Elementary Number Theory andlts Applications

KennethH. Rosen AT&T Informotion SystemsLaboratories (formerly part of Bell Laborotories)

A YY ADDISON-WESLEY PUBLISHING COMPANY Read ing, Massachusetts Menlo Park, California London Amsterdam Don Mills, Ontario Sydney Cover: The iteration of the transformation

n/2 if n T(n) : \ is even l Qn + l)/2 if n is odd

is depicted.The Collatz conjectureasserts that with any starting point, the iteration of ?"eventuallyreaches the integer one. (SeeProblem 33 of Section l.2of the text.)

Library of Congress Cataloging in Publication Data Rosen, Kenneth H. Elementary number theory and its applications. Bibliography: p. Includes index. l. Numbers, Theory of. I. Title. QA24l.R67 1984 512',.72 83-l1804 rsBN 0-201-06561-4

Reprinted with corrections, June | 986

Copyright O 1984 by Bell Telephone Laboratories and Kenneth H. Rosen. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,photocopying, recording, or otherwise,without prior written permission of the publisher. printed in the United States of America. Published simultaneously in Canada. DEFGHIJ_MA_8987 Preface

Number theory has long been a favorite subject for studentsand teachersof mathematics. It is a classical subject and has a reputation for being the "purest" part of mathematics, yet recent developments in cryptology and computer science are based on elementary number theory. This book is the first text to integrate these important applications of elementary number theory with the traditional topics covered in an introductory number theory course.

This book is suitable as a text in an undergraduatenumber theory courseat any level. There are no formal prerequisitesneeded for most of the material covered, so that even a bright high-school student could use this book. Also, this book is designedto be a useful supplementarybook for computer science courses,and as a number theory primer for computer scientistsinterested in learning about the new developmentsin cryptography. Some of the important topics that will interest both mathematics and computer sciencestudents are recursion,algorithms and their computationai complexity, computer arithmetic with large integers, binary and hexadecimal representations of integers, primality testing, pseudoprimality,pseudo-random numbers, hashing functions, and cryptology, including the recently-invented area of public-key cryptography. Throughout the book various algorithms and their computational complexitiesare discussed.A wide variety of primality tests are developedin the text.

Use of the Book

The core material for a course in number theory is presentedin Chapters 1, 2, and 5, and in Sections3.1-3.3 and 6.1. Section 3.4 contains some linear algebra; this section is necessary background for Section 7.2; these two sections can be omitted if desired. Sections 4.1, 4.2, and 4.3 present traditional applications of number theory and Section 4.4 presents an application to computer science; the instructor can decide which of these sectionsto cover. Sections 6.2 and 6.3 discussarithmetic functions. Mersenne primes, and perfect numbers; some of this material is used in Chapter 8. Chapter 7 covers the applications of number theory to cryptology. Sections 7.1, 7.3, and 7.4, which contain discussionsof classical and public-key vt Preface

cryptography,should be includedin all courses.Chapter 8 dealswith primitive roots; Sections 8.1-8.4 should be covered if possible. Most instructors will want to include Section 8.7 which deals with pseudo-randomnumbers. Sections 9.1 and 9.2 are about quadratic residues and reciprocity, a fundamental topic which should be covered if possible;Sections 9.3 and 9.4 deal with Jacobi symbols and Euler pseudoprimesand should interest most readers. Section 10.1, which coversrational numbers and decimal fractions. and Sections I 1.1 and I 1.2 which discussPythagorean triples and Fermat's last theorem are coveredin most number theory courses. Sections 10.2-10.4 and I 1.3 involve continued fractions; thesesections are optional.

The Contents

The reader can determine which chapters to study based on the following descriptionof their contents.

Chapter I introduces two importants tools in establishingresults about the integers, the well-ordering property and the principle of mathematical induction. Recursivedefinitions and the binomial theorem are also developed. The concept of divisibility of integers is introduced. Representations of integers to different bases are described, as are algorithms for arithmetic operations with integers and their computational complexity (using big-O notation). Finally, prime numbers, their distribution, and conjectures about primes are discussed.

Chapter 2 introduces the greatest common divisor of a set of integers. The Euclidean algorithm, used to find greatest common divisors, and its computational complexity, are discussed,as are algorithms to express the greatest common divisor as a linear combination of the integers involved. The Fibonacci numbers are introduced. Prime-factorizations, the fundamental theorem of arithmetic, and factorization techniques are covered. Finally, linear diophantine equationsare discussed.

Chapter 3 introduces congruences and develops their fundamental properties. Linear congruencesin one unknown are discussed,as are systems of linear congruences in one or more unknown. The Chinese remainder theorem is developed,and its application to computer arithmetic with large integers is described. Chapter 4 developsapplications of.congruences. In particular, divisibility tests, the perpetual calendar which provides the day of the week of any date, round-robin tournaments,and computer hashing functions for data storage are discussed. Preface vtl

Chapter 5 developsFermat's little theorem and Euler's theorem which give some important congruencesinvolving powers of integers. Also, Wilson's theorem which gives a congruencefor factorials is discussed.Primality and probabilistic primality tests based on these results are developed. Pseudoprimes, strong pseudoprimes, and Carmichael numbers which masquaradeas primesare introduced. Chapter 6 is concernedwith multiplicative functions and their properties. Special emphasisis devotedto the Euler phi-function,the sum of the divisors function, and the number of divisors function and explicit formulae are developed for these functions. Mersenne primes and perfect numbers are discussed.

Chapter 7 gives a thorough discussionof applicationsof number theory to cryptology, starting with classical cryptology. Character ciphers based on modular arithmetic are described,as is cryptanalysisof theseciphers. Block ciphers based on modular arithmetic are also discussed. Exponentiation ciphers and their applications are described, including an application to electronic poker. The concept of a public-key cipher system is introduced and the RSA cipher is describedin detail. Knapsackciphers are discussed,as are applicationsof cryptographyto computerscience.

Chapter 8 includesdiscussions of the order of an integer and of primitive roots. Indices, which are similar to logarithms, are introduced. Primality testing basedon primitive roots is described. The minimal universalexponent is studied. Pseudo-random numbers and means for generating them are discussed.An applicationto the splicingof telephonecables is also given. Chapter 9 covers quadratic residues and the famous law of quadratic reciprocity. The Legendreand Jacobi symbolsare introducedand algorithms for evaluating them are developed. Euler pseudoprimesand a probabilistic primality test are covered. An algorithm for electronically flipping coins is developed.

Chapter l0 coversrational and irrational numbers,decimal representations of real numbers,and finite simplecontinued fractions of rational and irrational numbers. Special attention is paid to the continued fractions of the square roots of po"itive integers.

Chapter 1l treats some nonlinear diophantine equations. Pythagorean triples are described. Fermat's last theorem is discussed. Finallv. Pell's equation is covered. vill Preface

Problem Sets

After each sectionof the text there is a problem set containingexercises of various levelsof difficulty. Each set containsproblems of a numerical nature; these should be done to developcomputational skills. The more theoretical and challenging problems should be done by studentsafter they have mastered the computationalskills. There are many more problemsin the text than can be realistically done in a course. Answers are provided at the end of the book for selectedexercises, mostly those having numerical answers.

Computer Projects

After each section of the text there is a selectionof computer projects that involve concepts or algorithms discussedin that section. Students can write their programs in any computer language they choose, using a home or personalcomputer, or a minicomputer or mainframe. I encouragestudents to use a structuredprogramming languagesuch as C, PASCAL, or PL/ 1, to do these projects. The projects can serve as good ways to motivate a student to learn a new computer language, and can give those students with strong computer science backgrounds interesting projects to tie together computer scienceand mathematics.

Unsolved Problems

In the text and in the problem setsunsolved questions in number theory are mentioned. Most of these problems have eluded solution for centuries. The reader is welcome to work on these questions,but should be forewarned that attempts to settle such problems are often time-consuming and futile. Often people think they have solved such problems,only to discoversome subtle flaw in their reasoning.

Bibliography

At the end of the text there is an extensivebibliography, split into a section for books and one for articles. Further, each section of the bibliography is subdivided by subject area. In the book section there are lists of number theory texts and references,books which attempt to tie together computer scienceand number theory, books on some of the aspectsof computer science dealt with in the text, such as computer arithmetic and computer algorithms, books on cryptography, and general references.In the articles section of the bibliography, there are lists of pertinent expository and research papers in number theory and in cryptography. These articles should be of interest to the reader who would like to read the original sourcesof the material and who wants more details about some of the topics coveredin the book. Preface tx

Appendix

A set of five tables is included in the appendixto help studentswith their computations and experimentation. Students may want to compile tables different than those found in the text and in the appendix; compiling such tables would provide additional computer projects.

List of Symbols

A list of the svmbols used in the text and where they are defined is included.

Acknowledgments

I would like to thank Bell Laboratoriesand AT&T Information Systems Laboratories for their support for this project, and for the opportunity to use the UNIX system for text preparation. I would like to thank George Piranian for helping me develop a lasting interest in mathematics and number theory. Also I would like to thank Harold Stark for his encouragementand help, starting with his role as my thesisadvisor. The studentsin my number theory courses at the University of Maine have helped with this project, especially Jason Goodfriend, John Blanchard, and John Chester. I am grateful to the various mathematicians who have read and reviewed the book, including Ron Evans, Bob Gold, Jeff Lagarias and Tom Shemanske. I thank Andrew Odlyzko for his suggestions,Adrian Kester for his assistancein using the UNIX system for computations, Jim Ackermann for his valuable comments, and Marlene Rosen for her editing help. I am particularly grateful to the staff of the Bell Laboratories/American Bell/AT&T Information ServicesWord ProcessingCenter for their excellent work and patience with this project. Special thanks go to Marge Paradis for her help in coordinating the project, and to Diane Stevens, Margaret Reynolds, Dot Swartz, and Bridgette Smith. Also, I wish to express my thanks to Caroline Kennedy and Robin Parson who typed preliminary versions of this book at the University of Maine. Finally, I would like to thank the staff of Addison-Wesleyfor their help. I offer special thanks to my editor, Wayne Yuhasz, for his encouragement,aid, and enthusiasm.

Lincroft, New Jersey Kenneth H. Rosen December.1983 Contents

Chapterl. The Integers

l.l The well-ordering 4 1.2 Divisibility l8 1.3 Representationsof int;;;;;....-'.....-'-.'...... 24 t.4 Computer operationswith integers...... 33 1.5 Prime numbers... 45

Chapter2. Greatest Common Divisors and Prime Factorization

2.1 Greatest common divisors 53 2.2 The Euclideanalgorithm ...... 58 2.3 The fundamentaltheorem of arithmetic ...... 69 2,4 Factorization of integersand the Fermat numbers 79 2.5 Linear diophantineequations ...... 87

Chapter3. Congruences

3.1 Introduction to congruences 9l 3.2 Linear congruences...... 102 3.3 The Chinese remainder theorem 107 3.4 Systemsof linear congruences...... I 16

Chapter4. Applications of Congruences

4.1 Divisibilitytests...... 129 4.2 The perpetualcalendar...... 134 4.3 Round-robintournaments...... 139 4.4 Computer file storageand hashingfunctions...... l4l Contents xl

Chapter 5. Some Special Congruences

5.1 Wilson's theorem and Fermat's little theorem 147 5.2 Pseudoprimes...... 152 5.3 Euler'stheorem 16l

Chapter6. MultiplicativeFunctions

6.1 Euler'sphi-function ...... 166 6.2 The sum and numberof divisors...... 174 6.3 Perfect numbersand Mersenneprimes 180

Chapter 7. Cryptology

7.l Characterciphers 188 7.2 Block ciphers 198 7.3 Exponentiationciphers...... 205 7.4 Public-keycryptography ...... 212 7.5 Knapsack ciphers 219 7.6 Some applicationsto computer science 227

Chapter 8. Primitive Roots

8.1 The order of an integer and primitive roots 232 8.2 Primitive roots for primes 238 8.3 Existenceof primitive roots 243 8.4 Index arithmetic 252 8.5 Primality testing using primitive roots...... 263 8.6 Universal exponents. 268 8.7 Pseudo-randomnumbers...... 275 8.8 The splicingof telephonecables .. 280

Chapter 9. Quadratic Residuesand Reciprocity

9.I Quadratic residues 288 9.2 Quadratic reciprocity .. 304 9.3 The Jacobisymbol 314 9.4 Euler pseudoprimes...... 325 xtl Contents

Chapter 10. Decimal Fractions and Continued Fractions

10.1 Decimal fractions... 336 10.2 Finite continuedfractions 350 10.3 Infinite continued fractions 361 10.4 Periodic continued fractions 315

Chapter I l. Some Nonlinear Diophantine Equations

l.l Pythagoreantriples.... 391 t.2 Fermat'slast theorem ...... 397 1.3 Pell'sequations 401

Appendix.. 410 Answers to selected problems 426 Bibliography...... 438 List of symbols.... 445 Index 447 lntroduction

Number theory, in a general sense,is the study of numbers and their properties.In this book,we primarilydeal with the integers,0,+1, +2,.... We will not axiomatically define the integers,or rigorously develop integer arithmetic.l Instead,we discussthe interestingproperties of and relationships between integers. In addition, we study the applicationsof number theory, particularly thosedirected towards computer science. As far back as 5000 years ago, ancient civilizations had developedways of expressingand doing arithmetic with integers. Throughout history, different methods have been used to denote integers. For instance, the ancient Babyloniansused 60 as the base for their number system and the Mayans used 20. Our method of expressing integers, the decimal system,was first developed in India approximately six centuries ago. With the advent of modern computers, the binary system came into widespreaduse. Number theory has been used in many ways to devisealgorithms for efficient computer arithmetic and for computer operationswith large integers. The ancient Greeks in the school of Pythagoras, 2500 years ago, made the distinction betweenprimes and composites. A prime is a positive integer with no positive factors other than one and the integer itself. In his writings, Euclid, an ancient Greek mathematician, included a proof that there are infinitely many primes. Mathematicians have long sought formulae that generateprimes. For instance,Pierre de Fermat, the great French number theorist of the seventeenthcentury, thought that all integers of the form 22' + 1 are prime; that this is false was shown, a century after Fermat made this claim, by the renowned Swiss mathematician Leonard Euler, who demonstratedthat 641 is a factor of 22'+ | . The problem of distinguishing primes from compositeshas been extensively studied. The ancientGreek scholarEratosthenes devised a method,now called

l. Such an axiomatic developmentof the integersand their arithmetic can be found in Landau t6ll. Introduction

the sieve of Eratosthenes, that finds all primes less than a specifiedlimit. It is inefficient to use this sieve to determine whether a particular integer is prime. The problem of efficiently determining whether an integer is prirne has long challengedmathematicians.

Ancient Chinese mathematiciansthought that the primes were precisely those positive integers n such that n divides 2' - 2. Fermat showed that if n is prime, then n does divide 2n - 2. However, by the early nineteenth century, it was known that there are compositeintegers n such that n divides - 2n 2, such as n : 341 . These compositeintegers are called pseudoprimes Becausemost compositeintegers are not pseudoprimes,it is possibleto develop primality tests based on the original Chinese idea, together with extra observations. It is now possibleto efficiently find primes; in fact, primes with as many as 200 decimal digits can be found in minutes of computer time.

The fundamental theorem of arithmetic, known to the ancient Greeks, says that every positive integer can be written uniquely as the product of primes. This factorization can be found by trial division of the integer by primes less than its square-root; unfortunately, this method is very time- consuming. Fermat, Euler, and many other mathematicians have produced imaginative factorization techniques. However, using the most efficient technique yet devised,billions of years of computer time may be required to factor an integer with 200 decimal digits.

The German mathematician Carl Friedrich Gauss, consideredto be one of the greatest mathematicians of all time, developed the language of congruences in the early nineteenth century. When doing certain computations,integers may be replaced by their remainderswhen divided by a specific integer, using the language of congruences. Many questions can be phrased using the notion of a congruencethat can only be awkwardly stated without this terminology. Congruenceshave diverse applications to computer science,including applications to computer file storage, arithmetic with large integers,and the generationof pseudo-randomnumbers.

One of the most important applications of number theory to computer science is in the area of cryptography. Congruencescan be used to develop various types of ciphers. Recently, a new type of cipher system, called a public-key cipher system, has been devised. when a public-key cipher is used, each individual has a public enciphering key and a private deciphering key. Messagesare encipheredusing the public key of the receiver. Moreover, only the receiver can decipher the message,since an overwhelming amount of computer time is required to decipher when just the enciphering key is known. The most widely used public-key cipher system relies on the disparity in computer time required to find large primes and to factor large integers. In lntrocluction

particular, to produce an encipheringkey requiresthat two large primes be found and then multiplied; this can be done in minuteson a computer. When these large primes are known, the decipheringkey can be quickly found. To find the deciphering key from the enciphering key requires that a large integer, namely the product of the large primes, be factored. This may take billions of years. In the following chapters,we discussthese and other topics of elementary number theory and its applications. 1 The Integers

1.1 The Well-OrderingProperty In this section,we discussseveral important tools that are useful for proving theorems. We begin by stating an important axiom, the well-ordering property.

The Well-Ordering Property. Every nonempty set of positive integers has a least element.

The principle of mathematical induction is a valuable tool for proving results about the integers. We now state this principle, and show how to prove it using the well-ordering property. Afterwards, we give an example to demonstratethe use of the principle of mathematical induction. In our study of number theory, we will use both the well-ordering property and the principle of mathematical induction many times.

The Principle of Mathematical Induction. A set of positive integers that contains the integer I and the integer n I I whenever it contains n must be the set of all positive integers.

Proof. Let S be a set of positive integers containing the integer I and the integer n * | whenever it contains n. Assume that S is not the set of all positive integers. Therefore, there are some positive integers not contained in .S. By the well-ordering property, since the set of positive integers not contained in S is nonempty, there is a least positive integer n which is not in .S. Note thatn 11, sincel isinS. Nowsincen ) l,theintegern - 1is l.l The Well-Ordering ProPertY

a positive integer smaller than n, and hence must be in S. But since S containsn - l, it must also contain (n-t) + | : n, which is a contradiction, since n is supposedlythe smallest positive integer not in S. This showsthat S must be the set of all positive integers. tr To prove theorems using the principle of mathematical induction, we must show two things. We must show that the statement we are trying to prove is true for l, the smallest positive integer. In addition, we must show that it is true for the positive integer n * I if it is true for the positive integer n. By the principle of mathematical induction, one concludesthat the set S of all positive integers for which the statement is true must be the set of all positive integers. To illustrate this procedure, we will use the principle of mathematical induction to establish a formula for the sum of the terms of a geometric progression.

Definition. Given real numbers 4 and r. the real numbers a, ar, er2,ot3r... are said to form a geometric progression. Also, a is called the initial term and r is called the common ratio.

Example. The numbers 5, -15,45, -135,... form a geometricprogression with initial term 5 and common ratio -3. In our discussionof sums, we will find summation notation useful. The following notation representsthe sum of the real numberse1, o2,...,on.

2oo:er*az* lan k-l

We note that the letter k, the index of summation, is a "dummy variable" and can be replaced by any letter, so that nn 5,ak: 2 oi k-l j-t i-l

Example. We seethat The Integers

) 2j:I+2+3+4+5:15, j-r ) 2t2:2+2+2+2+2:10, j-r and ) 2 2i : 2 * 22+ 23+ 24+ 2s : 62 . j-1

We also note that in summation notation, the index of summation may range betweenany two integers,as long as the lower limit does not exceedthe upper limit. If m and h are integerssuch that z ( n, then

b oo:am*a^a1* *an. k-m

For instance.we have 5 > k2: 33+ 42+ 52: 50, k;t > 3k:30 + 3t + 32: 13, fr:0 and I

k--2

We now turn our attention to sums of terms of geometricprogressions. The sum of the termse) er, or2,...,arn is

n 2ori:e*ar*ar2+ *arn, j-0 where the summationbegins with 7 : g. We have the following theorem.

Theorem l.l. If a and r ^re real numbersand r * l. then 1.1 The Well-OrderingProperty

n),,narn*l-Q : : (1.1) E ori a * ar *iar-t ar2 + *rar'':T arn T . j:o

Proof. To prove that the formula for the sum of terms of a geometric progressionis valid, we must first show that it holds for n : l. Then, we must show that if the formula is valid for the positive integer n, it must also be true for the positive integer n * l. To start things off, let n: l. Then, the left side of (t.t) is a * ar, while on the right sideof (1.1) we have arL-a a?z-t) ab*l)(r-1) _ _ a(r*l) : a * ar r-l r-l T:

So the formula is valid when n : l.

Now we assumethat (1.1) holds for the positive integer n. That is, we assumethat

0.2) alar+arz+ 'tar'-arn*l-Q I

We must show that the formula also holds for the positive integer n * l. What we must show is that

or@+t)+t_o ar'+2-e (t.:) a*ar+ar2+ * arn * arn*l : r-l r-l

To show that (1.3) is valid, we add orn*r to both sidesof (1.2), to obtain arn+t:o (t.+) (a*ar*ar2+...+arn) * ar'+r- + arr+t, r-l

The left side of (t.+) is identicalto that of (1.3). To show that the right sides are equal, we note that -e (r- arn*l-a 1 ^-nrr _ arn+l , or'*l I ) TAr T- r- I r-l r-1 orn*l-a*ar'+Z arn*l

: r-l

Sincewe haveshown that 0.2) implies (t.:), we can concludethat (t.t) The Integers

holds for all positive integersn. tr

Example. Let n be a positive integer. To find the sum

bro:r*2+22+ *2', k:0 we use Theorem l.l with e : I and r : 2, to obtain

1n*l _ I l+2+22+ . J- 1n : rn*l_r 2-l

Hence, the sum of consecutivenonnegative powers of 2 is one less than the next largest power of 2. A slight variant of the principle of mathematical induction is also sometimes useful in proofs.

The Second Principle of Mathematical Induction. A set of positive integers which contains the integer 1, and which has the property that if it contains all the positiveintegers 1,2,..., k , then it also containsthe integerk + l, must be the set of all positive integers.

Proof. Let T be a set of integers containing I and containing k + I if it contains1,2,..., k. Let S be the set of all positiveintegers n such that all the positive integers less than or equal to n are in Z. Then I is in S, and by the hypotheses,we see that if k is in S, then k + | is in S. Hence, by the principle of mathematical induction, S must be the set of all positive integers, so clearly T is also the set of all positive integers. tr

The principle of mathematical induction provides a method for defining the values of functions at positive integers.

Definition. We say the function f is defined recursively if the value of f at I is specifiedand if a rule is providedfor determiningf h*l) from f h) . If a function is defined recursively, one can use the principle of mathematical induction to show it is defined uniquely at each positive integer. (See problem 12 at the end of this section.)

We now give an example of a function defined recursively. We define the factorial function f fu) : nt . First, we specify that 1.1 The Well-Ordering ProPertY

f(r): I , and thenwe givethe rule for finding f h*1) fromf fu), namely f h+r) : (n+r)'ffu) .

These two statementsuniquely define r!. : To find the value of f G) : 6! from the recursive definition of f h) nl, use the secondproperty successively,as follows f 6) :6.f (5): 6.5.f(4) : 6.s.4'f(3) : 6's'4'3'f(2) :6's'4'3'2f 0).

We now use the first statement of the definition to replacef 0) by its stated value l. to concludethat 6l: 6'5'4'3'2'l:720 .

In general, by successivelyusing the recursive definition, we see that n! is the product of the first n positive integers,i.e. n! : l'2'3 n

For convenience,and future use, we specify that 0! : l. We take this opportunity to define a notation for products, analogous to summation notation. The product of the real numbersa1, a2,...,a,is denoted by

ft o, : ere2 an j-r

The letter 7 above is a "dummy variable", and can be replacedarbitrarily.

Example. To illustrate the notation for products we have ) fI j:l'2'3'4'5:120. j-r 5 II 2: 2.2.2.2.2:25 : 32. j-r 5 fI Zi : 2.22.23.24.2s: 2r5 j-r l0 The Integers

We note that with this notation, n ! : fI . j-r ,r Factorials are used to define binomial cofficients.

Definition. Let m and k be nonnegativeintegers with k 4 m. The r) binomialcofficien, lT I isoenneo uy (^ / r) l*| mt trt:- lk J kt(m_k)t l^) In computing we seethat there is a good deal of cancellation,because lO,J, ...... l^):-- m; t.2.3 @-k)@-k+t) tu-t)m lk ) kt@_k)l k! t.2.3 fu-k) (m-k+r) (m-r)m kt fzl Example.To evaluatethe binomialcoefficien, we notethat L, ,J, r\ 17| : 7t : 1.2.3.4.s.6.7s.6.7 f3J 3t4t r23.r234:E:i)'

We now prove some simple propertiesof binomial coefficients.

Proposition 1.2. Let n and k be nonnegativeintegers with k ( n . Then

(i) [;]:[;]:, r) r ) (ii) lll:l'.1- fkj l,-t,)'

Proof. To see that (i) is true, note that 1.1 The Well-OrderingProperty 11

:# :n'':l [;] nt and

_n,._ \:t t;]n !0! To verify (ii), we seethat frl n; nt lr l- l,l: :-:l ,l tr |.kJ kth-k)t tu-k)r(n-h-k))t ln-* )'

An important property of binomial coefficientsis the following identity.

Theorem 1.2. Let n and k be positive integerswith n > k. Then |',]*, I n I _ |,,*'l loj [o-,J:I r )

Proof. We perform the addition [;]. lr:, by using the commondenominator ftl(n-k+t)!. This gives

nth-k tl) ntk t.+ - Uc lr\, ktfn-k+l\ ktJtt-t(+il nl((n-k +r) +k) kth-k +t)t ntfu*l) klfu-k+r)t (n+l)! kth-k +r)t [n+rI lln u f k ) t2 The Integers

Using Theorem 1.2, we can easily construct Pascal's triangle, which displavsthe binomial coefficients. In this triangle, the binomial coefficient |,,] rsthe (k+t)ttr number in the (n+l)th row. The first nine rows |.r,l of Pascal'striangleare displayedin Figure l.l. I ll r2l l33l r4641 15101051 1615201561 172135352171 18285670562881

'Plr"urt

Figure1.1. triangle.

We seethat the exteriornumbers in the triangleare all l. To find an interiornumber, we simplyadd the two numbersin the positionsabove, and to either side,of the positionbeing filled. From Theorem1.2, this yieldsthe correctinteger. Binomial coefficientsoccur in the expansionsof powersof sums. Exactly how they occuris describedby the binomial theorem.

The BinomialTheorem. Let x and y be variablesand n a positiveinteger. Then

(x*y)n: -2y'+2 [;]".. [T]".-',.l:).. + l,:r)*r.-,+ [,:,]'yn- +l:),'

or using summation notation, 1.1 The Well-Ordering ProPertY l3

^ (n] :2 G+y)n l;l*"-tyt j-0 \J l

We prove the binomial theorem by mathematical induction. In the proof we make use of summation notation.

Proof. We use mathematical induction. When n : l, according to the binomial theorem. the formula becomes frlfrl (x*y)r- + loj"'.yoI,,J"or'

lrlfrl (x+y)r:x But becauselnl: lil:t,this statesthat *y, whichis t"J \^ / obviouslytrue. We now assumethe theorem is valid for the positive integer n, that is, we assumethat ^ fn) : G+y)n 2 l ,lr'-iri . j-0 \r )

We must now verify that the correspondingformula holds with n replaced by n * l, assumingthe result holds for n. Hence,we have (x+y)n+r - (xty)"(x+y) 'l : l, |,,.l I la lil"-t'l\r ) l(x+r) |.i:o J , lnl , fr)

j-0 \r ) j:0 \J ./

We see that by removing terms from the sums and consequently shifting indices.that t4 The Integers

21,).'-'."': In+l + 2l;).'-'.',' and 3l:).'-'''*' :'Al,).'-'''.' * yn+t

:21'!'1"-'*'yj + yn*t

Hence, we find that 't n I (x*Y)'+r - xn+r+> lxn-i+tri I yn+t j-r I

By Theorem 1.2,we have

+ : , t;l[,1'] [';'] so we concludethat

k+y),,'+r- ,,*, + * yn+r bl':'fx,-i*,rir i-t I ) n*t [n+rI - S I l*n+t-iri t1^l.j )

This establishesthe theorem. u

We now illustrate one use of the binomial theorem. If we let x : y : l. we see from the binomial theorem that ^ lrl , rl :(t+t), : : lnl 2n ) l rlt,-rli ) j-0 \r ) j-o LJ,l

This formula showsthat if we add all elementsof the fu+l)th row of Pascal's triangle, we get 2n. For instance,for the fifth row, we find that 1.1 The Well-OrderingProPertY 15

. . . . :, +4+6+4+,:,6:24 [;] [l] [l] [l] [l]

l.l Problems

l. Find the values of the following sums

l0 l0 a) >2 c) 2j' j-r j-r

l0 t0 u) 2i o) 22i. j-l j-r

2. Find the values of the following products

55 il rr2 c) j' j-l r. ) b) trj 0) il2i j-t j-l

3. Find n ! for n equal to each of the first ten positive integers. fro)frol frol frol frol 4. Find lo,|'|. ,.l' I r.l'I tJ'^nalroJ' |'qI fgI froI 5. Find the binomial coefficients and andverirv that l',l' loJ' I o,J' fnl , fnl f,ol lrj*loj: loJ 6. Show that a nonempty set of negativeintegers has a largest element.

7. Use mathematical induction to prove the following formulae.

a) >,i:t+2+3+ + ,:n(nlD. j-l L .t n (n+l) (2n+l) U) 2i': 12+22+32+ + ,a j-l 6 t6 The Integers

| 12 't'ftl c) i.r': t'+ 23+ 33+ * n3: | I i-tt2l 8. Finda formularcr ft Zi. j-l

9. Use the principle of mathematical induction to show that the value at each positive integer of a function defined recursivelyis uniquely determined. (n) r0. what function f is defined recursively by f 0) : 2 and f (n+D : 2f (n) for n)l? ll. If g is defined recursivelyby g(l) :2 and g(n) :2sb-D for n 7 2, what is S(02 t2. The second principle of mathematical induction can be used to define functions recursively. We specify the value of the function at I and give a rule for finding f h+l) from the values of f at the first n positive integers. Show that the values of a function so defined are uniquely determined. We define a function (l) : t3. recursively for all positive integers n bV "f l, f (2):5, and for n 2 2, f h+t):f h) + 2f (n-t). Show that f (n) : 2^ + el)n, using the secondprinciple of mathematical induction.

14. a) Let n be a positive integer. By expanding (l+(-l))'with the binomial theorem. show that , (-r)ofr) : o. ) lrJ

b) usepart (a), and the fact that > f;l :2' , to find t-o \'' J f,l f,l l,l loj* IrJ* loj*

and [,lf,l|,,l ['J*l,J * I'J*

c) Findthesuml -2+22-23 + +2too.

15. Show by mathematical induction that if n is a positive integer, then (2n)t < 22'(nl)z. 1.1 The Well-Ordering ProPertY t7

16. The binomial coefficients x is a variable, and n is a positive integer, [;],*nr."

can be defined recursivelyby the equations : x and [l ] | .I ,_n[,1 In+tJ:R l;l |.".l x! , a)Showthatifxisapositiveinteger,then[oJ:ffi,wherekisan integerwithl(k(x.

. ["] [*l : f'+rl b) Showthatl-l+ 1.,, | l--*, l,whenevernisapositiveinteger. l,?J lt?+rj ln,'t t7. In this problem, we develop the principle of inclusion - exclusion. Suppose that S is a set with n elements and let Pr, P2,.,., P, be t different properties that an element of S may have. Show that the number of elements of S possessingnone of the / properties is n -ln(rr) + n(p) + + n@)l +ln(Pt,Pz)+ n(Pt,Pr)+ + n(P,-r,P,)l - {n(Pr,Pz,Pt)* n(PrPz,Pq) + * n(P,-2,P,4,P,)| + + (-l)'n (P1,P2,...,P,),

where n(Pi,,Pi,,..., P,,) is the number of elements of S possessingall of the properties Pi,,P;,,...,P;,.The first expressionin brackets contains a term for each property, the secondexpression in brackets contains terms for all combinationsof two properties, the third expressioncontains terms for all combinations of three properties,and so forth. (Hint: For each element of S determine the number of times it is counted in the above expression. If an element has k of the lrl lpl ltl properties,show it iscounted t - + - + (-l)ft ,i-.t. This lrJ Itl lrJ equals zeroby problem la(a).)

18. The tower of Hanoi was a popular puzzle of the late nineteenth century. The puzzle includes three pegs and eight rings of different sizes placed in order of size, with the largest on the bottom, on one of the pegs. The goal of the puzzle is to move all the rings, one at a time without ever placing a larger ring on top of a smaller ring, from the first pbg to the second,using the third peg as an auxiliary peg. l8 The Integers

a) Use mathematicalinduction to show that the minimum number of movesto transfer n rings, with the rules we have described,from one peg to another is 2n - 1.

b) An ancient legend tells of the monks in a tower with 64 gold rings and 3 diamond pegs. They started moving the rings, one move per second,when the world was created. When they finish transferring the rings to the second peg, the world ends. How long will the world last? 19. Without multiplying all the terms, show that

il 6! 7!: l0! c) 16!: l4t 5t 2l b) l0!:7! 5! 3! d) 9t - 713! 3! 2!.

20. Let an : (af a2l. ar-1!) - l, and on+t: af. a2t an_tl, where o1,a2,...,etr-1or€ positiveintegers. Show that an*1!: al. a2t onl.

21. Find all positiveintegers x, y,and z suchthat xt * yl: z!.

l.l Computer Projects

Write programs to do the following:

l. Find the sum of the terms of a geometric series. 2. Evaluate n !

3. Evaluate binomial coefficients.

4. Print out Pascal'striangle.

5. List the movesirr the Tower of Hanoi puzzle (seeproblem l8).

6. Expand (x*y)", where n is a positive integer, using the binomial theorem.

1.2 Divisibility

When an integer is divided by a secondnonzero integer, the quotient may or may not be an integer. For instance,24/8: 3 is an integer,while l7/5:3.4 is not. This observationleads to the following definition.

Definition. If a and b are integers, we say that a divides b if there is an integer c such that b : ac. lf a divides b, we also say that a is a divisor or factor of b. 1.2 Divisibility t9

If a dividesb wewritea lb,whileif a doesnotdivideb,wewriteatr U.

Example. The following examples illustrate the concept of divisibility of integers:13 | 182,-5 | 90,t7l28g,e trqq,ltrso, -l | :1,and 17 10.

Example. The divisorsof 6 are +1, *2, +3, and +6. The divisorsof 17 are tl and tI7. The divisors of 100 are +1, *2,+4, +5, +10, +20, +25, +50, and + 100. In subsequentsections, we will need some simple properties of divisibility. We now state and prove these properties.

Proposition1.3. If a,b,and c areintegerswithalb andblr,then alc.

Proof. Since a I b and b I c, there are integers e and f with ae : b and bf : ,. Hence,bf : be)f : aGf) : c, and we concludethat a I c. a

Example. Since 1l | 66 and 66 | tla, Proposition1.3 tells us that 11 | 198.

Proposition1.4. lf a,b,m, and n are integers,and if c la and c lD, then c | (ma+nb).

Proof. Since c I a and c | 6, there are integers e and / such that a : ce and b: cf. Hence, ma * nb: mce * ncf : c(me+nf). Consequently,we see that c | fua+nb). E

Example. Since 3l2l and: I ll, Proposition1.4 tells us that 3 | 6-zl - 3.33): lo5- 99: 6 .

The following theorem statesan important fact about division.

The Divisionl$f$* If a and b areintegers such that b > 0, then there are unique integers q and r such that a : bq * r with 0 ( r < b.

In the equation given in the division algorithm, we call q the quotient and r the remainder.

We note that a is divisible by b if and only if the remainderin the division algorithm is zero. Before we prove the division algorithm, consider the following examples. 20 The Integers

Example. If a-.133 and b:21, then Q:6 and r:7, since 133:21'6+7. Likewise,if a: -50 and b:8, thenq --7 and r:6, since-50:8(-7) + 6.

For the proof of the division algorithm and for subsequent numerical computations,we need to define a new function.

Definition. Let x be a real number. The greatest integer in x, denoted by [x ], is the largestinteger lessthan or equal to x.

Example. We have the following values for the greatest integer in x'. 12.21: 2,131: 3,and I-t.sl : -2. The proposition below follows directly from the definition of the greatest integer function.

Proposition 1.5. If x is a real number, then x-l < [x] ( x. We can now prove the division algorithm. Note that in the proof we give explicit formulae for the quotient and remainder in terms of the greatest integer function.

Proof. Let q:la/bl and r: a - bla/bl. Clearlya: bq * r. To show that the remainder r satisfies the appropriate inequality, note that from Proposition1.5, it follows that

G/b)-l < ta/bl 4a/b.

We multiply this inequality by b, to obtain

a - b < btalbl 4 a.

Multiplying by -1, and reversingthe inequality,we find that -a(-b[a/bl

By adding e, we seethat 0 ( r - a - bla/bl < n.

To show that the quotient q and the remainder r are unique, assumethat we havetwo equationsa: bqr* rr and a : bqz* rr, with 0 ( rr ( b and 0 ( rz < b. By subtracting the secondof these from the first, we find that 1.2 Divisibility 2l

0:bQt-qr)+(r;r2)

Hence. we seethat rz - rr: b(qt-qr).

This tells us that D divides rz- rr. Since 0 ( rr I b and 0 ( rz ( b, we have -b < rz- rr 1b. This shows that b can divide rz- 11 only if rz- 11:0, or, in other words,if 11: 12. Sincebqt + rt: bQz* 12 and rt: 12 we also see that Qr: Qz. This showsthat the quotient q and the remainder r are unique. tr

Example.Let a:1028 and b:34. Then a:bq*r with 0(r

1.2 Problems l. Showthat 3 lgg, s I t+S,7l343,and 888 | 0. 2. Decidewhich of the followingintegers are divisibleby 22 il0 d) r92s44 b) 444 e) -325r6 c) 1716 f) -195518. 22 The Integers

3. Find the quotient and remainder in the division algorithm with divisor 17 and dividend

a) loo c) -44 b) 28e d) -100.

4. What can you conclude if a and b are nonzero integers such that a I b and bla?

5. Show that if a, b, c, and d are integerswith a and c nonzerosuch that a I b and c I d, then ac I bd.

6. Arethereintegersa,b,andc suchthata lbc,buta I b anda I c).

7. Show that if a, b,and c l0 are integers,then a I t if and only if ac I bc.

8. Show that if a and b are positive integers and a I D, then a ( D. 9. Give another proof of the division algorithm by using the well-ordering property. (Hint: When dividing a by b, take as the remainder the least positive integer in the set of integersa-qb.)

10. Show that if a and b are odd positive integers, then there are integers s and , suchthat a : bs * /, whereI is odd and lrl < n. When the integer a is divided by the interger b where b > 0, the division algorithm gives a quotient of q and a remainder of r. Show that if 6 ,f a, when -a is divided by b, the division algorithm gives a quotient of -(q*l) and a remainder of b - r, while if 6 | a, the quotient is -q and the remainder is zero. 12. Show that if a, b, and c are integers with b ) 0 and c ) 0, such that when a is divided by b the quotient is q and the remainder is r, and when q is divided by c the quotient is / and the remainderis s, then when a is divided by bc, the quotient is I and the remainder is bs * r.

13. il Extend the division algorithm by allowing negative divisors. In particular, show that whenever a and b # 0 are integers, there are integers q and r such that a : bq * r, where 0 ( r < lAl . b) Find the remainderwhen 17 is divided by -7.

14. Show that if a and D are positive integers, then there are integers q,r and e : !.1 suchthat a: bq * er where-b/2

15. Show that if a andb arereal numbers,then la+bl 2la] + [r].

16. Show that if a and b are positive real numbers, then labl 2 Laltbl . What is the correspondinginequality when both a and b are negative? When one is negative and the other positive? 1.2 Divisibilitv 23

17. What is the value of [a ] + l-a I when a is a real number?

18. Show that if a is a real number then

a) -I-a I is the least integer greater than or equal to a.

b) la + %l is the integer nearestto a (when there are two integers equidistant from a, it is the larger of the two).

19. Show that if n is an integerand x is a real number, then [x*n] : [xl + n .

20. Show that if m and n \ 0 are integers,then (r r I 1I1 | if m : kn - I for someinteger k. | *+r1 .JL'J I n_ i:ll I I I llyl*tif m:kn-lforsomeintegerk. ILnl

21. Show that the integer n is even if and only if n - 2ln /21 : 0.

22. Show that if a is a real number, then [a ] + Ia + %l : l2al .

23. a) Show that the number of positive integers less than or equal to x that are divisible by the positive integer d is given by [x/dl.

b) Find the number of positive integers not exceeding 1000 that are divisible by 5, by 25, by 125,and by 625.

c) How many integers between 100 and 1000 are divisible by 7? by 49'l

24. To mail a letter in the U.S.A. it costs 20 cents for the first ounce and l8 cents for each additional ounce or fraction thereof. Find a formula involving the greatest integer function for the cost of mailing a letter. Could it possibly cost S 1.08or ,$I .28 to mail a letter?

25. Show that if a is an integer, then 3 divides a3-a

26. Show that the sum of two even or of two odd integers is even, while the sum of an odd and an even integer is odd.

27. Show that the product of two odd integers is odd, while the product of two integers is even if either of the integers is even.

28. Show that the product of two integers of the form 4ft * I is again of this form, while the product of two integersof the form 4k * 3 is of the form 4ft * L

29. Show that the square of every odd integer is of the form 8k + l. 24 The Integers

30. Show that the fourth power of every odd integer is of the form l6k + l.

31. Show that the product of two integersof the form 6k * 5 is of the form 6k * L

32. Show that the product of any three consecutiveintegers is divisible by 6. 33. Let n be a positive integer. We define

f ln/2 if n is even T(n) : 1Qn*D/z if n is odd.

We then form the sequence obtained by iterating T: n, T(n), T(TQ)), f (f(f (n))),... . For instance,starting with n : 7 we have 7,11,17,26,13,20,10,5,8,4,2,1,2,1,2,1.... A well-known conjecture,sometimes called the Collatz coniecture, assertsthat the sequenceobtained by iterating Z alwaysreaches the integerI no matter which positive integer n begins the sequence. a) Find the sequenceobtained by iterating Z starting with n :29.

b) Show that the sequenceobtained by iterating Z starting with n: (2k-l)/3, where k is an evenpositive integer, k > l, always reachesthe integer l.

1.2 Computer Projects

Write programs to do the following:

l Decide whether an integer is divisible by a given integer.

2. Find the quotient and remainder in the division algorithm.

3. Find the quotient, remainder, and sign in the modified division algorithm given in problem 14.

4. Investigatethe sequencen, T(n), T(Th)), f (rQ (n))),... definedin problem 33.

1.3 Representationsof Integers The conventionalmanner of expressingnumbers is by decimal notation. We write out numbers using digits to representmultiples of powers of ten. For instance,when we write the integer 34765,we mea;r 3.104+ 4.103+ 7.102+ 6.101+ 5.100.

There is no particular reasonfor the use of ten as the baseof notation,other than the fact that we have ten fingers. Other civilizations have used different 1.3 Representationsof Integers 25

bases,including the Babylonians,who used base sixty , and the Mayans, who used base twenty Electronic computers use two as a base for internal representationof integers,and either eight or sixteenfor display purposes. We now show that every positive integer greater than one may be used as a base.

Theorem 1.3. Let b be a positive integer with b > l. Then every positive integer n can be written uniquely in the form n : akbk * ap-1bk-rt * a1b I oo,

wherea; is an integerwith 0 ( o; < b-l for,/ :0, 1,..., k and the initial coefficientak I O.

Proof . We obtain an expressionof the desired type by successivelyapplying the division algorithm in the following way. We first divide n by b to obtain n:beo*oo, 0(ao

Then we divide qoby b to find that

eo:bq1ta6 0(ar(6-t.

We continue this processto obtain

Qt: bq2t a2, 0 ( a2 ( b-1, qr= bq3l a3, 0 ( ar ( b-1,

Qk-z: bq*-r * ak-r, 0 ( a1-1 ( b-1, Qk-t: b.0 * ap, 0 ( a1 ( b-t.

The last step of the processoccurs when a quotient of 0 is obtained. This is guaranteedto occur, becausethe sequenceof quotients satisfies n ) qo) qr) qz> "'> 0,

and any decreasing sequence of nonnegative integers must eventually terminate with a term equaling 0. 26 The Integers

From the first equation abovewe find that n: beo* ao.

We next replace {6 using the secondequation, to obtain n : b(bqfta1) + as : bzqrI a1b I as,

Successivelysubstituting for qr, Q2,..., Qk_r,we have n: b3qz+ a2b2* a1b* or,

: =i: ri::,-'**"::,t{,-'.. **olr'u**ol' : at bk + a1r-1bk-r* t aft * ao. where0 ( a; < b-l for 7 : 0,1,...,kand a* I 0, sinceek : 4r-r is the last nonzero quotient. Consequently,we have found an expansion of the desired type.

To see that the expansion is unique, assume that we have two such expansionsequal to n, i.e. n : ekbk + a1r-ybk-t* t a1b * ao : c*bk * c1r-1bk-r* * cft * ro, where 0 ( ar (b and 0 ( c1(b (and if necessarywe add initial terms with zero coefficients to have the number of terms agree). Subtracting one expansionfrom the other, we have (ar,-c)bk +(o,,-r-c1,-)bk-t * *(a;cr)b + (as-ca):0.

If the two expansionsare different, there is a smallestinteger j, O ( < k, "l such that ai # ci. Hence, .f br + * (ai+rci+r)b * : o, l(a*-c*)b(-r G1-c1)] so that Gr,-c)bk-i + + (a1+rci+)b r (ai-c1) : O. 1.3 Representationsof Integers 27

Solving for ai-c; we obtain aj-cj: (crr-ar)bk-j + * (c7+r-ai+)b

: bl(c1,-a1)bk-j-t + * (c7+r-or*,) ].

Hence, we seethat bl G1-c1).

But since 0 ( a; < b and 0 ( c; < b, we know that -b < ai-c1 I b. Consequently, b I h1-c) implies that ej : cj. This contradicts the assumptionthat the two expansionsare different. We concludethat our base 6 expansionof n is unique. ! For b - 2 . we seefrom Theorem 1.3 that the following corollary holds.

Corollary 1.1. Every positive integer may be represented as the sum of distinct powersof two.

Proof. Let n be a positive integer. From Theorem 1.3 with b : 2, we know thatn:atrTk *a1r-12k-t* + aQ* aswhereeachai iseither0or 1. Hence, every positive integer is the sum of distinct powersof 2. tr In the expansionsdescribed in Theorem 1.3, b is called the base or radix of the expansion. We call base l0 notation, our conventionalway of writing integers, decimal notation. Base 2 expansionsare called binary expansions, base 8 expansionsare called octal expansions,and base 16 expansionsare called hexadecimal, or hex for short, expansions. The coefficients ai are called the digits of the expansion. Binary digits are called bits (binary digils) in computerterminology.

To distinguish representationsof integers with different bases, we use a special notation. We write (apapa...aps) 6 to represent the expansion a*bklapabk-rl taft*ao.

Example. To illustrate base b notation, note that Q3Ot : 2.72+ 3.7 + 6 and (10010011)2: 1.27+ 1.24+ 1.2r+ 1.

Note that the proof of Theorem 1.3 givesus a method of finding the baseb expansion of a given positive integer. We simply perform the division algorithm successively,replacing the dividend each time with the quotient, and 28 The Integers

stop when we come to a quotient which is zero. We then read up the list of remaindersto find the base b expansion.

Example. To find the base 2 expansionof 1864,we use the division algorithm successively:

1864: 2.932 + 0, 932:2'466 +0, 466:2'233 +0 233-2'116+1, 116: 2'58 + 0, 58:2'29 +0, 29:2'14 +1, 14:2'7 +0, 7 : 2'3 + 1, 3 : 2'l + l, | : 2'O + 1.

To obtain the base 2 expansionof 1984, we simply take the remaindersof thesedivisions. This showsthat (1864)ro: (11101001000)2. Computers represent numbers internally by using a series of "switches" which may be either "on" or "off". (This may be done mechanically using magnetic tape, electrical switches,or by other means.) Hence, we have two possiblestates for each switch. We can use "on" to representthe digit I and "off" to representthe digit 0. This is why computers use binary expansionsto representintegers internally. Computers use base 8 or base 16 for display purposes. In base 16, or hexadecimal, notation there are l6 digits, usually denoted by 0,1,2,3,4,5,6,7,8,9,A,8,,C,D,,E and F . The letters A,B,C,D,E , and F are used to representthe digits that correspondto 10,11,12,13,14and l5 (written in decimal notation). We give the following example to show how to convert from hexadecimalnotation to decimal notation.

Example. To convert (A35B0F) 16we write (elsnor)re :10.16s + 3'164+ 5'163+ ll'rcz + 0'16+ 15 : ( t o7o5 679)rc. 1.3 Representationsof Integers 29

A simple conversionis possible between binary and hexadecimal notation. We can write each hex digit as a block of four binary digits according to the correspondencegiven in Table l.l .

Hex Binary Hex Binary Digit Digits Digit Digits

0 0000 8 r000 I 0001 9 1001 2 0010 A 1010 3 001l B 1011 4 0100 C l 100 5 0101 D I l0l 6 0110 E 1110 7 0l l1 F llll

Table1.1. Conversionfrom hexdigits to blocksof binarydigits.

Example. An example of conversionfrom hex to binary is (zFBrrc: (tOt t 1110110011)2.Each hex digit is convertedto a block of four binary digits (the initial zerosin the initial block (OOIO)2corresponding to the digit (2) rc are omitted). To convertfrom binary to hex, consider(t t t tOl I I101001)2. We break this into blocks of four starting from the right. The blocks are, from right to left, 1001,1110, 1101, and 0011 (we add the initial zeros). Translatingeach block to hex, we obtain GOng)ru. We note that a conversionbetween two different basesis as easy as binary hex conversion,whenever one of the basesis a power of the other.

1.3 Problems

l. Convert (1999)1sfrom decimal to base 7 notation. Convert (6tOS)t from base 7 to decimal notation.

2. Convert (tOtOOtOOO),from binary to decimal notation and (tgg+),0 from decimal to binary notation. 30 The Integers

3. convert (10001II l0l0l)2 and (l I101001110)2from binary to hexadecimal.

4. convert (ABCDEF)rc, @nrecnD)to, and (9A08)rc from hexadecimal to binary.

5. Explain why we really are using base 1000 notation when we break large decimal integers into blocks of three digits, separatedby commas.

6. a) Show that if D is a negative integer less than -1, then every integer n can be uniquer';:.])::'::;'

. * a1b* oo,

where a1,I 0 and O

b) Find the decimal representationof (tOtOOt)-2 and OZOTD-r.

c) Find the base-2 representationsof the decimal numbers-7,-17, and 61.

7. Show that any weight not exceeding 2k-l may be measured using weights of 1,2,22,...,2ft-1,when all the weightsare placedin one pan.

8. Show that every integer can be uniquely representedin the form

ep3k*ep-.3k-t* *efiles

-1,0, where €i : or I for ,/:0,1 ,2, ..., k. This expansion is called a balanced ternary expansion.

9. Use problem 8 to show that any weight not exceeding $k -t) /Z may be measuredusing weightsof 1,3, 3',...,3ft-1, when the weightsmay be placedin either pan.

r0. Explain how to convert from base 3 to base 9 notation, and from base 9 to base 3 notation.

ll. Explain how to convert from base r to base rn notation, and from base rn notation to baser notation, when r ) I and n are positive integers.

12. Show that if r: (a*a*-1...aps)6, then the quotientand remainderwhen n is divided by bi are q : (apa1,-1...a)6and, : (aj-r...apo)t, respectively. 13. If the base b expansion of n is n : (apa1,-1...aps)6,what is the base b expansionof b^ n"l

14. A Cantor expansionof a positive integer n is a sum

fl:ommt * a^a(m-l)! + * a22l*a1l! 1.3 Representationsof Integers 3t

where each ai is an integer with 0 ( a; < i . a) Find Cantor expansionsof 14, 56, and 384.

b) Show that every positive integer has a unique Cantor expansion.

15. The Chinese game of nim is played as follows. There are a number of piles of matches, each containing an arbitrary number of matches at the start of the game. A move consistsof a player removing one or more matches from one of the piles. The players take turns, with the player removing the last match winning the game.

A winning position is an arrangement of matches in piles so that if a player can move to this position, then, no matter what the second player does, the first player can continue to play in a way that will win the gom€; An example is the position where there are two piles each containing one match; this is a winning position, becausethe secondplayer must remove a match leaving the first player the opportunity to win by removing the last match.

a) Show that the position where there are two piles, each with two matches, is a winning position.

b) For each arrangement of matches into piles, write the number of matches in each pile in binary notation, and then line up the digits of these numbers into columns (adding initial zeroes if necessaryto some of the numbers). Show that a positionis a winning one if and only if the number of ones in each column is even (Example: Three piles of 3, 4, and 7 give 0ll llt 100 where each column has exactly two ones).

16. Let a be an integer with a four-digit decimal expansion,with not all digits the same. Let a' be the integer with a decimal expansion obtained by writing the digits of a in descending order, and let a" be the integer with a decimal expansion obtained by writing the digits of a in ascending order. Define T(a) : a'- a". For instance,f(2318) 8731 1378 : 7358.

a) Show that the only integer with a four-digit decimal expansionwith not all digitsthe samesuch that T(a) : a is a :6174.

b) Show that if a is a positive integer with a four-digit decimal expansionwith not all digits the same, then the sequence a, T (d, f (f G)) , T'QQ(a))),..., obtained by iterating T, eventually reaches the integer 6174. Becauseof this property, 6174 is called Kaprekar's constant. 32 The Integers

17. Let b be a positive integer and let a be an integer with a four-digit base b expansion,with not all digits the same. Define TtG) : a'- a", where a'is the integer with base D expansion obtained by writing the base 6 digits of a in descendingorder, and let d " is the integer with base 6 expansion obtained by writing the baseb digits of a in ascendingorder.

il Let b : 5. Find the unique integer a6 with a four-digit base 5 expansion such that TsGl : ao. Show that this integer aq is a Kaprekar constant for the base5, i.e., a , T(a), r(f b)), f (f Q(a))),... eventuallyreaches 40, whenevera is an integer which a four-digit base 5 expansionwith not all digits the same.

b) Show that no Kaprekar constant exists for the base 6.

1.3 Computer Projects

Write programs to do the following:

l. Find the binary expansion of an integer from the decimal expansion of this integer and vice versa.

2. Convert from base 61 notation to base b2 notation, where D1 and b2are arbitrary positive integersgreater than one.

3. Convert from binary notation to hexadecimalnotation and vice versa.

4. Find the base (-2) notation of an integer from its decimal notation (seeproblem 6).

5. Find the balanced ternary expansion of an integer from its decimal expansion (seeproblem 8).

6. Find the Cantor expansionof an integer from its decimal expansion(see problem 14).

7. Play a winning strategy in the game of nim (seeproblem l5).

8. Find the sequencea, T(a), T(Tfu)), r(rOQ))),... definedin problem 16, where a is a positiveinteger, to discoverhow many iterations are neededto reach 6174.

9. Let b be a positive integer. Find the Kaprekar constant to the base b, when it exists (seeproblem 17). 1.3 Representationsof Integers 33

1.4 Computer Operationswith Integers We have mentioned that computers internally representnumbers using bits, or binary digits. Computers have a built-in limit on the size of integers that can be used in machine arithmetic. This upper limit is called the word size, which we denote by w. The word size is usually a power of 2, such as 235, although sometimesthe word size is a power of 10. To do arithmetic with integers larger than the word size, it is necessaryto devote more than one word to each integer. To store an integer n ) l4/, we expressn in base w notation, and for each digit of this_expansion we use one computer word. For instance, if the word size is 23s, using ten computer words we can store integers as large u, 23s0-1, since integers less than 2350 have no more than ten digits in their base 235expansions. Also note that to find the base 235expansion of an integer, we need only group together blocks of 35 bits. The first step in discussing computer arithmetic with large integers is to describehow the basic arithmetic operationsare methodically performed. We will describe the classical methods for performing the basic arithmetic operationswith integers in base r notation where r ) | is an integer. These methodsare examplesof algorithms.

Definition. An algorithm is a specified set of rules for obtaining a desired result from a set of input. We will describe algorithms for performing addition, subtraction, and multiplication of two n-digit integers a : (an4on-z...egi, and b: (bn-1br-z...brbo)r,where initial digits of zero are added if necessaryto make both expansionsthe same length. The algorithms described are used both for binary arithmetic with integers lessthan the word size of a computer, and for multiple precision arithmetic with integers larger than the word size w, using lr as the base. We first discuss the algorithm for addition. When we add a and b, we obtain the sum

a I b: 5 airt+'i u,rt: 5 Gi + b1)ri. j-o j-0 j:o

To find the base r expansion of the a * b, first note that by the division algorithm, there are integers Cs and ss such that 34 The Integers

ao* bs: Csr * r0,0 ( so 1 r.

Because as and bo are positive integers not exceeding r, we know that ( - 0 ao * bo( 2r 2 , so that co:0 or l ;here c6 is the cany to the next place. Next, we find that there are integersc1 and s1 such that ar * br t Co: C{ t rr,0 ( s1 ( r.

Since0 ( art br * Co ( 2r - 1, we know that Cr:0or l. proceeding inductively,wefindintegersC;ands; for 1 ( i ( n - I by ai * b; * Ci-r: Crr trr, 0 ( s; ( r, with C;:0 or 1. Finally, we let sr: Cn; , sincethe sum of two integers with n digits has n * I digits when there is a carry in the n th place. We concludethat the baser expansionfor the sum is a * b: (srsn_,...J1.ss)7. When performing base r addition by hand, we can use the same familiar technique as is used in decimal addition.

Example.To add (1101)2and (l0l l)2 we write II 1l0l +1001 10110 where we have indicated carries by I's in italics written above the appropriate column. We found the binary digits of the sum by noting that I * I : l'2+ 0,0+0+ 1:0'2 * 1, I +0f 0: O'2+ l,and 1+ l:1.2 *0. We now turn our attention to subtraction. We consider

a - b :'; airi -'i u,rt: 5 Gi - b)ri , j-o j-0 j-0 where we assumethat a ) b. Note that by the division algorithm, there are integers ^Bsand ds such that

os- bo: 86r * dg, 0 ( do ( r, and since as and bs are positive integers lessthan r, we have 1.4 Computer Operationswith Integers 35

-(r-l)

When ao- bo ) 0, we have,86:0. Otherwise,when as- bo 10, we have Bo: - 1;Bo is the borrow from the next place of the baser expansionof a. We use the divisionalgorithm again to find integersB1 and d1 such that a1-bt+ Bo: B{ * dr. 0 < d1 1 r.

- From this equation, we see that the borrow B r : 0 as long as a1 bt + Bo - > 0, and Bt: -l otherwise,since -r ( ar br *Bo (r-l.We proceedinductively to find integersB; and d;, such that ai - btf Bi-r : Bir t di. 0 ( di 1r with B; :0 or -1, for I < t < n - 2. We seethat Bn4: 0, sincea ) b. We canconclude that

a - b : (dnadn-2...d1ds),.

When performing base r subtraction by hand, we use the same familiar technique as is used in decimal subtraction.

Example. To subtract (tot to)2from (t tot l)2,we have -t llotl -10110 101 where the -l in italics above a column indicates a borrow. We found the binary digits of the difference by noting that 1 - 0 : 0'2 * l, 1-l:0'2*0, 0-l:-1'2+1, l-0-l: 0'2+0, and 1-l: 0'2+ 0. Before discussing multiplication, we describe shifting. To multiply (on-r...aps)7 by r^ , we need only shift the expansion left m places, appendingthe expansionwith m zero digits.

Example. To multiply (tOtt01)2 by 2s, we shift the digits to the left five placesand appendthe expansionwith five zeros,obtaining (10110100000)2. 36 The Integers

To deal with multiplication, we first discussthe multiplication of an n-place integer by a one-digitinteger. To multiply (an_1...ori;, by (il,, we first note that

oob:Qor*po,0(ps(r,

- and 0 ( qo ( r l, since0 ( aob ( (r-1)2. Next, we have aft+Qo:Qf *pr,0(pt1t,

and 0 ( qt ( r-1. In general,we have

a;b * 7i-r: Qir I pi, 0 ( p; -< r

( ( - and 0 gr r 1. Furthermore, we have pn: Qn_r. This yields (or-1...ar,o) , (b), : (pnpn-r...pg.o) ,. To perform a multiplication of two n-place integerswe write

( n-t ) n-t ab:al>biril:)Gb)ri. li-r ) i-o

For each -/, we first multiply a by the digit b;, then shift to the left 7 places, and finally add all of the n integerswe have obtained to find the product. When multiplying two integers with base r expansions,we use the familiar method of multiplying decimal integers by hand.

Example. To multiply (l l0l)2 and (t t tO)2we write

ll0l x1110 0000 I l0l 1l0l l10l l0ll01l 0

Note that we first multiplied (1101)2 by each digit of (t t 10)t, shifting each time by the appropriate number of places,and then we added the appropriate integersto find our product. 1.4 Computer Operations with Integers 31

We now discuss integer division. We wish to find the quotient q in the division algorithm a:bq + R, 0 < R < b.

If the baser expansionof q is q : (Qn-rQn-2...Q14o) , , then we have ( n-r a-b l> eiril +R,0

To determine the first digit Qrq of q, notice that a - bqn-1vn-t: uf'i qjri)+ R. U-o )

The right-hand side of this equation is not only positive,but also it is lessthan g brn-t, since 2 qiri rn-l-l. Therefore,we know that j-0

0 ( a - bqn-(n-l < brn-t.

This tells us that O: -tn.'l (L Tt, 4 nn {.t"', Qn-r: la/brn-rl' v t-"rf We can obtain Qn-r by successivelysubtracting br"-l from a until a negative result is obtained, and then qn-1is one lessthan the number of subtractions. To find the other digits of q,, we define the sequenceof partial remainders Ri by

Ro: a and

Ri:Ri-r - bqn-trn-i for i : 1,2, ...,n. By mathematical induction, we show that (n-i-t I (r.s) Ri: qirtlb+R. | > lj-0 )

For i : 0, this is clearly correct, since R0 : a : qb + R. Now assumethat 38 The Integers

Rft:

Then

Rt+r : Rft - bqn-*-rrn-k-l 'l (n-k-t . : qirilb+R-bqn-*-rvn-k-l I U l. .r-o ) fn-(k+r)-r .l :| > qi"lb+R' Ij-0) establishing(1.5). From (t.S), we see that 0 ( Ri < rn-ib, for i : 1,2,...,fl, since n-i -l

i-0 O ( Ri < rn-tb, we see that the digit qn-i is given by lRi-r/brn-il and can be obtained by successivelysubtracting brn-t from Ri-1 until a negative result is obtained,and then qn-; is one lessthan the number of subtractions.This is how we find the digits of q.

Example.To divide(tttOl)2 by (ttt)2, we let q: (qrqrqir. We subtract Z2(ttl)z : (t t tOO), once from (t t tOt)z to obtain (l)2, and once more to - obtaina negativeresult, so that Q2: l. Now Rl : (tttOl)t (ttt00)t: (1)2. We find that ql:0, sinceR1 - 2(1ll)2 is lessthan zero,and likewise Qz:0. Hencethe quotientof the divisionis (100)2and the remainderis (l)2

We will be interestedin discussinghow long it takes a computer to perform calculations. We will measure the amount of time needed in terms of bit operations. By a bit operation we mean the addition, subtraction, or multiplication of two binary digits, the divisionof a two-bit integer by one-bit, or the shifting of a binary integer one place. When we describethe number of bit operations needed to perform an algorithm, we are describing the computational complexity of this algorithm. In describing the number of bit operations needed to perforrn calculations we will use big-O notation. 1.4 ComputerOperations with Integers 39

Definition. If f and g are functions taking positivevalues, defined for all x in a set S, then we say f is OQ) if there is a positive constantK such that f G) < Kg(x) for all x in the setS.

Proposition 1.6. If / is OQ) and c is a positiveconstant, then cf is Ok).

Proof . If / is Ok), then there is a constantK such that f G) < Kg(x) for all x under consideration. Hence cf G) < GK)gG). Therefore, y' is oQ). n

Proposition1.7. lf ft is O(gr)andf2isOkz),then "ft+-fzisOQftg2) andfJzisoQe).

Proof . If / is OQr) and f2 is Okz), then there are constantsK1 and K2 such that -f ,(*) < ,<1g1(x) and "fz(x) 1 K2g2(x) for all x under consideration.Hence

f 1G) +f2G) ( Krsr(x) + x2g2k) ( Kkr(x) + sz?))

where K is the maximum of K1 and K2. Hencef r + -f zis Ok, + gz). Also

-f tk)f z(.x) ( Krsr G) K2s2G) : (KrK2)kt?)g2(x)),

so that "f f zis 0(96). tr

Corollary 1.2. If /1 andf 2are OG), then-f r + -f zis Ok).

Proof . Proposition 1.7 tells us that "f t + f z is O QS). But if + ( KQs), then + ( (zx)g, so that +.f Ok). a f t "fz f t "fz -f r zis Using the big-O notation we can see that to add or subtract two r-bit integers takes Ofu) bit operations,while to multiply two n-bit integers in the conventionalway takes OGz) bit operations(see problems 16 and 17 at the end of this section). Surprisingly, there are faster algorithms for multiplying large integers. To develop one such algorithm, we first consider the multiplication of two 2n-bit integers, say a : (a2n4a2n_2...eflo)z and b : (b2,6b,2n-2...bfti2.We write a :2nAt f 46 and b :2nBr t where -l Bs, 40 The Integers

At: (a2r-1a2n*2...a1711e17)2,Ao: (an-1an-2...apg)2, Bt: (b2n-ft2r-z...bn+t br)2, and B0 : (br-t bn-z...brbiz. We will use the identity (t.e) ab : (22,+2,)ArBrr 2n(ArAi(ao-nr) + (2,+l)AoB0.

To find the product of a and 6 using (t.0), requires that we perform three multiplicationsof n-bit integers (namely ArBr (A, - Ad(Bo- Br), and AsBs), as well as a number of additions and shifts. If we let M(n) denote the number of bit operations neededto multiply two n -bit integers, we find from (t.0) ttrat (r.z) M (2n)< ru h) + Cn. where C is a constant, since each of the three multiplications of n -bit integers takes M (n) bit operations,while the number of additions and shifts neededto compute a'b via (t.0) does not depend on n, and each of these operations takes O (n) bit operations.

From (t.Z), using mathematical induction, we can show that (1.8) a(zk) ( c(3k -2k), where c is the maximum of the quantities M Q) and C (the constant in (t.Z)). To carry out the induction argument, we first note that with k: l, we have MQ) ( c(3t -2t) : c, sincec is the maximum of M(2) and C. As the induction hypothesis,we assumethat MQk) ( c(3ft - 2k).

Then, using (1.7), we have M (zk+t) ( 3u (zk) + czk ( 3c (lt - 2k) + c2k ( cak+t_ c.3.2k* c2k ( c(3ft+l- zk+t).

This establishesthat (1.8) is valid for all positive integers ft. Using inequality (t.8), we can prove the following theorem.

Theorem 1.4. Multiplication of two n-bit integers can be performed using O(nto9'3) bit operations. (Note: log23 is approximately 1.585, which is 1.4 ComputerOperations with Integers 4l

considerably less than the exponent 2 that occurs in the estimate of the number of bit operations needed for the conventional multiplication algorithm.)

Proof . From (t.8) we have M h) : M (ztos'n)( lzlttloerl+t;

< , (3ttot'nl+t_rltoe'nl+t; I ( 3c.rllogrn( 3c.3losr,:3rnto93

(since 3lo8'n: ,'ot").

Hence, Mh) : glnroe'3l. tr We now state, without proof, two pertinent theorems. Proofs may be found in Knuth [50] or Kronsjii tSgl.

Theorem 1.5. Given a positive number e ) 0, there is an algorithm for multiplication of two n-bit integersusing O(nr+') bit operations.

Note that Theorem 1.4 is a specialcase of Theorem 1.5 with e : log23- l, which is approximately0.585.

Theorem 1.6. There is an algorithm to multiply two n-bit integers using O(n log2n log2log2n)bit operations. Since log2n and log2log2nare much smaller than n' for large numbers n, Theorem 1.6 is an improvement over Theorem 1.5. Although we know that M h) : O (n log2n log2log2n), for simplicity we will use the obvious fact that M fu) : O (n2) in our subsequentdiscussions. The conventionalalgorithm describedabove performs a division of a 2n-bit integer by an n-bit integer with O(n2) bit operations. However, the number of bit operations needed for integer division can be related to the number of bit operations needed for integer multiplication. We state the following theorem, which is basedon an algorithm which is discussedin Knuth 1561.

Theorem 1.7. There is an algorithm to find the quotient q:Ia/bl, when the 2n-bit integer a is divided by the integer b having no more than n bits, using O(M Q)) bit operations, where M fu) is the number of bit operationsneeded to multiply two n-bit integers. 42 The Integers

1.4 Problems

l. Add (l0llll0ll)2 and(ttootll0ll)2.

2. Subtract(tot t l0l0l)2 from (1101101100)2.

3. Multiply (t t rOr), and (l10001)2.

4. Find the quotientand remainderwhen (t totoon l)2 is dividedby (1101)2. 5. Add (ABAB)16and (BABA)rc.

6. Subtract (CAFE)16 from (rnno)ru.

7. Multiply (FACE) 16and (BAD)rc.

8. Find the quotient and remainderwhen Gneono),u is divided by (enn.n)ru.

9. Explain how to add, subtract,and multiply the integers18235187 and 22135674 on a computer with word size 1000.

10. Write algorithms for the basic operations with integers in base (-2) notation (seeproblem 6 of Section 1.3).

11. Give an algorithm for adding and an algorithm for subtracting Cantor expansions (seeproblem l4 of Section 1.3).

12. Show that if f 1 and f 2 are O(St) and O(g2), respectively,and c1 and c2 are constants,then c;f1 * ,zf z is O(g1 * g).

13. Show that if f is O(g), then fr it OQk) for all positiveintegers k.

14. Show that a functionf is O(log2n) if and only if f is O(log,n) wheneverr ) l. (Hint: Recall that logon/log6n: logo6.)

15. Show that the base b expansionof a positive integer n has llog6nl+t digits.

16. Analyzing the algorithms for subtraction and addition, show that with n-bit integers these operationsrequire O h) bit operations.

17. Show that to multiply an n-bit and an m-bit integer in the conventionalmanner requires OQm) bit operations.

18. Estimate the number of bit operationsneeded to find l+2+ * n

il by performing all the additions.

b) by using the identity l+2* I n: nh+l)/2, and multiplying and shifting. 1.4 Computer Operations with Integers 43

19. Give an estimate for the number of bit operationsneeded to find ["1 a) n'. b) |.o,|

20. Give an estimate of the number of bit operations needed to find the binary expansionof an integer from its decimal expansion'

21. il Show there is an identity analogousto (1.6) for decimal expansions.

b) Using part (a), multiply 73 and 87 performing only three multiplications of one-digit integers,plus shifts and additions.

c) Using part (a), reduce the multiplication of 4216 and 2733 to three multiplications of two-digit integers, plus shifts and additions, and then using part (a) again, reduce each of the multiplications of two-digit integers into three multiplications of one-digit integers, plus shifts and additions. Complete the multiplication using only nine multiplications of one-digit integers,and shifts and additions.

22. il lf A and B are nxn matrices, with entries aii and bii for I ( i ( n, : I ( f ( n, then AB is the nxn matrix with entries cii 2 ai*b*j. Show that n3 multiplications of integers are used to find AB dir:;;ly from its definition.

b) Show it is possible to multiply two 2x2 matrices using only seven multiplications of integers by using the identity lo,,o,rf lb,, D'tl lazr o,,) lr,, t,,) (a21 l"rrbrr* anbzt x I * a22)(bn-b,,)+l (a rrla 12-a21-a22)b22 |

Ilx * (as-a2)(bzz-bn) - x * (an-azt)(brr-brr)+ I I a22(br-bzr-b e*b22) (a21* a2)(brz-b',-) |

wherex: arrbr,- (att - ct2r- a2)(bn- bp* b2).

c) Using an inductiveargument, and splitting 2nx2n matrices into four nxn matrices, show that it is possibleto multiply two 2k x2k matrices using only 7ft multiplications, and lessthan 7ft+radditions. 44 The Integers

d) Conclude from part (c) that two nxn matrices can be multiplied using O(nt"c7) bit operations when all entries of the matrices have less than c bits, where c is a constant.

23. A dozen equals 12 and a gross equals 122. Using base 12, or duodecimal. arithmetic answer the following questions.

il If 3 gross, 7 dozen, and 4 eggs are removed from a total of l l gross and 3 dozen eggs, how many eggs are left?

b) If 5 truckloads of 2 gross, 3 dozen, and 7 eggs each are delivered to the supermarket, how many eggs were delivered?

c) If I I gross, I 0 dozen and 6 eggs are divided in 3 groups of equal size, how many eggs are in each group?

24. A well-known rule used to find the square of an integer with decimal expansion (an-1...apJro with final digit ao:5 is to find the decimal expansionof the product (anan-1...a)rcl(anan-r...ar)ro* ll and append this with the digits (25)ro. For instance, we see that the decimal expansion of (tOS)2 begins with 16'17 :272, so that (165)2:27225. Show that the rule just describedis valid.

25. In this problem, we generalizethe rule given in problem 24 to find the squaresof integers with final base 28 digit 8, where I is a positive integer. Show that the base 28 expansion of the integer (ana,-1...afl0)z,astarts with the digits of the base 28 expansionof the integer (anana...aflo)zn l(anan-1...ap0)zn* ll and ends with the digits Bl2 and 0 when B is even, and the digits G-l)12 and.B when I is odd.

1.4 Computer Projects

Write programs to do the following:

l. Perform addition with arbitrarily large integers.

2. Perform subtraction with arbitrarily large integers.

3. Multiply two arbitrarily large integersusing the conventionalalgorithm.

4. Multiply two arbitrarily laige integersusing the identity (1.6).

5. Divide arbitrarily large integers,finding the quotient and remainder.

6. Multiply two n xn matrices using the algorithm discussedin problem 22. 1.5 Prime Numbers 45

1.5 Prime Numbers The positive integer I has just one positive divisor. Every other positive integer has at least two positive divisors, becauseit is divisible by I and by itself. Integers with exactly two positive divisors are of great importance in number theory; they are called primes.

Definition. A prime is a positive integer greater than I that is divisible by no positive integersother than I and itself.

Example. The integers2,3,5,13,101 and 163 are primes.

Definition. A positive integer which is not prime, and which is not equal to l, is called composite.

Example. The integers 4:2'2,8:4'2, 33 : 3'11,1ll : 3'37, and l00l : 7'll' 13 are composite. The primes are the building blocks of the integers. Later, we will show that every positive integer can be written uniquely as the product of primes. Here, we briefly discuss the distribution of primes and mention some conjecturesabout primes. We start by showing that there are infinitely many primes. The following lemma is needed.

Lemma 1.1. Every positive integer greater than one has a prime divisor.

Proof . We prove the lemma by contradiction; we assume that there is a positive integer having no prime divisors. Then, since the set of positive integers with no prime divisors is non-empty, the well-ordering property tells us that there is a least positive integer n with no prime divisors. Since n has no prime divisors and n divides n, we see that n is not prime. Hence, we can write n:ab with I 1 a 1 n and | < b 1 n. Becausea 1 n. a must have a prime divisor. By Proposition 1.3, any divisor of a is also a divisor of n, so that n must have a prime divisor, contradicting the fact that n has no prime divisors. We can conclude that every positive integer has at least one prime divisor. tr We now show that the number of primes is infinite.

Theorem 1.8. There are infinitely many primes. 46 The Integers

Proof . Consider the integer

Qn: nt t l, n 2 l.

Lemma 1.1. tells us that Q, has at least one prime divisor, which we denote by gr. Thus, q, must be larger than n; for if 4, ( n, it would follow that Qn I n!, and then, by Propositionl.!, Q, | (er-rr) : l, which is impossible. Since we have found u priJ.''lur*r, tt* r, for every positive integer n, there must be infinitely many primes. tr

Later on we will be interestedin finding, and using, extremely large primes. We will be concernedthroughout this book with the problem of determining whether a given integer is prime. We first deal with this question by showing that by trial divisions of n by primes not exceedingthe square root of n, we can find out whether n is prime.

Thedrem 1.9. If n is a composite integer, then n has a prime factor not exceeding..1n.

Proof . Since n is composite, we can write n : ab, where a and b are integers with | 1a ( D < n. we must have a 4 r/i, since otherwise b 7 a > ,/; and ab > '/i.,/i : n. Now, by Lemma I.l, a must have a prime divisor, which by Proposition 1.3 is also a divisor of a and which is clearly lessthan or equal to ,/i . D

We can use Theorem 1.9 to find all the primes less than or equal to a given positive integer n. This procedure is called the steve of Eratosthenes. We illustrate its use in Figure 1.2 by finding all primes less than 100. We first note that every composite integer less than 100 must have a prime factor less than J00-: 10. Since the only primes lessthan l0 are 2,3,4,and 7, we only need to check each integer less than 100 for divisibility by these primes. We first cross out, below by a horizontal slash -, all multiples of 2. Next we cross out with a slash / those integers remaining that are multiples of 3. Then all multiples of 5 that remain are crossedout, below by a backslash\. Finally, all multiples of 7 that are left are crossedout, below with a vertical slash l. ntt remaining integers (other than l) must be prime. 1.5 Prime Numbers 41

t23+ 5 +7+,/-1€- ll ++ 13 l+- yr +#17+h19+ 2{-*23+g-. X +/*2e-3o- 37 +S- {'F 3l+2Ii+ \ 3? 2{ 4r+43 1+ ,{ 1? 47 +F + {o- -5S- -6F >{+*s3*r- \ +G .yr 59 61 4*tr# \ 83 \ "Yr I -9t- tlt +> 2< + \ 9t 9j .y +OF

Figure1.2. Findingthe PrimesLess Than 100Using the Sieveof Eratosthenes. Although the sieveof Eratosthenesproduces all primes lessthan or equal to a fixed integer, to determinewhether a particular integer n is prime in this manner, it is necessaryto check n for divisibility by all primes not exceeding G. This is quite inefficient;later on we will have better methodsfor deciding whetheror not an integeris prime. We know that there are infinitely many primes, but can we estimate how many primes there are less than a positivereal number x't One of the most famous theorems of number theory, and of all mathematics, is the prime number theorem which answersthis question. To state this theorem, we introducesome notation.

Definition. The function r(x), where x is a positivereal number, denotesthe number of primesnot exceedingx.

Example. From our exampleillustrating the sieveof Eratosthenes,we seethat o(tO) : 4 andzr(tOO) :25. We now state the prime number theorem.

The Prime NumberTheorem. The ratio of zr'(x) to x/log x approachesone as x grows without bound. (Here log x denotesthe natural logarithm of x. In the languageof limits,we have lim zr(x)/+: l). . IOBX 48 The Integers

The prime number theorem was conjectured by Gauss in 1793, but it was not proved until 1896, when a French mathematician J. Hadamard and a Belgian mathematician C. J. de la Vall6e-Poussin produced independent proofs. We will not prove the prime number theorem here; the varioui proofs known are either quite complicated or rely on advanced mathematics. In Table I .l we give some numerical evidence to indicate the validitv of the theorem.

x rG) x /log x oG)/* ti G) r(x) /ti G) log x

103 168 144.8 1.160 178 0.9438202 104 t229 1085.7 1.132 -r 1246 0.9863563 105 9592 8685.9 l.104 9630 0.9960540 106 78498 72382.4 1.085 78628 0.9983466 107 664579 620420.7 1.071 664918 0.9998944 108 5761455 5428681.0 1.061 5762209 0.9998691 l0e 50847534 48254942.4 1.054 5084923s 0.9999665 l0l0 455052512 43429448r.9 1.048 455055614 0.9999932 I l0r 4r180548133948131663.7 1.043 41181654010.999973r l0l2 3760791201836191206825.3 r.039 3760795028r 0.9999990 t0l3 346065535898t34072678387.r 1.036 34606564s810 0.9999997

Tablel.l. Approximationsto rG). x'A"x The prime number theorem tells us that x /log x is a good approximation to rG) when x is large. It has been shown that an even better approximation is given by

ti :T O, ld'i,I ' )':*4{{-/d =1- G) X/V614 L ", log I

(whe-- T d, -^^-, ," J, representsthe areaunder the curvey : lfiog t, and above the r-axis from"* t :2 to / : x). In Table l.l, one seesevidence that /i(x) is an excellentapproximation of zr(x). nd l'^- -L- I'^ -r =O\J frtaft.1',v r ltlx ylr 3 x4G 1.5 PrimeNumbers 49

We can now estimate the number of bit operationsneeded to show that an ',,6-. integer n is prime by trial divisionsof n by ail primes not exceeding The prime',/n number theorem tells us that there are approximately fioeJ; : 2-/i /log n primes not exceeding-6. To divide n by an integer m takes O(log2n.log2m) Uit operations. Therefore, the number of bit operations needed to show that n is prime by this method is at least Q,/i/togilG log2n) - r,/i (where we have ignored thelog2m term since it is at least l, even though it sometimesis as large as (log2n)/D . This method of showing that an integer n is prime is very inefficient, for not only is it necessaryto know all the primes not larger than ..li, but it is also necessaryto do at least a constant multiple of ,/i bit operations. Later on we will have more efficient methodsof showing that an integer is prime. We remark here that it is not necessaryto find all primes not exceedingx in order to compute zr(x). One way that zr(x) can be evaluated without finding all the primes less then x is to use a counting argument based on the sieve of Eratosthenes (see problem l3). (Recently, very efficient ways of finding r(x) using O (x3/s+c)bit operationshave been devisedby Lagarias and Odlyzko t6ql.) We have shown that there are infinitely many primes and we have discussed the abundance of primes below a given bound x, but we have yet to discuss how regularly primes are distributed throughout the positive integers. We first give a result that shows that there are arbitrarily long runs of integers containingno primes.

Proposition 1.8. For any positive integer n, there are at least n consecutive compositepositive integers.

Proof. Consider the n consecutivepositive integers h + l)! + 2, (n+ 1)!+ 3,...,h+ l)! + n t l.

When 2< j(n *l,weknowthatTl(n +l)!. By Proposition1.4, it follows that 7 | (, + t)! +;. Hence, these n consecutiveintegers are all composite. tr

Example. The seven consecutiveintegers beginning with 8! + 2 : 40322 are all composite. (However, these are much larger than the smallest seven consecutivecomposites, 90, 91, 92, 93, 94, 95, and 96.) 50 The Integers

Proposition 1.8 showsthat the gap betweenconsecutive primes is arbitrarily long. On the other hand, primes may often be close iogether. The only consecutive primes are 2 and 3, because2 is the only even prime. Howevei, many pairs of primes differ by two; these pairs of pri-., are called twin primes. Examplesare the primes 5 and 7,ll and 13, l0l and 103,and 4967 and 4969. A famous unsettledconjecture assertsthat there are infinitelv many twin primes.

There are a multitude of conjecturesconcerning the number of primes of various forms. For instance,it is unknown whether there are infinitlly many primes of the form n2 + | where n is a positiveinteger. Questionssuch as this may be easy to state, but are sometimesextremely difficult to resolve.

We conclude this section by discussing perhaps the most notorious conjecture about primes.

Goldbach's Conjecture. Every even positive integer greater than two can be written as the sum of two primes.

This conjecture was stated by Christian Goldbach in a letter to Euler in 1742. It has been verified for all even integersless than a million. One sees by experimentation,as the following exampleillustrates, that usually there are many sums of two primes equal to a particular integer,but a proof that there always is at least one such sum has not yet been found.

Example. The integers 10,24, and 100 can be written as the sum of two primes in the following ways: l0:3+7:5t5, 24:5+lg:7+17:llf13, 100:3+97:ll*gg:17+93 :29*71:41+59:47+53.

1.5 Problems

l. Determinewhich of the followingintegers are primes

a) l0l c) l07 e) I 13 b) 103 d) lll f) tzt. 1.5 PrimeNumbers 51

2. Use the sieveof Eratosthenesto find all primes lessthan 200' 3. Find atl primes that are the differenceof the fourth powersof two integers. 4. Show that no integerof the form n3 * I is a prime, other than 2: 13+ l. -l 5. Show that if a and n are positive integers such that an is prime, then a : 2 and n is prime. (Hint: Use the identity ake-l : Qk-D (aka-t\ + akQ-D+ + ak+l) .

6. In this problem, another proof of the infinitude of primes is given. Assume there are only finitely many primes p r,Pz,...,Pn Form the integer ... Q: prpz pn * l. Show that Q has a prime factor not in the abovelist. Conclude that there are infinitely many primes. ' 7. Let Qn : ptpz " pn t l where Pt,Pz,..., Pn are the n smallest primes. Determine the smallest prime factor of Q^ for n:1,2,3,4,5, and 6. Do you think Q, is prime infinitely often? (tnis is an unresolvedquestion.) 8. Let pt,p2,...,pnbe the first n primesand let m be an integerwith I 1m 1n. Let Q be the product of a set of z primes in the list and let R be the product of the remaining primes. Show that Q + R is not divisible by any primes in the list, and hence must have a prime factor not in the list. Conclude that there are infinitely many primes.

9. Show that if the smallest prime factor p of the positive integer n exceedsd6 then n/p must be prime or 1.

10. il Find the smallest five consecutivecomposite integers. b) Find one million consecutivecomposite integers.

I l. Show that there are no "prime triplets", i.e. primes p, p + 2, and p + 4, other than 3,5, and 7.

12. Show that every integer greater than 11 is the sum of two compositeintegers.

13. Use the principleof inclusion-exclusion(problem 17 of Section 1.1) to show that o(n):(o(.6-)-r)- n l-l . +l-ll tl* lp,I lp,l)

l*l .l*l . +lrnl wherept,pz,...,p, are the primesless than or equalto ^6 (with r:zr

Pi,,...,pi,,and use problem 23 of Section 1.2.)

14. Use problem l3 to find zr(250).

15' il show that the polynomial - x2 x * 4l is prime for all integers x with 0 ( I < 40. Show, however,that it is compositefor x : 4i. b) Show that if (x) : f onxn + an-,x;-t + * a1x r as where the coefficients are integers, then there is an integer y such that (Hint: f(y) is composite. Assume that :p is prim., f(x) unJsho* p dividesf (x+kfl for ail integers ft ' conclude from the faci that a polynomial of degree z takes on each value at most n times, that there is an integer y suctr that f(y) is composite.) 16' The lucky numbers are generated by the following sieving process. Start with the positive integers. Begin the processby crossing out every second integer in the list' starting your count with the integer t. other than I the smallestinteger left is 3, so we continue by crossing out every third integer left, starting the count with the integer l. The next integer left is 7, so we crossout every seventh integer left. Continue this process,where at each stage we cross out every kth integer left where & is the smallest integer left other than one. The integersthat remain are the lucky numbers.

a) Find all lucky numbers lessthan 100.

b) show that there are infinitery many rucky numbers.

17. Show that if p prime is and I ( t ( p, then the binomial coefficient ,, [;] divisibleby p.

1.5 Computer Projects

Write programs to do the following: l ' Decide whether an integer is prime using trial division of the integer by all primes not exceedingits square root.

2. Use the sieveof Eratosthenesto find all primes lessthan 10000. 3' Find zr(n), the number of primes lessthan or equal to rz, using problem 13. 4. verify Goldbach's conjecture for all even integers lessthan 10000. 5. Find all twin primes lessthan 10000.

6. Find the first 100 primes of the form n 2 + l.

7. Find the lucky numbers lessthan 10000 (seeproblem 16). GreatestCommon Divisors and Prime Factorization

2.1 GreatestCommon Divisors If a and b are integers, that are not both zero, then the set of common divisorsof a and 6 is a finite set of integers,always containing the integers*l and -1. We are interestedin the largestinteger among the common divisors of the two integers.

Definition. The greotest common divisor of two integers a and b, that are not both zero, is the largest integer which divides both a and b.

The greatestcommon divisor of a and b is written as (a, b).

Example. The commondivisors of 24 and 84 are t l, J.2, +3, 1.4,t6, and + 12. Hence Q+, g+) : 72. Similarly, looking at setsof commondivisors, we findthat (15,81) :3,(100,5) : 5, (I7,25): l,(0,44):44,(-6, -15) :3, and (-17, 289) : 17.

We are particularly interested in pairs of integers sharing no common divisorsgreater than l. Such pairs of integersare called relatively prime.

Definition. The integers a and b are called relatively prime if a and b have greatestcommon divisor (a, b) : l.

Example. SinceQ5,42) : 1,25 and42 are relativelyprime. 53 54 GreatestCommon Divisors and prime Factorization

Note that since the divisors of -c are the same as the divisors of a, it : follows that (a, b) (lal, la ll (where lc I denotesthe absolutevalue of a which equalsa if a )0 and equals-a if a <0). Hence, we can restrict our attentionto greatestcommon divisors of pairs of positiveintegers. We now provesome properties of greatestcommon divisors.

Proposition 2.1. Let a, b, and c be integerswith G, b) : d. Then (;) b/d, bld) : I (ii) (atcb, b) : (a, b).

Proof. (D Let a and b be integers with (a,b) : d. we will show that a /d and b/d have no common positivedivisors other than 1. Assume that e is a positiveinteger such that e I Q/d) and e I Qtal. Then, there are integersk and I with ald : ke and b/d :Qe, such that a : dek and b : de[. Hence. de is a common divisor of a and b. Since d is the greatestcommon divisor of o and b,e must be l . Consequently,G /d , b /d) : l.

(ii) Let a, b, and c be integers. We will show that the commondivisors of a and b are exactly the same as the common divisorsof a t cb and b. This will show that (a *cb , b) : G, b). Let e be a common divisor of a and b . By Proposition1.4, we see that e I b*cb), so that e is a common divisor of a * cb and 6. It,f is a commondivisor of a * cb and b, then by Proposition 1.4,we seethat/ dividesb+cb) - cb : a, so thatf is a commondivisor of a andb. HenceG*cb, b) : (a, b'). a

We will show that the greatestcommon divisor of the integersa and b, that are not both zero,can be written as a sum of multiplesof a and b. To phrase this more succinctly,we usethe following definition.

Definition. If a and b are integers,then a linear combination of a and b is a sum of the form ma * nD, where both rn and,n are integers. We can now state and prove the following theorem about greatest common divisors.

Theorem 2.1. The greatest common divisor of the integers a and b, that are not both zero, is the least positive integer that is a linear combination of a and b.

Proof. Let d be the least positive integer which is a linear combination of a and b. (There is a least such positive integer, using the well-ordering property, since at least one of two linear combinations l'a t 0'b and 2,1 GreatestCommon Divisors 55

GDa + 0'b, wherea 10, is positive.)We write rz.rlR==r* d:ma*nb, ? wherem andn [email protected] thatd la andd lb. By the divisionalgorithm, we have a:dq*r, 0(r

From'n"'o:'1'::^r: :' ;: ;';::,b) : e-qm)a - qnb

This shows that the integer r is a linear combination of a and D. Since 0 ( r 1d, and d is the least positive linear combinationof a and b, we concludethat r : 0, and henced I o. In a similar manner,we can show that d I b. We now demonstratethat d is the greatest commondivisor of a and b. To show this, all we needto show is that any commondivisor c of a and D must divided. Sinced:ma*nb, if c laandclb,Propositionl.4tellsusthat c I d. tr We have shown that the greatestcommon divisor of the integersa and b, that are not both zero. is a linear combinationof a and b. How to find a particular linear combinationof a and D equal to G, D) will be discussedin the next section.

We can alsodefine the greatestcommon divisor of more than two integers.

Definition. Let e1, e2,...,en be integers, that are not all zero. The greatest common divisor of these integers is the largest integer which is a divisor of all of the integers in the set. The greatest common divisor of at, a2,...,c, is denotedby (a1,a2,,..., an).

Example. We easilysee that 02, 18,30) :6 and (10, 15, 25) : 5. To find the greatestcommon divisor of a set of more than two integers,we can usethe following lemma.

L,emma2.1. If a1, a2,...,an are integers, that are not all zero, then (a1, a2,..., an-1, an) : (a1, a2r..., (on-r, a)).

Proof. Any common divisor of the n integers ar, e2,...,en_t, en is, in particular, a divisor of ar-1 and an, and therefore, a divisor of (an_1,an). 56 GreatestCommon Divisors and PrimeFactorization

Also, any commondivisor of the n-2 integers4 t, a2,...,on_2, and (an_1,an), must be a commondivisor of all n integers,for if it divides (on-r, an), it must divide both cr-1 and an Since the set of n integersand the set of the first n-2 integers together with the greatest common divisor of the last two integers have exactly the same divisors, their greatest common divisors are equal. tr

Example. To find the greatest common divisor of the three integers 105,140, and 350, we use Lemma 2.1 to see that (105,140. 350) : (105,(140,350)) : (l05,70): 35.

