MFCS

Modular Arithmetic

Klaus Sutner
Carnegie Mellon University
Fall 2022
1 Divisibility

2 Modular Arithmetic

3 Rotation

4 Chinese Remainder
Total Recall: Divisibility 2

For a, b ∈ Z, a divides b iff ∃ c ∈ Z (a · c = b).

This is usually written a | b.

Proposition
Note that ±1 | a and a | 0 for all a ∈ Z.
Divisibility is reflexive, transitive and almost antisymmetric.

Lemma (Linear Combinations)

If d | a and d | b then d | (xa + yb) for all x, y ∈ Z.
Quotients and Remainders 3

Theorem (Division Theorem)

Let b be positive, and a an arbitrary integer. Then there exist integers q
and r such that
a = q · b + r, where 0 ≤ r < b.
Moreover, the numbers q and r are uniquely determined (quotient and
remainder).

In older literature this is often called the “Division Algorithm,” though no

algorithm is anywhere in sight.

Notation:

r = a mod b remainder
q = a div b quotient
Actual Algorithm 4

Suppose both a and b and given in binary, and have thousands of digits.
The data type used to store the bits is an array,

Find a fast algorithm to determine the quotient and remainder.

What is the running time of your algorithm in terms of the number of

digits of the input?
Primes 5

p ≥ 2 is prime if its only positive divisors are 1 and p.

Lemma
For every n ≥ 2 there is a prime p such that p | n.

Theorem (Euclid, c. 300 BCE)

There are infinitely many primes.

Lemma
If p is prime and p | ab then p | a or p | b.
Sample Proof 6

The last lemma is easily handled with a forward link to the greatest
common divisor, see below.

Let d = gcd(a, p).

If d = p then clearly d divides a.

But otherwise d = 1, hence xa + yp = 1 for some integers x and y.

It follows that xab + ypb = b and p divides b.
2
The Fundamental Theorem 7

Theorem
Let n ≥ 2. Then there exist distinct primes p1 , . . . , pk such that

n = pe11 pe22 . . . pekk

where ei > 0. The decomposition is unique up to order.

Proof.
Induction using the last lemma to split off prime factors. 2

But beware, finding this prime decomposition seems very hard

algorithmically. This (presumptive) difficulty turns out to be a blessing in
disguise, it is currently exploited in cryptography.
GCD and Euclidean Algorithm 8

The greatest common divisor is defined by

gcd(a, b) = max d | d divides a, b

a and b are coprime (relatively prime) if gcd(a, b) = 1.

The basic properties of the GCD:

Lemma
gcd(x, 0) = x
gcd(x, y) = gcd(y, x)
gcd(x, y) = gcd(y, x mod y)
Example 9

These properties produce an algorithm to compute it the GCD. Typical

run: a = 4234 and b = 4693286.

4234 = 0 · 4693286 + 4234

4693286 = 1108 · 4234 + 2014
4234 = 2 · 2014 + 206
2014 = 9 · 206 + 160
206 = 1 · 160 + 46
160 = 3 · 46 + 22
46 = 2 · 22 + 2
22 = 11 · 2 + 0

The table provides a complete proof that gcd(4234, 4693286) = 2,

verification comes down to checking the arithmetic.
Linear Combinations 10

The last example suggests to take a closer look at linear combinations

c=x·a+y·b

where x, y ∈ Z.

Obviously c is divisible by gcd(a, b).

More interestingly, we could run through the equations above backwards

and write 2 = gcd(a, b) as a linear combination of a and b:

gcd(a, b) = 2 = 205068 · a − 185 · b

EEA 11

Lemma (Extended Euclidean Algorithm)

There exist integers x, y such that

gcd(a, b) = x · a + y · b.

These so-called cofactors can be computed along with the GCD.

Trace of the Euclidean algorithm. Wlog a ≥ b ≥ 0.

ri−2 = qi · ri−1 + ri where r0 = a, r1 = b
Hence, rn = 0 for some n, and rn−1 = gcd(a, b). Define
x0 = 1 y0 = 0
x1 = 0 y1 = 1
xi = xi−2 − qi · xi−1 yi = yi−2 − qi · yi−1
A simple induction shows that
ri = a · xi + b · yi .
Example 12

qi ri xi yi
− 1233 1 0
− 1000 0 1
1 233 1 −1
4 68 −4 5
3 29 13 −16
2 10 −30 37
2 9 73 −90
1 1 −103 127
9 0 1000 −1233

We have

−103 · 1233 + 127 · 1000 = 1 = gcd(1233, 1000)

Diophantine Equation 13

We can also think of

a·x+b·y =c

as an equation, we want solutions for x and y.

