Scribd
Upload
11 views48 pages

Aln 3

The document discusses basic number theory concepts including the greatest common divisor, prime numbers, and the fundamental theorem of arithmetic. It defines key terms, presents theorems with proofs, and provides examples to illustrate the concepts.

Uploaded by

Hilal ahmad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
11 views48 pages

Aln 3

The document discusses basic number theory concepts including the greatest common divisor, prime numbers, and the fundamental theorem of arithmetic. It defines key terms, presents theorems with proofs, and provides examples to illustrate the concepts.

Uploaded by

Hilal ahmad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 48

Chapter 3

Number Theory

Part of G12ALN

Contents
Algebra and Number Theory G12ALN cw ’17

0 Review of basic concepts and theorems

The contents of this first section – well zeroth section, really – is mostly
repetition of material from last year.

Notations: N = {1, 2, 3, . . . }, Z = {. . . , −2, −1, 0, 1, 2, . . . }. If A is a


finite set, I write #A for the number of elements in A.

Theorem 0.1 (Long division). If a, b ∈ Z and b > 0, then there are


unique integers q and r such that

a = qb+r with 0 6 r < b.

Proof. Theorem 3.2 in G11MSS.

The integer q is called the quotient and r the remainder. We say that
b divides a if the remainder is zero. It will be denoted by b | a.

There is an interesting variant to this: There are unique integers q 0 and


r0 with a = q 0 b + r0 and − 2b < r0 6 2b . Instead of remainder, r0 is called
the least residue of a modulo b.

Example. Take a = 62 and b = 9. Then the quotient is q = 6 and the


remainder is r = 8. The least residue is r0 = −1. 

0.1 The greatest common divisor


 
Definition. Let a and b be integers not both equal to 0. The greatest
common divisor of a and b is the largest integer dividing both a and b.
We will denote it by (a, b). For convenience, we set (0, 0) = 0.
 

Let a, b ∈ Z. Any sum of the form m a + n b, where m and n are integers,


is called a linear combination of a and b.

Theorem 0.2. Let a, b be integers, not both equal to 0. Then

i). (a, b) = (a, b + k a) for all integers k.


 
a b
ii). (a,b) , (a,b) = 1.

iii). (a, b) is the least positive integer that is a linear combination of a


and b.

2
Algebra and Number Theory G12ALN cw ’17

iv). The set of linear combinations of a and b is exactly the set of integer
multiples of (a, b).

Proof. See Section 3.3 in G11MSS.

The last part of the above shows that the ideal aZ + bZ, also denoted
(a, b) in ring theory, is generated by the integer (a, b).
Corollary 0.3. Let a, b ∈ Z. An integer d equals (a, b) if and only if the
following three conditions hold.

• d | a and d | b,

• if c | a and c | b for some integer c, then c | d,

• d > 0.

The definition of the greatest common divisor extends to longer lists of


integers: Let a1 , a2 , . . . , an be integers, not all 0. Their greatest common
divisor is again the largest integer dividing all of the integers in the set.
It is denoted by (a1 , a2 , . . . , an ).
 
Definition. Two integers a, b are called coprime (or relatively prime)
if (a, b) = 1. The integers a1 , a2 , . . . , an are called pairwise coprime if
(ai , aj ) = 1 for all i 6= j.
 

Example. If a1 , a2 , . . . , an are pairwise coprime, then (a1 , a2 , . . . , an ) =


1. The converse does not hold. For instance we have (9, 8, 6) = 1, however
they are not pairwise coprime as (9, 6) = 3. 
Aside: How likely is it that two “random” integers are coprime? More pre-
cisely, the probability that two random integer smaller than N are coprime is
a function in N . How does it behave as N → ∞? Answer it converges to π62 .
When N is large about 60.79% of pairs of integers are coprime. 

Lemma 0.4 (Euclid’s Lemma). If a, b, c are integers such that a | bc and


(a, b) = 1, then a | c.

Proof. Corollary 3.15 in G11MSS.

Corollary 0.5. If a, b and n > 1 are integers such that a | n and b | n


and (a, b) = 1, then ab | n.

3
Algebra and Number Theory G12ALN cw ’17

Proof. Since a divides n, there is an integer k such that n = a k. Now b


divides a k. By Lemma 0.4, b divides k since a and b are coprime. There-
fore k = b k 0 for some integer k 0 . Hence n = abk 0 proves the corollary.

Theorem 0.6 (Euclidean Algorithm). Let a, b ∈ Z be such that a > b >


0. Set r0 = a and r1 = b. For i > 1, define recursively ri to be the
remainder when dividing ri−2 by ri−1 . Then the last non-zero entry in
the sequence r0 , r1 , . . . is equal to the greatest common divisor of a and
b.

In detail, we have a chain of equations:

r0 = q1 r1 + r2
r1 = q2 r2 + r3
.. ..
. .
rn−2 = qn−1 rn−1 + rn
rn−1 = qn rn .

Say rn+1 = 0 and rn 6= 0, then (a, b) = rn .

Proof. Section 3.3 in G11MSS.


Example. We compute that the greatest common divisor of 9633 and
3016 is 13.

9633 = 3 · 3016 + 585


3016 = 5 · 585 + 91
585 = 6 · 91 + 39
91 = 2 · 39 + 13
39 = 3 · 13

“Working backwards” we can express (9633, 3016) = 13 as a linear com-


bination of 9633 and 3016:

13 = 91 − 2 · 39
= 91 − 2 · (585 − 6 · 91) = 13 · 91 − 2 · 585
= 13 · (3016 − 5 · 585) − 2 · 585 = 13 · 3016 − 67 · 585
= 13 · 3016 − 67 · (9633 − 3 · 3016) = −67 · 9633 + 214 · 3016


Aside: Implementation of the euclidean algorithm. Here is the pseudo-code
how this algorithm is implemented. In these lecture notes, pseudo-code is
written using the syntax of python with minor modifications. For instance in
python one should write % instead of “mod” in the following code.

4
Algebra and Number Theory G12ALN cw ’17

def gcd(a,b):
while b > 0:
(a, b) = (b, a mod b)
return a

The extended version gives also one possible pair x and y such that (a, b) =
x a + y b.

def extended_gcd(a, b):


(x, y, u, v) = (1, 0, 0, 1)
while b > 0:
q = a//b
(a, b) = (b, a mod b)
(x, y, u, v) = (u, v, x - u*q, y - v*q)
return a, x, y

Here a//b returns the quotient of a divided by b without remainder; e.g. 7//3
returns 2. 
Example. Here an example why mathematical proofs are important. Is
it true that n5 − 5 is coprime to (n + 1)5 − 5 for all n > 0 ? Cer-
tainly it looks like to be true as it holds for all n < 106 . However it
is not true. For n = 1435390 the greatest common divisor of n5 − 5 =
6093258197476329301164169899995 and (n + 1)5 − 5 = 60932794226022
09796244591837946 is equal to the prime number 1968751. If you know
what a resultant is, there is a simple reason for this. 

0.2 Primes
 
Definition. A natural number p is called a prime if p > 1 and the only
positive divisors of p are 1 and p itself. A number n > 1 that is not a
prime is called composite.
 

Theorem 0.7. There are infinitely many primes.

Proof. Section 2.7 in G11ACF.


Aside: Further results on primes. Dirichlet proved the following result. Let a
and m > 1 be coprime integers. Then there are infinitely many primes in the
arithmetic progression a, a + m, a + 2m, . . . For this and more, go to G13FNT
next year!

Primes become sparser and sparser. In some vague sense, the likelihood
that a large integer n is prime is approximately 1/ log(n). Here is how many
primes there are below N for some values of N :

5
Algebra and Number Theory G12ALN cw ’17

N 103 104 105 106 107 108 109


# primes 168 1229 9592 78498 664579 5761455 50847534

However there are many open problems about prime numbers. Here a list of
three of them:

• Goldbach’s Conjecture: Every even positive integer greater than 2 can


be written as a sum of two primes.

• Twin prime conjecture: There are infinitely many pairs of primes p and
q with q = p + 2.

• Landau’s conjecture: There are infinitely many primes of the form n2 +1


with n ∈ Z.

Recently (2013), it was shown by Helfgott that every odd integer greater than
5 can be written as a sum of three primes. Based on initial work by Yitang
Zhang in 2013, we know now that there are infinitely many prime pairs p > q
with p − q < 246. 

Theorem 0.8 (The fundamental theorem of arithmetic). Every positive


integer n > 1 can be written as a product of primes. The product is
unique up to reordering the factors.

Proof. Theorem 3.19 in G11MSS.

Explicitly, every integer n > 1 can be written as

n = pa11 · pa22 · · · par r

for some integer r > 1, some distinct prime numbers p1 , p2 , . . . , pr and


some integers a1 > 1, a2 > 1, . . . , ar > 1. Up to permuting the primes,
this is unique. For instance 13! = 210 · 35 · 52 · 7 · 11 · 13.

Corollary 0.9. Suppose that a, b are


Q two bpositive integers with prime
factorisations: a = ri=1 pai i and b = sj=1
Q j
q
Q j ckwhere p i and qj are primes.
Then the prime factorisation of (a, b) is k pk with the product running
only over all 1 6 k 6 r for which there is a 1 6 j 6 s with qj = pk and
where ck = min{ak , bj }.

Example. The greatest common divisor of 1000 and 1024 is 8, because


1000 = 23 · 53 and 1024 = 210 . 

6
Algebra and Number Theory G12ALN cw ’17

0.3 Congruences
 
Definition. Let m > 1 be a positive integer. If a, b are integers, we say
that a is congruent to b modulo m if m divides a − b. We write a ≡ b
(mod m). The integer m is called the modulus of the congruence.

Given an integer a. The set of all integers b such that a ≡ b (mod m)


is called a congruence class modulo m and is denoted by [a] or a + mZ.

The set of all congruence classes modulo m is denoted by Z/mZ.


 

You will see people using the notation “a mod m = b”. We will refrain
from using this, which is often meant to mean that b is the remainder
of a modulo m. Note that ≡ will always mean congruences and never
vague things like “identically equal to”.

The set Z/mZ comes with a natural ring structure: If a, b ∈ Z. We


set [a] + [b] = [a + b] and [a] · [b] = [ab]. This comes as no surprise when
thinking of quotients of rings by ideals; otherwise just check that the
definition of these operations do not depend on the choice of a and b in
the coset: For instance if a ≡ a0 (mod m) and b ≡ b0 (mod m), then
there exists k ∈ Z and l ∈ Z with a = a0 + km and b = b0 + lm and hence
a · b = a0 · b0 + (kb0 + la0 + kl)m ≡ a0 b0 (mod m).

Example. Z/10Z is the set [0], [1], [2], [3], [4], [5], [6], [7], [8], [9] . We
can write 1234 ≡ 44 ≡ −6 (mod 10) or equivalently [1234] = [44] = [−6]
and they are equal to [4]. The operations look like [13]+[19] = [13+19] =
[32]; of course this is the same as [3]+[9] = [2]. In other words, operations
on Z/10Z are just manipulations regarding only the last digit of positive
integers.

