Math 312: Introduction to Number Theory Lecture Notes. Lior Silberman

Transcription

1 Math 31: Introduction to Number Theory Lecture Notes Lior Silberman

2 These are rough notes for the summer 018 course. Problem sets were osted on the course website; solutions on an internal website.

3 Contents Introduction Cold oen Administrivia More on roblems of number theory Course lan subject to revision 7 Chater 1. The Integers The axioms; the well-ordering rincile; induction Divisibility and the GCD Primes 14 Chater. Congruences Arithmetic in congruences 18.. Linear Congruences The multilicative grou Primality testing 19 Chater 3. Arithmetic functions Dirichlet convolution Mersenne rimes and erfect numbers 1 Chater 4. Crytology Introduction Character and block cihers Asymmetric encrytion: RSA 4 Chater 5. Primitive roots Primitive roots Primitive roots mod Primitive roots mod, k Discrete Log and ElGamal 6 Chater 6. Quadratic recirocity Quadratic residues Quadratic recirocity The Jacobi Symbol 30 Chater 7. Secial toics The Gaussian integers Ellitic curves 33 3

4 Bibliograhy 33 Bibliograhy 34 4

5 Introduction Lior Silberman, htt:// Office: Math Building 9B Phone: Cold oen Theory of numbers, mainly meaning whole numbers, that is the integers. Crytograhy. Do you use the internet? Can use number theory to establish identity The erson who knows the factorization N = q Key 1: There are arithmetic roblems that only the erson who knows the factorization can solve. Key : I can rove to you that I know to factor N without revealing this number. How do you know that htts:// is really controlled by your bank? Roughly seaking: The manufacturer of your browser equis it with a list of 30 numbers and told to trust those eole who know how to factor them. Those eole are called certificate authorities. For simlicity assume there was only one CA, with its number N CA built into the browser. Your bank creates a number N bank for itself. It goes to the CA and gets a digital certificate, which says: the eole who know how to factor N CA say that the server at htts:// knows how to factor the number N bank. Moreover, the certificate includes a number calculated using the details in it and also CA,q CA so it cannot be forged. When you access htts:// the website rovides your browser with the certificate. Your comuter can verify the signature using the number N CA that it knows. If this is ok it then challenges the machine on the other side to rove that it can really factor the number N bank secified in the certificate. If that works too the browser is hay. I m Lying a little here When you tye your assword on htts:// ca, what your browser sends is not simly the characters you tye that would be bad if there were eavesdroers. What it sends instead is the result of a calculation involving the number N bank. The calculation is done in such a way that the bank can check that you tyed the correct assword using its secret knowledge bank, q bank whereas the eavesdroer who only knows N bank can t learn what the assword was. 5

6 There are ractical roblems with this scheme, but we won t discuss internet security. What we will discuss is the number theory that makes secure websites ossible. Summary for those reading the notes: Underlying fact of life: arithmetic is easy but solving equations is hard. There is a method for me to convince others that I know,q without revealing them. This allows me to rove my identity I m the erson who knows to factor N. But revents forgery The method extends to verifiable signatures This was written by the erson who knows how to factor N. No-one can forge my signature, but they can check I m the erson who signed signing requires knowing, q but checking only requires knowing N. The method extends to secure communication: you can take a message m and send me Fm,N. Knowing,q solving Fm,N = C is actually easy. But it is believed imossible to solve the equation knowing only N. We will discuss how to do all these things signature rotocol, secure communications rotocol. Other examles Software roduct activation key verification. Syllabus distributed. Other key oints: 0.. Administrivia Webwork will be osted in the roer lace. Problem sets will be osted on the course website. Solutions will be osted on a secure system exlanation will be sent. Deending on time, the grader may only mark selected roblems. Solutions will be comlete. Absolutely essential to Read ahead according to the osted schedule. Lectures after the first will assume that you had done your reading. Do homework. Office hours on Wednesdays and Thursdays after class. Also by aointment. Course website is imortant. Contains notes, roblem sets, announcements, reading assignments etc. Some arithmetic More on roblems of number theory It is now 10am. What hour will it be 5 hours from now? Today is Tuesday, May 15th. What day was it 4 days ago? What day of the week did 15/5/017 fall on? Hint: 365 = What about July 1st, 1867? [don t wait for answer] Proerties of individual numbers. Can we find integers a,b so that a b =? 6

7 We want to at least find integers a,b so that a b is close to. How well can we do this without taking b too large? Consider the decimal exansion of π or e, or your favourite number. Do all the digits 0,1,...,9 aear 10 1 th of the time? What about all sequences 00,01,...,99? We already saw that rimes are useful. We need to make rimes. How many rimes are there? Are they easy to find? Secifically: how does one tell if a given number n is rime? Main focus: finding integer solutions to equations. All integer solutions to x + y = z known to the Greeks lots! Only obvious integer solutions to x 4 + y 4 = z 4 Fermat Only obvious solutions to x 3 + y 3 = z 3 Euler... Only obvious solutions to x n + y n = z n, n 3 Ribet, Wiles Other equations to solve: xy = N factorization. Very imortant we will discuss this. y = x + d, z = x + d, w = x + 3d arithmetic rogression Szemeredi: if A {1,...,N} is large enough then for some d 0, A it contains x,y,z,w solving the above equation. Green, Green-Tao: can take A to be the set of rimes, or even a dense subset of the rimes. 1 = twin rimes 1 + = N Goldbach Conjecture Counting solutions to equations #{1 x rime} logx x Hadamard, de la Vallée-Poussin 1896 following Riemann 1859 #{1 x rime} x C xlogx 100 Riemann hyothesis Much more. Not for today. logx 0.4. Course lan subject to revision The integers Definition: induction and the well-ordering rincile; Multilication: divisibility and the GCD, rimes and unique factorization. Congruences [major oint of the course] Algebra: rimitive roots The multilicative grou Primality testing Discrete log crytosystems Alication: ublic-key crytograhy, RSA Multilicative functions Quadratic recirocity 7

