MST Number Theory and Cryptography

Paul Yiu

Department of Mathematics Florida Atlantic University

Fall 2008 (Revised 2014)

Chapters 1-30

Contents

1 Euclidean Algorithm and Linear Diophantine Equations 101 1.1 Euclidean algorithm and gcd ...... 101 1.2 gcd(a, b) as an integer combination of a and b...... 102 1.3 Linear Diophantine equations ...... 103 1.4 Exercises ...... 103

2 Representation of integers in base b 105 2.1 Representation in a given base ...... 105 2.2 Binary expansions ...... 105 2.2.1 Calculation of high powers by repeated squaring ...... 105 2.2.2 Parity of binomial coefﬁcients ...... 106 2.3 Highest power of a prime dividing a factorial ...... 106 2.4 Exercises ...... 107

3 Prime Numbers 109 3.1 Inﬁnitude of prime numbers ...... 109 3.2 The sieve of Eratosthenes ...... 109 3.3 The Fundamental Theorem of Arithmetic ...... 111 3.4 The number-of-divisors function ...... 112 3.5 The sum-of-divisors function ...... 113 3.6 Perfect numbers ...... 113 3.7 Exercises ...... 114

4 Linear Congruences 115 4.1 The ring of residues modulo n ...... 115 4.2 Simultaneous linear congruences ...... 116 4.3 Exercises ...... 117

5 The Euler ϕ-function 119 5.1 Exercises ...... 120 iv CONTENTS

6 Fermat-Euler theorem 121 6.1 Primality test for Mersenne numbers ...... 121 6.2 Pseudoprimes ...... 122 6.3 Exercises ...... 122

7 Pythagorean Triangles 201 7.1 Construction of Pythagorean triangles ...... 201 7.2 Fermat Last Theorem for n =4 ...... 202 7.3 Fermat’s construction of primitive Pythagorean triangles with consecutive legs ...... 202

8 Homogeneous quadratic equations in 3 variables 207 8.1 Pythagorean triangles revisited ...... 207 8.2 Rational points on a conic ...... 208 8.3 Integer triangles with a 60◦ angle ...... 208 8.4 Integer triangles with a 120◦ angle ...... 210

9 Heron triangles 213 9.1 The Heron formula ...... 213 9.2 Heron triangles ...... 214 9.3 Construction of Heron triangles ...... 214 9.4 Heron triangles with sides in arithmetic progression ...... 215 9.5 Heron triangles with integer inradii ...... 216

10 Genealogy of Pythagorean triangles 219 10.1 Two ternary trees of rational numbers ...... 219 10.2 Genealogy of Pythagorean triangles ...... 221

11 Polygonal numbers 225

11.1 The polygonal numbers Pk,n ...... 225 11.2 The equation Pk,a + Pk,b = Pk,c ...... 226 11.3 Double ruling of S ...... 226 11.4 Primitive Pythagorean triple associated with a k-gonal triple . . . . 227 11.5 Triples of triangular numbers ...... 228 11.6 k-gonal triples determined by a Pythagorean triple ...... 229

12 Quadratic Residues 301 12.1 Quadratic residues ...... 301 12.2 The Legendre symbol ...... 302 12.3 −1 as a quadratic residue modp ...... 303 CONTENTS v

13 The law of quadratic reciprocity 305 13.1 Gauss’ lemma ...... 305 13.2 The law of quadratic reciprocity ...... 307

14 Calculation of square roots 311 14.1 Square roots modulo p ...... 311 14.2 Square roots modulo an odd prime power ...... 313 14.3 Squares modulo 2k ...... 313

15 Primitive roots 315 15.1 Periodicity of decimal expansions of rational numbers ...... 317

16 Sums of two and four squares 319 16.1 Fermat’s two-square theorem ...... 319 16.2 Representation of integers as sums of two squares ...... 320 16.3 Lagrange’s four-square theorem ...... 320 16.3.1 Descent ...... 321

17 Finite continued fractions 401 17.1 Euler’s function F for ﬁnite continued fractions ...... 401 17.2 Cornacchia’ algorithm for a prime as a sum of two squares ....402

18 Inﬁnite continued fractions 405

19 Lagrange’s Theorem 409 19.1 Purely periodic continued fractions ...... 409 19.2 Eventually periodic continued fractions ...... 409 19.3 Reduced quadratic irrationalities ...... 410 19.4 Proof of Lagrange’s theorem ...... 410

20 The Pell Equation 413 20.1 The equation x2 − dy2 =1 ...... 413 20.1.1 ...... 415 20.2 The equation x2 − dy2 = −1 ...... 415 20.3 The equation x2 − dy2 = c ...... 416 20.4 Applications ...... 417

21 Sums of consecutive squares 421 21.1 Sums of an odd number of consecutive squares...... 421 21.2 Even number of consecutive squares...... 423 vi CONTENTS

22 Some simple cryptosystems 501 22.1 Shift ciphers ...... 501 22.2 Afﬁne ciphers ...... 502 22.3 A matrix encryption system ...... 505

23 A public key cryptosystem 509 23.1 RSA-cryptosystems ...... 509 23.2 Signature ...... 510

24 Factoring integers 513 24.1 Flipping a coin over the phone ...... 513 24.2 The quadratic sieve ...... 514 24.3 Factoring by continued fractions ...... 515

25 Elliptic Curves 601 25.1 Group law on y2 = x3 + ax2 + bx + c ...... 601 25.2 The discriminant ...... 602 25.3 Points of ﬁnite order ...... 604

26 Factoring Integers 2 605 26.1 Pollard’s algorithm ...... 605 26.2 Factoring with elliptic curves ...... 606

27 Some examples of the use of elliptic curves 609 27.1 The congruent number problem ...... 609 27.2 Pairs of isosceles triangle and rectangle with equal perimeters and equal areas ...... 610 27.3 Triangles with a median, an altitude, and an angle bisector concurrent611

28 Heron triangles and Elliptic Curves 613 28.1 The elliptic curve y2 =(x − k)2 − 4kx3 ...... 613 28.1.1 Proof of Theorem 28.1 ...... 616

29 The ring of Gaussian integers 701 29.1 The ring Z[i] ...... 701 29.1.1 Norm and units ...... 701 29.1.2 Gaussian primes ...... 701 29.2 An alternative proof of Fermat’s two-square theorem ...... 703

30 Construction of indecomposable Heron triangles 705 30.1 Primitive Heron triangles ...... 705 30.1.1 Triple of simplifying factors ...... 706 30.1.2 Decomposition of Heron triangles ...... 707 CONTENTS vii

30.2 Gaussian integers ...... 708 30.2.1 Heron triangles and Gaussian integers ...... 708 30.3 Orthocentric Quadrangles ...... 710 30.4 Indecomposable primitive Heron triangles ...... 711 30.4.1 Construction of Heron triangles with given simplifying factors712

Chapter 1

Euclidean Algorithm and Linear Diophantine Equations

1.1 Euclidean algorithm and gcd

The greatest common divisor (gcd) of two positive integers can be found without factorization of the integers, instead by a simple application of the Euclidean algorithm. Theorem 1.1 (Euclidean algorithm). Given integers a and b =0 , there are unique integers q and r satisfying a = bq + r, 0 ≤ r<|b|. (1.1) If r =0, we say that a is divisible by b, or simply that b divides a, and write b|a. Suppose a = bq + c for integers a, b, c, and q (with q nonzero). It is easy to see that every common divisor of a and b is a common divisor of b and c, and conversely. Denote by gcd(a, b) the greatest element of the (nonempty) set of common divisors of a and b. Clearly, if b|a, then gcd(a, b)=b. In general, from (1.1), we have gcd(a, b)=gcd(b, r). These observations lead to a straightforward calculation of the gcd of two numbers. To be systematic, we write a = r−1 and b = r0 (assumed positive).

r−1 =r0q0 + r1, 0 ≤ r1

r0 =r1q1 + r2, 0 ≤ r2

r1 =r2q2 + r3, 0 ≤ r3

r2 =r3q3 + r4, 0 ≤ r4 r0 >r1 >r2 > ··· 102 Euclidean Algorithm and Linear Diophantine Equations

and yet remain nonnegative. In other words, some rn divides the preceding rn−1 (and leaves a remainder rn+1 =0). . .

rn−2 =rn−1qn−1 + rn, 0 ≤ rn

rn−1 =rnqn.

From these,

rn =gcd(rn−1,rn)=gcd(rn−2,rn−1)=···=gcd(r−1,r0)=gcd(a, b).

1.2 gcd(a, b) as an integer combination of a and b.

The above calculation of gcd(a, b) can be retraced to give gcd(a, b) as an integer combination of a and b. Here is a more efﬁcient way to obtain such an expression. In the table below, the integers xk and yk are obtained from qk−1 in the same way as rk, beginning with (x−1,x0)=(1, 0) and (y−1,y0)=(0, 1):

xk =xk−2 − qk−1xk−1,x−1 =1,x0 =0;

yk =yk−2 − qk−1yk−1,y−1 =0,y0 =1.

k qk rk xk yk −1 a 1 0 0 q0 b 0 1 1 q1 r1 x1 y1 ...... n − 1 qn−1 rn−1 xn−1 yn−1 n qn rn xn yn n +1 qn+1 0

In each of these steps, rk = axk + byk. In particular,

gcd(a, b)=rn = axn + byn.

It can be proved that |xn|

Theorem 1.2. Let p be a prime number. For every integer a not divisible by p, there exists an integer b such that ab − 1 is divisible by p.

Proof. If a is not divisible by the prime number p, then gcd(a, p)=1. There are integers b and c such that ab + pc =1. It is clear that ab − 1 is divisible by p. 1.3 Linear Diophantine equations 103

1.3 Linear Diophantine equations

Theorem 1.3. Let a, b, c be integers, a and b nonzero. Consider the linear Dio- phantine equation ax + by = c. (1.2)

1. The equation (1.2) is solvable in integers if and only if d := gcd(a, b) divides c.

2. If (x, y)=(x0,y0) is a particular solution of (1.2), then every integer solution is of the form b a x = x + t, y = y − t, 0 d 0 d where t is an integer.

3. For c =gcd(a, b), a particular solution (x, y)=(x0,y0) of (1.2) can be found such that |x0| < |b| and |y0| < |a|.

1.4 Exercises

1. Show that (n!+1, (n +1)!+1)=1.

2. Instead of successive divisions, the gcd of two positive numbers can be found by repeated subtractions. Make use of this to ﬁnd gcd(2a − 1, 2b − 1) for positive integers a and b.

3. Find a parametrization of the integer points on the line 5x +12y =3.

4. In how many ways can a number of 49-cents and 110-cents stamps were purchased with exactly 40 dollars? Is it possible to buy these with exactly 20 dollars?

5. Somebody received a check, calling for a certain amount of money in dollars and cents. When he went to cash the check, the teller made a mistake and paid him the amount which was written as cents, in dollars, and vice versa. Later, after spending $3.50, he suddenly realized that he had twice the amount of the money the check called for. What was the amount on the check?

6. Given relatively prime integers a and b, what is the largest integer which cannot be written as ax + by for nonnegative integers x and y? 104 Euclidean Algorithm and Linear Diophantine Equations Chapter 2

Representation of integers in base b

2.1 Representation in a given base

Given any positive integer b>1, every positive integer n has a unique representation of the form k k−1 n = ckb + ck−1b + ···+ c1b + c0 for nonnegative integers c0,c1,...,ck

2.2 Binary expansions

2.2.1 Calculation of high powers by repeated squaring Let a>1 be a ﬁxed number, and n a large integer. The number an can be computed by repeated squaring, making use of the binary expansion of the exponent n.If

n =(ckck−1 ···c1c0)2, we take successive squares k times beginning with a, and record them in the middle column in the table below.

2j j a cj 0 a 1 a2 . . . . k k a2 product 106 Representation of integers in base b

n Fill the column under cj with the corresponding binary digits of n. Then a is the product of those entries (in the middle column) with a 1 in the same row and the third column.

2.2.2 Parity of binomial coefﬁcients ··· ··· Theorem 2.1 (Lucas). Let m =(akak−1 a1a0)2 and n =(bkbk−1 b1b0)2be ≥ m the binary expansions of positive integers m n. The binomial coefﬁcient n is odd if and only if for each i =0, 1,...,k, ai =1whenever bi =1. 55 = 110111 Example 2.1. 55 is odd since . 35 35 = 100011 55 = 110111 On the other hand, 55 is even since . 25 25 = 011001

2.3 Highest power of a prime dividing a factorial

The exponent of the highest power of 2 dividing 18! is, counting the asterisks along the rows in the matrix below, 9+4+2+1=16.

123456789101112131415161718 ∗∗∗∗∗∗∗∗∗ ∗∗ ∗ ∗ ∗∗ ∗

Proposition 2.2. The exponent of the highest power of a prime p dividing n! is n n n + + + ··· p p2 p3

Let n =(akak−1 ···a1a0)p be the base p expansion of n. The exponent of the highest power of p dividing n! is the sum of the following numbers:

ak ak−1 ak−2 ··· a2 a1 ak ak−1 ··· a3 a2 ak ··· a4 a3 ···

··· ak ak−1 ··· ak Let R(p; k) be the integer whose base p expansion consists of k digits each of 1 k − which is 1. Clearly, R(p; k)= p−1 (p 1). Adding the numbers above along the diagonals, we have 2.4 Exercises 107

ak · R(p; k)+ak−1 · R(p; k − 1) + ···+ a2 · R(p;2)+a1 · R(p;1)

pk − 1 pk−1 − 1 p2 − 1 p − 1 1 − 1 = a · + a − · + ···+ a · + a · + a · k p − 1 k 1 p − 1 2 p − 1 1 p − 1 0 p − 1 n − (a + a − + ···+ a + a ) = k k 1 1 0 . p − 1

Corollary 2.3. Let α(n) denote the number of ones in the binary expansion of n. The exponent of the highest power of 2 dividing n! is n − α(n).

Theorem 2.4 (Kummer). The exponent of the highest power of a prime p dividing a+b the binomial coefﬁcient a is equal to the number of carries in performing the addition of a and b in base p.

2.4 Exercises

1. (a). Multiply in base 2: 11112 and 111112. (b). Let h ≥ k be positive integers. Multiply in base 2 the numbers 11 ···1 (h 1’s) and 11 ···1 (k 1’s). Distinguish between the cases h = k and h>k.

2. Solve the equation (bx −1)(by −1) = bz +1 for positive integers b>1,x,y,z.

3. Multiply in base 7:

[12346]7 × [06]7 =

[12346]7 × [15]7 =

[12346]7 × [24]7 =

[12346]7 × [33]7 =

[12346]7 × [42]7 =

[12346]7 × [51]7 =

4. Find all positive integers n such that 213 +210 +2n is a square.

5. Find all positive integers n such that 214 +210 +2n is a square.

6. Ask your friend to write down a polynomial f(x) with nonnegative integer coefﬁcients. Ask her for the value of f(1). She returns 7. Ask her for the value of f(8). She returns 4305. What is the polynomial? 108 Representation of integers in base b

7. (a) What is the highest power of 2 dividing 100! ? 100 (b) What is the highest power of 2 dividing the binomial coefﬁcient 50 ? n 8. The exponent of the highest power of 2 dividing the binomial coefﬁcient k is α(k)+α(n − k) − α(n).

9. How many zeros are there in the end of the decimal expansion of 1000!. Answer: 249. Chapter 3

Prime Numbers

3.1 Inﬁnitude of prime numbers

A positive integer > 1 is prime if it is not divisible by any positive integer other than 1 and itself.

Theorem 3.1 (Euclid). There are inﬁnite many prime numbers.

Proof. If p1,p2,...,pk were all the primes, the number p1p2 ···pk +1, not being divisible by any of them, should admit a prime factor different from any of them. This is clearly a contradiction.

3.2 The sieve of Eratosthenes √ If N is not a prime number, it must have a factor ≤ N. Given an integer N, to determine all the prime numbers ≤ N, we proceed as follows. Start with the sequence

2, 3, 4, 5, 6,...,N, with each entry unmarked, and the set P = ∅. (1) Note the√smallest entry a of the sequence that is not marked. (2) If a ≤ N, mark each entry of the sequence which is a multiple of a,but not equal to a,√ and replace P by P ∪{a}. (3) If a> N, stop. The set P now consists of the totality of prime numbers ≤ N. 110 Prime Numbers

Primes below 10000

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199 211 223 227 229 233 239 241 251 257 263 269 271 277 281 283 293 307 311 313 317 331 337 347 349 353 359 367 373 379 383 389 397 401 409 419 421 431 433 439 443 449 457 461 463 467 479 487 491 499 503 509 521 523 541 547 557 563 569 571 577 587 593 599 601 607 613 617 619 631 641 643 647 653 659 661 673 677 683 691 701 709 719 727 733 739 743 751 757 761 769 773 787 797 809 811 821 823 827 829 839 853 857 859 863 877 881 883 887 907 911 919 929 937 941 947 953 967 971 977 983 991 997 1009 1013 1019 1021 1031 1033 1039 1049 1051 1061 1063 1069 1087 1091 1093 1097 1103 1109 1117 1123 1129 1151 1153 1163 1171 1181 1187 1193 1201 1213 1217 1223 1229 1231 1237 1249 1259 1277 1279 1283 1289 1291 1297 1301 1303 1307 1319 1321 1327 1361 1367 1373 1381 1399 1409 1423 1427 1429 1433 1439 1447 1451 1453 1459 1471 1481 1483 1487 1489 1493 1499 1511 1523 1531 1543 1549 1553 1559 1567 1571 1579 1583 1597 1601 1607 1609 1613 1619 1621 1627 1637 1657 1663 1667 1669 1693 1697 1699 1709 1721 1723 1733 1741 1747 1753 1759 1777 1783 1787 1789 1801 1811 1823 1831 1847 1861 1867 1871 1873 1877 1879 1889 1901 1907 1913 1931 1933 1949 1951 1973 1979 1987 1993 1997 1999 2003 2011 2017 2027 2029 2039 2053 2063 2069 2081 2083 2087 2089 2099 2111 2113 2129 2131 2137 2141 2143 2153 2161 2179 2203 2207 2213 2221 2237 2239 2243 2251 2267 2269 2273 2281 2287 2293 2297 2309 2311 2333 2339 2341 2347 2351 2357 2371 2377 2381 2383 2389 2393 2399 2411 2417 2423 2437 2441 2447 2459 2467 2473 2477 2503 2521 2531 2539 2543 2549 2551 2557 2579 2591 2593 2609 2617 2621 2633 2647 2657 2659 2663 2671 2677 2683 2687 2689 2693 2699 2707 2711 2713 2719 2729 2731 2741 2749 2753 2767 2777 2789 2791 2797 2801 2803 2819 2833 2837 2843 2851 2857 2861 2879 2887 2897 2903 2909 2917 2927 2939 2953 2957 2963 2969 2971 2999 3001 3011 3019 3023 3037 3041 3049 3061 3067 3079 3083 3089 3109 3119 3121 3137 3163 3167 3169 3181 3187 3191 3203 3209 3217 3221 3229 3251 3253 3257 3259 3271 3299 3301 3307 3313 3319 3323 3329 3331 3343 3347 3359 3361 3371 3373 3389 3391 3407 3413 3433 3449 3457 3461 3463 3467 3469 3491 3499 3511 3517 3527 3529 3533 3539 3541 3547 3557 3559 3571 3581 3583 3593 3607 3613 3617 3623 3631 3637 3643 3659 3671 3673 3677 3691 3697 3701 3709 3719 3727 3733 3739 3761 3767 3769 3779 3793 3797 3803 3821 3823 3833 3847 3851 3853 3863 3877 3881 3889 3907 3911 3917 3919 3923 3929 3931 3943 3947 3967 3989 4001 4003 4007 4013 4019 4021 4027 4049 4051 4057 4073 4079 4091 4093 4099 4111 4127 4129 4133 4139 4153 4157 4159 4177 4201 4211 4217 4219 4229 4231 4241 4243 4253 4259 4261 4271 4273 4283 4289 4297 4327 4337 4339 4349 4357 4363 4373 4391 4397 4409 4421 4423 4441 4447 4451 4457 4463 4481 4483 4493 4507 4513 4517 4519 4523 4547 4549 4561 4567 4583 4591 4597 4603 4621 4637 4639 4643 4649 4651 4657 4663 4673 4679 4691 4703 4721 4723 4729 4733 4751 4759 4783 4787 4789 4793 4799 4801 4813 4817 4831 4861 4871 4877 4889 4903 4909 4919 4931 4933 4937 4943 4951 4957 4967 4969 4973 4987 4993 4999 5003 5009 5011 5021 5023 5039 5051 5059 5077 5081 5087 5099 5101 5107 5113 5119 5147 5153 5167 5171 5179 5189 5197 5209 5227 5231 5233 5237 5261 5273 5279 5281 5297 5303 5309 5323 5333 5347 5351 5381 5387 5393 5399 5407 5413 5417 5419 5431 5437 5441 5443 5449 5471 5477 5479 5483 5501 5503 5507 5519 5521 5527 5531 5557 5563 5569 5573 5581 5591 5623 5639 5641 5647 5651 5653 5657 5659 5669 5683 5689 5693 5701 5711 5717 5737 5741 5743 5749 5779 5783 5791 5801 5807 5813 5821 5827 5839 5843 5849 5851 5857 5861 5867 5869 5879 5881 5897 5903 5923 5927 5939 5953 5981 5987 6007 6011 6029 6037 6043 6047 6053 6067 6073 6079 6089 6091 6101 6113 6121 6131 6133 6143 6151 6163 6173 6197 6199 6203 6211 6217 6221 6229 6247 6257 6263 6269 6271 6277 6287 6299 6301 6311 6317 6323 6329 6337 6343 6353 6359 6361 6367 6373 6379 6389 6397 6421 6427 6449 6451 6469 6473 6481 6491 6521 6529 6547 6551 6553 6563 6569 6571 6577 6581 6599 6607 6619 6637 6653 6659 6661 6673 6679 6689 6691 6701 6703 6709 6719 6733 6737 6761 6763 6779 6781 6791 6793 6803 6823 6827 6829 6833 6841 6857 6863 6869 6871 6883 6899 6907 6911 6917 6947 6949 6959 6961 6967 6971 6977 6983 6991 6997 7001 7013 7019 7027 7039 7043 7057 7069 7079 7103 7109 7121 7127 7129 7151 7159 7177 7187 7193 7207 7211 7213 7219 7229 7237 7243 7247 7253 7283 7297 7307 7309 7321 7331 7333 7349 7351 7369 7393 7411 7417 7433 7451 7457 7459 7477 7481 7487 7489 7499 7507 7517 7523 7529 7537 7541 7547 7549 7559 7561 7573 7577 7583 7589 7591 7603 7607 7621 7639 7643 7649 7669 7673 7681 7687 7691 7699 7703 7717 7723 7727 7741 7753 7757 7759 7789 7793 7817 7823 7829 7841 7853 7867 7873 7877 7879 7883 7901 7907 7919 7927 7933 7937 7949 7951 7963 7993 8009 8011 8017 8039 8053 8059 8069 8081 8087 8089 8093 8101 8111 8117 8123 8147 8161 8167 8171 8179 8191 8209 8219 8221 8231 8233 8237 8243 8263 8269 8273 8287 8291 8293 8297 8311 8317 8329 8353 8363 8369 8377 8387 8389 8419 8423 8429 8431 8443 8447 8461 8467 8501 8513 8521 8527 8537 8539 8543 8563 8573 8581 8597 8599 8609 8623 8627 8629 8641 8647 8663 8669 8677 8681 8689 8693 8699 8707 8713 8719 8731 8737 8741 8747 8753 8761 8779 8783 8803 8807 8819 8821 8831 8837 8839 8849 8861 8863 8867 8887 8893 8923 8929 8933 8941 8951 8963 8969 8971 8999 9001 9007 9011 9013 9029 9041 9043 9049 9059 9067 9091 9103 9109 9127 9133 9137 9151 9157 9161 9173 9181 9187 9199 9203 9209 9221 9227 9239 9241 9257 9277 9281 9283 9293 9311 9319 9323 9337 9341 9343 9349 9371 9377 9391 9397 9403 9413 9419 9421 9431 9433 9437 9439 9461 9463 9467 9473 9479 9491 9497 9511 9521 9533 9539 9547 9551 9587 9601 9613 9619 9623 9629 9631 9643 9649 9661 9677 9679 9689 9697 9719 9721 9733 9739 9743 9749 9767 9769 9781 9787 9791 9803 9811 9817 9829 9833 9839 9851 9857 9859 9871 9883 9887 9901 9907 9923 9929 9931 9941 9949 9967 9973 3.3 The Fundamental Theorem of Arithmetic 111

3.3 The Fundamental Theorem of Arithmetic

Lemma 3.2. Let p be a prime. If p|ab, then p|a or p|b.

Proof. Write ab = pc for an integer c. Suppose p |a, then gcd(a, p)=1. There are integers x and y such that ax+py =1. From this,

b =(ax + py)b =(ab)x + p(by)=(pc)x + p(by)=p(cx + by) is divisible by p.

Theorem 3.3. Every positive integer > 1 is uniquely a product of powers of prime numbers.

Proof. (Existence) This follows easily from the fact that every integer > 1 is either a prime or a product of primes. (Uniqueness) Suppose

N = p1p2 ···ph,

N = q1q2 ···qk, for prime numbers p1,...,ph, and q1,...,qk satisfying

p1 ≤ p2 ≤···≤ph and q1 ≤ q2 ≤···≤qk.

We must have h = k and pi = qi for each i =1,...,h. If this is not true, there must be a least positive integer N with two distinct factorizations as above. Note that none of the primes p1, ..., ph is equal to any of the primes q1,...,qk, for if there is a common prime p in the two lists, then N/p is a smaller positive integer with two different prime factorizations. This contradicts the minimality of N. Now we may assume p1 >q1. Consider the number

N =(p1 − q1)p2 ···ph.

Clearly, p1 − q1 is not divisible by q1. Therefore the prime q1 does not appear in this factorization of N . On the other hand, if we rewrite

N = p1p2 ···ph − q1p2 ···ph = q1q2 ···qk − q1p2 ···ph = q1(q2 ···qk − p2 ···ph),

we have a factorization containing the prime divisor q1. Hence the number N

3.4 The number-of-divisors function

The number-of-divisors function:

d(n):=|{d ∈ N : d|n}| .

Lemma 3.4. Let a and b be relatively prime, and let ab divide ab. (a) If a is relatively prime to b, then a is a divisor of a. (b) If b is relatively prime to a, then b is a divisor of b. Proof. Suppose ab = abc for some integer c. It is enough to prove (a). If a is relatively prime to b, then there are integers x and y such that ax + by =1. From this,

a = a(ax + by)=a(ax)+(ab)y = a(ax)+(abc)y = a(ax + bcy).

This shows that a divides a.

Corollary 3.5. Let a and b be relatively prime. Every divisor of ab is of the form ab, with a|a and b|b. Proposition 3.6. The number-of-divisors function is multiplicative, i.e., if a and b are relatively prime, then d(ab)=d(a)d(b). Proposition 3.7. Let p be a prime. d(pk)=k +1. Proof. The divisors of pk are ph for h =0,...,k. Example 3.1. Find the least number n with d(n)=12. Since

12 = 6 · 2=4· 3=3· 2 · 2,

If d(n)=12, n has one of the factorizations:

p11,p5q, p3q2,p2qr for prime numbers p, 1, r. The smallest is 22 · 3 · 5=60.