Similarly the clock (neglecting am and pm) is an example of working


modulo 12: “Three hours after 11 o’clock, it is 2 o’clock” reads [3]+[11] =
[2] in Z/12Z or 3 + 11 ≡ 2 (mod 12). 

Recall that the unit group R∗ of a ring is the set of its invertible ele-
ments, i.e., all a ∈ R such that there is b ∈ R with ab = 1R .
Proposition 0.10. The unit group (Z/mZ)∗ consists of all congruence
classes [a] with a coprime to m.

Proof. If [a] is invertible in the ring Z/mZ, then there is a congruence


class [b] with [b]·[a] = [1]. This equation is equivalent to ba ≡ 1 (mod m)
and to ba = 1 + km for some integer k. If d divides both a and m, then d
also divides 1 = km − ab. Hence d = 1. Therefore a and m are coprime.

7
Algebra and Number Theory G12ALN cw ’17

Conversely, if a is coprime to m, then there are integers b and k such


that ba + km = (a, b) = 1. Hence b · a ≡ 1 (mod m) shows that [a] is
invertible.

If m = p is prime, then Z/pZ is a field, often denoted by Fp . For all


composite m, the ring Z/mZ has zero-divisors and it is therefore not a
field.

Recall that we can use the euclidean algorithm as in Theorem 0.6 to find
an inverse b of a modulo m: By working backwards after computing that
(a, m) = 1, we find integers b and k such that b a + k m = 1. Therefore
b a ≡ 1 (mod m).

Example. The inverse of 99 modulo 1307 is computed as follows:

1307 = 13 · 99 + 20
99 = 4 · 20 + 19
20 = 1 · 19 + 1

Then working backwards

1 = 20 − 1 · 19 = 20 − 1 · (99 − 4 · 20) = 5 · 20 − 1 · 99
= 5 · (1307 − 13 · 99) − 1 · 99 ≡ (−66) · 99 (mod 1307)

Hence the inverse of [99] is [−66]. 

8
Algebra and Number Theory G12ALN cw ’17

1 Congruence equations

In this section, we will ask ourselves how to solve equations modulo m.


For instance find all solutions to x7 + xy + 13 ≡ 0 (mod 1000) in x and y.
First, we will answer this completely for linear equations in one variable.
Then we will show ow one can reduce the question to moduli which are
prime powers and then how to reduce it to the case when the modulus
is a prime.

1.1 Linear congruence equation

We will try to solve the following linear congruence equation in one vari-
able:
a x ≡ b (mod m) (1)
where a, b and m > 1 are given integers.

Proposition 1.1. Suppose a and m are coprime. Then the solutions to


equation (1) form exactly one congruence class modulo m.

Proof. If (a, m) = 1, then [a] is a unit in Z/mZ by Proposition 0.10.


So there is an inverse class [a∗ ] with [a][a∗ ] = 1. The equation (1) is
equivalent to [a][x] = [b], which is equivalent to [x] = [a∗ ][b].

Theorem 1.2. Let d = (a, m). If d - b, then (1) has no solutions. If


d | b, then (1) has exactly d incongruent solutions modulo m.

Proof. The equation (1) has a solution if there is an integer k such that
ax = b + km. If d - b, then there are no solutions.

Now suppose that b = d · b0 . Write m = d · m0 and a = d · a0 . We may


divide the above equation by d to get a0 x = b0 + km0 . Hence the solutions
to (1) are the same as to the equation

a0 x ≡ b 0 (mod m0 ).

By the first part of Theorem 0.2, we know that a0 and m0 are coprime.
Therefore we may apply the previous proposition. There is an integer
x0 such that the solutions to our equation are all integers of the form
x = x0 + n m0 for some integer n. The congruence class modulo m0

9
Algebra and Number Theory G12ALN cw ’17

splits up into d congruence classes modulo m: The solutions x0 , x0 + m0 ,


x0 + 2 m0 , . . . , x0 + (d − 1) m0 are incongruent modulo m.

Example. As (33, 21) = 3, we should expect 3 residue classes to satisfy


21x ≡ 15 (mod 33). Indeed, the congruence is equivalent to 7x ≡ 5
(mod 11). Now 7 is the inverse of 8 modulo 11. Hence we get x ≡ 8·5 ≡ 7
(mod 11). Hence the solutions are [7], [18] and [29] modulo 33. 

1.2 The Chinese remainder theorem

Lemma 1.3. Let m and n be coprime positive integers. Let a and b be


two integers. Then the solutions to the system of congruences
x ≡ a (mod m)
x ≡ b (mod n)
is a unique congruence class modulo m · n.

Proof. Existence: Since m and n are coprime, there are integers A and B
such that Am + Bn = 1. Set x = b Am + a Bn. Since Bn ≡ 1 (mod m),
we obtain x ≡ a (mod m). Similarly x ≡ b (mod n).

Uniqueness: If x and y are two solutions, then m and n both divide


x−y as x ≡ y (mod m) and x ≡ y (mod n). Since m and n are coprime,
Corollary 0.5 implies that mn divides x − y. Therefore x ≡ y (mod nm).

Note that this also follows from the more general “Chinese remainder
theorem”, Theorem 2.3.7, in G12ALN. One takes I = mZ and J = nZ.
Then Z/nmZ ∼ = Z/mZ × Z/nZ. Take [x] to be the unique element in
the left hand-side that corresponds to [a], [b] on the right hand-side.
Theorem 1.4 (Chinese remainder theorem). Let m1 , m2 , . . . , mr be pair-
wise coprime positive integers. Then the system of congruences
x ≡ a1 (mod m1 )
x ≡ a2 (mod m2 )
..
.
x ≡ ar (mod mr )
has a unique solution modulo m1 · m2 · · · mr .

10
Algebra and Number Theory G12ALN cw ’17

Proof. By induction on r. There is nothing to do for r = 1. Write


n = m1 · m2 · · · mr−1 and m = mr . By induction, there is a unique a
modulo n that satisfies the first r−1 equations. Now apply the Lemma 1.3
with b = ar .

Example. The age of the captain is an odd number that when divided
by 5 has remainder 3 and when divided by 11 has remainder 8. How old
is the captain?

For x ≡ 3 (mod 5) and x ≡ 8 (mod 11). Since 1 · 11 + (−2) · 5 = 1,


we see that these two combine to x ≡ 3 · 1 · 11 + 8 · (−2) · 5 = −47 ≡ 8
(mod 55). Then x ≡ 8 (mod 55) and x ≡ 1 (mod 2) combine to x ≡ 63
(mod 110). 

1.3 Non-linear equations

We now turn to more general equations. Let m > 1 be an integer. Let


f (x, y, z, . . . ) be a polynomial in (finitely many) variables and integer
coefficients. In the linear case, we had f (x) = ax − b. We wish to find
all solutions to
f (x, y, z, . . . ) ≡ 0 (mod m). (2)
Given a polynomial f as above, we will write NSolf (m) for the num-
ber of solutions modulo m; more precisely this is the number of vec-
tors ([x], [y], [z], . . . ) with entries in Z/mZ such that f (x, y, z, . . . ) ≡ 0
(mod m). (More generally, we could ask for systems of such polynomial
congruence equations.)

Example. Consider f (x, y) = y 2 − x3 − x − 1. Here are the first few


values of NSolf (m).

m 2 3 4 5 6 7 8 9 10 11 12 13 14
NSolf (m) 2 3 2 8 6 4 4 9 16 13 6 17 8
m 15 16 17 18 19 20 21 22 23 24 25 26 27
NSolf (m) 24 8 17 18 20 16 12 26 27 12 40 34 27

For instance the solutions to f (x, y) ≡ 0 (mod 7) are ([0], [1]), ([0], [−1]),
([2], [2]), and ([2], [−2]). 

11
Algebra and Number Theory G12ALN cw ’17

Proposition 1.5. Let f be a polynomial with integer coefficient.

• If n and m are two coprime integers, then

NSolf (n · m) = NSolf (n) · NSolf (m).


Qr
• Let m = i=1 pai i be the prime factorisation of an integer m. Then
r
Y
NSolf (m) = NSolf (pai i ).
i=1

Proof. We use Lemma 1.3. First, if (x + mnZ, y + mnZ, . . . ) is a solution


modulo nm, then (x + mZ, y + mZ, . . . ) is a solution modulo m and
(x + nZ, y + nZ, . . . ) is a solution modulo n. Conversely, if (a + mZ, a0 +
mZ, . . . ) is a solution modulo m and (b + nZ, b0 + nZ, . . . ) is a solution
modulo n, then Lemma 1.3 guarantees us a that there is a x ≡ a (mod m)
and x ≡ b (mod n), and a y ≡ a0 (mod m) and y ≡ b0 (mod n), etc. In
other words (x + nmZ, y + nmZ, . . . ) is a solution modulo nm. Hence
solutions modulo nm are in bijection with pairs of solutions modulo m
and n.

The second part is deduced from the first by induction on the number
of prime factors of m.

The example above shows that that NSolf (nm) and NSolf (n)·NSolf (m)
can differ when (n, m) 6= 1.

Example. Consider the polynomial f (x) = x2 + 1. It has two solutions


modulo 5, namely [2] and [3]. It also has two solutions modulo 13, namely
[5] and [8]. Therefore, the above proposition implies that f (x) ≡ 0
(mod 65) has four solutions. Indeed they are [8], [18], [47] and [57].

Note in particular that this is an example of a polynomial with more


solutions than its degree. If g(x) ∈ k[x] with k a field, there are always
at most deg(g) solutions. However Z/65Z is not a field. 

The proposition tells us that we may restrict now to the case when m
is a prime power when trying to solve (2).

12
Algebra and Number Theory G12ALN cw ’17

1.4 Lifting solutions

Let p be a prime. The aim of this section is to explain how one can
(sometimes) get from a solution modulo p to a solution modulo powers
of p. This process is called “lifting” a solution. We illustrate this first
with an example.

Example. Consider the equation f (x) = x2 + 1 ≡ 0 (mod 5). Checking


all congruence classes modulo p = 5, we find that x0 = 2 and x1 = 3 are
the only two solutions.

Now we consider x2 + 1 ≡ 0 (mod 25). If x is a solution modulo 25


then its remainder modulo 5 is a solution modulo 5. So we can write x
as 2 + t · 5 or 3 + t · 5 for some integer t. We plug this into the equation
to get

0 ≡ (2 + t · 5)2 + 1 = 5 + 4t · 5 + t2 · 52 (mod 25)


⇐⇒ 0 ≡ 5 + 4t · 5 (mod 25)
⇐⇒ 0 ≡ 1 + 4t (mod 5)
⇐⇒ t ≡ 1 (mod 5)

where we used how to solve the resulting linear equation. So we find


that 2 + 1 · 5 = 7 is a solution modulo 25. The only other solution is
3 + 3 · 5 = 18. 
 
2 d
Definition. If f (x) = a0 + a1 x + a2 x + · · · + ad x is a polynomial
with coefficients in Z, we define its derivative by f 0 (x) = a1 + 2 a2 x +
3 a3 x2 + · · · + d ad xd−1 . It is again a polynomial with coefficients in Z.
 

