13		-	38	-	0	-	-
14		38	38	-	38	38	-
15		38	-	0	-	-	-
18		0	-	38	38	-	38

summarizes information on the number of matrix $A$ parameter sets: $q\in \left\{2;3;8;10;12;13;14;15;18\right\}$, $r\in \left\{2;3;8;12;14;18\right\}$, $k\in {\mathbb{Z}}_{19}$, and $a\in {\mathbb{Z}}_{19}:{\left(2a+k\right)}^2=q+r$ to achieve maximum order $ord\left(A\right)={19}^2-1$. The data are grouped for pairs $\left(q;r\right)$, and cases $q+r\in \left\{QR\right\}\backslash 0$ are highlighted in grey.

The cardinality of the set of possible values for the matrix $A$ parameters in ${\mathbb{Z}}_{19}$ is 30 $\left(q;r\right)$ pairs, whereas an exhaustive search for parameters $a,b,k\in {\mathbb{Z}}_{19}$ would require analyzing ${19}^3=6859$ combinations. The probability of selecting the desired matrix $A$ using the proposed method is $24/30=0.8$ as compared to $912/6859\approx 0.133$ for complete enumeration.

Remark 13. 

The algorithm for selecting the parameters of the field $F_{b,k}$ and searching for a primitive element in it, considered in Section 3.2, does not guarantee achieving the maximum order of the cyclic subgroup generated by the matrix $A$ as a special case of a primitive element of the form $t·A=t·\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ for $t=1$. At the same time, all $\phi \left(p^2-1\right)$ primitive elements of the field $F_{b,k}$ over ${\mathbb{Z}}_p$ for its given parameters are determined by expression (3). Taking into account the above algorithms, the method for selecting parameters $b$ and $k$ of the field $F_{b,k}$ from (2) for an arbitrary $t$, as well as selecting a primitive element in it, is as follows:

• For a given prime $p$, arbitrarily choose a quadratic non-residual $q$ in ${\mathbb{Z}}_p$;
• Arbitrarily choose $k\in {\mathbb{Z}}_p$;
• Calculate $b=\frac{q-k^2}{4}\in {\mathbb{Z}}_p$;
• Find $a\in {\mathbb{Z}}_p$: $period\left(A\left(a\right)\right)=p+1$;
• Find $t\in {\mathbb{Z}}_p\backslash 0$: $t^2\frac{r}{4}$ is a primitive element in ${\mathbb{Z}}_p$;
• Matrix $t·A=t·\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$ is a primitive element in $F_{b,k}$ (see Theorem 4 from [17]).

Note that to find $t$ in point 5 of the presented method, the following procedure must be performed. Since the determinant $\det \left(A\right)=\frac{r}{4}$ is a quadratic non-residue (see (2)), the values of $\det \left(tA\right)=t^2\frac{r}{4}$ form the entire set of non-residues in ${\mathbb{Z}}_p$ for $t=1,2,\dots ,p-1$. Therefore, in order to $t^2\frac{r}{4}$ be a primitive element in ${\mathbb{Z}}_p$, it is necessary to factorize $p-1$ and for successive values $t=1,2,\dots ,p-1$, check the inequalities ${\left(t^2\frac{r}{4}\right)}^{\frac{p-1}{m}}\ne 1\left(\mathrm{mod}p\right)$ for all prime divisors of $p-1$, until a primitive element $t^2\frac{r}{4}$ in ${\mathbb{Z}}_p$ is determined.

In this case, the algorithm for selecting parameters $b$ and $k$ of the field $F_{b,k}$ and the primitive element in it has form of the Algorithm 3.

Algorithm 3. The algorithm for selecting parameters $b$ and $k$ of the field $F_{b,k}$ and a primitive element in it for arbitrary $t$.

