Rosen - Elementary number theory and its applications.pdf

Elementary
Number
Theory
andlts
Applications
KennethH. Rosen
AT&T Informotion
Systems
Laboratories
(formerly part of
Bell Laborotories)
A
YY
ADDISON-WESLEY
PUBLISHINGCOMPANY
Reading, Massachusetts
Menlo Park, California
London Amsterdam
Don Mills, Ontario Sydney

Cover: The iteration of the transformation
T(n) :
is depicted.The Collatz conjectureasserts
that with any
startingpoint, the iteration of ?"eventuallyreachesthe integer
one. (SeeProblem 33 of Sectionl.2of the text.)
Library of Congress Cataloging in Publication Data
Rosen,Kenneth H.
Elementary number theory and its applications.
Bibliography: p.
Includes index.
l. Numbers, Theory of. I. Title.
QA24l.R67 1984
rsBN 0-201-06561-4
512',.72 83-l1804
Reprinted with corrections, June | 986
Copyright O 1984by Bell Telephone Laboratories and
Kenneth H. Rosen. All rights reserved.No part of this
publication may be reproduced, stored in a retrieval system,or
transmitted, in any form or by any means, electronic,
mechanical,photocopying, recording, or otherwise,without
prior written permission of the publisher. printed in the United
States of America. Published simultaneously in Canada.
DEFGHIJ_MA_8987
n/2 if n is even
l Qn + l)/2 if n is odd

Preface
Number theory has long beena favorite subject for studentsand teachersof
mathematics. It is a classical subject and has a reputation for being the
"purest" part of mathematics, yet recent developmentsin cryptology and
computer scienceare based on elementary number theory. This book is the
first text to integrate these important applications of elementary number
theory with the traditional topics covered in an introductory number theory
course.
This book is suitable as a text in an undergraduatenumber theory courseat
any level. There are no formal prerequisitesneededfor most of the material
covered,so that even a bright high-schoolstudent could use this book. Also,
this book is designedto be a useful supplementarybook for computer science
courses,and as a number theory primer for computer scientistsinterestedin
learning about the new developmentsin cryptography. Some of the important
topics that will interest both mathematics and computer sciencestudents are
recursion,algorithms and their computationai complexity,computer arithmetic
with large integers, binary and hexadecimal representationsof integers,
primality testing, pseudoprimality,pseudo-randomnumbers,hashingfunctions,
and cryptology, including the recently-invented area of public-key
cryptography. Throughout the book various algorithms and their
computational complexitiesare discussed.
A wide variety of primality testsare
developedin the text.
Use of the Book
The core material for a coursein number theory is presentedin Chapters 1,
2, and 5, and in Sections3.1-3.3and 6.1. Section 3.4 containssome linear
algebra; this section is necessary background for Section 7.2; these two
sections can be omitted if desired. Sections 4.1, 4.2, and 4.3 present
traditional applications of number theory and Section 4.4 presents an
application to computer science; the instructor can decide which of these
sectionsto cover. Sections6.2 and 6.3 discussarithmetic functions. Mersenne
primes, and perfect numbers; some of this material is used in Chapter 8.
Chapter 7 covers the applications of number theory to cryptology. Sections
7.1, 7.3, and 7.4, which contain discussionsof classical and public-key

vt Preface
cryptography,shouldbe includedin all courses.
Chapter 8 dealswith primitive
roots; Sections8.1-8.4 should be coveredif possible. Most instructorswill
want to include Section 8.7 which deals with pseudo-randomnumbers.
Sections 9.1 and 9.2 are about quadratic residues and reciprocity, a
fundamental topic which should be covered if possible;Sections 9.3 and 9.4
deal with Jacobi symbols and Euler pseudoprimesand should interest most
readers. Section 10.1, which coversrational numbersand decimal fractions.
and SectionsI 1.1 and I 1.2 which discussPythagoreantriples and Fermat's
last theorem are coveredin most number theory courses. Sections10.2-10.4
and I 1.3 involvecontinuedfractions;thesesectionsare optional.
The Contents
The reader can determine which chapters to study basedon the following
descriptionof their contents.
Chapter I introducestwo importants tools in establishingresults about the
integers, the well-ordering property and the principle of mathematical
induction. Recursivedefinitionsand the binomial theorem are also developed.
The concept of divisibility of integers is introduced. Representationsof
integers to different bases are described, as are algorithms for arithmetic
operationswith integers and their computational complexity (using big-O
notation). Finally, prime numbers, their distribution, and conjecturesabout
primesare discussed.
Chapter 2 introducesthe greatestcommon divisor of a set of integers.The
Euclidean algorithm, used to find greatest common divisors, and its
computational complexity, are discussed,as are algorithms to express the
greatestcommon divisor as a linear combinationof the integersinvolved. The
Fibonacci numbers are introduced. Prime-factorizations, the fundamental
theorem of arithmetic, and factorization techniques are covered. Finally,
linear diophantineequationsare discussed.
Chapter 3 introduces congruences and develops their fundamental
properties. Linear congruencesin one unknown are discussed,
as are systems
of linear congruencesin one or more unknown. The Chinese remainder
theorem is developed,and its application to computer arithmetic with large
integersis described.
Chapter 4 developsapplicationsof.congruences. In particular, divisibility
tests,the perpetual calendar which providesthe day of the week of any date,
round-robin tournaments,and computer hashing functions for data storageare
discussed.

Preface
Chapter 5 developsFermat'slittle theoremand Euler's theoremwhich give
some important congruencesinvolving powers of integers. Also, Wilson's
theorem which gives a congruencefor factorialsis discussed.Primality and
probabilistic primality tests based on these results are developed.
Pseudoprimes, strong pseudoprimes, and Carmichael numbers which
masquarade
as primesare introduced.
Chapter 6 is concernedwith multiplicative functions and their properties.
Specialemphasisis devotedto the Euler phi-function,the sum of the divisors
function, and the number of divisors function and explicit formulae are
developed for these functions. Mersenne primes and perfect numbers are
discussed.
Chapter 7 givesa thorough discussion
of applicationsof number theory to
cryptology, starting with classicalcryptology. Character ciphers based on
modular arithmetic are described,as is cryptanalysisof theseciphers. Block
ciphers based on modular arithmetic are also discussed. Exponentiation
ciphers and their applications are described, including an application to
electronicpoker. The conceptof a public-key cipher systemis introduced and
the RSA cipher is describedin detail. Knapsackciphersare discussed,
as are
applications
of cryptographyto computerscience.
Chapter 8 includesdiscussions
of the order of an integer and of primitive
roots. Indices, which are similar to logarithms, are introduced. Primality
testingbasedon primitive roots is described.The minimal universalexponent
is studied. Pseudo-random numbers and means for generating them are
discussed.An applicationto the splicingof telephone
cablesis alsogiven.
Chapter 9 covers quadratic residues and the famous law of quadratic
reciprocity. The Legendreand Jacobisymbolsare introducedand algorithms
for evaluating them are developed. Euler pseudoprimes
and a probabilistic
primality test are covered. An algorithm for electronically flipping coins is
developed.
Chapter l0 coversrational and irrational numbers,decimal representations
of real numbers,and finite simplecontinuedfractionsof rationaland irrational
numbers. Special attention is paid to the continued fractions of the square
roots of po"itive integers.
Chapter 1l treats some nonlinear diophantine equations. Pythagorean
triples are described. Fermat's last theorem is discussed. Finallv. Pell's
equationis covered.
vtl

vill Preface
Problem Sets
After each sectionof the text there is a problemset containingexercises
of
variouslevelsof difficulty. Each set containsproblemsof a numericalnature;
these should be done to developcomputationalskills. The more theoretical
and challengingproblemsshould be done by studentsafter they have mastered
the computationalskills. There are many more problemsin the text than can
be realistically done in a course. Answers are providedat the end of the book
for selectedexercises,
mostly thosehaving numerical answers.
Computer Projects
After each sectionof the text there is a selectionof computer projects that
involve conceptsor algorithms discussedin that section. Students can write
their programs in any computer language they choose, using a home or
personalcomputer, or a minicomputer or mainframe. I encouragestudentsto
use a structuredprogramminglanguagesuch as C, PASCAL, or PL/ 1, to do
these projects. The projects can serveas good ways to motivate a student to
learn a new computer language, and can give those students with strong
computer science backgrounds interesting projects to tie together computer
science
and mathematics.
UnsolvedProblems
In the text and in the problemsetsunsolvedquestionsin number theory are
mentioned. Most of these problems have eluded solution for centuries. The
reader is welcome to work on these questions,but should be forewarned that
attempts to settle such problems are often time-consumingand futile. Often
peoplethink they have solvedsuch problems,only to discoversomesubtle flaw
in their reasoning.
Bibliography
At the end of the text there is an extensive
bibliography,split into a section
for books and one for articles. Further, each section of the bibliography is
subdivided by subject area. In the book section there are lists of number
theory texts and references,books which attempt to tie together computer
scienceand number theory, books on some of the aspectsof computer science
dealt with in the text, such as computer arithmetic and computer algorithms,
books on cryptography, and general references.In the articles section of the
bibliography, there are lists of pertinent expository and research papers in
number theory and in cryptography. Thesearticles should be of interestto the
reader who would like to read the original sourcesof the material and who
wants more details about someof the topicscoveredin the book.

Preface
Appendix
A set of five tables is included in the appendixto help studentswith their
computations and experimentation. Students may want to compile tables
different than those found in the text and in the appendix; compiling such
tableswould provide additional computer projects.
List of Symbols
A list of the svmbols used in the text and where they are defined is
included.
Acknowledgments
I would like to thank Bell Laboratoriesand AT&T Information Systems
Laboratories for their support for this project, and for the opportunity to use
the UNIX systemfor text preparation. I would like to thank George Piranian
for helping me developa lasting interest in mathematics and number theory.
Also I would like to thank Harold Stark for his encouragementand help,
startingwith his role as my thesisadvisor. The studentsin my number theory
coursesat the University of Maine have helped with this project, especially
Jason Goodfriend, John Blanchard, and John Chester. I am grateful to the
various mathematicianswho have read and reviewedthe book, including Ron
Evans, Bob Gold, Jeff Lagarias and Tom Shemanske. I thank Andrew
Odlyzko for his suggestions,Adrian Kester for his assistancein using the
UNIX system for computations,Jim Ackermann for his valuable comments,
and Marlene Rosenfor her editing help.
I am particularly grateful to the staff of the Bell Laboratories/American
Bell/AT&T Information ServicesWord ProcessingCenter for their excellent
work and patiencewith this project. Special thanks go to Marge Paradis for
her help in coordinating the project, and to Diane Stevens, Margaret
Reynolds, Dot Swartz, and Bridgette Smith. Also, I wish to express my
thanks to Caroline Kennedy and Robin Parsonwho typed preliminary versions
of this book at the University of Maine.
Finally, I would like to thank
offer specialthanks to my editor,
and enthusiasm.
Lincroft, New Jersey
December.1983
tx
the staff of Addison-Wesleyfor their help. I
Wayne Yuhasz,for his encouragement,
aid,
KennethH. Rosen

Contents
Chapterl.
l . l
1 . 2
1 . 3
t . 4
1 . 5
Chapter
2.
2 . 1
2.2
2.3
2,4
2.5
Chapter3.
3 . 1
3.2
3.3
3.4
Chapter4.
4 . 1
4.2
4.3
4.4
The Integers
The well-ordering
Divisibility
Representations
of int;;;;;....-'.....-'-.'.........
Computeroperations
with integers............
Prime numbers...
Greatest Common Divisors and Prime Factorization
Greatestcommon divisors
The Euclideanalgorithm...........
The fundamentaltheoremof arithmetic............
Factorizationof integersand the Fermat numbers
Linear diophantineequations
...............
Congruences
4
l 8
24
33
45
53
58
69
79
87
Introduction to congruences 9l
Linearcongruences.............. 102
The Chineseremainder theorem 107
Systemsof linear congruences.............. I 16
Applications of Congruences
Divisibilitytests......... .. 129
The perpetual
calendar............. 134
Round-robin
tournaments.......... .. 139
Computer file storageand hashingfunctions............... l4l

Contents
Chapter 5. Some Special Congruences
5.1 Wilson's theorem and Fermat's little theorem 147
5.2 Pseudoprimes.............. .. 152
5.3 Euler'stheorem 16l
Chapter6. MultiplicativeFunctions
6.1 Euler'sphi-function
............... 166
6.2 The sum and numberof divisors.............. 174
6.3 Perfectnumbersand Mersenneprimes 180
Chapter 7. Cryptology
7.l Characterciphers 188
7.2 Block ciphers 198
7.3 Exponentiation
ciphers............... .. 205
7.4 Public-keycryptography............. 212
7.5 Knapsackciphers 219
7.6 Some applicationsto computer science 227
Chapter 8. Primitive Roots
8.1 The order of an integer and primitive roots 232
8.2 Primitive roots for primes 238
8.3 Existenceof primitive roots 243
8.4 Index arithmetic 252
8.5 Primality testingusingprimitive roots......... 263
8.6 Universal exponents. 268
8.7 Pseudo-random
numbers............ .. 275
8.8 The splicingof telephone
cables .. 280
Chapter 9. Quadratic Residuesand Reciprocity
9.I Quadraticresidues 288
9.2 Quadratic reciprocity .. 304
9.3 The Jacobisymbol 314
9.4 Euler pseudoprimes............. 325
xl

xtl Contents
Chapter 10.
1 0 . 1
10.2
1 0 . 3
1 0 . 4
ChapterI l.
Decimal Fractions and Continued Fractions
Decimal fractions...
Finite continuedfractions
Infinite continued fractions
Periodiccontinued fractions
Some Nonlinear Diophantine Equations
Pythagorean
triples....
Fermat'slasttheorem.............
Pell'sequations
336
350
3 6 1
315
l . l
t . 2
1 . 3
3 9 1
397
4 0 1
Appendix.. 410
Answers to selectedproblems 426
Bibliography............. 438
List of symbols.... 445
Index 447

lntroduction
Number theory, in a general sense,is the study of numbers and their
properties.In this book,we primarilydealwith the integers,0,+1, +2,....
We will not axiomatically define the integers,or rigorouslydevelopinteger
arithmetic.l Instead,we discussthe interestingpropertiesof and relationships
betweenintegers. In addition, we study the applicationsof number theory,
particularlythosedirectedtowardscomputerscience.
As far back as 5000 years ago, ancient civilizations had developedways of
expressingand doing arithmetic with integers. Throughout history, different
methods have been used to denote integers. For instance, the ancient
Babyloniansused 60 as the base for their number system and the Mayans
used 20. Our method of expressingintegers, the decimal system,was first
developedin India approximately six centuries ago. With the advent of
modern computers,the binary system came into widespreaduse. Number
theory has been used in many ways to devisealgorithms for efficientcomputer
arithmetic and for computer operationswith large integers.
The ancient Greeks in the schoolof Pythagoras,2500 years ago, made the
distinction betweenprimes and composites. A prime is a positiveinteger with
no positive factors other than one and the integer itself. In his writings,
Euclid, an ancient Greek mathematician, included a proof that there are
infinitely many primes. Mathematicians have long sought formulae that
generateprimes. For instance,Pierre de Fermat, the great French number
theorist of the seventeenthcentury, thought that all integers of the form
22'+ 1 are prime; that this is false was shown, a century after Fermat made
this claim, by the renowned Swiss mathematician Leonard Euler, who
demonstratedthat 641 is a factor of 22'+ | .
The problem of distinguishing primes from compositeshas been extensively
studied. The ancientGreek scholarEratosthenes
deviseda method,now called
l. Such an axiomaticdevelopment
of the integersand their arithmetic can be found in Landau
t 6 l l .

Introduction
the sieve of Eratosthenes,that finds all primes lessthan a specifiedlimit. It
is inefficientto use this sieve to determine whether a particular integer is
prime. The problem of efficientlydetermining whether an integer is prirne has
long challengedmathematicians.
Ancient Chinese mathematiciansthought that the primes were precisely
thosepositiveintegersn such that n divides 2' - 2. Fermat showed that if n
is prime, then n does divide 2n - 2. However, by the early nineteenth
century, it was known that there are compositeintegersn such that n divides
2n - 2, such as n : 341 . Thesecompositeintegersare calledpseudoprimes
Becausemost compositeintegersare not pseudoprimes,
it is possibleto develop
primality tests based on the original Chinese idea, together with extra
observations. It is now possibleto efficiently find primes; in fact, primes with
as many as 200 decimal digits can be found in minutes of computer time.
The fundamental theorem of arithmetic, known to the ancient Greeks,
says that every positive integer can be written uniquely as the product of
primes. This factorization can be found by trial division of the integer by
primes less than its square-root; unfortunately, this method is very time-
consuming. Fermat, Euler, and many other mathematicians have produced
imaginative factorization techniques. However, using the most efficient
technique yet devised,billions of years of computer time may be required to
factor an integer with 200 decimal digits.
The German mathematician Carl Friedrich Gauss,consideredto be one of
the greatest mathematicians of all time, developed the language of
congruences in the early nineteenth century. When doing certain
computations,integersmay be replacedby their remainderswhen divided by a
specific integer, using the language of congruences. Many questionscan be
phrasedusing the notion of a congruencethat can only be awkwardly stated
without this terminology. Congruenceshave diverseapplicationsto computer
science,including applicationsto computer file storage,arithmetic with large
integers,and the generationof pseudo-random
numbers.
One of the most important applications of number theory to computer
scienceis in the area of cryptography. Congruencescan be used to develop
various types of ciphers. Recently, a new type of cipher system, called a
public-key cipher system, has been devised. when a public-key cipher is
used, each individual has a public enciphering key and a private deciphering
key. Messagesare encipheredusing the public key of the receiver. Moreover,
only the receivercan decipher the message,sincean overwhelmingamount of
computer time is required to decipherwhen just the encipheringkey is known.
The most widely used public-key cipher system relies on the disparity in
computer time required to find large primes and to factor large integers. In

lntrocluction
particular, to producean encipheringkey requiresthat two large primes be
found and then multiplied;this can be done in minuteson a computer. When
theselarge primes are known, the decipheringkey can be quickly found. To
find the deciphering key from the enciphering key requires that a large
integer,namely the product of the large primes,be factored. This may take
billionsof years.
In the following chapters,we discusstheseand other topics of elementary
number theory and its applications.

The Integers
1.1 TheWell-Ordering
Property
In this section,we discussseveralimportant tools that are useful for proving
theorems. We begin by stating an important axiom, the well-ordering
property.
The Well-Ordering Property. Every nonempty set of positive integers has a
least element.
The principle of mathematical induction is a valuable tool for proving
resultsabout the integers. We now state this principle, and show how to prove
it using the well-ordering property. Afterwards, we give an example to
demonstratethe use of the principle of mathematical induction. In our study
of number theory, we will use both the well-ordering property and the
principle of mathematical induction many times.
The Principle of Mathematical Induction. A set of positive integers that
contains the integer I and the integer n I I wheneverit contains n must be
the set of all positiveintegers.
Proof. Let S be a set of positive integers containing the integer I and the
integer n * | whenever it contains n. Assume that S is not the set of all
positive integers. Therefore, there are some positiveintegersnot contained in
.S. By the well-ordering property, since the set of positive integers not
contained in S is nonempty, there is a least positiveinteger n which is not in
. S . N o t e t h a t n 1 1 , s i n c el i s i n S . N o w s i n c en ) l , t h e i n t e g e rn - 1 i s
1

l.l The Well-Ordering ProPertY
a positive integer smaller than n, and hence must be in S. But since S
containsn - l, it must alsocontain (n-t) + | : n, which is a contradiction,
sincen is supposedlythe smallestpositiveinteger not in S. This showsthat S
must be the set of all positiveintegers. tr
To prove theoremsusing the principle of mathematical induction, we must
show two things. We must show that the statementwe are trying to prove is
true for l, the smallest positiveinteger. In addition, we must show that it is
true for the positive integer n * I if it is true for the positive integer n. By
the principle of mathematical induction, one concludesthat the set S of all
positiveintegersfor which the statementis true must be the set of all positive
integers. To illustrate this procedure, we will use the principle of
mathematical induction to establisha formula for the sum of the terms of a
geometricprogression.
Definition. Given real numbers4 and r. the real numbers
a, ar, er2,ot3r...
are said to form a geometric progression. Also, a is called the initial term
and r is called the common ratio.
Example. The numbers 5, -15,45, -135,... form a geometricprogression
with initial term 5 and commonratio -3.
In our discussionof sums, we will find summation notation useful. The
followingnotationrepresents
the sum of the real numberse1,o2,...,on.
2 o o : e r * a z * l a n
k-l
k, the index of summation, is a "dummy variable" and
letter, so that
n n
a k : 2 o i
j - t i - l
We note that the letter
can be replacedby any
5,
k-l
Example. We seethat

TheIntegers
)
2j:I+2+3+4+5:15,
j-r
)
2t2:2+2+2+2+2:10,
j-r
and
)
2 2i : 2 * 22+ 23+ 24+ 2s: 62 .
j-1
We also note that in summation notation, the index of summation may
range betweenany two integers,as long as the lower limit doesnot exceedthe
upper limit. If m and h are integerssuch that z ( n, then
b o o : a m * a ^ a 1 * * a n .
k-m
For instance.we have
5
> k2: 33+ 42+ 52: 50,
k;t
> 3k:30 + 3t + 32: 13,
fr:0
and
I
k--2
We now turn our attentionto sumsof terms of geometricprogressions.
The
sum of the termse) er, or2,...,
arn is
n
2 o r i : e * a r * a r 2 + * a r n ,
j-0
wherethe summationbeginswith 7 : g. We havethe followingtheorem.
Theorem l.l. If a and r ^re real numbersand r * l. then

Property
( 1 . 1 )
Proof. To prove that the formula for the sum of terms of a geometric
progressionis valid, we must first show that it holds for n : l. Then, we must
show that if the formula is valid for the positiveinteger n, it must also be true
for the positiveinteger n * l.
To start thingsoff, let n: l. Then, the left sideof (t.t) is a * ar, while
on the right sideof (1.1) we have
a r L - a _ a ? z - t ) _ a b * l ) ( r - 1 )
r - l r - l T :
a ( r * l ) : a * a r
So the formula is valid when n : l.
Now we assumethat (1.1) holds
assumethat
0.2) a l a r + a r z +
We must show that the formula also holds for the positive integer n * l.
What we must show is that
(t.:) a*ar+ar2+ * arn * arn*l : or@+t)+t_o
r-l
n ) , , n a r n * l - Q
E ori : a * ar * ar2 + * arn :
T .
j : o
i a r - t r a r ' ' : T
for the positive integer n. That is, we
' t a r ' - a r n * l - Q
I
ar'+2-e
r-l
To showthat (1.3) is valid, we add orn*r to both sidesof (1.2), to obtain
(t.+) (a*ar*ar2+...+arn) * ar'+r- arn+t:o
+ arr+t,
r - l
The left sideof (t.+) is identicalto that of (1.3). To showthat the right sides
are equal, we note that
arn+l-e
, or'*l (r- I )
T -
r-l r-1
o r n * l - a * a r ' + Z a r n * l
r-l
implies (t.:), we can concludethat (t.t)
a r n * l - a 1 ^ - n r r _
T A r
r - I
:
Sincewe haveshownthat 0.2)

The Integers
holds for all positiveintegersn. tr
Example. Let n be a positiveinteger. To find the sum
bro:r*2+22+ *2',
k:0
we useTheorem l.l with e : I and r : 2, to obtain
1 n * l _ I
. J - 1 n : r n * l _ r
2-l
l+2+22+
Hence, the sum of consecutivenonnegativepowers of 2 is one less than the
next largestpower of 2.
A slight variant of the principle of mathematical induction is also sometimes
useful in proofs.
The Second Principle of Mathematical Induction. A set of positive integers
which containsthe integer 1, and which has the property that if it containsall
the positiveintegers1,2,..., k , then it alsocontainsthe integerk + l, must
be the set of all positiveintegers.
Proof. Let T be a set of integers containing I and containing k + I if it
contains1,2,..., k. Let S be the set of all positiveintegersn such that all
the positiveintegerslessthan or equal to n are in Z. Then I is in S, and by
the hypotheses,
we seethat if k is in S, then k + | is in S. Hence, by the
principle of mathematical induction, S must be the set of all positiveintegers,
so clearly T is alsothe set of all positiveintegers. tr
The principle of mathematical induction providesa method for defining the
valuesof functions at positiveintegers.
Definition. We say the function f is defined recursively if the value of f at I
is specified
and if a rule is providedfor determiningf h*l) from f h) .
If a function is defined recursively, one can use the principle of
mathematical induction to show it is defineduniquely at each positiveinteger.
(Seeproblem 12 at the end of this section.)
We now give an example of a function defined recursively. We define the
factorial function f fu) : nt . First, we specifythat

1.1 The Well-Ordering ProPertY
f(r): I ,
andthenwegivethe rule for findin
g f h*1) fromf fu), namely
f h+r) : (n+r)'f
fu).
Thesetwo statementsuniquely definer!.
To find the value of f G) : 6! from the recursivedefinition of f h) : nl,
usethe secondproperty successively,
as follows
f 6) :6.f (5): 6.5.f
(4): 6.s.4'f
(3): 6's'4'3'f
(2):6's'4'3'2f0).
We now use the first statement of the definition to replacef 0) by its stated
value l. to concludethat
6 l : 6 ' 5 ' 4 ' 3 ' 2 ' l
: 7 2 0 .
In general,by successively
using the recursivedefinition, we seethat n! is the
product of the first n positiveintegers,i.e.
n! : l'2'3 n
For convenience,
and future use,we specifythat 0! : l.
We take this opportunity to define a notation for products, analogousto
summationnotation. The product of the real numbersa1, a2,...,a,is denoted
by
ft o, : ere2 an
j-r
The letter 7 aboveis a "dummy variable",and can be replacedarbitrarily.
Example. To illustrate the notation for productswe have
)
f I j : l ' 2 ' 3 ' 4 ' 5 : 1 2 0 .
j-r
5
II 2: 2.2.2.2.2:
25: 32.
j-r
5
fI Zi : 2.22.23.24.2s: 2r5
j-r

l0
We note that with this notation, n ! : fI ,r .
j-r
Factorialsare usedto definebinomial cofficients.
Definition. Let m and k be nonnegativeintegerswith k 4 m. The
r)
binomial
cofficien,
lT I isoenneo
uy
(^ /
r)
l*| mt
t r t : -
lk J kt(m_k)t
l^)
In computing
lO,J,
l^) m;
:--
lk ) kt@_k)l
k t
fzl
Example.To evaluate
the binomialcoefficien,
L,,J,
wenotethat
r
17| 7t 1.2.3.4.s.6.7s.6.7
f3J
:
3t4t
:
r23.r234:E:i)'
We now prove somesimple propertiesof binomial coefficients.
Proposition 1.2. Let n and k be nonnegativeintegerswith k ( n . Then
( i )
[ ; ] : [ ; ] : ,
r) r )
(ii) lll:l'.1
fkj
-
l,-t,)'
Proof. To seethat (i) is true, note that
TheIntegers
we seethat there is a good deal of cancellation,because
t.2.3... @-k)@-k+t) ... tu-t)m
k! t.2.3 fu-k)
(m-k+r) (m-r)m

Property 11
[;]
:# : n ' ' : l
n t
:t
and
_ n , . _
n !0!
[;]
. lr:,
commondenominator
ftl(n-k+t)!. This gives
+lr,
t;]
To verify (ii), we seethat
frl n; nt lr l-
l , l : : - : l , l t r
|.k
J kth-k)t tu-k)r(n-h-k))t ln-* )'
An important property of binomial coefficientsis the following identity.
Theorem 1.2. Let n and k be positiveintegerswith n > k. Then
|',]
, I nI_|,,*'l
loj
*
[o-,J:I r )
Proof. We perform the addition
by usingthe
t.
Uc
nth-k tl) ntk
ktfn-k+l
-
ktJtt-t(+il
nl((n-k +r) +k)
kth-k +t)t
ntfu*l)
klfu-k+r)t
(n+l)!
kth-k +r)t
[n+r
I
l l n
f k )
u

t2 The Integers
Theorem 1.2, we can easily construct Pascal'striangle, which
the binomial coefficients. In this triangle, the binomial coefficient
the (k+t)ttr number in the (n+l)th row. The first nine rows of
triangleare displayed
in Figure l.l.
I
l l
r2l
l33l
r4641
15101051
1615201561
172135352171
18285670562881
Figure
1.1.
'Plr"urt
triangle.
We seethat the exteriornumbersin the triangleare all l. To find an
interiornumber,wesimplyaddthe two numbers
in the positions
above,
andto
eitherside,of the positionbeingfilled. From Theorem
1.2,this yieldsthe
correctinteger.
Binomialcoefficients
occurin the expansions
of powersof sums. Exactly
howtheyoccuris described
by thebinomialtheorem.
The BinomialTheorem. Let x and y be variables
and n a positiveinteger.
Then
-2
y'+
Using
displavs
|,,]
|.r,l
rs
Pascal's
(x*y)n
:
[;]"..[T]".-',.
l:)..
+l,:r)*r.-,
+[,:,]'
or using summation notation,
2
+l:),'
y n -

1.1 The Well-Ordering ProPertY l3
^ ( n ]
G+y)n:2
l;l*"-tyt
j-0 J l
We provethe binomial theorem by mathematical induction. In the proof we
make useof summation notation.
Proof. We use mathematical induction. When n : l, according to the
binomial theorem.the formula becomes
frlfrl
(x*y)r-
loj"'.yo
+
I,,J"or'
lrlfrl
But because
lnl: lil:t,this states
that (x+y)r:x *y, whichis
t " J ^ /
obviouslytrue.
We now assumethe theorem is valid for the positive integer n, that is, we
assumethat
^ fn)
G+y)n
: 2 l ,lr'-iri .
j-0 r )
We must now verify that the correspondingformula holds with n replacedby
n * l, assumingthe resultholds for n. Hence,we have
(x+y)n+r - (xty)"(x+y)
'l
l, |,,.l I
:
la lil"-t'l l(x+r)
|.i:o
r )
J
, lnl , fr)
j-0 r ) j:0 J ./
We see that by removing terms from the sums and consequentlyshifting
indices.that

t4 TheIntegers
2l;).'-'.','
21,).'-'."'
: I n + l +
and
Hence, we find that
(x*Y)'+r - xn+r
By Theorem 1.2,we have
't
I
lxn-i+tri I yn+t
I
3l:).'-'''*'
:'Al,).'-'''.'
:21'!'1"-'*'
* y n + t
yj + yn*t
n
+>
j-r
t;l
+
[,1']
:
[';']
,
so we concludethat
k+y),,'+r
- ,,*, + bl':'fx,-i*,ri * yn+r
i-t I r )
n*t [n+rI
- S I l*n+t-iri
t1^l.j )
This establishes
the theorem. u
We now illustrate one useof the binomial theorem. If we let x : y : l. we
seefrom the binomial theorem that
^ lrl ,
2n:(t+t), : ) l rlt,-rli
: )
j-0 r ) j-o
This formula showsthat if we add all elementsof the
triangle, we get 2n. For instance,for the fifth row, we
rl
lnl
LJ,l
fu+l)th rowof Pascal's
find that

ProPertY
[;]
.
[l]
.
[l]
.
[l]
.
[l]
:, +4+6+
4+,:,6:24
15
l.l Problems
l. Find the valuesof the following sums
l0
a) >2
j-r
l 0
u) 2i
j-l
il rr2
j - l
)
l 0
c) 2j'
j-r
t 0
o) 22i.
j-r
2. Find the valuesof the following products
5 5
c) r. j'
b ) t r j 0 ) i l 2 i
j-t j-l
Find n ! for n equal to each of the first ten positiveintegers.
fro)frolfrolfrol frol
Find
lo,|'
|.,.l'I r.l'I tJ'^na
lroJ'
Find the binomial coefficients
|'qI fgI froI
fnl , fnl f,ol
l',l' loJ'
and
I o,J'
andverirv
that
lrj*loj: loJ
Show that a nonempty set of negativeintegershas a largestelement.
Use mathematical induction to prove the following formulae.
a) >,i:t+2+3+ + ,:n(nlD.
j - l L
5.
3 .
4.
6.
7 .
U ) 2 i ' : 1 2 + 2 2 + 3 2 + +
j - l
. t n ( n + l ) ( 2 n + l )
, a
6

t6
8 .
9.
The Integers
| 1 2
c) i.r': t'+ 23
+ 33
+ * n3: |
't'ftl
I
i-tt2l
Find
aformula
rcrft Zi.
j-l
Use the principle of mathematical induction to show that the value at each
positiveinteger of a function definedrecursivelyis uniquely determined.
what function f (n) is defined recursivelyby f 0) : 2 and f (n+D : 2f (n)
f o r n ) l ?
If g is definedrecursivelyby g(l) :2 and g(n) :2sb-D for n 7 2,
what is S(02
The secondprinciple of mathematical induction can be used to define functions
recursively. We specify the value of the function at I and give a rule for finding
f h+l) from the values of f at the first n positive integers. Show that the
valuesof a function so definedare uniquely determined.
We define a function recursively for all positive integers n bV "f
(l) : l,
f (2):5, and for n 2 2, f h+t):f h) + 2f (n-t). Show that f (n) :
2^ + el)n, using the secondprinciple of mathematical induction.
14. a) Let n be a positiveinteger. By expanding (l+(-l))'with the binomial
theorem.show that
r0.
l l .
t2.
t3.
, fr)
) (-r)o
lrJ
: o.
b) usepart(a),andthefactthat > f;l :2' , tofind
t-o '' J
f,l f,l l,l
loj
* IrJ
* loj
*
and
[,lf,l|,,l
['J*
l,J
*I'J
*
c ) F i n d t h e s u m l - 2 + 2 2 - 2 3 + + 2 t o o .
15. Show by mathematical induction that if n is a positive integer, then
(2n)t < 22'(nl)z.

1.1 The Well-Ordering ProPertY
. ["] [*l f'+rl
b ) S h o w t h a tl - l + 1 . , , | : l - - * , l , w h e n e v e r n i s a p o s i t i v e i n t e g e r .
l , ? J l t ? + r j l n , ' t
In this problem, we develop the principle of inclusion - exclusion. Suppose
that S is a set with n elements and let Pr, P2,.,., P, be t different properties
that an element of S may have. Show that the number of elements of S
possessing
none of the / properties is
n -ln(rr) + n(p) + + n@)l
+ln(Pt,Pz)
+ n(Pt,Pr)
+ + n(P,-r,P,)l
- {n(Pr,Pz,Pt)* n(PrPz,Pq) + * n(P,-2,P,4,P,)|
+ + (-l)'n (P1,P2,...,P,),
where n(Pi,,Pi,,..., P,,) is the number of elements of S possessingall of the
propertiesPi,,P;,,...,P;,.
The first expressionin brackets contains a term for each
property, the secondexpressionin bracketscontainsterms for all combinationsof
two properties,the third expressioncontains terms for all combinationsof three
properties,and so forth. (Hint: For each elementof S determine the number of
times it is counted in the above expression. If an element has k of the
lrl lpl ltl
properties,
show
it iscounted
t -
lrJ
+
Itl
- + (-l)ft
lrJ
,i-.t. This
equals zeroby problem la(a).)
The tower of Hanoi was a popular puzzle of the late nineteenth century. The
puzzle includes three pegs and eight rings of different sizes placed in order of
size,with the largeston the bottom, on one of the pegs. The goal of the puzzle is
to move all the rings, one at a time without ever placing a larger ring on top of a
smaller ring, from the first pbg to the second,using the third peg as an auxiliary
peg.
t7
16. The binomial coefficients
[;],*nr."
x is a variable, and n is a positiveinteger,
can be defined recursivelyby the equations
[l ]
: x and
| .I ,_n[,1
In+tJ:R l;l
|.".l x! ,
a ) S h o w t h a t i f x i s a p o s i t i v e i n t e g e r , t h e n [ o J : f f i , w h e r e k i s a n
i n t e g e r w i t h l ( k ( x .
t 7 .
1 8 .

l8 The Integers
a) Use mathematicalinductionto showthat the minimum number of movesto
transfer n rings, with the rules we have described,from one peg to another
i s 2 n - 1 .
b) An ancient legend tells of the monks in a tower with 64 gold rings and 3
diamond pegs. They started moving the rings, one move per second,when
the world was created. When they finish transferring the rings to the second
peg,the world ends. How long will the world last?
19. Without multiplying all the terms,showthat
i l 6 ! 7 ! : l 0 ! c ) 1 6 ! : l 4 t 5 t 2 l
b ) l 0 ! : 7 ! 5 ! 3 ! d ) 9 t - 7 13 ! 3 ! 2 ! .
20. Let an : (af a2l. ar-1!) - l, and on+t: af. a2t an_tl, where
o1,a2,...,etr-1
or€ positiveintegers. Show that an*1!: al. a2t onl.
21. Find all positive
integers
x, y,and z suchthat xt * yl: z!.
l.l Computer Projects
Write programsto do the following:
l. Find the sum of the terms of a geometricseries.
2. Evaluaten !
3. Evaluate binomial coefficients.
4. Print out Pascal'striangle.
5. List the movesirr the Tower of Hanoi puzzle (seeproblem l8).
6. Expand (x*y)", where n is a positiveinteger,using the binomial theorem.
1.2 Divisibility
When an integer is divided by a secondnonzerointeger,the quotient may or
may not be an integer. For instance,24/8: 3 is an integer,while l7/5:3.4
is not. This observationleadsto the following definition.
Definition. If a and b are integers, we say that a divides b if there is an
integer c such that b : ac. lf a divides b, we also say that a is a divisor or
factor of b.

1.2 Divisibility
I f a d i v i d e s
b w e w r i t ea l b , w h i l e i f a d o e s n o t d i v i d e b , w e w r i t e at r U .
Example. The following examples illustrate the concept of divisibility of
integers:
13| 182,
-5 | 90,t7l28g,e trqq,ltrso,
-l | :1,and1710.
Example. The divisorsof 6 are +1, *2, +3, and +6. The divisorsof 17 are
tl and tI7. The divisors of 100 are +1, *2,+4, +5, +10,
+20, +25, +50, and + 100.
In subsequentsections,we will need some simple propertiesof divisibility.
We now state and prove theseproperties.
P r o p o s i t i o n
1 . 3 . I f a , b , a n d c a r e i n t e g e r s w i t h a
l b a n db l r , t h e n a l c .
Proof. Since a I b and b I c, there are integers e and f with ae : b and
bf : ,. Hence,bf : be)f : aGf) : c, and we concludethat a I c. a
Example. Since1l | 66 and 66 | tla, Proposition
1.3tellsus that 11 | 198.
Proposition1.4. lf a,b,m, and n areintegers,
and if c la and c lD, then
c | (ma+nb).
Proof. Since c I a and c | 6, there are integers e and / such that a : ce and
b: cf. Hence,ma * nb: mce * ncf : c(me+nf). Consequently,
we see
that c | fua+nb). E
Example. Since3l2l and: I ll, Proposition
1.4tellsus that
3 | 6-zl - 3.33)
: lo5- 99: 6 .
The following theorem statesan important fact about division.
The Divisionl$f$* If a and b areintegerssuch that b > 0, then there
are unique integersq and r such that a : bq * r with 0 ( r < b.
In the equationgiven in the division algorithm, we call q the quotient and r
the remainder.
We note that a is divisible by
algorithm is zero. Before we
following examples.
b if and only if the remainderin the division
prove the division algorithm, consider the
t9

20 The Integers
E x a m p l e . I f a - . 1 3 3 a n d b : 2 1 , t h e n Q : 6 a n d r : 7 , s i n c e
1 3 3 : 2 1 ' 6 + 7 . L i k e w i s e ,
i f a : - 5 0 a n d b : 8 , t h e nq - - 7 a n d r : 6 ,
s i n c e- 5 0 : 8 ( - 7 ) + 6 .
For the proof of the division algorithm and for subsequent numerical
computations,we needto definea new function.
Definition. Let x be a real number. The greatest integer in x, denoted by
[x ], is the largestintegerlessthan or equalto x.
Example. We have the following values for the greatest integer in
x'. 12.21
: 2,131:3,andI-t.sl : -2.
The proposition below follows directly from the definition of the greatest
integer function.
Proposition 1.5. If x is a real number,then x-l < [x] ( x.
We can now prove the division algorithm. Note that in the proof we give
explicit formulae for the quotient and remainder in terms of the greatest
integer function.
Proof. Let q:la/bl and r: a - bla/bl. Clearlya: bq * r. To show
that the remainder r satisfies the appropriate inequality, note that from
Proposition1.5,it followsthat
G / b ) - l < t a / b l 4 a / b .
We multiply this inequalityby b, to obtain
a - b < b t a l b l 4 a .
Multiplying by -1, and reversingthe inequality,we find that
By addinge, we seethat
-a(-b[a/bl<b-a.
0 ( r - a - bla/bl < n.
To show that the quotient q and the remainder r are unique, assumethat
we havetwo equations
a: bqr* rr and a : bqz* rr, with 0 ( rr ( b and
0 ( rz < b. By subtracting the secondof thesefrom the first, we find that

1.2 Divisibility
Hence.we seethat
0:bQt-qr)+(r;r2)
rz - rr: b(qt-qr).
This tells us that D divides rz- rr. Since0 ( rr I b and 0 ( rz ( b, we
have -b < rz- rr 1b. This shows that b can divide rz- 11 only if
rz- 11:0, or, in other words,if 11: 12. Sincebqt + rt: bQz* 12 and
rt: 12 we also seethat Qr: Qz. This showsthat the quotientq and the
remainder r are unique. tr
E x a m p l e .L e t a : 1 0 2 8 a n d b : 3 4 . T h e n a : b q * r w i t h 0 ( r < b ,
where q :tt028/341:30 andr : 1028-11028/341.34:1028- 30.34:8.
With a : -380 and b :75,we havea : bq * r with 0 ( r < b,where
q : [-380/751 : -6and r : -380 - t-380/751 : -380 - (-6)75 : 70.
Given a positive integer d, we can classify integers according to their
remainders when divided by d. For example, with d : 2, we see from the
division algorithm that every integer when divided by 2leaves a remainder of
either 0 or l. If the remainder when n is divided by 2 is 0, then r : 2k for
some positiveinteger k, and we say n is even, while if the remainder when n
is dividedby 2 is l, then n:2k * I for someintegerk,and we sayn isodd.
Similarly, when d : 4, we see from the division algorithm that when an
integer n is divided by 4, the remainder is either 0,1,2, or 3. Hence, every
integeris of the form 4k,4k + l,4k * 2, or 4k + 3, where k is a positive
integer.
We will pursuethesematters further in Chapter 3.
1.2 Problems
l. Show
that3 lgg, s I t+S,7l343,and888| 0.
2. Decidewhichof the followingintegersaredivisibleby 22
2l
il0
b) 444
c) 1716
d) r92s44
e) -325r6
f) -195518.

22 The Integers
remainder in the division algorithm with divisor 17 and
c) -44
d) -100.
3. Find the quotient and
dividend
a) loo
b) 28e
6.
7.
8 .
9.
4. What can you conclude if a and b are nonzero integers such that a I b and
b l a ?
5. Show that if a, b, c, and d areintegerswith a and c nonzerosuch that a I b
and c I d, then ac I bd.
A r e t h e r e i n t e g e r s
a , b , a n d c s u c h t h a t a l b c , b u t a I b a n d a I c ) .
Show that if a, b,and c l0 are integers,
then a I t if and only if ac I bc.
Show that if a and b are positiveintegers and a I D, then a ( D.
Give another proof of the division algorithm by using the well-ordering property.
(Hint: When dividing a by b, take as the remainder the least positiveinteger in
the set of integersa-qb.)
Show that if a and b are odd positive integers,then there are integers s and ,
suchthat a : bs * /, whereI is odd and lrl < n.
When the integer a is divided by the interger b where b > 0, the division
algorithm givesa quotient of q and a remainder of r. Show that if 6 ,f a, when
-a is divided by b, the division algorithm gives a quotient of -(q*l) and a
remainder of b - r, while if 6 | a, the quotient is -q and the remainder is zero.
Show that if a, b, and c are integers with b ) 0 and c ) 0, such that when a
is divided by b the quotient is q and the remainder is r, and when q is divided
by c the quotient is / and the remainderis s, then when a is divided by bc, the
quotient is I and the remainder is bs * r.
il Extend the division algorithm by allowing negative divisors. In particular,
show that whenever a and b # 0 are integers, there are integers q and r
suchthat a : bq * r, where 0 ( r < lAl .
b) Find the remainderwhen 17 is dividedby -7.
Show that if a and D are positive integers, then there are integers q,r and
e : !.1 suchthat a: bq * er where-b/2 <er4 b/2.
Showthat if a andb arereal numbers,
then la+bl 2la] + [r].
Show that if a and b are positivereal numbers,then labl 2 Laltbl .
What is the correspondinginequality when both a and b are negative? When
one is negativeand the other positive?
1 0 .
1 2 .
1 3 .
14.
1 5 .
1 6 .

1.2 Divisibilitv
21. Show that the integer n is evenif and only if n - 2ln /21 : 0.
22. Show that if a is a real number, then [a ] + Ia + %l : l2al .
23. a) Show that the number of positive integers less than or equal to x that are
divisible by the positiveinteger d is given by [x/dl.
b) Find the number of positiveintegersnot exceeding1000 that are divisible by
5, by 25, by 125,and by 625.
c) How many integersbetween 100 and 1000 are divisible by 7? by 49'l
24. To mail a letter in the U.S.A. it costs 20 cents for the first ounce and l8 cents
for each additional ounce or fraction thereof. Find a formula involving the
greatest integer function for the cost of mailing a letter. Could it possiblycost
S 1.08or ,$I .28 to mail a letter?
25. Show that if a is an integer, then 3 dividesa3-a
26. Show that the sum of two even or of two odd integers is even,while the sum of
an odd and an eveninteger is odd.
27. Show that the product of two odd integers is odd, while the product of two
integersis evenif either of the integersis even.
28. Show that the product of two integers of the form 4ft * I is again of this form,
while the product of two integersof the form 4k * 3 is of the form 4ft * L
29. Show that the squareof every odd integer is of the form 8k + l.
23
17. What is the valueof [a ] + l-a I when a is a real number?
18. Show that if a is a real number then
a) -I-a I is the least integer greater than or equal to a.
b) la + %l is the integer nearestto a (when there are two integersequidistant
from a, it is the larger of the two).
19. Show that if n is an integerand x is a real number,then [x*n] : [xl + n .
20. Show that if m and n 0 are integers,then
(r r
I 1I1 | if m : kn - I for someintegerk.
|*+r1 .JL'
J
I _ i:ll I
I n I llyl*tif m:kn-lforsomeintegerk.
ILnl

24 The Integers
30. Show that the fourth power of every odd integer is of the form l6k + l.
31. Show that the product of two integersof the form 6k * 5 is of the form 6k * L
32. Show that the product of any three consecutiveintegersis divisible by 6.
33. Let n be a positiveinteger. We define
f
ln/2 if n is even
T(n) :
1Qn*D/z if n is odd.
We then form the sequence obtained by iterating T:
n, T(n), T(TQ)), f (f(f (n))),... . For instance,
startingwith n : 7 we have
7,11,17,26,13,20,10,5,8,4,2,1,2,1,2,1...
. A well-known conjecture,sometimes
called the Collatz coniecture, assertsthat the sequenceobtained by iterating Z
alwaysreachesthe integerI no matter which positiveintegern beginsthe sequence.
a) Find the sequence
obtainedby iterating Z startingwith n :29.
b) Show that the sequence
obtainedby iterating Z starting with n: (2k-l)/3,
where k is an evenpositiveinteger, k > l, always reachesthe integer l.
1.2 Computer Projects
l Decide whether an integer is divisible by a given integer.
2. Find the quotient and remainder in the division algorithm.
3. Find the quotient, remainder, and sign in the modified division algorithm given in
problem 14.
4. Investigate
the sequence
n, T(n), T(Th)), f (rQ (n))),... definedin problem
3 3 .
1.3 Representations
of Integers
The conventional
mannerof expressing
numbersis by decimalnotation. We
write out numbers using digits to representmultiples of powersof ten. For
instance,when we write the integer 34765,we mea;r
3 . 1 0 4
+ 4 . 1 0 3
+ 7 . 1 0 2
+ 6 . 1 0 1
+ 5 . 1 0 0 .
There is no particular reasonfor the useof ten as the baseof notation,other
than the fact that we have ten fingers. Other civilizationshave useddifferent

1.3 Representations
of Integers
bases,including the Babylonians,who used base sixty , and the Mayans, who
used base twenty Electronic computers use two as a base for internal
representationof integers,and either eight or sixteenfor display purposes.
We now show that every positiveinteger greater than one may be used as a
base.
Theorem 1.3. Let b be a positive integer with b > l. Then every positive
integer n can be written uniquely in the form
n : akbk * ap-1bk-rt * a1b I oo,
wherea; is an integerwith 0 ( o; < b-l for,/ :0, 1,..., k and the initial
coefficientak I O.
Proof . We obtain an expressionof the desiredtype by successively
applying
the division algorithm in the following way. We first divide n by b to obtain
n : b e o * o o , 0 ( a o < b - 1 .
Then we divide qoby b to find that
e o : b q 1 t a 6 0 ( a r ( 6 - t .
We continue this processto obtain
Q t : b q 2 t a 2 , 0 ( a 2 ( b - 1 ,
q r = b q 3 l a 3 , 0 ( a r ( b - 1 ,
Qk-z: bq*-r * ak-r, 0 ( a1-1 ( b-1,
Qk-t: b.0 * ap, 0 ( a1 ( b-t.
The last step of the processoccurs when a quotient of 0 is obtained. This is
guaranteedto occur, becausethe sequence
of quotientssatisfies
n ) q o ) q r ) q z > " ' > 0 ,
and any decreasing sequence of nonnegative integers must eventually
terminate with a term equaling0.
25

26 The Integers
From the first equationabovewe find that
n : b e o * a o .
We next replace{6 using the secondequation,to obtain
n : b(bqfta1) + as : bzqrI a1b I as,
Successively
substitutingfor qr, Q2,...,Qk_r,we have
n : b 3 q z + a 2 b 2
* a 1 b* o r ,
: =i:ri
::,-'**"::,t{,-'..
**olr'u**ol'
: at bk + a1r-1bk-r
* t aft * ao.
where0 ( a; < b-l for 7 : 0,1,...,kand a* I 0, sinceek : 4r-r is the last
nonzero quotient. Consequently,we have found an expansionof the desired
type.
To see that the expansion is unique, assume that we have two such
expansions
equal to n, i.e.
n : ekbk + a1r-ybk-t
* t a1b * ao
: c*bk * c1r-1bk-r
* * cft * ro,
where 0 ( ar (b and 0 ( c1(b (and if necessary
we add initial terms with
zero coefficients to have the number of terms agree). Subtracting one
expansionfrom the other, we have
( a r , - c ) b k + ( o , , - r - c 1 , - ) b k - t * * ( a ; c r ) b + ( a s - c a ) : 0 .
If the two expansions
are different,there is a smallestintegerj, O (
"l
< k,
such that ai # ci. Hence,
. f
br
l(a*-c*)b(-r
+
Gr,-c)bk-i +
* (ai+rci+r)b * G1-c1)] : o,
+ (a1+rci+)b r (ai-c1) : O.
so that

1.3 Representations
of Integers 27
Solving for ai-c; we obtain
aj-cj: (crr-ar)bk-j + * (c7+r-ai+)b
: bl(c1,-a1)bk-j-t + * (c7+r-or*,)
].
Hence,we seethat
bl
But since 0 ( a; < b and 0 ( c;
Consequently, b I h1-c) implies
assumptionthat the two expansions
6 expansion
of n is unique. !
For b - 2 . we seefrom Theorem 1.3that the followingcorollaryholds.
Corollary 1.1. Every positive integer may be representedas the sum of
distinct powersof two.
Proof. Let n be a positiveinteger. From Theorem 1.3 with b : 2, we know
t h a t n : a t r T k * a 1 r - 1 2 k - t* + a Q * a s w h e r ee a c h a ii s e i t h e r 0 o r 1 .
Hence, every positiveinteger is the sum of distinct powersof 2. tr
In the expansions
describedin Theorem 1.3,b is called the base or radix of
the expansion. We call base l0 notation, our conventionalway of writing
integers, decimal notation. Base 2 expansionsare called binary expansions,
base 8 expansionsare called octal expansions,
and base 16 expansionsare
called hexadecimal, or hex for short, expansions. The coefficientsai are
called the digits of the expansion. Binary digits are called bits (binary
digils) in computerterminology.
To distinguish representationsof integers with different bases,we use a
special notation. We write (apapa...aps)6 to represent the expansion
a * b k l a p a b k - r l t a f t * a o .
Example. To illustrate base b notation, note that Q3Ot : 2.72+ 3.7 + 6
a n d ( 1 0 0 1 0 0 1 1 ) 2
: 1 . 2 7
+ 1 . 2 4
+ 1 . 2 r+ 1 .
Note that the proof of Theorem 1.3 givesus a methodof finding the baseb
expansion of a given positive integer. We simply perform the division
algorithm successively,
replacing the dividend each time with the quotient, and
G1-c1).
< b, we know that -b < ai-c1 I b.
that ej : cj. This contradicts the
are different. We concludethat our base

28 The Integers
stop when we come to a quotient which is zero.
remaindersto find the baseb expansion.
Example. To find the base2 expansionof 1864,
successively:
We then read up the list of
we usethe divisionalgorithm
1864: 2.932 + 0,
932:2'466 +0,
466:2'233 +0
233-2'116+1,
116: 2'58 + 0,
58:2'29 +0,
29:2'14 +1,
14:2'7 +0,
7 : 2'3 + 1,
3 : 2'l + l,
| : 2'O + 1.
To obtain the base 2 expansionof 1984, we simply take the remaindersof
these
divisions.This shows
that (1864)ro: (11101001000)2.
Computers represent numbers internally by using a series of "switches"
which may be either "on" or "off". (This may be done mechanically using
magnetic tape, electrical switches,or by other means.) Hence, we have two
possiblestates for each switch. We can use "on" to representthe digit I and
"off" to representthe digit 0. This is why computersuse binary expansionsto
representintegersinternally.
Computers use base 8 or base 16 for display purposes. In base 16, or
hexadecimal, notation there are l6 digits, usually denoted by
0,1,2,3,4,5,6,7
,8,9,A,8,,C,D,,Eand F . The letters A,B,C,D,E , and F are
usedto representthe digits that correspond
to 10,11,12,13,14
and l5 (written
in decimal notation). We give the following example to show how to convert
from hexadecimalnotation to decimal notation.
Example. To convert (A35B0F) 16we write
( e l s n o r ) r e : 1 0 . 1 6 s + 3 ' 1 6 4
+ 5 ' 1 6 3
+ l l ' r c z + 0 ' 1 6+ 1 5
: (t o7o5679)rc.

1.3 Representationsof Integers
A simple conversion
We can write each hex
correspondence
given in
is possiblebetween binary and
digit as a block of four binary
Table l.l .
29
hexadecimalnotation.
digits according to the
Hex
Digit
Binary
Digits
Hex
Digit
Binary
Digits
0
I
2
3
4
5
6
7
0000
0001
0010
001
l
0100
0101
0110
0l l1
8
9
A
B
C
D
E
F
r000
1001
1010
1011
l 100
I l0l
1110
llll
Table1.1. Conversion
from hexdigitsto blocksof binarydigits.
Example. An example of conversionfrom hex to binary is (zFBrrc:
(tOt t 1110110011)2.
Each hex digit is convertedto a block of four binary
digits (the initial zerosin the initial block (OOIO)2
corresponding
to the digit
(2) rc are omitted).
To convertfrom binary to hex, consider(t t t tOl I I101001)2. We break this
into blocks of four starting from the right. The blocks are, from right to left,
1001,1110,1101,and 0011 (we add the initial zeros). Translatingeachblock
to hex,we obtain GOng)ru.
We note that a conversionbetweentwo different basesis as easy as binary
hex conversion,wheneverone of the basesis a power of the other.
1.3 Problems
l. Convert (1999)1sfrom decimal to base7 notation. Convert (6tOS)t from base7
to decimal notation.
2. Convert (tOtOOtOOO),from binary to decimal notation and (tgg+),0 from
decimal to binary notation.

30 The Integers
convert (10001II l0l0l)2 and (l I101001110)2
from binaryto hexadecimal.
convert (ABCDEF)rc, @nrecnD)to, and (9A08)rc from hexadecimal to
binary.
Explain why we really are using base 1000 notation when we break large decimal
integersinto blocksof three digits, separatedby commas.
a) Show that if D is a negative integer lessthan -1, then every integer n can
be uniquer';:.])::'::;'
. * a1b
* oo,
where a1,I 0 and O <a, < lb I for ./ : 0,1,2,...,k. We write
n : (apa1,-r...at
a6)6,just as we do for positivebases.
b) Find the decimalrepresentation
of (tOtOOt)-2and OZOTD-r.
c) Find the base-2 representations
of the decimalnumbers-7,-17, and 61.
Show that any weight not exceeding2k-l may be measured using weights of
1,2,22,...,2ft-1,
when all the weightsare placedin one pan.
Show that every integer can be uniquely representedin the form
e p 3 k * e p - . 3 k - t * * e f i l e s
where €i : -1,0, or I for ,/:0,1 ,2, ...,k. This expansion is called a
balanced ternary expansion.
9. Use problem 8 to show that any weight not exceeding $k -t) /Z may be
measuredusing weightsof 1,3, 3',...,3ft-1,when the weightsmay be placedin
either pan.
Explain how to convert from base3 to base9 notation, and from base9 to base3
notation.
Explain how to convert from base r to base rn notation, and from base rn
notation to baser notation, when r ) I and n are positiveintegers.
Show that if r: (a*a*-1...aps)6, then the quotientand remainderwhen n is
dividedby bi areq : (apa1,-1...a)6
and, : (aj-r...apo)t, respectively.
If the base b expansionof n is n : (apa1,-1...aps)6,
what is the base b
expansion
of b^ n"l
14. A Cantor expansionof a positiveinteger n is a sum
f l : o m m t * a ^ a ( m - l ) ! + * a 2 2 l* a 1 l !
3.
4.
5.
6.
7 .
8 .
r0.
l l .
1 2 .
1 3 .

1.3 Representationsof Integers
where eachai is an integer with 0 ( a; < i .
a) Find Cantor expansions
of 14, 56, and 384.
b) Show that every positiveinteger has a unique Cantor expansion.
15. The Chinese game of nim is played as follows. There are a number of piles of
matches, each containing an arbitrary number of matches at the start of the
game. A move consistsof a player removing one or more matches from one of
the piles. The players take turns, with the player removing the last match
winning the game.
A winning position is an arrangementof matches in piles so that if a player can
move to this position, then, no matter what the second player does, the first
player can continue to play in a way that will win the gom€; An example is the
position where there are two piles each containing one match; this is a winning
position,becausethe secondplayer must remove a match leaving the first player
the opportunity to win by removing the last match.
a) Show that the position where there are two piles, each with two matches,is
a winning position.
b) For each arrangementof matchesinto piles,write the number of matchesin
each pile in binary notation, and then line up the digits of these numbers
into columns (adding initial zeroes if necessaryto some of the numbers).
Show that a positionis a winning one if and only if the number of onesin
each column is even (Example: Three piles of 3, 4, and 7 give
0 l l
l l t
1 0 0
where each column has exactly two ones).
16. Let a be an integer with a four-digit decimal expansion,with not all digits the
same. Let a' be the integer with a decimal expansionobtained by writing the
digits of a in descending order, and let a" be the integer with a decimal
expansion obtained by writing the digits of a in ascending order. Define
T(a) : a'- a". For instance,
f(2318) 8731 1378 : 7358.
a) Show that the only integer with a four-digit decimal expansionwith not all
digitsthe samesuchthat T(a) : a is a :6174.
b) Show that if a is a positiveinteger with a four-digit decimal expansionwith
not all digits the same, then the sequence a, T (d, f (f G)) ,
T'QQ(a))),..., obtained by iterating T, eventually reaches the integer
6174. Becauseof this property, 6174 is called Kaprekar's constant.
3t

32 The Integers
17. Let b be a positive integer and let a be an integer with a four-digit base b
expansion,
with not all digits the same. Define TtG) : a'- a", wherea'is the
integer with base D expansion obtained by writing the base 6 digits of a in
descendingorder, and let d " is the integer with base 6 expansionobtained by
writing the baseb digits of a in ascendingorder.
il Let b : 5. Find the unique integer a6 with a four-digit base 5 expansion
such that TsGl : ao. Show that this integer aq is a Kaprekar constantfor
the base5, i.e., a , T(a), r(f b)), f (f Q(a))),... eventually
reaches
40, whenevera is an integer which a four-digit base5 expansionwith not all
digits the same.
b) Show that no Kaprekar constantexistsfor the base6.
Write programs to do the following:
l. Find the binary expansion of an integer from the decimal expansion of this
integer and vice versa.
2. Convert from base61 notation to baseb2 notation, where D1and b2are arbitrary
positiveintegersgreater than one.
3. Convert from binary notation to hexadecimalnotation and vice versa.
4. Find the base (-2) notation of an integer from its decimal notation (seeproblem
6 ) .
5. Find the balanced ternary expansionof an integer from its decimal expansion
(seeproblem 8).
6. Find the Cantor expansionof an integer from its decimal expansion(seeproblem
1 4 ) .
7. Play a winning strategy in the game of nim (seeproblem l5).
8. Find the sequence
a, T(a), T(Tfu)), r(rOQ))),... definedin problem 16,
where a is a positiveinteger, to discoverhow many iterationsare neededto reach
6174.
9. Let b be a positiveinteger. Find the Kaprekar constant to the base b, when it
exists (seeproblem 17).

1.3 Representations
of Integers 33
1.4 ComputerOperationswith Integers
We have mentionedthat computersinternally representnumbers using bits,
or binary digits. Computers have a built-in limit on the size of integersthat
can be used in machine arithmetic. This upper limit is called the word size,
which we denote by w. The word size is usually a power of 2, such as 235,
although sometimesthe word sizeis a power of 10.
To do arithmetic with integerslarger than the word size, it is necessaryto
devote more than one word to each integer. To store an integer n ) l4/,we
expressn in basew notation, and for each digit of this_
expansionwe use one
computer word. For instance, if the word size is 23s, using ten computer
words we can store integers as large u, 23s0-1, since integers less than 2350
have no more than ten digits in their base 235expansions. Also note that to
find the base 235expansionof an integer, we need only group together blocks
of 35 bits.
The first step in discussingcomputer arithmetic with large integers is to
describehow the basicarithmetic operationsare methodicallyperformed.
We will describethe classicalmethods for performing the basic arithmetic
operationswith integersin baser notation where r ) | is an integer. These
methodsare examplesof algorithms.
Definition. An algorithm is a specified set of rules for obtaining a desired
result from a set of input.
We will describe algorithms for performing addition, subtraction, and
multiplication of two n-digit integers a : (an4on-z...egi, and
b: (bn-1br-z...brbo)r,where initial digits of zero are addedif necessary
to
make both expansionsthe same length. The algorithms described are used
both for binary arithmetic with integerslessthan the word sizeof a computer,
and for multiple precision arithmetic with integers larger than the word size
w, usinglr as the base.
We first discussthe algorithm for addition. When we add a and b, we
obtain the sum
a I b: 5 airt+'i u,rt: 5 Gi + b1)ri.
j-o j-0 j:o
To find the base r expansionof the a * b, first note that by the division
algorithm, there are integersCs and ss such that

34 The Integers
a o * b s : C s r * r 0 , 0 ( s o 1 r .
Because as and bo are positive integers not exceeding r, we know that
0 ( ao * bo( 2r - 2 , so that co:0 or l ;here c6 is thecany to the next
place. Next, we find that there are integersc1 and s1 suchthat
a r * b r t C o : C { t r r , 0 ( s 1 ( r .
Since0 ( art br * Co ( 2r - 1, we know that Cr:0or l. proceeding
inductively,wefindintegersC;
ands; for 1 ( i ( n - I by
ai * b; * Ci-r: Crr trr, 0 ( s; ( r,
with C;:0 or 1. Finally, we let sr: Cn; , sincethe sum of two integers
with n digits has n * I digits when there is a carry in the nth place. We
conclude
that the baser expansion
for the sum is a * b: (srsn_,...J1.ss)7
.
When performing base r addition by hand, we can use the same familiar
techniqueas is used in decimal addition.
Example.To add (1101)2
and (l0l l)2 we write
I I
1 l 0 l
+ 1 0 0 1
1 0 1 1 0
where we have indicated carries by I's in italics written abovethe appropriate
column. We found the binary digits of the sum by noting that I * I :
l ' 2 + 0 , 0 + 0 + 1 : 0 ' 2 * 1 , I + 0 f 0 : O ' 2 + l , a n d 1 + l : 1 . 2 * 0 .
We now turn our attention to subtraction. We consider
a - b :'; airi -'i u,rt: 5 Gi - b)ri,
j-o j-0 j-0
where we assumethat a ) b. Note that by the divisionalgorithm, there are
integers^Bsand ds such that
o s - b o : 8 6 r * d g , 0 ( d o ( r ,
and sinceas and bs are positiveintegerslessthan r, we have

1.4 ComputerOperationswith Integers 35
- ( r - l ) < a s - b o ( r - 1 .
When aobo ) 0, we have,86:0. Otherwise,
whenas- bo 10, we have
Bo: - 1;Bo is the borrow from the next placeof the baser expansionof a.
We usethe divisionalgorithm again to find integersB1 and d1 suchthat
a 1 - b t + B o : B { * d r . 0 < d 1 1 r .
From this equation, we seethat the borrow B r : 0 as
> 0, and Bt: -l otherwise,since -r ( ar - br
proceedinductively to find integersB; and d;, such that
ai - btf Bi-r : Bir t di. 0 ( di
long as a1 - bt + Bo
* B o ( r - l . W e
1 r
< t < n - 2. We seethatBn4: 0, since
a ) b.
a - b : (dnadn-2...d1ds),.
with B; :0 or -1, for I
We canconclude
that
When performing base r subtraction by hand, we use the same familiar
techniqueas is usedin decimal subtraction.
Example. To subtract (tot to)2from(t tot l)2,wehave
-t
llotl
-10110
101
where the -l in italics above a column indicates a borrow. We found the
binary digits of the difference by noting that 1 - 0 : 0'2 * l,
1 - l : 0 ' 2 * 0 , 0 - l : - 1 ' 2 + 1 , l - 0 - l : 0 ' 2 + 0 , a n d 1 - l :
0'2+ 0.
Before discussing multiplication, we describe shifting. To multiply
(on-r...aps)7 by r^ , we need only shift the expansion left m places,
appendingthe expansionwith m zerodigits.
Example. To multiply (tOtt01)2 by 2s, we shift the digits to the left five
placesand appendthe expansion
with five zeros,obtaining (10110100000)2.