Lemma 1.6. Let f (x) ∈ Z[x] and set g(x) = f (x + a) for some integer
a. Then g 0 (x) = f 0 (x + a).

Proof. If we relate this back to the usual definition of the derivative


of real functions, then the lemma follows immediately from the chain
rule. If we
Pd want kto avoid limits, then
Pd we canPkdo kthe following. Write
 k−i
f (x) = k=0 ck x . Then g(x) = k=0 ck i=0 i a xi and we can

13
Algebra and Number Theory G12ALN cw ’17

compute
d k  
0
X X k k−i i−1
g (x) = ck i a x
k=0 i=1
i
d k−1  
X X k
= ck (j + 1) ak−(j+1) xj
k=0 j=0
j + 1
d k−1  
X X k − 1 (k−1)−j j
= ck k a x
k=0 j=0
j
d
X
= ck k (x + a)k−1 = f 0 (x + a).
k=0

Theorem 1.7 (Hensel’s Lemma). Let p be a prime and k > 1. Let


f (x) be a polynomial with coefficients in Z. Suppose x0 is a solution of
f (x) ≡ 0 (mod pk ) such that f 0 (x0 ) 6≡ 0 (mod p). Then there is a unique
t modulo pk such that x0 + t pk is a solution to f (x) ≡ 0 (mod p2k ).

Proof. Write ξ = x − x0 . Plug x = ξ + x0 into f and expand it as a


polynomial in the new unknown ξ. We get f (ξ + x0 ) = a0 + a1 ξ + a2 ξ 2 +
· · · + ad ξ d for some integers ai . We note that a0 = f (x0 ) is divisible
by pk , say a0 = pk b. By the previous lemma, we find that a1 = f 0 (x0 ),
which is not divisible by p. Now we wish to find the solutions to f (x) ≡ 0
(mod p2k ) with ξ = t pk :

0 ≡ a0 + a1 t pk + a2 t2 p2k + · · · + ad td pdk (mod p2k )


⇐⇒ 0 ≡ a0 + a1 t pk (mod p2k )
⇐⇒ 0 ≡ pk · (b + a1 t) (mod p2k )
⇐⇒ 0 ≡ b + a1 t (mod pk )

We are reduced to solve a linear congruence. Since p does not divide


a1 , the latter is coprime to pk . Therefore there is a unique solution for t
modulo pk by Proposition 1.1.

Example. We know that 18 is a solution to x2 + 1 ≡ 0 modulo 25. We


have f 0 (18) = 2 · 18 6≡ 0 (mod 5). So the theorem applies to give us a
solution modulo 54 .

Explicitly, we need to solve 0 ≡ b+a1 t modulo 25 with a1 = f 0 (18) ≡ 11


(mod 25) and b = f (18)/25 = 13. Now solve the equation 0 ≡ 13 + 11 t
(mod 25): the inverse of 11 modulo 25 is 16, hence t ≡ −13 · 11 ≡ 17
(mod 25). This gives x = 18 + 17 · 25 = 443 is a solution to x2 + 1 ≡ 0
modulo 54 . 

14
Algebra and Number Theory G12ALN cw ’17

It is also clear from the proof above that we have two further cases. If
0
f (x0 ) ≡ 0 (mod p) and f (x0 ) 6≡ 0 (mod p2k ), then there is no solution
for t. If f 0 (x0 ) ≡ 0 (mod p) and f (x0 ) ≡ 0 (mod p2k ) then all t are
solutions.

Corollary 1.8. If there exists a solution x0 to f (x) ≡ 0 (mod p) with


f 0 (x0 ) 6≡ 0 (mod p). Then there exists a solution to f (x) ≡ 0 (mod pk )
for all k > 1, too.

Example. When the condition f 0 (x0 ) 6≡ 0 (mod p) is not satisfied, it is


more complicated. The polynomial f (x) = x2 + x + 7 has a solutions
x0 = 1 modulo 9, yet no solutions modulo 27 or any higher power of
3. This is because f 0 (1) ≡ 0 (mod 3), but f (1) 6≡ 0 (mod 27). Now
x2 + x + 25 will have a solution x0 = 1 modulo 27, but none modulo 81.

For instance the polynomial x3 − 3 x + 2 has a solution x0 = 1 modulo


all powers of 3, yet Hensel’s Lemma never applies. 
Aside: T his is the starting point to the construction of “p-adic numbers”.
They form an interesting field containing Q incorporating working with poly-
nomial equations modulo pk for all k at once. They really should stand on
equal footing with the real numbers as they can be obtained by the same com-
pletion process. But that is very exciting material for G13FNT and G14ANT.


A concluding remark on this section. Given a polynomial equation,


we have seen how to use the Chinese remainder theorem to reduce the
question to m = pk for a prime number k. Then Hensel’s lemma allows
us often to answer it for a prime powers by solving it for m = p. This
leaves the question of how to solve polynomial equations modulo primes
p. For small primes p, one can just run through all values, but for large
p this is far from being efficient. There is a lot of on-going research in
this direction.

15
Algebra and Number Theory G12ALN cw ’17

2 Arithmetic functions

In this section, we will study functions like the Euler totient function
that measure arithmetic properties of numbers. Typical questions could
be: How many prime factors does a very large number have in average?

Definition. A function f : N → C is called an arithmetic function.
Such a function f is called multiplicative if f (mn) = f (m)f (n) for all
pairs of coprime positive integers m, n. It is called completely multi-
plicative if f (mn) = f (m)f (n) for all positive integers m and n.

Example. The function f (n) = ns is completely multiplicative for any


real number s. Given a polynomial f (x, y, z, . . . ) with integer coeffi-
cients, by Proposition 1.5 the function NSolf is multiplicative, but not
completely multiplicative in general. 

2.1 The Euler phi-function


 
Definition. Let n be a positive integer. Euler’s phi-function ϕ(n) is
defined to be the number of units in Z/nZ. It is also called Euler’s
totient function. By Proposition 0.10, we obtain
n o
ϕ(n) = # a 1 6 a < n and (a, n) = 1

 

Here is a table with some values of Euler’s ϕ-function.

n 1 2 3 4 5 6 7 8 9 10 11 12 13 14
ϕ(n) 1 1 2 2 4 2 6 4 6 4 10 4 12 6

n 15 16 17 18 19 20 21 22 23 24 25 26 27 28
ϕ(n) 8 8 16 6 18 8 12 10 22 8 20 12 18 12

In Figure 1, there is a plot of the values up to 1000.


Theorem 2.1. Euler’s phi function is multiplicative, but not completely
multiplicative.

Proof. Let m and n be coprime natural numbers. We show that the map
∗ ∗ ∗
Ψ : Z/mnZ → Z/mZ × Z/nZ

x + nmZ 7→ x + mZ, x + nZ

16
Algebra and Number Theory G12ALN cw ’17

Figure 1: First 1000 values of ϕ

is a bijection. First note that the map is well defined in that, if we


replace x by x0 = x + knm for some k ∈ Z, then x + mZ = x0 + mZ and
x + nZ = x0 + nZ. Also x + nmZ is invertible if and only if (x, nm) = 1.
Using Euclid’s Lemma 0.4, this is equivalent to (x, n) = 1 and (x, m) =
1 because (n, m) = 1. Hence Ψ sends invertible elements to pairs of
invertible elements.

Now if Ψ(x + nmZ) = Ψ(x0 + nmZ), then x ≡ x0 (mod n) and x ≡ x0


(mod m). Now the Chinese remainder Theorem as in Lemma 1.3 shows
that x ≡ x0 (mod nm). Therefore Ψ is injective. The same lemma also
shows that Ψ is surjective: Take (a + mZ, b + nZ) in the target of Ψ.
Then there exists x such that x ≡ a (mod m) and x ≡ b (mod n). Then
Ψ(x + nmZ) = (a + mZ, b + nZ). We have shown that Ψ is a bijection.

Therefore ϕ(m n) = #(Z/mnZ)∗ = #(Z/mZ)∗ · #(Z/nZ)∗ = ϕ(m) ·


ϕ(n) shows that ϕ is multiplicative. Since ϕ(4) 6= ϕ(2) · ϕ(2), it is not
completely multiplicative.

Note that Corollary 2.3.8 in G12ALN with R = Z, I1 = mZ and


I2 = nZ yields that

(Z/mnZ)∗ ∼
= (Z/mZ)∗ × (Z/nZ)∗ .

is not just a bijection but a group isomorphism.

17
Algebra and Number Theory G12ALN cw ’17

Qr
Proposition 2.2. If n = i=1 pai i is the prime factorisation of n, then
r 
Y  Y 1
ϕ(n) = pai i − pai i −1 = n · 1−
i=1
p
p|n

where the last product runs over all prime divisors p of n.

Proof. This is the content of Corollary Q 2.5.5ai in G12ALN. First the pre-
vious theorem implies that ϕ(n) = i ϕ pi . Let k > 1. Now to be
coprime to pk is the same as to be coprime to p. So from all pk values in
the range 1 6 a 6 pk , we will not allow pk−1 one of them, namely p, 2p,
. . . , pk . This gives ϕ(pk ) = pk − pk−1 .

Aside: More on ϕ(n). The average of all values ϕ(k) for 1 6 k 6 n stays
close to π32 n. One has this remarkable limit statement

ϕ(n) · log(log(n))
lim inf = e−γ ≈ 0.5614 . . .
n
where γ is the Euler-Mascheroni constant. However there are infinitely many
n for which the fraction on the left is smaller than e−γ .

Using the formula in Proposition 2.2 it is possible to compute ϕ(n) if the


factorisation of n is known. Conversely, if we know how to compute it fast
without factoring, we could break the RSA cryptosystem. 

2.2 Divisor functions



Definition. The sum of divisors function σ is defined by setting σ(n)
equal to the sum of all positive divisors of n. The number of divisors
function τ is defined by setting τ (n) equal to the number of positive
divisors of n.

P P P
We may write σ(m) = d|m d and τ (m) = d|m 1. The notation d|n
will always stand for the sum over d running through all positive divisors
of n. For instance, for a prime p, we have τ (p) = 2 and σ(p) = p + 1.

n 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
σ(n) 1 3 4 7 6 12 8 15 13 18 12 28 14 24 24
τ (n) 1 2 2 3 2 4 2 4 3 4 2 6 2 4 4

The first thousand values of σ and τ are plotted in Figure 2.

18
Algebra and Number Theory G12ALN cw ’17

Figure 2: Values of σ(n) on the left and of τ (n) on the right

Theorem 2.3. The arithmetic functions σ and τ are multiplicative.

Proof. Let m and n be coprime natural numbers. Let d be a divisor of


n · m. Set v = (d, n) and w = vd . Then (w, n) = 1 and w | n · m. Euclid’s
Lemma 0.4 implies w | m. In other words, every divisor d of m · n can
be written uniquely as d = w · v with w | m and v | n.
X XX X  X 
σ(m n) = d= wv = w · v = σ(m) · σ(n)
d|mn w|m v|n w|m v|n
X XX X  X 
τ (m n) = 1= 1= 1 · 1 = τ (m) · τ (n)
d|mn w|m v|n w|m v|n

k
P
This proof generalises to show that the function σk (n) = d|n d is
multiplicative for all real values of k. With this notation σ = σ1 and
τ = σ0 . Again, neither is completely multiplicative.

