MA 311 NUMBER THEORY BUTLER UNIVERSITY FALL 2008

Transcription

1 MA 311 NUMBER THEORY BUTLER UNIVERSITY FALL 2008 SCOTT T. PARSELL 1. Introduction Number theory could be defined fairly concisely as the study of the natural numbers: 1, 2, 3, 4, 5, 6,.... We usually denote this set by N. The set of all integers (including 0 and the negatives) is denoted by Z. Is there anything about the natural numbers that s worth studying? It seems that we have a pretty good understanding of them once we ve learned to count! Perhaps surprisingly, this turns out to be a rich and fascinating field of study, bursting with unsolved problems. A good starting point for our investigations is to look at how the natural numbers factor. Primes. A prime number is a number greater than 1 that cannot be written as the product of two smaller natural numbers. The first few primes are 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,.... Integers exceeding 1 that are not prime are called composite. The primes are important because each natural number greater than 1 can be written as a product of primes, and this factorization is unique (up to the order of the factors). For example, 24 = and 105 = It is fairly easy to show that there are infinitely many prime numbers; we ll prove this in a later section. However, there remain many interesting unsolved (or partially solved) questions about the primes and how they are distributed. For example, How precisely can we estimate the number of primes less than x? (We know that x/ log x gives a good first approximation.) What about primes of the form 4n + 1, of the form 4n + 3, etc.? Are there infinitely many primes of the form n 2 + 1? How about of the form 2 n 1? Of the form 2 n + 1? Is there an efficient algorithm for finding a number s prime factorization or proving that a number is prime? (The difficulty of factoring efficiently is the basis of the security of RSA encryption.) Are there infinitely many pairs of twin primes, i.e., primes whose difference is two, such as 3 and 5)? If not, can anything be said about small gaps between primes asymptotically? (Goldbach s problem) Can every even integer exceeding 2 be written as the sum of two primes? Questions about the distribution of primes usually fall under the heading of analytic number theory because many of the techniques are based on real and complex analysis (i.e., mathematics related to calculus). 1

2 2 SCOTT T. PARSELL Divisibility and congruences. Along with the idea of factoring integers comes the notion of divisibility. We say that a divides b if there exists an integer k such that ak = b. For example, 4 divides 24 since 4 6 = 24, and 15 divides 105 since 15 7 = 105. Divisibility leads to the important idea of congruences. We say that a is congruent to b modulo n if n divides a b. In this case, we write a b (mod n). For example, 3 75 (mod 24) and 8 38 (mod 10). Arithmetic with congruences (sometimes called modular arithmetic) is useful for detecting certain types of periodic phenomena. For example, one could use arithmetic mod 24 to keep track of the hour of day (in military time) without regard to minutes, seconds, or day. One could use arithmetic mod 10 to keep track of the last digit of a positive number (or mod 100 to keep track of the last two digits). If n objects are arranged in a circle, then arithmetic mod n can be used to keep track of the positions of the objects as they are rearranged. We ll see some more interesting uses of congruences later on. For instance, they can be used to construct check-digit schemes to minimize errors in data entry. Facts about the computation of powers modulo n form the basis for constructing an RSA cryptosystem. Rings and fields. If one is doing arithmetic with congruences, say modulo 6, then effectively there are only 6 distinct numbers to work with, usually denoted by 0, 1, 2, 3, 4, and 5. Under this scheme, the number 0 actually stands for the set [0] 6 = {..., 24, 18, 12, 6, 0, 6, 12, 18, 24,... }. Similarly, 1 stands for [1] 6 = {..., 17, 11, 5, 1, 7, 13, 19,... }, and so on. However, it is convenient to pick one small integer (usually either the smallest positive integer or the one of smallest absolute value) to represent each congruence class. The integers themselves are an example of an abstract algebraic structure called a ring, which is basically a set equipped with addition and multiplication operations satisfying basic properties like associativity and the distributive law (we omit the precise definition of a ring here). The set of congruence classes {0, 1, 2, 3, 4, 5} can be viewed as a ring in its own right, sometimes denoted by Z/6Z or Z 6, with addition and multiplication defined modulo 6. For example, = 1 and 2 3 = 0 in the ring Z 6. One defect of rings is that multiplicative inverses do not exist in general. For example, 2 does not have a multiplicative inverse in Z, nor in Z 6. However, 2 does have a multiplicative inverse in Z 7, since 2 4 = 1 under mod 7 arithmetic. Special rings in which all nonzero elements have multiplicative inverses (such as the rational numbers, real numbers, and complex numbers) are called fields. It turns out that Z n = {0, 1, 2,..., n 1}, under arithmetic modulo n is a field if and only if n is prime. Our algebra with congruences will be influenced by these considerations. Just as the equation 2x = 1 can be solved over the rationals but not over the integers, the congruence 2x 1 (mod n) can be solved when n = 7 but not when n = 6 (in other words, the equation 2x = 1 has a solution over Z 7 but not over Z 6 ). One can construct further examples of rings by adjoining irrational or complex numbers to the set of integers. For example if i = 1, then the set Z[i] of all complex numbers of the form a + bi, where a and b are integers, forms a ring, known as the ring of Gaussian