Again, we clearly need d = gcd(a, b) | c for any solution to exist.

We can divide by the GCD and use the extended Euclidean algorithm as
before. But note that the solution is not unique: for any solution (x0 , y0 )
we get infinitely many other solutions of the form

(x0 + tb/d, y0 − ta/d)

where t ∈ Z. In fact, these are all the solutions.

Efficiency of EEA 14

One can implement all the necessary arithmetic in O(k 2 ) steps for k-bit
numbers. In fact addition is only O(k), but for mods and remainders we
need O(k 2 ) steps.

But how often does the while-loop execute? Trivially no more than a ≥ b
times, but that’s no good at all.

Note that one must lose one bit at least at every other step. This follows
from
ri−2 = qi · ri−1 + ri
Hence total running time is O(k 3 ) steps for k-bit inputs.

Incidentally, the worst possible input is two consecutive Fibonacci

numbers. In this case, qi = 1 at all times, and the algorithm just runs
backwards through the Fibonacci numbers.
p-adic Valuations 15

Definition
Let p prime. The p-adic valuation of an integer n ̸= 0 is the largest e
such that pe divides n, in symbols νp (n); we set νp (0) = ∞.

νp (ab) = νp (a) + νp (b)

a | b ⇐⇒ ∀ p (νp (a) ≤ νp (b))

Y
gcd(a, b) = pmin(νp (a),νp (b))
p

Alas, the last formula does not yield an efficient way to compute gcds: we
have no good way to produce the prime decomposition of the numbers.
The Lattice View 16

The natural numbers with division ⟨N, |⟩ form a so-called lattice: a

partial order where any two elements have a join (supremum) and and a
meet (infimum).
In this case, the join is simply the least common multiple, and the meet
is the greatest common divisor.

Taking an algebraic perspective, one can think of a structure ⟨A, ⊔, ⊓⟩

with two binary operations where
⊔ and and ⊓ are associative and commutative

absorption holds:

x ⊔ (x ⊓ y) = x x ⊓ (x ⊔ y) = x
Divisor Lattice 17

30

6 10 15

2 3 5

A good way to visualize a divisor lattice is to draw a little diagram like

this one.
148176 18
Exercises 19

Exercise
Verify that ⟨N, lcm, gcd⟩ really forms lattice.

Exercise
How are lcm and gcd expressed in the picture of the divisor lattice of 30?

Exercise
How is the structure of prime divisors of 148176 = 24 33 73 expressed in
the picture of the divisor lattice?
1 Divisibility

2 Modular Arithmetic

3 Rotation

4 Chinese Remainder
Odds and Evens 21

Distinguishing between even and odd integers may sound trivial, but it is
often quite useful. Here is a simple example.

Suppose we have a polynomial with integer coefficients

p(x) = a · x3 + b · x2 + c · x + d.

Claim
If both p(0) and p(1) are odd, then p(x) ̸= 0 for all integers x.

Here is a trick to prove this: it suffices to show that p(x) is always odd.
“Suffices” sounds weird, this is actually a stronger assertion.
Picture 22

10

-2 -1 1 2

-5

Careful, though, there is a root over R, just not an integral one.

Even/Odd Arithmetic 23

To do this, we need to understand how the even/odd classification

interacts with arithmetic. No problem.

We write e for even, and o for odd. Here are the Cayley tables for
even/odd addition and multiplication:
+ e o · e o
e e o e e e
o o e o e o

It follows that n even (odd) implies nk even (odd) for all k ≥ 1. So we

can eliminate higher-degree terms in the polynomial.

So, now we are dealing with the linear polynomial (a + b + c)x + d.

The Argument 24

First note that p(0) = d and p(1) = a + b + c + d are both odd.

Case 1: So for even x we get

p(e) = (a + b + c) · e + o = o

Case 2: For odd x we have

p(o) = (a + b + c)o + o = e · o + o = o.

In both cases p(x) is odd, done.

Princeps Mathematicorum 25

Carl Friedrich Gauss, 1777-1855.

Modular Arithmetic 26

Fix some positive modulus m. We can define an equivalence relation ≡m

on Z as follows:

x ≡m y ⇐⇒ m divides x − y

We say that x is congruent to y modulo m.

Notation: we usually write

x=y (mod m)

instead of x ≡m y. This looks more algebraic and turns out to be more

convenient in a lot of arguments.

