Scribd
Upload
7 views38 pages

Modular Arithmetic

Chapter 2 discusses modular arithmetic, specifically the integers modulo n, denoted as Z/nZ, and defines congruence, congruence classes, and operations within this system. It presents theorems and examples to illustrate properties of addition and multiplication in modular arithmetic, as well as the concept of reduction mod n. The chapter concludes with exercises and applications of modular arithmetic, including powers and their computations.

Uploaded by

Cholo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
7 views38 pages

Modular Arithmetic

Chapter 2 discusses modular arithmetic, specifically the integers modulo n, denoted as Z/nZ, and defines congruence, congruence classes, and operations within this system. It presents theorems and examples to illustrate properties of addition and multiplication in modular arithmetic, as well as the concept of reduction mod n. The chapter concludes with exercises and applications of modular arithmetic, including powers and their computations.

Uploaded by

Cholo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 38

CHAPTER 2: Modular Arithmetic

2.1. Definition ofi Z/nZ


In this section, we provide a detailed treatment of the system called the
integers modulo (or mod) n.

2.1.1 Definition
Let a,b∈Z and let n∈N. We say that a is congruent to b modulo n, wriflen
a≡b(modn), if n∣(a−b).

2.1.2 Example
● 23≡3(mod10) since 10∣(23−3).
● 23≡7(mod8) since 8∣(23−7).
● 10000≡4(mod7) since (10000−4)=9996=1428⋅7.
Since any two integers are congruent mod 1, we usually require n≥2 from
now on. Congruence modulo n generalizes the notion of divisibility, since
a≡0(modn)⟺n∣a. More generally, if a=qn+r then a≡r(modn), since n∣(a−r).
2.1.3 Theorem
Let n>1 and let a,b,c,d∈Z. Then:
(a) If a=b then a≡b(modn).
(b) a≡a(modn).
(c) If a≡b(modn) then b≡a(modn).
(d) If a≡b(modn) and b≡c(modn) then a≡c(modn).
(e) If a≡b(modn) and c≡d(modn) then a+c≡b+d(modn) and ac≡bd(modn).
Proof
(a) a−b=0, so n∣(a−b).
(b) Follows from (a).
(c) If n∣(a−b) then n∣(b−a).
(d) If n∣(a−b) and n∣(b−c) then n∣((a−b)+(b−c)) so n∣(a−c).
(e) Suppose n∣(a−b) and n∣(c−d). Then n∣((a−b)+(c−d)) so n∣((a+c)−(b+d)), that
is, a+c≡b+d(modn).
For multiplication, we may write a−b=sn for some s∈Z, so a=sn+b. Similarly c=tn+d. So
ac=(sn+b)(tn+d)=n(stn+sd+bt)+bd and n∣(ac−bd).
2.1.4 Example
● 5+8≡1(mod12).
● 5⋅8=40≡4(mod12).
● 53=25⋅5≡1⋅5≡5(mod12).
2.1.5 Example
Let f be a polynomial with integer coefficients. Suppose a≡b(modn). Then
f(a)≡f(b)(modn).

Proof
We make repeated use of Theorem 2.1.3. If a≡b then a2≡b2, and so a3≡b3 etc. So
ak≡bk for each k. So if f=ckxk+⋯+c1x+c0 then f(a)=ckak+⋯+c1a+c0≡ckbk+⋯
+c1b+c0=f(b).
2.1.6 Definition
Let n∈N, n≥2. Let a∈Z. The congruence class of a, denoted [a]n or [a] is the
set of all integers congruent to a mod n:
[a]=b∈Z∣b≡a(modn).
Any element of [a] is called a representative for the congruence class [a].
2.1.7 Example
Let n=2. Then:
● [0]=...,−4,−2,0,2,4,..., the set of even integers.
● [1]=...,−3,−1,1,3,5,..., the set of odd integers.
Note that [0]=[2]=[4] and [1]=[3]=[5] and so on, so there are just these two
congruence classes.
2.1.8 Example
Let n=4. Then:
● [0]=...,−8,−4,0,4,8,....
● [1]=...,−7,−3,1,5,9,....
● [2]=...,−6,−2,2,6,10,....
● [3]=...,−5,−1,3,7,11,....
And [4]=[0], [5]=[1] and so on, so there are just these four congruence classes.
2.1.9 Theorem
a≡c(modn) iff [a]=[c].

Proof
Suppose a≡c(modn). Let b∈[a]. Then b≡a(modn). But a≡c(modn), so b≡c(modn)
(Theorem 2.1.3). Hence b∈[c]. Since b∈[a] was arbitrary, [a]⊆[c]. A similar argument
shows that if b∈[c] then b∈[a], so [c]⊆[a]. Thus [a]=[c].
Suppose [a]=[c]. Since a≡a(modn) we know that a∈[a]=[c], so a≡c(modn).
2.1.10 Corollary
Any two congruence classes mod n are either equal or disjoint.

Proof
Let [a] and [c] be two congruence classes. If they are disjoint there is nothing to prove.
So assume there is an element b in their intersection. Then by definition of congruence
class, b≡a
and b≡c(modn), so a≡c(modn) so [a]=[c] by the previous theorem.
2.1.11 Theorem
There are exactly n congruence classes modulo n, namely [0],[1],...,[n−1].

Proof
We first show that these classes are all distinct. Suppose 0≤r<s<n. Then 0<s−r<n. There is
no integer multiple of n in the interval (0,n), so n∤(s−r), so r≡s(modn). Then by Theorem
2.1.9, [r]=[s]. So no two of [0],[1],...[n−1] are equal.
Next we show that every congruence class is equal to one of these listed. Let a∈Z.
By the Division Algorithm we may write a=qn+r with r=0 or 1 or... or n−1. Now
a≡r(modn) (since a−r=qn). By Theorem 2.1.9, [a]=[r] with r=0 or 1 or... or n−1.
2.1.12 Definition
The set of congruence classes mod n is called the set of integers modulo n, and
denoted Z/nZ.

2.1.13 Definition
Define a function π:Z→Z/nZ by π(a)=[a]. The function is called the reduction mod n
function.

2.2. Defining Operations in Z/nZ


2.2.1 Example
In Z/5Z, [2]⊕[4]=[2+4]=[6]=[1]. Also, [3]⊕[2]=[5]=[0].

2.2.3 Theorem
⊕ is well defined on Z/nZ. That is, it does not depend on the particular names of the
congruence classes chosen in equation 2.2.1.

Proof
Let [a],[c]∈Z/nZ. We must show that if [a]=[b] and [c]=[d] then [a]⊕[c]=[b]⊕[d].
Now [a]=[b] implies a≡b(modn) (Theorem 2.1.9) and similarly [c]=[d] implies
c≡d(modn). Thus a+c≡b+d(modn) by Theorem 2.1.3, so [a+c]=[b+d]. Hence
[a]⊕[c]=[b]⊕[d].
2.2.4 Example
Here is the complete addition table mod 3:

⊕ [0] [1] [2]

[0] [0] [1] [2]

[1] [1] [2] [0]

[2] [2] [0] [1]

We can define multiplication mod n in a similar way.

2.2.5 Definition
Define multiplication on Z/nZ by [a]⊙[b]=[ab].

2.2.6 Theorem
⊙ is well defined on Z/nZ.

Proof Exercise. We have to show that if [a]=[b] and [c]=[d] then [a]⊙[c]=[b]⊙[d].
The Theorems needed are 2.1.9 and 2.1.3.

2.2.7 Example
Here is the complete multiplication table mod 3:

⊙ [0] [1] [2]

[0] [0] [0] [0]

[1] [0] [1] [2]

[2] [0] [2] [1]

2.2.8 Theorem
For any classes [a],[b],[c]∈Z/nZ:
(a) [a]⊕([b]⊕[c])=([a]⊕[b])⊕[c]
(b) [a]⊕[0]=[a]=[0]⊕[a].
(c) [a]⊕[−a]=[0]=[−a]⊕[a].
(d) [a]⊕[b]=[b]⊕[a].
(e) [a]⊙([b]⊙[c])=([a]⊙[b])⊙[c]
(f) [a]⊙[1]=[a]=[1]⊙[a].
(g) [a]⊙[b]=[b]⊙[a].
(h) [a]⊙([b]⊕[c])=([a]⊙[b])⊕([a]⊙[c]).
(i) ([a]⊕[b])⊙[c]=([a]⊙[c])⊕([b]
⊙[c]). Proof
Each property follows from the analogous property about integers. For example to prove
(d): [a]⊕[b]=[a+b]=[b+a] (since a+b=b+a for integers a and b), and [b+a]=[b]⊕[a].
The other properties are just as simple and are left as exercises.
2.2.9 Example
● In Z/6Z we have [2]⊙[3]=[6]=[0]. So two non-zero elements can multiply to
give [0].
● In Z/6Z, [2]⊙[1]=[2]=[2]⊙[4] but [1]=[4]. So cancellation fails: ab=ac does
not imply b=c (even if a=[0]).
2.3. New notation fior Z/nZ
2.3.1 Definition
From now on when working mod n, we write a to mean the congruence class
[a]. We write a+b instead of [a]⊕[b] and ab instead of [a]⊙[b]. We also write
a−b for [a]⊕[−b]. We call [0] the zero element.

Nonetheless we should always bear in mind the distinction between Z and Z/nZ.
For example, mod 5 we have 1≡6, which is not true in Z. We have 2+3=0 which is
also false in Z.

2.3.2 Example
For all n∈Z, n2≡0 or 1(mod4).

Proof
We know that Z/4Z=0,1,2,3. So n2≡02,12,22 or 32. But 02≡0, 12≡1, 22=4≡0, and 32=9≡1(mod4).
2.3.3 Example
For all n∈Z,7∣n3 or 7∣n3±1.

Proof
The 7 congruences classes mod 7 may be represented by −3,−2,−1,0,1,2,3 since 4≡−3,
5≡−2, 6≡−1.
n −3 −2 −1 0 1 2 3

n3 −27≡1 −8≡−1 −1≡−1 0 1 8≡1 27≡−1

Thus n3≡0 or ±1(mod7) for every n.

