A.

Appendix

A.1 Basics from Combinatorics

The factorial function is defined by

n! = 1 · 2 · . . . · n = i , for integers n ≥ 0.
1≤i≤n

As the empty product has value 1, we have 0! = 1! = 1. Further, 2! =

2, 3! = 6, 4! = 24, and so on. In combinatorics, n! is known to be the
number of permutations of {1, . . . , n}, i.e., the number of ways in which n
different objects can be arranged as a sequence. In calculus, one comes across
factorials in connection with Taylor series, and in particular in the series for
the exponential function (e ≈ 2.718 is the base of the natural logarithm):
 xi
ex = , for all real x . (A.1.1)
i!
i≥0

As
 an easy consequence of this we note that for n ≥ 1 we have nn /n! <
i n
i≥0 n /i! = e and hence the following bound:
 n n
n! > . (A.1.2)
e
The binomial coefficients are defined as follows:
 
n n! n(n − 1) · · · (n − k + 1)
= = , (A.1.3)
k k!(n − k)! k!

n integers n ≥ 0 and 0 ≤ k ≤ n. It is useful to extend the definition to

for
k = 0 for k < 0 and k > n. Although the binomial coefficients look like
fractions, they are really integers. This is easily seen by considering their
combinatorial interpretation:

Fact A.1.1. Let A be an arbitrary n-element set. Then for any integer k
there are exactly nk subsets of A with k elements.

M. Dietzfelbinger: Primality Testing in Polynomial Time, LNCS 3000, pp. 133-142, 2004.
 Springer-Verlag Berlin Heidelberg 2004
134 A. Appendix


Proof. For k < 0 or k > n, there is no such subset, and nk = 0. Thus,
assume 0 ≤ k ≤ n. We consider the set Sn of all permutations of A, i.e.,
sequences (a1 , . . . , an ) in which every element of A occurs exactly once. We
know that Sn has exactly n! elements. We now count the elements of Sn
again, grouped in a particular way according to the k-element subsets. For
an arbitrary k-element subset B of A, let

SB = {(a1 , . . . , an ) ∈ Sn | {a1 , . . . , ak } = B} .

Since the elements of B can be arranged in k! ways in the first k positions

of a sequence and likewise the elements of A − B can be arranged in (n − k)!
ways in the last n − k positions, we get |SB | = k!(n − k)!. Now, obviously,

Sn = SB ,
B⊆A, |B|=k

a union of disjoint sets. Thus,


n! = |Sn | = |SB | = |{B | B ⊆ A, |B| = k}| · k!(n − k)! ,
B⊆A, |B|=k

which proves the claim. 


Taking in particular A = {1, . . . , n}, the previous fact is equivalent to
saying that nk is the number of n-bit 0-1-strings (a1 , . . . , an ) with exactly k
1’s. Since there are 2n many n-bit strings altogether, we observe:
 n
= 2n . (A.1.4)
k
0≤k≤n

We note the following important recursion formula for the binomial coeffi-
cients:
   
n n
= = 1 , for all n ≥ 0 ; (A.1.5)
0 n
     
n n−1 n−1
= + , for all n ≥ 1, all integers k . (A.1.6)
k k−1 k

(Note that these formulas give another proof of the fact that nk is an integer.)
Formula (A.1.6) is obvious for k ≤ 0 and k ≥ n. For 1 ≤ k ≤ n − 1 it can
be verified directly from the definition, as follows:
   
n n−1
−
k k−1
n(n − 1) · · · (n − k + 1) k(n − 1)(n − 2) · · · (n − k + 1)
= −
k! (k − 1)! · k
 
(n − k) · (n − 1) · · · (n − k + 1) n−1
= = .
k! k
 A.1 Basics from Combinatorics 135

Formulas (A.1.5) and (A.1.6) give rise to “Pascal’s triangle”, a pattern to

generate all binomial coefficients.

1
1 1
1 2 1
1 3 3 1
1 4 6 4 1
1 5 10 10 5 1
1 6 15 20 15 6 1
1 7 21 35 35 21 7 1
1 8 28 56 1 70 56 28 8
1 9 36
126 126 8484 36 9 1
1 10 45 120 210 252 210 120 45 10 1
. . . . . . . . . . . . . . . . . . . . . . .


