1 Divisibility Basic facts about divisibility The Division Algorithm... 3

Transcription

1 Contents 1 Divisibility Basic facts about divisibility The Division Algorithm Greatest Common Divisor and The Euclidean Algorithm Linear Combinations and the gcd The Linear Equation Theorem Using the Linear Equation Theorem to solve Problems Congruences Basic facts about congruences An application of congruences Solving simple congruence equations Primes The Fundamental Theorem of Arithmetic Congruences, Powers, and Fermat s Little Theorem 23 6 Euler s Phi function and Chinese Remainder Theorem Inverses Chinese Remainder Theorem Euler s Phi Function Powers mod m, and Euler s Formula Successive Squaring

2 7.2 Computing kth roots modulo m RSA Primitive roots 38 9 Table of Indices 49 List of Theorems 52 Index 56 2

3 1 Divisibility Notation: N is the set of natural numbers, i.e. N t1, 2, 3,...u. Z is the set of integers, i.e. Z t... 2, 1, 0, 1, 2...u. 1.1 Basic facts about divisibility Definition. If m and n are integers and m 0, we say that m divides n, written m n if n mk for some integer k. In this case m is called a factor of n and n is called a multiple of m. If m does not divide n, we write mffln. Note: m n is a sentence, not a number. Never ever write next to m n! Correct: 2 6. Incorrect: Proposition 1. If a b and b c, then a c. Proof. Suppose that a b and b c. Then b ak and c bq for some integers k, q. Then c bq akq. Since kq is an integer, a c. Proposition 2. If m n and j k then mj nk Proof. Suppose m n and j k. Then n ma and k jb for some a, b P Z. Now nk pmaqpjbq pmjqpabq. Since ab P Z, mj nk. Lemma 3. If m a and m b, then m pax ` byq for all integers x and y. Proof. Suppose that m a and m b. Also let x and y be integers. We know that a mj and b mk for some integers j, k. Then ax ` by mjx ` mky mpjx ` kyq. Since jx ` ky is an integer, m pax ` byq. 1.2 The Division Algorithm Theorem 4. Given integers a, b with b ě 1, there are unique integers q, r satisfying a qb ` r and 0 ď r ă b. 3

4 The idea is that you are dividing a by b. The quotient q is the number of times b goes into a and r is the remainder. Consider a 35, b 13. Note that 13 goes into 35 two times, with 9 left over. Thus ` 9. Proof. Existence: Let q be the largest integer less than or equal to a{b. Let r a qb. Then qb ` r qb ` a qb a. Also since q ď a{b, we know that bq ď a. Thus r a qb ě 0. Now we need to show that r ă b. Suppose that r ě b. Then a qb ` r ě qb ` b bpq ` 1q and hence a{b ě q ` 1. But we said that q is the greatest integer less than or equal to a{b, so we cannot have q ` 1 ď a{b. Thus r ă b. Uniqueness: Suppose that a bq 1 ` r 1 bq 2 ` r 2. Without loss of generality, assume that r 2 ě r 1. Then bq 1 ` r 1 bq 2 ` r 2, and hence bq 1 bq 2 r 2 r 1, which yields bpq 1 q 2 q r 2 r 1. Now, since 0 ď r 2 r 1 ă b, the only way this is possible is if r 2 r 1 0. Thus r 1 r 2. Then bpq 1 q 2 q 0. Since b 0, we must have q 1 q 2 0, which means that q 1 q 2. Using your calculator to do the division algorithm: To find q and r such that a qb`r, first divide a by b. The answer may be a decimal. Round down to the nearest integer. This is q. Now subtract q from the answer, and multiply the result by b. The answer is r. 1.3 Greatest Common Divisor and The Euclidean Algorithm There are two different (but equivalent) ways to define the greatest common divisor of two integers: The more informal definition: Definition. The greatest common divisor of positive integers a and b, or gcdpa, bq, is the largest natural number that divides both a and b. The formal definition usually used in proofs: Definition. Let a, b P N. The greatest common divisor of a and b, written, gcdpa, bq, is the natural number d such that d a and d b If c is any natural number that divides a and b, then c divides d. 4

5 Note: It may not be obvious that the two definitions above are actually equivalent. It should be pretty clear that the formal definition implies the informal one. We will be able to show the other direction once we have a few more results about the greatest common divisor gcdp1008, 1960q There are three methods for finding the greatest common divisor of two numbers: Method 1 List all the divisors of each number: 18 : 1, 2, 3, 6, 9, : 1, 2, 3, 5, 6, 10, 15, 30. The largest common divisor is 6 gcdp18, 30q Method 2 Factor both numbers into their prime factors and take the smallest power of each prime. For example, and So the gcdp8232, 3920q is Methods 1 and 2 (or the elementary school methods ) are not very good for larger numbers. To find gcdp , q would be quite difficult, as factoring these numbers is hard. Method 3 The Euclidean Algorithm Theorem 5 (The Euclidean Algorithm). Let a and b be integers with a ě b ą 0. Carrying out the division algorithm repeatedly, we get integers q 1, q 2,..., q n`1 and r 1, r 2,..., r n such that. a q 1 b ` r 1 b q 2 r 1 ` r 2 r 1 q 3 r 2 ` r 3. r n 2 q n r n 1 ` r n r n 1 q n`1 r n Then r n gcdpa, bq. 5

6 We will use the Euclidean Algorithm to find gcdp1960, 1008q = = = So gcdp1960, 1008q 56. Before we prove that the Euclidean Algorithm works, we will need to prove a lemma. Lemma 6. If a bq ` r, then gcdpa, bq gcdpb, rq. Proof. Let d gcdpa, bq. We know that d a, d b and that if c a and c b then c ď d. We need to show that (i) d b and d r and (ii) If c b and c r then c ď d. We already know that d b. To see that d r, note that r a bq ap1q ` bp qq. Since d a and d b, d r by Lemma 3. So we now know (i). Now suppose that c b and c r. Since a qb ` r bpqq ` rp1q, we can use Lemma 3 again to see that c must divide a. Thus c a and c b, so by hypothesis, c ď d. Thus d is also the greatest common divisor of b and r, and hence gcdpa, bq gcdpb, rq. Using this lemma, it is not too difficult to prove that the Euclidean algorithm works: Proof. Suppose that we perform the Euclidean Algorithm on a and b and get the following sequence: a bq 1 ` r 1 b r 1 q 2 ` r 2 r 1 r 2 q 3 ` r 3. r n 2 r n 1 q n ` r n r n 1 r n q n`1 ` 0 Note that r n r n and r n r n 1. Moreover, clearly no integer greater than r n can divide r n, so we must have that r n gcdpr n 1, r n q. Then, by Lemma 6, gcdpa, bq gcdpb, r 1 q gcdpr 1, r 2 q gcdpr n 1, r n q r n. 6