36 The Integers
To deal with multiplication, we first discussthe multiplication of an n-place
integerby a one-digitinteger. To multiply (an_1...ori;, by (il,, we first
notethat
o o b : Q o r * p o , 0 ( p s ( r ,
and 0 ( qo ( r - l, since0 ( aob ( (r-1)2. Next, we have
a f t + Q o : Q f * p r , 0 ( p t 1 t ,
and 0 ( qt ( r-1. In general,
we have
a;b * 7i-r: Qir I pi, 0 ( p; -< r
and 0 ( gr ( r - 1. Furthermore, we have pn: Qn_r. This yields
(or-1...a
r,o), (b), : (pnpn-r...p
g.o)
,.
To perform a multiplication of two n-placeintegerswe write
( n - t ) n - t
ab:al>biril:)Gb)ri.
li-r ) i-o
For each -/, we first multiply a by the digit b;, then shift to the left 7 places,
and finally add all of the n integerswe have obtainedto find the product.
When multiplying two integerswith baser expansions,we use the familiar
method of multiplying decimal integersby hand.
Example. To multiply (l l0l)2 and (t t tO)2we write
l l 0 l
x 1 1 1 0
0000
I l0l
1l0l
l10l
l 0 l l 0 1 l
Note that we first multiplied (1101)2by each
time by the appropriate number of places,and
integersto find our product.
0
digit of (t t 10)t, shifting each
then we added the appropriate

1.4 Computer Operationswith Integers
We now discuss integer division.
division algorithm
We wish to find the quotient q in the
31
a : b q
If the baser expansionof q is q
(n-r
a-b l>
[r-o
This tells us that
(L
4 nn {.t"',
v t-"r
f
+ R, 0 < R < b.
: (Qn-rQn-2...Q
14o)
, , then we have
<b.
To determinethe first digit Qrq of q, notice that
a - bqn-1vn-t
: uf'i qjri)+R.
U-o )
The right-hand side of this equationis not only positive,but also it is lessthan
brn-t, since 2 qiri g rn-l-l. Therefore,we know that
j-0
0 ( a - bqn-(n-l < brn-t.
O: Tt,
-tn.'l
Qn-r: la/brn-rl'
and
f o r i : 1 , 2 , . . . ,n . B y
(r.s)
eiril +R,0<R
R o : a
R i : R i - r - b q n - t r n - i
mathematical induction, we show that
(n-i-t I
R i :
| > q i r t l b + R .
l j - 0 )
We can obtain Qn-r by successively
subtracting br"-l from a until a negative
result is obtained,and then qn-1is one lessthan the number of subtractions.
To find the other digits of q,, we define the sequenceof partial remainders
Ri by
For i : 0, this is clearly correct, sinceR0 : a : qb + R. Now assumethat

38 TheIntegers
R f t :
Then
Rt+r : Rft - bqn-*-rrn-k-l
(n-k-t .
'l
:
I U
q i r i l b + R - b q n - * - r v n - k - l
l. .r-o )
fn-(k+r)-r .l
:| > qi"lb+R'
I j - 0 )
establishing
(1.5).
From (t.S), we see that 0 ( Ri < rn-ib, for i : 1,2,...,fl, since
n - i - l
i-0
O ( Ri < rn-tb, we seethat the digit qn-i is given by lRi-r/brn-il and can
be obtained by successively
subtracting brn-t from Ri-1 until a negativeresult
is obtained,and then qn-; is one lessthan the number of subtractions.This is
how we find the digits of q.
Example.To divide(tttOl)2 by (ttt)2, we let q: (qrqrqir. We subtract
Z2(ttl)z : (t t tOO), once from (t t tOt)z to obtain (l)2, and once more to
obtaina negative
result,
sothat Q2: l. Now Rl : (tttOl)t - (ttt00)t:
(1)2. We find that ql:0, sinceR1 - 2(1ll)2 is lessthan zero,and likewise
Qz:0. Hencethe quotientof the divisionis (100)2and the remainderis (l)2
We will be interestedin discussinghow long it takes a computer to perform
calculations. We will measure the amount of time needed in terms of
bit operations. By a bit operation we mean the addition, subtraction, or
multiplicationof two binary digits,the divisionof a two-bit integerby one-bit,
or the shifting of a binary integer one place. When we describethe number of
bit operations needed to perform an algorithm, we are describing the
computational complexity of this algorithm.
In describing the number of bit operationsneededto perforrn calculations
we will usebig-O notation.

1.4 Computer
Operations
with Integers
Definition. If f and g are functions taking positivevalues,definedfor all x in
a set S, then we say f is OQ) if there is a positiveconstantK such that
f G) < Kg(x) for all x in the setS.
Proposition 1.6. If / is OQ) and c is a positiveconstant,then cf is Ok).
Proof . If / is Ok), then there is a constantK suchthat f G) < Kg(x) for
all x under consideration. Hence cf G) < GK)gG). Therefore, y' is
oQ). n
Proposition
1.7.lf ft is O(gr)andf2isOkz),then
"ft+-fzisOQftg2)
andfJzisoQe).
Proof . If / is OQr) and f2 is Okz), then there are constantsK1 and K2
such that -f ,(*) < ,<1g1(x) and "fz(x) 1 K2g2(x) for all x under
consideration.Hence
f 1G) +f2G) ( Krsr(x) + x2g2k)
( Kkr(x) + sz?))
whereK is the maximum of K1 and K2. Hencef r + -f zis Ok, + gz).
Also
-f tk)f z(.x) ( Krsr G) K2s2G)
: ( K r K 2 ) k t ? ) g 2 ( x ) ) ,
so that "ff zis 0(96). tr
Corollary 1.2. If /1 andf 2are OG), then-f r + -f zis Ok).
Proof . Proposition 1.7 tells us that "f t + f z is O QS). But if
f t +
"fz
( KQs), thenf t +
"fz
( (zx)g, so that -f r +.f zis Ok). a
Using the big-O notation we can see that to add or subtract two r-bit
integerstakes Ofu) bit operations,while to multiply two n-bit integersin the
conventionalway takes OGz) bit operations(seeproblems 16 and 17 at the
end of this section). Surprisingly, there are faster algorithms for multiplying
large integers. To develop one such algorithm, we first consider the
multiplication of two 2n-bit integers, say a : (a2n4a2n_2...eflo)zand
b : (b2,6b,2n-2...bfti2.
We write a :2nAt f 46 and b :2nBr t Bs, where
-l
39

40 The Integers
At: (a2r-1a2n*2...a1711e17)2,
Ao: (an-1an-2...apg)2,
Bt: (b2n-ft2r-z...bn+t
br)2,and B0 : (br-t bn-z...brbiz. We will usethe identity
(t.e) ab : (22,+2,)ArBrr 2n(ArAi(ao-nr) + (2,+l)AoB0.
To find the product of a and 6 using (t.0), requires that we perform three
multiplicationsof n-bit integers (namely ArBr (A, - Ad(Bo- Br), and
AsBs), as well as a number of additions and shifts. If we let M(n) denotethe
number of bit operationsneededto multiply two n -bit integers,we find from
(t.0) ttrat
(r.z)
(1.8)
M (2n)< ru h) + Cn.
where C is a constant,sinceeach of the three multiplications of n -bit integers
takes M (n) bit operations,while the number of additions and shifts neededto
compute a'b via (t.0) does not depend on n, and each of these operations
takes O (n) bit operations.
From (t.Z), using mathematical induction, we can show that
a(zk) ( c(3k -2k),
where c is the maximum of the quantities M Q) and C (the constant in
(t.Z)). To carry out the induction argument,we first note that with k: l,
we haveMQ) ( c(3t -2t) : c, sincec is the maximum of M(2) and C.
As the induction hypothesis,we assumethat
MQk) ( c(3ft - 2k).
Then,using(1.7),we have
M (zk+t) ( 3u (zk) + czk
( 3c(lt - 2k) + c2k
( cak+t_ c.3.2k* c2k
( c(3ft+l- zk+t).
This establishes
that (1.8) is valid for all positiveintegersft.
Using inequality (t.8), we can prove the following theorem.
Theorem 1.4. Multiplication of two n-bit integers can be performed using
O(nto9'3)bit operations. (Note: log23 is approximately 1.585, which is

1.4 Computer
Operations
with Integers
considerably less than the exponent 2 that occurs in the estimate of the
number of bit operations needed for the conventional multiplication
algorithm.)
Proof . From (t.8) we have
M h) : M (ztos'n)( lzlttloerl+t;
< , (3ttot'nl+t_rltoe'nl+t;
( 3c.rllogrn
I ( 3c.3losr,
:3rnto93
(since 3lo8'n: ,'ot").
Hence, Mh) : glnroe'3l. tr
We now state, without proof, two pertinent theorems. Proofs may be found
in Knuth [50] or Kronsjii tSgl.
Theorem 1.5. Given a positive number e ) 0, there is an algorithm for
multiplication of two n-bit integersusing O(nr+') bit operations.
Note that Theorem 1.4 is a specialcaseof Theorem 1.5 with e : log23- l,
which is approximately0.585.
Theorem 1.6. There is an algorithm to multiply two n-bit integers using
O(n log2nlog2log2n)bit operations.
Since log2n and log2log2nare much smaller than n' for large numbers n,
Theorem 1.6 is an improvement over Theorem 1.5. Although we know that
M h) : O (n log2n log2log2n),for simplicity we will use the obvious fact that
M fu) : O (n2) in our subsequent
discussions.
The conventionalalgorithm describedaboveperforms a division of a 2n-bit
integer by an n-bit integer with O(n2) bit operations. However, the number
of bit operationsneededfor integer division can be related to the number of
bit operations needed for integer multiplication. We state the following
theorem,which is basedon an algorithm which is discussed
in Knuth 1561.
Theorem 1.7. There is an algorithm to find the quotient q:Ia/bl, when
the 2n-bit integer a is divided by the integer b having no more than n bits,
using O(M Q)) bit operations, where M fu) is the number of
bit operationsneededto multiply two n-bit integers.
4l

42 TheIntegers
1.4 Problems
l . A d d ( l 0 l l l l 0 l l ) 2 a n d ( t t o o t l l 0 l l ) 2 .
2. Subtract(tot t l0l0l)2 from (1101101100)2.
3. Multiply (t t rOr), and (l10001)2.
4. Find the quotientand remainderwhen (t totoon l)2 is dividedby (1101)2.
5. Add (ABAB)16and (BABA)rc.
6. Subtract (CAFE)16 from (rnno)ru.
7. Multiply (FACE) 16and (BAD)rc.
8. Find the quotientand remainderwhen Gneono),u is dividedby (enn.n)ru.
9. Explain how to add, subtract,and multiply the integers18235187and 22135674
on a computer with word size 1000.
10. Write algorithms for the basic operations with integers in base (-2) notation
(seeproblem 6 of Section 1.3).
11. Give an algorithm for adding and an algorithm for subtracting Cantor
expansions(seeproblem l4 of Section 1.3).
12. Show that if f 1 and f 2 are O(St) and O(g2), respectively,and c1 and c2 are
constants,
then c;f1 * ,zf z is O(g1 * g).
13. Show that if f is O(g), thenfr it OQk) for all positiveintegersk.
14. Show that a functionf is O(log2n) if and only if f is O(log,n) wheneverr ) l.
(Hint: Recallthat logon/log6n: logo6.)
15. Show that the baseb expansionof a positiveinteger n has llog6nl+t digits.
16. Analyzing the algorithms for subtraction and addition, show that with n-bit
integerstheseoperationsrequire O h) bit operations.
17. Show that to multiply an n-bit and an m-bit integer in the conventionalmanner
requires OQm) bit operations.
18. Estimate the number of bit operationsneededto find l+2+ * n
il by performing all the additions.
b) by using the identity l+2* I n: nh+l)/2, and multiplying and
shifting.

1.4 Computer Operations with Integers
19. Give an estimatefor the number of bit operationsneededto find
["1
a) n'. b)
|.o,|
43
21.
20. Give an estimate of the number of bit operations needed to find the binary
expansionof an integer from its decimal expansion'
il Show there is an identity analogousto (1.6) for decimal expansions.
b) Using part (a), multiply 73 and 87 performing only three multiplications of
one-digit integers,plus shifts and additions.
c) Using part (a), reduce the multiplication of 4216 and 2733 to three
multiplications of two-digit integers, plus shifts and additions, and then
using part (a) again, reduce each of the multiplications of two-digit
integers into three multiplications of one-digit integers, plus shifts and
additions. Complete the multiplication using only nine multiplications of
one-digit integers,and shifts and additions.
il lf A and B are nxn matrices, with entries aii and bii for I ( i ( n,
I ( f ( n, then AB is the nxn matrix with entries cii :
2 ai*b*j.
Show that n3 multiplications of integers are used to find AB dir:;;ly from
its definition.
b) Show it is possible to multiply two 2x2 matrices using only seven
multiplications of integersby using the identity
o,rf lb,, D'tl
o,,) lr,, t,,)
r r b r r* a n b z t
* (as-a2)(bzz-bn) -
a22(b
r-bzr-b e*b22)
w h e r e
x : a r r b r ,- ( a t t - c t 2 r - a 2 ) ( b n - b p * b 2 ) .
c) Using an inductiveargument,and splitting 2nx2n matricesinto four nxn
matrices,show that it is possibleto multiply two 2k x2k matrices using only
7ft multiplications,and lessthan 7ft+radditions.
22.
lo,,
lazr
l"
I
l x
I
x I ( a 2 1
* a 2 2 ) ( b n - b , , )
+ l
(a rrla 12-a21-a22)b22
|
x * (an-azt)(brr-brr)
+ I
( a 2 1* a 2 ) ( b r z - b ' , - ) |

44
The Integers
matrices can be multiplied using
of the matrices have less than c
23. A dozen equals 12 and a gross equals 122. Using base 12, or duodecimal.
arithmetic answerthe following questions.
il If 3 gross, 7 dozen,and 4 eggs are removed from a total of l l gross and 3
dozen eggs,how many eggsare left?
b) If 5 truckloads of 2 gross, 3 dozen, and 7 eggs each are delivered to the
supermarket, how many eggswere delivered?
c) If I I gross, I 0 dozen and 6 eggsare divided in 3 groups of equal size,how
many eggsare in each group?
24. A well-known rule used to find the square of an integer with decimal expansion
(an-1...apJro with final digit ao:5 is to find the decimal expansionof the
product (anan-1...a)rcl(anan-r...ar)ro
* ll and append this with the digits
(25)ro. For instance, we see that the decimal expansionof (tOS)2 begins with
16'17:272, so that (165)2:27225. Show that the rule just describedis valid.
25. In this problem, we generalizethe rule given in problem 24 to find the squaresof
integers with final base28 digit 8, where I is a positiveinteger. Show that the
base 28 expansionof the integer (ana,-1...afl0)z,astarts with the digits of the
base 28 expansionof the integer (anana...aflo)zn l(anan-1...ap0)zn
* ll and
ends with the digits Bl2 and 0 when B is even, and the digits G-l)12 and.B
when I is odd.
l. Perform addition with arbitrarily large integers.
2. Perform subtractionwith arbitrarily large integers.
3. Multiply two arbitrarily large integersusing the conventionalalgorithm.
4. Multiply two arbitrarily laige integersusing the identity (1.6).
5. Divide arbitrarily large integers,finding the quotient and remainder.
6. Multiply two n xn matrices using the algorithm discussed
in problem 22.
d) Conclude from part (c) that two nxn
O(nt"c7) bit operationswhen all entries
bits, where c is a constant.

1.5 Prime Numbers 45
1.5 Prime Numbers
The positive integer I has just one positive divisor. Every other positive
integer has at least two positive divisors, becauseit is divisible by I and by
itself. Integers with exactly two positive divisors are of great importance in
number theory; they are calledprimes.
Definition. A prime is a positiveinteger greater than I that is divisible by no
positiveintegersother than I and itself.
Example. The integers2,3,5,13,101
and 163 are primes.
Definition. A positiveinteger which is not prime, and which is not equal to l,
is called composite.
E x a m p l e . T h e i n t e g e r s 4 : 2 ' 2 , 8 : 4 ' 2 , 3 3 : 3 ' 1 1 ,1 l l : 3 ' 3 7 , a n d
l00l : 7'll' 13 are composite.
The primes are the building blocksof the integers. Later, we will showthat
every positiveinteger can be written uniquely as the product of primes.
Here, we briefly discuss the distribution of primes and mention some
conjecturesabout primes. We start by showingthat there are infinitely many
primes. The following lemma is needed.
Lemma 1.1. Every positiveinteger greater than one has a prime divisor.
Proof . We prove the lemma by contradiction; we assume that there is a
positive integer having no prime divisors. Then, since the set of positive
integers with no prime divisors is non-empty, the well-ordering property tells
us that there is a least positiveinteger n with no prime divisors. Since n has
no prime divisors and n divides n, we seethat n is not prime. Hence, we can
write n:ab with I 1 a 1 n and | < b 1 n. Becausea 1 n. a must have
a prime divisor. By Proposition 1.3, any divisor of a is also a divisor of n, so
that n must have a prime divisor, contradicting the fact that n has no prime
divisors. We can conclude that every positive integer has at least one prime
divisor. tr
We now show that the number of primes is infinite.
Theorem 1.8. There are infinitely many primes.

46 The Integers
Proof . Considerthe integer
Q n : n t t l , n 2 l .
Lemma 1.1. tells us that Q, has at least one prime divisor, which we denote
by gr. Thus, q, must be larger than n; for if 4, ( n, it would follow that
QnI n!, and then, by Propositionl.!, Q, | (er-rr) : l, which is impossible.
Since we have found u priJ.''lur*r, tt* r, for every positive integer n,
there must be infinitely many primes. tr
Later on we will be interestedin finding, and using, extremely large primes.
We will be concernedthroughout this book with the problem of determining
whether a given integer is prime. We first deal with this question by showing
that by trial divisionsof n by primes not exceedingthe square root of n, we
can find out whether n is prime.
Thedrem 1.9. If n is a composite integer, then n has a prime factor not
exceeding..1n.
Proof . Since n is composite, we can write n : ab, where a and b are
integers with | 1a ( D < n. we must have a 4 r/i, since otherwise
b 7 a > ,/; and ab > '/i.,/i : n. Now, by Lemma I.l, a must have a
prime divisor, which by Proposition 1.3 is also a divisor of a and which is
clearly lessthan or equal to ,/i . D
We can use Theorem 1.9 to find all the primes lessthan or equal to a given
positive integer n. This procedure is called the steveof Eratosthenes. We
illustrate its use in Figure 1.2 by finding all primes lessthan 100. We first
note that every compositeinteger lessthan 100 must have a prime factor less
than J00-: 10. Sincethe only primes lessthan l0 are 2,3,4,and 7, we only
need to check each integer lessthan 100 for divisibility by these primes. We
first cross out, below by a horizontal slash -, all multiples of 2. Next we
crossout with a slash / those integersremaining that are multiples of 3.
Then all multiples of 5 that remain are crossedout, below by a backslash.
Finally, all multiples of 7 that are left are crossedout, below with a vertical
slashl. ntt remaining integers(other than l) must be prime.

1.5 PrimeNumbers 41
+7+,/-1€-
+#17+h19+
+/*2e-3o-
3? 37 +S- 2{ {'F
1? 47 +F + {o-
+G .yr -5S- 59 -6F
<G 67 +h t{ 1+
I
-7G
T
-?& 7e -8€-
-8fi
"Yr +h 89 ++
9t 9j -9t- .y +OF
t23+
ll ++ 13 l+-
2{-*23+g-.
3l+2Ii+
4r+43 1+
>{+*s3*r-
61 4*tr#
7t+73.+
y{ t.> 83 't{=
I
tlt +> 2< +
5
yr
X

,{

r

Figure1.2. Finding
thePrimes
Less
Than100UsingtheSieve
of Eratosthenes.
Although the sieveof Eratosthenes
produces
all primeslessthan or equalto
a fixed integer,to determinewhether a particular integer n is prime in this
manner,it is necessary
to checkn for divisibility by all primesnot exceeding
G. This is quite inefficient;later on we will havebettermethodsfor deciding
whetheror not an integeris prime.
We know that there are infinitely many primes,but can we estimatehow
many primes there are lessthan a positivereal number x't One of the most
famous theorems of number theory, and of all mathematics, is the
prime number theorem which answersthis question. To state this theorem,
we introducesomenotation.
Definition. The functionr(x), wherex is a positivereal number,denotesthe
numberof primesnot exceeding
x.
Example. From our exampleillustratingthe sieveof Eratosthenes,
we seethat
o(tO): 4 andzr(tOO)
:25.
We now statethe prime numbertheorem.
The Prime NumberTheorem. The ratio of zr'(x)to x/log x approaches
one as
x growswithout bound. (Here log x denotesthe natural logarithm of x. In
thelanguage
of limits,we have lim zr(x)/+: l).
. I O B X

48
The Integers
The prime number theorem was conjecturedby Gauss in 1793,but it was
not proved until 1896, when a French mathematician J. Hadamard and a
Belgian mathematician C. J. de la Vall6e-Poussin produced independent
proofs. We will not prove the prime number theorem here; the varioui proofs
known are either quite complicated or rely on advanced mathematics. In
Table I .l we give some numerical evidence to indicate the validitv of the
theorem.
x rG) x /log x oG)/*
log x
ti G) r(x) /ti G)
103
104
105
106
107
108
l0e
l0l0
l 0 rI
l0l2
t0l3
168
t229
9592
78498
664579
5761455
50847534
455052512
4r18054813
37607912018
346065535898
144.8
1085.7
8685.9
72382.4
620420.7
5428681.0
48254942.4
43429448r.9
39481
31663.7
36191206825.3
t34072678387.r
1 . 1 6 0
1.132
l.104
1.085
1.071
1.061
1.054
1.048
1.043
r.039
1.036
1 7 8
-r 1246
9630
78628
664918
5762209
5084923s
45505561
4
4 1 1 8 1 6 5 4 0 1
3760795028r
34606564s8
10
0.9438202
0.9863563
0.9960540
0.9983466
0.9998944
0.9998691
0.9999665
0.9999932
0.999973r
0.9999990
0.9999997
Tablel.l. Approximations
to rG).
x'A"x
The prime number theorem tells us that x /log x is a good approximation to
rG) when x is large. It has beenshownthat an evenbetter approximationis
given by
ld'i,
)':*4{ =1
I ' {-/d X/V614
- L
tiG) :T O,
", log I
(whe--T d, -^^-,
," J,
"*
represents
theareaunderthecurve
y : lfiog t, andabove
the r-axis from t :2 to / : x). In Table l.l, one seesevidencethat /i(x) is
an excellentapproximationof zr(x).
frtaft.1',
I'^ nd r l'^- -L- =O
v r ylr 3
-
x4G ltlx
J

1.5 PrimeNumbers 49
We can now estimate the number of bit operationsneededto show that an
integer n is prime by trial divisionsof n by ail primes not exceeding',,6-. The
prime number theorem tells us that there are approximately
',/n
fioeJ; : 2-/i /log n primes not exceeding-6. To divide n by an integer
m takes O(log2n.log2m) Uit operations. Therefore, the number of bit
operations needed to show that n is prime by this method is at least
Q,/i/togilG log2n) - r,/i (where we have ignored thelog2m term sinceit
is at least l, eventhough it sometimesis as large as (log2n)/D . This method
of showing that an integer n is prime is very inefficient, for not only is it
necessary
to know all the primes not larger than ..li, but it is also necessary
to
do at least a constant multiple of ,/i bit operations. Later on we will have
more efficientmethodsof showingthat an integer is prime.
We remark here that it is not necessaryto find all primes not exceedingx
in order to compute zr(x). One way that zr(x) can be evaluated without
finding all the primes lessthen x is to use a counting argument basedon the
sieve of Eratosthenes (see problem l3). (Recently, very efficient ways of
finding r(x) using O (x3/s+c)bit operationshave beendevisedby Lagarias and
Odlyzko t6ql.)
We have shown that there are infinitely many primes and we have discussed
the abundanceof primes below a given bound x, but we have yet to discuss
how regularly primes are distributed throughout the positiveintegers. We first
give a result that shows that there are arbitrarily long runs of integers
containingno primes.
Proposition 1.8. For any positive integer n, there are at least n consecutive
compositepositiveintegers.
Proof. Considerthe n consecutivepositiveintegers
h + l ) ! + 2 , ( n + 1 ) !+ 3 , . . . , h+ l ) ! + n t l .
W h e n 2 < j ( n * l , w e k n o w t h a t T l ( n + l ) ! . B y P r o p o s i t i o n
1 . 4 ,i t
follows that 7 | (, + t)! +;. Hence, these n consecutiveintegers are all
composite. tr
Example. The sevenconsecutiveintegers beginning with 8! + 2 : 40322 are
all composite. (However, these are much larger than the smallest seven
consecutive
composites,
90, 91, 92, 93, 94, 95, and 96.)

50 TheIntegers
Proposition1.8 showsthat the gap betweenconsecutive
primes is arbitrarily
long. On the other hand, primes may often be close iogether. The only
consecutive
primes are 2 and 3, because2 is the only even prime. Howevei,
many pairs of primes differ by two; these pairs of pri-., are called
twin primes. Examplesare the primes5 and 7,ll and 13, l0l and 103,and
4967 and 4969. A famous unsettledconjectureassertsthat there are infinitelv
many twin primes.
There are a multitude of conjecturesconcerningthe number of primes of
variousforms. For instance,it is unknown whether there are infinitlly many
primesof the form n2 + | wheren is a positiveinteger. Questionssuchas this
may be easyto state,but are sometimesextremelydifficult to resolve.
We conclude this section by discussing perhaps the most notorious
conjectureabout primes.
Goldbach'sConjecture. Every even positive integer greater than two can be
written as the sum of two primes.
This conjecturewas stated by Christian Goldbach in a letter to Euler in
1742. It has beenverified for all even integerslessthan a million. One sees
by experimentation,
as the followingexampleillustrates,that usuallythere are
many sumsof two primes equal to a particular integer,but a proof that there
always is at least one such sum has not yet beenfound.
Example. The integers 10,24,and 100 can be written as the sum of two
primesin the followingways:
l0:3+7:5t5,
24:5+lg:7+17:llf13,
100:3+97:ll*gg:17+93
:29*71:41+59:47+53.
1.5 Problems
l. Determine
whichof the followingintegers
areprimes
a)
b)
l 0 l
1 0 3
c)
d)
l07
l l l
e ) I 1 3
f) tzt.

1.5 PrimeNumbers
Use the sieveof Eratosthenesto find all primes lessthan 200'
Find atl primes that are the differenceof the fourth powersof two integers.
Show that no integerof the form n3 * I is a prime,other than 2: 13+ l.
Show that if a and n are positive integers such that an-l is prime, then a : 2
and n is prime. (Hint: Use the identity ake-l : Qk-D (aka-t +
akQ-D+ + ak+l) .
In this problem, another proof of the infinitude of primes is given. Assume there
are only finitely many primes p r,Pz,...,Pn Form the integer
Q: prpz ... pn * l. Show that Q has a prime factor not in the abovelist.
Concludethat there are infinitely many primes.
Let Qn : ptpz " ' pn t l where Pt,Pz,...,Pn are the n smallest primes.
Determine the smallest prime factor of Q^ for n:1,2,3,4,5, and 6. Do you
think Q, is prime infinitely often? (tnis is an unresolvedquestion.)
Let pt,p2,...,pnbe the firstn primesand let m be an integerwith I 1m 1n.
Let Q be the product of a set of z primes in the list and let R be the product of
the remaining primes. Show that Q + R is not divisible by any primes in the
list, and hence must have a prime factor not in the list. Conclude that there are
infinitely many primes.
Show that if the smallest prime factor p of the positive integer n exceedsd6
then n/p must be prime or 1.
il Find the smallestfive consecutivecompositeintegers.
b) Find one million consecutivecompositeintegers.
Show that there are no "prime triplets",i.e. primesp, p + 2, and p + 4, other
than 3,5, and 7.
12. Show that every integer greater than 11 is the sum of two compositeintegers.
5 1
2.
3.
4.
5 .
6.
7 .
8 .
9.
10.
I l .
13. Use the principleof inclusion-exclusion
(problem 17 of Section1.1) to showthat
l-l . +l-ll
lp,I lp,l)
o(n):(o(.6-)-r)
- n
tl*
l*l .l*l . +lrnl
wherept,pz,...,p,
are the primeslessthan or equalto ^6 (with r:zr<Jill.
(Hint: Let propertyPi,,...,i,
be the propertythat an integeris divisibleby all of

Pi,,...,pi,,
and useproblem23 of Section 1.2.)
14. Use problem l3 to find zr(250).
15' il show that the polynomial x2 - x * 4l is prime for all integers x with
0 ( I < 40. Show, however,that it is compositefor x : 4i.
b) Show that if f (x) : onxn + an-,x;-t + * a1x r as where the
coefficientsare integers,then there is an integer y such that f(y) is composite.
(Hint: Assume that f(x) :p is prim., unJsho* p dividesf (x+kfl for ail
integersft ' conclude from the faci that a polynomial of degreez takes on each
value at most n times, that there is an integery suctr thatf(y) is composite.)
16' The lucky numbers are generated by the following sieving process. Start with
the positive integers. Begin the processby crossingout every secondinteger in
the list' starting your count with the integer t. other than I the smallestinteger
left is 3, so we continue by crossing out every third integer left, starting the
count with the integer l. The next integer left is 7, so we crossout every seventh
integer left. Continue this process,where at each stage we cross out every kth
integer left where & is the smallestinteger left other than one. The integersthat
remain are the lucky numbers.
a) Find all lucky numbers lessthan 100.
b) show that there are infinitery many rucky numbers.
coefficient
[;]
,,
52 The Integers
17. Show that if p is prime and I ( t ( p, then the binomial
divisibleby p.
l ' Decide whether an integer is prime using trial division of the integer by all
primes not exceedingits squareroot.
2. Use the sieveof Eratosthenesto find all primes lessthan 10000.
3' Find zr(n), the number of primeslessthan or equal to rz,usingproblem 13.
4. verify Goldbach'sconjecturefor all evenintegerslessthan 10000.
5. Find all twin primes lessthan 10000.
6. Find the first 100 primes of the form n2 + l.
7. Find the lucky numberslessthan 10000 (seeproblem 16).

Greatest
Common
Divisors
and PrimeFactorization
2.1 Greatest
Common
Divisors
If a and b are integers,that are not both zero, then the set of common
divisorsof a and6 is a finite setof integers,alwayscontainingthe integers*l
and -1. We are interestedin the largestintegeramongthe commondivisors
of the two integers.
Definition. The greotest common divisor of two integers a and b, that are
not both zero,is the largestintegerwhich dividesboth a and b.
The greatestcommondivisorof a and b is written as (a, b).
Example.The commondivisorsof 24 and 84 are t l, J.2,+3, 1.4,t6, and
+ 12. Hence Q+, g+) : 72. Similarly, lookingat setsof commondivisors,we
f i n dt h a t( 1 5 , 8 1 ): 3 , ( 1 0 0 , 5 ) : 5 , ( I 7 , 2 5 ): l , ( 0 , 4 4 ): 4 4 , ( - 6 , - 1 5 ) : 3 ,
and (-17, 289): 17.
We are particularly interestedin pairs of integers sharing no common
divisorsgreaterthan l. Such pairsof integersare calledrelatively prime.
Definition. The integersa and b are called relatively prime if a and b have
greatestcommondivisor (a, b) : l.
Example.SinceQ5,42) : 1,25 and42 are relativelyprime.
53

54 GreatestCommonDivisorsand primeFactorization
Note that since the divisorsof -c are the same as the divisorsof a, it
follows that (a, b) : (lal, la ll (where lc I denotesthe absolutevalue of a
which equalsa if a )0 and equals-a if a <0). Hence,we can restrict our
attentionto greatestcommondivisorsof pairsof positiveintegers.
We now provesomeproperties
of greatestcommondivisors.
Proposition 2.1. Let a, b, and c be integerswith G, b) : d. Then
(;) b/d, bld) : I
(ii) (atcb, b) : (a, b).
Proof. (D Let a and b be integerswith (a,b) : d. we will show that a/d
and b/d haveno commonpositivedivisorsother than 1. Assumethat e is a
positiveintegersuchthat e I Q/d) ande I Qtal. Then, there are integersk
and I with ald : ke andb/d :Qe, suchthat a : dek andb : de[. Hence.
de is a commondivisor of a and b. Sinced is the greatestcommondivisor of
o andb,e must be l . Consequently,
G /d , b/d) : l.
(ii) Let a, b, andc be integers. We will showthat the commondivisorsof a
and b are exactly the sameas the commondivisorsof a t cb and b. This
will showthat (a*cb , b) : G, b). Let e be a commondivisor of a and b .
By Proposition1.4,we seethat e I b*cb), so that e is a commondivisorof
a * cb and 6. It,f is a commondivisorof a * cb andb, then by Proposition
1.4,we seethat/ dividesb+cb) - cb : a, so thatf is a commondivisorof
a andb. HenceG*cb, b) : (a, b'). a
We will showthat the greatestcommondivisor of the integersa and b, that
are not both zero,can be written as a sum of multiplesof a andb. To phrase
this moresuccinctly,we usethe followingdefinition.
Definition. If a and b are integers,then a linear combination of a and b is a
sum of the form ma * nD, where both rn and,n are integers.
We can now state and prove the following theorem about greatestcommon
divisors.
Theorem 2.1. The greatestcommon divisor of the integersa and b, that are
not both zero,is the leastpositiveinteger that is a linear combinationof a and
b .
Proof. Let d be the least positiveinteger which is a linear combination of a
and b. (There is a least such positive integer, using the well-ordering
property, since at least one of two linear combinations l'a t 0'b and

2,1 GreatestCommonDivisors 55
GDa + 0'b,where
a 10, ispositive.)
Wewrite
rz.rlR==r*
?
d:ma*nb,
wherem andn arepbft@integers.Wewillshow thatd la andd lb.
By the divisionalgorithm,we have
a : d q * r , 0 ( r < d .
From'n"'o:'1'::^r:
:' ;: ;';::,b) : e-qm)a - qnb
This showsthat the integer r is a linear combinationof a and D. Since
0 ( r 1d, and d is the least positivelinear combinationof a and b, we
concludethat r : 0, and henced I o. In a similar manner,we can showthat
d I b.
We now demonstrate
that d is the greatestcommondivisorof a andb. To
showthis, all we needto showis that any commondivisorc of a and D must
d i v i d e d . S i n c e
d : m a * n b , i f c l a a n d c l b , P r o p o s i t i o nl . 4 t e l l s u s t h a t
c I d. tr
We haveshownthat the greatestcommondivisor of the integersa and b,
that are not both zero. is a linear combinationof a and b. How to find a
particular linear combinationof a and D equal to G, D) will be discussed
in
the next section.
We can alsodefinethe greatestcommondivisorof morethan two integers.
Definition. Let e1,e2,...,en be integers, that are not all zero. The
greatest common divisor of these integers is the largest integer which is a
divisor of all of the integers in the set. The greatest common divisor of
at, a2,...,
c, is denoted
by (a1,a2,,...,
an).
Example.We easilyseethat 02, 18,30) :6 and (10, 15,25) : 5.
To find the greatestcommondivisorof a set of more than two integers,we
can usethe followinglemma.
L,emma2.1. If a1,a2,...,
an are integers, that are not all zero, then
(a1, a2,..., an-1, an) : (a1, a2r..., (on-r, a)).
Proof. Any common divisor of the n integers ar, e2,...,en_t,en is, in
particular, a divisor of ar-1 and an, and therefore,a divisor of (an_1,an).

56 GreatestCommonDivisorsand PrimeFactorization
Also, any commondivisorof the n-2 integers4 t, a2,...,on_2,and (an_1,an),
must be a commondivisorof all n integers,for if it divides(on-r, an),it must
divide both cr-1 and an Since the set of n integersand the set of the first
n-2 integers together with the greatest common divisor of the last two
integershave exactly the same divisors,their greatestcommon divisors are
equal. tr
Example. To find the greatest common divisor of the three integers
105,140,and 350, we use Lemma 2.1 to see that (105,140.350) :
( 1 0 5 ,( 1 4 0 , 3 5 0 ) )
: ( l 0 5 , 7 0 ): 3 5 .
Definition. We say that the integers a1.e2,...,
e1 are mutually relatively
prime if (a1,e2,...,an) : l. These integers 4re called pairwise relatively
prime if for eachpair of integers
4; and a; from the set, (ai, a1): l, that is,
if eachpair of integersfrom the setis relativelyprime.
It is easyto seethat if integersare pairwiserelativelyprime, they must be
mutually relatively prime. However, the converseis false as the following
example
shows.
Example.Consider
the integers15,21, and 35. Since
(15,2r,35):
(ts,(2t,35)):(r5,7): r,
we seethat the three integersare
are not pairwiserelatively prime,
( 2 1 , 3 5 ) : 7 .
mutually relatively prime. However,they
b e c a u s e
( t S .z l ) : 3 , ( 1 5 , 3 5 ): 5 , a n d
2.1 Problems
l. Find the greatestcommondivisorof eachof the followingpairsof integers
i l 1 5 , 3 5
b ) 0 , l l l
c) -12. t8
d) 99,100
e ) 1l , l 2 l
f) 100,102
4.
Showthat if a andb areintegers
with (a, b) : l, then (a*b, a-b) : I or 2.
Show that if a and b are integers,that are not both zero, and c is a nonzero
integer,
then (ca, cb) : lclb, b.
What is (a2+b2,a*b), wherea and b arerelativelyprime integers,that are not
both zero?

2.1 GreatestCommonDivisors
Periodicalcicadasare insectswith very long larval periodsand brief adult lives.
For each speciesof periodical cicada with larval period of 17 years, there is a
similar species
with a larval periodof 13 years. If both the l7-year and l3-year
speciesemergedin a particular location in 1900, when will they next both
emergein that location?
a) Show that if a and b are both even integers,that are not both zero, then
(a,b) : 2fu
/2,b/2).
b) Show that if a is an even integer and b is an odd integer, then
G, b : G12,
b).
Showthat if a,b, andc areintegers
suchthat G,b): I and c I G*b), then
k , a ) : ( c , D ) - L
il Show that if a,b, and c are integerswith b,b): (a, c) : l, then
(a, bc) : L
b) Usemathematical
inductionto showthat if at, a2,...,anare integers,
and b is
another integer such that (ar b) : (az,b) : : (on,b) - l, then
( a p 2 ' ' o n ,b ) : l .
Showthat if a, b,and c areintegers
with c I ab, thenc | (a, c) (b, c).
a) Show that if a and b arepositiveintegerswith (a, b) : l, then (an, bn) : I
for all positiveintegersn.
b) Use part (a) to provethat if a and b are integerssuchthat a' I bn wheren
is a positiveinteger,then c I b.
Show that if a, b and c are mutually relatively prime nonzerointegers,then
G , b d : ( a , b ) ( a , c ) ,
Find a set of three integersthat are mutually relativelyprime, but not relatively
prime pairwise. Do not useexamples
from the text.
Find four integersthat are mutually relativelyprime, such that any two of these
integersare not relativelyprime.
Find the greatestcommondivisorof eachof the followingsetsof integers
a) 8, lo, 12
b ) 5 , 2 5 , 7 5
c) 99,9999,0
d ) 6 ,1 5 , 2 1
e) -7,28, -35
f) 0,0, l00l .
Find three mutually relatively prime integers from among the integers
66, 105,42,70,and 165.
Show that ar, a2,...,
an are integersthat are not all zero and c is a positive
integer,then (cat, caz,...,
can)- c(a6 a2...,an).
57
5.
6.
7.
8.
9.
10.
l l .
T2,
1 3 .
14.
1 5 .
1 6 .

58 Greatest Common Divisors and Prime Factorization
Show that the greatestcommondivisorof the integersat, o2,...,an, that are not
all zero,is the leastpositiveintegerthat is a linear combinationof a t, at,...,an.
Show that if k is an integer, then the six integers 6k-l, 6k +l ,
6k+2, 6k +3, 6k+5, are pairwise
relatively
prime.
Showthat if k is a positiveinteger,then 3k *2 and 5k+3 are relativelyprime.
t7.
r8.
r9.
20.
2t.
Show that every positiveinteger greater than
prime integers
greater than I .
a) Show that if a and b are relatively
(a'-b^)l(a-b).a-b) : I or n.
six is the sum of two relativelv
prime positive integers, then
b) Showthat if o andb arepositive
integers,
then((an-b'/G-b), a-b) :
(n(a,b)r-t,a-b).
2.1 Computer
Projects
l. Writea program
to findthegreatest
common
divisor
of twointegers.
2.2TheEuclidean
Algorithm
We are going to developa systematicmethod, or algorithm, to find the
greatestcommondivisor of two positiveintegers. This method is called the
Euclideanalgorithm. Before we discuss the algorithm in general, we
demonstrate
its usewith an example. We find the greatestcommondivisorof
30 and 72. First,we usethe divisionalgorithmto writeT2:30'2 + 12,and
we use Proposition
2.1 to note that $0,7D: (30,72- 2.30) : (10,t2).
Another way to seethat (J,0,7D: (30, 12) is to noticethat any common
divisor of 30 and 72 must also divide 12 because12 : 72 - 30'2. and
conversely,
any common divisor of 12 and 30 must also divide 72, since
72:30'2+ 12. Note we havereplaced
72by the smallernumber12 in our
computations
since02,30): (30, l2). Next, we usethe divisionalgorithm
againto write 30 : 2'12+ 6. Using the samereasoning
as before,we seethat
(30,12) : (12,6). Because 12: 6'2 * 0, we now see that
02, O : (6, 0) : 6. Consequently,
we can conclude that (72,30) : 6,
without findingall the commondivisorsof 30 and 72.
We now setup the generalformat of the Euclideanalgorithmfor computing
the greatestcommondivisorof two positiveinteger.
The EuclideanAlgorithm. Let rs : a and r r : b be nonnegative
integerswith
b I 0. If the division algorithm is successivelyapplied to obtain
ri: ri+tQi*,I ri+2 with 0 1 ri+2 1ri+t for 7 :0,1,2,...,n-2 and r, :0,
ot=bt *f^ O<rr<b

2.2 The EuclideanAlgorithm
then (a, b) -- r,-1, the last nonzeroremainder.
From this theorem,we seethat the greatestcommondivisor of c and b is
the last nonzero remainder in the sequenceof equations generated by
successively
usingthe divisionalgorithm,whereat eachstep,the dividendand
divisorare replacedby smallernumbers,namelythe divisorand remainder.
To provethat the Euclideanalgorithm producesgreatestcommondivisors,
the followinglemmawill be helpful.
Lemma 2.2. If c and d are integersand c : dq * r where c and d ate
integers,
then (c, d) : (d, r).
Proof. If an integere dividesboth c andd, then sincer : c-dq, Proposition
1 . 4 s h o w st h a t e l r . I f e l d a n d e l r , t h e n s i n c ec : d q l r , f r o m
Proposition1.4,we seethat e I c. Sincethe commondivisorsof c and d are
the sameasthe commondivisors
of d andr, we seethat k, d) : (d, r). tr
We now provethat the Euclideanalgorithmworks.
Proof. Let r0: e and rr : b be positive integers with a 7 b. By
successively
applyingthe divisionalgorithm,we find that
59
f g : r t Q t * r Z
f y : r 2 Q 2 * r t
tn-3
f n-2
I n-l
: fn-2Qn-Z * fn-t 0
: fn-lQn-t * fn 0
: lnQn
( rr-r
( r ,
a remainder of zero since the
) 0 cannot contain more
(a, b) : (rs,r1) : (rl, rz) :
rr) : (rr,0) : rn. Hence
0<
0<
r 2
r 3
We can assumethat we eventuallyobtain
sequence
of remainders
a: rolr1>. 12>.
than c terms. Bv Lemma 2.2. we seethat
(rr., r)
(a,b) :
(rn-r, fn-t) : (rr-r,
We illustratethe useof the Euclideanalgorithm with the followingexample.
Example. To find (252, 198), we use the division algorithm successively
to
obtain
r-. the last nonzeroremainder. tr

2 5 2 : l . 1 g g+ 5 4
1 9 8 : 3 ' 5 4 + 3 6
5 4 : 1 ' 3 6 + 1 8
36 : 2.18.
HenceQSZ. 198): 18.
Later in this section, we give estimates for the maximum number of
divisionsused by the Euclidean algorithm to find the greatestcommon divisor
of two positiveintegers. However,we first show that given any positiveinteger
n, there are integersa and b suchthat exactlyn divisionsare requiredto find
G, b) using the Euclideanalgorithm. First, we define a specialsequence
of
integers.
Definition. The Fibonacci numbers ur, u2, u3,... are defined recursively by
theequations
a t: u2: I and un: un-t * un-2forn 2 3.
Using the definition, we see that u3: tt2* yt: I t | : 2, u3l u2
: 2 * I : 3, and so forth. The Fibonaccisequence
beginswith the integers
1 , 1 , 2 , 3 , 5 , 8 1 3 , 2 1 , 3 4 , 5 5 ,8 9 , I 4 4 , . . . . E a c hs u c c e e d i n g
t e r m i s o b t a i n e d
by adding the two previousterms. This sequenceis named after the thirteenth
century ltalian mathematicianLeonardodi Pisa,alsoknown as Fibonacci,who
used this sequenceto model the population growth of rabbits (seeproblem 16
at the end of this section).
In our subsequentanalysisof the Euclidean algorithm, we wil! need the
following lower bound for the nth Fibonaccinumber.
Theorem 2.2. Let n be a positive integer and let cu: (l+-.8) /2. Then
u n l a n - 2 f o r n 7 3 .
Proof. We use the secondprinciple of mathematical induction to prove the
desired inequality. We have a 1 2: u3, so that the theorem is true for
n : 3 .
Now assumethat for all integersk with k 4 n, the inequality
ok-2 1 ut
holds.
Sincea : (l+rfr/2 is a solutionof x2 -x - I : 0, we havea2: a * l.
Hence,
otn-l : o2.on-3: (a*l).ar-3 : s1n-2 * an-3

2.2 The Euclidean Algorithm
By the induction hypothesis,we havethe inequalities
an-2 < un, otn-31 un-t ,
Therefore,we concludethat
o r ' - l l u n * u n - l - u n * l
This finishesthe proof of the theorem. tr
We now apply the Euclidean algorithm to the successive
Fibonaccinumbers
34 and 55 to find (34. 55). We have
5 5 : 3 4 ' l + 2 1
3 4 : 2 1 ' l + 1 3
2 l : l 3 ' l + 8
1 3 : 8 ' 1 + 5
8 : 5 ' 1 * 3
5 : 3 ' l * 2
3 : 2 ' l * I
2 : l ' 2 .
We observe that when the Euclidean algorithm is used to find the greatest
common divisor of the ninth and tenth Fibonacci numbers, 34 and 55, a total
of eight divisions are required. Furthermore, (34, 55) : 1. The following
theorem tells us how many divisionsare neededto find the greatestcommon
divisor of successive
Fibonaccinumbers.
Theorem 2.3. Let unrr and unt2 be successiveterms of the Fibonacci
sequence.Then the Euclideanalgorithm takesexactly n divisionsto show that
(un*r, ura2): l.
Proof. Applying the Euclidean algorithm, and using the defining relation for
the Fibonaccinumbers ui : uj-r I ui-z in each step,we seethat
l l n * 2 : U n * t ' l t U n ,
U n * l : U n ' l + U n - 1 ,
L t 4 : u 3 ' 1 * u 2 '
It3 : tt2'2.
Hence, the Euclidean algorithm takes exactly n divisions, to show that
(unq2,tlnqr): uz - l. E
6 1

We can now prove a theorem first proved by Gabriel Lame', a French
mathematician of the nineteenth century, which gives an estimate for the
number of divisions needed to find the greatest common divisor using the
Euclideanalgorithm.
Lam6's Theorem. The number of divisionsneededto find the greatestcommon
divisor of two positive integersusing the Euclidean algorithm doesnot exceed
five times the number of digits in the smaller of the two integers.
Proof. When we apply the Euclidean algorithm to find the greatest common
divisorof a : re and b :r 1 with a ) b, we obtain the following sequence
of
equations:
fn-2 : fn-tQn-t * rr, 0 ( rn 1 rn-t,
fn-l : tnQn,
We have used n divisions. We note that each of the quotientsQt, Q2,...,
Qn-l
is greaterthan or equalto l, and Qn 7 2, sincern 1rn-1. Therefore,
r r 2 l : u r ,
rn-t 2 2rn 2 2u2: u3,
rn-z 2 rn-t * rn 2 ut * u2: u4,
rn-l 2 rn-z * rn-t 2 uq * u3: tt5,
f g : r t Q t * r Z ,
f 1 : r Z 4 Z * r t ,
r z ) 1 3 * 1 4
b:'r2rz
0(rz1rr,
0 ( 1 3 1 r z ,
7 unq * un-z: u*
* rt 7 un * un-t : un+l
Thus, for there to be n divisions used in the Euclidean algorithm, we must
haveb 7 un+r. By Theorem 2.2, we know that unay ) qn-r for n ) 2 where
a: (l+.,8)/2. Hence,b ) an-r. Now, sinceloglsa > 1/5, we seethat
logrqb> h-l)loglsa > (CI-l)/5.
Consequently,
n - l ( S ' l o g l e b .

2.2 The Euclidean Algorithm 63
Let b havek decimal{igits, so that b < 10ftand loglsb < k. Hence,we see
that n - I < 5k and since /c is an integer,we can concludethat n < 5k.
This establishes
Lam6'stheorem. tr
The followingresultis a consequence
of Lam6'stheorem.
Corollary 2.1. The number of bit operationsneeded to find the greatest
common
divisor
oftwopositive
integers
a and, yy
ir;;i.:f$;:ri?',
Proof. We know from Lam6's theorem that O Qogra) divisions,each taking
O(log2a)2) bit operations,
are neededto find fu, b). Hence, by Proposition
1.7, (a, b) may be found usinga total of O((log2a)3)bit operations.D
The Euclideanalgorithmcan be usedto express
the greatestcommondivisor
of two integersas a linear combinationof theseintegers. We illustrate this by
expressing
(252, 198) : l8 as a linear combinationof 252and 198. Referring
to the stepsof the Euclideanalgorithm usedto find (252, 198), from the next
to the last step,we seethat
1 8 : 5 4 - l ' 3 6 .
From the secondto the last step,it followsthat
which impliesthat
Likewise,from the
so that
36:198-3'54,
18: 54- t.(198-3.54)
: 4.54- 1.198.
firststepwehave
5 4 : 2 5 2 - l ' 1 9 8 .
l8 - 4(252-1.198)
- 1.198
: 4.252- 5.198.
This last equationexhibits l8 : (252, 198) as a linear combinationof 252 and
l 98.
In general,to seehow d : (a, b) may be expressed
as a linear combination
of a and 6, refer to the seriesof equationsthat is generatedby use of the
Euclideanalgorithm. From the penultimateequation,we have
r n : ( a , b ) : r n - 2 - r n - r Q n - r
.
This expresses
b,b)'as a linearcombination
of rr-2e,fidrr-1. The second
to

last equationcan be usedto expressr2-1 &Srn-3 -rn-zen-z . Using this
equationto eliminate rn-1 in the previousexpression
for (4,6), we find
l n : l n - 3 - f n - 2 4 n - 2 ,
so that
b, b) : rn-2- (rn4-rn-zQn-z)en-r
-- (l+qrnQn-z)rn-z-
Qn-rrn-3,
which expresses
b, b) as a linear combinationof rn-2 zfid r,4. We continue
working backwardsthrough the stepsof the Euclidean algorithm to express
G, b) as a linear combinationof each precedingpair of remaindersuntil we
havefound (a, b) as a linearcombination
of to: a and 11- b. Specifically,
if we havefound at a particularstagethat
G , b ) : s r i l t r i t ,
then,since
ti: ti_2- ri_tQi_r,
we have
b,b) : s (ri-z*ri-g1-r) * tr1-r
: Q-sqt-)ri-r * sri-2.
This showshow to moveup through the equationsthat are generatedby the
Euclideanalgorithm so that, at each step,the greatestcommondivisor of a
andb may be expressed
as a linear combinationof a and b.
This method for expressingG, b) as a linear combinationof a and b is
somewhatinconvenientfor calculation,becauseit is necessary
to work out the
steps of the Euclidean algorithm, save all these steps, and then proceed
backwardsthrough the stepsto write G,b) as a linear combinationof each
successive
pair of remainders. There is another method for finding b,b)
which requiresworking through the stepsof the Euclidean algorithm only
once. The followingtheoremgivesthis method.
Theorem 2.4. Let a and b be positiveintegers. Then
f u , b ) : s n a + t n b ,
for n:0,1,2,..., where,sn andtn are the nth terms of the sequences
defined
recursivelyby
the
last
that

2.2 The EuclideanAlgorithm 65
S O : l , / 0 : 0 ,
s l : 0 , / l : l ,
and
si : Si*z- ?i-tsi-t, tj : tj-z -
Q1-zt1-t
for 7 :2,3, ...,fl, where the q;'s are the quotientsin the divisionsof the
Euclideanalgorithmwhenit is usedto find G,b).
Proof. We will provethat
Q.D ri : sia + tjb
for 7 : 0, I ,...,fl. Since G,b) : r, oncewe haveestablished
(2.2),we will
knowthat
G , b ) : s n a + t n b .
We prove (2.2) using the secondprincipleof mathematicalinduction. For
:0, we have a : r0: l'a * 0'b : ssa* tsb. Hence,Q.D is valid for
:0. Likewise,
b : rr:0'a + l'b: slc + tft, so that Q.D is valid for
: l .
Now, assume
that
r i : S i a + t j b
for 7 : 1,2,...,k-1. Then,from the kth stepof the Euclidean
algorithm,we
have
tk : rk-2 - r*_lQt-l .
Usingthe inductionhypothesis,
we find that
r1 : (s1-2a*tp-2b)- (s1raa*t1r-1b)
Q*-r
: (s1-2-s*-tq*-)a * Qp2-t*-rq*-)b
: S k a + t k b .
This finishesthe proof. tr
The following exampleillustratesthe use of this algorithm for expressing
(a,b) asa linearcombinationof a andb.
Example.Let a :252 and D : 198. Then
l
j
j

l o : 0 ,
I r : 1 ,
s o : l ,
s l : 0 ,
J 2 : S 0 - s q l : l - 0 ' l : 1 , t Z : t O - t t Q t : 0 - 1 . 1: - 1 ,
J 3: S t - S Z Q z : 0- l ' 3 : - 3 , t 3 : t t - 1 Z Q Z :1 - ( - l ) 3 : 4 ,
s 4 : s 2- s t Q t : I - ( - l ) ' t : 4 , t q : t z - t t Q z : - l - 4 . 1: - 5 .
Since14: 18: (252,198)and 14: s4o+ t4b,we have
18- (252,198): 4.252- 5.198.
It shouldbe notedthat the greatestcommondivisorof two integersmay be
expressedin an infinite number of different ways as a linear combination of
theseintegers. To seethis, let d : (a,b) and let d : so I tb be one way to
write d as a linear combinationof a and b, guaranteedto exist by the
previousdiscussion.Then
d : (s - k(b/d))a + Q - kb/d))b
for all integersk.
Example.With a :252 and b : 198, lB: (252,198): (+ - t Ik)252 +
(-S - l4k)198 whcneverk is an integer.
2.2 Problems
l. Use the Euclideanalgorithm to find the following greatestcommon divisors
il (45,75) c) (ooo,
r+r+)
b) 002,22D d) (2078S,
44350).
2. For each pair of integers in problem l, expressthe greatest common divisor of
the integersas a linear combinationof theseintegers.
3. For each of the following setsof integers,expresstheir greatestcommon divisor
as a linear combinationof theseintegers
il 6, 10,l5
b) 70,98,105
c) 280,330,405,490.
4. The greatest common divisor of two integers can be found using only
subtractions,parity checks,and shifts of binary expansions,without using any
divisions. The algorithm proceedsrecursivelyusing the following reduction

2.2 The Euclidean Algorithm 67
G.b):
i f a : b
if a and 6 are even
if a is even and b is odd
if a and b are odd.
a) Find (2106,8318)usingthis algorithm.
b) Show that this algorithm always producesthe greatestcommon divisor of a
pair of positiveintegers.
5. In problem 14 of Section 1.2, a modifieddivisionalgorithm is given which says
that if a and 6 > 0 are integers,then there exist unique integersq,r, and e
suchthat a : bq * er, wheree - tl,r ) 0, and -blz < er { bl2. We can
set up an algorithm, analogous to the Euclidean algorithm, based on this
modified division algorithm, called the least-remainder algorithm. It works as
follows. Let rs: a and rr: b, where a ) b 7 0. Using the modifieddivision
algorithm repeatedly,obtain the greatestcommon divisor of a and b as the last
nonzeroremainder rn in the sequence
of divisions
ro : rtQr * e2r2, -rtlz 1 e2r2 4 ,tlz
rn-Z: ln-tQn-tI enrn, -rn-tl2 I enrn 4, rn-tl2
fn-l : 7n4n'
a) Use the least-remainder
algorithmto find (384,226).
b) Show that the least-remainder algorithm always produces the greatest
commondivisorof two integers.
c) Show that the least-remainder
algorithm is alwaysfaster,or as fast, as the
Euclideanalgorithm.
d) Find a sequenceof integers v6,V1,v2,... such that the least-remainder
algorithmtakesexactlyn divisionsto find (vn*,, vn+z).
e) Show that the number of divisions needed to find the greatest common
divisor of two positiveintegersusing the least-remainder
algorithm is less
than 8/3 times the number of digits in the smallerof the two numbers,plus
413.
Let m and n be positiveintegersand let a be an integer greater than one. Show
that (a^-1, an-l) - a(^' n)- l.
In this problem, we discussthe game of Euclid. Two players begin with a pair
of positiveintegersand take turns making movesof the following type. A player
can movefrom the pair of positiveintegers{x,y} with x 2 y, to any of the pairs
[x-ty,yl, where / is a positive integer and x-ty 2 0. A winning move
I,
)2k lL,b
/2)
l{o/z,t)
[(a
-D,b)
6.
7.

consistsof moving to a pair with one elementequal to 0.
a) Show that every sequenceof moves starting with the pair {a, bl must
eventually
endwith the pair {0, (a, b)}.
b) show that in a game beginningwith the pair {a, b},1he first player may
play a winning strategyif a - 6 or if a 7 b0+ Jil/z; otherwisethe
second player mgr play a winning strategy. (Hint: First show that if
y < x ( y(t+VS)/Z then thge is a unique movefrom l*,Ol that goesto
a pair lt, r| with y > ze+Jil/z.)
In problems8 to 16,un refersto the nth Fibonaccinumber.
8. Showthat if n is a positive
integer,then rz
1l u2 I I ttr: un+z- l.
9. Showthat if n is a positiveinteger,thenunapn-r - u] : GD'.
10. Show that if n is a pqsitive integer, then un: (c'n-0/'..fs, where
o : (t+.,6) /2 andp : Q-'./-il/2.
ll. Showthat if m andn arepositiveintegerssuchthat m I n, then u^ | un.
12. Showthat if m andn arepositiveintegers,then (u^, un) : u(m,il.
13. Show that un is evenif and only if 3 | n.
(t 'l
t4. Letu: li i,.
Irn*, Itn I
a) Show that Un :
lu, u^_r)
.
b) Provethe result of problem 9 by consideringthe determinan
t of Un.
15. We define the generalized Fibonacci numbers recursively by the equations
gr- a, E2: b, and gn - gn-t* gr-zfor n 2 3. Showthat gn: oun-2* bun-1
for n )- 3.
16. The Fibonacci numbers originated in the solution of the following problem.
Supposethat on January I a pair of baby rabbits was left on an island. These
rabbits take two months to mature, and on March I they produceanother pair of
rabbits. They continually produce a new pair of rabbits the first of every
succeeding month. Each newborn pair takes two months to mature, and
producesa new pair on the first day of the third month of its life, and on the first
day of every succeedingmonth. Show that the number of pairs of rabbits alive
after n months is preciselythe Fibonacci number un, assumingthat no rabbits
everdie.
17. Show that every positiveinteger can be written as the sum of distinct Fibonacci
numbers.

2.3 The FundamentalTheorem of Arithmetic 69
2.2 ComputerProjects
l. Find the greatestcommondivisorof two integersusingthe Euclideanalgorithm.
2. Find the greatestcommon divisor of two integers using the modified Euclidean
algorithm given in problem 5.
3. Find the greatestcommondivisor of two integersusing no divisions(seeproblem
0.
4. Find the greatestcommondivisor of a set of more than two integers.
5. Expressthe greatestcommon divisor of two integers as a linear combination of
theseintegers.
6. Expressthe greatest common divisor of a
linear combinationof theseintegers.
set of more than two integers as a
7. List the beginningterms of the Fibonaccisequence.
8. Play the game of Euclid describedin problem 7.
2.3 The Fundamental
Theoremof Arithmetic
The fundamental theorem of arithmetic is an important result that shows
that the primes are the building blocks of the integers. Here is what the
theoremsays.
The Fundamental Theorem of Arithmetic.
written uniquelyas a productof primes,with
written in orderof nondecreasing
size.
Every positive integer can be
the prime factors in the product
Example. The factorizationsof somepositiveintegersare given by
240: 2.2.2.2.3.5
: 24.3.5,289
: 17.17
: 1i2.1001
: 7.11.13
.
Note that it is convenientto combine all the factors of a particular prime
into a power of this prime, such as in the previousexample. There, for the
factorization of 240, all the fdctors of 2 were combined to form 24.
Factorizationsof integersin which the factors of primes are combinedto form
powersare calledprime-powerfactorizations.
To prove the fundamental theorem of arithmetic, we need the following
lemmaconcerning
divisibility.
Lemma 2.3. lf a, b, and c are positiveintegerssuch that (a, b) : I and

a I bc, thena I c,
Proof. Since G,b): 1, there are integersx and y such that ax * by : y.
Multiplying both sidesof this equation by c, we have acx * bcy: c. By
Proposition1.4, a dividesacx * 6cy, sincethis is a linear combinationof a
andbc, both of which are divisibleby a. Hencea I c. a
The following corollary of this lemma is useful.
Corollary 2.2. If p dividasap2 an wherep is a prime and c r, a2,...,on
are positive integers,then there is an integer i with I < t ( n such that p
dividesa;.
Proof. We prove this result by induction. The case where n : I is trivial.
Assumethat the result is true for n. Considera product of n * t, integers,
ar az aral that is divisibleby the primep. Sincep I ar az on*t:
(a1a2 an)ana1,
we know from Lemma 2.3 that p I ar az en or
p I ar+r. Now, it p I ar az a' from the inductionhypothesis
thereis an
integer i with 1 < t ( n such Ihat p I ai. Consequently
p I a; for somei
withl <t < n*1. Thisestablishestheresult.
tr
We begin the proof of the fundamentaltheorem of arithmetic. First, we
show that every positiveinteger can be written as the product of primes in at
least one way. We use proof by contradiction. Let us assume that some
positive integer cannot be written as the product of primes. Let n be the
smallest such integer (such an integer must exist from the well-ordering
property). lf n is prime, it is obviouslythe product of a set of primes, namely
t h e o n e p r i m e n .S o n m u s t b e c o m p o s i t e .
L e t n : a b , w i t h | 1 a ( n a n d
| 1 b I n. But sincea and b are smallerthan n they must be the product
of primes. Then, since n : ab, we concludethat n is also a product of
primes. This contradictionshowsthat everypositiveintegercan be written as
the product of primes.
We now finish the proof of the fundmental theorem of arithmetic by
showingthat the factorizationis unique.
Supposethat there is a positiveinterger that has more than one prime
factorization. Then, from the well-ordering property, we know there is a least
integer n that hasat leasttwo different factorizationsinto primes:
f l : P t P z P s : Q t Q z Q t ,
wherept,p2,...,ps,Qt,...,4t
are all primes,with pr ( pz ( ( p, and
{ r ( 4 2 ( ( q ' .