As usual, equivalence classes are expressed by brackets: [x] or [x]≡m .

Don’t confuse this with [n] = {1, 2, . . . , n}.

Two Notations 27

Recall: for a given modulus m, a mod m denotes the remainder function,

a map on the integers:

mod m : Z −→ {0, 1, . . . , m−1}

The kernel relation of this function is none other than ≡m .

On the other hand, the notation

a = b (mod m)

indicates that a and b are congruent modulo m. Essentially this says: do

not interpret the equation over Z, but over a different algebraic structure,
the modular numbers, that we will introduce shortly.
Congruences 28

There are lots of equivalence relations on the integers, but ours is

particularly interesting since it coexists peacefully with addition and
multiplication (this is the meaning of congruence in algebra in general).

Here is the critical idea: we can define arithmetic on the equivalence

classes to obtain a new algebraic structure Zm of modular numbers.

[x] + [y] = [x + y]
[x] · [y] = [x · y]

A potential problem with this type of definition is that it needs to be

well-defined: we must be able to change the representatives without
breaking the identities.
More on Congruences 29

So we have to check the following:

x = x′ , y = y ′ (mod m)

implies

x + y = x′ + y ′ (mod m)
′ ′
x·y =x ·y (mod m)

This is a huge restriction compared to arbitrary equivalence relations.

There are uncountably many equivalence relations on Z, but it turns out
that all non-trivial congruences are Gaussian congruences.
Proof 30

Let’s check for addition. We have to show that

x = x′ , y = y ′ (mod m) implies x + y = x′ + y ′ (mod m)

Let x = qm + r, x′ = q ′ m + r, y = pm + s, y ′ = p′ m + s. Then

x + y = (q + p)m + r + s x′ + y ′ = (q ′ + p′ )m + r + s

and our claim holds.

Multiplication is entirely similar.

Remainders 31

We could express the critical arithmetic properties also in terms of the

remainder function like so:

(x + y) mod m = ((x mod m) + (y mod m)) mod m

(x · y) mod m = ((x mod m) · (y mod m)) mod m

Note that this is a bit clumsy, we have to remainder twice (at least in
general).
All Congruences are Gaussian 32

Claim: Let ≡ be a non-trivial congruence on the integers. Then ≡ is a

Gaussian congruence.

Proof. Let a < b such that a ≡ b. Then 0 = a − a ≡ b − a. Let m > 0

be the least such difference and note that mZ ⊆ [0].

We claim that [0] = mZ.

Suppose otherwise and let 0 ≡ b where b ∈

/ mZ. Let p such that
pm < b < (p + 1)m. Then 0 < b < m, but b ≡ 0, contradicting our
choice of m.

It follows that [a] = a + mZ and we are done. 2

Living Dangerously 33

Careful notations that keep track of lots of details like

[x]≡m [x]Zm +m ·m +Zm

are perfectly correct, but they get very tedious in actual use.

So, if it is clear from context what we mean, we may drop all these
decorations and just write x instead of [x]≡m . Similarly we just use +
and · for addition and multiplication of modular numbers.

In effect, we load a different math library and work in

Zm = ⟨{0, 1, . . . , m−1}, +, ·⟩

If you feel nervous about this initially, add brackets and subscripts to your
heart’s content.
Cayley Tables 34

Example (Z5 )
+ 0 1 2 3 4 · 0 1 2 3 4
0 0 1 2 3 4 0 0 0 0 0 0
1 1 2 3 4 0 1 0 1 2 3 4
2 2 3 4 0 1 2 0 2 4 1 3
3 3 4 0 1 2 3 0 3 1 4 2
4 4 0 1 2 3 4 0 4 3 2 1
Cayley Tables 35
Inevitable Clock Problem 36

A clock (which functions accurately) shows the hour hand positioned at a

minute mark, and the the minute hand two marks away. What time is it?

Really have 60 possible positions. Equations:

m=h±2 (mod 60)

m = 12h (mod 60)

By exploiting the congruence properties it follows that

11h = ±2 (mod 60)

multiply by 11:

h = ±22 (mod 60)

It’s 4:24 or 7:36.

The Real Problem 37

The real question:

How does one solve equations modulo m?

Since there are only finitely many modular numbers one could, in
principle, use brute force. Alas, for even slightly large moduli this is not a
realistic option, we need some theory.