3 MA 311 NUMBER THEORY FALL integers. One can ask whether such a ring has any number-theoretic properties in common with the integers, such as unique factorization. It turns out that this ring does have unique factorization, but not all the integer primes remain prime in Z[i]. For instance, 2 = (1 + i)(1 i), but 3 remains irreducible. The numbers 1 + i and 1 i are primes in Z[i], and the number 6 has the unique prime factorization 6 = (1 + i) (1 i) 3. If we let δ = 5, then we can construct the ring Z[δ], which is the set of all complex numbers of the form a + bδ, where a and b are integers. Something bizarre happens when we try to factor 6 in this ring. We obviously have 6 = 2 3 and 6 = (1 + δ)(1 δ), and one can show that 2, 3, 1 + δ, and 1 δ are all irreducible in the ring Z[δ]. Thus we have two different factorizations for 6, which means that unique factorization fails in this ring! The study of primes and factorization in rings such as Z[i] and Z[δ] forms the basis for much of algebraic number theory. Here one makes heavy use of general results from modern algebra, so we won t pursue this branch of the subject very deeply. Diophantine equations. One area of number theory that we hope to touch on later in the course overlaps with both analytic and algebraic number theory. A diophantine equation is simply an equation (usually a polynomial in two or more variables) for which we seek integer (or sometimes rational) solutions; a classic example is the equation x 2 + y 2 = z 2. This equation has many integer solutions, such as (3, 4, 5) and (5, 12, 13). In fact, it can be shown that there are infinitely many integer solutions, and all the solutions can be described by an explicit parametrization. These are the so-called Pythagorean triples, which correspond to the lengths of the sides in right triangles. Interestingly, things become dramatically different if we change the equation to x 3 + y 3 = z 3. Here the only integer solutions are the trivial ones with xyz = 0. In fact, Fermat s Last Theorem asserts that if k is any integer exceeding 2 then the diophantine equation x k + y k = z k has only trivial solutions. This seemingly innocent conjecture remained unproven for over 300 years until deep work of Wiles resolved it in As another example, consider the diophantine equation y 2 = x This is an example of an elliptic curve, which more generally has the form y 2 = f(x), where f is a cubic polynomial. It turns out that the rational points lying on such a curve have an additive group structure, and this can be used as the basis for an encryption scheme and also for an efficient factoring algorithm. Wiles also exploited connections with elliptic curves in his proof of Fermat s Last Theorem. All this work on diophantine equations in few variables uses primarily algebraic techniques, so the detailed study of these topics is best left for a more advanced course. A theorem of Lagrange states that every positive integer can be expressed as the sum of four perfect squares. In other words, the diophantine equation x x x x 2 4 = n can be solved for every positive integer n. For instance, when n = 31 we can take x 1 = 5, x 2 = 2, x 3 = 1, and x 4 = 1. A generalization of this question known as Waring s problem asks what happens with higher powers. For instance, how large does s have to be in order to represent all integers as sums of s perfect cubes? (The answer turns out to be 9.) What if we only need to represent all sufficiently large integers? Here we know that 7 cubes suffice,

4 4 SCOTT T. PARSELL but it s conjectured that 4 would be enough! The type of diophantine equation involved in Waring s problem typically has enough variables that it can be attacked by analytic methods, and this has been a very active area of research over the past 20 years. We ll discuss some of the underlying ideas later in the course. In Waring s problem, one could also ask what happens if the variables are restricted to be primes. For example, the Goldbach problem mentioned earlier amounts to solving the equation p 1 +p 2 = n in primes p 1 and p 2 for every even n > 2. The general Waring-Goldbach problem considers the solubility of the diophantine equation p k p k s = n in primes p 1,..., p s for every n for which the underlying congruences are feasible. A variation known as a diophantine inequality arises when attempting to approximate irrational numbers by rational numbers. For instance, if we want to find a rational number close to 2, then we are looking for integer solutions to the inequality x/y 2 < ε, where ε is a small positive number. Dirichlet s theorem on diophantine approximation actually tells us that we can solve this inequality with ε replaced by an explicit function of the denominator, namely 1/y 2. Thus we can solve the diophantine inequality x 2y < 1/y. More general inequalities (for example, involving sums of kth powers) are a subject of current research interest. Where do we begin? We ve only scratched the surface of number theory by mentioning some of the important ideas and some of the interesting unsolved problems. In the next section, we ll start laying the foundations for our study by developing some actual machinery on divisibility, primes, and congruences. This will lead us to our first main goal, which is to understand RSA cryptography. Following that, we hope to touch on some of the more advanced topics mentioned above, such as the distribution of primes, the algebraic structure of Z n, Waring s problem, and diophantine approximation. 2. Divisibility Recall that if a, b Z, we say that a divides b (and write a b) if there exists k Z such that b = ak. For example, 2 divides 6, but 4 does not divide 6. When a divides b, we say that b is a multiple of a and that b is divisible by a. Two easy properties of divisibility that we ll find useful are given in the following lemma. Lemma 2.1. Let a, b, and c be integers. (a) If a b and b c, then a c. (b) If a b and a c, then a (bs + ct) for all integers s and t. Proof. If a b and b c, then we can write b = ak and c = bl for some integers k and l. We then have c = a(kl), which shows that a c. Similarly, if a b and a c, then we can write b = ak and c = al for some integers k and l. If s and t are arbitrary integers, we have bs + ct = aks + alt = a(ks + lt), which shows that a (bs + ct). The following divisibility exercise gives us a chance to review proof by mathematical induction. Example 2.2. Prove that n 5 n is divisible by 5 for every positive integer n.