1 1 1 Example 3.2. In how many ways can n be written as x + y for positive integers x and y? 1 1 1 If x + y = n , we obtain, by clearing denominators,

(x − n)(y − n)=n2.

Therefore each factorization of n2 into a product ab with a ≤ b determines uniquely ≤ 1 1 1 1 2 x y with x + y = n . There are exactly 2 (d(n )+1)pairs. 3.5 The sum-of-divisors function 113

3.5 The sum-of-divisors function

The sum-of-divisors function: σ(n):= d. d|n Proposition 3.8. The number-of-divisors function is multiplicative, i.e., if a and b are relatively prime, then σ(ab)=σ(a)σ(b).

k+1 k ··· k p −1 Proposition 3.9. Let p be a prime. σ(p )=1+p + + p = p−1 .

3.6 Perfect numbers

A perfect number is an integer equal to the sum of all of its divisors, including 1 but excluding the number itself. Euclid had given the following rule of construction of k−1 k 1 even perfect numbers. If Mk :=1+2+···+2 =2 − 1 is a prime number, k−1 then the number Nk := 2 Mk is perfect. Now, in terms of the function σ,an integer n is perfect if σ(n)=2n. Here is an easy proof of Euclid’s construction:

k−1 k−1 k σ(Nk)=σ(2 Mk)=σ(2 )σ(Mk)=(2 − 1)(1 + Mk) k k−1 =Mk · 2 =2· 2 Mk =2Nk.

Therefore, Nk is an even perfect number perfect. Euler has subsequently shown that every even perfect number must be for this form. 2 Let N be an even perfect number, factored into the form N =2k−1 · m, where k − 1 ≥ 1 and m is odd. Thus,

2N = σ(N)=σ(2k−1 · m)=σ(2k−1)σ(m)=(2k − 1)σ(m).

It follows that 2N 2k m σ(m)= = · m = m + . 2k − 1 2k − 1 2k − 1 m − Note that the number 2k−1 , being the difference σ(m) m, is an integer. As such, it is a divisor of m. This expression shows that m has exactly two divisors. From m k − this we conclude that 2k−1 =1and m =2 1 is a prime. This means that every even perfect number must be of the form 2k−1(2k − 1) in which the factor 2k − 1 is a prime. This was exactly what Euclid gave.

1 k The number Mk =2 − 1 is usually known as the k-th Mersenne number. There are only 44 known Mersenne primes. The latest and greatest record is M32582657 which has 9808358 digits. It is also the greatest known prime. 2It is not known if an odd perfect number exists. 114 Prime Numbers

3.7 Exercises

1. Show that 3, 5, 7 form the only prime triple.

2. Given any integer k ≥ 2, it is always possible to ﬁnd a sequence of k consecutive integers which are all composites.

3. If n is a positive integer, does there exist a positive integer k such that the sequence k +1, 2k +1, 3k +1, ...,nk+1 consists only of composite numbers ?

4. Prove that in the inﬁnite sequence of integers

10001, 100010001, 1000100010001,...

there is no prime number. k ai 5. If n = i=1 pi is the prime factorization of n, then n has altogether τ(n)= k i=1(1 + ai) divisors. 6. Find all sequences of 49 consecutive integers whose squares add up to a square. ≥ 1 1 ··· 1 7. Prove that for n 2, 1+ 2 + 3 + + n is never an integer. √ 8. (a) Show that 2 is not a rational number. √ (b) More generally, for an integer N, N is a rational number if and only if N is the square of an integer.

9. d(n) is an odd number if and only if n is a square.

10. Find the least number n with d(n) = 100.

11. Find the least number n with d(n)=96. Chapter 4

Linear Congruences

4.1 The ring of residues modulo n

Let n>1 be a positive integer. We deﬁne a relation on the set of integers:

a ≡ b mod n if and only if a − b = nq for some q ∈ Z.

This is an equivalence relation. For each integer x, we write

[x]={y ∈ Z : y ≡ x mod n} and call this the residue class of x mod n. There are altogether n distinct residue classes, represented by 0, 1, ...,n − 1. We denote the set of residue classes by Zn. The arithmetic operations of integers respect the congruence relation modulo n, i.e.,ifa ≡ a mod n and b ≡ b mod n, then (i) a ± b ≡ a ± b mod n, (ii) ab ≡ ab mod n.

Thus, there are an addition and a multiplication in the set Zn given by

[a]+[b]=[a + b]and[a] · [b]=[ab].

Clearly, the additive and multiplicative identities are the residue classes [0] and [1] respectively. We summarize these by saying that Zn is a ring. A unit in Zn is an element which has a multiplicative inverse. In other words, [a] ∈ Zn is a unit if and only if there exists b such that [a][b]=[1]. This means that ab−1=nq for an integer q. From this, gcd(a, n)=1. Conversely, if gcd(a, n)=1, then there are integers b and q such that ab − nq =1, from which [a][b]=1.

Theorem 4.1. (a) In Zn, a residue class [a] is a unit if and only if gcd(a, n)=1. (b) Zn is a ﬁeld if and only if n is a prime number. 116 Linear Congruences

Example

The function f : Zm → Zn given by

f([x]m)=[x]n is well deﬁned if and only if m is divisible by n. Here [x]m denotes the residue class of x modulo m; similarly for n.

4.2 Simultaneous linear congruences

An ancient Chinese problem: solve the simultaneous congruences

x ≡ 2mod3,x≡ 3mod5,x≡ 2mod7.

Solution. It is easier to solve the following analogous problems:

(1) x ≡ 1mod3,x≡ 0mod5,x≡ 0mod7. (2) x ≡ 0mod3,x≡ 1mod5,x≡ 0mod7. (3) x ≡ 0mod3,x≡ 0mod5,x≡ 1mod7.

For problem (1), we must have x ≡ 0mod35. Since 35 ≡ 2mod3, and 70 ≡ 1mod3, we may choose x1 =70for a solution of the ﬁrst problem. Similarly, for problem (2), x ≡ 0mod21. Since 21 ≡ 1mod5, we may choose x2 =21for a solution of the second problem. For problem (3), x ≡ 0mod15, and we may choose x3 =15for a solution. Using these, we can ﬁnd a solution to the original problem: x =2x1 +3x2 + 2x3 = 233. Since the least common multiple of 3,5,7 is 105, we may reduce this modulo 105, and obtain x ≡ 23 mod 105 for the solution.

Theorem 4.2 (Chinese Remainder Theorem). Let n1,n2,...,nk be pairwise relatively prime integers. For arbitrary integers a1,a2,...,ak, the system of simultaneous congruences

x ≡ a1 mod n1,x≡ a2 mod n2, ..., x≡ ak mod nk, has a unique solution modulo n1n2 ···nk.

Proof. For each i =1, 2,...,n, the system of simultaneous linear congruences

x ≡ a1 mod n1, ...,x≡ ai mod ni, ...,x≡ ak mod nk, has a unique solution xi mod n1n2 ···ni ···nk. The original problem has solution x ≡ a1x1 + ···+ akxk mod n1n2 ···nk. 4.3 Exercises 117

4.3 Exercises

1. Solve the congruences (a) 3x ≡ 5(mod7); (b) 4x ≡ 12 (mod 16); (c) 4x ≡ 10 (mod 24).

2. Find all residues modulo 12 which have multiplicative inverses.

3. Compute 21092 mod 1093 and 21092 mod 10932.

4. Show that every nonzero element of Zn is a unit if and only if n is a prime number.

5. Solve the equation 1! + 2! + 3! + ···+ n!=m2 for positive integers m and n.

6. Counting from the right end, what is the 2500th digit of 10,000! ?

7. An army has about 20,000 soldiers. If the soldiers line up 7 by 7, there is an incomplete line of 6 soldiers; if they line up 11 by 11, there is an incomplete line of 4; if they line up 13 by 13, there is also an incomplete line of 4; if they line up 17 by 17, there is an incomplete line of 13. How many soldiers are there in the army ? 118 Linear Congruences Chapter 5

The Euler ϕ-function

For a positive integer n, the Euler ϕ-function ϕ(n) gives the number of units in Zn. Z• Z This is the order of the group n of units of n. Theorem 5.1. ϕ is a multiplicative function, i.e., ϕ(mn)=ϕ(m)ϕ(n) if gcd(m, n)=1.

Proof. The function F : Zmn → Zm × Zn given by

F ([x]mn)=([x]m, [x]n) Z• → Z• × Z• restricts to a bijection mn m n. Lemma 5.2. Let p be a prime. (a) ϕ(p)=p −1. k k − 1 (b) ϕ(p )=p 1 p . Proposition 5.3. 1 ϕ(n)=n 1 − . p p|n

ϕ(10i + j) for 0 ≤ i, j ≤ 9 i \ j 0123456789 0 112242646 1 4104126 8 816618 2 8 12 10 22 8 20 12 18 12 28 3 8 301620162412361824 4 16 40 12 42 20 24 22 46 16 42 5 20 32 24 52 18 40 24 36 28 58 6 16 60 30 36 32 48 20 66 32 44 7 24 70 24 72 36 40 36 60 24 78 8 32 54 40 82 24 64 42 56 40 88 9 24 72 44 60 46 72 32 96 42 60 120 The Euler ϕ-function

Example 5.1. We ﬁnd all integers n for which ϕ(n)=24. If p is a prime divisor of n, p − 1 must be a divisor of 24 This means p must be one of 2, 3, 5, 7, 13. If n is not divisible by any of 5, 7, 13, then n =2a3b for some integers a and a b − 1 − 1 a b−1 b, and ϕ(n)=23 (1 2 )(1 3 )=23 . From this, a =3, b =2, and n =23 · 32 =72. If n is divisible by any of p =5, 7, 13, n = pm, p |m. From this, 24 = ϕ(p)ϕ(m)=(p − 1)ϕ(m). If p =5, ϕ(m)=6, m =7, 14, 18, n =35, 70, 90. If p =7, ϕ(m)=4, m =5, 8, 10, 12, n =35, 56, 70, 84. If p =13, ϕ(m)=2, m =3, 4, 6, n =39, 52, 78. Summary: ϕ(n)=24if and only if n is one of the numbers

35, 39, 45, 52, 56, 70, 72, 78, 84, 90.

Example 5.2. We ﬁnd all integers n for which ϕ(n) divides n. Clearly, n must be even, and every power of 2 satisﬁes the condition. Write n =2rk for r ≥ 1 and k>1 odd. Then ϕ(n)=2r−1ϕ(k).Ifk has l distinct prime divisors, then ϕ(k) is divisible by 2l−1 and ϕ(n) is divisible by 2k+l−1. From this, s r s−1 · p−1 we must have l =1, and k = p for an odd prime p.Now,ϕ(n)=2p 2 .If p−1 this divides n, we must have 2 dividing the prime p. This is possible only when p =3. It follows that n =2r · 3s.

5.1 Exercises

1. (a) Find all integers n for which ϕ(n) is an odd number. (b) Find all n for which ϕ(n)=2, 4, 6.

2. (a) Prove that if f(n) is a multiplicative function, then so is F (n):= f(d). d|n (b) Make use of (a) to prove that d|n ϕ(d)=n. Chapter 6

Fermat-Euler theorem

Theorem 6.1 (Fermat-Euler). If gcd(a, n)=1, aϕ(n) ≡ 1modn.

Proof. The function fa : Zn → Zn given by fa([x]) = [ax] induces a bijection Z• → Z• Z• n n. This means that if x1,...,xϕ(n) are the elements of n, then [ax1],..., [axϕ(n)] is a permutation of the same ϕ(n) elements. In other words,

[ax1] ···[axϕ(n)]=[x1] ···[xϕ(n)], or ϕ(n) (a − 1)x1 ···xϕ(n) ≡ 0modn. ϕ(n) Since each of x1,...,xϕ is relatively prime to n, it follows that a − 1 ≡ 0mod n.

Corollary 6.2 (Fermat’s Little Theorem). Let p be a prime, and a an integer. If p does not divide a, then ap−1 ≡ 1modp.

6.1 Primality test for Mersenne numbers

k A Mersenne number of is one of the form Mk := 2 − 1. A Mersenne prime gives rise to an even perfect number (see §3.6).

p Theorem 6.3 (Fermat). If p is prime, then every prime divisor of Mp := 2 − 1 is of the form 2pk +1for some integer k.

11 Example 6.1. (a) To test the primality of M11 =2 − 1 = 2047, we try to ﬁnd divisor of M11 of the form 22k +1.Fork =1, it can be easily checked that 2047 = 23 · 89. (The other divisor 89 = 22 · 4+1). 13 (b) To test the primality of M13 =2 − 1 = 8191, we need only check prime divisors of the form 26k +1which are less than 90. These are 53 and 79. None of these divides 8191. We conclude that M13 is prime. 122 Fermat-Euler theorem

6.2 Pseudoprimes

The converse of Fermat’s little theorem is not true. If 2p−1 ≡ 1(mod4), one cannot conclude that p is a prime. Here is an example: p = 341 = 11 × 31 is composite, but 2340 ≡ 1 mod 341.Acomposite n is called a pseudoprime to base b if bn−1 ≡ 1(modn).

6.3 Exercises

1. Check that M17 = 131071 and M19 = 524287 are primes.

2. Find a prime divisor of M23 = 8388607.

3. Find a prime divisor of M29 = 536870911.

47 4. Consider M47 =2 − 1 = 140737488355327. The beginning primes of the form 94k +1are

283, 659, 941, 1129, 1223, 1693, 1787, 2069, 2351, 2539, 2633, 3761, 4231, 4513, 4889,....

(a) Find two prime divisors of M47 from this list. (b) Completely factorize M47. 5. Show that 561 is a 2-pseudoprime.

6. Show that 1729 is a 2- and 3-pseudoprime. 6.3 Exercises 123

Appendix: Mersenne primes

k Year Discoverer k Year Discoverer 2 Ancient 3 Ancient 5 Ancient 7 Ancient 13 Ancient 17 1588 P.A.Cataldi 19 1588 P.A.Cataldi 31 1750 L.Euler 61 1883 I.M.Pervushin 89 1911 R.E.Powers 107 1913 E.Fauquembergue 127 1876 E.Lucas 521 1952 R.M.Robinson 607 1952 R.M.Robinson 1279 1952 R.M.Robinson 2203 1952 R.M.Robinson 2281 1952 R.M.Robinson 3217 1957 H.Riesel 4253 1961 A.Hurwitz 4423 1961 A.Hurwitz 9689 1963 D.B.Gillies 9941 1963 D.B.Gillies 11213 1963 D.B.Gillies 19937 1971 B.Tuckerman 21701 1978 C.Noll, L.Nickel 23209 1979 C.Noll 44497 1979 H.Nelson, D.Slowinski 86243 1982 D.Slowinski 110503 1988 W.N.Colquitt, L.Welsch 132049 1983 D.Slowinski 216091 1985 D.Slowinski 756839 1992 D.Slowinski,P.Gage 859433 1993 D.Slowinski 1257787 1996 Slowinski and Gage 1398269 1996 Armengaud, Woltman et al. 2976221 1997 Spence, Woltman, et.al. 3021377 1998 Clarkson et. al 6972593 1999 Hajratwala et. al 13466917 2001 Cameron, Woltman, 20996011 2003 Michael Shafer 24036583 2004 Findlay 25964951 2005 Nowak 30402457 2005 Cooper, Boone et al 32582657 2006 Cooper, Boone et al 37156667 2008 Elvenich, Woltman et al 42643801 2009 Strindmo, Woltman et al 43112609 2008 Smith, Woltman et al 57885161 2013

The most recently discovered Mersenne prime M57885161 has about 17.4 million digits, and is the largest known prime.

Appendix: Wilson’s theorem Theorem 6.4 (Wilson). If p is prime, then (p − 1)! ≡−1modp. Proof. Since the statement is trivially true for p =2, we shall assume p an odd prime. Consider the product of all the nonzero elements of Zp. This is clearly 1 · 2 ···(p − 1) = (p − 1)!. Apart from x = ±1, the remaining p − 3 elements can be grouped into pairs of multiplicative inverses. Since each pair of multiplicative inverses multiply to 1, we have

p−3 2 (p − 1)! = 1 · (−1) · 1 = −1 ∈ Zp.

This means (p − 1)! ≡−1modp. Remark. The converse of Wilson’s theorem is also true: If n is composite and n = ab for relatively prime divisors a, b>1, then n = ab divides (n − 1)!, and (n−1)! ≡ 0modn. It remains to consider n = pk for a prime number p and k>1. 124 Fermat-Euler theorem

The base p expansion of n − 1=pk − 1 consists of k digits each of which is p − 1. Therefore, the exponent of the highest power of p dividing (n − 1)! is

pk − 1 − k(p − 1) = pk−1 + pk−2 + ···+1− k ≥ k p − 1 except when p =2and k =2. This means that (n − 1)! ≡ 0modn except when p =2and k =2, in which case we have 3! ≡ 2mod4. Chapter 7

Pythagorean Triangles

7.1 Construction of Pythagorean triangles

By a Pythagorean triangle we mean a right triangle whose side lengths are integers. Any common divisor of two of the side lengths is necessarily a divisor of the third. We shall call a Pythagorean triangle primitive if no two of its sides have a common divisor. Let (a, b, c) be one such triangle. From the relation a2 + b2 = c2, we make the following observations. 1. Exactly two of a, b, c are odd, and the third is even. 2. In fact, the even number must be one of a and b. For if c is even, then a and b are both odd. Writing a =2h +1and b =2k +1,wehave c2 =(2h +1)2 +(2k +1)2 =4(h2 + k2 + h + k)+2. This is a contradiction since c2 must be divisible by 4. 3. We shall assume a odd and b even, and rewrite the Pythagorean relation in the form c + a c − a b 2 · = . 2 2 2 c+a c−a Note that the integers 2 and 2 are relatively prime, for any common divisor of these two numbers would be a common divisor c and a. Consequently, c+a c−a each of 2 and 2 is a square. c+a 2 c−a 2 2 2 2 − 2 4. Writing 2 = u and 2 = v ,wehavec = u + v and a = u v . From these, b =2uv. 5. Since c and a are both odd, u and v are of different parity. We summarize this in the following theorem. Theorem 7.1. The side lengths of a primitive Pythagorean triangle are of the form u2 − v2, 2uv, and u2 + v2 for relatively prime integers u and v of different parity. 202 Pythagorean Triangles

7.2 Fermat Last Theorem for n =4

Theorem 7.2 (Fermat). The area of a Pythagorean triangle cannot be a square.

Proof. Suppose to the contrary there is one such triangle, which we may assume primitive, with side lengths (u2 − v2, 2uv, u2 + v2), u, v being relative prime of different parity. The area A = uv(u2 − v2) being a square, and no two of u, v, u2 − v2 sharing common divisors, each of these numbers must be a square. We write u = a2, v = b2 so that u2 − v2 = a4 − b4 is also a square. Since a4 − b4 =(a2 − b2)(a2 + b2) and the two factors are relatively prime, we must have a2 − b2 = r2 and a2 + b2 = s2 for some integers r and s. From these, 2a2 = r2 + s2 and (2a)2 =2(r2 + s2)=(r + s)2 +(r − s)2. Thus, we have a new Pythagorean triangle (r − s, r + s, 2a). This is a Pythagorean 1 − 1 2 − 2 2 triangle whose area is the square of an integer: 2 (r s)(r + s)= 2 (r s )=b . But it is a smaller triangle since b2 = v is a proper divisor of A = uv(u2 − v2). By descent, beginning with one Pythagorean triangle with square area, we obtain an inﬁnite sequence of Pythagorean triangles with decreasing areas, each of which is a square integer; a contradiction.

Corollary 7.3 (Fermat Last Theorem for n =4). The equation x4 + y4 = z4 does not have solutions in nonzero integers.

Proof. Suppose x4 +y4 = z4 for positive integers x, y, z. The Pythagorean triangle with sides z4 − y4, 2z2y2 and z4 + y4 has a square area

z2y2(z4 − y4)=z2y2x4 =(x2yz)2, a contradiction.

Remark. This proof actually shows that the equation x2 + y4 = z4 has no solution in nonzero integers.

7.3 Fermat’s construction of primitive Pythagorean triangles with consecutive legs

Let a, b, c be the lengths of the sides of a right triangle, c the hypotenuse. Figures (a) and (b) below, together with the Pythagorean theorem, give the following two relations

(a + b − c)2 =2(c − a)(c − b), (7.1) (a + b + c)2 =2(c + a)(c + b). (7.2) 7.3 Fermat’s construction of primitive Pythagorean triangles with consecutive legs 203

b c − b b

c − a c

a + b − c a a c − b

c − a a + b − c c (a) a, b, c from c− (b) a, b, c from c+a and c+b a and c − b

Beginning with a right triangle (a, b, c), we construct a new right triangle (a,b,c) with c − a = c + b and c − b = c + a. By a comparsion of (11.8) and (7.2), we have a + b − c = a + b + c. From these,

a =2a + b +2c, b =a +2b +2c, c =2a +2b +3c.

Note that b − a = b − a. This construction therefore leads to an inﬁnite sequence of integer right triangles with constant difference of legs. In particular, beginning with (3,4,5), we obtain the sequence

(3, 4, 5), (20, 21, 29), (119, 120, 169), (696, 697, 985), ... of Pythagorean triangles with legs differing by 1. This construction gives all such Pythagorean triangles. Note that the above construction is invertible: from a right triangle (a,b,c) one can construct a smaller one (a, b, c) with the same difference between the legs. More precisely,

a =2a + b − 2c, b =a +2b − 2c, (7.3) c = − 2a − 2b +3c.

Since a + b + c = a + b − c 2c that 4a > 3b,or 204 Pythagorean Triangles a > 3(b −a). This means that from every Pythagorean triangle with legs differing by 1, there is a descent, by repeated applications of (7.3), to a minimal integer right triangle with shortest side not exceeding 3. It is clear that there is only one such triangle, namely, (3,4,5). This therefore shows that the above construction actually gives all Pythagorean triangles with consecutive legs. 7.3 Fermat’s construction of primitive Pythagorean triangles with consecutive legs 205 Appendix: Primitive Pythagorean triples < 1000

m, n a, b, c m, n a, b, c m, n a, b, c m, n a, b, c 2, 1 3, 4, 5 3, 2 5, 12, 13 4, 1 15, 8, 17 4, 3 7, 24, 25 5, 2 21, 20, 29 5, 4 9, 40, 41 6, 1 35, 12, 37 6, 5 11, 60, 61 7, 2 45, 28, 53 7, 4 33, 56, 65 7, 6 13, 84, 85 8, 1 63, 16, 65 8, 3 55, 48, 73 8, 5 39, 80, 89 8, 7 15, 112, 113 9, 2 77, 36, 85 9, 4 65, 72, 97 9, 8 17, 144, 145 10, 1 99, 20, 101 10, 3 91, 60, 109 10, 7 51, 140, 149 10, 9 19, 180, 181 11, 2 117, 44, 125 11, 4 105, 88, 137 11, 6 85, 132, 157 11, 8 57, 176, 185 11, 10 21, 220, 221 12, 1 143, 24, 145 12, 5 119, 120, 169 12, 7 95, 168, 193 12, 11 23, 264, 265 13, 2 165, 52, 173 13, 4 153, 104, 185 13, 6 133, 156, 205 13, 8 105, 208, 233 13, 10 69, 260, 269 13, 12 25, 312, 313 14, 1 195, 28, 197 14, 3 187, 84, 205 14, 5 171, 140, 221 14, 9 115, 252, 277 14, 11 75, 308, 317 14, 13 27, 364, 365 15, 2 221, 60, 229 15, 4 209, 120, 241 15, 8 161, 240, 289 15, 14 29, 420, 421 16, 1 255, 32, 257 16, 3 247, 96, 265 16, 5 231, 160, 281 16, 7 207, 224, 305 16, 9 175, 288, 337 16, 11 135, 352, 377 16, 13 87, 416, 425 16, 15 31, 480, 481 17, 2 285, 68, 293 17, 4 273, 136, 305 17, 6 253, 204, 325 17, 8 225, 272, 353 17, 10 189, 340, 389 17, 12 145, 408, 433 17, 14 93, 476, 485 17, 16 33, 544, 545 18, 1 323, 36, 325 18, 5 299, 180, 349 18, 7 275, 252, 373 18, 11 203, 396, 445 18, 13 155, 468, 493 18, 17 35, 612, 613 19, 2 357, 76, 365 19, 4 345, 152, 377 19, 6 325, 228, 397 19, 8 297, 304, 425 19, 10 261, 380, 461 19, 12 217, 456, 505 19, 14 165, 532, 557 19, 16 105, 608, 617 19, 18 37, 684, 685 20, 1 399, 40, 401 20, 3 391, 120, 409 20, 7 351, 280, 449 20, 9 319, 360, 481 20, 11 279, 440, 521 20, 13 231, 520, 569 20, 17 111, 680, 689 20, 19 39, 760, 761 21, 2 437, 84, 445 21, 4 425, 168, 457 21, 8 377, 336, 505 21, 10 341, 420, 541 21, 16 185, 672, 697 21, 20 41, 840, 841 22, 1 483, 44, 485 22, 3 475, 132, 493 22, 5 459, 220, 509 22, 7 435, 308, 533 22, 9 403, 396, 565 22, 13 315, 572, 653 22, 15 259, 660, 709 22, 17 195, 748, 773 22, 19 123, 836, 845 22, 21 43, 924, 925 23, 2 525, 92, 533 23, 4 513, 184, 545 23, 6 493, 276, 565 23, 8 465, 368, 593 23, 10 429, 460, 629 23, 12 385, 552, 673 23, 14 333, 644, 725 23, 16 273, 736, 785 23, 18 205, 828, 853 23, 20 129, 920, 929 24, 1 575, 48, 577 24, 5 551, 240, 601 24, 7 527, 336, 625 24, 11 455, 528, 697 24, 13 407, 624, 745 24, 17 287, 816, 865 24, 19 215, 912, 937 25, 2 621, 100, 629 25, 4 609, 200, 641 25, 6 589, 300, 661 25, 8 561, 400, 689 25, 12 481, 600, 769 25, 14 429, 700, 821 25, 16 369, 800, 881 25, 18 301, 900, 949 26, 1 675, 52, 677 26, 3 667, 156, 685 26, 5 651, 260, 701 26, 7 627, 364, 725 26, 9 595, 468, 757 26, 11 555, 572, 797 26, 15 451, 780, 901 26, 17 387, 884, 965 27, 2 725, 108, 733 27, 4 713, 216, 745 27, 8 665, 432, 793 27, 10 629, 540, 829 27, 14 533, 756, 925 27, 16 473, 864, 985 28, 1 783, 56, 785 28, 3 775, 168, 793 28, 5 759, 280, 809 28, 9 703, 504, 865 28, 11 663, 616, 905 28, 13 615, 728, 953 29, 2 837, 116, 845 29, 4 825, 232, 857 29, 6 805, 348, 877 29, 8 777, 464, 905 29, 10 741, 580, 941 29, 12 697, 696, 985 30, 1 899, 60, 901 30, 7 851, 420, 949 31, 2 957, 124, 965 31, 4 945, 248, 977 31, 6 925, 372, 997 206 Pythagorean Triangles Chapter 8

Homogeneous quadratic equations in 3 variables

8.1 Pythagorean triangles revisited a b A primitive Pythagorean triangle (a, b, c) corresponds to a point (x, y)= c , c in the ﬁrst quadrant on the unit circle

x2 + y2 =1.