We know how to handle linear equations ax = c (mod m), but life

becomes already fairly difficult for quadratic ones. The good news: one
can exploit this computational hardness for cryptography.
Simplifying Equations 38

Proposition
Let ab = ac (mod m) and m′ = m/ gcd(a, m).
Then b = c (mod m′ ).

In particular when a and m are coprime we can simply drop the a.

Exercise
Use p-adic valuations to prove the proposition.
Inhomogeneous Equations 39

First an important special case.

Lemma
The equation
a·x=1 (mod m)
has a solution if, and only if, a and m are coprime.
If a solution exists it is unique modulo m.

Proof.
A solution means that ax − 1 = qm, so a and m must be coprime.
In the opposite direction use the extended Euclidean algorithm to
compute cofactors ax + my = 1.
2
Multiplicative Inverses 40

The situation in the lemma is very important.

The solution x such that ax = 1 (mod m) is called the multiplicative

inverse of a (modulo m).

Notation: a−1 (mod m).

Example
m = 11.
x 1 2 3 4 5 6 7 8 9 10
x−1 1 6 4 3 9 2 8 7 5 10
Note that 10 = 10−1 (no surprise, really: 10 = −1).
So 1/2 = 6 (mod 11).
Euler’s Totient Function 41

The collection of all modular numbers that have a multiplicative inverse

is usually written Z⋆m and called the multiplicative subgroup.

Definition (Multiplicative Subgroup)

Z⋆m = { a ∈ Zm | gcd(a, m) = 1 }

Definition (Euler’s Totient Function)

The cardinality of Z⋆m is written φ(m).
Some Values 42

Here are the first few values of φ

1, 1, 2, 2, 4, 2, 6, 4, 6, 4, 10, 4, 12, 6, 8, 8, 16, 6, 18, 8, 12, 10, 22, 8, 20, 12, 18,
12, 28, 8, 30, 16, 20, 16, 24, 12, 36, 18, 24, 16, 40, 12, 42, 20, 24, 22, 46, 16, 42, . . .

Looks complicated.
It is certainly far from clear what the next value would be.
Plot 43

400

300

200

100

100 200 300 400

Computing the Totient Function 44

Obviously we can compute φ(n) by brute force, but that’s a white lie:
what if n has 1000 digits?

Here is a trick: we can compute φ(n) if we know the prime factorization

of n:
For p prime φ(p) = p − 1 and φ(pk ) = (p − 1)pk−1 .

For m and n coprime, φ(mn) = φ(m)φ(n).

Hence, given the prime decomposition

n = pe11 pe22 . . . pekk

we can compute the totient function like so:

φ(n) = (p1 − 1)pe11 −1 (p2 − 1)pe22 −1 . . . (pk − 1)pkek −1

Not so fast . . . 45

Note the hedge: “given the prime decomposition”

Getting the decomposition requires factorization, and that is a difficult

operation and presumably computationally hard in some technical sense.

As a consequence, it is not clear how to compute φ(n) efficiently.

In fact, the two problems are computationally closely related. Some

cryptographic schemes depend on the totient function being hard to
compute.
Inhomogeneous Equations, II 46

Lemma
In the general case
a · x = c (mod m)
we have a solution if, and only if, gcd(a, m) divides c.
Moreover, the number of solutions is gcd(a, m).

Exercise
Prove the general case.
Modular Arithmetic and Primes 47

When p is prime the structure of Z⋆p is particularly simple:

Z⋆p = {1, 2, . . . , p − 1}

As a consequence, we can solve all equations ax = b (mod p) as long as

a ̸= 0 (mod p).

Here are some classical results concerning prime moduli.

Q
Note that (p−1)! = x∈Z⋆p x for p prime.
Wilson’s Theorem 48

Theorem (Wilson’s Theorem)

p is prime if, and only if, (p − 1)! ≡ −1 (mod p).

Proof.
First assume p is prime, wlog p > 2. We can pair off a ∈ Z⋆p and
a−1 ∈ Z⋆p .
a and a−1 are always distinct except in the case a = ±1: the quadratic
equation x2 = 1 (mod p) has at most two solutions since
x2 − 1 = (x + 1)(x − 1).

For the opposite direction assume p fails to be prime, say, ab = p for

1 < a, b < p. But then (p − 1)! and p are not coprime whereas −1 and p
are coprime, contradiction.
2
Food for Thought 49

You may have heard that primality testing is algorithmically challenging.

There is an amazing polynomial time algorithm, using mostly high school

arithmetic, but, sadly, it is useless in practice.