Theorem 2.4. Suppose that n ∈ N has the prime factorisation n =


Q r ai
i=1 pi . Then

r r
Y pai +1 − 1
i
Y
σ(n) = and τ (n) = (ai + 1).
i=1
pi − 1 i=1

19
Algebra and Number Theory G12ALN cw ’17

Proof. Theorem 2.3 implies that σ(n) = i σ pai i . Let p be a prime.


Q 

The divisors of pk are 1, p, p2 , . . . , pk . Hence σ(pk ) = 1 + p + · · · + pk =


pk+1 −1
. Similarly τ (n) = i τ (pai i ) and pk has k + 1 divisors.
Q
p−1

2.3 Möbius inversion


 
Definition. An integer n > 1 is square-free if it has no square divisors
greater than 1.
 

Lemma 2.5. i). An integer n > 1 is square-free if and only if it is a


product of distinct primes.
ii). Every integer n > 1 can be written as a · b2 with a square-free.
iii). Let n > 1 be a square-free integer and m ∈ Z. If p | m for all prime
divisors p of n, then n divides m.

Proof. i). ⇒: Factor n into its prime factorisation. If one prime p


arises to a higher power than 1, then p2 divides n which is im-
possible if n is square-free. ⇐: If d2 divides a product of distinct
primes, then the prime factorisation of d can not contain any of
those primes. Hence d = 1 and so n is square-free.
ii). Let n > 1. Among all the squares dividing n, there is one that is
the largest; call it b2 . Since it divides n, we find a a ∈ N such that
n = a · b2 . Now if d2 divides a, then d2 b2 divides n. But there is no
larger square dividing n, hence d2 b2 = b2 shows that d 6 1 and a
is square-free.
iii). As n is square-free, we can write n = p1 · p2 · · · pr for distinct
prime numbers pi . Assume that pi divides m for all i. Now apply
Corollary 0.5 repeatedly to show that n = p1 · p2 · · · pr must divide
m.

 
Definition. The Möbius function µ : N → {−1, 0, 1} is defined by

1
 if n=1
µ(n) = 0 if n is not square-free
 r
(−1) if n = p1 p2 · · · pr with pi distinct primes.

 

20
Algebra and Number Theory G12ALN cw ’17

n 1 2 3 4 5 6 7 8 9 10 11 12 . . . 30
µ(n) 1 −1 −1 0 −1 1 −1 0 0 1 −1 0 −1

P
Lemma 2.6. If n > 1, then d|n µ(d) = 0.

Example. µ(12) + µ(6) + µ(4) + µ(3) + µ(2) + µ(1) = 0 + 1 + 0 + (−1) +


(−1) + 1 = 0. 

Proof. Write n = pa11 · · · par r . Then in the sum


P
d|n µ(d) we can neglect
all terms for which d is not square-free.
X X
µ(d) = µ(d)
d|n d|n
square-free

= µ(1) + µ(p1 ) + µ(p2 ) + · · · + µ(pr )+


+ µ(p1 p2 ) + µ(p1 p3 ) + · · · + µ(pr−1 pr )+
+ µ(p1 p2 p3 ) + · · · + µ(p1 p2 · · · pr )
     
1 r 2 r 3 r
= 1 + r · (−1) + (−1) + (−1) + · · · + (−1)r
2 3 r
r
= (1 + (−1)) = 0


Definition. The convolution of two arithmetic functions f and g is
defined by
X  X
(f ∗ g)(n) = f (d) · g nd = f (d) · g(e).
d|n de=n

We define two auxiliary arithmetic functions I and ε. They are defined


by I(n) = 1 for all n and
(
1 if n = 1;
ε(n) =
0 if n > 1.

Lemma 2.7. For all arithmetic functions f , g, h:

P
i). (f ∗ I)(n) = d|n f (d)

21
Algebra and Number Theory G12ALN cw ’17

ii). f ∗ g = g ∗ f
iii). f ∗ (g ∗ h) = (f ∗ g) ∗ h
iv). I ∗ µ = µ ∗ I = ε
v). f ∗ ε = ε ∗ f = f

Proof. The first property is by definition,


P the second follows from the
symmetry of the formula (f ∗g)(n) = ed=n f (e)g(d). The third property
is shown as follows:
  X
f ∗ (g ∗ h) (n) = f (c) · (g ∗ h)(e)
ec=n
X X
= f (c) · g(a)h(b)
ec=n ab=e
X
= f (c) · g(a) · h(b)
abc=n

which is symmetric again, therefore it equals (f ∗ g) ∗ h (n) for all n.
Property iv) is easy for n = 1 and is exactly what the previous lemma
says for n > 1. The last property is easy again.

Theorem 2.8 (Möbius


P inversion Theorem).
P If f is ann arithmetic
 func-
tion and F (n) = d|n f (d) then f (n) = d|n µ(d) · F d .

Proof. F = f ∗ I implies µ ∗ F = µ ∗ (f ∗ I) = f ∗ (µ ∗ I) = f ∗ ε = f .

P
Example. By definition, we have σ(n) = d|n d. So the Möbius inver-
sion theorem for f (n) = n and F (n) = σ(n) yields the formula
X n
n= µ(d)σ .
d
d|n

For instance

12 = µ(12)σ(1) + µ(6)σ(2) + µ(4)σ(3)+


+ µ(3)σ(4) + µ(2)σ(6) + µ(1)σ(12)
= 0 · 1 + (+1) · 3 + 0 · 4 + (−1) · 7 + (−1) · 12 + (+1) · 28.

22
Algebra and Number Theory G12ALN cw ’17

Theorem 2.9. Let f be an arithmetic function such that f (1) = 1. Then


there exists a unique arithmetic function g such that f ∗ g = ε. The
arithmetic function g is called the Dirichlet inverse of f .

Proof. We are looking for a function g such that ε(n) = (f ∗ g)(n) for all
n. For n = 1, this imposes that 1 = ε(1) = (f ∗ g)(1) = f (1) · g(1) = g(1).
If n = p is a prime, we find 0 = ε(p) = f (1) · g(p) + f (p) · g(1). This
forces us to set g(p) = −f (p). Similarly, one can show that we must have
g(p2 ) = −f (p)2 − f (p2 ) by taking n = p2 . Now, we see that in general
for an integer n > 1, the equations (f ∗ g)(n) = ε(n) = 0 imposes us to
set X n
g(n) = − g(d) · f .
d
n6=d|n

if we already know the value of g for all divisors d of n. Hence, we


construct inductively a unique function that satisfies f ∗ g = ε.

Corollary 2.10. The set G of all arithmetic functions f with f (1) = 1


forms an abelian group under the convolution ∗ with ε being the identity
element.

Proof. This is the summary of the previous theorem with parts ii), iii),
v) of Lemma 2.7.

Example. The Dirichlet inverse of I is µ by part iv) of Lemma 2.7.


What is Dirichlet inverse of τ ? We are looking for a function g such that
τ ∗ g = ε. We can write τ = I ∗ I and solve the equation on g:

I ∗I ∗g =ε now ∗ by µ on the left


µ∗I ∗I ∗g =µ∗ε
ε∗I ∗g =µ
I ∗g =µ and do it once more
µ∗I ∗g =µ∗µ
ε∗g =µ∗µ
g = µ ∗ µ.

23
Algebra and Number Theory G12ALN cw ’17

3 Basic theorems on primes

In this section, we will prove a few basic theorems on prime numbers.


This will be applied to find primality testing and factorisation methods.

3.1 Fermat, Euler and Wilson

Some classic theorems in number theory. Proven by Pierre de Fermat


(1601–1665), Leonhard Euler (1707 – 1783) and by Joseph-Louis Lag-
range (1736–1813).

Lagrange gave the first proof to the following theorem, already stated
without proof before by Ibn al-Haytham (c. 1000 AD), Edward Waring,
and John Wilson.
Theorem 3.1 (Wilson’s Theorem). If p is a prime, then (p − 1)! ≡ −1
(mod p).

Proof. We may suppose that p is odd as the theorem is true for p = 2.


Each element of the group (Z/pZ)∗ is represented exactly once in the
product (p − 1)! = 1 · 2 · · · (p − 1). For each 1 6 a < p there is a unique
1 6 b < p such that a b ≡ 1 (mod p).

If a = b, then a2 ≡ 1 (mod p). This then implies that p divides


a2 − 1 = (a − 1)(a + 1), from which we deduce that p divides a − 1 or
a + 1 as p is prime. Hence only a = 1 and a = p − 1 are equal to their
own inverses.

Therefore, every factor in the product [2] · · · [p − 3] · [p − 2] cancels out


with exactly another factor in the same product, without any overlaps.
Hence

(p − 1)! ≡ 2 · 3 · · · (p − 2) · (p − 1) ≡ 1 · (p − 1) ≡ −1 (mod p).

24
Algebra and Number Theory G12ALN cw ’17

Example. For p = 11, we get 10! = 3628800, which is congruent to 10


modulo 11. Recall that the remainder of an integer modulo 11 can be
computed as the alternating sum of its decimal digits. Here 0 − 0 + 8 −
8 + 2 − 6 + 3 = −1. 

Corollary 3.2. Let p be an odd prime number. Then


 p − 1  2
! ≡ (−1)(p+1)/2 (mod p).
2

Proof. Starting from Wilson’s Theorem, we have


−1 ≡ 1 · 2 · 3 · · · (p − 1) (mod p)
≡ 1 · 2 · 3 · · · p−1 p−1
 
2
· (−1) · (−2) · (−3) · · · − 2
(mod p).
Now on the right hand side, we see two factors of ( p−1
2
)! and (p − 1)/2
factors of (−1).


Example. It follows from this corollary that (p − 1)/2 ! is ±1 modulo
p if p ≡ 3 (mod 4), but it does not say which. Otherwise it is an element
i such that i2 ≡ −1 (mod 4). Here are the first few values

 p 3 5 7 11 13 17 19 23 29 31 37
(p − 1)/2 ! mod p 1 2 −1 −1 5 13 −1 1 12 1 31

Theorem 3.3 (Fermat’s little Theorem). If p is a prime and a is a


positive integer with p - a, then
ap−1 ≡ 1 (mod p). (3)

Proof. Since p - a, the congruence class [a] belongs to the group (Z/pZ)∗ .
Hence the list [a], [2] · [a], . . . , [p − 1] · [a] also contains each non-zero
congruence class exactly once. Therefore
a · 2 a · 3 a · · · (p − 1) a ≡ 1 · 2 · 3 · · · (p − 1) (mod p)
ap−1 · (p − 1)! ≡ (p − 1)! (mod p)
Since (p − 1)! 6≡ 0 (mod p), we can simplify the above to equation (3).