2.3 The FundamentalTheorem of Arithmetic
We will showthat pt: Qr,p2: Q2,...,
and continueto showthat eachof
the successive
p's and q's are equal,and that the number of prime factorsin
the two factorizationsmust agree,that is s : /. To show that pr: Qr,
assumethat pr * qy Then, eitherpr ) 4r or pr 1 Qr By interchanging
the variables,
if necessary,
we can assumethat pr ( qr. Hence,pr 1q; for
i : 1,2,...,tsince41 is the smallest
of the q's. Hence,
pr trqi for all i. But,
from Corollary 2.2, we see that pr I qflz et : tt. This is a
contradiction. Hence, we can conclude that pr : Qr and
n/pr: pz pt ps : QzQt Qt. Sincenlpl is an integersmallerthan
n, and since n is the smallestpositive integer with more than one prime
factorization,nfpl con be written as a product of primesin exactly one way.
Hence, eachpi is equal to the correspondingq;, and s : /. This provesthe
uniqueness
of the prime factorizationof positiveintegers. tr
The prime factorizationof an integer is often useful. As an example,let us
find all the divisorsof an integerfrom its prime factorization.
Example. The positivedivisorsof 120: 233'5 are thosepositiveintegerswith
prime power factorizationscontainingonly the primes 2,3, and 5, to powers
lessthan or equalto 3, 1, and l, respectively.Thesedivisorsare
I 3 5 3'5:15
2 2'3: 6 2'5: 10 2'3'5: 30
22: 4 22.3
: 12 22.5
: 20 223.5: 6o
23:8 z3-3
: 24 23.5
: 40 23.3.s
: l2o .
Another way in which we can use prime factorizations is to find greatest
common divisors. For instance,supposewe wish to find the greatestcommon
divisorof 720 : 2432'5and 2100 : 223'52'7. To be a commondivisorof both
720 and 2100,a positiveintegercan containonly the primes2, 3, and 5 in its
prime-powerfactorization,and the power to which one of theseprimes appears
cannotbe larger than either of the powersof that prime in the factorizations
of 720 and 2100. Consequently,
to be a commondivisor of 720 and 2100,a
positiveinteger can contain only the primes 2,3, and 5 to powersno larger
than2, l, and l, respectively.Therefore,the greatestcommondivisor of 720
and2100is 22.3.5
: 60.
To describe, in general, how prime factorizations can be used to find
greatestcommondivsors,let min(a, D) denotethe smalleror minimum, of the
two numbersd and 6. Now let the prime factorizationsof a and b be
o : pi,pi2.. . p:., b : p'r,plz
.. . p:,,
where each exponentis a nonnegativeinteger and where all primes occurring
7 1

in the prime factorizationsof c and of b are included in both products,
perhapswith zeroexponents.We note that
fu,b): pl'"k"0,)plinb,'b, p:'n(oro,),
sincefor eachprimepi, a and b shareexactlymin(a;,6;) factorsof p;.
Prime factorizationscan also be usedto find the smallestinteger that is a
multiple of two positiveintegers. The problem of finding this integer arises
when fractions are added.
Definition. The least common multiple of two positiveintegersa and D is the
smallestpositiveintegerthat is divisibleby a andb.
The leastcommonmultiple of a and b is denotedby Io, bl.
Example. We have the following least common multiples: ll5,2l l: 105,
lZq,Xl : 72,lZ, Z0l : 2A,and [7, lll : 77.
Once the prime factorizations of a and b are known, it is easy to find
Ia,bl. If a : pi,pi, plr. and,
b : pi,pur2 .. . pun,wherept,pz,...,pn
are the primesoccurring in the prime-powerfactorizationsof a and b, then
for an integer to be divisible by both c and D, it is necessarythat in the
factorizationof the integer,eachp; occurswith a power at leastas large as ai
andbi. Hence,[a,b], the smallestpositiveintegerdivisibleby both a and b
is
la,bl: pl
*Grb,)
Omaxb,'b,) pf
*Gru')
wheremax(x,/) denotes
the larger,or maximum,of x andy.
Finding the prime factorization of large integers is time-consuming.
Therefore,we would prefer a method for finding the leastcommon multiple of
two integerswithout using the prime factorizationsof theseintegers. We will
showthat we can find the leastcommonmultiple of two positiveintegersonce
we know the greatest common divisor of these integers. The latter can be
foundvia the Euclideanalgorithm. First, we provethe followinglemma.
Iemma 2,4. If x and y are real numbers,then max(x,y) + min(x,y)
:x+y.
Proof.
If x)y, then min(x,y):y and max(x,!):x, so that
max(x,y)+min(x,y):x*y. If x <y, then min(xy):x and
max(x,y): y, andagain
wefindthatmax(x,y)+ min(x,y)- x + y. tr

To find Ia, b l, onceb, b) is known,we usethe followingtheorem.
Theorem2.5. lf a and b ate positiveintegers,then la,bl: ab/G,b),,
where Ia, b I and G, b) are the leastcommonmultiple and greatestcommon
divisorof c and b, respectively.
Proof. Let a and b have prime-powerfactorizationsa : p'pi' pl' and
t : pl'p!2 " ' p:', where the expnents are nonnegativeintegers and all
primes occurring in either factorization occur in both, perhaps with zero
exponents.
Now let M1: max(c;, b;) and ffii -min(a1,b1). Then,we have
la,blb,il:pY'pY' p{'pT'pT2
''' pf'
: O{,+^,r{'*^' bY'*^'
: pl'+b'Oo'+b' p:'*o'
: p'p;' pi'p"' po^'
: ab.
sinceMi + ffij: max(ay,bj) + min(ar',
b): a1* b1by Lemma2.4. tr
The followingconsequence
of the fundamentaltheoremof arithmeticwill be
needed
later.
Lemma 2.5. Let m andn be relatively prime positiveintegers. Then, if d is
a positivedivisorof mn, thereis a uniquepair of positivedivisorsd 1of m and
d2of n suchthat d : diz. Conversely,
if dl andd2 are positivedivisorof z
andn, respectively,
thend : dfl2is a positive
divisorsof mn.
Proof. Let the prime-power factorizations of m and n be m : pT'pT'
p:' and n: qi'qi2 " ' qi' . Since (m,n) - l, the set of primes
ptPz,...,Psand the set of primesQt,42,...,4t
have no commonelements.
Therefore,the prime-powerfactorizationof mn is
mn: pT'pT' p!'qi'qi' q:'.
Hence,if d is a positivedivisorof mn, then
d:pi'piz "' pi'q{'qI' q{'
w h e r e0 ( e i ( m i f o r i : 1 , 2 , . . . , s a n d 0 ( f ( n ; f o r 7 : 1 , 2 , . . . , t .
Now let

dt : p't'ptz'
and
dr: q{'qI' q{'.
Clearly
d : dfi2and(dr,d) : l. Thisisthedecomposition
ofd wedesire.
Conversely,
let dy and d2be positivedivisorsof m and n, respectively.Then
dr: p'r'ptr' p:'
where0 ( ei ( mi for i : 1,2,...,s, and
dr: q{'q[' q{'
where0 < /j ( n; for j : 1,2,...,t. The integer
d : dfi2: p'r'pi,. -. pi,q{,q[, q{'
is clearlya divisorof
mn: p?'pT' p!'qi'qi, ql,,
sincethe powerof suchprime occurringin the prime-powerfactorizationof d
is less than or equal to the power of that prime in the prime-power
factorization of mn. tr
A famous result of number theory deals with primes in arithmetic
progressions.
Dirichlet's Theorem on Primes in Arithmetic Progressions. Let a and b be
relatively prime positive integers. Then the arithmetic progression
an * b, fl : 1,2,3,..., contains
infinitelymanyprimes.
G. Lejeune Dirichlet, a German mathematician,proved this theorem in
1837. Since proofs of Dirichlet's Theorem are complicated and rely on
advanced techniques,we do not present a proof here. However, it is not
difficult to prove special cases of Dirichlet's theorem, as the following
proposition
illustrates.
Proposition 2.2. There are infinitely many primes of the form 4n * 3, where
n rsa positiveinteger.

Beforewe provethis result,we first provea usefullemma.
Lemma 2.6. lf a and b are integers both of the form 4n * l, then the
productab is alsoof this form.
Proof. Since a and b are both of the form 4n * l, there exist integersr and
s suchthat a : 4r * 1 and D : 4s * 1. Hence,
a b : ( + r + t ) ( 4 s + 1 ): 1 6 r s* 4 r * 4 s * l : 4 ( 4 r s + r * s ) * l ,
which is againof the form 4n * 1. tr
We now provethe desiredresult.
Proof. Let us assumethat there are only a finite number of primes of the
form4n f 3, sayPo: 3,Pt, P2,...,Pr. Let
Q : 4 p r p z P , * 3 .
Then, there is at leastoneprime in the factorizationof Q of the form 4n * 3.
Otherwise,all of theseprimeswould be of the form 4n * 1, and by Lemma
2.6, this would imply that O would also be of this form, which is a
contradiction. However,none of the primes po,Pr,...,,Pndivides 0. The
prime 3 doesnot divide Q, for if 3 I Q, then I I (0-ll : 4pt pz p,,
which is a contradiction. Likewise, none of the primes p; can divide Q,
because
pj I Q impliespi | (Q-4pr pz p) :3 which is absurd. Hence,
thereare infinitelymany primesof the form 4n * 3. tr
2.3 Problems
L Findtheprimefactorizations
of
a) 36 e) 222 D 5o4o
b) 3e D 2s6 j) sooo
c) 100 d sr5 k) 9s5s
d) 289 h) 989 D 9999.
2. Show that all the powers in the prime-power factorization of an integer n are
evenif and only if n is a perfect square.
3. Which positiveintegershave exactly three positivedivisors? Which have exactly
four positivedivisors?
4. Show that every positiveinteger can be written as the product of a squareand a
square-freeinteger. A square-free integer is an integer that is not divisible by

any perfectsquares.
5. An integer n is calledpowerful if whenevera prime p dividesn, p2 divrdesn.
Show that every powerful number can be written as the product of a perfect
squareand a perfectcube.
6. Show that if a andb arepositiveintegersanda3 | b2,then a I b.
7. Let p be a prime and n a positiveinteger. If p' I n, but po*' Itn, we say that
po exactly divides n, andwe write po ll n.
a) Showthat if po ll m andpb ll n, thenpo*b ll mn.
b) Showthat if po ll m, thenpko ll mk.
c) Showthat if po ll m andpb ll n, then ominb'b)
il m+ n.
8. a) Let n be a positiveinteger. Show that the powerof the prime p occurringin
the prime power factorizationof n ! is
ln/pl + Inlpzl + ln/p3l +
b) Use part (a) to find the prime-power factorizationof 20!.
9. How many zerosare there at the end of 1000!in decimal notation? How many
in baseeight notation?
10. Find all positiveintegersn such that n! ends with exactly 74 zerosin decimal
notation.
ll. Showthat if n is a positive
integerit is impossible
for n! to end with exactly153,
154,or 155zeroswhen it is written in decimalnotation.
12. This problem presentsan exampleof a systemwhere unique factorizationinto
primesfails. Let H be the set of all positiveintegersof the form 4ft*1, wherek
is a positive
integer.
a) Showthat the productof two elements
of 11is alsoin fI.
b) An elementh*l in 11is called a"Hilbert prime" if the only way it can be
written as the productof two integersin ^FIis h: h'l : l'ft, Find the 20
smallestHilbert primes.
c) Show everyelementof H can be factored into Hilbert primes.
d) Show that factorization of elements of FI into Hilbert primes is not
necessarily
uniqueby finding two different factorizations
of 693 into Hilbert
primes.
13. Which positiveintegersn aredivisibleby all integersnot exceeding,,/;t
14. Find the leastcommonmultiple of eachof the followingpairsof integers

1 6 .
t 7 .
1 8 .
1 9 .
a ) 8 ,1 2 d ) l l l , 3 o 3
b) 14,15 e) 256,5040
c) 28,35 f) 343,999.
15. Find the greatest
common
divisorand leastcommon
multipleof the following
pairsof integers
a) 22335s11,27355372
b) 2.3.5.7.1
I'13,17.t9.23.29
c) 2357
tt'3,2.3.5.1.1
t.t 3
d) 47tt7gtnl0lrmr,4l
rr83rrrl0l1000.
Showthat everycommonmultiple of the positiveintegersa and b is divisibleby
the leastcommonmultiple of a and b.
Which pairs of integersa and D have greatestcommon divisor 18 and least
commonmultiple 540?
Show that if a and b are positiveintegers,then (a, il | la, bl. When does
fu,b) : la, bl?
Show that if a and b are positiveintegers,then there are divisorsc of a and d
o f b w i t hG , d ) : I a n dc d : l a , b l .
Show that if a, b, and c are integers,then [a, Ull c if and only if a I c and
b I c .
21. a) Showthat if a and b arepositive
integers
then (a,b) : (a*b,la,bD.
b) Find the two positive integerswith sum 798 and least common multiple
l 0780.
Showthat if a,b, andc are positive
integers,then (la, bl, t) : lG, c), (b, c)l
andlfu, b) , cJ : ([4, cl, lb , cl).
a) Showthat if a,b, and c are positiveintegers,then
max(a,b,c): a * b * c - min(a,b) - min(a,c) - min(D,c)
* min(a,b,c).
b) Usepart (a) to showthat
[a,b,clla,b,cl : .
a,brcla
'br'c.) .
G,b) G,c) (b,c)
Generalizeproblem23 to find a formula for (ay,a2,...,on)'1d1,a2,...,an1
where
a1.a
2,...,a
n are positiveintegers.
25. The leastcommonmultiple of the integers a1,a2,...,an,
that are not all zero,is
the smallestpositiveinteger that is divisibleby all the integerso1,ct2,...,a,;
it is
20.
22.
23.
24.

denoted
by Ia5a2,...,an1.
il Find[6,10,15]
and[7,11,13j.
b) Show that laya2,...,an-1,anl
: l[,a1,a2,...,an-1l,anl.
26. Let n be a positive integer. How many pairs of positive
I a , b l : n ?
integerssatisfy
Prove that there are infinitely many primes of the form 6ft * 5, where k is a
positiveinteger.
Show that if a and b are integers, then the arithmetic progression
a, a*b, a*Zb,... containsan arbitrary numberof consecutive
composite
terms.
Find the prime factorizationsof
27.
28.
29.
a) l06-l
b) lo8-l
c) 2r5-l
d) 224-l
e) 230-l
f) 236-t.
30. A discountstore sellsa camera at a price lessthan its usual retail price of ,S99.
If they sell 88137 worth of this camera and the discounteddollar price is an
integer, how many camerasdid they sell?
31. il show that if p isa prime and,ais a positive
integerwithp I a2, thenp I a.
b) Show that if p is a prime, c is an integer, and n is a positive integer such
t h a t p l a n , t h e n
p l a .
Show that if a and b are positiveintegers,then a2 | b2 implies that a I b.
Show that if a,b, and c are positive integerswith (a,b) : I and ab : cn, then
there are positive integers d and,e such that a : dn and b : en.
Show that if aya2,...,an are pairwise relatively prime integers, then
l a 1 , c t 2 , . . . , a n l
: a p 2 ' ' ' s n .
32.
33.
34.
1. Find all positivedivisorsof a positiveinteger
2. Find the greatest common divisor of two
from its prime factorization.
positive integers from their prime
factorizations.
3. Find the least common multiple of two positive integers from their prime
factorizations.
4. Find the number of zerosat the end of the decimal expansionof n ! where n is a
positiveinteger.

2.4 Factorization of Integers and the Fermat Numbers
5. Find the prime factorizationof n! wheren is a positiveinteger.
2.4 Factorizationof Integersand the Fermat Numbers
From the fundamental theorem of arithmetic, we know that every positive
integercan be written uniquelyas the productof primes. In this section,we
discuss
the problemof determiningthis factorization. The most direct way to
find the factorization of the positive integer n is as follows. Recall from
Theorem 1.9 that n either is prime, or elsehas a prime factor not exceeding
6 . Consequently,
when we divide n by the primes 2,3,5,...not exceeding
,/i,*" either find a prime factorpr of n or elsewe concludethat r is prime.
If we have locateda prime factor p r of n, we next look for a prime factor of
nt: nlp1, beginningour searchwith the prime p1, sincenI has no prime
factor lessthan p1, nnd any factor of n1 is alsoa factor of n. We continue,if
necessary,determining whether any of the primes not exceedingrlr r divide
n1. We continue in this manner, proceedingrecursively,to find the prime
factorizationof n.
Example. Let n : 42833. We note that n is not divisible by 2,3 and 5, but
that 7 | n. We have
42833
- 7 .6119.
Trial divisions show that 6119 is not divisible by any of the primes
7,11,13,17,I9,
and23. However,
we seethat
6 l 1 9 : 2 9 ' 2 l l .
Since 29 > ,m, we know that 211 is prime. We conclude that the prime
factorizationof 42833is 42833- 7 ' 29 ' 2ll.
Unfortunately,this methodfor finding the prime factorizationof an integer
is quite inefficient. To factor an integer N, it may be necessary
to perform as
many as r(JF) divisions,altogether requiring on the order of JF bit
operations,since from the prime number theorem zr(JF) is approximately
,N /tog..N : 2,N AogN,and from Theorem 1.7,thesedivisionstake at least
log N bit operations each. More efficient algorithms for factorization have
been developed,requiring fewer bit operations than the direct method of
factorization previously described. In general, these algorithms are
complicatedand rely on ideasthat we havenot yet discussed.For information
about thesealgorithmswe refer the readerto Guy [66] and Knuth [561. We
note that the quickest method yet devised can factor an integer N in
79

80 GreatestCommonDivisors
and PrimeFactorization
approximately
e*p(@)
bit operations,
whereexpstandsfor the exponential
function.
In Table 2.1, we give the time requiredto factor integersof varioussizes
using the most efficient algorithm known, where the time for each bit
operationhas been estimatedas one microsecond(one microsecondis 10-6
seconds).
Number of decimal digits Number of bit operations Time
50
75
100
200
300
500
l.4x10r0
9.0xl0r2
2.3xl0r5
1.2x1023
l.5xl02e
l.3xl03e
3.9hours
104days
74 years
3.8xl0eyears
4.9x1015
years
4.2x102s
years
Table2.1. TimeRequired
ForFactorization
of LargeIntegers.
Later on we will showthat it is far easierto decidewhether an integer is
prime, than it is to factor the integer. This differenceis the basis of a
cyptographic
systemdiscussed
in Chapter7.
We now describea factorizationtechniquewhich is interesting,althoughit
is not always efficient. This techniqueis known as Fermat factorization and
is basedon the followinglemma.
Lemma 2.7. lf n is an odd positive integer, then there is a one-to-one
correspondence
between factorizations of n into two positive integers and
differences
of two squares
that equaln.
Proof. Let n be an odd positiveintegerand let n : ab be a factorization of n
into two positiveintegers. Then n can be written as the differenceof two
squares,
since
, lo+ul' lo-ul'
n : a D : l : l
-
l - l
| 2 ,l t 2 )'

2.4 Factorization
of Integersandthe FermatNumbers 81
whereG+b)12 and b-b)/2 are both integerssincea andb are both odd.
Conversely,
if n is the differenceof two squares,sayn: s2 - /2, then we
canfactorn by notingthat n : (s-l)(s+t). tr
To carry out the methodof Fermat factorization,we look for solutionsof
the equation,, : *2 - yz by searchingfor perfectsquares
of the form xz - n.
Hence,to find factorizationsof n, we searchfor a squareamong the sequence
of integers
t2-n, Q+Dz-n, (t+2)2-n,...
where I is the smallestinteger greater than ,/i . This procedureis guaranteed
to terminate,sincethe trivial factorizationn : n'l leadsto the equation
fn+rl' lr-rl'
n:
I r l- |. , ,l
Example. We factor 6077 using the method of Fermat factorization. Since
77 < ffi1 < 78, we look for a perfect squarein the sequence
782- 6077:7
792- 6077:164
802- 6077:323
8 1 2 - 6 0 7 7 : 4 8 4 : 2 2 2 .
Since 6077:812 - 222. we conclude that 6077: $l-2D(8t+zz) :
59.103.
Unfortunately, Fermat factorization can be very inefficient. To factor n
using this technique, it may be necessary to check as many as
Q + D 12- ,/n integers to determine whether they are perfect squares.
Fermat factorizationworks best when it is used to factor integershaving two
factorsof similar size.
The integers Fn :22' + I are called the Fermat numbers. Fermat
conjectured that these integers are all primes. Indeed, the first few are
primes, namely Fo:3, F1 : 5, F2: 17,F3 : 257, and F+: 65537.
Unfortunately,F5 :22'* 1 is composite
as we will now demonstrate.
Proposition 2,3. The Fermat numberF5: 22'+ 1 is divisibleby 641.
Proof. We will prove that 641 | fr without actually performing the division.
Note that

6 4 1: 5 . 2 7 + l : 2 a + 5 4 .
Hence.
22'+'
=Z'ile
-?;^i?ii:,:;o,2ii,Ii:,
fil 'r'*
'
Therefore,
weseethat 64t I F's. tr
The followingresult is a valuableaid in the factorization
of Fermat
numbers.
Proposition 2.4. Every prime divisor of the Fermat number F, :22' + | is
of the form2n+2k+ I.
The proof of Proposition2.4 is left until later. It is presented
as a problem
in Chapter 9. Here, we indicatehow Proposition2.4 is useful in determining
the factorizationof Fermat numbers.
Example. From Proposition 2.4, we know that every prime divisor of
F3:22'+ | :257 must be of the form 2sk * l: 32.k+ l. Sincethere
are no primesof this form lessthan or equal to ,/81, we can concludethat
Ft : 257is prime.
Example. In attemptingto factor F 6 : 22'+ l, we useProposition2.4 to see
that all its prime factorsare of the form 28k+ l:256.k * l. Hence,we
needonly perform trial divisionsof Foby thoseprimesof the form 256'k + |
that do not exceed -,,/Fu. After considerablectmputation, one finds that a
primedivisoris obtained
with k : l0?l,i.e. Z74li'l: (256.10?l+ l) I F6.
A great deal of effort has been devoted to the factorization of Fermat
numbers. As yet, no new Fermat primes have been found, and many people
believe that no additional Fermat primes exist. An interesting, but
impractical, primality test for Fermat numbersis givenin Chapter 9.
It is possibleto prove that there are infinitely many primes using Fermat
numbers. We begin by showingthat any two distinct Fermat numbersare
relativelyprime. The followinglemmawill be used.
Lemma 2.8. Let F1,:22' * I denotethe kth Fermat number, where k is a
nonnegative
integer. Then for all positiveintegersn , we have
FoFf z Fn-t: Fn - 2.
Proof. We will prove the lemma using mathematical induction. For n : 1,
the identity reads

2.4 Factorization of Integers and the Fermat Numbers 83
Fo : Fr - 2 '
This is obviouslytrue sinceF0 : 3 and Fr : 5. Now let us assumethat the
identity holdsfor the positiveintegern, so that
FoFf z'
' ' Fn-r: F, - 2.
With this assumption
we can easilyshowthat the identity holdsfor the integer
n * I, since
FoFfz Fn-rFr: (FsFf2 "' Fr-)Fn
- (Fn - z)Fn: (22'- D(22'+ t)
- ( 2 2 ' 1 2- l - 2 2 ' * ' - 2 : F r a 1 - 2 . t r
This leadsto the followingtheorem.
Theorem 2.6. Let m and n be distinct nonnegativeintegers. Then the
Fermat numbersF^ andF, arerelatively prime.
Proof. Let us assumethat m 1 n. From Lemma 2.8,we know that
F f f z ' ' ' F ^ ' " F r - r: F n - 2 .
Assumethat d is a commondivisorof F* and Fo. Then, Proposition1.4tells
us that
d I G, - FsF.o
2 Fm F,-1) :2.
Hence,either d:l or d:2. However,sinceF, and Fn are odd, d cannotbe
2. Consequently,
d:l and (F^,F) : I. tr
Using Fermat numberswe can give anotherproof that there are infinitely
many primes. First, we note that from Lemma 1.1,everyFermat number Fn
hasa prime divisorpr. Since (F*,F): l, we know that p^ # p, whenever
m # n. Hence,we can concludethat thereare infinitelymany primes.
The Fermat primes are also important in geometry. The proof of the
followingfamoustheoremmay be found in Ore [28].
Theorem 2.7. A regular polygonof n sidescan be constructedusing a ruler
and compass
if and only if n is of the form n:2opl "' pt wherep;,
i:1,2,...,t are distinctFermat primes anda is a nonnegative
integer.

2.4 Problems
l. Find the prime factorizationof the followingpositiveintegers
il egzgzt b) 1468789 c) SSOO8OZ9.
2. Using Fermat's factorization method,factor the following positiveintegers
a) 7709 d) I l02l
b) 73 e) 3200399
c) 10897 f) 24681023.
3. a) Show that the last two decimaldigits of a perfectsquaremust be one of the
followingpairs:00, el, e4,25, o6, e9, wheree standsfor any evendigit and o
standsfor any odd digit. (Hint: Show that n2, (50+n)2, and (50-n)2 all have
the same final decimal digits, and then consider those integers n with
0(n<2s.)
b) Explain how the result of part (a) can be used to speed up Fermat's
factorizationmethod.
Show that if the smallestprime factor of n is p, then xz-n will not be a perfect
squarefor x ) h+pz) lLp .
In this problem,we developthe method of Draim factorization. To searchfor a
factor of the positiveintegern - nr, we start by using the divisionalgorithm,to
obtain
i l 1: 3 q y * r y , 0 ( 1 1 ( 3 .
Settingntr - nr, we let
t/12: t/lt - Zqt, fl2: ttt2* 11.
We usethe divisionalgorithmagain,to obtain
f l 2 : 5 q 2 * 1 2 , 0 ( 1 2( 5 ,
and we let
3: rtl2 - 2qZ, fl1 : t143* t2.
We proceedrecursively,using the division algorithm, to write
nx : (2k+l)qy * ry, 0 ( 11 < 2k+1,
and we define
4.
5.

6.
2.4 Factorizationof Integers and the Fermat Numbers 85
fllk : m*-t-2Qt-t, ttk : ttl* * rt-t.
We stopwhenwe obtaina remaindet/1 : 0.
a) Show that n1 : knr - Qk+l) (qft q2*' ' ' + q,-) and rltk: n1-
2'(qftq2* *qo-r).
b) Showthat if (z*+t) I ,, then (2k+l) I nr andn:(2k*l)m1,11.
c) Factor5899usingthe methodof Draim factorization.
In this problem, we devel<lp
a factorization techniqueknown as Euler's method.
It'is applicablewhen the integerbeing factoredis odd and can be written as the
sum of two squares in two different ways. Let n be odd and let
n : a 2 * b 2 : c 2 + d 2 , w h e r ea a n d c a r eo d d p o s i t i v e
i n t e g e r s ,
a n d b a n d d
are evenpositiveintegers.
a) Let u: (a-c,b-d). Showthat u is evenand that if r: (a-c)lu and
s : (d-ilfu,then (r,s) : l, r(a*c) : s(d+b), ands I a+c.
b) Let sv : a*c. Showthat rv : d + b,e : (a+cd+b), andv is even.
c) Conclude
that n may be factoredasn:1fu12)2 + (v/2)zl(r2+ s2).
d) UseEuler'smethodto factor221:102 + ll2:52 + 142,2501
:502 + 12
: 492+ 102and 1000009
: 10002
+ 32:9722 + 2352.
Showthat any numberof the form 2an+2
* I can be easilyfactoredby the useof
the identity 4xa + 1 : (2x2+2x+l)(Zx2-Zx+t. Factor 218+1 using this
identity.
Show that if a is a positiveinteger and a^ *l is a prime, then m:2n for some
positive integer n. (Hint: Recall the identity a^*l: (aft + l)
(ak9-t)-akQ-D+ -ae+l) wherem:kQ and{ is odd).
Show that the last digit in the decimalexpansion
of F, - 2r + | is 7 if n 7 2.
(Hint: Using mathematicalinduction,show that the last decimal digit of 22' is
6.)
10. Use the fact that every prime divisorof Fa:2t + I :65537 is of the form
26k + | - 64k * I to verify that F4 is prime. (You shouldneedonly one trial
division.)
I l. Use the fact that every prime divisor of Fz: 22'+ | is of the form
21k + | : l28k * 1 to demonstrate that the prime factorization of F5 is
F. : 641'6700417.
Find all primesof the form 2T * 5, wheren is a nonnegative
integer.
Estimatethe number of decimal digits in the Fermat number Fn.
7 .
8 .
9.
r2.
1 3 .

l. Find the prime factorization of a positiveinteger.
2. Perform Fermat factorization.
3. Perform Draim factorization (seeproblem 5).
4. Check a Fermat number for prime factors,using Proposition2.4.
2.5 LinearDiophantine
Equations
Consider the following problem. A man wishes to purchase $510 of
travelerschecks. The checksare available only in denominationsof $20 and
$50. How many of eachdenomination
shouldhe buy? If we let x denotethe
number of $20 checksand y the number of $50 checksthat he should buy,
then the equation20x * 50y : 510 must be satisfied. To solvethis problem,
we need to find all solutions of this equation, where both x and y are
nonnegative
integers.
A related problem ariseswhen a woman wishesto mail a package. The
postalclerk determinesthe costof postageto be 83 centsbut only 6-centand
15-centstampsare available. Can somecombinationof thesestampsbe used
to mail the package? To answerthis, we first let x denotethe number of 6-
cent stampsand y the number of l5-cent stampsto be used. Then we must
have6x + I5y : 83, whereboth x andy are nonnegative
integers.
When we requirethat solutionsof a particular equationcome from the set
of integers,we havea diophantineequation. Diophantineequationsget their
name from the ancient Greek mathematician Diophantus, who wrote
extensivelyon suchequations. The type of diophantineequationax * by : c,
wherea, b, and c are integersis calleda linear diophanttneequationsin two
variables. We now develop the theory for solving such equations. The
following theorem tells us when such an equation has solutions,and when
there are solutions,explicitly describesthem.
Theorem 2.8. Let a and D be positiveintegerswith d : (a,b). The equation
ax*by:c has no integralsolutions
if dlc. lf dlc, then thereare
infinitely many integral solutions. Moveover,if x : x0, | - lo is a particular
solutionof the equation,then all solutionsare givenby
x : xo+ (b/d)n, ! : yo- fuld)n,

2.5 LinearDiophantine
Equations 87
wheren is an integer.
Proof. Assumethat x andy are integerssuchthat ax I by : g. Then,since
d l o a n d d l b , b y P r o p o s i t i o n
1 . 4 ,
d l t a s w e l l . H e n c e , ' r f
d t r c , t h e r e a r e
no integralsolutions
of the equation.
Now assume
that d | ,. From Theorem2.1,thereare integers
s and t with
(2.3) d:as+bt.
Sinced l r, thereis an integere with de : c. Multiplying both sidesof (2.3)
bv e. we have
c : d e : ( a s + b t ) e : a ( s e )
Hence, one solution of the equation is given by
-x0-'Ftf11*}f =7€.
+ bQe).
To showthat thereare infinitelymany solutions,
let x:nfo+ $liln and
y:Y0- G/d)n, wheren is an integer. We seethat this pair (x,y) is a
solution,since V rfi"v g rof14
a x t b y : o x s * a ( b l d ) n * b y o - b G l d ) i l : o x s t b y s : c .
We now showthat everysolutionof the equationax * by : c must be of the
form describedin the theorern. Supposethat x and y are integers with
ax I bY : c. Since
a x s* b y o : , ,
by subtractionwe find that
Gx * by) - (axs+ bys):0,
whichimpliesthat
Hence,
a& - x/ + bU -.yd :0.
a ( x - x o ) : b j o - y ) .
Dividingboth sides
of this lastequalityby d, we seethat
Gld) (x - xs) : (bld) Ut
- y).
By Proposition
2.1, we know that bld,bld): l. Using Lemma 2.3, it
@Io,.wlere
X * S€ rtacl I --te

follows that Q/d) | 9o- y). Hence, there is an integer n with
G/d)n:lo-l; this meansthaty -lo- G/iln. Now puttingthisvalue
of y into the equation a(x - xd : bOo- y), we find that
aG - xd : bb/d)n, whichimpliesthat x : x0 + (bld)n. D
We now demonstratehow Theorem 2.8 is used to find the solutionsof
particularlinear diophantineequations
in two variables.
Consider the problems of finding all the integral solutions of the two
diophantineequationsdescribedat the beginning of this section. We first
considerthe equation6x + I5y : 83. The greatestcommondivisor of 6 and
15 is (6,15) : 3. Since I / gl, we know that there are no integral solutions.
Hence,no combinationof 6- and l5-cent stampsgivesthe correctpostage.
Next, consider the equation 20x t 50y :519. The greatest common
divisorof 20 and 50 is (20,50): 10, and since l0 | 510, there are infinitely
many integral solutions. Using the Euclidean algorithm, wo find that
20eD * 50 : 10. Multiplying both sides by 51, we obtain
20(-102) + 50(51) : 510. Hence, a particular solution is given by
x0: - 102and./o:51. Theorem2.8 tellsus that all integralsolutions
are
of the form x : -102 * 5n andy : 5l - 2n. Sincewe want both x and y
to be nonnegative,
we must have - I02 + 5n ) 0 and 5l - 2n ) 0; thus,
n ) 20 2/5 and n 4 25 l/2. Since n is an integer, it follows that
n:21,22,23,24,or 25. Hence,
we havethe following
5 solutions:
Gy):
(3,9),(8,7),(13,5),(19,3),
and (23,t).
2.5Problems
l. Foreachof thefollowing
lineardiophantine
equations,
eitherfindall solutions,
or
showthat therearenointegralsolutions
a ) 2 x I 5 y : 1 1
b) l7x * l3y : 1gg
c) ZIx * l4y :147
d) 60x* l8y :97
e) t4o2x + t969y : r.
2. A studentreturningfrom Europechanges
his Frenchfrancsand Swissfrancs
into U.S.money.If he receives
$ll.9l and hasreceived
I7a for eachFrench
francand480 for eachSwissfranc,howmuchof eachtypeof currencydid he
exchange?

2.5 Linear DiophantineEquations 89
3. A grocer orders applesand orangesat a total cost of $8.39. If applescost him
25c each and oranges cost him 18c each and he ordered rnore apples than
oranges,how many of eachtype of fruit did he order? l€ I
4. A shopper spends a total of .85.49 for oranges, which cost l8o each, and
grapefruits, which cost 33c each. What is the minimum number of piecesof
fruit the shoppercould havebought?
5. A postal clerk has only l4-cent and 2l-cent stampsto sell. What combinations
of thesemay be usedto mail a packagerequiring postageof exactly
a) .t3.50 b) $4.00 c) $7.772
6. At a clambake,the total cost of a lobster dinner is $ I I and of a chicken dinner
is ,$8. What can you concludeif the total bill is
a) $777 b) $96 c) $692
7. Show that the lineardiophantine
equationafi1* a2x2* I anxn: b has
no solutionsif d / D, whered : (a1,a2,...,a11),
and hasinfinitely many solutionsif
d I b.
8. Findall integersolutions
of thefollowing
lineardiophantine
equations
a ) 2 x * 3 y l 4 z : 5
b ) 7 x * 2 l y * 3 5 2 : 8
d l0lx * 102y+ 1032
:1 .
9. Whichcombinations
of pennies,
dimes,
andquarters
havea totalvalue99c?
10. Howmanywayscanchange
bemadefor onedollarusing
a) dimesandquarters
b) nickels.
dimes,
andquarters
c) pennies,
nickels,
dimes,
andquarters?
I l. Findall integersolutions
of thefollowing
systems
of lineardiophantine
equations
a ) x * y * z : 1 0 0
x * 8 y * 5 0 2 : 1 5 6
b ) x + y + z : 1 0 0
x * 6y * 2lz :121
c ) x * y * z + w - 1 0 0
x t 2 y 1 3 z * 4 w - 3 0 0
x * 4 y * 9 z 1 ' 1 6 w - 1 0 0 0 .
12. A piggybank contains
24 coins,all nickels,dimes,and quarters. If the total
valueof thef,oins
istwodollars,
whatcombinations
of coinsarepossible?

13. Nadir Airways offers three types of tickets on their Bostonto New York flights.
First-classtickets are $70, second-class
ticketsare $55, and stand-bytickets are
$39. If 69 passengers
p^y a total of $3274 for their tickets on a particular
flight, how many of each type of tickets were sold?
14. Is it possible
to have50 coins,all pennies,
dimes,and quartersworth,$3?
15. Let a and b be relatively prime positiveintegersand let n be a positive integer.
We call a solution x )) of the linear diophantine equation ax * by : n
nonnegativewhen both x and y are nonnegative.
il Show that whenevern 2 G-l)(6-l) there is a nonnegativesolutionof
this equation.
b) Show that if n: ab - a - 6, then thereare no nonnegative
solutions.
c) Show that there are exactly (a-1)$-D/2 positiveintegersn such that
the equationhas a nonnegativesolution.
d) The post office in a small Maine town is left with stamps of only two
values. They discover that there are exactly 33 postage amounts that
cannotbe madeup usingthesestamps,including46c. What are the values
of the remainingstamps?
1. Find the solutionsof a linear diophantineequationin two variables.
2. Find the positivesolutionsof a linear diophantineequationin two variables.
3. Find the solutionsof a linear diophantineequation in an arbitrary number of
variables.
4. Find all positive integers n for which the linear diophantine equation
ax * by : n has no positivesolutions(seeproblem I 5).

Congruences
3.1 Introduction to Congruences
The special language of congruencesthat we introduce in this chapter is
extremely useful in number theory. This language of congruences was
developedat the beginningof the nineteenthcentury by Gauss.
Definition. lf a and b are integers,we say that a is congruent to b modulo
m i f m l ( a - b ) .
I f a i s c o n g r u e n t t o D
m o d u l o
m , w e w r i t e a = b ( m o d z ) . l f m I G - b ) ,
we write a # b (mod m), and say that a and b are incongruent modulo m.
Example. We have 22 = 4 (mod 9), since 9 | QZ-D : 18. Likewise
3 = -6 (mod 9) and 200 = 2 (mod 9).
Congruencesoften arise in everyday life. For instance,clocks work either
modulo 12 or 24 for hours, and modulo 60 for minutes and seconds.
calendars
work modulo 7 for days of the week and modulo 12 for months. Utility
meters often operate modulo 1000, and odometers usually work modulo
100000.
In working with congruences,it is often useful to translate them into
equalities. To do this, the following propositionis needed.
Proposition 3.1. If a and b are integers,then a = b (mod m) if and only if
there is an integer k such that a : b * km.

92 Congruences
Proof. If a:- b (mod m), then m I b-b). This means that there is an
integerk with km : a - b, sothat A : b * km.
Conversely,if there is an integer /< with a : b * km, then km : a - b.
Hencem I G-b), and consequently,
a = b (mod rn). tr
Example. We have 19 : -2 (mod 7) and 19 : -2 + 3'7.
The following proposition establishes some important properties of
congruences.
Proposition 3.2. Let m be a positiveinteger. Congruencesmodulo rn satisfy
the following properties:
(i) Reflexive property. If a is an integer,then a = a (mod m).
(ii) Symmetric property. If a and b are integers such that
a = b (mod m),then b = a (modrn).
(iii) Transitive property. If e, b, and c are integers with
a = b (mod m) andb :- c (mod m),then a 4 c (mod m ).
Proof.
(i) We seethat a = a (mod m), sincem I G-a) :0.
(iil If a: b (modm),thenm I Q-b). Hence,thereis an integerft
with km: a - b. This showsthat (-k)m: b - a. so that
m | (b-d. Consequently,
D =a (mod m).
(iii) If a = b (mod rz) and b =c (mod la), then m I G-b) and
m | (b-d. Hence,there are integersk and 0 with km: a - b
and Qm : b - c. Therefore, e - c : (a-D) + (b-c) :
km * Qm : (k+Dm. Consequently, m I G-d and
a ? c (mod z). tr
From Proposition 3.2, we see that the set of integers is divided into m
different sets called congruenceclassesmodulo m, each containing integers
which are mutually congruentmodulo m.
Example. The four congruenceclassesmodulo 4 are given by

3.1 Introductionto Congruences 93
Let a be an integer. Given the positiveinteger m, m ) l, by the division
algorithm, we have a : bm * r where 0 ( r ( ru - 1. From the equation
a: bm f r, we seethat a 3 r (mod z). Hence,every integeris congruent
modulo m to one of the integers of the set 0, 1,...,m- l, namely the
remainderwhen it is dividedby m. Sinceno two of the integers0, 1,...,m- |
are congruent modulo m, we have m integers such that every integer is
congruent to exactly one of these ln integers.
Definition. A complete system of residues modulo m is
such that every integer is congruent modulo m to exactly
set.
Example. The division algorithm shows that the
0, 1,2,...,m- | is a complete
system
of residues
modulorn.
setof least nonnegative
residuesmodulo m.
Example. Let m be an odd positive integer.
a set of integers
one integer of the
set of integers
This is called the
_ m - l
2
Then the set of integers
, m - 3 m - l
, r . . . t T r T
is a complete system of residues called the set of absolute least residues
modula m.
We will often do arithmetic with congruences. Congruenceshave many of
the same properties that equalities do. First, we show that an addition,
subtraction, or multiplication to both sides of a congruence preserves the
congruence.
Theorem3.1. If a, b, c, and m are integers with m ) 0 such that
a = b (modm). then
(il a*c=b+c(modm),
(iD e - c
--
S - c (modz).
(iiD ac bc (mod m).
Proof. Sincea = b (modm), we know that m I G-b). From the identity
G+d - (b+d - a - b, we seem llfu+d - $+c)1, so that (i) follows.
Likewise,(ii) followsfrom the fact that fu-c) - (b-c): a - b. To show
that (iiD holds,notethat ac - bc : cG-D. Sincem I Q-b), it follows
thatm I cb-b), andhence,
ac = bc (modm). tr
Example. Since l9 3 (mod 8), it follows from Theorem 3.1 that

94 Congruences
2 6 : 1 9 + 7 = 3 + 7 : l 0 ( m o d 8 ) , 1 5: 1 9 - 4 : 3 - 4 : - l ( m o d 8 ) ,
and 38 : l9'2 = 3'2: 6 (mod8).
What happenswhen both sidesof a congruenceare divided by an integer?
Considerthe following example.
Example.We have14:7.2:4.2:8 (mod6). But 7 * 4 (mod6).
This example shows that it is not necessarily true that we preserve a
congruencewhen we divide both sidesby an integer. However, the following
theorem givesa valid congruencewhen both sidesof a congruenceare divided
by the sameinteger.
Theorem 3.2. If a, b, c and m are integerssuch that m > 0, d : (c,m),
and ac = bc (mod z), then a :- b (mod m/d).
Proof. lf ac = bc (mod m),we know that m I Gc-bc): c(a-b). Hence,
there is an integer k with cb-b): km. By dividing both sidesby d, we
have G /il G-b) : k fu /d). Since (m /d ,c/d) : 1, from Proposition2.1 it
follows that m/d I Q-b). Hence,a :- b (mod m/il. a
Example. Since 50 = 20 (mod 15) and (10,5) : 5, we see that
50/10 : 20/10 (mod l5/il, or 5 = 2 (mod 3).
The following corollary, which is a special case of Theorem 3.2, is used
often.
Corollary 3.1. If a,b,c, and m are integerssuch that m 7 0, (c,m) : 1,
and ac = bc (mod la), then a = b (mod llz).
Example. Since 42 = 7 (mod 5) and (5,7) = 1, we can conclude that
42/7 :7/7 (mod 5), or that 6 : I (mod 5).
The following theorem, which is more general than Theorem 3.1, is also
useful.
Theorem 3.3. If e, b, c, d, and m are integers such that m ) 0,
a = b (mod nc), and c = d (mod rn), then
(i) a * c = b + d (modm),
(ii) a - c
-
fi - d (modm),
(iii) ac ? bd (mod m).
Proof. Since a = b (mod m) and c = d (mod m), weknow that m I G-U)

3.1 Introduction
to Congruences 95
a n d m l k - d ) . H e n c e ,t h e r ea r e i n t e g e r s
k a n d . 0 w i t h k m : a - b a n d
Q m : c - d .
To prove(i), notethat (c+c) - (b+d) : fu-b) + k-d): km * Qm:
(k+Dm. Hence, m ll,(a+c)
- (U+a)|. Therefore, Q * c = b *
d (modm).
To prove (ii), note that (a-c) - O-d) : b-b) - k-d) : km - Qm :
&-Dm. Hence,
mltG-c)-$-il1, sothat a - c
-
$ - d (modm)'
To prove (iii), note that ac - bd :ac - bc* bc - bd :
c G - b ) + O G - d ) : c k m t b Q m : m k k + b D . H e n c e , m I Q c - b i l .
Therefore,ac = bd (mod m). tr
Example. Since 13 = 8 (mod 5) and 7 =2 (mod 5), usingTheorem3.3 we
s e e t h a t 2 O - 1 3 + 7 : 8 + 2 : - 0 ( m o d 5 ) , 6 : 1 3 - 7
- 8 - 7 = I
(mod5), and 9l: l3'7 : 8'2:16 (mod5).
Theorem 3.4. If r612,,...,r^is a completesystemof residuesmodulom, and if
a is a fositive integer with (a ,fti) : 1, then
ar1 t b, ar2 * b,..., ar^ * b
is a completesystemof residues
moduloz.
Proof. First, we showthat no two of the integers
a r 1 * b , a r 2 * b , . . . ,a r ^ * b
are congruentmod ulom. To seethis, note that if
a r i * b = a r r * b ( m o d z ) ,
then, from (ii) of Theorem3.1,we know that
ari = ar1,(mod m) '
Because(a,m) : 1, Corollary 3.1 showsthat
rj : rp (mod m) .
Since,i # rp (mod m) if i # k, we concludethat i : k.
Since the set of integers in question consistsof m incongruent integers
modulo m, theseintegersmust be a completesystemof residuesmodulo ru. tr

96 Congruences
The following theorem showsthat a congruenceis preservedwhen both sides
are raisedto the samepositiveintegral power.
Theorem 3.5. rf a, b, k, and m are integers such that k 7 0, m ) 0, and
a = b (mod m), thenak = bk (mod m) .
Proof. Because
a = b (mod m), we haveml? - b). Since
ak - bk : (a-b) (ak-t+ak-zb+ . . . *abk-216k-11,
we see that G - DlGk - bk). Therefore, from Proposition1.2 it follows
that mlGk - Uk). Hence,ek : bk (mod m). tr
Example. Since 7 = 2 (mod 5), Theorem 3.5 tells us that 343: 73
= 23 = 8 (mod 5).
The following result showshow to combine congruencesof two numbers to
different moduli.
T h e o r e m3 . 6 . l f a : b ( m o d m y ) , a = b ( m o d f f i z ) , . . . ,
a = b ( m o d m 1 , )
wherea,b,ml, frt2,...,t/t1,
a;fointegerswith mt,frl2 ,...,t/r1
positive,then
a = b (mod lmpm2,...,mpl),
whereLm1,m2,...,rup1
is the leastcommonmultiple of mr,rrr2,...,t/tk.
P r o o f . S i n c ea = b ( m o d z l ) , a : - b ( m o df f i z ) , . . . ,
a = b ( m o dm t ) , w e
know that m, | (o - D,mzl G - b),...,m* IG-D. From problem20 of
Section2.3,we seethat
[ , m 1 , m 2 , . . . , m * ] l
Q - b ) .
Consequently,
a = b (modLm1,m2,...,m*l).
E
An immediate and useful consequenceof this theorem is the following
result.
C o r o l l a r y3 . 2 . l f a : D ( m o d z 1 ) , a = b ( m o df f i z ) , . . . ,a = b ( m o d z 1 )
where a and b are integers and ftt1,r/t2,...,,r,rt1,
are relatively prinie positive
integers,then
a = b (modn4rtltz." m).

3.1 Introduction to Congruences
Proof. Since ffi1,ftt2,...,t?11,
zfa pairwise relatively prime, problem 34 of Section
2.3 tells us that
l m 1 , m 2 , . . . , m k l
: f t l i l l 2 ' ' ' m k
Hence,from Theorem3.6 we know that
a :- b (mod wtfltz' ' ' m). a
In our subsequentstudies,we will be working with congruencesinvolving
large powersof integers. For example,we will want to find the leastpositive
residueo1 26+a
modulo 645. If we attempt to find this least positiveresidueby
first computing 2644,we
would havean integerwith 194decimaldigits,a most
undesirable thought. Instead, to find 26aamodulo 645 we first expressthe
exponent644in binary notation:
G4qro: (lolooooloo)2.
Next, we compute the least positive residues of 2,22,24,28
,...,2tt' by
successively
squaringand reducingmodulo 645. This givesus the congruences
2
22
2+
28
216
232
264
2128
22s6
2srz
2
4
16
256
391
16
256
391
l6
256
(mod645),
(mod645),
(mod649,
(mod645),
(mod645),
(mod645),
(mod645),
(mod645),
(mod649,
(mod64il.
We can now compute 2644modulo 645 by multiplying the least positive
residues
of the appropriatepowersof 2. This gives
26aa
- 2512+128+4
: 2512212824
= 256.391.
16
: 1 6 0 1 5 3 6 = I ( m o d 6 4 5 ) .
We have just illustrated a general procedure for modular exponentiation,
that is, for computing 6N modulo m where b, ffi, and N are positiveintegers.
We first expressthe exponentN in binary notation,as l{ : (arar-t...apo)2.
We then find the least positive residuesof b,b2,b4,...,b2'
modulorn, by
successively
squaringand reducingmodulo rn. Finally, we multiply the least
positiveresiduesmodulo m of bv for thosej with ai : l, reducing modulo rn
after eachmultiplication.

98 Congruences
In our subsequentdiscussions,
we will need an estimate for the number of
bit operations needed for modular exponentiation. This is provided by the
following proposition.
Proposition 3.3. Let b,m, and ,A/ be positive integerswithD < m.
Then the least positive residue of bN modulo m can be computed using
O (0og2m)2log2N)bit operations.
Proof. To find the least positive residue of bN(mod rn), we can use the
algorithm just described. First, we find the least positive residues of
b,b2,b4,...,62'modulo
m, where 2k < N < 2k*t, by successively
squaringand
reducingmoduloru. This requiresa total of O(0og2m)2log2N)bit operations,
becausewe perform [log2lf I squaringsmodulo m, eachrequiring o(Iogzm)2)
bit operations. Next, we multiply together the least positive residuesof the
integers bl correspondingto the binary digits of N which are equal to one,
and we reduce modulo m after each multiplication. This also requires
O(Qog2m)2log2,n/) bit operations, because there are at most log2N
multiplications, each requiring O((log2m)2) Uit operations. Therefore, a total
of O((log2m)2log2lf) bit operationsare needed. tr
3.f Problems
l. For which positiveintegersm are the following statementstrue
i l 2 7 : 5 ( m o dz )
b) 1000 -- 1 (mod rn)
c) l33l : 0 (mod ln)?
2. Show that if a is an even integer, then a2 = 0 (mod 4), and if a is an odd
integer, then a2 = I (mod 4).
3. Show that if a is an odd integer,then az = I (mod 8).
4. Find the least nonnegativeresiduemodulo l3 of
a) 22
b) 100
c) i00l
d) -l
e) -loo
f) -1000.
5.
6.
Show that if a, b, m, and n are integerssuch that m ) 0, n ) 0, n I m, and
a = b (mod rn), then a = b (mod n).
Show that if a,b,c, and m are integerssuch that c ) 0, mlO, and
a = b (mod rn), then ac J bc (mod mc).

3.1 Introductionto Congruences 99
7 . S h o w t h a t i f a , b , a n d c a r e i n t e g e r s w i t h c
) 0 s u c h t h a t a = b ( m o d c ) , t h e n
( a , c ) : ( b d .
8. Show that if ai =bi (mod z) for j : 1,2,...,n,
wherem is a positiveintegerand
Qi,bi, i : 1,2,...,n'areintegers,
then
n n
i l ) a 1 = ) b 1 ( m o d z )
j-t j-l
n n
b) fl ai:- fl b; (mod rn).
j-l '
t-t
r
In problems 9-11 construct tables for arithmetic modulo 6 using the least
nonnegativeresiduesmodulo 6 to representthe congruenceclasses.
9. Construct a table for addition modulo 6.
10. Construct a table for subtractionmodulo 6.
I l. Construct a table for multiplication modulo 6.
12. What time doesa clock read
a) 29 hours after it reads I I o'clock
b) 100 hours after it reads 2 o'clock
c) 50 hours before it reads 6 o'clock?
13. Which decimal digits occur as the final digit of a fourth power of an integer?
14. What can you concludeif a2 = 62 (mod p), where a and b are integersand p is
prime?
15. Show that if ak = bt (mod nr) and ak+t : bk+l (mod nr), wherea,b,k, and
m a r e i n t e g e r sw i t h k > 0 a n d m ) 0 s u c h t h a t ( a , m ) : 1 , t h e n
a = b (mod rn). If the condition (a,m): I is dropped,is the conclusionthat
a = b (mod z) still valid?
16. Show that if n is a positiveinteger, then
i l t + 2 + 3 + + ( n - l ) = 0 ( m o d n ) .
b ) 1 3 + 2 3 + 3 3 + + ( n - l ) 3 = o ( m o d n ) .
17. For which positiveintegersn is it true that
1 2+ 2 2 + 3 2 + * ( n - l ) 2 = o ( m o dn ) ?
18. Give a completesystemof residuesmodulo l3 consistingentirely of odd integers.
19. Show that if n = 3 (mod 4), then n cannot be the sum of the squaresof two
integers.
20. il Show that if p is prime, then the only solutions of the congruence
x2 =x (modp) arethoseintegers
x with x = 0 or I (modp).

100 Congruences
b) Show that if p is prime and ft is a positiveinteger,then the only solutionsof
x2 =x (mod pk) arethoseintegersx suchthat x E 0 or I (modpe).
21. Find the least positiveresiduesmodulo 47 of
Let t/t1,t/t2,...,nr be pairwise relatively prime positive integers. Let
M : mifiz' ' ' mp and Mj : M/mi for; - 1,2,...,k. Show that
M ( t r * M 2 a 2 * * M p a p
runs through a complete system of residues modulo M when a1,a2,...,a1,
run
through completesystemsof residuesmodulo rn1,nt2,...,r/t1,
respectively.
Explain how to find the sum z * v from the least positive residue of u * v
modulo m, where u and.v are positive integers less than z . (Hint: Assume
that u ( v and consider separately the caseswhere the least positive residue of
u I v is lessthan a, and where it is greater than v.)
on a computer with word size w, multiplicertion modulo n, where n I w f2, can
be performed as outlined. Let T:IJn + %1, and t : T2 - n. For each
computation, show that all the required computer arithmetic can be done without
exceedingthe word size. (This method was describedby Head t67]).
a) Show that lr | < r.
b) Show that if x and y are nonnegativeintegerslessthan n, then
x : a T * b , y : c T * d
where a,b,c, and d are integers such that 0 ( a ( Z, 0 < , < T,
0 ( c < T, and 0 < d < T.
c) Letz = ad * bc (mod n), with 0 ( z ( z. Show that
d ) L e t a c : e T * f w h e r e e a n d f a r e i n t e g e r s w i t h 0 ( e < T a n d
0 < / ( r . S h o w t h a t
xy : (z*et)T + ft * bd (mod n).
e ) L e t v : z * e r ( m o d n ) , w i t h 0 ( v ( n . S h o w t h a t w e c a n w r i t e
v : g T * h ,
where g and h are integerswith 0 ( g ( f,0 < h < T, and such that
xy : hT + V+S)t + bd (mod n).
232
a) b) 22w
c)
247
22.
23.
24.

3.1 Introduction
to Congruences 1 0 1
f) Show that the right-hand side of the congruence of part (e) can be
computed without exceedingthe word size by first finding j with
j = (f +s)l (mod n)
and 0 < j < n, and then finding /c with
k = j + D d ( m o d n )
a n d 0 < k < n . s o t h a t
x y : h T + f t ( m o d n ) .
This givesthe desiredresult.
25. Develop an algorithm for modular exponentiationfrom the base three expansion
of the exponent.
26. Find the least positiveresidueof
a) 3romodulo I I
b) 2r2modulo 13
c) 516modulo 17
d) 322modulo 23.
e) Can you proposea theorem from the abovecongruences?
27. Find the least positiveresiduesof
a) 5! modulo 7
b) 10!modulo 11
c) 12! modulo 13
d) 16! modulo 17.
e) Can you proposea theorem from the above congruences?
28. ProveTheorem 3.5 using mathematical induction.
29. Show that the least nonnegative residue modulo m of the product of two positive
integers lessthan m can be computed using O(logzm) bit operations.
30. a) Five men and a monkey are shipwrecked on an island. The men have
collected a pile of coconuts which they plan to divide equally among
themselvesthe next morning. Not trusting the other men, one of the group
wakes up during the night and divides the coconutsinto five equal parts with
one left over, which he gives to the monkey. He then hides his portion of
the pile. During the night, each of the other four men does exactly the
same thing by dividing the pile they find into five equal parts leaving one
coconut for the monkey and hiding his portion. In the morning, the men

102 Congruences
gather and split the remaining pile of coconuts into five parts and one is left
over for the monkey. What is the minimum number of coconuts the men
could havecollectedfor their original pile?
b) Answer the same question as in part (a) if instead of five men and one
monkey, there are n men and k monkeys, and at each stage the monkeys
receive one coconut each.
Write computer programs to do the following:
l. Find the least nonnegativeresidueof an integer with respectto a fixed modulus.
2. Perform modular addition and subtraction when the modulus is less than half of
the word sizeof the computer.
3. Perform modular multiplication when the modulus is less than half of the word
sizeof the computer using problem 24.
4. Perform modular exponentiationusing the algorithm describedin the text.
3.2 LinearCongruences
A congruenceof the form
ax = b (mod m)'
where x is an unknown integer, is called a linear congruencein one variable.
In this sectionwe will seethat the study of such congruences
is similar to the
study of linear diophantineequationsin two variables.
We first note that if x : xo is a solution of the congruence
ax 7 b (modm), and if x1 : r0 (modm), then ax13 axs- b (modz),
so that x 1 is also a solution. Hence, if one member of a congruenceclass
modulo m is a solution, then all members of this class are solutions.
Therefore,we'may ask how many of the m congruenceclassesmodulo m give
solutions;this is exactly the same as asking how many incongruent solutions
there are modulo m. The following theorem tells us when a linear congruence
in one variable has solutions, and if it does, tells exactly how many
incongruentsolutionsthere are modulo m.
Theorem 3.7. Let a, b, and m be integers with ru ) 0 and (a,m) : d. lf
d I b, then ax j D (mod rn) has no solutions. If d I b, then
ax 7 b (mod rn) has exactly d incongruentsolutionsmodulo z .

3.2 LinearGongruences 103
Proof. From Proposition3.1, the linear congruence ax 7 b (mod m) is
equivalent to the linear diophantine equation in two variables ax - m! : b.
The integer x is a solution of ax 7 b (mod m) if and only if there is an
integer y with ax - my : b. From Theorem2.8, we know that if d trb,
there are no solutions, while if d I b, ax - my : b has infinitely many
solutions,given by
x : r o * ( m / d ) t , l : l o + b / d ) t ,
where x : xo and y : !0 is a particular solution of the equation. The values
of x given above,
x : x o * ' ( m l d ) t ,
are the solutionsof the linear congruence;there are infinitely many of these.
To determine how many incongruent solutions there are, we find the
condition that describeswhen two of the solutionsxl : x0 + (m/d)tt and
x2: xo * (mld)tz are congruent modulo m. If these two solutions are
cbngruent,then
ro * fu/d)tr z xo * fu/d)t2(mod m).
Subtracting xo from both sidesof this congruence,we find that
fu/d)tr j @/d)t2 (modm).
Now (m,m/d) : m/d since@/d) | z, so that by
t r z 12(modd).
tt
"ore#
,ry*"see
that
A=h
This showsthat a complete set of incongruent solutionsis obtained by taking
x: xo+ (m/d)t, where / ranges through a complete system of residues
modulo d. One such set is given by x : xo + @/d)t where
/ : 0,1,2,...,d
- l. n
We now illustrate the useof Theorem
Example. To find allsolutions of 9x = 12 (mod l5), we first note that since
(9,tS) :3 and I l{hnere are exactly three incongruentsolutions. We can
find these solutions by first finding a particular solution and then adding the
appropriatemultiplesof l5/3 : 5.
To find a particular solution, we consider the linear diophantine equation
9x - l5y : 12. The Euclidean algorithm showsthat
A C,q,
r "v

104 Congruences
15:9'l + 6
9 :6'1 + 3
/' n 6:3'2,
0.t5)- ,))
so tha# s9 :'e.l : 9 - (tS-q.D :9-2 - 15. Hence9.8 - 15.4: 12, and
a particularsolutionof 9x - l5y : 12 is givenby
"o
: 8 and lo : 4.
From the proof of Theorem 3.7, we seethat a completeset of 3 incongruent
solutionsis given by t : x0 = 8 (mod l5), x : x0 + 5 = 13 (mod l5), and
x : x o + 5 ' 2 : 1 8 = 3 ( m o dl 5 ) .
We now considercongruences
of the specialform ax ? I (mod la). From
Theorem3.7, there is a solutionto this congruence
if and only if (a,m): l,
and then all solutions are congruent modulo rn. Given an integer a with
(a,m) : l, a solution of ax 7 I (mod lz) is called an inverse of
a modulo m. /
73 )ly = lF ai=F7 r3 ?- 2.5.I i =7- L{a,-'}'f.?{ ti'L
Example. Since the solutionsof 7x = I (mod 31) satisfyx = 9 (mod 3l),9,
and all integers congruent to 9 modulo 31, are inversesof 7 modulo 31.
Analogously,since 9'7 = I (mod 3l) , 7 is an inverseof 9 modulo 31.
When we have an inverse of a modulo z, we can use it to solve any
congruenceof the form ax 2 b (mod m). To seethis, let a be an inverseof
a modulo m , so that aa: I (mod rn). Then, if ax = D (mod m), we can
multiply both sides of this congruence by a to find that
a Gx) : ab (mod rn), so that x
-
[[ (mod ln ) .
Example. To find the solutions
of 7x:22(mod 31), we multiply both sides
of this congruence by 9,, an inverse of 7 modulo 31, to obtain
9-7x = 9-22(mod 31). Hence,x = 198 : 12 (mod 31).
We note here that if (a ,m) : l, then the linear congruence
ax j b (mod m) hasa unique solutionmodulo rn.
Example. To find all solutions of 7x = 4 (mod l2), we note that since
0,t2): l, there is a unique solutionmodulo 12. To find this, we needonly
obtain a solution of the linear diophantine equation 7x - l2y :4. The
Euclideanalgorithm gives
12:7' l + 5
7:5'l+2
5:2'2*l
2: 1.2.
[ : 5 - 2.2: 5 - 0-5.1).2: 5.3-2.7 : (12-7.1)
: 3 - 2.7-
Hence

3.2 Linear Congruences 105
12.3- 5.7. Therefore,a particular solutionto the linear diophantineequation
is xs : -20 and ys : 12. Hence, all solutionsof the linear congruences
are
givenby x = -20 = 4 (mod 12).
Later otr, we will want to know which integers are their own inverses
modulop wherep is prime. The following propositiontells us which integers
have this property.
Proposition 3.4. Let p be prime. The positive integer a is its own inverse
modulop if and only if a = | (modp) or e : -l (modp).
Proof. lf a :l(modp) or a : -l(modp), then a2 = l(modp), so that a
is its own inversemodulop.
Conversely,
if a is its own inverse
modulop, thena2: a'o: I (modp).
Hence, p I Gz-t). Since a2 - l: (a-l)(a+l), either p I G-l) or
p I G+t). Therefore,
eithera = I (modp) or q:- -1 (modp). E
3.2 Problems
l. Find all solutionsof eachof the followinglinearcongruences.
a)
b)
c)
3x = 2 (mod 7)
6x = 3 (mod 9)
l7x = 14 (mod 2l)
d) l5x = 9 (mod 25)
e) l28x = 833 (mod 1001)
f) 987x = 610 (mod 1597).
2 . L e t a , b , a n d m b e p o s i t i v e i n t e g e r s w i t h a
7 0 , m ) 0 , a n d ( a , m ) : L T h e
following method can be usedto solvethe linear congruenceax 2 b (mod m).
a) Show that if the integer x is a solution of ax = b (mod m), then x is also
a solution of the linear congruence
ag - -b[m/al (modzr).
where c1 is the least positive residue of m modulo a. Note that this
congruenceis of the same type as the original congruence,with a positive
integer smaller than a as the coefficientof x.
b) When the procedure of part (a) is iterated, one obtains a sequenceof
linear congruences with coefficients of x equal to
oo: cr ) a1) a2) Show that there is a positiveintegern with
d, : l, so that at the nth stage, one obtains a linear congruence
x = B ( m o d n ) .

