Page 1: Chapter 1: The Integers – Z (cs.rochester.edu/~brown/Crypto/lectures/oheads/7.pdf)

Chapter 1: The Integers – Z

Divisibility

• d | n means d divides n evenly: n = kd, k integer.
• a ≠ 0 ⇒ a | 0, a | a. 1 | b, b integer.
• a | b and b | c ⇒ a | c.
• d | x and d | y ⇒ d | (ax + by) for all a, b ∈ Z.
• Remember GCD, LCM: gcd(m, n) (m, n ≠ 0) is the least positive integer of the form xm + yn with x, y ∈ Z.
• n | N ⇒ (x%N)%n = x%n.
• Two numbers are relatively prime if only 1 and -1 divide both ⇒ their GCD is 1.

Page 2

Primes

Prime number: divisible only by itself and 1. Infinite number of them (Euclid). Easy proof.

If π(x) is the number of primes ≤ x, then π(x) ≈ x/ln(x) (proved 1896). So they are pretty dense: a 100-digit prime every few hundred numbers.

Page 3

Equivalence Relations

A "relation" R on a set S is a subset of S × S, i.e. a set of ordered pairs (x, y) of elements of S, such that (x, y) ∈ R ⇔ R(x, y) holds.

A function is a relation: a set R of pairs such that for every s ∈ S there is exactly one pair (s, t) ∈ R. Typically we write f(s) = t.

An "equivalence relation" is another special sort of relation, with three properties.

• Reflexivity: For all x ∈ S, (x, x) ∈ R.
• Symmetry: (x, y) ∈ R ⇒ (y, x) ∈ R.
• Transitivity: (x, y), (y, z) ∈ R ⇒ (x, z) ∈ R.

Page 4

Equivalence Relations cont.

Often we will write xRy, or generically, x ∼ y, rather than (x, y) ∈ R.

E.g. of an equivalence relation: ordinary equality (of integers, sets, or most other things we are used to).

For any member x of a set S, we can define an "equivalence class" x̄ relative to a relation ∼ on S as the set of all elements y ∈ S such that x ∼ y.

The set of all equivalence classes of ∼ on S is denoted S/∼. These classes are mutually disjoint, and their union is all of S. Such a set of subsets is called a "partition" of S. Conversely, any partition of S defines an equivalence relation.

Page 5

Integers mod m

• a, b, n ∈ Z, n ≠ 0. Then a ≡ b (mod n) if a − b is a multiple of n (a = b + nk: they have the same remainder when divided by n).
• Congruence (mod m) is an equivalence relation, and the integers mod m are just the collection of equivalence classes, denoted Z/m.
• Z/m can be represented as 0̄, 1̄, ..., (m − 1)̄; for instance, pick reps 0, 1, ..., m − 1.
• Remember (x + y)%m = ((x%m) + (y%m))%m and (x ∗ y)%m = ((x%m) ∗ (y%m))%m? These hold because you can prove (+, −, ×) behave well with congruence and define analogous operations on the equivalence classes, so you get associativity, distributivity, etc.

Page 6

More Congruence

a, b, c, d, n ∈ Z, n ≠ 0, a ≡ b (mod n), c ≡ d (mod n). Then
a + c ≡ b + d, a − c ≡ b − d, ac ≡ bd (mod n).

Congruences inherit:

• Distributivity
• Associativity of +, ×: (x + y) + z ≡ x + (y + z) (mod m), (xy)z ≡ x(yz) (mod m)
• +, × identities: 0 + x ≡ x + 0 ≡ x (mod m), 1 · x ≡ x · 1 ≡ x (mod m)

Page 7

Just-for-fun Applications

We can find the ones-place digit of the decimal expansion of 3^999:
3^999 % 10 = 3 ∗ 3 ∗ 3 ∗ (3^4)^(996/4) % 10 = 27 ∗ 81^249 % 10 = 7 × 1^249 % 10 = 7.

We can prove that x² − y² = 2002 has no integer solutions. Note that mod 4, 0² ≡ 0, 1² ≡ 1, 2² ≡ 0, 3² ≡ 1. Hence x² − y² must be 0, 1, or −1 ≡ 3 (mod 4). But 2002 ≡ 2 (mod 4), so it cannot be such a difference.

Page 8

Fermat's Little Theorem

If p is prime, then x^p ≡ x (mod p) for all integers x.

So if p does not divide x (relatively prime), then x^(p−1) ≡ 1 (mod p) and x^(p−2) ≡ x^(−1) (mod p).

Little Lemma: gcd(b^m − 1, b^n − 1) = b^gcd(m, n) − 1, so for numbers of the form b^n, if n is composite, then for every factor d of n, b^n − 1 and b^d − 1 have a factor in common: b^d − 1.

Can help exponentiation: 2^1000 % 17 = 2^8 ∗ 2^(16∗62) % 17 = 2^8 % 17 = 1.

Page 9

FLT Proof

Note that binomial coefficients are integers, and have the form C(p, i) = p!/(i!(p − i)!). For 0 < i < p the prime p divides the numerator but not i!(p − i)!, so all the non-trivial binomial coefficients are divisible by p. Prove by induction: clearly FLT is true for x = 1. Suppose we know that x^p ≡ x (mod p) for some x. Then

(x + 1)^p = Σ_{0≤i≤p} C(p, i) x^i 1^(p−i) = x^p + Σ_{1≤i≤p−1} C(p, i) x^i + 1 ≡ x + 1 (mod p),

since the induction hypothesis is x^p ≡ x (mod p). Needs a slight extension for x < 0.

Page 10

Unique Factorization

• Any integer may be factored into a product of powers of distinct primes in just one way. Nontrivial proof (Garrett).
  N = ±p1^e1 p2^e2 ... pn^en.
• Euler phi function φ(N) = number of integers i, 0 ≤ i ≤ N, relatively prime to N.
• p prime, a, b ∈ Z. Then p | (ab) ⇒ p | a or p | b or both.
• Generalizing, if a prime divides a product it divides at least one factor.

Page 11

Phi Function

We know we can write N = ±p1^e1 p2^e2 ... pn^en.

If N is factored as above,
φ(N) = (p1 − 1)p1^(e1−1) (p2 − 1)p2^(e2−1) ... (pn − 1)pn^(en−1).

Proof by counting (combinatorics) using the inclusion-exclusion principle (Garrett) – more later!

Another way to write this, easier to remember maybe...
φ(N) = N(1 − 1/p1)(1 − 1/p2)...(1 − 1/pn)

Page 12

Finding Primes (factors)

• Divide by all i < √n
• Eratosthenes's Sieve
• Identities: x² − y² = (x − y)(x + y), x^5 + y^5 = (x + y)(x^4 − x^3 y + x^2 y^2 − x y^3 + y^4), etc.
• Mersenne prime: 2^n − 1 prime.
• Fermat prime: 2^n + 1 prime.

Page 13

Euclidean Algorithm

More efficient GCD-finder than factoring. Also finds x, y such that mx + ny = gcd(m, n).

It's "repeated remaindering", or repeated reduction mod x.

Fast: the number of steps to compute the GCD of x, y with x > y is ≤ 2 log2 y. (Cute proof in Garrett.)

Page 14

Euclidean Algorithm E.g.

E.g., to find gcd(210, 119):

210 - 1 * 119 = 91
119 - 1 * 91 = 28
91 - 3 * 28 = 7
28 - 4 * 7 = 0 ==> gcd is 7

E.g. gcd(26, 19):

26 - 1 * 19 = 7
19 - 2 * 7 = 5
7 - 1 * 5 = 2
5 - 2 * 2 = 1
2 - 2 * 1 = 0 ==> gcd is 1

Page 15

Find Multiplicative Inverse

To do division: can divide by a (mod n) if gcd(a, n) = 1.

If m ≠ 0, ±1 and x is relatively prime to m, then x has a multiplicative inverse modulo m. In any expression ax + bm = 1, a is a multiplicative inverse for x modulo m, since ax ≡ 1 (mod m).

And if x has a mult. inv. mod m, then x, m are rel. prime.

Extended EA also works backwards from EA: if gcd(x, m) was 1, can find a and b s.t. ax + bm = 1. (Nice neat algorithm does everything in a surprisingly cool way! (Garrett))

Page 16

E.g. EEA for 19, 26

1 = 5 - 2 * 2
  = 5 - 2 * (7 - 1 * 5) = -2 * 7 + 3 * 5
  = -2 * 7 + 3 * (19 - 2 * 7) = 3 * 19 - 8 * 7
  = 3 * 19 - 8 * (26 - 1 * 19) = -8 * 26 + 11 * 19

From this we get that the multiplicative inverse of 19 mod 26 is 11.

Page 17

Fun with Division

Find a^(−1) with EEA.

Solve ax ≡ c (mod m) when gcd(a, m) = 1 (or evaluate the fraction c/a (mod m)): EEA yields s, b s.t. sa + bm = 1, and x ≡ cs (mod m), which is also the value of the fraction.

Solve ax ≡ b (mod m) if gcd(a, m) = d > 1:

• Unless d | b, no solution.
• Solve (a/d)x ≡ (b/d) (mod m/d) to get a solution x0.
• All solutions are of the form x0 + q(m/d), 0 ≤ q ≤ d − 1.
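The extended Euclidean algorithm of slides 13 through 17 as one added Python example (not code from the lecture or from Garrett): an iterative EEA that produces the same Bézout coefficients as the back-substitution on slide 16, the inverse of slide 15, and the d > 1 case of this slide, checked on the lecture's own numbers.

```python
def egcd(m, n):
    """Extended Euclidean algorithm: returns (g, x, y) with x*m + y*n == g == gcd(m, n).
    Repeated remaindering as on slides 13-14, carrying the coefficient pairs along
    so the back-substitution of slide 16 is not needed as a separate pass."""
    old_r, r = m, n
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:                      # normalise so the gcd comes out positive
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def mod_inverse(a, m):
    """Multiplicative inverse of a modulo m (slide 15), or None when gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    return x % m if g == 1 else None


def solve_linear_congruence(a, b, m):
    """All x in [0, m) with a*x ≡ b (mod m), following slide 17: with d = gcd(a, m)
    there is no solution unless d | b; otherwise solve (a/d)x ≡ (b/d) (mod m/d)
    for x0 and lift to x0 + q*(m/d), 0 <= q <= d-1."""
    d, _, _ = egcd(a, m)
    if b % d != 0:
        return []
    a1, b1, m1 = a // d, b // d, m // d
    x0 = (mod_inverse(a1, m1) * b1) % m1
    return [x0 + q * m1 for q in range(d)]


if __name__ == "__main__":
    print(egcd(210, 119))                    # slide 14: gcd 7 = 4*210 - 7*119
    print(mod_inverse(19, 26))               # slide 16: 11
    print(solve_linear_congruence(6, 4, 8))  # d = 2 > 1 case: [2, 6]
```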

Page 18

Fast Exponentiation

To evaluate x^e % m, represent e as a binary number e = e0 + e1 · 2 + e2 · 2² + ... + en · 2^n.

Then precompute the power-of-two powers of x by repeated squaring: x² = x · x, x^4 = (x²)², etc.

Then x^e = x^e0 (x²)^e1 · · · (x^(2^n))^en % m, performing the reduction after every multiplication.

Page 19

Algorithm

Compute b^e (mod m):

• Start with the triple (X, E, Y) = (b, e, 1).
• If E is odd, replace Y with X ∗ Y % m and E with E − 1.
• If E is even, replace X with X ∗ X % m and E with E/2.
• When E = 0, done: Y = b^e % m. Takes at most 2 log2 e steps, proportional to the number of digits in e. With reduction mod m, the numbers never get larger than m².
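Both formulations of fast exponentiation (slide 18's bit decomposition and this slide's (X, E, Y) triple) as an added Python example, not code from the lecture; the triple version also returns its step count so the 2 log2 e bound can be checked against the slides' own values 2^1000 % 17 and 3^999 % 10.

```python
def fast_pow_mod(b, e, m):
    """The (X, E, Y) triple algorithm of slide 19. Returns (b**e % m, steps).
    Invariant: X**E * Y ≡ b**e (mod m). Every intermediate product is of two
    values < m, so nothing exceeds m**2 before the reduction."""
    X, E, Y = b % m, e, 1 % m
    steps = 0
    while E > 0:
        if E % 2 == 1:
            Y = (X * Y) % m      # peel one factor of X off the exponent
            E -= 1
        else:
            X = (X * X) % m      # square the base, halve the exponent
            E //= 2
        steps += 1
    return Y, steps


def pow_mod_binary(x, e, m):
    """Slide 18 phrased on the bits of e: walk e = e0 + e1*2 + ... + en*2^n from the
    low bit, keeping power = x^(2^i) % m by repeated squaring and multiplying it in
    whenever the bit e_i is set, reducing after every multiplication."""
    result = 1 % m
    power = x % m
    while e > 0:
        if e & 1:
            result = (result * power) % m
        power = (power * power) % m
        e >>= 1
    return result


if __name__ == "__main__":
    print(fast_pow_mod(2, 1000, 17))   # slide 8: (1, 15), 15 steps for a 10-bit exponent
    print(pow_mod_binary(3, 999, 10))  # slide 7: ones digit of 3^999 is 7
```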

Page 20

Square Roots and More

Given a reduced value x and a modulus, how to find √x (mod m)? A number can have more than two square roots: 4² = 16, 6² = 36, so mod 20 (= 36 − 16), 16 % 20 = 36 % 20 = 16, and hence 16 has (at least) the square roots ±4 = 4, 16 and ±6 = 6, 14.

For a prime modulus p, at most two roots ±x exist (easy proof, RN10). If p ≡ 3 (mod 4), there is a formula for roots of actual squares mod p: let x = y^((p+1)/4) (mod p). If y has a square root mod p then the roots are ±x. If y doesn't, then −y does: ±x.

More: if n is relatively prime to p − 1 for some prime p, then every integer y has an nth root mod p: y^r % p, where r is a multiplicative inverse of n (mod p − 1).

Why not choose primes ≡ 3 (mod 4) for RSA? p. 87.

Page 21

Roots mod Composites

A basic tool for decomposing composite modular problems, and useful in the other direction too: "Sun Ze's theorem", AKA the Chinese Remainder Theorem. Known since about 450 AD, and in more general form since 1250.

CRT: Let m1, m2, ..., mk be integers with the m's mutually relatively prime: i ≠ j ⇒ gcd(mi, mj) = 1. It is not enough that (m1, m2), (m2, m3), (m3, m4) etc. are rel. prime: consider m1, m2, ..., mk = 4, 5, 4, 5, 4, 5, ...

Given integers a1, a2, ..., ak, there is exactly one solution (mod m1 m2 ... mk) to the simultaneous congruences
x ≡ a1 (mod m1), x ≡ a2 (mod m2), ..., x ≡ ak (mod mk).

Page 22

Special Case: 2 congruences

gcd(m, n) = 1, so let sm + tn = 1; thus t = n^(−1) (mod m), s = m^(−1) (mod n).

If
x ≡ a (mod m)
x ≡ b (mod n)
then
x ≡ atn + bsm (mod mn).

Page 23

General Case: n congruences

Recall the special case: in brief, x ≡ atn + bsm (mod mn). Generally, with m1, ..., mn rel. prime, the simultaneous congruences are

x ≡ b1 (mod m1)
x ≡ b2 (mod m2)
...
x ≡ bn (mod mn).

Let the product M = m1 m2 ... mn, and let Mi be M with mi divided out: Mi = M/mi. This incomplete product is what we take the inverse of; it specializes to s = m^(−1) (mod n) and t = n^(−1) (mod m) in the 2-congruence case. So let Ti = Mi^(−1) (mod mi). Then

x ≡ T1 M1 b1 + ... + Tn Mn bn (mod M)

is the unique solution modulo M of the system of n congruences.

Page 24

Square Roots and Factoring

T 6.3 (RSA) Basic Principle: Let n be an integer, and suppose there are integers x, y with x² ≡ y² but x ≢ ±y (mod n). Then n is composite, and gcd(x − y, n) is a nontrivial factor of n.

Proof: Let d = gcd(x − y, n). If trivially d = n, then x ≡ y (mod n), which it isn't by assumption. If trivially d = 1, we know the basic result that a | bc, gcd(a, b) = 1 ⇒ a | c. Here we know that n divides x² − y² = (x + y)(x − y). Assuming d = 1 means n doesn't divide (x − y), so n | (x + y). But that contradicts the assumption that x ≢ −y (mod n).

Page 25

Square Roots mod Composite (cont.)

Suppose we want the square root of 71 (mod 77). If x² ≡ 71 (mod 77) then x² ≡ 71 ≡ 1 (mod 7) and x² ≡ 71 ≡ 5 (mod 11). We can figure out that x ≡ ±1 (mod 7), x ≡ ±4 (mod 11).

So now we have four sets of two congruences, (a, b) = (1, 4), (−1, 4), (1, −4), (−1, −4), that we can combine to get a solution (mod 77) consistent with both. Doing that and CRTing gives the four square roots: ±15, ±29 (mod 77).

Page 26

Backwards...

Thus we have an example of a bad choice of p, q (7 and 11) if we want to pick them so their product doesn't give them away. If we know, for example, the square roots of 71 mod 77, we know that 15² ≡ 29² ≡ 71 (mod 77); by the Basic Principle 77 is composite and gcd(15 − 29, 77) = 7 is a non-trivial factor. Factoring n could be slow, but all the operations needed for CRT and GCD, exponentiations, are fast. So:

If n = pq is a product of two primes congruent to 3 (mod 4), and if y is a number relatively prime to n with a square root (mod n), then finding the four solutions ±a, ±b to x² ≡ y (mod n) is computationally equivalent to factoring n. And conversely.

Page 27

Chinese Bagel

The k = 2 case can be graphically represented on a torus, e.g. 3 × 5 (entries are x, rows are x%3, columns are x%5):

                x%5
          |  0  1  2  3  4
       ---|---------------
        0 | 00 06 12 03 09
  x%3   1 | 10 01 07 13 04
        2 | 05 11 02 08 14

Page 28

Back to roots mod composites

Find x such that x² ≡ y (mod pq). Such an x must also satisfy x² ≡ y (mod p), x² ≡ y (mod q). Sun Ze's theorem tells us, given y1 ∈ Z/p and y2 ∈ Z/q, how to find the unique y ∈ Z/pq that satisfies y%p = y1 and y%q = y2.

Find x² ≡ −1 (mod 221). 221 = 13 · 17. The square roots of −1 mod 13 are 5 and 8, and the square roots of −1 mod 17 are 4 and 13. We also can find that 1 = 4 * 13 − 3 * 17. Taking m = 13, n = 17, and one pair of roots, a = 5 and b = 4, and plugging into the CRT formula, we get
x = 4 · 4 · 13 + 5 · (−3) · 17 = 208 − 255 = −47 ≡ 174 (mod 221).
Checking, 174² = 30276 ≡ 220 ≡ −1 (mod 221).

We could find 3 other roots by plugging in the other combinations, and in general we could find up to 2^n roots where n is the number of distinct prime factors.
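The machinery of slides 20 through 28 as one added Python example (not code from the lecture): the general CRT of slide 23, the p ≡ 3 (mod 4) root formula of slide 20, all square roots modulo a product of distinct primes, and the Basic Principle of slide 24 turned into a factor-recovery check, all run on the slides' own numbers (71 mod 77, −1 mod 221). Assumes Python 3.8+ for pow(x, -1, m); the brute-force fallback for primes ≡ 1 (mod 4) is only meant for toy primes such as 13 and 17.

```python
from itertools import product
from math import gcd


def crt(residues, moduli):
    """General CRT (slide 23): x = sum(T_i * M_i * b_i) mod M with
    M_i = M / m_i and T_i = M_i^-1 (mod m_i). Moduli must be pairwise coprime."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for b, m in zip(residues, moduli):
        Mi = M // m
        Ti = pow(Mi, -1, m)              # modular inverse, Python 3.8+
        x += Ti * Mi * b
    return x % M


def sqrt_mod_prime(y, p):
    """Sorted square roots of y modulo the prime p. For p ≡ 3 (mod 4) use the
    slide-20 formula x = y^((p+1)/4) and verify it; otherwise brute force
    (toy primes only). Returns [] when y is a non-residue."""
    y %= p
    if p % 4 == 3:
        x = pow(y, (p + 1) // 4, p)
        return sorted({x, (-x) % p}) if (x * x - y) % p == 0 else []
    return [x for x in range(p) if (x * x - y) % p == 0]


def sqrt_mod_composite(y, primes):
    """All square roots of y modulo the product of distinct primes: one root per
    prime in every combination, glued together with CRT (slides 25 and 28)."""
    per_prime = [sqrt_mod_prime(y, p) for p in primes]
    return sorted({crt(combo, primes) for combo in product(*per_prime)})


def factor_from_roots(x, y, n):
    """Basic Principle (slide 24): if x^2 ≡ y^2 (mod n) but x ≢ ±y, then
    gcd(x - y, n) is a nontrivial factor of n. Returns None when the
    hypotheses fail (y ≡ ±x only yields the trivial gcd)."""
    if (x * x - y * y) % n != 0 or (x - y) % n == 0 or (x + y) % n == 0:
        return None
    d = gcd(x - y, n)
    return d if 1 < d < n else None


if __name__ == "__main__":
    print(sqrt_mod_composite(71, [7, 11]))    # slide 25: ±15, ±29 mod 77
    print(sqrt_mod_composite(-1, [13, 17]))   # slide 28: 174 is one of the four
    print(factor_from_roots(15, 29, 77))      # slide 26: 7
```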

Page 29

Euler's Theorem

Generalized FLT. Proved more easily with tools from Group Theory (RN12). Recall the Euler phi-function φ(n) is the number of integers b s.t. 0 < b < n and gcd(b, n) = 1.

Theorem: For x, n relatively prime, x^φ(n) ≡ 1 (mod n).

If n is prime, φ(n) = n − 1 and we have FLT. The proof is like the FLT proof too.

Examples ...

Page 30

Using Euler's Theorem

With a, n, x, y ∈ Z, n ≥ 1, gcd(a, n) = 1:
x ≡ y (mod φ(n)) ⇒ a^x ≡ a^y (mod n).

So modding out φ(n) in the exponent can save you work.

With x = y + φ(n)k, clearly
a^x = a^(y+φ(n)k) = a^y (a^φ(n))^k ≡ a^y 1^k ≡ a^y (mod n).

Page 31

Key Exchange Example

How to communicate a short message (say a 192-bit key) on a public channel? Physical lock analogy.

• Alice publishes a prime p > 192 bits. φ(p) = p − 1.
• A finds random a with gcd(a, p − 1) = 1; B similarly finds a b.
• A sends K1 ≡ K^a (mod p) to B.
• B sends K2 ≡ K1^b (mod p) to A.
• A sends K3 ≡ K2^(a^(−1)) (mod p) to B.
• B computes K3^(b^(−1)) ≡ K^(a b a^(−1) b^(−1)) (mod p) ≡ K.
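The exchange on this slide with both sides' messages, as an added Python example (not code from the lecture): the exponent inverses are taken mod p − 1 because of slide 30, using pow(a, -1, p - 1) (Python 3.8+). P and KEY are constructed toy values; a real run needs the large prime the slide asks for, and since the wire carries K^a, K^ab and K^b the scheme rests on the hardness of discrete logs mod p and nothing in it authenticates either party.

```python
import random
from math import gcd

P = 10007     # constructed toy prime; slide 31 wants p > 192 bits in practice
KEY = 4242    # constructed short message K, must satisfy 0 < K < p


def pick_exponent(p, rng):
    """A random exponent a with gcd(a, p - 1) = 1, so a is invertible mod phi(p) = p - 1."""
    while True:
        a = rng.randrange(2, p - 1)
        if gcd(a, p - 1) == 1:
            return a


def three_pass(K, p, a, b):
    """Runs the exchange of slide 31 with A's exponent a and B's exponent b.
    Returns (what travels on the wire, what B recovers). The inverses live
    mod p - 1 because x ≡ y (mod phi(p)) implies K^x ≡ K^y (mod p) (slide 30)."""
    if gcd(a, p - 1) != 1 or gcd(b, p - 1) != 1:
        raise ValueError("exponents must be invertible modulo p - 1")
    a_inv = pow(a, -1, p - 1)
    b_inv = pow(b, -1, p - 1)
    K1 = pow(K, a, p)              # A -> B: K^a
    K2 = pow(K1, b, p)             # B -> A: K^(ab)
    K3 = pow(K2, a_inv, p)         # A -> B: K^(ab a^-1) = K^b
    recovered = pow(K3, b_inv, p)  # B alone: K^(b b^-1) = K
    return (K1, K2, K3), recovered


def run(seed=7):
    """Drives one exchange with seeded randomness so the run is reproducible."""
    rng = random.Random(seed)
    a, b = pick_exponent(P, rng), pick_exponent(P, rng)
    return three_pass(KEY, P, a, b)


if __name__ == "__main__":
    wire, recovered = run()
    print(wire, recovered == KEY)
```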

Page 32

Primitive Roots – Why do we care?

Related to discrete logs.

Concept used in ciphers like El Gamal and Elliptic Curve, Discrete Log ciphers.

Page 33

Primitive Roots, Discrete Logs

For n a positive integer, g is a primitive root (or multiplicative generator) modulo n if for every x relatively prime to n there is an integer l so that g^l ≡ x (mod n).

For prime n, multiplying g by itself eventually generates all the non-zero congruence classes mod n.

For fixed (base) g and a given x, the integer l is the discrete logarithm of x base g modulo n.

Most integers have no primitive root: 8 doesn't.

Page 34

Prim. Root Properties

• For prime modulus p there are φ(p − 1) primitive roots.
• If g is a prim. root of prime p, g^n ≡ 1 (mod p) ⇔ n ≡ 0 (mod p − 1).
• If ditto, g^j ≡ g^k (mod p) ⇔ j ≡ k (mod p − 1).

Page 35

Prim. Root Existence

Theorem: The only integers n with primitive roots modulo n are of the forms:

• n = p^e, p an odd prime and e ≥ 1.
• n = 2p^e, ditto.
• n = 2, 4.

Raising any element h of Z/n to successive powers has to cycle, and so comes back to h, and thus it must be that h^t ≡ 1 (mod n) for some value(s) of t. The smallest such t is called the order of h (mod n).

Fact: the order of a prim. root modulo a prime p is p − 1, and the order of a prim. root modulo p^e is (p − 1)p^(e−1).
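Added Python example (not from the lecture) covering the factor-and-count tools behind slides 10 through 12, 29 and 33 through 35: trial division, φ(n) from the factorisation, the order of an element, a primitive-root search and a brute-force discrete log, so the claims on these slides (8 has no primitive root, there are φ(p − 1) of them mod p, a primitive root mod p^e has order (p − 1)p^(e−1), x^φ(n) ≡ 1) can be checked on toy moduli.

```python
from math import gcd


def factor(n):
    """Trial division by every d up to sqrt(n) (slide 12). Returns {prime: exponent}."""
    n = abs(n)
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:                      # whatever is left is a prime factor > sqrt(original)
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler phi from the factorisation (slide 11): prod (p - 1) p^(e - 1)."""
    result = 1
    for p, e in factor(n).items():
        result *= (p - 1) * p ** (e - 1)
    return result


def units(n):
    """The b with 0 < b < n and gcd(b, n) = 1 (slide 29); len(units(n)) == phi(n)."""
    return [b for b in range(1, n) if gcd(b, n) == 1]


def order(h, n):
    """Smallest t >= 1 with h^t ≡ 1 (mod n) (slide 35). Needs gcd(h, n) = 1;
    Euler's theorem (slide 29) guarantees the loop stops by t = phi(n)."""
    assert gcd(h, n) == 1
    t, acc = 1, h % n
    while acc != 1:
        acc = (acc * h) % n
        t += 1
    return t


def primitive_roots(n):
    """Generators of the units mod n (slide 33): the elements whose order is phi(n)."""
    target = phi(n)
    return [g for g in units(n) if order(g, n) == target]


def discrete_log(g, x, n):
    """Brute-force l with g^l ≡ x (mod n) (slide 33); only viable for toy n."""
    acc, x = 1 % n, x % n
    for l in range(phi(n) + 1):
        if acc == x:
            return l
        acc = (acc * g) % n
    return None


if __name__ == "__main__":
    print(phi(221), phi(77))                        # 192 60
    print(primitive_roots(7), primitive_roots(8))   # [3, 5] []  (slide 33: 8 has none)
    print(discrete_log(3, 6, 7))                    # 3
```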

Page 36

Quadratic Symbols – Why?

• "The algorithm here for fast computation of 'quadratic symbols' is fundamental to many algorithms. Perhaps second in importance only to the Euclidean algorithm, this is another of the good algorithms we have." – Garrett.
• Does a number have a square root (mod n)?
• Fast implementation of Euler's Criterion (T. 3.10, p. 88).
• Rewrite rules allow for simplification and ultimately evaluation of Legendre and Jacobi symbols.

Page 37

Jacobi Symbols

• Jacobi symbols display the "quadratic reciprocity" property.
• QR was the first result of modern number theory (Gauss, 1796): it relates two things that have no obvious reason to be related.
• Time: 2 log2 n for (x/n).
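Added Python example, not the lecture's or Garrett's code: the Jacobi symbol (x/n) evaluated by the standard rewrite rules slides 36 and 37 refer to (pull out factors of 2, swap under quadratic reciprocity, reduce mod n), beside Euler's criterion for prime moduli, plus a brute-force check showing that (y/n) = 1 does not certify a square root when n is composite.

```python
def jacobi(x, n):
    """Jacobi symbol (x/n) for odd n > 0 by the standard rewrite rules: pull out
    factors of 2 with (2/n) = -1 iff n ≡ ±3 (mod 8), flip the sign under
    reciprocity when both arguments are ≡ 3 (mod 4), then reduce x mod n.
    The swap-and-reduce shrinks the arguments like Euclid's algorithm does,
    which is where the O(log n) bound of slide 37 comes from."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    x %= n
    result = 1
    while x != 0:
        while x % 2 == 0:
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x                  # quadratic reciprocity: swap the arguments
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0   # n > 1 here means gcd(x, n) > 1


def euler_criterion(x, p):
    """Slide 36: for odd prime p, x^((p-1)/2) ≡ +1 if x is a nonzero square mod p,
    -1 if it is not, and 0 if p | x."""
    r = pow(x, (p - 1) // 2, p)
    return 1 if r == 1 else (-1 if r == p - 1 else 0)


def has_sqrt_mod_prime(x, p):
    """Does x have a square root mod the odd prime p? (slide 36, second bullet)."""
    return euler_criterion(x, p) != -1


def is_square_mod(y, n):
    """Brute-force check, to show that (y/n) = 1 does not make y a square mod composite n."""
    return any((x * x - y) % n == 0 for x in range(n))


if __name__ == "__main__":
    print(jacobi(71, 77), jacobi(3, 7))           # 1 -1
    print(jacobi(2, 15), is_square_mod(2, 15))    # 1 False: composite modulus caveat
```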