The University of Sydney
MATH2068/2988 Number Theory and Cryptography
(http://www.maths.usyd.edu.au/u/UG/IM/MATH2068/)
Semester 2, 2014
Lecturer: A.Fish

Tutorial 12

1. In this exercise we use residue arithmetic modulo the prime 941.

(i) As we shall see in the next part, if k is given then $k^{235}$ can be computed using 11 multiplications. Find another solution. (For example, try 2, 4, 8, 9, 10, 19, . . . , 141, 235.)

(ii) Using a calculator, check (at least part of) the following table of powers of 6 (reduced mod 941).

    i        2    4    8   16   32   64   72   73  146  219  235
    $6^i$   36  355  872   56  313  105  283  757  921  857    1

(For example, to find the residue of 1296 mod 941 using your calculator, divide 1296 by 941, subtract off the integer part, and multiply back by 941.)

(iii) Solve $x^2 \equiv 6 \pmod{941}$. [Hint: find an even n with $6^n \equiv 6$.]

Solution.

(i) There are 3389 solutions, one of which is to successively compute $k^i$ for the following sequence of values of i: 2, 4, 8, 9, 10, 19, 28, 47, 94, 141, 235.

No solution is provided, or (I hope) needed for Part (ii). However, you are hereby warned that such calculator calculations may be required in the exam.

(iii) From the table we see that $6^{470} = (6^{235})^2 = 1$; so 6 is a square mod 941. So a solution definitely exists. But – better still – the table shows us that 6 raised to an odd power (namely, 235) equals 1. So $6^{236} = 6$, and the square roots of 6 must be $\pm 6^{118}$. From the table we see that $6^{118} = 105 \times 313 \times 56 \times 355 \times 36$, and on calculating this we find that it is 299. So the square roots of 6 are 299 and −299 = 642.

2. We continue to work with residue arithmetic mod 941.

(i) Show that if r is a non-square mod 941 then $r^{235}$ has order 4 mod 941, while if r is a square then $r^{235}$ has order 1 or 2 mod 941.

(ii) Here is a table showing some powers of 3:

    i        2    4    8   16   32   64   72   73  146  219  235
    $3^i$    9   81  915  676  591  170  285  855  809   60   97

Assuming that the above table is correct, evaluate $3^{470}$ (reduced mod 941) without using your calculator. [Is 97 a square root of 1?]

(iii) Find all the solutions of $y^4 \equiv 1 \pmod{941}$.

(iv) The aim in this part is to solve $x^2 \equiv 228 \pmod{941}$. You are given that $228^{235} \equiv -1 \pmod{941}$.

(a) If x is a solution of $x^2 \equiv 228$, and $y \equiv 228^{117} x$, what is the residue of $y^2 \pmod{941}$? Use this to find both possible values for y.

(b) Given that the inverse of $228^{117}$ mod 941 is 289, find x.

(v) Given that $228^{117} \equiv 267$ mod 941, use the extended Euclidean algorithm to confirm that the inverse of $228^{117}$ mod 941 really is 289.

Solution.

(i) From lectures we know that if p is an odd prime then if r is a square mod p then $r^{\frac{1}{2}(p-1)} \equiv 1$, and if r is a nonsquare mod p then $r^{\frac{1}{2}(p-1)} \equiv -1$. The first of these facts follows immediately from Fermat's Little Theorem: if $r \equiv t^2$ then $r^{\frac{1}{2}(p-1)} \equiv (t^2)^{\frac{1}{2}(p-1)} \equiv t^{p-1} \equiv 1$. The other can be proved in several ways, all of which make use of the fact that $x^2 \equiv 1 \pmod{p}$ has exactly the two solutions $x \equiv \pm 1 \pmod{p}$. Since $1 \equiv r^{p-1} \equiv (r^{\frac{1}{2}(p-1)})^2$ we see that $r^{\frac{1}{2}(p-1)} \equiv \pm 1$ for all r.

One method of proof now is to use the theorem from lectures that a polynomial of degree d can have at most d roots mod p. So $x^{\frac{1}{2}(p-1)} - 1$ has at most $\frac{1}{2}(p-1)$ roots. But we have seen that all the squares are roots, and since there are $\frac{1}{2}(p-1)$ squares, these are the only roots. So the non-squares r do not satisfy $r^{\frac{1}{2}(p-1)} \equiv 1$, and must therefore satisfy $r^{\frac{1}{2}(p-1)} \equiv -1$.

Alternatively, let b be a primitive root, and note that $b^{\frac{1}{2}(p-1)} \not\equiv 1$ since b has order p − 1 (mod p). Hence $b^{\frac{1}{2}(p-1)} \equiv -1$. Now $(b^n)^{\frac{1}{2}(p-1)} = (b^{\frac{1}{2}(p-1)})^n \equiv (-1)^n$; so if $r \equiv b^n$ then $r^{\frac{1}{2}(p-1)}$ is 1 if n is even and −1 if n is odd. But we know that $b^n$ (reduced mod p) runs through all the nonzero residues as n runs from 0 to p − 2. So half the values of r satisfy $r^{\frac{1}{2}(p-1)} \equiv 1$ and half satisfy $r^{\frac{1}{2}(p-1)} \equiv -1$.
Applying these general results in the current situation, we know that if r is a nonsquare then $r^{470} = -1$ (in residue arithmetic mod 941). So if we put $s = r^{235}$ then $s^2 = -1$. This certainly implies that $s^4 = 1$ and s, $s^2$ and $s^3$ are all not equal to 1. So s has order 4. On the other hand if r is a square and we put $s = r^{235}$ then $s^2 = r^{470} = 1$, which means that s must have order 1 or 2. (Note that s has order 1 if and only if s = 1, while s has order 2 if and only if s = p − 1 = −1.)

(ii) Since $3^{235} \ne \pm 1$ we deduce that $3^{235}$ does not have order 1 or 2; so it must have order 4. Thus $3^{470} = (3^{235})^2$ must be −1 rather than 1. Of course −1 means 940 when we are working with residues mod 941.

(iii) By Part (ii) we know that $97 = 3^{235}$ is a solution of $y^2 = -1$, and hence also a solution of $y^4 = 1$. Clearly therefore −97 = 844 must be a solution also. And ±1 are two more obvious solutions. We know from lectures that $y^4 - 1$ can have at most 4 roots mod p; so the four we have found are the only ones.

(iv) If $y = 228^{117} x$ then $y^2 = 228^{234} x^2 = 228^{235}$, given that $x^2 = 228$. So using the given information, $y^2 = -1$. We have just seen that 1, 97, 844 and 940 are the only solutions of $y^4 = 1$, and so 97 and 844 are the only solutions of $y^2 = -1$.

We have that $x = 228^{-117} y = 97 \times 289$ or $844 \times 289$. On calculation we find that these two solutions are 744 and 197.

(v) The extended Euclidean algorithm is discussed in the notes for Week 1 and Week 2, and we did some examples in Tutorial 1. So this question is revision of something you really should know well!

    941   267   140   127    13    10     3     1     0
                  3     1     1     9     1     3     3
      0     1    −3     4    −7    67   −74   289
      1     0     1    −1     2   −19    21   −82

The last nonzero number in the top row is the gcd of the two numbers a and b that we started with. So gcd(941, 267) = 1, as it had to be since 941 is prime.
And if we let s be the last number in the third row and t the last number in the fourth row (so that s and t are in the same column as gcd(a, b)) then gcd(a, b) equals either at − bs (if the number of columns in the table is even) or bs − at (if it is odd). So here we have 267 × 289 − 941 × 82 = 1, and so $267 \times 289 \equiv 1 \pmod{941}$. This confirms that 289 is the inverse of 267.

3. Given that 5 is a primitive root mod 257, solve $5^i \equiv 2 \pmod{257}$ where $0 \le i < 256$.

[Hint: $5^i \equiv 2$ gives $5^{8i} \equiv 2^8 = 256 \equiv -1$. Use $5^{128} \equiv -1$ to deduce that $i = 32\ell + 16$ for some $\ell$. You are given that the inverse of $5^{16}$ is 8. Your task becomes to solve $5^{32\ell} \equiv 2 \times 8$. By raising both sides to the power 4, deduce that $\ell = 2m$ for some m, then show that m is odd. By now $i = 128k + 80$ for some k. Show that the inverse of $5^{80}$ is $8^5 \equiv -128$ and deduce that k is even. So i = 80.]

Solution.

Since 5 is a primitive root mod 257 (and 257 is prime) we know that there is an i in {0, 1, . . . , 255} such that $5^i = 2$ (using residue arithmetic mod 257). This gives $5^{8i} = (5^i)^8 = 2^8 = 256 = -1$. The fact that 5 is a primitive root guarantees that $5^{\frac{1}{2}(p-1)} = -1$; that is, $5^{128} = -1$. So $5^{128} = 5^{8i}$, whence $8i \equiv 128$ modulo 256 (since $\mathrm{ord}_{257}(5) = 256$). Dividing through by 8 gives $i \equiv 16 \pmod{32}$. So $i = 32\ell + 16$ for some $\ell$.

Putting $i = 32\ell + 16$ in the equation $5^i = 2$ gives $5^{32\ell}\, 5^{16} = 2$, and so

    $5^{32\ell} = 2 \times 5^{-16} = 2 \times 8 = 16$    (1)

since we are told that $5^{-16} = 8$. Raising both sides of (1) to the power 4 we find that $(5^{128})^\ell = (5^{32\ell})^4 = 16^4 = 256^2 = (-1)^2 = 1$, and since $5^{128} = -1$ we conclude that $\ell$ is even. So we may write $\ell = 2m$.

Combining $\ell = 2m$ with $i = 32\ell + 16$ gives $i = 64m + 16$, while Eq. (1) gives $5^{64m} = 16$. Squaring gives $(5^{128})^m = 16^2 = -1$, whence m is odd; say m = 2k + 1 for some k.

We now have i = 64m + 16 = 64(2k + 1) + 16 = 128k + 80, and so $5^i = 2$ becomes $5^{128k}\, 5^{80} = 2$. That is,

    $(-1)^k = (5^{128})^k = 2 \times 5^{-80}$.    (2)

Now we were told that $5^{-16} = 8$, and raising this to the power 5 gives $5^{-80} = 8^5$.
So now $5^{-80} = 8^5 = (2^3)^5 = 2^{15} = 2^8 \times 2^7 = 256 \times 128 = -128$, giving $2 \times 5^{-80} = -256 = 1$. So Eq. (2) says that $(-1)^k = 1$, whence k is even. Writing k = 2u gives i = 128k + 80 = 256u + 80, and since i ∈ {0, 1, . . . , 255} it follows that i = 80.
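The bit-by-bit argument of Question 3 works for any prime p with p − 1 a power of two, so the following added example (not part of the tutorial sheet) generalises it to recover one binary digit of i per step. The function name dlog_pow2 and the trace parameter are illustrative choices, and g is assumed to be a primitive root mod p.

```python
# Added example, not from the tutorial sheet: discrete log when p - 1 = 2**bits.

def dlog_pow2(g, h, p, trace=None):
    """Return i in [0, p - 1) with g**i == h (mod p).

    Assumes p is prime, p - 1 is a power of two and g is a primitive
    root mod p (g = 5, p = 257 in Question 3). If trace is a list, the
    pair (2**(j+1), i mod 2**(j+1)) is appended after each step.
    """
    n = p - 1
    if n & (n - 1):
        raise ValueError("p - 1 must be a power of two")
    bits = n.bit_length() - 1
    g_inv = pow(g, p - 2, p)           # inverse of g by Fermat's Little Theorem
    i = 0
    for j in range(bits):
        # h * g**(-i) = g**d, where d is a multiple of 2**j.
        rest = h * pow(g_inv, i, p) % p
        # g**(n/2) = -1, so this power is (-1)**(bit j of the true exponent).
        t = pow(rest, n >> (j + 1), p)
        if t == p - 1:
            i |= 1 << j
        elif t != 1:
            raise ValueError("h is not a power of g")
        if trace is not None:
            trace.append((1 << (j + 1), i))
    return i


if __name__ == "__main__":
    steps = []
    print(dlog_pow2(5, 2, 257, steps))
    print(steps)
```

The trace reproduces the intermediate congruences of the written solution: i ≡ 16 (mod 32), i ≡ 16 (mod 64), i ≡ 80 (mod 128) and finally i = 80.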
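Questions 1 and 2 together give a square-root method for any prime p ≡ 5 (mod 8), of which 941 is one instance; the added example below (not part of the tutorial sheet) implements both cases, using the extended Euclidean algorithm for the inverse as in Question 2(v). The function names are illustrative, and the caller is assumed to supply a known non-square such as 3 for p = 941.

```python
# Added example, not from the tutorial sheet; function names are illustrative.

def ext_gcd(a, b):
    """Return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inverse(a, p):
    """Inverse of a mod p via the extended Euclidean algorithm."""
    g, _, t = ext_gcd(p, a % p)
    if g != 1:
        raise ValueError("a is not invertible mod p")
    return t % p


def sqrt_mod(a, p, nonsquare):
    """Square roots of a modulo a prime p with p % 8 == 5 ([] if none).

    nonsquare must be a non-square mod p (3 works for p = 941).
    """
    if p % 8 != 5:
        raise ValueError("this method needs p = 5 (mod 8)")
    a %= p
    if a == 0:
        return [0]
    m = (p - 1) // 4                     # 235 for p = 941; m is odd
    e = pow(a, m, p)
    if e == 1:                           # a^(m+1) = a, so a^((m+1)/2) is a root
        x = pow(a, (m + 1) // 2, p)
    elif e == p - 1:                     # a^m = -1: need y with y^2 = -1
        y = pow(nonsquare, m, p)         # has order 4 for a genuine non-square
        if y * y % p != p - 1:
            raise ValueError("nonsquare is actually a square mod p")
        x = y * inverse(pow(a, (m - 1) // 2, p), p) % p   # x = a^(-(m-1)/2) y
    else:                                # a^m has order 4: a is a non-square
        return []
    return sorted((x, p - x))


if __name__ == "__main__":
    print(sqrt_mod(6, 941, 3), sqrt_mod(228, 941, 3), ext_gcd(941, 267))
```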