7 2 Linear Combinations and the gcd 2.1 The Linear Equation Theorem Definition. If there exist integers x and y such that ax ` by c, then we say that c is a linear combination of a and b. What kinds of values can c have? Let s make some tables to investigate. a 13, b 7 a 12, b 8 a 10, b 4 y x y x Table 1: Some data on the possible value of ax ` by y x

8 What kinds of observations can we make about these tables? There s a lot of symmetry. When going down the rows, one counts up by b; down the columns goes up by a. Along the diagonals, you count up by a ` b or a b. The remainder when dividing a by b always appears in the table. Every element in the table is a multiple of gcdpa, bq. The smallest positive number in the table is gcdpa, bq We will now prove some of the observations we made about linear combinations. Lemma 7. Suppose c is a linear combination of a and b. Then gcdpa, bq divides c. Proof. Assume c is a linear combination of a and b. Then c ax ` by for some integers x and y. Since gcdpa, bq divides both a and b, by Lemma 3, gcdpa, bq divides c. Lemma 8. If c is the smallest positive linear combination of a and b, then c divides both a and b. Proof. Suppose c ax ` by and that c is the smallest positive number which can be written this way. Use the Division Algorithm with a and c to get integers q and r satisfying a cq ` r and 0 ď r ă c. Then r a cq a qpax ` byq ap1 qxq ` by. So r is also a linear combination of a and b. But r is less than c, so since c is supposed to be the smallest positive number with this property, r must not be positive. Thus r 0 and a cq which shows that c a. Similarly, c b. Suppose c is the smallest positive linear combination of a and b. Then Lemma 8 tells us that c a and c b. By the definition of greatest common divisor, this implies that c ď gcdpa, bq. Moreover, since c is a linear combination of a and b, Lemma 7 tells us that gcdpa, bq c, which implies that gcdpa, bq ď c. Thus c gcdpa, bq. This proves the following theorem: Theorem 9. The greatest common divisor of a and b is the smallest positive integer that can be written as a linear combination of a and b. We can now characterize all of the linear combinations of two numbers a and b: 8

9 Theorem 10. Given a, b, c P N, there are integers x and y such that ax ` by c if and only if gcdpa, bq c. Proof. Since this is an if and only if theorem, there are two statements that we must prove. Lemma 7 tells us that if ax ` by c for some x, y P Z, then gcdpa, bq c. On the other hand, suppose that gcdpa, bq c. Let d gcdpa, bq. By Theorem 9, there are integers x and y such that ax ` by d. Moreover, since d c, c dk for some k P Z. Thus c dk pax ` byqk apxkq ` bpykq. Since xk, yk P Z, c is a linear combination of a and b. We are now in a position to show that the two definitions of greatest common divisor are the same. Recall our two definitions: Definition 1: A natural number d is the greatest common divisor of integers a and b if (i) d a and d b (ii) d is the greatest natural number with this property, i.e. if c is a natural number such that c a and c b, then c ď d. Definition 2: A natural number d is the greatest common divisor of integers a and b if (I) d a and d b (II) Whenever c is a natural number such that c a and c b then c d. First assume that d satisfies Definition 1. Then clearly (I) holds. To show that (II) holds, suppose that c is a natural number such that c a and c b. By Theorem 10, we know that d ax ` by for some integers x, y. Then by Lemma 3, c d. We will be especially interested in pairs of integers who have no factors other than 1 in common, i.e. integers whose greatest common divisor is 1. Definition. If gcdpa, bq 1, then a and b are called relatively prime. 2 and 17 are relatively prime. In fact 2 and any odd number are relatively prime. 12 and 35 are relatively prime. The next corollary follows directly from Theorem 10 Corollary 11. Integers a and b are relatively prime if and only if there are integers x and y such that ax ` by 1. 9

10 When we know what a and b are, we can show that they are or are not relatively prime by actually computing their greatest common divisor. Corollary 11 gives us another way to show that two numbers are relatively prime. This is especially useful for proofs in which we are unable to compute gcdpa, bq. The proof of the next corollary gives an example of this. ˆa Corollary 12. Suppose that d gcdpa, bq. Then gcd d, b 1. d Proof. The first thing to note is that even though a d, and b appear to be fractions, they are actually d integers. Since d gcdpa, bq we know that d a and d b. Thus a ds and b dt for some integers s and t. Then a d s and b t. Now by Theorem 10, there are integers x and y such that d a ˆ b ax ` by d. Thus x ` y 1. By Corollary 11, a d d d and b are relatively prime, which d ˆa means that gcd d, b 1. d Now that we know that c ax ` by has integer solutions for x and y whenever gcdpa, bq c, the next question is how to find x and y. If we can find a solution to ax ` by d gcdpa, bq, then we can find a solution to c ax ` by where d c. (If c dk and x 0, y 0 are solutions to d ax ` by, then d ax 0 ` by 0, so c dk adx 0 ` bdy 0, so x dx 0 and y dy 0 is a solution to c ax ` by.) One way to find a solution to d ax ` by is to use the Euclidean Algorithm backwards. Find x and y satisfying 18x ` 30y 6. First we perform the Euclidean Algorithm: ` ` ` 0 We see that 6 gcdp30, 18q so 18x ` 30y 6 does have solutions. Now we go backwards through the algorithm: p30 18q

11 So x 2, y 1 is a solution to 18x ` 30y 6. Find x and y satisfying 112x ` 241y 1 First we perform the Euclidean Algorithm ` ` ` ` ` ` 0 Note that 1 gcdp112, 241q. Now we go backwards: p10 7q 2 10 ` ` 3p17 10q p q ` ` 33p q So x 71, y 33 is a solution to 112x ` 241y 1. Another way to find the same solution to ax ` by d is to use the simple continued fraction for a b. 1 A simple continued fraction looks like a 0 ` 1 a 1 ` Find the simple continued fraction for a 2` 1...` 1 an ` ` ` 1 6 ` ` 1 6 ` ` 1 6 ` 1 1` ` 1 6 ` 1 1`

12 1 2 ` 6 ` 1 1` 1 1` 37 2 ` 1 6 ` 1 1` 1 1` ` 1 6 ` 1 1` 1 1` 1 2` 13 Notice that we were actually using the steps of the Euclidean Algorithm to transform each improper fraction. So how do we use continued fractions to solve ax ` by d? 1 It turns out that if a 0 ` 1 a 1 ` 1 a 0 ` 1 a 1 ` a 2` 1...` 1 a n 1 p q a 2` 1...` 1 an is the continued fraction for a, then the continued fraction b will give us the solution we are looking for. (We will need to make one of p or q negative and pair them with a and b appropriately. That is either x p and y q or x q and y p.) Find x and y satisfying 112x ` 241y 1 Since ` 1 6 ` 1 1` 1 1` 1 2` 13, we compute 2 ` 1 6 ` 1 1` 1 1` And ` , so x 71, y 33. Now that we know how to find one solution to ax`by d, how do we find the rest of the solutions? Theorem 13 (Linear Equation Theorem). Let d gcdpa, bq. Then 1. ax ` by c has a solution iff d c. 2. If x x 0 and y y 0 is one solution to ax`by d, then x nx 0 and y ny 0 is one solution to ax ` by nd. 3. If x x 0 and y y 0 is one solution to ax ` by c, then all other solutions are given by x x 0 ` k b d and y y 0 k a d. Before proving Theorem 13, we will need a lemma. This lemma will turn out to be important to us throughout the course. 12