Row n has n + 1 entries nk , 0 ≤ k ≤ n. The first and last entry in each row
is 1, each other entry is obtained by adding the two values that are above it
(to the north-west and to the north-east).
Next we note some useful estimates involving binomial coefficients. They
say that Pascal’s triangle is symmetric; and that in each row the entries
increase
2n up to the center, then decrease. Finally, bounds for the central entry
n in the even-numbered rows are given.
  n
Lemma A.1.2. (a) nk = n−k , for 0 ≤ k ≤ n.
 
(b) If 1 ≤ k ≤ n2 , then k−1 n
< nk .
2n 
(c) 2n ≤ 22n ≤ 2n n < 2 , for n ≥ 1.
2n

  n
Proof. (a) Note that nk = k!(n−k)!
n! n!
= (n−k)!(n−(n−k))! = n−k .
(b) Observe that
n
n−k+1 n/2 + 1
 nk = ≥ > 1.
k−1
k n/2

(c) The last inequality 2n < 22n is a direct consequence of (A.1.4). For
2n
n  
the second inequality 22n ≤ 2n observe that by parts (a) and (b) 2n is
n2n 2n 2n n
maximal in the set containing 0 + 2n = 1 + 1 = 2 and i , 0 < i < 2n.

Hence 2n 2n
n is at least the average of these 2n numbers, which is 2 /2n by
(A.1.4). The first inequality is equivalent to 2n ≤ 2n , which is obviously true
for n ≥ 1. 

The binomial coefficients are important in expressing powers of sums.
Assume (R, +, ·, 0, 1) is a commutative ring (see Definition 4.3.2). For a ∈ R
and m ≥ 0 we write am as an abbreviation of a · · · a (m factors), and mR
136 A. Appendix

as an abbreviation of the sum 1 + · · · + 1 (m summands) in R. Then for all

a, b ∈ R and n ≥ 0 we have:
 n
(a + b)n = · ak bn−k . (A.1.7)
k R
0≤k≤n

This formula is often called the binomial theorem. It is easy to prove, using
the combinatorial interpretation of the binomial coefficients. The cases n = 0
and n = 1 are trivially true, so assume n ≥ 2 and consider the product
(a + b) · · · (a + b) with n factors. If this is expanded by “multiplying out”
in R, we obtain a sum of 2n products of n factors each, where a product
contains either the a or the b from each factor (a + b). By Fact A.1.1, there
are exactly nk products in which a occurs k times and b occurs n−k times. By
commutativity, each such product equals ak bn−k . Finally, we write ak bn−k +
· · · + ak bn−k as (1 + · · · + 1) · ak bn−k , with nk summands in each case.

A.2 Some Estimates

Definition A.2.1. For x ∈ R we let x (“floor of x”) denote the largest
integer k with k ≤ x. Similarly, x (“ceiling of x”) denotes the smallest
integer k with k ≥ x.
For example, 5.95 = 5 and 6.01 = 6. Clearly, x is characterized by the
fact that it is an integer and that x−1 < x ≤ x. Similarly, the characteristic
inequalities for x are x ≤ x < x + 1. If a ≥ 0 and b > 0 are integers, then,
with the notation of Definition 3.1.9,
a
= a div b,
b
hence in particular
a
a= · b + (a mod b). (A.2.8)
b
A basic property of the floor function is the following:
Lemma A.2.2. For all real numbers y ≥ 0 we have 2y − 2y ∈ {0, 1}.
Proof. Let {y} = y −y < 1 be the “fractional part” of y. Then 0 ≤ {y} < 1.
If 0 ≤ {y} < 12 , then 2y ≤ 2y < 2y +1, hence 2y = 2y . If 12 ≤ {y} < 1,
then 2y + 1 ≤ 2y < 2y + 2, hence 2y = 2y + 1. 

Next, we estimate a power sum and the harmonic sum.
Lemma A.2.3. For all n ≥ 0 we have

i · 2i = (n − 1) · 2n+1 + 2.
1≤i≤n
 A.3 Proof of the Quadratic Reciprocity Law 137

Proof. We use induction on n. For n = 0 the claim is easily checked. The

induction step follows from the observation that
(n − 1) · 2n+1 + 2 − ((n − 2) · 2n + 2) = (2(n − 1) − (n − 2)) · 2n = n · 2n .