106 Congruences
c) Use the method described in part (b) to solve the linear congruence
6x = 7 (mod 23).
3. An astronomer knows that a satellite orbits the earth in a period that is an
exact multiple of I hour that is less than I day. If the astronomer notes that
the satellite completes 11 orbits in an interval starting when a 24-hour clock
reads 0 hours and ending when the clock reads l7 hours,how long is the orbital
period of the satellite?
4 . F o r w h i c h i n t e g e r s cw i t h 0 ( c < 3 0 d o e s t h e c o n g r u e n c e l 2 x
= c ( m o d 3 0 )
have solutions? When there are solutions,how many incongruent solutionsare
there?
5. Find an inversemodulo 17 of
4 c ) 7
s d) re.
6. Show that if d'is an inverseof a modulo m and D is an inverseof D modulo m.
then a-i ir un inverseof ab modulo z.
7. Show that the linear congruence in two variables ax * by = c (mod z),
where a,b,c,and, m are integers,
m ) 0, with d : G,b,m), has exactlydm
incongruentsolutions,f d I c, and no solutionsotherwise.
8. Find all solutionsof the following linear congruencesin two variables
* 3 y : I ( m o d 7 ) c ) 6 x * 3 y = 0 ( m o d 9 )
+ 4v = 6 (mod 8) d) lOx * 5v = 9 (mod l5).
9. Let p be an odd prime and k a
x2 = I (mod pt) has exactly
x E - f l ( m o d p t ) .
10. Show that the congruence x2 = I (mod 2ft) has exactly four incongruent
solutions,namely x E tl or +(t+Zk-t) (mod 2ft), when k > 2. Show that
when k : I there is one solution and when k :2 there are two incongruent
solutions.
I l. Show that if a and m ^re relatively prime positive integers with a ( rn, then
an inverseof a modulo m can be found using O (log m) bit operations.
12. Show that if p is an odd prime and a is a positive integer not divisible by p,
then the congruence x2 = a (mod p) has either no solution or exactly two
incongruentsolutions.
a)
b)
a) 2x
b) 2x
positive integer. Show that the congruence
two incongruent solutions, namely

3.3 The Chinese Remainder Theorem 107
l. Solvelinear congruence
using the methodgiven in the text.
2. Solvelinearcongruences
using the methodgivenin problem2.
3 .
4.
5 .
Find inversesmodulo m of integersrelatively prime to ln where m is a positive
integer.
Solve linear congruencesusing inverses.
Solve linear congruencesin two variables.
3.3 The ChineseRemainderTheorem
In this sectionand in the one following,we discusssystemsof simultaneous
congruences.We will study two typesof such systems. In the first type, there
are two or more linear congruencesin one variable, with different moduli
(moduli is the plural of modulus). The secondtype consistsof more than one
simultaneouscongruencein more than one variable, where all congruences
havethe samemodulus.
First, we considersystemsof congruences
that involveonly one variable,but
different moduli. Such systemsarosein ancient Chinesepuzzlessuch as the
following: Find a number that leavesa remainderof I when divided by 3, a
remainderof 2 when divided by 5, and a remainderof 3 when divided by 7.
This puzzleleadsto the following systemof congruences:
I (mod 3). x 2 (mod5),x 3 (mod 7)
We now give a method for finding all solutions of systemsof simultaneous
congruences
such as this. The theory behind the solution of systemsof this
type is provided by the following theorem, which derivesits name from the
ancientChineseheritageof the problem.
The Chinese Remainder Theorem. Let rlt1,r/t2,...,trtrbe pairwise relatively
prime positiveintegers. Then the systemof congruence
a 1 ( m o dz 1 ) ,
a2(mod,m2),
ar(modm,),
x
x
hasa uniquesolutionmoduloM - tltfitz

108 Congruences
Proof. First, we construct a simultaneous solution to the system of
congruences. To do this, let Mk : M/mt : fttlll2. . . tytk_rntk+l . mr.
we know that (Mr, mt) : I from problem8 of Section2.1, since
(mi, mp) : I wheneveri I k. Hence, from Theorem3.'7,we can find an
inverse./r of M1 modulo mp, so that Mt lr, = I (mod mt). We now form
the sum
x : a t M 0 1 * a 2 M 2 1 , t 2 * * arMry,
The integer x is a simultaneous solution of the r congruences. To
demonstratethis, we must show that x ? ar, (mod m1) for k : 1,2,...,r.
since mt I Mi wheneverj * k, we have Mj :0 (mod nzp). Therefore,in
the sum for x, all terms except the kth term are congruent to 0 (mod m).
Hence,x ? etM*lr: ak (mod m*), sinceM*t = I (mod m).
We now show that any two solutionsare congruent modulo M. Let xs and
x 1 both be simultaneoussolutionsto the system of r congruences.Then, for
eachk, x0 E xr E ar (mod m*), so that mr | (xo-x). Using Theorem3.7,
we see that M l(xe-x1). Therefore,x0 E x1 (mod M). This showsthat the
simultaneoussolutionof the systemof r congruences
is unique modulo M. tr
We illustrate the use of the Chinese remainder theorem by solving the
systemthat arisesfrom the ancient Chinesepuzzle.
Example. To solvethe system
x = I (mod3)
x = 2 ( m o d 5 )
x = 3 (mod 7),
we have M - 3.5.7: 105, Mr: 105/3: 35, Mz: IA5/5: 21, and
Mt: 105/7: 15. To determine !r, we solve 35yr= I (mod 3), or
equivalently,2yr= I (mod 3). This yieldsjzr E 2 (mod 3). We find yzby
solving 2lyz: I (mod 5); this immediately giveslz = I (mod 5). Finally,
wefind ytby solvingr5yt= 1 (mod 7). Thisgives/r E I (mod 7). Hence,
x E l'35'2+ 2.21.1
+ 3.15.1
--
157= 52 (mod105).
There is also an iterative method for solving simultaneous systems of
congruences.We illustrate this method with an example. Supposewe wish to
solvethe system

3.3 The Chinese Remainder Theorem
x = l ( m o d
x = 2 ( m o d
x = 3 ( m o d
s)
6)
7 ) .
We use Proposition3.1 to rewrite the first congruenceas an equality, namely
x : 5t * l, where / is an integer. Inserting this expressionfor x into the
secondcongruence,we find that
5 r + l : 2 ( m o d 6 ) .
which can easily be solved to show that / : 5 (mod 6) Using Proposition
3.1 again, we write t : 6u * 5 where u is an integer. Hence,
x :5(6rz+5) * I : 30u 126. When we insert this expression
for x into the
third congruence,we obtain
30u t 26 = 3 (mod 7).
When this congruenceis solved,we find that u : 6 (mod 7). Consequently,
Proposition3.1 tells us thatu -7v * 6, wherev is an integer. Hence,
x : 30(7v+6) + 26 :210v + 206.
Translating this equality into a congruence,we find that
x : 2O6(mod 210),
and this is the simultaneoussolution.
Note that the method we have just illustrated shows that a system of
simultaneous questions can be solved by successively solving linear
congruences.This can be done even when the moduli of the congruences
are
not relatively prime as long as congruences
are consistent. (Seeproblems7-10
at the end of this section.)
The Chinese remainder theorem provides a way to perform computer
arithmetic with large integers. To store very large integersand do arithmetic
with them requires special techniques. The Chinese remainder theorem tells
us that given pairwise relatively prime moduli r/t1,r/12,...,ffi,,
a positiveinteger
n with n < M : rltiltz' ' ' mr is uniquely determined by its least positive
residuesmoduli mi for j : 1,2,...,r. Supposethat the word sizeof a computer
is only 100, but that we wish to do arithmetic with integers as large as 106.
First, we find pairwise relatively prime integers lessthan 100 with a product
exceeding
106;for instance,
we can take mt:99, r/t2:98, m3:97, and
mq: 95. We convert integerslessthan 106into 4-tuplesconsistingof their
least positive residuesmodulo mt, ffi2, n43, a;fidfti4. (To convert integers as

1 1 0 Congruences
large as 106into their list of least positiveresidues,we needto work with large
integers using multiprecision techniques. However, this is done only once for
each integer in the input and once for the output.) Then, for instance,to add
integers, we simply add their respective least positive residues modulo
tntt,t/t2,rn3, ?,fid ftr4, rrrzking use of the fact that if x = xi (mod m) and
! = li (mod m), then x * y : xi * y; (mod m). We then usethe Chinese
remainder theorem to convert the set of four least positiveresiduesfor the sum
back to an integer.
The following exampleillustratesthis technique.
Example. We wish to add x : 123684 and y : 413456 on a computer of
word size 100. We have
x = 33 (mod99),
x?8(mod98),
x:9(mod97),
x = 89 (mod95).
y = 32 (mod99),
y = 92 (mod98),
y : 42 (mod97),
y = 16(mod95),
so that
x + Y = 6 5 ( m o d 9 9 )
x + y : 2 ( m o d 9 8 )
x + Y = 51 (mod 97)
x + y : 1 0 ( m o d 9 5 ) .
We now use the Chinese remainder theorem to find x * y modulo
99'98'97'95.We haveM :99'98.97.95 : 89403930,
Mr: M/99:903070,
M z : M l 9 8 : 9 1 2 2 8 8 , M t : M l 9 7 : 9 2 1 6 9 0 , a n d M q : M l 9 5 : 9 4 1 0 9 4 .
We need to find the inverse of Mi (mod /i) for i : 1,2,3,4. To do this, we
solvethe following congruences(using the Euclideanalgorithm):
9O307Oy
t = 9ly r
- 1 (mod 99),
9 1 2 2 8 5 y 2 : 3 y z : I ( m o d 9 8 ) ,
921690y3: 93y3 = I (mod 97),
941094ya= 24yq = I (mod 95).
We find that yr:37 (mod 99), yz = 38 (mod 98), /r
--
24 (mod 97), and
!+= 4 (mod95). Hence,
x * y = 65'903070'37+ 2'912285'33+51'921690'24+ l0'941094'4
: 3397886480
= 537140(mod 39403930).
Since0 ( x * y < 89403930,we concludethat x + y : 537140.

3.3 The Chinese Remainder Theorem 1 1 1
On most computersthe word sizeis a large powerof 2, with 235a common
value. Hence,to use modular arithmetic and the Chineseremaindertheorem
to do computer arithmetic, we need integerslessthan 235that are pairwise
relatively prime which multiply together to give a large integer. To find such
integers,we use numbersof the form 2m - l, where m is a positiveinteger.
Computerarithmetic with thesenumbersturns out to be relativelysimple (see
Knuth t57l). To producea set of pairwiserelatively prime numbersof this
form, we first provesomelemmata.
Lemma 3.1. If a and b are positiveintegers,then the least positiveresidueof
Za - I modulo 2b - I is 2' - 1, where r is the least positiveresidueof a
modulob.
Proof. From the division algorithm, c : bq * r where r is the
residue of a modulo b. We have (2o-l) :
(Zb_DebQ-t)+r a + 2b+,+2,)+ (2,-l), which shows
remainderwhen 2a - I is divided by 2b - I is 2' - l; this is the
residueof 2o - 1 modulo 26 - 1. D
We useLemma 3.1 to Prove
Lemma 3.2. lf a and b are
divisorof 2o - 1 and 2' - 1 is
least pos'itive
12b++r
-1) :
that the
leastpositive
the following result.
positive integers, then the greatest common
2k,b)- 1.
we
0 ( 1 2 ( 1 1
0 ( r : ( - r z
Proof. When we perform the Euclideanalgorithm with a : ro and b -
obtain
f g : r t Q t * r Z
f 1
: r 2 Q 2 - t r 3
: l n - 2 Q n - 2 *
0<
wherethe last remainder, is the greatestcommondivisorof a and b.
Using Lenrma 3.1. and the stepsof the Euclideanalgorithm with a : rs
and b : , r, when we perform the Euclidean algorithm on the pair
2a - I : Ro and2b - I : R1, w€ obtain

112 Congruences
Rs :RrQr*Rz
R1 :RzQz*R:
R 2 : 2 " - |
R 3 : 2 " -
Rn-r : Rn-zQn-z* Rn-l ^
Rn-z: Rn-tQn-t.
--,'-r
Rn-t : 2r'-t-1
Here the last non-zeroremainder,Rn-l : )r'-r - I : 2G'b)- l, is the greatest
commondivisorof Ro and R1. tr
From Lemma 3.2, we have the following proposition.
Proposition 3.5. The positiveintegers2a - 1 and 2b - I are relatively prime
if and only if a and b arerelatively prime.
We can now use Proposition3.5 to producea set of pairwise relatively prime
integers,each of which is lessthan 235,with product greater than a specified
integer. Supposethat we wish to do arithmetic with integersas large as 2186.
We p:gk lfir:2t5 - I, tltz:zto - l, t/t3:233 - l, t7t4- ztt - l,
tns: 22e
- l, and r/t6:22s - l. Since the exponents
of 2 in the expressions
for the mi are relatively prime, by Proposition 3.5 the M i's are pairwise
relatively prime. Also, we have M : H!fl2nt3n4qrflsftio2 2t86. we can now
use modular arithmetic and the Chinese remainder theorem to perform
arithmeticwith integersas large as 2186.
Although it is somewhat awkward to do computer operations with large
integers using modular arithmetic and the Chinese remainder theorem, there
are some definite advantagesto this approach. First, on many high-speed
computers, operations can be performed simultaneously. So, reducing an
operation involving two large integers to a set of operationsinvolving smaller
integers,namely the least positiveresiduesof the large integerswith respectto
the various moduli, leads to simultaneous computations which may be
performed more rapidly than one operation with large integers. Second,even
without taking into account the advantagesof simultaneous computations,
multiplication of large integersmay be done faster using theseideasthan with
many other multiprecision methods. The interested reader should consult
Knuth t561.

3.3 The Chinese RemainderTheorem 1 1 3
3.3 Problems
l. Find all the solutionsof eachof the followingsystems
of congruences.
b ) x = l ( m o d 2 )
x = 2(mod 3)
x = 3(mod 5)
x = 0(mod 2)
x = O(mod3)
x E l(mod 5)
x = 6(mod 7)
d ) x : 2 ( m o d l l )
x = 3(mod 12)
x = 4(mod 13)
x E 5(mod 17)
x = 6(mod l9).
A troop of 17 monkeys store their bananas in elevenpiles of equal size with a
twelfth pile of six left over. When they divide the bananasinto 17 equal groups
none remain. What is the smallestnumber of bananasthey can have?
As an odometercheck, a specialcounter measuresthe miles a car travels modulo
7. Explain how this counter can be used to determine whether the car has been
driven 49335, 149335,or 249335 miles when the odometer reads 49335 and
works modulo 100000.
4. Find a multiple of I I that leavesa remainder of I when divided by each of the
integers2,3,5,and 7.
5. Show that there are arbitrarily long strings of integerseach divisible by a perfect
square. (Hint: Use the Chinese remainder theorem to show that there is a
simultaneous solution to the system of congruences x 5 0 (mod 4),
x = -l (mod 9), x: -2 (mod 25),..., x
- -ls*l (mod p|), where p1, is the
kth prime.)
6" Show that if a,b, and c are integerswith (a,b) :1, then there is an integer n
suchthat Gn*b.c) : l.
In problems7-10 we will considersystemsof congruenceswhere the moduli of
the congruences
are not necessarilyrelatively prime.
Show that the systemof congruences
x 4 a1 (mod rn1)
x :- a2 (mod m2)
has a solution if and only if (m6m2) | Gra). Show that when there is a
solution,it is unique modulo (lmvmzl). (Hint: Write the first congruenceas
x : a, * km, where ft is an integer, and then insert this expressionfor x into
the secondcongruence.)
Using problem 7, solvethe following simultaneoussystemof congruences
a ) x : 4 ( m o d l l ) c )
x = 3(mod 17)
2.
3 .
7 .
8.

1 1 4 Congruences
b)
-
a t x :
y -
4 (mod 6)
1 3 ( m o d 1 5 )
x = 7 ( m o d l 0 )
x = 4 ( m o d 1 5 ) .
9. Show that the systemof congruences
x t a1 (modz1)
x z az (mod m2)
-
v, 3 4, (mod ln")
has a solution if and only if (m;,m1) | G, - a) for all pairs of integers(i,7)
with I (i <l (r. Show that if a solutionexists,then it is unique modulo
lm1, m2,...,ffi,l. (Hint: Use problem7 and mathematicalinduction.)
10. Using problem 9, solvethe following systemsof congruences
a ) x = 5 ( m o d 6 )
x = 3 ( m o d l 0 )
x = 8 ( m o d 1 5 )
d) .r = 2 (mod 6)
x = 4 ( m o d 8 )
x = 2 ( m o d 1 4 )
x = 14 (mod 15)
x = 7 ( m o d 9 )
x = 2 (mod l0)
x = 3 ( m o d 1 2 )
x = 6 ( m o d l 5 ) .
b)
c)
x = 2 (mod 14)
x = 16 (mod 2l) e)
x : l0 (mod 30)
x = 2 ( m o d 9 )
x = 8 ( m o d 1 5 )
x = l0 (mod 25)
l l .
t2.
What is the smallestnumber of eggsin a basket if one egg is left over when the
eggsare removed2,3,4,5,or 6 at a time, but no eggsare left over when they are
removed7 ata time?
Using the Chinese remainder theorem, explain how to add and how to multiply
784 and 813 on a computerof word size 100.
13. A positive integer x * | with n base b digits is called an
automorph to the base b if the last n baseb digits of xz are the same as those
o f x .
a) Find the base l0 automorphswith four or fewer digits.
b) How many base b automorphs are there with n or fewer base b digits, if b
has prime-power factorization 6 : pl' pl' ' ' ' pl,' Z
14. According to the theory of biorhythms, there are three cycles in your life that
start the day you are born. These are the physical, emotional, and intellectual
cycles, of lengths 23,28, and 33 days, respectively. Each cycle follows a sine

3.3 The ChineseRemainder
Theorem 1 1 5
curve with period equal to the length of that cycle,starting with amplitude zero,
climbing to amplitude I one quarter of the way through the cycle,droppingback
to amplitude zero one half of the way through the cycle, dropping further to
amplitude minus one three quartersof the way through the cycle,and climbing
back to amplitude zeroat the end of the cycle.
Answer the following questionsabout biorhythms,measuringtime in quarter
days (sothat the units will be integers).
a) For which days of your life will you be at a triple peak, where all of your
three cyclesare at maximum amplitudes?
b) For which days of your life will you be at a triple nadir, where all three of
your cycleshave lowestamPlitude?
c) When in your life will all three cyclesbe a neutral position(amplitude0)?
15. A set of congruences
to distinct moduli greater than one that has the property
that every integer satisfiesat least one of the congruencesis called a covering set
of congruences.
a) Show the set of congruences x = 0 (mod 2), x = 0 (mod 3),
x = | (mod 4), x = I (mod 6), and x = ll (mod 12) is a coveringset of
congruences.
b) Show that the set of congruences x = 0 (mod
x = 0 (mod 5), x = 0 (mod7), x = I (mod6), x
( m o d l 4 ) , x = 2 ( m o d l 5 ) , x = 2 ( m o d2 l ) , x 7
(mod 35), x = 5 (mod 42), x = 59 (mod 70), and x
coveringset of congruences.
l. Solve systemsof linear congruences
of the type found
theorem.
x = 0 ( m o d 3 ) ,
( m o d l 0 ) , x = l
( m o d 3 0 ) , x - 4
104(mod 105)is a
Let m be a positive integer with prime-power factorization
^ : zo'p'r'pi' p:' . Show that the congruencex2 = 1 (mod m) has exactly
2'+' solutions
wheree : }if a6 : 0 or l, € : I if a6 : 2, ande : 2 if as} 2.
(Hint: Use problems9 and l0 of Section 2.3.)
The three childrenin a family havefeet that are 5 inches,7 inches,and 9 inches
long. When they measurethe length of the dining room of their house using
their feet, they each find that there are 3 inches left over. How long is the
dining room?
),
r l
2)
it
the Chineseremainder
2. Solvesystems
of linear congruences
of the type givenin problems7-10.
3. Add large integersexceedingthe word size of the computer using the Chinese
remainder theorem.

1 1 6 Congruences
4. Multiply large integers exceedingthe word size of the computer using the
Chineseremainder theorem.
5. Find automorphsto the baseD, where b is a positiveinteger greater than one
(seeproblem 13).
6. Plot biorhythm charts and find triple peaksand triple nadirs (seeproblem l4).
3.4 Systemsof Linear Congruences
We will considersystemsof more than one congruenceinvolvingthe same
number of unknowns as congruences,
where all congruences
have the same
modulus. We beginour study with an example.
Supposewe wish to find all integers x and y such that both of the
congruences
3x * 4y :5 (mod 13)
2x t 5y = 7 (mod 13)
are satisfied. To attempt to find the unknownsx and |, we multiply the first
congruenceby 5 and the secondby 4, to obtain
I 5x * 20y = 25 (mod13)
8x * 20y :- 28 (mod13).
We subtractthefirst congruence
from the second,
to find that
7x = -3 (mod l3).
Since 2 is an inverseof 7 (mod 13), we multiply both sides of the above
congruences
by 2. This gives
2'7 x : -2'3 (mod 13),
which tells us that
x = 7 (mod l3).
Likewise,we can multiply the first congruenceby 2 and the secondby 3, to
seethat

3.4 Systems of Linear Congruences
6x * 8y = l0 (mod13)
6x * l5y
--
2l (modl3).
Whenwesubtract
thefirstcongruence
fromthesecond,
weobtain
7y = 11 (mod 13).
both sidesof this congruence
by 2, an inverseof 7
Z " l y : 2 ' l l ( m o dl 3 ) ,
v = 9 (mod l3).
What we haveshownis that any solution(xy) must satisfy
x = 7 (mod l3), y = 9 (mod l3).
When we insert thesecongruences
for x and y into the original system,we see
that thesepairs actually are solutions,
since
Hence, the solutions of this system of congruencesare
x = 7 (mod 13) and v = 9 (mod l3).
l3)
I3).
all pairsG,y) with
We now give a generalresult concerningcertain systerns
of two congruences
in two unknowns.
Theorem3.8. Let a,b,c,d,€,f ,and m be integers
with m ) 0, suchthat
(L,m) : l, whereA: ad-bc. Then,the systemof congruences
a x * b y : e ( m o d m )
c x * d y : f ( m o d m )
has a unique solution modulo m givenby
"
= 4 @e-bfl (mod ln)
y = L Gf -ce) (mod m),
where A ir un inverseof A modulo m.
Proof. We multiply the first congruenceof the systemby d and the secondby
b. to obtain
117
To solvefor y, we multiply
modulo 13 . We get
so that
3x * 4y : 3'7+ 4'9: 57 =5 (mod
2x * 5v = 2'7+5'9 : 59: 7 (mod

1 1 8 Congruences
adx * bdy = de (mod m)
bcx * bdy = bf (mod m) .
Then, we subtract the secondcongruencefrom the first, to find that
Gd-bc) x = de-bf (mod m),
or, sinceA: ad-bc,
Ax = de-bf (mod rn).
Next, we multiply both sidesof this congruence
by A, an inverseof A modulo
m, to concludethat
x = A @e-bfl (mod la).
In a similar way, we multiply the first congruence
by c and the secondby a,
to obtain
acx * bcy = ce (mod m)
acx * ady = af (mod m).
We subtract the first congruencefrom the second,to find that
Gd-bc)y : of -ce (mod z)
or
Ly : af -ce (mod na).
Finally, we multiply both sidesof the abovecongruence
by r to seethat
y = I bf -cd (mod z).
We have shown that if (x,y) is a solution of the systemof congruences,
then
x = A @e-bf) (mod z) , y = L bf -ce) (mod z).
We can easily check that anX such pair G,y) is a solution. When
x=A @e-bfl (mod m) andy: ibf -tri (mod m), we have

3.4 Systems of Linear Congruences 1 1 9
a x * b y gE @r-bn + bA Gf -ce)
L bde-abf -abf -bce)
L, fud-bc) e
e (modm),
and
cx * dy :
4 tat-bn + dE Gf -ce)
:- L Gde-brf + adf-cde)
= a bd-bdf
= A'L,f
:
/ (modm).
This establishes
the theorem. tr
By similar methods,we may solve systemsof r congruences
involving n
unknowns. However,we will developthe theory of solving such systems,as
well as larger systems,by methods taken from linear algebra. Readers
unfamiliar with linear algebra may wish to skip the remainderof this section.
Systemsof r linear congruences
involving n unknowns will arise in our
subsequent
cryptographicstudies. To study thesesystemswhen r is large, it
is helpful to use the languageof matrices. We will use some of the basic
notionsof matrix arithmetic which are discussed
in most linear algebratexts,
suchas Anton t0Ol.
We needto definecongruences
of matrices beforewe proceed.
Definition. Let A and B be nxk matriceswith integer entries,with (i,/)th
entriesaii and br7, respectively. We say that A is congruent to B modulo m
i f a i i - b i j ( m o dm ) f o r a l l p a i r s ( i , 7 ) w i t hI < t ( n a n d t ( , r < k . W e
write A
-
B (mod m) if I is congruentto B modulom.
The matrix congruence A = B (mod m) provides a succinct way of
expressing the nk congruences o,j = bi1 (mod m) for I ( i ( rz and
I ( 7 < /c.
Example. We easilyseethat
f" 3l
L8 12)
(q 3l
l: rJ (mod
rr)'
needed.
The followingproposition be

120 Gongruences
Proposition 3.6. lf A and B are nxk matriceswith A : B (mod m), C is
an kxp matrix and D is a pxn matrix, all with integer entries,then
AC = ^BC(mod m) andDA = DB (mod m).
Proof. Let the entriesof A and B be a;i and b,7,respectively,for I ( i ( n
a n d l ( 7 < k , a n d l e t t h e e n t r i e so f C b e c i i n f o r l < i < k a n d
1 ( 7 ( p. The (i,/)th entriesof AC and BC are ) ai1c1iand 2 bi,c,j,
respectively.
SinceA
--B (mod m),weknow thuto,,'--Lb;,(mod ,)j'rc, utt
i and k. Hence, from Theorem 3.3 we see that b o,,r,j z
n
' : l
2 bnc,i (mod ne). Consequently,
AC
---
BC (mod la).
t : l
The proof that DA : DB (mod m) is similar and is omitted. tr
Now let us considerthe systemof congruences
Q n r X t * a n Z X Z *
*er, xn
---
b1 (modm)
*?r, x, 2 b2 (modm)
lann xn : bn (mod rn ).
Q t t X t l a n x z *
A Z tX t * a Z ZX Z t
Using matrix notation,we seethat
to the matrix conqruence
AX = B
this systemof /, congruences
(mod lz ).
is equivalent
Q t t a n
azt azz
Q l n
Q 2 n
X 1
X 2
xn
b y
bz
bn
whereA :
Anl An2 Onn
, a n d B :
,X:
Example. The system
3x*.4y
2xt5y
(mod 13)
(mod l3)
:{
can be written as

3.4 Systemsof LinearCongruences 121
b 4l f'l fsl
| | | [ - Ll (modl3).
12 sJ lyj L7J
We now develop a method for solving congruences of- the form
AX = B (mod m). This method is basedon finding a matrix I such that
7Z - 1 (mod m), where1 is the identity matrix.
Definition. lf A and,q arenxn matricesof integersand if
f'o ol
l l
tra -,qI:/ (mod
z), where
I : lo
t
...
ol
istheidentity
matrix
of
ll
100 t,l
order n, then 7 is said to be an inverseof A modulo m .
If A is an inverseof A and B : 7 (moOrn), then ^Bis also an inverseof
A. This followsfrom Proposition3.6,sinceBA = AA = I (mod m).
Conversely,
if 81 and 82are both inverses
of A,then Br= 82(modm). To
seethis, usingProposition3.6 and the congruence
B1A = BzA = I (modm),
we haveBABI: B2ABr (modlcl). SinceABt:1 (modm), we conclude
that Bt Z Bz (mod ln).
Example. Since
:;l [t:): [t,[] =
[;?]
(m.d
5,
and
1,r
4l Ir 3.l
: f" xl : |,rol (mod5),
|.12) l.24) 15il,l l0rJ
we seethat the 1-^+riv['
ol
,. ^
[r l]
natrix
l, r,Jisaninverse
of
l, o)modulo
5.
The followingproposition
givesan easymethodfor findinginverses
for 2x2
matrices.
Proposition
3.7. Let A -
t:')
be a matrix of integers,such that
A : detA : ad-bc ts relativelyprime to the positiveintegerm. Then,the

122 Congruences
matrix
r =fo-ul
: o
l-. o)'
wherea is the inverse
of A modulom,isan inverse
of I modulom.
Proof. To verify that tbg matrix 7 ir an invers
e of A modulo ra, we need
only verify that AA = AA =I (mod z).
To seethis, note that
f"
u)-l a -ol -fad-bc o l
A A : | , l 4 l l : n l . l
Va)-l-c oJ--l 0 -bc+ad)
-faol faao I frol
= ^|-ooj=l
o ooj=lo',l:
1(mod
z)
and
-f a -n) (" ol - fad-bc o I
A A = L I | | - t : A I I
--f-.
a)lrd) al0 -bc+ad)
[aol faaol l,r
ol
: A
fooJ
:
I o lo,l=
[o',l: I (mod
m)'
wheref ir un inverseof A (mod m), which existsbecause(a,.d : l. tr
ir+l
Example.Let A :
lr r,J. Since2 is an inversedetA:7 modulo13,we
have
tr_2 1.
s _+l: |,ro_sl
= |'rosl
(moar).
l-23) l-46) l.e6J
To provide a formula for an inverseof an nxn matrix where n is a positive
integer, we need a result from linear algebra. This result may be found in
Anton [60; page 791. It involvesthe notion of the adjoint of a matrix, which
is definedas follows.
Definition. The adjoint of an nxn malrix A is the nn matrix with (i,;)th
entry Cyi, where Cii is (-l)t+i times the determinantof the matrix obtained
by deletingthe ith row and 7th column from A. Thg adjoint of I is denoted

3.4 Systems of Linear Congruences 123
by adj(l).
Theorem 3.9. If A is an nxn matrix with detA* 0, then
A GdjA) : (det A) I , where adj A is the adjoint of A.
Using this theorem,the followingpropositionfollowsreadily.
Proposition 3.8. If A is an nn matrix with integer entries and rn is a
positiveintegersuch that (det 'q,U) :1, then the matrix A : A (adj A) is
an inverseof I modulom, whereA is an inverseof A : det A modulom.
Proof. If (det A,m) : l, then we know that detA * 0. Hence, from
Theorem3.9.we have
A a d j A : ( d e t n l : A 1 .
Since (det Z,nl) : l, there is an inverseA of A : det I moduloz. Hence,
A (A adj A) = A ' {.zLdj
nE - afl = I (mod m),
and
e tuolilA - [ (uojA ' A) - aar : 1 (mod
rn).
This showsthat 7 :^ ' (adj l) is an inverseof I moduloru. tr
fzsol
Example. Let A :
120
2|.. Then detA: -5. Since(detA,7) :1, and an
u 23J
inverseof det A : -5 is 4 (mod 7), we find that
I:4(.:,djA):4
-2-3 sl l-a-tz2ol fezel
-s o tol: l-ro o ool- ltosl(modi),
4 r-r0J t 0 4-40) 1242)
We can usean inverseof I modulo m to solvethe system
AX : B (mod m),
where (det A,m) : l. By Proposition3.6, when we multiply both sidesof this
congruence
by an inverseA of A, we obtain

124 Congruences
A Ux): LB (modm)
(,q,4x -
4B (modm)
X : A B (modn).
Hence,we find the solutionX by forming A B (mod m ).
Note that this methodprovidesanotherproof of Theorem3.8. To
ret AX: B, whereA :
l:'),
x :
t;]
and B -
A : det A : ad - bc is relativelyprime to ln, then
f"l -f a -t)f,l - fa,- nrl
l..l:X=A B-Ai_, || |-^,,_),1(modm).
lyj
-1'-1'"--l-.
")lf)-ulo,
..r
This demonstrates
that (x,y) is a solutionif and only if
x = A,(de-bfl (mod z), y = I bf -ce) (mod lz).
Next, we give an exampleof the solutionof a systemof three congruences
in three unknownsusingmatrices.
Example. We considerthe systemof three congruences
2x1* 5x2t 6xt: 3 (mod7)
2x1* xt j 4 (mod 7)
x r * 2 x 2 * 3 x : : I ( m o d7 ) .
This is equivalentto the matrix congruence
seethis,
[;]
If
lz
sol
[",] f,l
12
oIIl"'l = lalr.noo
rl.
lrzr,l
l",j
-
I'J
'^'^"-
we havepreviously
shownthat the matrix ll 3 :
lzsel
|.242
l?: lJ
tmoo
z) Hence'
we
have
is an inverse of

3.4 Systems of Linear Congruences 125
[*,1 fozellrl [r'l lol
l",l lrosll.l : ltl: I'l(mod7)
l-l:l^.^lll:l-.1:
l',J lz+zjL'J lro) lrj
Beforeleavingthis subject,we shouldmention that many methodsusedfor
solving systems of linear equations may be adapted to solve systems of
congruences. For instance,Gaussian elimination may be adapted to solve
systemsof congruences
wheredivisionis alwaysreplacedby multiplicationby
inverses
moduloru. Also, there is a methodfor solvingsystems
of congruences
analagousto Cramer's rule. We leave the developmentof these methodsas
problemsfor thosereadersfamiliar with linear algebra.
3.4 Problems
l. Findthesolutions
of thefollowingsystems
of linearcongruences.
a ) x * 2 y
2 x * y
b ) x * 3 y
3 x t 4 y
d 4 x
2x
I (mod 5)
I (mod 5)
I (mod 5)
2 (mod 5)
(mod 5)
(mod 5).
(mod 7)
(mod 7)
+y
+3v
Z. Find the solutionsof the following systemsof linear congruences.
a ) 2 x * 3 y
x * 5 y
b ) 4 x * y = 5 ( m o d 7 )
x * 2 y = 4 ( m o d 7 ) .
3. What are the possibilitiesfor the number of incongruent solutionsof the system
of linear congruences
a x * b y : c ( m o d p )
dx * ey :
f (mod fl,
wherep is a prime and a,b,c d,e, andf are positiveintegers?
4. Find the matrix C such that

126 Congruences
5 .
fz'l f+ol
Q-
lor,l llJ
(mod5)
and all entriesof C are nonnegativeintegerslessthan 5.
Use mathematical induction to prove that if A and B are nxn matrices with
integer entries such that A = B(mod m ), then Ak : Bk(modm) for all
positiveintegersk.
A matrix A * I is called involutory modulo m if 42 = 1 (mod z).
14
nl
a) Show that
| | 22)
is involutory modulo 26.
b) Show that if A is a 2x2 involutory matrix modulo m, then
d e t A : t l ( m o d r n ) .
Find an inversemodulo 5 of each of the.following matrices
forl
il lr ol
i',i
b) |.,oJ
lzz)
c)
lt ,J
Find an inversemodulo 7 of each of the following matrices
frrol
a)
lt 0 t
I
[ 0 1 l J
frz:l
b) lr2sl
u 46J
r)
lr r r 0l
ll l0ll
^) | |
v'
ll0rll'
l0r r r,J
Use the resultsof problem 8 to find all solutionsof each of the following systems
a) x+y : I (mod 7)
x * z z 2 ( m o d 7 )
Y * z = 3 ( m o d 7 )
6.
7 .
8 .
9 .

3.4 Systemsof LinearCongruences
b) x*2y*32 : I (mod 7)
x * 3 y * 5 2 = l ( m o d 7 )
x * 4 y l 6 z = l ( m o d 7 )
(mod 7)
(mod 7)
(mod 7)
(mod 7).
How many incongruent solutions
congruenceshave
a ) x * y * z i
2 x * 4 y * 3 2 :
b ) 2 x * 3 y * z
x * 2 y * 3 2
2 x * z
c ) 3 x * y * 3 2 = I ( m o d 5 )
x * 2 y t 4 z : 2 ( m o d 5 )
4 x * 3 y * 2 2 : 3 ( m o d 5 )
127
does each of the following systems of
1 0 .
c) x*y *z =
x*y *w :
x t z i w :
Y*z *w =
i l 2 x * y * z
x * 2 y * z
x * y * 2 2
I (mod 5)
I (mod 5)
3 (mod 5)
I (mod 5)
I (mod 5)
(mod 5)
(mod 5)
(mod 5).
t2.
1 3 .
Developan analogueof Cramer's rule for solvingsystemsof n linear congruences
in n unknowns.
Develop an analogue of Gaussian elimination to solve systems of n linear
congruencesin z unknowns (where m and n may be different).
A magic square is a square array of integers with the property that the sum of
the integers in a row or in a column is always the same. In this problem, we
presenta method for producing magic squares.
a) Show that the n2 integers0,1,...,n2-l are put into the n2 positionsof an
n x/, square,without putting two integersin the same position,if the integer
k is placed in the i th row and 7th column, where
i = a * c k * e { k l n l ( m o d n ) ,
j = b + d k + f l k / n l ( m o d n ) ,
I < t ( n , 1 ( / ( n ,
kf -de,n) : l.
and a,b,c d,e, andf are integers with
Show that a magic square
(c,n) : (d ,n) : (e,n) : (7,n) : l.
b) produced part (a)

128 Congruences
c) The positive and negative diagonals of an nxn square consist of the
integers in positions (t1), where i + j = k (mod n) and
t- j =ft (modn),respectively,
wherek isa giveninteger. Asquareis
called diabolic if the sum of the integersin a positiveor negativediagonal is
always the same. Show that a diabolic square is produced using the
procedure given in part (a) if Gtd,n) : (c-d,n) : G*f ,n) :
G-f ,n) : l.
l. Find the solutionsof a systemof two linear congruencesin two unknowns using
Theorem3.8.
2. Find inversesof 2x2 matricesusing Proposition3.7.
3. Find inversesof nxn matncesusing Theorem 3.9.
4. Solvesystemsof n linear congruences
in n unknownsusing inversesof matrices.
5. Solve systems of n linear congruencesin n unknowns using an analogue of
Cramer'srule (seeproblem ll).
6. Solve system of n linear congruencesin m unknowns using an analogue of
Gaussianelimination(seeproblem l2).
7. Producemagic squaresby the method given in problem 13.

Applicationsof Gongruences
4.1 Divisibility Tests
Using congruences,we can develop divisibility tests for integers based on
their expansionswith respectto different bases'
We begin with testswhich use decimal notation. In the following discussion
let n: (oooo-r...apo)rc. Thenfl:QklOft + arr-J0t-l+ * 4110* oo,
with 0 ( o.r ( 9 for,t:0,1, 2,...,k.
First, we develop tests for divisibility. by powers.. of 2. Since
l0 = 0 (mod 2), Theorem 3.5 tells us that 10/ :0 (mod 2r) for all positive
integers7. Hence,
n = (a) 1s(mod 2),
n = (arao)ro(mod22),
n 3 (azarao)ro
(mod 23),
(ai-fii-2. . .azarao)
to (mod2/)
Thesecongruences
tell us that to determinewhether an integer n is divisible
by 2, we only needto examineits last digit for divisibility by 2. Similarly, to
determine whether n is divisible by 4, we only need to check the integer made
up of the last two digits of n for divisibility by 4. In general, to test n for
divisibility by 2i, we only need to check the integer made up of the last 7
digits of n for divisibility by 2i .
n :
r29

130 Applications of Congruences
E x a m p l e .L e t n : 3 2 6 8 8 0 4 8 . w e s e e t h a t 2 l n s i n c e z l g , a l , s i n c e
4 | 49,8 l, since
s | +a, 16 | nsincet6 | g04g,but 32 /r since'lzi gso+g.-
To develop tests for divisibility by powers of 5, first note that since
l0 = 0 (mod 5), we have lY :0 (mod 5/). Hence, divisibility tests for
powersof 5 are analogousto thosefor powersof 2. We only needto check the
integermade up of the last 7 digits of n to determinewhethern is divisiblebv
5 i .
Example.Let n: 15535375.Since s I s, 5 | n, sincezs lls,25 | n, since
125 | 375,125 | n, but since625| slls,625 I n.
Next, we developtests for divisibility by 3 and by 9. Note that both the
congruences l0 : I (mod 3) and l0 = I (mod 9) hold. Hence,
10e : I (mod 3) and (mod 9). This givesus the usefulcongruences
(apa1r-1...aps)
: ekl0& + a*_tl0k-l + * alO * a6
: e k * a p 4 * ' . . + a r * a s ( m o d3 ) a n d ( m o d9 ) .
Hence, we only needto check whether the sum of the digits of n is divisible by
3, or by 9, to seewhethern is divisibleby 3, or by 9.
Example. Let n : 412783s. Then, the sum of the digits of n is
4+ | +2+ 7 + 8 + 3 + 5:30. Since
I lrobut 9 lt},3l nbutgln.
A rather simple test can be found for divisibility by I L Since
l0 : -l (mod I l), we have
(a1ra1r-1...aps)t0:
aklOk + a1r-110k-r
* * alO * as
: ak(-l)ft * a*-r(-t)t-t + -at * as (mod I l).
This shows that (apap-1....aps)
rc is divisible by I l, if and only if
os- at * o2- + (-I)kap, the integer formed by alternatelyadding
and subtracting the digits, is divisible by I l.
Example. We see that 723160823is divisibleby 11, sincealternatelyadding
a n d s u b t r a c t i n g
i t s d i g i t s y i e l d s i - z + g - 0 + 6 - l + 3 - z * 7 : 2 2
which is divisible ll. On the other hand, 33678924is not divisible bv 11.
since4 - 2 + 9 - 8 + 7 - 6 + 3 - 3 :4 is not divisible
by ll.
Next, we developa test to simultaneouslytest for divisibility by the primes
7,ll, and 13. Note that 7'll'13 : l00l and 103: 1000: -l (modl00l).
Hence.

4.1 Divisibility Tests 1 3 1
(a1,a1r-r...adro:
aklOk+ a*-JOft-l + * alO * c6
: (ao* l0ar * 100a) + 1000(ar* 1}aa* 10045)
*
(tOOO)'(ou
+ l0a7t 100a6)r
= (100a2* 10cr+ a0) - (l00ar * l}aa* a) *
(t00ar * l0a7 + a) -
= (a2a,as),.- (o 5aaa3),s
* (a sa7a6)rc- (mod 1001).
This congruencetells us that an integer is congruent modulo l00l to the
integer formed by successively
adding and subtracting the three-digit integers
with decimal expansionsformed from successive
blocks of three decimal digits
of the original number, where digits are grouped starting with the rightmost
digit. As a consequence,
since7,11, and l3 are divisorsof 1001,to determine
whetheran integeris divisible
by 7,11, or 13,we only needto checkwhetherthis
alternatingsum and difference
of blocksof threedigitsis divisibleby 7,11, or
1 3 .
Example. Let n - 59358208. Since the alternating sum and differenceof the
integers formed from blocks of three digits, 208 - 358 + 59 : -91, is
divisibleby 7 and 13,but not by 11,we seethat r is divisibleby 7 and 13,but
n o t b y I L
-----*?.ll
of theTvisibility testswe have developedthus far are basedon decimal
representations. We now develop divisibility tests using base b
representations,
where b is a positiveinteger.
Divisibility Test 1. If d I b and 7 and k are positive integers with i < k,
then (a1...aps)6 is divisibleby di if and only if (a1-r...apo)uis divisibleby
4i.
Proof. Since b = 0 (mod d), Theorem 3.5 tells us
Hence,
(apa1r-1...aps)6:
arrbk* " '+ albl + ai-fti-l
= a j - f t j - r + " ' + a 1 b * a s
: (ai-t...aPs)6 (mod d/).
that bj :0 (modd/).
+ "'+aft*as
Consequently,
d I Q1,a1r-1...aps)6
if and only if d I G1-t...aps)6. -
DivisibilityTest 2. lf d | (b-t), then n: (ap...aps)6is divisiblebyd if and
only if ap t ' '' + ar t as is divisible
by d.
Proof. Sinced | $-l), we haveb = I (mod d), so that by Theorem 3.5 we
know that bj - I (mod d) for all positiveintegersb. Hence,(ap...aflo)r:

132
a l r b kI t a f t I a o z a t *
d l n i f a n d o n l y i f d l ( a * +
Example.Let n : (1001001
I ll)2.
that3lr, since
n = | - 1+ 1- I
and3l(z+t).
.
Opplications of Congruences
* a1t a6 (modd). This showsthat
* a 1 t a s ) . t r
Then, using Divisibility Test 3, we see
+ 0 - 0 + 1 - 0 + 0 - l : 0 ( m o d 3 )
Divisibility Test.3. lf d | (b + l), then n : (ap...aps)6 is divisibleby d if
and only if (-I)kap * -ar * a6 is divisibleby d.
Proof. Since d I ft + 1), we have g: -l (mod d). Hence,bi = (-l)/
(mod d), and consequently,
n : (a1, ...aps)b : (-t)k a1, + - o1
* ao (mod d). Hence, d I n if and only if d | ((-l)o oo + -a1
* as). n
Example.
Let n: (7F28A6)16
(in hex notation).Then,sincezl te, from
Divisibility
Testl, we knowthat2 | n, sincezl e. Likewise,
since4 | 16,we
seethat aln, since4tr6. By Divisibility
Test Z, since3l(f6-l),
5l(t6-1), and 15l(16-t), and 7+F+2+8 +A *6:(30),u, we
knowthat 3 | n, sinceI | (:O)16,
while5 tr, and I 5 I n, since
5 / (30)ro
and
ts / (30)ro. Furthermore,
by DivisibilityTest 3, since 17 | (16+ l) and
n =6- A +8 -2* F -7: (,q)ru(modl7), weconclude
thatl7 trr,
since17I (D rc.
4.1Problems
l. Determine
thehighest
powerof 2 dividingeachof the followingpositive
integers
a) 201984
b) 1423408
c) 89375744
d) 4t578912246.
2. Determine the highest power of 5 dividing eachof the following positiveintegers
112250 c) 235555790
4860625 d) 48126953125.
3. Which of the following integersare divisible by 3? Of those that are, which are
divisible by 9?
18381 c) 987654321
65412351 d) 78918239735
a)
b)
a)
b)

4.1 DivisibilityTests 133
4. Which of the following integersare divisible by I I
a) 10763732 c) 674310976375
b) 108632001s d) 89243t00645372
5. A repunit is an integerwith decimalexpansion
containingall l's.
a) Determine which repunits are divisible by 3; and which are divisible by 9.
b) Determine which repunits are divisible by I l.
c) Determinewhich repunitsare divisibleby 1001. Which are divisibleby 7?
b y 1 3 ?
d) Determine which repunits with fewer than l0 digits are prime.
6. A base b repunit is an integer with baseb expansioncontaining all 1's.
il Determine which baseD repunits are divisible by factors of 6 - l.
b) Determine which baseb repunits are divisible by factors of b * l.
7. A base b palindromic integer is an integer whose base 6 representationreads
the same forward and backward.
il Show that every decimal palindromic integer with an even number of digits
is divisibleby I l.
b) Show that every base7 palindromic integer with an even number of digits is
divisibleby 8.
8. Develop a test for divisibility by 37, based on the fact that 103= I (mod 37).
Use this to check 443692and I 1092785for divisibility by 37.
9. Devisea divisibility test for integersrepresentedin baseb notation for divisibility
by n where n in a divisor of b2 + l. (Hint: Split the digits of the base b
representationof the integer into blocksof two, starting on the right).
10. Use the test you developedin problem 9 to decidewhether
il (tot t 101lo)2is divisibleby 5.
b) (12100122)3
rsdivisibleby 2, and whetherit is divisibleby 5.
c) (36470124$8 is divisible by 5, and whether it is divisible by 13.
d) (SS:ZO+t
320219)ro
is divisibleby 101.
ll. An old receipt has faded. It reads 88 chickensat a total of $x4.2y where x and
y ^re unreadabledigits. How much did each chicken cost?
12. Use a congruencemodulo 9 to find the missing digit, indicated by a question
mark: 89878'58965: 5299?56270.
13. We can check a multiplication c : ab by determining whether the congruence
c 2 ab (mod rn) is valid. where m is anv modulus. If we find that

c # ab (mod z), then we know an error has beenmade. When we take m :9
and use the fact that an integer in decimal notation is congruent modulo 9 to the
sum of its digits, this check is called casting out nines. Check each of the
following multiplications by castingout nines
il 875961-2753
: 2410520633
b) t4789.23567 : 348532367
c) 24789'43717
: 1092700713.
d) Are your checksfoolproof?
14. What combinationsof digits of a decimal expansionof an integer are congruent
to this integer modulo 99? Use your answer to devisea check for multiplication
based on casting out ninety nines. Then use the test to check the
multiplicationsin problem 13.
1. Determine the highest powersof 2 and of 5 that divide an integer.
2. Test an integer for divisibility by 3,7,9, ll, and 13. (Use congruences
modulo
l00l for divisibilityby 7 and 13.)
3. Determine the highest power of each factor of b that divides an integer from the
baseb expansionof the integer.
4. Test an integer from its baseb expansion,for divisibility by factors of b - I and
of b + L
4.2ThePerpetual
Calendar
In this section,we derive a formula that givesus the day of the week of any
day of any year. Since the days of the week form a cycle of length seven,we
use a congruencemodulo 7. We denoteeach day of the week by a number in
the set 0, I,2,,3, 4,5,6, settingSunday:0, Monday : l, Tuesday:2,
Wednesda! : 3, Thursday : 4, Fridey :5, and Saturday : $.
Julius Caesarchangedthe Egyptian calendar,which was basedon a year of
exactly 365 days, to a new calendarwith a year of averagelength 365 V4days,
with leap years every fourth year, to better reflect the true length of the year.
However, more recent calculationshave shown that the true length of the year
is approximately 365.2422days. As the centuriespassed,the discrepancies
of
0.0078 days per year added up, so that by the year 1582 approximately l0
extra days had been added unnecessarilyas leap years. To remedy this, in

4.2 The Perpetual Calendar 13s
1582 PopeGregory set up a new calendar. First, l0 days were added to the
date,so that October5, 1582,becameOctober15, 1582 (and the 6th through
the l4th of October were skipped). It was decidedthat leap yearswould be
preciselythe years divisible by 4, except those exactly divisible by 100,i.e.,
the yearsthat mark centuries,would be leap yearsonly when divisibleby 400.
As an example,the years 1700, 1800, 1900, and 2100 are not leap years but
1600 and 2000 are. With this arrangement,the averagelength of a calendar
year is 365.2425days, rather close to the true year of 365.2422days. An
error of 0.0003 days per year remains,which is 3 days per 10000 years. In
the future, this discrepancy will have to be accounted for, and various
possibilitieshave beensuggested
to correct for this error.
In dealing with calendar dates for various parts of the world, we must also
take into account the fact that the Gregorian calendar was not adopted
everywherein 1582. In Britain, the Gregoriancalendarwas adoptedonly in
1752,and by then, it was necessary
to add I I days. Japanchangedover 1873,
the Soviet Union and nearby countriesin 1917.while Greeceheld out until
1923.
We now set up our procedure for finding the duy of the week in the
Gregorian calendar for a given date. We first nrust make some adjustments,
becausethe extra day in a leap year colmesat the end of February. We take
care of this by renumberingthe months, starting each year in March, and
consideringthe months of January and February part of the precedingyear.
For instance,February 1984,is considered
the 12th month of 1983,and May
1984,is considered
the 3rd month of 1984. With this convention,for the day
of interest, let k : day of the month, z : month, and N : year, with
N : 100C + IZ, where C : century and Y : particular year of the century.
F o r e x a m p l e ,
J u n e 1 2 , 1 9 5 4 ,h a s k : 1 2 , f r 7 : 4 , N : 1 9 5 4 , C : 1 9 , a n d
Y : 5 4 .
We useMarch 1, of eachyear as our basis. Letdy represent
the day of the
week of March 1, in year I{. We start with the year 1600 and computethe
day of the week March l, falls on in any given year. Note that between
March I of year l/ - I and March I of year ly', if year N is not a leap year,
365 days have passed,and since 365 : I (mod 7), we seethat du : dN_,
* I (mod 7), while if year l/ is a leap year, since there is an extra day
betweenthe consecutivefirsts of March, we see that dy = dx_r + 2 (mod 7).
Hence, to find dys from drooo,we must find out how many leap years have
occurred betweenthe year 1600 and the year N (not including 1600, but
including N). To compute this, we first note that there are [(nrr - 160c)/41
years divisible by 4 between 1600 and N, there are [Or-t600)/1001 years
divisibleby 100 between1600 and N, and there are ICnr- 1600)/4001years
divisible by 400 between 1600 and N. Hence, the number of leap years

136 Applications
of Congruences
between1600and N is
t0,r- rc00D/41-
tor - 1600)/1001
+ tcnr- 1600)/4001
: lN/41- 400- lX/t001+ t6 + Ir{/4001
- 4
: lN/41- lw/tool + It//4ool- 388.
(We have used Proposition1.5 to simplify this expression).Now putting this
in terms of C and Y , we seethat the number of leap yearsbetween1600and
l/ is
lzsc+ v/Dl - tc + v/r0o)l+1,rc/0
+ v/400)l-ras
:25C + IY/41- C + tC/41- 388
= 3C + lC/41+ lY/41- 3 (mod7).
Herewe haveagainusedProposition
1.5,the inequality
Y/100 ( 1, and the
equation|,rc/4 + V /4001 : lc /+l (which follows from problem 20 of
Section
1.2,sinceY/400< llq.
We can now compute d1yfrom drcoo
year that has passed,plus an extra day
N. This givesthe following formula:
d x = d r c o o + 1 0 0 c + Y - 1 6 0 0 +
by shifting drcooby one day for every
for each leap year between 1600 and
3C + IC/41+ lYl4l- 3 (mod7).
Simplifying,we have
dx : drcoo
- 2c + y + tc/41+ ly/41 (mod7).
Now that we havea formula relating the day of the week for March l, of any
year, with the day of the week of March 1, 1600,we can use the fact that
March |, 1982, is a Monday to find the day of the week of March I , 1600.
For 1982,
since.ly': 1982,wehaveC : 19,andY :82, and sincedptz: l,
it follows that
| = drcoo- 38 + 82 + [19/41+ ts2/41 :- drcoo- 2 (mod 7).
Hence, drcoo:3, so that March 1, 1600,was a Wednesday.When we insert
the value of d16ss,
the formula for d1,,becomes
du : 3 - 2C + Y + lC/41 + IYl4l (mod 7).
We now use this formula to compute the day of the week of the first day of
each month of year l{. To do this, we have to use the number of days of the
week that the first of the month of a particular month is shifted from the first
of the month of the precedingmonth. The months with 30 days shift the first
of the followingmonth up 2 days,because30 : 2 (mod 7), and thosewith 31

4.2 The Perpetual Calendar 137
days shift the first of the following month up 3 days,because31 : 3 (mod 7)'
Therefore,we must add the following amounts:
from March l, to APril l: 3 daYs
from April l, to May I : 2 daYs
from May l, to June l: 3 daYs
from June l, to July I : 2 daYs
from July 1, to August 1: 3 daYs
from August 1, to Septemberl: 3 daYs
from September1, to October I : 2 daYs
from October l, to November l: 3 days
from November 1, to December 1: 2 days
from Decemberl, to January l: 3 daYs
from January 1, to February 1: 3 daYs.
We need a formula that gives us the same increments. Notice that we have
1l incrementstotaling 29 days,so that each incrementaverages
2.6 days. By
inspection,we find that the function lZ.6m - 0.21- 2 has exactly the same
incrementsas rn goesfrom I to I l, and is zero when m : l. Hence, the day
of the week of the first day of month m of year N is given by by the least
positiveresidueof dy + [2.6m - 0.21- 2 modulo7.
To find W, the day of the week of day k of month m of year.ly', we simply
add k-l to the formula we have devisedfor the day of the week of the first
day of the samemonth. We obtain the formula:
w - k + 12.6m
- o.2l- 2C+ Y + IYl4l + lcl4l (mod
7).
We can usethis formula to find the day of the week of any date of any year
in the Gregorian calendar.
Example. To find the duy of the week of January 1, 1900, we have
c : 18, Ir: 99,m: ll, and k : | (since we considerJanuary as the
eleventh month of the preceding year). Hence, we have
w
-
I + 28 - 36 + 99 + 4 + 24 :- I (mod 7), so that the first day of the
twentieth century was a Monday.
4.2 Problems
l. Find the day of the week of the day you were born, and of your birthday this
Year.

138 Applications
of Congruences
2. Find the day of the week of the following important dates in U. S. history (use
the Julian calendar before 1752, and the Gregorian calendar from I 752 to the
present)
il October 12, 1492 (Columbus sights land in the Caribbean)
b) May 6, 1692 (peter Minuit buys Manhattan from the natives)
c) June 15, 1752 (BenjaminFranklin inventsthe lighteningrod)
d July 4, 1776 (U. S. Declaration of Independence)
e) March 30, 1867 (U. S. buys Alaska from Russia)
f) March 17, 1888 (Great blizzard,in the Eastern u. s.)
d February 15, 1898 (U. S. BattleshipMaine blown up in Havana Harbor)
h) July 2, 1925 (Scopesconvictedof teachingevolution)
i) July 16, 1945 (First atomic bomb exploded)
j) July 20, 1969 (First man on the moon)
k) August 9,1974 (Nixon resigns)
l) March 28, 1979 (Three Mile Island nuclear mishap).
3' To correct the small discrepancybetween the number of days in a year of the
Gregorian calendar and an actual year, it has been suggestedthat the years
exactly divisible by 4000 should not be leap years. Adjust the formula for the
day of the week of a given date to take this correctioninto account.
4. Which of your birthdays, until your one hundredth, fall on the same dav of the
week as the day you were born?
5. Show that days with the same calendar date in two different years of the same
century, 28, 56, or 84 years apart, fall on the identical day of the week.
6. A new calendar called the International Fixed Calendar has been proposed. In
this calendar, there are 13 months, including all our presentmonths, plus a new
month, called So/, which is placed between June and July. Each month has 28
days, except for the June of leap years which has an extra day (leap years are
determined the same way as in the Gregorian calendar). There is an extra day,
Year End Day, which is not in any month, which we may consideras December
29. Devisea perpetualcalendar for the International Fixed Calendar to give day
of the week for any calendardate.
l. To givethe day of the weekof any date.
2. To print out a calendarof any year.
3. To print out a calendarfor the International Fixed Calendar (Seeproblem 6).

4.3 Round-Robin
Tournaments 139
4.3 Round-RobinTournaments
Congruencescan be used to schedule round-robin tournaments. In this
section,we show how to schedulea tournament for I/ different teams, so that
each team plays every other team exactly once. The method we describewas
developed
by Freund t65].
First note that if N is odd. not all teams can be scheduledin each round,
sincewhen teams are paired, the total number of teams playing is even. So, if
N is odd, we add a dummy team, and if a team is paired with the dummy
team during a particular round, it draws a bye in that round and does not
play. Hence, we can assumethat we always have an even number of teams,
with the addition of a dummy team if necessary.
Now label the N teamswith the integers1,2,3,...,If-1, N. We construct
a schedule,pairing teams in the following way. We have team i, with i * N,
play team j, with j I N and j # i, in the kth round if
i + j: k (mod /V-l). This schedulesgames for all teams in round k,
except for team N and the one team i for which 2i : k (mod li-l). There
is one such team because Theorem 3.7 tells us that the congruence
2x :- k (mod /V-l) has exactly one solution with I ( x < .A/-1, since
(2, N-l) : 1. We match this team i with team ^A{
in the kth round.
We must now show that each team plays every other team exactly once.
We considerthe first tr/-l teams. Note that team i, where I < t <,Af-l,
plays team l/ in round k where 2i : k (mod lf-l), and this happensexactly
once. In the other rounds, team i does not play the same team twice, for if
team i played team 7 in both roundsk and k', then i + j = k (mod l/-l),
and i + j = k' (mod N-l) which is an obvious contradiction because
k # k'(mod N-l). Hence, since each of the first lf-l teams plays .Af-l
games, and does not play any team more than once, it plays every team
exactly once. Also, team I{ plays N-l games, and since every other team
plays team N exactly once,team N plays every other team exactly once.
Example. To schedule a round-robin tournament with 5 teams, labeled
I,2,3,4, and 5, we includea dummy team labeled6. In round one,team I
playsteamT where| + j = l(mod 5). This istheteamj:5 sothat teamI
plays team 5. Team 2 is scheduled in round one with team 4, since the
s o l u t i o n
o f 2 + j = l ( m o d 5 ) i s 7 : 4 . S i n c ei : 3 i s t h e s o l u t i o n
o f t h e
congruence2i = 1 (mod 5), team 3 is paired with the dummy team 6, and
hence,draws a bye in the first round. If we continue this procedureand finish
schedulingthe other rounds,we end up with the pairingsshownin Figure 4.1,
where the opponentof team i in round k is given in the kth row and i th
column.

Team
Round
I 2 3 4 5
I 5 4 bye 2 I
2 bye 5 4 3 2
3 2 I 5 bye 3
4 3 bye I 5 4
5 4 3 2 I bye
140 Applications
of Congruences
Figure 4.1. Round-Robin Schedulefor Five Teams.
4.3 Problems
1. Set up a round-robin tournament schedulefor
a) 7 teams c) 9 reams
b) 8 teams d) 10 teams.
2. In round-robin tournament scheduling,we wish to assigna home team and an
away team for each game so that each of n teams, where n is odd, plays an
equal number of home gamesand away games. Show that if when i + j is odd,
we assign the smaller of i and 7 as the home team, while if i + 7 is even, we
assign the larger of f and 7 as the home team, then each team plays an equal
number of home and away games.
3. In a round-robin tournament scheduling,use problem 2 to determine the home
team for each game when there are
a) 5 teams b) 7 teams c) 9 teams.
l. Scheduleround-robin tournaments.

4.4 Computer File Storage and Hashing Functions
2. Using problem 2, scheduleround-robin tournamentsfor an odd number of teams,
specifyingthe home team for each game.
4.4 ComputerFile StorageAnd Hashing Functions
A university wishesto store a file for each of its studentsin its computer.
The identifying number or key for each file is the social security number of
the studentenrolled. The socialsecurity number is a nine-digit integer,so it is
extremely unfeasible to reserve a memory location for each possible social
security number. Instead, a systematicway to arrange the files in memory,
using a reasonableamount of memory locations,should be used so that each
file can be easily accessed.Systematic methods of arranging files have been
developedbasedon hashtngfunctions . A hashing function assignsto the key
of each file a particular memory location. Various types of hashing functions
have been suggested,but the type most commonly used involves modular
arithmetic. We discuss this type of hashing function here. For a general
discussion
of hashingfunctionsseeKnuth [52] or Kronsjii t581.
Let k be the key of the file to be stored; in our example, k is the social
security number of a student. Let m be a positive integer. We define the
hashingfunction h (k) by
h ( k ) = k ( m o d , m ) ,
where 0 < ft(k) < m,so that h(k) is the leastpositiveresidueof k modulo
m. We wish to pick n intelligently, so that the files are distributed in a
reasonable
way throughoutthe z differentmemory locations0, 1,2,..., m-|.
The first thing to keep in mind is that z should not be a power of the base
b which is used to representthe keys. For instance,when using socialsecurity
numbers as keys, ra should not be a power of 10, such as 103,becausethe
value of the hashing function would simply be the last several digits of the
k"y; this may not distribute the keys uniformly throughout the memory
locations. For instance, the last three digits of early issued social security
numbers may often be between 000 and 099, but seldom between 900 and
ggg. Likewise,it is unwiseto use a number dividing 6t * a where k and a
are small integersfor the modulus rn. In such a case,h (k) would dependtoo
strongly on the particular digits of the key, and different keyswith similar, but
rearranged,digits may be sent to the same memory location, For instance,if
m: lll, then,sincelll | (tO3-l) :999, we have 103= 1 (mod 111),so
that the socialsecuritynumbers064212 848 and 064 848 212 are sentto the
samememory location,since
t4l

142 Applications
of Congruences
h@64 2r2 S4$ = 064 2r2 848= 064 + 2r2+ 848 = ll24 : 14 (mod 111),
and
h(0648482rD
= 064848
2r2:064 + 848
+ 2r2= rr24: 14(mod
lll).
To avoid such difficulties, z should be a prime approximating the number
of available memory locations devoted to file storage. For instance, if there
are 5000 memory locationsavailablefor storageof 2000 student files we could
pick m to be equal to the prime 49G9.
We have avoided mentioning the problem that arises when the hashing
function assignsthe same memory location to two different files. When this
occurs,we say the there is a collision. We needa method to resolvecollisions,
so that files are assignedto different memory locations. There are two kinds
of collision resolutionpolicies. In the first kind, when a collision occurs.extra
memory locationsare linked together to the first memory location. When one
wishesto accessa file where this collision resolutionpolicy has been used,it is
necessaryto first evaluatethe hashingfunction for the particular key involved.
Then the list linked to this memory location is searched.
The secondkind of collision resolutionpolicy is to look for an open memory
location when an occupiedlocation is assignedto a file. Various suggestions,
such as the following techniquehave beenmade for accomplishingthis.
Starting with our original hashing function ho(k): h(k), we define a
sequence
of memory locationsft1(ft),h2(k),... . We first attempt to place the
file with key ft at location hs(k). If this location is occupied,we move to
locationht(k). If this is occupied,
we moveto locationh2&), etc.
We can choose the sequenceof functions hj(k) in various ways. The
simplestway is to let
hj(k) = h(k) * 7 (modm),0 ( ft;(k) < m.
This placesthe file with key ft as near as possiblepast locationh &). Note
that with this choiceof h1(k), all memory locationsare checked,so if there is
an open location,it will be found. Unfortunately,this simple choiceof h1(k)
leads to difficulties; files tend to cluster. We see that if kt * k2 and
hi(k): h1(k) for nonnegative
integersi and 7, then h;q,(k): hi+1,(k2)
for k : 1,2,3,...,so that exactlythe samesequence
of locationsare tracedout
once there is a collision. This lowersthe efficiencyof the searchfor files in the
table. We would like to avoid this problem of clustering, so we choosethe
function h1(k) in a differentway.