Definition. We say that the integers a1.e2,...,e1 are mutually relatively prime if (a1, e2,...,an) : l. These integers 4re called pairwise relatively prime if for eachpair of integers4; and a; from the set, (ai, a1): l, that is, if eachpair of integersfrom the set is relativelyprime. It is easy to seethat if integersare pairwiserelatively prime, they must be mutually relatively prime. However, the converseis false as the following exampleshows.

Example.Consider the integers15, 21, and 35. Since (15,2r,35):(ts, (2t,35)): (r5,7): r, we see that the three integersare mutually relatively prime. However, they are not pairwise relatively prime, because(tS. zl) : 3, (15,35):5, and (21,35):7.

2.1 Problems

l. Find the greatestcommon divisor of each of the following pairs of integers

il 15,35 d) 99, 100 b) 0, lll e) 1l, l2l c) -12. t8 f) 100,102

Showthat if a andb areintegers with (a, b) : l, then (a*b, a-b) : I or 2.

Show that if a and b are integers, that are not both zero, and c is a nonzero integer,then (ca, cb) : lclb, b\. 4. What is (a2+b2,a*b), where a and b are relativelyprime integers,that are not both zero? 2.1 GreatestCommon Divisors 57

5. Periodicalcicadas are insectswith very long larval periodsand brief adult lives. For each speciesof periodical cicada with larval period of 17 years, there is a similar specieswith a larval period of 13 years. If both the l7-year and l3-year speciesemerged in a particular location in 1900, when will they next both emerge in that location?

6. a) Show that if a and b are both even integers, that are not both zero, then (a,b) : 2fu/2, b /2).

b) Show that if a is an even integer and b is an odd integer, then G, b\ : G12, b). 7. Showthat if a,b, andc areintegers such that G,b): I and c I G*b), then k,a):(c,D)-L

8. il Show that if a,b, and c are integerswith b,b): (a, c) : l, then (a, bc) : L

b) Use mathematicalinduction to showthat if at, a2,...,anare integers,and b is another integer such that (ar b) : (az,b) : : (on,b) - l, then (ap2' ' on,b) : l.

9. Showthat if a, b,and c are integerswith c I ab, thenc | (a, c) (b, c).

10. a) Show that if a and b are positiveintegers with (a , b) : l, then (an, bn) : I for all positiveintegers n.

b) Use part (a) to provethat if a and b are integerssuch that a' I bn where n is a positiveinteger, then c I b. ll. Show that if a, b and c are mutually relatively prime nonzerointegers, then G, bd : (a, b)(a, c), T2, Find a set of three integersthat are mutually relatively prime, but not relatively prime pairwise. Do not use examplesfrom the text.

13. Find four integersthat are mutually relativelyprime, such that any two of these integersare not relativelyprime.

14. Find the greatestcommon divisor of eachof the followingsets of integers

a) 8, lo, 12 d) 6,15,21 b) 5,25,75 e) -7,28, -35 c) 99,9999,0 f) 0,0, l00l .

15. Find three mutually relatively prime integers from among the integers 66, 105,42,70, and 165.

16. Show that ar, a2,...,an are integers that are not all zero and c is a positive integer,then (cat, caz,...,can) - c(a6 a2...,an). 58 Greatest Common Divisors and Prime Factorization

t7. Show that the greatestcommon divisor of the integersat, o2,...,an, that are not all zero,is the least positiveinteger that is a linear combinationof a t, at,..., an. r8. Show that if k is an integer, then the six integers 6k-l, 6k +l , 6k+2, 6k +3, 6k+5, are pairwiserelatively prime.

r9. Show that if k is a positiveinteger, then 3k *2 and 5k +3 are relativelyprime.

20. Show that every positive integer greater than six is the sum of two relativelv prime integersgreater than I .

2t. a) Show that if a and b are relatively prime positive integers, then (a'-b^)l(a-b).a-b) : I or n.

b) Showthat if o andb arepositive integers, then ((an-b'\/G-b), a-b) : (n(a,b)r-t,a-b).

2.1 ComputerProjects l. Write a programto findthe greatestcommon divisor of two integers.

2.2The EuclideanAlgorithm We are going to developa systematicmethod, or algorithm, to find the greatestcommon divisor of two positiveintegers. This method is called the Euclidean algorithm. Before we discuss the algorithm in general, we demonstrateits use with an example. We find the greatestcommon divisor of 30 and 72. First,we usethe divisionalgorithm to writeT2:30'2 + 12,and we use Proposition2.1 to note that $0,7D: (30,72- 2.30) : (10,t2). Another way to see that (J,0,7D: (30, 12) is to notice that any common divisor of 30 and 72 must also divide 12 because12 : 72 - 30'2. and conversely,any common divisor of 12 and 30 must also divide 72, since 72:30'2+ 12. Note we havereplaced 72by the smallernumber 12 in our computationssince 02,30): (30, l2). Next, we use the divisionalgorithm again to write 30 : 2'12 + 6. Using the samereasoning as before,we seethat (30, 12) : (12,6). Because 12 : 6'2 * 0, we now see that 02, O : (6, 0) : 6. Consequently,we can conclude that (72,30) : 6, without finding all the commondivisors of 30 and 72. We now set up the generalformat of the Euclideanalgorithm for computing the greatestcommon divisor of two positiveinteger.

The EuclideanAlgorithm. Let rs : a and r r : b be nonnegativeintegers with b I 0. If the division algorithm is successivelyapplied to obtain ri: ri+tQi*,I ri+2 with 0 1 ri+2 1ri+t for 7 :0,1,2,...,n-2 and r, :0, ot =bt *f^ O

-- then (a , b) r,-1, the last nonzeroremainder. From this theorem,we see that the greatestcommon divisor of c and b is the last nonzero remainder in the sequenceof equations generated by successivelyusing the division algorithm, where at each step,the dividend and divisorare replacedby smaller numbers,namely the divisor and remainder. To prove that the Euclideanalgorithm producesgreatest common divisors, the following lemma will be helpful.

Lemma 2.2. If c and d are integers and c : dq * r where c and d ate integers,then (c, d) : (d, r).

Proof. If an integer e dividesboth c and d, then sincer : c-dq, Proposition 1.4 showsthat elr. If eld and elr, then sincec:dqlr, from Proposition1.4, we seethat e I c. Since the common divisorsof c and d are the sameas the commondivisors of d andr, we seethat k, d) : (d, r). tr We now provethat the Euclideanalgorithm works.

Proof. Let r0: e and rr : b be positive integers with a 7 b. By successivelyapplying the divisionalgorithm, we find that

fg : rtQt*rZ 0< r2 f y : r2Q2* rt 0< r3

tn-3 : fn-2Qn-Z * fn-t 0 ( rr-r : f n-2 fn-lQn-t * fn 0 (r, : I n-l lnQn

We can assumethat we eventuallyobtain a remainder of zero since the sequenceof remaindersa: rolr1>. 12>. ) 0 cannot contain more than c terms. Bv Lemma 2.2. we see that (a, b) : (rs,r1) : (rl, rz) : (rr., r) (rn-r, fn-t) : (rr-r, rr) : (rr,0) : rn. Hence (a,b) : r-. the last nonzeroremainder. tr

We illustratethe useof the Euclideanalgorithm with the following example.

Example. To find (252, 198), we use the division algorithm successivelyto obtain 60 Greatest Common Divisors and Prime Factorization

252: l.1gg+ 54 198:3'54 +36 54:1'36 +18 36 : 2.18.

HenceQSZ. 198): 18.

Later in this section, we give estimates for the maximum number of divisions used by the Euclidean algorithm to find the greatest common divisor of two positive integers. However, we first show that given any positive integer n, there are integersa and b such that exactly n divisionsare requiredto find G, b) using the Euclidean algorithm. First, we define a specialsequence of integers.

Definition. The Fibonacci numbers ur, u2, u3,... are defined recursively by the equationsa t: u2: I and un: un-t * un-2forn 2 3. Using the definition, we see that u3: tt2 * yt: I t | : 2, u3l u2 : 2 * I : 3, and so forth. The Fibonaccisequence begins with the integers 1,1,2,3,5, 8 13,21,34,55,89, I44,.... Eachsucceeding term is obtained by adding the two previousterms. This sequenceis named after the thirteenth century ltalian mathematicianLeonardo di Pisa,also known as Fibonacci,who used this sequenceto model the population growth of rabbits (see problem 16 at the end of this section).

In our subsequentanalysis of the Euclidean algorithm, we wil! need the following lower bound for the nth Fibonacci number.

Theorem 2.2. Let n be a positive integer and let cu: ( l+-.8) /2. Then unlan-2forn73.

Proof. We use the second principle of mathematical induction to prove the desired inequality. We have a 1 2: u3, so that the theorem is true for n :3.

Now assumethat for all integersk with k 4 n, the inequality ok-2 1 ut holds.

Sincea : (l+rfr/2 is a solutionof x2 -x - I : 0, we havea2: a * l. Hence,

otn-l : o2.on-3: (a*l).ar-3 : s1n-2 * an-3 2.2 The Euclidean Algorithm 61

By the induction hypothesis,we have the inequalities an-2 < un, otn-31 un-t ,

Therefore, we concludethat

or'-l lun*un-l-un*l

This finishesthe proof of the theorem. tr

We now apply the Euclidean algorithm to the successiveFibonacci numbers 34 and 55 to find (34. 55). We have 55:34'l+21 34:21'l+13 2l: l3'l + 8 13:8'1 + 5 8 : 5'1 * 3 5:3'l * 2 3:2'l * I 2: l'2.

We observe that when the Euclidean algorithm is used to find the greatest common divisor of the ninth and tenth Fibonacci numbers, 34 and 55, a total of eight divisions are required. Furthermore, (34, 55) : 1. The following theorem tells us how many divisions are needed to find the greatest common divisor of successiveFibonacci numbers.

Theorem 2.3. Let unrr and unt2 be successiveterms of the Fibonacci sequence. Then the Euclidean algorithm takes exactly n divisionsto show that (un*r, ura2): l.

Proof. Applying the Euclidean algorithm, and using the defining relation for the Fibonacci numbers ui : uj-r I ui-z in each step, we seethat

lln*2: Un*t'l t Un, Un*l: Un'l + Un-1,

Lt4: u3'1 * u2' It3 : tt2'2.

Hence, the Euclidean algorithm takes exactly n divisions, to show that (unq2,tlnqr): uz - l. E 62 GreatestCommon Divisors and Prime Factorization

We can now prove a theorem first proved by Gabriel Lame', a French mathematician of the nineteenth century, which gives an estimate for the number of divisions needed to find the greatest common divisor using the Euclidean algorithm.

Lam6's Theorem. The number of divisions neededto find the greatestcommon divisor of two positive integers using the Euclidean algorithm does not exceed five times the number of digits in the smaller of the two integers.

Proof. When we apply the Euclidean algorithm to find the greatest common divisor of a : re and b :r 1 with a ) b, we obtain the following sequenceof equations:

fg : rtQt*rZ, 0(rz1rr, f1 :rZ4Z*rt, 0(131rz,

fn-2 : fn-tQn-t * rr, 0 ( rn 1 rn-t, fn-l : tnQn,

We have used n divisions. We note that each of the quotientsQt, Q2,...,Qn-l is greaterthan or equal to l, and Qn 7 2, sincern 1rn-1. Therefore, rr2l:ur, rn-t 2 2rn 2 2u2: u3, rn-z 2 rn-t * rn 2 ut * u2: u4, rn-l 2 rn-z * rn-t 2 uq * u3: tt5,

rz)13*14 7 unq * un-z: u* b:'r2rz * rt 7 un * un-t : un+l

Thus, for there to be n divisions used in the Euclidean algorithm, we must have b 7 un+r. By Theorem 2.2, we know that unay ) qn-r for n ) 2 where a: (l+.,8)/2. Hence,b ) an-r. Now, sinceloglsa > 1/5, we seethat

logrqb > h-l)loglsa > (CI-l)/5.

Consequently, n-l(S'logleb. 2.2 The Euclidean Algorithm 63

Let b havek decimal{igits, so that b < 10ftand loglsb < k. Hence,we see that n - I < 5k and since /c is an integer, we can concludethat n < 5k. This establishesLam6's theorem. tr The following result is a consequenceof Lam6'stheorem.

Corollary 2.1. The number of bit operations needed to find the greatest commondivisor of twopositive integers a and, yy ir;;i.:f$;:ri?', Proof. We know from Lam6's theorem that O Qogra) divisions, each taking O(log2a)2) bit operations,are neededto find fu, b). Hence, by Proposition 1.7, (a, b) may be found using a total of O((log2a)3) bit operations.D The Euclideanalgorithm can be usedto expressthe greatestcommon divisor of two integers as a linear combination of these integers. We illustrate this by expressing(252, 198) : l8 as a linear combinationof 252and 198. Referring to the stepsof the Euclideanalgorithm used to find (252, 198), from the next to the last step,we seethat 18:54-l'36.

From the secondto the last step,it followsthat 36:198-3'54, which implies that 18: 54- t.(198-3.54): 4.54- 1.198.

Likewise, from the first stepwe have 54:252 - l'198. so that l8 - 4(252-1.198)- 1.198: 4.252- 5.198.

This last equationexhibits l8 : (252, 198) as a linear combinationof 252 and l 98. In general,to seehow d : (a, b) may be expressedas a linear combination of a and 6, refer to the series of equations that is generated by use of the Euclideanalgorithm. From the penultimateequation, we have rn: (a, b) : rn-2- rn-rQn-r.

This expressesb,b)'as a linear combinationof rr-2e,fidrr-1. The secondto 64 GreatestCommon Divisors and PrimeFactorization

the last equationcan be used to expressr2-1 &S rn-3 -rn-zen-z . Using this last equation to eliminate rn-1 in the previousexpression for (4,6), we find that

ln: ln-3- fn-24n-2,

so that

b, b) : rn-2- (rn4-rn-zQn-z)en-r -- - (l+qrnQn-z)rn-z Qn-rrn-3,

which expressesb, b) as a linear combinationof rn-2 zfid r,4. We continue working backwards through the steps of the Euclidean algorithm to express G, b) as a linear combinationof each precedingpair of remaindersuntil we havefound (a, b) as a linear combinationof to: a and 11- b. Specifically, if we havefound at a particular stagethat

G,b):sriltrit,

then, since ti: ti_2- ri_tQi_r,

we have

b,b) : s (ri-z*ri-g1-r) * tr1-r : Q-sqt-)ri-r * sri-2.

This showshow to move up through the equationsthat are generatedby the Euclideanalgorithm so that, at each step, the greatestcommon divisor of a and b may be expressedas a linear combination of a and b.

This method for expressingG, b) as a linear combinationof a and b is somewhatinconvenient for calculation, becauseit is necessaryto work out the steps of the Euclidean algorithm, save all these steps, and then proceed backwardsthrough the stepsto write G,b) as a linear combinationof each successivepair of remainders. There is another method for finding b,b) which requires working through the steps of the Euclidean algorithm only once. The following theoremgives this method.

Theorem 2.4. Let a and b be positive integers. Then

fu,b):sna+tnb,

for n:0,1,2,..., where,sn andtn are the nth terms of the sequencesdefined recursivelyby 2.2 The Euclidean Algorithm 65

SO: l, /0:0, sl :0, /l : l, and - si : Si*z- ?i-tsi-t, tj : tj-z Q1-zt1-t for 7 :2,3, ...,fl, where the q;'s are the quotientsin the divisionsof the Euclideanalgorithm when it is usedto find G,b).

Proof. We will prove that

Q.D ri : sia + tjb for 7 : 0, I ,...,fl. Since G,b) : r, once we have established(2.2), we will know that G,b):sna+tnb.

We prove (2.2) using the secondprinciple of mathematicalinduction. For l :0, we have a : r0: l'a * 0'b : ssa* tsb. Hence, Q.D is valid for j :0. Likewise,b : rr:0'a + l'b: slc + tft, so that Q.D is valid for j : l.

Now, assumethat ri:Sia+tjb for 7 : 1,2,..., k-1. Then, from the kth stepof the Euclideanalgorithm, we have tk : rk-2 - r*_lQt-l .

Using the inductionhypothesis, we find that

r1 : (s1-2a*tp-2b) - (s1raa*t1r-1b)Q*-r : (s1-2-s*-tq*-)a * Qp2-t*-rq*-)b :Ska+tkb.

This finishesthe proof. tr

The following example illustratesthe use of this algorithm for expressing (a,b) as a linear combinationof a and b.

Example. Let a :252 and D : 198. Then 66 GreatestCommon Divisors and prime Factorization

so: l, lo:0, sl :0, Ir : 1, J2:S0-sql:l- 0'l:1, tZ:tO-ttQt:0- 1.1: -1, - J3:St SZQz:0- l'3 : -3, t3: tt - 1ZQZ:1 - (-l)3 : 4, s4: s2- stQt: I - (-l)'t : 4, tq: tz- ttQz: -l - 4.1: -5.

Since14: 18: (252,198)and 14: s4o+ t4b,we have

18 - (252,198) : 4.252- 5.198.

It should be noted that the greatestcommon divisor of two integersmay be expressedin an infinite number of different ways as a linear combination of theseintegers. To seethis, let d : (a,b) and let d : so I tb be one way to write d as a linear combination of a and b, guaranteed to exist by the previousdiscussion. Then

d : (s - k(b/d))a + Q - kb/d))b for all integersk.

Example. With a :252 and b : 198, lB: (252, 198) : (+ - t Ik)252 + (-S - l4k)198 whcneverk is an integer.

2.2 Problems

l. Use the Euclidean algorithm to find the following greatestcommon divisors il (45,75) c) (ooo,r+r+) b) 002,22D d) (2078S,44350).

2. For each pair of integers in problem l, expressthe greatest common divisor of the integersas a linear combination of these integers.

3. For each of the following sets of integers, expresstheir greatest common divisor as a linear combination of these integers

il 6, 10, l5

b) 70,98,105 c) 280,330,405,490.

4. The greatest common divisor of two integers can be found using only subtractions, parity checks, and shifts of binary expansions,without using any divisions. The algorithm proceedsrecursively using the following reduction 2.2 The Euclidean Algorithm 67

I, if a:b lL,b/2) if a and 6 are even G.b): )2k l{o/z,t) if a is even and b is odd -D,b) if a and b are odd. [(a

a) Find (2106,8318) usingthis algorithm.

b) Show that this algorithm always produces the greatest common divisor of a pair of positiveintegers.

5. In problem 14 of Section 1.2, a modified division algorithm is given which says that if a and 6 > 0 are integers,then there exist unique integersq,r, and e such that a : bq * er, wheree - tl,r ) 0, and -blz < er { bl2. We can set up an algorithm, analogous to the Euclidean algorithm, based on this modified division algorithm, called the least-remainder algorithm. It works as follows. Let rs: a and rr: b, where a ) b 7 0. Using the modified division algorithm repeatedly,obtain the greatest common divisor of a and b as the last nonzeroremainder rn in the sequenceof divisions

ro : rtQr * e2r2, -rtlz 1 e2r2 4 ,tlz

rn-Z : ln-tQn-tI enrn, -rn-tl2 I enrn 4, rn-tl2 fn-l : 7n4n'

a) Use the least-remainderalgorithm to find (384, 226).

b) Show that the least-remainder algorithm always produces the greatest commondivisor of two integers.

c) Show that the least-remainderalgorithm is always faster, or as fast, as the Euclidean algorithm.

d) Find a sequenceof integers v6, V1,v2,... such that the least-remainder algorithm takesexactly n divisionsto find (vn*,, vn+z).

e) Show that the number of divisions needed to find the greatest common divisor of two positive integersusing the least-remainderalgorithm is less than 8/3 times the number of digits in the smallerof the two numbers,plus 413.

6. Let m and n be positive integers and let a be an integer greater than one. Show that (a^-1, an-l) - a(^' n) - l.

7. In this problem, we discussthe game of Euclid. Two players begin with a pair of positive integers and take turns making movesof the following type. A player can move from the pair of positiveintegers {x,y} with x 2 y, to any of the pairs [x-ty,yl, where / is a positive integer and x-ty 2 0. A winning move 68 GreatestCommon Divisors and PrimeFactorization

consistsof moving to a pair with one element equal to 0.

a) Show that every sequence of moves starting with the pair {a, bl must eventuallyend with the pair {0, (a, b)}.

b) show that in a game beginning with the pair {a, b},1he first player may play a winning strategyif a - 6 or if a 7 b0+ Jil/z; otherwisethe second player mgr play a winning strategy. (Hint: First show that if y < x ( y(t+VS)/Z then thge is a unique move from l*,Ol that goesto a pair lt, r| with y > ze+Jil/z.)

In problems8 to 16, un refersto the nth Fibonaccinumber.

8. Showthat if n is a positiveinteger, then rz1l u2 I I ttr: un+z- l. 9. Show that if n is a positiveinteger, then unapn-r - u] : GD'.

10. Show that if n is a pqsitive integer, then un: (c'n-0\/'..fs, where o : (t+.,6) /2 andp : Q-'./-il/2. ll. Show that if m and n arepositiveintegers such that m I n, then u^ | un. 12. Show that if m and n are positiveintegers, then (u^, un) : u(m,il.

13. Show that un is evenif and only if 3 | n. (t 'l t4. Letu: li i,. Irn*, Itn I a) Show that Un : . lu, u^_r) b) Prove the result of problem 9 by consideringthe determinant of Un.

15. We define the generalized Fibonacci numbers recursively by the equations gr- a, E2: b, and gn - gn-t* gr-zfor n 2 3. Showthat gn: oun-2* bun-1 for n )- 3.

16. The Fibonacci numbers originated in the solution of the following problem. Supposethat on January I a pair of baby rabbits was left on an island. These rabbits take two months to mature, and on March I they produce another pair of rabbits. They continually produce a new pair of rabbits the first of every succeeding month. Each newborn pair takes two months to mature, and producesa new pair on the first day of the third month of its life, and on the first day of every succeedingmonth. Show that the number of pairs of rabbits alive after n months is precisely the Fibonacci number un, assuming that no rabbits ever die.

17. Show that every positive integer can be written as the sum of distinct Fibonacci numbers. 2.3 The Fundamental Theorem of Arithmetic 69

2.2 Computer Projects

Write programs to do the following:

l. Find the greatestcommon divisor of two integersusing the Euclideanalgorithm.

2. Find the greatest common divisor of two integers using the modified Euclidean algorithm given in problem 5.

3. Find the greatest common divisor of two integers using no divisions (see problem 0. 4. Find the greatestcommon divisor of a set of more than two integers.

5. Express the greatest common divisor of two integers as a linear combination of theseintegers.

6. Express the greatest common divisor of a set of more than two integers as a linear combination of these integers.

7. List the beginning terms of the Fibonacci sequence.

8. Play the game of Euclid describedin problem 7.

2.3 The FundamentalTheorem of Arithmetic The fundamental theorem of arithmetic is an important result that shows that the primes are the building blocks of the integers. Here is what the theoremsays.

The Fundamental Theorem of Arithmetic. Every positive integer can be written uniquely as a product of primes,with the prime factors in the product written in order of nondecreasingsize.

Example. The factorizationsof somepositive integersare given by

240: 2.2.2.2.3.5: 24.3.5,289 : 17.17: 1i2.1001: 7.11.13.

Note that it is convenient to combine all the factors of a particular prime into a power of this prime, such as in the previous example. There, for the factorization of 240, all the fdctors of 2 were combined to form 24. Factorizationsof integers in which the factors of primes are combined to form powersare called prime-power factorizations. To prove the fundamental theorem of arithmetic, we need the following lemma concerningdivisibility.

Lemma 2.3. lf a, b, and c are positive integers such that (a, b) : I and 70 GreatestCommon Divisors and PrimeFactorization

a I bc, thena I c,

Proof. Since G,b): 1, there are integersx and y such that ax * by : y. Multiplying both sides of this equation by c, we have acx * bcy: c. By Proposition1.4, a divides acx * 6cy, since this is a linear combinationof a and bc, both of which are divisibleby a. Hencea I c. a The following corollary of this lemma is useful.

Corollary 2.2. If p dividasap2 an wherep is a prime and c r, a2,...,on are positive integers, then there is an integer i with I < t ( n such that p dividesa;.

Proof. We prove this result by induction. The case where n : I is trivial. Assume that the result is true for n. Considera product of n * t, integers, ar az aral that is divisibleby the primep. Sincep I ar az on*t: (a1a2 an)ana1,we know from Lemma 2.3 that p I ar az en or p I ar+r. Now, it p I ar az a' from the induction hypothesisthere is an integer i with 1 < t ( n such Ihat p I ai. Consequentlyp I a; for some i withl

We now finish the proof of the fundmental theorem of arithmetic by showingthat the factorization is unique.

Supposethat there is a positive interger that has more than one prime factorization. Then, from the well-ordering property, we know there is a least integer n that has at least two different factorizationsinto primes:

fl:PtPz Ps:QtQz Qt, wherept,p2,...,ps,Qt,...,4t are all primes,with pr ( pz ( ( p, and {r(42( (q'. 2.3 The Fundamental Theorem of Arithmetic 71

We will show that pt: Qr,p2: Q2,...,and continueto showthat eachof the successivep's and q's are equal, and that the number of prime factors in the two factorizations must agree, that is s : /. To show that pr: Qr, assumethat pr * qy Then, either pr ) 4r or pr 1 Qr By interchanging the variables,if necessary,we can assumethat pr ( qr. Hence,pr 1q; for i : 1,2,...,tsince 41 is the smallestof the q's. Hence,pr trqi for all i. But, from Corollary 2.2, we see that pr I qflz et : tt. This is a contradiction. Hence, we can conclude that pr : Qr and n/pr: pz pt ps : QzQt Qt. Sincenlpl is an integersmaller than n, and since n is the smallest positive integer with more than one prime factorization,nfpl con be written as a product of primes in exactly one way. Hence, eachpi is equal to the correspondingq;, and s : /. This proves the uniquenessof the prime factorization of positive integers. tr The prime factorization of an integer is often useful. As an example, let us find all the divisorsof an integer from its prime factorization.

Example. The positivedivisors of 120 : 233'5 are thosepositive integers with prime power factorizationscontaining only the primes 2,3, and 5, to powers lessthan or equal to 3, 1, and l, respectively.These divisors are I 3 5 3'5:15 2 2'3: 6 2'5: 10 2'3'5: 30 22: 4 22.3: 12 22.5: 20 223.5: 6o 23:8 z3-3: 24 23.5: 40 23.3.s: l2o .

Another way in which we can use prime factorizations is to find greatest common divisors. For instance,suppose we wish to find the greatest common divisorof 720 : 2432'5and 2100 : 223'52'7. To be a commondivisor of both 720 and 2100, a positiveinteger can contain only the primes 2, 3, and 5 in its prime-power factorization, and the power to which one of theseprimes appears cannot be larger than either of the powersof that prime in the factorizations of 720 and 2100. Consequently,to be a common divisor of 720 and 2100, a positive integer can contain only the primes 2,3, and 5 to powersno larger than2, l, and l, respectively.Therefore, the greatestcommon divisor of 720 and 2100is 22.3.5: 60.

To describe, in general, how prime factorizations can be used to find greatestcommon divsors, let min(a, D) denotethe smalleror minimum, of the two numbers d and 6. Now let the prime factorizationsof a and b be o : pi,pi2.. . p:., b : p'r,plz.. . p:,, where each exponent is a nonnegativeinteger and where all primes occurring 72 GreatestCommon Divisors and PrimeFactorization

in the prime factorizationsof c and of b are included in both products, perhapswith zero exponents. We note that

fu,b): pl'"k"0,)plinb,'b, p:'n(oro,), sincefor eachprime pi, a and b shareexactly min(a;,6;) factorsof p;. Prime factorizationscan also be used to find the smallestinteger that is a multiple of two positive integers. The problem of finding this integer arises when fractions are added.

Definition. The least common multiple of two positive integersa and D is the smallestpositive integer that is divisibleby a and b.

The leastcommon multiple of a and b is denotedby Io, bl.

Example. We have the following least common multiples: ll5,2l l: 105, lZq, Xl : 72,lZ, Z0l : 2A,and [7, lll : 77. Once the prime factorizations of a and b are known, it is easy to find Ia,bl. If a : pi,pi, plr. and,b : pi,pur2 .. . pun,where pt,pz,...,pn are the primes occurring in the prime-powerfactorizations of a and b, then for an integer to be divisible by both c and D, it is necessarythat in the factorization of the integer, eachp; occurs with a power at least as large as ai and bi. Hence, [a,b], the smallestpositive integer divisible by both a and b is *Grb,) *Gru') la,bl: pl Omaxb,'b,) pf where max(x, /) denotesthe larger, or maximum, of x andy. Finding the prime factorization of large integers is time-consuming. Therefore, we would prefer a method for finding the least common multiple of two integers without using the prime factorizations of these integers. We will show that we can find the least common multiple of two positiveintegers once we know the greatest common divisor of these integers. The latter can be found via the Euclideanalgorithm. First, we provethe following lemma.

Iemma 2,4. If x and y are real numbers, then max(x,y) + min(x,y) :x+y.

Proof.If x)y, then min(x,y):y and max(x,!):x, so that max(x,y)+min(x,y):x*y. If x

To find Ia, b l, once b, b) is known,we usethe following theorem.

Theorem 2.5. lf a and b ate positive integers,then la,bl: ab/G,b),, where Ia, b I and G, b) are the least common multiple and greatestcommon divisorof c and b, respectively.

Proof. Let a and b have prime-power factorizations a : p\'pi' pl' and t : pl'p!2 " ' p:', where the expnents are nonnegativeintegers and all primes occurring in either factorization occur in both, perhaps with zero exponents.Now let M1: max(c;, b;) and ffii -min(a1,b1). Then,we have la,blb,il:pY'pY' p{'pT'pT2''' pf' : O{,+^,r{'*^' bY'*^' : pl'+b'Oo'+b' p:'*o' : p\'p;' pi'p"' po^' : ab. sinceMi + ffij: max(ay,bj) + min(ar',b): a1 * b1by Lemma2.4. tr The following consequenceof the fundamentaltheorem of arithmetic will be neededlater.

Lemma 2.5. Let m and n be relatively prime positive integers. Then, if d is a positivedivisor of mn, there is a unique pair of positivedivisors d 1 of m and d2of n such that d : diz. Conversely,if dl and d2 are positivedivisor of z andn, respectively,then d : dfl2is a positivedivisors of mn.

Proof. Let the prime-power factorizations of m and n be m : pT'pT' p:' and n: qi'qi2 " ' qi' . Since (m,n) - l, the set of primes ptPz,...,Ps and the set of primes Qt,42,...,4thave no common elements. Therefore,the prime-powerfactorization of mn is mn: pT'pT' p!'qi'qi' q:' .

Hence,if d is a positivedivisor of mn, then d:pi'piz "' pi'q{'qI' q{' where0(ei (mi for i:1,2,...,s and 0(f (n; for 7:1,2,...,t. Now let 74 GreatestCommon Divisors and prime Factorization

dt : p't'ptz'

and

dr: q{'qI' q{' .

Clearlyd : dfi2and(dr, d) : l. Thisis the decomposition of d wedesire. Conversely,let dy and d2be positivedivisors of m and n, respectively.Then dr: p'r'ptr' p:'

where0 ( ei ( mi for i : 1,2,...,s, and

dr: q{'q[' q{'

where0 < /j ( n; for j : 1,2,...,t. The integer d : dfi2: p'r'pi, . -. pi,q{,q[, q{'

is clearly a divisorof mn: p?'pT' p!'qi'qi, ql,, sincethe power of such prime occurringin the prime-powerfactorization of d is less than or equal to the power of that prime in the prime-power factorization of mn. tr

A famous result of number theory deals with primes in arithmetic progressions.

Dirichlet's Theorem on Primes in Arithmetic Progressions. Let a and b be relatively prime positive integers. Then the arithmetic progression an * b, fl : 1,2,3,..., containsinfinitely many primes.

G. Lejeune Dirichlet, a German mathematician, proved this theorem in 1837. Since proofs of Dirichlet's Theorem are complicated and rely on advanced techniques, we do not present a proof here. However, it is not difficult to prove special cases of Dirichlet's theorem, as the following propositionillustrates.

Proposition 2.2. There are infinitely many primes of the form 4n * 3, where n rs a positiveinteger. 2.3 The Fundamental Theorem of Arithmetic 75

Beforewe provethis result,we first provea useful lemma.

Lemma 2.6. lf a and b are integers both of the form 4n * l, then the product ab is alsoof this form.

Proof. Since a and b are both of the form 4n * l, there exist integers r and s such that a : 4r * 1 and D : 4s * 1. Hence, ab: (+r+t)(4s+1): 16rs* 4r * 4s * l:4(4rs+r*s) * l, which is again of the form 4n * 1. tr We now provethe desiredresult.

Proof. Let us assume that there are only a finite number of primes of the form4n f 3, sayPo: 3,Pt, P2,..., Pr. Let Q:4prpz P,*3.

Then, there is at least one prime in the factorizationof Q of the form 4n * 3. Otherwise,all of these primes would be of the form 4n * 1, and by Lemma 2.6, this would imply that O would also be of this form, which is a contradiction. However, none of the primes po, Pr,...,,Pndivides 0. The : prime 3 does not divide Q, for if 3 I Q, then I I (0-ll 4pt pz p,, which is a contradiction. Likewise, none of the primes p; can divide Q, becausepj I Q impliespi | (Q-4pr pz p) :3 which is absurd. Hence, there are infinitely many primesof the form 4n * 3. tr

2.3 Problems L Find the primefactorizations of a) 36 e) 222 D 5o4o b) 3e D 2s6 j) sooo c) 100 d sr5 k) 9s5s d) 289 h) 989 D 9999.

2. Show that all the powers in the prime-power factorization of an integer n are even if and only if n is a perfect square.

3. Which positive integers have exactly three positive divisors? Which have exactly four positivedivisors?

4. Show that every positive integer can be written as the product of a square and a square-freeinteger. A square-free integer is an integer that is not divisible by 76 Greatest Common Divisors and Prime Factorization

any perfectsquares.

5. An integer n is called powerful if whenevera prime p divides n, p2 divrdesn. Show that every powerful number can be written as the product of a perfect squareand a perfect cube.

6. Show that if a and b are positiveintegers and a3 | b2, then a I b.

7. Let p be a prime and n a positiveinteger. If p' I n, but po*' It n, we say that po exactly divides n, and we write po ll n.

a) Showthat if po ll m andpb ll n, thenpo*b ll mn.

b) Showthat if po ll m, thenpko ll mk.

c) Showthat if po ll m andpb ll n, then ominb'b)il m+ n. 8. a) Let n be a positiveinteger. Show that the power of the prime p occurring in the prime power factorization of n ! is

ln/pl + Inlpzl + ln/p3l +

b) Use part (a) to find the prime-power factorization of 20!.

9. How many zerosare there at the end of 1000!in decimal notation? How many in baseeight notation?

10. Find all positiveintegers n such that n! ends with exactly 74 zeros in decimal notation. ll. Showthat if n is a positiveinteger it is impossiblefor n! to end with exactly153, 154,or 155 zeroswhen it is written in decimal notation.

12. This problem presentsan example of a system where unique factorizationinto primes fails. Let H be the set of all positiveintegers of the form 4ft*1, where k is a positiveinteger.

a) Show that the productof two elementsof 11 is also in fI.

b) An elementh*l in 11 is called a"Hilbert prime" if the only way it can be written as the productof two integersin ^FIis h: h'l : l'ft, Find the 20 smallestHilbert primes.

c) Show every element of H can be factored into Hilbert primes.

d) Show that factorization of elements of FI into Hilbert primes is not necessarilyunique by finding two different factorizationsof 693 into Hilbert primes.

13. Which positiveintegers n aredivisible by all integersnot exceeding,,/;t

14. Find the leastcommon multiple of eachof the following pairs of integers 2.3 The FundamentalTheorem of Arithmetic 77

a) 8,12 d) lll,3o3 b) 14,15 e) 256,5040 c) 28,35 f) 343,999.

15. Find the greatestcommon divisor and leastcommon multiple of the following pairsof integers a) 22335s11,27355372

b) 2.3.5.7.1I'13,17.t9.23.29

c) 2357tt'3,2.3.5.1.1 t.t 3

d) 47tt7gtnl0lrmr,4l rr83rrrl0l 1000.

16. Show that every commonmultiple of the positiveintegers a and b is divisibleby the leastcommon multiple of a and b. t7. Which pairs of integers a and D have greatest common divisor 18 and least commonmultiple 540?

18. Show that if a and b are positive integers,then (a , il | la, bl. When does fu,b) : la, bl? 19. Show that if a and b are positive integers, then there are divisors c of a and d of b withG,d): I andcd:la,bl.

20. Show that if a, b, and c are integers,then [a, Ull c if and only if a I c and b I c.

21. a) Showthat if a and b arepositive integers then (a,b) : (a*b,la,bD.

b) Find the two positive integers with sum 798 and least common multiple l 0780.

22. Show that if a,b, andc are positiveintegers, then (la, bl, t) : lG, c), (b, c)l andlfu, b) , cJ : ([4, cl, lb , cl). 23. a) Show that if a,b, and c are positiveintegers, then

max(a,b,c): a * b * c - min(a,b) - min(a,c) - min(D,c) * min(a,b,c).

b) Use part (a) to show that

a,brcla [a,b,clla,b,cl : . 'br'c.) . G,b) G,c) (b,c) 24. Generalizeproblem 23 to find a formula for (ay,a2,...,on)'1d1,a2,...,an1where a 1.a2,...,a n are positiveintegers. 25. The leastcommon multiple of the integers a1,a2,...,an,that are not all zero, is the smallestpositive integer that is divisible by all the integerso1,ct2,...,a,; it is 78 GreatestCommon Divisors and PrimeFactorization

denotedby Ia 5a2,...,an1. il Find[6,10,15] and [7,11,13j.

b) Show that laya2,...,an-1,anl: l[,a1,a2,...,an-1l,anl. 26. Let n be a positive integer. How many pairs of positive integerssatisfy Ia,bl: n?

27. Prove that there are infinitely many primes of the form 6ft * 5, where k is a positive integer.

28. Show that if a and b are integers, then the arithmetic progression a, a*b, a*Zb,... containsan arbitrary number of consecutivecomposite terms. 29. Find the prime factorizationsof

a) l06-l d) 224-l b) lo8-l e) 230-l c) 2r5-l f) 236-t.

30. A discount store sells a camera at a price less than its usual retail price of ,S99. If they sell 88137 worth of this camera and the discounteddollar price is an integer, how many camerasdid they sell?

31. il show that if p isa prime and,ais a positiveinteger withp I a2, thenp I a.

b) Show that if p is a prime, c is an integer, and n is a positive integer such thatp lan,thenpla.

32. Show that if a and b are positive integers, then a2 | b2 implies that a I b.

33. Show that if a,b, and c are positive integers with (a ,b) : I and ab : cn, then there are positive integers d and,e such that a : dn and b : en.

34. Show that if aya2,...,an are pairwise relatively prime integers, then la1,ct2,...,anl: ap2''' sn.

2.3 Computer Projects

Write programs to do the following:

1. Find all positivedivisors of a positive integer from its prime factorization.

2. Find the greatest common divisor of two positive integers from their prime factorizations.

3. Find the least common multiple of two positive integers from their prime factorizations.

4. Find the number of zeros at the end of the decimal expansionof n ! where n is a positiveinteger. 2.4 Factorization of Integers and the Fermat Numbers 79

5. Find the prime factorizationof n! where n is a positiveinteger.

2.4 Factorization of Integersand the Fermat Numbers From the fundamental theorem of arithmetic, we know that every positive integer can be written uniquely as the product of primes. In this section,we discussthe problem of determiningthis factorization. The most direct way to find the factorization of the positive integer n is as follows. Recall from Theorem 1.9 that n either is prime, or else has a prime factor not exceeding 6 . Consequently,when we divide n by the primes 2,3,5,...not exceeding ,/i,*" either find a prime factorpr of n or elsewe concludethat r is prime. If we have located a prime factor p r of n, we next look for a prime factor of nt: nlp1, beginningour searchwith the prime p1, since n I has no prime factor lessthan p1, nnd any factor of n1 is also a factor of n. We continue,if necessary,determining whether any of the primes not exceeding rlr r divide n1. We continue in this manner, proceedingrecursively, to find the prime factorizationof n.

Example. Let n : 42833. We note that n is not divisible by 2,3 and 5, but that 7 | n. We have 42833- 7 .6119.

Trial divisions show that 6119 is not divisible by any of the primes 7,11,13,17,I9,and 23. However,we seethat 6l19 :29'2ll.

Since 29 > ,m, we know that 211 is prime. We conclude that the prime factorizationof 42833is 42833- 7 ' 29 ' 2ll. Unfortunately,this method for finding the prime factorizationof an integer is quite inefficient. To factor an integer N, it may be necessaryto perform as many as r(JF) divisions, altogether requiring on the order of JF bit operations,since from the prime number theorem zr(JF) is approximately ,N /tog..N : 2,N AogN, and from Theorem 1.7, thesedivisions take at least log N bit operations each. More efficient algorithms for factorization have been developed, requiring fewer bit operations than the direct method of factorization previously described. In general, these algorithms are complicatedand rely on ideasthat we have not yet discussed.For information about thesealgorithms we refer the reader to Guy [66] and Knuth [561. We note that the quickest method yet devised can factor an integer N in 80 GreatestCommon Divisors and PrimeFactorization

approximately e*p(@) bit operations,where exp standsfor the exponentialfunction.

In Table 2.1, we give the time required to factor integersof various sizes using the most efficient algorithm known, where the time for each bit operation has been estimatedas one microsecond(one microsecondis 10-6 seconds).

Number of decimal digits Number of bit operations Time

50 l.4x 10r0 3.9hours

75 9.0xl0r2 104days

100 2.3xl0r5 74 years

200 1.2x1023 3.8xl0e years

300 l.5x l02e 4.9x1015years

500 l.3x l03e 4.2x102syears

Table2.1. Time RequiredFor Factorizationof LargeIntegers.

Later on we will show that it is far easierto decide whether an integer is prime, than it is to factor the integer. This difference is the basis of a cyptographicsystem discussed in Chapter 7. We now describea factorizationtechnique which is interesting,although it is not always efficient. This technique is known as Fermat factorization and is basedon the followinglemma.

Lemma 2.7. lf n is an odd positive integer, then there is a one-to-one correspondencebetween factorizations of n into two positive integers and differencesof two squaresthat equal n.

Proof. Let n be an odd positive integer and let n : ab be a factorization of n into two positive integers. Then n can be written as the differenceof two squares,since

, lo+ul' - lo-ul' n:aD: l-l |l:l 2 ,l t 2 )' 2.4 Factorizationof Integersand the FermatNumbers 81

where G+b)12 and b-b)/2 are both integerssince a and b are both odd. Conversely,if n is the differenceof two squares,say n: s2 - /2, then we can factorn by notingthat n : (s-l)(s+t). tr To carry out the method of Fermat factorization,we look for solutionsof the equation,, : *2 - yz by searchingfor perfect squaresof the form xz - n. Hence, to find factorizationsof n, we search for a square among the sequence of integers

t2-n, Q+Dz-n, (t +2)2-n,... where I is the smallestinteger greater than ,/i . This procedureis guaranteed to terminate,since the trivial factorizationn : n'l leadsto the equation n: fn+rl' lr-rl' I r l- |. , ,l

Example. We factor 6077 using the method of Fermat factorization. Since 77 < ffi1 < 78, we look for a perfect square in the sequence

782- 6077:7 792- 6077:164 802- 6077:323 812- 6077:484:222.

Since 6077:812 - 222. we conclude that 6077: $l-2D(8t+zz) : 59.103. Unfortunately, Fermat factorization can be very inefficient. To factor n using this technique, it may be necessary to check as many as Q + D 12 - ,/n integers to determine whether they are perfect squares. Fermat factorization works best when it is used to factor integers having two factorsof similar size. The integers Fn :22' + I are called the Fermat numbers. Fermat conjectured that these integers are all primes. Indeed, the first few are primes, namely Fo:3, F1 : 5, F2: 17,F3 : 257, and F+: 65537. Unfortunately,F5 :22'* 1 is compositeas we will now demonstrate.

Proposition 2,3. The Fermat number F5: 22'+ 1 is divisibleby 641.

Proof. We will prove that 641 | fr without actually performing the division. Note that 82 GreatestCommon Divisors and PrimeFactorization

641:5.27 + l:2a + 54. Hence. 22'+' =Z'ile-?;^i?ii:,:;o,2ii,Ii:, fil 'r'*'

Therefore,we seethat 64t I F's. tr The followingresult is a valuableaid in the factorizationof Fermat numbers.

Proposition 2.4. Every prime divisor of the Fermat number F, :22' + | is of the form2n+2k+ I.

The proof of Proposition2.4 is left until later. It is presentedas a problem in Chapter 9. Here, we indicate how Proposition2.4 is useful in determining the factorizationof Fermat numbers.

Example. From Proposition 2.4, we know that every prime divisor of F3:22'+ | :257 must be of the form 2sk * l: 32.k + l. Sincethere are no primes of this form less than or equal to ,/81, we can concludethat Ft : 257 is prime.

Example. In attempting to factor F 6 : 22'+ l, we use Proposition2.4 to see that all its prime factorsare of the form 28k + l:256.k * l. Hence,we needonly perform trial divisionsof Foby thoseprimes of the form 256'k + | that do not exceed -,,/Fu. After considerablectmputation, one finds that a primedivisor is obtainedwith k : l0?l,i.e. Z74li'l: (256.10?l+ l) I F6. A great deal of effort has been devoted to the factorization of Fermat numbers. As yet, no new Fermat primes have been found, and many people believe that no additional Fermat primes exist. An interesting, but impractical, primality test for Fermat numbers is given in Chapter 9. It is possibleto prove that there are infinitely many primes using Fermat numbers. We begin by showing that any two distinct Fermat numbers are relativelyprime. The following lemma will be used.

Lemma 2.8. Let F1,:22' * I denotethe kth Fermat number, where k is a nonnegativeinteger. Then for all positiveintegers n , we have FoFf z Fn-t: Fn - 2. Proof. We will prove the lemma using mathematical induction. For n : 1, the identity reads 2.4 Factorization of Integers and the Fermat Numbers 83

Fo : Fr - 2 '

This is obviouslytrue sinceF0 : 3 and Fr : 5. Now let us assumethat the identity holdsfor the positiveinteger n, so that

' ' - FoFf z' Fn-r: F, 2.

With this assumptionwe can easilyshow that the identity holdsfor the integer n * I, since FoFfz Fn-rFr: (FsFf2 "' Fr-)Fn - (Fn - z)Fn: (22'- D(22' + t) -(22'12-l-22'*'-2:Fra1 -2. tr

This leadsto the following theorem.

Theorem 2.6. Let m and n be distinct nonnegativeintegers. Then the Fermat numbersF^ and F, are relatively prime.

Proof. Let us assumethat m 1 n. From Lemma 2.8, we know that

Fffz''' F^' " Fr-r: Fn - 2.

Assumethat d is a commondivisor of F* and Fo. Then, Proposition1.4 tells us that - d I G, FsF.o2 Fm F,-1) :2.

Hence,either d:l or d:2. However,since F, and Fn are odd, d cannot be 2. Consequently,d:l and (F^,F) : I. tr Using Fermat numbers we can give another proof that there are infinitely many primes. First, we note that from Lemma 1.1, every Fermat number Fn has a prime divisorpr. Since (F*,F): l, we know that p^ # p, whenever m # n. Hence,we can concludethat there are infinitely many primes. The Fermat primes are also important in geometry. The proof of the followingfamous theorem may be found in Ore [28].

Theorem 2.7. A regular polygonof n sidescan be constructedusing a ruler and compassif and only if n is of the form n:2opl "' pt wherep;, i:1,2,...,t are distinct Fermat primes and a is a nonnegativeinteger. 84 GreatestCommon Divisors and PrimeFactorization

2.4 Problems

l. Find the prime factorizationof the followingpositive integers

il egzgzt b) 1468789 c) SSOO8OZ9.

2. Using Fermat's factorization method, factor the following positive integers

a) 7709 d) I l02l b) 73 e) 3200399 c) 10897 f) 24681023.

3. a) Show that the last two decimal digits of a perfect squaremust be one of the followingpairs: 00, el, e4,25, o6, e9, wheree standsfor any evendigit and o standsfor any odd digit. (Hint: Show that n2, (50+n)2, and (50-n)2 all have the same final decimal digits, and then consider those integers n with 0(n<2s.)

b) Explain how the result of part (a) can be used to speed up Fermat's factorization method.

4. Show that if the smallestprime factor of n is p, then xz-n will not be a perfect squarefor x ) h+pz) lLp .

5. In this problem, we developthe method of Draim factorization. To search for a factor of the positiveinteger n - nr, we start by using the division algorithm, to obtain

il1:3qy*ry, 0(11 (3.

Settingntr - nr, we let

t/12: t/lt - Zqt, fl2: ttt2* 11.

We use the divisionalgorithm again,to obtain

fl2:5q2* 12, 0 ( 12( 5,

and we let

- : 3: rtl2 2qZ, fl1 t143* t2.

We proceedrecursively, using the division algorithm, to write

nx : (2k+l)qy * ry, 0 ( 11 < 2k+1,

and we define 2.4 Factorization of Integers and the Fermat Numbers 85

fllk : m*-t-2Qt-t, ttk : ttl* * rt-t.

We stop when we obtain a remaindet/1 : 0.

a) Show that n1 : knr - Qk+l) (qft q2*' ' ' + q,-) and rltk : n1 - 2'(qftq2* *qo-r).

b) Showthat if (z*+t) I ,, then (2k+l) I nr andn:(2k*l)m1,11. c) Factor 5899 using the methodof Draim factorization.

6. In this problem, we devel

a) Let u: (a-c,b-d). Showthat u is evenand that if r: (a-c)lu and s : (d-ilfu,then (r,s) : l, r(a*c) : s(d+b), ands I a+c. b) Let sv : a*c. Showthat rv : d + b,e : (a+cd+b), and v is even.

c) Concludethat n may be factoredas n:1fu12)2 + (v/2)zl(r2 + s2).

d) UseEuler's method to factor221 :102 + ll2:52 + 142,2501:502 + 12 : 492+ 102and 1000009: 10002+ 32:9722 + 2352.

7. Show that any number of the form 2an+2* I can be easilyfactored by the use of the identity 4xa + 1 : (2x2+2x+l)(Zx2-Zx+t\. Factor 218+1 using this identity.

8. Show that if a is a positiveinteger and a^ *l is a prime, then m:2n for some positive integer n. (Hint: Recall the identity a^*l: (aft + l) (ak9-t)-akQ-D + -ae+l) wherem:kQ and { is odd).

9. Show that the last digit in the decimal expansionof F, - 2r + | is 7 if n 7 2. (Hint: Using mathematicalinduction, show that the last decimal digit of 22' is 6.)

10. Use the fact that every prime divisor of Fa:2t + I :65537 is of the form 26k + | - 64k * I to verify that F4 is prime. (You should need only one trial division.)

I l. Use the fact that every prime divisor of Fz: 22'+ | is of the form 21k + | : l28k * 1 to demonstrate that the prime factorization of F5 is F. : 641'6700417.

r2. Find all primesof the form 2T * 5, where n is a nonnegativeinteger.

13. Estimate the number of decimal digits in the Fermat number Fn. 86 GreatestCommon Divisors and PrimeFactorization

2.4 Computer Projects

Write programs to do the following:

l. Find the prime factorization of a positive integer.

2. Perform Fermat factorization.

3. Perform Draim factorization (see problem 5).

4. Check a Fermat number for prime factors, using Proposition2.4.

2.5 LinearDiophantine Equations

Consider the following problem. A man wishes to purchase $510 of travelers checks. The checks are available only in denominationsof $20 and $50. How many of each denominationshould he buy? If we let x denotethe number of $20 checks and y the number of $50 checksthat he should buy, then the equation20x * 50y : 510 must be satisfied. To solvethis problem, we need to find all solutions of this equation, where both x and y are nonnegativeintegers.

A related problem arises when a woman wishes to mail a package. The postalclerk determinesthe cost of postageto be 83 cents but only 6-cent and 15-centstamps are available. Can somecombination of thesestamps be used to mail the package? To answerthis, we first let x denotethe number of 6- cent stampsand y the number of l5-cent stampsto be used. Then we must have6x + I5y : 83, where both x and y are nonnegativeintegers. When we require that solutionsof a particular equationcome from the set of integers,we have a diophantine equation. Diophantineequations get their name from the ancient Greek mathematician Diophantus, who wrote extensivelyon such equations. The type of diophantine equation ax * by : c, where a, b, and c are integersis called a linear diophanttneequations in two variables. We now develop the theory for solving such equations. The following theorem tells us when such an equation has solutions,and when there are solutions,explicitly describesthem.

Theorem 2.8. Let a and D be positiveintegers with d : (a,b). The equation ax*by:c has no integralsolutions if dlc. lf dlc, then thereare infinitely many integral solutions. Moveover, if x : x0, | - lo is a particular solutionof the equation,then all solutionsare given by

x : xo+ (b/d)n, ! : yo- fuld)n, 2.5 LinearDiophantine Equations 87

wheren is an integer.

Proof. Assumethat x and y are integerssuch that ax I by : g. Then, since dlo andd lb,byProposition1.4, dlt aswell. Hence,'rfd trc,thereare no integral solutionsof the equation.

Now assumethat d | ,. From Theorem2.1, there are integerss and t with (2.3) d:as+bt.

Sinced l r, thereis an integere with de : c. Multiplying both sidesof (2.3) bv e. we have c:de:(as+bt)e:a(se) + bQe).

Hence, one solution of the equation is given by @Io,.wlere -x0-'Ftf11*}f =7€. X * S€ rtacl I --te To show that there are infinitelymany solutions,let x:nfo+ $liln and y:Y0- G/d)n, wheren is an integer. We seethat this pair (x,y) is a solution,since V rfi"v g rof14 ax t by : oxs* a(bld)n * byo- bGld)il: oxst bys: c.

We now show that every solutionof the equationax * by : c must be of the form describedin the theorern. Supposethat x and y are integers with ax I bY : c. Since axs* byo: ,, by subtractionwe find that

Gx * by) - (axs+ bys):0, which impliesthat a& - x/ + bU -.yd :0.

Hence,

a(x - xo): bjo- y).

Dividingboth sidesof this last equalityby d, we seethat - Gld) (x xs) : (bld) Ut - y).

By Proposition2.1, we know that bld,bld): l. Using Lemma 2.3, it 88 GreatestCommon Divisors and prime Factorization

follows that Q/d) | 9o- y). Hence, there is an integer n with G/d)n:lo-l; this meansthaty -lo- G/iln. Now puttingthis value of y into the equation a(x - xd : bOo- y), we find that aG - xd : bb/d)n, whichimplies that x : x0 + (bld)n. D

We now demonstratehow Theorem 2.8 is used to find the solutions of particular linear diophantineequations in two variables.

Consider the problems of finding all the integral solutions of the two diophantine equationsdescribed at the beginning of this section. We first considerthe equation6x + I5y : 83. The greatestcommon divisor of 6 and 15 is (6,15) : 3. Since I / gl, we know that there are no integral solutions. Hence,no combinationof 6- and l5-cent stampsgives the correct postage.

Next, consider the equation 20x t 50y :519. The greatest common divisorof 20 and 50 is (20,50): 10, and since l0 | 510, there are infinitely many integral solutions. Using the Euclidean algorithm, wo find that 20eD * 50 : 10. Multiplying both sides by 51, we obtain 20(-102) + 50(51) : 510. Hence, a particular solution is given by x0: - 102 and./o:51. Theorem2.8 tellsus that all integralsolutions are of the form x : -102 * 5n and y : 5l - 2n. Since we want both x and y to be nonnegative,we must have - I02 + 5n ) 0 and 5l - 2n ) 0; thus, n ) 20 2/5 and n 4 25 l/2. Since n is an integer, it follows that n:21,22,23,24,or 25. Hence,we havethe following5 solutions:Gy): (3,9),(8,7), (13,5), (19,3), and (23,t).

2.5 Problems l. For eachof the followinglinear diophantine equations, either find all solutions,or showthat thereare no integralsolutions a) 2x I 5y :11 b) l7x * l3y : 1gg c) ZIx * l4y :147 d) 60x * l8y :97 e) t4o2x + t969y : r. 2. A studentreturning from Europechanges his Frenchfrancs and Swissfrancs into U.S. money. If he receives$ll.9l and has receivedI7a for eachFrench franc and 480 for eachSwiss franc, how much of eachtype of currencydid he exchange? 2.5 Linear Diophantine Equations 89

3. A grocer orders apples and orangesat a total cost of $8.39. If apples cost him 25c each and oranges cost him 18c each and he ordered rnore apples than oranges,how many of each type of fruit did he order? l€ I

4. A shopper spends a total of .85.49 for oranges, which cost l8o each, and grapefruits, which cost 33c each. What is the minimum number of pieces of fruit the shoppercould have bought?

5. A postal clerk has only l4-cent and 2l-cent stamps to sell. What combinations of these may be used to mail a packagerequiring postageof exactly

a) .t3.50 b) $4.00 c) $7.772

6. At a clambake, the total cost of a lobster dinner is $ I I and of a chicken dinner is ,$8. What can you conclude if the total bill is

a) $777 b) $96 c) $692

7. Show that the linear diophantineequation afi1* a2x2* I anxn: b has no solutionsif d / D, where d : (a1,a2,...,a11),and has infinitely many solutionsif d I b. 8. Find all integersolutions of the followinglinear diophantine equations a) 2x*3yl4z:5 b) 7x*2ly*352:8 d l0lx * 102y+ 1032:1 . 9. Which combinationsof pennies,dimes, and quarters have a total value99c? 10. How manyways can change be madefor onedollar using a) dimesand quarters b) nickels.dimes, and quarters c) pennies,nickels, dimes, and quarters? I l. Find all integersolutions of the followingsystems of lineardiophantine equations a) x* y* z:100 x*8y*502:156 b) x+ y + z:100 x * 6y * 2lz :121 c) x* y* z + w-100 xt2y13z*4w-300 x*4y*9z1'16w-1000. 12. A piggy bank contains24 coins,all nickels,dimes, and quarters. If the total valueof the f,oinsis two dollars,what combinationsof coinsare possible? 90 GreatestCommon Divisors and PrimeFactorization

13. Nadir Airways offers three types of tickets on their Boston to New York flights. First-classtickets are $70, second-classtickets are $55, and stand-bytickets are $39. If 69 passengersp^y a total of $3274 for their tickets on a particular flight, how many of each type of tickets were sold?

14. Is it possibleto have 50 coins,all pennies,dimes, and quartersworth,$3?

15. Let a and b be relatively prime positive integers and let n be a positive integer. We call a solution x )) of the linear diophantine equation ax * by : n nonnegativewhen both x and y are nonnegative.

il Show that whenevern 2 G-l)(6-l) there is a nonnegativesolution of this equation.

b) Show that if n: ab - a - 6, then there are no nonnegativesolutions.

c) Show that there are exactly (a-1)$-D/2 positive integersn such that the equation has a nonnegativesolution.

d) The post office in a small Maine town is left with stamps of only two values. They discover that there are exactly 33 postage amounts that cannotbe made up using thesestamps, including 46c. What are the values of the remainingstamps?

2.5 Computer Projects

Write programs to do the following:

1. Find the solutionsof a linear diophantine equation in two variables.

2. Find the positivesolutions of a linear diophantine equation in two variables.

3. Find the solutionsof a linear diophantineequation in an arbitrary number of variables.

4. Find all positive integers n for which the linear diophantine equation ax * by : n has no positive solutions (seeproblem I 5). Congruences

3.1 Introduction to Congruences The special language of congruencesthat we introduce in this chapter is extremely useful in number theory. This language of congruences was developedat the beginning of the nineteenthcentury by Gauss.

Definition. lf a and b are integers, we say that a is congruent to b modulo mif m l(a-b). If a iscongruenttoDmodulo m,wewrite a =b (modz). lf m IG-b), we write a # b (mod m), and say that a and b are incongruent modulo m.

Example. We have 22 = 4 (mod 9), since 9 | QZ-D : 18. Likewise 3 = -6 (mod 9) and 200 = 2 (mod 9). Congruencesoften arise in everyday life. For instance, clocks work either modulo 12 or 24 for hours, and modulo 60 for minutes and seconds.calendars work modulo 7 for days of the week and modulo 12 for months. Utility meters often operate modulo 1000, and odometers usually work modulo 100000. In working with congruences, it is often useful to translate them into equalities. To do this, the following propositionis needed.

Proposition 3.1. If a and b are integers,then a = b (mod m) if and only if there is an integer k such that a : b * km. 92 Congruences

Proof. If a:- b (mod m), then m I b-b). This means that there is an integer k with km : a - b, so that A : b * km.

Conversely,if there is an integer /< with a : b * km, then km : a - b. Hence m I G-b), and consequently,a = b (mod rn). tr

Example. We have 19 : -2 (mod 7) and 19 : -2 + 3'7. The following proposition establishes some important properties of congruences.

Proposition 3.2. Let m be a positive integer. Congruencesmodulo rn satisfy the following properties:

(i) Reflexive property. If a is an integer, then a = a (mod m).

(ii) Symmetric property. If a and b are integers such that a = b (mod m),then b = a (mod rn). (iii) Transitive property. If e, b, and c are integers with a = b (mod m) andb :- c (mod m),then a 4 c (mod m ).

Proof.

(i) We seethat a = a (mod m), sincem I G-a) :0.

(iil If a: b (mod m),thenm I Q-b). Hence,there is an integerft with km: a - b. This showsthat (-k)m: b - a. so that m | (b-d. Consequently,D =a (mod m).

(iii) If a = b (mod rz) and b =c (mod la), then m I G-b) and m | (b-d. Hence,there are integersk and 0 with km: a - b and Qm : b - c. Therefore, e - c : (a-D) + (b-c) : km * Qm : (k+Dm. Consequently, m I G-d and a ? c (mod z). tr

From Proposition 3.2, we see that the set of integers is divided into m different sets called congruenceclasses modulo m, each containing integers which are mutually congruent modulo m.

Example. The four congruenceclasses modulo 4 are given by 3.1 Introductionto Congruences 93

Let a be an integer. Given the positive integer m, m ) l, by the division algorithm, we have a : bm * r where 0 ( r ( ru - 1. From the equation a: bm f r, we seethat a 3 r (mod z). Hence, every integer is congruent modulo m to one of the integers of the set 0, 1,...,m- l, namely the remainderwhen it is dividedby m. Since no two of the integers0, 1,...,m- | are congruent modulo m, we have m integers such that every integer is congruent to exactly one of these ln integers.

Definition. A complete system of residues modulo m is a set of integers such that every integer is congruent modulo m to exactly one integer of the set.

Example. The division algorithm shows that the set of integers 0, 1,2,...,m- | is a completesystem of residuesmodulo rn. This is called the set of least nonnegativeresidues modulo m.

Example. Let m be an odd positive integer. Then the set of integers m-l m-3 m-l _ ,,r...tTrT 2 is a complete system of residues called the set of absolute least residues modula m. We will often do arithmetic with congruences. Congruenceshave many of the same properties that equalities do. First, we show that an addition, subtraction, or multiplication to both sides of a congruence preserves the congruence.

Theorem3.1. If a, b, c, and m are integers with m ) 0 such that a = b (modm ). then (il a*c=b+c(modm), -- (iD e - c S - c (modz). (iiD ac bc (mod m).

Proof. Sincea = b (modm), we know that m I G-b). From the identity - G+d - (b+d a - b, we seem llfu+d - $+c)1, so that (i) follows. Likewise,(ii) followsfrom the fact that fu-c) - (b-c): a - b. To show that (iiD holds,note that ac - bc : cG-D. Sincem I Q-b), it follows thatm I cb-b), andhence, ac = bc (modm). tr

Example. Since l9 3 (mod 8), it follows from Theorem 3.1 that 94 Congruences

26: 19+7 = 3 +7 : l0 (mod8), 15: 19 -4: 3- 4: -l (mod8), and 38 : l9'2 = 3'2: 6 (mod 8).

What happenswhen both sides of a congruenceare divided by an integer? Consider the following example.

Example.We have14:7.2:4.2:8 (mod6). But 7 * 4 (mod6). This example shows that it is not necessarily true that we preserve a congruencewhen we divide both sides by an integer. However, the following theorem gives a valid congruencewhen both sidesof a congruenceare divided by the same integer.

Theorem 3.2. If a, b, c and m are integers such that m > 0, d : (c,m), and ac = bc (mod z), then a :- b (mod m/d).

Proof. lf ac = bc (mod m),we know that m I Gc-bc): c(a-b). Hence, there is an integer k with cb-b): km. By dividing both sides by d, we have G /il G-b) : k fu /d). Since (m /d ,c/d) : 1, from Proposition2.1 it follows that m/d I Q-b). Hence,a :- b (mod m/il. a

Example. Since 50 = 20 (mod 15) and (10,5) : 5, we see that 50/10 : 20/10 (mod l5/il, or 5 = 2 (mod 3). The following corollary, which is a special case of Theorem 3.2, is used often.

Corollary 3.1. If a,b,c, and m are integerssuch that m 7 0, (c,m) : 1, and ac = bc (mod la), then a = b (mod llz).

Example. Since 42 = 7 (mod 5) and (5,7) = 1, we can conclude that 42/7 :7/7 (mod 5), or that 6 : I (mod 5). The following theorem, which is more general than Theorem 3.1, is also useful.

Theorem 3.3. If e, b, c, d, and m are integers such that m ) 0, a = b (mod nc), and c = d (mod rn ), then (i) a * c = b + d (modm), - (ii) a - c fi - d (modm), (iii) ac ? bd (mod m).

Proof. Since a = b (mod m) and c = d (mod m), weknow that m I G-U) 3.1 Introductionto Congruences 95

andmlk-d). Hence,there are integersk and.0 withkm:a-b and Qm : c - d. To prove(i), notethat (c+c) - (b+d) : fu-b) + k-d): km * Qm: - (k+Dm. Hence, m ll,(a+c) (U+a)|. Therefore, Q * c = b * d (mod m). - To prove (ii), note that (a-c) - O-d) : b-b) - k-d) : km Qm : - - - &-Dm. Hence,mltG-c)-$-il1, sothat a c $ d (modm)' - - To prove (iii), note that ac - bd :ac bc* bc bd : - cG-b) + OG-d): ckm t bQm: mkk+bD. Hence, m I Qc bil. Therefore,ac = bd (mod m). tr

Example. Since 13 = 8 (mod 5) and 7 =2 (mod 5), using Theorem 3.3 we -8-7=I see that 2O-13+7 :8+2:-0 (mod5), 6:13-7 (mod5), and 9l: l3'7 : 8'2:16 (mod5).

Theorem 3.4. If r612,,...,r^is a completesystem of residuesmodulo m, and if : a is a fositive integer with (a ,fti) 1, then ar1 t b, ar2 * b,..., ar^ * b

is a completesystem of residuesmodulo z.

Proof. First, we show that no two of the integers ar1* b, ar2* b,...,ar^ * b

are congruent mod ulo m. To seethis, note that if ari*b=arr *b (modz),

then, from (ii) of Theorem 3.1, we know that ari = ar1, (mod m) '

Because(a,m) : 1, Corollary 3.1 showsthat rj : rp (mod m) .

Since ,i # rp (mod m) if i # k, we concludethat i : k. Since the set of integers in question consists of m incongruent integers modulo m, theseintegers must be a complete systemof residuesmodulo ru. tr 96 Congruences

The following theorem showsthat a congruenceis preservedwhen both sides are raised to the same positive integral power.

Theorem 3.5. rf a, b, k, and m are integers such that k 7 0, m ) 0, and a = b (mod m), then ak = bk (mod m) .

Proof. Becausea = b (mod m), we haveml? - b). Since ak - bk : (a-b) (ak-t+ak-zb+ . . . *abk-216k-11, we see that G - DlGk - bk). Therefore, from Proposition1.2 it follows that mlGk - Uk). Hence,ek : bk (mod m). tr

Example. Since 7 = 2 (mod 5), Theorem 3.5 tells us that 343 : 73 = 23 = 8 (mod 5).

The following result shows how to combine congruencesof two numbers to different moduli.

Theorem3.6. lf a: b (modmy), a=b (modffiz),...,a=b(modm1,) where a,b,ml, frt2,...,t/t1,a;fo integers with mt,frl2 ,...,t/r1positive, then a = b (mod lmpm2,...,mpl), where Lm1,m2,...,rup1is the leastcommon multiple of mr,rrr2,...,t/tk.

Proof. Sincea=b (modzl), a:-b (modffiz),..., a=b (modmt), we - - know that m, | (o D,mzl G b),...,m* IG-D. From problem 20 of Section2.3, we seethat

[,m1,m2,...,m*]lQ - b).

Consequently,

a = b (mod Lm1,m2,...,m*l).E

An immediate and useful consequenceof this theorem is the following result.

Corollary3.2. lf a: D (modz1), a=b (modffiz),..., a=b (modz1) where a and b are integers and ftt1,r/t2,...,,r,rt1,are relatively prinie positive integers,then

a = b (modn4rtltz." m). 3.1 Introduction to Congruences

Proof. Since ffi1,ftt2,...,t?11,zfa pairwise relatively prime, problem 34 of Section 2.3 tells us that

lm1,m2,...,mkl: ftlill2''' mk

Hence,from Theorem 3.6 we know that a :- b (mod wtfltz' ' ' m). a

In our subsequentstudies, we will be working with congruencesinvolving large powersof integers. For example,we will want to find the least positive residueo1 26+amodulo 645. If we attempt to find this least positive residueby first computing 2644,wewould have an integerwith 194 decimal digits, a most undesirable thought. Instead, to find 26aamodulo 645 we first express the exponent644 in binary notation: G4qro: (lolooooloo)2.

Next, we compute the least positive residues of 2,22,24,28,...,2tt' by successivelysquaring and reducing modulo 645. This givesus the congruences 2 2 (mod 645), 22 4 (mod645), 2+ 16 (mod649, 28 256 (mod 645), 216 391 (mod 645), 232 16 (mod 645), 264 256 (mod645), 2128 391 (mod 645), 22s6 l6 (mod649, 2srz 256 (mod 64il.

We can now compute 2644modulo 645 by multiplying the least positive residuesof the appropriatepowers of 2. This gives 26aa- 2512+128+4: 2512212824 = 256.391.16 :1601536=I(mod645).

We have just illustrated a general procedure for modular exponentiation, that is, for computing 6N modulo m where b, ffi, and N are positive integers. We first expressthe exponentN in binary notation, as l{ : (arar-t...apo)2. We then find the least positive residues of b ,b2,b4,...,b2'modulo rn, by successivelysquaring and reducing modulo rn. Finally, we multiply the least positive residuesmodulo m of bv for thosej with ai : l, reducing modulo rn after each multiplication. 98 Congruences

In our subsequentdiscussions, we will need an estimate for the number of bit operations needed for modular exponentiation. This is provided by the following proposition.

Proposition 3.3. Let b,m, and ,A/ be positive integerswithD < m. Then the least positive residue of bN modulo m can be computed using O (0og2m)2log2N) bit operations.

Proof. To find the least positive residue of bN (mod rn), we can use the algorithm just described. First, we find the least positive residues of b,b2,b4,...,62'modulom, where 2k < N < 2k*t, by successivelysquaring and reducingmodulo ru. This requiresa total of O(0og2m)2log2N)bit operations, becausewe perform [log2lf I squaringsmodulo m, eachrequiring o(Iogzm)2) bit operations. Next, we multiply together the least positive residues of the integers bl correspondingto the binary digits of N which are equal to one, and we reduce modulo m after each multiplication. This also requires O(Qog2m)2log2,n/) bit operations, because there are at most log2N multiplications, each requiring O((log2m)2) Uit operations. Therefore, a total of O((log2m)2log2lf) bit operationsare needed. tr

3.f Problems

l. For which positive integers m are the following statementstrue il 27 :5 (modz)

b) 1000 -- 1 (mod rn )

c) l33l : 0 (mod ln)?

2. Show that if a is an even integer, then a2 = 0 (mod 4), and if a is an odd integer, then a2 = I (mod 4).

3. Show that if a is an odd integer,then az = I (mod 8).

4. Find the least nonnegativeresidue modulo l3 of

a) 22 d) -l b) 100 e) -loo c) i00l f) -1000.

5. Show that if a, b, m, and n are integerssuch that m ) 0, n ) 0, n I m, and a = b (mod rn), then a = b (mod n).

6. Show that if a,b,c, and m are integerssuch that c ) 0, mlO, and a = b (mod rn ), then ac J bc (mod mc). 3.1 Introductionto Congruences 99

7. Showthatif a,b,andc areintegerswithc) 0such thata = b (modc),then (a,c): (bd .

8. Show that if ai =bi (mod z) for j : 1,2,...,n,where m is a positiveinteger and Qi,bi, i : 1,2,...,n'are integers, then nn (modz) il )a1 =)b1 j-t j-l

nn (mod rn b) fl ai:-' fl b;r ). j-l t-t

In problems 9-11 construct tables for arithmetic modulo 6 using the least nonnegativeresidues modulo 6 to representthe congruenceclasses.

9. Construct a table for addition modulo 6.

10. Construct a table for subtraction modulo 6.

I l. Construct a table for multiplication modulo 6.

12. What time does a clock read

a) 29 hours after it reads I I o'clock

b) 100 hours after it reads 2 o'clock

c) 50 hours before it reads 6 o'clock?

13. Which decimal digits occur as the final digit of a fourth power of an integer?

14. What can you conclude if a2 = 62 (mod p), where a and b are integers and p is prime?

15. Show that if ak = bt (mod nr) and ak+t : bk+l (mod nr), where a,b,k, and m are integerswith k>0 and m)0 such that (a,m):1, then a = b (mod rn). If the condition (a,m): I is dropped,is the conclusionthat a = b (mod z) still valid?

16. Show that if n is a positive integer, then

il t+2+3+ +(n-l) =0(modn). b) 13+23+33+ + (n-l)3=o(modn).

17. For which positive integersn is it true that

12+22 +32 + * (n-l)2 = o (modn)?

18. Give a complete system of residuesmodulo l3 consistingentirely of odd integers.

19. Show that if n = 3 (mod 4), then n cannot be the sum of the squares of two integers.

20. il Show that if p is prime, then the only solutions of the congruence x2 =x (modp) arethoseintegers x with x = 0 or I (modp). 100 Congruences

b) Show that if p is prime and ft is a positive integer, then the only solutionsof x2 =x (mod pk) arethoseintegers x such that x E 0 or I (modpe). 21. Find the least positiveresidues modulo 47 of

a) 232 b) 247 c) 22w

22. Let t/t1,t/t2,...,n\r be pairwise relatively prime positive integers. Let ' ' M : mifiz' mp and Mj : M/mi for; - 1,2,...,k. Show that

M(tr* M2a2* * Mpap

runs through a complete system of residues modulo M when a1,a2,...,a1,run through complete systemsof residuesmodulo rn1,nt2,...,r/t1,respectively.

23. Explain how to find the sum z * v from the least positive residue of u * v modulo m, where u and.v are positive integers less than z . (Hint: Assume that u ( v and consider separately the cases where the least positive residue of u I v is lessthan a, and where it is greater than v.)

24. on a computer with word size w, multiplicertion modulo n, where n I w f2, can be performed as outlined. Let T:IJn + %1, and t : T2 - n. For each computation, show that all the required computer arithmetic can be done without exceedingthe word size. (This method was describedby Head t67]).

a) Show that lr | < r.

b) Show that if x and y are nonnegativeintegers lessthan n, then

x:aT*b, y:cT*d

where a,b,c, and d are integers such that 0 ( a ( Z, 0 < , < T, 0 ( c < T, and 0 < d < T.

c) Letz = ad * bc (mod n), with 0 ( z ( z. Show that

d) Let ac:eT*f where e and f areintegerswith0(e

e) Letv:z* er (modn),with0(v (n. Showthatwecanwrite

v : gT * h,

where g and h are integerswith 0 ( g ( f,0 < h < T, and such that : xy hT + V+S)t + bd (mod n). 3.1 Introductionto Congruences 101

f) Show that the right-hand side of the congruence of part (e) can be computed without exceeding the word size by first finding j with

j = (f +s)l (mod n)

and 0 < j < n, and then finding /c with

k=j+Dd(modn)

and0

xy:hT+ft(modn).

This gives the desiredresult.

25. Develop an algorithm for modular exponentiationfrom the base three expansion of the exponent.

26. Find the least positive residueof

a) 3ro modulo I I

b) 2r2 modulo 13

c) 516modulo 17

d) 322modulo 23.

e) Can you propose a theorem from the above congruences?

27. Find the least positive residuesof

a) 5! modulo 7

b) 10! modulo 11

c) 12! modulo 13

d) 16! modulo 17.

e) Can you propose a theorem from the above congruences?

28. Prove Theorem 3.5 using mathematical induction.

29. Show that the least nonnegative residue modulo m of the product of two positive integers less than m can be computed using O(logzm) bit operations.

30. a) Five men and a monkey are shipwrecked on an island. The men have collected a pile of coconuts which they plan to divide equally among themselves the next morning. Not trusting the other men, one of the group wakes up during the night and divides the coconuts into five equal parts with one left over, which he gives to the monkey. He then hides his portion of the pile. During the night, each of the other four men does exactly the same thing by dividing the pile they find into five equal parts leaving one coconut for the monkey and hiding his portion. In the morning, the men 102 Congruences

gather and split the remaining pile of coconuts into five parts and one is left over for the monkey. What is the minimum number of coconuts the men could have collected for their original pile?

b) Answer the same question as in part (a) if instead of five men and one monkey, there are n men and k monkeys, and at each stage the monkeys receive one coconut each.

3.1 Computer Projects

Write computer programs to do the following: l. Find the least nonnegativeresidue of an integer with respectto a fixed modulus.

2. Perform modular addition and subtraction when the modulus is less than half of the word size of the computer.

3. Perform modular multiplication when the modulus is less than half of the word size of the computer using problem 24.

4. Perform modular exponentiationusing the algorithm describedin the text.

3.2 Linear Congruences A congruenceof the form ax = b (mod m)' where x is an unknown integer, is called a linear congruencein one variable. In this section we will see that the study of such congruencesis similar to the study of linear diophantine equationsin two variables. We first note that if x : xo is a solution of the congruence ax 7 b (mod m), and if x1 : r0 (mod m), then ax13 axs- b (modz), so that x 1 is also a solution. Hence, if one member of a congruence class modulo m is a solution, then all members of this class are solutions. Therefore, we'may ask how many of the m congruenceclasses modulo m give solutions; this is exactly the same as asking how many incongruent solutions there are modulo m. The following theorem tells us when a linear congruence in one variable has solutions, and if it does, tells exactly how many incongruent solutionsthere are modulo m.

Theorem 3.7. Let a, b, and m be integers with ru ) 0 and (a,m) : d. lf d I b, then ax j D (mod rn ) has no solutions. If d I b, then ax 7 b (mod rn ) has exactly d incongruent solutionsmodulo z . 3.2 LinearGongruences 103

Proof. From Proposition3.1, the linear congruence ax 7 b (mod m) is equivalent to the linear diophantine equation in two variables ax - m! : b. The integer x is a solution of ax 7 b (mod m) if and only if there is an integer y with ax - my : b. From Theorem 2.8, we know that if d tr b, there are no solutions, while if d I b, ax - my : b has infinitely many solutions,given by

x : ro * (m/d)t,l : lo+ b/d)t, where x : xo and y : !0 is a particular solution of the equation. The values of x given above, x:xo*'(mld)t, are the solutionsof the linear congruence;there are infinitely many of these. To determine how many incongruent solutions there are, we find the condition that describeswhen two of the solutionsxl : x0 + (m/d)tt and x2: xo * (mld)tz are congruent modulo m. If these two solutions are cbngruent,then

ro * fu/d)tr z xo * fu/d)t2(mod m).

Subtracting xo from both sidesof this congruence,we find that fu/d)tr j @/d)t2 (mod m).

(m,m/d) : m/d since z, so that by tt ,ry*"seethat Now @/d) | "ore# t r z 12(mod d). A=h

This shows that a complete set of incongruent solutions is obtained by taking x: xo+ (m/d)t, where / ranges through a complete system of residues modulo d. One such set is given by x : xo + @/d)t where / : 0,1,2,...,d- l. n We now illustrate the use of Theorem

Example. To find allsolutions of 9x = 12 (mod l5), we first note that since (9,tS) :3 and I l{hnere are exactly three incongruentsolutions. We can find these solutions by first finding a particular solution and then adding the appropriatemultiples of l5/3 : 5. To find a particular solution, we consider the linear diophantine equation 9x - l5y : 12. The Euclidean algorithm showsthat A C,q, r "v 104 Congruences

15:9'l + 6 9 :6'1 + 3 /' \ n 6:3'2, 0.t5)- ,)) so tha# s9 :'e.l : 9 - (tS-q.D :9-2 - 15. Hence9.8 - 15.4: 12, and - a particular solutionof 9x l5y : 12 is given by : 8 and lo : 4. "o From the proof of Theorem 3.7, we see that a complete set of 3 incongruent solutionsis given by t : x0 = 8 (mod l5), x : x0 + 5 = 13 (mod l5), and x : xo + 5'2: 18 = 3 (modl5).

We now consider congruencesof the special form ax ? I (mod la). From Theorem 3.7, there is a solution to this congruenceif and only if (a,m): l, and then all solutions are congruent modulo rn. Given an integer a with (a,m) : l, a solution of ax 7 I (mod lz) is called an inverse of a modulo m. / \ 73 )ly =\ lF ai=F7 r3 ?- 2.5.I i =7- L{a,-'}'f.?{ ti'L Example. Since the solutionsof 7x = I (mod 31) satisfyx = 9 (mod 3l),9, and all integers congruent to 9 modulo 31, are inverses of 7 modulo 31. Analogously, since 9'7 = I (mod 3l) , 7 is an inverseof 9 modulo 31. When we have an inverse of a modulo z, we can use it to solve any congruenceof the form ax 2 b (mod m). To see this, let a be an inverseof a modulo m , so that aa: I (mod rn). Then, if ax = D (mod m), we can multiply both sides of this congruence by a to find that - a Gx) : ab (mod rn ), so that x [[ (mod ln ) .

Example. To find the solutionsof 7x:22(mod 31), we multiply both sides of this congruence by 9,, an inverse of 7 modulo 31, to obtain 9-7x = 9-22(mod 31). Hence,x = 198 : 12 (mod 31).

We note here that if (a ,m) : l, then the linear congruence ax j b (mod m) has a unique solution modulo rn.

Example. To find all solutions of 7x = 4 (mod l2), we note that since 0,t2): l, there is a unique solution modulo 12. To find this, we need only obtain a solution of the linear diophantine equation 7x - l2y :4. The Euclidean algorithm gives 12:7' l + 5 7:5'l+2 5:2'2*l 2: 1.2.

Hence [ : 5 - 2.2: 5 - 0-5.1).2: 5.3-2.7 : (12-7.1): 3 - 2.7- 3.2 Linear Congruences 105

12.3- 5.7. Therefore,a particular solutionto the linear diophantineequation is xs : -20 and ys : 12. Hence, all solutionsof the linear congruencesare given by x = -20 = 4 (mod 12). Later otr, we will want to know which integers are their own inverses modulo p where p is prime. The following propositiontells us which integers have this property.

Proposition 3.4. Let p be prime. The positive integer a is its own inverse modulop if and only if a = | (mod p) or e : -l (mod p).

Proof. lf a :l(modp) or a : -l(modp), then a2 = l(modp), so that a is its own inversemodulo p. Conversely,if a is its own inversemodulo p, then a2: a'o: I (modp). - Hence, p I Gz-t). Since a2 l: (a-l)(a+l), either p I G-l) or -1 p I G+t). Therefore,either a = I (modp) or q:- (modp). E

3.2 Problems

l. Find all solutionsof eachof the following linearcongruences.

a) 3x = 2 (mod 7) d) l5x = 9 (mod 25) b) 6x = 3 (mod 9) e) l28x = 833 (mod 1001) c) l7x = 14 (mod 2l) f) 987x = 610 (mod 1597).

2. Leta,b,and mbe positiveintegerswitha70,m ) 0,and (a,m):L The following method can be used to solvethe linear congruenceax 2 b (mod m).

a) Show that if the integer x is a solution of ax = b (mod m), then x is also a solution of the linear congruence

ag - -b[m/al (modzr).

where c1 is the least positive residue of m modulo a. Note that this congruenceis of the same type as the original congruence,with a positive integer smaller than a as the coefficientof x.

b) When the procedure of part (a) is iterated, one obtains a sequence of linear congruences with coefficients of x equal to oo: cr ) a1) a2) Show that there is a positiveinteger n with d, : l, so that at the nth stage, one obtains a linear congruence x=B(modn). 106 Congruences

c) Use the method described in part (b) to solve the linear congruence 6x = 7 (mod 23).

3. An astronomer knows that a satellite orbits the earth in a period that is an exact multiple of I hour that is less than I day. If the astronomer notes that the satellite completes 11 orbits in an interval starting when a 24-hour clock reads 0 hours and ending when the clock reads l7 hours, how long is the orbital period of the satellite?

4. Forwhichintegerscwith0(c < 30doesthecongruencel2x=c (mod30) have solutions? When there are solutions,how many incongruent solutionsare there?

5. Find an inversemodulo 17 of

a) 4c)7 b) s d) re.

6. Show that if d'is an inverseof a modulo m and D is an inverseof D modulo m. then a- i ir un inverseof ab modulo z.

7. Show that the linear congruence in two variables ax * by = c (mod z), where a,b,c,and, m are integers,m ) 0, with d : G,b,m), has exactlydm incongruent solutions,f d I c, and no solutionsotherwise. 8. Find all solutionsof the following linear congruencesin two variables

a) 2x *3y : I (mod7) c) 6x * 3y =0 (mod9) b) 2x + 4v = 6 (mod 8) d) lOx * 5v = 9 (mod l5).

9. Let p be an odd prime and k a positive integer. Show that the congruence x2 = I (mod pt) has exactly two incongruent solutions, namely xE-fl(modpt).

10. Show that the congruence x2 = I (mod 2ft) has exactly four incongruent solutions,namely x E tl or +(t+Zk-t) (mod 2ft), when k > 2. Show that when k : I there is one solution and when k :2 there are two incongruent solutions.

I l. Show that if a and m ^re relatively prime positive integers with a ( rn, then an inverseof a modulo m can be found using O (log m) bit operations.

12. Show that if p is an odd prime and a is a positive integer not divisible by p, then the congruence x2 = a (mod p) has either no solution or exactly two incongruent solutions.

3.2 Computer Projects

Write programs to do the following: 3.3 The Chinese Remainder Theorem 107

l. Solvelinear congruenceusing the methodgiven in the text.

2. Solvelinear congruencesusing the method given in problem 2.

3. Find inversesmodulo m of integersrelatively prime to ln where m is a positive integer.

4. Solve linear congruencesusing inverses. 5. Solve linear congruencesin two variables.

3.3 The ChineseRemainder Theorem In this sectionand in the one following, we discusssystems of simultaneous congruences. We will study two types of such systems. In the first type, there are two or more linear congruencesin one variable, with different moduli (moduli is the plural of modulus). The secondtype consistsof more than one simultaneouscongruence in more than one variable, where all congruences have the samemodulus. First, we considersystems of congruencesthat involveonly one variable,but different moduli. Such systemsarose in ancient Chinesepuzzles such as the following: Find a number that leavesa remainder of I when divided by 3, a remainder of 2 when divided by 5, and a remainder of 3 when divided by 7. This puzzleleads to the following systemof congruences: I (mod 3). x 2 (mod5), x 3 (mod 7)

We now give a method for finding all solutions of systems of simultaneous congruencessuch as this. The theory behind the solution of systemsof this type is provided by the following theorem, which derives its name from the ancient Chineseheritage of the problem.

The Chinese Remainder Theorem. Let rlt1,r/t2,...,trtrbe pairwise relatively prime positiveintegers. Then the systemof congruence

x a1(modz1), x a2(mod,m2),

ar(modm,),

has a unique solutionmodulo M - tltfitz 108 Congruences

Proof. First, we construct a simultaneous solution to the system of congruences. To do this, let Mk : M/mt : fttlll2. . . tytk_rntk+l . mr. we know that (Mr, mt) : I from problem 8 of Section2.1, since : (mi, mp) I wheneveri I k. Hence, from Theorem 3.'7,we can find an inverse ./r of M1 modulo mp, so that Mt lr, = I (mod mt). We now form the sum

x : atM01* a2M21,t2* * arMry,

The integer x is a simultaneous solution of the r congruences. To demonstrate this, we must show that x ? ar, (mod m1) for k : 1,2,...,r. since mt I Mi wheneverj * k, we have Mj :0 (mod nzp). Therefore, in the sum for x, all terms except the kth term are congruent to 0 (mod m). Hence,x ? etM*lr: ak (mod m*), sinceM*t = I (mod m).

We now show that any two solutionsare congruent modulo M. Let xs and x 1 both be simultaneoussolutions to the system of r congruences. Then, for eachk, x0 E xr E ar (mod m*), so that mr | (xo-x). Using Theorem 3.7, we see that M l(xe-x1). Therefore,x0 E x1 (mod M). This showsthat the simultaneoussolution of the systemof r congruencesis unique modulo M. tr We illustrate the use of the Chinese remainder theorem by solving the systemthat arisesfrom the ancient Chinese puzzle.

Example. To solve the system

x = I (mod3) x=2(mod5) x = 3 (mod 7),

- we have M 3.5.7: 105, Mr: 105/3: 35, Mz: IA5/5: 21, and : Mt: 105/7 15. To determine !r, we solve 35yr= I (mod 3), or equivalently,2yr= I (mod 3). This yieldsjzr E 2 (mod 3). We find yzby solving 2lyz: I (mod 5); this immediately gives lz = I (mod 5). Finally, wefind ytby solvingr5yt= 1 (mod 7). Thisgives/r E I (mod 7). Hence, x E l'35'2+ 2.21.1+ 3.15.1 -- 157= 52 (mod105).

There is also an iterative method for solving simultaneous systems of congruences. We illustrate this method with an example. Supposewe wish to solvethe system 3.3 The Chinese Remainder Theorem

x=l(mod s) x =2 (mod6) x =3 (mod7).

We use Proposition 3.1 to rewrite the first congruenceas an equality, namely x : 5t * l, where / is an integer. Inserting this expressionfor x into the secondcongruence, we find that 5r+l:2(mod6). which can easily be solved to show that / : 5 (mod 6) Using Proposition 3.1 again, we write t : 6u * 5 where u is an integer. Hence, x :5(6rz+5) * I : 30u 126. When we insert this expressionfor x into the third congruence,we obtain 30u t 26 = 3 (mod 7).

When this congruenceis solved, we find that u : 6 (mod 7). Consequently, Proposition3.1 tells us thatu -7v * 6, where v is an integer. Hence, x : 30(7v+6) + 26 :210v + 206.

Translating this equality into a congruence,we find that x : 2O6(mod 210), and this is the simultaneoussolution. Note that the method we have just illustrated shows that a system of simultaneous questions can be solved by successively solving linear congruences. This can be done even when the moduli of the congruencesare not relatively prime as long as congruencesare consistent. (See problems 7-10 at the end of this section.) The Chinese remainder theorem provides a way to perform computer arithmetic with large integers. To store very large integers and do arithmetic with them requires special techniques. The Chinese remainder theorem tells us that given pairwise relatively prime moduli r/t1,r/12,...,ffi,,a positive integer n with n < M : rltiltz' ' ' mr is uniquely determined by its least positive residuesmoduli mi for j : 1,2,...,r. Supposethat the word size of a computer is only 100, but that we wish to do arithmetic with integers as large as 106. First, we find pairwise relatively prime integers less than 100 with a product exceeding106; for instance,we can take mt:99, r/t2:98, m3:97, and mq: 95. We convert integersless than 106 into 4-tuples consistingof their least positive residues modulo mt, ffi2, n43, a;fidfti4. (To convert integers as 110 Congruences

large as 106into their list of least positive residues,we need to work with large integers using multiprecision techniques. However, this is done only once for each integer in the input and once for the output.) Then, for instance,to add integers, we simply add their respective least positive residues modulo tntt, t/t2, rn3, ?,fid ftr4, rrrzking use of the fact that if x = xi (mod m) and : ! = li (mod m), then x * y xi * y; (mod m). We then use the Chinese remainder theorem to convert the set of four least positive residuesfor the sum back to an integer.