Every rational point on the unit circle can be expressed in terms of the slope of the line joining the point to a ﬁxed point, say P =(−1, 0) on the circle. Thus, solving the equations

y =t(x +1), x2 + y2 =1, simultaneously, we obtain (x, y)=(−1, 0) = P or 1 − t2 2t (x, y)=P (t)= , . 1+t2 1+t2

q This is a point in the ﬁrst quadrant if and only if 0 q, and we obtain p2+q2 , p2+q2 . It follows that the sidelengths of a primitive Pythagorean triangle can be written in the form 1 (a, b, c)= p2 − q2, 2pq, p2 + q2 g for suitable choice of p and q. Here,

g =gcd(p2 − q2, 2pq)=gcd(p2 − q2, 2) = gcd(p − q, 2). 208 Homogeneous quadratic equations in 3 variables

To avoid repetition of representing a primitive Pythagorean triangle by both 1−t2 2t 2s 1−s2 (x, y) and (y, x) in the ﬁrst quadrant, we note that 1+t2 , 1+t2 = 1+s2 , 1+s2 if 1−t q q p−q and only if s = 1+t . Thus, the rational number t = p and s = p = p+q represent the same primitive Pythagorean triangle. Note that gcd(p − q, 2) = 1 if and only if gcd(p − q, 2) = 2. Thus, we may always restrict p and q of different parity.

8.2 Rational points on a conic

The method in the preceding section applies to a general (nonsingular) homogeneous equation in 3 variables, or after dehomogenization, to a nonsingular conic in the Cartesian plane. Suppose a nonsingular conic f(x, y)=c contains a rational point P =(x0,y0). Then by passing through P lines of rational slope t to intersect the conic again, we obtain a parametrization of the rational points on the curve.

Proposition 8.1. (1) The rational solutions of x2 − dy2 =1can be parametrized in the form 1+dt2 2t (x, y)= , . 1 − dt2 1 − dt2 (2) The positive integer solutions of x2 − dy2 = z2 can be parametrized in the form 1 (x, y, z)= p2 + dq2, 2pq, p2 − dq2 , g where g =gcd(p2 + dq2, 2pq, p2 − dq2).

8.3 Integer triangles with a 60◦ angle

If triangle ABC has C =60◦, then

c2 = a2 − ab + b2. (8.1)

Integer triangles with a 60◦ angle therefore correspond to rational points in the ﬁrst quadrant on the curve x2 − xy + y2 =1. (8.2) Note that the curve contains the point P =(−1, −1). By passing a line of rational slope t through P to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation y = −1+t(x +1). Solving this simultaneously with (8.2) we obtain (x, y)=(−1, −1) = P , and 2t − 1 t(2 − t) (x, y)= , , t2 − t +1 t2 − t +1 8.3 Integer triangles with a 60◦ angle 209

1 ≤ which is in the ﬁrst quadrant if 2

gcd(a, b)=gcd(2pq − p2, 2pq − q2) =gcd((p − q)(p + q),q(2p − q)) =gcd((p − q)(p + q), 2p − q) since gcd(p − q, q)=gcd(p + q, q)=gcd(p, q)=1.Now, gcd(p − q, 2p − q)=gcd(p − q, p)=1and gcd(p + q, 2p − q)=gcd(p + q, 3p)=gcd(p + q, 3). This gives gcd(a, b)= gcd(p + q, 3). Proposition 8.2. The primitive integer triangles with a 60◦ angle are given by 1 p(2q − p),q(2p − q),p2 − pq + q2 , g p ≤ where p and q are relatively prime positive integers satisfying 2

p q (a, b, c) 1 1 (1, 1, 1) 3 2 (3, 8, 7) 4 3 (8, 15, 13) 5 3 (5, 21, 19) 5 4 (5, 8, 7) 6 5 (24, 35, 31) 7 4 (7, 40, 37) 7 5 (7, 15, 13) 7 6 (35, 48, 43) 8 5 (16, 55, 49) 8 7 (16, 21, 19) 9 5 (9, 65, 61) 9 7 (45, 77, 67) 9 8 (63, 80, 73) 10 7 (40, 91, 79) 10 9 (80, 99, 91) 210 Homogeneous quadratic equations in 3 variables

Exercise A standard calculus exercise asks to cut equal squares of dimension x from the four corners of a rectangle of length a and breadth b so that the box obtained by folding along the creases has a greatest capacity.

b The answer to this problem is given by √ a + b − a2 − ab + b2 x = . 6 How should one choose relatively prime integers a and b so that the resulting x is an integer? For example, when a =5, b =8, x =1. Another example is a =16, b =21with x =3.

8.4 Integer triangles with a 120◦ angle

If triangle ABC has C = 120◦, then

c2 = a2 + ab + b2. (8.3)

Integer triangles with a 120◦ angle therefore correspond to rational points in the ﬁrst quadrant on the curve x2 + xy + y2 =1. (8.4) Note that the curve contains the point Q =(−1, 0). By passing a line of rational slope t through P to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation y = t(x +1). Solving this simultaneously with (8.2) we obtain (x, y)=(−1, 0) = Q, and 1 − t2 t(2 + t) Q(t)= , , t2 + t +1 t2 + t +1 which is in the ﬁrst quadrant if 0

√ q 3−1 Putting t = p for relatively prime integers p, q satisfying q< 2 p, and clearing denominators, we obtain a =p2 − q2, b =q(2p + q), c =p2 + pq + q2, with 0

p q (a, b, c) 3 1 (8, 7, 13) 4 1 (5, 3, 7) 5 1 (24, 11, 31) 6 1 (35, 13, 43) 7 1 (16, 5, 19) 7 2 (45, 32, 67) 8 1 (63, 17, 73) 9 1 (80, 19, 91) 9 2 (77, 40, 103) 10 1 (33, 7, 37) 10 3 (91, 69, 139)

Exercise 1 (a) Show that a number c is a sum of two consecutive squares if and only if 2c − 1 is a square. (b) Suppose an integer triangle contains a 120◦ angle with its two arms differing by 1. Show that the length of the longest side is a sum of two consecutive squares. 2. It is known that the centroid of a triangle of sides a, b, c lies on its incircle if and only if 5(a2 + b2 + c2)=6(ab + bc + ca). Find a parametrization of all such primitive triangles. 212 Homogeneous quadratic equations in 3 variables Chapter 9

Heron triangles

9.1 The Heron formula

Let ABC be a triangle with sidelengths BC = a, CA = b, AB = c, and semiperime- 1 ter s = 2 (a + b + c). If the incircle touches the sides BC, CA and AB respectively at X, Y , and Z,

AY = AZ = s − a, BX = BZ = s − b, CX = CY = s − c.

s − a s − a

Z I s − c s − c

B C s − b X s − c The radius r of the incircle and the area of the triangle are given by (s − a)(s − b)(s − c) r = , s = s(s − a)(s − b)(s − c).

The latter one is the famous Heron formula. Explicitly in terms of a, b, c, it can be written as 1 2 = 2a2b2 +2b2c2 +2c2a2 − a4 − b4 − c4 . (9.1) 16 Remark. The inradius of a right triangle is r = s − c. Exercise Given a positive integer r, determine all Pythagorean triangles with inradius r. 214 Heron triangles

s − b

r s − a

s − c r

C s − c s − a A

First consider the case of primitive Pythagorean triangles. The one with parameters p>q(of different parity) has inradius r = q(p − q). Note that p − q must be odd, and q does not contain any prime divisor of p − q. There are 2k choices of p − q, where k is the number of odd prime divisors of r. In particular, there is only one (primitive) Pythagorean triangle of inradius 1, which is the (3, 4, 5) triangle.

9.2 Heron triangles

A Heron triangle is an integer triangle with integer area. Here are some fundamental facts about Heron triangles.

Proposition 9.1. (1) The semiperimeter of a Heron triangle is an integer. (2) The area of a Heron triangle is a multiple of 6.

Proof. It is enough to consider primitive Heron triangles, those whose sides are relatively prime. (1) Note that modulo 16, each of a4, b4, c4 is congruent to 0 or 1, according as the number is even or odd. To render in (9.1) the sum 2a2b2 +2b2c2 +2c2a2 − a4 − b4 − c4 ≡ 0 modulo 16, exactly two of a, b, c must be odd. It follows that the perimeter of a Heron triangle must be an even number. (2) Since a, b, c are not all odd nor all even, and s is an integer, at least one of s − a, s − b, s − c is even. This means that is even. We claim that at least one of s, s − a, s − b, s − c must be a multiple of 3. If not, then modulo 3, these numbers are +1 or −1. Since s =(s − a)+(s − b)+(s − c), modulo 3, this must be either 1 ≡ 1+1+(−1) or −1 ≡ 1+(−1) + (−1). In each case the product s(s − a)(s − b)(s − c) ≡−1(mod3)cannot be a square. This justiﬁes the claim that one of s, s − a, s − b, s − c, hence , must be a multiple of 3.

9.3 Construction of Heron triangles

A B C A B C π Let t1 =tan2 , t2 =tan2 , and t3 =tan2 . Since 2 + 2 + 2 = 2 ,wehave t t + t t + t t =1 1 + 1 1 + 1 1 2 2 3 3 1 . If we construct a triangle with sides t2 t3 , t3 t1 , and 9.4 Heron triangles with sides in arithmetic progression 215

1 + 1 1 t1 t2 , then it has inradius and area 1 1 1 1 1 1 1 · · + + = . t1 t2 t3 t1 t2 t3 t1t2t3

t = pi p q i =1, 2 Writing i qi for relatively prime integers i, i, , and magnifying the triangle by a factor p1p2p3, we obtain a Heron triangle with sides

a = p1(p2q3 + p3q2),b= p2(p3q1 + p1q3),c= p3(p1q2 + p2q1), and area p1p2p3q1q2q3 and inradius p1p2p3.

q1p2p3

p1p2p3 1 2 3 Z I p p p p1p2q3

p1q2p3 p1p2p3

B C p1q2p3 X p1p2q3 Note that these integers satisfy

p1p2q3 + p1q2p3 + q1p2p3 = q1q2q3, or p q q − p p 3 = 1 2 1 2 . q3 p1q2 + p2q1

9.4 Heron triangles with sides in arithmetic progression

Consider a primitive Heron triangle with sides in arithmetic progression. By Propo- sition 9.1, the sidelengths are 2a−d, 2a, 2a+d for integers a and d. The semiperimeter being s =3a, we require (3a)(a)(a + d)(a − d)=3a2(a2 − d2) to be an integer. This means a2 − d2 =3b2 (9.2) a b 2 − 2 for an integer b. With x =: d , y := d , we transform this condition into x 3y =1. The Heron triangles with sides in arithmetic progression, therefore, correspond to 216 Heron triangles the rational points in the ﬁrst quadrant on the curve x2 − 3y2 =1. Now, such rational points can be parametrized as 1+3t2 2t 1 (x, y)= , , 0

a = p2 +3q2,d= p2 − 3q2,b=2pq for relatively prime p, q satisfying p2 > 3q2. This gives a Heron triangle (2a − d, 2a, 2a + d;3ab). In each case, we obtain a primitive Heron triangle by dividing the sidelengths by the g =gcd(2a, d) (and correspondingly by g2). Here are the primitive Heron triangles with sides in A.P., generated by taking p ≤ 7: 1

p q (a, b, c; ) 2 1 (13, 14, 15; 84) 3 1 (3, 4, 5; 6) 4 1 (25, 38, 51; 456) 5 1 (17, 28, 39; 210) 5 2 (61, 74, 87; 2220) 6 1 (15, 26, 37; 156) 7 1 (29, 52, 75; 546) 7 2 (85, 122, 159; 5124) 7 3 (65, 76, 87; 2394) 7 4 (193, 194, 195; 16296)

Exercise Is there a Heron triangle whose sides are in geometric progression?

9.5 Heron triangles with integer inradii

We determine all Heron triangles with a given positive integer r as inradius. This is equivalent to the solution of

uvw = r2(u + v + w) (9.3) in positive integers u, v, w. We shall assume u ≥ v ≥ w (so that A ≤ B ≤ C). The Heron triangle in question has sides a = v + w, b = w + u, and c = u + v.We shall distinguish between three cases. In each case, we ﬁnd appropriate bounds for v and w to determine if the corresponding u is an integer.

1Note that some of these Heron triangles have consecutive integers as sidelengths, namely (3, 4, 5; 6), (13, 14, 15; 84), and (193, 194, 195; 1629). These correspond to d =1. We shall treat this case in detail when we study the Pell equation. There is one such “small” triangle missing from the table, corresponding to (p, q)=(9, 5). 9.5 Heron triangles with integer inradii 217

Proposition 9.2. (1) For obtuse Heron triangles with given inradius r, it is enough to check if r2(v + w) u = . (9.4) vw − r2 √ r2 r(r+ r2+w2) is an integer for w

(3) For Pythagorean triangles with√ given inradius r, it is enough to check if r(v+r) u = v−r is an integer for r 0. From u = 2 ≥ v,wehave, 2 4 vw−r √ 2 2 2 − 2 − 2 r2 r(r+ r +w ) after clearing denominator, wv 2r v r w<0. Hence, w 6 , r > tan π = √1 ,wehavew< 3r. Also, B > π . This means r > √ 1 and w √ 3 3 2 8 v 2+1 v<( 2+1)r. (3) In the Pythagorean case, r = w, so that (9.3) becomes uv = r(u+v+r), and r(v+r) ≥ ≤ − 2 − − 2 ≤ u = v−r v. By clearing√ denominator, r(v + r) v(v r), v 2rv r 0, (v − r)2 ≤ 2r2, v<( 2+1)r.

Example 9.1. A Heron triangle is said to be perfect if its area is numerically equal to its perimeter. Equivalently, a perfect Heron triangle has inradius 2. Using Propo- sition 9.2 above, (i) for obtuse triangles, we need only check w =1, and 4

w v u (a, b, c; ) 1 5 24 (6, 25, 29; 60) 1 6 14 (7, 15, 20; 42) 1 8 9 (9, 10, 17; 36)

(ii) There is no acute Heron triangle with inradius 2. We need only check w =3 and v =3, 4. (iii) The only Pythagorean triangles with inradius 2 are (6, 8, 10; 24) and (5, 12, 13; 30). 218 Heron triangles Chapter 10

Genealogy of Pythagorean triangles

10.1 Two ternary trees of rational numbers

Consider the rational numbers in the open interval (0, 1). Each of these is uniquely q in the form p , for relatively prime positive integers p>q. We call p + q the height of the rational numbers. The rational numbers in (0, 1) with odd heights can be arranged in a ternary tree 1 1 with root 2 , as follows. For a rational number t of odd heights, the numbers 2−t , 1 t 2+t , and 1+2t are also in (0, 1) and have odd heights. We call these the descendants of t and label them the left (L), middle (M), and right (R) respectively. If we write q p p q t = p , then these three descendants are 2p−q , 2p+q and p+2q , and have greater 1 2 2 heights. Thus, the rational number 2 has left descendant 5 , middle descendant 3 , 1 and right descendant 4 . s

1 s = 2−t

1 s = 2+t

t s = 1+2t

t 0 1 ∈ \{1 1 } On the other hand, each rational number s (0, 1) 3 , 2 with odd height is the descendant of a unique rational number t, which we call its parent. In fact, n s = m is 220 Genealogy of Pythagorean triangles

− 1 2n−m 1 (i) the left descendant of 2 s = n if 2

1 2

2 2 1 3 5 4

3 3 2 5 5 2 4 4 1 4 8 7 8 12 9 7 9 6

The same applies to rational numbers with even heights. They constitute a 1 ternary tree with root 3 :

1 1 2 3

2 2 1 3 3 1 3 5 4 5 7 5

3 3 2 5 5 2 4 4 1 5 5 3 7 7 3 5 5 1 4 8 7 8 12 9 7 9 6 7 13 11 11 17 13 9 11 7

∈ \{1 1 } Therefore, each rational parameter s (0, 1) 3 , 2 has a unique “genealogy 1 sequence” tracing back to the root 2 . For example, 23 10 3 3 2 1 ←−L ←−M ←−R ←−L ←−L . 36 23 10 4 3 2 Consider one of these ternary trees. If we “ﬂatten” the entire tree by listing the vertices in order, beginning with the “root”, going down through each level from left to right, what is the position of a vertex with a known genealogy sequence? 10.2 Genealogy of Pythagorean triangles 221

Suppose this genealogy sequence has k terms, i.e., the vertex is k levels below the root. Convert it into an integer N in base 3 expansion by

L → 0,M→ 1,R→ 2

1 k respectively. Then the position of the vertex in the list is 2 (3 +1)+N. For example, 23 1 5 the rational number 36 is in position 2 (3 + 1) + 012003 = 122 + 45 = 167, with a genealogy sequence

23 10 3 3 2 1 ←−L ←−M ←−R ←−L ←−L . 36 23 10 4 3 2 Exercise (1) What is the 1000-th vertex in this list from the ternary tree of rational numbers of odd heights, and what is its genealogy sequence?

40 40 9 9 4 1 1 ←−R ←−M ←−R ←−M ←−M ←−R . 169 89 40 22 9 4 2 1−t (2) Show that the rational numbers t and 1+t belong to different ternary trees. How are their genealogy sequences related?

10.2 Genealogy of Pythagorean triangles

The ternary trees in the preceding sections can be translated into a genealogy of Pythagorean triangles. A Pythagorean triangle (or its similarity class) is generated q 1 by a positive rational number t = p of odd height. The tree with root 2 translates into

(3, 4, 5)

(5, 12, 13) (21, 20, 29) (15, 8, 17)

(7, 24, 25) (45, 28, 53) (39, 80, 89) (77, 36, 85) (33, 56, 65) (35, 12, 37 (55, 48, 73) (119, 120, 169) (65, 72, 97) 222 Genealogy of Pythagorean triangles

We ﬁnd the descendants of a Pythagorean triangle (a, b, c) in terms of the sides

a = p2 − q2,b=2pq, c = p2 + q2.

p The left descendant is generated by 2p−q and has sides

2 2 2 2 al =(2p − q) − p =3p − 4pq + q = a − 2b +2c, 2 bl =2(2p − q)p =4p − 2pq =2a − b +2c, 2 2 2 2 cl =(2p − q) + p =5p − 4pq + q =2a − 2b +3c.

p The middle descendant is generated by 2p+q and has sides

2 2 2 2 am =(2p + q) − p =3p +4pq + q = a +2b +2c, 2 bm =2(2p + q)p =4p +2pq =2a + b +2c, 2 2 2 2 cm =(2p + q) + p =5p +4pq + q =2a +2b +3c.

q The right descendant is generated by p+2q and has sides

2 2 2 2 ar =(p +2q) − q = p +4pq +3q = −a +2b +2c, 2 br =2(p +2q)q =2pq +4q = −2a + b +2c, 2 2 2 2 cr =(p +2q) + q = p +4pq +5q = −2a +2b +3c.

q Depending on the value of p , the parent of (a, b, c) is generated by one the 2q−p p−2q q fractions q , q , and p−2q . Since these fractions have the same numerator and denominators, up to permutation and change of signs, they all generate the Pythagorean triangle

a = |q2 − (2q − p)2| = |−p2 +4pq − 3q2| = |a +2b − 2c|, b = |2q(2q − p)| = |−2pq +4q2| = |2a + b − 2c|, c = q2 +(2q − p)2 = p2 − 4pq +5q2 = −2a − 2b +3c.

Consider a right triangle ABC with vertices A =(0,b), B =(a, 0), and C = 1 (0, 0), with semiperimeter s = 2 (a + b + c). The incenter and the excenters are the points

I =(s − c, s − c),Ia =(s − b, −(s − b)),Ib =(−(s − a),s− a),Ic =(s, s).

The circles with these centers and respective radii r = s − c, ra = s − b, rb = s − a, and rc = s are tangents to the sidelines of the triangle. According to the famous Feuerbach theorem, each of these circles is tangent to the nine-point circle, which is the circle passing the midpoints of the three sides. This circle has center N = a b c 4 , 4 and radius 4 . The following theorem gives a nice geometric interpretation of the genealogy of Pythagorean triangles. 10.2 Genealogy of Pythagorean triangles 223

Theorem 10.1. The right triangles with hypotenuses NIa, NIb, NIc and sides parallel to BC and AC are similar to the descendants of ABC. The one with hypotenuse NI (and sides parallel to BC and AC) is similar to the parent of ABC.

Proof. The following table shows the sidelengths of the right triangles involved each magniﬁed by a factor 4:

horizontal vertical hypotenuse NI |a +2b − 2c| |2a + b − 2c| −2a − 2b +3c parent NIa a − 2b +2c 2a − b +2c 2a − 2b +3c left NIb −a +2b +2c −2a + b +2c −2a +2b +3c right NIc a +2b +2c 2a + b +2c 2a +2b +3c middle

C B

Ia 224 Genealogy of Pythagorean triangles Chapter 11

Polygonal numbers

11.1 The polygonal numbers Pk,n

The n-th triangular number is 1 T =1+2+3+···+ n = n(n +1). n 2 The ﬁrst few of these are 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, ....

The pentagonal numbers are the sums of the arithmetic progression

1+4+7+···+(3n − 2) + ···

1 − The n-th pentagonal number is Pn = 2 n(3n 1). Here are the beginning ones: 1, 5, 12, 22, 35, 51, 70, 92, 117, 145, ...

More generally, for a ﬁxed k, the k-gonal numbers are the sums of the arithmetic progression 1+(k − 1) + (2k − 3) + ···. The nth k-gonal number is 1 P = n((k − 2)n − (k − 4)). k,n 2 226 Polygonal numbers

11.2 The equation Pk,a + Pk,b = Pk,c

By a k-gonal triple, we mean a triple of positive integers (a, b, c) satisfying

Pk,a + Pk,b = Pk,c. (11.1) A 4-gonal triple is simply a Pythagorean triple satisfying a2 + b2 = c2. We shall assume in the present chapter that k =4 . By completing squares, we rewrite (11.1) as [2(k − 2)a − (k − 4)]2 +[2(k − 2)b − (k − 4)]2 =[2(k − 2)c − (k − 4)]2 +(k − 4)2, (11.2) and note, by dividing throughout by (k − 4)2, that this determines a rational point on the surface S: x2 + y2 = z2 +1, (11.3) namely, P (k; a, b, c):=(ga − 1,gb− 1,gc− 1), (11.4) 2(k−2) where g = k−4 . This is always an integer point for k =3, 5, 6, 8, with corresponding g = −2, 6, 4, 3.Fork =3(triangular numbers), we shall change signs, and consider instead the point P (3; a, b, c):=(2a +1, 2b +1, 2c +1). (11.5) The coordinates of P (3; a, b, c) are all odd integers exceeding 1.

11.3 Double ruling of S

The surface S, being the surface of revolution of a rectangular hyperbola about its conjugate axis, is a rectangular hyperboloid of one sheet. It has a double ruling, i.e., through each point on the surface, there are two straight lines lying entirely on the surface. Let P (x0,y0,z0) be a point on the surface S. A line through P with direction numbers p : q : r has parametrization

: x = x0 + pt, y = y0 + qt, z = z0 + rt. 11.4 Primitive Pythagorean triple associated with a k-gonal triple 227

Substitution of these expressions into (11.3) shows that the line is entirely contained in the surface S if and only if

px0 + qy0 = rz0, (11.6) p2 + q2 = r2. (11.7)

It follows that 2 2 2 2 − 2 r = r (x0 + y0 z0) 2 2 2 − 2 = r (x0 + y0) (px0 + qy0) 2 2 2 2 − 2 =(p + q )(x0 + y0) (px0 + qy0) 2 =(qx0 − py0) .

This means qx0 − py0 = r, = ±1. (11.8) Solving equations (11.6) and (11.8), we determine the direction numbers of the line. We summarize this in the following proposition. Proposition 11.1. The two lines lying entirely on the hyperboloid S : x2 + y2 = 2 z +1and passing through P (x0,y0,z0) have direction numbers − 2 2 x0z0 y0 : y0z0 + x0 : x0 + y0 for = ±1. In particular, if P is a rational point, these direction numbers are rational.

11.4 Primitive Pythagorean triple associated with a k-gonal triple

Let P be the rational point determined by a k-gonal triple (a, b, c), as given by (11.4), for k ≥ 5 and (11.5) for k =3(triangular numbers). We ﬁrst note that the 228 Polygonal numbers coordinates of P all exceed 1. This is clear for k =3, and for k ≥ 5, it follows 2(k−2) S from the fact that g = k−4 > 2. The direction numbers of the ruling lines on through the point P , as given in Proposition 1, are all positive. In view of (11.7), we may therefore choose a primitive Pythagorean triple (p, q, r) for these direction numbers. As is well known, every such triple is given by

p = m2 − n2,q=2mn, r = m2 + n2 (11.9) for relatively prime integers m>nof different parity. We study the converse question of determining k-gonal triples from (primitive) Pythagorean triples.

11.5 Triples of triangular numbers

Given a primitive Pythagorean triple (p, q, r) as in (11.9), we want to determine a triangular triple (a, b, c) corresponding to it. Given an odd integer z0 > 1,we obtain, from (11.6) and (11.8), pz + q qz − p x = 0 ,y= 0 . (11.10) 0 r 0 r

We claim that it is possible to choose z0 > 1 so that x0 and y0 are also odd integers > 1. By the euclidean algorithm, there are odd integers u and v such that qu + rv = 1. (Note that v must be odd, since q is even. If u is even, we replace (u, v) by (u − r, v + q), in which both entries are odd). Clearly, the integer z0 = pu is such that qz0 − p = p(qu − 1) is divisible by r. This makes y0 an integer. The corresponding x0 is also an integer. Replacing z0 by z0 + rt for a positive integer t if necessary, the integers z0, x0, and y0 can be chosen greater than 1. From (11.10), the integers x0 and y0 are both odd, since p and q are of different parity and z0 is odd.

We summarize this in the following theorem.

Theorem 11.2. Let (p, q, r) be a primitive Pythagorean triple. There are two inﬁ- nite families of triangular triples (a(t),b(t),c(t)), = ±1, such that one of the lines (P ), P = P (3; a(t),b(t),c(t)), has direction numbers p : q : r. 11.6 k-gonal triples determined by a Pythagorean triple 229

Triangular triples from primitive Pythagorean triples

(m, n) (p, q, r) (a+(0),b+(0),c+(0)) (a−(0),b−(0),c−(0)) (2, 1) (3, 4, 5) (2, 2, 3) (3, 5, 6) (4, 1) (15, 8, 17) (9, 4, 10) (5, 3, 6) (3, 2) (5, 12, 13) (4, 9, 10) (5, 14, 15) (6, 1) (35, 12, 37) (20, 6, 21) (14, 5, 15) (5, 2) (21, 20, 29) (6, 5, 8) (14, 14, 20) (4, 3) (7, 24, 25) (6, 20, 21) (7, 27, 28) (8, 1) (63, 16, 65) (35, 8, 36) (27, 7, 28) (7, 2) (45, 28, 53) (35, 21, 41) (9, 6, 11) (5, 4) (9, 40, 41) (8, 35, 36) (9, 44, 45)

11.6 k-gonal triples determined by a Pythagorean triple

Now, we consider k ≥ 5. We shall adopt the notation h if h is odd, h := h 2 if h is even, for an integer h. ≥ 2(k−4) Theorem 11.3. Let k 5 and g = k−2 . The primitive Pythagorean triple (p, q, r) deﬁned in (11.9) by relatively prime integers m>nwith different parity corre- 2n 2(m−n) sponds to a k-gonal triple if and only if one of g and g is an integer. Proof. As in (11.10) above, the rational points through which the surface S contains a line of direction numbers p : q : r are of the form pz + q qz − p ( , ,z). (11.11) r r Suppose this corresponds to a k-gonal triple (a, b, c), so that z = rc − 1. From (11.4), we obtain, for =1,

m + n a = · [(k − 2)(m − n)c +(k − 4)n], (11.12) (k − 2)(m2 + n2) n b = · [(k − 2) · 2mc − (k − 4)(m − n)]. (11.13) (k − 2)(m2 + n2)

Note that (k−2) and (k−4) are always relatively prime, since gcd(k−2,k−4) = 1 or 2 according as k is odd or even. From these expressions, 230 Polygonal numbers

2(k − 4)n a2 + b2 − c2 = · [(k − 2)(m − n)c +(k − 4)n]. (k − 2)2(m2 + n2) We claim that n must be divisible by (k − 2) for a, b, c to be integers. Let d := gcd(n, (k − 2)), so that n = d · n∗, (k − 2) = d · (k − 2)∗ for relatively prime integers n∗ and (k − 2)∗.