4.4 ComputerFile Storageand HashingFunctions 143
To avoid clustering,we use a techniquecalled double hashtng. We choose,
as before,
h ( k ) = k ( m o d m ) ,
with 0 < ft (/c) < m, where m is prime, as the hashingfunction. We take a
secondhashingfunction
g(k): k + I (mod
m-2),
where 0 < g(k) < m - l, so that G(k), m) : l.
probingsequence
h j ( k ) - h ( k ) + i s ( k ) ( m o dz ) ,
where0 ( ft;(k) < m. Since Q(k), tn) : l, as 7 runs throughthe integers
0, 1,2,..., m - 1, all memory locationsare traced out. The ideal situation
would be for m-2 to also be prime, so that the valuesg(ft) are distributedin
a reasonableway. Hence,we would like m-2 and m to be twin primes.
Example. In our example using social security numbers,both m : 4969, and
m-2 : 4967 are prime. Our probing sequence
is
hj(k) - h(k) + i s(k) (mod 4e6e),
w h e r e 0 < h j ( k ) < 4 9 6 9 , h ( k ) = k ( m o d 4 9 6 9 ) ,a n d s ( k ) = k + l
(mod 4967).
Supposewe wish to assignmemory locationsto files for studentswith social
securitvnumbers:
kt: 344401659 k6 : 3J2500191
kz: 325510778 k7 : 034367980
kt:2t2 228844 ks : 546332t90
kq: 329938t57 ks : 509496993
ks:047 900l5l krc: 132489973.
Sincekt = 269,kz = 1526,and k3 : 2854(mod496r, we assign
the first
three files to locations 269,1526, and 2854, respectively.Since kq =
1526(mod4969),
but location
1526is taken,
wecompute
h1 (k) = h(k) +
S(k) : 1526+ 216: 1742(mod4969, since S(k)
: I + kq =
216(mod496D. Sincelocation1742is free,we assign
the fourthfile to this
location.The fifth, six,seventh,
andeighthfilesgo into the available
locations
3960,4075,2376,and 578, respectively,
becauseks = 3960,ko = 4075,
k.t = 2376,and frs- 578(mod4969). We find that ks = 578(mod496il:
We take as a

144 Applicationsof Congruences
because
location578 is occupied,
we computeh1(kq) + s&):57g + 2002
: 2580 (mod 4969), where S(k) : I * ks = 2002 (mod 4g6D. Hence, we
assignthe ninth file to the free location 2580. Finally, we find that kro E
1526(mod 4967),but location1526is taken. we computehr (krd = h(Lrc)
+ g(k,o) : 1526+ 216: 1742(mod 496r, because
S:(/cro)
:' krc: 216
(mod 4967), but location 1742 is taken. Hence, we continue by finding
h2(krc)_ h(krc) + 2g(kd: l95g (mod 496qi)
and in this available
location,we placethe tenth file.
Table 4.1 lists the assignmentsfor the files of students by their social
securitynumbers. [n the table,the file locationsare shownin boldface.
344 40r 659
325510778
2r2 228844
329938 ts7
047900l5l
372500l9l
034367980
546332r90
509 496993
t32 489973
269
r526
2854
1526
3960
4075
2376
s78
578
r526
1742
2580
t742 1958
We
Hence,
( 4 . 1 )
and
(4.2)
Table 4.1. Hashing Functionfor Student Files.
wish to find conditions where double hashing leads to clustering.
we find conditionswhen
h i ( k ) : h 1 ( k 2 )
h i + t ( k 1 ) : h i + r ( k ) ,
so that the two consecutive
terms of two probesequences
agree. If both (+.t)
and @.D occur,then
h(k) + ig(k1) = h(k) + jg(k2) (modz)
SocialSecurity
Number
h 1 ( k ) h 2 ( k )

4.4 Computer File Storage and Hashing Functions 145
and
h ( k ) + ( t + l ) g ( k r )
Subtractingthe first of thesetwo
= h&) + (j + r)g(k) (modz).
congruences
from the second,we obtain
: g(k2) (mod rn),
g(k)
so that
kr = kz (modm-2)'
SinceS(k) : g(k), we can substitutethis into the first congruence
to obtain
h(k) : h(kz) (modrn),
which showsthat
k r = k 2 ( m o dm ) .
Consequently,
since(m-2, m) : 1, Theorem3.6 tells us that
kt = k2 (modm(m-D).
Therefore, the only way that two probing sequencescan agree for two
consecutive
terms is if the two keysinvolved,k1 and k2,lre congruentmodulo
m(m-Z). Hence, clusteringis extremelyrare. Indeed,rf m(m-z) > k for
all keysk, clusteringwill neveroccur.
4.4 Problems
l. A parking lot has l0l parking places. A total of 500 parking stickers are sold
and only 50-75 vehiclesare expectedto be parked at a time. Set up a hashing
function and collision resolution policy for assigning parking places based on
licenseplatesdisplayingsix-digit numbers.
2. Assign memory locationsfor studentsin your class,using as keys the day of the
month of birthdays of studentswith hashingfunction hG) = K (mod l9),
a) with probingsequence
h1(K) - h(K) + 7 (mod l9).
b) with probing sequence hjK) = h(K) + i's(r<),0 ( .l ( 16, where
g ( r ) : I + K ( m o d l 7 ) .
3. Let the hashingfunction be ft(rK) = K(mod rn), with 0 < ft(f) < m, andlet
the probing sequencefor collision resolutionbe lr; (f ) = h K) + jq (mod m) ,
0 ( ft;(f) < m, for j :1,2,..., m-1. Show that all memory locationsare

probed
a) if ln is prime and I ( q ( m -1.
b) if m :2' andq is odd.
4. A probing sequence for resolving collisions where the hashing function is
h&) = K(mod
z), 0 < l,(K) < m, is given by nifn = hG)
+ jQh (f) + 1) (mod m), O < lij(K) < m.
il Show that if z is prime, then all memory sequences
are probed.
b) Determine conditionsfor clustering to occur, i.e., when hj(K) : h1(K) and
hi*,(K) : hi+,(K) for r : I,2,...
5. Using the hashing function and probing sequenceof the example in the text, find
open memory locations for the files of students with social security numbers:
krr: 137612044,k12
: 505576452,
kn: 157170996,
kro: 131220418.(eaa
theseto the ten files already stored.)
Write programs to assign memory locations to student files, using the hashing
function h(k) = ft(modl02l), 0 < l,(k) < l}2l, where the keys
"r.
the social
security numbers of students.
l. Linking files together when collisionsoccur.
2. Using hj(D = h(k) * 7 (mod l02l), -/ : 0, 1,2,... as the probingsequence.
3 . U s i n gh j ( k ) = h ( k + j ' S & ) , j : 0 , 1 , 2 , . . . w h e r eg ( k ) : | + k ( m o d l 0 l 9 )
as the probing sequence.

Some SpecialCongruences
5.1 Wilson'sTheoremand Fermat'sLittle Theorem
In this section,we discusstwo important congruences
that are often useful
in number theory. We first discussa congruence
for factorialscalledWilson's
theorem.
Wilson'sTheorem. If p is prime, then (p-t)t = -t (modp).
The first proof of Wilson'sTheoremwas given by the Frenchmathematician
Joseph Lagrange in 1770. The mathematicianafter whom the theorem is
named, John Wilson, conjectured, but did not prove it. Before proving
Wilson'stheorem,we usean exampleto illustratethe idea behindthe proof.
Example. Let p:7. We have (7-l)! :6! : l'2'3'4'5'6. We will rearrange
the factors in the product, grouping together pairs of inversesmodulo 7. We
note that 2'4
-
I (mod 7) and 3'5 = I (mod 7). Hence,
6! : 1.O.4.(g.S).6= 1.6 = -l (mod7). Thus, we haveverifieda special
caseof Wilson'stheorem.
We now use the technique illustrated in the example to prove Wilson's
theorem.
Proof. When p:2, we have Q-l)t = t : -l (mod 2). Hence,the theorem
is true for p:2. Now, let p be a prime greater than 2. Using Theorem 3.7,
for eachintegera with I ( a { p-I, thereis an inverse
t, I < a 4 p-1,
with aa: 1 (modp). From Proposition3.4, the only positiveintegersless
than p that are their own inversesare I and p-1. Therefore,we can group
l4'I

148 Some Special Congruences
the integersfrom 2 to p-2 into Q4)/2 pairs of integers,with the productof
eachpair congruentto I modulop. Hence,we have
2.3 Q-).Q-D = r (modp).
We concludethe proof by multiplying both sidesof the abovecongruence
by I
andp-l to obtain
b-1)! :1.2.3' .Q-3)b-Db-l) = t.(p-r) = -r (modp).tr
An interestingobservationis that the converseof Wilson's theorem is also
true, as the followingtheoremshows.
Theorem 5.1. If n is a positiveintegersuchthat h-l)t = -l (mod n), then
n is prime.
Proof. Assume that n is a compositeintegerand that (n-l)! = -l (mod n).
since n is composite,we have n:ob, where | 1 a I n and | < b 1 n.
Sincea 1n, we know that a I h-l)!, because
a is one of then-l numbers
multiplied togetherto form (n-l)!. Since h-l)t = -l (mod n), it follows
that n I t(r-l)! + ll. This means,by the useof Proposition
1.3,that a also
divides h-l)t + t. From Proposition 1.4, since a | (n-Dl and
a l [ h - l ) ! + l l , w e c o n c l u d e
t h a t a l t ( : n - l ) ! + I ] - ( n - l ) ! : l . T h i s i s
an obviouscontradiction,sincea ) l. tr
We illustratethe useof this resultwith an example.
Example. Since (6-l)! : 5! : 120 = 0 (mod 6) ,
obviousfact that 6 is not prime.
As we can see,the converseof Wilson's theorem
To decide whether an integer n is prime,
h-l)! : -1 (mod n). Unfortunately,this is an
n - 1 multiplications modulo n are needed to
O h (log2n)z) bit operations.
When working with congruences
involvingexponents,
the following theorem
is of great importance.
Fermat's Little Theorem.
thenaP-t = I (modp).
C,(PS6'","1
,)
Proof. Con'sider
'the p - |
are divisibleby p, for if p
Theorem 5.1 verifies the
givesus a primality test.
we determine whether
impractical test because
find (rr'-l)|, requiring
If p is prime and a is a positiveinteger
integersa,2a, ..., (p-l)a. None of theseintegers
I ia, then by Lemma 2.3,p I j, sincep tra. This
'(-o,r),=L
with p I a,

5.1 Wilson's Theorem and Fermat's Little Theorem 149
is impossiblebecauseI ( 7 ( p-1. Furthermore, no two of the integers
a, 2a, ..., (p-Da are congruent modulo p. To See this, assume that
ja = ka (modfl. Then, from Corollary 3.1, since (a,p) : l, we have
j = k (modp). This is impossible,since7 and k are positiveintegersless
t h a n p - I .
Since the integers a, 2a, ..., (p-l)a are a set of p-l integers all
incongruent to zero,and no two congruent modulo p, we know that the least
positive residuesof c, 2e,..., (p-l)a, taken in some order, must be the
integers 1,2, ...,p-1. As a consequence,
the product of the integers
a,2a,..., (p-l)a is congruentmodulo p to the product of the first p-l
positiveintegers. Hence,
a'2a Q-I)a
: l'2 (p-r) (mod
p).
Therefore,
Since(p-l)!, p) :
aP-t(p-l)! : (p-l)! (modp) .
l, usingCorollary3.1,we cancelQ-l)! to obtain
aP-t = I (modp). tr
We illustratethe ideasof the proof with an example.
Example. Let p:7 and a:3. Then, l'3 = 3(mod 7), 2'3 = 6 (mod 7),
3.3 = 2 (mod 7), 4'3 = 5 (mod 7), 5'3 = I (mod 7), and 6'3 = 4 (mod 7).
Consequently,
(t.l).Q.r.(r.r).(+.1).(5.3).(6.3)
= 3.6.2.s.1.4
(mod
7),
so that 36.1.2.3.4.5.6
= 3.6.2'5'l'4(mod7). Hence,36'6!
therefore.36 = I (mod 7).
On occasion, we would like to have a congruence
theoremthat holds for all integersa, given the prime p.
the followingresult.
= 6! (mod 7), and
like Fermat's little
This is suppliedby
Theorem 5.2. If p is prime and a is a positive integer, then
e P : a ( m o d p ) .
Proof. lf p I a,by Fermat'slittle theoremwe know that ap-t: I (modp).
Multiplying both sidesof this congruence
by a, we find that ap = a (mod p).
l f p l a , t h e n p l a p a s w e l l , s o t h a ta P = a = O ( m o d p ) . T h i s f i n i s h e s t h e
proof,sinceaP = a (modp) it p I a and if pla. tr

150 SomeSpecialCongruences
Fermat's little theorem is useful in finding the least positive residuesof
powers.
Example. We can find the least positiveresidueof 3201
modulo I I with the
help of Fermat'slittle theorem. We know that 310: I (mod ll). Hence.
32or
: (3ro)20.
3= 3 (mod ll) .
A useful applicationof Fermat's little theorem is providedby the following
result.
Theorem5.3. If p is prime anda is an
inverse
of c modulop.
Proof. If p tra, then Fermat's
a'aP-2: sP-t = I (modp). Hence,aP-2
Example. From Theorem 5.3, we know
integerwith p I a, then aP-2 is an
little theorem tells us that
is an inverseof a modulop.
that 2e:512 = 6 (mod ll) is an
inverseof 2 modulo I 1.
Theorem 5.3 givesus another way to solvelinear congruences
with respect
to prime moduli.
Corollary 5.1. lf a and b are positiveintegersand p is prime with p I a,
then the solutionsof the linear congruenceax = 6 (modp) are the integers
x suchthat x = aP-2b (modp).
Proof. Supposethat ax = b (mod p). Since p I a, we know from Theorem
5.2 that aP-2 is an inverseof c (modil. Multiplying both sidesof the
original congruence
by sP-z,we have
aP-2ax = aP-2b(mod p).
Hence,
x 7 aP-2b (modp). tr
5.1 Problems
l. Using Wilson's
modulo 7.
2. Using Fermat's
t 1 .
theorem, find the
little theorem, find
least positive
the least positive
residueof 8'9'10.
I l. 12.I 3
residue oP 2toooooo
modulo

?,
4.
5 .
5.1 Wilson's Theorem and Fermat's Little Theorem 1 5 1
Showthat 31s: I (mod I l2).
Using Fermat'slittle theorem,find the last digit of the base7 expansion
of 3r00.
Using Fermat'slittle theorem,find the solutionsof the linear congruences
a) 7x = 12 (mod 17) b ) 4 x = l l ( m o d l 9 ) .
6. Showthat if n isacompositeintegerwith n * 4,then h - )t = O (mod n).
7. Show that if p is an odd prime,then 2Q - 3)! : -l (modp).
8. Show that if n is odd and 3 /n, then n2 = | (mod 24).
9. Show that 42 | h' - n) for all positiveintegersn.
10. Showthat if p andq aredistinctprimes,thenpe-t * qP-r: I (modpq).
I l. Show that p is prime and a and b are integerssuch that ap = bP (mod p), then
aP = bP (modp2).
12. Show that if p is an odd prime, then 1232 (p-42(p-2)2 =
1-11b+t)/z(mod p).
1 3 . S h o w t h a t i f p i s p r i m e a n d p = 3 ( m o d 4 ) , t h e n{ ( p - t l Z l l = * I ( m o d p ) .
14. a) Let p be prime and supposethat r is a positiveinteger lessthen p such that
(-l)'r! _ -l (modp). Showthat Q-r*l)!
: -l (modp).
b) Usingpart (a), showthat 6l! = 63! = -l (mod 71).
15. Using Wilson'stheorem,show that if p is a prime andp = I (mod 4), then the
congruence x2
- -l (mod p) has two incongruent solutions given by
x E t l(p-)/zll (modp).
1 6 . S h o w t h a t i f p i s a p r i m e a n d O 1 k < - p , t h e n Q - k ) ! ( k - l ) !
= (-l)e (modp).
17. Showthat if p is prime anda is an integer,
then pllap + Q-l)! al.
18. For which positiveintegersn is na * 4n prime?
19. Show that the pair of positiveintegersn and n * 2 are twin primesif and only if
4l(n-l)l + tl + n = 0 (mod n(n * 2)), wheren I l.
2 0 . S h o w t h a t t h e p o s i t i v e i n t e g e r s n
a n d n * k , w h e r e n ) k a n d k i s a n e v e n
positive integer, are both prime if and only if (k!)'z[(n-t)t + t]
+ n ( k ! - l ) ( k - l ) ! = 0 ( m o dn ( n + k ) ) .
lzo)
21. Show that if p is prime,then ll | = 2 (modp).
l p )
22. a) In problem 17 of Section 1.5, we showedthat the binomial coefficient
['),
where I < k ( p - l, is divisibleby p when p is prime. Use this fact and the
binomial theorem to show that if a and b are integers, then

(a + b)p = ap * 6z (modp).
b) Use part (a) to prove Fermat's little theorem by mathematical induction.
(Hint: In the induction step,use part (a) to obtain a congruencefor fu + l)p.)
23. Using problem 16 of Section 3.3, prove Gauss' generaltzation of Wilson's
theorem, namely that the product of all the positiveintegerslessthan m that are
relatively prime to rn is congruent to I (mod z), unlessffi : 4,p,, or 2p, where
p is an odd prime and I is a positive integer, in which case,it is congruent to
-l (mod rn).
24. A deck of cards is shuffiedby cutting the deck into two piles of 26 cards. Then,
the new deck is formed by alternating cards from the two piles,starting with the
bottom pile.
a) Show that if a card begins in the cth position in the deck, it will be in the
Dth positionin the new deck whereb = 2c (mod 53) and I < 6 <52.
b) Determine the number of shuffies of the type described above that are
neededto return the deck of cards to its original order.
25. Let p be prime and let a be a positiveinteger not divisibleby p. We define the
Fermat quotient qob) by qp(a): (ap-t-l)/p. Show that if a and,b are
positive integers not divisible by the prime p, then
qGb) :
er(a) + qo$) (modp).
26. Let p be prime and let a1,a2,...,ap
and b ,,b2,...,b,
be completesystems
of residues
modulo p Show that a1bya2b2,...,aobo
is not a complete system of residues
modulop.
l. Find all Wilson primes lessthan 10000. A Wilson prime is a prime p for which
(p - l)! : -l (modp2).
2. Find the primesp lessthan 10000for which Zp-t = I (mod p2).
3. Solve linear congruences
with prime moduli via Fermat's little theorem.
5.2 Pseudoprimes
Fermat'slittle theoremtells us that if n is prime and b is any integer,then
bn = b (mod n). Consequently,if we can find an integer b such that
b' + b (mod n), then we know that n is composite.
Example. We can show 63 is not prime by observingthat

5.2 Pseudoprimes 153
263
:2eo.2t : (26)ro.23
:64to23 -__
23 = g + 2 (mod 63).
Using Fermat'slittle theorem,we can showthat an integeris composite. It
would be even more useful if it also provided a way to show that an integer is
prime. The ancientChinesebelievedthat if 2'= 2 (mod n), then n must be
prime. Unfortunately, the converseof Fermat's little theorem is not true, as
the following exampleshows.
Example. Let n - 341: 11.31. By Fermat'slittle theorem,we seethat 210
= I (mod l1), so that 23ao: (2t0;3+-
t (mod l1). Also 23a0: (25)68=
(32)6s= t (mod 3l). Hence,by Theorem3.1,we have2340: I (mod 341).
By multiplying both sides of this congruence by 2, we have
2341
-
2 (mod 341), eventhough 341 is not prime.
Examplessuch as this lead to the following definition.
Definition. Let b be a positive integer. If n is a compositepositive integer
andb' = b (mod n), then n is calleda pseudoprimeto the base b.
Note that if (b,n): 1, then the congruence
bn = b (mod n) is equivalent
to the congruence
bn-t: I (mod n). To seethis, note that by Corollary3.1
we can divide both sidesof the first congruenceby b, since (b,n) : l, to
obtain the secondcongruence.By Theorem 3.1, we can multiply both sidesof
the second congruencs by b to obtain the first. We will often use this
equivalentcondition.
Example. The integers 341: I l'31, 561 : 3'l 1'17 and 645: 3'5'43 are
pseudoprimes
to the base2, sinceit is easilyverified that 2340
: I (mod 341),
256o
--
I (mod 561). and 26aa
= I (mod 645).
If there are relatively few pseudoprimes
to the baseb, then checking to see
whether the congruence b' = D (mod n) holds is an effective test; only a
small fraction of compositenumbers passthis test. In fact, the pseudoprimes
to the base b have been shown to be much rarer than prime numbers. In
particular, there are 455052512 primes, but only 14884 pseudoprimesto the
base 2, less than 1010. Although pseudoprimes
to any given base are rare,
there are, nevertheless,
infinitely many pseudoprimesto any given base. We
will prove this for the base2. The following lemma is useful in the proof.
Lemma 5.1. lf d and n are positive integers such that d divides rz, then
2d - 1 divides 2n - l.
Proof. Since d I n, there is a positive integer / with dt : n. By setting
x : 2 d i n t h e i d e n t i t vx t - I - ( x - 1 ) ( x t - l + x t - z + + l ) , w e f i n d

1 2 d Q - r )
+ 2 d o - D a + 2 d + l ) . C o n s e q u e n t l y ,
t h a t 2 n - t : ( 2 d - l )
Od - t) | Q' - D. tr
We can now prove that there are infinitely many pseudoprimes
to the base
2.
Theorem 5.4. There are infinitely many pseudoprimes
to the base2.
Proof. We will show that if r is an odd pseudoprimeto the base 2, then
m : 2' - I is also an odd pseudoprimeto the base 2. Since we have at least
one odd pseudoprime
to the base 2, namely fls:341, we will be able to
constructinfinitely many odd pseudoprimes
to the base2 by taking ns: 341
andn1ra1
:2n'- I for k :0, 1,2,3,.... Theseodd integers
are all different,
s i n c e
n o I n t 1 n z 1 . ' . 1 n * ( n 1 1 1(
To continue the proof, let n be an odd pseudoprime,so that n is composite
and 2n-t = I (mod n). Since n is composite, w€ have n : dt with
1 1 d 1 n a n d l < / 1 n . w e w i l l s h o w t h a t m : 2 n - r i s a l s o
pseudoprimeby first showing that it is composite,and then by showing that
2^-t = I (modz).
To see that m is composite, w€ use Lemma 5.1 to note that
Qd - t) | (Z' - l): m. To show that 2^-t: I (modre), we first note
that since2n :2 (modn), there is an integerk with 2n - 2: kn. Hence,
2^-t : 22'-2: 2kn. By Lemma 5.1, we know that
m : (2n - l) | (2kn- l) : 2^-l - l. Hence, 2m-t - I : 0 (modz), so
that 2^-t = I (mod re). We concludethat z is also a pseudoprimeto the
base2. rl
If we want to know whether an integer n is prime, and we find that
2n-t : I (mod n), we know that n is either prime or n is a pseudoprimeto
the base2. One follow-upapproachis to test n with other bases. That is, we
check to seewhether bn-r : I (mod n) for variouspositiveintegers6. If we
find any valuesof b with (b,n): I and bn-r # | (mod n), then we know
that n is composite.
Example. We haveseenthat 341 is a pseudoprime
to the base2. Since
7 3: 3 4 3 = 2 ( m o d3 4 1 )
and
zto: 1024: I (mod341).

5.2 Pseudoprimes 1 5 5
we have
73a0
- 03)tt3l = 2t137: (210)1t.23.7
: 8.7 = 56 # I (mod 341).
Hence,we seethat 341 is composite,
sinceTzto1l (mod 341).
Unfortunately, there are compositeintegersr? that cannot be shown to be
compositeusing the above approach,becausethere are integers which are
pseudoprimes
to every base,that is, there are compositeintegersn such that
b'-t = I (modn), for all b with (b,n): l. This leadsto the following
definition.
Definition. A composite integer which satisfiesbn-t : I (mod n) for all
positiveintegersb with (b,il : I is calleda Carmichael number.
Example. The integer561:3'11'17 is a Carmichaelnumber. To seethis,
note that if (b, 561) : l, then (b,3) : (b,l l) : (b,17): l. Hence,from
Fermat's little theorem, we have b2 = I (mod 3), 610: I (mod I l), and
616
--
I (mod 17). Consequently,
b560: (b2)280: I (mod3), bs60: (b10)56
= I (mod ll), and 6560: (bl6)35= I (mod l7). Therefore,by Theorem
3.1,b560
= I (mod 561) for all b with (b,n) : L
It has beenconjecturedthat there are infinitely many Carmichaelnumbers,
but so far this has not been demonstrated. We can prove the following
thecrem,which providesconditionswhich produceCarmichaelnumbers.
Theorem 5.5. If n: Qt Qz q1, where the qi's are distinct primes that
satisfy Qi
- 1) | (,4- l) for all j, then n is a Carmichaelnumber.
Proof. Let b be a positiveinteger with (b,n) : l. Then (b,q1): I for
j :1,2,...,k, and hence,
by Fermat'slittle theorem,
bQt-r
-
I (modQ) for
j : 1 , 2 , . . . , k . S i n c e Q i
- l ) | ( n - l ) f o r e a c h i n t e g e rj : 1 , 2 , . . . , k ,
there are integers.
/; with r;(q, - l) : n - L Hence,for each /, we know
that b'-t : 6Q'-r)tt'-t t-oO qrl. Therefore,by Corollary 3.2, we seethat
bn-t : I (mod n), and we concludethat n is a Carmichaelnumber. D
Example. Theorem 5.5 showsthat 6601 :7'23'41 is a
because J, 23, and 4I are all prime, 6 :
Ql - t) | oooo,
and4o: (+t- t) | oooo.
The converseof Theorem 5.5 is also true, that is, all
are of the form Qflz Q* where the Qj's are
Qi-l) | tr-l) for allj. We provethis fact in Chapter
Carmichael number,
Q - t) | oooo,
22:
Carmichaelnumbers
distinct primes and
8 .

Once the congruence
bn-r : I (mod n) has beenverified,another possible
approachis to considerthe least positiveresidueoS 6h-D/2 modulo r. We
note that if x : 6(,-t)/2,then x2: bn-t: I (mod r). rf n is prime, by
Proposition 3.4, we know that either x = I or x = -l (mod n).
Consequently,
once we have found that b"-t: I (mod n), we can check to
seewheth", 6tu-t)/2= + I (mod n). If this congruencedoes not hold. then
we know that n is composite.
Example. Let b:5 and let n:561, the smallest
Carmichael
number. we
find that 5(561-t)/2:5280
= 67 (mod 561). Hence,56l is composite.
We continuedeveloping
primality testswith the followingdefinitions.
Definition. Let n be a positive integer with n-l : 2't, where s is a
nonnegativeinteger and / is an odd positive integer. We say that n passes
Miller's test for the base b if either bt = I (mod n) or b/' : -l (mod n)
f o r s o m e T w i t h 0 < l ( s - 1 .
We now show that if n is prime, then /, passesMiller's test for all basesD
with n I b.
Theorem 5.6. lf n is prime and b is a positive integer with n I b, then n
passes
Miller's test for the baseD.
Proof. Let n-l :2"/, where s is a nonnegativeinteger and I is an odd
p o s i t i v e
i n t e g e r .L e t x 1 r : 6 { J . - t ) / z ' - 6 ? : - ' t , f o rk : 0 , l , 2 , . . . , s . S i n c e n i s
prime, Fermat's little theorem tells us that x0: bn-t :1 (mod n). By
Proposition 3.4,, since x? : 16{n-r)/z1z:xo E I (mod n), either
xt i -l (modn) or rr E I (modn). If rr E I (modn), since
x?,: xr E I (modn), either xz? -l (modn) or xz71 (modru). In
general,if we have found that xs: xl : x27 : xk = I (mod n),
with k ( s, then, since x?+t : x* 3 I (mod n), we know that either
x*+r 7 -l (mod n) or xr+r t 1 (mod n).
Continuing this procedure for k : l, 2,...,s, we find that either
x* ? I (modn), for k :0, 1,...,s, or xt7 -l (modn) for someinteger/c.
Hence,n passes
Miller's test for the baseb. n
If the positive integer n passesMiller's test for the base 6, then either
bt = I (mod n) or bvt : -l (mod n) for some7 with 0 < j ( s -1, where
n - | :2't and r is odd.
In either case, we have bn-t = I (mod n), since bn- - 162tt12'-t
for
J:0, 1,2,..., s, so that an integern that passes
Miller'stestfor the baseb
is automaticallya pseudoprime
to the baseb. With this observation,
we are

5.2 Pseudoprimes 157
led to the following definition.
Definition. lf n is compositeand passes
Miller's test for the base6, then we
sayn is a strong pseudoprime to the base b.
Example. Let n :2047 :23'89. Then 220a6
:'(21r)186: (ZO+A)186
: 1
(mod 204D, so that 2047 is a pseudoprimeto the base 2. Since 22046/2
:
2to23: (2tl)e3: (zo+g)e3: I (mod 2047), 2047 passesMiller's test for
the base2. Hence, 2047 is a strong pseudoprimeto the base2.
Although strong pseudoprimesare exceedinglyrare, there are still infinitely
many of them. We demonstratethis for the base 2 with the following
theorem.
Theorem 5.7. There are infinitely many strong pseudoprimes
to the base2.
Proof. We shall show that if n is a pseudoprime to the base 2, then
N :2'-l is a strong pseudoprime
to the base2.
Let n be an odd integer which is a pseudoprimeto the base2. Hence, n is
composite, and Zn-r : I (mod n). From this congruence, we see that
2'-r -l : nk for someintegerk; furthermore,k must be odd. We have
,Af- I : 2n-2 : 2(2n-r-l) : Ztnk;
this is the factorizationof /V-l into an odd integerand a powerof 2.
We now note that
2?v-r)/2:2nk : (Zn)k = I (mod /V)
b e c a u s e
2 n : ( z n - t ) + t : I { * I = I ( m o d , n { ) .T h i s d e m o n s t r a t e s t h a t N
passes
Miller's test.
In the proof of Theorem 5.4, we showed that if n is composite,then
N : 2'-l also is composite. Hence, N passes Miller's Test and is
composite,so that N is a strong pseudoprimeto the base 2. Since every
pseudoprimen to the base 2 yields a strong pseudoprime2n-1 to the base 2
and since there are infinitely many pseudoprimesto the base 2, we conclude
that there are infinitely many strong pseudoprimes
to the base2. tr
The following observationsare useful in combination with Miller's test for
checking the primality of relatively small integers. The smallest odd strong
pseudoprimeto the base2 is 2047,so that if n 1 2047,r is odd, and n passes
Miller's test to the base2, then n is prime. Likewise,1373653is the smallest

odd strong pseudoprimeto both the bases2 and 3, giving us a primality test
for integerslessthan 1373653. The smallestodd strong pseudoprimeto the
bases2,3, and 5 is 25326001,and the smallestodd strongpseudoprime
to all
the bases2,3,5, and 7 is 3215031751.Also, lessthan 25.10e,
the only odd
integerwhich is a pseudoprime
to all the bases
2,3,5, and 7 is 3251031751.
This leadsus to a primality test for integerslessthan 25.10e. An odd integer
n is prime if n < 25'10e,n passes
Miller's test for the bases2,3,5, and 7,
andn I 3215031751.
There is no analogyof a Carmichaelnumber for strongpseudoprimes.This
is a consequence
of the following theorem.
Theorem 5.8. If n is an odd compositepositiveinteger, then r passesMiller's
testfor at most Q-l)/4 bases
b with I < b ( n - l.
We proveTheorem5.8 in Chapter 8. Note that Theorem5.8 tells us that if
t? passes
Miller's testsfor more than (n-l)/4 baseslessthan n, then n must
be prime. However,this is a rather lengthy way, worsethan performingtrial
divisions,to show that a positiveintegern is prime. Miller's test doesgive an
interestingand quick way of showingan integern is "probablyprime". To see
this, take at random an integer b with I < D ( n - I (we will see how to
make this "random"choicein Chapter 8). From Theorem5.8, we seethat if n
is compositethe probability that r? passesMiller's test for the base b is less
than I/4. If we pick k different baseslessthan n and perform Miller's tests
for eachof thesebaseswe are led to the followingresult.
Rabin's Probabilistic Primality Test. Let n be a positive integer. Pick k
different positive integerslessthan n and perform Miller's test on n for each
of these bases. If n is compositethe probability that n passesall k tests is
lessthan 0/4k.
Let n be a compositepositiveinteger. Using Rabin's probabilisticprimality
test, if we pick 100 different integersat random between I and n and,perform
Miller's test for eachof these100 bases,
then the probability than n passes
all
the tests is lessthan 10-60,an extremely small number. In fact, it may be
more likely that a computer error was made than that a compositeinteger
passes
all the 100 tests. Using Rabin's primality test doesnot definitelyprove
that an integer n that passes
all 100 tests is prime, but doesgive extremely
strong,indeedalmostoverwhelming,
evidence
that the integeris prime.
There is a famous conjecture in analytic number theory called the
generalized Riemann hypothesis. A consequenceof this hypothesis is the
followingconjecture.

5.2 Pseudoprimes 1s9
Conjecture 5.1. For everycompositepositiveintegern, there is a baseb with
b < 70 (log2n)2,such that n fails Miller's test for the baseb.
If this conjectureis true, as many number theoristsbelieve,the following
resultprovidesa rapid primality test.
Proposition 5.1. If the generalizedRiemann hypothesis
is valid, then there is
an algorithm to determine whether a positive integer n is prime using
O ((log2n)5)Uit operations.
Proof. Let b be a positive integer less than n. To perform Miller's test for
the base b on n takes O (logzn)3) bit operations,becausethis test requires
that we perform no more than log2n modular exponentiations,each using
O(logzb)2) Ult operations. Assumethat the generalizedRiemann hypothesis
is true. lf n is composite,then by Conjective 5.1, there is a base 6 with
| < b < 70 (log2n)2such that n fails Miller's test for b. To discoverthis b
requireslessthan O(log2n)3)'O((togzn)z) : O((log2n)5) Uit operations,by
Proposition1.7. Hence, after performing O((log2n)s) bit operations,we can
determinewhethern is compositeor prime. I
The important point about Rabin's probabilistic primality test and
Proposition5.1 is that both results indicate that it is possibleto check an
integern for primality using only O((log2n)ft) bit operations,
where k is a
positiveinteger. This contrastsstrongly with the problem of factoring. We
have seenthat the best algorithm known for factoring an integer requiresa
numberof bit operations
exponentialin the squareroot of the logarithm of the
number of bits in the integer being factored,while primality testing seemsto
require only a number of bit operationslessthan a polynomialin the number
bits of the integer tested. We capitalize on this differenceby presentinga
recentlyinventedcipher systemin Chapter 7.
5.2 Problems
Show that 9l is a pseudoprimeto the base3.
Show that 45 is a pseudoprime
to the bases17 and 19.
Show that the even integer n : 161038:2'73' l 103 satisfiesthe congruence
2n = 2 (mod n). The integer 161038is the smallesteven pseudoprimeto the
base2.
Show that every odd compositeinteger is a pseudoprimeto both the base I and
the base-1.
Show that if n is an odd compositeinteger and n is a pseudoprimeto the basea,
then n is a pseudoprimeto the basen - a.
l .
2.
3 .
4.
5 .

9.
10.
l l .
160 SomeSpecialCongruences
6 , S h o w t h a t i f n : ( a z p - - l ) / G 2 - l ) , w h e r e a i s a n i n t e g e r ,
a ) l , a n d p i s a n
odd prime not dividing a(a2 - l), then n is a pseudoprimeto the base a.
Conclude that there are infinitely many pseudoprimes
to any basea. (Hint: To
establish that ao-t = I (mod n), show that 2p | (, - 1), and demonstratethat
a2P:2 (modn).)
7. Show that every compositeFermat number F^ : 22' + I is a pseudoprimeto the
base2.
8. Show that if p is prime and the Mersenne number Mo : 2P - I is composite,
then Mo is a pseudoprimeto the base 2.
Show that if z is a pseudoprime to the bases a and b, then n is also a
pseudoprimeto the baseaD.
Show that if n is a pseudoprimeto the basea, then n is a pseudoprimeto the
basea-,where d' is an inverseof a modulo n.
a) Show that if n is a pseudoprimeto the base c, but not a pseudoprimeto the
base6, then n is not a pseudoprimeto the baseaD.
b) Show that if there is an integer b with (b,n) : I such that n is not a
pseudoprime
to the baseD, then n is a pseudoprime
to lessthan or equal6 Ah)
different basesa with I ( a ( n. (Hint: Show that the setsc t, o2,..., a, and
ba1,ba2,...,
ba, have no common elements,where ot, o2, ...,ar are the basesless
than n to which n is a pseudoprime.)
12. Show that 25 is a strong pseudoprimeto the base7.
13. Show that 1387 is a pseudoprime,but not a strong pseudoprimeto the base2.
14. Show that 1373653is a strong pseudoprimeto both bases2 and,3.
15. Show that25326001 is a strongpseudoprime
to bases2,3, and 5.
Showthat the followingintegers
areCarmichael
numbers
il 2821
:7'13'31
b) 10585
: 5.29'73
c) 29341
: l3'37'61
d) 314821
: 13.6r.397
e) 27845
: 5'17'29.113
f) 172081
:7-13.31.61
g) 564651361
: 43.3361.3907.
Finda Carmichael
numberof the form7.23.qwhereg is an oddprime.
a) Showthatevery
integer
of the form(6m+l)(l2m+l)(tg,n +t), where
m isa
positive
integersuchthat 6m*l,l2mll, and l8m*l are all primes,is a
Carmichael
number.
1 6 .
1 7 .
1 8 .

5.2 Pseudoprimes
b) Conclude from part (a)
: 2 t 1 . 4 2 1 . 6 3 1 .
I 1 8 9 0 1 5 2 1
Carmichaelnumbers.
19. Show that if n is a positive
O ((logzn)2) bit operations.
1 6 1
that 1729- 7'13'l
9, 294409
: 37'73'
109,55164051
: 271'541'81l.
and 72947529
- 307'613'919
are
with n = 3 (mod 4), then Miller's test takes
I . Given a positive integer n, determine whether n satisfies the congruence
bn-t = I (mod n) where b is a positive integer lessthan n; if it does,then n is
either a prime or a pseudoprimeto the baseD.
2. Given a positiveinteger integer n, determinewhether n passes
Miller's test to the
baseb; if it doesthen n is either prime or a strong pseudoprimeto the baseb.
3. Perform a primality test for integers lessthan 25'l0e basedon Miller's tests for
the bases2,3,5, and 7. (Use the remarksthat follow Theorem5.7.)
4. Perform Rabin's probabilisticprimality test.
5. Find Carmichael numbers.
5.3 Euler's Theorem
Fermat's little theorem tells us how to work with certain congruences
involvingexponentswhen the modulusis a prime. How do we work with the
correspondingcongruencesmodulo a compositeinteger? For this purpose,we
first definea specialcounting function.
Definition. Let n be a positive integer. The Euler phi-function Qh) is
defined to be the number of positive integers not exceeding n which are
relativelyprime to n.
In Tabte 5.1 we displaythe valuesof @(n) for I ( r ( 12. The valuesof
d(,n) for I ( n < 100are givenin Table 2 of the Appendix.
Table 5.1. The Valuesof Euler'sPhi-functionfor I ( n < 12.
n 2 3 4 5 6 7 8 9 l0 il I2
6h) I 2 2 4 2 6 4 6 4 l0 4

In Chapter6, we study the Euler phi-functionfurther. In this section,we
use the phi-function to give an analogue of Fermat's little theorem for
compositemoduli. To do this, we needto lay somegroundwork.
Definition. A reducedresidue system modulo n is a set of Ofu) integers
such that eachelementof the set is relativelyprime to n, and no two different
elementsof the set are congruentmodulon.
Example. The set 1,3,5,7 is a reducedresiduesystemmodulo8. The set
-3, -1, l, 3 is alsosucha set.
we will needthe followingtheoremabout reducedresiduesystems.
Theorem 5.9. lf r1,r2,...,t6G) is a reducedresiduesystemmodulon, and if
a is a positiveintegerwith (a,fl) : l, then the setet1, et2, ...,ot6h) is alsoa
reducedresiduesystemmodulor.
Proof. To show that each integerari is relativelyprime to n, we assumethat
(ar1,n) ) l. Then, there is a prime divisor p of (ari,n). Hence, either
p I a or p I 11. Thus, we either havep I a and p I n,'o, p I ri and p I n.
However,we cannot have both p I r; and p I n, since r; is a member of a
reduced residue modulo n, and both p I a and p I n cannot hold since
(a,n): l. Hence, we can conclude that ar1 and n are relatively prime for
j : l , 2 , . . ' ,Q h ) .
To demonstratethat no two ari's are congruentmodulo n, we assumethat
arj = ar1,(mod n), where j and k are distinct positive integers with
1 < j ( d ( n ) a n d I < k ( d ( n ) . S i n c e( a , n ) : l , b y C o r o l l a r y 3 . l w e s e e
that r; : rk (mod n). This is a contradiction,sincer7 and r,1coffie from the
original setof reducedresidues
modulor?,so that ri # rr (mod n). tr
We illustratethe useof Theorem5.9 by the followingexample.
Example. The set 1,3,5,7 is a reducedresiduesystemmodulo 8. Since
( 3 , 8 ): l , f r o m T h e o r e m
5 . 9 ,t h e s e t 3 ' l : 3 , 3 ' 3 : 9 , 3 . 5 : 1 5 ,3 ' 7: 2 1 i s
alsoa reducedresiduesystemmodulo8.
We now state E,uler's
theorem.
Euler's Theorem. If m is a positive integer and
(a,m) : l, then sotu) = I (mod rn).
Before we prove Euler's theorem, we illustrate the
with an example.
a is an integer with
idea behind the proof

5.3 Euler's Theorem 163
Example. We know that both
reducedresiduesystemsmodulo
residues
modulo8. Therefore,
(3.
l).(3.3).
(3.s).
(3.7): l'3'5'7(mod8),
l'3'5'7(mod8).
3 4 ' l ' 3 ' 5 ' 7
=
8) : l, we conclude
that
3+_ 3d(a)
: I (mod g).
We now usethe ideasillustratedby this exampleto proveEuler'stheorem.
Proof. Let rr,rZ, ...,ro(^) denotethe reducedresiduesystemmade up of the
positiveintegersnot exceedingm that are relativelyprime to m. By Theorem
5.9, since (a,m) : l, the set Qt1,aty,...,ar6(m)is also a reducedresidue
systemmodulo lz. Hence, the least positiveresiduesof ar1,Qr2,...,or6(m)
must be the integers11,12,..., r6(m)in some order. Consequently,
if we
multiply togetherall terms in eachof thesereducedresiduesystems,
we obtain
16(^) (mod la) .
r o(m)
(mod z ) .
Since (rg2 ra(^), m) : l, from Corollary 3.1, we can concludethat
oo(m)= I (modm). D
We can use Euler's Theorem to find inversesmodulo m. lf a and m are
relativelyprime, we know that
s't6(m)-t : 44(m)
-
1 (mod rn).
Hence,o6(m)-tis an inverse
of a modulom.
Example. We know that 20@-t - 26-t : 25: 32:5 (mod 9) is an inverse
of 2 modulo9.
We can solve linear congruences using this observation. To solve
ax j D (mod z ), where (a,m) : I , we multiply both sides of this
the sets l, 3, 5, 7 and 3'1,3'3,3'5,3'7 are
8. Hence,they have the same least positive
Thus,
ar pr2
a6(^)
r {z
aryfu't -- r| rz
' r6(m)j r(z

164
congruence
by aah)-l to obtain
oo(m)-t
o*
Therefore, the Solutions
y : of(m)-tb (modm).
Example. The solutions
x = 3d(10)-1.7
-
33.J:9 (mod
Some Special Congruences
-: qQ(m)-tb
(modm).
are those integers
of 3x = 7 (mod l0)
l0), since
d(I0) : 4.
such that
are given by
5.3
l .
Problems
Finda reduced
residue
system
modulo
a ) 6
b)e
c) lo
d) t4
e) 16
f) 17.
2.
3.
4.
Find a reducedresiduesystemmodulo 2^ , wherem is a positiveinteger.
Show if c t, c2,...,c6(m) is a reduced residue system modulo m , then
c 1 * c 2 * * , o h ) : 0 ( m o dl n ) .
Show that if m is a positive integer and a is an integer relatively prime to m,
then I I a * a2 * I ofh)-t = 0 (mod m).
Use Euler's theorem to find the least positiveresidueo1 3100000
modulo 35.
Show that if a is an integer,thena7 = a (mod 63).
Show that if a is an integer relatively prime to 32760, then
a t 2 = l ( m o d 3 2 7 6 C D .
Show that cd(b)I 6ab) : I (mod ab), if a and b are relatively prime positive
integers.
Solve the following linear congruences
using Euler's theorem
il 5x = 3 (mod 14)
b) 4x = 7 (mod 15)
c) 3x = 5 (mod 16).
Show that the solutionsto the simultaneoussystemof congruences
5 .
6.
7.
8.
9.
1 0 .

5.3 Euler's Theorem 165
x i ar (mod rnr)
*
=
o, (mod mz)
x ? a, (mod m),
where the mi are pairwiserelatively prime, are given by
x j a,ul'^) + a2M!@) a + a,M!t^') (mod u)'
w h e r eM : m 1 m 2 m , a n dM j : M / m i f o r T : 1 , 2 , . . . , r .
I l. Using Euler'stheorem,find
a) the last digit in the decimalexpansion
o17t000
b) the last digit in the hexadecimal
expansion
oP51100$000.
12. Find @(n)for the integers
n with 13 ( n < 20.
13. a) Show every positive integer relatively prime to l0 divides infinitely many
repunits (seeproblem 5 of Section 4.1). (Hint: Note that the n -digit repunit
l i l . . . l l : ( t o ' - t ) / q . )
b) Show every positiveinteger relativelyprime to b dividesinfinitely many base
b repunits(seeproblem6 of Section4.1).
14. Show that if m isa positiveinteger,m ) 1, then o^ = am-6(m)(mod rn) for all
positiveintegersa.
l. Solvelinear congruences
using Euler'stheorem.
2. Find the solutionsof a systemof linear congruences
using Euler's theorem and
the Chineseremaindertheorem(seeproblem l0).

Multiplicative
Functions
6.1 The Euler Phi-function
In this chapter we study the Euler phi-function and other functions with
similar properties.First, we presentsomedefinitions.
Definition. An arithmetic function is a function that is definedfor all positive
integers.
Throughoutthis chapter,we are interestedin arithmetic functionsthat have
a specialproperty.
Definition. An arithmetic function f is called multiplicative if
f fun) : f (m)f fu) wheneverm andn arerelativelyprime positiveintegers.
Example. The function f h) : I for all n is multiplicative because
f ( m n ) : 1 , f ( m ) : 1 , a n d f ( n ) : 1 , s o t h a t f h n ) : f ( m ) f h ) .
Similarly, the function g(n) : n is multiplicative, since
g(mn) :mn : g(m)efu). Notice that ffun) :1(m)fh) and
g(mn): g(m)Sh) for all pairs of integersm and n, whether or not
(m,n) : l. Multiplicative functionswith this property are called completely
mult iplicativefunctions.
If / is a multiplicativefunction,then we can find a simpleformula forf fu)
giventhe prime-powerfactorizationof n.
Theorem6.1. If / is a multiplicative
functionand if n: pi'pi, ... pi'it
166

6.1 TheEulerPhi'function 167
the prime-power factorization of the
f tu): f Qi)f Qi) " "fQi).
Proof. Sincef is multiplicativeand Qi',pi'
' ' ' p!) : l, we see that
f tu): f bi'pi'"'p:) : f Qi''Q?"'pi)): f Qi)-f
Qi'p'
"'p:').
Since
bi' , p'"' p!'):1, weknowthat
f bi' p'"' p!'): f bi')
-fQi'... pl'),ro that
f(n): -fQi') f Qi) f Qi' p:). continuing
in thisway,wefindthatf h) : f Qi) f bi) .f (p')
We nowreturnto the Eulerphi'function.First,we
primes
andthenat primepowers.
f Q?) a
considerits valuesat
Theorem 6.2. If p is prime. then 0b) : p - l. Conversely,if p is a
positive
integerwith d(p)
- p - l, thenp is prime.
Proof. If p is prime then everypositiveintegerlessthan p is relativelyprime
to p. Sincethere arep - I suchintegers,
we haveQQ) : p - l.
Conversely,if
p is composite,
thenp hasa divisord with | < d 1p,and,
of course,p and d are not relativelyprime. Sincewe know that at leastone
of the p - | integers| ,2, ...,p - l, namelyd, is not relativelyprime to p,
d 0 ) ( p - 2 . H e n c e , i f
0 Q ) : p
- l , t h e n p m u s t b e p r i m e .
t r
We now find the valueof the phi-functionat prime powers.
Theorem 6.3. Let p be a prime and a a positive integer. Then
6e:po-po-t. = f
o-'fp_D
' zZ
Proof. The positiveintegers'less-than
po that are not relatively prime to p are
thoseintegersnot exceeding
po that are divisibleby p. There are exactlypo-l
such integers,so there arepo - po-r integerslessthan po that are relatively
primeto po. Hence,
6b") : po -
Po-r. n
Example. Using Theorem6.3, we find that d(53) : 53- 52: 100,
O ( z t } ): 2 t 0 - 2 e: 5 1 2 , a n dd ( t t 2 ) : 1 1 2
- 1 1: 1 1 0 .
To find a formula for @(n), given the prime factorizationof n, we must
showthat d is multiplicative. We illustratethe idea behindthe proof with the
followingexample.
Example.Let m:4 andn:9, sothat mn:36. We list the integers
from
I to 36 in a rectangularchart, as shownin Figure6.1.
positive integer n, then

168
Now suppose r
( m , r ) : d ) 1 .
sinceanv element
Multiplicative
Functions
OOe@@2,@@33
,O@,5@@27@@
22
18
t4
l0
32
28
24
20
l6
t2
34
36
Figure6.1.
Neither the secondnor fourth row contains integers relatively prime to 36,
since each element in these rows is not relatively prime to 4, and hencenot
relatively prime to 36, We enclosethe other two rows; each element of these
rows is relativelyprime to 4. Within eachof theserows,there arc 6 integers
relatively prime to 9. We circle these;they are the 12 integersin the list
relativelyprime to 36. HenceOGO : 2.6 - OU)O(il.
We now stateand provethe theoremthat showsthat @is multiplicative.
Theorem 6.4. Let m and n be relatively prime positive integers. Then
Qfun): Q(m)th).
Proof. We display the positive integers not exceedingmn in the following
way.
I m*l 2m*l ... 6-l)m*l
2 m*2 2m*2 h-l)m*2
3 m*3 2m*3 h-I)m*3
2m 3m
not exceeding m. Suppose
row is relatively prime to mn,
km * r, where k is an integer
l s a
Then no
of this
posltlve lnteger
number in the rth
row is of the form

6.1 TheEulerPhFfunction 169
with I < t < n - l, and d | &m*r), sinced | * andd I r.
Consequently,to find those integersin the display that are relatively prime
to mn, we needto look at the rth row only if (m,r) : l. If fuI) :1 and
I ( r ( m, we must determinehow many integersin this row are relatively
prime to mn. The elements in this row are r , m * r ,
2m * r,..., h-l)m * r. Since (r,m) : l, each of these integers is
relativelyprime to m. By Theorem3.4, the n integersin the rth row form a
completesystemof residues
modulor. Hence,exactlyQh) of theseintegers
are relativelyprime to n. Sincethesed(n) integersare alsorelativelyprime
to m, they are relativelyprime to mn.
Since there are S(m) rows, each containingd(n) integersrelativelyprime
to mn, we canconclude
thal Q(mn) : O(m)efu). tr
CombiningTheorems6.3 and 6.4,we derivethe followingformula for 0Q).
Theorem 6.5. Let n : por'pi' . . . pir' be the prime-power factorization of
the positiveintegern. Then
6h):n0-lttr-
l)
tr-.!l .
Pr Pz Pt
Proof. Since @is multiplicative, Theorem6.1 tells us that if the prime-power
factorization of n is n : pl,pl, pf,,, th"n
0h): o?i)obi,) oht')
.
In addition, from Theorem6.3 we know that
Obi')- pf'- p?-t: p;,(l- +)
Pi
forT : 1,2,...,k.
Hence,
Qh): pi'T- L)ri,(l - I)
Pr Pz
pi,'o- t
)
P*
pi:o-
ftt-
Lt (r-!)
P*
: n(L- Il(l - !)
Pr Pz
This is the desiredformula for d(n). D
(l-I).
Pr,

170 Multiplicative Functions
we illustratethe useof rheorem 6.5 with the followingexample.
Example. Using Theorem6.5,we notethat
d(roo)
: o(22s2):
loo(l
-
il(l
-
+)
: 4o
.
and
0020: o(2432s)
: t2oe-
ilrr
-
|l tr -
We now introduce a type of summation notation which
l .
=)-192.
)
is usefulin working
with multiplicativefunctions.
Let f be an arithmeticfunction. Then
2,f (d)
d l n
represents
the sum of the valuesof f at all the positivedivisorsof n.
Example. If / is an arithmeticfunction,then
> f U) : f (r)+f Q)+f 0) +f U)+f (O+f 0D .
d l t 2
For instance.
> d2: 12+ 22+ 32+ 42+ 62+ 122
d l t 2
: l * 4 + g + 1 6 + 3 6 + 1 4 4 : Z l O .
The following result, which states that n is the sum of the values of the
phi-functionat all the positivedivisorsof n, will alsobe usefulin the sequel.
Theorem 6.6. Let n be a positiveinteger. Then
2A@l:n'
d l n
Proof. We split the setof integersfrom I to n into classes.Put the integerm
into the classCa if the greatestcommondivisorof m andn is d. We seethat
m is in C4,i.e. (m,n) : d,if andonlyif fu/d,n/d) : l. Hence,the number
of integersin Ca is the numberof positiveintegersnot exceedingn/d that are
relatively prime to the integer n/d. From this observation,we seethat there

6.1 The Euler Phi'function
aregh/d) integersin C1. Sincewe divided the integersI to n into disjoint
classes
and eachintegeris in exactlyoneclass,n is the sum of the numbersof
elements
in the differentclasses.Consequently,
we seethat
As d runs through the positiveintegersthat divide n, nfd also runs through
thesedivisors,sothat
Thisproves
thetheorem.tr
Example.We illustrate
theproofof Theorem
6.6whenn : 18. Theintegers
from I to 18canbesplitintoclasses
C4whered I 18suchthat theclassC7
contains
those
integers
m with (m,18): d. We have
c1 : {1,5,7,ll, 13,17} C6 : {6,12}
c2 : {2,4,8, 10,14,16} Cg : {g}
C3 : {3,15} Crr: {tg}.
We seethat the classCa contains0081d) integers,
as the six classes
contain
d(18): 6, O(9): 6, 0(6):2, O(3):2, 0(2): l, and d(1): I
integers,
respectively.
We notethat 18: d(18)+ O(g)+ ,O(0)
+ ,0(3)+
QQ)+d(1):2atal.
d l l 8
6.1 Problems
l. Find the value of the Euler phi-function for eachof the following integers
171
n : > Qhld)
d l n
n:>0fu1d)-DfU)
d l n d l ,
a) 100
b) 2s6
c) l00l
i l l
b ) 2
c ) 3
d) 2.3.5.7'rr.13
e) lo!
f) 20t .
2. Find all positiveintegersn suchthat d(n) hasthe value
d ) 6
e) 14
f) 24.

3. For which positiveintegersn is 6fu)
a) odd
b) divisible by 4
c) equal to n/2 ?
4. Show that if n is a positiveinteger, then
fa@ if n isodd
QQn):
lrrh) if n iseven
.
5' Show that if z is a .positiveinteger having k distinct odd prime divisors,then
d(n) is divisibleby 2k.
6. For which positiveintegersn is Qh) a power of 2?
7. Showthat if n and k arepositiveintegers,thenQ(mk) : mk-16(m) .
8. For which positiveintegerslz doesQfu) divide m ?
9. Show that if a and b arepositiveintegers,then
Qbb): (a,b)6G)O$)lOKa,il)
.
10. Showthat if m and,
n arepositiveintegerswith nr I n, then Qfu) | oh).
11. ProveTheorem6.5, using the principleof inclusion-exclusion
(seeproblem lZ of
Section1 l).
12. show that a positiveinteger n is compositeif and only if oh) ( n - .,,6-.
13. Let n be a positive integer. Define the sequenceof positive integers fl1,n2,13,...
recursively
by nr: Qh) and n1.,1
: 6(n*') for ft : r,2,3,.... show that thereis
a positiveinteger r such that n, - 1.
14. Two arithmetic functions/ and I may be multiplied using the Dirichlet product
which is definedbv
V*s)(n)
: 2f @)shlil .
a) Showthatf*g : g*.f.
b) Showthat (/*g) *h : f* Q*h) .
c) Showthat if r is themultiplicative
functiondefined
by
| , r i f n : l
,{n):
lo ifn ) l,
then rf - f*t : f for all arithmeticfunctions/.

1 5 .
t6.
6.1 The Euler Phi-function 173
d) The arithmetic function g is said to be the inverseof the arithmetic functton
.f it f*S : g*-f : ,. Show that the arithmetic function / has an inverse if
and only if f 0) I 0. Show that if / has an inverseit is unique. (Hint:
When f 0) # 0, find the inverse
.f-t of/ by calculating/(n) recursively,
usingthe fact that '(n) -
> f U)f-tfuld).)
dln
Show that if f andg arc multiplicative functions,then the Dirichlet product/*g
is alsomultiplicative.
Show that the Miibius function defined by
t
It
if n - I
l(-t)' if z is square-free
with primefactorization
p . n ) : 1 n : p r p z . . . p s
I
lO if n hassquarefactorlargerthan I
t
is multiplicative.
Showthatif n isa positive
integer
greater
thanone,then) p@) :0.
dl n
Let f be an arithmetic function. Show that if F is the arithmetic function
definedby
F(n): >f @),
' dln
then
f h):2p@)Fhld).
dln
This result is called the Miibius inversionformula.
Use the Mobius inversionformula to show that if f is an arithmetic function and
F is the arithmetic function definedby
F(n): >f @),
dln
thenif F is multiplicative,
sois/.
UsingtheMobiusinversion
formulaandthefact that n -
> 0h /il , provethat
a) Q(p'): p' - p'-',where
p isa primeandt is. *rr;:, integer.
17.
18.
19.
20.

174 Multiplicative
Functions
b) d(n ) is multiplicative.
21. Show that the function f (n):ne is completelymultiplicative for every real
numberk.
22. a) we define Liouville's function r(n) by I(r) : l and for n ) | by
(n) : (-l)4'|+4r+"'+a', if the prime-power factorization of n is
n: pi'pi' .'. p:'. Showthat tr(n) is completely
multiplicative.
b) Show that if n is a positive integer then ) tr(n) equals 0 if z is not a
perfect square,and equals I if n is a perfect square.
23. a) Show that it f and g are multiplicative functions then fg is also
multiplicative.
b) Show that if f and g arc completely multiplicative functions then /g is also
completelymultiplicative.
24. Show that tf f is completely multiplicative, then f (il : f @r)",.f(pr)o,
'
f (p^)"' when the prime-powerfactorization of n is n : pi'pi' . . . p:"..
25. A functionf that satisfies
the equationf (mn) :7(m) + "f
(n) for all relatively
prime positive integers m and n is called additive, and if the above equation
holds for all positiveintegersm and n, f is called completely additive.
a) Show that the function-f (n) : log n is completelyadditive.
b) Show that if <^r(n)is the function that denotesthe number of distinct prime
factors of n, then <^r
is additive, but not completelyadditive.
c) Show that if / is an additive function and if g(n):zfb), then g is
multiplicative.
l. Find valuesof the Euler phi-function.
2. Find the integerr in problem13.
6.2 The Sumand Numberof Divisors
We will also study two other arithmetic functionsin somedetail. One of
theseis the sum of the divisorsfunction.
Definition. The sum of the divisors function, denoted by o, is defined by
settingo(n) equalto the sum of all the positivedivisorsof n.

6.2 The Sum and Numberof Divisors 1 7 5
In Table6.1 we give oh) for 1 ( n < 12 The valuesof o(n) for
I ( n < 100are givenin Table 2 of the Appendix'
Table6.1. TheSumof theDivisors
for I ( n ( 12 .
The other functionwhich we will studyis the numberof divisors.
Definition. The numberof divisorsfunction,denotedby r, is definedby setting
r(n) equalto the numberof positivedivisorsof n.
In Table6.2 we give ,h) for I ( n ( tZ. The values of ,Q) for
1 ( n < 100are givenin Table2 of the Appendix.
Table6.2. The Numberof Divisors
for I ( n ( 12 '
Note that we can express
o(n) and z(n) in termsof summation
notation. It
is simpleto seethat
oh):Dd
d l n
and
,(n):>1.
d l n
To provethat o and r are multiplicative,we usethe followingtheorem.
Theorem 6.7. If / is a multiplicativefunction, then the arithmetic function
F (n)
d l n
Beforewe provethe theorem,we illustratethe ideabehindits proof with the
following example. Let
"f be a multiplicative function, and let
Ffu)
d l n
n I 2 3 4 5 6 7 8 9 r0 l l t2
o Q ) I
a
J 4 7 6 t2 8 l 5 l 3 1 8 t2 28
n I 2 3 4 5 6 7 8 9 10 l l t2
rh) I 2 2 3 2 4 2 4 3 4 2 6

176 Multiplicative
Functions
r(60) : r(4)F(15). Each of the divisorsof 60 may be written as the
productof a divisorof 4 and a divisorof 15 in the followingway: l:1.1,
2 : 2 ' 1 , 3 : 1 . 3 ,4 : 4 . 1 , 5 - 1 . 5 ,6 : 2 . 3 , I 0 : 2 . 5 , 1 2- 4 . 3 , 1 5: 1 . 1 5 .
20 :4'5, 30 : 2'15, 60 : 4-15(in eachproduct,the first factor is the divisor
of 4 , and the secondis the divisorof I 5). Hence,
F(60)
: f(r) +/o +f$) +f(q) +f$) +f6) +/(10)+f02)
+f (rs)+/(zo)+ f Q0 +/(60)
:.f (r'1)
+f Q.D+f 0.3)+f u.D+f 0.5)+f o.3)
+fQ.il +f(4., +f(r.ls)+f(4.il +fQ.l5)+fQ.rs)
:f (t)f(l) +f Q)f(r)+f (l)7(:)+f @)f(r)+f (fDj6)
+f Q)f(r)+f Ql|(s)+f (Df(g)+f ol7(rs)+f @f 6)
+f Q)f(rs)+f Q)f 0s)
: (/(t)+fQ) +7Q))(/(rl+fG) +f$) +/(ls))
: F(4)F(rS).
we nowprove
Theorem
6.7usingtheideaillustrated
by theexample.
Proof. To showthat F is a multiplicative
function,we mustshowthatif m
andn arerelatively
primepositive
integers,
thenF (md : F (m)r 0). Solet
usassume
that(m,n) : l. We have
F (mn) :
02,^n"f
u) '
By Lemma2.5,
since(m,n): l , eachdivisor
of mn canbewrittenuniquely
astheproduct
of relatively
primedivisors
dlof m andd2ofn, andeachpair
of divisors
d1 of m andd2 of n corresponds
to a divisord - dfi2 of mn.
Hence,
wecanwrite
F(mn):
Since/ is multiplicative
and since(dbd): l, we seethat
> f Utd2)
drl^
drln

6.2 TheSumand Numberof Divisors 177
F (mn) :
Now that we know o and r are multiplicative, we can derive formulae for
their values basedon prime factorizations. First, we find formulae for o(r)
and rh) when n is the powerof a prime.
Lemma 6.1. Let p be prime and a a positiveinteger. Then
o(po): (t+p+p2+ *po) : Po*'-l
p-l
and
r ( p o ) : a * 1 .
are l, p, p' ,...,po-t, po. Consequently,
po has
so that r(po) : a * l. Also, we note that
* pa-t* po :
#,
where we have used
Lemma 6.1 with p :5 and a: 3, we find that
s4- I
fi:156andz(53)-l*3:4.
The abovelemma and the fact that o and r ate multiplicative lead to the
following formulae.
Theorem 6.8. Let the positive integer n have prime factorization
n : p i ' p i 2 . . . p : ' . T h e n
2 f Q)f @z)
drln
drln
2fQ)ZfVz)
drl^ drl,
Ffu)Ffu).
tr
Proof. The divisors of po
exactly a*l divisors,
o ( p o ) : 1 * p + p z +
Theorem1.1. tr
Example. When we apply
o ( 5 3 ) : 1 * 5 + 5 2 + 5 3 :
o(n):ry
Pt-r
pl'*'-l
Pz-l
p!'*'-l : i
P,-l j-r
pl'*'-l
Pi-l

178 Multiplicative
Functions
r(n): (c1+l)
(az+D (c,*t) :
rI,
G1+D.
Proof. Since both o and r are multiplicative, we see that o(n) :
o(pi'p3' pi): obi)obi) o(pi) and r(n): ,ei,pi,
' ' ' p:') : ,(p1') ,Qi') ,Qi'). Inserting the values for oe!,) and
,Qi) found in Lemma 6.1,we obtain the desiredformulae. D
we illustratehow to useTheorem6.8 with the followingexample.
Example. Using Theorem6.8,we find that
o(200)
: o(2352)
: r!-,, g : 15.31
: 465
2-t 5-l
and
r(2oo) :
"(2352):
(3+t) Q+D : 12.
Also
o(lz0 : o(2a.32.s)
: T-,1 . 32-l . 52-l :31. 13.6:241g
2-l 3-l 5-l
and
r(24.32.il:
(4+l)(z+t)(t+t)
: 3o.
6.2 Problems
l. Findthesumof thepositive
integer
divisors
of
a) 35
b) te6
c) looo
d) 2r0o
e) 2'3'5'7'll
f) 2s345372t1
g) lo!
h) 201.
2. Find the number of positiveinteger divisorsof
i l 3 6 d ) 2 . 3 . s . 7 . 1 1 . 1 3 . 1 7 . 1 9
b) 99 e) 2i2.s3.74.115.134.17s.19s
c) r44 f) 20t.
3. Which positiveintegershavean odd number of positivedivisors?