Set prime $p$, $k\in {\mathbb{Z}}_p$ Find quadratic non-residue $q$ in ${\mathbb{Z}}_p$ $b\leftarrow \frac{q-k^2}{4}$ Factorize $p+1$ for $a=0$ to $p-1$     $check\leftarrow success$     for $n\in \left\{\left(p+1\right) deviders\right\}$       if $A^{\frac{p+1}{n}}\left(a\right)=s·E$ then         $check\leftarrow fail$       end if     end for     if $check=success$ then       break     end if end for Factorize $p-1$ for $t=1$ to $p-1$     $check\leftarrow success$     for $m\in \left\{\left(p-1\right) deviders\right\}$       if ${\left(t^2\frac{r}{4}\right)}^{\frac{p-1}{m}}=1\left(\mathrm{mod}p\right)$ then         $check\leftarrow fail$       end if     end for     if $check=success$ then       break     end if end for $A\leftarrow t·\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$

The predicted time of Algorithm 3 for large $p$ is determined by the factorization time of numbers $p+1$ and $p-1$ and is equal to $O\left(\log p\right)+O\left(\log p\right)+L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]+O\left({\log }^{2}p\right)+L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]+O\left({\log }^{2}p\right)=L_p\left[\frac{1}{3},\sqrt[3]{\frac{64}{9}}\right]$.

4. Discussion

The findings of this study confirm the efficiency of the proposed method for selecting the parameters of finite matrix fields of order 2. The main advantage of this approach lies in the simultaneous determination of both the field parameters and its primitive elements. This method significantly simplifies the process for constructing cryptographically reliable systems based on finite fields.

The fundamental differences between the results of this study and those presented in the study [17] are as follows:

• The approach to $F_{b,k}$ construction outlined in [17] was developed for scenarios with known parameters $b$ and $k$ when $D=k^2+4b\ne u^2\in {\mathbb{Z}}_p$. In contrast, this study considers the case when $b$ and $k$ are not predefined.
• The method described in [17] enables the identification of primitive elements of the form $t_{ji}·A_j$. On the other hand, the approach proposed in this study eliminates the need for selecting specific coefficients $t_{ji}\in {\mathbb{Z}}_p$ and allows for the direct specification of primitive elements in the form $A\left(k\right)$, where $t=1$. However, given that the algorithm does not guarantee achieving the maximum order of the cyclic subgroup generated by the matrix $A$ for $t=1$ and arbitrary $p$, Remark 13 extends the obtained approaches to the case of arbitrary $p$ and $t$.
• This study simultaneously determines both the parameters of the finite matrix field family and the set of its primitive elements as a function of a single parameter $k$.

In contrast to the findings described in the earlier study [17], which proposed to first determine the $F_{b,k}$ parameters and then to initiate a separate procedure to search for its primitive elements, the method proposed in this study eliminates this additional step. The present approach reduces computational overhead and enhances the efficiency of cryptographic algorithms. In particular, the process of identifying primitive elements has been simplified by utilizing the Legendre symbol instead of solving quadratic equations in the field. Consequently, the proposed method demonstrates high efficiency even for large values of the parameters $b$ and $k$, which is crucial for modern cryptographic protocols where large field sizes are essential for attack resistance.

The increase in the complexity of discrete logarithms for cyclic groups in ${\mathbb{Z}}_p$ and $F_{b,k}$ is due to the following. In ${\mathbb{Z}}_p$, some of the fastest discrete logarithm algorithms are the COS algorithm [22] and the number field sieve algorithm [38]. The complexity of the COS algorithm is $L_p\left[\frac{1}{2},1\right]$, and the complexity of the number field sieve algorithm is $L_p\left[\frac{1}{3},1.902\right]$. The cyclic group of the field $F_{b,k}$ from (2) is a special group of matrices and has order $p^2-1$. In this case, we can use well-known algorithms for an arbitrary finite field to estimate the complexity of discrete logarithm algorithms. In particular, for $F_{b,k}$, the index calculus algorithm [39] and El Gamal algorithm [23] have complexity $L_p\left[\frac{1}{2},c\right]$. However, the index calculus algorithm is efficient if $p$ is small, and the El Gamal algorithm is applicable to $GF\left(p^2\right)$ and can be used in this research, but not for fields of higher-order matrices $GF\left(q\right)$, where $q=p^m$, $m>2$. Then the complexity of the discrete logarithm algorithm can be estimated only as $O\left(\sqrt{q}\right)$ [40].

Considering the above, the logical continuation of the presented research is the creation of matrix fields of higher orders, in particular $3\times 3$ and higher. At the same time, the results obtained in this work are of extreme importance, since they are basic and key for future research. The principles for constructing $2\times 2$ matrix fields are the basis for constructing other fields.