25
Algebra and Number Theory G12ALN cw ’17

Alternatively, we may use group theory to prove it. Corollary 1.3.6


in G12ALN showed that the order of a group element divides the group
order. Here G = (Z/pZ)∗ is of order p − 1. If r is the order of [a], then
p − 1 = rk for some integer k. Now by definition [a]r = [1]. Therefore
k
[a]p−1 = [a]r = [1]k = [1] gives the above theorem again.

Corollary 3.4. If p is prime, then ap ≡ a (mod p), for every a ∈ Z.

Proof. If p - a, then we obtain this by multiplying (3) by a on both sides.


If p | a, then ap ≡ 0 ≡ a mod p.

Theorem 3.5 (Euler’s Theorem). Let n be a positive integer, and a ∈ Z


with (a, n) = 1. Then aϕ(n) ≡ 1 (mod n).

This is a generalisation of Fermat’s little Theorem 3.3 since ϕ(p) = p−1


if p is prime. The proof is a generalisation, too.

Proof. Since (a, n) = 1, the congruence class [a] belongs to the group of
units (Z/nZ)∗ . Multiplying each element of (Z/nZ)∗ by [a] just permutes
the group elements. We obtain
Y Y
[a] · x = x
x∈(Z/nZ)∗ x∈(Z/nZ)∗
Y Y
[a]ϕ(n) · x= x
x∈(Z/nZ)∗ x∈(Z/nZ)∗

Simplifying on both sides by the product yields the desired congruence.

Alternatively it is again a simple consequence of Corollary 1.3.6.

As explained above Fermat’s little Theorem follows from knowing the



group order of Z/pZ . Instead, we know actually much more:
∗
Theorem 3.6. Let p be a prime. Then Z/pZ is a cyclic group of
order p − 1.

Proof. Theorem 2.5.3 in G12ALN.

26
Algebra and Number Theory G12ALN cw ’17

Example. For instance if p = 19, then [13] is a generator of the cyclic


group (Z/19Z)∗ of order 18. We have

k 0 1 2 3 4 5 6 7 8 9 10
[13]k [1] [13] [17] [12] [4] [14] [11] [10] [16] [18] [6]
k 11 12 13 14 15 16 17 18 19 20 21
[13]k [2] [7] [15] [5] [8] [9] [3] [1] [13] [17] [12]

The sequence starts to be period at k = p − 1. Before that it seems to go


randomly through the residue classes. This fact is used in cyptography
(El Gamal cipher) for very large primes p. See G13CCR. 
 
∗
Definition. Let m be an integer such that Z/mZ is a cyclic group.
An integer g such that [g] generates this cyclic group is called a prim-

itive element modulo m. 

Primitive elements exists modulo primes by the above theorem and


modulo powers of odd primes (see G13FNT), but not for arbitrary mod-
ulus m. If there are, we can find one by trying the first few small integers
using the following criterion.
Proposition 3.7. Let p be a prime and a an integer which is not divisible
p−1
by p. If a ` 6≡ 1 (mod p) for all prime divisors ` of p − 1, then a is a
primitive element.

∗
Proof. We know that Z/pZ is a cyclic group by Theorem 3.6. Let d
be the order of the element [a] in this group. By Lagrange’s theorem
(Corollary 1.3.6 in G12ALN), we know that d divides p − 1. We want to
show that d = p − 1.

Write p − 1 = d · e. We have ad ≡ 1 (mod p). Suppose e > 1 and let


` be a prime factor of e. Then d divides p−1
`
, say dk = p−1
`
. Therefore
p−1
dk
a ` = a ≡ 1 (mod p), which contradicts the hypothesis. Therefore
e = 1 and d = p − 1.

Example. We use this to check that 13 is a primitive element modulo


p = 19: The prime factors of p − 1 = 18 are 2 and 3. So we have
p−1 p−1
to compute a 2 = [13]9 and a 3 = [13]6 . Since [13]9 = [−1] and
[13]6 = [11], we see that 13 is indeed a primitive element. 

Here is a list of the smallest positive primitive element g for the first
few primes.

27
Algebra and Number Theory G12ALN cw ’17

p 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47
g 1 2 2 3 2 2 3 2 5 2 3 2 6 3 5
Aside: Artin’s conjecture. Is it true that 2 appears infinitely often in the
above list? This is still an unsolved problem. Heath-Brown showed in 1986
that we have infinitely often a number below 8 in this list. 

3.2 Primality tests

In view of its application to cryptography (see G13CCR next year), one


would like to the solve the following two problems effectively (say with a
fast computer and huge, huge entries): Given an integer n > 1, can we
decide if n is prime or composite? Given an integer n > 1, can we find
its prime factorisation?

Theorem 3.8 (Trial√ division). If n ∈ Z is composite, then n has a prime


factor not exceeding n.

Proof. Since n is composite,√ there are a, b ∈ Z such that 1 < a 6 b < n


and n = a b. We have a 6 n because a2 6 a√b = n. Now a has a prime
divisor p, which divides n, too, and p 6 a 6 n.

If we have a list of all the primes p below 106 , then by this theorem
we have an efficient way to solve both questions for n < 1012 . Just try
to divide n by all primes in the list. If none divides n, then n is prime.
Otherwise, we can divide n by p and try to divide np and so forth until
we get the full factorisation of n. To store all 37607912018 primes below
1012 would take more then 168 GB. Trial division is not efficient for n
with hundreds or thousands of digits.

The following is a converse to Wilson’s Theorem 3.1.

Proposition 3.9. If n is a positive integer such that (n − 1)! ≡ −1


(mod n), then n is prime.

Proof. Suppose n = ab with natural number a and b. If a and b are both


smaller than n, then a and b appear in (n − 1)! and so n = ab divides
(n − 1)!. But then 0 ≡ (n − 1)! ≡ −1 (mod n). So a or b must be equal
to n the other 1.

28
Algebra and Number Theory G12ALN cw ’17

This proposition would give another method of decide if n is prime.


However, it is useless as it would take long to compute (n − 1)! modulo
n. It is a bit of a surprise that the following is a rather efficient test to
prove that an integer n is composite.

Proposition 3.10. Let n > 1. Suppose b is coprime to n and that


bn−1 6≡ 1 (mod n), then n is composite.

Proof. This is the contra-positive of Fermat’s little Theorem 3.3.

Example. For instance, we can prove that 15 is composite: Take b = 2,


then 214 = 16384 ≡ 4 (mod 15). This tells us that 15 is composite
without revealing any factors. 

How do we compute ak modulo n? The naive way is to evaluate ak and


then to take the remainder modulo n. But that takes at least k steps
and involves huge integers. It is better to reduce modulo n after each
multiplication; however that still involves k steps. For k = n − 1 this is
worse than trial division. So here is the idea to compute this, it is called
fast modular exponentiation:

Write k in binary expansion

k = kr · 2r + kr−1 · 2r−1 + · · · + k1 · 2 + k0 .

By definition kr = 1. Start with b = a. Now, if kr−1 is 1, then we replace


b by a · b2 modulo n, otherwise by b2 modulo n. Then with the same rule
for kr−2 and so on. In the end b will have the value ak modulo n. The
idea is simply the following equation

2  2 2
  !
2
ak = ak0 · ak1 · ak2 · · · akr−1 · (akr )2 · · ·

.

So all we need to do is squaring r times and maybe multiplying a few


times by a, always modulo n. We can represent this in a simple table

i r r − 1 ... 1 0
ki 1 kr−1 . . . k1 k0 ← fill in the binary digits of k
b a ... ... ← fill up from the left, each step
either a · b2 or b2 modulo n

√ 2 · log2 (n) operations. When


Since r 6 log2 (n) this method uses at most
n is large this is much better than n or n.

29
Algebra and Number Theory G12ALN cw ’17

Example. For instance suppose we want to compute 3220 modulo n =


221. As 220 = 27 + 26 + 24 + 23 + 22 = 110111002 , we get

i 7 6 5 4
ki 1 1 0 1
2 2
b 3 3 · 3 ≡ 27 27 ≡ 66 3 · 662 ≡ 29

i 3 2 1 0
ki 1 1 0 0
b 3 · 292 ≡ 92 2 2
3 · 92 ≡ 198 198 ≡ 87 2
87 ≡ 55

So 3220 ≡ 55 (mod 221). It proves that 221 is composite. This is much


better than passing through the computation of 3220 , which has 105
decimal digits. 
Example. For example consider the integer

n =2405103478365565317102362319979107852729856194163135049 . . .
. . . 853668763716791595912281396928100231152023891852493779

Trial division will never (well, at least not in within the age of the uni-
verse) succeed in deciding if n is prime or composite. On the other hand,
my computer in the office takes about 50 µs to evaluate

2n−1 ≡158256580117107554768470787587371196902955183533611778 . . .
. . . 998301777136825967440252388516455258006828210287748445

modulo n. Hence n is not prime. Yet, we have not idea what the prime
factors are. 
Aside: Fast modular exponentiation Here is the code for an alternative version
of fast modular exponentiation. Rather then reading teh binary digits from
left-to-right, this reads them from right-to-left. In fact, it computes these
digits as we go along.

def modexp(a,k,n):
r = 1
b = a
while k > 0:
if k is odd:
r = r*b mod n
b = b^2 mod n
k = k//2
return r

30
Algebra and Number Theory G12ALN cw ’17

Note that the converse to Proposition 3.10 is not valid. For instance
1114 ≡ 1 (mod 15) does not imply that 15 is prime. With respect to the
base b = 11, the composite number n = 15 behaves like a prime.

n−1
Definition. Let n > 1. If b ≡ 1 (mod n) yet n is composite, then
n is called a pseudoprime to base b. A composite number n that is
pseudoprime to all bases b > 1 with (b, n) = 1 is called a Carmichael
number.

Theorem 3.11. Suppose n > 1 is a square-free composite number such


that (p − 1) | (n − 1) for all primes p dividing n. Then n is a Carmichael
number.

Proof. Let b > 1 be an integer coprime to n. Let p | n. Then b is coprime


to p. By assumption there is an integer t such that n − 1 = t · (p − 1). By
Fermat’s Little Theorem 3.3, bn−1 = (bt )p−1 ≡ 1 (mod p). Therefore p
divides bn−1 −1 for all prime divisors of n. By the third part of Lemma 2.5
the assumption that n is square-free implies that n divides bn−1 −1.

Example. Let n = 561. The prime factorisation of n is 3 · 11 · 17. Now


3 − 1 divides 561 − 1, also 11 − 1 divides it and 17 − 1 does. Hence 561 is
a Carmichael number. The theorem shows that b560 ≡ 1 (mod 561) for
all b with (b, 561) = 1. 
Aside: 561 is the smallest Carmichael number. The following are 1105, 1729,
2465, 2821, 6601. . . (for a longer list see http://oeis.org/A002997). Even
worse, it is known that there are infinitely many of them (Red Alford, Andrew
Granville and Carl Pomerance in 1994). Therefore one needs stronger methods
to prove that a suspected huge number is indeed prime. Some examples are
Pocklington’s test, elliptic curve primality test, Agrawal-Kayal-Saxena prim-
ality test. At worst it takes something like log(n)6 steps to check if n is prime.