Currently, all usable primality tests involve randomization.

Question:
Why can’t we use Wilson’s theorem for a fast primality test?
Little Fermat 50

Theorem (Fermat’s Little Theorem)

If p is prime and coprime to a, then ap−1 = 1 (mod p).

Proof.
a : Z⋆p → Z⋆p , b
Consider the map b a(x) = ax.
a is a bijection, so
b
Y Y Y Y
−ap−1 = ap−1 x= ax = a(x) =
b x = −1 (mod p)
x∈Z⋆
p x∈Z⋆
p x∈Z⋆
p x∈Z⋆
p

Here we have used φ(p) = p − 1. Done.

2
1 Divisibility

2 Modular Arithmetic

3 Rotation

4 Chinese Remainder
Application: Rotating Arrays 52

Here is a simple algorithm question: figure out how to rotate an array of

length n by s places, say, to the left.

Problem: Rotation
Instance: An array A, a positive integer s.
Solution: Rotate A by s places.

This is entirely trivial if we simply copy some of the elements to a second

array first.

This approach is linear time, but requires extra memory, up to n/2.

Can we do better?
Forcing Constant Space 53

It is clear that we can get liner time/constant space if we rotate the array
by only one place: just remember a0 and move everyone over.

Constant space here means: constant amount of extra space, we do not

charge the algorithm for the original array.

Then just repeat s times, done.

No good at all: space is constant, but time is now quadratic.

Reversal 54

One method that is absolutely not obvious is to exploit reversal.

Clearly, an array can be reversed in linear time/constant space: just move

two pointers from both ends towards the center.

By reversing twice (in the right way) we get rotation:

rev(A, 0, s); rev(A, s, n); rev(A, 0, n)

Here rev(A, k, ℓ) means: reverse that part ak , ak+1 , . . . , aℓ−1 , as usual

with 0-indexed arrays.
Improvements? 55

The last method is linear time and constant space. But we can still
quibble: it moves every element in the array twice.

Could we move the elements only once? After all, we know exactly where
they are supposed to go.

Something like
a0 ← as ← a2s ← a3s ← . . .
a sequence of displacements (we have to remember a0 which gets
clobbered right away).

Could this possibly work? If so, exactly how? What does . . . actually
mean?
Iterating Addition 56

Addition on Zm is fairly straightforward, and we can easily describe the

effect of repeated addition.
Say, we define the additive function

α : Zm −→ Zm
x 7−→ x + s mod m

Question: What would the orbits

orb(a; α) = a, α(a), α2 (a), . . . , αn (a), . . .

look like?
Example 57

Let m = 20 and s = 6. Then there are essentially two orbits: infinite

repetitions of the following basic blocks:

0, 6, 12, 18, 4, 10, 16, 2, 8, 14

1, 7, 13, 19, 5, 11, 17, 3, 9, 15

The hedge “essentially” covers the case where we start at different

points. As sets, these orbits simply are the even and odd numbers
between 0 and 19. By contrast, s = 11 produces a single repeating block

0, 11, 2, 13, 4, 15, 6, 17, 8, 19, 10, 1, 12, 3, 14, 5, 16, 7, 18, 9
General Case 58

The two examples are no coincidence: α is injective, so all the orbits

must be repeating blocks, cycles of elements that repeat forever.

Moreover, since α(x) + y = α(x + y) (mod m) all the cycles are just
rotations of each other and it suffices to understand the single orbit
orb(0, α).

So we need the least k > 0 such that ks = 0 (mod m).

We know how to do this: k = m/ gcd(s, m).

Proposition
α has gcd(s, m) distinct orbits, each of length m/ gcd(s, m).
And Rotation? 59

This means that we can concoct an algorithm that uses two nested loops:

The outer loop runs through gcd(s, m) rounds.

In round r, 0 ≤ r < gcd(s, m), we displace ar by ar+s , and so on,
for m/ gcd(s, m) elements.

Each array element is moved only once, and into its final position.

Exercise
Implement this rotation method. Compare to the reversal method.
1 Divisibility

2 Modular Arithmetic

3 Rotation

4 Chinese Remainder
Multiple Linear Equations 61

How about a system of linear equations, with several moduli:

ai x = bi (mod mi ) where i = 1, . . . , n

We know how to simplify this system a little bit: for a solution to exist
we need that gcd(ai , mi ) divides bi .

So we get equivalent equations a′i x = b′i (mod m′i ) where a′i and m′i are
coprime.

