Number Theory Course notes for MA 341, Spring 2018

Transcription

1 Number Theory Course notes for MA 341, Spring 2018 Jared Weinstein May 2, 2018 Contents 1 Basic properties of the integers Definitions: Z and Q The well-ordering principle The division algorithm Running times The Euclidean algorithm The extended Euclidean algorithm Exercises due February The unique factorization theorem Factorization into primes The proof that prime factorization is unique Valuations The rational root theorem Pythagorean triples Exercises due February Congruences Definition and basic properties Solving Linear Congruences The Chinese Remainder Theorem Modular Exponentiation Exercises due February

2 4 Units modulo m: Fermat s theorem and Euler s theorem Units Powers modulo m Fermat s theorem The φ function Euler s theorem Exercises due February Orders and primitive elements Basic properties of the function ord m Primitive roots The discrete logarithm Existence of primitive roots for a prime modulus Exercises due March Some cryptographic applications The basic problem of cryptography Ciphers, keys, and one-time pads Diffie-Hellman key exchange RSA Quadratic Residues Which numbers are squares? Euler s criterion Exercises due March Quadratic Reciprocity The Legendre symbol Some reciprocity laws The main quadratic reciprocity law The Jacobi symbol Exercises due March The Gaussian integers Motivation and definitions The division algorithm and the gcd Unique factorization in Z[i] The factorization of rational primes in Z[i] Exercises due March

3 10 Unique factorization and its applications Pythagorean triples, revisited A cubic Diophantine equation The system Z[ 2] Examples of the failure of unique factorization The Eisenstein integers Exercises due April Some analytic number theory p 1/p diverges Classes of primes, and their infinitude p ±1 (mod 4) 1/p diverges Exercises due April Continued fractions and Pell s equation A closer look at the Euclidean algorithm Continued fractions in the large Real quadratic irrationals and their continued fractions Pell s equation and Z[ d] The fundamental unit The question of unique factorization for Z[ d] Exercises due April Lagrange s four square theorem Hamiltonian quaternions The Lipschitz quaternions The Hurwitz quaternions Hurwitz primes The end of the proof Basic properties of the integers 1.1 Definitions: Z and Q Number theory is the study of the integers:..., 3, 2, 1, 0, 1, 2, 3,... We use the symbol Z to stand for the set of integers. (Z stands for German Zahl, meaning number.) Now might be a good time to review some settheoretic notations: 3 Z is a true statement, meaning that 3 is a member of the integers, whereas 7 Z. 3

4 We observe that integers can be added, subtracted, and multiplied to produce other integers, but the same cannot be said for division. When we divide integers we create rational numbers, such as 3/7 and 2/3. We write the set of rational numbers as Q, for quotient. The failure of integers to divide each other evenly is so important that we have special notation to express it: for integers a and b, we write a b to mean that b/a is an integer. In other words, a b means that there exists c Z such that b = ac. In this case we say that a is a divisor of b, and that b is a multiple of a. Example The divisors of 12 are 1,2,3,4,6,12 and their negatives. A divisor of a positive integer n is proper if it s positive and not equal to n itself. Thus the proper divisors of 12 are just 1,2,3,4,6. Example is a divisor of every integer, as is 1. Also, every integer divides 0, since 0 = 0 a for every a. However, the only multiple of 0 is 0 itself. Proposition Suppose that a, b, c Z. If a b and b c, then a c. Proof. There exists integers m, n such that b = am and c = bn. c = amn, so a c. Then The above proposition says that the relation a b is transitive. Proposition Suppose a, b, d, x, y Z. If d a and d b, then d ax + by. We remark that ax + by is called a linear combination of a and b. Proof. Write a = dm and b = dn, then ax+by = d(mx+ny), so d ax+by. A positive integer is prime if it has no proper divisors other than 1. By convention, 1 is not counted as prime. Theorem (Euclid). There are infinitely many primes. Proof. If there we finitely many primes, then we could list all of them as p 1,..., p n. The number N = p 1 p n + 1 is divisible by some prime 1, which must be one of our enumerated primes, say p i. Then p i N but also p i p 1 p n. Thus p i (N p 1 p n ) = 1, which is absurd. 1 Strictly speaking, we don t know this fact yet, but for now we ll take it for granted. 4

5 Therefore we are guaranteed to never run out of primes. As of January 2018 the largest known prime is 2 77,232, This is a Mersenne prime, meaning a prime which is one less than a power of two. It is not known if there are infinitely many Mersenne primes. 1.2 The well-ordering principle How do we know that every integer n > 1 is divisible by a prime? An argument might go this way: if n isn t itself prime, then it has a proper divisor n 1 > 1. If n 1 isn t prime, then it has a proper divisor n 2 > 1, and so on. The result is that we get a strictly decreasing sequence of positive integers n > n 1 > n 2 >..., which cannot go on indefinitely. This fact, obvious that it may be, is quite important. We give it a name: The wellordering principle. Axiom (The well-ordering principle). 2 A strictly decreasing sequence of positive integers cannot go on indefinitely. Rather than attempt to prove this statement, we take it as an axiom of the system of integers. 1.3 The division algorithm We noted before that the integers are not closed under division. But there is a familiar operation among integers: you can divide one by another to obtain a quotient and a remainder. For instance, when 39 is divided by 5, the quotient is 7 and the remainder is 4. We can check this by verifying that 39 = When this is done, the remainder must be less than the number you divided by. It would be incorrect to say that 5 goes into 39 with a quotient of 6 and a remainder of 9, even though 39 = is also true. Theorem (The division algorithm). Let a, b Z, with b > 0. There exists a unique pair of integers q, r Z such that a = bq + r and that 0 r < b. Of course, if the remainder r is 0, then a = bq and therefore b a. 2 There is another formulation: every nonempty subset of the positive integers has a least element. The two formulations are equivalent. 5