The following example illustrates this technique.

Example. We wish to add x : 123684 and y : 413456 on a computer of word size 100. We have x = 33 (mod99), y = 32 (mod99), x?8(mod98), y = 92 (mod98), x:9(mod97), y : 42 (mod97), x = 89 (mod95). y = 16 (mod95), so that

x+Y=65(mod99) x+y:2(mod98) x + Y = 51 (mod 97) x+y:10(mod95).

We now use the Chinese remainder theorem to find x * y modulo 99'98'97'95.We haveM :99'98.97.95 : 89403930,Mr: M/99:903070, Mz: Ml98:912288, Mt: Ml97:921690, and Mq: Ml95:941094. We need to find the inverse of Mi (mod /i) for i : 1,2,3,4. To do this, we solve the following congruences(using the Euclidean algorithm): - 9O307Oyt = 9ly r 1 (mod 99), 912285y2: 3yz: I (mod98), 921690y3 : 93y3 = I (mod 97), 941094ya = 24yq = I (mod 95).

-- We find that yr:37 (mod 99), yz = 38 (mod 98), /r 24 (mod 97), and !+= 4 (mod 95). Hence, x * y = 65'903070'37+ 2'912285'33+51'921690'24 + l0'941094'4 : 3397886480 = 537140(mod 39403930).

Since 0 ( x * y < 89403930,we concludethat x + y : 537140. 3.3 The Chinese Remainder Theorem 111

On most computersthe word size is a large power of 2, with 235a common value. Hence, to use modular arithmetic and the Chineseremainder theorem to do computer arithmetic, we need integers less than 235that are pairwise relatively prime which multiply together to give a large integer. To find such integers,we use numbers of the form 2m - l, where m is a positiveinteger. Computer arithmetic with thesenumbers turns out to be relativelysimple (see Knuth t57l). To produce a set of pairwise relatively prime numbers of this form, we first provesome lemmata.

Lemma 3.1. If a and b are positive integers,then the least positive residueof Za - I modulo 2b - I is 2' - 1, where r is the least positive residue of a modulob.

Proof. From the division algorithm, c : bq * r where r is the least pos'itive -l) -1) : residue of a modulo b. We have (2o : 12b++r (Zb_DebQ-t)+r a + 2b+,+2,) + (2,-l), which shows that the - remainderwhen 2a - I is divided by 2b - I is 2' l; this is the least positive residueof 2o - 1 modulo 26 - 1. D

We use Lemma 3.1 to Provethe following result.

Lemma 3.2. lf a and b are positive integers, then the greatest common divisor of 2o - 1 and 2' - 1 is 2k,b)- 1.

Proof. When we perform the Euclidean algorithm with a : ro and b - we obtain

f g : rtQt * rZ 0(12(11 : f 1 r2Q2-t r3 0(r:(-rz

: ln-2Qn-2* 0<

where the last remainder, is the greatestcommon divisorof a and b. Using Lenrma 3.1. and the steps of the Euclidean algorithm with a : rs and b : , r, when we perform the Euclidean algorithm on the pair 2a - I : Ro and2b - I : R1, w€ obtain 112 Congruences

:RrQr*Rz Rs R2 :2"-| R1 :RzQz*R: R3 :2"-\

: Rn-r Rn-zQn-z* --,'-rRn-l ^ Rn-t : 2r'-t-1 Rn-z: Rn-tQn-t.

Here the last non-zeroremainder, Rn-l : )r'-r - I : 2G'b)- l, is the greatest common divisorof Ro and R1. tr

From Lemma 3.2, we have the following proposition.

Proposition 3.5. The positive integers 2a - 1 and 2b - I are relatively prime if and only if a and b are relatively prime.

We can now use Proposition3.5 to produce a set of pairwise relatively prime integers, each of which is less than 235,with product greater than a specified integer. Supposethat we wish to do arithmetic with integers as large as 2186. We p:gk lfir:2t5 - I, tltz:zto - l, t/t3:233 - l, t7t4- ztt - l, - tns: 22e l, and r/t6:22s - l. Since the exponentsof 2 in the expressions for the mi are relatively prime, by Proposition 3.5 the M i's are pairwise relatively prime. Also, we have M : H!fl2nt3n4qrflsftio2 2t86. we can now use modular arithmetic and the Chinese remainder theorem to perform arithmetic with integersas large as 2186.

Although it is somewhat awkward to do computer operations with large integers using modular arithmetic and the Chinese remainder theorem, there are some definite advantages to this approach. First, on many high-speed computers, operations can be performed simultaneously. So, reducing an operation involving two large integers to a set of operations involving smaller integers,namely the least positive residuesof the large integers with respectto the various moduli, leads to simultaneous computations which may be performed more rapidly than one operation with large integers. Second,even without taking into account the advantages of simultaneous computations, multiplication of large integers may be done faster using these ideas than with many other multiprecision methods. The interested reader should consult Knuth t561. 3.3 The Chinese Remainder Theorem 113

3.3 Problems l. Find all the solutionsof eachof the followingsystems of congruences.

a) x:4(modll) c) x = 0(mod 2) x = 3(mod 17) x = O(mod3) x E l(mod 5) b) x = l(mod2) x = 6(mod 7) x = 2(mod 3) x = 3(mod 5) d) x :2(mod ll) x = 3(mod 12) x = 4(mod 13) x E 5(mod 17) x = 6(mod l9).

2. A troop of 17 monkeys store their bananas in eleven piles of equal size with a twelfth pile of six left over. When they divide the bananasinto 17 equal groups none remain. What is the smallest number of bananasthey can have? 3. As an odometer check, a specialcounter measuresthe miles a car travels modulo 7. Explain how this counter can be used to determine whether the car has been driven 49335, 149335, or 249335 miles when the odometer reads 49335 and works modulo 100000.

4. Find a multiple of I I that leavesa remainder of I when divided by each of the integers2,3,5, and 7.

5. Show that there are arbitrarily long strings of integerseach divisible by a perfect square. (Hint: Use the Chinese remainder theorem to show that there is a simultaneous solution to the system of congruences x 5 0 (mod 4), - x = -l (mod 9), x: -2 (mod 25),..., x -ls*l (mod p|), where p1, is the kth prime.)

6" Show that if a,b, and c are integerswith (a,b) :1, then there is an integer n suchthat Gn*b.c) : l.

In problems 7-10 we will consider systemsof congruenceswhere the moduli of the congruencesare not necessarilyrelatively prime. 7. Show that the systemof congruences

x 4 a1 (mod rn 1) x :- a2 (mod m2)

has a solution if and only if (m6m2) | Gra). Show that when there is a solution,it is unique modulo (lmvmzl). (Hint: Write the first congruenceas x : a, * km, where ft is an integer, and then insert this expressionfor x into the secondcongruence.)

8. Using problem 7, solvethe following simultaneoussystem of congruences 114 Congruences

\- at x: 4 (mod 6) b) x =7 (mod l0) y- 13 (mod 15) x=4(mod15).

9. Show that the systemof congruences

x t a1 (modz1) x z az (mod m2)

- v, 3 4, (mod ln")

- has a solution if and only if (m;,m1) | G, a) for all pairs of integers (i,7) with I (i

10. Using problem 9, solvethe following systemsof congruences

a) x= 5 (mod6) d) .r = 2 (mod 6) x=3 (modl0) x=4 (mod8) x=8 (mod15) x=2 (mod14) x = 14 (mod 15) b) x = 2 (mod 14) x = 16 (mod 2l) e) x=7 (mod9) x : l0 (mod 30) x = 2 (mod l0) x=3 (mod12) c) x=2 (mod9) x=6 (modl5). x=8 (mod15) x = l0 (mod 25)

ll. What is the smallest number of eggs in a basket if one egg is left over when the eggs are removed 2,3,4,5,or 6 at a time, but no eggs are left over when they are removed7 ata time?

t2. Using the Chinese remainder theorem, explain how to add and how to multiply 784 and 813 on a computerof word size 100.

13. A positive integer x * | with n base b digits is called an automorph to the base b if the last n base b digits of xz are the same as those of x.

a) Find the base l0 automorphs with four or fewer digits.

b) How many base b automorphs are there with n or fewer base b digits, if b has prime-power factorization 6 : pl' pl' ' ' ' pl,' Z

14. According to the theory of biorhythms, there are three cycles in your life that start the day you are born. These are the physical, emotional, and intellectual cycles, of lengths 23,28, and 33 days, respectively. Each cycle follows a sine 3.3 The ChineseRemainder Theorem 115

curve with period equal to the length of that cycle, starting with amplitude zero, climbing to amplitude I one quarter of the way through the cycle,dropping back to amplitude zero one half of the way through the cycle, dropping further to amplitude minus one three quarters of the way through the cycle, and climbing back to amplitude zero at the end of the cycle.

Answer the following questionsabout biorhythms, measuringtime in quarter days (so that the units will be integers).

a) For which days of your life will you be at a triple peak, where all of your three cyclesare at maximum amplitudes?

b) For which days of your life will you be at a triple nadir, where all three of your cycles have lowest amPlitude?

c) When in your life will all three cyclesbe a neutral position(amplitude 0) ?

15. A set of congruencesto distinct moduli greater than one that has the property that every integer satisfiesat least one of the congruencesis called a covering set of congruences.

a) Show the set of congruences x = 0 (mod 2), x = 0 (mod 3), x = | (mod 4), x = I (mod 6), and x = ll (mod 12) is a covering set of congruences.

b) Show that the set of congruences x = 0 (mod 2)), x=0(mod3), x = 0 (mod 5), x = 0 (mod7), x = I (mod6), x rl (modl0), x=l (mod l4), x =2 (mod l5), x =2 (mod2l), x 7 it (mod30),x-4 (mod 35), x = 5 (mod 42), x = 59 (mod 70), and x 104(mod 105)is a covering set of congruences.

Let m be a positive integer with prime-power factorization ^ : zo'p'r'pi' p:' . Show that the congruencex2 = 1 (mod m) has exactly 2'+' solutionswhere e : }if a6 : 0 or l, € : I if a6 : 2, and e : 2 if as} 2. (Hint: Use problems 9 and l0 of Section 2.3.)

The three children in a family have feet that are 5 inches,7 inches,and 9 inches long. When they measurethe length of the dining room of their house using their feet, they each find that there are 3 inches left over. How long is the dining room?

3.3 Computer Projects

Write programs to do the following:

l. Solve systemsof linear congruencesof the type found the Chineseremainder theorem.

2. Solvesystems of linear congruencesof the type given in problems7-10.

3. Add large integersexceeding the word size of the computer using the Chinese remainder theorem. 116 Congruences

4. Multiply large integers exceeding the word size of the computer using the Chinese remainder theorem.

5. Find automorphsto the base D, where b is a positiveinteger greater than one (seeproblem 13).

6. Plot biorhythm charts and find triple peaksand triple nadirs (seeproblem l4).

3.4 Systemsof Linear Congruences

We will considersystems of more than one congruenceinvolving the same number of unknowns as congruences,where all congruenceshave the same modulus. We begin our study with an example.

Suppose we wish to find all integers x and y such that both of the congruences 3x * 4y :5 (mod 13) 2x t 5y = 7 (mod 13) are satisfied. To attempt to find the unknownsx and |, we multiply the first congruenceby 5 and the secondby 4, to obtain

I 5x * 20y = 25 (mod 13) 8x * 20y :- 28 (mod 13).

We subtractthe first congruencefrom the second,to find that

7x = -3 (mod l3).

Since 2 is an inverse of 7 (mod 13), we multiply both sides of the above congruencesby 2. This gives

2'7 x : -2'3 (mod 13), which tells us that

x = 7 (mod l3).

Likewise, we can multiply the first congruenceby 2 and the secondby 3, to seethat 3.4 Systems of Linear Congruences 117

6x * 8y = l0 (mod13) -- 6x * l5y 2l (modl3).

Whenwe subtractthe first congruencefrom the second,we obtain

7y = 11 (mod 13).

To solve for y, we multiply both sidesof this congruenceby 2, an inverseof 7 modulo 13 . We get Z"ly :2'll (modl3), so that v = 9 (mod l3). What we have shownis that any solution(xy) must satisfy

x = 7 (mod l3), y = 9 (mod l3).

When we insert thesecongruences for x and y into the original system,we see that thesepairs actually are solutions,since 3x * 4y : 3'7+ 4'9: 57 =5 (modl3) 2x * 5v = 2'7+5'9 : 59 : 7 (modI3).

Hence, the solutions of this system of congruencesare all pairs G,y) with x = 7 (mod 13) and v = 9 (mod l3). We now give a general result concerningcertain systernsof two congruences in two unknowns.

Theorem3.8. Let a,b,c,d,€,f ,and m be integerswith m ) 0, suchthat (L,m) : l, whereA: ad-bc. Then, the systemof congruences ax*by:e(modm) cx*dy:f(modm)

has a unique solution modulo m given by = @e-bfl (mod ln) " 4 y = L Gf -ce) (mod m),

where A ir un inverseof A modulo m.

Proof. We multiply the first congruenceof the system by d and the secondby b. to obtain 118 Congruences

adx * bdy = de (mod m) bcx * bdy = bf (mod m) .

Then, we subtract the secondcongruence from the first, to find that

Gd-bc) x = de-bf (mod m),

or, sinceA: ad-bc,

Ax = de-bf (mod rn).

Next, we multiply both sidesof this congruenceby A, an inverseof A modulo m, to concludethat

x = A @e-bfl (mod la).

In a similar way, we multiply the first congruenceby c and the secondby a, to obtain

acx * bcy = ce (mod m) acx * ady = af (mod m).

We subtract the first congruencefrom the second,to find that

Gd-bc)y : of -ce (mod z) or

Ly : af -ce (mod na).

Finally, we multiply both sidesof the abovecongruence by r to seethat

y = I bf -cd (mod z). We have shown that if (x,y) is a solution of the system of congruences, then x = A @e-bf) (mod z) , y = L bf -ce) (mod z). We can easily check that anX such pair G,y) is a solution. When x=A @e-bfl (mod m) andy: ibf -tri (mod m), we have 3.4 Systems of Linear Congruences 119

ax*by gE @r-bn + bA Gf -ce) -abf -bce) L bde-abf L, fud-bc) e e (modm), and : -ce) cx * dy 4 tat-bn + dE Gf :- L Gde-brf + adf-cde) = a bd-bdf = A'L,f : / (modm).

This establishesthe theorem. tr By similar methods, we may solve systemsof r congruencesinvolving n unknowns. However, we will developthe theory of solving such systems,as well as larger systems, by methods taken from linear algebra. Readers unfamiliar with linear algebra may wish to skip the remainder of this section. Systems of r linear congruencesinvolving n unknowns will arise in our subsequentcryptographic studies. To study thesesystems when r is large, it is helpful to use the language of matrices. We will use some of the basic notionsof matrix arithmetic which are discussedin most linear algebra texts, suchas Anton t0Ol. We need to define congruencesof matrices before we proceed.

Definition. Let A and B be nxk matrices with integer entries,with (i,/)th entries aii and br7, respectively. We say that A is congruent to B modulo m if aii- bij (modm)for allpairs(i,7)withI < t ( n andt (,r < k. We - write A B (mod m) if I is congruentto B modulo m. The matrix congruence A = B (mod m) provides a succinct way of expressing the nk congruences o,j = bi1 (mod m) for I ( i ( rz and I ( 7 < /c.

Example. We easilysee that 3l (q 3l f" (modrr)' L8 12) l: rJ

The following proposition be needed. 120 Gongruences

Proposition 3.6. lf A and B are nxk matriceswith A : B (mod m), C is an kxp matrix and D is a pxn matrix, all with integer entries, then AC = ^BC (mod m) and DA = DB (mod m).

Proof. Let the entries of A and B be a;i and b,7, respectively,for I ( i ( n and l(7

Now let us considerthe systemof congruences --- QttXtl anxz* *er, xn b1 (modm) AZtXt * aZZXZ t *?r, x, 2 b2 (modm)

Qnr Xt * anZXZ * lann xn : bn (mod rn ).

Using matrix notation, we seethat this system of /, congruencesis equivalent to the matrix conqruenceAX = B (mod lz ).

Qtt an Qln X1 by

azt azz Q2n X2 bz where A : ,X: ,andB:

Anl An2 Onn xn bn

Example. The system

3x*.4y :{ (mod 13) 2xt5y (mod l3) can be written as 3.4 Systemsof LinearCongruences 121

b 4l f'l fsl | | | [ - Ll (modl3). 12 sJ lyj L7J

We now develop a method for solving congruences of- the form AX = B (mod m). This method is based on finding a matrix I such that 7Z - 1 (mod m), where 1 is the identity matrix.

Definition. lf A and ,q are nxn matrices of integers and if ol f'oll t ol tra -,qI:/ (modz), whereI : lo ... isthe identity matrix of ll 100 t,l order n, then 7 is said to be an inverse of A modulo m . If A is an inverse of A and B : 7 (moO rn ), then ^B is also an inverse of A. This follows from Proposition3.6, sinceBA = AA = I (mod m).

Conversely,if 81 and 82are both inversesof A,then Br= 82(modm). To seethis, using Proposition3.6 and the congruenceB1A = BzA = I (modm), we haveBABI: B2ABr (modlcl). SinceABt:1 (modm), we conclude that Bt Z Bz (mod ln).

Example. Since = (m.d5, :;l [t:): [t,[] [;?]

and 1,r4l Ir 3.l: f" xl : |,rol (mod5), |.12) l.24) 15il,l l0rJ

ol [r l] we seethat the 1-^+rivnatrix[' is,. an^ inverse of 5. l, r,J l, o)modulo The followingproposition gives an easymethod for findinginverses for 2x2 matrices.

Proposition3.7. Let A - be a matrix of integers,such that t:') A : det A : ad-bc ts relativelyprime to the positiveinteger m . Then, the 122 Congruences

matrix o-ul r : o=f l-. o)' wherea is the inverseof A modulom,isan inverseof I modulom.

Proof. To verify that tbg matrix 7 ir an inverse of A modulo ra, we need only verify that AA = AA =I (mod z). To see this, note that f u)-l a -ol -fad-bc o l AA: |" ,l4l l:nl -bc+ad).l Va)-l-c oJ--l 0 -faol faao I frol = ^|-ooj=l 1(mod z) o ooj=lo',l: and -f a -n) (" ol - fad-bc o I --f-. -t: A I I AA=LI a)lrd)| | al0 -bc+ad) [aol faaol l,rol : A : = : I (modm)' fooJ I o lo,l [o',l where f ir un inverseof A (mod m), which existsbecause (a,.d : l. tr ir +l Example.Let A : Since2 is an inversedet A:7 modulo13, we lr r,J. have _+l tr_2 1.s : |,ro_sl= |'rosl(moar). l-23) l-46) l.e6J

To provide a formula for an inverseof an nxn matrix where n is a positive integer, we need a result from linear algebra. This result may be found in Anton [60; page 791. It involvesthe notion of the adjoint of a matrix, which is defined as follows.

Definition. The adjoint of an nxn malrix A is the n\n matrix with (i,;)th entry Cyi, where Cii is (-l)t+i times the determinantof the matrix obtained by deleting the ith row and 7th column from A. Thg adjoint of I is denoted 3.4 Systems of Linear Congruences 123

by adj(l).

Theorem 3.9. If A is an nxn matrix with det A* 0, then A GdjA) : (det A) I , where adj A is the adjoint of A. Using this theorem,the following propositionfollows readily.

Proposition 3.8. If A is an n\n matrix with integer entries and rn is a positiveinteger such that (det 'q,U) :1, then the matrix A : A (adj A) is an inverseof I modulo m, where A is an inverseof A : det A modulo m.

Proof. If (det A,m) : l, then we know that det A * 0. Hence, from Theorem 3.9. we have

AadjA:(detnl:A1.

Since (det Z,nl) : l, there is an inverseA of A : det I modulo z. Hence, A (A adj A) = A ' {.zLdjnE - afl = I (mod m), and e tuolilA - [ (uojA ' A) - aar : 1 (modrn ).

This showsthat 7 :^ ' (adj l) is an inverseof I modulo ru. tr fzs ol Example. Let A : 2|.. Then detA: -5. Since(det A,7) :1, and an 120 u 23J inverseof det A : -5 is 4 (mod 7), we find that -2-3 sl -s l-a-tz2ol fezel I:4(.:,djA):4 o tol: l-ro o ool- ltosl(modi), 4 r-r0J t 0 4-40) 1242)

We can use an inverseof I modulo m to solvethe system

AX : B (mod m),

where (det A,m) : l. By Proposition3.6, when we multiply both sidesof this congruenceby an inverseA of A, we obtain 124 Congruences

A Ux): LB (modm) - (,q,4x 4B (modm) X : A B (modn).

Hence,we find the solutionX by forming A B (mod m ). Note that this method providesanother proof of Theorem 3.8. To seethis, ret AX: B, whereA : x : and B - If l:'), t;] [;] A : det A : ad - bc is relativelyprime to ln, then -f -t) - - f"l -1'-1'"--l-. a ||f,l |-^,,_),1(modm). fa, nrl l..l:X=A B-Ai_, ..r lyj ")lf)-ulo, This demonstratesthat (x,y) is a solutionif and only if

x = A,(de-bfl (mod z), y = I bf -ce) (mod lz).

Next, we give an exampleof the solution of a systemof three congruences in three unknownsusing matrices.

Example. We considerthe systemof three congruences

2x1* 5x2t 6xt: 3 (mod7) 2x1 * xt j 4 (mod 7) xr * 2x2* 3x:: I (mod7).

This is equivalentto the matrix congruence sol ,l lzo I [",] f 12 I l"'l =- lalr.noo'^'^"-rl. lrz r,l l",j I'J

we have previouslyshown that the matrix ll 3 : is an inverse of |.242 lzsel tmooz) Hence'wehave l?: lJ 3.4 Systems of Linear Congruences 125

[*,1 fozellrl [r'l lol

l-l:l^.^lll:l-.1:l",l lrosll.l : ltl: I'l(mod7) l',J lz+zjL'J lro) lrj

Before leaving this subject,we should mention that many methodsused for solving systems of linear equations may be adapted to solve systems of congruences. For instance,Gaussian elimination may be adapted to solve systemsof congruenceswhere division is always replacedby multiplication by inversesmodulo ru. Also, there is a method for solvingsystems of congruences analagousto Cramer's rule. We leave the developmentof these methods as problemsfor thosereaders familiar with linear algebra.

3.4 Problems l. Find the solutionsof the followingsystems of linearcongruences. a) x*2y I (mod 5) 2x* y I (mod 5) b) x*3y I (mod 5) 3xt4y 2 (mod 5) d4x +y (mod 5) 2x +3v (mod 5).

Z. Find the solutionsof the following systemsof linear congruences.

a) 2x*3y (mod 7) x*5y (mod 7)

b) 4x* y=5 (mod7) x*2y=4(mod7).

3. What are the possibilitiesfor the number of incongruent solutionsof the system of linear congruences

ax*by:c(modp) : dx * ey f (mod fl,

wherep is a prime and a,b,c d,e, andf are positiveintegers? 4. Find the matrix C such that 126 Congruences

fz'l f+ol Q- (mod5) lor,l llJ

and all entries of C are nonnegativeintegers less than 5.

5. Use mathematical induction to prove that if A and B are nxn matrices with integer entries such that A = B(mod m ), then Ak : Bk(modm) for all positiveintegers k.

6. A matrix A * I is called involutory modulo m if 42 = 1 (mod z). 14nl a) Show that is involutory modulo 26. | | 22) b) Show that if A is a 2x2 involutory matrix modulo m, then detA:tl(modrn).

7. Find an inversemodulo 5 of each of the.following matrices forl il lr ol i',i b) |.,oJ z) c) lz lt ,J 8. Find an inversemodulo 7 of each of the following matrices frrol a) t lt 0 I [0 1 lJ fr z:l b) lr2sl u 4 6J r) lr r r 0l ll l0ll v'^) | | ll0rll' l0r r r,J 9. Use the results of problem 8 to find all solutionsof each of the following systems

a) x+y : I (mod 7) x*zz2(mod7) Y*z=3(mod7) 3.4 Systemsof LinearCongruences 127

b) x*2y*32 : I (mod 7) x*3y*52=l(mod7) x*4yl6z=l(mod7)

c) x*y *z = (mod 7) x*y *w : (mod 7) xtz iw : (mod 7) Y*z *w = (mod 7). 10. How many incongruent solutions does each of the following systems of congruenceshave

a) x* y* z i I (mod 5) 2x*4y*32: I (mod 5)

b) 2x*3y* z 3 (mod 5) x*2y*32 I (mod 5) 2x* z I (mod 5)

c) 3x* y*32 = I (mod5) x*2yt4z :2(mod5) 4x *3y *22:3 (mod5)

il2x*y*z (mod 5) x *2y * z (mod 5) x * y *22 (mod 5).

Develop an analogueof Cramer's rule for solving systemsof n linear congruences in n unknowns.

t2. Develop an analogue of Gaussian elimination to solve systems of n linear congruencesin z unknowns (where m and n may be different).

13. A magic square is a square array of integers with the property that the sum of the integers in a row or in a column is always the same. In this problem, we presenta method for producing magic squares.

a) Show that the n2 integers0,1,...,n2-l are put into the n2 positionsof an n x/, square,without putting two integers in the same position, if the integer k is placed in the i th row and 7th column, where

i=a*ck*e{klnl (modn), j=b+dk+flk/nl (modn),

I < t ( n, 1 ( / ( n, and a,b,c d,e, andf are integers with kf -de,n) : l. b) Show that a magic square produced part (a) (c,n) : (d ,n) : (e,n) : (7 ,n) : l. 128 Congruences

c) The positive and negative diagonals of an nxn square consist of the integers in positions (t1), where i + j = k (mod n) and t- j =ft (modn),respectively,where k isa giveninteger. Asquareis called diabolic if the sum of the integers in a positiveor negativediagonal is always the same. Show that a diabolic square is produced using the procedure given in part (a) if Gtd,n) : (c-d,n) : G*f ,n) : G-f ,n) : l.

3.4 Computer Projects

Write programs to do the following:

l. Find the solutions of a system of two linear congruencesin two unknowns using Theorem 3.8.

2. Find inversesof 2x2 matrices using Proposition3.7.

3. Find inversesof nxn matncesusing Theorem 3.9.

4. Solve systemsof n linear congruencesin n unknowns using inversesof matrices.

5. Solve systems of n linear congruences in n unknowns using an analogue of Cramer's rule (seeproblem ll).

6. Solve system of n linear congruences in m unknowns using an analogue of Gaussianelimination (seeproblem l2).

7. Produce magic squaresby the method given in problem 13. Applicationsof Gongruences

4.1 Divisibility Tests Using congruences,we can develop divisibility tests for integers based on their expansionswith respectto different bases' We begin with tests which use decimal notation. In the following discussion let n: (oooo-r...apo)rc. Then fl:QklOft + arr-J0t-l+ * 4110* oo, with 0 ( o.r ( 9 for,t:0,1, 2,...,k. First, we develop tests for divisibility. by powers.. of 2. Since l0 = 0 (mod 2), Theorem 3.5 tells us that 10/ :0 (mod 2r) for all positive integers7. Hence, n = (a) 1s(mod 2), n = (arao)ro(mod 22), n 3 (azarao)ro(mod 23),

n: (ai-fii-2. . .azarao)to (mod2/)

These congruencestell us that to determine whether an integer n is divisible by 2, we only need to examineits last digit for divisibility by 2. Similarly, to determine whether n is divisible by 4, we only need to check the integer made up of the last two digits of n for divisibility by 4. In general, to test n for divisibility by 2i, we only need to check the integer made up of the last 7 digits of n for divisibility by 2i . r29 130 Applications of Congruences

Example.Let n:32688048. we see that 2ln since zlg, al, since 4 49,8 since g04g, | l, s | +a, 16 | nsincet6 | but 32 /r since'lzi gso+g.- To develop tests for divisibility by powers of 5, first note that since = (mod :0 l0 0 5), we have lY (mod 5/). Hence, divisibility tests for powersof 5 are analogousto those for powersof 2. We only need to check the integer made up of the last 7 digits of n to determinewhether n is divisiblebv 5i.

Example. Let n: 15535375.Since s I s, 5 | n, sincezs lls,25 | n, since 125 | 375, 125 | n, but since625 | slls,625 I n.

Next, we developtests for divisibility by 3 and by 9. Note that both the : congruences l0 I (mod 3) and l0 = I (mod 9) hold. Hence, : 10e I (mod 3) and (mod 9). This givesus the useful congruences (apa1r-1...aps): ekl0& + a*_tl0k-l + * alO * a6 : ek * ap4 *' . . + ar *as (mod3) and (mod9).

Hence, we only need to check whether the sum of the digits of n is divisible by 3, or by 9, to seewhether n is divisibleby 3, or by 9.

: Example. Let n 412783s. Then, the sum of the digits of n is 4+ | +2+ 7 + 8 + 3 + 5:30. SinceI lrobut 9 lt},3l nbutgln. A rather simple test can be found for divisibility by I L Since l0 : -l (mod I l), we have

(a1ra1r-1...aps)t0:aklOk + a1r-110k-r* * alO * as : ak(-l)ft * a*-r(-t)t-t + -at * as (mod I l).

This shows that (apap-1....aps)rc is divisible by I l, if and only if os- at * o2- + (-I)kap, the integer formed by alternately adding and subtracting the digits, is divisible by I l.

Example. We see that 723160823is divisible by 11, since alternately adding and subtractingits digits yields i-z+g-0+6-l+3-z*7:22 which is divisible ll. On the other hand, 33678924is not divisible bv 11. - - since4 2 + 9 8 + 7 - 6 + 3 - 3 :4 is not divisibleby ll. Next, we develop a test to simultaneouslytest for divisibility by the primes 7,ll, and 13. Note that 7'll'13 : l00l and 103: 1000: -l (mod l00l). Hence. 4.1 Divisibility Tests 131

(a1,a1r-r...adro:aklOk + a*-JOft-l + * alO * c6 : (ao* l0ar * 100a) + 1000(ar* 1}aa* 10045)* (tOOO)'(ou+ l0a7 t 100a6)r = (100a2* 10cr+ a0) - (l00ar * l}aa* a) * (t00ar * l0a7 + a) - = (a2a,as),.- (o 5aaa3),s* (a sa7a6)rc- (mod 1001).

This congruencetells us that an integer is congruent modulo l00l to the integer formed by successivelyadding and subtracting the three-digit integers with decimal expansionsformed from successiveblocks of three decimal digits of the original number, where digits are grouped starting with the rightmost digit. As a consequence,since 7,11, and l3 are divisorsof 1001,to determine whetheran integeris divisibleby 7,11, or 13,we only needto checkwhetherthis alternatingsum and differenceof blocksof three digits is divisibleby 7,11, or 13.

Example. Let n - 59358208. Since the alternating sum and difference of the - -91, integers formed from blocks of three digits, 208 358 + 59 : is divisibleby 7 and 13, but not by 11, we seethat r is divisibleby 7 and 13, but notbyIL -----*?.ll of theTvisibility tests we have developedthus far are based on decimal representations. We now develop divisibility tests using base b representations,where b is a positive integer.

Divisibility Test 1. If d I b and 7 and k are positive integers with i < k, then (a1...aps)6 is divisibleby di if and only if (a1-r...apo)uis divisibleby 4i.

Proof. Since b = 0 (mod d), Theorem 3.5 tells us that bj :0 (modd/). Hence, (apa1r-1...aps)6:arrbk * " '+ albl + ai-fti-l + "'+aft*as =aj-ftj-r+"'+a1b*as : (ai-t...aPs)6 (mod d/).

Consequently,d I Q1,a1r-1...aps)6if and only if d I G1-t...aps)6. -

DivisibilityTest 2. lf d | (b-t), then n: (ap...aps)6 is divisibleby d if and only if ap t ' '' + ar t as is divisibleby d.

Proof. Since d | $-l), we have b = I (mod d), so that by Theorem 3.5 we know that bj - I (mod d) for all positiveintegers b. Hence,(ap...aflo)r: 132 Opplications of Congruences .

alrbkI t aft I aoz at * * a1t a6 (modd). This showsthat dlnifandonlyifdl(a*+ * a1t as). tr

Divisibility Test.3. lf d | (b + l), then n : (ap...aps)6 is divisible by d if and only if (-I)kap * -ar * a6 is divisibleby d.

Proof. Since d I ft + 1), we have g: -l (mod d). Hence,bi = (-l)/ (mod d), and consequently,n : (a1, ...aps)b : (-t)k a1, + - o1 (mod * ao d). Hence, d I n if and only if d | ((-l)o oo + -a1 * as). n

Example.Let n: (7F28A6)16(in hex notation).Then, since zl te, from DivisibilityTest l, we know that 2 | n, sincezl e. Likewise,since 4 | 16,we seethat aln, since4tr6. By DivisibilityTest Z, since3l(f6-l), 5l(t6-1), and 15l(16-t), and 7+F+2+8 +A *6:(30),u, we knowthat 3 | n, sinceI | (:O)16,while 5 tr, and I 5 I n, since5 / (30)roand (30)ro. ts / Furthermore,by DivisibilityTest 3, since 17 | (16 + l) and -2* -7: n =6- A +8 F (,q)ru(mod l7), weconcludethat l7 trr, since17 I (D rc.

Example.Let n : (1001001I ll)2. Then, using Divisibility Test 3, we see that3lr, sincen = | - 1+ 1- I +0-0+1- 0+0-l:0(mod3) and3l(z+t) .

4.1 Problems l. Determinethe highestpower of 2 dividingeach of the followingpositive integers

a) 201984 c) 89375744 b) 1423408 d) 4t578912246.

2. Determine the highest power of 5 dividing each of the following positive integers

a) 112250 c) 235555790 b) 4860625 d) 48126953125.

3. Which of the following integers are divisible by 3? Of those that are, which are divisible by 9?

a) 18381 c) 987654321 b) 65412351 d) 78918239735 4.1 Divisibility Tests 133

4. Which of the following integers are divisible by I I

a) 10763732 c) 674310976375 b) 108632001s d) 89243t00645372

5. A repunit is an integerwith decimalexpansion containing all l's.

a) Determine which repunits are divisible by 3; and which are divisible by 9.

b) Determine which repunits are divisible by I l.

c) Determine which repunits are divisibleby 1001. Which are divisible by 7? by 13?

d) Determine which repunits with fewer than l0 digits are prime.

6. A base b repunit is an integer with base b expansioncontaining all 1's.

il Determine which base D repunits are divisible by factors of 6 - l.

b) Determine which base b repunits are divisible by factors of b * l.

7. A base b palindromic integer is an integer whose base 6 representationreads the same forward and backward.

il Show that every decimal palindromic integer with an even number of digits is divisibleby I l.

b) Show that every base 7 palindromic integer with an even number of digits is divisibleby 8.

8. Develop a test for divisibility by 37, based on the fact that 103= I (mod 37). Use this to check 443692 and I 1092785for divisibility by 37.

9. Devise a divisibility test for integersrepresented in base b notation for divisibility by n where n in a divisor of b2 + l. (Hint: Split the digits of the base b representationof the integer into blocks of two, starting on the right).

10. Use the test you developedin problem 9 to decide whether

il (tot t 101lo)2is divisibleby 5.

b) (12100122)3rs divisibleby 2, and whether it is divisibleby 5.

c) (36470124$8 is divisible by 5, and whether it is divisible by 13.

d) (SS:ZO+t320219)ro is divisibleby 101.

ll. An old receipt has faded. It reads 88 chickens at a total of $x4.2y where x and y ^re unreadabledigits. How much did each chicken cost?

12. Use a congruence modulo 9 to find the missing digit, indicated by a question mark: 89878'58965: 5299?56270.

13. We can check a multiplication c : ab by determining whether the congruence c 2 ab (mod rn ) is valid. where m is anv modulus. If we find that 134 Applications of Congruences

c # ab (mod z), then we know an error has been made. When we take m :9 and use the fact that an integer in decimal notation is congruent modulo 9 to the sum of its digits, this check is called casting out nines. Check each of the following multiplications by casting out nines il 875961-2753: 2410520633

b) t4789.23567 : 348532367

c) 24789'43717: 1092700713.

d) Are your checks foolproof?

14. What combinations of digits of a decimal expansionof an integer are congruent to this integer modulo 99? Use your answer to devise a check for multiplication based on casting out ninety nines. Then use the test to check the multiplicationsin problem 13.

4.1 Computer Projects

Write programs to do the following:

1. Determine the highest powersof 2 and of 5 that divide an integer.

2. Test an integer for divisibility by 3,7,9, ll, and 13. (Use congruencesmodulo l00l for divisibility by 7 and 13.)

3. Determine the highest power of each factor of b that divides an integer from the base b expansionof the integer.

4. Test an integer from its base b expansion,for divisibility by factors of b - I and of b + L

4.2 The PerpetualCalendar

In this section,we derive a formula that gives us the day of the week of any day of any year. Since the days of the week form a cycle of length seven,we use a congruencemodulo 7. We denote each day of the week by a number in the set 0, I,2,,3, 4,5,6, settingSunday:0, Monday : l, Tuesday:2, Wednesda! : 3, Thursday : 4, Fridey :5, and Saturday : $.

Julius Caesarchanged the Egyptian calendar,which was basedon a year of exactly 365 days, to a new calendar with a year of averagelength 365 V4days, with leap years every fourth year, to better reflect the true length of the year. However, more recent calculations have shown that the true length of the year is approximately 365.2422days. As the centuries passed,the discrepanciesof 0.0078 days per year added up, so that by the year 1582 approximately l0 extra days had been added unnecessarilyas leap years. To remedy this, in 4.2 The Perpetual Calendar 13s

1582 Pope Gregory set up a new calendar. First, l0 days were added to the date,so that October5, 1582,became October 15, 1582 (and the 6th through the l4th of October were skipped). It was decidedthat leap years would be preciselythe years divisible by 4, except those exactly divisible by 100,i.e., the yearsthat mark centuries,would be leap yearsonly when divisible by 400. As an example,the years 1700, 1800, 1900, and 2100 are not leap years but 1600 and 2000 are. With this arrangement, the average length of a calendar year is 365.2425days, rather close to the true year of 365.2422 days. An error of 0.0003 days per year remains,which is 3 days per 10000 years. In the future, this discrepancy will have to be accounted for, and various possibilitieshave been suggestedto correct for this error.

In dealing with calendar dates for various parts of the world, we must also take into account the fact that the Gregorian calendar was not adopted everywherein 1582. In Britain, the Gregorian calendar was adoptedonly in 1752,and by then, it was necessaryto add I I days. Japanchanged over 1873, the Soviet Union and nearby countries in 1917. while Greece held out until 1923.

We now set up our procedure for finding the duy of the week in the Gregorian calendar for a given date. We first nrust make some adjustments, becausethe extra day in a leap year colmesat the end of February. We take care of this by renumbering the months, starting each year in March, and consideringthe months of January and February part of the precedingyear. For instance,February 1984,is consideredthe 12th month of 1983, and May 1984,is consideredthe 3rd month of 1984. With this convention,for the day of interest, let k : day of the month, z : month, and N : year, with N : 100C + IZ, where C : century and Y : particular year of the century. For example,June 12, 1954,has k:12,fr7:4,N:1954,C:19, and Y :54.

We use March 1, of each year as our basis. Letdy representthe day of the week of March 1, in year I{. We start with the year 1600 and compute the day of the week March l, falls on in any given year. Note that between March I of year l/ - I and March I of year ly', if year N is not a leap year, 365 days have passed,and since 365 : I (mod 7), we seethat du : dN_, * I (mod 7), while if year l/ is a leap year, since there is an extra day between the consecutivefirsts of March, we see that dy = dx_r + 2 (mod 7). Hence, to find dys from drooo,we must find out how many leap years have occurred between the year 1600 and the year N (not including 1600, but including N). To compute this, we first note that there are [(nrr - 160c)/41 years divisible by 4 between 1600 and N, there are [Or-t600)/1001 years divisible by 100 between 1600 and N, and there are ICnr - 1600)/4001years divisible by 400 between 1600 and N. Hence, the number of leap years 136 Applicationsof Congruences

between1600 and N is t0,r - rc00D/41-tor - 1600)/1001+ tcnr - 1600)/4001 : lN /41- 400- lX /t001+ t6 + Ir{/4001 - 4 : lN /41- lw /tool + It//4ool- 388.

(We have used Proposition1.5 to simplify this expression).Now putting this in terms of C and Y , we seethat the number of leap years between1600 and l/ is lzsc+ v/Dl - tc + v/r0o)l+ 1,rc/0+ v/400)l- ras :25C + IY/41 - C + tC/41- 388 = 3C + lC/41+ lY/41- 3 (mod7).

Here we haveagain used Proposition 1.5, the inequalityY/100 ( 1, and the equation |,rc/4 + V /4001 : lc /+l (which follows from problem 20 of Section1.2, since Y/400 < llq.

We can now compute d1y from drcooby shifting drcooby one day for every year that has passed,plus an extra day for each leap year between 1600 and N. This gives the following formula: dx=drcoo+100c+Y-1600+ 3C + IC/41+ lYl4l- 3 (mod7).

Simplifying, we have dx : drcoo- 2c + y + tc/41+ ly/41 (mod7).

Now that we have a formula relating the day of the week for March l, of any year, with the day of the week of March 1, 1600, we can use the fact that March |, 1982, is a Monday to find the day of the week of March I , 1600. For 1982,since.ly': 1982,wehave C : 19,andY :82, and sincedptz: l, it follows that

| = drcoo- 38 + 82 + [19/41 + ts2/41 :- drcoo- 2 (mod 7).

Hence, drcoo:3, so that March 1, 1600,was a Wednesday.When we insert the value of d16ss,the formula for d1,,becomes

du : 3 - 2C + Y + lC/41 + IYl4l (mod 7).

We now use this formula to compute the day of the week of the first day of each month of year l{. To do this, we have to use the number of days of the week that the first of the month of a particular month is shifted from the first of the month of the preceding month. The months with 30 days shift the first of the following month up 2 days, because30 : 2 (mod 7), and thosewith 31 4.2 The Perpetual Calendar 137

: (mod days shift the first of the following month up 3 days, because31 3 7) ' Therefore, we must add the following amounts:

from March l, to APril l: 3 daYs from April l, to May I : 2 daYs from May l, to June l: 3 daYs from June l, to July I : 2 daYs from July 1, to August 1: 3 daYs from August 1, to Septemberl: 3 daYs from September 1, to October I : 2 daYs from October l, to November l: 3 days from November 1, to December 1: 2 days from Decemberl, to January l: 3 daYs from January 1, to February 1: 3 daYs.

We need a formula that gives us the same increments. Notice that we have 1l incrementstotaling 29 days, so that each incrementaverages 2.6 days. By inspection, we find that the function lZ.6m - 0.21- 2 has exactly the same increments as rn goes from I to I l, and is zero when m : l. Hence, the day of the week of the first day of month m of year N is given by by the least positiveresidue of dy + [2.6m - 0.21- 2 modulo 7. To find W, the day of the week of day k of month m of year.ly', we simply add k-l to the formula we have devisedfor the day of the week of the first day of the same month. We obtain the formula: - w k + 12.6m- o.2l- 2C + Y + IYl4l + lcl4l (mod7).

We can use this formula to find the day of the week of any date of any year in the Gregorian calendar.

Example. To find the duy of the week of January 1, 1900, we have c : 18, Ir: 99,m: ll, and k : | (since we considerJanuary as the eleventh month of the preceding year). Hence, we have - w I + 28 - 36 + 99 + 4 + 24 :- I (mod 7), so that the first day of the twentieth century was a Monday.

4.2 Problems

l. Find the day of the week of the day you were born, and of your birthday this Year. 138 Applicationsof Congruences

2. Find the day of the week of the following important dates in U. S. history (use the Julian calendar before 1752, and the Gregorian calendar from I 752 to the present)

il October 12, 1492 (Columbus sights land in the Caribbean) b) May 6, 1692 (peter Minuit buys Manhattan from the natives) c) June 15, 1752 (Benjamin Franklin inventsthe lighteningrod) d July 4, 1776 (U. S. Declaration of Independence) e) March 30, 1867 (U. S. buys Alaska from Russia) f) March 17, 1888 (Great blizzard,in the Eastern u. s.) d February 15, 1898 (U. S. BattleshipMaine blown up in Havana Harbor) h) July 2, 1925 (Scopesconvicted of teaching evolution) i) July 16, 1945 (First atomic bomb exploded) j) July 20, 1969 (First man on the moon) k) August 9,1974 (Nixon resigns) l) March 28, 1979 (Three Mile Island nuclear mishap).

3' To correct the small discrepancy between the number of days in a year of the Gregorian calendar and an actual year, it has been suggestedthat the years exactly divisible by 4000 should not be leap years. Adjust the formula for the day of the week of a given date to take this correction into account.

4. Which of your birthdays, until your one hundredth, fall on the same dav of the week as the day you were born?

5. Show that days with the same calendar date in two different years of the same century, 28, 56, or 84 years apart, fall on the identical day of the week.

6. A new calendar called the International Fixed Calendar has been proposed. In this calendar, there are 13 months, including all our present months, plus a new month, called So/, which is placed between June and July. Each month has 28 days, except for the June of leap years which has an extra day (leap years are determined the same way as in the Gregorian calendar). There is an extra day, Year End Day, which is not in any month, which we may consideras December 29. Devise a perpetual calendar for the International Fixed Calendar to give day of the week for any calendar date.

4.2 Computer Projects

Write programs to do the following:

l. To give the day of the week of any date.

2. To print out a calendar of any year.

3. To print out a calendar for the International Fixed Calendar (See problem 6). 4.3 Round-RobinTournaments 139

4.3 Round-RobinTournaments Congruences can be used to schedule round-robin tournaments. In this section,we show how to schedulea tournament for I/ different teams, so that each team plays every other team exactly once. The method we describewas developedby Freund t65]. First note that if N is odd. not all teams can be scheduledin each round, since when teams are paired, the total number of teams playing is even. So, if N is odd, we add a dummy team, and if a team is paired with the dummy team during a particular round, it draws a bye in that round and does not play. Hence, we can assumethat we always have an even number of teams, with the addition of a dummy team if necessary. Now label the N teamswith the integers1,2,3,...,If-1, N. We construct a schedule,pairing teams in the following way. We have team i, with i * N, play team j, with j I N and j # i, in the kth round if i + j: k (mod /V-l). This schedulesgames for all teams in round k, except for team N and the one team i for which 2i : k (mod li-l). There is one such team because Theorem 3.7 tells us that the congruence 2x :- k (mod /V-l) has exactly one solution with I ( x < .A/-1, since (2, N-l) : 1. We match this team i with team ^A{in the kth round. We must now show that each team plays every other team exactly once. We considerthe first tr/-l teams. Note that team i, where I < t <,Af-l, plays team l/ in round k where 2i : k (mod lf-l), and this happensexactly once. In the other rounds, team i does not play the same team twice, for if team i played team 7 in both rounds k and k', then i + j = k (mod l/-l), and i + j = k' (mod N-l) which is an obvious contradiction because k # k'(mod N-l). Hence, since each of the first lf-l teams plays .Af-l games, and does not play any team more than once, it plays every team exactly once. Also, team I{ plays N-l games, and since every other team plays team N exactly once, team N plays every other team exactly once.

Example. To schedule a round-robin tournament with 5 teams, labeled I,2,3,4, and 5, we includea dummy team labeled6. In round one, team I playsteamT where| + j = l(mod 5). This istheteamj:5 sothat teamI plays team 5. Team 2 is scheduled in round one with team 4, since the solutionof 2+ j =l (mod5) is 7:4. Sincei:3 is the solutionof the congruence2i = 1 (mod 5), team 3 is paired with the dummy team 6, and hence,draws a bye in the first round. If we continue this procedureand finish schedulingthe other rounds,we end up with the pairingsshown in Figure 4.1, where the opponentof team i in round k is given in the kth row and i th column. 140 Applicationsof Congruences

Team I 2 3 4 5 Round

I 5 4 bye 2 I

2 bye 5 4 3 2

3 2 I 5 bye 3

4 3 bye I 5 4

5 4 3 2 I bye

Figure 4.1. Round-Robin Schedulefor Five Teams.

4.3 Problems

1. Set up a round-robin tournament schedulefor

a) 7 teams c) 9 reams b) 8 teams d) 10 teams.

2. In round-robin tournament scheduling, we wish to assign a home team and an away team for each game so that each of n teams, where n is odd, plays an equal number of home games and away games. Show that if when i + j is odd, we assign the smaller of i and 7 as the home team, while if i + 7 is even, we assign the larger of f and 7 as the home team, then each team plays an equal number of home and away games.

3. In a round-robin tournament scheduling, use problem 2 to determine the home team for each game when there are

a) 5 teams b) 7 teams c) 9 teams.

4.3 Computer Projects

Write programs to do the following:

l. Schedule round-robin tournaments. 4.4 Computer File Storage and Hashing Functions t4l

2. Using problem 2, scheduleround-robin tournaments for an odd number of teams, specifying the home team for each game.

4.4 ComputerFile Storage And Hashing Functions A university wishes to store a file for each of its students in its computer. The identifying number or key for each file is the social security number of the student enrolled. The social security number is a nine-digit integer, so it is extremely unfeasible to reserve a memory location for each possible social security number. Instead, a systematic way to arrange the files in memory, using a reasonableamount of memory locations, should be used so that each file can be easily accessed. Systematic methods of arranging files have been developedbased on hashtng functions . A hashing function assignsto the key of each file a particular memory location. Various types of hashing functions have been suggested,but the type most commonly used involves modular arithmetic. We discuss this type of hashing function here. For a general discussionof hashingfunctions see Knuth [52] or Kronsjii t581. Let k be the key of the file to be stored; in our example, k is the social security number of a student. Let m be a positive integer. We define the hashingfunction h (k) by h(k) =k (mod,m), where 0 < ft(k) < m,so that h(k) is the least positiveresidue of k modulo m. We wish to pick n intelligently, so that the files are distributed in a reasonableway throughoutthe z different memory locations0, 1,2,..., m-|. The first thing to keep in mind is that z should not be a power of the base b which is used to representthe keys. For instance,when using social security numbers as keys, ra should not be a power of 10, such as 103, becausethe value of the hashing function would simply be the last several digits of the k"y; this may not distribute the keys uniformly throughout the memory locations. For instance, the last three digits of early issued social security numbers may often be between 000 and 099, but seldom between 900 and ggg. Likewise, it is unwise to use a number dividing 6t * a where k and a are small integers for the modulus rn. In such a case,h (k) would depend too strongly on the particular digits of the key, and different keys with similar, but rearranged, digits may be sent to the same memory location, For instance, if m: lll, then,since lll | (tO3-l) :999, we have 103= 1 (mod 111),so that the social securitynumbers 064212 848 and 064 848 212 are sent to the same memory location, since 142 Applicationsof Congruences

h@64 2r2 S4$ = 064 2r2 848= 064 + 2r2+ 848 = ll24 : 14 (mod 111),

and h(0648482rD= 064848 2r2:064 + 848+ 2r2= rr24: 14(mod lll).

To avoid such difficulties, z should be a prime approximating the number of available memory locations devoted to file storage. For instance, if there are 5000 memory locations available for storage of 2000 student files we could pick m to be equal to the prime 49G9.

We have avoided mentioning the problem that arises when the hashing function assignsthe same memory location to two different files. When this occurs,we say the there is a collision. We need a method to resolvecollisions, so that files are assignedto different memory locations. There are two kinds of collision resolution policies. In the first kind, when a collision occurs. extra memory locationsare linked together to the first memory location. When one wishes to accessa file where this collision resolution policy has been used, it is necessaryto first evaluate the hashing function for the particular key involved. Then the list linked to this memory location is searched.

The secondkind of collision resolution policy is to look for an open memory location when an occupied location is assignedto a file. Various suggestions, such as the following technique have been made for accomplishingthis.

Starting with our original hashing function ho(k): h(k), we define a sequenceof memory locationsft1(ft),h2(k),... . We first attempt to place the file with key ft at location hs(k). If this location is occupied,we move to locationht(k). If this is occupied,we moveto locationh2&), etc.

We can choose the sequence of functions hj(k) in various ways. The simplestway is to let

hj(k) = h(k) * 7 (modm),0 ( ft;(k) < m.

This placesthe file with key ft as near as possiblepast location h &). Note that with this choiceof h1(k), all memory locationsare checked,so if there is an open location,it will be found. Unfortunately, this simple choiceof h1(k) leads to difficulties; files tend to cluster. We see that if kt * k2 and hi(k): h1(k) for nonnegativeintegers i and 7, then h;q,(k): hi+1,(k2) for k : 1,2,3,...,so that exactly the same sequenceof locationsare traced out once there is a collision. This lowers the efficiencyof the search for files in the table. We would like to avoid this problem of clustering, so we choose the function h1(k) in a different way. 4.4 ComputerFile Storageand HashingFunctions 143

To avoid clustering, we use a technique called double hashtng. We choose, as before, h(k) =k (modm), with 0 < ft (/c) < m, where m is prime, as the hashingfunction. We take a secondhashing function g(k): k + I (modm-2), where 0 < g(k) < m - l, so that G(k), m) : l. We take as a probing sequence - hj(k) h(k) + i s(k) (modz), where0 ( ft;(k) < m. Since Q(k), tn) : l, as 7 runs through the integers 0, 1,2,..., m - 1, all memory locationsare traced out. The ideal situation would be for m-2 to also be prime, so that the valuesg(ft) are distributed in a reasonableway. Hence, we would like m-2 and m to be twin primes.

Example. In our example using social security numbers, both m : 4969, and m-2 : 4967 are prime. Our probing sequenceis - hj(k) h(k) + i s(k) (mod 4e6e),

where 0< hj (k)<4969, h(k)=k (mod4969),and s(k)=k+l (mod 4967). Supposewe wish to assignmemory locationsto files for studentswith social securitvnumbers:

kt: 344401 659 k6 : 3J2500 191 kz: 325510 778 k7 : 034367 980 kt:2t2 228844 ks : 546332 t90 kq: 329938 t57 ks : 509496 993 ks:047 900l5l krc: 132489 973.

Sincekt = 269,kz = 1526,and k3 : 2854(mod 496r, we assignthe first three files to locations 269, 1526, and 2854, respectively. Since kq = 1526(mod 4969), but location1526 is taken,we computeh1 (k) = h(k) + : S(k) : 1526+ 216: 1742(mod 4969, since S(k) I + kq = 216 (mod496D. Sincelocation 1742 is free,we assignthe fourth file to this location. The fifth, six, seventh,and eighthfiles go into the availablelocations 3960,4075,2376, and 578, respectively,because ks = 3960,ko = 4075, k.t = 2376,and frs - 578 (mod 4969). We find that ks = 578 (mod 496il: 144 Applicationsof Congruences

becauselocation 578 is occupied,we computeh1(kq) + s&):57g + 2002 : (mod 2580 4969), where S(k) : I * ks = 2002 (mod 4g6D. Hence, we assign the ninth file to the free location 2580. Finally, we find that kro E (mod 1526 4967),but location1526 is taken. we computehr (krd = h(Lrc) + g(k,o) : (mod 1526+ 216: 1742 496r, becauseS:(/cro) :' krc: 216 (mod 4967), but location 1742 is taken. Hence, we continue by finding h2(krc)_ h(krc) + 2g(kd: l95g (mod 496qi)and in this available location,we placethe tenth file.

Table 4.1 lists the assignmentsfor the files of students by their social securitynumbers. [n the table, the file locationsare shownin boldface.

Social Security h Number 1(k) h2(k)

344 40r 659 269 325 510778 r526 2r2 228 844 2854 329 938 ts7 1526 1742 047900 l5l 3960 372500 l9l 4075 034367 980 2376 546 332 r90 s78 509 496 993 578 2580 t32 489973 r526 t742 1958

Table 4.1. Hashing Function for Student Files.

We wish to find conditions where double hashing leads to clustering. Hence,we find conditionswhen

(4.1) hi(k) : h1(k2) and

(4.2) hi+t(k1): hi+r(k), so that the two consecutiveterms of two probe sequencesagree. If both (+.t) and @.D occur, then

h(k) + ig(k1) = h(k) + jg(k2) (modz) 4.4 Computer File Storage and Hashing Functions 145

and h(k)+(t+l)g(kr) = h&) + (j + r)g(k) (modz).

Subtractingthe first of thesetwo congruencesfrom the second,we obtain g(k) : g(k2) (mod rn), so that kr = kz (mod m-2)'

Since S(k) : g(k), we can substitutethis into the first congruenceto obtain h(k) : h(kz) (modrn ),

which showsthat kr = k2 (modm).

Consequently,since (m-2, m) : 1, Theorem 3.6 tells us that kt = k2 (modm(m-D).

Therefore, the only way that two probing sequencescan agree for two consecutiveterms is if the two keys involved,k1 and k2,lre congruentmodulo m(m-Z). Hence, clustering is extremely rare. Indeed, rf m(m-z) > k for all keys k, clusteringwill neveroccur.

4.4 Problems

l. A parking lot has l0l parking places. A total of 500 parking stickers are sold and only 50-75 vehicles are expected to be parked at a time. Set up a hashing function and collision resolution policy for assigning parking places based on licenseplates displaying six-digit numbers.

2. Assign memory locations for students in your class,using as keys the day of the month of birthdays of studentswith hashing function hG) = K (mod l9), - a) with probing sequenceh1(K) h(K) + 7 (mod l9).

b) with probing sequence hjK) = h(K) + i's(r<),0 ( .l ( 16, where g(r): I +K(mod l7).

3. Let the hashing function be ft(rK) = K(mod rn), with 0 < ft(f) < m, andlet the probing sequencefor collision resolution be lr; (f ) = h K) + jq (mod m) , 0 ( ft;(f) < m, for j :1,2,..., m-1. Show that all memory locationsare 146 Applications of Congruences

probed

a) if ln is prime and I ( q ( m -1. b) if m :2' and q is odd. 4. A probing sequence for resolving collisions where the hashing function is h&) = K(modz), 0 < l, (K) < m, is given by nifn = hG) + jQh (f) + 1) (mod m), O < lij(K) < m.

il Show that if z is prime, then all memory sequencesare probed.

b) Determine conditions for clustering to occur, i.e., when hj(K) : h1(K) and hi*,(K) : hi+,(K) for r : I,2,...

5. Using the hashing function and probing sequenceof the example in the text, find open memory locations for the files of students with social security numbers: krr: 137612044,k12: 505576452, kn: 157170996,kro: 131220418. (eaa these to the ten files already stored.)

4.4 Computer Projects

Write programs to assign memory locations to student files, using the hashing function h(k) = ft(modl02l), 0 < l,(k) < l}2l, where the keys the social security numbers of students. "r.

l. Linking files together when collisionsoccur. 2. (mod Using hj(D = h(k) * 7 l02l), -/ : 0, 1,2,... as the probingsequence.

3. Usinghj(k) = h(k\ + j'S&), j:0, 1,2,...where g(k) : | + k (mod l0l9) as the probing sequence. Some Special Congruences

5.1 Wilson's Theoremand Fermat's Little Theorem In this section,we discusstwo important congruencesthat are often useful in number theory. We first discussa congruencefor factorialscalled Wilson's theorem.

Wilson's Theorem. If p is prime, then (p-t)t = -t (mod p). The first proof of Wilson's Theoremwas given by the French mathematician Joseph Lagrange in 1770. The mathematician after whom the theorem is named, John Wilson, conjectured, but did not prove it. Before proving Wilson's theorem,we use an exampleto illustratethe idea behind the proof.

Example. Let p:7. We have (7-l)! :6! : l'2'3'4'5'6. We will rearrange the factors in the product, grouping together pairs of inversesmodulo 7. We - note that 2'4 I (mod 7) and 3'5 = I (mod 7). Hence, 6! : 1.O.4.(g.S).6= 1.6 = -l (mod 7). Thus, we haveverified a special caseof Wilson's theorem. We now use the technique illustrated in the example to prove Wilson's theorem.

: -l Proof. When p:2, we have Q-l)t = t (mod 2). Hence,the theorem is true for p:2. Now, let p be a prime greater than 2. Using Theorem 3.7, for eachinteger a with I ( a { p-I, thereis an inverset, I < a 4 p-1, with aa: 1 (modp). From Proposition3.4, the only positiveintegers less than p that are their own inversesare I and p-1. Therefore,we can group l4'I 148 Some Special Congruences

the integersfrom 2 to p-2 into Q4)/2 pairs of integers,with the product of each pair congruentto I modulop. Hence,we have

2.3 Q-).Q-D = r (modp).

We concludethe proof by multiplying both sidesof the abovecongruence by I andp-l to obtain b-1)! :1.2.3' .Q-3)b-Db-l) = t.(p-r) = -r (modp).tr

An interestingobservation is that the converseof Wilson's theorem is also true, as the following theoremshows.

Theorem 5.1. If n is a positiveinteger such that h-l)t = -l (mod n), then n is prime.

Proof. Assume that n is a compositeinteger and that (n-l)! = -l (mod n). since n is composite,we have n:ob, where | 1 a I n and | < b 1 n. Sincea 1n, we know that a I h-l)!, becausea is one of the n-l numbers multiplied togetherto form (n-l)!. Since h-l)t = -l (mod n), it follows that n I t(r-l)! + ll. This means,by the use of Proposition1.3, that a also divides h-l)t + t. From Proposition 1.4, since a | (n-Dl and al[h-l)! +ll, weconcludethatalt(:n-l)! + I ]- (n-l)! : l. This is an obviouscontradiction, since a ) l. tr

We illustrate the useof this result with an example.

Example. Since (6-l)! : 5! : 120 = 0 (mod 6) , Theorem 5.1 verifies the obviousfact that 6 is not prime.

As we can see,the converseof Wilson's theoremgives us a primality test. To decide whether an integer n is prime, we determine whether h-l)! : -1 (mod n ). Unfortunately, this is an impractical test because n - 1 multiplications modulo n are needed to find (rr'-l)|, requiring O h (log2n)z) bit operations.

When working with congruencesinvolving exponents, the following theorem is of great importance. '(-o,r),=L Fermat's Little Theorem. If p is prime and a is a positive integer with p I a, then aP-t = I (mod p). C,(PS6'","1 'the,) Proof. Con'sider p - | integersa,2a, ..., (p-l)a. None of theseintegers are divisible by p, for if p I ia, then by Lemma 2.3,p I j, sincep tra. This 5.1 Wilson's Theorem and Fermat's Little Theorem 149

is impossiblebecause I ( 7 ( p-1. Furthermore, no two of the integers a, 2a, ..., (p-Da are congruent modulo p. To See this, assume that (a,p) : ja = ka (mod fl. Then, from Corollary 3.1, since l, we have j = k (modp). This is impossible,since 7 and k are positive integersless thanp - I . Since the integers a, 2a, ..., (p-l)a are a set of p-l integers all incongruent to zero, and no two congruent modulo p, we know that the least positive residues of c, 2e,..., (p-l)a, taken in some order, must be the integers 1,2, ...,p-1. As a consequence,the product of the integers a,2a,..., (p-l)a is congruentmodulo p to the product of the first p-l positiveintegers. Hence,

: a'2a Q-I)a l'2 (p-r) (modp).

Therefore, aP-t(p-l)! : (p-l)! (modp) .

Since(p-l)!, p) : l, usingCorollary 3.1, we cancelQ-l)! to obtain aP-t = I (mod p). tr

We illustratethe ideasof the proof with an example.

Example. Let p:7 and a:3. Then, l'3 = 3(mod 7), 2'3 = 6 (mod 7), 3.3 = 2 (mod 7), 4'3 = 5 (mod 7), 5'3 = I (mod 7), and 6'3 = 4 (mod 7). Consequently, (t.l).Q.r.(r.r).(+.1).(5.3).(6.3) = 3.6.2.s.1.4 (mod 7),

so that 36.1.2.3.4.5.6= 3.6.2'5'l'4 (mod 7). Hence,36'6! = 6! (mod 7), and therefore.36 = I (mod 7). On occasion, we would like to have a congruence like Fermat's little theorem that holds for all integersa, given the prime p. This is suppliedby the following result.

Theorem 5.2. If p is prime and a is a positive integer, then eP: a (modp).

Proof. lf p I a,by Fermat'slittle theoremwe know that ap-t: I (modp). Multiplying both sidesof this congruenceby a, we find that ap = a (mod p). lf pl a,then plap aswell,sothataP =a=O (modp). Thisfinishesthe proof, sinceaP = a (mod p) it p I a and if pla. tr 150 SomeSpecial Congruences

Fermat's little theorem is useful in finding the least positive residuesof powers.

Example. We can find the least positive residueof 3201modulo I I with the help of Fermat's little theorem. We know that 310: I (mod ll). Hence. 32or: (3ro)20.3= 3 (mod ll) .

A useful applicationof Fermat's little theorem is providedby the following result.

Theorem5.3. If p is prime and a is an integer with p I a, then aP-2 is an inverseof c modulop.

Proof. If p tra, then Fermat's little theorem tells us that a'aP-2 : sP-t = I (modp). Hence,aP-2 is an inverseof a modulop.

Example. From Theorem 5.3, we know that 2e:512 = 6 (mod ll) is an inverseof 2 modulo I 1.

Theorem 5.3 gives us another way to solve linear congruenceswith respect to prime moduli.

Corollary 5.1. lf a and b are positive integers and p is prime with p I a, then the solutionsof the linear congruenceax = 6 (mod p) are the integers x suchthat x = aP-2b (mod p).

Proof. Suppose that ax = b (mod p). Since p I a, we know from Theorem 5.2 that aP-2 is an inverseof c (modil. Multiplying both sides of the original congruenceby sP-z, we have

aP-2ax = aP-2b(mod p).

Hence,

x 7 aP-2b (mod p). tr

5.1 Problems

l. Using Wilson's theorem, find the least positive residueof 8'9'10.I l. 12.I 3 modulo 7.

2. Using Fermat's little theorem, find the least positive residue oP 2toooooomodulo t1. 5.1 Wilson's Theorem and Fermat's Little Theorem 151

?, Show that 31s: I (mod I l2). 4. Using Fermat'slittle theorem,find the last digit of the base7 expansionof 3r00. 5. Using Fermat'slittle theorem,find the solutionsof the linear congruences

a) 7x = 12 (mod 17) b) 4x=ll(modl9).

6. Show that if n isacompositeintegerwith n * 4,then h - \)t = O (mod n).

7. Show that if p is an odd prime,then 2Q - 3)! : -l (modp).

8. Show that if n is odd and 3 /n, then n2 = | (mod 24).

9. Show that 42 | h' - n) for all positive integers n. 10. Show that if p andq aredistinct primes, then pe-t * qP-r: I (modpq).

I l. Show that p is prime and a and b are integerssuch that ap = bP (mod p), then aP = bP (modp2).

12. Show that if p is an odd prime, then 1232 (p-42(p-2)2 = 1-11b+t)/z(mod p).

13. Showthatif p isprime andp =3 (mod4),then{(p-t\lZll= * I (modp).

14. a) Let p be prime and supposethat r is a positive integer less then p such that _ -l : -l (-l)'r! (modp). Showthat Q-r*l)! (modp). b) Using part (a), showthat 6l! = 63! = -l (mod 71).

15. Using Wilson's theorem,show that if p is a prime and p = I (mod 4), then the - congruence x2 -l (mod p) has two incongruent solutions given by x E t l(p-)/zll (modp).

16. Show that if p is a prime and O1k<-p, then Q-k)!(k-l)! = (-l)e (modp).

17. Showthat if p is prime anda is an integer,then pllap + Q-l)! al. 18. For which positiveintegers n is na * 4n prime?

19. Show that the pair of positiveintegers n and n * 2 are twin primes if and only if 4l(n-l)l + tl + n = 0 (mod n(n * 2)), wheren I l.

20. Showthat thepositiveintegersnand n*k,where n) k and k isan even positive integer, are both prime if and only if (k!)'z[(n-t)t + t] + n(k! - l)(k - l)! = 0 (modn(n + k)). lzo) 21. Show that if p is prime,then ll | = 2 (mod p). lp )

22. a) In problem 17 of Section 1.5, we showed that the binomial coefficient ['), where I < k ( p - l, is divisibleby p when p is prime. Use this fact and the binomial theorem to show that if a and b are integers, then 152 Some Special Congruences

(a + b)p = ap * 6z (modp).

b) Use part (a) to prove Fermat's little theorem by mathematical induction. (Hint: In the induction step, use part (a) to obtain a congruencefor fu + l)p.)

23. Using problem 16 of Section 3.3, prove Gauss' generaltzation of Wilson's theorem, namely that the product of all the positive integersless than m that are relatively prime to rn is congruent to I (mod z), unlessffi : 4,p,, or 2p, where p is an odd prime and I is a positive integer, in which case, it is congruent to -l (mod rn).

24. A deck of cards is shuffied by cutting the deck into two piles of 26 cards. Then, the new deck is formed by alternating cards from the two piles, starting with the bottom pile.

a) Show that if a card begins in the cth position in the deck, it will be in the Dth positionin the new deck where b = 2c (mod 53) and I < 6 <52. b) Determine the number of shuffies of the type described above that are needed to return the deck of cards to its original order.

25. Let p be prime and let a be a positive integer not divisibleby p. We define the Fermat quotient qob) by qp(a): (ap-t-l)/p. Show that if a and,b are positive integers not divisible by the prime p, then : qGb) er(a) + qo$) (modp).

26. Let p be prime and let a1,a2,...,apand b ,,b2,...,b,be completesystems of residues modulo p Show that a1bya2b2,...,aobois not a complete system of residues modulop.

5.1 Computer Projects

Write programs to do the following:

l. Find all Wilson primes lessthan 10000. A Wilson prime is a prime p for which (p - l)! : -l (modp2).

2. Find the primesp lessthan 10000for which Zp-t = I (mod p2).

3. Solve linear congruenceswith prime moduli via Fermat's little theorem.

5.2 Pseudoprimes

Fermat's little theoremtells us that if n is prime and b is any integer,then bn = b (mod n). Consequently,if we can find an integer b such that b' + b (mod n ), then we know that n is composite.

Example. We can show 63 is not prime by observingthat 5.2 Pseudoprimes 153

-__ 263:2eo.2t : (26)ro.23:64to23 23 = g + 2 (mod 63).

Using Fermat's little theorem,we can show that an integer is composite. It would be even more useful if it also provided a way to show that an integer is prime. The ancient Chinesebelieved that if 2'= 2 (mod n ), then n must be prime. Unfortunately, the converseof Fermat's little theorem is not true, as the following example shows.

Example. Let n - 341: 11.31. By Fermat'slittle theorem,we seethat 210 - = I (mod l1), so that 23ao: (2t0;3+ t (mod l1). Also 23a0: (25)68= (32)6s= t (mod 3l). Hence,by Theorem3.1, we have 2340: I (mod 341). By multiplying both sides of this congruence by 2, we have - 2341 2 (mod 341), eventhough 341 is not prime. Examples such as this lead to the following definition.

Definition. Let b be a positive integer. If n is a composite positive integer and b' = b (mod n), then n is called a pseudoprimeto the base b. Note that if (b,n): 1, then the congruencebn = b (mod n) is equivalent to the congruencebn-t: I (mod n ). To seethis, note that by Corollary 3.1 we can divide both sides of the first congruenceby b, since (b,n) : l, to obtain the secondcongruence. By Theorem 3.1, we can multiply both sidesof the second congruencs by b to obtain the first. We will often use this equivalentcondition.

Example. The integers 341 : I l'31, 561 : 3'l 1'17 and 645 : 3'5'43 are pseudoprimesto the base 2, since it is easily verified that 2340: I (mod 341), -- 256o I (mod 561). and 26aa= I (mod 645). If there are relatively few pseudoprimesto the base b, then checking to see whether the congruence b' = D (mod n) holds is an effective test; only a small fraction of compositenumbers pass this test. In fact, the pseudoprimes to the base b have been shown to be much rarer than prime numbers. In particular, there are 455052512 primes, but only 14884 pseudoprimesto the base 2, less than 1010. Although pseudoprimesto any given base are rare, there are, nevertheless,infinitely many pseudoprimesto any given base. We will prove this for the base2. The following lemma is useful in the proof.

Lemma 5.1. lf d and n are positive integers such that d divides rz, then 2d - 1 divides 2n - l.

Proof. Since d I n, there is a positive integer / with dt : n. By setting x:2d in the identitvxt - I - (x - 1) (xt-l+xt-z+ + l), we find 154 Some Special Congruences

that 2n-t:(2d-l) 12dQ-r)+ 2do-Da +2d +l). Consequently, Od - t) | Q' - D. tr

We can now prove that there are infinitely many pseudoprimesto the base 2.

Theorem 5.4. There are infinitely many pseudoprimesto the base2.

Proof. We will show that if r is an odd pseudoprimeto the base 2, then - m : 2' I is also an odd pseudoprimeto the base 2. Since we have at least one odd pseudoprimeto the base 2, namely fls:341, we will be able to construct infinitely many odd pseudoprimesto the base 2 by taking ns: 341 andn1ra1 :2n'- I for k :0, 1,2,3,.... Theseodd integersare all different, sinceno I nt 1 nz 1 .' . 1n* ( n111(

To continue the proof, let n be an odd pseudoprime,so that n is composite and 2n-t = I (mod n). Since n is composite, w€ have n : dt with 11d1n and l

To see that m is composite, w€ use Lemma 5.1 to note that Qd - t) | (Z' - l): m. To show that 2^-t: I (mod re), we first note that since2n :2 (mod n), there is an integerk with 2n - 2: kn. Hence, 2^-t : 22'-2: 2kn. By Lemma 5.1, we know that - m : (2n l) | (2kn- l) : 2^-l - l. Hence, 2m-t - I : 0 (mod z), so that 2^-t = I (mod re). We concludethat z is also a pseudoprimeto the base 2. rl

If we want to know whether an integer n is prime, and we find that 2n-t : I (mod n), we know that n is either prime or n is a pseudoprimeto the base2. One follow-up approachis to test n with other bases. That is, we check to seewhether bn-r : I (mod n) for various positiveintegers 6. If we find any valuesof b with (b,n): I and bn-r # | (mod n), then we know that n is composite.

Example. We have seenthat 341 is a pseudoprimeto the base2. Since

73:343 = 2 (mod341) and

zto: 1024: I (mod341) . 5.2 Pseudoprimes 155

we have

73a0- 03)tt3l = 2t137: (210)1t.23.7 : 8.7 = 56 # I (mod 341).

Hence,we seethat 341 is composite,since Tzto 1l (mod 341).

Unfortunately, there are compositeintegers r? that cannot be shown to be composite using the above approach, becausethere are integers which are pseudoprimesto every base,that is, there are compositeintegers n such that b'-t = I (mod n), for all b with (b,n): l. This leads to the following definition.

Definition. A composite integer which satisfiesbn-t : I (mod n) for all positiveintegers b with (b,il : I is called a Carmichael number.

Example. The integer561 :3'11'17 is a Carmichaelnumber. To seethis, note that if (b, 561) : l, then (b,3) : (b,l l) : (b,17) : l. Hence,from Fermat's little theorem, we have b2 = I (mod 3), 610: I (mod I l), and -- 616 I (mod 17). Consequently,b560: (b2)280: I (mod 3), bs60: (b10)56 = I (mod ll), and 6560: (bl6)35= I (mod l7). Therefore,by Theorem 3.1,b560 = I (mod 561) for all b with (b,n) : L

It has been conjecturedthat there are infinitely many Carmichael numbers, but so far this has not been demonstrated. We can prove the following thecrem,which providesconditions which produceCarmichael numbers.

Theorem 5.5. If n: Qt Qz q1, where the qi's are distinct primes that - - satisfy Qi 1) | (,4 l) for all j, then n is a Carmichaelnumber.

Proof. Let b be a positive integer with (b,n) : l. Then (b,q1): I for - j :1,2,...,k, and hence,by Fermat'slittle theorem,bQt-r I (modQ) for - j :1,2,..., k. Since Qi - l) | (n l) for each integerj :1,2,..., k, there are integers./; with r;(q, - l) : n - L Hence,for each /, we know that b'-t : 6\Q'-r)tt'-t t-oO qrl. Therefore,by Corollary 3.2, we see that bn-t : I (mod n), and we concludethat n is a Carmichaelnumber. D

Example. Theorem 5.5 showsthat 6601 :7'23'41 is a Carmichael number, because J, 23, and 4I are all prime, 6 : Q - t) | oooo,22: Ql - t) | oooo,and 4o: (+t- t) | oooo. The converseof Theorem 5.5 is also true, that is, all Carmichaelnumbers are of the form Qflz Q* where the Qj's are distinct primes and Qi-l) | tr-l) for all j. We provethis fact in Chapter8. 156 Some Special Congruences

Once the congruencebn-r : I (mod n ) has been verified,another possible approach is to considerthe least positive residueoS 6h-D/2 modulo r. We note that if x : 6(,-t)/2, then x2: bn-t: I (mod r). rf n is prime, by Proposition 3.4, we know that either x = I or x = -l (mod n). Consequently,once we have found that b"-t: I (mod n), we can check to see wheth", 6tu-t)/2 = + I (mod n). If this congruencedoes not hold. then we know that n is composite.

Example. Let b:5 and let n:561, the smallestCarmichael number. we find that 5(561-t)/2:5280= 67 (mod 561). Hence,56l is composite.

We continuedeveloping primality testswith the followingdefinitions.

Definition. Let n be a positive integer with n-l : 2't, where s is a nonnegative integer and / is an odd positive integer. We say that n passes Miller's test for the base b if either bt = I (mod n) or b/' : -l (mod n) forsomeTwith0

We now show that if n is prime, then /, passesMiller's test for all basesD with n I b.

Theorem 5.6. lf n is prime and b is a positive integer with n I b, then n passesMiller's test for the baseD.

Proof. Let n-l :2"/, where s is a nonnegativeinteger and I is an odd positiveinteger. Let x1r:6{J.-t)/z'-6?:-'t,fork:0, l,2,...,s.Since n is prime, Fermat's little theorem tells us that x0: bn-t :1 (mod n). By Proposition 3.4,, since x? : 16{n-r)/z1z:xo E I (mod n ), either xt i -l (mod n) or rr E I (mod n). If rr E I (mod n), since x?, : xr E I (mod n), either xz? -l (modn ) or xz71 (mod ru). In general,if we have found that xs: xl : x27 : xk = I (mod n), with k ( s, then, since x?+t : x* 3 I (mod n), we know that either x*+r 7 -l (mod n) or xr+r t 1 (mod n ). Continuing this procedure for k : l, 2,...,s, we find that either x* ? I (mod n), for k :0, 1,...,s, or xt7 -l (mod n) for someinteger /c. Hence,n passesMiller's test for the baseb. n

If the positive integer n passesMiller's test for the base 6, then either : -l bt = I (mod n) or bvt (mod n) for some7 with 0 < j ( s -1, where n - | :2't and r is odd.

In either case, we have bn-t = I (mod n ), since bn-\ - 162tt12'-tfor J:0, 1,2,..., s, so that an integern that passesMiller's test for the baseb is automatically a pseudoprimeto the base b. With this observation,we are 5.2 Pseudoprimes 157

led to the following definition.

Definition. lf n is compositeand passesMiller's test for the base 6, then we say n is a strong pseudoprime to the base b.

Example. Let n :2047 :23'89. Then 220a6:'(21r)186: (ZO+A)186: 1 (mod 204D, so that 2047 is a pseudoprime to the base 2. Since 22046/2: 2to23: (2t l)e3: (zo+g)e3 : I (mod 2047), 2047 passesMiller's test for the base 2. Hence, 2047 is a strong pseudoprimeto the base 2. Although strong pseudoprimesare exceedinglyrare, there are still infinitely many of them. We demonstrate this for the base 2 with the following theorem.

Theorem 5.7. There are infinitely many strong pseudoprimesto the base2.

Proof. We shall show that if n is a pseudoprime to the base 2, then N :2'-l is a strong pseudoprimeto the base2. Let n be an odd integer which is a pseudoprimeto the base 2. Hence, n is composite, and Zn-r : I (mod n). From this congruence, we see that 2'-r -l : nk for someinteger k; furthermore,k must be odd. We have

,Af- I : 2n-2 : 2(2n-r-l) : Ztnk; this is the factorizationof /V-l into an odd integerand a power of 2. We now note that

2?v-r)/2:2nk : (Zn)k = I (mod /V) because2n:(zn-t) + t:I{* I = I (mod,n{).ThisdemonstratesthatN passesMiller's test. In the proof of Theorem 5.4, we showed that if n is composite, then N : 2'-l also is composite. Hence, N passes Miller's Test and is composite, so that N is a strong pseudoprime to the base 2. Since every pseudoprimen to the base 2 yields a strong pseudoprime2n-1 to the base 2 and since there are infinitely many pseudoprimesto the base 2, we conclude that there are infinitely many strong pseudoprimesto the base2. tr The following observationsare useful in combination with Miller's test for checking the primality of relatively small integers. The smallest odd strong pseudoprimeto the base 2 is 2047, so that if n 1 2047, r is odd, and n passes Miller's test to the base2, then n is prime. Likewise, 1373653is the smallest 158 Some Special Congruences

odd strong pseudoprimeto both the bases2 and 3, giving us a primality test for integersless than 1373653. The smallestodd strong pseudoprimeto the bases2,3, and 5 is 25326001,and the smallestodd strong pseudoprimeto all the bases2,3,5, and 7 is 3215031751.Also, lessthan 25.10e,the only odd integerwhich is a pseudoprimeto all the bases2,3,5, and 7 is 3251031751. This leadsus to a primality test for integersless than 25.10e. An odd integer n is prime if n < 25'10e,n passesMiller's test for the bases2,3,5, and 7, andn I 3215031751.

There is no analogyof a Carmichaelnumber for strong pseudoprimes.This is a consequenceof the following theorem.

Theorem 5.8. If n is an odd compositepositive integer, then r passesMiller's test for at most Q-l)/4 basesb with I < b ( n - l. We proveTheorem 5.8 in Chapter 8. Note that Theorem 5.8 tells us that if t? passesMiller's tests for more than (n-l)/4 basesless than n, then n must be prime. However,this is a rather lengthy way, worse than performing trial divisions,to show that a positiveinteger n is prime. Miller's test doesgive an interestingand quick way of showingan integer n is "probablyprime". To see this, take at random an integer b with I < D ( n - I (we will see how to make this "random"choice in Chapter 8). From Theorem 5.8, we seethat if n is composite the probability that r? passesMiller's test for the base b is less than I/4. If we pick k different basesless than n and perform Miller's tests for each of thesebases we are led to the following result.

Rabin's Probabilistic Primality Test. Let n be a positive integer. Pick k different positive integers less than n and perform Miller's test on n for each of these bases. If n is composite the probability that n passesall k tests is lessthan 0/4k.

Let n be a compositepositive integer. Using Rabin's probabilisticprimality test, if we pick 100 different integers at random between I and n and,perform Miller's test for each of these 100 bases,then the probability than n passesall the tests is less than 10-60,an extremely small number. In fact, it may be more likely that a computer error was made than that a compositeinteger passesall the 100 tests. Using Rabin's primality test doesnot definitelyprove that an integer n that passesall 100 tests is prime, but does give extremely strong,indeed almost overwhelming,evidence that the integeris prime.

There is a famous conjecture in analytic number theory called the generalized Riemann hypothesis. A consequenceof this hypothesis is the followingconjecture. 5.2 Pseudoprimes 1s9

Conjecture 5.1. For every compositepositive integer n, there is a baseb with b < 70 (log2n)2,such that n fails Miller's test for the baseb. If this conjecture is true, as many number theoristsbelieve, the following result providesa rapid primality test.

Proposition 5.1. If the generalizedRiemann hypothesisis valid, then there is an algorithm to determine whether a positive integer n is prime using O ((log2n)5)Uit operations.

Proof. Let b be a positive integer less than n. To perform Miller's test for the base b on n takes O (logzn)3) bit operations,because this test requires that we perform no more than log2n modular exponentiations,each using O(logzb)2) Ult operations. Assume that the generalizedRiemann hypothesis is true. lf n is composite,then by Conjective 5.1, there is a base 6 with | < b < 70 (log2n)2such that n fails Miller's test for b. To discoverthis b requires less than O(log2n)3)'O((togzn)z) : O((log2n)5) Uit operations,by Proposition1.7. Hence, after performing O((log2n)s) bit operations,we can determinewhether n is compositeor prime. I The important point about Rabin's probabilistic primality test and Proposition5.1 is that both results indicate that it is possibleto check an integer n for primality using only O((log2n)ft) bit operations,where k is a positive integer. This contrastsstrongly with the problem of factoring. We have seen that the best algorithm known for factoring an integer requires a number of bit operationsexponential in the squareroot of the logarithm of the number of bits in the integer being factored,while primality testing seemsto require only a number of bit operationsless than a polynomialin the number bits of the integer tested. We capitalize on this differenceby presentinga recentlyinvented cipher systemin Chapter 7.

5.2 Problems l. Show that 9l is a pseudoprimeto the base 3. 2. Show that 45 is a pseudoprimeto the bases17 and 19. 3. Show that the even integer n : 161038:2'73' l 103 satisfiesthe congruence 2n = 2 (mod n). The integer 161038 is the smallesteven pseudoprimeto the base2.

4. Show that every odd compositeinteger is a pseudoprimeto both the base I and the base-1. 5. Show that if n is an odd compositeinteger and n is a pseudoprimeto the basea, then n is a pseudoprimeto the base n - a. 160 SomeSpecial Congruences

6, Showthatif n:(azp --l)/G2 -l),wherea isaninteger,a ) l,andp isan odd prime not dividing a(a2 - l), then n is a pseudoprimeto the base a. Conclude that there are infinitely many pseudoprimesto any base a. (Hint: To establish that ao-t = I (mod n), show that 2p | (, - 1), and demonstratethat a2P:2 (modn).)

7. Show that every compositeFermat number F^ : 22' + I is a pseudoprimeto the base2.

8. Show that if p is prime and the Mersenne number Mo : 2P - I is composite, then Mo is a pseudoprime to the base 2.

9. Show that if z is a pseudoprime to the bases a and b, then n is also a pseudoprimeto the base aD.

10. Show that if n is a pseudoprimeto the base a, then n is a pseudoprimeto the base a-, where d' is an inverseof a modulo n. ll. a) Show that if n is a pseudoprimeto the base c, but not a pseudoprimeto the base6, then n is not a pseudoprimeto the baseaD .

b) Show that if there is an integer b with (b,n) : I such that n is not a pseudoprimeto the baseD, then n is a pseudoprimeto lessthan or equal 6 Ah) different basesa with I ( a ( n. (Hint: Show that the setsc t, o2,..., a, and ba1,ba2,...,ba, have no common elements,where ot, o2, ..., ar are the basesless than n to which n is a pseudoprime.)

12. Show that 25 is a strong pseudoprimeto the base 7.

13. Show that 1387 is a pseudoprime,but not a strong pseudoprimeto the base2.

14. Show that 1373653is a strong pseudoprimeto both bases2 and,3.

15. Show that25326001 is a strong pseudoprimeto bases2,3, and 5. 16. Showthat the followingintegers are Carmichaelnumbers il 2821:7'13'31 b) 10585: 5.29'73 c) 29341: l3'37'61 d) 314821: 13.6r.397 e) 27845: 5'17'29.113 f) 172081:7-13.31.61 g) 564651361: 43.3361.3907. 17. Find a Carmichaelnumber of the form7.23.qwhere g is an odd prime. 18. a) Showthat everyinteger of the form(6m+l)(l2m+l)(tg,n +t), wherem isa positiveinteger such that 6m*l,l2mll, and l8m*l are all primes,is a Carmichaelnumber. 5.2 Pseudoprimes 161

b) Conclude from part (a) that 1729- 7'13'l9, 294409: 37'73'109, 55164051 : 2t 1.421.631.I18901521 : 271'541'81l.and 72947529- 307'613'919are Carmichaelnumbers.

19. Show that if n is a positive with n = 3 (mod 4), then Miller's test takes O ((logzn)2) bit operations.

5.2 Computer Projects

Write programs to do the following:

I . Given a positive integer n, determine whether n satisfies the congruence bn-t = I (mod n) where b is a positive integer less than n; if it does, then n is either a prime or a pseudoprimeto the baseD.

2. Given a positive integer integer n, determine whether n passesMiller's test to the base b; if it does then n is either prime or a strong pseudoprimeto the base b.

3. Perform a primality test for integers less than 25'l0e based on Miller's tests for the bases2,3,5, and 7. (Use the remarksthat follow Theorem 5.7.)

4. Perform Rabin's probabilistic primality test.

5. Find Carmichael numbers.

5.3 Euler's Theorem Fermat's little theorem tells us how to work with certain congruences involvingexponents when the modulus is a prime. How do we work with the correspondingcongruences modulo a compositeinteger? For this purpose,we first define a specialcounting function.

Definition. Let n be a positive integer. The Euler phi-function Qh) is defined to be the number of positive integers not exceeding n which are relatively prime to n.

In Tabte 5.1 we displaythe valuesof @(n) for I ( r ( 12. The valuesof d(,n) for I ( n < 100 are given in Table 2 of the Appendix.

n 2 3 4 5 6 7 8 9 l0 il I2

6h) I 2 2 4 2 6 4 6 4 l0 4

Table 5.1. The Valuesof Euler's Phi-functionfor I ( n < 12. 162 Some Special Congruences

In Chapter 6, we study the Euler phi-functionfurther. In this section,we use the phi-function to give an analogue of Fermat's little theorem for compositemoduli. To do this, we needto lay somegroundwork.

Definition. A reduced residue system modulo n is a set of Ofu) integers such that each elementof the set is relativelyprime to n, and no two different elementsof the set are congruentmodulo n.

Example. The set 1,3,5,7 is a reducedresidue system modulo 8. The set -3, -1, l, 3 is alsosuch a set.

we will needthe following theoremabout reducedresidue systems.

Theorem 5.9. lf r1,r2,...,t6G) is a reducedresidue system modulo n, and if a is a positiveinteger with (a,fl) : l, then the set et1, et2, ...,ot6h) is alsoa reducedresidue system modulo r.

Proof. To show that each integer ari is relativelyprime to n, we assumethat (ar1,n) ) l. Then, there is a prime divisor p of (ari,n). Hence, either p I a or p I 11. Thus, we either havep I a and p I n,'o, p I ri and p I n. However, we cannot have both p I r; and p I n, since r; is a member of a reduced residue modulo n, and both p I a and p I n cannot hold since (a,n): l. Hence, we can conclude that ar1 and n are relatively prime for j : l, 2, ..',Qh) . To demonstratethat no two ari's are congruentmodulo n, we assumethat arj = ar1, (mod n), where j and k are distinct positive integers with 1< j (d(n) and I < k (d(n). Since(a,n):l,byCorollary3.l wesee that r; : rk (mod n). This is a contradiction, since r7 and r,1 coffie from the original set of reducedresidues modulo r?,so that ri # rr (mod n). tr We illustratethe useof Theorem 5.9 by the following example.

Example. The set 1,3,5,7 is a reducedresidue system modulo 8. Since (3,8): l, from Theorem5.9, the set 3'l :3,3'3 :9, 3.5: 15,3'7 :21 is also a reducedresidue system modulo 8. We now state E,uler'stheorem.

Euler's Theorem. If m is a positive integer and a is an integer with (a,m) : l, then sotu) = I (mod rn). Before we prove Euler's theorem, we illustrate the idea behind the proof with an example. 5.3 Euler's Theorem 163

Example. We know that both the sets l, 3, 5, 7 and 3'1,3'3, 3'5,3'7 are reduced residuesystems modulo 8. Hence, they have the same least positive residuesmodulo 8. Therefore, (3.l). (3.3). (3.s). (3.7) : l'3'5'7(mod 8),

34'l'3'5'7= l'3'5'7 (mod8).

8) : l, we concludethat

3+_ 3d(a): I (mod g).

We now usethe ideasillustrated by this exampleto prove Euler's theorem.

Proof. Let rr,rZ, ..., ro(^) denote the reducedresidue system made up of the positiveintegers not exceedingm that are relativelyprime to m. By Theorem 5.9, since (a,m) : l, the set Qt1,aty,..., ar6(m) is also a reducedresidue system modulo lz. Hence, the least positiveresidues of ar1, Qr2,...,or6(m) must be the integers 11,12,..., r6(m) in some order. Consequently,if we multiply togetherall terms in eachof thesereduced residue systems, we obtain ar pr2 aryfu't -- r| rz 16(^) (mod la) .

Thus, ' j (mod a6(^)r {z r6(m) r(z r o(m) z ) .

Since (rg2 ra(^), m) : l, from Corollary 3.1, we can concludethat oo(m)= I (mod m). D

We can use Euler's Theorem to find inversesmodulo m. lf a and m are relativelyprime, we know that - s't6(m)-t : 44(m) 1 (mod rn).

Hence,o6(m)-t is an inverseof a modulom.