6.2 TheSumand Numberof Divisors 179
4. For which positiveintegersn is the sum of divisorsof n odd?
5. Find all positiveintegersn with a(n) equalto
a) 12
b) l8
c) 24
d) 48
e) 52
f) 84
6. Find the smallestpositiveintegern with r(n) equalto
a ) l d ) 6
b ) 2 d t 4
c) 3 f) 100.
7. Showthat if k > | is an integer,then the equationrh) : ft hasinfinitely many
solutions.
8. Which positiveintegershaveexactly
a) two positive divisors
b) three positivedivisors
c) four positivedivisors?
g. What is the product of the positivedivisorsof a positiveinteger n ?
10. Let o1,h) denote the sum of the kth powers of the divisors of n, so that
o1,h) :
2 dk. Note that o1h) : sfu).
dln
a) Find or(4), or(6) and o{12).
b) Give a formula for o1(p), wherep is prime'
c) Give a formula for o1(po), wherep is prime, and a is a positiveinteger.
d) Show that the function op is multiplicative'
e) Using parts (c) and (d), find a formula for o;(n), wheren has prime-power
factorizationn : pi'pi' . . . p:;.
11. Find all positive
integers
n suchthat d(n) + oQ):2n.
12. Show that no two positiveintegershavethe sameproduct of divisors.
13. Show that the number of pairs of positiveintegerswith least commonmultiple
equal to the positiveinteger n is r(nz).
14. Let n be a positive integer. Define the sequenceof integers fl1,tr2,rt3,...
b!
n1: r(n) and n1.,1
: r(n*) for ft :1,2,3,.... Show that there is a positive
integer r such that 2 : f,r : flr1t : rlr+2:
15. Showthat a positiveintegern is composite
if and only if o(n) > n + ,/i.

180 Multiplicative
Functions
16. Showthat if n is a positiveinteger thenr(n)z :
)r(d)3
dl n
l. Find the number of divisorsof a positiveinteger.
2. Find the sum of the divisorsof a positiveinteger.
3. Find the integer r definedin problem 14.
6.3 Perfect Numbersand MersennePrimes
Becauseof certain mystical beliefs, the ancient Greeks were interestedin
those integersthat are equal to the sum of all their proper positive divisors.
Theseintegersare calledperfect numbers.
Definition. If n is a positiveinteger and o(n) : 2n, then n is called a perfect
number.
Example.Sinceo(6): l+2 + 3 +6:12, we seethat 6 is perfect.we
a l s on o t et h a t o ( 2 8 ) : 1 + 2 + 4 + 7 + 1 4 * 2 8 : 5 6 . s o t h a t 2 8 i s a n o t h e r
perfect number.
The ancient Greeks knew how to find all even perfect numbers. The
following theoremtells us which evenpositiveintegersare perfect.
Theorem 6.9. The positiveinteger n is an evenperfect number if and only if
n :2m-r(2^-l)
wherem is a positiveintegersuchthat 2^-l is prime.
Proof. First, we showthat if n:2m-r(2^-l) where2^-l is prime,then n
is perfect. We notethat sincezn-l is odd,we have(2m-r,2m-l) : 1. Since
o is a multiplicative function, we seethat
o(n) - o(2^-t)o(2^-l) .
Lemma6.1 tellsus that o(2^-r):2^-l and o(2^-l):2^, sincewe are
assumingthat 2m-l is prime. Consequently,

6.3 PerfectNumbers
andMersenne
Primes 1 8 1
o(n) : Q^-l)2^ :2n ,
demonstrating
that n is a perfectnumber.
To show that the converseis truenlet n be an evenperfect number. Write
n :2'l wheres and t arepositive
integers
and f is odd. Since(2t,t) : 1,we
seefrom Lemma 6.1 that
o(n) : o(2':) : o(2')o(t) : (2'+t-t)o(l)
(6.1)
Sincen is perfect,we have
G'D o(n) : 2n : 2s+r1
Combining(6.1) and (6.2) showsthat
(6.3) (2'+r-1)o(i : 2s+t1
Since(2s+r,2s+t-l): l, from Lemma2.3we seethat 2'+1lo(r). Therefore,
thereis an integerq suchthat o(t) - 2'+rQ. Insertingthis expression
for o(t)
into (6.3) tells us that
(2s+r_l)2s*rq- 2'*rt ,
(2'+t-l)q : 1 .
and,therefore,
(6.4)
Hence,q I t andq # t.
When we replace/ by the expression
on the left-hand side of (6.4), we find
that
( 6 . 5 ) t + q : ( 2 s + t - t ) q+ q : 2 ' + r q : o Q ) .
We will show that q : 1. Note that if q * l, then there are at least three
distinct positive divisors of t , namely 1, q, and t . This implies that
oQ) 2 t + q -| 1,whichcontradicts
(6.5). Hence,4: I and,from (6.4),we
conclude
that / :2s+l-1. Also,from (6.5),we seethat oQ): t + l, sothat
t must be prime, since its only positive divisors are I and t. Therefore,
n :2t (2r+l-1), where2s+l-1 is prime. tr
From Theorem6.9 we seethat to find even perfect numbers,we must find
primesof the form 2t-1. In our searchfor primesof this form, we first show
that the exponentru must be Prime.
Theorem 6.10. If la is a positiveinteger and2^-l is prime, then m must be

182 Multiplicative
Functions
pnme.
Proof. Assume that m is not prime, so that m : ab where | 1 a 1 m and,
| < b 1 m . T h e n
2m-l : 2ab
-, - (Zo-l) 12a(b-D
a2a(b-D
q...q1o+l) .
Sinceboth factorson the right sideof the equationare greaterthan I, we see
that 2m-l is compositeif m is not prime. Therefore,if 2^-l is prime, then
nr must alsobe prime. tr
From Theorem6.10 we seethat to searchfor primesof the form 2^-1, we
needto consideronly integersm that are prime. Integersof the form 2m-l
have been studied in great depth; these integers are named after a French
monk of the seventeenth
century,Mersenne,who studiedtheseintegers.
Definition. If m is a positiveinteger,then M^:2^-I is called the mth
Mersennenumber,and,if p is prime and Mp:2p-l is alsoprime, thenM,
is called a Mersenneprime.
Example. The Mersenne
numberM7:27-I is prime,whereas
the Mersenne
numberMn:2rr-I :2047 : 23.89is composite.
It is possibleto provevarioustheoremsthat help decidewhether Mersenne
numbersare prime. One such theoremwill now be given. Related resultsare
found in the problemsof Chapter9.
Theorem 6.11. rf p is an odd prime, then any divisor of the Mersenne
numberMp :2p-l is of the form 2kp + I wherek is a positiveinteger.
Proof. Let q be a prime -dividing Mp - 2p - I. From Fermat's little
theorem,
we know thatql(ze-t-t). Also,from Lemma1.2 we knowthat
(6.6) (T -t, 2c-t-t) : 2$t-D - f. ll
Since q is a common divisor of zp-l and zc-t-L we know that
Qp-t,24-t-l) > l. Hence,(p,q-l): p, sincethe only other possibility,
namely (p,q-l) : I, would imply from (6.6) that (Zp-t,2Q-t-l) : l.
Hence p | (q-t), and, therefore, there is a positive integer m with
q - | : mp. Since q is odd we see that m must be even,so that m : Zk.
wherek isapositiveinteger.
Hence,
q:mp * I - 2kp+1 . tr
We can use Theorem6.1I to help decide whether Mersennenumbersare
prime. We illustratethis with the followingexamples.

6.3 PerfectNumbers
and Mersenne
Primes 183
Example.To decidewhetherMB:2r3-l: 8191is prime,we only needlook
for a prime factor not exceedinglml : 90.504.... Furthermore, from
Theorem6.11,any suchprime divisormust be of the form 26k + L The only
candidates
for primesdividinB Mnless than or equal to1fTp are 53 and79.
Trial divisioneasilyrulesout thesecases,
sothat M s is prime.
Example.To decide
whetherMzt:223-r:8388607 is prime,we only need
to determine whether M zt is divisible by a prime less than or equal to
ffi: 2896.309...
of the form 46k + l. The first prime of this form is 47.
A trial divisionshowsthat 8388607:47'178481, sothat M4is composite.
Because
there are specialprimality testsfor Mersennenumbers,it hasbeen
possibleto determinewhether extremelylarge Mersennenumbersare prime.
Following is one such primality test. This test has been used to find the
largest known Mersenneprimes, which are the largest known primes. The
proofof this testmay be found in Lenstra[7t] and Sierpifiski[351.
The Lucas-LehmerTest. Let p be a prime and let Mo : 2! -l denotethe pth
Mersennenumber. Definea sequence
of integersrecursivelyby settingtr:4,
a n d f o r k > 2 ,
r* ? rtq -2 (modM), 0 ( rr I Mo .
Then,M, is prime if and only if rp-1 - 0 (mod M) .
We usean exampleto illustratean applicationof the Lucas-Lehmertest.
Example.considerthe Mersenne
numberM5:25 - I - 3l' Then r,: 4,
r z z 4 2 - 2 : 1 4 ( m o d 3 l ) , r t 4 A 2 - 2 - 8 ( m o d 3 1 ) , a n d r + 2
82- 2:0 (mod31). Sincertt 0 (mod31),we conclude
that M5:31 is
prime.
The Lucas-Lehmertest can be performed quite rapidly as the following
corollarystates.
Corollary 6.1. Let p be prime and let Mp : 2p - | denotethe pth Mersenne
number. It is possibleto determine whetherMo is prime using OQ3) bit
operations.
Proof. To determine whether Mp is prime using the Lucas-Lehmer test
requiresp - | squaringsmodulo iV* eachrequiring O((log M)2): O(p2)
bit operations. Hence, the Lucas-Lehmer test requires O Q3) bit
operations.tr

Much activity has beendirectedtoward the discoveryof Mersenneprimes,
especiallysince each new Mersenneprime discoveredhas becomethe largest
prime known, and for each ngw Mersenne prime, there is a new perfect
number. At the presenttime, a total of 29 Mersenneprimes are known and
these include all Mersenne primes Me with p ( 62981 and with
75000 < p < 100000. The known Mersenneprimesare listedin Table 6.3.
I
2
2
6
+
2
1'2
9a
'zz
ig
zf)
q+
8t)
72
2 h
^ l
-7s
3b
Lbb
p Number of decimal
digits in Mo
Date of Discovery
2
3
5
7
l3
I1
t9
3l
6l
89
107
t27
52r
607
r279
2203
2281
32r7
4253
4423
9689
994r
I 1213
r9937
2r701
23209
44497
86243
r32049
I
L
I
I
I
2
3
4
6
6
10
19
27
33
39
157
183
386
664
687
969
1281
t332
29r7
2993
3376
6002
6533
6987
I 3395
25962
397
5I
anclent
trmes
ancient
times
ancient
times
ancient
times
Mid 15thcentury
1603
1603
1772
1883
l91l
l9l4
t876
t952
t952
1952
1956
1952
t957
1961
1961
I963
I963
1963
t97|
I978
r979
1979
1983
I983
9l
Table 6.
5050
reKnown Mersenne
f 9 t
Primes.
) q
(,
?
5z

6.3 PerfectNumbers
and Mersenne
Primes 185
Computerswere used to find the 17 largest Mersenneprimes known. The
discovery by high school students of the 25th and 26th Mersenne prime
receivedmuch publicity, including coverageon the nightly news of a major
television network. An interesting account of the search for the 27th
Mersenneprime and related historical and computational information may be
found in [77]. A report of the discoveryof the 28th Mersenneprime is given
in [64]. It has been conjectured but has not been proved, that there are
infinitelymany Mersenneprimes.
We have reduced the study of even perfect numbers to the study of
Mersenneprimes. We may ask whether there are odd perfect numbers. The
answer is still unknown. It is possibleto demonstratethat if they exist, odd
perfect numbers must have certain properties (see problems 1l-14, for
example). Furthermore, it is known that there are no odd perfect numbers
lessthan 10200,
and it has beenshownthat any odd perfect number must have
at least eight different prime factors. A discussionof odd perfect numbers
may be found in Guy [17], and information concerningrecent resultsabout
odd perfectnumbersis givenby Hagis [681.
6.3 Problems
Find the six smallestevenperfect numbers.
Show that if n is a positive integer greater than l, then the Mersennenumber
Mn cannotbe the power of a positive integer.
If n is a positiveinteger, then we say that n is deficient if ofu) 1 2n , and we
say that n is abundant if oh) ) 2n. Every integer is either deficient, perfect,
or abundant.
a) Find the six smallestabundant positiveintegers.
b) Find the smallestodd abundant positiveinteger.
c) Show that everyprime power is deficient.
d) Show that any divisor of a deficientor perfect number is deficient.
e) Show that any multiple of an abundant or perfect number is abundant.
f) Show that if n -2m-t(2^-l) , where ra is a positiveinteger such that
2 -l is composite,then n is abundant.
4. Two positive integers m and n are called an amicable pair
o(m : o(n) : m * n. Show that each of the following pairs of integers
amicablepairs
l .
2.
3.
if
are

186
5. a)
a)
b)
c)
Multiplicative
Functions
220,294
1 1 8 4 ,
l 2 1 0
797
5A,
98730.
Showthat if n is a positive
integer
with n ) 2, suchthat3.2n-t-1,3.2n-1,
and32'22n-r-1
areall prime,then2n(3'2'-t-DQ.2'-l) and2n(32.22n't-l)
c) Mn
d) Mzs.
6.
form an amicablepair.
b) Find threeamicablepairsusingpart (a).
An integer n is called k-perfect if o(il: kn. Note that a perfect number is
2-perfect.
a) Showthat 120: 23.3.5is 3-perfect.
b) Showthat 30240: 2s32.5.,is 4-perfect.
c) Showthat 14182439040
- 27.34.5.7.n2.17.19
is 5-perfect.
d) Find all 3-perfectnumbersof the form n -2k.3.p, where p is an odd
prime.
e) Showthat if n is 3-perfectand 3 I n, then 3n is 4-perfect.
A positiveintegern is calledsuperperfectif oGh)) : Zn.
a) Showthat 16 is superperfect.
b) Showthat if n : 2e where2q+t-l is prime, then n is superperfect.
c) Show that every even superperfect number is of the form n : 2q where
zq+t-l is prime.
d) Showthat if n : p2 wherep is an odd prime,'thenn is not superperfect.
Use Theorem6.ll to determinewhether the following Mersennenumbers are
pnme
a) M7
b) Mn
a) M3
b ) M 7 .
c) Mn
d Mn.
7.
8 .
9' Use the Lucas-Lehmer test to determine whether the following Mersenne
numbersare prime
10. a) Show that if n is a positive integer and 2n i L is prime, then either
Qn+l) | M^ or Qn+D | (a,+D. (Hint: Use Fermat's little theorem to
showthat Mn(Mn+z) = O (mod 2z+l).)
b) Use part (a) to show that Ms and My arecomposite.

1 1 .
6.3 Perfect Numbers and Mersenne Primes 187
a) Show that if n is an odd perfectnumber,then n : pom2 wherep is an odd
p r i m e a n d p7 a z I ( m o d 4 ) .
b) Use part (a) to show that if n is an odd perfect number, then
n = l ( m o d 4 ) .
Show that if n - pom2 is an odd perfect number where p is prime, then
n = p ( m o d 8 ) .
:**
that if n is an odd perfect number, then 3, 5, and 7 are not all divisorsof
Show that if n is an odd perfect number then n has
a) at least three different prime divisors.
b) at least four different prime divisors.
Find all positiveintegersn such that the productof all divisorsof n other than n
is exactly n2. (Theseintegersare multiplicative analoguesof perfect numbers.)
Let n be a positive integer. Define the sequencafl1,tt2,rt3,...,
recursively by
n1 : o(n) - n andflk+r: oQ) - np fot k - 1,2,3,...
.
a) Show that if n is perfect,then n : nt : fi2: tt3:
b) Showthat if n and m arean amicablepair, then n1 : ftt, ttz- tt, tt3: t/t,
n4: n,... and soon, f.e.,the sequence
fl1,tt2,t13,...
is periodicwith period2.
c) Find the sequence
of integers
generated
if n :12496:24'll'71.
It has been conjecturedthat for all
n1,n2,n3,...
ispefiodic.
6.3 Computer
Projects
Write programs
to dothefollowing:
l. Classifypositive
integers
according
to
abundant
(see
problem3).
n, the sequence of integers
whether they are deficient, perfect, or
2. Use Theorem6.ll to look for factorsof Mersennenumbers.
3. Determine whether Mersennenumbersare prime using the Lucas-Lehmertest.
4. Given a positiveinteger n, determineif the sequence
definedin problem 16
peric.ic.
5. Find amicablepairs.
t2.
1 3 .
14.
1 5 .
16.

Cryptology
7.1 Character
Ciphers
From ancient times to the present, secret messageshave been sent.
Classically, the need for secret communication has occurred in diplomacy and
in military affairs. Now, with electronic communication coming into
widespreaduse, secrecyhas become an important issue. Just recently, with
the advent of electronic banking, secrecy has become necessary even for
financial transactions. Hence, there is a great deal of interest in the
techniquesof making messages
unintelligible to everyoneexcept the intended
receiver.
Before discussing specific secrecy systems, we present some terminology.
The discipline devoted to secrecysystemsis called cryptology. Cryptography
is the part of cryptology that deals with the design and implementation of
secrecy systems, while cryptanalysis is aimed at breaking these systems. A
messagethat is to be altered into a secretform is calledplaintext. A cipher is
a method for altering a plaintext message into ciphertext by changing the
letters of the plaintext using a transformation. The key determines the
particular transformation from a set of possibletransformationsthat is to be
used. The processof changing plaintext into ciphertext is called encryption or
enciphering, while the reverse processof changing the ciphertext back to the
plaintext by the intended receiver, possessingknowledge of the method for
doing this, is called decryption or deciphering. This, of course, is different
from the processsomeoneother than the intended receiver uses to make the
messageintelligible through cryptanalysis.
188

7.1 Character Ciphers
In this chapter, we present secrecysystems
The first of these had its origin with Julius
systemwe will discusswas inventedin the late
start by translating letters into numbers. We
the letters of English and translate them into
shownin Table 7.1.
189
basedon modular arithmetic.
Caesar. The newest secrecy
1970's. In all thesesystems
we
take as our standard alphabet
the integers from 0 to 25, as
letter A B C D E F G H I J K L M N o P a R S T I I
V w X Y Z
numerical
equivalent
0 I 2 3 4 5 6 7 8 9 l 0 l l t 2 l 3 t 4 l 5 l 6 t 7 l 8 l 9 20 2 l 22 23 24 25
Table7.1. The NumericalEquivalents
of Letters.
Of course,if we were sendingmessages
in Russian,Greek, Hebrew or any
other languagewe would usethe appropriatealphabetrange of integers. Also,
we may want to include punctuation marks, a symbol to indicate blanks, and
perhapsthe digits for representingnumbers as part of the message. However,
for the sake of simplicity, we restrict ourselvesto the letters of the English
alphabet.
First, we discusssecrecysystemsbased on transforming each letter of the
plaintext messageinto a different letter to produce the ciphertext. Such
ciphers are called character or monographic ciphers, since each letter is
changedindividually to another letter by a substitution. Altogether, there are
26! possibleways to producea monographictransformation. We will discuss
a set that is basedon modular arithmetic.
A cipher, that was used by Julius Caesar, is based on the substitution in
which each letter is replaced by the letter three further down the alphabet,
with the last three letters shifted to the first three letters of the alphabet. To
describe this cipher using modular arithmetic, let P be the numerical
equivalentof a letter in the plaintext and C the numerical equivalent of the
corresponding
ciphertext letter. Then
C:P+3(mod26), 0<C<25.
The correspondence
betweenplaintext and ciphertext is given in Table 7.2.

190 Cryptology
Table7.2. The Correspondence
of Lettersfor the CaesarCipher.
To encipher a messageusing this transformation, we first change it to its
numerical equivalent, grouping letters in blocks of five. Then we transform
each number. The grouping of letters into blocks helps to prevent successful
cryptanalysis based on recognizing particular words. We illustrate this
procedureby encipheringthe message
THIS MESSAGE IS TOP SECRET.
Broken into groups of five letters, the messageis
THISM ESSAG EISTO PSECR ET.
Converting the letters into their numerical equivalents,we obtain
1 9 7 8 1 8 1 2 4 l 8 1 8 0 6 4 8 1 8 1 9 1 4
1 5 l 8 4 3 1 7 4 1 9 .
Using the Caesartransformation Q
-
P*3 (mod 26), this becomes
2 t 3 9 7 1 1 2 1 2 2 1 7
22 l0 11
18 2t 7
2t 15 721
620722
Translating back to letters,we have
WKLVP HVVDJ HLVWR SVHGU HW.
This is the message
we send.
The receiver deciphers it in the following manner. First, the letters are
converted to numbers. Then, the relationship P = C-3 (mod 26),
0 < P ( 25, is used to change the ciphertext back to the numerical version
of the plaintext, and finally the messageis convertedto letters.
We illustrate the deciphering procedure with the following message
encipheredby the Ceasarcipher:
plaintext
A
0
B
I
c
2
D
3
E
4
F
5
G
6
H I
8
J
9
K
l 0
L
l l
M
t 2
N
l 3
o
l 4
P
l 5
a
l 6
R
t 7
S
l 8
T
t 9
U
20
V
21
w
22
X
23
Y
24
Z
25
ciphertext
3
D
4
E
5
F
6
G
7
H
8
I
9
J
l 0
K
l l
L
t 2
M
l 3
N
t 4
o
l 5
P
l 6
a
t 7
R
1 8
S
l 9
T
20
U
2 l
V
22
w
23
X
24
Y
25
z
0
A
I
B
2
c

7.1 CharacterCiPhers 1 9 1
WKLVL VKP.ZZ HGHFL SKHU.
First, we changetheseletters into their numerical equivalents,to obtain
2 2 | 0 l l 2 l l 1 2 1 l 0 | 7 2 5 2 5 7 6 7 5 | | 1 8 1 0 7 2 0 .
Next, we perform the transformation P : C-3 (mod 20 to change this to
plaintext, and we obtain
1 9 7 8 1 8 8 1 8 7 1 4 2 2 2 2 4 3 4 2 8 1 5 7 4 1 7 .
We translatethis back to letters and recoverthe plaintext message
THISI SHOWW EDECI PHER.
By combining the appropriate letters into words, we find that the message
reads
THIS IS HOW WE DECIPHER.
The Caesar cipher is one of a family of similar ciphers described by u
shft transformation
C:P+k (mod26),0<C<25,
where k is the key representingthe size of the shift of letters in the alphabet.
There are 26 different transformations of this type, including the case of
k = 0 (mod 26), where letters are not altered, since in this case
C
-
P (mod 26).
More generally,we will considertransformationsof the type
( z . t ) C - a P * b ( m o d 2 6 ) , 0 < C < 2 5 ,
where a and b are integers with (a,26) : l. These are called
ffine transformations. Shift transformationsare affine transformationswith
a:1. We require that G,26): 1, so that as P runs through a complete
systemof residuesmodulo 26, C also does. There are O(2O : 12 choicesfor
a, and 26 choicesfor b, giving a total of 12'26:312 transformationsof this
type (one of theseis C = P (mod 26) obtainedwhen a:l and D-0). If the
rliationship between plaintext and ciphertext is describedby (7.1), then the
inverserelationshipis given bY

192 Cryptology
P = arc-b) (mod
26), 0 < P < 25.
wherea is an inverseof a (modZO.
As an example of such a cipher, let a:7 and b:r}, so that
c = 7P + l0 (mod 26). Hence,p = l5(c-10) = l5c+6 (mod 26). since
15 is an inverseof 7 modulo 26. The correspondence
betweenletters is given
in Table 7.3.
Tabfe
7.3. TheCorrespondence
of Letters
fortheCipher
withC = 7p+10 (mod26).
To illustratehow we obtainedthis correspondence,
notethat the plaintext
letter L with numericalequivalent1l corresponds
to the ciphertextletter J,
since
7'll + l0:87 = 9 (mod26) and9 is thenumerical
equivalent
of J.
To illustratehowto encipher,
notethat
PLEASESEND MONEY
is transformed
to
LJMKG MGXFQ EXMW.
Alsonotethat theciphertext
FEXEN XMBMK JNHMG MYZMN
corresponds
to the plaintext
DONOT REVEA LTHES ECRET.
or combining
the appropriate
letters
plaintext
A B C D E F G H I J K L M N o P a R S T U V w X Y Z
0 2 3 4 5 6 I 8 9 l 0 l l t 2 l 3 1 4 1 5 l 6 t 7 l 8 l 9 20 2 l 22 23 24 25
ciphertext
r0 t 7 24 5 t2 l 9 0 7 T4 2 l 2 9 l 6 23 4 l l l 8 25 6 l 3 20 8 l 5 22 3
K R Y F M T A H o V c J a X E L S z G N v B I P w D

7.1 GharacterCiPhers
193
DO NOT REVEAL THE SECRET.
We now discusssomeof the techniques
directed at the cryptanalysisof
ciphers based on affine transformations. In attempting to break a
monographiccipher, the frequencyof letters in the ciphertextis compared
with the frequency of letters i; ordinary text. This gives information
concerning
the .orr"rpondence
between
letters. In variousfrequency
countsof
Englishtext, onefindi the percentages
listedin Table7.4 fot the occurrence
of
tneZe lettersof the alphabet. Countsof letter frequencies
in otherlanguages
maybefoundin [48] and[52].
Table 7.4. The Frequenciesof Occurrence of the Letters of the Alphabet.
From this information,we seethat the most frequentlyoccurringlettersare
E,T,N,O, and A, in that order. We can use this informationto determine
which cipher basedon an affinetransformationhas beenusedto enciphera
message.
First, supposethat we know in advancethat a shift cipher has been
employedio encipher a message;each letter- of the messagehas been
transformedby ; correspondence
C
- P+k (mod26),0 < C < 25. To
cryptanal
yzetheciPhertext
YFXMP CES PZ C J TDF DPQFW QZCPY
NTAS P CTYRX PDDLR PD ,
we first countthe numberof occurrences
of eachletter in the ciphertext. This
is displayed
in Table?.5.
letter A B c D E F G H I J K L M N o P a R S T U V w X Y z
frequency
(in Vo)
7 I 3 4 l 3 3 2 3 8 < l < l 4 3 8
'l
3 < l 8 6 9 3 I <1 z < l

194
Cryptology
Table7.5. The Numberof Occurrences
of Lettersin a Ciphertext.
We notice that the most frequently occurring letter in the ciphertext is p with
the letters c,D,F,T, and y occurring with relatively high frequency. our
initial guess would be that P representsE, since E is the -ort frequently
occurringletter in English text. If this is so, then 15:4fk (mod i6), s;
that ft = I I (mod 26) Consequently,
we would have C = p+11 (mod 26)
and P : c-l1 (mod 26). This correspondence
is givenin Table 7.6.
Table 7.6. correspondenceof Letters for the Sample ciphertext.
Using this correspondence, we attempt to decipher the message. we obtain
N U M B E R T H E O R Y I S U S E F U L F O R E N
C I P H E R I N G M E S S A G E S .
This can easilybe read as
NUMBER THEORY IS USEFUL FOR
ENCIPHERING MESSAGES.
Consequently,we made the correct guess. If we had tried this transformation,
and insteadof the plaintext, it had producedgarbled text, we would have tried
another likely transformation based on the frequency count of letters in the
ciphertext.
letter A B C D E F G H I J K L M N o P a R S T U V w X Y Z
number of
occurrences
I 0 4 5 I 3 0 0 0 0 I 0 2 2 a
J 0 0 I I 3 2
ciphertext
A B C D E F G H I J K L M N o P a R S T U V w X Y Z
0 I 2 3 4 ) 6 7 8 9 l 0 l l l 2 l 3 t 4 l 5 l 6 1 1 l 8 t 9 20 21 22 23 24 25
plaintext
l 5 l 6 t 7 l 8 l 9 20 2 l 22 23 24 25 0 I 2 3 4 5 6 I 8 9 l 0 il t2 l 3 t 4
P a R S T U V w Z Y z A B C D E F G H J K L M N o

7.1 Charaeter
CiPhers
195
Now, supposewe know that an affine transformationof the form
C : a p+i (mod26), 0 < C < 25, has been used for enciphering' For
instance,
suppose
wewishto cryptan
alyzethe enciphered
message
US LEL
ELYUS
QL LQL
RYZDG
FALGU
SLJFE
JUTCC
LRYXD
YXS RV
HRGUS
PTGVT
OLPU.
YRTPS
J URTU
L BRYZ
L J LLM
J ULYU
URKLT
ULVCU
CYREK
LYPD J
SLDAL
YGGFV
URJRK
LVEXB
LJTJU
TJRWU
The first thing to do is to count
displayed
in Table7.7
the occurrencesof each letter; this count is
Table7.7. The Number of Occurrences
of Lettersin a Ciphertext.
With this information, we guessthat the letter L, which is the most frequently
occurring letter in the ciphertext, correspondsto E, while the letter U, which
occurs with the secondhighest frequency, correspondsto T. This implies, if
the transformation is of the form C
--
aP*b (mod 26), the pair of
congruences
4a*b
--
11 (mod 26)
l9a+b : 20 (mod 26).
By Theorem 3.8, we seethat the solution of this system is a E 11 (mod 26)
andb : 19 (mod 26).
If this is the correct encipheringtransformation,then using the fact that 19 is
an inverseof I I modulo 26, the deciphering transformation is
p --_
19 (C-19) : t9C-361 = 19C + 3 (mod 26), 0 < P < 25.
This givesthe correspondence
found in Table 7.8.
letter A B c D E F G H I J K L M N o P a R S T U v w X Y z
number of
occurrences
2 2 4 4 5 3 6 0 l 0 3 22 I 0 I 4 2 t 2 5 8 l 6 J I 3 l 0 2

196
With this correspondence,
becomes
Cryptology
we try to read the ciphertext. The ciphertext
Table 7.8. The correspondence of Letters for the Sample ciphertext.
THEBE
BERTH
VE EVE
ORKIN
UDENT
HE SUB
STAPP
EORY I
RYHOM
GONTH
CANMA
JECT.
ROACH
STOAT
EWORK
ESEEX
STERT
TOL EA
TEMPT
PROBL
E RCIS
HEIDE
RNNUM
TOSOL
EMBYW
ESAST
ASOFT
We leave it to the reader to combine the appropriate letters into words to see
that the message
is intelligible.
7.1 Problems
1 .
2.
3.
4.
5.
using the caesar cipher, encipher the messageATTACK AT DAWN.
Decipher the ciphertext message LFDpH LVDZL FRerx HUHG that has
been enciphered using the Caesar cipher.
Encipher the message SURRENDER IMMEDIATELY using the affine
transformationC = llp+18 (mod 26).
Decipher the message RToLK TOIK, which was enciphered using the affine
transformation C = 3p+24 (mod 26).
If the most common letter in a long ciphertext, enciphered by a shift
transformation C = P+k (mod 26) is Q, then what is the most likely value of
k 1
ciphertext
A B C D E F G H I J K L M N o P a R S T U V w X Y z
0 I 2 3 4 5 6 ,7 8 9 l 0 l l t2 l 3 t 4 l 5 l 6 t 7 r8 l 9 20 21 22 23 24 25
plaintext
3 22 l 5 8 I 20 l 3 6 25 l 9 l l 4 23 t6 9 2 2 l r4 0 t 9 t2 5 24 t 1 t 0
D w P I B U N G z S L E X a J C V o H A T M P Y R K

6.
7.
7.1 CharacterCiPhers 197
If the two most common letters in a long ciphertext, enciphered by an affine
transformation C = aP*b (mod 26) are W and B, respectively, then what are
the most likely values for a and b?
Given two ciphers, plaintext may be enciphered by using one of the ciphers, and
by then using the other cipher. This procedure producesa product cipher '
a) Find the product cipher obtained by using the transformation C : 5P +13
(mod 26) followed by the transformation c = l7P+3 (mod 26).
b) Find the product cipher obtained by using the transformation C : aP+b
(mod 26) followed by the transformation C = cP*d (mod 26), where
Q , 2 6 ) : ( c , 2 6 ) * 1 .
A Vignbre cipher operates in the following way. A sequence of letters
Qr!r,...,0r, with numerical equivalents k1,k2,...,
kn, servesas the key. Plaintext
messages are split into blocks of length n. To encipher a plaintext block of
letters with numerical equivalents PbPz,...,P, to obtain a ciphertext block of
letters with numerical equivalentscr,cz,...,cn,we use a sequenceof shift ciphers
with
ci 7 pi * k; (mod 26), 0 ( ci ( 25,
for i : 1,2,...,n. In this problem, we use the word SECRET as the key for
a Vigndre cipher.
a) Using this Vigndre cipher, encipher the message
DO NOT OPEN THIS ENVELOPE.
b) Decipher the following message which was enciphered using this
Vigndre cipher:
WBRCSL AZGJMG KMFV.
c) Describe how cryptanalysis of ciphertext, which was enciphered
using a Vigndre cipher, can be carried out.
l. Encipher messages
using the Caesarcipher.
2. Encipher messages
using the transformation C : P+k (mod26), where k
is a given integer.
3. Encipher messages
using the transformation C = aP+6 (mod26), where
a and b are integers with (a,26) : I.
8.

198
Cryptotogy
Decipher messages
that have beenencipheredusing the caesar cipher.
Decipher messagesthat have been enciphered using the transformation
C = P+k (mod26), where ft is a given integer.
Decipher messagesthat have been enciphered using the transformation
c = aP+6 (mod26), where a and b are integerswith (a,26): r.
Cryptanalyze, using frequency counts, ciphertext that was enciphered
using a transformation of the form c = p+k (mod26) where k is an
unknown integer.
cryptanalyze, using frequency counts, ciphertext that was enciphered
using a transformation of the form c = ap*D (mod26) where a and b
are unknown integerswith (a,26)- l.
Encipher messages
using vigndre ciphers (seeproblem g).
Decipher messages
that have beenencipheredusing vigndre ciphers.
7.2 Block Ciphers
We have seenthat monographicciphers basedon substitutionare vulnerable
to cryptanalysis based on the frequency of occurrence of letters in the
ciphertext. To avoid this weakness, cipher systems were developed that
substitute for each block of plaintext letters of a specified length, a block of
ciphertext letters of the same length. Ciphers of this sort are called block or
polygraphic ciphers. In this section, we will discusssome polygraphic ciphers
basedon modular arithmetic; thesewerOdevelopedby Hill [87] around 1930.
First, we consider digraphic ciphers; in these ciphers each block of two
letters of plaintext is replaced by a block of two letters of ciphertext. We
illustrate this processwith an example.
The first step is to split the messageinto blocks of two letters (adding a
dummy letter, say X, at the end of the message,
if necessary,
so that the final
block has two letters). For instance,the message
is splitup as
THE GOLD IS BURIED IN ORONO

7.2 Block Giphers
Next, these letters are translated into
previouslydone) to obtain
1 9 7 4 6 1 4 1 1 3 8
1 3 1 4 1 7 1 4 1 3 1 4 .
199
their numerical equivalents (as
l8r 20t7 84 38
Each block of two plaintext numbers P,Pz is converted into a block of two
ciphertextnumbersC 1C2:
Cr = 5Pr + lTPz (mod 26)
Cz= 4Pt + lSPz (mod26).
For instance,the first block l9 7 is convertedto.6 25, because
Cr = 5'19+ l7'7 : 6 (mod26)
C z = 4 ' 1 9+ 1 5 ' 7 : 2 5 ( m o d2 6 ) .
After performing this operationon the entire message,
the following ciphertext
is obtained:
6 2 5 t 8 2 2 3 1 3 2 1 2 3 9 2 5 2 3 4 r 4 2 r 2 1 7 2 1 l l 8 l 7 2 .
When theseblocksare translatedinto letters,we have the ciphertext message
GZ SC XN VC DJ ZX EO VC RC LS RC.
The deciphering procedure for this cipher system is obtained by using
Theorem 3.8. To find the plaintext block Pfz correspondingto the ciphertext
block CrCz, we usethe relationship
Pr = lTCt t 5Cz (mod 26)
Pz = l8Cr * 23Cz (mod 26).
The digraphic cipher system we have presented here is conveniently
describedusing matrices. For this cipher system,we have
/ ' r / ) r )
lc,l ls 17llP,
l
I l=t tl l(mod26).
lc,) L4 tsj lP,j
In 5'l
From Proposition3.7, we see that the matrix | | is an inverse of
6 r7'|
lts n)
| | modulo 26. Hence, Proposition3.6 tells us that deciphering can be
l+ lsJ
done using the relationship

ln general, a Hill cipher system may be obtained
blocks of n letters, translating the letters into their
forming ciphertext using the relationship
Q
-
AP (mod20.
200
Since det A = 5 (mod 26),
block of length three, we use
Cryptology
(mod 26).
by splitting plaintext into
numerical equivalents,and
[;;]
=
[:
;]
[:;]
C1
C2
P 1
P2
whereA is an nxn matrix with (det A,26) : I, C : a n d P :
and where C1C2...C, is the ciphertext block that correspondsto the plaintext
block P1P2...Pn Finally, the ciphertext numbersare translatedback to letters.
For deciphering,we use the matrix A, an inverseof A modulo 26, which may
be obtained using Proposition 3.8. Since AA : / (mod 26), we have
Zc = Z<,qn = (2,4p -p (mod
26).
Hence, to obtain plaintext from ciphertext, we usethe relationship
P : ZC (JrrlOd
2f.).
We illustratethisprocedure
usi andtheenciphering
matrix
cn Pn
A :
l9
25
I
ngn:3
["2
ls
23
lro 7
we have (det A,26)
the relationship
: l. To encipher a plaintext

7.2 Block CiPhers
201
STO PPA YME NTX.
We translatetheselettersinto their numericalequivalents
181914 15150 24124 131923.
We obtainthe first blockof ciphertextin the followingway:
[.'l [" z 'nl ["] [']
tllll.ll.l
1.,
l:ls n rtl |tnl-ltnl
(mod26).
Itlllll^l
[.,j [ro 7 t J |.toj U3
,;
Encipheringthe entire plaintextmessage
in the samemanner,we obtain the
ciphertextmessage
81913 13415 0222 20110.
Translating
this message
into letters,
wehaveour ciphertext
message
TTN NEP ACW ULA.
takes a
[c') ["'l
Ittt
lcrl = e lP'l (mod
26).
[',1[",J
To encipher the messageSTOP PAYMENT, we first split the messageinto
blocks of tht"" letters, adding a final dummy letter X to fill out the last block.
We have plaintext blocks
The deciphering process for this polygraphic cipher system
ciphertext block and obtains a plaintext block using the transformation
f"'l [.'l
tt_tl
lprl = 7 lrrl (mod
26)
rrll
L",J lt'j
where

202
Cryptology
6 -5 ll
Z: -l -10
is an inverseof I modulo 26, which may be obtainedusing proposition 3.g.
Becausepolygraphicciphersoperatewith blocks,rather than with individual
letters, they are not vulnerable to cryptanalysis based on letter frequency.
However, polygraphic ciphers operating with blocks of sizen are vulnerable to
cryptanalysis based on frequenciesof blocks of size n. For instance,with a
digraphic cipher system, there are 262: 676 digraphs, blocks of length two.
Studies have been done to compile the relative fiequencies of digraphs in
typical English text. By comparing the frequenciis of digraphs in the
ciphertext with the average frequencies of digraphs, it is ofGn possible to
successfullyattack digraphic ciphers. For example,accordingto somecounts,
the most common digraph in English is TH, followed closelyby HE. If a Hill
digraphic cipher system has been employed and the most common digraph is
KX, followed by YZ, we may guessthat the ciphertext digraphs KX and vZ
correspondto TH and HE, respectively. This would mean that the blocks
19 7 andT 4 are sent to 1023 and21 25, respectively. If A is the enciphering
matrix, this implies that
,lrn ?l_
ta
Iz 4) :
l0 2l
23 25
(mod 26).
isaninverse
"t [? l)
(mod 26)
, wefind
that
whichrgives
12e
A-
[s 23
possible
key. After attemptingto decipher
the ciphertextusing
to transformthe ciphertext,we would know if our guesswas
lzt r7')
:
ltt 2)
(mod
26)'
n correspondences
between plaintext blocks of sizen
size n, for instance if we know that the ciphertext
1,2,...,n, correspond to the plaintext blocks
respectively,then we have
correct.
In general,if we know
and ciphertext blocks of
blocks C1iC2i...Cni,j :
PryP2i...Pni,
j : 1,2,...,n,

7.2 Block Ciphers
(mod26),
for 7 - 1,2,...,fl.
Thesen congruences
can be succinctlyexpressed
using the matrix congruence
A P = C ( m o d 2 6 ) ,
where P and C arc nxn matriceswith ryth entries Pl; and Cii, respectively.
If (det p,26): l, then we can find the encipheringmatrix A via
A = CF (mod 26),
where P is an inverseof P modulo 26.
Cryptanalysis using frequenciesof polygraphs is only worthwhile for small
valuesof n, where n is the sizeof the polygraphs. When n:10, for example,
there are 26t0,which is approximately l.4x10la, polygraphsof this length.
Any analysis of the relative frequencies of these polygraphs is extremely
infeasible.
7.2 Problems
l. Using the digraphic cipher that sendsthe plaintext block Pf2to the ciphertext
block CrCz with
Cr = 3Pt + I0P2 (mod 26)
Cz = 9Pt + 7P2 (mod 26),
encipherthe messageBEWARE OF THE MESSENGER.
2. Decipher the ciphertext messageUW DM NK QB EK, which was enciphered
using the digraphic cipher which sends the plaintext block Pfz into the
ciphertext block CrCz with
Cr = 23Pt + 3Pz (mod 26)
Cz = IOP| + 25P2 (mod 26).
3. A cryptanalyst has determined that the two most common digraphs in a
ciphertext messageare RH and NI and guessesthat these ciphertext digraphs
correspond to the two most common diagraphs in English text, TH and HE. If
,[:]
il

4.
204
Cryptotogy
the plaintext was encipheredusing a Hill digraphic cipher describedby
Cr = aP1* bP2 (mod 26)
Cz = cP1 * dP2 (mod 26).
what are a,b,c, and,
d2
How many pairs of letters remain unchanged when encryption is performed using
the following digraphic ciphers
il Cr E 4pt + 5p2 (mod 26)
Cz = 3Pt + P2 (mod 26)
b) Cr = lpt + I7p2 (mod26)
Cz = Pt + 6Pz (mod26)
c) Cr = 3Pt + 5Pz (mod26)
Cz = 6Pt + 3P2 (mod26)?
5. Showthat if the^enciphering
matrix A in the Hill ciphersystemis involutory
modulo26,i.e, 42 = 1 (mod26), then A alsoserves
asa deciphering
matrix for
this ciphersystem.
A cryptanalysthasdeterminedthat the threemostcommontrigraphs(blocksof
length three) in a ciphertextare, LME, wRI and zyC andgu"rr", that these
ciphertexttrigraphscorrespond
to the three most commontrigraphsin English
text, THE, AND, and THA. If the plaintextwas enciphered
using a Hill
trigraphic cipher describedby C = AP (mod26), what are the entriesof the
3x3 enciphering
matrixA?
Find the product cip^her.
obtained by using the digraphic Hill cipher with
encipherins
matrix
.[f lij followedby usingthe digraphicHill cipherwith
encipherins
."tri*
[r5, )
Showthat the productcipherobtainedfrom two digraphicHill ciphersis againa
digraphicHill cipher.
Showthat the productcipher obtainedby encipheringfirst usinga Hill cipher
with blocksof sizem andthen usinga Hill cipherwith blocksof sizen is again
a Hill cipherusingblocksof sizelm,nl.
Find the 6x6 enciphering
matrix corresponding
to the productcipherobtainedby
first usingthe Hill cipherwith enciphering
matrix
t} | J,
rotto*"d by usingthe
Hillcipher
withenciphering.",r,*
fl A ?l
[ 0 I l J
A transposition cipher is a cipher where blocks of a specifiedsize are enciphered
by permuting their characters in a specified manner. For instance, plaintext
blocks of length five, P1P2P3PaP5, may be sent to ciphertext blocks
c1c2c3cac5: P4PIPIPP3. Show that every such transposition cipher is a
6.
7.
8.
9.
10.
1 1 .

7.3 ExPonentiation
Ciphers 205
Hill cipher with an enciphering matrix that contains only 0's and I's as entries
with the property that each row and each column containsexactly one 1.
7.2 Computer Proiects
using a Hill cipher.
2. Decipher messages
that were encipheredusing a Hill cipher.
3. Cryptanalyze messagesthat were enciphered using a digraphic Hill cipher, by
analyzing the frequency of digraphs in the ciphertext.
7.3 Exponentiation
Ciphers
In this section,we discussa cipher, based on modular exponentiation,that
was inventedin 1978 by Pohlig and Hellman [9t1. We will seethat ciphers
producedby this systemare resistantto cryptanalysis.
Let p be an odd prime and let e, the encipheringkey, be a positiveinteger
with (e,p-l) : l. To encipher a message,
we first translate the letters of the
messageinto numerical equivalents (retaining initial zeros in the two-digit
numerical equivalentsof letters). We use the same relationshipwe have used
before.as shown in Table 7.9.
Table7.9. Two-digitNumericalEquivalents
of Letters.
Next, we group the resulting numbers into blocks of 2m decimal digits,
where 2m is the largest positiveeveninteger such that all blocks of numerical
equivalentscorrespondingto m letters (viewed as a single integer with 2m
decimaldigits)
arelessthanp,e.g.if 2525< p <252525,then m:2.
For each plaintext block P, which is an integer with 2m decimal digits, we
form a ciphertext block C using the relationship
C = P e ( m o d p ) , 0 ( C < p .
The ciphertext messageconsistsof these ciphertext blocks which are integers
letter A B c D E F G H I J K L M N o P a R S T U V w X Y z
numerical
equivalent
00 0r 02 03 04 05 06 0'l 08 09 l 0 l l t2 l 3 t 4 l 5 l 6 t 7 l 8 l 9 20 2 l 22 23 24 25

206
Cryptology
we illustrate the encipheringtechniquewith the following
less than p.
example.
Example' Let the prime to be used as the modulusin the enciphering
procedure
bep : 2633and let the enciphering
key to be usedasthe .*ponrni
in the modularexponentiation
be e :29, so thai (r,p-l) - (2g,2$;): l.
To encipher
theplaintextmessage,
THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER,
wefirst convertthe lettersof themessage
into theirnumerical
equivalents,
and
thenform blocksof lengthfour from thesedigits,to obtain
1907 0818 0818 0013 0423
0012 l5l I 0414 0500 1304
2315 l4l3 0413 1908 0019
0814 1302 081
s 07a4 nn .
Note that we haveaddedthe two digits 23, corresponding
to the letterX, at
theendof themessage
to fill out the final blockof fbur digits.
We next translateeachplaintextblockP into a ciphertextblock C using
therelationship
C=pzs (mod263r,0< C <2633.
For instance,
to obtainthe first ciphertextblockfrom the first plaintextblock
wecompute
C : 19072e
= 2199 (mod 263i.
To efficientlycarry out the modular exponentiation,
we use the algorithm
givenin Section3.1. When we encipherthe blocksin this way, we find that
theciphertext
message
is
2199
2425
to72
2064
t745
t729
l54l
l35l
1745
1619
1701
t704
r206
0935
I 553
1841
2437
0960
0735
r459
To decipher a ciphertext block c, we need to know a deciphering key,
namely an integer d such that de = | (mod p-l), so that d is an inverseof
e (mod p-l), which exists since (e,p-l): l. If we raise the ciphertext
block C to the dth power modulop,wa recoverour plaintext block p, since

7.3 ExponentiationGiphers 207
Cd = (p")d : ped = pkQ-t)+t = (pp-t)k p = P (modp),
where de : ki-l) + l, for some integer k, since de = I (mod p-l)'
(Note that we have used Fermat's little theorem to see that
pn-t -
I (modp).)
Example. To decipher the ciphertext blocks generated using the prime
moduius p : 2633 and the encipheringkey e : 29, we need an inverseof e
modulo j-t : 2632. An easycomputation,as done in Section-
3.2, showsthat
d : 2269 is such an inverse. To decipher the ciphertext block C in order to
find the correspondingplaintext block P, we usethe relationship
P : 9226e(mod 263i.
For instance,to decipherthe ciphertext block 2199,we have
P = 2lgg226e: 1907 (mod 263r.
Again, the modular exponentiationis carried out using the algorithm given in
Section3.2.
For each plaintext block P that we encipher by computing P' (mod p), we
use only O(tog2il3) bit operations,as Proposition3.3 demonstrates. Before
we decipherwe needto find an inversed of e modulo p-1. This can be done
using O(log il bit operations (seeproblem ll of Section 3.2), and,this needs
to be done only once. Then, to recoverthe plaintext block P from a ciphertext
block C, we simply needto compute the leait positiveresidueof Cd modulop;
we can do this using OKlog2p)3) bit operations. Consequently, the processos
of enciphering and deciphering using modular exponentiation can be done
rapidly.
On the other hand, cryptanalysis of messagesenciphered using modular
exponentiation generally cannot be done rapidly. To see this, supposewe
know the prime p used as the modulus, and moreover, supposewe know the
plaintext block P correspondingto a ciphertext block C, so that
C = P' (modp).
0.2)
For successfulcryptanalysis, we need to find the enciphering key e. When the
relationship Q.D holds, we say that e is the logarithm of C to the base
p modulo p. There are various algorithms for finding logarithms to a given
base modulo a prime. The fastest such algorithm requires approximately
.*p(.,,6Ep log-mgp) bit operations(see[81]). To find logarithmsmodulo a
prime with n decimal digits using the fastest known algorithm requires
approximately the same number of bit operationsas factoring integers with

208
Cryptology
the same number of decimal digits, when the fastest known factoring
algorithm is used. Consulting Table 2.1, we see that finding logarithms
modulo a prime p requires an extremely long time. For instance, when p has
100 decimal digits, finding logarithmr rnodulo p requires approximately
74yearc, whereaswhen p has 200 decimal digiis, approxim"i"ry 3.gxl0!
years are required.
we should mention that for primes p where p-l has only smalr prime
factors, it is possible to use special techniques to find logarithms modulo p
using o (logzp) bit operations. Clearly, this sort of prime should not be used
as a modulus in this cipher system. Taking a prime p : 2q * l, where q is
also prime, obviatesthis difficulty.
-
Modular exponentiation is useful for establishing common keys to be used
by two or more individuals. These common keys may, for instance, be used as
keys in a cipher system for sessionsof data communication, and should be
constructed so that unauthorized individuals cannot discover them in a feasible
amount of computer time.
Let p be a large prime and let a be an integer relatively prime to p. Each
individual in the network picks a key k that is an integei relatively prime to
p-l ' When two individuals with keys &1 and k2 wisi to exchangea key, the
first individual sendsthe secondthe inieger-71, where
./r E at'(modp), 0 < yr ( p,
and the secondindividual finds the common key K by computing
K: yf'=a&'&'(-odp), o <K <p.
similarly,thesecond
individualsends
thefirst theinteger
y2 where
lz = ak' (mod
p), o 1 yz 1 p,
andthe first individualfindsthe commonkeyK by computing
K : yl' =o&'&'(*od p), o < K < p.
We notethat otherindividuals
in the networkcannotfind this commonkey
K in a feasibleamountof computertime, sincethey mustcomputelogarithmi
modulop to find K.
In a similar manner,a commonkey can be sharedby any group of z
individuals.If theseindividualshavekeysk t,k2,...,kn, ihey can sharethe
commonkey

7.3 ExponentiationCiPhers 209
K - ak'k""4 (mod P)'
We leave an explicit description of a method used to produce this common key
K as a problem for the reader.
An amusing application of exponentiation ciphers has been described by
Shamir, Rivest, una eat.man [961. They show that by using exponentiation
ciphers, a fair game of poker may be played by two players communicating via
computers. Suppose Alex and Betty wish to play poker. First, they jointly
chooie a large pii-" p. Next, they individually choosesecretkeys e1aJrd €2'
to be used as exponentsin modular exponentiation. Let Er, and Er, represent
the correspondingenciphering transformations, so that
8",(M) = M" (mod p)
Er,(M) = M" (mod p),
where M is a plaintext message. Let dl and d2be the inversesof el and e2
modulo p respectively, and let Dr, and D", be the corresponding deciphering
transformations, so that
D",(C) = cd.' (mod p)
D,:,(c) = cd'(mod p),
where C is a ciphertext message.
Note that enciphering transformations commute, that is
Er,(E
",(M))
: Er,(Er,(M)),
slnce
To play electronic
messages
(M")', :_ (M',)', (modp).
poker, the deck of cards is represented
by the 52
M r : .TWO OF CLUBS'
,r:."THREE oF CLUBS"
M sz: "ACE OF SPADES."
When Alex and Betty wish to play poker electronically, they use the
following sequenceof steps. We supposeBetty is the dealer.

ll.
lll.
210
Cryptotogy
Betty usesher enciphering transformation to encipher the 52 messages
for the cards. She obtains Er,(M 1),Er,(Mr),...,er, (arl.-- Betty
shuffies the d".,k, by randomly riordering the enciphered messages.
Then shesendsthe 52 shuffiedencipheredmessages
to Alex.
Alex selects,at random, five of the encipheredmessages
that Betty has
sent him. He returns these five messagesto Betty and she deciphers
them to find her hand, using her deciphering transformation Drr, since
D,,(E",(M)) : M for all messagesM. Alex cannot determine which
cards Betty has, since he cannot decipher the enciphered messages
Er,(M), j : 1,2,...,52.
Alex selects five other enciphered messagesat random. Let these
messages
be C1, Cz, Cl, Ca, and C5, where
Cj : Err(Mi,),
i : r,2,3,4,5. Alex enciphersthese five previously encipheredmessages
using his encipheringtransformation. He obtains the fivi messages
Cjr : Er,(C) : Er,(Er,(1,t,,))
i : 1,2,3,4,5. Alex sendsthesefive messages
that have been enciphered
twice (first by Betty and afterwards by Alex) to Betty.
Betty usesher deciphering transformation D", to find
D",(C;*)
: D",(E
",(n",(*t,)))
: Drr(Er,(Er,(M,,)))
- Eer(Mi,),
since Er,(Er,(M)) :8",(Er,(M)) and Dr.(Er,(M)) - M for all
messages
M. Betty sendsthe fivesmessage
E",(Mi) back to Alex.
v. Alex useshis decipheringtransformationDr, to obtain his hand, since
D",(E",(M;,)) : M;,.
When a game is played where it is necessaryto deal additional cards,
such as draw poker, the samestepsare followed to deal additional cards
from the remaining deck. Note that using the procedure we have
described, neither player knows the cards in the hand of the other
player, and all hands are equally likely for each player. To guarantee
that no cheating has occurred, at the end of the game both players
reveal their keys,so that each player can verify that the other player was
lv.

211
7.3 ExponentiationCiPhers
actually dealt the cards claimed.
A description of a possibleweaknessin this scheme,and how it may
be overcome,may be found in problem 38 of Section9.1.
7.3 Problems
Using the prime p - l0l and enciphering key e : 3, encipher the message
GOOD MORNING using modular exponentiation'
What is the plaintext message that corresponds to the ciphertext
l2t3Og02053g 120g 1234 1103 1374 produced using modular exponentiation
with modulusp : 2591 and encipheringkey e : 13 2
3. Show that the enciphering and deciphering procedures are identical when
enciphering is done using modular exponentiation with modulus P - 3l and
enciphering key e : ll
With modulus p - 29 and unknown enciphering key e, modular exponentiation
produces the ciphertext 04 19 19 ll 04 24 09 15 15. Cryptanalyze the
ubou" cipher, if it is also known that the ciphertext block 24 correspondsto the
plaintexi letter U (with numerical equivalent 20). (Hint: First find the
iogarithm of 24 to the base 20 modulo 29 using some guesswork.)
Using the method described in the text for exchanging common keys, what is the
"o..on
key that can be used by individualswith keys kt:27 and kr:31
when the modulus is p : l0l and the baseis a : 51'
6. What is the group key K that can be shared by four individuals with
k1 : ll, k2:12, k3:17, kc:19 using the modulusP * 1009 and
a : 3 1 .
7. Describe a procedure to allow n individuals to share the comrnon key described
in the text.
7.3 Computer Proiects
using modular exponentiation.
2. Decipher messagesthat have been enciphered using modular exponentiation.
3. Cryptanalyze ciphertext that has been encipheredusing modular exponentiation
when a correspondencebetween a plaintext block P and a ciphertext block C is
known.
4. Produce common keys for individuals in a network.
l .
2.
4.
5 .
keys
base

212
Gryptology
5. Play electronic poker using encryption via modular exponentiation.
7.4 Public-KeyCryptography
If one of the cipher systemspreviouslydescribedin this chapter is used to
establish secure communications within a network, then each pair of
communicants must employ an enciphering key that is kept secret from the
other individuals in the network, sincl oncethe encipheringkey in one of those
cipher systems is known, the deciphering key can be fiund using a small
amount of computer time. Consequently,to maintain secrecythe enciphering
keys must themselvesbe transmitted ovei a channelof securecommunications.
To avoid assigninga key to each pair of individuals that must be kept secret
from the rest of the network, a new type of cipher system, called a
public-key cipher system, has been recentiy introduced. In ttris type of
cipher system, enciphering keys can be made-public, since an unrealistically
large amount of computer time is required to find a deciphering
transformation from an enciphering transformation. To use a public-key
cipher system to establish secret communications in a network of n
individuals, each individual produces a key of the type specified by the cipher
system,retaining certain private information that went into the constructionof
the enciphering transformation E (D, obtained from the key ft according to a
specifiedrule. Then a directory of the n keys k1, k2,...,k, is published. wtrn
individual i wishes to send a messageto individual ], the letters of the
messageare translated into their numerical equivalents and combined into
blocks of specified size. Then, for each plaintlxt block p a corresponding
ciphertext block c - E1,,(p) is computed using the enciphering
transformation Ekt. To decipher the message, individual 7 applies the
deciphering transformation D1r,to each ciphertext block C to find p, i.e.
Dk,(C) - Pkt(Eo,(r)) : f.
Since the deciphering transformation Do, cannot be found in a realistic
amount of time by anyoneother than individual -/, no unauthorizedindividuals
can decipher the message,even though they know the key k;. Furthermore,
cryptanalysis of the ciphertext message, even with knowiedge of ki, is
extremely infeasibledue to the large amount of computer time needed.
The Rfl cipher system, recently invented by Rivest, Shamir, and
tgl? Adleman lgl], is a puitic-key cipher systembasedon modular exponentiation
where the keys are pairs (e,n), consistingof an exponente and a modulus n
that is the product of two large primes, i.e. n: pq, wherep and.q are large

7.4 Public-KeY
CrYPtograPhY
{ ,n+t -,,"lulus, P
'^ 1 q',te
frirte
L L e^qvh7
21s
C docryrily
P'1
pubi,c
;
Secm{:
primes, so that G,Q(il): l. To enciphera message,
we first translatethe
ietters into their numerical equivalentsand then form blocks of the largest
possiblesize (with an even number of digits). To encipher a plaintext block
P, we form a ciphertext block C bY
E @ ) : C z P ' ( m o d n ) , 0 1 C 1 n .
The deciphering procedure requires knowledge of an inverse d of e modulo
Qh), which existssinceG,Qh)) : l. To decipherthe ciphertextblock C, we
find e"l- | - ri4{")
D (O = Cd : (P')d : Ped: Pkdh)
+t
_ (poft);kp = p (mod n),
where ed: kth) * I for someintegerk, sinceed = I (mod Ob)), and by
Euler's theorem, we have pa(fi)--
1 (mod n), when (P, n) : | (the
probability that P and n are not relatively prime is extremely small; see
problem 2 at the end of this section) . The pair (d, n) is a deciphering key.
To illustrate how the RSA cipher system works, we present an example
where the enciphering modulus is the product of the two primes 43 and 59
(which are smaller than the large primes that would actually be used). We
have n : 43 ' 59 : 2537 as the modulus and e - 13 as the exponentfor the
RSA cipher. Note that we have (e, Qh)) : (13, 42' 58) : l. To encipher
the message
PUBLIC KEY CRYPTOGRAPHY.
wq first translate the letters into their numerical equivalents,and then group
thesenumbers together into blocks of four. We obtain
1520 01I l 0802 1004
2402 1724 l5l9 1406
1700 1507 2423,
where we have added the dummy letter X : 23 at the end-of the passageto
fill out the final block.
We encipher each plaintext block into a ciphertext block, using the
relationship
C = Prt (mod 2537)
For instance,when we encipher the first plaintext block 1520, we obtain the
ciphertext block

214
Cryptology
C = (1520)13
= 95 (mod 253D.
Encipheringall the plaintext blocks,we obtain the ciphertext message
0095 1648 l4l0 t299
081I 2333 2132 0370
I 185 1457 1084.
In order to decipher messages
that were encipheredusing the RSA cipher,
we must find an inverse of e : 13 modulo oeslil : o(43. 5i) :
42' 58 : 2436- A short computation using the Euclidean algorithm, as done
in section 3.2, shows that d :937 is an inverse of 13 modulo 2436.
Consequently,to decipherthe cipher text block C, we usethe relationship
P
- ge37 (mod 253D,0 <p < 2532,
which is valid because
ge37: (pr3)e37- (p2az6)sp= p (mod 2537):
note that we have used Euler's theorem to seethat
pQQs37)
- p2436
-
t (mod 2537),
when (P, 2537) : | (which is true for all of the plaintext blocks in our
example).
To understand how the RSA cipher system fulfills the requirements of a
public-key cipher system, first note that each individual can find two large
primes p and q, with 100 decimal digits, in just a few minutes of computer
time. These primes can be found by picking odd integers with 100 digits at
random; by the prime number theorem, the probability that such an integer is
prime is approximately 2tog 10100.Hence, we expect to find a prime after
examining an averageof l/OAog 10100),
or approximately ll5, such integers.
To test these randomly chosen odd integers for primality, we use Rabin's
probabilistic primality test discussedin Section 5.2. For each of these 100-
digit odd integerswe perform Miller's test for 100 baseslessthan the integer;
the probability that a compositeinteger passes
all thesetestsis lessthan 10-60.
The procedurewe have just outlined requiresonly a few minutes of computer
time to find a 1OO-digit
prime, and each individual needdo it only twice.
Once the primes p and q have
should be chosen with (e,e(pq)) :
take any prime greater than both p
should be true that 2' > fl : pQ,
been found, an enciphering exponent e
l. One suggestionfor choosing e is to
and q. No matter how e is found, it
so that it is impossible to recover the

plaintext block P, P # O or 1, just by taking the eth root of the integer C
w i t h C = P , ( m o d n ) , 0 1 C 1 n . A s l o n g a s 2 , } | | , e v e r y m e s s a g e o t h e r
than p : 0 and l, is encipheredby exponentiationfollowed by u reduction
modulon.
We note that the modular exponentiationneededfor enciphering messages
using the RSA cipher system can be done using only a few secondsof
computer time when th; modulus, exponent, and base in the modular
exponentiationhave as many as 200 decimal digits' Also, using the Euclidean
algorithm, we can rapidly find an inverse d of the enciphering exponent e
rnldulo 6(r) when the primes p and q are known' so that
0h) :6(Pq) : (P-l)(q-l) is known'
To seewhy knowledgeof the encipheringkey (e, n) does not easily lead to
the decipheringkey (d] n), note that to find d, an inverseof e modulo 6h),
requiresthat we first find Qh):OQq): (p-l)(q-l)' Note that finding
Q0) is not easier than factoring the JIlSgg-t?
. To se7-y!5 no.!1that
i i n : n - o0) +l andp - q :'/mq :!Q+d'-4n' so
7.4 Public-KeYCrYPtograPhY
215
if,u, p : t/2lQ+Q + Q-il and q : Vzl|+q) + (p-q)|, and consequently
p and q can easily U" found when n : pq and 6h) : b-l)Q-l) are
known. Note that when p and q both have around 100 decimal digits,
n - pq has around 200 decimaldigits. From Table 2.1, we seethat usingthe
fastest factorization algorithm known, 3.8xlOe years of computer time are
required to factor an inleger of this size. Also, if the integer d is known, but
o(n) is not, then n may also be factored easily, since ed - I is a multiple of
eh) and there are special algorithms for factoring an integer n using any
multiple of 6h) (seeMill.r t72D. It has not beenproventhat it is impossible
to decipher messages enciphered using the RSA cipher system without
factoring n, but so far no such method has been discovered' As yet,all
decipherlngmethodssuggested
that work in generalare equivalentto factoring
n, and as we have remarked, factoring large integers Seems to be an
intractable problem, requiring tremendousamountsof computer time.
A few extra precautionsshould be taken in choosingthe primes p and q to
be used in the RSA cipher system to prevent the use of special rapid
techniquesto factor n : pq. For example,both p - | and q - I should have
large pri-. factors, (p - l, q - l) should be small, and p and q should have
decimal expansionsdiffering in length by a few digits'
For the RSA cipher system, once the modulus n has been factored, it is
easy to find the deciphering transformation from the enciphering
transformation. It may be possible to somehow find the deciphering
transformation from the enciphering transformation without factoring n,
althoughthis seemsunlikely. Rabin [92] has discovered
a variant of the RSA

216
Cryptotogy
cipher system for which factorization of the modulus n has almost the same
computational complexity as obtaining the deciphering transformation from
the enciphering transformation. To describe Rabin,s cipher system, ret
n : pq, where p and q are odd primes, and let b be an integer with
0 < 6 1 n. To encipherthe plaintexi message
p, we form
e : p@+b) (modn).
We will not discussthe decipheringprocedurefor Rabin ciphers here, because
it relies on some concepts we havi not yet developed (see problem 36 in
Section 9'l). However, we remark that there are foui possibleualue, of p for
each ciphertext c such that e
- p(p+b) (mod n), an ambiguity which
complicates the deciphering process. when p and q are known, the
deciphering procedure for a Rabin cipher can be carriei out rapidly since
O(log n) bit operationsare needed.
Rabin has shown that if there is an algorithm for decipheringin this cipher
system, without knowledge of the primes p and q, that ."qui.", f hf ait
operations, then there is an algorithm for the factorization of n requiiing only
2$ (n) * log n) bit operations. Hence the processof deciphering messages
encipheredwith a Rabin cipher without knowledgeof p and-q is a problernof
computational complexity similar to that of factori zation.
Public-key cipher systemscan also be used to send signedmessages.When
signaturesare used, the recipient of a messageis sure that the messagecame
from the sender, and can convince an impartial judge that only the sender
could be the source of the message. This authentication is needed for
electronic mail, electronic banking, and electronic stock market transactions.
To see how the RSA cipher system can be used to send signed messages,
supposethat individual i wishesto senda signedmessageto individualj. itr.
first thing that individual i doesto a plaintext block p is to compute
S - Do,(P) = pd' (mod n;),
where (di, n) is the deciphering key for individual f , which only individual i
knows. Then, if ni t n1, where (ei, n) is the encipheringkey ior individual
7, individual i enciphersS by forming
, : E k t ( S ) = S ' , ( m o d n ; ) , 0 < C 1 n j .
wh..l ni I n; individual i sprits ,s into blocks of size less than nj and
encipherseach block using the enciphering transformation 81r,.
For deciphering, individual 7 first uses the private deciphering
transformation Dp, to recoverS, since

7.4 Public-Key CrYPtograPhY
D1,,(C)- PktGp,(S)) : s.
To find the plaintext messa
ge P , supposedlysent by individual i, individual 7
next usesthe pubtic enciphering transformation Eq, since
81,(s) - fi,kt(Dr,(P)) : P.
Here, we have used the identity Ep,(Dp,(P)) : P, which follows from the fact
that
Ep,(Dp,(P))
= (Pd')" -
Pd'e': P (mod n;)'
since
diei :- I (mod Oh)).
The combination of the plaintext block P and the signed version S convinces
individual 7 that the message actually came from individual i. Also,
individual i cannot deny sending the message, since no one other than
individual f could have produced the signed message S from the original
message
P.
The RSA cipher system relies on the difference in the computer time needed
to find primes and the computer time neededto factor. In Chapter 9, we will
use this same difference to developa technique to "flip coins" electronically.
7.4 Problems
217
l .
2.
Find the primesp andq if n : PQ- 4386607
andd(n) : 4382136.
Suppose
a cryptanalystdiscovers
a message
P that is not relativelyprime to the
enciphering
modulusn : pq usedin a RSA cipher.
a) Showthat thecryptanalyst
canfactorn. fP," ) . p or
1
b) Showthat it is extremelyunlikelythat sucha message
can be discovered
by
demonstrating
that the probabilitythat a message
P is not relativelyprime
to n i, !+ 1-!,
and if p andq are bothlargerthan l0rm,this
p q p q
probability
is leisthin 10-s.
What is the ciphertext that is producedwhen the RSA cipher with key
(e,n) : G,266il is usedto encipherthe message
BEST WISHES?
If the ciphertext message produced by the RSA cipher with key
(e,n) : (s,zggt) is 05041874034705152088235607360468, what is the
3.
4.