6 Proof. We ll assume that a is positive, the other cases are similar. Consider the sequence a, a b, a 2b, a 3b,.... By the well-ordering principle, these cannot all be nonnegative integers. So there is a least one which is nonnegative, call it r = a bq. If r > b, then a b(q + 1) = r b > 0, which contradicts our assumption that r was the least element of our sequence. Therefore r b. That handles the existence part of the theorem. For uniqueness: if there were another pair q, r such that a = bq + r = bq + r, then r r = b(q q) would be a multiple of b, but since 0 r, r < b, this can only happen if r = r, which implies q = q as well. This proof gives a hint to the algorithm part of the division algorithm: to divide 5 into 39, keep subtracting 5 from 39 to get 34, 29, 24, 19, 14, 9, 4, at which point we cannot subtract anymore and 4 is the remainder. One says that just as multiplication is repeated addition, division is repeated subtraction. I want to introduce an important piece of notation: if r is the remainder when b is divided into a, we sometimes write a mod b = r, especially if the remainder is all we care about. You already do this with time: 17 hours after 2 o clock is 19 mod 12 = 7 o clock. (Or substitute 24 for 12 if you use that system.) We say that r is the residue of a modulo b. It is always between 0 and b 1 inclusive. 1.4 Running times Of course in practice when you want to divide larger numbers, like 114 into , you don t subtract repeatedly at all. Instead you perform an 6

7 algorithm known as long division, which looks like this: ) Thus the quotient is and the remainder is 55. This may look laborious, but you could probably do it by hand in just a few minutes. Contrast this with the repeated subtraction method. You would have had to subtract 114 from a total of times even if you could do one subtraction every second, it would take 40 days! In our applications to cryptography, it will be important to keep track of how long it takes for a person (or a computer) to run a particular algorithm, in terms of how many basic operations are performed as a function of how long the inputs are. In the case of our long division problem, there were = 12 inputs (the total number of digits in 114 and ). If a basic operation means adding, subtracting, or multiplying individual digits, then the long division algorithm took dozens of operations, while the repeated subtraction algorithm took millions of operations. One says that long division is a polynomial time algorithm, but repeated subtraction is exponential time. Behind any abstract theorem in number theory there is often an algorithmic question. For instance, we just saw that every integer n > 1 has a prime divisor. Is there a fast algorithm to find one? One simple method is to try dividing 2, 3, 4,..., n 1, n into n to see if any of these are divisors; the first one that divides n evenly will be prime (why?). Such an algorithm would require at least n steps. When n has hundreds of digits, this is completely impractical. We can save some time by noting that if we reach n without finding any factors, then n must be prime, which limits the number of steps to 7

8 about n. That seems like it should help a lot, until you figure that if n has 200 digits, then n has about 100. Computers these days are fast, but no computer out there can execute steps in any reasonable amount of time. 1.5 The Euclidean algorithm Given positive integers a and b, a common divisor is an integer d such that d a and d b. The greatest common divisor (gcd) is of course the greatest of these. This comes up in simplifying fractions: to reduce 18/12 you have to divide both numerator and denominator by their gcd, which is 6, to get 3/2. If gcd(a, b) = 1, we say that a and b are relatively prime or coprime. If a and b are large numbers, how do we compute gcd(a, b)? One way to be to count down from the smaller of the two numbers, and stop at the first one which divides them both. But if the smaller number has 100 digits, then this process will take about steps, which is far too long. The Euclidean algorithm is a very efficient way to compute gcd(a, b) without having to factor either number. It rests on repeated application of the division algorithm (which we already noted runs in polynomial time). It s best illustrated by example. Suppose we want gcd(119, 259). We calculate: 259 = = = = Note that in each iteration, the denominator and remainder become the numerator and denominator in the next step. The last non-zero remainder is 7, which is the gcd we wanted! The algorithm works because of the following lemma: Lemma For integers a, b, q, r with a = bq + r, we have gcd(a, b) = gcd(b, r). Proof. Let d = gcd(a, b) and e = gcd(b, r). We ll show that d e and e d, which will do the trick. First let s show that d e. Since d divides a and b, it divides r = a bq, which is a linear combination of a and b. Thus d is a common divisor of b and r. Therefore it cannot exceed the greatest common divisor of b and r, which is e. 8

9 Now let s show that e d. Since e divides b and r, it divides a = bq + r, which is a linear combination of b and r. Thus e is a common divisor of a and b. Therefore it cannot exceed the greatest common divisor of a and b, which is d. Thus in the example, gcd(259, 119) = gcd(119, 21) = gcd(21, 14) = gcd(14, 7) = gcd(7, 0) = 7. I should note here that as long as the remainder is nonzero, the algorithm can continue to produce a smaller remainder. By the well-ordering principle, the remainders cannot decrease forever, and so eventually one arrives at a remainder of 0. Finally, note that gcd(r, 0) = r for any nonzero r. It turns out that Euclid s algorithm runs in polynomial time. Computers can easily compute gcd(a, b) even if a and b have hundreds of digits. To get a sense of why Euclid s algorithm runs quickly, let us examine the following worst case scenario, in which we compute gcd(55, 34): 55 = = = = = = = = We computed gcd(55, 34) = 1 in 8 iterations, whereas gcd(259, 119) = 7 took only 4. Notice that the quotient was 1 each time we divided (except the last one), which means that the remainders go down as slowly as possible. We got this result because we used consecutive numbers in the Fibonacci sequence 1, 1, 2, 3, 5, 8,..., in which each number is the sum of the two previous numbers. As a result, computing gcd(a, b) can be done in at most n iterations, where the nth number in the Fibonacci sequence is larger than a and b. 9

10 1.6 The extended Euclidean algorithm The integers 49 and 40 are relatively prime, so it s no surprise that the Euclidean algorithm produces 1: 49 = = = = Now look at the sequence of quotients: 1, 4, 2, 4. It turns out that this sequence encodes the numbers we started with. Place them in the top row of a table like so: Proceeding from left to right, we fill in the blanks as follows. The first number of the top row is 1. Use the two numbers in the second row immediately preceeding this column to make a number like this: = 1. Then = 4, so we put that in the next spot. Filling out everything like this gives us The final column has 40, 49, which of course are the numbers we started with. The second-to-last column has 31, 38. Observe that = 1. This method, called the extended Euclidean algorithm, gives a practical means of finding a solution to the equation ax + by = 1 when gcd(a, b) = 1. Now let s try a = 259 and b = 119, like in our previous example. The sequence of quotients is 2, 5, 1, 2 and the gcd is 7. The extended Euclidean algorithm gives us 10