2.3.4 Example
Prove that the equation x3+10000=y3 has no solutions in integers x, y.

Proof
If x3+10000=y3 then x3+10000≡y3(mod7) (by Theorem 2.1.3(1)). Since 10000≡4(mod7),
x3+4≡y3(mod7).
But x3≡−1,0, or 1(mod7) by previous example, so x3+4≡3,4 or 5(mod7), while
y3≡−1,0, or 1(mod7). This is a contradiction.
2.3.5 Example
What is the last decimal digit of 32010?

Solution
We note that 31≡3(mod10), 32≡9, 33≡7 and 34≡1(mod10). So
32010=34⋅502+2=(34)502⋅32≡1502⋅9=9(mod10).
So the last digit is 9.
Exercises

16 Exercise
(a) Prove that 6∣a(a2+11) for any integer a.
(b) Prove that if a and b are odd then a2−b2 is a multiple of
8. 17 Exercise
Find all solutions of x2+y2=z2 with x,y,z∈N. (Pythagorean triples.)
(a) Recall from Exercise 11 that n is a square iff every exponent occurring in the
factorization of n is even. Using this, prove that if d2∣m2 then d∣m.
(b) Hence prove that if gcd(u,v)=1 and uv is a square then u and v are squares.
(c) Show that if d divides any two of x,y,z then it divides the third.
(d) Let d=gcd(x,y,z). Let X=x/d, Y=y/d, Z=z/d. Show that X2+Y2=Z2
with gcd(X,Y)=gcd(X,Z)=gcd(Y,Z)=1.
(e) Show that one of X and Y must be even and one must be odd, and that Z must
be odd. Hint: work mod 4.
(f) Without loss of generality, let Y be even, say Y=2c and let X and Z be odd. Let
u=(X+Z)/2 and v=(Z−X)/2. Show that uv=c2 and gcd(u,v)=1.
(g) Conclude that u=a2 and v=b2 for some a,b∈Z.
(h) Hence show that X=a2−b2, Y=2ab and Z=a2+b2.
(i) Obtain a Pythagorean triple with 2004 as one of the sides.
2.4. Powers in Z/nZ: Repeated Squaring
2.4.1 Example
Show that 11∣(332+2).

Solution
We repeatedly square mod 11.
32≡9
34=(32)2≡92≡4(mod11)
38=(34)2≡42≡5(mod11)
316=(38)2≡52≡3(mod11)
332=(316)2≡32≡9(mod11)
So 332+2≡9+2≡11≡0(mod11) so 11∣(332+2).
2.4.2 Example
Find the last 2 decimal digits of 2100.

Solution
We work in
Z/100Z. 22≡4
24≡(22)2≡42≡16(mod100)
28=(24)2≡162≡256≡56(mod100)
216=(28)2≡562≡3136≡36(mod100)
232=(216)2≡362≡1296≡−4(mod100)
264=(232)2≡(−4)2≡16(mod10
0) Now 100=64+32+4 so
2100=264⋅232⋅24≡16⋅(−4)⋅16≡76(mod100).
So 2100≡76(mod100).
2.4.3 Theorem
It is possible to calculate aN(modn) using only clog(N) multiplications, for some
constant c.

2.4.5 Algorithm [Powers mod n]


Given x∈Z, n,N∈N with n≥2 this algorithm returns xN(modn). The algorithm is
recursive:

Power(x, n, N) =
if N == 0:
return
1 if N ==
1:
return x %
n if N is
even:
half_power = Power(x, n, N / 2)
return (half_power * half_power)
% n else (N is odd):
return (x * Power(x, n, N - 1)) % n

18 Exercise Calculate 2341(mod340).


19 Exercise Find the smallest integer larger than 11104 that is exactly divisible by 17.
2.5. Application: Diffie-Hellman Key Exchange
2.5.1 Definition
The task of finding N given aN(modn) is called the discrete logarithm problem.

2.5.2 Example
If 2N≡3(mod11), find N.

Solution
We just have to try all the possibilities in turn.
N 1 2 3 4 5 6 7 8 9 10

2N(m 2 4 8 5 10 9 7 3 6 1
od11)

So N=8.

2.5.3 Algorithm [The Diffie-Hellman key exchange algorithm]


(a) A and B publicly choose a large prime number p and base a.
(b) A secretly chooses a number s, and sends as(modp) to B.
(c) B secretly chooses a number t, and sends at(modp) to A.
(d) A secretly calculates k=(at)s(modp). B secretly calculates k=(as)t(modp). Let k
be the secret key.
A and B never reveal s,t or k to anyone else.
E can see as and at(modp) but cannot efficiently find the discrete logarithms s and t, so
she cannot find k=ast.
2.5.4 Example
Suppose a=2, p=11. Suppose A chooses s=4 and B chooses t=8. Calculate the
secret key.

Solution
● A sends 24≡5(mod11) to B.
● B sends 28≡3(mod11) to A.
● A receives 3 from B and calculates k=3s=34≡81≡4(mod11).
● B receives 5 from A and calculates k=5t=58≡(52)4≡(25)4≡34≡81≡4(mod11).
● This establishes the secret key k=4 for A and B to use.

2.6. Inverses in Z/nZ


2.6.1 Definition
Let a∈Z/nZ. A solution x∈Z/nZ of the equation ax≡1(modn) is called an inverse of
a(modn), and denoted a−1.
2.6.2 Example
● 3⋅4≡1(mod11), so 4 is an inverse of 3 mod 11.
● 5⋅5≡1(mod12) so 5 is its own inverse, mod 12.
● 2x≡1(mod10) has no solution. Proof: If 2x≡1(mod10) then 10∣(2x−1). But 2x−1 is
odd, so is not divisible by 10. So 2 is not invertible mod 10.
2.6.3 Theorem
If [a]=[c] in Z/nZ then gcd(a,n)=gcd(c,n).

Proof
If [a]=[c] then a≡c(modn) by Theorem 2.1.9. Let a−c=qn, for some integer q, so a=qn+c. Then
gcd(a,n)=gcd(c,n) by Theorem 1.5.1.
2.6.4 Theorem
a is invertible mod n iff gcd(a,n)=1.

Proof
By definition, a is invertible mod n iff there exists an integer x with ax≡1(modn). This is true
iff there also exists an integer y with ax+ny=1.
But this equation is solvable in x and y iff gcd(a,n)=1 by Theorem 1.6.5 (Bézout's identity).
2.6.5 Corollary
Let p be a prime number. Then every non-zero element of Z/pZ is invertible.

Proof
If a∈Z/pZ is non-zero then a≡0(modp), so p∤a. Since the only factors of p are 1 and p,
this means gcd(a,p)=1, and a is invertible.
2.6.6 Example
Which numbers are invertible mod 12?

Solution
The classes mod 12 are 0, 1, ..., 11. A class a is invertible mod 12 iff gcd(a,12)=1 by Theorem
2.6.4. Testing in turn, gcd(0,12)=12>1, gcd(2,12)=2>1, gcd(3,12)=3>1 etc. So a is invertible
mod 12 iff a≡1,5,7,11(mod12). Thus there are 4 invertible elements mod 12.
2.6.7 Theorem
Let n∈N, n≥2, and let a∈Z.
(a) If a is invertible, then its inverse is unique mod n.
(b) If a is invertible so is a−1, and (a−1)−1≡a.
Proof
(a) Suppose b and c are both inverses of a(modn). Then ab≡ac≡1(modn). So
a(b−c)≡0(modn) which says that n∣a(b−c). Now if a is invertible, gcd(n,a)=1 by
Theorem 2.6.4, so n∣(b−c) by Theorem 1.7.1. Thus b≡c(modn).
(b) If a is invertible then aa−1≡a−1a≡1(modn). This says that a is the inverse of a−1.
2.6.8 Theorem
Let n∈N, n≥2, and let a,b∈Z. If gcd(a,n)=1 then the congruence equation
ax≡b(modn) has a unique solution mod n.

Proof
Take x=a−1b. Then ax=aa−1b≡1⋅b=b(modn), so the equation has a solution.
If x1 and x2 are two solutions then ax1≡ax2(modn) so multiplying by a−1 on each side,
x1≡x2(modn), so the solution is unique.
2.6.9 Example
The equation 3x≡0(mod6) has solutions x≡0,2 or 4(mod6). Note that ax1≡ax2 does not
imply x1≡x2 in this case.

2.6.10 Theorem
a−1ak≡ak−1(modn). This motivates the negative power notation for inverses.

20 Exercise Prove theorem 2.6.10.

2.6.11 Algorithm [Inverses Mod n]


To calculate a−1(modn), find x and y with nx+ay=1, using the Extended Euclidean
Algorithm. Then y≡a−1(modn).

2.6.12 Example
Calculate 11−1(mod80).

Solution
We want to write 80x+11y=1. Using the Extended Euclidean Algorithm:
q T X Y

80 1 0

11 0 1

7 3 1 -7

3 2 -3 22

1 1 4 -29

So 80(4)+11(−29)=1, so 1≡(−29)⋅11(mod80), so 11−1≡−29≡51(mod80).


Check: 11⋅51=561=7⋅80+1≡1(mod80).
2.6.13 Example
Solve the congruence equation 11x≡4(mod80).

Solution
If 11x≡4(mod80) then x≡11−1⋅4≡51⋅4≡204≡44(mod80).
Check: 11⋅44=484≡4(mod80).
21 Exercise Calculate 14−1(mod23). Hence solve the congruence 14x≡11(mod23).