8 References. Any book with the title Elementary Number Theory or Introduction to Number Theory will cover the material. I will generally follow the textbook Elementary Number Theory and its alications by K. Rosen. 8

9 CHAPTER 1 The Integers 1.1. The axioms; the well-ordering rincile; induction We record here the usual roerties of the integers. DEFINITION 1. The integers are the sextule Z, +,, 0, 1, < satisfying: +: Z Z Z addition and : Z Z multilication are binary oerations; 0,1 Z are elements zero, one and < is a binary relation less than. Addition is commutative and associative; a + 0 = a and for all a Z there is a Z so that a + a = 0. Multilication is commutative and associative; a 1 = a. The relation < is transitive, and for all a,b Z exactly one of a < b, a = b, b > a holds. For a,b > 0 we have a + b,a b > 0. Well-ordering roerty: every non-emty subset A N = Z 0 has a least element. Note that we interchangeably write N or Z 0 for the set of natural numbers, those being the non-negative integers 0 is a natural number for us. Some books also uses the notation Z + for the set Z >0 = Z 1 of ositive integers. The most imortant roerty is the last one. We illustrate it with several calculations. We first justify the last equality: LEMMA. Discreteness There is no integer b satisfying 0 < b < 1. PROOF. Let A = {n Z 0 < n < 1} Z 0. Assume by contradiction that A is non-emty and let a be its minimal element. Then 0 < a < 1. Multilying both sides by a we find that 0 < a < a < 1. But then a is an integer satisfying 0 < a < 1 so a A and a < a, a contradiction to a being the smallest member of A. COROLLARY 3. For any integer n there is no integer a satisfying n < a < n + 1. PROOF. If a existed set b = a n. Then 0 < b < 1. THEOREM 4. Princiles of induction 1 Weak induction Let P N. Assume that 0 P and that for any number n, n P n + 1 P. Then P = N. Strong induction Let P N. Assume that for any n N, {a N a < n} P n P. Then P = N. PROOF. 1 Assume by contradiction that P N. Then the set A = N \ P of counterexamles is non-emty. Let m be its minimal element. Then m 0 0 P so m 1 and m 1 N. Since m was minimal, m 1 / A so m 1 P. But then m = m P, a contradiction. Let Q be the set of n N such that {a N a < n} P. Then 0 Q the set of natural numbers smaller than zero is emty. Also, if n N then {a N a < n} P so n P. But then 9

10 {a N a < n + 1} = {a N a < n} {n} P so n+1 Q. By art 1 it follows that Q = N. Now for any n Nwe have that n + 1 Q and so that n P. DEFINITION 5. Call an integer n even if it is of the form n = k for some k Z. Call it odd otherwise. THEOREM 6. Division by Among every two consecutive natural numbers at least one is even. PROOF USING WELL-ORDERING. Let A be the set of n 0 such that n,n + 1 are both odd, and let m be a minimal member of A. Then both m,m + 1 are odd so m > 0 zero is even! and m 1 0. Since m is minimal, m 1 / A, one of m 1,m is even. m is odd so m 1 = k for some k Z. But then m+1 = m 1+ = k +1 is even, a contradiction. Since A cannot have a least member it is emty. PROOF USING WEAK INDUCTION. Let P be the set of n 0 such that at least one of n,n + 1 is even. 0 P since it is even. Assume that n P. If n + 1 is even then one of n + 1,n + is even so n + 1 P. Otherwise n must be even, so n + is also even and again n + 1 P. Examle in how to use well-ordering: THEOREM 7. Division with remainder Let n,a Z with a > 0. Then there are unique q,r Z with 0 r < a such that n = qa + r. PROOF. Let T = {m N k Z : m = n ka}. In other words, T is the set of all natural numbers which differ from n by a multile of a. T is non-emty, since by taking k sufficiently negative we can make n ka as large as we want e.g. take k = n. By the well-ordering rincile there is r = mint. By definition of T, we have 0 r and there is q Z such that r = n qa. Assume that r a. Then r a 0 and r a = n q+1a so r a T, a contradiction. It follows that n = qa + r for some q, r as claimed. Assume next that also n = q a + r. Then Assume first that r > r. Then q a + r = n = qa + r. r r = q q a, so by the Lemma, a > r r r a, a contradiction. By symmetry we can t have r > r either, so r = r. It follows that q q a = 0 and since a 0 this means q = q. COROLLARY 8. An integer n is odd iff it can be written in the form n = k + 1 for some k Z Divisibility. 1.. Divisibility and the GCD DEFINITION 9. Let a,b Z. We say a divides b and that b is a multile of a if there is c Z such that b = ac. When this holds we write a b. Otherwise we say a does not divide b and write a b. REMARK 10. Another way to hrase a b is that the equation ax = b has a solution in Z. 10