11 The numbers in the last column are 17 = 119/7 and 37 = 259/7. is, we got the numbers we started with, divided out by their gcd. second-to-last column has 6 and 13, and That The and multiplying both sides by 7 gives = 1, = 7. Theorem (Bezout s identity). Let a and b be positive integers. There exist integers x, y such that ax + by = gcd(a, b). Proof. If you believe that the extended Euclidean algorithm works, you may be satisfied already. But here is an independent proof: Among all positive linear combinations ax + by, there is a smallest one, say ax + by = d. Certainly gcd(a, b) d. Let s perform the division algorithm with a and d: a = dq + r, with 0 r < d. Then r = a dq = a (ax + by)q = a(1 xq) bqy is also a linear combination of a and b. Since d was assumed least among all positive linear combinations, and r < d, the only way this is possible is if r = 0. Thus d a. Similarly d b, which means d gcd(a, b). Combining this with gcd(a, b) d gives d = gcd(a, b). 1.7 Exercises due February The proper divisors of 6 are 1,2,3. We have = 6, meaning that 6 is a perfect number. Verify that 28 and 496 are also perfect. 2. The ancient Greeks divided integers n into perfect (sum of proper divisors is n), abundant (sum of divisors is > n), and deficient (sum of divisors is < n). Classify each of the numbers 2, 3,..., 20 into one of these three classes. 3. Suppose that p = 2 n 1 is a Mersenne prime. Prove that 2 n 1 p is a perfect number. 4. Prove that if a, b, c, d Z and a b and c d, then ac bd. 11

12 5. Let p 1,..., p n be distinct primes. How many positive divisors does p 1 p n have? 6. True or false: the rational numbers Q obey the well-ordering principle. Explain your reasoning. 7. What is the remainder when is divided by 5? (Find a pattern in the first few powers of 2.) 8. Use the Euclidean algorithm to compute gcd(527, 408) and gcd(1001, 121). 9. Use the extended Euclidean algorithm to find integers x and y such that 527x + 408y = gcd(527, 408). 10. Let a and b be integers. Show that any common divisor of a and b must divide gcd(a, b). 2 The unique factorization theorem 2.1 Factorization into primes Lemma Every positive integer can be expressed as a product of primes. (Even 1 is a product of primes: it is the empty product, so to speak. And 17 is a product of primes too, but just one of them. So one must interpret the lemma to mean every positive integer can be expressed as a product of zero or more primes. ) Proof. Let n Z be positive. If n = 1, we re done. Otherwise we can find a prime divisor p 1 n. Write n = p 1 n 1, where n 1 < n. If n 1 = 1, we re done. Otherwise we can find a prime divisor p 2 n 1 ; write n 1 = p 2 n 2, with n 2 < n 1. Continuing, we get a sequence of descending positive integers n > n 1 > n 2 >..., which cannot go on forever. Thus there exists t for which n t = 1, and then n = p 1 p 2 p n. The proof even suggests a sort of algorithm for factoring a number into primes: keep dividing out prime factors until you re completely factored the number. For instance, 72 = 2 36 = = = =

13 The process produces the same result no matter how we factor the number. Here s another way: 72 = 3 24 = = = = Perhaps this isn t so surprising. But how do we really know that you get the same prime factorization no matter what? Could there be a particular number n, possibly with hundreds of digits, which has two prime factorizations n = p 1 p 2 = q 1 q 2, with all four primes p 1, p 2, q 1, q 2 distinct? 2.2 The proof that prime factorization is unique All will rest upon the following lemma. Lemma Let a, b, c Z, with a bc and (a, b) = 1. Then a c. Proof. Crucially, we use Bezout s identity (Theorem 1.6.1). There exist x, y Z with ax + by = 1. Multiplying by c, we get acx + bcy = c. We have a bc, so that a bcy. Obviously a acx, so a acx + bcy = c. Corollary Let a, b Z. If p is a prime number and p ab, then p a or p b. Proof. We will show that if p a then p b. If p a, then gcd(p, a) = 1, in which case the preceeding lemma shows that p b. From this it is easy to see that if p divides an arbitrary product then p must divide one of the factors. Theorem (Unique Factorization Theorem). Every positive integer can be written as a product of primes in a unique way, up to ordering. Proof. If p 1 p t = q 1 q s for primes p 1,, p t, q 1,, q s, then p t divides the product q 1 q s, so that it must divide one of the factors. Without loss of generality, p t q s. But these are primes, so we must have p t = q s. Removing this factor gives p 1 p t 1 = q 1 q s 1. Continuing, we are able to match up each p with a q until no further factors remain. 2.3 Valuations The Unique Factorization Theorem shows that every n 1 can be written n = p p ap, 13