2.7. The Euler Function


2.7.1 Definition
Define a function ϕ:N→N by ϕ(n)=The number of a with 1≤a≤n and gcd(a,n)=1.
This is called the Euler ϕ function. Equivalently, ϕ(n) is the number of invertible
elements modulo n.
2.7.2 Example
The numbers a with 1≤a≤12 and a relatively prime to 12 are 1, 5, 7 and 11, so ϕ(12)=4.

n Invertible elements mod n ϕ(n)

2 1 1

3 1, 2 2

4 1, 3 2

5 1, 2, 3, 4 4

6 1, 5 2

7 1, 2, 3, 4, 5, 6 6

8 1, 3, 5, 7 4

9 1, 2, 4, 5, 7, 8 6

10 1, 3, 7, 9 4

12 1, 5, 7, 11 4

2.7.3 Theorem
Let p be a prime number and k∈N. Then ϕ(pk)=pk−pk−1=pk−1(p−1).

Proof
ϕ(pk)=pk minus the number of a with 1≤a≤pk and gcd(a,pk)>1.
Now gcd(a,pk)>1 implies a and pk share a common factor, hence a common prime
factor, which must be p. Conversely if p∣a then gcd(a,pk)>1. So the numbers with
gcd(a,pk)>1 are precisely the multiples of p, and there are pk/p=pk−1 of these in
the specified range. So ϕ(pk)=pk−pk−1.
2.7.4 Theorem
If gcd(m,n)=1 then ϕ(mn)=ϕ(m)ϕ(n).

2.7.5 Example
Calculate ϕ(540).
Solution
540=22⋅33⋅51
ϕ(540)=ϕ(22)ϕ(33)ϕ(5)
=(22−21)(33−32)(51−50)
=2(2−1)⋅32(3−1)⋅(5−1)
=2⋅9⋅2⋅4=144
22Exercise Calculate ϕ(n) for 1≤n≤20. Calculate ϕ(2010).
23Exercise Prove that ϕ(n) is even for all n≥3. Prove that ϕ(n)=14 has no solution, and 14 is
the smallest even natural number with this property. Find all n with ϕ(n)=6.
24Exercise Show that ϕ(n2)=nϕ(n). Show that if m∣n then ϕ(m)∣ϕ(n).
25Exercise Show that ϕ(n)=n∏p∣n(1−p1), where p is prime and ∏ denotes the product.
2.8. The Chinese Remainder Theorem
2.8.1 Example
The
system
x≡0(mod
2)
x≡1(mod
2)
clearly is inconsistent. No integer x can be both 0 and 1 mod 2.
2.8.2 Example
The
system
x≡4(mod7
)
x≡9(mod1
1)
x≡3(mod1
3)
is solvable: x=900 is a solution.
2.8.3 Theorem [Chinese Remainder Theorem]
Let m1,…,mn be pairwise relatively prime positive integers. Let ai∈Z, 1≤i≤n. Then any
simultaneous system of congruences
x≡ai(modmi)i=1,2,…n
is solvable. Moreover the solution is unique modulo m1m2⋯
mn. Proof
We give a constructive proof. The idea is to find a number e1 that is 0(modm2),m3,…,mn
but e1≡a1(modm1). Similarly find an e2 that is 0(modm1),m3,m4…,mn but is a2(modm2).
Etc. The desired x will then be e1+e2+⋯+en.
The details are as follows: Let M=∏jmj and Mi=∏j=imj=M/mi.
Then gcd(mi,Mi)=1 because Mi is a product of numbers relatively prime to mi (theorem
1.8.4). So let Ni be an integer with MiNi≡1(modmi).
Finally let x=∑aiMiNi.
If we reduce x(modmi), every term in the sum is 0 except the i-th because mi divides
every other Mj.
So x≡aiMiNi≡ai⋅1=ai(modmi) as required. This proves existence.
If y is another solution of the system then x−y≡0(modmi) for each i, so mi∣(x−y). But the
mi are relatively prime, so m1⋯mn∣(x−y) by Theorem 1.7.6, so x≡y(modm1⋯mn).
2.8.4 Example
Solve the system
x≡4(mod7)
x≡9(mod11)
x≡3(mod13)
Solution
m1=7,m2=11,m3=13.
M1=11⋅13=143, M2=7⋅13=91, M3=7⋅11=77.
Then
M1≡143≡3(mod7), M2≡91≡3(mod11), M3≡77≡−1(mod13).
Thus we can take
N1=3−1≡5(mod7) (since
3⋅5=15≡1(mod7)), N2=3−1≡4(mod11)
(since 3⋅4=12≡1(mod11)),
N3=(−1)−1≡−1≡12(mod13).
So
x=a1M1N1+a2M2N2+a3M3N3
=4⋅(11⋅13)⋅5+9⋅(7⋅13)⋅4+3⋅(7⋅11)⋅(−1)
=4⋅143⋅5+9⋅91⋅4+3⋅77⋅(−1)
=2860+3276−231=5905
≡900(mod7⋅11⋅13). (since 5905=5⋅1001+900)
2.8.5 Example
Solve the equation x2+1≡0(mod85).

Solution
At first this seems to have nothing to do with the CRT. However any solution must satisfy
85∣(x2+1). Since 85=5⋅17 this would imply 5∣(x2+1) and 17∣(x2+1). Conversely if 5∣(x2+1) and
17∣(x2+1) then 85∣(x2+1) by Theorem 1.7.6.
So solving the given equation is the same as solving the
system x2≡−1(mod5)
x2≡−1(mod17).
The equation x2≡−1(mod5) clearly has solutions x≡±2(mod5) (since 22=4≡−1 and
(−2)2=4≡−1). The equation x2≡−1(mod17) has solutions x≡±4(mod17) (since 42=16≡−1
and (−4)2=16≡−1).
There are four choices altogether, and each will reassemble into a solution mod 85 using CRT:
1. x≡2(mod5), x≡4(mod17) ⟹x≡72(mod85).
2. x≡2(mod5), x≡−4(mod17) ⟹x≡47(mod85).
3. x≡−2(mod5), x≡4(mod17) ⟹x≡38(mod85).
4. x≡−2(mod5), x≡−4(mod17)
⟹x≡13(mod85). So x≡13,38,47 or
72(mod85).
26Exercise Check the steps labelled CRT in the above calculation.
27Exercise Solve the system x≡2(mod3), x≡4(mod5), x≡6(mod7).
28Exercise Prove that if gcd(a,561)=1 then a560≡1(mod561). Hint: factor 561 and use the CRT.
2.9. The order ofi an element
2.9.1 Definition
Let (Z/nZ)× be the set of invertible elements mod n.
So (Z/nZ)× is a set with ϕ(n) elements.
2.9.2 Example
● (Z/12Z)×=1,5,7,11.
● If p is prime, (Z/pZ)×=1,2,…,p−1.
Since there are only a finite number of elements in (Z/nZ)×, we must eventually
get ar≡as(modn) for some r>s. Since a is invertible mod n we can multiply by
a−s times and use theorem 2.6.10 to conclude that ar−s≡1(modn). Thus for each a,
ak≡1(modn) for some positive integer k.

2.9.3 Definition
The order of a∈(Z/nZ)× is the least positive integer k such that ak≡1(modn).

2.9.4 Example
Calculate the order of 2 mod 5.

Solution
The powers of 2 mod 5 are:
k 1 2 3 4

2k(mod5) 2 4 3 1
So the order of 2 is 4.

2.9.5 Example
Calculate the order of 2 mod 11.

Solution
The powers of 2 mod 11:
k 1 2 3 4 5 6 7 8 9 10

2k( 2 4 8 5 10 9 7 3 6 1
m
od11)

So the order is 10.

2.9.6 Example
Calculate the order of each invertible element mod 7.

Solution
Consider the table of powers mod 7:
x x2 x3 x4 x5 x6

1 1 1 1 1 1

2 4 1 2 4 1

3 2 6 4 5 1

4 2 1 4 2 1

5 4 6 2 3 1

6 1 6 1 6 1

Thus 1 has order 1, 6 has order 2, 2 and 4 have order 3, and 3 and 5 have order 6.

|x|1|2|3|4|5|6|
|---|---|---|---|---|---|
| Order of x | 1 | 3 | 6 | 3 | 6 | 2 |
2.9.7 Example
1 always has order 1, and every other element in (Z/nZ)× has order greater than 1.
2.9.8 Theorem
Let a∈(Z/nZ)× and let m∈N. Then am=1 iff m is a multiple of the order of a.

Proof
Let the order of a be t.
⟹ Suppose am=1. Use the Division Algorithm to write m=qt+r with 0≤r<t. Then
1≡am=aqt+r=(at)q⋅ar≡1q⋅ar=ar(modn).
Since 0≤r<t, the definition of order implies that r=0. Thus t divides m.
> If m=qt then am=(at)q≡1q=1(modn).
2.9.9 Corollary
Let t be the order of a∈(Z/nZ)×. Then ar≡as iff r≡s(modt).

Proof ar≡as iff ar−s≡1 iff t∣(r−s) by theorem 2.9.8.

2.9.10 Corollary
Let t be the order of a∈(Z/nZ)×. Then 1,a,a2,…,at−1 are all distinct mod n.

Proof
Suppose 0≤s<r<t. If ar≡as then t∣(r−s) by the previous corollary. But 0<r−s<t and there is
no multiple of t in the interval (0,t), contradiction.
2.10. Primitive Roots
2.10.1 Definition
Let a∈(Z/nZ)×. If the order of a is ϕ(n) then a is called a primitive root mod n.

2.10.2 Example
● By example 2.9.4 the order of 2 mod 5 is 4=ϕ(5), so 2 is a primitive root mod 5.
And indeed, the powers of 2 give all invertible elements mod 5.
● By example 2.9.5 the order of 2 mod 11 is 10=ϕ(11), so 2 is a primitive root
mod 11. The powers of 2 give all invertible elements mod 11.
● By example 2.9.6 the order of 2 mod 7 is 3=ϕ(7)=6. Only 3 elements are
powers of 2 mod 7, so 2 is not a primitive root mod 7. However the order of 3
mod 7 is 6, so 3 is a primitive root mod 7.
2.10.3 Example
Solve the equation x7≡5(mod11).