5 MA 311 NUMBER THEORY FALL Solution. We proceed by induction on n. First of all, we have = 0, which is clearly divisible by 5, since 0 = 5 0. This establishes the base case. Now suppose that n 1 is an integer and that n 5 n is divisible by 5. Then by the binomial theorem one has (n + 1) 5 (n + 1) = n 5 + 5n n n 2 + 5n + 1 n 1 = (n 5 n) + 5(n 4 + 2n 3 + 2n 2 + n). Here the first term on the right is divisible by 5 according to the induction hypothesis, and the second term is clearly divisible by 5 since n 4 + 2n 3 + 2n 2 + n is an integer. We therefore deduce from part (b) of Lemma 2.1 that (n + 1) 5 (n + 1) is divisible by 5, and the result now follows by induction. In the future, we will not always be quite so pedantic in writing, but the above solution serves as a good model for constructing proofs of this type. In general, to prove that a statement P (n) holds for all positive integers n, one must first establish P (1) and then prove the implication P (n) = P (n + 1). This principle is one of the fundamental axioms about the integers. It is equivalent to the well-ordering principle, which states that every non-empty subset of the positive integers has a smallest element. Greatest common divisors. The greatest common divisor of a and b is the largest positive integer that divides both a and b. It is denoted by gcd(a, b), or sometimes just (a, b) when there is no danger of confusion with an ordered pair. For example, gcd(4, 6) = 2, gcd(12, 51) = 3, and gcd(9, 16) = 1. If gcd(a, b) = 1, then we say that a and b are relatively prime (or coprime). We note that gcd(a, 0) = a for every non-zero integer a and that gcd(0, 0) is undefined. The least common multiple of a and b is the smallest positive integer that is a multiple of both a and b. It is denoted by lcm(a, b) or [a, b]. For example, lcm(4, 6) = 12. It is fairly easy to see that gcd(a, b)lcm(a, b) = ab. When a and b are small, one can compute gcd(a, b) fairly easily by looking at the prime factorizations of a and b and picking out the parts in common. For instance, 24 = and 180 = , so gcd(24, 180) = = 12. However, since factoring is expensive computationally, this is not an efficient method when a and b are large. A better method is based on the division with remainder algorithm learned in grade school. Theorem 2.3. (Division with remainder) For any integers a and b with b > 0, there exist unique integers q and r such that a = qb + r and 0 r < b. Proof. We first prove the existence of q and r. Consider the list of integers... a 3b, a 2b, a b, a, a + b, a + 2b, a + 3b,.... Since b > 0, we can select one with the smallest non-negative value, say r = a qb. If r b, then we find that r b = a qb b = a (q + 1)b is a non-negative number on our list with a smaller value than r, which contradicts our choice of q. Thus we have 0 r < b and a = qb + r. To check uniqueness, suppose there are integers q 1, q 2, r 1, and r 2 with a = q 1 b + r 1 = q 2 b + r 2 and 0 r 1, r 2 < q.

6 6 SCOTT T. PARSELL Then we have b(q 1 q 2 ) = r 2 r 1, and we may suppose without loss of generality that r 1 r 2. Then 0 r 2 r 1 < b r 1 b, and hence 0 b(q 1 q 2 ) < b, which implies that q 1 q 2 = 0. Thus q 1 = q 2, and it follows that r 1 = r 2. For example, if a = 48 and b = 9, then we can write 48 = , so we can take q = 5 and r = 3 in Theorem 2.3. We call q the quotient and r the remainder. Notice that r = 0 if and only if b divides a. Theorem 2.4. Let a and b be nonzero integers. Then gcd(a, b) is the smallest positive integral linear combination of a and b. That is, gcd(a, b) is the smallest positive value of as + bt, where s and t are integers. Proof. By taking s = a and t = b, we see that positive integral linear combinations exist, so we can let g denote the smallest such value. Write g = as 0 + bt 0. By Theorem 2.3, we can write a = qg + r = q(as 0 + bt 0 ) + r, where 0 r < g. Solving for r, we get r = a(1 qs 0 ) + b( qt 0 ), so r is an integral linear combination of a and b, and since r < g, the minimality of g implies that r = 0. Thus we see that g divides a, and we can apply a similar argument to deduce that g divides b. Thus g is a common divisor of a and b. Moreover, if d is any common divisor of a and b, then d divides both as 0 and bt 0, so d divides g. Thus we conclude that g = gcd(a, b). Corollary 2.5. The integers a and b are relatively prime if and only if there exist integers s and t such that as + bt = 1. Proof. If gcd(a, b) = 1, then it follows from Theorem 2.4 that as + bt = 1 for some integers s and t. Conversely, suppose that 1 can be expressed as a linear combination of a and b. Since Theorem 2.4 ensures that gcd(a, b) is the smallest positive integer with this property, we may conclude that gcd(a, b) = 1. For example, we have 9 ( 7) = 1, which shows that gcd(9, 16) = 1. An efficient algorithm for computing gcd(a, b) is based on the following simple result. Lemma 2.6. If a = qb + r, then gcd(a, b) = gcd(b, r). Proof. If d divides both a and b, then d clearly divides r = a qb, so d is a common divisor of b and r. Conversely, if d divides both b and r, then d clearly divides a = qb + r, so d is a common divisor of a and b. Therefore the set of common divisors of a and b is identical to the set of common divisors of b and r, so the greatest common divisors must be equal. The Euclidean Algorithm. We can compute the greatest common divisor very efficiently by successively applying Theorem 2.3 and Lemma 2.6. The gcd is the last non-zero

7 MA 311 NUMBER THEORY FALL remainder in this process. That is, to compute gcd(a, b), we write so that gcd(a, b) = r j. a = bq 1 + r 1 (0 < r 1 < b) b = r 1 q 2 + r 2 (0 < r 2 < r 1 ) r 1 = r 2 q 3 + r 3 (0 < r 3 < r 2 )... r j 2 = r j 1 q j + r j (0 < r j < r j 1 ) r j 1 = r j q j+1, Example 2.7. Use the Euclidean algorithm to compute d = gcd(630, 132), and find integers s and t such that d = 630s + 132t. Solution. We have 630 = = = = = 6 2, so the algorithm terminates with j = 4, and we have gcd(630, 132) = r 4 = 6. We can now work backwards through these equations to find the required integers s and t. We have so we can take s = 9 and t = = = 30 ( ) 2 = = ( ) = = ( ) 9 = , There is another way to organize the computations in the Euclidean algorithm that produces gcd(a, b) and the integers s and t simultaneously. The idea is to set up an augmented matrix consisting of a 2 2 identity matrix, followed by a and b in the third column. One then subtracts one a multiple of one row from the other until the entries in the third column divide one another. The multiples we use are exactly the quotients q 1, q 2,..., q j. Thus Example 2.7 could be handled as follows: [ ] [ ] [ ] [ ] [ ]