11 NOTATION 11. If a b with a 0 we write a b for the unique integer x such that a x = b. Note that if a b we don t give b a any meaning. EXAMPLE 1. 1 b for all b. 0 b iff b = For any a,b Z we have a b a b. In articular, n 1 n+1 1. LEMMA 13. Let a 0 and let a b. Then b a. PROOF. If b = ac we have b = a c. Also, c 1 since c 0 so a c a. LEMMA 14. Euclid If a divides b and c then a divides b ± c. PROOF. We have a b a ± a c = a b a ± a c a = b ± c so the equations a x = b ± c have an integer solution. COROLLARY 15. Let n 1. Then the only ositive common divisor of n,n + 1 is 1. LEMMA 16. If a b and b c then a c. PROOF. By the associative law, a b a cb = a b a c b = b cb = b. LEMMA 17. Units a b iff a b. Because of this, we will only consider ositive divisors. First roblem of factorization. PROBLEM 18. Find all divisors of a given integer. This turns out to be really hard. We don t know an efficient way to do this The GCD, Two integers. Let a,b Z be non-zero. Let D be the set of common divisors of a and b non-emty since 1 D. D is bounded since every divisor of a is no larger than a. Let M be the set of ositive common multiles of a,b non-emty since ab = ±ab M. DEFINITION 19. a,b def = gcd{a,b} = maxd ; [a,b] def = lcm{a,b} = minm. Also, for all a Z, set a,0 = a and [a,0] = 0. FACT 0. Every common divisor of a,b divides a,b. Every common multile of a,b is divisible by [a,b]. PROBLEM 1. Given a,b find a,b and [a,b]. ALGORITHM. Naive Try all elements of the finite sets D,M. Entirely imractical since finding the divisors is hard. Euclid discussed a much better idea: LEMMA 3. Euclid Let a,b Z. Then a,b = a b,b. PROOF. We rove that both airs have the same set of common divisors. Indeed, let d divide b. If d also divides a then By Lemma 14 d divides a b. Conversely, if d divides a b then by that Lemma d divides a = a b + b. 11

12 Since a,0 = a for all a, and since changing the signs of a,b does not change their gcd why? we get a method for calculating the gcd of any two integers. For examle: 4, 153 = 153, 4 = 19, 4 = 105, 4 = 81, 4 = 57, 4 = 33, 4 = 4, 9 = 15, 9 = 9, 6 = 6, 3 = 3, 3 = 3, 0 = 3. ALGORITHM 4. Euclid Given two integers a,b, outut their gcd: 1 Relace a with a, b with b. If a < b exchange a and b. 3 If b = 0, terminate and outut a. 4 Else, relace a with a b and go to ste. THEOREM 5. The algorithm terminates after finitely many stes and oututs the gcd of a, b. PROOF. Consider the changes in the quantity a + b during the course of the algorithm. Every time we reach ste 4, we know that a b > 0. It follows that at the conclusion of ste 4, the quantity has decreased by at least b 1. Since there is no infinite strictly decreasing sequence of natural numbers well-ordering, we can reach ste 4 only finitely many times. In articular, at some oint b = 0 and we terminate. Finally, by Lemma 3, the relacements and exchanges never change the gcd of the two numbers. In fact, more can be said. CLAIM 6. Bezout Every intermediate value considered by Euclid s Algorithm is of the form xa + yb for some x,y Z. PROOF. We rove this by induction on the stes of the algorithm. Certainly this is true at the start, and also changing signs and exchanging a,b doesn t matter. Now assume that at the nth time we reach ste 3, we are looking at the numbers a = xa + yb > b = za + wb 0, where a,b are the initial values and x,y,z,w Z. At ste 4 we will then relace a with a b = x za + y wb which is indeed also of this form, so the situation will hold when we reach ste 3 for the n + 1st time. We have thus roven by algorithm the following fact: 1

13 THEOREM 7. Bezout Given a,b Z the exist x,y Z such that a,b = xa + yb. Bezout s theorem admits a direct roof: PROOF. If a = b = 0 there is nothing to rove, so we assume that at least one of a,b is nonzero, and let I = {ax + by a,b Z}. Note that I is closed under addition and under multilication by elements of Z: ax + by + qcx + dy = a + qcx + b + qdy I. By assumtion I contains ositive numbers at least one of a, b is ositive, so let m be the smallest ositive element of I. Every common divisor of a,b divides every element of I; in articular a,b m. Conversely, we rove that m divides every element of I. Since a,b I it will follow that m is a common divisor of a,b, hence the greatest common divisor. Let n I. Dividing with remainder Theorem 7, we can write n = qm + r for some 0 r < m and q Z. Then r = n qm I. It must be the case that r = 0 else we d have a ositive member of I smaller than m. Then n = qm and m divides n. COROLLARY 8. Every common divisor of a,b divides their GCD. PROOF. Let d divide both a,b. Then for any x,y Z d xa and d yb so d xa + yb. Now choose x,y so that the xa + yb = a,b The LCM. DEFINITION 9. Say a,b are relatively rime if a,b = 1. PROPOSITION 30. If a,b are relatively rime then [a,b] = ab. PROOF. By Bezout s Theorem there exist x,y such that xa + yb = 1. Say that az is also a multile of b. Then z = z 1 = zxa + yb = xaz + zyb so z is a multile of b. It follows that az is a multile of ab, so ab is the least ositive common multile. LEMMA 31. [da,db] = d [a,b]. PROOF. If m is a common multile of a,b then dm is a common multile of da,db. Conversely, if m is a common multile of da,db then m is divisible by d, and m d is a common multile of a,b. THEOREM 3. Let a,b be non-zero. Then a,b[a,b] = ab. [ ] PROOF. We have [a, b] = a,b a a,b,a,b b a,b Sets of integers. = a,b[ a a,b, ] b a,b = a,b ab. a,b DEFINITION 33. Let S be non-emty finite set of integers. We say that a Z is a common divisor of S if a divides every member of S. We say that a Zis a common multile of S if it is a multile of every element of S. EXAMPLE 34. For any non-emty S, 1 is a common divisor for the elements of S and the roducts of the elements of S is a multile of all of them. 13