Solution
2 is a primitive root mod 11. Recall the table of Example 2.9.5:
k 1 2 3 4 5 6 7 8 9 10

2k( 2 4 8 5 10 9 7 3 6 1
m
od11)

Thus 5≡24. Moreover, since every non-zero element of Z/11Z is a power of 2 (and x≡0 is
clearly not a solution), we can write x≡2y for some integer y. The equation becomes
27y≡24(mod11).
By Corollary 2.9.9,
7y≡4(mod10). (Warning: the new equation is taken modulo the order of 2, which is 10, not
11.) Now 7−1≡3(mod10), so multiplying by 3, y≡3⋅4≡12≡2(mod10).
Hence x≡22≡4(mod11).
Check: 47=16384. 16384=11⋅1489+5, so 47≡5(mod11).
2.10.4 Example
There is no primitive root mod 8.

Proof
(Z/8Z)×=1,3,5,7. But 12≡1(mod8), 32≡9≡1(mod8), 52≡25≡1(mod8), 72≡49≡1(mod8). So
every element of (Z/8Z)× has order at most 2, and nothing has order ϕ(8)=4.
2.10.5 Theorem
There exists a primitive root mod n iff n=2,4,pk or 2pk where p is an odd prime and
k∈N. In particular, there always exist primitive roots mod p.

2.11. Fermat’s Little Theorem


2.11.1 Theorem [Euler]
Let n∈N. Suppose a∈Z and gcd(a,n)=1. Then aϕ(n)≡1(modn).

2.11.2 Example
Recall the table of powers mod 7:

x x2 x3 x4 x5 x6

1 1 1 1 1 1

2 4 1 2 4 1

3 2 6 4 5 1

4 2 1 4 2 1

5 4 6 2 3 1

6 1 6 1 6 1
We see that a6≡1(mod7) for each a, as predicted by Euler’s Theorem since ϕ(7)=6.

2.11.3 Corollary [Fermat’s Little Theorem]


Let p be prime. Suppose a∈Z is not divisible by p. Then ap−1≡1(modp).

Proof
Take n=p in Euler’s Theorem. Then ϕ(p)=p−1.
2.11.4 Corollary
Let p be prime. Then every integer a satisfies ap≡a(modp).

Proof
If p∤a then ap−1≡1(modp), so the result follows on multiplying through by a. If p∣a then
a≡0(modp) and the result is obvious.
2.11.5 Example
Find 3100(mod101). (Note: 101 is prime.)

Solution
By Fermat’s Liflle Theorem 3100≡1(mod101). Indeed a100≡1(mod101) for any
a≡0(mod101).
29Exercise Check by repeated squaring that a100≡1(mod101) for a=2,3,4 and 5.

2.11.6 Example
Calculate 51000000(mod18).

Solution
ϕ(18)=ϕ(2)ϕ(32)=(2−1)⋅(32−31)=1⋅(9−3)=6. So 56≡1(mod18), by Euler’s Theorem.
Now 1000000=6⋅166666+4, so
51000000≡(56)166666⋅54≡1166666⋅54≡54=625(mod18).
625=18⋅34+13, so 54≡13(mod18).
2.12. Applications: RSA
2.12.1 Algorithm [RSA]
● Choose large primes p and q (each with at least 100 decimal digits).
● Calculate N=pq and ϕ(N)=(p−1)(q−1). Choose a random integer e
with gcd(e,ϕ(N))=1.
● Using Euclid’s algorithm, calculate d=e−1(modϕ(N)).
● Publish the public key (N,e). Retain the private key d.
● A message will be an integer x with 0<x<N.
● Encryption: If someone wants to send you a message x they encrypt it by
instead sending xe(modN).
● Decryption: To decrypt a received message y, calculate yd(modN).
2.12.2 Theorem
RSA works.

Proof
Since ed≡1(modϕ(N)), we know ed=1+tϕ(N) for some integer t. If we receive y≡xe, we
calculate yd≡(xe)d≡xed≡x⋅(xϕ(N))t(modN).
Assume that gcd(x,N)=1. By Euler’s theorem xϕ(N)≡1(modN), so yd≡x⋅1t≡x(modN) and we
recover the original message.
30 Exercise What happens if gcd(x,N)>1 in RSA? Then we cannot use Euler’s theorem.
Check the following argument.
Instead of using Euler’s theorem, work mod p:
yd≡x⋅(xϕ(N))t=x⋅x(p−1)(q−1)t≡x⋅(x(p−1))
(q−1)t(modp). This is congruent to:
● 0(modp), if p∣x
● x⋅1(modp), if p∤x (by Fermat’s Liflle Theorem at the last
step). So yd≡x(modp) in all cases, so p∣(yd−x).
Similarly, q∣(yd−x). By Theorem 1.7.6, N=pq∣(yd−x), so x≡y(modN) for all possible
messages x.
31 Exercise If N=pq with p,q each about 10100, estimate ϕ(N)/N. This is
the probability that a random x(modN) will have gcd(x,N)>1. Comment on the
likelihood of this case arising.

32Exercise If gcd(x,N)>1 explain why we can immediately break RSA. (See the
next section.) So the validity of the algorithm is a moot point in this case.

2.12.3 Example
We give an example of RSA with small numbers. Choose p=5,q=11. Then N=pq=55,
ϕ(N)=(5−1)(11−1)=4⋅10=40. Let us choose e=3. Note that gcd(e,ϕ(N))=gcd(3,40)=1. We
need to find d≡e−1(mod40). By Euclid’s algorithm, d=27 (since 3⋅27=81=2⋅40+1).
The public key is (N,e)=(55,3). The private key is d=27. A message will be an integer x with
0<x<55.
Example: To send message x=18, we calculate
xe(modN)=183(mod55).
182=324≡54≡−1(mod55).
183≡18⋅(−1)≡−18≡37(mod55).
The encrypted message is 37. To decrypt, use the private key d=27 and calculate
3727(mod55).
Since 37≡−18(mod55) and 27 is odd, 3727≡(−18)27≡−(1827)
(mod55). We need to calculate 1827(mod55).
181≡18
182≡−1
184≡(−1)2≡1
So 1827=1824⋅182⋅181=(184)6⋅182⋅181≡16⋅(−1)⋅18≡−18(mod55).
So yd≡3727≡−(−18)≡18(mod55).
33 Exercise Let (N,e)=(323,11). Suppose you intercept an encrypted
message 316. Break the cipher and decrypt the message. Hint: you will
have to factor N.

2.13. The Security ofi RSA


The public key (N,e) is available to everyone. The cipher is broken if d is found. Since
de≡1(modϕ(N)), RSA is immediately broken if ϕ(N) can be calculated from N,
since then we can quickly find d using Euclid’s algorithm.