2(k − 4)n∗ a2 + b2 − c2 = · [(k − 2)∗(m − n)c +(k − 4)n∗]. (k − 2)∗2(m2 + n2) Since (k − 2)∗ is prime to each of (k − 4) and n∗, the only possible prime divisor of (k − 2)∗ is 2. This means that (k − 2)∗ is a power of 2, (possibly 1). If (k − 2)∗ is even, then after cancelling a common divisor 2, the numerator of a2 +b2 −c2 is odd, and the denominator is even. This cannot be an integer. It follows that (k −2)∗ =1, justifying the claim that n must be divisible by (k − 2). 2(k−2) − Since g = (k−4) , the condition that n be divisible by (k 2) is equivalent 2n to g being an integer. Under this condition, there is a unique positive integer 2 2 2 2 − 2 c0

at = a0 + pt, bt = b0 + qt, ct = c0 + rt for a positive integer t. For = −1, the treatment is exactly the same, with n replaced by m−n. Indeed, we have m − n a = · [(k − 2)(m + n)c − (k − 4)n], (k − 2)(m2 + n2) m b = · [(k − 2) · 2nc +(k − 4)(m − n)]. (k − 2)(m2 + n2)

Since m and n are relatively prime, the integer (k − 2) > 1 cannot divide both n and m − n. This means that a primitive Pythagorean triple (p, q, r) corresponds to at most one line on S associated with k-gonal triples (for k ≥ 5). Indeed, if k =4h +2, (k − 2) is the even number 2h, and cannot divide the odd integer m − n. It follows that only those pairs (m, n), with n a multiple of 2h give (4h +2)-gonal pairs. For example, by choosing m =2h +1, n =2h,wehave p =4h +1,q=8h2 +4h, r =8h2 +4h +1, 2 2 a0 =4h +1,b0 =8h +2h +1,c0 =8h +2h +2. 11.6 k-gonal triples determined by a Pythagorean triple 231

These give an inﬁnite family of (4h +2)-gonal triples:

at =(4h +1)(t +1), 2 2 bt =8h +2h +1+(8h +4h)t, 2 2 ct =8h +2h +2+(8h +4h +1)t.

(4h +2)− gonal triples

(h, k, g) (m, n) (p, q, r) (a, b, c) (1, 6, 4) (3, 2) (5, 12, 13) (5, 11, 12) (5, 2) (21, 20, 29) (14, 13, 19) (5, 4) (9, 40, 41) (9, 38, 39) (7, 2) (45, 28, 53) (18, 11, 21) (7, 4) (33, 56, 65) (11, 18, 21) (7, 6) (13, 84, 85) (13, 81, 82) (9, 2) (77, 36, 85) (11, 5, 12) (9, 4) (65, 72, 97) (13, 14, 19) (9, 8) (17, 144, 145) (17, 140, 141) (11, 2) (117, 44, 125) (104, 39, 111) (11, 4) (105, 88, 137) (60, 50, 78) (11, 6) (85, 132, 157) (68, 105, 125) (11, 8) (57, 176, 185) (38, 116, 122) (11, 10) (21, 220, 221) (21, 215, 216) 8 (2, 10, 3 ) (5, 4) (9, 40, 41) (9, 37, 38) (7, 4) (33, 56, 65) (33, 55, 64) (9, 4) (65, 72, 97) (52, 57, 77) (9, 8) (17, 144, 145) (17, 138, 139) (11, 4) (105, 88, 137) (90, 75, 117) (11, 8) (57, 176, 185) (57, 174, 183) 12 (3, 14, 5 ) (7, 6) (13, 84, 85) (13, 79, 80) (11, 6) (85, 132, 157) (85, 131, 156) Chapter 12

Quadratic Residues

12.1 Quadratic residues ∈ Z• Let n>1 be a given positive integer, and gcd(a, n)=1. We say that a n is a quadratic residue mod n if the congruence x2 ≡ a mod n is solvable. Otherwise, a is called a quadratic nonresidue mod n. 1. If a and b are quadratic residues mod n, so is their product ab. 2. If a is a quadratic residue, and b a quadratic nonresidue mod n, then ab is a quadratic nonresidue mod n. 3. The product of two quadratic residues mod n is not necessarily a quadratic Z• { } residue mod n. For example, in 12 = 1, 5, 7, 11 , only 1 is a quadratic residue; 5, 7, and 11 ≡ 5 · 7 are all quadratic nonresidues. Proposition 12.1. Let p be an odd prime, and p a. The quadratic congruence ax2 + bx + c ≡ 0modp is solvable if and only if (2ax + b)2 ≡ b2 − 4ac mod p is solvable. Z• Theorem 12.2. Let p be an odd prime. Exactly one half of the elements of p are quadratic residues. 1 − Proof. Each quadratic residue modulo p is congruent to one of the following 2 (p 1) residues. p − 1 2 12, 22, ...,k2, ..., . 2 ≤ ≤ p−1 2 ≡ We show that these residue classes are all distinct. For 1 h

12.2 The Legendre symbol

Let p be an odd prime. For an integer a, we deﬁne the Legendre symbol a +1, if a is a quadratic residue mod p, := p −1, otherwise. ab a b Lemma 12.4. p = p p . Proof. This is equivalent to saying that modulo p, the product of two quadratic residues (respectively nonresidues) is a quadratic residue, and the product of a quadratic residue and a quadratic nonresidue is a quadratic nonresidue. − 1 − 1 − 2 (p 1) For an odd prime p, p =( 1) . This is a restatement of Theorem 12.6 that −1 is a quadratic residue mod p if and only if p ≡ 1mod4.

Theorem 12.5 (Euler). Let p be an odd prime. For each integer a not divisible by p, a 1 − ≡ a 2 (p 1) mod p. p Proof. Suppose a is a quadratic nonresidue mod p. The mod p residues 1, 2,...,p− 1 are partitioned into pairs satisfying xy = a. In this case,

1 − (p − 1)! ≡ a 2 (p 1) mod p.

On the other hand, if a is a quadratic residue, with a ≡ k2 ≡ (p − k)2 mod p, apart from 0, ±k, the remaining p − 3 elements of Zp can be partitioned into pairs satisfying xy = a.

1 − 1 − (p − 1)! ≡ k(p − k)a 2 (p 3) ≡−a 2 (p 1) mod p.

Summarizing, we obtain a 1 − (p − 1)! ≡− a 2 (p 1) mod p. p

Note that by putting a =1, we obtainWilson’s theorem: (p − 1)! ≡−1modp.By a comparison, we obtain a formula for p : a 1 − ≡ a 2 (p 1) mod p. p 12.3 −1 as a quadratic residue modp 303

12.3 −1 as a quadratic residue modp

Theorem 12.6. Let p be an odd prime. −1 is a quadratic residue mod p if and only if p ≡ 1mod4.

p−1 − Proof. If x2 ≡−1modp, then (−1) 2 ≡ xp 1 ≡ 1modp by Fermat’s little p−1 ≡ theorem. This means that 2 is even, and p 1mod4. ≡ p−1 Conversely, if p 1mod4, the integer 2 is even. By Wilson’s theorem,

p−1 p−1 p−1 p − 1 2 2 2 (( )!)2 = j2 = j · (−j) ≡ j · (p − j)=(p − 1)! ≡−1modp. 2 i=1 i=1 i=1

2 ≡− ≡± p−1 The solutions of x 1modp are therefore x ( 2 )!. Here are the square roots of −1 mod p for the ﬁrst 20 primes of the form 4k +1: √ √ √ √ √ p −1 p −1 p −1 p −1 p −1 5 ±2 13 ±5 17 ±4 29 ±12 37 ±6 41 ±9 53 ±23 61 ±11 73 ±27 89 ±34 97 ±22 101 ±10 109 ±33 113 ±15 137 ±37 149 ±44 157 ±28 173 ±80 181 ±19 193 ±81

Theorem 12.7. There are inﬁnitely many primes of the form 4n +1.

Proof. Suppose there are only ﬁnitely many primes p1, p2,...,pr of the form 4n+1. Consider the product 2 P =(2p1p2 ···pr) +1.

Note that P ≡ 1mod4. Since P is greater than each of p1, p2, ..., pr, it cannot be prime, and so must have a prime factor p different from p1, p2, ..., pr. But then modulo p, −1 is a square. By Theorem 12.6, p must be of the form 4n +1,a contradiction. In the table below we list, for primes < 50, the quadratic residues and their square roots. It is understood that the square roots come in pairs. For example, the entry (2,7) for the prime 47 should be interpreted as saying that the two solutions of the congruence x2 ≡ 2mod47are x ≡±7mod47. Also, for primes of the form p =4n +1, since −1 is a quadratic residue modulo p, we only list quadratic p p residues smaller than 2 . Those greater than 2 can be found with the help of the square roots of −1. 304 Quadratic Residues

Quadratic residues mod p and their square roots

3 (1, 1) 5 (−1, 2) (1, 1) 7 (1, 1) (2, 3) (4, 2) 11 (1, 1) (3, 5) (4, 2) (5, 4) (9, 3) 13 (−1, 5) (1, 1) (3, 4) (4, 2) 17 (−1, 4) (1, 1) (2, 6) (4, 2) (8, 5) 19 (1, 1) (4, 2) (5, 9) (6, 5) (7, 8) (9, 3) (11, 7) (16, 4) (17, 6) 23 (1, 1) (2, 5) (3, 7) (4, 2) (6, 11) (8, 10) (9, 3) (12, 9) (13, 6) (16, 4) (18, 8) 29 (−1, 12) (1, 1) (4, 2) (5, 11) (6, 8) (7, 6) (9, 3) (13, 10) 31 (1, 1) (2, 8) (4, 2) (5, 6) (7, 10) (8, 15) (9, 3) (10, 14) (14, 13) (16, 4) (18, 7) (19, 9) (20, 12) (25, 5) (28, 11) 37 (−1, 6) (1, 1) (3, 15) (4, 2) (7, 9) (9, 3) (10, 11) (11, 14) (12, 7) (16, 4) 41 (−1, 9) (1, 1) (2, 17) (4, 2) (5, 13) (8, 7) (9, 3) (10, 16) (16, 4) (18, 10) (20, 15) 43 (1, 1) (4, 2) (6, 7) (9, 3) (10, 15) (11, 21) (13, 20) (14, 10) (15, 12) (16, 4) (17, 19) (21, 8) (23, 18) (24, 14) (25, 5) (31, 17) (35, 11) (36, 6) (38, 9) (40, 13) (41, 16) 47 (1, 1) (2, 7) (3, 12) (4, 2) (6, 10) (7, 17) (8, 14) (9, 3) (12, 23) (14, 22) (16, 4) (17, 8) (18, 21) (21, 16) (24, 20) (25, 5) (27, 11) (28, 13) (32, 19) (34, 9) (36, 6) (37, 15) (42, 18) Chapter 13

The law of quadratic reciprocity

13.1 Gauss’ lemma

Theorem 13.1 (Gauss’ Lemma). Let p be an odd prime, and a an integer not divis- a − μ ible by p. Then p =( 1) where μ is the number of residues among p − 1 a, 2a, 3a,...... , a 2 p falling in the range 2

r1,r2,...,rλ, and μ negative ones −s1, −s2,...,−sμ. p−1 p Here, λ + μ = 2 , and 0

ha ≡ ri mod p; ka ≡−sj mod p 1 − ≡ for some h, k in the range 0

1 − are a permutation of 1, 2,..., 2 (p 1). From this p − 1 p − 1 a · 2a ··· a =(−1)μ1 · 2 ··· , 2 2 1 − 2 (p 1) − μ a − μ and a =( 1) . By Theorem 12.5, p =( 1) .

Example Let p =19and a =5. We consider the ﬁrst 9 multiples of 5 mod 19. These are

5, 10, 15, 20 ≡ 1, 25 ≡ 6, 30 ≡ 11, 35 ≡ 16, 40 ≡ 2, 45 ≡ 7. 5 4 of these exceed 9, namely, 10, 15, 11, 16. It follows that 19 =1; 5 is a quadratic residue mod 19. 1 Theorem 13.2. 2 1 1 2− =(−1) 4 (p+1) =(−1) 8 (p 1). p Equivalently, 2 +1 if p ≡±1mod8, = p −1 if p ≡−3mod8. Proof. We need to see how many terms in the sequence p − 1 2 · 1, 2 · 2, 2 · 3, ..., 2 · 2 p are in the range 2

Example Square root of 2 mod p for the ﬁrst 20 primes of the form 8k ± 1. √ √ √ √ √ p 2 p 2 p 2 p 2 p 2 73 17 6 23 5 31 8 41 17 47 7 71 12 73 32 79 9 89 25 97 14 103 38 113 51 127 16 137 31 151 46 167 13 191 57 193 52 199 20

Proposition 13.3 (Euler). Let p>3 be a prime number of the form 4k +3.If p q =2p +1is also prime, then the Mersenne number Mp =2 − 1 has a prime factor 2p +1and is composite.

1Indeed 5 ≡ 92 mod 19. 13.2 The law of quadratic reciprocity 307

Proof. Note that the prime q is of the form 8k +7, and so admits 2 as a quadratic residue. By Theorem 13.2, 1 − 2 2p =22 (q 1) ≡ =1modq. q p p This means that q =2p +1divides Mp =2 − 1.Ifp>3, 2p +1< 2 − 1, and Mp is composite. 11 For example, M11 =2 − 1 is divisible by 23 since 23 = 2 · 11 + 1 is prime. 23 83 Similarly, M23 =2 − 1 is divisible by 47, and M83 =2 − 1 is divisible by 167.

13.2 The law of quadratic reciprocity

Theorem 13.4 (Law of quadratic reciprocity). Let p and q be distinct odd primes. p q p−1 · q−1 =(−1) 2 2 . q p Equivalently, when at least one of p, q ≡ 1mod4, p is a quadratic residue mod q if and only if q is a quadratic residue mod p. 2 Proof. (1) Let a be an integer not divisible by p. Suppose, as in the proof of Gauss’ p−1 Lemma above, of the residues a, 2a,... 2 a, the positive least absolute value rep- resentatives are r1, r2, ..., rλ, and the negative ones are −s1, −s2, ..., −sμ. The numbers a, 2a,..., p−1 a are a permutation of 2 h a i p + r ,i=1, 2, ...,λ, p i and k a j p +(p − s ),j=1, 2, ...,μ, p j p−1 where h1, ..., hλ, k1, ..., kμ are a permutation of 1, 2, ..., 2 . Considering the sum of these numbers, we have 1 − 1 − 2 (p 1) 2 (p 1) μ ma λ a · m =p + r + (p − s ) p i j m=1 m=1 i=1 j=1 1 − 2 (p 1) μ μ ma λ =p + r + s + (p − 2s ) p i j j m=1 i=1 j=1 j=1 1 − 1 − 2 (p 1) 2 (p 1) μ ma =p + m + μ · p − 2 s . p j m=1 m=1 j=1

2For p ≡ q ≡ 3mod4, p is a quadratic residue mod q if and only if q is a quadratic nonresidue mod p. 308 The law of quadratic reciprocity

In particular, if a is odd, then

1 (p−1) 2 ma μ ≡ mod 2, p m=1 and by Gauss’ lemma, 1 a 2 (p−1) ma =(−1) m=1 p . p (2) Therefore, for distinct odd primes p and q,wehave 1 q 2 (p−1) mq =(−1) m=1 p , p and 1 p 2 (q−1) np =(−1) n=1 q . q

q 2

2 1 12 m p (3) In the diagram above, we consider the lattice points2 (m, n) with 1 ≤ m ≤ p−1 ≤ ≤ q−1 p−1 · q−1 2 and 1 n 2 . There are altogether 2 2 such points forming a L q rectangle. These points are separated by the line of slope p through the point (0,0). p−1 For each m =1, 2,..., 2 , the number of points in the vertical line through 1 (p−1) (m, 0) under L is mq . Therefore, the total number of points under L is 2 mq . p m=1 p 1 − L 2 (q 1) np Similarly, the total number of points on the left side of is n=1 q . From these, we have

1 (p−1) 1 (q−1) 2 mq 2 np p − 1 q − 1 + = · . p q 2 2 m=1 n=1 It follows that p q p−1 · q−1 =(−1) 2 2 . q p 13.2 The law of quadratic reciprocity 309

The law of quadratic reciprocity can be recast into the following form: ⎧ ⎨ q p − , if p ≡ q ≡ 3mod4, = p q ⎩ q + p , otherwise.

Examples 59 − 131 − 13 − 59 − 7 − 13 − −1 1. 131 = 59 = 59 = 13 = 13 = 7 = 7 = −(−1) = 1. 34 2 17 2 2. 97 = 97 97 .Now, 97 =+1by Theorem 13.2, and

17 97 12 3 4 3 17 2 ======−1. 97 17 17 17 17 17 3 3

3. For which primes p is 3 a quadratic residue ? 3 p−1 p 1 − =(−1) 2 =(−1)k+ 2 ( 1) =(−1)k p 3

provided p =6k + , = ±1. This means 3 is a quadratic residue mod p if and only if k is even, i.e., p =12m ± 1. 310 The law of quadratic reciprocity Chapter 14

Calculation of square roots

14.1 Square roots modulo p a 1. Let p be a prime of the form 4k +3.If p =1, then the square roots of 1 a mod p are ±a 4 (p+1).

Proof. 2 1 1 1 − a a 4 (p+1) ≡ a 2 (p+1) = a 2 (p 1) · a = a = a mod p. p

a 2. Let p be a prime of the form 8k +5.If p =1, then the square roots of a mod p are

1 1 − •±a 8 (p+3) if a 4 (p 1) ≡ 1modp, 1 − 1 1 − •±2 4 (p 1) · a 8 (p+3) if a 4 (p 1) ≡−1modp.

Proof. Note that 2 1 1 1 − a 8 (p+3) ≡ a 4 (p+3) = a 4 (p 1) · a mod p. 1 − 1 − a 2 (p 1) ≡ 4 (p 1) ≡± Since p = a 1modp,wehavea 1modp. 1 − 1 If a 4 (p 1) ≡ 1modp, then this gives a 8 (p+3) as a square root of a mod p. 1 − If a 4 (p 1) ≡−1modp, then we have 2 2 2 1 y 1 1 − 1 a ≡− a 8 (p+3) ≡ a 8 (p+3) ≡ y 4 (p 1)a 8 (p+3) p 312 Calculation of square roots

for any quadratic nonresidue y mod p. Since p ≡ 5mod8, we may simply take y =2.

Examples 1. Let p =23. Clearly 2 is a quadratic residue mod 23. The square roots of 2 are ±26 ≡±18 ≡∓5mod23.

2. Let p =29. Both 6 and 7 are quadratic residues mod 29. Since 77 ≡ 1mod29, the square root of 7 are ±74 ≡±23 ∓ 6mod29. On the other hand, Since 67 ≡−1mod29, the square roots of 6 are ±27·64 ≡ ±12 · 20 ≡±8mod29.

Proposition 14.1. Let p be an odd prime and p − 1=2λu, u odd. Consider the congruence x2 ≡ a mod p. Let b be any quadratic nonresidue mod p. Assume μ that au ≡±1modp, and that μ>1 is the smallest integer for which (au)2 ≡ −1modp. (a) If μ = λ − 1, then the congruence has no solution. λ−μ−1 (b) If μ ≤ λ − 2, then au ≡ (bu)2 k for some odd number k<2μ+1. The solutions of the congruence are

1 λ−μ−2 μ+1− x ≡±a 2 (u+1)b2 (2 k)u mod p.

Example 14.1. Consider the congruence x2 ≡ 215 mod 257. Here 257−1=28 ·1. In the notation of the above theorem, u =1. With a = 215, the order of au = 215 modulo 257 is 128: 2152 ≡ 222; 2154 ≡ 197; 2158 ≡ 2; 21516 ≡ 4; 21532 ≡ 16; 21564 ≡ 256 ≡−1.

This means μ =6. Let b =3, a quadratic nonresidue of 257. The successive powers of bu ≡ 3 are, modulo 257,

32 ≡ 9; 34 ≡ 81; 38 ≡ 136; 316 ≡ 249; 332 ≡ 64; 364 ≡ 241; 3128 ≡ 256 ≡−1.

λ−μ−1 Now, au = 215 should be an odd power of (bu)2 ≡ 32 ≡ 9. In fact,

93 ≡ 729 ≡ 215 mod 257.

This means k =3. The solutions of the congruence are

0 7 x ≡±215 · 32 (2 −3) ≡±215 · 3125 ≡···≡±230 ≡ 27 mod 257. 14.2 Square roots modulo an odd prime power 313

14.2 Square roots modulo an odd prime power

The quadratic congruence x2 ≡ 2mod7clearly has solutions x ≡±3mod7.We want to solve the congruence x2 ≡ 2mod72 by seeking a solution of the form x ≡ 3+7b.

2 ≡ (3 + 7b)2 =9+(6b) · 7+b2 · 72 =2+(1+6b) · 7mod72 Choose b so that 1+6b ≡ 0mod7. This gives b ≡ 1mod7and x ≡ 10 mod 72. Exercise 1. Show that 9, 16, 23, 30, 37, 44 are all squares modulo 49. (Of course, it is clear for 9 and 16). Answer: Squares roots modulo 49:

2 9 16 23 30 37 44 1034538312417

(Note that these square roots form an arithmetic progression of common difference 42 mod 49). 2. Proceed to solve the congruences x2 ≡ 2mod73. and x2 ≡ 2mod74.

Proposition 14.2. Let p be an odd prime. Suppose x2 = a mod pk has solution ≡ k ∈ Z• ≡ x ck mod p . Let γ be the multiplicative inverse of 2c1 p. Then with bk − 2 · a ck k k+1 2 ≡ k+1 γ pk mod p, We have a solution ck+1 = ck +bkp mod p of x a mod p . Example 14.2. The solutions of the congruences x2 ≡ 12345 mod 7k for k ≤ 8 are as follows:

k 12 3 4 5 6 7 8 x mod 7k 2 37 37 380 5182 89217 677462 3148091

The base 7 expansions of these solutions are x ≡±12355210527.

14.3 Squares modulo 2k

Here are the squares modulo 2k,uptok =7.

Z4 :0, 1, Z8 :4, Z16 :9, Z32 :16, 17, 25, Z64 :33, 36, 41, 49, 57, Z128 :64, 65, 68, 73, 81, 89, 97, 100, 105, 113, 121. 314 Calculation of square roots

It is easy to see that the analogue of Proposition 8.2.2 is no longer true. For example, 1 is clearly a square of Z4;but5=1+4is not a square in Z8. h 2 Suppose c ∈ Z2k is a square. Let h be the smallest integer such that c =(a+2 ) h 2 2 h+1 2h for some a ∈ Z2h−1 . Since c =(a+2 ) = a +2 a+2 , we must have h+1

k k k−1 2 Proof. Clearly, if c =1, c +2 =1+2 =(1+2 ) ∈ Z2k+1 .Ifc =1 ,we h 2 h k−1 2 write c =(a +2 ) for 1 ≤ h ≤ k − 2 and a ∈ Z2k−3 . Then, (a +2 +2 ) = c +2k(a +2h)+22k−2. Since a is a unit, modulo 2k+1, this is c +2k.

Corollary 14.4. A residue given in binary expansion

a =(ak−1ak−2 ···a1a0)2, is a quadratic residue mod 2k if and only if on the right of the rightmost digit 1 there is an even number (possibly none) of zeros, and on its left there are at least two zeros. Chapter 15

Primitive roots

∈ Z• ϕ(n) Let a n. By the Fermat-Euler theorem (Theorem 6.1), a =1, there is a d ∈ Z• smallest positive integer d := ordn(a) such that a =1 n. Such an integer, Z• called the order of a in n, must be a divisor of ϕ(n).

Example 15.1. (a) n =13; ϕ(13) = 12:

a 1 2 3 4 5 6 7 8 9 10 11 12 ord13(a) 1 12 3 6 4 12 12 4 3 6 12 2 In this case, there exist elements of order 12, for example, a =2, 6. This means Z• the ﬁrst 12 powers of a are all distinct, and hence exhaust all the units of 13:

n 1 2 3 4 5 6 7 8 9 10 11 12 2n 2 4 8 3 6 12 11 9 5 10 7 1 6n 6 10 8 9 2 12 7 3 5 4 11 1

Z• In this case, the group of units 13 is a cyclic group, with generator a. A gener- Z• ator of n is called a primitive root for n. (b) n =16; ϕ(16) = 8:

a 1 3 5 7 9 11 13 15 ord16(a) 1 4 4 2 2 4 4 2 Z• The group 16 is not cyclic in this case, and there is no primitive root for 16.

Proposition 15.1. If ordn(a)=t, then t ord (ak)= . n gcd(t, k)

Exercise Z• Z \{ } Let p be a prime. If in p = p 0 there is an element of order t, then there are exactly ϕ(t) elements of order t. 316 Primitive roots

Theorem 15.2. Let p be an odd prime. − Z• Z \{ } (a) For each divisor t of p 1, there are exactly ϕ(t) elements of p = p 0 of order t. (b) There are exactly ϕ(p − 1) primitive roots for p.

Smallest primitive root g for prime p. 1

p g p g p g p g p g 3 2 5 2 7∗ 3 11 2 13 2 17∗ 3 19∗ 2 23∗ 5 29∗ 2 31 3 37 2 41 6 43 3 47∗ 5 53 2 59∗ 2 61∗ 2 67 2 71 7 73 5 79 3 83 2 89 3 97∗ 5 101 2

Example 15.2. (a) Let p be a Sophie-Germain prime, i.e., q =2p +1is also prime. (i) If p ≡ 1(mod4), then p +1is primitive root modulo q. (ii) If p ≡ 3(mod4), then p is a primitive root modulo q. Proof. If p ≡ 1(mod4), 2p +2≡ 1(modq) and 1 2p +2 2 p +1 1= = = . q q q q 2 − p ≡ p+1 − Note that q = 1. From this (p +1) q = 1(modq), the order of p +1mod q is 2p, and p +1is a primitive root. Next, if p ≡ 3(mod4), then 2p ≡−1(modq), and −1 = 2p . Again, q q p − q = 1, and p is a primitive root for q.

The beginning Sophie Germain primes

4k + 1 : 5 29 41 53 89 113 173 233 ... 4k + 3 : 3 11 23 83 131 179 191 239 ... Exercise 2. If p is a Fermat prime, then every quadratic nonresidue mod p is a primitive root for p. ≡ 1 − − 3. If p 3(mod4)and q = 2 (p 1) are both primes, then 3 is a primitive root for p. ≡ ∈ Z• 1 − − 4. Let p 3(mod4)be a prime. If a p has order 2 (p 1), then a is a primitive root for p.