 1
Lemma A.2.4. For Hn = 1≤i≤n i (the nth harmonic number ) we have
ln n < Hn < 1 + ln n, , for n ≥ 2.
Proof. Note that
i+1 i
dx 1 1 dx
< , for i ≥ 1, and < , for i ≥ 2.
i x i i i−1 x
Summing the first inequality for 1 ≤ i < n, we obtain
n
dx  i+1
dx  1 1
ln n = = < = Hn − < Hn ;
1 x i x i n
1≤i<n 1≤i<n

summing the second inequality for 1 < i ≤ n we obtain

 1  i
dx n
dx
Hn − 1 = < = = ln n. 

i i−1 x 1 x
1<i≤n 1<i≤n

A.3 Proof of the Quadratic Reciprocity Law

In this section, we provide a full proof of Theorem 6.3.1, the quadratic reci-
procity law. Also, Proposition 6.3.2 will be proved here.

A.3.1 A Lemma of Gauss

Let p ≥ 3 be a prime number. We let
Hp = {1, 2 . . . , 12 (p − 1)}.
Traditionally, Hp is called the “canonical half system”, since it contains ex-
actly half the elements of Z∗p , and Z∗p = H ∪ {p − i | i ∈ H}, as a union of
disjoint sets. (Recall that p − i is the additive inverse −i of i in Zp .) For a ∈ Z
with p
a consider the sequence
Sp (a) = ((a · 1) mod p, (a · 2) mod p, . . . , (a · 12 (p − 1)) mod p).
Note that, clearly, Sp (a) = Sp (b) if a ≡ b (mod p). Some of the entries in
Sp (a) will be in Hp , some will be not.
For a with p
a we define:
kp (a) = the number of entries in Sp (a) that belong to Z∗p − Hp .
138 A. Appendix

a 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
2a mod 17 2 4 6 8 10 12 14 16 1 3 5 7 9 11 13 15
3a mod 17 3 6 9 12 15 1 4 7 10 13 16 2 5 8 11 14
4a mod 17 4 8 12 16 3 7 11 15 2 6 10 14 1 5 9 13
5a mod 17 5 10 15 3 8 13 1 6 11 16 4 9 14 2 7 12
6a mod 17 6 12 1 7 13 2 8 14 3 9 15 4 10 16 5 11
7a mod 17 7 14 4 11 1 8 15 5 12 2 9 16 6 13 3 10
8a mod 17 8 16 7 15 6 14 5 13 4 12 3 11 2 10 1 9
k17 (a) 0 4 3 4 3 3 3 4 4 5 5 5 4 5 4 8
sign of
+ + − + − − − + + − − − + − + +
(−1)k17 (a)

Table A.1. S17 (a) and k17 (a), for a = 1, . . . , 16

Lemma A.3.1. If the odd prime p does not divide a, then

 
a
= (−1)kp (a) .
p
In words: a is a quadratic residue modulo p if and only if kp (a) is even.
As an example, consider p = 17. The canonical half system is H17 =
{1, . . . , 8}. The sequences S17 (a), 1 ≤ a ≤ 16, are listed in Table A.1, to-
gether with k17 (a) and the sign of (−1)k17 (a) . Assuming the lemma for a
moment, we may read off from the table that the quadratic residues modulo
17 in Z∗17 are 1, 2, 4, 8, 9, 13, 15, 16.
Proof. Let k = kp (a), let H = Hp , let R ⊆ Z∗p the set of k entries in Sp (a)
that exceed p/2, and let T be the set of the 12 (p − 1) − k other entries.
Claim: H is the disjoint union of {p − r | r ∈ R} and T .
Proof of Claim: Since Zp is a field, the entries in Sp (a) are distinct, hence
{p − r | r ∈ R} ⊆ H has k elements and T has p/2 − k elements. Thus, to
prove the claim, it is sufficient to show that {p − r | r ∈ R} ∩ T = ∅. Assume
for a contradiction that p − r = t for some r ∈ R and some t ∈ T . Now
r = i · a mod p for some i ∈ H, and t = j · a mod p for some j ∈ H. The
assumption entails

0 ≡ r + t ≡ i · a + j · a ≡ (i + j) · a (mod p).