2.13.1 Theorem
Finding ϕ(N) is equivalent to factoring N.

Proof
⟹ Suppose ϕ(N) is somehow found. Then
ϕ(N)=(p−1)(q−1)=pq−(p+q)+1=N−(p+q)+1
so
p+q=N−ϕ(N)
+1.
Hence p+q can be found.
But
(p−q)2=(p+q)2−4pq=(p+q)2−4
N
so
p−q=(p+q)2−4N
.
This can also be found. Once we know p−q and p+q we recover p and q by adding and
subtracting these quantities:
p=2(p+q)+
(p−q) q=2(p+q)
−(p−q)
> If we know the factorization of N is N=pq then ϕ(N)=(p−1)(q−1) is easily
found. Thus: The security of RSA entirely depends on the difficulty of
factoring a large integer into its prime factors.
Modular Arithmstic Moduls - Answsr Ksy
16 Exsrciss Answsrs
(a) Prove that 6∣a(a2+11) for any integer a.
Proof: We need to show that a(a2+11) is divisible by 2 and 3.
● Divisibility by 2:
○ If a is even, then a(a2+11) is even, so it's divisible by 2.
○ If a is odd, then a2 is odd, so a2+11 is odd + odd = even. Thus, a2+11 is divisible by
2. Since a2+11 is a factor, a(a2+11) is divisible by 2.
In both cases, a(a2+11) is divisible by 2.
● Divisibility by 3:
Consider a(mod3):
○ If a≡0(mod3), then a(a2+11)≡0⋅(02+11)≡0(mod3).
○ If a≡1(mod3), then a(a2+11)≡1⋅(12+11)≡1⋅(1+11)≡1⋅12≡1⋅0≡0(mod3).
○ If a≡2(mod3), then a(a2+11)≡2⋅(22+11)≡2⋅(4+11)≡2⋅15≡2⋅0≡0(mod3). In
all cases, a(a2+11) is divisible by 3.
Since a(a2+11) is divisible by both 2 and 3, and gcd(2,3)=1, it is divisible by
2⋅3=6.
(b) Prove that if a and b are odd then a2−b2 is a multiple of 8.
Proof: If a and b are odd, they can be wriflen as a=2k+1 and b=2m+1 for integers k,m.
Then a2=(2k+1)2=4k2+4k+1=4k(k+1)+1.
Since k(k+1) is always even (either k or k+1 is even), 4k(k+1) is always a multiple of 8.
So a2≡1(mod8) for any odd integer a.
Similarly, b2≡1(mod8) for any odd integer b.
Therefore, a2−b2≡1−1≡0(mod8).
This means a2−b2 is a multiple of 8.
17 Exsrciss Answsrs
(a) If d2∣m2 then d∣m.
Proof: Let the prime factorization of d be d=p1e1…pkek and m=p1f1…pkfk…qjgj.
Then d2=p12e1…pk2ek and m2=p12f1…pk2fk…qj2gj.
If d2∣m2, then for each prime pi that divides d, its exponent in d2 must be less than or equal
to its exponent in m2. So 2ei≤2fi, which implies ei≤fi.
This means that every prime factor of d is also a prime factor of m, and its exponent in d
is less than or equal to its exponent in m. Thus, d∣m.
(b) If gcd(u,v)=1 and uv is a square then u and v are squares.
Proof: Let uv=k2 for some integer k.
Since gcd(u,v)=1, u and v share no common prime factors.
Let p be a prime factor of u. Then p must divide uv=k2. This means p must divide k.
Let pa be the highest power of p dividing u. Then pa divides k2. Since p does not divide v,
pa must be the highest power of p dividing uv.
For k2 to be a perfect square, all exponents in its prime factorization must be even. Thus,
a must be even.
Since this holds for every prime factor of u, u must be a perfect
square. A similar argument shows that v must be a perfect
square.
(c) Show that if d divides any two of x,y,z then it divides the third (for
x2+y2=z2). Proof:
● If d∣x and d∣y, then x=dk1,y=dk2. So (dk1)2+(dk2)2=z2⟹d2(k12+k22)=z2.
This means d2∣z2, and by part (a), d∣z.
● If d∣x and d∣z, then x=dk1,z=dk3. So (dk1)2+y2=(dk3)2⟹y2=d2(k32−k12).
This means d2∣y2, and by part (a), d∣y.
● If d∣y and d∣z, then y=dk2,z=dk3. So x2+(dk2)2=(dk3)2⟹x2=d2(k32−k22).
This means d2∣x2, and by part (a), d∣x.
(d) Let d=gcd(x,y,z). Let X=x/d, Y=y/d, Z=z/d. Show that X2+Y2=Z2
with gcd(X,Y)=gcd(X,Z)=gcd(Y,Z)=1.
Proof: Since d∣x,d∣y,d∣z, we can divide the equation x2+y2=z2 by d2:
(x/d)2+(y/d)2=(z/d)2⟹X2+Y2=Z2.
Now, let g=gcd(X,Y). Then g∣X and g∣Y. By part (c), since X2+Y2=Z2, it implies g∣Z.
So g is a common divisor of X,Y,Z. However, X=x/d,Y=y/d,Z=z/d, which implies
x=Xd,y=Yd,z=Zd. If g>1, then gd would be a common divisor of x,y,z larger than d,
which contradicts d=gcd(x,y,z). Therefore, g=1, so gcd(X,Y)=1.
Similarly, gcd(X,Z)=1 and gcd(Y,Z)=1. These are called primitive Pythagorean triples.
(e) Show that one of X and Y must be even and one must be odd, and that Z must
be odd. Hint: work mod 4.
Proof: Consider X2+Y2=Z2(mod4).
Squares modulo 4 are: 02≡0, 12≡1, 22≡0, 32≡9≡1.
So any square is either 0(mod4) (if even) or 1(mod4) (if odd).
● If both X and Y are even, then X≡0(mod2) and Y≡0(mod2). This
contradicts gcd(X,Y)=1. So X and Y cannot both be even.
● If both X and Y are odd, then X2≡1(mod4) and
Y2≡1(mod4). So Z2=X2+Y2≡1+1≡2(mod4).
However, a square cannot be 2(mod4). This is a contradiction. So X and Y
cannot both be odd.
Since X and Y cannot both be even and cannot both be odd, one must be
even and the other must be odd.
Let's assume X is odd and Y is even (or vice
versa). Then X2≡1(mod4) and Y2≡0(mod4).
So Z2=X2+Y2≡1+0≡1(mod4).
Since Z2≡1(mod4), Z must be odd.
(f) Without loss of generality, let Y be even, say Y=2c and let X and Z be odd. Let
u=(X+Z)/2 and v=(Z−X)/2. Show that uv=c2 and gcd(u,v)=1.
Proof:
From X2+Y2=Z2, we have Y2=Z2−X2=(Z−X)(Z+X).
Substitute Y=2c: (2c)2=(Z−X)(Z+X)⟹4c2=(Z−X)
(Z+X).
Since X and Z are odd, (X+Z) and (Z−X) are both
even. Let Z+X=2u and Z−X=2v. Then u=(X+Z)/2 and
v=(Z−X)/2. Substitute these into the equation:
4c2=(2v)(2u)=4uv. Dividing by 4, we get c2=uv.
Now for gcd(u,v):
Suppose d divides u and d divides v.
Then d divides
u+v=(X+Z)/2+(Z−X)/2=2Z/2=Z. And d divides
u−v=(X+Z)/2−(Z−X)/2=2X/2=X. So d is a
common divisor of X and Z.
From part (d), we know that
gcd(X,Z)=1. Therefore, d must be 1.
Hence, gcd(u,v)=1.
(g) Conclude that u=a2 and v=b2 for some
a,b∈Z. Proof: From part (f), we have uv=c2 and
gcd(u,v)=1.
By part (b), if two coprime integers multiply to a perfect square, then each of them must
be a perfect square.
Thus, u=a2 and v=b2 for some integers a,b.
(h) Hence show that X=a2−b2, Y=2ab and
Z=a2+b2. Proof: We have:
X=u−v=a2−b2
Z=u+v=a2+b2
Also, Y=2c and uv=c2⟹a2b2=c2⟹c=ab (assuming a,b positive for primitive
triples). So, Y=2ab.
Thus, any primitive Pythagorean triple (X,Y,Z) can be generated by X=a2−b2, Y=2ab,
Z=a2+b2 for some coprime integers a,b with a>b, and one of a,b is even and the other is
odd. (This condition ensures gcd(X,Y)=1 and X is odd, Y is even).
(i) Obtain a Pythagorean triple with 2004 as one of the
sides. We have X=a2−b2, Y=2ab, Z=a2+b2.
Case 1: Y=2004.
2ab=2004⟹ab=1002.
We need to find coprime factors a,b of 1002 where one is even and one is odd.
1002=2⋅3⋅167. (167 is prime)
Possible pairs (a,b) with a>b and gcd(a,b)=1:
● a=1002,b=1: (not coprime, a,b are not one even one odd, both even)
● a=167,b=6: gcd(167,6)=1, 167 is odd, 6 is even. This
works! Then X=a2−b2=1672−62=27889−36=27853.
Z=a2+b2=1672+62=27889+36=27925.
So (27853,2004,27925) is a Pythagorean triple.
Check: 278532+20042=775790409+4016016=779806425.
279252=779806425. This is correct.
Case 2: X=2004.
a2−b2=2004⟹(a−b)
(a+b)=2004.
Let a−b=k1 and a+b=k2. Then k1k2=2004.
Also k1 and k2 must have the same parity (since their sum 2a and difference 2b are even),
and since their product is even, both must be even.
Let k1=2x1,k2=2x2. Then 4x1x2=2004⟹x1x2=501.
501=3⋅167.
We need gcd(a,b)=1. Since a=(k1+k2)/2 and b=(k2−k1)/2, gcd(a,b)=gcd((k1+k2)/2,
(k2−k1)/2)=gcd(u,v) where u=(X+Z)/2,v=(Z−X)/2. In the context of a,b being generators,
gcd(a,b)=1 implies gcd(X,Y,Z)=1.
Let's find pairs (x1,x2) for x1x2=501:
● x1=1,x2=501.
a−b=2,a+b=1002⟹2a=1004⟹a=502. 2b=1000⟹b=500.
gcd(502,500)=2=1. This pair won't give a primitive triple. We can divide by 2 to
get a=251,b=250. These are coprime.
X=2512−2502=(251−250)(251+250)=1⋅501=501.
Y=2⋅251⋅250=125500.
Z=2512+2502=63001+62500=125501.
The primitive triple is (501,125500,125501). To get 2004, we need to scale this.
This would be a triple with X=501. If we want X=2004, we multiply by
2004/501=4. So (4⋅501,4⋅125500,4⋅125501)=(2004,502000,502004).
This is another valid triple.
18 Exsrciss Answsr
Calculate 2341(mod340).
First, factor 340=22⋅5⋅17=4⋅5⋅17.
We will calculate 2341 modulo 4, 5, and 17 separately, then use the Chinese Remainder
Theorem.
● Modulo 4:
2341(mod4). Since 341≥2, 2341 is divisible by 22=4.
So 2341≡0(mod4).
● Modulo 5:
By Fermat's Liflle Theorem, 2ϕ(5)≡24≡1(mod5).
341=4⋅85+1.
2341=(24)85⋅21≡185⋅2≡2(mod5).
● Modulo 17:
By Fermat's Liflle Theorem, 2ϕ(17)≡216≡1(mod17).
341=16⋅21+5.
2341=(216)21⋅25≡121⋅25≡32≡15(mod17).
Now we have a system of congruences:
x≡0(mod4)
x≡2(mod5)
x≡15(mod17)
From x≡0(mod4), x=4k.
Substitute into the second congruence: 4k≡2(mod5).
Multiply by 4 (inverse of 4(mod5)):
16k≡8(mod5)⟹k≡3(mod5). So k=5j+3.
Substitute back into x=4k: x=4(5j+3)=20j+12.
Now substitute into the third congruence: 20j+12≡15(mod17).
3j+12≡15(mod17)
3j≡3(mod17)
Since gcd(3,17)=1, we can divide by 3:
j≡1(mod17). So j=17m+1.
Substitute back into x=20j+12: x=20(17m+1)+12=340m+20+12=340m+32.
Therefore, 2341≡32(mod340).

