Mathematics is the Queen of Sciences and Arithmetic is the Queen of Mathematics
Carl Friedrich Gauss

1 Prime numbers

1.1 Definitions, examples and basic properties

Let us start by recalling/formalising the principle of division with remainder.

Theorem 1.1 (The division algorithm). Let $a$ and $b$ be natural numbers with $b \neq 0$. There exist unique natural numbers $q$ and $r$ such that $a = bq + r$ and $0 \le r < b$.

Proof. To show existence, note that if $a < b$ then $q = 0$ and $r = a$ will do; otherwise consider $q = \lfloor a/b \rfloor$, i.e. the largest integer such that $bq \le a$, and define $r = a - bq$. It follows that $a = bq + r$ and $r \ge 0$. Furthermore, $r \ge b$ would imply $a \ge b(q + 1)$, contradicting our choice of $q$, and so $0 \le r < b$ as required.

To show uniqueness, suppose there exist $q, q', r, r'$ such that $a = bq + r = bq' + r'$ and $0 \le r, r' < b$. Note that if $r = r'$, then $bq = bq'$ and, since $b \neq 0$, we have $q = q'$ as required. So suppose $r < r'$ or $r > r'$. Without loss of generality $r < r'$, which, in turn, implies that $q > q'$ (as otherwise $a = bq + r < bq' + r' = a$), and so
$$b \cdot 1 = b > r' \ge r' - r = (a - bq') - (a - bq) = b(q - q') > b \cdot 0,$$
which implies that $0 < q - q' < 1$, giving a contradiction.

Note 1.2. The division algorithm can be extended to the whole set $\mathbb{Z}$ of integers.

Definition 1.3. Using the same notation as in Theorem 1.1, we say that $b$ is the divisor, $q$ is the quotient and $r$ is the remainder.

Definition 1.4. Suppose that $a$ and $b$ are integers. We say that $b$ divides $a$, which is denoted by $b \mid a$, if there exists an integer $x$ such that $a = bx$. We also say that $a$ is divisible by $b$, or that $b$ is a divisor or a factor of $a$.

So, for example, 4 divides 8; 15 is divisible by 3; and 7 is a divisor of 14. Note also that every integer is divisible by 1 and by itself.

Definition 1.5. Let $a \ge 2$ be an integer. We say that $a$ is prime if its only positive divisors are 1 and $a$. If $a$ has other divisors, we say $a$ is composite.
[Consequently, $a$ is composite if there exist $b, c$ with $2 \le b, c < a$ and $a = bc$.]

Note 1.6. The integer 1 is neither composite nor prime.

Examples 1.7.
• Primes: 2, 3, 5, 104729.
• Twin primes: (3, 5), (5, 7), (821, 823).
• Mersenne primes (of the form $2^n - 1$): 7, 127.
• Fermat primes (of the form $2^{2^n} + 1$): 3, 5, 17, 257, 65537.
• James Bond primes: 4007, 6007, 9007.
• Grothendieck prime: 57.

We shall now proceed to describe some results associated with the concept of prime numbers, but before that let us state some basic divisibility properties.

Lemma 1.8. Let $a$, $b$ and $c$ be integers. Then
(a) if $a \mid b$ and $b \mid c$ then $a \mid c$;
(b) if $a \mid b$ and $a \mid c$ then $a \mid (\lambda b + \mu c)$ for any integers $\lambda, \mu$. In particular, $a \mid (b \pm c)$;
(c) if $a \mid b$ then $a \mid bc$.

Proof. ad (a) Suppose that $a \mid b$ and $b \mid c$. There exist $x$ and $y$ such that $b = ax$ and $c = by$. But then $c = by = (ax)y = a(xy)$ and so $a \mid c$. The remaining statements can be proved in a similar manner and are left as an exercise for the reader.

Prime numbers are the building blocks the integers are made of.

Lemma 1.9. Let $a \ge 2$ be an integer. Then $a$ has a prime divisor.

Proof. We argue by contradiction. Suppose the statement is not true, and let $a \ge 2$ be the smallest integer with no prime divisor. Then $a$ cannot be prime, and so, in particular, there exists $b$ such that $2 \le b < a$ and $b \mid a$. By the minimality of $a$, $b$ has a prime divisor $p$, which then, by Lemma 1.8 (a), divides $a$.

Note 1.10. For those familiar with the terminology, note that what we used in the proof was actually the method of (strong) mathematical induction.

In fact, a much stronger result is true.

Theorem 1.11 (Fundamental Theorem of Arithmetic). Any integer greater than 1 can be expressed as a product of (not necessarily distinct) prime numbers. Furthermore, such a representation is unique up to the order of the factors.

So, for example, $10 = 2 \times 5$ and $1200 = 2^4 \times 3 \times 5^2$.

Sketch proof. The proof of existence is almost identical to that of Lemma 1.9.
The proof of uniqueness (usually) relies on the fact that if $p$ is prime and $p \mid ab$ then $p \mid a$ or $p \mid b$, which we shall discuss next week. For a detailed proof we refer the reader to, for example, [1, p. 41].

Theorem 1.12 (Euclid). There are infinitely many primes.

Proof. Suppose, for a contradiction, that there are only finitely many primes. List them as $p_1, p_2, \ldots, p_k$, and consider $N = p_1 \times p_2 \times \cdots \times p_k + 1$. Clearly $N \ge 2$ (2 is on our list). Lemma 1.9 implies that $N$ has a divisor $p$ that is prime and as such must have appeared on our list. In other words, $p = p_i$ for some $i$. But then $p \mid (p_1 \times \cdots \times p_k) = (N - 1)$, which means, by Lemma 1.8 (b), that $p \mid 1$ and $p = \pm 1$. Contradiction.

1.2 Primality testing. Sieve of Eratosthenes

Suppose we are given a number $n$ and we want to check whether it is prime. A naive approach would be to check whether $n$ is divisible by $2, 3, \ldots, n - 1$. In fact, if $n$ is composite, it must have a factor not exceeding $\sqrt{n}$, so it is enough to only check the integers $2, \ldots, \lfloor \sqrt{n} \rfloor$. We can shrink the list even further by removing all even integers except for 2, for if $n$ is divisible by an even integer, it must be divisible by 2. Likewise, it is not necessary to check any multiples of 3 except for 3 itself, and so on.

These observations lie at the heart of the Sieve of Eratosthenes (κοσκινον Ερατοσθενους) algorithm, which allows us to find the prime numbers between 2 and $n$:
(1) Write out the integers we are interested in: $2, 3, \ldots, n$.
(2) Set $p = 2$, the first prime number.
(3) Remove all multiples of $p$ that do not exceed $n$: $2p, 3p, \ldots$.
(4) Find the first number remaining on the list after $p$ and replace $p$ with this number. Note that this number must be prime.
(5) Repeat the last two steps for as long as $p^2$ does not exceed $n$.
(6) The numbers that remain on the list are prime.

There are many other tests for primality, for example one based on Fermat's Little Theorem, which we shall see in a few weeks.
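Steps (1)-(6) of the sieve, together with the trial-division test up to $\sqrt{n}$ from the paragraph before it, written out as an added example (this is not code from the notes; the function names are mine):

```python
# Added example (not from the notes): the Sieve of Eratosthenes exactly as in
# steps (1)-(6) above, plus trial division up to sqrt(n) for a single number.
from math import isqrt


def sieve_eratosthenes(n):
    """Return the list of primes in 2..n, following steps (1)-(6)."""
    if n < 2:
        return []
    # Step (1): the candidates 2..n; True means "still on the list".
    on_list = [True] * (n + 1)
    on_list[0] = on_list[1] = False
    p = 2                                   # step (2): the first prime
    while p * p <= n:                       # step (5): continue while p^2 <= n
        if on_list[p]:
            # Step (3): cross out 2p, 3p, ...  Multiples below p*p were already
            # removed by smaller primes, so starting at p*p gives the same list.
            for multiple in range(p * p, n + 1, p):
                on_list[multiple] = False
        # Step (4): move on; numbers already crossed out are skipped by the
        # test above, so the next p that passes it is the next survivor,
        # which is prime.
        p += 1
    # Step (6): whatever remains on the list is prime.
    return [k for k in range(2, n + 1) if on_list[k]]


def is_prime_trial(n):
    """Trial division: test 2, then only odd candidates up to sqrt(n),
    since any composite n has a factor not exceeding sqrt(n)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True
```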
1.3 A practice example

We shall show that the square of any integer is either of the form $3k$ or $3k + 1$. Indeed, let $n$ be an integer. By the division algorithm, there exist $q, r$ with $n = 3q + r$ and $0 \le r < 3$. Three cases are possible:
• $r = 0$, so that $n = 3q$ and $n^2 = (3q)^2 = 3(3q^2)$,
• $r = 1$, so that $n = 3q + 1$ and $n^2 = 3(3q^2 + 2q) + 1$,
• $r = 2$, so that $n = 3q + 2$ and $n^2 = 3(3q^2 + 4q + 1) + 1$,
and we get the required result in each case.

We might call Euclid's method the granddaddy of all algorithms, because it is the oldest nontrivial algorithm that has survived to the present day
Donald Knuth

2 Highest common factor. Euclidean algorithm

Definition 2.1. Let $a$ and $b$ be integers. We say that $d \ge 0$ is the highest common factor (or greatest common divisor) of $a$ and $b$, denoted by $(a, b)$, $\mathrm{hcf}(a, b)$ or $\gcd(a, b)$, if
(a) $d \mid a$ and $d \mid b$ ("common factor"), and
(b) if $c \mid a$ and $c \mid b$ then $c \mid d$ ("highest").
If $\mathrm{hcf}(a, b) = 1$, we say that $a$ and $b$ are coprime (or relatively prime).

So, for example, $\mathrm{hcf}(4, 6) = 2$, whereas 2 and 5 are coprime.

One approach to finding $\mathrm{hcf}(a, b)$ is via the prime factorisation of $a$ and $b$ (which exists by the Fundamental Theorem of Arithmetic). For example, $180 = 2^2 \times 3^2 \times 5$, $24 = 2^3 \times 3$, and so $\mathrm{hcf}(180, 24) = 2^2 \times 3 = 12$. However, when it comes to large numbers, prime factorisation is not very computationally efficient, and this is where the Euclidean Algorithm comes into the picture. We need an intermediate result first.

Lemma 2.2. Let $a$ and $b$ be positive integers, and let $q, r$ be such that $a = bq + r$ and $0 \le r < b$. If $\mathrm{hcf}(b, r)$ exists then so does $\mathrm{hcf}(a, b)$, and moreover $\mathrm{hcf}(a, b) = \mathrm{hcf}(b, r)$.

Proof. For simplicity denote $d = \mathrm{hcf}(b, r)$. We want to show that $d = \mathrm{hcf}(a, b)$, so we need to check that it satisfies the conditions of Definition 2.1.
(a) To show that $d$ is a common factor of $a$ and $b$: by assumption, $d \mid b$, and we also have that $d \mid r$, so $d \mid (bq + r) = a$.
(b) To show that any common factor of $a$ and $b$ must divide $d$: let $c$ be a common factor of $a$ and $b$.
Then $c \mid (a - bq) = r$. But also $c \mid b$. Thus, by definition, $c \mid \mathrm{hcf}(b, r) = d$.

So instead of looking at $\mathrm{hcf}(a, b)$, we can try to find $\mathrm{hcf}(b, r)$, which should be easier because the numbers are smaller. And, unless $r = 0$, we can divide $b$ by $r$ to get even smaller numbers, and so on.

Theorem 2.3 (Euclidean algorithm). Let $a$ and $b$ be positive integers. Then
(a) $\mathrm{hcf}(a, b)$ exists and is unique.
(b) (Bézout's identity) There exist integers $x, y$ such that
$$\mathrm{hcf}(a, b) = ax + by. \tag{1}$$

Proof. (a) Without loss of generality assume that $a \ge b$. We know that there exist $q_0$ and $r_0$ such that $a = bq_0 + r_0$ and $0 \le r_0 < b$. If $r_0 \neq 0$, then we can continue the process: there exist $q_1$ and $r_1$ with $b = r_0 q_1 + r_1$ and $0 \le r_1 < r_0$, and, provided $r_1 \neq 0$, we can do this again: $r_0 = r_1 q_2 + r_2$ and $0 \le r_2 < r_1$, and so on. Suppose we continue this process for as long as we can; this is known as the Euclidean algorithm. We obtain a strictly decreasing sequence of nonnegative integers $b > r_0 > r_1 > \cdots \ge 0$. But such a sequence can only have finitely many terms, which means that at some point we cannot continue. This can only happen if the corresponding remainder is zero (otherwise we could divide by it):
$$r_{k-2} = r_{k-1} q_k + r_k, \quad 0 \le r_k < r_{k-1}, \quad r_k \neq 0; \qquad r_{k-1} = r_k q_{k+1} + 0.$$
Now, $r_k$ is a factor of $r_{k-1}$ and so $r_k = \mathrm{hcf}(r_{k-1}, r_k)$. Therefore, applying Lemma 2.2 recursively, we get
$$r_k = \mathrm{hcf}(r_{k-1}, r_k) = \mathrm{hcf}(r_{k-2}, r_{k-1}) = \cdots = \mathrm{hcf}(r_0, r_1) = \mathrm{hcf}(b, r_0) = \mathrm{hcf}(a, b),$$
that is, $\mathrm{hcf}(a, b)$ exists and is equal to the last nonzero remainder in the Euclidean algorithm. For uniqueness note that if $d = \mathrm{hcf}(a, b) = d'$ then $d \mid a$ and $d \mid b$, implying that $d \mid d'$ (as every common factor of $a$ and $b$ divides $d'$), and, by the same reasoning, $d' \mid d$, so that $d = d'$.

(b) To express $\mathrm{hcf}(a, b)$ in terms of $a$ and $b$, we retrace the steps of the Euclidean algorithm backwards:
$$\begin{aligned}
\mathrm{hcf}(a, b) = r_k &= r_{k-2} - r_{k-1} q_k \\
&= r_{k-2} - (r_{k-3} - r_{k-2} q_{k-1})\, q_k && [\,r_{k-1} = r_{k-3} - r_{k-2} q_{k-1}\,] \\
&= r_{k-2}(1 - q_{k-1} q_k) - r_{k-3} q_k \\
&= \cdots = ax + by.
\end{aligned}$$

Example 2.4.
Find $\mathrm{hcf}(112, 20)$ and express it as a combination of 112 and 20.
$$\begin{aligned}
112 &= 20 \times 5 + 12 \\
20 &= 12 \times 1 + 8 \\
12 &= 8 \times 1 + 4 \\
8 &= 4 \times 2 + 0,
\end{aligned}$$
and so $\mathrm{hcf}(112, 20) = 4$. Furthermore,
$$\begin{aligned}
\mathrm{hcf}(112, 20) = 4 &= 12 - 8 \times 1 \\
&= 12 - (20 - 12 \times 1) \times 1 = 20 \times (-1) + 12 \times 2 \\
&= 20 \times (-1) + (112 - 20 \times 5) \times 2 = 112 \times 2 + 20 \times (-11).
\end{aligned}$$

Theorem 2.3 provides a number of interesting corollaries.

Corollary 2.5. Let $a, b, c$ be integers and suppose that $c \mid ab$ and $\mathrm{hcf}(c, a) = 1$. Then $c \mid b$.

Proof. By the Euclidean Algorithm, there exist $x, y$ with $1 = cx + ay$. After multiplying both sides of the equation by $b$ we get $b = (cx)b + (ay)b = c(xb) + (ab)y$. Clearly $c \mid c$ and, by assumption, $c \mid ab$, so $c \mid c(xb) + (ab)y = b$ as required.

Note 2.6. The condition $\mathrm{hcf}(c, a) = 1$ is necessary: $4 \mid (2 \times 2)$ but $4 \nmid 2$.

Now, if $p$ is prime and $p \nmid a$, we must necessarily have $\mathrm{hcf}(p, a) = 1$, and so, rewriting Corollary 2.5 accordingly, we get

Corollary 2.7. Let $p$ be a prime such that $p \mid ab$. Then $p \mid a$ or $p \mid b$.

A classical application of this result is the proof of the uniqueness part of the Fundamental Theorem of Arithmetic.

Proof of uniqueness of prime factorisation. We shall proceed by contradiction and assume that $N$ is the smallest integer that can be written as a product of primes in (at least) two ways:
$$N = p_1^{e_1} \cdots p_k^{e_k} = q_1^{f_1} \cdots q_l^{f_l}.$$
Now, $p_1 \mid N = q_1^{f_1} \cdots q_l^{f_l}$ and so, applying Corollary 2.7 repeatedly, we conclude that there exists $i$ with $p_1 \mid q_i^{f_i} = q_i q_i \cdots q_i$. Appealing to Corollary 2.7 again, we conclude that $p_1 \mid q_i$. But $q_i$ is prime, and $p_1 > 1$, which is only possible if $q_i = p_1$. Without loss of generality assume that $i = 1$, and so we have
$$M := p_1^{e_1 - 1} \cdots p_k^{e_k} = \frac{N}{p_1} = \frac{N}{q_1} = q_1^{f_1 - 1} \cdots q_l^{f_l}.$$
Since $M < N$, its factorisation into primes must be unique. Consequently $k = l$ and (up to a rearrangement of the indices on the right) $p_1 = q_1, \ldots, p_k = q_k$, $e_1 = f_1, \ldots, e_k = f_k$. Contradiction.
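Theorem 2.3 and Example 2.4 in code, as an added example that is not part of the notes: the division steps are recorded in the layout of Example 2.4, Bézout's identity (1) is obtained by carrying the coefficients forward instead of retracing by hand, the parametrised family of solutions stated later in Note 2.9 (b) is generated, and the modular inverse that Corollary 2.5 guarantees when $\mathrm{hcf}(a, n) = 1$ is read off from (1). All function names are mine.

```python
# Added example (not from the notes): the Euclidean algorithm of Theorem 2.3
# and Bezout's identity (1), checked against Example 2.4 and Note 2.9 (b).
def euclid_steps(a, b):
    """Division steps (dividend, divisor, quotient, remainder) of the Euclidean
    algorithm applied to positive integers a, b, in the layout of Example 2.4."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r                     # Lemma 2.2: hcf(a, b) = hcf(b, r)
    return steps


def extended_hcf(a, b):
    """Return (d, x, y) with d = hcf(a, b) and d = a*x + b*y.

    Instead of retracing the steps backwards by hand as in Example 2.4, the
    coefficients are carried forward: at every stage the current remainder
    equals a*x + b*y, so the invariant delivers Bezout's identity directly.
    """
    old_r, r = a, b
    old_x, x = 1, 0                     # a = a*1 + b*0
    old_y, y = 0, 1                     # b = a*0 + b*1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r     # next remainder, as in the notes
        old_x, x = x, old_x - q * x     # keep remainder == a*x + b*y
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y          # the last nonzero remainder is the hcf


def bezout_family(a, b, k):
    """The k-th member of the solution set of Note 2.9 (b):
    (x + k*b/d, y - k*a/d); every member satisfies a*x + b*y = d."""
    d, x, y = extended_hcf(a, b)
    return x + k * (b // d), y - k * (a // d)


def inverse_mod(a, n):
    """Inverse of a modulo n, which exists precisely when hcf(a, n) = 1
    (Corollary 2.5): from 1 = a*x + n*y we read off a*x == 1 (mod n)."""
    d, x, _ = extended_hcf(a, n)
    if d != 1:
        raise ValueError(f"{a} is not invertible mod {n}: hcf = {d}")
    return x % n
```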
The proof of the following result is similar to that of Corollary 2.5 and is left as an exercise on one of the problem sheets.

Corollary 2.8. Suppose that $\mathrm{hcf}(a, b) = 1$, $a \mid c$ and $b \mid c$. Then $ab \mid c$.

We shall finish with a couple of observations.

Note 2.9.
(a) The worst-case scenario occurs when the algorithm is applied to two consecutive Fibonacci numbers. Since the $n$th Fibonacci number is roughly equal to $\phi^n / \sqrt{5}$, the complexity of the algorithm is $O(\log n)$.
(b) The integers $x, y$ satisfying (1) are not unique, and in fact there are infinitely many of them. It can be shown that if $(x, y)$ is any solution to (1), then all solutions are described by the set
$$\left\{ \left( x + \frac{kb}{\mathrm{hcf}(a, b)},\; y - \frac{ka}{\mathrm{hcf}(a, b)} \right) : k \text{ is an integer} \right\}.$$
For example, $4 = 112 \times 2 + 20 \times (-11) = 112 \times 7 + 20 \times (-39)$.
(c) Equation (1) is an example of a Diophantine equation of first order. It is an easy consequence of the Euclidean Algorithm that an equation $ax + by = c$ is soluble (in integers) if and only if $\mathrm{hcf}(a, b) \mid c$.
(d) The concept of hcf can be generalised in several directions. On the one hand, it can be extended to more than two variables. On the other hand, it is applicable to other structures, such as rings of polynomials (long division), Gaussian integers (numbers of the form $a + ib$ with $a, b$ integers and $i = \sqrt{-1}$) or, more generally, Euclidean domains.

Gauss once said "Mathematics is the queen of the sciences and number-theory the queen of mathematics." If this be true we may add that the Disquisitiones is the Magna Charta of number-theory.
M. Cantor

3 Modular (aka clock) arithmetic

3.1 Introduction

Suppose that it is now 9 o'clock. What will the time be in 8 hours? In "normal" arithmetic this would be $9 + 8 = 17$ o'clock. But if we live in a 12-hour clock world, then it will actually be 5. So in clock arithmetic (which is arithmetic modulo 12) we have $9 + 8 = 5$. We can generalise the notion as follows.

Definition 3.1. Let $n$ be a positive integer.
We say that integers $a$ and $b$ are congruent modulo $n$ if $n \mid (a - b)$. This is denoted as
$$a \equiv b \pmod{n}.$$
[Equivalently, $a \equiv b \pmod{n}$ if $a = b + kn$ for some integer $k$.] Some authors use the notation $a \equiv b \ (n)$ or even $a = b \ (n)$.

So, for example, $1 \equiv 13 \pmod{12}$ and $-1 \equiv 1 \pmod{2}$, but $1 \not\equiv 5 \pmod{3}$.

In general, if we are dealing with arithmetic modulo $n$, then all multiples of $n$ can be ignored, and so instead of dealing with the original numbers we can look at their remainders when divided by $n$, thus restricting ourselves to the numbers $\{0, 1, \ldots, n - 1\}$ or $\{-n + 1, \ldots, -1, 0\}$. We shall often identify numbers with their remainders, so that the sentence "find $a \pmod{n}$" will mean "find the remainder of $a$ when divided by $n$".

We start with some basic properties of congruences. Their proof is very much in the spirit of that of Lemma 1.8 and is left as an exercise for the reader.

Lemma 3.2. Let $a, b, c$ and $d$ be integers and let $n$ be a positive integer. Then
(a) $a \equiv a \pmod{n}$;
(b) if $a \equiv b \pmod{n}$ then $b \equiv a \pmod{n}$;
(c) if $a \equiv b \pmod{n}$ and $b \equiv c \pmod{n}$ then $a \equiv c \pmod{n}$;
(d) if $a \equiv b \pmod{n}$ and $c \equiv d \pmod{n}$ then $a \pm c \equiv b \pm d \pmod{n}$;
(e) if $a \equiv b \pmod{n}$ and $c \equiv d \pmod{n}$ then $ac \equiv bd \pmod{n}$. In particular, $a^k \equiv b^k \pmod{n}$ for any $k$.

Note that the implications in part (e) of Lemma 3.2 are not reversible. For example, $2 \times 2 \equiv 0 \times 0 \pmod{4}$ but of course $2 \not\equiv 0 \pmod{4}$. Things are different, however, if we include certain (co-)primality restrictions.

Theorem 3.3. Suppose that $ac \equiv bc \pmod{n}$. If, in addition, $\mathrm{hcf}(n, c) = 1$, then $a \equiv b \pmod{n}$.

Proof. By assumption $n \mid (ac - bc) = (a - b)c$ and $\mathrm{hcf}(n, c) = 1$. Corollary 2.5 implies that $n \mid (a - b)$ as required.

Corollary 3.4. Let $p$ be prime and suppose that $ac \equiv bc \pmod{p}$ and $p \nmid c$. Then $a \equiv b \pmod{p}$.

Examples 3.5.
(a) Calculate the remainder of $25^{260} + 260^{25}$ modulo 3. Note that $25 \equiv 1 \pmod{3}$ and so $25^{260} \equiv 1^{260} = 1 \pmod{3}$. Similarly, $260 \equiv 2 \equiv -1 \pmod{3}$ and so $260^{25} \equiv (-1)^{25} = -1 \pmod{3}$.
Thus $25^{260} + 260^{25} \equiv 1 + (-1) = 0 \pmod{3}$, and the remainder is 0.
(b) The square of an integer never has remainder 2 when divided by 3. Indeed, let $a$ be an integer and let $r$ be its remainder when divided by 3, so that $a \equiv r \pmod{3}$. Then $a^2 \equiv r^2 \pmod{3}$ and three cases are possible:
• if $r = 0$, then $a^2 \equiv 0^2 = 0 \pmod{3}$,
• if $r = 1$, then $a^2 \equiv 1^2 = 1 \pmod{3}$,
• if $r = 2$, then $a^2 \equiv 2^2 = 4 \equiv 1 \pmod{3}$,
so $a^2$ can only have remainder 0 or 1 when divided by 3.
(c) What is the remainder of $1! + 2! + \cdots + 100!$ when divided by 12? First note that $k!$ contains a factor of $12 = 3 \times 4$ whenever $k \ge 4$, which means that $4! \equiv 0 \pmod{12}, \ldots, 100! \equiv 0 \pmod{12}$. Thus
$$1! + 2! + \cdots + 100! \equiv 1! + 2! + 3! + 0 + \cdots + 0 \equiv 1 + 2 + 6 \equiv 9 \pmod{12},$$
and the remainder is 9.
(d) Show that $2^{30} - 1$ is divisible by 31. Note that $2^5 = 32 \equiv 1 \pmod{31}$. Hence $2^{30} = (2^5)^6 \equiv 1^6 = 1 \pmod{31}$, which means that $31 \mid (2^{30} - 1)$ as required.

Note 3.6. Parts (a)–(c) of Lemma 3.2 show that $\equiv$ is a reflexive, symmetric and transitive relation respectively, and hence it is an equivalence relation. For any integer $a$ we denote the corresponding equivalence class by $[a]$, so that
$$[a] = \{ b : b \equiv a \pmod{n} \} = \{ \ldots, a - 2n, a - n, a, a + n, a + 2n, \ldots \}.$$
We can then define arithmetic operations by setting
$$[a] + [b] := [a + b], \qquad -[a] := [-a], \qquad [a][b] := [ab],$$
and, with respect to these operations, the resulting structure, usually denoted by $\mathbb{Z}/n\mathbb{Z} = \mathbb{Z}_n$, forms a commutative ring. If $n$ is prime, then this ring is a field, so that we can not only add, subtract and multiply, but also divide by nonzero elements.

3.2 Theorems of Fermat and Euler

Theorem 3.7 (Fermat's Little Theorem). Let $p$ be a prime and $a$ be an integer such that $p \nmid a$. Then $a^{p-1} \equiv 1 \pmod{p}$.

Proof. Firstly, consider the set $S = \{a, 2a, \ldots, (p - 1)a\}$. We claim that all elements in $S$ are distinct modulo $p$. Indeed, let $i$ and $j$ be integers such that
$$1 \le i, j \le p - 1 \quad \text{and} \quad ia \equiv ja \pmod{p}. \tag{2}$$
This means that $p \mid a(i - j)$ and, since $p \nmid a$, Corollary 2.7 implies that $p \mid (i - j)$, so that $i - j = kp$ for some integer $k$. However, the first part of (2) implies that
$$(-1) \times p < -p + 2 = 1 - (p - 1) \le i - j \le (p - 1) - 1 = p - 2 < 1 \times p.$$
This forces $k$ to be 0, which, in turn, implies that $i = j$ as required.

So, $S$ consists of $p - 1$ elements, which are all distinct $\pmod{p}$. Furthermore, none of these elements can be divisible by $p$, as neither are $a, 1, \ldots, (p - 1)$. This means that mod $p$ the elements of $S$ are precisely $1, 2, \ldots, p - 1$, possibly in another order. Consequently,
$$a \times 2a \times \cdots \times (p - 1)a \equiv 1 \times 2 \times \cdots \times (p - 1) \pmod{p},$$
and so $a^{p-1}(p - 1)! \equiv (p - 1)! \pmod{p}$. Being prime, $p$ does not divide any of the factors of $(p - 1)!$. Thus, by Corollary 3.4, we can cancel $(p - 1)!$, meaning that $a^{p-1} \equiv 1 \pmod{p}$ as required.

Note 3.8. There is another proof of Fermat's Little Theorem, which can often be found in books. It is actually really neat, but requires some knowledge of group theory. The idea is as follows: the numbers $1, \ldots, p - 1$ are the invertible elements mod $p$ and as such form a group under multiplication (so that we can multiply elements and take inverses). Let now $a$ be an element in this group, so that $\mathrm{hcf}(a, p) = 1$ and $p \nmid a$. By Lagrange's Theorem, the order of $a$, i.e. the smallest $n$ with $a^n \equiv 1 \pmod{p}$, must divide the order of the group, which is $p - 1$, and the result follows.

Corollary 3.9. Let $a$ be any integer and $p$ be any prime. Then $a^p \equiv a \pmod{p}$.

Proof. If $p \nmid a$, Fermat's Little Theorem implies that $a^{p-1} \equiv 1 \pmod{p}$ and we just multiply both sides of the congruence by $a$. Otherwise $p \mid a$, which means that $a \equiv 0 \equiv a^p \pmod{p}$ and we are done.

Corollary 3.10. Let $n$ be an integer. If there exists an integer $a$ with $a^n \not\equiv a \pmod{n}$, then $n$ is not prime.

For example, $2^{117} \equiv 44 \not\equiv 2 \pmod{117}$, and so 117 is not a prime. Indeed, $117 = 13 \times 3^2$.

Examples 3.11.
(a) Example 3.5 (d) revisited: Calculate $2^{30} \pmod{31}$.
31 is prime and $30 = 31 - 1$, so $2^{30} \equiv 1 \pmod{31}$.
(b) Calculate $5^{42} \pmod{11}$. Note that $5^{10} \equiv 1 \pmod{11}$, which means that $5^{40} = (5^{10})^4 \equiv 1^4 = 1 \pmod{11}$, and so $5^{42} \equiv 5^2 = 25 \equiv 3 \pmod{11}$.

Note 3.12. Note that Fermat's theorem is not a sufficiency result and so cannot be used for determining primality. As an illustration, it can be shown that $a^{560} \equiv 1 \pmod{561}$ for all $a$ coprime to 561, and yet 561 is not prime: $561 = 3 \times 11 \times 17$. Such numbers are called Carmichael numbers.

Fermat did not provide a proof of his theorem, saying that it was too long (how typical of him!). Leibniz provided a proof of the result, but did not publish it, and it was Euler who first published his own version of the proof. He also came up with a generalisation of the result, which we shall now proceed to explore, but first we need to establish the terminology.

Definition 3.13. Let $n$ be a natural number. We define $\phi(n)$ to be the number of natural numbers not exceeding $n$ that are coprime to $n$, i.e.
$$\phi(n) = \#\{ a \in \mathbb{N} : a \le n,\ \mathrm{hcf}(a, n) = 1 \}.$$
The function $\phi$ is also called Euler's phi-function or totient.

Note 3.14. Continuing with the language of group theory, alternatively, $\phi(n)$ is the number of elements that are invertible mod $n$.

So, for example, to find $\phi(12)$ we need to count all positive integers that are smaller than 12 and are coprime to 12. These are 1, 5, 7 and 11, and so $\phi(12) = 4$. Similarly, $\phi(1) = 1$ and $\phi(30) = 8$.

If $n$ does not have many divisors, it may be easier to count the integers it is not coprime to.

Examples 3.15.
(a) Let $p$ be a prime. There are $p$ numbers that do not exceed $p$ and of those only $p$ is not coprime to $p$. Consequently, $\phi(p) = p - 1$. So, for example, $\phi(4007) = 4006$.
(b) Let $p$ be a prime and $e$ be a positive integer. Then
$$\phi(p^e) = p^e - p^{e-1} = p^e \left( 1 - \frac{1}{p} \right).$$
So, for example, $\phi(169) = \phi(13^2) = 13^2 - 13^1 = 156$. The proof of the statement is similar and is left as an exercise on one of the problem sheets.
(c) Let $p$ and $q$ be two distinct primes.
Without loss of generality assume $p < q$. There are $pq$ elements that do not exceed $pq$. Of those, the numbers that are not coprime to $pq$ are the multiples of $p$ up to $qp$ and the multiples of $q$ up to $pq$:
$$\begin{aligned}
p,\ 2p,\ 3p,\ \ldots,\ (q - 1)p,\ qp &\qquad \text{total: } q \\
q,\ 2q,\ 3q,\ \ldots,\ (p - 1)q,\ pq &\qquad \text{total: } p
\end{aligned}$$
But $pq$ appears twice on our list, so
$$\phi(pq) = pq - p - q + 1 = (p - 1)(q - 1). \tag{3}$$
So, for example, $\phi(143) = \phi(11 \times 13) = (11 - 1) \times (13 - 1) = 120$.

Note that we have shown that if $p$ and $q$ are distinct prime numbers, then $\phi(pq) = \phi(p)\phi(q)$. In fact, this is a specific case of a more general result, the proof of which can be found for example in [1, p. 133].

Theorem 3.16. The function $\phi$ is multiplicative, that is, $\phi(mn) = \phi(m)\phi(n)$ whenever $m$ and $n$ are coprime.

The result, combined with the Fundamental Theorem of Arithmetic and Example 3.15 (b), gives a recipe for calculating $\phi(n)$ for any $n$.

Corollary 3.17. Let $n$ be an integer, and let $n = p_1^{e_1} \cdots p_k^{e_k}$ be its (unique) representation as a product of powers of distinct primes. Then
$$\phi(n) = \left( p_1^{e_1} - p_1^{e_1 - 1} \right) \cdots \left( p_k^{e_k} - p_k^{e_k - 1} \right) = n \left( 1 - \frac{1}{p_1} \right) \cdots \left( 1 - \frac{1}{p_k} \right).$$

To illustrate, $100 = 2^2 \times 5^2$, so $\phi(100) = (2^2 - 2^1)(5^2 - 5^1) = 2 \times 20 = 40$.

Theorem 3.18 (Euler). Let $a$ and $n$ be integers with $\mathrm{hcf}(a, n) = 1$. Then $a^{\phi(n)} \equiv 1 \pmod{n}$.

Before we proceed, note that if $n$ is a prime not dividing $a$ then $\mathrm{hcf}(a, n) = 1$ and $\phi(n) = n - 1$, and we immediately get Fermat's Little Theorem.

Proof of Theorem 3.18. We shall proceed in the spirit of our proof of Theorem 3.7. Let $1 \le b_1 < b_2 < \cdots < b_{\phi(n)} \le n$ be the integers not exceeding $n$ that are coprime to $n$, and consider the set $S = \{ ab_1, ab_2, \ldots, ab_{\phi(n)} \}$. Suppose that $ab_i \equiv ab_j \pmod{n}$ for some $i, j$ with $1 \le i, j \le \phi(n)$, so that $n \mid a(b_i - b_j)$. Coprimality of $a$ and $n$ implies that $n \mid (b_i - b_j)$ and so $b_i - b_j$ is an integer multiple of $n$. However,
$$(-1) \times n < 1 - n \le b_i - b_j \le n - 1 < 1 \times n,$$
and so $b_i - b_j = 0$, meaning that $i = j$. So $S$ has $\phi(n)$ elements, which are all distinct mod $n$ and which are all coprime to $n$ (since $a$ and all $b_i$ are).
Consequently, modulo $n$ the elements of $S$ are precisely $b_1, \ldots, b_{\phi(n)}$, perhaps in a different order. So
$$a^{\phi(n)} \prod_{i=1}^{\phi(n)} b_i = (ab_1)(ab_2) \cdots (ab_{\phi(n)}) \equiv b_1 b_2 \cdots b_{\phi(n)} = \prod_{i=1}^{\phi(n)} b_i \pmod{n}.$$
Coprimality of $n$ and $\prod_{i=1}^{\phi(n)} b_i$ implies, by Theorem 3.3, that $\prod_{i=1}^{\phi(n)} b_i$ can be cancelled, and so $a^{\phi(n)} \equiv 1 \pmod{n}$ as required.

Note 3.19. There is an alternative proof of Euler's Theorem, which is identical to that described in Note 3.8 and follows from the fact that the set of elements invertible mod $n$ forms a group under multiplication. The group is often called the group of units and its order is consequently $\phi(n)$.

Examples 3.20.
(a) Find the remainder of $3^{201}$ when divided by 100. We already saw that $\phi(100) = \phi(2^2 \times 5^2) = 40$, and so $3^{40} \equiv 1 \pmod{100}$. Consequently, $3^{200} = (3^{40})^5 \equiv 1^5 = 1 \pmod{100}$ and $3^{201} \equiv 3 \pmod{100}$.
(b) Find the unit digit of $7^{100}$ by means of Euler's theorem. Translating the question into the language of congruences, we need to evaluate $7^{100} \pmod{10}$. Note that $\phi(10) = \phi(2 \times 5) = (2 - 1)(5 - 1) = 4$, and so $7^{100} = (7^4)^{25} \equiv 1^{25} = 1 \pmod{10}$.

3.3 Linear congruences and Chinese Remainder Theorem

Suppose we want to solve the equation
$$ax = b. \tag{4}$$
If there are no restrictions on $x$ then, provided $a \neq 0$, the equation has a unique solution: $x = \frac{b}{a}$. If we require all terms to be integers, then (4) has one solution, $\frac{b}{a}$, if $a \mid b$ and no solutions otherwise. But suppose now that we work in modular arithmetic: given $a$, $b$ and $n$ we want to find $x$ such that
$$ax \equiv b \pmod{n}. \tag{5}$$
In the spirit of the previous section, one approach is just to check whether any of the numbers $a \times 0, a \times 1, \ldots, a \times (n - 1)$ satisfy (5).

Example 3.21. By checking 0, 1 and 2, we see that the solution to the equation $2x \equiv 1 \pmod{3}$ is $x \equiv 2 \pmod{3}$.

Whilst the trial and error method works in general, let us try to derive a general algorithm for solving such equations.
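Before moving on to linear congruences, here is Section 3.2 as computations, added here as an example that is not part of the notes: $\phi(n)$ by the recipe of Corollary 3.17 checked against Definition 3.13, the compositeness witness of Corollary 3.10 on $2^{117} \pmod{117}$, and the Carmichael number 561 of Note 3.12, which passes the Fermat test for every coprime base although it is composite. Function names are mine; the factorisation uses plain trial division, which is adequate for the sizes in these notes.

```python
# Added example (not from the notes): Euler's phi via Corollary 3.17, the
# Fermat witness of Corollary 3.10, and the Carmichael number of Note 3.12.
from math import gcd


def prime_factorisation(n):
    """Return [(p, e), ...] with n = p_1^e_1 * ... * p_k^e_k (Theorem 1.11),
    found by trial division with p increasing, so the primes come out sorted."""
    factors = []
    p = 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:                           # whatever is left is a single prime
        factors.append((n, 1))
    return factors


def phi(n):
    """Euler's totient by Corollary 3.17: the product of p^e - p^(e-1)."""
    result = 1
    for p, e in prime_factorisation(n):
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n):
    """Definition 3.13 taken literally: count 1 <= a <= n with hcf(a, n) = 1."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def fermat_witness(n, a):
    """Corollary 3.10: a proves n composite when a^n != a (mod n).
    Returns True for such a witness, False when a tells us nothing."""
    return pow(a, n, n) != a % n


def passes_fermat_for_all_coprime(n):
    """True if a^(n-1) == 1 (mod n) for every a coprime to n.  Primes always
    pass (Theorem 3.7); a composite that passes is a Carmichael number, which
    is why Note 3.12 says Fermat's theorem alone cannot certify primality."""
    return all(pow(a, n - 1, n) == 1 for a in range(1, n) if gcd(a, n) == 1)
```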
Note that (5) is soluble
$$\begin{aligned}
&\Leftrightarrow \exists \text{ (there exists) } x \text{ such that } n \mid (ax - b) \\
&\Leftrightarrow \exists\, x \text{ such that } \exists\, y \text{ such that } ax - b = ny \\
&\Leftrightarrow \exists\, x, y \text{ such that } b = ax - ny \\
&\Leftrightarrow \text{the equation } b = ax - ny \text{ is soluble.}
\end{aligned}$$
Thus solubility of $ax \equiv b \pmod{n}$ is equivalent to solubility of $ax - ny = b$.

Theorem 3.22. Let $A$, $B$ and $C$ be integers. The equation
$$Ax + By = C \tag{6}$$
is soluble in integers (in $x$ and $y$) if and only if $\mathrm{hcf}(A, B) \mid C$.

Proof. For simplicity we shall denote $\mathrm{hcf}(A, B)$ by $d$.
($\Rightarrow$) Suppose there exist $x$ and $y$ satisfying (6). By definition, $d \mid A$ and $d \mid B$, so $d \mid Ax + By = C$ as required.
($\Leftarrow$) Suppose that $d \mid C$, that is, there exists $z$ with $C = dz$. By the Euclidean Algorithm, there exist $x$ and $y$ with $d = Ax + By$, which means that $C = dz = (Ax + By)z = A(xz) + B(yz)$ and the pair $(xz, yz)$ provides a required solution to (6).

Combined with the previous argument, this gives the following.

Theorem 3.23. The equation $ax \equiv b \pmod{n}$ is soluble if and only if $\mathrm{hcf}(a, n) \mid b$.

Corollary 3.24. Let $p$ be a prime. The equation $ax \equiv b \pmod{p}$ is soluble if and only if either $p \nmid a$ or $p$ divides both $a$ and $b$.

Note 3.25. If $b = 1$ then Theorem 3.23 says that the elements that are invertible mod $n$ are precisely those that are coprime to $n$. In particular, if $p$ is prime, all of $1, 2, \ldots, p - 1$ are invertible mod $p$. Consequently, $\mathbb{Z}/p\mathbb{Z}$, which consists precisely of (equivalence classes of) these elements, is a field.

Theorem 3.23 provides an algorithm for solving linear congruences via the Euclidean Algorithm (although for small $n$ this may be overkill).

Note 3.26. As noted above, if $x$ is a solution to $ax \equiv b \pmod{n}$ then so is $x + nk$ for any integer $k$. In fact, if $\mathrm{hcf}(a, n) = 1$ then these are the only solutions. However, when this is not the case, there may be more than one incongruent solution mod $n$. For example, the equation $18x \equiv 30 \pmod{42}$ has solutions $x \equiv 4, 11, 18, 25, 32, 39 \pmod{42}$, which are precisely the distinct values of (the unique) solution to $3x \equiv 5 \pmod{7}$. Notice that $3 = 18/6$, $5 = 30/6$ and $7 = 42/6$. Too much for a coincidence?
Indeed, this is just an example of a more general rule: let $h = \mathrm{hcf}(a, n)$; then Theorem 3.23 ensures that $h \mid b$. Consequently, $a = ha'$, $b = hb'$ and $n = hn'$. But then
$$\begin{aligned}
ax \equiv b \pmod{n} &\Leftrightarrow ax - b = kn \text{ for some integer } k \\
&\Leftrightarrow ha'x - hb' = khn' \\
&\Leftrightarrow a'x - b' = kn' \\
&\Leftrightarrow a'x \equiv b' \pmod{n'},
\end{aligned}$$
the latter now being uniquely soluble as $\mathrm{hcf}(a', n') = \mathrm{hcf}(a, n)/h = 1$!

Example 3.27. Find a solution to $11x \equiv 3 \pmod{17}$. Note that $\mathrm{hcf}(11, 17) = 1$. Furthermore, by the Euclidean Algorithm,
$$\begin{aligned}
17 &= 11 \times 1 + 6 \\
11 &= 6 \times 1 + 5 \\
6 &= 5 \times 1 + 1 \\
5 &= 1 \times 5 + 0,
\end{aligned}$$
and so
$$\begin{aligned}
1 = \mathrm{hcf}(11, 17) &= 6 - 5 \\
&= 6 - (11 - 6 \times 1) = 6 \times 2 - 11 \times 1 \\
&= (17 - 11 \times 1) \times 2 - 11 \times 1 = 17 \times 2 - 11 \times 3,
\end{aligned}$$
and so
$$3 = 1 \times 3 = (17 \times 2 - 11 \times 3) \times 3 = 17 \times 6 - 11 \times 9 \equiv 11 \times (-9) \pmod{17},$$
and $-9$ is a solution, as is $-9 + 17k$ for any integer $k$, e.g. 8.

Suppose now that we want to solve several linear congruences simultaneously.

Theorem 3.28 (Chinese Remainder Theorem). Let $n_1, n_2, \ldots, n_r$ be mutually coprime, that is, $\mathrm{hcf}(n_i, n_j) = 1$ whenever $i \neq j$, and suppose we are also given integers $a_1, a_2, \ldots, a_r$. Then the simultaneous system of congruences
$$\begin{aligned}
x &\equiv a_1 \pmod{n_1} \\
x &\equiv a_2 \pmod{n_2} \\
&\ \ \vdots \\
x &\equiv a_r \pmod{n_r}
\end{aligned}$$
is soluble and, moreover, the solution is unique modulo $N = n_1 n_2 \cdots n_r$.

Proof. To show existence, we define, for each $i$,
$$N_i := \frac{N}{n_i} = \prod_{\substack{j = 1, \ldots, r \\ j \neq i}} n_j.$$
Then $(N_i, n_i) = 1$ and, by Theorem 3.23, there exists $x_i$ such that $N_i x_i \equiv 1 \pmod{n_i}$. Furthermore, if $j \neq i$ then $n_i \mid N_j$ and so $N_j \equiv 0 \pmod{n_i}$. Consequently, if we define
$$x = \sum_{j=1}^{r} a_j N_j x_j,$$
then, for each $i$, $x \equiv a_i N_i x_i \equiv a_i \pmod{n_i}$ as required. Since $N \equiv 0 \pmod{n_i}$ for each $i$, for every solution $x$ every $x + Nk$ is also a solution. Conversely, suppose that $y$ is another simultaneous solution, that is, for every $i$ we have $x \equiv a_i \pmod{n_i}$ and $y \equiv a_i \pmod{n_i}$. This implies that $x - y \equiv 0 \pmod{n_i}$, that is, $n_i \mid (x - y)$. However, the $n_i$ are mutually coprime, so Corollary 2.8 implies that $\prod_{i=1}^{r} n_i \mid (x - y)$, and so $x \equiv y \pmod{N}$ as required.
Example 3.29 (Sun Tsu, 5th(?) century AD). Find a number that leaves the remainders 2, 3 and 2 when divided by 3, 5 and 7 respectively.

Translating the question into the language of congruences, we are looking for $x$ such that
$$\begin{aligned}
x &\equiv 2 \pmod{3} \\
x &\equiv 3 \pmod{5} \\
x &\equiv 2 \pmod{7},
\end{aligned}$$
so that $n_1 = 3$, $n_2 = 5$, $n_3 = 7$ (mutually coprime) and $a_1 = 2$, $a_2 = 3$, $a_3 = 2$. Following the proof of the Chinese Remainder Theorem, we define $N = n_1 n_2 n_3 = 3 \times 5 \times 7 = 105$ and
$$N_1 = \frac{N}{n_1} = 5 \times 7 = 35; \qquad N_2 = \frac{N}{n_2} = 3 \times 7 = 21; \qquad N_3 = \frac{N}{n_3} = 3 \times 5 = 15.$$
So we now need to solve three equations, either by the Euclidean Algorithm or by trial and error:
(1) $35x \equiv 1 \pmod{3}$. This gives $x_1 = -1$.
(2) $21x \equiv 1 \pmod{5}$. This gives $x_2 = 1$.
(3) $15x \equiv 1 \pmod{7}$. This gives $x_3 = 1$.
Thus one solution is
$$\sum_{i=1}^{3} a_i N_i x_i = 2 \times 35 \times (-1) + 3 \times 21 \times 1 + 2 \times 15 \times 1 = 23,$$
and all solutions are given by the set $\{ 23 + 105k : k \text{ is an integer} \}$.

Example 3.30. Solve the following simultaneous system of equations:
$$\begin{aligned}
10x &\equiv 2 \pmod{26} \\
7x &\equiv 3 \pmod{20}.
\end{aligned}$$
We first need to solve the congruences separately to transform them into the form $x \equiv a_i \pmod{n_i}$. We have
(1) $10x \equiv 2 \pmod{26}$. This is equivalent to $5x \equiv 1 \pmod{13}$, which, in turn, has $x \equiv -5 \pmod{13}$ as a solution.
(2) $7x \equiv 3 \pmod{20}$. This gives $x \equiv 9 \pmod{20}$.
So, the initial system of equations is equivalent to
$$\begin{aligned}
x &\equiv -5 \pmod{13} \\
x &\equiv 9 \pmod{20},
\end{aligned}$$
and, with notation as above, we have $a_1 = -5$, $a_2 = 9$, $N = 13 \times 20 = 260$, $N_1 = 20$, $N_2 = 13$, and we need to solve
(1) $20x \equiv 1 \pmod{13}$. This gives $x_1 = 2$.
(2) $13x \equiv 1 \pmod{20}$. This gives $x_2 = -3$.
Thus the answer is
$$x \equiv -5 \times 20 \times 2 + 9 \times 13 \times (-3) = -551 \equiv -31 \pmod{260}.$$

Note 3.31. Suppose we are trying to solve the linear congruence $5x \equiv 4 \pmod{231}$. Note that $231 = 3 \times 7 \times 11$, and so the above is equivalent to simultaneously solving
$$\begin{aligned}
5x &\equiv 4 \pmod{3} \\
5x &\equiv 4 \pmod{7} \\
5x &\equiv 4 \pmod{11},
\end{aligned}$$
and we are now in the familiar situation of the previous example! The details of the remaining calculations are left as an exercise for the reader.
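The algorithm of Theorem 3.23 and Note 3.26 for a single linear congruence, and the constructive proof of Theorem 3.28, as an added example that is not code from the notes; it is checked on Examples 3.21, 3.27, 3.29 and 3.30 and on the system of Note 3.31. Function names are mine, and the modular inverse is Python's built-in `pow(a, -1, m)` (Python 3.8 or later) rather than a hand-written Euclidean routine.

```python
# Added example (not from the notes): a*x == b (mod n) by the reduction of
# Note 3.26 / Theorem 3.23, and the Chinese Remainder Theorem 3.28 built
# exactly as in its proof (x = sum a_i * N_i * x_i).
from math import gcd


def solve_linear_congruence(a, b, n):
    """All incongruent solutions of a*x == b (mod n), sorted, in 0..n-1.

    Theorem 3.23: soluble iff h = hcf(a, n) divides b.  Then divide through
    by h and solve a'x == b' (mod n') uniquely (Note 3.26), which yields the
    h solutions x0, x0 + n', ..., x0 + (h-1)n' modulo n.
    """
    h = gcd(a, n)
    if b % h != 0:
        return []                           # no solution at all
    a1, b1, n1 = a // h, b // h, n // h     # now hcf(a1, n1) = 1
    x0 = (b1 * pow(a1, -1, n1)) % n1        # pow(.., -1, m): modular inverse
    return [x0 + k * n1 for k in range(h)]


def chinese_remainder(residues, moduli):
    """The unique x mod N = n_1...n_r with x == a_i (mod n_i).  Following the
    proof of Theorem 3.28: N_i = N / n_i, x_i with N_i * x_i == 1 (mod n_i),
    x = sum a_i * N_i * x_i.  Returns (x mod N, N)."""
    if any(gcd(m1, m2) != 1 for i, m1 in enumerate(moduli)
           for m2 in moduli[i + 1:]):
        raise ValueError("moduli must be mutually coprime")
    N = 1
    for m in moduli:
        N *= m
    x = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = N // n_i
        x_i = pow(N_i, -1, n_i)             # exists since hcf(N_i, n_i) = 1
        x += a_i * N_i * x_i
    return x % N, N


def solve_system(congruences):
    """Solve a system of congruences given as (a, b, n) triples, the way
    Example 3.30 does it: reduce each to x == r (mod n / hcf(a, n)), then
    combine with the CRT.  The reduced moduli must be mutually coprime."""
    residues, moduli = [], []
    for a, b, n in congruences:
        sols = solve_linear_congruence(a, b, n)
        if not sols:
            raise ValueError(f"{a}x == {b} (mod {n}) has no solution")
        h = gcd(a, n)
        residues.append(sols[0])            # x == sols[0] (mod n // h)
        moduli.append(n // h)
    return chinese_remainder(residues, moduli)
```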
4 Modern Number Theory

Mathematicians are like Frenchmen: whatever you say to them they translate into their own language and forthwith it is something entirely different
Johann Wolfgang von Goethe

4.1 RSA encryption

RSA is a method of public key cryptography. Officially, the algorithm was invented in 1977 by Rivest, Shamir and Adleman (hence the name); however, essentially the same method had already been described by Clifford Cocks in 1973 in a classified paper. The system uses two keys: a public one, used for encryption, and a private one, used for decryption. The private key is chosen and used by the recipient only, which means that there is no need to transmit it to other people, which greatly increases the level of security.

To describe the algorithm, we need three characters:
• Alice, the sender of the message;
• Bob, the recipient of the message;
• (optional) Eve, a malicious eavesdropper.

The process of transmitting the message is as follows:
(i) Bob picks two distinct (large) primes $p$ and $q$ and calculates $n = pq$. He then chooses an integer $e$ satisfying $\mathrm{hcf}(e, (p - 1)(q - 1)) = 1$. The values of $e$ and $n$ are then announced publicly.
(ii) Alice picks a secret message she wants to send to Bob, the plaintext, and converts it into a numerical string $M$, called the ciphertext. The conversion is done using (for example) the following table:
A = 00, B = 01, C = 02, ..., Z = 25, "," = 26, "." = 27, "?" = 28, 0 = 29, 1 = 30, 2 = 31, ..., 9 = 38, "!" = 39.
(iii) Alice then encrypts the message by calculating $N := M^e \pmod{n}$, possibly splitting $M$ into smaller pieces first, if $M > n$. The value of $N$ is announced publicly.
(iv) To decrypt the message, Bob picks $d$ with the property $de \equiv 1 \pmod{(p - 1)(q - 1)}$ and calculates $N^d \pmod{n}$. Note that the string does indeed correspond to Alice's message: working mod $n$,
$$\begin{aligned}
N^d &\equiv (M^e)^d = M^{ed} \\
&= M^{1 + k(p - 1)(q - 1)} && \text{as } de \equiv 1 \pmod{(p - 1)(q - 1)} \\
&= M \times \left( M^{\phi(n)} \right)^k && \text{as } \phi(n) = \phi(pq) = (p - 1)(q - 1) \\
&\equiv M \times 1^k && \text{by Euler's Theorem} \\
&= M.
\end{aligned}$$

Example 4.1.
In this example we shall be following the above notation. Suppose that Alice wants to send the secret message “The answer is forty two” to Bob. She somehow signals to Bob that she is about to send him a message, and so he must generate a public key.

(i) Bob picks two large primes p = 43 and q = 71. In this case n = 3053 and (p − 1)(q − 1) = 2940, and so he needs to choose e with hcf(e, 2940) = 1, say e = 11. The pair (n = 3053, e = 11) is then announced publicly.

(ii) The plaintext Alice wants to send is “The answer is forty two”. She converts it into ciphertext using the conversion table in step (ii) above:

T = 19, H = 07, E = 04, A = 00, N = 13, S = 18, W = 22, E = 04, R = 17, I = 08, S = 18, F = 05, O = 14, R = 17, T = 19, Y = 24, T = 19, W = 22, O = 14,

so Alice’s message is M = 19070400131822041708180514171924192214.

(iii) Alice now needs to calculate $N := M^e \pmod n$, but she first needs to split M into blocks whose value is less than n = 3053. In our case blocks of length 4 (corresponding to two letters) will do, since we are only using letters and so the biggest possible value of a two-letter combination is 2525, corresponding to “zz”. So

M = 1907 | 0400 | 1318 | 2204 | 1708 | 1805 | 1417 | 1924 | 1922 | 14

(blocks 1 to 10), which gives, mod 3053,

$1907^{11} ≡ 2611$, $0400^{11} ≡ 1227$, $1318^{11} ≡ 2291$, $2204^{11} ≡ 2558$, $1708^{11} ≡ 2038$,
$1805^{11} ≡ 2020$, $1417^{11} ≡ 1134$, $1924^{11} ≡ 2516$, $1922^{11} ≡ 2987$, $14^{11} ≡ 440$.

Thus the public message Alice transmits to Bob is

N := 2611 1227 2291 2558 2038 2020 1134 2516 2987 440.

(iv) Bob now needs to pick d with the property 11d ≡ 1 (mod 2940), for which he can use our good old friend the Euclidean algorithm:

2940 = 11 × 267 + 3,
11 = 3 × 3 + 2,
3 = 2 × 1 + 1;

hcf(2940, 11) = 1 = 3 − 2 × 1 = 3 − (11 − 3 × 3) × 1 = 3 × 4 − 11 = (2940 − 11 × 267) × 4 − 11 = 2940 × 4 − 11 × 1069,

and so he can pick d = −1069 + 2940 = 1871.
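Before Bob's decryption is worked through by hand, here is the whole of Example 4.1 (key generation, blocks, encryption, decryption) as an added Python script; it is not part of the notes. `modpow` implements the binary-expansion method of Note 4.2, and `factors_from_phi` the observation there that knowing φ(n) hands over p and q, which is why φ(n) and d must be guarded as closely as the primes themselves. None of the names are from a real RSA library, and the toy primes are the notes' own; real RSA uses primes of hundreds of digits and a padding scheme.

```python
# Added example, not from the notes: Example 4.1 with p = 43, q = 71, e = 11.
# Real RSA needs large primes and padding; this only shows the arithmetic.
# Uses the notes' letter table (A = 00, ..., Z = 25) and 4-digit blocks.
from math import gcd, isqrt

LETTERS = {chr(ord("A") + i): f"{i:02d}" for i in range(26)}   # A = 00, ..., Z = 25
CODES = {code: letter for letter, code in LETTERS.items()}

def modpow(x, d, n):
    """x^d mod n via the binary expansion of d (Note 4.2): keep x_i = x^(2^i) mod n
    and multiply x_i into the result whenever bit a_i of d is 1."""
    result, x_i = 1, x % n
    while d:
        if d & 1:
            result = result * x_i % n
        x_i = x_i * x_i % n
        d >>= 1
    return result

def keygen(p, q, e):
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return p * q, e, pow(e, -1, phi)      # d with d*e ≡ 1 (mod phi); Python 3.8+

def to_blocks(text, width=4):
    """Letters -> digit string M -> blocks of `width` digits (the last may be shorter)."""
    digits = "".join(LETTERS[c] for c in text.upper() if c.isalpha())
    return [digits[i:i + width] for i in range(0, len(digits), width)]

def from_blocks(blocks):
    digits = "".join(blocks)
    return "".join(CODES[digits[i:i + 2]] for i in range(0, len(digits), 2))

def encrypt(blocks, n, e):
    return [modpow(int(b), e, n) for b in blocks]

def decrypt(cipher, n, d, widths):
    """Bob knows the block convention, so he restores leading zeros (0400, not 400)."""
    return [f"{modpow(c, d, n):0{w}d}" for c, w in zip(cipher, widths)]

def factors_from_phi(n, phi):
    """Note 4.2: phi(n) = (p-1)(q-1) gives p + q = n - phi + 1, so p and q are the
    roots of t^2 - (p+q) t + n; leaking phi(n) is as bad as leaking the primes."""
    s = n - phi + 1
    r = isqrt(s * s - 4 * n)
    return (s - r) // 2, (s + r) // 2
```

`encrypt(to_blocks("The answer is forty two"), 3053, 11)` yields the ten blocks 2611 ... 440 listed in step (iii), and `decrypt` with d = 1871 recovers the plaintext blocks.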
He now needs to calculate $N^d \pmod n$ with n = 3053:

$2611^{1871} ≡ 1907$, $1227^{1871} ≡ 400$, $2291^{1871} ≡ 1318$, $2558^{1871} ≡ 2204$, $2038^{1871} ≡ 1708$,
$2020^{1871} ≡ 1805$, $1134^{1871} ≡ 1417$, $2516^{1871} ≡ 1924$, $2987^{1871} ≡ 1922$, $440^{1871} ≡ 14$,

and so Alice’s ciphertext was 1907 400 1318 2204 1708 1805 1417 1924 1922 14, which can now be translated into the plaintext message “The answer is forty two” (or, rather, “TH EA NS WE RI SF OR TY TW O”) using the conversion table in step (ii) above.

Note 4.2.
• A bit of terminology: n is called the modulus, e is called the (encryption) exponent and d is known as the decryption exponent.
• In order to apply Euler’s theorem, we need to ensure that M, or each of its blocks, is coprime to n. This is very likely if p and q are very large, but it still needs to be checked.
• An efficient way of calculating $x^d \pmod n$ is via binary expansion: if $d = a_0 + a_1 × 2 + a_2 × 2^2 + ⋯ + a_k × 2^k$ with each $a_i ∈ \{0, 1\}$, then we can calculate recursively $x_0 := x$, $x_{i+1} := x_i^2 \pmod n$ (so that $x_i = x^{2^i} \pmod n$), in which case
$x^d = x_0^{a_0} × x_1^{a_1} × ⋯ × x_k^{a_k} \pmod n.$
• If Eve manages to discover the value of φ(n), then, also knowing n, she can easily calculate p and q and is thus able to decrypt any message. Otherwise, however, she needs to come up with an efficient prime factorisation algorithm. To make Eve’s life harder, p and q should be chosen far apart.
• In order to establish the security of the system, RSA Laboratories used to offer money for finding the prime factorisation of certain large (around 500 digits) numbers that were precisely of the form pq.
• The RSA algorithm can also be used for creating digital signatures to verify the identity of the sender.

4.2 Number Theory flavours

It is of course impossible to precisely partition the subject into a list of subtopics: there are many overlaps between the areas and, furthermore, many questions may be solved using techniques from different areas of mathematics (or physics!).
However, depending on the methods used and questions asked, number theory includes, although is not limited to, the following branches.

Elementary Number Theory. This is the area we have been looking at in this course. The term “elementary” reflects the fact that the results are self-contained and do not require techniques from other areas of mathematics. Examples of topics covered by this branch include divisibility and Euclid’s algorithm, arithmetic functions (such as Euler’s φ-function), linear congruences and quadratic residues. Many theorems and conjectures may be stated in elementary number-theoretic terms, even though the proof may require very complex techniques. Examples include Fermat’s Last Theorem, the Twin Prime Conjecture and many more.

Analytic Number Theory. This is an area that uses techniques from Calculus and (Complex) Analysis to tackle number-theoretic problems. Its classical result is

Theorem (Prime Number Theorem, Gauss). For any integer n we define π(n) to be the number of primes not exceeding n, that is, π(n) := #{p : p ≤ n and p is prime}. Then

$\lim_{n→∞} \frac{π(n)}{n/\ln n} = 1,$

or, equivalently,

$π(n) ∼ \frac{n}{\ln n}.$

In other words, the probability that a (randomly chosen and large) number n is prime is about 1/ln(n), and the gap between two consecutive primes near n is about ln(n).

Another analytic number theory result says that π and e are transcendental, that is, they are not roots of any non-zero polynomial with rational coefficients.

Algebraic Number Theory. Here we use abstract algebra settings in a number-theoretic environment, and instead of dealing with integers, we often look at bigger structures, for example the ring of Gaussian integers Z[i], in which every element has the form a + ib with a, b ∈ Z and i = √−1, or quadratic fields Q[√d], in which every element has the form a + b√d with a, b ∈ Q. We also extend the notions of 1, primality, divisibility, unique factorisation and so on.
It turns out that, with the correct terminology, many results we covered in this course hold in a much more general setting. Algebraic Number Theory provides various methods for solving Diophantine equations, such as the one in Fermat’s Last Theorem, whose proof, among other things, explored the relation between elliptic curves and modular forms. Elliptic curves are also used in cryptography and prime factorisation.

Combinatorial Number Theory. This area looks at the relation between number theory, combinatorics and other related areas. One of the most famous results in the area is

Theorem (Green–Tao, 2004). The sequence of prime numbers contains arbitrarily long arithmetic progressions.

Note that the proof is not constructive, so if we want to find an arithmetic progression of length k, we need to employ other methods.

4.3 Who wants to be a millionaire?

Here are a couple of problems you may want to look at in your spare time. They are all unsolved, and the proof of, or a counterexample to, most of them is associated with a prize of up to $1,000,000 (not to mention eternal mathematical fame!).

Conjecture. There are infinitely many Mersenne primes. (Recall: a prime is called Mersenne if it is of the form $2^n − 1$.)

Conjecture. Every Fermat number with n ≥ 5 is composite. (Recall: a number is called Fermat if it is of the form $2^{2^n} + 1$.)

Conjecture (Twin primes conjecture). There are infinitely many pairs of twin primes.

Conjecture (Goldbach conjecture). Every even integer greater than 2 can be expressed as a sum of two primes.

Conjecture (Riemann hypothesis). The zeroes of the Riemann zeta function, which is the analytic continuation of the function

$ζ(s) = \sum_{n=1}^{∞} \frac{1}{n^s},$

have the form either −2k with k a positive integer, or 1/2 + it with t real.

4.4 Further general info

There is of course much more to the subject, but the course is too short for us to be able to learn about everything, so you are encouraged to browse through the numerous books and web-pages to learn more.
In addition to the number-theory-specific list provided at the end of the course, here are a few more resources of general interest:
• G. H. Hardy, A Mathematician’s Apology: a classic, well-written essay describing the beauty and aesthetics of Mathematics. It can be really inspirational, though it is a bit outdated and depressing at times and should not be taken too seriously.
• Tim Gowers, Mathematics: A Very Short Introduction: another book on mathematics as a subject, with definitions of many commonly used mathematical concepts and discussions of commonly asked sociological questions.
• http://www.tricki.org/: a wiki-style website developed by Gowers, which is intended to be a repository of useful problem-solving techniques.
• http://www.theoremoftheday.org/: does what it says on the tin!