MA6011, Week 7

19 Squares
We learnt how to solve linear congruences earlier. The next step up could be to try
to solve quadratic congruences, that is congruences of the form
$$ax^2 + bx + c \equiv d \pmod m.$$
We should start with the simplest version:
$$x^2 \equiv a \pmod p,$$
where p is a prime number. If $a \equiv 0 \pmod p$, the congruence has the unique solution
$x \equiv 0 \pmod p$. If $p > 2$, $a \not\equiv 0 \pmod p$ and there is one solution x, we will find a
second solution, because $(-x)^2 \equiv x^2 \pmod p$ and $-x \not\equiv x \pmod p$ for $p > 2$ (note
that $x \not\equiv 0$, since $a \not\equiv 0$). In fact, there cannot be a third solution because
$x^2 \equiv y^2 \pmod p$ means that $x^2 - y^2 = (x - y)(x + y)$ is divisible by p. By Euclid's
Lemma this implies that p divides $x - y$ or $x + y$. Therefore, either $y \equiv x \pmod p$ or
$y \equiv -x \pmod p$; there is no third possibility. This shows that the congruence
$x^2 \equiv a \pmod p$ either has two solutions or no solution, provided that p is an odd
prime and $a \not\equiv 0 \pmod p$.
The question then arises if we can find an easy way to determine for which a
solutions exist and for which a there is no solution. The easiest idea would be to
try all possibilities. For example, the squares modulo 13 are

  x   |  0  1  2  3  4   5   6   7   8  9  10  11  12
  x^2 |  0  1  4  9  3  12  10  10  12  3   9   4   1

We nicely see here that the second half of the table is determined by the first half.
This is due to the equality $(-x)^2 = x^2$. We see from this table that there is a
solution for a = 0, 1, 3, 4, 9, 10, 12 and there is no solution for a = 2, 5, 6, 7, 8, 11.
An integer a which is not divisible by p is called a quadratic residue modulo
p if the congruence $x^2 \equiv a \pmod p$ has a solution. If this congruence does not have
a solution, we say that a is a quadratic nonresidue modulo p.

Theorem 19.1. Let p be an odd prime. Then there are exactly $(p-1)/2$ quadratic
residues modulo p and exactly $(p-1)/2$ quadratic nonresidues modulo p.

Proof. What we have seen for p = 13 above is true in general: the numbers
$1^2, 2^2, \ldots, \left(\frac{p-1}{2}\right)^2$ are quadratic residues modulo p. We have seen above
that we can only have $x^2 \equiv y^2 \pmod p$ if $y \equiv x \pmod p$ or $y \equiv -x \pmod p$; for
distinct x, y among $1, 2, \ldots, (p-1)/2$ neither can happen, so these $(p-1)/2$ squares
are distinct modulo p. Considered modulo p, the numbers $-1, -2, \ldots, -\frac{p-1}{2}$
coincide with the numbers $p-1, p-2, \ldots, \frac{p+1}{2}$, so that these do not produce
new squares. Hence exactly $(p-1)/2$ of the $p-1$ nonzero remainders are quadratic
residues, and the remaining $(p-1)/2$ are quadratic nonresidues.
For p = 13, the quadratic residues are 1, 3, 4, 9, 10, 12 and the quadratic nonresidues
are 2, 5, 6, 7, 8, 11. It is interesting to observe that products of elements in
the first set are in the first set, as are products of elements of the second set, while
the product of one element from each set is in the second set.
To understand this, we use a primitive root. For example g = 2 is a primitive root
modulo 13 and the quadratic residues are $g^0, g^4, g^2, g^8, g^{10}, g^6$ (same order as above)
and the quadratic nonresidues are $g^1, g^9, g^5, g^{11}, g^3, g^7$. In this case, the even powers
of g give quadratic residues and the odd powers give the quadratic nonresidues. Is
this true in general?
To answer this question, let g be a primitive root modulo p. The powers of g
are $g, g^2, g^3, \ldots, g^{p-3}, g^{p-2}, g^{p-1}$. Because g is a primitive root, they give all
nonzero remainders modulo p. Those that are even powers of g are clearly quadratic
residues. There are $(p-1)/2$ even numbers between 1 and $p-1$ and there are $(p-1)/2$
quadratic residues, so the even powers already account for all of them. Thus the odd
powers of g are the quadratic nonresidues.
This shows that the quadratic residues are exactly the even powers of a primitive
root g and the quadratic nonresidues are the odd powers of g. Because the sum of
two even or of two odd numbers is even, it is now clear that the product of two
quadratic residues is a quadratic residue and that the product of two quadratic
nonresidues is a quadratic residue as well. Also, since the sum of an even and an odd
number is odd, a quadratic residue multiplied with a quadratic nonresidue will always
be a quadratic nonresidue.
To capture such lengthy statements by a short formula, Legendre introduced
a notation now known as the Legendre Symbol. Let p be an odd prime. The
Legendre Symbol $\left(\frac{a}{p}\right)$ is defined as follows:
$$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a quadratic residue modulo } p, \\ -1 & \text{if } a \text{ is a quadratic nonresidue modulo } p, \\ 0 & \text{if } p \text{ divides } a. \end{cases}$$
Note that $\left(\frac{a}{p}\right)$ depends on a mod p only, so that we can add to a or subtract from
a multiples of p without changing the value of the symbol. What we have seen
above regarding the multiplication of quadratic residues and quadratic nonresidues
can now be expressed by the following simple multiplication formula, which is true
for all integers a, b and all odd primes p:
$$\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right).$$
Example 19.2. To determine $\left(\frac{2000}{2111}\right)$ (2111 is prime) we write $2000 = 5 \cdot 20 \cdot 20$
and use that the square of a non-zero Legendre symbol is always equal to 1 (as
$(-1)^2 = 1^2 = 1$):
$$\left(\frac{2000}{2111}\right) = \left(\frac{5}{2111}\right)\left(\frac{20}{2111}\right)\left(\frac{20}{2111}\right) = \left(\frac{5}{2111}\right).$$
Observing that $46^2 = 2116 \equiv 5 \pmod{2111}$ we conclude that $\left(\frac{5}{2111}\right) = 1$ and so
2000 is a quadratic residue modulo 2111 as well.
A useful general result about the Legendre symbol is the following result of Euler.
It will be the basis of the Solovay-Strassen primality test discussed later.
Theorem 19.3. If p is an odd prime and a an integer, then
$$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \pmod p.$$
Proof. If $p \mid a$ then both sides are 0. Henceforth we assume that a is not divisible
by p. Let g be a primitive root modulo p; then a is congruent to some power of g
modulo p. If a is a quadratic residue this is an even power, i.e. $a \equiv g^{2k} \pmod p$ for
some integer k. We obtain then
$$a^{(p-1)/2} \equiv \left(g^{2k}\right)^{(p-1)/2} \equiv \left(g^{p-1}\right)^k \equiv 1 \pmod p,$$
where we used Fermat's Little Theorem to get the last congruence. As $\left(\frac{a}{p}\right) = 1$ we
have shown the required equality in this case.
Assume now that a is a quadratic nonresidue. Then $a \equiv g^{2k+1} \pmod p$ for some
integer k. As above we obtain
$$a^{(p-1)/2} \equiv \left(g^{2k+1}\right)^{(p-1)/2} \equiv \left(g^{p-1}\right)^k \cdot g^{(p-1)/2} \equiv g^{(p-1)/2} \pmod p.$$
Because p is a prime and the square of $g^{(p-1)/2}$ is congruent to 1 modulo p, this
number is either congruent to 1 or to −1 modulo p. But g is a primitive root and so
the smallest power of g that is congruent to 1 modulo p is $g^{p-1}$, hence
$g^{(p-1)/2} \equiv -1 \pmod p$. This is the required result.
The theorem says that we can find whether a is or is not a quadratic residue
modulo p by calculating $a^{\frac{p-1}{2}} \bmod p$. But in most cases this involves more
calculations than we would like. However, in the simplest case where a = −1 we
obtain a satisfactory answer:
$$\left(\frac{-1}{p}\right) = (-1)^{\frac{p-1}{2}}.$$
(Both sides are ±1 and $1 \not\equiv -1 \pmod p$ for odd p, so the congruence of Theorem 19.3
is an equality here.) Because p is odd, it will either be of the form 4k + 1 or 4k + 3.
Therefore this formula says that if p = 4k + 1 then −1 is a quadratic residue modulo p,
because (p − 1)/2 = 2k is even. On the other hand, if p = 4k + 3, then −1 is a quadratic
nonresidue, since (p − 1)/2 = 2k + 1 and so $(-1)^{2k+1} = -1$. More explicitly, this
result tells us that there is a solution to
$$x^2 \equiv -1 \pmod p$$
if p is a prime of the form 4k + 1, but does not tell us how to find such a solution.
We can now try to study the next interesting case a = 2. Let us first gain some
numerical experience. The rows of the following table are obtained by calculating
the squares of 1, 2, . . . , (p − 1)/2 modulo p.

   p | quadratic residues modulo p
  ---+-----------------------------------------------------------------
   3 | 1
   5 | 1, 4
   7 | 1, 4, 2
  11 | 1, 4, 9, 5, 3
  13 | 1, 4, 9, 3, 12, 10
  17 | 1, 4, 9, 16, 8, 2, 15, 13
  19 | 1, 4, 9, 16, 6, 17, 11, 7, 5
  23 | 1, 4, 9, 16, 2, 13, 3, 18, 12, 8, 6
  29 | 1, 4, 9, 16, 25, 7, 20, 6, 23, 13, 5, 28, 24, 22
  31 | 1, 4, 9, 16, 25, 5, 18, 2, 19, 7, 28, 20, 14, 10, 8
  37 | 1, 4, 9, 16, 25, 36, 12, 27, 7, 26, 10, 33, 21, 11, 3, 34, 30, 28
We can see that 2 is a quadratic residue for the primes 7, 17, 23, 31 and a quadratic
nonresidue for 3, 5, 11, 13, 19, 29, 37. How can we see a pattern here? The answer is
obtained by considering these primes modulo 8. It turns out that the primes for
which 2 is a quadratic residue are congruent to 1 or 7 modulo 8. The primes for
which 2 is a quadratic nonresidue are congruent to 3 or 5 modulo 8. This observation
indeed is true in general.
To capture this statement in a short formula, we observe that $(p^2 - 1)/8$ is even
if $p = 8k \pm 1$ and odd for $p = 8k \pm 3$. Indeed,
$$\frac{(8k \pm 1)^2 - 1}{8} = \frac{64k^2 \pm 16k}{8} = 2(4k^2 \pm k) \quad\text{and}\quad \frac{(8k \pm 3)^2 - 1}{8} = \frac{64k^2 \pm 48k + 8}{8} = 2(4k^2 \pm 3k) + 1.$$
Theorem 19.4. If p is an odd prime, we have
$$\left(\frac{2}{p}\right) = (-1)^{\frac{p^2-1}{8}}.$$
Proof. The idea of the proof is to calculate $2^{\frac{p-1}{2}} \bmod p$ and then use Theorem 19.3.
To illustrate how this can be done, let us first consider the case p = 23. Note that
(p−1)/2 = 11 so that we need to find $2^{11} \bmod 23$. Inspired by the proof of Fermat's
Little Theorem, we multiply $2^{11}$ by $11! = 1 \cdot 2 \cdots 10 \cdot 11$ and obtain
$$\begin{aligned} 2^{11} \cdot 11! &\equiv 2 \cdot 4 \cdots 10 \cdot 12 \cdot 14 \cdots 22 \\ &\equiv 2 \cdot 4 \cdots 10 \cdot (-12) \cdot (-14) \cdots (-22) \\ &\equiv (-22) \cdot 2 \cdot (-20) \cdot 4 \cdot (-18) \cdots 10 \cdot (-12) \\ &\equiv 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdots 10 \cdot 11 \equiv 11! \pmod{23}, \end{aligned}$$
where we have inserted an even number (six) of minus signs in the second row, and
used $-22 \equiv 1$, $-20 \equiv 3$, \ldots, $-12 \equiv 11 \pmod{23}$ in the last. But 11! is coprime
to 23, and so we get $2^{11} \equiv 1 \pmod{23}$. Theorem 19.3 implies now that 2 is a
quadratic residue modulo 23.
As a second example consider $p = 19 = 2 \cdot 8 + 3$. We have (p − 1)/2 = 9 and
similar calculations give
$$\begin{aligned} 2^9 \cdot 9! &\equiv 2 \cdot 4 \cdots 8 \cdot 10 \cdot 12 \cdots 18 \\ &\equiv -\,2 \cdot 4 \cdots 8 \cdot (-10) \cdot (-12) \cdots (-18) \\ &\equiv -\,(-18) \cdot 2 \cdot (-16) \cdot 4 \cdot (-14) \cdots 8 \cdot (-10) \\ &\equiv -\,1 \cdot 2 \cdots 8 \cdot 9 \equiv -\,9! \pmod{19}. \end{aligned}$$
This time we get an extra minus sign because we have an odd number (five) of
negative factors. We obtain $2^9 \equiv -1 \pmod{19}$. By Theorem 19.3 this means that 2
is a quadratic nonresidue modulo 19.
This argument works in general. For example, if p = 8k + 1, then (p − 1)/2 = 4k
and we would like to determine $2^{4k} \bmod p$. The number of negative factors is equal
to 2k, so there is no extra minus sign here:
$$\begin{aligned} 2^{4k} \cdot (4k)! &\equiv 2 \cdot 4 \cdots (4k) \cdot (4k+2) \cdots (8k-2) \cdot (8k) \\ &\equiv 2 \cdot 4 \cdots (4k) \cdot (-(4k+2)) \cdots (-(8k-2)) \cdot (-8k) \\ &\equiv (-8k) \cdot 2 \cdot (-8k+2) \cdot 4 \cdot (-8k+4) \cdots (-4k-2) \cdot (4k) \\ &\equiv 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdots (4k-1) \cdot (4k) \pmod p. \end{aligned}$$
As in the examples this implies $2^{4k} \equiv 1 \pmod p$ and from Theorem 19.3 we conclude
that 2 is a quadratic residue modulo p = 8k + 1.
If p = 8k + 7, we have (p − 1)/2 = 4k + 3 and in a similar calculation we
would insert 2k + 2 minus signs and obtain $2^{4k+3} \equiv 1 \pmod p$. Similar arguments
for p = 8k + 3, 8k + 5 (where the number of minus signs is 2k + 1, which is odd)
show that 2 is a quadratic nonresidue in these cases.
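The following Python program is an added example and is not code from the lecture notes. It builds the residue tables of Theorem 19.1 by brute force, compares the Legendre symbol read off the table with the value given by Euler's criterion (Theorem 19.3), checks the even-power description of residues against the primitive root g = 2 for p = 13, and verifies the (−1/p) rule and Theorem 19.4 for every odd prime below 200. The function names and the bound 200 are this example's own choices.

```python
"""Quadratic residues, the Legendre symbol and the supplementary laws, checked by
brute force. Added example; this is not code from the lecture notes. The function
names and the bound 200 are this example's own choices."""


def odd_primes_below(bound):
    """Odd primes p < bound, by a sieve of Eratosthenes."""
    size = max(bound, 2)
    sieve = [True] * size
    sieve[0] = sieve[1] = False
    for i in range(2, int(size ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, size, i):
                sieve[j] = False
    return [p for p in range(3, bound) if sieve[p]]


def quadratic_residues(p):
    """Nonzero quadratic residues modulo an odd prime p. By Theorem 19.1 the
    squares of 1, 2, ..., (p-1)/2 are distinct and exhaust them; the squares of
    the remaining x repeat these, since (-x)^2 = x^2."""
    return {x * x % p for x in range(1, (p - 1) // 2 + 1)}


def legendre_by_table(a, p):
    """(a/p) straight from the definition: look a mod p up in the residue table."""
    a %= p
    if a == 0:
        return 0
    return 1 if a in quadratic_residues(p) else -1


def legendre_by_euler(a, p):
    """(a/p) by Euler's criterion (Theorem 19.3): a^((p-1)/2) mod p is 0, 1 or p-1,
    and p-1 stands for -1. Python's pow() handles a negative a correctly."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def residues_from_primitive_root(g, p):
    """The even powers g^0, g^2, ..., g^(p-3) of a primitive root g modulo p; by
    the argument in Section 19 these are exactly the quadratic residues."""
    return {pow(g, 2 * k, p) for k in range((p - 1) // 2)}


def check_theorems(bound=200):
    """Check Theorems 19.1, 19.3, the (-1/p) rule and Theorem 19.4 for every odd
    prime below bound. Returns the list of (rule, p, detail) triples that fail,
    so an empty list means everything agreed."""
    failures = []
    for p in odd_primes_below(bound):
        qr = quadratic_residues(p)
        if len(qr) != (p - 1) // 2:                                 # Theorem 19.1
            failures.append(("19.1", p, len(qr)))
        for a in range(p):                                          # Theorem 19.3
            if legendre_by_table(a, p) != legendre_by_euler(a, p):
                failures.append(("19.3", p, a))
        if legendre_by_table(-1, p) != (-1) ** ((p - 1) // 2):     # (-1/p) rule
            failures.append(("-1/p", p, p % 4))
        if legendre_by_table(2, p) != (-1) ** ((p * p - 1) // 8):  # Theorem 19.4
            failures.append(("19.4", p, p % 8))
    return failures


def primes_with_2_as_residue(bound=40):
    """Odd primes below bound for which 2 is a quadratic residue; Theorem 19.4
    says these are exactly the primes congruent to 1 or 7 modulo 8."""
    return [p for p in odd_primes_below(bound) if legendre_by_euler(2, p) == 1]


if __name__ == "__main__":
    print(sorted(quadratic_residues(13)))      # the table for p = 13
    print(legendre_by_euler(2000, 2111))       # Example 19.2
    print(primes_with_2_as_residue(40))        # [7, 17, 23, 31]
    print("violations:", check_theorems(200))  # []
```

The exhaustive comparison in check_theorems is the point: Euler's criterion is cheap (one modular exponentiation) while the table costs (p−1)/2 squarings, and the two agree on every a for every prime tested.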
20 Quadratic Reciprocity

If we have a factorisation $a = p_1 p_2 \cdots p_n$ then the multiplicative rule
$$\left(\frac{a}{p}\right) = \left(\frac{p_1}{p}\right)\left(\frac{p_2}{p}\right)\cdots\left(\frac{p_n}{p}\right)$$
shows that we need to be able to calculate $\left(\frac{q}{p}\right)$ for primes p and q.
Carl Friedrich Gauss was the first who gave a proof of a remarkable result which
related the quadratic nature of q modulo p with the quadratic nature of p modulo
q. Let us draw up a table of values of Legendre symbols $\left(\frac{q}{p}\right)$ (rows indexed by p,
columns by q) from which we can conjecture the result of Gauss.
  p\q |  3   5   7  11  13  17  19  23
  ----+--------------------------------
    3 |  .  -1   1  -1   1  -1   1  -1
    5 | -1   .  -1   1  -1  -1   1  -1
    7 | -1  -1   .   1  -1  -1  -1   1
   11 |  1   1  -1   .  -1  -1  -1   1
   13 |  1  -1  -1  -1   .   1  -1   1
   17 | -1  -1  -1  -1   1   .   1  -1
   19 | -1   1   1   1  -1   1   .   1
   23 |  1  -1  -1  -1   1  -1  -1   .
By examining this table we can spot various nice properties. Looking at the 5-row
and 5-column we see that they are the same. In other words
$$\left(\frac{5}{p}\right) = \left(\frac{p}{5}\right).$$
However, the same can not be said about the 7-row and the 7-column or the 11-row
and 11-column. However, the 13-row matches the 13-column and the 17-row
matches the 17-column. The key observation is that 5, 13 and 17 are congruent to
1 mod 4 while 3, 7, 11, 19 and 23 are congruent to 3 mod 4. This eventually leads to
the following important result.
Theorem 20.1 (Quadratic Reciprocity Theorem). If p and q are distinct odd primes
then
$$\left(\frac{p}{q}\right) = \left(\frac{q}{p}\right)$$
except when $p \equiv q \equiv 3 \pmod 4$, in which case
$$\left(\frac{q}{p}\right) = -\left(\frac{p}{q}\right).$$
Again this information can be encapsulated in the following single formula
$$\left(\frac{q}{p}\right)\left(\frac{p}{q}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}},$$
which is valid for distinct odd primes p and q.
There are many different proofs of the Quadratic Reciprocity Theorem. We will
be more concerned with using the result.
Example 20.2. To determine whether 251 is a quadratic residue modulo 641, we
first note that both numbers are prime and that $641 \equiv 1 \pmod 4$. By Theorem 20.1
we thus have
$$\left(\frac{251}{641}\right) = \left(\frac{641}{251}\right) = \left(\frac{139}{251}\right).$$
We used here that $641 \equiv 139 \pmod{251}$. As 139 is prime and $251 \equiv 139 \equiv 3 \pmod 4$,
quadratic reciprocity implies
$$\left(\frac{139}{251}\right) = -\left(\frac{251}{139}\right) = -\left(\frac{112}{139}\right) = -\left(\frac{16}{139}\right)\left(\frac{7}{139}\right) = -\left(\frac{7}{139}\right).$$
Using the Quadratic Reciprocity Theorem again (7 and 139 are both congruent to
3 mod 4, and $139 \equiv -1 \pmod 7$) we obtain
$$\left(\frac{7}{139}\right) = -\left(\frac{139}{7}\right) = -\left(\frac{-1}{7}\right) = -(-1)^3 = 1.$$
Thus $\left(\frac{251}{641}\right) = -1$. Hence 251 is a quadratic nonresidue modulo 641.
In such calculations, the hardest task is often factorising the numbers involved.
If the numbers are very large, this might not be possible. Therefore, it is useful to
generalise the Legendre symbol to composite numbers in the following way. If a is
an integer and b a positive odd integer with prime factorisation $b = p_1 p_2 \cdots p_n$
(repeated prime factors listed with multiplicity), the Jacobi Symbol $\left(\frac{a}{b}\right)$ is
defined as the product of the Legendre symbols of the prime factors of b:
$$\left(\frac{a}{b}\right) = \left(\frac{a}{p_1}\right)\left(\frac{a}{p_2}\right)\cdots\left(\frac{a}{p_n}\right).$$
The results about the Legendre symbol translate easily into the following results for
the Jacobi symbol, valid for arbitrary positive odd integers a and b.
$$\left(\frac{-1}{b}\right) = \begin{cases} 1 & \text{if } b \equiv 1 \pmod 4 \\ -1 & \text{if } b \equiv 3 \pmod 4 \end{cases}$$
$$\left(\frac{2}{b}\right) = \begin{cases} 1 & \text{if } b \equiv 1 \text{ or } 7 \pmod 8 \\ -1 & \text{if } b \equiv 3 \text{ or } 5 \pmod 8 \end{cases}$$
$$\left(\frac{a}{b}\right) = \begin{cases} \left(\frac{b}{a}\right) & \text{if } a \text{ or } b \equiv 1 \pmod 4 \\ -\left(\frac{b}{a}\right) & \text{if } a \equiv b \equiv 3 \pmod 4 \end{cases}$$
Since each Legendre factor is multiplicative in its top argument and depends on
a mod $p_i$ only, the Jacobi symbol is multiplicative in a as well, and $\left(\frac{a}{b}\right)$
depends only on a mod b.
Note that in this formula you can only flip $\left(\frac{a}{b}\right)$ if a is odd and positive. Thus if
a is even you must use the multiplicative property of the Jacobi symbol to remove
powers of 2 before flipping. The advantage of using the Jacobi symbol is that there
is no need to factorise the integers involved. The numbers are getting smaller during
the calculation because after an application of reciprocity we get a larger number on
top of a smaller one and we can always reduce a modulo b when we calculate $\left(\frac{a}{b}\right)$.
What we have said so far suggests that the Legendre symbol and the Jacobi
symbol have very similar properties. There are, however, important differences
between them. One of them is related to quadratic residues. The Legendre symbol
$\left(\frac{a}{p}\right)$, where p is an odd prime, gives us an answer to the question if the congruence
$x^2 \equiv a \pmod p$ has a solution. This is not true for the Jacobi symbol as we can see
in the following example.
Example 20.3. The squares of 0, 1, . . . , 17 modulo 35 are
0, 1, 4, 9, 16, 25, 1, 14, 29, 11, 30, 16, 4, 29, 21, 15, 11, 9
(the squares of 18, . . . , 34 repeat these, since $(35 - x)^2 \equiv x^2 \pmod{35}$).
For example 12 is not among them, hence $x^2 \equiv 12 \pmod{35}$ has no solution. On the
other hand
$$\left(\frac{12}{35}\right) = \left(\frac{12}{5}\right)\left(\frac{12}{7}\right) = \left(\frac{2}{5}\right)\left(\frac{5}{7}\right) = \left(\frac{2}{5}\right)\left(\frac{7}{5}\right) = \left(\frac{2}{5}\right)\left(\frac{2}{5}\right) = 1.$$
This example indicates that we need to be careful with the interpretation of
our calculations. It can be shown, however, that $\left(\frac{a}{b}\right) = -1$ still implies that the
congruence $x^2 \equiv a \pmod b$ does not have a solution: if the product of the Legendre
symbols is −1, at least one factor $\left(\frac{a}{p_i}\right)$ is −1, so there is no solution modulo $p_i$,
let alone modulo b.
Another important difference between the Legendre symbol and the Jacobi symbol is
that Theorem 19.3 does not hold in general for the Jacobi symbol, as we can
see in the following example.
Example 20.4. We have seen in the previous example that $\left(\frac{12}{35}\right) = 1$. Let us
now calculate $12^{17} \bmod 35$ in order to verify that $a^{\frac{b-1}{2}}$ and $\left(\frac{a}{b}\right)$ do not need to be
congruent modulo b in general. We intend to use the Chinese Remainder Theorem,
so we start calculating $12^{17}$ modulo 5 and 7. We use Fermat's Little Theorem in our
calculation:
$$12^{17} \equiv 2^{17} \equiv 2 \pmod 5, \qquad 12^{17} \equiv (-2)^{17} \equiv (-2)^5 \equiv -32 \equiv 3 \pmod 7.$$
To finish with the Chinese Remainder Theorem, we have to solve $5k + 2 \equiv 3 \pmod 7$.
The solution is k = 3, and indeed $17 \equiv 2 \pmod 5$ and $17 \equiv 3 \pmod 7$, hence
$12^{17} \equiv 17 \pmod{35}$, which is congruent to neither 1 nor −1 modulo 35.
This observation is the basis of the Solovay-Strassen Primality Test:
Let n be an odd number and let a be an integer such that gcd(a, n) = 1.
We say n passes the Solovay-Strassen test to base a if
$$a^{\frac{n-1}{2}} \equiv \left(\frac{a}{n}\right) \pmod n.$$
A number a for which this condition is violated is called an Euler witness (for the
compositeness of n). Theorem 19.3, which is attributed to Euler, means that the
existence of an Euler witness implies that the number n is composite.
Example 20.5. We have seen above that 12 is an Euler witness for n = 35. Here
is an example with the Carmichael number 561. With a = 5 our calculations are:
$$\left(\frac{5}{561}\right) = \left(\frac{561}{5}\right) = \left(\frac{1}{5}\right) = 1 \quad\text{and}\quad 5^{280} \equiv 5^{256} \cdot 5^{16} \cdot 5^{8} \equiv 511 \cdot 511 \cdot 169 \equiv 256 \cdot 169 \equiv 67 \pmod{561}.$$
This shows that 5 is an Euler witness for n = 561. A closer look at this example
reveals that if $5^{280} \equiv 67 \pmod{561}$ was obtained first, there would be no need to
actually calculate the Jacobi symbol, because the Jacobi symbol can never be equal
to 67. A more interesting situation occurs with a = 13, where we get
$$13^{280} \equiv 13^{256} \cdot 13^{16} \cdot 13^{8} \equiv 460 \cdot 460 \cdot 256 \equiv 1 \pmod{561} \quad\text{and}\quad \left(\frac{13}{561}\right) = \left(\frac{561}{13}\right) = \left(\frac{2}{13}\right) = -1,$$
so here the power is a legitimate value of the Jacobi symbol but the wrong one.
It can be shown that for each odd composite number n at least 50% of the
numbers from 1 to n − 1 that are coprime to n are Euler witnesses. This means that if
we randomly choose a between 1 and n − 1, a composite number passes the Solovay-Strassen
test with probability at most 0.5. This is only half as good as what we
have seen in the Rabin-Miller test, but this still is a strong test. For example, if we
carry out this test for 100 randomly chosen a and none of them is an Euler witness,
then a composite n would have survived all 100 rounds, an event of probability at
most $0.5^{100}$, which is approximately $7.89 \times 10^{-31}$.
Finally, it can be shown that a number n that passes the Rabin-Miller test to
base a would also pass the Solovay-Strassen test to base a. Therefore, in practice
the Rabin-Miller test is preferred over the Solovay-Strassen test.
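The following Python program is an added example and is not code from the lecture notes. Its jacobi() computes the Jacobi symbol using only the three rules stated above (the (−1/b) rule, the (2/b) rule and the flip rule) together with reduction of a modulo b, so it never factorises anything; it reproduces Examples 19.2, 20.2, 20.3 and 20.5. On top of it sit the Solovay-Strassen test, a search for Euler witnesses (confirming the "at least 50%" claim for 35 and 561), a Rabin-Miller test used to check base by base that passing Rabin-Miller implies passing Solovay-Strassen, and the randomised version of the test. The function names and the extra composites 1105, 1729 and 2047 used in the checks are this example's own choices.

```python
"""Jacobi symbol by reciprocity and the Solovay-Strassen test. Added example;
this is not code from the lecture notes. The extra composites 1105, 1729 and
2047 appearing in the checks are this example's own choices."""
import math
import random


def jacobi(a, b):
    """Jacobi symbol (a/b) for a positive odd b; returns 1, -1 or 0."""
    if b <= 0 or b % 2 == 0:
        raise ValueError("b must be a positive odd integer")
    a %= b                      # (a/b) depends on a mod b only
    result = 1
    while a != 0:
        # Strip factors of 2 from the top with (2/b) = (-1)^((b^2-1)/8):
        # the sign changes exactly when b is 3 or 5 mod 8.
        while a % 2 == 0:
            a //= 2
            if b % 8 in (3, 5):
                result = -result
        # Both a and b are now odd, so flip; by reciprocity the sign changes
        # only when a and b are both 3 mod 4.
        a, b = b, a
        if a % 4 == 3 and b % 4 == 3:
            result = -result
        a %= b                  # reduce the new top modulo the new bottom
    # The loop ends with a == 0: (0/1) = 1, but (0/b) = 0 for b > 1, which
    # happens exactly when the original a and b had a common factor.
    return result if b == 1 else 0


def euler_power(a, n):
    """a^((n-1)/2) mod n, with n-1 reported as -1 so it can be compared to (a/n)."""
    r = pow(a, (n - 1) // 2, n)
    return -1 if r == n - 1 else r


def passes_solovay_strassen(n, a):
    """True if the odd number n passes the Solovay-Strassen test to base a.
    Assumption made here: a base sharing a factor with n counts as failing,
    since such a base already proves n composite."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    if math.gcd(a, n) != 1:
        return False
    return euler_power(a, n) == jacobi(a, n)


def euler_witnesses(n):
    """All Euler witnesses for n among the bases 1..n-1 coprime to n."""
    return [a for a in range(1, n)
            if math.gcd(a, n) == 1 and not passes_solovay_strassen(n, a)]


def witness_fraction(n):
    """Fraction of the coprime bases that are Euler witnesses; at least 1/2 when
    n is composite, which is what makes the randomised test work."""
    coprime = sum(1 for a in range(1, n) if math.gcd(a, n) == 1)
    return len(euler_witnesses(n)) / coprime


def passes_miller_rabin(n, a):
    """True if odd n passes the Rabin-Miller (strong pseudoprime) test to base a."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def rabin_miller_implies_solovay_strassen(n):
    """Base by base: every base that lets n pass Rabin-Miller also lets it pass
    Solovay-Strassen (the closing remark of the notes), checked exhaustively."""
    return all(passes_solovay_strassen(n, a) for a in range(2, n - 1)
               if math.gcd(a, n) == 1 and passes_miller_rabin(n, a))


def is_probable_prime(n, rounds=50, rng=random):
    """Randomised Solovay-Strassen: a prime always passes; a composite survives
    each round with probability at most 1/2, hence all rounds with probability
    at most 2**-rounds."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    return all(passes_solovay_strassen(n, rng.randrange(2, n - 1))
               for _ in range(rounds))


if __name__ == "__main__":
    print(jacobi(12, 35), euler_power(12, 35))    # 1 17: 12 is an Euler witness for 35
    print(jacobi(5, 561), euler_power(5, 561))    # 1 67
    print(jacobi(13, 561), euler_power(13, 561))  # -1 1
    print(jacobi(251, 641), jacobi(2000, 2111))   # -1 1, as in Examples 20.2 and 19.2
    print(witness_fraction(561))
```

Two details worth noting in jacobi(): the factors of 2 are removed before every flip, exactly as the text requires, and the final check on b distinguishes (0/1) = 1 from (0/b) = 0, so the function also reports a common factor between a and b instead of returning a bogus ±1. In passes_solovay_strassen() the comparison is between the symbol and a^((n−1)/2) reduced to {0, 1, −1, other}, which is why 5^280 ≡ 67 (mod 561) is rejected without any reference to the symbol's actual value.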