14 DEFINITION 35. Assume that S is finite and has a non-zero member. The greatest common divisor of S, written gcds is the largest integer which is a common divisor of S. The least common multile of S, written lcms is the smallest ositive integer which is a multile of all elements of S. NOTATION 36. If a 1,...,a k are integers we also write a 1,...,a k for their GCD and [a 1,...,a k ] for their LCM. Note that every common divisor of {a 1,...,a k } is at most a 1, so only finitely many integers can be the GCD. Similarly, the least common multile is somewhere between zero and k j=1 a j. LEMMA 37. a 1,...,a k+1 = a 1,...,a k,a k+1. PROOF. Let d be a common divisor of a k+1 and a 1,...,a k. Then d divides each of a 1,...,a k it divides a common divisor of theirs so d a 1,...,a k+1. It follows that a 1,...,a k,a k+1 a 1,...,a k+1. Conversely, let d = a 1,...,a k+1. Then d is a common divisor of a 1,...,a k so d a 1,...,a k. Also, d a k+1. It follows that d is a common divisor of both a 1,...,a k,a k+1 and hence that d divides their GCD, that is that a 1,...,a k+1 a 1,...,a k,a k+1. Now two ositive integers that divide each other are equal. COROLLARY 38. Algorithm to find the GCD of a list of numbers Linear Diohantine equations. THEOREM 39. The set of integral solutions to ax + by = c is as follows: 1 If a = b = 0 then the set is emty if c 0, all of Z if c = 0. Otherwise, let d = gcda, b. Then a If d c the set is emty. b If d c, let s,t be such that as+bt = d. Then the set of solutions is { sc d + b d z, tc d a d z} z Z. REMARK 40. Note that solving an equation requires doing two tings: showing that every solution is in the set, and showing that every member of the set is a solution Irreducibles Primes DEFINITION 41. Call Z >1 rime if in every factorization = ab, one of a,b is 1. EXAMPLE 4. 1,,3,5 are irreducible. 4 = isn t. THEOREM 43. Every ositive integer can be written as a roduct of rimes. PROOF. Let n be the smallest ositive integer which cannot be written as a roduct of ositive rimes. Then n itself is not irreducible nor 1, so n = ab with 1 < a,b < n. But then both a,b are roduct of irreducibles, hence so is n. EXAMPLE = 5 1 = = 5 3. THEOREM 45. Euclid There are infinitely many rimes. PROOF. Consider P + 1 where P is the roduct of all rimes. REMARK 46. This only shows that there are about C loglogx rimes u to x. 14

15 LEMMA 47. If n 1 is reducible, it has a roer factor n. PROOF. This is true about any non-trivial factorization. COROLLARY 48. Factorization and rimality testing by trial division. EXAMPLE = 63 = 3 1 = Primes. THEOREM 50. Let Z >1 be rime. Then if ab then divides at least one of a,b. REMARK 51. This is equivalent to the imlication: for all a, b we have a, b ab. It is more natural to remove the requirement that be ositive, but it is not traditional to do so. EXAMPLE 5. is rime. PROOF. Assume that a,b are odd. Then there are k,l Z such that a = k + 1, b = l + 1 so ab = k + 1l + 1 = kl + k + l + 1 is also odd. EXAMPLE is rime. PROOF. Let a,b Z not be divisible by 3. Then a = 3q + r and b = 3q + r for some q,q Z and r,r Z with 1 r,r < 3. Then r,r {1,}. Since ab = 33qq + r q + rq + rr we have 3 ab iff 3 rr. But rr equals one of 1,,4 and neither is divisible by 3. PROOF OF THEOREM 50. Conversely, let be a rime which divides the roduct ab. Assume that a and consider the GCD d = a,. Since d, d = 1 or d =. Since does not divide a, d so d = 1. It follows that there exist x,y such that x + ya = 1, at which oint b = xb + yab. Then divides b since it divides both xb and yab. REMARK 54. Conversely, let be a number such that ab imlies a or b. Then either is a unit or rime. Indeed, if = ab then divides one of the factors, so without loss of generality we have a. This forces a and hence b 1. It follows that b = 1 so b is a unit. THEOREM 55. Fundamental Theorem of Arithmetic Every ositive integer has a factorization into rimes, unique u to reordering the factors. PROOF. What we need to show is: assume that n = I i=1 i = J j=1 q j with { i }, { } q j rimes. Then I = J and there is a ermutation π S n for which i = q πi. Let n be the smallest ositive integer for which this fails. Let be a rime divisor of n. Then there is i such that i = and j such that q j =... NOTATION 56. We may uniquely write every non-zero integer in the form n = ε e where ε {±1} and e are non-negative integers, equal to zero for all but finitely many. EXAMPLE 57. v n! = n + n + n +. 3 PROPOSITION 58. Every ositive divisor of e is of the form f where 0 f e. THEOREM 59. e, f = min{e, f } while [ e, f ] = max{e, f }. COROLLARY 60. a,b[a,b] = ab. PROOF. min { e, f } + max { e, f } = e + f. 15

16 x Distribution of rimes not examinable. DEFINITION 61. πx = #{1 x rime}. CONJECTURE 6. Gauss circa 1800 lim x πx log x 1 integers are rime with robability logt dt logt THEOREM 63. Chebychev 1850 For all large enough x, def = 1. More recisely, πx Lix = x logx πx 1.1 x logx. THEOREM 64. de la Vallée-Poussin, Hadamard 1896, following Riemann 1859 πx Lix Cxe c logx. CONJECTURE 65. Riemann 1859 πx Lix C xlogx. THEOREM 66. Dirichlet 1837 Barring local obstruction, every AP contains infinitely many rimes. Chebotarev Let πq,a;x = #{1 x aq rime}. Then πx 1 φq Lix Cxe c logx. CONJECTURE 67. ERH For a, q = 1, Secial rimes. πq,a;x 1 φq Lix C xlogx. Twin rimes. Fermat numbers: F n = n + 1. Prime for n = 0,1,,3,4. Fermat Conj all rime; Euler showed No other Fermat rimes known. F n,f m = 1 if n m, so infinitely many rimes. Mersenne numbers: 1. Many known; robably there are many but it is oen. Cole, October 1903 meeting of the AMS: 67 1 = 193,707,71 761,838,57,87. Euclid: 1 rime then 1 1 erfect. Euler: converse. PROPOSITION 68. F n,f m = 1 if n > m 0. PROOF. For any integer x we have x + 1,x + 1 = x + 1 x + 1 +,x + 1 =,x + 1. In articular, for x = m which is even we find F m+1,f m = 1. Assume now that n > m + 1, and for 0 j < n m 1 write F n, j = n j m+1 +1 so that F n,0 = F n and F n, n m 1 1 = m+1 +1 = F m+1. 16

