Basic in

Joe Buhler, Stan Wagon July 29, 2007

Abstract A variety of number-theoretic algorithms are described and analyzed with an eye to providing background for other articles in this volume. Topics include Euclid’s , continued , factoring, primality, modular congruences, and quadratic fields.

1 Introduction

Our subject combines the ancient charms of number theory with the modern fascination with algorithmic thinking. Newcomers to the field can appreciate this juxtaposition by studying the many elementary pearls in the subject. The aim here is to describe a few of these gems with the combined goals of preparing the reader for subsequent articles in this volume, and luring him or her into pursuing full-length treatments of the subject, such as [2], [5], [10], [9], [16], [15], [37]. Many details will be left to the reader, and we will assume that he or she knows (or can look up) basic facts from number theory, algebra, and elementary programming.

2 Complexity, informally

Algorithms take input and produce output. The complexity of an algorithm A is a func- tion CA(n), defined to be the maximum, over all input I of size n, of the cost of running A on input I. Cost is often measured in terms of the number of “elemental opera- tions” that the algorithm performs and is intended, in suitable contexts, to approximate running time of actual computer programs implementing these algorithms. A formalization of these ideas requires precise definitions for “algorithm,” “input,” “output,” “cost,” “elemental operation,” and so on. We will give none. Instead, this section gives a series of algorithms answering number-theoretic ques- tions, and then discusses their complexity. This permits a quick survey of some al- gorithms of interest in number theory, and a discussion of complexity theory from a naive number theorists’ point of view. Fortunately, this informal and intuitive approach to complexity is usually sufficient for purposes of algorithmic number theory. Precise

1 foundations can be found in many texts on theoretical computer science or algorithmic complexity [13], [17] [19] . The first problem arises in elementary school. Problem 1. Multiplication: Given x and y, find their product xy. As stated, the question is woefully imprecise. We interpret it in the following natural (but by no means only possible) way. An algorithm to solve this problem takes the base b > 1 representation of integers x and y as input, given as strings of symbols. The algorithm (idealized computer program or Turing machine) follows a well-defined (”deterministic”) procedure to produce a string of output symbols which is the base b representation of the product xy. In practice, one might expect b to be 2, 10, 232, 264, etc. The natural notion of the size of an x is the total of the number of symbols (base b digits) in the input, perhaps augmented by a small constant to delimit the number and give its sign. For the sake of definiteness, we define the base-b size of x to be sizeb(x) := 1 + dlogb(1 + |x|)e, where logb is the logarithm to the base b, and due is the ceiling of u — the smallest integer greater than or equal to u. The size of an integer x is O(log(|x|)), where g(x) = O(f(x)) is a shorthand statement saying that g is in the class of functions such that there is a constant C such that 0 |g(x)| ≤ C|f(x)| for sufficiently large x. Note that O(logb(x)) = O(logb0 (x)) for b, b > 1. In particular, if we are interested in complexity only up to a constant factor, the choice of b is irrelevant. The multiplication algorithm that we all learned as youngsters takes O(n2) digit operations on input of size n. More precisely, if x and y have size at most n, then approximately n2 digit-sized multiplications, and n additions of n-digit intermediate products are required. Notice that the O() notation gracefully summarizes the running time of the algorithm; e.g., the complexity O(n2) is independent of base b, precise details of measuring the size of an integer, the definition of size of two inputs (as the maximum of the two integer inputs, or the total of their sizes), etc. An algorithm is said to take polynomial time if for some k its complexity is O(nk) for input of size n. Although this is a very flexible definition, with unclear relevance to computational practice, it has proven to be remarkably robust. In fact, it is sometimes reasonable to take “polynomial time” as synonymous with “efficient,” and in any case the notion has proved useful in both theory and practice. Of course, once it is known that a problem can be solved in polynomial time, it is interesting to find the smallest possible exponent k. For instance, in the 1970’s Sch¨onhage ([30]) discovered a striking algorithm for Multiplication that takes time O(n log(n) log log(n)) to multiply two n-digit integers. This unexpectedly low complexity led to a number of related “fast” algorithms; see [4] in this volume for arithmetic and algebraic examples. The elemental operations above are operations on single digits. The resulting notion of the complexity (running time) of an algorithm is called bit complexity, since if b = 2 then the underlying operations act on bits. In other contexts it might be more useful to assume that any arithmetic operation takes constant time (e.g., if all integers are

2 known beforehand to fit into a single computer word). When complexity of an algorithm is defined by counting arithmetic operations, the result is said to be the arithmetic complexity of the algorithm. In this model the cost of a single multiplication is O(1), showing that complexity depends dramatically on the underlying computational model. Problem 2. Exponentiation: Given x and a nonnegative integer n, compute xn. Again, problem is underspecified. We will assume that x is an element of a set that has a well-defined operation (associative with an identity element) that is written mul- tiplicatively; moreover, we will measure cost as the number of such operations required to compute xn on input x and n. We take the size of the input to be the size of the integer n. Although x16 can be computed with 15 multiplications in an obvious way, it is faster P i to compute it by 4 squarings. More generally, the binary expansion n = ai2 , ai ∈ {0, 1} implies that xn = xa0 (x2)a1 (x4)a4 ··· , (1) which suggests to a clever way to interleave multiplications and squarings: Right-to-left Exponentiation Input: x as above, and a nonnegative integer n Output: xn 1. y := 1 2. While n > 0 if n is odd, y = xy (ai is 1) x := x2, n := bn/2c 3. Return y Here “:=” denotes assignment of values to variables, “1” denotes the identity for the operation, and the floor buc is the largest integer less than or equal to u. The correctness of the algorithm is reasonably clear from (1) since for k ≥ 0, x2k is multiplied into y if and only if the k-th bit ak bit of the binary expansion of n is nonzero; it can proved more formally by showing by induction that at the beginning of Step 2, XN = xny is true, where X and N denote the initial values of the variables x and n. When n is 0 equation says that XN = y, so that y is the desired power. The usual inductive definition of Exp(x, n) := xn gives an obvious recursive algo- rithm:   1 if n = 0 Exp(x, n) = Exp(x2, n/2) if n > 0 is even (2)  x · Exp(x2, (n − 1)/2) if n is odd. Experienced programmers often implement recursive versions of algorithms because of their elegance and obvious correctness, and when necessary then convert them to equiv- alent, and possibly faster, iterative (non-recursive) algorithms. If this is done to the recursive program, the result is to Right-to-Left algorithm above. Curiously, if the clause for even n is changed to the mathematically equivalent Exp(x, n) = Exp(x, n/2)2, n even

3 (and similarly in the odd clause) then the corresponding iterative algorithm is genuinely different. Left-to-Right Exponentiation Input: x, a nonnegative integer n, and a power of two m such that n < m Output: xn 1. y := 1 2. While m > 1 m := m/2, y := y2 If n ≥ m then y := xy, n := n − m 3. Return y Correctness follows inductively by proving that at the beginning of Step 2, n < m and m n N y x = x . In contrast to the earlier algorithm, this version consumes the bits ai (in the binary expansion of n) starting with the leftmost, i.e., most significant, bit. The complexity of any of the versions of this algorithm (collectively called Exp in the sequel) is O(log(n)) since the number of operations is bounded by 2 · size2(n). This remarkable efficiency is put to innumerable uses in algorithmic number theory, as will be seen. Note that the naive idea of repeatedly multiplying by x takes time O(n), which is exponential in the size of the input. Remark 3. In a specific but important special case the left-to-right version of Exp is better than the right-to-left version. Suppose that our operation is “multiplying mod- ulo n” and that x is small relative to N. Then multiplications by the original x are likely to take less time than modular multiplications by an arbitrary integer X, 0 ≤ X < N. The left-to-right version preserves the original x (though the squarings involve arbitrary integers), whereas the right-to-left version modifies x and hence performs operations on arbitrary elements. In other words, with a different computational model (bit com- plexity, with the specific underlying operation “multiply modulo N”, and x assumed small) the left-to-right algorithm, either recursive or iterative, is significantly better than right-to-left exponentiation. Remark 4. To yet again highlight the dependence on assumptions, if the operation that we are considering is multiplication of integers, complexity is measured in terms of bit operations, and size of the input is defined to be the size of n plus the size of x ∈ Z, then the size of the output is exponential in the input size, so that any algorithm will be inefficient. This discussion scratches the surface of a great deal of theoretical and practical work. The overwhelming importance of exponentiation has led to many significant practical improvements; perhaps the most basic is to replace the base 2 expansion of n with a base b for b a small power of 2. On the theoretical side, there are many interesting results on finding the absolutely smallest possible number of operations required to compute xn ([16]). Problem 5. GCD: Given integers a and b, return the largest integer that is a of both a and b.

4 The (GCD) is denoted gcd(a, b). Perhaps the most fa- mous number-theoretic algorithm of all is due to Euclid. Using gcd(0, a) = a and gcd(±a, ±b) = gcd(a, b) it suffices to find the GCD of positive integers.

Euclid’s Algorithm Input: Positive integers a and b Output: gcd(a, b) While b > 0 {a, b} := {b, a rem b} Return a

Here r = a rem b is the remainder when a is divided by b, i.e., the unique integer r such that there is a q with a = qb+r, 0 ≤ r < b. The simultaneous assignment statement {a, b} = {b, a rem b} would be implemented in a more prosaic programming language by something along the lines of the three statements temp := b, b = a rem b, a = temp. The correctness of the algorithm can be verified by showing that the GCD of a and b doesn’t change at each step of the algorithm. Just as with multiplication, the remainder a rem b can be found in time log2(max(a, b)) with straightforward algorithms, and time log1+(max(a, b)) for any positive  if “asymp- totically fast” algorithms due to Sch¨onhage and Strassen are used. It isn’t too hard to work out that a > b after one step of the algorithm, and then the smallest number is halved in (at most) two steps of the algorithm. This means that the number of times that the loop is executed (i.e., the number of remainder operations) is bounded by O(log(max(a, b)). Thus the algorithm is efficient using either arithmetic or bit complex- ity. We will have much much more to say about Euclid’s algorithm later. If gcd(a, b) = 1 then a and b are said to be relatively prime, or coprime.

Problem 6. Primality: Given a positive integer n > 1, is n is a prime?

The is an example of a decision problem, for which the output is either “yes” or “no.” Perhaps the most straightforward algorithm for Primality is the “trial division method:”√ for d = 2, 3,... test whether n is divisible by d. If divisibility√ holds for d ≤ n then n is composite (non-prime);√ if n is not divisible by any d ≤ n then n is prime. The time required is O( n), which is an exponential function of the size of n, and this algorithm is impractical for for even moderately large n. Fermat’s Little Theorem says that if n is a prime and a is coprime to n then an−1 ≡ 1 mod n. It is very efficient to check this condition using Exp. In the fa- vorable circumstance in which the prime of n−1 is known this can be used to prove primality via the following result.

Theorem 7. If a and n are integers such that an−1 ≡ 1 mod n, and a(n−1)/q 6≡ 1 mod n for all prime q of n − 1, then n is prime.

5 Proof. Let ord(a) denote the of a in the multiplicative group (Z/nZ)∗ of integers coprime to n, modulo n. The condition an−1 ≡ 1 mod n implies that ord(a) is a divisor of n − 1. Any proper divisor of n − 1 is a divisor of (n − 1)/q for some prime q. The second condition of the theorem says that ord(q) does not divide (n − 1)/q for any q, and we conclude that ord(a) = n − 1. Thus (Z/nZ)∗ has n − 1 elements and n is a prime, as claimed.

A generalization of this theorem due to Pocklington says that√ only a partial factor- ization of n − 1 is necessary: if m is a divisor of n − 1 with m > n, then n is a prime if an−1 ≡ 1 mod n, and a(n−1)/q 6≡ 1 mod n for prime divisors of m. Loosely, this says that primality is easy to test if n − 1 is half-factored. Unfortunately, this does not give an efficient : For large n no algorithm is known that efficiently factors or half-factors n − 1. One of the seminal algorithmic insights of the twentieth century was that algorithms might profit from having an auxiliary input consisting of nothing but “random” bits. In the case of primality testing, this means that if we are willing to substitute “over- whelming likelihood of being prime” for “provably a prime” then it is possible to find an efficient algorithm. As a first try, observe that if n is composite then an−1 should be, intuitively, a random integer modulo n. Thus we could choose several random a and report “probable prime” when Fermat’s congruence an−1 ≡ 1 mod n holds for all a, and “composite” if it fails for any one of them. Unfortunately, there are positive integers called Carmichael numbers (see [9]) such that the congruence holds for all a relatively prime to n. As a second try, we “take the square root” of the Fermat congruence. To explain this it is convenient to first review Legendre and Jacobi symbols. An integer a is a modulo p if it is a nonzero square, i.e., if there is an x (not divisible by p) such that x2 ≡ a mod p. Nonsquares are said to be nonresidues. This is encoded in the Legendre symbol  0 if p divides a a  = 1 if x is a quadratic residue mod p p  −1 if x is a quadratic nonresidue mod p Euler’s Criterion gives an explicit congruence for the Legendre symbol a ≡ a(p−1)/2 mod p. (3) p from which the Legendre symbol can be computed reasonably efficiently, using Exp in the multiplicative group (Z/pZ)∗. The Jacobi symbol generalizes the Legendre symbol and is defined, for an integer a and an positive odd positive integer b = Q pep , by reverting to the Legendre symbol when b is an odd prime, and enforcing multiplicativity in the denominator: e a Y a p = . b p p

6 The Jacobi symbol is multiplicative in both the numerator and denominator, depends only on a mod b, obeys the famous law of quadratic reciprocity a b  = (−1)((a−1)(b−1))/4, a, b odd. b a

Moreover, two “supplementary laws” are satisfied: (−1/b) = (−1)(b−1)/2, (2/b) = (−1)(b2−1)/8. These rules can be used to compute the Jacobi symbol without factoring b, along the lines of Euclid’s algorithm. In fact for the Legendre symbol it is is (somewhat) more efficient to use this rather than using Exp as described above.

2k Remark 8. Let n = Fk := 2 + 1 be the k-th . The reader may enjoy (n−1)/2 using Theorem 7 to show that if n = Fk and 3 ≡ −1 mod n then n is prime, and to prove using quadratic reciprocity that if n is prime then the congruence holds. Now we return to the problem of giving a a probabilistic polynomial time algorithm for primality. The key idea is to use Euler’s congruence a ≡ a(p−1)/2 mod p. p which gives a necessary condition for p to be prime. A probabilistic algorithm is similar to an ordinary (deterministic) algorithm except that it is an extra input string of random bits which for instance, enable the algorithm to choose uniformly randomly from a finite set.

Solovay-Strassen primality test Input: An integer k > 0, an odd integer n > 1, and a string of bits Output: “Prime” or “Composite” 1. For i = 1, 2, . . . , k Choose a randomly from {1, 2, . . . , n − 1}  a   a  If = 0 or 6= a(n−1)/2 mod n then n n Output “Composite” and halt. 2. Output “Prime”

It is clear that if the algorithm returns “Composite” then n is definitely composite, and some work shows that if it returns “Prime” then the probability that this is false (i.e., the of auxiliary input bit strings giving this false answer) is exponentially small as a function of k. Remark 9. A statement about the probability of something happening is a statement about the fraction of input bit strings for which that event happens. In the future, we will omit explicit mention of the input random bits. The input string is ignored in assessing the size of the input. Remark 10. In circumstances in which it is necessary to emphasize that an algorithm is not probabilistic, the algorithm is said to be “deterministic.”

7 Theorem 11. The Solovay-Strassen algorithm returns “Prime” if n is prime, and returns “Composite” with probability at least 1 − 1/2k if n is composite. Its running time is bounced by a polynomial in the size of n and log(1/) where  < 1/2k is the probability of an error. Proof. (Sketch.) The GCD and exponentiation steps can be done it at most time O(log3(n)) so each iteration takes polynomial time in n. If n is prime, then Euler’s congruence implies that the test returns “Prime.” If n is composite then the algorithm will return “Composite” unless for each of k random choices of a lies in the subgroup  a  E(n) := {a ∈ (Z/nZ)∗ : ≡ a(n−1)/2 mod n} n of the multiplicative group (Z/nZ)∗, sometimes called the group of “Euler liars” for the composite number n. With some work ([2]) it can be shown that |E(n)| ≤ φ(n)/2, so that the change of a composite number passing all k of these tests is at most 1 − 1/2k. The error probability is therefore  < 2−k, and the running time is k · O(log3(n)) < log(1/) log3(n). There is a rich literature on primality proving (or approximations thereto). From a theoretical point of view, primality proving came to definitive conclusion in 2002 when Manindra Agrawal, Neeraj Kayal, and Nitin Saxena showed [1] that primality testing could be done in polynomial time by a deterministic algorithm. For a description of this algorithm, and algorithms currently used in practice, see [34]. Problem 12. Quadratic Nonresidues: Given an odd prime p, find a quadratic nonresidue modulo p. This simple problem illustrates stark differences between theory and practice, and deterministic and probabilistic algorithms. If p is an odd prime there are (p − 1)/2 quadratic residues and (p − 1)/2 nonresidues mod p, so if a mod p is nonzero, then a has a 50/50 chance of being a nonresidue. Thus there is an obvious probabilistic algorithm: repeatedly choose a at random until a nonresidue is found. With overwhelming likelihood a nonresidue will be found quickly, and thus quadratic nonresidues can be found quickly with a probabilistic polynomial- time algorithm. However, no deterministic polynomial-time algorithm is known. Nothing seems to be better than testing a = 2, 3,... until arriving at a nonresidue. Although there are heuristic grounds to think that there is a nonresidue a = O(log p)1+), the best that can be proved is that one finds a nonresidue for a = O(p1/4), so the simple-minded search could take exponential time. It is known that if the so-called Extended Riemann Hypothesis is true then there is a nonresidue a < 2(log(p))2 = O(log(p))2 ([3]). Problem 13. Factoring: Given a positive integer n > 1, find a proper divisor m of n (a divisor m such that 1 < m < n).

8 Factoring appears to be much harder than primality, both in theory and practice. Trial division again gives an obvious algorithm that is impractical unless n is small. In fact, no deterministic factoring algorithm is known whose complexity is sub-exponential, i.e., less than cn for all c > 1. Factoring has fascinated mathematicians for centuries, and a vast menagerie of algo- rithms are known. One of the more striking ones is the so-called Pollard rho algorithm, due to John Pollard [25]. Let n be a composite integer that is not a prime power. (It is easy to check whether or not n is a perfect power by taking sufficiently accurate k-th roots for 2 ≤ k ≤ log2(n).) Let f : Z/nZ → Z/nZ be the function f(x) = x2 + 1, and let f k(x) = f(f(. . . f(x) ...)) denote the k-th iterate of f applied to x. Pollard’s algorithm is astonishing at first glance.

Pollard ρ factoring algorithm Input: A composite n > 1, not a prime power Output: A nontrivial factor of n 1. Choose a random x ∈ {0, 1, . . . n − 1} 2. For i := 1, 2,... g := gcd(f i(x), f 2i(x)) If g = 1, go to the next i If g = n then go to Step 1 and choose another x Else output g and halt

What could possibly be going on here? The birthday paradox in elementary prob- ability theory says that in a collection of 23 or more people it is more likely than not that two people will have the same birthday. More generally, if elements are randomly√ chosen, with replacement, from a set of size n, then we expect a duplication after O( n) choices [16]. Let p be an (unknown) prime divisor of n. Examples suggest that f k(x) mod p is indistinguishable from a random . Assuming that this is the case, the birthday √ paradox implies that the sequence repeats a value after O( p) steps, after which time it cycles. Thus the sequence of values mod p has the form

y1, . . . , ym, ym+1, . . . , ym+k = ym, ym+k+1 = ym+1,....

A little calculation shows that if i is the smallest multiple of k that exceeds m then yi = i 2i y2i. In the context of the Pollard ρ algorithm this means that p divides gcd(f (x), f (x)). Thus the GCDs in the algorithm will sooner or later be divisible by p. One catastrophe that can happen is that, by some strange coincidence, all primes dividing n happen to divide the GCD at the same time, though this is very unlikely in practice. Many further details (and optimizations) of this charming algorithm can be found, e.g., in [16] and [10]. The complexity of the algorithm is O(n1/4), which is unfortunately exponential as a function of the input size O(log(n)).

9 In the last 20 years, probabilistic factoring algorithms have emerged that factor n in time Ln[1/2; 1] in practice, where a 1−a Ln[a; c] = exp (c + o(1))(log(n)) (log log(n)) . (the o(1) goes to 0 as n goes to infinity). This function interpolates between polynomial time, for a = 0, and exponential time, for a = 1, and its peculiar shape seems to arise from formulas for the density of smooth numbers [14], where a number is y-smooth if all of its prime factors are less than or equal to y. Most of these algorithms are heuristic in the sense that proofs of their correctness rely on plausible hypotheses that have not been proved, but work very well in practice. One of the most important of these algorithms is the Method, due to Hendrik Lenstra [23] [27] which is an L[1/2; 1] algorithm that that has the virtue, of considerable significance in some applications, that it finds smaller factors faster. More recently, John Pollard described an algorithm for factoring numbers of the form n = a · bk + c, k large. This was later generalized to arbitrary positive integers 2/3 n, and is called the Number Field Sieve; its heuristic complexity is Ln[1/3; 4/3 ] = Ln[1/3; 1.92 ...]. The unproved assertions on which this complexity is based are natural statements concerning the proportion of values of polynomials that are smooth; these seem true in practice but their proof seems beyond currently known techniques. Details of this algorithm can be found in [21] [40]. Problem 14. Discrete Logarithms: Given an element x of an explicitly represented finite G, and a generator g of that group, find a nonnegative integer k such that x = gk. The difficulty of the discrete logarithm problem (DLOG) depends on the size of the group and on the specific explicit representation of the group. The group G = Z/nZ = {0, 1, 2, . . . , n−1} of integers modulo n under addition is cyclic, and the discrete logarithm problem is easy, with the usual representation. The discrete logarithm problem for the multiplicative group G = (Z/pZ)∗ = {1, 2, 3, . . . , p − 1} of integers modulo a prime (represented naturally) is hard, and it is thought that its difficulty is comparable to the difficulty of factoring an integer of the size of p. The best known algorithm has 2/3 (heuristic) complexity Lp[1/3; 4 · 3 ] see [26] and [29]. Remark 15. Interest in the DLOG problem has been stimulated by cryptographic applications, e.g., the famous Diffie-Hellman protocol: If A and B want to have a public conversation which ends with them sharing a secret that no onlooker could reasonably discover, then they start by (publicly) agreeing on a suitable cyclic group G of order n together with a generator g of that group. Then A chooses a random integer a < n, and communicates ga to B, in public. Similarly B chooses a random integer b and transmits gb to A over a public channel. They can then each privately compute a joint secret s = (ga)b = (gb)a. The most obvious way for an eavesdropper to defeat this is to intercept ga, solve the implicit DLOG problem to find a, to intercept gb and compute s = (gb)a. More generally,

10 the eavesdropper can succeed if he or she can find gab knowing g, ga, and gb. No efficient algorithm to do this is known if G is a large cyclic subgroup of prime order in (Z/pZ)∗ for suitable p, or for a large cyclic subgroup G of the group of points E(Fp) on a suitable elliptic curve E over a finite field Fp := Z/pZ. The representation of a cyclic group in the group of points of an elliptic curve seems particularly opaque, and in this case no sub-exponential discrete logarithm algorithms are known at all. For details on these cases, see [26], [27], [29]. It is known that the difficulty of the abstract discrete logarithm problem in a group is not much greater than the difficulty of the problem in the largest cyclic subgroup of prime order. In the case of the multiplicative group G = (Z/pZ)∗ of order p − 1 it is therefore customary to choose a prime p such that p − 1 has a large prime divisor q, and to choose G to be the subgroup of order q. Similarly, in the case of elliptic curves it is customary in cryptographic applications to choose an elliptic curve E such that the order of E(Fp) has a large prime divisor. Discrete logarithms in a cyclic group of order 2n give an example of this principle. Let g be a generator of a cyclic group G of order 2n. There is a chain of subgroups

1 = G0 ⊂ G1 ⊂ G2 ⊂ · · · ⊂ Gn−1 ⊂ Gn = G

m where Gm has 2 elements. To find the logarithm of a ∈ G with respect to g, note that 2n−1 a is of order 1 or 2. In the first case, a lies in Gn−1. In the second case, ag lies in the subgroup. In either case we recurse. This gives an efficient discrete logarithm problem cyclic groups whose order is a power of two. Problem 16. Square Roots Modulo a Prime: Given an odd prime p and a quadratic residue a, find an x such that x2 ≡ a mod p. We start by showing how to efficiently reduce this problem to Quadratic Non- residues. This means that modular square roots can be found once a quadratic non- residue is known. Let a be a quadratic residue. Write p − 1 = 2tq, where q is odd. The element aq lies in the subgroup G of (Z/pZ)∗ of order 2t, and b = gq is a generator of that group. By the remark above on discrete logarithms in cyclic groups whose order is a power of 2, we can efficiently solve the discrete logarithm problem aq = bk. Note that k is even since a(p−1)/2 ≡ 1 mod p. Simple calculation shows that x = a(p−q)/2bk/2 is a square root of a: x2 = a(p−q)bk = a(p−q)aq = ap ≡ a mod p. The running time of the above procedure depends on t, i.e., the power of 2 that divides p− 1. The conclusion is that square roots modulo p can be found efficiently if quadratic nonresidues can be found efficiently; i.e., the problem is easy in practice, easy theoreti- cally if probabilistic algorithms are allowed, and hard theoretically if only deterministic algorithms are allowed.

11 More recently, Ren´eSchoof discovered a deterministic polynomial time algorithm [31] for finding square roots modulo a prime, using elliptic curves (!). In practice, This algorithm is not competitive with the probabilistic algorithms above since the exponent on log(p) is large. However, Schoof’s paper has had an enormous impact on the study of elliptic curves over finite fields [27], since it also pioneered techniques for finding the order of the group E(Fp). Problem 17. Modular Square Roots: Given an integer n and an integer a, determine whether a is a square modulo n, and find an x such that x2 ≡ a mod p if x exists. If the prime factorization of n is known, then the algorithm above can be combined with Hensel’s Lemma and the Chinese Remainder (discussed later) to find a square root of a modulo n. However, the working algorithmic number theorist is often confronted with integers n whose prime factorization is unknown. In this case, no efficient modular square root algorithm is known. In fact, more is true: Modular Square Roots is, in a sense to be made precise shortly, is equivalent to Factoring. The argument referred to outlines one half of this equivalence — that an efficient factoring algorithm gives an efficient algorithm for finding modular square roots. Suppose, conversely, that we have an efficient algorithm for Modular Square Roots. To factor n, first check that it is odd and not a perfect power. Then choose a random y and apply the efficient Modular Square Roots algorithm to a = y2 mod n to get an x such that

x2 ≡ y2 mod n.

Any common divisor of x and y is a factor of n, so assume that x and y have no common divisor larger than 1. If p is a factor of n then p divides x2 − y2 = (x − y)(x + y). In addition, it divides exactly one of the factors x − y or x + y (if it divides both, it would divide their sum 2x and their difference 2y). If y is random, and the algorithm for Modular Square Roots returns a random square root of a, then p has a 50/50 chance of dividing x + y or x − y. This is true of any other prime factor q, and there is a 50/50 chance that p and q will divide different factors. In that case, greatest common divisor gcd(x − y, n) will be a proper factor of n. If this fails, try again by choosing another random y. After k choices, the probability that n remains unfactored is 2−k. Thus Factoring and Modular Square Roots are equivalent in difficulty in practice. Remark 18. Replacing square roots by eth roots for e > 2 leads to a problem closely related to the RSA cryptosystem, perhaps the most famous of all public-key crypto- graphic systems. Let n = pq be the product of two primes, and G = (Z/nZ)∗. The RSA cryptosystem uses exponentiation as a mixing transformation on G. If e > 1 is an integer relatively prime to (p − 1)(q − 1) then the encryption map E : G → G defined by

E(x mod n) = xe mod n

12 is a bijection that can be computed efficiently using Exp. The decryption mapping is D(y) = yd where the integer d is defined by the congruence ed ≡ 1 mod (p − 1)(q − 1). The decryption exponent d can be found efficiently using the Extended Euclidean Al- gorithm described in the next section. If if n and e are chosen suitably, then finding D(y) without knowing p and q requires the solution of a modular eth roots problem. It is plausible that this is equivalent to factoring, but no proof of this is known. Problem 19. Bounded Modular Square Roots: Given an integer n and integers a and b, determine whether there is an integer x such that x < b and x2 ≡ a mod n. It may seem somewhat peculiar to require that the square root be below a fixed bound. In fact, it turns out that this makes the problem (probably) much harder than Modular Square Roots — it is a so-called NP complete problem. Briefly, a decision problem is in P if there is a polynomial-time algorithm for it. A decision problem is in NP if there is an algorithm f(x, y) in P that takes an instance x of a problem and a “certificate” y as input, such that for every “yes” instance x there is a certificate y such that f(x, y) returns ”yes.” Bounded Modular Square Roots is certainly in NP : given an instance (a, b, n), the integer x is a certificate: the verifications that x < b and x2 ≡ a mod n can be done in polynomial time. Membership in NP doesn’t imply that finding the certificate is easy, but merely that it exists; if certificates could be found easily the problem would be in P . Finally, a decision problem is NP -complete if it at least as hard as any other problem in NP , in the sense that any other problem in NP can be reduced to it. The notion of “reduction” needs to be defined precisely, and involves ideas similar to the equivalence of Factoring and Modular Square Roots sketched above. Finally, a discussion of the complexity of number-theoretic problems would be in- complete mentioning a problem for which no algorithm exists whatsoever.

Problem 20. Diophantine Equations: Given a polynomial f(x1, . . . , xn) with in- tegral coefficients in n variables, is there n-tuple of integers x such that f(x) = 0? A famous result of Matiysevich, building on work of Julia Robinson, Martin Davis, Hilary Putnam, and others, shows that this is an undecidable problem [20], [11]. In other words, there does not exist an algorithm, efficient or otherwise, that determines whether a is solvable.

3 Euclid’s Algorithm

Euclid’s algorithm, given above, has been an extraordinarily fertile source of algorithmic ideas, and can be viewed as a special case of famous modern algorithms, including Hermite normal form algorithms, lattice basis reduction algorithms, and Gr¨obner basis algorithms.

13 The GCD of integers a and b is the unique nonnegative integer d such that

dZ = aZ + bZ.

Here dZ denotes the principal in the of integers consisting of all multiples of d, and aZ + bZ := {ax + by : x, y ∈ Z}. To prove that d exists, it suffices to consider nonzero a and b, in which case d can be taken to be the least positive element of aZ+bZ. Indeed, if z = ax + by is an arbitrary element of aZ + bZ then z = qd + r, 0 ≤ r < d. Since r = z − qd is a nonnegative element of aZ + bZ, it follows that r = 0, and z is a multiple of d as claimed. Assuming that a and b are nonzero we have proved that d = gcd(a, b) is the smallest positive integral linear combination of a and b. One can also prove that d is the largest integer that divides both a and b, that it is the positive divisor divisible by all other divisors, and that it can be given in terms of prime by Y Y Y gcd(a, b) = pmin(ap,bp) if a = pap , b = pbp . p p p

The Greeks would have been more comfortable with the following geometric definition of the GCD: if a > b > 0 then consider a rectangle of width a and height b. Remove a b by b square from one end of the rectangle. Continue removing maximal subsquares (squares with one side being a side of the rectangle) until the remaining rectangle is a square. The side length of the remaining square is the “common unit of measure” of a and b, i.e., their GCD. For instance, if a = 73 and b = 31, then the removal of two maximal subsquares leaves an 11 by 31 rectangle, the removal of two further maximal squares leaves a 11 by 9 rectangle, the removal of one maximal subsquare leaves a 2 by 9 rectangle, the removal of four maximal subsquares leaves a 2 by 1 rectangle, and the removal of one maximal subsquare leaves a unit square. This procedure makes sense for arbitrary real numbers, leading the notion of a con- tinued fraction; this process terminates for an a by b rectangle if and only if a/b is a .

3.1 Extended In many applications of the Euclidean algorithm the identity aZ + bZ = dZ needs to be made explicit; i.e., we need to find x and y such that ax + by = d = gcd(a, b). To do this it suffices to augment Euclid’s algorithm given earlier.

Extended Euclidean Algorithm (Eea) Input: Positive integers a and b Output: x, y, z where z = gcd(a, b) and z = ax + by {X,Y,Z} := {1, 0, a} {x, y, z} := {0, 1, b} While z > 0

14 q := bZ/zc {X, Y, Z, x, y, z} := {x, y, z, X − qx, Y − qy, Z − qz} Return X,Y,Z

Simple algebra shows that at every step

aX + bY = Z, ax + by = z (4) so that the triples encode elements of the ideal aZ + bZ. Moreover, Z − qz = Z rem z so that the Z recapitulates the ordinary Euclidean algorithm, and this augments that algorithm as claimed. The execution of the algorithm on input a = 73 and b = 31 is summarized in the following table, where each row describes the state of the computation just after q is computed.

X Y Z x y z q 1 0 73 0 1 31 2 0 1 31 1 -2 11 2 1 -2 11 -2 5 9 1 -2 5 9 3 -7 2 4 3 -7 2 -14 33 1 2 -14 33 1 31 -73 0

Thus gcd(73, 31) = 1 and (−14) · 73 + 33 · 31 = 1. The reader should notice that from the third row onwards X and Y have opposite signs, and their values increase in absolute value in successive rows. It isn’t hard to verify that (for positive a and b) this is always the case. What is the running time of this algorithm? It can be shown that the number of arithmetic operations required is linear in the input size. Briefly, the argument is as fol- lows. The worst case is when the quotients q are always 1. An induction argument shows that if this is the case and n iterations of the loop are required then a ≥ Fn+2, b ≥ Fn+1, where Fn denotes the n√-th (F1 = F2 = 1, Fn+1 = Fn + Fn−1). Using n Fn = O(ϕ ), ϕ = (1 + 5)/2, it follows that n = O(log(a)), as desired. A more careful accounting of the bit complexity, using the fact that the size of the integers decreases during the course of the algorithm, shows that the bit complexity is O((log(a))2). On occasion it is useful to formulate the Euclidean algorithm in terms of 2 by 2 matrices. Say that the matrix associated to a row X, Y, Z, x, y, z, q is

 XY  M := . x y

Then by (4)  a   Z  M = . b z

15 The matrix M 0 of the next row is easily checked to be

 0 1  M 0 = M. 1 −q

Iterating this in the specific calculation above gives

 1   0 1   0 1   0 1   0 1   0 1   73  = . (5) 0 1 −2 1 −4 1 −1 1 −2 1 −2 31

Now we consider an application of the Eea. Example 21. The inverse of an element (Z/nZ)∗ can be computed using the Eea. Indeed, if gcd(a, n) = 1 then there are x, y such that ax + ny = 1, which says that (a mod n)−1 = x mod n. If n = p is a prime, then Fermat’s little theorem suggests another way to compute inverses using Exp:(a mod p)−1 = ap−2 mod p. How do these two ideas compare? Exp requires O(log(p)) multiplications. If classical arithmetic is used (i.e., multiplication of k-bit integers takes time O(k2)), then inversion via computing ap−2 has bit complexity O(log(p)3) since the integers are all of size O(log(p)). On the other hand, the Eea version has bit complexity O(log(p)2). If fast arithmetic is used, the algorithm using Exp takes time O(log(p)2+), for any  > 0, and the Eea takes time O(log(p)1+), where the  in the exponent comes from higher order logarithmic factors in the fast arithmetic complexity estimates. All of the ideas in the Eea apply to any in which division with “smaller” remainder exists. For instance, the ring F [x] of polynomials over a field F admits a division algorithm for which the remainder polynomial has smaller degree than the divisor. And the ring Z[i] := {a + bi : a, b ∈ Z} of Gaussian integers inside the complex numbers has this property if “size” is the absolute value, and we take the quotient in ring to be the result of taking the quotient in the complex numbers and rounding to the nearest integer.

3.2 Continued fractions The partial quotients of the continued fraction expansion of a real number α are the terms of the (finite or infinite) sequence a0, a1,... defined as follows.

Continued Fraction of a Real Number Input: A real number α Output: A sequence ai of integers α0 := α For i := 0, 1,... Output ai := bαic Halt if αi = ai αi+1 := 1/(αi − ai)

16 √ Example 22. If α = 73/31 the partial quotients are 2, 2, 1, 4, 2. If α = 11 the partial quotients are ultimately periodic: 3, 3, 6, 3, 6, 3, 6,.... The reader should verify that the above procedure terminates, so that the sequence of partial quotients is finite, if and only if α is a rational number. Although written as if was an algorithm, this is a mathematical construct rather than an algorithm, for several reasons: (a) it may fail to terminate, (b) real numbers can not be represented in finite terms suitable for a computer, and (c) testing real numbers for equality is (algorithmically) problematic. The relationship between αi and αi+1 can be written as 1 αi = ai + . (6) αi+1 Iterating this for α = 73/31 gives the finite continued fraction 73 1 = 2 + = [2; 2, 1, 1, 4, 2] 31 1 2 + 1 1 + 1 4 + 2 where [a0; a1, . . . , an] denotes the value of a finite continued fraction with partial quo- tients ai. The values of the successive partial continued fractions of a real number are called convergents of the continued fraction; e.g., the convergents of the continued fraction for 73/31 are [2] = 2 [2; 2] = 9/2 [2; 2, 1] = 11/9 [2; 2, 1, 4] = 31/11 [2; 2, 1, 4, 2] = 73/31.

√ they represent quadratic irrational numbers a + b d, where a, b, d are rational numbers (and d is a nonsquare). For instance, if α denotes the purely periodic continued fraction [3; 6, 3, 6, 3, 6,...] then 1 α = 3 + . 1 6 + α √ Clearing fractions gives 2α2 − 6α − 1 = 0, i.e., α = (3 + 11)/2.

Proposition 23. Let [a0; a1, a2,...] be the continued fraction of a real number α, and let αn = [an; an+1,...] be as above. Define xi, yi recursively by

x−1 = 0, x0 = 1, xn+1 = an+1xn + xn−1, n ≥ 0 (7)

y−1 = 1, y0 = a0, yn+1 = an+1yn + xn−1, n ≥ 0.

17 Then xn and yn are coprime for all n, and yn/xn = [a0; a1, . . . , an] is the n-th convergent of the continued fraction. Moreover, y α + y α = n n+1 n−1 . (8) xnαn+1 + xn−1 Remark 24. There are several commonly used notations for convergents; the rationale for the choice here will become evident later.

Proof. An easy induction argument using the recursion shows that xnyn−1 − xn−1yn = n (−1) . In particular, xn and yn are coprime. The fact that yn/xn is a convergent follows from an induction argument: y a y + y n+1 = n+1 n n−1 xn+1 an+1xn + xn−1 a (a y + y ) + y = n+1 n n−1 n−2 n−1 an+1(anxn−1 + xn−2) + xn−1 (a + 1/a )y + y = n n+1 n−1 n−2 (an + 1/an+1)xn−1 + xn−2 1 = [a0; a1, . . . , an + ] an+1 = [a0; a1, . . . , an, an+1].

Note the subtlety that the induction assumption is applied to the penultimate continued fraction, and that its earlier convergents are identical to the earlier convergents of the final continued fraction. The last statement in the theorem can also be proved by induction. As with the Euclidean algorithm, it is sometimes convenient to formulate continued fractions in terms of 2 by 2 matrices, e.g., defining     ak 1 yk yk−1 Mk := ,Pk := (9) 1 0 xk xk−1 and observing that the Proposition says that

Pk = M0M1 ··· Mk .

A careful look at the convergents of the continued fraction of 73/31 reveals that they recapitulate Euclidean algorithm! This is easy to verify using the matrix perspective and the identity  a 1 −1  0 1  = . 1 0 1 −a Indeed, multiplying the relation

 73   1  = P 31 4 0

18 −1 repeatedly on the left by the Mk gives the the earlier EEA formula (5), and the Eea formula can be reversed in a similar way to give a continued fraction. Note also that the matrix formulation recovers

n+1 ynxn−1 − yn−1xn = (−1) (10) n+1 since the determinant of each Mk is −1 and det(Pn) = (−1) .

3.3 Rational Approximation

Let α, αn, an, yn, xn be as in the previous section. Dividing (10) by xnxn−1 gives y y (−1)n+1 n − n−1 = . xn xn−1 xnxn−1

Iterating this identity and using y0/x0 = a0 gives the marvelous formula

yn 1 1 n 1 = a0 + = + ··· (−1) . (11) xn x0x1 x1x2 xn−1xn

Since the xn = anxn−1 +xn−2 are strictly increasing it follows that the convergents yn/xn converge to a real number α0. Proposition 25. With the above notation, α0 = α. For even n, the convergents increase and approach α from below; for odd n the convergents decrease and approach α from above. Both yn/xn − α and yn − xnα alternate in sign, and decrease in absolute value. Moreover,

1 yn 1 < α − < . xn(xn + xn+1) xn xnxn+1 Proof. To show that α = α0, use (8): n+1 yn ynαn+1 + yn−1 yn (−1) 1 α − = − = ≤ (12) xn xnαn+1 + xn−1 xn xn(xnαn+1 + xn−1) xnxn+1 since αn+1 ≥ bαn+1c = an+1. All of the other statements follow (with considerable algebraic juggling) from (11) and basic facts about alternating series.

In order to understand the extent to which the y/n/xn are superb approximations α by rational numbers, the following definition is convenient. If (x, y) is a point in the XY -plane, then the distance from (x, y) to the line Y = αX along the vertical line X = x, is |y − αx|. Say that (x, y), x > 0 is a best approximator to α if x and y are relatively prime and (x, y) has the smallest vertical distance to Y = αX among all integer points with denominator at most x, i.e., |y − αx| < |v − uα| for all integers u, v with 0 < u < x. Note that if x is fixed and y is the nearest integer to xα then |y−αx| < 1, i.e., |y/x−α| < 1/x. The following theorem says that convergents give rational approximations that are better by an order of magnitude in that |y/x − α| < 1/x2, and, moreover, that any sufficiently good rational approximation comes from a convergent.

19 Theorem 26. Let α be a real number, and (x, y) a pair of coprime integers with x > 0. Then: (a) The pair (x, y) is a best approximator to α if and only if y/x is a convergent in the continued fraction expansion of α. (b) Any best approximator (x, y) to α satisfies y 1 − α < . x x2

(c) If y 1 − α < x 2x2 then (x, y) is a best approximator to α. The convergents in the continued fraction of α are lattice points (points with integer coordinates) in the plane, and they are unusually close to the line Y = αX. The points alternate back and forth over the line, and each point (x, y) is closer to the line than all points with smaller X. Since any best approximator yn/xn comes from a convergent, it follows that the open parallelogram

{(x, y) : 0 < x < xn+1, |y − αx| < |yn − αxn|} contains no lattice points other than the origin. If you are standing at the origin of the plane looking in the direction of y = αx, then the lattice points (x, y) ∈ Z2 that are closest to the line occur alternately on both sides of the line, and become “very close” to the line. This makes it difficult to illustrate this with graphically, since the convergents approximate so well that they quickly appear to be on the line. In the following figure, we help the reader by holding a magnifying glass over three points, in the case where the line is Y = αX for the golden ratio α = φ = [1; 1, 1, 1, ··· ]; the coordinates of the convergents (Fn,Fn+1) are consecutive Fibonacci numbers.

Now we prove the theorem. Proof. By the last inequality in Theorem 25 a convergent of the continued fraction satisfies yn 1 1 α − < < 2 . xn xnxn+1 xn Therefore (b) follows once (a) has been proved. To prove (a), assume that (x, y) is an arbitrary pair of coprime integers with x < xn. Define a, b by the equation         a −1 x yn yn−1 x = Pn = . b y xn xn−1 y

20 Figure 1: Convergents to the golden ratio

21 Both a and b are integers since det(Pn) = ±1; in fact, explicit algebra gives

n+1 n+1 a = (−1) (xn−1y − yn−1x), b = (−1) (−xny + ynx).

Since x < xn, and xn, yn are coprime, it follows that b is nonzero. Moreover, the equation x = axn + bxn−1 shows that a and b are of opposite sign or a = 0. If a = 0 then the coprimality of xn−1 and yn−1 implies that x is a multiple of xn−1. Thus (x, y) is not a best approximator ((xn−1, yn−1) has a smaller denominator), and not a convergent. If a is nonzero then

y − xα = (ayn + byn−1) − (axn + bxn−1)α

= a(yn − xnα) + b(yn−1 − xn−1α)

implies that |y − xα| ≥ |yn−1 − xn−1α| (since a and b, and yn − xnα and yn−1 − xn−1α, have opposite signs). From Proposition 25

|yn − xnα| < |yn−1 − xn−1α| ≤ |y − xα| so (xn, yn) is a best approximator, proving half of (a). On the other hand, if xn−1 < x < xn, the displayed inequality shows that (x, y) is not a best approximator, proving the other half of (a). To prove (c), suppose that a coprime pair (x, y) satisfies |y − xα| < 1/(2x). For a coprime pair (u, v) with 0 < v < y,

1 ≤ |yu − xv| = |v(y − xα) − y(v − uα)| ≤ |v(y − xα)| + |y(v − uα)|.

From v|y − xα| < v/2x < 1/2 it follows that

|v − uα| > (y/v)|y − xα| > |y − xα| which shows that (x, y) is a best approximator and therefore a convergent, as desired. Part (c) of the theorem will play a critical role at two points in the sequel.

4 Modular Equations

The goal of this section is to consider the problem of solving polynomial congruences, i.e., given n ∈ Z+, and f(X) ∈ Z[X], find x ∈ Z/nZ such that f(x) ≡ 0 mod n. We sequentially consider the cases in which n a prime, prime power, and arbitrary positive integer.

22 4.1 Equations Modulo Primes Congruences modulo a prime p are more or less equivalent to finding roots of polynomials in the field Fp := Z/pZ. According to Fermat’s Little Theorem, every element of Fp is a root of the polynomial xp − x; comparing degrees and leading coefficients shows that

p Y x − x = (x − a) ∈ Fp[x].

a∈Fp

p It follows that if f(x) ∈ Fp[x] is an arbitrary polynomial then gcd(f(x), x − x) is the product of all linear factors x − a where a is a root of f. Similarly the roots of x(p−1)/2 = 1 are the quadratic residues modulo p, so

(p−1)/2 Y x − 1 = (x − a) ∈ Fp[x]

a∈Rp where Rp denotes the set of quadratic residues modulo p. This suggests the following elegant algorithm for finding all roots of a polynomial in Fp[x]. Cantor–Zassenhaus(f, p) Input: A prime p and a polynomial f ∈ Fp[x] Output: A list of the roots of f 1. f := gcd(f, xp − x) 2. If f has degree 1, Return its root 3. Choose b at random in Fp g := gcd(f(x), (x + b)(p−1)/2 − 1) If 0 < deg(g) < deg(f) then Return Cantor–Zassenhaus(g) ∪ Cantor–Zassenhaus(f/g) Else, go to Step 3 The correctness follows from the earlier remarks — at Step 3 f(x) is a product of distinct linear factors x − a, and then g is the product of all x − a such that a + b is a quadratic residue. If b is random then we would expect about half of factors of f to divide g. Moreover, the algorithm takes (probabilistic) polynomial time since the input size for a (general) polynomial over Fp is n log(p) and all operations take time bounded by a polynomial in n and log(p).

4.2 Equations Modulo Prime Powers The next case is prime powers. The key idea originates with Kurt Hensel and gives an explicit construction, in favorable situations, of a “lifting” of a solution to f(x) ≡ 0 mod pn to a solution modulo p2n. Perhaps the most basic nontrivial example is f(x) = x2 −a modulo pk, p odd. If x2 ≡ a mod p then simple algebra shows that y2 ≡ a mod p2, where y = (x2 +a)(2x)−1 mod p. This is just Newton’s Lemma from calculus: f(x) x2 − a x2 + a y = x − = x − = . f 0(x) 2x 2x

23 The general story is as follows. Theorem 27. (Hensel’s Lemma, a.k.a. Newton’s method) Let p be a prime, f(x) ∈ Z[x] a polynomial with integer coefficients, and a ∈ Z an integer such that

f(a) ≡ 0 mod pk, f 0(a) 6≡ 0 mod p .

Then b ≡ a − f(a)/f 0(a) mod p2k is the unique integer modulo p2k that satisfies

f(b) ≡ 0 mod p2k, b ≡ a mod pk.

Remark 28. Since u = f 0(a) is relatively prime to p it is relatively prime to any power of p and has an inverse modulo that power, computable with the Eea. Thus the division in the formula in in the theorem makes sense. We remark that it is possible to use Newton’s method (for rational functions) to find inverses modulo prime powers by taking f(x) = u − 1/x. Specifically, if au ≡ 1 mod pk then bu ≡ 1 mod p2k, where b = a − f(a)/f 0(a) = a(2 − au).

Proof. Replacing f(x) by f(x + a), it suffices to prove the result when a = 0. Thus we are trying to find a root of f(x) ≡ 0 mod p2k, given

2 0 f(x) = c0 + c1x + c2x + ··· , c0 = f(0), c1 = f (0).

k By hypothesis, c0 ≡ 0 mod p and c1 6≡ 0 mod p. It follows that b = −c0/c1 is the unique integer modulo p2k such that b ≡ 0 mod pk, f(b) ≡ 0 mod p2k, proving the theorem. The reader will find it instructive to find a square root of, say, −11 modulo 38. A more general version of Hensel’s Lemma says that if the power of p that divides f(a) is strictly bigger than twice the power of p that f 0(a) then a can be uniquely lifted to a root. In practice, it is often better to just replace f(x) by g(x) = f(a + px)/pm for as large an m as possible, searching for roots of g mod p by brute force, and repeating this process until we arrive at a polynomial satisfying the hypothesis of the Theorem.

4.3 Digression: p-adic numbers Hensel’s Lemma takes an especially pleasing form in the p-adic numbers. Since p-adic numbers arise in several subsequent chapters, we discuss them briefly here. Further details can be found in, e.g., [35], [6], and [18]. Fix a prime p. An absolute value can be defined on the rational numbers by

n |x|p = ρ where 0 < ρ < 1, x = pny, n is an integer (positive or negative), and y is a rational number whose numerator and denominator are relatively prime to p. By convention, |0|p = 0. Under this absolute value, powers of p are “small.” It turns out that the choice of ρ < 1 is immaterial to anything here, though in situations in which the p- adic absolute values are needed for all p, it is often convenient to take a “normalized”

24 value ρ = 1/p. The absolute value above satisfies the “non-archimedean” inequality |x + y|p ≤ max(|x|p, |y|p), which is stronger than the triangle inequality. In addition, it is sometimes useful to write vp(x) = n, i.e., vp(x) is the power of p dividing x in the sense that x/pvp(x) is a rational number with numerator and denominator relatively prime to p. The “absolute value” |x|p gives the rational numbers Q the structure of a metric space by setting the distance between x and y to be |x − y|p. The completion Qp of this metric space is called the p-adic numbers, and that the p-adic numbers are a locally compact topological field under the extension of the above metric. A nonzero element a of Qp can be represented concretely as a “Laurent series in p,”, i.e., k k+1 k+2 a = akp + ak+1p + ak+1p + ··· where k is an integer, the digits an are integers chosen in the range 0 ≤ an < p, and k ak 6= 0. Set vp(a) = k and |a| = ρ . Arithmetic operations are easy to visualize in this Laurent representation, at least approximately, by thinking of pn as being very small if n is very large (analogous in some ways to the usual realization of real numbers as decimal expansions.) The subset for which vp(a) = k ≥ 0 is the unit disk ( ) X n Zp = anp = {x ∈ Qp : |x|p ≤ 1}, n≥0 which is a subring of Qp and is called the ring of p-adic integers. The p-adic numbers are a bit peculiar when first encountered, but it turns out that they beautifully capture the idea of calculating “modulo arbitrarily large powers of p.” The reader might enjoy proving that

2 3 −1 = 1 + 2 + 2 + 2 + ··· in Q2, and the fact that infinite series in Qp converge if and only if their terms go to zero. Suppose that we are interested in roots of f(x) ∈ Zp[x]. (By clearing denominators the problem of finding roots for f(x) ∈ Qp[x] readily reduces to f(x) ∈ Zp[x].) Finding 2 ∞ roots x = a0 + a1p + a2p + ··· to f(x) = 0 amounts to solving f(x) ≡ 0 modulo p , and Hensel’s Lemma above can be used to prove that if a ∈ Z/pZ satisfies |f(a)|p <  0 and |f (a)| = 1 then there is a unique b ∈ Zp such that

f(b) = 0, and |b − a| < .

This idea arises in many other contexts, and as an example, we consider the problem of factoring polynomials whose coefficients are p-adic integers. If g and g are polynomials with p-adic coefficients then G is said to lift g if the coefficients of G are congruent to the coefficients of g modulo p.

Theorem 29. If f, g, h ∈ Zp[x] are monic polynomials that satisfy f ≡ gh mod p and gcd(g mod p, h mod p) = 1 then there are unique G and H in Zp[x] such that f = GH and G and H lift g and h respectively.

We sketch a proof of the theorem. Since p-adic integers are approximated arbitrarily closely by integers, it suffices to show how to lift a factorization of integer polynomials modulo p to factorizations modulo arbitrarily large powers of p. It turns out to be essential to simultaneously lift a certificate of the fact that g and h are relatively prime. Assume that we are given polynomials f, g, h, r, s with integer coefficients such that

f ≡ gh mod p^k,    r·g + s·h ≡ 1 mod p^k,

where deg(r) < deg(h) and deg(s) < deg(g); we need to find G, H, R, S satisfying the analogous congruences modulo p^2k. Note that the hypotheses of the theorem allow us to find r and s for k = 1, using the Euclidean Algorithm for polynomials. The pair r, s is said to be a coprimality certificate for g and h mod p^k. Before proving the theorem it is useful to show how to use a coprimality certificate mod p^k to represent any polynomial as a suitable linear combination of g and h modulo p^k.

Lemma 30. If rg + sh ≡ 1 mod p^k, then for all u ∈ Z_p[x] there are A, B ∈ Z[x] such that Ag + Bh ≡ u mod p^k. If deg(u) < deg(g) + deg(h) then we can take deg(A) < deg(h) and deg(B) < deg(g).

Proof. Multiplying the certificate by u gives u ≡ rgu + shu = (ru)g + (su)h mod p^k, so the first statement is immediate. To verify the statement about degrees, we have to work harder. Let A be the remainder when ru is divided by h, i.e., ru = q_1·h + A with deg(A) < deg(h). Similarly, let B be the remainder when su is divided by g, i.e., su = q_2·g + B with deg(B) < deg(g). Then

Ag + Bh = (ru − q_1·h)g + (su − q_2·g)h = (rg + sh)u − (q_1 + q_2)gh ≡ u + Q·gh mod p^k,

where Q = −q_1 − q_2. Since gh is monic of degree deg(g) + deg(h), and all other terms in the congruence have degree strictly less than deg(g) + deg(h), it follows that Q ≡ 0 mod p^k, finishing the proof.

Now we prove the theorem by simultaneously showing how to lift the factorization and how to lift the certificate, i.e., how to find the desired G, H, R, S given g, h, r, s. To lift the factorization, write f = gh + p^k·u and use Lemma 30 to find A, B with u ≡ Ag + Bh mod p^k; it is straightforward to check that G = g + p^k·B and H = h + p^k·A satisfy f ≡ GH mod p^2k. To lift the certificate, write rG + sH = 1 + p^k·u, use Lemma 30 to find A, B with u ≡ Ag + Bh mod p^k, and check that RG + SH ≡ 1 mod p^2k, where R = r − p^k·A and S = s − p^k·B.
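The proof is completely effective. The following self-contained Python sketch (our illustration; the list-based polynomial helpers are ad hoc, with coefficients stored lowest degree first) performs one lifting step, taking the factorization x^2 + 1 ≡ (x − 2)(x + 2) mod 5, with certificate r = 1, s = 4, to a factorization modulo 25.

    # One Hensel lifting step for f = x^2 + 1 at p = 5 (illustration only).

    def pmul(u, v, m):                        # product of polynomials mod m
        w = [0] * (len(u) + len(v) - 1)
        for i, ui in enumerate(u):
            for j, vj in enumerate(v):
                w[i + j] = (w[i + j] + ui * vj) % m
        return w

    def psub(u, v, m):                        # difference, trimmed, mod m
        w = [0] * max(len(u), len(v))
        for i, ui in enumerate(u):
            w[i] += ui
        for j, vj in enumerate(v):
            w[j] -= vj
        w = [c % m for c in w]
        while len(w) > 1 and w[-1] == 0:
            w.pop()
        return w

    def padd(u, v, m):
        return psub(u, [-c for c in v], m)

    def prem(u, v, m):                        # remainder of u by monic v, mod m
        u = [c % m for c in u]
        while len(u) > 1 and u[-1] == 0:
            u.pop()
        while len(u) >= len(v):
            u = psub(u, pmul([0] * (len(u) - len(v)) + [u[-1]], v, m), m)
        return u

    p, k = 5, 1
    pk, p2k = p ** k, p ** (2 * k)
    f = [1, 0, 1]                             # x^2 + 1
    g, h = [-2, 1], [2, 1]                    # f ≡ g*h mod 5
    r, s = [1], [4]                           # r*g + s*h ≡ 1 mod 5

    u = [c // pk for c in psub(f, pmul(g, h, p2k), p2k)]   # u = (f - gh)/p^k
    A = prem(pmul(r, u, pk), h, pk)           # Lemma 30: u ≡ A*g + B*h mod p^k
    B = prem(pmul(s, u, pk), g, pk)
    G = padd(g, [pk * c for c in B], p2k)     # G = g + p^k B
    H = padd(h, [pk * c for c in A], p2k)     # H = h + p^k A

    assert psub(f, pmul(G, H, p2k), p2k) == [0]   # f ≡ G*H mod 25
    # here G = x + 18 and H = x + 7: (x + 18)(x + 7) ≡ x^2 + 1 mod 25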

4.4 Chinese Remainder Theorem

Finally, we come to the case of solving polynomial equations modulo arbitrary positive integers n, given that we can solve the equations modulo the prime power divisors of n.

The Chinese Remainder Theorem gives an immediate way to do this, by giving an explicit recipe for using solutions f(x_1) ≡ 0 mod n_1, f(x_2) ≡ 0 mod n_2 to produce an x in Z/(n_1 n_2)Z such that f(x) ≡ 0 mod n_1 n_2, when the n_i are coprime.

Theorem 31. (Chinese Remainder Theorem) If m and n are relatively prime, and a and b are arbitrary integers, then there is an integer c such that

c ≡ a mod m, c ≡ b mod n.

Any two such integers c are congruent modulo mn.

Proof. Apply the Eea to m and n to find x and y such that mx + ny = 1. The integer

c = a·n·y + b·m·x

is obviously congruent to a mod m and to b mod n. If c′ also satisfies these congruences then d = c − c′ is divisible by the coprime integers m and n, and hence by mn. Thus c and c′ are congruent modulo mn, as claimed.
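The proof is directly constructive; in Python (a sketch of ours, using modular inverses in place of an explicit extended-gcd call) it reads:

    def crt_pair(a, m, b, n):
        """Return c mod m*n with c ≡ a mod m and c ≡ b mod n (m, n coprime)."""
        x = pow(m, -1, n)                     # m*x ≡ 1 mod n
        y = pow(n, -1, m)                     # n*y ≡ 1 mod m, so mx + ny ≡ 1 mod mn
        return (a * n * y + b * m * x) % (m * n)

    c = crt_pair(2, 3, 3, 5)
    assert c == 8 and c % 3 == 2 and c % 5 == 3

This can be stated more algebraically as follows.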

Corollary 32. If gcd(m, n) = 1 then the rings Z/(mn)Z and Z/mZ × Z/nZ are isomorphic via the map x mod mn ↦ (x mod m, x mod n). Also, ϕ(mn) = ϕ(m)ϕ(n), where ϕ is the Euler ϕ-function.

Indeed, the first statement in the Chinese Remainder Theorem above says that the map is surjective, and the second says that it is injective. Units in the direct product of two rings are pairs (u, v) where u and v are units in the respective rings, so the multiplicativity of ϕ follows from the first statement.

As promised, the theorem shows how to combine modular solutions to polynomial equations: if f(a) ≡ 0 mod m and f(b) ≡ 0 mod n, then apply the Chinese Remainder Theorem to find a c such that c ≡ a mod m and c ≡ b mod n; these congruences imply that f(c) ≡ 0 mod mn. By induction, this technique generalizes to more than 2 moduli: if n_1, n_2, . . . , n_k are pairwise relatively prime, and integers a_i are given, then there is an integer x, unique modulo the product of the n_i, such that x ≡ a_i mod n_i for 1 ≤ i ≤ k.

In fact, there are two natural inductive proofs. The product n = n_1 n_2 ··· n_k of the k moduli could be reduced to the k = 2 case by writing n = n_1·m, where m is the product of the n_i for i > 1, or by writing n = m_1·m_2, where each m_i is the product of approximately half of the n_i. The latter method is significantly more efficient in practice: with reasonable assumptions, the first method takes O(k^2) arithmetic operations, and the second takes O(k log(k)) arithmetic operations.
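The balanced recombination is easy to express recursively. The sketch below (ours again) reuses crt_pair from the previous example and returns both the combined residue and the combined modulus.

    def crt_list(residues, moduli):
        """Combine pairwise coprime moduli by splitting the list in half,
        as in the second (O(k log k)) inductive proof sketched above."""
        if len(moduli) == 1:
            return residues[0] % moduli[0], moduli[0]
        mid = len(moduli) // 2
        a, m = crt_list(residues[:mid], moduli[:mid])
        b, n = crt_list(residues[mid:], moduli[mid:])
        return crt_pair(a, m, b, n), m * n

    x, M = crt_list([1, 2, 3], [5, 7, 11])
    assert M == 385 and (x % 5, x % 7, x % 11) == (1, 2, 3)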

5 Quadratic Extensions

A quadratic extension of the rational numbers is a subset of the complex numbers of the form {a + b√d : a, b ∈ Q}, where d is a nonsquare in Q. This field, usually denoted Q(√d), is isomorphic to the quotient Q[x]/I, where I = (x^2 − d) is the ideal generated by the irreducible polynomial x^2 − d. More generally, a quadratic extension L of an arbitrary field K is isomorphic to K[x]/(f(x)) ≅ {a + bα : a, b ∈ K}, where f(x) is an irreducible quadratic polynomial and α is a root of that polynomial. In this section we consider four algorithms that are either illuminated by, or directly apply to, quadratic field extensions.

5.1 Cipolla

Let p be an odd prime. A natural and direct algorithm, originally due to Cipolla, finds square roots modulo an odd prime p by taking a single exponentiation in a quadratic extension of F_p = Z/pZ. Unlike the modular square root algorithm presented earlier, it has a running time that is independent of the power of 2 that divides p − 1.

A polynomial f(X) = X^2 − aX + b ∈ F_p[X] is irreducible if and only if its discriminant D := a^2 − 4b is a quadratic nonresidue. If f(X) is irreducible then K := F_p[X]/(f(X)) is a field with p^2 elements. If α = [X] denotes the coset of X, then K can be described explicitly as the set of linear polynomials {a + bα : a, b ∈ F_p}, added in the usual way, and multiplied using the rule α^2 = aα − b to reduce a product to a linear polynomial.

In any field of characteristic p the map ϕ(x) = x^p is a field homomorphism; on our finite field K it is an automorphism, sometimes called the Frobenius map. Indeed, it is obvious that ϕ is multiplicative, and ϕ(x + y) = (x + y)^p = x^p + y^p follows from the fact that the interior binomial coefficients are divisible by p. Moreover ϕ(x) = x if and only if x ∈ F_p, since every element of F_p is a root of the polynomial x^p − x, and a polynomial of degree p can have at most p roots in a field.

Cipolla's modular square root algorithm
Input: An odd prime p and a quadratic residue b ∈ F_p
Output: u ∈ F_p such that u^2 = b
1. Select random a until a^2 − 4b is a nonresidue modulo p
2. Return α^{(p+1)/2}, where α := a root of x^2 − ax + b

Assume that a successful a has been found in Step 1 (each candidate a succeeds with probability roughly 1/2). With the earlier notation, f(X) = X^2 − aX + b is irreducible, and K = {a + bα}. Apply the Frobenius automorphism ϕ to the equation α^2 − aα + b = 0 to find that β := α^p is also a root of f, so that f(X) = (X − α)(X − β). Comparing coefficients gives b = α·β = α·α^p = α^{p+1}, so that α^{(p+1)/2} is a square root of b, as desired. Although the exponentiation is done in K, the final result lies in F_p.

Example 33. Let p = 37 and b = 34. Easy Legendre symbol calculations show that 34 is a quadratic residue modulo 37, and a = 1 produces a nonresidue a^2 − 4b in Step 1, so that f(x) = x^2 − x + 34 is irreducible. We compute α^{(p+1)/2} = α^19 using Exp; at each step of the calculation we replace α^2 by α − 34 = α + 3 and reduce the coefficients modulo 37. The following table summarizes the calculation:

k     α^k
2     α + 3
4     α^2 + 6α + 9 = 7α + 12
8     49α^2 + 168α + 144 = 32α + 32 = −5(α + 1)
9     −5(α^2 + α) = −5(2α + 3)
18    25(4α^2 + 12α + 9) = 30α + 7
19    30α^2 + 7α = 16

As predicted, the final result lies in the field with 37 elements, and 16^2 ≡ 34 mod 37.
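A compact Python rendering of the algorithm (our sketch; it scans a = 1, 2, . . . instead of choosing a at random, and uses Euler's criterion for the nonresidue test in Step 1) reproduces this example:

    def cipolla(b, p):
        """Square root of the quadratic residue b modulo the odd prime p."""
        a = 1
        while pow((a * a - 4 * b) % p, (p - 1) // 2, p) != p - 1:
            a += 1                            # Step 1: a^2 - 4b must be a nonresidue

        # Arithmetic in K = F_p[x]/(x^2 - a*x + b): a pair (c0, c1) stands for
        # c0 + c1*alpha, and products are reduced via alpha^2 = a*alpha - b.
        def mul(u, v):
            return ((u[0] * v[0] - b * u[1] * v[1]) % p,
                    (u[0] * v[1] + u[1] * v[0] + a * u[1] * v[1]) % p)

        result, power, e = (1, 0), (0, 1), (p + 1) // 2
        while e:                              # binary exponentiation, as in Exp
            if e & 1:
                result = mul(result, power)
            power = mul(power, power)
            e >>= 1
        assert result[1] == 0                 # Step 2: alpha^((p+1)/2) lies in F_p
        return result[0]

    u = cipolla(34, 37)
    assert u == 16 and u * u % 37 == 34       # matches Example 33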

5.2 Lucas-Lehmer

Theorem 7 gives a method for verifying primality of n when the factorization of n − 1 is known. A similar primality test, attributed to Lucas and Lehmer, enables the primality of n to be established efficiently if the prime factorization of n + 1 is known.

Let f(X) = X^2 − aX + b ∈ Z[X] be a polynomial with integer coefficients, D := a^2 − 4b its discriminant, and R := Z[X]/(f(X)). Let α := [X] and β := a − α be the two roots of f in R. For k ≥ 0 define V_k = α^k + β^k ∈ R. Since both c_k = α^k and c_k = β^k satisfy the recursion c_{k+1} = a·c_k − b·c_{k−1}, their sum V_k also does, by linearity. Since the first two values V_0 = 2 and V_1 = a are integers, it follows that all of the V_k are integers. The easily established recursions

V_{2k} = V_k^2 − 2b^k,    V_{2k+1} = V_k·V_{k+1} − a·b^k

can be used to give an algorithm (mimicking ideas in Exp) that computes V_n in O(log(n)) arithmetic operations on integers.

Theorem 34. With the above notation, let n be an odd positive integer, and assume that D, a, b satisfy (D/n) = −1 (Jacobi symbol) and gcd(n, b) = 1.

Let m = (n + 1)/2. If V_m ≡ 0 mod n, and gcd(V_{m/q}, n) = 1 for all prime divisors q of m, then n is prime.

Proof. Since (D/n) = −1 and the Jacobi symbol is the product of the Legendre symbols at the prime divisors of n, there is a prime divisor p of n with (D/p) = −1. Working modulo p, i.e., in

K := R/pR = Z[x]/(p, f(x)) = F_p[x]/(f(x)),

we see that f(x) ∈ F_p[x] is irreducible, so that the ideas of the preceding section apply. Since b is coprime to n, and hence coprime to p, it follows from αβ = b that β is nonzero in K. Let u = β/α = α^p/α = α^{p−1} ∈ K.

The equation V_m ≡ 0 mod p implies that α^m = −β^m, i.e., u^m = −1 and u^{2m} = 1. Similarly, the equations V_{m/q} ≢ 0 mod p imply that u^{2m/q} ≠ 1 for all prime divisors q of m. Therefore u has order 2m = n + 1 in K. Since

u^{p+1} = (α^{p−1})^{p+1} = α^{p^2−1} = 1,

it follows that p + 1 is divisible by n + 1, which implies that n = p, i.e., that n is a prime, as claimed.

Remark 35. The converse is true (with some work): if p = n is a prime then V_{(p+1)/2} ≡ 0 mod p, and V_{(p+1)/(2q)} ≢ 0 mod p for all odd prime divisors q of p + 1.

Remark 36. As in the earlier primality test relying on the factorization of n − 1, it can be shown that it suffices to consider all prime divisors of a factor of n + 1 that is larger than √n.
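The following Python sketch (ours; the demonstration parameters a = 1, b = −1 for n = 7 are our choice, and the Jacobi-symbol hypothesis (D/n) = −1 is assumed rather than verified) computes V_m mod n with the doubling formulas and applies the criterion of Theorem 34.

    from math import gcd

    def lucas_V(m, a, b, n):
        """V_m mod n for V_0 = 2, V_1 = a, V_{k+1} = a*V_k - b*V_{k-1},
        maintaining (V_k, V_{k+1}, b^k) along the binary expansion of m."""
        vk, vk1, bk = 2 % n, a % n, 1 % n
        for bit in bin(m)[2:]:                # most significant bit first
            if bit == '0':                    # k -> 2k
                vk, vk1, bk = ((vk * vk - 2 * bk) % n,
                               (vk * vk1 - a * bk) % n,
                               (bk * bk) % n)
            else:                             # k -> 2k + 1
                vk, vk1, bk = ((vk * vk1 - a * bk) % n,
                               (vk1 * vk1 - 2 * bk * b) % n,
                               (bk * bk * b) % n)
        return vk

    def prime_divisors(m):
        ps, q = set(), 2
        while q * q <= m:
            while m % q == 0:
                ps.add(q)
                m //= q
            q += 1
        if m > 1:
            ps.add(m)
        return ps

    def certify_prime(n, a, b):
        """Sufficient criterion of Theorem 34; assumes (D/n) = -1, gcd(n, b) = 1."""
        m = (n + 1) // 2
        if lucas_V(m, a, b, n) != 0:
            return False                      # inconclusive, not a proof of compositeness
        return all(gcd(lucas_V(m // q, a, b, n), n) == 1 for q in prime_divisors(m))

    assert certify_prime(7, 1, -1)            # D = 5, (5/7) = -1: certifies 7 prime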

5.3 Units in quadratic fields

If d is a rational number that is not a perfect square then the degree of Q(√d) = {a + b√d : a, b ∈ Q} over Q is two (the degree of a field extension K ⊂ L is the dimension of L as a vector space over K). The field F = Q(√d) is unchanged if we replace d by de^2, so we will assume from now on that d is a squarefree integer (i.e., not divisible by any perfect square n^2 > 1). If d < 0 then Q(√d) is said to be an imaginary quadratic field, and if d > 0, Q(√d) is said to be a real quadratic field.

A number field is a field having finite degree over Q. These fields are the core subject matter of algebraic number theory, and are of critical importance in several subsequent articles in this volume, e.g., [39]. Quadratic fields Q(√d) already illustrate many of the ideas that come up in studying number fields in general, and are a vast and fertile area of study.

Let F = Q(√d). The ring of integers O_F in F is the set of v ∈ F that are roots of a monic polynomial with integer coefficients; this ring plays the role, in F, that the integers do in Q.

Proposition 37. With the above notation, O_F = Z[ω], where

ω = √d             if d ≡ 2, 3 mod 4,
ω = (1 + √d)/2     if d ≡ 1 mod 4.

Thus O_F = Z[√d] if d ≡ 2, 3 mod 4, and

O_F = Z[ω] = { x + y·(1 + √d)/2 : x, y ∈ Z } = { (x + y√d)/2 : x, y ∈ Z, x ≡ y mod 2 }

if d ≡ 1 mod 4. The key idea of the proof is that if v = x + y√d ∈ F is an algebraic integer then it satisfies the equation X^2 − 2xX + (x^2 − dy^2) = 0, which implies that x, and therefore y, are either integers or half-integers; we leave the details to the reader.

The units in the integers (elements with multiplicative inverses) are trivial: Z^* = {±1}. In order to find units in quadratic fields we introduce some standard terminology.

• If v = x + y√d ∈ F then v′ = x − y√d is the conjugate of v.

• The norm of v = x + y√d ∈ F is

  N(v) = v·v′ = (x + y√d)(x − y√d) = x^2 − dy^2 ∈ Q.

It is easy to check that (uv)′ = u′v′ for all u, v ∈ F. From this it follows easily that the norm map is multiplicative, i.e., that N(uv) = N(u)N(v). Note that if d ≡ 2, 3 mod 4 then N(x + yω) = (x + yω)(x − yω) = x^2 − dy^2, while if d ≡ 1 mod 4 and ω = (1 + √d)/2 then

N(x + yω) = (x + yω)(x + yω′) = x^2 + xy − y^2·(d − 1)/4.

Lemma 38. An element u in O_F is a unit if and only if N(u) = ±1.

Proof. If N(u) = ±1 then u·(±u′) = 1 and u is a unit. Conversely, if u is a unit then there is a v ∈ O_F such that uv = 1. Taking the norm and using the multiplicativity of the norm gives N(u)N(v) = 1, so that N(u) is a unit in Z, i.e., N(u) = ±1.

In imaginary quadratic fields there are only finitely many units, and they are easy to determine by considering the explicit form of the norm mapping given above; the details are again left to the reader, and the result is:

Theorem 39. Units in an imaginary quadratic field F = Q(√d), d < 0, are:

O_F^* = {±1, ±i}          if d = −1,
O_F^* = {±1, ±ω, ±ω^2}    if d = −3,
O_F^* = {±1}              if d < −3.

For later use, note that the units of the ring Z[√d] are {±1} unless d = −1. Finding units in (the ring of integers of) real quadratic fields is considerably more interesting. In the case d ≡ 2, 3 mod 4, a unit u = x + y√d gives a solution of Pell's equation [22]

x^2 − dy^2 = ±1.

If d ≡ 1 mod 4 then units u = x + yω give solutions to x^2 + xy − y^2(d − 1)/4 = ±1, which becomes X^2 − dY^2 = ±4 after multiplying by 4 and completing the square. Thus the problem of finding units in real quadratic fields is equivalent to Pell's equation or a variant. The central fact is that units can be found by calculating the continued fraction of ω.

Theorem 40. If F = Q(√d), d > 0, and u = x − yω is a unit in O_F^* with x and y positive, then x/y is a convergent in the continued fraction expansion of ω.

If u = x + yω is a unit then −u, u′, and −u′ are all units. If u is a unit, then one of ±u, ±u′ has the form x − yω with x, y positive, so the restriction to positive x, y is unimportant: any unit can be obtained from a convergent by changing the sign and/or taking a conjugate. Simple examples show that not all convergents correspond to units. However, the theorem guarantees that if we examine each convergent of the continued fraction of ω in turn we will, sooner or later, run across any given unit (up to sign and conjugacy).

Proof. Assume that u = x − yω is a unit with x and y positive. If d ≡ 2, 3 mod 4, then d ≥ 2 and x^2 − dy^2 = ±1. Therefore x^2/y^2 = d ± 1/y^2 ≥ 1, so x ≥ y and

x/y + √d ≥ 1 + √2 ≥ 2.    (13)

From

| x/y − √d |·( x/y + √d ) = | x^2/y^2 − d | = 1/y^2

and (13) we get

| x/y − √d | < 1/(2y^2),

so that, by Theorem 26, x/y is a best approximator to ω and is a convergent in the continued fraction of ω.

The case d ≡ 1 mod 4 is similar, but slightly more involved. If u = x − yω is a unit then x^2 − xy − cy^2 = ±1, where c = (d − 1)/4 ≥ 1. This implies that

(x/y)^2 − x/y = c ± 1/y^2.    (14)

In the case in which y = 1 and d = 5, the theorem can be checked directly. (One finds that x = 1 or x = 2 and that both values of x/y are convergents in the continued fraction of ω = (1 + √5)/2.) Otherwise, y > 1 or d > 5, and the right-hand side of (14) is at least 3/4. Thus r = x/y is positive and satisfies r^2 − r ≥ 3/4; it follows that r ≥ 3/2. The proof now follows the outline of the earlier case: in the equation (r − ω)(r − ω′) = ±1/y^2, the second factor

r − ω′ = r + (√d − 1)/2 ≥ 3/2 + 1/2 ≥ 2

can be bounded below, and the resulting inequality |r − ω| ≤ 1/(2y^2) implies that r = x/y is a convergent in the continued fraction of ω, as desired.

There is much more to say about continued fractions of arbitrary quadratic irrationals. We enumerate some of the most important facts, which can be found in many sources.

1. The continued fraction of a real number α is eventually periodic if and only if α is a quadratic irrational (an irrational element of Q(√d) for some d).

2. The continued fraction of a quadratic irrational α is purely periodic, i.e., periodic with no pre-period, if and only if α > 1 and −1 < α′ < 0.

3. Units in a real quadratic field F correspond, as above, to convergents in the continued fraction expansion of ω; the first such unit u encountered generates O_F^* up to sign, i.e.,

   O_F^* = { ±u^n : n ∈ Z } ≅ Z × Z/2Z.

4. The period of the continued fraction of ω is O(√d). The continued fractions of √d and (1 + √d)/2 have the respective shapes

[a; P, 2a],    [a; P, 2a − 1]

where a is a positive integer and the sequence P = p_1, p_2, . . . , p_2, p_1 is a palindrome. The fundamental generating unit of Q(√d) has norm −1 if and only if P has even length.

Units in real quadratic fields can also be found by computing continued fractions of other elements in Q(√d); e.g., if d ≡ 1 mod 4 then units can also be found by computing the continued fraction of √d. A much more general picture can be found in the discussion of the real quadratic case in [33].
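For d ≡ 2, 3 mod 4 this recipe is a few lines of Python (our sketch): run the standard continued fraction recurrences for √d and stop at the first convergent x/y with x^2 − dy^2 = ±1; by fact 3 above, x + y√d then generates the unit group up to sign.

    from math import isqrt

    def fundamental_unit(d):
        """First convergent x/y of sqrt(d) with x^2 - d*y^2 = ±1
        (d > 1 squarefree, d ≡ 2, 3 mod 4, so O_F = Z[sqrt(d)])."""
        a0 = isqrt(d)
        m, q, a = 0, 1, a0                    # state of the CF recurrences for sqrt(d)
        x0, x1 = 1, a0                        # convergent numerators
        y0, y1 = 0, 1                         # convergent denominators
        while x1 * x1 - d * y1 * y1 not in (1, -1):
            m = a * q - m
            q = (d - m * m) // q
            a = (a0 + m) // q
            x0, x1 = x1, a * x1 + x0
            y0, y1 = y1, a * y1 + y0
        return x1, y1

    assert fundamental_unit(2) == (1, 1)      # 1 + sqrt(2), norm -1
    assert fundamental_unit(3) == (2, 1)      # 2 + sqrt(3), norm +1

For d ≡ 1 mod 4 one would instead expand ω = (1 + √d)/2 and test N(x + yω) = ±1.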

5.4 The Smith–Cornacchia algorithm

Throughout this section integers d and n satisfy 0 < d < n, and we consider solutions x, y to

x^2 + dy^2 = n.    (15)

Note that the problem of solving this equation is equivalent to

(x + y√−d)(x − y√−d) = n,    (16)

i.e., to factoring n in the imaginary quadratic field Q(√−d) into the product of conjugate elements. Coprime solutions x, y are said to be primitive. In this case y is coprime to n, and the signature of the solution is the unique integer t, 0 < t < n, such that x/y ≡ t mod n, i.e., x ≡ ty mod n. Note that

t^2 + d ≡ (x^2 + dy^2)/y^2 ≡ 0 mod n.

If t is a potential signature, i.e., a square root of −d modulo n, then it is easily checked that the set I := nZ + (t + √−d)Z = { an + b(t + √−d) : a, b ∈ Z } of integer linear combinations of n and t + √−d is an ideal in Z[√−d]. Moreover, the equation x^2 + dy^2 = n has a solution with signature t if and only if I is a principal ideal, in the sense that I = (x + y√−d) consists of all multiples (by elements of Z[√−d]) of x + y√−d.

Let (x, y) be a primitive solution to x^2 + dy^2 = n with signature t. Define z := (ty − x)/n, so that

t/n − z/y = x/(ny).

Dividing the inequality |2xy| ≤ x^2 + y^2 ≤ x^2 + dy^2 = n by 2ny^2 gives

| t/n − z/y | = x/(ny) ≤ 1/(2y^2).

By Theorem 26(c) this implies that z/y is a convergent of the (finite) continued fraction of t/n. Thus to solve (15) it suffices to compute the continued fraction of t/n and see whether any of the denominators give valid solutions y in the equation x^2 + dy^2 = n. In fact, it is slightly simpler to merely keep track of the remainders in the Euclidean algorithm applied to t and n; indeed, |x| = |ty − nz| is a remainder, and x^2 + dy^2 = n can then be solved for y. Since x ≤ √n, the remainders have to be calculated at least to the point that they drop below √n.

Example 41. If d = 5 and n = 12829 then we first have to find a square root t of −5 modulo 12829. Since n is a prime, the square root is unique up to sign; in fact, Cipolla’s algorithm gives t = ±3705 without difficulty. The sequence of remainders in the Euclidean algorithm is

12829, 3705, 1714, 277, 52, 17, 1.

In fact, the first remainder below √12829 works:

x = 52,    y = √((n − x^2)/5) = 45,    52^2 + 5·45^2 = 12829.

Theorem 42. If a primitive solution to x^2 + dy^2 = n has signature t then |x| is the largest remainder that is less than √n in the Euclidean algorithm applied to n and t. Moreover, (x, y) is essentially the unique solution with signature t: if (u, v) is another such solution then (x, y) = ±(u, v) if d > 1, and if d = 1 reversal is also possible, i.e., (x, y) = ±(u, v) or (x, y) = ±(v, u).

Proof. (See also [24], [32].) Let x be the first remainder less than √n. Assume that the equation has some solution (u, v) with signature t: u^2 + dv^2 = n, u ≡ tv mod n. Assume

that u ≠ ±x. Then |u| is a subsequent term in the remainder sequence for t and n. By the Euclidean algorithm, there are z, z′ such that x = yt − zn, u = vt − z′n. The remainders decrease in absolute value, so x > |u|, and the coefficients of t increase in absolute value, so |y| < |v|. We know that x^2 + dy^2 ≡ (t^2 + d)y^2 ≡ 0 mod n. Moreover,

x^2 + dy^2 < n + dv^2 = n + (n − u^2) < 2n.

Since we also know that x^2 + dy^2 is divisible by n, it follows that x^2 + dy^2 = n.

To show uniqueness assume, as above, that there are two solutions (x, y) and (u, v) with signature t. The equation

x + y√−d = (a + b√−d)(u + v√−d)

reduces to two equations for integers a, b: x = ua − bvd, y = va + ub. Solving, one finds that

a = (ux + dvy)/n,    b = (−vx + uy)/n.

The congruences x ≡ ty mod n, u ≡ tv mod n imply that a and b are integers. Thus there is an α in the ring Z[√−d] such that x + y√−d = α(u + v√−d), and similarly there is a β such that u + v√−d = β(x + y√−d). Substituting, we find that αβ = 1, i.e., that α and β are units. If d > 1 then the only units in Z[√−d] are ±1, and if d = 1 then ±i are also units, finishing the proof.

Finally, we state the obvious algorithm.

Smith–Cornacchia Algorithm
Input: Relatively prime positive integers d and n
Output: All primitive solutions to x^2 + dy^2 = n
1. Find all solutions t to t^2 + d ≡ 0 mod n
2. For each solution t, find the first remainder x below √n in the Euclidean algorithm applied to t and n; if y := √((n − x^2)/d) is an integer, output (x, y)

Note that it is perfectly possible that there are no solutions to x^2 + dy^2 = n. Also, step 2 of the algorithm is efficient, but step 1 might not be: as remarked earlier, solving the modular square root problem is probably exactly as hard as factoring n. In many situations the algorithm is applied when n is known to be prime, in which case there is only one solution and the algorithm finds it quickly.

Example 43. The special case d = 1 ([5]) is interesting. By Euler's criterion, the only odd primes p such that −1 is a quadratic residue modulo p are those congruent to 1 mod 4, and this algorithm gives a constructive proof of Euler's result that these are exactly the primes that are the sum of two squares. Moreover, it shows that if z is a Gaussian integer then the factorization of z in Z[i] reduces to the problem of factoring N(z) in the integers.
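Step 2 is just the remainder loop of the Euclidean algorithm. The Python sketch below (ours) takes the square root t as an input, since step 1 is the potentially hard part, and reproduces Example 41 with the value t = 3705 found there.

    from math import isqrt

    def cornacchia(d, n, t):
        """Primitive solution of x^2 + d*y^2 = n with signature t, if one exists;
        assumes 0 < d < n and t^2 + d ≡ 0 mod n."""
        r0, r1 = n, t % n
        while r1 * r1 > n:                    # run the remainders down past sqrt(n)
            r0, r1 = r1, r0 % r1
        x = r1                                # first remainder below sqrt(n)
        q, rem = divmod(n - x * x, d)
        if rem:
            return None                       # no primitive solution with signature t
        y = isqrt(q)
        return (x, y) if y * y == q else None

    assert cornacchia(5, 12829, 3705) == (52, 45)    # Example 41: 52^2 + 5*45^2 = 12829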

References

[1] Manindra Agrawal, Neeraj Kayal, Nitin Saxena; “PRIMES is in P,” Ann. of Math. 160 2004 781–793.

[2] Eric Bach, Jeffrey Shallit; Algorithmic Number Theory. Volume 1. Efficient Algorithms, MIT Press, 1996.

[3] Eric Bach; “Explicit Bounds for Primality Testing and Related Problems,” Math. Comp., 55 1990 pp. 355–380.

[4] Daniel Bernstein; “Fast multiplication and applications,” this volume.

[5] David Bressoud, Stan Wagon; A course in computational number theory, Key Col- lege Publishing, 2000.

[6] J.W.S. Cassels; “Local Fields” London Math. Soc. Student Texts 3 Cambridge University Press, 1986.

[7] M. Cipolla, “La determinazione assintotica dell’nimo numero primo” Rend. Accad. Sci. Fis. Mat. Napoli 8 1902 132–166.

[8] David Cox; Primes of the form x^2 + ny^2. Fermat, class field theory and complex multiplication, John Wiley, 1989.

[9] Richard Crandall, Carl Pomerance; Prime Numbers. A Computational Perspective. Second Edition Springer-Verlag, 2005.

[10] Henri Cohen; “A Course in Computational Algebraic Number Theory” Graduate Texts in Math. 138, Springer-Verlag, 1993.

[11] Martin Davis, “Hilbert’s Tenth Problem is Unsolvable,” American Mathematical Monthly, 80 1973 233–269.

[12] Pierre Flajolet, Brigitte Vallée; “Continued fraction algorithms, functional operators, and structure constants” Theoret. Comput. Sci. 194 1998 1–34.

[13] M. Garey, D. Johnson; Computers and Intractability: A Guide to the Theory of NP-Completeness W. H. Freeman, 1979.

[14] Andrew Granville; “Smooth numbers: computational theory and beyond,” this volume.

[15] Joachim von zur Gathen, Jürgen Gerhard; Modern Computer Algebra. Second Edition, Cambridge University Press, 2003.

[16] Donald Knuth; The Art of Computer Programming. Volume 2. Seminumerical Al- gorithms, (2nd edition), Addison-Wesley, 1981.

[17] John Hopcroft, Rajeev Motwani, Jeffrey D. Ullman; Introduction to Automata Theory, Languages, and Computation, Addison Wesley, 2006.

[18] Neal Koblitz; p-adic numbers, p-adic analysis, and zeta functions. Second Edition Graduate Texts in Mathematics 58 Springer-Verlag 1984.

[19] Dexter Kozen; Theory of Computation Springer-Verlag, 2006.

[20] Yuri Matiyasevich; Hilbert’s Tenth Problem, MIT Press, Cambridge, Massachusetts, 1993.

[21] A. K. Lenstra, H. W. Lenstra, Jr., eds.; The development of the number field sieve, Lecture Notes in Math. 1554 Springer-Verlag, 1993.

[22] Hendrik Lenstra, Jr.; “Solving the Pell equation,” this volume.

[23] Hendrik Lenstra, Jr.; “Factoring Integers with Elliptic Curves,” Annals of Math. 126, 1987, 649–673.

[24] Abderrahmane Nitaj; “L’algorithme de Cornacchia.” Exposition. Math. 13, 1995, 358–365.

[25] J. M. Pollard, “Monte Carlo Methods for Index Computation (mod p),” Math. Comp., 32 1978, 918–924.

[26] Carl Pomerance, “Elementary Thoughts on Discrete Logarithms,” this volume

[27] Bjorn Poonen; “Elliptic Curves,” in this volume.

[28] A. J. van der Poorten, “An introduction to continued fractions” in Diophantine Analysis, ed. by J. H. Loxton and A. J. van der Poorten, London Mathematical Society Lecture Note Series 109 1986.

[29] Oliver Schirokauer, “The impact of the Number Field Sieve on the Discrete Loga- rithm Problem in finite fields,” this volume

[30] Arnold Schönhage; “Schnelle Berechnung von Kettenbruchentwicklungen” Acta Informatica 1 1971 139–144.

[31] René Schoof; “Elliptic curves over finite fields and the computation of square roots mod p” Math. Comp. 44 1985 483–494.

[32] René Schoof; “Counting points on elliptic curves over finite fields” J. Théor. Nombres Bordeaux 7 1995 219–254.

[33] René Schoof; “Computing Arakelov class groups,” this volume.

[34] René Schoof; “Four primality testing algorithms,” this volume.

[35] J.-P. Serre; A course in arithmetic, Graduate Texts in Mathematics 7, Springer-Verlag, 1973.

[36] Peter Shor; “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM J. Comput. 26 1997 1484–1509.

[37] Victor Shoup, A Computational Introduction to Number Theory and Algebra Cam- bridge University Press, 2005.

[38] Nigel Smart; “The algorithmic resolution of Diophantine equations” London Mathematical Society Student Texts 41, Cambridge University Press, 1998.

[39] Peter Stevenhagen; “The Arithmetic of Number Rings,” in this volume.

[40] Peter Stevenhagen; “Number Field Sieve,” in this volume.

[41] Noriko Yui; “Congruent number problems in dimension one and two,” this volume.