But p
a and p
(i + j), since 0 < i + j < p. This is the desired contradiction,
and the claim is proved.
(For an example, the reader may wish to go back to Table A.1 and in the
sequences S17 (a) replace the entries r larger than 8 by 17 − r to see that in
each case the resulting sequence is just a permutation of (1, 2, . . . , 8).)
 A.3 Proof of the Quadratic Reciprocity Law 139

Let b = a mod p, and calculate in Zp :

i= (−r) · t = (−1)k · r· t = (−1)k (i · b)
i∈H r∈R t∈T r∈R t∈T i∈H


= (−1) · b
k (p−1)/2
· i.
i∈H

By cancelling in Z∗p , we conclude (−1)k · b(p−1)/2 = 1 in Zp . Since both (−1)k

and b(p−1)/2 belong to {1, −1} in Zp , this entails
 b (−1) ≡ b  a
k (p−1)/2
(mod p).
By Lemma 6.1.3, we conclude that (−1) ≡ p mod p ≡ p mod p; this
k

means that k is even if and only if ap = 1. 

Using Lemma A.3.1, it is easy to determine when 2 is a quadratic residue
modulo p.
Corollary A.3.2. For p ≥ 3 a prime number, we have:
 
2 2
= (−1)(p −1)/8 .
p

In words: 2 is a quadratic residue modulo p if and only if p ≡ 1 or p ≡ 7

(mod 8).

Proof. The number kp (2) of elements of size at least p/2 in the sequence
Sp (2) = (2, 4, 6, . . . , p − 1) is the same as the number of elements of size at
least p/4 in (1, 2, 3, . . . , 12 (p − 1)). Since p/4 is not an integer, we have

kp (2) = 12 (p − 1) − p/4 .

Depending on the remainder p mod 8, there are four cases:

If p = 8
+ 1, then kp (2) = 4
− 2
= 2
, which is even.
If p = 8
+ 3, then kp (2) = 4
+ 1 − 2
= 2
+ 1, which is odd.
If p = 8
+ 5, then kp (2) = 4
+ 2 − (2
+ 1) = 2
+ 1, which is odd.
If p = 8
+ 7, then kp (2) = 4
+ 3 − (2
+ 1) = 2
+ 2, which is even.
The claim now follows from Lemma A.3.1. 


A.3.2 Quadratic Reciprocity for Prime Numbers

For a ∈ Z, p
a, let
  i · a  i · a − (i · a) mod p
λp (a) = (i · a) div p = = . (A.3.9)
p p
i∈Hp i∈Hp i∈Hp

(The last equation in this definition is immediate from (A.2.8). Note that
λp (a) depends on a, not only on the equivalence class of a modulo p.)
140 A. Appendix

Lemma A.3.3. If p ≥ 3 is a prime number and a ∈ Z is odd with p
a, then

 
a
= (−1)λp (a) .
p

In words: a is a quadratic residue modulo p if and only if λp (a) is even.

Proof. Using the definition of R and T from Lemma A.3.1, and writing H
for Hp again, we calculate in Z:
     
i·a = (i · a − (i · a) mod p) + r+ t = λp (a) · p + r+ t.
i∈H i∈H r∈R t∈T r∈R t∈T
(A.3.10)

Using the claim in the proof of Lemma A.3.1 again, we obtain

    
i= (p − r) + t = kp (a) · p − r+ t. (A.3.11)
i∈H r∈R t∈T r∈R t∈T

Subtracting (A.3.11) from (A.3.10) yields

 
(a − 1) · i = (λp (a) − kp (a)) · p + 2 · r. (A.3.12)
i∈H r∈R

Now since a is odd, a − 1 is even, so (A.3.12) implies that λp (a) − kp (a) is an

even number. Thus, the lemma follows by Lemma A.3.1. 

For example, we could calculate that λ17 (10) =  10 17 +  20
17 +  30
17 +
 40
17 +  17 +  17 +  17 +  17
50 60 70 80
= 0 + 1 + 1 + 2+ 2 + 3 + 4 + 4 = 19,
which is odd; using Lemma A.3.1 we conclude that 10 17 = −1. Obviously, in
general it is sufficient to add the numbers  p , 1 ≤ i ≤ 12 (p − 1), modulo 2.
i·a

However, this is a hopelessly inefficient method for calculating ap . We will
use Lemma A.3.3 only for proving the following theorem.