In contrast, factorisation is much harder. The following is a simple method,


which is quite a bit faster than the above trial division. However, one does
not expect that it could be done in time polynomial in log(n); except on a
quantum computer. 

3.3 Pollard p − 1 factorisation

Let n be an integer. Think of an integer with 20 to 50 decimal digits.


We want to find the prime factorisation of n. Note that it is enough to

31
Algebra and Number Theory G12ALN cw ’17

find one divisor 1 < d < n of n for we could then apply our method
recursively for the smaller numbers d and nd .

We will certainly start by using trial division to see if n is divisible


by 2, 3, 5, 7, etc. On a computer, we could test to divide by all prime
numbers up to 106 in no time. So we may assume that n has no small
prime factor, in particular it is certainly an odd number. Also, we would
check with a fast test to see if n is composite or prime. Therefore, we
will also assume that n is composite.

First assume, a gentle fairy comes to help us. She gives us a number
K and tells us that there is a prime factor p of n such that p − 1 divides
K. However she does not tell us what p is.

Now, we pick a random 1 < a < n. If (a, n) is not 1, then we have a


factor, so we may assume that (a, n) = 1. Now compute aK − 1. Because
the fairly told us that there is an integer t such that (p − 1)t = K, we
find
aK ≡ at(p−1) = (at )p−1 ≡ 1 (mod p)
which shows that p divides aK − 1. Hence p divides (aK − 1, n). One of
two things can happen: Either this gcd is a proper divisor of n and we
are done, or (aK − 1, n) = n. In the latter case, we just pick another a
and hope we are not unlucky again.
Example. Say n = 121933417163. The fairy tells us that

K = 3217644767340672907899084554130

has the good property. Indeed taking a = 2, we find that (aK − 1, n) =


987659. This happens to be the bigger of the two prime factors of n. 

The example should alert us. It looks like computing aK is going to


be very tedious with such large values of K. However, we only need to
compute aK modulo n, since we will take the gcd with n afterwards. This
can be done very fast even for huge K and n.

Now, the real problem about this world is that fairies hardly ever help
us. So how would we get a good candidate for K? Let B be an integer,
say 100 or 1000. Then one first choice of K would be to take the product
of all prime numbers ` smaller than B. In fact that is K in the example
above with B = 80. Now this K will work if one prime factor p of n
is such that p − 1 factors into a product of distinct primes ` all smaller
than B. In the example above p − 1 = 987658 = 2 · 7 · 19 · 47 · 79 had this
property.

A slightly better version takes smaller primes ` to some powers. For


instance it is rather likely that p − 1 is divisible by 4. A typical K is the

32
Algebra and Number Theory G12ALN cw ’17

product K = `n` such that `n` is the largest power of ` which is just
Q
smaller than B. If p − 1 divides this K, it is called B-power-smooth.

As a summary here the method explained again. We want to factor n.

• Pick a bound B (best not with more than 6 decimal digits).


• Compute K as a product over all primes ` < B of the largest prime
power `n` < B.
• Pick an integer 1 < a < n. If (a, n) > 1, then we found a factor of
n and stop.
• Compute d = (aK − 1, n) using fast modular exponentiation.
– If 1 < d < n, then we found a factor of n.
– If d = 1, then the choice of B was too small. Increase it.
– If d = n, we try some other values of a or decrease B.
Example. As a toy example, we wish to factor n = 6887. We pick
B = 5. Then K = 22 · 3 · 5 = 60. Then 260 − 1 ≡ 1961 modulo n. But
(1961, n) = 1.

Now, we increase B to 7. We get K = 22 · 3 · 5 · 7 = 420. Then


2420 − 1 ≡ 1917 (mod n). Now (1917, n) = 71 and we have found a
factor of n. 
Aside: H ow likely is it that p − 1 is B-power-smooth for some given B? In
Figure 3 we see a plot of the percentage for some values of B.

Figure 3: The proportion of primes up to 100000 that are such that p − 1


is B-power-smooth for B = 10, 100, 1000 and 10000.

33
Algebra and Number Theory G12ALN cw ’17

4 Quadratic Reciprocity

We will answer in this chapter how to solve equations like x2 ≡ a (mod p)


for a prime p. In fact, that is an exaggeration: We will only learn how
to detect whether or not this equation has a solution.

Note that the question is without interest when p = 2. We will therefore


assume throughout this chapter that p is an odd prime.

For p = 3, we see that x2 ≡ 2 has no solution, since 02 ≡ 0 and


1 ≡ (−1)2 ≡ 1. For p = 5, we can compute all squares:
2

x 0 1 2 3 4
x2 0 1 4 4 1

So only when a ≡ 0, 1, 4 (mod 5), we have a solution to x2 ≡ a (mod p).


Similarly for p = 7, we have

x 0 1 2 3 4 5 6
2
x 0 1 4 2 2 4 1

so only a ≡ 0, 1, 2, 4 admit a “square root”, but not a ≡ 3, 5, 6.

4.1 The Legendre symbol



Definition. A quadratic residue modulo p is an integer a (mod p) such
that p - a and x2 ≡ a (mod p) has solutions; a quadratic non-residue1
modulo p is an integer a such that p - a and x2 ≡ a (mod p) has no
solutions.

Lemma 4.1. Let p be an odd prime. Let g be a primitive element modulo


p. Then a ≡ g k (mod p) is a quadratic residue if and only if k is even,
otherwise it is a quadratic non-residue. There are exactly p−1
2
quadratic
residues modulo p and just as many quadratic non-residues.

Proof. If k = 2n is even, then x = g n is a solution to x2 ≡ g k (mod p)


and hence g k is a quadratic residue. Conversely, if b = g n is a solution to
x2 ≡ g k (mod p) then 2n ≡ k (mod p − 1). Since p − 1 is even, k must
be even, too.

34
Algebra and Number Theory G12ALN cw ’17

Now, g 0 , g 2 , g 4 , . . . , g p−3 are all quadratic residues modulo p and g 1 , g 3 ,


g 5 ,. . . , g p−2 are all quadratic non-residues modulo p. There are p−1 2
of
each.

This would be false if p were not assumed to be prime. The only


invertible residue classes that are square modulo 15 are 1 and 4.
 
Definition. The Legendre symbol ( ap ) is defined for a ∈ Z and p an
odd prime by

a  0 if p | a;
= +1 if p - a and x2 ≡ a (mod p) has solutions;
p 
−1 if p - a and x2 ≡ a (mod p) has no solutions.

So ( ap ) = +1 when a is a quadratic residue and ( ap ) = −1 when a is a


quadratic non-residue modulo p.
 

Please write the () around ap to distinguish it from the fraction. A short


way to define the Legendre symbol is to say that the number of solutions
to x2 ≡ a (mod p) is 1 + ( ap ).

Proposition 4.2. i). ( ap ) = ( pb ) when a ≡ b (mod p);

ii). Euler’s Criterion: ( ap ) ≡ a(p−1)/2 (mod p);


(
+1 if p ≡ 1 (mod 4);
iii). ( −1
p
) = (−1)(p−1)/2 =
−1 if p ≡ 3 (mod 4);

iv). ( ab
p
) = ( ap )( pb ).

Proof. i). Clear as the definition only depended on a modulo p.

ii). If p | a, then both sides are zero modulo p.


Otherwise a ≡ g k for some k, where g is a fixed primitive element
modulo p. Now ( ap ) = (−1)k by Lemma 4.1. Let h = g (p−1)/2 . Since
h2 = g p−1 ≡ 1 by Fermat’s little Theorem 3.3, but h 6≡ 1 (mod p),
we have h ≡ −1 (mod p). Now a(p−1)/2 ≡ hk ≡ (−1)k modulo p.

iii). Take a = −1 in the previous part. We find that ( −1


p
) ≡ (−1)(p−1)/2
(mod p). However both sides of this congruence are either +1 or
−1. Since p is odd, the two sides must be equal.

35
Algebra and Number Theory G12ALN cw ’17

iv). Part ii) shows that


 ab   a  b 
(p−1)/2 (p−1)/2 (p−1)/2
≡ (ab) =a ·b ≡ .
p p p
As both sides are among −1, 0, 1, this congruences is an equality.

Corollary 4.3. Let p be an odd prime. The map ( p· ) : (Z/pZ)∗ → {±1}


is a group homomorphism.

Example. In principle, Euler’s criterion give a way to compute ( ap ). But


it is hardly faster than checking all residue classes x for a solution to
x2 ≡ a (mod p). For p = 11, we get

a 1 2 3 4 5 6 7 8 9 10
a5 1 32 243 1024 3125 7776 16807 32768 59049 100000
5
a mod 11 1 −1 1 1 1 −1 −1 −1 1 −1
a
( 11 ) 1 −1 1 1 1 −1 −1 −1 1 −1

Aside: Primality testing using Euler’s criterion. Note that Euler’s criterion
is false when p is not a prime. For instance is 27 6≡ ±1 modulo 15 so 15 can
not be a prime. More convincingly, 31996001 ≡ 2664001 6≡ ±1 (mod 3992003).
So 3992003 is not prime.

A composite integer n > 1 is called an Euler pseudoprime to the base b if


b(n−1)/2 ≡ ±1. There are much fewer integers that are Euler pseudoprime to
all bases b > 1 with (b, n) = 1. So this forms a much better test to prove that
an integer n is composite.

After extending the Legendre symbol to the Jacobi symbol ( na ) for any odd
integer n, one can even test for b(n−1)/2 ≡ ( nb ) (mod n). 

An important consequence of the last item in Proposition 4.2 is the


following. If we want to know how to evaluate ( ap ) for all a, it is enough
to evaluate ( −1
p
), ( p2 ) and ( pq ) for odd primes q, as we can first factor a.
For instance
 −2143018   −1   2   101   1032   −1   2   101 
= · · · = · · .
p p p p p p p p
We will now proceed to give a formula for exactly the other two Legendre
symbols ( p2 ) and ( pq ). But first we not an interesting consequence of the
above proposition.

36
Algebra and Number Theory G12ALN cw ’17

Theorem 4.4. There are infinitely many primes of the form 4n + 1.

Proof. Suppose {p1 , . . . pr } is the complete list of primes of the form


4n + 1. Let p be a prime divisor of n = (2p1 · · · pr )2 + 1. Then −1 is a
quadratic residue modulo p, so p ≡ 1 (mod 4). But p can not be equal
to pi . Contradiction.

Aside: As mentioned earlier, G13FNT will generalise this vastly and also
explain in what sense roughly half of the primes are congruent to 1 modulo 4.


4.2 The Computation of ( p2 )

We wish to find a closed formula for ( p2 ) only depending on the odd prime
p. Here is what the first few values look like

p 3 5 7 11 13 17 19 23 27 31 37
( p2 ) −1 −1 1 −1 −1 1 −1 1 −1 1 −1
 
Definition. Let a be an integer. The integer s such that s ≡ a
(mod p) and |s| < p2 is called the least residue of a modulo p.
 