14 where p runs over primes and a p is a nonnegative integer. It must be the case that a p = 0 for all but finitely many primes, so that the product can make sense. Since prime factorization is unique, the a p are uniquely determined by n, and so it makes sense to define val p (n) = a p, the valuation of n at p. For instance, 75 = 3 5 2, so val 3 (75) = 1 and val 5 (75) = 2, whereas val p (75) = 0 for every other prime p. You can extend this definition to include negative n as well: val p ( n) = val p (n). You can even extend it to include 0. We set val p (0) =. (Why is this the right definition?) The function val p obeys the following rules: val p (mn) = val p (m) + val p (n) val p (m k ) = k val p (m), which makes it similar to the logarithm to base p. Here are some basic facts about val p : Theorem Let a, b Z. 1. a b if and only if, for all primes p, val p (a) val p (b). 2. val p (gcd(a, b)) = min {val p (a), val p (b)}. 3. val p (lcm(a, b)) = max {val p (a), val p (b)}. 4. If a > 0, then a is a perfect kth power if and only if, for all primes p, k val p (a). I encourage you think about why these facts are true, and to work with some examples. For instance, the gcd of and is A consequence of (2) is that gcd(a, b) = 1 if and only if, for all primes p, either val p (a) or val p (b) is 0. Theorem For a, b Z positive, gcd(a, b) lcm(a, b) = ab. Proof. The val p of the left hand side is min {val p (a), val p (b)}+max {val p (a), val p (b)} = val p (a) + val p (b) (why?), which is the same as val p (ab). Theorem Let a and b be coprime positive integers. If ab is a perfect square, then so are a and b. Proof. Since ab is a perfect square, val p (ab) = val p (a) + val p (b) is even for all p. Then since one of val p (a) and val p (b) has to be 0, both must be even. This shows by point (4) above that a and b are perfect squares. 14

15 2.4 The rational root theorem This is a classic example of proof by contradiction. Theorem is irrational. Proof. Assume that 2 is rational. Then 2 = p/q for positive p, q Z. Then p 2 = 2q 2. Since 2 p 2, Theorem [?] shows that 2 p; i.e. p is even. Write p = 2p 0 ; then p 2 0 = 2q2. The same reasoning shows that q is even. Write q = 2q 0, and then p 2 0 = 2q2 0. But this is the original equation! Repeating the process gives a descending sequence of positive integers p > p 0 > p 1 >..., which is impossible. It may have occurred to you to avoid the use of the well-ordering principle in this proof by arguing as follows: express p/q in lowest terms, show that p and q are both even, and then draw a contradiction. To do this, though, we need to know that it is possible to expression in lowest terms in the first place! This is the point of the following theorem: Theorem If gcd(p, q) = d, then gcd(p/d, q/d) = 1. Then if p/q is a rational number, we can let d = gcd(p, q), and then after writing p = dp 0 and q = dq 0, then gcd(p 0, q 0 ) = 1, and p 0 /q 0 is in lowest terms. Proof. We can write px + qy = d for some integers x and y, and then p 0 x + q 0 y = 1, which shows that gcd(p 0, q 0 ) = 1. But let s return to the subject of irrationality. A variation of the above proof can be used to show that 3 and 7 1/3 are irrational too. These are examples of algebraic numbers, a class of complex numbers which include combinations like 2 + 3, A number is algebraic if it is the root of a polynomial with integer coefficients. Theorem (Rational Root Theorem). Suppose the polynomial f(x) = a n x n + a n 1 x n a 0 has coefficients a i Z. If p/q is a fraction in lowest terms which is a root of f(x), then q a n and p a 0. Proof. The fact that p/q is a root of f(x) means that f(p/q) = 0. After clearing away denominators, this becomes a n p n + a n 1 p n 1 q + + a 1 pq n 1 + a 0 q n = 0. 15

16 Since p divides all terms other than the last one, it divides the last one as well: p a 0 q n. But by Theorem 2.2.2, p a 0 (remember that gcd(p, q) = 1). The proof that q a n is similar. The Rational Root Theorem gives a method for finding all rational roots p/q of a polynomial with integer coefficients, since the possibilities for p and q are limited. We can also use the Rational Root Theorem to show 2 is irrational in another way. 2 is a root of x 2 2. If 2 = p/q in lowest terms, then p 2 and q 1, which implies that p/q = ±2. But this is nonsense, since 2 ±2! The same proof can be used to show that n is irrational whenever n is not a perfect square. 2.5 Pythagorean triples A pythagorean triple is a list (a, b, c) of integers which satisfy a 2 + b 2 = c 2, so that a, b, c could be the lengths of sides of a right triangle. This is an example of a Diophantine equation: a polynomial equation meant to be solved for integer variables. This particular Diophantine equation is truly old, the solution (3, 4, 5) being known to the ancient Egyptians. Other familiar solutions are (5, 12, 13) and (6, 8, 10). The point of this discussion is to find all the Pythagorean triples. Note that if a prime p divides two of the three numbers, then it divides the third (Theorem again). Let s call a triple primitive if gcd(a, b, c) = 1. Then in a primitive triple, all pairs (a, b), (a, c), (b, c) are coprime as well. It suffices to find all the primitive triples, because any other triplet is just a multiple of a primitive one. Suppose (a, b, c) is primitive. Then a and b can t both be even. But they can t both be odd either: if a = 2m+1 and b = 2n+1 are odd, then c = 2c 0 is even, and substituting gives or 4m 2 + 4m n 2 + 4n + 1 = 4c 2 0, 2(m 2 + m + n 2 + n) + 1 = 2c 2 0, which is impossible. So a and b have opposite parities. Without loss of generality, say a is odd and b is even. We have a 2 = c 2 b 2 = (c + b)(c b). 16

17 Since gcd(b, c) = 1, gcd(c + b, c b) is 1 or 2 (Exercise 3). But we can rule out 2, since (c + b)(c b) = a 2 is odd. Thus (c + b)(c b) = a 2 is odd, so in fact gcd(c+b, c b) = 1. Now by Theorem 2.3.3, c+b = p 2 and c b = q 2 for positive integers p, q. These have to be odd and relatively prime. Solving, we get c = (p 2 + q 2 )/2, b = (p 2 q 2 )/2, and a = pq. Theorem As p and q run through pairs of odd coprime integers, (pq, (p 2 q 2 )/2, (p 2 + q 2 )/2) runs through all primitive Pythagorean triples (up to switching the a and b coordinates). 2.6 Exercises due February 9 1. How many (positive) divisors does the number have? 2. Prove that if a, b, c Z, then gcd(ab, ac) = a gcd(b, c). 3. Prove that if a, b Z are coprime then gcd(a + b, a b) is either 1 or Let a, b, c Z. Prove that if gcd(a, b) = 1, a c, and b c, then ab c. 5. Prove that if ab is a perfect cube and gcd(a, b) = 1, then a and b are both perfect cubes. 6. Find all rational roots of 3x 3 + x 2 + x Prove that is irrational. 8. Show that if a and b are integers and a n b n, then a b. (There are multiple ways to do this. One quick way is to use the rational root theorem!) 9. When the number 30! is written out in base 10, how many zeros are at the end? 10. Is it possible to write 50 as the difference between two perfect squares? 3 Congruences 3.1 Definition and basic properties Definition For integers a, b, m, we write a b (mod m) (pronounced: a is congruent to b modulo m) if m a b. 17