Another important finding was the analysis of the number of possible parameter values that satisfy the condition of the cyclic subgroup’s maximum order. The obtained analytical estimates indicate that the family of such fields is sufficiently large, ensuring a broad selection of parameters for designing cryptographic systems with diverse characteristics.

It should be noted that modern communication technologies, including those applied in lightweight cryptography [41], have developed various alternative approaches to information representation. Specifically, such representations include arrays, vectors, trees, elliptic curve points [42,43], and permutations [44,45,46]. This diversity necessitates harmonizing data structures to facilitate integration of different methods within a unified system for information processing and transmission.

When utilizing a matrix field of the form $t·\left(\begin{array}{cc}a& 1\\ b& a+k\end{array}\right)$, a bijective transformation of a field element into a permutation can be performed as follows. The notation (2) for the matrix field $F_{b,k}$ is equivalent to the following notation:

$$F_{b,k}=\left\{\left(\begin{array}{cc}{x}_1& x_2\\ b{x}_2& x_1+k{x}_2\end{array}\right),\begin{array}{c}{x}_1,x_2,a,b,k\in {\mathbb{Z}}_p,\\ D=k^2+4b\ne u^2\in {\mathbb{Z}}_p\end{array}\right\}.$$

(25)

Thus, if $x_2\ne 0$, we obtain $\left(\begin{array}{cc}{x}_1& x_2\\ b{x}_2& x_1+k{x}_2\end{array}\right)=x_2\left(\begin{array}{cc}{x}_1/x_2& 1\\ b& x_1/x_2+k\end{array}\right)$. If $x_2=0$, we obtain $\left(\begin{array}{cc}{x}_1& x_2\\ b{x}_2& x_1+k{x}_2\end{array}\right)=\left(\begin{array}{cc}{x}_1& 0\\ 0& x_1\end{array}\right)=x_1·\left(\begin{array}{cc}1& 0\\ 0& 1\end{array}\right)$.

Therefore, any matrix $\left(\begin{array}{cc}{x}_1& x_2\\ b{x}_2& x_1+k{x}_2\end{array}\right)$ in the field $F_{b,k}$ can be defined by the elements $x_1,x_2\in {\mathbb{Z}}_p$ in its upper row. In turn, a pair of numbers $\left\{x_1;x_2\right\}$ can form a $p$-adic number $x_2·p+x_1$. This number can be easily transformed into a permutation by converting it into a factorial number. Consequently, it is possible to establish a bijection between the elements of the $F_{b,k}$, represented in the notation (25), and permutations of the factorial code.

A separate issue is the estimation of the computational complexity of breaking the proposed scheme and its comparison with the estimates of existing methods. This will be the subject of a separate subsequent work.

5. Conclusions

This study has presented an efficient method for selecting parameters that ensure a commutative ring of $2\times 2$ square matrices form a field over a given ${\mathbb{Z}}_p$. This method eliminates the need to separately search for a primitive element in a matrix field of order $p^2$. Additionally, the procedure for solving a quadratic equation in the given field ${\mathbb{Z}}_p$ has been replaced with a significantly faster computation using the Legendre symbol.

For an arbitrary prime $p$, the proposed method substantially narrows the search space for both the parameters of matrix fields $F_{b,k}$ and their primitive elements.

A particularly important case has been examined, involving prime numbers $p$ that are either Mersenne primes, or $3\le \frac{p+1}{2}=\rho$ is also a prime number. It has been demonstrated that such $p$ values are particularly suitable for constructing matrix fields $F_{b,k}$, while the cardinality of the family of finite matrix fields under these conditions is no less than a given threshold $\left[\frac{p}{4}\right]·p$.

To develop this parameter selection method for finite fields of $2\times 2$ square matrices and to construct primitive elements, the properties of the sum of quadratic residues and non-residues in ${\mathbb{Z}}_p$ were thoroughly investigated. This aspect is crucial for ensuring the required statistical properties of the field.

The proposed approach to constructing a family of finite fields of $2\times 2$ square matrices over ${\mathbb{Z}}_p$, along with their primitive elements, is universal and can be applied in various cryptographic protocols, including key agreement schemes and secure encryption algorithms. One example of this universality is the ability to establish a bijection between elements of the matrix field $F_{b,k}$ and permutations in factorial coding.

The obtained results have laid a foundation for further research aimed at optimizing cryptographic algorithms and developing new methods for constructing finite fields with predefined properties.