17 Then, for 0 j < n m 1 1 we have n j m+1 + 1, m + 1 = n j m+1 m, m + 1 Euclid s Lemma = m n j m+1 m 1, m + 1 Common factor = n j m+1 m 1, m + 1 m, m + 1 = 1 = n j m+1 m + m, m + 1 Euclid s Lemma = n j m+1 m + 1, m + 1 Common factor = n j+1 m+1 + 1, m + 1, that is F n, j,f m = Fn, j+1,f m. It follows by induction that Fn,F m = F m+1,f m = 1. COROLLARY 69. There are infinitely many rimes. PROOF. No rime divides two of the F n. REMARK 70. Note that this roof only roduces n rimes u to n + 1, i.e. about loglogx rimes u to x. 17

18 CHAPTER Congruences and.1. Arithmetic in congruences DEFINITION 71. For a,b,m Z with m, a bm iff m a b. PROPOSITION 7. Congruence mod m is an equivalence relation. LEMMA 73. a bm iff b = a + km for some k Z. THEOREM 74. Arithmetic If a a,b b m then a ± b a + b m ab a b m. PROOF. Say a = a + km, b = b + lm. Then a ± b = a ± b + k ± lm and a b = ab + al + bk + klm. FACT 75. Division Thm Every congruence class mod m contains a unique reresentative 0 r < m. DEFINITION 76. The reduction of a mod m is that 0 r < m which is congruent to a. EXAMPLE 77. Divisibility tests m a iff the reduction of a mod m is zero. LEMMA 78. For all k 0, 10 k 19 roof by induction COROLLARY 79. Divisibility test For all n 0, n Sn9 where Sn is the sum of digits of n. DEFINITION 80. Say that b is a modular inverse of a mod m if ab 1m. Say that a is invertible if it has a modular inverse. THEOREM 81. a is invertible mod m iff a, m = 1. PROOF. Assume that ab 1m. Then 1 = ab + km. Thus any rime dividing both a and m must divide 1. Conversely, let a,m be relatively rime. By Bezout s Theorem Theorem 7, there are x,y such that ax + my = 1, which means that ax 1m. EXAMPLE while so = THEOREM 83. CRT Let { } J m j j=1 be airwise relatively rime, and let M = j m j. { } J a j j=1 Z. Then there is a Z, unique mod M, such that a a j m j. Let 18

19 PROOF. Assume first that a 1 = 1 and that a j = 0 for j J. Let N = J j= m j so that M = m 1 N. It is then enough to find a such that a 1m 1 while a 0N. Since N,m 1 = 1 can take a = N N where N is any inverse of N mod m 1. It follows that there exist { } J y j such that j=1 y i δ i j m j. For existence set a = j y j a j. For uniqueness by subtraction it is enough to consider the case a 0m j for all j, for which a must be divisible by M. EXAMPLE 84. Divide the six residue classes mod 6 into their classes mod and 3. EXAMPLE 85. Solve x 13, x 5 and x 37. Indeed 35 = 70 13, 1 15 and It follows that the solution is x , that is x Linear Congruences THEOREM 86. Consider the equation ax bm, and let d = a,m. If d b there are no solutions. Otherwise it is equivalent to d ax d b m d. If a,m = 1 then ax b iff x āb..3. The multilicative grou.3.1. Multilicative order, Euler s Theorem and Fermat s Little Theorem. Examine owers of mod 7, mod 11. Powers of 5 mod 11 and see eriodicity. Examine owers of mod 6 and see eriodicity but no 1. DEFINITION 87. For a,m = 1 the multilicative order of a mod m is ord m a = min{n 1 a n 1m}. PROPOSITION 88. Let a,m = 1. Then a r a s m iff r sord m a..3.. Wilson s Theorem. We evaluate the.3.3. Examles. Pollard s 1 method. The order of mod n 1 is n: it divides n since n 1 n 1 but can t be smaller. Factor = = See that 35 is not rime: ALGORITHM 89. Modular exonentiation by reeated squaring.4. Primality testing Pseudorimes, Charmichael numbers, strong seudorimes, 19

20 CHAPTER 3 Arithmetic functions 3.1. Dirichlet convolution DEFINITION 90. An arithmetical function is a function f : Z 1 R more generally, to C. EXAMPLE 91. Some standard functions. All-ones function In = 1, identity function Nn = n, delta-function δn = Characteristic function of the rimes: Pn = The von-mangoldt function Λn = { 1 n = 1 0 n 1. { 1 n rime for which πx = n x Pn. 0 not { log n = k, k 1 0 else which is the right way to count rimes using Chebychev s function ψx = n x Λn. Let n = e. Then { ωn = #{ rime : n}, Ωn = e. From these get the Möbius 1 ωn n squarefree function µn =, the Liouville function λn = 1 Ωn. 0 else φn = #{0 a < n a,n = 1}, τn = d n 1, σn = d n d, σ k n = d n d k. DEFINITION 9. Call f multilicative if f mn = f m f n if m,n = 1. REMARK 93. This usually has to do with the CRT. EXAMPLE 94. φn is multilicative roof later. LEMMA 95. If f is multilicative and f 1 1 then f n = 0 for all n. PROOF. f n = f n 1 = f n f 1 so 1 f 1 f n = 0 for all n. PROPOSITION 96. f multilicative and n = e then f n = f e. PROOF. Induction on number of rime factors of n. COROLLARY 97. φ k = k k 1 = k 1 1 so φ e = n e e 1 = n e 1 1 = n n 1 1. DEFINITION 98. f is comletely multilicative if f mn = f m f n for all n. EXAMPLE 99. In, δn, N k n. DEFINITION 100. The Dirichlet convolution of f,g is the arithmetical function f gn = f dg n d = f dge d n de=n 0