18 The notation here suggests that somehow a and b are equal in a funny way. Indeed you probably already have a notion of taking a number modulo 12 (or 24) when you think about the clock: The clock looks the same when 100 hours pass as when 4 hours pass, because mod 12. Or if you think about numbers as being even or odd: a b (mod 2) means that a and b have the same parity (they are either both odd or both even). The notion that a b (mod m) is a sort of equality can be formalized by checking the following three properties: 1. (Reflexivity) a a (mod m). 2. (Symmetry) If a b (mod m) then b a (mod m). 3. (Transitivity) If a b (mod m) and b c (mod m) then a c (mod m). 4. If a b (mod m) then: a + c b + c (mod m) a c b c (mod m) ac bc (mod m) The first three properties express the fact that is an equivalence relation. This means that you can treat the symbol much like the = symbol, at least when it comes to substituting equals for equals. The fourth property means that when it comes to congruences you can add, subtract or multiply by c on both sides and the congruence will remain true. You should be able to come up with short proofs of the above properties. For instance, here s a proof of 4(a): If a b (mod m) it means that m a b = (a + c) (b + c), so a + c b + c (mod m). 3.2 Solving Linear Congruences The rules we outlined above enable us to solve for x in congruences like x (mod 10). Namely, you can subtract 3 from both sides to get x 2 (mod 10), which is the same as x 8 (mod 10). But if the equation is 3x 2 (mod 10), 18

19 we cannot divide by 3 on both sides just yet because 1/3 doesn t having any meaning modulo 10 (at least until we give it meaning). We can try plugging in x = 0, 1,..., 9 to see that there is just one solution x 4 (mod 10). Here s another example: 2x 4 (mod 10). There s the obvious solution x 2 (mod 10), but then there s also x 7 (mod 10). Those are the only solutions modulo 10. You can also say that the complete solution is x 2 (mod 5). Finally, look at 2x 3 (mod 10). This time there are no solutions at all! Thus a linear congruence can have zero, one, or more than one solutions. Theorem The congruence ax b (mod m) has a solution if and only if gcd(a, m) b. If a solution exists, then it is unique modulo m/ gcd(a, m). In particular if gcd(a, m) = 1 then a solution always exists and is unique modulo m. Proof. Let s begin with the case that gcd(a, m) = 1. Then there exist x, y Z with ax +my = 1. But then m my = ax 1, so that ax 1 (mod m). We can multiply this by b to get a(bx) b (mod m). Therefore x = bx is a solution. If x is another solution, then ax ax (mod m), so m a(x x ). Since gcd(a, m) = 1, m x x and so x x (mod m). We have shown that the solution is unique in this case. In the general case, let d = gcd(a, m). The congruence ax b (mod m) means that m ax b. Since d m and a, we also have d b. Thus shows that if there is a solution we must have d b. Supposing then that d b, let a = da 0, b = db 0 and m = dm 0. The statement m ax b is equivalent to m 0 a 0 x b 0, or a 0 x b 0 (mod m 0 ). But now gcd(a 0, m 0 ), so this new congruence has a unique solution modulo m The Chinese Remainder Theorem This section is concerned with solving simultaneous congruences such as x 2 (mod 7) x 5 (mod 6), where x needs to satisfy both congruences at the same time. We might proceed by listing the solutions to the first congruence: 2, 9, 16, 23,... and stopping at the first one that satisfies the second, which is 23. Here s a 19

20 different one: x 2 (mod 8) x 3 (mod 10). This one does not have any solutions, since those x which satisfy the first congruence are even, and those satisfying the second congruence must be odd. First we ll handle the situation that m and n are coprime. Theorem Let m and n be coprime integers. congruences Then the system of has a unique solution modulo mn. x a (mod m) x b (mod n) Proof. FIrst we ll show that a solution exists, and then we ll show it s unique mod mn. Since m and n are coprime, there exist integers y and z such that my + nz = 1. Then my 1 (mod n) and nz 1 (mod m). So x = anz + bmy satisfies x a (mod m) and x b (mod n). For uniqueness: if x is another solution, then x x 0 (mod m) and x x 0 (mod n). That is, x x is divisible by m and n. Since m and n are relatively prime, x x is divisible by mn, so that x x (mod mn). The proof suggests a practical solution to the system of congruences: use the Extended Euclidean Algorithm to find y and z such that my + nz = 1, and then use the formula for x above. If m and n are not necessarily relatively prime, say d = gcd(m, n), then the simultaneous congruence cannot have a solution unless d a b. 3.4 Modular Exponentiation We have already remarked that the division algorithm runs very fast. The operation a (mod m) can be computed in polymomial time, so that it is reasonable to compute even if a and m have hundreds of digits. The same is true for modular exponentiation, meaning the computation of a n (mod m). We demonstrate with the example of (mod 100). That 20

21 is, we want the last two digits of Certainly we could compute and simply write down the last two digits, but this is impractical when the exponent is very large. Instead, we write the exponent in binary: 165 = Now the idea is to square the base 7 repeatedly: Then 3 3 (mod 100) = (mod 100). The number of times you have to square the base is at most then number of binary digits of the exponent, which is proportional to the number of decimal digits. Thus this method can handle exponents which have hundreds of digits. This fact is important for cryptography: it is much easier to exponentiate than it is to do the reverse (extract a root). 3.5 Exercises due February 16 For 1 4, if it s true, prove it, and if it s false, give a counterexample. 1. True or False: If a b (mod m) and c d (mod n) then ac bd (mod mn). 2. True or False: If a b (mod m) and c d (mod m) then ac bd (mod m). 3. True or False: the only solutions to x 2 1 (mod n) are x ±1. 4. True or False: if b c (mod m), then a b a c (mod m). 21