Example. We know that 20@-t - 26-t : 25 : 32:5 (mod 9) is an inverse of 2 modulo 9. We can solve linear congruences using this observation. To solve ax j D (mod z ), where (a ,m) : I , we multiply both sides of this 164 Some Special Congruences

congruenceby aah)-l to obtain

-: oo(m)-to* qQ(m)-tb(mod m).

Therefore, the Solutions are those integers such that y : of(m)-tb (modm).

Example. The solutions of 3x = 7 (mod l0) are given by - :9 x = 3d(10)-1.7 33.J (mod l0), sinced(I0) : 4.

5.3 Problems l. Find a reducedresidue system modulo

a)6 d) t4 b)e e) 16 c) lo f) 17.

2. Find a reduced residue system modulo 2^ , where m is a positive integer.

3. Show if c t, c2, ..., c6(m) is a reduced residue system modulo m , then c1* c2* * ,oh): 0 (modln).

4. Show that if m is a positive integer and a is an integer relatively prime to m, then I I a * a2 * I ofh)-t = 0 (mod m).

5. Use Euler's theorem to find the least positive residueo1 3100000modulo 35.

6. Show that if a is an integer,then a7 = a (mod 63).

7. Show that if a is an integer relatively prime to 32760, then at2=l(mod3276CD.

8. Show that cd(b) I 6ab) : I (mod ab), if a and b are relatively prime positive integers.

9. Solve the following linear congruencesusing Euler's theorem il 5x = 3 (mod 14)

b) 4x = 7 (mod 15)

c) 3x = 5 (mod 16).

10. Show that the solutionsto the simultaneoussystem of congruences 5.3 Euler's Theorem 165

x i ar (mod rn r) * o, (mod mz) =

x ? a, (mod m),

where the mi are pairwise relatively prime, are given by

x j a,ul'^) + a2M!@) a + a,M!t^') (mod u)'

whereM : m1 m2 m, andMj: M/mi forT: 1,2,...,r.

I l. Using Euler'stheorem, find a) the last digit in the decimal expansiono1 7t000

b) the last digit in the hexadecimalexpansion oP 51100$000.

12. Find @(n) for the integersn with 13 ( n < 20. 13. a) Show every positive integer relatively prime to l0 divides infinitely many repunits (see problem 5 of Section 4.1). (Hint: Note that the n -digit repunit lil ... ll : (to'-t)/q.)

b) Show every positiveinteger relativelyprime to b dividesinfinitely many base b repunits (seeproblem 6 of Section4.1).

14. Show that if m isa positiveinteger, m ) 1, then o^ = am-6(m)(mod rn) for all positiveintegers a.

5.3 Computer Projects

Write programsto do the following:

l. Solvelinear congruencesusing Euler'stheorem.

2. Find the solutionsof a systemof linear congruencesusing Euler's theorem and the Chineseremainder theorem (seeproblem l0). MultiplicativeFunctions

6.1 The Euler Phi-function

In this chapter we study the Euler phi-function and other functions with similar properties. First, we presentsome definitions.

Definition. An arithmetic function is a function that is defined for all positive integers.

Throughoutthis chapter,we are interestedin arithmetic functionsthat have a specialproperty.

Definition. An arithmetic function f is called multiplicative if f fun) : f (m)f fu) wheneverm and n are relativelyprime positiveintegers.

Example. The function f h) : I for all n is multiplicative because f(mn):1, f(m):1, and f(n):1, so that fhn):f(m)fh). Similarly, the function g(n) : n is multiplicative, since g(mn) :mn : g(m)efu). Notice that ffun) :1(m)fh) and g(mn): g(m)Sh) for all pairs of integersm and n, whether or not (m,n) : l. Multiplicative functionswith this property are called completely mult ip licative functions.

If / is a multiplicativefunction, then we can find a simple formula for f fu) giventhe prime-powerfactorization of n.

... Theorem6.1. If / is a multiplicativefunction and if n: pi'pi, pi'it

166 6.1 The EulerPhi'function 167

the prime-power factorization of the positive integer n, then f tu): f Qi)f Qi) " "fQi). ' ' ' : Proof. Since f is multiplicativeand Qi',pi' p!) l, we see that f tu): f bi'pi'"'p:) : f Qi''Q? "'pi)): f Qi)-fQi'p\' "'p:'). Sincebi' , p\'"' p!'):1, weknow that f bi' p\'"' p!'): f bi') -fQi'... pl'), ro thatf(n): -fQi') f Qi) f Qi' p:). continuing in thisway, we find that f h) : f Qi) f bi) .f (p\') f Q?) a We now return to the Euler phi'function.First, we considerits values at primesand then at primepowers.

- Theorem 6.2. If p is prime. then 0b) : p l. Conversely, if p is a - - positiveinteger with d(p) p l, thenp is prime.

Proof. If p is prime then every positiveinteger lessthan p is relatively prime to p. Sincethere arep - I suchintegers, we haveQQ) : p - l. Conversely,ifp is composite,thenp hasa divisord with | < d 1p,and, of course,p and d are not relatively prime. Since we know that at least one of the p - | integers| ,2, ...,p - l, namely d, is not relativelyprime to p, - d0) ( p-2. Hence,if0Q):p l,thenp mustbeprime.tr We now find the valueof the phi-functionat prime powers.

Theorem 6.3. Let p be a prime and a a positive integer. Then o-'fp_D 6e\:po-po-t. = f ' zZ\ Proof. The positive integers'less-thanpo that are not relatively prime to p are thoseintegers not exceedingpo that are divisibleby p. There are exactlypo-l such integers,so there arepo - po-r integersless than po that are relatively - primeto po. Hence,6b") : po Po-r. n

Example. Using Theorem6.3, we find that d(53) : 53- 52 : 100, O(zt}):2t0 - 2e:512, andd(tt2) : 112- 11: 110. To find a formula for @(n), given the prime factorization of n, we must show that d is multiplicative. We illustrate the idea behind the proof with the followingexample.

Example.Let m:4 and n:9, so that mn:36. We list the integersfrom I to 36 in a rectangularchart, as shownin Figure 6.1. 168 MultiplicativeFunctions

OOe@@2,@@33

l0 t4 18 22 34 ,O@,5@@27@@

t2 l6 20 24 28 32 36

Figure6.1.

Neither the second nor fourth row contains integers relatively prime to 36, since each element in these rows is not relatively prime to 4, and hence not relatively prime to 36, We enclosethe other two rows; each element of these rows is relatively prime to 4. Within each of theserows, there arc 6 integers relatively prime to 9. We circle these; they are the 12 integers in the list relativelyprime to 36. HenceOGO : 2.6 - OU)O(il.

We now state and prove the theorem that showsthat @is multiplicative.

Theorem 6.4. Let m and n be relatively prime positive integers. Then Qfun): Q(m)th).

Proof. We display the positive integers not exceeding mn in the following way. I m*l 2m*l ... 6-l)m*l

2 m*2 2m*2 h-l)m*2

3 m*3 2m*3 h-I)m*3

2m 3m

Now suppose r lsa posltlve lnteger not exceeding m. Suppose (m,r):d)1. Then no number in the rth row is relatively prime to mn, since anv elementof this row is of the form km * r, where k is an integer 6.1 The EulerPhFfunction 169

with I < t < n - l, and d | &m*r), sinced | * andd I r. Consequently,to find those integers in the display that are relatively prime to mn, we needto look at the rth row only if (m,r) : l. If fuI) :1 and I ( r ( m, we must determinehow many integersin this row are relatively prime to mn. The elements in this row are r , m * r , 2m * r,..., h-l)m * r. Since (r,m) : l, each of these integers is relativelyprime to m. By Theorem3.4, the n integersin the rth row form a completesystem of residuesmodulo r. Hence,exactly Qh) of theseintegers are relatively prime to n. Since thesed(n) integersare also relatively prime to m, they are relativelyprime to mn.

Since there are S(m) rows, each containingd(n) integersrelatively prime to mn, we can concludethal Q(mn) : O(m)efu). tr

CombiningTheorems 6.3 and 6.4, we derivethe following formula for 0Q).

Theorem 6.5. Let n : por'pi' . . . pir' be the prime-power factorization of the positive integer n. Then l) 6h):n0-lttr- tr-.!l . Pr Pz Pt

Proof. Since @is multiplicative, Theorem 6.1 tells us that if the prime-power factorization of n is n : pl,pl, pf,,, th"n 0h): o?i)obi,) oht').

In addition, from Theorem 6.3 we know that Obi')- pf'- p?-t: p;,(l- +)Pi

forT : 1,2,...,k.Hence, t Qh): pi'T- L)ri,(l - I) pi,'o- ) Pr Pz P* pi:o- Lt (r-!) ftt- P* : n(L- Il(l - !) (l-I). Pr Pz Pr,

This is the desiredformula for d(n). D 170 Multiplicative Functions

we illustratethe useof rheorem 6.5 with the following example.

Example. Using Theorem6.5, we note that d(roo): loo(l- - : o(22s2): il(l +) 4o. and

l. 0020: o(2432s): t2oe - - tr - =)-192. ilrr |l )

We now introduce a type of summation notation which is usefulin working with multiplicativefunctions.

Let f be an arithmetic function. Then

2,f (d) dln representsthe sum of the valuesof f at all the positivedivisors of n.

Example. If / is an arithmetic function, then > f U) : f (r)+ f Q)+ f 0) + f U)+ f (O+ f 0D . dlt2

For instance.

> d2: 12+ 22+ 32+ 42+ 62+ 122 dlt2 :l* 4+g+16+36+ 144:ZlO.

The following result, which states that n is the sum of the values of the phi-functionat all the positivedivisors of n, will also be useful in the sequel.

Theorem 6.6. Let n be a positive integer. Then

2A@l:n' dln

Proof. We split the set of integersfrom I to n into classes. Put the integer m into the classCa if the greatestcommon divisor of m and n is d. We seethat m is in C4,i.e. (m,n) : d,if and only if fu/d,n/d) : l. Hence,the number of integersin Ca is the number of positiveintegers not exceedingn/d that are relatively prime to the integer n/d. From this observation,we see that there 6.1 The Euler Phi'function 171

are gh/d) integersin C1. Since we divided the integers I to n into disjoint classesand each integer is in exactly one class,n is the sum of the numbersof elementsin the differentclasses. Consequently, we seethat

n : > Qhld) dln

As d runs through the positiveintegers that divide n, nfd also runs through thesedivisors, so that n:>0fu1d)-DfU) dln dl,

This provesthe theorem.tr

Example.We illustratethe proofof Theorem6.6 whenn : 18. The integers from I to 18 can be split into classesC4 whered I 18 suchthat the classC7 containsthose integers m with (m,18): d . We have c1 : {1,5,7,ll, 13,17} C6 : {6,12} c2 : {2,4,8, 10,14, 16} Cg : {g} C3 : {3,15} Crr: {tg}.

We see that the classCa contains0081d) integers,as the six classes : containd(18) : 6, O(9): 6, 0(6) :2, O(3):2, 0(2) : l, and d(1) I integers,respectively. We notethat 18: d(18) + O(g)+ ,O(0)+ ,0(3)+ QQ)+d(1):2atal. dll8

6.1 Problems

l. Find the value of the Euler phi-function for each of the following integers a) 100 d) 2.3.5.7'rr.13 b) 2s6 e) lo! c) l00l f) 20t .

2. Find all positiveintegers n such that d(n) has the value ill d)6 b)2 e) 14 c)3 f) 24. 172 Multiplicative Functions

3. For which positiveintegers n is 6fu) a) odd b) divisible by 4 c) equal to n/2 ?

4. Show that if n is a positive integer, then fa@ if n isodd QQn): lrrh) if n is even.

5' Show that if z is a .positive integer having k distinct odd prime divisors, then d(n) is divisibleby 2k.

6. For which positive integersn is Qh) a power of 2?

7. Show that if n and k are positiveintegers, then Q(mk) : mk-16(m) .

8. For which positive integerslz doesQfu) divide m ? 9. Show that if a and b are positive integers,then Qbb): (a,b)6G)O$)lOKa,il).

10. Show that if m and,n are positiveintegers with nr I n, then Qfu) | oh). 11. Prove Theorem6.5, using the principle of inclusion-exclusion(see problem lZ of Section 1 l). 12. show that a positive integer n is compositeif and only if oh) ( n - .,,6-. 13. Let n be a positive integer. Define the sequenceof positive integers fl1,n2,13,... recursivelyby nr: Qh) and n1.,1: 6(n*') for ft : r,2,3,... . show that thereis a positive integer r such that n, - 1.

14. Two arithmetic functions/ and I may be multiplied using the Dirichlet product which is defined bv

V*s)(n): 2f @)shlil .

a) Showthat f*g : g*.f . *h b) Showthat (/*g) : f* Q*h) . c) Showthat if r is the multiplicativefunction defined by |,r if n: l ,{n): lo ifn ) l,

- : then rf f*t f for all arithmetic functions/. 6.1 The Euler Phi-function 173

d) The arithmetic function g is said to be the inverse of the arithmetic functton : .f it f*S : g*-f ,. Show that the arithmetic function / has an inverse if (Hint: and only if f 0) I 0. Show that if / has an inverse it is unique. When f 0) # 0, find the inverse.f-t of/ by calculating/(n) recursively, - using the fact that '(n) > f U)f-tfuld).) dln

15. Show that if f and g arc multiplicative functions, then the Dirichlet product /*g is also multiplicative.

t6. Show that the Miibius function defined by t if n - I It l(-t)' if z is square-freewith primefactorization p.\n):1 n:prpz...ps I lO if n has squarefactor larger than I t

is multiplicative.

:0. 17. Showthat if n is a positiveinteger greater than one, then ) p@) dln

18. Let f be an arithmetic function. Show that if F is the arithmetic function defined by

F(n): >f @), ' dln

then

f h):2p@)Fhld). dln

This result is called the Miibius inversion formula.

19. Use the Mobius inversion formula to show that if f is an arithmetic function and F is the arithmetic function defined by

F(n): >f @), dln

thenif F is multiplicative,so is/.

20. Usingthe Mobiusinversion formula and the fact that n - > 0h /il , provethat

a) Q(p') : p' - p'-',where p is a primeand t is . *rr;:, integer. 174 MultiplicativeFunctions

b) d(n ) is multiplicative.

21. Show that the function f (n):ne is completely multiplicative for every real numberk.

22. a) we define Liouville's function r(n) by I(r) : l and for n ) | by \(n) : (-l)4'|+4r+"'+a', if the prime-power factorization of n is n: pi'pi' .'. p:'. Showthat tr(n) is completelymultiplicative.

b) Show that if n is a positive integer then ) tr(n) equals 0 if z is not a perfect square,and equals I if n is a perfect square.

23. a) Show that it f and g are multiplicative functions then fg is also multiplicative.

b) Show that if f and g arc completely multiplicative functions then /g is also completely multiplicative.

24. Show that tf f is completely multiplicative, then f (il : f @r)",.f(pr)o, ' f (p^)"' when the prime-power factorization of n is n : pi'pi' . . . p:".. 25. A function that satisfiesthe equation (mn) :7(m) (n f f + "f ) for all relatively prime positive integers m and n is called additive, and if the above equation holds for all positive integersm and n, f is called completely additive.

a) Show that the function -f (n) : log n is completely additive. b) Show that if <^r(n)is the function that denotesthe number of distinct prime factors of n, then <^ris additive, but not completely additive.

c) Show that if / is an additive function and if g(n):zfb), then g is multiplicative.

6.1 Computer Projects

Write programsto do the following:

l. Find valuesof the Euler phi-function.

2. Find the integerr in problem 13.

6.2 The Sum and Number of Divisors

We will also study two other arithmetic functions in some detail. One of theseis the sum of the divisorsfunction.

Definition. The sum of the divisors function, denoted by o, is defined by settingo(n ) equal to the sum of all the positivedivisors of n. 6.2 The Sum and Number of Divisors 175

In Table6.1 we give oh) for 1 ( n < 12 The valuesof o(n) for I ( n < 100 are givenin Table 2 of the Appendix'

n I 2 3 4 5 6 7 8 9 r0 ll t2

a oQ) I J 4 7 6 t2 8 l5 l3 18 t2 28

Table6.1. The Sumof the Divisorsfor I ( n ( 12 .

The other function which we will study is the number of divisors.

Definition. The number of divisorsfunction, denoted by r, is definedby setting r(n) equal to the number of positivedivisors of n. In Table6.2 we give ,h) for I ( n ( tZ. The values of ,Q) for 1 ( n < 100 are givenin Table 2 of the Appendix.

n I 2 3 4 5 6 7 8 9 10 ll t2

rh) I 2 2 3 2 4 2 4 3 4 2 6

Table6.2. The Number of Divisorsfor I ( n ( 12 '

Note that we can expresso(n) and z(n) in termsof summationnotation. It is simpleto seethat

oh):Dd dln

and ,(n):>1. dln

To provethat o and r are multiplicative,we use the following theorem.

Theorem 6.7. If / is a multiplicative function, then the arithmetic function F (n) dln Beforewe provethe theorem,we illustrate the idea behind its proof with the function, and let following example. Let "f be a multiplicative Ffu) dln 176 MultiplicativeFunctions

: r(60) r(4)F(15). Each of the divisorsof 60 may be written as the productof a divisorof 4 and a divisorof 15 in the followingway: l:1.1, : 2:2'1, 3 1.3,4:4.1, 5 - 1.5,6:2.3, I0:2.5, 12- 4.3, 15: 1.15. :4'5, : 20 30 2'15, 60 : 4-15 (in each product, the first factor is the divisor of 4 , and the secondis the divisorof I 5). Hence, : F(60) f(r) +/o + f$) + f(q) + f$) + f6) +/(10)+ f02) + f (rs)+/(zo) + f Q0 +/(60) :.f (r'1)+ f Q.D+f 0.3)+ f u.D +f 0.5)+ f o.3) + fQ.il + f(4., + f(r.ls) + + + :f f(4.il fQ.l5) fQ.rs) (t)f(l) + f Q)f(r)+ f (l)7(:)+ f @)f(r)+ f (fDj6) +f Q)f(r)+ f Ql|(s)+ f (Df(g)+ f ol7(rs)+ f @f 6) + f Q)f (rs)+ f Q)f 0s) : (/(t)+ fQ) +7Q))(/(rl + fG) + f$) +/(ls)) : F(4)F(rS).

we nowprove Theorem 6.7 using the ideaillustrated by the example.

Proof. To showthat F is a multiplicativefunction, we must show that if m andn arerelatively prime positive integers, then F (md : F (m)r 0). So let us assumethat (m,n) : l. We have

F (mn) : u) ' 02,^n"f

By Lemma2.5,since (m,n): l , eachdivisor of mn canbe writtenuniquely asthe product of relativelyprime divisors dlof m andd2of n, andeach pair of divisorsd1 of m andd2 of n correspondsto a divisord - dfi2 of mn. Hence,we can write

F(mn) : > f Utd2) drl^ drln

Since/ is multiplicativeand since(dbd): l, we seethat 6.2 The Sumand Numberof Divisors 177

F (mn) : 2 f Q)f @z) drln drln 2fQ)ZfVz) drl^ drl, Ffu)Ffu).tr

Now that we know o and r are multiplicative, we can derive formulae for their values based on prime factorizations. First, we find formulae for o(r) and rh) when n is the power of a prime.

Lemma 6.1. Let p be prime and a a positive integer. Then Po*'-l o(po): (t+p+p2+ *po) : p-l

and r(po):a*1.

Proof. The divisors of po are l, p, p' ,...,po-t, po. Consequently,po has exactly a*l divisors,so that r(po) : a * l. Also, we note that o(po):1*p+pz+ * pa-t * po : where we have used #, Theorem1.1. tr

Example. When we apply Lemma 6.1 with p :5 and a: 3, we find that s4- I o(53):1*5+52+53: fi:156andz(53)-l*3:4. The above lemma and the fact that o and r ate multiplicative lead to the following formulae.

Theorem 6.8. Let the positive integer n have prime factorization n:pi'pi2... p:'. Then pl'*'-l p!'*'-l pl'*'-l o(n):ry : i Pt-r Pz-l P,-l j-r Pi-l 178 MultiplicativeFunctions

r(n) : (c1+l)(az+D (c,*t) : G1+D. rI,

Proof. Since both o and r are multiplicative, we see that o(n) : o(pi'p3' pi) : obi)obi) o(pi) and r(n): ,ei,pi, ' ' ' p:') : ,(p1') ,Qi') ,Qi'). Inserting the values for oe!,) and ,Qi) found in Lemma 6.1, we obtain the desiredformulae. D

we illustratehow to useTheorem 6.8 with the following example.

Example. Using Theorem6.8, we find that r!-,, o(200): o(2352): g : 15.31: 465 2-t 5-l

and

r(2oo) : (3+t) Q+D : 12. "(2352): Also

32-l 52-l o(lz0 : o(2a.32.s): T-,1 . . :31. 13.6:241g 2-l 3-l 5-l

and r(24.32.il:(4+l)(z+t)(t+t) : 3o.

6.2 Problems l. Findthe sumof the positiveinteger divisors of a) 35 e) 2'3'5'7'll b) te6 f) 2s345372t1 c) looo g) lo! d) 2r0o h) 201.

2. Find the number of positive integer divisors of

il 36 d) 2.3.s.7.11.13.17.19 b) 99 e) 2i2.s3.74.115.134.17s.19s c) r44 f) 20t.

3. Which positive integers have an odd number of positive divisors? 6.2 The Sumand Numberof Divisors 179

4. For which positive integersn is the sum of divisors of n odd?

5. Find all positiveintegers n with a(n) equal to a) 12 d) 48 b) l8 e) 52 c) 24 f) 84

6. Find the smallestpositive integer n with r(n) equal to

a)l d)6 b)2 dt4 c) 3 f) 100.

7. Show that if k > | is an integer,then the equationrh) : ft has infinitely many solutions.

8. Which positive integers have exactly

a) two positive divisors

b) three positive divisors

c) four positive divisors?

g. What is the product of the positive divisorsof a positive integer n ?

10. Let o1,h) denote the sum of the kth powers of the divisors of n, so that : : o1,h) 2 dk. Note that o1h) sfu). dln a) Find or(4), or(6) and o{12).

b) Give a formula for o1(p), wherep is prime'

c) Give a formula for o1(po), wherep is prime, and a is a positiveinteger.

d) Show that the function op is multiplicative'

e) Using parts (c) and (d), find a formula for o;(n), where n has prime-power factorizationn : pi'pi' . . . p:;.

11. Find all positiveintegers n suchthat d(n) + oQ):2n. 12. Show that no two positive integers have the same product of divisors.

13. Show that the number of pairs of positiveintegers with least common multiple equal to the positive integer n is r(nz).

14. Let n be a positive integer. Define the sequence of integers fl1,tr2,rt3,...b! n1: r(n) and n1.,1: r(n*) for ft :1,2,3,.... Show that there is a positive integer r such that 2 : f,r : flr1t : rlr+2:

15. Show that a positiveinteger n is compositeif and only if o(n) > n + ,/i. 180 MultiplicativeFunctions

16. Show that : if n is a positiveinteger then r(n)z )r(d)3 dln

6.2 Computer Projects

Write programs to do the following:

l. Find the number of divisorsof a positive integer.

2. Find the sum of the divisors of a positive integer.

3. Find the integer r defined in problem 14.

6.3 Perfect Numbersand MersennePrimes

Becauseof certain mystical beliefs, the ancient Greeks were interested in those integers that are equal to the sum of all their proper positive divisors. Theseintegers are called perfect numbers.

Definition. If n is a positive integer and o(n) : 2n, then n is called a perfect number.

Example.Since o(6): l+2 + 3 +6:12, we seethat 6 is perfect. we alsonote that o(28):1 +2+4+7 +14*28:56. so that 28 is another perfect number.

The ancient Greeks knew how to find all even perfect numbers. The following theorem tells us which even positive integersare perfect.

Theorem 6.9. The positiveinteger n is an even perfect number if and only if n :2m-r(2^-l) wherem is a positiveinteger such that 2^-l is prime.

Proof. First, we showthat if n:2m-r(2^-l) where 2^-l is prime, then n is perfect. We notethat sincezn-l is odd, we have (2m-r,2m-l) : 1. Since o is a multiplicative function, we seethat o(n) - o(2^-t)o(2^-l) .

Lemma 6.1 tellsus that o(2^-r):2^-l and o(2^-l):2^, sincewe are assumingthat 2m-l is prime. Consequently, 6.3 PerfectNumbers and MersennePrimes 181

o(n) : Q^-l)2^ :2n , demonstratingthat n is a perfect number. To show that the converseis truen let n be an even perfect number. Write : n :2'l wheres and t arepositive integers and f is odd. Since(2t,t) 1, we seefrom Lemma 6.1 that (6.1) o(n) : o(2':) : o(2')o(t) : (2'+t-t)o(l)

Since n is perfect, we have

G'D o(n) : 2n : 2s+r1

Combining (6.1) and (6.2) showsthat (6.3) (2'+r-1)o(i : 2s+t1

Since(2s+r,2s+t-l): l, from Lemma2.3we seethat 2'+1lo(r). Therefore, there is an integerq such that o(t) - 2'+rQ. Insertingthis expressionfor o(t) into (6.3) tells us that (2s+r_l)2s*rq- 2'*rt , and, therefore, (6.4) (2'+t-l)q : 1 .

Hence,q I t and q # t. When we replace / by the expressionon the left-hand side of (6.4), we find that (6.5) t +q: (2s+t-t)q+q:2'+rq:oQ).

We will show that q : 1. Note that if q * l, then there are at least three distinct positive divisors of t , namely 1, q, and t . This implies that (6.4), oQ) 2 t + q -| 1, which contradicts(6.5). Hence,4: I and,from we concludethat / :2s+l-1. Also, from (6.5), we seethat oQ): t + l, so that t must be prime, since its only positive divisors are I and t. Therefore, n :2t (2r+l-1), where2s+l-1 is prime. tr From Theorem 6.9 we see that to find even perfect numbers, we must find primesof the form 2t-1. In our searchfor primesof this form, we first show that the exponentru must be Prime.

Theorem 6.10. If la is a positiveinteger and2^-l is prime, then m must be 182 MultiplicativeFunctions

pnme.

Proof. Assume that m is not prime, so that m : ab where | 1 a 1 m and, | < b 1m. Then -l -, 2m : 2ab - (Zo-l) 12a(b-Da2a(b-D q...q1o +l) .

Since both factorson the right side of the equationare greater than I, we see that 2m-l is compositeif m is not prime. Therefore,if 2^-l is prime, then nr must also be prime. tr

From Theorem6.10 we seethat to searchfor primes of the form 2^-1, we need to consideronly integersm that are prime. Integersof the form 2m-l have been studied in great depth; these integers are named after a French monk of the seventeenthcentury, Mersenne,who studiedthese integers.

Definition. If m is a positiveinteger, then M^:2^-I is called the mth Mersennenumber, and, if p is prime and Mp:2p-l is alsoprime, thenM, is called a Mersenneprime.

Example. The Mersennenumber M7:27-I is prime, whereasthe Mersenne numberMn:2rr-I :2047 : 23.89is composite.

It is possibleto prove various theoremsthat help decidewhether Mersenne numbers are prime. One such theorem will now be given. Related results are found in the problemsof Chapter 9.

Theorem 6.11. rf p is an odd prime, then any divisor of the Mersenne number Mp :2p-l is of the form 2kp + I where k is a positiveinteger.

Proof. q - - Let be a prime -dividing Mp 2p I. From Fermat's little theorem,we know thatql(ze-t-t). Also, from Lemma 1.2 we know that f. ll\ (6.6) (T -t, 2c-t-t) : 2$t-D -

Since q is a common divisor of zp-l and zc-t-L we know that Qp-t,24-t-l) > l. Hence,(p,q-l): p, sincethe only other possibility, namely (p,q-l) : I, would imply from (6.6) that (Zp-t,2Q-t-l) : l. Hence p | (q-t), and, therefore, there is a positive integer m with - q | : mp. Since q is odd we see that m must be even, so that m : Zk. wherek isapositiveinteger.Hence, q:mp * I - 2kp+1 . tr We can use Theorem6.1 I to help decide whether Mersennenumbers are prime. We illustrate this with the following examples. 6.3 PerfectNumbers and MersennePrimes 183

Example. To decidewhether MB:2r3-l: 8191is prime,we only needlook for a prime factor not exceedinglml : 90.504.... Furthermore, from Theorem6.11, any such prime divisor must be of the form 26k + L The only candidatesfor primesdividinB Mnless than or equal to1fTp are 53 and79. Trial divisioneasily rules out thesecases, so that M s is prime.

Example.To decidewhether Mzt:223-r:8388607 is prime,we only need to determine whether M zt is divisible by a prime less than or equal to ffi: 2896.309...of the form 46k + l. The first prime of this form is 47. A trial divisionshows that 8388607:47'178481, so that M4is composite. Becausethere are specialprimality testsfor Mersennenumbers, it has been possibleto determinewhether extremely large Mersennenumbers are prime. Following is one such primality test. This test has been used to find the largest known Mersenneprimes, which are the largest known primes. The proof of this test may be found in Lenstra [7t] and Sierpifiski[351.

The Lucas-LehmerTest. Let p be a prime and let Mo : 2! -l denote the pth Mersennenumber. Definea sequenceof integersrecursively by settingtr:4, andfork>2, r* ? rtq -2 (modM), 0 ( rr I Mo .

Then, M, is prime if and only if rp-1 - 0 (mod M) .

We usean exampleto illustrate an applicationof the Lucas-Lehmertest.

Example.consider the Mersennenumber M5:25 - I - 3l' Then r,: 4, rzz42-2:14 (mod3l), rt4 A2 -2- 8 (mod31), and r+2 82- 2:0 (mod31). Sincertt 0 (mod31), we concludethat M5:31 is prime.

The Lucas-Lehmer test can be performed quite rapidly as the following corollary states.

Corollary 6.1. Let p be prime and let Mp : 2p - | denotethe pth Mersenne number. It is possibleto determine whether Mo is prime using OQ3) bit operations.

Proof. To determine whether Mp is prime using the Lucas-Lehmer test requiresp - | squaringsmodulo iV* eachrequiring O((log M)2): O(p2) bit operations. Hence, the Lucas-Lehmer test requires O Q3) bit operations.tr 184 Multiplicative Functions

Much activity has been directed toward the discoveryof Mersenneprimes, especiallysince each new Mersenne prime discoveredhas become the largest prime known, and for each ngw Mersenne prime, there is a new perfect number. At the presenttime, a total of 29 Mersenneprimes are known and these include all Mersenne primes Me with p ( 62981 and with 75000 < p < 100000. The known Mersenneprimes are listed in Table 6.3.

p Number of decimal Date of Discovery digits in M o

2 I anclenttrmes I 3 I ancienttimes 2 5 2 ancienttimes 2 7 3 ancienttimes 6 l3 4 Mid 15thcentury + I1 6 1603 2 t9 6 1603 1'2 3l 10 1772 'zz9a 6l 19 1883 89 I 27 l91l ig 107 33 l9l4 zf) q+ t27 39 t876 )q 52r 157 t952 8t) 607 I 183 t952 (, 72 r279 386 1952 2h ? ^l-7s 2203 664 1956 2281 687 1952 3b 32r7 969 t957 4253 1281 1961

4423 L t332 1961 5zLbb 9689 29r7 I 963 994r 2993 I 963 I 1213 3376 1963 r9937 6002 t97| 2r701 6533 I 978 23209 6987 r979 44497 I 3395 1979 86243 25962 1983 r32049 3975I I 983 9l 5050 f9t Table 6. re Known MersennePrimes. 6.3 PerfectNumbers and MersennePrimes 185

Computers were used to find the 17 largest Mersenne primes known. The discovery by high school students of the 25th and 26th Mersenne prime received much publicity, including coverageon the nightly news of a major television network. An interesting account of the search for the 27th Mersenneprime and related historical and computational information may be found in [77]. A report of the discoveryof the 28th Mersenne prime is given in [64]. It has been conjectured but has not been proved, that there are infinitely many Mersenneprimes. We have reduced the study of even perfect numbers to the study of Mersenneprimes. We may ask whether there are odd perfect numbers. The answer is still unknown. It is possibleto demonstratethat if they exist, odd perfect numbers must have certain properties (see problems 1l-14, for example). Furthermore, it is known that there are no odd perfect numbers less than 10200,and it has been shown that any odd perfect number must have at least eight different prime factors. A discussionof odd perfect numbers may be found in Guy [17], and information concerningrecent results about odd perfectnumbers is given by Hagis [681.

6.3 Problems

l. Find the six smallesteven perfect numbers.

2. Show that if n is a positive integer greater than l, then the Mersenne number Mn cannot be the power of a positive integer.

3. If n is a positive integer, then we say that n is deficient if ofu) 1 2n , and we say that n is abundant if oh) ) 2n. Every integer is either deficient, perfect, or abundant.

a) Find the six smallestabundant positive integers.

b) Find the smallestodd abundant positive integer.

c) Show that every prime power is deficient.

d) Show that any divisor of a deficient or perfect number is deficient.

e) Show that any multiple of an abundant or perfect number is abundant.

f) Show that if n -2m-t(2^-l) , where ra is a positive integer such that 2 -l is composite, then n is abundant.

4. Two positive integers m and n are called an amicable pair if o(m\ : o(n) : m * n. Show that each of the following pairs of integersare amicable pairs 186 MultiplicativeFunctions

a) 220,294 b) 1184,l210 c) 7975A, 98730.

5. a) Showthat if n is a positiveinteger with n ) 2, suchthat3.2n-t-1,3.2n-1, and32'22n-r-1 are all prime,then 2n (3'2'-t-DQ.2'-l) and2n(32.22n't-l) form an amicablepair.

b) Find three amicablepairs using part (a).

6. An integer n is called k-perfect if o(il: kn. Note that a perfect number is 2-perfect.

a) Show that 120 : 23.3.5is 3-perfect.

b) Show that 30240: 2s32.5., is 4-perfect.

c) Showthat 14182439040- 27.34.5.7.n2.17.19is 5-perfect.

d) Find all 3-perfectnumbers of the form n -2k.3.p, where p is an odd prime.

e) Show that if n is 3-perfectand 3 I n, then 3n is 4-perfect. 7. A positiveinteger n is calledsuperperfect if oGh)) : Zn. a) Show that 16 is superperfect.

b) Show that if n : 2e where 2q+t-l is prime, then n is superperfect.

c) Show that every even superperfect number is of the form n : 2q where zq+t-l is prime.

d) Show that if n : p2 wherep is an odd prime,'thenn is not superperfect.

8. Use Theorem6.ll to determine whether the following Mersenne numbers are pnme

a) M7 c) Mn b) Mn d) Mzs.

9' Use the Lucas-Lehmer test to determine whether the following Mersenne numbersare prime

a) M3 c) Mn b) M7. d Mn.

10. a) Show that if n is a positive integer and 2n i L is prime, then either Qn+l) | M^ or Qn+D | (a,+D. (Hint: Use Fermat's little theorem to showthat Mn(Mn+z) = O (mod 2z+l).)

b) Use part (a) to show that Ms and My are composite. 6.3 Perfect Numbers and Mersenne Primes 187

11. a) Show that if n is an odd perfect number,then n : po m2 wherep is an odd primeandp7az I (mod4).

b) Use part (a) to show that if n is an odd perfect number, then n=l(mod4). t2. Show that if n - po m2 is an odd perfect number where p is prime, then n=p(mod8). 13. that if n is an odd perfect number, then 3, 5, and 7 are not all divisors of :**

14. Show that if n is an odd perfect number then n has

a) at least three different prime divisors.

b) at least four different prime divisors.

15. Find all positive integers n such that the product of all divisors of n other than n is exactly n 2. (Theseintegers are multiplicative analoguesof perfect numbers.) 16. Let n be a positive integer. Define the sequenca fl1,tt2,rt3,...,recursively by n1 : o(n) - n andflk+r: oQ) - np fot k - 1,2,3,....

a) Show that if n is perfect,then n : nt : fi2: tt3:

b) Show that if n and m are an amicablepair, then n1 : ftt, ttz- tt, tt3: t/t, n4: n,... and so on, f.e.,the sequencefl1,tt2,t13,... is periodic with period 2.

c) Find the sequenceof integersgenerated if n :12496:24'll'71.

It has been conjecturedthat for all n, the sequence of integers n1,n2,n3,... is pefiodic.

6.3 ComputerProjects Write programsto do the following: l. Classifypositive integers according to whether they are deficient, perfect, or abundant(see problem 3).

2. Use Theorem6.ll to look for factorsof Mersennenumbers.

3. Determine whether Mersenne numbers are prime using the Lucas-Lehmer test.

4. Given a positive integer n, determine if the sequencedefined in problem 16 peric.ic.

5. Find amicablepairs. Cryptology

7.1 CharacterCiphers From ancient times to the present, secret messages have been sent. Classically, the need for secret communication has occurred in diplomacy and in military affairs. Now, with electronic communication coming into widespread use, secrecy has become an important issue. Just recently, with the advent of electronic banking, secrecy has become necessary even for financial transactions. Hence, there is a great deal of interest in the techniquesof making messagesunintelligible to everyoneexcept the intended receiver.

Before discussing specific secrecy systems, we present some terminology. The discipline devoted to secrecy systems is called cryptology. Cryptography is the part of cryptology that deals with the design and implementation of secrecy systems, while cryptanalysis is aimed at breaking these systems. A messagethat is to be altered into a secretform is called plaintext. A cipher is a method for altering a plaintext message into ciphertext by changing the letters of the plaintext using a transformation. The key determines the particular transformation from a set of possibletransformations that is to be used. The processof changing plaintext into ciphertext is called encryption or enciphering, while the reverse process of changing the ciphertext back to the plaintext by the intended receiver, possessingknowledge of the method for doing this, is called decryption or deciphering. This, of course, is different from the process someone other than the intended receiver uses to make the messageintelligible through cryptanalysis.

188 7.1 Character Ciphers 189

In this chapter, we present secrecy systemsbased on modular arithmetic. The first of these had its origin with Julius Caesar. The newest secrecy systemwe will discusswas invented in the late 1970's. In all thesesystems we start by translating letters into numbers. We take as our standard alphabet the letters of English and translate them into the integers from 0 to 25, as shownin Table 7.1.

letter A B C D E F G H I J K L M N o P a R S T II V w X Y Z

numerical 0 I 2 3 4 5 6 7 8 9 l0 ll t2 l3 t4 l5 l6 t7 l8 l9 20 2l 22 23 24 25 equivalent

Table7.1. The NumericalEquivalents of Letters.

Of course, if we were sending messagesin Russian, Greek, Hebrew or any other languagewe would use the appropriate alphabet range of integers. Also, we may want to include punctuation marks, a symbol to indicate blanks, and perhaps the digits for representingnumbers as part of the message. However, for the sake of simplicity, we restrict ourselvesto the letters of the English alphabet. First, we discusssecrecy systemsbased on transforming each letter of the plaintext message into a different letter to produce the ciphertext. Such ciphers are called character or monographic ciphers, since each letter is changed individually to another letter by a substitution. Altogether, there are 26! possibleways to produce a monographic transformation. We will discuss a set that is basedon modular arithmetic.

A cipher, that was used by Julius Caesar, is based on the substitution in which each letter is replaced by the letter three further down the alphabet, with the last three letters shifted to the first three letters of the alphabet. To describe this cipher using modular arithmetic, let P be the numerical equivalent of a letter in the plaintext and C the numerical equivalent of the correspondingciphertext letter. Then C:P+3(mod26), 0

The correspondencebetween plaintext and ciphertext is given in Table 7.2. 190 Cryptology

A B c D E F G H I J K L M N o P a R S T U V w X Y Z plaintext 0 I 2 3 4 5 6 8 9 l0 ll t2 l3 l4 l5 l6 t7 l8 t9 20 21 22 23 24 25

3 4 5 6 7 8 9 l0 ll t2 l3 t4 l5 l6 t7 18l9 20 2l 22 23 24 25 0 I 2 ciphertextD E F G H I J K L M N o P a R S T U V w X Y z A B c

Table7.2. The Correspondenceof Letters for the CaesarCipher.

To encipher a messageusing this transformation, we first change it to its numerical equivalent, grouping letters in blocks of five. Then we transform each number. The grouping of letters into blocks helps to prevent successful cryptanalysis based on recognizing particular words. We illustrate this procedureby encipheringthe message

THIS MESSAGE IS TOP SECRET.

Broken into groups of five letters, the messageis

THISM ESSAG EISTO PSECR ET.

Converting the letters into their numerical equivalents,we obtain

19 7 81812 4 l8 1806 4 8181914 15 l8 4 3 17 4 19.

- Using the Caesar transformation Q P*3 (mod 26), this becomes

22 l0 11 2t 15 721 2t 3 9 7 11 21 22 17 18 2t 7 620722

Translating back to letters, we have

WKLVP HVVDJ HLVWR SVHGU HW.

This is the messagewe send. The receiver deciphers it in the following manner. First, the letters are converted to numbers. Then, the relationship P = C-3 (mod 26), 0 < P ( 25, is used to change the ciphertext back to the numerical version of the plaintext, and finally the messageis convertedto letters. We illustrate the deciphering procedure with the following message encipheredby the Ceasar cipher: 7.1 CharacterCiPhers 191

WKLVL VKP.ZZ HGHFL SKHU.

First, we change these letters into their numerical equivalents,to obtain

22|0ll2ll121l0|725257675||1810720.

: Next, we perform the transformation P C-3 (mod 20 to change this to plaintext, and we obtain

1978188 187142222 43428 157417.

We translate this back to letters and recoverthe plaintext message

THISI SHOWW EDECI PHER.

By combining the appropriate letters into words, we find that the message reads

THIS IS HOW WE DECIPHER.

The Caesar cipher is one of a family of similar ciphers described by u shft transformation

C:P+k (mod26),0

where k is the key representingthe size of the shift of letters in the alphabet. There are 26 different transformations of this type, including the case of k = 0 (mod 26), where letters are not altered, since in this case - C P (mod 26). More generally, we will considertransformations of the type (z.t) C-aP*b (mod26), 0

where a and b are integers with (a,26) : l. These are called with ffine transformations. Shift transformations are affine transformations a:1. We require that G,26): 1, so that as P runs through a complete system of residuesmodulo 26, C also does. There are O(2O : 12 choices for a, and 26 choicesfor b, giving a total of 12'26:312 transformations of this type (one of theseis C = P (mod 26) obtainedwhen a:l and D-0). If the rliationship between plaintext and ciphertext is described by (7.1), then the inverserelationship is given bY 192 Cryptology

P = arc-b) (mod26), 0 < P < 25.

where a is an inverseof a (modZO. As an example of such a cipher, let a:7 and b:r}, so that = (mod p c 7P + l0 26). Hence, = l5(c-10) = l5c+6 (mod 26). since 15 is an inverse of 7 modulo 26. The correspondencebetween letters is given in Table 7.3.

A B C D E F G H I J K L M N o P a R S T U V w X Y Z plaintext

0 I 2 3 4 5 6 8 9 l0 ll t2 l3 1415l6 t7 l8 l9 20 2l 22 23 24 25

r0 t7 24 5 t2 l9 0 7 T4 2l 2 9 l6 23 4 ll l8 25 6 l3 20 8 l5 22 3 ciphertext

K R Y F M T A H o V c J a X E L S z G N v B I P w D

Tabfe7.3. TheCorrespondence of Letters for theCipher with C = 7p+10 (mod26).

To illustratehow we obtainedthis correspondence,note that the plaintext letter L with numericalequivalent 1l correspondsto the ciphertextletter J, since7'll + l0:87 = 9 (mod 26) and9 is the numericalequivalent of J. To illustrate how to encipher,note that

PLEASE SEND MONEY is transformedto

LJMKG MGXFQ EXMW.

Also notethat the ciphertext

FEXEN XMBMK JNHMG MYZMN correspondsto the plaintext

DONOT REVEA LTHES ECRET. or combiningthe appropriateletters 193 7.1 GharacterCiPhers

DO NOT REVEAL THE SECRET.

of We now discusssome of the techniquesdirected at the cryptanalysis to break a ciphers based on affine transformations. In attempting is compared monographiccipher, the frequencyof letters in the ciphertext gives information with the frequency of letters i; ordinary text. This countsof concerningthe .orr"rpondencebetween letters. In variousfrequency occurrenceof Englishtext, one findi the percentageslisted in Table 7.4 fot the languages tne Ze lettersof the alphabet. Countsof letter frequenciesin other may be foundin [48] and [52].

S T U V w X Y z letter A B c D E F G H I J K L M N o P a R

frequency 'l I <1

Table 7.4. The Frequencies of Occurrence of the Letters of the Alphabet. are From this information, we see that the most frequentlyoccurring letters E,T,N,O, and A, in that order. We can use this informationto determine which cipher basedon an affine transformationhas been used to enciphera message. First, supposethat we know in advance that a shift cipher has been io encipher a message;each letter of the messagehas been employed - - transformedby ; correspondenceC P+k (mod 26),0 < C < 25. To cryptanalyze the ciPhertext

YFXMP CES PZ C J TDF DPQFW QZCPY NTAS P CTYRX PDDLR PD ,

we first count the numberof occurrencesof eachletter in the ciphertext. This is displayedin Table?.5. 194 Cryptology

letter A B C D E F G H I J K L M N o P a R S T U V w X Y Z

number of I 0 4 5 I 3 0 0 0 0 a occurrences I 0 2 2 J 0 0 I I 3 2

Table7.5. The Numberof Occurrencesof Lettersin a Ciphertext.

We notice that the most frequently occurring letter in the ciphertext is p with the letters c,D,F,T, y and occurring with relatively high frequency. our initial guess would be that P represents E, since E is the -ort frequently occurring letter in English text. If this is so, then 15:4fk (mod i6), s; that ft = I I (mod 26) Consequently,we would have C = p+11 (mod 26) and : (mod P c-l1 26). This correspondenceis given in Table 7.6.

A B C D E F G H I J K L M N o P a R S T U V w X Y Z ciphertext

0 I 2 3 4 ) 6 7 8 9 l0 ll l2 l3 t4 l5 l6 11l8 t9 20 21 22 23 24 25

l5 l6 t7 l8 l9 20 2l 22 23 24 25 0 I 2 3 4 5 6 I 8 9 l0 il t2 l3 t4 plaintext

P R S T U V a w Z Y z A B C D E F G H J K L M N o

Table 7.6. correspondenceof Letters for the Sample ciphertext.

Using this correspondence, we attempt to decipher the message. we obtain

NUMBE RTHEO RYI SU SEFUL FOREN CIPHE RINGM ESSAG ES.

This can easily be read as

NUMBER THEORY IS USEFUL FOR ENCIPHERING MESSAGES.

Consequently,we made the correct guess. If we had tried this transformation, and instead of the plaintext, it had producedgarbled text, we would have tried another likely transformation based on the frequency count of letters in the ciphertext. 195 7.1 CharaeterCiPhers

the form Now, supposewe know that an affine transformationof For C : a p+i (mod 26), 0 < C < 25, has been used for enciphering' instance,suppose we wishto cryptanalyze the encipheredmessage

US LEL JUTCC YRTPS URKLT YGGFV ELYUS LRYXD J URTU ULVCU URJRK QL LQL YXS RV L BRYZ CYREK LVEXB RYZDG HRGUS L J LLM LYPD J LJTJU FALGU PTGVT J ULYU SLDAL TJRWU SLJFE OLPU.

The first thing to do is to count the occurrencesof each letter; this count is displayedin Table7.7

letter A B c D E F G H I J K L M N o P a R S T U v w X Y z

number of 2 2 4 4 5 3 6 0 l0 3 22 I 0 I 4 2 t2 5 8 l6 J I 3 l0 2 occurrences

Table 7.7. The Number of Occurrencesof Letters in a Ciphertext.

With this information, we guessthat the letter L, which is the most frequently occurring letter in the ciphertext, corresponds to E, while the letter U, which occurs with the second highest frequency, correspondsto T. This implies, if -- the transformation is of the form C aP*b (mod 26), the pair of congruences -- 4a*b 11 (mod 26) l9a+b : 20 (mod 26).

By Theorem 3.8, we see that the solution of this system is a E 11 (mod 26) and b : 19 (mod 26).

If this is the correct enciphering transformation, then using the fact that 19 is an inverse of I I modulo 26, the deciphering transformation is --_ p 19 (C-19) : t9C-361 = 19C + 3 (mod 26), 0 < P < 25.

This gives the correspondencefound in Table 7.8. 196 Cryptology

A B C D E F G H I J K L M N o P a R S T U V w X Y z ciphertext

0 I 2 3 4 5 6 ,7 8 9 l0 ll t2 l3 t4 l5 l6 t7 r8l9 20 21 22 23 24 25

3 22 l5 8 I 20 l3 6 25 l9 ll 4 23 t6 9 2 2l r4 0 t9 t2 5 24 t1 t0 plaintext

D w P I B U N G z S L E X a J C V o H A T M P Y R K

Table 7.8. The correspondence of Letters for the Sample ciphertext. With this correspondence,we try to read the ciphertext. The ciphertext becomes

THEBE STAPP ROACH TOL EA RNNUM BERTH EORY I STOAT TEMPT TOSOL VE EVE RYHOM EWORK PROBL EMBYW ORKIN GONTH ESEEX ERCIS ESAST UDENT CANMA STERT HEIDE ASOFT HE SUB JECT.

We leave it to the reader to combine the appropriate letters into words to see that the messageis intelligible.

7.1 Problems

1. using the caesar cipher, encipher the messageATTACK AT DAWN. 2. Decipher the ciphertext message LFDpH LVDZL FRerx HUHG that has been enciphered using the Caesar cipher. 3. Encipher the message SURRENDER IMMEDIATELY using the affine transformationC = llp+18 (mod 26).

4. Decipher the message RToLK TOIK, which was enciphered using the affine transformation C = 3p+24 (mod 26). 5. If the most common letter in a long ciphertext, enciphered by a shift (mod transformation C = P+k 26) is Q, then what is the most likely value of k1 7.1 CharacterCiPhers 197

affine 6. If the two most common letters in a long ciphertext, enciphered by an transformation C = aP*b (mod 26) are W and B, respectively, then what are the most likely values for a and b? 7. Given two ciphers, plaintext may be enciphered by using one of the ciphers, and by then using the other cipher. This procedure produces a product cipher ' : a) Find the product cipher obtained by using the transformation C 5P +13 (mod 26) followed by the transformation c = l7P+3 (mod 26). : b) Find the product cipher obtained by using the transformation C aP+b (mod 26) followed by the transformation C = cP*d (mod 26), where Q,26):(c,26)*1. 8. A Vignbre cipher operates in the following way. A sequence of letters Qr!r,...,0r, with numerical equivalents k1,k2,...,kn, servesas the key. Plaintext messages are split into blocks of length n. To encipher a plaintext block of letters with numerical equivalents PbPz,..., P, to obtain a ciphertext block of letters with numerical equivalentscr,cz,...,cn, we use a sequenceof shift ciphers with

ci 7 pi * k; (mod 26), 0 ( ci ( 25,

for i : 1,2,...,n. In this problem, we use the word SECRET as the key for a Vigndre cipher.

a) Using this Vigndre cipher, encipher the message

DO NOT OPEN THIS ENVELOPE.

b) Decipher the following message which was enciphered using this Vigndre cipher:

WBRCSL AZGJMG KMFV.

c) Describe how cryptanalysis of ciphertext, which was enciphered using a Vigndre cipher, can be carried out.

7.1 Computer Projects Write programs to do the following:

l. Encipher messagesusing the Caesar cipher. 2. Encipher messagesusing the transformation C : P+k (mod 26), where k is a given integer. 3. Encipher messagesusing the transformation C = aP+6 (mod26), where a and b are integers with (a ,26) : I. 198 Cryptotogy

Decipher messagesthat have been encipheredusing the caesar cipher. Decipher messagesthat have been enciphered using the transformation C = P+k (mod26), where ft is a given integer.

Decipher messagesthat have been enciphered using the transformation = (mod c aP+6 26), where a and b are integerswith (a,26) : r. Cryptanalyze, using frequency counts, ciphertext that was enciphered using a transformation of the form c = p+k (mod26) where k is an unknown integer.

cryptanalyze, using frequency counts, ciphertext that was enciphered using a transformation of the form c = ap*D (mod26) where a and b are unknown integers with (a,26) - l. Encipher messagesusing vigndre ciphers (seeproblem g).

Decipher messagesthat have been encipheredusing vigndre ciphers.

7.2 Block Ciphers

We have seenthat monographicciphers basedon substitution are vulnerable to cryptanalysis based on the frequency of occurrence of letters in the ciphertext. To avoid this weakness, cipher systems were developed that substitute for each block of plaintext letters of a specified length, a block of ciphertext letters of the same length. Ciphers of this sort are called block or polygraphic ciphers. In this section, we will discuss some polygraphic ciphers basedon modular arithmetic; thesewerO developed by Hill [87] around 1930. First, we consider digraphic ciphers; in these ciphers each block of two letters of plaintext is replaced by a block of two letters of ciphertext. We illustrate this processwith an example.

The first step is to split the message into blocks of two letters (adding a dummy letter, say X, at the end of the message,if necessary,so that the final block has two letters). For instance,the message

THE GOLD IS BURIED IN ORONO is split up as 199 7.2 Block Giphers

(as Next, these letters are translated into their numerical equivalents previouslydone) to obtain 19 7 4 6 14 11 38 l8r 20t7 84 38 13 14 17 14 13 14.

Each block of two plaintext numbers P,Pz is converted into a block of two ciphertextnumbers C 1C2: Cr = 5Pr + lTPz (mod 26) Cz= 4Pt + lSPz (mod26).

For instance,the first block l9 7 is convertedto.6 25, because Cr = 5'19 + l7'7 : 6 (mod 26) Cz= 4'19+ 15'7:25 (mod26).

After performing this operation on the entire message,the following ciphertext is obtained: 625 t82 23 13 21 2 3 9 2523 4 r42r 217 2 1l l8 l7 2.

When these blocks are translated into letters, we have the ciphertext message GZ SC XN VC DJ ZX EO VC RC LS RC.

The deciphering procedure for this cipher system is obtained by using Theorem 3.8. To find the plaintext block Pfz correspondingto the ciphertext block CrCz, we use the relationship Pr = lTCt t 5Cz (mod 26) Pz = l8Cr * 23Cz (mod 26).

The digraphic cipher system we have presented here is conveniently describedusing matrices. For this cipher system,we have / 'r / )r ) lc,l ls 17llP,l I l=t tl l(mod26). lc,) L4 tsj lP,j In 5'l From Proposition3.7, we see that the matrix | | is an inverse of lts n) 6 r7'| | | modulo 26. Hence, Proposition3.6 tells us that deciphering can be l+ lsJ done using the relationship 200 Cryptology

= (mod 26). ;] [;;] [: [:;] general, ln a Hill cipher system may be obtained by splitting plaintext into blocks of n letters, translating the letters into their numerical equivalents,and forming ciphertext using the relationship - Q AP (mod20.

C1 P1 C2 P2

whereA is an nxn matrix with (det A,26) : I, C : and P:

cn Pn and where C1C2...C, is the ciphertext block that correspondsto the plaintext block P1P2...Pn Finally, the ciphertext numbers are translated back to letters. For deciphering,we use the matrix A, an inverseof A modulo 26, which may be obtained using Proposition 3.8. Since AA : / (mod 26), we have Zc = Z<,qn = (2,4p -p (mod26).

Hence, to obtain plaintext from ciphertext, we use the relationship P : ZC (JrrlOd 2f.).

We illustratethis procedureusi ngn:3 and the encipheringmatrix l9 ["2 A: 23 25 ls lro 7 I

Since det A = 5 (mod 26), we have (det A,26) : l. To encipher a plaintext block of length three, we use the relationship 201 7.2 Block CiPhers

[c') ["'l Ittt lcrl = e lP'l (mod26). [',1 [",J To encipher the message STOP PAYMENT, we first split the message into blocks of tht"" letters, adding a final dummy letter X to fill out the last block. We have plaintext blocks

STO PPA YME NTX.

We translatethese letters into their numericalequivalents

181914 15150 24124 131923.

We obtain the first block of ciphertextin the followingway: [.'l [" z 'nl ["] [ '] tllll.ll.l (mod26). 1.,l:ls n rtl |tnl-ltnl Itlllll^l [.,j [ro 7 t J |.toj U3,;

Encipheringthe entire plaintext messagein the same manner,we obtain the ciphertextmessage

81913 13415 0222 20110.

Translatingthis messageinto letters,we haveour ciphertextmessage

TTN NEP ACW ULA.

The deciphering process for this polygraphic cipher system takes a ciphertext block and obtains a plaintext block using the transformation

tt_tlf"'l [.'l = 7 (mod26) lprlrrll lrrl L",J lt'j

where 202 Cryptology

6 -5 ll

Z: -l -10

is an inverse of I modulo 26, which may be obtained using proposition 3.g. Because polygraphic ciphers operate with blocks, rather than with individual letters, they are not vulnerable to cryptanalysis based on letter frequency. However, polygraphic ciphers operating with blocks of sizen are vulnerable to cryptanalysis based on frequenciesof blocks of size n. For instance, with a digraphic cipher system, there are 262: 676 digraphs, blocks of length two. Studies have been done to compile the relative fiequencies of digraphs in typical English text. By comparing the frequenciis of digraphs in the ciphertext with the average frequencies of digraphs, it is ofGn possible to successfullyattack digraphic ciphers. For example, according to some counts, the most common digraph in English is TH, followed closely by HE. If a Hill digraphic cipher system has been employed and the most common digraph is KX, followed by YZ, we may guessthat the ciphertext digraphs KX and vZ correspond to TH and HE, respectively. This would mean that the blocks 19 7 andT 4 are sent to 1023 and21 25, respectively. If A is the enciphering matrix, this implies that ?l_ l0 2l ta,lrn : (mod 26). Iz 4) 23 25

is an inverse (mod 26), wefindthat "t [? l) lzt r7') : (mod26)' ltt 2) whichrgives possiblekey. After attemptingto decipherthe ciphertextusing 12e A- to transform the ciphertext,we would [s 23 know if our guesswas correct.

In general, if we know n correspondencesbetween plaintext blocks of size n and ciphertext blocks of size n, for instance if we know that the ciphertext blocks C1iC2i...Cni,j : 1,2,...,n, correspond to the plaintext blocks PryP2i...Pni,j : 1,2,...,n,respectively, then we have 7.2 Block Ciphers

,[:]il (mod26), for 7 - 1,2 ,...,fl.

These n congruencescan be succinctly expressedusing the matrix congruence AP=C (mod26), where P and C arc nxn matrices with ryth entries Pl; and Cii, respectively. If (det p,26): l, then we can find the encipheringmatrix A via A = CF (mod 26), where P is an inverseof P modulo 26. Cryptanalysis using frequenciesof polygraphs is only worthwhile for small valuesof n, where n is the size of the polygraphs. When n:10, for example, there are 26t0, which is approximately l.4x10la, polygraphsof this length. Any analysis of the relative frequencies of these polygraphs is extremely infeasible.

7.2 Problems

l. Using the digraphic cipher that sends the plaintext block Pf2to the ciphertext block CrCz with

Cr = 3Pt + I0P2 (mod 26) Cz = 9Pt + 7P2 (mod 26),

encipher the messageBEWARE OF THE MESSENGER.

2. Decipher the ciphertext message UW DM NK QB EK, which was enciphered using the digraphic cipher which sends the plaintext block Pfz into the ciphertext block CrCz with

Cr = 23Pt + 3Pz (mod 26) Cz = IOP| + 25P2 (mod 26).

3. A cryptanalyst has determined that the two most common digraphs in a ciphertext messageare RH and NI and guessesthat these ciphertext digraphs correspond to the two most common diagraphs in English text, TH and HE. If 204 Cryptotogy

the plaintext was encipheredusing a Hill digraphic cipher describedby Cr = aP1* bP2 (mod 26) Cz = cP1 * dP2 (mod 26).

what are a,b,c, and,d2 4. How many pairs of letters remain unchanged when encryption is performed using the following digraphic ciphers

il Cr E 4pt + 5p2 (mod 26) Cz = 3Pt + P2 (mod 26) b) Cr = lpt + I7p2 (mod26) Cz = Pt + 6Pz (mod 26) c) Cr = 3Pt + 5Pz (mod26) Cz = 6Pt + 3P2 (mod26)?

5. Show that if the^encipheringmatrix A in the Hill cipher systemis involutory modulo 26, i.e, 42 = 1 (mod 26), then A alsoserves as a decipheringmatrix for this ciphersystem.

6. A cryptanalysthas determinedthat the three most commontrigraphs (blocksof length three) in a ciphertextare, LME, wRI and zyC and gu"rr", that these ciphertext trigraphs correspondto the three most commontrigraphs in English text, THE, AND, and THA. If the plaintext was encipheredusing a Hill trigraphic cipher describedby C = AP (mod 26), what are the entriesof the 3x3 encipheringmatrix A? 7. Find the product cip^her.obtained by using the digraphic Hill cipher with encipherinsmatrix followedby using .[f lij the digraphicHill cipher with encipherins."tri* [r5, \) 8. Showthat the productcipher obtainedfrom two digraphicHill ciphersis again a digraphicHill cipher.

9. Show that the product cipher obtainedby encipheringfirst using a Hill cipher with blocksof size m and then using a Hill cipher with blocksof sizen is again a Hill cipherusing blocks of sizelm,nl. 10. Find the 6x6 encipheringmatrix correspondingto the productcipher obtainedby first usingthe Hill cipherwith encipheringmatrix rotto*"d by t} | J, usingthe Hillcipher with enciphering.",r,* fl A ?l [0 I lJ 11. A transposition cipher is a cipher where blocks of a specified size are enciphered by permuting their characters in a specified manner. For instance, plaintext blocks of length five, P1P2P3PaP5, may be sent to ciphertext blocks c1c2c3cac5: P4PIPIPP3. Show that every such transposition cipher is a 7.3 ExPonentiationCiphers 205

Hill cipher with an enciphering matrix that contains only 0's and I's as entries with the property that each row and each column contains exactly one 1.

7.2 Computer Proiects Write programs to do the following:

l. Encipher messagesusing a Hill cipher.

2. Decipher messagesthat were encipheredusing a Hill cipher.

3. Cryptanalyze messagesthat were enciphered using a digraphic Hill cipher, by analyzing the frequency of digraphs in the ciphertext.

7.3 ExponentiationCiphers In this section, we discussa cipher, based on modular exponentiation,that was invented in 1978 by Pohlig and Hellman [9t1. We will see that ciphers produced by this system are resistant to cryptanalysis.

Let p be an odd prime and let e, the enciphering key, be a positive integer with (e,p-l) : l. To encipher a message,we first translate the letters of the message into numerical equivalents (retaining initial zeros in the two-digit numerical equivalentsof letters). We use the same relationship we have used before. as shown in Table 7.9.

letter A B c D E F G H I J K L M N o P a R S T U V w X Y z

numerical 00 0r 02 03 04 05 06 0'l 08 09 l0 ll t2 l3 t4 l5 l6 t7 l8 l9 20 2l 22 23 24 25 equivalent

Table 7.9. Two-digit Numerical Equivalentsof Letters.

Next, we group the resulting numbers into blocks of 2m decimal digits, where 2m is the largest positive even integer such that all blocks of numerical equivalents corresponding to m letters (viewed as a single integer with 2m decimaldigits)arelessthanp,e.g. if 2525< p <252525,then m:2. For each plaintext block P, which is an integer with 2m decimal digits, we form a ciphertext block C using the relationship C=Pe (modp),0(C

The ciphertext messageconsists of these ciphertext blocks which are integers 206 Cryptology

less than p. we illustrate the encipheringtechnique with the following example.

Example' Let the prime to be used as the modulus in the enciphering procedure : be p 2633and let the encipheringkey to be usedas the .*ponrni in the modular :29, exponentiationbe e so thai (r,p-l) - (2g,2$;): l. To encipherthe plaintextmessage,

THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER, we first convertthe lettersof the messageinto their numericalequivalents, and then form blocksof length four from thesedigits, to obtain 1907 0818 0818 0013 0423 0012 l5l I 0414 0500 1304 2315 l4l3 0413 1908 0019 0814 1302 081s 07a4 nn .

Note that we haveadded the two digits 23, correspondingto the letter X, at the endof the messageto fill out the final blockof fbur digits. We next translateeach plaintextblock P into a ciphertextblock C using the relationship

C=pzs (mod263r,0< C <2633.

For instance,to obtainthe first ciphertextblock from the first plaintextblock we compute

C : 19072e= 2199 (mod 263i.

To efficientlycarry out the modular exponentiation,we use the algorithm givenin Section3.1. When we encipherthe blocksin this way, we find that the ciphertextmessage is 2199 t745 1745 r206 2437 2425 t729 1619 0935 0960 to72 l54l 1701 I 553 0735 2064 l35l t704 1841 r459

To decipher a ciphertext block c, we need to know a deciphering key, namely an integer d such that de = | (mod p-l), so that d is an inverseof (mod e p-l), which exists since (e,p-l): l. If we raise the ciphertext block C to the dth power modulo p,wa recoverour plaintext block p, since 207 7.3 ExponentiationGiphers

p (mod p), Cd = (p")d : ped = pkQ-t)+t = (pp-t)k = P

= (mod p-l)' where de : ki-l) + l, for some integer k, since de I that (Note that we have used Fermat's little theorem to see - pn-t I (modp).)

the prime Example. To decipher the ciphertext blocks generated using : inverse of e moduius p : 2633 and the enciphering key e 29, we need an that modulo j-t : 2632. An easy computation, as done in Section-3.2, shows to d : 2269 is such an inverse. To decipher the ciphertext block C in order find the correspondingplaintext block P, we use the relationship P : 9226e (mod 263i.

For instance,to decipher the ciphertext block 2199, we have P = 2lgg226e: 1907 (mod 263r.

Again, the modular exponentiationis carried out using the algorithm given in Section3.2. (mod For each plaintext block P that we encipher by computing P' p), we use only O(tog2il3) bit operations,as Proposition3.3 demonstrates. Before we decipher we need to find an inversed of e modulo p-1. This can be done (see this needs using O(log il bit operations problem ll of Section 3.2), and, to be done only once. Then, to recover the plaintext block P from a ciphertext block C, we simply need to compute the leait positiveresidue of Cd modulop; we can do this using OKlog2p)3) bit operations. Consequently, the processos of enciphering and deciphering using modular exponentiation can be done rapidly. On the other hand, cryptanalysis of messagesenciphered using modular exponentiation generally cannot be done rapidly. To see this, suppose we know the prime p used as the modulus, and moreover, suppose we know the plaintext block P correspondingto a ciphertext block C, so that 0.2) C = P' (modp).

For successfulcryptanalysis, we need to find the enciphering key e. When the relationship Q.D holds, we say that e is the logarithm of C to the base p modulo p. There are various algorithms for finding logarithms to a given base modulo a prime. The fastest such algorithm requires approximately .*p(.,,6Ep log-mgp) bit operations(see [81]). To find logarithmsmodulo a prime with n decimal digits using the fastest known algorithm requires approximately the same number of bit operations as factoring integers with 208 Cryptology

the same number of decimal digits, when the fastest known factoring algorithm is used. Consulting Table 2.1, we see that finding logarithms modulo a prime p requires an extremely long time. For instance, when p has 100 decimal digits, finding logarithmr rnodulo p requires approximately 74yearc, whereas when p has 200 decimal digiis, approxim"i"ry 3.gxl0! years are required. we should mention that for primes p where p-l has only smalr prime factors, it is possible to use special techniques to find logarithms modulo p using o (logzp) bit operations. Clearly, this sort of prime should not be used as a modulus in this cipher system. Taking a prime p : 2q * l, where q is also prime, obviates this difficulty. Modular exponentiation - is useful for establishing common keys to be used by two or more individuals. These common keys may, for instance, be used as keys in a cipher system for sessionsof data communication, and should be constructed so that unauthorized individuals cannot discover them in a feasible amount of computer time. Let p be a large prime and let a be an integer relatively prime to p. Each individual in the network picks a key k that is an integei relatively prime to p-l ' When two individuals with keys &1 and k2 wisi to exchange a key, the first individual sendsthe secondthe inieger-71, where

./r E at'(modp), 0 < yr ( p,

and the second individual finds the common key K by computing

K: yf'=a&'&'(-odp), o

similarly, the secondindividual sends the first the integery2 where lz = ak' (modp), o 1 yz 1 p, and the first individualfinds the commonkey K by computing : K yl' =o&'&' (*od p), o < K < p.

We note that other individualsin the networkcannot find this commonkey K in a feasibleamount of computertime, sincethey must computelogarithmi modulop to find K.

In a similar manner,a commonkey can be sharedby any group of z individuals. If theseindividuals have keys k t,k2,..., kn, ihey can sharethe commonkey 209 7.3 ExponentiationCiPhers

K - ak'k""4 (mod P)'

common key We leave an explicit description of a method used to produce this K as a problem for the reader. by An amusing application of exponentiation ciphers has been described Shamir, Rivest, una eat.man [961. They show that by using exponentiation via ciphers, a fair game of poker may be played by two players communicating jointly computers. Suppose Alex and Betty wish to play poker. First, they chooie a large pii-" p. Next, they individually choosesecret keys e1aJrd €2' to be used as exponents in modular exponentiation. Let Er, and Er, represent the corresponding enciphering transformations, so that 8",(M) = M" (mod p) Er,(M) = M" (mod p),

where M is a plaintext message. Let dl and d2be the inversesof el and e2 modulo p respectively, and let Dr, and D", be the corresponding deciphering transformations, so that D",(C) = cd.' (mod p) D,:,(c) = cd'(mod p),

where C is a ciphertext message. Note that enciphering transformations commute, that is

E r,(E : Er,(E r,(M)), ",(M))

slnce (M")', :_ (M',)', (modp).

To play electronic poker, the deck of cards is representedby the 52 messages .TWO M r : OF CLUBS' ,r:."THREE oF CLUBS"

M sz: "ACE OF SPADES."

When Alex and Betty wish to play poker electronically, they use the following sequenceof steps. We supposeBetty is the dealer. 210 Cryptotogy

Betty uses her enciphering transformation to encipher the 52 messages for the cards. She obtains Er,(M 1), Er,(Mr),...,er, (arl.-- Betty shuffies the d".,k, by randomly riordering the enciphered messages. Then she sendsthe 52 shuffiedenciphered messages to Alex. ll. Alex selects, at random, five of the encipheredmessages that Betty has sent him. He returns these five messagesto Betty and she deciphers them to find her hand, using her deciphering transformation Drr, since D,,(E",(M)) : M for all messagesM. Alex cannot determine which cards Betty has, since he cannot decipher the enciphered messages Er,(M), j : 1,2,...,52.

lll. Alex selects five other enciphered messages at random. Let these messagesbe C1, Cz, Cl, Ca, and C5, where

Cj : Err(Mi,),

: i r,2,3,4,5. Alex enciphers these five previously encipheredmessages using his encipheringtransformation. He obtains the fivi messages : Cjr E r,(C) : E r,(Er,(1,t,,))

: i 1,2,3,4,5. Alex sendsthese five messagesthat have been enciphered twice (first by Betty and afterwards by Alex) to Betty. lv. Betty uses her deciphering transformation D", to find D",(C;*): D",(E ",(n",(*t,))) : Drr(Er,(Er,(M,,))) - Eer(Mi,),

since Er,(Er,(M)) :8",(Er,(M)) and Dr.(Er,(M)) - M for all messagesM. Betty sendsthe fives messageE",(Mi) back to Alex.

v. Alex useshis decipheringtransformation Dr, to obtain his hand, since D",(E",(M;,)) : M;,.

When a game is played where it is necessaryto deal additional cards, such as draw poker, the same steps are followed to deal additional cards from the remaining deck. Note that using the procedure we have described, neither player knows the cards in the hand of the other player, and all hands are equally likely for each player. To guarantee that no cheating has occurred, at the end of the game both players reveal their keys, so that each player can verify that the other player was 211 7.3 ExponentiationCiPhers

actually dealt the cards claimed. may A description of a possibleweakness in this scheme,and how it be overcome,may be found in problem 38 of Section 9.1.

7.3 Problems : the message l. Using the prime p - l0l and enciphering key e 3, encipher GOOD MORNING using modular exponentiation' 2. What is the plaintext message that corresponds to the ciphertext l2t3Og02053g 120g 1234 1103 1374 produced using modular exponentiation : with modulus p : 2591 and encipheringkey e 13 2 when 3. Show that the enciphering and deciphering procedures are identical - enciphering is done using modular exponentiation with modulus P 3l and enciphering key e : ll

4. With modulus p - 29 and unknown enciphering key e, modular exponentiation produces the ciphertext 04 19 19 ll 04 24 09 15 15. Cryptanalyze the ubou" cipher, if it is also known that the ciphertext block 24 corresponds to the plaintexi letter U (with numerical equivalent 20). (Hint: First find the iogarithm of 24 to the base 20 modulo 29 using some guesswork.)

5. Using the method described in the text for exchanging common keys, what is the key that can be used by individuals with keys kt:27 and kr:31 "o..onwhen the modulus is p : l0l and the base is a : 51'

6. What is the group key K that can be shared by four individuals with keys * k1 : ll, k2:12, k3:17, kc:19 using the modulusP 1009 and base a:31.

7. Describe a procedure to allow n individuals to share the comrnon key described in the text.

7.3 Computer Proiects

Write programs to do the following:

l. Encipher messagesusing modular exponentiation.

2. Decipher messagesthat have been enciphered using modular exponentiation.

3. Cryptanalyze ciphertext that has been enciphered using modular exponentiation when a correspondencebetween a plaintext block P and a ciphertext block C is known.

4. Produce common keys for individuals in a network. 212 Gryptology

5. Play electronic poker using encryption via modular exponentiation.

7.4 Public-KeyCryptography If one of the cipher systemspreviously described in this chapter is used to establish secure communications within a network, then each pair of communicants must employ an enciphering key that is kept secret from the other individuals in the network, sincl once the encipheringkey in one of those cipher systems is known, the deciphering key can be fiund using a small amount of computer time. Consequently,to maintain secrecythe enciphering keys must themselvesbe transmitted ovei a channel of securecommunications. To avoid assigninga key to each pair of individuals that must be kept secret from the rest of the network, a new type of cipher system, called a public-key cipher system, has been recentiy introduced. In ttris type of cipher system, enciphering keys can be made-public, since an unrealistically large amount of computer time is required to find a deciphering transformation from an enciphering transformation. To use a public-key cipher system to establish secret communications in a network of n individuals, each individual produces a key of the type specified by the cipher system, retaining certain private information that went into the constructionof the enciphering transformation E (D, obtained from the key ft according to a specifiedrule. Then a directory of the n keys k1, k2,...,k, is published. wtrn individual i wishes to send a message to individual ], the letters of the message are translated into their numerical equivalents and combined into blocks of specified size. Then, for each plaintlxt block p a corresponding - ciphertext block c E1,, (p) is computed using the enciphering transformation Ekt. To decipher the message, individual 7 applies the deciphering transformation D1r,to each ciphertext block C to find p, i.e. Dk,(C) - Pkt(Eo,(r)) : f.

Since the deciphering transformation Do, cannot be found in a realistic amount of time by anyoneother than individual -/, no unauthorized individuals can decipher the message,even though they know the key k;. Furthermore, cryptanalysis of the ciphertext message, even with knowiedge of ki, is extremely infeasibledue to the large amount of computer time needed.

The Rfl cipher system, recently invented by Rivest, Shamir, and tgl? Adleman lgl], is a puitic-key cipher system based on modular exponentiation where the keys are pairs (e,n), consistingof an exponent e and a modulus n that is the product of two large primes, i.e. n: pq, where p and.q are large '^ ,n+t -,,"lulus, P 1 q',te ubi,c; { f\rirte p L L e^qvh7 7.4 Public-KeYCrYPtograPhY 21s Secm{: C docryrily P'1 primes, so that G,Q(il): l. To enciphera message,we first translate the ietters into their numerical equivalents and then form blocks of the largest possiblesize (with an even number of digits). To encipher a plaintext block P, we form a ciphertext block C bY E@) :C zP' (modn), 0 1 C 1 n.

The deciphering procedure requires knowledge of an inverse d of e modulo Qh), which existssince G,Qh)) : l. To decipherthe ciphertextblock C, we find e"l- | - ri 4{") +t D (O = Cd : (P')d : Ped : Pkdh) _ (poft);kp = p (mod n),

where ed: kth) * I for someinteger k, sinceed = I (mod Ob)), and by -- Euler's theorem, we have pa(fi) 1 (mod n), when (P, n) : | (the probability that P and n are not relatively prime is extremely small; see problem 2 at the end of this section) . The pair (d, n) is a deciphering key. To illustrate how the RSA cipher system works, we present an example where the enciphering modulus is the product of the two primes 43 and 59 (which are smaller than the large primes that would actually be used). We have n : 43 ' 59 : 2537 as the modulus and e - 13 as the exponent for the RSA cipher. Note that we have (e, Qh)) : (13, 42' 58) : l. To encipher the message

PUBLIC KEY CRYPTOGRAPHY.

wq first translate the letters into their numerical equivalents,and then group these numbers together into blocks of four. We obtain

1520 01I l 0802 1004 2402 1724 l5l9 1406 1700 1507 2423,

where we have added the dummy letter X : 23 at the end-of the passageto fill out the final block. We encipher each plaintext block into a ciphertext block, using the relationship

C = Prt (mod 2537)

For instance, when we encipher the first plaintext block 1520, we obtain the ciphertext block 214 Cryptology

C = (1520)13= 95 (mod 253D.

Enciphering all the plaintext blocks, we obtain the ciphertext message

0095 1648 l4l0 t299 081I 2333 2132 0370 I 185 1457 1084.

In order to decipher messagesthat were encipheredusing the RSA cipher, we must find : an inverse of e 13 modulo oeslil : o(43. 5i) : : 42' 58 2436- A short computation using the Euclidean algorithm, as done in section 3.2, shows that d :937 is an inverse of 13 modulo 2436. Consequently,to decipher the cipher text block C, we use the relationship - P ge37 (mod 253D,0

which is valid because : - ge37 (pr3)e37 (p2az6)sp= p (mod 2537): note that we have used Euler's theorem to see that - pQQs37)- p2436 t (mod 2537), when (P, 2537) : | (which is true for all of the plaintext blocks in our example).

To understand how the RSA cipher system fulfills the requirements of a public-key cipher system, first note that each individual can find two large primes p and q, with 100 decimal digits, in just a few minutes of computer time. These primes can be found by picking odd integers with 100 digits at random; by the prime number theorem, the probability that such an integer is prime is approximately 2tog 10100. Hence, we expect to find a prime after examining an average of l/OAog 10100),or approximately ll5, such integers. To test these randomly chosen odd integers for primality, we use Rabin's probabilistic primality test discussedin Section 5.2. For each of these 100- digit odd integers we perform Miller's test for 100 basesless than the integer; the probability that a compositeinteger passesall thesetests is lessthan 10-60. The procedure we have just outlined requires only a few minutes of computer time to find a 1OO-digitprime, and each individual need do it only twice.

Once the primes p and q have been found, an enciphering exponent e should be chosen with (e,e(pq)) : l. One suggestion for choosing e is to take any prime greater than both p and q. No matter how e is found, it should be true that 2' > fl : pQ, so that it is impossible to recover the 215 7.4 Public-KeYCrYPtograPhY

eth root of the integer C plaintext block P, P # O or 1, just by taking the withC=P,(modn),01C1n.Aslongas2,}||,everymessageother followed by u reduction than p : 0 and l, is enciphered by exponentiation modulo n. enciphering messages We note that the modular exponentiationneeded for a few seconds of using the RSA cipher system can be done using only base in the modular computer time when th; modulus, exponent, and the Euclidean exponentiationhave as many as 200 decimal digits' Also, using exponent e algorithm, we can rapidly find an inverse d of the enciphering q are known' so that rnldulo 6(r) when the primes p and : 0h) :6(Pq) (P-l)(q-l) is known' (e, to To see why knowledgeof the enciphering key n) does not easily lead the deciphering key (d] n), note that to find d, an inverse of e modulo 6h), (p-l)(q-l)' finding requiresthat we first find Qh):OQq): Note that is not easier than factoring the . To se7-y!5 no.!1 that Q0) - :'/mqJIlSgg-t? :!Q+d'-4n' so i i n : n - o0) +l andp q : (p-q)|, and consequently if,u, p : t/2lQ+Q + Q-il\ and q Vzl|+q) + : : are p and q can easily U" found when n pq and 6h) b-l)Q-l) digits, known. Note that when p and q both have around 100 decimal n - pq has around 200 decimal digits. From Table 2.1, we seethat using the fastest factorization algorithm known, 3.8xlOe years of computer time are required to factor an inleger of this size. Also, if the integer d is known, but - I is a multiple of o(n) is not, then n may also be factored easily, since ed an integer n using any eh) and there are special algorithms for factoring impossible multiple of 6h) (seeMill.r t72D. It has not been proven that it is to decipher messages enciphered using the RSA cipher system without factoring n, but so far no such method has been discovered' As yet,all decipherlng methods suggestedthat work in general are equivalent to factoring n, and as we have remarked, factoring large integers Seems to be an intractable problem, requiring tremendousamounts of computer time. A few extra precautionsshould be taken in choosingthe primes p and q to be used in the RSA cipher system to prevent the use of special rapid - - techniquesto factor n : pq. For example, both p | and q I should have large pri-. factors, (p - l, q - l) should be small, and p and q should have decimal expansionsdiffering in length by a few digits' For the RSA cipher system, once the modulus n has been factored, it is easy to find the deciphering transformation from the enciphering transformation. It may be possible to somehow find the deciphering transformation from the enciphering transformation without factoring n, although this seemsunlikely. Rabin [92] has discovereda variant of the RSA 216 Cryptotogy

cipher system for which factorization of the modulus n has almost the same computational complexity as obtaining the deciphering transformation the enciphering from transformation. To describe Rabin,s : cipher system, ret n pq, where p and q are odd primes, and let b be an integer with 0 6 1 < n. To encipher the plaintexi messagep, we form : e p@+b) (mod n).

We will not discuss the deciphering procedurefor Rabin ciphers here, because it relies on some concepts we havi not yet developed (see problem 36 in Section 9'l). However, we remark that there are foui possibleualue, of p for each ciphertext - p(p+b) c such that e (mod n), an ambiguity which complicates the deciphering process. when p and q are known, the deciphering procedure for a Rabin cipher can be carriei out rapidly since O(log n ) bit operationsare needed. Rabin has shown that if there is an algorithm for deciphering in this cipher system, without knowledge of the primes p and q, that ."qui.", f hf ait operations, then there is an algorithm for the factorization of n requiiing only (n) 2$ * log n ) bit operations. Hence the processof deciphering messages enciphered with a Rabin cipher without knowledgeof p and-q is a problern of computational complexity similar to that of factori zation. Public-key cipher systemscan also be used to send signed messages. When signatures are used, the recipient of a messageis sure that the messagecame from the sender, and can convince an impartial judge that only the sender could be the source of the message. This authentication is needed for electronic mail, electronic banking, and electronic stock market transactions. To see how the RSA cipher system can be used to send signed messages, supposethat individual i wishesto send a signed messageto individ ual j. itr. first thing that individual i doesto a plaintext block p is to compute S - Do,(P) = pd' (mod n;), where (di, n) is the deciphering key for individual f , which only individual i knows. Then, if ni t n1, where (ei, n) is the enciphering key ior individual 7, individual i enciphersS by forming

,:Ekt(S)=S', (modn;), 0

For deciphering, individual 7 first uses the private deciphering transformation Dp, to recover S, since 7.4 Public-Key CrYPtograPhY 217

D1,,(C)- PktGp, (S)) : s.

To find the plaintext message P , supposedly sent by individual i, individual 7 next uses the pubtic enciphering transformation Eq, since 81,(s) - fi,kt(Dr,(P)) : P.

Here, we have used the identity Ep,(Dp,(P)) : P, which follows from the fact that - Ep,(Dp,(P))= (Pd')" Pd'e': P (mod n;)' since :- diei I (mod Oh)).

The combination of the plaintext block P and the signed version S convinces individual 7 that the message actually came from individual i. Also, individual i cannot deny sending the message, since no one other than individual f could have produced the signed message S from the original messageP.

The RSA cipher system relies on the difference in the computer time needed to find primes and the computer time needed to factor. In Chapter 9, we will use this same difference to develop a technique to "flip coins" electronically.

7.4 Problems

l. Find the primesp andq if n : PQ - 4386607and d(n) : 4382136. 2. Supposea cryptanalystdiscovers a messageP that is not relativelyprime to the encipheringmodulus n : pq usedin a RSA cipher.

a) Showthat the cryptanalystcan factorn. . p or fP," ) 1 b) Show that it is extremelyunlikely that sucha messagecan be discoveredby demonstratingthat the probability that a messageP is not relativelyprime 1-!, to n i, !+ and if p andq are both largerthan l0rm,this pqpq probabilityis leis thin 10-s. 3. What is the ciphertext that is produced when the RSA cipher with key (e,n) : G,266il is usedto encipherthe messageBEST WISHES? 4. If the ciphertext message produced by the RSA cipher with key (e,n) : (s,zggt) is 05041874 0347 0515 2088 2356 0736 0468, what is the 218 Cryptology

plaintext message?

5. Harold and Audrey have as their RSA keys (3,23.4D and (7,31.59), respectively.

a) Using the method in the text, what is the signed ciphertext sent by Harold to Audrey, when the plaintext messageis cHEERs tranorot b) Using the method in the text, what is the signed ciphertext sent by Audrey to Harold when the plaintext messageis SINCERELY AUDREY? problems '7, In 6 and we present two methods for sending signed messagesusing the RSA cipher system, avoiding possible changes in block sizes.

6. Let H be a fixed integer. Let each individual have two pairs of enciphering keys: - (e,n) k and k* - (e,n*) with n < H

il Show that is is not necessaryto change block sizes when the transformation Eor. is applied after Dp, has been applied.

b) Explain how individual 7 can recover the plaintext message P, and why no one other than individual l' could have sent the message.

c) Let individual f have enciphering keys (3,11.71) and Q2}.4D so that 781 : 1l'71 < 1000 < ll89 - 29'41, and let individualj have enciphering keys (7,19.47)and, (7,31.3D, so that g93: lg.4j < 1000 < II47:31.37. What ciphertext message does individual f send to individual 7 using the method given in this problem when the signed plaintext messageis HELLO ADAM? What ciphertext message does individual j send to individual f when the signed plaintext messageis GOODBYE ALICE?

7 . il Show that if individuals f and y have enciphering keys k; - (ei,n) and ki : (ei,n), respectively, where both n; and ni are products of two distinct primes, then individual i can send a signed message P to individual 7 without needing to change the size of blocks by sending

Er,(Dr,(P)) if n, < n, Dp,(Ep,@)) if ni ) ni .

b) How can individual T recover p? c) How can individual j/ guarantee that a messagecame from individual i ?

d) Let ki - (11,47.61) and ki - (13,43.59). Using the method described in part (a), what does individual f send to individual 7 if the message is REGARDS FRED, and what does individual 7 send to individual i if the message is REGARDS ZELDA? 2r9 1.5 Knapsack CiPhers

using the Rabin ciPher 8. Encipher the message SELL NOW C = P(r+s) (mod2573).

?.4 Computer Projects

Write programs to do the following:

1. Encipher messageswith an RSA cipher'

2. Decipher messagesthat were enciphered using an RSA cipher. described in the text' 3. Send signed messagesusing an RSA cipher and the method problem 6' 4. Send signed messagesusing an RSA cipher and the method in in problem 7' 5. Send signal messagesusing an RSA cipher and the method

6. Encipher messagesusing a Rabin cipher'

7.5 KnapsackCiphers In this section, we discuss cipher systems based on the knapsack problem. Given a set of positive integers Qr,a2,..., an and a Sum S of a subsetof these integers, the knapsack problem asks which of these integers add together to give S. Another way to phrase the knapsack problem is to ask for the values of xyx2,..., xn, each either 0 or 1, such that (7.3) S:arxr*a2x2* larxn'

We use an example to illustrate the knapsackproblem.

Example. Let (a1,o2,o3,aa,a5): (2,'7,8,11,12). By inspection,w€ see that there are two subsets of these five integers that add together to give 21, namely 2l -- 2+8+l | : 2*7*12. Equivalently, there are exactly two :0 solutionsto the equation2x1* 7x2* 8x3 * llxa * l2x5:21, with Ii : or I for i : 1,2,3,4,5, namely xr : x3: x4: l, x2: 15 0, and Xl: XZ: X5: l, X3: I+ : 0. To verify that equation (7.3) holds, where each.x, is either 0 or 1, requires that we perform at most n additions. On the other hand, to search by trial and error for solutions of (2.3), may require that we check all 2n possibilities for (x1, x2,..., rn). The best method known for finding a solution of the knapsack problem requires O(2n/2) bit operations, which makes a computer solution of a general knapsack problem extremely infeasible even when n : 100. 220 Gryptology

certain values of the integers e1, a2,...,en make the solution of the knapsack problem much easier than the- solutlon in the general case. For instance, if : ai )i-1, to find the solution of S - Ar xr * a2x2-l ": I an xr, where ri:0 or I for i: 1,2,...,ft, simply requires that we find the binary expansionof S. We can also produce easyknapsack problems by choosingthe integersd1, oz,...,cn so that the sum of the first of these 7-l integers is alwayrl.r, than the Tiir int"ger, i.e. so that j-r 2o,{oi, j : 2,3,...,n. i-l

If a sequenceof integers d1, e2,...,an satisfiesthis inequality,we call the sequencesuper -increasing.

Example. The sequence 2, 3,7, 14, 27 is super-increasing because 3 > 2,7 > 3+2,14 > 7+3+2,and 27 > l4+i+3+2.

To see that knapsack problems involving super-increasingsequences are easy to solve,we first consideran example.

Example. Let us find the integersfrom the set 2,3,7,14,27 that have 37 as their sum. First, we note that since 2+ 3 + 7 + 14 < 27, a sum of integers from this set can only be greater than 27 if the sum contains the integer 27. Hence,if 2x1* 3x2* 7x3 * l4xa* 27x5- 37 with each .x;:0 or l, we must have 15 : I and 2x1* 3x2* 7x3| l4xa: 19. Since 14 > 10, x4 must be 0 and we have 2x1* 3x2* 7x3: 10. Since 2 + 3 ( 7, we must : have x, 1 and therefore 2x1l3x2:3. Obviously,we hava x2: I and rr - 0. The solutionis 37 - 3 + 7 + 27.

In general, to solve knapsack problems for a super-increasingseeuolco 41, a2,...,an, i.e. to find the values of xt, x2, ...,xn with ,S : atxl * a2x2* * enxn and x;:0 or I for i:1,2,..., n when.S is given,we usethe following algorithm. First, we find x, by noting that

[r ir S Z an r,:toif S(an.

Then, we find xn-r, xn-2,...,x1, in succession,using the equations 7.5 KnapsackCiphers 221

n if s- t-i+l xj- n .s- ;-;+l

for7 : n-l,n-2,...,1. To seethat this,algorirhm works, first note that if xn :0 when S 7 an, then)orrr( 2o, len

The ciphers that we describe here are based on transformed super-increasing sequences.To be specific,let or, a2,...,an be super-increasingand let m be a positive integer with lz ) 2ao. Let w be an integer relatively prime to m with inverse w modulo m. We form the sequence b1, b2,...,b, where : bj wai (mod m) and 0 < bi 1 m. we cannot use a special technique to solve : a knapsack problem of the type ^g b b,", where ,S is a positive i-l integer, since the sequence is not super-increasing. However, when fr is known. we can find (7.4) : : wT i fr|,r, h o,r, (modlz) j-l i-l since fibi =ai (mod m). From (7.0 we see that

So: Zo,r, t-l where Ss is the least positiveresidue of frS modulo z. We can easilv solve the equation 222 Cryptology

: So D o,r,, i-l since er, e2,...,an is super-increasing.This solvesthe knapsackproblem s : !, b,r,, i-l since bi = wa; (mod m) and 0 ( D; I m. We illustrate this procedurewith an example.

Example. The super-increasingsequence (oya2,a3,a4,a5):(3,5,9,20,44) can be transformed into the sequence(b3 b2, by bq, b5): (23,6g,69,5,11)by taking bi = 67a1 (mod 89), for 7 : 1,2,3,4,5. To solve the knapsack problem 23x1+ 68 xz* 69 x3* Sxa* llx5:84, we can multiply both sidesof this equation by 4 , an inverse of 67 modulo 89 , and reduce modulo 89, to obtain the congruence 3x1 * 5x2 * 9x3 * 20xa * 44x5 = 336 = 69 (mod g9). since 89>3+5+9+20+44, we can concludethat 3x1*5x2* 9x3 * 20xa * 44x5: 69. The solution of this easy knapsack problem is xs : x4: x2: I and x3 : rr : 0. Hence, the original knapsack problem has as its solution68 * 5 + 1l : 84.