21 The second definition shows that f g = g f. By convention the sum is over ositive divisors and factorizations only. EXAMPLE 101. Calculate φ In for small values of n, note that φ I = N. THEOREM 10. φ I = N. PROOF. Textbook Combinatorial d n φ d n = n since this counts the integers between 1,n according to their gcd with n. THEOREM 103. f, g multilicative then so if f g. PROOF. Let gcdm 1,m = 1. Then there is a bijection between divisors d m 1 m and airs d 1 m 1, d m by d 1,d d 1 d and d gcdd,m 1,gcdd,m. It follows that f gm 1 m def = f dg m 1m d d m 1 m m1 = f d 1 d g m d d 1 m 1 d m 1 d m1 = f d 1 f d g g d d m 1 d 1 m 1 = d 1 m 1 f d 1 g m1 d 1 d m f d g = f gm 1 f gm. EXAMPLE 104. τ = I I, σ k = I N k. m d m d f,g multilicative REMARK 105. f, g comletely multilicative doesn t mean f g is so, e.g. τ = I I. EXAMPLE 106. τ k = k + 1 so τ e = e + 1. σ k = k so σ e = n e PROBLEM 107. Past final τn = 77 and 6 n. Find n. 3.. Mersenne rimes and erfect numbers DEFINITION 108. cf PS1 Call n deficient if σn < n, abundant if σn > n and erfect if σn = n. EXAMPLE , 8. Not clear if odd erfect numbers exist. We ll study even erfect numbers. Let n = s m be erfect with m odd. Then by multilicativity σn = σ s σm = s+1 1 σm. We used s,m = 1. Not enough to say s even, m odd. By assumtion also σn = n = s+1 m. It follows that s+1 s+1 1 m. Since s+1, s+1 1 = 1 they are consecutive we have s+1 σm so write σm = s+1 t. 1

22 We then have s+1 m = s+1 1 s+1 t that is m = s+1 1 t. If t > 1 then 1,t, s+1 1 t are distinct divisors of m so σm 1 + t + s+1 1 t = 1 + s+1 t > σm, a contradiction. It follows that m = s+1 1 and that σm = s+1 = m + 1. In articular, m has no other divisors that 1,m so m is rime. By PS, if s+1 1 is rime then s + 1 itself is rime. We have shown that every even erfect number is of the form 1 1 where, 1 are both rime. Conversely, if, 1 are both rime then σ 1 1 = σ 1 σ 1 = = 1 1. THEOREM 110. An even number is erfect iff it is of the form 1 1 for a rime of the form 1. DEFINITION 111. The numbers of the form M n = n 1 are called Mersenne numbers. PROPOSITION 11. Let q, be rimes with q 1. Then q 1. PROOF. We have seen that the order of mod 1 is 1 1 so the order must divide, but it is not 1. The same argument works mod q: if q 1 then 1q so ord q. But the order is not 1 1q so it is. By Fermat s Little Theorem, the order of any number mod q divides q 1 so q 1. EXAMPLE 113. The first few Mersenne rimes and associated erfect numbers are: 1 = 3; 1 3 = = 7; 7 = = 31 if not rime would have a rime divisor 15 and < 6 = 36 which is imossible. The erfect number is 4 31 = = 17 if not rime would have a rime divisor 17 and < 1 = 144 but there are no such rimes = 818. EXAMPLE = 047 if not rime would have a rime divisor 111 and < 50 = 500. The only rime in this range is 3 and indeed = 89.

23 CHAPTER 4 Crytology 4.1. Introduction Three arties: A Alice would like to communicate some message P laintext to B Bob. The eavesdroer Eve will know everything Alice sends. Alice and Bob will agree on a air of functions E encrytion, D decrytion such that DEP = P for all P. Alice will send the cihertext C = EP. Bob will recover the laintext by evaluating P = DC. Symmetric cryto : Alice and Bob kee D,E secret. Eve only knows C and has to guess what D,E are. Public-key / Asymmetric cryto : Eve knows both C and the function E, while Bob s function D is ket secret. The first scheme requires rior communication between Alice and Bob to agree on the functions. Usually this rior communication is facilitated by a method of the second kind. PKC is more involved, more comutationally exensive. Usually only used for key exchange after which a symmetric ciher is used. Alice and Bob do crytograhy create methods of communications; Eve does crytanalysis breaking such methods. 4.. Character and block cihers In a character ciher we encode every letter of the message as an integer P {0,...,5} thought of as residues mod 6. The function D,E are then mas {0,...,5} {0,...,5}. EXAMPLE 115. Caesar ciher EP P + 36 so DC = C 36. HELLO + 3 =, decryt by 3. EXAMPLE 116. Affine ciher EP = ap + b6. Must have a invertible mod 6 for this to make sense. In that case DC āc b = āc āb is also an affine function HELLO via 3 7, decryt via = REMARK 117. ETAOIN Character cihers are very weak, since they reserve the frequency distribution of the letters which is highly non-uniform. They also reserve the order of the letters TH most common digrah, THE most common trigrah. Even if a different substitution is used for different laintext letters, but the sequence of substitutions reeat it s ossible to recover the block length by checking the letter distributions in residue classes. 3