22 5. The multiplicative inverse of a (mod m) is an integer b such that ab 1 (mod m). Prove that the multiplicative inverse, if it exists, is unique modulo m. 6. Solve 15x 4 (mod 79). 7. Solve the system of congruences: 8. Compute (mod 501). z 1 (mod 50) z 1 (mod 71) 9. Let n 0 be an integer, and let m = 2 n + 1. Show that 2 2n 1 (mod m). 10. Let (a, b, c) be a Pythagorean triple. Show that 60 abc. 4 Units modulo m: Fermat s theorem and Euler s theorem 4.1 Units For integers a, b and m, we say that b is a (multiplicative) inverse to a modulo m if ab 1 (mod m). Of course the relation is mutual: if b is an inverse to a, then a is an inverse to b. You have already seen that an inverse is unique if it exists. Theorem a has a multiplicative inverse modulo m if and only if gcd(a, m) = 1. Proof. This is just a special case of a prior theorem: ax 1 (mod m) has a solution if and only if gcd(a, m) 1, which is to say gcd(a, m) = 1. The most important thing about units is that they can be canceled from both sides of a congruence. That is, if a is a unit modulo m, and ax ay (mod m), then we can multiply both sides be the inverse of a to get x y (mod m). Theorem The set of units modulo m is closed under multiplication. Proof. If a and b have inverses c and d, then ab is also a unit, since (ab)(cd) = (ac)(bd) 1 (mod m). 22

23 Let U m be the set of units modulo m. (This set is also written (Z/mZ).) The above theorem means we can creat multiplication tables modulo m, like this one for m = 10: Observe that every row and every column contains every unit exactly once. (Sometimes I call this the sudoku property.) This reflects the fact that if a is a unit mod m, then the linear equiation ax b (mod m) has a unique solution modulo m. Notice also that the table is symmetric about its diagonal: this reflects the fact that ab = ba (multiplication is commutative). In abstract algebra we call this sort of structure an abelian group. Easy and important exercise: Construct a table like this for m = 5, m = 7 and m = 12. Take note of any patterns you observe. 4.2 Powers modulo m Let a be an integer considered modulo m, and consider the sequence of powers a, a 2, a 3 (mod m), For instance, here are the powers of 2 modulo m for three values of m: m The first thing we can prove about this is that since there are only finitely many residues modulo m, and infinitely many possible powers, that we can find N > n with a N a n (mod m). But then, multiplying by a gives a n+k+1 a n+1 as well, and so on; we infer that the sequence a n, a n+1,..., a N 1 (mod m) is the same as the sequence a N, a N+1,..., a 2N n 1. In conclusion, the sequence powers of a modulo m must eventually enter a repeating cycle. A special case occurs when a is a unit modulo m. Then we can cancel the excess powers in a N a n to get a N n 1 (mod m). Thus at some point in the sequence of powers, 1 appears. 23

24 Definition Let a be a unit modulo m. The order of a modulo m, written ord m (a), is the smallest power n such that a n 1 (mod m). Looking at the table above, ord 15 (2) = 4 and ord 17 (2) = 8. We ll resume the study of this ord function a bit later. 4.3 Fermat s theorem When p is a prime number, U p is the set of all nonzero residues 1, 2,..., p 1. Consider the following table listing a n modulo 7: Strikingly, row 6 has only 1s. n 1 n 2 n 3 n 4 n 5 n 6 n Theorem (Fermat s (little) theorem). Let p be a prime number, and let a be a unit modulo p. Then a p 1 1 (mod p). Somtimes the theorem is stated a slightly different way: a p a (mod p) for all integers a (not just units). The only non-unit modulo p is 0, and of course 0 p 0, so the two forms are equivalent. We ll give two proofs of Fermat s theorem. #1. This proof is based on the sudoku property of the multiplication table modulo p. For a unit a, the ath row of the table reads a, 2a, 3a,..., (p 1)a (mod p). But by the sudoku property, this list of residues is just a reordering of 1, 2, 3,..., (p 1). This means the product of these two lists is the same: a 2a 3a (p 1)a (p 1) (mod p) The residues 1, 2, 3,..., (p 1) are all units, so we can cancel them; what s left over is a p 1 1 (mod p). 24

25 #2. We re going to prove a p a (mod p) for all a = 1, 2,... by induction 3. The base case 1 p 1 (mod p) is trivial. Now, assuming n p n, we use the binomial theorem: (n + 1) p = n p + ( ) p n p The binomial coefficients are ( ) p = k ( ) p n p p! k!(p k)! Z ( ) p n If k = 1,..., p 1, then neither k! ( nor ) (p k)! is divisible by p (by Theorem p 2.2.2!), but p does divide p! = k!(p k)!, so (Theorem again!) k ( ) p p. Therefore (n + 1) k p n p + 1 (mod p), so that by the inductive hypothesis (n + 1) p n + 1. We win by induction. 4.4 The φ function Definition For an integer m, φ(m) is the number of units modulo m. In order words, it is the number of integers among 1, 2,..., m which are relatively prime with m. This function is sometimes called Euler s totient function. The first few values of φ(m) are 3 The principal of mathematical induction is a way of proving a proposition P (n) for all n = 1, 2,.... It says that if P (1) is true, and if the implication P (n) = P (n + 1) is true for any n 1, then P (n) is true for all n. But we don t need to assume this as an axiom; it follows from the well-ordering principle! Indeed, if there were some n for which P (n) were false, then by hypothesis n 1. Also P (n 1) could not be true, since it implies P (n). Again by hypothesis, n 1 1. Continuing, we find a sequence of positive integers which descends indefinitely, contradiction. 25