19 Exsrciss Answsr
Find the smallest integer larger than 11104 that is exactly divisible by 17.
This means we want to find the smallest integer K>11104 such that
K≡0(mod17). First, calculate 11104(mod17).
By Fermat's Liflle Theorem, 1116≡1(mod17) (since 17 is prime and 17∤11).
104=16⋅6+8.
So 11104=(1116)6⋅118≡16⋅118≡118(mod17).
Now calculate 118(mod17):
112=121≡2(mod17) (121=7⋅17+2)
114≡22≡4(mod17)
118≡42≡16≡−1(mod17).
So 11104≡−1(mod17).
This means 11104=17k−1 for some integer k.
We are looking for the smallest integer K>11104 such that
K≡0(mod17). If 11104=M, then M≡−1(mod17).
The next multiple of 17 after M would be M−(−1)+17=M+1+17=M+18. No, this is not
correct. If M≡−1(mod17), then the nearest multiple of 17 greater than M is M−
(−1)=M+1.
For example, if M=16, M≡−1(mod17). The smallest multiple of 17 greater than 16 is 17. So
M+1=16+1=17.
Thus, the smallest integer larger than 11104 that is exactly divisible by 17 is 11104+1.
20Exsrciss Answsr
Prove Theorem 2.6.10: a−1ak≡ak−1(modn).
Proof:
Since a−1 is the inverse of a modulo n, by definition
a−1a≡1(modn). We want to show a−1ak≡ak−1(modn).
We can write ak=a⋅ak−1.
Then a−1ak=a−1(a⋅ak−1).
By associativity of multiplication in modular arithmetic (from Theorem 2.2.8 (e)), we
have: a−1(a⋅ak−1)≡(a−1a)⋅ak−1(modn).
Since a−1a≡1(modn), we substitute
this: (a−1a)⋅ak−1≡1⋅ak−1(modn).
And 1⋅ak−1≡ak−1(modn).
Therefore, a−1ak≡ak−1(modn).
21 Exsrciss Answsr
Calculate 14−1(mod23). Hence solve the congruence 14x≡11(mod23).
Part 1: Calculate 14−1(mod23).
We use the Extended Euclidean Algorithm to find integers x,y such that 23x+14y=1.
23=1⋅14+9
14=1⋅9+5
9=1⋅5+4
5=1⋅4+1
Now work backwards to express 1:
1=5−1⋅4
1=5−1⋅(9−1⋅5)=5−9+5=2⋅5−9
1=2⋅(14−1⋅9)−9=2⋅14−2⋅9−9=2⋅14−3⋅9
1=2⋅14−3⋅(23−1⋅14)=2⋅14−3⋅23+3⋅14=5⋅14−3⋅23.
So we have 23(−3)+14(5)=1.
Reducing this modulo 23, we get
14(5)≡1(mod23). Therefore, 14−1≡5(mod23).
Part 2: Solve 14x≡11(mod23).
Multiply both sides by 14−1≡5(mod23):
5⋅(14x)≡5⋅11(mod23)
(5⋅14)x≡55(mod23)
70x≡55(mod23)
Since 70≡1(mod23) (70=3⋅23+1) and 55≡9(mod23) (55=2⋅23+9):
1x≡9(mod23)
x≡9(mod23).
Check: 14⋅9=126. 126=5⋅23+11, so 126≡11(mod23). The solution is correct.
22 Exsrciss Answsrs

Calculate ϕ(n) for 1≤n≤20. Calculate ϕ(2010).


● ϕ(1)=1 (by convention, as gcd(1,1)=1)
● ϕ(2)=1 (invertible: 1)
● ϕ(3)=2 (invertible: 1, 2)
● ϕ(4)=2 (invertible: 1, 3)
● ϕ(5)=4 (invertible: 1, 2, 3, 4)
● ϕ(6)=ϕ(2)ϕ(3)=1⋅2=2 (invertible: 1, 5)
● ϕ(7)=6 (invertible: 1, 2, 3, 4, 5, 6)
● ϕ(8)=ϕ(23)=23−22=8−4=4 (invertible: 1, 3, 5, 7)
● ϕ(9)=ϕ(32)=32−31=9−3=6 (invertible: 1, 2, 4, 5, 7, 8)
● ϕ(10)=ϕ(2)ϕ(5)=1⋅4=4 (invertible: 1, 3, 7, 9)
● ϕ(11)=10
● ϕ(12)=ϕ(22)ϕ(3)=(22−21)(3−1)=2⋅2=4 (invertible: 1, 5, 7, 11)
● ϕ(13)=12
● ϕ(14)=ϕ(2)ϕ(7)=1⋅6=6
● ϕ(15)=ϕ(3)ϕ(5)=2⋅4=8
● ϕ(16)=ϕ(24)=24−23=16−8=8
● ϕ(17)=16
● ϕ(18)=ϕ(2)ϕ(32)=1⋅(32−31)=1⋅6=6
● ϕ(19)=18
● ϕ(20)=ϕ(22)ϕ(5)=(22−21)(5−1)=2⋅4=8
Calculate ϕ(2010).
First, find the prime factorization of 2010.
2010=10⋅201=(2⋅5)⋅(3⋅67).
So 2010=21⋅31⋅51⋅671.
Since all prime factors are distinct, we use the multiplicative property of ϕ:
ϕ(2010)=ϕ(2)ϕ(3)ϕ(5)ϕ(67)
ϕ(2010)=(2−1)(3−1)(5−1)(67−1)
ϕ(2010)=1⋅2⋅4⋅66=528.
23 Exsrciss Answsrs
(a) Prove that ϕ(n) is even for all
n≥3. Proof:
● If n=pk where p is an odd prime, then ϕ(pk)=pk−pk−1=pk−1(p−1). Since p is odd,
p−1 is even. So ϕ(pk) is even.
● If n=2k for k≥2 (so n≥4), then ϕ(2k)=2k−2k−1=2k−1(2−1)=2k−1. Since k≥2, k−1≥1,
so 2k−1 is even. Thus ϕ(2k) is even for n≥4. (ϕ(2)=1, not even).
● If n has at least one odd prime factor p, then n=pkm where gcd(pk,m)=1. Then
ϕ(n)=ϕ(pk)ϕ(m). Since ϕ(pk) is even (as shown above), ϕ(n) will be even.
● The only remaining case is n=2. ϕ(2)=1, which is not even. The question
specifies n≥3.
Therefore, for n≥3, ϕ(n) is always even.
(b) Prove that ϕ(n)=14 has no solution, and 14 is the smallest even natural number with
this property.
Proof:
Suppose ϕ(n)=14.
We know ϕ(n)=n∏p∣n(1−p1). Also, p−1 divides ϕ(n) for every prime factor p of
n. So p−1 must divide 14. This means p−1∈1,2,7,14.
Possible primes p are:
● p−1=1⟹p=2.
● p−1=2⟹p=3.
● p−1=7⟹p=8 (not prime).
● p−1=14⟹p=15 (not prime).
So the only possible prime factors of n are 2 and 3.
This means n must be of the form 2a3b for some non-negative integers a,b.
● If n=2a: ϕ(2a)=2a−2a−1=2a−1. We need 2a−1=14. This is not possible as 14 is not
a power of 2.
● If n=3b: ϕ(3b)=3b−3b−1=3b−1(2). We need 2⋅3b−1=14⟹3b−1=7. Not possible.
● If n=2a3b: ϕ(n)=ϕ(2a)ϕ(3b).
If a=0, we have 3b−1⋅2=14⟹3b−1=7, no
solution. If b=0, we have 2a−1=14, no solution.
If a≥1,b≥1: ϕ(n)=(2a−2a−1)
(3b−3b−1)=2a−1⋅2⋅3b−1=2a⋅3b−1. We need 2a⋅3b−1=14.
If b=1, then 2a⋅30=2a=14, no solution.
If b≥2, then 3b−1 would be a multiple of 3. 14 is not a multiple of 3. So no
solution for b≥2.
Thus, there is no integer n such that ϕ(n)=14.
To prove 14 is the smallest even natural number with this property, we check all even
numbers less than 14:
● ϕ(1)=1
● ϕ(2)=1
● ϕ(3)=2 (found for n=3,4,6)
● ϕ(4)=2
● ϕ(5)=4 (found for n=5,8,10,12)
● ϕ(6)=2
● ϕ(7)=6 (found for n=7,9,14,18)
● ϕ(8)=4
● ϕ(9)=6
● ϕ(10)=4
● ϕ(11)=10
● ϕ(12)=4
● ϕ(13)=12
So the values of ϕ(n) for n≥3 that are even and less than 14 are 2, 4, 6, 8, 10, 12.
All these values are aflained by some n. So 14 is indeed the smallest such
even
number.
(c) Find all n with ϕ(n)=6.
We require p−1∣6 for all prime factors p of n. So p−1∈1,2,3,6.
Possible primes p:
● p−1=1⟹p=2.
● p−1=2⟹p=3.
● p−1=3⟹p=4 (not prime).
● p−1=6⟹p=7.
So n can only have prime factors 2, 3, 7. Thus n=2a3b7c.
Case 1: n=2a. ϕ(2a)=2a−1. 2a−1=6, no integer solution for
a. Case 2: n=3b. ϕ(3b)=3b−1⋅2.
2⋅3b−1=6⟹3b−1=3⟹b−1=1⟹b=2. So n=32=9 is a solution.
ϕ(9)=6.
Case 3: n=7c. ϕ(7c)=7c−1⋅6.
6⋅7c−1=6⟹7c−1=1⟹c−1=0⟹c=1. So n=71=7 is a solution.
ϕ(7)=6.
Case 4: n=2a3b. ϕ(n)=ϕ(2a)ϕ(3b).
If a=1, ϕ(2)=1. ϕ(n)=1⋅(3b−1⋅2)=2⋅3b−1.
2⋅3b−1=6⟹3b−1=3⟹b=2.
So n=2132=18 is a solution. ϕ(18)=6.
If a≥2, ϕ(2a)=2a−1. ϕ(n)=2a−1⋅(3b−1⋅2)=2a⋅3b−1.
2a⋅3b−1=6.
If b=1, 2a=6, no integer solution for a.
If b=2, 2a⋅3=6⟹2a=2⟹a=1. This contradicts
a≥2. Case 5: n=2a7c. ϕ(n)=ϕ(2a)ϕ(7c).
If a=1, ϕ(2)=1. ϕ(n)=1⋅(7c−1⋅6)=6⋅7c−1.
6⋅7c−1=6⟹7c−1=1⟹c=1.
So n=2171=14 is a solution. ϕ(14)=6.
If a≥2, ϕ(2a)=2a−1. ϕ(n)=2a−1⋅(7c−1⋅6)=2a⋅3⋅7c−1.
2a⋅3⋅7c−1=6.
If c=1, 2a⋅3=6⟹2a=2⟹a=1. This contradicts a≥2.
Case 6: n=3b7c. ϕ(n)=ϕ(3b)ϕ(7c)=(3b−1⋅2)⋅(7c−1⋅6)=12⋅3b−1⋅7c−1.
12⋅3b−1⋅7c−1=6. This implies 3b−1⋅7c−1=1/2, no integer
solution. Case 7: n=2a3b7c. ϕ(n)=ϕ(2a)ϕ(3b)ϕ(7c).
If a=1, ϕ(n)=1⋅(3b−1⋅2)⋅(7c−1⋅6)=12⋅3b−1⋅7c−1. This is 12⋅⋯=6, no solution.
If a≥2, ϕ(n)=2a−1⋅(3b−1⋅2)⋅(7c−1⋅6)=2a⋅3⋅2⋅7c−1=2a+1⋅3⋅7c−1. This is 2a+1⋅3⋅⋯=6, implies
2a⋅7c−1=1, implies a=0,c=0, contradicts a≥2,c≥1.
The integers n for which ϕ(n)=6 are n=7,9,14,18.