8 8 SCOTT T. PARSELL Every row [x y z] of every matrix in this computation has the property that 630x + 132y = z, because this is satisfied by the initial matrix and is preserved by the row operations. Therefore, the required integers s and t appear to the left of gcd(a, b) in the final matrix. In the worst case, the Euclidean algorithm takes on the order of log n steps to compute gcd(a, b), where n = max( a, b ). The function log n grows very slowly as n, so the algorithm runs very quickly on a computer. Primes. Recall that an integer n > 1 is said to be prime if its only positive factors are 1 and n. One can generate all the primes up to N using the Sieve of Eratosthenes to successively strike out all the proper multiples of 2, 3, 5, etc. If an integer less than N is not prime, then it has a prime divisor less than N, so one can terminate this process at N. The integers that remain uncrossed are the primes up to N. Lemma 2.8. (Euclid s Lemma) Let a and b be integers, and let p be a prime. If p ab, then p a or p b. Proof. Suppose that p divides ab but that p does not divide a. Since p is prime, we must have gcd(a, p) = 1, so by Theorem 2.4 there exist integers s and t such that as + pt = 1. Multiplying through by b, we obtain abs + pbt = b. Since p ab and p p, we deduce from part (b) of Lemma 2.1 that p b. Note that Lemma 2.8 fails if p is not prime. For example, 6 12 = 3 4, but 6 does not divide 3 or 4. One can easily show by induction that Lemma 2.8 can be extended to products of more than two integers. That is, if p is a prime dividing the product a 1 a m, then p must divide at least one of the a i. As a simple application of Euclid s Lemma, we perform the following entertaining exercise. Example 2.9. Prove that 2 is irrational. Solution. We proceed by contradiction. If 2 were rational, then we could write 2 = a/b for some positive integers a and b with (a, b) = 1. After squaring both sides and clearing denominators, we find that 2b 2 = a 2, and hence in particular that 2 a 2. Since 2 is prime, it now follows from Euclid s Lemma that 2 a, so we can write a = 2c for some integer c. Substituting this into our previous equation yields 2b 2 = 4c 2, or b 2 = 2c 2. Thus 2 b 2 and hence by Euclid s Lemma we have 2 b. We have now deduced that both a and b are divisible by 2, contradicting our original assumption that (a, b) = 1. This contradiction forces us to conclude that 2 is in fact irrational. Note that there is little difficulty in generalizing the argument to handle p, where p is any prime. In fact it is not hard to see that n is irrational if and only if n fails to be a perfect square, but this requires information about factoring composite integers. The following result is the most important application of Euclid s Lemma and, as its name suggests, is fundamental to our study of number theory. Theorem (Fundamental Theorem of Arithmetic) Every integer n > 1 can be written as a product of prime factors, and this factorization is unique up to the order of the factors.

9 MA 311 NUMBER THEORY FALL Proof. The existence of factorizations follows easily by induction on the size of the integer n. For the base case, it suffices to note that n = 2 is prime. Now suppose that n 2 and that every integer k with 2 k n 1 has a factorization into primes. If n is prime, then we are done. Otherwise, we may write n = ab where 2 a, b n 1, and the induction hypothesis shows that a and b both have factorizations, which combine to produce a factorization of n. To prove uniqueness, we induct on the number of factors. Suppose that n = p 1 p r = q 1 q s, where the p i and q i are primes, and we may assume without loss of generality that r s. If r = 1, then clearly s = 1, so p 1 = q 1. Now let r > 1, and suppose that unique factorization holds for all integers with fewer than r prime factors. Since p 1 q 1 q s, we have p 1 q i (and hence p 1 = q i ) for some i by an easy extension of Euclid s Lemma. By relabeling, we may suppose that i = 1, and hence we may divide through by p 1 to get p 2 p r = q 2 q s. The induction hypothesis now implies that r = s and that p 2,..., p r is a permutation of q 2,..., q s, and the uniqueness follows. In rings where unique factorization fails, like Z[ 5], the problem is that the notions of irreducible and prime do not correspond. The property in Lemma 2.8 is used as the definition of prime, but there are irreducible elements that don t satisfy this property. For example, 2 is irreducible in Z[ 5], but it is not prime in this ring because 2 divides 6 = (1 + 5)(1 5), but 2 does not divide or 1 5 Theorem There are infinitely many primes. Proof. Assume to the contrary that there are only finitely many primes, say p 1, p 2,..., p n, and let N = p 1 p 2 p n + 1. We know from Theorem 2.10 that N has at least one prime factor, say q. We cannot have q = p i for some i because this would imply that q divides 1 = N p 1 p 2 p n. This is a contradiction, so we conclude that there must be infinitely many primes. This theorem was first proved by Euclid, and we ve given his original proof. Many other proofs have been discovered since Euclid s time. A more general theorem of Dirichlet states that there are infinitely many primes of the form p = qn + a whenever q and a are relatively prime. For example, there are infinitely many primes of the form p = 4n + 1 and also of the form p = 4n + 3. A weak version of the prime number theorem states that if π(x) denotes the number of primes up to x, then π(x) x/ log x asymptotically, in the sense that lim x π(x) x/ log x = 1. One could interpret this by saying that the probability that the integer x is prime is roughly 1/ log x. Throughout these notes log x denotes the natural (base e) logarithm. Theorem There are arbitrarily large gaps between consecutive primes.