24 Block cihers: work with several letters are once, erhas on a rolling basis. E.g. affine-linear ma on the vector coming from several letters Asymmetric encrytion: RSA 4

25 CHAPTER 5 Primitive roots 5.1. Primitive roots PROBLEM 118. Solve x Find ord 17 = 8 and 6 so ord 17 6 = 16. Now take log base 16. Similarly for x 5 4 and x 6 4. DEFINITION 119. For a,m = 1 set ord m a = min{n 1 a n 1m} Call r a rimitive root mod if ord r = φm. EXAMPLE 10. Mod 17. Mod 19. LEMMA 11. a is a rimitive root iff every invertible residue is a ower of a; in this case the invertible residues are given by { a j} φm 1 j=0. THEOREM 1. Discerte Logarithm Let r be a rimitive root mod m. Then the equation x n r l m has solutions iff n,φm l in which case there are n,φm such solutions. In articular, b is an nth ower mod m iff b φm n,φm 1m, in which case it has n,φm nth roots. PROOF. Changing variables to x = r t we need to solve nt l φm which is a linear congruence. THEOREM 13. There is a rimitive root mod m iff m is of the form,4, k, k where is an odd rime and k 1. Fix a rime. Two key ingredients: 5.. Primitive roots mod PROPOSITION 14. Let f x Z[x] be of degree n mod that is, a n. Then the congruence f x 0 has at most n solutions. PROOF. If f a 0 then x a divides f mod, and continue by induction. PROPOSITION 15. d n φd = n. THEOREM 16. For every d 1 there are at d elements of order dividing d, and φd elements of order exactly d. PROOF. There are at most d elements since x has order dividing n iff x d 1. Let A d = { 1 a 1 ord a = d }. If this set is not emty let a A d. Then { a j} d 1 are all distinct j=0 5

26 so these are all elements of order dividing d. Since ord a j = elements are of order d exactly. It follows that #A d φd. Thus: 1 = #{1 a 1} = # d 1 A d d 1 ord a j,ord a, exactly φd of these #A d φd = 1. d 1 It follows that we must have equalities throughout, that is that #A d = φd. In articular for n 1, the elements of order dividing n are d n A d and there are d n φd = n of them. COROLLARY 17. There are φφ 1 rimitive roots mod. Idea: linear deformation Primitive roots mod, k THEOREM 18. Let r be a rimitive root mod. Then one of r,r + is a rimitive root mod. PROOF. By Euler s Theorem, ord r φ = 1. Also, r ord r 1 so 1 = ord r ord r. If ord r < 1 it must equal 1. Now consider ord r+ t. Since r+ t r the same reasoning shows that 1 ord r+ t 1. Moreover, r + t 1 = r 1 + 1r t + 1 r t. 1 k= 1 k r 1 k t k k Note that r so as long as t say if t = 1 we have r + t 1 1 so ord r +t 1. THEOREM 19. [not covered in class] Let be odd and let r be a rimitive root mod. Then r is a rimitive root mod k, k. PROOF. Assume by induction that ord k r = k 1 1. It follows that r k 1 1 k. Since r k 1 1 k 1, we have r k 1 = 1+t k 1 for some t not divisible by. It follows that r k 1 1 = 1 +t k 1 = 1 +t k + t l lk 1 +t k 1. l Now if k,l then lk k 1 = k k k + 1 and l if l 1. Finally, if 3 then k 1 3k 1 = k k k + 1 as well so 1 l= r k t k 1 k+1. See textbook Discrete Log and ElGamal 6

27 CHAPTER 6 Quadratic recirocity Fix an odd rime Quadratic residues DEFINITION 130. Let a not be divisible by. Call a a quadratic residue mod if there is x Z such that x a. Otherwise say that x is a quadratic non-residue. NOTATION 131. The Legendre Symbol is given by: a +1 a a quadratic residue = 1 a a quadratic nonresidue. 0 a We first study a as a function of a. EXAMPLE 13. List all squares mod 3,5,7,11 and obtain the residues and non-residues. PROPOSITION 133. Euler s criterion a a 1. PROOF. If a both sides vanish mod. Otherwise, this is the case n = of Theorem 1. EXAMPLE 134. For which rimes amond 3,5,7,11 is 1 a square mod? COROLLARY 135. The quadratic character of 1 1 = 1 1 = { LEMMA 136. Let a,a,b Zwith a a. Then: 1 a = a ; b = 1 if b; 3 a b = ab. PROOF. The first two claims are true by definition x a iff x a. For the third, it is clear if divides one of a,b or if at least one is a quadratic residue, but the claim that if both a,b are non-residues then ab is a residue is non-trivial. In any case using Euler s criterion it is easy to check that ab a ab 1 a 1 1 b and if signs are congruent mod they are equal since. Another criterion: 7 b

28 PROPOSITION 137. Gauss s Lemma Let a. Then a = 1 s where s is the number of t, 1 t 1 such that the least ositive residue of at is greater than PROOF. We evalute the roduct at = a t=1 1.! in another way. For this divide the numbers 1 x 1 into airs {x, x} x x since is odd. If at,at belong to the same air then either they are equal at which oint t t or oosite, at which oint at at forces t t. Since the range 1 t 1 does not contain t,t such that t t and since 1 there are exactly 1 airs it follows that t=1 at 1 x 1 ±x where the sign is + or according to whether at x or at x. By assumtion we have s minus signs, so The factor 1 a 1 1! 1 s 1 x 1 s!. x=1 1! is invertible mod and we are done by Euler s criterion. COROLLARY 138. The quadratic character of { 1 ±18 = 1 ±38. PROOF. Exlicit count using Gauss s Lemma. 6.. Quadratic recirocity Now consider a as a function of. Euler observed that this only deends on the class of mod 4a. Gauss eventually roved this: THEOREM 139. Gauss Let,q be distinct odd rimes. Then { q = 1 1 q 1 1 q 34 =. q +1 otherwise { } PROOF. Based on Exercize 17 to section 11. Let R = 1 a q 1 a, q = 1, let { } { } T = q,q,, 1 q and let S = R T = 1 a q 1 a, = 1 if a, = 1 then either a, q = 1 or a is divisible by q. Finally, set A = a R a. One one hand we then have: a = a S q k=0 j=1 1! q 1 1 q 1 k + j j=1 q j!!