1Those with asterisks are primes admitting 10 for a primitive root. 15.1 Periodicity of decimal expansions of rational numbers 317

≡ 1 − 5. If p 3(mod8)and q = 2 (p 1) are both primes, then 2 is a primitive root for p. ≡ 1 − − 6. If p 7(mod8)and q = 2 (p 1) are both primes, then 2 is a primitive root for p. 7. Referring to Example 8.2.7 above, how many primitive roots does 73 have ? List them. What about 29 ? 8. For an odd prime p, a primitive root for pk is also a primitive root for p. 9. If g is a primitive root for an odd prime p and if gp−1 − 1 is divisible by p2, then g is not a primitive root for pk, k ≥ 2. 10. Let g be a primitive root for an odd prime p. (a) If p ≡ 1(mod4), then −g is also a primitive root for p. ≡ − 1 − Z• (b) If p 3(mod4), then g has order 2 (p 1) in p. Artin’s conjecture:Ifg is a nonzero integer, not a square nor −1, then there are inﬁnitely many primes p such that g is a primitive root mod p. Theorem 15.3. A positive integer n admits primitive roots if and only if n is 1, 2, 4,pa or 2pa for an odd prime p and a ≥ 1.

15.1 Periodicity of decimal expansions of rational numbers

a h k Let r = b be a reduced fraction in which b =25 n, with gcd(n, 10) = 1.Ifl = max(h, k), then the decimal expansion of r is a period of length after l terms, and Z• the length of the period is the order of 10 in the group of units of n. In particular, 1 if p is a prime admitting 10 as a primitive root, then the decimal expansion of p is periodic with period p − 1. For examples,

1 =0.0588235294117647; 17 1 =0.052631578947368421; 19 1 =0.0434782608695652173913; 23 1 =0.0344827586206896551724137931. 29 Example 15.3. The prime 31 does not admit 10 as a primitive root. To ﬁnd the 1 Z period of 31 , we determine the order of 10 in 31.Now,3 is a primitive root of 31, 14 and 3 =10. By Theorem 15.3, ord31(14) = 15. 1 =0.032258064516129. 31 318 Primitive roots Chapter 16

Sums of two and four squares

16.1 Fermat’s two-square theorem

Theorem 16.1. Let p be an odd prime. p is a sum of two squares if and only if p ≡ 1(mod4). In this case, the expression is unique. Proof. (Euler) Since p ≡ 1(mod4), the equation x2 + y2 = mp is solvable in integers for some m. We want to show that the smallest possible value of m is 1. | | | | p p Note that we may choose x , y < 2 so that m< 2 .Ifm =1, it cannot divide 2| 2 2 | p both of x and y, for otherwise m x + y = mp and m p, contrary to m< 2 . Now choose integers a and b such that x1 = x − am and y1 = y − bm satisfy | | | |≤ m x1 , y1 2 . Note that x1 and y1 cannot be both zero, and m2 0

2 2 xx1 + yy1 = x(x − am)+y(y − bm)=(x + y ) − (ax + by)m = mX xy1 − yx1 = x(y − bm) − y(x − am)=m(−bx + ay)=mY for some X and Y . From this it follows that

X2 + Y 2 = mp with m

p2 =(a2 + b2)(x2 + y2)=(ax + by)2 +(ay − bx)2 =(ax − by)2 +(ay + bx)2 320 Sums of two and four squares

Note that

(ax + by)(ay + bx)=ab(x2 + y2)+(a2 + b2)xy = p(ab + xy).

This means that one of ax+by and ay+bx is divisible by p. Since ax+by, ay+bx ≤ − − x a b p, we must have ay bx =0or ax by =0. In other words, y = b or a . Indeed, x a y = b . It follows that we must have x = a and y = b.

16.2 Representation of integers as sums of two squares

We say that a representation n = x2 + y2 is primitive if gcd(x, y)=1. Lemma 16.2. If n has a prime divisor q ≡ 3(mod4), then it does not have a primitive representation.

Proof. Suppose to the contrary that n = x2 +y2 is a primitive representation. Since q divides n, it does not divide any of x and y. In the ﬁeld Zq, we write y = ax for some a. This means that 0=x2 + y2 = x2(1 + a2). Since x =0 ,wehavea2 = −1 in Zq, q ≡ 3mod4, a contradiction. Theorem 16.3. a bi cj n =2 pi qj i j be the prime factorization of n in which the p’s and q’s are respectively primes of the form 4k +1and 4k +3. The number n is expressible as a sum of two squares if and only if each of the exponents cj is even.

2 2 Proof. (Sufﬁciency) Since 2=1 +1, and every pi is a sum of two squares, if every cj is even, by repeatedly using the composition formula

(a2 + b2)(x2 + y2)=(ax + by)2 +(ay − bx)2 we easily obtain n as a sum of two squares. (Necessity) Let n be divisible by a prime q ≡ 3(mod4), with highest power qc, c odd. Consider a representation n = x2 + y2, with gcd(x, y)=d>1. Let qc be the highest power of q dividing d. (Possibly, c =0). Write x = dX, y = dY . Then gcd(X, Y )=1. Let N = X2 + Y 2. The highest power of q dividing N is qc−2c . This is positive since c is odd, contradicting Lemma 16.2 above.

16.3 Lagrange’s four-square theorem

Theorem 16.4. Every positive integer can be represented as a sum of four squares of nonnegative integers. 16.3 Lagrange’s four-square theorem 321

Lemma 16.5 (4-square identity).

2 2 2 2 2 2 2 2 2 2 2 2 (x1 + x2 + x3 + x4)(y1 + y2 + y3 + y4)=z1 + z2 + z3 + z4, where

z1 = x1y1 + x2y2 + x3y3 + x4y4,

z2 = x1y2 − x2y1 + x3y4 − x4y3,

z3 = x1y3 − x2y4 − x3y1 + x4y2,

z4 = x1y4 + x2y3 − x3y2 − x4y1.

Therefore it is enough to prove Lagrange’s theorem for prime numbers.

Lemma 16.6. Let p be a prime number. There are integers x and y such that x2 + y2 +1≡ 0(modp).

{ 2 ∈ Z ∈ Z} p+1 Proof. The set S := x p : x has exactly 2 elements; so does the set 2 T := {−(x +1)∈ Zp : x ∈ Z}.Now,

p +1 p +1 |S ∩ T | = |S| + |T |−|S ∪ T |≥ + − p =1. 2 2 Therefore, there are integers x and y satisfying x2 ≡−(y2 +1)(modp), i.e., x2 + y2 +1≡ 0(modp).

16.3.1 Descent Let p be a prime number. There are integers x and y such that x2 +y2 +1is divisible 2 2 2 2 by p. We write this in the form x1 + x2 + x3 + x4 = kp for some integer k. Clearly, | | | | | | | |≤ p−1 p · p 2 2 we may assume x1 , x2 , x3 , x4 2 < 2 . This means kp < 4 2 = p and k

≡ | | k Suppose k is odd. For i =1, 2, 3, 4, choose yi xi with yi < 2 . Note that 2 2 2 2 ≡ 2 2 2 2 2 2 2 2 y1 + y2 + y3 + y4 x1 + x2 + x3 + x4 (mod k). Write y1 + y2 + y3 + y4 = kq for some q

1 Chapter 17

Finite continued fractions

17.1 Euler’s function F for ﬁnite continued fractions

a Every rational number b can be written as a ﬁnite continued fraction in the form a 1 = q + , b 1 1 q + 2 1 q3 + . 1 .. + qn where q1, q2,...,qn are the quotients in the Euclidean algorithm sequence for (a, b): putting r0 = a, r1 = b, we deﬁne qk and rk for k =1,...,nby

r0 = r1q1 + r2,

r1 = r2q2 + r3, . .

rn−2 = rn−1qn−1 + rn,

rn−1 = rnqn.

Here, q = rk−1 , and k rk

r1 >r2 >r3 > ···>rn > 0.

The number rn is the gcd of a and b. If we assume the rational number given in its lowest terms, then rn =1. We shall write the continued fraction above simply as [q1,q2,...,qn].Now,itis easy to compute the following. q [q ]= 1 , 1 1 402 Finite continued fractions

q1q2 +1 [q1,q2]= , q2 q1q2q3 + q1 + q3 [q1,q2,q3]= , q2q3 +1 q1q2q3q4 + q1q2 + q1q4 + q2q3 +1 [q1,q2,q3,q4]= , q2q3q4 + q2 + q4 . .

Euler has given a very elegant procedure of computing ﬁnite continued fractions: F (q1,q2,...,qk) [q1,q2,...,qk]= , F (q2,...,qk) where F is the function obtained in the following way: F (q1,q2,...,qk) is the sum q1q2 ···qk and all products obtained by deleting pairs of consecutive factors, with the stipulation that if k is even, deleting all consecutive pairs leads to the empty product 1. Note that

F (q1,q2,...,qk)=F (qk, ··· ,q2,q1); F (q1,q2,...,qk+1)=F (q1,q2,...,qk−1)+qk+1F (q1,q2,...qk).

In the euclidean algorithm sequence,

rk = F (qk+1,qk+2,...,qn), for k =0, 1, 2,...,n.

17.2 Cornacchia’ algorithm for a prime as a sum of two squares

Like the sequence rk, we use the same recurrence relations to generate two sequences sk and tk, using the same qk but with different initial values (iv) s0 =1, s1 =0; (v) t0 =0, t1 =1. It is clear that rk = ask + btk for each k.

Proposition 17.1. (1) rk = ask + btk for every k. In particular, btk ≡ rk (mod a). (2) The sequences (sk) and (tk) are alternating in sign. More precisely,

k k+1 sk =(−1) |sk| and tk =(−1) |tk|, for k =0, 1, 2,...,n+1. 17.2 Cornacchia’ algorithm for a prime as a sum of two squares 403

(3) The sequences (|sk|) and (|tk|) satisfy

|sk+1| = |sk−1| + qk|sk|, |tk+1| = |tk−1| + qk|tk|.

(4) The sequence (|tk|) is increasing. Consequently, the reversal of (|tk|) is a euclidean algorithm sequence. Theorem 17.2 (Cornacchia). Let p ≡ 1(mod4)be a prime, and q the “smaller positive square root” of −1modp.Ifx and y are the ﬁrst two remainders in the euclidean algorithm sequence of (p, q), then p = x2 + y2. Proof. In the euclidean algorithm table for the pair (a, b)=(p, q) (ending in n divisions), we make the following observations. (1) n is even. (2) The sequence (|tk|) is the reversal of (rk); i.e., |tk| = rn+1−k for every k ≤ n. (3) The sequence (qk) is palindromic; i.e., qn+1−k = qk for every k ≤ n. 2 2 (4) rk + tk is divisible by p for every k. √ (5) Let n =2m. In the sequence (rk), rm is the ﬁrst term smaller than p. Clearly, |tn+1| = p. Since rn =1,wehaveqtn ≡ 1modp, and tn ≡−q mod p. It follows that tn = −q or p − q. The reversal of (|tk|) is a euclidean algorithm sequence ending in exactly n divisions (as the sequence (rk)). If |tn| = p − x, the sequence of division would be

p, p − q, q, . . . which would be longer than the division sequence of (p, q), a contradiction. Thus, (1) n is even, and (2) the reversal of sequence (|tk|) is the euclidean algorithm sequence of (p, q), which is exactly the sequence (rk). (3) is an immediate consequence of (2). ≡ 2 ≡ 2 2 ≡−2 (4) follows from qtk rk mod p. Squaring, we have rk q tk tk mod p, and 2 2 ≡ rk + tk 0modp. (5) Write n =2m. Note that rm = F (qm+1,qm+2,...,q2m), and p = r0 = F (q1,q2,...,q2m).Now, 2 · rm = rm rm = F (qm+1,qm+2,...,q2m)F (qm+1,qm+2,...,q2m) = F (qm,qm−1,...q1)F (qm+1,qm+2,...,q2m) = F (q1,q2,...qm)F (qm+1,qm+2,...,q2m).

It is clear that each term in the product is contained in F (q1,q2,...,q2m). This 2 shows that rm

= F (qm,qm+1,qm+2,...,q2m)F (qm,qm+1,qm+2,...,q2m) = F (qm+1,qm,qm−1,...q1)F (qm,qm+1,qm+2,...,q2m) = F (q1,q2,...qm,qm+1)F (qm,qm+1,qm+2,...,q2m).

Every product in F (q1,q2,...,q2m) is contained in this product. This shows that 2 rm−1 >p. 2 2 2 2 2 2 Now,√ since rm + rm+1 = rm + tn−m = rm + tm is divisible by p, and rm+1 < 2 2 rm < p, the sum rm + rm+1 being positive and smaller than 2p, must be p. Chapter 18

Inﬁnite continued fractions

Associated with an inﬁnite continued fraction [q0,q1,q2,q3,...,qn,...] is a sequence of convergents which are ﬁnite continued fractions:

Pk =[q0,q1,...,qk]. Qk

The numerators Pk and Qk can be determined recursively as follows.

Pk = Pk−2 + qkPk−1,P−2 =0,P−1 =1, Qk = Qk−2 + qkQk−1,Q−2 =1,Q−1 =0. Example 18.1. 1. The successive convergents of the continued fraction [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] are computed easily using these relations.

k −2 −101 2 3 4 5 6 7 8 9 qk 12 3 4 5 6 7 8 9 10 Pk 0 1 1 3 10 43 225 1393 9976 81201 740785 7489051 Qk 1 0 1 2 7 30 157 972 6961 56660 516901 5225670

2. Here are the convergents of the continued fraction [1, 2, 1, 3, 1, 4, 1, 5, 1, 6] and their differences:

3 4 15 19 91 110 641 751 5147 1 2 3 11 14 67 81 472 553 3790

1 −1 1 −1 1 −1 1 −1 1 2 6 33 154 938 5427 38232 261016 2095870 Note that the numerators of the differences are all ±1. − k−1 Lemma 18.1. Pk − Pk−1 = ( 1) . Qk Qk−1 Qk−1Qk

Proof. Write Pk − Pk−1 = Nk .Wehave Qk Qk−1 Qk−1Qk

Nk = PkQk−1 − QkPk−1 406 Inﬁnite continued fractions

=(Pk−2 + qkPk−1)Qk−1 − (Qk−2 + qkQk−1)Pk−1 = −(Pk−1Qk−2 − Qk−1Pk−2) = −Nk−1.

k−1 k−1 Since N1 =1, we have by easy induction Nk =(−1) N1 =(−1) , and the result follows.

Theorem 18.2. Let q0,q1,...,qn,... be an inﬁnite sequence of positive integers, q0 possibly zero. The inﬁnite continued fraction

a := [q0,q1,q2,...,qn,...] is always well deﬁned, i.e., limn→∞[q0,q1,...,qn] exists. This limit is always an irrational number.

Proof. ≥ Pn For each n 0, let an be the n-th convergent Qn . By the above lemma,

n+1 n n (−1) (−1) (−1) (Qn+1 − Qn−1) an+2−an =(an+2−an+1)+(an+1−an)= + = . Qn+1Qn QnQn−1 Qn−1QnQn+1

Note that (Qn) is an increasing sequence of positive integers, (this is clear from the recurrence relation for Qn). It follows that a0,a2,a4,... is an increasing sequence, and a1,a3,a5,... is a decreasing sequence. Furthermore, each a2h+1 is greater than every a2k:

It follows that the subsequences a2n and a2n+1 are convergent; indeed, they con- verge to a common limit since 1 lim a − lim a = lim (a − a ) = lim =0 →∞ 2n+1 →∞ 2n →∞ 2n+1 2n →∞ n n n n Q2nQ2n+1 since the sequence (Qn) of positive integers is strictly increasing. The common limit a of these two subsequences is the inﬁnite continued fraction [q0,q1,...,qn,...]. This number a is irrational since its continued fraction expansion is not ﬁnite. Let ζ be a real, irrational number, The continued fraction expansion of ζ can be found recursively as follows. 1 ζ0 = ζ, q0 =[ζ0]; ζn+1 = ,qn+1 =[ζn+1]. ζn − [ζn] Then, ζ =[q0,q1,q2,...,qn,...]. 407

Theorem 18.3 (Lagrange). Let d be a nonsquare integer.√ The continued fraction expansion of of a quadratic irrationality of the form a + b d, a, b ∈ Q,iseventually periodic; i.e., there exist k and l such that in the expansion √ a + b d =[q0,q1,...,qn,...], qk+nl+i = qk+i for n ≥ 0, 0 ≤ i

√ √ √2∗ =[1, 2]; √27 = [5, 5, 10]; √3=[1, 1, 2]; √28 = [5, 3, 2, 3, 10]; √5∗ =[2, 4]; √29∗ =[5, 2, 1, 1, 2, 10]; √6=[2, 2, 4]; √30 = [5, 2, 10]; √7=[2, 1, 1, 1, 4]; √31 = [5, 1, 1, 3, 5, 3, 1, 1, 10]; √8=[2, 1, 4]; √32 = [5, 1, 1, 1, 10]; √10∗ =[3, 6]; √33 = [5, 1, 2, 1, 10]; √11 = [3, 3, 6]; √34 = [5, 1, 4, 1, 10]; √12 = [3, 2, 6]; √35 = [5, 1, 10]; √13∗ =[3, 1, 1, 1, 1, 6]; √37∗ =[6, 12]; √14 = [3, 1, 2, 1, 6]; √38 = [6, 6, 12]; √15 = [3, 1, 6]; √39 = [6, 4, 12]; √17∗ =[4, 8]; √40 = [6, 3, 12]; √18 = [4, 4, 8]; √41∗ =[6, 2, 2, 12]; √19 = [4, 2, 1, 3, 1, 2, 8]; √42 = [6, 2, 12]; √20 = [4, 2, 8]; √43 = [6, 1, 1, 3, 1, 5, 1, 3, 1, 1, 12]; √21 = [4, 1, 1, 2, 1, 1, 8]; √44 = [6, 1, 1, 1, 2, 1, 1, 1, 12]; √22 = [4, 1, 2, 4, 2, 1, 8]; √45 = [6, 1, 2, 2, 2, 1, 12]; √23 = [4, 1, 3, 1, 8]; √46 = [6, 1, 3, 1, 1, 2, 6, 2, 1, 1, 3, 1, 12]; √24 = [4, 1, 8]; √47 = [6, 1, 5, 1, 12]; 26∗ =[5, 10]; 48 = [6, 1, 12].

2. Some simple patterns: √ √a2 +1 = [a, 2a]; √a2 − 1=[a − 1, 1, 2a − 2]; √a2 + a =[a, 2, 2a]; √a2 +2 = [a, a, 2a]; a2 − 2=[a − 1, 1,a− 2, 1, 2a − 2]. 408 Inﬁnite continued fractions Chapter 19

Lagrange’s Theorem

19.1 Purely periodic continued fractions

Let a be represented by a purely periodic continued fraction:

ζ =[q0,q1,...,qk]. This means ζ =[q ,q ,...,q ,ζ]. Let Pk−1 and Pk be the last two convergents of 0 1 k Qk−1 Qk the ﬁnite continued fraction [q0,q1,...,qk]. Then,

P − + ζP ζ = k 1 k . Qk−1 + ζQk From this, we see that ζ is a root of the quadratic equation

2 Qkx − (Pk − Qk−1)x − Pk−1 =0. Since the product of the two roots of this equation, being − Pk−1 , is negative, exactly Qk one of them is positive. This√ must be the number ζ, and it is clear that this is a number of the form a + b d, a, b ∈ Q. Here, d cannot be a square, for otherwise, the number ζ would have been rational.

19.2 Eventually periodic continued fractions

It follows that a number with eventually periodic continued fraction expansion is also a quadratic irrationality. Consider

μ =[p0,p1,...,ph, q1,...,qk]. Let ζ be the irrational number with √purely periodic continued fraction expansion [q1,...,qk]. This is of the form a + b d according to §19.1. If h =0, then 1 μ =[p ,ζ]=p + 0 0 ζ 410 Lagrange’s Theorem √ ∈ Q ≥ P P is clearly of the form a + b d, a ,b .Ifh 1, let Q and Q be the last two convergents of the continued fraction [p0,...,ph]. Then P + ζP μ =[p ,...,p ,ζ]= . 0 h Q + ζQ √ This also is of the form a + b d, a,b ∈ Q. We have therefore proved the easier half of Lagrange theorem: every eventually periodic continued fraction represents a quadratic irrationality. The proof of the converse is more difﬁcult, and requires a more detailed analysis of numbers with purely periodic continued fraction expansions.

19.3 Reduced quadratic irrationalities

Let ζ =[q0,q1,...,qk]. It is the positive root of the quadratic equation

x =[q0,q1,...,qk,x]. Note that q − x = −1 , and this can be rewritten as 0 [q1,...,qk,x] −1 −1 [q0, ]= . x [q1,...,qk,x] Continuing, we obtain −1 −1 [q ,q − ,...,q ,q , ]= . k k 1 1 0 x x −1 This means ζ is the positive root of x =[q0,q1,...,qk,x] if and only if ζ is the positive root of y =[qk,qk−1,...,q0,y]. Consequently, it follows that every equation of the form x =[q0,...,qk,x] has exactly one positive root ζ>1, and one negative root between −1 and 0. This negative root is necessarily the conjugate ζ. We shall say that a quadratic irrationality ζ is reduced if it satisﬁes the condition

ζ>1 > 0 > ζ>−1.

We may paraphrase the conclusion by saying that a purely periodic continued fraction represents a reduced quadratic irrationality.

19.4 Proof of Lagrange’s theorem

Consider now a general quadratic irrationality of the form √ P + d ζ = , Q 19.4 Proof of Lagrange’s theorem 411 where P , Q and d are integers. By replacing P , Q and d by suitable integer multi- d−P 2 ples, we may assume that Q is an integer, and we shall work with this assumption, and write d = P 2 + QQ for an integer Q. √ P + d Lemma 19.1. If the quadratic irrationality ζ = Q is reduced, then the integers P and Q are positive, and √ √ √ P<[ d],Q

√ √ √ 1 Q Q(−P + mQ + d) −P + mQ + d −P + mQ + d = √ = = = . − − − − 2 1 − − 2 − 2 ζ m P mQ + d d (P mQ) Q [d (P mQ) ] Q +2mP m Q Note that in this expression,

d − (−P + mQ)2 =(d − P 2)+2mP Q − m2Q2 = Q(Q +2mP − m2Q).

It follows that we can obtain the continued fraction expansion of ζ by working out

P0 = P, Q0 = Q, Q−1 = Q , √ Pk + d ζk = ,qk =[ζk], Qk

Pk+1 = −Pk + qkQk,

d − P 2 − 2 k+1 Qk+1 = Qk−1 +2qkPk qkQk = . Qk

Note that ζ =[q0,...,qn−1,ζn]. In particular,

P − + ζ P − ζ = n 2 n n 1 . Qn−2 + ζnQn−1 Consider the conjugate P − + ζ P − ζ = n 2 n n 1 . Qn−2 + ζnQn−1 From this, − Pn−2 Q − ζ − P − Q − ζ ζ = − n 2 n 2 = − n 2 · Qn−2 . n Pn−1 Q − ζ − P − Qn−1 ζ − n 1 n 1 Qn−1

Pn Since the sequence Qn converges to ζ, we can choose N large enough so that ζN lies between −1 and 0. In other words, ζN is reduced. 412 Lagrange’s Theorem

It follows as a consequence of this observation that in the construction of the continued fraction expansion of ζ above, all ζn, n ≥ N, are reduced. By Lemma 19.1, we have √ √ 0

There must exist distinct integers h, k ≥ N such that

Ph = Pk,Qh = Qk.

If we choose h and k = h + r to be the smallest possible integers for which these hold, then for every integer t ≥ 0 and 0 ≤ s

Ph+tr+s = Ph+s,Qh+tr+s = Qh+s.

From this, qh+tr+s = qh+s. This completes the proof of Lagrange’s theorem.

Corollary 19.2. The continued fraction expansion of a reduced quadratic irrationality is purely periodic.

Proof. It is enough to show that if ζ =[q0, q1,...,qr] is reduced, then indeed, 1 q0 = qr. (The general case follows by induction). Let θ =[q1,...,qr]. Since q0 + θ is reduced, 1 1 q0 + > 1 > 0 >q0 + > −1. θ θ From this, q =[− 1 ]. However, − 1 has continued fraction expansion [q ,...,q ]. 0 θ θ r 1 It follows tht qr = q0. Exercise

1 1. If x is reduced, then so is x−[x] .

2. If a quadratic irrationality ζ>1 satisﬁes ζ<−1, then the continued fraction expansion of ζ has one single term before the period. 1

1Solution. There is a positive integer c such that c + ζ lies between −1 and 0. In other words, c + ζ is reduced, and has periodic continued fraction expansion [q0,...,qr]. Then,

ζ =[q1 − c, q2,...,qr,qr]. Chapter 20

The Pell Equation

20.1 The equation x2 − dy2 =1

Let d be a ﬁxed integer. We consider the Pell equation x2 − dy2 =1. Clearly, if d is negative or is a (positive) square integer, then the equation has only ﬁnitely many solutions.

Theorem 20.1. Let d be a nonsquare, positive integer. The totality of positive solu- 2 2 tions of the Pell equation x − dy =1form an inﬁnite sequence (xn,yn) deﬁned recursively by

xn+1 = axn + dbyn, yn+1 = bxn + ayn; x1 = a, y1 = b, where (x1,y1)=(a, b) is the fundamental solution (with a, b smallest possible) obtained from the continued fraction expansion √ d =[q0, q1,...,qk], √ as follows. Let Pk−1 the (k − 1)−th convergent of d. Qk−1 (a). If the length of the period is even, then (a, b)=(Pk−1,Qk−1) is the smallest positive solution of the Pell equation x2 − dy2 =1. (b). If the length of the period is odd, then the smallest positive solution of the 2 − 2 2 2 equation x dy =1is (a, b)=(Pk−1 + dQk−1, 2Pk−1Qk−1).

Examples 1. The fundamental solution of the Pell equation x2 − 2y2 =1is (3,2). This generates an inﬁnite sequence of nonnegative solutions (xn,yn) deﬁned by

xn+1 =3xn +4yn,yn+1 =2xn +3yn; x0 =1,y0 =0. 414 The Pell Equation

The beginning terms are

n 12 3 4 5 6 7 8 9 10... xn 3 17 99 577 3363 19601 114243 665857 3880899 22619537 ... yn 2 12 70 408 2378 13860 80782 470832 2744210 15994428 ...