10 10 SCOTT T. PARSELL Proof. Given an integer n > 1, we ll construct a list of n consecutive composite numbers. If we let a = (n + 1)! + 2, then the n numbers a, a + 1, a + 2,..., a + n 1 are all composite, since k + 2 divides a + k = (n + 1)! + (k + 2) for k = 0, 1, 2..., n 1. At the other extreme, the Twin Primes Conjecture states that there are infinitely pairs of primes whose difference is 2, for instance (3, 5), (5, 7), (11, 13), (17, 19), (29, 31), (41, 43),.... Those familiar with analysis may wish to observe that if p n denotes the nth prime then Theorem 2.12 is equivalent to the statement that lim sup(p n+1 p n ) =, while the Twin Primes Conjecture asserts that lim inf(p n+1 p n ) = 2. In spite of some recent breakthroughs in this area, we do not even know for sure that lim inf(p n+1 p n ) <. This indicates that we re not very close to a proof of the Twin Primes Conjecture! Perfect numbers and Mersenne primes. A positive integer is said to be perfect if it is the sum of its proper positive divisors (that is, not including the number itself). For example, 6 = and 28 = are perfect. The first few perfect numbers are 6, 28, 496, 8128, It is believed that there are infinitely many perfect numbers, but this is not known. Another open problem is to determine whether there are any odd perfect numbers (it s believed that the answer is no). Theorem A positive even integer m is perfect if and only if we can write m = 2 n 1 (2 n 1), where 2 n 1 is prime. Proof. First suppose that p = 2 n 1 is prime. We need to show that m = 2 n 1 p is perfect. The proper positive divisors of m are so their sum is 1, 2, 4, 8,..., 2 n 1, p, 2p, 4p, 8p,..., 2 n 2 p, 2 n 1 + p(2 n 1 1) = p + (2 n 1 1)p = 2 n 1 p = m. This shows that m is perfect. Conversely, suppose that m is an even perfect number. We need to show that there is an integer n such that m = 2 n 1 (2 n 1) and 2 n 1 is prime. Since m is even, we can write m = 2 a t, where a 1 and t is odd. Let S denote the sum of all the positive divisors of t (i.e., the sum of the odd positive divisors of m). Since m is perfect, we know that the sum of all the positive divisors of m is equal to 2m, so we have have 2m = S + 2S + 4S + 8S a S = (2 a+1 1)S, and thus S = 2m 2 a+1 1 = 2a+1 t 2 a+1 1 = (2a+1 1)t + t 2 a+1 1 = t + t 2 a+1 1.

11 MA 311 NUMBER THEORY FALL Since S and t are integers, we see that u = t/(2 a+1 1) is an integer, and u < t since a 1. Thus u and t are two distinct divisors of t. It follows that they are the only positive divisors of t, whence t is prime and u = 1. Thus we have t = 2 a+1 1, so on setting n = a + 1 we get where 2 n 1 is prime. m = 2 n 1 t = 2 n 1 (2 n 1), Primes of the form 2 n 1 are called Mersenne primes. As a result of Theorem 2.13, finding even perfect numbers is equivalent to finding Mersenne primes. Notice that 6 = 2 1 (2 2 1), 28 = 2 2 (2 3 1), 496 = 2 4 (2 5 1), 8128 = 2 6 (2 7 1), and = 2 12 (2 13 1). The following theorem restricts the possibilities somewhat. Theorem If 2 n 1 is prime, then n is prime. Proof. We prove the contrapositive. Suppose that n is composite. Then we can write n = ab for some integers a and b with 1 < a, b < n. Then we have 2 n 1 = 2 ab 1 = (2 a ) b 1 = (2 a 1)(1 + 2 a + 2 2a (b 1)a ). Here we have used the factorization x b 1 = (x 1)(1 + x + x x b 1 ) with x = 2 a. Since 1 < a < n, we have 1 < 2 a 1 < 2 n 1, and hence we conclude that 2 n 1 is composite. The converse of Theorem 2.14 is false. That is, there exist primes p for which 2 p 1 is not prime. The smallest example is = 2047 = There are 46 known Mersenne primes, the largest of which is 2 43,112, This was discovered in August 2008 and has 12,978,189 digits. The largest known perfect number is therefore 2 43,112,608 (2 43,112,609 1). This world-record prime was actually the 45th Mersenne prime to be discovered. The 46th one was found about two weeks later but has only 11,185,272 digits. To join the Great Internet Mersenne Prime Search (GIMPS), go to 3. Congruences Let n be a positive integer, and let a and b be arbitrary integers. We say that a and b are congruent modulo n if n divides a b. In this case, we write a b (mod n). For example, we have 37 2 (mod 5), 37 3 (mod 5), and 24 0 (mod 6). Notice that a 0 (mod n) if and only if n a and that a b (mod n) if and only if we can write a = b + kn for some integer k. Lemma 3.1. If a c (mod n) and b d (mod n), then a + b c + d (mod n) and ab cd (mod n). Proof. Suppose that a c (mod n) and b d (mod n). Then there exist integers k and l such that a = c + kn and b = d + ln. We then have a + b = c + d + (k + l)n and ab = cd + (kd + lc + kln)n, which shows that a + b c + d (mod n) and ab cd (mod n). This lemma allows us to manipulate congruences algebraically as we do with equations.

12 12 SCOTT T. PARSELL Example 3.2. For what integers x does the congruence 4x (mod 7) hold? Solution. Subtracting 1 from both sides shows that the congruence is equivalent to 4x 2 (mod 7). Multiplying both sides by 2 now gives 8x 4 (mod 7), which is the same as x 4 (mod 7), since 8 1 (mod 7). Hence the congruence is satisfied by all integers x of the form x = 4 + 7k, where k is an integer. Lemma 3.3. (Cancellation) If ab ac (mod n) and (a, n) = 1, then b c (mod n). Proof. Suppose that ab ac (mod n) and (a, n) = 1. Then n divides ab ac = a(b c). Since (a, n) = 1, it follows by imitating the proof of Euclid s Lemma that n divides b c (exercise). Thus we have b c (mod n). Note that Lemma 3.3 may fail without the assumption that (a, n) = 1. For instance, we have (mod 6), but 5 14 (mod 6). Example 3.4. For what values of x does the congruence 4x (mod 7) hold? Solution. Here the congruence is equivalent to 4x 4 (mod 7), and since (4, 7) = 1 we may apply Lemma 3.3 to conclude that x 1 (mod 7). Hence the congruence holds for all integers x of the form x = 1 + 7k, where k is an integer. Residue Classes. It is easy to see that congruence modulo n defines an equivalence relation on the set of integers and therefore partitions the integers into equivalence classes. Our solutions to Examples 3.2 and 3.4 indicate how these are defined. In Example 3.4, for instance, the solution was the set of all integers congruent to 1 modulo 7, that is, all integers x that can be expressed in the form x = 1 + 7k for some integer k. We call this set the residue class of 1 modulo 7. It is sometimes denoted by [1] or [1] 7. Thus [1] 7 = {..., 20, 13, 6, 1, 8, 15, 22,... }. Similarly, the solution of Example 3.2 is the set of all integers in the residue class [4] 7 = {..., 17, 10, 3, 4, 11, 18,... }. In general, we let [a] or [a] n denote the residue class of a modulo n, which is defined to be the set of all integers of the form a + kn, where k Z. It is often convenient to view each residue class as a single element in a number system. Therefore, we let Z n denote the set of residue classes modulo n. Technically, we have Z n = {[0] n, [1] n, [2] n,..., [n 1] n }, but Lemma 3.1 allows us to work with any set of representatives, such as {0, 1, 2,..., n 1}, when doing computations. Thus we often dispense with the brackets and just think of Z n as the set {0, 1, 2,..., n 1} under mod n arithmetic. With this viewpoint, we could say that the congruence in Example 3.4 has the unique solution x = 1 in Z 7. Addition and multiplication in Z 7 can be represented by the following tables:

13 MA 311 NUMBER THEORY FALL A set such as {0, 1, 2,..., n 1} that contains exactly one representative of each equivalence class is called a complete residue system modulo n. Complete residue systems are not unique; for instance {0, 1, 2, 3, 4, 5, 6} and { 3, 2, 1, 0, 1, 2, 3} are equally valid complete residue systems modulo 7, and either one could be used to represent Z 7. Solving Linear Congruences. We want to develop a systematic procedure for finding the solutions of a congruence of the shape ax b (mod n). The following lemma is an important starting point. Lemma 3.5. (Multiplicative Inverses) If (a, n) = 1, then there is an integer c such that ca 1 (mod n). Moreover, the residue class of c modulo n is unique. Proof. Since (a, n) = 1, we know from Corollary 2.5 that there exist integers s and t with as + nt = 1. We then have as = 1 nt, which shows that as 1 (mod n), so we can take c = s. Now suppose that c is any other integer with c a 1 (mod n). Then and the uniqueness claim follows. c c (ca) (c a)c c (mod n), If ca 1 (mod n), then we say that c is the inverse of a modulo n, and we sometimes write c = a 1 or c = a 1 mod n. Lemma 3.5 shows that when (a, n) = 1, the congruence ax b (mod n) has a unique solution in Z n, given by x = a 1 b. In view of Corollary 2.5, it is easy to see that Lemma 3.5 can be strengthened to an if and only if statement. That is, a has a multiplicative inverse modulo n if and only if (a, n) = 1. In order to find a 1 when (a, n) = 1, we apply the Euclidean algorithm to find integers s and t with as + nt = 1. We then have as 1 (mod n), so s a 1 (mod n). For small values of n, we can often find inverses by inspection without resorting to the Euclidean algorithm. Example 3.6. Solve the congruence 4x 3 (mod 9). Solution. Since (4, 9) = 1 we know that 4 has a multiplicative inverse modulo 9, and we find by inspection that 4 1 = 7 in Z 9 since 4 7 = 28 1 (mod 9). Multiplying through by 7 now gives x 21 3 (mod 9), and hence x = 3 is the unique solution in Z 9. Example 3.7. Solve the congruence 91x 5 (mod 64). Solution. We can start by observing that (mod 64), so the congruence is equivalent to 27x 5 (mod 64). Since (27, 64) = 1, we can again find a unique solution modulo 64 by

14 14 SCOTT T. PARSELL multiplying through 27 1, but finding the inverse by inspection is not quite as easy as it was in Example 3.6. Thus we apply the Euclidean algorithm: [ ] [ ] [ ] [ ] [ ] This shows that 64 ( 8) = 1 and hence that (mod 64). Hence we have 27 1 = 19 in Z 64. Thus x is the unique solution modulo 64. What, if anything, can we say about the solutions to the congruence ax b (mod n) when (a, n) > 1? The following theorem provides the answer. Theorem 3.8. Write d = (a, n). The congruence ax b (mod n) has a solution if and only if d divides b. In this case, there are exactly d solutions modulo n, spaced n/d apart. Proof. If x is a solution to the congruence, then we have ax = b + kn for some integer k, and thus b = ax kn. Since d a and d n, we must have d b by Lemma 2.1. Therefore the congruence has no solution if d does not divide b. Now suppose that d b. Then since ax b = kn if and only if ax b = k n, we see that the d d d congruence is equivalent to a d x b (mod n d d ). Since (a/d, n/d) = 1, Lemma 3.5 shows that there is a unique solution x 0 modulo n/d and hence d distinct solutions modulo n, given by x = x 0 + m(n/d) for 0 m d 1. Example 3.9. Describe the solutions of the congruence 6x 5 (mod 9). Solution. We have (6, 9) = 3, which fails to divide 5, so Theorem 3.8 tells us that there is no solution. Example Describe the solutions of the congruence 24x 9 (mod 33). Solution. We have (24, 33) = 3, which divides 9, so the proof of Theorem 3.8 shows that the congruence is equivalent to 8x 3 (mod 11). Since 8 1 = 7 in Z 11, we find that x = 10 is the unique solution modulo 11. It follows that there are exactly 3 solutions modulo 33, represented by the residue classes x = 10, x = 21, and x = 32. Applications to check digit schemes. Congruences can be used to construct a method for reducing errors in data entry. Suppose we have a list of 9-digit identification numbers of the form x 1 x 2... x 9 to enter into a computer. We can add a 10th digit x 10 satisfying the congruence x 10 x x 9 (mod 10); that is, x 10 is the sum of the previous 9 digits modulo 10. We can now enter our ID numbers in the form x 1 x 2... x 10 and program our computer to reject our entry if the above congruence is not satisfied. For example, the number would be entered as The number x 10 (in this case 5) is called a check digit. This scheme will catch any errors in which only a single digit is mistyped; for instance, the erroneous entry for the ID number above would be rejected. Many other errors will be caught as well, and this