26 m φ(m) The first thing I notice is that φ(m) appears to be even for m 3. (This follows from the fact that the units come in pairs a and a.) But of course we might want a formula for φ(m). One easy special case is that when p is a prime number, φ(p) = p 1, since the units are exactly 1, 2,..., p 1. Another case is a prime power p n : among the numbers 1, 2,..., p n, the only non-units modulo p n are those numbers divisible by p, so that φ(p n ) = p n p n 1. Theorem For m and n relatively prime, φ(mn) = φ(m)φ(n). Proof. (This is just a sketch.) We apply the Chinese remainder theorem. Each unit a modulo mn can be reduced modulo m and then modulo n, to create a function U mn U m U n. The Chinese remainder theorem shows that this function is one-to-one and onto, so that φ(mn) = φ(m)φ(n). By combining together what we know so far about φ, we get the following formula. Theorem If p a 1 1 par r φ(n) = i is the prime factorization of n, then (p a i p a i 1 ). Note that this requires knowing the prime factorization of n. As far as we know there is no shortcut to finding φ(n) without knowing the prime factorization. Therefore if n has hundreds of digits, φ(n) is very difficult to compute. 4.5 Euler s theorem Fermat s theorem has an extension to general moduli m. In fact we can just adapt proof #1 of Fermat s theorem to obtain Euler s theorem: 26

27 Theorem Let a be a unit modulo m. Then a φ(m) = 1 (mod m). 4.6 Exercises due February Compute (mod 101). 2. Compute (mod 47). 3. Compute φ(75000). 4. Compute (mod 18). 5. Prove that if p is prime, and x 2 1 (mod p), then x ±1 (mod p). 6. Prove that if p is an odd prime, and a is a unit mod p, then a (p 1)/2 ±1 (mod p). 7. How many solutions are there to x 2 1 (mod n), where n is a product of r distinct primes? 8. Prove Wilson s theorem: If p is prime, then (p 1)! 1 (mod p). Strategy: each a = 1,..., p 1 has a multiplicative inverse b, and then a and b are distinct unless a = ±1. 9. Fermat s theorem suggests the following test for primality: if a is a unit mod m, and a m 1 1 (mod m), then m cannot be prime. Compute (mod 119), and use this method to show that 119 is composite. 10. Unfortunately, this method is not foolproof. The number 561 is composite: 561 = Nevertheless, show that for all units a modulo 561, a (mod 561). 5 Orders and primitive elements 5.1 Basic properties of the function ord m Let a be a unit modulo m. Recall that a ordm(a) 1 (mod m), and a n 1 (mod m) for any integer 1 n < ord m (a). Thus if we do find a positive integer n with a n 1 (mod m), we can conclude that ord m (a) n. In fact a little more is true: Theorem Suppose that a n 1 (mod m). Then ord m (a) n. 27

28 Proof. By the division algorithm, we can write n = q ord m (a) + r, where 0 r < ord m (a). Then 1 a n (a ordm(a) ) q a r 1 q a r a r (mod m). If r 0, we get a contradiction, since r < ord m (a). n = q ord m (a). Thus r = 0 and Here s an important corollary. By Euler s theorem, a φ(m) 1 (mod m), and therefore ord m (a) φ(m). (5.1.1) This is a strong restriction on what ord m (a) could possibly be. It means that if we are interested in finding ord m (a), we don t need to compute all the powers a, a 2,... modulo m, stopping when we reach 1. Instead, we can compute a n for all divisors n of φ(m). The order ord m (a) is the least divisor n for which a n 1 (mod m). Theorem For an integer n, ord m (a n ) = ord m (a)/ gcd(n, ord m (a)). Proof. We have ordm(a) n (a n ) gcd(n,ordm(a)) = (a ordm(a) ) gcd(n,ordm(a)) 1 gcd(n,ordm(a)) 1 (mod m), so that ord m (a n ) ord m (a)/ gcd(n, ord m (a)). On the other hand, we have n a n ordm(an) = (a n ) ordm(an) 1 (mod m). Therefore by the previous theorem ord m (a) n ord m (a n ), so that ord m (a) n gcd(n, ord m (a)) gcd(n, ord m (a)) ord m(a n ). By Lemma 2.2.1, ord m (a)/ gcd(n, ord m (a)) ord m (a n ). 5.2 Primitive roots We have seen that ord m (a) φ(m) for every unit a modulo m. Sometimes it happens that ord m (a) = φ(m). This happens for instance with 3 modulo 7. The powers of 3 modulo 7 are 1, 3, 2, 6, 4, 5, 1,.... Notice that all units modulo 7 appear in this sequence. Definition A unit a is a primitive root modulo m if ord m (a) = φ(m). 28

29 To determine whether a is a primitive root, you can calculate a φ(m)/p (mod m) for every prime p which divides φ(m). If none of these residues is 1, then a is a primitive root. Here is a chart of the first few positive integers m and their primitive roots. m prim. roots mod m , ,5 8 none 9 2,5 10 3,7 11 2,6,7,8 12 none Later we ll tackle the question of which m have primitive roots. It turns out that a primitive root exists whenever m is prime. The following theorem explains the term primitive root. Theorem Let a be a primitive root modulo m. Then for every unit u modulo m, there exists n Z such that u a n (mod m). Furthermore, n is unique modulo φ(m). Thus, every unit can be generated from a primitive root. Proof. We claim that the residues 1, a, a 2,..., a φ(m) 1 are all distinct modulo m. Indeed if two of them were the same, say a i a j (mod m) for 0 i < j < φ(m), then a j i 1 (mod m), which is a contradiction because 0 < j i < φ(m). Also, all of these powers are units. But this list contains φ(m) elements, and that is exactly how many units there are. So the list must contain every unit exactly once. For uniqueness: if a n a n (mod m), then a n n 1 (mod m), so that by Theorem ord m (a) = φ(m) n n, meaning that n n (mod φ(m)). 29