2. Fundamental solution (a, b) of x2 − dy2 =1for d<100:

da b da b d a b 23 2 32 1 5 9 4 65 2 78 3 8 3 1 10 19 6 11 10 3 12 7 2 13 649 180 14 15 4 15 4 1 17 33 8 18 17 4 19 170 39 20 9 2 21 55 12 22 197 42 23 24 5 24 5 1 26 51 10 27 26 5 28 127 24 29 9801 1820 30 11 2 31 1520 273 32 17 3 33 23 4 34 35 6 35 6 1 37 73 12 38 37 6 39 25 4 40 19 3 41 2049 320 42 13 2 43 3482 531 44 199 30 45 161 24 46 24335 3588 47 48 7 48 7 1 50 99 14 51 50 7 52 649 90 53 66249 9100 54 485 66 55 89 12 56 15 2 57 151 20 58 19603 2574 59 530 69 60 31 4 61 1766319049 226153980 62 63 8 63 8 1 65 129 16 66 65 8 67 48842 5967 68 33 4 69 7775 936 70 251 30 71 3480 413 72 17 2 73 2281249 267000 74 3699 430 75 26 3 76 57799 6630 77 351 40 78 53 6 79 80 9 80 9 1 82 163 18 83 82 9 84 55 6 85 285769 30996 86 10405 1122 87 28 3 88 197 21 89 500001 53000 90 19 2 91 1574 165 92 1151 120 93 12151 1260 94 2143295 221064 95 39 4 96 49 5 97 62809633 6377352 98 99 10 99 10 1

3. Pell’s equations whose fundamental solutions are very large:

da b 421 3879474045914926879468217167061449 189073995951839020880499780706260 541 3707453360023867028800645599667005001 159395869721270110077187138775196900 601 38902815462492318420311478049 1586878942101888360258625080 613 464018873584078278910994299849 18741545784831997880308784340 661 16421658242965910275055840472270471049 638728478116949861246791167518480580 673 4765506835465395993032041249 183696788896587421699032600 769 535781868388881310859702308423201 19320788325040337217824455505160 919 4481603010937119451551263720 147834442396536759781499589 937 480644425002415999597113107233 15701968936415353889062192632 949 609622436806639069525576201 19789181711517243032971740 991 379516400906811930638014896080 12055735790331359447442538767 20.2 The equation x2 − dy2 = −1 415

4. The equation x2 − 4729494y2 =1arises from the famous Cattle problem of Archimedes, and has smallest positive solution

x = 109931986732829734979866232821433543901088049, y = 50549485234315033074477819735540408986340.

Exercise 1. Solve the Pell equations (a) x2 +3y2 =1; (b) x2 − 4y2 =1for integer solutions. 1 2. Find the 10 smallest nonnegative solutions of the Pell equation x2 − 3y2 =1. 2

3. For a positive, nonsquare integer n, let (an,bn) be the fundamental solution 2 2 of the Pell equation x − ny =1.Ifn is a square, set bn =0. (a) Show that every positive integer occurs inﬁnitely often in the sequence (bn). k (b) Determine all occurrences of p , p prime, k>0, in the sequence (bn).

4. Deduce that if√p is a prime of the form 4k +1, then the continued fraction expansion of p has odd period.

20.1.1 If (a, b) is the fundamental solution of the Pell equation x2 − dy2 =1, generating the inﬁnite sequence of nonnegative solutions (x0,y0)=(1, 0), (x1,y1)=(a, b), (x2,y2),...,(xn,yn),...,then

xn+1 =2axn − xn−1; yn+1 =2ayn − yn−1.

20.2 The equation x2 − dy2 = −1 √ Indeed, if the length of the period of the continued fraction expansion of d is odd, then (Pk−1,Qk−1) is the smallest positive solution of the equation x2 − dy2 = −1. Only when this period is odd does this equation have solutions. 1(a). (x, y)=(±1, 0); (b). (x, y)=(±1, 0). 2 n 12 3 4 5 6 7 8 9 10 11 ... xn 2 7 26 97 362 1351 5042 18817 70226 262087 978122 ... yn 1 4 15 56 209 780 2911 10864 40545 151316 564719 ... 416 The Pell Equation

Examples 1. Smallest positive solution (a, b) of x2 − dy2 = −1 for the ﬁrst 24 values of d:

da b dab dab 21 1 521 1031 13 18 5 17 4 1 26 5 1 29 70 13 37 6 1 41 32 5 50 7 1 53 182 25 58 99 13 61 29718 3805 65 8 1 73 1068 125 74 43 5 82 9 1 85 378 41 89 500 53 97 5604 569 101 10 1

2. If p ≡ 1(mod4)is prime, then the equation x2 − py2 = −1 is solvable.

Proof. Let (a, b) be the fundamental solution of x2 − py2 =1. This means a2 − 1=pb2. Note that a must be odd, for otherwise a2 − 1 ≡−1(mod4), but pb2 ≡ 1(mod4), a contradiction. Consequently, gcd(a +1,a− 1) = 2, and we have (i) a +1=2r2, a − 1=2ps2,or (ii) a +1=2pr2, a − 1=2s2, for some nonnegative integers r and s. In (i), we have r2 − ps2 =1, with r

20.3 The equation x2 − dy2 = c

Let d be a nonsquare integer, and c an integer other than 0, ±1. Clearly, the equation

x2 − dy2 = c is solvable only if d is a quadratic residue modulo c (Exercise). This condition, however, is not sufﬁcient to√ guarantee existence of solutions. Consider the continued fraction expansion of d: √ d =[q0, q1,...,qk], with the ﬁrst k convergents

Pi =[q0,q1,...,qi],i=0, 1, 2,...,k− 1. Qi √ Theorem 20.2. If |c| < d, and x2 − dy2 = c is solvable, then c must be one of the 2 − 2 − numbers Pi dQi , i =0, 1, 2,...,k 1. 20.4 Applications 417

Theorem 20.3. Let c>1 be a positive integer. (a) If the equation x2 − dy2 = c is solvable, it must have a fundamental solution (u, v) in the range 1 b √ 0 < |u|≤ (a +1)c, 0 ≤ v ≤ · c. 2 2(a +1)

Every solution appears in a doubly inﬁnite sequence (xn,yn)

un+1 = aun + dbvn, vn+1 = bun + avn,u1 = u, v1 = v, for some (u, v) in the range above. (b) Same conclusion for the equation x2 − dy2 = −c, except that it must have a solution (u, v) in the range 1 b √ 0 ≤|u|≤ (a − 1)c, 0

Example 20.1. Consider the equation x2 − 23y2 =4· 11 · 23. It is easy to see that x and y must be both even, and 23 divides x. With x =46h, y =2k,wehave 23h2 − k2 =11,ork2 − 23h2 = −11. The fundamental solution of x2 − 23y2 =1 being (a, b)=(24, 5), we need only ﬁnd y in the range 1 ≤ h ≤ 2 It is now easy to see that only h =2gives k =9. From this we obtain (x1,y1)=(92, 18). The other solutions are generated recursively by

xn+1 =24xn + 115yn,yn+1 =5xn +24yn,x1 =92,y1 =18.

Here are the ﬁrst 5 solutions.

n 12 3 4 5 ... xn 92 4278 205252 9847818 472490012 ... yn 18 892 42798 2053412 98520978 ···

20.4 Applications

1. Which triangular numbers are squares ? Suppose the k−th triangular number 1 2 1 2 2 Tk = 2 k(k +1)is the square of n. n = 2 k(k +1); 4k +4k +1=8n +1; (2k +1)2 − 8n2 =1. The smallest positive solution of the Pell equation 2 2 x −8y =1being (3, 1), we have the solutions (ki,ni) of the equation given by

2ki+1 +1 = 3(2ki +1)+8ni, ni+1 =(2ki +1)+3ni,k0 =1,n0 =1. 418 The Pell Equation

This means

ki+1 =3ki +4ni +1, ni+1 =2ki +3ni +1,k0 =1,n0 =1.

The beginning values of k and n are as follows.

i 01 2 3 4 5 6 7 8 9 10 ... ki 1 8 49 288 1681 9800 57121 332928 1940449 11309768 65918161 ... ni 1 6 35 204 1189 6930 40391 235416 1372105 7997214 46611179 ...

2. Find all integers n so that the mean and the standard deviation of n consecutive integers are both integers. If the mean of n consecutive integers is an integer, n must be odd. We may therefore assume the numbers to be −m ,−(m− 1),...,−1,0,1,...,m − 1, 1 m. The standard deviation of these number is 3 m(m +1). For this to be an 1 2 2 2 integer, we must have 3 m(m +1)=k for some integer k. m = m =3k ; n2 =(2m +1)2 =12k2 +1. The smallest positive solution of the Pell equation n2 − 12k2 =1being (7,2), the solutions of this equations are given by (ni,ki), where

ni+1 =7ni +24ki, ki+1 =2ni +7ki,n0 =1,k0 =0.

The beginning values of n and k are

i 12 3 4 5 6 7 8 ... ni 7 97 1351 18817 262087 3650401 50843527 708158977 ... ki 2 28 390 5432 75658 1053780 14677262 204427888 ...

3. Find all Pythagorean triangles the lengths of whose two shorter sides differ by 1. Let x and x +1be the two shorter sides of a Pythagorean triangle, with hypotenuse y. Then y2 = x2 +(x +1)2 =2x2 +2x +1. From this, 2y2 =(2x +1)2 +1. The equation With z =2x +1, this reduces to the Pell equation z2 − 2y2 = −1, which we know has solutions, with the of this equations are (zn,yn) given recursively by smallest positive one (1, 1), and the equation z2 − 2y2 =1has smallest positive solution (3, 2). It follows that the solutions are given recursively by

zn+1 =3zn +4yn, yn+1 =2zn +3yn,z0 =1,y0 =1. 20.4 Applications 419

If we write zn =2xn +1, these become

xn+1 =3xn +2yn +1, yn+1 =4xn +3yn +2,x0 =0,y0 =1.

The beginning values of xn and yn are as follows.

n 12345678910... xn 3 20 119 696 4059 23660 137903 803760 4684659 27304196 ... yn 5 29 169 985 5741 33461 195025 1136689 6625109 38613965 ...

4. Find eleven consecutive positive integers, the sum of whose squares is the square of an integer. Answer:

182 +192 + ···+282 =772, 382 +392 + ···+482 = 1432, 4562 + 4572 + ···+ 4662 = 15292, 8542 + 8552 + ···+ 8642 = 28492, 91922 + 91932 + ···+ 92022 = 305032, 171322 + 171332 + ···+ 171422 = 568372, . . 420 The Pell Equation Chapter 21

Sums of consecutive squares

21.1 Sums of an odd number of consecutive squares.

Suppose the sum of the squares of 2k +1consecutive positive integers is a square. If the integers are b, b ± 1,...,b± k. We require 1 (2k +1)b2 + k(k + 1)(2k +1)=a2 3 for an integer a. From this we obtain the equation 1 a2 − (2k +1)b2 = k(k + 1)(2k +1). (E ) 3 k

1. Suppose 2k +1is a square. Show that (Ek) has solution only when k = 6m(m + ) for some integers m>1, and = ±1. In each case, the number of solutions is ﬁnite.

Number of solutions of (Ek) when 2k +1is a square

2k + 1 25 49 121 169 289 361 529 625 841 961 ... 01127353310...

2. Find the unique sequence of 49 (respectively 121) consecutive positive integers whose squares sum to a square. Answer: 252 +262 + ···+732 = 3572; 2442 + 2452 + ···+ 3642 = 33662; Remark: The two sequences of 169 consecutive squares whose sums are squares are

302 +312 + ···+ 1982 = 16122; 5102 + 5112 + ···+ 6782 = 77482. 422 Sums of consecutive squares

3. Suppose 2k +1is not a square. If k +1is divisible 9=32 or by any prime of the form 4k +3≥ 7, then the equation (Ek) has no solution. 4. Show that for the following values of k<50, the equation (Ek) has no solution:

k =6, 8, 10, 13, 17, 18, 20, 21, 22, 26, 27, 30, 32, 34, 35, 37, 40, 41, 42, 44, 45, 46, 48,... − 1 3 k(k+1) − 5. Suppose p =2k +1is a prime. If the Legendre symbol p = 1, then the equation (Ek) has no solution. 6. Show that for the following values of k<50, the equation (Ek) has no solution: 1, 2, 3, 8, 9, 14, 15, 20, 21, 26, 33, 39, 44.

We need only consider (Ek) for the following values of k:

5, 7, 11, 16, 19, 23, 25, 28, 29, 31, 36, 38, 43, 47, 49.

7. Check that among these, only for k =5, 11, 16, 23, 29 are the equations (Ek) solvable. 8. From the data of Example 20.1, work out 5 sequences of 23 consecutive integers whose squares add up to a square in each case. Answer:

72 +82 + ···+292 =922; 8812 + 8822 + ···+ 9032 = 42782; 427872 + 427882 + ···+ 428092 = 2052522; 20534012 + 20534022 + ···+ 20534232 = 98478182; ·········

2 2 9. Consider the equation (E36): a − 73b =12· 37 · 73. Check that this equation does in fact have solutions (u, v) = (4088, 478), (23360, 2734). 10. Make use of the fundamental solution of x2 − 73y2 =1, namely, (a, b) = (2281249, 267000), to obtain two sequences of solutions of (E73): Answer:

(4088, 478), (18642443912, 2181933022), (85056113063608088, 9955065049008478),... (23360, 2734), (106578370640, 12474054766), (486263602888235360, 56912849921762734),...

This means, for example, the sum of the squares of the 73 numbers with center 478 (respectively 2734) is equal to the square of 4088 (respectively 23360). 21.2 Even number of consecutive squares. 423

21.2 Even number of consecutive squares.

Suppose the sum of the squares of the 2k consecutive numbers

b − k +1,b− k +2,...,b,...,b+ k − 1,b+ k, is equal to a2. This means 2k (2a)2 − 2k(2b +1)2 = (4k2 − 1). (E ) 3 k Note that the numbers 2k, 4k2 − 1 are relatively prime. 1. Show that the equation (Ek) has no solution if 2k is a square. 2. Suppose 2k is not a square. Show that if 2k +1is divisible by 9, or by any prime of the form 4k +1, then the equation (Ek) has no solution. ≤ 3. Show that for k 50, the equation (Ek) has no solution for the following values of k:

k =3, 4, 5, 9, 11, 13, 15, 17, 21, 23, 24, 27, 29, 31, 33, 35, 38, 39, 40, 41, 45, 47, 49.

4. Let k be a prime. Show that the equation (Ek) can be written as 4k2 − 1 (2b +1)2 − 2ky2 = − . 3 By considering Legendre symbols, show that the equation (Ek) has no solution for the following values of k ≤ 50:

k =5, 7, 17, 19, 29, 31, 41, 43.

5. By using Theorem 10.5.3, check that, excluding square values of 2k<100, the equation (Ek) has solutions only for k =1, 12, 37, 44. The case 2k =2has been dealt with in Example 10.6.3. 6. Show that (34, 0), (38, 3), (50, 7) are solutions of (E”12). Construct from them three inﬁnite sequences of expressions of the sum of 24 consecutive squares as a square. Answer:

252 +262 + ···+482 = 1822; 442 +452 + ···+672 = 2742; 762 +772 + ···+992 = 4302.

7. Show that (185, 2), (2257,261), and (2849, 330) are solutions of (E37). Construct from them three inﬁnite sequences of expressions of the sum of 74 consecutive squares as a square. 424 Sums of consecutive squares

Answer:

2252 + 2262 + ···+ 2982 = 22572; 2942 + 2952 + ···+ 3672 = 28492; 130962 + 130972 + ···+ 131792 = 7638652.

8. Show that and (242, 4) and (2222,235) are solutions of (E44). Construct from them two inﬁnite sequences of expressions of the sum of 88 consecutive squares as a square. Answer:

1922 + 1932 + ···+ 2792 = 22222; 59252 + 59262 + ···60122 = 559902.

2 − 2 · · Remark: The equation (E26):x 52y =18 52 53 does indeed have two inﬁnite sequences of solutions generated by the particular solutions (338, 36), (2002,276), and the fundamental solution (649,90) of the Pell equation x2 −52y2 = 1. None of these, however, leads to a solution of (E26) since all the y’s are even. Chapter 22

Some simple cryptosystems

A cryptosystem consists of (i) encryption and decryption (or enciphering and deciphering) algorithms, usually assumed known, and (ii) encryption and decryption keys. A plaintext is enciphered using an encryption key, sent to a receiver, who deciphers the ciphertext by ﬁnding an appropriate decryption key.

22.1 Shift ciphers

The simplest cryptosystem is the shift ciphers. The encryption algorithm is simply shifting the alphabet by a ﬁxed number. Clearly the decryption algorithm is of the same kind. The encryption key is the number of spaces shifted forward or backward. For example, the plaintext A point is that which has no part. A line is length without breadth. The extremities of a line are points is shifted 5 places forward to yield the ciphertext

FUTNSYNXYMFYBMNHMMFXSTUFWYFQNSJNXQJSLYMBN YMTZYGWJFIYMYMJJCYWJRNYNJXTKFQNSJFWJUTNSYX The receiver of the ciphertext, knowing the encryption algorithm but not the key, ﬁrst studies the frequencies of the various letters in the ciphertext, and makes use of known frequency statistics to ﬁgure out the appropriate shift to decipher the message.

A BCDEFGH I J K L M 0210081119118 NOPQRSTUVWXY Z 10 0 0 3 1 6 5 3 0 4 5 12 1 502 Some simple cryptosystems

Here are the percentage frequencies of letters in English:

abcd e fghi jklm 8.2 1.5 2.8 4.3 12.7 2.2 2.0 6.1 7.0 0.2 0.8 4.0 2.4 nopq r s tuvwxyz 6.7 7.5 1.9 0.1 6.0 6.3 9.1 2.8 1.0 2.3 0.1 2.0 0.1

The most frequently occurring letters in a reasonably long passage in English are e, followed by t, a, o, i, n. For the current ciphertext, it is reasonable to decipher by a shift that makes Y ← e,orN ← e,orJ ← e. If we decipher by Y ← e, shifting 6 places forward, the ﬁrst few letters FUTNS- YNXY yield laztyetde, which is not a meaningful text. This is also the case with N ← e, 9 places backward. The next one, J ← e, 5 places backward, easily deciphers the message. Exercise A shift cipher yields the following ciphertext:

FSDHN WHQJN XJVZF QYTFW NLMYF SLQJI YWNFS LQJNS BMNHM TSJTK YMJXN IJXFG TZYYM JWNLM YFSLQ JNXJV ZFQYT YMJWF INZXF SIYMJ GFXJN XJVZF QYTYM JHNWH ZRKJW JSHJ with frequency count: A BCDE F GH I J K L M 0 101012264182 5 9

NOPQR S TUVWXY Z 1200718 603 7 7126

Decipher the message.

22.2 Afﬁne ciphers

An afﬁne cipher is a generalization of the shift cipher. The letters in the alphabets are replaced by the numbers 0, 1,...,26. abcdefghi jklm 0123456789101112 ABCDEFGH I J KLM nopqr s tuvwxyz 13 14 15 16 17 18 19 20 21 22 23 24 25 NOPQRSTUVWXYZ 22.2 Afﬁne ciphers 503

The encryption algorithm is to encode a letter corresponding to an integer x by the letter corresponding to the integer αx + β mod 26 obtained by some affine substitution. To make decryption possible, the encryption key (affine substitution) x → αx + b mod 26 is required to be invertible, so that the decryption key is of the same form x → ax + b mod 26 for some integers a, b. This means that α and a should be units in Z26. Suppose we decide that two certain LETTERS (represented by integers x1 and x2) are the ciphertexts of two letters (represented by integers y1 and y2. The coeffi- cients of the decryption key are determined by

ax1 + b = y1

ax2 + b = y2.

From these, a(x1 − x2)=y1 − y2 mod 26 should have a solution a ∈ Z26. The corresponding value of b can be easily determined.

Example 22.1. Suppose by an afﬁne cipher we have the following ciphertext:

HXOFS SGSRP KMFOB EEOOM ECPSF NASKE IXSAI ORSBS KBHAH JOEAP IOAHE KPLSK FHOLE KIIOE EICPF ORSJJ SQOLF WLOKH OBSPS MWDSE XKCCP LESSP APLOO LHXOS PJWBA EGAEH XCHHX OBOMC WFOCL OMCPL RSBHX OOCBJ AOBFS SGEAP HXOEO BAOE

To decipher this we ﬁrst study the frequencies of the letters:

A B CD E F GH I J KLM 11 10 9 1 16 8 3 12 6 5 8 9 5 N O P Q R S T U VWXY Z 1 261214 2000 0 4 80 0

(1) The most frequently occurring letters are O (26 times) and S (20 times). It is reasonable to take O ← e and S ← t. This suggests a decryption key which takes 14 → 4 and 18 → 19. Note that the congruence (18 − 14)a ≡ 19 − 4mod26, i.e., 4a ≡ 5mod26,is clearly unsolvable. (2) We try O ← e, and S ← a, with decryption key 14 → 4 and 18 → 0. This gives a = −1 and b =18, and the decryption key x → 18 − x mod 26: ABCDEFGH I J KLM s rqponml k j i hg NOPQRSTUVWXY Z fedcbazyxwvu t With this, the ﬁrst few letters HXOFSSGSRP correspond to jtclyykyzb, an un- intelligible string. 504 Some simple cryptosystems

(3) We make another attempt: O ← e and S ← o with decryption key 14 → 4 and 18 → 14. Here, 4a ≡ 10 mod 26 has solution a ≡ 9mod13. Modulo 26, a is either 9 or 22. Since a is a unit in Z26, we choose a =9. From this b ≡ 4−14×9 ≡ 8mod26. The decryption key x → 9x +8mod26yields the deciphering ABCDEFGH I J KLM x 0123456789101112 9x +8 81709181101921120312 irajsbktcludm NOPQRSTUVWXYZ x 13 14 15 16 17 18 19 20 21 22 23 24 25 9x +8 21 4 13 22 5 14 23 6 15 24 7 16 25 venwfoxgpyhqz Applying this to the ciphertext, we obtain HXOFSSGSRP KMFOBEEOOM ECPSFNASKE IXSAIORSBS thebookofn umbersseem sanobvious choiceforo KBHAHJOEAP OAHEKPLSK FHOLEKIIOE EICPFORSJJ urtitlesin ceitsundou btedsucces scanbefoll SQOLFWLOKH OBSPSMWDSE XKCCPLESSP APLOOLHXOS owedbydeut eronomyjos huaandsoon indeedtheo PJWBAEGAEH XCHHXOBOMC WFOCLOMCPL RSBHXOOCBJ nlyriskist hattherema ybeademand fortheearl AOBFSSGEAP HXOEOBAOE ierbooksin theseries

The book of numbers seems an obvious choice for our title, since its undoubted success can be followed by Deuteronomy, Joshua, and so on. Indeed the only risk is that there may be a demand for the earlier books in the series. J. H. Conway and R. K. Guy, The Book of Numbers, Preface.

Example 22.2. Decipher the following message obtained by an afﬁne substitution:

FRFYM JRFYN HNFSQ NPJFU FNSYJ WTWFU TJYNX FRFPJ WTKUF YYJWS XNKMN XUFYY JWSXF WJRTW JUJWR FSJSY YMFSY MJNWX NYNXG JHFZX JYMJD FWJRF IJTKN IJFX

Frequency count: A B C D E F G H I J K L M 0 0 0 1 0 18 1 2 2 18 3 0 5 N O P Q R S T U V W X Y Z 11 0 2 1 6 7 5 5 0 10 8 13 1 22.3 A matrix encryption system 505

A B C D E F G H I J K L M x 0 1 2 3 4 5 6 7 8 9 10 11 12 decrypt key

N O P Q R S T U V W X Y Z x 13 14 15 16 17 18 19 20 21 22 23 24 25 decrypt key

22.3 A matrix encryption system

Consider a cryptosystem that makes use of 25 symbols for the alphabet, by confus- ing z with x. Identify a, b, c, ...y with 0, 1, 2, ...24, and write these numbers in base 5: abcdefghi j k lm 00 01 02 03 04 10 11 12 13 14 20 21 22 ABCDEFGH I J K LM nopqr s tuvwx,zy 23 24 30 31 32 33 34 40 41 42 43 44 N O P Q R S T U V W X,Z Y ab For encryption, we choose an invertable 2 × 2 matrix P = and a cd u column vector Q = over the ﬁeld Z . Treat each of the 2-digit number as a v 5 → ∈ Z2 column vector X and, multiply by P to encode a X PX + Q 5. For P to be invertible, its determinant ad − bc must be nonzero in Z5. This condition is also sufﬁcient. In this case, the inverse is given by −1 ab − d −b =(ad − bc) 1 . cd −ca

The decryption key is a transformation of the same kind, namely, X → AX +B for some invertible matrix Aand column matrix B. 24 1 For example, with P = , Q = ,wehave 03 3

abcdefg h i j k lm X 00 01 02 03 04 10 11 12 13 14 20 21 22 PX + Q 13 01 44 32 20 33 21 14 02 40 03 41 34 I BYRKSL J CUDVT n o p q r s t u v w x,z y X 23 24 30 31 32 33 34 40 41 42 43 44 PX + Q 22 10 23 11 04 42 30 43 31 24 12 00 MFNGEWPX,ZQOHA 506 Some simple cryptosystems

With this encryption key, the plaintext Let no one ignorant of geometry enter here is enciphered into

VKPMFFMKCLMFEIMPFSLKFTKPEAKMPKEJKEK 31 1 The decryption key is X → X − . 02 1

Example 22.3. Consider the following message obtained from a matrix encryption:

THLLTLENGXSAYTLEAIRTHLKIEXQCYCTYVISOELHLNYCBCXCTA

Here, a frequency count A B C D E F G H I J K L M 3 1 5 0 4 0 1 3 3 0 1 7 0 N O P Q R S T U V W X,Z Y 2 1 0 1 1 2 6 0 1 0 3 4 suggests L ← e, T ← t, C ← i We ﬁnd a decryption key X → AX + B such that

2 0 A + B = , 1 4 3 3 A + B = , 4 4 0 1 A + B = . 2 3

By subtraction, we have 1 3 3 1 A = and A = . 3 0 1 4 These can be combined into one single matrix equation 13 31 A = . 31 04

From this, − 31 13 1 01 A = = , 04 31 42 0 01 2 4 and B = − = . 4 42 1 4 22.3 A matrix encryption system 507

Therefore, the decryption key is 01 1 X → X − . 42 1

ABCDEFGH I J K LM 00 01 02 03 04 10 11 12 13 14 20 21 22 44 01 13 20 32 43 00 12 24 31 42 04 11 ybikrxahoqweg NOPQRS TUVWXY 23 24 30 31 32 33 34 40 41 42 43 44 23 30 41 03 10 22 34 40 02 14 21 3 3 npvdfmtuc j l s Thus, we decode the message as THLLT LENGX SAYTL EAIRT HLKIE XQCYC theet ernal myste ryoft hewor ldisi TYVIS OELHL NYCBC XCTA tscom prehe nsibi lity

The eternal mystery of the world is its comprehensibility.

1Answer to Example 22.2: A mathematician, like a painter or a poet, is a maker of patterns. If his patterns are more permanent than theirs, it is because they are made of ideas. (G. H. Hardy, A Mathematician’s Apology, §10). 508 Some simple cryptosystems Chapter 23

A public key cryptosystem

23.1 RSA-cryptosystems

The RSA-cryptosystem 1 is a public key cryptosystem based on the difﬁculty of factorization of large integers. Let p and q be prime numbers, and N = pq, with

ϕ(N)=ϕ(pq)=(p − 1)(q − 1) = N +1− p − q.

Let e be an integer prime to ϕ(N), so that there exists d with ed ≡ 1modϕ(N). In such a cryptosystem, plaintexts and ciphertexts are converted into numbers 26k. We may regard a block of k letters (under the usual identiﬁcation of a, b, c, ...by 0, 1, ..., 25) as the base 26-expansion of an integer. For example if N ≈ 500, 000, we may convert blocks of 4 letters like math into

12 · 263 +0· 262 +19· 26 + 7 = 211413 and other numbers

1Named after Rivest, Shamir and Adleman 510 A public key cryptosystem

Example 23.1. Here is an illustration with small primes. Let N = 1271 (which is the product of two small primes, 31 and 41). Here ϕ(N) = 1200. We treat texts as 2-letter blocks, and use the encryption key RSAe(1271, 7). Given the plaintext no, we (i) convert it into the number x =13· 26 + 14 = 352, (ii) compute 3527 mod 1271, getting 602, and (iii) write 602 = 23 · 26 + 4, corresponding to XE. For the decryption key, we ﬁrst ﬁnd ϕ(1271) = 1200 and the inverse of 7mod 1200, which is d = 343. This leads to RSAd(1271, 343). Therefore, to decode the message, (i’) convert XE into the integer 602, (ii’) compute 602343 mod 1271, getting 352, (iii’) write 352 = 13 · 26 + 14 and decipher the text as no.