The cipher system based on the knapsack problem works as follows. Each individual chooses a super-increasing sequence of positive integers of a specified length, say N, e.g. ar, a2,..., aN, as well as a modulus m with m ) 2ay and a multiplier w with (m,w) :1. The transformed sequence b1, b2,...,by, where bi = wai (mod m), 0 < bi 1 m, for j - 1,2,...,N, is made public. When someonewishes to send a messageP to this individual, the messageis first translated into a string of 0's and I's using the binary equivalentsof letters, as shown in Table 7.10. This string of zeros and ones is next split into segmentsof length N (for simplicity we supposethat the length of the string is divisible by N; if not, we can simply fill out the last block with all l's). For each block, a sum is computedusing the sequencebvbz,...,bxi for instance,the block x1x2...x11gives S: Drxr * b2x2* * byxy. Finally, the sums generatedby each block form the ciphertext message.

We note that to decipher ciphertext generated by the knapsack cipher, without knowledge of m and w, requires that a group of hard knapsack problems of the form

(7.s) S : brxr f b2x2* * byxy be solved. on the other hand, when m and w are known, the knapsack problem (z.s) can be transformed into an easy knapsackproblem, since 223 7.5 KnapsackCiphers

binary binary letter equivalent letter equivalent

A 00000 N 01101 B 00001 o 0lll0 C 00010 P 0llll D 0001I a 10000 E 00100 R 10001 F 00101 S 10010 G 001r0 T l00l I H 00111 U 10100 I 01000 V l0l0l J 0100r w 10110 K 01010 X l0l l1 L 01011 Y l 1000 M 0l100 Z 11001

Table 7.10. The Binary Equivalents of Letters.

wIS: frbp1 * frb2x2I ' * wbyx7,1 z atxl * a2x2* * ayxy (mod m ),

where frbj: a; (mod 22), where w- is an inverseof w modulo m, so that (7.6) So - afi1 * a2x2l * a1vx1v,

where Ss is the least positive residue of wlS modulo rn. We have equality in (7.6), since both sides of the equation are positive integers less than m which are congruent modulo ltt. We illustrate the enciphering and deciphering proceduresof the knapsack cipher with an example. We start with the super-increasing sequence (a1,a2,a3,Q4,Q5tA6,A7,Qg,Qg,,Ato): (2,1I '14'29'58'lI9'24I'480'959'1917)' We : take m: 383? as the encipheringmodulus, so that m ) 2a1s,?fld w l00l as the multiplier, so that (m,w):1, to transform the super-increasing sequenceinto the sequence(2002,3337,2503,2170, 503,172,3347,855,709,417). To encipher the message

REPLY IMMEDIATELY, Cryptology

we first translate the letters of the message into their five digit binary equivalents,as shown in Table 7.10,,and thenlroup thesedigits into blocks of ten, to obtain

1000100100 0llltOl0ll 1100001000 0110001100 0010000011 0100000000 1001100100 0101I11000.

For each block of ten binary digits, we form a sum by adding together the appropriate terms (2002, of the sequence 3337, 2503, 2170, sd:, t 72, 3347, 855,709, 417) in the slots correspondingto positionsof the block containing a digit equal to l. This gives us

3360 12986 8686 10042 3629 3337 5530 s72s.

For instance,we compute the first sum, 3360, by adding 2002,503, and g55. To decipher, we find the least positive residue modulo 3837 of 23 times each sum' since 23 is an inverse of 1001 modulo 3837, and then we solve the corresponding easy knapsack problem with respect to the original super- (2,11,14,29,59,119,241,4g0,959,lglT). increasing sequence For example, to decipher the first block, we find that 3360.23:540(mod 3837), and then note : that 540 480 + 58 + 2. This tells us that the first block of plaintext binary digitsis 1000100100.

Recently, Shamir [g+] tras shown that knapsack ciphers are not satisfactory for public-key cryptography. The reason is that there is an efficient algorithm for solving knapsack problems involving sequences b1, b2,...,b, with (modm), bi: wai where w and m are relatively prime poritiue integers and ar, o2,...,an is a super-increasingsequence. The algorithm found by Shamir can solve these knapsack problems using only O @ hD bit operations, where P is a polynomial, instead of requiring exponential time, ir required for general knapsack problems, involving sequencesof a general nature."r

There are several possibilities for altering this cipher system to avoid the weakness found by Shamir. One such possibility is to choose a sequence of pairs of relatively prime integers (w1,m1),,(w2,m2) ,..., (w,mr), and then form the series of sequences 7.5 KnapsackGiPhers 22s

b9) 7w1ai(modzr) ;;,, :rrijt' (mod m z)

bj') =w,b j'-rt (modz"), for j : l, 2, ..., n. We then use the final sequence b[') , b$'),..., bl') as the encipheringsequence. As of mid-1983,no efficientalgorithm had beenfound for solving knapsack problems involving sequencesobtained by iterating modular multiplications with different moduli (although there are several promisingmethods for the productionof suchalgorithms).

7.5 Problems l. Decidewhether each of the followingsequences is super-increasing a) (3,5,9,19,40) c) (3,7,17,30,59) b) (2,6,10,15,36) d (l l,2l,4l,8l,l5l).

2. Show that if 41, a2,...,dn is a super-increasingsequence, then c; 2 A-r for j - 1,2,.", f,' 3. Show that the sequencea1, a2,...,a21 is super-increasingif ai+r ) 2ai for j - 1,2,..., fl-l'. 4. Find all subsetsof the integers2,3,4,7, 11,13, 16 that have18 astheir sum. 5. Find the sequence obtained from the super-increasing sequence (1,3,5,10,20,41,80)when modular multiplication is applied with multiplier w : 17 and modulvsm : 162. 6. Encipher the messageBUY NOW using the knapsackcipher based on the sequenceobtained from the super-increasingsequence (17,19,37,81,160), by performing modular multiplication with multiplier w :29 and modulus m :331. 7. Decipherthe ciphertext402 105 150 325 that was encipheredby the knapsack cipher basedon the sequence(306,374,233,L9,259). This sequenceis obtained : : 464, by using-modular multiplication with multiplier w 17 and modulusm to transformthe super-increasingsequence (I8,22,4I,83,179). 8. Find the sequenceobtained by applyingsuccessively the modularmultiplications with multipliersand moduli (7,92), (11,95),and (6,101),respectively, on the super-increasingsequence (3,4,8,I7,33,67) . 226 Cryptology

9. What process can be employed to decipher messagesthat have been enciphered using knapsack ciphers that involve sequences arising from iterating modular multiplications with different moduli?

10. A multiplicative knapsack problem is a problem of the following type: Given positive integers aya2,...,an and a positive integer P, find the subset, or subsets, of these integers with product P, or equivalently, find all solutions of P - ai'ai'." oi'

where xj - 0 or I for j : 1,2,...,n.

il Find all products of subsetsof the integers 2,3,5,6,and l0 equal to 60.

b) Find all products of subsetsof the integers 8,13,17,21,95,121equal to 15960.

c) Show that if the integets a1,a2,...,anare mutually relatively prime, then the multiplicative knapsack problem P:ai'ai'"'oI', rj-0 or I for j : I,2,...,n, is easily solved from the prime factorizations of the integers P,ayo2,...,an, and show that if there is a solution, then it is unique.

d) Show that by taking logarithms to the base b modulo m,where (b,m): I and 0 < b < m, the multiplicative knapsack problem P-ai'ai'"'ol'

is converted into an additive knapsack problem

S - a1x1 * a2x2 * * anxn

where S, @1,e20...;dn ate the logarithms of to the base 6 modulo m, respectively.

e) Explain how parts (c) and (d) can be used to produce ciphers where messagesare easily deciphered when the mutually relatively prime integers a1, a2t...; an are known, but cannot be deciphered quickly when the integers d\, dzr...,an Are knOwn.

7.5 ComputerProjects Write programsto do the following: 1. Solveknapsack problems by trial and error. 2. Solve knapsack problems involving super-increasing sequences. 3. Encipher messagesusing knapsack ciphers. Decipher messagesthat were enciphered using knapsack ciphers.

Encipher and decipher messages using knapsack ciphers involving sequences arising from iterating modular multiplications with different moduli. 227 7.6 Some Applicationsto ComputerScience

of mutually relatively 6. Solve multiplicative knapsack problems involving sequences prime integers (see Problem 10).

7.6 Some Applications to Computer Science In this section we describe two applications of cryptography to computer science. The Chinese remainder theorem is used in both applications. The first application involves the enciphering of a database. A database is a collection of computer files or records. Here we will show how to encipher an entire databasi so that individual files may be deciphered without jeopardizing the security of other files in the database'

Supposethat a databaseB contains the n files Fv Fz,,-.-,Fn' Since each file is a string of 0's and I's, we can consider each file to be a binary integer. We first choose n distinct primes rltr, t7r2,...1 r/tn with m1 ) F1 for j :1,2,...,fr. As the ciphertextwe use an integerC that is congruentto F;_ modulo mi for j :1,2,...,n; the existenceof such an integeris guaranteed - by the ihin.t" remainder theorem. We let M fttr trtz mn and :1,2,...,n. let ,i- wherey; is an fui: M/ry forT Furthermore, !i.'-lf inverseof Ml modulo rz;. For the ciphertext, we take the integer C with C:br,r,(modM), 0

The integers e r, €2, ..., €n serveas the write subkeys of the cipher. To retrieve the 7th file F; from the ciphertext C, we simply note that Fi=C(modm),0(F;1mi.

We call the moduli my r/121...r mn the read subkeys of the cipher. Note that knowledgeof mi permits accessonly to file7; for accessto the other files, it is necessaryto know the moduli other than mi. We illustrate the enciphering and deciphering proceduresfor databaseswith the following examPle.

Example. Suppose our database contains four files Fr, Fz, F3,lfid Fa, representedby ih" binu.y integers(01I l)2, (1001)r,(t t00)2, iIDd (t t t t)2, or in decimal notation Fr:7, Fz:9, Ft: 12 and Fq: 15' We pick four primes, filr: 11,m2: 13,trl3: 17, and trl4: 19, greater than the corresponding integers representing the files. To encipher this database, we 228 Cryptology

use the chinese remainder theoremto find the ciphertextc which is the positiveinteger with C=7(modlt), C=9(moit3), C= 12(modl7), and c = 15 (modl9), less thanM: ll.l3.l7.l9:461g9. To computec we first find -. : Mr 13.17.19 4199, Mz: 1l.l7.lg: 3553, Mt: l1'13'19:2717, and Mt- ll.l3. 17:2431. W. easilyfind that lr-7,y2: l0,.pr: ll and /+: lg areinverses of Mi modulo j:1,2,3,4. mj for Hence,the writesubkeys arta e1: 4199.i: 29393,e2: 3553'10: 35530, - : e3 27l7.ll 2ggg7,and, eo: 243l.lg: 4375g.To constructthe ciphertext,we note that : Q e1F1l e2F2* e3F3* eqFc = 29393.7+ 35530.9+ 29887.12+ 43758.15 = 1540535 = 16298 (mod 46189),

so that c:16298. The read subkeysare the integers mi, j - 1,2,3,4. To recover the file F7 from C, we simply find the least positive residue of C modulo rn7. For instance,we find F1 by noting that Fr=16298=7(modtl).

We now discussanother application of cryptography, namely a method for sharing secrets. Suppose that in a communications network,- there is some vital, but extremely sensitiveinformation. If this information is distributed to several individuals, it becomesmuch more vulnerable to exposure; on the other hand, if this information is lost, there are serious consequences.An example of such information is the master key K used for accessto the password file in a computer system.

In order to protect this master key K from both loss and exposure, we construct shadows kv kz, ..., k, which are given to r different individuals. We will show that the key K can be produced easily from any s of these shadows, where s is a positive integer less than r, whereas the knowledge of less than s of these shadows does not permit the key K to be found. Because at least s different individuals are needed to find K, the key is not vulnerable to exposure. In addition, the key K is not vulnerable to loss, since any .t individuals from the r individuals with shadows can produce K. Schemeswith the propertieswe have just describedare called (s,r) threshold schemes.

To develop a system that can be used to generate shadows with these properties, we use the chinese remainder theorem. we choose a prime p greater than the key K and a sequence of pairwise relatively prime integeis rTtb ftiz, ..., ffir that are not divisible by p, such that 229 7.6 Some Applications to Computer Science

mt1mz1 1lttr, and

0.7) tTlt lllz ffi, ) Pffirffir-t frlFs*z of the Note that the inequality (7.7) states that the product of the s smallest largest of, the integers n; is g."utr.- than the product of p and the s-l - A/p is intelgersm'1. nt-om Q.l), we see ttrat if M tttttTtz n' then greater than the product of any set of s-l of the intege$ mi. Now let I be a nonnegativeinteger less than M /p that is chosenat random. Let Ko: K * tP'

sothat0( Ko( M-l (since0( Ko:K*tp< p+tp:(l+l)p( (M/p)p: M).

To producethe shadowskr kz, ..., kr, we let k1 be the integerwith ki = Ks (mod rn;), 0 ( k; I mi,

can be found by any s for 7 : 1,2,...,r. To see that the master key K individuals possessingshadows, from the total of r individuals with shadows, supposethat the s shadowski,,ki,,..., ki, are available. Using the Chinese remainder theorem, we can easily find the least positive residue of Ks modulo Mi where Mi: Hj,ffij, ftri,. Since we know that 0 ( Ko < M 4 Mi, - we can determine Ks, and then find K : Ko tp. - On the other hand, suppose that we know only the s 1 shadows kr,, k,r, ..., k,,-r. By the Chinese remainder theorem' we can determine the : least positive residue a of Ks modulo M; where Mi ffii,ffii, Hi,-,' With these shadows, the only information we have about Ks is that a is the least positive residue of Kq modulo Mi and 0 ( Ko < M - Consequently,we only know that Ko:a*xM;,

where 0 ( x < M/Mt From 0.1), we can conclude that M /Mi ) p, so that as .r ranges through the positive integers less than M lM, o x takes every : valuein a full set of residuesmodulo p. Since (m1,P): I for i 1,2, ...,s , we know that (Mi,p) : l, and consequently,a * xMi runs through a full set of residues modulo p as x does. Hence, we see that the knowledge of s-l shadows is insufficient to determine Ko, as Ks could be in any of the p 230 Cryptology

congruenceclasses modulo p.

we use an example to illustrate this threshold scheme.

Example. Let :4 K be the master key. we will use a (2,3) threshold schemeof the kind just describedwitir p -7, r11: ll, ftr2:12, and trt3:17, : so thatM Dtirt2:132 ) pmt: ll9. We pick t :iqrandomly from among the positive integers less than M /p : 132/7. This gives us Ko: K i tp :4 * 14.7:102.

The three shadowskvkz, and ft3 are the least positive residuesof Ks modulo l7lt, f/12,and m3, i.e.

kr = 102= 3 (modll) kz = 102= 6 (mod 12) kt = 102= 0 (modl7), so that the three shadowsare kl : 3, kz:6, and kr : 0.

We can recover the master key K from any two of the three shadows. Suppose we know that kr: 3 and kr : 0. Using the Chinese remainder theorem, we can determine Ks modulo n7t/tt: ll.lj - lg7, i.e. since = (mod Ko 3 ll) and Ko = 0 (mod 17) we have ko = 102 (mod 1g7). :132 Since 0 ( Ko < M < 187,we know that K6 :102, and consequently the master key is K : Ks - tp : lO2 - 14.7 : 4.

We will develop another threshold scheme in problem 12 of Section g.2. The interested reader should also consult Denning [47] for related topics in cryptography.

7.6 Problems

l. Supposethat the databaseI contains four files, F1 :4, Fz- 6, Ft: 10, and : F+: 13. Let ml 5, ntz:7, fti3 - ll, andma - 16 be the read subkevsof the cipher used to encipher the database.

il What are the write subkeysof the cipher?

b) what is the ciphertext c corresponding to the database?

2. When the database I with three files Fr Fz, and ^F3is enciphered using the method described in the text, with read subkeys ft:1 : 14, fir2: 15, and nt3:19, the correspondingciphertext is c:619. If file F3 is changed from - : Fr ll to F3 12, what is the updated value of the ciphertext c? 231 7.6 Some Applications to Computer Science

: using a (2'3) threshold 3. Decomposethe master key K 3 into three shadows - : 8' t/tz: 9' m3 : ll schemeof the type describedin the text with p 5' mr and with t -- 13. three pairs of shadows 4. Show how to recover the master key K from each of the found in Problem 3.

7.6 Computer Projects Write programs to do the following: files from l. Using the system describedin the text, encipher databasesand recover the ciphertext versionof databases' (see 2. Update files in the ciphertext versionof databases problem 2)'

3. Find the shadowsin a threshold schemeof the type describedin the text.

4. Recover the master key from a set of shadows' Primitive Roots

8.1 The Order of an Integer and primitive Roots

From Euler's theorem, if m is a positive integer and if a is an integer relatively prime to m, then s6(m) = | (mod m). Therefore, at least one positive integer x satisfiesthe congrueneea* = 1 (mod rz). Consequently,by the well-ordering property, there is a least positive integer x satiifying this congruence.

Definition. Let a and m be relatively prime positive integers. Then, the least positive integer x such that e* = I (mod z) is called the order of a modulo m.

We denote the order of a modulo m by ord_a.

Example. To find the order of 2 modulo 7, we compute the least positive residuesmodulo 7 of powersof 2. We find that

2t = 2 (mod7), 22 4 (mod 7), 23 I (mod 7).

Therefore, ord,72: 3.

Similarly, to find the order of 3 modulo 7 we compute 3t 3 (mod 7), 32 : 2 (mod 7), 33 = 6 (mod 7) 3e 4 (mod 7) , 3s = 5 (mod 7) , 36 = I (mod 7).

We see that ord73 : 6. 233 8.1 The Order of an Integer and PrimitiveRoots

(mod need In order to find all solutionsof the congruencea* = I m), we the followingtheorem. > 0, then the Theorem 8.1. lf a and n ate relatively prime integerswith n (mod only positiveinteger x is a solutionof the congruencea' = I n) if and if ord,a I x. Hence, Proof. If ordra I x, then x : k'ordnc wherek is a positiveinteger' a* -ok'ord'a:(ao'd'o)k =l (modn).

write Conversely,if a* = I (mod n ), wo first use the division algorithm to x : q'ordna * r, 0 ( r ( ordra.

From this equation, we see that (mod a, : oa'ord.a*r - (aord,o)e gr - a, n).

(mod Since a' = I (mod n), we know that a' = I n). From the inequality : is the 0 ( r ( ord, Q, we conclude that r:0, since, by definition, y ordna :0, we have least positive integer such that.av = I (mod n). Because f x : a'ordna. Therefore,ordna I x. D This theorem leads to the following corollary'

Corollary 8.1. lf a and n are relatively prime integers with n ) 0, then ordnaI Ofu).

Proof. Since (a,n) : 1, Euler's theorem tells us that qb('\: l (modn).

Using Theorem 8.1, we concludethat ordra I O(n)' n We can use Corollary 8.1 as a shortcut when we compute orders. The following example illustrates the procedure. : Example. To find the order of 5 modulo 17, we first note that 0(ll7) 16. sinceihe onty positivedivisors of 16 are 1,2,4,8, and 16, from corollary 8.1 theseare the only possiblevalues of ord175. Since 5r = 5 (mod l7),52 = 8 (mod l7),54:13 (mod l7), 58 = 16 (mod 17), 516= I (mod l7),

we concludethat ord175- 16. 234 Primitive Roots

The following theorem will be useful in our subsequentdiscussions.

Theorem 8.2. rf a and n are relatively prime integers with n ) 0, then ai = aj , (mod n) where r and 7 are nonnegative integers, if and only if i = j (mod ordna).

Proof. Supposethat i = j (modordna), and 0 < j < t. Then, we have i : j * k'ordra, wherek is a positiveinteger. Hence,

ai : ojrk'ord'a : aj(ao'd.o)o = a/ (mod n ). sinceoord'a=l(modn).

Conversely,assume that ai = ar (mod n) with i > j. Since (a,n): l, we know that (ai,n) : 1. Hence,using Corollary 3.1, the congruence ai = ai ai-i = ai (mod n) implies,by cancellationof a/, that ai-j: I (modn).

From Theorem 8.1, it follows that ordra divides i - j, or equivalently, i = j (mod ord,a). tr

Given an integer n, we are interested in integers a with order modulo n equal to Qfu). This is the largestpossible order modulo r.

Definition. If r and n are relatively prime integers with n ) 0 and if ordrr :6h), then r is called a primitive root modulo n.

Example. We have previously shown that ord73 : 6 : 00). Consequently,3 is a primitive root modulo 7. Likewise, since ord75 : 6, as can easily be verified, 5 is also a primitive root modulo 7.

Not all integers have primitive roots. For instance, there are no primitive roots modulo 8. To see this, note that only integers less than 8 and relatively primeto 8 are 1,3,5, and7, and ord3l: l, whileords3: ords5: ords7:2. Since d(8) : 4, there are no primitive roots modulo 8. In our subsequent discussions,we will find all integers possessingprimitive roots. To indicate one way in which primitive roots are useful, wo the following theorem.

Theorem 8.3. lf r and n are relatively prime positive integers with n ) 0 and if r is a primitive root modulo n, then the integers 235 8.1 The Order of an Integer and Primitive Roots

tl , f2' "'' '6b) form a reduced residueset modulo n.

root r form Proof. To demonstratethat the first @(r) powers of the primitive they are all a reduced residue set modulo n, we only need to show that relatively prime to n, and that no two are congruent modulo n. (rk,n):1 Since G,n):1, it followsfrom problem8 of Section2'1 that prime to n ' for any positive integer k. Hence, these powers are all relatively that To show that no two of these powersare congruent modulo n, assume ri = r/ (mod n ) .

(mod for From Theorem 8.2, we see that i = i Qfu))' However' = (mod implies I < t ( O(n) and 1 < j < 0h), the congruencei / d(n)) n. This that i : j . Hence, no i*o of these powers are congruent modulo showsthat we do have a reduced residue systemmodulo r. D

since Example. Note that 2 is a primitive root modulo 9, first 22 = 4,2t = g, and 26 = I (mod 9). From Theorem 8.3, we seethat the modulo 9. These are OO) :6 powers of 2 form a reduced residue system (mod = (mod 9), Zt = 2 (mod 9), 22 = 4 (mod 9), 23 = 8 9), 24 7 2s = 5 (mod 9), and 26 = 1 (mod 9). When an integer possessesa primitive root, it usually has many primitive roots. To demonstratethis, we first prove the following theorem'

Theorem 8.4. If ord-a : / and if r,l is a positive integer, then ord- (a") : t lQ,D .

Proof. Let J:ord-(a"), v:(t,u), t:tvv, and u:tltv' From Proposition2.1, we know that (r yu1) : l. Note that (a")t': (ar',)Qlv): (at)u': I (mod rn),

since ord.^a: t. Hence,Theorem 8.1 tells us that s I tr' On the other hand, since (a\t : eus = I (mod rn),

we know that I I zs. Hence, tp I u1vs, slld consequently,tt | ,tt. Since 236 Primitive Roots

Q6u): l, usingLemma 2.3,we see that /, | ". Now, sinces I tr and t, I r, we concludethat,s : I t: t/v : t/(t,u). This provesthe result. tr

We have the following corollary of Theorem g.4.

Corollary 8.2. I et r be a primitive root modulo z where m is an integer, m 2 r. Then r' is a primitive root modulo m if and,onlyif (u,o(d ) : l:

Proof. From Theorem 8.4, we know that ord,^r' : ord^rf (u,ord*r) : Q(m)/fu,0@D.

consequently, : ord- ru efu), and ru is a primitive root modulo m, if and only if (u,Q(m)) : t. D

This leads immediately to the following theorem.

Theorem 8.5' If the positive integer m has a primitive root, then it has a total of Q@fu)) incongruent primitive roots.

Proof. Let r be a primitive root modulo rn. Then Theorem 8.3 tells us that the integers r, 12,...,vbh) form a reduced residue system modulo ,,. From Corollary 8.2, we know that r" is a primitive root modulo rn if and only if (u,a(*)): l. since there ut" r*""ily o@@)) such integersa, there are exactly 0@@)) primitive roots modulo ru. tr

Example. Let m: 11. A little computationtells us that 2is a primitive root modulo 11. since ll has a primitive root, we know that 11 has a@ol)) :4 incongruent primitive roots. It is easiry seen that 2, 6,7, and g are four incongruent primitive roots modulo I l.

8.1 Problems

1. Determine the

a) order of 2 modulo 5 c) order of l0 modulo 13 b) order of 3 modulo l0 d) order of 7 modulo 19. 8.1 The Order of an Integer and Primitive Roots 237

2. Find a primitive root modulo

il4 d) 13 b)5 e) 14 c) l0 f) 18.

3. Show that the integer 12 has no primitive roots' many 4. How many incongruent primitive roots does 13 have? Find a set of this incongruent primitive roots modulo 13.

5. Show that if dis an inverseof c modulo n, then ordna: ordnd. n 6. Show that if n is a positive integer and a and 6 are integers relatively prime to : such that (ordna, ordnD) : l, then ord'(ab) ordna'ordnb' when 7. Find a formula for ordn Gil if a and b are integers relatively prime to n ordna and ordrb are not necessarily relatively prime'

g. Decide whether it is true that if n is a positive integer and d is a divisor of Qh), then there is an integer a with ordna : d.

g. Show that if a is an integer relatively prime to the positive integer m and ord^a : s/, then ord^at : s .

10. Show that if m is a positive integer and a is an integer relatively prime to z such that ord^a - tlt - 1, then rr is prime.

I 1. Show that r is a primitive root modulo the odd prime p if and only if

,e_D/e * I (modp)

for all prime divisorsq of P-1. 12. Show that if r is a primitive root modulo the positive integer m, then i is also a primitive root modulo m, if i is an inverse of r modulo m '

13. Show that ordp 2 ( 2'*1, where Fn : 2T * I is the nth Fermat number.

14. Let p be a prime divisor of the Fermat number Fn:2v * l' a) Show that ordo2 :Zn*r.

b) From part (a), conclude that 2n+r | (p-1), so that p must be of the form z"+rk + l. : 15. Let m: an - 1, where a andn arepositive integers. Show that ordra n and conclude that n I O@). 16. a) Show that if p and q are distinct odd primes, then pq is a pseudoprime to the base 2 if and only if ordo2 | 0-t) and ordo2 | Q-D. b) Use part (a) to decide which of the following integers are pseudoprimes to the base2: 13'67, 19'73,23'89,29'97. 238 PrimitiveRoots

17. Show that if p and q are distinct odd primes, then pq is a pseudoprime to the base2 if and only if MoMo: (2p-r)ei-D ir" prrriJoprimeto the base2. 18. There is a method for deciphering messagesthat were enciphered by an RSA cipher, without knowledge of the deciphering key. This method is based on iteration. Supposethat the public key ie,il ir"o ro. enciphering is known, but the deciphering key (d,il is not. To decipher a ciphertext block C, we form a sequenceCt,Cz,C3,...settingCr = C" (modn),0 < C1 1n andC;+1E (mod C7Y n), 0 < Ci+t 1 n for j - 1,2,3,....

a) Show that C1 = Cd (mod n), 0 1 C1 1 n. b) Show that there is an index 7 such that C1: C and Cj_t : p, where p is the original plaintext message. Show that this indei 7' is a divisor of ord,61n,1e

c) Let n:47'59 :17. and e Using iteration,find the plaintext corresponding to the ciphertext 1504.

(Note: This iterative method for attacking RSA ciphers is seldom successfulin a reasonable amount of time. Moreover, the primes p and q may be chosen so that this attack is almost always futile. See pioblem l3 of Section g.2.)

8.1 Computer Projects

Write projects to do the following: l. Find the order of c modulo rn, when a and m are relatively lntegers.

2. Find primitive roots when they exist. 3. Attempt to decipher RSA ciphers by iteration (seeproblem r g).

8.2 PrimitiveRoots for primes In this section and in the one following, our objective is to determine which integers have primitive roots. In this ,..tion, we show that every prime has a primitive root. To do this, we first need to study porynomial congru"nces. Let (x) be polynomial f a with integer coefficients. We say that an integer c is a root of (x) f modulo m it f(c) = 0 (mod z). It i, *ryio rr. that if c is a root of (x) f modulo m, then every integer congruent to c modulo m is also a root.

Example. The polynomial f (i : x2 * x * t has exactly two incongruent roots modulo T,namely x = 2 (mod 7) andx = 4 (mod 7). 8.2 PrimitiveRoots for Primes 239

Example. The polynomial gG) : x7 * 2 has no roots modulo 5.

Example. Fermat's little theorem tells us that if p is prime, then the polynomial hQ) - rP-t - t has exactly p-l incongruent roots modulo p, namelyx = I ,2,3, ...,P-l (modP). We will need the following important theorem concerning roots of polynomialsmodulo p where p is a prime.

* cs be a Lagrange'sTheorem. Let f (x) : arxn + an4xn-r * + afi potyno.nial of degree n with integer coefficients and with leading coefficient an p. noi Oiuiribleby p. Then f k) has at most n incongruent roots modulo

rt : l' Proof. To prove the theorem, we use mathematical induction' When modulop rsa solution *e hauef (;: atx I aowithp f c1. A root of /G) -as since of the linear congruence a 1x 2 (mod p). By Theorem 3'7, (a1,p): l, this linear congruencehas exactly one solution, so that there is n : l ' exactly one root modulo p of f G). Clearly, the theorem is true for - l' Now supposethat the theorem is true for polynomials of degree n and by let U" a polynomial of degree n with leading coefficientnot divisible fk) p p. Assume that ihe polynomial f G) has n f I incongruent roots modulo ' :0,1,,...,,fl.We have s?r!cs,cr,,..,cn, so that f k) = 0 (modp) for k rG)- rGo) ]] =i:l:'_-,iirr;.,:,;'y,"_;,;;q"+ i .,a_ii',[.,,", ar)y(x-cs) (xn-z * x'-3cg* + xcfi-3 + c6-2') + * a1(x-cs) : (x-cs)g (x),

- where g(x) is a polynomial of degree n | with leading coefficient a,. we integer, now show that c r,cz,....,cnare all roots of g(x) modulop. Letk be an : : (mod 1 < k ( r. Sincef G) f (c) 0 p), we have - : (ct -co)skt) = (mod ' f Gr,) f (rr) 0 P) : (mod From Corollary 2.2, we know that gk) 0 p), since c1,- co# 0 (modp). Hence, c1 is a root of g(x) modulo p' This shows - that the polynomial g(x), which is of degree n | and has a leading p' coefficient not divisible by P, has n incongruent roots modulo This contradicts the induction hypothesis. Hence, f G) must have no more than n incongruent roots modulo p. The induction argument is complete' tr We use Lagrange's theorem to prove the following result. 240 PrimitiveRoots

Theorem 8.6. Let p be prime and let d be a divisor of p-1. Then the polynomial xd - I has exactly d incongruent roots modulo p.

Proof. Let p-l : de. Then - xP-r | : (xd-1;1"d(e-t) a rdG-D I * x, * l) : (xd-l)g(x) .

From Fermat's little theorem, we see that xP-r - I hasp-l incongruent roots modulo p. Furthermore, from Corollary 2.2, we know that any root of - xP-t I modulo p is either a root of x7 - I modulo p or u rooi of g(x) modulop.

Lagrange'stheorem tells us that g(x) has at most dG-l): p - d - | roots modulo p. Since every root of xP-r - I modulo p that is not a root of g(x) - modulo .p must be a root of xd I modulo p, we know that the polynomial - - xd | has at least Q-D Q-d-r): d incongruentroots modulo p. On the other hand, Lagrange's theorem tells us that it has at most d incongruent roots modulo p. Consequently, xd - I has precisely d incongruent roots modulo p. tr

Theorem 8.6 can be used to prove the following result which tells us how many incongruent integers have a given order modulo p.

Theorem 8.7. Let p be a prime ancl let d be a positive divisor of p-1. Then the number of incongruent integersof order d modulo p is equat to o@).

Proof. For each positive integer d dividing p-1, let F@) denote the number of positive integers of order d modulo p that are less than p. Since the order modulop of an integer not divisiblebyp dividesp-1, it follows that

p-l : d lp-l

From Theorem6.6, we knowthat

p-l : dlp-r

We will showthat F(d) < O@) whend I e-D. This inequality,together with the equality

dlp-r dlp-r 8.2 Primitive Roots for Primes 241

implies that F (d) : O@) for each positive divisor d of p-1. Let dl b-l). If F(d) :0, it is clear that F(d) < O@). Otherwise, thereis an integera of orderd modulop. Sinceotdra : d, the integers

a, a2t .", Qd

are incongruent modulo p. Furthermore, each of these powers of a is a root - of *d -1 modulo p, since bk)d (ad)k = | (modp) for all positive - integers k. From Theorem 8.6, we know that xd I has exactly d of incongruent roots modulo P, So every root modulo p is congruent to one these powers of a. However, from Theorem 8.4, we know that the powers of a with order d are those of the form a& with (kd): l' There are exactly consequently,if there is one O@) such integers k with I < k < d, and positive element of order d modulo p, there must be exactly 0U) such integersless than d. Hence,FU) < 'd(d). Therefore, we can conclude that F (d) : OU), which tells us that there are D precisely O@) incongruent integers of order d modulo p ' The following corollary is derived immediately from Theorem 8'7'

Corollary 8.3. Every prime has a primitive root'

Proof. Let p be a prime. By Theorem 8.7, we know that there ate |Q-l) incongruent integers of order p-l modulo p. Since each of these is, by definition, a primitive root, p has 6Q-l) primitive roots. The smallest positive primitive root of each prime less than 1000 is given in Table 3 of the APPendix.

8.2 Problems 1. Find the numberof primitive rootsof the followingprimes:

a) 7 d) 19 b) l3 e) 29 c) t7 f) 47.

(mod -r 2. Let r be a primitive root of the prime p with p = | 4)' Show that is also a primitive root. : that 3. Show that if p is a prime and p I (mod 4), there is an integer x such x2 = -l (modp). (Hint: Use Theorem 8.7 to show that there is an integer x of order 4 modulo P.) 242 PrimitiveRoots

4. a) Find the number of incongruent roots modulo 6 of the polynomialx2 - x.

b) Explain why the answer to part (a) does not contradict Lagrange's theorem. 5. il Use Lagrange's theorem to show that if p is a prime and /(x) is a polynomial of degree n with integer coefficients and more than n roots modulo p, then p divides every coefficientof /(x). b) Let p be prime. Using part (a), show that every coefficient of the polynomialf (x) : (x-l) (x-D ... (*-p+l) - xp-t + I is divisibtebyp. (b), c) Using part give a proof of Wilson's theorem. (Hint: Consider the constant term of f (x).) 6. Find the least positive residue of the product of a set of d(p_t) incongruent primitive roots modulo a prime p.

7. A systematic method for constructing a primitive root modulo a prime p is outlined in problem. this Let the prime factorization of ee) : p-l be : p-l q\'q'; q',, whereQr, ez, ..., qt areprime. a) Use Theorem 8.7 to show that there are integers d1, a2,...,a, such that ordrat : q'i, ordra2: q|, ..., ordoa,: q:,. b) Use problem 6 of section 8.1 to show that a : aflz-.. a, is a primitive root modulop. c) Follow the procedure outlined in parts (a) and (b) to find a primitive root modulo 29.

8. Let the positive integer n have prime-power factorization n: pl,pi,...p?. Show that the number of,incongruent bases modulo n for *tti.tt n is a pseudoprimeto that base is I (n -1, pi-D .

9. Use problem 8 to show that every odd composite integer that is not a power of 3 is a pseudoprimeto at least two basesother than i l. 10. Show that if p is prime and p :2q ! l, where q is prime and a is a positive integer with I 1 a I p-1, then p -a2 is a primitive root modulo p. I l. il Supposethat /(x) is a polynomial with integer coefficientsof degree n-1. Let x1,x2,...,xn be n incongruent integers modulo p. Show that for all integersx, the congruence

.f k) i-t i-_t,

t^rold^s' is (mod -.*h"1". F an inverse of xj-xi n ). This technique for finding f (x) modulo p is called Lagrange interpolation. 8.3 The Existence of Primitive Roots 243

b) Find the least positive residue of /(5) modulo 1l if /(x) is a polynomial of -- (mod degree3 with f 0) S,f Q) = 2,andf G) = 4 l1). 12. In this problem, we develop a threshold scheme for protection of master keys in a computer system, different than the scheme discussed in Section 7.6. Let f (x) be a randomly chosen polynomial of degree r-1, with the condition that K, the master key, is the constant term of the polynomial. Let p be a prime, such that p > K and p ) s. The s shadows krkz, ..., k, are computed by finding the :1,2,..., least positiveresidue of f G) modulop for i s where xt,xz,...,.xr are randomly chosenintegers incongruent modulo p, i.e., ( ki = f(x;) (modp), o ( k; p,

for; -

a) Use Lagrange interpolation, described in problem I l, to show that the master key K can be determined from any r shadows.

b) Show that the master key K cannot be determined from less than r shadows.

c) Let K:33, p:47, t:4, and s:7. Let fG): 4x3+xz+ 3lx + 33. Find the seven shadowscorresponding to the values of /(x) at 1,2,3,4,5,6,and 7.

d) Show how to find the key from the four shadowsf 0), f Q), f Q), and / (4) . 13. Show that an RSA cipher with enciphering modulus n: pq is resistant to attack by iteration(see problem 18 of Section8.1) if p:2p'+ I and q:2q'* l, where p' and q' are primes.

8.2 Computer Projects

Write programs to do the following:

1. Find a primitive root of a prime using problem 7.

2. Implement the threshold schemegiven in problem 12.

8.3 The Existenceof Primitive Roots In the previoussection, we showedthat every prime has a primitive root. In this section, we will find all positive integers having primitive roots. First, we will show that every power of an odd prime possessesa primitive root. We begin by consideringsquares of primes.

Theorem 8.8. If p is an odd prime with primitive root r, then either r or 244 PrimitiveRoots

r * p is a primitive root modulo p2.

Proof. Since r is a primitive root modulo p, we know that ordrr:0Q):p-1.

Let n : ordozr,so that r'= I (modp2).

since a congruencemodulo p'obviously holds modulo p, wa have rn = I (modp).

From Theorem 8.1, it follows that

p-l: ordrrl n.

On the other hand, Corollary g.l tells us that nlOQ2):p(p-t).

Since n p(p-t) I and p-l I n,, either n : p-l or n:p(p-l). If n : p (p-l), then r is a primitive root modulop2, since ordrrr : Q(pz). Otherwise,we haven : p-1, sothat (s.1) rP-t=1(modp2).

Let s : r+p. Then, sinces E r (mod p), s is also a primitive root modulo p. Hence, ordo"r equals either p-l or p (p-l). we will show that ordo,r * p-1. The binomial theorem tells us that : (rtp)o-r : .rp-r 7p-t + Q_Dro-rp * 1p;I)rr_rp, + z v4-t + (p-Dp.rP-2 (modp2).

Hence,using (S.t), we seethat

sP-r = I + (p-l)p.70-2: l - prp-z (modp2).

From this last congruence,we can concludethat sp-t# l (modp2).

To see this, : note that if 5P-l l^(mod p2), then prp-z = 0 (modp2). This last congruence implies that rp-2 = 0 (mod p), which is impossible, since 8.3 The Existence of Primitive Roots 245

: p (p -l) : p tr , (remember r is a primitive root of p). Hence, ordrus : p' ' a O $\. Consequently,s r*p is a primitive root of

Example. The prime p :7 has r : 3 as a primitive root. From the proof of :49' Theorem8.8, we seethat r : 3 is alsoa primitiveroot modulop2 since rP-t - 36 + I (mod 49)'

We note that it is extremelyrare for the congruence rP-t = I (modp2)

to hold when r is a primitive root modulo the prime p. Consequently,it is very seldomthat a primitive root r modulo the prime p is not also a primitive root modulo p'. The smallestprime p for which there is a primitive root that is not also a primitive root modulo p2 is p : 497. For the primitive root l0 modulo487, we have 10486: 1 (mod 4872).

Hence, l0 is not a primitive root modulo 4872,but by Theorem 8.8, we know that 497: 10 + 487 is a primitive root modulo 4872. We now turn our attention to arbitrary powersof primes.

Theorem 8.9. Let p be an odd prim e, then pk has a primitive root for all positive integers ft . Moreover, if r is a primitive root modulo p2, then r is a primitive root modulopo, for all positiveintegers k.

Proof. From Theorem 8.8, we know that p has a primitive root r that is also a primitive root moduloP2, so that (8.2) rp-t # 1 (modp2).

Using mathematicalinduction, we will provethat for this primitive root r, (8.3) yn'-'$-t) 1 I (modpft)

for all positiveintegers k. Once we have establishedthis congruence,we can show that r is also a primitive root modulo pk by the following reasoning. Let n : ord6r.

From Theorem 6.8, we know that n I OQ\: O*-r(p-l). On the other hand,since 246 PrimitiveRoots

7n - I (modpk),

we also know that

rn = I (modp).

From Theorem 8.1, we see : that p-l 6e) | n. Becausee-Dl r, and n I o*-rQ-I), we know that n:'p'(p-l), wh'erel is an integersuch that ( 0 r ( k-t. If n: p'(p-l) with / < k-2, then 7p'-2(p-t): (7p'@-t)1r'-rn: l (mod pk),

which would contradict (8.3). : Hence, ordotr pk-t b-D : oeo). Consequently,r is also a prirnitive root modulo pk.

All that remains is to prove (8.3) using mathematicalinduction. The case (8.2). of k:2 follows from Let us assumethe assertionis true for the positive integerk>2.Then

7nt-t(t_t)# l (modpk).

: since G,p) l, we know that (r,pk-t) : 1. consequently,from Euler's theorem,we know that

vPL-2(o-D : ,Q(Pk-tt

Therefore,there an integer d such that

yo'-'Q-t): I * dpk-t,

wherep trd, sinceby hypothesisyP'-'(P-t) * t (moApk). We take the pth powerof both sidesof the aboveequation, to obtain, via the binomial theorem, yP'-'(P-l) - 0 + dp*-t1o | + p@pt-r, * (|)o'Urk-t)2 + * (dpk-t1n | * dpk (modpo*').

Sincep I d, we can concludethat

,.P^-'(P-r)# I (mod po*t).

completesthe proof by induction. tr

Example. From a previousexample, we know that r : 3 is a primitive root 8.3 The Existenceof PrimitiveRoots 247

: modulo 7 and 72. Hence, Theorem 8.9 tells us that r 3 is also a primitive root modulo 7k for all positive integersk. It is now time to discusswhether there are primitive roots modulo powers of Z. We first note that both 2 and 22: 4 have primitive roots, narnely 1 and 3, respectively. For higher powersof 2, the situation is different, as the following theorem shows;there are no primitive roots modulo these powersof 2.

Theorem 8.10. If a is an odd integer, and if k is an integer, k ) 3, then aOQL)/2: e2'-': 1 (mod 2k). proof. We prove this result using mathematical induction. If a is an odd integer, then a : 2b t 1, where b is an integer. Hence, a2 : (2b+ 1)2: 4b2+ 4b * I : 4b$ + 1) + 1.

Since either b or b * 1 is even,we seethat 8 | 4b (b + l), so that a2 :- I (mod 8).

This is the congruenceof interestwhen k :3. Now to complete the induction argument, let us assumethat a2'-' = I (mod 2k) .

Then there is an integer d such that e2'-': l+d'zk.

Squaring both sides of the above equality, we obtain e2'-': | + d2k+r q 422zk.

This yields e2'-'= 1 (mod zk+r),

which completes the induction argument. n Theorem 8.10 tells us that no power of 2, other than 2 and 4, has a primitive root, since when a is an odd integer, ord2ta # OQk) , since a6Q')lz : 1 (mod 2k) .

Even though there are no primitive roots modulo 2k for k > 3, there always is an element of largest possible order, namely OQ\ I 2, as the following theorem shows. 248 PrimitiveRoots

Theorem 8.11. Let k 7 3be an integer. Then

ord2.5: O(Zk)D:2k-2.

Proof. Theorem 8.10 tells us that

52'-' = I (mod 2k). for k 2 3. From Theorem 8.1, we see that ordr.S I Z*-2. Therefore, if we show that ordr.5 | 2l"-t , we can concludethat ord2.5- 2k-2.

To show that ordr,S tr 2k-3, we will prove by mathematical induction that fork)3,

52,-'= | + 2k_t * I (mod 2k).

For k : 3. we have 5:l+4(mod8).

Now assumethat 52'-': l+zk-I (mod2ft).

This meansthat thereis a positiveinteger d suchthat S2'-'_(1+2k-r)+dZk.

Squaringboth sides,we find that 52'-': (l + 2k-t)2+ 20 + zk-t)dZk + (dzk)z so that

52,-,= 0 + 2k-r)2 : | + 2k + 22k-2 : I + 2t (mod Zk+\ .

This completesthe induction argument and showsthat

ordr'5 : O(2k)/2' tr

We have now demonstratedthat all powers of odd primes possessprimitive roots, while the only powersof 2 having primitive roots are 2 and 4. Next, we determine which integers not powers of primes, i.e. those integers divisible by two or more primes, have primitive roots. We will demonstratethat the only positive integers not powers of primes possessingprimitive roots are twice 8.3 The Existenceof PrimitiveRoots 249

powersof odd primes. We first narrow down the set of positive integers we need consider with the following result.

Theorem 8.12. If r is a positive integer that is not a prime power or twice a prime power, then n doesnot have a primitive root.

Proof. Let n be a positive integer with prime-power factorization ,-p\,p'i...p';.

Let us assumethat the integer n has a primitive root r. This means that : (r,n) : I and ordnr :6h). Since (r,n) : l, we know that (r,p') l, wheneverpt is one of the prime powersoccurring in the factorization of r. By Euler's theorem, we know that : ro@') I (mod P) .

Now let U be the leastcommon multiple of Q(p'r), OQ'il,..-,0(p';), i-e. u : [oQ\'),aQ'il,...,0b'il1.

SinceObh I U, we knowthat ru = t (modP,l')

for i : l, 2 ,...,m . From this last congruence,we seethat ordrr:6Q)

From Theorem6.4, since @ is multiplicative,we have Qh) : oi\'p?''' p';): 6(p't')o7'il ob';l'

This formulafor d(n) andthe inequality$fu) < U imply that oQ\')o,'il''' oa'il ( td(p'r'),oQ';)'...,ob'il\.

Since the product of a set of integers is less than or equal to their least common multiple only if the integers are pairwise relatively prime (and then the less than or equal to relation is really just an equality), the integers Q(p'r'),0$';),..., OQ';) must be pairwise relatively prime' 250 Primitive Roots

We notethat e(pt) : rt-r(p-l), so that ee,) is evenif p is odd,or if p : 2 and t > Z. Hence,the numberse(p'r'), Oe'il,..., Oe,;\ are not pairwise relativelyprime unlessm: I and n is a primspower o, *:2 and : the factorization of n is n 2p', where p is an odd prime and / is a positive integer. tr

We have now limited considerationto integers of the form n : 2p,, where p is an odd prime and r is a positive integer. We now show that all such integers have primitive roots.

Theorem 8.13. rf p is an odd prime and r is a positive integer, then 2pt possesses a primitive root. In fact, if r is a primitive root modulopt, then if r is odd it is also a primitive root modulo 2pt, while if r is even, r * pt is a primitive root modulo 2pt.

Proof. If r is a primitive root modulo pt , then rob') = I (modp,), and no positive exponentsmaller than 6(pt) has this property. From Theorem : -- 6.4, we note that O(zp') 0Q) 66t7 : e(p,), so that ,6(2n') 1 (mod p') .

If r is odd, then

,o(zp')= I (mod 2).

Thus, by corollary 3.2, we see that rQQp';: I (mod 2p,). since no smaller power of r is congruent to I modulo 2pt , we conclude that r is a primitive root modulo 2pt .

On the other hand, if r is even, then r *p' Hence,

(r + P'10{zP') I (mod 2)

Since r * p' = r (mod p'), we seethat

G * pt )QQP') I (modp')

(r Therefore, + ot1oQfl: I (mod 2p'), and as no smaller power of r *pr is congruent to 1 modulo 2pt , we concludethat r * p' is a primitive root modulo 2p'. rt

Example. Earlier this section we showed that 3 a primitive root modulo 8.3 The Existenceof PrimitiveRoots 251

7t for all positive integers /. Hence, since 3 is odd, Theorem 8.13 tells us that 3 is also a primitive root modulo 2'7t for all positive integers /. For instance, 3 is a primitive root modulo 14. positive Similarly, we know that 2 is a primitive root modulo 5' for all integers/. Hence, since 2 + 5t is odd, Theorem 8.13 tells us that 2 * 5t is a primitive root modulo 2.5t for all positive integers f. For instance,2T is a primitive root modulo 50.

Combining Corollary 8.3 and Theorems8.9, 8.12,8.13, we can now describe which positive integers have a primitive root.

Theorem 8.14. The positive integer n possessesa primitive root if and only if

fr :2,4, p', or 2pt,

where p is an odd prime and / is a positive integer.

8.3 Problems

l. Which of the integers4,10,16,22 and 28 have a primitive root?

2. Find a primitive root modulo

a) lf c) r72 b) B2 d) D2.

3. Find a primitive root, for all positive integers k, modulo

a) 3k c) l3k b) lle d) nk.

4. Find a primitive root modulo

a)6c)26 b) 18 e) 338.

5. Find all the primitive roots modulo 22.

6. Show that there are the same number of primitive roots modulo 2pt as there are of p' , where p is an odd prime and r is a positive integer. 7. Show that if rn has a primitive root, then the only solutions of the congruence x2 = I (mod m) are x E t I (mod z). 252 PrimitiveRoots

8. Let n be a positive integer possessinga primitive root. Using this primitive root, prove that the product of all positive integers less than n and relatively prime to n is congruent to -l modulo n. (When n is prime, this result is Wilson's Theorem.)

9. Show that although there are no primitive roots modulo 2& where k is an integer, k > 3, every odd integer is congruent to exactly one of the integers (-1)"50, where a:0 or I and B is an integer satisfying0 < B ( 2ft-2-1.

8.3 Computer Projects

Write computer programs to do the following:

l. Find primitive roots modulo powersof odd primes.

2. Find primitive roots modulo twice powers of odd primes.

8.4 Index Arithmetic

In this section we demonstrate how primitive roots may be used to do modular arithmetic. Let r be a primitive root modulo the positive integer m (so that m is of the form describedin Theorem 8.14). From Theorem 8.3, we know that the integers

r, 12, 13 form a reduced system of residuesmodulo nr. From this fact, we seethat if a is an integer relatively prime to m, then there is a unique integer x with 1(x46@)suchthat

r' a (mod m).

This leads to the following definition.

Definition. Let m be a positive integer with primitive root r. If a is a positive integer with (a,m): l, then the unique integer x with I (x(d(z) and r* = a (mod m) is called the index of a to the base r modulo m. With this definition, we havea - ,ind'a (mod m ). If x is' the index of a to the base r modulo m, rhen we write x : indra, where we do not indicate the modulus m in the notation, since it is assumed"to be fixed. From the definition, we know that if a and b are integers relatively prime lo m and a = b (mod m), then ind,a : indrb.

Example. Let m : 7. We have seen that 3 is a primitive root modulo 7 and 8.4 lndex Arithmetic 253

(mod (mod that 3r = 3 (mod 7),32 = 2 (mod7),33 = 6 7),34 =4 7), 35= 5 (mod 5). and 36 = I (mod 7).

Hence, modulo 7 we have ind3l : 6, indt2 : 2, indl3 : 1, ind34: 4, indr5 : 5, indr6 : 3.

With a different primitive root modulo 7, we obtain a different set of indices. For instance,calculations show that with respectto the primitive root 5, ind5l : 6, inds2: 4, inds3: 5, ind54: 2, ind.55: l, inds6 : 3.

We now develop some properties of indices. These properties are somewhat similar to those of logarithms, but instead of equalities, we have congruences modulo6@).

Theorem 8.15. Let m be a positive integer with primitive root r, and let a and b be integersrelatively prime to m. Then

(i) ind,l =0 (mod Qfu)). (ii) ind,Gb) = ind,a * ind,b (mod O@)) -- (iii) ind,ak la. ind,a (mod 6h)) if k is a positiveinteger.

Proof of G). From Euler's theorem, we know that ,6(m): I (mod z). Since r is a primitive root modulo m, no smaller positive power of r is congruentto 1 modulo rn. Hence,ind,l : 6(m) = O (mod Qfu)) .

Proof of (ii). To prove this congruence, note that from the definition of indices,

,ind'Qil : ab (mod ,,, )

and

,ind,a*ind,b- ,ind,o ,ind,b = Ab (mOd ,, ).

Hence, * ind,D ,ind,Gb) = 7ind,a (mod rn ).

Using Theorem 8.2, we concludethat ind,(ab) : ind,a * ind,b (mod 6@)). 254 PrimitiveRoots

Proof of Gii). To prove the congruence of interest, first note that, by definition, we have -: ,ind',ar ak (mod m ) and

,k'ind'a = (rind'o)P : ak (mod rn).

Hence,

ind'o ,ind,aL = rk' (mod rn ).

Using Theorem 8.2, this leads us immediately to the congruence we want, namely - ind,ak ft. ind,a (mod 6fuD, a

Example. From the previous examples,we see that modulo 7, ind52: 4 and ind53:5. SinceAQ) :6, part (ii) of Theorem8.15 tells us that ind56- inds2.3: inds2t ind53:4 t 5:9 = 3 (mod6).

Note that this agreeswith the value previouslyfound for ind56. From part (iii) of Theorem 8.15, we seethat

ind53a= 4'inds3 = 4.5 : 20 = 2 (mod 6).

Note that direct computation gives the same result, since ind53a- indsSl - inds4: 2.

Indices are helpful in the solution of certain types of congruences. Consider the following examples.

Example. We will use indices to solve the congruence6xr2 : I 1 (mod 17). We find that 3 is a primitive root of 17 (since 38 = -l (mod l7)). The indicesof integersto the base3 modulo l7 are given in Table 8.1.

a I 2 3 4 5 6 7 8 9 10 1l t2 13 l4 t5 16 ind3a 16 14 I r2 5 l5 ll l0 2 3 7 l3 4 9 6 8

Table8.1. Indicesto the Base3 Modulo 17. Taking the index of each side of the congruenceto the base 3 modulo 17, we obtain a congruencemodulo d(t7) : 16, namely 255 8.4 Index Arithmetic

ind3(6xr2)= ind3l| :'l (mod 16).

Using (ii) and (iii) of Theorem 8.15, we obtain :, (mod ind3(6xr2)- ind36* ind3(x12) 15 + 12'ind3x 16).

Hence, 15+12'ind3x=7(mod16)

or 12'ind3x=8(mod16).

Using Corollary 3.1, upon divisionby 4 we find that ind3x : 2 (mod 4).

Hence,

ind3x : 2,6, 10,or 14 (mod 16).

consequently, from the definition of indices,we find that x 2 32,36,3to or 3la (mod 17),

(note that this congruence holds modulo 17)' Since - 32:- 9,36 : 15,310 8, and 314: 2 (mod l7), we concludethat x 3 9,15, 8, or 2 (mod17).

Since each step in the computations is reversible,there are four incongruent solutionsof the original congruencemodulo l7'

(mod Example. We wish to find all solutionsof the congruence7'= 6 17). When we take indices to the base 3 modulo 17 of both sides of this congruence,we find that ind3(7') : ind36: 15 (mod 16).

From part (iii) of Theorem 8.15, we obtain ind3(7') : x'ind37: llx (mod 16).

Hence. 256 PrimitiveRoots

llx : 15 (mod 16).

Since 3 is an inverse of I I modulo 16, we multiply both sides of the linear congruenceabove by 3, to find that

x = 3.15:45 : 13(mod 16).

All stepsin this computationare reversible.Therefore, the solutionsof 7* = 6 (mod 17)

are given by

x = t3 (mod 16).

Next, we discuss congruencesof the form xk = a (mod m), where m is a positive integer with a primitive root and (a,m) : l. First, we present a definition.

Definition ' lf m and k are positive integers and a is an integer relatively prime to ffi, then .we say that a is a kth power residue if * if the congruencexk = a (mod,m) has a solution. When z is an integer possessinga primitive root, the following theorem gives a useful criterion for an integer a relatively prime to m to be a kth power residueof m.

Theorem 8.16. Let m be a positive integer with a primitive root. If k is a positive integer a1d o is an integer relatively prime to m, then the congruence xk = a (mod m) has a solutioriif and only-ii oQh)ld=l(modln) where d : (k,6(m)). Furthermore, if there are solutions of xk : a (mod m)' then there are exactly d incongruentsolutions modulo rn.

Proof. Let r be a primitive root modulo the positive integer 17. We note that the congruence

xk (mod z) holds if and only (8. 1) k' ind,x ind,a (mod 6@)).

Now (k,e(m)) let d: and y : ind,x, so that x (mod z ). From 257 8.4 Index Arithmetic

Theorem 3.?, we note that it d tr indra, then the linear congruence (8.2) ky : ind"o (mod Qfu))

(8 has no solutions,and hence, there are no integers x satisfying l). If modulo such d lind'a, then there are exactly d integersy incongruent d(z) that (8.2) holds,and hence,exactly d integersx incongruentmodulo z such rhat (8.1) holds. Since d I ind,a if and only if @@)/ilind,a = o (mod Q(m)), and this congruenceholds if and only if ooh)/d:1(modrz). the theorem is true. tr We note that Theorem 8.16 tells us that if p is a prime, k is a positive integer, and a is an integer relatively prime to p, then a is a kth power residueof p if and only if oQ-D/d: 1 (modp),

where d : (k,p-l). We illustratethis observationwith an example.

Example. To determine whether 5 is a sixth power residue of 17, i.e. whether the congruence x6 = 5 (mod 17)

has a solution, we determine that 5t6/(6,16): 58 = -l (mod l7).

Hence,5 is not a sixth power residueof 17. A table of indices with respectto the least primitive root modulo each prime lessthan 100 is given in Table 4 of the Appendix. We now present the proof of Theorem 5.8. We state this theorem again for convenience.

Theorem 5.8. If n is an odd compositepositive integer, then r passesMiller's test for at most fu-l)/4 basesb with I < , 1n-1.

We need the following lemma in the proof of Theorem 5.8. 258 PrimitiveRoots

Lemma 8.1. Let p be an odd prime and let e and q be positive integers. Then the number of incongruent solutions of the congruence xe-t = I (modpr) is (q,pr-re-D.

Proof' Let r be a primitive root of p' . By taking indiceswith respect to r, we see that x4: (modp,) I if and only if qy = 0 (mod6e,D where y : ind'x . using Theorem 3.j, we see that there are exactli e,6er)) incongruent :0 solutionsof gy (mod|e"D. consequently,there are : (q,p'-tb-l)) Q,6Q")) incongruentsolutions of xe = 1 {-oAp'). tr We now proceedwith a proofof Theorem5.g. : Proof. Let n-l 2't, wheres is a positiveinteger and,t is an odd positive integer. For n to be a strongpseudoprime to the baseD, either bt : I (mod n )

b2tt : -1 (mod n) forsomeintegerTwith0(7 ( s - l. Ineithercase,wehave bn-t= I (modn).

Let the prime-powerfactori zation of n be n : pi,pi, . . . p',,. From Lemma 8.1, we know that there are (n-r, p'/Qi-l)) : h-l,pi-l) incongruent solutionsof xn-r: I (modp7) , j :1,2,...,r. Consequently,the Chinese remainder theoremtells us that thereare exactlvfI h-\,p1-l) incongruent j-r solutionsof x'-l = I (mod n ).

To prove the theorem, we first consider the case where the prime-power flactorizationof n contains a prime power p[. with exponente* 2 2. Since bo-D /pt : t/p't-t - t/p't < z/g

(the largestpossible value occurswhen pj :3 and ei :2), we seethat 259 8.4 Index Arithmetic

r fI tu-r,pj-r)< fI Q;t) ;:l j-r

li-l l+,r) ll** "+" Since ?"*f0n-l) for n > 9 , we seethat r (n-l ,p,-l) ( (r -r)14. j:ru

Consequently,there are at most Q-Dla integersb, I < 6 ( n , for which n is a strong pseudoprimeto the base b. The other caseto consideris when n: PPz"'P. wherePt,Pz,.-.,Pr are distinct odd primes. Let pt - | : 2t'tr, i : 1,2,...,r,

where s; is a positive integer and /; is an odd positive integer. We reorder the primespr,p2,...,p,, (if necessary)so thatsr ( sz ( ( s, ' We note that h-l,pi-l) : 2*ink') (t,t,).

: The number of incongruentsolutions of x' = I (mod pi) is T (t,t;). From problem 15 at the end of this section, there are 2il; incongruent solutions of *y''= -l (modp;) when O ( f ( si-I, and no solutionsotherwise. Hence, using the Chinese remainder theorem, there are TrTz"'7, incongruent solutions of xt : I (mod n), and 2i' TrTz"'7, incongruent solutions of x/, = -1 (mod n) when 0 ( 7 ( s1-1. Therefore,there area total of ,,-' [ I - I Z"'-tI TrTz"' T, lt* > 2t'l TrTz"' T,lt + .;; I l,r-oJtL)

integers b with 1< D ( n-1, for which n is a strong pseudoprimeto the Uasetr. (We have usedTheorem l.l to evaluatethe sum in the last formula.) Now note that 260 PrimitiveRoots

: (pr-l) "' *s, 6h) (pz-l) (pr-l) : tiz tr1t'*s'*

We will showthat

rrrz'" r,[,*ro] *,,r,ro, | 2',-t )

which proves . . the desiredresult. BecauseTrTz. 7, ( r1r, tr, we can achieveour goal by showing that

(8.3) *r,< r/4. |[,*l'-t z',-t )lrr',*',*''

Sincesr ( sz ( ( s, , we seethat ' f, * Uf ,r',*',*as, ( f,*^ ''.'-t f ,r,,, | 2'-t )' l. 2,-l J'' -- I 2"r-l 2", 2"r(2, -l) :l++-l 2"t 2,-l 2rtr(2, -l) | I- 2',-2 2'-l 2"'(2'-l) -

From this inequality,we concludethat (s.r) is valid when r ( 3.

When r:2, we haven: pp2 with pr|:2trt1 and pz-l:2trtz, with rr ( sz. If s1 ( s2, then (S.f) is againvalid, since ( ''" I . rt',-, I -L. I r ^ ) [t ?)/2',*',:[' . +]/lz",z',-',) :[+.#),,"-" *+

When sr:J2, we have(n-l,prl):2'Tr and (n-l,pz-l):2tTz. Let us assume that pr ) pz. Note that T1 * t1, for if Tr: tr, then 261 8.4 Index Arithmetic

(pt-l) I (n-l), sothat n : prpzZ pz= 1 (modpr-l),

which impliesthat P2 ) Pr, a contradiction.Since T1# t'1, we know that ( Tr ( tr / 3. Similarlv,lf t 1 pz then T2 # tr, so that 7"2 t2l3 . Hence, 7 2'":t^2s, , I TrTz4 t12/3,andsince lr * l/r"'* , wehave t 3) ; | -,2r, , l TtTzlr+ f | < r t222"16: 6h)16, lr)

which proves the theorem for this final case' since oh) /6 ( (n -r) /6 < (/,-r) /4. tr By analyzing the inequalities in the proof of Theorem 5.8, we can see that the probability that n is a strong pseudoprimeto the randomly chosenbase D, 1 < b ( n-1, is close to ll4 only for integers n with prime factorizations of the form n : prp2withPr: | + 2q1and Pz: I t 4q2, where{1 and Q2are odd primes, or n : qflzQt with Pr: | + 2qr,P2: | * 2q2, and (see pz: I t 2q3,where Qr,ez,andq3are distinct odd primes problem16).

8.4 Problems

l. Write out a table of indices modulo 23 with respectto the primitive root 5.

2. Find all the solutions of the congruences

a) 3xs = I (mod 23) b) 3xta = 2 (mod 23).

3. Find all the solutionsof the congruences

il 3' :- 2 (mod 23) b) 13" = 5 (mod 23)'

4. For which positive integers a is the congruence axa = 2 (mod 13) solvable? : 5. For which positive integers 6 is the congruence 8x7 b (mod 29) solvable?

6. Find the solutionsof 2x = x (mod 13), using indices to the base 2 modulo 13.

7 . Find all the solutionsof x' : x (mod 23).

8. Show that if p is an odd prime and r is a primitive root of p, then ind,(p-|) : (p-r) /2. 262 Primitive Roots

9. Let p be an prime. odd Show that the congruence x4 = _l(modp) has a solution if and only if p is of the form gfr + l. 10. Prove that there are infinitely many primes of the form 8ft*1. (Hint: Assume that p6p2,...,pn are the only primes of this form. Let e - (ppz. . . p)a+l . Show that Q must lave an odd prime factor different than j1p2,...,pn, and by problem 9, necessarilyof the form 8k+l .) ll. From problem 9 of Section 8.3, we know that if a is a positive integer, then there are unique : integers a and B with a 0 or I and 0 < B ( Z*-i-t such that = (-l)" (mod a 5p 2ft). Define the index system of a modulo 2k to be equal to the pair (a,B).

a) Find the index systemsof 7 and 9 modulo 16.

b) Develop rules for the index systems modulo 2& of products and powers analogousto the rules for indices.

c) Use the index system modulo 32 to find all solutionsof j xs = I I (mod 32) and 3' = 17 (mod 32). : ' ' ' 12. Let n 2"p\'pj ph be the prime-power factorization of n. Let a be an integer relatively prime to n. Let r1,r2,...,r^ be primitive roots of pti,p'i,..., p';, : respectively, and let 71 ind", a (mod p'1), 72 : ind", a (mod ptl), ...,1m:ind,.a (mod p'il. rc /o ( 2, let rs be a primitive root of 2t,,and let : (mod 7e ind,. a 2t). If ls 2 3,let (a,p) be the index systemof c modulo 2k, (-l)'5P so that a = (mod 2t). Define the index system of a modulo n to be (1o,1r,72, ...,y) if to ( 2 and (a,8,7t,^12,...,1^)if to Z 3.

a) Show that if n is a positive integer, then every integer has a unique index system modulo n.

b) Find the index systemsof 17 and 4l (mod lZ0) (in your computations, use 2 as a primitive root of the prime factor 5 of 120).

c) Develop rules for the index systems modulo n of products and powers analogousto those for indices.

d) Use an index system modulo 60 to find the solutions of I lx7 : 43 (mod 60).

Let p be a prime, p ) 3. Show that if p =2 (mod 3) then every integer not divisible by 3 is a third-power, or cubic , residueof p, while if p : I (mod 3), an integer a isa cubic residueof p if and only i1 o@-t)/3: I (modp).

Let e be a positive integer with e 7 2.

il Show that if ft is a positive integer, then every odd integer a is a kth power residue of 2" .

b) Show that if /c is even, then an integer a isa /

kth c) Show that if /< is a positive integer, then the number of incongruent power residues of 2" is 2"-r ' b.2) h,2"-2)

(Hint: Use problem I 1.) an odd 15. Let N - 2ju be a positive integer with 7 a nonnegative integer and a positive integer and let p-l:2"/, where s and t are positiveintegers with I - -l (modp) if odd. Show that there aie 2j (t,u) incongruent solutions of xN 0 ( ,l ( s-1, and no solutionsotherwise' base b 16. a) Show that the probability that n is a strong pseudoprime for a randomly chosen with I < 6 < n-l is near (n-l)/4 only when n has a prime factorization of the form n : ptPz where Pr: | * Zqr and pz: | * 4qz with q1 and q, prime or n: PPtPt where Pt: | * Zqr, pz: | * 2qz,pt : | * 2q3with q r,Tz,Qtdistinct odd primes.

b) Find the probability that n : 49939'99877is a strong pseudoprime to the - base b randomly chosenwith 1 < b < n l'

8.4 Computer Projects Write programs to do the following:

l. Construct a table of indices modulo a particular primitive root of an integer. (mod Z. Using indices, solve congruences of the form axb = c nr) where a,b,c,andm are integers with c ) 0, m ) 0, and where z has a primitive root.

3. Find kth power residues of a positive integer m having a primitive root, where k is a positive integer.

4. Find index systemsmodulo powersof 2 (see problem l1)'

5. Find index systemsmodulo arbitrary positive integers (seeproblem l2).

8.5 Primality TestsUsing PrimitiveRoots From the conceptsof orders of integers and primitive roots, we can produce useful primality tests. The following theorem presentssuch a test.

Theorem 8.f 7. If n is a positive integer and if an integer x exists such that xn-t = I (mod n)

and 264 PrimitiveRoots

*G-t)/a#l(modn)

for all prime divisors q of n - 1, then n is prime.

Proof. Since xn-r: I (mod g.l n), Theorem tells us that ord,x | (n -l). we : - will show that ordrx n r. Suppose that ord,,x # n - l. Since ordrx (n -t), | there is an integer k with n - | : k.ordrx and since ordrx ln- l,weknowthatk > l. Letq beaprimedivisorofk. Then *h-r)h : *klqord,r: (xord.xS&/d= I (mod n).

However, this contradicts the hypothesesof the theorem, so we must have : - ordnx n l. Now, sinceordnx ( O(n) and 6h) ( n _ l, it follows that : - Qh) n l. RecallingTheorem 6.2,we know that n must be prime. tr Note that Theorem 8.17 is equivalent to the fact that if there is an integer with order modulo n equal to n-\ , then n must be prime. We illustrate the useof Theorem 8.17 with an example.

Example. Let n:1009. Then llr008: I (mod 1009). The prime divisors of 1008 are 2,3, and 7 . we see that rlt008/2:11504- -i (mod 1009), : 111008/3 11336= 3:4 (mod 1009), and 11l00tf: 11144_ 934 (mod l00g). Hence, by Theorem 8.17 we know that 1009is prime.

The following corollary of Theorem 8.17 gives a slightly more efficient primality test.

Corollary 8.4. If n is an odd positive integer and if x is a positive integer such that --l *h-D/2 (modru) and

,h_r)/c*l(modn) for all odd prime divisors q of n - l, then n is prime.

Proof. Since *b-r)/2: - I (mod n), we see that

xr-r : 1*b-D/212= (-l)2 = | (mod n).

Since the hypothesesof Theorem 8.17 are met, we know that n is prime. D

Example. Let n :2003. The odd prime divisorsof n-l :2002 are 7,ll, 265 8.5 Primality Tests Using Primitive Roots

-1 u:874 and 13. Since 52002/2:51001 = (mod 2003), 52002/t=.5T - : (mod 2003), lzooz,tr- 5183 886 (mod 2003), and 52oo2/135154 : 633 (mod 2003), we seefrom Corollary 8.4 that 2003 is prime. To determine whether an integer n is prime using either Theorem 8.17 or - Corollary 8.4, it is necessaryto know the prime factorizationof n l' As we have remarked before, finding the prime factorization of an integer is a time- consuming process. Only when we have some a priori information about the factorization of n - | are the primality tests given by these results practical. Indeed, with such information these tests can be useful. Such a situation occurs with the Fermat numbers; in Chapter 9 we give a primality test for these numbers basedon the ideas of this section. It is of interest to ask how quickly a computer can verify primality or compositeness.We answer thesequestions as follows.

Theorem 8.18. If n is composite, this can be proved with O(logzilz) bit operations.

Proof. If n is composite, there are integers a and b with | 1 a 1 fi, | < b 1 n, and n - ab. Hence, given the two integers a and b, we multiply a and,b and verify that n : ab. This takes O (logzn)2) bit operations and proves that n is comPosite. tr We can use Theorem 8.17 to estimatethe number of bit operationsneeded to prove primality when the appropriate information is known.

Theorem 8.19. If n is prime, this can be proven using O((logzn)a) bit operations.

Proof. We use the secondprinciple of mathematical induction. The induction hypothesis is an estimate for f h), where f h) is the total number of multiplications and modular exponentiationsneeded to verify that the integer n is prime. We demonstratethat - f b) ( 3 (lognltosD 2.

First, we note that / (2) : l. We assume that for all primes Q, with q < n, the inequality f (q) ( 3 (loeqltosD -2

holds. 266 PrimitiveRoots

To prove that n is prime, we use Corollary 8.4. Once we have the numbers 2o, qr,..., Qt, and x that supposedlysatisfy (i) n-l:2oqfl2.. Qt, (ii) q; is prime for i : L, 2,...,t, (iii) *G-t)/2 --l (modn),

and

(iv) r(/.-t)/L = I (mod n), for i : l, 2,... t, we need to do I multiplications to check (i), t * 1 modular exponentlatronsto (iii) (iv), check and and -f (q) multiplications and modular exponentiationsto (ii), check that q; is prime for i : I ,2,..., t. Hence. fh):t*(r+t)+ifQ,) t-' , ( 2l + I + ) ((l togq;fiogD - 2) :t*(fnogDtoeQflz...Q)

: Gflog2)log2qflz...q) - 2

( (3/og z)log(Z'qfl2. . . q) - 2

: 3(log ntog D - 2 .

Now each multiplication requires O ((logzil2) bit operationsand each modular exponentiationrequires O(logzd3) bit operations.Since the total number of multiplications and modular exponentiationsneeded is f h) : o (log2n), the total number of bit operations needed is oKlogzn)(log2n)3): o((logzn)a). n Theorem8.19 was discoveredby Pratt. He interpretedthe result as showingthat everyprime has a "succinctcertification of primality." It should be noted that Theorem8.19 cannot be used to find this short proof of primality, for the factorizationof n - | and the primitive root x of n are required. More informationon this subjectmay be foundin Lenstra[Zt]. Recently, an extremely efficient primality test has been developedby Adleman, Pomerance,and Rumely. We will not describethe test here becauseit relies on conceptsnot developedin this book. We note, that to 267 8.5 Primality Tests Using Primitive Roots

less than determine whether an integer is prime using this test requires (log2n;clog,logrlog,n bit operations, where c is a constant. For instance, to just 40 secondsand to determine whether a too-digit integer is prime requires just minutes' Even determinewhether a 200-digit integer is prime requires l0 amount of a 1000-digit integer may be checked for primality in a reasonable time, one week. Fo, more information about this test see[63] and [74].

8.5 Problems :2' l. Show that l0l is prime usingTheorem 8.17 with x : 2. Show that 257 rs prime using Corollary 8.4 with x 3'

a J. Show that if an integer x exists such that

x2r :1 (mod F")

and

*'r-l* I (mod F,),

then the Fermat number Fn :2Y * I is prime. - | 4. Let n be a positive integer. Show that if the prime-power factorization of n is n - l: pi'pi'..' pi' andfor 7: 1,2,...,/,there exists an integerxy such that

*|n-'t', * 1(modn)

and

xi-t= I (modn),

then n is prime.

5. Let n be a positive integer such that n-l:mirni' j-r

where m is a positive integer, ot, a2,..., ar Are poSitive integerS, and qt, Q2,...,Qr are relatively prime integers greater than one. Furthermore, let br, b2,"', b, be positive integers such that there exist integers xt, xz,"', x, with -- x,!-r I (mod n )

and 268 Primitive Roots

6'!'-t)/e'-l,n) : I

for;: 1,2,...,r, where every prime factor of q; is greaterthan or equal to b; for ; : 1,2,...,r, and <(r+fiu?1,. j-1

Show that n is prime.

8.5 ComputerProjects

write programsto showthat a positiveinteger n is primeusing l. Theorem8.17. 2. Corollary8.4. 3. Problem4. 4. Problem5.

8.6 Universal Exponents

Let n be a positive integer with prime-power factori zation , : p\,p,i p,; .

If a is an integerrelatively prime to n, thenEuler's theorem tells us that aAQ')= I (modpt)

whenever pt is one of the prime powers occurring in the factorizatron of n As in the proof of Theorem 8.12, let u : l6Qi'),07,il, ..., ob,;)l , theleast common multiple of theintegers OQ! ), i : 1,2,...,m. Since ohhlu for i : 1,2,...,n, usingTheorem 8.1 we seethat

au = t(modp,1') for i : 1,2,..., m. Hence,from Corollary 3.2, it followsthat 269 8.6 UniversalExPonents

aU = I (mod n).

This leads to the following definition.

Definition. A universal exponent of the positive integern is a Positiveinteger U such that au = I (mod n ),

for all integers a relatively prime to n.

Example. Since the Prime Powerfactorization of 600 is 23'3'52, it follows that u : lOQ3),O(:), d(52)l : 12,2,201 : 20 is a universal exponent of 600. From Euler's theorem, we know that d(n) is a universal exponent. As we have already demonstrated,the integer (J - IAQ\),,0|'il,...,ybh)l is also a universal exponent of n: p'ip'; p';. We are interested in finding the smallest positive universal exponentof n.

Definition. The least universal exponent of the positive integer n is called the minimal universal exponent of n, and is denotedby I(n)' We now find a formula for the minimal universal exponent l,(n), based on the prime-power factorization of n. First, note that if n has a primitive root, then tr(n) - 6fu). Since powers of odd primes possessprimitive roots, we know that I(p') : 6(p'),

whenever p is an odd prime and / is a positive integer. Similarly, we have tr(2): b(2): I and tr(4): O(4):2, since both 2 and 4 have primitive roots. On the other hand, if t 2 3, then we know from Theorem 8.10 that a2'-': 1(mod 2t)

and ord, a : 2'-2, so that we can concludethat X(2t) : zt-z 1f t > 3. We have found tr(r) when n is a power of a prime. Next, we turn our attention to arbitrary positive integers n '

Theorem 8.20. Let n be a positive integer with prime-power factorization 270 Primitive Roots

: I , 2'"p\'p'i rm.

Then \(n ), the minimal universarexponent of n, is given by tr(n) : h(2'.), eb'r,),..., Oe';)l ,

Moreover, there exists an integer a such that ord,na: ), (r), the largest possibleorder of an integer modulo n.

Proof. Let a be an integer with (a , n) : l. For convenience,let M - tr(zt), o(p'i), o7'il,..., Qbill .

Since M is divisible by all of the integers X(2/g, e(p'r,) : x(pl,), : : 6Q';l ^(p';),..., QQil xb'il, and since oxb') : t (moo p,) for all prime-powersin the factorization of n, we seethat aM = l (modp,),

wheneverp' is a prime-power occurring in the factorizationof n. Consequently,from Corollary 3.2, we can concludethat aM = I (modn).

The last congruenceestablishes the fact that M is a universal exponent. We must now show that M is the least universal exponent. To do this, we find an integer a such that no positivepower smaller than the Mth powerof a is congruentto I modulo n. With this in mind, let r; be a primitive root of Pi

We considerthe systemof simultaneouscongruences x=3(mod2") x j11 (modpl') x : 12 (moap';)

r- (mod p';).

By the Chineseremainder theorem,there is a simultaneoussolution a of this system which is unique modulo n : 2'"p'ip'i p';: we will show that 271 8.6 UniversalExPonents

positive integer such ordn a - M. To prove this claim, assume that .l{ is a that aN = I (modn).

Then, if pt is a prime-powerdivisor of n, we have aN = 1(modp'),

so that ordo,c | .lf.

we have But, since a satisfieseach of lhe m * I congruencesof the system, ordo,a: X(pt),

we have for each prime power in the factorization. Hence, from Theorem 8'1, \b,) | r{

for all prime powers p' in the factorization of n. Therefore, from Corollary 3.2.we know that M: [tr(2"),\(p1'),x(pti) ,...,xb';)l | /{' Since aM = I (modn) and MIN wheneveraN = 1(modn), we can concludethat ordna : M.

a This shows that M - \(n) and simultaneously produces a positive integer with ord, a : )r(n). tr

Example. Since the prime-power factorization of 180 is 2232'5,from Theorem 8.20 it follows that : x (180) : Io(22), o(32),d(5) | : 1.2,6, 4l 12.

To find an integer a with ordlsga : 12, first we find primitive roots modulo 32 5, and 5. For instance, we take 2 and 3 as primitive roots modulo 32 and respectively. Then, using the Chinese remainder theorem, we find a solution of the systemof congruences 1=iiililil 272 Primitive Roots

obtaining a = 83 (mod 180). From the proof of Theorem g.20, we see that ord1ss83- 12.

:26325.7.13.17.19-37.73. Example. Let n Then.we have \(n : ) [x(26),a(32),.d(5), oOD, d(I9), o(37),o(7rl : [,24,2.3, 22,24, 2.32, 2232,23321 :24.32 : 144.

Hence, whenever a is a positive integer relatively prime to 26'32'5'17'17'rg'37.73we know that at44: r (moo 26.32.5.17.rg.37.37.7r. We now return to the Carmichael numbers that we discussedin Section 5.2. Recall that a Carmichael number is a composite integer that satisfies bn-r : I (mod n) for all positive integers D with (b, n) : r-. we proved that if rt : Q.r4z 4k, where Qv Q2,...,e* are distinct primes satisfying - : @i 1) | tn-l) for i r,2,...,,k,ih.n i it u carmichaer number. Here, we prove the converseof this result.

Theorem 8.21. rf n ) 2 is a carmichael : number, then n Qtez Qk, q;'s are distinct - yh.r-. ^the - primes such that (qi r)'l'(n-rl i;; j : 1,2,...,k.

Proof. If n is a Carmichael number, then

br-t : I (mod n )

for all positive (b,n): integers6 with l. Theorem 8.20 tells us that there is : an integer a with ordna X(n), where I(n) is the minimal universal exponent,and sincean-r = I (mod re),Theorem g.l tells us that r(n)l(n_l).

Now n must be odd, for if n was even, then n-l would be odd, but tr(n) is even (since n ) 2), contradictingthe fact that ),(n) | (r-l). We now show that n must be the product of distinct primes. Suppose r has a prime-powerfactor pt with t>2. Then :0(p') rQ') : pt-t (p-l) | x(n) : n-t.

This implies (n-l), that p | which is impossiblesince p I n.Consequently, n must be the product of distinct odd primes, say 273 8.6 UniversalExPonents

: tt QtQz Qtc'

We conclude the proof by noting that : \(qi) : O(q) : (qi-D I r(n) n-l' E

Carmichael We can easily prove more about the prime factorizations of numbers.

different odd Theorem 8.22. A Carmichael number must have at least three prime factors.

just prime proof. Let n be a carmichael number. Then n cannot have one So assume factor, since it is composite, and is the product of distinct primes. that n : pq, where p and q are odd primes with p>q' Then (mod n-l: pq-l: (p-Dq + Q-1) = q-l + 0 p-l)'

number which shows that (p-l) I (n -l) Hence, n cannot be a Carmichael if it has just two different prime factors. E

8.6 Problems of n l. Find tr(n). the minimal universal exponent of n, for the following values

il 100 e) 2n3t'52'7 b) r44 f) 2s32'52'73'll2'13' 17'19 c) 222 e) 1o! d) 884 h) 20!.

2. Find all positiveintegers n suchthat tr(n) is equalto

a)l d)4 02 e)5 c)3 CI6.

3. Find the largestintegern with tr(z) : 12. 4. Find an integerwith the largestpossible order modulo

a) 12 d) 36 b) ls e) 40 c) 20 f) 63. 274 Primitive Roots

5. Show that if m is a positive integer, then tr(rr) divides 6fu) . 6. show that if m and n are rerativery prime positive integers, then |r(mn) : [tr(re), tr(n)]. 7. Let n be the largest positive integer satisfying the equation ),(n ) : a, where c is a fixed positive integer. Show that if la is another solution of tr(z) : a,then m dividesn.

8. Show that if n is a positive integer, then there are exactly d(I(n)) incongruent integers with maximal order modulo z. 9. Show that if a and m are relatively prime positive integers, then the solutions of the congruence ax = b(mod m) are the integers x such that x = at'(m)-tb (mod m ). 10. show that if c is a positive integer greater than one, then the integers l' ,2' (m-l)' form_a ,-.-, complete system of residuesmodulo m if and,only if z is square-freeand (c,tr(m)) : l. ll. a) Show that if c and m are positive integers then the congruence x" = r (mod m) has exactly

fI (l + (c-t , Obi)) j-l

incongruent solutions, where m has prime-power factorization m : pi'pi, . .. p:.. b) Show = that x' x(mod z) has exactly 3, solutions if and only if (c-1, 6(m)) :2. 12. Use problem l1 to show that there are always at least 9 plaintext messagesthat are not changed when encipheredusing an RSA cipher. 13. Show that there are no carmichael numbers of the form 3pq where p and q are primes.

t4. Find all carmichael numbers of the form 5pq where p and q are primes. 15. Show that there are only a finite number of carmichael numbers of the form : fl pqr, where p is a fixed prime, and q and r are also primes. 16. Show that the deciphering exponent d for an RSA cipher with encipheringkey (e,n) can be taken to be an inverseof e modulo ),(n) .

8.6 Computer Projects

Write programs to do the following:

l. Find the minimal universal exponent of a positiveinteger. 275 8.7 Pseudo'RandomNumbers

universal exponent of 2. integer with order modulo n equal to the minimal "" ;j"O n with minimal universal 3. Given a positive integer M, find all positive integers exponentequal to M.

4. Solve linear congruencesusing the method of problem 9'

8.7 Pseudo-RandomNumbers of Numbers chosen randomly are often useful in computer simulation for generating complicated phenomena. To perform simulations, some method means for random numbers is needed. There are various mechanical use' generating random numbers, but these are ineffficient for computer preferable' One Instead, a systematic method using computer arithmetic is by Von such method, called the middte ' square method, introduced we start Neumann, works as follows. To generatefour-digit random numbers, number to with an arbitrary four-digit number, say 6139. We square this the second obtain 37687321',and *. tuk. the middle four digits 6873 as of random random number. We iterate this procedure to obtain a sequence a new numbers, always squaring and removing the middle four-digits to obtain (ttre number random number from the preceding one. square of a four-digit considered has eight or fewer digits. Those with fewer than eight digits are eigtrt-digit numbers by adding initial digits of 0') not Sequences produced by the middle-square method are' in reality, randomly chosen. When the initial four-digit number is known, the entire appears ,"qu.n.. is determined. However, the sequenceof numbers produced to be random, and the numbers produced are useful for computer simulations. The integers in sequencesthat have been chosenin some methodical manner, but appear to be random, are called pseudo-random numbers. It turns out that the nriddle-square method has some unfortunate weaknesses.The most undesirable feature of this method is that, for many choices of the initial integer, the method produces the same small set of numbers over and over. For instance,starting with the four-digit integer 4100 and using the middle-square method, we obtain the sequence 8100,6100, 2100, 4100, 8100, 6100, 2100,... which only gives four different numbers before rePeating. The most commonly used method for generating pseudo-randomnumbers is called the linear congruential method which works as follows. A set of integerst/t, e, c, and xs is chosenso that m ) 0, 2 < a 4' m, 0 < c 4 m' and 0 ( xo ( z. The sequence of pseudo-random numbers is defined 276 Primitive Roots

recursivelyby

xn+r 3 axn * c (mod m), 0 ( xr+r 1 r/t,

for ft :0, 1,2,3 . ,... We call m the modulus, a the multiplier, c the increment, and xs the seed of the pseudo-randomnumber generator. The following examplesillustrate the lineai congruential method.

Example. With m:12, a-3, c:4, and r0:5, we obtain xt E 3'5 + 4=7 (mod j. 12),so that xr: Similarly,we find that x2: 1, sincexz=3.7 + 4: I (mod I2),x3:7, sincex: E 3.1+ 4=7 (modl2), and so on' Hence, the generator producesjust three different integers before repeating. The sequence of pseudo-iandom numbers obtained is 5,7,I,7,1,7,1,.... '1, With frt : 9, : : e c 4, and x0 : 3, we obtain the sequence 3, 7, 8, 6, l, 2, 0, 4, 5,3,... . This sequence contains g different numbers before repeating.

The following theorem tells us how to find the terms of a sequenceof pseudo-random numbers generated by the linear congruential method directly from the multiplier, the increment, and the seed.

Theorem 8.24. The terms of the sequence generated by the linear congruential method previouslydescribed are given by

X1, akxo+ c(ak-l) /(a-l) (modla), 0 ( xr 1 m.

Proof. We prove this result using mathematical induction. For k : l, the formula is obviously true, since rr E axs* c (mod m),0 ( xr 1m. Assume that the formula is valid for the ftth term. so that z x* akxo + c(ak-l)/b_l) (modt?t), 0 ( xr I m.

xk+t *c (modz), 0(xr+r 1t/t, we have

xr+r s a(akxs+ c(ak-l)/fu-l)) + c = ak+txo* c(aGk-l)/G-t) + t = ak+lxo* c(ak+r-D/G-D (modz), which is the correct formula for the (k+t)ttr term. This demonstratesthat the formula is correct for all positive integers k. tr 8.7 Pseudo-RandomNumbers 277

The period length of a linear-congruential pseudo-random number generator is the maximum length of the sequenceobtained without repetition. We note that the longest possible period length for a linear congruential generator is the modulus m. The following theorem tells us when this maximum length is obtained.

Theorem 8.25. The linear congruential generator produces a sequence of period length m if and only if (c, m) : l, a = 1 (mod p) for all primes p dividing m, and a = | (mod 4) if a | ^. Because the proof of Theorem 8.25 is complicated and quite lengthy we omit it. For the proof, the reader is referred to Knuth t561. The case of the linear congruential generator with c : 0 is of special interest becauseof its simplicity. In this case, the method is called the pure multiplicative congruential method. We specify the modulus la, multiplier a, and seed xs. The sequenceof pseudo-randomnumbers is defined recursively by xnal - axo (mod m), 0 1 xn+t 1 m.

In general, we can expressthe pseudo-randomnumbers generatedin terms of the multiplier and seed: --- xn a'xo (mod m), 0 1 xn+t 1 m.

If { is the period length of the sequenceobtained using this pure multiplicative generator,then f is the smallest positive integer such that xs:- a[xs (mod la).

If (xo, m) : l, using Corollary 3.1, we have oI=1 (modz).

From this congruence,we know that the largest possibleperiod length is tr(lrr), where X(rz) is the minimal universal exponentmodulo z. For many applications, the pure multiplicative generator is used with the modulus m equalto the Mersenneprime M3r:23r - l. When the modulus m is a prime, the maximum period length is rn -1, and this is obtained when a is a primitive root of rn. To find a primitive root of M 31that can be used with good results,we frrst demonstratethat 7 is a primitive root of M t.

Proposition 8.1. The integer 7 is a primitive root of M31:23r-1. 278 PrimitiveRoots

Proof. To show that 7 is a primitive root of M31- )31 it is sufficientto showthat

,wt'-Dh 1y (modMt)

for all prime divisors q of Mt-r. with this information, we can conclude that ord2r,,7 : My-|. To find the factorizationof M31_1, we note that My-l : 231- 2: 2(230-l) : 2(215-t)(Zl5+t) : z(zs-t)(2to+2s+t) (zs+t ) (210-zs+t) : 2.32-7.11.3l. I 51.331.

If we show that

q- ,(Mrr_t)/q I (mod M y)

for q :2,3,7, Il, 31,l5l, and 331,then we know that 7 is a primitive root of M31- 214748364j. Since

7{Mil-t)/2 2147483646+ I (mod M y) 7(Mrrt)13 rsr347773s+ 1(mod M t) 7(M\-Dn 12053628s 1(mod t)/rr + M t) 7(Mr 1969212174+ I (mod M y) 7(Mrfr)/3r st2+ I (mod M y) 7(M,t-r) /rsl s35044134+ 1(mod M z) 7(Mrft)/33r 176188s083+ I (mod M y) we see that 7 is a primitive root of M31. E In practice' we do not want to use the primitive root 7 as the generator, since the first few integers generated are imall. Instead, we find a larger primitive root using Corollary 8.2. We take a power of 7 where the exponent is relativelyprime_ to M3;r. For instance,since (s, Mrr-1): l, corollary 8.2 tellsus that 75:16807 is alsoa primitiveroot. since (l3,Mrr- l) : l, another possibility : is to use 7t3 2s22462g2 (mod Mt) as the multiplier. We havely touched briefly on the important subject of pseudo-random numbers' For a thorough discussion of the generation and statistical properties of pseudo-randomnumbers see Knuth tse t.