24 Exsrciss Answsrs
(a) Show that ϕ(n2)=nϕ(n).
Proof:
Let the prime factorization of n be n=p1e1p2e2⋯pkek.
Then n2=p12e1p22e2⋯pk2ek.
Using the formula ϕ(m)=m∏p∣m(1−p1):
ϕ(n)=n(1−p11)(1−p21)⋯(1−pk1).
For n2, the set of distinct prime factors is the same as
for n. So ϕ(n2)=n2(1−p11)(1−p21)⋯(1−pk1).
We can rewrite this as:
ϕ(n2)=n[n(1−p11)(1−p21)⋯(1−pk1)].
The term in the square brackets is exactly ϕ(n).
Therefore, ϕ(n2)=nϕ(n).
(b) Show that if m∣n then ϕ(m)∣ϕ(n).
Proof:
Let m=p1a1…pkak and n=p1b1…pkbk⋅q1c1…qjcj, where pi are common prime factors and qi
are prime factors of n not in m.
Since m∣n, we must have ai≤bi for all i=1,…,k.
ϕ(m)=∏i=1k(piai−piai−1)=∏i=1kpiai−1(pi−1). (Assume ai≥1)
ϕ(n)=(∏i=1k(pibi−pibi−1))(∏l=1j(qlcl−qlcl−1))
ϕ(n)=(∏i=1kpibi−1(pi−1))(∏l=1jqlcl−1(ql−1)).
We can write ϕ(n)=(∏i=1kpiai−1(pi−1))(∏i=1kpibi−ai)(∏l=1jqlcl−1(ql−1)).
The first part is ϕ(m).
The product ∏i=1kpibi−ai is an integer since bi−ai≥0.
The product ∏l=1jqlcl−1(ql−1) is also an integer.
Since ϕ(n) is a product of ϕ(m) and other integers, ϕ(m) must divide ϕ(n).
25 Exsrciss Answsr
Show that ϕ(n)=n∏p∣n(1−p1).
Proof:
Let the prime factorization of n be n=p1e1p2e2⋯pkek.
The Euler totient function ϕ(n) is multiplicative, which means if gcd(A,B)=1, then
ϕ(AB)=ϕ(A)ϕ(B).
Using this property and the formula for prime powers:
ϕ(n)=ϕ(p1e1p2e2⋯pkek)
=ϕ(p1e1)ϕ(p2e2)⋯ϕ(pkek)
=(p1e1−p1e1−1)(p2e2−p2e2−1)⋯
(pkek−pkek−1) Factor out piei from each
term:
=p1e1(1−p11)p2e2(1−p21)⋯pkek(1−pk1)
Rearrange the terms:
=(p1e1p2e2⋯pkek)(1−p11)(1−p21)⋯
(1−pk1) The term (p1e1p2e2⋯pkek) is
n.
The product of terms (1−pi1) can be wriflen using product notation: ∏p∣n(1−p1).
Therefore, ϕ(n)=n∏p∣n(1−p1).
26 Exsrciss Answsr
Check the steps labelled CRT in Example 2.8.5.
The example states:
x≡2(mod5), x≡4(mod17) CRT ⟹x≡72(mod85).
m1=5,m2=17. a1=2,a2=4. M=m1m2=85.
M1=17, M2=5.
Find N1 such that M1N1≡1(modm1)⟹17N1≡1(mod5).
17≡2(mod5), so 2N1≡1(mod5). Multiply by 3 (inverse of 2 mod 5): 6N1≡3(mod5)⟹N1≡3(mod5).
Find N2 such that M2N2≡1(modm2)⟹5N2≡1(mod17).
5N2≡1(mod17). Try multiplying by values: 5⋅7=35≡1(mod17). So N2≡7(mod17).
x=a1M1N1+a2M2N2(modM)
x=2⋅17⋅3+4⋅5⋅7(mod85)
x=102+140(mod85)
x=242(mod85)
242=2⋅85+72. So 242≡72(mod85).
The first step is correct.
x≡2(mod5), x≡−4(mod17) CRT ⟹x≡47(mod85).
a1=2,a2=−4≡13(mod17).
x=2⋅17⋅3+13⋅5⋅7(mod85)
x=102+455(mod85)
x=557(mod85)
557=6⋅85+47. So 557≡47(mod85).
The second step is correct.
x≡−2(mod5), x≡4(mod17) CRT ⟹x≡38(mod85).
a1=−2≡3(mod5), a2=4.
x=3⋅17⋅3+4⋅5⋅7(mod85)
x=153+140(mod85)
x=293(mod85)
293=3⋅85+38. So 293≡38(mod85).
The third step is correct.
x≡−2(mod5), x≡−4(mod17) CRT
⟹x≡13(mod85). a1=−2≡3(mod5),
a2=−4≡13(mod17). x=3⋅17⋅3+13⋅5⋅7(mod85)
x=153+455(mod85)
x=608(mod85)
608=7⋅85+13. So 608≡13(mod85).
The fourth step is correct.
All CRT steps are verified as correct.

27 Exsrciss Answsr
Solve the system x≡2(mod3), x≡4(mod5), x≡6(mod7).
m1=3,m2=5,m3=7. a1=2,a2=4,a3=6.
M=3⋅5⋅7=105.
M1=5⋅7=35.
M2=3⋅7=21.
M3=3⋅5=15.
Find N1: M1N1≡1(modm1)⟹35N1≡1(mod3).
35≡2(mod3), so 2N1≡1(mod3). Multiply by 2: 4N1≡2(mod3)⟹N1≡2(mod3).
Find N2: M2N2≡1(modm2)⟹21N2≡1(mod5).
21≡1(mod5), so
1N2≡1(mod5)⟹N2≡1(mod5). Find N3:
M3N3≡1(modm3)⟹15N3≡1(mod7).
15≡1(mod7), so
1N3≡1(mod7)⟹N3≡1(mod7). Calculate x:
x=a1M1N1+a2M2N2+a3M3N3(modM)
x=(2⋅35⋅2)+(4⋅21⋅1)+(6⋅15⋅1)(mod105)
x=140+84+90(mod105)
x=314(mod105)
314=2⋅105+104.
So x≡104(mod105).
Check:
104≡2(mod3) (104=3⋅34+2) - Correct.
104≡4(mod5) (104=5⋅20+4) - Correct.
104≡6(mod7) (104=7⋅14+6) - Correct.
28 Exsrciss Answsr
Prove that if gcd(a,561)=1 then a560≡1(mod561). Hint: factor 561 and use the CRT.
Proof:
First, factor 561: 561=3⋅11⋅17.
Since gcd(a,561)=1, it implies gcd(a,3)=1, gcd(a,11)=1, and
gcd(a,17)=1. By Fermat's Liflle Theorem:
● aϕ(3)≡a2≡1(mod3).
We need to check a560(mod3). 560=2⋅280.
So a560=(a2)280≡1280≡1(mod3).
● aϕ(11)≡a10≡1(mod11).
We need to check a560(mod11). 560=10⋅56.
So a560=(a10)56≡156≡1(mod11).
● aϕ(17)≡a16≡1(mod17).
We need to check a560(mod17). 560=16⋅35.
So a560=(a16)35≡135≡1(mod17).
So we have the system of congruences:
a560≡1(mod3)
a560≡1(mod11)
a560≡1(mod17)
Since 3,11,17 are pairwise relatively prime, by the Chinese Remainder Theorem, if a number
is congruent to 1 modulo each of these, it is congruent to 1 modulo their product.
Therefore, a560≡1(mod3⋅11⋅17), which means a560≡1(mod561).
This is an example of a Carmichael number (561=3⋅11⋅17). For Carmichael
numbers n, an−1≡1(modn) for all a with gcd(a,n)=1.
29 Exsrciss Answsr
Check by repeated squaring that a100≡1(mod101) for a=2,3,4 and 5.
Note that 101 is a prime number. By Fermat's Liflle Theorem, a100≡1(mod101) for
a≡0(mod101). This exercise is to verify it through computation.
For a=2(mod101):
21=2
22=4
24=16
28=256≡54(mod101) (256=2⋅101+54)
216≡542=2916≡88(mod101) (2916=28⋅101+88)
232≡882≡(−13)2=169≡68(mod101) (169=1⋅101+68)
264≡682=4624≡79(mod101) (4624=45⋅101+79)
100=64+32+4.
2100=264⋅232⋅24≡79⋅68⋅16(mod101)
79⋅68=5372≡27(mod101) (5372=53⋅101+27)
27⋅16=432≡28(mod101) (432=4⋅101+28)
Ah, wait. Let's recompute powers 2k(mod101) carefully.
21=2
22=4
24=16
28=256≡54(mod101)
216≡542=2916(mod101). 2916=28×101+88⟹216≡88(mod101)
232≡882≡(−13)2=169(mod101). 169=1×101+68⟹232≡68(mod101)
264≡682=4624(mod101). 4624=45×101+79⟹264≡79(mod101)
100=64+32+4.
2100≡264⋅232⋅24(mod101)
2100≡79⋅68⋅16(mod101)
79⋅68=5372. 5372=53⋅101+19. So 79⋅68≡19(mod101).
2100≡19⋅16=304(mod101).
304=3⋅101+1. So 2100≡1(mod101). Correct.
For a=3(mod101):
31=3
32=9
34=81≡−20(mod101)
38≡(−20)2=400≡97≡−4(mod101) (400=3⋅101+97)
316≡(−4)2=16(mod101)
332≡162=256≡54(mod101)
364≡542=2916≡88(mod101)
100=64+32+4.
3100≡364⋅332⋅34≡88⋅54⋅(−20)(mod101)
88⋅54=4752. 4752=47⋅101+5. So 88⋅54≡5(mod101).
3100≡5⋅(−20)=−100≡1(mod101). Correct.
For a=4(mod101):
Since 4=22, 4100=(22)100=2200.
2200=(2100)2≡12≡1(mod101). Correct.
For a=5(mod101):
51=5
52=25
54=625≡19(mod101) (625=6⋅101+19)
58≡192=361≡58(mod101) (361=3⋅101+58)
516≡582=3364≡31(mod101) (3364=33⋅101+31)
532≡312=961≡52(mod101) (961=9⋅101+52)
564≡522=2704≡74(mod101) (2704=26⋅101+74)
100=64+32+4.
5100≡564⋅532⋅54≡74⋅52⋅19(mod101)
74⋅52=3848. 3848=38⋅101+10. So 74⋅52≡10(mod101).
5100≡10⋅19=190(mod101).
190=1⋅101+89≡−12(mod101).
Wait, there's a calculation error somewhere. Let me recheck 54.
54=625. 625=6×101+19. Correct.
58=192=361. 361=3×101+58. Correct.
516=582=3364. 3364=33×101+31. Correct.
532=312=961. 961=9×101+52. Correct.
564=522=2704. 2704=26×101+78.
Ah, 2704=26×101+78, not 74. So 564≡78(mod101).
Let's recompute 5100 with 564≡78:
5100≡564⋅532⋅54≡78⋅52⋅19(mod101)
78⋅52=4056. 4056=40⋅101+16. So 78⋅52≡16(mod101).
5100≡16⋅19=304(mod101).
304=3⋅101+1. So 5100≡1(mod101). Correct.
30Exsrciss Answsr
What happens if gcd(x,N)>1 in RSA?
The exercise already provides the detailed proof:
If gcd(x,N)>1, then either p∣x or q∣x (since N=pq and p,q are prime).
The proof showed that yd≡x(modp) and yd≡x(modq).
● Case 1: p∣x. Then
x≡0(modp). xϕ(N)=x(p−1)
(q−1)t.
If p∣x, then x≡0(modp). So x(p−1)(q−1)t≡0(modp) (assuming (p−1)
(q−1)t≥1). Then yd≡x⋅(xϕ(N))t≡x⋅0≡0(modp).
Since x≡0(modp), we have yd≡x(modp). This holds.
● Case 2: p∤x. (But q∣x could be true).
Then by Fermat's Liflle Theorem, xp−1≡1(modp).
So xϕ(N)=x(p−1)(q−1)t=(xp−1)(q−1)t≡1(q−1)t≡1(modp).
Then yd≡x⋅(xϕ(N))t≡x⋅1t≡x(modp). This also holds.
So in all cases (whether p∣x or p∤x), we have
yd≡x(modp). A symmetrical argument shows
yd≡x(modq).
Since yd≡x(modp) and yd≡x(modq), and p,q are distinct primes (hence
gcd(p,q)=1), by the Chinese Remainder Theorem, yd≡x(modpq).
Since pq=N, we get yd≡x(modN).
So RSA still works even if gcd(x,N)>1.
The "moot point" comment in the original module (Exercise 32 refers to it)
suggests that if gcd(x,N)>1, then it might be easier to break RSA. This is because if
gcd(x,N)>1, then gcd(x,N) would be either p or q. If an aflacker can find
gcd(x,N), they immediately get one of the prime factors of N, which breaks the
RSA scheme. The likelihood of this happening (for a randomly chosen message
x) is very low, as discussed in the next exercise.