Theorem A.3.4 (Quadratic Reciprocity for Prime Numbers). Let p

and q be distinct odd prime numbers. Then
   
= (−1) 2 · 2 ·
p p−1 q−1 q
,
q p

that means
  
q
  
 , if p ≡ 1 or q ≡ 1 (mod 4) , and
p p
=  
q 
 q
− , if p ≡ 3 and q ≡ 3 (mod 4).
p
 A.3 Proof of the Quadratic Reciprocity Law 141

Proof. Let
  p−1 q − 1

M = (i, j)  1 ≤ i ≤ , 1≤j≤ . (A.3.13)
2 2
Now define
M1 = {(i, j) ∈ M | j · p < i · q} , and
M2 = {(i, j) ∈ M | i · q < j · p}.
Note that there cannot be a pair (i, j) ∈ M that satisfies i · q = j · p, since
this would mean that p divides i, which is smaller than p. Thus, M1 and M2
split M into two disjoint subsets, and we get
p−1 q−1
|M1 | + |M2 | = |M | = · . (A.3.14)
2 2
Now for each fixed i ≤ p−1
2 the number of pairs (i, j) ∈ M1 is i · q/p . Hence

|M1 | = i · q/p = λp (q).
1≤i≤(p−1)/2

Similarly, |M2 | = λq (p). Thus, from (A.3.14) we get

p−1 q−1
· = λp (q) + λq (p).
2 2
Now Lemma A.3.3 entails
   
(−1)
p−1
2 · q−1
2 = (−1)λp (q)+λq (p) =
p
·
q
,
q p

which is the assertion of the theorem. 



A.3.3 Quadratic Reciprocity for Odd Integers

In this section, we prove Theorem 6.3.1 and Proposition 6.3.2.

Proof of Theorem 6.3.1. We show: If n ≥ 3 and m ≥ 3 are odd integers,
then
   
m
= (−1) 2 ·
n−1 m−1
2 ·
n
.
n m

We consider the prime factorizations n = p1 · · · pr and m = q1 · · · qs , and

prove the claimby induction on r + s. If m and n are not relatively prime,
n
both m and m n are 0, and there is nothing to show. Thus, we assume
from here on that gcd(n, m) = 1.
Basis: r + s = 2, i.e., n and m are distinct prime numbers. — Then the claim
is just Theorem A.3.4.
142 A. Appendix

Induction step: Assume r + s ≥ 3, and the claim is true for all n , m that
together have fewer than r + s prime factors. By symmetry, we may assume
that n is not a prime number. We write n = k
for numbers k,
≥ 3. By the
induction hypothesis, we have
       
= (−1) 2 · = (−1) 2 · 2 .
m k k−1 m−1 m
−1 m−1
· 2 and ·
k m
m
(A.3.15)

Using multiplicativity in both upper and lower positions (Lemma 6.2.2(a)

and (c)) we get by multiplying both equations:
     −1 
m−1
= (−1) 2 · ·
m n k−1 m−1
+ −1 m−1 k−1
= (−1) 2 +
2
· 2 2 2 2 .
n m
(A.3.16)
(k−1)(−1)
Now 2 is an even number, hence

n−1 (k − 1)(
− 1) + k +
− 2 k−1
−1

= ≡ + (mod 2).
2 2 2 2
Plugging this into (A.3.16) yields the inductive assertion. Thus the theorem
is proved. 

Proof of Proposition 6.3.2. We show that for n ≥ 3 an odd integer we
have
 
2 n2 −1
= (−1) 8 .
n
Again, we consider the prime factorization n = p1 · · · pr and prove the
claim by induction on r. If r = 1, i.e., n is a prime number, the assertion
is just Corollary A.3.2. For the induction step, assume r ≥ 2, and that the
claim is true for n with fewer than r prime factors. Write n = k
for numbers
k,
≥ 3. By multiplicativity and the induction hypothesis, we have
     
2 2 2 k2 −1 2 −1
= · = (−1) 8 + 8 . (A.3.17)
n k

(k2 −1)(2 −1)
Now 8 is divisible by 8, hence

n2 − 1 (k 2 − 1)(
2 − 1) + k 2 +
2 − 2 k 2 − 1
2 − 1
= ≡ + (mod 2).
8 8 8 8
(A.3.18)

If we plug this into (A.3.17), we obtain the inductive assertion. Thus the
proposition is proved.