8.7 Problems

l Find the sequence of two-digit pseudo-random numbers generated using the middle-squaremethod, taking 69 as the seed. 279 8.7 Pseudo-RandomNumbers

generated by 2. Find the first ten terms of the sequenceof pseudo-random numbers : z * (mod 19)' the linear congruential method with x0 6 and xn+r 5x, 2 What is the period length of this generator? generated by 3. Find the period length of the sequenceof pseudo-random numbers :2 (mod 25)' the linear congruential method with x6 and xn+t 7 4xn * 7 generationof 4. Show that if either a : 0 or a - I is used for the multiplier in the pseudo-random numbers by the linear congruential method, the resulting numbers' ."qu.n"" would not be a good choice for a sequenceof pseudo-random where 5. Using Theorem 8.25, find those integers a which give period length .m, -:axn (mod m), (r, i) : l, for the linear congruential generator xnal I c where

a) m:1000 c) m : 106-l b) nr - 30030 d) m :225-1.

can be 6. Show that every linear congruential pseudo-random number generator simply expressedin terms of a linear congruential generator with increment c : 1 and seed 0, by showing that the terms generated by the linear congruential = generator xn+r7 axn * c (mod lrt), with seed xe, can be expressedas xn :- (mod ? 6 y, + xo (mod m), where b (a-1) xo * c m), yo:0' and ln+t aln* I (modln). number 7. Find the period length of the pure multiplicative pseudo-random generator xn Z cxn-r (mod 231-l) when the multiplier c is equal to

a)z c) 4 e) 13. b)3 d)s

8. Show that the maximal possibleperiod length for a pure multiplicative generator -3 of the form xnal QXn (mod 2"), e 2 3, is 2'-2. Show that this is obtained -: when a t3 (mod 8). 9. Another way to generate pseudo-random numbers is to use the Fibonacci generator. Let m be a positive integer. Two initial integersx6 and x1 less than m are specified and the rest of the sequenceis generated recursively by the congruolce.r2al :- xn * xn-1 (mod rn), 0 ( xn+r 1 m'

Find the first eight pseudo-random numbers generated by the Fibonacci generatorwith modulusn : 3l and initial valuesx0: I and xt:24.

10. Find a good choice for the multiplier a in the pure multiplicative pseudo-random number generator xn+rZ axn (mod l0l). (Hint: Find a primitive root of 101 that is not too small.)

ll. Find a good choice for the multiplier c in the pure multiplicative pseudo-random number generator xn i axn-r (mod 22s-1). (Hint: Find a primitive root of 280 PrimitiveRoots

225-l and then take an appropriate power of this root.)

12. Find the multiplier a and increment c of the linear congruential pseudo-random number generator xn+rt axn * c (mod 1003), 0 ( xn+r < 1003, if xs: l, x2:4O2, andx3:361.

13. Find the multiplier a of the pure multiplicative pseudo-random number generator xnal- QXn (mod 1'000), 0 ( xn11 < 1000, if 313 and 145 are consecutive terms generated.

8.7 Computer Projects

Write programs to generatepseudo-random numbers using the following generators: l. The middle-sequencegenerator.

2. The linear congruential generator.

3. The pure multiplicative generator.

4. The Fibonacci generator (see problem 9).

8.8 An Application to the Splicing of TelephoneCables An interesting application of the preceding material involvesthe splicing of telephonecables. We base our discussionon the expositionof Ore [28], who relates the contents of an original article by Lawther [70], reporting on work done for the SouthwesternBell TelephoneCompany.

To develop the application, we first make the following definition.

Definition. Let m be a positive integer and let a be an integer relatively prime to m. The + I - exponent of a modulo ru is the smallest positive integer x such that

et + I (mod rn).

We are interested in determining the largest possible + 1 - exponent of an integer modulo m; we denote this by },s(rn). The following two theorems relate the value of the maximal + I - exponent trs(z) to }.(m ), the minimal universal exponentmodulo rz. First, we considerpositive integersthat possessprimitive roots.

Theorem 8.26. lf m isa positiveinteger,m ) 2, with aprimitive root, then the maximal *l - exponenttrs(rn ) equals0@) / 2: )r@) / 2. 8.8 An Applicationto the Splicingof TelephoneCables 281

Proof. We first note that if m has a primitive root, then \(z) : 6(m). From problem 5 of Section 6.1, we know that g(m) is even, so that 0@) I Z is an integer, if m ) 2. Euler's Theorem tells us that - ootu) :1oatu) lzlz I (mod lz), for all integersa with (a,m) : 1. From problem 7 of Section8.3, we know that when m has a primitive root, the only solutionsof x2 = I (mod m) are x=-tl (modru). Hence, sfh) l2: t | (modz).

This implies that \s(r,)(d(z)lz.

Now let r be a primitive root of modulo m with f I - exponent e. Then re = t | (mod la), so that r2'= 1 (modz).

Since ord^r : 6(m), Theorem 8.1 tells us that 6fu) | 2e, or equivalently, that (6(m) /D I e. Hence, the maximum +l - exponentL6(z) is at least Q@) / Z. However, we know that l(rn ) 4 6fu) /2. Consequently, l,s(rzr):6fu) /2:\fu) /2. tr We now will find the maximal + I - exponent of integers without primitive roots.

Theorem 8.27. lf m is a positive integer withciut a primitive root, then the maximal +1 - exponent \6(rn) equals I(m), the minimal universal exponent of m.

Proof. We first show that if a is an integer of order )t(m) modulo z with + I - exponente such that

ottu)/2# _t (mod z), then e : X(z). Consequently,once we have found such an integer a, we will have shown that ),q(tn) : tr(lz). Assume that a is an integer of order xfu) modulo m with + I - exponent e such that 282 PrimitiveRoots

o)'tu)/2# -r (mod ru).

Since o" = + (mod I rn ), it follows that az, = I (mod z). From Theorem8.1, we know that >rfu) l2e. since x@) l2e and e ( \(z), either e:t(m)/2 or e:x(m). To see that er\,(m)/2, note that ae :- +1 (mod ln), but o),@)/2* I (mod rn), since ord^o:\(m), and o>'(-)/z -t (mod # z) , by hypothesis. Therefore, we can conclude that if ord. a : +l - )r(m), a has exponent e, and a, = _l (mod z), then e : h,(m).

We now find an integer a with the desired properties. Let the prime-power factorization - . . . of m be m 2'op'r' p'; p'r'. we consider several cases. We first consider those rn with at least two different odd prime factors. Among the prime-powers p!' diriding ffi,, let pl be one with the smallest power of 2 dividi"g Obh. Let ri be a primitive root of p',, for i: 1,2,...,s. Let a be an integer satisfying the simultaneouscongruences

Q:5 (mod 2') alri (mod pj') for all i with i # j o-ri ) (moap!).

Such an integer a is guaranteed to exist by the remainder theorem. Note that

ord.a: [I(2tg, Ob','),...,Oe!) / 2 ,...,6Qb1, ^ ,. and, by our choice or pl, we know that this least common multiple equals \,(m). ) e:rj- (modp!), we know that otb/) /' = - 'l,!(P'j' (modp!). I BecauseOeh / z I x@) / z,weknow that It(d /2 - t (modp!),

so that /' otr(*) * -t (mod rn).

Consequently,the + I - exponentof a is I(z). The next case we considerdeals with integers of the form rn - 2toott where p is an odd prime,tr2l and to) 2, sincem hasno primitiveroots. When to: 2 or 3, we have 283 8.8 An Application to the splicing of Telephone Gables

x(,n):12, eQ\')l : dQi').

Let. a be a solution of the simultaneouscongruences a=l (mod4) a t r (mod p'i),

: Because where r is a primitive root of p'1'. We seethat ord- a lr(m) ' - ox@)/2 1 (mod 4),

we know that ox(n)/2 + _l(mod ru).

(z)' Consequently,the +1 - exponentof a is f

When ts 2 ,,let a be a solutionof the simultaneouscongruences a=3 (mod2t') -: a r (mod p'il;

We see the Chinese remainder theorem tells us that such an integer exists. thatord- : ^::,:; ',::';, " ,:':',i :i:':';:,*ll;:'l ""n"'

Thus, ox('.'.)/2 + _t (mod rc),

sothat the 1l - exponentof a is tr(rn). Finally,when m:2'o with ts2 3, from Theorem8.tl we know that ord-5 : X(na),but - 5r(nr)/2 = 152)0(m)/4 1 (mod8).

Therefore,we seethat 5r(m) /, + _1 (modru);

we concludethat the +1 - exponentof 5 is l(lz)' This finishesthe argument since we have dealt with all caseswhere m not have a primitive root. tr 284 PrimitiveRoots

We now develop a system for splicing telephone cables. Telephone cables are made up of concentric layers of insulated copper wire, as illustrated in Figure 8.1, and are produced in sectionsof specifiedlength.

Figure8.1. A cross-sectionof one layer of a telephonecable.

Telephone lines are constructed by splicing together sectionsof cable. When two wires are adjacent in the same layer in multiple sections of the cable, there are often problems with interference and crosstalk. Consequently,two wires adjacent in the same layer in one section should not be adjacent in the same layer in any nearby sections. For practical purpose,the splicing system should be simple. We use the following rules to describethe system. Wires in concentric layers are spliced to wires in the corresponding layers of the next section, following identical splicing direction at each connection. In a layer with m wires, we connect the wire in position j in one section, where I < i ( rn to the wire in position S(j) in the next section,where S(i) is the least positive residue of I + (j-l)s modulo m. Here, s is called the spread of the splicing system. We see that when a wire in one section is spliced to a wire in the next section, the adjacent wire in the first section is spliced to the wire in the next section in the position obtained by counting forward s modulo m from the position of the last wire spliced in this section. To have a one-to- one correspondencebetween wires of adjacent sections,we require that the spread s be relatively prime to the number of wires z. This shows that if wires in positions j and k are sent to the same wire in the next section, then .S(j) : S (k) and 8.8 An Applicationto the Splicingof TelephoneCables 285

I + (j-l)s : I + (k-l)s (modz),

so that js = ks (mod m ). Since (m, s) : l, from Corollary 3.1 we seethat j = k (mod z ), which is imPossible.

Example. Let us connect 9 wires with a spread of 2. We have the correspondence I *l 2-3 3*5 4-7 5*9 6-2 7 -4 8*6 9-8.

This is illustratedin figure8.2.

Figure8.2. Splicingof 9 wireswith spreadof 2.

The following proposition tells us the correspondenceof wires in the first sectionof cable to the wires in the n th section.

Proposition 8.2. Let S'(7) denote the position of the wire in the nth section spliced to the 7th wire of the first section. Then .S'(j) = I + (7-l)s'-r (modz).

Proof. For n : 2, by the rules for the splicing system, we have s2(j) : I + (r-l)s (mod rn),

so the proposition is true for n : 2. Now assumethat S'(j) : I + (7-1)sn-r (modla).

Then, the next section, we have the wire in position S'(7) spliced to the 286 PrimitiveRoots

wire in position

gn+r(r) = I + (,Sr(,r)-t), =li f1;i)',*dm)

This showsthat the propositionis true. D In a splicing system, we want to have wires adjacent in one section separated as long as possible in the following sections. After n splices, Proposition8.2 tells us that the adjacentwires in the 7th and j+l th positions are connected to wires in positions Sr(j) = I + (7_l)s, (mod rn) and ,s'(j+l): I t jsn (mod m), respectively.These wiies are adjacent in the n th sectionif, and only if, - .S'(i) S'in(i+t) : r | (mod m).

or equivalently, (t (j-l)s') - + (l+7sn) = + I (mod ln),

which holds if and onlv if

sn: tl (modm).

We can now apply the material at the beginning of this section. To keep adjacent wires in the first section separatedas long as possible,we should pick for the spreads an integer with maiimar + l - .^ponrnt \o(n).

Example. with 100 wires, we should choose a spread s so that the f I exponentof s is ro(too) : : ^,(100) 20. The appropriatecomputations sho- that s : 3 is such a spread.

8.8 Problems

l. Find the maximal t I - exponent of

a) t7 d) 36 b) 22 e) 99 c) 24 f) 100.

2. Find an integer with maximal * I - exponent modulo il 13 il2s 8.8 An Application to the Splicing of Telephone Cables 287

b) 14 e) 36 c) t5 f) 60.

3. Devise a splicing schemefor telephonecables containing

a) 50 wires b) 76 wires c) 125 wires.

4. Show that using any splicing system of telephonecables with ln wires arranged in a concentric layer, adjacent wires in one section can be kept separated in at most [ @-l) / 2] successivesections of cable. Show that when lz is prime this upper limit is achievedusing the system developedin this section.

8.8 Computer Projects Write programs to do the following:

1. Findmaximal tl -exPonents.

2. Develop a schemefor splicing telephonecables as describedin this section. Quadratic Residues

9.1 Quadratic Residues Let p be an odd prime and a an integer relatively prime to p. In this chapter, we devote our attention to the question: Is a a perfect square modulo p? We begin with a definition.

Definition. If m is a positive integer, we say that the integer a is a quadratic residue of (a,/k) : m if I and the ctngruence ,, = a (mod m) has a solution. If the congruence x2 = a (moa d has no solution, we say that a is a quadratic nonresidue of m.

Example. To determine which integers are quadratic residues of I l, we compute the squares of the integers r,2, 3,...,r0.' we find 12:102: (mod ^ that t tt), 22= 92: it,noO-iii, 32: g2- 9 (modll), 42: '12:5 (mod ll), and 52: 62= t frnoJrrl. Hence,the quadratic residuesof I I are I, 3, 4, 5, and 9; the integers 2, 6,7, g, and 10 are quadratic nonresiduesof I l. Note that the quadratic residuesof the positive integer m arejust the ftth power residuesof m with /<:2, as defined in Section 8.4. We will show that if p is an odd prime, then there are exactly as many quadratic residues as quadratic nonresidues of p among the integlrs r,2,...,p - r. To demonstrate this fact, we use the following lemma.

Lemma 9.1. Let p be an odd prime and a an integer not divisible by p. Then, the congruence

288 9.1 QuadraticResidues 289

x2= a (modp) has either no solutionsor exactly two incongruent solutionsmodulo p.

Proof. lf x2 : c (mod p) has a solution, say x : xo, then we can easily demonstrate that x : -r0 is a second incongruent solution. Since (-xo)': *& = c (modp), we see that -xs is a solution. We note that -xs xo # -xs (mod p), for if xo E (mod p), then we have 2xo:0 (mod p). This is imPossiblesince p is odd and p tr xo (since x& = a (modp)and p tra). To show that there are no more than two incongruent solutions,assume that x : xo and x : xt are both solutions of x2 = a (mod p). Then, we have x& = x? = a (madp), so that x& - x? : (xo*x r) (xo-x r) = 0 (mod p). :- -xe Hence, pl(xs+x1) or pl(xo-xr), so that x | (mod P) or xr E xe (mod p). Therefore,if there is a solutionof x2 = a (mod p), there are exactly two incongruentsolutions. tr This leads us to the following theorem.

Theorem 9.1. If p is an odd prime, then there are exactly Q-l)12 quadratic residues of p and Q-l) /2 quadratic nonresiduesof p among the integers 1,2,'.',p-l'

Proof. To find all the quadratic residuesof p among the integers 1,2,...,p-l we compute the least positive residuesmodulo p of the squaresof the integers 1,2,...,p - l. Since there are p - | squares to consider and since each congruencex2: c (mod p) has either zero or two solutions,there must be exactly Q-D/2 quadraticresidues of p amongthe integers 1,2,...,p-1. The remaining p-l - (p-l)/z- Q-l)lZ positive integers less than p-l are quadratic nonresiduesof p. tr

The special notation associatedwith quadratic residues is described in the following definition.

Definition. Let p bean odd prime and a an integer not divisible by p. The frl Legendre symbol L'Jis defined by I if a is a quadratic residue of p f,l _{ IrJ l.-l if a is a quadratic nonresidueof p. I o I Example. The previousexample shows that the Legendresymt 'ors Itt ,J' 290 QuadraticResidues

Q: l, 2,...,10,have the following values: lrl :lrl :fol- [",l-[,,l:[,J: [+]: [#] :' lal :fgl :f'l-f'l-f'ol :-r, [,',l- [u ,J: [" ,l: l" ,J:l" ,l we now present a criterion for deciding whether an integer is a quadratic residueof a prime. This criterion is useful in demonstratingproperties of the Legendresymbol.

Euler's criterion' Let p be an odd prime and let a be a positive integer not divisibleby p. Then r I lgl= ob-D/27^odp). lp )

rl Proof. First, assume : that l* | t Then,the congruence x2 : a (modp) lp ) has a solution, : say x ro. Using Fermat'slittle theorem,we seethat - ob-r)/2 Gl1

Hence,if - know that ob-t)/2(modp).

Now consider the case where : - l* I t Then, the congruence x.2= a (modp) hasno solutions.o-i?{.orem 3.7,for eachinteger i such that I t < p-1, there S is a uniqueinteger 7 with I < j ( p_1, suchthat ii - c(modp). Furthermore, sin-cethe ioniruence *i L otiroo pl has no solutions,we know that i * j. Thus,*.."i groupthe integersr,Z,...,p-l i.nto(r -l) /2 pairseach with productc. Multipiying thesepairs together,we find that

(p-l)t = ah-t)/21-od p).

Wilson'stheorem tells us that (p-l)t = _l (modp), we seethat -l = ob-t)/2(modp). 9.1 Quadratic Residues 291

- In this case, we also have |,"] o$-t)/2(modp). D l.pJ : Example. Lel p :23 and c :5. Since5ll -l (mod 23), Euler'scriterion rs'l rellsus that : -1. Hence,5 is a quadraticnonresidue of 23. l;l We now prove some propertiesof the Legendre symbol.

Theorem 9.2. ilet p be an odd prime and a and b integers not divisible by p . Then

(i) ir a =D (modp), then : [;] t;] (ii) ["] fbI-f4) lp)lp) Lp ) (iii) f4l :, Ip )

= (modp), then x2=a (modp) solutionif and Proof of 0. lf a D ltut.,u : onlyif x2 = b (modp) hasa solution.Hence, l* I l+ | lp ) lp ) Proof of (iil. By Euler's criterion, we know that

fal = o(o-r)/z(mod\'^!vsrl' p), Iql = 6b-D/z(mod p), l.pJ-- V)-"

and

[a) = GDe-t)/2(mod p). Ip )

Hence. - o$-t)/z6b-r)/z: (ab1e-t)/z : ltl (modp). lp )

Since the only possiblevalues of a Legendresymbol are * I, we concludethat 292 QuadraticResidues [;]itl :l+)

Proofof Gii).since f:l : *r , frompart (ii) it followsthat lp ) r-lr ) l,):lor) tflt?):,tr Part (ii) of Theorem 9.2 has the following interestingconsequence. The product of two quadratic residues,or of two quadratic nonresidues,of a prime is a quadratic residue of that prime, whereas the product of a quadratic residue and a quadratic nonresidueis a quadratic nonresidue. using Euler's criterion, we can classify those primes having _ l as a quadratic residue.

Theorem 9.3. If p is an odd prime, then r)( l-rl Jrif p: l(mod4) l-, : I --l (mod4). f p J t-r if p

Proof. By Euler'scriterion, we knowthat [ -' ' ] I | = (-1)(r-t)/21-odp). [r )

If p : I (mod :4k 4), then p * I for someinteger ft. Thus, (1){o-Dtz: (_l)2k : l, r) sothat : l+f r. rf p = 3 (mod4),then p:4k*3 forsome integer lp ) fr. Thus.

1-9{o-D/t: (-l)zk+t - -1. ( -,^ l sothat | | =-t. tr Lp ) The following elegant result of Gauss provides another criterion to determine whether an integer a relatively prime to the prime p is a quadratic residueof p. 9,1 Quadratic Residues 293

(a : Gauss'Lemma. LeI p be an odd prime and a an integer with ,p) l. Ii s is the number of least positive residues modulo p of the integers Q, 2A, 3e,...,((p-D/Da that are greater than p/2, then the Legendresymbol Irl l-l= = (-l)'. lp )

proof. Let u1, u2,...,1tsrepresent the least positive residues of the integers a, 2a, 3o,...,((p-D /Da that are greaterthan p /2, and let v 1,v2,...,v; be the least positive residues of these integers that are less than p 12. Since (,r ( Qa,p): I forall 7 with t b-l)/2, allof theseleastpositiveresidues arein the set 1,2,...,P- l.

We will show that p-ut, P-u2,..., P-ur, v1,v2,.'.,v1comprise the set of integers 1,2,...,(p-D/2, in some order. To demonstratethis, it sufficesto show that no two of these integers are congruent modulo p, since there are exactly Q-l)/2 numbersin the set, and all are positiveintegers not exceeding (p-D /2. It is clear that no two of the ai's are congruentmodulo p and that no two of the v;'s are congruentmodulo p;if a congruenceof either of thesetwo sorts held, wb would have ma z na (mod p) where m and n are both positive integers not exceeding Q-D12. Since p tr a, this implies that 7n - n (mod p) which is impossible. - a, vit for if In addition, one of the integers P 4 cannot be congruent to l) - such a congruence held, we would have ma 3 p na (modp), so that -- -n (mod ma t -na (modil. Sincep tra, this impliesthat m p) . This is impossiblebecause both m andn arein the set l, 2,...,(p-l)/2. - - - Now that we know that p Ul, P 112,...'P Ur, Vl, V2,,..., Vt afe the integersl, 2,...,(p-l) 12,in someorder. we concludethat

' ' :- (mod (P-')(P-uz) (p-u)v 1v2 vt t+l p ), which implies that

(e.l (-t)'ultz' urv1v2 vt [n:i, (modp ). ) f z )

BUt, sinCe ll1, ll2,...rlls,vl, VZ,...rvt are the least positive residues of a,2a,...,((p-t)/Da, we also know that 294 QuadraticResidues

@.2) utuz' Lt,vtv2-..vtz a.2a...1+1" lz ) p-r( ) : oT l+lr (moop). l.- )

Hence,from (9.1) and (9.2), we seethat p-t(' I r l (-r)'a lf lr= l+lr(moap). lL j lt ) Because(p,((p-D/DD: l, thiscongruence implies that (-t),a+:l (modp).

By multiplying both sidesby (-l)', we obtain p-l a 2 : (-t)'(modp). p-tr) Since Euler's criterion tells usthata 2 : lil (modp),itfollowsthar lp ) r) l* | = (-l)' (modp), tp ) establishingGauss tr

Exampte.Let o:5 andp: ll. To find t+l by Gauss.lemma, we computethe leastpositive residuesof r.5,2.5: llsl o s,and5.5. Theseare 5, 10, 4,9, and 3, respectively. Since.,exactlytwo of these are greater than ll/2,Gauss'lemma tellsus rhat l+ | : (-l)2: l. l rr J Using Gauss' lemma, we can characterize all primes that have 2 as a quadratic residue.

Theorem 9.4. If p is an odd prime, then r) lZl:(-1)g,-rvs. [p J 9.1 Quadratic Residues 29s

Hence, 2 is a quadratic residue of all primes p : + I (mod 8) and a quadratic nonresidueof all primes p + 3 (mod 8).

Proaf. From Gauss'lemma, we know that if s is the numberof leastpositive residuesof the integers r) 1.2,2.2, 3.2, ..., l+1.'\- ) rl : (-l)'. thatare greater than pl2,then l+ | Sinceall theseintegers are less lp ) than p, we only need to count those greater than p /2 to find how many have least positive residuegreater than p /2.

The integer2j, where I ( 7 ( b-l)/z, is lessthan pl2when i 4 pla. Hence, there are Ip /41 integers in the set less than p /2. Consequently,there n-l are s

L that : (-D+-tP/al

To prove the theorem,we must show that

- '4- = {p'-1)/8(mod 2). +2 el

To establish this, we need to consider the congruenceclass of p modulo 8, since, as we will see, both sides of the above congruencedepend only on the congruenceclass of p modulo 8.

We first considerb'-l)/5. If p = +l(mod 8), thenp:8k +l whereft is an integer,so that (p'-l)/8 - ((sk+t)2-t)/8: G+k2+r6k)/8:8k2+ 2k:0 (mod2).

: If p + 3 (mod 8), then P : 8k + 3 where k is an integer,so that (p'-l)/8 : ((st + iz-D/s: (64k2 + 48k + 8)/8 :8k2 + 6k +l : I (mod 2).

Nowconsider - /ql. rf p I (mod8), thenp :8k + | for some + l' b integer k and 296 QuadraticResidues

d - -tp/+l:4k -lztc :2k 2 + t/41 = 0 (mod2);

if p :3 (mod : gk 8), thenp * 3 for someinteger k, and -b/ql : - + 4k+ I t2* + 3/41: 2k+l = I (mod2);

lfp = (mod : 5 8), then p Bk f 5 for someinteger k, and n-l -tp/ql : 4k - : T + 2 [ztc+ S/4] 2k +l = I (mod2);

ifp = (mod : 7 8), then p Bk * 7 for someinteger k, and n-l - - T lp/ql:4k + 3 Izn + 7/41:2k + 2 = 0 (mod2).

Comparing the congruenceclasses modulo Z of - (pz-D * Ip /41 and /A for the four possiblecongruence classesof the odd irime p modulo g, we see that we alwavs nar" - * b/ql = {pr-1)/8 (mod 2).

Hence,(Z) : 1-1y(r,-r)/8. p Fromthe computations of the congruenceclass of (pz_l)/g 2), we see ,(mod that l3l:l if p:+l(mod8), while -, lp ) if p = r 3 (mod8). tr l?):

Example. From Theorem9.4, we seethat [+]: [+] - [*):[+] :, while (".l L f+l:f+l :fal :fzl : : I l:_.1 [3J [sJ It'.l Ir,l- [+][2eJ We now present an example to show how to evaluateLegendre symbols.

Exampte.To evaluate we usepart (i) of Theorem Iuf+1, )' 9.2 to obtain 9.1 Quadratic Residues 297

rt2 3 lvt : lg = | | : t.since317 =9 (mod1l). |." L' lilJ Iesl To evaluate since 8e: -2 (mod13)' we have lii l, t1l [U l. Becauset3 = I (mod4), Theoreme.3 . L13 ,l I t3 J I : t. Since 13 = -3 (mod 8), we see from Theorem 9.4 ,n| Consequently,., fql :_1. [ ,, t In the next section, we state and prove a theorem of fundamental importance for the evaluation of Legendre symbols. This theorem is called the law of quadratic reciProcitY. The difference in the length of time needed to find primes and to factor is the basis of the RSA cipher discussedin Chapter 7. This differenceis also the basis of a method to "flip coins" electronically that was invented by Blum [821. Results about quadratic residuesare used to developthis method. Suppose Ihat n : pq, where p and q are distinct odd primes and suppose that the congruencex2 = a (modn), O 1a 1tt, has a solutionx : x0. We show that there are exactly four incongruent solutions modulo n. To see this, let xoExl(modp), 0(xt 1p, and let xoEx2(modq), 0 ( x2 < q. Then the congruence x2 = a (mod p) has exactly two 'and -x1 incongruentsolutions, namely x z x' (modp) x = P (modp). Similarly the congruence x2 : c (mod g) has exactly two incongruent - solutions,namely x 2 xz (mod q) andx = Q x2 (mod g). From the Chinese remainder theorem, there are exactly four incongruent solutionsof the congruencex2 = a (mod n) ; these four incongruent solutions are the unique solutions modulo pq of the four sets of simultaneous congruences

x (mod p) (iii) x = p - x1 (modp) x (mod q) xzxz (mod q)

(ii) x x1 (modp) (iv) x - x1 (modp) - - (mod x Q xz (mod q) x x2 q).

We denote solutionsof (i) and (ii) by x and y, respectively.Solutions of (iii) and (iv) are easily seento be n-y and n-x, respectively. 298 QuadraticResidues

We also note that when p = = (mod q 3 4), the solutions of x2: a (modp) and of x2: a (mod - q) ur" , ;'o

: 1oQ+t)/t12 eQ+o/z: oe-Dlz.a =a (mod q).

Using the chinese remainder theorem, together with the explicit solutions just constructed' we can easily find the four incongruent solutions x2 = a (mod of n) . The following example illustrates this procedure.

Example' Supposewe know a priori that the congruence x2 = 860 (mod I l02t)

has a solution'since 11021:103'107, to find the four incongruentsolutions we solve the congruences :860 x2 = 36 (mod 103)

and

x2:g60:4(modl07).

The solutionsof these congruencesare : ; +36(ro:+D/q- +3626= + 6 (mod103) and

= + r 4Qo7+D/a= t 427: * 2 (mod 107), respectively. Using the chinese remainder theorem, we obtain x 4 *. 2r2, * 109 (mod ll02l) as the solutions of the four systems of congruences described by the four possiblechoices of signs in the system + of congruences x = 6 (mod 103),x = + 2 (mod 107). we can now describe a method for electronicaily flipping coins. suppose that Bob and Alice are communicating electronically. etice !i.t, two distinct 9.1 QuadraticResidues 299

large primesp and q, with p = q = 3 (mod 4). Alice sendsBob the integer n : pq. Bob picks, at random, a positive integer x less than n and sendsto Alice the integer a with x2 : a (mod n),0 ( a I n. Alice finds the four solutionsof x2 = a (mod n), namelyx, !, fr-x, andn-y. Alice picksone of : these four solutions and sends it to Bob. Note that since x + y 2* t # 0 (modp) and x + y = 0 (mod q), we have G+y,n): q, and similarly G+h-y), n) : p. Thus, if Bob receiveseither y or n-y, he can rapidly factor n by using the Euclidean algorithm to find one of the two prime factors of n. On the other hand, if Bob receiveseither x or n-x, he has no way to factor n in a reasonablelength of time. Consequently,Bob wins the coin flip if he can factor n, whereasAlice wins if Bob cannot factor n. From previous comments, we know that there is an equal chance for Bob to receivea solution of x2 = a (mod n) that helps him rapidly factor n, or a solution of x2 = a (mod r) that does not help him factor n. Hence, the coin flip is fair.

9.1 Problems

l. Find all the quadratic residuesof

a) 3 c)13 b)s d) te. r.t 2. Findthe value of theLegendre symbols : 1,2,3,4,5,and6. l+ I,for7

3. Evaluate the Legendre symbol

il using Euler's criterion.

b) usingGauss'lemma.

4. Let a and b be integers not divisible by the prime p. Show that there is either one or three quadratic residuesamong the integersa, b , and ab .

5. Show that if p is an odd prime, then ( ll ifp I or 3 (mod 8) -1 l-r itp -l or -3 (mod 8).

6. Show that if the prime-power factorization of n is

)r n : p?"*tpl"*t ' " pi"*tpili' Pn

and q is a prime not dividing n, then 300 QuadraticResidues

lorl t7l 7. Show that if p is prime andp - 3 (mod 4), then te_0/Zll = (_t), (modp), where I is the number of positive integers less than p /2 that are quadratic residuesof p.

8. show that if b is a positive integer not divisibre by the prime p, then

i*l. l+1.i+l . +f"'-pol :o" lp) lp) [pJ I p ) 9. Let p be prime and a a quadratic residue of p. Show (mod -a that if p = | 4), then is also a quadratic residue of p, whili it p = 3 (mod i), th"n _a is a quadratic nonresidueof p.

10. Consider the quadratic congruence ax2 * bx * c = 0 (modp), where p is prime and a,b, and c are integerswith p I a. il Let'p :2. Determine which quadratic congruences(mod 2) havesolutions. b) Let p be an odd prime : - and let d b2 4ac. show that the congruence axz + bx * r 0 (mod = p) is equivarent to the congruence y2 = d (modp), :2ax where y t b. Concludethat if d =0 (modp), then there is exactly one solution x modulo p, if d is a quadratic residue of p, then there are two incongruent solutions, while if d is a quadratic nonresidueof p, then there are no solutions. Find all solutionsof the quadratic congruences a) x2+ x*l=0(mod7) b) x2+5x+l:0(mod7) c) x2+3x+l=0(mod7).

12. Show that if p is prime and p 2 7, then a) there are always two consecutivequadratic residuesof p (Hint: First show that at leastone of 2,5,and r0 is a quadratic residu. oip.) b) there are always two quadratic residuesof p that differ by 2. c) there are always two quadratic residuesof p that differ by 3. 13. Show that if a is a quadratic residue of the p, then the solutionsof x2 = a (mod p) are -F il x E an+l(mod p),if p :4n * 3.

b) x E * 22n+ron+r(mod p), if p :gn * 5. 9.1 Ouadratic Residues 301

|4.Showthatifpisaprimeandp:8n*l,andrisaprimitiverootmodulop, then the solutionsof x2 = I 2 (mod p) are given by

x E t (r1n t r') (modp),

where the * sign in the first congruencecorresponds to the + sign inside the parenthesesin the secondcongruence.

15. Find all solutionsof the congruencex2 = I (mod l5).

16. Let p be an odd prime, e a positive integer, and a an integer relatively prime to p.

a) Show that the congruencex2: a (modp"), has either no solutions or exactly two incongruentsolutions modulo p".

b) Show that there is a solution to the congruence x2 = a (mod p'*') if and only if there is a solution to the congruencex2 = a(mod p"). Conclude that the congruencex2 = c(modp") has no solutionsif a is a quadratic nonresidueof p, and exactly two incongruent solutions modulo p if a is a quadratic residueof p.

c) Let n be an odd integer. Find the number of incongruent solutions modulo n of the congruencex2 = a(mod n), where n has prime-powerfactorization | ' . ' !-l n : p'ipti p';, in terms of the Legendre'a--- symbols J l- lgl [p, j""', lo. )' t7. Find the number of incongruent solutionsof

il x2 : 3l (mod 75) b) x2 : 16 (mod 105) c) x2 : 46 (mod 231) d) x2 = l156 (mod 32537stt6).

18. Show that the congruencex2 = a(mod 2"), where e is an integer,e 2 3, has either no solutionsor exactly four incongruent solutions. (Hint: Use the fact that (*x)2 : (2e-t*x)2 (mod 2").)

Show that there are infinitely many primes of the form 4k * l. (Hint: Assume that pt,p2,...,pnare the only such primes. Form N :4(ppz"'P)2 * l, and show, using Theorem 9.3, that N has a prime factor of the form 4k * I that is not one of p1,p2,...,pn.) 20. Show that there are infinitely many primes of the form

a) 8k-l b) 8&+r c) 8fr+5.

(Hint: For each part, assumethat there are only finitely many primes Pr,P2,...,Pn of the particular form. For part (a) look at @ppz"'P)2 - 2, for part (b), lookat (prpr"'p)2 * 2, and for part (c), lookat (ppz"'p,)z + 4. In each 302 Quadratic Residues

part' show that there is a prime factor of this integer of the required form not among the primes pr,p2,...,pn use Theorems9.3 and 9.4.) 21. Show that if p is an odd prime,.then the congruencex2 = a (modpn) has a solution for all positive integers n if and only if a" is a quadratic residue of p. 22' show that if p is an odd prime with primitive root r , and a is a positive integer not divisibleby p, then a is a quadratic residueof p if and onty irino"a is even. 23' Show that every primitive root of an odd primep is a quadratic nonresidueof p. 24. Let p be an odd prime. Show that there are (p-D/z _ quadratic nonresidues 6e_D of p that are not primitive roots of p. 25' Let p and'q :2p * I both be odd primes. Show that the p-l primitive roots of q are the quadratic residues of g, other than the nonresidue2p of q . 26' show that i! p and' q - 4p I are both primes and if a is a quadratic nonresidueof q .* with ordoa * 4,thena is a primitive root of q. 27' Show that a prime p is a Fermat prime if and onlyJ if-- every- '-'J quadratic1-*uras1 nonresidue of p is also a primitive root of p. .

28. Show that a prime divisor p of the Fermat number Fn : 22.* I must be of the form 2n+2k+ r. (Hint, show - that irioz 2n+1. Then show that 2$-tttz = I (mod p) using Theorem 9.4. conclude that 2n+tle-D/2) 29. a) Show that if p isa primeof the form4ft * 3 and q :Zp * I is prime, then q dividesthe Mersenne : number Mo 2p-L (Hint: Consider thl Legendre symboll:1.) lq) b) Frompart (a), show that nl Mr,47l M23,and 5031 Mrr. 30. Showthat if n is a positive integerand 2n*r is prime,and if n s0 or 3(mod4), then 2n * | dividesthe Mersenne jl numberMo:2n_1, white if n or2 (mod4),then * I divides r2n Mn*2:2n t L (Hint:Considerthe Legendre symbol l+ | useTheorem 9.4.) lzn+r ) "na Showthat if p is an odd prime,then

'>p-2 (.'. -' l l/(i+l) l:_,.' t-"- [ p )

(Hint:First showthar : *n".r7-is-" an inverse of modulo If+l P [+lP 7 p). J t )

32' Let p be an odd prime. Among pairs of consecutivepositive integers less than p, let (RR), (RN), (NR), (Nu) ano denote the number of pairs of two quadratic 9.1 Quadratic Residues 303

residues, of a quadratic residue followed by a quadratic nonresidue, of a quadratic nonresidue followed by a quadratic residue, and of two quadratic nonresidues,respectively.

il Show that (RR) (RN) : + lU-'-t-17{n-r\/21 (NR) + (NN) : -'*t-11{r-D/21 lb (RD + (NR) : l'r (RN) + (NN) : lr-u

b) Using problem 30, show that 't ,il^( l t(t+l) | : (no- + (NN)- (RN)- (NR): -r. t:' I P )

c) From parts (a) and (b), find (RD, (RN), (NR), and (NN). 33. Use Theorem 8.15 to proveTheorem 9.1. 34. Let p and q be odd primes. Show that

a) 2 is a primitive root of q, if q : 4p * 1.

b) 2 is a primitiverootof q,if p isof the form 4/<* I and Q:2p * l.

c) -2is a primitiveroot of q,if p is of the form4k - I and Q :2p * l.

d) -4 is a primitive root of q, if q : 2p * | '

35. Find the solutionsof x2 = 482 (mod 2773) (note that 2773:41'59).

36. In this problem, we develop a method for deciphering messagesenciphered using a Rabin cipher. Recall that the relationship between a ciphertext block C and the corresponding plaintext block P in a Rabin cipher is C = P Q+O) (mod n), where n: pq, p and q are distinct odd primes, and b is a positive integer lessthan n.

a) Show that C *a 3 (f+6)2(modn), wherea =(lD2 (modn), and 2 is an inverseof 2 modulo n.

b) Using the algorithm in the text for solving congruences of the type x2 = a (mod n), together with part (a), show how to find a plaintext block P from the correspondingciphertext block C. Explain why there are four possible plaintext messages. (This ambiguity is a disadvantage of Rabin ciphers.)

c) Using problem 35, decipher the ciphertext message 1819 0459 0803 that was encipheredusing the Rabin cipherwith D - 3 and n:47'59:2773. 304 QuadraticResidues

37' Let p be an odd prime and let c be the ciphertext obtained by modular exponentiation, with exponent e and modulus p, from the plaintext p, Le., c = p' (modp),0 ( < c n, where(e,p-l) :1. show tnalc is a quadratic residue p of p if and only if is a quadratic residue of p . 38' a) Show that the secondplayer in a game of electronic poker (see Section 7.3) can obtain an advantage by noting which cards have numerical equivalents that are quadratic residuesmodulo p . (Hint: Use problem 37.) b) Show that the advantage of the second player noted in part (a) can be eliminated if the numerical equivalents of cards thai are quadratic nonresiduesare all multiplied by a fixed quadratic nonresidue. 39' Show that if.the probing sequence for resolving collisionsin a hashing scheme is h1(K) = h(K) + ai * biz (modn), wherJ n ir u 6urting*function, z is a positive integer, and a and 6 are integers with (b ,m) : l, thJn only half the possible file locations are probed. This is called the quadratic search.

9.1 Computer Projects

Write programs to do the following:

l. Evaluate Legendre symbols using Euler's criterion.

2. Evaluate Legendre symbolsusing Gauss' lemma. 3' Flip coins electronically using the proceduredescribed in this section. 4' Decipher messagesthat were encipheredusing a Rabin cipher (seeproblem 35).

9.2 The Law of QuadraticReciprocity Ol elegrant.,theorem of Gauss f relatesthe two Legendre symbols | 9 I | * I, wherep and,q are bothodd This theorem, lq) "'o lp) called the law of quadratic reciprocity, tells us whether the congruence x2 : p (mod q) has solutions, once we know whether there are solutions of the congruence x2 = p(mod q), where the rolesof p and q are switched. We now state this famous theorem.

The Law of Quadratic Reciprocity. Let p and q be odd prirnes. Then f )f p-t.q-l ,l ^, lzlle_l_ eD-, . tq ) lp ) 9.2 The Law of Quadratic Reciprocity 305

Before we prove this result, we will discussits consequencesand its use. We first note that the quantity Q-D/2 is even when p =-l(mod 4) and odd = we see that is even if whenp i(mod 4). Consequently, + + (mod q = | (mod4), while is odd if p =t 4) or + + p = q = 3 (mod 4). Hence, we have (orboth) folInl Jr rf p:l(mod4)orq=t(mod4) irP:q=3(mod4)' |.;l F)-- l-t .| Sincethe only possible values l+'l uno [+ t l, wesee that " lq) lp) "r. {r ) (or I l"l tt p =t(mod 4) orq =t(mod 4) both) [n-l:.lt'.o'., lq,| l-["I uo =q=3(mod4). I tp J

: Thismeans that if p andq areoddprimes, then [+l [*'l both lq,) .,lP J,""t.ss -[;] p andq arecongruentto 3 modulo4,andin that.ur., : [t]

p: 13 and q:17. Since =rq = | (mod4), the law of Example. Let ,P quadraticreciprocity tells us that : Frompart (i) of rheorem | # 'I I\ i+ ''l. \ e.2,weknowtl. Itt'l i:11lq followsthat, ;il1l; rj: ;:il ;:.'il.":'_.1""""- /\\ l",J: |.,, thatl*l : t I I/ J

Let : 7 and : 19- Sincerp q = 3(mod 4) , from the law of Example. P Q = r) 12 quadratic reciprocity, we know that :- I l. From Dart (i) of lil L7 ) Theorem9.2, we see that t+ I : Again'using the iaw of quadratic l./ ) l+l 306 Quadratic Residues

reciprocity,since 5 = l(mod 4) and 7 = j(mod 4), we have : (i) +J part ., of Theorem and Theorem [+] f-T 2.2 9.4, we know that l+l- l?l: -'r' Hencerrv','lvutrl : , [5J [5J [+l we can use the law of quadratic reciprocity and Theorems 9.2 and 9.4 evaluate Legendre "pii.. to symbols. Unfortunately, factorizations computed must be to evaluateLegendre symbols in this wav.

Example.We will calculatel:rt I , wefactor 73: 233"";;,;,"_ ,"Jm,::""::1,:'j:;:"'""" [+l :[+l :l-,' lfg-l IrooeJtroor J- [t*n,Ji,*r,J

To evaluate the two l-sgsndre symbors on the right side of this equarity, we use the law of quadratic reciprocity. i Since tOoq I (mod 4), ;. seethat Izt ] frooeIIr' l:[1ql= Irooej:tr ,|'lrootj l3r ) Using Theorem 9.2, paft (i), we have Irooql lzol lx ,l:t",l [+]:[+] By parts (ii) and (iii) of Theorem9.2. lpl :lzri :l 123) [zr )- t

The law of quadratic reciprocity, part and Theorem tell us that 9.4 [' l- (rtl : : : -1 IzrJ-ITj t+] 9.2 The Law of Quadratic Reciprocity 307

Likewise, using the law of quadratic reciprocity, Theorem 9.2, and Theorem 9.4, we find that lul :- fll : : - : : |.r' ,| |.tt .| [+][+] [+] [+] [+] [+] lzl: :-[+):-' l3 J

consequently, : [*] (- \ : Therefore,l # I : t-r)(-l) t [,009 ) We now present one of the many possibleapproaches for proving the law of quadratic reciprocity. Gauss,who first proved this result, found eight different what was facetiously iroofs, and an article published a few years ago offered ialled the l52nd proof of the law of quadratic reciprocity. Before presenting the proof, we give a somewhat technical lemma, which we use in the proof of this important law.

Lemma rfp an odd prime and a is an odd integer not divisible by p, then r) lgl: 1-11rb'il, lp)

where (P-r)/2 T b,p) j-r

Proof. Consider the least positive residues of the integers a, 2a,...,((p-l)lDa; let u1, 112,...,It, be those greater than p /2 and let v t, v2,...,v, be thoseless than p /2. The division algorithm tells us that ja : pljo lpl + remainder,

where the remainder is one of the uj's or vj's. By adding the Q-l)/Z equationsof this sort, we obtain 308 QuadraticResidues

(e.3) @-Dlz b-D /2 r , .Z ia: a pf,ia/pl*iui+iv1. r-' J-t j:l j:l As we showedin the proof of Gauss'lemma, the integersp _ ur,...,p _ us, vt,...,vt are precis.ely the integers1,2,..., b-l)/2, ii someo.j... Hence, summingall theseintegers, we obtain (e.4) b-r)/2 s 1 i: \ Q-u)+ vi:ps- q+ j:rZ j:r ) i !,r1. j_r j:l t*l

Subtracting (9.4) from (9.3), we find that g_r)/z (p_D/2 (p_D/2 r j:t j-t j_t j _l

or equivalently,since T(a,p) :t')'' Ija/pl, i'l . (p-t) /2 (a-l)

j: I j:r

Reducing this last equation modulo 2, since a and,p are odd, yields o = T(a,p) - s (modD. Hence,

T(a,p) =s (mod2).

To finish the proof, we note that from Gauss,lemma

tLl:|,) (-t)'. tp ) Consequently, (-t)" : (-1)r6,e), it follows that r) lgl:1-1;r(a,r). g lp ) Although Lemma 9.2 is usedprimarily as a tool in the proof of the law of quadraticreciprocity, it can alsobe usedto evaruateLegend^re symbols.

Example.To find |'+ I , usingLemma 9.2, weevaluatethe sum l'^ J The Law of OuadraticReciprocity 309

5 17j/rrl : I7lul + t r4/rtl+ I2rltll + [28/ll]+ t3s/l1l j-1 :0+ I + I +2+3:7. (tl : -1. Hence,l+l (-l)7: L" J r ) Likewise,to find I + t, wenote that l./ ) 3 : 1 * 3 * 4 - 8, ) tr rilll lrrl7l + t22l7l+ l33l7l: j:l r) sothar t+ | : (-l)8: l. L/ ) Beforewe presenta proof of the law of quadraticreciprocitY, we use an exampleto illustratethe methodof proof. with Let p : 7 and Q : ll. We consider pairs of integers k ,y) 7-l llll :3 and I ( v < :5. Thereare 15such pairs' We l(x<;:3andl(Y'- 2 :7y note that no-n.of thesepairs satisfy llx : 7y, sincethe equalityllx is i.pfi"r that 1t l1y, sotirat either it I Z, whichis absurd,or 11 ly, which impossiblebecause t ( y ( 5. We dividethese 15 pairs into two groups,depending on the relativesizes of llx and7y. The pairs of integersG,y) with I ( x < 3, I ( y { 5, and llx > 7y urc pr..isely thosepairs satisfyingI ( x ( 3 and 1 ( y ( 11xl7. For a fixed integerx with 1 ( x ( 3, there are lttx/ll allowablevalues of y. Hence, the total number of pairs satisfying I ( x < 3, 1 ( / ( 5, and llx ) 1y is 3 : 2 tt tlTl : ttt/tl + 122/71+ I33l7l: I * 3 + 4 8; j:1

(3,4)' theseeight pairsare (l,l), (2,D, (2,2), (2,3), (3,1), (3,2), (3,3) and The pairs of integers G,y) with I ( x < 3, I ( y ( 5, and llx 1 7y *r. pr..isely those pairs satisfying I ( y ( 5 and 1 ( x 4 7y /tt. For a fixed integer y with I ( y ( 5, there are lly/ttl allowable values of x. Hence, the total number of pairs satisfying I ( x < 3, I ( y ( 5, and llx ( 7y is 310 QuadraticResidues

5 ltj /ttl : Ij lrrl + [tLltr]+ [2r/rtl+ I28ln] + [3sll1] j-r :0*l + 1+ 2*3:7.

Theseseven pairs are (l,2) , (1,3),(1,4), (1,5), (2,4), (2,5), and (3,5) Consequently,we seethat 1l-1 7-l 35 15: ) trrjlll+ > ltjltll : 8 * 7. T;:5'3: j-r j-r

Hence,

rr-l .7-l i,rrrr,r,* i, rtinl (_t) 2 2:(_l);*' i-l 35 2lni/tl )Iti/rrl (- I )i-' (- I )r-'

3 rr I Z,'rj/tl Since Lemma g.2 tells r.^rs that+L^+ | : (-1;r-t and 17 | 'l 5t/ (t t-'rr-r :(-1)i-t,weseethat..Ittrr"t lt lfrrl" :(-t) 2 2 l#l I ll | r,'J [11J|.7 ) This establishesthe special case of the law of quadratic reciprocity when p:7andq:ll.

We now prove the law of quadratic reciprocity, using the idea illustrated in the example.

-l) Proof. We consider pairs of integers (x,y) with I ( x ( Q /2 and o-l I ( y ( (q -D/2. There ur" 2-l such pairs. We divide t-hesepairs ; T into two groups, dependingon the relative sizesof qx and py. First, we note that qx I py for all of these pairs. For if qx : py, then qlpy, which impliesthat qlporqly. However,since q and p are distinct primes,we know that q lp,and since I ( y ( (q-i12, we know that q I y. To enumerate the pairs of integers (xy) with I ( x ( Q-I)/z, 1 ( y ( (q -l) /2, and qx > py, we note that these pairs are preciselythose where I (x ( (p-l)/2and I (y 4qx/n. For each fixed value of the integer x, with 1 ( x 4 b-1012, there are Iqx/pl integers satisfying I ( y 4 qx /n. Consequently, the total number of pairs of integers G,y) 9.2 The Law of Quadratic Reciprocity 311

Q-t)t2 withl (x ( Q-D/2,t (v ( Q-D/2,andqx> Pvis Iqilpl' ?, -l) We now considerthe pairs of integersG,il with 1 ( x ( b 12, 1 ( y ( (q-D 12,and qx < py . These pairs are preciselythe pairs of integlrsG,il with 1(y ( (q-D/Zand 1(x 4pylq. Hence,foreach -1) fixed value of the integer y, where I ( y ( (q 12, there are exactly lpy lql integers x satisfying I ( x 4 py lq. This shows that the total ( (q-t)/z, nurnu..of pairselil/r.g"rt (i,y) with I ( x ( b-D/2,1 (y and qx < py is j-r Adding the numbers of pairs in these classes,and recalling that the total '=rt numberof suchpairs ,, '+,we seethat ')'' hilpt*'ni'' ,r,,d: +'+ , j-| i-r

or using the notation of Lemma 9.2, p-l T(q,p) + TQ,q) - .q-l 22

Hence, p-l .q-r 22 ,-t1rQ'il+r@,q): (- 11r(e'n)1-11r{n'c) : (-t)

: Lemma 9.2tells us that 1-1yr(a,r): ["'l ."0 1-gr{o.o) [".| Hence lp J lq) f lf \ P-t.q-l lzll4l:(-t) 2 2 l.qJl.p J

This concludesthe proof of the law of quadratic reciprocity. n The law of quadratic reciprocity has many applications. One use is to prove the validity of the following primality test for Fermat numbers.

Pepin's Test. The Fermat number F^ : 22' + I is prime if and only if 3G'-r)12: -l (mod F-).

proof. We will first show that F* is prime if the congruencein the statement of the theorem holds. Assume that 312 QuadraticResidues

3G^-r)/2: -l (mod F*).

Then, by squaring both sides,we obtain

3F.-1 = I (mod F*).

From this congruence,we seethat if p is a prime dividing F*,then 3F.-l = I (modp),

and hence,

ordo3 | {f ^-I) : 22'.

Consequently,ordr3 must be a power of 2. However, ordo3tr2''-': (F^-D/2,

since - -l (mod 3G^-t)/2 F*) . Hence, the only possibility is that o1do3:22^ : - : - F^ l. Since ordo3 Fm-t ( p I and p I F*, we see that p : F^, and consequently,F^ must be prime.

Conversely,ifFr:22'* I is prime for m ) l, thenthe law of quadratic reciprocity tells us that (e.5) t*l:[+J:[+] since F^ = | (mod 4) and F^ = 2 (mod 3). Now, using Euler's criterion, we know that (e.6) t*l3G'-t)/'(-od F-). I From the two equationsinvolving I I (9.5) (s.e), [". j' and we concludethat _ 3(J'._r)/2 _1 (modF).

This finishesthe proof. tr

Example.Letm:2. Then F2: 22'+l:17and

aFr-t)lz _ 38 : -1 (mod l7). 313 9.2 The Law of QuadraticReciprocity

By Pepin'stest, we seethat F2 : l7 is prime' : notethat Let m :5. Then Fs:22' + l:232 t I 4294967297-We - -l (mod 3G,-D/2: 12": 32t4148364810324303 * 4294967297).

Hence,by Pepin'stest, we seethat F5 is composite'

9.2 Problems

l. Evaluate the following Legendre symbols

a, d) [-u] [*] [64r.J

u, e) f:ul [+l leerJ Iros] c,t*l l*'l prime, then 2. Using the law of quadratic reciprocity, show that if p is an odd

p = tl (mod 12) : p = t5 (mod 12). [;] {lii

3. Show that if p is an odd Prime, then

[-r I: ifp=t(mod6) [7J {l if p = -l (mod 6).

4. Find a congruencedescribing all primes for which 5 is a quadratic residue' 5. Find a congruencedescribing all primes for which 7 is a quadratic residue. (Hint: 6. Show that there are infinitely many primes of the form 5Ic * 4' Let n be prime of a positive integer and form Q : 5(tnr'\2+ 4' Show that Q has a divisor the form 5k + 4 greater than n. To do this, use the law of quadratic reciprocity - to show that if a primep dividesQ, then t I t)l| ? | 314 Quadratic Residues

7. Use Pepin'stest to show that the following Ferntat numbersare primes

a) Fr : 5 b) F3 - z5i c) F4: 65537.

8. From Pepin'stest, conclude that 3 is a primitive root of every Fermat prime.

9. In this problem,we give another proof of the law of quadratic reciprocity. Let p and q be distinct odd primcs. Let R be the interior of the rectanglewith vertices o: (o,o),A: b/2,0, B: Q/2,0,and C : b/2,q/D. a) Show that the number of lattice points (points with integer coordinates)in R i, P-l .q-l 22 b) Show that there are no lattice pointson the diagonalconnecting O and C.

c) Show that the number of lattice points in the triangle with verticesO, A, C Q-D/2 is i-l

d) Show that the number of lattice points in the triangle with verticesO, B, Q_r)/2 and C is j-l

e) Concludefrom parts (a), (b), (c), and (d) that

Q-t)/2 Q-D/2

j-t j-l

Derive the law of quadratic reciprocityusing this equationand Lemma

9.2 Computer Projects

Write programsto do the following:

l. EvaluateLegendre symbols, using the law of quadratic reciprocity.

2. Determinewhether Fermat numbersare prime using Pepin'stest.

9.3 The Jacobi symbol In this section,we definethe Jacobisymbol. This symbolis a generalization of the Legendresymbol studied in the previoustwo sections. Jacobi symbols are useful in the evaluationof Legendresymbols and in the definitionof a type of pseudoprime.

Definition. Let n be a positive integer with prime factorization n:p'ipti 'p; and let a be a positiveinteger relatively prime to n. Then, 315 9.3 The Jacobi sYmbol

the Jacobi symbol t' dennedbY t; I [.] : l, ,| Ip\'p'; " ' p'; l:[*]' t;l lh)' are Legendre where the symbolS on the right-hand side of the equality symbols.

Example. From the definition of the Jacobi symbol, we seethat ['l: lzl ::lil lz)'let :(-r)2(-r):-r' l45,11."ij l;l

and #l:[+*l :[+l [+l [+] :[+l [+ll*l : : '-D2 t2(-'l): -r [+]'[+l'[+] When r is prime,the Jacobisymbol is the sameas the Legendresymbol'

However,when n is composite,the valueof the Jacobisymbol ' lq I Oott nor lr) tell us whether the congruencex2 = a (mod n) has solutions..,*. do know - see that if the congruencex2 = a (mod n) has solutions,then l* | t To ln) (modn) this, note that if p is a prime divisor of n and if x2 =a has solutions, then the congruencex2 = a (mod p) also has solutions. Thus, r I f -l m ( ^ )t : : it is possible I i | : t Consequently,' | + I II | * I l. To seethat lp).. ln) i-1lPi) tl g : (mod a : 2 and that I | : 1 when there are no solutions to xz a n), let ln ) : (-r)(-1): n: t5.Nore that : t?l r. However,thereare [+lt ^- r t+.|t - J l. ) ,l no solutionsto x2 i 2 (mod i S), rin* the congruencesx2 = 2 (mod 3) and x2 = 2 (mod 5) have no solutions. We now show that the Jacobi symbol enjoys some propertiessimilar to those of the Legendresymbol. 316 QuadraticResidues

Theorem 9.5. Let n be an odd positive integer and let a and b be integers relativelyprime to n. Then (i) if a: D (modn),then ll: l*) (ii) lol:n ["]fql I ) ln ) ln ) r)-t (iii) | | : t_ 11h-D/z' f tr ) /) (iv) ILl :1-1) (n':-r)/a. ln )

Proof- In the proof of all four parts of this theoremwe use the prime factorizationn : p\,p'i . . p';.

(i). Proof of we knowthat if p is a rrime.,dividinqn,then a =b (modp). Hence,from Theoremg.z : G\ we have l* | l+ | consequentry,we see IDJ lp) that i*l: f*l"l+J" [-tL'-:lr'llo )"l o l" I ol'': fal f,,J lo,Jlp,) lo^,| lo,t lp^):l;j

Proof (i). , I i a I of Fromrv"' Theorem rrrvvrwttt9.27'L \Ir'f'(ii), wews knowKlluw that fq) : | lo, ,l ltl F)' Hence. [+):l*)"[#]"l*)'- : [;] " l*)" {t)" [*] " l*)'-l*)'' : [;] [*] 317 9.3 The Jacobi sYmbol

if p is prime' then Proof of Gril. Theorem 9.3 tells us that - (-11 Q-r)/2.ConsequentlY, t+l 'l" f-r I l'-rl"l-r . [-' ]" l-l: ll_ l"'rll ln,| LP,)lPrJ tP^) t'(p'-t)/Z+ '" + t^(p^-r)/2 : (- ,1tJn;t\/2+

From the prime factorization of n, we have (t (p^-l))'' n- (r + Qr-l))"(l + bz-l))"''' *

Since Qi-l) is even.it follows that (t + (pi-l))" = | + tib,-t) (mod 4)

and (mod4). (l + r,(pi-l))(r + r, Qi-D): I + tiQl-t) + tibi-l)

Therefore, '''+ (mod n = 1+ tlpr-t) + t2(p2-i + t^(p^-l) 4)'

This impliesthat (mod Q-D/2 = tJprD12 * tz(pz-D12+ + t^(p*-D12 2) . r' Combiningthis congruence for (n-1) lZ wittttheexpression for 'no*t l+J /)n-l rlr--' 2 that | | : (-l) l,r ) r) : (-1;(r'l-r)/8' Hence' Proof of (iil .If p is prime,then l+l lp) +t^Qi-r\tt Izl : Il" [z] t+'lt : (_l),,bi_t,tts+t,gt-r)/8+ L,J lp'J lp,) lp^)

As in the proof of (iii), we note that n2: (r+ (p?-r)"0 + @?-l))""' (t + bT-l))". 318 QuadraticResidues

Sincepl-I = 0 (mod8), wesee that 0 + Q?-l))', = | + tie?-l) (mod64)

and (l+r,b?-l))(l + 4el-t)) = | * t;e?_D+ t,A? t) (mod64). Hence,

n2:t+tJp?-D+tze?-D+ + t^(pT-l) (mod64). This implies that (n2-t)/8: tJp?-D/B+ tze?-D/s +... + t*(p3,_l)/8(mod s).

combiningthis (n2- congruencefor l)/g with the expressionfor [el teils f ln ) us that lLl"'l :1-1;(n'-t)/8. D ln ) We now demonstrate that the reciprocity law holds for the Jacobi symbol as well as the Legendre symbol.

Theorem 9.6. Let n and m be relatively prime odd positive integers.Then f lf I m-t n-l lrl-| lLl: (_t) , , . lm )l n )

Proof. Let the prime factorizations of rn and n be m : pl,pl, . " p!' and n : ql'q!, . . . qor,.we seethat lr):,4tt)':,q,s w)'"' and

t ( s r IIl;ln l4/ :rtrt l*):j-t I I'J ) j-t i-t It)"'' Thus, 319 9.3 The Jacobi symbol

:,g q'l 10tu' l+l[*] ,sti*l th) l From the law of quadratic reciProcity, we know that [o,-,1f n,-,I lr l t*ltr) :(-rllrj t-) Hence,

r |^) [ , I ( ' r \ "): (-l)'-'l-' \ / f| ff(-l) [7Jl;): t-l j-l

We note that t,p,",1+l ',[+] :z ",1+] ,.a''t+] As we demonstratedin the proof of Theorem 9.5 (iii), Doif+] =* (mod2) j-t(o)z

and

n-l (mod 2). 5u,[+]= 2

Thus, r s (e.8) ^fr,-tl ^[Qr-tl =.-l +(mod2). i-t i-r J \

Therefore,from (g.Z) and (9.8), we can concludethat f )f ) m-l n-l lLllal:(_r) 2 2 tr I n )lm )

We now developan efficient algorithm for evaluating Jacobi symbols. Let a : and b be relatively prime positive integers with a < b. Let Ro Q and power of R r : D Using the division algorithm and factoring out the highest two dividing the remainder, we obtain 32A Quadratic Residues

Ro: Rflr+2t'R2,,

where s1 is a nonnegative integer and R2 is an odd positive integer less than R ' When we successively I use the division algorithm, and factor out the highest power of two dividing remainders,we obtain Rr: Rzez+2"'R3 *r: Rflt+2"Ra

Rr-r : Rn_2Qn_2* 2t.-rRn_1 Rn-z: Rn-tQr-, + 2t.-t. I ,

where s; is a nonnegativeinteger and R; is an odd positive integer less than : &-r for i 2,3,...,n-l Note that the number of division, ,"qu-ir"d to reach the final equation does not exceedthe number of divisions requiied to find the greatestcommon divisor of a and b using the Euclidean algorithm.

we illustrate this sequenceof equationswith the following example.

Example.Leta:401 andb: lll. Then 401:111.3 + 22.n lll- 17.6+20.9 17:9.1+23.1.

Using the sequence of equations we have described, together with the properties of the Jacobi symbol, we prove the following theorem, which gives an algorithm for evaluating Jacobi symbols.

Theorem 9.7. Let a and b be positive integers with a > b . Then ni-r R,-r f ^'l +"'+s'-r-&!a!**f, +...+R"_,-tR._r_r t 8-r z 2 2 2 l+l:(-l)'' ' lb ) where the integersR; and s;,,t :1,2,...,n-l , are as previouslydescribed.

Proof. From the first equation and (i), (ii) and (iv) of Theorem 9.5. we have

fgl- : la,|-i+l:[+]: (-1) 321 9.3 The Jacobi symbol

we have using Theorem9.6, the reciprocitylaw for Jacobisymbols, t*l:'-')+ + t#l so that R,-l R,-l ni-t- l+l:(-r)Tf ^ I [ n, I LDJ IR,J

Similarly, using the subsequentdivisions, we find that lgl :,-,rT'/ ry*n#i+l [ ^, ,| 1R;+rJ the desired forT :2,3,...,n-t\ *nen we combineall the equalities,we obtain expression' for l+ I tr [b ,l The followingexample illustrates the useof Theorem9.7.

Example. To evaluate we use the sequenceof divisionsin the [++], previousexample and Theorem9.7. This tells us that n't'.ttr!:r +:r. [+orl:,-,lt F*o'"lt*' +*!+ l.111J

The following corollary describes the computational complexity of the algorithm for evaluating Jacobi symbols given in Theorem 9.7.

Corollary 9.1. Let a and D relatively prime positive integers with a > b ' ,,be can be evaluated using O(loezb)3) bit Then the Jacobi symbol" l+ | lb) operations. rt a sequenceof O1ogzb) Proof. To find lf I uting Theorem9.7,we perform t.DJ divisions. To see this, note that the number of divisions does not exceed the number of divisions needed to find G,b) using the Euclidean algorithm. Thus, by Lam6's theorem we know that O (log2b) divisions are needed. Each 322 QuadraticResidues

divisioncan be done ((lo^gzD2) using o operations.Each pair of integers si can .bit fl.u.nd be found using o(logzb) bit operationson"" ih" appropriate divisionhas been carried out. consequently, o((log2D)3)bit operationsare requiredto find the integers R;,s7, :1,2,"',n-t i a andb. Finaily,to evaluatethe exponent -l lr.T of in the expressionfor l+l in Theorem9.7, we usethe last threebits in the lD ) binary expansion: : of Ri,i r,2,...,,n-r and the last bit in the binary expansionsof sy,,r: r,,2,...,n-r. Therefore,we use 0(lo926) additionalbit operationsto find Since I+l o((log2D)3)+ ooog2b): o(tog2,D2) , the lD ) corollarvholds. tr

9.3 Problems

I. Evaluatethe followingJacobi symbols a, t+] b, [*] b, [*] , lx) c,[*] 'tml 2. For which positive integers n that are relatively to 15 does the Jacobi symbor equarr? t*l 3. For which positive integers n that are relatively to 30 does the Jacobi symbor equarr? |.+l 4. Let a and b be relatively prime integers such that b is odd and positive and a : (-l)'2'q where q is odd. Show that

b-l + br-l : (-l)--'r l-'' ["1 lb )

5. Let n be an odd square-free.,positive integer. Show that there is an integer a suchthat (a,n): I and : -t l;,J 323 9.3 The Jacobi sYmbol

6. Let n be an odd square-freepositive integer' r\ istakenoverall k ina reducedset a) Showthat )l+l:0, wherethesum ln ) of residuesmodulo n. (Hint: Useproblem 5') residues b) From part (a), show ,n. numberof integersin a reduc?O"ti'of 11"\ O : -t. modulon suchttut I | : I"---r-- is equal to the number*itn l* I lrj l'J 7. Let a and b:ro be relatively prime odd positive integerssuch that

A : lOQt * e1r1 tO: rlQ2 I e2r2

fn-l: fn-tQn-t* enfn

with where q; is a nonnegative even integol, €; : t l, r; iS a positive integer : are obtained by ri 1 ri t, for t : 1,2,...,frj , and rn l. These equations successivelyusing the modified division algorithm given in problem l0 of Section t.2. f^'l a) Show that the Jacobi symbol- | * I i, given by l.DJ *t-f'+l f"l l++*++:.t 2 2 2 2 2 ) Irl :(-l)[

b) Showthat the Jacobisymbol [+.| t, givenbv lD ) t'^l l+ | : (-r)r' lb;

where T is the number of integersi, I <, ( n, with ri-r 7 ciri = 3 (mod 4).

8. Show that if a and b are odd integers and (a,b): l, then the following reciprocity law holds for the Jacobi symbol: I a-t b-t ira

In problems9- 15 we dealwith the Kronecker symbolwhich is definedas follows.Let u positiveinteger that is not a perfect,quu." suchthat a E0 or I (mod4). We oenne1 P"

l") ifa=l(mod8) ttt: -lifa=5(mod8). \l i'

Legendresymbo' if p is an odd prime such that p/a [;):the [;]

:,q[f]" (o"t): : ir I andnIIpi is the prime factorizationof n. [;] ./- I 9. Evaluate the following Kronecker symbols

a, b, c, [*] [*] [*]

For problems 10-15 let a be a positive integer that is not a perfect square such that a= 0 or I (mod 4). ("1 : ( z l l0' Showthat it" zla, wherethe svmbolon the rightis a Jacobi [;] tftl symbol.

Show that if n1and,n2t,re positiveintegers and if (app2) : [*):

Show that if n is a positive integer rl r ) relatively prime to a and if a is odd, then ILI:: I n I whileif a is even,and a :2't wheret is odd,then f ;J [l]J' ['l (_r)r-l.z-l2 2 f ) l;J tTrll 13. Show that if tt1 and ,? uti positive.,integers relatively prime to a and flt 7 nz (mod I al), thenlsl: lLl. f't ,J lnz )

Show that if alo, then there exists a positive integer n with -t-,l n) 325 9.4 Euler Pseudoprimes

al if a > 0 10. : Jr 15. Show that if a then IFJ [- r if a <0.

9.3 Computer Projects Write programs to do the following:

l. EvaluateJacobi symbols using the methodof Theorem 9.7.

2. Evaluate Jacobi symbols using problems 4 and 7.

3. Evaluate Kronecker symbols (defined in the problem set).

9.4 Euler Pseudoprimes Let p be an odd prime number and let b be an integer not divisible by p. By Euler's criterion, we know that ('t 6b-t)lz _ l4l(modp). lp )

Hence, if we wish to test the positiveinteger n for primality, we can take an integerb, with (b , il : l, and determinewhether r,'l 6h-D/2: lg I (modn), ln )

where the symbolon the right-handside of the congruence is the Jacobi symbol.If we find that this congruencefails, then r is composite.

Example. Let n :341 and b :2. We calculatethat 2r7o= 1 (mod 341). (t I : -1. Since341 : -3 (mod8), usingTheorem 9.5 (iv),we seethat | -. I l.34r.l Consequently, 2t7og (mod 341). This demonstratesthat 341 is not [+ prime. Thus, we can define a type of pseudoprimebased on Euler's criterion.

Definition. An odd, composite,positive integer n that satisfiesthe congruence 326 QuadraticResidues

__ ql 6h_D/2f ,_"d n), l" )

where 6 is a positive integer is called an Euler pseudoprime to the baseb. An Euler pseudoprime to the base b is a composite integer that masquerades as a prime by satisfying the congruencegiven in the definition.

Example.Letn:1105 andb:2. wecalculatethat 2s.s2-I (modll05). Since'1105 = I (mod 8), we see that l+] : t.- Hence, r I lllos) -- 2552 I + | (-oa l 105). BecauseI r05 is composite,it is an Euler l-1105 ,l pseudoprimeto the base 2.

The following proposition shows that everv Eulerpseudoprime to the baseD is a pseudoprimeto this base.

Proposition 9.1. If n is an Euler pseudoprime to the base b, then n is a pseudoprimeto the baseD.

Proof. If n is an Euler pseudoprimeto the base6, then - 6G-t)/2f al (modn). ln )

Hence, by squaring both sidesof this congruence,we find that ( \2 16b-D/212-lql (modz). lr) (. ) Sincelgl: t l, we seethat = I (mod n ). This means that n l, ) pseudoprimeto the baseD. tr

Not every pseudoprimeis an Euler pseudoprime. For example, the integer 341 is not an Euler pseudoprime to the base 2, as we have shown. but is a pseudoprimeto this base.

we know that every Euler pseudoprimeis a pseudoprime. Next, we show that the converseis true, namely that every strong pseudoprimeis an Euler pseudoprime. 327 9.4 EulerPseudoPrimes

b, then n is an Euler Theorem 9.8. lf n is a strong pseudoprimeto the base pseudoprimeto this base.

if n - | : 2't ' Proof. Let n be a strong pseudoprimeto the base b. Then : = -1 (mod n) where where / is odd, eithe-r bt I (mod n) or b2" prime-powerfactorization of n ' 0 ( r ( s-1. Let n: fI pi'be the f:l prime divisor of First, consider the casewhere b' = I (mod n)' Let p be a is odd, we see n. Since b, = l(modp), we know that ordo6lr. Becauser an odd divisor that ordob is also odd. Hence, ordrb I b-l)12,since ordob is -1. of the eveninteg er 6Q) - p Therefore, 6Q-r)/2= I (modP)'

f a l : Consequently,by Euler'scriterion , we have t |-;j r\ To computethe Jacobisymbol we notethat :'for all primes I + I' ln ) lil p dividingn. Hence, : -ftIllo':r. lnlInr l+] =tIP'J lfrrl : (b')2' (mod Since bt =1 (mod n), we know that b'-r = I n). Therefore, we have |r b,-t:[a[=t(modn). ln )

We concludethat n is an Euler pseudoprimeto the base b. Next. considerthe casewhere 6rt : -l (mod n)

for somer with 0 ( r ( s - 1. If p is a prime divisor of n, then b2't= -l (modp).

Squaring both sidesof this congruence'we obtain 328 Quadratic Residues

b2"', = l (modp).

This implies that ordob | 2'+rv, but that ordobI z,t. Hence, ordrb : 2'*rc,

where c is an odd integer. Since ordobl(p-l) and 2,+tlordrb, it follows that 2'+tl(p-l).

Therefore, :2r+rd we havep * l, whered is an integer. Since - 6(ord,b)/2 -l (mod p),

we have r\ I A | = 6Q-D/z : 66rd,b/z)((p-D/ord,b) lp ) - (- r!Q-l)/otd,u : (-11Q-r)/2*', (mod p).

Becausec is odd, we knowthat (-t)' : -1. Hence, r) (e.e) l+ | : (-1)rr-r)rz'*': (-l)d, lp) recallingthatd:(p -I) /2'+t. Since each prime p; divid ing n is of the form pr : 2'rrdi + l, it follows that

m n : fI pj'. t-l m : fI (2'+td, + l)o, ,;, : fI (l + 2'+raid;) t-l m = I + 2'+t > aidi (mod 22r+2).

Therefore.

m t2'-t : )rs (mod h-D/2 Z/ a;di 2'+t). i-l 329 9.4 EulerPseudoprimes

This congruenceimPlies that (mod 12s-t-r = i aidi 2) i-l

and

2 o'd' (mod (9.10) 66-r\/2 : (6rt7z:-'- : (-t)'.* : (-1)t-t n).

On the other hand, from (9.9), we have m ^) .fo,o, : (-1)i-t lnl: ft [+.|.: fr ((-r)d,)., : fI el)"'"' InJ ,.:r|.p,J i_r t-l

Therefore, combining the previousequation with (9.10),we seethat - 6(n-t)/z [ql (mod n). ln)

Consequently,n is an Euler pseudoprimeto the baseD' tr

Although every strong pseutloprimeto the base D is an Euler pseudoprime to this base, note that not every Euler pseudoprimeto the base b is a strong pseudoprime to the base b, as the following example shows.

Example. We have previously shown that the integer 1105 is an Euler pseudoprimeto the base 2. However, 1105 is not a strong pseudoprimeto the base 2 since 2(llos-l)/2:2552: I (mod 1105),

while 20t0s-r)/22:2276: 7gl + t 1 (mod ll05).

Although an Euler pseudoprime to the base b is not always a strong pseudoprime to this base, when certain extra conditions are met, an Euler pseudoprimeto the base D is, in fact, a strong pseudoprimeto this base. The following two theoremsgive results of this kind.

Theorem 9.9. If n : 3 (mod 4) and n is an Euler pseudoprime to the base b, then n is a strong pseudoprimeto the baseb. 330 Quadratic Residues

Proof. From the congruence n = 3 (mod 4), we know that n-l : 22.t where t : (n-l)/z is odd' Since n is an Euler pseudoprimeto the baseb, it follows that

- ql bt : 6..'-t)/2 f (modn). ln ) r\ tbl Drnce : +1, l- | we know that either bt = l (modn) or ln ) b' = -l (mod n). Hence,one of the congruencesin the definitionof a strong pseudoprime to the base b must hold. consequently,n is a strong pseudoprimeto the baseb. tr

Theorem9.10. If n is an Euler pseudoprimeto the base6 and lal : -r. \lnl '/ then n is a strong pseudoprimeto the baseb.

Proaf. We : write n-l 2't , where / is odd and s is a positive integer. Since n is an Euler pseudoprimeto the base b, we have - br-,t: 6,.'-r)/2 fa l (modn). ln) r) But sincel4 I : -t, wesee that ln) b'r-' = -l (mod r).

This is one of the congruencesin the definition of a strong pseudoprimeto the baseb. Since n is composite,it is a strong pseudoprimeto ihe base,. tr Using the concept of Euler pseudoprimality, we will develop a probabilistic primality test. This test was first suggestedby Solovay and Stiassen [7g]. Before presentingthe test, we give some helpful lemmata.

Lemma 9.3. If n is an odd positive integer that is not a perfect sguare,then there is at least one integer b with | < b I ft,(b ,n) : r, andl4 | : -,, ln ) where is the Jacobi symbol. 9.4 Euler Pseudoprimes 331

Proof. If n is prime, the existence of such an integer b is guaranteed by Theorem 9.1. If n is composite,since n is not a perfect square,we can write n: rs where (r,s) : I and r: p', with p an odd prime and e an odd positive integer.

Now let / be a quadratic nonresidue of the prime p; such a / exists by Theorem 9.1. We use the Chinese remainder theorem to find an integer b with 1 < b 1 n, (b ,n) : 1, and such that b satisfiesthe two congruences b = t (mod r) b = | (mod s).

Then, fal : (ul f;J l7): tp|,bl"-(_r),-_r,) and : , Since : ro,,owsthat : -' r [*] [*] ii] t1],', [*]

Lemma 9.4. Let n be an odd compositeinteger. Then there is at leastone integerD with | < b I n, (b,n) : 1,and r\ 66-D/z1 l4 | (modn). ln)

Proof. Assume that for positiveintegers not exceeding n and relatively primeto n, that r) (e.1l) 6h-t)/2 : l4 | (modn). ln)

Squaring both sides of this congruence tells us that r t2 lAl b,-t : l3 I = (+ l)z : I (modn), ln ) if (b,n) : I Hence, n must be a Carmichael number. Therefore, from Theorem8.21, we know that n: Qt4z"'e, , whereQt,Qz,...,Qr are distinct odd primes. We will now show that 332 QuadraticResidues

6h-t)/2= 1(modn)

for all integers b with I ( ( (b,n) b n and :1. Suppose that b is an integer such that

6h-r)/2: -l (mod n).

we use the chinese remainder theorem to find an integer a with | 1 a { fl, (a,n): l. and

a=b(modq1) :- . a | (modQzQs. . q,).

Then, we observethat - o.r2) oG-1)/2 6b-D/z: _l (modq1),

while (e.13) o(n-r)/Z= I (mod ezQt...Q,).

From congruencesO.lD and (9.13),we seethat

oh_t)/2* + 1(modn),

contradictingcongruence (q.tt). Hence,we must have 6(,-t)/2= I (modn),

for all D with ( I < , n and (b,n) - r. Consequentry,from the definition of an Euler pseudoprime,we know that j 6".-t)/2:|,a : I (modn) l, ) for all D with ( (b,n) : I < b n and r. However,Lemma 9.3 tells us that this is impossible. Hence, the original assumption is false. There must be at leastone integer6 with | < b 1 fl, (b,,D: l, and |r 6G-D/z1 l4 | (mod n ). tr ln )

We can now state and prove the theorem that the basis of the probabilistic primality test. 9.4 Euler Pseudoprimes 333

Theorem 9.11. Let n be an odd composite integer. Then, the number of positive integersless then n, relatively prime to n , that are basesto which n is an Euler pseudoprime,is lessthan 6fu) /2.

Proof. From Lemma 9.4, we know that there is an integer b with I < b 1 n, (b,n): l, and ql (s.rq 6b-r)/2l f (modn). lnJ

Now, let e1,e2,...,e^denote the positive integers less than n satisfying 1 ( a; ( n, (ai,n) : l, and r) - (e.ls) afn-rtrzlLl (modn), In ) for; : 1,2,...,m. Let rr{2,...,rm be the least positiveresidues of the integersbayba2,...,ba^ modulo n. We note that the integers rj are distinct and (ri,n): I for j : 1,Z,...,frt.Furthermore,

(e.16) ,(n-,)t21 (modn). [+]

For, if it were true that

,e-,)/2- (modn), [+] then we would have - $a)(n-,)/2l+l r-"0,r

This would imply that,

6h-t)/2o(n-t)/2: t+l (mod n ), Ir1J [+] and since (9.14) holds.we would have 334 QuadraticResidues

6."-t\/2_ fqI l, )' contradicting(9.14).

Since aj, j :1,2,...,m, satisfies the congruence (9.15) while rj, j :1,2,...,n, (g.to) doesnot, as shows,we know thesetwo setsof integers share no common elements. Hence, looking at the two sets together, we have a total of 2m distinct positive integers less than n and,relativ-ely prime to n. Since there are integers Qh) less than n that are relatively-filis prime to /r, we can conclude that qfu), 2m < so that m < eh)/2. proves the theorem. tr

From Theorem 9.1 l, we see that if n is an odd compositeinteger, when an integer b is selectedat random from the integers 1,2,,....,n-1,th; probability that n is an Euler pseudoprime to the base 6 is less than I/2. This leads to the following probabilistic primality test.

The Solovay-Strassen Probabilistic Primality Test. Let n be a positive integer. Select, at random, ft integers bpb2,...,boLorr the integers i,2,...,r-r. For each of theseintegers bj,j : 1,2,...,k,determine whether

6Q-t)/2 (modn) t+] If any of these congruencesfails, then n is composite. If n is prime then all these congruences hold. If n is composite, the probability that all k congruences hold is less than l/2k. Therefore, if n passesthis test n is ,,almost certainly prime."

Since every strong pseudoprimeto the base b is an Euler pseudoprimeto this base, more composite integers pass the Solovay-Strassenprobabilistic primality test than the Rabin probabilistic primality test, altirough both require O(kQag2n)3) bit operations.

9.4 Problems

l. Show that the integer 561 is an Euler pseudoprimeto the base 2. 2. Show that the integer 15841 is an Euler pseudoprime to the base 2, a strong pseudoprimeto the base 2 and a Carmichael number. 3. Show that if n is an Euler pseudoprimeto the basesa and 6. then n is an Euler pseudoprimeto the basea6. 9.4 EulerPseudoprimes 335

4. Show that if n is an Euler pseudoprimeto the base b, then n is also an Euler pseudoprimeto the basen-b. 5. Show that if n= 5 (mod 8) and n is an Euler pseudoprimeto the base 2, then r is a strong pseudoprimeto the base 2.

6. Show that if n = 5 (mod 12) and n is an Euler pseudoprimeto the base3, then n is a strong pseudoprimeto the base 3.

7. Find a congruencecondition that guaranteesthat an Euler pseudoprimeto the base 5 satisfying this congruencecondition is a strong pseudoprimeto the base 5.

8. Let the composite positive integer n have prime-power factorization , : pl,pi, . . . ph, where pi : | * zfqi for i:1,2,...,ffi, where kr ( kz ( < k-, and where n: | * 2kq. Show that n is an Euler pseudoprimeto exactly

6" II ((n-l)/2, p1-t) j-l

different basesb with l

9.4 ComputerProjects Write programsto do the following:

Determine if an integer passesthe test for Euler pseudoprimesto the base b.

Perform the Solovay-Strassenprobabilistic primality test. 10

Decimal Fractions and GontinuedFractions

10.1 DecimalFractions In this chapter, we will discuss rational and irrational numbers and their representations as decimal fractions and continued fractions. we begin with definitions.

Definition. The real number a is called rational a - a /b, where a and b are integers with b * 0. If a is not rational. then say that u is irrational. If a is rational a number then we may write a as the quotient of two integers in infinitely many ways, for if ot : a f b, where o uni b are integers with b ;t' 0, then : a ka f kD whenever fr is a nonzero integer. It is easy to see that a positive rational number may be written uniquely as the quotient of two relatively prime positive integers; when this is done we say that the rational number is in lowest terms.

Example. We note that the rational number ll/Zl is in lowest terms. We also see that

-tt/-21 - tt/2r : 22/42: 33/63:

The following theorem tells us that the sum, difference, product, and quotient (when the divisor is not zero) of two rational number is again rational. 337 1O.1 DecimalFractions

Then a + a - 0' a9' Theorem 10.1. Let a and B be rational numbers. 0, and a/0 (when P+0 are rational'

: alb and : cld' where Proof. Since a and p are rational, it follows that a B * O' Then' each of the e, b, c, and d are integers with b * 0 and d numbers a * B : a/b + cld : (ad*bc)/bd' - : (ad-bc)lbd' a - 0: a/b c/d a0-b/b)'k/d)-acfbd, a/0 : b /b) lG ld) : ad lbc @*0 '

denominatcr different is rational, since it is the quotient of two integers with from zeto. D We start by The next two results show that certain numbers are irrational' considering ,/T

Proposition 10.1. The number '/T is irrational'

prime integers Proof. Suppose that .,,6 : a lb, where c and b are relatively with b I 0. Then, we have 2: a2lb2,

so that 2b2 : a2.

q :2c, so that Since 2lor,problem 3l of Section2.3 tells us that2la. Let b2:2c2.

6. However, Hence,21b,, and by problem 3l of Section2.3,2 also divides b' This since G,b)':1, we^know that 2 cannot divide both a and contradiction shows that .6 is irrational' B it We can also use the following more general result to show that .6 irrational.

* * Theorem 10.2. Let o( be a root of the polynomial x' cnlxn-t * cp * cs where the coefficientsca, ct,...,cn-r,are integerswith cs * 0. Then a is either an integer or an irrational number'

and b Proof. Supposethat a is rational. Then we can write ot: alb whete a 338 DecimafFractions and ContinuedFractions

are relatively prime integers with b - o. Since ot is a root of x' + cr-1xn-l * * cp * ,0, we have

b/b), rc,_tG/6y,-t * +cJa/D *ca:0.

Multiplying by bn, we find that

an + cn_pn-tb + * cpbo-r + csbn: 0.

Since ' '!n',*n', ^:,,;;'i-. ,,n*' u * * , u'^o!,',u"rli-"o;ui, orp Sincex,'-::'il p b and b an I I , we know that p I a, Hence, by problem 3l of Section 2.3, w: see that pla. Howiver, since (a, b) : l, this is a contradiction which shows that b : t 1. Consequently,if a is : rational then d * o, so that a must be an integer. tr we illustrate the use of Theorem 10.2 with the following example.

Example' Let a be a positive integer that is not the mth power of an integer, so that "\/i it not an integer. ThJn x/i i, irrationat by Theorem - 10.1, since "

The numbers zr and e are both irrational. We will not prove that either of thesenumbers are irrational here; the readercan find proofsin Itg]. We now consider base 6 expansionsof real numbers, where b is a positive integer,b > l. Let a be a real number,and ret a:Ial be the integerpart of a, so that r:o--[a] is the fractionalpart of a and ot:a *7 with 0 < I' < 7 From Theorem 1.3, the integer a has a unique baseb expansion. We now ^y show that the fractional part also has a unique base6 expansion.

Theorem 10.3. Let 7 be a real number with 0 ( y ( l, and let b be a positive integer, b > | . Then T can be uniquely written as

r: ; ci/bi j-r where the coefficientsc; are integers with 0 ( c; < 6-l for j : 1,2,...,with the restriction that for every positive integer l/ there is an integer n with n2Nandc, lb-1. 339 1O,1 Decimal Fractions

series' We will use the In the proof of Theorem 10.3, we deal with infinite geometric series' following formula for the sum of the terms of an infinite

< t. Then Theorem 10.4. Lets and r be real nurnberswith lr[ V ori: a/0-'). j-0

(Most bookscontain a proof') For a proof of Theorem 10.4,see [62]. calculus

We can now ProveTheorem 10'3'

Proof. We first let c1: IbTl ,

let so that 0 ( cr ( b_1, since0 < b7 < b. In addition, - - ^fr: bl cr: b^Y lbll '

sothat0(?r(land c1 , 7l ^Y: 1 ' b b

^yg : We recursivelYdefine c1 and for k 2,3,..., bY ck : [bfr-r]

and nlk-t:+.+'

< I' Then' so that 0(cr (b-t, since0(bzt-r1b, and 0(rt follows that C1 C"t Cn * +^Y, 7:T* Ur* n, b,

consequently, Since0 ( ln ( l, we seethat a 4lr/bn < l/bn. :0. )tgntO'

Therefore. we can concludethat 340 DecimalFractions and ContinuedFractions

7: lim n<6

')6 : r, .{,t " J j:l

To show that this expansionis unique,assume that

r:; c1/bi:; dj/bi, j -l j:l

whereo r, b-l ( 5 < and 0 d, < b-1, and, for everypositive integer.v, thereare integersn and m with i, * D-l andd* r b-1. Assumethat k is the smallestindex- for which cr, * d1r, and assumethat c1,7 dr, (the case cr 4 dp is handled by switchingthe roresof the two expansions).Then o : : (c*-d) ; k1-d1) lbi /bk * ki-d) /bj , j,i', _k+l

so that

( 10.1) : G1,-d1)/bk ; e1-c1) /bi j-k+t

Since c; ) d*, we have (10.2) b*-d) /bo > , /uo.

while

(10.3)

j:k+t j-k+l l lLK+l :(b-l) "u , | _ t/b : l/bk, where we have used Theorem 10.4 to evaluatethe sum on the right-hand side of the inequality. Note that equality holds in (10.3) if and only if dj - c.i: b-l for al! i with 7 ) t 1t, and this occurs if and only if dj :.b-l-and ci:0 for i 2 k+t. However,such an instanceis excludedby the hypothesesof the theorem. Hence, the inequality in (tO.:) is strict, and therefore, (to.z) and (10.3) contradict (to.t). ttris shows that the baseb expansionof a is unique. tr \ 1O.1 Decimal Fractions 341

The unique expansionof a real number in the form ). c1/bi is called the J-t base b expansionof this number and is denotedby kp2ca..)6.

To find the base b expansion(.cp2ca..)6 of a real number 7, wo can use the recursive formula for the digits given in the proof of Theorem 10.3, namely ck : lbt*-J , ^fk : by*-t - lblt -J , where ^Yo: ^Y,for k : 1,2,3,...

Example. Let (.cp2ca..)6 be the base8 expansionof l/6. Then - ' t- I c1: [8 ;l: 1,, ^yt:8 -l : o + T,

_ l_ 2 c2:[8';'l:2, ^y2:s -2: J + t' _ )_ I ca:[8']l-5, ^y3:B -5- J + T' _ t- 2 ca:[8'Tl:2, 74:8 -2- J + T' ^ys-s I cs:[8'?t:t, +-s: T, and so on. We seethat the expansionrepeats and hence, t/6 : (1252525..)8.

We will now discussbase b expansionsof rational numbers. We will show that a number is rational if and only if its base D expansion is periodic or terminates.

Definition. A base D expansion (.cp2ct..)r is said to terminate if there is a positiveinteger n such that c, - cn*l - cn+z: : 0.

Example. The decimal expansionof l/8, (.125000...)ro: (.125)ro,terminates. Also, the base6 expansionof 419,(.24000...)o - (24)6, terminates.

To describethose real numbers with terminating base b expansion,we prove the following theorem. 342 DecimalFractions and ContinuedFractions

Theorem 10.5. The real number a, 0 < q I 1, has a terminating base D expansionif and onlyif a is rationaland a : r/s, where 0 ( r ( s and every prime factor of s also divides D.

Proof. First, supposethat a has a terminating base6 expansion,

d: (c 1c2...c)6 . Then

Q:

b'

so that a is rational, and can be written with a denominatordivisible only by primesdividing b.

Conversely,suppose that 0 ( a ( l, and

a: rfs .

where each prime dividing s also divides6. Hence,there is a power of D, say bN, that is divisible (for by s instance, take N to be the largest exponent in the prime-power factorization of s). Then bNot:b*r/t:er,

where sa : bN,, and a is a positive integer since slbr. Now let (a*a^-1...aps)6 be the baseb expansionof or. ln"n a^b^*o^-tb^-r + . . . * atb*ag a: ar/bN : 6u : d*b--N + am_tbm-l-fl + *a1b|-tr+ aob-N

: (.00...a mom-t...a ,as)y .

Hence,a has a terminating base6 expansion. D Note that every terminating base b expansion can be written as a nonterminatingbase 6 expansionwith a tail-end consistingentirely of the digit (.cp2... b-1, since c^)r- (cp2... cm-lb-lb- i...lu pir instance,(12)to: (.ttlll...)ro . This is why we require in Theorem10.3 that for every integer N there is an integer n, such that n ) N and 343 1O.1 Decimal Fractions

not be unique. cn# b-l; without this restrictionbase b expansionswould for instance A base b expansionthat does not terminate may be periodic, I 13: (.333...)1s ' | /6 : (.1666.'.) to '

and | /7 : (.t+ztst 142857142857 ..) rc'

if there are Definition. A base b expansion (.cp2ca..)6 is called periodic : positive integers N and k such that cn11 cn for n 7 N ' Wedenoteby(cp2...cv1-,']]-"*1-')6theperiodicbaseb expanslon instance'we have (.cp 2...c7,1- rclr...cry+ t -( tt...c N+t-rc.nv "') a' For r/3 : (.J)_.,0, 716: (.16)ro ,

and ll7 : (.taxsz) ro .

begin Note that the periodic parts of the decimal expansionsof 1/3 and l/7 proceedsthe immediately, while in the decimal expansion of l/6 the digit I b periodic pirt of the expansion. We call the part of a periodic base periodic part L*punsion preceding the periodic part the pre-period, and the thi period, where we take the period to have minimal possiblelength'

(.ootorzr)r. pre-period is Example. The base 3 expansionof 2/45 is The (001)3and the periodis (Ot2l)3.

The next theorem tells us that the rational numbers are those real numbers gives with periodic or terminating base b expansions. Moreover, the theorem the lengths of the pre-period and periods of base b expansionsof rational numbers.

