Elementary Number Theory


Elementary Number Theory
William Stein
October 2005

To my students and my wife, Clarita Lefthand.

Contents

Preface
1 Prime Numbers
  1.1 Prime Factorization
  1.2 The Sequence of Prime Numbers
  1.3 Exercises
2 The Ring of Integers Modulo n
  2.1 Congruences Modulo n
  2.2 The Chinese Remainder Theorem
  2.3 Quickly Computing Inverses and Huge Powers
  2.4 Finding Primes
  2.5 The Structure of (Z/pZ)*
  2.6 Exercises
3 Public-Key Cryptography
  3.1 The Diffie-Hellman Key Exchange
  3.2 The RSA Cryptosystem
  3.3 Attacking RSA
  3.4 Exercises
4 Quadratic Reciprocity
  4.1 Statement of the Quadratic Reciprocity Law
  4.2 Euler's Criterion
  4.3 First Proof of Quadratic Reciprocity
  4.4 A Proof of Quadratic Reciprocity Using Gauss Sums
  4.5 Finding Square Roots
  4.6 Exercises
5 Continued Fractions
  5.1 Finite Continued Fractions
  5.2 Infinite Continued Fractions
  5.3 The Continued Fraction of e
  5.4 Quadratic Irrationals
  5.5 Recognizing Rational Numbers
  5.6 Sums of Two Squares
  5.7 Exercises
6 Elliptic Curves
  6.1 The Definition
  6.2 The Group Structure on an Elliptic Curve
  6.3 Integer Factorization Using Elliptic Curves
  6.4 Elliptic Curve Cryptography
  6.5 Elliptic Curves Over the Rational Numbers
  6.6 Exercises
7 Computational Number Theory
  7.1 Prime Numbers
  7.2 The Ring of Integers Modulo n
  7.3 Public-Key Cryptography
  7.4 Quadratic Reciprocity
  7.5 Continued Fractions
  7.6 Elliptic Curves
  7.7 Exercises
Answers and Hints
References

Preface

This is a textbook about prime numbers, congruences, basic public-key cryptography, quadratic reciprocity, continued fractions, elliptic curves, and number theory algorithms. We assume the reader has some familiarity with groups, rings, and fields, and for Chapter 7 some programming experience. This book grew out of an undergraduate course that the author taught at Harvard University in 2001 and later.

Notation and Conventions. We let N = {1, 2, 3, ...} denote the natural numbers, and use the standard notation Z, Q, R, and C for the rings of integer, rational, real, and complex numbers, respectively. In this book we will use the words proposition, theorem, lemma, and corollary as follows. Usually a proposition is a less important or less fundamental assertion, a theorem a deeper culmination of ideas, a lemma something that we will use later in this book to prove a proposition or theorem, and a corollary an easy consequence of a proposition, theorem, or lemma.

Acknowledgements. Brian Conrad and Ken Ribet made a large number of clarifying comments and suggestions throughout the book. Baurzhan Bektemirov, Lawrence Cabusora, and Keith Conrad read drafts of this book and made many comments. Frank Calegari used the course when teaching Math 124 at Harvard, and he and his students provided much feedback. Noam Elkies made comments and suggested Exercise 4.5. Seth Kleinerman wrote a version of Section 5.3 as a class project. Samit Dasgupta, George Stephanides, Kevin Stern, and Heidi Williams all suggested corrections. I also benefited from conversations with Henry Cohn and David Savitt. I used Emacs, LaTeX, and Python in the preparation of this book.

1 Prime Numbers

In Section 1.1 we describe how the integers are built out of the prime numbers 2, 3, 5, 7, 11, .... In Section 1.2 we discuss theorems about the set of prime numbers, starting with Euclid's proof that this set is infinite, then explore the distribution of primes via the prime number theorem and the Riemann Hypothesis (without proofs).

1.1 Prime Factorization

1.1.1 Primes

The set of natural numbers is
$$N = \{1, 2, 3, 4, \ldots\},$$
and the set of integers is
$$Z = \{\ldots, -2, -1, 0, 1, 2, \ldots\}.$$

Definition (Divides). If $a, b \in Z$ we say that a divides b, written $a \mid b$, if $ac = b$ for some $c \in Z$. In this case we say a is a divisor of b. We say that a does not divide b, written $a \nmid b$, if there is no $c \in Z$ such that $ac = b$.

For example, we have $2 \mid 6$. Also, all integers divide 0, and 0 divides only 0. However, 3 does not divide 7 in Z.

Remark. The notation $b \,\vdots\, a$ for "b is divisible by a" is common in Russian literature on number theory.

Definition (Prime and Composite). An integer n > 1 is prime if the only positive divisors of n are 1 and n. We call n composite if n is not prime. The number 1 is neither prime nor composite.

The first few primes of N are
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, ...,
and the first few composites are
4, 6, 8, 9, 10, 12, 14, 15, 16, 18, 20, 21, 22, 24, 25, 26, 27, 28, 30, 32, 33, 34, ....

Remark. J. H. Conway argues in [Con97, viii] that −1 should be considered a prime, and in the 1914 table [Leh14], Lehmer considers 1 to be a prime. In this book we consider neither 1 nor −1 to be prime.

Every natural number is built, in a unique way, out of prime numbers:

Theorem 1.1.5 (Fundamental Theorem of Arithmetic). Every natural number can be written as a product of primes uniquely up to order.

Note that primes are the products with only one factor and 1 is the empty product.

Remark. Theorem 1.1.5, which we will prove in Section 1.1.4, is trickier to prove than you might first think. For example, unique factorization fails in the ring
$$Z[\sqrt{-5}] = \{a + b\sqrt{-5} : a, b \in Z\} \subset C,$$
where 6 factors into irreducible elements in two different ways:
$$2 \cdot 3 = 6 = (1 + \sqrt{-5}) \cdot (1 - \sqrt{-5}).$$

1.1.2 The Greatest Common Divisor

We will use the notion of greatest common divisor of two integers to prove that if p is a prime and $p \mid ab$, then $p \mid a$ or $p \mid b$. Proving this is the key step in our proof of Theorem 1.1.5.

Definition (Greatest Common Divisor). Let
$$\gcd(a, b) = \max\{d \in Z : d \mid a \text{ and } d \mid b\},$$
unless both a and b are 0, in which case gcd(0, 0) = 0.

For example, gcd(1, 2) = 1, gcd(6, 27) = 3, and for any a, gcd(0, a) = gcd(a, 0) = a.

If $a \neq 0$, the greatest common divisor exists because if $d \mid a$ then $d \leq |a|$, and there are only |a| positive integers $\leq |a|$. Similarly, the gcd exists when $b \neq 0$.

Lemma 1.1.8. For any integers a and b we have
$$\gcd(a, b) = \gcd(b, a) = \gcd(\pm a, \pm b) = \gcd(a, b - a) = \gcd(a, b + a).$$

Proof. We only prove that gcd(a, b) = gcd(a, b − a), since the other cases are proved in a similar way. Suppose $d \mid a$ and $d \mid b$, so there exist integers $c_1$ and $c_2$ such that $dc_1 = a$ and $dc_2 = b$. Then $b - a = dc_2 - dc_1 = d(c_2 - c_1)$, so $d \mid b - a$. Thus $\gcd(a, b) \leq \gcd(a, b - a)$, since the set over which we are taking the max for gcd(a, b) is a subset of the set for gcd(a, b − a). The same argument with a replaced by −a and b replaced by b − a shows that
$$\gcd(a, b - a) = \gcd(-a, b - a) \leq \gcd(-a, b) = \gcd(a, b),$$
which proves that gcd(a, b) = gcd(a, b − a).

Lemma. Suppose $a, b, n \in Z$. Then gcd(a, b) = gcd(a, b − an).

Proof. By repeated application of Lemma 1.1.8, we have
$$\gcd(a, b) = \gcd(a, b - a) = \gcd(a, b - 2a) = \cdots = \gcd(a, b - an).$$

Assume for the moment that we have already proved Theorem 1.1.5. A natural (and naive!) way to compute gcd(a, b) is to factor a and b as a product of primes using Theorem 1.1.5; then the prime factorization of gcd(a, b) can be read off from that of a and b. For example, if a = 2261 and b = 1275, then $a = 7 \cdot 17 \cdot 19$ and $b = 3 \cdot 5^2 \cdot 17$, so gcd(a, b) = 17. It turns out that the greatest common divisor of two integers, even huge numbers (millions of digits), is surprisingly easy to compute using the algorithm below, which computes gcd(a, b) without factoring a or b.

To motivate that algorithm, we compute gcd(2261, 1275) in a different way. First, we recall a helpful fact.

Proposition. Suppose that a and b are integers with $b \neq 0$. Then there exist unique integers q and r such that $0 \leq r < |b|$ and $a = bq + r$.

Proof. For simplicity, assume that both a and b are positive (we leave the general case to the reader). Let Q be the set of all nonnegative integers n such that a − bn is nonnegative. Then Q is nonempty because $0 \in Q$ and Q is bounded because a − bn < 0 for all n > a/b. Let q be the largest element of Q. Then r = a − bq < b, otherwise q + 1 would also be in Q. Thus q and r satisfy the existence conclusion.

To prove uniqueness, suppose for the sake of contradiction that q' and r' = a − bq' also satisfy the conclusion but that $q' \neq q$. Then $q' \in Q$ since $r' = a - bq' \geq 0$, so q' < q and we can write q' = q − m for some m > 0. But then $r' = a - bq' = a - b(q - m) = a - bq + bm = r + bm > b$ since $r \geq 0$, a contradiction.

For us an algorithm is a finite sequence of instructions that can be followed to perform a specific task, such as a sequence of instructions in a computer program, which must terminate on any valid input. The word algorithm is sometimes used more loosely (and sometimes more precisely) than defined here, but this definition will suffice for us.

Algorithm (Division Algorithm). Suppose a and b are integers with $b \neq 0$. This algorithm computes integers q and r such that $0 \leq r < |b|$ and a = bq + r. We will not describe the actual steps of this algorithm, since it is just the familiar long division algorithm.

We use the division algorithm repeatedly to compute gcd(2261, 1275). Dividing 2261 by 1275 we find that
$$2261 = 1275 \cdot 1 + 986,$$
so q = 1 and r = 986. Notice that if a natural number d divides both 2261 and 1275, then d divides their difference 986 and d still divides 1275. On the other hand, if d divides both 1275 and 986, then it has to divide their sum 2261 as well! We have made progress:
$$\gcd(2261, 1275) = \gcd(1275, 986).$$
This equality also follows by repeated application of Lemma 1.1.8. Repeating, we have
$$1275 = 986 \cdot 1 + 289,$$
so gcd(1275, 986) = gcd(986, 289). Keep going:
$$986 = 289 \cdot 3 + 119, \qquad 289 = 119 \cdot 2 + 51, \qquad 119 = 51 \cdot 2 + 17.$$
Thus $\gcd(2261, 1275) = \cdots = \gcd(51, 17)$, which is 17 because $17 \mid 51$. Thus gcd(2261, 1275) = 17.

Aside from some tedious arithmetic, that computation was systematic, and it was not necessary to factor any integers (which is something we do not know how to do quickly if the numbers involved have hundreds of digits).

Algorithm (Greatest Common Divisor). Given integers a, b, this algorithm computes gcd(a, b).

1. [Assume $a > b \geq 0$] We have gcd(a, b) = gcd(|a|, |b|) = gcd(|b|, |a|), so we may replace a and b by their absolute value and hence assume $a, b \geq 0$. If a = b output a and terminate. Swapping if necessary we assume a > b.

2. [Quotient and Remainder] Using the Division Algorithm, write a = bq + r, with $0 \leq r < b$ and $q \in Z$.

3. [Finished?] If r = 0 then $b \mid a$, so we output b and terminate.

4. [Shift and Repeat] Set $a \leftarrow b$ and $b \leftarrow r$, then go to step 2.

Proof. The lemmas above imply that gcd(a, b) = gcd(b, r), so the gcd does not change in step 4. Since the remainders form a decreasing sequence of nonnegative integers, the algorithm terminates.

See Chapter 7 for an implementation of this algorithm.

Example. Set a = 15 and b = 6.
$$15 = 6 \cdot 2 + 3 \qquad \gcd(15, 6) = \gcd(6, 3)$$
$$6 = 3 \cdot 2 + 0 \qquad \gcd(6, 3) = \gcd(3, 0) = 3$$

Note that we can just as easily do an example that is ten times as big, an observation that will be important in the proof of the next lemma.

Example. Set a = 150 and b = 60.
$$150 = 60 \cdot 2 + 30 \qquad \gcd(150, 60) = \gcd(60, 30)$$
$$60 = 30 \cdot 2 + 0 \qquad \gcd(60, 30) = \gcd(30, 0) = 30$$

Lemma. For any integers a, b, n, we have
$$\gcd(an, bn) = \gcd(a, b) \cdot n.$$

Proof. The idea is to follow the preceding example; we step through Euclid's algorithm for gcd(an, bn) and note that at every step the equation is the equation from Euclid's algorithm for gcd(a, b) but multiplied through by n. For simplicity, assume that both a and b are positive. We will prove the lemma by induction on a + b. The statement is true in the base case when a + b = 2, since then a = b = 1. Now assume a, b are arbitrary with $a \geq b$. Let q and r be such that a = bq + r and $0 \leq r < b$. Then by the lemmas above, we have gcd(a, b) = gcd(b, r). Multiplying a = bq + r by n we see that an = bnq + rn, so gcd(an, bn) = gcd(bn, rn). Then
$$b + r = b + (a - bq) = a - b(q - 1) \leq a < a + b,$$
so by induction gcd(bn, rn) = gcd(b, r) · n. Since gcd(a, b) = gcd(b, r), this proves the lemma.

Lemma. Suppose $a, b, n \in Z$ are such that $n \mid a$ and $n \mid b$. Then $n \mid \gcd(a, b)$.

Proof. Since $n \mid a$ and $n \mid b$, there are integers $c_1$ and $c_2$ such that $a = nc_1$ and $b = nc_2$. By the previous lemma, $\gcd(a, b) = \gcd(nc_1, nc_2) = n \cdot \gcd(c_1, c_2)$, so n divides gcd(a, b).
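The Greatest Common Divisor algorithm above, written (as an added example, not code from the book) so that it records every (a, b) pair it visits; the trace can be compared step by step with the worked computations, and a second function checks the lemma gcd(an, bn) = gcd(a, b) · n by comparing a scaled trace. Function names are my own.

```python
# Added example (not from the book): Euclid's algorithm with a trace of the
# intermediate (a, b) pairs, so each step can be matched against the text.

def division_algorithm(a: int, b: int) -> tuple[int, int]:
    """Return (q, r) with a = b*q + r and 0 <= r < |b| (the Division Algorithm)."""
    if b == 0:
        raise ZeroDivisionError("b must be nonzero")
    q, r = divmod(a, abs(b))   # Python's divmod yields 0 <= r < |b| for a positive divisor
    if b < 0:
        q = -q                 # a = (-|b|)(-q) + r
    return q, r

def gcd_trace(a: int, b: int) -> tuple[int, list[tuple[int, int]]]:
    """Euclid's algorithm; returns gcd(a, b) and the list of (a, b) pairs visited."""
    a, b = abs(a), abs(b)          # step 1: gcd(a, b) = gcd(|a|, |b|)
    if a < b:
        a, b = b, a                # step 1: assume a > b >= 0
    trace = [(a, b)]
    while b != 0:                  # step 3: r == 0 means b | a, so b is the answer
        _, r = division_algorithm(a, b)   # step 2: a = bq + r
        a, b = b, r                       # step 4: shift and repeat
        trace.append((a, b))
    return a, trace

def gcd_scaled_matches(a: int, b: int, n: int) -> bool:
    """The lemma gcd(an, bn) = gcd(a, b)*n, checked the way its proof argues:
    the trace for (an, bn) is the trace for (a, b) with every entry times n."""
    g, t = gcd_trace(a, b)
    gn, tn = gcd_trace(a * n, b * n)
    return gn == g * n and tn == [(x * n, y * n) for (x, y) in t]

if __name__ == "__main__":
    g, steps = gcd_trace(2261, 1275)
    for (x, y) in steps:
        print(f"gcd({x}, {y})")
    print("gcd =", g)
```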

At this point it would be natural to formally analyze the complexity of Euclid's algorithm. We will not do this, because the main reason we introduced the algorithm is that it will allow us to prove Theorem 1.1.5, and we have not chosen to formally analyze the complexity of the other algorithms in this book. For an extensive analysis of the complexity of Euclid's algorithm, see [Knu98, 4.5.3].

With Euclid's algorithm, we can prove that if a prime divides the product of two numbers, then it has got to divide one of them. This result is the key to proving that prime factorization is unique.

Theorem (Euclid). Let p be a prime and $a, b \in N$. If $p \mid ab$ then $p \mid a$ or $p \mid b$.

You might think this theorem is intuitively obvious, but that might be because the fundamental theorem of arithmetic (Theorem 1.1.5) is deeply ingrained in your intuition. Yet this theorem will be needed in our proof of the fundamental theorem of arithmetic.

Proof of the Theorem. If $p \mid a$ we are done. If $p \nmid a$ then gcd(p, a) = 1, since only ±1 and ±p divide p. By the lemma gcd(an, bn) = gcd(a, b) · n, we have gcd(pb, ab) = b. Since $p \mid pb$ and, by hypothesis, $p \mid ab$, it follows from the lemma on common divisors that $p \mid \gcd(pb, ab) = b$.

1.1.3 Numbers Factor as Products of Primes

In this section, we prove that every natural number factors as a product of primes. Then we discuss the difficulty of finding such a decomposition in practice. We will wait until Section 1.1.4 to prove that factorization is unique.

As a first example, let n = 1275. The sum of the digits of n is divisible by 3, so n is divisible by 3 (see Proposition 2.1.3), and we have $n = 3 \cdot 425$. The number 425 is divisible by 5, since its last digit is 5, and we have $1275 = 3 \cdot 5 \cdot 85$. Again, dividing 85 by 5, we have $1275 = 3 \cdot 5^2 \cdot 17$, which is the prime factorization of 1275. Generalizing this process proves the following proposition:

Proposition. Every natural number is a product of primes.

Proof. Let n be a natural number. If n = 1, then n is the empty product of primes. If n is prime, we are done. If n is composite, then n = ab with a, b < n. By induction, a and b are products of primes, so n is also a product of primes.

Two questions immediately arise: (1) is this factorization unique, and (2) how quickly can we find such a factorization? Addressing (1), what if

we had done something differently when breaking apart 1275 as a product of primes? Could the primes that show up be different? Let's try: we have $1275 = 5 \cdot 255$. Now 255 = 5 · 51 and 51 = 17 · 3, and again the factorization is the same, as asserted by Theorem 1.1.5 above. We will prove uniqueness of the prime factorization of any integer in Section 1.1.4.

Regarding (2), there are algorithms for integer factorization; e.g., in Section 6.3 and in Chapter 7 we will study and implement some of them. It is a major open problem to decide how fast integer factorization algorithms can be.

Open Problem. Is there an algorithm which can factor any integer n in polynomial time? (See below for the meaning of polynomial time.)

By polynomial time we mean that there is a polynomial f(x) such that for any n the number of steps needed by the algorithm to factor n is less than $f(\log_{10}(n))$. Note that $\log_{10}(n)$ is an approximation for the number of digits of the input n to the algorithm.

Peter Shor [Sho97] devised a polynomial time algorithm for factoring integers on quantum computers. We will not discuss his algorithm further, except to note that in 2001 IBM researchers built a quantum computer that used Shor's algorithm to factor 15 (see [LMG+01, IBM01]).

You can earn money by factoring certain large integers. Many cryptosystems would be easily broken if factoring certain large integers were easy. Since nobody has proven that factoring integers is difficult, one way to increase confidence that factoring is difficult is to offer cash prizes for factoring certain integers. For example, until recently there was a $10000 bounty on factoring a certain 174-digit integer (see [RSA]). This number is known as RSA-576 since it has 576 digits when written in binary (binary representation is discussed later in the book). It was factored at the German Federal Agency for Information Technology Security in December 2003 (see [Wei03]). The previous RSA challenge was the 155-digit number RSA-155.

It was factored on 22 August 1999 by a group of sixteen researchers in four months on a cluster of 292 computers (see [ACD+99]). They found that RSA-155 is the product of two 78-digit primes p and q.

The next RSA challenge is RSA-640, and its factorization was worth $20000 until November 2005 when it was factored by F. Bahr, M. Boehm, J. Franke, and T. Kleinjung. This factorization took 5 months. (This team also factored a 663-bit RSA challenge integer.) The smallest currently open challenge is RSA-704, worth $30000.

These RSA numbers were factored using an algorithm called the number field sieve (see [LL93]), which is the best-known general purpose factorization algorithm. A description of how the number field sieve works is beyond the scope of this book. However, the number field sieve makes extensive use of the elliptic curve factorization method, which we will describe in Section 6.3.

1.1.4 The Fundamental Theorem of Arithmetic

We are ready to prove Theorem 1.1.5 using the following idea. Suppose we have two factorizations of n. Using Euclid's theorem we cancel common primes from each factorization, one prime at a time. At the end, we discover that the factorizations must consist of exactly the same primes. The technical details are given below.

Proof. If n = 1, then the only factorization is the empty product of primes, so suppose n > 1. By the proposition above, there exist primes $p_1, \ldots, p_d$ such that
$$n = p_1 p_2 \cdots p_d.$$
Suppose that
$$n = q_1 q_2 \cdots q_m$$
is another expression of n as a product of primes. Since $p_1 \mid n = q_1 (q_2 \cdots q_m)$, Euclid's theorem implies that $p_1 = q_1$ or $p_1 \mid q_2 \cdots q_m$. By induction, we see that $p_1 = q_i$ for some i. Now cancel $p_1$ and $q_i$, and repeat the above argument. Eventually, we find that, up to order, the two factorizations are the same.

1.2 The Sequence of Prime Numbers

This section is concerned with three questions:

1. Are there infinitely many primes?
2. Given $a, b \in Z$, are there infinitely many primes of the form ax + b?
3. How are the primes spaced along the number line?

We first show that there are infinitely many primes, then state Dirichlet's theorem that if gcd(a, b) = 1, then ax + b is a prime for infinitely many values of x. Finally, we discuss the Prime Number Theorem which asserts that there are asymptotically $x/\log(x)$ primes less than x, and we make a connection between this asymptotic formula and the Riemann Hypothesis.

1.2.1 There Are Infinitely Many Primes

Each number on the left in the following table is prime. We will see soon that this pattern does not continue indefinitely, but something similar works.
$$3 = 2 + 1$$
$$7 = 2 \cdot 3 + 1$$
$$31 = 2 \cdot 3 \cdot 5 + 1$$
$$211 = 2 \cdot 3 \cdot 5 \cdot 7 + 1$$
$$2311 = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 + 1$$

Theorem (Euclid). There are infinitely many primes.

Proof. Suppose that $p_1, p_2, \ldots, p_n$ are n distinct primes. We construct a prime $p_{n+1}$ not equal to any of $p_1, \ldots, p_n$ as follows. If
$$N = p_1 p_2 p_3 \cdots p_n + 1, \tag{1.2.1}$$
then by the proposition above there is a factorization
$$N = q_1 q_2 \cdots q_m$$
with each $q_i$ prime and $m \geq 1$. If $q_1 = p_i$ for some i, then $p_i \mid N$. Because of (1.2.1), we also have $p_i \mid N - 1$, so $p_i \mid 1 = N - (N - 1)$, which is a contradiction. Thus the prime $p_{n+1} = q_1$ is not in the list $p_1, \ldots, p_n$, and we have constructed our new prime.

For example,
$$2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 + 1 = 30031 = 59 \cdot 509.$$
Multiplying together the first 6 primes and adding 1 doesn't produce a prime, but it produces an integer that is merely divisible by a new prime.

Joke (Hendrik Lenstra). There are infinitely many composite numbers.

Proof. To obtain a new composite number, multiply together the first n composite numbers and don't add 1.

1.2.2 Enumerating Primes

The Sieve of Eratosthenes is an efficient way to enumerate all primes up to n. The sieve works by first writing down all numbers up to n, noting that 2 is prime, and crossing off all multiples of 2. Next, note that the first number not crossed off is 3, which is prime, and cross off all multiples of 3, etc. Repeating this process, we obtain a list of the primes up to n. Formally, the algorithm is as follows:

Algorithm (Sieve of Eratosthenes). Given a positive integer n, this algorithm computes a list of the primes up to n.

1. [Initialize] Let X = [3, 5, ...] be the list of all odd integers between 3 and n. Let P = [2] be the list of primes found so far.

2. [Finished?] Let p be the first element of X. If $p \geq \sqrt{n}$, append each element of X to P and terminate. Otherwise append p to P.

3. [Cross Off] Set X equal to the sublist of elements in X that are not divisible by p. Go to step 2.

For example, to list the primes $\leq 40$ using the sieve, we proceed as follows. First P = [2] and
X = [3, 5, 7, 11, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39].
We append 3 to P and cross off all multiples of 3 to obtain the new list
X = [5, 7, 11, 13, 17, 19, 23, 25, 29, 31, 35, 37].
Next we append 5 to P, obtaining P = [2, 3, 5], and cross off the multiples of 5, to obtain
X = [7, 11, 13, 17, 19, 23, 29, 31, 37].
Because $7 \geq \sqrt{40}$, we append X to P and find that the primes less than 40 are
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37.

Proof of the Algorithm. The part of the algorithm that is not clear is that when the first element a of X satisfies $a \geq \sqrt{n}$, then each element of X is prime. To see this, suppose m is in X, so $\sqrt{n} \leq m \leq n$ and that m is divisible by no prime that is $\leq \sqrt{n}$. Write $m = \prod p_i^{e_i}$ with the $p_i$ distinct primes and $p_1 < p_2 < \cdots$. If $p_i > \sqrt{n}$ for each i and there is more than one $p_i$, then m > n, a contradiction. Thus some $p_i$ is less than $\sqrt{n}$, which also contradicts our assumptions on m.

See Chapter 7 for an implementation of this algorithm.

1.2.3 The Largest Known Prime

Though Euclid's theorem implies that there are infinitely many primes, it still makes sense to ask the question "What is the largest known prime?" A Mersenne prime is a prime of the form $2^q - 1$. According to [Cal] the largest known prime as of July 2004 is a Mersenne prime with over seven million decimal digits, so writing it out would fill over 10 books the size of this book. Euclid's theorem implies that there definitely is a prime bigger than this 7.2 million digit prime. Deciding whether or not a number is prime is interesting, both as a motivating problem and for applications to cryptography, as we will see in Section 2.4 and Chapter 3.

1.2.4 Primes of the Form ax + b

Next we turn to primes of the form ax + b, where a and b are fixed integers with a > 1 and x varies over the natural numbers N. We assume that gcd(a, b) = 1, because otherwise there is no hope that ax + b is prime infinitely often. For example, 2x + 2 = 2(x + 1) is only prime if x = 0, and is not prime for any other $x \in N$.

Proposition. There are infinitely many primes of the form 4x − 1.

Why might this be true? We list numbers of the form 4x − 1 and mark with an asterisk those that are prime:
3*, 7*, 11*, 15, 19*, 23*, 27, 31*, 35, 39, 43*, 47*, ...
It is plausible that marked numbers would continue to appear indefinitely.

Proof. Suppose $p_1, p_2, \ldots, p_n$ are distinct primes of the form 4x − 1. Consider the number
$$N = 4 p_1 p_2 \cdots p_n - 1.$$
Then $p_i \nmid N$ for any i. Moreover, not every prime $p \mid N$ is of the form 4x + 1; if they all were, then N would be of the form 4x + 1. Thus there is a $p \mid N$ that is of the form 4x − 1. Since $p \neq p_i$ for any i, we have found a new prime of the form 4x − 1. We can repeat this process indefinitely, so the set of primes of the form 4x − 1 cannot be finite.

Note that this proof does not work if 4x − 1 is replaced by 4x + 1, since a product of primes of the form 4x − 1 can be of the form 4x + 1.

Example. Set $p_1 = 3$, $p_2 = 7$. Then
$$N = 4 \cdot 3 \cdot 7 - 1 = 83$$
is a prime of the form 4x − 1. Next
$$N = 4 \cdot 3 \cdot 7 \cdot 83 - 1 = 6971,$$
which is again a prime of the form 4x − 1. Again:
$$N = 4 \cdot 3 \cdot 7 \cdot 83 \cdot 6971 - 1 = 48601811 = 61 \cdot 796751.$$
This time 61 is a prime, but it is of the form $4x + 1 = 4 \cdot 15 + 1$. However, 796751 is prime and $796751 = 4 \cdot 199187 + 3$. We are unstoppable:
$$N = 4 \cdot 3 \cdot 7 \cdot 83 \cdot 6971 \cdot 796751 - 1 = 5591 \cdot 6926049421.$$
This time the small prime, 5591, is of the form 4x − 1 and the large one is of the form 4x + 1.

Theorem (Dirichlet). Let a and b be integers with gcd(a, b) = 1. Then there are infinitely many primes of the form ax + b.

Proofs of this theorem typically use tools from advanced number theory, and are beyond the scope of this book (see e.g., [FT93, VIII.4]).
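The construction in the proof of the proposition on primes of the form 4x − 1, run mechanically as an added example (not code from the book): form N = 4·p₁⋯pₙ − 1, factor it by trial division, and pick a prime factor ≡ 3 (mod 4), which the proof guarantees exists and is new. Starting from {3, 7} it reproduces the steps of the example above. Helper names are my own.

```python
# Added example (not from the book): iterating N = 4*p_1*...*p_n - 1 and
# extracting a new prime of the form 4x - 1 from each N, as in the proof.
from math import prod

def smallest_prime_factor(n: int) -> int:
    """Smallest prime factor of n >= 2 by trial division (fine for n up to ~10^14)."""
    if n % 2 == 0:
        return 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return d
        d += 2
    return n                 # no divisor <= sqrt(n): n itself is prime

def prime_factors(n: int) -> list[int]:
    """Prime factorization of n >= 2 as an ascending list with multiplicity."""
    factors = []
    while n > 1:
        p = smallest_prime_factor(n)
        factors.append(p)
        n //= p
    return factors

def new_prime_4x_minus_1(primes: list[int]) -> tuple[int, int]:
    """Given distinct primes of the form 4x - 1, return (N, p) with
    N = 4*prod(primes) - 1 and p | N a prime of the form 4x - 1 not in the list."""
    N = 4 * prod(primes) - 1
    for p in prime_factors(N):
        if p % 4 == 3:       # not every prime factor of N can be of the form 4x + 1
            # p_i never divides N, since N = -1 (mod p_i); so p is new
            assert p not in primes
            return N, p
    raise AssertionError("unreachable: N is 3 mod 4, so some prime factor is too")

def iterate(start: list[int], steps: int) -> list[tuple[int, list[int], int]]:
    """Repeat the construction; each record is (N, prime factors of N, chosen p)."""
    primes = list(start)
    records = []
    for _ in range(steps):
        N, p = new_prime_4x_minus_1(primes)
        records.append((N, prime_factors(N), p))
        primes.append(p)
    return records

if __name__ == "__main__":
    for N, factors, p in iterate([3, 7], 4):
        print(f"N = {N} = {' * '.join(map(str, factors))};  new prime = {p}")
```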

TABLE 1.1. Values of π(x)
x | π(x)
(values not reproduced in this transcription)

1.2.5 How Many Primes are There?

We saw in Section 1.2.1 that there are infinitely many primes. In order to get a sense for just how many primes there are, we consider a few warm-up questions. Then we consider some numerical evidence and state the prime number theorem, which gives an asymptotic answer to our question, and connect this theorem with a form of the Riemann Hypothesis. Our discussion of counting primes in this section is very cursory; for more details, read Crandall and Pomerance's excellent book [CP01, 1.1.5].

The following vague discussion is meant to motivate a precise way to measure the number of primes. How many natural numbers are even? Answer: Half of them. How many natural numbers are of the form 4x − 1? Answer: One fourth of them. How many natural numbers are perfect squares? Answer: Zero percent of all natural numbers, in the sense that the limit of the proportion of perfect squares to all natural numbers converges to 0. More precisely,
$$\lim_{x \to \infty} \frac{\#\{n \in N : n \leq x \text{ and } n \text{ is a perfect square}\}}{x} = 0,$$
since the numerator is roughly $\sqrt{x}$ and $\lim_{x \to \infty} \frac{\sqrt{x}}{x} = 0$. Likewise, it is an easy consequence of the Prime Number Theorem below that zero percent of all natural numbers are prime (see Exercise 1.4).

We are thus led to ask another question: How many positive integers $\leq x$ are perfect squares? Answer: roughly $\sqrt{x}$. In the context of primes, we ask,

Question. How many natural numbers $\leq x$ are prime?

Let
$$\pi(x) = \#\{p \in N : p \leq x \text{ is a prime}\}.$$
For example,
$$\pi(6) = \#\{2, 3, 5\} = 3.$$
Some values of π(x) are given in Table 1.1, and Figures 1.1 and 1.2 contain graphs of π(x). These graphs look like straight lines, which maybe bend down slightly.

Gauss had a lifelong love of enumerating primes. Eventually he computed π(x) for a very large value of x, though the author doesn't know whether or not Gauss got the right answer. Gauss conjectured the following asymptotic formula for π(x), which was later proved independently by Hadamard and Vallée Poussin in 1896 (but will not be proved in this book):

FIGURE 1.1. Graph of π(x) for x < 1000 (marked points include (100, 25), (200, 46), (900, 154), (1000, 168)).

TABLE 1.2. Comparison of π(x) and x/(log(x) − 1)
x | π(x) | x/(log(x) − 1) (approx)
(values not reproduced in this transcription)

Theorem (Prime Number Theorem). The function π(x) is asymptotic to $x/\log(x)$, in the sense that
$$\lim_{x \to \infty} \frac{\pi(x)}{x/\log(x)} = 1.$$

We do nothing more here than motivate this deep theorem with a few further numerical observations. The theorem implies that
$$\lim_{x \to \infty} \pi(x)/x = \lim_{x \to \infty} 1/\log(x) = 0,$$
so for any a,
$$\lim_{x \to \infty} \frac{\pi(x)}{x/(\log(x) - a)} = \lim_{x \to \infty} \frac{\pi(x)}{x/\log(x)} - \lim_{x \to \infty} \frac{a\pi(x)}{x} = 1.$$
Thus $x/(\log(x) - a)$ is also asymptotic to π(x) for any a. See [CP01, 1.1.5] for a discussion of why a = 1 is the best choice. Table 1.2 compares π(x) and $x/(\log(x) - 1)$ for several x.

As of 2004, the record computation of π(x) reportedly took ten months on a 350 MHz Pentium II (see [GS02] for more details).

FIGURE 1.2. Graphs of π(x) over two larger ranges of x.

For the reader familiar with complex analysis, we mention a connection between π(x) and the Riemann Hypothesis. The Riemann zeta function ζ(s) is a complex analytic function on $C \setminus \{1\}$ that extends the function defined on a right half plane by $\sum_{n=1}^{\infty} n^{-s}$. The Riemann Hypothesis is the conjecture that the zeros in C of ζ(s) with positive real part lie on the line Re(s) = 1/2. This conjecture is one of the Clay Math Institute million dollar millennium prize problems [Cla].

According to [CP01, 1.4.1], the Riemann Hypothesis is equivalent to the conjecture that
$$\mathrm{Li}(x) = \int_2^x \frac{1}{\log(t)}\, dt$$
is a good approximation to π(x), in the following precise sense:

Conjecture (Equivalent to the Riemann Hypothesis). For all $x \geq 2.01$,
$$|\pi(x) - \mathrm{Li}(x)| \leq \sqrt{x} \log(x).$$

If x = 2, then π(2) = 1 and Li(2) = 0, but $\sqrt{2}\log(2) \approx 0.980$, so the inequality is not true for $x \leq 2$, but 2.01 is big enough. We will do nothing more to explain this conjecture, and settle for one numerical example.

Example. One numerical example compares, at a single large x, the values of π(x), Li(x), π(x) − Li(x), $\sqrt{x}\log(x)$, and $x/(\log(x) - 1)$.

One of the best popular articles on the prime number theorem and the Riemann hypothesis is [Zag75].
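An added example (not code from the book) serving both Table 1.2 and the conjecture above: it sieves π(x), tabulates π(x) against x/(log(x) − 1), evaluates Li(x) by composite Simpson's rule, and checks |π(x) − Li(x)| ≤ √x log(x) at chosen x. The Simpson step count and the function names are my own choices.

```python
# Added example (not from the book): pi(x) versus x/(log x - 1) and the
# RH-equivalent inequality |pi(x) - Li(x)| <= sqrt(x) log(x).
from math import log, sqrt

def primes_upto(n: int) -> list[int]:
    """Boolean-array sieve; returns the primes <= n."""
    flags = bytearray([1]) * (n + 1)
    flags[0:2] = b"\x00\x00"                      # 0 and 1 are not prime
    for p in range(2, int(n ** 0.5) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, n + 1, p)))
    return [i for i, f in enumerate(flags) if f]

def pi_values(limit: int) -> list[int]:
    """counts[x] = pi(x) for 0 <= x <= limit (prefix sums over the sieve)."""
    counts = [0] * (limit + 1)
    for p in primes_upto(limit):
        counts[p] = 1
    for x in range(1, limit + 1):
        counts[x] += counts[x - 1]
    return counts

def li(x: float, steps: int = 2000) -> float:
    """Li(x) = integral from 2 to x of dt/log(t), by composite Simpson's rule
    (steps even; 1/log t is smooth on [2, x], so this is accurate to ~1e-6 here)."""
    if x <= 2:
        return 0.0
    h = (x - 2) / steps
    f = lambda t: 1.0 / log(t)
    total = f(2) + f(x)
    for k in range(1, steps):
        total += (4 if k % 2 else 2) * f(2 + k * h)
    return total * h / 3

def table_1_2(xs: list[int]) -> list[tuple[int, int, float]]:
    """Rows (x, pi(x), x/(log(x) - 1)) in the spirit of Table 1.2."""
    counts = pi_values(max(xs))
    return [(x, counts[x], x / (log(x) - 1)) for x in xs]

def rh_inequality_holds(xs: list[int]) -> bool:
    """True if |pi(x) - Li(x)| <= sqrt(x) log(x) at every x in xs (all x >= 3)."""
    counts = pi_values(max(xs))
    return all(abs(counts[x] - li(x)) <= sqrt(x) * log(x) for x in xs)

if __name__ == "__main__":
    for x, pi_x, approx in table_1_2([100, 1000, 10_000]):
        print(f"x={x:6d}  pi(x)={pi_x:5d}  x/(log x - 1)={approx:9.2f}  Li(x)={li(x):9.2f}")
```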

1.3 Exercises

1.1 Compute the greatest common divisor gcd(455, 1235) by hand.

1.2 Use the Sieve of Eratosthenes to make a list of all primes up to a given bound.

1.3 Prove that there are infinitely many primes of the form 6x − 1.

1.4 Use the Prime Number Theorem to deduce that $\lim_{x \to \infty} \frac{\pi(x)}{x} = 0$.

2 The Ring of Integers Modulo n

This chapter is about the ring Z/nZ of integers modulo n. First we discuss when linear equations modulo n have a solution, then introduce the Euler ϕ function and prove Fermat's Little Theorem and Wilson's theorem. Next we prove the Chinese Remainder Theorem, which addresses simultaneous solubility of several linear equations modulo coprime moduli. With these theoretical foundations in place, in Section 2.3 we introduce algorithms for doing interesting computations modulo n, including computing large powers quickly, and solving linear equations. We finish with a very brief discussion of finding prime numbers using arithmetic modulo n.

2.1 Congruences Modulo n

In this section we define the ring Z/nZ of integers modulo n, introduce the Euler ϕ-function, and relate it to the multiplicative order of certain elements of Z/nZ.

If $a, b \in Z$ and $n \in N$, we say that a is congruent to b modulo n if $n \mid a - b$, and write $a \equiv b \pmod{n}$. Let nZ = (n) be the ideal of Z generated by n.

Definition (Integers Modulo n). The ring of integers modulo n is the quotient ring Z/nZ of equivalence classes of integers modulo n. It is equipped with its natural ring structure:
$$(a + nZ) + (b + nZ) = (a + b) + nZ,$$
$$(a + nZ) \cdot (b + nZ) = (a \cdot b) + nZ.$$

Example. For example,
$$Z/3Z = \{\{\ldots, -3, 0, 3, \ldots\}, \{\ldots, -2, 1, 4, \ldots\}, \{\ldots, -1, 2, 5, \ldots\}\}.$$

We use the notation Z/nZ because Z/nZ is the quotient of the ring Z by the ideal nZ of multiples of n. Because Z/nZ is the quotient of a ring by an ideal, the ring structure on Z induces a ring structure on Z/nZ. We often let $\bar{a}$ or $a \pmod{n}$ denote the equivalence class a + nZ of a. If p is a prime, then Z/pZ is a field (see Exercise 2.11).

We call the natural reduction map $Z \to Z/nZ$, which sends a to a + nZ, reduction modulo n. We also say that a is a lift of a + nZ. Thus, e.g., 7 is a lift of 1 mod 3, since 7 + 3Z = 1 + 3Z.

We can use the fact that arithmetic in Z/nZ is well defined to derive tests for divisibility by n (see Exercise 2.7).

Proposition 2.1.3. A number $n \in Z$ is divisible by 3 if and only if the sum of the digits of n is divisible by 3.

Proof. Write
$$n = a + 10b + 100c + \cdots,$$
where the digits of n are a, b, c, etc. Since $10 \equiv 1 \pmod{3}$,
$$n = a + 10b + 100c + \cdots \equiv a + b + c + \cdots \pmod{3},$$
from which the proposition follows.

2.1.1 Linear Equations Modulo n

In this section, we are concerned with how to decide whether or not a linear equation of the form $ax \equiv b \pmod{n}$ has a solution modulo n. Algorithms for computing solutions to $ax \equiv b \pmod{n}$ are the topic of Section 2.3. First we prove a proposition that gives a criterion under which one can cancel a quantity from both sides of a congruence.

Proposition (Cancellation). If gcd(c, n) = 1 and $ac \equiv bc \pmod{n}$, then $a \equiv b \pmod{n}$.

Proof. By definition $n \mid ac - bc = (a - b)c$. Since gcd(n, c) = 1, it follows from unique factorization (Theorem 1.1.5) that $n \mid a - b$, so $a \equiv b \pmod{n}$, as claimed.

When a has a multiplicative inverse a' in Z/nZ (i.e., $aa' \equiv 1 \pmod{n}$) then the equation $ax \equiv b \pmod{n}$ has a unique solution $x \equiv a'b \pmod{n}$ modulo n. Thus, it is of interest to determine the units in Z/nZ, i.e., the elements which have a multiplicative inverse.

We will use complete sets of residues to prove that the units in Z/nZ are exactly the $a \in Z/nZ$ such that $\gcd(\tilde{a}, n) = 1$ for any lift $\tilde{a}$ of a to Z (it doesn't matter which lift).

Definition (Complete Set of Residues). We call a subset $R \subset Z$ of size n whose reductions modulo n are pairwise distinct a complete set of residues modulo n. In other words, a complete set of residues is a choice of representative for each equivalence class in Z/nZ.

For example, R = {0, 1, 2, ..., n − 1} is a complete set of residues modulo n. When n = 5, R = {0, 1, −1, 2, −2} is a complete set of residues.

Lemma 2.1.6. If R is a complete set of residues modulo n and $a \in Z$ with gcd(a, n) = 1, then aR = {ax : x ∈ R} is also a complete set of residues modulo n.

Proof. If $ax \equiv ax' \pmod{n}$ with $x, x' \in R$, then the Cancellation proposition implies that $x \equiv x' \pmod{n}$. Because R is a complete set of residues, this implies that x = x'. Thus the elements of aR have distinct reductions modulo n. It follows, since #aR = n, that aR is a complete set of residues modulo n.

Proposition 2.1.7 (Units). If gcd(a, n) = 1, then the equation $ax \equiv b \pmod{n}$ has a solution, and that solution is unique modulo n.

Proof. Let R be a complete set of residues modulo n, so there is a unique element of R that is congruent to b modulo n. By Lemma 2.1.6, aR is also a complete set of residues modulo n, so there is a unique element $ax \in aR$ that is congruent to b modulo n, and we have $ax \equiv b \pmod{n}$.

Algebraically, this proposition asserts that if gcd(a, n) = 1, then the map $Z/nZ \to Z/nZ$ given by left multiplication by a is a bijection.

Example. Consider the equation $2x \equiv 3 \pmod{7}$, and the complete set R = {0, 1, 2, 3, 4, 5, 6} of coset representatives. We have
$$2R = \{0, 2, 4, 6, 8 \equiv 1, 10 \equiv 3, 12 \equiv 5\},$$
so $2 \cdot 5 \equiv 3 \pmod{7}$.

When $\gcd(a, n) \neq 1$, then the equation $ax \equiv b \pmod{n}$ may or may not have a solution. For example, $2x \equiv 1 \pmod{4}$ has no solution, but $2x \equiv 2 \pmod{4}$ does, and in fact it has more than one mod 4 (x = 1 and x = 3). Generalizing Proposition 2.1.7, we obtain the following more general criterion for solvability.

Proposition (Solvability). The equation $ax \equiv b \pmod n$ has a solution if and only if $\gcd(a, n)$ divides $b$.

Proof. Let $g = \gcd(a, n)$. If there is a solution $x$ to the equation $ax \equiv b \pmod n$, then $n \mid (ax - b)$. Since $g \mid n$ and $g \mid a$, it follows that $g \mid b$. Conversely, suppose that $g \mid b$. Then $n \mid (ax - b)$ if and only if
$$\frac{n}{g} \,\Big|\, \Big(\frac{a}{g}\,x - \frac{b}{g}\Big).$$
Thus $ax \equiv b \pmod n$ has a solution if and only if $\frac{a}{g} x \equiv \frac{b}{g} \pmod{n/g}$ has a solution. Since $\gcd(a/g, n/g) = 1$, Proposition 2.1.7 implies this latter equation does have a solution.

In Chapter 4 we will study quadratic reciprocity, which gives a nice criterion for whether or not a quadratic equation modulo $n$ has a solution.

2.1.2 Fermat's Little Theorem

The group of units $(\mathbb{Z}/n\mathbb{Z})^*$ of the ring $\mathbb{Z}/n\mathbb{Z}$ will be of great interest to us. Each element of this group has an order, and Lagrange's theorem from group theory implies that each element of $(\mathbb{Z}/n\mathbb{Z})^*$ has order that divides the order of $(\mathbb{Z}/n\mathbb{Z})^*$. In elementary number theory this fact goes by the moniker "Fermat's Little Theorem", and we reprove it from basic principles in this section.

Definition (Order of an Element). Let $n \in \mathbb{N}$ and $x \in \mathbb{Z}$ and suppose that $\gcd(x, n) = 1$. The order of $x$ modulo $n$ is the smallest $m \in \mathbb{N}$ such that $x^m \equiv 1 \pmod n$.

To show that the definition makes sense, we verify that such an $m$ exists. Consider $x, x^2, x^3, \ldots$ modulo $n$. There are only finitely many residue classes modulo $n$, so we must eventually find two integers $i, j$ with $i < j$ such that $x^j \equiv x^i \pmod n$. Since $\gcd(x, n) = 1$, the cancellation proposition implies that we can cancel $x$'s and conclude that $x^{j-i} \equiv 1 \pmod n$.

Definition (Euler's phi-function). For $n \in \mathbb{N}$, let
$$\varphi(n) = \#\{a \in \mathbb{N} : a \le n \text{ and } \gcd(a, n) = 1\}.$$

For example,
$$\varphi(1) = \#\{1\} = 1,\quad \varphi(2) = \#\{1\} = 1,\quad \varphi(5) = \#\{1, 2, 3, 4\} = 4,\quad \varphi(12) = \#\{1, 5, 7, 11\} = 4.$$
Also, if $p$ is any prime number then $\varphi(p) = \#\{1, 2, \ldots, p-1\} = p - 1$. In Section 2.2.1, we will prove that $\varphi$ is a multiplicative function. This will yield an easy way to compute $\varphi(n)$ in terms of the prime factorization of $n$.

Theorem (Fermat's Little Theorem). If $\gcd(x, n) = 1$, then $x^{\varphi(n)} \equiv 1 \pmod n$.

Proof. As mentioned above, Fermat's Little Theorem has the following group-theoretic interpretation. The set of units in $\mathbb{Z}/n\mathbb{Z}$ is a group
$$(\mathbb{Z}/n\mathbb{Z})^* = \{a \in \mathbb{Z}/n\mathbb{Z} : \gcd(a, n) = 1\},$$
which has order $\varphi(n)$. The theorem then asserts that the order of an element of $(\mathbb{Z}/n\mathbb{Z})^*$ divides the order $\varphi(n)$ of $(\mathbb{Z}/n\mathbb{Z})^*$. This is a special case of the more general fact (Lagrange's theorem) that if $G$ is a finite group and $g \in G$, then the order of $g$ divides the cardinality of $G$.

We now give an elementary proof of the theorem. Let $P = \{a : 1 \le a \le n \text{ and } \gcd(a, n) = 1\}$. In the same way that we proved Lemma 2.1.6, we see that the reductions modulo $n$ of the elements of $xP$ are the same as the reductions of the elements of $P$. Thus
$$\prod_{a \in P} (xa) \equiv \prod_{a \in P} a \pmod n,$$
since the products are over the same numbers modulo $n$. Now cancel the $a$'s on both sides to get $x^{\#P} \equiv 1 \pmod n$, as claimed.

2.1.3 Wilson's Theorem

The following characterization of prime numbers, from the 1770s, is called Wilson's Theorem, though it was first proved by Lagrange.

Proposition (Wilson's Theorem). An integer $p > 1$ is prime if and only if $(p-1)! \equiv -1 \pmod p$.

For example, if $p = 3$, then $(p-1)! = 2 \equiv -1 \pmod 3$. If $p = 17$, then
$$(p-1)! = 16! = 20922789888000 \equiv -1 \pmod{17}.$$
But if $p = 15$, then
$$(p-1)! = 14! = 87178291200 \equiv 0 \pmod{15},$$
so 15 is composite. Thus Wilson's theorem could be viewed as a primality test, though, from a computational point of view, it is probably the least efficient primality test since computing $(n-1)!$ takes so many steps.

Proof. The statement is clear when $p = 2$, so henceforth we assume that $p > 2$. We first assume that $p$ is prime and prove that $(p-1)! \equiv -1 \pmod p$. If $a \in \{1, 2, \ldots, p-1\}$ then the equation $ax \equiv 1 \pmod p$ has a unique solution $a' \in \{1, 2, \ldots, p-1\}$. If $a = a'$, then $a^2 \equiv 1 \pmod p$, so $p \mid a^2 - 1 = (a-1)(a+1)$, so $p \mid (a-1)$ or $p \mid (a+1)$, so $a \in \{1, p-1\}$. We can thus pair off the elements of $\{2, 3, \ldots, p-2\}$, each with their inverse. Thus $2 \cdot 3 \cdots (p-2) \equiv 1 \pmod p$. Multiplying both sides by $p - 1$ proves that $(p-1)! \equiv -1 \pmod p$.

Next we assume that $(p-1)! \equiv -1 \pmod p$ and prove that $p$ must be prime. Suppose not, so that $p \ge 4$ is a composite number. Let $\ell$ be a prime divisor of $p$. Then $\ell < p$, so $\ell \mid (p-1)!$. Also, by assumption, $\ell \mid ((p-1)! + 1)$. This is a contradiction, because a prime can not divide a number $a$ and also divide $a + 1$, since it would then have to divide $(a + 1) - a = 1$.

Example. We illustrate the key step in the above proof in the case $p = 17$. We have
$$2 \cdot 3 \cdots 15 = (2 \cdot 9)(3 \cdot 6)(4 \cdot 13)(5 \cdot 7)(8 \cdot 15)(10 \cdot 12)(14 \cdot 11) \equiv 1 \pmod{17},$$
where we have paired up the numbers $a, b$ for which $ab \equiv 1 \pmod{17}$.
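The pairing step of the proof and the (deliberately inefficient) Wilson test, as an added example; this is illustration code written for this page, not code from the book. It assumes Python 3.8 or later, where `pow(a, -1, p)` computes a modular inverse.

```python
# Added example (not from the book): Wilson's theorem as a very slow primality
# test, and the inverse-pairing step used in its proof.

def inverse_pairs(p):
    """Pair each a in {2, ..., p-2} with its inverse b mod p (p assumed prime).
    Returns the list of (a, b) with a < b and a*b = 1 (mod p), in order of a."""
    pairs = []
    for a in range(2, p - 1):
        b = pow(a, -1, p)            # Python 3.8+; raises ValueError if no inverse
        if a < b:
            pairs.append((a, b))
    return pairs

def factorial_mod(n, m):
    """n! reduced modulo m, reducing after every multiplication so the
    intermediate values never exceed m*n."""
    acc = 1
    for k in range(2, n + 1):
        acc = (acc * k) % m
    return acc

def wilson_is_prime(n):
    """Wilson's criterion: n > 1 is prime iff (n-1)! = -1 (mod n).
    Correct, but needs about n multiplications: useless for large n."""
    if n < 2:
        return False
    return factorial_mod(n - 1, n) == n - 1

if __name__ == "__main__":
    print(inverse_pairs(17))         # the seven pairs of the example above
    print(wilson_is_prime(17), wilson_is_prime(15))
```

The product of all pairs in `inverse_pairs(17)` is 1 modulo 17, which is exactly the identity displayed in the example.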

2.2 The Chinese Remainder Theorem

In this section we prove the Chinese Remainder Theorem, which gives conditions under which a system of linear equations is guaranteed to have a solution. In the 4th century a Chinese mathematician asked the following:

Question. There is a quantity whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What is the quantity?

In modern notation, the question asks us to find a positive integer solution to the following system of three equations:
$$x \equiv 2 \pmod 3,\qquad x \equiv 3 \pmod 5,\qquad x \equiv 2 \pmod 7.$$
The Chinese Remainder Theorem asserts that a solution exists, and the proof gives a method to find one. (See Section 2.3 for the necessary algorithms.)

Theorem (Chinese Remainder Theorem). Let $a, b \in \mathbb{Z}$ and $n, m \in \mathbb{N}$ such that $\gcd(n, m) = 1$. Then there exists $x \in \mathbb{Z}$ such that
$$x \equiv a \pmod m,\qquad x \equiv b \pmod n.$$
Moreover $x$ is unique modulo $mn$.

Proof. If we can solve for $t$ in the equation $a + tm \equiv b \pmod n$, then $x = a + tm$ will satisfy both congruences. To see that we can solve, subtract $a$ from both sides and use Proposition 2.1.7 together with our assumption that $\gcd(n, m) = 1$ to see that there is a solution. For uniqueness, suppose that $x$ and $y$ solve both congruences. Then $z = x - y$ satisfies $z \equiv 0 \pmod m$ and $z \equiv 0 \pmod n$, so $m \mid z$ and $n \mid z$. Since $\gcd(n, m) = 1$, it follows that $nm \mid z$, so $x \equiv y \pmod{nm}$.

Algorithm (Chinese Remainder Theorem). Given coprime integers $m$ and $n$ and integers $a$ and $b$, this algorithm finds an integer $x$ such that $x \equiv a \pmod m$ and $x \equiv b \pmod n$.
1. [Extended GCD] Use Algorithm 2.3.3 below to find integers $c, d$ such that $cm + dn = 1$.
2. [Answer] Output $x = a + (b - a)cm$ and terminate.

Proof. Since $c \in \mathbb{Z}$, we have $x \equiv a \pmod m$, and using that $cm + dn = 1$, we have
$$a + (b - a)cm \equiv a + (b - a)(1 - dn) \equiv a + (b - a) \equiv b \pmod n.$$

Now we can answer the question above. First, we use the theorem to find a solution to the pair of equations $x \equiv 2 \pmod 3$, $x \equiv 3 \pmod 5$. Set $a = 2$, $b = 3$, $m = 3$, $n = 5$. Step 1 is to find a solution to $3t \equiv 3 - 2 = 1 \pmod 5$. A solution is $t = 2$. Then $x = a + tm = 2 + 2 \cdot 3 = 8$. Since any $x'$ with $x' \equiv x \pmod{15}$ is also a solution to those two equations, we can solve all three equations by finding a solution to the pair of equations
$$x \equiv 8 \pmod{15},\qquad x \equiv 2 \pmod 7.$$
Again, we find a solution to $15t \equiv 2 - 8 \equiv 1 \pmod 7$. A solution is $t = 1$, so $x = a + tm = 8 + 15 = 23$. Note that there are other solutions. Any $x' \equiv x \pmod{3 \cdot 5 \cdot 7}$ is also a solution; e.g., $23 + 105 = 128$.

2.2.1 Multiplicative Functions

Definition (Multiplicative Function). A function $f : \mathbb{N} \to \mathbb{Z}$ is multiplicative if, whenever $m, n \in \mathbb{N}$ and $\gcd(m, n) = 1$, we have $f(mn) = f(m) \cdot f(n)$.

Recall from the definition in Section 2.1.2 that the Euler $\varphi$-function is
$$\varphi(n) = \#\{a : 1 \le a \le n \text{ and } \gcd(a, n) = 1\}.$$

Lemma. Suppose that $m, n \in \mathbb{N}$ and $\gcd(m, n) = 1$. Then the map
$$\psi : (\mathbb{Z}/mn\mathbb{Z})^* \to (\mathbb{Z}/m\mathbb{Z})^* \times (\mathbb{Z}/n\mathbb{Z})^* \qquad (2.2.1)$$
defined by $\psi(c) = (c \bmod m,\ c \bmod n)$ is a bijection.

Proof. We first show that $\psi$ is injective. If $\psi(c) = \psi(c')$, then $m \mid c - c'$ and $n \mid c - c'$, so $nm \mid c - c'$ because $\gcd(n, m) = 1$. Thus $c = c'$ as elements of $(\mathbb{Z}/mn\mathbb{Z})^*$. Next we show that $\psi$ is surjective. Given $a$ and $b$ with $\gcd(a, m) = 1$ and $\gcd(b, n) = 1$, the Chinese Remainder Theorem implies that there exists $c$ with $c \equiv a \pmod m$ and $c \equiv b \pmod n$. We may assume that $1 \le c \le nm$, and since $\gcd(a, m) = 1$ and $\gcd(b, n) = 1$, we must have $\gcd(c, nm) = 1$. Thus $\psi(c) = (a, b)$.
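The algorithm for two moduli, iterated over a list of pairwise coprime moduli exactly as the worked solution above iterates, as an added example written for this page (not the book's own implementation, which is in Chapter 7). It uses Python's built-in `pow(m, -1, n)` (Python 3.8+) for the coefficient $c$ in $cm + dn = 1$ instead of the extended Euclidean algorithm of Section 2.3, and goes beyond the text in accepting any number of congruences.

```python
# Added example (not from the book): the Chinese Remainder Theorem algorithm
# for two moduli, iterated to any number of pairwise coprime moduli.
from math import gcd

def crt_pair(a, m, b, n):
    """Return the unique x with 0 <= x < m*n, x = a (mod m) and x = b (mod n).
    Requires gcd(m, n) = 1. Follows the book's algorithm: find c with
    c*m = 1 (mod n) (so c*m + d*n = 1 for some d), then x = a + (b - a)*c*m."""
    if gcd(m, n) != 1:
        raise ValueError("moduli must be coprime")
    c = pow(m, -1, n)                     # Python 3.8+: inverse of m modulo n
    return (a + (b - a) * c * m) % (m * n)

def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for all i, the m_i pairwise coprime.
    Returns (x, M) with 0 <= x < M = product of the moduli; every solution
    is congruent to x modulo M."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):    # fold in one congruence at a time
        x = crt_pair(x, M, r, m)
        M *= m
    return x, M

if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))      # the 4th-century question: (23, 105)
```

The first fold of `crt([2, 3, 2], [3, 5, 7])` produces 8 modulo 15 and the second 23 modulo 105, matching the hand computation; the `ValueError` guard is the hypothesis $\gcd(m, n) = 1$ of the theorem, without which uniqueness modulo $mn$ fails.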

Proposition (Multiplicativity of $\varphi$). The function $\varphi$ is multiplicative.

Proof. The map $\psi$ of the lemma above is a bijection, so the set on the left in (2.2.1) has the same size as the product set on the right in (2.2.1). Thus $\varphi(mn) = \varphi(m) \cdot \varphi(n)$.

The proposition is helpful in computing $\varphi(n)$, at least if we assume we can compute the factorization of $n$ (see the section on attacking RSA in Chapter 3 for a connection between factoring $n$ and computing $\varphi(n)$). For example,
$$\varphi(12) = \varphi(2^2) \cdot \varphi(3) = 2 \cdot 2 = 4.$$
Also, for $n \ge 1$, we have
$$\varphi(p^n) = p^n - \frac{p^n}{p} = p^n - p^{n-1} = p^{n-1}(p - 1), \qquad (2.2.2)$$
since $\varphi(p^n)$ is the number of numbers up to $p^n$ minus the number of those that are divisible by $p$. Thus, e.g., since 389 is prime, $\varphi(389 \cdot q^2) = 388 \cdot (q^2 - q) = 388 \cdot q(q-1)$ for any prime $q \ne 389$.

2.3 Quickly Computing Inverses and Huge Powers

This section is about how to solve the equation $ax \equiv 1 \pmod n$ when we know it has a solution, and how to efficiently compute $a^m \pmod n$. We also discuss a simple probabilistic primality test that relies on our ability to compute $a^m \pmod n$ quickly. All three of these algorithms are of fundamental importance to the cryptography algorithms of Chapter 3.

2.3.1 How to Solve $ax \equiv 1 \pmod n$

Suppose $a, n \in \mathbb{N}$ with $\gcd(a, n) = 1$. Then by Proposition 2.1.7 the equation $ax \equiv 1 \pmod n$ has a unique solution. How can we find it?

Proposition (Extended Euclidean representation). Suppose $a, b \in \mathbb{Z}$ and let $g = \gcd(a, b)$. Then there exist $x, y \in \mathbb{Z}$ such that $ax + by = g$.

Remark. If $e = cg$ is a multiple of $g$, then $cax + cby = cg = e$, so $e = (cx)a + (cy)b$ can also be written in terms of $a$ and $b$.
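The following added example (written for this page, not the book's code) checks the three facts just proved on small inputs: $\varphi$ computed from its definition agrees with the prime-power formula (2.2.2) combined multiplicatively, the map $\psi$ of (2.2.1) really is a bijection when $\gcd(m, n) = 1$ and fails to be one otherwise, and every unit satisfies Fermat's Little Theorem $x^{\varphi(n)} \equiv 1 \pmod n$. Units are represented by their least positive lifts.

```python
# Added example (not from the book): Euler's phi by definition and by the
# prime-power formula (2.2.2), the bijection psi of the lemma, and a check
# of Fermat's Little Theorem for every unit.
from math import gcd

def phi_by_definition(n):
    """phi(n) = #{a : 1 <= a <= n, gcd(a, n) = 1}."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def phi_prime_power(p, k):
    """Formula (2.2.2): phi(p^k) = p^(k-1) * (p - 1), p prime, k >= 1."""
    return p ** (k - 1) * (p - 1)

def units(n):
    """Least positive lifts of the elements of (Z/nZ)*."""
    return [c for c in range(1, n + 1) if gcd(c, n) == 1]

def psi_is_bijection(m, n):
    """True iff c -> (c mod m, c mod n) maps (Z/mnZ)* onto (Z/mZ)* x (Z/nZ)*
    bijectively. The lemma says this holds exactly when gcd(m, n) = 1."""
    image = sorted((c % m, c % n) for c in units(m * n))
    target = sorted((a % m, b % n) for a in units(m) for b in units(n))
    return image == target

def fermat_holds_for_all_units(n):
    """x^phi(n) = 1 (mod n) for every x in (Z/nZ)*."""
    ph = phi_by_definition(n)
    return all(pow(x, ph, n) == 1 for x in units(n))

if __name__ == "__main__":
    print(phi_by_definition(12), phi_prime_power(2, 2) * phi_prime_power(3, 1))
    print(psi_is_bijection(3, 4), psi_is_bijection(2, 4))
```

For $m = 2$, $n = 4$ the map is not injective: $1, 3, 5, 7$ all reduce to $(1, 1)$ or $(1, 3)$, so `psi_is_bijection(2, 4)` is `False`; this is the content of Exercise 2.15(b).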

Proof of the Proposition. Let $g = \gcd(a, b)$. Then $\gcd(a/g, b/g) = 1$, so by Proposition 2.1.7 the equation
$$\frac{a}{g}\, x \equiv 1 \pmod{b/g} \qquad (2.3.1)$$
has a solution $x \in \mathbb{Z}$. Multiplying (2.3.1) through by $g$ yields $ax \equiv g \pmod b$, so there exists $y$ such that $b \cdot (-y) = ax - g$. Then $ax + by = g$, as required.

Given $a, b$ and $g = \gcd(a, b)$, our proof of the proposition gives a way to explicitly find $x, y$ such that $ax + by = g$, assuming one knows an algorithm to solve linear equations modulo $n$. Since we do not know such an algorithm, we now discuss a way to explicitly find $x$ and $y$. This algorithm will in fact enable us to solve linear equations modulo $n$: to solve $ax \equiv 1 \pmod n$ when $\gcd(a, n) = 1$, use the algorithm below to find $x$ and $y$ such that $ax + ny = 1$. Then $ax \equiv 1 \pmod n$.

Suppose $a = 5$ and $b = 7$. The steps of the Euclidean algorithm of Chapter 1 to compute $\gcd(5, 7)$ are as follows. On the right, each remainder is rewritten as a combination of $a$ and $b$, because this clarifies the subsequent back substitution we will use to find $x$ and $y$.
$$\begin{aligned}
7 &= 1 \cdot 5 + 2, &\quad\text{so } 2 &= 7 - 5,\\
5 &= 2 \cdot 2 + 1, &\quad\text{so } 1 &= 5 - 2 \cdot 2 = 5 - 2(7 - 5) = 3 \cdot 5 - 2 \cdot 7.
\end{aligned}$$
On the right, we have back-substituted in order to write each partial remainder as a linear combination of $a$ and $b$. In the last step, we obtain $\gcd(a, b)$ as a linear combination of $a$ and $b$, as desired.

That example was not too complicated, so we try another one. Let $a = 130$ and $b = 61$. We have
$$\begin{aligned}
130 &= 2 \cdot 61 + 8, &\quad\text{so } 8 &= 130 - 2 \cdot 61,\\
61 &= 7 \cdot 8 + 5, &\quad\text{so } 5 &= 61 - 7 \cdot 8 = -7 \cdot 130 + 15 \cdot 61,\\
8 &= 1 \cdot 5 + 3, &\quad\text{so } 3 &= 8 - 5 = 8 \cdot 130 - 17 \cdot 61,\\
5 &= 1 \cdot 3 + 2, &\quad\text{so } 2 &= 5 - 3 = -15 \cdot 130 + 32 \cdot 61,\\
3 &= 1 \cdot 2 + 1, &\quad\text{so } 1 &= 3 - 2 = 23 \cdot 130 - 49 \cdot 61.
\end{aligned}$$
Thus $x = 23$ and $y = -49$ is a solution to $130x + 61y = 1$.

Algorithm 2.3.3 (Extended Euclidean Algorithm). Suppose $a$ and $b$ are integers and let $g = \gcd(a, b)$. This algorithm finds $g$, $x$ and $y$ such that $ax + by = g$. We describe only the steps when $a > b \ge 0$, since one can easily reduce to this case.
1. [Initialize] Set $x = 1$, $y = 0$, $r = 0$, $s = 1$.
2. [Finished?] If $b = 0$, set $g = a$ and terminate.

3. [Quotient and Remainder] Use division with remainder (Chapter 1) to write $a = qb + c$ with $0 \le c < b$.
4. [Shift] Set $(a, b, r, s, x, y) = (b, c, x - qr, y - qs, r, s)$ and go to step 2.

Proof. This algorithm is the same as the Euclidean algorithm of Chapter 1, except that we keep track of extra variables $x, y, r, s$, so it terminates and when it terminates $g = \gcd(a, b)$. The loop invariant is that, if $a_0, b_0$ denote the inputs, the current $a$ equals $xa_0 + yb_0$ and the current $b$ equals $ra_0 + sb_0$; this holds after initialization and is preserved by the shift step, which is why $x, y$ are correct at termination. We omit the rest of the inductive proof that the algorithm is correct, and instead refer the reader to [Knu97, §1.2.1] which contains a detailed proof in the context of a discussion of how one writes mathematical proofs.

Algorithm (Inverse Modulo $n$). Suppose $a$ and $n$ are integers and $\gcd(a, n) = 1$. This algorithm finds an $x$ such that $ax \equiv 1 \pmod n$.
1. [Compute Extended GCD] Use Algorithm 2.3.3 to compute integers $x, y$ such that $ax + ny = \gcd(a, n) = 1$.
2. [Finished] Output $x$.

Proof. Reduce $ax + ny = 1$ modulo $n$ to see that $x$ satisfies $ax \equiv 1 \pmod n$.

See Section 7.2 for implementations of Algorithm 2.3.3 and the inverse algorithm.

Example. Solve $17x \equiv 1 \pmod{61}$. First, we use Algorithm 2.3.3 to find $x, y$ such that $17x + 61y = 1$:
$$\begin{aligned}
61 &= 3 \cdot 17 + 10, &\quad\text{so } 10 &= 61 - 3 \cdot 17,\\
17 &= 1 \cdot 10 + 7, &\quad\text{so } 7 &= 17 - 10 = -61 + 4 \cdot 17,\\
10 &= 1 \cdot 7 + 3, &\quad\text{so } 3 &= 10 - 7 = 2 \cdot 61 - 7 \cdot 17,\\
7 &= 2 \cdot 3 + 1, &\quad\text{so } 1 &= 7 - 2 \cdot 3 = -5 \cdot 61 + 18 \cdot 17.
\end{aligned}$$
Thus $17 \cdot 18 + 61 \cdot (-5) = 1$, so $x = 18$ is a solution to $17x \equiv 1 \pmod{61}$.

2.3.2 How to Compute $a^m \pmod n$

Let $a$ and $n$ be integers, and $m$ a nonnegative integer. In this section we describe an efficient algorithm to compute $a^m \pmod n$. For the cryptography applications in Chapter 3, $m$ will have hundreds of digits.

The naive approach to computing $a^m \pmod n$ is to simply compute $a^m = a \cdot a \cdots a \pmod n$ by repeatedly multiplying by $a$ and reducing modulo $n$. Note that after each arithmetic operation is completed, we reduce the result modulo $n$ so that the sizes of the numbers involved do not get too large. Nonetheless, this algorithm is horribly inefficient because it takes $m - 1$ multiplications, which is huge if $m$ has hundreds of digits.

A much more efficient algorithm for computing $a^m \pmod n$ involves writing $m$ in binary, then expressing $a^m$ as a product of expressions $a^{2^i}$, for
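Algorithm 2.3.3 with exactly the book's $(a, b, r, s, x, y)$ bookkeeping, the inverse-modulo-$n$ algorithm built on it, and, going a step beyond the text, a solver for the general equation $ax \equiv b \pmod n$ of the solvability proposition in Section 2.1.1 (which returns all $\gcd(a, n)$ solutions, or none). This is an added example written for this page, not the book's Chapter 7 implementation. Note that if $a < b$ the first division step has quotient 0 and simply swaps the two inputs, so the $a > b$ hypothesis of the algorithm is not needed in code.

```python
# Added example (not from the book): Algorithm 2.3.3 (extended Euclid) with
# the book's (a, b, r, s, x, y) state, the inverse-mod-n algorithm, and the
# general solver for a*x = b (mod n) from the solvability proposition.

def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g, for a, b >= 0.
    Loop invariant: a = x*a0 + y*b0 and b = r*a0 + s*b0 for the inputs a0, b0."""
    if a < 0 or b < 0:
        raise ValueError("inputs must be nonnegative")
    x, y, r, s = 1, 0, 0, 1
    while b != 0:
        q, c = divmod(a, b)                       # a = q*b + c, 0 <= c < b
        a, b, r, s, x, y = b, c, x - q * r, y - q * s, r, s
    return a, x, y

def inverse_mod(a, n):
    """x in {0, ..., n-1} with a*x = 1 (mod n); ValueError if gcd(a, n) != 1."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return x % n

def solve_linear(a, b, n):
    """All x in {0, ..., n-1} with a*x = b (mod n). Solvable iff g = gcd(a, n)
    divides b, in which case there are exactly g solutions, spaced n/g apart."""
    g, _, _ = extended_gcd(a % n, n)
    if b % g != 0:
        return []
    a1, b1, n1 = a // g, b // g, n // g           # now gcd(a1, n1) = 1
    x0 = (b1 * inverse_mod(a1, n1)) % n1          # unique solution mod n/g
    return [x0 + k * n1 for k in range(g)]

if __name__ == "__main__":
    print(extended_gcd(130, 61))                  # (1, 23, -49)
    print(inverse_mod(17, 61))                    # 18
    print(solve_linear(2, 2, 4), solve_linear(2, 1, 4))
```

`extended_gcd(130, 61)` reproduces the coefficients $23, -49$ of the worked example, and `extended_gcd(5, 7)` returns $(1, 3, -2)$, the combination $3 \cdot 5 - 2 \cdot 7$ found by back substitution above.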

various $i$. These latter expressions can be computed by repeatedly squaring $a^{2^i}$. This more clever algorithm is not simpler, but it is vastly more efficient since the number of operations needed grows with the number of binary digits of $m$, whereas with the naive algorithm above the number of operations is $m - 1$.

Algorithm 2.3.6 (Write a number in binary). Let $m$ be a nonnegative integer. This algorithm writes $m$ in binary, so it finds $\varepsilon_i \in \{0, 1\}$ such that $m = \sum_{i=0}^{r} \varepsilon_i 2^i$.
1. [Initialize] Set $i = 0$.
2. [Finished?] If $m = 0$, terminate.
3. [Digit] If $m$ is odd, set $\varepsilon_i = 1$, otherwise $\varepsilon_i = 0$. Increment $i$.
4. [Divide by 2] Set $m = \lfloor m/2 \rfloor$, the greatest integer $\le m/2$. Go to step 2.

Algorithm 2.3.7 (Compute Power). Let $a$ and $n$ be integers and $m$ a nonnegative integer. This algorithm computes $a^m$ modulo $n$.
1. [Write in Binary] Write $m$ in binary using Algorithm 2.3.6, so
$$a^m = \prod_{\varepsilon_i = 1} a^{2^i} \pmod n.$$
2. [Compute Powers] Compute $a$, $a^2$, $a^{2^2} = (a^2)^2$, $a^{2^3} = (a^{2^2})^2$, etc., up to $a^{2^r}$, where $r + 1$ is the number of binary digits of $m$.
3. [Multiply Powers] Multiply together the $a^{2^i}$ such that $\varepsilon_i = 1$, always working modulo $n$.

See Section 7.2 for an implementation of Algorithms 2.3.6 and 2.3.7.

We can compute the last 2 digits of $6^{91}$, by finding $6^{91} \pmod{100}$. Make a table whose first column, labeled $i$, contains $0, 1, 2$, etc. The second column, labeled $m$, is got by dividing the entry above it by 2 and taking the integer part of the result. The third column, labeled $\varepsilon_i$, records whether or not the second column is odd. The fourth column is computed by squaring, modulo $n = 100$, the entry above it.

| $i$ | $m$ | $\varepsilon_i$ | $6^{2^i} \bmod 100$ |
|---|---|---|---|
| 0 | 91 | 1 | 6 |
| 1 | 45 | 1 | 36 |
| 2 | 22 | 0 | 96 |
| 3 | 11 | 1 | 16 |
| 4 | 5 | 1 | 56 |
| 5 | 2 | 0 | 36 |
| 6 | 1 | 1 | 96 |

Thus
$$6^{91} \equiv 6 \cdot 36 \cdot 16 \cdot 56 \cdot 96 \equiv 56 \pmod{100}.$$
That is easier than multiplying 6 by itself 91 times.
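Algorithms 2.3.6 and 2.3.7 as an added example written for this page (not the book's Chapter 7 code). `power_mod_table` returns, besides $a^m \bmod n$, the rows of the same table the text builds by hand, so the trace for $6^{91} \bmod 100$ can be compared line by line; the number of loop iterations is the bit length of $m$, which is the efficiency claim made above.

```python
# Added example (not from the book): Algorithm 2.3.6 (binary digits) and
# Algorithm 2.3.7 (repeated squaring), returning the book's table as a trace.

def to_binary_digits(m):
    """Algorithm 2.3.6: the bits eps_0, eps_1, ... of m >= 0, least
    significant first, so that m = sum(eps_i * 2**i)."""
    digits = []
    while m > 0:
        digits.append(m & 1)           # 1 if m is odd, else 0
        m >>= 1                        # floor(m / 2)
    return digits

def power_mod_table(a, m, n):
    """Algorithm 2.3.7 with a trace. Returns (a^m mod n, rows), each row being
    (i, m_i, eps_i, a^(2^i) mod n) with m_i the value of m at step i."""
    bits = to_binary_digits(m)
    rows, result, square, mi = [], 1 % n, a % n, m
    for i, eps in enumerate(bits):
        rows.append((i, mi, eps, square))
        if eps:
            result = (result * square) % n   # multiply in a^(2^i) when bit set
        square = (square * square) % n       # next entry of the fourth column
        mi >>= 1
    return result, rows

def power_mod(a, m, n):
    """a^m mod n by repeated squaring; same value as Python's pow(a, m, n)."""
    return power_mod_table(a, m, n)[0]

if __name__ == "__main__":
    value, rows = power_mod_table(6, 91, 100)
    for row in rows:
        print(*row)
    print(value)                       # 56
```

Reading the last column of `power_mod_table(6, 91, 100)[1]` gives 6, 36, 96, 16, 56, 36, 96, and multiplying the entries whose bit is set gives 56, as in the table.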

Remark. One would like to shorten the computation using Fermat's Little Theorem: $\varphi(100) = \varphi(2^2 \cdot 5^2) = (2^2 - 2)(5^2 - 5) = 40$, so for a base $x$ coprime to 100 the theorem gives $x^{40} \equiv 1 \pmod{100}$ and hence $x^{91} = (x^{40})^2 x^{11} \equiv x^{11} \pmod{100}$. But the theorem requires $\gcd(x, n) = 1$, and $\gcd(6, 100) = 2$, so it does not apply to $6^{91}$: in fact $6^{40} \equiv 76 \pmod{100}$. (The congruence $6^{91} \equiv 6^{11} \pmod{100}$ happens to be true anyway, but for a different reason: $6^k \bmod 100$ repeats with period 5 once $k \ge 2$.) For a coprime base such as 7, the reduction $7^{91} \equiv 7^{11} \pmod{100}$ is valid.

2.4 Finding Primes

Theorem (Pseudoprimality). An integer $p > 1$ is prime if and only if for every $a \not\equiv 0 \pmod p$,
$$a^{p-1} \equiv 1 \pmod p.$$

Proof. If $p$ is prime, then the statement follows from Fermat's Little Theorem, since $\varphi(p) = p - 1$. If $p$ is composite, then there is a divisor $a$ of $p$ with $a \ne 1, p$. If $a^{p-1} \equiv 1 \pmod p$, then $p \mid a^{p-1} - 1$. Since $a \mid p$, we have $a \mid a^{p-1} - 1$, hence $a \mid 1$, a contradiction.

Suppose $n \in \mathbb{N}$. Using this theorem and Algorithm 2.3.7, we can either quickly prove that $n$ is not prime, or convince ourselves that $n$ is likely prime (but not quickly prove that $n$ is prime). For example, if $2^{n-1} \not\equiv 1 \pmod n$, then we have proved that $n$ is not prime. On the other hand, if $a^{n-1} \equiv 1 \pmod n$ for a few $a$, it seems likely that $n$ is prime, and we loosely refer to such a number that seems prime for several bases as a pseudoprime. There are composite numbers $n$ (called Carmichael numbers) with the amazing property that $a^{n-1} \equiv 1 \pmod n$ for all $a$ with $\gcd(a, n) = 1$. The first Carmichael number is 561, and it is a theorem that there are infinitely many such numbers ([AGP94]).

Example. Is $p = 323$ prime? We compute $2^{322} \pmod{323}$. Making a table as above, we have

| $i$ | $m$ | $\varepsilon_i$ | $2^{2^i} \bmod 323$ |
|---|---|---|---|
| 0 | 322 | 0 | 2 |
| 1 | 161 | 1 | 4 |
| 2 | 80 | 0 | 16 |
| 3 | 40 | 0 | 256 |
| 4 | 20 | 0 | 290 |
| 5 | 10 | 0 | 120 |
| 6 | 5 | 1 | 188 |
| 7 | 2 | 0 | 137 |
| 8 | 1 | 1 | 35 |

Thus
$$2^{322} \equiv 4 \cdot 188 \cdot 35 \equiv 157 \pmod{323},$$
so 323 is not prime, though this computation gives no information about how 323 factors as a product of primes. In fact, one finds that $323 = 17 \cdot 19$.

It's possible to easily prove that a large number is composite, but the proof does not easily yield a factorization. For example, for a large $n$ one can quickly check that $2^{n-1} \not\equiv 1 \pmod n$, which proves $n$ composite while saying nothing about its factors.

Another practical primality test is the Miller-Rabin test, which has the property that each time it is run on a number $n$ it either correctly asserts that the number is definitely not prime, or that it is probably prime, and the probability of correctness goes up with each successive call. If Miller-Rabin is called $m$ times on $n$ and in each case claims that $n$ is probably prime, then one can in a precise sense bound the probability that $n$ is composite in terms of $m$. For a precise statement of Miller-Rabin, a proof of correctness, and an implementation, see Chapter 7.

Until recently it was an open problem to give an algorithm (with proof) that decides whether or not any integer is prime in time bounded by a polynomial in the number of digits of the integer. Agrawal, Kayal, and Saxena recently found the first polynomial-time primality test (see [AKS02]). We will not discuss their algorithm further, because for our applications to cryptography Miller-Rabin or pseudoprimality tests will be sufficient.

2.5 The Structure of $(\mathbb{Z}/p\mathbb{Z})^*$

This section is about the structure of the group $(\mathbb{Z}/p\mathbb{Z})^*$ of units modulo a prime number $p$. The main result is that this group is always cyclic. We will use this result later in Chapter 4 in our proof of quadratic reciprocity.

Definition (Primitive root). A primitive root modulo an integer $n$ is an element of $(\mathbb{Z}/n\mathbb{Z})^*$ of order $\varphi(n)$.

We will prove that there is a primitive root modulo every prime $p$. Since the unit group $(\mathbb{Z}/p\mathbb{Z})^*$ has order $p - 1$, this implies that $(\mathbb{Z}/p\mathbb{Z})^*$ is a cyclic group, a fact that will be extremely useful, since it completely determines the structure of $(\mathbb{Z}/p\mathbb{Z})^*$ as an abelian group.
If $n$ is an odd prime power, then there is a primitive root modulo $n$ (see Exercise 2.25), but there is no primitive root modulo the prime power $2^3$, and hence none mod $2^n$ for $n \ge 3$ (see Exercise 2.24). Section 2.5.1 is the key input to our proof that $(\mathbb{Z}/p\mathbb{Z})^*$ is cyclic; there we show that for every divisor $d$ of $p - 1$ there are exactly $d$ elements of $(\mathbb{Z}/p\mathbb{Z})^*$ whose order divides $d$. We then use this result in Section 2.5.2 to produce an element of $(\mathbb{Z}/p\mathbb{Z})^*$ of order $q^r$ when $q^r$ is a prime power that exactly divides $p - 1$ (i.e., $q^r$ divides $p - 1$, but $q^{r+1}$ does not divide $p - 1$), and multiply together these elements to obtain an element of $(\mathbb{Z}/p\mathbb{Z})^*$ of order $p - 1$.

2.5.1 Polynomials over $\mathbb{Z}/p\mathbb{Z}$

The polynomial $x^2 - 1$ has four roots in $\mathbb{Z}/8\mathbb{Z}$, namely 1, 3, 5, and 7. In contrast, the following proposition shows that a polynomial of degree $d$ over a field, such as $\mathbb{Z}/p\mathbb{Z}$, can have at most $d$ roots.

Proposition 2.5.2 (Root Bound). Let $f \in k[x]$ be a nonzero polynomial over a field $k$. Then there are at most $\deg(f)$ elements $\alpha \in k$ such that $f(\alpha) = 0$.

Proof. We prove the proposition by induction on $\deg(f)$. The cases in which $\deg(f) \le 1$ are clear. Write $f = a_n x^n + \cdots + a_1 x + a_0$. If $f(\alpha) = 0$ then
$$\begin{aligned}
f(x) = f(x) - f(\alpha) &= a_n(x^n - \alpha^n) + \cdots + a_1(x - \alpha) + a_0(1 - 1)\\
&= (x - \alpha)\big(a_n(x^{n-1} + \cdots + \alpha^{n-1}) + \cdots + a_2(x + \alpha) + a_1\big)\\
&= (x - \alpha)g(x),
\end{aligned}$$
for some polynomial $g(x) \in k[x]$. Next suppose that $f(\beta) = 0$ with $\beta \ne \alpha$. Then $(\beta - \alpha)g(\beta) = 0$, so, since $\beta - \alpha \ne 0$, we have $g(\beta) = 0$. By our inductive hypothesis, $g$ has at most $n - 1$ roots, so there are at most $n - 1$ possibilities for $\beta$. It follows that $f$ has at most $n$ roots.

Proposition 2.5.3. Let $p$ be a prime number and let $d$ be a divisor of $p - 1$. Then $f = x^d - 1 \in (\mathbb{Z}/p\mathbb{Z})[x]$ has exactly $d$ roots in $\mathbb{Z}/p\mathbb{Z}$.

Proof. Let $e = (p-1)/d$. We have
$$x^{p-1} - 1 = (x^d)^e - 1 = (x^d - 1)\big((x^d)^{e-1} + (x^d)^{e-2} + \cdots + 1\big) = (x^d - 1)g(x),$$
where $g \in (\mathbb{Z}/p\mathbb{Z})[x]$ and $\deg(g) = de - d = p - 1 - d$. Fermat's Little Theorem implies that $x^{p-1} - 1$ has exactly $p - 1$ roots in $\mathbb{Z}/p\mathbb{Z}$, since every nonzero element of $\mathbb{Z}/p\mathbb{Z}$ is a root! By Proposition 2.5.2, $g$ has at most $p - 1 - d$ roots and $x^d - 1$ has at most $d$ roots. Since a root of $(x^d - 1)g(x)$ is a root of either $x^d - 1$ or $g(x)$ and $x^{p-1} - 1$ has $p - 1$ roots, $g$ must have exactly $p - 1 - d$ roots and $x^d - 1$ must have exactly $d$ roots, as claimed.

We pause to reemphasize that the analogue of Proposition 2.5.2 is false when $p$ is replaced by a composite integer $n$, since a root mod $n$ of a product of two polynomials need not be a root of either factor. For example, $f = x^2 - 1 \in (\mathbb{Z}/15\mathbb{Z})[x]$ has the four roots 1, 4, 11, and 14.

2.5.2 Existence of Primitive Roots

Recall from Section 2.1.2 that the order of an element $x$ in a finite group is the smallest $m \ge 1$ such that $x^m = 1$. In this section, we prove that $(\mathbb{Z}/p\mathbb{Z})^*$ is cyclic by using the results of Section 2.5.1 to produce an element of $(\mathbb{Z}/p\mathbb{Z})^*$ of order $d$ for each prime power divisor $d$ of $p - 1$, and then we multiply these together to obtain an element of order $p - 1$.

We will use the following lemma to assemble elements of each order dividing $p - 1$ to produce an element of order $p - 1$.

Lemma. Suppose $a, b \in (\mathbb{Z}/n\mathbb{Z})^*$ have orders $r$ and $s$, respectively, and that $\gcd(r, s) = 1$. Then $ab$ has order $rs$.

Proof. This is a general fact about commuting elements of any group; our proof only uses that $ab = ba$ and nothing special about $(\mathbb{Z}/n\mathbb{Z})^*$. Since $(ab)^{rs} = a^{rs} b^{rs} = 1$, the order of $ab$ is a divisor of $rs$. Write this divisor as $r_1 s_1$ where $r_1 \mid r$ and $s_1 \mid s$. Raise both sides of the equation
$$a^{r_1 s_1} b^{r_1 s_1} = (ab)^{r_1 s_1} = 1$$
to the power $r_2 = r/r_1$ to obtain
$$a^{r_1 r_2 s_1} b^{r_1 r_2 s_1} = 1.$$
Since $a^{r_1 r_2 s_1} = (a^{r_1 r_2})^{s_1} = 1$, we have $b^{r_1 r_2 s_1} = 1$, so $s \mid r_1 r_2 s_1$. Since $\gcd(s, r_1 r_2) = \gcd(s, r) = 1$, it follows that $s = s_1$. Similarly $r = r_1$, so the order of $ab$ is $rs$.

Theorem (Primitive Roots). There is a primitive root modulo any prime $p$. In particular, the group $(\mathbb{Z}/p\mathbb{Z})^*$ is cyclic.

Proof. The theorem is true if $p = 2$, since 1 is a primitive root, so we may assume $p > 2$. Write $p - 1$ as a product of distinct prime powers $q_i^{n_i}$:
$$p - 1 = q_1^{n_1} q_2^{n_2} \cdots q_r^{n_r}.$$
By Proposition 2.5.3, the polynomial $x^{q_i^{n_i}} - 1$ has exactly $q_i^{n_i}$ roots, and the polynomial $x^{q_i^{n_i - 1}} - 1$ has exactly $q_i^{n_i - 1}$ roots. There are $q_i^{n_i} - q_i^{n_i - 1} = q_i^{n_i - 1}(q_i - 1)$ elements $a \in \mathbb{Z}/p\mathbb{Z}$ such that $a^{q_i^{n_i}} = 1$ but $a^{q_i^{n_i - 1}} \ne 1$; each of these elements has order $q_i^{n_i}$. Thus for each $i = 1, \ldots, r$, we can choose an $a_i$ of order $q_i^{n_i}$. Then, using the lemma repeatedly, we see that $a = a_1 a_2 \cdots a_r$ has order $q_1^{n_1} \cdots q_r^{n_r} = p - 1$, so $a$ is a primitive root modulo $p$.

Example. We illustrate the proof of the theorem when $p = 13$. We have $p - 1 = 12 = 2^2 \cdot 3$. The polynomial $x^4 - 1$ has roots $\{1, 5, 8, 12\}$ and $x^2 - 1$ has roots $\{1, 12\}$, so we may take $a_1 = 5$. The polynomial $x^3 - 1$ has roots $\{1, 3, 9\}$, and we set $a_2 = 3$. Then $a = 5 \cdot 3 = 15 \equiv 2$ is a primitive root. To verify this, note that the successive powers of 2 (mod 13) are
$$2, 4, 8, 3, 6, 12, 11, 9, 5, 10, 7, 1.$$

Example. The theorem is false if, e.g., $p$ is replaced by a power of 2 bigger than 4. For example, the four elements of $(\mathbb{Z}/8\mathbb{Z})^*$ each have order dividing 2, but $\varphi(8) = 4$.

Theorem (Primitive Roots mod $p^n$). Let $p^n$ be a power of an odd prime. Then there is a primitive root modulo $p^n$.

The proof is left as Exercise 2.25.

Proposition (Number of primitive roots). If there is a primitive root modulo $n$, then there are exactly $\varphi(\varphi(n))$ primitive roots modulo $n$.

Proof. The primitive roots modulo $n$ are the generators of $(\mathbb{Z}/n\mathbb{Z})^*$, which by assumption is cyclic of order $\varphi(n)$. Thus they are in bijection with the generators of any cyclic group of order $\varphi(n)$. In particular, the number of primitive roots modulo $n$ is the same as the number of elements of $\mathbb{Z}/\varphi(n)\mathbb{Z}$ with additive order $\varphi(n)$. An element of $\mathbb{Z}/\varphi(n)\mathbb{Z}$ has additive order $\varphi(n)$ if and only if it is coprime to $\varphi(n)$. There are $\varphi(\varphi(n))$ such elements, as claimed.

Example. For example, there are $\varphi(\varphi(17)) = \varphi(16) = 2^4 - 2^3 = 8$ primitive roots mod 17, namely 3, 5, 6, 7, 10, 11, 12, 14. The $\varphi(\varphi(9)) = \varphi(6) = 2$ primitive roots modulo 9 are 2 and 5. There are no primitive roots modulo 8, even though $\varphi(\varphi(8)) = \varphi(4) = 2 > 0$.

2.5.3 Artin's Conjecture

Conjecture (Emil Artin). Suppose $a \in \mathbb{Z}$ is not $-1$ or a perfect square. Then there are infinitely many primes $p$ such that $a$ is a primitive root modulo $p$.

There is no single integer $a$ such that Artin's conjecture is known to be true. For any given $a$, Pieter [Mor93] proved that there are infinitely many $p$ such that the order of $a$ is divisible by the largest prime factor of $p - 1$. Hooley [Hoo67] proved that something called the Generalized Riemann Hypothesis implies the conjecture.

Remark. Artin conjectured more precisely that if $N(x, a)$ is the number of primes $p \le x$ such that $a$ is a primitive root modulo $p$, then $N(x, a)$ is asymptotic to $C(a)\pi(x)$, where $C(a)$ is a positive constant that depends only on $a$ and $\pi(x)$ is the number of primes up to $x$.

2.5.4 Computing Primitive Roots

The theorem on primitive roots does not suggest an efficient algorithm for finding primitive roots. To actually find a primitive root mod $p$ in practice, we try $a = 2$, then $a = 3$, etc., until we find an $a$ that has order $p - 1$. Computing the order of an element of $(\mathbb{Z}/p\mathbb{Z})^*$ requires factoring $p - 1$, which we do not know how to do quickly in general, so finding a primitive root modulo $p$ for large $p$ seems to be a difficult problem. See Section 7.2 for an implementation of this algorithm for finding a primitive root.

Algorithm (Primitive Root). Given a prime $p$ this algorithm computes the smallest positive integer $a$ that generates $(\mathbb{Z}/p\mathbb{Z})^*$.
1. [$p = 2$?] If $p = 2$ output 1 and terminate. Otherwise set $a = 2$.
2. [Prime Divisors] Compute the prime divisors $p_1, \ldots, p_r$ of $p - 1$ (see Section 7.1.3).
3. [Generator?] If for every $i$, we have $a^{(p-1)/p_i} \not\equiv 1 \pmod p$, then $a$ is a generator of $(\mathbb{Z}/p\mathbb{Z})^*$, so output $a$ and terminate.
4. [Try next] Set $a = a + 1$ and go to step 3.

Proof. Let $a \in (\mathbb{Z}/p\mathbb{Z})^*$. The order of $a$ is a divisor $d$ of the order $p - 1$ of the group $(\mathbb{Z}/p\mathbb{Z})^*$. Write $d = (p-1)/n$, for some divisor $n$ of $p - 1$. If $a$ is not a generator of $(\mathbb{Z}/p\mathbb{Z})^*$, then $n > 1$, and since $n \mid (p - 1)$, there is a prime divisor $p_i$ of $p - 1$ such that $p_i \mid n$. Then
$$a^{(p-1)/p_i} = \big(a^{(p-1)/n}\big)^{n/p_i} \equiv 1 \pmod p.$$
Conversely, if $a$ is a generator, then $a^{(p-1)/p_i} \not\equiv 1 \pmod p$ for any $i$. Thus the algorithm terminates with step 3 if and only if the $a$ under consideration is a primitive root. By the theorem on primitive roots there is at least one primitive root, so the algorithm terminates.

We implement the algorithm in Section 7.2.

2.6 Exercises

2.1 Compute the following gcd's using the Euclidean algorithm of Chapter 1: $\gcd(15, 35)$, $\gcd(247, 299)$, $\gcd(51, 897)$, $\gcd(136, 304)$.
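An added example, written for this page rather than taken from Chapter 7 of the book, that covers Sections 2.5.1, 2.5.2 and 2.5.4 together: it enumerates the roots of $x^d - 1$ in $\mathbb{Z}/n\mathbb{Z}$ (four roots modulo 8 and 15, exactly $d$ roots modulo a prime), follows the constructive proof of the primitive-root theorem for $p = 13$, runs the Primitive Root algorithm, and counts primitive roots modulo a general $n$ so that the examples $\varphi(\varphi(17)) = 8$ and "none modulo 8" can be checked. The prime divisors of $p - 1$ are found by trial division, so this is only for small $p$; the text's point that one must factor $p - 1$ is precisely why it does not scale.

```python
# Added example (not from the book): roots of x^d - 1 mod n, the constructive
# proof of the primitive-root theorem, the Primitive Root algorithm, and a
# brute-force count of primitive roots modulo n.
from math import gcd

def roots_of_x_pow_minus_one(d, n):
    """All x in Z/nZ with x^d = 1 (mod n)."""
    return [x for x in range(n) if pow(x, d, n) == 1]

def prime_divisors(n):
    """Distinct primes dividing n, by trial division (small n only)."""
    primes, q = [], 2
    while q * q <= n:
        if n % q == 0:
            primes.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if n > 1:
        primes.append(n)
    return primes

def primitive_root_by_construction(p):
    """Follow the proof: for each prime power q^k exactly dividing p - 1, take
    a root of x^(q^k) - 1 that is not a root of x^(q^(k-1)) - 1 (it has order
    q^k), and multiply these elements of coprime orders together."""
    if p == 2:
        return 1
    a = 1
    for q in prime_divisors(p - 1):
        qk = 1
        while (p - 1) % (qk * q) == 0:
            qk *= q                                # q^k exactly divides p - 1
        big = roots_of_x_pow_minus_one(qk, p)      # exactly q^k roots
        small = set(roots_of_x_pow_minus_one(qk // q, p))
        a_i = min(x for x in big if x not in small)   # order exactly q^k
        a = (a * a_i) % p
    return a

def smallest_primitive_root(p):
    """Algorithm (Primitive Root): the least a that generates (Z/pZ)*."""
    if p == 2:
        return 1
    divisors = prime_divisors(p - 1)
    a = 2
    while any(pow(a, (p - 1) // q, p) == 1 for q in divisors):
        a += 1
    return a

def primitive_roots(n):
    """All primitive roots modulo n, i.e. units of order phi(n). Empty when
    (Z/nZ)* is not cyclic, e.g. n = 8."""
    unit_list = [a for a in range(1, n) if gcd(a, n) == 1]
    ph = len(unit_list)                            # phi(n)
    return [a for a in unit_list
            if all(pow(a, ph // q, n) != 1 for q in prime_divisors(ph))]

if __name__ == "__main__":
    print(roots_of_x_pow_minus_one(4, 13), roots_of_x_pow_minus_one(3, 13))
    print(primitive_root_by_construction(13), smallest_primitive_root(13))
    print(primitive_roots(17), primitive_roots(9), primitive_roots(8))
```

For $p = 13$ the construction picks $5$ (the smallest root of $x^4 - 1$ that is not a root of $x^2 - 1$) and $3$, and returns $5 \cdot 3 \bmod 13 = 2$, exactly the element found in the example above; the algorithm also returns 2, since $2^6 \equiv 12$ and $2^4 \equiv 3 \pmod{13}$.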

2.2 Use Algorithm 2.3.3 to find $x, y \in \mathbb{Z}$ such that $2261x + (\,?\,)y = 17$ (the second coefficient is missing from this copy).

2.3 Prove that if $a$ and $b$ are integers and $p$ is a prime, then $(a + b)^p \equiv a^p + b^p \pmod p$. You may assume that the binomial coefficient $\frac{p!}{r!\,(p-r)!}$ is an integer.

2.4 (a) Prove that if $x, y$ is a solution to $ax + by = d$, then for all $c \in \mathbb{Z}$,
$$x' = x + c \cdot \frac{b}{d}, \qquad y' = y - c \cdot \frac{a}{d} \qquad (2.6.1)$$
is also a solution to $ax + by = d$.
(b) Find two distinct solutions to $2261x + (\,?\,)y = 17$ (same coefficient as in Exercise 2.2).
(c) Prove that all solutions are of the form (2.6.1) for some $c$.

2.5 Let $f(x) = x^2 + ax + b \in \mathbb{Z}[x]$ be a quadratic polynomial with integer coefficients and positive leading coefficient, e.g., $f(x) = x^2 + x + 6$. Formulate a conjecture about when the set $\{f(n) : n \in \mathbb{Z} \text{ and } f(n) \text{ is prime}\}$ is infinite. Give numerical evidence that supports your conjecture.

2.6 Find four complete sets of residues modulo 7, where the $i$th set satisfies the $i$th condition: (1) nonnegative, (2) odd, (3) even, (4) prime.

2.7 Find rules in the spirit of the divisibility-by-3 proposition of Section 2.1 for divisibility of an integer by 5, 9, and 11, and prove each of these rules using arithmetic modulo a suitable $n$.

2.8 (*) The following problem is from the 1998 Putnam Competition. Define a sequence of decimal integers $a_n$ as follows: $a_1 = 0$, $a_2 = 1$, and $a_{n+2}$ is obtained by writing the digits of $a_{n+1}$ immediately followed by those of $a_n$. For example, $a_3 = 10$, $a_4 = 101$, and $a_5 = 10110$. Determine the $n$ such that $a_n$ is a multiple of 11, as follows:
(a) Find the smallest integer $n > 1$ such that $a_n$ is divisible by 11.
(b) Prove that $a_n$ is divisible by 11 if and only if $n \equiv 1 \pmod 6$.

2.9 Find an integer $x$ such that $37x \equiv 1 \pmod{101}$.

2.10 What is the order of 2 modulo 17?

2.11 Let $p$ be a prime. Prove that $\mathbb{Z}/p\mathbb{Z}$ is a field.

2.12 Find an $x \in \mathbb{Z}$ such that $x \equiv 4 \pmod{17}$ and $x \equiv 3 \pmod{23}$.

2.13 Prove that if $n > 4$ is composite then $(n-1)! \equiv 0 \pmod n$.

2.14 For what values of $n$ is $\varphi(n)$ odd?

2.15 (a) Prove that $\varphi$ is multiplicative as follows. Suppose $m, n$ are positive integers and $\gcd(m, n) = 1$. Show that the natural map $\psi : \mathbb{Z}/mn\mathbb{Z} \to \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$ is an injective homomorphism of rings, hence bijective by counting, then look at unit groups.
(b) Prove conversely that if $\gcd(m, n) > 1$ then the natural map $\psi : \mathbb{Z}/mn\mathbb{Z} \to \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$ is not an isomorphism.

2.16 Seven competitive math students try to share a huge hoard of stolen math books equally between themselves. Unfortunately, six books are left over, and in the fight over them, one math student is expelled. The remaining six math students, still unable to share the math books equally since two are left over, again fight, and another is expelled. When the remaining five share the books, one book is left over, and it is only after yet another math student is expelled that an equal sharing is possible. What is the minimum number of books which allow this to happen?

2.17 Show that if $p$ is a positive integer such that both $p$ and ... are prime, then $p = \ldots$ (the second expression and the value are missing from this copy).

2.18 Let $\varphi : \mathbb{N} \to \mathbb{N}$ be the Euler $\varphi$ function.
(a) Find all natural numbers $n$ such that $\varphi(n) = 1$.
(b) Do there exist natural numbers $m$ and $n$ such that $\varphi(mn) \ne \varphi(m) \cdot \varphi(n)$?

2.19 Find a formula for $\varphi(n)$ directly in terms of the prime factorization of $n$.

2.20 Find all four solutions to the equation $x \ldots \pmod{35}$ (the equation is incomplete in this copy).

2.21 Prove that for any positive integer $n$ the fraction $(12n + 1)/(30n + 2)$ is in reduced form.

2.22 Suppose $a$ and $b$ are positive integers.
(a) Prove that $\gcd(2^a - 1, 2^b - 1) = 2^{\gcd(a, b)} - 1$.
(b) Does it matter if 2 is replaced by an arbitrary prime $p$?
(c) What if 2 is replaced by an arbitrary positive integer $n$?

2.23 For every positive integer $b$, show that there exists a positive integer $n$ such that the polynomial $x^2 - 1 \in (\mathbb{Z}/n\mathbb{Z})[x]$ has at least $b$ roots.

2.24 (a) Prove that there is no primitive root modulo $2^n$ for any $n \ge 3$.
(b) (*) Prove that $(\mathbb{Z}/2^n\mathbb{Z})^*$ is generated by $-1$ and ... (the second generator is missing from this copy).

2.25 Let $p$ be an odd prime.
(a) (*) Prove that there is a primitive root modulo $p^2$. (Hint: Use that if $a, b$ have orders $n, m$, with $\gcd(n, m) = 1$, then $ab$ has order $nm$.)
(b) Prove that for any $n$, there is a primitive root modulo $p^n$.
(c) Explicitly find a primitive root modulo ... (the modulus is missing from this copy).

2.26 (*) In terms of the prime factorization of $n$, characterize the integers $n$ such that there is a primitive root modulo $n$.


3 Public-Key Cryptography

The author recently watched a TV show (not movie!) called La Femme Nikita about a woman named Nikita who is forced to be an agent for a shady anti-terrorist organization called Section One. Nikita has strong feelings for fellow agent Michael, and she most trusts Walter, Section One's ex-biker gadgets and explosives expert. Often Nikita's worst enemies are her superiors and coworkers at Section One. A synopsis for a season three episode is as follows:

PLAYING WITH FIRE. On a mission to secure detonation chips from a terrorist organization's heavily armed base camp, Nikita is captured as a hostage by the enemy. Or so it is made to look. Michael and Nikita have actually created the scenario in order to secretly rendezvous with each other. The ruse works, but when Birkoff [Section One's master hacker] accidentally discovers encrypted messages between Michael and Nikita sent with Walter's help, Birkoff is forced to tell Madeline. Suspecting that Michael and Nikita may be planning a coup d'état, Operations and Madeline use a second team of operatives to track Michael and Nikita's next secret rendezvous... killing them if necessary.

FIGURE 3.1. Diffie and Hellman (photos from [Sin99])

What sort of encryption might Walter have helped them to use? I let my imagination run free, and this is what I came up with. After being captured at the base camp, Nikita is given a phone by her captors, in hopes that she'll use it and they'll be able to figure out what she is really up to. Everyone is eagerly listening in on her calls.

Remark. In this book we will assume available a method for producing random integers. Methods for generating random integers are involved and interesting, but we will not discuss them in this book. For an in depth treatment of random numbers, see [Knu98, Ch. 3].

Nikita remembers a conversation with Walter about a public-key cryptosystem called the Diffie-Hellman key exchange. She remembers that it allows two people to agree on a secret key in the presence of eavesdroppers. Moreover, Walter mentioned that though Diffie-Hellman was the first ever public-key exchange system, it is still in common use today (e.g., in OpenSSH protocol version 2, see http://). Nikita pulls out her handheld computer and phone, calls up Michael, and they do the following, which is wrong (try to figure out what is wrong as you read it).
1. Together they choose a big prime number $p$ and a number $g$ with $1 < g < p$.
2. Nikita secretly chooses an integer $n$.
3. Michael secretly chooses an integer $m$.
4. Nikita tells Michael $ng \pmod p$.
5. Michael tells $mg \pmod p$ to Nikita.
6. The secret key is $s = nmg \pmod p$, which both Nikita and Michael can easily compute.

[Figure: Michael and Nikita talking, with Section One and Nikita's captors listening in]

Here's a very simple example with small numbers that illustrates what Michael and Nikita do. (They really used much larger numbers.)

1. $p = 97$, $g = 5$
2. Nikita chooses $n$.
3. Michael chooses $m$.
4. $ng \equiv 58 \pmod{97}$
5. $mg \equiv 87 \pmod{97}$
6. $s = nmg \equiv 78 \pmod{97}$

Nikita and Michael are foiled because everyone easily figures out $s$:

1. Everyone knows $p$, $g$, $ng \pmod p$, and $mg \pmod p$.
2. Using Algorithm 2.3.3, anyone can easily find $a, b \in \mathbb{Z}$ such that $ag + bp = 1$, which exist because $\gcd(g, p) = 1$.
3. Then $a(ng) \equiv n \pmod p$, so everyone knows Nikita's secret key $n$, and hence can easily compute the shared secret $s$.

To taunt her, Nikita's captors give her a paragraph from a review of Diffie and Hellman's 1976 paper "New Directions in Cryptography" [DH76]:

"The authors discuss some recent results in communications theory [...] The first [method] has the feature that an unauthorized eavesdropper will find it computationally infeasible to decipher the message [...] They propose a couple of techniques for implementing the system, but the reviewer was unconvinced."

3.1 The Diffie-Hellman Key Exchange

As night darkens Nikita's cell, she reflects on what has happened. Upon realizing that she mis-remembered how the system works, she phones Michael and they do the following:

1. Together Michael and Nikita choose a 200-digit integer $p$ that is likely to be prime (see Section 2.4), and choose a number $g$ with $1 < g < p$.
2. Nikita secretly chooses an integer $n$.
3. Michael secretly chooses an integer $m$.
4. Nikita computes $g^n \pmod p$ on her handheld computer and tells Michael the resulting number over the phone.
5. Michael tells Nikita $g^m \pmod p$.
6. The shared secret key is then $s \equiv (g^n)^m \equiv (g^m)^n \equiv g^{nm} \pmod p$, which both Nikita and Michael can compute.

Here is a simplified example that illustrates what they did, that involves only relatively simple arithmetic.

1. $p = 97$, $g = 5$
2. Nikita chooses $n$.
3. Michael chooses $m$.
4. $g^n \equiv 7 \pmod p$
5. $g^m \equiv 39 \pmod p$
6. $s \equiv (g^n)^m \equiv 14 \pmod p$

3.1.1 The Discrete Log Problem

Nikita communicates with Michael by encrypting everything using their agreed upon secret key. In order to understand the conversation, the eavesdropper needs $s$, but it takes a long time to compute $s$ given only $p$, $g$, $g^n$, and $g^m$. One way would be to compute $n$ from knowledge of $g$ and $g^n$; this is possible, but appears to be computationally infeasible, in the sense that it would take too long to be practical.

Let $a$, $b$, and $n$ be real numbers with $a, b > 0$ and $n \geq 0$. Recall that the log to the base $b$ function is characterized by
$\log_b(a) = n$ if and only if $a = b^n$.
We use the $\log_b$ function in algebra to solve the following problem: Given a base $b$ and a power $a$ of $b$, find an exponent $n$ such that $a = b^n$. That is, given $a = b^n$ and $b$, find $n$.

Example. The number $a = 19683$ is the $n$th power of $b = 3$ for some $n$. With a calculator we quickly find that
$n = \log_3(19683) = \log(19683)/\log(3) = 9.$
A calculator can quickly compute an approximation for $\log(x)$ by computing a partial sum of an appropriate rapidly-converging infinite series (at least for $x$ in a certain range).

The discrete log problem is the analogue of this problem but in a finite group:

Problem 3.1.2 (Discrete Log Problem). Let $G$ be a finite abelian group, e.g., $G = (\mathbb{Z}/p\mathbb{Z})^*$. Given $b \in G$ and a power $a$ of $b$, find a positive integer $n$ such that $b^n = a$.

As far as we know, finding discrete logarithms when $p$ is large is difficult in practice. Over the years, many people have been very motivated to try. For example, if Nikita's captors could efficiently solve Problem 3.1.2, then they could read the messages she exchanges with Michael. Unfortunately, we have no formal proof that computing discrete logarithms on a classical computer is difficult. Also, Peter Shor [Sho97] showed that if one could build a sufficiently complicated quantum computer, it could solve the discrete logarithm problem in time bounded by a polynomial function of the number of digits of $\#G$.

It is easy to give an inefficient algorithm that solves the discrete log problem. Simply try $b^1, b^2, b^3$, etc., until we find an exponent $n$ such that $b^n = a$. For example, suppose $a = 18$, $b = 5$, and $p = 23$. Working modulo 23 we have
$b^1 = 5,\ b^2 = 2,\ b^3 = 10,\ \ldots,\ b^{12} = 18,$
so $n = 12$. When $p$ is large, computing the discrete log this way soon becomes impractical, because increasing the number of digits of the modulus makes the computation take vastly longer.

Perhaps part of the reason that computing discrete logarithms is difficult is that the logarithm in the real numbers is continuous, but the (minimum) logarithm of a number mod $n$ bounces around at random. We illustrate this exotic behavior in Figure 3.2.

FIGURE 3.2. Graphs of the continuous log and of the discrete log modulo 97. Which looks easier to compute?

3.1.2 Realistic Diffie-Hellman Example

In this section we present an example that uses bigger numbers. First we prove a proposition that we can use to choose a prime $p$ in such a way that it is easy to find a $g \in (\mathbb{Z}/p\mathbb{Z})^*$ with order $p - 1$. We have already seen in Section 2.5 that for every prime $p$ there exists an element $g$ of order $p - 1$, and we gave an algorithm there for finding a primitive root for any prime. The significance of the proposition below is that it suggests an algorithm for finding a primitive root that is easier to use in practice when $p$ is large, because it does not require factoring $p - 1$. Of course, one could also just use a random $g$ for Diffie-Hellman; it is not essential that $g$ generates $(\mathbb{Z}/p\mathbb{Z})^*$.

Proposition 3.1.3. Suppose $p$ is a prime such that $(p-1)/2$ is also prime. Then the elements of $(\mathbb{Z}/p\mathbb{Z})^*$ have order either $1$, $2$, $(p-1)/2$, or $p - 1$.

Proof. Since $p$ is prime, the group $(\mathbb{Z}/p\mathbb{Z})^*$ has order $p - 1$. By assumption, the prime factorization of $p - 1$ is $2 \cdot ((p-1)/2)$. Let $a \in (\mathbb{Z}/p\mathbb{Z})^*$. Then by Fermat's little theorem, $a^{p-1} = 1$, so the order of $a$ is a divisor of $p - 1$, which proves the proposition.

Given a prime $p$ with $(p-1)/2$ prime, find an element of order $p - 1$ as follows. If $2$ has order $p - 1$ we are done. If not, $2$ has order $(p-1)/2$ since $2$ doesn't have order either $1$ or $2$. Then $-2$ has order $p - 1$.

Let $p$ be our initial choice. Then $p$ is prime, but $(p-1)/2$ is not. So we keep adding 2 to $p$ and testing pseudoprimality using Section 2.4 until we find that the next pseudoprime after $p$ is $q$. It turns out that $q$ is pseudoprime and $(q-1)/2$ is also pseudoprime. We find that $2$ has order $(q-1)/2$, so $g = -2$ has order $q - 1$ and is hence a generator of $(\mathbb{Z}/q\mathbb{Z})^*$, at least assuming that $q$ is really prime.

The secret random numbers generated by Nikita and Michael are $n$ and $m$. Nikita sends $g^n \in (\mathbb{Z}/p\mathbb{Z})^*$ to Michael, and Michael sends $g^m \in (\mathbb{Z}/p\mathbb{Z})^*$ to Nikita. They agree on the secret key $g^{nm} \in (\mathbb{Z}/p\mathbb{Z})^*$.

Remark. See Chapter 7 for a computer implementation of the Diffie-Hellman key exchange.
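The procedure just described (keep adding 2 until both $p$ and $(p-1)/2$ pass a pseudoprimality test, then take $g = 2$ or $g = -2$ according to the order of $2$) can be carried out as follows. This is an added Python example, not code from the book or from its Chapter 7; it assumes the Miller-Rabin test as the pseudoprimality test of Section 2.4 (the book does not prescribe which test), and the starting point $10^{12}$ in the demonstration is a constructed value.

```python
# Added example: safe primes and generators via Proposition 3.1.3 (assumes Miller-Rabin).

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23)):
    """Miller-Rabin pseudoprimality test; deterministic for n below roughly 3.8e18."""
    if n < 2:
        return False
    for b in bases:                     # dispose of small primes and their multiples
        if n % b == 0:
            return n == b
    d, s = n - 1, 0                     # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                # base b witnesses that n is composite
    return True


def next_safe_prime(start):
    """Smallest p >= start such that p and (p-1)/2 both pass the test."""
    p = start if start % 2 else start + 1
    while not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        p += 2                          # "keep adding 2 to p", as in the text
    return p


def order_in_safe_prime_group(g, p):
    """Order of g in (Z/pZ)^* when (p-1)/2 is prime: by Proposition 3.1.3 only four values are possible."""
    q = (p - 1) // 2
    for k in (1, 2, q, p - 1):
        if pow(g, k, p) == 1:
            return k
    raise ValueError("p is not a prime with (p-1)/2 prime")


def generator_for_safe_prime(p):
    """If 2 does not generate, it has order (p-1)/2 and then -2 generates, as the text argues."""
    if order_in_safe_prime_group(2, p) == p - 1:
        return 2
    return p - 2                        # this is -2 modulo p


if __name__ == "__main__":
    p = next_safe_prime(10**12)         # constructed starting point, not the book's 200-digit p
    g = generator_for_safe_prime(p)
    print(p, (p - 1) // 2, g, order_in_safe_prime_group(g, p))
```

For a 200-digit $p$ as in the text, the same code works unchanged, only the search takes longer; note that it never factors $p - 1$, which is the point of the proposition.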

FIGURE 3.3. The Man in the Middle Attack: Nikita and The Man share $g^{nt} \pmod p$, while Michael and The Man share $g^{mt} \pmod p$.

3.1.3 The Man in the Middle Attack

After their first system was broken, instead of talking on the phone, Michael and Nikita can now only communicate via text messages. One of her captors, The Man, is watching each of the transmissions; moreover, he can intercept messages and send false messages. When Nikita sends a message to Michael announcing $g^n \pmod p$, The Man intercepts this message, and sends his own number $g^t \pmod p$ to Michael. Eventually, Michael and The Man agree on the secret key $g^{tm} \pmod p$, and Nikita and The Man agree on the key $g^{tn} \pmod p$. When Nikita sends a message to Michael she unwittingly uses the secret key $g^{tn} \pmod p$; The Man then intercepts it, decrypts it, changes it, and re-encrypts it using the key $g^{tm} \pmod p$, and sends it on to Michael. This is bad because now The Man can read every message sent between Michael and Nikita, and moreover, he can change them in transmission in subtle ways.

One way to get around this attack is to use a digital signature scheme based on the RSA cryptosystem. We will not discuss digital signatures further in this book, but will discuss RSA in the next section.
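The three exchanges of this chapter so far (the mis-remembered scheme that leaks $n$ through the extended GCD, the correct Diffie-Hellman exchange with its brute-force discrete log from Section 3.1.1, and the man-in-the-middle substitution of Section 3.1.3) are worked out together below. This is an added Python example, not the book's or its Chapter 7 code. The secret exponents $n = 31$ and $m = 95$ are my choice, made so that the announced values reproduce the book's numbers 58, 87, 78, 7, 39 and 14 for $p = 97$, $g = 5$; The Man's $t = 10$ is a constructed value.

```python
# Added example: the broken exchange, Diffie-Hellman, brute-force discrete logs, and the
# man-in-the-middle substitution, with p = 97, g = 5 and assumed exponents n = 31, m = 95.

def egcd(a, b):
    """Extended Euclidean algorithm (the role Algorithm 2.3.3 plays in the text):
    returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def broken_exchange(p, g, n, m):
    """The mis-remembered scheme: announced values n*g and m*g, key n*m*g (mod p)."""
    return n * g % p, m * g % p, n * m * g % p


def recover_broken_secret(p, g, ng, mg):
    """Anyone can undo multiplication by g: from a*g + b*p = 1 we get a*(ng) = n (mod p)."""
    _, a, _ = egcd(g, p)
    n = a * ng % p
    return n, n * mg % p          # Nikita's n and the shared secret n*m*g


def dh_public(p, g, secret):
    return pow(g, secret, p)      # g^secret mod p by repeated squaring


def dh_shared(p, received, secret):
    return pow(received, secret, p)   # (g^m)^n = (g^n)^m = g^{nm}


def brute_force_dlog(b, a, p):
    """Try b, b^2, b^3, ... until b^n = a (mod p); returns n, or None if a is not a power of b."""
    x = 1
    for n in range(1, p):
        x = x * b % p
        if x == a:
            return n
    return None


def man_in_the_middle(p, g, n, m, t):
    """The Man replaces both announcements by g^t. Returns the key Nikita ends up with and the key
    Michael ends up with; they differ, and The Man can derive both from the intercepted g^n, g^m."""
    gt = pow(g, t, p)
    nikita_key = pow(gt, n, p)    # g^{tn}, what Nikita computes from the forged value
    michael_key = pow(gt, m, p)   # g^{tm}, what Michael computes
    assert nikita_key == pow(dh_public(p, g, n), t, p)
    assert michael_key == pow(dh_public(p, g, m), t, p)
    return nikita_key, michael_key


if __name__ == "__main__":
    p, g, n, m = 97, 5, 31, 95
    print(broken_exchange(p, g, n, m), recover_broken_secret(p, g, 58, 87))
    print(dh_public(p, g, n), dh_public(p, g, m), dh_shared(p, dh_public(p, g, m), n))
    print(brute_force_dlog(g, 7, p), brute_force_dlog(5, 18, 23))
    print(man_in_the_middle(p, g, n, m, 10))
```

The last function shows why the attack goes unnoticed: each party holds a key that looks perfectly valid, and only a comparison of the two keys over a channel The Man cannot alter (or, as the text says, a signature on the announced values) reveals that they differ.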

3.2 The RSA Cryptosystem

The Diffie-Hellman key exchange has drawbacks. As discussed in Section 3.1.3, it is susceptible to the man in the middle attack. This section is about the RSA public-key cryptosystem of Rivest, Shamir, and Adleman [RSA78], which is an alternative to Diffie-Hellman that is more flexible in some ways. We first describe the RSA cryptosystem, then discuss several ways to attack it. It is important to be aware of such weaknesses, in order to avoid foolish mistakes when implementing RSA. We barely scratch the surface here of the many possible attacks on specific implementations of RSA or other cryptosystems.

3.2.1 How RSA works

The fundamental idea behind RSA is to try to construct a trap-door or one-way function on a set $X$, that is, an invertible function $E : X \to X$ such that it is easy for Nikita to compute $E^{-1}$, but extremely difficult for anybody else to do so. Here is how Nikita makes a one-way function $E$ on the set of integers modulo $n$.

1. Using a method hinted at in Section 2.4, Nikita picks two large primes $p$ and $q$, and lets $n = pq$.
2. It is then easy for Nikita to compute $\varphi(n) = \varphi(p) \cdot \varphi(q) = (p-1) \cdot (q-1)$.
3. Nikita next chooses a random integer $e$ with $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$.
4. Nikita uses the algorithm from Section 2.3 to find a solution $x = d$ to the equation $ex \equiv 1 \pmod{\varphi(n)}$.
5. Finally, Nikita defines a function $E : \mathbb{Z}/n\mathbb{Z} \to \mathbb{Z}/n\mathbb{Z}$ by $E(x) = x^e \in \mathbb{Z}/n\mathbb{Z}$. Anybody can compute $E$ fairly quickly using the repeated-squaring algorithm from Section 2.3.

Nikita's public key is the pair of integers $(n, e)$, which is just enough information for people to easily compute $E$. Nikita knows a number $d$ such that $ed \equiv 1 \pmod{\varphi(n)}$, so, as we will see, she can quickly compute $E^{-1}$.

To send Nikita a message, proceed as follows. Encode your message, in some way, as a sequence of numbers modulo $n$ (see Section 3.2.2)
$m_1, \ldots, m_r \in \mathbb{Z}/n\mathbb{Z},$
then send
$E(m_1), \ldots, E(m_r)$
to Nikita. (Recall that $E(m) = m^e$ for $m \in \mathbb{Z}/n\mathbb{Z}$.)

When Nikita receives $E(m_i)$, she finds each $m_i$ by using that $E^{-1}(m) = m^d$, a fact that follows from the following proposition.

Proposition (Decryption key). Let $n$ be an integer that is a product of distinct primes and let $d, e \in \mathbb{N}$ be such that $p - 1 \mid de - 1$ for each prime $p \mid n$. Then $a^{de} \equiv a \pmod n$ for all $a \in \mathbb{Z}$.

Proof. Since $n \mid a^{de} - a$ if and only if $p \mid a^{de} - a$ for each prime divisor $p$ of $n$, it suffices to prove that $a^{de} \equiv a \pmod p$ for each prime divisor $p$ of $n$. If $\gcd(a, p) \neq 1$, then $a \equiv 0 \pmod p$, so $a^{de} \equiv a \pmod p$. If $\gcd(a, p) = 1$, then Fermat's little theorem asserts that $a^{p-1} \equiv 1 \pmod p$. Since $p - 1 \mid de - 1$, we have $a^{de-1} \equiv 1 \pmod p$ as well. Multiplying both sides by $a$ shows that $a^{de} \equiv a \pmod p$.

Thus to decrypt $E(m_i)$ Nikita computes
$E(m_i)^d = (m_i^e)^d = m_i.$
For an implementation of RSA see Chapter 7.

3.2.2 Encoding a Phrase in a Number

In order to use the RSA cryptosystem to encrypt messages, it is necessary to encode them as a sequence of numbers of size less than $n = pq$. We now describe a simple way to do this. For an implementation of a slightly more general encoding that includes extra randomness so that plain text encodes differently each time, see Chapter 7.

Suppose $s$ is a sequence of capital letters and spaces, and that $s$ does not begin with a space. We encode $s$ as a number in base 27 as follows: a single space corresponds to 0, the letter A to 1, B to 2, ..., Z to 26. Thus RUN NIKITA is a number written in base 27.

To recover the letters from the decimal number, repeatedly divide by 27 and read off the letter corresponding to each remainder. The remainders give, in turn, A, T, I, K, I, N, space, N, U, R (the last two quotients being 507 and 18); reading these backwards spells RUN NIKITA.

If $27^k \leq n$, then any sequence of $k$ letters can be encoded as above using a positive integer $\leq n$. Thus if we can encrypt integers of size at most $n$, then we must break our message up into blocks of size at most $\lfloor \log_{27}(n) \rfloor$.

3.2.3 Examples

So the arithmetic is easy to follow, we use small primes $p$ and $q$ and encrypt the single letter X using the RSA cryptosystem.

1. Choose $p$ and $q$: Let $p = 17$, $q = 19$, so $n = pq = 323$.
2. Compute $\varphi(n)$: $\varphi(n) = \varphi(pq) = \varphi(p) \cdot \varphi(q) = (p-1)(q-1) = pq - p - q + 1 = 323 - 17 - 19 + 1 = 288$.
3. Randomly choose an $e < 288$: We choose $e = 95$.
4. Solve $95x \equiv 1 \pmod{288}$. Using the GCD algorithm, we find that $d = 191$ solves the equation.

The public key is $(323, 95)$, so the encryption function is $E(x) = x^{95}$, and the decryption function is $D(x) = x^{191}$. Next, we encrypt the letter X. It is encoded as the number 24, since X is the 24th letter of the alphabet. We have
$E(24) = 24^{95} = 294 \in \mathbb{Z}/323\mathbb{Z}.$

To decrypt, we compute $E^{-1}$:
$E^{-1}(294) = 294^{191} = 24 \in \mathbb{Z}/323\mathbb{Z}.$

This next example illustrates RSA but with bigger numbers. Let $p$ and $q$ be two large primes. Then $n = pq$ and $\varphi(n) = (p-1)(q-1)$. Using a pseudo-random number generator on a computer, the author randomly chose the integer $e$, and then computed $d$. Since $\log_{27}(n) \approx 38.04$, we can encode then encrypt single blocks of up to 38 letters. Let's encrypt RUN NIKITA, which encodes as $m$. We have $E(m) = m^e$.

Remark. In practice one usually chooses $e$ to be small, since that does not seem to reduce the security of RSA, and makes the key size smaller. For example, in the OpenSSL documentation (see http://) about their implementation of RSA it states that "The exponent is an odd number, typically 3, 17 or".

3.3 Attacking RSA

Suppose Nikita's public key is $(n, e)$ and her decryption key is $d$, so $ed \equiv 1 \pmod{\varphi(n)}$. If somehow we compute the factorization $n = pq$, then we can compute $\varphi(n) = (p-1)(q-1)$ and hence compute $d$. Thus if we can factor $n$ then we can break the corresponding RSA public-key cryptosystem.
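Sections 3.2.1 through 3.2.3 together describe one procedure: generate $(n, e)$ and $d$, encode a phrase in base 27, cut it into blocks of $\lfloor \log_{27} n \rfloor$ letters, and apply $x \mapsto x^e$ and $x \mapsto x^d$. The following added Python example (mine, not the book's or its Chapter 7 code) carries it through for the key $(323, 95)$, $d = 191$ and the letter X above, and also for a constructed larger key built from the primes 10007 and 10009 with $e = 65537$. It also handles a case the text's encoding leaves open: once a phrase is cut into blocks, a block may begin with a space, which would be a lost leading zero, so the decoder is told the block width.

```python
# Added example: RSA key generation, base-27 encoding of Section 3.2.2, and block-wise
# encryption/decryption. Primes 10007, 10009 and e = 65537 are constructed test values.
from math import gcd

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # digit 0 is a space, 1 = A, ..., 26 = Z


def to_number(s):
    """Base-27 value of a string of capital letters and spaces (leftmost letter most significant)."""
    value = 0
    for ch in s:
        value = value * 27 + ALPHABET.index(ch)   # ValueError for any other character
    return value


def encode_phrase(s):
    """The encoding of Section 3.2.2; a leading space would be a leading zero and be lost."""
    if not s or s[0] == " ":
        raise ValueError("phrase must be nonempty and must not begin with a space")
    return to_number(s)


def decode_number(x, width=None):
    """Repeatedly divide by 27 and read letters off the remainders; pad to `width` with leading spaces."""
    letters = []
    while x > 0:
        x, r = divmod(x, 27)
        letters.append(ALPHABET[r])
    s = "".join(reversed(letters))
    return s.rjust(width) if width else s


def block_length(n):
    """Largest k with 27^k <= n, so that every k-letter block encodes to an integer below n."""
    k = 0
    while 27 ** (k + 1) <= n:
        k += 1
    return k


def rsa_keygen(p, q, e):
    """Steps 1-4 of Section 3.2.1: n = pq, phi(n) = (p-1)(q-1), d = e^{-1} mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+), the GCD-algorithm step
    return (n, e), d


def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)            # E(m) = m^e


def rsa_decrypt(n, d, c):
    return pow(c, d, n)            # E^{-1}(c) = c^d


def encrypt_phrase(public_key, s):
    """Cut s into blocks of block_length(n) letters and encrypt each block separately."""
    n, _ = public_key
    k = block_length(n)
    return [rsa_encrypt(public_key, to_number(s[i:i + k])) for i in range(0, len(s), k)]


def decrypt_phrase(n, d, ciphertexts, length):
    """Inverse of encrypt_phrase; `length` (the phrase length) fixes the width of the last block."""
    k = block_length(n)
    out = []
    for i, c in enumerate(ciphertexts):
        width = k if i < len(ciphertexts) - 1 else length - k * (len(ciphertexts) - 1)
        out.append(decode_number(rsa_decrypt(n, d, c), width))
    return "".join(out)


if __name__ == "__main__":
    key, d = rsa_keygen(17, 19, 95)
    print(key, d, rsa_encrypt(key, 24), rsa_decrypt(323, d, 294))
    print(encode_phrase("RUN NIKITA"), decode_number(encode_phrase("RUN NIKITA")))
```

With $n = 323$ every block is a single letter, which is exactly the situation of Exercise 3.2 below: each of the 27 possible plaintext blocks always encrypts to the same ciphertext, so the "encryption" is a fixed substitution table. The larger key gives five-letter blocks and is less transparent, but the deterministic encoding is still why Section 3.3.4 recommends adding randomness to each block.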

3.3.1 Factoring $n$ Given $\varphi(n)$

Suppose $n = pq$. Given $\varphi(n)$, it is very easy to compute $p$ and $q$. We have
$\varphi(n) = (p-1)(q-1) = pq - (p+q) + 1,$
so we know both $pq = n$ and $p + q = n + 1 - \varphi(n)$. Thus we know the polynomial
$x^2 - (p+q)x + pq = (x - p)(x - q)$
whose roots are $p$ and $q$. These roots can be found using the quadratic formula.

Example. Suppose the number $n = pq$ is a product of two primes, and $\varphi(n)$ is known. We have
$f = x^2 - (n + 1 - \varphi(n))x + n = (x - p)(x - q),$
where the factorization step is easily accomplished using the quadratic formula
$\frac{-b + \sqrt{b^2 - 4ac}}{2a}$
with $a = 1$, $b = -(n + 1 - \varphi(n))$ and $c = n$. We conclude that $n = pq$ with $p$ and $q$ the two roots.

3.3.2 When $p$ and $q$ are Close

Suppose that $p$ and $q$ are close to each other. Then it is easy to factor $n$ using a factorization method of Fermat. Suppose $n = pq$ with $p > q$, say. Then
$n = \left(\frac{p+q}{2}\right)^2 - \left(\frac{p-q}{2}\right)^2.$
Since $p$ and $q$ are close,
$s = \frac{p-q}{2}$
is small,
$t = \frac{p+q}{2}$
is only slightly larger than $\sqrt{n}$, and $t^2 - n = s^2$ is a perfect square. So we just try
$t = \lceil\sqrt{n}\rceil,\quad t = \lceil\sqrt{n}\rceil + 1,\quad t = \lceil\sqrt{n}\rceil + 2,\ \ldots$

until $t^2 - n$ is a perfect square $s^2$. (Here $\lceil x \rceil$ denotes the least integer $\geq x$.) Then
$p = t + s,\quad q = t - s.$

Example. For the $n$ of this example, the first two values of $t$ give a $t^2 - n$ that is not a perfect square; for the third, $\sqrt{t^2 - n} = 804 \in \mathbb{Z}$. Thus $s = 804$. We find that $p = t + s$ and $q = t - s$.

3.3.3 Factoring $n$ Given $d$

In this section, we show that finding the decryption key $d$ for an RSA cryptosystem is, in practice, at least as difficult as factoring $n$. We give a probabilistic algorithm that given a decryption key determines the factorization of $n$.

Consider an RSA cryptosystem with modulus $n$ and encryption key $e$. Suppose we somehow find an integer $d$ such that $a^{ed} \equiv a \pmod n$ for all $a$. Then $m = ed - 1$ satisfies $a^m \equiv 1 \pmod n$ for all $a$ that are coprime to $n$. As we saw in Section 3.3.1, knowing $\varphi(n)$ leads directly to a factorization of $n$. Unfortunately, knowing $d$ does not seem to lead easily to a factorization of $n$. However, there is a probabilistic procedure that, given an $m$ such that $a^m \equiv 1 \pmod n$, will find a factorization of $n$ with high probability (we will not analyze the probability here).

Algorithm 3.3.3 (Probabilistic Algorithm to Factor $n$). Let $n = pq$ be the product of two distinct odd primes, and suppose $m$ is an integer such that $a^m \equiv 1 \pmod n$ for all $a$ coprime to $n$. This probabilistic algorithm factors $n$ with high probability. In the steps below, $a$ always denotes an integer coprime to $n = pq$.

1. [Divide out powers of 2] If $a^{m/2} \equiv 1 \pmod n$ for several randomly chosen $a$, set $m = m/2$, and go to step 1; otherwise let $a$ be such that $a^{m/2} \not\equiv 1 \pmod n$.
2. [Compute GCD's] Compute $g = \gcd(a^{m/2} - 1, n)$.
3. [Terminate?] If $g$ is a proper divisor of $n$, output $g$ and terminate. Otherwise go to step 1 and choose a different $a$.

In step 1, note that $m$ is even since $(-1)^m \equiv 1 \pmod n$, so it makes sense to consider $m/2$. It is not practical to determine whether or not $a^{m/2} \equiv 1 \pmod n$ for all $a$, because it would require doing a computation for too

many $a$. Instead, we try a few random $a$; if $a^{m/2} \equiv 1 \pmod n$ for the $a$ we check, we divide $m$ by 2. Also note that if there exists even a single $a$ such that $a^{m/2} \not\equiv 1 \pmod n$, then half the $a$ have this property, since then $a \mapsto a^{m/2}$ is a surjective homomorphism $(\mathbb{Z}/n\mathbb{Z})^* \to \{\pm 1\}$ and the kernel has index 2.

Proposition 2.5.3 implies that if $x^2 \equiv 1 \pmod p$ then $x \equiv \pm 1 \pmod p$. In step 2, since $(a^{m/2})^2 \equiv 1 \pmod n$, we also have $(a^{m/2})^2 \equiv 1 \pmod p$ and $(a^{m/2})^2 \equiv 1 \pmod q$, so $a^{m/2} \equiv \pm 1 \pmod p$ and $a^{m/2} \equiv \pm 1 \pmod q$. Since $a^{m/2} \not\equiv 1 \pmod n$, there are three possibilities for these signs, so with probability $2/3$, one of the following two possibilities occurs:

1. $a^{m/2} \equiv +1 \pmod p$ and $a^{m/2} \equiv -1 \pmod q$
2. $a^{m/2} \equiv -1 \pmod p$ and $a^{m/2} \equiv +1 \pmod q$.

The only other possibility is that both signs are $-1$. In the first case, $p \mid a^{m/2} - 1$ but $q \nmid a^{m/2} - 1$, so $\gcd(a^{m/2} - 1, pq) = p$, and we have factored $n$. Similarly, in the second case, $\gcd(a^{m/2} - 1, pq) = q$, and we again factor $n$.

Example. Somehow we discover that the RSA cryptosystem with modulus $n$ and encryption key $e$ has decryption key $d$. We use this information and Algorithm 3.3.3 to factor $n$. If $m = ed - 1$, then $\varphi(pq) \mid m$, so $a^m \equiv 1 \pmod n$ for all $a$ coprime to $n$. For each $a \leq 20$ we find that $a^{m/2} \equiv 1 \pmod n$, so we replace $m$ by $m/2$. Again, we find with this new $m$ that for each $a \leq 20$, $a^{m/2} \equiv 1 \pmod n$, so we replace $m$ by $m/2$. Yet again, for each $a \leq 20$, $a^{m/2} \equiv 1 \pmod n$, so we replace $m$ by $m/2$. This is enough, since $2^{m/2} \not\equiv 1 \pmod n$. Then $\gcd(2^{m/2} - 1, n)$ is a proper divisor of $n$, and we have found a factor of $n$. Dividing, we find the factorization $n = pq$.
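The three attacks of Sections 3.3.1 to 3.3.3 are implemented together below, as an added Python example that is not part of the book or its Chapter 7 code. The moduli used to exercise them ($323 = 17 \cdot 19$, $10403 = 101 \cdot 103$ with $e = 7$, $d = 8743$, and $10007 \cdot 10009$) are constructed values, not the book's; the algorithm of Section 3.3.3 is run with the fixed bases $2, \ldots, 20$ of the text's example in place of random $a$.

```python
# Added example: factoring n from phi(n), Fermat's method for close p and q, and
# Algorithm 3.3.3 (factoring n from the decryption key d). Test moduli are constructed.
from math import gcd, isqrt


def factor_from_phi(n, phi):
    """Section 3.3.1: p + q = n + 1 - phi(n) and pq = n, so p, q are the roots of x^2 - (p+q)x + pq."""
    s = n + 1 - phi                 # p + q
    disc = s * s - 4 * n            # (p+q)^2 - 4pq = (p-q)^2, the discriminant
    r = isqrt(disc) if disc >= 0 else -1
    if r * r != disc:
        raise ValueError("phi is not phi(n) for a product of two primes")
    return (s - r) // 2, (s + r) // 2


def fermat_factor(n, max_steps=10**6):
    """Section 3.3.2: try t = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until t^2 - n is a square s^2."""
    t = isqrt(n)
    if t * t < n:
        t += 1                      # ceil(sqrt(n))
    for _ in range(max_steps):
        s = isqrt(t * t - n)
        if s * s == t * t - n:
            return t - s, t + s     # q = t - s, p = t + s
        t += 1
    return None                     # p and q are not close enough for this many steps


def factor_from_d(n, e, d, bases=range(2, 21)):
    """Algorithm 3.3.3 with fixed bases 2..20 (the text's example) instead of random a."""
    m = e * d - 1                   # a^m = 1 (mod n) for every a coprime to n
    while m % 2 == 0:
        saw_nontrivial_root = False
        for a in bases:
            g = gcd(a, n)
            if g != 1:              # a itself shares a factor with n: done by luck
                return min(g, n // g), max(g, n // g)
            x = pow(a, m // 2, n)
            if x == 1:
                continue
            saw_nontrivial_root = True      # step 1: stop halving, this a has a^{m/2} != 1
            g = gcd(x - 1, n)               # step 2
            if 1 < g < n:                   # step 3: +1 modulo one prime, -1 modulo the other
                return min(g, n // g), max(g, n // g)
        if saw_nontrivial_root:
            raise ValueError("every base gave a^(m/2) = -1 (mod n); try other bases")
        m //= 2                     # all bases gave 1: divide out a power of 2 and repeat
    raise ValueError("m became odd without producing a factor")


if __name__ == "__main__":
    print(factor_from_phi(323, 288), fermat_factor(323), factor_from_d(323, 95, 191))
    print(factor_from_phi(10403, 10200), fermat_factor(10007 * 10009), factor_from_d(10403, 7, 8743))
```

For $n = 10403$ the run mirrors the text's example: the bases all give $a^{m/2} \equiv 1$ twice, $m$ is halved twice, and then $2^{m/2} \not\equiv 1 \pmod n$ already yields $\gcd(2^{m/2} - 1, n) = 103$. Fermat's method is the reason key generators reject primes that are too close: $10007 \cdot 10009$ is split at the very first $t$.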

3.3.4 Further Remarks

If one were to implement an actual RSA cryptosystem, there are many additional tricks and ideas to keep in mind. For example, one can add some extra random letters to each block of text, so that a given string will encrypt differently each time it is encrypted. This makes it more difficult for an attacker who knows the encrypted and plaintext versions of one message to gain information about subsequent encrypted messages. For an example implementation that incorporates this randomness, see the listing in Chapter 7.

In any particular implementation, there might be attacks that would be devastating in practice, but which wouldn't require factoring the RSA modulus. RSA is in common use, e.g., it is used in OpenSSH protocol version 1 (see http://). We will consider the ElGamal cryptosystem in the section on elliptic curve cryptography in Chapter 6. It has a similar flavor to RSA, but is more flexible in some ways.

3.4 Exercises

3.1 This problem concerns encoding phrases using numbers using the encoding of Section 3.2.2. What is the longest that an arbitrary sequence of letters (no spaces) can be if it must fit in a number that is less than $10^{20}$?

3.2 Suppose Michael creates an RSA cryptosystem with a very large modulus $n$ for which the factorization of $n$ cannot be found in a reasonable amount of time. Suppose that Nikita sends messages to Michael by representing each alphabetic character as an integer between 0 and 26 (A corresponds to 1, B to 2, etc., and a space to 0), then encrypts each number separately using Michael's RSA cryptosystem. Is this method secure? Explain your answer.

3.3 For any $n \in \mathbb{N}$, let $\sigma(n)$ be the sum of the divisors of $n$; for example, $\sigma(6) = 1 + 2 + 3 + 6 = 12$ and $\sigma(10) = 1 + 2 + 5 + 10 = 18$. Suppose that $n = pqr$ with $p$, $q$, and $r$ distinct primes. Devise an efficient algorithm that given $n$, $\varphi(n)$ and $\sigma(n)$, computes the factorization of $n$. For example, if $n = 105$, then $p = 3$, $q = 5$, and $r = 7$, so the input to the algorithm would be $n = 105$, $\varphi(n) = 48$, and $\sigma(n) = 192$, and the output would be 3, 5, and 7.

For computational exercises about cryptosystems, see the exercises for Chapter 7.

4 Quadratic Reciprocity

The linear equation $ax \equiv b \pmod n$ has a solution if and only if $\gcd(a, n)$ divides $b$ (see Proposition 2.1.9). This chapter is about some amazing mathematics motivated by the search for a criterion for whether or not a quadratic equation $ax^2 + bx + c \equiv 0 \pmod n$ has a solution. In many cases, the Chinese Remainder Theorem and the quadratic formula reduce this question to the key question of whether a given integer $a$ is a perfect square modulo a prime $p$.

The quadratic reciprocity law of Gauss provides a precise answer to the following question: For which primes $p$ is the image of $a$ in $(\mathbb{Z}/p\mathbb{Z})^*$ a perfect square? Amazingly, the answer depends only on the reduction of $p$ modulo $4a$.

There are over a hundred proofs of the quadratic reciprocity law (see [Lem] for a long list). We give two proofs. The first, which we give in Section 4.3, is completely elementary and involves keeping track of integer points in intervals. It is satisfying because one can understand every detail without much abstraction, but it is unsatisfying because it is difficult to conceptualize what is going on. In sharp contrast, our second proof, which we give in Section 4.4, is more abstract and uses a conceptual development of properties of Gauss sums. You should read Sections 4.1 and 4.2, then at least one of Section 4.3 or Section 4.4, depending on your taste and how much abstract algebra you know.

In Section 4.5, we return to the computational question of actually finding square roots and solving quadratic equations in practice.

4.1 Statement of the Quadratic Reciprocity Law

In this section we state the quadratic reciprocity law.

Definition (Quadratic Residue). Fix a prime $p$. An integer $a$ not divisible by $p$ is a quadratic residue modulo $p$ if $a$ is a square modulo $p$; otherwise, $a$ is a quadratic nonresidue.

The quadratic reciprocity theorem connects the question of whether or not $a$ is a quadratic residue modulo $p$ to the question of whether $p$ is a quadratic residue modulo each of the prime divisors of $a$. To express it precisely, we introduce some new notation.

Definition (Legendre Symbol). Let $p$ be an odd prime and let $a$ be an integer coprime to $p$. Set
$\left(\frac{a}{p}\right) = \begin{cases} +1 & \text{if } a \text{ is a quadratic residue, and} \\ -1 & \text{otherwise.} \end{cases}$
We call this symbol the Legendre Symbol.

This notation is well entrenched in the literature, even though it is also the notation for $a$ divided by $p$; be careful not to confuse the two.

Since $\left(\frac{a}{p}\right)$ only depends on $a \pmod p$, it makes sense to define $\left(\frac{a}{p}\right)$ for $a \in \mathbb{Z}/p\mathbb{Z}$ to be $\left(\frac{\tilde a}{p}\right)$ for any lift $\tilde a$ of $a$ to $\mathbb{Z}$.

Lemma 4.1.3. The map $\psi : (\mathbb{Z}/p\mathbb{Z})^* \to \{\pm 1\}$ given by $\psi(a) = \left(\frac{a}{p}\right)$ is a surjective group homomorphism.

Proof. By Theorem 2.5.5, $G = (\mathbb{Z}/p\mathbb{Z})^*$ is a cyclic group of order $p - 1$. Because $p$ is odd, $G$ has even order, so the subgroup $H$ of squares of elements of $G$ has index 2 in $G$. Since $\left(\frac{a}{p}\right) = 1$ if and only if $a \in H$, we see that $\psi$ is the composition $G \to G/H \cong \{\pm 1\}$, where we identify the nontrivial element of $G/H$ with $-1$.

Remark. We could also prove that $\psi$ is surjective without using that $(\mathbb{Z}/p\mathbb{Z})^*$ is cyclic, as follows. If $a \in (\mathbb{Z}/p\mathbb{Z})^*$ is a square, say $a \equiv b^2 \pmod p$, then $a^{(p-1)/2} = b^{p-1} \equiv 1 \pmod p$, so $a$ is a root of $f = x^{(p-1)/2} - 1$. By Proposition 2.5.2, the polynomial $f$ has at most $(p-1)/2$ roots. Thus there must be an $a \in (\mathbb{Z}/p\mathbb{Z})^*$ that is not a root of $f$, and for that $a$, we have $\psi(a) = \left(\frac{a}{p}\right) = -1$, and trivially $\psi(1) = 1$, so the map $\psi$ is surjective. Note

that this argument does not prove that $\psi$ is a homomorphism, though it can be extended to one that does.

TABLE 4.1. When is 5 a square modulo $p$? (Columns: $p$, $\left(\frac{5}{p}\right)$, $p \bmod 5$.)

The symbol $\left(\frac{a}{p}\right)$ only depends on the residue class of $a$ modulo $p$, so making a table of values $\left(\frac{a}{5}\right)$ for many values of $a$ would be easy. Would it be easy to make a table of $\left(\frac{5}{p}\right)$ for many $p$? Probably, since there is a simple pattern in Table 4.1. It appears that $\left(\frac{5}{p}\right)$ depends only on the congruence class of $p$ modulo 5. More precisely, $\left(\frac{5}{p}\right) = 1$ if and only if $p \equiv 1, 4 \pmod 5$, i.e., $\left(\frac{5}{p}\right) = 1$ if and only if $p$ is a square modulo 5.

Based on similar observations, in the 18th century various mathematicians found a conjectural explanation for the mystery suggested by Table 4.1. Finally, on April 8, 1796, at the age of 19, Gauss proved the following theorem.

Theorem (Gauss's Quadratic Reciprocity Law). Suppose $p$ and $q$ are distinct odd primes. Then
$\left(\frac{p}{q}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}} \left(\frac{q}{p}\right).$
Also
$\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2}$
and
$\left(\frac{2}{p}\right) = \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod 8 \\ -1 & \text{if } p \equiv \pm 3 \pmod 8. \end{cases}$

We will give two proofs of Gauss's formula relating $\left(\frac{p}{q}\right)$ to $\left(\frac{q}{p}\right)$. The first elementary proof is in Section 4.3, and the second more algebraic proof is in Section 4.4.

In our example Gauss's theorem implies that
$\left(\frac{5}{p}\right) = (-1)^{\frac{5-1}{2} \cdot \frac{p-1}{2}} \left(\frac{p}{5}\right) = \left(\frac{p}{5}\right) = \begin{cases} +1 & \text{if } p \equiv 1, 4 \pmod 5 \\ -1 & \text{if } p \equiv 2, 3 \pmod 5. \end{cases}$

As an application, the following example illustrates how to answer questions like "is $a$ a square modulo $b$" using Gauss's theorem above.

Example. Is 69 a square modulo the prime 389? We have
$\left(\frac{69}{389}\right) = \left(\frac{3}{389}\right)\left(\frac{23}{389}\right) = \left(\frac{389}{3}\right)\left(\frac{389}{23}\right) = (-1)(-1) = 1.$
Here
$\left(\frac{3}{389}\right) = \left(\frac{389}{3}\right) = \left(\frac{2}{3}\right) = -1,$
and
$\left(\frac{23}{389}\right) = \left(\frac{389}{23}\right) = \left(\frac{-2}{23}\right) = \left(\frac{-1}{23}\right)\left(\frac{2}{23}\right) = (-1)(1) = -1.$
Thus 69 is a square modulo 389. Though we know that 69 is a square modulo 389, we don't know an explicit $x$ such that $x^2 \equiv 69 \pmod{389}$! This is reminiscent of how we could prove using Fermat's little theorem that certain numbers are composite without knowing a factorization.

Remark. The Jacobi symbol is an extension of the Legendre symbol to composite moduli. For more details, see the exercises for this chapter.

4.2 Euler's Criterion

Let $p$ be an odd prime and $a$ an integer not divisible by $p$. Euler used the existence of primitive roots to show that $\left(\frac{a}{p}\right)$ is congruent to $a^{(p-1)/2}$ modulo $p$. We will use this fact repeatedly below in both proofs of the quadratic reciprocity law.

Proposition 4.2.1 (Euler's Criterion). We have $\left(\frac{a}{p}\right) = 1$ if and only if $a^{(p-1)/2} \equiv 1 \pmod p$.

Proof. The map $\varphi : (\mathbb{Z}/p\mathbb{Z})^* \to (\mathbb{Z}/p\mathbb{Z})^*$ given by $\varphi(a) = a^{(p-1)/2}$ is a group homomorphism, since powering is a group homomorphism of any abelian group. Let $\psi : (\mathbb{Z}/p\mathbb{Z})^* \to \{\pm 1\}$ be the homomorphism $\psi(a) = \left(\frac{a}{p}\right)$ of Lemma 4.1.3. If $a \in \ker(\psi)$, then $a = b^2$ for some $b \in \mathbb{Z}/p\mathbb{Z}$, so $\varphi(a) = a^{(p-1)/2} = (b^2)^{(p-1)/2} = b^{p-1} = 1$. Thus $\ker(\psi) \subset \ker(\varphi)$. By Lemma 4.1.3, $\ker(\psi)$ has index 2 in $(\mathbb{Z}/p\mathbb{Z})^*$, so either $\ker(\varphi) = \ker(\psi)$ or $\varphi = 1$. If $\varphi = 1$, the polynomial $x^{(p-1)/2} - 1$

has $p - 1$ roots in the field $\mathbb{Z}/p\mathbb{Z}$, which contradicts Proposition 2.5.2, so $\ker(\varphi) = \ker(\psi)$, which proves the proposition.

From a computational point of view, Corollary 4.2.2 provides a convenient way to compute $\left(\frac{a}{p}\right)$. See Chapter 7 for an implementation.

Corollary 4.2.2. The equation $x^2 \equiv a \pmod p$ has no solution if and only if $a^{(p-1)/2} \equiv -1 \pmod p$. Thus
$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p.$

Proof. This follows from Proposition 4.2.1 and the fact that the polynomial $x^2 - 1$ has no roots besides $+1$ and $-1$ (which follows from Proposition 2.5.3).

As additional computational motivation for the value of Corollary 4.2.2, note that to evaluate $\left(\frac{a}{p}\right)$ using the reciprocity theorem would not be practical if $a$ and $p$ are both very large, because it would require factoring $a$. However, Corollary 4.2.2 provides a method for evaluating $\left(\frac{a}{p}\right)$ without factoring $a$.

Example. Suppose $p = 11$. By squaring each element of $(\mathbb{Z}/11\mathbb{Z})^*$, we see that the squares modulo 11 are $\{1, 3, 4, 5, 9\}$. We compute $a^{(p-1)/2} = a^5$ for each $a \in (\mathbb{Z}/11\mathbb{Z})^*$ and get
$1^5 = 1,\ 2^5 = -1,\ 3^5 = 1,\ 4^5 = 1,\ 5^5 = 1,\ 6^5 = -1,\ 7^5 = -1,\ 8^5 = -1,\ 9^5 = 1,\ 10^5 = -1.$
Thus the $a$ with $a^5 = 1$ are $\{1, 3, 4, 5, 9\}$, just as Proposition 4.2.1 predicts.

Example. We determine whether or not 3 is a square modulo a particular large prime $p$. Using a computer we find that
$3^{(p-1)/2} \equiv -1 \pmod p.$
Thus 3 is not a square modulo $p$. This computation wasn't difficult, but it would have been tedious by hand. The law of quadratic reciprocity provides a way to answer this question, which could easily be carried out by hand:
$\left(\frac{3}{p}\right) = (-1)^{\frac{3-1}{2} \cdot \frac{p-1}{2}} \left(\frac{p}{3}\right) = -1.$

4.3 First Proof of Quadratic Reciprocity

Our first proof of quadratic reciprocity is elementary. The proof involves keeping track of integer points in intervals. Proving Gauss's lemma is the

first step; this lemma computes $\left(\frac{a}{p}\right)$ in terms of the number of integers of a certain type that lie in a certain interval. Next we prove Lemma 4.3.2, which controls how the parity of the number of integer points in an interval changes when an endpoint of the interval is changed. Then we prove that $\left(\frac{a}{p}\right)$ depends only on $p$ modulo $4a$ by applying Gauss's lemma and keeping careful track of intervals as they are rescaled and their endpoints are changed. Finally, in Section 4.3.2 we use some basic algebra to deduce the quadratic reciprocity law using the tools we've just developed. Our proof follows the one given in [Dav99] closely.

Lemma 4.3.1 (Gauss's Lemma). Let $p$ be an odd prime and let $a$ be an integer $\not\equiv 0 \pmod p$. Form the numbers $a, 2a, 3a, \ldots, \frac{p-1}{2}a$ and reduce them modulo $p$ to lie in the interval $(-\frac{p}{2}, \frac{p}{2})$. Let $\nu$ be the number of negative numbers in the resulting set. Then
$\left(\frac{a}{p}\right) = (-1)^\nu.$

Proof. In defining $\nu$, we expressed each number in
$S = \left\{a, 2a, \ldots, \frac{p-1}{2}a\right\}$
as congruent to a number in the set
$\left\{1, -1, 2, -2, \ldots, \frac{p-1}{2}, -\frac{p-1}{2}\right\}.$
No number $1, 2, \ldots, \frac{p-1}{2}$ appears more than once, with either choice of sign, because if it did then either two elements of $S$ are congruent modulo $p$ or $0$ is the sum of two elements of $S$, and both events are impossible. Thus the resulting set must be of the form
$T = \left\{\varepsilon_1 \cdot 1,\ \varepsilon_2 \cdot 2,\ \ldots,\ \varepsilon_{(p-1)/2} \cdot \frac{p-1}{2}\right\},$
where each $\varepsilon_i$ is either $+1$ or $-1$. Multiplying together the elements of $S$ and of $T$, we see that
$(1a)(2a)(3a) \cdots \left(\frac{p-1}{2}a\right) \equiv (\varepsilon_1 \cdot 1)(\varepsilon_2 \cdot 2) \cdots \left(\varepsilon_{(p-1)/2} \cdot \frac{p-1}{2}\right) \pmod p,$
so
$a^{(p-1)/2} \equiv \varepsilon_1 \varepsilon_2 \cdots \varepsilon_{(p-1)/2} \pmod p.$
The lemma then follows from Proposition 4.2.1, since $\left(\frac{a}{p}\right) = a^{(p-1)/2}$.
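Sections 4.1 through 4.3 so far give three independent ways to evaluate $\left(\frac{a}{p}\right)$: the reciprocity rules of Gauss's theorem (which require factoring $a$), Euler's criterion of Corollary 4.2.2 (a single modular exponentiation), and the sign count of Gauss's Lemma 4.3.1. The added Python example below (my code, not the book's or its Chapter 7 implementation) implements all three so they can be checked against each other; `trial_factor` is my own helper for the factoring that the reciprocity route needs, and the ranges of primes used in the checks are constructed.

```python
# Added example: the Legendre symbol by quadratic reciprocity, by Euler's criterion, and by
# Gauss's lemma. All three must agree; the checks below confirm it for small primes.

def legendre_euler(a, p):
    """Corollary 4.2.2: (a/p) = a^((p-1)/2) mod p, read as 0, +1 or -1 (p an odd prime)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def legendre_gauss_lemma(a, p):
    """Lemma 4.3.1: reduce a, 2a, ..., ((p-1)/2)a into (-p/2, p/2) and count the negative ones."""
    a %= p
    if a == 0:
        return 0
    half = (p - 1) // 2
    # a residue r in [0, p) with r > (p-1)/2 is the negative number r - p of (-p/2, p/2)
    nu = sum(1 for k in range(1, half + 1) if (k * a) % p > half)
    return -1 if nu % 2 else 1


def trial_factor(m):
    """Factorization of m >= 1 as a list of (prime, exponent) pairs by trial division (helper)."""
    factors, d = [], 2
    while d * d <= m:
        k = 0
        while m % d == 0:
            m //= d
            k += 1
        if k:
            factors.append((d, k))
        d += 1
    if m > 1:
        factors.append((m, 1))
    return factors


def legendre_reciprocity(a, p):
    """Gauss's theorem applied recursively: multiplicativity in a, the rule for 2, and the flip
    (q/p) = (-1)^((p-1)/2 (q-1)/2) (p/q) for odd primes q dividing a."""
    a %= p
    if a == 0:
        return 0
    result = 1
    for q, k in trial_factor(a):
        if k % 2 == 0:
            continue                          # a square factor contributes +1
        if q == 2:
            result *= 1 if p % 8 in (1, 7) else -1
        else:
            sign = -1 if (p % 4 == 3 and q % 4 == 3) else 1
            result *= sign * legendre_reciprocity(p % q, q)
    return result


def quadratic_residues(p):
    """The squares in (Z/pZ)^*, by squaring every element (the brute-force check of Example 4.2.3)."""
    return sorted({x * x % p for x in range(1, p)})


if __name__ == "__main__":
    print(legendre_reciprocity(69, 389), legendre_euler(69, 389), legendre_gauss_lemma(69, 389))
    print(quadratic_residues(11), [a for a in range(1, 11) if legendre_euler(a, 11) == 1])
```

The recursion in `legendre_reciprocity` terminates because after each flip the "numerator" is reduced modulo the smaller prime $q$; in practice, as the text notes after Corollary 4.2.2, `legendre_euler` is the one to use when $a$ and $p$ are large, since it never factors anything.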

4.3.1 Euler's Proposition

For rational numbers $a, b \in \mathbb{Q}$, let
$(a, b) \cap \mathbb{Z} = \{x \in \mathbb{Z} : a < x < b\}$
be the set of integers between $a$ and $b$. The following lemma will help us to keep track of how many integers lie in certain intervals.

Lemma 4.3.2. Let $a, b \in \mathbb{Q}$. Then for any integer $n$,
$\#((a, b) \cap \mathbb{Z}) \equiv \#((a, b + 2n) \cap \mathbb{Z}) \pmod 2$
and
$\#((a, b) \cap \mathbb{Z}) \equiv \#((a - 2n, b) \cap \mathbb{Z}) \pmod 2,$
provided that each interval involved in the congruence is nonempty.

Note that if one of the intervals is empty, then the statement may be false; e.g., if $(a, b) = (-1/2, 1/2)$ and $n = -1$ then $\#((a, b) \cap \mathbb{Z}) = 1$ but $\#((a, b - 2) \cap \mathbb{Z}) = 0$.

Proof. Let $\lceil x \rceil$ denote the least integer $\geq x$. First suppose $n > 0$. Then
$(a, b + 2n) = (a, b) \cup [b, b + 2n),$
where the union is disjoint. There are $2n$ integers, $\lceil b \rceil, \lceil b \rceil + 1, \ldots, \lceil b \rceil + 2n - 1$, in the interval $[b, b + 2n)$, so the first congruence of the lemma is true in this case. We also have $(a, b - 2n) = (a, b)$ minus $[b - 2n, b)$, and $[b - 2n, b)$ contains exactly $2n$ integers, so the lemma is also true when $n$ is negative. The statement about $\#((a - 2n, b) \cap \mathbb{Z})$ is proved in a similar manner.

Once we have proved the following proposition, it will be easy to deduce the quadratic reciprocity law.

Proposition 4.3.3 (Euler). Let $p$ be an odd prime and let $a$ be a positive integer with $p \nmid a$. If $q$ is a prime with $q \equiv \pm p \pmod{4a}$, then $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right)$.

Proof. We will apply Lemma 4.3.1 to compute $\left(\frac{a}{p}\right)$. Let
$S = \left\{a, 2a, 3a, \ldots, \frac{p-1}{2}a\right\}$

and
$I = \left(\frac{p}{2}, p\right) \cup \left(\frac{3p}{2}, 2p\right) \cup \cdots \cup \left(\left(b - \frac{1}{2}\right)p, bp\right),$
where $b = \frac{1}{2}a$ or $\frac{1}{2}(a - 1)$, whichever is an integer. We check that every element of $S$ that reduces to something in the interval $(-\frac{p}{2}, 0)$ lies in $I$. This is clear if $b = \frac{1}{2}a$, since every element of $S$ is less than $\frac{1}{2}ap = bp$. If $b = \frac{1}{2}(a - 1)$, then $(b + \frac{1}{2})p = \frac{1}{2}ap > \frac{p-1}{2}a$, so $((b - \frac{1}{2})p, bp)$ is the last interval that could contain an element of $S$ that reduces to $(-\frac{p}{2}, 0)$. Note that the integer endpoints of $I$ are not in $S$, since those endpoints are divisible by $p$, but no element of $S$ is divisible by $p$. Thus, by Lemma 4.3.1,
$\left(\frac{a}{p}\right) = (-1)^{\#(S \cap I)}.$
To compute $\#(S \cap I)$, first rescale by $a$ to see that
$\#(S \cap I) = \#\left(\mathbb{Z} \cap \frac{1}{a} I\right),$
where
$\frac{1}{a} I = \left(\frac{p}{2a}, \frac{p}{a}\right) \cup \left(\frac{3p}{2a}, \frac{2p}{a}\right) \cup \cdots \cup \left(\frac{(2b-1)p}{2a}, \frac{bp}{a}\right).$
Write $p = 4ac + r$, and let
$J = \left(\frac{r}{2a}, \frac{r}{a}\right) \cup \left(\frac{3r}{2a}, \frac{2r}{a}\right) \cup \cdots \cup \left(\frac{(2b-1)r}{2a}, \frac{br}{a}\right).$
The only difference between $\frac{1}{a}I$ and $J$ is that the endpoints of intervals are changed by addition of an even integer. By Lemma 4.3.2,
$\nu = \#\left(\mathbb{Z} \cap \frac{1}{a} I\right) \equiv \#(\mathbb{Z} \cap J) \pmod 2.$
Thus $\left(\frac{a}{p}\right) = (-1)^\nu$ depends only on $r$, i.e., only on $p$ modulo $4a$. Thus if $q \equiv p \pmod{4a}$, then $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right)$.

If $q \equiv -p \pmod{4a}$, then the only change in the above computation is that $r$ is replaced by $4a - r$. This changes $\frac{1}{a}I$ into
$K = \left(2 - \frac{r}{2a}, 4 - \frac{r}{a}\right) \cup \left(6 - \frac{3r}{2a}, 8 - \frac{2r}{a}\right) \cup \cdots \cup \left(4b - 2 - \frac{(2b-1)r}{2a}, 4b - \frac{br}{a}\right).$

Thus $K$ is the same as $\frac{1}{a}I$, except even integers have been added to the endpoints. By Lemma 4.3.2,
$\#(K \cap \mathbb{Z}) \equiv \#\left(\left(\frac{1}{a} I\right) \cap \mathbb{Z}\right) \pmod 2,$
so $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right)$, which completes the proof.

The following more careful analysis in the special case when $a = 2$ helps illustrate the proof of the above lemma, and the result is frequently useful in computations. For an alternative proof of the proposition, see Exercise 4.5.

Proposition (Legendre symbol of 2). Let $p$ be an odd prime. Then
$\left(\frac{2}{p}\right) = \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod 8 \\ -1 & \text{if } p \equiv \pm 3 \pmod 8. \end{cases}$

Proof. When $a = 2$, the set $S = \{a, 2a, \ldots, \frac{p-1}{2}a\}$ is $\{2, 4, 6, \ldots, p - 1\}$. We must count the parity of the number of elements of $S$ that lie in the interval $I = (\frac{p}{2}, p)$. Writing $p = 8c + r$, we have
$\#(I \cap S) = \#\left(\frac{1}{2} I \cap \mathbb{Z}\right) = \#\left(\left(2c + \frac{r}{4}, 4c + \frac{r}{2}\right) \cap \mathbb{Z}\right) \equiv \#\left(\left(\frac{r}{4}, \frac{r}{2}\right) \cap \mathbb{Z}\right) \pmod 2,$
where the last equality comes from Lemma 4.3.2. The possibilities for $r$ are $1, 3, 5, 7$. When $r = 1$, the cardinality is 0, when $r = 3, 5$ it is 1, and when $r = 7$ it is 2.

4.3.2 Proof of Quadratic Reciprocity

It is now straightforward to deduce the quadratic reciprocity law.

First Proof of the Quadratic Reciprocity Law. First suppose that $p \equiv q \pmod 4$. By swapping $p$ and $q$ if necessary, we may assume that $p > q$, and write $p - q = 4a$. Since $p = 4a + q$,
$\left(\frac{p}{q}\right) = \left(\frac{4a + q}{q}\right) = \left(\frac{4a}{q}\right) = \left(\frac{4}{q}\right)\left(\frac{a}{q}\right) = \left(\frac{a}{q}\right),$
and
$\left(\frac{q}{p}\right) = \left(\frac{p - 4a}{p}\right) = \left(\frac{-4a}{p}\right) = \left(\frac{-1}{p}\right)\left(\frac{a}{p}\right).$

Proposition implies that $\left(\frac ap\right) = \left(\frac aq\right)$, since $p \equiv q \pmod{4a}$. Thus
$$\left(\frac pq\right)\left(\frac qp\right) = \left(\frac{-1}{p}\right) = (-1)^{\frac{p-1}{2}} = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}},$$
where the last equality is because $\frac{p-1}{2}$ is even if and only if $\frac{q-1}{2}$ is even.

Next suppose that $p \not\equiv q \pmod 4$, so $p \equiv -q \pmod 4$. Write $p + q = 4a$. We have
$$\left(\frac pq\right) = \left(\frac{4a-q}{q}\right) = \left(\frac aq\right), \quad\text{and}\quad \left(\frac qp\right) = \left(\frac{4a-p}{p}\right) = \left(\frac ap\right).$$
Since $p \equiv -q \pmod{4a}$, Proposition implies that $\left(\frac ap\right) = \left(\frac aq\right)$. Since $(-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}} = 1$, the proof is complete.

4.4 A Proof of Quadratic Reciprocity Using Gauss Sums

In this section we present a beautiful proof of Theorem using algebraic identities satisfied by sums of roots of unity. The objects we introduce in the proof are of independent interest, and provide a powerful tool to prove higher-degree analogues of quadratic reciprocity. (For more on higher reciprocity see [IR90]. See also Section 6 of [IR90] on which the proof below is modeled.)

Definition (Root of Unity). An $n$th root of unity is a complex number $\zeta$ such that $\zeta^n = 1$. A root of unity $\zeta$ is a primitive $n$th root of unity if $n$ is the smallest positive integer such that $\zeta^n = 1$.

For example, $-1$ is a primitive second root of unity, and $\zeta = $ is a primitive cube root of unity. More generally, for any $n \in \mathbb N$ the complex number
$$\zeta_n = \cos(2\pi/n) + i\sin(2\pi/n)$$
is a primitive $n$th root of unity (this follows from the identity $e^{i\theta} = \cos(\theta) + i\sin(\theta)$). For the rest of this section, we fix an odd prime $p$ and the primitive $p$th root $\zeta = \zeta_p$ of unity.

Definition (Gauss Sum). Fix an odd prime $p$. The Gauss sum associated to an integer $a$ is
$$g_a = \sum_{n=0}^{p-1} \left(\frac np\right)\zeta^{an},$$
where $\zeta = \zeta_p = \cos(2\pi/p) + i\sin(2\pi/p)$.

FIGURE 4.1. Gauss sum $g_2$ for $p = 5$: with $\zeta = e^{2\pi i/5}$, $g_2 = \left(\frac05\right) + \left(\frac15\right)\zeta^2 + \left(\frac25\right)\zeta^4 + \left(\frac35\right)\zeta + \left(\frac45\right)\zeta^3 = \sqrt5$ (the points $\zeta, \zeta^2, \zeta^3, \zeta^4$ on the unit circle carry the signs $-1, +1, -1, +1$).

Note that $p$ is implicit in the definition of $g_a$. If we were to change $p$, then the Gauss sum $g_a$ associated to $a$ would be different. The definition of $g_a$ also depends on our choice of $\zeta$; we've chosen $\zeta = \zeta_p$, but could have chosen a different $\zeta$ and then $g_a$ could be different.

Figure 4.1 illustrates the Gauss sum $g_2$ for $p = 5$. The Gauss sum is obtained by adding the points on the unit circle, with signs as indicated, to obtain the real number $\sqrt5$. This suggests the following proposition, whose proof will require some work.

Proposition 4.4.3 (Gauss sum). For any $a$ not divisible by $p$,
$$g_a^2 = (-1)^{(p-1)/2}\,p.$$

In order to prove the proposition, we introduce a few lemmas.

Lemma 4.4.4. For any integer $a$,
$$\sum_{n=0}^{p-1}\zeta^{an} = \begin{cases} p & \text{if } a \equiv 0 \pmod p, \\ 0 & \text{otherwise.} \end{cases}$$

Proof. If $a \equiv 0 \pmod p$, then $\zeta^a = 1$, so the sum equals the number of summands, which is $p$. If $a \not\equiv 0 \pmod p$, then we use the identity
$$x^p - 1 = (x-1)(x^{p-1} + \cdots + x + 1)$$
with $x = \zeta^a$. We have $\zeta^a \ne 1$, so $\zeta^a - 1 \ne 0$ and
$$\sum_{n=0}^{p-1}\zeta^{an} = \frac{\zeta^{ap} - 1}{\zeta^a - 1} = \frac{1 - 1}{\zeta^a - 1} = 0.$$

Lemma 4.4.5. If $x$ and $y$ are arbitrary integers, then
$$\sum_{n=0}^{p-1}\zeta^{(x-y)n} = \begin{cases} p & \text{if } x \equiv y \pmod p, \\ 0 & \text{otherwise.} \end{cases}$$

Proof. This follows from Lemma 4.4.4 by setting $a = x - y$.

Lemma 4.4.6. We have $g_0 = 0$.

Proof. By definition
$$g_0 = \sum_{n=0}^{p-1}\left(\frac np\right). \tag{4.4.1}$$
By Lemma 4.1.3, the map $\left(\frac{\cdot}{p}\right) : (\mathbb Z/p\mathbb Z)^* \to \{\pm1\}$ is a surjective homomorphism of groups. Thus half the elements of $(\mathbb Z/p\mathbb Z)^*$ map to $+1$ and half map to $-1$ (the subgroup that maps to $+1$ has index $2$). Since $\left(\frac 0p\right) = 0$, the sum (4.4.1) is $0$.

Lemma 4.4.7. For any integer $a$,
$$g_a = \left(\frac ap\right) g_1.$$

Proof. When $a \equiv 0 \pmod p$ the lemma follows from Lemma 4.4.6, so suppose that $a \not\equiv 0 \pmod p$. Then
$$\left(\frac ap\right) g_a = \left(\frac ap\right)\sum_{n=0}^{p-1}\left(\frac np\right)\zeta^{an} = \sum_{n=0}^{p-1}\left(\frac{an}{p}\right)\zeta^{an} = \sum_{m=0}^{p-1}\left(\frac mp\right)\zeta^{m} = g_1.$$
Here we use that multiplication by $a$ is an automorphism of $\mathbb Z/p\mathbb Z$. Finally, multiply both sides by $\left(\frac ap\right)$ and use that $\left(\frac ap\right)^2 = 1$.

We have enough lemmas to prove Proposition 4.4.3.

Proof of Proposition 4.4.3. We evaluate the sum $\sum_{a=0}^{p-1} g_a g_{-a}$ in two different ways. By Lemma 4.4.7, since $a \not\equiv 0 \pmod p$ we have
$$g_a g_{-a} = \left(\frac ap\right)\left(\frac{-a}{p}\right) g_1 g_1 = \left(\frac{-1}{p}\right)\left(\frac ap\right)^2 g_1^2 = (-1)^{(p-1)/2} g_1^2,$$
where the last step follows from Proposition and that $\left(\frac ap\right) \in \{\pm1\}$. Thus
$$\sum_{a=0}^{p-1} g_a g_{-a} = (p-1)(-1)^{(p-1)/2} g_1^2. \tag{4.4.2}$$

On the other hand, by definition
$$g_a g_{-a} = \left(\sum_{n=0}^{p-1}\left(\frac np\right)\zeta^{an}\right)\left(\sum_{m=0}^{p-1}\left(\frac mp\right)\zeta^{-am}\right) = \sum_{n=0}^{p-1}\sum_{m=0}^{p-1}\left(\frac np\right)\left(\frac mp\right)\zeta^{an}\zeta^{-am} = \sum_{n=0}^{p-1}\sum_{m=0}^{p-1}\left(\frac np\right)\left(\frac mp\right)\zeta^{an-am}.$$
Let $\delta(n, m) = 1$ if $n \equiv m \pmod p$ and $0$ otherwise. By Lemma 4.4.5,
$$\sum_{a=0}^{p-1} g_a g_{-a} = \sum_{a=0}^{p-1}\sum_{n=0}^{p-1}\sum_{m=0}^{p-1}\left(\frac np\right)\left(\frac mp\right)\zeta^{an-am} = \sum_{n=0}^{p-1}\sum_{m=0}^{p-1}\left(\frac np\right)\left(\frac mp\right)\sum_{a=0}^{p-1}\zeta^{an-am} = \sum_{n=0}^{p-1}\sum_{m=0}^{p-1}\left(\frac np\right)\left(\frac mp\right) p\,\delta(n, m) = p\sum_{n=0}^{p-1}\left(\frac np\right)^2 = p(p-1).$$
Equate (4.4.2) and the above equality, then cancel $(p-1)$ to see that
$$g_1^2 = (-1)^{(p-1)/2}\,p.$$
Since $a \not\equiv 0 \pmod p$, we have $\left(\frac ap\right)^2 = 1$, so by Lemma 4.4.7,
$$g_a^2 = \left(\frac ap\right)^2 g_1^2 = g_1^2,$$
and the proposition is proved.

Proof of Quadratic Reciprocity

We are now ready to prove Theorem using Gauss sums.

Proof. Let $q$ be an odd prime with $q \ne p$. Set $p^* = (-1)^{(p-1)/2} p$ and recall that Proposition 4.4.3 asserts that $p^* = g^2$, where
$$g = g_1 = \sum_{n=0}^{p-1}\left(\frac np\right)\zeta^n.$$

Proposition implies that
$$\left(\frac{p^*}{q}\right) \equiv (p^*)^{(q-1)/2} \pmod q.$$
We have $g^{q-1} = (g^2)^{(q-1)/2} = (p^*)^{(q-1)/2}$, so multiplying both sides of the displayed equation by $g$ yields a congruence
$$g^q \equiv \left(\frac{p^*}{q}\right) g \pmod q. \tag{4.4.3}$$
But wait, what does this congruence mean, given that $g^q$ is not an integer? It means that the difference $g^q - \left(\frac{p^*}{q}\right) g$ lies in the ideal $(q)$ in the ring $\mathbb Z[\zeta]$ of all polynomials in $\zeta$ with coefficients in $\mathbb Z$.

The ring $\mathbb Z[\zeta]/(q)$ has characteristic $q$, so if $x, y \in \mathbb Z[\zeta]$, then $(x+y)^q \equiv x^q + y^q \pmod q$. Applying this to (4.4.3), we see that
$$g^q = \left(\sum_{n=0}^{p-1}\left(\frac np\right)\zeta^n\right)^q \equiv \sum_{n=0}^{p-1}\left(\frac np\right)^q\zeta^{nq} \equiv \sum_{n=0}^{p-1}\left(\frac np\right)\zeta^{nq} \equiv g_q \pmod q.$$
By Lemma 4.4.7,
$$g_q \equiv \left(\frac qp\right) g \pmod q.$$
Combining this with (4.4.3) yields
$$\left(\frac qp\right) g \equiv \left(\frac{p^*}{q}\right) g \pmod q.$$
Since $g^2 = p^*$ and $p \ne q$, we can cancel $g$ from both sides to find that $\left(\frac qp\right) \equiv \left(\frac{p^*}{q}\right) \pmod q$. Since both residue symbols are $\pm1$ and $q$ is odd, it follows that $\left(\frac qp\right) = \left(\frac{p^*}{q}\right)$. Finally, we note using Proposition that
$$\left(\frac{p^*}{q}\right) = \left(\frac{(-1)^{(p-1)/2} p}{q}\right) = \left(\frac{-1}{q}\right)^{(p-1)/2}\left(\frac pq\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}\left(\frac pq\right).$$

4.5 Finding Square Roots

[[something about schoof polynomial time algo!!!]]

We return in this section to the question of computing square roots. If $K$ is a field in which

$2 \ne 0$, and $a, b, c \in K$, with $a \ne 0$, then the solutions to the quadratic equation $ax^2 + bx + c = 0$ are
$$x = \frac{-b \pm \sqrt{b^2 - 4ac}}{2a}.$$
Now assume $K = \mathbb Z/p\mathbb Z$, with $p$ an odd prime. Using Theorem 4.1.5, we can decide whether or not $b^2 - 4ac$ is a perfect square in $\mathbb Z/p\mathbb Z$, and hence whether or not $ax^2 + bx + c = 0$ has a solution in $\mathbb Z/p\mathbb Z$. However Theorem says nothing about how to actually find a solution when there is one. Also, note that for this problem we do not need the full quadratic reciprocity law; in practice to decide whether an element of $\mathbb Z/p\mathbb Z$ is a perfect square Proposition is quite fast, in view of Section 2.3.

Suppose $a \in \mathbb Z/p\mathbb Z$ is a nonzero quadratic residue. If $p \equiv 3 \pmod 4$ then $b = a^{\frac{p+1}{4}}$ is a square root of $a$ because
$$b^2 = a^{\frac{p+1}{2}} = a^{\frac{p-1}{2} + 1} = a^{\frac{p-1}{2}}\cdot a = \left(\frac ap\right)\cdot a = a.$$
We can compute $b$ in time polynomial in the number of digits of $p$ using the powering algorithm of Section 2.3.

We do not know a deterministic polynomial-time algorithm to compute a square root of $a$ when $p \equiv 1 \pmod 4$. The following is a standard probabilistic algorithm to compute a square root of $a$, which works well in practice. Consider the quotient ring $R = (\mathbb Z/p\mathbb Z)[x]/(x^2 - a)$, by which we mean the following. We have
$$R = \{u + v\alpha : u, v \in \mathbb Z/p\mathbb Z\}$$
with multiplication defined by
$$(u + v\alpha)(z + w\alpha) = (uz + awv) + (uw + vz)\alpha.$$
Here $\alpha$ corresponds to the class of $x$ in the quotient ring. Let $b$ and $c$ be the square roots of $a$ in $\mathbb Z/p\mathbb Z$ (though we cannot easily compute $b$ and $c$ yet, we can consider them in order to deduce an algorithm to find them). We have ring homomorphisms $f : R \to \mathbb Z/p\mathbb Z$ and $g : R \to \mathbb Z/p\mathbb Z$ given by $f(u + v\alpha) = u + vb$ and $g(u + v\alpha) = u + vc$. Together these define a ring isomorphism
$$\varphi : R \to \mathbb Z/p\mathbb Z \times \mathbb Z/p\mathbb Z$$
given by $\varphi(u + v\alpha) = (u + vb,\, u + vc)$. Choose in some way a random element $z$ of $(\mathbb Z/p\mathbb Z)^*$, and define $u, v \in \mathbb Z/p\mathbb Z$ by
$$u + v\alpha = (1 + z\alpha)^{\frac{p-1}{2}},$$

where we compute $(1 + z\alpha)^{\frac{p-1}{2}}$ quickly using an analogue of the binary powering algorithm of Section 2.3. If $v = 0$ we try again with another random $z$. If $v \ne 0$ we can quickly find the desired square roots $b$ and $c$ as follows. The quantity $u + vb$ is a $(p-1)/2$ power in $\mathbb Z/p\mathbb Z$, so it equals either $0$, $1$, or $-1$, so $b = -u/v$, $(1-u)/v$, or $(-1-u)/v$, respectively. Since we know $u$ and $v$ we can try each of $-u/v$, $(1-u)/v$, and $(-1-u)/v$ and see which is a square root of $a$. We implement this algorithm in Section 7.4.

Example. Continuing Example 4.1.6, we find a square root of $69$ modulo $389$. We apply the algorithm described above in the case $p \equiv 1 \pmod 4$. We first choose the random $z = 24$ and find that $(1 + 24\alpha)^{194} = -1$. The coefficient of $\alpha$ in the power is $0$, and we try again with $z = 51$. This time we have $(1 + 51\alpha)^{194} = 239\alpha = u + v\alpha$. The inverse of $239$ in $\mathbb Z/389\mathbb Z$ is $153$, so we consider the following three possibilities for a square root of $69$:
$$-\frac uv = 0, \qquad \frac{1-u}{v} = 153, \qquad \frac{-1-u}{v} = -153.$$
Thus $153$ and $-153$ are the square roots of $69$ in $\mathbb Z/389\mathbb Z$.

4.6 Exercises

4.1 Calculate the following by hand: $(3/97)$, $(\ \ )$, $(\ \ )$, and $(5!/7)$.

4.2 Use Theorem to show that for $p \ge 5$ prime,
$$\left(\frac 3p\right) = \begin{cases} 1 & \text{if } p \equiv 1, 11 \pmod{12}, \\ -1 & \text{if } p \equiv 5, 7 \pmod{12}. \end{cases}$$

4.3 (*) Use that $(\mathbb Z/p\mathbb Z)^*$ is cyclic to give a direct proof that $\left(\frac{-3}{p}\right) = 1$ when $p \equiv 1 \pmod 3$. (Hint: There is an $c \in (\mathbb Z/p\mathbb Z)^*$ of order $3$. Show that $(2c + 1)^2 = -3$.)

4.4 (*) If $p \equiv 1 \pmod 5$, show directly that $\left(\frac 5p\right) = 1$ by the method of Exercise 4.3. (Hint: Let $c \in (\mathbb Z/p\mathbb Z)^*$ be an element of order $5$. Show that $(c + c^4)^2 + (c + c^4) - 1 = 0$, etc.)

4.5 (*) Let $p$ be an odd prime. In this exercise you will prove that $\left(\frac 2p\right) = 1$ if and only if $p \equiv \pm1 \pmod 8$.

(a) Prove that
$$x = \frac{1 - t^2}{1 + t^2}, \qquad y = \frac{2t}{1 + t^2}$$

is a parameterization of the set of solutions to $x^2 + y^2 \equiv 1 \pmod p$, in the sense that the solutions $(x, y) \in \mathbb Z/p\mathbb Z$ are in bijection with the $t \in \mathbb Z/p\mathbb Z \cup \{\infty\}$ such that $1 + t^2 \not\equiv 0 \pmod p$. Here $t = \infty$ corresponds to the point $(-1, 0)$. (Hint: if $(x_1, y_1)$ is a solution, consider the line $y = t(x + 1)$ through $(x_1, y_1)$ and $(-1, 0)$, and solve for $x_1, y_1$ in terms of $t$.)

(b) Prove that the number of solutions to $x^2 + y^2 \equiv 1 \pmod p$ is $p + 1$ if $p \equiv 3 \pmod 4$ and $p - 1$ if $p \equiv 1 \pmod 4$.

(c) Consider the set $S$ of pairs $(a, b) \in (\mathbb Z/p\mathbb Z)^* \times (\mathbb Z/p\mathbb Z)^*$ such that $a + b = 1$ and $\left(\frac ap\right) = \left(\frac bp\right) = 1$. Prove that $\#S = (p + 1 - 4)/4$ if $p \equiv 3 \pmod 4$ and $\#S = (p - 1 - 4)/4$ if $p \equiv 1 \pmod 4$. Conclude that $\#S$ is odd if and only if $p \equiv \pm1 \pmod 8$.

(d) The map $\sigma(a, b) = (b, a)$ that swaps coordinates is a bijection of the set $S$. It has exactly one fixed point if and only if there is an $a \in \mathbb Z/p\mathbb Z$ such that $2a = 1$ and $\left(\frac ap\right) = 1$. Also, prove that $2a = 1$ has a solution $a \in \mathbb Z/p\mathbb Z$ with $\left(\frac ap\right) = 1$ if and only if $\left(\frac 2p\right) = 1$.

(e) Finish by showing that $\sigma$ has exactly one fixed point if and only if $\#S$ is odd, i.e., if and only if $p \equiv \pm1 \pmod 8$.

Remark: The method of proof of this exercise can be generalized to give a proof of the full quadratic reciprocity law.

4.6 How many natural numbers $x < 2^{13}$ satisfy the equation $x^2 \equiv 5 \pmod{\ \ }$? You may assume that $\ \ $ is prime.

4.7 Find the natural number $x < 97$ such that $x \equiv 4^{48} \pmod{97}$. Note that $97$ is prime.

4.8 In this problem we will formulate an analogue of quadratic reciprocity for a symbol like $\left(\frac aq\right)$, but without the restriction that $q$ be a prime. Suppose $n$ is a positive integer, which we factor as $\prod_{i=1}^k p_i^{e_i}$. We define the Jacobi symbol $\left(\frac an\right)$ as follows:
$$\left(\frac an\right) = \prod_{i=1}^k \left(\frac{a}{p_i}\right)^{e_i}.$$

(a) Give an example to show that $\left(\frac an\right) = 1$ need not imply that $a$ is a perfect square modulo $n$.

(b) (*) Let $n$ be odd and $a$ and $b$ be integers. Prove that the following holds:

i. $\left(\frac an\right)\left(\frac bn\right) = \left(\frac{ab}{n}\right)$. (Thus $a \mapsto \left(\frac an\right)$ induces a homomorphism from $(\mathbb Z/n\mathbb Z)^*$ to $\{\pm1\}$.)

ii. $\left(\frac{-1}{n}\right) \equiv n \pmod 4$.

iii. $\left(\frac 2n\right) = 1$ if $n \equiv \pm1 \pmod 8$ and $-1$ otherwise.

iv. $\left(\frac an\right) = (-1)^{\frac{a-1}{2}\cdot\frac{n-1}{2}}\left(\frac na\right)$.

4.9 (*) Prove that for any $n \in \mathbb Z$ the integer $n^2 + n + 1$ does not have any divisors of the form $6k - 1$.
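The square-root algorithm of Section 4.5, as an added example (not the book's Section 7.4 implementation): the $p \equiv 3 \pmod 4$ shortcut $a^{(p+1)/4}$, and for $p \equiv 1 \pmod 4$ binary powering in $R = (\mathbb Z/p\mathbb Z)[x]/(x^2 - a)$ with the three candidates $-u/v$, $(1-u)/v$, $(-1-u)/v$. The candidate list of $z$ values is passed in explicitly so the run is reproducible; a real implementation would draw $z$ at random.

```python
# Square roots modulo an odd prime p, following Section 4.5.
# Added example, not the book's own code. Elements of R = {u + v*alpha},
# alpha^2 = a, are represented as pairs (u, v) of integers mod p.


def mul_R(x, y, a, p):
    """(u + v*alpha)(z + w*alpha) = (uz + a*w*v) + (uw + vz)*alpha in R."""
    u, v = x
    z, w = y
    return ((u * z + a * w * v) % p, (u * w + v * z) % p)


def pow_R(base, e, a, p):
    """Binary powering in R, the analogue of the Section 2.3 algorithm."""
    result = (1, 0)
    while e > 0:
        if e & 1:
            result = mul_R(result, base, a, p)
        base = mul_R(base, base, a, p)
        e >>= 1
    return result


def sqrt_mod_p(a, p, z_choices):
    """Return one square root of a modulo p, or None if a is a nonresidue
    (or every z in z_choices was unlucky, i.e. gave v = 0)."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:   # Euler's criterion: no square root
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)  # b^2 = a^((p-1)/2) * a = a
    for z in z_choices:
        u, v = pow_R((1, z % p), (p - 1) // 2, a, p)
        if v == 0:
            continue                     # try again with another z
        v_inv = pow(v, p - 2, p)         # inverse of v by Fermat
        for cand in (-u * v_inv, (1 - u) * v_inv, (-1 - u) * v_inv):
            cand %= p
            if (cand * cand) % p == a:
                return cand
    return None


if __name__ == "__main__":
    # The worked example: z = 24 gives v = 0, z = 51 gives 239*alpha,
    # and 239^(-1) = 153 is a square root of 69 modulo 389.
    print(pow_R((1, 24), 194, 69, 389), pow_R((1, 51), 194, 69, 389))
    print(sqrt_mod_p(69, 389, [24, 51]))
```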

5 Continued Fractions

A continued fraction is an expression of the form
$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}}.$$
In this book we will assume that the $a_i$ are real numbers and $a_i > 0$ for $i \ge 1$, and the expression may or may not go on indefinitely. More general notions of continued fractions have been extensively studied, but they are beyond the scope of this book. We will be most interested in the case when the $a_i$ are all integers. We denote the continued fraction displayed above by $[a_0, a_1, a_2, \ldots]$. For example,
$$[1, 2] = 1 + \frac12 = \frac32,$$
$$[3, 7, 15, 1, 292] = 3 + \cfrac{1}{7 + \cfrac{1}{15 + \cfrac{1}{1 + \cfrac{1}{292}}}} = \frac{103993}{33102} = 3.14159265301\ldots,$$

and
$$[2, 1, 2, 1, 1, 4, 1, 1, 6] = 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{1 + \cfrac{1}{4 + \cfrac{1}{1 + \cfrac{1}{1 + \cfrac{1}{6}}}}}}}} = \frac{1264}{465} = 2.71827956\ldots$$
The second two examples were chosen to foreshadow that continued fractions can be used to obtain good rational approximations to irrational numbers. Note that the first approximates $\pi$ and the second $e$.

Continued fractions have many applications. For example, they provide an algorithmic way to recognize a decimal approximation to a rational number. Continued fractions also suggest a sense in which $e$ might be less complicated than $\pi$ (see Example and Section 5.3).

In Section 5.1 we study continued fractions $[a_0, a_1, \ldots, a_n]$ of finite length and lay the foundations for our later investigations. In Section 5.2 we give the continued fraction procedure, which associates to a real number $x$ a sequence $a_0, a_1, \ldots$ of integers such that $x = \lim_{n\to\infty}[a_0, a_1, \ldots, a_n]$. We also prove that if $a_0, a_1, \ldots$ is any infinite sequence of positive integers, then the sequence $c_n = [a_0, a_1, \ldots, a_n]$ converges; more generally, we prove that if the $a_n$ are arbitrary positive real numbers and $\sum_{n=0}^\infty a_n$ diverges then $(c_n)$ converges. In Section 5.4, we prove that a continued fraction with $a_i \in \mathbb N$ is (eventually) periodic if and only if its value is a non-rational root of a quadratic polynomial, then discuss open questions concerning continued fractions of roots of irreducible polynomials of degree greater than $2$. We conclude the chapter with applications of continued fractions to recognizing approximations to rational numbers (Section 5.5) and writing integers as sums of two squares (Section 5.6).

The reader is encouraged to read more about continued fractions in [HW79, Ch. X], [Khi63], [Bur89, §13.3], and [NZM91, Ch. 7].

5.1 Finite Continued Fractions

This section is about continued fractions of the form $[a_0, a_1, \ldots, a_m]$ for some $m \ge 0$. We give an inductive definition of numbers $p_n$ and $q_n$ such

that for all $n \le m$
$$[a_0, a_1, \ldots, a_n] = \frac{p_n}{q_n}. \tag{5.1.1}$$
We then give related formulas for the determinants of the $2 \times 2$ matrices
$$\begin{pmatrix} p_n & p_{n-1} \\ q_n & q_{n-1} \end{pmatrix} \quad\text{and}\quad \begin{pmatrix} p_n & p_{n-2} \\ q_n & q_{n-2} \end{pmatrix},$$
which we will repeatedly use to deduce properties of the sequence of partial convergents $[a_0, \ldots, a_k]$. We will use Algorithm to prove that every rational number is represented by a continued fraction, as in (5.1.1).

Definition (Finite Continued Fraction). A finite continued fraction is an expression
$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\ddots + \cfrac{1}{a_n}}}},$$
where each $a_m$ is a real number and $a_m > 0$ for all $m \ge 1$.

Definition (Simple Continued Fraction). A simple continued fraction is a finite or infinite continued fraction in which the $a_i$ are all integers.

To get a feeling for continued fractions, observe that
$$[a_0] = a_0, \qquad [a_0, a_1] = a_0 + \frac{1}{a_1} = \frac{a_0 a_1 + 1}{a_1},$$
$$[a_0, a_1, a_2] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2}} = \frac{a_0 a_1 a_2 + a_0 + a_2}{a_1 a_2 + 1}.$$
Also,
$$[a_0, a_1, \ldots, a_{n-1}, a_n] = \left[a_0, a_1, \ldots, a_{n-2}, a_{n-1} + \frac{1}{a_n}\right] = a_0 + \frac{1}{[a_1, \ldots, a_n]} = [a_0, [a_1, \ldots, a_n]].$$

Partial Convergents

Fix a finite continued fraction $[a_0, \ldots, a_m]$. We do not assume at this point that the $a_i$ are integers.

Definition (Partial convergents). For $0 \le n \le m$, the $n$th convergent of the continued fraction $[a_0, \ldots, a_m]$ is $[a_0, \ldots, a_n]$. These convergents for $n < m$ are also called partial convergents.

For each $n$ with $-2 \le n \le m$, define real numbers $p_n$ and $q_n$ as follows:
$$p_{-2} = 0, \quad p_{-1} = 1, \quad p_0 = a_0, \quad p_n = a_n p_{n-1} + p_{n-2},$$
$$q_{-2} = 1, \quad q_{-1} = 0, \quad q_0 = 1, \quad q_n = a_n q_{n-1} + q_{n-2}.$$

Proposition (Partial Convergents). For $n \ge 0$ we have
$$[a_0, \ldots, a_n] = \frac{p_n}{q_n}.$$

Proof. We use induction. The assertion is obvious when $n = 0, 1$. Suppose the proposition is true for all continued fractions of length $n - 1$. Then
$$[a_0, \ldots, a_n] = \left[a_0, \ldots, a_{n-2}, a_{n-1} + \frac{1}{a_n}\right] = \frac{\left(a_{n-1} + \frac{1}{a_n}\right)p_{n-2} + p_{n-3}}{\left(a_{n-1} + \frac{1}{a_n}\right)q_{n-2} + q_{n-3}} = \frac{(a_{n-1}a_n + 1)p_{n-2} + a_n p_{n-3}}{(a_{n-1}a_n + 1)q_{n-2} + a_n q_{n-3}} = \frac{a_n(a_{n-1}p_{n-2} + p_{n-3}) + p_{n-2}}{a_n(a_{n-1}q_{n-2} + q_{n-3}) + q_{n-2}} = \frac{a_n p_{n-1} + p_{n-2}}{a_n q_{n-1} + q_{n-2}} = \frac{p_n}{q_n}.$$

Proposition 5.1.5. For $n \ge 0$ we have
$$p_n q_{n-1} - q_n p_{n-1} = (-1)^{n-1} \tag{5.1.2}$$
and
$$p_n q_{n-2} - q_n p_{n-2} = (-1)^n a_n. \tag{5.1.3}$$
Equivalently,
$$\frac{p_n}{q_n} - \frac{p_{n-1}}{q_{n-1}} = (-1)^{n-1}\frac{1}{q_n q_{n-1}} \quad\text{and}\quad \frac{p_n}{q_n} - \frac{p_{n-2}}{q_{n-2}} = (-1)^n \frac{a_n}{q_n q_{n-2}}.$$

Proof. The case for $n = 0$ is obvious from the definitions. Now suppose $n > 0$ and the statement is true for $n - 1$. Then
$$p_n q_{n-1} - q_n p_{n-1} = (a_n p_{n-1} + p_{n-2})q_{n-1} - (a_n q_{n-1} + q_{n-2})p_{n-1} = p_{n-2}q_{n-1} - q_{n-2}p_{n-1} = -(p_{n-1}q_{n-2} - p_{n-2}q_{n-1}) = -(-1)^{n-2} = (-1)^{n-1}.$$

This completes the proof of (5.1.2). For (5.1.3), we have
$$p_n q_{n-2} - p_{n-2} q_n = (a_n p_{n-1} + p_{n-2})q_{n-2} - p_{n-2}(a_n q_{n-1} + q_{n-2}) = a_n(p_{n-1}q_{n-2} - p_{n-2}q_{n-1}) = (-1)^n a_n.$$

Remark. Expressed in terms of matrices, the proposition asserts that the determinant of $\begin{pmatrix} p_n & p_{n-1} \\ q_n & q_{n-1} \end{pmatrix}$ is $(-1)^{n-1}$, and of $\begin{pmatrix} p_n & p_{n-2} \\ q_n & q_{n-2} \end{pmatrix}$ is $(-1)^n a_n$.

Corollary (Convergents in lowest terms). If $[a_0, a_1, \ldots, a_m]$ is a simple continued fraction, so each $a_i$ is an integer, then the $p_n$ and $q_n$ are integers and the fraction $p_n/q_n$ is in lowest terms.

Proof. It is clear that the $p_n$ and $q_n$ are integers, from the formula that defines them. If $d$ is a positive divisor of both $p_n$ and $q_n$, then $d \mid (-1)^{n-1}$, so $d = 1$.

The Sequence of Partial Convergents

Let $[a_0, \ldots, a_m]$ be a continued fraction and for $n \le m$ let
$$c_n = [a_0, \ldots, a_n] = \frac{p_n}{q_n}$$
denote the $n$th convergent. Recall that by definition of continued fraction, $a_n > 0$ for $n > 0$, which gives the partial convergents of a continued fraction additional structure. For example, the partial convergents of $[2, 1, 2, 1, 1, 4, 1, 1, 6]$ are
$$2,\ 3,\ 8/3,\ 11/4,\ 19/7,\ 87/32,\ 106/39,\ 193/71,\ 1264/465.$$
To make the size of these numbers clearer, we approximate them using decimals. We also underline every other number, to illustrate some extra structure.
$$\underline{2},\ 3,\ \underline{2.66667},\ 2.75,\ \underline{2.71429},\ 2.71875,\ \underline{2.71795},\ 2.71831,\ \underline{2.71828}.$$
The underlined numbers are smaller than all of the non-underlined numbers, and the sequence of underlined numbers is strictly increasing, whereas the non-underlined numbers strictly decrease. We next prove that this extra structure is a general phenomenon.

Proposition (How convergents converge). The even indexed convergents $c_{2n}$ increase strictly with $n$, and the odd indexed convergents $c_{2n+1}$ decrease strictly with $n$. Also, the odd indexed convergents $c_{2n+1}$ are greater than all of the even indexed convergents $c_{2m}$.

Proof. The $a_n$ are positive for $n \ge 1$, so the $q_n$ are positive. By Proposition 5.1.5, for $n \ge 2$,
$$c_n - c_{n-2} = (-1)^n \frac{a_n}{q_n q_{n-2}},$$
which proves the first claim.

Suppose for the sake of contradiction that there exist integers $r, m$ such that $c_{2m+1} < c_{2r}$. Proposition 5.1.5 implies that for $n \ge 1$,
$$c_n - c_{n-1} = (-1)^{n-1}\frac{1}{q_n q_{n-1}}$$
has sign $(-1)^{n-1}$, so for all $s \ge 0$ we have $c_{2s+1} > c_{2s}$. Thus it is impossible that $r = m$. If $r < m$, then by what we proved in the first paragraph, $c_{2m+1} < c_{2r} < c_{2m}$, a contradiction (with $s = m$). If $r > m$, then $c_{2r+1} < c_{2m+1} < c_{2r}$, which is also a contradiction (with $s = r$).

Every Rational Number is Represented

Proposition (Rational continued fractions). Every nonzero rational number can be represented by a simple continued fraction.

Proof. Without loss of generality we may assume that the rational number is $a/b$, with $b \ge 1$ and $\gcd(a, b) = 1$. Algorithm gives:
$$a = b\cdot a_0 + r_1, \qquad 0 < r_1 < b$$
$$b = r_1\cdot a_1 + r_2, \qquad 0 < r_2 < r_1$$
$$\vdots$$
$$r_{n-2} = r_{n-1}\cdot a_{n-1} + r_n, \qquad 0 < r_n < r_{n-1}$$
$$r_{n-1} = r_n\cdot a_n.$$
Note that $a_i > 0$ for $i > 0$ (also $r_n = 1$ since $\gcd(a, b) = 1$). Rewrite the equations as follows:
$$a/b = a_0 + r_1/b = a_0 + 1/(b/r_1),$$
$$b/r_1 = a_1 + r_2/r_1 = a_1 + 1/(r_1/r_2),$$
$$r_1/r_2 = a_2 + r_3/r_2 = a_2 + 1/(r_2/r_3),$$
$$\vdots$$
$$r_{n-1}/r_n = a_n.$$
It follows that
$$\frac ab = [a_0, a_1, \ldots, a_n].$$

The proof of Proposition leads to an algorithm for computing the continued fraction of a rational number. See Section 7.5 for an implementation.

A nonzero rational number can be represented in exactly two ways; for example, $2 = [1, 1] = [2]$ (see Exercise 5.2).

5.2 Infinite Continued Fractions

This section begins with the continued fraction procedure, which associates to a real number $x$ a sequence $a_0, a_1, \ldots$ of integers. After giving several examples, we prove that $x = \lim_{n\to\infty}[a_0, a_1, \ldots, a_n]$ by proving that the odd and even partial convergents become arbitrarily close to each other. We also show that if $a_0, a_1, \ldots$ is any infinite sequence of positive integers, then the sequence of $c_n = [a_0, a_1, \ldots, a_n]$ converges, and, more generally, if $a_n$ is an arbitrary sequence of positive reals such that $\sum_{n=0}^\infty a_n$ diverges then $(c_n)$ converges.

The Continued Fraction Procedure

Let $x \in \mathbb R$ and write
$$x = a_0 + t_0$$
with $a_0 \in \mathbb Z$ and $0 \le t_0 < 1$. We call the number $a_0$ the floor of $x$, and we also sometimes write $a_0 = \lfloor x\rfloor$. If $t_0 \ne 0$, write
$$\frac{1}{t_0} = a_1 + t_1$$
with $a_1 \in \mathbb N$ and $0 \le t_1 < 1$. Thus $t_0 = \frac{1}{a_1 + t_1} = [0, a_1 + t_1]$, which is a (non-simple) continued fraction expansion of $t_0$. Continue in this manner so long as $t_n \ne 0$ writing
$$\frac{1}{t_n} = a_{n+1} + t_{n+1}$$
with $a_{n+1} \in \mathbb N$ and $0 \le t_{n+1} < 1$. We call this procedure, which associates to a real number $x$ the sequence of integers $a_0, a_1, a_2, \ldots$, the continued fraction process. We implement it on a computer in Section 7.5.

Example. Let $x = \frac83$. Then $x = 2 + \frac23$, so $a_0 = 2$ and $t_0 = \frac23$. Then $\frac{1}{t_0} = \frac32 = 1 + \frac12$, so $a_1 = 1$ and $t_1 = \frac12$. Then $\frac{1}{t_1} = 2$, so $a_2 = 2$, $t_2 = 0$, and the sequence terminates. Notice that
$$\frac83 = [2, 1, 2],$$
so the continued fraction procedure produces the continued fraction of $\frac83$.
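The continued fraction procedure just described, together with the convergents $p_n/q_n$ of Section 5.1.1 and the determinant identity (5.1.2), as an added example (not the book's Section 7.5 implementation). It uses Python's exact `Fraction` type, so on a rational input the procedure terminates exactly as in the proof above; for $e$ and $\pi$ it is run on the double-precision value, which agrees with the true number far more closely than the first few partial quotients require. Function names are this example's own.

```python
from fractions import Fraction
from math import e, pi

# Continued fractions with exact rational arithmetic. Added example, not
# code from the book.


def continued_fraction(x: Fraction, max_terms: int = 50) -> list:
    """Partial quotients a_0, a_1, ... of x: x = a_0 + t_0, 1/t_0 = a_1 + t_1,
    ... stopping when some t_n = 0 (rational x) or after max_terms."""
    x = Fraction(x)
    terms = []
    while len(terms) < max_terms:
        a = x.numerator // x.denominator     # floor(x), correct for x < 0 too
        terms.append(a)
        t = x - a                            # 0 <= t < 1
        if t == 0:
            break
        x = 1 / t
    return terms


def convergents(terms: list) -> list:
    """(p_n, q_n) for each n, from p_n = a_n p_{n-1} + p_{n-2},
    q_n = a_n q_{n-1} + q_{n-2} with p_{-2}=0, p_{-1}=1, q_{-2}=1, q_{-1}=0."""
    p2, p1 = 0, 1
    q2, q1 = 1, 0
    out = []
    for a in terms:
        p_n, q_n = a * p1 + p2, a * q1 + q2
        out.append((p_n, q_n))
        p2, p1 = p1, p_n
        q2, q1 = q1, q_n
    return out


def determinant_identity_holds(terms: list) -> bool:
    """Check (5.1.2): p_n q_{n-1} - q_n p_{n-1} = (-1)^(n-1) for n >= 1."""
    cs = convergents(terms)
    return all(cs[n][0] * cs[n - 1][1] - cs[n][1] * cs[n - 1][0] == (-1) ** (n - 1)
               for n in range(1, len(cs)))


def value(terms: list) -> Fraction:
    """Exact value of [a_0, ..., a_n], i.e. the last convergent p_n/q_n."""
    p, q = convergents(terms)[-1]
    return Fraction(p, q)


if __name__ == "__main__":
    print(continued_fraction(Fraction(8, 3)))          # [2, 1, 2]
    print(convergents([2, 1, 2, 1, 1, 4, 1, 1, 6]))     # ends with (1264, 465)
    print(continued_fraction(Fraction(e), 9))           # [2, 1, 2, 1, 1, 4, 1, 1, 6]
    print(continued_fraction(Fraction(pi), 5))          # [3, 7, 15, 1, 292]
```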

Example. Let $x = \frac{1 + \sqrt5}{2}$. Then
$$x = 1 + \frac{-1 + \sqrt5}{2},$$
so $a_0 = 1$ and $t_0 = \frac{-1 + \sqrt5}{2}$. We have
$$\frac{1}{t_0} = \frac{2}{-1 + \sqrt5} = \frac{2(1 + \sqrt5)}{4} = \frac{1 + \sqrt5}{2} = x = 1 + \frac{-1 + \sqrt5}{2},$$
so again $a_1 = 1$ and $t_1 = \frac{-1 + \sqrt5}{2}$. Likewise, $a_n = 1$ for all $n$. As we will see below, the following exciting equality makes sense
$$\frac{1 + \sqrt5}{2} = 1 + \cfrac{1}{1 + \cfrac{1}{1 + \cfrac{1}{1 + \cdots}}}.$$

Example. Suppose $x = e = 2.71828182\ldots$. Using the continued fraction procedure, we find that
$$a_0, a_1, a_2, \ldots = 2, 1, 2, 1, 1, 4, 1, 1, 6, 1, 1, 8, 1, 1, 10, \ldots$$
For example, $a_0 = 2$ is the floor of $e$. Subtracting $2$ and inverting, we obtain $1/0.71828\ldots = 1.39221\ldots$, so $a_1 = 1$. Subtracting $1$ and inverting yields $1/0.39221\ldots = 2.54964\ldots$, so $a_2 = 2$. We will prove in Section 5.3 that the continued fraction of $e$ obeys a simple pattern.

The 5th partial convergent of the continued fraction of $e$ is
$$[a_0, a_1, a_2, a_3, a_4, a_5] = \frac{87}{32} = 2.71875,$$
which is a good rational approximation to $e$, in the sense that
$$\left|e - \frac{87}{32}\right| = 0.000468\ldots$$
Note that $0.000468\ldots < 1/32^2 = 0.0009765625$, which illustrates the bound in Corollary below.

Let's do the same thing with $\pi = 3.14159265\ldots$: Applying the continued fraction procedure, we find that the continued fraction of $\pi$ is
$$a_0, a_1, a_2, \ldots = 3, 7, 15, 1, 292, 1, 1, 1, 2, 1, 3, 1, 14, \ldots$$
The first few partial convergents are
$$3,\ \frac{22}{7},\ \frac{333}{106},\ \frac{355}{113},\ \frac{103993}{33102},\ \ldots$$

These are good rational approximations to $\pi$; for example,
$$\frac{103993}{33102} = 3.14159265301\ldots$$
Notice that the continued fraction of $e$ exhibits a nice pattern (see Section 5.3 for a proof), whereas the continued fraction of $\pi$ exhibits no pattern that is obvious to the author. The continued fraction of $\pi$ has been extensively studied, and over 20 million terms have been computed. The data suggests that every integer appears infinitely often as a partial quotient. For much more about the continued fraction of $\pi$ or of any other sequence in this book, type the first few terms of the sequence into [Slo].

Convergence of Infinite Continued Fractions

Lemma 5.2.4. For every $n$ such that $a_n$ is defined, we have
$$x = [a_0, a_1, \ldots, a_n + t_n],$$
and if $t_n \ne 0$ then $x = \left[a_0, a_1, \ldots, a_n, \frac{1}{t_n}\right]$.

Proof. We use induction. The statements are both true when $n = 0$. If the second statement is true for $n - 1$, then
$$x = \left[a_0, a_1, \ldots, a_{n-1}, \frac{1}{t_{n-1}}\right] = [a_0, a_1, \ldots, a_{n-1}, a_n + t_n] = \left[a_0, a_1, \ldots, a_{n-1}, a_n, \frac{1}{t_n}\right].$$
Similarly, the first statement is true for $n$ if it is true for $n - 1$.

Theorem 5.2.5 (Continued Fraction Limit). Let $a_0, a_1, \ldots$ be a sequence of integers such that $a_n > 0$ for all $n \ge 1$, and for each $n \ge 0$, set $c_n = [a_0, a_1, \ldots, a_n]$. Then $\lim_{n\to\infty} c_n$ exists.

Proof. For any $m \ge n$, the number $c_n$ is a partial convergent of $[a_0, \ldots, a_m]$. By Proposition the even convergents $c_{2n}$ form a strictly increasing sequence and the odd convergents $c_{2n+1}$ form a strictly decreasing sequence. Moreover, the even convergents are all $\le c_1$ and the odd convergents are all $\ge c_0$. Hence $\alpha_0 = \lim_{n\to\infty} c_{2n}$ and $\alpha_1 = \lim_{n\to\infty} c_{2n+1}$ both exist and $\alpha_0 \le \alpha_1$. Finally, by Proposition 5.1.5
$$|c_{2n} - c_{2n-1}| = \frac{1}{q_{2n} q_{2n-1}} \le \frac{1}{2n(2n-1)} \to 0,$$
so $\alpha_0 = \alpha_1$.

We define
$$[a_0, a_1, \ldots] = \lim_{n\to\infty} c_n.$$

Example. We illustrate the theorem with $x = \pi$. As in the proof of Theorem 5.2.5, let $c_n$ be the $n$th partial convergent to $\pi$. The $c_n$ with $n$ odd converge down to $\pi$
$$c_1 = 3.142857\ldots, \quad c_3 = 3.14159292\ldots, \quad c_5 = 3.1415926539\ldots$$
whereas the $c_n$ with $n$ even converge up to $\pi$
$$c_2 = 3.1415094\ldots, \quad c_4 = 3.1415926530\ldots, \quad c_6 = 3.1415926534\ldots$$

Theorem. Let $a_0, a_1, a_2, \ldots$ be a sequence of real numbers such that $a_n > 0$ for all $n \ge 1$, and for each $n \ge 0$, set $c_n = [a_0, a_1, \ldots, a_n]$. Then $\lim_{n\to\infty} c_n$ exists if and only if the sum $\sum_{n=0}^\infty a_n$ diverges.

Proof. We only prove that if $\sum a_n$ diverges then $\lim_{n\to\infty} c_n$ exists. A proof of the converse can be found in [Wal48, Ch. 2, Thm. 6.1]. Let $q_n$ be the sequence of denominators of the partial convergents, as defined in Section 5.1.1, so $q_{-2} = 1$, $q_{-1} = 0$, and for $n \ge 0$, $q_n = a_n q_{n-1} + q_{n-2}$. As we saw in the proof of Theorem 5.2.5, the limit $\lim_{n\to\infty} c_n$ exists provided that the sequence $\{q_n q_{n-1}\}$ diverges to positive infinity.

For $n$ even,
$$q_n = a_n q_{n-1} + q_{n-2} = a_n q_{n-1} + a_{n-2} q_{n-3} + q_{n-4} = a_n q_{n-1} + a_{n-2} q_{n-3} + a_{n-4} q_{n-5} + q_{n-6} = \cdots = a_n q_{n-1} + a_{n-2} q_{n-3} + \cdots + a_2 q_1 + q_0,$$
and for $n$ odd,
$$q_n = a_n q_{n-1} + a_{n-2} q_{n-3} + \cdots + a_1 q_0 + q_{-1}.$$
Since $a_n > 0$ for $n > 0$, the sequence $\{q_n\}$ is increasing, so $q_i \ge 1$ for all $i \ge 0$. Applying this fact to the above expressions for $q_n$, we see that for $n$ even
$$q_n \ge a_n + a_{n-2} + \cdots + a_2,$$
and for $n$ odd
$$q_n \ge a_n + a_{n-2} + \cdots + a_1.$$
If $\sum a_n$ diverges, then at least one of $\sum a_{2n}$ or $\sum a_{2n+1}$ must diverge. The above inequalities then imply that at least one of the sequences $\{q_{2n}\}$ or $\{q_{2n+1}\}$ diverges to infinity. Since $\{q_n\}$ is an increasing sequence, it follows that $\{q_n q_{n-1}\}$ diverges to infinity.

Example. Let $a_n = \frac{1}{n\log(n)}$ for $n \ge 2$ and $a_0 = a_1 = 0$. By the integral test, $\sum a_n$ diverges, so by Theorem the continued fraction $[a_0, a_1, a_2, \ldots]$ converges. This convergence is very slow, since, e.g.
$$[a_0, a_1, \ldots, a_{9999}] = \qquad \text{yet} \qquad [a_0, a_1, \ldots, a_{\ \ }] = $$

Theorem. Let $x \in \mathbb R$ be a real number. Then $x$ is the value of the (possibly infinite) simple continued fraction $[a_0, a_1, a_2, \ldots]$ produced by the continued fraction procedure.

Proof. If the sequence is finite then some $t_n = 0$ and the result follows by Lemma 5.2.4. Suppose the sequence is infinite. By Lemma 5.2.4,
$$x = \left[a_0, a_1, \ldots, a_n, \frac{1}{t_n}\right].$$
By Proposition (which we apply in a case when the partial quotients of the continued fraction are not integers!), we have
$$x = \frac{\frac{1}{t_n} p_n + p_{n-1}}{\frac{1}{t_n} q_n + q_{n-1}}.$$
Thus if $c_n = [a_0, a_1, \ldots, a_n]$, then
$$x - c_n = x - \frac{p_n}{q_n} = \frac{\frac{1}{t_n} p_n q_n + p_{n-1} q_n - \frac{1}{t_n} p_n q_n - p_n q_{n-1}}{q_n\left(\frac{1}{t_n} q_n + q_{n-1}\right)} = \frac{p_{n-1} q_n - p_n q_{n-1}}{q_n\left(\frac{1}{t_n} q_n + q_{n-1}\right)} = \frac{(-1)^n}{q_n\left(\frac{1}{t_n} q_n + q_{n-1}\right)}.$$
Thus
$$|x - c_n| = \frac{1}{q_n\left(\frac{1}{t_n} q_n + q_{n-1}\right)} < \frac{1}{q_n(a_{n+1} q_n + q_{n-1})} = \frac{1}{q_n q_{n+1}} \le \frac{1}{n(n+1)} \to 0.$$

In the inequality we use that $a_{n+1}$ is the integer part of $\frac{1}{t_n}$, and $\frac{1}{t_n} > 1$ since $t_n < 1$, so $a_{n+1} \le \frac{1}{t_n}$.

This corollary follows from the proof of the above theorem.

Corollary (Convergence of continued fraction). Let $a_0, a_1, \ldots$ define a simple continued fraction, and let $x = [a_0, a_1, \ldots] \in \mathbb R$ be its value. Then for all $m$,
$$\left|x - \frac{p_m}{q_m}\right| < \frac{1}{q_m\cdot q_{m+1}}.$$

Proposition. If $x$ is a rational number then the sequence $a_0, a_1, \ldots$ produced by the continued fraction procedure terminates.

Proof. Let $[b_0, b_1, \ldots, b_m]$ be the continued fraction representation of $x$ that we obtain using Algorithm, so the $b_i$ are the partial quotients at each step. If $m = 0$, then $x$ is an integer, so we may assume $m > 0$. Then
$$x = b_0 + 1/[b_1, \ldots, b_m].$$
If $[b_1, \ldots, b_m] = 1$ then $m = 1$ and $b_1 = 1$, which will not happen using Algorithm, since it would give $[b_0 + 1]$ for the continued fraction of the integer $b_0 + 1$. Thus $[b_1, \ldots, b_m] > 1$, so in the continued fraction algorithm we choose $a_0 = b_0$ and $t_0 = 1/[b_1, \ldots, b_m]$. Repeating this argument enough times proves the claim.

5.3 The Continued Fraction of e

The continued fraction expansion of $e$ begins $[2, 1, 2, 1, 1, 4, 1, 1, 6, \ldots]$. The obvious pattern in fact does continue, as Euler proved in 1737 (see [Eul85]), and we will prove in this section. As an application, Euler gave a proof that $e$ is irrational by noting that its continued fraction is infinite.

The proof we give below draws heavily on the proof in [Coh], which describes a slight variant of a proof of Hermite (see [Old70]). The continued fraction representation of $e$ is also treated in the German book [Per57], but the proof requires substantial background from elsewhere in that text.

Preliminaries

First, we write the continued fraction of $e$ in a slightly different form. Instead of $[2, 1, 2, 1, 1, 4, \ldots]$, we can start the sequence of coefficients
$$[1, 0, 1, 1, 2, 1, 1, 4, \ldots]$$
to make the pattern the same throughout. (Everywhere else in this chapter we assume that the partial quotients $a_n$ for $n \ge 1$ are positive, but temporarily relax that condition here and allow $a_1 = 0$.) The numerators and denominators of the convergents given by this new sequence satisfy a simple recurrence. Using $r_i$ as a stand-in for $p_i$ or $q_i$, we have
$$r_{3n} = r_{3n-1} + r_{3n-2}$$
$$r_{3n-1} = r_{3n-2} + r_{3n-3}$$
$$r_{3n-2} = 2(n-1) r_{3n-3} + r_{3n-4}.$$
Our first goal is to collapse these three recurrences into one recurrence that only makes mention of $r_{3n}$, $r_{3n-3}$, and $r_{3n-6}$. We have
$$r_{3n} = r_{3n-1} + r_{3n-2} = (r_{3n-2} + r_{3n-3}) + (2(n-1) r_{3n-3} + r_{3n-4}) = (4n - 3) r_{3n-3} + 2 r_{3n-4}.$$
This same method of simplification also shows us that
$$r_{3n-3} = 2 r_{3n-7} + (4n - 7) r_{3n-6}.$$
To get rid of $2 r_{3n-4}$ in the first equation, we make the substitutions
$$2 r_{3n-4} = 2(r_{3n-5} + r_{3n-6}) = 2\big((2(n-2) r_{3n-6} + r_{3n-7}) + r_{3n-6}\big) = (4n - 6) r_{3n-6} + 2 r_{3n-7}.$$
Substituting for $2 r_{3n-4}$ and then $2 r_{3n-7}$, we finally have the needed collapsed recurrence,
$$r_{3n} = 2(2n - 1) r_{3n-3} + r_{3n-6}.$$

Two Integral Sequences

We define the sequences $x_n = p_{3n}$, $y_n = q_{3n}$. Since the $3n$-convergents will converge to the same real number that the $n$-convergents do, $x_n/y_n$ also converges to the limit of the continued fraction. Each sequence $\{x_n\}$, $\{y_n\}$ will obey the recurrence relation derived in the previous section (where $z_n$ is a stand-in for $x_n$ or $y_n$):
$$z_n = 2(2n - 1) z_{n-1} + z_{n-2}, \quad\text{for all } n \ge 2. \tag{5.3.1}$$
The two sequences can be found in Table 5.1. (The initial conditions $x_0 = 1$, $x_1 = 3$, $y_0 = y_1 = 1$ are taken straight from the first few convergents of the original continued fraction.) Notice that since we are skipping several convergents at each step, the ratio $x_n/y_n$ converges to $e$ very quickly.

TABLE 5.1. Convergents (columns $n$, $x_n$, $y_n$, $x_n/y_n$; the entries did not survive extraction).

A Related Sequence of Integrals

Now, we define a sequence of real numbers $T_0, T_1, T_2, \ldots$ by the following integrals:
$$T_n = \int_0^1 \frac{t^n (t-1)^n}{n!} e^t\, dt.$$
Below, we compute the first two terms of this sequence explicitly. (When we compute $T_1$, we are doing the integration by parts $u = t(t-1)$, $dv = e^t\, dt$. Since the integral runs from $0$ to $1$, the boundary condition is $0$ when evaluated at each of the endpoints. This vanishing will be helpful when we do the integral in the general case.)
$$T_0 = \int_0^1 e^t\, dt = e - 1,$$
$$T_1 = \int_0^1 t(t-1) e^t\, dt = -\int_0^1 \big((t-1) + t\big) e^t\, dt = -\Big[(t-1)e^t\Big]_0^1 - \Big[t e^t\Big]_0^1 + 2\int_0^1 e^t\, dt = -1 - e + 2(e - 1) = e - 3.$$
The reason that we defined this series now becomes apparent: $T_0 = y_0 e - x_0$ and $T_1 = y_1 e - x_1$. In general, it will be true that $T_n = y_n e - x_n$. We will now prove this fact. It is clear that if the $T_n$ were to satisfy the same recurrence that the $x_i$ and $y_i$ do, in equation (5.3.1), then the above statement holds by induction. (The initial conditions are correct, as needed.) So we simplify $T_n$ by

integrating by parts twice in succession:
$$\begin{aligned}
T_n &= \int_0^1 \frac{t^n (t-1)^n}{n!} e^t\, dt \\
&= -\int_0^1 \left(\frac{t^{n-1}(t-1)^n}{(n-1)!} + \frac{t^n (t-1)^{n-1}}{(n-1)!}\right) e^t\, dt \\
&= \int_0^1 \left(\frac{t^{n-2}(t-1)^n}{(n-2)!} + n\frac{t^{n-1}(t-1)^{n-1}}{(n-1)!} + n\frac{t^{n-1}(t-1)^{n-1}}{(n-1)!} + \frac{t^n (t-1)^{n-2}}{(n-2)!}\right) e^t\, dt \\
&= 2n T_{n-1} + \int_0^1 \frac{t^{n-2}(t-1)^{n-2}}{(n-2)!}\,(2t^2 - 2t + 1)\, e^t\, dt \\
&= 2n T_{n-1} + \int_0^1 \frac{2\, t^{n-1}(t-1)^{n-1}}{(n-2)!} e^t\, dt + \int_0^1 \frac{t^{n-2}(t-1)^{n-2}}{(n-2)!} e^t\, dt \\
&= 2n T_{n-1} + 2(n-1) T_{n-1} + T_{n-2} \\
&= 2(2n - 1) T_{n-1} + T_{n-2},
\end{aligned}$$
which is the desired recurrence. (Here $2t^2 - 2t + 1 = (t-1)^2 + t^2$, and $2t(t-1) \cdot \frac{1}{(n-2)!} = 2(n-1)\cdot\frac{t(t-1)}{(n-1)!}$.) Therefore $T_n = y_n e - x_n$. To conclude the proof, we consider the limit as $n$ approaches infinity:
$$\lim_{n\to\infty} \int_0^1 \frac{t^n (t-1)^n}{n!} e^t\, dt = 0,$$
by inspection, and therefore
$$\lim_{n\to\infty} \frac{x_n}{y_n} = \lim_{n\to\infty}\left(e - \frac{T_n}{y_n}\right) = e.$$
Therefore, the ratio $x_n/y_n$ approaches $e$, and the continued fraction expansion $[2, 1, 2, 1, 1, 4, 1, 1, \ldots]$ does in fact converge to $e$.

Extensions of the Argument

The method of proof of this section generalizes to show that the continued fraction expansion of $e^{1/n}$ is
$$[1, (n-1), 1, 1, (3n-1), 1, 1, (5n-1), 1, 1, (7n-1), \ldots]$$
for all $n \in \mathbb N$ (see Exercise 5.6).

5.4 Quadratic Irrationals

The main result of this section is that the continued fraction expansion of a number is eventually repeating if and only if the number is a quadratic

irrational. This can be viewed as an analogue for continued fractions of the familiar fact that the decimal expansion of $x$ is eventually repeating if and only if $x$ is rational. The proof that continued fractions of quadratic irrationals eventually repeat is surprisingly difficult and involves an interesting finiteness argument. The subsection below on algebraic numbers of higher degree emphasizes our striking ignorance about continued fractions of real roots of irreducible polynomials over $\mathbf{Q}$ of degree bigger than 2.

Definition (Quadratic Irrational). A real number $\alpha \in \mathbf{R}$ is a quadratic irrational if it is irrational and satisfies a quadratic polynomial with coefficients in $\mathbf{Q}$.

Thus, e.g., $(1 + \sqrt{5})/2$ is a quadratic irrational. Recall that $(1 + \sqrt{5})/2 = [1, 1, 1, \ldots]$. The continued fraction of $\sqrt{2}$ is $[1, 2, 2, 2, 2, 2, \ldots]$, and the continued fraction of $\sqrt{389}$ is
$$[19, 1, 2, 1, 1, 1, 1, 2, 1, 38, 1, 2, 1, 1, 1, 1, 2, 1, 38, \ldots].$$
Does the $[1, 2, 1, 1, 1, 1, 2, 1, 38]$ pattern repeat over and over again?

Periodic Continued Fractions

Definition (Periodic Continued Fraction). A periodic continued fraction is a continued fraction $[a_0, a_1, \ldots, a_n, \ldots]$ such that $a_n = a_{n+h}$ for some fixed positive integer $h$ and all sufficiently large $n$. We call the minimal such $h$ the period of the continued fraction.

Example. Consider the periodic continued fraction $[1, 2, 1, 2, \ldots] = [\overline{1, 2}]$. What does it converge to? We have
$$[\overline{1, 2}] = 1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cdots}}},$$
so if $\alpha = [\overline{1, 2}]$ then
$$\alpha = 1 + \cfrac{1}{2 + \cfrac{1}{\alpha}} = 1 + \frac{1}{\frac{2\alpha + 1}{\alpha}} = 1 + \frac{\alpha}{2\alpha + 1} = \frac{3\alpha + 1}{2\alpha + 1}.$$

Thus $2\alpha^2 - 2\alpha - 1 = 0$, so $\alpha = \dfrac{1 + \sqrt{3}}{2}$.

Theorem (Periodic Characterization). An infinite simple continued fraction is periodic if and only if it represents a quadratic irrational.

Proof. ($\Rightarrow$) First suppose that $[a_0, a_1, \ldots, a_n, \overline{a_{n+1}, \ldots, a_{n+h}}]$ is a periodic continued fraction. Set $\alpha = [a_{n+1}, a_{n+2}, \ldots]$. Then
$$\alpha = [a_{n+1}, \ldots, a_{n+h}, \alpha],$$
so by the formula for the value of $[a_{n+1}, \ldots, a_{n+h}, x]$ in terms of convergents (proved earlier in this chapter),
$$\alpha = \frac{\alpha p_{n+h} + p_{n+h-1}}{\alpha q_{n+h} + q_{n+h-1}}.$$
Here we use that $\alpha$ is the last partial quotient. Thus, $\alpha$ satisfies a quadratic equation with coefficients in $\mathbf{Q}$. Computing as in the example above and rationalizing the denominators, and using that the $a_i$ are all integers, shows that
$$[a_0, a_1, \ldots] = [a_0, a_1, \ldots, a_n, \alpha] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{\ddots + \cfrac{1}{\alpha}}}$$
is of the form $c + d\alpha$, with $c, d \in \mathbf{Q}$, so $[a_0, a_1, \ldots]$ also satisfies a quadratic polynomial over $\mathbf{Q}$. The continued fraction procedure applied to the value of an infinite simple continued fraction yields that continued fraction back, so, since the continued fraction of a rational number is finite, $\alpha \notin \mathbf{Q}$ because it is the value of an infinite continued fraction.

($\Leftarrow$) Suppose $\alpha \in \mathbf{R}$ is an irrational number that satisfies a quadratic equation
$$a\alpha^2 + b\alpha + c = 0 \tag{5.4.1}$$
with $a, b, c \in \mathbf{Z}$ and $a \neq 0$. Let $[a_0, a_1, \ldots]$ be the continued fraction expansion of $\alpha$. For each $n$, let
$$r_n = [a_n, a_{n+1}, \ldots],$$
so
$$\alpha = [a_0, a_1, \ldots, a_{n-1}, r_n].$$

We will prove periodicity by showing that the set of $r_n$'s is finite. If we have shown finiteness, then there exist $n, h > 0$ such that $r_n = r_{n+h}$, so
$$\begin{aligned}
[a_0, \ldots, a_{n-1}, r_n] &= [a_0, \ldots, a_{n-1}, a_n, \ldots, a_{n+h-1}, r_{n+h}] \\
&= [a_0, \ldots, a_{n-1}, a_n, \ldots, a_{n+h-1}, r_n] \\
&= [a_0, \ldots, a_{n-1}, a_n, \ldots, a_{n+h-1}, a_n, \ldots, a_{n+h-1}, r_{n+h}] \\
&= [a_0, \ldots, a_{n-1}, \overline{a_n, \ldots, a_{n+h-1}}].
\end{aligned}$$
It remains to show there are only finitely many distinct $r_n$. We have
$$\alpha = \frac{p_n}{q_n} = \frac{r_n p_{n-1} + p_{n-2}}{r_n q_{n-1} + q_{n-2}}.$$
Substituting this expression for $\alpha$ into the quadratic equation (5.4.1), we see that
$$A_n r_n^2 + B_n r_n + C_n = 0,$$
where
$$\begin{aligned}
A_n &= a p_{n-1}^2 + b p_{n-1} q_{n-1} + c q_{n-1}^2, \\
B_n &= 2a p_{n-1} p_{n-2} + b(p_{n-1} q_{n-2} + p_{n-2} q_{n-1}) + 2c q_{n-1} q_{n-2}, \text{ and} \\
C_n &= a p_{n-2}^2 + b p_{n-2} q_{n-2} + c q_{n-2}^2.
\end{aligned}$$
Note that $A_n, B_n, C_n \in \mathbf{Z}$, that $C_n = A_{n-1}$, and that
$$B_n^2 - 4A_nC_n = (b^2 - 4ac)(p_{n-1}q_{n-2} - q_{n-1}p_{n-2})^2 = b^2 - 4ac.$$
Recall from earlier in this chapter that
$$\left|\alpha - \frac{p_{n-1}}{q_{n-1}}\right| < \frac{1}{q_n q_{n-1}}.$$
Thus
$$|\alpha q_{n-1} - p_{n-1}| < \frac{1}{q_n} < \frac{1}{q_{n-1}},$$
so
$$p_{n-1} = \alpha q_{n-1} + \frac{\delta}{q_{n-1}} \quad \text{with } |\delta| < 1.$$
Hence
$$\begin{aligned}
A_n &= a\left(\alpha q_{n-1} + \frac{\delta}{q_{n-1}}\right)^2 + b\left(\alpha q_{n-1} + \frac{\delta}{q_{n-1}}\right) q_{n-1} + c q_{n-1}^2 \\
&= (a\alpha^2 + b\alpha + c)\, q_{n-1}^2 + 2a\alpha\delta + a\frac{\delta^2}{q_{n-1}^2} + b\delta \\
&= 2a\alpha\delta + a\frac{\delta^2}{q_{n-1}^2} + b\delta.
\end{aligned}$$

Thus
$$|A_n| = \left| 2a\alpha\delta + a\frac{\delta^2}{q_{n-1}^2} + b\delta \right| < 2|a\alpha| + |a| + |b|.$$
Thus there are only finitely many possibilities for the integer $A_n$. Also,
$$|C_n| = |A_{n-1}| \quad\text{and}\quad |B_n| = \sqrt{b^2 - 4(ac - A_nC_n)},$$
so there are only finitely many triples $(A_n, B_n, C_n)$, and hence only finitely many possibilities for $r_n$ as $n$ varies, which completes the proof. (The proof above closely follows [HW79, Thm. 177].)

Continued Fractions of Algebraic Numbers of Higher Degree

Definition (Algebraic Number). An algebraic number is a root of a polynomial $f \in \mathbf{Q}[x]$.

Open Problem. Give a simple description of the complete continued fraction expansion of the algebraic number $\sqrt[3]{2}$. It begins
$$[1, 3, 1, 5, 1, 1, 4, 1, 1, 8, 1, 14, 1, 10, 2, 1, 4, 12, 2, 3, 2, 1, 3, 4, 1, 1, 2, 14, 3, 12, 1, 15, 3, 1, 4, 534, 1, 1, 5, 1, 1, \ldots]$$

The author does not see a pattern, and the 534 reduces his confidence that he will. Lang and Trotter (see [LT72]) analyzed many terms of the continued fraction of $\sqrt[3]{2}$ statistically, and their work suggests that $\sqrt[3]{2}$ has an unusual continued fraction; later work in [LT74] suggests that maybe it does not.

Khintchine (see [Khi63, pg. 59]): No properties of the representing continued fractions, analogous to those which have just been proved, are known for algebraic numbers of higher degree [as of 1963]. [...] It is of interest to point out that up till the present time no continued fraction development of an algebraic number of higher degree than the second is known [emphasis added]. It is not even known if such a development has bounded elements. Generally speaking the problems associated with the continued fraction expansion of algebraic numbers of degree higher than the second are extremely difficult and virtually unstudied.

Richard Guy (see [Guy94, pg. 260]): Is there an algebraic number of degree greater than two whose simple continued fraction has unbounded partial quotients? Does every such number have unbounded partial quotients?
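The finiteness argument in the proof above can be made exact: each tail $r_n$ of a quadratic irrational is determined by a primitive integer polynomial, and a repeated polynomial signals the period. The Python below is an added example, not the book's code: it computes partial quotients of the real root $\rho$ of an integer polynomial by the substitution $x \mapsto a + 1/x$, reports the period when a state repeats, and reproduces both the $\sqrt{389}$ expansion and the opening terms of $\sqrt[3]{2}$ from the Open Problem. Its precondition, that $\rho$ is irrational and the only real root of $f$ that is $\geq 1$, is an assumption of this script.

```python
from math import gcd

# Polynomials are lists of integer coefficients, lowest degree first.

def poly_eval(f, x):
    result = 0
    for c in reversed(f):
        result = result * x + c
    return result

def poly_mul(f, g):
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] += a * b
    return h

def shift(f, a):
    """Integer polynomial x^n f(a + 1/x), made primitive with positive leading
    coefficient.  Its root > 1 is 1/(rho - a), i.e. the next tail r_{n+1}.  The
    normalisation makes equal tails give equal lists, because a quadratic
    irrational has a unique primitive minimal polynomial (up to sign)."""
    n = len(f) - 1
    h = [0] * (n + 1)
    for k, c in enumerate(f):
        term = [1]                      # c * x^(n-k) * (1 + a x)^k
        for _ in range(k):
            term = poly_mul(term, [1, a])
        for i, t in enumerate(term):
            h[n - k + i] += c * t
    content = 0
    for c in h:
        content = gcd(content, c)
    h = [c // content for c in h]
    return [-c for c in h] if h[-1] < 0 else h

def continued_fraction(f, max_terms):
    """Partial quotients of the real root rho > 1 of f.  Assumes rho is irrational
    and is the only real root of f that is >= 1.  Returns (quotients, period),
    where period is (start, length) once a state repeats, or None otherwise."""
    seen = {}
    quotients = []
    while len(quotients) < max_terms:
        state = tuple(f)
        if state in seen:               # same polynomial => same tail r_n
            start = seen[state]
            return quotients, (start, len(quotients) - start)
        seen[state] = len(quotients)
        a = 1                           # rho > 1, so floor(rho) >= 1
        while poly_eval(f, a) * poly_eval(f, a + 1) > 0:
            a += 1                      # a sign change in (a, a+1) locates floor(rho)
        quotients.append(a)
        f = shift(f, a)
    return quotients, None

def periodic_expansion(f, max_terms=100):
    """(preperiod, repeating block); the block is [] if no period was found."""
    q, period = continued_fraction(f, max_terms)
    if period is None:
        return q, []
    start, length = period
    return q[:start], q[start:start + length]

if __name__ == "__main__":
    print(periodic_expansion([-389, 0, 1]))         # sqrt(389)
    print(continued_fraction([-2, 0, 0, 1], 36)[0]) # cube root of 2
```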

Baum and Sweet [BS76] answered the analogue of Richard Guy's question but with algebraic numbers replaced by elements of a field $K$ other than $\mathbf{Q}$. (The field $K$ is $\mathbf{F}_2((1/x))$, the field of Laurent series in the variable $1/x$ over the finite field with two elements. An element of $K$ is a polynomial in $x$ plus a formal power series in $1/x$.) They found an $\alpha$ of degree three over $K$ whose continued fraction has all terms of bounded degree, and other elements of various degrees greater than 2 over $K$ whose continued fractions have terms of unbounded degree.

5.5 Recognizing Rational Numbers

Suppose that somehow you can compute approximations to some rational number, and want to figure out what the rational number probably is. Computing the approximation to high enough precision to find a period in the decimal expansion is not a good approach, because the period can be huge (see below). A much better approach is to compute the simple continued fraction of the approximation, and truncate it before a large partial quotient $a_n$, then compute the value of the truncated continued fraction. This results in a rational number that has relatively small numerator and denominator, and is close to the approximation of the rational number, since the tail end of the continued fraction is at most $1/a_n$.

We begin with a contrived example, which illustrates how to recognize a rational number. Let $x = 9495/3847$. The continued fraction of a decimal truncation of $x$ is
$$[2, 2, 7, 2, 1, 5, 1, 1, 1, 1, 1, 1, \ldots, 2, 1, 1, 1, \ldots],$$
where the omitted partial quotient is very large. We have
$$[2, 2, 7, 2, 1, 5, 1, 1, 1, 1, 1, 1] = \frac{9495}{3847}.$$
Notice that no repetition is evident in the digits of $x$, though we know that the decimal expansion of $x$ must be eventually periodic, since all decimal expansions of rational numbers are eventually periodic. In fact, the length of the period of the decimal expansion of $1/3847$ is 3846, which is the order of 10 modulo 3847 (see Exercise 5.7).
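To make the procedure concrete, the following Python (an added example, not the book's code) truncates the decimal expansion of $9495/3847$ and recovers the fraction from the continued fraction of the truncation; it also runs the Newton's-method-plus-continued-fraction rational root search described at the end of this section, on a constructed polynomial $f = (3847x - 9495)(x - 3) = 3847x^2 - 21036x + 28485$ chosen to have the text's rational root, and checks the period of $1/3847$ against the order of 10 modulo 3847. The threshold `big` for "large partial quotient" is this example's choice.

```python
from fractions import Fraction

def continued_fraction(x, max_terms=60):
    """Partial quotients of the rational number x (exact), at most max_terms of them."""
    quotients = []
    while len(quotients) < max_terms:
        a = x.numerator // x.denominator
        quotients.append(a)
        x -= a
        if x == 0:
            break
        x = 1 / x
    return quotients

def evaluate(quotients):
    """Value of the finite simple continued fraction [a_0, a_1, ..., a_n]."""
    value = Fraction(quotients[-1])
    for a in reversed(quotients[:-1]):
        value = a + 1 / value
    return value

def recognize_rational(approx, big=1000):
    """Truncate the continued fraction of approx before its first partial quotient
    a_n >= big (n >= 1) and return the value of the truncated fraction.  The
    discarded tail contributes less than 1/a_n, so the result is a rational of
    small height that is close to approx."""
    q = continued_fraction(approx)
    cut = len(q)
    for i in range(1, len(q)):
        if q[i] >= big:
            cut = i
            break
    return evaluate(q[:cut])

def decimal_truncation(num, den, digits):
    """num/den truncated to `digits` decimal places, as an exact Fraction."""
    return Fraction(num * 10**digits // den, 10**digits)

def newton_rational_roots(coeffs, starts, iterations=15, digits=30):
    """coeffs: integer coefficients of f, highest degree first.  Newton's method
    runs from each start with iterates rounded to `digits` decimal places (as a
    numerical approximation would be); each limit is passed to recognize_rational
    and kept only if it is an exact root of f."""
    deg = len(coeffs) - 1
    f = lambda x: sum(c * x ** (deg - i) for i, c in enumerate(coeffs))
    df = lambda x: sum(c * (deg - i) * x ** (deg - i - 1) for i, c in enumerate(coeffs[:-1]))
    scale = 10**digits
    roots = set()
    for x0 in starts:
        x = Fraction(x0)
        for _ in range(iterations):
            x = x - f(x) / df(x)
            x = Fraction(round(x * scale), scale)
        candidate = recognize_rational(x)
        if f(candidate) == 0:
            roots.add(candidate)
    return roots

def decimal_period(d):
    """Period of the decimal expansion of 1/d for gcd(d, 10) = 1: the order of 10 mod d."""
    k, r = 1, 10 % d
    while r != 1:
        r, k = r * 10 % d, k + 1
    return k

if __name__ == "__main__":
    x = decimal_truncation(9495, 3847, 15)        # constructed approximation of 9495/3847
    print(continued_fraction(x))
    print(recognize_rational(x))                   # 9495/3847
    print(newton_rational_roots([3847, -21036, 28485], [0, 10]))
    print(decimal_period(3847))                    # 3846
```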
For a slightly less contrived application of this idea, suppose $f(x) \in \mathbf{Z}[x]$ is a polynomial with integer coefficients, and we know for some reason that one root of $f$ is a rational number. Then we can find that rational number by using Newton's method to approximate each root, and continued fractions to decide whether each root is a rational number (we can substitute the value of the continued fraction approximation into $f$ to see if it

is actually a root). One could also use the well-known rational root theorem, which asserts that any rational root $n/d$ of $f$, with $n, d \in \mathbf{Z}$ coprime, has the property that $n$ divides the constant term of $f$ and $d$ the leading coefficient of $f$. However, using that theorem to find $n/d$ would require factoring the constant and leading terms of $f$, which could be completely impractical if they have a few hundred digits (see Section 1.1.3). In contrast, Newton's method and continued fractions should quickly find $n/d$, assuming the degree of $f$ isn't too large.

For example, suppose $f = 3847x \ldots x \ldots$ (the remaining coefficients are not legible in this copy). To apply Newton's method, let $x_0$ be a guess for a root of $f$. Then iterate using the recurrence
$$x_{n+1} = x_n - \frac{f(x_n)}{f'(x_n)}.$$
Choosing $x_0 = 0$, the continued fractions of the approximations of the first two iterates $x_1$ and $x_2$ are
$$[2, 2, 6, 1, 47, 2, 1, 4, 3, 1, 5, 8, 2, 3]$$
and
$$[2, 2, 7, 2, 1, 5, 1, 1, 1, 1, 1, 1, 103, 8, 1, 2, 3, \ldots].$$
Truncating the continued fraction of $x_2$ before 103 gives $[2, 2, 7, 2, 1, 5, 1, 1, 1, 1, 1, 1]$, which evaluates to $9495/3847$, which is a rational root of $f$.

Another computational application of continued fractions, which we can only hint at, is that there are functions in certain parts of advanced number theory (that are beyond the scope of this book) that take rational values at certain points, and which can only be computed efficiently via approximations; using continued fractions as illustrated above to evaluate such functions is crucial.

5.6 Sums of Two Squares

In this section we apply continued fractions to prove the following theorem.

Theorem 5.6.1. A positive integer $n$ is a sum of two squares if and only if all prime factors $p$ of $n$ such that $p \equiv 3 \pmod 4$ have even exponent in the prime factorization of $n$.

We first consider some examples. Notice that $5 = 1^2 + 2^2$ is a sum of two squares, but 7 is not a sum of two squares. Since 2001 is divisible by 3 (because $2 + 0 + 0 + 1 = 3$), but not by 9 (since 3 is not divisible by 9), Theorem 5.6.1 implies that 2001 is not a sum of two squares. The theorem also implies that $\ldots$ is a sum of two squares.

Definition 5.6.2 (Primitive). A representation $n = x^2 + y^2$ is primitive if $x$ and $y$ are coprime.

Lemma 5.6.3. If $n$ is divisible by a prime $p \equiv 3 \pmod 4$, then $n$ has no primitive representations.

Proof. Suppose $n$ has a primitive representation, $n = x^2 + y^2$, and let $p$ be any prime factor of $n$. Then
$$p \mid x^2 + y^2 \quad\text{and}\quad \gcd(x, y) = 1,$$
so $p \nmid x$ and $p \nmid y$. Since $\mathbf{Z}/p\mathbf{Z}$ is a field we may divide by $y^2$ in the equation $x^2 + y^2 \equiv 0 \pmod p$ to see that
$$(x/y)^2 \equiv -1 \pmod p.$$
Thus the quadratic residue symbol $\left(\frac{-1}{p}\right)$ equals $+1$. However, by Proposition 4.2.1,
$$\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2},$$
so $\left(\frac{-1}{p}\right) = 1$ if and only if $(p-1)/2$ is even, which is to say $p \equiv 1 \pmod 4$.

Proof of Theorem 5.6.1 ($\Rightarrow$). Suppose that $p \equiv 3 \pmod 4$ is a prime, that $p^r \mid n$ but $p^{r+1} \nmid n$ with $r$ odd, and that $n = x^2 + y^2$. Letting $d = \gcd(x, y)$, we have
$$x = dx', \quad y = dy', \quad\text{and}\quad n = d^2 n'$$
with $\gcd(x', y') = 1$ and
$$(x')^2 + (y')^2 = n'.$$
Because $r$ is odd, $p \mid n'$, so Lemma 5.6.3 implies that $\gcd(x', y') > 1$, a contradiction.

To prepare for our proof of ($\Leftarrow$), we reduce the problem to the case when $n$ is prime. Write $n = n_1^2 n_2$ where $n_2$ has no prime factors $p \equiv 3 \pmod 4$. It suffices to show that $n_2$ is a sum of two squares, since
$$(x_1^2 + y_1^2)(x_2^2 + y_2^2) = (x_1x_2 - y_1y_2)^2 + (x_1y_2 + x_2y_1)^2, \tag{5.6.1}$$
so a product of two numbers that are sums of two squares is also a sum of two squares. Since $2 = 1^2 + 1^2$ is a sum of two squares, it suffices to show that any prime $p \equiv 1 \pmod 4$ is a sum of two squares.

Lemma 5.6.4. If $x \in \mathbf{R}$ and $n \in \mathbf{N}$, then there is a fraction $\frac{a}{b}$ in lowest terms such that $0 < b \leq n$ and
$$\left| x - \frac{a}{b} \right| \leq \frac{1}{b(n+1)}.$$

Proof. Consider the continued fraction $[a_0, a_1, \ldots]$ of $x$. By a corollary proved earlier in this chapter, for each $m$
$$\left| x - \frac{p_m}{q_m} \right| < \frac{1}{q_m q_{m+1}}.$$
Since $q_{m+1} \geq q_m + 1$ and $q_0 = 1$, either there exists an $m$ such that $q_m \leq n < q_{m+1}$, or the continued fraction expansion of $x$ is finite and $n$ is larger than the denominator of the rational number $x$, in which case we take $\frac{a}{b} = x$ and are done. In the first case,
$$\left| x - \frac{p_m}{q_m} \right| < \frac{1}{q_m q_{m+1}} \leq \frac{1}{q_m (n+1)},$$
so $\frac{a}{b} = \frac{p_m}{q_m}$ satisfies the conclusion of the lemma.

Proof of Theorem 5.6.1 ($\Leftarrow$). As discussed above, it suffices to prove that any prime $p \equiv 1 \pmod 4$ is a sum of two squares. Since $p \equiv 1 \pmod 4$, $(-1)^{(p-1)/2} = 1$, so Proposition 4.2.1 implies that $-1$ is a square modulo $p$; i.e., there exists $r \in \mathbf{Z}$ such that $r^2 \equiv -1 \pmod p$. Lemma 5.6.4, with $n = \lfloor \sqrt{p} \rfloor$ and $x = -r/p$, implies that there are integers $a, b$ such that $0 < b < \sqrt{p}$ and
$$\left| -\frac{r}{p} - \frac{a}{b} \right| \leq \frac{1}{b(n+1)} < \frac{1}{b\sqrt{p}}.$$
Letting $c = rb + pa$, we have that
$$|c| = |rb + pa| = pb \left| -\frac{r}{p} - \frac{a}{b} \right| < \frac{pb}{b\sqrt{p}} = \sqrt{p},$$
so
$$0 < b^2 + c^2 < 2p.$$
But $c \equiv rb \pmod p$, so
$$b^2 + c^2 \equiv b^2 + r^2b^2 = b^2(1 + r^2) \equiv 0 \pmod p.$$
Thus $b^2 + c^2 = p$.

Remark 5.6.5. Our proof of Theorem 5.6.1 leads to an efficient algorithm to compute a representation of any $p \equiv 1 \pmod 4$ as a sum of two squares. See Chapter 7 for an implementation.
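The algorithm that Remark 5.6.5 refers to, written out in Python as an added example (it is not the book's listing): `prime_as_two_squares` follows the ($\Leftarrow$) proof (a square root $r$ of $-1$ modulo $p$, then the last convergent of $-r/p$ with denominator at most $\lfloor\sqrt p\rfloor$), and `two_squares` extends it to any $n$ using the criterion of Theorem 5.6.1 and identity (5.6.1). `factor` is a trial-division helper assumed adequate for the small inputs used here.

```python
from math import isqrt

def sqrt_of_minus_one(p):
    """Some r with r^2 = -1 (mod p), for a prime p = 1 (mod 4).  By Euler's
    criterion, a^((p-1)/4) works as soon as a is a quadratic non-residue."""
    for a in range(2, p):
        r = pow(a, (p - 1) // 4, p)
        if r * r % p == p - 1:
            return r
    raise ValueError("no square root of -1: p is not a prime = 1 (mod 4)")

def convergents(num, den):
    """Convergents p_m/q_m of the rational num/den (den > 0), in order."""
    p_prev, p_cur, q_prev, q_cur = 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)
        p_prev, p_cur = p_cur, a * p_cur + p_prev
        q_prev, q_cur = q_cur, a * q_cur + q_prev
        yield p_cur, q_cur
        num, den = den, rem

def prime_as_two_squares(p):
    """Theorem 5.6.1 (<=) made effective: prime p = 1 (mod 4) -> (b, c), b^2 + c^2 = p."""
    r = sqrt_of_minus_one(p)
    n = isqrt(p)                        # n = floor(sqrt(p)), as in the proof
    a = b = None
    for pm, qm in convergents(-r, p):   # Lemma 5.6.4 applied to x = -r/p
        if qm > n:
            break                       # keep the convergent with q_m <= n < q_{m+1}
        a, b = pm, qm
    c = r * b + p * a                   # |c| < sqrt(p) and c = r b (mod p)
    assert b * b + c * c == p
    return b, abs(c)

def factor(n):
    """Trial-division factorisation as a dict prime -> exponent (small n only)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def two_squares(n):
    """(x, y) with x^2 + y^2 = n, or None when Theorem 5.6.1 says there is none.
    Representations of the prime factors are combined with identity (5.6.1)."""
    x, y = 1, 0
    for p, e in factor(n).items():
        if p % 4 == 3:
            if e % 2:
                return None             # odd exponent of a prime = 3 (mod 4)
            x, y = x * p ** (e // 2), y * p ** (e // 2)
            continue
        u, v = (1, 1) if p == 2 else prime_as_two_squares(p)
        for _ in range(e):
            x, y = x * u - y * v, x * v + y * u
    return abs(x), abs(y)

if __name__ == "__main__":
    print(two_squares(5), two_squares(7), two_squares(2001))
    print(prime_as_two_squares(10009))
```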

5.7 Exercises

5.1 If $c_n = p_n/q_n$ is the $n$th convergent of $[a_0, a_1, \ldots, a_n]$ and $a_0 > 0$, show that
$$[a_n, a_{n-1}, \ldots, a_1, a_0] = \frac{p_n}{p_{n-1}} \quad\text{and}\quad [a_n, a_{n-1}, \ldots, a_2, a_1] = \frac{q_n}{q_{n-1}}.$$
(Hint: In the first case, notice that
$$\frac{p_n}{p_{n-1}} = \frac{a_n p_{n-1} + p_{n-2}}{p_{n-1}} = a_n + \frac{p_{n-2}}{p_{n-1}} = a_n + \cfrac{1}{\frac{p_{n-1}}{p_{n-2}}}.)$$

5.2 Show that every nonzero rational number can be represented in exactly two ways by a finite simple continued fraction. (For example, 2 can be represented by $[1, 1]$ and $[2]$, and $1/3$ by $[0, 3]$ and $[0, 2, 1]$.)

5.3 Evaluate the infinite continued fraction $[2, 1, 2, 1]$.

5.4 Determine the infinite continued fraction of $\ldots$

5.5 Let $a_0 \in \mathbf{R}$ and $a_1, \ldots, a_n$ and $b$ be positive real numbers. Prove that
$$[a_0, a_1, \ldots, a_n + b] < [a_0, a_1, \ldots, a_n]$$
if and only if $n$ is odd.

5.6 (*) Extend the method presented in the text to show that the continued fraction expansion of $e^{1/k}$ is
$$[1, (k-1), 1, 1, (3k-1), 1, 1, (5k-1), 1, 1, (7k-1), \ldots]$$
for all $k \in \mathbf{N}$.
(a) Compute $p_0$, $p_3$, $q_0$, and $q_3$ for the above continued fraction. Your answers should be in terms of $k$.
(b) Condense three steps of the recurrence for the numerators and denominators of the above continued fraction. That is, produce a simple recurrence for $r_{3n}$ in terms of $r_{3n-3}$ and $r_{3n-6}$ whose coefficients are polynomials in $n$ and $k$.
(c) Define a sequence of real numbers by
$$T_n(k) = \frac{1}{k^n} \int_0^{1/k} \frac{(kt)^n (kt-1)^n}{n!}\, e^t\, dt.$$
i. Compute $T_0(k)$, and verify that it equals $q_0 e^{1/k} - p_0$.
ii. Compute $T_1(k)$, and verify that it equals $q_3 e^{1/k} - p_3$.

iii. Integrate $T_n(k)$ by parts twice in succession, as in Section 5.3, and verify that $T_n(k)$, $T_{n-1}(k)$, and $T_{n-2}(k)$ satisfy the recurrence produced in part (b), for $n \geq 2$.
(d) Conclude that the continued fraction
$$[1, (k-1), 1, 1, (3k-1), 1, 1, (5k-1), 1, 1, (7k-1), \ldots]$$
represents $e^{1/k}$.

5.7 Let $d$ be an integer that is coprime to 10. Prove that the decimal expansion of $\frac{1}{d}$ has period equal to the order of 10 modulo $d$. (Hint: For every positive integer $r$, we have
$$\frac{1}{10^r - 1} = \sum_{n \geq 1} 10^{-rn}.)$$

5.8 Find a positive integer that has at least three different representations as the sum of two squares, disregarding signs and the order of the summands.

5.9 Show that if a natural number $n$ is the sum of two rational squares it is also the sum of two integer squares.

5.10 (*) Let $p$ be an odd prime. Show that $p \equiv 1, 3 \pmod 8$ if and only if $p$ can be written as $p = x^2 + 2y^2$ for some choice of integers $x$ and $y$.

5.11 Prove that of any four consecutive integers, at least one is not representable as a sum of two squares.


6 Elliptic Curves

We introduce elliptic curves and describe how to put a group structure on the set of points on an elliptic curve. We then apply elliptic curves to two cryptographic problems: factoring integers and constructing public-key cryptosystems. Elliptic curves are believed to provide good security with smaller key sizes, something that is very useful in many applications, e.g., if we are going to print an encryption key on a postage stamp, it is helpful if the key is short! Finally, we consider elliptic curves over the rational numbers, and briefly survey some of the key ways in which they arise in number theory.

6.1 The Definition

Definition (Elliptic Curve). An elliptic curve over a field $K$ is a curve defined by an equation of the form
$$y^2 = x^3 + ax + b,$$
where $a, b \in K$ and $-16(4a^3 + 27b^2) \neq 0$.

The condition that $-16(4a^3 + 27b^2) \neq 0$ implies that the curve has no singular points, which will be essential for the applications we have in mind (see Exercise 6.1).

FIGURE 6.1. The Elliptic Curve $y^2 = x^3 + x$ over $\mathbf{Z}/7\mathbf{Z}$

In Section 6.2 we will put a natural abelian group structure on the set
$$E(K) = \{(x, y) \in K \times K : y^2 = x^3 + ax + b\} \cup \{O\}$$
of $K$-rational points on an elliptic curve $E$ over $K$. Here $O$ may be thought of as a point on $E$ at infinity. In Figure 6.1 we graph $y^2 = x^3 + x$ over the finite field $\mathbf{Z}/7\mathbf{Z}$, and in Figure 6.2 we graph $y^2 = x^3 + x$ over the field $K = \mathbf{R}$ of real numbers.

Remark. If $K$ has characteristic 2 (e.g., $K = \mathbf{Z}/2\mathbf{Z}$), then for any choice of $a, b$, the quantity $-16(4a^3 + 27b^2) \in K$ is 0, so according to the definition above there are no elliptic curves over $K$. There is a similar problem in characteristic 3. If we instead consider equations of the form
$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6,$$
we obtain a more general definition of elliptic curves, which correctly allows for elliptic curves in characteristic 2 and 3; these elliptic curves are popular in cryptography because arithmetic on them is often easier to efficiently implement on a computer.

6.2 The Group Structure on an Elliptic Curve

Let $E$ be an elliptic curve over a field $K$, given by an equation $y^2 = x^3 + ax + b$. We begin by defining a binary operation $+$ on $E(K)$.

Algorithm (Elliptic Curve Group Law). Given $P_1, P_2 \in E(K)$, this algorithm computes a third point $R = P_1 + P_2 \in E(K)$.

FIGURE 6.2. The Elliptic Curve $y^2 = x^3 + x$ over $\mathbf{R}$

1. [Is $P_i = O$?] If $P_1 = O$ set $R = P_2$ or if $P_2 = O$ set $R = P_1$ and terminate. Otherwise write $(x_i, y_i) = P_i$.
2. [Negatives] If $x_1 = x_2$ and $y_1 = -y_2$, set $R = O$ and terminate.
3. [Compute $\lambda$] Set
$$\lambda = \begin{cases} (3x_1^2 + a)/(2y_1) & \text{if } P_1 = P_2, \\ (y_1 - y_2)/(x_1 - x_2) & \text{otherwise.} \end{cases}$$
4. [Compute Sum] Then
$$R = \left( \lambda^2 - x_1 - x_2,\; -\lambda x_3 - \nu \right),$$
where $\nu = y_1 - \lambda x_1$ and $x_3 = \lambda^2 - x_1 - x_2$ is the $x$-coordinate of $R$.

Note that in Step 3 if $P_1 = P_2$, then $y_1 \neq 0$; otherwise, we would have terminated in the previous step. We implement this algorithm in Section 7.6.

Theorem. The binary operation $+$ defined above endows the set $E(K)$ with an abelian group structure, in which $O$ is the identity element.

Before discussing why the theorem is true, we reinterpret $+$ geometrically, so that it will be easier for us to visualize. We obtain the sum $P_1 + P_2$ by finding the third point $P_3$ of intersection between $E$ and the line $L$ determined by $P_1$ and $P_2$, then reflecting $P_3$ about the $x$-axis. (This description requires suitable interpretation in cases 1 and 2, and when $P_1 = P_2$.) This is illustrated in Figure 6.3, in which $(0, 2) + (1, 0) = (3, 4)$

on $y^2 = x^3 - 5x + 4$. To further clarify this geometric interpretation, we prove the following proposition.

Proposition (Geometric group law). Suppose $P_i = (x_i, y_i)$, $i = 1, 2$ are distinct points on an elliptic curve $y^2 = x^3 + ax + b$, and that $x_1 \neq x_2$. Let $L$ be the unique line through $P_1$ and $P_2$. Then $L$ intersects the graph of $E$ at exactly one other point
$$Q = \left( \lambda^2 - x_1 - x_2,\; \lambda x_3 + \nu \right),$$
where $\lambda = (y_1 - y_2)/(x_1 - x_2)$ and $\nu = y_1 - \lambda x_1$.

Proof. The line $L$ through $P_1, P_2$ is $y = y_1 + (x - x_1)\lambda$. Substituting this into $y^2 = x^3 + ax + b$ we get
$$(y_1 + (x - x_1)\lambda)^2 = x^3 + ax + b.$$
Simplifying we get $f(x) = x^3 - \lambda^2 x^2 + \cdots = 0$, where we omit the coefficients of $x$ and the constant term since they will not be needed. Since $P_1$ and $P_2$ are in $L \cap E$, the polynomial $f$ has $x_1$ and $x_2$ as roots. By Proposition 2.5.2, the polynomial $f$ can have at most three roots. Writing $f = \prod (x - x_i)$ and equating terms, we see that $x_1 + x_2 + x_3 = \lambda^2$. Thus $x_3 = \lambda^2 - x_1 - x_2$, as claimed. Also, from the equation for $L$ we see that $y_3 = y_1 + (x_3 - x_1)\lambda = \lambda x_3 + \nu$, which completes the proof.

To prove the theorem means to show that $+$ satisfies the three axioms of an abelian group with $O$ as identity element: existence of inverses, commutativity, and associativity. The existence of inverses follows immediately from the definition, since $(x, y) + (x, -y) = O$. Commutativity is also clear from the definition of the group law, since in parts 1 through 3 the recipe is unchanged if we swap $P_1$ and $P_2$; in part 4 swapping $P_1$ and $P_2$ does not change the line determined by $P_1$ and $P_2$, so by the proposition above it does not change the sum $P_1 + P_2$. It is more difficult to prove that $+$ satisfies the associative axiom, i.e., that $(P_1 + P_2) + P_3 = P_1 + (P_2 + P_3)$. This fact can be understood from at least three points of view. One is to reinterpret the group law geometrically (extending the proposition above to all cases), and thus transfer the problem to a question in plane geometry.
This approach is beautifully explained with exactly the right level of detail in [ST92, §I.2]. Another approach is to use the formulas that define $+$ to reduce associativity to checking specific algebraic identities; this is something that would be extremely tedious to do by hand, but can be done using a computer (also tedious). A third approach (see e.g. [Sil86] or [Har77]) is to develop a general theory of divisors on algebraic curves, from which associativity of the group law falls out as a natural corollary. The third approach is the best, because it opens up many new vistas; however we will not pursue it further because it is beyond the scope of this book.

FIGURE 6.3. The Group Law: $(1, 0) + (0, 2) = (3, 4)$ on $y^2 = x^3 - 5x + 4$

6.3 Integer Factorization Using Elliptic Curves

In 1987, Hendrik Lenstra published the landmark paper [Len87] that introduces and analyzes the Elliptic Curve Method (ECM), which is a powerful algorithm for factoring integers using elliptic curves. Lenstra's method is also described in [ST92, §IV.4], [Dav99, §VIII.5], and [Coh93, §10.3].

Lenstra's algorithm is well suited for finding medium sized factors of an integer $N$, which today means 10 to 20 decimal digits. The ECM method is not directly used for factoring RSA challenge numbers (see Section 1.1.3), but it is used on auxiliary numbers as a crucial step in the number field sieve, which is the best known algorithm for hunting for such factorizations. Also, implementation of ECM typically requires little memory.

Pollard's $(p-1)$-Method

Lenstra's discovery of ECM was inspired by Pollard's $(p-1)$-method, which we describe in this section.

Definition (Power smooth). Let $B$ be a positive integer. If $n$ is a positive integer with prime factorization $n = \prod p_i^{e_i}$, then $n$ is $B$-power smooth if $p_i^{e_i} \leq B$ for all $i$.

Thus $30 = 2 \cdot 3 \cdot 5$ is $B$-power smooth for $B = 5, 7$, but $150 = 2 \cdot 3 \cdot 5^2$ is not 5-power smooth (it is $B = 25$-power smooth).

We will use the following algorithm in both the Pollard $p-1$ and elliptic curve factorization methods.

Algorithm (Least Common Multiple of First $B$ Integers). Given a positive integer $B$, this algorithm computes the least common multiple of the positive integers up to $B$.
1. [Sieve] Using, e.g., the Sieve of Eratosthenes (Algorithm 1.2.3), compute a list $P$ of all primes $p \leq B$.
2. [Multiply] Compute and output the product $\prod_{p \in P} p^{\lfloor \log_p(B) \rfloor}$.

Proof. Let $m = \mathrm{lcm}(1, 2, \ldots, B)$. Then
$$\mathrm{ord}_p(m) = \max(\{\mathrm{ord}_p(n) : 1 \leq n \leq B\}) = \mathrm{ord}_p(p^r),$$
where $p^r$ is the largest power of $p$ that satisfies $p^r \leq B$. Since $p^r \leq B < p^{r+1}$, we have $r = \lfloor \log_p(B) \rfloor$.

We implement this algorithm in Section 7.6.

Let $N$ be a positive integer that we wish to factor. We use the Pollard $(p-1)$-method to look for a nontrivial factor of $N$ as follows. First we choose a positive integer $B$, usually with at most six digits. Suppose that there is a prime divisor $p$ of $N$ such that $p-1$ is $B$-power smooth. We try to find $p$ using the following strategy. If $a > 1$ is an integer not divisible by $p$ then by Fermat's Little Theorem, $a^{p-1} \equiv 1 \pmod p$. Let $m = \mathrm{lcm}(1, 2, 3, \ldots, B)$, and observe that our assumption that $p-1$ is $B$-power smooth implies that $p-1 \mid m$, so
$$a^m \equiv 1 \pmod p.$$
Thus $\gcd(a^m - 1, N) > 1$. If $\gcd(a^m - 1, N) < N$ also then $\gcd(a^m - 1, N)$ is a nontrivial factor of $N$. If $\gcd(a^m - 1, N) = N$, then $a^m \equiv 1 \pmod{q^r}$ for every prime power divisor $q^r$ of $N$. In this case, repeat the above steps but with a smaller choice of $B$ or possibly a different choice of $a$. Also, it is a good idea to check from the start whether or not $N$ is a perfect power $M^r$, and if so replace $N$ by $M$. We formalize the algorithm as follows:

Algorithm (Pollard $p-1$ Method). Given a positive integer $N$ and a bound $B$, this algorithm attempts to find a nontrivial factor $m$ of $N$. (Each prime $p \mid m$ is likely to have the property that $p-1$ is $B$-power smooth.)
1. [Compute lcm] Use the algorithm above to compute $m = \mathrm{lcm}(1, 2, \ldots, B)$.
2. [Initialize] Set $a = 2$.
3. [Power and gcd] Compute $x = a^m - 1 \pmod N$ and $g = \gcd(x, N)$.
4. [Finished?] If $g \neq 1$ or $N$, output $g$ and terminate.
5. [Try Again?] If $a < 10$ (say), replace $a$ by $a + 1$ and go to step 3. Otherwise terminate.

We implement this algorithm in Section 7.6.

For fixed $B$, the algorithm often splits $N$ when $N$ is divisible by a prime $p$ such that $p-1$ is $B$-power smooth. Approximately 15% of the primes $p$ in a certain interval of 15-digit numbers are such that $p-1$ is $10^6$-power smooth, so the Pollard method with $B = 10^6$ already fails nearly 85% of the time at finding 15-digit primes in this range (see also Exercise 7.14). We will not analyze Pollard's method further, since it was mentioned here only to set the stage for the elliptic curve factorization method.

The following examples illustrate the Pollard $(p-1)$-method.

Example. In this example, Pollard works perfectly. Let $N = 5917$. We try to use the Pollard $p-1$ method with $B = 5$ to split $N$. We have $m = \mathrm{lcm}(1, 2, 3, 4, 5) = 60$; taking $a = 2$ we have
$$2^{60} \equiv 3417 \pmod{5917}$$
and
$$\gcd(2^{60} - 1, 5917) = \gcd(3416, 5917) = 61,$$
so 61 is a factor of 5917.

Example. In this example, we replace $B$ by a larger integer. Let $N$ be the integer of this example (its value is not legible in this copy). With $B = 5$ and $a = 2$ we have $\gcd(2^{60} - 1, N) = 1$. With $B = 15$, we have $m = \mathrm{lcm}(1, 2, \ldots, 15) = 360360$, and $\gcd(2^{360360} - 1, N) = 2003$, so 2003 is a nontrivial factor of $N$.

Example. In this example, we replace $B$ by a smaller integer. Let $N = 4331$. Suppose $B = 7$, so $m = \mathrm{lcm}(1, 2, \ldots, 7) = 420$, $2^{420} \equiv 1 \pmod{4331}$, and $\gcd(2^{420} - 1, 4331) = 4331$, so we do not obtain a factor of 4331. If we replace $B$ by 5, Pollard's method works: $\gcd(2^{60} - 1, 4331) = 61$, so we split 4331.

Example. In this example, $a = 2$ does not work, but $a = 3$ does. Let $N = 187$. Suppose $B = 15$, so $m = \mathrm{lcm}(1, 2, \ldots, 15) = 360360$, $2^{360360} \equiv 1 \pmod{187}$, and $\gcd(2^{360360} - 1, 187) = 187$, so we do not obtain a factor of 187. If we replace $a = 2$ by $a = 3$, then Pollard's method works: $\gcd(3^{360360} - 1, 187) = 11$. Thus $187 = 11 \cdot 17$.

Motivation for the Elliptic Curve Method

Fix a positive integer $B$. If $N = pq$ with $p$ and $q$ prime and $p-1$ and $q-1$ are not $B$-power smooth, then the Pollard $(p-1)$-method is unlikely to work. For example, let $B = 20$ and suppose that $N = 59 \cdot 101 = 5959$. Note that neither $59 - 1 = 2 \cdot 29$ nor $101 - 1 = 4 \cdot 25$ is $B$-power smooth. With $m = \mathrm{lcm}(1, 2, 3, \ldots, 20) = 232792560$, we have $\gcd(2^m - 1, N) = 1$, so we do not find a factor of $N$.

As remarked above, the problem is that $p-1$ is not 20-power smooth for either $p = 59$ or $p = 101$. However, notice that $p - 2 = 3 \cdot 19$ is 20-power smooth for $p = 59$. Lenstra's ECM replaces $(\mathbf{Z}/p\mathbf{Z})^*$, which has order $p-1$, by the group of points on an elliptic curve $E$ over $\mathbf{Z}/p\mathbf{Z}$. It is a theorem that
$$\#E(\mathbf{Z}/p\mathbf{Z}) = p + 1 \pm s$$
for some nonnegative integer $s < 2\sqrt{p}$ (see e.g., [Sil86, §V.1] for a proof). (Also every value of $s$ subject to this bound occurs, as one can see using complex multiplication theory.) For example, if $E$ is the elliptic curve $y^2 = x^3 + x + 54$ over $\mathbf{Z}/59\mathbf{Z}$ then by enumerating points one sees that $E(\mathbf{Z}/59\mathbf{Z})$ is cyclic of order 57. The set of numbers $59 + 1 \pm s$ for $s \leq 15$ contains 14 numbers that are $B$-power smooth for $B = 20$ (see Exercise 7.14). Thus working with an elliptic curve gives us more flexibility. For example, $60 = 2^2 \cdot 3 \cdot 5$ is 5-power smooth and $70 = 2 \cdot 5 \cdot 7$ is 7-power smooth.
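The Pollard $(p-1)$ examples above and the point count on $y^2 = x^3 + x + 54$ over $\mathbf{Z}/59\mathbf{Z}$ can be checked with the following Python script, added here as an illustration (it is not the book's Section 7.6 code): `lcm_first_integers` is the lcm algorithm above, `pollard_p_minus_1` follows the five steps of the Pollard $p-1$ algorithm with bases $a = 2, 3, \ldots, 10$, and `curve_order` counts points by enumeration.

```python
from math import gcd

def primes_up_to(B):
    """Sieve of Eratosthenes: all primes p <= B."""
    is_prime = [True] * (B + 1)
    is_prime[0:2] = [False, False]
    for i in range(2, int(B ** 0.5) + 1):
        if is_prime[i]:
            for j in range(i * i, B + 1, i):
                is_prime[j] = False
    return [p for p in range(2, B + 1) if is_prime[p]]

def lcm_first_integers(B):
    """lcm(1, ..., B) = product over primes p <= B of p^floor(log_p B)."""
    m = 1
    for p in primes_up_to(B):
        q = p
        while q * p <= B:            # largest power of p that is <= B
            q *= p
        m *= q
    return m

def pollard_p_minus_1(N, B, a_max=10):
    """Pollard p-1: returns (g, a) with g a nontrivial factor of N found from
    base a, or None if every base up to a_max gives gcd 1 or N."""
    m = lcm_first_integers(B)
    for a in range(2, a_max + 1):
        g = gcd(pow(a, m, N) - 1, N)
        if 1 < g < N:
            return g, a
    return None

def curve_order(a, b, p):
    """#E(Z/pZ) for y^2 = x^3 + a x + b, counting O, by enumerating all x."""
    square_count = {}
    for y in range(p):
        square_count[y * y % p] = square_count.get(y * y % p, 0) + 1
    return 1 + sum(square_count.get((x ** 3 + a * x + b) % p, 0) for x in range(p))

if __name__ == "__main__":
    print(pollard_p_minus_1(5917, 5))    # (61, 2)
    print(pollard_p_minus_1(4331, 7))    # None: 2^420 = 1 mod both 61 and 71
    print(pollard_p_minus_1(4331, 5))    # (61, 2)
    print(pollard_p_minus_1(187, 15))    # (11, 3): base 2 gives gcd 187
    print(pollard_p_minus_1(5959, 20, a_max=2))   # None, as in the text
    print(curve_order(1, 54, 59))        # 57
```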

FIGURE 6.4. Hendrik Lenstra

Lenstra's Elliptic Curve Factorization Method

Algorithm (Elliptic Curve Factorization Method). Given a positive integer $N$ and a bound $B$, this algorithm attempts to find a nontrivial factor $m$ of $N$. Carry out the following steps:
1. [Compute lcm] Use the lcm algorithm above to compute $m = \mathrm{lcm}(1, 2, \ldots, B)$.
2. [Choose Random Elliptic Curve] Choose a random $a \in \mathbf{Z}/N\mathbf{Z}$ such that $4a^3 + 27 \in (\mathbf{Z}/N\mathbf{Z})^*$. Then $P = (0, 1)$ is a point on the elliptic curve $y^2 = x^3 + ax + 1$ over $\mathbf{Z}/N\mathbf{Z}$.
3. [Compute Multiple] Attempt to compute $mP$ using an elliptic curve analogue of the fast powering algorithm of Section 2.3. If at some point we cannot compute a sum of points because some denominator in step 3 of the group law algorithm (Section 6.2) is not coprime to $N$, we compute the gcd of this denominator with $N$. If this gcd is a nontrivial divisor, output it. If every denominator is coprime to $N$, output "Fail".

We implement this algorithm in Section 7.6.

If the algorithm fails for one random elliptic curve, there is an option that is unavailable with Pollard's $(p-1)$-method: we may repeat the above algorithm with a different elliptic curve. With Pollard's method we always work with the group $(\mathbf{Z}/N\mathbf{Z})^*$, but here we can try many groups $E(\mathbf{Z}/N\mathbf{Z})$ for many curves $E$. As mentioned above, the number of points on $E$ over $\mathbf{Z}/p\mathbf{Z}$ is of the form $p + 1 - t$ for some $t$ with $|t| < 2\sqrt{p}$; the algorithm thus has a chance if $p + 1 - t$ is $B$-power-smooth for some $t$ with $|t| < 2\sqrt{p}$.

Examples

For simplicity, we use an elliptic curve of the form $y^2 = x^3 + ax + 1$, which has the point $P = (0, 1)$ already on it. We factor $N = 5959$ using the elliptic curve method. Let
$$m = \mathrm{lcm}(1, 2, \ldots, 20) = 232792560 = 1101111000000010000111110000_2,$$

where $x_2$ means $x$ is written in binary. First we choose $a = 1201$ at random and consider $y^2 = x^3 + 1201x + 1$ over $\mathbf{Z}/5959\mathbf{Z}$. Using the formula for $P + P$ from the group law algorithm implemented on a computer (see Section 7.6) we compute $2^i P = 2^i (0, 1)$ for $i \in B = \{4, 5, 6, 7, 8, 13, 21, 22, 23, 24, 26, 27\}$. Then $\sum_{i \in B} 2^i P = mP$. It turns out that during no step of this computation does a number not coprime to 5959 appear in any denominator, so we do not split $N$ using $a = 1201$.

Next we try $a = 389$ and at some stage in the computation we add $P = (2051, 5273)$ and $Q = (637, 1292)$. When computing the group law explicitly we try to compute $\lambda = (y_1 - y_2)/(x_1 - x_2)$ in $(\mathbf{Z}/5959\mathbf{Z})^*$, but fail since $x_1 - x_2 = 1414$ and $\gcd(1414, 5959) = 101$. We thus find a nontrivial factor 101 of 5959. For bigger examples and an implementation of the algorithm, see Section 7.6.

A Heuristic Explanation

Let $N$ be a positive integer and for simplicity of exposition assume that $N = p_1 \cdots p_r$ with the $p_i$ distinct primes. It follows from the Chinese Remainder Theorem (Section 2.2) that there is a natural isomorphism
$$f : (\mathbf{Z}/N\mathbf{Z})^* \to (\mathbf{Z}/p_1\mathbf{Z})^* \times \cdots \times (\mathbf{Z}/p_r\mathbf{Z})^*.$$
When using Pollard's method, we choose an $a \in (\mathbf{Z}/N\mathbf{Z})^*$, compute $a^m$, then compute $\gcd(a^m - 1, N)$. This gcd is divisible exactly by the primes $p_i$ such that $a^m \equiv 1 \pmod{p_i}$. To reinterpret Pollard's method using the above isomorphism, let $(a_1, \ldots, a_r) = f(a)$. Then $(a_1^m, \ldots, a_r^m) = f(a^m)$, and the $p_i$ that divide $\gcd(a^m - 1, N)$ are exactly the $p_i$ such that $a_i^m = 1$. By Fermat's Little Theorem, these $p_i$ include the primes $p_j$ such that $p_j - 1$ is $B$-power smooth, where $m = \mathrm{lcm}(1, \ldots, B)$.

We will not define $E(\mathbf{Z}/N\mathbf{Z})$ when $N$ is composite, since this is not needed for the algorithm (where we assume that $N$ is prime and hope for a contradiction). However, for the remainder of this paragraph, we pretend that $E(\mathbf{Z}/N\mathbf{Z})$ is meaningful and describe a heuristic connection between Lenstra's and Pollard's methods.
The significant difference between Pollard's method and the elliptic curve method is that the isomorphism $f$ is replaced by an "isomorphism" (in quotes)
$$g : E(\mathbf{Z}/N\mathbf{Z}) \to E(\mathbf{Z}/p_1\mathbf{Z}) \times \cdots \times E(\mathbf{Z}/p_r\mathbf{Z})$$
where $E$ is $y^2 = x^3 + ax + 1$, and the $a$ of Pollard's method is replaced by $P = (0, 1)$. We put the isomorphism in quotes to emphasize that we have not defined $E(\mathbf{Z}/N\mathbf{Z})$. When carrying out the elliptic curve factorization algorithm, we attempt to compute $mP$ and if some components of $g(Q)$ are $O$, for some point $Q$ that appears during the computation, but others are nonzero, we find a nontrivial factor of $N$.

6.4 Elliptic Curve Cryptography

In this section we discuss an analogue of Diffie-Hellman that uses an elliptic curve instead of $(\mathbf{Z}/p\mathbf{Z})^*$. The idea to use elliptic curves in cryptography was independently proposed by Neil Koblitz and Victor Miller in the mid 1980s. We then discuss the ElGamal elliptic curve cryptosystem.

Elliptic Curve Analogues of Diffie-Hellman

The Diffie-Hellman key exchange from Section 3.1 works well on an elliptic curve with no serious modification. Michael and Nikita agree on a secret key as follows:
1. Michael and Nikita agree on a prime $p$, an elliptic curve $E$ over $\mathbf{Z}/p\mathbf{Z}$, and a point $P \in E(\mathbf{Z}/p\mathbf{Z})$.
2. Michael secretly chooses a random $m$ and sends $mP$.
3. Nikita secretly chooses a random $n$ and sends $nP$.
4. The secret key is $nmP$, which both Michael and Nikita can compute.

Presumably, an adversary can not compute $nmP$ without solving the discrete logarithm problem (see the Elliptic Curve Discrete Log Problem stated at the end of this section) in $E(\mathbf{Z}/p\mathbf{Z})$. For well-chosen $E$, $P$, and $p$ experience suggests that the discrete logarithm problem in $E(\mathbf{Z}/p\mathbf{Z})$ is much more difficult than the discrete logarithm problem in $(\mathbf{Z}/p\mathbf{Z})^*$ (see the end of this section for more on the elliptic curve discrete log problem).

The ElGamal Cryptosystem and Digital Rights Management

This section is about the ElGamal cryptosystem, which works well on elliptic curves. This section draws on a paper by a computer hacker named Beale Screamer who cracked a Digital Rights Management (DRM) system.

The elliptic curve used in the DRM is an elliptic curve over the finite field $k = \mathbf{Z}/p\mathbf{Z}$, where $p$ is a prime whose base 16 representation is $\mathrm{89ABCDEF}\ldots\mathrm{F7}$, which includes counting in hexadecimal, and digits of $e$, $\pi$, and $\sqrt{2}$. The elliptic curve $E$ is
$$y^2 = x^3 + \ldots x + \ldots$$
(the coefficients are not legible in this copy).

We have #E(k) = …, and the group E(k) is cyclic with generator B = (…, …).

Our heroes Nikita and Michael share digital music when they are not out fighting terrorists. When Nikita installed the DRM software on her computer, it generated a private key n = …, which it hides in bits and pieces of files. In order for Nikita to play Juno Reactor's latest hit juno.wma, her web browser contacts a web site that sells music. After Nikita sends her credit card number, that web site allows Nikita to download a license file that allows her audio player to unlock and play juno.wma. As we will see below, the license file was created using the ElGamal public-key cryptosystem in the group E(k).

Nikita can now use her license file to unlock juno.wma. However, when she shares both juno.wma and the license file with Michael, he is frustrated because even with the license his computer still does not play juno.wma. This is because Michael's computer does not know Nikita's computer's private key (the integer n above), so Michael's computer cannot decrypt the license file.

We now describe the ElGamal cryptosystem, which lends itself well to implementation in the group E(Z/pZ). To illustrate ElGamal, we describe how Nikita would set up an ElGamal cryptosystem that anyone could use to encrypt messages for her. Nikita chooses a prime p, an elliptic curve E over Z/pZ, and a point B ∈ E(Z/pZ), and publishes p, E, and B. She also chooses a random integer n, which she keeps secret, and publishes nB. Her public key is the four-tuple (p, E, B, nB). Suppose Michael wishes to encrypt a message for Nikita. If the message is encoded as an element P ∈ E(Z/pZ), Michael computes a random integer r

and the points rB and P + r(nB) on E(Z/pZ). Then P is encrypted as the pair (rB, P + r(nB)). To decrypt the encrypted message, Nikita multiplies rB by her secret key n to find n(rB) = r(nB), then subtracts this from P + r(nB) to obtain P = P + r(nB) − r(nB). We implement this cryptosystem in Chapter 7.

Remark. It also makes sense to construct an ElGamal cryptosystem in the group (Z/pZ)^*.

Returning to our story, Nikita's license file is an encrypted message to her. It contains the pair of points (rB, P + r(nB)), where rB = (…, …) and P + r(nB) = (…, …). When Nikita's computer plays juno.wma, it loads the secret key n = … into memory and computes n(rB) = (…, …). It then subtracts this from P + r(nB) to obtain P = (…, …). The x-coordinate is the key that unlocks juno.wma. If Nikita knew the private key n that her computer generated, she could compute P herself and unlock juno.wma and share her music with Michael. Beale Screamer found a weakness in the implementation of this system that allows Nikita to determine n, which is not a huge surprise since n is stored on her computer after all.

The Elliptic Curve Discrete Logarithm Problem

Problem (Elliptic Curve Discrete Log Problem). Suppose E is an elliptic curve over Z/pZ and P ∈ E(Z/pZ). Given a multiple Q of P, the elliptic curve discrete log problem is to find n ∈ Z such that nP = Q.

For example, let E be the elliptic curve given by y^2 = x^3 + x + 1 over the field Z/7Z. We have

E(Z/7Z) = {O, (2, 2), (0, 1), (0, 6), (2, 5)}.

If P = (2, 2) and Q = (0, 6), then 3P = Q, so n = 3 is a solution to the discrete logarithm problem.

If E(Z/pZ) has order p or p ± 1 or is a product of reasonably small primes, then there are some methods for attacking the discrete log problem on E, which are beyond the scope of this book. It is thus important to be able to compute #E(Z/pZ) efficiently, in order to verify that the elliptic curve one wishes to use for a cryptosystem doesn't have any obvious vulnerabilities. The naive algorithm to compute #E(Z/pZ) is to try each value of x ∈ Z/pZ and count how often x^3 + ax + b is a perfect square mod p, but this is of no use when p is large enough to be useful for cryptography. Fortunately, there is an algorithm due to Schoof, Elkies, and Atkin for computing #E(Z/pZ) efficiently (polynomial time in the number of digits of p), but this algorithm is beyond the scope of this book.

In Chapter 3 we discussed the discrete log problem in (Z/pZ)^*. There are general attacks called index calculus attacks on the discrete log problem in (Z/pZ)^* that are slow, but still faster than the known algorithms for solving the discrete log in a general group (one with no extra structure). For most elliptic curves, there is no known analogue of index calculus attacks on the discrete log problem. At present it appears that the discrete log problem in E(Z/pZ) is much harder than the discrete log problem in the multiplicative group (Z/pZ)^*. This suggests that by using an elliptic curve-based cryptosystem instead of one based on (Z/pZ)^* one gets equivalent security with much smaller numbers, which is one reason why building cryptosystems using elliptic curves is attractive to some cryptographers.
For example, Certicom, a company that strongly supports elliptic curve cryptography, claims:

"[Elliptic curve crypto] devices require less storage, less power, less memory, and less bandwidth than other systems. This allows you to implement cryptography in platforms that are constrained, such as wireless devices, handheld computers, smart cards, and thin-clients. It also provides a big win in situations where efficiency is important."

For an up-to-date list of elliptic curve discrete log challenge problems that Certicom sponsors, see [Cer]. For example, in April 2004 a specific cryptosystem was cracked that was based on an elliptic curve over Z/pZ, where p has 109 bits. The first unsolved challenge problem involves an elliptic curve over Z/pZ, where p has 131 bits, and the next challenge after that is one in which p has 163 bits. Certicom claims at [Cer] that the 163-bit challenge problem is computationally infeasible.
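The following Python is an added example written for this edit; it is not code from the book or from the software the book uses. It implements the chord-and-tangent group law on y^2 = x^3 + ax + b over Z/nZ once and then uses it for three things discussed above: the elliptic curve factoring step of Section 6.3 (the curve y^2 = x^3 + ax + 1 with P = (0, 1), where a non-invertible denominator mod N is exactly the event that some components of the image have become O while others have not), the Diffie-Hellman and ElGamal exchanges of this section, and the naive point count and a brute-force discrete log on the book's curve y^2 = x^3 + x + 1 over Z/7Z. The function names, the composite N = 77 = 7 · 11 and the tiny keys are constructed toy values of mine, chosen so that every result can be checked by hand.

```python
# Added example, not code from the book: affine arithmetic on the curve
# y^2 = x^3 + a*x + b over Z/nZ, shared by the factoring step, the two key
# exchanges and the point count / discrete log below.  All parameters
# (p = 7, N = 77 = 7 * 11, tiny keys) are constructed toy values.
from math import gcd

O = None  # the point at infinity, the identity of E

class NonInvertible(Exception):
    """gcd(d, n) > 1: impossible on E(Z/pZ), but exactly what ECM waits for mod N."""
    def __init__(self, d):
        super().__init__(d)
        self.d = d

def inv(d, n):
    d %= n
    if gcd(d, n) != 1:
        raise NonInvertible(d)
    return pow(d, -1, n)

def ec_add(P, Q, a, n):
    """Chord-and-tangent addition; the coefficient b never enters the formulas."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return O                       # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, n) % n
    else:
        lam = (y2 - y1) * inv(x2 - x1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def ec_neg(P, n):
    return O if P is O else (P[0], (-P[1]) % n)

def ec_mul(k, P, a, n):
    """k*P by double-and-add."""
    R = O
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R

def count_points(a, b, p):
    """The naive #E(Z/pZ): for each x count the y with y^2 = x^3 + a*x + b, plus O."""
    sq = {}
    for y in range(p):
        sq[y * y % p] = sq.get(y * y % p, 0) + 1
    return 1 + sum(sq.get((x ** 3 + a * x + b) % p, 0) for x in range(p))

def dlog_bruteforce(P, Q, a, p, order):
    """Least n with n*P = Q by trying every n: only feasible in tiny groups."""
    R = O
    for n in range(order + 1):
        if R == Q:
            return n
        R = ec_add(R, P, a, p)
    return None

def ecm_step(N, a, B):
    """One ECM trial on y^2 = x^3 + a*x + 1 with P = (0, 1): compute B!*P mod N.
    If P reaches O modulo one prime factor of N but not the others, some
    denominator is non-invertible and its gcd with N is a nontrivial factor."""
    P = (0, 1)
    try:
        for k in range(2, B + 1):
            P = ec_mul(k, P, a, N)
    except NonInvertible as e:
        g = gcd(e.d, N)
        if 1 < g < N:
            return g
    return None  # no split this time: retry with another a (another curve)

def ecdh_shared(B, m, n, a, p):
    """Michael (secret m) and Nikita (secret n) both arrive at n*m*B."""
    return ec_mul(n, ec_mul(m, B, a, p), a, p), ec_mul(m, ec_mul(n, B, a, p), a, p)

def elgamal_encrypt(P, pub, r, a, p):
    """pub = (B, nB); the message point P becomes (rB, P + r(nB)).
    r must be a fresh secret random integer per message (secrets.randbelow)."""
    B, nB = pub
    return ec_mul(r, B, a, p), ec_add(P, ec_mul(r, nB, a, p), a, p)

def elgamal_decrypt(ct, n, a, p):
    """Recover P = (P + r(nB)) - n(rB) with the private key n."""
    rB, C = ct
    return ec_add(C, ec_neg(ec_mul(n, rB, a, p), p), a, p)
```

On the book's curve over Z/7Z, `count_points(1, 1, 7)` gives the five points listed above, `ec_mul(3, (2, 2), 1, 7)` returns (0, 6), and `dlog_bruteforce` recovers n = 3, which is only possible because the group has five elements; the same loop on a group of cryptographic size never terminates, and `count_points` is the naive O(p) count that the Schoof-Elkies-Atkin algorithm replaces in practice. With N = 77 the point (0, 1) on y^2 = x^3 + x + 1 has order 5 modulo 7 but order 7 or 14 modulo 11, so `ecm_step(77, 1, 5)` dies modulo 7 first and the failed inversion hands back the factor 7. In the ElGamal helpers the per-message r is passed in explicitly so the result is checkable; a deployment must draw it from a cryptographic source and never reuse it, since two messages encrypted with the same r reveal the difference of the message points.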

FIGURE 6.5. Louis J. Mordell

6.5 Elliptic Curves Over the Rational Numbers

Let E be an elliptic curve defined over Q. The following is a deep theorem about the group E(Q).

Theorem (Mordell). The group E(Q) is finitely generated. That is, there are points P_1, ..., P_s ∈ E(Q) such that every element of E(Q) is of the form n_1 P_1 + ··· + n_s P_s for integers n_1, ..., n_s ∈ Z.

Mordell's theorem implies that it makes sense to ask whether or not we can compute E(Q), where by compute we mean find a finite set P_1, ..., P_s of points on E that generate E(Q) as an abelian group. There is a systematic approach to computing E(Q) called descent (see e.g., [Cre97, Cre, Sil86]). It is widely believed that descent will always succeed, but nobody has yet proved that it does. Proving that descent works for all curves is one of the central open problems in number theory, and is closely related to the Birch and Swinnerton-Dyer conjecture (one of the Clay Math Institute's million dollar prize problems). The crucial difficulty amounts to deciding whether or not certain explicitly given curves have any rational points on them (these are curves that have points over R and modulo n for all n). The details of using descent to compute E(Q) are beyond the scope of this book. In several places below we will simply assert that E(Q) has a certain structure or is generated by certain elements. In each case, we computed E(Q) using a computer implementation of this method.

The Torsion Subgroup of E(Q) and the Rank

For any abelian group G, let G_tor be the subgroup of elements of finite order. If E is an elliptic curve over Q, then E(Q)_tor is a subgroup of E(Q), which must be finite because of Mordell's theorem (see Exercise 6.6).


More information

DISCRIMINANTS IN TOWERS

DISCRIMINANTS IN TOWERS DISCRIMINANTS IN TOWERS JOSEPH RABINOFF Let A be a Dedekind domain with fraction field F, let K/F be a finite searable extension field, and let B be the integral closure of A in K. In this note, we will

More information

6 Binary Quadratic forms

6 Binary Quadratic forms 6 Binary Quadratic forms 6.1 Fermat-Euler Theorem A binary quadratic form is an exression of the form f(x,y) = ax 2 +bxy +cy 2 where a,b,c Z. Reresentation of an integer by a binary quadratic form has

More information

Elementary Number Theory MARUCO. Summer, 2018

Elementary Number Theory MARUCO. Summer, 2018 Elementary Number Theory MARUCO Summer, 2018 Problem Set #0 axiom, theorem, proof, Z, N. Axioms Make a list of axioms for the integers. Does your list adequately describe them? Can you make this list as

More information

f(r) = a d n) d + + a0 = 0

f(r) = a d n) d + + a0 = 0 Math 400-00/Foundations of Algebra/Fall 07 Polynomials at the Foundations: Roots Next, we turn to the notion of a root of a olynomial in Q[x]. Definition 8.. r Q is a rational root of fx) Q[x] if fr) 0.

More information

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures

More information

Practice Final Solutions

Practice Final Solutions Practice Final Solutions 1. Find integers x and y such that 13x + 1y 1 SOLUTION: By the Euclidean algorithm: One can work backwards to obtain 1 1 13 + 2 13 6 2 + 1 1 13 6 2 13 6 (1 1 13) 7 13 6 1 Hence

More information

A Guide to Arithmetic

A Guide to Arithmetic A Guide to Arithmetic Robin Chapman August 5, 1994 These notes give a very brief resumé of my number theory course. Proofs and examples are omitted. Any suggestions for improvements will be gratefully

More information

Solvability and Number of Roots of Bi-Quadratic Equations over p adic Fields

Solvability and Number of Roots of Bi-Quadratic Equations over p adic Fields Malaysian Journal of Mathematical Sciences 10(S February: 15-35 (016 Secial Issue: The 3 rd International Conference on Mathematical Alications in Engineering 014 (ICMAE 14 MALAYSIAN JOURNAL OF MATHEMATICAL

More information

Elementary Analysis in Q p

Elementary Analysis in Q p Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some

More information

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1) SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the

More information

AN INTRODUCTION TO GAUSS S NUMBER THEORY. Andrew Granville

AN INTRODUCTION TO GAUSS S NUMBER THEORY. Andrew Granville AN INTRODUCTION TO GAUSS S NUMBER THEORY Andrew Granville We resent a modern introduction to number theory, aimed both at students who have little exerience of university level mathematics, as well as

More information

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively 6 Prime Numbers Part VI of PJE 6.1 Fundamental Results Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively D (p) = { p 1 1 p}. Otherwise

More information

Primes. Rational, Gaussian, Industrial Strength, etc. Robert Campbell 11/29/2010 1

Primes. Rational, Gaussian, Industrial Strength, etc. Robert Campbell 11/29/2010 1 Primes Rational, Gaussian, Industrial Strength, etc Robert Campbell 11/29/2010 1 Primes and Theory Number Theory to Abstract Algebra History Euclid to Wiles Computation pencil to supercomputer Practical

More information

An Estimate For Heilbronn s Exponential Sum

An Estimate For Heilbronn s Exponential Sum An Estimate For Heilbronn s Exonential Sum D.R. Heath-Brown Magdalen College, Oxford For Heini Halberstam, on his retirement Let be a rime, and set e(x) = ex(2πix). Heilbronn s exonential sum is defined

More information

Infinitely Many Quadratic Diophantine Equations Solvable Everywhere Locally, But Not Solvable Globally

Infinitely Many Quadratic Diophantine Equations Solvable Everywhere Locally, But Not Solvable Globally Infinitely Many Quadratic Diohantine Equations Solvable Everywhere Locally, But Not Solvable Globally R.A. Mollin Abstract We resent an infinite class of integers 2c, which turn out to be Richaud-Degert

More information

Diophantine Equations and Congruences

Diophantine Equations and Congruences International Journal of Algebra, Vol. 1, 2007, no. 6, 293-302 Diohantine Equations and Congruences R. A. Mollin Deartment of Mathematics and Statistics University of Calgary, Calgary, Alberta, Canada,

More information

Chapter 2 Arithmetic Functions and Dirichlet Series.

Chapter 2 Arithmetic Functions and Dirichlet Series. Chater 2 Arithmetic Functions and Dirichlet Series. [4 lectures] Definition 2.1 An arithmetic function is any function f : N C. Examles 1) The divisor function d (n) (often denoted τ (n)) is the number

More information

δ(xy) = φ(x)δ(y) + y p δ(x). (1)

δ(xy) = φ(x)δ(y) + y p δ(x). (1) LECTURE II: δ-rings Fix a rime. In this lecture, we discuss some asects of the theory of δ-rings. This theory rovides a good language to talk about rings with a lift of Frobenius modulo. Some of the material

More information

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}. 2 Arithmetic This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}. (See [Houston, Chapters 27 & 28]) 2.1 Greatest common divisors Definition 2.16. If a, b are integers, we say

More information