Source: math.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf (2008-12-02)

MST Number Theory and Cryptography

Paul Yiu

Department of Mathematics, Florida Atlantic University

Fall 2008

Chapters 1–30

Page 2: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,
Page 3: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,

Contents

1 Euclidean Algorithm and Linear Diophantine Equations 1011.1 Euclidean algorithm and gcd . . . . . . . . . . . . . . . . . . . . 1011.2 gcd(a, b) as an integer combination ofa andb. . . . . . . . . . . . 1021.3 Linear Diophantine equations . . . . . . . . . . . . . . . . . . . . 1031.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

2 Representation of integers in baseb 1052.1 Representation in a given base . . . . . . . . . . . . . . . . . . . . 1052.2 Binary expansions . . . . . . . . . . . . . . . . . . . . . . . . . . 105

2.2.1 Calculation of high powers by repeated squaring . . . . .. 1052.2.2 Parity of binomial coefficients . . . . . . . . . . . . . . . . 106

2.3 Highest power of a prime dividing a factorial . . . . . . . . . .. . 1062.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

3 Prime Numbers 1093.1 Infinitude of prime numbers . . . . . . . . . . . . . . . . . . . . . 1093.2 The sieve of Eratosthenes . . . . . . . . . . . . . . . . . . . . . . 109

3.2.1 A visualization of the sieve of Eratosthenes . . . . . . . .. 1093.3 The Fundamental Theorem of Arithmetic . . . . . . . . . . . . . . 1123.4 Perfect numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . 1123.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

4 Linear Congruences 1154.1 The ring of residues modulon . . . . . . . . . . . . . . . . . . . . 1154.2 Simultaneous linear congruences . . . . . . . . . . . . . . . . . . 1164.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

5 The Eulerϕ-function 1195.1 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

6 Fermat-Euler theorem 1216.1 Primality test for Mersenne numbers . . . . . . . . . . . . . . . . 1216.2 Pseudoprimes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Page 4: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,

iv CONTENTS

6.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

7 Pythagorean Triangles 2017.1 Construction of Pythagorean triangles . . . . . . . . . . . . . .. . 2017.2 Fermat Last Theorem forn = 4 . . . . . . . . . . . . . . . . . . . 2027.3 Fermat’s construction of primitive Pythagorean triangles with con-

secutive legs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

8 Homogeneous quadratic equations in3 variables 2078.1 Pythagorean triangles revisited . . . . . . . . . . . . . . . . . . .2078.2 Rational points on a conic . . . . . . . . . . . . . . . . . . . . . . 2088.3 Integer triangles with a60◦ angle . . . . . . . . . . . . . . . . . . 2088.4 Integer triangles with a120◦ angle . . . . . . . . . . . . . . . . . 210

9 Heron triangles 2139.1 The Heron formula . . . . . . . . . . . . . . . . . . . . . . . . . 2139.2 Heron triangles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2149.3 Construction of Heron triangles . . . . . . . . . . . . . . . . . . . 2149.4 Heron triangles with sides in arithmetic progression . .. . . . . . 2159.5 Heron triangles with integer inradii . . . . . . . . . . . . . . . .. 216

10 Genealogy of Pythagorean triangles 21910.1 Two ternary trees of rational numbers . . . . . . . . . . . . . . .. 21910.2 Genealogy of Pythagorean triangles . . . . . . . . . . . . . . . .. 221

11 Polygonal numbers 22511.1 The polygonal numbersPk,n . . . . . . . . . . . . . . . . . . . . . 22511.2 The equationPk,a + Pk,b = Pk,c . . . . . . . . . . . . . . . . . . . 22611.3 Double ruling ofS . . . . . . . . . . . . . . . . . . . . . . . . . . 22611.4 Primitive Pythagorean triple associated with ak-gonal triple . . . . 22711.5 Triples of triangular numbers . . . . . . . . . . . . . . . . . . . . 22811.6 k-gonal triples determined by a Pythagorean triple . . . . . . . .. 229

12 Quadratic Residues 30112.1 Quadratic residues . . . . . . . . . . . . . . . . . . . . . . . . . . 30112.2 The Legendre symbol . . . . . . . . . . . . . . . . . . . . . . . . 30212.3 −1 as a quadratic residuemodp . . . . . . . . . . . . . . . . . . . 303

13 The law of quadratic reciprocity 30513.1 Gauss’ lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30513.2 The law of quadratic reciprocity . . . . . . . . . . . . . . . . . . .307

Page 5: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,

CONTENTS v

14 Calculation of square roots 31114.1 Square roots modulop . . . . . . . . . . . . . . . . . . . . . . . . 31114.2 Square roots modulo an odd prime power . . . . . . . . . . . . . . 31314.3 Squares modulo2k . . . . . . . . . . . . . . . . . . . . . . . . . . 313

15 Primitive roots 31515.1 Periodicity of decimal expansions of rational numbers. . . . . . . 317

16 Sums of two and four squares 31916.1 Fermat’s two-square theorem . . . . . . . . . . . . . . . . . . . . 31916.2 Representation of integers as sums of two squares . . . . .. . . . 32016.3 Lagrange’s four-square theorem . . . . . . . . . . . . . . . . . . .320

16.3.1 Descent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

17 Finite continued fractions 40117.1 Euler’s functionF for finite continued fractions . . . . . . . . . . 40117.2 Cornacchia’ algorithm for a prime as a sum of two squares. . . . 402

18 Infinite continued fractions 405

19 Lagrange’s Theorem 40919.1 Purely periodic continued fractions . . . . . . . . . . . . . . .. . 40919.2 Eventually periodic continued fractions . . . . . . . . . . .. . . . 40919.3 Reduced quadratic irrationalities . . . . . . . . . . . . . . . .. . 41019.4 Proof of Lagrange’s theorem . . . . . . . . . . . . . . . . . . . . 410

20 The Pell Equation 41320.1 The equationx2 − dy2 = 1 . . . . . . . . . . . . . . . . . . . . . 413

20.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41520.2 The equationx2 − dy2 = −1 . . . . . . . . . . . . . . . . . . . . 41520.3 The equationx2 − dy2 = c . . . . . . . . . . . . . . . . . . . . . 41620.4 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

21 Sums of consecutive squares 42121.1 Sums of an odd number of consecutive squares. . . . . . . . . .. 42121.2 Even number of consecutive squares. . . . . . . . . . . . . . . . .423

22 Some simple cryptosystems 50122.1 Shift ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50122.2 Affine ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50222.3 A matrix encryption system . . . . . . . . . . . . . . . . . . . . . 505

Page 6: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,

vi CONTENTS

23 A public key cryptosystem 50923.1 RSA-cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . 50923.2 Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

24 Factoring integers 51324.1 Flipping a coin over the phone . . . . . . . . . . . . . . . . . . . 51324.2 The quadratic sieve . . . . . . . . . . . . . . . . . . . . . . . . . 51424.3 Factoring by continued fractions . . . . . . . . . . . . . . . . . .515

25 Elliptic Curves 60125.1 Group law ony2 = x3 + ax2 + bx+ c . . . . . . . . . . . . . . . 60125.2 The discriminant . . . . . . . . . . . . . . . . . . . . . . . . . . . 60225.3 Points of finite order . . . . . . . . . . . . . . . . . . . . . . . . . 604

26 Factoring Integers 2 60526.1 Pollard’s algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 60526.2 Factoring with elliptic curves . . . . . . . . . . . . . . . . . . . .606

27 Some examples of the use of elliptic curves 60927.1 The congruent number problem . . . . . . . . . . . . . . . . . . . 60927.2 Pairs of isosceles triangle and rectangle with equal perimeters and

equal areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61027.3 Triangles with a median, an altitude, and an angle bisector concurrent611

28 Heron triangles and Elliptic Curves 61328.1 The elliptic curvey2 = (x− k)2 − 4kx3 . . . . . . . . . . . . . . 613

28.1.1 Proof of Theorem 28.1 . . . . . . . . . . . . . . . . . . . . 616

29 The ring of Gaussian integers 70129.1 The ringZ[i] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701

29.1.1 Norm and units . . . . . . . . . . . . . . . . . . . . . . . . 70129.1.2 Gaussian primes . . . . . . . . . . . . . . . . . . . . . . . 701

29.2 An alternative proof of Fermat’s two-square theorem . .. . . . . . 703

30 Construction of indecomposable Heron triangles 70530.1 Primitive Heron triangles . . . . . . . . . . . . . . . . . . . . . . 705

30.1.1 Triple of simplifying factors . . . . . . . . . . . . . . . . . 70630.1.2 Decomposition of Heron triangles . . . . . . . . . . . . . . 707

30.2 Gaussian integers . . . . . . . . . . . . . . . . . . . . . . . . . . 70830.2.1 Heron triangles and Gaussian integers . . . . . . . . . . . .708

30.3 Orthocentric Quadrangles . . . . . . . . . . . . . . . . . . . . . . 71030.4 Indecomposable primitive Heron triangles . . . . . . . . . .. . . 711

30.4.1 Construction of Heron triangles with given simplifying factors712

Page 7: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,

Chapter 1

Euclidean Algorithm and Linear Diophantine Equations

1.1 Euclidean algorithm and gcd

The greatest common divisor (gcd) of two positive integers can be found without factorization of the integers, instead by a simple application of the Euclidean algorithm.

Theorem 1.1 (Euclidean algorithm). Given integers $a$ and $b \neq 0$, there are unique integers $q$ and $r$ satisfying

$$a = bq + r, \qquad 0 \le r < |b|. \tag{1.1}$$

If $r = 0$, we say that $a$ is divisible by $b$, or simply that $b$ divides $a$, and write $b \mid a$.

Suppose $a = bq + c$ for integers $a, b, c$, and $q$ (with $q$ nonzero). It is easy to see that every common divisor of $a$ and $b$ is a common divisor of $b$ and $c$, and conversely. Denote by $\gcd(a, b)$ the greatest element of the (nonempty) set of common divisors of $a$ and $b$. Clearly, if $b \mid a$, then $\gcd(a, b) = b$. In general, from (1.1), we have $\gcd(a, b) = \gcd(b, r)$. These observations lead to a straightforward calculation of the gcd of two numbers. To be systematic, we write $a = r_{-1}$ and $b = r_0$ (assumed positive).

$$\begin{aligned}
r_{-1} &= r_0 q_0 + r_1, & 0 \le r_1 < r_0,\\
r_0 &= r_1 q_1 + r_2, & 0 \le r_2 < r_1,\\
r_1 &= r_2 q_2 + r_3, & 0 \le r_3 < r_2,\\
r_2 &= r_3 q_3 + r_4, & 0 \le r_4 < r_3,\\
&\;\;\vdots
\end{aligned}$$

This division process eventually terminates since the remainders are decreasing, namely,

$$r_{-1} > r_0 > r_1 > r_2 > \cdots$$

and yet remain nonnegative. In other words, some $r_n$ divides the preceding $r_{n-1}$ (and leaves a remainder $r_{n+1} = 0$):

$$\begin{aligned}
&\;\;\vdots\\
r_{n-2} &= r_{n-1} q_{n-1} + r_n, & 0 \le r_n < r_{n-1},\\
r_{n-1} &= r_n q_n.
\end{aligned}$$

From these,

$$r_n = \gcd(r_{n-1}, r_n) = \gcd(r_{n-2}, r_{n-1}) = \cdots = \gcd(r_{-1}, r_0) = \gcd(a, b).$$

1.2 gcd(a, b) as an integer combination of a and b

The above calculation of $\gcd(a, b)$ can be retraced to give $\gcd(a, b)$ as an integer combination of $a$ and $b$. Here is a more efficient way to obtain such an expression. In the table below, the integers $x_k$ and $y_k$ are obtained from $q_{k-1}$ in the same way as $r_k$, beginning with $(x_{-1}, x_0) = (1, 0)$ and $(y_{-1}, y_0) = (0, 1)$:

$$\begin{aligned}
x_k &= x_{k-2} - q_{k-1} x_{k-1}, & x_{-1} = 1,\ x_0 = 0;\\
y_k &= y_{k-2} - q_{k-1} y_{k-1}, & y_{-1} = 0,\ y_0 = 1.
\end{aligned}$$

   k      q_k        r_k        x_k        y_k
  -1                 a          1          0
   0      q_0        b          0          1
   1      q_1        r_1        x_1        y_1
  ...     ...        ...        ...        ...
  n-1     q_{n-1}    r_{n-1}    x_{n-1}    y_{n-1}
   n      q_n        r_n        x_n        y_n
  n+1     q_{n+1}    0

In each of these steps, $r_k = a x_k + b y_k$. In particular,

$$\gcd(a, b) = r_n = a x_n + b y_n.$$

It can be proved that $|x_n| < b$ and $|y_n| < a$.

Theorem 1.2. Let $p$ be a prime number. For every integer $a$ not divisible by $p$, there exists an integer $b$ such that $ab - 1$ is divisible by $p$.

Proof. If $a$ is not divisible by the prime number $p$, then $\gcd(a, p) = 1$. There are integers $b$ and $c$ such that $ab + pc = 1$. It is clear that $ab - 1$ is divisible by $p$.

1.3 Linear Diophantine equations

Theorem 1.3. Let $a, b, c$ be integers, $a$ and $b$ nonzero. Consider the linear Diophantine equation

$$ax + by = c. \tag{1.2}$$

1. The equation (1.2) is solvable in integers if and only if $d := \gcd(a, b)$ divides $c$.

2. If $(x, y) = (x_0, y_0)$ is a particular solution of (1.2), then every integer solution is of the form

$$x = x_0 + \frac{b}{d}\, t, \qquad y = y_0 - \frac{a}{d}\, t,$$

where $t$ is an integer.

3. For $c = \gcd(a, b)$, a particular solution $(x, y) = (x_0, y_0)$ of (1.2) can be found such that $|x_0| < |b|$ and $|y_0| < |a|$.
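The table of section 1.2, the inverse of Theorem 1.2 and the solution family of Theorem 1.3, carried out in code. This is an added example, not code from Yiu's notes; the function names euclid_table, extended_gcd, inverse_mod_prime and diophantine are this example's own, and t_range is just the window of values of t that gets listed. The table rows are built with exactly the recurrence above, so the row before the final zero remainder is the row n of the table, and every row satisfies r_k = a x_k + b y_k.

```python
# Added example, not from Yiu's notes. Names are this example's own.

def euclid_table(a, b):
    """Rows (k, q_k, r_k, x_k, y_k) of the extended Euclidean algorithm for
    positive a, b, with (x_-1, x_0) = (1, 0) and (y_-1, y_0) = (0, 1).
    The final row has r_{n+1} = 0 and no quotient; the row before it holds
    gcd(a, b) = r_n = a x_n + b y_n."""
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive")
    rows = [(-1, None, a, 1, 0), (0, None, b, 0, 1)]
    k = 0
    while rows[-1][2] != 0:
        _, _, r_prev, x_prev, y_prev = rows[-2]     # r_{k-1}, x_{k-1}, y_{k-1}
        _, _, r_cur, x_cur, y_cur = rows[-1]        # r_k,     x_k,     y_k
        q = r_prev // r_cur                         # r_{k-1} = r_k q_k + r_{k+1}
        rows[-1] = (k, q, r_cur, x_cur, y_cur)      # fill in q_k on row k
        k += 1
        # r_{k+1}, x_{k+1}, y_{k+1} all follow the same recurrence with q_k
        rows.append((k, None, r_prev - q * r_cur,
                     x_prev - q * x_cur, y_prev - q * y_cur))
    # invariant of the table: r_k = a x_k + b y_k in every row
    assert all(r == a * x + b * y for _, _, r, x, y in rows)
    return rows


def extended_gcd(a, b):
    """gcd(a, b) together with (x_n, y_n) such that a x_n + b y_n = gcd(a, b)."""
    _, _, r, x, y = euclid_table(a, b)[-2]   # last row with a nonzero remainder
    return r, x, y


def inverse_mod_prime(a, p):
    """Theorem 1.2: for a not divisible by the prime p, a b ≡ 1 (mod p)."""
    if a % p == 0:
        raise ValueError("a is divisible by p")
    _, b, _ = extended_gcd(a % p, p)         # (a mod p) b + p c = 1
    return b % p


def diophantine(a, b, c, t_range=range(-2, 3)):
    """Theorem 1.3: None when d = gcd(a, b) does not divide c; otherwise a
    particular solution (x0, y0) of a x + b y = c and the solutions
    (x0 + (b/d) t, y0 - (a/d) t) for t in t_range."""
    d, x, y = extended_gcd(abs(a), abs(b))
    if c % d != 0:
        return None
    # extended_gcd worked on |a|, |b|; restore the signs of a and b
    x0 = (c // d) * x * (1 if a > 0 else -1)
    y0 = (c // d) * y * (1 if b > 0 else -1)
    assert a * x0 + b * y0 == c
    family = [(x0 + (b // d) * t, y0 - (a // d) * t) for t in t_range]
    assert all(a * x + b * y == c for x, y in family)
    return (x0, y0), family


if __name__ == "__main__":
    for row in euclid_table(240, 46):
        print(row)
    print(diophantine(5, 12, 3))             # exercise 3 of section 1.4
```

Running the module prints the table for (a, b) = (240, 46); the quotient column of the last row is None because r_{n+1} = 0 ends the division chain.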

1.4 Exercises

1. Show that $(n! + 1, (n+1)! + 1) = 1$.

2. Instead of successive divisions, the gcd of two positive numbers can be found by repeated subtractions. Make use of this to find $\gcd(2^a - 1, 2^b - 1)$ for positive integers $a$ and $b$.

3. Find a parametrization of the integer points on the line $5x + 12y = 3$.

4. In how many ways can a number of 42-cent and 80-cent stamps be purchased with exactly 40 dollars?

5. Somebody received a check, calling for a certain amount of money in dollars and cents. When he went to cash the check, the teller made a mistake and paid him the amount which was written as cents, in dollars, and vice versa. Later, after spending $3.50, he suddenly realized that he had twice the amount of the money the check called for. What was the amount on the check?

6. Given relatively prime integers $a$ and $b$, what is the largest integer which cannot be written as $ax + by$ for nonnegative integers $x$ and $y$?

Chapter 2

Representation of integers in base b

2.1 Representation in a given base

Given any positive integer $b > 1$, every positive integer $n$ has a unique representation of the form

$$n = c_k b^k + c_{k-1} b^{k-1} + \cdots + c_1 b + c_0$$

for nonnegative integers $c_0, c_1, \ldots, c_k < b$ with $c_k$ nonzero. We usually write

$$n = (c_k c_{k-1} \cdots c_1 c_0)_b$$

and call this the base $b$ expansion of $n$.

2.2 Binary expansions

2.2.1 Calculation of high powers by repeated squaring

Let $a > 1$ be a fixed number, and $n$ a large integer. The number $a^n$ can be computed by repeated squaring, making use of the binary expansion of the exponent $n$. If

$$n = (c_k c_{k-1} \cdots c_1 c_0)_2,$$

we take successive squares $k$ times beginning with $a$, and record them in the middle column in the table below.

   j      a^{2^j}     c_j
   0      a
   1      a^2
  ...     ...
   k      a^{2^k}
                      product

Fill the column under $c_j$ with the corresponding binary digits of $n$. Then $a^n$ is the product of those entries (in the middle column) with a 1 in the same row and the third column.
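Sections 2.1 and 2.2.1 as an added example (not code from the notes): to_base and from_base handle the base-b expansion, and power_table builds exactly the j, a^(2^j), c_j table above so that power_by_squaring can multiply the rows whose digit is 1. The optional modulus m is this example's own extension of the notes' table: reducing every product modulo m turns the same table into a^n mod m, which is how modular exponentiation for the RSA chapter is done without ever forming the huge number a^n. All names are this example's own.

```python
# Added example, not from Yiu's notes. Names are this example's own.

def to_base(n, b):
    """Digits (c_k, ..., c_1, c_0) of n >= 0 in base b > 1, most significant first."""
    if n < 0 or b <= 1:
        raise ValueError("need n >= 0 and b > 1")
    digits = []
    while n:
        n, c = divmod(n, b)          # peel off the least significant digit
        digits.append(c)
    return digits[::-1] or [0]


def from_base(digits, b):
    """Inverse of to_base: the value of (c_k ... c_0)_b."""
    value = 0
    for c in digits:
        value = value * b + c
    return value


def power_table(a, n, m=None):
    """Rows (j, a^(2^j), c_j) for j = 0..k, where n = (c_k ... c_0)_2.
    With a modulus m (this example's extension) each square is reduced mod m."""
    bits = to_base(n, 2)[::-1]       # c_0, c_1, ..., c_k
    rows, square = [], a
    for j, c in enumerate(bits):
        rows.append((j, square, c))
        square = square * square     # next row holds a^(2^(j+1))
        if m is not None:
            square %= m
    return rows


def power_by_squaring(a, n, m=None):
    """a^n (or a^n mod m) as the product of the table rows with c_j = 1."""
    product = 1
    for _, square, c in power_table(a, n, m):
        if c == 1:
            product *= square
            if m is not None:
                product %= m
    return product


if __name__ == "__main__":
    for row in power_table(3, 13):
        print(row)
    print(power_by_squaring(3, 13), 3 ** 13)
```

For n = 13 = (1101)_2 the table has four rows, the digits 1, 0, 1, 1 from the bottom up, and the product of rows 0, 2 and 3 is a · a^4 · a^8 = a^13.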

2.2.2 Parity of binomial coefficients

Theorem 2.1 (Lucas). Let $m = (a_k a_{k-1} \cdots a_1 a_0)_2$ and $n = (b_k b_{k-1} \cdots b_1 b_0)_2$ be the binary expansions of positive integers $m \ge n$. The binomial coefficient $\binom{m}{n}$ is odd if and only if for each $i = 0, 1, \ldots, k$, $a_i = 1$ whenever $b_i = 1$.

Example 2.1. $\binom{55}{35}$ is odd since $55 = 110111_2$ and $35 = 100011_2$.

On the other hand, $\binom{55}{25}$ is even since $55 = 110111_2$ and $25 = 011001_2$.

2.3 Highest power of a prime dividing a factorial

The exponent of the highest power of 2 dividing $18!$ is, counting the asterisks along the rows in the matrix below, $9 + 4 + 2 + 1 = 16$.

  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
     *     *     *     *     *     *     *     *     *
           *           *           *           *
                       *                       *
                                               *

Proposition 2.2. The exponent of the highest power of a prime $p$ dividing $n!$ is

$$\left[\frac{n}{p}\right] + \left[\frac{n}{p^2}\right] + \left[\frac{n}{p^3}\right] + \cdots$$

Let $n = (a_k a_{k-1} \cdots a_1 a_0)_p$ be the base $p$ expansion of $n$. The exponent of the highest power of $p$ dividing $n!$ is the sum of the following numbers (the $i$-th row is $[n/p^i]$ written in base $p$):

  a_k  a_{k-1}  a_{k-2}  ...  a_2  a_1
       a_k      a_{k-1}  ...  a_3  a_2
                a_k      ...  a_4  a_3
                         ...
                              a_k  a_{k-1}
                                   a_k

Let $R(p; k)$ be the integer whose base $p$ expansion consists of $k$ digits each of which is 1. Clearly, $R(p; k) = \frac{1}{p-1}(p^k - 1)$. Adding the numbers above along the diagonals, we have

$$\begin{aligned}
& a_k \cdot R(p; k) + a_{k-1} \cdot R(p; k-1) + \cdots + a_2 \cdot R(p; 2) + a_1 \cdot R(p; 1)\\
&= a_k \cdot \frac{p^k - 1}{p - 1} + a_{k-1} \cdot \frac{p^{k-1} - 1}{p - 1} + \cdots + a_2 \cdot \frac{p^2 - 1}{p - 1} + a_1 \cdot \frac{p - 1}{p - 1} + a_0 \cdot \frac{1 - 1}{p - 1}\\
&= \frac{n - (a_k + a_{k-1} + \cdots + a_1 + a_0)}{p - 1}.
\end{aligned}$$

Corollary 2.3. Let $\alpha(n)$ denote the number of ones in the binary expansion of $n$. The exponent of the highest power of 2 dividing $n!$ is $n - \alpha(n)$.

Theorem 2.4 (Kummer). The exponent of the highest power of a prime $p$ dividing the binomial coefficient $\binom{a+b}{a}$ is equal to the number of carries in performing the addition of $a$ and $b$ in base $p$.
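Proposition 2.2, Corollary 2.3, Theorem 2.4 and the Lucas criterion of Theorem 2.1, checked against one another in an added example (not code from the notes). The exponent of p in n! is computed both as the sum of [n/p^i] and in the digit-sum form (n − (a_0 + ... + a_k))/(p − 1) just derived; Kummer's carry count is compared with the difference of three factorial exponents; and the Lucas test is confirmed as the p = 2 case of Kummer's theorem, since C(m, n) is odd exactly when n + (m − n) produces no carry in base 2. The names digits_base, factorial_prime_exponent, factorial_prime_exponent_digits, carries_in_addition, binomial_prime_exponent, binomial_is_odd and trailing_zeros_of_factorial are this example's own.

```python
# Added example, not from Yiu's notes. Names are this example's own.

def digits_base(n, p):
    """Base-p digits of n >= 0, least significant first (a_0, a_1, ..., a_k)."""
    out = []
    while n:
        n, d = divmod(n, p)
        out.append(d)
    return out


def factorial_prime_exponent(n, p):
    """Proposition 2.2: [n/p] + [n/p^2] + [n/p^3] + ... ."""
    total, power = 0, p
    while power <= n:
        total += n // power
        power *= p
    return total


def factorial_prime_exponent_digits(n, p):
    """The same exponent from the base-p digit sum: (n - (a_0 + ... + a_k)) / (p - 1)."""
    return (n - sum(digits_base(n, p))) // (p - 1)


def carries_in_addition(a, b, p):
    """Number of carries when a and b are added in base p (Kummer's count)."""
    da, db = digits_base(a, p), digits_base(b, p)
    carries = carry = 0
    for i in range(max(len(da), len(db))):
        column = (da[i] if i < len(da) else 0) + (db[i] if i < len(db) else 0) + carry
        carry = 1 if column >= p else 0      # a column sum is at most 2p - 1
        carries += carry
    return carries


def binomial_prime_exponent(n, k, p):
    """Exponent of p in C(n, k): Kummer's carries of k + (n - k) in base p,
    cross-checked against exponent(n!) - exponent(k!) - exponent((n-k)!)."""
    if not 0 <= k <= n:
        raise ValueError("need 0 <= k <= n")
    via_kummer = carries_in_addition(k, n - k, p)
    via_legendre = (factorial_prime_exponent(n, p)
                    - factorial_prime_exponent(k, p)
                    - factorial_prime_exponent(n - k, p))
    assert via_kummer == via_legendre        # the two theorems agree
    return via_kummer


def binomial_is_odd(m, n):
    """Theorem 2.1 (Lucas): C(m, n) is odd iff every 1-bit of n is a 1-bit of m."""
    lucas = (n & ~m) == 0
    assert lucas == (binomial_prime_exponent(m, n, 2) == 0)   # Kummer with p = 2
    return lucas


def trailing_zeros_of_factorial(n):
    """Zeros at the end of n! in decimal: the smaller of the exponents of 2 and 5."""
    return min(factorial_prime_exponent(n, 2), factorial_prime_exponent(n, 5))


if __name__ == "__main__":
    print(factorial_prime_exponent(18, 2), factorial_prime_exponent_digits(18, 2))
    print(binomial_is_odd(55, 35), binomial_is_odd(55, 25))
    print(trailing_zeros_of_factorial(1000))
```

The three printed lines reproduce the 16 of the asterisk matrix, the two cases of Example 2.1, and the answer 249 to exercise 9 of the next section.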

2.4 Exercises

1. (a) Multiply in base 2: $1111_2$ and $11111_2$.

   (b) Let $h \ge k$ be positive integers. Multiply in base 2 the numbers $11 \cdots 1$ ($h$ 1's) and $11 \cdots 1$ ($k$ 1's). Distinguish between the cases $h = k$ and $h > k$.

2. Solve the equation $(b^x - 1)(b^y - 1) = b^z + 1$ for positive integers $b > 1$, $x$, $y$, $z$.

3. Multiply in base 7:

   $[12346]_7 \times [06]_7 =$

   $[12346]_7 \times [15]_7 =$

   $[12346]_7 \times [24]_7 =$

   $[12346]_7 \times [33]_7 =$

   $[12346]_7 \times [42]_7 =$

   $[12346]_7 \times [51]_7 =$

4. Find all positive integers $n$ such that $2^{13} + 2^{10} + 2^n$ is a square.

5. Find all positive integers $n$ such that $2^{14} + 2^{10} + 2^n$ is a square.

6. Ask your friend to write down a polynomial $f(x)$ with nonnegative integer coefficients. Ask her for the value of $f(1)$. She returns 7. Ask her for the value of $f(8)$. She returns 4305. What is the polynomial?

7. (a) What is the highest power of 2 dividing $100!$?

   (b) What is the highest power of 2 dividing the binomial coefficient $\binom{100}{50}$?

8. The exponent of the highest power of 2 dividing the binomial coefficient $\binom{n}{k}$ is $\alpha(k) + \alpha(n - k) - \alpha(n)$.

9. How many zeros are there at the end of the decimal expansion of $1000!$? Answer: 249.

Chapter 3

Prime Numbers

3.1 Infinitude of prime numbers

A positive integer $> 1$ is prime if it is not divisible by any positive integer other than 1 and itself.

Theorem 3.1 (Euclid). There are infinitely many prime numbers.

Proof. If $p_1, p_2, \ldots, p_k$ were all the primes, the number $p_1 p_2 \cdots p_k + 1$, not being divisible by any of them, should admit a prime factor different from any of them. This is clearly a contradiction.

3.2 The sieve of Eratosthenes

If $N$ is not a prime number, it must have a factor $\le \sqrt{N}$.

Given an integer $N$, to determine all the prime numbers $\le N$, we proceed as follows. Start with the sequence

$$2, 3, 4, 5, 6, \ldots, N,$$

with each entry unmarked, and the set $P = \emptyset$.

(1) Note the smallest entry $a$ of the sequence that is not marked.

(2) If $a \le \sqrt{N}$, mark each entry of the sequence which is a multiple of $a$, but not equal to $a$, and replace $P$ by $P \cup \{a\}$.

(3) If $a > \sqrt{N}$, stop. The set $P$ now consists of the totality of prime numbers $\le N$.
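Steps (1) to (3) above as an added example (not code from the notes). One point worth making explicit when implementing them: step (2) only ever adds entries a ≤ √N to P, so when step (3) stops, the entries that are still unmarked (the primes between √N and N) have to be merged into P as well; the code does that after the loop. The names sieve and is_prime_by_trial are this example's own, and the second function is a cross-check of the remark that a composite N has a factor ≤ √N.

```python
# Added example, not from Yiu's notes. Names are this example's own.
from math import isqrt


def sieve(N):
    """All primes <= N, following steps (1)-(3) of the sieve of Eratosthenes."""
    if N < 2:
        return []
    marked = [False] * (N + 1)          # marked[a]: has entry a been marked?
    marked[0] = marked[1] = True        # 0 and 1 are not in the sequence 2, ..., N
    P = []
    root = isqrt(N)                     # integer part of sqrt(N)
    a = 2
    while a <= N:
        if not marked[a]:               # (1) smallest unmarked entry
            if a > root:                # (3) stop
                break
            P.append(a)                 # (2) P := P ∪ {a} ...
            for multiple in range(2 * a, N + 1, a):
                marked[multiple] = True  # ... and mark the multiples of a other than a
        a += 1
    # After the stop, every unmarked entry in a..N is a prime > sqrt(N);
    # merge them into P so that P is the full list of primes <= N.
    P.extend(x for x in range(a, N + 1) if not marked[x])
    return P


def is_prime_by_trial(n):
    """A composite n has a factor <= sqrt(n), so trial-dividing up to isqrt(n) suffices."""
    return n >= 2 and all(n % d != 0 for d in range(2, isqrt(n) + 1))


if __name__ == "__main__":
    print(sieve(35))
    print(len(sieve(10000)))
```

For N = 35 the sieve stops at a = 7 (the first unmarked entry above √35), having recorded 2, 3, 5 in P; the unmarked entries 7, 11, 13, 17, 19, 23, 29, 31 complete the list, and the count for N = 10000 is 1229, the size of the table that follows.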

3.2.1 A visualization of the sieve of Eratosthenes

Let $a$ and $b$ be positive integers. The line

$$b(a + 1)x + y - (a + 1) = 0$$

joins the points $\left(\frac{1}{a}, 0\right)$ and $(0, b + 1)$ and intersects the line $x = -1$ at the point $(-1, (a + 1)(b + 1))$. Note that the $y$-coordinate is a composite number. Conversely, if $y$ is a composite number, then it is of the form $(a + 1)(b + 1)$ for some positive integers $a$ and $b$, and is the $y$-coordinate of the intersection of the line $x = -1$ with the line joining $\left(\frac{1}{a}, 0\right)$ and $(0, b + 1)$. [1] Here is a visualization for $N = 35$.

[Figure: the visualization for N = 35. The labelled points on the line x = −1 that none of these lines passes through are the primes 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31.]

[1] R. Juricevic, Notices of AMS, September 2008, p. 921.

Primes below 10000

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47
53 59 61 67 71 73 79 83 89 97 101 103 107 109 113
127 131 137 139 149 151 157 163 167 173 179 181 191 193 197
199 211 223 227 229 233 239 241 251 257 263 269 271 277 281
283 293 307 311 313 317 331 337 347 349 353 359 367 373 379
383 389 397 401 409 419 421 431 433 439 443 449 457 461 463
467 479 487 491 499 503 509 521 523 541 547 557 563 569 571
577 587 593 599 601 607 613 617 619 631 641 643 647 653 659
661 673 677 683 691 701 709 719 727 733 739 743 751 757 761
769 773 787 797 809 811 821 823 827 829 839 853 857 859 863
877 881 883 887 907 911 919 929 937 941 947 953 967 971 977
983 991 997 1009 1013 1019 1021 1031 1033 1039 1049 1051 1061 1063 1069
1087 1091 1093 1097 1103 1109 1117 1123 1129 1151 1153 1163 1171 1181 1187
1193 1201 1213 1217 1223 1229 1231 1237 1249 1259 1277 1279 1283 1289 1291
1297 1301 1303 1307 1319 1321 1327 1361 1367 1373 1381 1399 1409 1423 1427
1429 1433 1439 1447 1451 1453 1459 1471 1481 1483 1487 1489 1493 1499 1511
1523 1531 1543 1549 1553 1559 1567 1571 1579 1583 1597 1601 1607 1609 1613
1619 1621 1627 1637 1657 1663 1667 1669 1693 1697 1699 1709 1721 1723 1733
1741 1747 1753 1759 1777 1783 1787 1789 1801 1811 1823 1831 1847 1861 1867
1871 1873 1877 1879 1889 1901 1907 1913 1931 1933 1949 1951 1973 1979 1987
1993 1997 1999 2003 2011 2017 2027 2029 2039 2053 2063 2069 2081 2083 2087
2089 2099 2111 2113 2129 2131 2137 2141 2143 2153 2161 2179 2203 2207 2213
2221 2237 2239 2243 2251 2267 2269 2273 2281 2287 2293 2297 2309 2311 2333
2339 2341 2347 2351 2357 2371 2377 2381 2383 2389 2393 2399 2411 2417 2423
2437 2441 2447 2459 2467 2473 2477 2503 2521 2531 2539 2543 2549 2551 2557
2579 2591 2593 2609 2617 2621 2633 2647 2657 2659 2663 2671 2677 2683 2687
2689 2693 2699 2707 2711 2713 2719 2729 2731 2741 2749 2753 2767 2777 2789
2791 2797 2801 2803 2819 2833 2837 2843 2851 2857 2861 2879 2887 2897 2903
2909 2917 2927 2939 2953 2957 2963 2969 2971 2999 3001 3011 3019 3023 3037
3041 3049 3061 3067 3079 3083 3089 3109 3119 3121 3137 3163 3167 3169 3181
3187 3191 3203 3209 3217 3221 3229 3251 3253 3257 3259 3271 3299 3301 3307
3313 3319 3323 3329 3331 3343 3347 3359 3361 3371 3373 3389 3391 3407 3413
3433 3449 3457 3461 3463 3467 3469 3491 3499 3511 3517 3527 3529 3533 3539
3541 3547 3557 3559 3571 3581 3583 3593 3607 3613 3617 3623 3631 3637 3643
3659 3671 3673 3677 3691 3697 3701 3709 3719 3727 3733 3739 3761 3767 3769
3779 3793 3797 3803 3821 3823 3833 3847 3851 3853 3863 3877 3881 3889 3907
3911 3917 3919 3923 3929 3931 3943 3947 3967 3989 4001 4003 4007 4013 4019
4021 4027 4049 4051 4057 4073 4079 4091 4093 4099 4111 4127 4129 4133 4139
4153 4157 4159 4177 4201 4211 4217 4219 4229 4231 4241 4243 4253 4259 4261
4271 4273 4283 4289 4297 4327 4337 4339 4349 4357 4363 4373 4391 4397 4409
4421 4423 4441 4447 4451 4457 4463 4481 4483 4493 4507 4513 4517 4519 4523
4547 4549 4561 4567 4583 4591 4597 4603 4621 4637 4639 4643 4649 4651 4657
4663 4673 4679 4691 4703 4721 4723 4729 4733 4751 4759 4783 4787 4789 4793
4799 4801 4813 4817 4831 4861 4871 4877 4889 4903 4909 4919 4931 4933 4937
4943 4951 4957 4967 4969 4973 4987 4993 4999 5003 5009 5011 5021 5023 5039
5051 5059 5077 5081 5087 5099 5101 5107 5113 5119 5147 5153 5167 5171 5179
5189 5197 5209 5227 5231 5233 5237 5261 5273 5279 5281 5297 5303 5309 5323
5333 5347 5351 5381 5387 5393 5399 5407 5413 5417 5419 5431 5437 5441 5443
5449 5471 5477 5479 5483 5501 5503 5507 5519 5521 5527 5531 5557 5563 5569
5573 5581 5591 5623 5639 5641 5647 5651 5653 5657 5659 5669 5683 5689 5693
5701 5711 5717 5737 5741 5743 5749 5779 5783 5791 5801 5807 5813 5821 5827
5839 5843 5849 5851 5857 5861 5867 5869 5879 5881 5897 5903 5923 5927 5939
5953 5981 5987 6007 6011 6029 6037 6043 6047 6053 6067 6073 6079 6089 6091
6101 6113 6121 6131 6133 6143 6151 6163 6173 6197 6199 6203 6211 6217 6221
6229 6247 6257 6263 6269 6271 6277 6287 6299 6301 6311 6317 6323 6329 6337
6343 6353 6359 6361 6367 6373 6379 6389 6397 6421 6427 6449 6451 6469 6473
6481 6491 6521 6529 6547 6551 6553 6563 6569 6571 6577 6581 6599 6607 6619
6637 6653 6659 6661 6673 6679 6689 6691 6701 6703 6709 6719 6733 6737 6761
6763 6779 6781 6791 6793 6803 6823 6827 6829 6833 6841 6857 6863 6869 6871
6883 6899 6907 6911 6917 6947 6949 6959 6961 6967 6971 6977 6983 6991 6997
7001 7013 7019 7027 7039 7043 7057 7069 7079 7103 7109 7121 7127 7129 7151
7159 7177 7187 7193 7207 7211 7213 7219 7229 7237 7243 7247 7253 7283 7297
7307 7309 7321 7331 7333 7349 7351 7369 7393 7411 7417 7433 7451 7457 7459
7477 7481 7487 7489 7499 7507 7517 7523 7529 7537 7541 7547 7549 7559 7561
7573 7577 7583 7589 7591 7603 7607 7621 7639 7643 7649 7669 7673 7681 7687
7691 7699 7703 7717 7723 7727 7741 7753 7757 7759 7789 7793 7817 7823 7829
7841 7853 7867 7873 7877 7879 7883 7901 7907 7919 7927 7933 7937 7949 7951
7963 7993 8009 8011 8017 8039 8053 8059 8069 8081 8087 8089 8093 8101 8111
8117 8123 8147 8161 8167 8171 8179 8191 8209 8219 8221 8231 8233 8237 8243
8263 8269 8273 8287 8291 8293 8297 8311 8317 8329 8353 8363 8369 8377 8387
8389 8419 8423 8429 8431 8443 8447 8461 8467 8501 8513 8521 8527 8537 8539
8543 8563 8573 8581 8597 8599 8609 8623 8627 8629 8641 8647 8663 8669 8677
8681 8689 8693 8699 8707 8713 8719 8731 8737 8741 8747 8753 8761 8779 8783
8803 8807 8819 8821 8831 8837 8839 8849 8861 8863 8867 8887 8893 8923 8929
8933 8941 8951 8963 8969 8971 8999 9001 9007 9011 9013 9029 9041 9043 9049
9059 9067 9091 9103 9109 9127 9133 9137 9151 9157 9161 9173 9181 9187 9199
9203 9209 9221 9227 9239 9241 9257 9277 9281 9283 9293 9311 9319 9323 9337
9341 9343 9349 9371 9377 9391 9397 9403 9413 9419 9421 9431 9433 9437 9439
9461 9463 9467 9473 9479 9491 9497 9511 9521 9533 9539 9547 9551 9587 9601
9613 9619 9623 9629 9631 9643 9649 9661 9677 9679 9689 9697 9719 9721 9733
9739 9743 9749 9767 9769 9781 9787 9791 9803 9811 9817 9829 9833 9839 9851
9857 9859 9871 9883 9887 9901 9907 9923 9929 9931 9941 9949 9967 9973

3.3 The Fundamental Theorem of Arithmetic

Theorem 3.2. Every positive integer is uniquely a product of powers of prime numbers.

Here are three important number theoretic functions.

1. The number of divisors function: $d(n) := |\{d \in \mathbb{N} : d \mid n\}|$.

2. The sum of divisors function: $\sigma(n) := \sum_{d \mid n} d$.

3. Euler $\varphi$-function: $\varphi(n) := |\{k \in \mathbb{Z} : 1 \le k \le n \text{ and } \gcd(k, n) = 1\}|$.

Each of these functions is multiplicative, i.e., $f(mn) = f(m) f(n)$ if $\gcd(m, n) = 1$. They are therefore determined by their values at the prime powers.

1. $d(p^a) = 1 + a$;

2. $\sigma(p^a) = 1 + p + \cdots + p^a = \dfrac{p^{a+1} - 1}{p - 1}$;

3. $\varphi(p^a) = p^a - p^{a-1} = p^a \left(1 - \dfrac{1}{p}\right)$.

3.4 Perfect numbers

A perfect number is an integer equal to the sum of all of its divisors, including 1 but excluding the number itself. Euclid had given the following rule of construction of even perfect numbers. If $M_k := 1 + 2 + \cdots + 2^{k-1} = 2^k - 1$ is a prime number, [2] then the number $N_k := 2^{k-1} M_k$ is perfect. Now, in terms of the function $\sigma$, an integer $n$ is perfect if $\sigma(n) = 2n$. Here is an easy proof of Euclid's construction:

$$\begin{aligned}
\sigma(N_k) &= \sigma(2^{k-1} M_k) = \sigma(2^{k-1})\, \sigma(M_k) = (2^k - 1)(1 + M_k)\\
&= M_k \cdot 2^k = 2 \cdot 2^{k-1} M_k = 2 N_k.
\end{aligned}$$

Therefore, $N_k$ is an even perfect number. Euler has subsequently shown that every even perfect number must be of this form. [3]

Let $N$ be an even perfect number, factored into the form $N = 2^{k-1} \cdot m$, where $k - 1 \ge 1$ and $m$ is odd. Thus,

$$2N = \sigma(N) = \sigma(2^{k-1} \cdot m) = \sigma(2^{k-1})\, \sigma(m) = (2^k - 1)\, \sigma(m).$$

It foll{}ows that

$$\sigma(m) = \frac{2N}{2^k - 1} = \frac{2^k}{2^k - 1} \cdot m = m + \frac{m}{2^k - 1}.$$

Note that the number $\frac{m}{2^k - 1}$, being the difference $\sigma(m) - m$, is an integer. As such, it is a divisor of $m$. This expression shows that $m$ has exactly two divisors. From this we conclude that $\frac{m}{2^k - 1} = 1$ and $m = 2^k - 1$ is a prime. This means that every even perfect number must be of the form $2^{k-1}(2^k - 1)$ in which the factor $2^k - 1$ is a prime. This was exactly what Euclid gave.

[2] The number $M_k = 2^k - 1$ is usually known as the $k$-th Mersenne number. There are only 44 known Mersenne primes. The latest and greatest record is $M_{32582657}$ which has 9808358 digits. It is also the greatest known prime.

[3] It is not known if an odd perfect number exists.
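The three functions of section 3.3 built from their prime-power values, together with the perfect-number test σ(n) = 2n and Euclid's construction N_k of section 3.4, as an added example (not code from the notes). Factoring is by trial division, which is adequate for the small n used here; the names factorize, multiplicative, d, sigma, phi, is_perfect, euclid_perfect_numbers and brute_force_agrees are this example's own, the last being a check of the three functions against their definitions.

```python
# Added example, not from Yiu's notes. Names are this example's own.
from math import gcd


def factorize(n):
    """Prime factorization of n >= 1 as a list of (p, a) with p^a exactly dividing n."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            a = 0
            while n % p == 0:
                n //= p
                a += 1
            factors.append((p, a))
        p += 1
    if n > 1:                      # what is left is a prime > sqrt(original n)
        factors.append((n, 1))
    return factors


def multiplicative(prime_power_value):
    """Build a multiplicative f from its values f(p^a): f(n) = prod f(p^a)."""
    def f(n):
        result = 1
        for p, a in factorize(n):
            result *= prime_power_value(p, a)
        return result
    return f


d = multiplicative(lambda p, a: 1 + a)                              # d(p^a) = 1 + a
sigma = multiplicative(lambda p, a: (p ** (a + 1) - 1) // (p - 1))  # (p^(a+1) - 1)/(p - 1)
phi = multiplicative(lambda p, a: p ** a - p ** (a - 1))            # p^a - p^(a-1)


def is_perfect(n):
    """n is perfect iff sigma(n) = 2n."""
    return n >= 2 and sigma(n) == 2 * n


def euclid_perfect_numbers(limit):
    """Euclid's N_k = 2^(k-1) M_k <= limit for those k with M_k = 2^k - 1 prime."""
    out, k = [], 2
    while 2 ** (k - 1) * (2 ** k - 1) <= limit:
        M_k = 2 ** k - 1
        if factorize(M_k) == [(M_k, 1)]:      # M_k is prime
            out.append(2 ** (k - 1) * M_k)
        k += 1
    return out


def brute_force_agrees(n):
    """Compare d, sigma, phi with their definitions for one n."""
    divisors = [k for k in range(1, n + 1) if n % k == 0]
    return (d(n) == len(divisors)
            and sigma(n) == sum(divisors)
            and phi(n) == sum(1 for k in range(1, n + 1) if gcd(k, n) == 1))


if __name__ == "__main__":
    print(d(12), sigma(28), phi(36))
    print([n for n in range(2, 10000) if is_perfect(n)])
    print(euclid_perfect_numbers(10000))
```

The two printed lists coincide, which is Euler's result for even perfect numbers in the range (and, in this range, there are no odd ones to worry about): both give 6, 28, 496, 8128.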

3.5 Exercises

1. Show that 3, 5, 7 form the only prime triple.

2. Given any integer $k \ge 2$, it is always possible to find a sequence of $k$ consecutive integers which are all composites.

3. If $n$ is a positive integer, does there exist a positive integer $k$ such that the sequence

$$k + 1, \; 2k + 1, \; 3k + 1, \; \ldots, \; nk + 1$$

consists only of composite numbers?

4. Prove that in the infinite sequence of integers

$$10001, \; 100010001, \; 1000100010001, \; \ldots$$

there is no prime number.

5. If $n = \prod_{i=1}^{k} p_i^{a_i}$ is the prime factorization of $n$, then $n$ has altogether $\tau(n) = \prod_{i=1}^{k} (1 + a_i)$ divisors.

6. Find all sequences of 49 consecutive integers whose squares add up to a square.

7. Prove that for $n \ge 2$, $1 + \frac{1}{2} + \frac{1}{3} + \cdots + \frac{1}{n}$ is never an integer.

8. (a) Show that $\sqrt{2}$ is not a rational number.

   (b) More generally, for an integer $N$, $\sqrt{N}$ is a rational number if and only if $N$ is the square of an integer.

Chapter 4

Linear Congruences

4.1 The ring of residues modulo n

Let $n > 1$ be a positive integer. We define a relation on the set of integers:

$$a \equiv b \pmod n \quad \text{if and only if} \quad a - b = nq \text{ for some } q \in \mathbb{Z}.$$

This is an equivalence relation. For each integer $x$, we write

$$[x] = \{y \in \mathbb{Z} : y \equiv x \pmod n\}$$

and call this the residue class of $x$ mod $n$. There are altogether $n$ distinct residue classes, represented by $0, 1, \ldots, n - 1$. We denote the set of residue classes by $\mathbb{Z}_n$.

The arithmetic operations of integers respect the congruence relation modulo $n$, i.e., if $a \equiv a' \pmod n$ and $b \equiv b' \pmod n$, then

(i) $a \pm b \equiv a' \pm b' \pmod n$,

(ii) $ab \equiv a'b' \pmod n$.

Thus, there are an addition and a multiplication in the set $\mathbb{Z}_n$ given by

$$[a] + [b] = [a + b] \quad \text{and} \quad [a] \cdot [b] = [ab].$$

Clearly, the additive and multiplicative identities are the residue classes $[0]$ and $[1]$ respectively. We summarize these by saying that $\mathbb{Z}_n$ is a ring.

A unit in $\mathbb{Z}_n$ is an element which has a multiplicative inverse. In other words, $[a] \in \mathbb{Z}_n$ is a unit if and only if there exists $b$ such that $[a][b] = [1]$. This means that $ab - 1 = nq$ for an integer $q$. From this, $\gcd(a, n) = 1$. Conversely, if $\gcd(a, n) = 1$, then there are integers $b$ and $q$ such that $ab - nq = 1$, from which $[a][b] = [1]$.

Theorem 4.1. (a) In $\mathbb{Z}_n$, a residue class $[a]$ is a unit if and only if $\gcd(a, n) = 1$. (b) $\mathbb{Z}_n$ is a field if and only if $n$ is a prime number.


Example

The function f : Z_m → Z_n given by

f([x]_m) = [x]_n

is well defined if and only if m is divisible by n. Here [x]_m denotes the residue class of x modulo m; similarly for n.

4.2 Simultaneous linear congruences

An ancient Chinese problem: solve the simultaneous congruences

x ≡ 2 mod 3, x ≡ 3 mod 5, x ≡ 2 mod 7.

Solution. It is easier to solve the following analogous problems:

(1) x ≡ 1 mod 3, x ≡ 0 mod 5, x ≡ 0 mod 7.
(2) x ≡ 0 mod 3, x ≡ 1 mod 5, x ≡ 0 mod 7.
(3) x ≡ 0 mod 3, x ≡ 0 mod 5, x ≡ 1 mod 7.

For problem (1), we must have x ≡ 0 mod 35. Since 35 ≡ 2 mod 3, and 70 ≡ 1 mod 3, we may choose x_1 = 70 for a solution of the first problem.

Similarly, for problem (2), x ≡ 0 mod 21. Since 21 ≡ 1 mod 5, we may choose x_2 = 21 for a solution of the second problem.

For problem (3), x ≡ 0 mod 15, and we may choose x_3 = 15 for a solution. Using these, we can find a solution to the original problem: x = 2x_1 + 3x_2 + 2x_3 = 233. Since the least common multiple of 3, 5, 7 is 105, we may reduce this modulo 105, and obtain x ≡ 23 mod 105 for the solution.

Theorem 4.2 (Chinese Remainder Theorem). Let n_1, n_2, . . . , n_k be pairwise relatively prime integers. For arbitrary integers a_1, a_2, . . . , a_k, the system of simultaneous congruences

x ≡ a_1 mod n_1, x ≡ a_2 mod n_2, . . . , x ≡ a_k mod n_k,

has a unique solution modulo n_1 n_2 · · · n_k.

Proof. For each i = 1, 2, . . . , k, the system of simultaneous linear congruences

x ≡ 0 mod n_1, . . . , x ≡ 1 mod n_i, . . . , x ≡ 0 mod n_k,

has a unique solution x_i mod n_1 n_2 · · · n_k. The original problem has solution x ≡ a_1 x_1 + · · · + a_k x_k mod n_1 n_2 · · · n_k.
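The constructive proof of Theorem 4.2, as an added Python example that is not part of the lecture notes: the "analogous problems" are solved with the extended Euclidean algorithm (the inverse exists by Theorem 4.1), and the pieces are combined exactly as in the solution of the ancient Chinese problem above.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inverse_mod(a, n):
    """Multiplicative inverse of [a] in Z_n.  By Theorem 4.1 it exists iff gcd(a, n) = 1."""
    g, s, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not a unit modulo {n}")
    return s % n


def crt_basis(moduli):
    """The 'analogous problems' of Section 4.2: for pairwise coprime n_1..n_k return
    x_1..x_k with x_i = 1 mod n_i and x_i = 0 mod n_j for every j != i."""
    N = 1
    for n in moduli:
        N *= n
    basis = []
    for n in moduli:
        m = N // n                           # a multiple of every modulus except n
        basis.append(m * inverse_mod(m, n))  # scaled so that it is 1 mod n
    return basis


def crt_solve(residues, moduli):
    """Solve x = a_i mod n_i simultaneously; returns (x mod N, N) with N = n_1...n_k."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    N = 1
    for n in moduli:
        N *= n
    # x = a_1 x_1 + ... + a_k x_k, exactly as in the proof of Theorem 4.2
    x = sum(a * xi for a, xi in zip(residues, crt_basis(moduli)))
    return x % N, N


if __name__ == "__main__":
    # The ancient Chinese problem: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7)
    print(crt_basis([3, 5, 7]))             # [70, 21, 15]
    print(crt_solve([2, 3, 2], [3, 5, 7]))  # (23, 105)
```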


4.3 Exercises

1. Solve the congruences

(a) 3x ≡ 5 (mod 7); (b) 4x ≡ 12 (mod 16); (c) 4x ≡ 10 (mod 24).

2. Find all residues modulo 12 which have multiplicative inverses.

3. Compute $2^{1092} \bmod 1093$ and $2^{1092} \bmod 1093^2$.

4. Show that every nonzero element of Z_n is a unit if and only if n is a prime number.

5. Solve the equation 1! + 2! + 3! + · · · + n! = m² for positive integers m and n.

6. Counting from the right end, what is the 2500th digit of 10,000!?

7. An army has about 20,000 soldiers. If the soldiers line up 7 by 7, there is an incomplete line of 6 soldiers; if they line up 11 by 11, there is an incomplete line of 4; if they line up 13 by 13, there is also an incomplete line of 4; if they line up 17 by 17, there is an incomplete line of 13. How many soldiers are there in the army?


Chapter 5

The Euler ϕ-function

For a positive integer n, the Euler ϕ-function ϕ(n) gives the number of units in Z_n. This is the order of the group Z_n^• of units of Z_n.

Theorem 5.1. ϕ is a multiplicative function, i.e.,

ϕ(mn) = ϕ(m)ϕ(n) if gcd(m, n) = 1.

Proof. The function F : Z_mn → Z_m × Z_n given by

F([x]_mn) = ([x]_m, [x]_n)

restricts to a bijection Z_mn^• → Z_m^• × Z_n^•.

Lemma 5.2. Let p be a prime.
(a) ϕ(p) = p − 1.
(b) $\varphi(p^k) = p^k\left(1 - \frac{1}{p}\right)$.

Proposition 5.3.

$$\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right).$$

ϕ(10i + j) for 0 ≤ i, j ≤ 9

i \ j |  0   1   2   3   4   5   6   7   8   9
------+----------------------------------------
  0   |  –   1   1   2   2   4   2   6   4   6
  1   |  4  10   4  12   6   8   8  16   6  18
  2   |  8  12  10  22   8  20  12  18  12  28
  3   |  8  30  16  20  16  24  12  36  18  24
  4   | 16  40  12  42  20  24  22  46  16  42
  5   | 20  32  24  52  18  40  24  36  28  58
  6   | 16  60  30  36  32  48  20  66  32  44
  7   | 24  70  24  72  36  40  36  60  24  78
  8   | 32  54  40  82  24  64  42  56  40  88
  9   | 24  72  44  60  46  72  32  96  42  60


Example 5.1. We find all integers n for which ϕ(n) = 24.
If p is a prime divisor of n, p − 1 must be a divisor of 24. This means p must be one of 2, 3, 5, 7, 13.
If n is not divisible by any of 5, 7, 13, then $n = 2^a 3^b$ for some integers a and b, and $\varphi(n) = 2^a 3^b\left(1 - \frac{1}{2}\right)\left(1 - \frac{1}{3}\right) = 2^a 3^{b-1}$. From this, a = 3, b = 2, and $n = 2^3 \cdot 3^2 = 72$.
If n is divisible by any of p = 5, 7, 13, n = pm, p ∤ m. From this, 24 = ϕ(p)ϕ(m) = (p − 1)ϕ(m).
If p = 5, ϕ(m) = 6, m = 7, 14, 18, n = 35, 70, 90.
If p = 7, ϕ(m) = 4, m = 5, 8, 10, 12, n = 35, 56, 70, 84.
If p = 13, ϕ(m) = 2, m = 3, 4, 6, n = 39, 52, 78.
Summary: ϕ(n) = 24 if and only if n is one of the numbers

35, 39, 45, 52, 56, 70, 72, 78, 84, 90.

Example 5.2. We find all integers n for which ϕ(n) divides n.
Clearly, n must be even, and every power of 2 satisfies the condition. Write $n = 2^r k$ for r ≥ 1 and k > 1 odd. Then $\varphi(n) = 2^{r-1}\varphi(k)$. If k has l distinct prime divisors, then ϕ(k) is divisible by $2^l$ and ϕ(n) is divisible by $2^{r+l-1}$. From this, we must have l = 1, and $k = p^s$ for an odd prime p. Now, $\varphi(n) = 2^r p^{s-1} \cdot \frac{p-1}{2}$. If this divides n, we must have $\frac{p-1}{2}$ dividing the prime p. This is possible only when p = 3. It follows that $n = 2^r \cdot 3^s$.
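Proposition 5.3 and the two worked examples, as an added Python example that is not from the notes. The search bound used in phi_inverse (ϕ(n) ≥ √(n/2) for every n, hence ϕ(n) = m forces n ≤ 2m²) is a standard estimate assumed here, not something stated on the page.

```python
from math import gcd


def factorize(n):
    """Trial-division prime factorization of n >= 1: returns {p: exponent}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's function via Proposition 5.3, phi(n) = n * prod_{p|n} (1 - 1/p),
    evaluated prime by prime as p^(k-1) (p - 1) so everything stays an integer."""
    result = 1
    for p, k in factorize(n).items():
        result *= p ** (k - 1) * (p - 1)
    return result


def phi_by_counting(n):
    """The definition: the number of units of Z_n, i.e. of residues coprime to n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def phi_inverse(m):
    """All n with phi(n) = m, the question of Example 5.1 (there m = 24).
    Search bound (assumption, see lead-in): phi(n) >= sqrt(n/2), so n <= 2 m^2."""
    return [n for n in range(1, 2 * m * m + 1) if phi(n) == m]


def phi_divides_n(limit):
    """All n <= limit with phi(n) | n, the question of Example 5.2."""
    return [n for n in range(1, limit + 1) if n % phi(n) == 0]


if __name__ == "__main__":
    print([phi(30 + j) for j in range(10)])  # row i = 3 of the table: [8, 30, 16, 20, 16, 24, 12, 36, 18, 24]
    print(phi_inverse(24))                   # [35, 39, 45, 52, 56, 70, 72, 78, 84, 90]
    print(phi_divides_n(100))                # 1 and the numbers 2^r 3^s below 100
```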

5.1 Exercises

1. (a) Find all integers n for which ϕ(n) is an odd number.

(b) Find all n for which ϕ(n) = 2, 4, 6.

2. (a) Prove that if f(n) is a multiplicative function, then so is $F(n) := \sum_{d \mid n} f(d)$.

(b) Make use of (a) to prove that $\sum_{d \mid n} \varphi(d) = n$.


Chapter 6

Fermat-Euler theorem

Theorem 6.1 (Fermat-Euler). If gcd(a, n) = 1, $a^{\var​phi(n)} \equiv 1 \bmod n$.

Proof. The function f_a : Z_n → Z_n given by f_a([x]) = [ax] induces a bijection Z_n^• → Z_n^•. This means that if x_1, . . . , x_{ϕ(n)} are the elements of Z_n^•, then [ax_1], . . . , [ax_{ϕ(n)}] is a permutation of the same ϕ(n) elements. In other words,

[ax_1] · · · [ax_{ϕ(n)}] = [x_1] · · · [x_{ϕ(n)}],

or

$(a^{\varphi(n)} - 1)\, x_1 \cdots x_{\varphi(n)} \equiv 0 \bmod n.$

Since each of x_1, . . . , x_{ϕ(n)} is relatively prime to n, it follows that $a^{\varphi(n)} - 1 \equiv 0 \bmod n$.

Corollary 6.2 (Fermat's Little Theorem). Let p be a prime, and a an integer. If p does not divide a, then $a^{p-1} \equiv 1 \bmod p$.

6.1 Primality test for Mersenne numbers

A Mersenne number is one of the form $M_k := 2^k - 1$. A Mersenne prime gives rise to an even perfect number (see §3.4).

Theorem 6.3 (Fermat). If p is prime, then every prime divisor of $M_p := 2^p - 1$ is of the form 2pk + 1 for some integer k.

Example 6.1. (a) To test the primality of $M_{11} = 2^{11} - 1 = 2047$, we try to find divisors of M_11 of the form 22k + 1. For k = 1, it can be easily checked that 2047 = 23 · 89. (The other divisor 89 = 22 · 4 + 1.)

(b) To test the primality of $M_{13} = 2^{13} - 1 = 8191$, we need only check prime divisors of the form 26k + 1 which are less than 90. These are 53 and 79. None of these divides 8191. We conclude that M_13 is prime.


6.2 Pseudoprimes

The converse of Fermat's little theorem is not true. If $2^{p-1} \equiv 1 \pmod p$, one cannot conclude that p is a prime. Here is an example: p = 341 = 11 × 31 is composite, but $2^{340} \equiv 1 \bmod 341$. A composite n is called a pseudoprime to base b if $b^{n-1} \equiv 1 \pmod n$.
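Theorem 6.3 and §6.2 as an added Python example (not code from the notes): trial division of M_p restricted to the candidates 2pk + 1, beside the Fermat test that 341 defeats. A passed Fermat test is only evidence, never a proof, which is why is_pseudoprime exists.

```python
def is_prime_trial(n):
    """Plain trial division; adequate for the sizes in this chapter."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def mersenne_factor(p):
    """Smallest prime divisor of M_p = 2^p - 1 for a prime p, or None if M_p is prime.
    By Theorem 6.3 only candidates of the form 2pk + 1 need to be tried, and only
    those up to sqrt(M_p), which is what makes the test in Example 6.1 so short."""
    if not is_prime_trial(p):
        raise ValueError("Theorem 6.3 needs a prime exponent")
    M = 2 ** p - 1
    q = 2 * p + 1                      # k = 1
    while q * q <= M:
        if is_prime_trial(q) and M % q == 0:
            return q
        q += 2 * p                     # next k
    return None


def mersenne_is_prime(p):
    return mersenne_factor(p) is None


def fermat_test(n, base=2):
    """Fermat's little theorem used as a test: True means base^(n-1) = 1 mod n.
    A True answer does NOT prove n prime; see is_pseudoprime."""
    return pow(base, n - 1, n) == 1


def is_pseudoprime(n, base):
    """A composite n that passes the Fermat test to the given base (Section 6.2)."""
    return not is_prime_trial(n) and fermat_test(n, base)


if __name__ == "__main__":
    print(mersenne_factor(11), mersenne_is_prime(13))  # 23 True
    print(is_pseudoprime(341, 2))                      # True: 341 = 11 * 31 fools the base-2 test
```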

6.3 Exercises

1. Check that M_17 = 131071 and M_19 = 524287 are primes.

2. Find a prime divisor of M_23 = 8388607.

3. Find a prime divisor of M_29 = 536870911.

4. Consider $M_{47} = 2^{47} - 1 = 140737488355327$. The beginning primes of the form 94k + 1 are

283, 659, 941, 1129, 1223, 1693, 1787, 2069,

2351, 2539, 2633, 3761, 4231, 4513, 4889, . . . .

(a) Find two prime divisors of M_47 from this list.
(b) Completely factorize M_47.

5. Show that 561 is a 2-pseudoprime.

6. Show that 1729 is a 2- and 3-pseudoprime.


Appendix: Mersenne primes

k        Year      Discoverer                      | k         Year      Discoverer
2        Ancient                                   | 3         Ancient
5        Ancient                                   | 7         Ancient
13       Ancient                                   | 17        1588      P.A. Cataldi
19       1588      P.A. Cataldi                    | 31        1750      L. Euler
61       1883      I.M. Pervushin                  | 89        1911      R.E. Powers
107      1913      E. Fauquembergue                | 127       1876      E. Lucas
521      1952      R.M. Robinson                   | 607       1952      R.M. Robinson
1279     1952      R.M. Robinson                   | 2203      1952      R.M. Robinson
2281     1952      R.M. Robinson                   | 3217      1957      H. Riesel
4253     1961      A. Hurwitz                      | 4423      1961      A. Hurwitz
9689     1963      D.B. Gillies                    | 9941      1963      D.B. Gillies
11213    1963      D.B. Gillies                    | 19937     1971      B. Tuckerman
21701    1978      C. Noll, L. Nickel              | 23209     1979      C. Noll
44497    1979      H. Nelson, D. Slowinski         | 86243     1982      D. Slowinski
110503   1988      W.N. Colquitt, L. Welsch        | 132049    1983      D. Slowinski
216091   1985      D. Slowinski                    | 756839    1992      D. Slowinski, P. Gage
859433   1993      D. Slowinski                    | 1257787   1996      Slowinski and Gage
1398269  1996      Armengaud, Woltman et al.       | 2976221   1997      Spence, Woltman et al.
3021377  1998      Clarkson et al.                 | 6972593   1999      Hajratwala et al.
13466917 2001      Cameron, Woltman                | 20996011  2003      Michael Shafer
24036583 2004      Findlay                         | 25964951  2005      Nowak
30402457 2005      Cooper, Boone et al.            | 32582657  2006      Cooper, Boone et al.
37156667 9/8/2008                                  | 43112609  8/8/2008

The most recently discovered Mersenne primes M_37156667 and M_43112609 have about 11.1 million and 12.9 million digits and are the largest known primes.

Appendix: Wilson’s theorem

Theorem 6.4 (Wilson). If p is prime, then (p − 1)! ≡ −1 mod p.

Proof. Since the statement is trivially true for p = 2, we shall assume p an odd prime. Consider the product of all the nonzero elements of Z_p. This is clearly 1 · 2 · · · (p − 1) = (p − 1)!. Apart from x = ±1, the remaining p − 3 elements can be grouped into pairs of multiplicative inverses. Since each pair of multiplicative inverses multiply to 1, we have

$(p-1)! = 1 \cdot (-1) \cdot 1^{\frac{p-3}{2}} = -1 \in \mathbb{Z}_p.$

This means (p − 1)! ≡ −1 mod p.

Remark. The converse of Wilson's theorem is also true: If n is composite and n = ab for relatively prime divisors a, b > 1, then n = ab divides (n − 1)!, and (n − 1)! ≡ 0 mod n. It remains to consider $n = p^k$ for a prime number p and k > 1.


The base p expansion of $n - 1 = p^k - 1$ consists of k digits each of which is p − 1. Therefore, the exponent of the highest power of p dividing (n − 1)! is

$$\frac{p^k - 1 - k(p-1)}{p-1} = p^{k-1} + p^{k-2} + \cdots + 1 - k \ge k$$

except when p = 2 and k = 2. This means that (n − 1)! ≡ 0 mod n except when p = 2 and k = 2, in which case we have 3! ≡ 2 mod 4.


Chapter 7

Pythagorean Triangles

7.1 Construction of Pythagorean triangles

By a Pythagorean triangle we mean a right triangle whose side lengths are integers. Any common divisor of two of the side lengths is necessarily a divisor of the third. We shall call a Pythagorean triangle primitive if no two of its sides have a common divisor. Let (a, b, c) be one such triangle. From the relation a² + b² = c², we make the following observations.

1. Exactly two of a, b, c are odd, and the third is even.

2. In fact, the even number must be one of a and b. For if c is even, then a and b are both odd. Writing a = 2h + 1 and b = 2k + 1, we have

c² = (2h + 1)² + (2k + 1)² = 4(h² + k² + h + k) + 2.

This is a contradiction since c² must be divisible by 4.

3. We shall assume a odd and b even, and rewrite the Pythagorean relation in the form

$$\frac{c+a}{2} \cdot \frac{c-a}{2} = \left(\frac{b}{2}\right)^2.$$

Note that the integers $\frac{c+a}{2}$ and $\frac{c-a}{2}$ are relatively prime, for any common divisor of these two numbers would be a common divisor of c and a. Consequently, each of $\frac{c+a}{2}$ and $\frac{c-a}{2}$ is a square.

4. Writing $\frac{c+a}{2} = u^2$ and $\frac{c-a}{2} = v^2$, we have c = u² + v² and a = u² − v². From these, b = 2uv.

5. Since c and a are both odd, u and v are of different parity.

We summarize this in the following theorem.

Theorem 7.1. The side lengths of a primitive Pythagorean triangle are of the form u² − v², 2uv, and u² + v² for relatively prime integers u and v of different parity.


7.2 Fermat Last Theorem for n = 4

Theorem 7.2 (Fermat). The area of a Pythagorean triangle cannot be a square.

Proof. Suppose to the contrary there is one such triangle, which we may assume primitive, with side lengths (u² − v², 2uv, u² + v²), u, v being relatively prime of different parity. The area A = uv(u² − v²) being a square, and no two of u, v, u² − v² sharing common divisors, each of these numbers must be a square. We write u = a², v = b² so that $u^2 - v^2 = a^4 - b^4$ is also a square. Since $a^4 - b^4 = (a^2 - b^2)(a^2 + b^2)$ and the two factors are relatively prime, we must have a² − b² = r² and a² + b² = s² for some integers r and s. From these, 2a² = r² + s² and

(2a)² = 2(r² + s²) = (r + s)² + (r − s)².

Thus, we have a new Pythagorean triangle (r − s, r + s, 2a). This is a Pythagorean triangle whose area is the square of an integer:

$$\frac{1}{2}(r - s)(r + s) = \frac{1}{2}(r^2 - s^2) = b^2.$$

But it is a smaller triangle since b² = v is a proper divisor of A = uv(u² − v²). By descent, beginning with one Pythagorean triangle with square area, we obtain an infinite sequence of Pythagorean triangles with decreasing areas, each of which is a square integer; a contradiction.

Corollary 7.3 (Fermat Last Theorem for n = 4). The equation $x^4 + y^4 = z^4$ does not have solutions in nonzero integers.

Proof. Suppose $x^4 + y^4 = z^4$ for positive integers x, y, z. The Pythagorean triangle with sides $z^4 - y^4$, $2z^2y^2$ and $z^4 + y^4$ has a square area

$$z^2 y^2 (z^4 - y^4) = z^2 y^2 x^4 = (x^2 y z)^2,$$

a contradiction.

Remark. This proof actually shows that the equation $x^2 + y^4 = z^4$ has no solution in nonzero integers.

7.3 Fermat's construction of primitive Pythagorean triangles with consecutive legs

Let a, b, c be the lengths of the sides of a right triangle, c the hypotenuse. Figures (a) and (b) below, together with the Pythagorean theorem, give the following two relations

(a + b − c)² = 2(c − a)(c − b), (7.1)

(a + b + c)² = 2(c + a)(c + b). (7.2)


[Figures: (a) a, b, c from c − a and c − b; (b) a, b, c from c + a and c + b.]

Beginning with a right triangle (a, b, c), we construct a new right triangle (a′, b′, c′) with c′ − a′ = c + b and c′ − b′ = c + a. By a comparison of (7.1) and (7.2), we have a′ + b′ − c′ = a + b + c. From these,

a′ = 2a + b + 2c,
b′ = a + 2b + 2c,
c′ = 2a + 2b + 3c.

Note that b′ − a′ = b − a. This construction therefore leads to an infinite sequence of integer right triangles with constant difference of legs. In particular, beginning with (3, 4, 5), we obtain the sequence

(3, 4, 5), (20, 21, 29), (119, 120, 169), (696, 697, 985), . . .

of Pythagorean triangles with legs differing by 1.

This construction gives all such Pythagorean triangles. Note that the above construction is invertible: from a right triangle (a′, b′, c′) one can construct a smaller one (a, b, c) with the same difference between the legs. More precisely,

a = 2a′ + b′ − 2c′,
b = a′ + 2b′ − 2c′, (7.3)
c = −2a′ − 2b′ + 3c′.

Since a + b + c = a′ + b′ − c′ < a′ + b′ + c′, this inverse construction does yield a smaller triangle. However, it certainly cannot lead to a strictly decreasing sequence of integer right triangles. Now, a = 2a′ + b′ − 2c′ must be a positive integer. Using the Pythagorean theorem, it is easy to deduce from 2a′ + b′ > 2c′ that 4a′ > 3b′, or a′ > 3(b′ − a′). This means that from every Pythagorean triangle with legs differing by 1, there is a descent, by repeated applications of (7.3), to a minimal integer right triangle with shortest side not exceeding 3. It is clear that there is only one such triangle, namely, (3, 4, 5). This therefore shows that the above construction actually gives all Pythagorean triangles with consecutive legs.
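Theorem 7.1 and the construction of §7.3 as an added Python example (not the notes' own code): primitive triples from (u, v), Fermat's recurrence run forward from (3, 4, 5), and the descent (7.3) run back down to it.

```python
from math import gcd


def primitive_triple(u, v):
    """Theorem 7.1: (u^2 - v^2, 2uv, u^2 + v^2) for coprime u > v > 0 of different parity."""
    if not (u > v > 0 and gcd(u, v) == 1 and (u - v) % 2 == 1):
        raise ValueError("need coprime u > v > 0 of different parity")
    return (u * u - v * v, 2 * u * v, u * u + v * v)


def is_primitive_pythagorean(a, b, c):
    """a^2 + b^2 = c^2 with no common divisor of the three sides."""
    return a * a + b * b == c * c and gcd(gcd(a, b), c) == 1


def fermat_step(a, b, c):
    """Forward construction of Section 7.3; it keeps the leg difference b - a."""
    return (2 * a + b + 2 * c, a + 2 * b + 2 * c, 2 * a + 2 * b + 3 * c)


def fermat_descent(a, b, c):
    """The inverse (7.3): a smaller triangle with the same leg difference."""
    return (2 * a + b - 2 * c, a + 2 * b - 2 * c, -2 * a - 2 * b + 3 * c)


def consecutive_leg_triangles(count):
    """The first `count` Pythagorean triangles with legs differing by 1, from (3, 4, 5)."""
    t = (3, 4, 5)
    out = [t]
    while len(out) < count:
        t = fermat_step(*t)
        out.append(t)
    return out


def descend_to_minimal(t):
    """Apply (7.3) until the shortest side is at most 3; the text shows this ends at (3, 4, 5)."""
    while t[0] > 3:
        t = fermat_descent(*t)
    return t


if __name__ == "__main__":
    print(primitive_triple(12, 5))             # (119, 120, 169), entry (12, 5) of the appendix table
    print(consecutive_leg_triangles(4))        # [(3, 4, 5), (20, 21, 29), (119, 120, 169), (696, 697, 985)]
    print(descend_to_minimal((696, 697, 985))) # (3, 4, 5)
```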

Page 32: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,

7.3 Fermat’s construction of primitive Pythagorean triangles with consecutivelegs 205

Appendix: Primitive Pythagorean triples < 1000

(m, n): a, b, c      | (m, n): a, b, c      | (m, n): a, b, c      | (m, n): a, b, c
(2, 1): 3, 4, 5      | (3, 2): 5, 12, 13    | (4, 1): 15, 8, 17    | (4, 3): 7, 24, 25
(5, 2): 21, 20, 29   | (5, 4): 9, 40, 41    | (6, 1): 35, 12, 37   | (6, 5): 11, 60, 61
(7, 2): 45, 28, 53   | (7, 4): 33, 56, 65   | (7, 6): 13, 84, 85   | (8, 1): 63, 16, 65
(8, 3): 55, 48, 73   | (8, 5): 39, 80, 89   | (8, 7): 15, 112, 113 | (9, 2): 77, 36, 85
(9, 4): 65, 72, 97   | (9, 8): 17, 144, 145 | (10, 1): 99, 20, 101 | (10, 3): 91, 60, 109
(10, 7): 51, 140, 149 | (10, 9): 19, 180, 181 | (11, 2): 117, 44, 125 | (11, 4): 105, 88, 137
(11, 6): 85, 132, 157 | (11, 8): 57, 176, 185 | (11, 10): 21, 220, 221 | (12, 1): 143, 24, 145
(12, 5): 119, 120, 169 | (12, 7): 95, 168, 193 | (12, 11): 23, 264, 265 | (13, 2): 165, 52, 173
(13, 4): 153, 104, 185 | (13, 6): 133, 156, 205 | (13, 8): 105, 208, 233 | (13, 10): 69, 260, 269
(13, 12): 25, 312, 313 | (14, 1): 195, 28, 197 | (14, 3): 187, 84, 205 | (14, 5): 171, 140, 221
(14, 9): 115, 252, 277 | (14, 11): 75, 308, 317 | (14, 13): 27, 364, 365 | (15, 2): 221, 60, 229
(15, 4): 209, 120, 241 | (15, 8): 161, 240, 289 | (15, 14): 29, 420, 421 | (16, 1): 255, 32, 257
(16, 3): 247, 96, 265 | (16, 5): 231, 160, 281 | (16, 7): 207, 224, 305 | (16, 9): 175, 288, 337
(16, 11): 135, 352, 377 | (16, 13): 87, 416, 425 | (16, 15): 31, 480, 481 | (17, 2): 285, 68, 293
(17, 4): 273, 136, 305 | (17, 6): 253, 204, 325 | (17, 8): 225, 272, 353 | (17, 10): 189, 340, 389
(17, 12): 145, 408, 433 | (17, 14): 93, 476, 485 | (17, 16): 33, 544, 545 | (18, 1): 323, 36, 325
(18, 5): 299, 180, 349 | (18, 7): 275, 252, 373 | (18, 11): 203, 396, 445 | (18, 13): 155, 468, 493
(18, 17): 35, 612, 613 | (19, 2): 357, 76, 365 | (19, 4): 345, 152, 377 | (19, 6): 325, 228, 397
(19, 8): 297, 304, 425 | (19, 10): 261, 380, 461 | (19, 12): 217, 456, 505 | (19, 14): 165, 532, 557
(19, 16): 105, 608, 617 | (19, 18): 37, 684, 685 | (20, 1): 399, 40, 401 | (20, 3): 391, 120, 409
(20, 7): 351, 280, 449 | (20, 9): 319, 360, 481 | (20, 11): 279, 440, 521 | (20, 13): 231, 520, 569
(20, 17): 111, 680, 689 | (20, 19): 39, 760, 761 | (21, 2): 437, 84, 445 | (21, 4): 425, 168, 457
(21, 8): 377, 336, 505 | (21, 10): 341, 420, 541 | (21, 16): 185, 672, 697 | (21, 20): 41, 840, 841
(22, 1): 483, 44, 485 | (22, 3): 475, 132, 493 | (22, 5): 459, 220, 509 | (22, 7): 435, 308, 533
(22, 9): 403, 396, 565 | (22, 13): 315, 572, 653 | (22, 15): 259, 660, 709 | (22, 17): 195, 748, 773
(22, 19): 123, 836, 845 | (22, 21): 43, 924, 925 | (23, 2): 525, 92, 533 | (23, 4): 513, 184, 545
(23, 6): 493, 276, 565 | (23, 8): 465, 368, 593 | (23, 10): 429, 460, 629 | (23, 12): 385, 552, 673
(23, 14): 333, 644, 725 | (23, 16): 273, 736, 785 | (23, 18): 205, 828, 853 | (23, 20): 129, 920, 929
(24, 1): 575, 48, 577 | (24, 5): 551, 240, 601 | (24, 7): 527, 336, 625 | (24, 11): 455, 528, 697
(24, 13): 407, 624, 745 | (24, 17): 287, 816, 865 | (24, 19): 215, 912, 937 | (25, 2): 621, 100, 629
(25, 4): 609, 200, 641 | (25, 6): 589, 300, 661 | (25, 8): 561, 400, 689 | (25, 12): 481, 600, 769
(25, 14): 429, 700, 821 | (25, 16): 369, 800, 881 | (25, 18): 301, 900, 949 | (26, 1): 675, 52, 677
(26, 3): 667, 156, 685 | (26, 5): 651, 260, 701 | (26, 7): 627, 364, 725 | (26, 9): 595, 468, 757
(26, 11): 555, 572, 797 | (26, 15): 451, 780, 901 | (26, 17): 387, 884, 965 | (27, 2): 725, 108, 733
(27, 4): 713, 216, 745 | (27, 8): 665, 432, 793 | (27, 10): 629, 540, 829 | (27, 14): 533, 756, 925
(27, 16): 473, 864, 985 | (28, 1): 783, 56, 785 | (28, 3): 775, 168, 793 | (28, 5): 759, 280, 809
(28, 9): 703, 504, 865 | (28, 11): 663, 616, 905 | (28, 13): 615, 728, 953 | (29, 2): 837, 116, 845
(29, 4): 825, 232, 857 | (29, 6): 805, 348, 877 | (29, 8): 777, 464, 905 | (29, 10): 741, 580, 941
(29, 12): 697, 696, 985 | (30, 1): 899, 60, 901 | (30, 7): 851, 420, 949 | (31, 2): 957, 124, 965
(31, 4): 945, 248, 977 | (31, 6): 925, 372, 997


Chapter 8

Homogeneous quadratic equations in 3 variables

8.1 Pythagorean triangles revisited

A primitive Pythagorean triangle (a, b, c) corresponds to a point $(x, y) = \left(\frac{a}{c}, \frac{b}{c}\right)$ in the first quadrant on the unit circle

x² + y² = 1.

Every rational point on the unit circle can be expressed in terms of the slope of the line joining the point to a fixed point, say P = (−1, 0) on the circle. Thus, solving the equations

y = t(x + 1),
x² + y² = 1,

simultaneously, we obtain (x, y) = (−1, 0) = P or

$$(x, y) = P(t) = \left(\frac{1 - t^2}{1 + t^2}, \frac{2t}{1 + t^2}\right).$$

This is a point in the first quadrant if and only if 0 < t < 1. By putting $t = \frac{q}{p}$ for relatively prime integers p > q, we obtain $\left(\frac{p^2 - q^2}{p^2 + q^2}, \frac{2pq}{p^2 + q^2}\right)$. It follows that the side lengths of a primitive Pythagorean triangle can be written in the form

$$(a, b, c) = \frac{1}{g}\left(p^2 - q^2, 2pq, p^2 + q^2\right)$$

for suitable choice of p and q. Here,

g = gcd(p² − q², 2pq) = gcd(p² − q², 2) = gcd(p − q, 2).


To avoid repetition of representing a primitive Pythagorean triangle by both (x, y) and (y, x) in the first quadrant, we note that

$$\left(\frac{1 - t^2}{1 + t^2}, \frac{2t}{1 + t^2}\right) = \left(\frac{2s}{1 + s^2}, \frac{1 - s^2}{1 + s^2}\right)$$

if and only if $s = \frac{1 - t}{1 + t}$. Thus, the rational numbers $t = \frac{q}{p}$ and $s = \frac{q'}{p'} = \frac{p - q}{p + q}$ represent the same primitive Pythagorean triangle. Note that gcd(p − q, 2) = 1 if and only if gcd(p′ − q′, 2) = 2. Thus, we may always restrict p and q to be of different parity.

8.2 Rational points on a conic

The method in the preceding section applies to a general (nonsingular) homogeneous equation in 3 variables, or after dehomogenization, to a nonsingular conic in the Cartesian plane. Suppose a nonsingular conic f(x, y) = c contains a rational point P = (x_0, y_0). Then by passing through P lines of rational slope t to intersect the conic again, we obtain a parametrization of the rational points on the curve.

Proposition 8.1. (1) The rational solutions of x² − dy² = 1 can be parametrized in the form

$$(x, y) = \left(\frac{1 + dt^2}{1 - dt^2}, \frac{2t}{1 - dt^2}\right).$$

(2) The positive integer solutions of x² − dy² = z² can be parametrized in the form

$$(x, y, z) = \frac{1}{g}\left(p^2 + dq^2, 2pq, p^2 - dq^2\right),$$

where g = gcd(p² + dq², 2pq, p² − dq²).

8.3 Integer triangles with a 60° angle

If triangle ABC has C = 60°, then

c² = a² − ab + b². (8.1)

Integer triangles with a 60° angle therefore correspond to rational points in the first quadrant on the curve

x² − xy + y² = 1. (8.2)

Note that the curve contains the point P = (−1, −1). By passing a line of rational slope t through P to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation y = −1 + t(x + 1). Solving this simultaneously with (8.2) we obtain (x, y) = (−1, −1) = P, and

$$(x, y) = \left(\frac{2t - 1}{t^2 - t + 1}, \frac{t(2 - t)}{t^2 - t + 1}\right),$$

which is in the first quadrant if $\frac{1}{2} < t \le 2$. By symmetry, we may simply take $\frac{1}{2} < t \le 1$ to avoid repetition. Putting $t = \frac{q}{p}$ for relatively prime integers p, q, and clearing denominators, we obtain

a = p(2q − p),
b = q(2p − q),
c = p² − pq + q²,

with $\frac{p}{2} < q \le p$.

gcd(a, b) = gcd(2pq − p², 2pq − q²)
= gcd((p − q)(p + q), q(2p − q))
= gcd((p − q)(p + q), 2p − q)

since gcd(p − q, q) = gcd(p + q, q) = gcd(p, q) = 1. Now, gcd(p − q, 2p − q) = gcd(p − q, p) = 1 and gcd(p + q, 2p − q) = gcd(p + q, 3p) = gcd(p + q, 3). This gives gcd(a, b) = gcd(p + q, 3).

Proposition 8.2. The primitive integer triangles with a 60° angle are given by

$$\frac{1}{g}\left(p(2q - p),\ q(2p - q),\ p^2 - pq + q^2\right),$$

where p and q are relatively prime positive integers satisfying $\frac{p}{2} < q \le p$ and g = gcd(p + q, 3).

p q (a, b, c)

1 1 (1, 1, 1)

3 2 (3, 8, 7)

4 3 (8, 15, 13)

5 3 (5, 21, 19)

5 4 (5, 8, 7)

6 5 (24, 35, 31)

7 4 (7, 40, 37)

7 5 (7, 15, 13)

7 6 (35, 48, 43)

8 5 (16, 55, 49)

8 7 (16, 21, 19)

9 5 (9, 65, 61)

9 7 (45, 77, 67)

9 8 (63, 80, 73)

10 7 (40, 91, 79)

10 9 (80, 99, 91)


Exercise

A standard calculus exercise asks to cut equal squares of dimension x from the four corners of a rectangle of length a and breadth b so that the box obtained by folding along the creases has a greatest capacity.

[Figure: rectangle of length a and breadth b with a square of side x cut from each corner.]

The answer to this problem is given by

$$x = \frac{a + b - \sqrt{a^2 - ab + b^2}}{6}.$$

How should one choose relatively prime integers a and b so that the resulting x is an integer? For example, when a = 5, b = 8, x = 1. Another example is a = 16, b = 21 with x = 3.

8.4 Integer triangles with a 120° angle

If triangle ABC has C = 120°, then

c² = a² + ab + b². (8.3)

Integer triangles with a 120° angle therefore correspond to rational points in the first quadrant on the curve

x² + xy + y² = 1. (8.4)

Note that the curve contains the point Q = (−1, 0). By passing a line of rational slope t through Q to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation y = t(x + 1). Solving this simultaneously with (8.4) we obtain (x, y) = (−1, 0) = Q, and

$$Q(t) = \left(\frac{1 - t^2}{t^2 + t + 1}, \frac{t(2 + t)}{t^2 + t + 1}\right),$$

which is in the first quadrant if 0 < t < 1. It is easy to check that Q(t) and $Q\left(\frac{1 - t}{1 + 2t}\right)$ are symmetric about the line y = x. To avoid repetition we may restrict to $0 < t < \frac{\sqrt{3} - 1}{2}$.


Putting $t = \frac{q}{p}$ for relatively prime integers p, q satisfying $q < \frac{\sqrt{3} - 1}{2}\,p$, and clearing denominators, we obtain

a = p² − q²,
b = q(2p + q),
c = p² + pq + q²,

with 0 < q < p. Note that

gcd(p² − q², q(2p + q)) = gcd((p + q)(p − q), q(2p + q))
= gcd((p + q)(p − q), 2p + q)
= gcd(p − q, 2p + q)
= gcd(p − q, 3p)
= gcd(p − q, 3).

Proposition 8.3. The primitive integer triangles with a 120° angle are given by

$$\frac{1}{g}\left(p^2 - q^2,\ q(2p + q),\ p^2 + pq + q^2\right),$$

where $q < \left(\frac{\sqrt{3} - 1}{2}\right) p$ are relatively prime positive integers and g = gcd(p − q, 3).

p q (a, b, c)

3 1 (8, 7, 13)

4 1 (5, 3, 7)

5 1 (24, 11, 31)

6 1 (35, 13, 43)

7 1 (16, 5, 19)

7 2 (45, 32, 67)

8 1 (63, 17, 73)

9 1 (80, 19, 91)

9 2 (77, 40, 103)

10 1 (33, 7, 37)

10 3 (91, 69, 139)
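The chord method of §8.2 in general, as an added Python example that is not from the notes: one routine finds the second intersection of a line of rational slope t through a known rational point with any conic A x² + B xy + C y² + D x + E y + F = 0, and it is run on the unit circle, on (8.2), on (8.4) and on x² − 3y² = 1 (Proposition 8.1 with d = 3). One caveat: for the curve (8.2) the chord of slope t through (−1, −1) lands on the mirror image of the point P(t) written above (the curve is symmetric in x and y), so the two legs come out in the opposite order from the table, (3, 8, 7) as (8, 3, 7).

```python
from fractions import Fraction
from math import gcd

# Conic A x^2 + B xy + C y^2 + D x + E y + F = 0 as a 6-tuple, paired with a known
# rational point on it.  These three are the curves of this chapter.
UNIT_CIRCLE = ((1, 0, 1, 0, 0, -1), (-1, 0))    # x^2 + y^2 = 1, P = (-1, 0)
CURVE_60_DEG = ((1, -1, 1, 0, 0, -1), (-1, -1))  # (8.2), P = (-1, -1)
CURVE_120_DEG = ((1, 1, 1, 0, 0, -1), (-1, 0))   # (8.4), Q = (-1, 0)


def second_intersection(conic, point, t):
    """The line of slope t through the rational point `point` meets the conic in one
    further point, which is rational (Section 8.2); return it, or None if the line
    meets the conic only at `point`."""
    A, B, C, D, E, F = conic
    x0, y0 = point
    t = Fraction(t)
    k = y0 - t * x0                              # the line is y = t x + k
    lead = A + B * t + C * t * t                 # x^2 coefficient after substituting
    if lead == 0:
        return None
    linear = B * k + 2 * C * t * k + D + E * t   # x coefficient after substituting
    x1 = -linear / lead - x0                     # Vieta: the roots are x0 and x1
    return (x1, t * x1 + k)


def on_conic(conic, point):
    A, B, C, D, E, F = conic
    x, y = point
    return A * x * x + B * x * y + C * y * y + D * x + E * y + F == 0


def integer_triangle(curve, p, q):
    """With t = q/p the point is (a/c, b/c); clearing denominators gives the
    primitive integer triangle (a, b, c) of the corresponding section."""
    conic, base = curve
    x, y = second_intersection(conic, base, Fraction(q, p))
    if x <= 0 or y <= 0:
        raise ValueError("t = q/p does not give a point in the first quadrant")
    dx, dy = x.denominator, y.denominator
    c = dx * dy // gcd(dx, dy)                   # lcm of the two denominators
    a, b = int(x * c), int(y * c)
    g = gcd(gcd(a, b), c)
    return (a // g, b // g, c // g)


if __name__ == "__main__":
    print(integer_triangle(UNIT_CIRCLE, 12, 5))    # (119, 120, 169)
    print(integer_triangle(CURVE_60_DEG, 3, 2))    # (8, 3, 7): the table's (3, 8, 7) with legs swapped
    print(integer_triangle(CURVE_120_DEG, 4, 1))   # (5, 3, 7)
    print(second_intersection((1, 0, -3, 0, 0, -1), (-1, 0), "1/2"))  # (7, 4): 49 - 3*16 = 1
```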

Exercise

1. (a) Show that a number c is a sum of two consecutive squares if and only if 2c − 1 is a square.
(b) Suppose an integer triangle contains a 120° angle with its two arms differing by 1. Show that the length of the longest side is a sum of two consecutive squares.

2. It is known that the centroid of a triangle of sides a, b, c lies on its incircle if and only if

5(a² + b² + c²) = 6(ab + bc + ca).

Find a parametrization of all such primitive triangles.


Chapter 9

Heron triangles

9.1 The Heron formula

Let ABC be a triangle with side lengths BC = a, CA = b, AB = c, and semiperimeter $s = \frac{1}{2}(a + b + c)$. If the incircle touches the sides BC, CA and AB respectively at X, Y, and Z,

AY = AZ = s − a, BX = BZ = s − b, CX = CY = s − c.

[Figure: triangle ABC with incircle centered at I touching BC, CA, AB at X, Y, Z; the tangent lengths from the vertices are s − a, s − b, s − c.]

The radius r of the incircle and the area △ of the triangle are given by

$$r = \sqrt{\frac{(s-a)(s-b)(s-c)}{s}}, \qquad \triangle = \sqrt{s(s-a)(s-b)(s-c)}.$$

The latter one is the famous Heron formula. Explicitly in terms of a, b, c, it can be written as

$$\triangle^2 = \frac{1}{16}\left(2a^2b^2 + 2b^2c^2 + 2c^2a^2 - a^4 - b^4 - c^4\right). \qquad (9.1)$$

Remark. The inradius of a right triangle is r = s − c.

Exercise

Given a positive integer r, determine all Pythagorean triangles with inradius r.


[Figure: right triangle ABC with its incircle of radius r; the tangent lengths from the vertices are s − a, s − b, s − c.]

First consider the case of primitive Pythagorean triangles. The one with parameters p > q (of different parity) has inradius r = q(p − q). Note that p − q must be odd, and q does not contain any prime divisor of p − q. There are $2^k$ choices of p − q, where k is the number of odd prime divisors of r. In particular, there is only one (primitive) Pythagorean triangle of inradius 1, which is the (3, 4, 5) triangle.

9.2 Heron triangles

A Heron triangle is an integer triangle with integer area. Here are some fundamental facts about Heron triangles.

Proposition 9.1. (1) The semiperimeter of a Heron triangle is an integer. (2) The area of a Heron triangle is a multiple of 6.

Proof. It is enough to consider primitive Heron triangles, those whose sides are relatively prime.

(1) Note that modulo 16, each of $a^4, b^4, c^4$ is congruent to 0 or 1, according as the number is even or odd. To render in (9.1) the sum $2a^2b^2 + 2b^2c^2 + 2c^2a^2 - a^4 - b^4 - c^4 \equiv 0$ modulo 16, exactly two of a, b, c must be odd. It follows that the perimeter of a Heron triangle must be an even number.

(2) Since a, b, c are not all odd nor all even, and s is an integer, at least one of s − a, s − b, s − c is even. This means that △ is even. We claim that at least one of s, s − a, s − b, s − c must be a multiple of 3. If not, then modulo 3, these numbers are +1 or −1. Since s = (s − a) + (s − b) + (s − c), modulo 3, this must be either 1 ≡ 1 + 1 + (−1) or −1 ≡ 1 + (−1) + (−1). In each case the product s(s − a)(s − b)(s − c) ≡ −1 (mod 3) cannot be a square. This justifies the claim that one of s, s − a, s − b, s − c, hence △, must be a multiple of 3.

9.3 Construction of Heron triangles

Let $t_1 = \tan\frac{A}{2}$, $t_2 = \tan\frac{B}{2}$, and $t_3 = \tan\frac{C}{2}$. Since $\frac{A}{2} + \frac{B}{2} + \frac{C}{2} = \frac{\pi}{2}$, we have $t_1 t_2 + t_2 t_3 + t_3 t_1 = 1$. If we construct a triangle with sides $\frac{1}{t_2} + \frac{1}{t_3}$, $\frac{1}{t_3} + \frac{1}{t_1}$, and $\frac{1}{t_1} + \frac{1}{t_2}$, then it has inradius 1 and area

$$\sqrt{\frac{1}{t_1} \cdot \frac{1}{t_2} \cdot \frac{1}{t_3}\left(\frac{1}{t_1} + \frac{1}{t_2} + \frac{1}{t_3}\right)} = \frac{1}{t_1 t_2 t_3}.$$

Writing $t_i = \frac{p_i}{q_i}$ for relatively prime integers $p_i, q_i$, i = 1, 2, 3, and magnifying the triangle by a factor $p_1 p_2 p_3$, we obtain a Heron triangle with sides

$$a = p_1(p_2 q_3 + p_3 q_2), \quad b = p_2(p_3 q_1 + p_1 q_3), \quad c = p_3(p_1 q_2 + p_2 q_1),$$

and area $p_1 p_2 p_3 q_1 q_2 q_3$ and inradius $p_1 p_2 p_3$.

[Figure: the magnified triangle ABC with incircle center I and contact points X, Y, Z; the tangent lengths are p1p2q3, p1q2p3, q1p2p3 and the inradius is p1p2p3.]

Note that these integers satisfy

$$p_1 p_2 q_3 + p_1 q_2 p_3 + q_1 p_2 p_3 = q_1 q_2 q_3,$$

or

$$\frac{p_3}{q_3} = \frac{q_1 q_2 - p_1 p_2}{p_1 q_2 + p_2 q_1}.$$

9.4 Heron triangles with sides in arithmetic progression

Consider a primitive Heron triangle with sides in arithmetic progression. By Proposition 9.1, the sidelengths are $2a-d$, $2a$, $2a+d$ for integers $a$ and $d$. The semiperimeter being $s = 3a$, we require $\sqrt{(3a)(a)(a+d)(a-d)} = \sqrt{3a^2(a^2-d^2)}$ to be an integer. This means

$$a^2 - d^2 = 3b^2 \tag{9.2}$$

for an integer $b$. With $x := \frac{a}{d}$, $y := \frac{b}{d}$, we transform this condition into $x^2 - 3y^2 = 1$. The Heron triangles with sides in arithmetic progression, therefore, correspond to the rational points in the first quadrant on the curve $x^2 - 3y^2 = 1$. Now, such rational points can be parametrized as

$$(x, y) = \left(\frac{1 + 3t^2}{1 - 3t^2}, \frac{2t}{1 - 3t^2}\right), \quad 0 < t < \frac{1}{\sqrt{3}}.$$

The integer solutions of (9.2) are therefore

$$a = p^2 + 3q^2, \quad d = p^2 - 3q^2, \quad b = 2pq$$

for relatively prime $p, q$ satisfying $p^2 > 3q^2$. This gives a Heron triangle $(2a-d, 2a, 2a+d; 3ab)$. In each case, we obtain a primitive Heron triangle by dividing the sidelengths by $g = \gcd(2a, d)$ (and correspondingly $\triangle$ by $g^2$).

Here are the primitive Heron triangles with sides in A.P., generated by taking $p \le 7$:¹

p  q  (a, b, c; △)
2  1  (13, 14, 15; 84)
3  1  (3, 4, 5; 6)
4  1  (25, 38, 51; 456)
5  1  (17, 28, 39; 210)
5  2  (61, 74, 87; 2220)
6  1  (15, 26, 37; 156)
7  1  (29, 52, 75; 546)
7  2  (85, 122, 159; 5124)
7  3  (65, 76, 87; 2394)
7  4  (193, 194, 195; 16296)

Exercise. Is there a Heron triangle whose sides are in geometric progression?
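The construction of Section 9.4, carried out in code so that the table above can be regenerated and each row checked against Heron's formula. This is an added example, not code from the notes; the function names are my own.

```python
from math import gcd, isqrt


def heron_area(a, b, c):
    """Integer area of triangle (a, b, c) from Heron's formula, using
    16 * area^2 = (a+b+c)(-a+b+c)(a-b+c)(a+b-c); None if not a Heron triangle."""
    sixteen_sq = (a + b + c) * (-a + b + c) * (a - b + c) * (a + b - c)
    if sixteen_sq <= 0 or sixteen_sq % 16:
        return None
    area = isqrt(sixteen_sq // 16)
    return area if 16 * area * area == sixteen_sq else None


def ap_heron_triangle(p, q):
    """Primitive Heron triangle (a, b, c, area) with sides in A.P. generated
    by coprime p, q with p^2 > 3q^2: sides 2a-d, 2a, 2a+d with a = p^2 + 3q^2,
    d = p^2 - 3q^2, area 3ab with b = 2pq, reduced by g = gcd(2a, d)
    (and the area by g^2), exactly as in Section 9.4."""
    assert gcd(p, q) == 1 and p * p > 3 * q * q
    a, d, b = p * p + 3 * q * q, p * p - 3 * q * q, 2 * p * q
    g = gcd(2 * a, d)
    sides = ((2 * a - d) // g, (2 * a) // g, (2 * a + d) // g)
    return sides + (3 * a * b // (g * g),)


def ap_heron_table(max_p):
    """Rows (p, q, triangle) for 2 <= p <= max_p, in the order of the notes' table."""
    return [(p, q, ap_heron_triangle(p, q))
            for p in range(2, max_p + 1)
            for q in range(1, p)
            if gcd(p, q) == 1 and p * p > 3 * q * q]
```

Running `ap_heron_table(9)` also produces the (51, 52, 53; 1170) triangle from (p, q) = (9, 5) mentioned in the footnote.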

9.5 Heron triangles with integer inradii

We determine all Heron triangles with a given positive integer $r$ as inradius. This is equivalent to the solution of

$$uvw = r^2(u + v + w) \tag{9.3}$$

in positive integers $u, v, w$. We shall assume $u \ge v \ge w$ (so that $A \le B \le C$). The Heron triangle in question has sides $a = v + w$, $b = w + u$, and $c = u + v$. We shall distinguish between three cases. In each case, we find appropriate bounds for $v$ and $w$ to determine if the corresponding $u$ is an integer.

¹ Note that some of these Heron triangles have consecutive integers as sidelengths, namely $(3, 4, 5; 6)$, $(13, 14, 15; 84)$, and $(193, 194, 195; 16296)$. These correspond to $d = 1$. We shall treat this case in detail when we study the Pell equation. There is one such "small" triangle missing from the table, corresponding to $(p, q) = (9, 5)$.


Proposition 9.2. (1) For obtuse Heron triangles with given inradius $r$, it is enough to check if

$$u = \frac{r^2(v + w)}{vw - r^2} \tag{9.4}$$

is an integer for $w < r$ and $\frac{r^2}{w} < v < \frac{r(r + \sqrt{r^2 + w^2})}{w}$.

(2) For acute Heron triangles with given inradius $r$, it is enough to check if $u$ given by (9.4) is an integer for $w < \sqrt{3}\,r$ and $w \le v \le (\sqrt{2} + 1)r$.

(3) For Pythagorean triangles with given inradius $r$, it is enough to check if $u = \frac{r(v + r)}{v - r}$ is an integer for $r < v < (\sqrt{2} + 1)r$.

Proof. The expression (9.4) follows easily from (9.3).

(1) Since $\frac{C}{2} \ge \frac{\pi}{4}$, $w < r$. Clearly $vw - r^2 > 0$. From $u = \frac{r^2(v + w)}{vw - r^2} \ge v$, we have, after clearing the denominator, $wv^2 - 2r^2v - r^2w < 0$. Hence, $\frac{r^2}{w} < v < \frac{r(r + \sqrt{r^2 + w^2})}{w}$.

(2) If the triangle is acute angled, all $u, v, w$ are greater than $r$. Since $\frac{C}{2} > \frac{\pi}{6}$, $\frac{r}{w} > \tan\frac{\pi}{6} = \frac{1}{\sqrt{3}}$, we have $w < \sqrt{3}\,r$. Also, $\frac{B}{2} > \frac{\pi}{8}$. This means $\frac{r}{v} > \frac{1}{\sqrt{2} + 1}$ and $v < (\sqrt{2} + 1)r$.

(3) In the Pythagorean case, $r = w$, so that (9.3) becomes $uv = r(u + v + r)$, and $u = \frac{r(v + r)}{v - r} \ge v$. By clearing the denominator, $r(v + r) \le v(v - r)$, $v^2 - 2rv - r^2 \le 0$, $(v - r)^2 \le 2r^2$, $v < (\sqrt{2} + 1)r$.

Example 9.1. A Heron triangle is said to be perfect if its area is numerically equal to its perimeter. Equivalently, a perfect Heron triangle has inradius 2. Using Proposition 9.2 above,

(i) for obtuse triangles, we need only check $w = 1$, and $4 < v \le 8$. For $v = 5, 6, 8$, the corresponding $u$ is an integer. These give three obtuse Heron triangles.

w  v  u   (a, b, c; △)
1  5  24  (6, 25, 29; 60)
1  6  14  (7, 15, 20; 42)
1  8  9   (9, 10, 17; 36)

(ii) There is no acute Heron triangle with inradius 2. We need only check $w = 3$ and $v = 3, 4$.

(iii) The only Pythagorean triangles with inradius 2 are $(6, 8, 10; 24)$ and $(5, 12, 13; 30)$.
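The search of Proposition 9.2, implemented as an added example (not the notes' own code) that reproduces Example 9.1 for $r = 2$ and runs for any inradius. The irrational bounds are tested with the equivalent integer inequalities noted in the comments; function names are my own.

```python
def _triangle(u, v, w, r):
    """Sides a = v+w, b = w+u, c = u+v and area r*s with s = u+v+w (Section 9.5)."""
    return (v + w, w + u, u + v, r * (u + v + w))


def _u_from(v, w, r):
    """u = r^2 (v+w) / (vw - r^2) from (9.4), or None if not a positive integer."""
    num, den = r * r * (v + w), v * w - r * r
    if den <= 0 or num % den:
        return None
    return num // den


def heron_with_inradius(r):
    """All Heron triangles with inradius r as three lists (obtuse, acute,
    Pythagorean) of (a, b, c, area), searched within the bounds of
    Proposition 9.2.  The bounds are tested with integers only:
      v < r(r + sqrt(r^2+w^2))/w  <=>  (vw - r^2)^2 < r^2 (r^2 + w^2),
      w < sqrt(3) r               <=>  w^2 < 3 r^2,
      v <= (sqrt(2)+1) r          <=>  (v - r)^2 <= 2 r^2  (for v >= r)."""
    obtuse, acute, right = [], [], []
    # (1) obtuse: w < r and r^2/w < v < r(r + sqrt(r^2 + w^2))/w
    for w in range(1, r):
        v = r * r // w + 1
        while (v * w - r * r) ** 2 < r * r * (r * r + w * w):
            u = _u_from(v, w, r)
            if u is not None and u >= v:
                obtuse.append(_triangle(u, v, w, r))
            v += 1
    # (2) acute: r < w < sqrt(3) r and w <= v <= (sqrt(2) + 1) r
    w = r + 1
    while w * w < 3 * r * r:
        v = w
        while (v - r) ** 2 <= 2 * r * r:
            u = _u_from(v, w, r)
            if u is not None and u >= v:
                acute.append(_triangle(u, v, w, r))
            v += 1
        w += 1
    # (3) Pythagorean: w = r and r < v < (sqrt(2) + 1) r, u = r(v+r)/(v-r)
    v = r + 1
    while (v - r) ** 2 < 2 * r * r:
        if (r * (v + r)) % (v - r) == 0:
            u = r * (v + r) // (v - r)
            if u >= v:
                right.append(_triangle(u, v, r, r))
        v += 1
    return obtuse, acute, right


def is_heron(a, b, c, area):
    """Check 16 * area^2 = (a+b+c)(-a+b+c)(a-b+c)(a+b-c)."""
    return 16 * area * area == (a + b + c) * (-a + b + c) * (a - b + c) * (a + b - c)
```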


Chapter 10

Genealogy of Pythagorean triangles

10.1 Two ternary trees of rational numbers

Consider the rational numbers in the open interval $(0, 1)$. Each of these is uniquely in the form $\frac{q}{p}$, for relatively prime positive integers $p > q$. We call $p + q$ the height of the rational number.

The rational numbers in $(0, 1)$ with odd heights can be arranged in a ternary tree with root $\frac12$, as follows. For a rational number $t$ of odd height, the numbers $\frac{1}{2-t}$, $\frac{1}{2+t}$, and $\frac{t}{1+2t}$ are also in $(0, 1)$ and have odd heights. We call these the descendants of $t$ and label them the left (L), middle (M), and right (R) respectively. If we write $t = \frac{q}{p}$, then these three descendants are $\frac{p}{2p-q}$, $\frac{p}{2p+q}$ and $\frac{q}{p+2q}$, and have greater heights. Thus, the rational number $\frac12$ has left descendant $\frac23$, middle descendant $\frac25$, and right descendant $\frac14$.

[Figure: graphs of $s = \frac{1}{2-t}$, $s = \frac{1}{2+t}$ and $s = \frac{t}{1+2t}$ for $0 < t < 1$.]

On the other hand, each rational number $s \in (0, 1) \setminus \{\frac13, \frac12\}$ with odd height is the descendant of a unique rational number $t$, which we call its parent. In fact, $s = \frac{n}{m}$ is

(i) the left descendant of $2 - \frac{1}{s} = \frac{2n - m}{n}$ if $\frac12 < s < 1$,

(ii) the middle descendant of $\frac{1}{s} - 2 = \frac{m - 2n}{n}$ if $\frac13 < s < \frac12$, and

(iii) the right descendant of $\frac{s}{1 - 2s} = \frac{n}{m - 2n}$ if $0 < s < \frac13$.

Thus, every rational number in $(0, 1)$ of odd height is in the ternary tree with root $\frac12$:

Level 0:  1/2
Level 1:  2/3, 2/5, 1/4
Level 2:  3/4, 3/8, 2/7, 5/8, 5/12, 2/9, 4/7, 4/9, 1/6

The same applies to rational numbers with even heights. They constitute a ternary tree with root $\frac13$:

Level 0:  1/3
Level 1:  3/5, 3/7, 1/5
Level 2:  5/7, 5/13, 3/11, 7/11, 7/17, 3/13, 5/9, 5/11, 1/7

Therefore, each rational parameter $s \in (0, 1) \setminus \{\frac13, \frac12\}$ has a unique "genealogy sequence" tracing back to the root $\frac12$ (or $\frac13$, for even heights). For example,

$$\frac{23}{36} \xleftarrow{L} \frac{10}{23} \xleftarrow{M} \frac{3}{10} \xleftarrow{R} \frac{3}{4} \xleftarrow{L} \frac{2}{3} \xleftarrow{L} \frac{1}{2}.$$

Consider one of these ternary trees. If we "flatten" the entire tree by listing the vertices in order, beginning with the "root", going down through each level from left to right, what is the position of a vertex with a known genealogy sequence?


Suppose this genealogy sequence has $k$ terms, i.e., the vertex is $k$ levels below the root. Convert it into an integer $N$ in base 3 expansion by

$$L \to 0, \quad M \to 1, \quad R \to 2$$

respectively. Then the position of the vertex in the list is $\frac12(3^k + 1) + N$. For example, the rational number $\frac{23}{36}$ is in position $\frac12(3^5 + 1) + 01200_3 = 122 + 45 = 167$, with a genealogy sequence

$$\frac{23}{36} \xleftarrow{L} \frac{10}{23} \xleftarrow{M} \frac{3}{10} \xleftarrow{R} \frac{3}{4} \xleftarrow{L} \frac{2}{3} \xleftarrow{L} \frac{1}{2}.$$

Exercise

(1) What is the 1000-th vertex in this list from the ternary tree of rational numbers of odd heights, and what is its genealogy sequence?

$$\frac{40}{169} \xleftarrow{R} \frac{40}{89} \xleftarrow{M} \frac{9}{40} \xleftarrow{R} \frac{9}{22} \xleftarrow{M} \frac{4}{9} \xleftarrow{M} \frac{1}{4} \xleftarrow{R} \frac{1}{2}.$$

(2) Show that the rational numbers $t$ and $\frac{1-t}{1+t}$ belong to different ternary trees. How are their genealogy sequences related?

10.2 Genealogy of Pythagorean triangles

The ternary trees in the preceding sections can be translated into a genealogy of Pythagorean triangles. A Pythagorean triangle (or its similarity class) is generated by a positive rational number $t = \frac{q}{p}$ of odd height. The tree with root $\frac12$ translates into

Level 0:  (3, 4, 5)
Level 1:  (5, 12, 13), (21, 20, 29), (15, 8, 17)
Level 2:  (7, 24, 25), (55, 48, 73), (45, 28, 53), (39, 80, 89), (119, 120, 169), (77, 36, 85), (33, 56, 65), (65, 72, 97), (35, 12, 37)

We find the descendants of a Pythagorean triangle $(a, b, c)$ in terms of the sides

$$a = p^2 - q^2, \quad b = 2pq, \quad c = p^2 + q^2.$$

The left descendant is generated by $\frac{p}{2p-q}$ and has sides

$$\begin{aligned}
a_l &= (2p-q)^2 - p^2 = 3p^2 - 4pq + q^2 = a - 2b + 2c, \\
b_l &= 2(2p-q)p = 4p^2 - 2pq = 2a - b + 2c, \\
c_l &= (2p-q)^2 + p^2 = 5p^2 - 4pq + q^2 = 2a - 2b + 3c.
\end{aligned}$$

The middle descendant is generated by $\frac{p}{2p+q}$ and has sides

$$\begin{aligned}
a_m &= (2p+q)^2 - p^2 = 3p^2 + 4pq + q^2 = a + 2b + 2c, \\
b_m &= 2(2p+q)p = 4p^2 + 2pq = 2a + b + 2c, \\
c_m &= (2p+q)^2 + p^2 = 5p^2 + 4pq + q^2 = 2a + 2b + 3c.
\end{aligned}$$

The right descendant is generated by $\frac{q}{p+2q}$ and has sides

$$\begin{aligned}
a_r &= (p+2q)^2 - q^2 = p^2 + 4pq + 3q^2 = -a + 2b + 2c, \\
b_r &= 2(p+2q)q = 2pq + 4q^2 = -2a + b + 2c, \\
c_r &= (p+2q)^2 + q^2 = p^2 + 4pq + 5q^2 = -2a + 2b + 3c.
\end{aligned}$$

Depending on the value of $\frac{q}{p}$, the parent of $(a, b, c)$ is generated by one of the fractions $\frac{2q-p}{q}$, $\frac{p-2q}{q}$, and $\frac{q}{p-2q}$. Since these fractions have the same numerator and denominators, up to permutation and change of signs, they all generate the Pythagorean triangle

$$\begin{aligned}
a' &= |q^2 - (2q-p)^2| = |-p^2 + 4pq - 3q^2| = |a + 2b - 2c|, \\
b' &= |2q(2q-p)| = |-2pq + 4q^2| = |2a + b - 2c|, \\
c' &= q^2 + (2q-p)^2 = p^2 - 4pq + 5q^2 = -2a - 2b + 3c.
\end{aligned}$$
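The genealogy of Sections 10.1 and 10.2 in one piece of added code (not the notes' own): the parent and descendant maps on rationals, the genealogy sequence and its position formula (with the base-3 digits taken in the order the sequence is written, as in the worked example for 23/36), and the translation to Pythagorean triples, where the linear side formulas above are checked against the rational maps. Function names are my own.

```python
from fractions import Fraction

HALF, THIRD = Fraction(1, 2), Fraction(1, 3)  # roots of the odd- and even-height trees


def rational(q, p):
    return Fraction(q, p)


def pair(t):
    """(numerator, denominator) of a Fraction, for easy comparison."""
    return (t.numerator, t.denominator)


def descendants(t):
    """Left, middle, right descendants of t: 1/(2-t), 1/(2+t), t/(1+2t)."""
    return {"L": 1 / (2 - t), "M": 1 / (2 + t), "R": t / (1 + 2 * t)}


def parent(s):
    """(label, parent) of s in (0,1) other than the roots, by Section 10.1 (i)-(iii)."""
    if s > HALF:
        return "L", 2 - 1 / s
    if s > THIRD:
        return "M", 1 / s - 2
    return "R", s / (1 - 2 * s)


def genealogy(s):
    """Genealogy sequence of s, written from s back to its root, e.g. 'LMRLL'."""
    labels = []
    while s not in (HALF, THIRD):
        label, s = parent(s)
        labels.append(label)
    return "".join(labels)


def position(seq):
    """Position (3^k + 1)/2 + N of a vertex with genealogy sequence seq, where N
    is the base-3 number with digits L=0, M=1, R=2 read in the order the
    sequence is written (so 'LMRLL' gives 01200_3 = 45 and position 167)."""
    n = 0
    for label in seq:
        n = 3 * n + "LMR".index(label)
    return (3 ** len(seq) + 1) // 2 + n


def vertex_at(pos, root=HALF):
    """Inverse of position(): the rational at position pos in the tree of root."""
    k = 0
    while (3 ** (k + 1) + 1) // 2 <= pos:
        k += 1
    n = pos - (3 ** k + 1) // 2
    path = []  # labels from the root down to the vertex (the sequence reversed)
    for _ in range(k):
        n, digit = divmod(n, 3)
        path.append("LMR"[digit])
    t = root
    for label in path:
        t = descendants(t)[label]
    return t


def triple(t):
    """Pythagorean triple (p^2 - q^2, 2pq, p^2 + q^2) generated by t = q/p."""
    q, p = t.numerator, t.denominator
    return (p * p - q * q, 2 * p * q, p * p + q * q)


def triple_descendants(a, b, c):
    """Left, middle, right descendants of (a, b, c) by the side formulas of Section 10.2."""
    return {
        "L": (a - 2 * b + 2 * c, 2 * a - b + 2 * c, 2 * a - 2 * b + 3 * c),
        "M": (a + 2 * b + 2 * c, 2 * a + b + 2 * c, 2 * a + 2 * b + 3 * c),
        "R": (-a + 2 * b + 2 * c, -2 * a + b + 2 * c, -2 * a + 2 * b + 3 * c),
    }


def triple_parent(a, b, c):
    """Parent (a', b', c') = (|a+2b-2c|, |2a+b-2c|, -2a-2b+3c)."""
    return (abs(a + 2 * b - 2 * c), abs(2 * a + b - 2 * c), -2 * a - 2 * b + 3 * c)


def tree_level(k, root=HALF):
    """Level k of the tree with the given root, left to right, as Pythagorean triples."""
    level = [root]
    for _ in range(k):
        level = [descendants(t)[label] for t in level for label in "LMR"]
    return [triple(t) for t in level]
```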

Consider a right triangle $ABC$ with vertices $A = (0, b)$, $B = (a, 0)$, and $C = (0, 0)$, with semiperimeter $s = \frac12(a + b + c)$. The incenter and the excenters are the points

$$I = (s-c, s-c), \quad I_a = (s-b, -(s-b)), \quad I_b = (-(s-a), s-a), \quad I_c = (s, s).$$

The circles with these centers and respective radii $r = s-c$, $r_a = s-b$, $r_b = s-a$, and $r_c = s$ are tangent to the sidelines of the triangle. According to the famous Feuerbach theorem, each of these circles is tangent to the nine-point circle, which is the circle passing through the midpoints of the three sides. This circle has center $N = \left(\frac{a}{4}, \frac{b}{4}\right)$ and radius $\frac{c}{4}$. The following theorem gives a nice geometric interpretation of the genealogy of Pythagorean triangles.


Theorem 10.1. The right triangles with hypotenuses $NI_a$, $NI_b$, $NI_c$ and sides parallel to $BC$ and $AC$ are similar to the descendants of $ABC$. The one with hypotenuse $NI$ (and sides parallel to $BC$ and $AC$) is similar to the parent of $ABC$.

Proof. The following table shows the sidelengths of the right triangles involved, each magnified by a factor 4:

        horizontal      vertical        hypotenuse
NI      |a + 2b − 2c|   |2a + b − 2c|   −2a − 2b + 3c   parent
NI_a    a − 2b + 2c     2a − b + 2c     2a − 2b + 3c    left
NI_b    −a + 2b + 2c    −2a + b + 2c    −2a + 2b + 3c   right
NI_c    a + 2b + 2c     2a + b + 2c     2a + 2b + 3c    middle

[Figure: the right triangle $ABC$ with its incenter $I$, excenters $I_a$, $I_b$, $I_c$, and nine-point center $N$.]


Chapter 11

Polygonal numbers

11.1 The polygonal numbers $P_{k,n}$

The $n$-th triangular number is

$$T_n = 1 + 2 + 3 + \cdots + n = \frac12 n(n + 1).$$

The first few of these are $1, 3, 6, 10, 15, 21, 28, 36, 45, 55, \ldots$.

The pentagonal numbers are the sums of the arithmetic progression

$$1 + 4 + 7 + \cdots + (3n - 2) + \cdots$$

The $n$-th pentagonal number is $P_n = \frac12 n(3n - 1)$. Here are the beginning ones:

$$1, 5, 12, 22, 35, 51, 70, 92, 117, 145, \ldots$$

More generally, for a fixed $k$, the $k$-gonal numbers are the sums of the arithmetic progression $1 + (k - 1) + (2k - 3) + \cdots$. The $n$th $k$-gonal number is

$$P_{k,n} = \frac12 n((k - 2)n - (k - 4)).$$


11.2 The equation $P_{k,a} + P_{k,b} = P_{k,c}$

By a $k$-gonal triple, we mean a triple of positive integers $(a, b, c)$ satisfying

$$P_{k,a} + P_{k,b} = P_{k,c}. \tag{11.1}$$

A 4-gonal triple is simply a Pythagorean triple satisfying $a^2 + b^2 = c^2$. We shall assume in the present chapter that $k \ne 4$. By completing squares, we rewrite (11.1) as

$$[2(k-2)a - (k-4)]^2 + [2(k-2)b - (k-4)]^2 = [2(k-2)c - (k-4)]^2 + (k-4)^2, \tag{11.2}$$

and note, by dividing throughout by $(k-4)^2$, that this determines a rational point on the surface $S$:

$$x^2 + y^2 = z^2 + 1, \tag{11.3}$$

namely,

$$P(k; a, b, c) := (ga - 1, gb - 1, gc - 1), \tag{11.4}$$

where $g = \frac{2(k-2)}{k-4}$. This is always an integer point for $k = 3, 5, 6, 8$, with corresponding $g = -2, 6, 4, 3$. For $k = 3$ (triangular numbers), we shall change signs, and consider instead the point

$$P'(3; a, b, c) := (2a + 1, 2b + 1, 2c + 1). \tag{11.5}$$

The coordinates of $P'(3; a, b, c)$ are all odd integers exceeding 1.

11.3 Double ruling of $S$

The surface $S$, being the surface of revolution of a rectangular hyperbola about its conjugate axis, is a rectangular hyperboloid of one sheet. It has a double ruling, i.e., through each point on the surface, there are two straight lines lying entirely on the surface.

Let $P(x_0, y_0, z_0)$ be a point on the surface $S$. A line $\ell$ through $P$ with direction numbers $p : q : r$ has parametrization

$$\ell : x = x_0 + pt, \quad y = y_0 + qt, \quad z = z_0 + rt.$$


Substitution of these expressions into (11.3) shows that the line $\ell$ is entirely contained in the surface $S$ if and only if

$$px_0 + qy_0 = rz_0, \tag{11.6}$$

$$p^2 + q^2 = r^2. \tag{11.7}$$

It follows that

$$\begin{aligned}
r^2 &= r^2(x_0^2 + y_0^2 - z_0^2) \\
&= r^2(x_0^2 + y_0^2) - (px_0 + qy_0)^2 \\
&= (p^2 + q^2)(x_0^2 + y_0^2) - (px_0 + qy_0)^2 \\
&= (qx_0 - py_0)^2.
\end{aligned}$$

This means

$$qx_0 - py_0 = \epsilon r, \quad \epsilon = \pm 1. \tag{11.8}$$

Solving equations (11.6) and (11.8), we determine the direction numbers of the line. We summarize this in the following proposition.

Proposition 11.1. The two lines lying entirely on the hyperboloid $S : x^2 + y^2 = z^2 + 1$ and passing through $P(x_0, y_0, z_0)$ have direction numbers

$$x_0z_0 - \epsilon y_0 : y_0z_0 + \epsilon x_0 : x_0^2 + y_0^2$$

for $\epsilon = \pm 1$.

In particular, if $P$ is a rational point, these direction numbers are rational.

11.4 Primitive Pythagorean triple associated with a $k$-gonal triple

Let $P$ be the rational point determined by a $k$-gonal triple $(a, b, c)$, as given by (11.4), for $k \ge 5$ and (11.5) for $k = 3$ (triangular numbers). We first note that the coordinates of $P$ all exceed 1. This is clear for $k = 3$, and for $k \ge 5$, it follows from the fact that $g = \frac{2(k-2)}{k-4} > 2$. The direction numbers of the ruling lines on $S$ through the point $P$, as given in Proposition 11.1, are all positive. In view of (11.7), we may therefore choose a primitive Pythagorean triple $(p, q, r)$ for these direction numbers. As is well known, every such triple is given by

$$p = m^2 - n^2, \quad q = 2mn, \quad r = m^2 + n^2 \tag{11.9}$$

for relatively prime integers $m > n$ of different parity.

We study the converse question of determining $k$-gonal triples from (primitive) Pythagorean triples.

11.5 Triples of triangular numbers

Given a primitive Pythagorean triple $(p, q, r)$ as in (11.9), we want to determine a triangular triple $(a, b, c)$ corresponding to it. Given an odd integer $z_0 > 1$, we obtain, from (11.6) and (11.8),

$$x_0 = \frac{pz_0 + \epsilon q}{r}, \quad y_0 = \frac{qz_0 - \epsilon p}{r}. \tag{11.10}$$

We claim that it is possible to choose $z_0 > 1$ so that $x_0$ and $y_0$ are also odd integers $> 1$.

By the euclidean algorithm, there are odd integers $u$ and $v$ such that $qu + rv = 1$. (Note that $v$ must be odd, since $q$ is even. If $u$ is even, we replace $(u, v)$ by $(u - r, v + q)$, in which both entries are odd.) Clearly, the integer $z_0 = \epsilon pu$ is such that $qz_0 - \epsilon p = \epsilon p(qu - 1)$ is divisible by $r$. This makes $y_0$ an integer. The corresponding $x_0$ is also an integer. Replacing $z_0$ by $z_0 + rt$ for a positive integer $t$ if necessary, the integers $z_0$, $x_0$, and $y_0$ can be chosen greater than 1. From (11.10), the integers $x_0$ and $y_0$ are both odd, since $p$ and $q$ are of different parity and $z_0$ is odd.

We summarize this in the following theorem.

Theorem 11.2. Let $(p, q, r)$ be a primitive Pythagorean triple. There are two infinite families of triangular triples $(a_\epsilon(t), b_\epsilon(t), c_\epsilon(t))$, $\epsilon = \pm 1$, such that one of the lines $\ell_\epsilon(P)$, $P = P'(3; a_\epsilon(t), b_\epsilon(t), c_\epsilon(t))$, has direction numbers $p : q : r$.

Triangular triples from primitive Pythagorean triples

(m, n)  (p, q, r)     (a+(0), b+(0), c+(0))  (a−(0), b−(0), c−(0))
(2, 1)  (3, 4, 5)     (2, 2, 3)              (3, 5, 6)
(4, 1)  (15, 8, 17)   (9, 4, 10)             (5, 3, 6)
(3, 2)  (5, 12, 13)   (4, 9, 10)             (5, 14, 15)
(6, 1)  (35, 12, 37)  (20, 6, 21)            (14, 5, 15)
(5, 2)  (21, 20, 29)  (6, 5, 8)              (14, 14, 20)
(4, 3)  (7, 24, 25)   (6, 20, 21)            (7, 27, 28)
(8, 1)  (63, 16, 65)  (35, 8, 36)            (27, 7, 28)
(7, 2)  (45, 28, 53)  (35, 21, 41)           (9, 6, 11)
(5, 4)  (9, 40, 41)   (8, 35, 36)            (9, 44, 45)

11.6 $k$-gonal triples determined by a Pythagorean triple

Now, we consider $k \ge 5$. We shall adopt the notation

$$h' := \begin{cases} h & \text{if } h \text{ is odd,} \\ \frac{h}{2} & \text{if } h \text{ is even,} \end{cases}$$

for an integer $h$.

Theorem 11.3. Let $k \ge 5$ and $g = \frac{2(k-2)}{k-4}$. The primitive Pythagorean triple $(p, q, r)$ defined in (11.9) by relatively prime integers $m > n$ with different parity corresponds to a $k$-gonal triple if and only if one of $\frac{2n}{g}$ and $\frac{2(m-n)}{g}$ is an integer.

Proof. As in (11.10) above, the rational points through which the surface $S$ contains a line of direction numbers $p : q : r$ are of the form

$$\left(\frac{pz + \epsilon q}{r}, \frac{qz - \epsilon p}{r}, z\right). \tag{11.11}$$

Suppose this corresponds to a $k$-gonal triple $(a, b, c)$, so that $z = gc - 1$. From (11.4), we obtain, for $\epsilon = 1$,

$$a = \frac{m + n}{(k-2)'(m^2 + n^2)} \cdot [(k-2)'(m-n)c + (k-4)'n], \tag{11.12}$$

$$b = \frac{n}{(k-2)'(m^2 + n^2)} \cdot [(k-2)' \cdot 2mc - (k-4)'(m-n)]. \tag{11.13}$$

Note that $(k-2)'$ and $(k-4)'$ are always relatively prime, since $\gcd(k-2, k-4) = 1$ or 2 according as $k$ is odd or even.

From these expressions,


$$a^2 + b^2 - c^2 = \frac{2(k-4)'n}{(k-2)'^2(m^2 + n^2)} \cdot [(k-2)'(m-n)c + (k-4)'n].$$

We claim that $n$ must be divisible by $(k-2)'$ for $a, b, c$ to be integers. Let $d := \gcd(n, (k-2)')$, so that

$$n = d \cdot n^*, \quad (k-2)' = d \cdot (k-2)^*$$

for relatively prime integers $n^*$ and $(k-2)^*$. Then

$$a^2 + b^2 - c^2 = \frac{2(k-4)'n^*}{(k-2)^{*2}(m^2 + n^2)} \cdot [(k-2)^*(m-n)c + (k-4)'n^*].$$

Since $(k-2)^*$ is prime to each of $(k-4)'$ and $n^*$, the only possible prime divisor of $(k-2)^*$ is 2. This means that $(k-2)^*$ is a power of 2 (possibly 1). If $(k-2)^*$ is even, then after cancelling a common divisor 2, the numerator of $a^2 + b^2 - c^2$ is odd, and the denominator is even. This cannot be an integer. It follows that $(k-2)^* = 1$, justifying the claim that $n$ must be divisible by $(k-2)'$.

Since $g = \frac{2(k-2)'}{(k-4)'}$, the condition that $n$ be divisible by $(k-2)'$ is equivalent to $\frac{2n}{g}$ being an integer. Under this condition, there is a unique positive integer $c_0 < m^2 + n^2$ for which $a_0$ defined by (11.12) is an integer. Note that $a_0^2 + b_0^2 - c_0^2$ is also an integer. Since $b_0$ is rational, it too must be an integer. Every $k$-gonal triple associated with the primitive Pythagorean triple $(p, q, r)$ is of the form

$$a_t = a_0 + pt, \quad b_t = b_0 + qt, \quad c_t = c_0 + rt$$

for a positive integer $t$.

For $\epsilon = -1$, the treatment is exactly the same, with $n$ replaced by $m - n$. Indeed, we have

$$a = \frac{m - n}{(k-2)'(m^2 + n^2)} \cdot [(k-2)'(m+n)c - (k-4)'n],$$

$$b = \frac{m}{(k-2)'(m^2 + n^2)} \cdot [(k-2)' \cdot 2nc + (k-4)'(m-n)].$$

Since $m$ and $n$ are relatively prime, the integer $(k-2)' > 1$ cannot divide both $n$ and $m - n$. This means that a primitive Pythagorean triple $(p, q, r)$ corresponds to at most one line on $S$ associated with $k$-gonal triples (for $k \ge 5$).

Indeed, if $k = 4h + 2$, $(k-2)'$ is the even number $2h$, and cannot divide the odd integer $m - n$. It follows that only those pairs $(m, n)$, with $n$ a multiple of $2h$, give $(4h+2)$-gonal triples. For example, by choosing $m = 2h + 1$, $n = 2h$, we have

$$p = 4h + 1, \quad q = 8h^2 + 4h, \quad r = 8h^2 + 4h + 1,$$

$$a_0 = 4h + 1, \quad b_0 = 8h^2 + 2h + 1, \quad c_0 = 8h^2 + 2h + 2.$$


These give an infinite family of $(4h+2)$-gonal triples:

$$a_t = (4h+1)(t+1), \quad b_t = 8h^2 + 2h + 1 + (8h^2 + 4h)t, \quad c_t = 8h^2 + 2h + 2 + (8h^2 + 4h + 1)t.$$

(4h+2)-gonal triples

(h, k, g)      (m, n)    (p, q, r)        (a, b, c)
(1, 6, 4)      (3, 2)    (5, 12, 13)      (5, 11, 12)
               (5, 2)    (21, 20, 29)     (14, 13, 19)
               (5, 4)    (9, 40, 41)      (9, 38, 39)
               (7, 2)    (45, 28, 53)     (18, 11, 21)
               (7, 4)    (33, 56, 65)     (11, 18, 21)
               (7, 6)    (13, 84, 85)     (13, 81, 82)
               (9, 2)    (77, 36, 85)     (11, 5, 12)
               (9, 4)    (65, 72, 97)     (13, 14, 19)
               (9, 8)    (17, 144, 145)   (17, 140, 141)
               (11, 2)   (117, 44, 125)   (104, 39, 111)
               (11, 4)   (105, 88, 137)   (60, 50, 78)
               (11, 6)   (85, 132, 157)   (68, 105, 125)
               (11, 8)   (57, 176, 185)   (38, 116, 122)
               (11, 10)  (21, 220, 221)   (21, 215, 216)
(2, 10, 8/3)   (5, 4)    (9, 40, 41)      (9, 37, 38)
               (7, 4)    (33, 56, 65)     (33, 55, 64)
               (9, 4)    (65, 72, 97)     (52, 57, 77)
               (9, 8)    (17, 144, 145)   (17, 138, 139)
               (11, 4)   (105, 88, 137)   (90, 75, 117)
               (11, 8)   (57, 176, 185)   (57, 174, 183)
(3, 14, 12/5)  (7, 6)    (13, 84, 85)     (13, 79, 80)
               (11, 6)   (85, 132, 157)   (85, 131, 156)
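Theorem 11.3 turned into a generator, as an added example that is not the notes' own code: from $(m, n)$ it tests the condition on $\frac{2n}{g}$ and $\frac{2(m-n)}{g}$, finds the unique $c_0 < m^2 + n^2$ making $a$ and $b$ in (11.12)/(11.13) (or their $\epsilon = -1$ counterparts) integers, and returns the family $(a_0 + pt, b_0 + qt, c_0 + rt)$, checked against (11.1). It also covers odd $k$ (e.g. pentagonal numbers), which the table above does not list; function names are my own.

```python
from fractions import Fraction
from math import gcd


def polygonal(k, n):
    """The n-th k-gonal number P_{k,n} = n((k-2)n - (k-4))/2 (Section 11.1)."""
    return n * ((k - 2) * n - (k - 4)) // 2


def halve_if_even(h):
    """The notes' h': h if h is odd, h/2 if h is even."""
    return h if h % 2 else h // 2


def kgonal_triples(k, m, n, count=3):
    """k-gonal triples (a_0 + pt, b_0 + qt, c_0 + rt) for t < count on the line
    of direction (p, q, r) = (m^2 - n^2, 2mn, m^2 + n^2); [] when the
    condition of Theorem 11.3 fails.  For epsilon = 1 the values a, b come
    from (11.12)/(11.13); for epsilon = -1 from the formulas with n replaced
    by m - n given in Section 11.6.  c_0 is found by the search the proof
    guarantees to succeed below m^2 + n^2."""
    assert k >= 5 and m > n > 0 and gcd(m, n) == 1 and (m - n) % 2 == 1
    p, q, r = m * m - n * n, 2 * m * n, m * m + n * n
    k2, k4 = halve_if_even(k - 2), halve_if_even(k - 4)   # (k-2)', (k-4)'
    g = Fraction(2 * k2, k4)                               # g = 2(k-2)'/(k-4)'
    if (2 * n / g).denominator == 1:
        eps = 1
    elif (2 * (m - n) / g).denominator == 1:
        eps = -1
    else:
        return []
    den = k2 * (m * m + n * n)
    for c0 in range(1, m * m + n * n):
        if eps == 1:
            a = Fraction((m + n) * (k2 * (m - n) * c0 + k4 * n), den)
            b = Fraction(n * (k2 * 2 * m * c0 - k4 * (m - n)), den)
        else:
            a = Fraction((m - n) * (k2 * (m + n) * c0 - k4 * n), den)
            b = Fraction(m * (k2 * 2 * n * c0 + k4 * (m - n)), den)
        if a.denominator == 1 and b.denominator == 1 and a > 0 and b > 0:
            a0, b0 = int(a), int(b)
            return [(a0 + p * t, b0 + q * t, c0 + r * t) for t in range(count)]
    return []


def is_kgonal_triple(k, a, b, c):
    """Check P_{k,a} + P_{k,b} = P_{k,c}, equation (11.1)."""
    return polygonal(k, a) + polygonal(k, b) == polygonal(k, c)
```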


Chapter 12

Quadratic Residues

12.1 Quadratic residues

Let $n > 1$ be a given positive integer, and $\gcd(a, n) = 1$. We say that $a \in \mathbb{Z}_n^\bullet$ is a quadratic residue mod $n$ if the congruence $x^2 \equiv a \pmod n$ is solvable. Otherwise, $a$ is called a quadratic nonresidue mod $n$.

1. If $a$ and $b$ are quadratic residues mod $n$, so is their product $ab$.

2. If $a$ is a quadratic residue, and $b$ a quadratic nonresidue mod $n$, then $ab$ is a quadratic nonresidue mod $n$.

3. The product of two quadratic nonresidues mod $n$ is not necessarily a quadratic residue mod $n$. For example, in $\mathbb{Z}_{12}^\bullet = \{1, 5, 7, 11\}$, only 1 is a quadratic residue; $5$, $7$, and $11 \equiv 5 \cdot 7$ are all quadratic nonresidues.

Proposition 12.1. Let $p$ be an odd prime, and $p \nmid a$. The quadratic congruence $ax^2 + bx + c \equiv 0 \pmod p$ is solvable if and only if $(2ax + b)^2 \equiv b^2 - 4ac \pmod p$ is solvable.

Theorem 12.2. Let $p$ be an odd prime. Exactly one half of the elements of $\mathbb{Z}_p^\bullet$ are quadratic residues.

Proof. Each quadratic residue modulo $p$ is congruent to one of the following $\frac12(p-1)$ residues:

$$1^2, 2^2, \ldots, k^2, \ldots, \left(\frac{p-1}{2}\right)^2.$$

We show that these residue classes are all distinct. For $1 \le h < k \le \frac{p-1}{2}$, $h^2 \equiv k^2 \pmod p$ if and only if $(k-h)(h+k)$ is divisible by $p$; this is impossible since each of $k - h$ and $h + k$ is smaller than $p$.

Corollary 12.3. If $p$ is an odd prime, the product of two quadratic nonresidues is a quadratic residue.


12.2 The Legendre symbol

Let $p$ be an odd prime. For an integer $a$, we define the Legendre symbol

$$\left(\frac{a}{p}\right) := \begin{cases} +1, & \text{if } a \text{ is a quadratic residue mod } p, \\ -1, & \text{otherwise.} \end{cases}$$

Lemma 12.4. $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$.

Proof. This is equivalent to saying that modulo $p$, the product of two quadratic residues (respectively nonresidues) is a quadratic residue, and the product of a quadratic residue and a quadratic nonresidue is a quadratic nonresidue.

For an odd prime $p$, $\left(\frac{-1}{p}\right) = (-1)^{\frac12(p-1)}$. This is a restatement of Theorem 12.6 that $-1$ is a quadratic residue mod $p$ if and only if $p \equiv 1 \pmod 4$.

Theorem 12.5 (Euler). Let $p$ be an odd prime. For each integer $a$ not divisible by $p$,

$$\left(\frac{a}{p}\right) \equiv a^{\frac12(p-1)} \pmod p.$$

Proof. Suppose $a$ is a quadratic nonresidue mod $p$. The mod $p$ residues $1, 2, \ldots, p-1$ are partitioned into pairs satisfying $xy = a$. In this case,

$$(p-1)! \equiv a^{\frac12(p-1)} \pmod p.$$

On the other hand, if $a$ is a quadratic residue, with $a \equiv k^2 \equiv (p-k)^2 \pmod p$, apart from $0, \pm k$, the remaining $p - 3$ elements of $\mathbb{Z}_p$ can be partitioned into pairs satisfying $xy = a$. Then

$$(p-1)! \equiv k(p-k)\,a^{\frac12(p-3)} \equiv -a^{\frac12(p-1)} \pmod p.$$

Summarizing, we obtain

$$(p-1)! \equiv -\left(\frac{a}{p}\right) a^{\frac12(p-1)} \pmod p.$$

Note that by putting $a = 1$, we obtain Wilson's theorem: $(p-1)! \equiv -1 \pmod p$. By comparison, we obtain a formula for $\left(\frac{a}{p}\right)$:

$$\left(\frac{a}{p}\right) \equiv a^{\frac12(p-1)} \pmod p.$$


12.3 $-1$ as a quadratic residue mod $p$

Theorem 12.6. Let $p$ be an odd prime. $-1$ is a quadratic residue mod $p$ if and only if $p \equiv 1 \pmod 4$.

Proof. If $x^2 \equiv -1 \pmod p$, then $(-1)^{\frac{p-1}{2}} \equiv x^{p-1} \equiv 1 \pmod p$ by Fermat's little theorem. This means that $\frac{p-1}{2}$ is even, and $p \equiv 1 \pmod 4$.

Conversely, if $p \equiv 1 \pmod 4$, the integer $\frac{p-1}{2}$ is even. By Wilson's theorem,

$$\left(\left(\frac{p-1}{2}\right)!\right)^2 = \prod_{j=1}^{\frac{p-1}{2}} j^2 = \prod_{j=1}^{\frac{p-1}{2}} j \cdot (-j) \equiv \prod_{j=1}^{\frac{p-1}{2}} j \cdot (p-j) = (p-1)! \equiv -1 \pmod p.$$

The solutions of $x^2 \equiv -1 \pmod p$ are therefore $x \equiv \pm\left(\frac{p-1}{2}\right)!$.

Here are the square roots of $-1$ mod $p$ for the first 20 primes of the form $4k+1$:

p     √−1    p     √−1    p     √−1    p     √−1    p     √−1
5     ±2     13    ±5     17    ±4     29    ±12    37    ±6
41    ±9     53    ±23    61    ±11    73    ±27    89    ±34
97    ±22    101   ±10    109   ±33    113   ±15    137   ±37
149   ±44    157   ±28    173   ±80    181   ±19    193   ±81

Theorem 12.7. There are infinitely many primes of the form $4n + 1$.

Proof. Suppose there are only finitely many primes $p_1, p_2, \ldots, p_r$ of the form $4n + 1$. Consider the product

$$P = (2p_1p_2 \cdots p_r)^2 + 1.$$

Note that $P \equiv 1 \pmod 4$. Since $P$ is greater than each of $p_1, p_2, \ldots, p_r$, it cannot be prime, and so must have a prime factor $p$ different from $p_1, p_2, \ldots, p_r$. But then modulo $p$, $-1$ is a square. By Theorem 12.6, $p$ must be of the form $4n + 1$, a contradiction.

In the table below we list, for primes $< 50$, the quadratic residues and their square roots. It is understood that the square roots come in pairs. For example, the entry $(2, 7)$ for the prime 47 should be interpreted as saying that the two solutions of the congruence $x^2 \equiv 2 \pmod{47}$ are $x \equiv \pm 7 \pmod{47}$. Also, for primes of the form $p = 4n + 1$, since $-1$ is a quadratic residue modulo $p$, we only list quadratic residues smaller than $\frac{p}{2}$. Those greater than $\frac{p}{2}$ can be found with the help of the square roots of $-1$.


Quadratic residues mod p and their square roots

3   (1, 1)
5   (−1, 2) (1, 1)
7   (1, 1) (2, 3) (4, 2)
11  (1, 1) (3, 5) (4, 2) (5, 4) (9, 3)
13  (−1, 5) (1, 1) (3, 4) (4, 2)
17  (−1, 4) (1, 1) (2, 6) (4, 2) (8, 5)
19  (1, 1) (4, 2) (5, 9) (6, 5) (7, 8) (9, 3) (11, 7) (16, 4) (17, 6)
23  (1, 1) (2, 5) (3, 7) (4, 2) (6, 11) (8, 10) (9, 3) (12, 9) (13, 6) (16, 4) (18, 8)
29  (−1, 12) (1, 1) (4, 2) (5, 11) (6, 8) (7, 6) (9, 3) (13, 10)
31  (1, 1) (2, 8) (4, 2) (5, 6) (7, 10) (8, 15) (9, 3) (10, 14) (14, 13) (16, 4) (18, 7) (19, 9) (20, 12) (25, 5) (28, 11)
37  (−1, 6) (1, 1) (3, 15) (4, 2) (7, 9) (9, 3) (10, 11) (11, 14) (12, 7) (16, 4)
41  (−1, 9) (1, 1) (2, 17) (4, 2) (5, 13) (8, 7) (9, 3) (10, 16) (16, 4) (18, 10) (20, 15)
43  (1, 1) (4, 2) (6, 7) (9, 3) (10, 15) (11, 21) (13, 20) (14, 10) (15, 12) (16, 4) (17, 19) (21, 8) (23, 18) (24, 14) (25, 5) (31, 17) (35, 11) (36, 6) (38, 9) (40, 13) (41, 16)
47  (1, 1) (2, 7) (3, 12) (4, 2) (6, 10) (7, 17) (8, 14) (9, 3) (12, 23) (14, 22) (16, 4) (17, 8) (18, 21) (21, 16) (24, 20) (25, 5) (27, 11) (28, 13) (32, 19) (34, 9) (36, 6) (37, 15) (42, 18)
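Euler's criterion (Theorem 12.5), the square root of $-1$ from Theorem 12.6, and the rows of the two tables above, as an added example that is not the notes' own code. Exhaustive search is used as an independent check of the criterion; function names are my own.

```python
from math import factorial


def legendre_euler(a, p):
    """(a/p) by Euler's criterion: a^((p-1)/2) mod p, read as +1, -1 (for the
    residue p-1) or 0 when p divides a."""
    e = pow(a, (p - 1) // 2, p)
    return -1 if e == p - 1 else e


def square_roots(a, p):
    """All x in [0, p) with x^2 = a (mod p), by exhaustive search."""
    return [x for x in range(p) if (x * x - a) % p == 0]


def sqrt_minus_one(p):
    """For p = 1 (mod 4), ((p-1)/2)! is a square root of -1 mod p
    (Theorem 12.6); the smaller member of the pair +-root is returned."""
    assert p % 4 == 1
    x = factorial((p - 1) // 2) % p
    return min(x, p - x)


def residue_table(p):
    """The row of the notes' table for an odd prime p: (residue, root) pairs
    with root the smaller of +-root.  For p = 1 (mod 4) the row starts with
    (-1, root) and only residues below p/2 are listed; the others are their
    products with -1."""
    rows = []
    if p % 4 == 1:
        rows.append((-1, sqrt_minus_one(p)))
    limit = p // 2 if p % 4 == 1 else p - 1
    for a in range(1, limit + 1):
        if legendre_euler(a, p) == 1:
            rows.append((a, min(square_roots(a, p))))
    return rows


def euler_vs_search(p):
    """True if Euler's criterion agrees with exhaustive search for every a mod p."""
    return all((legendre_euler(a, p) == 1) == bool(square_roots(a, p))
               for a in range(1, p))
```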


Chapter 13

The law of quadratic reciprocity

13.1 Gauss’ lemma

Theorem 13.1 (Gauss' Lemma). Let $p$ be an odd prime, and $a$ an integer not divisible by $p$. Then $\left(\frac{a}{p}\right) = (-1)^\mu$ where $\mu$ is the number of residues among

$$a, 2a, 3a, \ldots, \frac{p-1}{2}a$$

falling in the range $\frac{p}{2} < x < p$.

Proof. Every residue modulo $p$ has a unique representative with least absolute value, namely, the one in the range $-\frac{p-1}{2} \le x \le \frac{p-1}{2}$. The residues described in the statement of Gauss' Lemma are precisely those whose representatives are negative. Now, among the representatives of the residues of

$$a, 2a, \ldots, \frac{p-1}{2}a,$$

say, there are $\lambda$ positive ones,

$$r_1, r_2, \ldots, r_\lambda,$$

and $\mu$ negative ones

$$-s_1, -s_2, \ldots, -s_\mu.$$

Here, $\lambda + \mu = \frac{p-1}{2}$, and $0 < r_i, s_j < \frac{p}{2}$.

Note that no two of the $r$'s are equal; similarly for the $s$'s. Suppose that $r_i = s_j$ for some indices $i$ and $j$. This means

$$ha \equiv r_i \pmod p; \quad ka \equiv -s_j \pmod p$$

for some $h, k$ in the range $0 < h, k < \frac12(p-1)$. Note that $(h + k)a \equiv 0 \pmod p$. But this is a contradiction since $h + k < p - 1$ and $p$ does not divide $a$. It follows that

$$r_1, r_2, \ldots, r_\lambda, s_1, s_2, \ldots, s_\mu$$

are a permutation of $1, 2, \ldots, \frac12(p-1)$. From this

$$a \cdot 2a \cdots \frac{p-1}{2}a = (-1)^\mu \cdot 1 \cdot 2 \cdots \frac{p-1}{2},$$

and $a^{\frac12(p-1)} \equiv (-1)^\mu \pmod p$. By Theorem 12.5, $\left(\frac{a}{p}\right) = (-1)^\mu$.

Example

Let $p = 19$ and $a = 5$. We consider the first 9 multiples of 5 mod 19. These are

$$5, 10, 15, 20 \equiv 1, 25 \equiv 6, 30 \equiv 11, 35 \equiv 16, 40 \equiv 2, 45 \equiv 7.$$

4 of these exceed 9, namely, 10, 15, 11, 16. It follows that $\left(\frac{5}{19}\right) = 1$; 5 is a quadratic residue mod 19.¹

Theorem 13.2.

$$\left(\frac{2}{p}\right) = (-1)^{\lfloor \frac14(p+1) \rfloor} = (-1)^{\frac18(p^2-1)}.$$

Equivalently,

$$\left(\frac{2}{p}\right) = \begin{cases} +1 & \text{if } p \equiv \pm 1 \pmod 8, \\ -1 & \text{if } p \equiv \pm 3 \pmod 8. \end{cases}$$

Proof. We need to see how many terms in the sequence

$$2 \cdot 1, 2 \cdot 2, 2 \cdot 3, \ldots, 2 \cdot \frac{p-1}{2}$$

are in the range $\frac{p}{2} < x < p$. If $p = 4k + 1$, these are the numbers $2k + 2, \ldots, 4k$, and there are $k$ of them. On the other hand, if $p = 4k + 3$, these are the numbers $2k + 2, \ldots, 4k + 2$, and there are $k + 1$ of them. In each case, the number of terms is $\lfloor \frac14(p+1) \rfloor$.

Example

Square root of 2 mod $p$ for the first 20 primes of the form $8k \pm 1$.

p     √2    p     √2    p     √2    p     √2    p     √2
7     3     17    6     23    5     31    8     41    17
47    7     71    12    73    32    79    9     89    25
97    14    103   38    113   51    127   16    137   31
151   46    167   13    191   57    193   52    199   20

Proposition 13.3 (Euler). Let $p > 3$ be a prime number of the form $4k + 3$. If $q = 2p + 1$ is also prime, then the Mersenne number $M_p = 2^p - 1$ has a prime factor $2p + 1$ and is composite.

¹ Indeed $5 \equiv 9^2 \pmod{19}$.


Proof. Note that the prime $q$ is of the form $8k + 7$, and so admits 2 as a quadratic residue. By Theorem 13.2,

$$2^p = 2^{\frac12(q-1)} \equiv \left(\frac{2}{q}\right) = 1 \pmod q.$$

This means that $q = 2p + 1$ divides $M_p = 2^p - 1$. If $p > 3$, $2p + 1 < 2^p - 1$, and $M_p$ is composite.

For example, $M_{11} = 2^{11} - 1$ is divisible by 23 since $23 = 2 \cdot 11 + 1$ is prime. Similarly, $M_{23} = 2^{23} - 1$ is divisible by 47, and $M_{83} = 2^{83} - 1$ is divisible by 167.
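Gauss' lemma, the formula for $\left(\frac{2}{p}\right)$, Euler's Mersenne criterion, and the floor-sum form of the Legendre symbol that the proof of the reciprocity law in Section 13.2 derives from Gauss' lemma, as an added example that is not the notes' own code. The three ways of computing $\left(\frac{a}{p}\right)$ are cross-checked against each other; function names are my own.

```python
def is_prime(n):
    """Trial division; adequate for the small primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def gauss_mu(a, p):
    """mu of Gauss' lemma: how many of a, 2a, ..., ((p-1)/2)a have residue in (p/2, p)."""
    return sum(1 for m in range(1, (p - 1) // 2 + 1) if (m * a) % p > p // 2)


def legendre_gauss(a, p):
    """(a/p) = (-1)^mu (Theorem 13.1)."""
    return (-1) ** gauss_mu(a, p)


def legendre_two(p):
    """(2/p) = (-1)^floor((p+1)/4) (Theorem 13.2)."""
    return (-1) ** ((p + 1) // 4)


def legendre_floor_sum(a, p):
    """For odd a: (a/p) = (-1)^(sum_{m=1}^{(p-1)/2} floor(ma/p)), the form
    obtained in part (1) of the proof of Theorem 13.4."""
    assert a % 2 == 1
    return (-1) ** sum(m * a // p for m in range(1, (p - 1) // 2 + 1))


def reciprocity_holds(p, q):
    """(p/q)(q/p) = (-1)^((p-1)/2 * (q-1)/2) for distinct odd primes p, q."""
    lhs = legendre_floor_sum(p, q) * legendre_floor_sum(q, p)
    return lhs == (-1) ** (((p - 1) // 2) * ((q - 1) // 2))


def mersenne_factor(p):
    """Proposition 13.3: for a prime p = 3 (mod 4) with q = 2p + 1 prime,
    q divides M_p = 2^p - 1; returns q in that case, else None."""
    q = 2 * p + 1
    if p % 4 == 3 and is_prime(p) and is_prime(q) and pow(2, p, q) == 1:
        return q
    return None
```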

13.2 The law of quadratic reciprocity

Theorem 13.4 (Law of quadratic reciprocity). Let $p$ and $q$ be distinct odd primes.

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$

Equivalently, when at least one of $p, q \equiv 1 \pmod 4$, $p$ is a quadratic residue mod $q$ if and only if $q$ is a quadratic residue mod $p$.²

Proof. (1) Let $a$ be an integer not divisible by $p$. Suppose, as in the proof of Gauss' Lemma above, of the residues $a, 2a, \ldots, \frac{p-1}{2}a$, the positive least absolute value representatives are $r_1, r_2, \ldots, r_\lambda$, and the negative ones are $-s_1, -s_2, \ldots, -s_\mu$. The numbers $a, 2a, \ldots, \frac{p-1}{2}a$ are a permutation of

$$\left\lfloor \frac{h_i a}{p} \right\rfloor p + r_i, \quad i = 1, 2, \ldots, \lambda,$$

and

$$\left\lfloor \frac{k_j a}{p} \right\rfloor p + (p - s_j), \quad j = 1, 2, \ldots, \mu,$$

where $h_1, \ldots, h_\lambda, k_1, \ldots, k_\mu$ are a permutation of $1, 2, \ldots, \frac{p-1}{2}$. Considering the sum of these numbers, we have

$$\begin{aligned}
a \cdot \sum_{m=1}^{\frac12(p-1)} m &= p \sum_{m=1}^{\frac12(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor + \sum_{i=1}^{\lambda} r_i + \sum_{j=1}^{\mu} (p - s_j) \\
&= p \sum_{m=1}^{\frac12(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor + \sum_{i=1}^{\lambda} r_i + \sum_{j=1}^{\mu} s_j + \sum_{j=1}^{\mu} (p - 2s_j) \\
&= p \sum_{m=1}^{\frac12(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor + \sum_{m=1}^{\frac12(p-1)} m + \mu \cdot p - 2 \sum_{j=1}^{\mu} s_j.
\end{aligned}$$

² For $p \equiv q \equiv 3 \pmod 4$, $p$ is a quadratic residue mod $q$ if and only if $q$ is a quadratic nonresidue mod $p$.


In particular, if $a$ is odd, then (reducing mod 2 and using that $p$ is odd)

$$\mu \equiv \sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor \pmod 2,$$

and by Gauss' lemma,

$$\left(\frac{a}{p}\right) = (-1)^{\sum_{m=1}^{\frac{1}{2}(p-1)} \lfloor ma/p \rfloor}.$$

(2) Therefore, for distinct odd primes $p$ and $q$, we have

$$\left(\frac{q}{p}\right) = (-1)^{\sum_{m=1}^{\frac{1}{2}(p-1)} \lfloor mq/p \rfloor}, \qquad \text{and} \qquad \left(\frac{p}{q}\right) = (-1)^{\sum_{n=1}^{\frac{1}{2}(q-1)} \lfloor np/q \rfloor}.$$

[Figure: the lattice points $(m, n)$, $1 \le m \le \frac{p-1}{2}$, $1 \le n \le \frac{q-1}{2}$, with the line $L$ of slope $\frac{q}{p}$ through the origin; horizontal axis $m$ (up to $\frac{p}{2}$), vertical axis $n$ (up to $\frac{q}{2}$).]

(3) In the diagram above, we consider the lattice points $(m, n)$ with $1 \le m \le \frac{p-1}{2}$ and $1 \le n \le \frac{q-1}{2}$. There are altogether $\frac{p-1}{2} \cdot \frac{q-1}{2}$ such points forming a rectangle. These points are separated by the line $L$ of slope $\frac{q}{p}$ through the point $(0, 0)$; no lattice point of the rectangle lies on $L$, since $p \nmid mq$ for $1 \le m < p$.

For each $m = 1, 2, \ldots, \frac{p-1}{2}$, the number of points on the vertical line through $(m, 0)$ under $L$ is $\lfloor \frac{mq}{p} \rfloor$. Therefore, the total number of points under $L$ is

$$\sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{mq}{p} \right\rfloor.$$

Similarly, the total number of points on the left side of $L$ is $\sum_{n=1}^{\frac{1}{2}(q-1)} \left\lfloor \frac{np}{q} \right\rfloor$. From these, we have

$$\sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{mq}{p} \right\rfloor + \sum_{n=1}^{\frac{1}{2}(q-1)} \left\lfloor \frac{np}{q} \right\rfloor = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$

It follows that

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$


The law of quadratic reciprocity can be recast into the following form:

$$\left(\frac{p}{q}\right) = \begin{cases} -\left(\frac{q}{p}\right), & \text{if } p \equiv q \equiv 3 \pmod 4, \\ +\left(\frac{q}{p}\right), & \text{otherwise.} \end{cases}$$

Examples

1. $\left(\frac{59}{131}\right) = -\left(\frac{131}{59}\right) = -\left(\frac{13}{59}\right) = -\left(\frac{59}{13}\right) = -\left(\frac{7}{13}\right) = -\left(\frac{13}{7}\right) = -\left(\frac{-1}{7}\right) = -(-1) = 1.$

2. $\left(\frac{34}{97}\right) = \left(\frac{2}{97}\right)\left(\frac{17}{97}\right)$. Now, $\left(\frac{2}{97}\right) = +1$ by Theorem 13.2, and

$$\left(\frac{17}{97}\right) = \left(\frac{97}{17}\right) = \left(\frac{12}{17}\right) = \left(\frac{3}{17}\right)\left(\frac{4}{17}\right) = \left(\frac{3}{17}\right) = \left(\frac{17}{3}\right) = \left(\frac{2}{3}\right) = -1.$$

3. For which primes $p$ is 3 a quadratic residue? Writing $p = 6k + \epsilon$, $\epsilon = \pm 1$,

$$\left(\frac{3}{p}\right) = (-1)^{\frac{p-1}{2}} \left(\frac{p}{3}\right) = (-1)^{k + \frac{1}{2}(\epsilon - 1)} \epsilon = (-1)^k.$$

This means 3 is a quadratic residue mod $p$ if and only if $k$ is even, i.e., $p = 12m \pm 1$.
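The recast form of the law, together with $\left(\frac{-1}{p}\right)$ and Theorem 13.2 for $\left(\frac{2}{p}\right)$, evaluates any Legendre symbol without factoring the numerator, exactly as the chains in Examples 1 and 2 do. The Python below is an added example, not code from the lecture notes; `reciprocity_symbol` implements that reduction (it is in fact the Jacobi-symbol algorithm, which agrees with the Legendre symbol for prime $n$), and `euler_criterion` is the independent check. The function names are mine.

```python
# Added example, not part of the lecture notes.  Legendre symbol (a/p) computed
# purely by the reduction rules used in the worked examples above: pull out
# factors of 2 with Theorem 13.2, then flip with the recast reciprocity law.
# The same loop is valid for odd composite n (Jacobi symbol).  Names are mine.

def reciprocity_symbol(a, n):
    """(a/n) for odd n > 0, by reciprocity; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                  # (2/n) = -1 exactly when n ≡ ±3 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                        # (a/n) = ±(n/a): flip ...
        if a % 4 == 3 and n % 4 == 3:      # ... with a sign change iff both ≡ 3 (mod 4)
            result = -result
        a %= n
    return result if n == 1 else 0

def euler_criterion(a, p):
    """(a/p) for an odd prime p via a^((p-1)/2) mod p; the independent reference."""
    r = pow(a % p, (p - 1) // 2, p)
    return 0 if r == 0 else (-1 if r == p - 1 else 1)

def primes_with_3_as_residue(limit):
    """Primes p > 3 below limit with (3/p) = +1; Example 3 says these are p ≡ ±1 (mod 12)."""
    ps = [p for p in range(5, limit) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
    return [p for p in ps if reciprocity_symbol(3, p) == 1]
```

Tracing `reciprocity_symbol(59, 131)` by hand reproduces the chain of Example 1 step for step: the flip $131 \to 59$ changes the sign (both are $3 \bmod 4$), the later flip $7 \to 3$ changes it back, and the value is $+1$.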


Chapter 14

Calculation of square roots

14.1 Square roots modulo $p$

1. Let $p$ be a prime of the form $4k+3$. If $\left(\frac{a}{p}\right) = 1$, then the square roots of $a$ mod $p$ are $\pm a^{\frac{1}{4}(p+1)}$.

Proof.

$$\left(a^{\frac{1}{4}(p+1)}\right)^2 \equiv a^{\frac{1}{2}(p+1)} = a^{\frac{1}{2}(p-1)} \cdot a = \left(\frac{a}{p}\right) a = a \pmod p.$$

2. Let $p$ be a prime of the form $8k+5$. If $\left(\frac{a}{p}\right) = 1$, then the square roots of $a$ mod $p$ are

• $\pm a^{\frac{1}{8}(p+3)}$ if $a^{\frac{1}{4}(p-1)} \equiv 1 \pmod p$,
• $\pm 2^{\frac{1}{4}(p-1)} \cdot a^{\frac{1}{8}(p+3)}$ if $a^{\frac{1}{4}(p-1)} \equiv -1 \pmod p$.

Proof. Note that

$$\left(a^{\frac{1}{8}(p+3)}\right)^2 \equiv a^{\frac{1}{4}(p+3)} = a^{\frac{1}{4}(p-1)} \cdot a \pmod p.$$

Since $\left(\frac{a}{p}\right) = a^{\frac{1}{2}(p-1)} \equiv 1 \pmod p$, we have $a^{\frac{1}{4}(p-1)} \equiv \pm 1 \pmod p$.

If $a^{\frac{1}{4}(p-1)} \equiv 1 \pmod p$, then this gives $a^{\frac{1}{8}(p+3)}$ as a square root of $a$ mod $p$.

If $a^{\frac{1}{4}(p-1)} \equiv -1 \pmod p$, then we have

$$a \equiv -\left(a^{\frac{1}{8}(p+3)}\right)^2 \equiv \left(\frac{y}{p}\right)\left(a^{\frac{1}{8}(p+3)}\right)^2 \equiv \left(y^{\frac{1}{4}(p-1)} a^{\frac{1}{8}(p+3)}\right)^2 \pmod p$$

for any quadratic nonresidue $y$ mod $p$. Since $p \equiv 5 \pmod 8$, we may simply take $y = 2$.

Examples

1. Let $p = 23$. Clearly 2 is a quadratic residue mod 23. The square roots of 2 are $\pm 2^6 \equiv \pm 18 \equiv \mp 5 \pmod{23}$.

2. Let $p = 29$. Both 6 and 7 are quadratic residues mod 29.

Since $7^7 \equiv 1 \pmod{29}$, the square roots of 7 are $\pm 7^4 \equiv \pm 23 \equiv \mp 6 \pmod{29}$.

On the other hand, since $6^7 \equiv -1 \pmod{29}$, the square roots of 6 are $\pm 2^7 \cdot 6^4 \equiv \pm 12 \cdot 20 \equiv \pm 8 \pmod{29}$.

Proposition 14.1. Let $p$ be an odd prime and $p - 1 = 2^\lambda u$, $u$ odd. Consider the congruence $x^2 \equiv a \pmod p$. Let $b$ be any quadratic nonresidue mod $p$. Assume that $a^u \not\equiv \pm 1 \pmod p$, and that $\mu \ge 1$ is the smallest integer for which $(a^u)^{2^\mu} \equiv -1 \pmod p$.
(a) If $\mu = \lambda - 1$, then the congruence has no solution.
(b) If $\mu \le \lambda - 2$, then $a^u \equiv (b^u)^{2^{\lambda - \mu - 1} k}$ for some odd number $k < 2^{\mu + 1}$. The solutions of the congruence are

$$x \equiv \pm a^{\frac{1}{2}(u+1)} \, b^{2^{\lambda - \mu - 2}(2^{\mu+1} - k) u} \pmod p.$$

Example 14.1. Consider the congruence $x^2 \equiv 215 \pmod{257}$. Here $257 - 1 = 2^8 \cdot 1$. In the notation of the above theorem, $u = 1$. With $a = 215$, the order of $a^u = 215$ modulo 257 is 128:

$$215^2 \equiv 222;\ 215^4 \equiv 197;\ 215^8 \equiv 2;\ 215^{16} \equiv 4;\ 215^{32} \equiv 16;\ 215^{64} \equiv 256 \equiv -1.$$

This means $\mu = 6$. Let $b = 3$, a quadratic nonresidue of 257. The successive powers of $b^u \equiv 3$ are, modulo 257,

$$3^2 \equiv 9;\ 3^4 \equiv 81;\ 3^8 \equiv 136;\ 3^{16} \equiv 249;\ 3^{32} \equiv 64;\ 3^{64} \equiv 241;\ 3^{128} \equiv 256 \equiv -1.$$

Now, $a^u = 215$ should be an odd power of $(b^u)^{2^{\lambda - \mu - 1}} \equiv 3^2 \equiv 9$. In fact,

$$9^3 \equiv 729 \equiv 215 \pmod{257}.$$

This means $k = 3$. The solutions of the congruence are

$$x \equiv \pm 215 \cdot 3^{2^0(2^7 - 3)} \equiv \pm 215 \cdot 3^{125} \equiv \cdots \equiv \pm 230 \equiv \mp 27 \pmod{257}.$$
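The three cases above together give a complete square-root routine for any odd prime modulus. The Python below is an added example, not code from the lecture notes: `sqrt_mod` dispatches on $p \bmod 8$ to the two closed forms and, for $p \equiv 1 \pmod 8$, to Proposition 14.1 as stated, with the two cases $a^u \equiv \pm 1$ that the proposition leaves aside handled directly. The nonresidue $b$ is found by search; function names are mine.

```python
# Added example, not part of the lecture notes.  Square roots modulo an odd
# prime p by the three cases of 14.1: p ≡ 3 (mod 4), p ≡ 5 (mod 8), and
# Proposition 14.1 for the remaining case p ≡ 1 (mod 8).  Names are my own.

def legendre(a, p):
    """(a/p) by Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return 0 if r == 0 else (-1 if r == p - 1 else 1)

def smallest_nonresidue(p):
    return next(b for b in range(2, p) if legendre(b, p) == -1)

def sqrt_prop_14_1(a, p, b=None):
    """One square root of a mod p (p odd prime, p ∤ a) following Proposition 14.1:
    p - 1 = 2^lam * u with u odd, b a quadratic nonresidue.  None if a is a nonresidue."""
    lam, u = 0, p - 1
    while u % 2 == 0:
        lam, u = lam + 1, u // 2
    b = smallest_nonresidue(p) if b is None else b
    au = pow(a, u, p)
    if au == 1:                                  # (a^((u+1)/2))^2 = a^u * a = a
        return pow(a, (u + 1) // 2, p)
    if au == p - 1:                              # a^u ≡ -1: b^(2^(lam-1) u) ≡ -1 cancels the sign
        if lam < 2:
            return None                          # lam = 1: a^((p-1)/2) ≡ -1, a is a nonresidue
        return pow(b, 2 ** (lam - 2) * u, p) * pow(a, (u + 1) // 2, p) % p
    mu = 1                                       # smallest mu with (a^u)^(2^mu) ≡ -1
    while pow(au, 2 ** mu, p) != p - 1:
        mu += 1
    if mu == lam - 1:                            # then a^((p-1)/2) ≡ -1: no solution
        return None
    # a^u is an odd power k < 2^(mu+1) of (b^u)^(2^(lam-mu-1)); find k by search
    base = pow(pow(b, u, p), 2 ** (lam - mu - 1), p)
    k = next(k for k in range(1, 2 ** (mu + 1), 2) if pow(base, k, p) == au)
    e = 2 ** (lam - mu - 2) * (2 ** (mu + 1) - k) * u
    return pow(a, (u + 1) // 2, p) * pow(b, e, p) % p

def sqrt_mod(a, p):
    """Both square roots of a mod p as a sorted pair, or None for a nonresidue."""
    if legendre(a, p) != 1:
        return None
    if p % 4 == 3:
        x = pow(a, (p + 1) // 4, p)
    elif p % 8 == 5:
        x = pow(a, (p + 3) // 8, p)
        if pow(a, (p - 1) // 4, p) == p - 1:     # (2/p) = -1 for p ≡ 5 (mod 8)
            x = x * pow(2, (p - 1) // 4, p) % p
    else:
        x = sqrt_prop_14_1(a, p)
    assert x * x % p == a % p
    return tuple(sorted((x, p - x)))
```

`sqrt_prop_14_1(215, 257, 3)` returns 230, the value reached in Example 14.1, and `sqrt_mod` reproduces the roots $\pm 5$, $\pm 6$ and $\pm 8$ of the examples for $p = 23$ and $p = 29$. The search for $k$ costs up to $2^\mu$ modular exponentiations, which is why this method suits small $\mu$ best.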

14.2 Square roots modulo an odd prime power

The quadratic congruence $x^2 \equiv 2 \pmod 7$ clearly has solutions $x \equiv \pm 3 \pmod 7$. We want to solve the congruence $x^2 \equiv 2 \pmod{7^2}$ by seeking a solution of the form $x \equiv 3 + 7b$:

$$2 \equiv (3 + 7b)^2 = 9 + (6b) \cdot 7 + b^2 \cdot 7^2 \equiv 2 + (1 + 6b) \cdot 7 \pmod{7^2}.$$

Choose $b$ so that $1 + 6b \equiv 0 \pmod 7$. This gives $b \equiv 1 \pmod 7$ and $x \equiv 10 \pmod{7^2}$.

Exercise

1. Show that 9, 16, 23, 30, 37, 44 are all squares modulo 49. (Of course, it is clear for 9 and 16).

Answer: Square roots modulo 49:

     a     2   9  16  23  30  37  44
     √a   10   3  45  38  31  24  17

(Note that these square roots form an arithmetic progression of common difference $42 \pmod{49}$).

2. Proceed to solve the congruences $x^2 \equiv 2 \pmod{7^3}$ and $x^2 \equiv 2 \pmod{7^4}$.

Proposition 14.2. Let $p$ be an odd prime. Suppose $x^2 \equiv a \pmod{p^k}$ has solution $x \equiv c_k \pmod{p^k}$. Let $\gamma$ be the multiplicative inverse of $2c_1 \in \mathbb{Z}_p^\bullet$. Then with

$$b_k \equiv \gamma \cdot \frac{a - c_k^2}{p^k} \pmod p,$$

we have a solution $c_{k+1} = c_k + b_k p^k \pmod{p^{k+1}}$ of $x^2 \equiv a \pmod{p^{k+1}}$.

Example 14.2. The solutions of the congruences $x^2 \equiv 12345 \pmod{7^k}$ for $k \le 8$ are as follows:

     k            1    2    3     4      5       6        7         8
     x mod 7^k    2   37   37   380   5182   89217   677462   3148091

The base 7 expansions of these solutions are $x \equiv \pm (1235521052)_7$; the last $k$ digits give the solution mod $7^k$.
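Proposition 14.2 is the Hensel-lifting step in the form used on this page; since $c_{k+1} \equiv c_1 \pmod p$ throughout, the single inverse $\gamma = (2c_1)^{-1}$ serves at every level. The Python below is an added example, not code from the lecture notes, and reproduces both the $x^2 \equiv 2 \pmod{7^2}$ computation and the table of Example 14.2; function names are mine, and the inverse is taken as $(2c_1)^{p-2} \bmod p$ by Fermat.

```python
# Added example, not part of the lecture notes.  Lifting a square root modulo p
# to modulo p^k by Proposition 14.2, for an odd prime p not dividing a.
# Names are mine.

def sqrt_mod_prime(a, p):
    """Smallest square root of a mod p by exhaustive search (p small), or None."""
    a %= p
    return next((x for x in range(p) if x * x % p == a), None)

def lift_sqrt(a, p, k, c1=None):
    """Square root c_k of a mod p^k with c_k ≡ c1 (mod p).  Each step uses
         c_{j+1} = c_j + b_j p^j,   b_j ≡ gamma (a - c_j^2) / p^j (mod p),
    where gamma is the inverse of 2 c_1 mod p (requires p ∤ a)."""
    c = sqrt_mod_prime(a, p) if c1 is None else c1 % p
    if c is None:
        return None                       # a is a nonresidue mod p: no root mod p^k either
    assert c != 0, "p must not divide a (2c_1 has to be invertible)"
    gamma = pow(2 * c, p - 2, p)          # (2 c_1)^(-1) mod p, by Fermat's little theorem
    for j in range(1, k):
        pj = p ** j
        assert (a - c * c) % pj == 0      # invariant: c^2 ≡ a (mod p^j)
        b = gamma * ((a - c * c) // pj) % p
        c = c + b * pj                    # now c^2 ≡ a (mod p^(j+1))
    return c % p ** k

def to_base(n, base):
    """Digits of n in the given base, most significant first, as a string."""
    digits = []
    while n:
        n, d = divmod(n, base)
        digits.append(str(d))
    return "".join(reversed(digits)) or "0"
```

`lift_sqrt(2, 7, 2, 3)` returns 10, and `lift_sqrt(12345, 7, k, 2)` for $k = 1, \ldots, 8$ returns the table above; `to_base(3148091, 7)` gives the digit string `35521052`, the last eight digits of the expansion quoted.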

14.3 Squares modulo $2^k$

Here are the squares modulo $2^k$, up to $k = 7$ (each line lists only the squares not already present for the smaller modulus).

$\mathbb{Z}_4$: 0, 1;
$\mathbb{Z}_8$: 4;
$\mathbb{Z}_{16}$: 9;
$\mathbb{Z}_{32}$: 16, 17, 25;
$\mathbb{Z}_{64}$: 33, 36, 41, 49, 57;
$\mathbb{Z}_{128}$: 64, 65, 68, 73, 81, 89, 97, 100, 105, 113, 121.

It is easy to see that the analogue of Proposition 8.2.2 is no longer true. For example, 1 is clearly a square in $\mathbb{Z}_4$; but $5 = 1 + 4$ is not a square in $\mathbb{Z}_8$.

Suppose $c \in \mathbb{Z}_{2^k}$ is a square. Let $h$ be the smallest integer such that $c = (a + 2^h)^2$ for some $a \in \mathbb{Z}_{2^{h-1}}$. Since $c = (a + 2^h)^2 = a^2 + 2^{h+1}a + 2^{2h}$, we must have $h + 1 < k$, and $h \le k - 2$.

From this, we infer that 5 is not a square, and the squares in $\mathbb{Z}_8$ are 0, 1, 4. Also, apart from these, the squares in $\mathbb{Z}_{16}$ are $4^2 = 0$, $5^2 = 9$, $6^2 = 4$, and $7^2 = 1$. This means that the squares in $\mathbb{Z}_{16}$ are 0, 1, 4 and 9.

Proposition 14.3. Let $k \ge 3$. For every square $c \in \mathbb{Z}_{2^k}^\bullet$, $c + 2^k$ is a square in $\mathbb{Z}_{2^{k+1}}^\bullet$.

Proof. Clearly, if $c = 1$, $c + 2^k = 1 + 2^k = (1 + 2^{k-1})^2 \in \mathbb{Z}_{2^{k+1}}$. If $c \ne 1$, we write $c = (a + 2^h)^2$ for $1 \le h \le k - 2$ and $a \in \mathbb{Z}_{2^{k-3}}$. Then $(a + 2^h + 2^{k-1})^2 = c + 2^k(a + 2^h) + 2^{2k-2}$. Since $a$ is a unit, modulo $2^{k+1}$ this is $c + 2^k$.

Corollary 14.4. A residue given in binary expansion

$$a = (a_{k-1} a_{k-2} \cdots a_1 a_0)_2$$

is a quadratic residue mod $2^k$ if and only if on the right of the rightmost digit 1 there is an even number (possibly none) of zeros, and on its left there are at least two zeros (digits beyond $a_{k-1}$ count as zeros).
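Corollary 14.4 is a bit test: the zeros to the right of the lowest set bit are the 2-adic valuation, which must be even, and the two bits just above that bit must both be clear (the odd part must be $1 \bmod 8$, or $1 \bmod 4$, or merely odd, depending on how much room the modulus leaves, which the implicit leading zeros take care of). The Python below is an added example, not code from the lecture notes; it checks the bit test against exhaustive squaring for $k \le 9$ and regenerates the "new squares at each level" listing above. Names are mine.

```python
# Added example, not part of the lecture notes.  The binary test of
# Corollary 14.4 for squares modulo 2^k, checked against exhaustive squaring,
# plus the "new squares at each level" listing of 14.3.  Names are mine.

def is_square_mod_2k_binary(c, k):
    """Corollary 14.4: c is a square mod 2^k iff, in binary, the rightmost 1 bit has
    an even number of zeros to its right and at least two zeros immediately to its
    left (bits beyond position k-1 count as zeros).  0 is a square."""
    c %= 2 ** k
    if c == 0:
        return True
    v = (c & -c).bit_length() - 1        # trailing zeros = 2-adic valuation of c
    if v % 2:
        return False
    above = (c >> (v + 1)) & 3           # the two bits just left of the rightmost 1
    return above == 0

def squares_mod_2k(k):
    """All squares modulo 2^k, by brute force."""
    return sorted({x * x % 2 ** k for x in range(2 ** k)})

def new_squares(k):
    """Squares mod 2^k that were not squares mod 2^(k-1) (the page's listing)."""
    prev = set(squares_mod_2k(k - 1))
    return [c for c in squares_mod_2k(k) if c not in prev]
```

`new_squares(7)` returns `[64, 65, 68, 73, 81, 89, 97, 100, 105, 113, 121]`, the $\mathbb{Z}_{128}$ line above; $5 = 101_2$ fails the test because only one zero separates its lowest 1 from the next 1, while $9 = 1001_2$ passes.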

Chapter 15

Primitive roots

Let $a \in \mathbb{Z}_n^\bullet$. By the Fermat-Euler theorem (Theorem 6.1), $a^{\varphi(n)} = 1$, so there is a smallest positive integer $d := \mathrm{ord}_n(a)$ such that $a^d = 1 \in \mathbb{Z}_n^\bullet$. Such an integer, called the order of $a$ in $\mathbb{Z}_n^\bullet$, must be a divisor of $\varphi(n)$.

Example 15.1. (a) $n = 13$; $\varphi(13) = 12$:

     a            1   2   3   4   5   6   7   8   9  10  11  12
     ord_13(a)    1  12   3   6   4  12  12   4   3   6  12   2

In this case, there exist elements of order 12, for example, $a = 2, 6$. This means the first 12 powers of $a$ are all distinct, and hence exhaust all the units of $\mathbb{Z}_{13}^\bullet$:

     n      1   2   3   4   5   6   7   8   9  10  11  12
     2^n    2   4   8   3   6  12  11   9   5  10   7   1
     6^n    6  10   8   9   2  12   7   3   5   4  11   1

In this case, the group of units $\mathbb{Z}_{13}^\bullet$ is a cyclic group, with generator $a$. A generator of $\mathbb{Z}_n^\bullet$ is called a primitive root for $n$.

(b) $n = 16$; $\varphi(16) = 8$:

     a            1   3   5   7   9  11  13  15
     ord_16(a)    1   4   4   2   2   4   4   2

The group $\mathbb{Z}_{16}^\bullet$ is not cyclic in this case, and there is no primitive root for 16.

Proposition 15.1. If $\mathrm{ord}_n(a) = t$, then

$$\mathrm{ord}_n(a^k) = \frac{t}{\gcd(t, k)}.$$

Exercise 1. Let $p$ be a prime. If in $\mathbb{Z}_p^\bullet = \mathbb{Z}_p \setminus \{0\}$ there is an element of order $t$, then there are exactly $\varphi(t)$ elements of order $t$.


Theorem 15.2. Let $p$ be an odd prime.
(a) For each divisor $t$ of $p - 1$, there are exactly $\varphi(t)$ elements of $\mathbb{Z}_p^\bullet = \mathbb{Z}_p \setminus \{0\}$ of order $t$.
(b) There are exactly $\varphi(p - 1)$ primitive roots for $p$.

Smallest primitive root $g$ for prime $p$ (primes marked with an asterisk admit 10 as a primitive root):

     p    3   5   7*  11  13  17* 19* 23* 29* 31  37  41  43  47* 53  59* 61* 67  71  73  79  83  89  97* 101
     g    2   2   3   2   2   3   2   5   2   3   2   6   3   5   2   2   2   2   7   5   3   2   3   5   2

Example 15.2. Let $p$ be a Sophie Germain prime, i.e., $q = 2p + 1$ is also prime.
(i) If $p \equiv 1 \pmod 4$, then $p + 1$ is a primitive root modulo $q$.
(ii) If $p \equiv 3 \pmod 4$, then $p$ is a primitive root modulo $q$.

Proof. If $p \equiv 1 \pmod 4$, then $q \equiv 3 \pmod 8$, so $\left(\frac{2}{q}\right) = -1$ by Theorem 13.2. Since $2p + 2 \equiv 1 \pmod q$,

$$1 = \left(\frac{1}{q}\right) = \left(\frac{2p + 2}{q}\right) = \left(\frac{2}{q}\right)\left(\frac{p + 1}{q}\right),$$

so $\left(\frac{p+1}{q}\right) = -1$. By Euler's criterion, $(p + 1)^p \equiv \left(\frac{p+1}{q}\right) = -1 \pmod q$. The order of $p + 1$ mod $q$ divides $q - 1 = 2p$ but is not $p$ (and not 1 or 2, since $p + 1 \not\equiv \pm 1 \pmod q$), so it is $2p$, and $p + 1$ is a primitive root.

Next, if $p \equiv 3 \pmod 4$, then $q \equiv 7 \pmod 8$, so $\left(\frac{2}{q}\right) = 1$, and $2p \equiv -1 \pmod q$ gives

$$-1 = \left(\frac{-1}{q}\right) = \left(\frac{2p}{q}\right) = \left(\frac{2}{q}\right)\left(\frac{p}{q}\right) = \left(\frac{p}{q}\right).$$

Again, $p^p \equiv -1 \pmod q$, so the order of $p$ is $2p$, and $p$ is a primitive root for $q$.

The beginning Sophie Germain primes

     4k + 1:   5   29   41   53   89  113  173  233  ...
     4k + 3:   3   11   23   83  131  179  191  239  ...

Exercises
2. If $p$ is a Fermat prime, then every quadratic nonresidue mod $p$ is a primitive root for $p$.
3. If $p \equiv 3 \pmod 4$ and $q = \frac{1}{2}(p - 1)$ are both primes, then $-3$ is a primitive root for $p$.
4. Let $p \equiv 3 \pmod 4$ be a prime. If $a \in \mathbb{Z}_p^\bullet$ has order $\frac{1}{2}(p - 1)$, then $-a$ is a primitive root for $p$.
5. If $p \equiv 3 \pmod 8$ and $q = \frac{1}{2}(p - 1)$ are both primes, then 2 is a primitive root for $p$.


6. If $p \equiv 7 \pmod 8$ and $q = \frac{1}{2}(p - 1)$ are both primes, then $-2$ is a primitive root for $p$.
7. Referring to Example 8.2.7 above, how many primitive roots does 73 have? List them. What about 29?
8. For an odd prime $p$, a primitive root for $p^k$ is also a primitive root for $p$.
9. If $g$ is a primitive root for an odd prime $p$ and if $g^{p-1} - 1$ is divisible by $p^2$, then $g$ is not a primitive root for $p^k$, $k \ge 2$.
10. Let $g$ be a primitive root for an odd prime $p$.
(a) If $p \equiv 1 \pmod 4$, then $-g$ is also a primitive root for $p$.
(b) If $p \equiv 3 \pmod 4$, then $-g$ has order $\frac{1}{2}(p - 1)$ in $\mathbb{Z}_p^\bullet$.

Artin's conjecture: If $g$ is a nonzero integer, not a square nor $-1$, then there are infinitely many primes $p$ such that $g$ is a primitive root mod $p$.

Theorem 15.3. A positive integer $n$ admits primitive roots if and only if $n$ is $1, 2, 4, p^a$ or $2p^a$ for an odd prime $p$ and $a \ge 1$.

15.1 Periodicity of decimal expansions of rational numbers

Let $r = \frac{a}{b}$ be a reduced fraction in which $b = 2^h 5^k n$, with $\gcd(n, 10) = 1$. If $l = \max(h, k)$, then the decimal expansion of $r$ becomes periodic after $l$ terms, and the length of the period is the order of 10 in the group of units $\mathbb{Z}_n^\bullet$. In particular, if $p$ is a prime admitting 10 as a primitive root, then the decimal expansion of $\frac{1}{p}$ is periodic with period $p - 1$. For example,

$$\frac{1}{17} = 0.\overline{0588235294117647};$$

$$\frac{1}{19} = 0.\overline{052631578947368421};$$

$$\frac{1}{23} = 0.\overline{0434782608695652173913};$$

$$\frac{1}{29} = 0.\overline{0344827586206896551724137931}.$$

Example 15.3. The prime 31 does not admit 10 as a primitive root. To find the period of $\frac{1}{31}$, we determine the order of 10 in $\mathbb{Z}_{31}^\bullet$. Now, 3 is a primitive root of 31, and $3^{14} \equiv 10 \pmod{31}$. By Proposition 15.1, $\mathrm{ord}_{31}(10) = 30/\gcd(30, 14) = 15$:

$$\frac{1}{31} = 0.\overline{032258064516129}.$$
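Everything in this chapter reduces to computing orders in $\mathbb{Z}_n^\bullet$: Theorem 15.2 counts elements by order, a primitive root is an element of order $\varphi(n)$, Example 15.2 is a claim about the order of $p$ or $p + 1$ mod $2p + 1$, and the period of $1/n$ in section 15.1 is $\mathrm{ord}_n(10)$. The Python below is an added example covering both the primitive-root material and section 15.1; it is not code from the lecture notes, and all function names are mine.

```python
# Added example, not part of the lecture notes.  Orders and primitive roots in
# Z_n^*, Theorem 15.2 (phi(t) elements of each order t | p-1), the Sophie
# Germain rule of Example 15.2, and the period of 1/n as ord_n(10).  Names mine.

from math import gcd

def order(a, n):
    """Multiplicative order of a in Z_n^*; requires gcd(a, n) = 1."""
    assert gcd(a, n) == 1
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k

def phi(n):
    """Euler's totient, by counting."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def order_counts(p):
    """{t: number of elements of Z_p^* of order t}; Theorem 15.2 says phi(t) for each t | p-1."""
    counts = {}
    for a in range(1, p):
        t = order(a, p)
        counts[t] = counts.get(t, 0) + 1
    return counts

def primitive_roots(n):
    """Elements of Z_n^* of order phi(n); empty when n admits no primitive root."""
    return [a for a in range(1, n) if gcd(a, n) == 1 and order(a, n) == phi(n)]

def smallest_primitive_root(p):
    roots = primitive_roots(p)
    return roots[0] if roots else None

def sophie_germain_root(p):
    """Example 15.2: for a Sophie Germain prime p (q = 2p+1 prime), p+1 is a
    primitive root mod q when p ≡ 1 (mod 4), and p is one when p ≡ 3 (mod 4)."""
    q = 2 * p + 1
    assert is_prime(p) and is_prime(q)
    g = p + 1 if p % 4 == 1 else p
    assert order(g, q) == q - 1
    return g

def decimal_period(n):
    """Period length of the decimal expansion of 1/n, for gcd(n, 10) = 1: ord_n(10)."""
    return order(10, n)

def repeating_digits(n):
    """The repeating block of 1/n (gcd(n, 10) = 1), by long division."""
    digits, r = [], 1
    for _ in range(decimal_period(n)):
        r *= 10
        digits.append(str(r // n))
        r %= n
    return "".join(digits)
```

`order_counts(13)` gives one element each of orders 1 and 2, two each of orders 3, 4 and 6, and four of order 12, matching Example 15.1(a) and $\varphi(12) = 4$; `primitive_roots(16)` is empty; `decimal_period(31)` is 15 and `repeating_digits(31)` is the block shown in Example 15.3.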


Chapter 16

Sums of two and four squares

16.1 Fermat's two-square theorem

Theorem 16.1. Let $p$ be an odd prime. $p$ is a sum of two squares if and only if $p \equiv 1 \pmod 4$. In this case, the expression is unique.

Proof. (Euler) Since $p \equiv 1 \pmod 4$, $-1$ is a quadratic residue mod $p$, so the equation $x^2 + y^2 = mp$ is solvable in integers for some $m$ (take $y = 1$ and $x$ a square root of $-1$). We want to show that the smallest possible value of $m$ is 1. Note that we may choose $|x|, |y| < \frac{p}{2}$ so that $m < \frac{p}{2}$. If $m \ne 1$, it cannot divide both of $x$ and $y$, for otherwise $m^2 \mid x^2 + y^2 = mp$ and $m \mid p$, contrary to $m < \frac{p}{2}$.

Now choose integers $a$ and $b$ such that $x_1 = x - am$ and $y_1 = y - bm$ satisfy $|x_1|, |y_1| \le \frac{m}{2}$. Note that $x_1$ and $y_1$ cannot be both zero, and

$$0 < x_1^2 + y_1^2 \le \frac{m^2}{2}.$$

Since $x_1^2 + y_1^2 \equiv x^2 + y^2 \equiv 0 \pmod m$, it follows that $x_1^2 + y_1^2 = m'm$ for some $m' \le \frac{m}{2} < m$. Now,

$$m^2 m' p = (x^2 + y^2)(x_1^2 + y_1^2) = (xx_1 + yy_1)^2 + (xy_1 - yx_1)^2,$$

and

$$xx_1 + yy_1 = x(x - am) + y(y - bm) = (x^2 + y^2) - (ax + by)m = mX,$$
$$xy_1 - yx_1 = x(y - bm) - y(x - am) = m(-bx + ay) = mY$$

for some integers $X$ and $Y$. From this it follows that

$$X^2 + Y^2 = m'p$$

with $m' < m$. By descent, we finally reach an equation $x^2 + y^2 = p$.

Uniqueness: If $p = a^2 + b^2 = x^2 + y^2$, where $a < b$ and $x < y$ are all positive, then

$$p^2 = (a^2 + b^2)(x^2 + y^2) = (ax + by)^2 + (ay - bx)^2 = (ax - by)^2 + (ay + bx)^2.$$


Note that

$$(ax + by)(ay + bx) = ab(x^2 + y^2) + (a^2 + b^2)xy = p(ab + xy).$$

This means that one of $ax + by$ and $ay + bx$ is divisible by $p$. Since $0 < ax + by,\ ay + bx \le p$ by the two expressions of $p^2$ above, the one divisible by $p$ equals $p$, and its companion square vanishes: we must have $ay - bx = 0$ or $ax - by = 0$. In other words, $\frac{x}{y} = \frac{a}{b}$ or $\frac{b}{a}$. Since $a < b$ and $x < y$, indeed $\frac{x}{y} = \frac{a}{b}$. It follows that we must have $x = a$ and $y = b$.

16.2 Representation of integers as sums of two squares

We say that a representation $n = x^2 + y^2$ is primitive if $\gcd(x, y) = 1$.

Lemma 16.2. If $n$ has a prime divisor $q \equiv 3 \pmod 4$, then it does not have a primitive representation.

Proof. Suppose to the contrary that $n = x^2 + y^2$ is a primitive representation. Since $q$ divides $n$, it does not divide any of $x$ and $y$ (if it divided one, it would divide the other). In the field $\mathbb{Z}_q$, we write $y = ax$ for some $a$. This means that $0 = x^2 + y^2 = x^2(1 + a^2)$. Since $x \ne 0$, we have $a^2 = -1$ in $\mathbb{Z}_q$, $q \equiv 3 \pmod 4$, a contradiction.

Theorem 16.3. Let

$$n = 2^a \prod_i p_i^{b_i} \prod_j q_j^{c_j}$$

be the prime factorization of $n$ in which the $p$'s and $q$'s are respectively primes of the form $4k + 1$ and $4k + 3$. The number $n$ is expressible as a sum of two squares if and only if each of the exponents $c_j$ is even.

Proof. (Sufficiency) Since $2 = 1^2 + 1^2$, and every $p_i$ is a sum of two squares, if every $c_j$ is even, by repeatedly using the composition formula

$$(a^2 + b^2)(x^2 + y^2) = (ax + by)^2 + (ay - bx)^2$$

we easily obtain $n$ as a sum of two squares.

(Necessity) Let $n$ be divisible by a prime $q \equiv 3 \pmod 4$, with highest power $q^c$, $c$ odd. Consider a representation $n = x^2 + y^2$, with $\gcd(x, y) = d \ge 1$. Let $q^{c'}$ be the highest power of $q$ dividing $d$. (Possibly, $c' = 0$.) Write $x = dX$, $y = dY$. Then $\gcd(X, Y) = 1$. Let $N = X^2 + Y^2$. The highest power of $q$ dividing $N$ is $q^{c - 2c'}$. This is positive since $c$ is odd, contradicting Lemma 16.2 above.

16.3 Lagrange's four-square theorem

Theorem 16.4. Every positive integer can be represented as a sum of four squares of nonnegative integers.


Lemma 16.5 (4-square identity).

$$(x_1^2 + x_2^2 + x_3^2 + x_4^2)(y_1^2 + y_2^2 + y_3^2 + y_4^2) = z_1^2 + z_2^2 + z_3^2 + z_4^2,$$

where

$z_1 = x_1 y_1 + x_2 y_2 + x_3 y_3 + x_4 y_4$,
$z_2 = x_1 y_2 - x_2 y_1 + x_3 y_4 - x_4 y_3$,
$z_3 = x_1 y_3 - x_2 y_4 - x_3 y_1 + x_4 y_2$,
$z_4 = x_1 y_4 + x_2 y_3 - x_3 y_2 - x_4 y_1$.

Therefore it is enough to prove Lagrange's theorem for prime numbers.

Lemma 16.6. Let $p$ be a prime number. There are integers $x$ and $y$ such that $x^2 + y^2 + 1 \equiv 0 \pmod p$.

Proof. (For $p = 2$ take $x = 1$, $y = 0$.) For odd $p$, the set $S := \{x^2 \in \mathbb{Z}_p : x \in \mathbb{Z}\}$ has exactly $\frac{p+1}{2}$ elements; so does the set $T := \{-(x^2 + 1) \in \mathbb{Z}_p : x \in \mathbb{Z}\}$. Now,

$$|S \cap T| = |S| + |T| - |S \cup T| \ge \frac{p+1}{2} + \frac{p+1}{2} - p = 1.$$

Therefore, there are integers $x$ and $y$ satisfying $x^2 \equiv -(y^2 + 1) \pmod p$, i.e., $x^2 + y^2 + 1 \equiv 0 \pmod p$.

16.3.1 Descent

Let $p$ be a prime number. There are integers $x$ and $y$ such that $x^2 + y^2 + 1$ is divisible by $p$. We write this in the form $x_1^2 + x_2^2 + x_3^2 + x_4^2 = kp$ for some integer $k$ (with $x_3 = 1$, $x_4 = 0$). Clearly, we may assume $|x_1|, |x_2|, |x_3|, |x_4| \le \frac{p-1}{2} < \frac{p}{2}$. This means $kp < 4 \cdot \left(\frac{p}{2}\right)^2 = p^2$ and $k < p$. If $k \ne 1$, we shall show that $x_1, x_2, x_3, x_4$ can be replaced by another quadruple with a smaller $k$. Then, by descent, we shall ultimately reach $k = 1$.

Suppose $k$ is even. Then an even number of the $x_i$ are odd, so we may assume $x_1 \equiv x_2 \pmod 2$ and $x_3 \equiv x_4 \pmod 2$. Then

$$\left(\frac{x_1 + x_2}{2}\right)^2 + \left(\frac{x_1 - x_2}{2}\right)^2 + \left(\frac{x_3 + x_4}{2}\right)^2 + \left(\frac{x_3 - x_4}{2}\right)^2 = \frac{x_1^2 + x_2^2 + x_3^2 + x_4^2}{2} = \frac{k}{2} \cdot p,$$

with a smaller multiplier for $p$.


Suppose $k$ is odd. For $i = 1, 2, 3, 4$, choose $y_i \equiv x_i \pmod k$ with $|y_i| < \frac{k}{2}$. Note that $y_1^2 + y_2^2 + y_3^2 + y_4^2 \equiv x_1^2 + x_2^2 + x_3^2 + x_4^2 \equiv 0 \pmod k$. Write $y_1^2 + y_2^2 + y_3^2 + y_4^2 = kq$ for some $q < k$ (the left side is less than $4 \cdot \frac{k^2}{4} = k^2$). Note that $q$ must be nonzero: otherwise every $y_i = 0$, so $k$ divides each $x_i$, $k^2 \mid kp$ and $k \mid p$, which is impossible for $1 < k < p$.

Apply the four-square identity to the two quadruples $x_i$ and $y_i$. The left hand side is $(kp)(kq) = k^2 pq$. On the right hand side, $z_2, z_3, z_4$ are clearly divisible by $k$ (substituting $y_i \equiv x_i$ makes each of them vanish mod $k$); so is $z_1$ because $z_1 = x_1 y_1 + x_2 y_2 + x_3 y_3 + x_4 y_4 \equiv x_1^2 + x_2^2 + x_3^2 + x_4^2 \equiv 0 \pmod k$. Writing $z_i = k w_i$ for $i = 1, 2, 3, 4$, we have, from the 4-square identity, $w_1^2 + w_2^2 + w_3^2 + w_4^2 = qp$ for $q < k$.
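The proof of 16.3 is already an algorithm: Lemma 16.6 supplies a starting quadruple with multiplier $k < p$, the two descent steps shrink $k$ until it is 1, and Lemma 16.5 composes the representations of the prime factors. The Python below is an added example that follows those steps literally; it is not code from the lecture notes, and the function names are mine.

```python
# Added example, not part of the lecture notes.  Lagrange's four-square theorem
# as an algorithm, following 16.3 exactly: Lemma 16.6 gives x^2 + y^2 + 1 ≡ 0
# (mod p), the descent of 16.3.1 reduces the multiplier k to 1, and Lemma 16.5
# composes the prime factors.  Names are mine.

def four_square_product(x, y):
    """Lemma 16.5: (z1, z2, z3, z4) with sum(z_i^2) = sum(x_i^2) * sum(y_i^2)."""
    x1, x2, x3, x4 = x
    y1, y2, y3, y4 = y
    return (x1*y1 + x2*y2 + x3*y3 + x4*y4,
            x1*y2 - x2*y1 + x3*y4 - x4*y3,
            x1*y3 - x2*y4 - x3*y1 + x4*y2,
            x1*y4 + x2*y3 - x3*y2 - x4*y1)

def centered(a, m):
    """Residue of a mod m of least absolute value, in (-m/2, m/2]."""
    r = a % m
    return r - m if 2 * r > m else r

def lemma_16_6(p):
    """x, y with x^2 + y^2 + 1 ≡ 0 (mod p) for odd p, by intersecting S and T."""
    S = {x * x % p: x for x in range((p + 1) // 2)}          # the (p+1)/2 squares
    for y in range((p + 1) // 2):
        t = (-(y * y + 1)) % p                               # an element of T
        if t in S:
            return S[t], y
    raise AssertionError("unreachable: |S| + |T| > p")

def four_squares_prime(p):
    """Descent of 16.3.1: from x1^2 + ... + x4^2 = kp with k < p down to k = 1."""
    if p == 2:
        return (0, 0, 1, 1)
    x, y = lemma_16_6(p)
    v = [centered(x, p), centered(y, p), 1, 0]
    k = sum(t * t for t in v) // p
    while k > 1:
        if k % 2 == 0:
            v.sort(key=lambda t: t % 2)          # evens first, then odds: pairs of equal parity
            a, b, c, d = v
            v = [(a + b) // 2, (a - b) // 2, (c + d) // 2, (c - d) // 2]
            k //= 2
        else:
            w = [centered(t, k) for t in v]      # |w_i| < k/2, w_i ≡ v_i (mod k)
            q = sum(t * t for t in w) // k       # sum w_i^2 = kq with 0 < q < k
            z = four_square_product(v, w)        # sum z_i^2 = k^2 p q, every z_i divisible by k
            v = [t // k for t in z]
            k = q
    assert sum(t * t for t in v) == p
    return tuple(sorted(abs(t) for t in v))

def four_squares(n):
    """Four nonnegative squares summing to n: factor n, compose with Lemma 16.5."""
    rep = (1, 0, 0, 0)
    m, p = n, 2
    while p * p <= m:
        while m % p == 0:
            rep = four_square_product(rep, four_squares_prime(p))
            m //= p
        p += 1
    if m > 1:
        rep = four_square_product(rep, four_squares_prime(m))
    rep = tuple(sorted(abs(t) for t in rep))
    assert sum(t * t for t in rep) == n
    return rep
```

For $p = 23$, Lemma 16.6 gives $8^2 + 2^2 + 1 = 69 = 3 \cdot 23$; one odd step with $k = 3$ produces $3^2 + 2^2 + 3^2 + 1^2 = 23$. `four_squares(n)` runs the same machinery over the factorization of any $n \ge 1$.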


Chapter 17

Finite continued fractions

17.1 Euler's function $F$ for finite continued fractions

Every rational number $\frac{a}{b}$ can be written as a finite continued fraction in the form

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{\ddots + \cfrac{1}{q_n}}}},$$

where $q_1, q_2, \ldots, q_n$ are the quotients in the Euclidean algorithm sequence for $(a, b)$: putting $r_0 = a$, $r_1 = b$, we define $q_k$ and $r_k$ for $k = 1, \ldots, n$ by

$r_0 = r_1 q_1 + r_2$,
$r_1 = r_2 q_2 + r_3$,
$\vdots$
$r_{n-2} = r_{n-1} q_{n-1} + r_n$,
$r_{n-1} = r_n q_n$.

Here, $q_k = \lfloor \frac{r_{k-1}}{r_k} \rfloor$, and

$$r_1 > r_2 > r_3 > \cdots > r_n > 0.$$

The number $r_n$ is the gcd of $a$ and $b$. If we assume the rational number given in its lowest terms, then $r_n = 1$.

We shall write the continued fraction above simply as $[q_1, q_2, \ldots, q_n]$. Now, it is easy to compute the following.

$$[q_1] = \frac{q_1}{1},$$


$$[q_1, q_2] = \frac{q_1 q_2 + 1}{q_2},$$

$$[q_1, q_2, q_3] = \frac{q_1 q_2 q_3 + q_1 + q_3}{q_2 q_3 + 1},$$

$$[q_1, q_2, q_3, q_4] = \frac{q_1 q_2 q_3 q_4 + q_1 q_2 + q_1 q_4 + q_3 q_4 + 1}{q_2 q_3 q_4 + q_2 + q_4},$$

$\vdots$

Euler has given a very elegant procedure of computing finite continued fractions:

$$[q_1, q_2, \ldots, q_k] = \frac{F(q_1, q_2, \ldots, q_k)}{F(q_2, \ldots, q_k)},$$

where $F$ is the function obtained in the following way: $F(q_1, q_2, \ldots, q_k)$ is the sum of $q_1 q_2 \cdots q_k$ and all products obtained by deleting pairs of consecutive factors, with the stipulation that if $k$ is even, deleting all consecutive pairs leads to the empty product 1. (Thus $F() = 1$ and $F(q_1) = q_1$.)

Note that

$F(q_1, q_2, \ldots, q_k) = F(q_k, \ldots, q_2, q_1)$;
$F(q_1, q_2, \ldots, q_{k+1}) = F(q_1, q_2, \ldots, q_{k-1}) + q_{k+1} F(q_1, q_2, \ldots, q_k)$.

In the euclidean algorithm sequence (for $\frac{a}{b}$ in lowest terms),

$$r_k = F(q_{k+1}, q_{k+2}, \ldots, q_n),$$

for $k = 0, 1, 2, \ldots, n$.
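The recurrence for $F$ makes it a two-register computation, and the relation $r_k = F(q_{k+1}, \ldots, q_n)$ means the whole Euclidean remainder sequence can be read back from the quotients alone. The Python below is an added example, not code from the lecture notes; it evaluates $F$, compares Euler's quotient formula with direct nesting, and recovers the remainders of the Euclidean algorithm from the continuants. Function names are mine.

```python
# Added example, not part of the lecture notes.  Euler's continuant F, its use
# for evaluating [q_1, ..., q_n] exactly, and the identity r_k = F(q_{k+1}..q_n)
# for the euclidean remainders.  Names are mine.

from fractions import Fraction

def euclid_quotients(a, b):
    """Quotients q_1..q_n and remainders r_0..r_n of the euclidean algorithm on
    r_0 = a, r_1 = b > 0 (the final remainder 0 is dropped, so r_n = gcd(a, b))."""
    qs, rs = [], [a, b]
    while rs[-1] != 0:
        q, r = divmod(rs[-2], rs[-1])
        qs.append(q)
        rs.append(r)
    return qs, rs[:-1]

def continuant(qs):
    """F(q_1, ..., q_k) by F(q_1..q_{k+1}) = F(q_1..q_{k-1}) + q_{k+1} F(q_1..q_k),
    started from F() = 1 and the convention F(nothing before that) = 0."""
    prev, cur = 0, 1
    for q in qs:
        prev, cur = cur, prev + q * cur
    return cur

def continued_fraction_value(qs):
    """[q_1, ..., q_k] = F(q_1, ..., q_k) / F(q_2, ..., q_k), as an exact fraction."""
    return Fraction(continuant(qs), continuant(qs[1:]))

def nested_value(qs):
    """Direct evaluation q_1 + 1/(q_2 + 1/(...)), for comparison."""
    x = Fraction(qs[-1])
    for q in reversed(qs[:-1]):
        x = q + 1 / x
    return x

def remainders_from_continuants(qs):
    """r_k = F(q_{k+1}, ..., q_n) for k = 0..n, for a fraction in lowest terms."""
    return [continuant(qs[k:]) for k in range(len(qs) + 1)]
```

With $(q_1, q_2, q_3, q_4) = (1, 2, 3, 4)$ one gets $F = 43$ and $F(2, 3, 4) = 30$, so $[1, 2, 3, 4] = \frac{43}{30}$, and the Euclidean algorithm on $(43, 30)$ returns the quotients $1, 2, 3, 4$ with remainders $43, 30, 13, 4, 1$, which are exactly $F(1,2,3,4), F(2,3,4), F(3,4), F(4), F()$.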

17.2 Cornacchia's algorithm for a prime as a sum of two squares

Like the sequence $r_k$, we use the same recurrence relation $r_{k+1} = r_{k-1} - q_k r_k$ to generate two sequences $s_k$ and $t_k$, using the same $q_k$ but with different initial values

$s_0 = 1$, $s_1 = 0$; $\quad t_0 = 0$, $t_1 = 1$.

It is clear that $r_k = a s_k + b t_k$ for each $k$.

Proposition 17.1. (1) $r_k = a s_k + b t_k$ for every $k$. In particular, $b t_k \equiv r_k \pmod a$.
(2) The sequences $(s_k)$ and $(t_k)$ are alternating in sign. More precisely,

$$s_k = (-1)^k |s_k| \qquad \text{and} \qquad t_k = (-1)^{k+1} |t_k|,$$

for $k = 0, 1, 2, \ldots, n + 1$.


(3) The sequences $(|s_k|)$ and $(|t_k|)$ satisfy

$$|s_{k+1}| = |s_{k-1}| + q_k |s_k|, \qquad |t_{k+1}| = |t_{k-1}| + q_k |t_k|.$$

(4) The sequence $(|t_k|)$ is increasing. Consequently, the reversal of $(|t_k|)$ is a euclidean algorithm sequence.

Theorem 17.2 (Cornacchia). Let $p \equiv 1 \pmod 4$ be a prime, and $q$ the "smaller positive square root" of $-1$ mod $p$ (the one with $q < \frac{p}{2}$). If $x$ and $y$ are the first two remainders smaller than $\sqrt p$ in the euclidean algorithm sequence of $(p, q)$, then $p = x^2 + y^2$.

Proof. In the euclidean algorithm table for the pair $(a, b) = (p, q)$ (ending in $n$ divisions), we make the following observations.
(1) $n$ is even.
(2) The sequence $(|t_k|)$ is the reversal of $(r_k)$; i.e., $|t_k| = r_{n+1-k}$ for every $k \le n$.
(3) The sequence $(q_k)$ is palindromic; i.e., $q_{n+1-k} = q_k$ for every $k \le n$.
(4) $r_k^2 + t_k^2$ is divisible by $p$ for every $k$.
(5) Let $n = 2m$. In the sequence $(r_k)$, $r_m$ is the first term smaller than $\sqrt p$.

Clearly, $|t_{n+1}| = p$. Since $r_n = 1$, we have $q t_n \equiv 1 \pmod p$, and, as $q^2 \equiv -1$, $t_n \equiv -q \pmod p$. Since $|t_n| < |t_{n+1}| = p$, it follows that $t_n = -q$ or $p - q$. The reversal of $(|t_k|)$ is a euclidean algorithm sequence beginning with $p, |t_n|$ and ending in exactly $n$ divisions (as the sequence $(r_k)$ does). If $|t_n| = p - q$, the sequence of divisions would be

$$p,\ p - q,\ q,\ \ldots$$

(because $p - q > q$), which would be longer than the division sequence of $(p, q)$, a contradiction. Thus $t_n = -q = (-1)^{n+1} |t_n|$, so
(1) $n$ is even, and
(2) the reversal of the sequence $(|t_k|)$ is the euclidean algorithm sequence of $(p, q)$, which is exactly the sequence $(r_k)$.
(3) is an immediate consequence of (2).
(4) follows from $q t_k \equiv r_k \pmod p$. Squaring, we have $r_k^2 \equiv q^2 t_k^2 \equiv -t_k^2 \pmod p$, and $r_k^2 + t_k^2 \equiv 0 \pmod p$.

(5) Write $n = 2m$. Note that $r_m = F(q_{m+1}, q_{m+2}, \ldots, q_{2m})$, and $p = r_0 = F(q_1, q_2, \ldots, q_{2m})$. Now,

$$r_m^2 = r_m \cdot r_m = F(q_{m+1}, \ldots, q_{2m}) F(q_{m+1}, \ldots, q_{2m}) = F(q_m, q_{m-1}, \ldots, q_1) F(q_{m+1}, \ldots, q_{2m}) = F(q_1, \ldots, q_m) F(q_{m+1}, \ldots, q_{2m}).$$

It is clear that each term in the product is contained in $F(q_1, q_2, \ldots, q_{2m})$. This shows that $r_m^2 < p$. On the other hand,

$$r_{m-1}^2 = r_{m-1} \cdot r_{m-1}$$


$$= F(q_m, q_{m+1}, \ldots, q_{2m}) F(q_m, q_{m+1}, \ldots, q_{2m}) = F(q_{m+1}, q_m, q_{m-1}, \ldots, q_1) F(q_m, q_{m+1}, \ldots, q_{2m}) = F(q_1, \ldots, q_m, q_{m+1}) F(q_m, q_{m+1}, \ldots, q_{2m}).$$

Every product in $F(q_1, q_2, \ldots, q_{2m})$ is contained in this product. This shows that $r_{m-1}^2 > p$.

Now, since $r_m^2 + r_{m+1}^2 = r_m^2 + t_{n-m}^2 = r_m^2 + t_m^2$ is divisible by $p$, and $r_{m+1} < r_m < \sqrt p$, the sum $r_m^2 + r_{m+1}^2$, being positive and smaller than $2p$, must be $p$.
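Cornacchia's theorem turns Fermat's two-square theorem into a computation: one square root of $-1$ (obtainable as $c^{(p-1)/4}$ for any quadratic nonresidue $c$, by Euler's criterion), then a Euclidean algorithm. The Python below is an added example, not code from the lecture notes; it builds the $(q_k, r_k, s_k, t_k)$ table of Proposition 17.1, applies Theorem 17.2, and then uses the composition formula of 16.2 to carry Theorem 16.3 through for composite $n$. Function names are mine.

```python
# Added example, not part of the lecture notes.  Cornacchia's algorithm
# (Theorem 17.2) for a prime p ≡ 1 (mod 4), the euclidean table of
# Proposition 17.1, and Theorem 16.3 for general n via the composition
# formula (a^2+b^2)(x^2+y^2) = (ax+by)^2 + (ay-bx)^2.  Names are mine.

def sqrt_minus_one(p):
    """Smaller positive q with q^2 ≡ -1 (mod p), for a prime p ≡ 1 (mod 4):
    q = c^((p-1)/4) for the first quadratic nonresidue c (Euler's criterion)."""
    for c in range(2, p):
        if pow(c, (p - 1) // 2, p) == p - 1:
            q = pow(c, (p - 1) // 4, p)
            return min(q, p - q)

def euclid_table(a, b):
    """Rows (q_k, r_k, s_k, t_k) with r_k = a s_k + b t_k, from r_0 = a, r_1 = b,
    using the same recurrence x_{k+1} = x_{k-1} - q_k x_k for r, s and t."""
    rows = [(None, a, 1, 0), (None, b, 0, 1)]
    while rows[-1][1] != 0:
        (_, r0, s0, t0), (_, r1, s1, t1) = rows[-2], rows[-1]
        q = r0 // r1
        rows.append((q, r0 - q * r1, s0 - q * s1, t0 - q * t1))
    return rows

def cornacchia(p):
    """p = x^2 + y^2 from the first two euclidean remainders of (p, q) below sqrt(p)."""
    q = sqrt_minus_one(p)
    rs = [r for (_, r, _, _) in euclid_table(p, q)]
    m = next(i for i, r in enumerate(rs) if r * r < p)
    x, y = rs[m], rs[m + 1]
    assert x * x + y * y == p
    return x, y

def two_squares(n):
    """Theorem 16.3: (x, y) with n = x^2 + y^2, or None if some prime q ≡ 3 (mod 4)
    divides n to an odd power.  Primes p ≡ 1 (mod 4) come from cornacchia(),
    2 = 1^2 + 1^2, and q^2 = q^2 + 0^2; factors are combined by composition."""
    assert n >= 1
    x, y = 1, 0                          # 1 = 1^2 + 0^2
    m, p = n, 2
    while m > 1:
        if p * p > m:
            p = m                        # the remaining cofactor is prime
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        if e == 0:
            p += 1
            continue
        if p % 4 == 3:
            if e % 2:
                return None              # odd power of a prime ≡ 3 (mod 4)
            a, b = p ** (e // 2), 0
            x, y = x * a + y * b, x * b - y * a
        else:
            a, b = (1, 1) if p == 2 else cornacchia(p)
            for _ in range(e):
                x, y = x * a + y * b, x * b - y * a
        p += 1
    x, y = abs(x), abs(y)
    assert x * x + y * y == n
    return tuple(sorted((x, y)))
```

For $p = 97$ the nonresidue 5 gives $q = 5^{24} \equiv 22$, the table for $(97, 22)$ has quotients $4, 2, 2, 4$ (palindromic, $n = 4$ even) and remainders $97, 22, 9, 4, 1$, and the first two below $\sqrt{97}$ give $97 = 9^2 + 4^2$.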


Chapter 18

Infinite continued fractions

Associated with an infinite continued fraction $[q_0, q_1, q_2, q_3, \ldots, q_n, \ldots]$ is a sequence of convergents which are finite continued fractions:

$$\frac{P_k}{Q_k} = [q_0, q_1, \ldots, q_k].$$

The numerators $P_k$ and denominators $Q_k$ can be determined recursively as follows.

$P_k = P_{k-2} + q_k P_{k-1}$, $\quad P_{-2} = 0$, $P_{-1} = 1$;
$Q_k = Q_{k-2} + q_k Q_{k-1}$, $\quad Q_{-2} = 1$, $Q_{-1} = 0$.

Example 18.1. 1. The successive convergents of the continued fraction $[1, 2, 3, 4, 5, 6, 7, 8, 9, 10]$ are computed easily using these relations.

     k     -2  -1   0   1    2    3     4     5      6      7       8        9
     q_k            1   2    3    4     5     6      7      8       9       10
     P_k    0   1   1   3   10   43   225  1393   9976  81201  740785  7489051
     Q_k    1   0   1   2    7   30   157   972   6961  56660  516901  5225670

2. Here are the convergents of the continued fraction $[1, 2, 1, 3, 1, 4, 1, 5, 1, 6]$ and their differences:

     convergents:   1    3/2    4/3    15/11    19/14    91/67    110/81    641/472    751/553    5147/3790
     differences:     1/2   -1/6    1/33   -1/154   1/938   -1/5427   1/38232   -1/261016   1/2095870

Note that the numerators of the differences are all $\pm 1$.

Lemma 18.1.

$$\frac{P_k}{Q_k} - \frac{P_{k-1}}{Q_{k-1}} = \frac{(-1)^{k-1}}{Q_{k-1} Q_k}.$$

Proof. Write $\frac{P_k}{Q_k} - \frac{P_{k-1}}{Q_{k-1}} = \frac{N_k}{Q_{k-1} Q_k}$. We have

$$N_k = P_k Q_{k-1} - Q_k P_{k-1}$$


$$= (P_{k-2} + q_k P_{k-1}) Q_{k-1} - (Q_{k-2} + q_k Q_{k-1}) P_{k-1} = -(P_{k-1} Q_{k-2} - Q_{k-1} P_{k-2}) = -N_{k-1}.$$

Since $N_1 = 1$, we have by easy induction $N_k = (-1)^{k-1} N_1 = (-1)^{k-1}$, and the result follows.

Theorem 18.2. Let $q_0, q_1, \ldots, q_n, \ldots$ be an infinite sequence of positive integers, $q_0$ possibly zero. The infinite continued fraction

$$a := [q_0, q_1, q_2, \ldots, q_n, \ldots]$$

is always well defined, i.e., $\lim_{n \to \infty} [q_0, q_1, \ldots, q_n]$ exists. This limit is always an irrational number.

Proof. For each $n \ge 0$, let $a_n$ be the $n$-th convergent $\frac{P_n}{Q_n}$. By the above lemma,

$$a_{n+2} - a_n = (a_{n+2} - a_{n+1}) + (a_{n+1} - a_n) = \frac{(-1)^{n+1}}{Q_{n+1} Q_{n+2}} + \frac{(-1)^n}{Q_n Q_{n+1}} = \frac{(-1)^n (Q_{n+2} - Q_n)}{Q_n Q_{n+1} Q_{n+2}}.$$

Note that $(Q_n)$ is an increasing sequence of positive integers (this is clear from the recurrence relation for $Q_n$). It follows that $a_0, a_2, a_4, \ldots$ is an increasing sequence, and $a_1, a_3, a_5, \ldots$ is a decreasing sequence. Furthermore, each $a_{2h+1}$ is greater than every $a_{2k}$:

$$a_0 < a_2 < a_4 < \cdots < a_{2k} < \cdots \cdots < a_{2h+1} < \cdots < a_5 < a_3 < a_1.$$

It follows that the subsequences $a_{2n}$ and $a_{2n+1}$ are convergent; indeed, they converge to a common limit since

$$\lim_{n \to \infty} a_{2n+1} - \lim_{n \to \infty} a_{2n} = \lim_{n \to \infty} (a_{2n+1} - a_{2n}) = \lim_{n \to \infty} \frac{1}{Q_{2n} Q_{2n+1}} = 0,$$

the sequence $(Q_n)$ of positive integers being strictly increasing from $n = 1$ on. The common limit $a$ of these two subsequences is the infinite continued fraction $[q_0, q_1, \ldots, q_n, \ldots]$. This number $a$ is irrational since its continued fraction expansion is not finite.

Let $\zeta$ be a real, irrational number. The continued fraction expansion of $\zeta$ can be found recursively as follows.

$$\zeta_0 = \zeta, \quad q_0 = \lfloor \zeta_0 \rfloor; \qquad \zeta_{n+1} = \frac{1}{\zeta_n - \lfloor \zeta_n \rfloor}, \quad q_{n+1} = \lfloor \zeta_{n+1} \rfloor.$$

Then, $\zeta = [q_0, q_1, q_2, \ldots, q_n, \ldots]$.
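The recurrence for $P_k, Q_k$, the identity of Lemma 18.1 and the floor-and-reciprocal expansion above are short enough to run side by side. The Python below is an added example, not code from the lecture notes; it recomputes both tables of Example 18.1 exactly, and runs the expansion recursion on a rational (exactly) and on a floating-point irrational (where rounding limits the number of trustworthy partial quotients, which is the reason for the exact integer method of Chapter 19). Function names are mine.

```python
# Added example, not part of the lecture notes.  The convergent recurrence for
# P_k, Q_k, the difference identity of Lemma 18.1, and the floor/reciprocal
# expansion zeta_{n+1} = 1/(zeta_n - floor zeta_n).  Names are mine.

from fractions import Fraction
from math import floor

def convergents(qs):
    """Convergents P_k/Q_k of [q_0, ..., q_n] from P_k = P_{k-2} + q_k P_{k-1},
    Q_k = Q_{k-2} + q_k Q_{k-1}, with P_{-2}=0, P_{-1}=1, Q_{-2}=1, Q_{-1}=0."""
    P = [0, 1]
    Q = [1, 0]
    for q in qs:
        P.append(P[-2] + q * P[-1])
        Q.append(Q[-2] + q * Q[-1])
    return [Fraction(p, q) for p, q in zip(P[2:], Q[2:])]

def convergent_differences(qs):
    """a_k - a_{k-1}; Lemma 18.1 says this is (-1)^(k-1) / (Q_{k-1} Q_k)."""
    a = convergents(qs)
    return [a[k] - a[k - 1] for k in range(1, len(a))]

def expand_real(x, terms):
    """First `terms` partial quotients of x (a Fraction or a float) by the
    recursion of the text; stops early if the remainder vanishes (rational x)."""
    qs = []
    for _ in range(terms):
        q = floor(x)
        qs.append(q)
        frac = x - q
        if frac < 1e-12:                 # exact 0 for a Fraction; rounding floor for floats
            break
        x = 1 / frac
    return qs

def expand_rational(a, b, terms=50):
    """Exact expansion of a/b: the recursion on a Fraction terminates."""
    return expand_real(Fraction(a, b), terms)
```

`expand_rational(43, 30)` returns `[1, 2, 3, 4]`, and `expand_real(2 ** 0.5, 8)` returns $1$ followed by seven $2$s; with a float, the error roughly multiplies by $1/(\zeta_n - \lfloor \zeta_n \rfloor)^2$ at every step, so only a few dozen quotients are reliable.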


Theorem 18.3 (Lagrange). Let $d$ be a nonsquare integer. The continued fraction expansion of a quadratic irrationality of the form $a + b\sqrt d$, $a, b \in \mathbb{Q}$, is eventually periodic; i.e., there exist $k$ and $l$ such that in the expansion

$$a + b\sqrt d = [q_0, q_1, \ldots, q_n, \ldots],$$

$q_{k + nl + i} = q_{k + i}$ for $n \ge 0$, $0 \le i < l$.

Theorem 18.4. Let $d$ be a positive integer which is not a square. The continued fraction expansion of $\sqrt d$ is of the form

$$\sqrt d = [q_0, \overline{q_1, q_2, \ldots, q_2, q_1, 2q_0}],$$

where $q_0 = \lfloor \sqrt d \rfloor$ and the overlined block is the period.

Example 18.2. 1. Continued fraction expansions of $\sqrt d$, $d < 50$ (the period is overlined). Those with asterisks have periods of odd length.

$\sqrt{2}^* = [1, \overline{2}]$; $\qquad \sqrt{27} = [5, \overline{5, 10}]$;
$\sqrt{3} = [1, \overline{1, 2}]$; $\qquad \sqrt{28} = [5, \overline{3, 2, 3, 10}]$;
$\sqrt{5}^* = [2, \overline{4}]$; $\qquad \sqrt{29}^* = [5, \overline{2, 1, 1, 2, 10}]$;
$\sqrt{6} = [2, \overline{2, 4}]$; $\qquad \sqrt{30} = [5, \overline{2, 10}]$;
$\sqrt{7} = [2, \overline{1, 1, 1, 4}]$; $\qquad \sqrt{31} = [5, \overline{1, 1, 3, 5, 3, 1, 1, 10}]$;
$\sqrt{8} = [2, \overline{1, 4}]$; $\qquad \sqrt{32} = [5, \overline{1, 1, 1, 10}]$;
$\sqrt{10}^* = [3, \overline{6}]$; $\qquad \sqrt{33} = [5, \overline{1, 2, 1, 10}]$;
$\sqrt{11} = [3, \overline{3, 6}]$; $\qquad \sqrt{34} = [5, \overline{1, 4, 1, 10}]$;
$\sqrt{12} = [3, \overline{2, 6}]$; $\qquad \sqrt{35} = [5, \overline{1, 10}]$;
$\sqrt{13}^* = [3, \overline{1, 1, 1, 1, 6}]$; $\qquad \sqrt{37}^* = [6, \overline{12}]$;
$\sqrt{14} = [3, \overline{1, 2, 1, 6}]$; $\qquad \sqrt{38} = [6, \overline{6, 12}]$;
$\sqrt{15} = [3, \overline{1, 6}]$; $\qquad \sqrt{39} = [6, \overline{4, 12}]$;
$\sqrt{17}^* = [4, \overline{8}]$; $\qquad \sqrt{40} = [6, \overline{3, 12}]$;
$\sqrt{18} = [4, \overline{4, 8}]$; $\qquad \sqrt{41}^* = [6, \overline{2, 2, 12}]$;
$\sqrt{19} = [4, \overline{2, 1, 3, 1, 2, 8}]$; $\qquad \sqrt{42} = [6, \overline{2, 12}]$;
$\sqrt{20} = [4, \overline{2, 8}]$; $\qquad \sqrt{43} = [6, \overline{1, 1, 3, 1, 5, 1, 3, 1, 1, 12}]$;
$\sqrt{21} = [4, \overline{1, 1, 2, 1, 1, 8}]$; $\qquad \sqrt{44} = [6, \overline{1, 1, 1, 2, 1, 1, 1, 12}]$;
$\sqrt{22} = [4, \overline{1, 2, 4, 2, 1, 8}]$; $\qquad \sqrt{45} = [6, \overline{1, 2, 2, 2, 1, 12}]$;
$\sqrt{23} = [4, \overline{1, 3, 1, 8}]$; $\qquad \sqrt{46} = [6, \overline{1, 3, 1, 1, 2, 6, 2, 1, 1, 3, 1, 12}]$;
$\sqrt{24} = [4, \overline{1, 8}]$; $\qquad \sqrt{47} = [6, \overline{1, 5, 1, 12}]$;
$\sqrt{26}^* = [5, \overline{10}]$; $\qquad \sqrt{48} = [6, \overline{1, 12}]$.

2. Some simple patterns:

$\sqrt{a^2 + 1} = [a, \overline{2a}]$;
$\sqrt{a^2 - 1} = [a - 1, \overline{1, 2a - 2}]$;
$\sqrt{a^2 + a} = [a, \overline{2, 2a}]$;
$\sqrt{a^2 + 2} = [a, \overline{a, 2a}]$;
$\sqrt{a^2 - 2} = [a - 1, \overline{1, a - 2, 1, 2a - 2}]$.


Chapter 19

Lagrange's Theorem

19.1 Purely periodic continued fractions

Let $\zeta$ be represented by a purely periodic continued fraction:

$$\zeta = [\overline{q_0, q_1, \ldots, q_k}].$$

This means $\zeta = [q_0, q_1, \ldots, q_k, \zeta]$. Let $\frac{P_{k-1}}{Q_{k-1}}$ and $\frac{P_k}{Q_k}$ be the last two convergents of the finite continued fraction $[q_0, q_1, \ldots, q_k]$. Then,

$$\zeta = \frac{P_{k-1} + \zeta P_k}{Q_{k-1} + \zeta Q_k}.$$

From this, we see that $\zeta$ is a root of the quadratic equation

$$Q_k x^2 - (P_k - Q_{k-1}) x - P_{k-1} = 0.$$

Since the product of the two roots of this equation, being $-\frac{P_{k-1}}{Q_k}$, is negative, exactly one of them is positive. This must be the number $\zeta$, and it is clear that this is a number of the form $a + b\sqrt d$, $a, b \in \mathbb{Q}$. Here, $d$ cannot be a square, for otherwise, the number $\zeta$ would have been rational.

19.2 Eventually periodic continued fractions

It follows that a number with eventually periodic continued fraction expansion is also a quadratic irrationality. Consider

$$\mu = [p_0, p_1, \ldots, p_h, \overline{q_1, \ldots, q_k}].$$

Let $\zeta$ be the irrational number with purely periodic continued fraction expansion $[\overline{q_1, \ldots, q_k}]$. This is of the form $a + b\sqrt d$ according to §19.1. If $h = 0$, then

$$\mu = [p_0, \zeta] = p_0 + \frac{1}{\zeta}$$


is clearly of the forma′ + b′√d, a′, b′ ∈ Q. If h ≥ 1, let P ′

Q′and P

Qbe the last two

convergents of the continued fraction[p0, . . . , ph]. Then

µ = [p0, . . . , ph, ζ ] =P ′ + ζP

Q′ + ζQ.

This also is of the forma′ + b′√d, a′, b′ ∈ Q.

We have therefore proved the easier half of Lagrange theorem: every eventuallyperiodic continued fraction represents a quadratic irrationality. The proof of theconverse is more difficult, and requires a more detailed analysis of numbers withpurely periodic continued fraction expansions.

19.3 Reduced quadratic irrationalities

Let $\zeta = [\overline{q_0, q_1, \ldots, q_k}]$. It is the positive root of the quadratic equation

$$x = [q_0, q_1, \ldots, q_k, x].$$

Note that $q_0 - x = \frac{-1}{[q_1, \ldots, q_k, x]}$, and this can be rewritten as

$$\left[q_0, \frac{-1}{x}\right] = \frac{-1}{[q_1, \ldots, q_k, x]}.$$

Continuing, we obtain

$$\left[q_k, q_{k-1}, \ldots, q_1, q_0, \frac{-1}{x}\right] = \frac{-1}{x}.$$

This means $\zeta$ is the positive root of $x = [q_0, q_1, \ldots, q_k, x]$ if and only if $\frac{-1}{\overline{\zeta}}$ is the positive root of $y = [q_k, q_{k-1}, \ldots, q_0, y]$. Consequently, it follows that every equation of the form $x = [q_0, \ldots, q_k, x]$ has exactly one positive root $\zeta > 1$, and one negative root between $-1$ and $0$. This negative root is necessarily the conjugate $\overline{\zeta}$. We shall say that a quadratic irrationality $\zeta$ is reduced if it satisfies the condition

$$\zeta > 1 > 0 > \overline{\zeta} > -1.$$

We may paraphrase the conclusion by saying that a purely periodic continued fraction represents a reduced quadratic irrationality.

19.4 Proof of Lagrange's theorem

Consider now a general quadratic irrationality of the form

$$\zeta = \frac{P + \sqrt{d}}{Q},$$

where $P$, $Q$ and $d$ are integers. By replacing $P$, $Q$ and $d$ by suitable integer multiples, we may assume that $\frac{d - P^2}{Q}$ is an integer, and we shall work with this assumption, and write $d = P^2 + QQ'$ for an integer $Q'$.

Lemma 19.1. If the quadratic irrationality $\zeta = \frac{P + \sqrt{d}}{Q}$ is reduced, then the integers $P$ and $Q$ are positive, and

$$P < \sqrt{d}, \qquad Q < P + \sqrt{d} < 2\sqrt{d}.$$

Now, let $\zeta = \frac{P + \sqrt{d}}{Q}$ be a quadratic irrationality with $d - P^2 = QQ'$ for some integer $Q'$. For every integer $m$,

$$\frac{1}{\zeta - m} = \frac{Q}{P - mQ + \sqrt{d}} = \frac{Q(-P + mQ + \sqrt{d})}{d - (P - mQ)^2} = \frac{-P + mQ + \sqrt{d}}{\frac{1}{Q}\left[d - (P - mQ)^2\right]} = \frac{-P + mQ + \sqrt{d}}{Q' + 2mP - m^2Q}.$$

Note that in this expression,

$$d - (-P + mQ)^2 = (d - P^2) + 2mPQ - m^2Q^2 = Q(Q' + 2mP - m^2Q).$$

It follows that we can obtain the continued fraction expansion of $\zeta$ by working out

$$P_0 = P, \qquad Q_0 = Q, \qquad Q_{-1} = Q',$$

$$\zeta_k = \frac{P_k + \sqrt{d}}{Q_k}, \qquad q_k = [\zeta_k],$$

$$P_{k+1} = -P_k + q_kQ_k,$$

$$Q_{k+1} = Q_{k-1} + 2q_kP_k - q_k^2Q_k = \frac{d - P_{k+1}^2}{Q_k}.$$

Note that $\zeta = [q_0, \ldots, q_{n-1}, \zeta_n]$. In particular,

$$\zeta = \frac{P_{n-2} + \zeta_nP_{n-1}}{Q_{n-2} + \zeta_nQ_{n-1}}.$$

Consider the conjugate

$$\overline{\zeta} = \frac{P_{n-2} + \overline{\zeta_n}P_{n-1}}{Q_{n-2} + \overline{\zeta_n}Q_{n-1}}.$$

From this,

$$\overline{\zeta_n} = -\frac{Q_{n-2}\overline{\zeta} - P_{n-2}}{Q_{n-1}\overline{\zeta} - P_{n-1}} = -\frac{Q_{n-2}}{Q_{n-1}} \cdot \frac{\overline{\zeta} - \frac{P_{n-2}}{Q_{n-2}}}{\overline{\zeta} - \frac{P_{n-1}}{Q_{n-1}}}.$$

Since the sequence $\frac{P_n}{Q_n}$ converges to $\zeta$, we can choose $N$ large enough so that $\overline{\zeta_N}$ lies between $-1$ and $0$. In other words, $\zeta_N$ is reduced.

It follows as a consequence of this observation that in the construction of the continued fraction expansion of $\zeta$ above, all $\zeta_n$, $n \ge N$, are reduced. By Lemma 19.1, we have

$$0 < P_n < \sqrt{d}, \qquad 0 < Q_n < 2\sqrt{d}, \qquad \text{for every } n \ge N.$$

There must exist distinct integers $h, k \ge N$ such that

$$P_h = P_k, \qquad Q_h = Q_k.$$

If we choose $h$ and $k = h + r$ to be the smallest possible integers for which these hold, then for every integer $t \ge 0$ and $0 \le s < r$,

$$P_{h+tr+s} = P_{h+s}, \qquad Q_{h+tr+s} = Q_{h+s}.$$

From this, $q_{h+tr+s} = q_{h+s}$.

This completes the proof of Lagrange's theorem.

Corollary 19.2. The continued fraction expansion of a reduced quadratic irrationality is purely periodic.

Proof. It is enough to show that if $\zeta = [q_0, \overline{q_1, \ldots, q_r}]$ is reduced, then indeed $q_0 = q_r$. (The general case follows by induction.) Let $\theta = [\overline{q_1, \ldots, q_r}]$. Since $q_0 + \frac{1}{\theta}$ is reduced,

$$q_0 + \frac{1}{\theta} > 1 > 0 > q_0 + \frac{1}{\overline{\theta}} > -1.$$

From this, $q_0 = \left[\frac{-1}{\overline{\theta}}\right]$. However, $\frac{-1}{\overline{\theta}}$ has continued fraction expansion $[\overline{q_r, \ldots, q_1}]$. It follows that $q_r = q_0$.

Exercise

1. If $x$ is reduced, then so is $\frac{1}{x - [x]}$.

2. If a quadratic irrationality $\zeta > 1$ satisfies $\overline{\zeta} < -1$, then the continued fraction expansion of $\zeta$ has one single term before the period.¹

¹ Solution. There is a positive integer $c$ such that $c + \overline{\zeta}$ lies between $-1$ and $0$. In other words, $c + \zeta$ is reduced, and has periodic continued fraction expansion $[\overline{q_0, \ldots, q_r}]$. Then,

$$\zeta = [q_1 - c, q_2, \ldots, q_r, q_r].$$

Chapter 20

The Pell Equation

20.1 The equation $x^2 - dy^2 = 1$

Let $d$ be a fixed integer. We consider the Pell equation $x^2 - dy^2 = 1$. Clearly, if $d$ is negative or is a (positive) square integer, then the equation has only finitely many solutions.

Theorem 20.1. Let $d$ be a nonsquare, positive integer. The totality of positive solutions of the Pell equation $x^2 - dy^2 = 1$ form an infinite sequence $(x_n, y_n)$ defined recursively by

$$x_{n+1} = ax_n + dby_n, \qquad y_{n+1} = bx_n + ay_n; \qquad x_1 = a, \; y_1 = b,$$

where $(x_1, y_1) = (a, b)$ is the fundamental solution (with $a, b$ smallest possible) obtained from the continued fraction expansion

$$\sqrt{d} = [q_0, \overline{q_1, \ldots, q_k}],$$

as follows. Let $\frac{P_{k-1}}{Q_{k-1}}$ be the $(k-1)$-th convergent of $\sqrt{d}$.

(a) If the length of the period is even, then $(a, b) = (P_{k-1}, Q_{k-1})$ is the smallest positive solution of the Pell equation $x^2 - dy^2 = 1$.

(b) If the length of the period is odd, then the smallest positive solution of the equation $x^2 - dy^2 = 1$ is $(a, b) = (P_{k-1}^2 + dQ_{k-1}^2, \; 2P_{k-1}Q_{k-1})$.
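The recurrence of §19.4 and Theorem 20.1 together give a complete procedure: run the $(P_k, Q_k)$ recurrence on $\sqrt{d}$ until a pair repeats, read off the period length and the convergent $P_{k-1}/Q_{k-1}$, and apply case (a) or (b). The following Python block is an added example, not code from the text: it implements that procedure for a general quadratic irrationality $(P + \sqrt{d})/Q$, including the scaling step that makes $(d - P^2)/Q$ an integer, and then specializes to $\sqrt{d}$ to solve the Pell equation and, when the period is odd, the equation $x^2 - dy^2 = -1$ of §20.2. The function names are my own.

```python
from math import isqrt


def quadratic_cf(P, Q, d):
    """Continued fraction of zeta = (P + sqrt(d)) / Q by the P_k, Q_k recurrence of §19.4.

    Returns (terms, start): terms[:start] is the non-repeating part and
    terms[start:] is one full period.  The pair (P_n, Q_n) determines zeta_n,
    so the expansion repeats as soon as a pair recurs (Lagrange's theorem).
    """
    if Q == 0:
        raise ValueError("Q must be nonzero")
    if isqrt(d) ** 2 == d:
        raise ValueError("d must not be a perfect square")
    # Make Q divide d - P^2 as the text assumes: scale P, d, Q by |Q|, Q^2, |Q|.
    if (d - P * P) % Q != 0:
        P, d, Q = P * abs(Q), d * Q * Q, Q * abs(Q)
    r = isqrt(d)
    seen, terms = {}, []
    while (P, Q) not in seen:
        seen[(P, Q)] = len(terms)
        # q_k = floor((P_k + sqrt(d)) / Q_k), exact because sqrt(d) is irrational
        q = (P + r) // Q if Q > 0 else (-P - r - 1) // (-Q)
        terms.append(q)
        P = q * Q - P              # P_{k+1} = -P_k + q_k Q_k
        Q = (d - P * P) // Q       # Q_{k+1} = (d - P_{k+1}^2) / Q_k, an exact division
    return terms, seen[(P, Q)]


def convergent(terms):
    """Numerator and denominator of the finite continued fraction [terms]."""
    h_prev, h = 0, 1      # h_{-2}, h_{-1}
    k_prev, k = 1, 0      # k_{-2}, k_{-1}
    for q in terms:
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
    return h, k


def pell_fundamental(d):
    """Fundamental solution of x^2 - d y^2 = 1 by Theorem 20.1.

    Returns ((a, b), neg) where neg is the smallest positive solution of
    x^2 - d y^2 = -1 when the period length is odd (§20.2) and None otherwise.
    """
    terms, start = quadratic_cf(0, 1, d)      # sqrt(d) = (0 + sqrt(d)) / 1
    k = len(terms) - start                      # period length
    P, Q = convergent(terms[:k])                # (k-1)-th convergent P_{k-1} / Q_{k-1}
    if k % 2 == 0:
        return (P, Q), None                     # case (a)
    return (P * P + d * Q * Q, 2 * P * Q), (P, Q)   # case (b)


def pell_solutions(d, n):
    """First n positive solutions of x^2 - d y^2 = 1 via the recurrence of Theorem 20.1."""
    (a, b), _ = pell_fundamental(d)
    x, y, out = a, b, []
    for _ in range(n):
        out.append((x, y))
        x, y = a * x + d * b * y, b * x + a * y
    return out


if __name__ == "__main__":
    print(quadratic_cf(0, 1, 13))   # ([3, 1, 1, 1, 1, 6], 1): sqrt(13) = [3; 1,1,1,1,6 repeating]
    print(pell_fundamental(13))     # ((649, 180), (18, 5))
    print(pell_solutions(2, 5))
```

The exact floor of $(P_k + \sqrt{d})/Q_k$ is computed from $[\sqrt{d}]$ alone, which is valid because $\sqrt{d}$ is irrational; this avoids floating point, so the same code handles the cattle-problem value $d = 4729494$ of Example 4 below.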

Examples

1. The fundamental solution of the Pell equation $x^2 - 2y^2 = 1$ is $(3, 2)$. This generates an infinite sequence of nonnegative solutions $(x_n, y_n)$ defined by

$$x_{n+1} = 3x_n + 4y_n, \qquad y_{n+1} = 2x_n + 3y_n; \qquad x_0 = 1, \; y_0 = 0.$$

The beginning terms are

  n    |  1   2    3    4     5      6       7        8        9         10        ...
  x_n  |  3   17   99   577   3363   19601   114243   665857   3880899   22619537  ...
  y_n  |  2   12   70   408   2378   13860   80782    470832   2744210   15994428  ...

2. Fundamental solution $(a, b)$ of $x^2 - dy^2 = 1$ for $d < 100$:

   d   a         b        |   d   a           b          |   d   a         b
   2   3         2        |   3   2           1          |   5   9         4
   6   5         2        |   7   8           3          |   8   3         1
  10   19        6        |  11   10          3          |  12   7         2
  13   649       180      |  14   15          4          |  15   4         1
  17   33        8        |  18   17          4          |  19   170       39
  20   9         2        |  21   55          12         |  22   197       42
  23   24        5        |  24   5           1          |  26   51        10
  27   26        5        |  28   127         24         |  29   9801      1820
  30   11        2        |  31   1520        273        |  32   17        3
  33   23        4        |  34   35          6          |  35   6         1
  37   73        12       |  38   37          6          |  39   25        4
  40   19        3        |  41   2049        320        |  42   13        2
  43   3482      531      |  44   199         30         |  45   161       24
  46   24335     3588     |  47   48          7          |  48   7         1
  50   99        14       |  51   50          7          |  52   649       90
  53   66249     9100     |  54   485         66         |  55   89        12
  56   15        2        |  57   151         20         |  58   19603     2574
  59   530       69       |  60   31          4          |  61   1766319049  226153980
  62   63        8        |  63   8           1          |  65   129       16
  66   65        8        |  67   48842       5967       |  68   33        4
  69   7775      936      |  70   251         30         |  71   3480      413
  72   17        2        |  73   2281249     267000     |  74   3699      430
  75   26        3        |  76   57799       6630       |  77   351       40
  78   53        6        |  79   80          9          |  80   9         1
  82   163       18       |  83   82          9          |  84   55        6
  85   285769    30996    |  86   10405       1122       |  87   28        3
  88   197       21       |  89   500001      53000      |  90   19        2
  91   1574      165      |  92   1151        120        |  93   12151     1260
  94   2143295   221064   |  95   39          4          |  96   49        5
  97   62809633  6377352  |  98   99          10         |  99   10        1

3. Pell's equations whose fundamental solutions are very large:

   d    a                                         b
   421  3879474045914926879468217167061449        189073995951839020880499780706260
   541  3707453360023867028800645599667005001     159395869721270110077187138775196900
   601  38902815462492318420311478049             1586878942101888360258625080
   613  464018873584078278910994299849            18741545784831997880308784340
   661  16421658242965910275055840472270471049    638728478116949861246791167518480580
   673  4765506835465395993032041249              183696788896587421699032600
   769  535781868388881310859702308423201         19320788325040337217824455505160
   919  4481603010937119451551263720              147834442396536759781499589
   937  480644425002415999597113107233            15701968936415353889062192632
   949  609622436806639069525576201               19789181711517243032971740
   991  379516400906811930638014896080            12055735790331359447442538767

4. The equation $x^2 - 4729494y^2 = 1$ arises from the famous Cattle problem of Archimedes, and has smallest positive solution

$$x = 109931986732829734979866232821433543901088049,$$
$$y = 50549485234315033074477819735540408986340.$$

Exercise

1. Solve the Pell equations (a) $x^2 + 3y^2 = 1$; (b) $x^2 - 4y^2 = 1$ for integer solutions.¹

2. Find the 10 smallest nonnegative solutions of the Pell equation $x^2 - 3y^2 = 1$.²

3. For a positive, nonsquare integer $n$, let $(a_n, b_n)$ be the fundamental solution of the Pell equation $x^2 - ny^2 = 1$. If $n$ is a square, set $b_n = 0$.

(a) Show that every positive integer occurs infinitely often in the sequence $(b_n)$.

(b) Determine all occurrences of $p^k$, $p$ prime, $k > 0$, in the sequence $(b_n)$.

4. Deduce that if $p$ is a prime of the form $4k + 1$, then the continued fraction expansion of $\sqrt{p}$ has odd period.

20.1.1

If $(a, b)$ is the fundamental solution of the Pell equation $x^2 - dy^2 = 1$, generating the infinite sequence of nonnegative solutions $(x_0, y_0) = (1, 0)$, $(x_1, y_1) = (a, b)$, $(x_2, y_2), \ldots, (x_n, y_n), \ldots$, then

$$x_{n+1} = 2ax_n - x_{n-1}; \qquad y_{n+1} = 2ay_n - y_{n-1}.$$

20.2 The equation $x^2 - dy^2 = -1$

Indeed, if the length of the period of the continued fraction expansion of $\sqrt{d}$ is odd, then $(P_{k-1}, Q_{k-1})$ is the smallest positive solution of the equation

$$x^2 - dy^2 = -1.$$

Only when this period is odd does this equation have solutions.

¹ (a) $(x, y) = (\pm 1, 0)$; (b) $(x, y) = (\pm 1, 0)$.

²
  n    |  1   2   3    4    5     6      7      8       9       10       11       ...
  x_n  |  2   7   26   97   362   1351   5042   18817   70226   262087   978122   ...
  y_n  |  1   4   15   56   209   780    2911   10864   40545   151316   564719   ...

Examples

1. Smallest positive solution $(a, b)$ of $x^2 - dy^2 = -1$ for the first 24 values of $d$:

   d   a       b     |   d   a      b     |    d   a      b
   2   1       1     |   5   2      1     |   10   3      1
  13   18      5     |  17   4      1     |   26   5      1
  29   70      13    |  37   6      1     |   41   32     5
  50   7       1     |  53   182    25    |   58   99     13
  61   29718   3805  |  65   8      1     |   73   1068   125
  74   43      5     |  82   9      1     |   85   378    41
  89   500     53    |  97   5604   569   |  101   10     1

2. If $p \equiv 1 \pmod 4$ is prime, then the equation $x^2 - py^2 = -1$ is solvable.

Proof. Let $(a, b)$ be the fundamental solution of $x^2 - py^2 = 1$. This means $a^2 - 1 = pb^2$. Note that $a$ must be odd, for otherwise $a^2 - 1 \equiv -1 \pmod 4$, but $pb^2 \equiv 1 \pmod 4$, a contradiction. Consequently, $\gcd(a + 1, a - 1) = 2$, and we have

(i) $a + 1 = 2r^2$, $a - 1 = 2ps^2$, or

(ii) $a + 1 = 2pr^2$, $a - 1 = 2s^2$, for some nonnegative integers $r$ and $s$.

In (i), we have $r^2 - ps^2 = 1$, with $r < a$, a contradiction since $(a, b)$ is the smallest positive solution of $x^2 - py^2 = 1$. It follows that (ii) holds, and we have $s^2 - pr^2 = -1$.

20.3 The equation $x^2 - dy^2 = c$

Let $d$ be a nonsquare integer, and $c$ an integer other than $0, \pm 1$. Clearly, the equation

$$x^2 - dy^2 = c$$

is solvable only if $d$ is a quadratic residue modulo $c$ (Exercise). This condition, however, is not sufficient to guarantee existence of solutions. Consider the continued fraction expansion of $\sqrt{d}$:

$$\sqrt{d} = [q_0, \overline{q_1, \ldots, q_k}],$$

with the first $k$ convergents

$$\frac{P_i}{Q_i} = [q_0, q_1, \ldots, q_i], \qquad i = 0, 1, 2, \ldots, k - 1.$$

Theorem 20.2. If $|c| < \sqrt{d}$, and $x^2 - dy^2 = c$ is solvable, then $c$ must be one of the numbers $P_i^2 - dQ_i^2$, $i = 0, 1, 2, \ldots, k - 1$.

Theorem 20.3. Let $c > 1$ be a positive integer.

(a) If the equation $x^2 - dy^2 = c$ is solvable, it must have a fundamental solution $(u, v)$ in the range

$$0 < |u| \le \sqrt{\tfrac{1}{2}(a + 1)c}, \qquad 0 \le v \le \frac{b}{\sqrt{2(a + 1)}} \cdot \sqrt{c}.$$

Every solution appears in a doubly infinite sequence $(u_n, v_n)$,

$$u_{n+1} = au_n + dbv_n, \qquad v_{n+1} = bu_n + av_n, \qquad u_1 = u, \; v_1 = v,$$

for some $(u, v)$ in the range above.

(b) Same conclusion for the equation $x^2 - dy^2 = -c$, except that it must have a solution $(u, v)$ in the range

$$0 \le |u| \le \sqrt{\tfrac{1}{2}(a - 1)c}, \qquad 0 < v \le \frac{b}{\sqrt{2(a - 1)}} \cdot \sqrt{c}.$$

Example 20.1. Consider the equation $x^2 - 23y^2 = 4 \cdot 11 \cdot 23$. It is easy to see that $x$ and $y$ must be both even, and $23$ divides $x$. With $x = 46h$, $y = 2k$, we have $23h^2 - k^2 = 11$, or $k^2 - 23h^2 = -11$. The fundamental solution of $x^2 - 23y^2 = 1$ being $(a, b) = (24, 5)$, we need only find $h$ in the range $1 \le h \le 2$. It is now easy to see that only $h = 2$ gives an integer $k$, namely $k = 9$. From this we obtain $(x_1, y_1) = (92, 18)$. The other solutions are generated recursively by

$$x_{n+1} = 24x_n + 115y_n, \qquad y_{n+1} = 5x_n + 24y_n, \qquad x_1 = 92, \; y_1 = 18.$$

Here are the first 5 solutions.

  n    |  1    2      3        4         5          ...
  x_n  |  92   4278   205252   9847818   472490012  ...
  y_n  |  18   892    42798    2053412   98520978   ...
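Theorem 20.3 turns the search for a solution of $x^2 - dy^2 = c$ into a finite check, since the bound on $v$ is equivalent (using $db^2 = a^2 - 1$) to $2(a \pm 1)v^2 \le b^2|c|$. The following Python block is an added example, not part of the text: it enumerates the box of the theorem for either sign of $c$, then runs the recurrence to reproduce the sequence of Example 20.1. The fundamental solution $(24, 5)$ of $x^2 - 23y^2 = 1$ is taken from the table in §20.1 rather than recomputed, and the function names are my own.

```python
from math import isqrt


def fundamental_solutions(d, c, a, b):
    """Every (u, v) with u^2 - d v^2 = c inside the box of Theorem 20.3.

    (a, b) is the fundamental solution of x^2 - d y^2 = 1.  For c > 0 the box is
    0 < |u| <= sqrt((a+1)c/2), 0 <= v <= b sqrt(c)/sqrt(2(a+1)); for c < 0 the
    factor a+1 becomes a-1 and v must be positive.  Since d b^2 = a^2 - 1, the
    bound on u follows from the bound on v, so only v is enumerated; the v bound
    is tested in the equivalent integer form 2 (a +- 1) v^2 <= b^2 |c|.
    """
    if c in (0, 1, -1):
        raise ValueError("c must differ from 0 and +-1 (see §20.3)")
    s = a + 1 if c > 0 else a - 1
    v = 0 if c > 0 else 1
    found = []
    while 2 * s * v * v <= b * b * abs(c):
        u2 = c + d * v * v
        if u2 >= 0:
            u = isqrt(u2)
            if u * u == u2:
                found.extend({(-u, v), (u, v)})   # a set, so u = 0 is listed once
        v += 1
    return sorted(found)


def solution_sequence(d, a, b, u, v, n):
    """First n terms of u_{m+1} = a u_m + d b v_m, v_{m+1} = b u_m + a v_m."""
    out = []
    for _ in range(n):
        out.append((u, v))
        u, v = a * u + d * b * v, b * u + a * v
    return out


def example_20_1():
    """x^2 - 23 y^2 = 4*11*23 via x = 46h, y = 2k, i.e. k^2 - 23 h^2 = -11."""
    a, b = 24, 5                                       # fundamental solution for d = 23 (table in §20.1)
    k, h = max(fundamental_solutions(23, -11, a, b))   # the positive one, (9, 2)
    return solution_sequence(23, a, b, 46 * h, 2 * k, 5)


if __name__ == "__main__":
    print(fundamental_solutions(23, -11, 24, 5))    # [(-9, 2), (9, 2)]
    print(example_20_1())                           # (92, 18), (4278, 892), ...
```

Searching the original equation directly, without the substitution $x = 46h$, $y = 2k$, gives the same answer: the box for $c = 1012$ contains only $(\pm 92, 18)$. Note that $(-9, 2)$ is in the box as well; Theorem 20.3 lists both signs of $u$, and they seed different sequences.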

20.4 Applications

1. Which triangular numbers are squares? Suppose the $k$-th triangular number $T_k = \frac{1}{2}k(k + 1)$ is the square of $n$. Then $n^2 = \frac{1}{2}k(k + 1)$; $4k^2 + 4k + 1 = 8n^2 + 1$; $(2k + 1)^2 - 8n^2 = 1$. The smallest positive solution of the Pell equation $x^2 - 8y^2 = 1$ being $(3, 1)$, we have the solutions $(k_i, n_i)$ of the equation given by

$$2k_{i+1} + 1 = 3(2k_i + 1) + 8n_i, \qquad n_{i+1} = (2k_i + 1) + 3n_i, \qquad k_0 = 1, \; n_0 = 1.$$

This means

$$k_{i+1} = 3k_i + 4n_i + 1, \qquad n_{i+1} = 2k_i + 3n_i + 1, \qquad k_0 = 1, \; n_0 = 1.$$

The beginning values of $k$ and $n$ are as follows.

  i    |  0   1   2    3     4      5      6       7        8         9          10         ...
  k_i  |  1   8   49   288   1681   9800   57121   332928   1940449   11309768   65918161   ...
  n_i  |  1   6   35   204   1189   6930   40391   235416   1372105   7997214    46611179   ...

2. Find all integers $n$ so that the mean and the standard deviation of $n$ consecutive integers are both integers.

If the mean of $n$ consecutive integers is an integer, $n$ must be odd. We may therefore assume the numbers to be $-m, -(m - 1), \ldots, -1, 0, 1, \ldots, m - 1, m$. The standard deviation of these numbers is $\sqrt{\frac{1}{3}m(m + 1)}$. For this to be an integer, we must have $\frac{1}{3}m(m + 1) = k^2$ for some integer $k$; $m^2 + m = 3k^2$; $n^2 = (2m + 1)^2 = 12k^2 + 1$. The smallest positive solution of the Pell equation $n^2 - 12k^2 = 1$ being $(7, 2)$, the solutions of this equation are given by $(n_i, k_i)$, where

$$n_{i+1} = 7n_i + 24k_i, \qquad k_{i+1} = 2n_i + 7k_i, \qquad n_0 = 1, \; k_0 = 0.$$

The beginning values of $n$ and $k$ are

  i    |  1   2    3      4       5        6         7          8           ...
  n_i  |  7   97   1351   18817   262087   3650401   50843527   708158977   ...
  k_i  |  2   28   390    5432    75658    1053780   14677262   204427888   ...

3. Find all Pythagorean triangles the lengths of whose two shorter sides differ by 1.

Let $x$ and $x + 1$ be the two shorter sides of a Pythagorean triangle, with hypotenuse $y$. Then $y^2 = x^2 + (x + 1)^2 = 2x^2 + 2x + 1$. From this, $2y^2 = (2x + 1)^2 + 1$. With $z = 2x + 1$, this reduces to the Pell equation $z^2 - 2y^2 = -1$, which we know has solutions, the smallest positive one being $(1, 1)$; the equation $z^2 - 2y^2 = 1$ has smallest positive solution $(3, 2)$. It follows that the solutions $(z_n, y_n)$ are given recursively by

$$z_{n+1} = 3z_n + 4y_n, \qquad y_{n+1} = 2z_n + 3y_n, \qquad z_0 = 1, \; y_0 = 1.$$

If we write $z_n = 2x_n + 1$, these become

$$x_{n+1} = 3x_n + 2y_n + 1, \qquad y_{n+1} = 4x_n + 3y_n + 2, \qquad x_0 = 0, \; y_0 = 1.$$

The beginning values of $x_n$ and $y_n$ are as follows.

  n    |  1   2    3     4     5      6       7        8         9         10         ...
  x_n  |  3   20   119   696   4059   23660   137903   803760    4684659   27304196   ...
  y_n  |  5   29   169   985   5741   33461   195025   1136689   6625109   38613965   ...

4. Find eleven consecutive positive integers, the sum of whose squares is the square of an integer.

Answer:

$$18^2 + 19^2 + \cdots + 28^2 = 77^2,$$
$$38^2 + 39^2 + \cdots + 48^2 = 143^2,$$
$$456^2 + 457^2 + \cdots + 466^2 = 1529^2,$$
$$854^2 + 855^2 + \cdots + 864^2 = 2849^2,$$
$$9192^2 + 9193^2 + \cdots + 9202^2 = 30503^2,$$
$$17132^2 + 17133^2 + \cdots + 17142^2 = 56837^2, \ldots$$

Chapter 21

Sums of consecutive squares

21.1 Sums of an odd number of consecutive squares.

Suppose the sum of the squares of $2k + 1$ consecutive positive integers is a square. If the integers are $b, b \pm 1, \ldots, b \pm k$, we require

$$(2k + 1)b^2 + \frac{1}{3}k(k + 1)(2k + 1) = a^2$$

for an integer $a$. From this we obtain the equation

$$a^2 - (2k + 1)b^2 = \frac{1}{3}k(k + 1)(2k + 1). \qquad (E_k)$$

1. Suppose $2k + 1$ is a square. Show that $(E_k)$ has solution only when $k = 6m(m + \epsilon)$ for some integers $m > 1$, and $\epsilon = \pm 1$. In each case, the number of solutions is finite.

Number of solutions of $(E_k)$ when $2k + 1$ is a square

  2k + 1   |  25   49   121   169   289   361   529   625   841   961   ...
  number   |  0    1    1     2     7     3     5     3     3     10    ...

2. Find the unique sequence of 49 (respectively 121) consecutive positive integers whose squares sum to a square.

Answer: $25^2 + 26^2 + \cdots + 73^2 = 357^2$; $244^2 + 245^2 + \cdots + 364^2 = 3366^2$.

Remark: The two sequences of 169 consecutive squares whose sums are squares are

$$30^2 + 31^2 + \cdots + 198^2 = 1612^2; \qquad 510^2 + 511^2 + \cdots + 678^2 = 7748^2.$$

3. Suppose $2k + 1$ is not a square. If $k + 1$ is divisible by $9 = 3^2$ or by any prime of the form $4k + 3 \ge 7$, then the equation $(E_k)$ has no solution.

4. Show that for the following values of $k < 50$, the equation $(E_k)$ has no solution:

$$k = 6, 8, 10, 13, 17, 18, 20, 21, 22, 26, 27, 30, 32, 34, 35, 37, 40, 41, 42, 44, 45, 46, 48, \ldots$$

5. Suppose $p = 2k + 1$ is a prime. If the Legendre symbol

$$\left(\frac{-\frac{1}{3}k(k + 1)}{p}\right) = -1,$$

then the equation $(E_k)$ has no solution.

6. Show that for the following values of $k < 50$, the equation $(E_k)$ has no solution:

$$1, 2, 3, 8, 9, 14, 15, 20, 21, 26, 33, 39, 44.$$

We need only consider $(E_k)$ for the following values of $k$:

$$5, 7, 11, 16, 19, 23, 25, 28, 29, 31, 36, 38, 43, 47, 49.$$

7. Check that among these, only for $k = 5, 11, 16, 23, 29$ are the equations $(E_k)$ solvable.

8. From the data of Example 20.1, work out 5 sequences of 23 consecutive integers whose squares add up to a square in each case.

Answer:

$$7^2 + 8^2 + \cdots + 29^2 = 92^2; \qquad 881^2 + 882^2 + \cdots + 903^2 = 4278^2;$$
$$42787^2 + 42788^2 + \cdots + 42809^2 = 205252^2; \qquad 2053401^2 + 2053402^2 + \cdots + 2053423^2 = 9847818^2;$$
$$\cdots$$

9. Consider the equation $(E_{36}) : a^2 - 73b^2 = 12 \cdot 37 \cdot 73$. Check that this equation does in fact have solutions $(u, v) = (4088, 478), (23360, 2734)$.

10. Make use of the fundamental solution of $x^2 - 73y^2 = 1$, namely $(a, b) = (2281249, 267000)$, to obtain two sequences of solutions of $(E_{36})$:

Answer:

$(4088, 478), (18642443912, 2181933022), (85056113063608088, 9955065049008478), \ldots$
$(23360, 2734), (106578370640, 12474054766), (486263602888235360, 56912849921762734), \ldots$

This means, for example, the sum of the squares of the 73 numbers with center 478 (respectively 2734) is equal to the square of 4088 (respectively 23360).
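The equations $(E_k)$ and $(E'_k)$ of this chapter are easy to check mechanically, and checking a claimed solution against the literal sum of squares it encodes catches index mistakes (which integers the run starts and ends with). The Python block below is an added example, not from the text: it evaluates both right-hand sides, tests a claimed $(a, b)$ against the equation and against the sum of squares over the run of integers it describes, and steps a solution of $(E_k)$ forward with the fundamental Pell solution as in items 8 and 10. Function names are my own.

```python
def odd_rhs(k):
    """Right-hand side of (E_k): (1/3) k (k+1)(2k+1), always an integer."""
    return k * (k + 1) * (2 * k + 1) // 3


def even_rhs(k):
    """Right-hand side of (E'_k): (2k/3)(4k^2 - 1), always an integer."""
    return 2 * k * (4 * k * k - 1) // 3


def is_odd_solution(k, a, b):
    """Does (a, b) satisfy a^2 - (2k+1) b^2 = (1/3) k (k+1)(2k+1)?"""
    return a * a - (2 * k + 1) * b * b == odd_rhs(k)


def is_even_solution(k, a, b):
    """Does (a, b) satisfy (2a)^2 - 2k (2b+1)^2 = (2k/3)(4k^2 - 1)?"""
    return (2 * a) ** 2 - 2 * k * (2 * b + 1) ** 2 == even_rhs(k)


def sum_of_squares(first, count):
    """first^2 + (first+1)^2 + ... + (first+count-1)^2, computed directly."""
    return sum(n * n for n in range(first, first + count))


def odd_run(k, b):
    """The 2k+1 consecutive integers b-k, ..., b+k that (E_k) is about."""
    return list(range(b - k, b + k + 1))


def even_run(k, b):
    """The 2k consecutive integers b-k+1, ..., b+k that (E'_k) is about."""
    return list(range(b - k + 1, b + k + 1))


def next_odd_solution(k, a, b, x1, y1):
    """Step a solution (a, b) of (E_k) forward with the fundamental solution
    (x1, y1) of x^2 - (2k+1) y^2 = 1, as in Theorem 20.3."""
    d = 2 * k + 1
    return x1 * a + d * y1 * b, y1 * a + x1 * b


if __name__ == "__main__":
    # Item 8: 23 squares centred at 18 sum to 92^2, item 10: 73 squares centred at 478 sum to 4088^2.
    print(odd_run(11, 18)[0], odd_run(11, 18)[-1], sum_of_squares(7, 23) == 92 ** 2)
    print(is_odd_solution(36, 4088, 478), sum_of_squares(478 - 36, 73) == 4088 ** 2)
    print(next_odd_solution(36, 4088, 478, 2281249, 267000))   # (18642443912, 2181933022)
```

For a pair $(a, b)$ from item 10 the run $b - 36, \ldots, b + 36$ need not consist of positive integers; the direct sum still equals $a^2$, but only runs with $b > 36$ answer the question as posed.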

21.2 Even number of consecutive squares.

Suppose the sum of the squares of the $2k$ consecutive numbers

$$b - k + 1, \; b - k + 2, \; \ldots, \; b, \; \ldots, \; b + k - 1, \; b + k,$$

is equal to $a^2$. This means

$$(2a)^2 - 2k(2b + 1)^2 = \frac{2k}{3}(4k^2 - 1). \qquad (E'_k)$$

Note that the numbers $2k$, $4k^2 - 1$ are relatively prime.

1. Show that the equation $(E'_k)$ has no solution if $2k$ is a square.

2. Suppose $2k$ is not a square. Show that if $2k + 1$ is divisible by 9, or by any prime of the form $4k + 1$, then the equation $(E'_k)$ has no solution.

3. Show that for $k \le 50$, the equation $(E'_k)$ has no solution for the following values of $k$:

$$k = 3, 4, 5, 9, 11, 13, 15, 17, 21, 23, 24, 27, 29, 31, 33, 35, 38, 39, 40, 41, 45, 47, 49.$$

4. Let $k$ be a prime. Show that the equation $(E'_k)$ can be written as

$$(2b + 1)^2 - 2ky^2 = -\frac{4k^2 - 1}{3}.$$

By considering Legendre symbols, show that the equation $(E'_k)$ has no solution for the following values of $k \le 50$:

$$k = 5, 7, 17, 19, 29, 31, 41, 43.$$

5. By using Theorem 10.5.3, check that, excluding square values of $2k < 100$, the equation $(E'_k)$ has solutions only for $k = 1, 12, 37, 44$. The case $2k = 2$ has been dealt with in Example 10.6.3.

6. Show that $(34, 0)$, $(38, 3)$, $(50, 7)$ are solutions of $(E'_{12})$. Construct from them three infinite sequences of expressions of the sum of 24 consecutive squares as a square.

Answer:

$$25^2 + 26^2 + \cdots + 48^2 = 182^2; \qquad 44^2 + 45^2 + \cdots + 67^2 = 274^2; \qquad 76^2 + 77^2 + \cdots + 99^2 = 430^2.$$

7. Show that $(185, 2)$, $(2257, 261)$, and $(2849, 330)$ are solutions of $(E'_{37})$. Construct from them three infinite sequences of expressions of the sum of 74 consecutive squares as a square.

Answer:

$$225^2 + 226^2 + \cdots + 298^2 = 2257^2; \qquad 294^2 + 295^2 + \cdots + 367^2 = 2849^2;$$
$$13096^2 + 13097^2 + \cdots + 13179^2 = 763865^2.$$

8. Show that $(242, 4)$ and $(2222, 235)$ are solutions of $(E'_{44})$. Construct from them two infinite sequences of expressions of the sum of 88 consecutive squares as a square.

Answer:

$$192^2 + 193^2 + \cdots + 279^2 = 2222^2; \qquad 5925^2 + 5926^2 + \cdots + 6012^2 = 55990^2.$$

Remark: The equation $(E'_{26}) : x^2 - 52y^2 = 18 \cdot 52 \cdot 53$ does indeed have two infinite sequences of solutions generated by the particular solutions $(338, 36)$, $(2002, 276)$, and the fundamental solution $(649, 90)$ of the Pell equation $x^2 - 52y^2 = 1$. None of these, however, leads to a solution of $(E'_{26})$ since all the $y$'s are even.

Chapter 22

Some simple cryptosystems

A cryptosystem consists of
(i) encryption and decryption (or enciphering and deciphering) algorithms, usually assumed known, and
(ii) encryption and decryption keys.

A plaintext is enciphered using an encryption key, sent to a receiver, who deciphers the ciphertext by finding an appropriate decryption key.

22.1 Shift ciphers

The simplest cryptosystem is the shift cipher. The encryption algorithm is simply shifting the alphabet by a fixed number. Clearly the decryption algorithm is of the same kind. The encryption key is the number of spaces shifted forward or backward. For example, the plaintext

A point is that which has no part. A line is length without breadth. The extremities of a line are points

is shifted 5 places forward to yield the ciphertext

FUTNSYNXYMFYBMNHMMFXSTUFWYFQNSJNXQJSLYMBNYMTZYGWJFIYMYMJJCYWJRNYNJXTKFQNSJFWJUTNSYX

The receiver of the ciphertext, knowing the encryption algorithm but not the key, first studies the frequencies of the various letters in the ciphertext, and makes use of known frequency statistics to figure out the appropriate shift to decipher the message.

  A   B   C   D   E   F   G   H   I   J   K   L   M
  0   2   1   0   0   8   1   1   1   9   1   1   8
  N   O   P   Q   R   S   T   U   V   W   X   Y   Z
  10  0   0   3   1   6   5   3   0   4   5   12  1

Here are the percentage frequencies of letters in English:

  a    b    c    d    e     f    g    h    i    j    k    l    m
  8.2  1.5  2.8  4.3  12.7  2.2  2.0  6.1  7.0  0.2  0.8  4.0  2.4
  n    o    p    q    r     s    t    u    v    w    x    y    z
  6.7  7.5  1.9  0.1  6.0   6.3  9.1  2.8  1.0  2.3  0.1  2.0  0.1

The most frequently occurring letters in a reasonably long passage in English are e, followed by t, a, o, i, n.

For the current ciphertext, it is reasonable to decipher by a shift that makes Y ← e, or N ← e, or J ← e.

If we decipher by Y ← e, shifting 6 places forward, the first few letters FUTNSYNXY yield laztyetde, which is not a meaningful text. This is also the case with N ← e, 9 places backward. The next one, J ← e, 5 places backward, easily deciphers the message.

Exercise. A shift cipher yields the following ciphertext:

FSDHN WHQJN XJVZF QYTFW NLMYF SLQJI YWNFS LQJNS BMNHM TSJTK YMJXN IJXFG TZYYM JWNLM YFSLQ JNXJV ZFQYT YMJWF INZXF SIYMJ GFXJN XJVZF QYTYM JHNWH ZRKJW JSHJ

with frequency count:

  A   B   C   D   E   F   G   H   I   J   K   L   M
  0   1   0   1   0   12  2   6   4   18  2   5   9
  N   O   P   Q   R   S   T   U   V   W   X   Y   Z
  12  0   0   7   1   8   6   0   3   7   7   12  6

Decipher the message.

22.2 Affine ciphers

An affine cipher is a generalization of the shift cipher. The letters in the alphabet are replaced by the numbers $0, 1, \ldots, 25$.

  a   b   c   d   e   f   g   h   i   j   k   l   m
  0   1   2   3   4   5   6   7   8   9   10  11  12
  A   B   C   D   E   F   G   H   I   J   K   L   M

  n   o   p   q   r   s   t   u   v   w   x   y   z
  13  14  15  16  17  18  19  20  21  22  23  24  25
  N   O   P   Q   R   S   T   U   V   W   X   Y   Z

The encryption algorithm is to encode a letter corresponding to an integer $x$ by the letter corresponding to the integer $\alpha x + \beta \bmod 26$ obtained by some affine substitution. To make decryption possible, the encryption key (affine substitution) $x \mapsto \alpha x + \beta \bmod 26$ is required to be invertible, so that the decryption key is of the same form $x \mapsto ax + b \bmod 26$ for some integers $a$, $b$. This means that $\alpha$ and $a$ should be units in $\mathbb{Z}_{26}$.

Suppose we decide that two certain LETTERS (represented by integers $x_1$ and $x_2$) are the ciphertexts of two letters (represented by integers $y_1$ and $y_2$). The coefficients of the decryption key are determined by

$$ax_1 + b = y_1, \qquad ax_2 + b = y_2.$$

From these, $a(x_1 - x_2) = y_1 - y_2 \bmod 26$ should have a solution $a \in \mathbb{Z}_{26}$. The corresponding value of $b$ can be easily determined.

Example 22.1. Suppose by an affine cipher we have the following ciphertext:

HXOFS SGSRP KMFOB EEOOM ECPSF NASKE IXSAI ORSBS KBHAH JOEAP IOAHE KPLSK FHOLE KIIOE EICPF ORSJJ SQOLF WLOKH OBSPS MWDSE XKCCP LESSP APLOO LHXOS PJWBA EGAEH XCHHX OBOMC WFOCL OMCPL RSBHX OOCBJ AOBFS SGEAP HXOEO BAOE

To decipher this we first study the frequencies of the letters:

  A   B   C   D   E   F   G   H   I   J   K   L   M
  11  10  9   1   16  8   3   12  6   5   8   9   5
  N   O   P   Q   R   S   T   U   V   W   X   Y   Z
  1   26  12  1   4   20  0   0   0   4   8   0   0

(1) The most frequently occurring letters are O (26 times) and S (20 times). It is reasonable to take O ← e and S ← t. This suggests a decryption key which takes $14 \mapsto 4$ and $18 \mapsto 19$.

Note that the congruence $(18 - 14)a \equiv 19 - 4 \pmod{26}$, i.e., $4a \equiv 5 \pmod{26}$, is clearly unsolvable.

(2) We try O ← e, and S ← a, with decryption key $14 \mapsto 4$ and $18 \mapsto 0$. This gives $a = -1$ and $b = 18$, and the decryption key $x \mapsto 18 - x \bmod 26$:

  A   B   C   D   E   F   G   H   I   J   K   L   M
  s   r   q   p   o   n   m   l   k   j   i   h   g
  N   O   P   Q   R   S   T   U   V   W   X   Y   Z
  f   e   d   c   b   a   z   y   x   w   v   u   t

With this, the first few letters HXOFSSGSRP correspond to jtclyykyzb, an unintelligible string.

(3) We make another attempt: O ← e and S ← o with decryption key $14 \mapsto 4$ and $18 \mapsto 14$. Here, $4a \equiv 10 \pmod{26}$ has solution $a \equiv 9 \pmod{13}$. Modulo 26, $a$ is either 9 or 22. Since $a$ is a unit in $\mathbb{Z}_{26}$, we choose $a = 9$. From this $b \equiv 4 - 14 \times 9 \equiv 8 \pmod{26}$.

The decryption key $x \mapsto 9x + 8 \bmod 26$ yields the deciphering

            A   B   C   D   E   F   G   H   I   J   K   L   M
  x         0   1   2   3   4   5   6   7   8   9   10  11  12
  9x + 8    8   17  0   9   18  1   10  19  2   11  20  3   12
            i   r   a   j   s   b   k   t   c   l   u   d   m

            N   O   P   Q   R   S   T   U   V   W   X   Y   Z
  x         13  14  15  16  17  18  19  20  21  22  23  24  25
  9x + 8    21  4   13  22  5   14  23  6   15  24  7   16  25
            v   e   n   w   f   o   x   g   p   y   h   q   z

Applying this to the ciphertext, we obtain

  HXOFSSGSRP KMFOBEEOOM ECPSFNASKE IXSAIORSBS
  thebookofn umbersseem sanobvious choiceforo
  KBHAHJOEAP IOAHEKPLSK FHOLEKIIOE EICPFORSJJ
  urtitlesin ceitsundou btedsucces scanbefoll
  SQOLFWLOKH OBSPSMWDSE XKCCPLESSP APLOOLHXOS
  owedbydeut eronomyjos huaandsoon indeedtheo
  PJWBAEGAEH XCHHXOBOMC WFOCLOMCPL RSBHXOOCBJ
  nlyriskist hattherema ybeademand fortheearl
  AOBFSSGEAP HXOEOBAOE
  ierbooksin theseries

The book of numbers seems an obvious choice for our title, since its undoubted success can be followed by Deuteronomy, Joshua, and so on. Indeed the only risk is that there may be a demand for the earlier books in the series.

J. H. Conway and R. K. Guy, The Book of Numbers, Preface.
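The decryption of Example 22.1 is a short computation once the guessed correspondences are written as congruences, and the shift cipher of §22.1 is the special case $a = 1$. The Python block below is an added example, not code from the text: it counts letter frequencies, lists the shifts suggested by reading each top-frequency letter as e, solves $a(x_1 - x_2) \equiv y_1 - y_2 \pmod{26}$ for every unit $a$ (so an impossible guess such as O ← e, S ← t returns no key at all), and applies an affine map letter by letter. The ciphertext of §22.1 is embedded as sample input; the function names are my own.

```python
from collections import Counter
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Ciphertext of §22.1 (the plaintext shifted 5 places forward), used as sample input.
CIPHERTEXT_22_1 = "FUTNSYNXYMFYBMNHMMFXSTUFWYFQNSJNXQJSLYMBNYMTZYGWJFIYMYMJJCYWJRNYNJXTKFQNSJFWJUTNSYX"


def letters_only(text):
    """Lower-case letters of text, everything else dropped."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def frequency_count(ciphertext):
    """(letter, count) pairs, most frequent first."""
    return Counter(letters_only(ciphertext)).most_common()


def shift_candidates(ciphertext, top=3):
    """Encryption shifts (places forward) implied by reading each of the
    top-frequency ciphertext letters as 'e', the commonest English letter."""
    return [(ch, (ALPHABET.index(ch) - ALPHABET.index("e")) % 26)
            for ch, _ in frequency_count(ciphertext)[:top]]


def affine_apply(text, a, b):
    """Apply x -> a x + b (mod 26) to every letter; a shift is the case a = 1."""
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % 26] for ch in letters_only(text))


def solve_affine_key(cipher1, plain1, cipher2, plain2):
    """Decryption keys x -> a x + b with cipher1 -> plain1 and cipher2 -> plain2.

    Solves a (x1 - x2) = y1 - y2 (mod 26) by trying every unit a of Z_26 and
    returns the list of (a, b); an empty list means the guess is impossible.
    """
    x1, x2 = ALPHABET.index(cipher1.lower()), ALPHABET.index(cipher2.lower())
    y1, y2 = ALPHABET.index(plain1.lower()), ALPHABET.index(plain2.lower())
    return [(a, (y1 - a * x1) % 26)
            for a in range(26)
            if gcd(a, 26) == 1 and (a * (x1 - x2) - (y1 - y2)) % 26 == 0]


if __name__ == "__main__":
    print(shift_candidates(CIPHERTEXT_22_1))          # [('y', 20), ('n', 9), ('j', 5)]
    print(affine_apply(CIPHERTEXT_22_1, 1, -5)[:26])  # apointisthatwhichhasnopart
    print(solve_affine_key("O", "e", "S", "t"))        # []  (4a = 5 mod 26 has no solution)
    print(solve_affine_key("O", "e", "S", "o"))        # [(9, 8)]
    print(affine_apply("HXOFSSGSRP", 9, 8))            # thebookofn
```

Undoing a shift of 5 is `affine_apply(text, 1, -5)`; the negative offset is reduced modulo 26 inside. Because `solve_affine_key` keeps only units, the non-unit candidate $a = 22$ of step (3) is filtered out automatically.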

Example 22.2. Decipher the following message obtained by an affine substitution:

FRFYM JRFYN HNFSQ NPJFU FNSYJ WTWFU TJYNX FRFPJ WTKUF YYJWS XNKMN XUFYY JWSXF WJRTW JUJWR FSJSY YMFSY MJNWX NYNXG JHFZX JYMJD FWJRF IJTKN IJFX

Frequency count:

  A   B   C   D   E   F   G   H   I   J   K   L   M
  0   0   0   1   0   18  1   2   2   18  3   0   5
  N   O   P   Q   R   S   T   U   V   W   X   Y   Z
  11  0   2   1   6   7   5   5   0   10  8   13  1

                A   B   C   D   E   F   G   H   I   J   K   L   M
  x             0   1   2   3   4   5   6   7   8   9   10  11  12
  decrypt key

                N   O   P   Q   R   S   T   U   V   W   X   Y   Z
  x             13  14  15  16  17  18  19  20  21  22  23  24  25
  decrypt key

22.3 A matrix encryption system

Consider a cryptosystem that makes use of 25 symbols for the alphabet, by confusing z with x. Identify a, b, c, ..., y with 0, 1, 2, ..., 24, and write these numbers in base 5:

  a   b   c   d   e   f   g   h   i   j   k   l   m
  00  01  02  03  04  10  11  12  13  14  20  21  22
  A   B   C   D   E   F   G   H   I   J   K   L   M

  n   o   p   q   r   s   t   u   v   w   x,z  y
  23  24  30  31  32  33  34  40  41  42  43   44
  N   O   P   Q   R   S   T   U   V   W   X,Z  Y

For encryption, we choose an invertible $2 \times 2$ matrix $P = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ and a column vector $Q = \begin{pmatrix} u \\ v \end{pmatrix}$ over the field $\mathbb{Z}_5$. Treat each of the 2-digit numbers as a column vector $X$, and multiply by $P$ to encode as $X \mapsto PX + Q \in \mathbb{Z}_5^2$.

For $P$ to be invertible, its determinant $ad - bc$ must be nonzero in $\mathbb{Z}_5$. This condition is also sufficient. In this case, the inverse is given by

$$\begin{pmatrix} a & b \\ c & d \end{pmatrix}^{-1} = (ad - bc)^{-1} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix}.$$

The decryption key is a transformation of the same kind, namely, $X \mapsto AX + B$ for some invertible matrix $A$ and column matrix $B$.

For example, with $P = \begin{pmatrix} 2 & 4 \\ 0 & 3 \end{pmatrix}$, $Q = \begin{pmatrix} 1 \\ 3 \end{pmatrix}$, we have

            a   b   c   d   e   f   g   h   i   j   k   l   m
  X         00  01  02  03  04  10  11  12  13  14  20  21  22
  PX + Q    13  01  44  32  20  33  21  14  02  40  03  41  34
            I   B   Y   R   K   S   L   J   C   U   D   V   T

            n   o   p   q   r   s   t   u    v   w   x,z  y
  X         23  24  30  31  32  33  34  40   41  42  43   44
  PX + Q    22  10  23  11  04  42  30  43   31  24  12   00
            M   F   N   G   E   W   P   X,Z  Q   O   H    A

With this encryption key, the plaintext "Let no one ignorant of geometry enter here" is enciphered into

VKPMFFMKCLMFEIMPFSLKFTKPEAKMPKEJKEK

The decryption key is $X \mapsto \begin{pmatrix} 3 & 1 \\ 0 & 2 \end{pmatrix} X - \begin{pmatrix} 1 \\ 1 \end{pmatrix}$.

Example 22.3. Consider the following message obtained from a matrix encryption:

THLLTLENGXSAYTLEAIRTHLKIEXQCYCTYVISOELHLNYCBCXCTA

Here, a frequency count

  A   B   C   D   E   F   G   H   I   J   K   L   M
  3   1   5   0   4   0   1   3   3   0   1   7   0
  N   O   P   Q   R   S   T   U   V   W   X,Z  Y
  2   1   0   1   1   2   6   0   1   0   3    4

suggests L ← e, T ← t, C ← i. We find a decryption key $X \mapsto AX + B$ such that

$$A\begin{pmatrix} 2 \\ 1 \end{pmatrix} + B = \begin{pmatrix} 0 \\ 4 \end{pmatrix}, \qquad A\begin{pmatrix} 3 \\ 4 \end{pmatrix} + B = \begin{pmatrix} 3 \\ 4 \end{pmatrix}, \qquad A\begin{pmatrix} 0 \\ 2 \end{pmatrix} + B = \begin{pmatrix} 1 \\ 3 \end{pmatrix}.$$

By subtraction, we have

$$A\begin{pmatrix} 1 \\ 3 \end{pmatrix} = \begin{pmatrix} 3 \\ 0 \end{pmatrix} \quad \text{and} \quad A\begin{pmatrix} 3 \\ 1 \end{pmatrix} = \begin{pmatrix} 1 \\ 4 \end{pmatrix}.$$

These can be combined into one single matrix equation

$$A\begin{pmatrix} 1 & 3 \\ 3 & 1 \end{pmatrix} = \begin{pmatrix} 3 & 1 \\ 0 & 4 \end{pmatrix}.$$

From this,

$$A = \begin{pmatrix} 3 & 1 \\ 0 & 4 \end{pmatrix}\begin{pmatrix} 1 & 3 \\ 3 & 1 \end{pmatrix}^{-1} = \begin{pmatrix} 0 & 1 \\ 4 & 2 \end{pmatrix},$$

and

$$B = \begin{pmatrix} 0 \\ 4 \end{pmatrix} - \begin{pmatrix} 0 & 1 \\ 4 & 2 \end{pmatrix}\begin{pmatrix} 2 \\ 1 \end{pmatrix} = \begin{pmatrix} 4 \\ 4 \end{pmatrix}.$$

Therefore, the decryption key is

$$X \mapsto \begin{pmatrix} 0 & 1 \\ 4 & 2 \end{pmatrix} X - \begin{pmatrix} 1 \\ 1 \end{pmatrix}.$$

            A   B   C   D   E   F   G   H   I   J   K   L   M
  X         00  01  02  03  04  10  11  12  13  14  20  21  22
  AX + B    44  01  13  20  32  43  00  12  24  31  42  04  11
            y   b   i   k   r   x   a   h   o   q   w   e   g

            N   O   P   Q   R   S   T   U   V   W   X   Y
  X         23  24  30  31  32  33  34  40  41  42  43  44
  AX + B    23  30  41  03  10  22  34  40  02  14  21  33
            n   p   v   d   f   m   t   u   c   j   l   s

Thus, we decode the message as

  THLLT LENGX SAYTL EAIRT HLKIE XQCYC
  theet ernal myste ryoft hewor ldisi
  TYVIS OELHL NYCBC XCTA
  tscom prehe nsibi lity

The eternal mystery of the world is its comprehensibility.

¹ Answer to Example 22.2: A mathematician, like a painter or a poet, is a maker of patterns. If his patterns are more permanent than theirs, it is because they are made of ideas. (G. H. Hardy, A Mathematician's Apology, §10).
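The matrix system of §22.3 and the key recovery of Example 22.3 amount to a few operations on $2 \times 2$ matrices over $\mathbb{Z}_5$. The following Python block is an added example, not code from the text: it encodes letters as base-5 column vectors with z folded into x, applies $X \mapsto MX + V$ (encryption and decryption have the same shape), inverts an encryption key as in §22.3, and recovers $(A, B)$ from three guessed correspondences by the subtraction argument of Example 22.3. The text's own example key and ciphertexts are used as sample input; the function names are my own.

```python
# 25-symbol alphabet of §22.3: z shares the symbol of x.
SYMBOLS = "abcdefghijklmnopqrstuvwxy"
MOD = 5


def to_vec(ch):
    """Letter -> column vector (t, u) of its two base-5 digits, value 5t + u in 0..24."""
    ch = ch.lower()
    if ch == "z":
        ch = "x"
    n = SYMBOLS.index(ch)
    return (n // 5, n % 5)


def from_vec(vec):
    return SYMBOLS[vec[0] * 5 + vec[1]]


def mat_vec(M, X):
    return ((M[0][0] * X[0] + M[0][1] * X[1]) % MOD,
            (M[1][0] * X[0] + M[1][1] * X[1]) % MOD)


def mat_mul(M, N):
    return tuple(tuple(sum(M[i][k] * N[k][j] for k in range(2)) % MOD
                       for j in range(2)) for i in range(2))


def mat_inv(M):
    """Inverse of a 2x2 matrix over Z_5: (ad - bc)^{-1} (d, -b; -c, a)."""
    (a, b), (c, d) = M
    det = (a * d - b * c) % MOD
    if det == 0:
        raise ValueError("matrix is not invertible mod 5")
    inv = pow(det, -1, MOD)
    return ((inv * d % MOD, -inv * b % MOD), (-inv * c % MOD, inv * a % MOD))


def apply_key(text, M, V):
    """X -> M X + V applied to every letter of text; non-letters are dropped."""
    out = []
    for ch in text.lower():
        if ch.isalpha():
            Y = mat_vec(M, to_vec(ch))
            out.append(from_vec(((Y[0] + V[0]) % MOD, (Y[1] + V[1]) % MOD)))
    return "".join(out)


def encrypt(plaintext, P, Q):
    return apply_key(plaintext, P, Q).upper()


def decryption_key(P, Q):
    """Inverse of X -> P X + Q, namely X -> P^{-1} X - P^{-1} Q."""
    A = mat_inv(P)
    AQ = mat_vec(A, Q)
    return A, ((-AQ[0]) % MOD, (-AQ[1]) % MOD)


def decrypt(ciphertext, A, B):
    return apply_key(ciphertext, A, B)


def solve_key(guesses):
    """Recover (A, B) of a decryption key X -> A X + B from three cipher->plain guesses.

    With guesses (c_i -> p_i), subtracting the first equation from the other two
    gives A (X_i - X_1) = Y_i - Y_1 for i = 2, 3, i.e. one matrix equation
    A [dX_2 dX_3] = [dY_2 dY_3], solved with a 2x2 inverse mod 5.
    """
    X = [to_vec(c) for c, _ in guesses]
    Y = [to_vec(p) for _, p in guesses]
    dX = tuple(tuple((X[j][i] - X[0][i]) % MOD for j in (1, 2)) for i in range(2))
    dY = tuple(tuple((Y[j][i] - Y[0][i]) % MOD for j in (1, 2)) for i in range(2))
    A = mat_mul(dY, mat_inv(dX))
    AX1 = mat_vec(A, X[0])
    B = tuple((Y[0][i] - AX1[i]) % MOD for i in range(2))
    return A, B


if __name__ == "__main__":
    P, Q = ((2, 4), (0, 3)), (1, 3)                       # key of §22.3
    print(encrypt("Let no one ignorant of geometry enter here", P, Q))
    print(decryption_key(P, Q))                            # (((3, 1), (0, 2)), (4, 4)), i.e. minus (1, 1)
    A, B = solve_key([("L", "e"), ("T", "t"), ("C", "i")])  # guesses of Example 22.3
    print(A, B, decrypt("THLLTLENGXSAYTLEAIRTHLKIEXQCYCTYVISOELHLNYCBCXCTA", A, B))
```

`solve_key` raises if the three guessed ciphertext letters give a singular difference matrix, which is the signal to pick a different third correspondence. The decrypted text never contains z, because 43 is always written back as x.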

Page 104: MST Number Theory and Cryptographymath.fau.edu/yiu/Oldwebsites/MSTNT2008/MSTNT2008.pdf · 2008-12-02 · 1.4 Exercises 1. Show that (n!+1,(n+1)!+1) = 1. 2. Instead of successive divisions,

Chapter 23

A public key cryptosystem

23.1 RSA-cryptosystems

The RSA-cryptosystem¹ is a public key cryptosystem based on the difficulty of factorization of large integers. Let $p$ and $q$ be prime numbers, and $N = pq$, with
\[ \varphi(N) = \varphi(pq) = (p - 1)(q - 1) = N + 1 - p - q. \]
Let $e$ be an integer prime to $\varphi(N)$, so that there exists $d$ with $ed \equiv 1 \bmod \varphi(N)$. In such a cryptosystem, plaintexts and ciphertexts are converted into numbers $< N$. Here are some standard ways to do this.

(1) The letters in the alphabet are first converted into two-digit numbers and then concatenated to form a large number (not exceeding $N$). If $N$ is a 100-digit number, then we agree to concatenate strings of 40 letters into 80-digit numbers. In order to avoid "missing zeros" in the leftmost positions, we may agree to convert, for example, a, b, c, ... into 10, 11, ..., 35.

(2) Suppose $N > 26^k$. We may regard a block of $k$ letters (under the usual identification of a, b, c, ... with 0, 1, ..., 25) as the base-26 expansion of an integer. For example, if $N \approx 500{,}000$, we may convert blocks of 4 letters like math into
\[ 12 \cdot 26^3 + 0 \cdot 26^2 + 19 \cdot 26 + 7 = 211413 \]
and other numbers $< N$. In the examples below, we shall make use of this scheme. For texts involving numbers $< N$, the RSA-cryptosystem has

(i) encryption key $\mathrm{RSA}_e = (N, e)$, which converts a plaintext $x$ into a ciphertext $x^e \bmod N$, and
(ii) decryption key $\mathrm{RSA}_d = (N, d)$, which converts a ciphertext $x$ into a plaintext $x^d \bmod N$.

¹ Named after Rivest, Shamir and Adleman.


Example 23.1. Here is an illustration with small primes. Let $N = 1271$ (which is the product of two small primes, 31 and 41). Here $\varphi(N) = 1200$. We treat texts as 2-letter blocks, and use the encryption key $\mathrm{RSA}_e(1271, 7)$. Given the plaintext no, we
(i) convert it into the number $x = 13 \cdot 26 + 14 = 352$,
(ii) compute $352^7 \bmod 1271$, getting 602, and
(iii) write $602 = 23 \cdot 26 + 4$, corresponding to XE.

For the decryption key, we first find $\varphi(1271) = 1200$ and the inverse of 7 mod 1200, which is $d = 343$. This leads to $\mathrm{RSA}_d(1271, 343)$. Therefore, to decode the message,
(i') convert XE into the integer 602,
(ii') compute $602^{343} \bmod 1271$, getting 352,
(iii') write $352 = 13 \cdot 26 + 14$ and decipher the text as no.

Given a large number $N$ which is known to be the product of two large prime numbers, it is very difficult to factor $N$ (equivalently, to find $\varphi(N)$), and therefore to find the inverse $d = e^{-1} \bmod \varphi(N)$.

Bob publishes on his website his encryption key
\[ f_B := \mathrm{RSA}_e(N, e) \]
and conceals his decryption key
\[ f_B^{-1} := \mathrm{RSA}_d(N, d). \]
He invites messages sent to him encrypted by his public key. Alice does so. She takes a plaintext $x$, encodes it according to $f_B(x) = x^e \bmod N$, and sends it to Bob as a ciphertext $y < N$. When Bob receives this, he deciphers by using his own (concealed) decryption key and retrieves $x = y^d \bmod N$ as the plaintext.

Even when a spy (Eve) intercepts Alice's message, she has no reasonable means of deciphering it, even though Bob's encryption key has been made public.

23.2 Signature

Alice and Bob, by publishing their own encryption keys:
\[ \text{Alice: } f_A := \mathrm{RSA}_e(N_a, e_a), \qquad \text{Bob: } f_B := \mathrm{RSA}_e(N_b, e_b), \]
can communicate without fearing intercepted messages being decoded easily. Alice wants to send a message (in the form of a number $x < N := \min(N_a, N_b)$) to Bob in such a way that Bob knows that the message is from her. It is not enough to just send $f_B(x)$ to Bob. Instead, Alice sends $z := f_B \circ f_A^{-1}(x)$. In other words, Alice applies
(i) to $x$ her own (concealed) decryption key $f_A^{-1}$ to get $y$, and then
(ii) to $y$ Bob's public key $f_B$ to get $z$.
Alice then sends $z$ to Bob. When Bob receives $z$, he applies
(i) first his own decryption key $f_B^{-1}$ to get $w$ (which is the same as $y$ above), and then
(ii) to $w$ Alice's public key $f_A$ to get a meaningful message $x$.

Since Alice is (supposedly) the only person knowing $f_A^{-1}$, Bob knows that this message has been sent by Alice.

Example 23.2. Suppose Alice's public key is $f_A = \mathrm{RSA}_e(1247, 11)$. Her concealed decryption key is $f_A^{-1} = \mathrm{RSA}_d(1247, 107)$. Bob uses the public key $f_B = \mathrm{RSA}_e(1271, 7)$ and conceals his own decryption key $f_B^{-1} = \mathrm{RSA}_d(1271, 343)$. To send the message no (corresponding to the number $x = 352$) to Bob, Alice
(i) uses her own decryption key to find $y = 352^{107} \equiv 796 \bmod 1247$,
(ii) applies Bob's public key to get $z = 796^7 \equiv 259 \bmod 1271$,
and sends $z$ (or the corresponding ciphertext JZ).

When Bob receives JZ (or the number 259), he
(i') applies his own decryption key to get $w = 259^{343} \equiv 796 \bmod 1271$,
(ii') applies Alice's public key to get $x = 796^{11} \equiv 352 \bmod 1247$, which corresponds to the plaintext no.
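Examples 23.1 and 23.2 in code, as an added example that is not part of the notes: key generation from $p$, $q$, $e$, the 2-letter base-26 block encoding, and the sign-then-encrypt composition $z = f_B(f_A^{-1}(x))$ with its reversal on Bob's side. This is textbook RSA on tiny moduli with no padding, used only to reproduce the chapter's numbers.

```python
# Added example (not from the notes): textbook RSA with the chapter's 2-letter base-26
# blocks, plus the composition z = f_B(f_A^{-1}(x)) of 23.2 and its reversal by Bob.
# Keys are those of Examples 23.1 and 23.2; unpadded RSA on such moduli is for illustration only.
from math import gcd

def make_keys(p, q, e):
    """Return ((N, e), (N, d)) with d = e^{-1} mod phi(N), phi(N) = (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be prime to phi(N)")
    d = pow(e, -1, phi)                       # modular inverse (Python 3.8+)
    return (N, e), (N, d)

def encode_block(text):
    """'no' -> 13*26 + 14 = 352 (a=0, ..., z=25, most significant letter first)."""
    x = 0
    for ch in text.lower():
        x = x * 26 + (ord(ch) - ord("a"))
    return x

def decode_block(x, k):
    """Inverse of encode_block for a k-letter block."""
    out = []
    for _ in range(k):
        x, r = divmod(x, 26)
        out.append(chr(ord("a") + r))
    return "".join(reversed(out))

def rsa(key, x):
    """Both f = RSA_e(N, e) and f^{-1} = RSA_d(N, d) are the map x -> x^exp mod N."""
    N, exp = key
    return pow(x, exp, N)

def sign_and_encrypt(x, sender_priv, receiver_pub):
    """Alice: y = f_A^{-1}(x), then z = f_B(y).  Needs x < min(N_A, N_B) and y < N_B."""
    return rsa(receiver_pub, rsa(sender_priv, x))

def decrypt_and_verify(z, receiver_priv, sender_pub):
    """Bob: w = f_B^{-1}(z), then x = f_A(w); a meaningful x shows Alice produced it."""
    return rsa(sender_pub, rsa(receiver_priv, z))

# Keys from the examples: Bob's N = 31*41 = 1271, Alice's N = 29*43 = 1247.
bob_pub, bob_priv = make_keys(31, 41, 7)          # (1271, 7), (1271, 343)
alice_pub, alice_priv = make_keys(29, 43, 11)     # (1247, 11), (1247, 107)

if __name__ == "__main__":
    x = encode_block("no")                         # 352
    c = rsa(bob_pub, x)                            # 602 -> "xe"
    print(c, decode_block(c, 2), decode_block(rsa(bob_priv, c), 2))
    z = sign_and_encrypt(x, alice_priv, bob_pub)   # 259 -> "jz"
    print(z, decode_block(z, 2), decode_block(decrypt_and_verify(z, bob_priv, alice_pub), 2))
```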


Chapter 24

Factoring integers

24.1 Flipping a coin over the phone

Alice and Bob play a coin-flipping game over the phone.

(1) Alice chooses two large distinct prime numbers $p$ and $q$, both congruent to 3 mod 4, computes the product $N = pq$ and gives it to Bob, concealing the primes $p$ and $q$.

(2) Bob takes a random integer $x < N/2$ and sticks it to one side of a coin. He then computes $y = x^2 \bmod N$ and gives it to Alice.

Modulo $N$, this number $y$ has four square roots $\pm A$ and $\pm B$. One of them is congruent to $x \bmod N$. Over the telephone, Alice would give Bob a number. She wins if her number is congruent to $\pm x \bmod N$, and loses if not.

(3) Alice, using the primes $p$ and $q$, can actually compute the four square roots of $y \bmod N$. This is what she would do. Since $p \equiv q \equiv 3 \bmod 4$, $\frac{p+1}{4}$ and $\frac{q+1}{4}$ are integers. Alice puts
\[ a \equiv y^{\frac{p+1}{4}} \bmod p \quad\text{and}\quad b \equiv y^{\frac{q+1}{4}} \bmod q. \]
It is easy to check that $a^2 \equiv y \bmod p$ and $b^2 \equiv y \bmod q$. By the Chinese remainder theorem, Alice finds $A \bmod N$ and $B \bmod N$ satisfying
\[ A \equiv a \bmod p, \qquad A \equiv b \bmod q, \]
and
\[ B \equiv a \bmod p, \qquad B \equiv -b \bmod q. \]

(4) Alice sticks $\pm A$ to one side of her coin, and $\pm B$ to the other side. She chooses one face and reports the numbers ($\pm A$ or $\pm B$) to Bob. She wins if her number coincides with Bob's, and loses otherwise. In other words, Alice wins if and only if her coin turns up the same face as Bob's.

(5) Receiving Alice's number, Bob informs her if she wins or loses.


Suppose Bob tells Alice that she loses. How can Alice make sure that Bob does not lie? If Alice really loses, she would have given a square root of $y$ distinct from $\pm x$. This means Bob now has both square roots $\pm A$ and $\pm B$ of $y \bmod N$. From $A^2 \equiv B^2 \bmod N$, he should be able to factor $N = pq$ (by giving $\gcd(A - B, N)$ as a nontrivial divisor).

Here is an illustration with very small primes.

Example 24.1. Alice chooses $p = 43$ and $q = 59$ (both prime numbers of the form $4k + 3$). She computes the product
\[ N = pq = 2537 \]
and gives it to Bob. Bob chooses the number $x = 1234$, and gives Alice
\[ y = x^2 \equiv 556 \bmod N. \]
When Alice receives $y$, she first computes $a = 556^{11} \equiv (-3)^{11} \equiv 13 \bmod 43$ and $b = 556^{15} \equiv 25^{15} \equiv 5 \bmod 59$, and then determines $A$ and $B$ by the Chinese remainder theorem,
\[ A \equiv 13 \bmod 43,\ A \equiv 5 \bmod 59 \;\Rightarrow\; A \equiv 1303 \equiv -1234 \bmod 2537, \]
and
\[ B \equiv 13 \bmod 43,\ B \equiv -5 \bmod 59 \;\Rightarrow\; B \equiv 1647 \equiv -890 \bmod 2537. \]
Therefore, Alice wins if she gives 1234 or 1303, and loses if she gives 890 or 1647. Suppose she gives 890 to Bob. Bob would tell her that she loses and confirms this by giving her the divisor $\gcd(1234 - 890, 2537) = 43$ of $N$.
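Alice's computation in 24.1 and Bob's check, as an added example that is not part of the notes: square roots modulo $p, q \equiv 3 \bmod 4$ by the exponent $\frac{p+1}{4}$, the two CRT combinations $A$ and $B$, and the gcd by which Bob confirms a "you lose" answer, on the numbers of Example 24.1.

```python
# Added example (not from the notes): Alice's side of the coin-flipping protocol of 24.1
# (square roots of y mod N = pq via y^((p+1)/4) and the Chinese remainder theorem) and Bob's
# confirmation of a loss by factoring N from two essentially different roots.
# Numbers are those of Example 24.1.
from math import gcd

def sqrt_mod_prime_3mod4(y, p):
    """For p = 3 mod 4 and y a square mod p, y^((p+1)/4) is a square root of y mod p."""
    if p % 4 != 3:
        raise ValueError("p must be 3 mod 4")
    r = pow(y, (p + 1) // 4, p)
    if r * r % p != y % p:
        raise ValueError("y is not a square mod p")
    return r

def crt2(a, p, b, q):
    """The unique A mod pq with A = a mod p and A = b mod q (p, q coprime)."""
    inv_p = pow(p, -1, q)
    return (a + p * ((b - a) * inv_p % q)) % (p * q)

def four_square_roots(y, p, q):
    """Return (A, B): the four square roots of y mod pq are +-A and +-B."""
    a = sqrt_mod_prime_3mod4(y, p)
    b = sqrt_mod_prime_3mod4(y, q)
    A = crt2(a, p, b, q)             # A = a mod p, A =  b mod q
    B = crt2(a, p, -b % q, q)        # B = a mod p, B = -b mod q
    return A, B

def bob_confirms_loss(x, alice_number, N):
    """If Alice's root is not +-x, gcd(x - r, N) is a nontrivial factor of N; else None."""
    g = gcd(x - alice_number, N)
    return g if 1 < g < N else None

if __name__ == "__main__":
    p, q = 43, 59
    N = p * q                        # 2537
    x = 1234                         # Bob's secret, < N/2
    y = x * x % N                    # 556, sent to Alice
    A, B = four_square_roots(y, p, q)
    print(A, B, N - A, N - B)        # 1303 1647 1234 890
    print(bob_confirms_loss(x, 890, N))    # 43
    print(bob_confirms_loss(x, 1303, N))   # None: 1303 = -1234, Alice wins
```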

24.2 The quadratic sieve

Lemma 24.1. Given an integer $N$, if there are integers $x, y$ satisfying
\[ x^2 \equiv y^2 \bmod N, \quad\text{but}\quad x \not\equiv \pm y \bmod N, \]
then $N$ is composite with a nontrivial divisor $\gcd(x - y, N)$.

Examples. (1) For $N = 799$, we have
\[ 30^2 \equiv 101 \bmod N \quad\text{and}\quad 64^2 \equiv 101 \bmod N. \]
This means that modulo $N$, $0 \equiv 64^2 - 30^2 \equiv (64 - 30)(64 + 30) \equiv 2 \cdot 17 \cdot 2 \cdot 47$. Since $N$ is odd, we obtain the divisors 17 and 47. Indeed, $799 = 17 \cdot 47$.


(2) Let $N = 3837523$. We have
\[ 9398^2 \equiv 5^5 \cdot 19 \bmod N, \]
\[ 19095^2 \equiv 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \bmod N, \]
\[ 1964^2 \equiv 3^2 \cdot 13^3 \bmod N, \]
\[ 17078^2 \equiv 2^6 \cdot 3^2 \cdot 11 \bmod N. \]
Multiplication gives
\[ (9398 \cdot 19095 \cdot 1964 \cdot 17078)^2 \equiv (2^4 \cdot 3^2 \cdot 5^3 \cdot 11 \cdot 13^2 \cdot 19)^2 \bmod N, \]
or $2230387^2 \equiv 2586705^2 \bmod N$.

Thus, $\gcd(3837523, 2586705 - 2230387) = \gcd(3837523, 356318) = 1093$ is a divisor of $N$. The other divisor is 3511.

24.3 Factoring by continued fractions

Since the convergents of the continued fraction expansion of $\sqrt{N}$ are very good rational approximations to $\sqrt{N}$, it is expected that for such a convergent $\frac{P}{Q}$, $P^2 - NQ^2$ is a small integer (in comparison with $N$), and so has a factorization into "small primes". This observation provides a reasonable way of performing the quadratic sieve.

Example 24.2. Let $N = 2537$. From the continued fraction expansion of
\[ \sqrt{N} = [50, 2, 1, 2, 2, 12, 5, 1, 5, 2, 5, 1, 5, 12, 2, 2, 1, 2, 100], \]
we compute

    q_k              50    2    1    2    2   ...
    P_k              50  101  151  403  957   ...
    P_k^2 mod N     -37   53  -32   41   -8   ...

From these,
\[ 151^2 \equiv -2^5 \bmod N, \qquad 957^2 \equiv -2^3 \bmod N. \]
Therefore, $(151 \cdot 957)^2 \equiv (2^4)^2 \bmod N$. From this, we obtain $\gcd(151 \cdot 957 - 2^4, 2537) = 59$. This gives the factorization $2537 = 59 \cdot 43$.


Example 24.3. Consider again $N = 3837523$, with continued fraction¹
\[ \sqrt{N} = [1958, 1, 23, 1, 3, 1, 13, 1, 1, 4, 4, 1, 1, 5, 16, 1, 1, 1, 2, 1, 5, 2, 2, 1, 3, 1, 1, 3, 1, 1, 3, 1, 1, 1, 3, 5, 1, 61, 2, 1, 6, \ldots]. \]
If we restrict to very small primes, we find with the 36-th convergent $q_{35} = 5$, $P_{35} = 428399$. Here,
\[ 428399^2 \equiv 3249 \equiv (3 \cdot 19)^2 \bmod N. \]
This gives $\gcd(428399 - 3 \cdot 19, N) = 3511$ as a divisor. The other divisor is $\gcd(428399 + 3 \cdot 19, N) = 1093$.

Exercise

1. Let $N = 642401$. Make use of
\[ 516107^2 \equiv 7 \bmod N \quad\text{and}\quad 187722^2 \equiv 2^2 \cdot 7 \bmod N \]
to factor $N$.

2. Let $N = 2288233$. Make use of
\[ 880525^2 \equiv 2 \bmod N, \quad 2057202^2 \equiv 3 \bmod N, \quad 648581^2 \equiv 6 \bmod N \]
to factor $N$.

¹ The period has length 1162. We list here the first 40 entries of the period.
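The relation-combining step of 24.2 and the continued-fraction search of 24.3 in code, as an added example that is not part of the notes. Relations $x^2 \equiv \prod p^{e}$ (mod $N$) are collected either from given $x$ or from the convergents $P_k/Q_k$ of $\sqrt N$ (the recurrence for the partial quotients is the standard one for $\sqrt N$), and a subset with all exponents even gives $x^2 \equiv y^2$ and a divisor by Lemma 24.1; the subset search is brute force here, where a real sieve uses linear algebra over $\mathrm{GF}(2)$.

```python
# Added example (not from the notes): difference-of-squares factoring from smooth relations
# (24.2) and the continued-fraction relation search (24.3), on the notes' own numbers.
# Subsets of relations are combined by brute force; a real quadratic sieve finds the
# even-exponent combination by linear algebra over GF(2).
from itertools import combinations
from math import gcd, isqrt

def factor_over_base(n, primes):
    """(sign, {p: e}) if |n| factors completely over `primes`, else None."""
    sign, n = (-1 if n < 0 else 1), abs(n)
    exps = {}
    for p in primes:
        while n % p == 0:
            exps[p] = exps.get(p, 0) + 1
            n //= p
    return (sign, exps) if n == 1 else None

def relations_from_squares(N, xs, primes):
    """Relations (x mod N, sign, exps) with x^2 = sign * prod p^e (mod N), keeping smooth ones."""
    rels = []
    for x in xs:
        f = factor_over_base(x * x % N, primes)
        if f:
            rels.append((x % N, f[0], f[1]))
    return rels

def cf_sqrt_relations(N, primes, terms):
    """Convergents P_k/Q_k of sqrt(N): P_k^2 - N Q_k^2 is small (it is +-d_{k+1} of the
    expansion), so it is tested for smoothness and kept as a relation for P_k."""
    a0 = isqrt(N)
    if a0 * a0 == N:
        raise ValueError("N is a perfect square")
    m, d, a = 0, 1, a0
    p_prev, p_cur, q_prev, q_cur = 1, a0, 0, 1      # P_{-1}/Q_{-1} = 1/0, P_0/Q_0 = a0/1
    rels = []
    for _ in range(terms):
        f = factor_over_base(p_cur * p_cur - N * q_cur * q_cur, primes)
        if f:
            rels.append((p_cur % N, f[0], f[1]))
        m = d * a - m                                 # next partial quotient of sqrt(N)
        d = (N - m * m) // d
        a = (a0 + m) // d
        p_prev, p_cur = p_cur, a * p_cur + p_prev     # convergent recurrences
        q_prev, q_cur = q_cur, a * q_cur + q_prev
    return rels

def combine_relations(N, rels):
    """Find a subset whose product is x^2 = y^2 with every exponent (and the number of
    negative signs) even, and return gcd(x -+ y, N) when nontrivial (Lemma 24.1), else None."""
    for size in range(1, len(rels) + 1):
        for subset in combinations(rels, size):
            neg, total = 0, {}
            for _, sign, exps in subset:
                neg += sign < 0
                for p, e in exps.items():
                    total[p] = total.get(p, 0) + e
            if neg % 2 or any(e % 2 for e in total.values()):
                continue
            x = y = 1
            for r, _, _ in subset:
                x = x * r % N
            for p, e in total.items():
                y = y * pow(p, e // 2, N) % N
            for g in (gcd(x - y, N), gcd(x + y, N)):
                if 1 < g < N:
                    return g
    return None

if __name__ == "__main__":
    base = [2, 3, 5, 7, 11, 13, 17, 19]
    rels = relations_from_squares(3837523, [9398, 19095, 1964, 17078], base)
    print(combine_relations(3837523, rels))                 # 1093, Example (2)
    rels = cf_sqrt_relations(2537, [2, 3, 5, 7], 5)
    print(rels)                                             # relations for 151 and 957
    print(combine_relations(2537, rels))                    # 59, Example 24.2
```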


Chapter 25

Elliptic Curves

25.1 Group law on $y^2 = x^3 + ax^2 + bx + c$

Consider an elliptic curve
\[ (E)\qquad y^2 = f(x) := x^3 + ax^2 + bx + c. \]
We shall write a point $P$ on $(E)$ in the form $P = (x[P], y[P])$, and put the identity at a point at infinity, so that
\[ y[-P] = -y[P]. \]

(Figure: the points $P$, $Q$, $P * Q$ and $P + Q$ on the curve.)

Consider a line of slope $m$ passing through $P$. It has equation $y - y[P] = m(x - x[P])$. It intersects the elliptic curve $(E)$ at points whose $x$-coordinates are the roots of the equation
\[ (mx + (y[P] - mx[P]))^2 = x^3 + ax^2 + bx + c, \]
or equivalently,
\[ x^3 - (m^2 - a)x^2 - (2m(y[P] - mx[P]) - b)x + c - (y[P] - mx[P])^2 = 0. \]


Since the sum of the three roots of the cubic is $m^2 - a$, we make the following conclusions.

(1) If the line is the tangent at $P$, then
(i) $m = \dfrac{f'(x[P])}{2y[P]}$,
(ii) the third intersection has $x$-coordinate
\[
\begin{aligned}
m^2 - a - 2x[P] &= \frac{f'(x[P])^2}{4y[P]^2} - a - 2x[P] \\
&= \frac{x[P]^4 - 2b\,x[P]^2 - 8c\,x[P] + (b^2 - 4ac)}{4y[P]^2} \\
&= \frac{x[P]^4 - 2b\,x[P]^2 - 8c\,x[P] + (b^2 - 4ac)}{4(x[P]^3 + a\,x[P]^2 + b\,x[P] + c)}.
\end{aligned}
\]
The $y$-coordinate can be computed from the equation of the line. In particular,
\[ x[2P] = \frac{x[P]^4 - 2b\,x[P]^2 - 8c\,x[P] + (b^2 - 4ac)}{4(x[P]^3 + a\,x[P]^2 + b\,x[P] + c)}. \]

(2) If the line joins two points $P_1$ and $P_2$ on $(E)$, then
(i) $m = \dfrac{y[P_1] - y[P_2]}{x[P_1] - x[P_2]}$;
(ii) the third intersection has $x$-coordinate
\[
\begin{aligned}
m^2 - a - x[P_1] - x[P_2] &= \left(\frac{y[P_1] - y[P_2]}{x[P_1] - x[P_2]}\right)^2 - a - (x[P_1] + x[P_2]) \\
&= \frac{x[P_1]x[P_2](x[P_1] + x[P_2] + 2a) + b(x[P_1] + x[P_2]) + 2c - 2y[P_1]y[P_2]}{(x[P_1] - x[P_2])^2}.
\end{aligned}
\]
The $y$-coordinate can be computed from the equation of the line.

25.2 The discriminant

The discriminant of the cubic $f(x) := x^3 + ax^2 + bx + c$ is the number
\[ D := -4a^3c + a^2b^2 + 18abc - 4b^3 - 27c^2. \]

Theorem 25.1 (Nagell-Lutz). Let $P = (x, y)$ be a finite order point of $(E) : y^2 = x^3 + ax^2 + bx + c$. Then either $y = 0$ (in which case $P$ has order 2) or $y^2 \mid D$.

Theorem 25.2 (Mazur). The torsion group of the rational points of an elliptic curve over $\mathbb{Q}$ is one of the following 15 groups:
(i) $\mathbb{Z}_n$ with $n = 1, 2, 3, \ldots, 9, 10, 12$;
(ii) $\mathbb{Z}_{2n} \oplus \mathbb{Z}_2$ with $n = 1, 2, 3, 4$.


Example 25.1. $y^2 = x^3 + 17$ has two obvious integer points $P = (-2, 3)$ and $Q = (-1, 4)$. The entry in row $h$, column $k$ of the following table is $hP + kQ$:

    h \ k        -1                      0            1
    -2           (2, -5)               (8, 23)      (-206/81, -541/729)
    -1           (4, 9)                (-2, -3)     (52, -375)
     0           (-1, -4)              oo           (-1, 4)
     1           (52, 375)             (-2, 3)      (4, -9)
     2           (-206/81, 541/729)    (8, -23)     (2, 5)

Also $3P + 2Q = (43, 280)$ and $2P + 3Q = (5234, 378661)$.

(Figure: associativity, $P * (Q + R) = (P + Q) * R$, showing the points $O$, $P$, $Q$, $R$, $P * Q$, $Q * R$, $P + Q$ and $Q + R$.)


Example 25.2. $y^2 = x^3 - 43x + 166$ has an integer point $P = (3, 8)$.
\[ 2P = (-5, -16), \qquad 3P = (11, -32), \qquad 4P = (11, 32). \]
This means that $4P = -3P$ and $7P = 0$. The point generates a cyclic group of order 7.

25.3 Points of finite order

Consider an elliptic curve
\[ y^2 = f(x) = x^3 + ax^2 + bx + c. \]

(1) A point $P = (x, y)$ has order 2 if and only if $y = 0$. In this case, $x$ is a root of $f(x)$.

(2) A point $P = (x, y)$ has order 3 if and only if $x$ is a root of
\[ 3x^4 + 4ax^3 + 6bx^2 + 12cx + (4ac - b^2) = 0. \]
Proof. $x[2P] = x[P]$.

Theorem 25.3 (Nagell-Lutz). Let $y^2 = x^3 + ax^2 + bx + c$, $a, b, c \in \mathbb{Z}$, be a nonsingular cubic curve with discriminant $D$. If $P = (x, y)$ is a rational point of finite order, then $x$ and $y$ are integers and either $y = 0$ (in which case $P$ has order 2) or $y^2 \mid D$.

Example 25.3. $y^2 = x^3 + 5x^2 + 4x = x(x + 1)(x + 4)$ has three rational roots. The points $(0, 0)$, $(-1, 0)$, and $(-4, 0)$ are order 2 points. The discriminant is $D = 2^4 \cdot 3^2$.
$y^2 = 2^2$: $x = -2$, giving $(-2, 2)$, $(-2, -2)$.
$y^2 = 2^2 \cdot 3^2$: $x = 2$, giving $(2, 6)$, $(2, -6)$.
For each of these, $x(2P) = 0$. This means that these are order 4 points.

Theorem 25.4 (Mazur). The torsion group of the rational points of an elliptic curve over $\mathbb{Q}$ is one of the following 15 groups:
(i) $\mathbb{Z}_n$ with $n = 1, 2, 3, \ldots, 9, 10, 12$;
(ii) $\mathbb{Z}_{2n} \oplus \mathbb{Z}_2$ with $n = 1, 2, 3, 4$.

Example 25.4.

    Elliptic curve      Torsion group    Discriminant
    y^2 = x^3 + 2       0                -2^2 * 3^3
    y^2 = x^3 + x       Z_2              -2^2
    y^2 = x^3 + 4       Z_3              -2^4 * 3^3
    y^2 = x^3 + 4x      Z_4              -2^8


Chapter 26

Factoring Integers 2

26.1 Pollard’s algorithm

To factor a large composite integer $N$, first choose a number $K$, say of the form
\[ l_k = \mathrm{LCM}[1, 2, \ldots, k], \]
and compute $\gcd(2^{l_k} - 1, N)$.¹ If this is between 1 and $N$, then it gives a factorization of $N$.

To execute the computations efficiently, note that if we write $c_k = \dfrac{k}{\gcd(k, l_{k-1})}$ and $b_k = 2^{l_k} \bmod N$, then
(i) $l_k = c_k l_{k-1}$,
(ii) $b_k \equiv b_{k-1}^{c_k} \bmod N$.

Example 26.1. $N = 2537$:

    k   c_k   l_k   b_k := 2^{l_k} mod N   gcd(b_k - 1, N)
    2    2      2       4                   1
    3    3      6      64                   1
    4    2     12    -978                   1
    5    5     60    -586                   1
    6    1     60    -586                   1
    7    7    420    1162                  43

This gives $2537 = 43 \cdot 59$.

Example 26.2. Let $N = 246082373$.

¹ The base 2 may be replaced by any other $a$ in the range $1 < a < N$.


    k   c_k   l_k    b_k := 2^{l_k} mod N             gcd(b_k - 1, N)
    1    1      1    2                                   1
    2    2      2    2^2 = 4                             1
    3    3      6    4^3 = 64                            1
    4    2     12    64^2 = 4096                         1
    5    5     60    4096^5 = -51132818                  1
    6    1     60    -51132818                           1
    7    7    420    (-51132818)^7 = 60592910            1
    8    2    840    60592910^2 = -30746792              1
    9    3   2520    (-30746792)^3 = -115141632       2521

Note $\gcd(b_9 - 1, N) = \gcd(-115141633, N) = 2521$ since
\[ (-115141633)(21806) + (246082373)(10203) = 2521. \]
Thus, we have found a divisor 2521 of 246082373. This gives
\[ 246082373 = 2521 \cdot 97613. \]

Example 26.3. $N = 618240007109027021$. It takes $k = 243$ to get the divisor 250387201 and the factorization
\[ N = 250387201 \cdot 2469135821. \]
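The procedure of 26.1 in code, as an added example that is not part of the notes: $b_k$ is updated as $b_{k-1}^{c_k} \bmod N$ with $c_k = k/\gcd(k, l_{k-1})$, and the first $k$ with $1 < \gcd(b_k - 1, N) < N$ gives a divisor, reproducing the tables of Examples 26.1 and 26.2.

```python
# Added example (not from the notes): Pollard's p-1 method of 26.1 with the incremental update
# l_k = c_k l_{k-1}, b_k = b_{k-1}^{c_k} mod N, c_k = k / gcd(k, l_{k-1}), so that
# b_k = 2^{l_k} mod N is never recomputed from scratch.  Numbers are those of Examples 26.1-26.2.
from math import gcd

def p_minus_1_rows(N, k_max, a=2):
    """Rows (k, c_k, l_k, b_k, gcd(b_k - 1, N)) for k = 2..k_max, as in the tables of 26.1."""
    rows, l, b = [], 1, a % N            # l_1 = 1, b_1 = a
    for k in range(2, k_max + 1):
        c = k // gcd(k, l)               # l_k = lcm(1, ..., k) = c_k * l_{k-1}
        l *= c
        b = pow(b, c, N)                 # b_k = b_{k-1}^{c_k} mod N
        rows.append((k, c, l, b, gcd(b - 1, N)))
    return rows

def pollard_p_minus_1(N, k_max, a=2):
    """(k, g) for the first k with 1 < g = gcd(a^{l_k} - 1, N) < N, or None if no such k up to
    k_max.  A gcd equal to N means p - 1 | l_k for every prime p | N: retry with another base."""
    if gcd(a, N) != 1:
        return None
    for k, _, _, _, g in p_minus_1_rows(N, k_max, a):
        if 1 < g < N:
            return k, g
        if g == N:
            return None
    return None

if __name__ == "__main__":
    for row in p_minus_1_rows(2537, 7):
        print(row)                                   # last row: (7, 7, 420, 1162, 43)
    print(pollard_p_minus_1(246082373, 9))           # (9, 2521)
```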

26.2 Factoring with elliptic curves

Given an elliptic curve
\[ (E)\qquad y^2 = x^3 + bx + c \]
with integer coefficients and a prime number $p$, we consider
\[ (E)_p\qquad y^2 \equiv x^3 + bx + c \pmod{p}. \]
The addition laws
\[ x(P_1 + P_2) = m^2 - x(P_1) - x(P_2), \qquad x(2P) = \lambda^2 - 2x(P), \]
apply to $(E)_p$ since
\[ m = \frac{y(P_1) - y(P_2)}{x(P_1) - x(P_2)}, \qquad \lambda = \frac{3x^2 + b}{2y} \]
can be interpreted as elements of $\mathbb{Z}_p$.


Example 26.4. Consider $(E)_5 : y^2 = x^3 + 4x + 4 \pmod{5}$. There are only finitely many points on the curve, namely,
\[ (0, 2),\ (0, 3),\ (1, 2),\ (1, 3),\ (2, 0),\ (4, 2),\ (4, 3),\ \infty. \]
In computing $(1, 2) + (4, 3)$, we have $m = \frac{3 - 2}{4 - 1} = \frac{1}{3} \equiv 2 \bmod 5$. Therefore, from
\[ x_3 \equiv 2^2 - 1 - 4 \equiv 4 \bmod 5, \qquad y_3 \equiv 2(4 - 1) + 2 \equiv 3 \bmod 5, \]
we have $(1, 2) + (4, 3) = (4, -3) = (4, 2) \in (E)_5$.

Example 26.5. Consider $(E)_{2011} : y^2 = x^3 + 4x + 4 \pmod{2011}$. With $P = (1, 3)$, we compute $2P$ by first evaluating at $(1, 3)$:
\[ 2y\,dy = (3x^2 + 4)\,dx \;\Rightarrow\; \frac{dy}{dx} = \frac{7}{6}. \]
Now, since $2011 + 6 \cdot (-335) = 1$, we have $\lambda = \frac{7}{6} \equiv 7 \times (-335) = -334$. Therefore, from
\[ x_2 \equiv \lambda^2 - 2 \cdot 1 \equiv 949 \bmod 2011, \qquad y_2 \equiv -334(949 - 1) + 3 \equiv -902 \bmod 2011, \]
we have $2(1, 3) = (949, 902) \in (E)_{2011}$. Similarly, $3P = (410, -824) \in (E)_{2011}$.

Now we work out an example when the prime $p$ is replaced by a composite. Consider $(E)_{2773} : y^2 \equiv x^3 + 4x + 4 \pmod{2773}$, again with $P = (1, 3)$. Since $2773 - 6 \cdot 462 = 1$, we have $\lambda = \frac{7}{6} \equiv 7 \times (-462) = -461$. Therefore, from
\[ x_2 \equiv \lambda^2 - 2 \cdot 1 \equiv -1002 \bmod 2773, \qquad y_2 \equiv -461(-1002 - 1) + 3 \equiv -705 \bmod 2773, \]
we have $2(1, 3) = (-1002, 705)$. Now, when we compute $3P = 2P + P$, we have
\[ m = \frac{705 - 3}{-1002 - 1} = \frac{702}{-1003}. \]
Attempting to find the inverse of 1003 modulo 2773, we find instead $\gcd(2773, 1003) = 59 = 2773 \cdot 4 - 1003 \cdot 11$.

Thus, the calculation fails to give $3P$, but it yields the factorization $2773 = 59 \cdot 47$.
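The computations of Examples 26.4 and 26.5 in code, as an added example that is not part of the notes: point addition modulo $N$ with the inverse taken by the extended Euclidean algorithm, so that a non-invertible denominator surfaces as a nontrivial $\gcd$ with $N$ exactly as in the $(E)_{2773}$ computation (this failure is the basic step of Lenstra's elliptic curve factoring method, which the notes do not name).

```python
# Added example (not from the notes): the point addition of 26.2 on y^2 = x^3 + bx + c (mod N),
# with the modular inverse computed by the extended Euclidean algorithm.  For composite N a
# failed inverse hands back gcd(denominator, N), a factor of N (Example 26.5 with N = 2773).
def ext_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

class FactorFound(Exception):
    """Raised when a denominator is not invertible mod N; carries the factor found."""
    def __init__(self, factor):
        super().__init__("nontrivial factor %d" % factor)
        self.factor = factor

def inv_mod(a, N):
    """a^{-1} mod N, or raise FactorFound(gcd(a, N)) when a is not invertible."""
    g, s, _ = ext_gcd(a % N, N)
    if g != 1:
        raise FactorFound(g)
    return s % N

def ec_add(P, Q, b, N):
    """P + Q on y^2 = x^3 + bx + c (mod N); c is not needed.  None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % N == 0:
        if (y1 + y2) % N == 0:                                  # Q = -P
            return None
        lam = (3 * x1 * x1 + b) * inv_mod(2 * y1, N) % N        # tangent slope lambda
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, N) % N               # chord slope m
    x3 = (lam * lam - x1 - x2) % N
    y3 = (lam * (x1 - x3) - y1) % N
    return (x3, y3)

def ec_mul(k, P, b, N):
    """kP by repeated addition (small k); propagates FactorFound from a failed inverse."""
    R = None
    for _ in range(k):
        R = ec_add(R, P, b, N)
    return R

if __name__ == "__main__":
    print(ec_add((1, 2), (4, 3), 4, 5))           # (4, 2), Example 26.4
    print(ec_mul(2, (1, 3), 4, 2011))             # (949, 902), Example 26.5
    try:
        ec_mul(3, (1, 3), 4, 2773)
    except FactorFound as e:
        print(e.factor, 2773 // e.factor)         # 59 47
```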


Chapter 27

Some examples of the use of elliptic curves

27.1 The congruent number problem

The area of an integer right triangle (Pythagorean) is always a multiple of 6. Fibonacci asked for a right triangle with rational sides whose area is 5, and gave as an example . More generally, a positive integer $n$ is called a congruent number if it is the area of a rational right triangle.

Proposition 27.1. $n$ is a congruent number if there is a rational number $x$ such that $x^2 - n$ and $x^2 + n$ are both squares of rational numbers. In other words, $n$ is the common difference of three rational squares in arithmetic progression.

The lengths of the sides of the right triangle are $\sqrt{x^2 + n} \pm \sqrt{x^2 - n}$ and $2x$.

Let $(a, b, c)$ be a rational right triangle with hypotenuse $c$ and area $n$. From
\[ (a + b)^2 = c^2 + 4n, \qquad (a - b)^2 = c^2 - 4n, \]
we have $(a^2 - b^2)^2 = c^4 - 16n^2$, or
\[ \left(\frac{a^2 - b^2}{4}\right)^2 = \left(\frac{c}{2}\right)^4 - n^2. \]
Let $x = \left(\frac{c}{2}\right)^2$ and $y = \frac{(a^2 - b^2)c}{8}$. Multiplying the above equation throughout by $x$, we have $y^2 = x^3 - n^2x$.

Proposition 27.2. Let $(x, y)$ be a rational point on the elliptic curve $y^2 = x^3 - n^2x$. Suppose $x$ is a square (rational number) with even denominator (when expressed in lowest terms). Then there is a rational right triangle of area $n$ and hypotenuse $2\sqrt{x}$.


Example 27.1. The Pythagorean triangle $(3, 4, 5)$ with area 6 corresponds to the rational point $P = \left(\frac{25}{4}, -\frac{35}{8}\right)$ on the elliptic curve $y^2 = x^3 - 36x$. Since $2P = \left(\frac{1442401}{19600}, \frac{1726556399}{2744000}\right)$, and $\frac{1442401}{19600} = \left(\frac{1201}{140}\right)^2$, this corresponds to the rational right triangle $\left(\frac{7}{10}, \frac{120}{7}, \frac{1201}{70}\right)$ and area 6.

Example 27.2. More interesting is Fibonacci's example, the three rational squares $\left(\frac{31}{12}\right)^2$, $\left(\frac{41}{12}\right)^2$, $\left(\frac{49}{12}\right)^2$ in arithmetic progression with common difference 5. This means that the rational triangle $\left(\frac{3}{2}, \frac{20}{3}, \frac{41}{6}\right)$ has area 5. This corresponds to the rational point $P = \left(\frac{1681}{144}, -\frac{62279}{1728}\right)$ on the elliptic curve $y^2 = x^3 - 25x$. Now,
\[ 2P = \left(\frac{11183412793921}{2234116132416},\ \frac{468238010077154040511}{2226216297771777024}\right). \]
What rational triangle of area 5 does this give?

Example 27.3. Since there is no Pythagorean triangle with square area, no square rational number can be a congruent number.

Exercise

Euler had found that $337^2 \pm 7 \cdot 120^2$ are both squares, being the squares of 463 and 113 respectively. Make use of this to find two rational right triangles with area 7.

27.2 Pairs of isosceles triangle and rectangle with equal perimeters and equal areas

The isosceles $(5, 5, 6)$ and the rectangle $6 \times 2$ both have perimeter 16 and area 12. More generally, we seek an isosceles triangle with sides $(m^2 + n^2, m^2 + n^2, 2(m^2 - n^2))$. It has perimeter $4m^2$, height $2mn$, and area $2mn(m^2 - n^2)$. A rectangle of integer dimensions $p \times q$ has the same perimeter and area as the triangle if and only if
\[ p + q = 2m^2, \qquad pq = 2mn(m^2 - n^2). \]
Note that $(p - q)^2 = (p + q)^2 - 4pq = 4m^4 - 8mn(m^2 - n^2)$. If we put
\[ x = \frac{2n}{m}, \qquad y = \frac{p - q}{m^2}, \]
this condition becomes $y^2 = x^3 - 4x + 4$.


Exercise

(1) Clearly, the point $(1, 1)$ is on the curve. With $1 = \frac{2n}{m}$, we take $m = 2$, $n = 1$. This gives the isosceles triangle $(5, 5, 6)$ and rectangle $6 \times 2$ as above.

(2) There is another obvious point $P = (2, 2)$. Indeed, on the elliptic curve
\[ 2P = (0, 2), \qquad 3P = (-2, -2), \qquad 4P = (1, -1). \]

    k     +-kP                            (m, n)          side and base          p x q                  perimeter, area
    -4    (1, 1)                          (2, 1)          5, 6                   2 x 6                  (16, 12)
     7    (10/9, 26/27)                   (9, 5)          106, 112               42 x 120               (324, 5040)
    -10   (88/49, 554/343)                (49, 44)        4337, 930              462 x 4340             (9604, 2005080)
     13   (206/961, 52894/29791)          (961, 103)      934130, 1825824        103664 x 1743378       (3694084, 180725536992)
    -15   (9362/10609, 1175566/1092727)   (10609, 4681)   134462642, 181278240   52009232 x 173092530

27.3 Triangles with a median, an altitude, and an angle bisector concurrent

Given triangle $ABC$, the altitude on $BC$, the bisector of angle $B$ and the median on $AB$ are concurrent if and only if
\[ \cos\beta = \frac{a}{c + a}. \]

(Figure: triangle $ABC$ with the points $D$, $E$, $F$ and $P$.)

By the law of cosines, $\cos\beta = \frac{c^2 + a^2 - b^2}{2ca}$, we have
\[ a^3 - ab^2 + a^2c - b^2c - ac^2 + c^3 = 0. \]
By putting $x = \frac{2c}{c + a}$ and $y = \frac{2b}{c + a}$, this becomes
\[ y^2 = x^3 - 4x + 4 \]
again. If $(x, y)$ is a rational point on the elliptic curve, then $a : b : c = 2 - x : y : x$. To satisfy the triangle inequality, we require $y < 2$ and $\frac{1}{2}(2 - y) < x < \frac{1}{2}(y + 2)$.

Here are some examples generated from multiples of $P = (2, 2)$:


    k     +-kP                                              (a, b, c)
    -4    (1, 1)                                            (1, 1, 1)
     7    (10/9, 26/27)                                     (12, 13, 15)
    -10   (88/49, 554/343)                                  (35, 277, 308)
     13   (206/961, 52894/29791)                            (26598, 26447, 3193)
    -15   (9362/10609, 1175566/1092727)                     (610584, 587783, 482143)
     18   (589456/483025, 324783646/335702375)              (130866415, 162391823, 204835960)
    -21   (92869078/57017601, 578576841362/430539905151)    (79912701162, 289288420681, 350627203989)


Chapter 28

Heron triangles and Elliptic Curves

28.1 The elliptic curve $y^2 = (x - k)^2 - 4kx^3$

A triangle is determined, up to similarity, by a set of three positive real numbers $\{t_1, t_2, t_3\}$ satisfying the relation
\[ t_1t_2 + t_2t_3 + t_3t_1 = 1. \tag{28.1} \]
Such are indeed the tangents of the half-angles of the triangle. If the triangle is scaled to have unit semiperimeter, the lengths of the sides are
\[ t_1(t_2 + t_3), \quad t_2(t_3 + t_1), \quad\text{and}\quad t_3(t_1 + t_2), \]
and the area is $k = t_1t_2t_3$. From the inequality of arithmetic and geometric means, it is easy to see that $k^2 \le \frac{1}{27}$, with equality precisely in the case of an equilateral triangle. We study triangles with rational sides and rational areas. It is clear that for such triangles, the parameters $t_1$, $t_2$, and $t_3$ are all rational. Since such triangles cannot be equilateral, we shall assume $k^2 < \frac{1}{27}$. Elimination of $t_3$ leads to
\[ t_1^2t_2^2 - (t_1 - k)t_2 + kt_1 = 0. \]
A given rational number $t_1$ determines a rational number $t_2$, and consequently a triangle with rational sides and rational area, if and only if $(t_1 - k)^2 - 4kt_1^3$ is a rational square. A rational point $(x, y)$ on the elliptic curve
\[ E_k : y^2 = (x - k)^2 - 4kx^3, \]
therefore, determines rational numbers
\[ t_1 = x, \qquad t_2 = \frac{x + y - k}{2x^2}, \qquad t_3 = \frac{x - y - k}{2x^2}. \tag{28.2} \]


These parameters in turn define a genuine triangle provided $x > k$ (see Lemma 2 below), the sides of the triangle being
\[ a = t_1(t_2 + t_3) = \frac{x - k}{x}, \qquad b = t_2(t_3 + t_1) = \frac{x + y + k}{2x}, \qquad c = t_3(t_1 + t_2) = \frac{x - y + k}{2x}. \]

Given a triangle with unit semiperimeter and rational area $k$, we shall show that the associated elliptic curve $E_k$ has positive rank, provided that the triangle is non-isosceles. This leads to the following theorem on the existence of an arbitrary number of Heron triangles equal in perimeter and in area.

Theorem 28.1. Given a non-isosceles rational triangle $T$ (of semiperimeter 1) and a positive integer $N$, there are an integer $s$ and $N$ noncongruent Heron triangles all having the same area and perimeter as $sT$.

The qualification of non-isosceles triangle is essential. An example is provided by the case of the isosceles triangle with sides $(5, 5, 6)$, with $t_1 = t_2 = \frac{1}{2}$, $t_3 = \frac{3}{4}$, and $k = t_1t_2t_3 = \frac{3}{16}$. The elliptic curve $E_k$ has rank 0 (see Proposition 10), showing that there are no other triangles of unit semiperimeter with the same value of $k$. However, if such an isosceles triangle has equal perimeter and equal area as another isosceles triangle, then the elliptic curve has positive rank, and the statement of the theorem remains valid.

Guy [??, D16] reports that the problem of finding as many different triples of positive integers as possible with the same sum and the same product has been solved by A. Schinzel, that there are arbitrarily many. Theorem 1 offers a solution to the same problem: an arbitrary number of such triples, with the additional property that the sum and the product multiply to a square, can be constructed from any triple of distinct positive integers $x, y, z$ with the same property, i.e., $xyz(x + y + z) = A^2$ for an integer $A$. Any such triple defines a Heron triangle with sides $x + y$, $y + z$, $z + x$, and area $A$.

Let $k$ be a rational number $< \frac{1}{3\sqrt{3}}$. The cubic polynomial
\[ f_k(x) := (x - k)^2 - 4kx^3 \tag{28.3} \]
has three distinct real roots separated by $k$ and $3k$, since
\[ f(-\infty) = +\infty, \qquad f(k) = -4k^4 < 0, \qquad f(3k) = 4k^2(1 - 27k^2) > 0, \qquad f(+\infty) = -\infty. \]


This means that the elliptic curve $E_k$ has two components, one of which is compact. A point $(x, y)$ on $E_k$ lies in the compact component if and only if $x > k$. By Lemma 2 below, a point on $E_k$ corresponds to a genuine triangle if and only if it lies in the compact component.

Lemma 28.2. A point $(x, y)$ on the elliptic curve $E_k$ defines a genuine triangle if and only if $x > k$.

Proof. From (28.2), $t_2 + t_3 = \frac{x - k}{x^2}$ and $t_2t_3 = \frac{k}{x}$. It is clear that $t_1, t_2, t_3$ are all positive (and define a genuine triangle) if and only if $x > k$.

The addition law of $E_k$ is given by
\[ x(P + Q) = \frac{1}{4k}(1 - \lambda^2) - x(P) - x(Q), \]
where
\[
\lambda = \begin{cases}
\dfrac{y(P) - y(Q)}{x(P) - x(Q)}, & \text{if } P \ne Q, \\[2ex]
\dfrac{x(P) - k - 6k\,x(P)^2}{y(P)}, & \text{if } P = Q.
\end{cases}
\]

Lemma 28.3. Let $P$ be a point on the compact component of $E_k$. The six points $\pm P$, $\pm P \pm I$ all represent the same (similarity class of) rational triangles.

Proof. Write $P = (t_1, t_1^2(t_2 - t_3))$. Then, for $\epsilon = \pm 1$,
\[ \epsilon(P + I) = (t_2, \epsilon t_2^2(t_3 - t_1)), \qquad \epsilon(P - I) = (t_3, \epsilon t_3^2(t_1 - t_2)). \]

Let $P$ and $Q$ be two distinct points on $E_k$, one on each of the two components. By the convexity of the compact component, it is clear that the sum $P + Q$ lies in the compact component. Now, if $P$ is a point in the compact component, then $2P$ must be in the noncompact one. It follows by induction that all odd multiples of $P$ are in the compact component, and hence define genuine rational triangles.

Example 28.1. For $k = \frac{1}{6}$, the cubic polynomial $f_k(x) = \frac{1}{36}(1 - 12x + 36x^2 - 24x^3)$ is irreducible.

Example 28.2. For $k = \frac{168}{1331} = \frac{2^3 \cdot 3 \cdot 7}{11^3}$, the cubic polynomial
\[ f_k(x) = -4k\left(x - \frac{56}{33}\right)\left(x^2 - \frac{699}{2464}x + \frac{9}{484}\right). \]
The rational root $\frac{56}{33}$ corresponds to the isosceles Heron triangle $(65, 65, 112)$. On the same curve, there are rational points with $x = \frac{2}{11}, \frac{8}{11}, \frac{21}{22}$, corresponding to the Heron triangle $(37, 100, 105)$, also of perimeter 242 and area 1848.

Example 28.3. For $k = \frac{60}{343}$, the cubic polynomial $f_k(x)$ has three rational roots $\frac{15}{112} < \frac{12}{35} < \frac{20}{21}$. The larger two correspond respectively to the isosceles triangles $(24, 37, 37)$ and $(29, 29, 40)$, both with perimeter 98 and area 420. On $E_k$ lie also the rational points with $x = \frac{5}{14}, \frac{4}{7}, \frac{6}{7}$, corresponding to the Heron triangle $(25, 34, 39)$, with the same perimeter and area.


28.1.1 Proof of Theorem 28.1

A non-isosceles triangle with semiperimeter 1 and areak corresponds to a pointP in the component of the elliptic curveEk. Such a point cannot have finite or-der, and so generates an infinite cyclic subgroup ofEk. The pointsmP lies in thecompact component precisely whenm is odd. For any given integerN , the points(2m− 1)P , 1 ≤ m ≤ N , all lie in the compact component, and therefore representrational trianglesTm, each of semiperimeter 1 and areak. Lets be the least commonmultiple of the denominators of the lengths of sides of theseN triangles. Magni-fying each of them by the factors, we obtain a sequence ofN Heron triangles, allwith semiperimeters, and areaks2.

Example 28.4. The right triangle (3, 4, 5) corresponds to the point P(1, 16) on the curve E_{1/6}. The primitive Heron triangles corresponding to the points P, 3P, 5P, 7P, and 9P, with their semiperimeters and areas, are as follows.

(3, 4, 5; 6, 6),
(287, 468, 505; 630, 66150),
(3959527, 3997940, 5810001; 6883734, 7897632297126),
(3606573416251, 5935203156525, 6344028032612; 7942902302694, 10514949498356941266609606),
(480700822846118327460, 630296830413008002763, 795751643958885119197; 953374648609005724710, 151487203435057523536941712814925384097350).

The LCM of the semiperimeters being

s = 1447986121797526457728510272387457724310,

magnifying these triangles by appropriate factors, we obtain five Heron triangles, all with semiperimeter s and area

△ = 349443968153040187579733428603820320155254000034420331290213618794580660829350.

The following example shows that the hypothesis of non-isoscelesity is essential.

Remark. Let k = 1/2 · 1/2 · 3/4 = 3/16. The elliptic curve is cyclic of order 6. In particular, it has rank 0.

This value of k arises from the isosceles triangle (5, 5, 6). By Proposition 7, there is no other (noncongruent) triangle of unit semiperimeter and the same area. On the other hand, Example 1 shows that for the isosceles triangle (65, 65, 126), the associated elliptic curve has positive rank.


Chapter 29

The ring of Gaussian integers

29.1 The ring Z[i]

29.1.1 Norm and units

By the ring of Gaussian integers we mean

Z[i] := {a+ bi : a, b ∈ Z}.

Each element of Z[i] is called a Gaussian integer. For α = a + bi, we define the norm N(α) := a² + b² ∈ Z. One important property of the norm is its multiplicativity:

Lemma 29.1. For α, β ∈ Z[i],

N(αβ) = N(α)N(β).

A Gaussian integer α is a unit if it is invertible in Z[i]. If α is a unit with multiplicative inverse β, then αβ = 1 and N(α)N(β) = N(αβ) = N(1) = 1. This means that N(α) = 1 and α = ±1 or ±i.

Proposition 29.2. The only units in Z[i] are ±1 and ±i.

29.1.2 Gaussian primes

Two Gaussian integers α and β are associate if α = εβ for some unit ε ∈ Z[i].

Exercise

1. Show that the relation of being associate is an equivalence relation on Z[i].

2. Show that 2 is not a prime in Z[i].


A Gaussian integer π ∈ Z[i] is prime if
(i) π is not a unit in Z[i], and
(ii) π = αβ ∈ Z[i] ⇒ α or β is a unit in Z[i].

Proposition 29.3. The ring of Gaussian integers satisfies the euclidean algorithm: for α, β ∈ Z[i] with β ≠ 0, there are γ and δ ∈ Z[i] satisfying
(i) α = βγ + δ,
(ii) N(δ) < N(β).

Proof. Regarding α and β as complex numbers, we have α/β = x + iy for rational numbers x and y. Let a and b be integers such that |x − a| ≤ 1/2 and |y − b| ≤ 1/2. The numbers γ := a + bi and δ := β((x − a) + (y − b)i) satisfy δ = α − βγ, and so δ is a Gaussian integer. Since

|δ/β|² = (x − a)² + (y − b)² ≤ 1/4 + 1/4 ≤ 1/2,

we have N(δ) < N(β).

Therefore, we have a notion of gcd in Z[i]. The gcd of two Gaussian integers is defined up to a unit.

Corollary 29.4. The ring of Gaussian integers is a Bezout domain: for α, β ∈ Z[i], there are γ, δ ∈ Z[i] such that

gcd(α, β) = αγ + βδ.

Proposition 29.5. The following two statements are equivalent.
(i) π ∈ Z[i] is a prime.
(ii) π | αβ ∈ Z[i] ⇒ π | α or π | β.

Theorem 29.6. The primes in Z[i] are precisely
(i) the primes p ≡ 3 (mod 4) in Z,
(ii) ±1 ± i, which have norm 2, and
(iii) a + bi for which a² + b² is an odd prime p ≡ 1 (mod 4) in Z.

Corollary 29.7 (Unique factorization). Every nonzero Gaussian integer can be decomposed “uniquely” into a product of Gaussian primes: if

α = π1 ··· πh = ψ1 ··· ψk

for Gaussian primes π1, …, πh and ψ1, …, ψk, then
(i) h = k,
(ii) after a suitable permutation of ψ1, …, ψk, for i = 1, 2, …, k, the Gaussian primes πi and ψi are associate.


29.2 An alternative proof of Fermat’s two-square theorem

Since p ≡ 1 (mod 4), −1 is a quadratic residue. This means that there exists an integer a ≤ (p − 1)/2 such that a² + 1 is divisible by p. Note that a² + 1 < p².

Regarded as Gaussian integers, a² + 1 = (a + i)(a − i). We claim that p divides neither a + i nor a − i; otherwise, p² = N(p) ≤ N(a + i) = a² + 1 < p², a contradiction. This means that p is not a prime in Z[i], and there is a factorization p = αβ ∈ Z[i] in which none of α, β is a unit, i.e., N(α), N(β) > 1. It follows from

p² = N(p) = N(α)N(β)

that N(α) = N(β) = p, and p is a sum of two squares of integers.
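The Euclidean division of Proposition 29.3, the Bezout identity of Corollary 29.4, the prime test of Theorem 29.6 and the two-square argument of this section, as an added worked example in Python (not code from the notes). A Gaussian integer a + bi is stored as the pair (a, b); the function names are this example's own. The two-square routine finds a with a² ≡ −1 (mod p) by Euler's criterion and then takes gcd(p, a + i), which is exactly the common Gaussian prime the argument above produces.

```python
# Added example (not from the notes): arithmetic in Z[i], with a + bi stored as the pair (a, b).
from fractions import Fraction
from math import floor, isqrt


def gnorm(z):
    """N(a + bi) = a^2 + b^2 (Section 29.1.1)."""
    return z[0] * z[0] + z[1] * z[1]


def gmul(z, w):
    return (z[0] * w[0] - z[1] * w[1], z[0] * w[1] + z[1] * w[0])


def gadd(z, w):
    return (z[0] + w[0], z[1] + w[1])


def gsub(z, w):
    return (z[0] - w[0], z[1] - w[1])


def gdivmod(alpha, beta):
    """Euclidean division of Proposition 29.3: alpha = beta*gamma + delta with N(delta) < N(beta).
    alpha/beta = x + iy is computed exactly as rationals; gamma = a + bi rounds x, y to the
    nearest integers, so |x - a|, |y - b| <= 1/2 and N(delta) <= N(beta)/2."""
    if beta == (0, 0):
        raise ZeroDivisionError("division by 0 in Z[i]")
    a, b = alpha
    c, d = beta
    n = gnorm(beta)
    x = Fraction(a * c + b * d, n)  # alpha/beta = alpha*conj(beta)/N(beta)
    y = Fraction(b * c - a * d, n)
    gamma = (floor(x + Fraction(1, 2)), floor(y + Fraction(1, 2)))
    delta = gsub(alpha, gmul(beta, gamma))
    assert 2 * gnorm(delta) <= gnorm(beta)
    return gamma, delta


def ggcd(alpha, beta):
    """gcd in Z[i] by repeated division; determined only up to a unit."""
    while beta != (0, 0):
        alpha, beta = beta, gdivmod(alpha, beta)[1]
    return alpha


def gbezout(alpha, beta):
    """Extended Euclid (Corollary 29.4): (g, gamma, delta) with g = alpha*gamma + beta*delta."""
    r0, r1 = alpha, beta
    s0, s1 = (1, 0), (0, 0)
    t0, t1 = (0, 0), (1, 0)
    while r1 != (0, 0):
        q, r = gdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, gsub(s0, gmul(q, s1))
        t0, t1 = t1, gsub(t0, gmul(q, t1))
    return r0, s0, t0


def is_rational_prime(n):
    return n >= 2 and all(n % p for p in range(2, isqrt(n) + 1))


def is_gaussian_prime(z):
    """Theorem 29.6: a + bi is a Gaussian prime iff either one of a, b is 0 and the other is
    +-p for a rational prime p = 3 (mod 4), or a^2 + b^2 is a rational prime (2 or p = 1 (mod 4))."""
    a, b = z
    if a == 0 or b == 0:
        p = abs(a) + abs(b)
        return is_rational_prime(p) and p % 4 == 3
    return is_rational_prime(gnorm(z))


def two_squares(p):
    """Section 29.2 made effective: for a rational prime p = 1 (mod 4) return (u, v), u <= v,
    with u^2 + v^2 = p. Euler's criterion gives a with a^2 = -1 (mod p); p divides
    (a + i)(a - i) but neither factor, so gcd(p, a + i) is a Gaussian prime of norm p."""
    if not (is_rational_prime(p) and p % 4 == 1):
        raise ValueError("p must be a rational prime congruent to 1 mod 4")
    q = next(q for q in range(2, p) if pow(q, (p - 1) // 2, p) == p - 1)  # quadratic non-residue
    a = pow(q, (p - 1) // 4, p)
    assert (a * a + 1) % p == 0
    alpha = ggcd((p, 0), (a, 1))
    assert gnorm(alpha) == p
    return tuple(sorted((abs(alpha[0]), abs(alpha[1]))))
```

The division step keeps the quotient α/β as exact rationals, so the bound N(δ) ≤ N(β)/2 from the proof is asserted rather than hoped for; `ggcd` returns some associate of the gcd, which is why the checks below compare norms rather than values.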


Chapter 30

Construction of indecomposable Heron triangles

30.1 Primitive Heron triangles

Given a triangle ABC with sidelengths BC = a, CA = b and AB = c, we let s := (a + b + c)/2 be the semiperimeter, and

t1 = tan(A/2), t2 = tan(B/2), t3 = tan(C/2).

These satisfy

t1t2 + t2t3 + t3t1 = 1. (30.1)

[Figure: triangle ABC with incenter I and incircle of radius r touching BC, CA, AB at X, Y, Z; the tangent lengths from A, B, C are s − a, s − b, s − c.]

We shall assume throughout this chapter that all sidelengths of triangles are rational. Such a triangle is called a rational triangle if its area is rational. Equivalently, t1, t2, t3 are all rational numbers. Putting ti = ni/di, i = 1, 2, 3, with gcd(ni, di) = 1, we rewrite (30.1) in the form

n1n2d3 + n1d2n3 + d1n2n3 = d1d2d3. (30.2)


A rational triangle, under a suitable magnification, gives a primitive Heron triangle, one with integer sides which are relatively prime, and with integer area. In fact, by putting

a = n1(d2n3 + n2d3),
b = n2(d3n1 + n3d1), (30.3)
c = n3(d1n2 + n1d2),

we obtain a Heron triangle with semiperimeter s = n1n2d3 + n1d2n3 + d1n2n3 = d1d2d3 and area △ = n1d1n2d2n3d3. A primitive Heron triangle Γ0 results by dividing the sides by g := gcd(a1, a2, a3).

30.1.1 Triple of simplifying factors

Unless explicitly stated otherwise, whenever the three indices i, j, k appear al-together in an expression or an equation, they are taken as apermutationof theindices1, 2, 3.

Note that from (30.1) or (30.2), any one ofti, tj , tk can be expressed in termsof the remaining two. In the process of expressingti = ni

diin terms oftj =

nj

djand

tk = nk

dk, we encounter certain “simplifying factors”, namely,

gi := gcd(djdk − njnk, njdk + djnk),

so that

gini = djdk − njnk,

gidi = djnk + njdk, (30.4)

We shall call(g1, g2, g3) thetriple of simplifying factorsfor the numbers(t1, t2, t3),or of the similarity class of triangles they define.

Example 30.1. For the Heron triangle (13, 14, 15; 84), we have t1 = 1/2, t2 = 4/7 and t3 = 2/3. From

(1 − t2t3)/(t2 + t3) = (7 · 3 − 4 · 2)/(7 · 2 + 4 · 3) = 13/26 = 1/2,

it follows that g1 = 13. Similarly, g2 = 1 and g3 = 5. On the other hand, for the indecomposable Heron triangle (25, 34, 39; 420), we have (t1, t2, t3) = (5/14, 4/7, 6/7). The simplifying factors are (g1, g2, g3) = (5, 17, 13).

Example 30.2. For (15, 34, 35; 252), the simplifying factors are (g1, g2, g3) = (5, 17, 5).

Exercise

For the sidelengths given in (30.3), we have

a = g1n1d1, b = g2n2d2, c = g3n3d3.
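An added worked example (Python, not code from the notes) of the construction in §30.1: from two half-angle tangents it solves (30.1) for the third, builds the sides (30.3), the semiperimeter and area, the simplifying factors (30.4) and the primitive triangle Γ0, and checks the identity a = g1n1d1, b = g2n2d2, c = g3n3d3 of the exercise. Function names are this example's own; tangents may be given as Fractions or as strings such as "4/7".

```python
# Added example (not from the notes): the Heron triangle Γ(t1, t2, t3) of (30.3) and its
# simplifying factors (30.4), computed from half-angle tangents given as Fractions or strings.
from fractions import Fraction
from math import gcd


def third_tangent(t1, t2):
    """Solve (30.1) for t3: t3 = (1 - t1 t2) / (t1 + t2)."""
    t1, t2 = Fraction(t1), Fraction(t2)
    return (1 - t1 * t2) / (t1 + t2)


def heron_from_tangents(t1, t2, t3):
    """Sides (30.3), semiperimeter d1 d2 d3, area n1 d1 n2 d2 n3 d3, simplifying factors (30.4),
    and the primitive triangle Γ0 = Γ/gcd(a, b, c) with its area."""
    t = [Fraction(x) for x in (t1, t2, t3)]
    assert t[0] * t[1] + t[1] * t[2] + t[2] * t[0] == 1, "tangents must satisfy (30.1)"
    n = [x.numerator for x in t]    # Fraction is in lowest terms, so gcd(n_i, d_i) = 1
    d = [x.denominator for x in t]
    # (30.2) is (30.1) with the denominators cleared
    assert n[0]*n[1]*d[2] + n[0]*d[1]*n[2] + d[0]*n[1]*n[2] == d[0]*d[1]*d[2]
    a = n[0] * (d[1]*n[2] + n[1]*d[2])
    b = n[1] * (d[2]*n[0] + n[2]*d[0])
    c = n[2] * (d[0]*n[1] + n[0]*d[1])
    s = d[0] * d[1] * d[2]
    area = n[0]*d[0]*n[1]*d[1]*n[2]*d[2]
    assert a + b + c == 2 * s
    assert 16 * area * area == (a+b+c) * (-a+b+c) * (a-b+c) * (a+b-c)  # Heron's formula
    g = []
    for i in range(3):   # (i, j, k) runs through the cyclic permutations of (0, 1, 2)
        j, k = (i + 1) % 3, (i + 2) % 3
        g.append(gcd(d[j]*d[k] - n[j]*n[k], n[j]*d[k] + d[j]*n[k]))
    # the exercise above: a = g1 n1 d1, b = g2 n2 d2, c = g3 n3 d3
    assert (a, b, c) == (g[0]*n[0]*d[0], g[1]*n[1]*d[1], g[2]*n[2]*d[2])
    h = gcd(gcd(a, b), c)
    return {
        "sides": (a, b, c),
        "semiperimeter": s,
        "area": area,
        "factors": tuple(g),
        "primitive": (a // h, b // h, c // h, area // (h * h)),
    }
```

Running it on the data of Example 30.1 reproduces (13, 14, 15; 84) with factors (13, 1, 5) and (25, 34, 39; 420) with factors (5, 17, 13); the right triangle (3, 4, 5) arises from (1/3, 1/2, 1) with factors (1, 2, 5).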


30.1.2 Decomposition of Heron triangles

A Heron triangle Γ := (a1, a2, a3; △) is said to be decomposable if there are (non-degenerate) Pythagorean triangles Γ1 := (x1, y, a1; △1), Γ2 := (x2, y, a2; △2), and ε = ±1 such that

a3 = εx1 + x2, △ = ε△1 + △2.

According as ε = 1 or −1, we shall say that Γ is obtained by juxtaposing Γ1 and Γ2 (Γ = Γ1 ∪ Γ2), or by excising Γ1 from Γ2 (Γ = Γ2 \ Γ1).

In general, a Heron triangle is decomposable into two Pythagorean components if and only if it has at least one integer height.

Theorem 30.1. A primitive Heron triangle can be decomposed into two Pythagorean components in at most one way.

Proof. This follows from three propositions.
(1) A primitive Pythagorean triangle is indecomposable.¹
(2) A primitive, isosceles, Heron triangle is decomposable, the only decomposition being into two congruent Pythagorean triangles.²
(3) If a non-Pythagorean Heron triangle has two integer heights, then it cannot be primitive.³

¹ Proof of (1). We prove this by contradiction. A Pythagorean triangle, if decomposable, is partitioned by the altitude on the hypotenuse into two similar but smaller Pythagorean triangles. None of these, however, can have all sides of integer length, by the primitivity assumption on the original triangle.

² Proof of (2). The triangle being isosceles and Heron, the perimeter and hence the base must be even. Each half of the isosceles triangle is a (primitive) Pythagorean triangle (m² − n², 2mn, m² + n²), with m, n relatively prime and of different parity. The height on each slant side of the isosceles triangle is

2mn(m² − n²)/(m² + n²),

which clearly cannot be an integer. This shows that the only way of decomposing a primitive isosceles triangle is into two congruent Pythagorean triangles.

³ Proof of (3). Let (a, b, c; △) be a Heron triangle not containing any right angle. Suppose the heights on the sides b and c are integers. Clearly, b and c cannot be relatively prime, for otherwise the heights of the triangle on these sides are respectively ch and bh for some integer h. This is impossible since, the triangle not containing any right angle, the height on b must be less than c. Suppose therefore gcd(b, c) = g > 1. We write b = b′g and c = c′g for relatively prime integers b′ and c′. If the height on c is h, then that on the side b is ch/b = c′h/b′. If this is also an integer, then h must be divisible by b′. Replacing h by b′h, we may now assume that the heights on b and c are respectively c′h and b′h. The side c is divided into b′k and ±(c − b′k) ≠ 0, where g² = h² + k². It follows that

a² = (b′h)² + (c′g − b′k)²
= b′²(h² + k²) + c′²g² − 2b′c′gk
= g[g(b′² + c′²) − 2b′c′k].

From this it follows that g divides a², and every prime divisor of g is a common divisor of a, b, c. The Heron triangle cannot be primitive.


30.2 Gaussian integers

We shall associate with each positive rational number t = n/d, n, d relatively prime, the primitive, positive Gaussian integer z(t) := d + n√−1 ∈ Z[√−1]. Here, we say that a Gaussian integer x + y√−1 is

• primitive if x and y are relatively prime, and

• positive if both x and y are positive.

The norm of the Gaussian integer z = x + y√−1 is the integer N(z) := x² + y². The norm in Z[√−1] is multiplicative:

N(z1z2) = N(z1)N(z2).

The argument of a Gaussian integer z = x + y√−1 is the unique real number φ = φ(z) ∈ [0, 2π) defined by

cos φ = x/√(x² + y²), sin φ = y/√(x² + y²).

A Gaussian integer z is positive if and only if 0 < φ(z) < π/2. Each positive Gaussian integer z = x + y√−1 has a complement

z* := y + x√−1 = √−1 · z̄,

where z̄ := x − y√−1 is the conjugate of z. Note that N(z*) = N(z), and

φ(z) + φ(z*) = π/2 (30.5)

for each pair of complementary positive Gaussian integers.

Recall that the units of Z[√−1] are precisely ±1 and ±√−1. An odd (rational) prime number p ramifies into two non-associate primes π(p) and π̄(p) in Z[√−1], namely, p = π(p)π̄(p), if and only if p ≡ 1 (mod 4). For applications in the present paper, we formulate the unique factorization theorem in Z[√−1] as follows.

Proposition 30.2. Let g > 1 be an odd number. There is a primitive Gaussian integer θ satisfying N(θ) = g if and only if each prime divisor of g is congruent to 1 (mod 4).

30.2.1 Heron triangles and Gaussian integers

Consider the Heron triangle Γ := Γ(t1, t2, t3) with sides given by (30.3). In terms of the Gaussian integers zi := z(ti) = di + ni√−1, the relations (30.4) can be rewritten as

gizi = √−1 · z̄j z̄k = (zjzk)*. (30.6)


Lemma 30.3. N(zi) = gjgk.

Proof. From the relation (30.6), we have

gi²N(zi) = N(zj)N(zk).

Combining these, we have

(gigjgk)² = N(zi)N(zj)N(zk),

and the result follows easily.

Proposition 30.4.
(1) gi is a common divisor of N(zj) and N(zk).
(2) At least two of gi, gj, gk exceed 1.
(3) gi is even if and only if all of nj, dj, nk and dk are odd.
(4) At most one of gi, gj, gk is even, and none of them is divisible by 4.
(5) gi is prime to each of nj, dj, nk, and dk.
(6) Each odd prime divisor of gi, i = 1, 2, 3, is congruent to 1 (mod 4).

Proof. (1) follows easily from Lemma 30.3.
(2) Suppose g1 = g2 = 1. Then N(z3) = 1, which is clearly impossible.
(3) is clear from the relation (30.4).
(4) Suppose gi is even. Then nj, dj, nk, dk are all odd. This means that gi, being a divisor of N(zj) = dj² + nj² ≡ 2 (mod 4), is not divisible by 4. Also, djdk − njnk and njdk + djnk are both even, and since

(djdk − njnk) + (njdk + djnk) = (dj + nj)(dk + nk) − 2njnk ≡ 2 (mod 4),

it follows that one of them is divisible by 4 and the other is 2 (mod 4). After cancelling the common divisor 2, we see that exactly one of ni and di is odd. This means, by (3), that gj and gk cannot be even.
(5) If gi and nj admit a common prime divisor p, then p divides both nj and nj² + dj², and hence dj as well, contradicting the assumption that dj + nj√−1 is primitive.
(6) is a consequence of Proposition 30.2.

Proposition 30.5. gcd(g1, g2, g3) = 1.

Proof. We shall derive a contradiction by assuming a common rational prime divisor p ≡ 1 (mod 4) of gi, gj, gk, with positive exponents ri, rj, rk in their prime factorizations. By the relation (30.6), the product zjzk is divisible by the rational prime power p^{ri}. This means that the primitive Gaussian integers zj and zk should contain in their prime factorizations powers of the distinct primes π(p) and π̄(p).


The same reasoning also applies to each of the pairs (zk, zi) and (zi, zj), so that zk and zi (respectively zi and zj) each contain one of the non-associate Gaussian primes π(p) and π̄(p) in their factorizations. But then this means that zj and zk are divisible by the same Gaussian prime, a contradiction.

Corollary 30.6. If a, b, c are given as in (30.3), then

gcd(a, b, c) = gcd(n1d1, n2d2, n3d3).

Proof. This follows from the expressions (30.3): ai = ginidi for i = 1, 2, 3, and Proposition 30.5.

Exercise

Prove that a Heron triangle is Pythagorean if and only if its triple of simplifying factors is of the form (1, 2, g), for an odd number g whose prime divisors are all of the form 4m + 1.
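The relation (30.6), Lemma 30.3 and parts (4) and (6) of Proposition 30.4, together with the criterion of the exercise above, checked numerically in an added Python example (not code from the notes). The input is the list of pairs (d_i, n_i), that is, the Gaussian integers z_i = d_i + n_i√−1 of three tangents satisfying (30.1); the simplifying factors are read off as the gcd of the components of (z_j z_k)*, and the function names are this example's own.

```python
# Added example (not from the notes): the Gaussian-integer relations of §30.2 checked on
# concrete data; z_i = d_i + n_i√-1 is stored as the pair (d_i, n_i).
from math import gcd


def norm(z):
    return z[0] ** 2 + z[1] ** 2


def mul(z, w):
    return (z[0] * w[0] - z[1] * w[1], z[0] * w[1] + z[1] * w[0])


def complement(z):
    """z* = y + x√-1 = √-1 · conj(z) for z = x + y√-1."""
    return (z[1], z[0])


def is_primitive_positive(z):
    return z[0] > 0 and z[1] > 0 and gcd(z[0], z[1]) == 1


def odd_prime_factors(m):
    """Set of odd primes dividing m."""
    m = abs(m)
    while m % 2 == 0:
        m //= 2
    ps, p = set(), 3
    while p * p <= m:
        while m % p == 0:
            ps.add(p)
            m //= p
        p += 2
    if m > 1:
        ps.add(m)
    return ps


def simplifying_factors(dn):
    """Given z_i = (d_i, n_i) for tangents t_i = n_i/d_i satisfying (30.1), return (g1, g2, g3)
    from (30.6) g_i z_i = (z_j z_k)*, checking Lemma 30.3 and Proposition 30.4 (4), (6) on the way."""
    z = [tuple(p) for p in dn]
    assert all(is_primitive_positive(zi) for zi in z)
    g = []
    for i in range(3):
        j, k = (i + 1) % 3, (i + 2) % 3
        w = complement(mul(z[j], z[k]))   # should equal g_i z_i
        gi = gcd(w[0], w[1])
        assert w == (gi * z[i][0], gi * z[i][1]), "(30.6) fails: the tangents do not satisfy (30.1)"
        g.append(gi)
    for i in range(3):
        j, k = (i + 1) % 3, (i + 2) % 3
        assert norm(z[i]) == g[j] * g[k]                            # Lemma 30.3
        assert g[i] % 4 != 0                                        # Proposition 30.4 (4)
        assert all(p % 4 == 1 for p in odd_prime_factors(g[i]))     # Proposition 30.4 (6)
    assert sum(gi % 2 == 0 for gi in g) <= 1                        # Proposition 30.4 (4)
    return tuple(g)


def factors_of_pythagorean_type(g):
    """The exercise above: (g1, g2, g3) is (1, 2, g) in some order with g odd and every prime
    divisor of g congruent to 1 (mod 4)."""
    s = sorted(g)
    return s[0] == 1 and s[1] == 2 and s[2] % 2 == 1 and all(p % 4 == 1 for p in odd_prime_factors(s[2]))
```

For (25, 34, 39; 420) the pairs are (14, 5), (7, 4), (7, 6) and the factors come out as (5, 17, 13); for the right triangle (3, 4, 5), with tangents 1/3, 1/2, 1, they are (1, 2, 5), the shape the exercise predicts.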

30.3 Orthocentric Quadrangles

Now we consider a rational triangle which does not contain a right angle. The vertices and the orthocenter form an orthocentric quadrangle, i.e., each of these four points is the orthocenter of the triangle with vertices at the remaining three points. If any of the four triangles is rational, then so are the remaining three. The convex hull of these four points is an acute-angled triangle Γ. We label the vertices A, B, C, and the orthocenter in the interior by H, and use the following notation for triangles:

Γ = ABC, Γ1 = HBC, Γ2 = AHC, Γ3 = ABH.

Let t1, t2, t3 be the tangents of the half angles of Γ, z1, z2, z3 the associated Gaussian integers, and (g1, g2, g3) the corresponding simplifying factors. Then the tangents of the half angles of Γk are

(1 − ti)/(1 + ti), (1 − tj)/(1 + tj), and 1/tk.

We first assume that g1, g2, g3 are all odd, so that for i = 1, 2, 3, di and ni are of different parity (Proposition 30.4(3)). The triangle Γk has associated primitive Gaussian integers

z′i = (di + ni) + (di − ni)√−1 = (1 + √−1) z̄i,
z′j = (dj + nj) + (dj − nj)√−1 = (1 + √−1) z̄j,
z′k = nk + dk√−1 = √−1 · z̄k. (30.7)


From these,

z′jz′k = (1 + √−1)√−1 · z̄j z̄k = gi(1 + √−1)zi = gi√−1 · z̄′i,
z′iz′k = (1 + √−1)√−1 · z̄i z̄k = gj(1 + √−1)zj = gj√−1 · z̄′j,
z′iz′j = 2√−1 · z̄i z̄j = 2gkzk = 2gk√−1 · z̄′k.

Thus, the triangle Γk has simplifying factors (gi, gj, 2gk).

Suppose now that one of the simplifying factors of Γ, say gk, is even. Then ni, di, nj, dj are all odd, and nk, dk have different parity. A similar calculation shows that the simplifying factors for the triangles Γi, Γj and Γk are (2gi, gj, gk/2), (gi, 2gj, gk/2), and (gi, gj, gk/2) respectively.

We summarize these in the following proposition.

Proposition 30.7. The simplifying factors for the four (rational) triangles in an orthocentric quadrangle are of the form (g1, g2, g3), (2g1, g2, g3), (g1, 2g2, g3) and (g1, g2, 2g3), with g1, g2, g3 odd integers.

30.4 Indecomposable primitive Heron triangles

A routine computer search gives the following indecomposable, primitive Heron triangles with sides ≤ 100, excluding Pythagorean triangles:

(5, 29, 30; 72) (10, 35, 39; 168) (15, 34, 35; 252) (13, 40, 45; 252) (17, 40, 41; 336)
(25, 34, 39; 420) (5, 51, 52; 126) (15, 52, 61; 336) (20, 53, 55; 528) (37, 39, 52; 720)
(17, 55, 60; 462) (26, 51, 73; 420) (17, 65, 80; 288) (29, 65, 68; 936) (34, 55, 87; 396)
(39, 55, 82; 924) (41, 50, 89; 420) (35, 65, 82; 1092) (26, 75, 91; 840) (39, 58, 95; 456)
(17, 89, 90; 756) (26, 73, 97; 420) (41, 60, 95; 798) (51, 52, 97; 840)

We study the condition under which the primitive Heron triangle Γ0 = Γ0(t1, t2, t3) constructed in §?? is indecomposable. Clearly, Γ0 is indecomposable if this is so for the triangle Γ = Γ(t1, t2, t3) defined by (30.3). More remarkable is the validity of the converse.

Theorem 30.8. A non-Pythagorean, primitive Heron triangle Γ0 = Γ0(t1, t2, t3) is indecomposable if and only if each of the simplifying factors gi, i = 1, 2, 3, contains an odd prime divisor.

Proof. We first prove the theorem for the triangle Γ := Γ(t1, t2, t3) defined by (30.3).

Since Γ has area △ = n1d1n2d2n3d3, the height on the side ai = ginidi is given by

hi = 2njdjnkdk/gi.


Since the triangle does not contain a right angle, it is indecomposable if and only if none of the heights hi, i = 1, 2, 3, is an integer. By Proposition 30.4(4), this is the case if and only if each of g1, g2, g3 contains an odd prime divisor.

To complete the proof, note that the sides (and hence also the heights) of Γ0 are 1/g times those of Γ. Here, g := gcd(a1, a2, a3) = gcd(n1d1, n2d2, n3d3) by Corollary 30.6. The heights of Γ0 are therefore

h′i = 2njdjnkdk/(gi · g) = (2/gi) · njdjnkdk/gcd(n1d1, n2d2, n3d3).

Note that njdjnkdk/gcd(n1d1, n2d2, n3d3) is an integer prime to gi. If h′i is not an integer, then gi must contain an odd prime divisor, by Proposition 30.4(4) again.

Corollary 30.9. Let Γ be a primitive Heron triangle. Denote by Γi, i = 1, 2, 3, the primitive Heron triangles in the similarity classes of the remaining three rational triangles in the orthocentric quadrangle containing Γ. The four triangles Γ and Γi, i = 1, 2, 3, are either all decomposable or all indecomposable.

Example 30.3. From the orthocentric quadrangle of each of the indecomposable Heron triangles (15, 34, 35; 252) and (25, 34, 39; 420), we obtain three other indecomposable primitive Heron triangles.

(a1, b1, c1; △)         (g1, g2, g3)    (a1, b1, c1; △)           (g1, g2, g3)
(15, 34, 35; 252)       (5, 17, 5)      (25, 34, 39; 420)         (5, 17, 13)
(55, 17, 60; 462)       (5, 17, 10)     (285, 187, 364; 26334)    (5, 17, 26)
(119, 65, 180; 1638)    (5, 17, 10)     (700, 561, 169; 30030)    (10, 17, 13)
(65, 408, 385; 12012)   (5, 34, 5)      (855, 952, 169; 62244)    (5, 34, 13)
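An added Python example (not code from the notes) for Theorem 30.8, Corollary 30.9 and Example 30.3. It decides decomposability by the integer-height criterion of §30.1.2 and exhibits the Pythagorean components with the sign ε; it computes the three other primitive triangles of the orthocentric quadrangle of §30.3 from AH = 2R|cos A|, BH = 2R|cos B|, CH = 2R|cos C| with R = abc/(4△) (this is how the example, not the notes, obtains them; the absolute values also cover an obtuse starting triangle); and it recovers the simplifying factors from the sides through t_i = r/(s − a_i), r = △/s, so that the theorem can be compared with the direct height test. Function names are this example's own.

```python
# Added example (not from the notes): integer-height decomposition (§30.1.2), the orthocentric
# quadrangle (§30.3) and simplifying factors from the sides, for checking Theorem 30.8 directly.
from fractions import Fraction
from math import gcd, isqrt


def heron_area(a, b, c):
    """Integer area from 16△² = (a+b+c)(-a+b+c)(a-b+c)(a+b-c); None if not a Heron triangle."""
    m = (a + b + c) * (-a + b + c) * (a - b + c) * (a + b - c)
    if m <= 0:
        return None
    r = isqrt(m)
    return r // 4 if r * r == m and r % 4 == 0 else None


def decompose(a, b, c):
    """Split along the first integer height: returns (ε, (x1, h, p), (x2, h, q)) with the base
    equal to ε·x1 + x2 (ε = 1 juxtaposition, ε = -1 excision), or None if indecomposable."""
    area = heron_area(a, b, c)
    assert area is not None
    for base, p, q in ((a, b, c), (b, c, a), (c, a, b)):
        if (2 * area) % base:
            continue                       # the height on this side is not an integer
        h = 2 * area // base
        x1, x2 = isqrt(p * p - h * h), isqrt(q * q - h * h)
        assert x1 * x1 == p * p - h * h and x2 * x2 == q * q - h * h
        if x1 == 0 or x2 == 0:
            continue                       # right angle on this side: a degenerate component
        if x1 + x2 == base:
            return 1, (x1, h, p), (x2, h, q)
        if x1 > x2:
            x1, p, x2, q = x2, q, x1, p    # excision removes the smaller component
        assert x2 - x1 == base
        return -1, (x1, h, p), (x2, h, q)
    return None


def primitive(sides):
    """Scale rational sides to relatively prime integers; returns (a, b, c, area)."""
    fr = [Fraction(x) for x in sides]
    m = 1
    for x in fr:
        m = m * x.denominator // gcd(m, x.denominator)
    v = [int(x * m) for x in fr]
    g = gcd(gcd(v[0], v[1]), v[2])
    v = [x // g for x in v]
    return (v[0], v[1], v[2], heron_area(*v))


def orthocentric_quadrangle(a, b, c):
    """For a Heron triangle ABC with no right angle and orthocenter H, the primitive triangles
    similar to HBC, AHC and ABH, from AH = 2R|cos A| etc. with R = abc/(4△)."""
    area = heron_area(a, b, c)
    cos = [Fraction(b*b + c*c - a*a, 2*b*c), Fraction(a*a + c*c - b*b, 2*a*c),
           Fraction(a*a + b*b - c*c, 2*a*b)]
    assert area is not None and all(cos), "right triangle: H is a vertex"
    R = Fraction(a * b * c, 4 * area)
    AH, BH, CH = (2 * R * abs(x) for x in cos)
    return tuple(primitive(t) for t in ((BH, CH, a), (AH, CH, b), (AH, BH, c)))


def simplifying_factors(a, b, c):
    """(30.4) from the sides: t_i = r/(s - a_i) with r = △/s the inradius (figure in §30.1)."""
    area = heron_area(a, b, c)
    s = Fraction(a + b + c, 2)
    t = [area / s / (s - x) for x in (a, b, c)]
    n = [x.numerator for x in t]
    d = [x.denominator for x in t]
    return tuple(gcd(d[j]*d[k] - n[j]*n[k], n[j]*d[k] + d[j]*n[k])
                 for j, k in ((1, 2), (2, 0), (0, 1)))


def theorem_30_8_holds(a, b, c):
    """Indecomposable iff every g_i has an odd prime divisor, i.e. no g_i is 1 or 2
    (4 never divides g_i by Proposition 30.4 (4)); compared with the integer-height test."""
    predicted = all(g not in (1, 2) for g in simplifying_factors(a, b, c))
    return predicted == (decompose(a, b, c) is None)
```

On (13, 14, 15) the height 12 on the side 14 gives the juxtaposition (9, 12, 15) ∪ (5, 12, 13); on (4, 13, 15; 24), an obtuse triangle, the same two right triangles appear as an excision with ε = −1. Starting from (15, 34, 35) the quadrangle returns (119, 65, 180; 1638), (385, 65, 408; 12012) and (55, 17, 60; 462), the three triangles of the left half of the table, all of them indecomposable as Corollary 30.9 asserts.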

30.4.1 Construction of Heron triangles with given simplifying factors

Theorem 30.10. Let g1, g2, g3 be odd numbers satisfying the following conditions.
(i) At least two of g1, g2, g3 exceed 1.
(ii) The prime divisors of gi, i = 1, 2, 3, are all congruent to 1 (mod 4).
(iii) gcd(g1, g2, g3) = 1.

Suppose g1, g2, g3 together contain λ distinct rational (odd) prime divisors. Then there are 2^{λ−1} distinct, primitive Heron triangles with simplifying factors (g1, g2, g3).

Proof. Suppose (g1, g2, g3) satisfies these conditions. By (ii), there are primitive Gaussian integers θi, i = 1, 2, 3, such that gi = N(θi). Since gcd(g1, g2, g3) = 1, if a rational prime p ≡ 1 (mod 4) divides gi and gj, then, in the ring Z[√−1], the prime factorizations of θi and θj contain powers of the same Gaussian prime π or π̄.


Therefore, if g1, g2, g3 together contain λ rational prime divisors, then there are 2^λ choices of the triple of primitive Gaussian integers (θ1, θ2, θ3), corresponding to a choice between the Gaussian primes π(p) and π̄(p) for each of these rational primes. Choose units ε1 and ε2 such that z1 = ε1θ2θ3 and z2 = ε2θ3θ1 are positive.

Two positive Gaussian integers z1 and z2 define a positive Gaussian integer z3 via (30.6) if and only if

0 < φ(z1) + φ(z2) < π/2. (30.8)

Since φ(z1*) + φ(z2*) = π − (φ(z1) + φ(z2)), it follows that exactly one of the two pairs (z1, z2) and (z1*, z2*) satisfies condition (30.8). There are, therefore, 2^{λ−1} Heron triangles with (g1, g2, g3) as simplifying factors.

Making use of Theorems 30.8, 30.10, and Proposition 30.7, it is now easy to construct indecomposable primitive Heron triangles from any triple of odd integers (g1, g2, g3), each greater than 1, satisfying the conditions of Theorem 30.10. For example, by choosing g1, g2, g3 from the first few primes of the form 4k + 1, we obtain the following primitive Heron triangles, all indecomposable:

(g1, g2, g3)   (d1, n1)   (d2, n2)   (d3, n3)   (a, b, c; △)
(5, 13, 17)    (14, 5)    (7, 6)     (7, 4)     (25, 39, 34; 420)
               (5, 14)    (9, 2)     (8, 1)     (175, 117, 68; 2520)
               (11, 10)   (7, 6)     (8, 1)     (275, 273, 68; 9240)
               (10, 11)   (9, 2)     (7, 4)     (275, 117, 238; 13860)
(5, 13, 29)    (4, 19)    (12, 1)    (8, 1)     (95, 39, 58; 456)
               (16, 11)   (8, 9)     (8, 1)     (110, 117, 29; 1584)
               (11, 16)   (12, 1)    (7, 4)     (220, 39, 203; 3696)
               (19, 4)    (8, 9)     (7, 4)     (95, 234, 203; 9576)
(5, 17, 29)    (22, 3)    (12, 1)    (2, 9)     (55, 34, 87; 396)
               (18, 13)   (9, 8)     (9, 2)     (65, 68, 29; 936)
               (18, 13)   (12, 1)    (6, 7)     (195, 34, 203; 3276)
               (22, 3)    (9, 8)     (7, 6)     (55, 204, 203; 5544)
(13, 17, 29)   (22, 3)    (16, 11)   (10, 11)   (39, 136, 145; 2640)
               (22, 3)    (19, 4)    (5, 14)    (429, 646, 1015; 87780)
               (18, 13)   (19, 4)    (11, 10)   (1521, 646, 1595; 489060)
               (18, 13)   (16, 11)   (14, 5)    (1521, 1496, 1015; 720720)
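The construction in the proof of Theorem 30.10, carried out in an added Python example (not code from the notes) for three distinct primes g_i ≡ 1 (mod 4), which is the case of the table above. The example forms z1 from θ2 and θ̄3 and z2 from θ3 and θ̄1 (one factor conjugated in each product; this is an assumption of the example, chosen because with the three primes distinct it is what makes g3 divide (z1z2)* in (30.6)), rotates each into the positive quadrant, and keeps the choices for which z3 is positive, i.e. for which (30.8) holds. Function names are this example's own.

```python
# Added example (not from the notes): all primitive Heron triangles with prescribed simplifying
# factors (g1, g2, g3), three distinct primes = 1 (mod 4), by the recipe of Theorem 30.10.
from math import gcd, isqrt


def mul(z, w):
    return (z[0]*w[0] - z[1]*w[1], z[0]*w[1] + z[1]*w[0])


def conj(z):
    return (z[0], -z[1])


def complement(z):
    """z* = y + x√-1, the complement of z = x + y√-1."""
    return (z[1], z[0])


def make_positive(z):
    """Multiply by the unit among 1, √-1, -1, -√-1 that moves z into the open first quadrant."""
    for _ in range(4):
        if z[0] > 0 and z[1] > 0:
            return z
        z = mul(z, (0, 1))
    raise ValueError("a Gaussian integer with a zero component has no positive associate")


def theta_with_norm(p):
    """A Gaussian integer x + y√-1 with x > y > 0 and x² + y² = p (Proposition 30.2);
    a direct search, adequate for the small primes used here."""
    for y in range(1, isqrt(p // 2) + 1):
        x = isqrt(p - y*y)
        if x*x + y*y == p:
            return (x, y)
    raise ValueError(f"{p} is not a sum of two squares")


def heron_triangles_with_factors(g1, g2, g3):
    """For each of the 2^3 choices theta_i in {pi(g_i), conj(pi(g_i))} put
    z1 = unit * theta2 * conj(theta3), z2 = unit * theta3 * conj(theta1) (rotated positive) and
    z3 = (z1 z2)*/g3 by (30.6); keep the choices with z3 positive. Theorem 30.10 says exactly
    2^(3-1) = 4 survive. Returns a list of ((d1,n1), (d2,n2), (d3,n3), (a, b, c, area))."""
    g = (g1, g2, g3)
    assert len(set(g)) == 3 and all(x % 4 == 1 for x in g)
    base = [theta_with_norm(x) for x in g]
    found = []
    for mask in range(8):
        th = [base[i] if (mask >> i) & 1 else conj(base[i]) for i in range(3)]
        z1 = make_positive(mul(th[1], conj(th[2])))
        z2 = make_positive(mul(th[2], conj(th[0])))
        w = complement(mul(z1, z2))             # (z1 z2)* = g3 z3
        assert w[0] % g3 == 0 and w[1] % g3 == 0
        z3 = (w[0] // g3, w[1] // g3)
        if not (z3[0] > 0 and z3[1] > 0):        # condition (30.8) fails for this pair
            continue
        d = [z1[0], z2[0], z3[0]]
        n = [z1[1], z2[1], z3[1]]
        # sides (30.3) in the form a_i = g_i n_i d_i of the exercise in §30.1.1
        a, b, c = (g[i] * n[i] * d[i] for i in range(3))
        assert a + b + c == 2 * d[0] * d[1] * d[2]   # semiperimeter d1 d2 d3
        area = n[0]*d[0]*n[1]*d[1]*n[2]*d[2]
        h = gcd(gcd(a, b), c)
        found.append(((d[0], n[0]), (d[1], n[1]), (d[2], n[2]),
                      (a // h, b // h, c // h, area // (h * h))))
    return found
```

For (g1, g2, g3) = (5, 13, 17) the eight choices pair off as (z1, z2) and (z1*, z2*), and the four surviving ones are precisely the four rows of the first block of the table, with the same (d_i, n_i) data; the (5, 13, 29) block is recovered in the same way.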

Further examples can be obtained by considering the orthocentric quadrangle ofeach of these triangles.