13 Lemma 14. Suppose that a bc and gcdpa, bq 1. Then a c. Proof. Suppose that a bc and gcdpa, bq 1. Then bc ak for some integer k. Also, by Corollary 11 there are integers x and y such that ax ` by 1. Then c cax ` bcy cax ` aky apcx ` kyq. Since cx ` ky is an integer, a c. Now we can prove Theorem 13. Proof. Part 1 is just Theorem 10. For part 2, note that if ax 0 ` by 0 d, then apnx 0 q ` bpny 0 q npax 0 ` by 0 q nd. There are two directions to prove for part 3. First we must show that the given formulas for x and y are a solution. Suppose that x x 0 and y y 0 is a solution to ax ` by c and let d gcdpa, bq. Since d a and d b, both a d and b d are integers, so both x 1 x 0 ` k b d and y 1 y 0 k a d are integers. Now we just need to show that the pair is a solution to ax ` by c. Note that apx 0 ` k b d q ` bpy 0 k a d q ax 0 ` ab d ` by 0 ab d ax 0 ` by 0 c For the other direction, suppose that x x 0 and y y 0 is a solution to ax ` by c and that x 1, y 1 is another solution. We need to show that x 1 and y 1 have the form given in part 3. By assumption, ax 1 ` by 1 c ax 0 ` by 0, which is equivalent to apx 1 x 0 q bpy 0 y 1 q. Now since d a and d b, there are integers r and s such that a dr and b ds. Thus r a d and s b d ˆa. Moreover, by Corollary 12, gcdpr, sq gcd d, b 1. Now rewriting apx 1 x 0 q bpy 0 y 1 q we d get drpx 1 x 0 q dspy 0 y 1 q which yields rpx 1 x 0 q spy 0 y 1 q. Thus r spy 0 y 1 q. Since gcdpr, sq 1, Lemma 14 tells us that r py 0 y 1 q. Thus y 0 y 1 rk for some integer k. Now rpx 1 x 0 q spy 0 y 1 q srk and hence Now x 1 x 0 sk. ˆ b x 1 x 0 ` sk x 1 ` k d a y 1 y 0 rk y 1 k. d 13

14 2.2 Using the Linear Equation Theorem to solve Problems Find all integer solutions to 5x ` 7y 9 First we find gcdp5, 7q 1. Since 1 9, there is a solution to this equation. Now we find one particular solution to 5x ` 7y 1, either by inspection or using the Euclidean Algorithm. By inspection x 3, y 2 works. Multiply your solution by 9 to find one solution to 5x`7y 9: x 27, y 18. Finally, apply the theorem to find all possible solutions: x 27 ` 7k, y 18 5k. Find all integer solutions to 6x 9y 10. First we find gcdp6, 9q 3. Since 3 10, there are no solutions. Find all nonnegative integer solutions to 4x ` 10y 38. First, gcdp4, 10q 2 and 2 38 so there are solutions. Find one particular solution to 4x ` 10y 2 by inspection: x 2, y 1. Then multiply by 19 to find a solution to 4x ` 10y 22: x 38, y 19. Then apply the theorem to find all integer solutions: x 38 ` 5k, y 19 2k. Finally, if we only want positive integer solutions, we must have and 38 ` 5k ě 0 5k ě 38 k ě k ě 0 2k ě 19 k ď 9.5 The only possibilities are k 8, 9. These correspond to the solutions px, yq p2, 3q and px, yq p7, 1q. (Mahaviracarya, 850) There were 63 equal piles of plantain fruit put together and 7 single fruits. They were divided evenly among 23 travelers. What is the smallest possible number of 14

15 fruits in each pile? We can let x the number of fruits in each pile, and y the number of fruits each traveler got. Then 63x ` 7 23y or 63x ` p 23qy 7. We solve this using the methods above. One solution is x 5 and y 14. All solutions are given by x 5 23k and y 63k. We need both x and y to be positive, which means that k ď 0, and we want the minimal positive y-value. We get this with k 0, so the smallest possible number of fruits in each pile is 5. 3 Congruences Definition. We say a is congruent to b modulo m, written a bpmod mq, if m pb aq. For example, 7 15pmod 4q because 4 p15 7q. Also, 25 32pmod 19q because 19 p32 ` 27q. Note: Informally, a bpmod nq means that a and b have the same remainder when divided by n. 3.1 Basic facts about congruences Lemma 15. If a 1 b 1 pmod mq and a 2 b 2 pmod mq, then 1. a 1 ` a 2 b 1 ` b 2 pmod mq 2. a 1 a 2 b 1 b 2 pmod mq Proof. Suppose that a 1 b 1 pmod mq and a 2 b 2 pmod mq. Then m pa 1 b 1 q, and hence a 1 b 1 ms for some integer s. Likewise, m pa 2 b 2 q, so a 2 b 2 mt for some integer t. 1. Note that pa 1 ` a 2 q pb 1 ` b 2 q pa 1 b 1 q ` pa 2 b 2 q ms mt mps tq. Since s t is an integer, m rpa 1 ` a 2 q pb 1 ` b ` 2qs. Thus a 1 ` a 2 b 1 ` b 2 pmod mq. 2. Note that a 1 b 1 `ms and a 2 b 2 `mt. Now a 1 a 2 pb 1 `msqpb 2 `mtq b 1 b 2 `mtb 1 `msb 2 ` m 2 st Thus a 1 a 2 b 1 b 2 mtb 1 ` msb 2 ` m 2 st mptb 1 ` sb 2 ` mstq and hence m pa 1 a 2 b 1 b 2 q. Consequently, a 1 a 2 b 1 b 2 pmod mq. Note: Lemma 15 shows that we can add equivalent things to both sides of a congruence, that we can subtract equivalent things from both sides of a congruence, and that we can multiply both 15