218
Cryptology
plaintext message?
5. Harold and Audrey have as their RSA keys (3,23.4D and (7,31.59),
respectively.
a) Using the method in the text, what is the signed ciphertext sent by Harold
to Audrey, when the plaintext messageis cHEERs tranorot
b) Using the method in the text, what is the signed ciphertext sent by Audrey
to Harold when the plaintext messageis SINCERELY AUDREY?
In problems 6 and
'7,
we present two methods for sending signed messagesusing the
RSA cipher system, avoiding possiblechangesin block sizes.
6. Let H be a fixed integer. Let each individual have two pairs of enciphering keys:
k - (e,n) and k* - (e,n*) with n < H <n*, where n and n* are both the
product of two primes. Using the RSA cipher system, individual f can send a
signedmessage
P to individual T by sendingE*.(D1,,(p)).
il Show that is is not necessaryto change block sizeswhen the transformation
Eor.is applied after Dp, has been applied.
b) Explain how individual 7 can recover the plaintext messa
ge P, and why no
one other than individual l' could have sent the message.
c) Let individual f have enciphering keys (3,11.71) and Q2}.4D so that
781 : 1l'71 < 1000 < ll89 - 29'41,and let individualj have enciphering
keys (7,19.47)and,(7,31.3D,so that g93: lg.4j < 1000 < II47:31.37.
What ciphertext messagedoes individual f send to individual 7 using the
method given in this problem when the signed plaintext messageis HELLO
ADAM? What ciphertext messagedoes individual j send to individual f
when the signed plaintext messageis GOODBYE ALICE?
7. il Show that if individuals f and y have enciphering keys k; - (ei,n) and
ki : (ei,n), respectively, where both n; and ni are products of two distinct
primes, then individual i can send a signed messageP to individual 7 without
needing to change the size of blocks by sending
Er,(Dr,(P)) if n, < n,
Dp,(Ep,@)) if ni ) ni .
b) How can individual T recover p?
c) How can individual j/ guarantee that a messagecame from individual i ?
d) Let ki - (11,47.61) and ki - (13,43.59). Using the method describedin part
(a), what does individual f send to individual 7 if the messageis REGARDS
FRED, and what does individual 7 send to individual i if the message is
REGARDS ZELDA?

2r9
1.5 Knapsack CiPhers
8. Encipher the message SELL NOW using the
C = P(r+s) (mod
2573).
Rabin ciPher
?.4 Computer Projects
1. Encipher messageswith an RSA cipher'
2. Decipher messagesthat were enciphered using an RSA cipher.
3. Send signed messagesusing an RSA cipher and the method described in the text'
4. Send signed messagesusing an RSA cipher and the method in problem 6'
5. Send signal messagesusing an RSA cipher and the method in problem 7'
6. Encipher messagesusing a Rabin cipher'
7.5 Knapsack
Ciphers
In this section,we discusscipher systemsbasedon the knapsack problem.
Given a set of positiveintegersQr,a2,..., an and a SumS of a subsetof these
integers, the knapsack problem askswhich of these integers add together to
give S. Another way to phrase the knapsack problem is to ask for the values
of xyx2,..., xn, each either 0 or 1, such that
( 7 . 3 ) S : a r x r * a 2 x 2 * l a r x n '
We usean exampleto illustrate the knapsackproblem.
Example. Let (a1,o2,o3,aa,a5)
: (2,'7,8,11,12).By inspection,w€ see that
there are two subsets of these five integers that add together to give 21,
namely 2l -- 2+8+l | : 2*7*12. Equivalently, there are exactly two
solutions
to the equation2x1* 7x2* 8x3 * llxa * l2x5:21, with Ii :0
or I for i : 1,2,3,4,5,namely xr : x3: x4: l, x2: 15 : 0, and
X l : X Z : X 5 : l , X 3 : I + : 0 .
To verify that equation (7.3) holds, where each.x, is either 0 or 1, requires
that we perform at most n additions. On the other hand, to search by trial
and error for solutionsof (2.3), may require that we check all 2n possibilities
for (x1, x2,...,rn). The best method known for finding a solution of the
knapsack problem requires O(2n/2) bit operations,which makes a computer
solution of a general knapsack problem extremely infeasible even when
n : 100.

220
Gryptology
certain values of the integers e1,a2,...,en make the solution of the
knapsack problem much easier than the- solutlon in the general case. For
instance, if ai : )i-1, to find the solution of
S - A r x r * a 2 x 2 - l " : I a n x r , w h e r e r i : 0 o r I f o r i : 1 , 2 , . . . , f t ,
simply requiresthat we find the binary expansionof S. We can also produce
easyknapsackproblemsby choosingthe integersd1, oz,...,cn so that the sum
of the first 7-l of these integers is alwayrl.r, than the Tiir int"ger, i.e. so
that
j-r
2o,{oi,
i - l
If a sequenceof integers d1,e2,...,an
sequencesuper-increasing.
Example. The sequence 2, 3,7, 14,27 is super-increasing because
3 > 2,7 > 3+2,14> 7+3+2,
and
27> l4+i+3+2.
To seethat knapsack problems involving super-increasingsequencesare easy
to solve,we first consideran example.
Example. Let us find the integersfrom the set 2,3,7,14,27 that have 37 as
their sum. First, we note that since2+ 3 + 7 + 14 < 27, a sum of integers
from this set can only be greater than 27 if the sum contains the integer 27.
Hence,if 2x1* 3x2* 7x3* l4xa* 27x5- 37 with each .x;:0 or l, we
must have 15 : I and 2x1* 3x2* 7x3| l4xa: 19. Since 14 > 10, x4
must be 0 and we have 2x1* 3x2* 7x3: 10. Since 2 + 3 ( 7, we must
have x, : 1 and therefore2x1l3x2:3. Obviously,we hava x2: I and
rr - 0. The solutionis 37 - 3 + 7 + 27.
In general, to solve knapsack problems for a super-increasingseeuolco 41,
a2,...,
an, i.e. to find the valuesof xt, x2, ...,xn with ,S : atxl * a2x2*
* enxn and x;:0 or I for i:1,2,..., n when.S is given,we usethe
following algorithm. First, we find x, by noting that
[r ir S Z an
r,:toif S(an.
Then, we find xn-r, xn-2,...,x1, in succession,
using the equations
j : 2,3,...,n.
satisfies
this inequality,we call the

7.5 KnapsackCiphers
x j -
for7 : n-l,n-2,...,1.
To seethat this,algorirhmworks,
n
s-
t-i+l
n
.s-
;-;+l
221
if
first note that if xn :0 when S 7 an,
n
i-j+1
then)orrr( 2o, len <S,contradicting
i-l i-l
the condition ! o1*i : S
,
j-'
j-r
Similarly, if xy : 0 when S -
;-j+l
7 oj, then ) a;x; ( 2 *, +
i - l t - l
a j *
r-i+l
Using this algorithm, knapsack problems based on super-increasing
sequencescan be solved extremely quickly. We now discussa cipher system
based on this observation. This cipher system was invented by Merkle and
Hellman [90], and was considered a good choice for a public-key cipher
systemuntil recently. we will comment more about this later.
The ciphers that we describe here are basedon transformed super-increasing
sequences.To be specific,let or, a2,...,an be super-increasing
and let m be a
positive integer with lz ) 2ao. Let w be an integer relatively prime to m
with inverse w modulo m. We form the sequence b1, b2,...,b, where
bj : wai (mod m) and 0 < bi 1 m. we cannot use a specialtechnique to
solve a knapsack problem of the type ^g :
b b,", where ,S is a positive
i - l
integer, since the sequence
when fr is known. we can find
is not super-increasing. However,
(7.4) wT : i fr|,r, :
h o,r, (modlz)
j-l i-l
sincefibi =ai (mod m). From (7.0 we seethat
So: Zo,r,
t - l
whereSs is the leastpositiveresidueof frS moduloz. We can easilvsolve
the equation

222
Cryptology
So:
D o,r,,
i - l
sinceer, e2,...,an is super-increasing.This solvesthe knapsackproblem
s : !, b,r,,
i-l
sincebi = wa; (mod m) and 0 ( D; I m. We illustrate this procedurewith
an example.
Example. The super-increasingsequence(oya2,a3,a4,a5):(3,5,9,20,44) can
be transformed into the sequence(b3 b2, by bq, b5): (23,6g,69,5,11)by
taking bi = 67a1 (mod 89), for 7 : 1,2,3,4,5. To solvethe knapsackproblem
23x1+ 68 xz* 69 x3* Sxa* llx5:84, we can multiply both sidesof this
equation by 4 , an inverseof 67 modulo 89 , and reduce modulo 89, to obtain
the congruence 3x1 * 5x2* 9x3 * 20xa* 44x5= 336 = 69 (mod g9).
s i n c e 8 9 > 3 + 5 + 9 + 2 0 + 4 4 , w e c a n c o n c l u d et h a t 3 x 1* 5 x 2 *
9x3 * 20xa * 44x5: 69. The solution of this easy knapsack problem is
xs : x4: x2: I and x3 : rr : 0. Hence, the original knapsack problem
hasas its solution68 * 5 + 1l : 84.
The cipher system based on the knapsack problem works as follows. Each
individual chooses a super-increasing sequence of positive integers of a
specified length, say N, e.g. ar, a2,..., aN, as well as a modulus m with
m ) 2ay and a multiplier w with (m,w) :1. The transformed sequence
b1,b2,...,
by, where bi = wai (mod m), 0 < bi 1 m, for j - 1,2,...,N, is
made public. When someonewishes to send a messageP to this individual,
the messageis first translated into a string of 0's and I's using the binary
equivalentsof letters, as shown in Table 7.10. This string of zerosand onesis
next split into segmentsof length N (for simplicity we supposethat the length
of the string is divisible by N; if not, we can simply fill out the last block with
all l's). For each block, a sum is computedusing the sequence
bvbz,...,bxi
for instance,the block x1x2...x11
gives S: Drxr * b2x2* * byxy.
Finally, the sumsgeneratedby each block form the ciphertext message.
We note that to decipher ciphertext generated by the knapsack cipher,
without knowledge of m and w, requires that a group of hard knapsack
problems of the form
(7.s) S : b r x r f b 2 x 2 * * b y x y
be solved. on the other hand, when m and w are known, the knapsack
problem (z.s) can be transformedinto an easyknapsackproblem, since

223
letter
binary
equivalent letter
binary
equivalent
A
B
C
D
E
F
G
H
I
J
K
L
M
00000
00001
00010
0001
I
00100
00101
001r0
00111
01000
0100r
01010
01011
0l100
N
o
P
a
R
S
T
U
V
w
X
Y
Z
01101
0lll0
0llll
10000
10001
10010
l00l I
10100
l0l0l
10110
l0l l1
l 1000
11001
7.5 KnapsackCiphers
Table 7.10. The Binary Equivalents of Letters.
wIS: frbp1 * frb2x2I
z a t x l * a 2 x 2 *
' * wbyx7,1
* ayxy (mod m ),
where frbj: a; (mod 22), where w-is an inverseof w modulo m, so that
(7.6) So - afi1 * a2x2l * a1vx1v,
where Ss is the least positive residueof wlS modulo rn. We have equality in
(7.6), sinceboth sidesof the equation are positiveintegersless than m which
are congruentmodulo ltt.
We illustrate the enciphering and deciphering proceduresof the knapsack
cipher with an example. We start with the super-increasing sequence
(a1,a2,a3,Q4,Q5tA6,A7,Qg,Qg,,Ato)
: (2,1I '14'29'58'lI9'24I'480'959'1917)' We
take m: 383? as the encipheringmodulus,so that m ) 2a1s,?fld w : l00l
as the multiplier, so that (m,w):1, to transform the super-increasing
sequence
into the sequence(2002,3337,2503,2170,
503,172,3347,855,709,417).
To encipher the message
REPLY IMMEDIATELY,

Cryptology
we first translate the letters of the message into their five digit binary
equivalents,as shown in Table 7.10,,and thenlroup thesedigits into blocksof
ten, to obtain
1000100100 0llltOl0ll 1100001000
0110001100 0010000011 0100000000
1 0 0 1 1 0 0 1 0 0 0 1 0 1 I 1 1 0 0 0 .
For each block of ten binary digits, we form a sum by adding together the
appropriate terms of the sequence(2002, 3337, 2503, 2170, sd:, t 72, 3347,
855,709, 417) in the slotscorrespondingto positionsof the block containing a
digit equal to l. This givesus
3360 12986 8686 10042 3629 3337 5530 s72s.
For instance,we computethe first sum, 3360, by adding 2002,503, and g55.
To decipher,we find the least positiveresiduemodulo 3837 of 23 times each
sum' since 23 is an inverse of 1001 modulo 3837, and then we solve the
corresponding easy knapsack problem with respect to the original super-
increasing sequence (2,11,14,29,59,119,241,4g0,959,lglT). For example, to
decipherthe first block, we find that 3360.23:540(mod 3837), and then note
that 540 : 480 + 58 + 2. This tells us that the first block of plaintext binary
digitsis 1000100100.
Recently, Shamir [g+] trasshown that knapsackciphers are not satisfactory
for public-key cryptography. The reason is that there is an efficient algorithm
for solving knapsack problems involving sequences b1, b2,...,b, with
bi: wai (modm), where w and m are relatively prime poritiue integersand
ar, o2,...,an is a super-increasingsequence. The algorithm found by Shamir
can solve these knapsack problems using only O @ hD bit operations, where
P is a polynomial, instead of requiring exponential time,
"r
ir required for
general knapsack problems, involving sequencesof a general nature.
There are several possibilities for altering this cipher system to avoid the
weaknessfound by Shamir. One such possibility is to choose a sequenceof
pairs of relatively prime integers (w1,m1),,
(w2,m2),...,(w,mr), and then
form the seriesof sequences

7.5 KnapsackGiPhers 22s
7w1ai(modzr)
:rrijt' (mod m z)
bj') =w,b j'-rt (modz"),
for j : l, 2, ..., n. We then usethe final sequ
enceb[') , b$'),..., bl') as the
enciphering
sequence.
As of mid-1983,
no efficientalgorithmhad beenfound
for solving knapsackproblems involving sequences
obtained by iterating
modular multiplicationswith different moduli (although there are several
promisingmethodsfor the productionof suchalgorithms).
b9)
;;,,
7.5 Problems
l. Decidewhethereachof the followingsequences
is super-increasing
a) (3,5,9,19,40)
b) (2,6,10,15,36)
c) (3,7,17,30,59)
d (l l,2l,4l,8l,l5l).
2.
3 .
4.
5 .
Show that if 41, a2,...,
dn is a super-increasing
sequence,
then c; 2 A-r for
j - 1,2,
.", f,'
Show that the sequencea1,a2,...,a21is super-increasing
if ai+r ) 2ai for
j - 1,2,...,fl-l'.
Findall subsets
of theintegers
2,3,4,7, 11,13,16thathave18astheirsum.
Find the sequence obtained from the super-increasing sequence
(1,3,5,10,20,41,80)
when modular multiplicationis applied with multiplier
w : 17andmodulvs
m : 162.
Encipher the messageBUY NOW using the knapsackcipher basedon the
sequence
obtainedfrom the super-increasing
sequence
(17,19,37,81,160),
by
performing modular multiplication with multiplier w :29 and modulus
m : 3 3 1 .
Decipherthe ciphertext402 105150325 that was enciphered
by the knapsack
cipher basedon the sequence
(306,374,233,L9,259).
This sequence
is obtained
by using-modularmultiplicationwith multiplier w : 17 and modulusm : 464,
to transformthe super-increasing
sequence
(I8,22,4I,83,179).
Find the sequence
obtainedby applyingsuccessively
the modularmultiplications
with multipliersand moduli (7,92), (11,95),and (6,101),respectively,
on the
super-increasing
sequence
(3,4,8,I7,33,67)
.
6.
7 .
8.

9.
10.
226
Write programs
to do the following:
1. Solveknapsack
problems
by trial anderror.
Cryptology
What processcan be employed to decipher messagesthat have been enciphered
using knapsack ciphers that involve sequences arising from iterating modular
multiplications with different moduli?
A multiplicative knapsack problem is a problem of the following type: Given
positive integers aya2,...,an and a positive integer P, find the subset, or subsets,
of these integers with product P, or equivalently, find all solutions of
P - ai'ai'." oi'
where xj - 0 or I for j : 1,2,...,n.
il Find all productsof subsetsof the integers2,3,5,6,and l0 equal to 60.
b) Find all productsof subsetsof the integers8,13,17,21,95,121
equal to 15960.
c) Show that if the integets a1,a2,...,an
are mutually relatively prime, then the
multiplicative knapsack problem P:ai'ai'"'oI', rj-0 or I for
j : I,2,...,n, is easily solved from the prime factorizations of the integers
P,ayo2,...,an,and show that if there is a solution,then it is unique.
d) Show that by taking logarithmsto the baseb modulo m,where (b,m): I
and 0 < b < m, the multiplicative knapsack problem
P-ai'ai'"'ol'
is converted into an additive knapsack problem
S - a1x1 * a2x2 * * anxn
where S, @1,
e20...;dnate the logarithms of
modulo m, respectively.
e) Explain how parts (c) and (d) can be used to produce ciphers where
messagesare easily deciphered when the mutually relatively prime integers
a1, a2t...;an are known, but cannot be deciphered quickly when the integers
d, dzr...,an AreknOwn.
to the base6
2.
3.
Solve knapsack problems involving super-increasingsequences.
Encipher messagesusing knapsack ciphers.
Decipher messagesthat were enciphered using knapsack ciphers.
Encipher and decipher messages using knapsack ciphers involving sequences
arising from iterating modular multiplications with different moduli.

7.6 SomeApplicationsto ComputerScience 227
6. Solve multiplicative knapsack problems involving sequencesof mutually relatively
prime integers (seeProblem 10).
7.6 Some Applications to Computer Science
In this section we describe two applications of cryptography to computer
science. The Chinese remainder theorem is used in both applications.
The first application involvesthe encipheringof a database. A database is
a collection of computer files or records. Here we will show how to encipher
an entire databasi so that individual files may be deciphered without
jeopardizing the security of other files in the database'
Supposethat a databaseB containsthe n files Fv Fz,,-.-,
Fn' Since each
file is a string of 0's and I's, we can considereach file to be a binary integer.
We first choose n distinct primes rltr, t7r2,...1r/tn with m1 ) F1 for
j :1,2,...,fr. As the ciphertextwe usean integerC that is congruentto F;_
modulo mi for j :1,2,...,n; the existence
of such an integeris guaranteed
by the ihin.t" remainder theorem. We let M - fttr trtz mn and
fui: M/ry forT :1,2,...,n. Furthermore,
let ,i-
!i.'-lf
wherey; is an
inverseof Ml modulo rz;. For the ciphertext, we take the integer C with
C:br,r,(modM), 0<C <M.
j-r
The integerser, €2,..., €n serveas the write subkeysof the cipher.
To retrieve the 7th file F; from the ciphertext C, we simply note that
F i = C ( m o d m ) , 0 ( F ; 1 m i .
We call the moduli my r/121
...r mn the read subkeys of the cipher. Note that
knowledgeof mi permits accessonly to file7; for accessto the other files,it is
necessaryto know the moduli other than mi.
We illustrate the encipheringand decipheringproceduresfor databaseswith
the following examPle.
Example. Suppose our database contains four files Fr, Fz, F3,lfid Fa,
represented
by ih" binu.y integers(01I l)2, (1001)r,(t t00)2, iIDd (t t t t)2, or
in decimal notationFr:7, Fz:9, Ft: 12 and Fq: 15' We pick four
primes, filr: 11,m2: 13,trl3: 17, and trl4: 19, greater than the
correspondingintegers representingthe files. To encipher this database,we

228
Cryptology
use the chineseremaindertheoremto find the ciphertextc which is the
positive
integer
with C=7(modlt), C=9(moit3), C= 12(modl7),
and c = 15(modl9), lessthanM: ll.l3.l7.l9:461g9. To compute
c
we first find Mr -. 13.17.19
: 4199, Mz: 1l.l7.lg: 3553,
Mt: l1'13'19:2717,and Mt- ll.l3. 17:2431. W. easilyfind that
lr-7,y2: l0,.pr: ll and /+: lg areinverses
of Mi modulomj for
j:1,2,3,4. Hence,
the writesubkeys
artae1: 4199.i: 29393,
e2:
3553'10: 35530,
e3- 27l7.ll : 2ggg7,
and,
eo: 243l.lg: 4375g.
To
constructthe ciphertext,wenotethat
Q :
e 1 F 1 l e 2 F 2 * e 3 F 3* e q F c
= 29393.7+ 35530.9+ 29887.12
+ 43758.15
= 1540535
= 16298 (mod 46189),
so that c:16298. The read subkeysare the integersmi, j - 1,2,3,4. To
recover the file F7 from C, we simply find the least positive residue of C
modulo rn7. For instance,we find F1 by noting that
F r = 1 6 2 9 8 = 7 ( m o d t l ) .
We now discussanother application of cryptography, namely a method for
sharing secrets. Supposethat in a communications network,-there is some
vital, but extremely sensitiveinformation. If this information is distributed to
severalindividuals, it becomesmuch more vulnerable to exposure;on the other
hand, if this information is lost, there are seriousconsequences.An example
of such information is the master key K used for accessto the password file
in a computer system.
In order to protect this master key K from both loss and exposure, we
construct shadows kv kz, ..., k, which are given to r different individuals.
We will show that the key K can be produced easily from any s of these
shadows,where s is a positive integer less than r, whereas the knowledge of
less than s of these shadowsdoes not permit the key K to be found. Because
at least s different individuals are neededto find K, the key is not vulnerable
to exposure. In addition, the key K is not vulnerable to loss, since any .t
individuals from the r individuals with shadowscan produce K. Schemeswith
the propertieswe havejust describedare called (s,r) threshold schemes.
To develop a system that can be used to generate shadows with these
properties, we use the chinese remainder theorem. we choose a prime p
greater than the key K and a sequenceof pairwise relatively prime integeis
rTtbftiz, ..., ffir that are not divisible by p, such that

7.6 Some Applications to Computer Science 229
m t 1 m z 1 1 l t t r ,
and
0.7) tTlt lllz ffi, ) Pffirffir-t frlFs*z
Note that the inequality (7.7) statesthat the product of the s smallestof the
integers n; is g."utr.- than the product of p and the s-l largest of, the
intelgers
m'1. nt-om Q.l), we see ttrat if M - tttttTtz n' then A/p is
greater than the product of any set of s-l of the intege$ mi.
Now let I be a nonnegativeinteger less than M /p that is chosenat random.
Let
K o : K * t P '
s o t h a t 0 ( K o ( M - l ( s i n c e 0 ( K o : K * t p < p + t p : ( l + l ) p (
( M / p ) p : M ) .
To producethe shadowskr kz, ...,kr, we let k1 be the integerwith
ki = Ks (mod rn;), 0 ( k; I mi,
for 7 : 1,2,...,r. To see that the master key K can be found by any s
individuals possessing
shadows,from the total of r individuals with shadows,
supposethat the s shadowski,,ki,,..., ki, are available. Using the Chinese
remainder theorem, we can easily find the least positiveresidueof Ks modulo
Mi where Mi: Hj,ffij, ftri,. Since we know that 0 ( Ko < M 4 Mi,
we can determineKs, and then find K : Ko - tp.
On the other hand, suppose that we know only the s- 1 shadows
kr,, k,r, ...,k,,-r. By the Chinese remainder theorem' we can determine the
least positiveresiduea of Ks modulo M; where Mi : ffii,ffii, Hi,-,' With
these shadows,the only information we have about Ks is that a is the least
positive residueof Kq modulo Mi and 0 ( Ko < M - Consequently,we only
know that
K o : a * x M ; ,
where 0 ( x < M/Mt From 0.1), we can conclude that M /Mi ) p, so
that as .r ranges through the positive integers less than M lM, ox takes every
valuein a full setof residues
modulop. Since(m1,P): I for i : 1,2, ...,s ,
we know that (Mi,p) : l, and consequently,a * xMi runs through a full set
of residuesmodulo p as x does. Hence, we see that the knowledgeof s-l
shadows is insufficient to determine Ko, as Ks could be in any of the p

230
Cryptology
congruenceclassesmodulop.
we usean exampleto illustrate this thresholdscheme.
Example. Let K :4 be the master key. we will use a (2,3) threshold
schemeof the kind just describedwitir p -7, r11: ll, ftr2:12, and
trt3:17, so thatM : Dtirt2:132 ) pmt: ll9. We pick t :iqrandomly
from among the positive integers less than M /p : 132/7. This gives us
K o : K i t p : 4 * 1 4 . 7
: 1 0 2 .
The three shadowskvkz, and ft3 are the least positiveresiduesof Ks modulo
l7lt, f/12,and m3, i.e.
= 3 (modll)
= 6 (mod12)
= 0 (modl7),
so that the three shadowsarekl : 3, kz:6, and kr : 0.
We can recover the master key K from any two of the three shadows.
Suppose we know that kr: 3 and kr : 0. Using the Chinese remainder
theorem, we can determine Ks modulo n7t/tt: ll.lj - lg7, i.e. since
Ko = 3 (mod ll) and Ko = 0 (mod 17) we have ko = 102 (mod 1g7).
Since0 ( Ko < M :132 < 187,we know that K6 :102, and consequently
the master key is K : Ks - tp : lO2 - 14.7: 4.
We will develop another threshold scheme in problem 12 of Sectiong.2.
The interested reader should also consult Denning [47] for related topics in
cryptography.
7.6 Problems
l. Supposethat the databaseI contains four files, F1 :4, Fz- 6, Ft: 10, and
F+: 13. Let ml : 5, ntz:7, fti3- ll, andma - 16 be the readsubkevs
of the
cipher used to encipher the database.
il What are the write subkeysof the cipher?
b) what is the ciphertext c corresponding to the database?
2. When the database I with three files Fr Fz, and ^F3is enciphered using the
method described in the text, with read subkeys ft:1 : 14, fir2: 15, and
nt3:19, the corresponding
ciphertext is c:619. If file F3 is changedfrom
Fr - ll to F3 : 12,what is the updated value of the ciphertext c?
kr = 102
kz = 102
kt = 102

7.6 Some Applications to Computer Science 231
3. Decomposethe master key K : 3 into three shadowsusing a (2'3) threshold
schemeof the type describedin the text with p - 5' mr : 8' t/tz: 9' m3 : ll
and with t -- 13.
4. Show how to recover the master key K
found in Problem 3.
from each of the three pairs of shadows
l. Using the systemdescribedin the text, encipherdatabasesand recoverfiles from
the ciphertext versionof databases'
2. Update files in the ciphertext versionof databases(seeproblem 2)'
3. Find the shadowsin a thresholdschemeof the type describedin the text.
4. Recover the master key from a set of shadows'

PrimitiveRoots
8.1 The Order of an Integer and primitive Roots
From Euler's theorem, if m is a positive integer and if a is an integer
relatively prime to m, then s6(m) = | (mod m). Therefore, at least one
positiveinteger x satisfiesthe congrueneea* = 1 (mod rz). Consequently,by
the well-ordering property, there is a least positive integer x satiifying this
congruence.
Definition. Let a and m be relatively prime positive integers. Then, the least
positive integer x such that e* = I (mod z) is called the order of a
modulo m.
We denotethe order of a modulo m by ord_a.
Example. To find the order of 2 modulo 7, we compute the least positive
residuesmodulo 7 of powersof 2. We find that
2t = 2 (mod7), 22 4 (mod 7), 23 I (mod 7).
Therefore, ord,72:
Similarly, to find
3 .
the order of 3 modulo 7 we compute
3 (mod 7), 32 : 2 (mod 7), 33 = 6 (mod 7)
4 (mod 7), 3s = 5 (mod 7), 36 = I (mod 7).
3 t
3e
We seethat ord73: 6.

8.1 The Order of an Integerand PrimitiveRoots 233
In orderto find all solutions
of the congruence
a* = I (modm), we need
the followingtheorem.
Theorem8.1. lf a and n aterelativelyprime integerswith n > 0, then the
positive
integerx is a solutionof the congruence
a' = I (modn) if andonly
if ord,a I x.
Proof. If ordra I x, thenx : k'ordnc wherek is a positiveinteger' Hence,
a * - o k ' o r d ' a : ( a o ' d ' o ) k = l ( m o d n ) .
Conversely,if a* =
x
I (mod n), wo first usethe division algorithm to write
: q'ordna * r, 0 ( r ( ordra.
From this equation, we seethat
a, : oa'ord.a*r - (aord,o)e gr - a, (mod n).
Since a' = I (mod n), we know that a' = I (mod n). From the inequality
0 ( r ( ord, Q, we conclude that r:0, since, by definition, y : ordna is the
least positive integer such that.av = I (mod n). Becausef :0, we have
x : a'ordna. Therefore,ordna I x. D
This theorem leadsto the following corollary'
Corollary 8.1. lf a and n are relatively prime integers with n ) 0, then
ordna
I Ofu).
Proof. Since (a,n) : 1, Euler's theorem tells us that
qb(': l (modn).
Using Theorem8.1,we concludethat ordra I O(n)' n
We can use Corollary 8.1 as a shortcut when we compute orders. The
following example illustrates the procedure.
Example. To find the order of 5 modulo 17, we first note that 0(ll7) : 16.
sinceihe onty positivedivisorsof 16 are 1,2,4,8, and 16, from corollary 8.1
theseare the only possiblevaluesof ord175. Since
5r = 5 (mod l7),52 = 8 (mod l7),54:13 (mod l7),
58 = 16 (mod 17), 516= I (mod l7),
we concludethat ord175- 16.

234 Primitive Roots
0, then
only if
The following theorem will be useful in our subsequent
discussions.
Theorem 8.2. rf a and n are relatively prime integers with n )
ai = aj , (mod n) where r and 7 are nonnegative integers, if and
i = j (mod ordna).
Proof. Suppose
that i = j (modordna), and 0 < j < t.
i : j * k'ordra, wherek is a positive
integer. Hence,
ai : ojrk'ord'a : aj(ao'd.o)o = a/ (mod n ).
Then, we have
s i n c e o o r d ' a = l ( m o d n ) .
Conversely,
assume
that ai = ar (mod n) with i > j. Since (a,n): l, we
know that (ai,n) : 1. Hence,using Corollary 3.1, the congruence
ai = ai ai-i = ai (mod n)
implies,by cancellationof a/, that
a i - j : I ( m o d n ) .
From Theorem 8.1, it follows that ordra divides i - j, or equivalently,
i = j (mod ord,a). tr
Given an integer n, we are interested in integers a with order modulo n
equalto Qfu). This is the largestpossible
order modulor.
Definition. If r and n are relatively prime integers with n ) 0 and if
ordrr :6h), then r is calleda primitive root modulo n.
Example. We have previouslyshown that ord73: 6 : 00). Consequently,3
is a primitive root modulo 7. Likewise, since ord75: 6, as can easily be
verified, 5 is alsoa primitive root modulo 7.
Not all integers have primitive roots. For instance,there are no primitive
roots modulo 8. To seethis, note that only integerslessthan 8 and relatively
primeto 8 are 1,3,5, and7, and ord3l: l, whileords3: ords5: ords7:2.
Since d(8) : 4, there are no primitive roots modulo 8. In our subsequent
discussions,we will find all integers possessing
primitive roots.
To indicate one way in which primitive roots are useful, wo
following theorem.
Theorem 8.3. lf r and n are relatively prime positive integers with n ) 0
and if r is a primitive root modulo n, then the integers
the

8.1 The Order of an Integer and Primitive Roots 235
t l , f 2 ' " ' ' ' 6 b )
form a reducedresidueset modulo n.
Proof. To demonstratethat the first @(r) powersof the primitive root r form
a reduced residue set modulo n, we only need to show that they are all
relatively prime to n, and that no two are congruentmodulo n.
Since G,n):1, it followsfrom problem8 of Section2'1 that (rk,n):1
for any positiveinteger k. Hence, thesepowersare all relatively prime to n '
To show that no two of thesepowersare congruentmodulo n, assumethat
ri = r/ (mod n) .
From Theorem8.2, we see that i = i (mod Qfu))' However' for
I < t ( O(n) and 1 < j < 0h), the congruence
i = / (mod d(n)) implies
that i : j . Hence, no i*o of these powers are congruent modulo n. This
showsthat we do have a reducedresiduesystemmodulo r. D
Example. Note that 2 is a primitive root modulo 9, since
22 = 4,2t = g, and 26 = I (mod 9). From Theorem8.3, we seethat the first
OO) :6 powers of 2 form a reduced residue system modulo 9. These are
Zt = 2 (mod 9), 22 = 4 (mod 9), 23 = 8 (mod 9), 24 = 7 (mod 9),
2s = 5 (mod 9), and 26 = 1 (mod 9).
When an integer possesses
a primitive root, it usually has many primitive
roots. To demonstratethis, we first prove the following theorem'
Theorem 8.4. If ord-a : / and if r,lis a positiveinteger,then
ord- (a") : t lQ,D .
P r o o f . L e t J : o r d - ( a " ) , v : ( t , u ) , t : t v v , a n d u : t l t v ' F r o m
Proposition2.1, we know that (r yu1) : l.
Note that
(a")t': (ar',)Qlv): (at)u': I (modrn),
since ord.^a: t. Hence,Theorem8.1 tells us that s I tr'
On the other hand, since
(at : eus = I (mod rn),
we know that I I zs. Hence, tp I u1vs, slld consequently,
tt | ,tt. Since

236 Primitive Roots
Q6u): l, usingLemma2.3,weseethat /, |
".
Now, sinces I tr and t, I r, we conclude
that,s : I t: t/v : t/(t,u). This
provesthe result. tr
We have the following corollary of Theorem g.4.
Corollary 8.2. I et r be a primitive root modulo z where m is an integer,
m 2 r. Then r' is a primitive root modulo m if and,onlyif (u,o(d ) : l:
Proof. From Theorem 8.4, we know that
ord,^r' : ord^rf (u,ord*r)
: Q(m)/fu,0@D
.
consequently, ord- ru : efu), and ru is a primitive root modulo m, if and
onlyif (u,Q(m)) : t. D
This leadsimmediately to the following theorem.
Theorem 8.5' If the positive integer m has a primitive root, then it has a
total of Q@fu)) incongruentprimitive roots.
Proof. Let r be a primitive root modulo rn. Then Theorem 8.3 tells us that
the integersr, 12,...,vbh) form a reducedresiduesystemmodulo ,,. From
Corollary 8.2, we know that r" is a primitive root modulo rn if and only if
(u,a(*)): l. since there ut" r*""ily o@@)) such integersa, there are
exactly0@@)) primitive rootsmoduloru. tr
Example. Let m: 11. A little computationtells us that 2is a primitive root
modulo 11. since ll has a primitiveroot,we know that 11 hasa@ol)) :4
incongruent primitive roots. It is easiry seen that 2, 6,7, and g are four
incongruentprimitive roots modulo I l.
8.1 Problems
1. Determine the
a) order of 2
b) order of 3
modulo 5 c)
modulo l0 d)
order of l0 modulo 13
order of 7 modulo 19.

8.1 The Order of an Integer and Primitive Roots 237
2. Find a primitive root modulo
d) 13
e) 14
f) 18.
3. Show that the integer 12 has no primitive roots'
4. How many incongruent primitive roots does 13 have? Find a set of this many
incongruentprimitive roots modulo 13.
5. Show that if dis an inverseof c modulon, then ordna: ordnd.
6. Show that if n is a positive integer and a and 6 are integers relatively prime to n
suchthat (ordna,ordnD) : l, then ord'(ab) : ordna'ordnb'
7. Find a formula for ordnGil if a and b are integers relatively prime to n when
ordna and ordrb are not necessarilyrelatively prime'
g. Decide whether it is true that if n is a positiveinteger and d is a divisor of Qh),
then there is an integer a with ordna : d.
g. Show that if a is an integer relatively prime to the positive integer m and
ordâ : s/, then ordât : s .
10. Show that if m is a positive integer and a is an integer relatively prime to z
such that ordâ - tlt - 1, then rr is prime.
I 1. Show that r is a primitive root modulo the odd prime p if and only if
,e_D/e * I (modp)
for all prime divisorsq of P-1.
Show that if r is a primitive root modulo the positive integer m, then i is also a
primitive root modulo m, if i is an inverse of r modulo m '
Show that ordp 2 ( 2'*1, where Fn : 2T * I is the nth Fermat number.
Let p be a prime divisor of the Fermat number Fn:2v * l'
a) Show that ordo2 :Zn*r.
b) From part (a), conclude that 2n+r | (p-1), so that p must be of the form
z"+rk + l.
15. Let m: an - 1, wherea andn arepositiveintegers. Show that ordra : n and
conclude that n I O@).
16. a) Show that if p and q are distinct odd primes, then pq is a pseudoprime to
the base2 if and only if ordo2| 0-t) and ordo2 | Q-D.
b) Use part (a) to decide which of the following integers are pseudoprimes to
the base2: 13'67,19'73,23'89,29'97.
il4
b)5
c) l0
12.
1 3 .
14.

PrimitiveRoots
Show that if p and q are distinct odd primes, then pq is a pseudoprime to the
base2 if and only if MoMo: (2p-r)ei-D ir" prrriJoprimeto the base2.
There is a method for deciphering messagesthat were enciphered by an RSA
cipher, without knowledge of the deciphering key. This method is based on
iteration. Supposethat the public key ie,il ir"o ro. enciphering is known, but
the deciphering key (d,il is not. To decipher a ciphertext block C, we form a
s e q u e n c e
C t , C z , C 3 , . . . s e t t i n g C r= C " ( m o d n ) , 0 < C 1 1 n a n d C ; + 1
E
C7Y
(mod n), 0 < Ci+t 1 n forj - 1,2,3,...
.
a) Show that C1 = Cd (mod n), 0 1 C1 1 n.
b) Show that there is an index 7 such that C1: C and Cj_t : p, where p is
the original plaintext message. Show that this indei 7' is a divisor of
ord,61n,1e
c) Let n:47'59 ande :17. Using iteration,find the plaintextcorresponding
to the ciphertext 1504.
(Note: This iterative method for attacking RSA ciphersis seldomsuccessfulin a
reasonable amount of time. Moreover, the primes p and q may be chosen so
that this attack is almost always futile. Seepioblem l3 of Section g.2.)
Write projects to do the following:
238
l. Find the order of c modulo rn, when a and m are relatively
2.
3 .
lntegers.
Find primitive roots when they exist.
Attempt to decipher RSA ciphers by iteration (seeproblem r g).
8.2 PrimitiveRootsfor primes
In this sectionand in the one following, our objectiveis to determine which
integershave primitive roots. In this ,..tion, we show that every prime has a
primitive root. To do this, we first needto study porynomialcongru"nces.
Let f (x) be a polynomial with integer coefficients. We say that an integer
c is a root of f (x) modulo m it f(c) = 0 (mod z). It i, *ryio rr. that if
c is a root of f (x) modulo m, then every integer congruent to c modulo m is
alsoa root.
Example. The polynomial f (i : x2 * x * t has exactly two incongruent
rootsmodulo T,namely x = 2 (mod 7) andx = 4 (mod 7).
1 7 .
1 8 .

8.2 PrimitiveRootsfor Primes 239
Example. The polynomial gG) : x7 * 2 has no roots modulo 5.
Example. Fermat's little theorem tells us that if p is prime, then the
polynomial hQ) - rP-t - t has exactly p-l incongruentroots modulo p,
n a m e l y
x = I , 2 , 3 , . . . ,
P - l ( m o dP ) .
We will need the following important theorem concerning roots of
polynomialsmodulop wherep is a prime.
Lagrange'sTheorem. Let f (x) : arxn + an4xn-r * + afi * cs be a
potyno.nial of degree n with integer coefficientsand with leading coefficient an
noi Oiuiribleby p. Then f k) has at most n incongruentroots modulo p.
Proof. To prove the theorem, we use mathematical induction' When rt : l'
*e hauef (;: atx I aowithp f c1. A rootof /G) modulop rsa solution
of the linear congruence a 1x 2 -as (modp). By Theorem3'7, since
(a1,p): l, this linear congruencehas exactly one solution,so that there is
exactly one root modulop of f G). Clearly, the theorem is true for n : l '
Now supposethat the theorem is true for polynomialsof degreen - l' and
let fk) U" a polynomial of degreen with leading coefficientnot divisible by
p. Assume that ihe polynomialf G) has n f I incongruent roots modulo p '
s?r!cs,cr,,..,cn,
so that f k) = 0 (modp) for k :0,1,,...,,fl.We have
rG)
-rGo)
=i:l:'_-,iirr;.,:,;'y,"_;,;;q
]]i .,a_ii',[.,,",
"+
ar)y(x-cs) (xn-z * x'-3cg* + xcfi-3 + c6-2')
+ * a1(x-cs)
: (x-cs)g (x),
where g(x) is a polynomial of degreen - | with leading coefficienta,. we
now showthat cr,cz,....,cn
are all rootsof g(x) modulop. Letk be an integer,
1 < k ( r. Sincef G) :
f (c) : 0 (mod p), we have
f Gr,) -
f (rr) : (ct -co)skt) = 0 (modP) '
From Corollary 2.2, we know that gk) : 0 (mod p), since
c1,- co# 0 (modp). Hence, c1 is a root of g(x) modulo p' This shows
that the polynomial g(x), which is of degree n - | and has a leading
coefficient not divisible by P, has n incongruent roots modulo p' This
contradictsthe induction hypothesis. Hence,f G) must have no more than n
incongruentroots modulop. The induction argument is complete' tr
We use Lagrange'stheorem to prove the following result.

240 PrimitiveRoots
Theorem 8.6. Let p be prime and let d be a divisor of p-1. Then the
polynomialxd - I has exactly d incongruentroots modulop.
Proof. Let p-l : de. Then
xP-r- | : (xd-1;1"d(e-t) a rdG-D I * x, * l)
: (xd-l)g(x) .
From Fermat's little theorem,we seethat xP-r - I hasp-l incongruentroots
modulo p. Furthermore, from Corollary 2.2, we know that any root of
xP-t - I modulo p is either a root of x7 - I modulo p or u rooi of g(x)
modulop.
Lagrange'stheoremtells us that g(x) has at most dG-l): p - d - |
roots modulo p. Since every root of xP-r - I modulo p that is not a root of
g(x) modulo
.p must be a root of xd - I modulo p, we know that the
polynomial xd - | has at least Q-D
-
Q-d-r): d incongruentroots
modulop. On the other hand, Lagrange'stheorem tells us that it has at most
d incongruent roots modulo p. Consequently, xd - I has precisely d
incongruentroots modulo p. tr
Theorem 8.6 can be used to prove the following result which tells us how
many incongruentintegershave a given order modulop.
Theorem 8.7. Let p be a prime ancl let d be a positivedivisor of p-1. Then
the number of incongruentintegersof order d modulop is equat to o@).
Proof. For each positiveinteger d dividing p-1, let F@) denote the number
of positiveintegersof order d modulo p that are less thanp. Since the order
modulop of an integernot divisiblebyp dividesp-1, it followsthat
p-l :
d l p - l
FromTheorem
6.6,we knowthat
p-l :
d l p - r
We will showthat F(d) < O@) whend I e-D. This inequality,
together
with theequality
d l p - r d l p - r

8.2 PrimitiveRoots for Primes 241
implies that F (d) : O@) for each positivedivisor d of p-1.
Let dl
thereis an
b-l). If F(d) :0, it is clearthat F(d) < O@). Otherwise,
integera of orderd modulo
p. Sinceotdra : d, theintegers
a , a 2 t . " , Q d
7
l 3
t 7
are incongruent modulo p. Furthermore, each of these powersof a is a root
of *d -1 modulo p, since bk)d
- (ad)k = | (modp) for all positive
integers k. From Theorem 8.6, we know that xd - I has exactly d
incongruent roots modulo P, So every root modulo p is congruent to one of
these powersof a. However, from Theorem 8.4, we know that the powersof
a with order d are thoseof the form a& with (kd): l' There are exactly
O@) such integers k with I < k < d, and consequently,if there is one
element of order d modulo p, there must be exactly 0U) such positive
integerslessthan d. Hence,FU) < 'd(d).
Therefore,we can concludethat F (d) : OU), which tells us that there are
precisely O@) incongruent integers of order d modulo p ' D
The following corollary is derived immediately from Theorem 8'7'
Corollary 8.3. Every prime has a primitive root'
Proof. Let p be a prime. By Theorem 8.7, we know that there ate |Q-l)
incongruent integers of order p-l modulo p. Since each of these is, by
definition, a primitive root, p has 6Q-l) primitive roots.
The smallestpositiveprimitive root of each prime lessthan 1000 is given in
Table 3 of the APPendix.
8.2 Problems
1. Find the numberof primitiverootsof the followingprimes:
1 9
29
47.
2. Let r be a primitive root of the prime p with p = | (mod 4)' Show that -r is
also a primitive root.
3. Show that if p is a prime and p : I (mod 4), there is an integer x such that
x2 = -l (modp). (Hint: Use Theorem 8.7 to show that there is an integer x
of order 4 modulo P.)
d)
e)
f)
a)
b)
c)

242 PrimitiveRoots
a) Find the number of incongruentroots modulo 6 of the polynomialx2 - x.
b) Explain why the answerto part (a) doesnot contradict Lagrange'stheorem.
il Use Lagrange's theorem to show that if p is a prime and /(x) is a
polynomial of degree n with integer coefficients and more than n roots
modulo p, then p dividesevery coefficientof /(x).
b) Let p be prime. Using part (a), show that every coefficient of the
polynomial
f (x) : (x-l) (x-D ... (*-p+l) - xp-t + I is divisibtebyp.
c) Using part (b), give a proof of Wilson's theorem. (Hint: Consider the
constantterm of f (x).)
Find the least positive residue of the product of a set of d(p_t) incongruent
primitive roots modulo a prime p.
A systematic method for constructing a primitive root modulo a prime p is
outlined in this problem. Let the prime factorization of ee) : p-l be
p-l : q'q'; q',,whereQr,ez, ...,qt areprime.
a) Use Theorem8.7 to show that there are integers d1, a2,...,a, such that
ordrat : q'i, ordra2: q|, ..., ordoa,: q:,.
b) Use problem 6 of section 8.1 to show that a : aflz-.. a, is a primitive root
modulop.
c) Follow the procedure outlined in parts (a) and (b) to find a primitive root
modulo 29.
Let the positive integer n have prime-power factorization n: pl,pi,...p?.
Show that the number of,incongruent bases modulo n for *tti.tt n is a
pseudoprimeto that baseis I (n-1, pi-D .
Use problem 8 to show that every odd composite integer that is not a power of 3
is a pseudoprimeto at least two basesother than i l.
Show that if p is prime and p :2q
! l, where q is prime and a is a positive
integer with I 1 a I p-1, then p -a2 is a primitive root modulo p.
il Supposethat /(x) is a polynomial with integer coefficientsof degreen-1.
Let x1,x2,...,xn be n incongruent integers modulo p. Show that for all
integersx, the congruence
.fk)
i-t
i-_t,
t^rold^s'
-.*h"1". F is an inverse of xj-xi (mod n). This technique
for finding f (x) modulo p is called Lagrange interpolation.
6.
7.
4.
5.
8.
9.
10.
I l .

8.3 The Existence of Primitive Roots 243
b) Find the least positiveresidueof /(5) modulo 1l if /(x) is a polynomial of
degree3 with f 0)
--
S,f Q) = 2,andf G) = 4 (mod l1).
12. In this problem, we develop a threshold scheme for protection of master keys in a
computer system, different than the scheme discussedin Section 7.6. Let f (x)
be a randomly chosenpolynomial of degreer-1, with the condition that K, the
master key, is the constant term of the polynomial. Let p be a prime, such that
p > K and p ) s. The s shadowskrkz, ..., k, are computed by finding the
least positiveresidueof f G) modulop for i :1,2,..., s where xt,xz,...,.xr are
randomly chosenintegersincongruentmodulo p, i.e.,
ki = f(x;) (modp), o ( k; ( p,
for; -
a) Use Lagrange interpolation, described in problem I l, to show that the
master key K can be determined from any r shadows.
b) Show that the master key K cannot be determined from less than r
shadows.
c ) L e t K : 3 3 , p : 4 7 , t : 4 , a n d s : 7 . L e t f G ) : 4 x 3 + x z +
3lx + 33. Find the sevenshadowscorrespondingto the values of /(x) at
1,2,3,4,5,6,
and 7.
d) Show how to find the
and / (4) .
key from the four shadows
f 0), f Q), f Q),
13. Show that an RSA cipher with encipheringmodulus n: pq is resistantto attack
by iteration(seeproblem18 of Section8.1) if p:2p'+ I and q:2q'* l,
where p' and q' are primes.
1. Find a primitive root of a prime using problem 7.
2. Implement the thresholdschemegiven in problem 12.
8.3 The Existenceof PrimitiveRoots
In the previoussection,we showedthat every prime has a primitive root. In
this section,we will find all positiveintegershaving primitive roots. First, we
will show that every power of an odd prime possesses
a primitive root. We
begin by consideringsquaresof primes.
Theorem 8.8. If p is an odd prime with primitive root r, then either r or

244 PrimitiveRoots
r * p is a primitive root modulop2.
Proof. Since r is a primitive root modulop, we know that
Let n : ordozr,so that
ordrr:0Q):p-1.
r'= I (modp2).
since a congruencemodulo p'obviously holds modulop, wa have
rn = I (modp).
From Theorem 8.1, it follows that
p - l : o r d r r l n .
On the other hand, Corollary g.l tells us that
nlOQ2):p(p-t).
Sincen I p(p-t) and p-l I n,, either n : p-l
n : p (p-l), then r is a primitiveroot modulop2,
Otherwise,
wehaven : p-1, sothat
r P - t = 1 ( m o d p 2 ) .
Let s : r+p. Then, sinces E r (mod p), s is alsoa primitive root modulo
p. Hence, ordo"r equals either p-l or p (p-l). we will show that
ordo,r * p-1. The binomial theorem tells us that
.rp-r : (rtp)o-r : 7p-t + Q_Dro-rp * 1p;I)rr_rp, +
z v4-t + (p-Dp.rP-2 (modp2).
Hence,using (S.t), we seethat
sP-r = I + (p-l)p.70-2: l - prp-z (modp2).
From this last congruence,we can concludethat
or n:p(p-l). If
since ordrrr: Q(pz).
(s.1)
sp-t# l (modp2).
To seethis, note that if 5P-l : l^(mod p2), thenprp-z = 0 (modp2). This
last congruence implies that rp-2 = 0 (mod p), which is impossible, since

8.3 The Existence of Primitive Roots 245
p tr, (remember r is a primitive root of p). Hence, ordrus: p (p -l) :
O $. Consequently,
s : r*p is a primitive root of p' ' a
Example. The prime p :7 has r : 3 as a primitive root. From the proof of
Theorem8.8,we seethat r : 3 is alsoa primitiveroot modulop2 :49' since
rP-t - 36 + I (mod 49)'
We note that it is extremelyrare for the congruence
rP-t = I (modp2)
to hold when r is a primitive root modulo the prime p. Consequently,
it is
very seldomthat a primitive root r modulo the prime p is not alsoa primitive
root modulop'. The smallestprime p for which there is a primitive root that
is not also a primitive root modulo p2 is p : 497. For the primitive root l0
modulo487,we have
10486: 1 (mod 4872).
Hence, l0 is not a primitive root modulo 4872,but by Theorem 8.8, we know
that 497: 10 + 487is a primitive root modulo 4872.
We now turn our attentionto arbitrary powersof primes.
Theorem 8.9. Let p be an odd prime, then pk has a primitive root for all
positive integers ft . Moreover, if r is a primitive root modulo p2, then r is a
primitive root modulopo, for all positiveintegersk.
Proof. From Theorem 8.8, we know that p has a primitive root r that is also
a primitive root moduloP2,so that
(8.2) rp-t # 1 (modp2).
Using mathematicalinduction,we will
yn'-'$-t) 1
provethat for this primitive root r,
I (modpft)
(8.3)
for all positiveintegersk. Once we have established
this congruence,
we can
show that r is alsoa primitive root modulo pk by the following reasoning. Let
n : ord6r.
From Theorem 6.8, we know that n I OQ: O*-r(p-l). On the other
hand,since

246 PrimitiveRoots
7n - I (modpk),
we alsoknow that
r n = I ( m o d p ) .
From Theorem 8.1, we see that p-l : 6e) | n. Becausee-Dl r, and
n I o*-rQ-I), we know that n:'p'(p-l), wh'ere
l is an integersuchthat
0 ( r ( k - t . I f n : p ' ( p - l ) w i t h / < k - 2 , t h e n
7p'-2(p-t)
: (7p'@-t)1r'-rn
: l (modpk),
which would contradict (8.3). Hence, ordotr: pk-t b-D : oeo).
Consequently,r is alsoa prirnitive root modulopk.
All that remainsis to prove (8.3) using mathematicalinduction. The case
of k:2 followsfrom (8.2). Let us assumethe assertionis true for the positive
i n t e g e r k > 2 . T h e n
7nt-t(t_t)
# l (modpk).
since G,p) : l, we know that (r,pk-t) : 1. consequently,from Euler's
theorem,we know that
Therefore,there
wherep trd, since
powerof bothsides
yP'-'(P-l) -
We take the pth
binomial theorem,
* (dpk-t1n
0 + dp*-t1o
| + p@pt-r, * (|)o'Urk-t)2 +
| * dpk (modpo*').
conclude
that
vPL-2(o-D : ,Q(Pk-tt
an integerd suchthat
yo'-'Q-t): I * dpk-t,
by hypothesisyP'-'(P-t)* t (moApk).
of the aboveequation,to obtain,via the
Sincep I d, we can
,.P^-'(P-r)
# I (modpo*t).
completesthe proof by induction. tr
Example. From a previousexample,we know that r : 3 is a primitive root

8.3 The Existenceof PrimitiveRoots 247
modulo 7 and 72. Hence, Theorem 8.9 tells us that r : 3 is also a primitive
root modulo 7k for all positiveintegersk.
It is now time to discusswhether there are primitive roots modulo powersof
Z. We first note that both 2 and 22: 4 have primitive roots, narnely 1 and 3,
respectively. For higher powersof 2, the situation is different, as the following
theorem shows;there are no primitive roots modulo thesepowersof 2.
Theorem 8.10. If a is an odd integer,and if k is an integer,k ) 3, then
aOQL)/2
: e2'-': 1 (mod 2k).
proof. We prove this result using mathematical induction. If a is an odd
integer,then a : 2b t 1, where b is an integer.Hence,
a2 : (2b+ 1)2: 4b2+ 4b * I : 4b$ + 1) + 1.
Since either b or b * 1 is even,we seethat 8 | 4b (b + l), so that
a2 :- I (mod 8).
This is the congruence
of interestwhen k :3.
Now to complete the induction argument, let us assumethat
a2'-' = I (mod 2k) .
Then there is an integer d suchthat
e 2 ' - ' : l + d ' z k .
Squaring both sidesof the above equality, we obtain
e2'-': | + d2k+r q 422zk.
This yields
e2'-'= 1 (modzk+r),
which completesthe induction argument. n
Theorem 8.10 tells us that no power of 2, other than 2 and 4, has a
primitive root, since when a is an odd integer, ord2ta# OQk) , since
a6Q')lz : 1 (mod 2k) .
Even though there are no primitive roots modulo 2k for k > 3, there always
is an element of largest possible order, namely OQ I 2, as the following
theorem shows.

248 PrimitiveRoots
Theorem 8.11. Let k 7 3be an integer. Then
ord2.5: O(Zk)D:2k-2.
Proof. Theorem 8.10 tells us that
52'-'= I (mod 2k).
for k 2 3. From Theorem 8.1, we see that ordr.S I Z*-2. Therefore, if we
show that ordr.5 | 2l"-t , we can concludethat
ord2.5- 2k-2.
To show that ordr,S tr2k-3, we will prove by mathematical induction that
f o r k ) 3 ,
52,-'= | + 2k_t * I (mod 2k).
For k : 3. we have
Now assumethat
5:l+4(mod8).
52'-': l+zk-I (mod2ft).
This means
that thereis a positive
integerd suchthat
S2'-'_(1
+2k-r)+dZk.
Squaring
bothsides,
wefind that
52'-'
: (l + 2k-t)2+ 20 + zk-t)dZk + (dzk)z
so that
52,-,= 0 + 2k-r)2 : | + 2k + 22k-2: I + 2t (mod Zk+ .
This completesthe induction argument and showsthat
ordr'5 : O(2k)/2' tr
We have now demonstratedthat all powersof odd primes possess
primitive
roots,while the only powersof 2 having primitive roots are 2 and 4. Next, we
determine which integersnot powersof primes, i.e. those integersdivisible by
two or more primes, have primitive roots. We will demonstratethat the only
positive integers not powers of primes possessingprimitive roots are twice

powersof odd primes.
We first narrow down the set of positiveintegerswe need considerwith the
following result.
Theorem 8.12. If r is a positiveinteger that is not a prime power or twice a
prime power, then n doesnot have a primitive root.
Proof. Let n be a positive integer with prime-power factorization
,-p,p'i...p';.
Let us assumethat the integer n has a primitive root r. This means that
(r,n) : I and ordnr :6h). Since (r,n) : l, we know that (r,p') : l,
wheneverpt is one of the prime powersoccurring in the factorizationof r. By
Euler's theorem, we know that
ro@'): I (mod P) .
Now let U be the leastcommonmultiple of Q(p'r), OQ'il,..-,0(p';), i-e.
u : [oQ'),
aQ'il,...,0b'il1.
SinceObh I U, weknowthat
ru = t (modP,l')
fori : l, 2 ,...,m. Fromthislastcongruence,
weseethat
ordrr:6Q)<U.
FromTheorem
6.4,since@is multiplicative,
wehave
Qh): oi'p?''' p';): 6(p't')o7'il ob';l'
Thisformulafor d(n) andtheinequality
$fu) < U implythat
oQ')
o,'il''' oa'il ( td(p'r'),oQ';)'...,
ob'il.
Since the product of a set of integers is less than or equal to their least
common multiple only if the integers are pairwise relatively prime (and then
the less than or equal to relation is really just an equality), the integers
Q(p'r'),0$';),..., OQ';) must be pairwise relatively prime'

250 Primitive Roots
We notethate(pt) : rt-r(p-l), sothatee,) is even
if p is odd,or if
p : 2 and t > Z. Hence,the numbers
e(p'r'),
Oe'il,...,Oe,; arenot
pairwiserelativelyprime unlessm: I andn is a primspower o, *:2 and
the factorization of n is n : 2p', where p is an odd prime and / is a positive
integer. tr
We have now limited considerationto integersof the form n : 2p,, where
p is an odd prime and r is a positive integer. We now show that all such
integershave primitive roots.
Theorem 8.13. rf p is an odd prime and r is a positive integer, then 2pt
possesses
a primitive root. In fact, if r is a primitive root modulopt, then if r
is odd it is also a primitive root modulo 2pt, while if r is even, r * pt is a
primitive root modulo 2pt.
Proof. If r is a primitive root modulo pt , then
rob') = I (modp,),
and no positiveexponentsmaller than 6(pt) has this property. From Theorem
6.4, we note that O(zp') : 0Q) 66t7 : e(p,), so that ,6(2n')
--
1 (mod p') .
If r is odd, then
,o(zp')= I (mod 2).
Thus, by corollary 3.2, we see that rQQp';: I (mod 2p,). since no smaller
power of r is congruent to I modulo 2pt , we conclude that r is a primitive
root modulo 2pt .
On the other hand, if r is even,then r
(r + P'10{zP')
*p' Hence,
Since r * p' = r (mod p'), we seethat
I (mod 2)
I (modp')
G * pt )QQP')
Therefore,(r + ot1oQfl: I (mod 2p'), and as no smallerpowerof r *pr is
congruentto 1 modulo 2pt, we concludethat r * p' is a primitive root modulo
2p'. rt
Example. Earlier this sectionwe showedthat 3 a primitive root modulo

7t for all positiveintegers/. Hence, since 3 is odd, Theorem 8.13 tells us that
3 is also a primitive root modulo 2'7t for all positiveintegers/. For instance,
3 is a primitive root modulo 14.
Similarly, we know that 2 is a primitive root modulo 5' for all positive
integers/. Hence,since2 + 5t is odd, Theorem 8.13 tells us that 2 * 5t is a
primitive root modulo 2.5t for all positive integers f. For instance,2T is a
primitive root modulo 50.
CombiningCorollary 8.3 and Theorems8.9, 8.12,8.13,we can now describe
which positive integers have a primitive root.
Theorem 8.14. The positive integer n possesses
a primitive root if and only if
f r : 2 , 4 , p ' , o r 2 p t ,
wherep is an odd prime and / is a positiveinteger.
8.3 Problems
l. Which of the integers4,10,16,22and 28 have a primitive root?
a) lf c) r72
b) B2 d) D2.
3. Find a primitive root, for all positiveintegersk, modulo
a) 3k c) l3k
b ) l l e d ) n k .
a ) 6 c ) 2 6
b) 18 e) 338.
5. Find all the primitive roots modulo 22.
6. Show that there are the same number of primitive roots modulo 2pt as there are
of p' , where p is an odd prime and r is a positive integer.
7. Show that if rn has a primitive root, then the only solutionsof the congruence
x2 = I (mod m) arex E t I (mod z).

