
Number Theory and Cryptography

Paul Yiu

Department of Mathematics Florida Atlantic University

Fall 2017

Chapters 9–14

October 23, 2017

Contents

5 Quadratic Residues
  5.1 Quadratic residues
  5.2 The Legendre symbol
  5.3 The Legendre symbol $\left(\frac{-1}{p}\right)$
    5.3.1 The square roots of $-1 \pmod p$
  5.4 Gauss' lemma
  5.5 The Legendre symbol $\left(\frac{2}{p}\right)$
  5.6 The law of quadratic reciprocity
  5.7 Smallest quadratic nonresidue modulo p
  5.8 Square roots modulo p
    5.8.1 Square roots modulo prime $p \not\equiv 1 \pmod 8$
    5.8.2 Square roots modulo p for a generic prime p
  5.9 The Jacobi symbol

6 Primality Tests and Factorization of Integers
  6.1 Primality of Mersenne numbers
  6.2 Germain primes
  6.3 Probabilistic primality tests
    6.3.1 Pseudoprimes
    6.3.2 Euler b-pseudoprimes
    6.3.3 Strong b-pseudoprimes
  6.4 Carmichael numbers
  6.5 Quadratic sieve and factor base
    6.5.1 Fermat's factorization
    6.5.2 Factor base
  6.6 Pollard's methods
    6.6.1 The ρ-method
    6.6.2 The (p − 1)-method

7 Pythagorean Triangles
  7.1 Construction of Pythagorean triangles
  7.2 Fermat's construction of primitive Pythagorean triangles with consecutive legs
  7.3 Fermat Last Theorem for n = 4
  7.4 Two ternary trees of rational numbers
  7.5 Genealogy of Pythagorean triangles

8 Homogeneous Quadratic Equations in 3 Variables
  8.1 Pythagorean triangles revisited
  8.2 Rational points on a conic
    8.2.1 triangles with a 60° angle
    8.2.2 Integer triangles with a 120° angle
  8.3 Heron triangles
    8.3.1 The Heron formula
    8.3.2 Construction of Heron triangles
    8.3.3 Heron triangles with sides in progression
    8.3.4 Heron triangles with integer inradii
  8.4 The equation $P_{k,a} + P_{k,b} = P_{k,c}$ for polynomial numbers
    8.4.1 Double ruling of S
    8.4.2 Primitive Pythagorean triple associated with a k-gonal triple
    8.4.3 Triangular triples
    8.4.4 Pentagonal triples

Chapter 5

Quadratic Residues

5.1 Quadratic residues

Let n > 1 be a given positive integer, and gcd(a, n) = 1. We say that $a \in \mathbb{Z}_n^\bullet$ is a quadratic residue mod n if the congruence $x^2 \equiv a \pmod n$ is solvable. Otherwise, a is called a quadratic nonresidue mod n.

1. If a and b are quadratic residues mod n, so is their product ab.
2. If a is a quadratic residue, and b a quadratic nonresidue mod n, then ab is a quadratic nonresidue mod n.
3. The product of two quadratic nonresidues mod n is not necessarily a quadratic residue mod n. For example, in $\mathbb{Z}_{12}^\bullet = \{1, 5, 7, 11\}$, only 1 is a quadratic residue; 5, 7, and $11 \equiv 5 \cdot 7$ are all quadratic nonresidues.

Proposition 5.1. Let p be an odd prime, and $p \nmid a$. The quadratic congruence $ax^2 + bx + c \equiv 0 \pmod p$ is solvable if and only if $(2ax + b)^2 \equiv b^2 - 4ac \pmod p$ is solvable.

Theorem 5.2. Let p be an odd prime. Exactly one half of the elements of $\mathbb{Z}_p^\bullet$ are quadratic residues.

Proof. Each quadratic residue modulo p is congruent to one of the following $\frac{1}{2}(p-1)$ residues:

$$1^2,\ 2^2,\ \dots,\ k^2,\ \dots,\ \left(\frac{p-1}{2}\right)^2.$$

We show that these residue classes are all distinct. For $1 \le h < k \le \frac{p-1}{2}$, $h^2 \equiv k^2 \pmod p$ if and only if $(k-h)(h+k)$ is divisible by p; this is impossible since each of $k-h$ and $h+k$ is smaller than p.

Corollary 5.3. If p is an odd prime, the product of two quadratic nonresidues is a quadratic residue.

In the table below we list, for primes < 50, the quadratic residues and their square roots. It is understood that the square roots come in pairs. For example, the entry (2, 7) for the prime 47 should be interpreted as saying that the two solutions of the congruence $x^2 \equiv 2 \pmod{47}$ are $x \equiv \pm 7 \pmod{47}$. Also, for primes of the form p = 4n + 1, since −1 is a quadratic residue modulo p, we only list quadratic residues smaller than $\frac{p}{2}$. Those greater than $\frac{p}{2}$ can be found with the help of the square roots of −1.

Quadratic residues mod p and their square roots

3    (1, 1)
5    (−1, 2) (1, 1)
7    (1, 1) (2, 3) (4, 2)
11   (1, 1) (3, 5) (4, 2) (5, 4) (9, 3)
13   (−1, 5) (1, 1) (3, 4) (4, 2)
17   (−1, 4) (1, 1) (2, 6) (4, 2) (8, 5)
19   (1, 1) (4, 2) (5, 9) (6, 5) (7, 8) (9, 3) (11, 7) (16, 4) (17, 6)
23   (1, 1) (2, 5) (3, 7) (4, 2) (6, 11) (8, 10) (9, 3) (12, 9) (13, 6) (16, 4) (18, 8)
29   (−1, 12) (1, 1) (4, 2) (5, 11) (6, 8) (7, 6) (9, 3) (13, 10)
31   (1, 1) (2, 8) (4, 2) (5, 6) (7, 10) (8, 15) (9, 3) (10, 14) (14, 13) (16, 4) (18, 7) (19, 9) (20, 12) (25, 5) (28, 11)
37   (−1, 6) (1, 1) (3, 15) (4, 2) (7, 9) (9, 3) (10, 11) (11, 14) (12, 7) (16, 4)
41   (−1, 9) (1, 1) (2, 17) (4, 2) (5, 13) (8, 7) (9, 3) (10, 16) (16, 4) (18, 10) (20, 15)
43   (1, 1) (4, 2) (6, 7) (9, 3) (10, 15) (11, 21) (13, 20) (14, 10) (15, 12) (16, 4) (17, 19) (21, 8) (23, 18) (24, 14) (25, 5) (31, 17) (35, 11) (36, 6) (38, 9) (40, 13) (41, 16)
47   (1, 1) (2, 7) (3, 12) (4, 2) (6, 10) (7, 17) (8, 14) (9, 3) (12, 23) (14, 22) (16, 4) (17, 8) (18, 21) (21, 16) (24, 20) (25, 5) (27, 11) (28, 13) (32, 19) (34, 9) (36, 6) (37, 15) (42, 18)

5.2 The Legendre symbol

Let p be an odd prime. For an integer a, we define the Legendre symbol

$$\left(\frac{a}{p}\right) := \begin{cases} +1, & \text{if } a \text{ is a quadratic residue mod } p, \\ -1, & \text{otherwise.} \end{cases}$$

Lemma 5.4. $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$.

Proof. This is equivalent to saying that modulo p, the product of two quadratic residues (respectively nonresidues) is a quadratic residue, and the product of a quadratic residue and a quadratic nonresidue is a quadratic nonresidue.

Theorem 5.5 (Euler). Let p be an odd prime. For each integer a not divisible by p,

$$\left(\frac{a}{p}\right) \equiv a^{\frac{1}{2}(p-1)} \pmod p.$$

Proof. Suppose a is a quadratic nonresidue mod p. The mod p residues 1, 2, ..., p − 1 are partitioned into pairs satisfying xy = a. In this case,

$$(p-1)! \equiv a^{\frac{1}{2}(p-1)} \pmod p.$$

On the other hand, if a is a quadratic residue, with $a \equiv k^2 \equiv (p-k)^2 \pmod p$, apart from $0, \pm k$, the remaining p − 3 elements of $\mathbb{Z}_p$ can be partitioned into pairs satisfying xy = a.

$$(p-1)! \equiv k(p-k)\,a^{\frac{1}{2}(p-3)} \equiv -a^{\frac{1}{2}(p-1)} \pmod p.$$

Summarizing, we obtain

$$(p-1)! \equiv -\left(\frac{a}{p}\right) a^{\frac{1}{2}(p-1)} \pmod p.$$

Note that by putting a = 1, we obtain Wilson's theorem: $(p-1)! \equiv -1 \pmod p$. By comparison, we obtain a formula for $\left(\frac{a}{p}\right)$:

$$\left(\frac{a}{p}\right) \equiv a^{\frac{1}{2}(p-1)} \pmod p.$$

5.3 The Legendre symbol $\left(\frac{-1}{p}\right)$

Theorem 5.6. Let p be an odd prime. −1 is a quadratic residue modulo p if and only if $p \equiv 1 \pmod 4$.

Proof. (⇒) If $x^2 \equiv -1 \pmod p$, then $(-1)^{\frac{p-1}{2}} \equiv x^{p-1} \equiv 1 \pmod p$ by Fermat's little theorem. This means that $\frac{p-1}{2}$ is even, and $p \equiv 1 \pmod 4$.

(⇐) If $p \equiv 1 \pmod 4$, the integer $\frac{p-1}{2}$ is even. By Wilson's theorem,

$$\left(\left(\frac{p-1}{2}\right)!\right)^2 = \prod_{j=1}^{\frac{p-1}{2}} j^2 = \prod_{j=1}^{\frac{p-1}{2}} j \cdot (-j) \equiv \prod_{j=1}^{\frac{p-1}{2}} j \cdot (p-j) = (p-1)! \equiv -1 \pmod p.$$

The solutions of $x^2 \equiv -1 \pmod p$ are therefore $x \equiv \pm\left(\frac{p-1}{2}\right)!$.

Theorem 5.7. There are infinitely many primes of the form 4n + 1.

Proof. Suppose there are only finitely many primes $p_1, p_2, \dots, p_r$ of the form 4n + 1. Consider the product

$$P = (2p_1p_2 \cdots p_r)^2 + 1.$$

Note that $P \equiv 1 \pmod 4$. Since P is greater than each of $p_1, p_2, \dots, p_r$, it cannot be prime, and so must have a prime factor p different from $p_1, p_2, \dots, p_r$. But then modulo p, −1 is a square. By Theorem 5.6, p must be of the form 4n + 1, a contradiction.

5.3.1 The square roots of −1 (mod p)

Here are the square roots of −1 for the first 20 primes p of the form 4k + 1:

p     √−1      p     √−1      p     √−1      p     √−1      p     √−1
5     ±2       13    ±5       17    ±4       29    ±12      37    ±6
41    ±9       53    ±23      61    ±11      73    ±27      89    ±34
97    ±22      101   ±10      109   ±33      113   ±15      137   ±37
149   ±44      157   ±28      173   ±80      181   ±19      193   ±81

In general, the square roots of −1 (mod p) can be found as $n^k$ for a quadratic nonresidue n modulo p.

Example 5.1. Let p = 7933 = 4 × 1983 + 1. Since $p \equiv 5 \pmod 8$, n = 2 is a quadratic nonresidue. We compute $2^{1983}$ by successive squaring and multiplication making use of the binary expansion

$$1983 = (11110111111)_2.$$

Since this binary expansion has only one digit 0 at position $2^6$, $1983 + 2^6 + 2^0 = 2^{11}$.

k     $a_k$    $2^{2^k} \pmod{7933}$
0     1        2
1     1        4
2     1        16
3     1        256
4     1        2072
5     1        1431
6     0        1047
7     1        1455
8     1        6847
9     1        5312
10    1        7596
11             2507

From these, modulo 7933,

$$2^{1983} = \frac{2^{2048}}{2 \times 2^{64}} \equiv 2507 \times (2 \times 1047)^{-1} \equiv 2507 \times (-3868) \equiv -2950.$$

The square roots of −1 (mod 7933) are ±2950.

5.4 Gauss’ lemma

Theorem 5.8 (Gauss' Lemma). Let p be an odd prime, and a an integer not divisible by p. Then $\left(\frac{a}{p}\right) = (-1)^\mu$ where µ is the number of residues among

$$a,\ 2a,\ 3a,\ \dots,\ \frac{p-1}{2}a$$

falling in the range $\frac{p}{2}$

$r_1, r_2, \dots, r_\lambda$, and µ negative ones $-s_1, -s_2, \dots, -s_\mu$. Here, $\lambda + \mu = \frac{p-1}{2}$, and 0

and $a^{\frac{1}{2}(p-1)} = (-1)^\mu$. By Theorem 5.5, $\left(\frac{a}{p}\right) = (-1)^\mu$.

5.5 The Legendre symbol $\left(\frac{2}{p}\right)$

Theorem 5.9. Let p be an odd prime.

$$\left(\frac{2}{p}\right) = (-1)^{\lfloor \frac{1}{4}(p+1) \rfloor} = (-1)^{\frac{1}{8}(p^2-1)}.$$

Equivalently,

$$\left(\frac{2}{p}\right) = \begin{cases} +1 & \text{if } p \equiv \pm 1 \bmod 8, \\ -1 & \text{if } p \equiv \pm 3 \bmod 8. \end{cases}$$

Proof. We need to see how many terms in the sequence

$$2 \cdot 1,\ 2 \cdot 2,\ 2 \cdot 3,\ \dots,\ 2 \cdot \frac{p-1}{2}$$

are in the range $\frac{p}{2}$

5.6 The law of quadratic reciprocity

Theorem 5.10 (Law of quadratic reciprocity). Let p and q be distinct odd primes.

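$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$

Equivalently, when at least one of p, q ≡ 1 mod 4, p is a quadratic residue mod q if and only if q is a quadratic residue mod p. (Footnote 1: For p ≡ q ≡ 3 mod 4, p is a quadratic residue mod q if and only if q is a quadratic nonresidue mod p.)

Proof. (1) Let a be an integer not divisible by p. Suppose, as in the proof of Gauss' Lemma above, of the residues $a, 2a, \dots, \frac{p-1}{2}a$, the positive least absolute value representatives are $r_1, r_2, \dots, r_\lambda$, and the negative ones are $-s_1, -s_2, \dots, -s_\mu$. The numbers $a, 2a, \dots, \frac{p-1}{2}a$ are a permutation of

$$\left\lfloor \frac{h_i a}{p} \right\rfloor p + r_i, \quad i = 1, 2, \dots, \lambda,$$

and

$$\left\lfloor \frac{k_j a}{p} \right\rfloor p + (p - s_j), \quad j = 1, 2, \dots, \mu,$$

where $h_1, \dots, h_\lambda, k_1, \dots, k_\mu$ are a permutation of $1, 2, \dots, \frac{p-1}{2}$. Considering the sum of these numbers, we have

$$\begin{aligned}
a \cdot \sum_{m=1}^{\frac{1}{2}(p-1)} m
&= p \sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor + \sum_{i=1}^{\lambda} r_i + \sum_{j=1}^{\mu} (p - s_j) \\
&= p \sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor + \sum_{i=1}^{\lambda} r_i + \sum_{j=1}^{\mu} s_j + \sum_{j=1}^{\mu} (p - 2s_j) \\
&= p \sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor + \sum_{m=1}^{\frac{1}{2}(p-1)} m + \mu \cdot p - 2 \sum_{j=1}^{\mu} s_j.
\end{aligned}$$

In particular, if a is odd, then

$$\mu \equiv \sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{ma}{p} \right\rfloor \bmod 2,$$

and by Gauss' lemma,

$$\left(\frac{a}{p}\right) = (-1)^{\sum_{m=1}^{\frac{1}{2}(p-1)} \lfloor \frac{ma}{p} \rfloor}.$$

(2) Therefore, for distinct odd primes p and q, we have

$$\left(\frac{q}{p}\right) = (-1)^{\sum_{m=1}^{\frac{1}{2}(p-1)} \lfloor \frac{mq}{p} \rfloor},$$

and

$$\left(\frac{p}{q}\right) = (-1)^{\sum_{n=1}^{\frac{1}{2}(q-1)} \lfloor \frac{np}{q} \rfloor}.$$

[Figure: lattice points (m, n), with the m-axis marked 1, 2, ..., p/2 and the n-axis marked 1, 2, ..., q/2.]

(3) In the diagram above, we consider the lattice points (m, n) with $1 \le m \le \frac{p-1}{2}$ and $1 \le n \le \frac{q-1}{2}$. There are altogether $\frac{p-1}{2} \cdot \frac{q-1}{2}$ such points forming a rectangle. These points are separated by the line L of slope $\frac{q}{p}$ through the point (0, 0). For each $m = 1, 2, \dots, \frac{p-1}{2}$, the number of points in the vertical line through (m, 0) under L is $\lfloor \frac{mq}{p} \rfloor$. Therefore, the total number of points under L is $\sum_{m=1}^{\frac{1}{2}(p-1)} \lfloor \frac{mq}{p} \rfloor$. Similarly, the total number of points on the left side of L is $\sum_{n=1}^{\frac{1}{2}(q-1)} \lfloor \frac{np}{q} \rfloor$. From these, we have

$$\sum_{m=1}^{\frac{1}{2}(p-1)} \left\lfloor \frac{mq}{p} \right\rfloor + \sum_{n=1}^{\frac{1}{2}(q-1)} \left\lfloor \frac{np}{q} \right\rfloor = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$

It follows that

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$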

The law of quadratic reciprocity can be recast into the following form:

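$$\left(\frac{p}{q}\right) = \begin{cases} -\left(\frac{q}{p}\right), & \text{if } p \equiv q \equiv 3 \bmod 4, \\ +\left(\frac{q}{p}\right), & \text{otherwise.} \end{cases}$$

Example 5.2. (a) 59 is a quadratic residue modulo 131:

$$\left(\frac{59}{131}\right) = -\left(\frac{131}{59}\right) = -\left(\frac{13}{59}\right) = -\left(\frac{59}{13}\right) = -\left(\frac{7}{13}\right) = -\left(\frac{13}{7}\right) = -\left(\frac{-1}{7}\right) = -(-1) = 1.$$

The square roots are ±37.

(b) 34 is a quadratic nonresidue modulo 97: $\left(\frac{34}{97}\right) = \left(\frac{2}{97}\right)\left(\frac{17}{97}\right)$. Now, $\left(\frac{2}{97}\right) = +1$ by Theorem 5.9, and

$$\left(\frac{17}{97}\right) = \left(\frac{97}{17}\right) = \left(\frac{12}{17}\right) = \left(\frac{3}{17}\right)\left(\frac{4}{17}\right) = \left(\frac{3}{17}\right) = \left(\frac{17}{3}\right) = \left(\frac{2}{3}\right) = -1.$$

Therefore, $\left(\frac{34}{97}\right) = (+1)(-1) = -1$.

Example 5.3. For which primes p > 3 is 3 a quadratic residue?

A prime p > 3 is of the form 6k + ε for ε = ±1. For such a prime, $\left(\frac{p}{3}\right) = \left(\frac{\varepsilon}{3}\right) = \varepsilon$. By the law of quadratic reciprocity,

$$\left(\frac{3}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{3-1}{2}} \left(\frac{p}{3}\right) = (-1)^k \cdot (-1)^{\frac{\varepsilon-1}{2}} \cdot \varepsilon.$$

Since $(-1)^{\frac{\varepsilon-1}{2}} \cdot \varepsilon = 1$ for ε = ±1, we have $\left(\frac{3}{p}\right) = (-1)^k$. This means that 3 is a quadratic residue mod p if and only if k is even, i.e., p = 12m ± 1.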

Exercise. Complete the following table for the primes admitting a as a quadratic residue.

a      $\left(\frac{a}{p}\right) = +1$ if and only if
−1     p ≡ 1 (mod 4)
2      p ≡ ±1 (mod 8)
−2
3
−3
5
−5
6
−6

5.7 Smallest quadratic nonresidue modulo p

Lemma 5.11. Let p be an odd prime. The smallest quadratic nonresidue modulo p is a prime.

Proof. Let b be the smallest quadratic nonresidue. If b is not prime, we write b = cc′, where 1 < c, c′ < b. Exactly one of c, c′ must be a quadratic nonresidue. This contradicts the minimality of b.

Let p be a prime. We want to determine the smallest quadratic nonresidue modulo p, denoted by b(p). Clearly, if p ≡ 3 or 5 mod 8, then b(p) = 2. Recall that 3 is a quadratic residue mod p if and only if p is of the form 12n ± 1. It follows that b(p) = 3 for p ≡ 5, 7 (mod 12). Apart from the prime 3, modulo 24, every odd prime has residue 1, 5, 7, 11, 13, 17, 19, 23. The smallest quadratic nonresidue mod p in these cases are given by

p (mod 24)   1    5    7    11   13   17   19   23
b(p)         ?    2    3    2    2    3    2    ?

Smallest quadratic nonresidues for the first 100 primes of the form 24k ± 1.

p     b(p)    p     b(p)    p     b(p)    p     b(p)    p     b(p)    p     b(p)
23    5       47    5       71    7       73    5       97    5       167   5
191   7       193   5       239   7       241   7       263   5       311   11
313   5       337   5       359   7       383   5       409   7       431   7
433   5       457   5       479   13      503   5       577   5       599   7
601   7       647   5       673   5       719   11      743   5       769   7
839   11      863   5       887   5       911   7       937   5       983   5
1009  11      1031  7       1033  5       1103  5       1129  11      1151  13
1153  5       1201  11      1223  5       1249  7       1297  5       1319  13
1321  7       1367  5       1439  7       1487  5       1489  7       1511  11
1559  17      1583  5       1607  5       1609  7       1657  5       1753  5
1777  5       1801  11      1823  5       1847  5       1871  7       1873  5
1993  5       2017  5       2039  7       2063  5       2087  5       2089  7
2111  7       2113  5       2137  5       2161  7       2207  5       2281  7
2351  13      2377  5       2399  11      2423  5       2447  5       2473  5
2521  11      2543  5       2591  7       2593  5       2617  5       2663  5
2687  5       2689  13      2711  7       2713  5       2833  5       2857  5
2879  7       2903  5       2927  5       2953  5       2999  17      3001  7

5.8 Square roots modulo p

5.8.1 Square roots modulo prime $p \not\equiv 1 \pmod 8$

Proposition 5.12. Let p be a prime of the form 4k + 3. If $\left(\frac{a}{p}\right) = 1$, then the square roots of a (mod p) are $\pm a^{\frac{1}{4}(p+1)}$.

Proof.

$$\left(a^{\frac{1}{4}(p+1)}\right)^2 \equiv a^{\frac{1}{2}(p+1)} = a^{\frac{1}{2}(p-1)} \cdot a = \left(\frac{a}{p}\right) a = a \pmod p.$$

Proposition 5.13. Let p be a prime of the form 8k + 5. If $\left(\frac{a}{p}\right) = 1$, then the square roots of a (mod p) are
(a) $\pm a^{\frac{1}{8}(p+3)}$ if $a^{\frac{1}{4}(p-1)} \equiv 1 \pmod p$,
(b) $\pm 2^{\frac{1}{4}(p-1)} \cdot a^{\frac{1}{8}(p+3)}$ if $a^{\frac{1}{4}(p-1)} \equiv -1 \pmod p$.

Proof. Note that

$$\left(a^{\frac{1}{8}(p+3)}\right)^2 \equiv a^{\frac{1}{4}(p+3)} = a^{\frac{1}{4}(p-1)} \cdot a \pmod p.$$

Since $\left(\frac{a}{p}\right) = a^{\frac{1}{2}(p-1)} \equiv 1 \pmod p$, we have $a^{\frac{1}{4}(p-1)} \equiv \pm 1 \pmod p$.

If $a^{\frac{1}{4}(p-1)} \equiv 1 \pmod p$, then this gives $a^{\frac{1}{8}(p+3)}$ as a square root of a (mod p). If $a^{\frac{1}{4}(p-1)} \equiv -1 \pmod p$, then we have

$$a \equiv -\left(a^{\frac{1}{8}(p+3)}\right)^2 \equiv \left(\frac{y}{p}\right)\left(a^{\frac{1}{8}(p+3)}\right)^2 \equiv \left(y^{\frac{1}{4}(p-1)} a^{\frac{1}{8}(p+3)}\right)^2$$

for any quadratic nonresidue y (mod p). Since $p \equiv 5 \pmod 8$, we may simply take y = 2.

Example 5.4. (a) Let p = 23. Clearly 2 is a quadratic residue mod 23. The square roots of 2 mod 23 are $\pm 2^6 \equiv \pm 18 \equiv \mp 5 \pmod{23}$.

(b) Let p = 29. Both 6 and 7 are quadratic residues mod 29. Since $7^7 \equiv 1 \pmod{29}$, the square roots of 7 mod 29 are $\pm 7^4 \equiv \pm 23 \equiv \mp 6$. On the other hand, since $6^7 \equiv -1 \pmod{29}$, the square roots of 6 mod 29 are $\pm 2^7 \cdot 6^4 \equiv \pm 12 \cdot 20 \equiv \pm 8 \pmod{29}$.

5.8.2 Square roots modulo p for a generic prime p

Let a be a quadratic residue mod p. We find $x \in \mathbb{Z}_p^\bullet$ such that $x^2 \equiv a \pmod p$. For this, we write $p - 1 = 2^s \cdot t$ with t odd, and begin with a quadratic nonresidue n mod p. Compute the two residues
(1) $b := n^t \bmod p$, which is a primitive $2^s$-root of unity mod p, and
(2) $r := a^{(t+1)/2} \bmod p$.

Lemma 5.14. (a) b is a primitive $2^s$-root of unity mod p.
(b) $\rho_0 := a^{-1}r^2$ is a $2^{s-1}$-root of unity mod p.

Proof. (a) $b^{2^s} = (n^t)^{2^s} = n^{2^s \cdot t} = n^{p-1} \equiv 1 \pmod p$. Therefore, b is a $2^s$-root of unity modulo p.
Note that b, being an odd power of a quadratic nonresidue, is a quadratic nonresidue mod p. If b is not a primitive $2^s$-root of unity, there is an integer r, 0 r r

$$\rho_0^{2^{s-1}} = (a^{-1}r^2)^{2^{s-1}} \equiv (a^{-1} \cdot a^{t+1})^{2^{s-1}} = a^{2^{s-1} \cdot t} = a^{(p-1)/2} = \left(\frac{a}{p}\right) = +1.$$

Now we find a square root of a mod p in the form $b^j r$, for some j, $0 \le j < 2^{s-1}$. Let

$$j = (j_{s-2}j_{s-3} \cdots j_1j_0)_2$$

be the binary expression of j, each of $j_0, \dots, j_{s-1}$ being 0 or 1. We find the binary digits of j inductively.

(i) From (b), $\rho_0^{2^{s-1}} \equiv 1 \pmod p$. Therefore, $\rho_0^{2^{s-2}} \equiv \pm 1 \pmod p$. Set

$$j_0 = \begin{cases} 0 & \text{if } \rho_0^{2^{s-2}} \equiv 1 \bmod p, \\ 1 & \text{if } \rho_0^{2^{s-2}} \equiv -1 \bmod p \end{cases}$$

and $\rho_1 = a^{-1}(b^{(j_0)_2} r)^2 = a^{-1}(b^{j_0} r)^2$, which is a $2^{s-2}$-root of unity.

(ii) Suppose we have $j_0, j_1, \dots, j_{k-1}$ such that

$$\rho_k := a^{-1}\left(b^{(j_{k-1} \cdots j_1j_0)_2} r\right)^2$$

is a $2^{s-k-1}$-root of unity mod p. Set

$$j_k = \begin{cases} 0 & \text{if } \rho_k^{2^{s-k-2}} \equiv 1 \bmod p, \\ 1 & \text{if } \rho_k^{2^{s-k-2}} \equiv -1 \bmod p \end{cases}$$

and $\rho_{k+1} := a^{-1}\left(b^{(j_kj_{k-1} \cdots j_1j_0)_2} r\right)^2$, which is a $2^{s-k-2}$-root of unity.

(iii) With $j_0, \dots, j_{s-2}$, we obtain

$$\rho_{s-1} = a^{-1}\left(b^{(j_{s-2} \cdots j_1j_0)_2} r\right)^2 = 1.$$

Therefore, $b^j r$ is a square root of a mod p.

Example 5.5. Consider p = 401 and a = 186; a is a quadratic residue mod p, and $a^{-1} = 235$. Now, $p - 1 = 400 = 2^4 \cdot 25$; (s, t) = (4, 25). With the quadratic nonresidue n = 3, we take
(i) $b = n^t = 3^{25} = 268$,
(ii) $r = a^{\frac{1}{2}(t+1)} = 186^{13} = 103$.
With these,
(iii) $\rho_0 = a^{-1}r^2 = 235 \cdot 103^2 = 98$; $\rho_0^{2^2} = -1$; $j_0 = 1$, and $\rho_1 = a^{-1}(br)^2 = -1$.
(iv) $\rho_1^{2^1} = 1$; $j_1 = 0$, and $\rho_2 = -1$.
(v) $\rho_2^{2^0} = -1$; $j_2 = 1$.
(vi) $j = (101)_2 = 5$. The square roots of 186 mod 401 are $\pm b^5 r = \pm 304 = \pm 97$.

Example 5.6. Consider p = 7993 and a = 41; a is a quadratic residue mod p, and $a^{-1} = 4094$. Now, $p - 1 = 7992 = 2^3 \cdot 3^2 \cdot 111$; (s, t) = (3, 999). With the quadratic nonresidue n = 5, we take
(i) $b = n^t = 5^{999} = 1654$,
(ii) $r = a^{\frac{1}{2}(t+1)} = 41^{500} = 2487$.
With these,
(iii) $\rho_0 = a^{-1}r^2 = (-3899) \cdot 2487^2 = 2110$; $\rho_0^{2^1} = -1$; $j_0 = 1$, and $\rho_1 = a^{-1}(br)^2 = 7992$.
(iv) $\rho_1^{2^0} = 7992 = -1$; $j_1 = 1$.
(v) $j = (11)_2 = 3$. The square roots of a mod p are $\pm b^3 r = \pm 1975$.
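The bit-by-bit procedure of Section 5.8.2, written out as an added Python example (not code from the notes). The function names are this example's own, the nonresidue n is taken to be the smallest one, and p is assumed to be an odd prime, which the code does not verify.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion (Theorem 5.5)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def smallest_nonresidue(p):
    """b(p) of Section 5.7: the smallest quadratic nonresidue mod p."""
    n = 2
    while legendre(n, p) != -1:
        n += 1
    return n


def sqrt_mod_trace(a, p):
    """Return (b, r, j, root) in the notation of Section 5.8.2.

    root = b^j * r satisfies root^2 = a (mod p).  Assumes p is an odd prime
    (not checked) and raises ValueError if a is not a nonzero residue.
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("p must be an odd prime")
    a %= p
    if legendre(a, p) != 1:
        raise ValueError("a is not a nonzero quadratic residue mod p")

    # p - 1 = 2^s * t with t odd
    s, t = 0, p - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2

    n = smallest_nonresidue(p)
    b = pow(n, t, p)                 # primitive 2^s-root of unity (Lemma 5.14 (a))
    r = pow(a, (t + 1) // 2, p)      # r^2 = a * a^t, so a^-1 r^2 is a 2^(s-1)-root of unity
    a_inv = pow(a, p - 2, p)         # inverse by Fermat's little theorem

    j, root = 0, r
    for k in range(s - 1):           # fixes the binary digits j_0, ..., j_(s-2)
        rho_k = a_inv * root * root % p
        # rho_k^(2^(s-k-2)) is +1 or -1; on -1 set digit j_k and multiply in b^(2^k).
        # This branch depends on a, so the routine is not constant-time.
        if pow(rho_k, 1 << (s - k - 2), p) == p - 1:
            j |= 1 << k
            root = root * pow(b, 1 << k, p) % p
    return b, r, j, root


def sqrt_mod(a, p):
    """Both square roots of a mod p as a sorted pair."""
    root = sqrt_mod_trace(a, p)[3]
    return min(root, p - root), max(root, p - root)


if __name__ == "__main__":
    # Inputs of Examples 5.5 and 5.6, and of Example 5.1 (square roots of -1).
    for a, p in [(186, 401), (41, 7993), (-1, 7933)]:
        print(a, p, sqrt_mod_trace(a, p), sqrt_mod(a, p))
```

For p ≡ 3 (mod 4) the loop is empty and the result is the formula of Proposition 5.12; for p ≡ 5 (mod 8) the single iteration is Proposition 5.13.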

5.9 The Jacobi symbol

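Definition. Let $n = \prod p_i^{k_i}$ be an odd integer. For an integer a with gcd(a, n) = 1, the Jacobi symbol is defined by

$$\left(\frac{a}{n}\right) := \prod \left(\frac{a}{p_i}\right)^{k_i}.$$

Proposition 5.15. Let m and n be odd numbers.
(a) If gcd(a, n) = 1 and $a \equiv b \pmod n$, then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$.
(b) If gcd(a, n) = gcd(b, n) = 1, then $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$. In particular, $\left(\frac{a^2}{n}\right) = 1$.
(c) If m and n are relatively prime, and gcd(a, m) = gcd(a, n) = 1, then

$$\left(\frac{a}{mn}\right) = \left(\frac{a}{m}\right)\left(\frac{a}{n}\right).$$

(d) $\left(\frac{-1}{n}\right) = 1$ if and only if $n \equiv 1 \pmod 4$.
(e) $\left(\frac{2}{n}\right) = 1$ if and only if $n \equiv \pm 1 \pmod 8$.
(f) (The law of reciprocity) If gcd(m, n) = 1, then

$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}.$$

Remark. If n is not a prime, $\left(\frac{a}{n}\right) = +1$ does not imply that a is a quadratic residue mod n. For example, $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)(-1) = +1$. But the quadratic residues modulo 15 are 1, 4, and 10.

Chapter 6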

Primality Tests and Factorization of Integers

6.1 Primality of Mersenne numbers

A Mersenne number is one of the form $M_k := 2^k - 1$. A gives rise to an even . If $M_k = 2^k - 1$ is a prime, then k must be a prime. The converse, however, is not true. The Mersenne numbers $M_2 = 3$, $M_3 = 7$, $M_5 = 31$, $M_7 = 127$ are all primes. But $M_{11} = 2047$ is composite.

Theorem 6.1 (Fermat). If p > 2 is prime, then every prime divisor of $M_p := 2^p - 1$ is of the form 2pk + 1 for some integer k.

Proof. Let q be a prime divisor of $M_p$, so that $2^p \equiv 1 \pmod q$. This means that $\mathrm{order}_q(2) = p$. Since $2^{q-1} \equiv 1 \pmod q$ by Fermat's little theorem, q − 1 is an even multiple of the odd prime p. Therefore, q = 2pk + 1 for some integer k.

Example 6.1. (a) $M_{11} = 2^{11} - 1 = 2047$. The of $M_{11}$ of the form 22k + 1. For k = 1, it can be easily checked that 2047 = 23 · 89. (The other divisor 89 = 22 · 4 + 1).

(b) $M_{13} = 2^{13} - 1 = 8191$. We need only check prime divisors of the form 26k + 1 which are less than 90. These are 53 and 79. None of these divides 8191. We conclude that $M_{13}$ is prime.

(c) $M_{29} = 2^{29} - 1 = 536870911 = 233 \times 1103 \times 2089$. There are 99 primes of the form 58k + 1 smaller than the square root of $M_{29}$. Of these, 233, 1103, 2089 divide $M_{29}$ (which are the second, 6-th, and 12-th primes in increasing order).
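Theorem 6.1 turns trial division of a Mersenne number into a search over the candidates q = 2pk + 1 only. The Python sketch below is an added example, not part of the notes. It goes one step beyond the text by also skipping candidates with q not ≡ ±1 (mod 8): 2 is a square modulo any prime divisor q of $M_p$ because $2 \equiv (2^{(p+1)/2})^2 \pmod q$, so Theorem 5.9 applies. The function names are this example's own.

```python
def divides_mersenne(q, p):
    """True when q divides M_p = 2^p - 1, tested as 2^p = 1 (mod q)."""
    return pow(2, p, q) == 1


def mersenne_factors(p):
    """Prime factorization of M_p = 2^p - 1 for an odd prime p.

    Only candidates q = 2pk + 1 are tried (Theorem 6.1).  Candidates are
    visited in increasing order and every hit is divided out completely, so
    each q that still divides the remaining cofactor is prime.
    """
    if p < 3 or any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        raise ValueError("p must be an odd prime")
    m = (1 << p) - 1
    factors = []
    q = 2 * p + 1
    while q * q <= m:
        # 2 is a quadratic residue mod every prime divisor of M_p,
        # so only q = +1 or -1 (mod 8) needs to be tested.
        if q % 8 in (1, 7) and divides_mersenne(q, p):
            while m % q == 0:
                factors.append(q)
                m //= q
        q += 2 * p
    if m > 1:
        factors.append(m)        # the remaining cofactor is prime
    return factors


if __name__ == "__main__":
    for p in (11, 13, 29):       # the three cases of Example 6.1
        print(p, (1 << p) - 1, mersenne_factors(p))
```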

Exercise. Factorize completely each of the following Mersenne numbers, or prove that it is prime.
(1) $M_{19} = 2^{19} - 1 = 524287$.
(2) $M_{23} = 2^{23} - 1 = 8388607$.
(3) $M_{47} = 2^{47} - 1 = 140737488355327$.

Remark. In the beginning of the 20-th century, F. N. Cole, Professor of Mathematics at Columbia University, spent the Sundays of three consecutive years on the factorization of $M_{67}$, and obtained

$$M_{67} = 2^{67} - 1 = 147573952589676412927 = 193707721 \times 761838257287.$$

Theorem 6.2. Let $p \equiv 3 \pmod 4$ be a prime. The Mersenne number $M_p = 2^p - 1$ is divisible by 2p + 1 if and only if 2p + 1 is prime.

Proof. Let q = 2p + 1. Note that $q \equiv 7 \pmod 8$.

(⇒) If q divides $2^p - 1$, $2^p \equiv 1 \pmod q$, and $\mathrm{order}_q(2)$ divides p. Since p is prime, $\mathrm{order}_q(2) = p = \frac{1}{2}(q-1)$. On the other hand, $\mathrm{order}_q(2)$ divides $\varphi(q) \le q - 1 \le 2p$. Therefore, ϕ(q) = p or 2p. Since $\varphi(q) \ne p$ (an odd number), we must have ϕ(q) = 2p = q − 1, and q is prime.

(⇐) Since $q \equiv 7 \pmod 8$, $\left(\frac{2}{q}\right) = 1$. By Euler's theorem, $2^p = 2^{(q-1)/2} \equiv \left(\frac{2}{q}\right) \equiv 1 \pmod q$. Therefore, q divides $2^p - 1 = M_p$.

Table 1. The first 100 Mersenne numbers $M_p$, $p \equiv 3 \pmod 4$, divisible by prime q = 2p + 1

(p,q)          (p,q)          (p,q)          (p,q)          (p,q)
(11, 23)       (23, 47)       (83, 167)      (131, 263)     (179, 359)
(191, 383)     (239, 479)     (251, 503)     (359, 719)     (419, 839)
(431, 863)     (443, 887)     (491, 983)     (659, 1319)    (683, 1367)
(719, 1439)    (743, 1487)    (911, 1823)    (1019, 2039)   (1031, 2063)
(1103, 2207)   (1223, 2447)   (1439, 2879)   (1451, 2903)   (1499, 2999)
(1511, 3023)   (1559, 3119)   (1583, 3167)   (1811, 3623)   (1931, 3863)
(2003, 4007)   (2039, 4079)   (2063, 4127)   (2339, 4679)   (2351, 4703)
(2399, 4799)   (2459, 4919)   (2543, 5087)   (2699, 5399)   (2819, 5639)
(2903, 5807)   (2939, 5879)   (2963, 5927)   (3023, 6047)   (3299, 6599)
(3359, 6719)   (3491, 6983)   (3539, 7079)   (3623, 7247)   (3779, 7559)
(3803, 7607)   (3851, 7703)   (3863, 7727)   (3911, 7823)   (4019, 8039)
(4211, 8423)   (4271, 8543)   (4391, 8783)   (4871, 9743)   (4919, 9839)
(4943, 9887)   (5003, 10007)  (5039, 10079)  (5051, 10103)  (5171, 10343)
(5231, 10463)  (5279, 10559)  (5303, 10607)  (5399, 10799)  (5639, 11279)
(5711, 11423)  (5903, 11807)  (6131, 12263)  (6263, 12527)  (6323, 12647)
(6491, 12983)  (6551, 13103)  (6563, 13127)  (6899, 13799)  (6983, 13967)
(7043, 14087)  (7079, 14159)  (7103, 14207)  (7151, 14303)  (7211, 14423)
(7643, 15287)  (7691, 15383)  (7823, 15647)  (7883, 15767)  (8111, 16223)
(8243, 16487)  (8663, 17327)  (8951, 17903)  (9059, 18119)  (9371, 18743)
(9419, 18839)  (9479, 18959)  (9539, 19079)  (9791, 19583)  (10091, 20183)

6.2 Germain primes

An odd prime p for which 2p + 1 is also prime is called a Germain prime. Theorem 6.2 can be restated as saying that "if $p \equiv 3 \pmod 4$ is a Germain prime, then the Mersenne number $M_p$ has a prime divisor 2p + 1." Table 1 gives the 100 Germain primes of the form 4k + 3. Here are the Germain primes of the form 4k + 1.

Table 2. The first 100 Germain primes p = 4k + 1

(p,q)           (p,q)           (p,q)           (p,q)           (p,q)
(5, 11)         (29, 59)        (41, 83)        (53, 107)       (89, 179)
(113, 227)      (173, 347)      (233, 467)      (281, 563)      (293, 587)
(509, 1019)     (593, 1187)     (641, 1283)     (653, 1307)     (761, 1523)
(809, 1619)     (953, 1907)     (1013, 2027)    (1049, 2099)    (1229, 2459)
(1289, 2579)    (1409, 2819)    (1481, 2963)    (1601, 3203)    (1733, 3467)
(1889, 3779)    (1901, 3803)    (1973, 3947)    (2069, 4139)    (2129, 4259)
(2141, 4283)    (2273, 4547)    (2393, 4787)    (2549, 5099)    (2693, 5387)
(2741, 5483)    (2753, 5507)    (2969, 5939)    (3329, 6659)    (3389, 6779)
(3413, 6827)    (3449, 6899)    (3593, 7187)    (3761, 7523)    (3821, 7643)
(4073, 8147)    (4349, 8699)    (4373, 8747)    (4409, 8819)    (4481, 8963)
(4733, 9467)    (4793, 9587)    (5081, 10163)   (5333, 10667)   (5441, 10883)
(5501, 11003)   (5741, 11483)   (5849, 11699)   (6053, 12107)   (6101, 12203)
(6113, 12227)   (6173, 12347)   (6269, 12539)   (6329, 12659)   (6449, 12899)
(6521, 13043)   (6581, 13163)   (6761, 13523)   (7121, 14243)   (7193, 14387)
(7349, 14699)   (7433, 14867)   (7541, 15083)   (7649, 15299)   (7841, 15683)
(7901, 15803)   (8069, 16139)   (8093, 16187)   (8273, 16547)   (8513, 17027)
(8693, 17387)   (8741, 17483)   (8969, 17939)   (9029, 18059)   (9221, 18443)
(9293, 18587)   (9473, 18947)   (9629, 19259)   (9689, 19379)   (10061, 20123)
(10253, 20507)  (10313, 20627)  (10529, 21059)  (10589, 21179)  (10613, 21227)
(10709, 21419)  (10733, 21467)  (10781, 21563)  (11321, 22643)  (11369, 22739)

Proposition 6.3. Let p be a Germain prime, so that q = 2p + 1 is also prime.
(a) If $p \equiv 1 \pmod 4$, then p + 1 is primitive root modulo q.
(b) If $p \equiv 3 \pmod 4$, then p is a primitive root modulo q.

Proof. (a) If $p \equiv 1 \pmod 4$, $2p + 2 \equiv q + 1 \equiv 1 \pmod q$ and

$$1 = \left(\frac{1}{q}\right) = \left(\frac{2p+2}{q}\right) = \left(\frac{2}{q}\right)\left(\frac{p+1}{q}\right).$$

Note that $q \equiv 3 \pmod 8$, and $\left(\frac{2}{q}\right) = -1$. From this

$$(p+1)^p = (p+1)^{\frac{q-1}{2}} \equiv \left(\frac{p+1}{q}\right) = -1 \pmod q.$$

Therefore, the order of p + 1 mod q is 2p, and p + 1 is a primitive root.

(b) If $p \equiv 3 \pmod 4$, then $q \equiv 7 \pmod 8$ and $2p \equiv -1 \pmod q$. It follows that

$$-1 = \left(\frac{-1}{q}\right) = \left(\frac{2p}{q}\right) = \left(\frac{2}{q}\right)\left(\frac{p}{q}\right) = \left(\frac{p}{q}\right).$$

Again,

$$p^p = p^{\frac{q-1}{2}} \equiv \left(\frac{p}{q}\right) = -1,$$

and p is a primitive root for q.

6.3 Probabilistic primality tests

6.3.1 Pseudoprimes

The converse of Fermat's little theorem is not true. If $2^{p-1} \equiv 1 \pmod p$, one cannot conclude that p is a prime. Here is an example: p = 341 = 11 × 31 is composite, but $2^{340} \equiv 1 \pmod{341}$.

Definition. Given an integer b ≥ 2, an odd composite n is called a b-pseudoprime if gcd(n, b) = 1 and $b^{n-1} \equiv 1 \pmod n$.

Example 6.2. 91 is a 3-pseudoprime, since $3^{90} \equiv 1 \pmod{91}$. But 91 is not a 2-pseudoprime, since $2^{90} \equiv 64 \pmod{91}$. To verify these, we make use of the binary expansion of $90 = 1011010_2$, and compute $2^{90}$ and $3^{90}$ modulo 91 by successive squaring and multiplication:

t     $k = 2^t$    $2^k \pmod{91}$    $3^k \pmod{91}$
0     1            2                  3
1     2            4                  9       ∗
2     4            16                 −10
3     8            −17                9       ∗
4     16           16                 −10     ∗
5     32           −17                9
6     64           16                 −10     ∗

$$2^{90} \equiv 4(-17)(16)(16) \equiv 4(-17)(-17) \equiv 4(16) \equiv 64 \pmod{91},$$

$$3^{90} \equiv 9(9)(-10)(-10) \equiv 9^2 \cdot 10^2 \equiv (90)^2 \equiv 1 \pmod{91}.$$

Proposition 6.4. Let $b, b_1, b_2 \ge 2$, and n be an odd prime to b.
(a) n is a b-pseudoprime if and only if $\mathrm{order}_n(b) \mid n - 1$.
(b) If n is a b-pseudoprime, and $ab \equiv 1 \pmod n$, then n is an a-pseudoprime.
(c) If n is a $b_1$- and $b_2$-pseudoprime, then it is also a $b_1b_2$- and $b_1b_2^{-1}$-pseudoprime.

Proof. (a) If n is a b-pseudoprime, then $b^{n-1} \equiv 1 \pmod n$; $\mathrm{order}_n(b) \mid n - 1$. Conversely, if $n - 1 = k \cdot \mathrm{order}_n(b)$, then

$$b^{n-1} \equiv \left(b^{\mathrm{order}_n(b)}\right)^k \equiv 1 \pmod n$$

and n is a b-pseudoprime.

(b) Let n be a b-pseudoprime. Since $ab \equiv 1 \pmod n$,

$$a^{n-1} \equiv a^{n-1}b^{n-1} \equiv (ab)^{n-1} \equiv 1 \pmod n.$$

Therefore, n is an a-pseudoprime.

(c) From $b_1^{n-1} \equiv 1 \pmod n$ and $b_2^{n-1} \equiv 1 \pmod n$, we have

$$(b_1b_2)^{n-1} \equiv b_1^{n-1}b_2^{n-1} \equiv 1 \pmod n.$$

Therefore, n is a $b_1b_2$-pseudoprime.

Proposition 6.5. If n fails the test

$$b^{n-1} \equiv 1 \pmod n$$

for a single base $b \in \mathbb{Z}_n^\bullet$, then it fails the test for at least half of the possible bases $b \in \mathbb{Z}_n^\bullet$.

Proof. Suppose $b^{n-1} \not\equiv 1 \pmod n$, i.e., n is not a b-pseudoprime. Let $b_1, b_2, \dots, b_s \in \mathbb{Z}_n^\bullet$ be the bases for which n is a pseudoprime. If n passes the test for any of the bases $bb_i$, then by Proposition 6.4 (c), it would be a pseudoprime for $(bb_i)b_i^{-1} \equiv b \pmod n$, a contradiction. Thus, the distinct residues $bb_1, bb_2, \dots, bb_s$ are bases for which the test fails. There are at least as many bases for which n fails the test as there are bases for which n passes the test.

Corollary 6.6. Let n > 1 be a given integer. If n passes the test

$$b^{n-1} \equiv 1 \pmod n$$

for $b = b_1, b_2, \dots, b_k$, then the probability that n is a prime is at least $1 - \left(\frac{1}{2}\right)^k$.

Proof. For i = 1, 2, ..., k, n is a $b_i$-pseudoprime. By Proposition 6.5, the probability that n is still composite despite passing the k tests is at most 1 out of $2^k$. From this the result follows.

Example 6.3. n = 149729 is a b-pseudoprime for the 9 values of b = 2, 3, 5, 7, 11, 13, 17, 19, 23. (In each column, the product of the numbers with row header 1 is 1 (mod 149729)). The probability that it is prime is at least $1 - \left(\frac{1}{2}\right)^9 = \frac{511}{512}$.

0   2        3        5        7        11       13       17       19       23
0   4        9        25       49       121      169      289      361      529
0   16       81       625      2401     14641    28561    83521    130321   130112
0   256      6561     91167    75099    96682    7129     33060    102029   23159
0   65536    74498    114828   17558    127112   64510    91629    8116     10003
1   140660   96890    34386    141082   54425    122003   119424   138425   41037
1   45540    112987   136812   55838    141547   22390    105068   61579    33306
1   144950   17900    50783    75277    16261    19408    64912    86316    97204
0   80033    139669   130522   132724   148436   102029   43955    86545    118800
0   24198    136525   126322   43326    24830    8116     88738    143258   134189
0   102814   61060    29238    139532   94607    138425   34805    99450    128452
1   925      71500    57783    66883    134016   61579    80415    103134   79962
0   106980   52753    68118    32085    144977   86316    76173    23525    43957
0   34556    15815    109943   60350    122154   86545    27721    27241    114833
1   28361    66795    140537   114304   56763    143258   44613    15157    134588
0   2133     97012    45708    51876    19818    99450    121901   50363    14782
0   57819    111849   52527    40059    13957    103134   148925   22509    52913
1   37378    41393    29446    77788    420      23525    47500    121874   2998

6.3.2 Euler b-pseudoprimes

Definition. An odd composite number n is called an Euler b-pseudoprime if gcd(n, b) = 1 and

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n,$$

where $\left(\frac{b}{n}\right)$ is the Jacobi symbol.

Proposition 6.7. Let b > 1 be a fixed integer and n > 1 be an odd composite number. If n is an Euler b-pseudoprime, then it is a b-pseudoprime.

Proof. If $b^{\frac{n-1}{2}} \equiv \left(\frac{b}{n}\right) \pmod n$, then squaring, we have $b^{n-1} \equiv \left(\frac{b}{n}\right)^2 = 1 \pmod n$. This shows that n is a b-pseudoprime.

Proposition 6.8 (Solovay-Strassen). Let n > 1 be a given integer. If n passes the test

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n$$

for $b = b_1, b_2, \dots, b_k$, then the probability that n is a prime is at least $1 - \left(\frac{1}{2}\right)^k$.

6.3.3 Strong b-pseudoprimes

Definition. Let n be an odd composite number, and $n - 1 = 2^s \cdot t$ where t is odd. For $b \in \mathbb{Z}_n^\bullet$, n is called a strong b-pseudoprime if
either $b^t \equiv 1 \pmod n$,
or there exists r, 0 r

Lemma 6.9. Let b > 1 be a fixed integer and n be an odd composite number satisfying $b^{\frac{n-1}{2}} \equiv -1 \pmod n$. Write $n - 1 = 2^s \cdot t$ with t odd. Let p be a prime divisor of n, and write $p - 1 = 2^{s'} \cdot t'$ with t′ odd. Then s′ ≥ s and

$$\left(\frac{b}{p}\right) = \begin{cases} -1 & \text{if } s' = s, \\ 1 & \text{if } s' > s. \end{cases}$$

Proof. Since $b^{\frac{n-1}{2}} \equiv b^{2^{s-1}t} \equiv -1 \pmod n$, and t, t′ are both odd, we have

$$\left(b^{2^{s-1}t'}\right)^t \equiv \left(b^{2^{s-1}t}\right)^{t'} \equiv \left(b^{\frac{n-1}{2}}\right)^{t'} \equiv (-1)^{t'} \equiv -1 \pmod n.$$

Therefore, $b^{2^{s-1}t'} \equiv -1 \pmod n$. Since p is a divisor of n, we also have

$$b^{2^{s-1}t'} \equiv -1 \pmod p. \qquad (6.1)$$

If s′ < s, then s′ ≤ s − 1 and $p - 1 = 2^{s'}t'$ is a divisor of $2^{s-1}t'$. By (6.1), $b^{p-1} = b^{2^{s'}t'}$ cannot be 1 mod p, contrary to Fermat's little theorem. Thus, s′ ≥ s. From (6.1) again,

$$\left(\frac{b}{p}\right) \equiv b^{\frac{p-1}{2}} \equiv b^{2^{s'-1}t'} \equiv \left(b^{2^{s-1}t'}\right)^{2^{s'-s}} = (-1)^{2^{s'-s}} = \begin{cases} -1 & \text{if } s' = s, \\ 1 & \text{if } s' > s. \end{cases}$$

Proposition 6.10. Let b > 1 be a fixed integer and n > 1 be an odd composite number. If n is a strong b-pseudoprime, then it is an Euler b-pseudoprime.

Proof. We consider three cases.

Case 1. $b^t \equiv 1 \pmod n$. Since t is odd, $\left(\frac{b}{n}\right)^t = \left(\frac{b}{n}\right)$, and

$$b^{\frac{n-1}{2}} = (b^t)^{2^{s-1}} \equiv 1 = \left(\frac{1}{n}\right) = \left(\frac{b^t}{n}\right) = \left(\frac{b}{n}\right).$$

Case 2. $b^{\frac{n-1}{2}} \equiv -1 \pmod n$. Write $n = \prod p$ as a product of primes, not necessarily distinct. Let k denote the number of primes p, counting multiplicity, for which s′ = s in Lemma 6.9. We always have s′ ≥ s and $\left(\frac{b}{n}\right) = \prod \left(\frac{b}{p}\right) = (-1)^k$.
On the other hand, modulo $2^{s+1}$, we have p ≡ 1 unless p is one of the k primes for which s′ = s, in which case $p \equiv 1 + 2^s$. Since $n = 1 + 2^s \cdot t \equiv 1 + 2^s \pmod{2^{s+1}}$, we have

$$1 + 2^s \equiv \prod p \equiv (1 + 2^s)^k \equiv 1 + k \cdot 2^s \pmod{2^{s+1}}.$$

This means that k must be odd, and $\left(\frac{b}{n}\right) = (-1)^k = -1$.

Case 3. $b^{2^{r-1}t} \equiv -1 \pmod n$ for some 0

$$\left(\frac{b}{p}\right) = \begin{cases} -1 & \text{if } s' = r, \\ 1 & \text{if } s' > r. \end{cases}$$

Let k be the number of primes (counting multiplicity) in the product $n = \prod p$ for which s′ = r. Then as in case 2, we have $\left(\frac{b}{n}\right) = (-1)^k$. On the other hand, since $n = 1 + 2^st \equiv 1 \pmod{2^{r+1}}$ and $n = \prod p \equiv (1 + 2^r)^k \pmod{2^{r+1}}$, it follows that k must be even, and $\left(\frac{b}{n}\right) = 1$.

Remark. The converses of Propositions 6.7 and 6.10 are not true.
(1) 91 is a 3-pseudoprime but not an Euler 3-pseudoprime.
(2) 561 is an Euler 2-pseudoprime but not a strong 2-pseudoprime.

Proposition 6.11. Let $b > 1$ be a fixed integer, and $n \equiv 3 \pmod{4}$. If $n$ is an Euler $b$-pseudoprime, then it is a strong $b$-pseudoprime.

Proof. Since $n \equiv 3 \pmod{4}$, $n - 1 = 2^s \cdot t$ with $s = 1$ and $t$ odd. Since $n$ is an Euler $b$-pseudoprime,

$$b^t = b^{\frac{n-1}{2}} \equiv \left(\frac{b}{n}\right) \equiv \pm 1 \pmod{n}.$$

Now, since $s = 1$, this is exactly the condition for $n$ to be a strong $b$-pseudoprime.

Proposition 6.12. If n is an odd composite number, then it is a strong b-pseudoprime for at most 25% of all 0

Proposition 6.13 (Rabin-Miller test). Let $n$ be an odd integer, and $n - 1 = 2^s \cdot t$ with $t$ odd. If for $b = b_1, b_2, \ldots, b_k$, $n$ passes the test: either $b^t \equiv 1 \pmod{n}$, or there exists $r$, $0 \le r$

1. Check that $M_{17} = 131071$ and $M_{19} = 524287$ are primes.

2. Find a prime divisor of $M_{23} = 8388607$.

3. Find a prime divisor of $M_{29} = 536870911$.

4. Consider $M_{47} = 2^{47} - 1 = 140737488355327$. The beginning primes of the form $94k + 1$ are 283, 659, 941, 1129, 1223, 1693, 1787, 2069, 2351, 2539, 2633, 3761, 4231, 4513, 4889, ....

(a) Find two prime divisors of $M_{47}$ from this list.
(b) Completely factorize $M_{47}$.

5. Show that 561 is a 2-pseudoprime.

6. Show that 1729 is a 2- and 3-pseudoprime.

6.4 Carmichael numbers

Definition. A Carmichael number is a composite integer $n$ for which $b^{n-1} \equiv 1 \pmod{n}$ for every $b \in \mathbb{Z}_n^{\bullet}$.

Example 6.4. $561 = 3 \cdot 11 \cdot 17$ is a Carmichael number. To prove this, we show that if $\gcd(b, 561) = 1$, then $b^{560} \equiv 1 \pmod{3}$, $b^{560} \equiv 1 \pmod{11}$, and $b^{560} \equiv 1 \pmod{17}$. Now, by Fermat's little theorem,

$$b^2 \equiv 1 \pmod{3} \Rightarrow b^{560} \equiv (b^2)^{280} \equiv 1 \pmod{3},$$
$$b^{10} \equiv 1 \pmod{11} \Rightarrow b^{560} \equiv (b^{10})^{56} \equiv 1 \pmod{11},$$
$$b^{16} \equiv 1 \pmod{17} \Rightarrow b^{560} \equiv (b^{16})^{35} \equiv 1 \pmod{17}.$$

By the Chinese Remainder Theorem, $b^{560} \equiv 1 \pmod{561}$. This shows that 561 is a Carmichael number.

This example shows that to check if $n$ is a Carmichael number, it is enough to check if it passes the test $b^{n-1} \equiv 1 \pmod{n}$ for prime numbers b

Proof. Suppose $p^2 \mid n$ for a prime $p$. Let $g$ be a primitive root of $p^2$. Let $n'$ be the product of all primes other than $p$ which divide $n$. By the Chinese Remainder Theorem, there is an integer $b$ satisfying

$$b \equiv g \pmod{p^2}, \qquad b \equiv 1 \pmod{n'}.$$

Then $\gcd(b, n) = 1$ and $b$ is a primitive root of $p^2$. We claim that $n$ is not a $b$-pseudoprime.

If $n$ is a $b$-pseudoprime, then $b^{n-1} \equiv 1 \pmod{n}$, and $b^{n-1} \equiv 1 \pmod{p^2}$ since $p^2 \mid n$. Since $\mathrm{order}_{p^2}(b) = p(p-1)$, $p(p-1) \mid n - 1$. Since $n - 1 \equiv -1 \pmod{p}$, $n - 1$ is not divisible by $p(p-1)$. This is a contradiction.

Proposition 6.15. An odd, square free, composite number $n$ is a Carmichael number if and only if $p - 1 \mid n - 1$ for every prime $p$ dividing $n$.

Proof. ($\Rightarrow$) Let $n$ be a Carmichael number. Suppose $n - 1$ is not divisible by $p - 1$ for some prime divisor $p$ of $n$. Let $g$ be a primitive root of $p$. Find an integer $b$ satisfying

$$b \equiv g \pmod{p}, \qquad b \equiv 1 \pmod{n/p}.$$

Then $\gcd(b, n) = 1$ and $b^{n-1} \equiv g^{n-1} \not\equiv 1 \pmod{p}$ since $n - 1$ is not divisible by $\mathrm{order}_p(g) = p - 1$. Hence, $b^{n-1} \equiv 1 \pmod{n}$ cannot hold.

($\Leftarrow$) For $p \mid n$, write $n - 1 = k(p - 1)$ for some integer $k$. Let $b$ be any base with $\gcd(b, n) = 1$.

$$b^{n-1} = b^{k(p-1)} \equiv (b^{p-1})^k \equiv 1 \pmod{p}.$$

Since $n$ is square free, it is the product of all prime divisors of $n$. It follows that $b^{n-1} \equiv 1 \pmod{n}$, and $n$ is a Carmichael number.

Proposition 6.16. A Carmichael number is the product of at least three distinct primes.

Proof. By Proposition 6.14, a Carmichael number must be a product of distinct primes. It remains to show that it cannot be a product of two distinct primes. Consider $n = pq$ for distinct primes p 561, it is enough to consider $n = pqr$ with prime numbers p
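The criterion of Propositions 6.14 to 6.16 as an added Python example (not part of the original notes): `is_carmichael` applies the divisibility test, `is_carmichael_by_definition` checks every base, and `failing_base` builds the base $b$ used in the proof of Proposition 6.15 ($b \equiv g \pmod p$, $b \equiv 1 \pmod{n/p}$). All function names are chosen here for illustration, and factoring is plain trial division, so this is meant for small $n$.

```python
from math import gcd


def prime_factors(n):
    """Trial division: return {prime: exponent} for n > 1."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_carmichael(n):
    """Odd, composite, square free, and p - 1 | n - 1 for every prime p | n."""
    f = prime_factors(n)
    if n % 2 == 0 or len(f) < 2 or any(e > 1 for e in f.values()):
        return False
    return all((n - 1) % (p - 1) == 0 for p in f)


def is_carmichael_by_definition(n):
    """Composite n with b^(n-1) = 1 (mod n) for every base b coprime to n."""
    if sum(prime_factors(n).values()) < 2:       # n is 1 or a prime
        return False
    return all(pow(b, n - 1, n) == 1 for b in range(2, n) if gcd(b, n) == 1)


def primitive_root(p):
    """Smallest primitive root of the odd prime p."""
    qs = prime_factors(p - 1)
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in qs))


def failing_base(n):
    """For an odd square-free composite n that is not a Carmichael number,
    return b with gcd(b, n) = 1 and b^(n-1) != 1 (mod n), built as in the
    proof: b = g (mod p), b = 1 (mod n/p), g a primitive root of p."""
    for p in prime_factors(n):
        if (n - 1) % (p - 1):
            g, m = primitive_root(p), n // p
            k = (g - 1) * pow(m, -1, p) % p      # solve 1 + m*k = g (mod p)
            return 1 + m * k
    return None                                  # every p - 1 divides n - 1


if __name__ == "__main__":
    print([n for n in range(3, 3000) if is_carmichael(n)])
    b = failing_base(105)                        # 105 = 3 * 5 * 7, and 6 does not divide 104
    print(b, pow(b, 104, 105))
```
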

6.5 Quadratic sieve and factor base

6.5.1 Fermat's factorization

Given an integer $n$ with $\lfloor \sqrt{n} \rfloor = m$, if there is an integer $x > m$ such that $x^2 - n = y^2$ for some $y \in \mathbb{Z}$, $y \ne x - 1$, then $n = x^2 - y^2 = (x - y)(x + y)$ is a nontrivial factorization of $n$.

Example 6.6. (a) $n = 200819$; $\lfloor \sqrt{n} \rfloor = 449$.

$$450^2 - n = 202500 - 200819 = 1681 = 41^2.$$

Therefore, $200819 = 450^2 - 41^2 = 409 \cdot 491$, in which both factors are prime.

(b) $n = 88169891$; $\lfloor \sqrt{n} \rfloor = 9389$.

$$9390^2 - 88169891 = 2209 = 47^2.$$

$88169891 = 9390^2 - 47^2 = 9343 \cdot 9437$, in which both factors are prime.

(c) $n = 809009$; $\lfloor \sqrt{n} \rfloor = 899$.

| $x$ | $x^2 - n$ |
|---|---|
| 900 | 991 |
| 901 | $\equiv 2 \pmod{10}$ |
| 902 | $\equiv 3 \pmod{10}$ |
| 903 | $6400 = 80^2$ |

$809009 = 903^2 - 80^2 = 823 \cdot 983$, in which both factors are prime.

(d) $n = 84085777$; $\lfloor \sqrt{n} \rfloor = 9169$. If $x^2 - n = y^2$ for an integer $y$, the units digit of $x$ must be one of 1, 4, 6, 9.

| $x$ | $x^2 - n$ | $x$ | $x^2 - n$ | $x$ | $x^2 - n$ |
|---|---|---|---|---|---|
| 9171 | 21464 | 9181 | 204984 | 9191 | 388704 |
| 9174 | 76499 | 9184 | 260079 | 9194 | 443859 |
| 9176 | 113199 | 9186 | 296819 | 9196 | 3480639 |
| 9179 | 168264 | 9189 | 351944 | 9199 | $535824 = 732^2$ |

$84085777 = 9199^2 - 732^2 = 8467 \cdot 9931$, in which both factors are prime.

Exercise

(1) Factor 17819.
(2) Factor $n = 9226873$, given $\lfloor \sqrt{n} \rfloor = 9607$.

6.5.2 Factor base

This is a generalization of Fermat's factorization. Given an integer $n$ with $m = \lfloor \sqrt{n} \rfloor$, we consider integers $x$ close to $m$ with $x^2 - n$ factored into "small" primes. More precisely, we specify a factor base $B$ consisting of $-1$ and some primes, and restrict to those $x$ for which the factors of $x^2 - n$ are all in $B$. With enough $x$, we collect those for which the product of $x^2 - n$ is a square.

Suppose, for $j = 1, 2, \ldots, k$, $z_j := x_j^2 - n = y_j$ factors into primes in $B$, and that $\prod_{j=1}^{k} z_j = Z^2$ for an integer $Z$. Then, with $X := \prod_{j=1}^{k} x_j$,

$$X^2 = \prod_{j=1}^{k} x_j^2 \equiv Z^2 \pmod{n}.$$

If $X \not\equiv \pm Z \pmod{n}$, then $n$ has a common divisor with one or both of $X \pm Z$. This gives a nontrivial factorization of $n$.

Example 6.7. $n = 9509$; $\lfloor \sqrt{n} \rfloor = 97$. Let $B = \{-1, 2, 5, 11\}$.

| $j$ | $x_j$ | $z_j = x_j^2 - n$ |
|---|---|---|
| 1 | 95 | $-484 = -2^2 \cdot 11^2$ |
| 2 | 97 | $-100 = -2^2 \cdot 5^2$ |
| 3 | 103 | $1100 = 2^2 \cdot 5^2 \cdot 11$ |
| 4 | 128 | $6875 = 5^4 \cdot 11$ |

Note that $z_1 z_2 = (2^2 \cdot 5 \cdot 11)^2$. Therefore, $(95 \cdot 97 - 2^2 \cdot 5 \cdot 11)(95 \cdot 97 + 2^2 \cdot 5 \cdot 11) \equiv 0 \pmod{n}$; $8995 \cdot 9435 \equiv 0 \pmod{n}$. Now, $\gcd(n, 9435) = 37$ and $\gcd(n, 8995) = 257$. This gives $9509 = 37 \cdot 257$, in which both factors are prime.

Example 6.8. $n = 87463$; $\lfloor \sqrt{n} \rfloor = 295$. Let $B = \{-1, 3, 17\}$.

| $j$ | $x_j$ | $z_j = x_j^2 - n$ |
|---|---|---|
| 1 | 296 | $153 = 3^2 \cdot 17$ |
| 2 | 316 | $12393 = 3^6 \cdot 17$ |

Note that $x_1 x_2 = 296 \cdot 316 \equiv 6073 \pmod{n}$ and $3^4 \cdot 17 = 1377$. Therefore, $(6073 - 1377)(6073 + 1377) \equiv 0 \pmod{n}$. This gives $4696 \cdot 7450 \equiv 0 \pmod{n}$. Now, $\gcd(n, 4696) = 587$ and $\gcd(n, 7450) = 149$. This gives $87463 = 149 \cdot 587$, in which both factors are prime.

Example 6.9. Consider $n = 3837523$ with $m = \lfloor \sqrt{n} \rfloor = 1958$. We have

$$1964^2 - n = 19773 \equiv 3^2 \cdot 13^3 \pmod{n},$$
$$9398^2 - 23n = 59375 \equiv 5^5 \cdot 19 \pmod{n},$$
$$17078^2 - 76n = 6336 \equiv 2^6 \cdot 3^2 \cdot 11 \pmod{n},$$
$$19095^2 - 95n = 54340 \equiv 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \pmod{n}.$$

Multiplication gives

$$(1964 \cdot 9398 \cdot 17078 \cdot 19095)^2 \equiv (2^4 \cdot 3^2 \cdot 5^3 \cdot 11 \cdot 13^2 \cdot 19)^2 \pmod{n},$$

or

$$2230387^2 \equiv 2586705^2 \pmod{n}.$$

Thus, $\gcd(3837523, 2586705 - 2230387) = \gcd(3837523, 356318) = 1093$ is a divisor of $n$. The other divisor is 3511. $3837523 = 1093 \times 3511$; both factors are prime numbers.
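The factor-base procedure of Examples 6.7 and 6.8 as an added Python example (not part of the original notes): it collects the $x$ for which $x^2 - n$ factors over $B$, finds subsets whose product is a square by Gaussian elimination over GF(2) on the exponent parities, and takes $\gcd(X - Z, n)$. The function names are chosen here for illustration, and only relations of the form $x^2 - n$ are used, not the $x^2 - kn$ variant of Example 6.9.

```python
from math import gcd, prod


def exponents(z, base):
    """Exponent vector of z over the factor base (whose first entry is -1),
    or None if z is 0 or has a prime factor outside the base."""
    if z == 0:
        return None
    vec = [1 if z < 0 else 0]
    z = abs(z)
    for p in base[1:]:
        e = 0
        while z % p == 0:
            z, e = z // p, e + 1
        vec.append(e)
    return vec if z == 1 else None


def relations(n, base, xs):
    """Pairs (x, exponent vector of x^2 - n) for the x that factor over the base."""
    found = []
    for x in xs:
        vec = exponents(x * x - n, base)
        if vec is not None:
            found.append((x, vec))
    return found


def square_subsets(rels):
    """Yield index lists whose z-values multiply to a square, using
    Gaussian elimination over GF(2) on the exponent parities."""
    pivots = {}                                   # leading bit -> (parities, members)
    for i, (_, vec) in enumerate(rels):
        v = sum((e & 1) << j for j, e in enumerate(vec))
        members = 1 << i
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = (v, members)
                break
            pv, pm = pivots[top]
            v, members = v ^ pv, members ^ pm
        else:                                     # reduced to 0: all exponents even
            yield [k for k in range(i + 1) if members >> k & 1]


def factor(n, base, xs):
    """Return (X, Z, d, n // d) with X^2 = Z^2 (mod n) and d = gcd(X - Z, n)
    a proper divisor of n, or None if no dependency splits n."""
    rels = relations(n, base, xs)
    for subset in square_subsets(rels):
        X = prod(rels[i][0] for i in subset) % n
        total = [sum(rels[i][1][j] for i in subset) for j in range(len(base))]
        Z = prod(pow(p, e // 2, n) for p, e in zip(base[1:], total[1:])) % n
        d = gcd(X - Z, n)
        if 1 < d < n:
            return X, Z, d, n // d
    return None


if __name__ == "__main__":
    print(factor(9509, [-1, 2, 5, 11], [95, 97, 103, 128]))   # Example 6.7
    print(factor(87463, [-1, 3, 17], [296, 316]))             # Example 6.8
    print(factor(9509, [-1, 2, 5, 11], range(90, 130)))       # scan near sqrt(n)
```
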

Exercise

(1) Factor $N = 642401$ by making use of

$$516107^2 \equiv 7 \pmod{N} \quad\text{and}\quad 187722^2 \equiv 2^2 \cdot 7 \pmod{N}.$$

(2) Factor $N = 2288233$ by making use of

$$880525^2 \equiv 2 \pmod{N}, \quad 2057202^2 \equiv 3 \pmod{N}, \quad 648581^2 \equiv 6 \pmod{N}.$$

6.6 Pollard’s methods

6.6.1 The ρ-method

Let $n$ be a given integer and $f(x) \in \mathbb{Z}[x]$. Beginning with an integer $x_0$, construct a sequence of integers $x_1, x_2, x_3, \ldots$ by $x_{k+1} = f(x_k) \pmod{n}$.

If $p$ is a prime divisor of $n$, there is a corresponding sequence $z_k = x_k \pmod{p}$ of integers in the range $[0, p-1]$. If $p \le \sqrt{n}$, the number of possible values of $z_k$ is much less than the number of possible values of $x_k$. We expect the $z_k$ to repeat sooner.

Example 6.10. Let $n = 341$ and $f(x) = x^2 + 1 \pmod{n}$. With $x_0 = 3$ we generate two sequences $x_k$ and $y_k$ by

$$x_{k+1} = f(x_k) \pmod{n},$$

$$y_k = x_{2k} \pmod{n}.$$

| $k$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|---|
| $x_k$ | 3 | 10 | 101 | 313 | 103 | 39 | 158 |
| $y_k$ | 3 | 101 | 103 | 158 | 70 | 103 | 158 |

Since $341 = 11 \cdot 31$, we reduce $x_k$ and $y_k$ modulo 31 and obtain

| $k$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|---|
| $x_k \pmod{31}$ | 3 | 10 | 8 | 3 | 10 | 8 | 3 |
| $y_k \pmod{31}$ | 3 | 8 | 10 | 3 | 8 | 10 | 3 |

Note that $x_3 \equiv y_3 \pmod{31}$. The period of the sequence modulo 31 is 3. We can find a factor by computing $\gcd(x_k - y_k, n)$. Now, $\gcd(x_3 - y_3, 341) = 31$, which is a factor of 341.

Let $n$ be an integer, known to be composite by some means. To find a divisor of $n$, we proceed as follows. Let $f(x)$ be a polynomial in $\mathbb{Z}[x]$; for example, $f(x) = x^2 + 1$. With an arbitrary integer $x_0$, form a sequence $x_1, x_2, x_3, \ldots, x_k, \ldots$ by setting $x_{k+1} = f(x_k)$. Compute $\gcd(x_k - x_j, n)$ to find a nontrivial divisor of $n$.

In practice, we evaluate $\gcd(x_k - x_{2^t - 1}, n)$ only for $2^t \le k < 2^{t+1}$ to see if we get a number other than 1.
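Both comparison schedules described above, as an added Python example (not part of the original notes): `rho_doubling` compares $x_k$ with $y_k = x_{2k}$ as in Example 6.10, and `rho_blocks` compares $x_k$ with $x_{2^t-1}$ for $2^t \le k < 2^{t+1}$. The function names are chosen here for illustration, and the second test input, $8051 = 83 \cdot 97$, is a constructed value that does not come from the notes.

```python
from math import gcd


def step(x, n):
    """The iteration map f(x) = x^2 + 1 (mod n) of Example 6.10."""
    return (x * x + 1) % n


def orbit(n, x0, count):
    """The terms x_0, x_1, ..., x_{count-1}."""
    xs = [x0 % n]
    while len(xs) < count:
        xs.append(step(xs[-1], n))
    return xs


def rho_doubling(n, x0=3, max_steps=100000):
    """Compare x_k with y_k = x_{2k}; return (k, divisor) or None."""
    x = y = x0 % n
    for k in range(1, max_steps + 1):
        x = step(x, n)                    # x_k
        y = step(step(y, n), n)           # y_k = x_{2k}
        d = gcd(x - y, n)
        if d == n:
            return None                   # x_k = y_k mod n itself: try another x0 or f
        if d > 1:
            return k, d
    return None


def rho_blocks(n, x0=3, max_steps=100000):
    """Compare x_k with x_{2^t - 1} for 2^t <= k < 2^(t+1); return (k, divisor) or None."""
    x = anchor = x0 % n                   # anchor = x_{2^t - 1}, starting with t = 0
    block_end = 1                         # last index of the current block, 2^(t+1) - 1
    for k in range(1, max_steps + 1):
        x = step(x, n)
        d = gcd(x - anchor, n)
        if d == n:
            return None
        if d > 1:
            return k, d
        if k == block_end:                # move on to the next block
            anchor, block_end = x, 2 * block_end + 1
    return None


if __name__ == "__main__":
    xs = orbit(341, 3, 7)
    print(xs, [x % 31 for x in xs])
    print(rho_doubling(341), rho_blocks(341))
```

The block schedule needs one evaluation of $f$ per step instead of three, at the price of finding the divisor of 341 at $k = 6$ rather than $k = 3$.
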

6.6.2 The $(p-1)$-method

Let $n$ be a number, known to be composite, and with prime divisor $p$ for which $p - 1$ has no large prime divisor. To find $p$, we proceed as follows.

(1) Choose an integer $k$ which is a multiple of all or most integers less than some bound $B$. For example, $k = B!$ or the lcm of all integers $\le B$.
(2) Choose an integer $a$ between 2 and $n - 2$, and compute $a^k \bmod n$ by successive squaring and multiplication.
(3) Compute $d := \gcd(a^k - 1, n)$.
(4) If $d$ is a proper divisor of $n$, we are done. If not, start with a new choice of $a$ or $k$.

Example 6.11. Factorization of the Fermat number $F_5 = 2^{2^5} + 1 = 4294967297$.

| $k$ | $3^{k!} - 1 \bmod n$ | $\gcd(3^{k!} - 1, F_5)$ |
|---|---|---|
| 2 | 8 | 1 |
| 3 | 728 | 1 |
| 4 | 3256662175 | 1 |
| 5 | 4065325300 | 1 |
| 6 | 990686970 | 1 |
| 7 | 1257098687 | 1 |
| 8 | 2900503847 | 641 |

Therefore, $F_5$ is divisible by 641. The other factor 6700417 is prime.
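Steps (1) to (4) with $k$ running through $2!, 3!, 4!, \ldots$, as an added Python example (not part of the original notes) that regenerates the rows of the tables in Examples 6.11 to 6.14. The function names are chosen here for illustration; `least_k_with_factorial_multiple` shows why the search stops where it does, since $\gcd(a^{k!} - 1, n)$ must pick up $p$ once $p - 1$ divides $k!$.

```python
from math import gcd


def p_minus_1_trace(n, a=3, max_k=50):
    """Rows (k, a^(k!) - 1 mod n, gcd(a^(k!) - 1, n)) for k = 2, 3, ...,
    stopping at the first gcd greater than 1."""
    rows, x = [], a % n                      # x = a^(1!)
    for k in range(2, max_k + 1):
        x = pow(x, k, n)                     # a^(k!) = (a^((k-1)!))^k
        d = gcd(x - 1, n)
        rows.append((k, (x - 1) % n, d))
        if d > 1:
            break
    return rows


def p_minus_1(n, a=3, max_k=50):
    """Return (k, d) for the first k giving a proper divisor d of n, else None
    (in which case step (4) asks for a new choice of a or a larger bound)."""
    k, _, d = p_minus_1_trace(n, a, max_k)[-1]
    return (k, d) if 1 < d < n else None


def least_k_with_factorial_multiple(m):
    """Smallest k such that m divides k!."""
    k, f = 1, 1 % m
    while f:
        k += 1
        f = f * k % m                        # k! mod m
    return k


if __name__ == "__main__":
    F5 = 2 ** 32 + 1
    for row in p_minus_1_trace(F5):
        print(*row)
    # 641 - 1 = 640 = 2^7 * 5, and 8! is the first factorial divisible by 2^7
    print(least_k_with_factorial_multiple(640))
    print(p_minus_1(2 ** 64 + 1), p_minus_1(2 ** 37 - 1), p_minus_1(2479, a=2))
```
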

Example 6.12. The Fermat number $F_6 = 2^{2^6} + 1 = 18446744073709551617$.

| $k$ | $3^{k!} - 1 \bmod n$ | $\gcd(3^{k!} - 1, F_6)$ |
|---|---|---|
| 2 | 8 | 1 |
| 3 | 728 | 1 |
| 4 | 282429536480 | 1 |
| 5 | 2344555024490626679 | 1 |
| 6 | 7551487168740433337 | 1 |
| 7 | 11134113447621028083 | 1 |
| 8 | 11661865442864085302 | 1 |
| 9 | 3413170283875363738 | 1 |
| 10 | 132104342037419423 | 1 |
| 11 | 5698030053305526698 | 1 |
| 12 | 15579902259502795415 | 1 |
| 13 | 7710393468139989079 | 1 |
| 14 | 15754797740948688290 | 1 |
| 15 | 6752279936723740001 | 1 |
| 16 | 4485055022886619284 | 1 |
| 17 | 7037561377184777195 | 274177 |

Therefore, $F_6$ is divisible by 274177. The other factor is 67280421310721.

Example 6.13. Consider $n = M_{37} = 2^{37} - 1 = 137438953471$.

| $k$ | $3^{k!} - 1 \bmod n$ | $\gcd(3^{k!} - 1, n)$ |
|---|---|---|
| 2 | 8 | 1 |
| 3 | 728 | 1 |
| 4 | 7551629538 | 1 |
| 5 | 15214259457 | 1 |
| 6 | 43516370763 | 1 |
| 7 | 125279406031 | 1 |
| 8 | 119263526686 | 1 |
| 9 | 3465806577 | 1 |
| 10 | 38475681876 | 1 |
| 11 | 10285210697 | 1 |
| 12 | 127117973205 | 1 |
| 13 | 126884750168 | 1 |
| 14 | 81466900120 | 1 |
| 15 | 124380452483 | 1 |
| 16 | 29088017262 | 1 |
| 17 | 3720037194 | 1 |
| 18 | 4364260944 | 1 |
| 19 | 136553569690 | 1 |
| 20 | 55675398330 | 1 |
| 21 | 85112717908 | 1 |
| 22 | 50144290561 | 1 |
| 23 | 92650061229 | 1 |
| 24 | 42288808717 | 1 |
| 25 | 130938553932 | 1 |
| 26 | 25931788959 | 1 |
| 27 | 35038256735 | 1 |
| 28 | 22637327587 | 1 |
| 29 | 120806235412 | 1 |
| 30 | 95937529376 | 1 |
| 31 | 57327010970 | 1 |
| 32 | 21192769333 | 1 |
| 33 | 131688823070 | 1 |
| 34 | 94975611158 | 1 |
| 35 | 7125832211 | 1 |
| 36 | 103940995523 | 1 |
| 37 | 100603771101 | 223 |

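Example 6.14. Let $n = 2479$. We compute $2^{k!} \pmod{n}$ and $\gcd(2^{k!} - 1 \pmod{n}, n)$.

| $k$ | $d := 2^{k!} \pmod{n}$ | $\gcd(d - 1, n)$ |
|---|---|---|
| 1 | 2 | 1 |
| 2 | 4 | 1 |
| 3 | 64 | 1 |
| 4 | 1823 | 1 |
| 5 | 618 | 1 |
| 6 | 223 | 37 |

Chapter 7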

Pythagorean Triangles

7.1 Construction of Pythagorean triangles

By a Pythagorean triangle we mean a right triangle whose side lengths are integers. Any common divisor of two of the side lengths is necessarily a divisor of the third. We shall call a Pythagorean triangle primitive if no two of its sides have a common divisor. Let $(a, b, c)$ be one such triangle. From the relation $a^2 + b^2 = c^2$, we make the following observations.

1. Exactly two of $a$, $b$, $c$ are odd, and the third is even.

2. In fact, the even number must be one of $a$ and $b$. For if $c$ is even, then $a$ and $b$ are both odd. Writing $a = 2h + 1$ and $b = 2k + 1$, we have
$$c^2 = (2h + 1)^2 + (2k + 1)^2 = 4(h^2 + k^2 + h + k) + 2.$$
This is a contradiction since $c^2$ must be divisible by 4.

3. We shall assume $a$ odd and $b$ even, and rewrite the Pythagorean relation in the form
$$\frac{c + a}{2} \cdot \frac{c - a}{2} = \left(\frac{b}{2}\right)^2.$$
Note that the integers $\frac{c+a}{2}$ and $\frac{c-a}{2}$ are relatively prime, for any common divisor of these two numbers would be a common divisor of $c$ and $a$. Consequently, each of $\frac{c+a}{2}$ and $\frac{c-a}{2}$ is a square.

4. Writing $\frac{c+a}{2} = u^2$ and $\frac{c-a}{2} = v^2$, we have $c = u^2 + v^2$ and $a = u^2 - v^2$. From these, $b = 2uv$.

5. Since $c$ and $a$ are both odd, $u$ and $v$ are of different parity.

We summarize this in the following theorem.

Theorem 7.1. The side lengths of a primitive Pythagorean triangle are of the form $u^2 - v^2$, $2uv$, and $u^2 + v^2$ for relatively prime integers $u$ and $v$ of different parity.

7.2 Fermat’s construction of primitive Pythagorean triangles with consecutive legs

Let a, b, c be the lengths of the sides of a right triangle, c the hypotenuse. Figures (a) and (b) below, together with the Pythagorean theorem, give the following two relations

$$(a + b - c)^2 = 2(c - a)(c - b), \tag{7.1}$$
$$(a + b + c)^2 = 2(c + a)(c + b). \tag{7.2}$$

[Figures: (a) $a$, $b$, $c$ from $c - a$ and $c - b$; (b) $a$, $b$, $c$ from $c + a$ and $c + b$]

Beginning with a right triangle $(a, b, c)$, we construct a new right triangle $(a', b', c')$ with $c' - a' = c + b$ and $c' - b' = c + a$. By a comparison of (7.1) and (7.2), we have $a' + b' - c' = a + b + c$. From these,

$$a' = 2a + b + 2c,$$
$$b' = a + 2b + 2c,$$
$$c' = 2a + 2b + 3c.$$

Note that $b' - a' = b - a$. This construction therefore leads to an infinite sequence of integer right triangles with constant difference of legs. In particular, beginning with $(3, 4, 5)$, we obtain the sequence

$$(3, 4, 5),\ (20, 21, 29),\ (119, 120, 169),\ (696, 697, 985),\ \ldots$$

of Pythagorean triangles with legs differing by 1.

This construction gives all such Pythagorean triangles. Note that the above construction is invertible: from a right triangle $(a', b', c')$ one can construct a smaller one $(a, b, c)$ with the same difference between the legs. More precisely,

$$\begin{aligned} a &= 2a' + b' - 2c', \\ b &= a' + 2b' - 2c', \\ c &= -2a' - 2b' + 3c'. \end{aligned} \tag{7.3}$$

Since a + b + c = a′ + b′ c′ 2c′ that $4a' > 3b'$, or $a' > 3(b' - a')$. This means that from every Pythagorean triangle with legs differing by 1, there is a descent, by repeated applications of (7.3), to a minimal integer right triangle with shortest side not exceeding 3. It is clear that there is only one such triangle, namely, $(3, 4, 5)$. This therefore shows that the above construction actually gives all Pythagorean triangles with consecutive legs.

Appendix: Primitive Pythagorean triples < 1000

| $u, v$ | $a, b, c$ | $u, v$ | $a, b, c$ | $u, v$ | $a, b, c$ | $u, v$ | $a, b, c$ |
|---|---|---|---|---|---|---|---|
| 2, 1 | 3, 4, 5 | 3, 2 | 5, 12, 13 | 4, 1 | 15, 8, 17 | 4, 3 | 7, 24, 25 |
| 5, 2 | 21, 20, 29 | 5, 4 | 9, 40, 41 | 6, 1 | 35, 12, 37 | 6, 5 | 11, 60, 61 |
| 7, 2 | 45, 28, 53 | 7, 4 | 33, 56, 65 | 7, 6 | 13, 84, 85 | 8, 1 | 63, 16, 65 |
| 8, 3 | 55, 48, 73 | 8, 5 | 39, 80, 89 | 8, 7 | 15, 112, 113 | 9, 2 | 77, 36, 85 |
| 9, 4 | 65, 72, 97 | 9, 8 | 17, 144, 145 | 10, 1 | 99, 20, 101 | 10, 3 | 91, 60, 109 |
| 10, 7 | 51, 140, 149 | 10, 9 | 19, 180, 181 | 11, 2 | 117, 44, 125 | 11, 4 | 105, 88, 137 |
| 11, 6 | 85, 132, 157 | 11, 8 | 57, 176, 185 | 11, 10 | 21, 220, 221 | 12, 1 | 143, 24, 145 |
| 12, 5 | 119, 120, 169 | 12, 7 | 95, 168, 193 | 12, 11 | 23, 264, 265 | 13, 2 | 165, 52, 173 |
| 13, 4 | 153, 104, 185 | 13, 6 | 133, 156, 205 | 13, 8 | 105, 208, 233 | 13, 10 | 69, 260, 269 |
| 13, 12 | 25, 312, 313 | 14, 1 | 195, 28, 197 | 14, 3 | 187, 84, 205 | 14, 5 | 171, 140, 221 |
| 14, 9 | 115, 252, 277 | 14, 11 | 75, 308, 317 | 14, 13 | 27, 364, 365 | 15, 2 | 221, 60, 229 |
| 15, 4 | 209, 120, 241 | 15, 8 | 161, 240, 289 | 15, 14 | 29, 420, 421 | 16, 1 | 255, 32, 257 |
| 16, 3 | 247, 96, 265 | 16, 5 | 231, 160, 281 | 16, 7 | 207, 224, 305 | 16, 9 | 175, 288, 337 |
| 16, 11 | 135, 352, 377 | 16, 13 | 87, 416, 425 | 16, 15 | 31, 480, 481 | 17, 2 | 285, 68, 293 |
| 17, 4 | 273, 136, 305 | 17, 6 | 253, 204, 325 | 17, 8 | 225, 272, 353 | 17, 10 | 189, 340, 389 |
| 17, 12 | 145, 408, 433 | 17, 14 | 93, 476, 485 | 17, 16 | 33, 544, 545 | 18, 1 | 323, 36, 325 |
| 18, 5 | 299, 180, 349 | 18, 7 | 275, 252, 373 | 18, 11 | 203, 396, 445 | 18, 13 | 155, 468, 493 |
| 18, 17 | 35, 612, 613 | 19, 2 | 357, 76, 365 | 19, 4 | 345, 152, 377 | 19, 6 | 325, 228, 397 |
| 19, 8 | 297, 304, 425 | 19, 10 | 261, 380, 461 | 19, 12 | 217, 456, 505 | 19, 14 | 165, 532, 557 |
| 19, 16 | 105, 608, 617 | 19, 18 | 37, 684, 685 | 20, 1 | 399, 40, 401 | 20, 3 | 391, 120, 409 |
| 20, 7 | 351, 280, 449 | 20, 9 | 319, 360, 481 | 20, 11 | 279, 440, 521 | 20, 13 | 231, 520, 569 |
| 20, 17 | 111, 680, 689 | 20, 19 | 39, 760, 761 | 21, 2 | 437, 84, 445 | 21, 4 | 425, 168, 457 |
| 21, 8 | 377, 336, 505 | 21, 10 | 341, 420, 541 | 21, 16 | 185, 672, 697 | 21, 20 | 41, 840, 841 |
| 22, 1 | 483, 44, 485 | 22, 3 | 475, 132, 493 | 22, 5 | 459, 220, 509 | 22, 7 | 435, 308, 533 |
| 22, 9 | 403, 396, 565 | 22, 13 | 315, 572, 653 | 22, 15 | 259, 660, 709 | 22, 17 | 195, 748, 773 |
| 22, 19 | 123, 836, 845 | 22, 21 | 43, 924, 925 | 23, 2 | 525, 92, 533 | 23, 4 | 513, 184, 545 |
| 23, 6 | 493, 276, 565 | 23, 8 | 465, 368, 593 | 23, 10 | 429, 460, 629 | 23, 12 | 385, 552, 673 |
| 23, 14 | 333, 644, 725 | 23, 16 | 273, 736, 785 | 23, 18 | 205, 828, 853 | 23, 20 | 129, 920, 929 |
| 24, 1 | 575, 48, 577 | 24, 5 | 551, 240, 601 | 24, 7 | 527, 336, 625 | 24, 11 | 455, 528, 697 |
| 24, 13 | 407, 624, 745 | 24, 17 | 287, 816, 865 | 24, 19 | 215, 912, 937 | 25, 2 | 621, 100, 629 |
| 25, 4 | 609, 200, 641 | 25, 6 | 589, 300, 661 | 25, 8 | 561, 400, 689 | 25, 12 | 481, 600, 769 |
| 25, 14 | 429, 700, 821 | 25, 16 | 369, 800, 881 | 25, 18 | 301, 900, 949 | 26, 1 | 675, 52, 677 |
| 26, 3 | 667, 156, 685 | 26, 5 | 651, 260, 701 | 26, 7 | 627, 364, 725 | 26, 9 | 595, 468, 757 |
| 26, 11 | 555, 572, 797 | 26, 15 | 451, 780, 901 | 26, 17 | 387, 884, 965 | 27, 2 | 725, 108, 733 |
| 27, 4 | 713, 216, 745 | 27, 8 | 665, 432, 793 | 27, 10 | 629, 540, 829 | 27, 14 | 533, 756, 925 |
| 27, 16 | 473, 864, 985 | 28, 1 | 783, 56, 785 | 28, 3 | 775, 168, 793 | 28, 5 | 759, 280, 809 |
| 28, 9 | 703, 504, 865 | 28, 11 | 663, 616, 905 | 28, 13 | 615, 728, 953 | 29, 2 | 837, 116, 845 |
| 29, 4 | 825, 232, 857 | 29, 6 | 805, 348, 877 | 29, 8 | 777, 464, 905 | 29, 10 | 741, 580, 941 |
| 29, 12 | 697, 696, 985 | 30, 1 | 899, 60, 901 | 30, 7 | 851, 420, 949 | 31, 2 | 957, 124, 965 |
| 31, 4 | 945, 248, 977 | 31, 6 | 925, 372, 997 | | | | |

7.3 Fermat Last Theorem for n =4

Theorem 7.2 (Fermat). The area of a Pythagorean triangle cannot be a square.

Proof. Suppose to the contrary there is one such triangle, which we may assume primitive, with side lengths $(u^2 - v^2, 2uv, u^2 + v^2)$, $u$, $v$ being relatively prime of different parity. The area $A = uv(u^2 - v^2)$ being a square, and no two of $u$, $v$, $u^2 - v^2$ sharing common divisors, each of these numbers must be a square. We write $u = a^2$, $v = b^2$ so that $u^2 - v^2 = a^4 - b^4$ is also a square. Since $a^4 - b^4 = (a^2 - b^2)(a^2 + b^2)$ and the two factors are relatively prime, we must have $a^2 - b^2 = r^2$ and $a^2 + b^2 = s^2$ for some integers $r$ and $s$. From these, $2a^2 = r^2 + s^2$ and

$$(2a)^2 = 2(r^2 + s^2) = (r + s)^2 + (r - s)^2.$$

Thus, we have a new Pythagorean triangle $(r - s, r + s, 2a)$. This is a Pythagorean triangle whose area is the square of an integer: $\frac{1}{2}(r - s)(r + s) = \frac{1}{2}(r^2 - s^2) = b^2$. But it is a smaller triangle since $b^2 = v$ is a proper divisor of $A = uv(u^2 - v^2)$. By descent, beginning with one Pythagorean triangle with square area, we obtain an infinite sequence of Pythagorean triangles with decreasing areas, each of which is a square integer; a contradiction.

Corollary 7.3 (Fermat Last Theorem for $n = 4$). The equation $x^4 + y^4 = z^4$ does not have solutions in nonzero integers.

Proof. Suppose $x^4 + y^4 = z^4$ for positive integers $x$, $y$, $z$. The Pythagorean triangle with sides $z^4 - y^4$, $2z^2y^2$ and $z^4 + y^4$ has a square area

$$z^2y^2(z^4 - y^4) = z^2y^2x^4 = (x^2yz)^2,$$

a contradiction.

Remark. This proof actually shows that the equation $x^2 + y^4 = z^4$ has no solution in nonzero integers.

7.4 Two ternary trees of rational numbers

Consider the rational numbers in the open interval $(0, 1)$. Each of these is uniquely in the form $\frac{q}{p}$, for relatively prime positive integers $p > q$. We call $p + q$ the height of the rational number.

The rational numbers in $(0, 1)$ with odd heights can be arranged in a ternary tree with root $\frac{1}{2}$, as follows. For a rational number $t$ of odd height, the numbers $\frac{1}{2 - t}$, $\frac{1}{2 + t}$, and $\frac{t}{1 + 2t}$ are also in $(0, 1)$ and have odd heights. We call these the descendants of $t$ and label them the left (L), middle (M), and right (R) respectively. If we write $t = \frac{q}{p}$, then these three descendants are $\frac{p}{2p - q}$, $\frac{p}{2p + q}$ and $\frac{q}{p + 2q}$, and have greater heights. Thus, the rational number $\frac{1}{2}$ has left descendant $\frac{2}{3}$, middle descendant $\frac{2}{5}$, and right descendant $\frac{1}{4}$.

On the other hand, each rational number $s \in (0, 1) \setminus \{\frac{1}{3}, \frac{1}{2}\}$ with odd height is the descendant of a unique rational number $t$, which we call its parent. In fact, $s = \frac{n}{m}$ is

(i) the left descendant of $2 - \frac{1}{s} = \frac{2n - m}{n}$ if

[Figure: graphs of $s = \frac{1}{2-t}$, $s = \frac{1}{2+t}$ and $s = \frac{t}{1+2t}$ for $0 < t < 1$]

(ii) the middle descendant of $\frac{1}{s} - 2 = \frac{m - 2n}{n}$ if $\frac{1}{3}$

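[Figure: the ternary tree with root $\frac{1}{2}$, first three levels]

$\frac{1}{2}$

$\frac{2}{3}$, $\frac{2}{5}$, $\frac{1}{4}$

$\frac{3}{4}$, $\frac{3}{8}$, $\frac{2}{7}$; $\frac{5}{8}$, $\frac{5}{12}$, $\frac{2}{9}$; $\frac{4}{7}$, $\frac{4}{9}$, $\frac{1}{6}$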

The same applies to rational numbers with even heights. They constitute a ternary tree with root $\frac{1}{3}$:

Therefore, each rational parameter $s \in (0, 1) \setminus \{\frac{1}{3}, \frac{1}{2}\}$ with odd height has a unique "genealogy sequence" tracing back to the root $\frac{1}{2}$. For example,

$$\frac{23}{36} \xleftarrow{L} \frac{10}{23} \xleftarrow{M} \frac{3}{10} \xleftarrow{R} \frac{3}{4} \xleftarrow{L} \frac{2}{3} \xleftarrow{L} \frac{1}{2}.$$

Consider one of these ternary trees. If we "flatten" the entire tree by listing the vertices in order, beginning with the "root", going down through each level from left to right, what is the position of a vertex with a known genealogy sequence?

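[Figure: the two ternary trees, with roots $\frac{1}{2}$ and $\frac{1}{3}$, first three levels]

Root $\frac{1}{2}$: $\frac{2}{3}$, $\frac{2}{5}$, $\frac{1}{4}$; then $\frac{3}{4}$, $\frac{3}{8}$, $\frac{2}{7}$; $\frac{5}{8}$, $\frac{5}{12}$, $\frac{2}{9}$; $\frac{4}{7}$, $\frac{4}{9}$, $\frac{1}{6}$.

Root $\frac{1}{3}$: $\frac{3}{5}$, $\frac{3}{7}$, $\frac{1}{5}$; then $\frac{5}{7}$, $\frac{5}{13}$, $\frac{3}{11}$; $\frac{7}{11}$, $\frac{7}{17}$, $\frac{3}{13}$; $\frac{5}{9}$, $\frac{5}{11}$, $\frac{1}{7}$.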

Suppose this genealogy sequence has $k$ terms, i.e., the vertex is $k$ levels below the root. Convert it into an integer $N$ in base 3 expansion by

$$L \to 0, \quad M \to 1, \quad R \to 2$$

respectively. Then the position of the vertex in the list is $\frac{1}{2}(3^k + 1) + N$. For example, the rational number $\frac{23}{36}$ is in position $\frac{1}{2}(3^5 + 1) + 01200_3 = 122 + 45 = 167$, with a genealogy sequence

$$\frac{23}{36} \xleftarrow{L} \frac{10}{23} \xleftarrow{M} \frac{3}{10} \xleftarrow{R} \frac{3}{4} \xleftarrow{L} \frac{2}{3} \xleftarrow{L} \frac{1}{2}.$$

Exercise

(1) What is the 1000-th vertex in this list from the ternary tree of rational numbers of odd heights, and what is its genealogy sequence?

$$\frac{40}{169} \xleftarrow{R} \frac{40}{89} \xleftarrow{M} \frac{9}{40} \xleftarrow{R} \frac{9}{22} \xleftarrow{M} \frac{4}{9} \xleftarrow{M} \frac{1}{4} \xleftarrow{R} \frac{1}{2}.$$

(2) Show that the rational numbers $t$ and $\frac{1 - t}{1 + t}$ belong to different ternary trees. How are their genealogy sequences related?

7.5 Genealogy of Pythagorean triangles

The ternary trees in the preceding sections can be translated into a genealogy of Pythagorean triangles. A Pythagorean triangle (or its similarity class) is generated by a positive rational number $t = \frac{q}{p}$ of odd height. The tree with root $\frac{1}{2}$ translates into

$(3, 4, 5)$

$(5, 12, 13)$, $(21, 20, 29)$, $(15, 8, 17)$

$(7, 24, 25)$, $(55, 48, 73)$, $(45, 28, 53)$; $(39, 80, 89)$, $(119, 120, 169)$, $(77, 36, 85)$; $(33, 56, 65)$, $(65, 72, 97)$, $(35, 12, 37)$

We find the descendants of a Pythagorean triangle $(a, b, c)$ in terms of the sides

$$a = p^2 - q^2, \quad b = 2pq, \quad c = p^2 + q^2.$$

The left descendant is generated by $\frac{p}{2p - q}$ and has sides

$$\begin{aligned} a_l &= (2p - q)^2 - p^2 = 3p^2 - 4pq + q^2 = a - 2b + 2c, \\ b_l &= 2(2p - q)p = 4p^2 - 2pq = 2a - b + 2c, \\ c_l &= (2p - q)^2 + p^2 = 5p^2 - 4pq + q^2 = 2a - 2b + 3c. \end{aligned}$$

The middle descendant is generated by $\frac{p}{2p + q}$ and has sides

$$\begin{aligned} a_m &= (2p + q)^2 - p^2 = 3p^2 + 4pq + q^2 = a + 2b + 2c, \\ b_m &= 2(2p + q)p = 4p^2 + 2pq = 2a + b + 2c, \\ c_m &= (2p + q)^2 + p^2 = 5p^2 + 4pq + q^2 = 2a + 2b + 3c. \end{aligned}$$

The right descendant is generated by $\frac{q}{p + 2q}$ and has sides

$$\begin{aligned} a_r &= (p + 2q)^2 - q^2 = p^2 + 4pq + 3q^2 = -a + 2b + 2c, \\ b_r &= 2(p + 2q)q = 2pq + 4q^2 = -2a + b + 2c, \\ c_r &= (p + 2q)^2 + q^2 = p^2 + 4pq + 5q^2 = -2a + 2b + 3c. \end{aligned}$$

Depending on the value of $\frac{q}{p}$, the parent of $(a, b, c)$ is generated by one of the fractions $\frac{2q - p}{q}$, $\frac{p - 2q}{q}$, and $\frac{q}{p - 2q}$. Since these fractions have the same numerator and denominators, up to permutation and change of signs, they all generate the Pythagorean triangle

$$\begin{aligned} a' &= |q^2 - (2q - p)^2| = |-p^2 + 4pq - 3q^2| = |a + 2b - 2c|, \\ b' &= |2q(2q - p)| = |-2pq + 4q^2| = |2a + b - 2c|, \\ c' &= q^2 + (2q - p)^2 = p^2 - 4pq + 5q^2 = -2a - 2b + 3c. \end{aligned}$$

Consider a right triangle $ABC$ with vertices $A = (0, b)$, $B = (a, 0)$, and $C = (0, 0)$, with semiperimeter $s = \frac{1}{2}(a + b + c)$. The incenter and the excenters are the points

$$I = (s - c,\ s - c), \quad I_a = (s - b,\ -(s - b)), \quad I_b = (-(s - a),\ s - a), \quad I_c = (s, s).$$

The circles with these centers and respective radii $r = s - c$, $r_a = s - b$, $r_b = s - a$, and $r_c = s$ are tangent to the sidelines of the triangle. According to the famous Feuerbach theorem, each of these circles is tangent to the nine-point circle, which is the circle passing through the midpoints of the three sides. This circle has center $N = \left(\frac{a}{4}, \frac{b}{4}\right)$ and radius $\frac{c}{4}$. The following theorem gives a nice geometric interpretation of the genealogy of Pythagorean triangles.

Theorem 7.4. The right triangles with hypotenuses $NI_a$, $NI_b$, $NI_c$ and sides parallel to $BC$ and $AC$ are similar to the descendants of $ABC$. The one with hypotenuse $NI$ (and sides parallel to $BC$ and $AC$) is similar to the parent of $ABC$.

Proof. The following table shows the sidelengths of the right triangles involved, each magnified by a factor 4:

| | horizontal | vertical | hypotenuse | |
|---|---|---|---|---|
| $NI$ | $\lvert a + 2b - 2c \rvert$ | $\lvert 2a + b - 2c \rvert$ | $-2a - 2b + 3c$ | parent |
| $NI_a$ | $a - 2b + 2c$ | $2a - b + 2c$ | $2a - 2b + 3c$ | left |
| $NI_b$ | $-a + 2b + 2c$ | $-2a + b + 2c$ | $-2a + 2b + 3c$ | right |
| $NI_c$ | $a + 2b + 2c$ | $2a + b + 2c$ | $2a + 2b + 3c$ | middle |

[Figure: right triangle $ABC$ with incenter $I$, excenters $I_a$, $I_b$, $I_c$, and nine-point center $N$]

Chapter 8

Homogeneous Quadratic Equations in 3 Variables

8.1 Pythagorean triangles revisited

A primitive Pythagorean triangle $(a, b, c)$ corresponds to a point $(x, y) = \left(\frac{a}{c}, \frac{b}{c}\right)$ in the first quadrant on the unit circle

$$x^2 + y^2 = 1.$$

Every rational point on the unit circle can be expressed in terms of the slope of the line joining the point to a fixed point, say $P = (-1, 0)$ on the circle. Thus, solving the equations

$$y = t(x + 1), \qquad x^2 + y^2 = 1,$$

simultaneously, we obtain $(x, y) = (-1, 0) = P$ or

$$(x, y) = P(t) = \left(\frac{1 - t^2}{1 + t^2},\ \frac{2t}{1 + t^2}\right).$$

This is a point in the first quadrant if and only if 0 q, and we obtain $\left(\frac{p^2 - q^2}{p^2 + q^2}, \frac{2pq}{p^2 + q^2}\right)$. It follows that the sidelengths of a primitive Pythagorean triangle can be written in the form

$$(a, b, c) = \frac{1}{g}\left(p^2 - q^2,\ 2pq,\ p^2 + q^2\right)$$

for suitable choice of $p$ and $q$. Here,

$$g = \gcd(p^2 - q^2, 2pq) = \gcd(p^2 - q^2, 2) = \gcd(p - q, 2).$$

To avoid repetition of representing a primitive Pythagorean triangle by both $(x, y)$ and $(y, x)$ in the first quadrant, we note that $\left(\frac{1 - t^2}{1 + t^2}, \frac{2t}{1 + t^2}\right) = \left(\frac{2s}{1 + s^2}, \frac{1 - s^2}{1 + s^2}\right)$ if and only if $s = \frac{1 - t}{1 + t}$. Thus, the rational numbers $t = \frac{q}{p}$ and $s = \frac{q'}{p'} = \frac{p - q}{p + q}$ represent the same primitive Pythagorean triangle. Note that $\gcd(p - q, 2) = 1$ if and only if $\gcd(p' - q', 2) = 2$. Thus, we may always restrict $p$ and $q$ of different parity.

8.2 Rational points on a conic

The method in the preceding section applies to a general (nonsingular) homogeneous equation in 3 variables, or after dehomogenization, to a nonsingular conic in the Cartesian plane. Suppose a nonsingular conic $f(x, y) = c$ contains a rational point $P = (x_0, y_0)$. Then by passing through $P$ lines of rational slope $t$ to intersect the conic again, we obtain a parametrization of the rational points on the curve.

Proposition 8.1. (1) The rational solutions of $x^2 - dy^2 = 1$ can be parametrized in the form

$$(x, y) = \left(\frac{1 + dt^2}{1 - dt^2},\ \frac{2t}{1 - dt^2}\right).$$

(2) The positive integer solutions of $x^2 - dy^2 = z^2$ can be parametrized in the form

$$(x, y, z) = \frac{1}{g}\left(p^2 + dq^2,\ 2pq,\ p^2 - dq^2\right),$$

where $g = \gcd(p^2 + dq^2, 2pq, p^2 - dq^2)$.

8.2.1 Integer triangles with a $60^\circ$ angle

If triangle $ABC$ has $C = 60^\circ$, then

$$c^2 = a^2 - ab + b^2. \tag{8.1}$$

Integer triangles with a $60^\circ$ angle therefore correspond to rational points in the first quadrant on the curve

$$x^2 - xy + y^2 = 1. \tag{8.2}$$

Note that the curve contains the point $P = (-1, -1)$. By passing a line of rational slope $t$ through $P$ to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation $y = -1 + t(x + 1)$. Solving this simultaneously with (8.2) we obtain $(x, y) = (-1, -1) = P$, and

$$(x, y) = \left(\frac{2t - 1}{t^2 - t + 1},\ \frac{t(2 - t)}{t^2 - t + 1}\right),$$

which is in the first quadrant if $\frac{1}{2} < t \le 2$. By symmetry, we may simply take $\frac{1}{2} < t \le 1$ to avoid repetition. Putting $t = \frac{q}{p}$ for relatively prime integers $p$, $q$, and clearing denominators, we obtain

$$\begin{aligned} a &= p(2q - p), \\ b &= q(2p - q), \\ c &= p^2 - pq + q^2, \end{aligned}$$

with p

$$\begin{aligned} \gcd(a, b) &= \gcd(2pq - p^2,\ 2pq - q^2) \\ &= \gcd((p - q)(p + q),\ q(2p - q)) \\ &= \gcd((p - q)(p + q),\ 2p - q) \end{aligned}$$

since $\gcd(p - q, q) = \gcd(p + q, q) = \gcd(p, q) = 1$. Now, $\gcd(p - q, 2p - q) = \gcd(p - q, p) = 1$ and $\gcd(p + q, 2p - q) = \gcd(p + q, 3p) = \gcd(p + q, 3)$. This gives $\gcd(a, b) = \gcd(p + q, 3)$.

Proposition 8.2. The primitive integer triangles with a $60^\circ$ angle are given by

$$\frac{1}{g}\left(p(2q - p),\ q(2p - q),\ p^2 - pq + q^2\right),$$

where $p$ and $q$ are relatively prime positive integers satisfying $\frac{p}{2} < q \le p$ and $g = \gcd(p + q, 3)$.

| $p$ | $q$ | $(a, b, c)$ |
|---|---|---|
| 1 | 1 | (1, 1, 1) |
| 3 | 2 | (3, 8, 7) |
| 4 | 3 | (8, 15, 13) |
| 5 | 3 | (5, 21, 19) |
| 5 | 4 | (5, 8, 7) |
| 6 | 5 | (24, 35, 31) |
| 7 | 4 | (7, 40, 37) |
| 7 | 5 | (7, 15, 13) |
| 7 | 6 | (35, 48, 43) |
| 8 | 5 | (16, 55, 49) |
| 8 | 7 | (16, 21, 19) |
| 9 | 5 | (9, 65, 61) |
| 9 | 7 | (45, 77, 67) |
| 9 | 8 | (63, 80, 73) |
| 10 | 7 | (40, 91, 79) |
| 10 | 9 | (80, 99, 91) |

8.2.2 Integer triangles with a $120^\circ$ angle

If triangle $ABC$ has $C = 120^\circ$, then

$$c^2 = a^2 + ab + b^2. \tag{8.3}$$

Integer triangles with a $120^\circ$ angle therefore correspond to rational points in the first quadrant on the curve

$$x^2 + xy + y^2 = 1. \tag{8.4}$$

Note that the curve contains the point $Q = (-1, 0)$. By passing a line of rational slope $t$ through $Q$ to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation $y = t(x + 1)$. Solving this simultaneously with (8.4) we obtain $(x, y) = (-1, 0) = Q$, and

$$Q(t) = \left(\frac{1 - t^2}{t^2 + t + 1},\ \frac{t(2 + t)}{t^2 + t + 1}\right),$$

which is in the first quadrant if 0

$$\begin{aligned} a &= p^2 - q^2, \\ b &= q(2p + q), \\ c &= p^2 + pq + q^2, \end{aligned}$$

with 0

$$\begin{aligned} \gcd(p^2 - q^2,\ q(2p + q)) &= \gcd((p + q)(p - q),\ q(2p + q)) \\ &= \gcd((p + q)(p - q),\ 2p + q) \\ &= \gcd(p - q,\ 2p + q) \\ &= \gcd(p - q,\ 3p) \\ &= \gcd(p - q,\ 3). \end{aligned}$$

Proposition 8.3. The primitive integer triangles with a $120^\circ$ angle are given by

$$\frac{1}{g}\left(p^2 - q^2,\ q(2p + q),\ p^2 + pq + q^2\right),$$

where $q < \left(\frac{\sqrt{3} - 1}{2}\right) p$ are relatively prime positive integers and $g = \gcd(p - q, 3)$.

| $p$ | $q$ | $(a, b, c)$ |
|---|---|---|
| 3 | 1 | (8, 7, 13) |
| 4 | 1 | (5, 3, 7) |
| 5 | 1 | (24, 11, 31) |
| 6 | 1 | (35, 13, 43) |
| 7 | 1 | (16, 5, 19) |
| 7 | 2 | (45, 32, 67) |
| 8 | 1 | (63, 17, 73) |
| 9 | 1 | (80, 19, 91) |
| 9 | 2 | (77, 40, 103) |
| 10 | 1 | (33, 7, 37) |
| 10 | 3 | (91, 69, 139) |

Exercise

1. Show that a number $c$ is a sum of two consecutive squares if and only if $2c - 1$ is a square.

2. Suppose an integer triangle contains a $120^\circ$ angle with its two arms differing by 1. Show that the length of the longest side is a sum of two consecutive squares.

3. It is known that the centroid of a triangle of sides $a$, $b$, $c$ lies on its incircle if and only if $5(a^2 + b^2 + c^2) = 6(ab + bc + ca)$. Find a parametrization of all such primitive triangles.

4. A standard calculus exercise asks to cut equal squares of dimension $x$ from the four corners of a rectangle of length $a$ and breadth $b$ so that the box obtained by folding along the creases has a greatest capacity.

[Figure: rectangle of length $a$ and breadth $b$ with squares of side $x$ cut from the four corners]

The answer to this problem is given by

$$x = \frac{a + b - \sqrt{a^2 - ab + b^2}}{6}.$$

How should one choose relatively prime integers $a$ and $b$ so that the resulting $x$ is an integer? For example, when $a = 5$, $b = 8$, $x = 1$. Another example is $a = 16$, $b = 21$ with $x = 3$.

8.3 Heron triangles

8.3.1 The Heron formula

Let $ABC$ be a triangle with sidelengths $BC = a$, $CA = b$, $AB = c$, and semiperimeter $s = \frac{1}{2}(a + b + c)$. If the incircle touches the sides $BC$, $CA$ and $AB$ respectively at $X$, $Y$, and $Z$,

$$AY = AZ = s - a, \quad BX = BZ = s - b, \quad CX = CY = s - c.$$

[Figure: triangle $ABC$ with incenter $I$ and points of tangency $X$, $Y$, $Z$, showing the tangent lengths $s - a$, $s - b$, $s - c$]

The radius $r$ of the incircle and the area $\triangle$ of the triangle are given by

$$r = \sqrt{\frac{(s - a)(s - b)(s - c)}{s}}, \qquad \triangle = \sqrt{s(s - a)(s - b)(s - c)}.$$

The latter one is the famous Heron formula. Explicitly in terms of $a$, $b$, $c$, it can be written as

$$\triangle^2 = \frac{1}{16}\left(2a^2b^2 + 2b^2c^2 + 2c^2a^2 - a^4 - b^4 - c^4\right). \tag{8.5}$$

Remark. The inradius of a right triangle is $r = s - c$.

[Figure: right triangle $ABC$ with right angle at $C$, incircle of radius $r$, and tangent lengths $s - a$, $s - b$, $s - c$]

Exercise

Given a positive integer $r$, determine all Pythagorean triangles with inradius $r$.

First consider the case of primitive Pythagorean triangles. The one with parameters $p > q$ (of different parity) has inradius $r = q(p - q)$. Note that $p - q$ must be odd, and $q$ does not contain any prime divisor of $p - q$. There are $2^k$ choices of $p - q$, where $k$ is the number of odd prime divisors of $r$. In particular, there is only one (primitive) Pythagorean triangle of inradius 1, which is the $(3, 4, 5)$ triangle.

A Heron triangle is an integer triangle with integer area. Here are some fundamental facts about Heron triangles.

Proposition 8.4. (1) The semiperimeter of a Heron triangle is an integer. (2) The area of a Heron triangle is a multiple of 6.

Proof. It is enough to consider primitive Heron triangles, those whose sides are relatively prime.

(1) Note that modulo 16, each of $a^4$, $b^4$, $c^4$ is congruent to 0 or 1, according as the number is even or odd. To render in (8.5) the sum $2a^2b^2 + 2b^2c^2 + 2c^2a^2 - a^4 - b^4 - c^4 \equiv 0$ modulo 16, exactly two of $a$, $b$, $c$ must be odd. It follows that the perimeter of a Heron triangle must be an even number.

(2) Since $a$, $b$, $c$ are not all odd nor all even, and $s$ is an integer, at least one of $s - a$, $s - b$, $s - c$ is even. This means that $\triangle$ is even. We claim that at least one of $s$, $s - a$, $s - b$, $s - c$ must be a multiple of 3. If not, then modulo 3, these numbers are $+1$ or $-1$. Since $s = (s - a) + (s - b) + (s - c)$, modulo 3, this must be either $1 \equiv 1 + 1 + (-1)$ or $-1 \equiv 1 + (-1) + (-1)$. In each case the product $s(s - a)(s - b)(s - c) \equiv -1 \pmod 3$ cannot be a square. This justifies the claim that one of $s$, $s - a$, $s - b$, $s - c$, hence $\triangle$, must be a multiple of 3.

8.3.2 Construction of Heron triangles

Let $t_1 = \tan\frac{A}{2}$, $t_2 = \tan\frac{B}{2}$, and $t_3 = \tan\frac{C}{2}$. Since $\frac{A}{2} + \frac{B}{2} + \frac{C}{2} = \frac{\pi}{2}$, we have $t_1t_2 + t_2t_3 + t_3t_1 = 1$. If we construct a triangle with sides $\frac{1}{t_2} + \frac{1}{t_3}$, $\frac{1}{t_3} + \frac{1}{t_1}$, and $\frac{1}{t_1} + \frac{1}{t_2}$, then it has inradius 1 and area

$$\sqrt{\frac{1}{t_1} \cdot \frac{1}{t_2} \cdot \frac{1}{t_3}\left(\frac{1}{t_1} + \frac{1}{t_2} + \frac{1}{t_3}\right)} = \frac{1}{t_1t_2t_3}.$$

Writing $t_i = \frac{p_i}{q_i}$ for relatively prime integers $p_i$, $q_i$, $i = 1, 2$, and magnifying the triangle by a factor $p_1p_2p_3$, we obtain a Heron triangle with sides

$$a = p_1(p_2q_3 + p_3q_2), \quad b = p_2(p_3q_1 + p_1q_3), \quad c = p_3(p_1q_2 + p_2q_1),$$

and area $p_1p_2p_3q_1q_2q_3$ and inradius $p_1p_2p_3$. Note that these integers satisfy

$$p_1p_2q_3 + p_1q_2p_3 + q_1p_2p_3 = q_1q_2q_3,$$
or
$$\frac{p_3}{q_3} = \frac{q_1q_2 - p_1p_2}{p_1q_2 + p_2q_1}.$$

[Figure: triangle ABC with incircle, center I, touching BC, CA, AB at X, Y, Z; the inradius is p1p2p3 and the tangent lengths are q1p2p3 at A, p1q2p3 at B, and p1p2q3 at C.]
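As an added illustration (not part of the original notes), the construction of Section 8.3.2 can be carried out in exact arithmetic. The function name is hypothetical; it takes rational $t_1 = \tan\frac{A}{2}$ and $t_2 = \tan\frac{B}{2}$, derives $t_3$ from $t_1t_2 + t_2t_3 + t_3t_1 = 1$, and cross-checks the resulting sides against (8.5) and against area = inradius × semiperimeter.

```python
from fractions import Fraction

def heron_from_half_angle_tangents(t1, t2):
    """Return ((a, b, c), area, inradius) for rational t1 = tan(A/2), t2 = tan(B/2).

    Hypothetical helper name; the formulas are those of Section 8.3.2.
    """
    t1, t2 = Fraction(t1), Fraction(t2)
    if t1 <= 0 or t2 <= 0 or t1 * t2 >= 1:
        # A/2 + B/2 < pi/2 forces t1*t2 < 1; otherwise t3 <= 0 and no triangle exists.
        raise ValueError("need t1, t2 > 0 and t1*t2 < 1")

    # Third half-angle tangent from t1*t2 + t2*t3 + t3*t1 = 1 (Fraction keeps it reduced).
    t3 = (1 - t1 * t2) / (t1 + t2)
    (p1, q1), (p2, q2), (p3, q3) = [(t.numerator, t.denominator) for t in (t1, t2, t3)]

    # Sides after magnifying the inradius-1 triangle by p1*p2*p3.
    a = p1 * (p2 * q3 + p3 * q2)
    b = p2 * (p3 * q1 + p1 * q3)
    c = p3 * (p1 * q2 + p2 * q1)
    area = p1 * p2 * p3 * q1 * q2 * q3
    inradius = p1 * p2 * p3

    # Cross-checks: Heron's formula in the form (8.5), and area = inradius * s.
    assert 16 * area**2 == 2 * (a*a*b*b + b*b*c*c + c*c*a*a) - a**4 - b**4 - c**4
    assert 2 * area == inradius * (a + b + c)
    return (a, b, c), area, inradius

if __name__ == "__main__":
    # Constructed sample inputs.
    print(heron_from_half_angle_tangents("1/2", "1/3"))
    print(heron_from_half_angle_tangents("2/3", "1/4"))
```

The triangle returned is not necessarily primitive; dividing the sides by their greatest common divisor gives the primitive one.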

8.3.3 Heron triangles with sides in arithmetic progression

Consider a primitive Heron triangle with sides in arithmetic progression. By Proposition 8.4, the sidelengths are $2a - d$, $2a$, $2a + d$ for integers $a$ and $d$. The semiperimeter being $s = 3a$, we require $(3a)(a)(a + d)(a - d) = 3a^2(a^2 - d^2)$ to be the square of an integer. This means
$$a^2 - d^2 = 3b^2 \tag{8.6}$$
for an integer $b$. With $x := \frac{a}{d}$, $y := \frac{b}{d}$, we transform this condition into $x^2 - 3y^2 = 1$. The Heron triangles with sides in arithmetic progression, therefore, correspond to the rational points in the first quadrant on the curve $x^2 - 3y^2 = 1$. Now, such rational points can be parametrized as

1+3t2 2t 1 (x,y)= , , 0

$$a = p^2 + 3q^2, \quad d = p^2 - 3q^2, \quad b = 2pq$$
for relatively prime $p$, $q$ satisfying $p^2 > 3q^2$. This gives a Heron triangle $(2a - d, 2a, 2a + d; 3ab)$. In each case, we obtain a primitive Heron triangle by dividing the sidelengths by the greatest common divisor $g = \gcd(2a, d)$ (and $\triangle$ correspondingly by $g^2$).

Here are the primitive Heron triangles with sides in A.P., generated by taking $p \le 7$:¹

p   q   (a, b, c; △)
2   1   (13, 14, 15; 84)
3   1   (3, 4, 5; 6)
4   1   (25, 38, 51; 456)
5   1   (17, 28, 39; 210)
5   2   (61, 74, 87; 2220)
6   1   (15, 26, 37; 156)
7   1   (29, 52, 75; 546)
7   2   (85, 122, 159; 5124)
7   3   (65, 76, 87; 2394)
7   4   (193, 194, 195; 16296)

¹ Note that some of these Heron triangles have consecutive integers as sidelengths, namely (3, 4, 5; 6), (13, 14, 15; 84), and (193, 194, 195; 16296). These correspond to $d = 1$. We shall treat this case in detail when we study the Pell equation. There is one such "small" triangle missing from the table, corresponding to $(p, q) = (9, 5)$.
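The following added example (not from the original notes; the function name is hypothetical) regenerates the table of Heron triangles with sides in arithmetic progression from $a = p^2 + 3q^2$, $d = p^2 - 3q^2$, $b = 2pq$, reducing by $g = \gcd(2a, d)$ and checking each row against the Heron formula. Raising the bound to $p \le 9$ also produces the triangle for $(p, q) = (9, 5)$ mentioned in the footnote.

```python
from math import gcd

def ap_heron_triangles(p_max):
    """Primitive Heron triangles with sides in A.P. for coprime p > q, p*p > 3*q*q, p <= p_max.

    Returns rows (p, q, (side1, side2, side3), area) in the order of the table.
    """
    rows = []
    for p in range(2, p_max + 1):
        for q in range(1, p):
            if gcd(p, q) != 1 or p * p <= 3 * q * q:
                continue
            a, d, b = p * p + 3 * q * q, p * p - 3 * q * q, 2 * p * q
            g = gcd(2 * a, d)                      # common factor to remove
            sides = ((2 * a - d) // g, 2 * a // g, (2 * a + d) // g)
            area, rem = divmod(3 * a * b, g * g)   # area scales by g^2
            # Independent check with Heron's formula on the reduced triangle.
            x, y, z = sides
            s = (x + y + z) // 2
            assert rem == 0 and (x + y + z) % 2 == 0
            assert area * area == s * (s - x) * (s - y) * (s - z)
            rows.append((p, q, sides, area))
    return rows

if __name__ == "__main__":
    for p, q, sides, area in ap_heron_triangles(9):
        print(p, q, sides, area)
```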

Exercise Is there a Heron triangle whose sides are in geometric progression?

8.3.4 Heron triangles with integer inradii

We determine all Heron triangles with a given positive integer $r$ as inradius. This is equivalent to the solution of

$$uvw = r^2(u + v + w) \tag{8.7}$$
in positive integers $u$, $v$, $w$. We shall assume $u \ge v \ge w$ (so that $A \le B \le C$). The Heron triangle in question has sides $a = v + w$, $b = w + u$, and $c = u + v$. We shall distinguish between three cases. In each case, we find appropriate bounds for $v$ and $w$ to determine if the corresponding $u$ is an integer.

Proposition 8.5. (1) For obtuse Heron triangles with given inradius r, it is enough to check if r2(v + w) u = . (8.8) vw r2 − r2 r(r+√r2+w2) is an integer for w

w< √3r and w v (√2+1)r. ≤ ≤ (3) For Pythagorean triangles with given inradius r, it is enough to check if r(v+r) √ u = v r is an integer for r 0. From u = vw r2 v, we have, ≥ − 2 − ≥ 2 2 after clearing denominator, wv2 2r2v r2w< 0. Hence, r

C π (2) If the triangle is acute angled, all u, v, w are greater than r. Since 2 > 6 , r > tan π = 1 , we have w < √3r. Also, B > π . This means r > 1 and w 3 √3 2 8 v √2+1 r2 √ w

w   v   u    (a, b, c; △)
1   5   24   (6, 25, 29; 60)
1   6   14   (7, 15, 20; 42)
1   8   9    (9, 10, 17; 36)

(ii) There is no acute Heron triangle with inradius 2. We need only check w =3 and v =3, 4. (iii) The only Pythagorean triangles with inradius 2 are (6, 8, 10; 24) and (5, 12, 13; 30).
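An added example, not part of the original notes: an exhaustive search for the solutions of (8.7) with $u \ge v \ge w$ for a given $r$. The function name is hypothetical, and the loop bounds are the ones that follow directly from $u \ge v \ge w$ (namely $w < \sqrt{3}\,r$, $vw > r^2$, and $wv^2 - 2r^2v - r^2w \le 0$, which is $u \ge v$ after clearing denominators); the largest angle $C$ is classified through $\tan\frac{C}{2} = \frac{r}{w}$.

```python
def heron_triangles_with_inradius(r):
    """All Heron triangles with inradius r, as (kind, (a, b, c), area).

    Solves u*v*w = r^2 (u + v + w) with u >= v >= w > 0, where
    u = s - a, v = s - b, w = s - c, so a = v + w, b = w + u, c = u + v.
    """
    found = []
    w = 1
    # u*v*w = r^2 (u+v+w) <= 3 r^2 u gives w^2 <= v*w <= 3 r^2.
    while w * w < 3 * r * r:
        # Need v >= w, and v*w > r^2 so that u is positive.
        v = max(w, r * r // w + 1)
        # u >= v  <=>  r^2 (v + w) >= v (v*w - r^2)  <=>  w v^2 - 2 r^2 v - r^2 w <= 0.
        while w * v * v - 2 * r * r * v - r * r * w <= 0:
            num, den = r * r * (v + w), v * w - r * r
            if num % den == 0:
                u = num // den
                # tan(C/2) = r / w: C is obtuse, right or acute as w <, =, > r.
                kind = "obtuse" if w < r else "right" if w == r else "acute"
                # Area = r * s with s = u + v + w.
                found.append((kind, (v + w, w + u, u + v), r * (u + v + w)))
            v += 1
        w += 1
    return found

if __name__ == "__main__":
    for row in heron_triangles_with_inradius(2):
        print(row)
```

For $r = 2$ the search returns the three obtuse triangles of the table, the two Pythagorean triangles of (iii), and no acute triangle.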

8.4 The equation Pk,a + Pk,b = Pk,c for polynomial numbers

The $n$-th triangular number is
$$T_n = 1 + 2 + 3 + \cdots + n = \frac{1}{2}n(n + 1).$$
The first few of these are 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, ... .

The pentagonal numbers are the sums of the arithmetic progression
$$1 + 4 + 7 + \cdots + (3n - 2) + \cdots$$
The $n$-th pentagonal number is $P_n = \frac{1}{2}n(3n - 1)$. Here are the beginning ones:
1, 5, 12, 22, 35, 51, 70, 92, 117, 145, ...

More generally, for a fixed $k$, the $k$-gonal numbers are the sums of the arithmetic progression $1 + (k - 1) + (2k - 3) + \cdots$. The $n$th $k$-gonal number is
$$P_{k,n} = \frac{1}{2}n\big((k - 2)n - (k - 4)\big).$$

By a k-gonal triple, we mean a triple of positive integers (a,b,c) satisfying

$$P_{k,a} + P_{k,b} = P_{k,c}. \tag{8.9}$$

A 4-gonal triple is simply a Pythagorean triple satisfying $a^2 + b^2 = c^2$. We shall assume in the present chapter that $k \ne 4$. By completing squares, we rewrite (8.9) as

$$[2(k-2)a - (k-4)]^2 + [2(k-2)b - (k-4)]^2 = [2(k-2)c - (k-4)]^2 + (k-4)^2, \tag{8.10}$$
and note, by dividing throughout by $(k - 4)^2$, that this determines a rational point on the surface
$$S:\quad x^2 + y^2 = z^2 + 1, \tag{8.11}$$
namely,
$$P(k; a, b, c) := (ga - 1, gb - 1, gc - 1), \tag{8.12}$$
where $g = \frac{2(k-2)}{k-4}$. This is always an integer point for $k = 3, 5, 6, 8$, with corresponding $g = -2, 6, 4, 3$. For $k = 3$ (triangular numbers), we shall change signs, and consider instead the point

P ′(3; a,b,c) := (2a +1, 2b +1, 2c + 1). (8.13)

The coordinates of P ′(3; a,b,c) are all odd integers exceeding 1.

8.4.1 Double ruling of S

The surface $S$, being the surface of revolution of a rectangular hyperbola about its conjugate axis, is a rectangular hyperboloid of one sheet. It has a double ruling, i.e., through each point on the surface, there are two straight lines lying entirely on the surface.

Let P (x0,y0,z0) be a point on the surface S. A line ℓ through P with direction numbers p : q : r has parametrization

ℓ : x = x0 + pt, y = y0 + qt, z = z0 + rt.

Substitution of these expressions into (8.11) shows that the line $\ell$ is entirely contained in the surface $S$ if and only if

$$px_0 + qy_0 = rz_0, \tag{8.14}$$
$$p^2 + q^2 = r^2. \tag{8.15}$$

It follows that

$$\begin{aligned}
r^2 &= r^2(x_0^2 + y_0^2 - z_0^2) \\
&= r^2(x_0^2 + y_0^2) - (px_0 + qy_0)^2 \\
&= (p^2 + q^2)(x_0^2 + y_0^2) - (px_0 + qy_0)^2 \\
&= (-qx_0 + py_0)^2.
\end{aligned}$$
This means
$$-qx_0 + py_0 = \epsilon r, \qquad \epsilon = \pm 1. \tag{8.16}$$
Solving equations (8.14) and (8.16), we determine the direction numbers of the line. We summarize this in the following proposition.

Proposition 8.6. The two lines lying entirely on the hyperboloid $S: x^2 + y^2 = z^2 + 1$ and passing through $P(x_0, y_0, z_0)$ have direction numbers

$$x_0z_0 - \epsilon y_0 : y_0z_0 + \epsilon x_0 : x_0^2 + y_0^2$$
for $\epsilon = \pm 1$.

In particular, if $P$ is a rational point, these direction numbers are rational.

8.4.2 Primitive Pythagorean triple associated with a k-gonal triple

Let $(a, b, c)$ be a triangular triple. The coordinates of

$$P'(3; a, b, c) := (2a + 1, 2b + 1, 2c + 1)$$
on $S$ are odd integers $> 1$. The components of the direction numbers $p : q : r$ of the line $\ell$ through $P'(3; a, b, c)$ lying entirely on $S$ are positive integers satisfying (8.15). The triple $(p, q, r)$ can be taken as a primitive Pythagorean triple generated by relatively prime integers $m > n$ of different parity. The same is true for pentagonal triples. We study the converse question of determining triangular and pentagonal triples from (primitive) Pythagorean triples.

8.4.3 Triangular triples

For a primitive Pythagorean triple $(p, q, r)$ given in (8.15), we determine a triangular triple $(a, b, c)$ corresponding to it.

Lemma 8.7. Let $(p, q, r)$ be a primitive Pythagorean triple

$$p = m^2 - n^2, \quad q = 2mn, \quad r = m^2 + n^2$$
in which $m$ and $n$ are relatively prime with different parity. It is possible to choose an odd number $z_0 > 1$ such that
$$x_0 = \frac{pz_0 - \epsilon q}{r}, \qquad y_0 = \frac{qz_0 + \epsilon p}{r} \tag{8.17}$$
are also odd integers $> 1$.

Proof. By solving (8.14) and (8.16), we obtain $x_0$ and $y_0$ given in (8.17) above. If $z_0$ is odd, then so are $x_0$ and $y_0$. By the euclidean algorithm, there are odd integers $u$ and $v$ such that $qu + rv = -1$. (Note that $v$ must be odd, since $q$ is even. If $u$ is even, we replace $(u, v)$ by $(u - r, v + q)$, in which both entries are odd). Clearly, the integer $z_0 = \epsilon pu$ is such that $qz_0 + \epsilon p = \epsilon p(qu + 1)$ is divisible by $r$. This makes $y_0$ an integer. The corresponding $x_0$ is also an integer. Replacing $z_0$ by $z_0 + rt$ for a positive integer $t$ if necessary, the integers $z_0$, $x_0$, and $y_0$ can be chosen greater than 1.

We summarize this in the following theorem.

Theorem 8.8. Let $(p, q, r)$ be a primitive Pythagorean triple. There are two infinite families of triangular triples $(a_\epsilon(t), b_\epsilon(t), c_\epsilon(t))$, $\epsilon = \pm 1$, such that one of the lines $\ell_\epsilon(P)$, $P = P'(3; a_\epsilon(t), b_\epsilon(t), c_\epsilon(t))$, has direction numbers $p : q : r$.

Triangular triples from primitive Pythagorean triples

(m, n)   (p, q, r)      (a+(0), b+(0), c+(0))   (a−(0), b−(0), c−(0))
(2, 1)   (3, 4, 5)      (3, 5, 6)               (2, 2, 3)
(4, 1)   (15, 8, 17)    (5, 3, 6)               (9, 4, 10)
(3, 2)   (5, 12, 13)    (5, 14, 15)             (4, 9, 10)
(6, 1)   (35, 12, 37)   (14, 5, 15)             (20, 6, 21)
(5, 2)   (21, 20, 29)   (14, 14, 20)            (6, 5, 8)
(4, 3)   (7, 24, 25)    (7, 27, 28)             (6, 20, 21)
(8, 1)   (63, 16, 65)   (27, 7, 28)             (35, 8, 36)
(7, 2)   (45, 28, 53)   (9, 6, 11)              (35, 21, 41)
(5, 4)   (9, 40, 41)    (9, 44, 45)             (8, 35, 36)

8.4.4 Pentagonal triples

Theorem 8.9. A line on $S$ with direction numbers

$$p = m^2 - n^2, \quad q = 2mn, \quad r = m^2 + n^2 \tag{8.18}$$
for relatively prime integers $m > n$ of different parity generates pentagonal triples if and only if one of $m - n$ and $n$ is divisible by 3.

Proof. The rational points through which the surface

$$S:\quad x^2 + y^2 = z^2 + 1$$
contains a line of direction numbers $p : q : r$ are of the form
$$\left(\frac{pz - \varepsilon q}{r},\ \frac{qz + \varepsilon p}{r},\ z\right). \tag{8.19}$$
Suppose this is
$$P(5; a, b, c) = (6a - 1, 6b - 1, 6c - 1)$$
for a pentagonal triple $(a, b, c)$. We consider two cases.

(1) For $\varepsilon = 1$,
$$6a - 1 = \frac{pz - q}{r}, \qquad 6b - 1 = \frac{qz + p}{r}, \qquad z = 6c - 1.$$
From these,
$$a = \frac{6pc - p - q + r}{6r}, \qquad b = \frac{6qc + p - q + r}{6r}. \tag{8.20}$$
Substituting equation (8.18) into (8.20), we get
$$a = \frac{m - n}{3(m^2 + n^2)} \cdot \big(3(m + n)c - n\big), \tag{8.21}$$
$$b = \frac{m}{3(m^2 + n^2)} \cdot \big(3 \cdot 2nc + (m - n)\big). \tag{8.22}$$

From these expressions,
$$a^2 + b^2 - c^2 = \frac{m - n}{3^2(m^2 + n^2)} \cdot \big(6n \cdot c + (m - n)\big). \tag{8.23}$$

Clearly, $m - n$ must be divisible by 3. Note that there is a unique positive integer $c_0 < m^2 + n^2$ for which $b_0$ defined by (8.22) is an integer. Since $a_0^2 + b_0^2 - c_0^2$ is also an integer and $a_0$ is rational, it too must be an integer. These give pentagonal triples

$$a_t = a_0 + pt, \qquad b_t = b_0 + qt, \qquad c_t = c_0 + rt$$
for a positive integer $t$.

(2) For $\varepsilon = -1$,
$$6a - 1 = \frac{pz + q}{r}, \qquad 6b - 1 = \frac{qz - p}{r}, \qquad z = 6c - 1.$$
From these,
$$a = \frac{6pc - p + q + r}{6r}, \qquad b = \frac{6qc - p - q + r}{6r}. \tag{8.24}$$
Substituting equation (8.18) into (8.24), we get

$$a = \frac{m + n}{3(m^2 + n^2)} \cdot \big(3(m - n)c + n\big), \tag{8.25}$$
$$b = \frac{n}{3(m^2 + n^2)} \cdot \big(3 \cdot 2mc - (m - n)\big). \tag{8.26}$$

From these expressions,

$$a^2 + b^2 - c^2 = \frac{2n}{3^2(m^2 + n^2)} \cdot \big(3(m - n)c + n\big). \tag{8.27}$$

A similar reasoning as above shows that n must be divisible by 3 for a, b, c to 2 2 be integers, and there is a unique integer c0

Since $m$ and $n$ are relatively prime, the integers $m - n$ and $n$ cannot be both divisible by 3. This means that a primitive Pythagorean triple $(p, q, r)$ corresponds to at most one line on $S$ associated with pentagonal triples.

Example 8.2. Since the Pythagorean triple $(p, q, r) = (3, 4, 5)$ results from $(m, n) = (2, 1)$, for which neither $m - n$ nor $n$ is divisible by 3, there are no pentagonal triples on ruling lines of $S$ with direction numbers $3 : 4 : 5$. The table below gives some examples. The pentagonal triples $(a_+(0), b_+(0), c_+(0))$ are computed using (8.21) and (8.22) with a suitable choice of $c_+(0) < r = m^2 + n^2$. Likewise, the triples $(a_-(0), b_-(0), c_-(0))$ are computed using (8.25) and (8.26).

Pentagonal triples from primitive Pythagorean triples

(m, n)   (p, q, r)      (a+(0), b+(0), c+(0))   (a−(0), b−(0), c−(0))
(4, 1)   (15, 8, 17)    (7, 4, 8)
(4, 3)   (7, 24, 25)                            (7, 23, 24)
(5, 2)   (21, 20, 29)   (5, 5, 7)
(7, 4)   (33, 56, 65)   (4, 7, 8)
(7, 6)   (13, 84, 85)                           (13, 82, 83)
(8, 3)   (55, 48, 73)                           (22, 19, 29)
(8, 5)   (39, 80, 89)   (35, 72, 80)
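The next block is an added example (not from the original notes) that serves both Section 8.4.3 and Theorem 8.9: it finds the first triangular or pentagonal triple on the ruling line with direction numbers $p : q : r$ and sign $\epsilon$, or reports that none exists. Function names are hypothetical; the search uses $z \equiv -\epsilon p q^{-1} \pmod r$ from the proof of Lemma 8.7 and the observation, assumed here, that stepping $z$ by $r$ changes $(x, y, z)$ by $(p, q, r)$, so the residues modulo the scale factor repeat after that many steps.

```python
def polygonal(k, n):
    """n-th k-gonal number P_{k,n} = n((k-2)n - (k-4))/2."""
    return n * ((k - 2) * n - (k - 4)) // 2

def first_triple_on_ruling(m, n, eps, k):
    """First k-gonal triple (k = 3 or 5) whose point on S: x^2 + y^2 = z^2 + 1
    lies on a ruling line with direction p : q : r and sign eps, else None.

    m > n must be coprime and of different parity (so that gcd(q, r) = 1).
    """
    p, q, r = m * m - n * n, 2 * m * n, m * m + n * n
    # Point coordinates are g*a + off: (2a+1, ...) for k = 3, (6a-1, ...) for k = 5.
    g, off = {3: (2, 1), 5: (6, -1)}[k]
    # z = -eps*p/q (mod r) makes both p*z - eps*q and q*z + eps*p divisible by r.
    z0 = (-eps * p * pow(q, -1, r)) % r
    # Residues of (x, y, z) modulo g repeat every g steps; 2g steps also
    # cover the case where the first hit has a coordinate too small (a = 0).
    for z in range(z0, z0 + 2 * g * r, r):
        point = ((p * z - eps * q) // r, (q * z + eps * p) // r, z)
        if all((c - off) % g == 0 and c - off >= g for c in point):
            a, b, c = ((coord - off) // g for coord in point)
            assert polygonal(k, a) + polygonal(k, b) == polygonal(k, c)
            return a, b, c
    return None

if __name__ == "__main__":
    # Constructed sample parameters taken from the rows of the two tables.
    for m, n in [(2, 1), (4, 1), (4, 3), (8, 5)]:
        for k in (3, 5):
            print((m, n), k, first_triple_on_ruling(m, n, +1, k),
                  first_triple_on_ruling(m, n, -1, k))
```

For $k = 5$ the function returns a triple for exactly one sign when one of $m - n$ and $n$ is divisible by 3, and `None` for both signs otherwise, in line with Theorem 8.9 and Example 8.2.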