Theorem 10.6. Let b be a positive integer. Then a periodic base b expansion representsa rational number. Conversely,the base b expansionof a rational ( number either terminates or is periodic. Furthero if 0 < a 1, a: rfs, : where r and J are relatively prime positive integers, and s T(J where every prime factor af T divides 6 and (U ,b) : 1, then the period length of the base b of a is ordy b, and the pre-period length is .l/, where N is the ""punrion smaliestpositive integer such that TlbN. 344 DecimalFractions and ContinuedFractions

Proof. First, supposethat the baseD expansionof a is periodic,so that a: (.crrr...r*ffi)o

c1 ct I-J- b62

C1 C'; I-J- b62

where we have used Theorem 10.4 to see that €l s^_ 6tc ojo I bk-l t"^ ,r-._ bk

Since a is the sum of rational numbers, Theorem l0.l tells us that a is rational.

Conversely, supposethat 0 ( a ( l, a : r /s, where r and s are relatively prime positive integers, : s T(J, where every prime factor of T divides b, Ql,b): 1, and I/ is the smallestinteger such-that Tlb*

Since Tlb*, we have aT: bN, where c is a positiveinteger. Hence

(10.4) bNa:bN L- or TUU

Furthermore,we can write (r0.5) ar c i:n*i,

where A and C are integers with 0 < I < 6N, 0 < c < u.

and(c,u): (the l. inequalityfor A followssince 0 ( bNa: + < bN. U which results from the inequality 0 ( a ( I when both sides are multiplied by bN) (C,tl): . The fact that I follows easilyfrom the condition (r,s) : l. From Theorem 1.3,A has a baseb expansionA : (anan_t...epo)u. : lf U l, then the base b expansion of a terminates as shown above. Otherwise, Iet v : ord,ub. Then, 34s 1O.1 DecimalFractions

Qu+t) c (10.6) b' +t, #: U where/ is an integer, since b' = | (modU). However, we also have

(- (t Cj c' (10.7) -+ + * al. b'+:b'l]+ b') U LA 62 b'

(cp2ca...)6is thebase b expansiono' that where t,so - ck : lblt -J , ^yk- b'yt-r lbl*-J

C :1,2,3,.... (10.7)we seethat where To : T, for k From (-( (10.8) b' *: lr,bu-t+ c2b'-z+ * r"] t ru. U\ ( ( l, Equatingthe fractionalparts of (10.6) and (tO.S),noting that 0 T, we find that C 4t:-Iv u'

ConsequentlY,we seethat ^Yv: ": t' so that from the recursivedefinition of c1,c2,...we can concludeIhzt cpau: c1, for k : 1,2,3,.,.. Hence nuta periodicbase b expansion $ c - (n-rcr-Q6. U

Combining (tO.+) and (10.5), and inserting the base b expansionsof A and 9. *. huu, U' (ro.s) bN a : (anan-1...atao. c p2...cv)6.

Dividing both sidesof (10.9) by bN, we obtain a : (.00...anan-r...opoffi) u,

(where we have shifted the decimal point in the base b expansion of brya N 346 Decimal Fractions and Continued Fractions

spaces to the left to obtain the base b expansion of a). In this base D expansion of a, the pre-period (.00...a,an-t...ipo)a is of length - N, beginning with.A/ h*1) zeros,and the period f.ngit, ir r. We have shown that there is a base b expansionof a with a pre-period of length r/ and a period of length v. To finish the proof, we must ,t o* that we cannot regroup the base b expansion of a, so that either the pre-period has length less than ry', or the period has length less than v. To do this, suppose that q: (.crrr...trffi)u

C1 Ct : *;* , cM+k b *#*(*)la. -;m

k +c ftM-t 2bM-2q +cM)(bk-t) + Gyar6k-t+ f cTaap) bM (bk -t)

Sinceq.: rfs, (r,s) : with l, we seethat slbM$k_D. Consequently,TlbM uTd ul(tk-o. Hence, M > N, and vlk (from Theoremg.l, since bk = I (mod tD : and v ord,ub). Therefore,'the pre-period length cannot be less than ,^/ and the period length cannot be less than v. D We can use Theorem 10.6 to determine the lengths of the pre-period and period of decimal expansions. Let a: r/s, 0 < a ( l, and , :2", 5r,, where (1,10) : , l. Then, from Theorem 10.6 the pre-period has length max (s1,s2)and the period has length ord,l0.

Example. - Let ot:5/28. since 2g 22.7,,Theorem10.6 tells us that the pre- has length rylt:d 2 and the period has length ord710 : 6. Since : (fiasll4z), 5/28 we seethat theselengths are correct. Note that the pre-period and period lengths of a rational number r f s, in lowest terms, dependsonly on the denominators, and not on the numerator/. we observe that from Theorem r 0.6, a base b expansion that is not terminating and is not periodic representsan irrational number.

Example. The number with decimal expansion or: .10100100010000..., consisting of a one followed by a zero, a one followed by two zeros, a one followed by three zeroes, and so on, is irrational because this decimal expansiondoes not terminate, and is not periodic. 347 1O.1 DecimalFractions

so that its decimal The number d in the above example is concocted occurring numbers expansion is clearly not periodic. To show that naturally 10.6, becausewe do such as e and 7( are irrational, we cannot use Theorem numbers' No matter not have explicit formulae for the decimal digits of these we still cannot how many decimal digits of their expansions we compute, the period could conclude that they are irrational from ihis evidence,because be longer than the number of digits we have computed'

10.1 Problems

l. Show that dE is irrational l0'l' a) by an argument similar to that given in Proposition

b) using Theorem 10.2.

2. Show that :/i + ..6 is irrational. 3. Show that a) log23is irrational. positive integer which b) logob is irrational, where p is a prime and b is a is not a Power of P - rational or 4. show that the sum of two irrational numbers can be either irrational. either rational or 5. Show that the product of two irrational numbers can be irrational.

6. Find the decimal expansionsof the following numbers

a) 2/5 d) 8lrs b) slt2 e) lllll c) r2113 f) 1/1001.

7. Find the base8 expansionsof the following numbers a) rl3 d) r16 b) rl4 e) rlrz c) rls f) r122.

8. Find the fraction, in lowest terms, representedby the following expansions a) .rz b) .i c) n. 348 Decimal Fractions and Continued Fractions

9' Find the fraction, in lowest terms, representedby the following expansions a) (.rzi, c) (.iT),, b) (.oar6 d) (M),6.

l0' For which positive integersD doesthe base6 expansionof l r/zro terminate? I l ' Find the pre'period and period lengths of the decimal expansionsof the following rational numbers

il 7/t2 d) rc/23 b) tt/30 e) B/s6 c) t/7s f) t/6t.

12' Find the pre'period and period lengths of the base 12 expansionsof the following rational numbers

a) t/+ d) s/24 b) r/B e) 17h32 c) 7/ro f) 7860.

13' Let b be a positive integer.Show that the periodlength of the base6 expansion - of l/m is m I if andonly if z is piimeand , i, primitiveroot of m. " 14. For whichprimes p doesthe decimalexpansion of l/p haveperiod length of

a)l d)4 b)2 e)5 c)3 f) 6?

15. Find the baseb expansionsof

a) r/(b-r) b) r/6+D .

16. Showthat the baseD expansionof t/G-1)z;, 1.9ffirJp1;u. 17. Showthat the real numberwith base6 expansion (otzt.,.o-tlol rr2..)t,

constructed by successively listing the base b expansionsof the integers, is irrational.

18. Show that +.#.#.#.# 349 1O.1 Decimal Fractions

one. is irrational, wheneverD is a positiveinteger larger than integers greater than one' r9. Let byb2,fur... !s an infinite sequence of positive Show that every real number can be represented as ,o*?.#+#;+,

( ( for k : I'2'3'"" where cs,c1,cz,c!,...are integerssuch that 0 ct bp

20. a) Show that every real number has an expansion CrCtrt+ to+l! * zl* 3!

( ( : l'2'3'"" where cs,c1,c2,c!,-.-are integers and 0 ct k for k expansion of the type b) show that every rational number has a terminating describedin Part (a). of llp is ('t,tr'-oJ" Zl. Supposethat p is a prime and the base b expansion is p - l. show that so that the period length of the base b expansion of llp ( if z is a positiveinteger with I ( ln p, then.

m /p : (.cya1...coac( 2...c1sacP)6'

where k : indtm modulo P. - ('ffi)6 period length' 22. Show that if p is prime and l/p has an even : k :2t, thenci * ci+t: b-l for.,;r 1,2,"',t whete h and' k 23. The Farey series Fn of order n is the set of fractions hlk (h,k): order' Here, we are integers,0 ( ft < k ( n, and 1, in ascending Farey 0 and I in the forms and respectively' For instance, the include i II seriesof order 4 is 0l112 3l T'T,T'T'7,7,T

a) Find the Farey series of order 7. series' then b) Show that if a/b and c/d are successiveterms of a Farey bd - ac :1. Farey series, c) Show that if a/b, c/d, and e/f are successiveterms of a then

c a*e 7- E7' 3so DecimalFractions and ContinuedFractions

d) Show that if a/b and, c/d are successiveterms of the Farey series of order n, then b*d ) n.

24. Let n be a positiveinteger, n ) l. Show that I not an integer.

l0.l ComputerProjects

Write computerprograms to do the following: I ' Find the base6 expansion of a rational number, where b is a positive integer. 2' Find the numerator and denominator of a rational number in lowesr rerms from its base b expansion. 3' Find the pre-period and period lengths of the base D expansion of a rational number, where b is a positiveinteger. 4' List the terms of the Farey series of order n where n is a positive integer (see problem 23).

10.2 Finite Continued Fractions Using the Euclidean algorithm we can express rational numbers as continued fractions. For instance, the Euclidean algorithm produces the following sequenceof equations:

62:2.23 + lG 23: l.16+ 7 16:2-7 + 2 7:3-2 + l.

When we divide both sidesof eachequation by the divisorof that equation,we obtain 62:r*16:,)r I L 23 23 nlr6 ?3-:t+L:t* I 16 16 16/7 16 : I + Z: r + I 7 7 7/2 +:3 + !. 2 2'

By combiningthese equations, we find that 351 1O.2 Finite Continued Fractions

62 :2+ 1 23 23116 :2+ t I Ir' -L: rc17 :2* I 1+h

:2* I 1+ 2++- 3*;

fraction The final expressionin the abovestring of equationsis a continued expansionof 62123. We now definecontinued functions'

of the form Definition. A finite continuedfraction is an expression I aot atl ctz *

+- 1 an-rt L an positive' The real where Qg,a1,a2,...,anale real numbers with Q1,Q2,Q3',"''an fraction' numbers ej,a2,...,Q'n are called lhe partial quotients of the continued an are all The continued fraction is called simple if the real numbers as,c r,..., integers. we use the Because it is cumbersome to fully write out continued fractions, in the above notation Lso;a1,e2,...,Ctn|to represent the continued fraction definition. a We will now show that every finite simple continued fraction represents number can rational number. Later we will demonstrate that every rational be expressedas a finite simple continued fraction' 352 DecimalFractions and ContinuedFractions

Theorem l0'7 ' Every finite simple continued fraction represents a rational number.

Proof' we will prove the theorem using mathematical induction. For n : 1 we have

I [ao;arl:oo+ *aoar*l al og

which is rational. Now assume.that for the positive integer k the simple continuedfraction [ag;at,e2,...,eklis rational whlnevst as,or,...,okare integers with a positive. r,...,ak Let as,at,...,ek+tbe integers with er,...,ek+t positive. Note that

[ag.a1,...,ak+tl: ag + Ia;a2,..., a1r.a1ra1l

By the induction hypothesis, [a ria2,...,ek,ek+r] is rational; hence, there are integers r and s, with s*0, such that this continued fraction equals r/s. Then

I agr*S lao;a1,...,ak,ok+tl : ag + r/s which is again a rational number. tr We now show, using the Euclidean algorithm, that every rational number can be written as a finite simple continued fraction.

Theorem 10.8. Every rational number can be expressedby u finite simple continued fraction.

Proof. Letx:a/b wherea andb areintegerswithb > 0. Letrs-a and r't : b. Then the Euclidean algorithm prodr.", the following sequenceof equations: 353 1O.2 Finite ContinuedFractions

( rO : r1Q1* 12 Q 1r2 tt, r| : r2Q2* 13 0(131rr, 12: r3Qtl 14 0(ra113,

: ln-3 : fn'ZQn-Z* fr-t 0(rn-11tn-z, fn-Z: fn-1Qn-1*fn 0(rnlrn-t fn-l : tnQn

Writing these In the above equations 4z,Qt,.",Qn are positive integers. equations in fractional form we have lo tt I L: : Qr*;:qt+ b /1 6 tt: . 13 I q2+;:Q2.Trt r2 rZ: ta, I nr*;:et* r3 rrt^

ln-3 tn-l I : -t-L - : Qn-2 rn-2 tn-2 rn-2/rn-t ln-2: ,n - L :-n--.+4 -,n-r,/r, Qn-l t qn-l rn-l' ; fn-l : ,QN rn

Substitutingthe value of r1/r2from the secondequation into the first equation' we obtain al (l 0.10) T:4tt , t 4z r ,rlry

into (10.10) Similarly, substituting the value of r2fr3 from the third equation we obtain 354 DecimalFractions and ContinuedFractions

c * b Qr Qz*

Qt*+rilrt

Continuing in this manner, we find that q't+ I T: Qz* Qt*

,l * Qn-t Qn Hence qnl. This shows t:rnriQz,..., that everyrational number can be written as a finite simplecontinued fraction. ! We note that continued fractions for rational numbers are not unique. From the identity

an : Gn-l) +

we seethat

[ag;a1,e2,..., en_t,onl : Iag;a1,ct2,...,en_t,en

whenevera, ) L

Example. We have

1 : [o;I ,l,l ,31 : [o;l I #II ,l ,l,2, ].

In fact, it can be shown that every rational number can be written as a finite simple continued fraction in exactly two ways, one with an odd number of terms, the other with an even number (see problem 8 at the end of this section). Next, we will discussthe numbersobtained from a finite continuedfraction by cutting off the expressionat variousstages.

Definition. The continuedfractions [as;a1,o2,..., a1l, where ft is a nonnegative integer less than n, is called the kth convergenr of the continued fraction 355 1O.2 Finite ContinuedFractions

by Ct ' [ao;a1,e2,...,Qnl The kth convergentis denoted the convergentsof In our subsequentwork, we will need some properties of starting with a a continued fraction. We now develop these properties, formula for the convergents.

a a, positive' Theorem 10.9. Lel ag,a1,e2,...,an be real numbers,with 1;a/;..., definedrecursively by Let the sequencesP0,Pt,..., Pn and qs,qt,"', Qnbe Po: aO Qo: I : Pt : asol*l q1 ar

and t q*-z P* : okPk-t t P*-z Qk: apQt-t

: is givenby for /c : 2,3,...,n. Then the kth convergentCk I'ao;at,.'.,okl -- Cp P*lqr' : proof. we will prove this theorem using mathematical induction. For k 0 we have Co: lael : asll : Polqo.

For k : l, we seethat aoat*l :Pt Cr : lao;a1l: as + !: a1 a1 Qt

Hence.the theoremis valid for k : 0 andk:l where Now assume that the theorem is true for the positive integer k 2

real Becauseof the way in which the p;'s and 4y'sare defined, we see that the quotients numbers p*-r,p*-z,Qk-1, and Q*-z depend only on the partial by e0,er,...,ak-r . Conr"quently, we can replace the real number ap a* * lla*+t in (t0'l I), to obtain 3s6 Decimal Fractions and Continued Fractions

Ct+r : [ag;at,...,ok,ok+rl : Iao:a1,...,(tk_t,ok +!l ap

+l P*-r t p*-z ["^ ok+t

. l"r *)nr-,*q*-z

a*n(arp*-r * p*-z) * p1,-1

apal(alrQrr-t * Qt_) * qt_t

_ o*+Pt * P*-r a*+fi* * q*-r

_ P*+t Q*+t

This finishesthe proof by induction. D we illustrate how to use Theorem 10.9with the following example.

Example. we have 173/55: [3;6,r,71. we computethe sequencesp1 andq, forj :0,1,2,3,by

Po: 3 Qo: I Pt:3'6+l: 19 Ql:6 Pz: l'19+3:22 Qz: l'6*l : 7 : Pt:7'22+19 173 43- 7'7+6: 55.

Hence,the convergentsof the abovecontinued fraction are Co : po/qo: 3/l : 3 Ct:Pt/qt:19/6 Cz: pz/qz : 22/7 Ct: pJqt: 173/55.

We now state and prove another important property of the convergentsof a continued fraction.

Theorem 10.10. Let k be a positiveinteger, k 2 | Let the /cth convergent of the continued fraction las;ar,...,onlbe c1 : p*/qt, wherept< and,q1, ai as 357 '1O.2Finite ContinuedFractions

definedin Theorem 10.9. Then : (-l)k-l' PrrT*-r' P*-t4t'

For k : I we Proof. We use mathematical induction to prove the theorem' have (asal+l)'l - : l' PtQo-PoT1: asat

that Assume the theorem is true for an integer k where I < ft I tt , so - : (-l)t-l' Pt Q*-r P*-rQt

Then, we have - (arr+rpt - * Pt+rQt P*Qt+t * pr-)qr, P*(arrttQ* Qr-) - - (-l)k-t: (-1)k' Pt-tQt Ptq*-t:

tr so that the theorem is true for k + l. This finishesthe proof by induction. we illustrate this theorem with the example we used to illustrate Theorem 10.9.

Example. For the continuedfraction [3;6,1,71we have - - : -l PoQt PrQo: 3'6 19'l : - : PrQz- PzQl 19'7 22'6 I - - : -1' PzQt PtQz: 22'55 173'7

As a consequenceof Theorem 10.10, we see that the convergentspt lqx for k:1,2,... are in lowestterms. Corollary 10.1demonstrates this.

Corollary 10.1. Let C*: p*lqr, be the kth convergent of the simple continuedfraction las;ar,...,8211,where the integersPt and qp are as definedin Theorem 10.9. Then the integersPr, and qy are relativelyprime.

Proof. Let d : (p*,q*). From Theorem 10.10,we know that - P*Q*-r Q*P*-r: (-l)k-l'

Hence, from ProPosition1-2 we have d I el)k-r.

Therefore,d : l. B 3s8 Decimal Fractions and Continued Fractions

we alsohave the foilowingusefur coroilary of Theoremr0.10.

corollary 10.2- L?t ck : pr/qp be the kth convergent of the simple continuedfraction lao:a1,e2,..., e11l Then {-)*-r C1,- Cr-r : QtrQ*_r

for all inregersk with I < ft n Also,

^ alrG)k Cp- -x-2: QtQt-z

for all integersk with 2 < k ( n .

Proof. From Theorem - 10.10we know thatplrQ*_t Q*pr_r: (_l)k-l

We obtainthe first identitv.

''nnr pr_r (_t)k-l Ck - Cft-r : - Qr Qt-r QtQ*_r

by dividingboth sidesby qrQ*_r . To obtainthe secondidentity, note that Pt'-z Ltr.-r -Lk-z:- -Pt' :- P*Qr-z-P*-zQ* Q* Q*-z Q*Q *-z

since : Pk at p*-r * p*-z andq2 : okek-r * q*-2, we seethat the numerator of the fraction on the right is - prr-zQ*: (a*p*_t - P*Q*-z * p*_z)qk_2 p*_z(arQr,_r* Qr_z) - at(Ptr-tQtt-z- p*-zQ*-) : arr(-l)k- 2,

where we have used Theorem 10.r0 that - Pr-tQt,-z Pt-zQ*-r : (- Dk-z.

Therefore,we find that

a1,GDk Cp - Ck-z: Q*4 tr-z

is the second identity of the corollary. tr 359 1O.2 Finite Continued Fractions

theoremwhich is useful Using corollary 10.2 we can prove the following when developinginfinite continuedfractions'

of the finite simplecontinued Theorem l0.ll. Let c1 be the kth convergent fractionlag:at,Q2,..., Qnl. Then Cr)Cl)Cs) ' Co ( Cz 1 Cq 1 '

:0'l'2"" is greaterthan every and everyodd-numbercd convergent Cri*r ' i : even numberedconvergent Czi,-l 0,1.2,"' : Proof. SinceCorollary 10.2tells us that, for k /'3'"''rt' C1r-C*-z:#'

we know that Cp 1 C*-z

when k is odd,and C* ) C*-z

when k is even. Hence Ct 7 Ct ) Cs

and Co ( Cz 1 Cq 1

To show that every odd-numberedconvergent is greater than every even' numberedconvergent, note that from Corollary 10.2we have (-l)2--r'o' - Cz^-Czr n-l'- Qz^Qz^'t

so that Cz^-t 7 Cz^. To compareC21, and Cri-r, we seethat Czj-r) Crj*z*-l > Crj*ro ) Cz*'

-numbered so that every odd-numberedconvergent is greater than every even convergent. tr 360 Decimal Fractions and Continued Fractions

Example. Consider the finite simple continuedfraction 12:3,1,1,2,41.Then the convergentsare

Co- 2/l-2 C1 - 7/3:2.3333... Cz- 9/4:2.25 C: : 16/7:2.2857... C+: 4l/lS:2.2777... Cs : ftA/79 : 2.2784....

We seethat

Co : 2 1 Cz: 2.25I Ca : 2.2777... ( Cs :2.2784... ( Cr :2.2957... ( Cr :2.3333...

10.2 Problems

l ' Find the rational number, expressedin lowest terms, representedby each of the following simple continued fractions

a) IZ;ll e) [ r ;r] b) [t;z,z] f) [l; l,l ] c) [0;5,0] e) [ I ;t,l,l ] d) [3;7,15,1 ] h) [ l; I ,l ,l,l ].

2' Find the simple continued fraction expansion not terminating with the partial quotient one, of each of the following rational numbers il 6/s d) slsss b) 22t7 e) -4311001 c) t9/29 f) 873/4867.

Find the convergentsof each of the continued fractions found in problem 2.

Let up denote the kth Fibonaccci number. Find the simple continued fraction, terminating with the partial quotient of one, of u1,-,1fup,where ft is a positive lnteger.

5. Show that if the simple continued fraction expressionof the rational number a, a.)1, is [a6;at,...,akl,then the simple continued fraction expressionof l/a is l};a o,ar,. . .,a k'l. 6. Show that if ae * 0, then 361 1O.3 InfiniteContinued Fractions

: P*/p*-r Iooia*-t,. - .,a1,asl

and q : q* / tr-r I'au:a r-r,"',a 2,a 11,

of the where Ck-r: p*-t/qrr-r and C* : pt lq*,k ) l,are successiveconvergents : * pp-2 to continuedfraction la6;a1,...,an1 (Hint: Use the relationP* a*P*-1 showthat pt /p*-r: ar * I/(px-t/p*-). of the 7. Show that q1,) u1, for k:1,2,... where c*: p*lqr is the kth convergent simple continued fraction las;a1,...,an1and all denotesthe kth Fibonacci number' 8. Show that every rational number has exactly two finite simple continued fraction expansions.

9. Let lao;ar,a2,...,a211be the simple continued fraction expansion of rls where (r,s): I and r)l Show that this continued fraction is symmetric, i'e. os: a21tat: an-td2: an-2,...,if and only if s l(r2+t) if n is oddand s l(r2-t) if n is even. (Hint: Use problem 6 and Theorem 10.10).

10. Explain how finite continued fractions for rational numbers, with both plus and minus signs allowed, can be generated from the division algorithm given in problem 14 of section1.2'

ll. Let as,ar,a2,...,akbe real numbers with a r,o2,...positiveand let x be a positive real number. Show that Ias;a1,.'.,ar,l1 lao;a6--.,a1,*xl if k is odd and Ias;a1,...,at1> [ao;a1,.'.,o1r*x]if t is even.

10.2 Computer Projects Write programs to do the following:

l. Find the simple continued fraction expansionof a rational number

2. Find the convergentsof a finite simple continued fraction.

10.3 InfiniteContinued Fractions Supposethat we have an infinite sequenceof positiveintegers Qo,Qt,ay,... . How can we define the infinite continued fraction Las,at,a2,...l? To make sense of infinite continued fractions, we need a result from mathematical analysis. We state the result below, and refer the reader to a mathematical analysisbook, such as Rudin lezl, for a proof.

Theorem ll.l2. Let xs,x r,x2,... be a Sequenceof real numbers Such that xo ( xr ( xz (... and x7, < u for k : 0,1,2,...for somereal number u, or xo2 xr2 xz7 ... andxt2 L for k:0,1,2,... for somereal numberl. 362 Decimal Fractions and Continued Fractions

Then the terms of the sequence xu,xr,x2,... tend to a limit x, i.e. there exists a real number x such that

14to:"'

Theorem 10'12 tells us that the terms of an infinite sequencetend to a limit in two specialsituations, when the terms of the sequenceare increasingand all less than an upper bound, and when the terms of the sequenceare decreasing and all are greaterthan a lower bound. We can now define infinite continued fractions as limits of finite continued fractions, as the following theorem shows.

Theorem 10.13. Let as,e1,ct2,... be an infinite sequenceof integers with ar,Qz,... positive, : and let ck lag;a1,a2,...,e1a1Then the convergentscp tend to a limit ot.i.e J4to:"'

Before proving Theorem l0.l 3 we note that the limit a described in the statement of the theorem is called the value of the infinite simple continued fraction [as;at,o 2,...1 .

To prove Theorem 10.13,we will show that the infinite sequenceof even- numbered convergents is increasing and has an upper bound and that the infinite sequenceof odd-numbered convergentsis decreasingand has a lower bound. We then show that the limits of these two sequences,guaranteed to exist by Theorem 10.12,are in fact equal. We now will proveTheorem 10.13.

Proof. Let m be an even positive integer. From Theorem 10.1l, we seethat

cr ) ct) cs ) ) C^-t ca1cz1cq1 1C^, and C2i 7 Czn+t whenever 2j 4 m and 2k + | <. m . By considering all possiblevalues of m, we seethat

Cr ) Ct>. Cs ) ) Czn-t ) Czn+, co(czlc+( 1 Czn-z 1 C2n I and czi ) Cz**t for all positive integers j and k. we see that the hypothesesof Theorem rc.12 are satisfied for each of the two sequences C1,C3,C2,...and Cs,Cz,C4,.... Hence, the sequenceC1,C3,C5,... tends to a 363 1O.3 lnfinite Continued Fractions

a2 i'e' limit d1 and the sequenceCs,C2,C4,"' tendsto a limit ' : dr )i*c"*r

and : o(2' )*c"

Using Our goal is to show that these two limits a1 and oQ are equal' Corollary 10.2we have (-l)(z'+tl-t - : lzn*t - Pzn - Czn+r Ctn* zn Qzn+t Qzn Qzn+lQz, Qzn+lQzn

(see 7 of Section 10.2), we Since e* 2 k for all positiveintegers /c problem know that I - ezn+rQzn (zn+l)Qn)

and hence

Czn*t - Cz, Qzn+tQzn

tendsto zero,i.e. (Czra1- C2n) : 0. nlim

Hence,the sequencesC1 ,C3,Cs,... and Cg,C2,C4,...have the Samelimit, since (cr, - cz) : Czn*t- cz, : o. j* *t ,lg ,lg

Therefore ayr: aq, z11dwe conclude that all the convergentstend to the limit d : (rr : dz. This finishesthe proof of the theorem' D Previously, we showed that rational numbers have finite simple continued fractions. Next, we will show that the value of any infinite simple continued fraction is irrational.

Theorem 10.14. Let os,,o1,e2,...be integerswith a1,Q2,...positive. Then Iao;a r,,a 2,...1 is irrational.

Proof. Let a : las;at,ctz,...land let 364 DecimalFractions and ContinuedFractions

: Cr pr/qp : [ao;at,...,akl

denote the /cth convergentof a. Whenn is a positiveinteger, Theorem 10.I I shows that C2, ( a ( Czr+t, so that ( - 0 a Czn I Czn*t - Czo .

However, from Corollary 10.2,we know that

I - : Czn*t C2n ' 4zn+tQzn

this meansthat

Pzn 0(a-Czn:a- a 4 zn Qzn+tQzn and therefore, we have

0 1 aq2, - pzn 1 l/qzr+t .

Assume that a is rational, so that ot : e /b where a and b are integerswith b + A. Then

-pzn< I oaoQr" , b Qzr+t and by multiplying this inequality by b we seethat

01aq2n-bpzn Qzn+t - Note that aq2, bpzn is an integer for all positive integersn. However, since ) Qzr+r 2n*I, there is an integer n such that Qzn+t> b, so that b/Qzr+t < I . This is a contradiction,since the integer aQzn- bprn cannot be between0 and I . We concludethat a is irrational. n

We have demonstrated that every infinite simple continued fraction representsan irrational number. We will now show that every irrational number can be uniquely expressedby an infinite simple continuedfraction, by first constructing such a continued fraction, and then by showing that it is unique. 365 1O.3 Infinite Continued Fractions

and define the sequence Theorem f0.15. Let a: cvObe an irrational number Q0,Qt, Q2,'..reCufsivelY bY

Qk : lapl, crk+l:I/bt-a)

continued for k : 0, l, 2,.... Then a is the value of the infinite, simple fraction Lag;ar, az,-..1.

is an integer Proof. From the recursivedefinition given above,we see that ap that for every k. Further, we can easily show using mathematical induction : Next, if a7, is irrational for every k. We first note that d0 a is irrational' is also we assume that a1, is irrational, then we can easily see that a,p1' irrational, sincethe relation dk+r:l/(at-a*)

impliesthat I (10.12) otk:A**Ls qk+l

and if d;611were rational,thenby Theorem10.1, a7. would also be rational' Now, since a7, is irrational andap is an integer,we know that 47, I at, and

aplatlap*|,

so that 0(a1-ap<1.

Hence, a(k+t: 1l@* - ap) ) l,

and consequently, ak+r: [ar+rl ) 1

fsr k : 0, I , 2, ... . This meansthat all the integers Note that by repeatedlyusing (tO.t2) we seethat 366 DecimalFractions and ContinuedFractions

I Q: d0: ao* : [as;al Iul l. ao* : Ia6;a1,a2l at-fL a2

: Qo* : Iag;al,o z,...,ctk,atr+ll. at i az -f

I *a1r* otk+l

what we must now show is that the value of las;at,o2,...,ek,c,k+1]tends to a as ft tendsto infinity, i.e., as k grows without bound. From Theorem 10.9,we seethat

a*+tP* * pt+t a : fag;ar,...,ok,ak+ll: at+rT* * q*-r

: where Cj pi/qi is the 7th convergentof las;afl2,...1. Hence a*+rPr * p*-t pt a-Cp : dtc+tQ* * q*-t Q* -(Prqrr-t - Prr-tQ*) (ar+gr, * q*-)q* (-t)t ' (ar+g* * q*r)qt where we have used Theorem 10.10 to simplify the numeratoron the right- hand side of the secondequality. Since : a*+rQ* * qt-r ) at+flt * q*-r Qk+|, we seethat 367 1O.3 Infinite Continued Fractions

lo-c*L'* QtrQx+t

10.2),we note that llq*qn*t tends SinceQr,2 k (from problem7 of Section k tends to infinity' or to zero as k tends to infinity. Hence, Cp tends to a as fraction phrased differently, the value of the infinite simple continued las;a1,a2,...1isa. tr representsan To show that the infinite simple continued fraction that irrational number is unique, we prove the following theorem.

Theorem 10.16. If the two infinite simple continued fractions las;at,a2,...1 bx for and lbo;br,bz,...lrepresents the same irrational number, then ar: k :0,1,2,... : Proof. Suppose that a: lag;at,a2,...1. Then, since Co 4o and Ct: ao * l/at, Theorem10.11 tells us that ao 1a 1ag* Ifa1,

so that ao: lc-l. Further, we note that

[ag;a1,a2,."1: ao

since

a : la s;ar,a 2,...1 : 1,a2,...,apl olgl[aoia I :lim(ao+, ,) /<-- lq 1ia2,Q 3,...,ap I

: do* lim Ia1,o2,...,apl /<-- I : aol --. lO 1iO2,O 3,. .. I

Supposethat

la s;a1,a 2,...1 : lb oibr,b 2,...1.

Our remarksshow that aO: bO: lol 368 DecimalFractions and ContinuedFractions

and that ao* +:bo " ' Io 1;a2,...1 Ib ,.bz,...l so that

Ia;a2,...!: [btibz,...l.

Now assumethat a1r: bk, and that laptl;a1ra2,...1:[bn*r;bt+2,...1. Using the same argument, we see that apal : bpa1,o.1d, a*+rl : I +- bk-t+ ' ' Lapa2io1ra3,...l lb**t;b*+t,..1

which implies that

['ap,z;a 1ra3,... ] : lb 1ra2;b1ra3,... I .

Hence,by mathematicalinduction we see that a2 : b1, for k :0,1,2,... . D To find the simple continued fraction expansionof a real number, we use the algorithm given in Theorem 10.15. We illustrate this procedurewith the following example.

Example. Let a : G. We find that t ao:lrfil:2, ant,:G5:T "E+Z

I Qt:r*r:2, s.)__ : J6+2 (J6,*2'2' )-z

I {e+z ...... :-: : q q{ E ez: [Jo+zl - _ d1 Qo+D-4 2

: Since d3 we Seethat a3: ot, a4: e2,...,and sOO n Hence ^f6: 12;2,4,2,4,2,4,...1.

The simple continued fraction of -,.6' is periodic. We will discuss simple continued fractions in the next section.

The convergentsof the infinite simple continued fraction of an irrational number good are approximationsto a. In fact, if p*/qt, is the 7th convergenr of this continued fraction, then, from the proof of Theorem 10.15, we know that 369 1O.3 InfiniteContinued Fractions

l"-polqol < llq*qx+t

so that lo - polqxl < tlq? ,

sinceQt I Q*+r. of the simple The next theorem and corollary show that the convergents to a, in the sense continued fraction of a are the best rational approximations with a denominator that prrlql is closer to a than any other rational number lessthan q1. :1,2,"', be Theorem 10.17. Let a be an irrationalnumber and let n1le1,i a' If r and s are the convergentsof the infinite simplecontinued fraction of integerswith s ) 0 such that lso-rl < lqo"-pol

thens 7 qr*t.

( I q*+r. We proof. Assume that lso-r | < lqr,o-pnl, but that 1 s considerthe simultaneousequations Ptx*Pt+rl:r Qtx*Q*+t!:5.

then By multiplying the first equation by Q* and the second by px, and subtracting the secondfrom the first' we find that - (Pt+rqr-PxQt +)Y - tQk sP* '

- : (-l)fr, From Theorem 10.10,we know tharppag* Pt Qt+l so that y : (-l)k (rq1,-sP).

ppal Similarly, multiplying the first equation by Qlrayand the second by and then subtracting the first from the second,we find that x : (-l)k(sppa;rQ*+).

Wenotethat x#O and y#Q. If x:0thensPt+t:r4k+t'Since (px*t,qrr*) : l, Lemma 2.3 tells us that q*+tls, which implies that :0, r : pkx and s : Qt+t ) s, contraryto our assumption.If y then Qkx' so that 370 Decimal Fractions and Continued Fractions

: lso-rl l" llqp-pr,l) lqro-p*l, sinceIrl > l, contraryto our assumption. we will now showthat x and y haveopposite signs. First, supposethat y <0. Since -Qt<+tl,weknowthatx Qkx:s ) 0,because{1x) ) 0 and Q* 0. When / ) 0, since 2 q1ra1) s, : - Qtc+r! we see that Qkx s Q*+r! ( 0,sothatx ( 0. From Theoreml0.l l, we know that eitherPt/qt ( a ( p*+r/qx+t or that ( ( Pt+t/q*+r a Pr/q1r. In either case. we easily see - - that Qtea pt, and Qr+p p*+r have oppositesigns. From the simultaneousequations we startedwith, we seethat lso-r | : lQorIql,lp)a - (po*+p**t)l : lx(qp-pr) + yQ1,ap-p;-;it combining the conclusionsof the previoustwo paragraphs,we see that x(qpa-pr) and!(Q*+p-p,t*r) havethe samesign, so that lso-rl : l{ llqoo-pol+ lyllq**p-pr,+rl 2 lxllqoo-pnl ) lqto-pr,l, sincel*l>t. Thiscontradicts our assumption. We have shownthat our assumptionis false,and consequently,the proof is complete.tr

Corollary 10.3. q Let be an irrationalnumber and let pi/qi, j:1,2,... be the convergents of the infinite simple continued fraction-of *. lf r/s is a rational number, wherer and .r are integerswith s ) 0, such that lo-r/tl < l"-p*/qol , then s ) q*.

Proof. Supposethat s ( qt and that lo-r/sl < l"-pr,lqr,l. 371 1O.3 Infinite Continued Fractions

that By multiplying thesetwo inequalities,we find sla-r lsl < qol"-Polqol

so that lsa-tl < lqod-Pxl ,

violating the conclusionof Theorem l0'17' tr

of 7( is Example. The simple continued fraction patternin o:li;j,15,1,292,1,1,1,2,1,j,...1.Note that there is no discernible continued fraction the sequenceof partial quotients. The convergentsof this 22/7 3331106' are the best rational approximationsto r. The first five are 3, ' that 2217is 3351113,and 103993/33102.We concludefrom Corollary 10.3 106, that the best rational approximation of t with denominator less than less than 31.5lll3 is the besi rational approximationof zr with denominator 33102.and so on. Finally, we conclude this section with a result that shows that any be a sufficiently close rational approximation to an irrational number must convergentof the infinite simple continuedfraction expansionof this number.

Theorem 10.18. lf a is an irrational number and if r ls is a rational number in lowestterms, wherer and s are integerswith s ) 0, such that lo-r/sl < t/2s2,

then r/s is a convergentof the simple continued fraction expansionof a.

proof. Assume that r/s is not a convergentof the simple continued fraction expansion of a. Then, there are successiveconvergents pxlqx and ppallqp*t suchthat Qn 4 s I Qrr+t From Theorem 10.17,we seethat < slq-r/sl < t/zs' lqoo-pol It ".-rl:

Dividing by qr we obtain lo-polqol < 1l2sq*.

Since we know that \tpo-rqol > t (we know that sP*-rQr is a nonzero integersince r ls #pplqr), it followsthat 372 Decimal Fractionsand ContinuedFractions

-x| - lspt-rq*l sQ* , sQ*'- : lor tl lqo sl ll I qrl F:l .l*l 2tq* 2s2

(where we have used the triangle inequality to obtain the secondinequality above). Hence,we seethat

t/2sqp I t/2s2

Consequently,

Zsqp ) 2s2, which implies that q1, ) s, contradicting the assumption. tr

10.3 Problems

L Find the simple continued fractions of the following real numbers a) ,rf2 c) -,/i r+.6 b) ^f3 d) .

2' Find the first five partial quotients of the simple continued fractions of the following real numbers

a) 1/, c) (e-l)/(e+l) b) 2r d) (e2-t)/(e2+D.

Find the best rational approximation to zr with a denominator lessthan 10000. The infinite simple continued fraction expansionof the number e is e : l2;1,2,1,1,4,l, 1,6, 1, 1,g,...1.

a) the first eightconvergents of the continuedfraction of e 373 1O.3 Infinite Continued Fractions

denominator less than b) Find the best rational approximation to e having a 100. fraction expansion 5. Let d be an irrational number with simple continued fraction of -ot is o : loo;ot,a2,...f Show that the simple continued at: 1' [-as-l;1,a,-l,as,a3,...lifa12 I and[-as-l;a2lldv"'lif simple 6. Show that if p*lqx and,p1,a/q1a1 2f€ consecutive convergents of the continued fraction of an irrational number a, then lo- pr/qrl < tlzqo'

lo - po*r/qo*,1( l/2qla.

- - (Hint: First showthat lo - pr*r/q**,1+ lo- polqol lpo*r/q&+r pr,/qtl: l/q*q**t using CorollarY 10.2.)

7. Let a be an irrational number , a ) I . Show that the kth convergent of the simple continued fraction of l/a is the reciprocal of the (k-t)th convergent of the simple continued fraction of a . 8. Let a be an igational number, and let pllei denote the jth convergent of the simple continued fraction expansion of a. Show that at least one of any three consecutiveconvergents satisfies the inequality la- pileil < t/G/-sqil.

Conclude that there are infinitely many rational numbers plq, where p and q are integerswith q # O, such that l''- plql

9. Show that if a - (l +lf9/2, then there are only a finite number of rational numbers plq , where p and q are integers,q # 0, such that lo-plql

(Hint: Consider the convergents of the simple continued fraction expansion or..6.)

10. If a and B are two real numbers, we say that p is equivalent to a if there are integersa,b,c, andd that ad - bc : il and 0 : ,such #

a) Show that a real number a is equivalent to itself.

b) Show that if a and p are real numbers with p equivalent to a , then a is equivalent to B Hence, we can say that two numbers a and B are equivalent. 374 Decimal Fractions and Continued Fractions

c) Show that if a,S, and l, are real numbers such that a and B are equivalent and B and l, are equivalent,then a and l, are equivalent. d) Show that any two rational numbers are equivalent. e) Show that two irrational numbers a and p are equivalent if and only if the tails of their simple continued fractions agree, i.e. a : Iag;a1,a2,...,ai,c1,c2,c3,...1 and g : [bo:b1,b2,...,b1r,c1,c2,ca,...1.where ai,t:0,1,2,...j, b1,i:0,1,2,...,k and c;, j : 1,2,3,...are intejers, all positive except perhaps as and bs . I I ' Let a be an irrational number, and let the simple continued fraction expansion of a be a : Ias;aba2,.-.1. Let p*/q* denote, as usual, the &th convergent of this continued fraction. We define the pseudoconvergnts of this continued fraction to be

: (tP*-r P*t/q*., + pr-)/QQ*t * Q*-z),

where k is a positive integer, k > 2, and t is an integer with 0 < r I at, . a) Show that each pseudoconvergentis in lowest terms b) Show that the sequenceof rational numbers pt ,z/q*,2,...,pk,o,-,/Qk,a,_,, p*/e* is increasingif k is even, and decreasingif ft is odd

c) Show that if r and r are integers with s ) 0 such that

lo-rlsl ( l" -p*.,/q*.,|

where k is a positive integerand 0

d) Find the pseudoconvergentsof the simple continued fraction of zr for k -2.

10.3 Computer Projects

Write programs to do the following:

l. Find the simple continued fraction of a real number.

2. the best rational approximationsto an irrational number.

10.4 Periodic ContinuedFractions

We call the infinite simple continuedfraction [as;at,az,...lperiodic if there are positive integers N and k such that an : ara1, for all positive integers n with n > N. We use the notation 375 1O.4 PeriodicContinued Fractions

lag;at,o2,...,oN-r,m to expressthe periodicinfinite simple continued fraction -1'41y'41y l' I a o:a l,a 2,...,QN - l,a N rQN + 1,"',a N +k 1 1'"'

For instance, tt;Z,lAl denotes the infinite simple continued fraction I I ;2,3,4,3,4,3,4,...1. In Section 10.1, we showed that the base b expansionof a number is periodic if and only if the number is rational. To characterizethose irrational numbers with periodic infinite simple continued fractions, we need the following definition.

Definition. The real number a is said to be a quadratic irrational if a is irrational and if a is a root of a quadratic polynomial with integer coefficients, i.e. Aa2+Ba*C:0,

where A,B, and C are integers.

Example. Let a :2 * ,/7. Then a is irrational, for if a were rational, then by Theorem10.1, a -2- .,,6would be rational,contradicting Theorem 10.2. Next, note that a2 - 4a t | : (7+4,fi - 4Q+,/t * I : o.

Hence a is a quadratic irrational. We will show that the infinite simple continued fraction of an irrational number is periodic if and only if this number is a quadratic irrational. Before we do this, we first developsome useful results about quadratic irrationals.

Lemma 10.f. The real number a is a quadratic irrational if and only if there are integersa,b, and c with , > 0 and c 10, such t"hatb is not a perfect square and : : (a+Jt) lc.

Proof. If a is a quadratic irrational, then a is irrational, and there are integers A,B, and C such that Aaz + Ba t C :0. From the quadratic formula. we know that 376 DecimafFractions and Continued Fractions

-B*GQAC (I:- 2A

Since a is a real number, - we have 82 4AC ) 0, and since a is irrational, 82 - 4AC is a perfect -not square and A r^0. By either-r^: taking e: -B,b: 82 - 4AC, :24 c o, o: b, b : g2 _ 4;t, _ZU, wO have our desired representationof a. Conversely,if 'r" wherea,b, andc areinte*.r-, ;; ,ti"i:O, and6 nota perrectsquare, then by Theorems10.1 and 10.2, we can easily see that a is irrational. Further, we note that

co2-2aca+(a2-b2):0. so that c is a quadratic irrational. tr

The following lemma will be used when we show that periodic simple continued fractions representquadratic irrationals.

Lemma 10.2. If a is a quadratic irrational and if r,s ,t, and u are integers, then (ra*s)/(to*u) is either rational or a quadratic irrational.

Proof. From Lemma 10.1,there are integersa,b, and,c with b > 0. c # 0. and b not a perfect square such that a: (a+Jb)/c.

fur*cl)+rJb (at rcu) +t Jt I Gr +cil + r JF lI ht + cil -t.'.6 | IGt *cu) +t .,/blt(at +cu)-t ./n I lGr *cs\(at *cu) -rtblt[r (attcD -t Gr*cl)l../T (at *cu)2-t2b 377 1O.4 Periodic Continued Fractions

irrational'unless the Hence,from Lemma l0.l (ra*s)/Qa+d is a quadratic is rational' tr ;;;d;i";, G is zero, which would imply that this number "t fractions of quadratic In our subsequentdiscussions of simple continued quadratic irrational' irrationalswe *iil use the notion of the conjugateof a

-- Then the coniugate Definition. Let a (a+JD lc be a quadratic irrational' : (a-Jb)lc' of a, denotedby o', is definedby a'

the polynomial Lemma 10.3. If the quadratic irrational d. is a root of a', the conjugate Axz + Bx * C : 0, then the other root of this polynomial is of a.

two roots of Proof. From the quadratic formula, we see that the Axz+Bx*C:0are _B*[EW ZA

of If a is one of these roots, then a' is the other root, becausethe sign tr4AC is reversedto obtain a' from a. tr The following lemma tells us how to find the conjugatesof arithmetic expressionsinvolving quadratic irrationals'

(a2*bzJd)f quadratic Lemma 10.4. If a' : (aftbffd)/c1 and ,,2: cz are irrationals,then (i) (a1+a2)' -- al t a'2

(ii) (a;c.2)' : o| - d'2

(iii) (ap)' : d'td2

(iv) (c"rlc.)': a't/o.z.

parts easier. The proof of (iv) will be given here; the proofs of the other are These appear at the end of this section as problems for the reader'

Proof of (iv). Note that 378 Decimal Fractions and Continued Fractions

t G ftbr.'./Z)/r, vllq) ".' Gr+bz,/cl)/cz c _ r(a ,+b r/7) G 2-.bz,/T)

: lb2)''/7 ,,

While

, t , G;brE)/cz .^lrsl---7- -- " " (or-brrE) /cz cz(arbtQ)Gr+br,/V)

c {a 2- b 2,/7 ) (a z+ b 2,/7 ) - _ kzapz-czbftzd) (czazbrczaft)fi

Hence (at/a)' : or'r/a'2.D The fundamental result about periodic simple continued fractions is Lagrange's Theorem. (Note that this theorem is different than Lagrange,s theorem on polynomial congruncesdiscussed in Chapter 8. In this chapter we do not refer to that result.)

Lagrange'sTheorem. The infinite simple continued fraction of an irrational number is periodic if and only if this number is a quadratic irrational.

We first prove that a periodic continued fraction represents a quadratic irrational. The converse,that the simple continued fraition of a quadratic irrational is periodic, will be proved after a special algorithm for obtaining the continued fraction of a quadratic irrational is developed.

Proof. Let the simple continued fraction of a be periodic, so that : a la g;at,,e 2,..,,a N -r,ffi|

Now let

0 : la1s;aN+r,...,41r+ftl

Then 379 1O.4 Periodic Gontinued Fractions

g : lal;aN*I,...,4N**,01,

and from Theorem 10.9,it followsthat ^ 1P*tP*-t (10.13) t) - oq*tq*-r'

Since the where p*lq* and p1r-r/Q1r-1ata convergentsof Ia11;av"1'"''oru+kl' and from (tO't3) we simple continuedf.u.tlon of p is infinite, B is irrational, have - qr,02t Qr,-r-P)0 P*-r : a'

so that p is a quadratic irrational. Now note that a : lag;a1,Q2,...,Q N-r,01,

so that from Theorem 10'9 we have 'a;;:fr;0pr,r-ftPN-z '

where pN-t/qN-1 and pr,t-zlqN-2uteconvergents of [ao;a t.a2'"''o7'1-11'Since B is a q*Oruii. irrational, Lemma 10.2 tells us that a is also a quadratic irrational (we know that at is irrational because it has an infinite simple continuedfraction exPansion).D To develop an algorithm for finding the simple continued fraction of a quadratic irrational, we need the following lemma'

Lemma 10.5. If a is a quadratic irrational, then d. can be written as : @+,/V)/Q,

whereP,Q,andd are integefs,Q*O,d > O,d is nota perfectsquare, and QIQ-P2) .

Proof. Since a is a quadratic irrational, Lemma 10.1 tells us that , : (a+Jb)lc,

where a,b, and c are integers, b > 0 , and c # 0 . We multiply both the numerator and denominator of this expressionfor q by Itl to obtain 380 Decimal Fractionsand ContinuedFractions

a.-

(where we haveused the fact that -,tr\. lrl: Now let p : alcl, clcl, andd:bc2. Thenp,e, e: andd areintegers, e l0 since,70,d >O (since6 > 0), d is not iperfect lQuaresince b is not a perfectsquare, and finally since el@-p\ d-p2:6rz'oirz :;rbjoif:;T'(ilorl. n We now presentan algorithm for findingthe samplecontinued fractions of quadraticirrationals.

Theorem 10.19. Let a be a quadratic irrational, sothat by Lemma 10.5there are integers Ps,Qs,and d such that @o+,/7)/Qo , where > Q0*0,d 0, d is not a perfectsquare, and eel @-p&). Recursively define dk:(ro+,/7)/Qr, Ctk: [a1], Pk+r:atQt-Pk, Q**r : (d-roL*t)/Q*, for k : 0,1,2,... Then a : fag;at,a2,...1.

Proof. using mathematical induction, pk we will show that and e* are integerswith Q1,* 0 and e*l@-rp, for k:0,r,2,.... First,note that this assertion : is true for k 0 from the hypothesesof the theorem. Now assume that P1 and Qp are integerswith e* * 0 and e*l@_p?i. Then Pk+r: a*Qt - Pp is also an integer. Further, Q*+r: @-rf *r11qo : [d-(o*Q,,-pr)2]/e* : @-rfi/Qo + (2a1,P1,-a?er).

Since by Qrl@-pil, the induction hyporhesis,we seethat Qpal is an integer, and since d is not a perfect square, we see that d I Pi, so that Q*+t : @-rf*;/Qo t o . Since Q* : U-rf*1/Qo*t 1O.4 PeriodicContinued Fractions 381

we can concludethat Q1,ql@-pt*t) . This finishesthe inductiveargument. To demonstratethat the integerses,a1,a2,... are the partial quotientsof the simple continuedfraction of a', we use Theorem 10.15. If we can show that o(k+t: llbr-ap), fork: then we know that a : fas;a1,a2,...1.Note that Pk + ,/7 ap-ak: -ap Af : l^/7 - G*Qr,- P)llQ*

: G/7 - pt +) lQ* : G/V- P**')(JV+ P*+)/er,G/T+ P**r)

: @-rl*)/Q*QI + Pr*r)

: Q*Qr,n/Qr,G/7+ Pt*,)

: Q**r/('/i + Pr,*)

: lla*+r , where we have usedthe definingrelation for Qp* to replaced-Ppzar with QtQ**r. Hence,we canconclude that a : las;a1,e2,...f. D We illustratethe use of the algorithmgiven in Theorem10.19 with the followingexample.

Example. Let a : Q+J1)/2 . UsingLemma 10.5,we write : G+.,/N)/4 wherewe set Po : 6, Q.o: 4 , and d : 28. Henceoo: [a] : 2, and

: Pr 2'4-6:2, a1 Q + ..E)/e, : Qr (28-22)/4:6, O1 IQ+,/z$/61: r,

: P2 l'6-2:4, ot2 G+,,/Tg/2, Qz : Og-+2)/o:2, A2 t 382 Decimal Fractions and Continued Fractions

P3 - 4'2-!:4, d3 : : e+.,m)/6, Qt Qg-+2)/2:6 o3 : tG+6>Jil:r, P4 : l'6-4:2, d4 : e+rFZ$/q, - (28-22)/6:4, Qq a4 : t7+.'-z$/il: t, - Ps l'4-2:2, a5 : e+r/-Z$/6, - Qs Q8-22)/4:6, a5 : t(z+,,/N)/61: l, andso, with repetition, pr: p5 since ander: es. Hence,we seethat G+.n) /2 : I2;1,4,1,1,r,4,r,1,...I : I2;1,4,1,11.

We now finish the proof of Lagrange'sTheorem by showingthat the simple continuedfraction expansion of a quadraticirrational is periodic. Proof (continued). Let a be a quadraticirrational, so that by Lemma 10.5 we canwrite a as

o : (po + .,8) /eo .

Furthermore,by Theorem10.19 we haveo: lao;ar,ez,...lwhere : dk (r1, + ,,/7)/Q* , ap : [apl, Pwr : atQ*-Pk*t, Q*r : Q -rf *1 /Qo*r, fork:

Sincea : Ia s;a' "" that )'lrl,o;]:ffi _ll;lIjl "_* q*-). Taking conjugatesof both sides of this equation,and using Lemma 10.4, seethat

(ro.r+) o' : (pr,-p'* * p*-) /(qt,-p'n * q*-).

When we solve(tO.t4) for ol1,, ws find that 383 1O.4 Periodic Continued Fractions

( - P*-zI , -ex-,l" tr- | dk: qk^ t , p*t t ,*t l

to a as k tends to Note that the convergents p*-z/Q1r-2 and p*-rlqrr-t tend infinity, so that

| , - P*-z - P*-t la. t fr' I Q*-z I Q*-t Since tendsto 1. Hence, there is an integer N such that a'* 10 for k > N. o't>- 0 for k > l, we have Pp + Jd Po-Jd Zfi otk-Otk : r0. Q* Q* Qr

sothatQ*> 0fork>N. - SinceQ*Qrr*, - d P?*r, we seethat for k 2 ly', - 0t ( Q*Q**r-- d P?*t

Alsofork>N,wehave Pl*, (d: Pl*t-Q*Qx*r,

sothat - ,/7 I P*+r < -,/7.

- <-r/7, From the inequalities 0 ( 0r ( d and -,[d < P*+r that hold for k > N , we see that there are only a finite number of possiblevalues for the pair of integers Px,Qx for k > N . Since there are infinitely many integers k with k > N,therearetwointegersi andT suchthatPi:Pi andQi:Qi : with i < j . Hence, from the defining relation for cu;., we see that o(i di conseque Hence "t'*:;:;,";:"',i: ,-,,i:"',oi,*,'lo,ol,.;:,,':,.:,:i:i-,,,

: Ia g;al,o 2,...,ai-1,Qi,o i +1,...,a i -tl .

This shows that a has a periodic simple continued fraction. D 384 DecimalFractions and ContinuedFractions

Next, we investigate those periodic simple continued fractions that are purely periodic, i.e. those without a pre_period.

Definition. The continued fraction [as;at,ez,...f is called purely periodic if thereis an integern such thata1r: entk, for k :0,1 ,2,...,sothat lag;at,az,...l:Iffi.

Example' The continued fraction tl;jl: (t+.1:) /2 is purely periodic while [2;2,41: JA is not.

The next definition and theorem describe those quadratic irrationals with purely periodic simple continued fractions.

Definition. A quadratic irrational at if called reduced if a ) I -l ( and a' ( 0, wherea'is the conjugateof a .

Theorem 10.20. The simple continuedfraction of the quadratic irrational a is purely periodic iI-and only if a is reduced. Further, if a is reduced and a: l,as;at,e2,...,enlthen the continuedfraction of - l/oi i, to;o,,_ffi

Proof. First, assume that a is a reduced quadratic irrational. Recall from Theorem 10.15 that the partial fractionsof the simple continuedfraction of a are given by

ek : lapl, otk+t : l/@tr-o*), fork: where ato: d We see that

l/qt+t:ek-ak, and taking conjugates,using Lemma 10.4, we see that

(ro.rs) l/a'*+t: c,'k- a1r. we can prove, by mathematical induction, that - I ( a1 ( 0 for k:0,1,2,.... First,note that since c.0: a is reduced,-l l ao < 0. Now -r assumethat 1 a'1,< 0 . Then, sincea* 21 for k :0,1,2,-... (note that ao2 I sincea > 1), we seefrom (tO.t5) that

l/ott+r < -1, -l so that 1 a'k+t< 0 . Hence,-l < a) 10 for /c : 38s 1O.4 Periodic Continued Fractions

Next. note that from (to.t5) we have

d'k:a**lla'*+t t and since-l 1 a'* < 0 , it follows that -l 1a**lfa'1ra1 <0.

Consequently, -l - l/a'*+t 1 ax 1 -lf a'rr+r,,

so that ek: [ - 1/or*r].

Sincea is a quadratic irrational, the proof of Lagrange's Theorem shows that and hence there u.. nonn.gative integersi and i' i,< 7, such that ai 7-oi, :I-t/a,| seethat with -1/u';: -l/aj. Since ai-t:l-t/ai il anOoi-t j-l jt , we : oj-t + llai oi-l : ej-'.. Furthermore, since oti-t: ai-t I llai and , dj-: we alsoseethatai-1:o i-rContinuingthisargument'w€seethat : di-z : o(j-z)ai-3: aj-30..',and finally, that ag aj-i ' Since

d0 : a : Iag;a1,...,oi-i-t,ai-il : la o;a 1,...,ei -i -1,041 :loo.gr,Gl,

we see that the simple continued fraction of a is purely periodic. To prove the converse,assume that a is a quadratic irrational with a purely periodiccontinuedfractiono:|ffio|.Sincea:|ag;a1,Q2,,...,a2,ot|, Theorem 10.9 tells that aP* * P*-t (10.1 6) a:ffi,

where pr,_tlq*_r and p1rlq1, 3;fe the (k-l)th and kth convergentsof the continuedfraction expansionof a . From (tO.t6), we seethat - : (10.17) er,a2* (q*-rP)o Pt-r 0.

Now, let p be the quadratic irrational such that g :latiatc-l,...,at,aol, i.e. with the period of the simple continued fraction for a reversed. Then that 0 : lo*iek-r,...,at,ao,Al,so that by Theorem10.9,it follows 386 DecimalFractions and ContinuedFractions

(ro.rs) D opi + pi-, P--._- Fqr * q*-r

where pi-t/qL and pr,/q* (ft-l)th are the and kth convergents of the continued fraction expansion of B . Note, however,from probremi of section 10.2.that

Pt /p1r-1: lanian-1,...,et,eol: pi/qi

and : Qt/q2-1 farion-r,...,a2,el! : pL /qi_t.

Since pi-t pi/qi /qi-, ?d are convergents,we know that they are in lowest terms' Also, P*/pp-, and qp/q1-1 ilre in lowest terms, since Theorem 10.10 tells us that ppqp-r - p*-rQk : (-t)e-t . Hence,

pi - p*, Qt : pk-r and

- Pk-t 4t<,Qt<-t : ek-t.

Insertingthese values into (l0.lg). we seethat p,: 0p* * qr 1p*-r * qrt

Therefore, we know that

Pr$2*(q*t-pr)|-Q*:o

This impliesthat (ro.rq) er,Gt/ilz * (q*-r- pt) Gtlp) - pk_t:

(to.tz) (10.19), From and we seethat the two rootsof the quadratic equation 4*x2 * (q*-r - p)x - p*-t : 0

-1/0, are a and so that by the quadratic equation, we have a : -t/8. Since : 0 lanian-t,...,at,aol,we see that p > I, so that -l < s7':-l/p<0. Hence, a is a reducedquadratic irrational.

Furthermore, note that since fi : -l/ot,. it follows that 387 10.4 PeriodicContinued Fractions

-l/o':ffiol' tr

fraction of '/D , We now find the form of the periodic simple continued Although \6 is not where D is a positive integer that is not a perfect square' -l quadratic since its conjug-ate-,/D is not between and 0, the reduced, - lie r.*,o*r"i6-t; .6-ii r.duced,since its conjugate,l,/Dl '[5 ' does that the between-1 and 0. Therefore,from Theorem 10.20, we know initialpartial continuedfraction or [.lill +.,/D is purely periodic. Sincethe + is quotient of the simple continued fraction of tJD | "/D if faf + ,/Dl:21,/Dl:2a0, whereao:I../Dl ' wecan write I,/DI+-,/D:tml- : I2ao;a t,Q 2,...,a n,2Q g,a l,...,Q rl'

Subtracting ao : ,/6 from both sidesof this equality, we find that ./ D : la g;a3a 2,...,2ag,,a 1,a2,...2a 0,...1 :log;orro'zmol.

To obtain even more information about the partial quotients of the continued fraction of ,/D, we note that from Theorem 10.20, the simple -l - be obtained from that continuedfraction expansionof /$'IDl "/D) can for t.,6l + ..lD , by reversingthe period, so that r/G/D-t.D1):tffi.

But also note that 6 -t-6-l:lo;orprGol,

so that by taking reciprocals,we find that | / G/D - t.D-l) - tor;o rGrl -

Therefore,when we equatethese two expressionsfor the simple continued fractionof llG/D - t.D]) , we obtain

Al: QnrQ2: Cln-ys...;On: Ol,

so that the periodic part of the continued fraction for ..lD is symmetricfrom the first to the penultimate term. In conclusion, we see that the simple continued fraction of 16 has the form ..ld:loo;ffi. 388 Decimal Fractions and Continued Fractions

We illustratethis with someexamples.

Example. Note that

8- [4;l,3,1 ,8] .16l ts,ffii.rol - ,Fqe 16;l,2,1 ,1,2,6,2,1 ,l ,2,1 ,l2l ,,/Te : [8;1,2,l,I,5,4,5, 1,1,2,1, I6l and -,/ri: tq;ml, where each continued fraction has a pre-period of rength l and a period ending with twice the first partial quotient which is symmetric from the first to the next to the last term. The simple continued fraction expansionsof ,E fo, positive integers d such that d is not perfect a square and d < 100 can be found in Table 5 of the Appendix.

10.4 Problems

l. Find the simplecontinued fractions of

a) Jt d) ,/41 b) Jr r e) 6 c) Jzt r) ,/-gq.

2. Find the simple continued fractions of il o+,fi /z b) Qq+,81)lt c) (tt-.E)t.

3. Find the quadratic irrational with simple continued fraction expansion il [z;t,5] b) tz;rSI c) t2JJI. 4. Letd il beapositive Show that the simple continued fraction of ,,/N isla:Tdl. 389 1O.4 Periodic Continued Fractions

oi tffit't'fZgg' and b) Uggrrt (a) to find the simplecontinued fractions J22r0.

5. Let d be a integer,d 2 2' is a) Show that the simple continued fraction of ,/F [d-l ;@l' t;zla-zl. b) show that the simple continued fraction of JFd is [d- of rfg9' tffg' c) Ugparts (a) and (b) to find the simple continued fractions ,lnz. and..G60' the simple continued fraction of 6. a) Shory lhat if d ,l un int"g.t, d > 3 , then ,tm is[d-1'lH,l2d-21. of b) Show that if d is a positive integer, then the simple continued fraction '/fu. rsld;c$71. -l,ft-gt c) Find the simple continued fraction expansionsof ,/6,.6f , anO

7. Let d be an odd positive integer'

a) Show that the simple continued fraction of JF+ is ld;ffil,ird>l' of J d2-q b) Show that thr __qgple continued fraction la-lM,zd-zi,\f d>3. 8. Show that the simple continued fraction of Ji , where d is a positive integer, has period length one if and only if d : a2+l *here a is a nonnegativeinteger. 9. Show that the simple continued fraction of Jd , where d is a positive integer, has period length two if and only if d : a2 + b where a and b are integers, b > l, andbl\a . 10. prove that if 6,1: (ar+brJrl)lct and a2-- (a2*urJd)/c, ^re quadratic irrationals, then

a) (a1*42)' : c,'t* o''2

- b) (a1-a2)' : d'r d2

c) (c''c.z)' : ot't'or2.

11. Which of the following quadratic irrationals have purely periodic continued fractions

a) l+.6 c) (tt - ,/-toltg b) 2 + ,/-B d) e + ,f?l)/z c) 4+',m e) (tz + -'.ft-g)l:t

12. Supposethat a : G+JF)/c, where 4,b, and c are integers,b ) 0, and b is noi u perfecl square. Show that is a reduced quatratic irrational if and only if ola

13. Show that if ir-u reduced quadratic jrrational, 1 then _ l/a, is also a reduced quadratic irrational.

14' Let k be a positive integer. Show that there are infinitely mgy positive integers D, such that the simple continued fraction expansion of ,/6 h., , period of length k. (Hint: Let at:2, e2:5, and for k > 3 let a1,:2ak_t I a*_z Show that if p : (tar + l)2 * 2a1,-1* r, where / is a nonnegativeinteger, then rD has a period of length k + l.)

15' Let k be a iF:r. Let Dk - (3k+t)2 lgsitiu: + 3 Show that the simple continued fraction of JOp has a period of length 6ft.

10.4 Computer Projects

Write computer programs to do the following: 1' Find the quadratic irrational that is the value of a periodic simple continued fraction.

2' Find the periodic simple continued fraction expansionof a quadratic irrational. 11 some NonlinearDiophantine Equations

11.1 PythagoreanTriPles The Pythagoreantheorem tells us that the sum of the squaresof the lengths of the legs of a right triangle equals the square of the length of the hypothenrur.. Conversely,any triangle for which the sum of the squares of the lengths of the two shortestsides equals the square of the third side is a right triangle. Consequently,to find all right triangles with integral side lengths, we need to find all triples of positive integers x ,y ,z satisfying the diophantine equation (rr.t) x2+!2:22

Triples of positive integers satisfying this equation are called Pythagorean triPles.

Example. The triples 3,4,5; 6,8,10; and 5,12,,13are Pythagorean triples because32 + 42 : 5'.62 + 82: 102,and 52 + 122: 132. Unlike most nonlinear diophantine equations, it is possible to explicitly describe all the integral solutions of (ll.l). Before developing the result describingall Pythagoreantriples, we needa definition.

: Definition. A Pythagoreantriple x,!,2 is calledprimitive if (x,y,z) l.

Example. The Pythagoreantriptes 3,4,5 and 5,I2,I3 are primitive' whereas 391 392 Some Nonlinear Diophantine Equations

the Pythagoreantriple 6,g,10is not. pythagorean Let x,!,2 be a triple with (x,y,z) : d . Then,"i-r'r,,r1,21): there are integers xr, t,zr with x : : J dxi,y dyt,, ir, l. Furthermore, because ""A

x2+y2:22,

we have

G/d)2+(y/il2:(z/d)2,

so that x?+y?:r?.

Hence,xt,!t,21 pythagorean is a primitive triple, and the original triple x,!,2 is simply an integral multiple of this primitive pytgagoreantriple. Also, note that any integral multiple of a primitive (or for that matter any) Pythagoreantriple pythagorean is again a triple. If x1])t,zt is a primitive Pythagoreantriple, then we have x? + y? : r?,,

and hence.

@x)2+(dyr)r:(dz)2, so that dx 1,dy1,dz 1 is a Pythagoreantriple.

Consequently, all Pythagorean triples can be found by forming integral multiples of primitive Pythagorean triples. To find all primitive pythago*un triples, we needsome lemmata. The first lemma tells us that any two integers of a primitive Pythagoreantriple are relatively prime.

Lemma 11.1. If x,!,z is a primitive Pythagorean triple, then G,y) : (x ,z) : (y,z) : l.

Proof. pythagorean suppose x ,! ,z is a primitive triple and (x ,y) > l. Then, there is a primep such (xy), tha,tp^l sothat p I x andp I y. Sincep I x andp (r'+ :22. l.-y,*. know thatp | y') Becausep l;r,'*..un conclude (using that p I z problem 32 of Section 3.2). This is a contradiction since (x : (x ,y ,z) l. Therefore, g) : l. In a similar manner we can easilv show that (x ,z) : (y ,z) : l. D 393 1 1.1 Pythagorean TriPles

integers of a primitive Next, we establish a lemma about the parity of the PythagoreantriPle.

then x is even and y Lemma 11.2. If x,y,z is a primitive Pythagoreantriple, is odd or x is odd and Y is even'

1l '1, we know Proof. Let x ,!,z be a Primitive Pythagoreantriple. By Lemma Also x and y cannot that (x ,y\ : 1, so that x and y cannot both be even. (from 2 of Section 2'1) both be odd. If x and Y were both odd, then problem we would have ) x- = vz = I (mod 4),

so that 22:x2*y2 = 2(mod4).

This is impossible (again from problem 2 of Section2.1). Therefore,x is even and y is odd, or vice versa. E The final lemma that we need is a consequenceof the fundamental theorem of arithmetic. It tells us that two relatively prime integers that multiply together to give a square must both be squares'

(r,s) : Lemma 11.3. If r,s, and t are positive integers such that I and : : ; : t2, then there are integersz and n such that r m2 and s n2.

Proof. If r :1 or s : l, then the lemma is obviously true, so we may ,upptr. that r ) I and s ) 1. Let the prime-power factorizationsof r,,s, and lbe ,:p1,pi2... p:", s : p:,i\ p:,it p:"

and t : ql' ql' quo'.

Since (r,s ) : l, the primes occurring in the factorizations of r and s are distinct. Sincers : t2, we have pi'pi' pi"pi,+ipi,n pl,': q?"q'ru' qiur'

From the fundamental theorem of arithmetic, the prime-powers occurring on 394 Some Nonlinear Diophantine Equations

the two sides of the above equation are the same. Hence, eachpi must be equal to for some j with Qi matching exponents, so that a; : 2bi. consequently,every exponent a; is even,and thereforeai/2 is an integer. we see - : that r m2 and , 12, where m andn arethe integers a./2 : a-/z a/2 m pt' P2' Pu"

and

: a/2 n pi,r('pi,C' Pr" !

We can now prove the desired result that describes all primitive Pythagoreantriples.

Theorem ll.l. The positive integers x,l,z form a primitive pythagorean triple, with y even,if and only if there are relativelyprime positiveintegers 172 and n, |/t ) n, with m odd and n even or m even and,n odd, such that x : m2-n2 'r7-'#ir'

Prot{. Let x ,y ,z be a primitive Pythagoreantriple. Lemma I 1.2 tells us that x is odd and y is even, or vice versa. Since we have assumed that y is even, x and z are both odd. Hence,z*x and z-x are both even,so that there are positiveintegers r ands with r : (z+i/2and s : (z-il/2.

Sincex2+y2:22, we havey2: z2-x2: (z*x)G-x). Hence. Ir)' lz+x] f,-"1 lr): I , .lt ' J:" we notethat (r,s):1. (r,s): To seethis, let d. Sinced l, and d ls, dlG+s)- z and,dl(r-s):x. This meansthatdl(*,r):1, sothat d :1.

Using Lemma I 1.3, we see that there are integers la and n such that : : r m2 and,s n2. Writing x,y,andz in termsof m andn we have x:r-.s:m2-n2. y:rM:rffi:2mn. 395 1 1.1 PYthagoreanTriPles

z:r*s:m2+n2.

m and n must also we see-x also that (m ,n) : 1, since any common divisor of : know that (x,y,z) : l' Oi"iO" : m2-n2',y :2mn, andz *'+r', and we were' then x y ' We also note that rn and n cannot both be odd, for if they (x,y : l ' Since and z would all be even, contradicting the condition ,z) n is odd, (m,n) : I and m and n cannot both be odd, we seem is even and triple has the or vice versa. This shows that every primitive Pythagorean appropriate form. To seethat everYtriPle x : m2-n2 y:2mn :2m2*n2,

(m,n) : where m and n are positive integers, m ) n, 1, and that m * n (mod 2), forms a primitive Pythagoreantriple, first note x2 + y2 : (m2-n2)2+ (2mn)2 : (ma-2m2n2+n4)* 4m2n2 : ^4 * 2m2n2t na : (m2+n2)2 : 22.

To see that these values of x,y, and z are mutually relatively .prime, assume that (x,y,z): d ) !. Then, thereis a primep-such thatp l^(x,y,z)^.We note that p * 2, since x is odd (becausex: m2-n2 where mz and n2 have ofporit" parity). Also, note that becausep I,x andp l t, p I G+i:2m2 the fact that an'dp lit-;:2n2. Hencep I m and p In, contradicting (*,i) :1. Therefore, (r,y,z) : l, and xoy,z is a primitive Pythagorean triple. This concludesthe proof. D The following example illustrates the use of Theorem I I .l to produce PythagoreantriPles.

(mod Example. Let m:5 and n:2, so that (m,n): I, ffi * n 2), and m ) n. Hence,Theorem 1I .1 tells us that x:m2-n2:52-22:21 Y:2mn:2'5'2:20 z:m2+n2:52+22:29

is a primitive Pythagoreantriple. 396 Some Nonlinear Diophantine Equations

We list the primitive pythagorean triples generatedusing Theorem I l.l with rn :< 6 in Table I l.l.

m n x : m2-n2 y:2mn t : m2+n2

2 I 3 4 5 3 2 5 t2 l3 4 I 15 8 l7 4 3 7 24 25 5 2 2l 20 29 5 4 9 40 4l 6 I 35 r2 37 6 5 1l 60 6t

Table 11.1. Some Primitive pythagoreanTriples.

I l.l Problems

l. Find all

il primitive Pythagoreantriples x,l,z with z < 40. b) Pythagoreantriples x,!,2 with z < 40. pythagorean 2. Show that if x,!,2 is a primitive triple, then either x or y is divisibleby 3.

3. Show that if x ,!,z is a Pythagorean triple, then exactly one of x,y , and,z is divisibleby 5. 4. Show that if x,l,z is a Pythagorean triple, then at least one of x,y, and z is divisible by 4.

5. Show that every positive integer greater than three is part of at least one Pythagoreantriple. - 6. Let xl 3,lt: 4, zt: 5, and let for n :2,3,4, ..., be defined recursivelvbv 397 11.2 Fermat'sLast Theorem

xntl- 3xn*Zzn*l !n+r-3xn*2zo*2 zn+t-4xn*3zn*2'

Show that xnln,zn is a Pythagoreantriple' isoneof 7. Showthat if x,!,2 isa Pythagoreantriple withy:x + l, thenx,l,Z the Pythagoreantriples given in problem 6' : g. Find all solutionsin positive integersof the diophantine equation x2 I 2y2 t2'

g. Find all solutionsin positive integersof the diophantine equation x2 * 3y2: t2-

10. Find all solutions in positive integers of the diophantine equation w2+xzry':t'.

I l. Find all Pythagoreantriples containing the integer 12. - 12. Find formulae for the integersof all Pythagoreantriples x,l,z with z y*l - 13. Find formulae for the integersof all Pythagoreantriples x,l,z with z y * 2' : 14. Show that the number of Pythagoreantriples x,-y,z (with x2 + y2 z2) with a fixed integer x is (rk2)-l)/2if x is odd, and (r!2l4-1)/2 if x is even. 15. Find all solutions in positive integers of the diophantine equation *' * py' : 22, wherep isaprime.

11.1 Computer Projects

Write programs to do the following:

l. Find all Pythagoreantriples xJ,z with xy,and z lessthan a given bound.

2. Find all Pythagoreantriples containing a given integer'

ll.2 Fermat's Last Theorem In the previous section, we showed that the diophantine equation x2 + y2 : z2 has infinitely many solutionsin nonzerointegers x, !, z . What happens when we replace the exponent two in this equation with an integer grrut.. than two? Next to the discussionof the equationxz + y2 : z2 in his copy of the works of Diophantus, Fermat wrote in the margin: "However, it is impossibleto write a cube as the sum of two cubes,a fourth power as the sum of two fourth powers and in general any power the sum of two similar powers. For this I have discovereda truly wonderful proof, but the margin is too small to contain it." 398 Some Nonlinear Diophantine Equations

Since Fermat made this statement many peoplehave searchedfor a proof of this assertion without success. Even trrouitr no ,or...t proof has yet been discovered,the foilowing conjectureis knowi as Fermat,s rasttheorem.

Fermat's Last Theorem. The diophantineequation x'+ln:zn

has no solutionsin nonzerointegers x, r, z when n is an integer with n D 3. Currently' we know that Fermat's last theorem is true for all positive integers n with 3 ( n <125000. In this section,we will showthat the specialcase of Fermat's last theorem with n: 4 is true. That is, we will ,ho* that the diophantineequation

xa+!4:24

has no solutions in nonzerointegers x, !, z. Note that if we could also show that the diophantineequations

xP + YP :7P

has no solutionsin nonzerointegers x,!,2 wheneverp is an odd prime, then we would know that Fermat's last theorem is true (seeprobl em 2 at the end of this section). The proof we will give of the special case of n - 4 uses the method of infnite descent devised by Fermat. This method is an offshoot of the well-ordering property, and shows that a diophantine equation has no solutions by showing that for every solution there is a "smaller', solution. contradicting the well-ordering property.

Using the method of infinite descent we will show that the diophantine equationxa + : !4 22. has no solutionsin nonzerointegers x, !, andz. This is strongerthan showingthat Fermat's last theorem is true for n: 4, because any solutionof xa + y4: ta: (22)2gives a solutionof xa * va:22.

Theorem 11.2. The diophantine equation **',ro,r:t' hasno solutions in nonzer",",.*1,

Proof. Assume that the above equation has a solution in nonzero integers x,l,z. Since we may replaceany number of the variableswith their negatives 399 11.2 Fermat's Last Theorem

we may assumethat x,Y,z are without changing the validity of the equation' positiveintegers' : this, let (x,Y) : d. Then We may also supposethat (x,y) 1' To see (xvYt) : wherex1 and y itro Positiveintegers' x : dx1 and y = dY,, with 1' 1 since xa + Y4 : '2 ' vtehave (dx)4+(dYr)4:22, so that da(xf + Yf):'2'

2'2' we know that d' I t. Hence do | ,', and, by problem 32 of Section Thus' Therefore, z : d'r r, where z 1is a positiveinteger' da(xf + yf): (d2tr)': dor?,

so that xf+yl:t?.

x : xt'! : : zr This givesa solutionof xa + ya: '2 in positiveintegers lr'z with (xr,yr) : 1. : xa + y4: z2' where So, supposethat x: x,,l :10, z z.'is a.solutionof with (xe,-/o): 1 ' We will show that there xo, lo, andzsare positiveintegers : : zt with (xr'yl) : 1' is anothersolution in positiveintegers x xr,! lt, z: suchthat 21 1 zs. Sincexd + yt : zl,we have Gilz+ (y&)2:zE, we have so that x&, y&, ,o is a Pythagoreantriple. Furthermore, p y&' thenp xs l-fi, - i, ro. if p is a primesuch that p I x3 and I I r&> zs is a ;;';'l'ro, contradictingthe fact that (xq,lrq): l. Hence,*3,yE, afe prim-itiveiythagorean triple, and by Theorem-11.1, we know that there positiveintegers z andn with (z ,n), m # rl (mod 2) ' and x& : m2-n2 !& : Zmn zo: m2+n2,

yfr the even where we have interchangedx62 andyfr, if necessary'to make integerof this Pair. 400 Some Nonlinear Diophantine Equations

From the equationfor xfr, we seethat x&+n2:m2.

Since (m,n) : l, it foilows that x,s,n,m is a primitive pythagorean Again using tripre. Theorem I I .1, we seethat there are (r,s) : fositive integersr and s with l, r # s (mod2). and

ro : ,2-s2 n:2rs m - r2+s2.

Since m is odd and (m,n) : l, we know that (m,2d : l. We note that becausey&: (2dm, Lemma ll.3 tells us that there are positiveintegers z1 andw with m:t? and2n:w2. Sincew is even,w:2v wherev is a positiveinteger, so that

v2: n/2: rs.

since (r,s): I , Lemma 11.3 tells us that there are positiveintegers x1 erd y1 such that r : xl and : s y? . Note that since(r,s) : l, it easiryfolows that (xl,-yr) : l. Hence.

x{+yf: zl-2

where x ?re positive t,! t,z 1 integers with (r r,y1) : l. Moreover, we have zt I 26, because

zr(zf:m2

To complete the proof, assumethat xa * y4 : z2 has at least one integral solution' By the well-ordering property,we know that among the solutionsin positiveintegers, there is a solutionwith the smallestvalue is of the variable z However, we have shown that from this solution we can find another solution with a smaller value of the variable z, leading to a contradiction. This completes the proof by the method of infinite descent. n Readers interested in the history of Fermat's last theorem and how investigationsrelating to this conjecture led to the genesisof the theory of algebraicnumbers are encouragedto consult the booksof Edwards Il4l and Ribenboim Irt]. A great deal of researchrelating to Fermat'slast theoremis underway. Recently, the German mathematicianFaltings establisheda result that showsthat for a fixed positiveinteger n, n > 3, the diophantineequation xn + yn : z' has at most a finite number of solutionswhere x g, and,z are integersand (x,-y) : l. 401 11.3 Pell's Equation

ll.2 Problems and n is an integer n ) 2' then l. show that if x,! ,z is a Pythagorean triple x"*yn#zn. of Theorem I l '2' and the 2.. Show that Fermat's last theorem is a consequence : in nonzero integers when p is an assertion that xP * yp zP has no solutions odd prime. p is prime and 3. Using Fermat's little theorem, show that if a) if xp-l * yn-t : zP-r, then p | *yt . (x+Y-z). b) if xP + lP : zP, then p | has no solutions in nonzero 4. Show that the diophantine equation xo-yo: z2 integers using the method of infinite descent' with integer sides is 5.Usingproblem4,showthattheareaofarighttriangle never a Perfect square. - no solutions in nonzero 6. Show that the diophantine equation xa + 4ya z2 has integers. - : has no solutions in nonzero i. Show that the diophantine equation x' 8y4 z2 integers. : many solutions' 8. Show that the diophantine equation xa + 3ya z4 has infinitely perfect square' 9. Show that in a Pythagorean triple there is at most one infinitely many integer 10. Show that the diophantine equation xz + y2: z3 has k the integers solutions by showing that for each positive integer : x : 3k2-1, | - k(k2-3), z k2 * I form a solution.

tt.2 Computer Proiects

equations such l. Write a computer program to search for solutionsof diophantine asxn *Yn:zn.

11.3 Pell's Equation In this section,we study diophantine equationsof the form (11.2) x2-dy',:r,

(0, are no where d and n are fixed integers. When d <0 and n there most a finite solutionsof (11.2). When d < 0 and n ) 0, there can be at 402 Some Nonlinear Diophantine Equations

numberof solutions, sincethe equationx2 - dyr: n impliesthat JM. l"l < fi lrl < Also, note that when d is a perfect,quur., : il* sayd D2, - - x2 dy': x2 Dry : G+Dfl(x-Dy) - n Hence,any solutionof Qt.D, when d is a perfectsquare, corresponds to a simultaneoussolution of the equations ::'d=;, where a and b are integers : such that n ab. In this case, there are only a finite number of solutions, since there is at most one solution in integers of thesetwo equationsfor each factorization n : ab For the rest of this section,we are interestedin the diophantineequation x2 - dy':n, where d and n areintegers andd is a positiveinteger which is not a perfect square. As the following theorem shows, the simpL continued fraction of -,/v is very useful for the study of this equation.

Theorem 11.3. Let d and n be integers such that d > 0, d is not a perfect square, and < .lf - lrl r/7. x2 dyI: n, then xfy is a convergentof the simple continued fraction of ^/7.

Proof. First consider the casewhere n ) A. Sincex2 _ dyr: n,wesee that (tr.:) G +y./7)G -y,/V) : n From (tt.:), - we seethat x y.,/7 ) 0, sothat x > yrT. consequently, * _,/7>0, v and since 0 1 n < ,8, we seethat ta G -,/7v) YW v : x2-dY2 y G + y,/7) 403 1 1.3 Pell's Equation

\-fr YQYJA)

t fi \qI1 Zy'rld

:l L!) rr2

1 x_ that x must be a 0 < .,17< +, Theorem10.18 tells us ly Since v 2v'-r convergentof the slmple contlnueo1 fractionof JL - : by -d, to obtain When n ( 0. we divide both sidesof x2 dy' n v2- ,fr*':-3

we see that y /x is a By a similar argument to that given when n ) 0 o of ll.r/7' Therefore' convergent of the simple continuid fraction expansion must be a from problem 7 of Slction 10'3, we know tB *l!,:1l,j.,/x) : l/(l/{cl ) ' u converyentof the simplecontinued fraction of './d x2 - dy': n, we have^1"1 shown that solutionsof the diophantine equation the simple continued *h;; . .n, are gifn by the convergents of help us use these fraction expansion of fi. The next theorem will convefgentsto find solutionsof this diophantine equation'

^ perfect square' Theorem 11.4. Let d be a positive integer that is not --!*Q! - 'o'' and il; dk : (io + ',/hlQr, oo: [47.1, P*+r pt*'JlQ*, :0,1,2,... where ao: Jd ' Furthermore'Iet O;';-r: (;"- t* L of the simple continued fraction expansionof ;J;r denote tie kth convergent Jd. Then pt-dqt:(-1)&-rgp*1.

Before we prove Theorem 11.4, we prove a useful lemma.

u ^te rational Lemma 11.4.Let r*sr/V:t+rt/l wherer,s,t, and Then r : t numbers and d is a positive integer that is not a perfect square. ands:u.

proof. Since r * s,/7 : t * u,/7, *"see that if s # u then r-t ,/7 - u-s 444 Some Nontinear Diophantine Equations

By Theorem 10.1, (r-t)/(u-s) is rational, and by Theorem r0.2 irrational. : Jv i, Hence,s u, and consequentlyr : t. A We can now prove Theorem I 1.4.

Proof. Since ^E : o,0: Ias;ar, e2,...,ek,otk+tL, Theorem 10.9tells us that -vstj ott+tp* I p*_t ,rt"rrqk+ qrr'

: Since dk+t (pt *, + ,/7)/er+r we have JV: (P**t + ,8)p* * e*+pr,_t (P**, + ,/V)qr * et +rQ*_t

Therefore, we see that

dqt t (Pt+flt, I : (pr,+tpr, Qt +rQtr-r)fi * e*+rpt,-r) + p*fi.

From Lemma 11.4, we find : that dqr, P*+tPt, * Q*+et -r and Pt+fl* f pk Qt+rQn-t: When we multiply tt. first of these two equations by qt and the second pt, by subtract the first from the second, and then simplify, we obtain - : pt dqi (ptqt -t - pr-tQ*)eo*,: (- l)o-teo*r,

where we have usedrheorem 10.10to completethe proof. tr The special case of the _ diophantine equation x2 dy, : , with n : I is called Pell's equation. we will use Theorems ll.3 and rr.4 to find all solutions of Pell's equationand the relatedequation x2 - dy, : -t.

Theorem 1l'5' Let d be a positive integer that is not a perfect square. Let px/qt denote the kth convergent of the simple continued fraction of .8, k : 1,2,3,"' and let n be the period length of this continuedfraction. Then, y.!"n even, the positive solutions of the - ,r, diophantine equation x- ay" : I are : : j : r* lin- t, ! Qir-t, 1,2,3,...,and the diophantine equation x2 - : - dy' l has no solutions. when n is odd, the positive solutionsof x2 - d!':1 : are x p2jn-r,! : Qzin_r,j :1,2,3,... and the solutionsof xz - -l : dy': arex pei_Dn_r,l : Qei_r)n_r,j - 1,2,3,....

Pyoof. Theorem 1r.3 tells us that if xo,ro is a positive solution of x2 - dy': tl, then x0: p*2!o: Q* wherep*/q1, is a convergentof the simple continued fraction of ,/7 . On the other hand, from Theorem I 1.4 we know that 405 1 1.3 Pell's Equation

pt-dq?:(-l)ft-r21*1, whereQx*tisasdefinedinthestatementofTheoremll.4. is n, we know that Becausethe period cf the continued expansion oL"/j : ('int"J'l : ' Hence' Qjn: Qo:I for7 1,2,3,"', "tf pk-, - d q?^-t: (- l)i'Qni : (- I )/n'

a solution of This equation shows that when n is even Pin-t, Qin-t is is-a solution x2-dyz:l for 7 :1,2,3,..., and when n is odd,Pzin-t,421n-t x2 - dy': -l for of x2 - dy': I and Pz(j-Dr-r,Qz(i-Dn-,is a solutionof j : 1,2,3,... - :1 - : -1 To show that the diophantine equationsx2 dy' and x2 dy2 I have no solutions other than those already found, we will show that Qpal: -l : implies that n lk and that Q1 # for 7 1.2.3.... We first notethat if Qt*t: l, then c,k+l: P1ra1* 'ftr'

purely Since ok+l : la1ra,.a1r1z,...l,the continuedfraction expansiOnof a1a1is -1 1 a*+r: Pk+r- ''17 < O' periodic. Hence, Theoiem !0.20 tells us that This impliesthat Pk+t:lr/71, so that dk : c"o,and nlk'

ToseethatQl#-lfor7:l,2,3,""notethatQi:-limpliesthat-'Sin"" dj : -pi -G. ct; has a purely periodic simple continued fraction expansion,we know that -l < ei:-Pi+^ftt <0

and dj:-Pj--./7>t.

-r/7 From the first of these inequalities, we see that Pi > and, from the second, we see that Pi < -l -fi. Since these two inequalities for p1 are -1- contradictory,we seethat Qt # -1, Since we have found all solutionsof x2-dy2: I and x2-dy2: where x and y arc positive integers,we have completedthe proof. n

We illustrate the use of Theorem 11.5 with the following examples'

Example. Since the simple continued fraction of .,8 is tl;f ,f 'f ,f ,el the 406 Some Nonlinear Diophantine Equations

positivesolutions of the diophantineequation x2 I are pni_t,et.'j_t, i : l'2'3"" *T]: p1_o1/e.roi-r . .l3yr: is the (roi-l)th ctnvergentor ,r," simple continued fraction expansion .,m. of The least po-ritiu" sorution is pe:649, : 180. The positive {e solutions of the diophantine equation x2-13y2 : -I are : Prci-o,Qtoi-oi 1,2,3,...;the least positive solution is Pq: 18,qa: 5.

Example. Since -,.fr the continued fraction of is t3;Wl, the positive solutionsof x2 - t4y2_: : I are pai-1,e4j-r,j r,.2,3,...where p+i-tbqi-r is the convergentof 7th the simple continued fraction expansionof Vl4. The least positive sohltion is pt: 15, Qt: 4. The diophantine equation xz - l4y2 : -1 has no rotuiionr, since the period length of the simple continued fraction expansionaf ,/la is even. We conclude this section with the following theorem that shows how to find all the positive pell's solutionsof equation x2-- dyt : I from the least positive solution, without finding subsequentconvergents of the continued fraction expansionof ,/7.

Theorem 11.6. L9t xg1 be the least positive solution of the diophantine equation - : x2 dyL l, where d is a positive integer that is not a perfect square. Then all positivesolutions xk,lk are given by xtr*yrfi:(xt*yrr/v)o

(Note fork: that xp andy1, are determinedby the useof Lemma I 1.4).

Proof. We need to show that x1r,y1,is a solution for k : and that every solution is of this form. To show that x1,/r -.!! a solution, tst note that by taking conjugates, it follows - (x that x1, ytrfi: r- lr,,/T)k, becausefrom Lemma 10.4, the conjugate of a power is the power of the conjugate. Now, note that xt - dyt : (xp+ yr,fi)G,, - yr,fi) : (xr t y16)o (", - yrE)k : (x?- ayilo : 1.

Hence xk,lt is a solution for fr :

To show that every positive solution is equal to x*,lt< for some positive integer ft, assume that X,y is a positive solution different from x*,lk for : k 1,2,3,.... Then thereis an integerr suchthat 407 1 1.3 Pell's Equation

(xl + yJ7)" < x + Y./7 ( (xt * v]/a)n*t'

(x we obtain When we multiply this inequalityby t * y rfi)-"' ( I < (xr- rrfi)n(x + YJd) xt + YIIA' - : (x1 sincex? - dy?:1 impliesthat x t !t,[i * yt,[d)-t. Now let s * / ./7 :(r, - yrfi)'(x + YJI),

and note that s2-dtz:(s - tJa)(s+ t,/D : (xt + yf/7)'8 - Y,l7)Gt - yrfi)n(X + YJA) : (*?- dy?)'8' - dYz) -l - t.

