Week 1 Slides


NUMBER THEORY AND CRYPTOGRAPHY

MATH3301

The typed lecture notes don’t contain extras such as exercises or sections with the *
symbol from the full lecture notes. However, these notes have all the necessary content
from the lectures with minor modifications.

Lecture 1
Unless otherwise stated, the lowercase letters a, b, c, d, m, n will always represent integers,
either positive or negative. N = {1, 2, 3, 4, 5, . . . } is the set of positive integers, and
Z = {. . . , −3, −2, −1, 0, 1, 2, 3, 4, . . . } is the set of integers. The notation n ∈ N means that
n is a positive integer, and n ∈ Z means that n is an integer.
To begin, let us introduce some useful notations for discussing divisors and multiples.
Definition (Divisibility). We say d divides n and write d|n if there exists an integer a
such that n = ad. In this case, we call d a divisor (or factor) of n, and we call n a multiple
of d. We write d ∤ n to indicate that d does not divide n.
For example, 2|4, 4|12 and 5 ∤ 7. You all have a lot of intuition about divisors and multiples,
probably more than you know. It should be intuitively clear, for example, that if you add
together two multiples of three, you get a multiple of three. Similarly, if you multiply a
multiple of three by any other integer, you will still have a multiple of three. The following
lemma simply formalizes this intuition:
Lemma (Properties of Divisibility).
(a) If d|m and d|n, then d|(m + n),
(b) If d|n, then d|mn for any integer m.
Proof.
(a) By hypothesis, we can write m = a_1 d and n = a_2 d for some integers a_1 and a_2. So
m + n = a_1 d + a_2 d = (a_1 + a_2) d,
hence d|(m + n).
(b) If d|n then there exists an integer a such that n = ad. Thus, mn = m(ad) = (ma)d,
hence d|mn. □

Definition (Prime Number). A positive integer n is prime if n ≠ 1, and the only positive
divisors of n are 1 and n. We say n is composite if n ≠ 1 and n is not prime. Equivalently,
n is composite if n has a divisor d such that 1 < d < n.
A side remark: According to this definition, the number 1 is neither prime nor composite. In particular, the number 1 is
not considered to be prime, even though its only positive divisors are 1 and itself. Why is this a better way of defining
primality than allowing 1 to be prime? It might not be clear yet, and in fact, historically there has been some disagreement
about whether 1 should be considered to be prime. But now it is universally agreed by mathematicians that 1 should not
be considered a prime. We’ll see why soon.

Why do we study prime numbers? Just like atoms are fundamental building blocks of
the physical world, prime numbers are the fundamental building blocks of the integers.
This is made precise in the following result:
Lemma (Prime Decomposition Lemma). Any integer n ≥ 1 can be written as a product
of primes, so n = p_1 · · · p_k where p_1, . . . , p_k are prime numbers and k ≥ 0.
The result says that any integer can be built (or composed) from prime numbers by
multiplication (which is why we call non-primes composite numbers). To prove this, we
can consecutively take out factors of n until we reach primes. For example, 140 = 14×10 =
(7 × 2) × (2 × 5). We do this formally using the least element principle or the induction
principle.
Proof. We will use the least element principle: every non-empty set S of positive integers
has a minimal element.
Let us prove the lemma by contradiction: assume there exists a positive integer n which
can’t be written as a product of primes. Let us define the set
S = {n ∈ N such that n is not a product of primes}.
By our assumption, S has at least one element, i.e. S is not empty. Let then m be the
minimum of S. Then:
• m ≠ 1 because 1 is a product of 0 primes (by convention);
• m is not prime because otherwise m = m would be the factorisation of m into 1
prime.
Hence, m is composite by definition, so m has a divisor d such that 1 < d < m. Let e
be an integer such that m = ed. Then 1 < e < m as well.
Since both e and d are strictly less than m and m is the minimum of S, neither e nor d
is an element of S. So e and d can be factored into primes. Let them have the
following factorisations

d = p1 p2 . . . pk ,
e = q1 q2 . . . qr ,
then
m = ed = p1 p2 . . . pk q1 q2 . . . qr ,
so m is a product of primes, and thus, m is not an element of S, contradiction. □
Remark. We can replace the least element principle with the induction principle. We leave
the proof by induction below.
Alternative proof by induction.
Base case. n = 1 is the product of zero primes. So take k = 0.
Induction hypothesis. Suppose that for any 1 < n′ < n, we can write n′ as a product of
primes.
Induction step. We show that n can also be written as a product of primes. If n is
prime, then we are done already (by taking n = p1 ). Suppose now that n is not prime.
Then n = ab for some 1 < a, b < n. By the induction hypothesis, we can write a = p1 . . . pk
and b = pk+1 . . . pk+l , where the pi are all prime, so n = ab = p1 . . . pk+l , a product of
primes. □
So primes are important. How do we find primes? The Sieve of Eratosthenes is a well-
known ancient algorithm for finding all the primes under a given number. See
http://en.wikipedia.org/wiki/Sieve_of_Eratosthenes for a visual demonstration of
finding all primes under 120.
The technique is to cross off all multiples of a given prime, starting with 2. After
crossing off multiples of 2, the first uncrossed number is 3. So we cross off multiples of 3,
which gives 5 as the next uncrossed-off number. We then cross off multiples of 5, etc. Note
that to find all the primes up to 120, we only need to cross off multiples of 2, 3, 5, and 7
due to the following result:
Lemma. If N ≥ 2 is a positive integer, either N is prime or N has a prime divisor
$p \le \sqrt{N}$.
Proof. If N is prime there is nothing to prove, so suppose N is composite. Then we can
write N = ed with 1 < e, d < N. We can assume that e ≤ d without loss of generality
(otherwise, swap e and d). Then
$e^2 \le ed = N,$
so $e^2 \le N$, which is equivalent to $e \le \sqrt{N}$.
By the prime decomposition lemma, we can write e as a product of primes, $e = p_1 \cdots p_k$,
with k ≥ 1 since e > 1. Then $p_1 \le e \le \sqrt{N}$, so N has a prime factor $p_1 \le \sqrt{N}$. □
Ok, we know that primes are important, and how to find some primes if we need to. If
we look at the sieve method (see link above) we see that the primes are getting scarcer
as we go further along: there are more numbers between consecutive primes as we move along.
So do the primes eventually stop somewhere? Are there finitely many? The answer to
this question was given in Euclid’s Elements, the most important mathematical text of
the ancient world. Euclid’s proof is still the best!
Theorem (Euclid). There are infinitely many primes.
Proof. We again use proof by contradiction. Suppose the contrary, that there are finitely
many primes p1 , . . . , pk . Consider the integer N = 1 + (p1 · · · pk ). Note that none of
the primes pi can divide N since dividing pi into N produces a remainder of 1. Also
observe that N > 1 (since there is at least one prime, for instance 2!). So by the prime
decomposition lemma, N must have a prime divisor, say q. But now q is a prime which is
not on our original list p1 , . . . , pk —a contradiction! □
Since there are infinitely many primes, we cannot ask: How many primes are there?
However, we can ask: how many primes are there up to a fixed integer n? Let π(n) be
the number of primes less than n. Euclid’s theorem says that π(n) increases to ∞ as n
increases, and the sieve of Eratosthenes suggests that π(n) grows slowly. A famous modern
theorem, the Prime Number Theorem, says that
$\pi(n) \sim \frac{n}{\ln(n)}.$
Here, ‘∼’ intuitively means that π(n) “gets closer and closer” to n/ ln(n) as n increases, so
for large n, there are approximately n/ ln(n) primes less than n. However, it is important
to emphasize that “closer and closer” does not mean that the difference between π(n) and
n/ ln(n) approaches 0; it means that the ratio between π(n) and n/ ln(n) approaches 1:
$\lim_{n \to \infty} \frac{\pi(n)}{n/\ln(n)} = 1.$

(You might be surprised that there is a real distinction here, but in fact it is very common.
For instance, the sequences n^2 and n^2 + n have a difference which tends to ∞ but a ratio
that tends to 1.)
The proof of this theorem, however, is beyond the scope of this course.
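As an added illustration (my own code, not part of the original notes), the following Python implements the sieve as described above, crossing off multiples only of the primes p ≤ √N that the lemma allows, and then uses the resulting π(n) to check both claims about the Prime Number Theorem: the ratio π(n)/(n/ln n) moves towards 1 while the difference does not. The function names are my own.

```python
import math

def sieve(limit):
    """Sieve of Eratosthenes: all primes <= limit.
    By the lemma above every composite N has a prime factor p <= sqrt(N), so only
    multiples of primes p <= sqrt(limit) ever need to be crossed off."""
    crossed = [False] * (limit + 1)
    primes = []
    for n in range(2, limit + 1):
        if crossed[n]:
            continue
        primes.append(n)                     # first uncrossed number is prime
        if n <= math.isqrt(limit):
            # multiples below n*n were already crossed off by a smaller prime
            for multiple in range(n * n, limit + 1, n):
                crossed[multiple] = True
    return primes

def sieving_primes(limit):
    """The primes whose multiples actually get crossed off when sieving up to limit."""
    return sieve(math.isqrt(limit))          # limit 120 -> [2, 3, 5, 7]

def prime_pi(n):
    """pi(n) with the notes' convention: the number of primes strictly less than n."""
    return len(sieve(n - 1)) if n > 2 else 0

def pnt_ratio(n):
    """pi(n) divided by n / ln(n); the Prime Number Theorem says this tends to 1."""
    return prime_pi(n) / (n / math.log(n))

def pnt_difference(n):
    """pi(n) minus n / ln(n); this does NOT tend to 0 even though the ratio tends to 1."""
    return prime_pi(n) - n / math.log(n)

if __name__ == "__main__":
    print("sieving primes for 120:", sieving_primes(120))
    print("primes under 120:", prime_pi(120))
    for n in (10**3, 10**4, 10**5, 10**6):
        print(f"n={n:>8}  ratio={pnt_ratio(n):.4f}  difference={pnt_difference(n):.1f}")
```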
Lecture 2
Last time, we proved that every integer can be written as a product of primes. We are
heading towards a much more powerful result:
Theorem (Fundamental Theorem of Arithmetic). Every integer n can be written uniquely
as a product of primes.
The theorem says that if n = p_1 · · · p_k = q_1 · · · q_l are two prime factorisations, then in
fact they are the same list of primes. More precisely, k = l and p_1 = q_1, . . . , p_k = q_k after
some reordering. While this extra condition of uniqueness is intuitively obvious and has
been ingrained in our consciousness from a young age, it is actually a very deep result,
and we cannot prove it directly from the definitions. Here is a simple example which
emphasizes the difference between the Prime Decomposition Lemma (which is easy) and
the Fundamental Theorem of Arithmetic (which is hard).
Example. Imagine a world with only even numbers 0, 2, 4, 6, 8, . . . . Perhaps everything
comes in pairs in this world, so its inhabitants never felt the need to invent or utilize
odd numbers. Just as in our world, one can define primes to be numbers which cannot
be broken down and composite numbers to be those which can. In this world, 2 will be
prime, 4 = 2 × 2 is not prime, but 6 = 2 × 3 is prime because 3 doesn’t exist in this world,
and there’s no other way to factor it.
In this world, the prime decomposition lemma holds (by exactly the same proof), and at
first it appears that unique factorization might hold as well. But in fact, it fails. To see this,
first note that every other even number 2, 6, 10, 14, 18, . . . is prime in this world. Now consider
the number 36. We can factor it using primes in two different ways: 36 = 2 × 18 = 6 × 6.
In our imagined world, the fundamental theorem of arithmetic is not true!
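To see the failure of uniqueness concretely, here is an added Python example (mine, not part of the notes) that enumerates factorisations into primes, either ordinary primes or the even-world primes 2, 6, 10, 14, 18, . . . , and searches for the smallest even-world number with two different factorisations. The function names are my own.

```python
import math

def is_prime(n):
    """Ordinary primality by trial division: no divisor d with 1 < d < n."""
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def is_even_world_prime(n):
    """In the even world a number is prime when it is not a product of two even
    numbers >= 2, i.e. when 4 does not divide it: 2, 6, 10, 14, 18, ..."""
    return n >= 2 and n % 2 == 0 and n % 4 != 0

def factorisations(n, prime, smallest=2):
    """All ways to write n as a non-decreasing product of 'primes' as judged by `prime`.
    Listing factors in non-decreasing order makes each unordered factorisation appear once."""
    results = [(n,)] if prime(n) and n >= smallest else []
    for p in range(smallest, math.isqrt(n) + 1):
        if n % p == 0 and prime(p):
            results += [(p,) + rest for rest in factorisations(n // p, prime, p)]
    return results

def smallest_non_unique(prime, limit=300):
    """First n <= limit with more than one factorisation into `prime`s, or None."""
    for n in range(2, limit + 1):
        if len(factorisations(n, prime)) > 1:
            return n
    return None

if __name__ == "__main__":
    print("36 in our world:      ", factorisations(36, is_prime))
    print("36 in the even world: ", factorisations(36, is_even_world_prime))
    print("first non-unique even-world number:", smallest_non_unique(is_even_world_prime))
    print("first non-unique ordinary number up to 300:", smallest_non_unique(is_prime))
```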
At the moment, it is really not clear how to attack the fundamental theorem of arithmetic.
Thus, we will do what mathematicians always do when they get stuck: move on to an
entirely different problem! We’ll switch gears for a bit and explore Diophantine equations.
At first, this topic seems unrelated to primes but we’ll see later that it actually equips us
with the necessary tools to prove the Fundamental Theorem of Arithmetic.
The overall goal of the theory of Diophantine equations is to figure out when an equation
has integer solutions. To make this concrete, let’s consider the following problem.
Problem (Linear Diophantine Equation in 2 variables). Let a, b, c be fixed integers. When
does the equation
ax + by = c
have a solution with x and y integers?
For example:
2x + 3y = 7 has solutions: (x, y) = (2, 1), (−1, 3), . . .
15x + 9y = 3 has solutions: (x, y) = (−2, 1), (2, −3), . . .
but we claim that
2x + 4y = 7 has no solutions.
To see this, note if x and y are any integers, then 2x + 4y must be even. On the other
hand, 7 is not even. Therefore, we cannot possibly plug in integers for x and y to solve
this equation. Similarly
15x + 9y = 17 has no solutions,
since 3|15 and 3|9 but 3 ∤ 17. We will put this observation in general terms.
Remark. Once we find one solution for the linear Diophantine equation in 2 variables, we
can generate all its solutions quite easily. For details, you can see our example from the
lecture about how to generate all solutions of the equation 3x − 2y = 1 out of one solution
(x = 3, y = 4) and all solutions of the equation 3x − 2y = 0.
Observation: Suppose ax + by = c has an integer solution. If d is any integer such that
d|a and d|b, we must have d|c as well.
Proof. Since there exists a solution, there exist n, m such that an + bm = c. By a
property of divisors, d|a ⇒ d|an. Similarly, d|bm, so by another property of divisors,
d|(an + bm) = c. □
In order to use this observation in the strongest possible way, we are motivated to make
the following definition.
Definition (Greatest Common Divisor). The greatest common divisor of two integers a
and b is defined to be the largest integer d such that d|a and d|b. We write gcd(a, b) for
the greatest common divisor of a and b.
For example, gcd(10, 14) = 2, which can be seen by listing out the divisors of 10 and
14, and identifying the largest number which is on both lists (Divisors of 10: 1, 2, 5, 10;
Divisors of 14: 1, 2, 7, 14). This is of course a very slow way of computing gcd’s in general,
and in the next lecture we shall discuss a faster method.
Now our observation implies that if ax + by = c has a solution, then gcd(a, b)|c. This
gives a necessary condition for solutions. If it doesn’t hold, then we can say no solutions
exist. Thus, faced with the equation
27x + 18y = 3000,
we can quickly prove that no solutions exist. We just compute gcd(27, 18) = 9 and check
9 ∤ 3000. On the other hand, we can’t say much (yet) about the equation
27x + 18y = 3006.
We can’t rule out solutions since 3006 = 9 × 334. The natural question now is to wonder
whether this necessary condition is sufficient. In other words, if gcd(a, b)|c, then does
ax + by = c have solutions? The crux of the matter is to see whether ax + by = gcd(a, b)
has solutions. Why?
Lemma. Suppose there exist n, m such that an + bm = gcd(a, b). Then ax + by = c has
a solution whenever gcd(a, b)|c.
Proof. If gcd(a, b)|c, then c = d × gcd(a, b) for some integer d. Now if n and m are chosen
to satisfy an + bm = gcd(a, b), then we claim that x = dn, y = dm solves ax + by = c.
Indeed, we have
a(dn) + b(dm) = (an + bm)d = gcd(a, b) · d = c. □
By this lemma, and the fact that 27(1) + 18(−1) = 9 = gcd(27, 18), we see that
27x + 18y = 3006 has a solution, namely x = 334, y = −334.
Thus, the key point for obtaining a complete answer to our original question concerning
Diophantine equations is to check whether we can write gcd(a, b) as an integer linear
combination of a and b. We will see an efficient algorithm for doing this next time.
Lecture 3
In this lecture, we’ll introduce the Euclidean algorithm, which solves both the problems
we came up against in the last lecture.
(1) Is there a way to compute gcd(a, b) quickly?
(2) Given a, b can we find n, m such that an + bm = gcd(a, b)?
The starting point for the Euclidean algorithm is simply primary school long division
with remainder.
Lemma (Division algorithm). Given positive integers a, b with b ≥ a, there exist unique
integers q, r with 0 ≤ r < a such that b = qa + r.
To find q and r, we simply perform long division with remainder, e.g. if a = 5, b = 37
then a goes into b 7 times with remainder 2. This precisely says that q = 7, r = 2, i.e.
37 = 7 × 5 + 2.
Let us prove the division lemma formally for all a and b.
Proof. We will use the least element principle again. Let us define the set
S = {b − ma : m ∈ Z and b − ma ≥ 0},
in other words, S contains all non-negative integers of the form b − ma where m is some
integer.
The set S is non-empty because it contains b = b − 0 · a, hence, S has a minimum, let
us denote it r. Since r is an element of S, r ≥ 0 and r can be represented in the form
r = b − qa,
for some integer q.
Assume that r ≥ a. Then
0 ≤ r − a = b − qa − a = b − (q + 1)a,
with q + 1 an integer. It means that b − (q + 1)a is an element of S which is less
than r, a contradiction; hence, r < a. In the end, we get
r = b − qa ⇔ b = qa + r,
where q, r are integers, and 0 ≤ r < a. □
The following proposition shows why the division algorithm is useful for computing
gcd’s. The point is that if we want to compute gcd(a, b), it’s enough to compute gcd(r, a)
which is easier since a < b and r < a.
Proposition. If a, b satisfy b = qa+r then gcd(a, b) = gcd(r, a). In particular, gcd(a, b) =
a when r = 0.
Proof. Let us first prove that d is a common divisor of a and b if and only if d is a common
divisor of a and r, i.e. we will show that the following sets coincide:
{common divisors of a and b} = {common divisors of a and r}.
We prove this statement in two steps:
Step 1: If d is a common divisor of a and b, then d is a common divisor of a
and r.
We note that r = b − qa. Since d|a, then d|qa by the properties of divisibility. Moreover,
d|b, so d|(b − qa) = r. So d divides a and r, i.e. d is a common divisor of a and r.
Step 2: If d is a common divisor of a and r, then d is a common divisor of a
and b.
We will use a similar argument and b = qa + r. Since d|a, then d|qa by the properties
of divisibility. Moreover, d|r, so d|(qa + r) = b. So d divides a and b, i.e. d is a common
divisor of a and b.
Thus, we proved that
{common divisors of a and b} = {common divisors of a and r},
so their maximal elements should also coincide. The maximal element of the set on the
left-hand side is gcd(a, b), and the maximal element of the set on the right-hand side is
gcd(a, r), so
gcd(a, b) = gcd(a, r). □

Let’s use this proposition to compute the gcd of 45 and 12:
(1) Dividing 12 into 45, we get 45 = 3 × 12 + 9. Thus, gcd(45, 12) = gcd(12, 9) by our
Proposition.
(2) Dividing 9 into 12, we get 12 = 1 × 9 + 3. Thus, gcd(12, 9) = gcd(9, 3) by our
Proposition.
(3) Dividing 3 into 9, we get 9 = 3 × 3 + 0, so gcd(9, 3) = 3 by our Proposition (with
r = 0).
(4) Now we are done: gcd(45, 12) = gcd(12, 9) = gcd(9, 3) = 3.
This procedure is called the Euclidean algorithm, and we can write it out formally as
follows:
Euclidean Algorithm: Given a, b compute gcd(a, b).
(1) Set a_1 = |a| and b_1 = |b|.
(2) Write b_1 = q_1 a_1 + r_1 where 0 ≤ r_1 < a_1. Set b_2 := a_1, a_2 := r_1.
(3) Write b_2 = q_2 a_2 + r_2 where 0 ≤ r_2 < a_2. Set b_3 := a_2, a_3 := r_2.
. . . we repeat until r_k = 0, i.e. we stop when we get an equation of the form
(4) Write b_k = q_k a_k + 0.
(5) Return gcd(a, b) = gcd(a_1, b_1) = gcd(a_2, b_2) = . . . = gcd(a_k, b_k) = a_k.
Note: the procedure will reach r_k = 0 after finitely many steps, since the remainders are
getting strictly smaller in each step. For a harder example, let’s find gcd(986, 289):
(1) Set a1 = 289 and b1 = 986.
(2) Write 986 = 3 × 289 + 119. Set b2 = 289, a2 = 119.
(3) Write 289 = 2 × 119 + 51. Set b3 = 119, a3 = 51.
(4) Write 119 = 2 × 51 + 17. Set b4 = 51, a4 = 17.
(5) Write 51 = 3 × 17 + 0.
(6) Return gcd(986, 289) = 17.
We now know how to compute gcd(a, b). Now let us consider our second problem, i.e.
how to find n, m such that an+bm = gcd(a, b). We do this by simply rolling the algorithm
backwards, using the equations produced by the Euclidean algorithm at each step. This
is known as the Extended Euclidean Algorithm. Let’s do this with our example, i.e. let’s
see how to write 17 as an integer linear combination of 986 and 289:

Extended Euclidean Algorithm (example):
(1) By line (4) above, we have
17 = 119 − 2 × 51.
(2) By line (3) above, we can rewrite this equation as
17 = 119 − 2 × (289 − 2 × 119)
= 5 × 119 − 2 × 289.
(3) By line (2) above, we can rewrite this equation as
17 = 5 × (986 − 3 × 289) − 2 × 289
= 5 × 986 − 17 × 289.
(4) Now we are done! Indeed, we have written gcd(986, 289) = 986n + 289m where n = 5
and m = −17.
While it is possible to write the Extended Euclidean Algorithm in formal notation for
general integers a and b, it is not particularly helpful. The best way to understand this
method of rolling the Euclidean Algorithm backwards is to make up some examples and
do them yourself.
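As an added example (my own code, not from the notes), here is a Python implementation of the Euclidean Algorithm exactly as written out in steps (1)–(5) above, of the Extended Euclidean Algorithm obtained by substituting those division lines backwards, and of the lemma from Lecture 2 that scales an + bm = gcd(a, b) up to a solution of ax + by = c. The function names are mine.

```python
def euclid_steps(a, b):
    """Euclidean Algorithm as in the notes: a_1 = |a|, b_1 = |b|, then repeatedly
    b_i = q_i a_i + r_i with b_{i+1} = a_i, a_{i+1} = r_i until r_k = 0.
    Returns the list of lines (b_i, q_i, a_i, r_i); the last line has r = 0."""
    a, b = abs(a), abs(b)
    steps = []
    while a != 0:
        q, r = divmod(b, a)
        steps.append((b, q, a, r))
        b, a = a, r
    return steps

def gcd(a, b):
    """gcd(a, b) = a_k, the divisor in the final line (or |b| when |a| = 0)."""
    steps = euclid_steps(a, b)
    return steps[-1][2] if steps else abs(b)

def extended_euclid(a, b):
    """Roll the algorithm backwards: return (g, n, m) with n*a + m*b = g = gcd(a, b)."""
    steps = euclid_steps(a, b)
    if not steps:                      # |a| = 0, so g = |b| = 1*|b| + 0*|a|
        g, x, y = abs(b), 1, 0
    elif len(steps) == 1:              # a_1 divides b_1: g = a_1 = 0*b_1 + 1*a_1
        g, x, y = steps[0][2], 0, 1
    else:
        # Second-to-last line gives g = r_{k-1} = b_{k-1} - q_{k-1} a_{k-1}.
        # Invariant from here on: g = x*b_i + y*a_i for the current line i.
        g, x, y = steps[-1][2], 1, -steps[-2][1]
        # Substitute earlier lines in reverse: b_i = a_{i-1}, a_i = b_{i-1} - q_{i-1} a_{i-1}
        for (_, q, _, _) in reversed(steps[:-2]):
            x, y = y, x - y * q
    # x multiplies |b| and y multiplies |a|; restore the signs of the original a, b.
    n = y if a >= 0 else -y
    m = x if b >= 0 else -x
    return g, n, m

def solve_linear_diophantine(a, b, c):
    """Integer (x, y) with a*x + b*y = c, or None when gcd(a, b) does not divide c."""
    g, n, m = extended_euclid(a, b)
    if g == 0:
        return (0, 0) if c == 0 else None
    if c % g != 0:                     # necessary condition from the Observation
        return None
    d = c // g                         # c = d * gcd(a, b): scale the combination by d
    return d * n, d * m

if __name__ == "__main__":
    for line in euclid_steps(289, 986):
        print("%d = %d x %d + %d" % line)
    print("gcd(986, 289) = 986n + 289m with (g, n, m) =", extended_euclid(986, 289))
    print("27x + 18y = 3006:", solve_linear_diophantine(27, 18, 3006))
    print("27x + 18y = 3000:", solve_linear_diophantine(27, 18, 3000))
```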