Given a large number N which is known to be the product of two large prime numbers, it is very difﬁcult to factor N, (equivalently to ﬁnd ϕ(N)), and therefore the inverse d = e−1 mod N. Bob publishes on his website his encryption key

fB := RSAe(N,e) and conceals his decryption key

−1 fB := RSAd(N,d).

He invites messages sent to him encrypted by his public key. e Alice does so. She takes a plaintext x, encodes it according to fB(x)=x mod N, and sends it to Bob as a ciphertext y

23.2 Signature

Alice and Bob, by publishing their own encryption keys:

Alice: fA := RSAe(Na,ea) Bob: fB := RSAe(Nb,eb) can communicate without fearing intercepted messages being decoded easily. Alice wants to send a message (in the form of a number x

◦ −1 send fB(x) to Bob. Instead, Alice sends z := fB fA (x). In other words, Alice applies −1 (i) to x her own (concealed) decryption key fA to get y, and then (ii) to y Bob’s public key fB to get z. Alice then sends z to Bob. When Bob receives z, he applies −1 (i) ﬁrst his own decryption key fB to get w (which is the same as y above), and then (ii) to w Alice’s public key fA to get a meaningful message x. −1 Since Alice is (supposedly) the only person knowing fA , Bob knows that this message has been sent by Alice.

Example 23.2. Suppose Alice’s public key is fA = RSAe(1247, 11). Her con- −1 cealed decryption key is fA = RSAd(1247, 107). Bob uses the public key fB = −1 RSAe(1271, 7) and conceals his own decryption key fB = RSAd(1271, 343). To send the message no (corresponding to the number x = 352) to Bob, Alice (i) uses her own decryption key to ﬁnd y = 352107 ≡ 796 mod 1247, (ii) applies Bob’s public key to get z = 7967 ≡ 259 mod 1271 and sends z (or the corresponding ciphertext JZ). When Bob receives JZ (or the number 259), he (i’) applies his own decryption key to get w = 259343 ≡ 796 mod 1271, (ii’) applies Alice’s public key to get x = 7967 ≡ 352 mod 1247, which corresponds to the plaintext no. 512 A public key cryptosystem Chapter 24

Factoring integers

24.1 Flipping a coin over the phone

Alice and Bob play a coin-ﬂipping game over the phone. (1) Alice chooses two large distinct prime numbers p and q, both congruent to 3mod4, computes the product N = pq and gives it to Bob, concealing the primes p and q. N (2) Bob takes a random integer x< 2 , sticks it to one side of a coin. He then computes y = x2 mod N and gives it to Alice. Modulo N, this number y has four square roots ±A and ±B. One of them is congruent to x mod N. Over the telephone, Alice would give Bob a number. She wins if her number is congruent ±x mod N, and loses if not. (3) Alice, using the primes p and q can actually compute the four square roots ≡ p+1 q+1 of y mod N. This is what she would do. Since p, q 3mod4, 4 and 4 are integers. Alice puts

p+1 q+1 a ≡ y 4 mod p and b ≡ y 4 mod q.

It is easy to check that a2 ≡ y mod p and b2 ≡ y mod q. By the Chinese remainder theorem, Alice ﬁnds A mod N and B mod N satisfying

A ≡ a mod p, A ≡ b mod q, and B ≡ a mod p, B ≡−b mod q. Alice sticks ±A to one side of her coin, and ±B to the other side. She chooses one face and reports the numbers (±A or ±B) to Bob. She wins if her number coincides with Bob’s, and loses otherwise. In other words, Alice wins if and only if her coin turns up the same face as Bob’s. (5) Receiving Alice’s number, Bob informs her if she wins or loses. 514 Factoring integers

Suppose Bob tells Alice that she loses. How can Alice make sure that Bob does not lie? If Alice really loses, she would have given a distinct square root of y other than x. This means Bob now has both square roots ±A and ±B of y mod N. From A2 ≡ B2 mod N, he should be able to factor N = pq (by giving gcd(A − B, N) as a nontrivial divisor). Here is an illustration with very small primes.

Example 24.1. Alice chooses p =43and q =59(both prime numbers of the form 4k +3). She computes the product

N = pq = 2537 and gives it to Bob. Bob chooses the number x = 1234, and gives Alice

y = x2 ≡ 556 mod N.

When Alice receives y, she ﬁrst computes a = 55611 ≡ (−3)11 ≡ 13 mod 43 and b = 55615 ≡ 2515 ≡ 5mod59, and then determines A and B, by the Chinese remainder theorem,

A ≡ 13 mod 43,A≡ 5mod59⇒ A ≡ 1303 ≡−1234 mod 2537, and

B ≡ 13 ≡ 43,B≡−5mod59⇒ B ≡ 1647 ≡−890 mod 2537.

Therefore, Alice wins if she gives 1234 or 1304, loses if she gives 890 or 1647. Suppose she gives 890 to Bob. Bob would tell her that she loses and conﬁrms by giving her the divisor gcd(1234 − 890, 2537) = 43 of N.

24.2 The quadratic sieve

Lemma 24.1. Given an integer N, if there are integers x, y satisfying

x2 ≡ y2 mod N, but x = ±y mod N, then N is composite with a nontrivial divisor gcd(x − y, N).

Examples (1) For N = 799,wehave

302 ≡ 101 mod N and 642 ≡ 101 mod N.

This means that modulo N, 0 ≡ 642 − 302 ≡ (64 − 30)(64 + 30) ≡ 2 · 17 · 2 · 47. Since N is odd, we obtain the divisors 17 and 47. Indeed, 799 = 17 · 47. 24.3 Factoring by continued fractions 515

(2) Let N = 3837523.Wehave

93982 =55 · 19 mod N, 190952 =22 · 5 · 11 · 13 · 19 mod N, 19642 =32 · 133 mod N, 170782 =26 · 32 · 11.

Multiplication gives

(9398 · 19095 · 1964 · 17078)2 ≡ (24 · 32 · 53 · 11 · 132 · 19)2 mod N, or 22303872 ≡ 25867052 mod N. Thus, gcd(3837523, 2586705 − 2230387) = gcd(3837523, 356318) = 1093 is a divisor of N. The other divisor is 3511.

24.3 Factoring by continued fractions √ Since the convergents of the√ continued fraction expansion of N are very good P 2 − rational approximations to N, it is expected that for such a convergent Q , P NQ2 is a small integer (in comparison with N), and so have a factorization into “small primes”. This observation provides a reasonable way of performing the quadratic sieve.

Example 24.2. Let N = 2537. From the continued fraction expansion of √ N =[50, 2, 1, 2, 2, 12, 5, 1, 5, 2, 5, 1, 5, 12, 2, 2, 1, 2, 100], we compute

qk 50 2 1 2 2 ··· Pk 50 101 151 403 957 ··· 2 − − − ··· Pk mod N 37 53 32 41 8 From these,

1512 ≡−25 mod N 9572 ≡−23 mod N.

Therefore, (151 · 957)2 ≡ (24)4 mod N. From this, we obtain gcd(151 · 957 − 24, 2537) = 59. This gives the factorization 2537 = 59 · 43. 516 Factoring integers

Example 24.3. Consider again N = 3837523, with continued fraction 1

√ N = [1958, 1, 23, 1, 3, 1, 13, 1, 1, 4, 4, 1, 1, 5, 16, 1, 1, 1, 2, 1, 5, 2, 2, 1, 3, 1, 1, 3, 1, 1, 3, 1, 1, 1, 3, 5, 1, 61, 2, 1, 6, ···].

If we restrict to very small primes, we ﬁnd with the 36-th convergent q35 =5, P35 = 428399. Here,

4283992 ≡ 3249 ≡ (3 · 19)2 mod N.

This gives gcd(428399 − 3 · 19,N) = 3511 as a divisor. The other divisor is gcd(428399 + 3 · 19,N) = 1093. Exercise

1. Let N = 642401. Make use of

5161072 ≡ 7modN and 1877222 ≡ 22 · 7modN

to factor N.

2. Let N = 2288233. Make use of

8805252 ≡ 2modN, 20572022 ≡ 3modN, 6485812 ≡ 6modN

to factor N.

1The period has length 1162. We list here the ﬁrst 40 entries of the period. Chapter 25

Elliptic Curves

25.1 Group law on y2 = x3 + ax2 + bx + c

Consider an elliptic curve

(E) y2 = f(x):=x3 + ax2 + bx + c.

We shall write a point P on (E) in the form P =(x[P ],y[P ]), and put the identity at a point of inﬁnity, so that y[−P ]=−y[P ].

Q P ∗ Q

P + Q

Consider a line of slope m passing through P . It has equation y − y[P ]=m(x − x[P ]). It intersects the elliptic curve (E) at points whose x- coordinates are the roots of the equation

(mx +(y[P ] − mx[P ]))2 = x3 + ax2 + bx + c, or equivalently,

x3 − (m2 − a)x2 − (2m(y[P ] − mx[P ]) − b)x + c − (y[P ] − mx[P ])2 =0. 602 Elliptic Curves

Since the sum of the three roots of the cubic is m2 − a, we make the following conclusions. (1) If the line is the tangent at P , then f (x[P ]) (i) m = 2y[P ] , (ii) the third intersection has x-coordinate

f (x[P ])2 m2 − a − 2x[P ]= − a − 2x[P ] 4y[P ]2 x[P ]4 − 2bx[P ]2 − 8cx[P ]+(b2 − 4ac) = 4y[P ]2 x[P ]4 − 2bx[P ]2 − 8cx[P ]+(b2 − 4ac) = . 4(x[P ]3 + ax[P ]2 + bx[P ]+c) The y-coordinate can be computed from the equation of the line.

x[P ]4 − 2bx[P ]2 − 8cx[P ]+(b2 − 4ac) x[2P ]= . 4(x[P ]3 + ax[P ]2 + bx[P ]+c)

(2) If the line joins two points P1 and P2 on (E), then − m = y[P1] y[P2] (i) x[P1]−x[P2] ; (ii) the third intersection has x-coordinate

m2 − a − x[P ] − x[P ] 1 2 2 y[P1] − y[P2] = − a − (x[P1]+x[P2]) x[P1] − x[P2]

x[P1]x[P2](x[P1]+x[P2]+2a)+b(x[P1]+x[P2]) + 2c − 2y[P1]y[P2] = 2 . (x[P1] − x[P2]) The y-coordinate can be computed from the equation of the line.

25.2 The discriminant

The discriminant of the cubic f(x):=x3 + ax2 + bx + c is the number

D := −4a3c + a2b2 +18abc − 4b3 − 27c2.

Theorem 25.1 (Nagell-Lutz). Let P =(x, y) be a ﬁnite order point of (E): y2 = x3 + ax2 + bx + c. Then either y =0(in which case P has order 2)ory2|D.

Theorem 25.2 (Mazur). The torsion group of the rational points of an elliptic curve over Q is one of the following 15 groups: (i) Zn with n =1, 2, 3,...,9, 10, 12; (ii) Z2n ⊕ Z2 with n =1, 2, 3, 4. 25.2 The discriminant 603

Example 25.1. y2 = x3 +17has two obvious integer points P =(−2, 3) and Q =(−1, 4).

\ − h k 1 0 1 − − −206 −541 2 (2, 5) (8, 23) 81 , 729 −1 (4, 9) (−2, −3) (52, −375) 0 (1, −4) ∞ (−1, 4) 1 (52, 375) (−2, 3) (4, −9) −206 541 − 2 81 , 729 (8, 23) (2, 5) Also 3P +2Q =(43, 280) and 2P +3Q = (5234, 378661).

Q ∗ R

P Q P ∗ Q

Q + R R

P + Q P ∗ (Q + R)=(P + Q) ∗ R 604 Elliptic Curves

Example 25.2. y2 = x3 − 43x + 166 has an integer point P =(3, 8).

2P =(−5, −16), 3P =(11, −32), 4P =(11, 32). This means that 4P = −3P and 7P =0. The point generates a cyclic group of order 7.

25.3 Points of ﬁnite order

Consider an elliptic curve y2 = f(x)=x3 + ax2 + bx + c. (1) A point P =(x, y) has order 2 if and only if y =0. In this case, x is a root of f(x). (2) A point P =(x, y) has order 3 if and only if x is a root of 3x4 +4ax3 +6bx2 +12cx +(4ac − b2)=0. Proof. x[2P ]=x[P ]. Theorem 25.3 (Nagell-Lutz). Let y2 = x3 + ax2 + bx + c, a, b, c ∈ Z be a nonsingular cubic curve with discriminant D.If(x, y) is a rational point of ﬁnite order, then x and y are integers and either y =0(in which case P has order 2)ory2|D. Example 25.3. y2 = x3 +5x2 +4x = x(x +1)(x +4)has three rational roots. The points (0, 0), (−1, 0), and (−4, 0) are order 2 points. Discriminant = 24 · 32. y2 =22: x = −2, (−2, 2), (−2, −2). y2 =22 · 32: x =2, (2, 6), (2, −6). For each of these, x(2P )=0. This means that these are order 4 points. Theorem 25.4 (Mazur). The torsion group of the rational points of an elliptic curve over Q is one of the following 15 groups: (i) Zn with n =1,2,3,...,9,10,12; (ii) Z2n ⊕ Z2 with n =1,2,3,4. Example 25.4. Elliptic Curve Torsion group Discriminant y2 = x3 +2 0 −22 · 33 2 3 2 y = x + x Z2 −2 2 3 4 3 y = x +4 Z3 −2 · 3 2 3 8 y = x +4x Z4 −2 Chapter 26

Factoring Integers 2

26.1 Pollard’s algorithm

To factor a large composite integer N, ﬁrst choose a number K, say of the form

lk = LCM[1, 2,...,k], and compute gcd(2lk − 1,N). 1 If this is between 1 and N, then it gives a factorization of N. To execute the computations efﬁciently, note that if we write c = k k gcd(k,lk−1) lk and bk =2 mod N, then (i) lk = cklk−1, ≡ ck (ii) bk bk−1 mod N.

Example 26.1. N = 2537:

lk k ck lk bk := 2 mod N gcd(bk − 1,N) 2 2 2 4 1 3 3 6 64 1 4 2 12 −978 1 5 5 60 −586 1 6 1 60 −586 1 7 7 420 1162 43

This gives 2537 = 43 · 59.

Example 26.2. Let N = 246082373.

1The base 2 may be replaced by other a in the range 1

lk k ck lk bk := 2 mod N gcd(bk − 1,N) 1 1 1 2 1 2 2 2 22 ≡ 4 1 3 3 6 43 ≡ 64 1 4 2 12 642 ≡ 4096 1 5 5 60 (4096)5 ≡−51132818 1 6 1 60 −51132818 1 7 7 420 (−51132818)7 ≡ 60592910 1 8 2 840 (60592910)2 ≡−30746792 1 9 3 2520 (−30746792)3 ≡−115141632 2521

Note gcd(b9 − 1,N)=gcd(−115141633,N) = 2521 since

(−115141633)(21806) + (246082373)(10203) = 2521.

Thus, we have found a divisor 2521 of 246082373. This gives

246082373 = 2521 · 97613.

Example 26.3. N = 618240007109027021. It takes k = 243 to get the divisor 250387201 and factorization

N = 250387201 · 2469135821.

26.2 Factoring with elliptic curves

Given an elliptic curve y2 = x3 + bx + c, ((E):) with integer coefﬁcients and a prime number p, we consider

2 3 y ≡ x + bx + c (mod p). ((E)p:)

The addition laws

2 x(P1 + P2)=m − x(P1) − x(P2), x(2P )=λ2 − 2x(P ), apply to (E)p since

y(P ) − y(P ) 3x2 + a m = 1 2 ,λ= x(P1) − x(P2) 2y can be interpreted as elements of Zp. 26.2 Factoring with elliptic curves 607

2 3 Example 26.4. Consider (E)5 : y = x +4x+4 (mod 5). There are only ﬁnitely many points on the curve, namely,

(0, 2), (0, 3), (1, 2), (1, 3), (2, 0), (4, 2), (4, 3), ∞.

3−2 1 ≡ In computing (1, 2) + (4, 3),wehavem = 4−1 = 3 2mod5. Therefore,

2 x3 ≡ 2 − 1 − 4 ≡ 4mod5,

y3 ≡ 2(4 − 1) + 2 ≡ 3mod5, we have (1, 2) + (4, 3) = (4, −3) = (4, 2) ∈ (E)5.

2 3 Example 26.5. Consider (E)2011 : y = x +4x+4 (mod 2011). With P =(1, 3), we compute 2P by ﬁrst evaluating at (1, 3):

dy 7 2ydy =(3x2 +4)dx ⇒ = . dx 6 · − 7 ≡ × − − Now, since 2011 + 6 ( 335) = 1,wehaveλ = 6 7 ( 335) = 334. Therefore,

2 x2 ≡ λ − 2 · 1 ≡ 949 mod 2011,

y2 ≡−334(949 − 1) + 3 ≡−902 mod 2011, we have 2(1, 3) = (949, 902) ∈ (E)2011. Similarly, 3P = (410, −824) ∈ (E)2011. Now we work out an example when the prime p is replaced by a composite. 2 3 Consider (E)2773 : y ≡ x +4x + 4 (mod 2773), again with P =(1, 3). − · 7 ≡ × − − Since 2773 6 462 = 1,wehaveλ = 6 7 ( 462) = 461. Therefore from

2 x2 ≡ λ − 2 · 1 ≡−1002 mod 2773,

y2 ≡−461(−1002 − 1) + 3 ≡−705 mod 2773, we have 2(1, 3) = (−1002, 705). Now, we we compute 3P =2P + P ,wehave 705 − 3 702 m = = . −1002 − 1 1003 Attempting to ﬁnd the inverse of 1003 modulo 2773, we have instead gcd(2773, 1003) = 59 = 2773 · 4 − 1003 · 11. Thus, the calculation fails to give 3P , but it yields a factorization of 2773 = 59 · 47. 608 Factoring Integers 2 Chapter 27

Some examples of the use of elliptic curves

27.1 The congruent number problem

The area of an integer right triangle (Pythagorean) is always a multiple of 6. Fi- bonacci asked for a right triangle with rational sides whose area is 5, and gave as an example . More generally, a positive integer n is called a congruent number if it is the area of a rational right triangle. Proposition 27.1. n is a congruent number if there is a rational number x such that x2 − n and x2 + n are both squares of rational numbers. In other words, n is the common difference of three rational squares in arithmetic progression. √ √ The lengths of the sides of the right triangle are x2 + n ± x2 − n and 2x. Let (a, b, c) be a rational right triangle with hypotenuse c and area n. From

(a + b)2 = c2 +4n, (a − b)2 = c2 − 4n, we have (a2 − b2)2 = c4 − 16n2 or a2 − b2 2 c 4 = − n2. 4 2

2 2 c 2 (a −b )c Let x = 2 and y = 8 . Multiplying the above equation throughout by x, we have y2 = x3 − n2x. Proposition 27.2. Let (x, y) be a rational point on the elliptic curve y2 = x3 −n2x. Suppose x is a square (rational number) with even denominator (when expressed in lowest terms). Then there is a rational right triangle of area n and hypotenuse 2x. 610 Some examples of the use of elliptic curves

Example 27.1. The Pythagorean triangle (3, 4, 5) with area 6 corresponds to the rational point P = 25 , − 35 on the elliptic curve y2 = x3 − 36x. Since 2P = 4 8 1442401 1726556399 1442401 1201 2 19600 , 2744000 , and 19600 = 140 , this corresponds to the rational right 7 120 1201 triangle 10 , 7 , 70 and area 6.

Example 27.2. More interesting is Fibonacci’s example, the three rational squares 31 2 41 2 49 2 12 , 12 , 12 in arithmetic progression of common difference 5. This means 3 20 41 that the rational triangle 2 , 3 , 6 has area 5. This corresponds to the rational 1681 − 62279, 2 3 − point P = 144 , 288 on the elliptic curve y = x 25x.Now, 11183412793921 468238010077154040511 2P = , . 2234116132416 2226216297771777024

What rational triangle of area 5 does this give?

Example 27.3. Since there is no Pythagorean triangle with square area, no square rational number can be a congruent number. Exercise Euler had found that 3372 ± 7 · 1202 are both squares, being the squares of 463 and 113 respectively. Make use of this to ﬁnd two rational right triangles with area 7.

27.2 Pairs of isosceles triangle and rectangle with equal perimeters and equal areas

The isosceles (5, 5, 6) and the rectangle 6 × 2 both have perimeter 16 and area 12. More generally, we seek an isosceles triangle with sides (m2 + n2,m2 + n2, 2(m2 − n2). It has perimeter 4m2, height 2mn, and area 2mn(m2 − n2).A rectangle of integer dimensions p×q has the same perimeter and area as the triangle if and only if

p + q =2m2, pq =2mn(m2 − n2).

Note that (p − q)2 =(p + q)2 − 4pq =4m4 − 8mn(m2 − n2).Ifweput 2n p − q x = ,y= , m m2 this condition becomes y2 = x3 − 4x +4. 27.3 Triangles with a median, an altitude, and an angle bisector concurrent611

Exercise 2n (1) Clearly, the point (1, 1) is on the curve. With 1= m , we take m =2, n =1. This gives the isosceles triangle (5, 5, 6) and rectangle 6 × 2 as above. (2) There is another obvious point P =(2, 2). Indeed, on the elliptic curve 2P =(0, 2), 3P =(−2, −2), 4P =(1, −1).

k ±kP (m, n) side and base p × q perimeter, area −4 (1, 1) (2, 1) 5, 6 2 × 6 (16, 12) 10 26 × 7 9 , 27 (9, 5) 106, 112 42 120 (324, 5040) − 88 554 × 10 49 , 343 (49, 44) 4337, 930 462 4340 (9604, 2005080) 206 52894 × 13 961 , 29791 (961, 103) 934130, 1825824 103664 1743378 (3694084, 180725536992) 9362 1175566 −15 10609 , 1092727 (10609, 4681) 134462642, 181278240 52009232 × 173092530

27.3 Triangles with a median, an altitude, and an angle bisector concurrent

Given triangle ABC, the altitude on BC, the bisector of angle B and the median on AB are concurrent if and only if a cos β = . c + a

E F

B D C c2+a2−b2 By the law of cosines, cos β = 2ca ,wehave a3 − ab2 + a2c − b2c − ac2 + c3 =0.

2c 2b By putting x = c+a and y = c+a , this becomes

y2 = x3 − 4x +4 again. If (x, y) is a rational point on the elliptic curve, then a : b : c =2− x : y : x. 1 − 1 To satisfy the triangle inequality, we require y<2 and 2 (2 y)

k ±kP (a, b, c) −4 (1, 1) (1, 1, 1) 10 26 7 9 , 27 (12, 13, 15) − 88 554 10 49 , 343 (35, 277, 308) 206 52894 13 961 , 29791 (26598, 26447, 3193) − 9362 1175566 15 10609 , 1092727 (610584, 587783, 482143) 589456 324783646 18 483025 , 335702375 (130866415, 162391823, 204835960) 92869078 578576841362 −21 57017601 , 430539905151 (79912701162, 289288420681, 350627203989) Chapter 28

Heron triangles and Elliptic Curves

28.1 The elliptic curve y2 =(x − k)2 − 4kx3

A triangle is determined, up to similarity, by a set of three positive real numbers {t1,t2,t3} satisfying the relation

t1t2 + t2t3 + t3t1 =1. (28.1)

Such are indeed the tangents of the half - angles of the triangle. If the triangle is scaled to have unit semiperimeter, the lengths of the sides are

t1(t2 + t3),t2(t3 + t1), and t3(t1 + t2), and the area is k = t1t2t3. From the inequality of arithmetic and geometric means, 2 ≤ 1 it is easy to see that k 27 , with equality precisely in the case of an equilateral triangle. We study triangles with rational sides and rational areas. It is clear that for such triangles, the parameters t1, t2, and t3 are all rational. Since such triangles 2 1 cannot be equilateral, we shall assume k < 27 . Elimination of t3 leads to

2 2 − − t1t2 (t1 k)t2 + kt1 =0.

A given rational number t1 determines a rational number t2, and consequently a − 2 − 3 triangle with rational sides and rational area, if and only if (t1 k) 4kt1 is a rational square. A rational point (x, y) on the elliptic curve

2 2 3 Ek : y =(x − k) − 4kx , therefore, determines rational numbers

x + y − k x − y − k t = x, t = ,t= . (28.2) 1 2 2x2 3 2x2 614 Heron triangles and Elliptic Curves

These parameters in turn deﬁne a genuine triangle provided x>k, (see Lemma 2 below), the sides of the triangles being x − k a = t (t + t )= , 1 2 3 x x + y + k b = t (t + t )= , 2 3 1 2x x − y + k c = t (t + t )= . 3 1 2 2x Given a triangle with unit semiperimeter and rational area k, we shall show that the associated elliptic curves Ek has positive rank, provided that the triangle is non- isosceles. This leads to the following theorem on the existence of arbitrary number of Heron triangles equal in perimeter and in area. Theorem 28.1. Given a non-isosceles rational triangle T (of semiperimeter 1) and a positive integer N, there are an integer s and N noncongruent Heron triangles all having the same area and perimeter as sT .

The qualification of non-isosceles triangle is essential. An example is provided 1 3 by the case of the isosceles with sides (5,5,6), with t1 = t2 = 2 , and t3 = 4 , and 3 E k = t1t2t3 = 16 . The elliptic curve k has rank 0, (See Proposition 10), showing that there are no other triangles of unit semiperimeter with the same value of k. However, such an isosceles triangle has equal perimeter and equal area as another isosceles triangle, then the elliptic curve has positive rank, and the statement of the theorem remains valid. Guy [??, D16] reports that the problem of finding as many different triples of positive integers as possible with the same sum and the same product has been solved by A. Schinzel, that there are arbitrarily many. Theorem 1 offers a solution to the same problem: an arbitrary number of such triples, with the additional property that the sum and the product multiply to a square, can be constructed from any triple of distinct positive integers x, y, z with the same property, i.e., xyz(x+y +z)=A2 for an integer A. Any such triple defines a Heron triangle with sides x + y, y + z, z + x, and area A. Let k be a rational number < √1 . The cubic polynomial 3 3

2 3 fk(x):=(x − k) − 4kx (28.3) has three distinct real roots separated by k and 3k, since

f(−∞)=+∞, f(k)=−4k4 < 0, f(3k)=4k2(1 − 27k2) > 0, f(+∞)=−∞. 28.1 The elliptic curve y2 =(x − k)2 − 4kx3 615

This means that the elliptic curve Ek has two components, one of which is compact. A point (x, y) on Ek lies in the compact component if and only if x>k.By Lemma 2 below, a point on Ek corresponds to a genuine triangle if and only if its lies in the compact component.