16 sides of a congruence by equivalent numbers. (Note that in this case equivalent numbers are two numbers that are congruent to each other modulo m.) It is important to note, however, that we can not, in general, divide both sides of a congruence by the same number (or by equivalent numbers). Consider 6 9pmod 3q. This is a true statement. However, if we divide both sides by 3, we get 2 3pmod 3q, which is not a true statement. Lemma 16. Suppose that x ypmod mq. Then x n y n pmod mq for any n P N. Proof. We can get this result by repeated use of Lemma 15 part (b). More formally, we can use induction on n. Note that x 1 y 1 pmod mq, so the statement is true for n 1. Now suppose that x n 1 y n 1 pmod mq. Then by Lemma 15, since x y pmod mq, we can multiply by x on the left and y on the right to obtain x n x n 1 x y n 1 y y pmod mq. Thus the result holds by induction. Definition. We say that an integer r is a residue of a modulo m if a rpmod mq. The set t0, 1, 2,..., m 1u is the canonical set of residues modulo m. A set X of m integers is a complete set of residues modulo m if every integer in the canonical residue set is congruent to exactly one integer in X modulo m. For example, let m 4. t3, 12, 2, 6u is a set of residues. This is not a complete set of residues because none of the integers are congruent to 1 pmod 4q. t0, 1, 2, 3u is the canonical set of residues. t4, 5, 6, 7u is a complete set of residues since 4 0pmod 4q, 5 1pmod 4q, 6 2pmod 4q, and 7 3pmod 4q. t 8, 11, 11, 22u is a complete set of residues. To find the canonical residue for a number: If the number is positive, divide it by m. The remainder is the residue. If the number is negative, divide its absolute value by m. Then take the remainder and subtract that number from m. This is the residue. 3.2 An application of congruences 16

17 Show that is divisible by 41. To do this, we just need to show that pmod 41q. Note that 2 2pmod 41q, so pmod 41q, which implies 2 10 p2 5 q 2 p 9q pmod 41q, and hence 2 20 p2 10 q 2 p 1q 2 1pmod 41q Thus 41 p2 20 1q. 3.3 Solving simple congruence equations Solve the following: 1. x ` 13 9pmod 3q 2. x ` 13 9pmod 7q 3. x 4 3pmod 3q x pmod 25q 5. 7x 3pmod 13q [Trick: multiply both sides by 2] 6. x 3 1pmod 7q 7. 4x 16pmod 6q 8. x 2 9pmod 11q px 3, 9q 9. x 2 8pmod 11q (no solution) We can solve 1 and 2 by adding 13 to both side of the congruence, which is legal by Lemma 15. Similarly for 3, we can add 4 to both sides of the congruence and for 4 we can multiply both sides of the congruence by 6. Number 5 is a little trickier because we know that we cannot generally divide both sides of a congruence. However, we can multiply both sides of the congruence by 2, which yields x 14x 3 2 6pmod 13q. Unfortunately, a similar trick will not work for number 7, as we can see (by trying all six of the numbers in the canonical residue set) that there is no number we can multiply 4 by to get a number congruent to 1 modulo 6. For numbers 6 through 9 we are basically stuck trying all of the possible values for x. For instance, for number 6, we can 17

18 try each of the numbers 0, 1, 2, 3, 4, 5, 6, which form the canonical residue set modulo 7: ı 1pmod 7q 1 3 1pmod 7q pmod 7q pmod 7q pmod 7q pmod 7q 6 3 p 1q 3 1 6pmod 7q So we see that x 1, 2, 4 are the canonical solutions. Obviously trying every number in the canonical residue set is not going to be a productive way to solve congruences when the modulus is very large. We will first look at a method for solving ax bpmod cq. Solve 7x 3pmod 1313q. This is equivalent to 1313 p3 7xq or 1313y 3 7x or 7x`1313y 3. We already know how to do this! One solution is x 1125 and y 6. Then we use the Linear Equation Theorem to say all solutions have the form x 1125 ` 1313k, y 6 7k. General procedure: Suppose ax cpmod mq. Let d gcdpa, mq. If d c then there is no solution. If d c, then solve the equation ax ` my c using methods for solving diophantine equations to get one solution of the form x x 0. All solutions will have the form x x 0 ` kpm{dq. How many distinct pmod mq solutions are there? Solve 10x 45pmod 25q. This is equivalent to 25 p45 10xq or 45 10x 25y or 10x ` 25y 45 2x ` 5y 9 x 2 y 1 works x 2 ` 5k x 2, 17, 12, 17, 22 In this example, x 2`5k for the values k 0, 1, 2, 3, 4. All of these values of k led to distinct solutions. And if we try using other k values, we ll just get repeats of the solutions we have already found (modulo m that is). Let s go back to the example with 7x 3pmod 1313q and try different values of k: 18

19 k 0: x 1125 ` 1313p0q 188pmod 1313q k 1: x 1125 ` 1313p1q 188pmod 1313q k 2: x 1125 ` 1313p2q 188pmod 1313q Clearly every value of k is going to yield the solution x 188 (modulo 1313), since 1313k will always be equivalent to 0 modulo Question: How many solutions do you think that 16x 12pmod 28q will have modulo 28? Note that 7x 3pmod 1313q has one solution and that gcd(7, 1313q 1 Also 10x 45pmod 25q has five solutions and gcdp10, 25q 5 We guess that 16x 12pmod 28q will have four solutions since gcd(16, 28q 4. Of course in each case we also needed gcdpa, mq to divide c or we can t have any solutions at all. Theorem 17 (Linear Congruence Theorem). Let a, c and m be integers with m ě 1 and d gcdpa, mq. Then 1. If dfflc then there is no solution to ax cpmod mq. 2. If d c, then there are exactly d distinct solutions to ax cpmod mq. To solve, find one solution x x 0, y y 0 to ax ` my c. Then all solutions are given by x x 0 ` k m d for k 0, 1, 2, d 1. We already know (by Theorem 10) that ax cpmod mq (which is equivalent to ax ` my c) will have at least one solution if and only if gcdpa, mq divides c. We also know from Theorem 13 part 3 that the solutions described in part 2 above really are solutions. It now remains to show that there are exactly d solutions modulo m, where d gcdpa, mq. To do this, we first need to show that there are at least d solutions. Then we must show that there are no more than d solutions. The following two lemmas prove this. The first lemma shows that none of the solutions we get in the Linear Congruence Theorem will be repeats, which shows that there are at least d solutions. m Lemma 18. If 0 ď k 1 ă k 2 ă d, then x 0 ` k 1 d ı x m 0 ` k 2 d pmod mq. Proof. We will use proof by contradiction. m x 0 ` k 2 d pmod mq. Then m m x 0 ` k 2 d Suppose that 0 ď k 1 ă k 2 ă d, and x 0 ` k 1 m d x 0 ` k 1 m d ı, 19