15 MA 311 NUMBER THEORY FALL scheme can be applied to data strings of any length. One notable disadvantage is that it does not detect errors in which two digits are interchanged; for example, the entry would be accepted by our computer as a valid ID even though it may have resulted from mistyping 54 as 45. In order to detect errors resulting from interchanging digits, one can employ a more sophisticated scheme. We illustrate by examining the International Standard Book Number (ISBN) system. These numbers are 10 digits long and come in 4 blocks; for instance, the ISBN for Niven, Zuckerman, and Montgomery, Introduction to the Theory of Numbers, 5th edition, is The first digit indicates the country of publication, the second block encodes the publisher (Wiley), the third block identifies the title and edition, and the fourth block is a check digit. If the first nine digits are x 1,..., x 9, then the check digit x 10 is determined by the congruence 9 x 10 ix i x 1 + 2x 2 + 3x x 9 (mod 11). i=1 Thus in the above case, we would compute x (mod 11). We find x 10 by reducing the above expression modulo 11 to obtain one of the standard representatives 0, 1, 2..., 9, 10. (In the event that x 10 = 10, the ISBN uses X instead.) It turns out that this scheme protects both against mistyping a single digit and against interchanging two unequal digits, as long as only one of these errors occurs in a given entry. Theorem If A = x 1 x 2... x 10 is a valid ISBN and B = x 1x 2... x 10 is obtained from A by altering exactly one digit or interchanging two unequal digits, then B is not a valid ISBN. Proof. Note that since 10 1 (mod 11) our check digit test for a valid ISBN is equivalent to the congruence 10 ix i 0 (mod 11). i=1 Suppose that B is obtained from A by replacing some digit x j by x j, where x j = x j. Then 10 i=1 ix i = ( 10 ) ix i jx j + jx j j(x j x j ) 0 (mod 11) i=1 by Euclid s Lemma, since 11 does not divide j or x j x j. Suppose instead that B is obtained from A by interchanging the jth and kth digits, where j = k and x j = x k. Then we can write x j = x k and x k = x j, and hence 10 i=1 ix i ( 10 ) ix i + jx k + kx j jx j kx k (k j)(x j x k ) 0 (mod 11) i=1 by Euclid s Lemma, since 11 does not divide k j or x j x k. Example The code number was obtained from a valid ISBN by interchanging two adjacent digits. What was the original ISBN?

16 16 SCOTT T. PARSELL Solution. Adopting the notation from the proof of Theorem 3.11, we have 10 i=1 ix i = = (mod 11). Suppose the adjacent digits x j and x j+1 were interchanged in the original ISBN. Then by applying the last displayed equation in the proof of Theorem 3.11 with k = j + 1, we see that x j+1 x j = x j x j+1 3 (mod 11). In the given code, we have x 6 x 5 = 3, and there is no other pair of adjacent digits with this property, so these must be the ones that were interchanged. It follows that the original ISBN was In the above example, we were able to use the ISBN scheme not only to detect an error but also to correct it, assuming we were fairly confident that the error involved transposing adjacent digits. Of course, if there was more than one adjacent pair (x j, x j+1) in the erroneous code with x j+1 x j = 3, then we d be less successful. Recently, the above system (known as ISBN-10) has been phased out in favor of a 13-digit code that is compatible with the UPC/EAN scheme. Here the check digit is determined by the congruence x 1 + 3x 2 + x 3 + 3x 4 + x x 12 + x 13 0 (mod 10), and a 12-digit UPC is converted to this form by putting an extra 0 at the beginning. Since the arithmetic now occurs in Z 10, there is no need to allow X as a possible check digit. This scheme (known as ISBN-13) still detects all single-digit errors but unfortunately no longer detects all transpositions. Many recent books contain both the ISBN-10 and ISBN-13 codes. Fermat s Little Theorem. In many applications of congruences, it is important to be able to compute powers of an integer efficiently modulo some number n. In the case where n is a prime, we have the following useful result. Theorem (Fermat s Little Theorem) If p is a prime not dividing a, then a p 1 1 (mod p). Proof. Suppose that p does not divide a, and consider the product X = a 2a 3a (p 1)a = a p 1 [1 2 3 (p 1)] = a p 1 (p 1)!. Suppose that 1 i, j p 1 and that ia ja (mod p). Since (a, p) = 1, Lemma 3.3 implies that i j (mod p), and hence that i = j. Therefore, the integers a, 2a, 3a,..., (p 1)a represent all the non-zero residue classes modulo p, and hence their product, X, must be congruent modulo p to (p 1) = (p 1)!. That is, we have a p 1 (p 1)! (p 1)! (mod p). Now since all the prime factors of (p 1)! are smaller than p, we find that p and (p 1)! are relatively prime, and thus Lemma 3.3 implies that a p 1 1 (mod p).