Lemma 28.2. A point (x, y) on the elliptic curve Ek deﬁnes a genuine triangle if and only if x>k. 2 x−k y Proof. From (28.2), t2 + t3 = x2 and t2t3 = 4x4 . It is clear that t1, t2, t3 are all positive (and deﬁnes a genuine triangle) if and only if x>k.

The addition law of Ek is given by 1 x(P + Q)= (1 − λ2) − x(P ) − x(Q), 4k where y(P )−y(Q) x(P )−x(Q) , if P = Q, λ = x(P )−k−6k·x(P )2 y(P ) , if P = Q.

Lemma 28.3. Let P be a point on the compact component of EK . The six points ±P , ±P ± I all represent the same (similarity class of) rational triangles. 2 − ± Proof. Write P =(t1,t1(t2 t3)). Then, for = 1, 2 − (P + I)=(t2,t2(t3 t1)), − 2 − (P I)=(t3,t3(t1 t2)).

Let P and Q be two distinct points on Ek, one on each of the two components. By the convexity of the compact component, it is clear that the sum P + Q lies in the compact component. Now, if P is a point in the compact component, then 2P must be in the noncompact one. It follows by induction that all odd multiples of P are in the compact component, and hence deﬁne genuine rational triangles. 1 1 − 2 − 3 Example 28.1. For k = 6 , the cubic polynomial fk(x)= 36 (1 12x+36x 24x ) is irreducible. 168 23·3·7 Example 28.2. For k = 1331 = 113 , the cubic polynomial 56 699 9 f (x)=−4k(x − )(x2 − x + ). k 33 2464 484 56 The rational root 33 corresponds to the isosceles Heron triangle (65, 65, 112).On 2 8 21 the same curve, there are rational points with x = 11 , 11 , 22 , corresponding to the Heron triangle (37, 100, 105), also of perimeter 242 and area 1848. 60 Example 28.3. For k = 343 , the cubic polynomial fk(x) has three rational roots 15 12 20 112 < 35 < 21 . The larger two correspond respectively to the isosceles triangles (24, 37, 37) and (29, 29, 40), both with perimeters 98 and area 420. On Ek 5 4 6 lie also the rational points with x = 14 , 7 , 7 , corresponding to the Heron triangle (25, 34, 39), with the same perimeter and area. 616 Heron triangles and Elliptic Curves

28.1.1 Proof of Theorem 28.1 A non-isosceles triangle with semiperimeter 1 and area k corresponds to a point P in the component of the elliptic curve Ek. Such a point cannot have ﬁnite order, and so generates an inﬁnite cyclic subgroup of Ek. The points mP lies in the compact component precisely when m is odd. For any given integer N, the points (2m − 1)P , 1 ≤ m ≤ N, all lie in the compact component, and therefore represent rational triangles Tm, each of semiperimeter 1 and area k. Let s be the least common multiple of the denominators of the lengths of sides of these N triangles. Magni- fying each of them by the factor s, we obtain a sequence of N Heron triangles, all with semiperimeter s, and area ks2.

1 Example 28.4. The right triangle (3,4,5) corresponds to the point P (1, 6 ) on the curve E1/6. The primitive Heron triangles corresponding the points P , 3P , 5P , 7P , and 9P , with their semiperimeters and areas, are as follows.

(3, 4, 5; 6, 6), (287, 468, 505; 630, 66150), (3959527, 3997940, 5810001; 6883734, 7897632297126), (3606573416251, 5935203156525, 6344028032612; 7942902302694, 10514949498356941266609606), (480700822846118327460, 630296830413008002763, 795751643958885119197; 953374648609005724710, 151487203435057523536941712814925384097350).

The LCM of the semiperimeters being

s = 1447986121797526457728510272387457724310, magnifying these triangles by appropriate factors, we obtain ﬁve Heron triangles, all with semiperimeter s and area

= 349443968153040187579733428603820320155254000034420331290213618794580660829350.

The following example shows that the hypothesis of non-isoscelesity is essential. 1 · 1 · 3 3 Remark. Let k = 2 2 4 = 16 . The elliptic curve is cyclic of order 6. In particular, it has rank 0. This value of k arises from the isosceles triangle (5, 5, 6). By Proposition 7, there is no other (noncongruent) triangle of unit semiperimeter and the same area. On the other hand, Example 1 shows that for the isosceles triangle (65,65,126), the associated elliptic curve has positive rank. Chapter 29

The ring of Gaussian integers

29.1 The ring Z[i]

29.1.1 Norm and units By the ring of Gaussian integers we mean

Z[i]:={a + bi : a, b ∈ Z}.

Each element of Z[i] is called a Gaussian integer. For α = a + bi, we deﬁne the norm N(α):=a2 + b2 ∈ Z. One important property of the norm is its multiplica- tivity:

Lemma 29.1. For α, β ∈ Z[i],

N(αβ)=N(α)N(β).

A Gaussian integer α is a unit if it is invertible in Z.Ifα is a unit with multiplicative inverse β, then αβ =1and N(α)N(β)=N(αβ)=N(1) = 1. This means that N(α)=1and α = ±1,or±i.

Proposition 29.2. The only units in Z[i] are ±1 and ±i.

29.1.2 Gaussian primes Two Gaussian integers α and β are associate if α = εβ for some unit ε ∈ Z[i]. Exercise

1. Show that the relation of being associate is an equivalence relation on Z[i].

2. Show that 2 is not a prime in Z[i]. 702 The ring of Gaussian integers

A Gaussian integer π ∈ Z[i] is prime if (i) π is not a unit in Z[i], and (ii) π = αβ ∈ Z[i] ⇒ α or β is a unit in Z[i].

Proposition 29.3. The ring of Gaussian integers satisﬁes the euclidean algorithm: for α, β ∈ Z[i] with β =0 , there are γ and δ ∈ Z[i] satisfying (i) α = βγ + δ, (ii) N(δ)

α Proof. Regarding α and β as complex numbers, we have β = x + iy for rational | − |≤ 1 | − |≤ 1 numbers x and y. Let a and b be integers such that x a 2 and y b 2 . The numbers γ := a + bi and δ := β((x − a)+(y − b)i) satisfy δ = α − βγ and so is a Gaussian integer. Since 2 δ 2 2 1 1 1 =(x − a) +(y − b) ≤ + ≤ , β 4 4 2 we have N(δ)

Corollary 29.4. The ring of Gaussian integers is a Bezout« domain: for α, β ∈ Z[i], there are γ, δ ∈ Z[i] such that

gcd(α, β)=αγ + βδ.

Proposition 29.5. The following two statements are equivalent. (i) π ∈ Z[i] is a prime. (ii) π|αβ ∈ Z[i] ⇒ π|α or π|β.

Theorem 29.6. The primes in Z[i] are precisely (i) the primes p ≡ 3(mod4)in Z, (ii) ±1 ± i which have norm 2, and (iii) a + bi for which a2 + b2 is an odd prime p ≡ 1(mod4)in Z.

Corollary 29.7 (Unique factorization). Every nonzero Gaussian integer can be decomposed “uniquely” into a product of Gaussian primes: if

α = π1 ···πh = ψ1 ···ψk for Gaussian primes π1,...,π1 and ψ1,...ψk, then (i) h = k, (ii) after a suitable permutation of ψ1, ..., ψk, for i =1, 2,...,k, the Gaussian primes πi and ψi are associate. 29.2 An alternative proof of Fermat’s two-square theorem 703

29.2 An alternative proof of Fermat’s two-square theorem

Since p ≡ 1(mod4), −1 is a quadratic residue. This means that there exists an ≤ p−1 2 2 2 integer a 2 such that a +1is divisible by p. Note that a +1 1. It follows from p2 = N(p)=N(α)N(β) that N(α)=N(β)=p, and p is a sum of two squares of integers. 704 The ring of Gaussian integers Chapter 30

Construction of indecomposable Heron triangles

30.1 Primitive Heron triangles

Given a triangle ABC with sidelengths BC = a, CA = b and AB = c, we let 1 s := 2 (a + b + c) be the semiperimeter, and A B C t =tan ,t=tan ,t=tan . 1 2 2 2 3 2 These satisfy

t1t2 + t2t3 + t3t1 =1. (30.1)

s − a s − a Y r I Z s − c r s − b r

B C s − b X s − c

We shall assume throughout this chapter that all sidelengths of triangles are rational. Such a triangle is called a rational triangle if its area is rational. Equiv- t t t t = ni i =1, 2, 3 alently, 1, 2, 3 are all rational numbers. Putting i di , , with gcd(ni,di)=1, we rewrite (30.1) in the form

n1n2d3 + n1d2n3 + d1n2n3 = d1d2d3. (30.2) 706 Construction of indecomposable Heron triangles

A rational triangle, under a suitable magniﬁcation, gives a primitive Heron triangle, one with integer sides which are relatively prime, and with integer area. In fact, by putting

a =n1(d2n3 + n2d3),

b =n2(d3n1 + n3d1), (30.3)

c =n3(d1n2 + n1d2), we obtain a Heron triangle with semiperimeter s = n1n2d3 + n1d2n3 + d1n2n3 = d1d2d3 and area = n1d1n2d2n3d3. A primitive Heron triangle Γ0 results by dividing by the sides by g := gcd(a1,a2,a3).

30.1.1 Triple of simplifying factors Unless explicitly stated otherwise, whenever the three indices i, j, k appear altogether in an expression or an equation, they are taken as a permutation of the indices 1, 2, 3. Note that from (30.1) or (30.2), any one of ti, tj, tk can be expressed in terms t = ni t = nj of the remaining two. In the process of expressing i di in terms of j dj and t = nk , we encounter certain “simplifying factors”, namely, k dk

gi := gcd(djdk − njnk,njdk + djnk), so that

gini = djdk − njnk, gidi = djnk + njdk, (30.4)

We shall call (g1,g2,g3) the triple of simplifying factors for the numbers (t1,t2,t3), or of the similarity class of triangles they deﬁne.

1 4 2 Example 30.1. For the (13, 14, 15; 84),wehavet1 = 2 , t2 = 7 and t3 = 3 . From 1 − t t 7 · 3 − 4 · 2 13 1 2 3 = = = , t2 + t3 7 · 2+4· 3 26 2 it follows that g1 =13. Similarly, g2 =1and g3 =5. On the other hand, for the 5 4 6 indecomposable Heron triangle (25, 34, 39; 420),wehave(t1,t2,t3)=(14 , 7 , 7 ). The simplifying factors are (g1,g2,g3)=(5, 17, 13).

Example 30.2. For (15, 34, 35; 252), the simplifying factors are (g1,g2,g3)=(5, 17, 5). Exercise For the sidelengths given in (30.3), we have

a = g1n1d1,b= g2n2d2,c= g3n3d3. 30.1 Primitive Heron triangles 707

30.1.2 Decomposition of Heron triangles

A Heron triangle Γ:=(a1,a2,a3; ) is said to be decomposable if there are (non- degenerate) Pythagorean triangles Γ1 := (x1,y,a1; 1), Γ2 := (x2,y,a2; 2), and = ±1 such that a3 = x1 + x2, = 1 + 2.

According as =1or −1, we shall say that Γ is obtained by juxtaposing Γ1 and Γ2,(Γ=Γ1 ∪ Γ2), or by excising Γ1 from Γ2,(Γ=Γ2 \ Γ1). In general, a Heron triangle is decomposable into two Pythagorean components if and only if it has at least one integer height. Theorem 30.1. A primitive Heron triangle can be decomposed into two Pythagorean components in at most one way. Proof. This follows from three propositions. (1) A primitive Pythagorean triangle is indecomposable. 1 (2) A primitive, isosceles, Heron triangle is decomposable, the only decomposition being into two congruent Pythagorean triangles. 2 (3) If a non-Pythagorean Heron triangle has two integer heights, then it cannot be primitive. 3

1Proof of (1). We prove this by contradiction. A Pythagorean triangle, if decomposable, is partitioned by the altitude on the hypotenuse into two similar but smaller Pythagorean triangles. None of these, however, can have all sides of integer length by the primitivity assumption on the original triangle. 2Proof of (2). The triangle being isosceles and Heron, the perimeter and hence the base must be even. Each half of the isosceles triangle is a (primitive) Pythagorean triangle, (m2 − n2, 2mn, m2 + n2), with m, n relatively prime, and of different parity. The height on each slant side of the isosceles triangle is 2mn(m2 − n2) , m2 + n2 which clearly cannot be an integer. This shows that the only way of decomposing a primitive isosceles triangle is into two congruent Pythagorean triangles. 3Proof of (3). Let (a, b, c; ) be a Heron triangle, not containing any right angle. Suppose the heights on the sides b and c are integers. Clearly, b and c cannot be relatively prime, for otherwise, the heights of the triangle on these sides are respectively ch and bh, for some integer h. This is impossible since, the triangle not containing any right angle, the height on b must be less than c, Suppose therefore gcd(b, c)=g>1. We write b = bg and c = cg for relatively prime integers ch ch b and c . If the height on c is h, then that on the side b is b = b . If this is also an integer, then h must be divisible by b. Replacing h by bh, we may now assume that the heights on b and c are respectively ch and bh. The side c is divided into bk and ±(c − bk) =0 , where g2 = h2 + k2.It follows that

a2 =(bh)2 +(cg − bk)2 = b2(h2 + k2)+c2g2 − 2bcgk = g[g(b2 + c2) − 2bck]

From this it follows that g divides a2, and every prime divisor of g is a common divisor of a, b, c. The Heron triangle cannot be primitive. 708 Construction of indecomposable Heron triangles

30.2 Gaussian integers

n We shall associate with each positive rational number t√= d , n, d√relatively prime, the primitive, positive Gaussian integer√ z(t):=d + n −1 ∈ Z[ −1]. Here, we say that a Gaussian integer x + y −1 is

• primitive if x and y are relatively prime, and • positive if both x and y are positive. √ The norm of√ the Gaussian integer z = x+y −1 is the integer N(z):=x2 +y2. The norm in Z[ −1] is multiplicative:

N(z1z2)=N(z1)N(z2). √ The argument of a Gaussian integer z = x + y −1 is the unique real number φ = φ(z) ∈ [0, 2π) deﬁned by x y cos φ = , sin φ = . x2 + y2 x2 + y2

1 A Gaussian integer z is√ positive if and only if 0 <θ(z) < 2 π. Each positive Gaussian integer z = x + y −1 has a complement √ √ z∗ := y + x −1= −1 · z, √ where z := x − y −1 is the conjugate of z. Note that N(z∗)=N(z), and π φ(z)+φ(z∗)= . (30.5) 2 for each pair of complementary√ positive Gaussian integers.√ Recall that the units of Z[ −1] are precisely ±1 and ± −1. An odd (rational)√ prime number p ramiﬁes into two non - associate primes π(p) and π(p) in Z[ −1], namely, p = π(p)π(p), if and only if p ≡ 1 (mod 4). For applications√ in the present paper, we formulate the unique factorization theorem in Z[ −1] as follows. Proposition 30.2. Let g>1 be an odd number. There is a primitive Gaussian integer θ satisfying N(θ)=g if and only if each prime divisor of g is congruent to 1 (mod 4).

30.2.1 Heron triangles and Gaussian integers

Consider the Heron triangle Γ:=Γ(t1,t2,t3) with√ sides given by (30.3). In terms of the Gaussian integers zi := z(ti)=di + ni −1, the relations (30.4) can be rewritten as √ ∗ gizi = −1 · zjzk =(zjzk) . (30.6) 30.2 Gaussian integers 709

Lemma 30.3. N(zi)=gjgk. Proof. From the relation (30.6), we have

2 gi N(zi)=N(zj)N(zk). Combining these, we have

2 (gigjgk) = N(zi)N(zj)N(zk), and the result follows easily.

Proposition 30.4. (1) gi is a common divisor of N(zj) and N(zk). (2) At least two of gi, gj, gk exceed 1. (3) gi is even if and only if all nj, dj, nk and dk are odd. (4) At most one of gi, gj, gk is even, and none of them is divisible by 4. (5) gi is prime to each of nj, dj, nk, and dk. (6) Each odd prime divisor of gi, i =1, 2, 3, is congruent to 1(mod4). Proof. (1) follows easily from Lemma 30.3. (2) Suppose g1 = g2 =1. Then, N(z3)=1, which is clearly impossible. (3) is clear from the relation (30.4). (4) Suppose gi is even. Then nj, dj, nk, dk are all odd. This means that gi, being 2 2 ≡ − a divisor of N(zj)=dj + nj 2(mod4), is not divisible by 4. Also, djdk njnk and njdk + djnk are both even, and

(djdk − njnk)+(njdk + djnk)

=(dj + nj)(dk + nk) − 2njnk ≡ 2(mod4), it follows that one of them is divisible by 4, and the other is 2 (mod 4). After cancelling the common divisor 2, we see that exactly one of ni and di is odd. This means, by (c), that gj and gk cannot be odd. (5) If gi and nj admit a common prime divisor p, then p divides both√nj and 2 2 − nj + dj , and hence dj as well, contradicting the assumption that dj + nj 1 be primitive. (6) is a consequence of Proposition 30.2.

Proposition 30.5. gcd(g1,g2,g3)=1. Proof. We shall derive a contradiction by assuming a common rational prime divisor p ≡ 1 (mod 4) of gi, gj, gk, with positive exponents ri, rj, rk in their prime factorizations. By the relation (30.6), the product zjzk is divisible by the rational ri prime power p . This means that the primitive Gaussian integers zj and zk should contain in their prime factorizations powers of the distinct primes π(p) and π(p). 710 Construction of indecomposable Heron triangles

The same reasoning also applies to each of the pairs (zk,zi) and (zi,zj), so that zk and zi (respectively zi and zj) each contains one of the non - associate Gaussian primes π(p) and π(p) in their factorizations. But then this means that zj and zk are divisible by the same Gaussian prime, a contradiction.

Corollary 30.6. If a, b, c are given as in (30.3), then

gcd(a, b, c)=gcd(n1d1,n2d2,n3d3).

Proof. This follows from the expressions (30.3): ai = ginidi, for i =1, 2, 3, and Proposition 30.5. Exercise Prove that a Heron triangle is Pythagorean if and only if its triple of simplifying factors is of the form (1, 2,g), for an odd number g whose prime divisors are all of the form 4m +1.

30.3 Orthocentric Quadrangles

Now we consider a rational triangle which does not contain a right angle. The vertices and the orthocenter form an orthocentric quadrangle, i.e., each of these four points is the orthocenter of the triangle with vertices at the remaining three points. If any of the four triangles is rational, then so are the remaining three. The convex hull of these four points is an acute - angled triangle Γ. We label the vertices A, B, C, and the orthocenter in the interior by H and use the following notation for triangles:

Γ=ABC, Γ1 = HBC, Γ2 = BHC, Γ3 = ABH.

Let t1, t2, t3 be the tangents of the half angles of Γ, z1, z2, z3 the associated Gaussian integers, and (g1,g2,g3) the corresponding simplifying factors. Then the tangents of the half angles of Γk are 1 − t 1 − t 1 i , j , and . 1+ti 1+tj tk

We ﬁrst assume that g1, g2, g3 are all odd, so that for i =1, 2, 3, di and ni are of different parity, (Proposition 30.4(3)). The triangle Γk has associated primitive Gaussian integers

√ √ − − − zi =(di + ni)+(di ni) √ 1=(1+ √ 1)zi, − − − zj =(dj + nj√)+(dj √nj) 1=(1+ 1)zj, − − · zk = nk + dk 1= 1 zk. (30.7) 30.4 Indecomposable primitive Heron triangles 711

From these, √ √ √ √ − − · − − · zjzk =(1+√ 1)√ 1 zjzk = gi(1 + √ 1)zi = gi √ 1 zi, − − · − − · zizk =(1+√ 1) 1 zizk = gj(1√ + 1)zj = gj 1 zj, − · − · zizj =2 1 zizj =2gkzk =2gk 1 zk.

Thus, the triangle Γk has simplifying factors (gi,gj, 2gk). Suppose now that one of the simplifying factors of Γ, say, gk is even. Then ni, di, nj, dj are all odd, and nk, dk have different parity. A similar calculation gk shows that the simplifying factors for the triangles Γi, Γj and Γk are (2gi,gj, 2 ), gk gk (gi, 2gj, 2 ), and (gi,gj, 2 ) respectively. We summarize these in the following proposition.

Proposition 30.7. The simplifying factors for the four (rational) triangles in an orthocentric quadrangle are of the form (g1,g2,g3), (2g1,g2,g3), (g1, 2g2,g3) and (g1,g2, 2g3), with g1, g2, g3 odd integers.

30.4 Indecomposable primitive Heron triangles

A routine computer search gives the following indecomposable, primitive Heron triangles with sides ≤ 100, excluding Pythagorean triangles:

(5, 29, 30; 72) (10, 35, 39; 168) (15, 34, 35; 252) (13, 40, 45; 252) (17, 40, 41; 336) (25, 34, 39; 420) (5, 51, 52; 126) (15, 52, 61; 336) (20, 53, 55; 528) (37, 39, 52; 720) (17, 55, 60; 462) (26, 51, 73; 420) (17, 65, 80; 288) (29, 65, 68; 936) (34, 55, 87; 396) (39, 55, 82; 924) (41, 50, 89; 420) (35, 65, 82; 1092) (26, 75, 91; 840) (39, 58, 95; 456) (17, 89, 90; 756) (26, 73, 97; 420) (41, 60, 95; 798) (51, 52, 97; 840)

We study the condition under which the primitive Heron triangle Γ0 =Γ0(t1,t2,t3) constructed in §?? is indecomposable. Clearly, Γ0 =Γ(t1,t2,t3) is indecomposable if this is so for the triangle Γ deﬁned by (30.3). More remarkable is the validity of the converse.

Theorem 30.8. A non-Pythagorean, primitive Heron triangle Γ0 =Γ0(t1,t2,t3) is indecomposable if and only if each of the simplifying factors gi, i =1, 2, 3, contains an odd prime divisor.

Proof. We ﬁrst prove the theorem for the triangle Γ:=Γ(t1,t2,t3) deﬁned by (30.3). Since Γ has area = n1d1n2d2n3d3, the height on the side ai = ginidi is given by 2njdjnkdk hi = . gi 712 Construction of indecomposable Heron triangles

Since the triangle does not contain a right angle, it is indecomposable if and only if none of the heights hi, i =1, 2, 3, is an integer. By Proposition 8(d), this is the case if and only if each of g1, g2, g3 contains an odd prime divisor. To complete the proof, note that the sides (and hence also the heights) of Γ0 1 are g times those of Γ. Here, g := gcd(a1,a2,a3)=gcd(n1d1,n2d2,n3d3) by Corollary 30.6. The heights of Γ0 are therefore

2njdjnkdk 2 · njdjnkdk hi = = . gi · g gi gcd(n1d1,n2d2,n3d3)

nj dj nkdk integer g h g Note that gcd(n1d1,n2d2,n3d3) is an prime to i.If i is not an integer, then i must contain an odd prime divisor, by Proposition 30.4(4) again.

Corollary 30.9. Let Γ be a primitive Heron triangle. Denote by Γi, i =1, 2, 3, the primitive Heron triangles in the similarity classes of the remaining three rational triangles in the orthocentric quadrangle containing Γ. The four triangles Γ and Γi, i =1, 2, 3, are either all decomposable or all indecomposable. Example 30.3. From the orthocentric quadrangle of each the indecomposable Heron triangles (15, 34, 35; 252) and (25,34,39;420), we obtain three other indecomposable primitive Heron triangles.

(a1,b1,c1) (g1,g2,g3) (a1,b1,c1) (g1,g2,g3) (15, 34, 35; 252) (5, 17, 5) (25, 34, 39; 420) (5, 17, 13) (55, 17, 60; 462) (5, 17, 10) (285, 187, 364; 26334) (5, 17, 26) (119, 65, 180; 1638) (5, 17, 10) (700, 561, 169; 30030) (10, 17, 13) (65, 408, 385; 12012) (5, 34, 5) (855, 952, 169; 62244) (5, 34, 13)

30.4.1 Construction of Heron triangles with given simplifying factors

Theorem 30.10. Let g1, g2, g3 be odd numbers satisfying the following conditions. (i) At least two of g1, g2, g3 exceed 1. (ii) The prime divisors of gi, i =1, 2, 3, are all congruent to 1 (mod 4). (iii) gcd(g1,g2,g3)=1. Suppose g1, g2, g3 together contain λ distinct rational (odd) prime divisors. Then λ−1 there are 2 distinct, primitive Heron triangles with simplifying factors (g1,g2,g3).

Proof. Suppose (g1,g2,g3) satisﬁes these conditions. By (ii), there are primitive Gaussian integers θi, i =1, 2, 3, such that gi = N(θi). Since gcd(g1,g√2,g3) =1, if a rational prime p ≡ 1 (mod 4) divides gi and gj, then, in the ring Z[ −1], the prime factorizations of θi and θj contain powers of the same Gaussian prime π or π. 30.4 Indecomposable primitive Heron triangles 713

Therefore, if g1, g2, g3 together contain λ rational prime divisors, then there are λ 2 choices of the triple of primitive Gaussian integers (θ1,θ2,θ3), corresponding to a choice between the Gaussian primes π(p) and π(p) for each of these rational primes. Choose units 1 and 2 such that z1 = 1θ2θ3 and z2 = 2θ3θ1 are positive. Two positive Gaussian integers z1 and z2 define a positive Gaussian integer z3 via (30.6) if and only if π 0 <φ(z )+φ(z ) < . (30.8) 1 2 2 ∗ ∗ − Since φ(z1)+φ(z2)=π (φ(z1)+φ(z2)), it follows that exactly one of the ∗ ∗ λ−1 two pairs (z1,z2) and (z1,z2 ) satisfies condition (30.8). There are, therefore, 2 Heron triangles with (g1,g2,g3) as simplifying factors. Making use of Theorems 30.8, 30.10, and Proposition 30.7, it is now easy to construct indecomposable primitive Heron triangles from any triples of odd integers (g1,g2,g3), each greater than 1, and satisfying the conditions of Theorem 30.10. For example, by choosing g1,g2,g3 from the first few primes of the form 4k +1,we obtain the following primitive Heron triangles, all indecomposable:

(g1,g2,g3) (d1,n1) (d2,n2) (d3,n3) (a, b, c; ) (5, 13, 17) (14, 5) (7, 6) (7, 4) (25, 39, 34; 420) (5, 14) (9, 2) (8, 1) (175, 117, 68; 2520) (11, 10) (7, 6) (8, 1) (275, 273, 68; 9240) (10, 11) (9, 2) (7, 4) (275, 117, 238; 13860) (5, 13, 29) (4, 19) (12, 1) (8, 1) (95, 39, 58; 456) (16, 11) (8, 9) (8, 1) (110, 117, 29; 1584) (11, 16) (12, 1) (7, 4) (220, 39, 203; 3696) (19, 4) (8, 9) (7, 4) (95, 234, 203; 9576) (5, 17, 29) (22, 3) (12, 1) (2, 9) (55, 34, 87; 396) (18, 13) (9, 8) (9, 2) (65, 68, 29; 936) (18, 13) (12, 1) (6, 7) (195, 34, 203; 3276) (22, 3) (9, 8) (7, 6) (55, 204, 203; 5544) (13, 17, 29) (22, 3) (16, 11) (10, 11) (39, 136, 145; 2640) (22, 3) (19, 4) (5, 14) (429, 646, 1015; 87780) (18, 13) (19, 4) (11, 10) (1521, 646, 1595; 489060) (18, 13) (16, 11) (14, 5) (1521, 1496, 1015; 720720)

Further examples can be obtained by considering the orthocentric quadrangle of each of these triangles.