20 and hence m mc x 0 ` k 2 d m ı x 0 ` k 1 m d d pk 2 k 1 q for some integer c. Moreover, since m, m d, and k 2 k 1 are all positive, we must have c ą 0, which actually means that c ě 1. Now k 2 k 1 cd and k 2 cd`k 1 ě d`k 1 ě d which is a contradiction. m (Remember that k 2 ă d.) Thus x 0 ` k 1 d ı x m 0 ` k 2 d pmod mq. The next lemma shows that if k ě d, then the corresponding solution will have already been obtained from a k ă d and hence we will have at most d solutions. m Lemma 19. If k 2 ě d then x 0 `k 2 d x m 0 `k 1 d pmod mq for some integer k 1 with k 1 k 2 pmod dq and 0 ď k 1 ă d. Proof. Let k 1 k 2 pmod dq with 0 ď k 1 ă d. Note that x 0 ` k 2 m d x 0 k 1 m d ˆk2 k 1 d m. Because k 1 k 2 pmod dq, d pk 2 k 1 q and hence k 2 k 1 dj for some j P Z. Thus the number k 2 k 1 m d j is an integer. Therefore m px 0 ` k 2 d x m 0 k 1 d zq, and consequently, x m 0 ` k 2 d m x 0 ` k 1 d pmod mq. Question: If ca cbpmod mq, when is it legal to cancel the c s from both sides? Let s look at a few examples. Consider 15 45pmod 6q divide by 5: 3 9pmod 6q divide by 3: 5 ı 15pmod 6q divide by 15: 1 ı 3pmod 6q So it s ok to divide by 5, but not by 3 or 15 in this case. Consider pmod 10q divide by 3: pmod 10q divide by 7: 45 75pmod 10q divide by 5: 63 ı 105pmod 10q So it s ok to divide by 3 and 7, but not by 5 in this case. 20

21 It appears that the following is true: Lemma 20. If ca cbpmod mq and gcd(c, mq 1, then a bpmod mq Proof. Suppose ca cbpmod mq and gcdpc, mq 1. Then m pca cbq, which we can also write as m pcpa bqq. Since gcdpc, mq 1, Lemma 14 tells us that m pa bq. Thus a bpmod mq. Let s prove the divisibility test for 3: A number is divisible by 3 if and only if the sum of its digits is divisible by 3. Proof: Suppose a number a can be written as a n a n 1 a 2 a 1 a 0 (i.e. the a i s are the digits). Then we can write a 10 n a n ` 10 2 a 2 ` 10 a 1 ` a 0. Note that a number is divisible by 3 if and only if it is congruent to 0 modulo 3. So we just need to show that a is congruent to 0 modulo 3 exactly when a n ` ` a 1 ` a 0 is congruent to 0 modulo 3. Note that 10 1pmod 3q so 10 k 1 k 1pmod 3q for all k ě 1. Thus a 10 n a n ` 10 2 a 2 ` 10 a 1 ` a 0 a n ` a n 1 ` ` a 1 ` a 0 pmod 3q. Thus a 0pmod 3q if and only if a n ` a n 1 ` ` a 1 ` a 0 0pmod 3q. 4 Primes Definition. An integer p is prime if p ą 1 and its only divisors are 1 and p. An integer n ą 1 is composite if n is not prime. Lemma 21. Suppose p is prime and p ab. Then p a or p b. Proof. Suppose that p is prime and p ab. If p a we are done. If pffla, then the only natural number that divides both p and a is 1, so gcdpa, pq 1. By Lemma 14, p b. Note: Lemma 21 is not true if p is not prime. Theorem 22. (Prime Divisibility Property) If p is prime and p a 1 a 2... a k, then p divides one of a 1, a 2,..., a k. Proof. We will use induction on k. When k 2, this is just Lemma 21. Now suppose that if p ą 2 and p divides a product of k 1 factors, then p divides one of the factors. Let p a 1 a 2... a k. Then 21

22 by Lemma 21, p a 1 or p a 2... a k.. By the inductive hypothesis, if p a 2... a k., then p divides on of the k 1 factors a 2,..., a k. Thus p a 1 or p divides on of a 2,..., a k. In other words, p divides on of a 1, a 2,..., a k. 4.1 The Fundamental Theorem of Arithmetic Theorem 23 (The Fundamental Theorem of Arithmetic). Every integer n ě 2 can be factored into a product of primes n p 1 p 2... p r in exactly one way. Proof. Let n ě 2 be an integer. First we show that n can be written as a product of primes. If n is prime, then we are done. If n is not prime, then it has a factor other than 1 or n. Let p 1 be the least factor of n other than 1. If p 1 were not prime, then it would have a divisor k with 1 ă k ă p 1. But if k p 1 and p 1 n, then k n and p 1 would not, in fact, be the least divisor of n. Thus p 1 must be prime. Now n p 1 n 1 for some integer n 1 1. If n 1 is prime, then we are done. If not, then let p 2 be the least divisor of n 1 other than 1. By the reasoning above, p 2 is prime. Then n 1 p 2 n 2 for some integer n 2 ă n 1. Then n p 1 p 2 n 2. If n 2 is prime, then we are done. Otherwise we can write n 2 p 3 n 3 with p 3 prime and n 3 ă n 2 ă n 1. Then n p 1 p 2 p 3 n 3. Continuing this process we get integers n ą n 1 ą n 2 ą n 3 ą ą 1. There cannot be infinitely many integers between 1 and n, so this process must end, which means that n j must be prime for some j. Then n p 1 p 2 p k n k is a factorization of n into primes. Now that we know that every integer greater than 1 can be written as a product of primes we need to show that these factorizations are unique. Suppose that n can be factored into primes in two different ways: n p 1 p 2 p r q 1 q 2 q s. Without loss of generality, r ď s, p 1 ď p 2 ď ď p r, and q 1 ď q 2 ď ď q s. Since q 1 q 2 q s p 1 pp 2 p r q, p 1 q 1 q 2 q s. By the Prime Divisibility Property ( Theorem 22), p 1 q j for some 1 ď j ď s. Since q j is prime, its only factors are 1 and q j, and since p 1 is prime, p 1 1. Thus p 1 q j ě q 1. By the same reasoning, q 1 p v for some 1 ď v ď r and hence q 1 p v ě p 1. Thus p 1 q 1. Now we have p 1 p 2 p r p 1 q 2 q s and hence p 2 p 3 p r q 2 q 3 q s. Repeating the process above yields p 2 q 2 which implies If we repeat the process r times, we will get p 3 p 4 p 4 q 3 q 4 q s. 1 q r`1 q r`2 q s. Since q w ą 1 for all w, we must have s r. Thus p 1 q 1, p 2 q 2,..., p r q r which shows that the two factorizations of n must have been the same. 22

23 Lemma 24. Suppose that a ą 1 and a b. Then afflpb ` 1q. Proof. We will use proof by contradiction. Suppose that a ą 1 and a b. By way of contradiction, suppose that a pb`1q. Then b ca and b`1 da for some integers c and d. Then ca`1 b`1 da, and hence 1 apd cq. Since a and d c are integers and a ą 1, the product of a and d c cannot be 1, so we have our contradiction. Thus if a ą 1 and a b, then afflpb ` 1q. Theorem 25. (Infinitely Many Primes Theorem) There are infinitely many prime numbers. Proof. Suppose there are only finitely many primes p 1, p 2..., p r. Consider the number A p 1 p 2 p r ` 1. Because A is not on the list of all primes, A cannot be prime. By the Fundamental Theorem of Arithmetic, A must be divisible by some prime; however, by Lemma 24 none of p 1, p 2,... p r can divide A, and so we have a contradiction. Thus there cannot be finitely many primes. 5 Congruences, Powers, and Fermat s Little Theorem We now turn to congruences of the form x n apmod mq. To take steps toward solving this, we consider what kind of values a n pmod mq can have, given m and a. We will start first with prime values of m. a a 2 a 3 a Table 2: Powers of a modulo 3 a a 2 a 3 a 4 a 5 a Table 3: Powers of a modulo 5 Notice that modulo 3, the columns start to repeat after 2 Modulo 5, the columns start to repeat after 4 Modulo 11, the columns start to repeat after 10 And right before the columns start repeating, there is a column of all 1s (except in the first row, where we have a 0). 23