17 MA 311 NUMBER THEORY FALL We can use Fermat s Little Theorem to compute powers modulo a prime very efficiently by applying division with remainder to the exponent. Usually we are interested in the least non-negative representative for a particular residue class; this is sometimes called the residue and denoted by the MOD symbol. For instance, the residue of 8 modulo 5 is 8 MOD 5 = 3. Example Compute MOD 13. Solution. Since 13 is prime and doesn t divide 2, Theorem 3.13 implies that (mod 13). Moreover, division with remainder yields 2008 = , so Thus we have MOD 13 = = = (2 12 ) (mod 13). Fermat s Little Theorem also yields a negative test for primality, which is often faster than trial division. If b is a positive integer not divisible by n and we can show that b n 1 1 (mod n), then we may conclude that n is not prime. However, the converse of this is false. For example, (mod 341), and yet 341 = is not prime. So this does not give a way to prove that an integer is prime. We ll return to this topic in the next section. Reduced residues and Euler s Theorem. Recall that a has a multiplicative inverse modulo n if and only if (a, n) = 1. When n is prime, the residues with this property are just 1, 2, 3,..., n 1. In general, we write φ(n) for the number of positive integers less than or equal to n that are relatively prime to n. This is known as Euler s phi function. For instance, we have φ(1) = 1, φ(2) = 1, φ(3) = 2, φ(4) = 2, φ(5) = 4, φ(6) = 2, φ(7) = 6, φ(8) = 4, φ(9) = 6, and φ(10) = 4. Notice that φ(p) = p 1 whenever p is prime. The property of being relatively prime to n depends only on the residue class of an integer, since (a, n) = (a+kn, n) for any integer k by Lemma 2.6. Therefore, we can view φ(n) as the number of residue classes modulo n that are relatively prime to n. Any set of representatives for these classes is called a reduced residue system modulo n. For instance, {1, 2, 3, 4} is a reduced residue system modulo 5, while {1, 3, 7, 9} and { 3, 1, 1, 3} are reduced residue systems modulo 10. We often use Z n to denote a reduced residue system modulo n. Those familiar with abstract algebra may wish to note that Z n forms a group under multiplication. The following result generalizes Fermat s Little Theorem to the case of composite moduli. Theorem (Euler s Theorem) If a and n are positive integers with (a, n) = 1, then a φ(n) 1 (mod n). Proof. Let b 1,..., b φ(n) denote the positive integers less than or equal to n that are relatively prime to n, and let r i = ab i MOD n be the residue of ab i modulo n. Suppose that 1 i, j φ(n) and r i = r j. Then ab i ab j (mod n), which implies that b i b j (mod n) since (a, n) = 1. Since b 1,..., b φ(n) are distinct integers between 1 and n, we must have i = j. This shows that r 1,..., r φ(n) are distinct. Moreover, it is clear that (r i, n) = 1 for each i, so {r 1,..., r φ(n) } is a reduced residue system modulo n. In particular, we have b 1 b φ(n) r 1 r φ(n) ab 1 ab φ(n) a φ(n) b 1 b φ(n) (mod n). Since b 1 b φ(n) is relatively prime to n, we conclude that a φ(n) 1 (mod n), as desired. Example Compute MOD 12.

18 18 SCOTT T. PARSELL Solution. We have φ(12) = 4 and (5, 12) = 1, so Theorem 3.15 implies that (mod 12). Since 999 = , we have Thus we have MOD 12 = = = (5 4 ) (mod 12). In turns out that φ(n) can be computed easily provided that the prime factorization of n is known. This follows from the following important theorem about simultaneous congruences. We say that integers m 1,..., m r are pairwise relatively prime if (m i, m j ) = 1 whenever i = j. Theorem (Chinese Remainder Theorem) Let m 1,..., m r be pairwise relatively prime positive integers, and let b 1,..., b r be any integers. There exists an integer x satisfying the system of congruences x b 1 (mod m 1 ), x b 2 (mod m 2 ),..., x b r (mod m r ), and x is unique modulo m 1 m r. Proof. Let M = m 1 m r, and for each i write M i = M/m i. Since the m i are pairwise relatively prime, we have (M i, m i ) = 1, and thus Theorem 3.8 shows that there is a unique integer s i modulo m i satisfying the congruence It is easy to check that the integer M i s i b i (mod m i ). x = M 1 s 1 + M 2 s M r s r satisfies our system of congruences. If x is another solution to the system, then we have x x (mod m i ) for each i, and hence x x is divisible by m i. Since the m i are pairwise relatively prime, it follows easily that x x is divisible by M, which establishes uniqueness modulo M. Example Solve the system of congruences x 1 (mod 5), 2x 4 (mod 6), 3x 2 (mod 7). Solution. We first rewrite the system in a form to which Theorem 3.17 applies. In view of Theorem 3.8, we see that the system is equivalent to x 1 (mod 5), x 2 (mod 3), x 3 (mod 7), and we may now employ the proof of Theorem 3.17 with m 1 = 5, m 2 = 3, and m 3 = 7 to produce a unique solution modulo M = 105. We must find integers s 1, s 2, and s 3 satisfying the congruences 21s 1 1 (mod 5), 35s 2 2 (mod 3), 15s 3 3 (mod 7). We see easily by inspection that s 1 = 1, s 2 = 1, and s 3 = 3 are solutions, and thus x = = 101 is the unique solution of the original system modulo 105. Hence the solutions are precisely the integers of the form x = k, where k Z.

19 MA 311 NUMBER THEORY FALL The Chinese Remainder Theorem also allows us to deal with systems of congruences in which the moduli are not pairwise relatively prime. The technique is to convert the system to an equivalent one in which all the moduli are distinct prime powers. Example Find all solutions of the system x 1 (mod 36) and x 5 (mod 56). Solution. By the Chinese Remainder Theorem, the first congruence is equivalent to the pair x 1 (mod 4) and x 1 (mod 9), and the second congruence is equivalent to the pair x 5 (mod 8) and x 5 (mod 7). The congruences modulo powers of 2 must contain either redundant or contradictory information, so we examine these more carefully. If x 5 (mod 8), then we can write x = 8k + 5 = 4(2k + 1) + 1, for some k Z, and it follows that x 1 (mod 4). Since x 5 (mod 8) implies x 1 (mod 4), the latter congruence is redundant and may be eliminated from consideration. We have therefore reduced to the system x 5 (mod 8), x 1 (mod 9), x 5 (mod 7), and here the moduli are pairwise relatively prime, so Theorem 3.17 applies. We know that the unique solution modulo M = 504 is given by where s 1, s 2, and s 3 are integers satisfying or equivalently, x = 63s s s 3, 63s 1 5 (mod 8), 56s 2 1 (mod 9), 72s 3 5 (mod 7), 7s 1 5 (mod 8), 2s 2 1 (mod 9), 2s 3 5 (mod 7). We see that s 1 = 3, s 2 = 5, and s 3 = 6 satisfy these congruences, and thus is the unique solution modulo 504. x = = (mod 504) Example Find all solutions of the system x 1 (mod 36) and x 3 (mod 56). Solution. As in the previous example, the Chinese Remainder Theorem implies that the system is equivalent to x 1 (mod 4), x 3 (mod 8), x 1 (mod 9), x 3 (mod 7). But if x 3 (mod 8), then we have x = 8k + 3 = 4(2k) + 3 for some integer k, which shows that x 3 (mod 4). Hence these two congruences are inconsistent, and we conclude that the system has no solution.