(
 
2 (p2 −1)/8 +1 if p ≡ ±1 (mod 8);
Proposition 4.5. p
= (−1) =
−1 if p ≡ ±3 (mod 8).

Proof. Let us start by proving the second equality: Write p = 8k + i for


some i ∈ {1, 3, 5, 7}. Now p2 − 1 = (8k + i)2 − 1 = 64k 2 + 16k i + i2 − 1 ≡
i2 − 1 (mod 16) is divisible by 16 if i = 1 or 7, but only divisible by 8 is
i = 3 or 5.

Now to the first equality. Consider the least residues of all even integers
2, 4, . . . , p − 1.

p − 1 ≡ −1 ≡ (−1)1 · 1
2 ≡ 2 ≡ (−1)2 · 2
p − 3 ≡ −3 ≡ (−1)3 · 3
.. .. ..
. . .

37
Algebra and Number Theory G12ALN cw ’17

p−1
There are 2
elements in the list. Their product gives
p−1
p − 1 1 p−1 p+1
p − 1
· 2 · 2
2 2 · ! ≡ (−1) 2 · ! (mod p) ,
2 2
2
since 1 + 2 + 3 + · · · + p−1
2
= 12 ( p−1
2
)( p−1
2
+ 1) = p 8−1 . Simplifying by the
factorial on both sides and using Euler’s criterion proves the proposition.

4.3 The Law of Quadratic Reciprocity

Theorem 4.6 (Law of Quadratic Reciprocity). Let p and q be distinct


odd primes. Then
(
+1 if p ≡ 1 (mod 4);
i). ( −1p
) = (−1)(p−1)/2 =
−1 if p ≡ 3 (mod 4).
(
2 +1 if p ≡ ±1 (mod 8);
ii). ( p2 ) = (−1)(p −1)/8 =
−1 if p ≡ ±3 (mod 8).
(
p−1 q−1 +1 if p ≡ 1 (mod 4) or q ≡ 1 (mod 4);
iii). ( pq )( pq ) = (−1) 2 2 =
−1 if p ≡ 3 (mod 4) and q ≡ 3 (mod 4).

We have seen part i) and part ii) already. We will prove the most
difficult part iii) later.

Computation of Legendre symbols

Here an example of how to compute Legendre symbols very fast.


 44   4   11   11   47 
= · = =−
47 47 47 47 11
3  11   2 
=− = (−1) · (−1) · = = −1
11 3 3
or faster
 44   −3   −1   3   47   2 
= = · = (−1) · (−1) · = = −1
47 47 47 47 3 3
Aside: Is the computation as slow as factorisation? It is very quick to com-
1000003
pute ( 3000017 ) this way, knowing that both entries are primes here. Otherwise
we would have to factor and that may be very time consuming for large in-
tegers. Luckily there is a generalisation of Legendre symbols called Kronecker

38
Algebra and Number Theory G12ALN cw ’17

symbols (or Jacobi symbols) which satisfy a quadratic reciprocity even for
composite numbers.

So a computer can decide in milliseconds if a given integer a is a quadratic


residue modulo a huge prime p. 

4.4 Primes for which a is a quadratic residue

The quadratic reciprocity law has an amazing consequence. We now fix


a and vary p.

Proposition 4.7. Fix an integer a > 1. The set of all primes p for which
( ap ) = +1 consists of all primes in certain congruence classes modulo 4|a|.

For instance if a = q is a prime which is congruent to +1 modulo 4.


Then ( pq ) = ( pq ) by iii). The later only depends on the residue class of p
modulo q = a.

Example. As an example, we can take a = 5. Then 5 is a quadratic


residue modulo p if and only if ( p5 ) = +1. That is the case exactly when
p ≡ 1 or 4 modulo 5.

p 3 5 7 11 13 17 19
( p5 ) −1 0 −1 1 −1 −1 1
p mod 5 3 0 2 1 3 2 4

If instead a = q is a prime which is congruent to 3 modulo 4. Then


( pq ) = ±( pq ) with the sign +1 if and only if p ≡ +1 (mod 4). So we have
that
(
( pq ) = +1 and p ≡ +1 (mod 4) or
q  
= +1 ⇔
( pq ) = −1 and p ≡ −1 (mod 4) .

p

The first condition in both cases is a condition on p modulo q while


the second is a condition on p modulo 4. So by the Chinese remainder
theorem, we can reformulate one condition modulo 4q.

Example. As an example, we can take a = 3. The above shows that 3


 modulo p if and only if either p ≡ +1 (mod 3)
is a quadratic residue
and p ≡ 1 (mod 4) or p ≡ −1 (mod 3) and p ≡ −1 (mod 4) . That is
equivalent to either p ≡ 1 (mod 12) or p ≡ −1 (mod 12) by the Chinese
remainder theorem.

39
Algebra and Number Theory G12ALN cw ’17

p 3 5 7 11 13 17 19
( p3 )0 −1 −1 1 1 −1 −1
p mod 12 0 5 7 −1 1 5 7

Proof of Proposition 4.7. We may assume that a > 0 is square-free or


−a > 0 is square-free as square factors in a can be neglected. Factor
a = ±q1 q2 · · · qr . Suppose we know what congruence class modulo 4|a|
the prime p belongs to. Then we know what congruence class modulo
4qi it belongs to for all i. Hence we know the value of ( qpi ) by the above
explanation in the two cases. We also know ( −1 p
). If 2 | a, then 8 | 4a;
therefore we also know ( p ). Hence we know ( p ) = ( ±1
2 a
p
) · ( qp1 ) · · · ( qpr ).

Example. We evaluate ( 10 p
) as a further example with a composite a.
We take p ∈/ {2, 5}, since ( 5 ) = 0. Note that ( 10
10
p
) = ( p2 )( p5 ); we evaluate
the two factors separately, using quadratic reciprocity in each case.

First, since 5 ≡ 1 (mod 4) we have


(
5 p +1 if p ≡ ±1 (mod 5),
= =
p 5 −1 if p ≡ ±2 (mod 5).

Next, the value of ( p2 ) depends on p (mod 8):


(
2 +1 if p ≡ ±1 (mod 8),
=
p −1 if p ≡ ±3 (mod 8).

Hence the product ( 10 p


) = ( p2 )( p5 ) depends on p modulo 40. We get
( 10
p
) = +1 if either ( p2 ) = ( p5 ) = +1 or ( p2 ) = ( p5 ) = −1. In other words
( 10
p
) = +1 if either

p ≡ ±1 (mod 8) and p ≡ ±1 (mod 5)


or
p ≡ ±3 (mod 8) and p ≡ ±2 (mod 5).
We use the Chinese Remainder Theorem to replace each pair (p mod
5, p mod 8) by a single class (p mod 40). For example,
 
p ≡ 2 (mod 5)
⇐⇒ p ≡ −13 (mod 40).
p ≡ 3 (mod 8)

40
Algebra and Number Theory G12ALN cw ’17

Combining all the possibilities in this way gives


 
10
= +1 ⇐⇒ p ≡ ±1, ±3, ±9, ±13 (mod 40).
p

The other residue classes modulo 40 (and coprime to 40) give the other
cases:
 
10
= −1 ⇐⇒ p ≡ ±7, ±11, ±17, ±19 (mod 40).
p

Hence finally,
  (
10 +1 if p ≡ ±1, ±3, ±9, ±13 (mod 40),
=
p −1 if p ≡ ±7, ±11, ±17, ±19 (mod 40).


Example. Further examples that you are encouraged to compute in a


similar way are the following three statements:
(
6 +1 if p ≡ ±1, ±5 (mod 24),
=
p −1 if p ≡ ±7, ±11 (mod 24).
(
 −5  +1 if p ≡ 1, 3, 7, 9 (mod 20), and
=
p −1 if p ≡ −1, −3, −7, −9 (mod 20).
(
 −3  +1 if p ≡ 1 (mod 3);
=
p −1 if p ≡ 2 (mod 3).

In the last example with a = −3, one initially finds a condition modulo
4|a| = 12. However it simplifies to a condition modulo 3. The same will
be true for all a = −q with q a prime congruent to 3 modulo 4. 
Aside: More generally. Given a quadratic polynomial, like x2 − a, then to
know if the polynomial has a root modulo p only depends on the congruence
class of p modulo some m. The same is no longer true for cubic polynomials.
For instance, the polynomial x3 − 2 has a solution modulo p if and only if
p≡ 2 (mod 3) or p ≡ 1 (mod 3) and p = a2 + 27b2 for some integers a and
b . The last condition is not a condition modulo m for any m. Examples of
such primes are 31, 43, 109, 127, . . . Behind all this is that a certain “Galois
group” is no longer abelian. 

4.5 The proof of the quadratic reciprocity law

This is one of the many proofs of the quadratic reciprocity law. It is was
discovered by G. Rousseau.

41
Algebra and Number Theory G12ALN cw ’17

Let p and q be two ∗ distinct odd primes. We will consider the abelian

group
 G = Z/pZ × Z/qZ . It contains the normal subgroup N =
([1], [1]), ([−1], [−1]) of order 2. To ease the notation, we will write
(a, b) instead of ([a], [b]). Each coset in G/N consist of a pair of the form
n o
(a, b)N = (a, b), (−a, −b) .

One of the two can be written with 1 6 a 6 (p − 1)/2.


Example. Let’s list the elements of the group G/N for p = 5 and q = 7:
(1, 1)N (1, 2)N (1, 3)N (1, 4)N (1, 5)N (1, 6)N
(2, 1)N (2, 2)N (2, 3)N (2, 4)N (2, 5)N (2, 6)N
The product of the first line is (1, 6!)N = (1, −1)N and for the second line
it is (26 , 6!) = (−1, −1). So the product over all elements is (−1, 1)N =
{(−1, 1), (1, −1)}. 

We will now compute the product of all elements in G/N , similar to


what we did when proving Wilson’s Theorem 3.1. We find
(p−1)/2 q−1
Y Y Y
π= g= (a, b)N
g∈G/N a=1 b=1
(p−1)/2
Y
aq−1 , (q − 1)! N

=
a=1  
= p−1
2
! q−1
, (q − 1)!(p−1)/2
N

Now by Wilson’s Theorem 3.1, (q − 1)! ≡ −1 (mod q). By its Corol-


lary 3.2, we also know that p−1 2
)!2 ≡ −(−1)(p−1)/2 (mod p) and raising
this to the power (q − 1)/2, we get
 (q−1)/2 
π = −(−1)(p−1)/2 , (−1)(p−1)/2 N
 
(q−1)/2 (p−1)/2·(q−1)/2 (p−1)/2
= (−1) · (−1) , (−1) N (4)

Not that it matters for the proof, but one can check that
(
(1, 1)N = N if p ≡ q ≡ 1 (mod 4)
π= 
(1, −1)N = (1, −1), (−1, 1) else.