24 a a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a Table 4: Powers of a modulo 11 Theorem 26 (Fermat s Little Theorem). If p is prime and a ı 0pmod pq, then a p 1 1pmod pq. What is the remainder when is divided by 11? By Fermat s Little Theorem, pmod 11q p4 10 q pmod 11q pmod 11q p5 2 qp5 4q pmod 11q So the remainder is 5. Before proving Fermat s Little Theorem, we will see why it holds for p 5. Then we will try to generalize to p in general. Let s try to explain why 2 4 1pmod 5q. First we make a table with values of a and 2apmod 5q: a apmod 5q Then p2 1qp2 2qp2 3qp2 4q pmod 5q. 24

25 By dividing both sides by 1, 2, 3, and 4, which we can do since 1, 2, 3, and 4 are relatively prime to 5 (Lemma 20), we get 2 4 1pmod 5q. Lemma 27. Suppose that p is a prime and pffla. Then the lists 1, 2, 3,..., p 1 a, 2a, 3a,..., pp 1qa pmod pq are the same (except for reordering). pmod pq and Proof. Since p is prime, pffla, and p does not divide 1, 2, 3,..., p 1, p must not divide any of a, 2a,..., pp 1qa. (Recall that if p ef then p e or p f, so if pffle and pfflf, then pfflef.) Thus none of the numbers a, 2a,..., pp 1qa are congruent to 0 modulo p. This means that the list a, 2a, 3a,..., pp 1qa pmod pq must be contained in the list 1, 2, 3,..., p 1 pmod pq. If we can show that no two of the numbers a, 2a,..., pp 1qa are the same modulo p, then we ll know that the two lists are exactly the same. By way of contradiction, suppose that ka japmod pq for some 1 ď k ă j ď p 1. Then p apj kq. Since pffla, we must have p pj kq. However, since 1 ď k ă j ď p 1, 1 ď j k ď p 1 and p does not divide any integers between 1 and p 1, we have our contradiction. Thus all of the numbers in the list a, 2a, 3a,..., pp 1qa pmod pq are distinct and hence the two lists are the same. Proof of Fermat s Little Theorem: By Lemma 27, the lists 1, 2, 3,..., p 1 pmod pq and a, 2a, 3a,..., pp 1qa pmod pq are the same. Thus paqp2aqp3aq ppp 1qaq 1p2qp3q pp 1qpmod pq and so a p 1 pp 1q! pp 1q!pmod pq. Notice that gcdppp 1q!, pq 1 so by Lemma 20, we can cancel pp 1q!. Thus a p 1 1pmod pq. Proof. exercise. Let m ` 37. Is m prime? Using a computer, we can tell that 2 m 1 pmod mq ı 1, so m is not prime. Does this tell us what the factors are? No, but it s not prime. Use Fermat s Little Theorem to solve x 86 6pmod 29q. 25

26 x 86 6pmod 29q px 28 q 3 x 2 6pmod 29q x 2 6pmod 29q Now you can make a table of values for x 2 pmod 29q : x x 2 pmod 29q Thus there are two solutions (modulo 29): x 8, 21. Note: We only needed to make a table with values from 0 to 14, since 15 14, 16 13, 17 12, 18 11, 19 10, and so on. (Since x 2 p xq 2, the values in the second half of the table are the same as the values in the first half, but in reverse order.) The same would be true if we had x 4 or any other even power of x. For odd powers we need to be more careful; however, we can still use the first half of the table and the fact that p xq n x n when n is 26

27 odd to make it easier to fill out the second half of the table. 6 Euler s Phi function and Chinese Remainder Theorem 6.1 Inverses To solve an equation like x ` 2 7 we add 2 to both sides of the equation because 2 is the additive inverse of 2. Similarly to solve the congruence x ` 2 7pmod 11q, we could add 2 to both sides of the congruence. (Lemma 15 allows us to do this.) Similarly, to solve the equation 3x 9 we multiply both sides of the equation by 1 3 since 1 3 is the multiplicative inverse of 3. However, if we have the congruence 3x 9pmod 11q, we cannot solve it by multiplying both sides by 1 3 because with congruences we only work with integers. Lemma 15 tells us that if a 1 b 1 pmod mq and a 2 b 2 pmod mq, then a 1 a 2 b 1 b 2 pmod mq. However, a 1, a 2, b 1, and b 2 have to be integers. Is there an integer that acts like 1 1 modulo 11? In the integers Is there an integer k such that 3k 1pmod 11q? The Linear Congruence Theorem tells us that since gcdp3, 11q 1, there is exactly one solution to the congruence 3k 1pmod 11q. It is not hard to see that k 4 is the solution: pmod 11q. Just like 1 3 is called the multiplicative inverse of 3 in the integers, we call 4 the inverse of 3 modulo 11. Definition. If ab 1pmod mq then b is called the inverse of a modulo m. The Linear Congruence Theorem tells us that ax 1pmod mq has a solution if and only if gcdpa, mq 1 and if gcdpa, mq 1, then there is exactly one solution. This gives us the following lemma: Lemma 28. The integer a has an inverse modulo m if and only if gcdpa, mq 1. If a has an inverse, then this inverse is unique (modulo m). We can use inverses to solve linear congruence equations. For example, through trial and error we may discover that modulo 10 the inverses are as follows: a a So to solve 7x 2pmod 10q you just multiply both sides by 3, the inverse of 7: 21x 6pmod 10q, and hence x 6pmod 10q. 27