But that is equivalent to x = ci (mod m′i ) for some appropriate ci .

Multiple Linear Equations, II 62

So we only have to deal with the situation

x = ai (mod mi ) i = 1, . . . , n

Tricky in general, but for coprime moduli easy. We only consider n = 2.

Let m = m1 m2 and define the double remainder function

f : Zm −→ Zm1 × Zm2
f (x) = (x mod m1 , x mod m2 )

Claim
f is injective and hence bijective.
Proof 63

To see this, suppose f (x) = f (x′ ), where 0 ≤ x ≤ x′ < m. Then

x′ − x = q1 m1 = q2 m2 .

But m1 and m2 are coprime, so m | x′ − x and therefore x = x′ .

Since domain and codomain of f both have cardinality m, f must be a

bijection by General Abstract Nonsense.
2

Hence we can solve x = a (mod m1 ) and x = b (mod m2 ): let

x = f −1 (a, b)

Great. But how do we find the x computationally?

CRT Example 64

Let m1 = 3 and m2 = 5, so m = 15.

Here is the canonical map f : Z15 → Z3 × Z5 ,

f (x) = (x mod 3, x mod 5).

0 (0, 0) 8 (2, 3)
1 (1, 1) 9 (0, 4)
2 (2, 2) 10 (1, 0)
3 (0, 3) 11 (2, 1)
4 (1, 4) 12 (0, 2)
5 (2, 0) 13 (1, 3)
6 (0, 1) 14 (2, 4)
7 (1, 2)

By table lookup, the solution to x = 2 mod 3, x = 1 mod 5 is

x = f −1 (2, 1) = 11.
EEA to the Rescue 65

A better method is to use the EEA. Compute the cofactors:

αm1 + βm2 = 1

Then

f (αm1 ) = (0, 1)
f (βm2 ) = (1, 0)

whence

f (bαm1 + aβm2 ) = (a, b)

So the solution is x = b · αm1 + a · βm2 .

CRT Example II 66

As we have seen, the solution to

x = 2 mod 3 x = 1 mod 5

is x = 11.

Here is the computationally superior solution: determine cofactors

(−3) · 3 + 2 · 5 = 1

which produce a solution

x = 1 · (−3) · 3 + 2 · 2 · 5 = 11
Chinese Remainder Theorem 67

Our result also holds for more than 2 equations (and is very old).

Theorem (CRT)
Let mi , i = 1, . . . , n be pairwise coprime. Then the equations

x = ai (mod mi ) i = 1, . . . , n

have a unique solution in Zm , m = m1 m2 . . . mn .

This follows from repeated application of the solution for n = 2 since m1

and m2 . . . m2 are also coprime.
Computation 68

How do we compute the solution for n > 2? We could use the method
for n = 2 recursively, but that is a bit tedious. Here is a better way.

Define
ci = m/mi
so that ci = 0 (mod mj ), i ̸= j, but ci and mi are coprime. Use EEA to
find inverses
αi ci = 1 (mod mi )

Then
x = a1 α1 c1 + a2 α2 c2 + . . . an αn cn (mod m)
A Generalization 69

In general, a solution may exist even if some of the moduli are not
coprime. This is expressed in the following generalization† .

Theorem (Generalized CRT)

The equations

x = ai (mod mi ) i = 1, . . . , n

have a solution if, and only if, for all i ̸= j:

ai = aj (mod gcd(mi , mj ))

The solution is unique modulo m = lcm(m1 , m2 , . . . , mn ).

† This
is the kind of result that you might want to be aware of, but there is no
need memorizing it in detail.
Application: Large Numbers 70

Suppose you have a 64-bit architecture, but you need to compute with
100-bit numbers.

A bignum library is overkill, but we can fake 100-bit numbers relatively

cheaply:
find two primes p and q, each 60 bits long,
compute in Zp × Zq , using built-in arithmetic for each component.

The computation can involve many steps, we always keep our numbers in
two-component form, each using 64 bits. Only in the end will we convert
back to a single 100-bit number.
And the Primes? 71

There is an old result by Chebyshev that provides a lower bound for the
number of k-digit primes (primes in [2k−1 , 2k − 1]).



7 2k − 1 9 2k−1 − 1
−
8 ln (2k − 1) 8 ln (2k−1 − 1)

For example, for k = 100 we get at least 5.61 × 1027 primes. The length
of the interval is about 6.34 × 1029 .

So we can pick a number at random and check for primality. If it fails,

pick another one or start searching starting at the first number.