29 by Wilson s Theorem. On the other hand we have a = a S a a R = Aq 1 by Euler s criterion Proosition 133. Since conclude By symmetry we also have 1 j=1 1! q 1 A 1 A 1 q 1 A 1 1 q j!! is invertible mod and. q q q. q ±1 we We now evaluate A mod q. For this note that if x is a residue class mod q then x xq since,q are odd. It follows that for each air {x, x} of invertible residue class mod q exactly one member belongs to A. Now let a R and assume that ā ±aq. Then exactly { one of ā, ā belongs to R and} together we get either a 1 or a 1 in A. Accordingly let R = 1 a q 1 a ±1q. We have shown that: A ± a R aq. There are 4 residues a mod q such that a 1. Those are ±1 and ±u where u 1 and u 1q. There residues contribute ±u to A. Assume first that at least one of,q is 34. Then there is not x mod that rime such that x 1 mod that rime; a fortiori there is no a mod q such that a 1q and hence A ±uq. It follows that A mod and A mod q are oosite signs. If 14 and q 34 this means that q and q have oosite signs as claimed, while if q 34 it means that q and q have oosite signs as claimed. We are left with the case q 14. Now fix ε,δ such that ε 1 and δ 1q. By the CRT there is v mod q such that v ε and v ε q. Then the solutions to a 1q are ±v,±uv, and R contains recisely one from each air, so that A ±u ±v±uv ±u ±1. It follows that q and q are congruent to the same sign mod q, and hence they are equal. REMARK 140. Alternative roof: Let G = a a ζ a be the Gauss sum mod. Then Ḡ = a a ζ a = 1 G so 1 G = G = by Planchere s formula. We thus have q 1 = q 1 G q 1

30 and Multilying by G we find: G q 1 = 1 1 G q Since G is invertible mod q we conclude q q 1 G q 1 1 q q 1 a q 1 1 q q 1 a q ζ aq q Gq. q G q. q q as a congruence in Z[ζ ]. However, if a rational number is an algebraic integer then it is an integer, so this congruence holds in Z and both sides are equal. ALGORITHM 141. To evaluate a : 1 Reduce a mod to get a. Factor a, and eliminate any square factors. 3 For any rime factor q of a, relate q to q using QR, and evaluate the latter recursively. Better algorithm: avoid factoring The Jacobi Symbol DEFINITION 14. Let P be an odd ositive integer, with rime factorization P = i i the i need not be distinct. For a Z the Jacobi symbol is the function a def a = P. i i LEMMA 143. Let a,a,b Zwith a a P. Then: 1 a P = a P ; = 1 if P,b = 1; b P 3 a P bp = abp. PROOF. These all follow from the resective roerties of the Legendre symbol. THEOREM 144. Let P,Q be odd nad ositive. Then: 1 1 P 1 P = 1 ; P P = ; 3 Q PQ P = 1 P 1 Q 1. 30

31 PROOF. In both 1, the claim holds for P rime. Both sides of the claimed equality are also comletely multilicative clear on the Jacobi Symbol side and an easy calculation on the other so the claim follows. For art 3 one checks that both sides are searately comletely multilicative in P,Q for the RHS this is already checked for art 1 so again equality follows from the case of rimes, which is the law of QR. ALGORITHM 145. To evaluate a P : 1 Reduce a mod P to get a. Write a = t Q with Q odd. We then have a P = a P 3 Evalute P by art, and Q P by relating it to PQ = P t Q P. and continuing recursively. 31

32 CHAPTER 7 Secial toics 7.1. The Gaussian integers Baseically a review of the course but using a different number system. Defined the rings Qi and Z[i]. State that they are rings. Define conugation and the norm; relate it to divisibility in Qi. Find all units of Z[i]. Divisition with remainder in Z[i] by rounding quotient in Qi. Divisibility: Only finitely many divisors; define gcd; Euclid s Lemma still holds. Due to division with remainder Euclid s Algorithm also still holds. Bezout s extension also holds, and can also roof Bezout s Theorem by considering a minimal element of the ideal generated by z,w. This also shows the GCD is unique u to associates. Unique factorization Define irreducible, rime. Discuss associates. If Nz = is a rational rime then z must be irreducible. Show that every Guassian integer is a roduct of irreducibles. Show that π is rime iff it is irreducible and not a unique. Conclude that the rime factorization is unique u to ermutation and associates. Classification of rimes. If π is rime then π divides Nπ which is a rational integer, and hence a roduct of rational rimes. It follows that π for some rational rime. If Nπ = = N then π is assoc to. Otherwise Nπ =. = i1 + i so 1 + i is the only rime dividing. If 34 and a + b then a, b if a then āb 1. It follows that is not a norm, so is still rime in Z[i]. If 14 then there is a Z such that a + 1. But a ± i in Z[i] so is not rime. It follows that there is a rime roerly dividing so Nπ =. This says = π π and the two are not associates: π π = π / Z[i], so is divisible by exactly two rimes and we can write = a + b in 8 ways, coming from the 4 associates of π, π each. 3

33 y = x 3 + ax + b. Plane cubics; the addition law. Fermat descent for x 4 + y 4 = z. Modularity Ellitic curves mod. Ellitic curve crytograhy. 7.. Ellitic curves 33

34 Bibliograhy 34