- we know that We seethat s,/ is a solutionof x2 dy': l, and furthermore, + > 1, i .; ,fr'.'"*;;';r",lV.--Mor.oner, sincewe knowthat s t-,/7 wesee that 0 < (s + tJa)-r < 1. Hence 1- r : t r,/7>+(s - r.'.ff)l> o +t(s/-

and , : 1[(s + t-./7)- (s - t',17)]> o. 2Jd

t'2 y1, by the This meansthat s,/ is a positivesolution, so that s 2 x1,and contradicts the choice of x1,y1 as the smallest-positivesolution' But this be xpy1, for some inequality s * f ../7 < xr * ytfi. Therefore X,I' must choice of /c. tr To illustratethe use of Theorem I1.6, we have the following example'

positive solution of Example. From a previous example we know that the least - Hence' all the diophantineequation x2 l3y': I is xt:649, -Pr: 180' positive solutionsare given by xt, yp where x* * yr,./n : (649+ tgo\[Lte .

For instance,we have 408 SomeNonlinear Diophantine Equations

xz* y 2,8 : 842361+ 233640.,/lt Hence x2:842361, y2 : 233640 is the least positive - : solution of x2 l3y2 l, otherthan X1- 649,y' : 180.

ll.3 Problems

l ' Find all the solutions of each of the foilowing diophantine equations a) x2 + 3y2:4

b) x2 + 5y2:7

c) 2x2+ 7y2:30.

2' Find all the solutions of each of the following diophantine equations a) x'-y':B

b) x2 - 4y2: 40

c) 4xz - 9/2 : loo.

3' For which of the following values of n does the diophantine equation x2 - 3ly' : n havea solution

a)l d) -3 b) -1 d4 c)2 f) -s?

4. Find the least positive solution of the diophantine equations

a) x2 - 29y2: -1 b) x2 - 29yz: 1.

5. Find the three smallest positive solutions of the diophantine equation x2-37y2:1.

6. For each of the following values of d determine whether the diophantine equationx2 - drz : -l has solutions

il2 e) tj b)3 f) 3l c)6 e) 4r d) 13 h) s0.

7. The least positive solution of the diophantine equation xz - 6lyz : 1 is xt:1766319049, lt- 2261i398A. Find the least positivesolution other than x t,l t. 1 1.3 Pell's Equation 409

8. S!g* that if pr/qt is a converggntof the simple continued fraction expansionof Jd thenlp? - dq?l < | + zJd. 9. Show that if d is a positive integer divisible by a prime of the form 4ft * 3, then the diophantineequation x2 - dy': -l has no solutions.

Let d and n be positive integers.

il Show that if r,s is a solution of the diophantine equation x2 - dyz : I and X,Y is a solution of the diophantine equation x2 - dy' : , then Xr + dYs, Xs t Yr is alsoa solutionof x2 - dy': r.

b) Show that the diophantine equation x2 - dyz: n either has no solutions,or infinitelv many solutions.

I l. Find those right triangles having legs with lengths that are consecutiveintegers. (Hint: use Theorem 11.1 to write the lengths of the legs as x -.r2 - 12 and y :2st, where s and t are positiveintegers such that (s,t) : l, s ) / and s and t have opposite parity. Then x-y:il implies that (s - r)2- 2t2: +1.)

12. Show that each of the following diophantine equationshas no solutions

a) xa-2ya:1 b) x4-2y2--1.

11.3 Computer Projects

Write programs to do the following:

1. Find those integers n with lrl < Ji such that the diophantine equation x2 - dyz: rz has no solutions.

2. Find the least positive solutions of the diophantine equations x2 - dy': I and x2 - dy2- -1.

3. Find the solutionsof Pell's equation from the least positive solution (seeTheorem I 1.6).

Appendix 412 Appendix

Tabfe 1. FactorTable.

The leastprime fac1o1,of .::h.odd positive integerless than 10000and not divisibleby five is givenin the table. ThJinitial digitsof tile integeiare listedto the sideand the lastdigit is at the top primes of the column. are indicatedwith a dash..

1379 1379 1379 1379 0 -1311- 3 4A 80 3 ll 3 - t20 I 317 3 4l 3 7 3- 8l 319 3 t2l 7 --23 2 3- 3- 42 373 82 r22 3- 3- 3 3- 3 43 19_ 83 3 7 3- 123 4 3- 3 7 44 3- 3- 84 29373 t24 17fi29_ ) 3- 3- 45 lt 3- 3 85 23-- 125 3 7 3- 6 3- 3 46 7 86 3 - 3 lr r26 13373 7 7^ 47 3 ll 3 - 87 13 3- 3 t27 3119 8 3- 3- 48 13 3- 3 88 7 128 3- 3- 9 7 3- -r7 3 49 7_ 89 3 19 329 t29 3- t0 3 50 3- 3- 90 t7 3- 3 130 7 n 3- 3 7 51 7 3lI 3 9r - ll 7 - 131 3 13 3 - t2 ll 3- 3 52 1723 92 313 3- r32 3- 3 13 7-- 53 313 3 7 93 7 3- 3 r33 rr 31 7 13 14 3 ll 3 - 54 3- 3 94 -23 - 13 134 317 319 15 3- 3 55 19 7-13 95 3 8 37 135 7 323 3 l6 7--13 56 3- 3- 96 3t 3- 3 136 -29-37 t7 3- 3- 57 3- 3 97 7 -tl r37 3- 3 7 l8 3 11 3 58 7ll-19 98 3- 323 r38 319 3 l9 59 3- 3- 99 3- 3 139 13 7tt- 20 3 7 3 ll 60 3- 3 100 7t719- 140 323 3- 2l 373 6l 13- l0l 3- 3- t4l 17 313 3 22 13- 62 3 7 3t7 t02 313 3 r42 7--- 23 3- 3- 63 373 103 t7- r43 3- 3- 24 313 3 _ 64 ll rc4 3 7 3- 144 ll 3- 3 25 - ll - 7 65 3- 3- 105 37 3 145 31- 26 3- 3- 66 323 3 106 1t - t46 3 7 313 27 3- - - 3 67 ll 7 107 329 313 147 37 3 28 717 68 3- 3r3 r08 23 3- 3 148 29 3 - 3 13 69 317 3 109 7 r49 3- 3- 30 7 3- -19 3 70 7- ll0 3- 3- 150 19 3 11 3 3l - ll 7l 323 3- lll lt 3- 3 r5l -1737 7 32 3t7 3 7 72 7 3- 3 lt2 19- 7- rs2 3 - 3 11 33 3- 3 - - 73 t7 1l ll3 3 ll 3 t7 153 329 3 34 ll 7 - - 74 3- 3 7 rt4 7 331 3 r54 23- 7- 35 3- 3- 75 3- 3 ll5 1319 t55 3- 3- Appendix 413

Table 1. (Continued).

r379 1379 1379 1379

36 19 3- 3 76 7t3- ll6 3- 3 7 156 7 3- 3 37 7-t3- 77 3- 3r9 rt7 3 lt 3 t57 - 11t9 - 38 3- 3- 78 ll 3- 3 118 7 -29 158 3- 3 7 39 t7 3- 3 79 713-17 ll9 3 - 3 ll 159 37 3- 3 160 7-- 2m 3- 3 7 240 7 329 3 280 753 r6l 3- 3- 201 3- 3 241 -19-41 281 329 3- t62 3- 3 202 43 7 -- 242 3- 3 7 282 7 3rt 3 r63 723-ll 203 3r9 3- 243 ll 3- 3 283 19--17 t64 331 317 204 13 323 3 244 7 -31 284 3- 3 7 r65 t3 3- 3 205 7-tl29 245 3 ll 3 - 285 3- 3 r66 ll - 206 3- 3- 246 23 3- 3 286 747t9 r67 3 7 323 207 t9 33t 3 247 7 --37 287 313 3- r68 41 373 208 248 313 319 288 43 3- 3 r69 19- 209 3 7 3- 249 47 3ll 3 289 7rl-13 170 313 3- 210 u373 250 4t-2313 290 3- 3- 17l 29 3r7 3 2tl 29 t3 251 3 7 3 ll 291 4t 3- 3 172 - - ll 7 2t2 3 ll 3 - 252 37 3 292 2337-29 173 3- 337 2r3 3- 3 253 -t743- 293 3 7 3- 174 3- 3 2t4 --19 7 254 3- 3- 294 l7 37 3 175 r7- 7- 2t5 3- 3t7 ?5S 3- 3 29s t3 - - ll 176 341 329 2r6 3 ll 3 256 t3lt17 7 296 3- 3- 177 7 3- 3 217 l34t 7 - 257 331 3- 297 313 3 178 13- 2t8 337 3rl 2s8 29 313 3 298 ttt929 7 179 3ll 3 7 2r9 7 313 3 259 723 299 341 3- 180 313 3 220 3r--47 260 3r9 3- 300 331 3 l8l 723t7 22r 3- 3 7 26r 7 3- 3 301 -23 7 - r82 3- 331 222 317 3 262 -4337r1 302 3 - 3 13 r83 3 ll 3 223 23 7-- 263 3- 3 7 303 7 3- 3 184 719-43 224 3- 3r3 264 19 3- 3 304 - t7 11- 185 317 3lr 225 337 3 265 ll 7 -- 305 343 3 7 186 3- 3 226 731-- 266 3- 3t7 306 3- 3 t87 227 3- 343 267 3- 3 307 37 717- 188 3 7 3- 228 3- 3 268 7--- 308 3- 3- 189 31 37 3 229 29--ll 269 3- 3- 309 11 3 19 3 r90 - lt -23 230 3 7 3- 270 37 3- 3 3r0 72913- l9l 3- 3r9 231 37 3 27r ll - 3ll 3 l1 3 - 414 Appendix

Table 1. (Continued).

l3 7 9 1379 1379 1379 192 t7 341 3 232 n23t3t7 272 3 7 3- 3t2 353 3 r93 --13 7 233 3- 3- 273 37 3 3r3 ; 13-43 r94 329 3- 234 3- 3 274 - 134t - 3r4 3 7 347 195 319 -13- 3 235 7 275 3 - 3 3l 315 23 373 r96 3713 7tl 236 3r7 323 276 ll 3- 3 316 r97 29- 3- 3- 237 3- 3 277 1747- 7 317 198 3 19 3 ll 7 3- 3 238 7- 278 3 11 3 - 318 r99 - 3- 3 11 239 3- 3- 279 3- 3 3le- 3rz37 320 3- 3- * :oo 13 3- 3 400 _19 440 3 7 3- 321 13 3- 3 361 23-- 7 40r 3- 3- 44r lr 3 7 3 322 - l1 7 - 362 3- 319 402 3- 3 442 1943 323 353 34r 363 3- 3 403 2937tt 7 443 3ll 323 324 7 317 - 3 364 ll 7 4l 404 313 3- 444 3- 3 325 365 313 3- 405 3- 3 445 -6t- 7 326 313 3 7 366 7 319 3 406 3tt7 713 446 3- 34r 327 329 -13 3 367 40'7 3- 3- 447 17 3 11 3 328 r7 7 19ll 368 329 3 7 408 7 361 3 448 767 329 337 3- 369 3- 3 409 l7- 449 3 - 3 ll 330 3- 3 370 7tt_ 4r0 3ll 3 7 450 7 3- 3 331 7-3r- 37r 347 3- 4tr 323 3 451 13- 332 3- 3- 372 61 3- 3 412 t3 7-- 452 3- 3 7 333 347 3 373 7-37- 413 3- 3- 453 23 313 3 334 13-_-17 374 319 323 414 41 3 1l 3 454 19 7*- 335 3 7 3- 375 ll 313 3 4t5 7--- 455 329 347 336 -53 37 3 376 416 323 311 456 3- - - 3 337 ll 3l 377 3 7 3- 4t7 43 3- 3 457 71723t9 338 3r7 3- 378 19373 418 37 47 53 59 458 3 - 3 13 339 343 3 379 t7--29 419 3 7 313 4s9 3- 3 340 l94r- 7 380 3- 331 420 37 3 460 43-t7lI 341 3- 313 381 37 3ll 3 421 - lt 461 3 7 331 342 ll 323 3 382 --43 7 422 341 3- 462 373 343 47- 719 383 3- 311 423 319 3 463 tt4t-- 344 - 3 ll 3 384 23 3- 3 424 --31 7 464 3- 3- 345 7 3- 3 385 717 42s 3- 3- 465 3- 3 346 386 3- 353 426 3t7 3 466 59-13 7 347 323 3 7 387 7 3- 3 427 7tl 467 3- 3- 415 Appendix

Table 1. (Continued).

-1113- 3- 3- 468 31 343 3 348 59 3 1l 3 388 428 7 3- 3 469 -13 737 349 713- 389 3r7 3 7 429 430 1113 59 3l 470 3- 317 350 3 31 3 ll 390 47 3- 3 't -- 319 3',l 471 353 3 351 3- 3 39r 7 431 29 3- 3 4',72 29- 352 713-- 392 3- 3- 432 61 7-- 473 3- 3',l 3s3 3- 3- 393 33r 3 433 --rl 343 3- 474 11 347 3 354 3- 3 394 7 434 3- 3 475 767- 5311 39s 359 337 435 19 355 476 311 319 3 7 343 396 t7 3- 3 436 7-lr17 356 477 13 317 3 37 3 397 tr 2941 23 437 3- 329 357 478 7 --- 1737 398 3 7 3- 438 13 341 3 358 -23-53 479_ 3- 3- _ 3- 359 399 13373 439 359 -Tt1 qt*- r 7t 600 17 3- 3 480 :tn- 3- 5zo 560 :-Tl 341 3 601 7tl13 481 t7 - - 61 521 313 317 561 31 7-1713 602 3r9 3- 482 3 7 3 11 522 23 3- 3 562 -13 343 3- 603 37 3- 3 483 37 3 523 563 3- 3 604 7 --23 484 47 29 37 13 524 3 7 329 564 605 3- 373 485 323 343 525 59373 565 7 3- 606 11 3- 3 486 3 31 3 526 -1923rr 566 3 607 13-59- 487 - 1l - 7 527 3- 3- s67 53373 - 11- 608 3 7 3- 488 319 3- s28 317 3 568 13 - 341 609 37 3 489 67 359 3 s29 1167 7 s69 3- 3 610 -r73141 490 13- 7- 530 3- 3- 570 313 -29- 3- 329 3- 531 47 313 3 571 7 611 491 317 3 -r t7- 773 572 359 3t7 612 3 11 492 313 3 532 1'1 '7 3 613 I 493 - 1l 533 3- 319 573 11 3- 't- 614 3 - 3 l1 494 3- 3 7 534 7 3- 3 5',74 13 615 347 3 495 3- 3 535 -531123 )t) 3 11 3 3 6r6 6r- 731 496 11 7 - - s36 331 3 7 576 7 373 617 3- 337 497 3- 313 537 41 319 3 5',77 2923s3- '7 -17 7 618 323 3 498 17 3- 3 538 7 578 3- 3 619 4111 499 7-19- s39 3- 3- 579 3 11 3 4^- | - JI 620 3- 3 7 s00 3- 3- 540 11 3- 3 580 - 3- 3 329 3 54r 7--- 581 3 3 11 621 501 ^a '7 5- J 622 13- 502 ll 47 542 311 361 582 623 323 3r7 503 3 7 3- 543 3- 3 583 71913- 416 Appendix

Table 1. (Continued).

504 7r373 544 13_ 584 3- 3- 624 79 3- 3 505 -31 13_ 545 3 7 353 585 3_ 3 625 713-tr 506 361 337 546 43373 - 586 ll 626 3- 3- 507 Ir 3- 3 547 -13 587 3 7 3- 627 3- 3 508 -13- 7 548 3 - 3 ll 588 373 628 ll6l-19 509 3 lt 3 _ 549 17 323 3 589 4371-17 629 3 7 3- 510 3- 3 550 7 590 3- 319 630 373 5ll 19- 7- 551 337 3- 591 23 361 3 631 - 59- tl 512 347 323 552 3- 3 592 3t - - 7 632 3- 3- 513 7 3ll 3 553 - ll 7 29 593 317 3_ 633 13 3- 3 514 5337-19 s54 323 331 594 13 319 3 634 t7-tt 7 515 3- 3 7 555 7 3- 3 595 11- 7 s9 635 3- 3- 516 13 3- 3 556 67-19- 596 367 347 636 3- 3 517 731_ s57 3- 3 7 597 7 343 3 637 23- 7- 518 37r 3- s58 337 -31-53 3 598 638 313 3_ 519 29 3- 3 559 729tl 599 313 3 7 639 7 3- 3 640 37 1943 t3 680 3 - 3 1l 720 19 3- 3 760 ll - - 7 64r 3 1l 3 7 681 7 3t7 3 721 7- 761 323 319 642 3- 3 682 t9- 722 3 31 3 - 762 329 3 643 s9 74147 683 3- 3 7 723 7 3- 3 763 1317 7- 644 317 3- 684 34r 3 724 13--ll 764 3- 3- 645 3 ll 3 685 13 7-19 725 3- 3 7 765 7 3t3 3 646 72329-_ 686 3- 3- 726 53 313 3 766 477911- 647 3 - 3 ll 687 313 3 727 il 7 1929 767 3- 3 7 648 313 3 688 7 -7t83 728 3- 337 768 3- 3 649 -437367 689 361 3- 129 23 3- 3 769 743_ 650 3 7 323 690 57 3- 3 730 767-- 770 3 - 3 13 651 17373 - - 69r 31 lt 73r 37t 313 771 ll 652 - ll6l _ 3- 3 692 3 7 313 732 3t7 3 772 7--59 6s3 347 313 693 29373 733 --lt4l 773 311 371 654 31 3- 3 694 ll 53 734 3 7 3- 774 361 655 --79 7 3 695 317 3- 735 37 3 775 23- 656 3- 3- 696 3- 3 736 173753- 776 3 7 317 657 3- 3 697 - 19- 7 737 373 347 777 t9373 658 -29 7 11 698 3- 329 738 1l 383 3 778 314313- 659 319 3- 699 3- 3 739 19-13 7 779 3 - 3 1l 417 Appendix

Table 1. (Continued)'

1379 1379 1379 1379 '740 31 780 29 331 3 660 7 3- 3 700 -47 743 3 11 3 3 781 7313- 7 661 111713- 701 3- 3- 741 3- '702 782 3- 3- 662 337 3 7 7 3- 3 742 4113 117 783 41 3t7 3 663 19 3- 3 703 791331- 743 3- 343 3 784 - 11 7 47 664 29 71761 704 3- 3 7 744 7 3ll -29 785 3- 329 665 3- 3- 705 1l 3- 3 745 786 7 3- 3 666 359 3 706 23 737- 746 3r7 3 7 - 787 667 7-lr- 707 3 11 3 747 31 3- 3 788 3- 3 7 668 341 3- 708 73 319 3 748 7-- 789 13 353 3 669 337 3 709 741473r 749 359 3- 790 7 -rl 670 19- 7r0 3- 3- 750 13 3- 3 -73 791 341 3* 671 3 7 3- 7tl 13 3 11 3 751 7 rl 792 89 3- 3 672 ll 3 7 3 7t2 752 3- 3- 793 7 --r7 673 53--23 713 3 7 3 11 753 t7 3- 3 -19 794 3* 674 3 ll 317 7t4 37 37 3 754 3r3 795 373 3 675 43 329 3 715 -2317 - 755 3 7 3- 19-3113 676 --67 7 7t6 3 13 367 756 37 3 796 - - 3 7 379 677 313 3- 717 7r 3- 3 757 67 1l 797 23373 678 3 1l 3 718 43rr- 7 758 3- 3- 798 6l-1119 679 713 7t9 3- 323 759 371 3 799 3- 3- 800 353 3- 840 31 3 7 3 880 13--23 920 61 3r3 3 801 3- 3 841 t34719- 881 3 7 3- 92r aa 922 -23 - l1 802 137123 7 842 5- 882 37 3 - 3 7 3- 803 329 3- 843 3 ll 3 883 ll 923 37 3 804 1l 3 13 3 844 23-- 7 884 337 3- 924 il 19-47 805 83- 7- 845 379 3ll 885 53 317 3 925 3s9 313 806 3 ll 3 - 846 3- 3 886 7 926 3- 3 807 7 341 3 847 433776r 887 319 313 927 73 --37 7 808 -59 848 3r7 313 888 83 3- 3 928 3r7 809 3- 3 7 849 7 329 3 889 t7- 7ll 929 3- 34r 3 810 3 ll 3 850 -114767 890 329 3s9 930 71 -67 7 - 811 7 -23 851 3- 3 7 891 7 337 3 931 - - 3- 319 812 3 - 3 1l 852 3- 3 892 11 79 932 7 3- 3 813 47 379 3 8s3 19 7-- 893 3- 3 7 933 13- 814 7 r7 -29 854 3- 383 894 323 3 934 3 7 815 3 31 3 4r 855 r7 343 3 895 71317 935 347 418 Appendix

Table 1. (Continued).

1379 1379 1379 1379 816 3- 3 856 7-1311 896 3- 3- 936 ll 317 3 817 -1113- 857 3- 323 897 347 3 937 7 _83 818 3 7 319 858 331 3 898 7131189 938 3ll 341 819 373 859 ll 13 899 317 3- 939 3- 820 591329_ 3 860 3 7 3- 900 3- 3 940 7 -2397 821 343 3_ 86r 79373 901 7l 29 94r 3- 3- 822 319 3 862 37-- 902 3 7 3- 942 823 3 ll 3 7 863 389 353 903 lr 3 7 3 943 824 3 - 373 864 3- 3 904 83- 944 3 7 3 ll 825 37 323 3 865 4tt7tt 7 905 3 ll 3 - 945 t3373 826 l1- - 7 866 3- 3- 906 13 3- 3 946 -17 827 3- 3r7 867 13 3- 3 907 474329 7 947 3- 3- 828 7 3- 3 868 -19 7- 908 331 361 948 19 353 3 829 _43 869 3- 3- 909 3 ll 3 949 - ll - 7 830 319 3 7 870 7 3- 3 910 19- 7- 950 3 13 337 831 3- 3 871 31-23- 9tl 3 31 3 1l 951 3 31 3 832 53 7tt- 872 311 3 7 912 7 3- 3 952 -89 7 t3 833 3 13 3 31 873 3- 3 913 23- - 13 953 3- 3- 834 t9 317 3 874 7-13 9r4 34t 3 7 954 7 3- 3 835 7-6r13 875 3- 319 915 3- 3 955 - 4119 l1 836 3- 3- 876 3 ll 3 916 789s3 956 373 3 7 837 il 3- 3 877 73167- 917 3- 367 957 t7 361 3 838 1783 878 3 - 3 1l 9r8 3- 3 958 11 7 -43 839 3 7 337 879 59 319 3 919 72917- 959 353 329 960 3 13 3 970 893118 7 980 3- 317 990 3- 3 961 7-59- 971 3 ll 3 - 981 3- 3 991 rr2347 7 962 3- 3- 972 37t 3 982 7tt3r- 992 3- 3- 963 323 an4 3 973 t- 983 3- 3- 993 319 3 964 - - 3l ll 974 3- 3- 984 13 343 3 994 -61 7- 965 3 7 313 975 7 3rt 3 985 -59 99s 337 323 966 37 3 976 43 t3 986 3 7 37r 996 7 3- 3 967 t9 t7 977 329 3 7 987 373 997 13-ut7 968 323 - 3 978 3- 3 988 4t - - ll 998 367 3 7 969 l1 3- 3 979 19741 989 313 319 999 97 313 3

Reprinted with permission from u. Dudley, Elementary Number Theory, Second Edition, copyrighto 1969 and l97g by w. H. Freeman and company. All rights reserved. 419 Appendix

Table 2. Valuesof Some Arithmetic Functions'

I I I I 3 2 I 2 4 3 2 2 4 2 J 6 5 4 2 t2 6 2 4 'l 6 2 I l5 I 4 4 l3 9 6 3 l8 l0 4 4 t2 ll l0 2 28 t2 4 6 t4 l3 t2 2 24 l4 6 4 24 l5 I 4 3l l6 8 5 l8 t'l l6 2 39 l8 6 6 l9 l8 2 20 2A 8 6 42 2l t2 4 32 22 l0 4 36 23 22 2 24 24 8 8 60 25 20 3 3l 26 t2 4 42 2'I l8 4 40 28 t2 6 56 29 28 2 30 30 I 8 72 3l 30 2 32 32 l6 6 63 48 33 20 4 34 l6 4 54 48 35 24 4 9l 36 t2 9 38 5I 36 2 38 l8 4 60 39 24 4 56 40 l6 8 90 4l 40 2 42 42 t2 8 96 43 42 2 44 44 20 6 84 45 24 6 78 46 22 4 72 4"1 46 2 48 48 l6 l0 124 49 42 3 57 420 Appendix

Table 2. (Continued).

50 20 6 93 5l 32 4 72 52 24 6 98 53 52 2 54 54 l8 8 120 55 40 4 72 56 24 8 120 57 36 4 80 58 28 4 90 59 58 2 60 60 l6 t2 6r 168 60 2 62 62 30 4 96 63 36 6 104 64 32 7 127 65 48 4 84 66 20 8 144 67 66 2 68 68 32 6 r26 69 44 4 96 7A 24 8 t44 7l 70 2 72 72 24 t2 r95 73 72 2 74 74 36 4 n4 75 40 6 t24 76 36 6 11 140 60 4 96 78 24 8 168 79 78 2 80 80 32 t0 186 8l 54 5 t2r 82 40 4 r26 83 82 2 84 84 24 t2 224 85 64 4 108 86 42 4 t32 87 56 4 120 88 40 8 180 89 88 2 90 90 24 t2 234 9l 72 4 n2 92 44 6 r68 93 60 4 128 94 46 4 t44 95 72 4 t20 96 32 t2 252 9',| 96 2 98 98 42 6 t7l 99 60 6 r56 100 40 9 217 421 Appendix

Table 3. PrimitiveRoots Modulo Primes

prime p, p < 1000is givenin the table' The leastprimitive root r modulop for each

709 2 l9l l9 439 r5 2 1 719 ll 193 5 443 2 3 2 727 5 r97 2 449 3 5 2 733 6 199 t 457 l3 7 3 739 3 2tl 2 46r 2 1l 2 743 5 2 223 3 463 J l3 2 75r 3 3 227 2 467 t7 13 751 2 2 229 6 479 l9 n 6 487 J 76r 23 5 233 3 49r 2 769 ll 29 2 239 7 499 1 773 2 31 3 241 7 s03 ) 787 2 3',1 2 251 6 s09 2 797 2 4l 6 257 3 3 809 3 43 3 263 5 521 2 811 3 47 5 269 2 523 541 2 82r 2 53 2 271 6 2 823 J 59 2 277 5 547 2 827 2 6l 2 28r 3 5)/ 2 829 2 67 2 283 3 563 3 839 ll 7I 7 293 2 569 3 853 2 73 5 307 5 57r 5 857 3 79 3 311 T7 577 2 859 I 83 2 313 l0 587 3 863 5 89 3 317 2 593 7 877 2 97 5 331 3 599 7 881 3 l0l 2 33',1 10 601 3 883 2 103 5 347 2 607 2 887 5 107 2 349 2 613 3 907 2 109 6 3s3 3 617 2 9ll l7 113 3 359 7 6r9 3 919 7 127 3 367 6 63r 3 929 3 131 2 373 2 641 ll 937 5 r37 3 379 2 643 5 94r 2 139 2 383 5 647 2 947 2 t49 2 389 2 653 2 953 3 l5l 6 397 5 659 z 967 5 157 5 401 3 601 5 97r 6 163 2 409 21 673 977 3 5 419 2 677 2 r67 983 5 r73 2 421 2 683 5 3 991 6 179 2 43r 7 691 2 997 7 l8l 2 433 5 701 422 Appendix

Table 4. Indices

p Numbers

I I r( l: lt2 l: I to l! l8 )1 22 29 28 3r 30 3i 36 4l 40 43 42 47 46 53 52 59 58 6l 60 67 66 7l 70 73 72 79 78 83 82 89 88 97 96 'ilil,Y,l'il;i l^ilrrl trlfr|JIl,lil'i p Numbers t7 18l19 20 2l 22 23 24 25 26 27 28 29 30 3l 32 33 l9 l0 el I 23 7 Indices rzlrs 5 l3 lt tl 29 2l ll I e 24 t7 26 20 8 l6 l9 rslr+l 3l 7 z6i 4 8 29 t7 27 l3 l0 5 rlrol I l5 37 7 17135 25 22 3l l5 29 l0 t2 6l34l2l t4 9 5 20 4l 33 16 I e 34 t4 29 36 l3 4 l7 s rr j 23 28 l0 l8 43 38 I I zslrc37 36 t5 t6 40 8 l7 3l sl4r ll 34 9 3l 47 t6 12l4s 37 6 25 5 28 2 29 t4l22l3s 39 3 44 27 53 l0 3sl'3749 3l 7 39 20 42 25 sl116146l3 33 f 23 59 40 43138 8 t0 26 l5 53 t2 46 3412012857 49 5 t7 6l 47 t3li26 24 55 l6 57 9 44 4l nlsrlrs 29 59 5 2l 67 64 13ll0 17 62 60 28 42 30 20 stl2sl44 55 47 5 32 7l 49 581 16 40 27 37 l5 44 56 45 a rr oa 60 ll 30 57 73 2l 20162 I I 17 39 63 46 30 2 67 18l4el35 l5 ll 40 6l 79 2l 6132 I 70 54 72 26 l3 46 38 3l6llll 67 56 20 69 83 56 63147 29 80 25 60 75 54 78 s2lt0l12 l8 38 5 t4 89 6 r8135 t4 82 t2 57 49 52 39 3l2slse87 3l 80 85 97 89 78181 69 5 24 77 76 2 59 l8l 3l13 9 46 74 60

Reprintedwith permission from J. V. Uspenskyand M. A. Heaslet,Elementary Number Theory, McGraw-Hill Book Company.Copyright O 1939. 423 Appendix

Table 4. (Continued).

Numbers p

3'l I l9 t8 4l r9 2l 2 32 35 6 20 Indices 43 23 l8 l4 4 33 22 6 l2l I I 4l 23 47 34 33 30 42 l7 3l 9 tsl24 13| 431 ')) | 40 44 2l 23 s3 ll 9 36 30 38 4l 50 4s132 8l 29 23 54 36 59 4l 24 44 55 39 3'l 9 14l ll 33I 27 148 16 58 20 l0 38 6l 48 ll l4 39 27 46 2s 54156 431 ri I 34 50 43 46 67 65 38 l4 22 ll 58 l8 s3163 el 6rl 27 29 9 50 2 7l 55 29 64 2A 22 65 46 25133 48 43 l0 2l 1 1 66 78 29 34 28 64 70 65 25 tl+t 5r 7rI l3 54 3l 38 I l7 28 79 25 37 l0 t9 36 35 74 75158 4el761 64 30 59 76 l6 83 57 35 64 20 48 67 30 40181 7tl 26 1 7 6l 23 65 74 89 22 63 34 ll 5l 24 30 2lll0 2el28 72 73 54 1 62 97 27 32 t6 9l l9 95 85139 4l 58 145 l5 84 l4 Numbers p 65 50 5l 52 53 54 )) 56 )t 58 59 60 6l 62 63 64

53 43 27 76 IncLices 59 r3 32 47 22 35 3l 2l 30 29 6l 45 53 42 33 t9 37 52 32 36 3l 30 48 35 6 34 67 3l 5t 2l 57 52 8 26 49 45 36 56 53 36 67 7l 62 5 5l 23 l4 59 t9 42 4 J 66 69 I 17 '73 l0 27 3 53 26 56 57 68 43 5 23 58 45 48 60 '7'7 lle 79 50 22 42 52 65 33 t5 3l 7l 45 160 55 24 18 83 55 46 79 59 53 5l ll 37 13 34 l9 66 l3e 70 6 22 89 68 7 55 78 l9 66 4l 36 75 43 l5 69 147 83 8 5 97 36 63 93 l0 \) 87 37 55 47 67 43 64 t80 75 t2 26

Numbers p 't0 'tl 't6 66 67 68 69 72 73 74 75 II 78 79 80 8l

67 33 7l 63 47 6l 4l 35 Inclices 78 69 50 JI 52 42 44 36 79 73 48 29 2'7 4l 5l t4 44 23 4'l 40 43 39I 83 t5 45 58 50 36 33 65 69 zl 44 49 32 68 143 3l 42 89 13 56 38 58 79 62 50 20 27 53 67 77 40 142 46 4 97 94 57 6l 5l 66 lt 50 28 29 72 53 2l JJ t30 4l 88

Numbers p 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96

83 4l Indlces 89 37 6l 26 76 45 60 44 '73 97 23 t7 90 38 83 92 s4l'7e156 149 201 22 82 48 Appendix

Table 4. (Continued).

p Indices I 2 3 4 5 6 7 8 e{t0llt l2 l3 t4 l5 t6 2l rl | | | 21 41 3l rl I ll 3l 21 6l 41 5l I Numbers ll 2l 4l8l slrol I I 7l3l6l 'l I Ir 2l 4l 8l 3l aln ul el slrol zl I l' 3l elrolnl slrs trlrolr+l al tl 4 t2 2l al r l! 21 4l sl rol rgl 7) t4l elrs;rzlrslrrl l 2. 5l 2ltol rl olrzl s +lzol rl 17l16l llI tlzzl rslzrI nl lsl I 2l 21 4l altol :l 6l rz z+ rs I rs t vl zal 3l 3l el271rolzelrcl 1 ! ! I I I zt I zs t7| 20I 2eI zsI n I al z+lro I :oI zsI 3'' 21 4l al roltzlztl t7 34 n zelrs 41 olrelrrlzslztl:Bl I l3t l2sI I I :oI z:I s I zeltolrel32l28l +lz+lztl glrsl 43 3l slzt llslzel+rl 37 rz ro ro +l rzl 4'l slzs l2s; I I | rclzzl ztl I rrI r+lzzlul n | 8| 40lrz I r: I re| +l I ztl +tl n I 53 2l 4l 8lt6l:zlrrl z2l44lrs rz :+ rs m t Al 59 zl +l I | | I I I zal slrolrzl si t0 | z0| 40| 2t | +z! zsI soI +r I zt I +eI 6l zl 4l alrel:zl :l 6l t21z+l +t I tsI q I rsI :oI rt I zzl 67 2l 4l sl roltzleqlr 5sl+rlul rsl ol rsl 7l Tl4elsqlsrlsrl I :ol sl roi zl 141211+21 +s | :r | +lztl s+I z: I rsI 73 slzslszl+rlstl sl ril 2l lol sol:r I el+sl olsol a I 79 3l elztl zl elrsl ,11+lrzlxlzt slz+lzzlsslrol 83 I zl 4l sl roltzloal 15| t I t+ | zaI seI zqI ssI t: I ee| +qI 89 3l el27lsrloslrzl itl64l t+l +zly lzzI eoI zoI ooI zl 97 sl2sl28l43l2tl sl ol ol lol s:I zrI ul zgl+s | +el:e I

p Indices t7 l8 t9 20 2l 22 I 23 24 25 26 27 28 29 30 3r 32 33 19 l0 I 23 l5 6 t2 l4 I I Numbers 29 2l l3 26 23 t7 ) l0 20 ll 22 rs r 3l 22 I I I 4 l2 5 l5 t4 II 2 6 l8 tlzr I 37 l8 36 lr:l 35 33 29 21 ) l0 20 3 6lt2l24 1 I | ll 22 t4 41 26 33 34 40 35 5 30 t6 t4 2 9 l3 37 t'l 43 26 35 l9 l4 42 Irzltrlzz 40 34 t6 ) l5 2l 6l18 II 33 I3 39 47 38 2 l0 3 l5 | 28 46 42 22 16 3312412636 39 35 53 J 6 t2 24 48 43 33 l3 26 52 sll4el4s 37 21 42 3r 59 33 t4 28 56 53 47 35 ll 22 44l2els857 )5 5l 43 6l 44 27 54 47 33 5 l0 20 40 l9 38l15l30l60 59 57 53 67 20 40 t3 26 s2 37 7 l4 28 56 4sl23l46l25 50 33 66 7l 62 8 56 37 I 46 38 53 t6 4l 3 2tl 5135132 ll 6 42 73 20 27 62 l8 t7 t2 60 8 40 54 srl:el:+l24 47 16 79 48 65 37 32 t7 5l 74 64 34 23 6el4el68l46 59 t9 57 83 l5 30 60 't7 37 74 65 47 ll 22 44 s 'o zo 40 80 7l 89 6 t8 54 73 | I I 4l 34 I3 39 28 84 t+1++l+tl40 3l 4 t2 9? 83 2t 38 93 77 94 82 22 t3 65 z+ltslul 79 35 78 425 Appendix

Table 4. (Continued).

Indices p 44i|45i.464',1 48 49 34 35136 37 38 39 40 4l 42 4t

17 28 19 I I 4l 20 38 23 15 8 I I Numbers 17 8 24 29 I 43 3l t zl 20 rl I 29 4 20 6 30 9 45 37 M 32llel 47 34 5 l0 20 9 l8 36 l9 38 23 46 39 25 50 47l4rl2e 53 52 45 3t 27 54 49 39 l9 38 l7 34 9 l8 36113126 59 t'l 34 1 45 29 58 55 49 37 l3 26 52 43 25l50l3e 6l 2el58l4e 3l 65 63 59 5l 35 3 6 t2 24 48 162l5i 6',1 67 17 l0 70 & 22 t2 l3 20 69 57 44 24l|26140 143I 7l 7116312342 73 35 29 72 68 48 2l 32 l4 70 58 164128 t) l3 39 38 35 26 78 76 70 52 77 ?3l6rl2s :l61143 79 l9 59 35 70 57 3l 62 4l 82 8l 79 ?5167151 138|t16 83 8818618062 89 36 l9 57 82 68 26 78 56 79 59 l8 124 58t96 192 97 2 l0 50 56 86 42 l6 80 12 60 el45l31

lndices p

53 40 27 I I N mbers 59 3 6 t2 24 48 37 l5 30 I 6r l4 28 56 5l 4l 2l 42 23 46 3l I I 22 M 21l|42 17 34 67 47 27 54 4l t5 30 60 53 39 1l 50166 36 39 'll 48 52 9 63 l5 34 25 33 18 55 30 68 33 rel22 37 39 13 61 43 69 53 46 ll )) 56 6l l3 65 47 62 28 5t15 45 56 19 50 7l 55 I zl 63 31 t4 42 23 46 36 72 83 69 55 27 54 25 50 l7 34 68 53 rlrs 83 71135 l6 48 89 72 38 25 75 47 <) 6',7 23 69 29 87 33 68 491516l t4 97 72 69 54 76 89 57 9l 67 44 26

Indices p .,'riiiiii oolet loa los lio lurlnltt lralrs lttltt lzt lre180 | 8t 67 I I 7l 60 65 29 6l I {umbt 73 49 26 57 66 38 44 I I 19 10 30 ll 33 20 60 22 66 40 4l 44 53 t l2 24 48 l3 2('ls2r 42 83 6l 39 78 73 63 43 3 6 l2r 7',| )i ' 89 55 76 50 6l 5 l5 45 46 49 58 85 170132 23 Itil90 162 l9 97 70 59 4 20 3 15 75 84 32 63 24

Indices p 94 95 96 82 83184 85186187188 89190 9t192193

83 I umbrlrs 89 2r 63 ll 33llol30 I N I 52 66 lrs 97 95 87147 4l I ll I 55 8l 17185 37 88 Table 5. Simple Continued Fractions for Square Roots of positive lntegers

d J7 d J7

, t- | I r,,ll i 53 I t7;3,1,1,3.141 l: lrr:1-l I 54 Itz;zre;J.r+t is ltz,ql I 55 I tt,T,zl,tqi lolt2:2+t I 56 I t't;zr+l t- lt lrz;r,TJ'+t l 57 I t7;l,t,4,l.l.l4l t- ls )r2;yet I 58 I I7:l,l,l,l.l.l.t4l l0 [3:6] I | | 59 Itt;nd.tqt Itt I l:;:,ot I 60 [l:l I tz I t:;Nl I | ,z,t,t+1 6l I tz;r,q3JJtr,raJJat InItl,r.r,T,l,ol I 62 I t7;1,6,|,l4l | 'o I f3:LAGt I 63 t5 Itz;1r+t i I [3;t,6] | 65 I [a;to] ln|t+:st I 66 Its;sT't Jts J l+;+,al I - ,n r+;1i;l)"rl 61 I lE;521.1,7,1.t.2,5,t61 I I I 68 | --[s:+.ro] I 20 I Ia:2,81 i 69 I zt I t4;iJJJJst I t8:3,3,1,4.1 .3.3.161 t+rr,xJ.r"sl 70 --ts;zT;,rJ,lot |,z I I 7l l8;22,-l,1 .t ,z,z,tol I 23| [+:t.l,r,s] | 72 zq [8;2,16J I I t4;l,81 | 73 [8;1.1,5,5,1.1.161 I ze I ts;rol I ,, 11I tg;l, r J,l,Gt I I rs:s,ror I /) [8;l, r ,l ,l6] j 28 j ts;3,2,:,rol I | - 76 1 IE;1,2, l,1,5,4,5. t,t,Z, t, t O] I 2eI ts:ttJ;Jot I 77 [8:1,3,2,3,l,l6J I :o I Is:z,rol l 1 78I ts:r,q,T. t6l I ,' I ts;r,r-:_:;rr,rol I 7el ta;ffi.I 32 t5:l,l,l,lol I | I 80 I [8;l,l6l | :l I ts;r,fr,ro1 | 82 ts;r,+rlot I [9;I 8] l:+ I I 83I Iq;eJ8t l:s lts:_ol I 34 [9;6,l8l i7 t6:l2l 1 I | I --lt5 | tq;{I,l,a,I8t i:a j to;o,ut L 16l tq:1.1..-r'r.sJJJmr l:r 116'aJI l;J7 l [9;3,181 ]qolto;:J2l l;18itq;2JJ,l2,l8t io' lto:fut i;rel 42 [\ry,zJal I ) [6:2,t21 | .'oi[9;2,18] ll lo,llu,@,,rl l; I [9;l,l ,5,I .5.l. I.l 8l aa l|.6:l.l,l,2,l.l.t.l2l l .t't I 4s -l _--l9:l ,l ,2.4.2.1. 1 . 181 lt6;r,t]Jm1 l; 3l I9:1,1 ,4.6.4.t .1 . 1 Sl +e1ro,ffirli 4l rg;mr 47 [ [o;t,s,r,tzl I g't [9;1,2,1,18] 48lle;r,rzl lq6l lq;t,:,r,rsl soltz;l+l l; -l tg:t,s],rrr;l,l.ill 5r I tt:t.tql I ;8 szltt:+ttfV.u, i [q;t,a,t,te] lnq i lg;iJTl

426 Answers to Selected Problems

Sectionl.l 1. a) 20 b) s5 c) :as d) 2046 2. a) 32b) 120c) 14400d) 32768 3. t. 2. 6, 24, 120,720,5040, 40320, 362880, 3628800 4. l, 120,252,120, I 5. 84.126. 210 \n+D/2 g. 2n 10.2n rr. 65536 21. x : y : l. z :2

Section 1.2 : l. 99 : 3'33,145 : 5'79,343 : 7'49,0 888'0 2. a). c), d), e) 3. a) 5,15 b) 17,0 c)-3,7 d)-6,2 4. a: *.b 13. b) 3 11. 0 if a is an integer,-l otherwise. 23. b) 200.40,8,I c) 128,l8 24. 20 + l8[x-l], St.08no, $1.28 Yes

Section 1.3

l. (5554)r,(2fi2) rc 2. (328)ro.(l I I I loooooo)2 3. (trs) ,u,(74E) 6 4. (tOtOt0lI I l00l l0l I l l0l I I l)2, (t tOtI 1l0l I I I l0l0l l00l I l0l l0l)2, (rootlolooooolol l)2 6. b) -39,26c) (tool)-2,(ll00ll)-2, (1001l0l)-z 14.il t+:2'31 +l'21.,56:2'4t+ l'3!+ l'2!,384:3'5!+ l'4!

Section1.4 l. (root0llol lo)2 2. (rttilolll)z 3. (rott000ll0l)2 4. (l llo)2.(loool)2 5. (too65)ro 6. (338F)re 't . (8705736)r6 8. (l I C) rc,(28 95) ro 428 Answers to Selected problems

23' a) 7gross,7do,zen,andgeggs b) il gross,5dozen,andlreggs c) 3 gross,I I dozen,and 6 eggs

Section 1.5 a) prime I b) prime c) prime d) compositee) prime f) composite 7. 3,7,31,211,2311,59 r0. il 24,25,26,27,29 b) 100000.l+ 2,1000001!+3,...,1000001!+ 1000001 t4.53 16. a) 1,3,7,9,13,15,21,25,31,33,37,43,49,51,63,67,69,73,75,7g,g7.93.99

Section 2.1

l. il5 b) lll c)o d) I e)rr il2 4. I if a is oddand b is evenor viceversa, 2 otherwise 5. 2t2l 14.il2 b)sc)ssd)3 e)t f)1001 15. 66,70,105;66,70,165; or 42,70,165 (3k+2, 19. 5k+3): I sinces3k+D_3(5k+3) : I

Section 2,2 l.a)rsb)6dZd)s 2. a) rs :2.45 + (-l)75 b) 6 - 6.222+ (_13)102 c) z:65'1414 + (-r38)666d) 5 :800.44350+ (-1101)20185 : 3. a) I l'6+ l.l0 + (-t)t5 b) 7:0.70 + (_l)9g+ 1.105 c) 5 : -5.280+ 4.330+ (-t)+os+ 1.490 4. ilZ s. il2

Section 2.3 l. il 22.32b) 3.13c) 22.52d) 172d,2.l.ll f) 28 g) s.rol il 23.43i) 24.32.5.7 | 2653k) 3.5.72.I 3 l) 9.1l.l0l t, 1t,,l i 8. b) 2r8'38.54. 7.1 1.13. t7.tg 9. 249,331 10. 300,301, 302, 303, 304 |2. b) 5,9,| 3,17,2 l,Zg,3 3,37,4 1,49,53,57,6 1,69,7 3,7 7,gg,g 3.g7 .l Ol d) 693 : 21.33: 9.77 14.il 24 b) 210 c) r+o d) I l2l I e) soo+oil 3426s7 15.il 2233 53 72.21 3s s5 77 b) 1,2.3.5.7.11.13.17.19.23.29 d 2.s.11,23.3.57.7.1113.13 d) 1011000,4lfi47rr7g|r g3ilrl0lr00l 17.18,540;36,270:54, 180; 90. 108 21.308,490 25. a) 30,l00l 29. afuc)2.:r,r5r d) 32.5.7.13.t7.24t e) 52.13.41.6t.1321 f) 33.5.7.I 3. 19.37.73. 109 30. 103 429 Answers to Selected Problems

Section 2.4 l. il zz'ql'eu b) 7'37'53'107c) t92'3r'4969 toot'1999 f) 4957'4967 2. u) r:.sqr b) 73 c) tz'6+t d) 103'107e) lz' 5 l3' 2nlogrc2 5. d17,347 6. d)13'17,41.61,293'34137.5'13'3?'109

Section 2.5 -4OO-11n l. a) x:33 *5n.1:-ll-2n b) x:*300* l3n'y'il d)no sorution cb1 y =-zi^\n -;13:::il;4,-"44r, ,x'ZI il x:889+ 1969n,Y:-633-1402n 2. 39 Frenchfrancs, I I Swissfrancs 3. 17apples, 23 oranges 8-'l. 0f 4. l8 "Pt =(25,0),(22,2),(19,4),(16,6),(13,8)' 5. a) (14-centstamps,2l-centstamps) (10,1o), (?, 12),(4,14), (1, 16) b) no solution =(54,1)' (51' 3)' (48' 5)'(45'7)' c) (14-centstamps,2l-cent stamps) (24',2r\',(21',23)', (42,g),(39,11), (36, l3), (33,15), (30, l7),(27 ' 19)' (0',37) (18, 25),(15,2:7),(12, 29),(9, 31), (6, 33),(3, 35), 10.a)3 t)ze d242 - I l. a) x :98-6n, ! : | * 7n,z l-n b) no solution -100+ : w -- fr c)x:50*n, l: 3n, z 150-3n, (1 (14,8, 2), (11,12, 1)' t2. (nickels,dimes, quarters) : (20,0. 4), 7, 4, 3), (8.16,0) 15. 7 centsand 12 cents 13.9 first-class,l9 second-class,4l standby 14. no

Section 3.1 l. a) l,2JlP$ 1,3,9,27,3J,111,333,999..'it 4. il g b) b c) o d) 12 d + f) I "ff2,

9. 0 | 2 3 4 5 10. 0 | 2 3 4 5ll. x 0r23 5 321 0 0 0 0 0 0 0 l0r 2345 0 054 I 23450 I 105 432 I 0 I 2 J 5 lr A 2 34501 z 2r0 543 2 0 L + 0 l2 J J 0 J J J t3 4 J 321 054 0 t- 5012 4 , 0r23 4 432 105 .+ 0 4 2 0 2 I lo 4 J 5 ls 0 t234 5 543 210 5 0 5

12. a) 4 o'clock b) 6 o'clockc) 4 o'clock I 3. 0.I,5,6 14. a 7 + b (modp) 17. n 7 + I (mod 6) 18. 1,3,5,7,9,1l,l 3,15,17,19,21,23,25 2t.a\qzlr)zc)t8 (modp) prime andpla 26. a) t b) I cl f O) I e) ap-t = 1 whenp is -t -l (p-l)! : -l (modp) whenp is prime 27. a) -1 b) -l c) d) e) 30. a) 15621 430 Answers to Selected problems

Section 3.2

L a) x:3 (mod 7) b) x:2,5,g (mod 9) c) x=7 (mod 2l) d) e) x=812 (mod no solurion l00l) f) x:1596 (mod t5g7) 2. c) x=5 (mod 23) 3. I t hours 4. 6-0,6,12,18,24(mod 30), 6 solutions s.a)r:D7c)sd)t6 8. a) (x,y)= (0,5),\t,D.,e.O,(3,3),(4,0),(5,4),(6,1) (mod7) b) (x,y)= (t,l),(1,3),(t,5),tr,zl,t:,ol ,G,zi,ii',qj,ir,ul,(5,1),(5,3),(5,5),(5,7), (7,0),(7,2).(7,4),(l.0 (mod g) c) (x,y)= (0,0),(0,3), (0,6), (I , I ), ( I ,4), (I ,7) ,(2,2) ,(2,5), (2,g), (3,0), (3,3), (3,6), (4,1),(4,4),(4,D,$,D,(5,5),(5,gl,re,ol,ro,:J,-ii,il ,(7,1),(7,4),(7,7),(g,2), (8,5),(g,g)(mod 9) d) no solution

Section 3.3

l' a) x = 37 (modlg7) (mod b) x:23 30) c) x:6 (mod2r0) d) x = 150999(mod 554268) 4. 2l0l *201 8. a) x = 28 (mod 30) b) no solution 10. a) :23 (mod x 30) b) x = 100 (mod210) : c) no solurion d) x 44 (mod g40) e) no solution il. 30t | 3. 0000,0001,0625,9376 17. 26 feet6 inches

Section 3.4

l. a) (x,y) = (2,2) (mod5) b) no (x,y) solution c) = (0,2),(1,3), (2,4), (:,0) or (4,1) (mod 5) 2. a) (x,y)= (0,4),(l,l), (2,5),(3,2), (4,6), (5,3),(6,0) (mod 7) b) no solution 3. 0, l, p, orp2 ( 4. l0 a) t) t- { rl ls rl fr4l 1. a) l0ol b) c) U / \lo 2l/ t-l, rJ 554 {q 4 3J o 6l ls I [z l) 545 8. a) l4 t ol b) ol c) lr lz' 455 lr 4 4) ll 4 oj l5 [4 555 9. a) x :0,y E 7,2 -2 (mod7) : b) x l,-y E 0,2 = 0 (mod7) c) = 5,-y= 5,, = 5,w = 5 (mod7) r0.il0b)5c)2sd)l" 431 Answers to Selected Problems

Section 4.1

l. a) 28 b) 24 c) 2ro d) 2t 2. a) 53 b) 54 c) 5r c) 5e 3' and 9 d) not bv 3 3. a) by 3, not by 9 b) by 3, and 9 c) by 4. a) no b) Yes c) no d) no by 3, and by 9 b) thosewith an 5. a) thosewith their number of digits divisible of digits divisibleby 6 evennumber of digits c) thosewith their numbcr (sameior 7 and for 13) d) I 1 * a5 aaa3l at apo (mod 3l)' 8. ozro2n-t...aps-azno2n-t azn-z * 37tr 4$6e2.3711 l09278s 13 d) yes 10. a) no b) not by 3, by 5 c) not by 5' not by ll. 73 e '!-6 12. ninescheck d) no' for example I 3. a) incorrect b) incorrect c) passescasting out part (c) is incorrect,but passescheck

Section 4.2

d) Thursday 2. a) Friday b) Friday c) Monday e) Saturday f) Saturday g) Tuesday h) Thursday i) Monday j) Sunday k) Friday l) Wednesday

Section 4.3

') ,4 () 1 l. a) Tcanr 3 t

Round ') I 1 6 b)'c 3 ,| ')l b-vc 1 6 5 '--ltl -l 2 ------1 3 ) I 1 6 b)'c -l I 4 4 3 b\,c 1 o

,1 5 5 J 2 I 1 brc

.4 1 o 6 5 bvc ) I ) blc 1 o 5 4 3 2

3: 1,5,Round 4:3,4' Round5: 3. a) Hometeams: Round l:4,5. Round2:2,3, Round t.2

Section 4.4

5. 558, 1002,2t-t4, 4 432 Answers to Selected problems

Section 5.1

l. _l l" 2. I 4.4 5. a) x : (mod 9 17) b) ,r : 17 (mod 19) 18. I 24. 52

Section 5.2 t7. 7.23.67

Section 5.3

l. a) 1,5 b) 1.2,4,5,7,g c) 1,3,7,9d) 1,3,5,9,,.13e) t,:.s,2,9.,,t3.15

) 11\r 1m-l ar.J\..,\L I 5. ll 9. a) x :9 (mod 14) : b) x 13 (mod 15) c) -r = 7 (mod t6) ll. a) r b) I : 12. d(13) 12,004 :6.a(16) :8, : :6, d(I7) 16,,r(r8) o(tg): t8,d(20) : 8 Section 6.1 il f

l. il +o b) t28 d t2o il 5760 2' a) 1,2 b) 3, 4, 6 d no sorurion d) 7, 9, 14,and rg e) no sorution f) 35, 39, 45, 52, 56,70,J2,7g, g4, g0 3' il l' z b) thoseintegers n suchthat 8 | n:al n. andn hasat leastonc odd prinrc factor; n has at reasttwo odd prime factors;or n has a prime factor p = t (mod c)zk,k:1,2,._. 4)

Section 6.2 1. a) 48 b) 399 d 2sqo d) 2r0r_l e) 6912 2.il9 b)6 c)rs il2s6 3. perfect squares 4' thosepositive integers that have only evenpowers of odd primes in their prime- power factorization 5. a) 6,r r b) r0,r 7 c) | 4,| 5,21,23 d) 33,35,47 e) no sorution f) 44,65 6.a)t 02 dq d)t2 dtgz f)45360 8' a) primes b) squares of primes c) productsto two distinct primesor primes cubesof 9 . nr(n) /2 10.a) 73,252.2044b) r +pk c) (pku+rt_D/gk_D o ii

Section 6.3

1. 6, 29, 496,g I 2g, 33550336,g5ggg69056 433 Answers to Selected Problems

3. il t2,18,20,24,30,36b) 945 7. a), c) Prime 8. a),b), d) Prime

Section7.1 l. DWWDFNDWGD ZQ 2. I CAME I SAW I coNQUERED 3. IEXXK FZKXC UUKZC STKJW 4. PHONEHOME 5. t2 6. 9.t7 'r (mod 26) 7. il C:7P + 16 (mod26) b) C:acP * bc d INSIDE 8. A) VSPFXHHIPKLB KIPMIE GTG b) EXPLOSIVES

Section 7.2 AZ l. RL OQ NZ OF XM CQ KE QI VD 2. IGNORETHIS

a Il 24] J. 12425 ) 4. a) t b) l3 d26 Iz t: I I 6. I I 23101 12537 )

i. digraphicHill cipherwith encipheringmatrix Itj 163] 000 ol [52 310 ol 13r 12 I 310 0l ro 2t3 rl loo I 0 2t7 'l l0 l.00 00s rl

Section 7.3 l. t4 t7 t7 27 ll 17657607 76 t4 Z. DO NOT READTHIS 4. GOODGUESS 5. 92 6. 150

Section 7.4 l. 1453,3019 3. 12151224 t47l 00230l16 4. EAT CHOCOLATECAKE 434 Answers to Selected problems

5' a) 03710354 0858 0858 0087 1359 0354 00000087 1543 I 7g7053sb) 001 g 02740872 082r 0073 084s 0977 ffi8 #l 3l1i'u* 074000000008 0r48 0803 04r5 6' d 00420056 0481 0481 0763 0000 00510000 02940262 0995 0495 05:|' 00000734 0152 0647 0972 ag72 7' d) 1383181203520000 13830130 1080 r35r r383 r 81201300g72r208 00000972 0956 l5l5 09371297 1208 2273 l5l5 0000 8. 0872I 1521537 0169

Section 7.5

l. a) yes b) no c) yes d) no 4. l8 : : 2*16 2*3*13: 3*4*l I : 7*l I 5. (tz,st,g5,g,16,4g,64) 6. 6242382306332274 g. (44,37,74,7 2,50,24) 10. :2.3.10:2.5.6:6.10 a) 0o b) 15960:g.21.95

Section 7,6

l. a) 3696,2640,5600,3g5 b) 53g9 2. 829

Section8.1 l. il4 04 c)6 2. a) 3 b) 2,3 c) 3,7 d) 2,6,7,ll e) 3,5 f) 4.4 5, I I 16. il 23.89 18. d 2209

Section 8.2

L a)2 04 c)8 d)6 e)t2 f)22 q 4. il b) the modulusis not prime 6. 1 il. b) 6 12.c) 22,37,g,6, g, 3g. 26

Section 8.3 l. 4, 10,22 2. ilz 02 c): il2 3. il2 02 dz d)3 4. a)5 b)5 c)rs d)15 5. 7. 13.17.t9

Section 8.4 : l. ind5l 22,ind52:2. ind53:16, ind54:4, ind5J: I , ind56: 18,ind57 : 19. 435 Answers to Selected Problems

ind58:6,ind59:l0.ind5l0:3'indsll:9'ind:12:20'ind5l3:14'indi14:71' ind5l5:l7,ind5l6:8.ind5l7:7'ind5l8:12'indslg:15'indr2O:5' ind52l: 13,ind522: ll (mod 23) 2. a) -r=9 (mod 23) b) x=9'14 3. .) x : 7, 18 (mod 22) b) no solution -1. a : 2.5,tlr 6 (rnod l3) (mod 5. b : 8.9.20.or 2l 29) 49, | (r.IlodI -56) 6. ,r 3 10,16,57,59.90.99.1 I 5.1 34, 144.1 45. I or -52 (rnod x E 1,12.45.41.7tt'91'93'100'137'139'144' T. x = I (mod22). a - 0 23),or 5,277.32 l ,323,367'369'3tt 6,,1|3.41 5,4.]0' 183'l 85.188,210,229,23l ' 232.?.52.254,27 459,461.or 496 (mod 506) (mod 't - 42 (nrod8) lt. a) (t,Z), (0,2) c) -x = 29 l2), = 17 (mod60) 12 b) (0,0, 1, l), (0,0' 1,4) d) 'x l6.b)([email protected]):'74999249..,

Section 8.6 go g) 8o+o h) I 254I l 328000 r.a)20 b)12 c):0 d)48 e) t f) 388080 d) 5, l0' 15.16,20, 30' 40' 48' 60' 2. a) t,z b) 3,4, 6' 8. 12.24 c) nosolution q, 12'84'126' 80. 120,240 e) no solution f) z. 14,18. 21.28,36.42.56,63. I 68.252. 504 3.65520 4. a)tt b)2 c)l d)ll e)tg f)38 I 4. 5.I 3'l'l'29.5'lT'29, 5',29'13

Section 8.7 5, 25.62.84. -s' 25. 62'" l. 69,76,17,92,46,I I' 12.14. 19. 36, 29,84, lengthis 9 7.6.13,10,14,15, l,7' 18.16. 6, l3- ....period 3. l0 loz3z+tttz: "7.a) lt b) 715827882c) 3l d) 195225786c) 9. 1,74,25,I 8, I 2, 30'll. l0

Section 8.8 l. a)s b)5 d2 d)6 e) 30 i) 20 2. a)2 b)3 d2 il2 e)5 t)7 sPrcads : 2 3. a) usesPread s : 3 b) usespread s: 2l c) usc

Section 9.1 l, l6.l 7 I . a) t b) I ,4 c) I ,3,4,9,10,12 d) 1,4,-s,6,7,9.1 2. l,l,-1,1,-1,-l (mod no solution I l. a) -r = 2,4 (mod 7) b) -r = | 7) c) 15. .r = 1,4,11,14(mod l5) 36. c) DETOUR 436 Answersto Setectedproblems

Section 9.2 l.a)-l b)-l c)_l d)_l e)r f)l 4.p=+l(mod5) 5.p= +1,*3,+g(mod2g)

Section 9.3

l.a)r b)-lc)r d)l e)_l f)l 2. n : 1,7,11,17,43,49,53,or59(mod60) 3. n = 1,7,13,17,19,2937,71,g3, 91,101,103,107,109,113,or I l9 (mod 120) 9. a) -l b) -l c) -r

Section l0.l

6. a).lb) .ar6c) .92nr6 d) .5 e)xOq f) .000999 (:s)g i. a) b) (.2)sc) (.r+o:),ai'f.'i6, e) (.052)6f) (.02721350564)R 8 u)3 b)+ dL 25 90 33 s. u)Sb)+.)Ad) el6 343 70 20 I 365 10. b :2s'3s'5"7"', wheres1,.92,s3, and sa are nonnegativeintegers, not a1 zero ll. a) 2,1 b) l,t c) z,t d) 0,22 e) 3.e rl o.o1 12. a) l,o b) 2,0 c) 1,4 d) 2,1 e) l,l f) 2.4 t4. a) 3 b) l1 d tt d) l0l d +t.zT D 7.13 0 l I 1 23. a) I 2 t_2 3 1 4 3 2 5 3 4 5 6l T'i' 6'T';'t't't';,r,7,T';,;';,;';,;,; Section10.2 l. il t5/7 0 t0/7 d olzl d) 3ss/ll3 d z f) 3/2 d s/3 h) 8/5 2. a) [t;s] U)B;zl c) [0;1,1,1,9]d) [0;199,1,4]e)[- |;1,22,3,1,1.2,21 f) [o;5,l,l,z,l,4,l,2ll

Section10.3 I . a) [l;2,2,2,...1b) [ t;1,2,1,2,1 ,2,...) c) [2;4,4,4,..)d) [ t ;1,1,1,...J 2. 4_l,L!,s,t b) 6J,l,l,J c) 0,2,6,10,14d) 0,1,3,5,7 ? 312689 99532 /^\238il1997106193 o, l- l'3'4 ^7'32'39'7t: + ll. d) 21 4t 69 9l l13-135'157 t7g'201 223 z4s 267z}s 3ll g t5'22'29'36,Jt,E-'T,d,7l '7g 'g5 ,lt,f

Section 10.4 l. b) ") IU,t,t,+1 t3;:,61c) ta;l":,r.sla) to;FrZt 2. a) [l;2] 3. a) (z: +.,/Til/rc b) (-l +,/+sl/z c) (s+ .,Fazlto 4. b) [ lo;20], 117:frl, I4t:il) 437 Answers to Selected Problems

5. c) [q;j,J8],tt o:z2o|lte;Tt4I?q,2,+t1 6. d to:ffil, 17:7,t41, I l6;l,t 5,1,321 I l. b), c), e)

Section I l.l b) 3'4'5;6'8'10;5',12',13;9' l. a) 3,4,5:5,12,13;15,8,17:'7,24,25:21,2O,29:35,12,37 l8'24'30; 30'16'34; 12,15;15,8,17:12,16,20:7,24,25;15,20,25;10'24'26:21'20'29; 21,28,35,35,12,37 ; I 5,36,39;24,32,40 1 ' - I : 2\ : nln,z-- : (m2+Zn2)where mandnarepositiveintegers. 8. x ;(m"-Zn"),Y t i^l L(2^2-nz),! : : where m and n a(e positiveintegers, ,: ^r,, +Q.m2+n2) *>it,li, andn is even I : - | , ) , r ?\ wherer- - ^^ m--- ^-,{and n,- ^-oare positive^^"iti'r, integers, 9. , - l-{^z-3n2),y mn,, f,(^2+3n2) *rrTln,andm = n(mod 2)

Section 11.3 c)x: + l'y: +2 l. a)x:!2,y:0;x:+l,y:!l b)nosolution +5'l:0; x:*13'y:+3 2. a)x: t3,y:*l b)nosolution c)x- :9801, : 3. a) x : 70,y : 13 b) x Y 1820 : : : 42703566796801, 5' X : l 52Q,y : 273 ; x 4620799,y 829920;x : Y 766987012160 6. a), d), e), g), h) Yes b)' c)' f) no '1. : x : 6239'765965'120528801,! 19892016576262330040 Bibliography

BOOKS

Number Theory

l ' w. W. Adams and L. J. Goldstein, Intoduction to Number Theory, Prentice-Hall,Englewood Cliffs, New Jersey,1g76.

2. G. E. Andrews,Number Theory, w. B. Saunders,philadelphia, lg7l. 3. T. A. Apostol, Introduction to Analytic Number Theory, Springer- Verlag, New York, 1976.

4. R' G. Archibald, An Introduction to the Theory of Numbers, Merrill, Columbus,Ohio, 1970.

5. I. A. Barnett, Elements of Number Theory, prindle, weber, and Schmidt, Boston,1969.

6. A. H. Beiler, Recreations in the Theory of Numbers, 2nd ed., Dover, New York, 1966.

7. E. D. Bolker, Elementary Number Theory, Benjamin,New york, 1970. 8. Z. I. Borevich and I. R. Shafarevich, Number Theory, Academic press, New York, 1966.

9. D. M. Burton, Elementary Number Theory, Allyn and Bacon, Boston, t976.

10. R. D. Carmichael, The Theory of Numbers and Diophantine Analysis, Dover,New York, 1959 (reprintof the original 1914and l9l5 editions). I l. H. Davenport, The Higher Arithmetic, 5th ed., Cambridge University Press,Cambridge, 1982.

12. L. E, Dickson, History of the Theory of Numbers, three volumes, chelsea,New York, 1952 (reprint of the l9l9 original).

13. L. E. Dickson, Introduction to the Theory of Numbers, Dover, New York 1957 (reprint of the original 1929edition). 438 439 BibliograPhY

New York' 14. H. M. Edwards, Fermat's Last Theorem,Springer-verlag, 1911. 15. A.A.Gioia,TheTheoryofIYttmbers,Markham'Chicagol970. ed., Birkhausero 16. E. Grosswald,, Topics from the Theory of Numbers, 2nd Boston,1982. t'7. R. K. Guy, l.)nsolvedProblems in l,{umber Theory, springer-verlag, New York, 1981. Theory of 18. G. H. Hardy and E. M. Wright, An Introduction to the 1,,{umbers,5th ed.,Oxford University Press,Oxford, 1919' New York 19. L. Hua, Introduction to Number Theory, Springer-verlag, l 982. 20. K. Ireland and M. L Rosen, A Classical Introduction to Modern IYumberTheory, Springer-Verlag, New York, 1982' 21. E. Landau,Elementary Number Theory,Chelsea, New York, 1958' 22. W. J. LeVeque, Fundamentals of Number Theory, Addispn-Wesley, Reading,Massachusetts, 1977 . 23. w. J. LeVeque, Reviewsin Number TheOry, six volumes, American MathematicalSociety, Washington, D.C., 1974' 24. C. T. Long, Elementary Introduction to Number Theory, 2nd ed., Heath, Lexington,Massachusetts, 1972. (no 25. G. B. Matthews, Theory of Numbers,Chelsea, New York date)' 26. I. Niven and H. S. Zuckerman, An Introduction to the Theory of Numbers,4th ed.,Wiley, New York, 1980. 2l. O. Ore, An Invitation to Number Theory, Random House, New York' t967. 28. O. Ore, Number Theory and its History, McGraw-Hill, New York, I 948.

29. A. J. Pettofrezzo and D. R. Byrkit, Elements of Number Theory, Prentice-Hall,Englewood Cliffs, New Jersey,1970' 30. H. Rademacher, Lectures on Elementary [t{umber Theory, Blaisdell, New York 1964,reprint Krieger, 1977.

31. P. Ribenboim,1-J Lectures on Fermat's Last Theorem,Springer-Verlag, New York, 1919. 440 Bibliography

32. J. Roberts, Elementary Number Theory, MIT press, cambridge, Massachusetts,1977. 33. D. shanks,solved problems and unsolved in Number Theory,2nd ed., Chelsea,New york. 197g. 34. J. E. Shockley, Introduction to Number Theory, Holt, Rinehart, and Winston, 1967. 35. w. Sierpifski, Elementary Theory of Numbers, polski Akademic Nauk, Warsaw, 1964. 36. w. Sierpifiski, problems A selection of in the Theory of Numbers, PergammonPress, New york, 1964. 37. w. problems Sierpirlski, 250 in Elementory Number Theory, polish ScientificPublishers, Warsaw, 1g70. 38. H. M. Stark, An Introduction to Number Theory, Markham, chicago, press, 1970;reprint MIT cambridge, Massachuseits,r9ig. 39. B. M. Stewart, The Theory of Numbers, 2nd, ed., Macmiilan, New York, 1964. 40. J. v. Uspensky and M. A. Heaslet, Elementary Number Theory, McGraw-Hill, New York. lg3g. 4l' C' Vanden Eyden, Number Theory, International Textbook, Scranton, Pennsylvania,1970. 42. I. M. vinogradov. Elements of Number Theory, Dover, New york, t954.

Number Theory with Computer Science

43. A. M. Kirch, Elementary Number Theory: A computer Approach, Intext, New York, 1974. 44. D. G. Malm, A computer Laboratory Manual for Number Theory, COMPress,Wentworth, New Hampshire, 1979.

45. D. D. spencer, computers in Number Theory, computer science press, Rockville,Maryland, 1982. 441 BibliograPhY

CryptographY

Hayden, Rochelle Park, 46. B. Bosworth, codes, ciphers, and computers, New JerseY,1982. Addison.Wesley, 47. D. E. R. Denning, Cryptography and Data Security, Reading, Massachusetts,1982' Aegean Park Press, 48. w. F. Friedman, Elements of Cryptanalysis, Laguna Hills, California, 1978'

49.A.Gersho,ed.,AdvancesinCryptography'Dept'ofElectricaland 1982. computer Engineering,Univ. calif. Santa Barbara, Writing' Macmillan' 50. D. Kahn, The Codebreakers,the Story of Secret New York' 1967. 1981' 51. A. G. Konheim, Cryptography: A Primer, Wiley' New York' Park Press, 52. S. Kullback, s/atis tical Methods in cryptanalysis, Aegean Laguna Hills, California, 1976. Dimension tn 53. C. H. Meyer and S. M. Matyas' Cryptography: A New Computer Data Security, Wiley, New York, 1982' Association of 54. A. sinkov, Elementary cryptanalysis, Mathematical America, Washington,D.C., 1966'

Computer Science

and Design' 55. K. Hwan g, Computer Arithmetic: Principles, Architecture WileY, New York, 1979. 'of semi-Numertcal 56. D. E. Knuth, Art computer Programming: Reading Algorithms volume 2, 2nd €d., Addison wesley, Massachusetts,l98l . and searching, 57. D. E. Knuth, Art of computer Programming: sorting volume 3, Addison-wesley,Reading, Massachusetts, 1973. wiley, New 58. L. Kronsjo, Algorithms: Their complexity and Efficiency, York, 1979. its Applications 59. N. S. Szab5 and R. J. Tanaka, ResidueArithmetic and to Computer Technology,McGraw-Hill' 1967' 442 Bibliography

General

60. H. Anton, Elementary Linear Algebra, 3rd ed., Wiley, New York, 1981. 61. E. Landau, Foundations of Analysfs, 2nd ed., Chelsea,New York, 1960. 62. W. Rudin, Principles of Mathematical Analysis, 2nd ed., McGraw-Hill, New York 1964.

ARTICLES

NumbenTheory

63. Ll M. Adleman, C. Pomerancq and R. S. Rumely, "On distinguishing prlime numbers from composite numbers," Annals of Mathematics, volume 117 (1983),173-2A6. 64. J. Ewing, t 286243-lis prime," The Mathematical Intelligencer, Volume 5 (1983),60. 65. J.lE. Freund, "Round Robin Mathematicso"American Mathematical tullonthly,Volume 63 (1956), ll2-114. 66. R. K. Guy, "How to factor a number" Proceedings of the Ftfth Manitoba Coderence on Numerical Mathematics, Utilitas, Winnepeg, Manitoba, 1975, 49-89. I ot. A. K. Head, "Multiplication modulo n," BIT, Volume 20 (tgSO), 115- l I16. 68. P. Hagis, Jr., "Sketch of a proof that an odd perfect number relatively prime to 3 has at least eleven prime factors," Mathematics of Computations, Volume 46 0983), 399-404. 69. J. C. Lagarias and A. M. Odlyzko, "New algorithms for computing n(ff)," Bell LaboratoriesTechnical Memorandum TM-82-1 I 218-57.

70. H. P. Lawther, Jr., "An applicationof number theory to the splicing of telephonecables," American Mathematical Monthly,Yolume 42 (tggS), 8l -91. 71. H.1 W. Lenstra, Jr., "Primality testing," Studieweek Getaltheorie en Co[nputers, 1-5 September 1980, Stichting Mathematisch Centrum, Arfrsterdam.Holland. 443 BibliograPhY

and testsfor primality Proceedings 72. G. L. Miller, "Riemann'shypothesis on the Theory of"' computing, of thq seventhAnnual Ac:M symposium 234-239. 1,73. in primality testing"' The -' C. pomerance, "Recent developments 3 (lgg l), 97-105. i' urrir*"rical Intelligencer,volume Scientific American' Volume \lq. C. pomerance,"The search for primes," 241 (tgSD, 136'147. .15. ,,probabilistic lesting primality," Journal of M. o. Rabin, algorithms for 128-138' Number Theory,Volume 12 0980)' ,,Recent testing," Notices of the ./6. R. Rumely, advances in primality 30 (1983), 4,75-47,7, American Mathematical Sociely,Volume 2'7th Mersenne prime"' Journal of 77. D. Slowinski, "searching for the (1918/9),258-261' RecreationalMathematics, Volume I I Monte Carlo test for PrimalitY," 78. R. Solovay and V. Strassen'"A fast 6 09ll)' 84-85 and erratum, SIAM Journal for Computing, Volume volume7 (1978),118. in the develoPment of 79. H. C. Williams, "The influence of computers with APPlications, number theory," Computers and Mathematics Volume8 (1982),75-93' Ars combinatorica' g0. H. c. williams, "Primalitytesting on a computer", volume5 (1978),127-185'

CryptograPhY

for the discretelogarithm 81. L. M. Adleman, "A subexponentialalgorithm Proceedings of the 2ath problem with applications to cryptogiaphy," Science' 1979' 55' Annual Sy*:,porium on the Fonia'tioit of Computer 60. - for solving impossible g2. M. Blum, "coin-flipping by telephone a protocol 133-137' problems,"IEEE Proceedings'Spring Compcon" in cryptography"' IEEE 83. w. Diffie and M. Hellman, "New directions 22 (l976),644-655' Transactionson Idormation Theory, Volume and public key g4. D. R. Floyd, "Annotated bibliographicalin conventional (1983) 12'24' cryptograpnr,. Cryptologia, Volume 7 ' 444 Bibliography

85. J. Gordon, "Use of intractable problems rn cryptography," Information Privacy, Volume 2 (19g0), l7g-fg4. 86. M. E. Hellman, "The mathematics of public-key cryptography," Scientffic American, Volume 241 (1979) t46-t57. 87. L. S. Hill, "Concerning certain linear transformation apparatus cryptography," of American Mathematical Monthly, Volume 3g (1931). l 35-1 54.

88. A. Lempel, "cryptology in transition," computing surveys, volume ll Q979), 285-303.

89. R. J. Lipton, "How ,,An to cheat at mental poker,,,and improved power encryption method," unpublished reports, Department of computer Science,University of California, Berklir'y, 1979. 90. R. c. Merkle and M. E. Hellman, "Hiding information and signaturesin trapdoor knapsacks," IEEE Transactiins in Idormatioi Theory, Volume 24 (1979),525-530. 91. s. Pohlig and M. Hellman, "An improved argorithm for computing logarithms over GF(p) and its .ryptog.upt i. significance,,' IEEE Transactions on Information Theory, volume 24 (rgj"$, roC_iio. 92. M. o. Rabin,. "Digitalized signatures and public-key functions as intractable as factorization," MIT Laboratory for computer science Technical Report LCS/TR-212, cambridge, Massachusetts,rg7g. 93. R. L. Rivest, A. Shamir, and L. M. Adleman, "A method for obtaining digital signatures a1d public-key cryptosystems,"communications of the ACM, Volume 2t (1979), tZO-126. 94. A. shamir, uA polynomial time algorithm for breaking the basic Merkle-Hellman proceedings cryptosystem," of the 2ird Annual symposium of the Foundations of computeiscie,nce, r45-r52. 95. A. Shamir, "How to share a secret," communications of the ACM, Volume22 0979), 612-6t3. 96. A. Shamir, R. L. Rivest, and L. M. Adleman, "Mentar poker,,, The Mathematical Gardner, ed. D. A. Klarner, wadsworth International, Belmont,California, 198l, 37-43. List of SYmbols

t Summation, 5 2 nt Factorial, 8 II Product, 9 l*) It Binomialcoeficient, l0 t.kJ olb Divides, 19 olt Doesnot divide, 19 lxl Greatestinteger, 20 27 (a1ra1r-1...afl0)t Baseb exPansion, Computerword size, 33 ov) Big-O notation, 38 ,r(.x) Numberof Primes,47 G,b) Greatestcommon divisor, 53 commondivisor (of n integers),55 (a 1,,a2,..-,an) Greatest 60 un Fibonaccinumber, la,bl Least commonmultiPle, 72 min(xy) Minimum, 72 max(x,y) Maximum, 72 p'lln Exactlydivide, 76 (of n integers),77 ta1,a2,...,anl Leastcommon multiple F, Fermatnumber, 81 a = b(mod z) Congruent,9l a # b(mod nr) Not congruent,91 a Inverse, 104 (matrices), A:B(modra) Congruent I l9 7 Inverse(of matrix), l2l I Identity lnatrix, l2l adj Ca) Adjoint, 122 h (k) Hashingfunction, 141 l6l 6h) Euler'sphi-function, List of Symbols

Summation dln overdivisors, 170

f*s Dirichletproduct, 172 ph) Miibiusfunction. 173 o(n) Sumof divisorsfunction, I74 r(n) Numberof divisorsfunction , 17s M- Mersennenumber. l g2 E*(P) Encipheringtransformation, ZI2 D*(c) Decipheringtransformation, 212 ord.a Orderof a modulom. Z3Z ind,a Indexof a to the baser, 252 I(n ) Minimal universalexponent, 269 X6(n) Maximal +l - exponent,2g0 |ts-l I Legendresymbol, lp ) 289 r) lLl Jacobisymbol, ln J 314 (c p2ca..) 6 BaseD expansion,341 (.c 1...cr-1r b Periodicbase 6 expansion,343 Fn Fareyseries of ordern, 349 Iag;a 1,a2,...,,e111 Finitesimple continued fraction, 351 Ck : Pr/qr Convergentof a continuedfraction, 354 [ag;a t,az,...l Infinitesimple continued fraction, 362 Ia g;a r,...,o* - ,,ffifr|' Periodiccontinued fraction, 3i4 Q, Conjugate,377 lndex

189 Absolute least residues, 93 Caesarcipher, Abundant integer, 185 Calendar, 134 135 Additive function, 174 Gregorian, Fixed, 138 Affine transformation, l9l International 30 Algorithm, 33,58 Cantor expansion, division, 19 Card shuffiing, 152 155'272 Euclidean, 58 Carmichaelnumber, for addition, 33 Carry, 34 for division, 3'7,41 Casting out nines, 134 189 for matrix multiPlication, 43 Character ciPher, 2,107, for modular exPonentiation, 97 Chinese,ancient, 107 for modular multiPlication, 100 Chinese remainder theorem, for multiplication, 35,39 Cicada, periodic, 5'l for subtraction, 34 Cipher, 188 least-remainder, 67 block, 198 Amicable pair, 185 Caesar, 189 Approximation, character, 189 best rational, 37| digraphic, 198 by rationals, 369 exponentiation, 205 Arithmetic function, 166,418 Hill, 198 Arithmetic, fundamental iterated knapsack, 224 theorem of, 2,69 knapsack, 221 Arithmetic progression, monographic, 189 primes in, 74 polygraphic, 198 AutomorPh, 114 product, 19'l public-key, 2,212 Babylonians,1,25 Rabin, 215 Balanced ternary exPansion, 30 RSA, 212 Base, 27 substitution, 189 BaseD expansion, 27,341 transposition, 204 Best rational aPProximation, 371 Vigndre, 197 Big-O notation, 38,39 Ciphertext, 188 Binary notation, 27 Clustering, 142 Binomial coeffficient, l0 Coconut problem, 101 Binomial theorem, 12 Coefficients,binomial, 10 Biorhythms, I l4 Coin flipping, 298 Bit operation, 38 Collatz conjecture, 24 Bits, 27 Collision. 142 Block cipher, 198 Common key, 208 Borrow, 35 Common ratio, 5 Complete system of residues, 93 Caesar.Julius, 189 Completelyadditive function, 174 448 Index

Completelymultiplicative Diophantus, 86 function, 166 Dirichlet, G. Lejeune, 74 Composite, 1,45 Dirichlet product, 172 Computationalcomplexity, 3g Dirichlet's theorem on primes in of addition, 39 arithmetic progression, 74 of Euclidean algorithm, 62 Divide, l8 of division, 4 - Divisibility, l8 of matrix multiplication, 43 Divisibilitytests, lZ9 of multiplication, 39 Divisionalgorithm, l9 of subtraction, 39 Divisor, l8 Computer arithmetic, 33,109 Double hashing, 143 Computer files, 141,227 Draim factorization, g4 Computer word size, 33,109 Duodecimal notation, 44 Congruence, 2,gl linear, 102 Electronic poker, 209,304 of matrices, I l9 Enciphering, 188 Congruenceclass. 92 Encryption, 188 Conjecture, Equation, Ccllatz, 24 diophantine, 86 Goldbach, 50 Pell's, 404 Conjugate, 377 Eratosthenes, I Continuedfraction, 350 Eratosthenes,sieve of, 2,46 finite, 351 Euclid, I infinite, 362 Euclideanalgorithm, 5g periodic, 374 425 Euler. L.. I purely periodic, 3g3 Eulerphi-function, l6l,l67 simple, 351 Eulerpseudoprime, 325 Convergent, 354 Euler'scriterion. 290 Coversionof bases, Zg Euler's factorizationmethod, g5 Coveringset of congruences, I l5 Euler's theorem, 161 Cryptanalysis, 188 Exactly divide. i6 Cryptography, 188 Expansion, Cryptology, 188 baseb, 27 Cubic residue, 262 Cantor, 30 continuedfraction, 350 Database, 227 periodic base b, 343 Day of the week, 134 periodiccontinued function, 374 Decimal notation, 27 terminating, 341 Deciphering, 186 t l-exponent, 280 Decipheringkey, 213 Exponentiationcipher, 205 Decryption, 188 Deficient integer, 185 Factor, l8 Descent,proof by, 398 Factor table, 4ll Diabolic matrix, 127 Factorial function, 8 Digraphic cipher, 198 Factorization, 69,79 Diophantine equations, 86,391 Draim, 84 linear, 86 Euler, 85 lndex

C., 50 Fermat. 80 Goldbach, conjecture, 50 prime, 68 Goldbach's divisor, 53 prime-power, 69 Greatest common integer function, 20 speedof, 80,215 Greatest 2 Faltings,G., 400 Greeks, ancient, Farey series, 349 J., 48 Fermat, P. de, 1,397 Hadamard, of, l'l Fermat factorization, 80 Hanoi, tower 141 Fermat number, 81,302,311 Hashing, 143 Fermat prime, 8l double, 304 Fermat quotient, 152 quadratic, 141 Fermat's last theorem, 398 Hashing function, 27 Fermat's little theorem, 148 Hexadecimal notation, Fibonacci, 60 Hilbert prime, 76 Fibonacci numbers, 60 Hill cipher, 198 generalized, 68 z, l2l Fibonacci pseudo-randomnumber Identity matrix modulo 17,51 generator, 219 Inclusion-exclusion,principle of, Frequencies, Incongruent, 9l of letters, 193 Index of an integer, 252,421 of digraphs, 202 Index of summation, 5 of polygraphs, 203 Index system, 262 Function. Induction, mathematical, 4 additive, 174 Infinite simple continued fraction, 362 arithmetic, 166 Infinitude of primes, 45,82 completely additive, l7 4 Integer, completely multiPlicative, 166 abdundant,185 Euler phi, 161 deficient, 185 factorial, 8 palindromic, 133 greatest integer, 20 powerful, 16 hashing, 141 square-free,75 t73 Liouville's, 174 Inverse of an arithmetic function, Mobius, l'73 Inverse modulo lrr, 104 multiplicative, 166 Inverse of a matrix modulo nr, l2I number of divisors. 175 Involutory matrix, 126,244 sum of divisors. 174 Irrational number, 336,36'l Fundamental Theorem of Arithmetic, 69 Jacobi symbol, 314

Game of Euclid, 67 Kaprekar constant, 3l Gauss,C. G., 2,47 Key, l4l Gauss' generalization of common, 208 Wilson's theorem, 152 deciphering, 213 Gauss'lemma, 293 enciphering, 212 Generalized Riemann hypothesis, 158 mastero 228 Generalized Fibonacci numbers, 68 public, 212 Geometric progression, 5 shared, 208 450 Index

Knapsack cipher, 221 algorithm for, 97 Knapsack problem, 219 Monographic cipher, 189 k-perfect number, 186 Monkeys, l0l Kronecker symbol, 324 Multiple precision, 33 k th power residue, 256 Multiplication, 35,39 matrix, 43 Lagrange,J., 147 Multiplicative function, 166 Lagrange interpolation, 242 Multiplicative knapsackproblem, 226 Lagrange's theorem Mutually relatively prime, 56 (on continued functions), 378 Lagrange'stheorem Nim. 3l (on polynomial congruences), 219 Notation, Lam6, G., 62 big-O, 38 Lam6's theorem, 62 binary, 27 Law of quadratic reciprocity, 297,314 decimal, 27 Least common multiple, 72 duodecimal, 44 Least nonnegativeresidue, 93 hexadecimal, 27 Least-remainderalgorithm, 67 octal, 27 Legendre symbol, 289 product, 9 Lemma, Gauss'. 293 summation,5,l70 Linear combination, 54 Number, greatestcommon divisor as a, 54,63 Carmichael, 155,2'12 Linear congruence, 102 Fermat, 8l Linear congruential method, 275 Fibonacci, 60 Liouville's function, 114 generalizedFibonacci, 68 Logarithms modulo p, 207 irrational. 336 Lowest terms, 336 k-perfect, 186 Lucas-Lehmertest, 183 lucky, 52 Lucky numbers, 52 Mersenne, 182 perfect, 180 Magic square, 127 rational, 336 Master key, 228 superperfect, 186 Mathematical induction. 4 Number of divisors function. 175 Matrix, involutory, 126 Matrix multiplication, 43 Octal notation, 27 Maximal t1-exponent, 280 Operation, bit, 38 Mayans, 1,25 Order of an integer, 232 Mersenne,M., 182 Mersenne number. 182 Pairwise relatively prime, 56 Mersenne prime, 182 Palindromicinteger, 133 Method of infinite descent, 398 Partial remainder, 37 Middle-squaremethod, 275 Partial quotient, 351 Miller's test, 156 Pascal'striangle, 12 Minimal universal exponent, 269 Pell's equation, 404 Mobius function, 173 Pepin'stest, 3l I Mobius inversionformula, 173 Perfect number, 180 Modular exponentiation, 97 Period, 451 lndex

pure multiPlicative, 277 of a baseb exPansion, 343 ciPher, 2,212 of a continued fraction, 374 Public-key periodiccontinued fraction' 383 Periodic base b exPansion, 343 Purely 1 Periodic cicada, 5'l Pythagoras, triPle, 391 Periodiccontinued fraction, 374 Pythagorean theorem, 391 Plaintext, 188 Pythagorean Poker. 209,304 304 PolygraphicciPher, 198 Quadratic hashing, 375 Powerful integer, 76 Quadratic irrational, 288 Prepperiod, 343 Quadratic nonresidue, law, 297,304 Primality test, 153,263 Quadratic reciProcitY 288 probabilistic, 158,334 Quadratic residue, Primes, 1,45 Quotient, l9 Fermat, 8l Fermat, l52 Hilbert, 76 partial, 351 in arithmetic Progressions,74 infinitude of, 45 Rabbits, 68 215,303 Mersenne, 182 Rabin'scipher system, Wilson, 152 Rabin's probabilisticPrimalitY 34 Prime number theorem, 47 test, I 58,214,3 336 Prime-power factorization, 69 Rational number, Primitive root, 234,243 42O Read subkeY, 227 8 Primitive PythagoreantriPle, 391 Recursivedefinition, 162 Principleof inclusion-exclusion,l7 Reducedresidue system, irrational, 384 Principleof mathematicalinduction, Reducedquadratic second, 8 ReflexiveproPertY, 92 Probabilisticprimality test, 158'334 Regular polygon, Probing sequence, 143 constructabilitY, 83 Problem, Relativelyprime, 53 knapsack, 219 mutually, 56 multiplicativeknaPsack, 226 pairwise, 56 Remainder, l9 Product, Dirichlet, 172 Repunit, 133,165 Product ciPher, 192 Residue, Property, cubic, 262 reflexive, 92 k th power, 256 symmetric, 92 least nonnegative, 93 transitive, 92 quadratic, 288 well-ordering, 4 Residues, Pseudoconvergent,37 4 absoluteleast, 93 Pseudoprime,2,153 complete sYstemof, 93 Euler, 325 reduced, 162 strong, 157 Root of a polynomialmodulo rn, 238 Pseudo-randomnumbers, 275 Round-robintournament, 139 Pseudo-randomnumber generator' RSA cipher system, 212,274 Fibonacci, 279 linear congruential, 275 SecondprinciPle of middle'square, 275 4s2 lndex

mathematical induction. 8 Fermat's last, 398 Seed, 276 Fermat'slittle. 148 Shadows, 228 Lagrange's (on continued Shift transformation. l9l fractions), 378 Shifting, 35 Lagrange's (on polynomial Sieve of Eratosthenes, 2,46 congruences), 239 Signature, 216 Lam6's, 62 Signed message, 216,218 Wilson's, 147 Solovay-Strassenprobabilistic Threshold scheme, 228,243 primality test, 334 Tower of Hanoi. 17 Splicing of telephonecables, 284 Transitive property, 92 Spread of a splicing scheme, 284 Transpositioncipher, 204 Square-freeinteger, 7 5 Triangle, Strong pseudoprime, 157 Pascal's, l2 Subkey, Pythogrean, 391 read, 227 Twin primes, 50 write, 227 Substitution cipher, 189 Universal exponent, 269 Succinct certificate of primality, 266 Sum of divisorsfunction, 174 Vall6e-Poussin,C. de la, 48 Summation notation, 5 Vignrire ciphers, 197 Super-increasingsequence, 22O Superperfectnumber, 186 Weights, problem of, 30 Symbol, Well-ordering property, 4 Jacobi. 314 Wilson, J., 147 Kronecker, 324 Wilson prime, 152 Legendre, 289 Wilson's theorem, 147 Symmetric property, 92 Gauss' generalization of, 152 System of residues, Word size, 33,104 complete, 93 Write subkey, 22'l reduced, 162 Systemof congruences,107,1 l6

Telephonecables, 284 Terminating expansion, 341 Test, divisibility, 129 Lucas-Lehmer, 183 Miller's, 156 Pepin's, 3l I primality, 153,263 probalisticprimality, 158,334 Theorem, binomial, 12 Chineseremainder. 107 Dirichlet's, 74 Eulerns, l6l