31 Exsrciss Answsr
If N=pq with p,q each about 10100, estimate ϕ(N)/N. This is the probability that a random
x(modN) will have gcd(x,N)>1. Comment on the likelihood of this case arising.
The probability that gcd(x,N)>1 is 1−Nϕ(N).
ϕ(N)=ϕ(pq)=ϕ(p)ϕ(q)=(p−1)(q−1).
Nϕ(N)=pq(p−1)(q−1)=pp−1⋅qq−1=(1−p1)(1−q1).
The probability that gcd(x,N)>1 is 1−(1−p1)
(1−q1). 1−(1−p1−q1+pq1)=p1+q1−pq1.
Given p,q are about 10100, p and q are extremely large
numbers. p1 will be roughly 10−100.
q1 will be roughly 10−100.
pq1 will be roughly 10−200.
So the probability is approximately 10−100+10−100−10−200≈2⋅10−100.
This is an astronomically small probability. The likelihood of a random message x having
gcd(x,N)>1 is practically zero.
32 Exsrciss Answsr
If gcd(x,N)>1 explain why we can immediately break RSA.
If gcd(x,N)>1, then computing the greatest common divisor between the message x and the
public modulus N would reveal a factor of N.
Since N=pq (where p,q are distinct primes), if gcd(x,N)=g>1, then g must be either p or q.
● If gcd(x,N)=p, then p is revealed.
● If gcd(x,N)=q, then q is revealed.
Once one of the prime factors (p or q) is known, the other can be found by
simple division (q=N/p or p=N/q).
With both p and q known, ϕ(N)=(p−1)(q−1) can be calculated.
Once ϕ(N) is known, the private key d can be found using the Extended
Euclidean
Algorithm to solve ed≡1(modϕ(N)).
Since finding d breaks RSA, finding a message x such that gcd(x,N)>1 allows an
aflacker to factor N and decrypt all future messages.
33 Exsrciss Answsr
Let (N,e)=(323,11). Suppose you intercept an encrypted message 316.
Break the cipher and decrypt the message. Hint: you will have to
factor N.

Step 1: Factor N.
N=323.
We can try dividing by small prime numbers.
Not divisible by 2, 3, 5.
Try 7: 323/7≈46 (not
integer). Try 11: 323/11≈29
(not integer). Try 13:
323/13≈24 (not integer). Try
17: 323/17=19.
So p=17 and q=19.
Step 2: Calculate ϕ(N).
ϕ(N)=(p−1)(q−1)=(17−1)(19−1)=16⋅18=288.
Step 3: Find the private key d.
We need to solve ed≡1(modϕ(N)), which is
11d≡1(mod288). Use Extended Euclidean Algorithm for
11d+288k=1:
288=26⋅11+2
11=5⋅2+1
Work backwards:
1=11−5⋅2
1=11−5⋅(288−26⋅11)
1=11−5⋅288+130⋅11
1=131⋅11−5⋅288.
So 11d≡1(mod288) implies
d≡131(mod288). The private key is
d=131.
Step 4: Decrypt the message.
The encrypted message is y=316. We need to calculate yd(modN), which is
316131(mod323). Since 316≡−7(mod323), we can compute (−7)131(mod323).
This is −(7131)(mod323).
Let's compute 7131(mod323) using repeated squaring.
We work modulo 17 and modulo 19, then use CRT.
131(mod16) (for mod 17): 131=16⋅8+3.
7131≡(716)8⋅73≡18⋅73≡73=343≡343−20⋅17=343−340=3(mod17).
131(mod18) (for mod 19): 131=18⋅7+5.
7131≡(718)7⋅75≡17⋅75≡75(mod19).
71=7
72=49≡11(mod19)
73≡11⋅7=77≡1(mod19) (77=4⋅19+1)
75=73⋅72≡1⋅11≡11(mod19).
So we have the system:
x≡3(mod17)
x≡11(mod19)
From the first, x=17k+3.
Substitute into the second: 17k+3≡11(mod19).
−2k+3≡11(mod19)
−2k≡8(mod19)
2k≡−8≡11(mod19).
Multiply by 10 (inverse of 2 mod 19):
20k≡110(mod19). k≡110(mod19). 110=5⋅19+15. So
k≡15(mod19). k=19j+15.
Substitute back into x=17k+3:
x=17(19j+15)+3
x=323j+17⋅15+3
x=323j+255+3=323j+258.
So 7131≡258(mod323).
Now, remember the original message was −(7131)
(mod323). yd≡−(258)(mod323).
−(258)=−258+323=65(mod323).
The decrypted message is 65.
Rsfisrsncss
The content of this module is based on standard topics in number theory and
abstract algebra. Key concepts and theorems can be found in a wide range of
textbooks. Here are some highly recommended references:
1. "A Friendly Introduction to Number Theory" by Joseph H. Silverman
○ This book provides an accessible and engaging introduction to number
theory, covering modular arithmetic, prime numbers, cryptography
(including RSA), and other fundamental concepts.
2. "Elementary Number Theory and Its Applications" by Kenneth Rosen
○ A comprehensive textbook that covers a broad range of topics in
elementary number theory, including detailed explanations of modular
arithmetic, congruences, prime numbers, and public-key cryptography.
3. "Abstract Algebra" by David S. Dummit and Richard M. Foote
○ While more advanced, this book provides a rigorous treatment of the
algebraic structures underlying modular arithmetic, such as rings and
fields, in the context of general abstract algebra.
4. "Contemporary Abstract Algebra" by Joseph A. Gallian
○ Another excellent textbook for abstract algebra that clearly explains
modular
arithmetic as a foundational concept for understanding quotient groups and
rings.
5. "Introduction to Cryptography with Coding Theory" by Wade
Trappe and Lawrence C. Washington
○ This book specifically focuses on the applications of number theory, including
modular arithmetic, to modern cryptography, providing deeper insights
into algorithms like RSA and Diffie-Hellman.
These resources offer extensive coverage of the topics presented in this module
and can be used for further study and exploration.

You might also like