“Mathematics is the Queen of Sciences and Arithmetic is the Queen of Mathematics.”
Carl Friedrich Gauss
1 Prime numbers
1.1 Definitions, examples and basic properties
Let us start with recalling/formalising the principle of division with remainder.
Theorem 1.1 (The division algorithm). Let a and b be natural numbers with b ≠ 0. There exist unique natural numbers q and r such that
a = bq + r and 0 ≤ r < b.
Proof. To show existence, note that if a < b then q = 0 and r = a will do; otherwise consider q = ⌊a/b⌋, i.e. the largest integer such that bq ≤ a, and define r = a − bq. It follows that a = bq + r and r ≥ 0. Furthermore, r ≥ b would imply a ≥ b(q + 1), contradicting our choice of q, and so 0 ≤ r < b as required.
To show uniqueness, suppose there exist q, q′, r, r′ such that
a = bq + r = bq′ + r′ and 0 ≤ r, r′ < b.
Note that if r = r′, then bq = bq′ and, since b ≠ 0, we have q = q′ as required. So suppose r < r′ or r > r′. Without loss of generality r < r′, which, in turn, implies that q > q′ (as otherwise a = bq + r < bq′ + r′ = a), and so
b · 1 = b > r′ ≥ r′ − r = (a − bq′) − (a − bq) = b(q − q′) > b · 0,
which implies that 0 < q − q′ < 1, giving a contradiction.
Note 1.2. The division algorithm can be extended to the whole set Z of integers.
Definition 1.3. Using the same notation as in Theorem 1.1, we say that b is
the divisor, q is the quotient and r is the remainder.
Definition 1.4. Suppose that a and b are integers. We say that b divides a,
which is denoted by b|a, if there exists an integer x such that
a = bx.
We also say that a is divisible by b or that b is a divisor or a factor of a.
So, for example, 4 divides 8; 15 is divisible by 3; and 7 is a divisor of 14.
Note also that every integer is divisible by 1 and itself.
Definition 1.5. Let a ≥ 2 be an integer. We say that a is prime if its only positive divisors are 1 and a. If a has other divisors, we say a is composite.
[Consequently, a is composite if there exist b, c with 2 ≤ b, c < a and a = bc.]
Note 1.6. The integer 1 is neither composite nor prime.
Examples 1.7.
• Primes: 2, 3, 5, 104729.
• Twin primes: (3, 5), (5, 7), (821, 823).
• Mersenne primes (of the form $2^n - 1$): 7, 127.
• Fermat primes (of the form $2^{2^n} + 1$): 3, 5, 17, 257, 65537.
• James Bond primes: 4007, 6007, 9007.
• Grothendieck prime: 57.
We shall now proceed to describe some results associated with the concept
prime numbers, but before that let us state some basic divisibility properties.
Lemma 1.8. Let a, b and c be integers. Then
(a) if a|b and b|c then a|c;
(b) if a|b and a|c then a|(λb+µc) for any integers λ, µ. In particular, a|(b±c);
(c) if a|b then a|bc.
Proof. ad (a) Suppose that a|b and b|c. There exist x and y such that b = ax
and c = by. But then c = by = (ax)y = a(xy) and so a|c.
The remaining statements can be proved in a similar manner and are left as
an exercise for the reader.
Prime numbers are the building blocks the integers are made of.
Lemma 1.9. Let a ≥ 2 be an integer. Then a has a prime divisor.
Proof. We argue by contradiction. Suppose the statement is not true, and let a be the smallest positive integer with no prime divisor. Then a cannot be prime, and so, in particular, there exists b such that 2 ≤ b < a and b|a. By assumption, b has a prime divisor p, which then, by Lemma 1.8 (a), divides a.
Note 1.10. For those familiar with the terminology, note that what we used in
the proof was actually the method of (strong) mathematical induction.
In fact, a much stronger result is true.
Theorem 1.11 (Fundamental Theorem of Arithmetic). Any integer greater
than 1 can be expressed as a product of (not necessarily distinct) prime numbers.
Furthermore, such a representation is unique up to the order of the factors.
So, for example, 10 = 2 × 5 and 1200 = 2⁴ × 3 × 5².
Sketch proof. The proof of existence is almost identical to that of Lemma 1.9.
The proof of uniqueness (usually) relies on the fact that if p is prime and p|ab
then p|a or p|b, which we shall discuss next week. For a detailed proof we refer
the reader to, for example, [1, p. 41].
Theorem 1.12 (Euclid). There are infinitely many primes.
Proof. Suppose, for a contradiction, that there are only finitely many primes.
List them as $p_1, p_2, \dots, p_k$, and consider
$$N = p_1 \times p_2 \times \cdots \times p_k + 1.$$
Clearly N ≥ 2 (2 is on our list). Lemma 1.9 implies that N has a divisor p that is prime and as such must have appeared on our list. In other words, $p = p_i$ for some i. But then $p \mid (p_1 \times \cdots \times p_k) = N - 1$, which means, by Lemma 1.8 (b), that p|1 and p = ±1. Contradiction.
1.2 Primality testing. Sieve of Eratosthenes
Suppose we are given a number n and we want to check whether it is prime.
A naive approach would be to check whether n is divisible by 2, 3, …, n − 1. In fact, if n is composite, it must have a factor not exceeding √n, so it is enough to check only the integers 2, …, √n.
We can shrink the list even further by removing all even integers except
for 2, for if n is divisible by an even integer, it must be divisible by 2. Likewise,
it is not necessary to check any multiples of 3 except for 3 itself, and so on.
These observations lie at the heart of the Sieve of Eratosthenes (κοσκινον Ερατοσθενους) algorithm, which allows us to find the prime numbers between 2 and n:
(1) Write out the integers we are interested in: 2, 3, . . . , n.
(2) Set p = 2, the first prime number.
(3) Remove all multiples of p that do not exceed n: 2p, 3p, . . . .
(4) Find the first number remaining on the list after p and replace p with this
number. Note that this number must be prime.
(5) Repeat the last two steps as long as p² does not exceed n.
(6) The numbers that remained on the list are prime.
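The six steps above, together with the √n trial-division test, as an added Python example (not part of the original notes; `trial_division_is_prime`, `sieve_of_eratosthenes` and `methods_agree` are my names for them):

```python
from math import isqrt


def trial_division_is_prime(n: int) -> bool:
    """Primality test of Section 1.2: a composite n has a factor not exceeding
    sqrt(n), so it suffices to test the divisors 2, ..., floor(sqrt(n))."""
    if n < 2:
        return False  # 0 and 1 are neither prime nor composite (Note 1.6)
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def sieve_of_eratosthenes(n: int) -> list[int]:
    """Steps (1)-(6) of the Sieve of Eratosthenes for the integers 2, ..., n."""
    if n < 2:
        return []
    # (1) Write out 2, ..., n.  on_list[m] records whether m is still on the list.
    on_list = [True] * (n + 1)
    on_list[0] = on_list[1] = False
    # (2) Start with p = 2, the first prime.
    p = 2
    # (5) Continue while p^2 does not exceed n: any composite m <= n has a prime
    #     factor <= sqrt(m) <= sqrt(n), so it is struck out before p passes sqrt(n).
    while p * p <= n:
        # (3) Remove the multiples 2p, 3p, ... that do not exceed n.
        #     (Starting from p*p would be an optimisation: the smaller multiples
        #     have already been removed by smaller primes.)
        for multiple in range(2 * p, n + 1, p):
            on_list[multiple] = False
        # (4) Replace p by the first number remaining after it.  It is prime,
        #     because any smaller prime factor would already have removed it.
        p += 1
        while p <= n and not on_list[p]:
            p += 1
    # (6) Whatever remains on the list is prime.
    return [m for m in range(2, n + 1) if on_list[m]]


def methods_agree(limit: int) -> bool:
    """Cross-check: the sieve and trial division must name the same primes up to limit."""
    by_trial = [m for m in range(limit + 1) if trial_division_is_prime(m)]
    return sieve_of_eratosthenes(limit) == by_trial
```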
There are many other tests for primality, for example Fermat’s Little Theorem,
which we shall see in a few weeks.
1.3 A practice example
We shall show that the square of any integer is either of the form 3k or 3k + 1.
Indeed, let n be an integer. By the division algorithm, there exist q, r with
n = 3q + r and 0 ≤ r < 3.
Three cases are possible:
• r = 0, so that n = 3q and n² = (3q)² = 3(3q²),
• r = 1, so that n = 3q + 1 and n² = 3(3q² + 2q) + 1,
• r = 2, so that n = 3q + 2 and n² = 3(3q² + 4q + 1) + 1,
and we get the required result in each case.
“We might call Euclid’s method the granddaddy of all algorithms, because it is the oldest nontrivial algorithm that has survived to the present day.”
Donald Knuth
2 Highest common factor. Euclidean algorithm
Definition 2.1. Let a and b be integers. We say that d > 0 is the highest
common factor (or greatest common divisor) of a and b, denoted by (a, b),
hcf(a, b) or gcd(a, b), if
(a) d|a and d|b (“common factor”), and
(b) if c|a and c|b then c|d (“highest”).
If hcf(a, b) = 1, we say that a and b are coprime (or relatively prime).
So, for example, hcf(4, 6) = 2, whereas 2 and 5 are coprime.
One approach for finding hcf(a, b) is via the prime factorisation of a and b
(which exists by the Fundamental Theorem of Arithmetic). For example,
180 = 2² × 3² × 5,
24 = 2³ × 3,
and so
hcf(180, 24) = 2² × 3 = 12.
However, when it comes to large numbers, prime factorisation is not very computationally efficient, and this is where the Euclidean Algorithm comes into the picture.
We need an intermediate result first.
Lemma 2.2. Let a and b be positive integers, and let q, r be such that
a = bq + r and 0 ≤ r < b.
If hcf(b, r) exists then so does hcf(a, b) and moreover
hcf(a, b) = hcf(b, r).
Proof. For simplicity denote d = hcf(b, r). We want to show that d = hcf(a, b)
so we need to check that it satisfies the conditions of Definition 2.1.
(a) To show that d is a common factor of a and b: by assumption, d|b, and
we also have that d|r, so d|(bq + r) = a.
(b) To show that any common factor of a and b must divide d: let c be a
common factor of a and b. Then c|(a − bq) = r. But also c|b. Thus, by
definition, c|hcf(b, r) = d.
So instead of looking at hcf(a, b), we can try to find hcf(b, r), which should
be easier because the numbers are smaller. And, unless r = 0, we can divide b
by r to get even smaller numbers, and so on.
Theorem 2.3 (Euclidean algorithm). Let a and b be positive integers. Then
(a) hcf(a, b) exists and is unique.
(b) (Bézout’s identity) There exist integers x, y such that
hcf(a, b) = ax + by. (1)
Proof.
(a) Without loss of generality assume that a ≥ b. We know that there exist $q_0$ and $r_0$ such that
$$a = bq_0 + r_0 \quad\text{and}\quad 0 \le r_0 < b.$$
If $r_0 \ne 0$, then we can continue the process: there exist $q_1$ and $r_1$ with
$$b = r_0 q_1 + r_1 \quad\text{and}\quad 0 \le r_1 < r_0,$$
and, providing $r_1 \ne 0$, we can do this again:
$$r_0 = r_1 q_2 + r_2 \quad\text{and}\quad 0 \le r_2 < r_1,$$
and so on. Suppose we continue this process for as long as we can, which is known as the Euclidean algorithm. We obtain a strictly decreasing sequence of nonnegative integers
$$b > r_0 > r_1 > \cdots \ge 0.$$
But such a sequence can only have finitely many terms, which means that at some point we cannot continue. This can only happen if the corresponding remainder is zero (otherwise we could divide by it):
$$r_{k-2} = r_{k-1} q_k + r_k \quad\text{and}\quad 0 \le r_k < r_{k-1},\ r_k \ne 0;$$
$$r_{k-1} = r_k q_{k+1} + 0.$$
Now, $r_k$ is a factor of $r_{k-1}$ and so $r_k = \mathrm{hcf}(r_{k-1}, r_k)$. Therefore, applying Lemma 2.2 recursively, we get
$$r_k = \mathrm{hcf}(r_{k-1}, r_k) = \mathrm{hcf}(r_{k-2}, r_{k-1}) = \cdots = \mathrm{hcf}(r_0, r_1) = \mathrm{hcf}(b, r_0) = \mathrm{hcf}(a, b),$$
that is, hcf(a, b) exists and is equal to the last nonzero remainder in the Euclidean algorithm.
For uniqueness note that if d = hcf(a, b) = d′ then d|a and d|b, implying that d|d′ (as every common factor of a and b is divisible by d′), and, by the same reasoning, d′|d, so that d = d′.
(b) To express hcf(a, b) in terms of a and b, we retrace the steps of our Euclidean algorithm:
$$\begin{aligned}
\mathrm{hcf}(a, b) &= r_k \\
&= r_{k-2} - r_{k-1} q_k \\
&= r_{k-2} - (r_{k-3} - r_{k-2} q_{k-1})\, q_k \qquad [\,r_{k-1} = r_{k-3} - r_{k-2} q_{k-1}\,] \\
&= r_{k-2}(1 - q_{k-1} q_k) - r_{k-3} q_k \\
&= \cdots \\
&= ax + by.
\end{aligned}$$
Example 2.4. Find hcf(112, 20) and express it as a combination of 112 and 20.
112 = 20 × 5 + 12
20 = 12 × 1 + 8
12 = 8 × 1 + 4
8 = 4 × 2 + 0,
and so hcf(112, 20) = 4. Furthermore,
hcf(112, 20) = 4 = 12 − 8 × 1
= 12 − (20 − 12 × 1) × 1
= 20 × (−1) + 12 × 2
= 20 × (−1) + (112 − 20 × 5) × 2
= 112 × 2 + 20 × (−11).
Theorem 2.3 provides a number of interesting corollaries.
Corollary 2.5. Let a, b, c be integers and suppose that c|ab and hcf(c, a) = 1.
Then c|b.
Proof. By the Euclidean Algorithm, there exist x, y with
1 = cx + ay.
After multiplying both parts of the equation by b we get
b = (cx)b + (ay)b = c(xb) + (ab)y.
Clearly c|c and, by assumption, c|ab, so c|c(xb) + (ab)y = b as required.
Note 2.6. The condition hcf(c, a) = 1 is necessary: 4|(2 × 2) but 4 ∤ 2.
Now, if p is prime and p ∤ a, we must necessarily have hcf(p, a) = 1, and so,
rewriting Corollary 2.5 accordingly, we get
Corollary 2.7. Let p be a prime such that p|ab. Then p|a or p|b.
A classical application of this result is the proof of the uniqueness part of
the Fundamental Theorem of Arithmetic.
Proof of uniqueness of prime factorisation. We shall proceed by contradiction
and assume that N is the smallest integer that can be written as a product of
primes in (at least) two ways:
$$N = p_1^{e_1} \cdots p_k^{e_k} = q_1^{f_1} \cdots q_l^{f_l}.$$
Now, $p_1 \mid N = q_1^{f_1} \cdots q_l^{f_l}$ and so, applying Corollary 2.7 repeatedly, we conclude that there exists i with $p_1 \mid q_i^{f_i} = q_i q_i \cdots q_i$. Appealing to Corollary 2.7 again, we conclude that $p_1 \mid q_i$. But $q_i$ is prime, and $p_1 > 1$, which is only possible if $q_i = p_1$. Without loss of generality assume that i = 1 and so we have
$$M := p_1^{e_1 - 1} \cdots p_k^{e_k} = \frac{N}{p_1} = \frac{N}{q_1} = q_1^{f_1 - 1} \cdots q_l^{f_l}.$$
Since M < N , its factorisation into primes must be unique. Consequently k = l
and (up to a rearrangement of the indices on the right) p1 = q1 , . . . , pk = qk ,
e1 = f1 , . . . , ek = fk . Contradiction.
The proof of the following result is similar to that of Corollary 2.5 and is
left as an exercise on one of the problem sheets.
Corollary 2.8. Suppose that hcf(a, b) = 1, a|c and b|c. Then ab|c.
We shall finish with a couple of observations.
Note 2.9.
(a) The worst case scenario occurs when the algorithm is applied to two consecutive Fibonacci numbers. Since the nth Fibonacci number is roughly equal to $\varphi^n / \sqrt{5}$, the complexity of the algorithm is O(log n).
(b) The integers x, y satisfying (1) are not unique and in fact there are infinitely many of them. It can be shown that if (x, y) is any solution to (1), then all solutions are described by the set
$$\left\{ \left( x + \frac{kb}{\mathrm{hcf}(a, b)},\; y - \frac{ka}{\mathrm{hcf}(a, b)} \right) : k \text{ is an integer} \right\}.$$
For example,
4 = 112 × 2 + 20 × (−11) = 112 × 7 + 20 × (−39).
(c) Equation (1) is an example of a Diophantine equation of first order. It is an
easy consequence of the Euclidean Algorithm that an equation ax+by = c
is soluble (in integers) if and only if hcf(a, b)|c.
(d) The concept of hcf can be generalised in several directions. On the one
hand, it can be extended to more than two variables. On the other hand,
it can be applicable to other structures, such as rings of polynomials (long
division), Gaussian integers (which are numbers of the form a + ib with a, b integers and i = √−1) or, more generally, Euclidean domains.
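Theorem 2.3, Example 2.4 and Note 2.9 (a)-(c) in one added Python example (not from the original notes): `extended_euclid` performs the divisions of the Euclidean algorithm while carrying the Bézout coefficients forward, so no separate back-substitution pass is needed; the other function names are mine.

```python
def extended_euclid(a: int, b: int) -> tuple[int, int, int, int]:
    """Euclidean algorithm (Theorem 2.3) for positive integers a, b.
    Returns (h, x, y, steps) with h = hcf(a, b) = a*x + b*y, where steps counts the
    divisions with remainder performed.  Instead of retracing the steps afterwards
    (as in the proof of part (b)), every remainder is carried along with its own
    expression r = a*x + b*y; the final one is Bezout's identity (1)."""
    r0, x0, y0 = a, 1, 0          # a = a*1 + b*0
    r1, x1, y1 = b, 0, 1          # b = a*0 + b*1
    steps = 0
    while r1 != 0:
        q, r = divmod(r0, r1)     # r0 = r1*q + r with 0 <= r < r1
        steps += 1
        # r = r0 - r1*q, so its coefficients are the same combination of the old ones.
        r0, r1 = r1, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return r0, x0, y0, steps      # r0 is the last nonzero remainder


def all_bezout_solutions(a: int, b: int, k_range) -> list[tuple[int, int]]:
    """Note 2.9 (b): from one solution (x, y) of hcf(a, b) = ax + by, the others are
    (x + k*b/hcf(a, b), y - k*a/hcf(a, b)) for integer k."""
    h, x, y, _ = extended_euclid(a, b)
    return [(x + k * b // h, y - k * a // h) for k in k_range]


def solve_linear_diophantine(a: int, b: int, c: int):
    """Note 2.9 (c): ax + by = c is soluble in integers iff hcf(a, b) | c.
    Returns one solution (x, y), or None when there is none."""
    h, x, y, _ = extended_euclid(a, b)
    if c % h != 0:
        return None
    z = c // h                    # c = hcf(a, b) * z: scale Bezout's identity by z
    return x * z, y * z


def fibonacci(n: int) -> int:
    f0, f1 = 0, 1
    for _ in range(n):
        f0, f1 = f1, f0 + f1
    return f0


def euclid_steps_on_fibonacci(n: int) -> int:
    """Note 2.9 (a): consecutive Fibonacci numbers F(n+1), F(n) are the worst case.
    Every quotient is 1 until the final division, so n-1 steps are needed, i.e. the
    number of steps is logarithmic in the size of the inputs (F(n) ~ phi^n / sqrt(5))."""
    return extended_euclid(fibonacci(n + 1), fibonacci(n))[3]
```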
“Gauss once said ‘Mathematics is the queen of the sciences and number-theory the queen of mathematics.’ If this be true we may add that the Disquisitiones is the Magna Charta of number-theory.”
M. Cantor
3 Modular (aka clock) arithmetic
3.1 Introduction
Suppose that it is now 9 o’clock. What will the time be in 8 hours? In “normal”
arithmetic this would be 9 + 8 = 17 o’clock. But if we live in a 12-hour clock
world, then it will actually be 5. So in the clock arithmetic (which is arithmetic
modulo 12) we have
9 + 8 = 5.
We can generalise the notion as follows.
Definition 3.1. Let n be a positive integer. We say that integers a and b are
congruent modulo n if n|(a − b). This is denoted as
a ≡ b (mod n).
[Equivalently, a ≡ b (mod n) if a = b + kn for some integer k.]
Some authors use notation a ≡ b (n) or even a = b (n).
So, for example, 1 ≡ 13 (mod 12) and −1 ≡ 1 (mod 2), but 1 ≢ 5 (mod 3).
In general, if we are dealing with arithmetic modulo n, then all multiples
of n can be ignored, and so instead of dealing with original numbers we can look
at their remainder when divided by n thus restricting ourselves to the numbers
{0, 1, . . . , n − 1} or {−n + 1, . . . , −1, 0}. We shall often identify numbers with
their remainders, so that the sentence “find a (mod n)” will mean “find the
remainder of a when divided by n”.
We start with some basic properties of congruences. Their proof is very
much in the spirit of that of Lemma 1.8 and is left as an exercise for the reader.
Lemma 3.2. Let a, b, c and d be integers and let n be a positive integer. Then
(a) a ≡ a (mod n);
(b) if a ≡ b (mod n) then b ≡ a (mod n);
(c) if a ≡ b (mod n) and b ≡ c (mod n) then a ≡ c (mod n);
(d) if a ≡ b (mod n) and c ≡ d (mod n) then a ± c ≡ b ± d (mod n);
(e) if a ≡ b (mod n) and c ≡ d (mod n) then ac ≡ bd (mod n). In particular, $a^k \equiv b^k \pmod n$ for any k.
Note that the implications in part (e) of Lemma 3.2 are not reversible. For example, 2 × 2 ≡ 0 × 0 (mod 4) but of course 2 ≢ 0 (mod 4). Things are different, however, if we include certain (co-)primality restrictions.
Theorem 3.3. Suppose that ac ≡ bc (mod n). If, in addition, hcf(n, c) = 1,
then a ≡ b (mod n).
Proof. By assumption n|(ac − bc) = (a − b)c and hcf(n, c) = 1. Corollary 2.5
implies that n|(a − b) as required.
Corollary 3.4. Let p be prime and suppose that ac ≡ bc (mod p) and p ∤ c.
Then a ≡ b (mod p).
Examples 3.5.
(a) Calculate the remainder of $25^{260} + 260^{25}$ (mod 3).
Note that 25 ≡ 1 (mod 3) and so
$$25^{260} \equiv 1^{260} = 1 \pmod 3.$$
Similarly, 260 ≡ 2 ≡ −1 (mod 3) and so
$$260^{25} \equiv (-1)^{25} = -1 \pmod 3.$$
Thus
$$25^{260} + 260^{25} \equiv 1 + (-1) = 0 \pmod 3,$$
and the remainder is 0.
(b) The square of an integer never has remainder 2 when divided by 3.
Indeed, let a be an integer and let r be its remainder when divided by 3
so that a ≡ r (mod 3). Then a² ≡ r² (mod 3) and three cases are possible:
• if r = 0, then a² ≡ 0² = 0 (mod 3),
• if r = 1, then a² ≡ 1² = 1 (mod 3),
• if r = 2, then a² ≡ 2² = 4 ≡ 1 (mod 3),
so a2 can only have a remainder 0 or 1 when divided by 3.
(c) What is the remainder of 1! + 2! + · · · + 100! when divided by 12?
First note that k! contains a factor of 12 = 3 × 4 whenever k ≥ 4, which
means that 4! ≡ 0 (mod 12), . . . , 100! ≡ 0 (mod 12). Thus
1! + 2! + · · · + 100! ≡ 1! + 2! + 3! + 0 + · · · + 0 ≡ 1 + 2 + 6 ≡ 9 (mod 12),
and the remainder is 9.
(d) Show that $2^{30} - 1$ is divisible by 31.
Note that $2^5 = 32 \equiv 1 \pmod{31}$. Hence
$$2^{30} = (2^5)^6 \equiv 1^6 = 1 \pmod{31},$$
which means that $31 \mid (2^{30} - 1)$ as required.
Note 3.6. Parts (a)–(c) of Lemma 3.2 show that ≡ is a reflexive, symmetric and
transitive relation respectively, and hence it is an equivalence relation. For any
integer a we denote the corresponding equivalence class by [a], so that
[a] = {b : b ≡ a (mod n)} = {. . . , a − 2n, a − n, a, a + n, a + 2n, . . .}.
We can then define arithmetic operations by setting
[a] + [b] := [a + b],
−[a] := [−a],
[a][b] := [ab],
and, with respect to these operations, the resulting structure, usually denoted
by Z/nZ = Zn , forms a commutative ring. If n is prime, then this ring is a field,
so that we can not only add, subtract and multiply, but also divide by nonzero
elements.
3.2 Theorems of Fermat and Euler
Theorem 3.7 (Fermat’s Little Theorem). Let p be a prime and a be an integer such that p ∤ a. Then
$$a^{p-1} \equiv 1 \pmod p.$$
Proof. Firstly, consider the set
S = {a, 2a, . . . , (p − 1)a}.
We claim that all elements in S are distinct modulo p. Indeed, let i and j be
integers such that
1 ≤ i, j ≤ p − 1 and ia ≡ ja (mod p). (2)
This means that p|a(i − j) and, since p ∤ a, Corollary 2.7 implies that p|(i − j),
so that
i − j = kp
for some integer k. However, the first part of equation (2) implies that
(−1) × p < −p + 2 = 1 − (p − 1) ≤ i − j ≤ (p − 1) − 1 = p − 2 < 1 × p.
This forces k to be 0, which, in turn, implies that i = j as required.
So, S consists of p−1 elements, which are all distinct (mod p). Furthermore,
none of these elements can be divisible by p as neither are a, 1, . . . , (p − 1). This
means that mod p the elements of S are precisely 1, 2, . . . , p − 1, possibly in
another order. Consequently,
a × 2a × · · · × (p − 1)a ≡ 1 × 2 · · · × (p − 1) (mod p),
and so
$$a^{p-1} (p-1)! \equiv (p-1)! \pmod p.$$
Being prime, p does not divide any of the factors of (p − 1)!. Thus, by Corollary 3.4, we can cancel (p − 1)! meaning that ap−1 ≡ 1 (mod p) as required.
Note 3.8. There is another proof of Fermat’s Little Theorem, which can often be found in books. It is actually really neat, but requires some knowledge of group theory. The idea is as follows: the numbers 1, …, p − 1 are the invertible elements mod p and as such form a group under multiplication (so that we can multiply elements and take inverses). Let now a be an element in this group, so that hcf(a, p) = 1 and p ∤ a. By Lagrange’s Theorem, the order of a, i.e. the smallest n with $a^n \equiv 1 \pmod p$, must divide the order of the group, which is p − 1, and the result follows.
Corollary 3.9. Let a be any integer and p be any prime. Then
$$a^p \equiv a \pmod p.$$
Proof. If p ∤ a, Fermat’s Little Theorem implies that $a^{p-1} \equiv 1 \pmod p$ and we just multiply both sides of the congruence by a.
Otherwise p|a, which means that $a \equiv 0 \equiv a^p \pmod p$ and we are done.
Corollary 3.10. Let n be an integer. If there exists an integer a with $a^n \not\equiv a \pmod n$, then n is not prime.
For example, $2^{117} \equiv 44 \not\equiv 2 \pmod{117}$, and so 117 is not a prime. Indeed, 117 = 13 × 3².
Examples 3.11.
(a) Example 3.5 (d) revisited: Calculate $2^{30}$ (mod 31).
31 is prime and 30 = 31 − 1, so $2^{30} \equiv 1 \pmod{31}$.
(b) Calculate $5^{42}$ (mod 11).
Note that $5^{10} \equiv 1 \pmod{11}$, which means that
$$5^{40} = (5^{10})^4 \equiv 1^4 = 1 \pmod{11},$$
and so
$$5^{42} \equiv 5^2 = 25 \equiv 3 \pmod{11}.$$
Note 3.12. Note that Fermat’s theorem is not a sufficiency result and so cannot be used for determining primality. As an illustration, it can be shown that
$$a^{560} \equiv 1 \pmod{561}$$
for all a coprime to 561, and yet 561 is not prime: 561 = 3 × 11 × 17. Such numbers are called Carmichael numbers.
Fermat did not provide a proof of his theorem, saying that it was too long
(how typical of him!). Leibniz provided a proof of the result, but did not publish
it, and it was Euler who first published his own version of the proof. He also
came up with a generalisation of the result, which we shall now proceed to
explore, but first we need to establish the terminology.
Definition 3.13. Let n be a natural number. We define φ(n) to be the number of natural numbers not exceeding n that are coprime to n, i.e.
φ(n) = #{a ∈ N : a ≤ n, hcf(a, n) = 1}.
The function φ is also called Euler’s phi-function or totient.
Note 3.14. Continuing with the language of group theory, alternatively, φ(n) is
the number of elements that are invertible mod n.
So, for example, to find φ(12) we need to count all positive integers that
are smaller than 12 and are coprime to 12. These are 1, 5, 7 and 11, and so
φ(12) = 4. Similarly, φ(1) = 1 and φ(30) = 8.
If n does not have many divisors, it may be easier to calculate the number
of integers it is not coprime to.
Examples 3.15.
(a) Let p be a prime. There are p numbers that do not exceed p and of those
only p is not coprime to p. Consequently,
φ(p) = p − 1.
So, for example, φ(4007) = 4006.
(b) Let p be a prime and e be a positive integer. Then
$$\varphi(p^e) = p^e - p^{e-1} = p^e \left(1 - \frac{1}{p}\right).$$
So, for example, φ(169) = φ(13²) = 13² − 13¹ = 156.
The proof of the statement is similar and is left as an exercise on one of
the problem sheets.
(c) Let p and q be two distinct primes. Without loss of generality assume
p < q. There are pq elements that do not exceed pq. Of those, the numbers
that are not coprime to pq are the multiples of p up to qp and the multiples of q up to pq:
p, 2p, 3p, …, (q − 1)p, qp (total: q)
q, 2q, 3q, …, (p − 1)q, pq (total: p)
But pq appears twice on our list, so
φ(pq) = pq − p − q + 1 = (p − 1)(q − 1). (3)
So, for example, φ(143) = φ(11 × 13) = (11 − 1) × (13 − 1) = 120.
Note that we have shown that if p and q are distinct prime numbers, then
φ(pq) = φ(p)φ(q). In fact, this is a specific case of a more general result, the
proof of which can be found for example in [1, p. 133].
Theorem 3.16. The function φ is multiplicative, that is φ(mn) = φ(m)φ(n)
whenever m and n are coprime.
The result, combined with the Fundamental Theorem of Arithmetic and
Example 3.15 (b) gives a recipe for calculating φ(n) for any n.
Corollary 3.17. Let n be an integer, and let
$$n = p_1^{e_1} \cdots p_k^{e_k}$$
be its (unique) representation as a product of distinct primes. Then
$$\varphi(n) = \left(p_1^{e_1} - p_1^{e_1 - 1}\right) \cdots \left(p_k^{e_k} - p_k^{e_k - 1}\right) = n \left(1 - \frac{1}{p_1}\right) \cdots \left(1 - \frac{1}{p_k}\right).$$
To illustrate, 100 = 2² × 5², so
φ(100) = (2² − 2¹)(5² − 5¹) = 2 × 20 = 40.
Theorem 3.18 (Euler). Let a and n be integers with hcf(a, n) = 1. Then
$$a^{\varphi(n)} \equiv 1 \pmod n.$$
Before we proceed, note that if n is a prime not dividing a then hcf(a, n) = 1
and φ(n) = (n − 1), and we immediately get Fermat’s Little Theorem.
Proof of Theorem 3.18. We shall proceed in the spirit of our proof of Theorem 3.7. Let $1 \le b_1 < b_2 < \cdots < b_{\varphi(n)} \le n$ be the integers not exceeding n that are coprime to n, and consider the set
$$S = \{ab_1, ab_2, \dots, ab_{\varphi(n)}\}.$$
Suppose that
$$ab_i \equiv ab_j \pmod n$$
for some i, j with $1 \le i, j \le \varphi(n)$, so that $n \mid a(b_i - b_j)$. Coprimality of a and n implies that $n \mid (b_i - b_j)$ and so $b_i - b_j$ is an integer multiple of n. However,
$$(-1) \times n < 1 - n \le b_i - b_j \le n - 1 < 1 \times n,$$
and so $b_i - b_j = 0$, meaning that i = j.
So S has φ(n) elements, which are all distinct mod n and which are all coprime to n (since a and all $b_i$ are). Consequently modulo n the elements of S are precisely $b_1, \dots, b_{\varphi(n)}$, perhaps in a different order. So
$$a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} b_i = (ab_1)(ab_2) \cdots (ab_{\varphi(n)}) \equiv b_1 b_2 \cdots b_{\varphi(n)} = \prod_{i=1}^{\varphi(n)} b_i \pmod n.$$
Coprimality of n and $\prod_{i=1}^{\varphi(n)} b_i$ implies, by Theorem 3.3, that $\prod_{i=1}^{\varphi(n)} b_i$ can be cancelled and so $a^{\varphi(n)} \equiv 1 \pmod n$ as required.
Note 3.19. There is an alternative proof of Euler’s Theorem, which is identical
to that described in Note 3.8 and follows from the fact that the set of elements
invertible mod n forms a group under multiplication. The group is often called
the group of units and its order is consequently φ(n).
Examples 3.20.
(a) Find the remainder of $3^{201}$ when divided by 100.
We already saw that φ(100) = φ(2² × 5²) = 40, and so $3^{40} \equiv 1 \pmod{100}$. Cons equently, $3^{200} = (3^{40})^5 \equiv 1^5 = 1 \pmod{100}$ and $3^{201} \equiv 3 \pmod{100}$.
(b) Find the unit digit of $7^{100}$ by means of Euler’s theorem.
Translating the question into the language of congruences, we need to evaluate $7^{100}$ (mod 10). Note that φ(10) = φ(2 × 5) = (2 − 1)(5 − 1) = 4, and so $7^{100} = (7^4)^{25} \equiv 1^{25} = 1 \pmod{10}$.
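Added Python example (not from the original notes) tying together Corollary 3.10, Note 3.12, Corollary 3.17 and Theorem 3.18: φ is computed from the prime factorisation as in Corollary 3.17 and checked against Definition 3.13 by direct counting, and the Fermat compositeness check is run on 117 (where base 2 is a witness) and on the Carmichael number 561 (where no base is). Function names are mine; Python's built-in `pow(a, k, n)` performs the modular exponentiation.

```python
from math import gcd


def prime_factorisation(n: int) -> dict:
    """Trial-division factorisation n = p1^e1 ... pk^ek (Theorem 1.11), returned as {p: e}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:                      # whatever is left is a prime factor > sqrt(original n)
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """Euler's totient by Corollary 3.17: the product of (p^e - p^(e-1)) over n's factorisation."""
    result = 1
    for p, e in prime_factorisation(n).items():
        result *= p ** e - p ** (e - 1)
    return result                  # phi(1) = 1, the empty product


def phi_by_counting(n: int) -> int:
    """Definition 3.13 taken literally: count 1 <= a <= n with hcf(a, n) = 1."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def euler_holds(a: int, n: int) -> bool:
    """Theorem 3.18: a^phi(n) ≡ 1 (mod n) whenever hcf(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def fermat_witness(n: int):
    """Corollary 3.10 used as a compositeness test: return a base a with
    a^n ≢ a (mod n), which proves n composite, or None if every base passes."""
    for a in range(2, n):
        if pow(a, n, n) != a % n:
            return a
    return None


def is_carmichael(n: int) -> bool:
    """Note 3.12: a composite n with a^(n-1) ≡ 1 (mod n) for every a coprime to n,
    so the Fermat test never exposes it as composite."""
    composite = sum(prime_factorisation(n).values()) > 1
    return composite and all(
        pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1
    )
```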
3.3 Linear congruences and Chinese Remainder Theorem
Suppose we want to solve the equation
ax = b. (4)
If there are no restrictions on x then, provided a ≠ 0, the equation has a unique solution: x = b/a. If we require all terms to be integers, then (4) has one solution, b/a, if a|b and no solutions otherwise. But suppose now that we work in modular arithmetic: given a, b and n we want to find x such that
ax ≡ b (mod n). (5)
In the spirit of the previous section, one approach is just to check whether any
of the numbers a × 0, a × 1, . . . , a × (n − 1) satisfy (5).
Example 3.21. By checking 0, 1 and 2, we see that the solution to the equation
2x ≡ 1 (mod 3) is x ≡ 2 (mod 3).
Whilst the trial and error method works in general, let us try to derive a
general algorithm for solving such equations. Note that
(5) is soluble
⇔ ∃ (there exists) x such that n|(ax − b)
⇔ ∃ x such that ∃ y such that ax − b = ny
⇔ the equation b = ax − ny is soluble in integers x, y.
Thus solubility of ax ≡ b (mod n) is equivalent to solubility of ax − ny = b.
Theorem 3.22. Let A, B and C be integers. The equation
Ax + By = C (6)
is soluble in integers (in x and y) if and only if hcf(A, B)|C.
Proof. For simplicity we shall denote hcf(A, B) by d.
⇒ Suppose there exist x and y satisfying (6). By definition, d|A and d|B,
so d|Ax + By = C as required.
⇐ Suppose that d|C, that is, there exists z with C = dz. By the Euclidean
Algorithm, there exist x and y with d = Ax + By, which means that
C = dz = (Ax + By)z = A(xz) + B(yz)
and the pair (xz, yz) provides a required solution to (6).
Combined with the previous argument, this gives the following
Theorem 3.23. The equation ax ≡ b (mod n) is soluble if and only if hcf(a, n)|b.
Corollary 3.24. Let p be a prime. The equation
ax ≡ b (mod p)
is soluble if and only if either p ∤ a or p divides both a and b.
Note 3.25. If b = 1 then Theorem 3.23 says that the elements that are invertible
mod n are precisely those that are coprime to n.
In particular, if p is prime, all of 1, 2, . . . , p − 1 are invertible mod p.
Consequently, Z/pZ, which consists precisely of (equivalence classes of) these
elements is a field.
Theorem 3.23 provides an algorithm for solving linear congruences via the
Euclidean Algorithm (although for small n this may be an overkill).
Note 3.26. As noted above, if x is a solution to ax ≡ b (mod n) then so is x + nk
for any integer k. In fact, if hcf(a, n) = 1 then these are the only solutions.
However, when this is not the case, there may be more than one incongruent
solution mod n. For example, the equation
18x ≡ 30 (mod 42)
has solutions
x ≡ 4, 11, 18, 25, 32, 39 (mod 42),
which are precisely the distinct values of (the unique) solution to
3x ≡ 5 (mod 7).
Notice that 3 = 18/6, 5 = 30/6 and 7 = 42/6. Too much for a coincidence?
Indeed, this is just an example of a more general rule: let h = hcf(a, n); then Theorem 3.23 ensures that h|b. Consequently, a = ha′, b = hb′ and n = hn′. But then
ax ≡ b (mod n) is soluble
⇔ ax − b = kn for some integer k
⇔ ha′x − hb′ = khn′ for some integer k
⇔ a′x − b′ = kn′ for some integer k
⇔ a′x ≡ b′ (mod n′) is soluble,
the latter now being uniquely soluble as hcf(a′, n′) = hcf(a, n)/h = 1!
Example 3.27. Find a solution to 11x ≡ 3 (mod 17).
Note that hcf(11, 17) = 1. Furthermore, by the Euclidean Algorithm,
17 = 11 × 1 + 6
11 = 6 × 1 + 5
6 = 5 × 1 + 1
5 = 5 × 1 + 0,
and so
1 = hcf(11, 17) = 6 − 5
= 6 − (11 − 6 × 1)
= 6 × 2 − 11 × 1
= (17 − 11 × 1) × 2 − 11 × 1
= 17 × 2 − 11 × 3,
and so
3 = 1 × 3 = (17 × 2 − 11 × 3) × 3 = 17 × 6 − 11 × 9 ≡ 11 × (−9) (mod 17),
and −9 is a solution, as is −9 + 17k for any integer k, e.g. 8.
Suppose now that we want to solve several linear congruences simultaneously.
Theorem 3.28 (Chinese Remainder Theorem). Let $n_1, n_2, \dots, n_r$ be mutually coprime, that is, $\mathrm{hcf}(n_i, n_j) = 1$ whenever i ≠ j, and suppose we are also given integers $a_1, a_2, \dots, a_r$. Then the simultaneous system of congruences
$$x \equiv a_1 \pmod{n_1},\quad x \equiv a_2 \pmod{n_2},\quad \dots,\quad x \equiv a_r \pmod{n_r}$$
is soluble and, moreover, the solution is unique modulo $N = n_1 n_2 \cdots n_r$.
Proof. To show existence, we define, for each i,
$$N_i := \frac{N}{n_i} = \prod_{\substack{j = 1, \dots, r \\ j \ne i}} n_j.$$
Then $(N_i, n_i) = 1$ and, by Theorem 3.23, there exists $x_i$ such that
$$N_i x_i \equiv 1 \pmod{n_i}.$$
Furthermore, if j ≠ i then $n_i \mid N_j$ and so
$$N_j \equiv 0 \pmod{n_i}.$$
Consequently, if we define
$$x = \sum_{j=1}^{r} a_j N_j x_j,$$
then, for each i,
$$x \equiv a_i N_i x_i \equiv a_i \pmod{n_i}$$
as required.
Since N ≡ 0 (mod $n_i$) for each i, for every solution x every x + Nk is also a solution. Conversely, suppose that y is another simultaneous solution, that is, for every i we have
$$x \equiv a_i \pmod{n_i} \quad\text{and}\quad y \equiv a_i \pmod{n_i}.$$
This implies that $x - y \equiv 0 \pmod{n_i}$, that is, $n_i \mid (x - y)$. However, the $n_i$ are mutually coprime, so Corollary 2.8 implies that $\prod_{i=1}^{r} n_i \mid (x - y)$, and so x ≡ y (mod N) as required.
Example 3.29 (Sun Tsu, 5th(?) century AD). Find a number that leaves the
remainders 2, 3 and 2 when divided by 3, 5 and 7 respectively.
Translating the question into the language of congruences, we are looking for x such that
x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7),
so that $n_1 = 3$, $n_2 = 5$, $n_3 = 7$ (mutually coprime) and $a_1 = 2$, $a_2 = 3$, $a_3 = 2$. Following the proof of the Chinese remainder theorem, we define
$$N = n_1 n_2 n_3 = 3 \times 5 \times 7 = 105$$
and
$$N_1 = \frac{N}{n_1} = 5 \times 7 = 35;\quad N_2 = \frac{N}{n_2} = 3 \times 7 = 21;\quad N_3 = \frac{N}{n_3} = 3 \times 5 = 15.$$
So we now need to solve three equations, either by the Euclidean Algorithm or by trial and error:
(1) 35x ≡ 1 (mod 3). This gives $x_1 = -1$.
(2) 21x ≡ 1 (mod 5). This gives $x_2 = 1$.
(3) 15x ≡ 1 (mod 7). This gives $x_3 = 1$.
Thus one solution is
$$\sum_{i=1}^{3} a_i N_i x_i = 2 \times 35 \times (-1) + 3 \times 21 \times 1 + 2 \times 15 \times 1 = 23,$$
and all solutions are given by the set
{23 + 105k : k is an integer}.
Example 3.30. Solve the following simultaneous system of equations:
10x ≡ 2 (mod 26)
7x ≡ 3 (mod 20).
We first need to solve the congruences separately to transform them into the form $x \equiv a_i \pmod{n_i}$. We have
(1) 10x ≡ 2 (mod 26). This is equivalent to 5x ≡ 1 (mod 13), which, in turn, has x ≡ −5 (mod 13) as a solution.
(2) 7x ≡ 3 (mod 20). This gives x ≡ 9 (mod 20).
So, the initial system of equations is equivalent to
x ≡ −5 (mod 13)
x ≡ 9 (mod 20),
and, with notation as above, we have $a_1 = -5$, $a_2 = 9$, N = 13 × 20 = 260, $N_1 = 20$, $N_2 = 13$, and we need to solve
(1) 20x ≡ 1 (mod 13). This gives $x_1 = 2$.
(2) 13x ≡ 1 (mod 20). This gives $x_2 = -3$.
Thus the answer is
x ≡ −5 × 20 × 2 + 9 × 13 × (−3) ≡ −31 (mod 260).
Note 3.31. Suppose we are trying to solve the linear congruence
5x ≡ 4 (mod 231).
Note that 231 = 3 × 7 × 11, and so the above is equivalent to simultaneously solving
5x ≡ 4 (mod 3)
5x ≡ 4 (mod 7)
5x ≡ 4 (mod 11),
and we are now in the familiar situation of the previous example! The details of the remaining calculations are left as an exercise for the reader.
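Theorem 3.23, Note 3.26 and Theorem 3.28 as an added Python example (not from the original notes): it solves ax ≡ b (mod n), including the case hcf(a, n) > 1 with its several incongruent solutions, and combines congruences exactly as the constructive proof of the Chinese Remainder Theorem does, reproducing Examples 3.29, 3.30 and Note 3.31. Python's `pow(a, -1, n)` (3.8+) supplies the modular inverse that the notes obtain from the Euclidean Algorithm; the function names are mine.

```python
from math import gcd


def solve_linear_congruence(a: int, b: int, n: int) -> list[int]:
    """Solve a*x ≡ b (mod n) following Theorem 3.23 and Note 3.26.
    Returns every incongruent solution in 0..n-1, or [] if there is none."""
    h = gcd(a, n)
    if b % h != 0:
        return []                     # Theorem 3.23: soluble iff hcf(a, n) | b
    # Divide through by h: a'x ≡ b' (mod n') with hcf(a', n') = 1.
    a1, b1, n1 = a // h, b // h, n // h
    # a' is invertible mod n' (Note 3.25), so the reduced congruence has the
    # unique solution x0 = b' * a'^(-1) mod n'.
    x0 = (b1 * pow(a1, -1, n1)) % n1 if n1 > 1 else 0
    # Lifting back mod n yields the h incongruent solutions x0, x0+n', ..., x0+(h-1)n'.
    return [x0 + k * n1 for k in range(h)]


def chinese_remainder(residues: list[int], moduli: list[int]) -> tuple[int, int]:
    """Theorem 3.28, constructive proof: for mutually coprime n_i return (x, N) with
    x ≡ a_i (mod n_i) for every i and 0 <= x < N = n_1 ... n_r."""
    N = 1
    for n_i in moduli:
        N *= n_i
    x = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = N // n_i                # product of all the other moduli
        if gcd(N_i, n_i) != 1:
            raise ValueError("moduli are not mutually coprime")
        x_i = pow(N_i, -1, n_i)       # N_i * x_i ≡ 1 (mod n_i)
        x += a_i * N_i * x_i          # ≡ a_i mod n_i and ≡ 0 mod every other n_j
    return x % N, N


def solve_system(equations: list[tuple[int, int, int]]):
    """Example 3.30: each a*x ≡ b (mod n) is first reduced to x ≡ x0 (mod n/hcf(a, n)),
    then the reduced congruences are combined by the Chinese Remainder Theorem.
    Returns (x, N), or None if some equation is insoluble."""
    residues, moduli = [], []
    for a, b, n in equations:
        solutions = solve_linear_congruence(a, b, n)
        if not solutions:
            return None
        residues.append(solutions[0])           # the unique solution mod n'
        moduli.append(n // gcd(a, n))           # n'
    return chinese_remainder(residues, moduli)
```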
4 Modern Number Theory
“Mathematicians are like Frenchmen: whatever you say to them they translate into their own language and forthwith it is something entirely different.”
Johann Wolfgang von Goethe
4.1 RSA encryption
RSA is a method of public key cryptography. Officially, the algorithm was invented in 1977 by Rivest, Shamir and Adleman (hence the name); however, essentially the same method was already described by Clifford Cocks in 1973 in a classified paper.
The system uses two keys: a public one, used for encryption, and a private
one, used for decryption. The private key is chosen and used by the recipient
only, which means that there is no need for transmitting it to other people,
which greatly increases the level of security.
To describe the algorithm, we need three characters:
• Alice, the sender of the message;
• Bob, the recipient of the message;
• (optional) Eve, a malicious eavesdropper.
The process of transmitting the message is as follows:
(i) Bob picks two distinct (large) primes p and q and calculates n = pq. He
then chooses an integer e satisfying
hcf(e, (p − 1)(q − 1)) = 1.
The values of e and n are then announced publicly.
(ii) Alice picks a secret message she wants to send to Bob, plaintext, and
converts it into a numerical string M , called ciphertext. The conversion is
done using (for example) the following table:
A = 00
B = 01
C = 02
...
Z = 25
, = 26
. = 27
? = 28
! = 39
0 = 29
1 = 30
2 = 32
...
9 = 38
(iii) Alice then encrypts the message by calculating N := M^e (mod n), possibly
splitting M into smaller pieces first, if M > n. The value of N is
announced publicly.
(iv) To decrypt the message, Bob picks d with the property
de ≡ 1 (mod (p − 1)(q − 1))
and calculates N^d (mod n).
Note that the string does indeed correspond to Alice's message:
N^d ≡ (M^e)^d (mod n)
= M^{ed}
= M^{1 + k(p−1)(q−1)}            as de ≡ 1 (mod (p − 1)(q − 1))
= M × (M^{φ(n)})^k              as φ(n) = φ(pq) = (p − 1)(q − 1)
≡ M × 1^k                       by Euler's Theorem
= M.
Example 4.1. In this example we shall be following the above notation.
Suppose that Alice wants to send a secret message “The answer is forty two”
to Bob. She somehow signals to Bob that she is about to send him a message,
and so he must generate a public key.
(i) Bob picks two large primes p = 43 and q = 71. In this case n = 3053 and
(p − 1)(q − 1) = 2940, and so he needs to choose e with hcf(e, 2940) = 1,
say e = 11. The pair (n = 3053, e = 11) is then announced publicly.
(ii) The plaintext Alice wants to send is “The answer is forty two”. She
converts it into ciphertext using the table in step (ii) above:
T = 19, H = 07, E = 04, A = 00, N = 13, S = 18, W = 22, E = 04, R = 17,
I = 08, S = 18, F = 05, O = 14, R = 17, T = 19, Y = 24, T = 19, W = 22, O = 14,
so Alice's message is
M = 19070400131822041708180514171924192214.
(iii) Alice now needs to calculate N := M e (mod n), but she first needs to
split M into blocks whose value is less than n = 3053. In our case blocks
of length 4 (corresponding to two letters) will do, since we are only using
letters and so the biggest possible value of a two-letter combination is 2525,
corresponding to “zz”. So,
M = 1907 | 0400 | 1318 | 2204 | 1708 | 1805 | 1417 | 1924 | 1922 | 14
(block 1, block 2, …, block 10),
which gives, mod 3053,
1907^11 ≡ 2611,   0400^11 ≡ 1227,   1318^11 ≡ 2291,   2204^11 ≡ 2558,   1708^11 ≡ 2038,
1805^11 ≡ 2020,   1417^11 ≡ 1134,   1924^11 ≡ 2516,   1922^11 ≡ 2987,   14^11 ≡ 440.
Thus the public message Alice transmits to Bob is
N := 2611 1227 2291 2558 2038 2020 1134 2516 2987 440.
(iv) Bob now needs to pick d with the property
11d ≡ 1 (mod 2940),
for which he can use our good old friend, the Euclidean algorithm:
2940 = 11 × 267 + 3
11 = 3 × 3 + 2
3 = 2 × 1 + 1;
hcf(2940, 11) = 1 = 3 − 2 × 1
= 3 − (11 − 3 × 3) × 1
= 3 × 4 − 11
= (2940 − 11 × 267) × 4 − 11
= 2940 × 4 − 11 × 1069,
and so he can pick d = −1069 + 2940 = 1871. He now needs to calculate
N^d (mod n = 3053):
2611^1871 ≡ 1907,   1227^1871 ≡ 400,   2291^1871 ≡ 1318,   2558^1871 ≡ 2204,   2038^1871 ≡ 1708,
2020^1871 ≡ 1805,   1134^1871 ≡ 1417,   2516^1871 ≡ 1924,   2987^1871 ≡ 1922,   440^1871 ≡ 14,
and so Alice's ciphertext was
1907 400 1318 2204 1708 1805 1417 1924 1922 14,
which can now be translated into the plaintext message “The answer is
forty two” (or, rather, “TH EA NS WE RI SF OR TY TW O”) using the
conversion table in step (ii) above.
Note 4.2.
• A bit of terminology: n is called the modulus; e is called the (encryption)
exponent and d is known as the decryption exponent.
• In order to apply Euler’s theorem, we need to ensure that M , or each of
its blocks, is coprime to n. This is a very likely event if p and q are very
large, but still needs to be looked at.
• An efficient way of calculating x^d (mod n) is via binary expansion: if
d = a_0 + a_1 × 2 + a_2 × 2^2 + · · · + a_k × 2^k,   a_i ∈ {0, 1},
then we can calculate recursively
x_0 := x,   x_{i+1} := x_i^2 (mod n)
(so that x_i = x^{2^i} (mod n)), in which case
x^d = x_0^{a_0} × x_1^{a_1} × · · · × x_k^{a_k} (mod n).
• If Eve manages to discover the value of φ(n), then, also knowing n, she
can easily calculate p and q (since pq = n and p + q = n − φ(n) + 1, so p and q
are the roots of a known quadratic), and is thus able to decrypt any message. Otherwise,
however, she needs to come up with an efficient prime factorisation
algorithm. To make Eve's life harder, p and q should be chosen far apart
(if they are close together, n can be factorised quickly by Fermat's method of
writing n as a difference of two squares).
• In order to establish the security of the system, RSA Laboratories used to
offer money for finding the prime factorisation of certain large (around 500
digits) numbers that were precisely of the form pq.
• The RSA algorithm can also be used for creating digital signatures to verify the
identity of the sender.
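Steps (i) to (iv) of the RSA procedure together with the binary-expansion exponentiation of Note 4.2, as an added Python example that is not the notes' own code: it uses the toy parameters of Example 4.1 (p = 43, q = 71, e = 11) and, as a simplifying assumption, reduces the encoding table to the letters A..Z = 00..25, which is all the worked example uses. The built-in `pow(e, -1, phi)` stands in for the hand-run Euclidean algorithm of step (iv).

```python
# Added example (not from the notes): toy RSA with the parameters of Example 4.1.
# Primes of this size only illustrate the arithmetic; they give no security at all.
from math import gcd

def mod_pow(x, d, n):
    """x^d (mod n) via the binary expansion d = a_0 + a_1*2 + ... + a_k*2^k (Note 4.2):
    keep x_i = x^(2^i) mod n and multiply in those x_i whose bit a_i is 1."""
    result, x_i = 1, x % n
    while d > 0:
        if d & 1:                      # a_i = 1
            result = result * x_i % n
        x_i = x_i * x_i % n            # x_{i+1} = x_i^2 (mod n)
        d >>= 1
    return result

def keygen(p, q, e):
    """Steps (i) and (iv): public key (n, e) and decryption exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # d with de ≡ 1 (mod phi)
    return (n, e), d

def encode(text):
    """Step (ii): letters to two-digit codes A = 00 ... Z = 25; other characters dropped."""
    return "".join(f"{ord(c) - ord('A'):02d}" for c in text.upper() if "A" <= c <= "Z")

def decode(digits):
    return "".join(chr(int(digits[i:i + 2]) + ord("A")) for i in range(0, len(digits), 2))

def encrypt(pub, digits, size=4):
    """Step (iii): split into blocks of `size` digits (each < n) and raise each to e."""
    n, e = pub
    return [mod_pow(int(digits[i:i + size]), e, n) for i in range(0, len(digits), size)]

def decrypt(pub, d, cipher_blocks, ndigits, size=4):
    """Step (iv): recover each block; ndigits restores leading zeros and the short last block."""
    n, _ = pub
    out = []
    for i, c in enumerate(cipher_blocks):
        width = size if i < len(cipher_blocks) - 1 else ndigits - size * i
        out.append(f"{mod_pow(c, d, n):0{width}d}")
    return "".join(out)

if __name__ == "__main__":
    pub, d = keygen(43, 71, 11)        # pub = (3053, 11), d = 1871
    m = encode("The answer is forty two")
    c = encrypt(pub, m)                # starts 2611, 1227, ... and ends 440
    print(decode(decrypt(pub, d, c, len(m))))
```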
4.2 Number Theory flavours
It is of course impossible to precisely partition the subject into a list of subtopics
— there are many overlaps between the areas and furthermore, many questions
may be solved using techniques from different areas of mathematics (or physics!).
However, depending on the methods used and questions asked, number theory
includes, although is not limited to, the following branches:
Elementary Number Theory This is the area we have been looking at
in this course. The term “elementary” reflects the fact that the results are
self-contained and do not require techniques from other areas of mathematics.
Examples of topics covered by this branch include divisibility and Euclid’s algorithm, arithmetic functions (such as Euler’s φ-function), linear congruences
and quadratic residues.
Many theorems and conjectures may be stated in elementary number-theoretic
terms, even though the proof may require very complex techniques. Examples
include Fermat's Last Theorem, the Twin Prime Conjecture and many more.
Analytic Number Theory This is an area that uses techniques from Calculus and (Complex) Analysis to tackle number-theoretic problems. Its classical
result is
Theorem (Prime Number Theorem, Gauss). For any integer n we define π(n)
to be the number of primes not exceeding n, that is,
π(n) := #{p : p ≤ n and p is prime}.
Then
lim_{n→∞} π(n) / (n / ln(n)) = 1,
or, equivalently,
π(n) ∼ n / ln n.
In other words, the probability that a (randomly chosen and large) number n is
prime is about 1/ln(n), and the gap between two consecutive primes near n is
about ln(n).
Another analytic number theory result says that π and e are transcendental,
that is, they cannot be roots of a non-zero polynomial with rational coefficients.
Algebraic Number Theory Here we use abstract algebra settings in a
number-theoretic environment, and instead of dealing with integers, we often
look at bigger structures, for example the ring of Gaussian integers Z[i], in
which every element has the form a + ib with a, b ∈ Z and i = √−1, or quadratic
fields Q[√d], in which every element has the form a + b√d with a, b ∈ Q. We
also extend the notions of 1, primality, divisibility, unique factorisation and so
on. It turns out that, with the correct terminology, many results we covered in this
course hold in a much more general setting.
Algebraic Number Theory provides various methods for solving
Diophantine equations, such as the one in Fermat's Last Theorem, whose proof, among
other things, explored the relation between elliptic curves and modular forms.
Elliptic curves are also used in cryptography and prime factorisation.
Combinatorial Number Theory This area looks at the relation between
number theory, combinatorics and other related areas. One of the most famous
results in the area is
Theorem (Green–Tao, 2004). The sequence of prime numbers contains arbitrarily long arithmetic progressions.
Note that the proof is not constructive, so if we want to find an arithmetic
progression of length k, we need to employ other methods.
4.3 Who wants to be a millionaire?
Here are a couple of problems you may want to look at in your spare time. They
are all unsolved, and the proof of, or a counterexample to, most is associated
with a prize of up to $1,000,000 (not to mention eternal mathematical fame!).
Conjecture. There are infinitely many Mersenne primes.
(Recall: a prime is called Mersenne if it is of the form 2^n − 1.)
Conjecture. Every Fermat number with n > 5 is composite.
(Recall: a number is called Fermat if it is of the form 2^{2^n} + 1.)
Conjecture (Twin primes conjecture).
There are infinitely many pairs of twin primes.
Conjecture (Goldbach conjecture).
Every even integer greater than 2 can be expressed as a sum of two primes.
Conjecture (Riemann hypothesis). The zeroes of the Riemann zeta function,
which is the analytic continuation of the function
ζ(s) = Σ_{n=1}^{∞} 1/n^s,
have the form of either −2k with k a positive integer, or 1/2 + it with t real.
4.4 Further general info
There is of course much more to the subject, but the course is too short for us to
be able to learn about everything, so you are encouraged to browse through the
numerous books and web pages to learn more. In addition to the number theory-specific
list provided at the end of the course, here are a few more resources of
general interest:
• G.H. Hardy, A Mathematician’s Apology: a classical well-written essay
describing the beauty and aesthetics of Mathematics. May be really inspirational though a bit outdated and depressing at times and should not
be taken too seriously.
• Tim Gowers, Mathematics: A Very Short Introduction: another book on
the subject of mathematics as a subject, with definitions of many commonly used mathematical concepts and discussions on commonly asked
sociological questions.
• http://www.tricki.org/: a wiki-style website developed by Gowers, which
is intended to be a repository of useful problem-solving techniques.
• http://www.theoremoftheday.org/: does what it says on the tin!