Now we use the Chinese remainder Theorem. Recall from the proof of
Theorem 2.1, that there is a group isomorphism
∗ ∗ ∗
Ψ : Z/pqZ → Z/pZ × Z/qZ

c + pqZ 7→ c + pZ, c + qZ

42
Algebra and Number Theory G12ALN cw ’17

∗
Write G0 for the group Z/pqZ . Under Ψ, the subgroup N corresponds
to the subgroup N 0 6 G0 given by N 0 = 1 + pqZ, −1 + pqZ . Now
each coset in G0 /N 0 is a pair c + pqZ, −c + pqZ . So if we run over all


1 6 c 6 pq−1
2
which are coprime to p and q, then (c + pqZ)N 0 will run
through all cosets in G0 /N 0 . Applying Ψ to this, we see that
n o
pq−1
G/N = (c, c)N 1 6 c 6 2 and (c, pq) = 1 .

Example. Let us make this explicit for the case p = 5 and q = 7 again.
The group G/N can also be presented as

(1, 1)N (2, 2)N (3, 3)N (4, 4)N (6, 6)N = (1, 6)N (8, 8) = (3, 1)N
(9, 9) = (4, 2)N (11, 11)N = (1, 4)N (12, 12)N = (2, 5)N
(13, 13)N = (3, 6)N (16, 16)N = (1, 2)N (17, 17)N = (2, 3)N

Now in this new presentation, we can also compute the product of all
elements in G/N . Y
π= (c, c)N
16c6 pq−1
2
(c,pq)=1

Let’s look at the first component alone. We group the factors from 1
to p − 1, then from p + 1 to 2p − 1 etc. Note the product runs up to
pq−1
2
= q−1
2
p + p−1
2
. In the end we have to divide by those factors which
are not coprime to q, i.e. by q, 2q, . . .
q−1 pq−1
p−1 2p−1 2
p−1 2
Y 1 Y Y Y Y
c= p−1 · c· c··· c· c
pq−1
1 · q · 2q · · · · 2
q c=1 c=p+1
16c6 2 c=( q−1
2
−1)p+1 c= q−1
2
p+1
(c,pq)=1

Q
Note that all the in the above right hand side, except the very last
one, are just (p − 1)! modulo p. The last product is ( p−1
2
)! instead. So
this simplifies to

(p − 1)!(q−1)/2 · p−1

Y !
c≡ p−1
2 (mod p)
q (p−1)/2 · 2 !
pq−1
16c6 2
(c,pq)=1

(−1)(q−1)/2 q 
≡   ≡ (−1)(q−1)/2 · (mod p),
q p
p

where we used Euler’s criterion in Proposition 4.2 and the fact that ( pq )
is ±1.

43
Algebra and Number Theory G12ALN cw ’17

The computation on the second component is similar and we find


 
(q−1)/2 q (p−1)/2 p
π = (−1) · ( p ), (−1) · (q) N (5)

Now we can compare the equation (4) and (5). It is clear that both are
either N or (1, −1)N . We can detect in which of the two (a, b)N is by
just looking at ab ∈ ±1. Here we get that

(−1)(q−1)/2 ·(−1)(p−1)/2·(q−1)/2 ·(−1)(p−1)/2 = (−1)(q−1)/2 ·( pq )·(−1)(p−1)/2 ·( pq )

This simplifies to ( pq ) · ( pq ) = (−1)(p−1)/2·(q−1)/2 , which is what we wanted


to prove.

44
Algebra and Number Theory G12ALN cw ’17

5 Diophantine equations

An equation (usually polynomial) is called a diophantine equation if we


are interested in its solutions in the set of integers or rational numbers.
Example. The equation 2x + 3y = 1 has an integer solution (x, y) =
(−1, 1). The equation x2 = 2 has no rational solution and by the same
argument x2 = 2y 2 has no integer solution. 

5.1 Linear diophantine equations

Given integers a, b, and c, we consider the equation


ax + by = c (6)
in two unknowns x and y. We will assume a 6= 0 and b 6= 0. The solutions
with x, y in Q or C are easy; here we are looking for x, y ∈ Z.
Theorem 5.1. Set d = (a, b). If d - c, then the equation (6) has no
integer solutions. If d | c, then there are infinitely many integer solutions.
If ξ and η are such that aξ + bη = d, then all solutions are given by
c b c a
x= ξ + · k, and y = η − · k,
d d d d
where k ranges over the set of integers.

Proof. Finding all x ∈ Z such that there is a y ∈ Z satisfying (6) is


equivalent to finding x ∈ Z such that a x ≡ c (mod b). So we can apply
Theorem 1.2. If d - c, then there are no solutions.

Assume now that d | c. The solutions to a x ≡ c (mod b) form a unique


congruence class modulo b0 = b/d. Since x0 = c/d · ξ and y0 = c/d · η
is a solution to (6), the solutions to the congruence equation form the
congruence class x0 + b0 Z. Now if x = x0 + kb0 for some integer k, then
we get
c = a (x0 + k b0 ) + b y
c b
= a ξ + k + by
d d
c b
= (d − bη) + a k + b y.
d d

This implies that


c a
0=b y− η+k
d d
and since b 6= 0, we get the expression for y in the theorem.

45
Algebra and Number Theory G12ALN cw ’17

5.2 Non-linear diophantine equations

Let f (x, y, z, . . . ) be a polynomial with integer coefficients. If we started


with a polynomial with rational coefficients, we could multiply it with
the common denominator to achieve integer coefficients.

The question of finding rational solution reduced to the question of


finding integer solutions: Write the unknown as x = X/d, y = Y /d,
. . . where X, Y , . . . , d are integers. Then multiply f ( Xd , Yd , . . . ) by a
sufficiently high power of d. Now we have a new polynomial equation in
one more variable for which we look for integer solutions.

On the one hand, there are two easy ways to prove that an equation
does not have an integer solution: Inequalities and congruences. The two
lemma below are obvious, yet useful.

Lemma 5.2. Let f (x, y, z, . . . ) be a polynomial with integer coefficients


such that f (x, y, z, . . . ) > 0 for all real x, y, z, . . . . Then f (x, y, z, . . . ) =
0 has no integer solution.

Example. The equation x4 + 17 x2 y 6 + 9 z 2 + 19 = 0 has no solution


because the right hand side is always larger or equal to 19. 

Lemma 5.3. Let f (x, y, z, . . . ) be a polynomial with integer coefficients


such that f (x, y, z, . . . ) ≡ 0 (mod m) has no solution for some m > 1.
Then f (x, y, z, . . . ) = 0 has no integer solution.

Example. The equation x3 − y 3 = 3 does not have a solution modulo 9,


so it can not have an integer solution. Inequalities would not help here
as there are plenty of real solutions to it. 

On the other hand if we suspect an integer solution, it is often very


difficult to find one. For instance x4 + y 4 + z 4 = t4 has plenty of solutions
with non-zero x, y and z. Yet, the smallest solution is

958004 + 2175194 + 4145604 = 4224814 .

(It was a conjecture of Euler that there were none, disproved by Elkies
in 1987.)

If the equation has only finitely many solutions in C, then we can just
compute them to very high precision and check if any integer close-by is
a solution. That is a way to solve equations f (x) = 0 in one variable;
though that is not the best way to do so. If there are infinitely many
solutions in the real numbers, then this method can not be used.

46
Algebra and Number Theory G12ALN cw ’17

Let f (x, y, z, . . . ) = 0 be a polynomial equation with coefficients in Z.


(It could even be a system of such equations.) Suppose it has infinitely
many solutions in the real numbers. Suppose also that for each m > 1,
there is a solution to this equation modulo m. Now both above methods
fail to show that there are no solutions in integers. We would start by
looking for integer solutions, by searching through all small x and y.
Even if we know that there are no solutions with |x| < 106 , we would
have no guarantee that there are no solutions in general. These are the
really difficult diophantine equations.
Aside: Modulo all m? It looks like an infinite amount of work to check that
an equation has a solution modulo m for all m. We saw that the problem
is essentially equivalent to finding solutions modulo p for all primes p using
Hensel’s lemma and the Chinese remainder theorem.

Now if there are infinitely many solutions to the equation over R, then there
is a constant C such that the equation has automatically a (liftable) solution
modulo p for all primes p > C. Given the equation, one can, in principle,
determine C effectively. For instance for an equation like ax3 + by 3 + cz 3 = 0
with pair-wise coprime non-zero integer constants a, b, c, then C can be taken
to be the largest prime divisor of 3abc. The general result is a consequence of
the work of many mathematicians starting with André Weil in the 1940s and
culminating with the work of Pierre Deligne that won him the Fields medal
in 1978. 

There is some good news. Consider an equation f (x, y, z, . . . ) = 0 of


total degree 2, like for instance

3 x2 + 10 xy + 4 y 2 + 12 x − 6 y − 21 = 0.

They are called quadratic forms. Minkowski proved that such a quadratic
form has a rational solution if and only if it has a real solution and a
solution modulo m for all m > 1. The proof involves a method called
the “geometry of numbers”. A good exposition of Minkowski’s theorem
can be found in Serre’s “Course in arithmetic” QA155 SER.

However, there is some bad news. This only holds for quadratic forms.
For instance Selmer found that 3x3 + 4y 3 + 5z 3 = 0 has no non-trivial
solution, yet it has plenty of real solutions and also a non-trivial solution
modulo m for all m > 1. Here is another example of this.

Theorem 5.4 (Lind 1940, Reichardt 1942). There are no rational num-
bers x and y such that 2y 2 = 1 − 17x4 .

It is easy to show that there are real solutions: A picture of the curve
can be seen in Figure 4 at the end of the notes. The corresponding
equation for integers (see (7) below) has a non-trivial solution modulo

47
Algebra and Number Theory G12ALN cw ’17

Figure 4: The real solutions to the equation of Lind and Reichardt in


Theorem 5.4

all integers m > 1. Hence the proof has to use something stronger; in
our case it is going to be the quadratic reciprocity law.

Proof. Suppose (x, y) is a solution. Write x = X/Z as a reduced fraction.


Then
Z 4 − 17X 4
2y 2 =
Z4
shows that the denominator of y must be Z 2 as the right hand side is
again a reduced fraction. So we may write y = Y /Z 2 for some integer Y
which is coprime to Z. We obtain the new equation

2Y 2 = Z 4 − 17 X 4 (7)

to be solved in integers X, Y , Z with (X, Z) = 1 and (Y, Z) = 1.

Note first that 17 can not divide Y : If it did, then Z would also be
divisible by 17, but that is not allowed as (Y, Z) = 1. Now let p be a
p
prime factor of Y . Hence p 6= 17. If p = 2, then ( 17 ) = +1 as 17 ≡ 1
(mod 8). If p 6= 2, then from the equation Z ≡ 17X 4 (mod p), we see
4

that 17 must be a quadratic residue modulo p. Hence ( 17 p


) = +1. By
p
the quadratic reciprocity law (Theorem 4.6), this implies that ( 17 ) = +1
because 17 ≡ 1 (mod 4).

Therefore we have shown that all prime factors of Y are quadratic


residues modulo 17, which shows that Y is a quadratic residue modulo
17. From 2Y 2 ≡ Z 4 (mod 17) we now deduce that 2 should be a 4th
power modulo 17. However only 1, 4, −4 and −1 are fourth powers
modulo 17 which means that we have reached a contradiction.

48

You might also like