28 6.2 Chinese Remainder Theorem 17 pirates try to split a pile of gold coins. When they split up the coins there are 3 left over. They begin to fight, and one pirate is killed. They again try to split the coins among 16 of them. Now there are 10 left over. Again one is killed. Finally, the coins divide equally among 15 of them. how many coins are there? This is equivalent to solving x 3pmod 17q, x 10pmod 16q, x 0pmod 15q. How do we solve a system of congruences like this? Theorem 29. (Chinese Remainder Theorem) Let m 1, m 2,..., m k be positive integers such that gcdpm i, m j q 1 for i j. Let M m 1 m 2... m k, r i M{m i and r i be the inverse of r i modulo m i Then the system of congruences x a 1 pmod m 1 q x a 2 pmod m 2 q. x a k pmod m k q has solution x a 1 r 1 r 1 ` a 2 r 2 r 2 a k r k r k pmod Mq. Back to the pirate problem: m 1 17, m 2 16, m 3 15, a 1 3, a 2 10, a 3 0. Then M Next, r {17 240, r {16 255, r { To find r i, we have to solve three congruences: r 1 1pmod 17q which is equivalent to 2 r 1 1pmod 17q, which means r Similarly, 255 r 2 1pmod 16q means 15 r 2 1pmod16q, so r We don t actually need r 3 since a 3 0. Then x 3p240q9 ` 10p255q15 ` 0p272qp r 3 q pmod 4080q. So the least possible number of pirates is However, any number that is congruent to 3930 modulo 4080 (such as 8010) will satisfy the system of congruences. Before proving the Chinese Remainder Theorem we will need to prove the following lemma. Lemma 30. If gcdpa, cq 1 and gcdpb, cq 1, then ab and c are relatively prime. Proof. Suppose that gcdpa, cq 1 and gcdpb, cq 1. By way of contradiction, suppose that d gcdpab, cq ą 1. Then by The Fundamental Theorem of Arithmetic, d can be factored into 28

29 primes. Let p be a prime factor of d. Then p d and since d ab and d c, we have that p ab and p c (by Proposition 1.1). Since p is prime and p ab, p a or p b (Lemma 21). Without loss of generality, p a. Then p a and p c and hence gcdpa, cq ě p ą 1, which is a contradiction. Thus gcdpab, cq 1. We are now able to prove the Chinese Remainder Theorem. Proof. First note that r i M{m i m 1 m 2 m i 1 m i`1 m k and since m i is relatively prime to m j for j i, by Lemma 30, gcdpm i, r i q 1. And thus r i has an inverse modulo m i (Lemma 28). So we know that the r i s exist. Now let x a 1 r 1 r 1 ` a 2 r 2 r 2 a k r k r k pmod Mq. Then a i r i r i a i pmod m i q and a j r j r j 0pmod m i q. So x 0 ` 0 ` a i ` ` 0pmod m i q. Thus x simultaneously solves all of the congruences. 6.3 Euler s Phi Function Definition. The Euler Phi function is defined as φpmq the number of positive integers less than m which are relatively prime to m. φp10q 4 since 1, 3, 5, 7 are relatively prime to 10 φp15q 8 since 1, 2, 4, 7, 8, 11, 13, 14 are relatively prime to 15. What is φp100q? List them all: 1, 3, 7, 9, 11, 13, 17, 19,.... All the evens are out and all the 5 s. So that seems that φp100q 40. We need a more reliable method. We will build a general formula for φpmq by breaking it into cases. First we look at φppq where p is prime. Since p is prime, its only divisors are 1 and p. Thus 1, 2,..., p 1 are all relatively prime to p, and hence φppq p 1. Lemma 31. If p is prime, φppq p 1. The next step is to look at powers of primes. 29

30 Lemma 32. If p is prime, then φpp k q p k p k 1. Proof. The numbers between 1 and p k that are not relatively prime to p k are p, 2p, 3p,..., p k 1 p. Thus there are p k 1 numbers that are less than or equal to p k and not relatively prime to p k, and hence the number of positive integers that are less than and relatively prime to p k is p k p k 1. What about for φpmq where m is not prime? Let s look at some examples m n mn φpmq φpnq φpmnq Table 5: φpmnq compared to φpmq and φpnq This seems to suggest that φpmnq φpmqφpnq. However this definitely doesn t always hold. For example φp2 6q φp12q φp2qφp6q and φp6 6q φp36q φp6qφp6q. Notice, however, that gcdp2, 6q 2 and gcdp6, 6q 6 while gcdpm, nq 1 for all of the m, n pairs in Table 5 Theorem 33. If gcdpm, nq 1, then φpmnq φpnqφpmq. φp100q φp4qφp25q φp2 2 qφp5 2 q p4 2qp25 5q 40. φp3060q φp8 5 79q φp8qφp5qφp79q p8 4qp4qp78q In order to prove Theorem 33 for computing Euler s Phi Function φpmq we need the following lemma. Lemma 34. Suppose that a bpmod mq, a bpmod nq, and gcdpm, nq 1. Then a bpmod mnq. Proof. exercise 30

31 Proof of Theorem 33. Suppose that m and n are relatively prime. We will make two sets A ta : 1 ď a ď mn, gcdpa, mnq 1u B tpb, cq : 1 ď b ď m, 1 ď c ď n, gcdpb, mq gcdpc, nq 1u We will count the number of things in both sets and show that A φpmnq, B φpmqφpnq, and A B. Clearly, by definition, A φpmnq and B φpmqφpnq. Now we show A B. We will define a one-to-one correspondence between A and B by a function f : A Ñ B. For a P A, let fpaq papmod mq, apmod nqq. First we suppose that fpa 1 q fpa 2 q. Then pa 1 pmod mq, a 1 pmod nqq pa 2 pmod mq, a 2 pmod nqq, and hence a 1 a 2 pmod mq and a 1 a 2 pmod nq. Thus by Lemma 34, a 1 a 2 pmod mnq. Since a 1 and a 2 are both less than mn, they must be equal. So a 1 a 2. Thus f is one-to-one. Now suppose pb, cq P B. Then we need an a such that a bpmod mq and a cpmod nq. Can this always be done? Since gcdpm, nq 1, the Chinese Remainder Theorem tells us that we can find such an a. Thus f is onto. Since f is a bijection, we know that A B, so φpmnq φpmqφpnq. Let s consider φp30q and show it equals φp5qφp6q. Then A ta : 1 ď a ď 30, gcdpa, 30q 1u B tpb, cq : 1 ď b ď 5, 1 ď c ď 6, gcdpb, 5q gcdpc, 6q 1u So The function f is A t1, 7, 11, 13, 17, 19, 23, 29u B tp1, 1q, p1, 5q, p2, 1q, p2, 5q, p3, 1q, p3, 5q, p4, 1q, p4, 5qu a pb, cq (1,1) (2,1) (1, 5) (3, 1) (2, 5) (4, 1) (3, 5) (4, 5) Theorem 35. For n ą 2 φpnq is even. Proof. Exercise 31

32 7 Powers mod m, and Euler s Formula Now we consider the values of a k pmod mq for values of m which are not prime. a a 2 a 3 a 4 a Ñ Ñ Table 6: Values of a k pmod mq for m 4 a a 2 a 3 a 4 a 5 a 6 a 7 a 8 a Ñ Ñ Table 7: Values of a k pmod mq for m 6 a a 2 a 3 a 4 a 5 a 6 a 7 a 8 a Ñ Ñ Ñ Ñ Table 8: Values of a k pmod mq for m 10 Looking at the mod 10 table, the first column (0, 1, 2, 3, 4,..., 9) repeats for the first time in the the a 5 position. In the mod 6 table, the first column repeats for the first time in the a 3 position. For primes, the first column repeated for the first time in the a p column. In this case, there was a column of 1 s before the repeat (except in the 0 row). For the 10 and 6 tables the columns before the repeat column, we don t have all 1 s, but in the 10 table, we have 1 s in the rows for 1, 3, 7, 9, which are the numbers that are relatively prime to 10. Moreover the power we raise those numbers to in order to get 1, is 4 which is φp10q. Theorem 36 (Euler s Theorem). Suppose gcdpa, mq 1. Then a φpmq 1pmod mq. 32