30 Theorem Suppose a is a primitive root modulo m. Then the full set of primitive roots modulo m is { } a n 1 n φ(m), gcd(n, φ(m)) = 1. Thus the number of primitive roots modulo m is φ(φ(m)). Proof. By Theorem 5.2.2, it suffices to say when a n is a primitive root. By Theorem 5.1.2, ord m (a n ) = φ(m)/ gcd(n, φ(m)). Thus a n is a primitive root if and only if gcd(n, φ(m)) = The discrete logarithm Let m be an integer, and let b be a primitive root modulo m. By Theorem 5.2.2, every unit a is a power of b: a b k (mod m). Here the integer k may be considered modulo φ(m). We set k = log b (a), and call this the discrete logarithm of a to the base b. For instance, 2 is a primitive root modulo 11, and (mod 11), so log 2 (5) = 4. (You have to deduce from context that we are referring to the discrete logarithm here, and not the usual one.) The discrete logarithm obeys some of the usual rules that logarithms do, only modulo φ(m): log b (xy) log b (x) + log b (y) (mod φ(m)) log b (x n ) n log b (x) (mod φ(m)) Unlike the case of usual logarithms, discrete logarithms are not easy to compute. If m has hundreds of digits, one knows that there exists a k that makes b k a (mod m) true, but finding this k is not at all straightforward. There are algorithms to do so, but none that we know so far runs in polynomial time. Thus, the discrete logarithm is hard to compute. 5.4 Existence of primitive roots for a prime modulus Here we will address the question of the existence of primitive roots modulo a prime. The proof is a little involved, so we ll demonstrate the main idea with an example. Suppose we want to show that there exists a primitive 30

31 root modulo 59. This means finding a unit of order 58. By (5.1.1), the possible orders of units all divide 58, so they must be 1, 2, 29 or 58. The only element of order 1 is 1, and the only element of order 2 is 1. (This is proved in your exercises from last week it s here we use the fact that 59 is prime.) But there are more than 2 units! Therefore there exists an element of order 29 or 58. If there s an element of order 58, great; that s a primitive root. Otherwise, suppose x is an element of order 29. What is the order of x? It must be 29 or 58, since x ±1 (mod 59). But ( x) 29 = x 29 1 (mod 59), so that x must be a primitive root. In order for the above proof to work, it was important to know that x 2 1 (mod 59) could have only two solutions, namely ±1. This is a special case of the following theorem: Theorem Let f(x) = x n + a n 1 x n a 0 be a polynomial with integer coefficients, and let p be a prime. Then f(x) 0 (mod p) can have no more than n distinct solutions modulo p. Proof. The proof will follow from the following fact which is familiar from algebra: If f(r) 0 (mod p), then we can write f(x) (x r)g(x) (mod p) for some polynomial g(x), whose degree is n 1. (This is a congruence between polynomials it means that corresponding coefficients on either side are congruent.) This is easy to see when r = 0, because if f(0) 0 (mod p) it means that c 0 0 (mod p), so that f(x) (mod p) is divisible by x. In general, we can substitute: f(x+r) has 0 as a root, so f(x+r) xh(x), and so (substituting back) f(x) (x r)h(x r). Now suppose f(x) has n distinct roots r 1,, r n modulo p. Then f(x) (x r 1 )f 2 (x). Plugging in x = r 2, we get 0 f(r 2 ) (r 2 r 1 )f 2 (r 2 ). But since r 2 r 1, we can use Corollary to get f 2 (r 2 ) 0 (mod p). Thus (x r 2 ) can be factored out of f 2 (x): f(x) (x r 1 )(x r 2 )f 3 (x). Continuing, we get f(x) (x r 1 ) (x r n ) (mod p). (There can be nothing left over, because both sides are degree n with unit leading coefficients.) Again by Corollary 2.2.2, there cannot be a root of this other than r 1,..., r n. Lemma Suppose m and n are relatively prime. If ord p (x) = m and ord p (y) = n, then ord p (xy) = mn. 31

32 Proof. Let d = ord p (xy). On the one hand, (xy) mn = (x m ) n (y n ) m 1 (mod p), so that d mn. On the other hand, 1 (xy) md y md, so that by Theorem 5.1.1, n md, and so (Lemma 2.2.1) n d. Similarly m d, and so (since m and n are coprime) mn d. Now we return to the problem of finding a primitive root modulo a prime p. Suppose φ(p) = p 1 factors as l n 1 1 lnt t. That is, val l i (p 1) = n i for i = 1,..., t. We first claim that for each i there exists a unit u with val li ord p (u) = n i. Assume otherwise: this would mean that u (p 1)/l i 1 (mod p). But this contradicts Lemma 5.4.1, because it would mean that the polynomial x (p 1)/l i 1 has p 1 roots modulo p. Therefore there exists, for each i, a unit u i with val li ord p (u i ) = n i. Let v i = u ordp(u i)/l n i i i ; then by Lemma we have ord p (v i ) = l n i i. Let v = v 1 v t. By Lemma 5.4.2, ord p (v) = l n 1 1 lnt t = p 1, so that v is a primitive root. We have proved: Theorem Let p be a prime. There exists a primitive root modulo p. Note that the above proof is not constructive! That is, it doesn t give us an algorithm to find a primitive root modulo p. If p is large, we don t have a great way of finding a primitive root. I will say however that if we happen to know all the prime factors of p 1, then we can quickly check if a given unit u is primitive (by testing u (p 1)/l 1 for all prime l dividing p 1), so one might simply test units 2, 3, until one finds a primitive root. 5.5 Exercises due March 2 These exercises constitute your midterm. You may refer to the notes, but not to any outside sources, and you must work on your own Find integers x, y, z such that Please show your method. 55x + 35y + 77z = Let n be an integer. Show that n 13 n is divisible by True or false: for units a and b modulo m, ord m (ab) = ord m (a) ord m (b). (If true, prove it, if false, give a counterexample.) 4 Added Monday Feb. 26: I shouldn t have to say this, but there are some very real consequences for handing in work that is not your own on an exam. I won t hesitate to report plagiarism or copying to the Dean. 32