33 Let m 36. The numbers relatively prime to 36 are 1, 5, 7, 11, 13, 17, 19, 23, 25, 29, 31, 35. Since there are 12 of them φp36q 12. So a 12 1pmod 36q for any a in the list above. The idea of the proof of Euler s Theorem is just like FLT. For example, let s prove 4 6 1pmod 9q. There are 6 numbers relatively prime to 9: 1, 2, 4, 5, 7, 8. Multiply them all by 4: It s the same list; just reordered! So 4, 8, 7, 2, 1, 5. p4 1qp4 2qp4 4qp4 5qp4 7qp4 8q pmod 9q. We are allowed to cancel the numbers that are relatively prime to 9, so 4 6 1pmod 9q. Lemma 37. Let k 1, k 2,... k φpmq be the φpmq numbers relatively prime to m. Let gcdpa, mq 1. Then the list ak 1, ak 2,... ak φpmq pmod mq is the same as the list k 1, k 2,... k φpmq, except possibly rearranged. Proof. First we show there are no repeats in the list ak 1,... ak φpmq. Suppose ak ajpmod mq for some 1 ď j, k ă m. Since gcdpa, mq 1, by Lemma 20 we have k jpmod mq. But since 1 ď k, j ă m, it must be that k j. So there are no repeats in the list. Now we just need to show that ak i pmod mq actually comes from the list k 1, k 2,..., k φpmq, i.e. we must show that if ak i rpmod mq with 0 ď r ă m then gcdpr, mq 1. If ak i rpmod mq, then m pak i rq and hence ak i r mq or ak i mq ` r for some integer q. Since both a and k i are relatively prime to m, by Lemma 30, ak i must be relatively prime to m. By Lemma 6 1 gcdpak i, mq gcdpr, mq. Thus r must be in the list k 1, k 2,..., k φpmq and hence the two lists are the same. 33

34 Proof of Euler s Theorem. Let k 1, k 2,... k φpmq be as in the lemma. Then by Lemma 37, pak 1 qpak 2 q pak φpmq q k 1 k 2 k φpmq pmod mq. By the choice of k i, gcdpk i, mq 1 so by Lemma 20, we can cancel each k i. That leaves us with so a a a looomooon φpmq times 1pmod mq a φpmq 1pmod mq. Both Euler s Theorem and Fermat s Little Theorem give us ways to compute inverses. By Fermat s Little Theorem, a a p 2 a p 1 1pmod pq, so a p 2 pmod pq is the inverse of a modulo p. Similarly if gcdpa, mq 1, then Euler s Theorem tells us that a a φpmq 1 a φpmq 1pmod mq. Thus a φpmq 1 pmod mq is the inverse of a modulo m. 7.1 Successive Squaring So far, we have used Euler s Theorem to help us calculate things of the form a k pmod mq, particularly when k is large. However, this will not always work. For example, to find pmod 15q, we cannot use Euler s Theorem because 3 and 15 are not relatively prime. Even in cases where we can use Euler s Theorem, it may not be that helpful. Consider pmod q. By factoring, φp915163q φp1009qφp907q Using Euler s Theorem to simplify we get pmod q. But that is still pretty unhelpful. Successive squaring helps compute a n pmod mq when Euler s Theorem is not helpful (or not helpful enough). Let s compute pmod 853q. The first step is to write 327 as a sum of powers of 2: ` 64 ` 4 ` 2 ` 1. Now we compute 7 k pmod 853q for k 2, 2 2, 2 4, 2 5, 2 6, 2 7, pmod 853q 7 4 p7 2 q pmod 853q 7 8 p7 4 q pmod 853q 7 16 p7 8 q pmod 853q 7 32 p7 16 q pmod 853q 7 64 p7 32 q pmod 853q p7 64 q pmod 853q p7 128 q pmod 853q 34

35 Now `64`4`2` pmod 853q 7.2 Computing kth roots modulo m How do we solve x k bpmod mq? Solve x 17 11pmod 588q. 1. First find φp588q. We can factor , so φp588q Then find the smallest positive u such that 17u 1pmod 168q. In other words, find the inverse of 17 modulo 168. We must solve 17u ` 168y 1. Use continued fractions: p9q ` p1q ` p7q ` 1 So the continued fraction is 9 ` 1 1 ` A little experimentation reveals that u 79, y 8 We know u 79 ` 168k and to get a positive solution let k 1. Then u 89. We call u the recovery exponent. 3. Use the recovery exponent to solve: x 17 11pmod 588q px 17 q pmod 588q px 168 q y x pmod 588q x pmod 588q x 527 Theorem 38. To solve x k bpmod mq, we first require that gcdpb, mq 1, and gcdpk, φpmqq 1. Then the steps are: 1. Find φpmq. 2. Solve ku 1pmod φpmqq 3. Compute b u pmod mq by successive squaring. Then x b u pmod mq is the solution. 35

36 Proof. First we note that step 2 is solvable as long as gcdpk, φpmqq 1. Now we show that x b u pmod mq is the desired solution. Let x b u pmod mq. Then x k pb u q k b ku pmod mq. Since ku 1pmod φpmqq, we can write ku φpmqy ` 1 for some integer y. Therefore x k b ku b φpmqy`1 pb φpmq q y b bpmod mq, since gcdpb, mq 1 and Euler s theorem imply that b φpmq 1pmod mq. How efficient is this process? Step 3 is done by successive squaring, which is pretty easy. Step 2 can be done using the Euclidean Algorithm and continued fractions. Step 1 is easy if you can factor m. However, factoring can be very difficult in general. Solve x 3 5pmod 16q. First, φp16q 8. So we solve 3u 1pmod 8q. By inspection, u 3 works. Then we take x 5 3 pmod 16q 25p5q 9p5q 13pmod 16q. Solve x 31 33pmod 98q. First find φp98q 42. We check that gcdp33, 98q 1 and gcdp42, 31q 1. Next solve 31u 1pmod 42q. This is equivalent to 11u 1pmod 42q, and u 19 works. Then we solve for x pmod 98q (mod 98) (mod 98) (mod 98) (mod 98) (mod 98) (mod 98) x 89 Solve x 11 4pmod 19q. Since 19 is prime, φp19q 18. Then we solve 11u 1pmod 18q. By inspection, u 5 works. Then x 4 5 pmod 19q p4 2 q 2 4pmod 19q p 3q pmod 19q. 7.3 RSA Here is the method for RSA encryption: To encrypt 1. Pick two large primes p, q 2. Let m pq 3. Calculate φpmq pp 1qpq 1q 36