252 PrimitiveRoots
8. Let n be a positive integer possessinga primitive root. Using this primitive root,
prove that the product of all positive integerslessthan n and relatively prime to
n is congruent to -l modulo n. (When n is prime, this result is Wilson's
Theorem.)
9. Show that although there are no primitive roots modulo 2& where k is an integer,
k > 3, every odd integer is congruent to exactly one of the integers (-1)"50,
wherea:0 or I and B is an integersatisfying0 < B ( 2ft-2-1.
Write computer programsto do the following:
l. Find primitive roots modulo powersof odd primes.
2. Find primitive roots modulo twice powers of odd primes.
8.4 Index Arithmetic
In this section we demonstrate how primitive roots may be used to do
modular arithmetic. Let r be a primitive root modulo the positive integer m
(so that m is of the form describedin Theorem8.14). From Theorem8.3, we
know that the integers
r , 1 2 , 1 3
form a reducedsystemof residuesmodulo nr. From this fact, we seethat if a
is an integer relatively prime to m, then there is a unique integer x with
1 ( x 4 6 @ ) s u c h t h a t
r' a (modm).
This leadsto the following definition.
Definition. Let m be a positiveinteger with primitive root r. If a is a positive
integer with (a,m): l, then the unique integerx with I (x(d(z) and
r* = a (mod m) is called the index of a to the base r modulo m. With
this definition,we havea - ,ind'a (mod m ).
If x is' the index of a to the base r modulo m, rhen we write x : indra,
where we do not indicate the modulus m in the notation, sinceit is assumed"to
be fixed. From the definition, we know that if a and b are integersrelatively
prime lo m and a = b (mod m), then ind,a : indrb.
Example. Let m : 7. We have seenthat 3 is a primitive root modulo 7 and

8.4 lndex Arithmetic 253
that 3r = 3 (mod7),32 = 2 (mod7),33= 6 (mod7),34 =4 (mod7),
35= 5 (mod 5). and 36= I (mod 7).
Hence, modulo 7 we have
ind3l : 6, indt2 : 2, indl3 : 1,
ind34: 4, indr5 : 5, indr6 : 3.
With a different primitive root modulo 7, we obtain a different set of indices.
For instance,calculationsshowthat with respectto the primitive root 5,
ind5l : 6, inds2: 4, inds3: 5,
ind54: 2, ind.55
: l, inds6: 3.
We now develop some propertiesof indices. These properties are somewhat
similar to those of logarithms, but instead of equalities,we have congruences
modulo6@).
Theorem 8.15. Let m be a positive integer with primitive root r, and let a
and b be integersrelativelyprime to m. Then
(i) ind,l =0 (mod Qfu)).
(ii) ind,Gb) = ind,a * ind,b (mod O@))
(iii) ind,ak
--
la. ind,a (mod 6h)) if k is a positiveinteger.
Proof of G). From Euler's theorem, we know that ,6(m): I (mod z).
Since r is a primitive root modulo m, no smaller positive power of r is
congruentto 1 modulorn. Hence,ind,l : 6(m) = O (mod Qfu)) .
To prove this congruence,note that from the definition of
Proof of (ii).
indices,
and
Hence,
,ind,Gb) = 7ind,a
* ind,D
(mod rn ).
Using Theorem8.2,we concludethat
ind,(ab) : ind,a * ind,b (mod 6@)).
,ind'Qil : ab (mod ,,, )
,ind,a*ind,b- ,ind,o ,ind,b = Ab (mOd ,, ).

254 PrimitiveRoots
Proof of Gii). To
definition, we have
and
Hence,
Using Theorem 8.2,
namely
ind,ak
-
ft. ind,a (mod 6fuD, a
Example. From the previous examples,we seethat modulo 7, ind52: 4 and
ind53:5. SinceAQ) :6, part (ii) of Theorem8.15tellsus that
ind56- inds2.3: inds2t ind53:4 t 5:9 = 3 (mod6).
Note that this agreeswith the value previouslyfound for ind56.
From part (iii) of Theorem8.15,we seethat
ind53a= 4'inds3= 4.5 : 20 = 2 (mod 6).
Note that direct computation givesthe sameresult, since
ind53a
- indsSl - inds4: 2.
Indices are helpful in the solution of certain typesof congruences.Consider
the following examples.
Example. We will use indices to solve the congruence6xr2 : I 1 (mod 17).
We find that 3 is a primitive root of 17 (since 38 = -l (mod l7)). The
indicesof integersto the base3 modulo l7 aregivenin Table 8.1.
Table8.1. Indices
to the Base3 Modulo17.
Taking the index of each side of the congruenceto the base 3 modulo 17,
we obtain a congruence
modulod(t7) : 16,namely
prove the congruence of interest, first note that, by
,ind',ar
-:
ak (mod m )
,k'ind'a = (rind'o)P : ak (mod rn).
,ind,aL = rk'
ind'o
(mod rn ).
this leads us immediately to the congruencewe want,
a I 2 3 4 5 6 7 8 9 10 1 l t2 13 l 4 t5 1 6
ind3a 1 6 1 4 I r2 5 l5 l l l0 2 3 7 l 3 4 9 6 8

ind3(6xr2)= ind3l| :'l (mod 16).
Using (ii) and (iii) of Theorem8.15,we obtain
ind3(6xr2)- ind36* ind3(x12)
:, 15 + 12'ind3x(mod 16).
Hence,
1 5 + 1 2 ' i n d 3 x = 7 ( m o d 1 6 )
or
255
1 2 ' i n d 3 x = 8 ( m o d 1 6 ) .
Using Corollary 3.1,upon divisionby 4 we find that
ind3x : 2 (mod 4).
Hence,
ind3x : 2,6, 10,or 14 (mod 16).
consequently,from the definition of indices,we find that
x 2 32,36,
3toor 3la (mod 17),
(note that this congruence holds modulo 17)' Since
32:- 9,36 : 15,310
-
8, and 314: 2 (mod l7), we conclude
that
x 3 9 , 1 5 , 8 , o r 2 ( m o d1 7 ) .
Since each step in the computations is reversible,there are four incongruent
solutionsof the original congruencemodulo l7'
Example. We wish to find all solutionsof the congruence7'= 6 (mod 17).
When we take indices to the base 3 modulo 17 of both sides of this
congruence,we find that
ind3(7') : ind36: 15 (mod 16).
From part (iii) of Theorem8.15,we obtain
ind3(7') : x'ind37: llx (mod 16).
Hence.

256
llx : 15 (mod 16).
Since3 is an inverseof I I modulo16, we
congruence
aboveby 3, to find that
x = 3.15
:45 : 13
All steps
in thiscomputation
arereversible.
PrimitiveRoots
multiply both sides of the linear
(mod 16).
Therefore,the solutionsof
1 7 )
7* = 6 (mod
are given by
x = t3 (mod 16).
Next, we discusscongruencesof the form xk = a (mod m), wherem is a
positive integer with a primitive root and (a,m) : l. First, we present a
definition.
Definition' lf m and k are positive integers and a is an integer relatively
prime to ffi, then
.we say that a is a kth power residue if * if the
congruence
xk = a (mod,m) has a solution.
When z is an integer possessing
a primitive root, the following theorem
gives a useful criterion for an integer a relatively prime to m to be a kth
power residueof m.
Theorem 8.16. Let m be a positive integer with a primitive root. If k is a
positiveinteger a1d o is an integer relatively prime to m, then the congruence
xk = a (mod m) hasa solutioriif and only-ii
o Q h ) l d = l ( m o d l n )
where d : (k,6(m)). Furthermore, if there are solutions of
xk : a (mod m)' thenthere are exactly d incongruentsolutionsmodulo rn.
Proof. Let r be a primitive root modulo the positiveinteger 17. We note that
the congruence
x k (mod z)
holdsif and only
(8.1) k' ind,x ind,a (mod6@)).
Now let d: (k,e(m)) and y : ind,x, so that x (mod z ). From

257
Theorem3.?,we notethat it d trindra, then the linear congruence
(8.2) ky : ind"o (mod Qfu))
has no solutions,and hence, there are no integers x satisfying (8
l). If
d lind'a, then there are exactly d integersy incongruentmodulo d(z) such
that (8.2) holds,and hence,exactly d integersx incongruentmodulo z such
rhat (8.1) holds. Sinced I ind,a if and only if
@@)/ilind,a = o (mod Q(m)),
and this congruenceholdsif and only if
o o h ) / d : 1 ( m o d r z ) .
the theorem is true. tr
We note that Theorem 8.16 tells us that if p is a prime, k is a positive
integer, and a is an integer relatively prime to p, then a is a kth power
residueof p if and only if
oQ-D/d: 1 (modp),
whered : (k,p-l). We illustratethis observation
with an example.
Example. To determinewhether 5 is a sixth power residueof 17, i.e. whether
the congruence
x6 = 5 (mod 17)
has a solution,we determinethat
5t6/(6,16)
: 58 = -l (mod l7).
Hence,5 is not a sixth powerresidueof 17.
A table of indiceswith respectto the least primitive root modulo each prime
lessthan 100 is given in Table 4 of the Appendix.
We now presentthe proof of Theorem 5.8. We state this theorem again for
convenience.
Theorem 5.8. If n is an odd compositepositiveinteger, then r passesMiller's
testfor at most fu-l)/4 bases
b with I < , 1n-1.
We needthe following lemma in the proof of Theorem 5.8.

Lemma 8.1. Let p be an odd prime and let e andq be positiveintegers.
Then the number of incongruent solutions of the congruence
xe-t = I (mod
pr) is (q,pr-re-D.
Proof' Let r be a primitive root of p' . By taking indiceswith respectto r,
we see that x4: I (modp,) if and only if qy = 0 (mod6e,D where
y : ind'x . using Theorem3.j, we seethat there are exactli e,6er))
incongruentsolutionsof gy :0 (mod|e"D. consequently,
there are
Q,6Q")) : (q,p'-tb-l)) incongruent
solutions
of xe = 1 {-oAp'). tr
We nowproceed
with a proofof Theorem5.g.
Proof. Let n-l : 2't, wheres is a positiveintegerand,
t is an odd positive
integer.For n to bea strongpseudoprime
to the baseD, either
258
PrimitiveRoots
bt : I (mod n)
b2tt : -1 (mod n)
f o r s o m e i n t e g e r T w i t h 0( 7 ( s - l . I n e i t h e r c a s e , w e h a v e
b n - t = I ( m o d n ) .
Let the prime-power
factorizationof n ben : pi,pi, . . . p',,. From Lemma
8.1, we know that there are (n-r, p'/Qi-l)) : h-l,pi-l) incongruent
solutions
of xn-r: I (modp7) , j :1,2,...,r. Consequently,
the Chinese
remainder
theorem
tellsus that thereareexactlvfI h-,p1-l) incongruent
solutionsof x'-l = I (mod n).
j-r
To prove the theorem, we first consider the case where the prime-power
flactorizationof n containsa prime powerp[. with exponente* 2 2. Since
bo-D /pt : t/p't-t- t/p't < z/g
(the largestpossible
value occurswhenpj :3 and ei :2), we seethat

259
r
fI
; : l
tu-r,pj-r)
< fI Q;t)
j-r
l i - l
ll**
"+"
l+,r)
Since 0n-l) for n > 9 , we seethat
(n-l ,p,-l) ( (r -r)14.
Consequently,
there areat most Q-Dla integersb, I < 6 ( n , for which n
is a strong pseudoprimeto the baseb.
The othercaseto consider
is when n: PPz"'P. wherePt,Pz,.-.,Pr
are
distinct odd primes. Let
pt - | : 2t'tr, i : 1,2,...,r,
where s; is a positiveinteger and /; is an odd positiveinteger. We reorder the
primespr,p2,...,p,,
(if necessary)
so thatsr ( sz ( ( s, ' We note that
h-l,pi-l) : 2*ink') (t,t,).
The number of incongruentsolutionsof x' = I (mod pi) is T : (t,t;). From
problem 15 at the end of this section,there are 2il; incongruent solutionsof
*y''= -l (modp;) when O ( f ( si-I, and no solutions
otherwise. Hence,
using the Chinese remainder theorem, there are TrTz"'7, incongruent
solutionsof xt : I (mod n), and 2i' TrTz"'7, incongruent solutionsof
x/, = -1 (mod n) when0 ( 7 ( s1-1. Therefore,
there area total of
[ ,,-' I I Z"'-tI
TrTz"' T, lt* > 2t'l- TrTz"' T,lt + .;; I
l , r - o J t L )
integersb with 1< D ( n-1, for which n is a strong pseudoprimeto the
Uasetr. (We haveusedTheorem l.l to evaluatethe sum in the last formula.)
Now note that
?"*f r
u
j:r

260 PrimitiveRoots
6h) : (pr-l) (pz-l)
We will showthat
(pr-l) : tiz tr1t'*s'*
"' *s,
W h e n s r : J 2 , w e h a v e( n - l , p r l ) : 2 ' T r a n d ( n - l , p z - l ) : 2 t T z . L e t
us assume that pr ) pz. Note that T1 * t1, for if Tr: tr, then
rrrz'
" r,[,*ro] *,,r,ro,
| 2',-t )
which provesthe desiredresult. BecauseTrTz. . . 7, ( r1r, tr, we can
achieveour goal by showingthat
(8.3)
[,*l'-t lrr',*',*''
*r,< r/4.
| z',-t)
Sincesr ( sz ( ( s, , we seethat
f,* Uf ,r',*',*
'as,
( f,*''.'-tf,r,,,
| 2'-t )' l.
^
2,
-l J''
I 2 " r - l
- -
2", 2"r(2, -l)
:l++-l
2"t 2,-l 2rtr(2, -l)
| 2',-2
I -
2'-l 2"'(2'-l)
-<l
-
2r-r
From this inequality,we concludethat (s.r) is valid when r ( 3.
W h e n r : 2 , w e h a v en : p p 2 w i t h p r | : 2 t r t 1 a n d p z - l : 2 t r t z , w i t h
rr ( sz. If s1 ( s2,then (S.f) is againvalid, since
I rt',-, I -L.
( ''"
I r ^ )
[t. ?)/2',*',:['. +]/lz",z',-',)
:[+.
#),,"-"
*+

(pt-l) I (n-l), sothat
n : prpzZ pz= 1 (mod
pr-l),
261
we know that
t2l3 . Hence,
whichimpliesthatP2 ) Pr,
Tr ( tr / 3. Similarlv,lf
7
TrTz4 t12/3,and
sincelr
t
a contradiction.Since T1# t'1,
t 1 pz then T2 # tr, so that 7"2(
^2s, , I
*
2'":t
l/r"'* ;
, wehave
3)
| -,2r, , l
TtTzlr+ f | < r t222"16
: 6h)16,
l r )
which proves the theorem for this final case' since
oh) /6 ( (n-r) /6 < (/,-r) /4. tr
By analyzingthe inequalitiesin the proof of Theorem 5.8, we can seethat
the probability that n is a strong pseudoprimeto the randomly chosenbaseD,
1 < b ( n-1, is closeto ll4 only for integersn with prime factorizationsof
the form n : prp2withPr: | + 2q1andPz: I t 4q2, where{1 and Q2are
odd primes, or n : qflzQt with Pr: | + 2qr,P2: | * 2q2, and
pz: I t 2q3,where Qr,ez,andq3aredistinctodd primes(seeproblem16).
8.4 Problems
l. Write out a table of indicesmodulo 23 with respectto the primitive root 5.
2. Find all the solutions of the congruences
a) 3xs = I (mod 23) b) 3xta = 2 (mod 23).
3. Find all the solutionsof the congruences
il 3' :- 2 (mod 23) b) 13" = 5 (mod 23)'
4. For which positive integers a is the congruenceaxa = 2 (mod 13) solvable?
5. For which positive integers 6 is the congruence 8x7 : b (mod 29) solvable?
6. Find the solutionsof 2x = x (mod 13), using indicesto the base2 modulo 13.
7. Find all the solutionsof x' : x (mod 23).
8. Show that if p is an odd prime and r is a primitive root of p, then ind,(p-|) :
(p-r)/2.

9.
10.
l l .
262
PrimitiveRoots
Let p be an odd prime. Show that the congruencex4 = _l(modp) has a
solution if and only if p is of the form gfr + l.
Prove that there are infinitely many primes of the form 8ft*1. (Hint: Assume
that p6p2,...,pn are the only primes of this form. Let e - (ppz. . . p)a+l .
Show that Q must lave an odd prime factor different than j1p2,...,pn, and by
problem 9, necessarilyof the form 8k+l .)
From problem 9 of Section 8.3, we know that if a is a positiveinteger, then there
are unique integers a and B with a : 0 or I and 0 < B ( Z*-i-t such that
a = (-l)" 5p (mod 2ft). Define the index system of a modulo 2k to be equal
to the pair (a,B).
a) Find the index systemsof 7 and 9 modulo 16.
b) Develop rules for the index systems modulo 2& of products and powers
analogousto the rules for indices.
c) Use the index system modulo 32 to find all solutionsof j xs = I I (mod 32)
and 3' = 17 (mod 32).
12. Let n : 2"p'pj ' ' ' ph be the prime-power factorization of n. Let a be an
integer relatively prime to n. Let r1,r2,...,r^ be primitive roots of pti,p'i,..., p';,
respectively, and let 71 : ind", a (mod p'1), 72 : ind", a (mod ptl),
...,1m:ind,.a (mod p'il. rc /o ( 2, let rs be a primitive root of 2t,,and let
7e : ind,. a (mod 2t). If ls 2 3,let (a,p) be the index systemof c modulo 2k,
so that a = (-l)'5P (mod 2t). Define the index system of a modulo n to be
(1o,1r,72, ...,y) if to ( 2 and (a,8,7t,^12,...,1^)
if to Z 3.
a) Show that if n is a positive integer, then every integer has a unique index
systemmodulo n.
b) Find the index systemsof 17 and 4l (mod lZ0) (in your computations,use
2 as a primitive root of the prime factor 5 of 120).
c) Develop rules for the index systems modulo n of products and powers
analogousto those for indices.
d) Use an index system modulo 60 to find the solutions of
I lx7 : 43 (mod 60).
Let p be a prime, p ) 3. Show that if p =2 (mod 3) then every integer not
divisible by 3 is a third-power, or cubic, residueof p, while if p : I (mod 3), an
integera isa cubic residueof p if and only i1 o@-t)/3: I (modp).
Let e be a positive integer with e 7 2.
il Show that if ft is a positive integer, then every odd integer a is a kth power
residueof 2".
b) Show that if /c is even, then an integer a isa /<th power residue of 2" if and
only if a ? | (mod (4k ,2')).

1 5 .
1 6 .
8.5 PrimalityTests UsingPrimitiveRoots 263
c) Show that if /< is a positive integer, then the number of incongruent kth
power residuesof 2" is
2"-r
b.2) h,2"-2)
'
(Hint: Use problem I 1.)
Let N - 2ju be a positive integer with 7 a nonnegativeinteger and a an odd
positiveinteger and let p-l:2"/, where s and t are positiveintegerswith I
odd. Show that there aie 2j (t,u) incongruent solutionsof xN
- -l (modp) if
0 ( ,l ( s-1, and no solutionsotherwise'
a) Show that the probability that n is a strong pseudoprime for a base b
randomly chosen with I < 6 < n-l is near (n-l)/4 only when n has a
prime factorization of the form n : ptPz where Pr: | * Zqr and
pz: | * 4qz with q1 and q, prime or n: PPtPt where Pt: | * Zqr,
pz: | * 2qz,pt : | * 2q3with q r,Tz,Qt
distinct odd primes.
b) Find the probability that n : 49939'99877is a strong pseudoprimeto the
baseb randomly chosenwith 1 < b < n - l'
l. Construct a table of indices modulo a particular primitive root of an integer.
Z. Using indices, solve congruences of the form axb = c (mod nr) where
a,b,c,andm are integers with c ) 0, m ) 0, and where z has a primitive
root.
3. Find kth power residuesof a positive integer m having a primitive root, where k
is a positiveinteger.
4. Find index systemsmodulo powersof 2 (seeproblem l1)'
5. Find index systemsmodulo arbitrary positiveintegers (seeproblem l2).
8.5 PrimalityTestsUsingPrimitiveRoots
From the conceptsof orders of integersand primitive roots, we can produce
useful primality tests. The following theorem presentssuch a test.
Theorem 8.f 7. If n is a positiveinteger and if an integer x existssuch that
xn-t = I (mod n)
and

264
PrimitiveRoots
* G - t ) / a # l ( m o d n )
for all prime divisorsq of n - 1, then n is prime.
Proof. Since xn-r: I (mod n), Theoremg.l tells us that ord,x | (n-l).
we will show that ordrx : n - r. Suppose that ord,,x # n - l. Since
ordrx | (n-t), there is an integer k with n - | : k.ordrx and since
o r d r x l n - l , w e k n o w t h a t k > l . L e t q b e a p r i m e d i v i s o r o f
k . T h e n
*h-r)h : *klqord,r: (xord.xS&/d= I (mod n).
However, this contradicts the hypothesesof the theorem, so we must have
ordnx : n - l. Now, sinceordnx ( O(n) and6h) ( n _ l, it followsthat
Qh) : n - l. RecallingTheorem6.2,we know that n must be prime. tr
Note that Theorem 8.17 is equivalent to the fact that if there is an integer
with order modulo n equal to n- , then n must be prime. We illustrate the
useof Theorem8.17 with an example.
Example. Let n:1009. Then llr008: I (mod 1009). The prime divisors
of 1008 are 2,3, and 7 . we see that rlt008/2:11504- -i (mod 1009),
111008/3
: 11336
= 3:4 (mod 1009), and 11l00tf: 11144
_ 934 (mod l00g).
Hence,by Theorem8.17 we know that 1009is prime.
The following corollary of Theorem 8.17 gives a slightly more efficient
primality test.
Corollary 8.4. If n is an odd positive integer and if x is a positive integer
suchthat
and
* h - D / 2
- - l ( m o d r u )
, h _ r ) / c * l ( m o d n )
for all odd prime divisorsq of n - l, then n is prime.
Proof. Since *b-r)/2: - I (mod n), we seethat
xr-r : 1*b-D/212= (-l)2 = | (mod n).
Since the hypotheses
of Theorem 8.17 are met, we know that n is prime. D
Example. Let n :2003. The odd prime divisorsof n-l :2002 are 7,ll,

8.5 Primality Tests Using Primitive Roots 265
and 13. Since 52002/2:
51001
= -1 (mod 2003), 52002/t
=.5T
u:874
(mod 2003), lzooz,tr- 5183
- 886 (mod 2003), and 52oo2/13
: 5154
: 633 (mod 2003), we seefrom Corollary 8.4 that 2003 is prime.
To determinewhether an integer n is prime using either Theorem8.17 or
Corollary 8.4, it is necessary
to know the prime factorizationof n - l' As we
have remarked before, finding the prime factorizationof an integer is a time-
consumingprocess. Only when we have some a priori information about the
factorizationof n - | are the primality tests given by these results practical.
Indeed, with such information these tests can be useful. Such a situation
occurs with the Fermat numbers; in Chapter 9 we give a primality test for
thesenumbersbasedon the ideasof this section.
It is of interest to ask how quickly a computer can verify primality or
compositeness.We answerthesequestionsas follows.
Theorem 8.18. If n is composite,this can be proved with O(logzilz) bit
operations.
Proof. If n is composite, there are integers a and b with | 1 a 1 fi,
| < b 1 n, and n - ab. Hence, given the two integersa and b, we multiply
a and,b and verify that n : ab. This takes O (logzn)2) bit operations and
proves that n is comPosite. tr
We can use Theorem8.17 to estimatethe number of bit operationsneeded
to prove primality when the appropriateinformation is known.
Theorem 8.19. If n is prime, this can be proven using O((logzn)a) bit
operations.
Proof. We use the secondprinciple of mathematical induction. The induction
hypothesisis an estimate for f h), where f h) is the total number of
multiplications and modular exponentiationsneededto verify that the integer
n is prime.
We demonstrate
that
f b) ( 3 (lognltosD- 2.
First, we note that / (2) : l. We assume that for all primes Q, with
q < n, the inequality
holds.
f (q) ( 3 (loeqltosD-2

266
PrimitiveRoots
To prove that n is prime, we use Corollary 8.4. Once we have the numbers
2o, qr,...,Qt,and x that supposedly
satisfy
( i ) n - l : 2 o q f l 2 . . Q t ,
(ii) q; is prime for i : L, 2,...,t,
(iii) *G-t)/2
--l (modn),
and
(iv) r(/.-t)/L = I (mod n), for i : l, 2,...t,
we need to do I multiplications to check (i), t * 1 modular
check (iii) and (iv), and -f (q) multiplications and modular
check (ii), that q; is prime for i : I ,2,..., t. Hence.
fh):t*(r+t)+ifQ,)
,
t-'
( 2l + I + ) ((l togq;fiogD - 2)
:t*(fnogDtoeQflz...Q)
: Gflog2)log2qflz...q) - 2
( (3/og z)log(Z'qfl2. . . q) - 2
: 3(log ntog D - 2 .
Now each multiplicationrequiresO((logzil2) bit operationsand each
modularexponentiation
requiresO(logzd3) bit operations.Sincethe total
number of multiplications and modular exponentiationsneeded is
f h) : o (log2n), the total number of bit operations needed is
oKlogzn)(log2n)3)
: o((logzn)a). n
Theorem8.19 was discoveredby Pratt. He interpretedthe result as
showingthat everyprimehasa "succinct
certification
of primality."It should
be noted that Theorem8.19 cannot be used to find this short proof of
primality, for the factorizationof n - | and the primitive root x of n are
required.More information
on thissubjectmaybefoundin Lenstra[Zt].
Recently,an extremelyefficientprimality test has been developed
by
Adleman, Pomerance,
and Rumely. We will not describethe test here
because
it relieson concepts
not developed
in this book. We note,that to
exponentlatrons
to
exponentiationsto

8.5 Primality Tests Using Primitive Roots 267
determine whether an integer is prime using this test requires less than
(log2n;clog,logrlog,n
bit operations, where c is a constant. For instance, to
determine whether a too-digit integer is prime requiresjust 40 secondsand to
determinewhether a 200-digitintegeris prime requiresjust l0 minutes' Even
a 1000-digit integer may be checkedfor primality in a reasonableamount of
time, one week. Fo, more informationabout this test see[63] and [74].
8.5
l .
2.
a
J .
Problems
Show that
Show that
Show that
and
l0l is prime usingTheorem8.17with x :2'
257 rs prime usingCorollary 8.4 with x : 3'
if an integer x existssuch that
x2r:1 (mod F")
*'r-l* I (mod F,),
then the Fermat number Fn :2Y * I is prime.
4. Let n be a positive integer. Show that if the prime-power factorization of n - |
i s n - l : p i ' p i ' . . ' p i ' a n df o r 7 : 1 , 2 , . . . , / ,t h e r ee x i s t s
a n i n t e g e rx y s u c h
that
*|n-'t', * 1(modn)
x i - t = I ( m o d n ) ,
then n is prime.
Let n be a positiveinteger such that
n-l:mirni'
j-r
where m is a positive integer, ot, a2,..., ar Are poSitive integerS, and qt, Q2,...,Qr
are relatively prime integers greater than one. Furthermore, let br, b2,"', b, be
positive integers such that there exist integers xt, xz,"', x, with
and
5 .
and
x,!-r
--
I (mod n)

268
6'!'-t)/e'-l,n) : I
for;: 1,2,...,r, where everyprime factor of q; is greater
for ; : 1,2,...,
r, and
<(r+fiu?1,.
j-1
Showthat n is prime.
8.5 Computer
Projects
write programs
to showthat a positive
integern is primeusing
l. Theorem
8.17.
2. Corollary8.4.
3. Problem
4.
4. Problem5.
Primitive Roots
than or equal to b;
8.6 UniversalExponents
Let n be a positive integer with prime-power factori zation
, : p,p,i p,; .
If a isaninteger
relatively
primeto n, thenEuler's
theorem
tellsusthat
aAQ')= I (modpt)
wheneverpt is one of the prime powers occurring in the factorizatron of n
As in the proof of Theorem 8.12, let
u : l6Qi'),
07,il,...,
ob,;)l,
theleast
common
multiple
of theintegers
OQ! ), i : 1,2,...,
m. Since
ohhlu
for i : 1,2,...,n, usingTheorem8.1 we seethat
au = t(modp,1')
for i : 1,2,...,m. Hence,from Corollary 3.2, it followsthat

8.6 UniversalExPonents 269
aU = I (modn).
This leadsto the following definition.
Definition. A universal exponent of the positive
U such that
au = I (mod n),
for all integersa relatively prime to n.
integern is a Positive
integer
Example. Sincethe PrimePower
that u : lOQ3),O(:),d(52)l :
600.
From Euler's theorem, we know that d(n) is a universal exponent. As we
have already demonstrated,
the intege
r (J - IAQ),,0|'il,...,ybh)l is also a
universal exponent of n: p'ip'; p';. We are interested in finding the
smallest positiveuniversalexponentof n.
Definition. The least universal exponent of the positive integer n is called the
minimal universal exponent of n, and is denotedby I(n)'
We now find a formula for the minimal universal exponentl,(n), basedon
the prime-power factorization of n.
First, note that if n has a primitive root, then tr(n) - 6fu). Since powers
of odd primes possess
primitive roots, we know that
I(p') : 6(p'),
wheneverp is an odd prime and / is a positive integer. Similarly, we have
tr(2): b(2): I and tr(4): O(4):2, sinceboth 2 and 4 have primitive
roots. On the other hand, if t 2 3, then we know from Theorem 8.10 that
a2'-': 1(mod 2t)
and ord,a : 2'-2, so that we can concludethat X(2t) : zt-z 1f t > 3.
We have found tr(r) when n is a power of a prime. Next, we turn our
attention to arbitrary positive integers n '
Theorem 8.20. Let n be a positive integer with prime-power factorization
factorization of 600 is 23'3'52, it follows
12,2,201 : 20 is a universal exponentof

270
Primitive Roots
, : 2'"p'p'i
I
r m .
Then (n ), the minimal universarexponentof n, is givenby
tr(n
) : h(2'.)
, eb'r,),...,
Oe';)l,
Moreover, there exists an integer a such that ord,na: ), (r), the largest
possible
order of an integermodulon.
Proof. Let a be an integer with (a, n) : l. For convenience,
let
M - tr(zt)
, o(p'i),
o7'il,...,
Qbill .
Since M is divisible by all of the integers X(2/g, e(p'r,) : x(pl,),
6Q';l : ^(p';),..., QQil : xb'il, and since oxb'): t (moo p,) for all
prime-powersin the factorization of n, we seethat
aM = l (modp,),
wheneverp' is a prime-poweroccurring in the factorizationof n.
Consequently,
from Corollary 3.2, we can concludethat
aM = I (modn).
The last congruenceestablishes
the fact that M is a universal exponent.
We must now show that M is the least universal exponent. To do this, we
find an integera suchthat no positivepowersmallerthan the Mth powerof a
is congruentto I modulo n. With this in mind, let r; be a primitive root of
Pi
We considerthe systemof simultaneous
congruences
x = 3 ( m o d 2 " )
x j 1 1 ( m o d p l ' )
x : 12 (moap';)
r- (mod p';).
By the Chineseremaindertheorem,there is a simultaneous
solutiona of this
system which is unique modulo n : 2'"p'ip'i p';: we will show that

8.6 Universal
ExPonents 271
ordn a - M. To prove this claim, assume that .l{ is a positive integer such
that
a N = I ( m o d n ) .
Then, if pt is a prime-powerdivisorof n, we have
a N = 1 ( m o d p ' ) ,
so that
ordo,c | .lf.
But, sincea satisfieseachof lhe m * I congruences
of the system,we have
ordo,a: X(pt),
for each prime power in the factorization. Hence, from Theorem 8'1, we have
b,) |r{
for all prime powersp' in the factorization of n. Therefore, from Corollary
3.2.
weknowthat
M: [tr(2"),(p1'),
x(pti)
,...,xb';)l| /{'
Since aM = I (modn) and MIN whenever
aN = 1(modn), we can
concludethat
ordna : M.
This shows that M - (n) and simultaneouslyproducesa positive integer a
with ord,a : )r(n). tr
Example. Since the prime-powerfactorization of 180 is 2232'5,from Theorem
8.20 it follows that
x (180) : Io(22), o(32),d(5) | : 1.2,
6, 4l : 12.
To find an integer a with ordlsga : 12,first we find primitive roots modulo 32
and 5. For instance, we take 2 and 3 as primitive roots modulo 32 and 5,
respectively. Then, using the Chinese remainder theorem, we find a solution
of the systemof congruences
1=iiililil

272
Primitive Roots
obtaining a = 83 (mod 180). From the proof of Theorem g.20, we see that
ord1ss83
- 12.
Example. Let n :26325.7.13.17.19-37.73.
Then.we have
(n) : [x(26),
a(32),.d(5),
oOD, d(I9), o(37),
o(7rl
: [,24,
2.3, 22,24,2.32,2232,
23321
: 2 4 . 3 2
: 144.
Hence, whenever a is a positive integer relatively prime to
26'32'5'17'17'rg'37.73
we know that at44
: r (moo 26.32.5.17.rg.37.37.7r.
We now return to the Carmichael numbersthat we discussed
in Section 5.2.
Recall that a Carmichael number is a composite integer that satisfies
bn-r : I (mod n) for all positiveintegersD with (b, n) : r-. we provedthat
if rt : Q.r4z 4k, where Qv Q2,...,
e* are distinct primes satisfying
@i
-
1) | tn-l) for i : r,2,...,,k,ih.n i it u carmichaer number. Here, we
provethe converseof this result.
Theorem 8.21. rf n ) 2 is a carmichael number, then n : Qtez Qk,
yh.r-. ^the -
q;'s are distinct primes such that (qi - r)'l'(n-rl i;;
j : 1 , 2 , . . . ,
k .
Proof. If n is a Carmichael number, then
br-t : I (mod n)
for all positiveintegers6 with (b,n): l. Theorem8.20 tells us that there is
an integer a with ordna : X(n), where I(n) is the minimal universal
exponent,and sincean-r = I (mod re),Theoremg.l tells us that
r(n)l(n_l).
Now n must be odd, for if n was even,then n-l would be odd, but tr(n) is
even (sincen ) 2), contradictingthe fact that ),(n) | (r-l).
We now show that n must be the product of distinct primes. Supposer has
a prime-powerfactorpt with t>2. Then
r Q ' ) : 0 ( p ' ) : p t - t ( p - l ) | x ( n ) : n - t .
This implies that p | (n-l), which is impossiblesincep I n.Consequently,n
must be the product of distinct odd primes, say

8.6 UniversalExPonents 273
tt :
QtQz Qtc'
We conclude the proof by noting that
(qi) : O(q) : (qi-D I r(n) : n-l' E
We can easily prove more about the prime factorizations of Carmichael
numbers.
Theorem 8.22. A Carmichael number must have at least three different odd
prime factors.
proof. Let n be a carmichael number. Then n cannot have just one prime
factor, since it is composite, and is the product of distinct primes. So assume
that n : pq, wherep andq areodd primes with p>q' Then
n - l : p q - l : ( p - D q + Q - 1 ) = q - l + 0 ( m o dp - l ) '
which shows that (p-l) I (n-l) Hence, n cannot be a Carmichael number
if it hasjust two different prime factors. E
8.6 Problems
l. Find tr(n). the
il 100
b) r44
c) 222
d) 884
2. Findall
a ) l
02
c ) 3
3. Findthe largest
4. Find an integer
a) 12
b) ls
c) 20
minimal universal exponent of n, for the following values of n
e) 2n3t'52'7
f) 2s32'52'73'l
l2'13'17'19
e) 1o!
h) 20!.
positiveintegersn suchthat tr(n) is equalto
d ) 4
e ) 5
C I 6 .
integern with tr(z) : 12.
with the largestpossible
ordermodulo
d) 36
e) 40
f) 63.

274
Primitive Roots
Show that if m is a positiveinteger, then tr(rr) divides6fu) .
show that if m and n are rerativery prime positive integers, then
|r(mn) : [tr(re), tr(n)].
Let n be the largest positiveinteger satisfying the equation),(n) : a, where c is
a fixed positiveinteger. Show that if la is another solution of tr(z) : a,then m
dividesn.
Show that if n is a positive integer, then there are exactly d(I(n)) incongruent
integerswith maximal order modulo z.
Show that if a and m are relatively prime positive integers, then the solutions of
the congruence ax = b(mod m) are the integers x such that
x = at'(m)-tb(mod m ).
show that if c is a positive integer greater than one, then the integers
l' ,2' ,-.-,(m-l)' form_a complete systemof residuesmodulo m if and,
only if z
is square-freeand (c,tr(m)) : l.
a) Show that if c and m are positive integers then the congruence
x" = r (mod m) hasexactly
fI (l + (c-t, Obi))
j-l
incongruent solutions, where m has prime-power factorization
m : pi'pi, . .. p:..
b) Show that x' = x(mod z) has exactly 3, solutions if and only if
( c - 1 , 6 ( m ) ) : 2 .
Use problem l1 to show that there are always at least 9 plaintext messages
that
are not changedwhen encipheredusing an RSA cipher.
Show that there are no carmichael numbers of the form 3pq where p and q are
primes.
Find all carmichael numbers of the form 5pq where p and q are primes.
Show that there are only a finite number of carmichael numbers of the
fl : pqr, where p is a fixed prime, and q and r are also primes.
Show that the deciphering exponent d for an RSA cipher with enciphering
(e,n) can be taken to be an inverseof e modulo ),(n) .
l. Find the minimal universalexponentof a positiveinteger.
5.
6.
7.
8 .
9.
10.
l l .
12.
1 3 .
t4.
1 5 .
16.
form
key

8.7 Pseudo'Random
Numbers 275
2.
;j"O
""
integer with order modulo n equal to the minimal universalexponentof
3. Given a positive integer M, find all positive integers n with minimal universal
exponentequal to M.
4. Solve linear congruencesusing the method of problem 9'
8.7 Pseudo-Random
Numbers
Numbers chosen randomly are often useful in computer simulation of
complicated phenomena. To perform simulations, some method for generating
random numbers is needed. There are various mechanical means for
generating random numbers, but these are ineffficient for computer use'
Instead, a systematic method using computer arithmetic is preferable' One
such method, called the middte ' square method, introduced by Von
Neumann, works as follows. To generatefour-digit random numbers,we start
with an arbitrary four-digit number, say 6139. We square this number to
obtain 37687321',and *. tuk. the middle four digits 6873 as the second
random number. We iterate this procedure to obtain a sequenceof random
numbers,always squaring and removingthe middle four-digits to obtain a new
random number from the precedingone. (ttre square of a four-digit number
has eight or fewer digits. Those with fewer than eight digits are considered
eigtrt-digit numbersby adding initial digits of 0')
Sequences produced by the middle-square method are' in reality, not
randomly chosen. When the initial four-digit number is known, the entire
,"qu.n.. is determined. However, the sequenceof numbers produced appears
to be random, and the numbers producedare useful for computer simulations.
The integersin sequences
that have been chosenin some methodical manner,
but appearto be random, are calledpseudo-random numbers.
It turns out that the nriddle-square method has some unfortunate
weaknesses.The most undesirable feature of this method is that, for many
choices of the initial integer, the method produces the same small set of
numbersover and over. For instance,starting with the four-digit integer 4100
and using the middle-square method, we obtain the sequence
8100,6100,2100,4100,8100,6100,2100,... which only givesfour different
numbersbefore rePeating.
The most commonly used method for generatingpseudo-randomnumbers is
called the linear congruential method which works as follows. A set of
integerst/t, e, c, and xs is chosenso that m ) 0, 2 < a 4' m, 0 < c 4 m'
and 0 ( xo ( z. The sequence of pseudo-random numbers is defined

276
Primitive Roots
recursively
by
xn+r 3 axn * c (mod m), 0 ( xr+r 1 r/t,
for ft :0, 1,2,3 ,.... We call m the modulus, a the multiplier, c the
increment, and xs the seed of the pseudo-randomnumber generator. The
following examplesillustrate the lineai congruentialmethod.
E x a m p l e . W i t h m : 1 2 , a - 3 , c : 4 , a n d r 0 : 5 , w e o b t a i n
xt E 3'5 + 4=7 (mod 12),so that xr: j. Similarly,
we find that x2: 1,
s i n c ex z = 3 . 7 + 4 : I ( m o d I 2 ) , x 3 : 7 , s i n c e x : E 3 . 1+ 4 = 7 ( m o dl 2 ) ,
and so on' Hence, the generator producesjust three different integers before
repeating. The sequence of pseudo-iandom numbers obtained is
5 , 7 , I , 7 , 1 , 7 , 1 , . . . .
With frt : 9, e : '1,
c : 4, and x0 : 3, we obtain the sequence
3, 7, 8, 6, l, 2, 0, 4, 5,3,... . This sequencecontains g different numbers
beforerepeating.
The following theorem tells us how to find the terms of a sequenceof
pseudo-randomnumbers generatedby the linear congruential method directly
from the multiplier, the increment,and the seed.
Theorem 8.24. The terms of the sequence generated by the linear
congruentialmethod previouslydescribedare given by
akxo+ c(ak-l) /(a-l) (modla), 0 ( xr 1 m.
Proof. We prove this result using mathematical induction. For k : l, the
formula is obviously true, since rr E axs* c (modm),0 ( xr 1m.
Assumethat the formula is valid for the ftth term. so that
x* z akxo + c(ak-l)/b_l) (modt?t), 0 ( xr I m.
xk+t * c ( m o d z ) , 0 ( x r + r 1 t / t ,
we have
xr+r s a(akxs+ c(ak-l)/fu-l)) + c
= a k + t x o* c ( a G k - l ) / G - t ) + t
= ak+lxo* c(ak+r-D/G-D (modz),
which is the correct formula for the (k+t)ttr term. This demonstratesthat
the formula is correct for all positiveintegersk. tr
X1,

8.7 Pseudo-Random
Numbers 277
The period length of a linear-congruential pseudo-randomnumber generator
is the maximum length of the sequenceobtained without repetition. We note
that the longest possibleperiod length for a linear congruential generator is
the modulus m. The following theorem tells us when this maximum length is
obtained.
Theorem 8.25. The linear congruential
period length m if and only if (c, m) :
dividing m, and a = | (mod 4) if a | ^.
generator produces a sequenceof
l, a = 1 (mod p) for all primes p
Becausethe proof of Theorem 8.25 is complicated and quite lengthy we
omit it. For the proof, the reader is referred to Knuth t561.
The case of the linear congruential generator with c : 0 is of special
interest becauseof its simplicity. In this case,the method is called the pure
multiplicative congruential method. We specify the modulus la, multiplier a,
and seedxs. The sequenceof pseudo-randomnumbers is defined recursively
by
xnal - axo (mod m), 0 1 xn+t 1 m.
In general,we can expressthe pseudo-randomnumbers generatedin terms of
the multiplier and seed:
xn
---
a'xo (mod m), 0 1 xn+t 1 m.
If { is the period length of the sequenceobtained using this pure multiplicative
generator,then f is the smallestpositiveinteger such that
xs:- a[xs (mod la).
If (xo,m) : l, usingCorollary 3.1,we have
o I = 1 ( m o d z ) .
From this congruence,we know that the largestpossibleperiod length is tr(lrr),
where X(rz) is the minimal universalexponentmodulo z.
For many applications,the pure multiplicative generator is used with the
modulusm equalto the Mersenneprime M3r:23r - l. When the modulus
m is a prime, the maximum period length is rn-1, and this is obtained when
a is a primitive root of rn. To find a primitive root of M 31that can be used
with good results,we frrst demonstratethat 7 is a primitive root of M t.
Proposition 8.1. The integer7 is a primitive root of M31:23r-1.

Proof. To showthat 7
showthat
278
is a primitive root of M31- )31
,wt'-Dh 1y (modMt)
for all prime divisors q of Mt-r. with this information,
that ord2r,,7: My-|. To find the factorizationof M31_1,
PrimitiveRoots
it is sufficientto
we can
we note
conclude
that
My-l : 231
- 2: 2(230-l) : 2(215-t)(Zl5+t)
: z(zs-t)(2to+2s+t)
(zs+t
)(210-zs+t)
: 2.32-7.1
1.3
l.I51.33
1.
If we showthat
,(Mrr_t)/q q-
f o r q : 2 , 3 , 7 , I l , 3 1 ,l 5 l , a n d 3 3 1 ,
of M31- 214748364j. Since
I (mod M y)
then we know that 7 is a primitive root
I (mod M y)
1(mod M t)
1(mod M t)
I (mod M y)
I (mod M y)
1(mod M z)
I (mod M y)
we seethat 7 is a primitive root of M31. E
In practice' we do not want to use the primitive root 7 as the generator,
since the first few integers generated are imall. Instead, we find a larger
primitive root using Corollary 8.2. We take a power of 7 where the exponent
is relativelyprime_
to M3;r. For instance,since (s, Mrr-1): l, corollary
8.2 tellsus that 75:16807 is alsoa primitiveroot. since (l3,Mrr- l) : l,
another possibilityis to use 7t3 : 2s22462g2(mod Mt) as the multiplier.
We havely touched briefly on the important subject of pseudo-random
numbers' For a thorough discussion of the generation and statistical
propertiesof pseudo-randomnumbersseeKnuth tset.
7{Mil-t)/2
7(Mrrt)13
7(M-Dn
7(Mr
t)/rr
7(Mrfr)/3r
7(M,t-r)/rsl
7(Mrft)/33r
2147483646
+
rsr347773s
+
12053628s
+
1969212174
+
st2+
s35044134
+
176188s083
+
8.7 Problems
l Find the sequenceof
middle-squaremethod,
two-digit pseudo-random numbers generated using the
taking 69 as the seed.

8.7 Pseudo-RandomNumbers 279
Find the first ten terms of the sequenceof pseudo-randomnumbers generated by
the linear congruential method with x0 : 6 and xn+rz 5x, * 2 (mod 19)'
What is the period length of this generator?
Find the period length of the sequenceof pseudo-random numbers generated by
the linear congruential method with x6 :2 and xn+t 7 4xn * 7 (mod 25)'
Show that if either a : 0 or a - I is used for the multiplier in the generationof
pseudo-random numbers by the linear congruential method, the resulting
."qu.n"" would not be a good choice for a sequenceof pseudo-randomnumbers'
Using Theorem 8.25, find those integers a which give period length .m,
where
(r, i) : l, for the linear congruential generator xnal
-:axn
I c (mod m),
where
2.
3 .
4.
5 .
6. Show that every linear congruential pseudo-random number generator can be
simply expressedin terms of a linear congruential generator with increment
c : 1 and seed0, by showing that the terms generated by the linear congruential
generator xn+r7 axn * c (mod lrt), with seed xe, can be expressedas xn =
6 y, + xo (mod m), where b :- (a-1) xo * c (mod m), yo:0' and ln+t ?
a l n * I ( m o d l n ) .
Find the period length of the pure multiplicative pseudo-random number
generatorxn Z cxn-r (mod 231-l) when the multiplier c is equal to
a ) m : 1 0 0 0
b) nr - 30030
a)z
b)3
c) m : 106-l
d) m :225-1.
7.
c) 4 e) 13.
d)s
8 .
9.
Show that the maximal possibleperiod length for a pure multiplicative generator
of the form xnal
-3
QXn (mod 2"), e 2 3, is 2'-2. Show that this is obtained
when a
-:
t3 (mod 8).
Another way to generate pseudo-random numbers is to use the
Fibonacci generator. Let m be a positiveinteger. Two initial integersx6 and x1
less than m are specifiedand the rest of the sequenceis generated recursively by
the congruolce.r2al :- xn * xn-1 (mod rn), 0 ( xn+r 1 m'
Find the first eight pseudo-random numbers generated by the Fibonacci
generator
with modulusn : 3l and initial valuesx0: I and xt:24.
Find a good choice for the multiplier a in the pure multiplicative pseudo-random
number generator xn+rZ axn (mod l0l). (Hint: Find a primitive root of 101
that is not too small.)
Find a good choice for the multiplier c in the pure multiplicative pseudo-random
number generator xn i axn-r (mod 22s-1). (Hint: Find a primitive root of
10.
l l .

280 PrimitiveRoots
225-l and then take an appropriate power of this root.)
12. Find the multiplier a and increment c of the linear congruential pseudo-random
number generator xn+rt axn * c (mod 1003), 0 ( xn+r < 1003, if xs: l,
x 2 : 4 O 2 , a n dx 3 : 3 6 1 .
13. Find the multiplier a of the pure multiplicative pseudo-random number
generator xnal- QXn (mod 1'000), 0 ( xn11 < 1000, if 313 and 145 are
consecutiveterms generated.
Write programsto generatepseudo-randomnumbersusing the following generators:
l. The middle-sequence
generator.
2. The linear congruentialgenerator.
3. The pure multiplicative generator.
4. The Fibonacci generator (seeproblem 9).
8.8 An Application to the Splicing of TelephoneCables
An interestingapplication of the precedingmaterial involvesthe splicing of
telephonecables. We base our discussionon the expositionof Ore [28], who
relates the contentsof an original article by Lawther [70], reporting on work
done for the SouthwesternBell TelephoneCompany.
To developthe application, we first make the following definition.
Definition. Let m be a positiveinteger and let a be an integer relatively prime
to m. The + I - exponent of a modulo ru is the smallestpositiveinteger x
such that
+ I (mod rn).
We are interestedin determining the largest possible+ 1 - exponentof an
integer modulo m; we denote this by },s(rn). The following two theorems
relate the value of the maximal + I - exponenttrs(z) to }.(m), the minimal
universalexponentmodulo rz.
First, we considerpositiveintegersthat possess
primitive roots.
Theorem 8.26. lf m isa positiveinteger,m ) 2, with aprimitive root, then
the maximal *l - exponenttrs(rn
) equals0@) / 2: )r@) / 2.
e t

8.8 An Applicationto the Splicingof TelephoneCables 281
Proof. We first note that if m has a primitive root, then (z) : 6(m).
From problem 5 of Section6.1, we know that g(m) is even,so that 0@) I Z
is an integer, if m ) 2. Euler's Theorem tells us that
ootu) :1oatu) lzlz -
I (mod lz),
for all integersa with (a,m) : 1. From problem 7 of Section8.3, we know
that when m has a primitive root, the only solutionsof x2 = I (mod m) are
x = - t l ( m o d r u ) . H e n c e ,
s f h ) l 2 : t | ( m o dz ) .
This implies that
s(r,)(d(z)lz.
Now let r be a primitive root of modulo m with f I - exponent e. Then
re = t | (mod la),
so that
r 2 ' = 1 ( m o d z ) .
Since ord^r : 6(m), Theorem 8.1 tells us that 6fu) | 2e, or equivalently,
that (6(m) /D I e. Hence, the maximum +l - exponentL6(z) is at least
Q@) / Z. However, we know that l(rn ) 4 6fu) /2. Consequently,
l,s(rzr):
6fu) /2:fu) /2. tr
We now will find the maximal + I - exponentof integerswithout primitive
roots.
Theorem 8.27. lf m is a positive integer withciut a primitive root, then the
maximal +1 - exponent6(rn) equalsI(m), the minimal universal exponent
o f m .
Proof. We first show that if a is an integer of order )t(m) modulo z with + I
- exponente such that
ottu)/2# _t (mod z),
then e : X(z). Consequently,once we have found such an integer a, we will
have shownthat ),q(tn) : tr(lz).
Assume that a is an integer of order xfu) modulo m with + I - exponente
such that

282 PrimitiveRoots
o)'tu)/2# -r (mod ru).
Since o" = + I (mod rn), it follows that az, = I (mod z). From
Theorem8.1, we know that >rfu) l2e. since x@) l2e and e ( (z),
either e:t(m)/2 or e:x(m). To see that er,(m)/2, note that
ae :- +1 (mod ln), but o),@)/2
* I (mod rn), since ord^o:(m), and
o>'(-)/z# -t (mod z) , by hypothesis. Therefore, we can conclude that if
ord. a : )r(m), a has +l - exponent e, and a, = _l (mod z), then
e : h,(m).
We now find an integer a with the desiredproperties. Let the prime-power
factorization of m be m - 2'op'r' p'; . . . p'r'. we consider severalcases.
We first consider those rn with at least two different odd prime factors.
Among the prime-powersp!' diriding ffi,, let pl be one with the smallest power
of 2 dividi"g Obh. Let ri be a primitive root of p',,for i: 1,2,...,s. Let a
be an integer satisfyingthe simultaneouscongruences
Q : 5 (mod 2')
(mod pj') for all i with i # j
(moa
p!).
Such an integer a is guaranteedto exist by the
Note that
ord.a: [I(2tg
, Ob','),...,
Oe!)
and, by
,(m).
,!(P'j' -
' l
our choice we know that this
(mod
p!),
/ 2,...,6Qb1,
least common multiple equals
know that otb/) /' =
a l r i
)
o-ri
^ ,.
or pl,
)
e : r j - we
remainder theorem.
where
When
I (modp!). Because
Oeh / z I x@) / z,weknow
that
It(d /2 - t (mod
p!),
so that
otr(*)/'
* -t (mod rn).
Consequently,
the + I - exponentof a is I(z).
The next casewe considerdealswith integersof the form rn - 2toott
p is an odd prime,tr2l and to) 2, sincem hasno primitiveroots.
to: 2 or 3, we have

8.8 An Application to the splicing of Telephone Gables 283
x(,n)
:12,eQ')l
: dQi').
Let.a be a solutionof the simultaneouscongruences
a = l ( m o d 4 )
a t r (mod p'i),
where r is a primitive root of p'1'. We seethat ord- a : lr(m) ' Because
ox@)/2 -
1 (mod 4),
we know that
ox(n)
/2 + _l(mod ru).
Consequently,
the +1 - exponentof a is f (z)'
When ts 2 ,,let a be a solutionof the simultaneous
congruences
a = 3 ( m o d 2 t ' )
a
-:
r (mod p'il;
the Chinese remainder theorem tells us that such an integer exists. We see
that
ord-
"
: ^::,:;
,:':',i :i:':';:,*ll;:'l
',::';, ""n"'
Thus,
ox('.'.)
/2 + _t (modrc),
sothat the 1l - exponent
of a is tr(rn
).
Finally,when m:2'o with ts2 3, from Theorem
8.tl we know that
ord-5 : X(na),
but
5r(nr)
/2 = 152)0(m)
/4 - 1 (mod8).
Therefore,
we seethat
5r(m
) /, + _1 (modru);
we concludethat the +1 - exponentof 5 is l(lz)'
This finishesthe argument sincewe have dealt with all caseswhere m
not have a primitive root. tr

284 PrimitiveRoots
We now develop a system for splicing telephonecables. Telephonecables
are made up of concentric layers of insulated copper wire, as illustrated in
Figure 8.1, and are producedin sectionsof specifiedlength.
Figure8.1. A cross-section
of onelayerof a telephone
cable.
Telephonelines are constructedby splicing together sectionsof cable. When
two wires are adjacent in the same layer in multiple sectionsof the cable,
there are often problems with interferenceand crosstalk. Consequently,two
wires adjacent in the same layer in one sectionshould not be adjacent in the
same layer in any nearby sections. For practical purpose,the splicing system
should be simple. We use the following rules to describethe system. Wires in
concentric layers are spliced to wires in the corresponding layers of the next
section, following identical splicing direction at each connection. In a layer
with m wires, we connect the wire in position j in one section, where
I < i ( rn to the wire in positionS(j) in the next section,where S(i) is the
least positive residueof I + (j-l)s modulo m. Here, s is called the spread
of the splicing system. We seethat when a wire in one sectionis splicedto a
wire in the next section,the adjacent wire in the first sectionis splicedto the
wire in the next sectionin the position obtained by counting forward s modulo
m from the position of the last wire splicedin this section. To have a one-to-
one correspondencebetween wires of adjacent sections,we require that the
spread s be relatively prime to the number of wires z. This shows that if
wires in positions j and k are sent to the same wire in the next section, then
.S(j) : S (k) and

8.8 An Applicationto the Splicingof TelephoneCables 285
I + (j-l)s : I + (k-l)s (modz),
so that js = ks (mod m ). Since (m, s) : l, from Corollary 3.1 we seethat
j = k (mod z ), which is imPossible.
I *l
4-7
7 -4
This is illustratedin figure8.2.
Example. Let us connect 9 wires with
correspondence
2-3
5*9
8*6
a spreadof 2. We have the
3*5
6-2
9-8.
Figure8.2. Splicingof 9 wireswith spreadof 2.
The following proposition tells us the correspondence
of wires in the first
sectionof cable to the wires in the nth section.
Proposition 8.2. Let S'(7) denotethe position of the wire in the nth section
splicedto the 7th wire of the first section. Then
.S'(j) = I + (7-l)s'-r (modz).
Proof. For n : 2, by the rules for the splicing system,we have
s2(j) : I + (r-l)s (mod rn),
so the propositionis true for n : 2. Now assumethat
S'(j) : I + (7-1)sn-r (modla).
the next section,we have the wire in position S'(7) spliced to the
Then,

286
PrimitiveRoots
wirein position
gn+r(r) = I + (,Sr(,r)-t),
=li f1;i)',*
dm)
This showsthat the propositionis true. D
In a splicing system, we want to have wires adjacent in one section
separated as long as possible in the following sections. After n splices,
Proposition8.2 tells us that the adjacentwires in the 7th and j+l th positions
are connected to wires in positions Sr(j) = I + (7_l)s, (mod rn) and
,s'(j+l): I t jsn (mod m), respectively.These wiies are adjacent in the
nth sectionif, and only if,
.S'(i) - S'in(i+t) : r | (modm).
or equivalently,
(t + (j-l)s') - (l+7sn) = + I (modln),
which holdsif and onlv if
s n : t l ( m o d m ) .
We can now apply the material at the beginning of this section. To keep
adjacent wires in the first sectionseparatedas long as possible,we should pick
for the spreads an integerwith maiimar + l - .^ponrnt o(n).
Example. with 100 wires, we should choosea spread s so that the f I
exponentof s is ro(too) : ^,(100): 20. The appropriatecomputationssho-
that s : 3 is such a spread.
8.8 Problems
l. Find the maximal t I - exponentof
a)
b)
c)
t7
22
24
d) 36
e) 99
f) 100.
2. Find an integer with maximal * I - exponentmodulo
il 13 il2s

8.8 An Application to the Splicing of Telephone Cables 287
e)
f)
b) 14
c) t5
36
60.
3. Devisea splicing schemefor telephonecablescontaining
a) 50 wires b) 76 wires c) 125 wires.
4. Show that using any splicing system of telephonecableswith ln wires arranged
in a concentric layer, adjacent wires in one section can be kept separatedin at
most [ @-l) / 2] successive
sectionsof cable. Show that when lz is prime this
upper limit is achievedusing the systemdevelopedin this section.
1. Findmaximal tl -exPonents.
2. Developa schemefor splicing telephonecablesas describedin this section.

QuadraticResidues
9.1 Quadratic Residues
Let p be an odd prime and
chapter, we devoteour attention
p? We beginwith a definition.
a an integer relatively prime to p. In this
to the question:Is a a perfect squaremodulo
Definition. If m is a positive integer, we say that the integer a is a
quadratic residue of m if (a,/k) : I and the ctngruence ,, = a (mod m)
has a solution. If the congruen
ce x2 = a (moa d has no solution, we say
that a is a quadratic nonresidue of m.
Example. To determine which integers are quadratic residues of I l, we
compute the squares of the ^ integers r,2, 3,...,r0. we find that
12:102: t (mod
tt), 22= 92: it,noO-iii,
'
32: g2- 9 (mod
ll),
42: '12:5 (mod
ll), and 52: 62= t frnoJ
rrl. Hence,
thequadratic
residuesof I I are I, 3, 4, 5, and 9; the integers 2, 6,7, g, and 10 are
quadraticnonresidues
of I l.
Note that the quadratic residuesof the positive integer m arejust the ftth
power residuesof m with /<:2, as definedin Section 8.4. We will show that if
p is an odd prime, then there are exactly as many quadratic residues as
quadratic nonresidues
of p among the integlrs r,2,...,p - r. To demonstrate
this fact, we usethe following lemma.
Lemma 9.1. Let p be an odd prime and a
Then, the congruence
an integer not divisible by p.
288

9.1 QuadraticResidues 289
x 2 = a ( m o d p )
has either no solutionsor exactly two incongruentsolutionsmodulop.
Proof. lf x2 : c (mod p) has a solution, say x : xo, then we can easily
demonstrate that x : -r0 is a second incongruent solution. Since
(-xo)': *& = c (modp), we see that -xs is a solution. We note that
xo # -xs (modp), for if xo E
2xo:0 (modp). This is imPossible
x& = a (modp)
and
p tra).
To show that there are no more than two
x : xo and x : xt are both solutions of
x& = x? = a (madp), so that x& - x?
H e n c e , p l ( x s + x 1 ) o r p l ( x o - x r ) ,
xr E xe (modp). Therefore,if there is a
are exactly two incongruentsolutions. tr
This leadsus to the following theorem.
Definition. Let p
Legendre symbol
f,l
IrJ
-xs (modp), then we have
since p is odd and p trxo (since
incongruentsolutions,assumethat
x2 = a (modp). Then, we have
: (xo*x r) (xo-x r) = 0 (modp).
so that x |
:- -xe (mod P) or
solutionof x2 = a (mod p), there
Theorem 9.1. If p is an odd prime, then there are exactly Q-l)12 quadratic
residuesof p and Q-l) /2 quadratic nonresiduesof p among the integers
1 , 2 , ' . ' , p- l '
Proof. To find all the quadratic residuesof p among the integers 1,2,...,p-l
we compute the least positiveresiduesmodulo p of the squaresof the integers
1,2,...,p - l. Since there are p - | squares to consider and since each
congruencex2: c (modp) has either zero or two solutions,there must be
exactly Q-D/2 quadraticresiduesof p amongthe integers1,2,...,p-1. The
remaining p-l - (p-l)/z- Q-l)lZ positive integers less than p-l are
quadratic nonresidues
of p. tr
The special notation associatedwith quadratic residuesis describedin the
following definition.
b e a
frl
L'J
_{
l.
n odd prime and a an integer not divisible by p. The
is defined by
I if a is a quadratic residue of p
-l if a is a quadratic nonresidueof p.
Example. The previousexampleshowsthat the Legendre
symt
I o I
'ors
Itt ,J'

290
Q : l ,
Proof. First, assumethat
hasa solution,sayx : ro.
ob-r)/2 -
Hence,if
lal :fgl :f'l-f'l-f'ol ,
[,',l-[u,J:[" ,l:l" ,J:l" ,l
:-r
we now presenta criterion for deciding whether an integer is a quadratic
residueof a prime. This criterion is useful in demonstratingpropertiesof the
Legendresymbol.
Euler's criterion' Let p be an odd prime and let a be a positive integer not
divisibleby p. Then
r I
lgl= ob-D/27^odp).
lp )
QuadraticResidues
[+]
:[#]
:'
rl
l* |
: t Then,
thecongruence
x2 : a (mod
p)
lp )
UsingFermat'slittle theorem,
weseethat
Gl1<n-rtt':*B-t = t(modp).
know that -
ob-t)/2(modp).
2,...,10,havethe followingvalues:
lrl :lrl :fol-
[",l-[,,l:[,J:
Now consider the case where
l* I
: - t Then, the congruence
x.2= a (modp) hasno solutions.o-i?{.orem 3.7,for eachinteger
i such
that I S t < p-1, thereis a uniqueinteger
7 with I < j ( p_1, suchthat
ii - c(modp). Furthermore,
sin-ce
theioniruence*i L otiroo pl hasno
solutions,
we know thati * j. Thus,*.."i groupthe integers
r,Z,...,p-l
i.nto(r -l) /2 pairseachwith productc. Multipiyingthesepairstogether,
we
findthat
(p-l)t = ah-t)/21-odp).
Wilson'stheoremtellsus that (p-l)t = _l (modp), we seethat
-l = ob-t)/2(modp).

9.1 Quadratic Residues
and
Hence.
[a) = GDe-t)/2
(mod
p).
Ip )
- o$-t)/z6b-r)/z
: (ab1e-t)/z
: ltl (mod
p).
lp )
291
In this case,we also have |,"]
-
o$-t)/2(modp). D
l.pJ
Example. Lel p :23 and c :5. Since5ll : -l (mod 23), Euler'scriterion
rs'l
rellsus that
l;l
: -1. Hence,5 is a quadraticnonresidue
of 23.
We now prove somepropertiesof the Legendresymbol.
Theorem 9.2. ilet p be an odd prime and a and b integersnot divisible by p .
Then
(i) ir a =D (mod
p),then
[;]
:
t;]
(ii) ["] fbI-f4)
lp)lp) Lp )
(iii) f4l :,
Ip )
Proof of 0. lf a = D (modp), then x2=a (modp)
ltut.,u
solutionif and
onlyif x2= b (mod
p) hasa solution.
Hence,
l* I
:
l+ |
lp ) lp )
Proof of (iil. By Euler's criterion, we know that
fal = o(o-r)/z
(mod
p), Iql = 6b-D/z
(mod
p),
l . p J - -
' ^ ! v s r l '
V ) - "
Sincethe only possible
valuesof a Legendresymbolare * I, we concludethat

292
QuadraticResidues
[;]
itl:l+)
Proof
of Gii).sincef:l : *r , from
part(ii)it follows
that
lp )
lor) r-lr )
l,): tflt?):,tr
Part (ii) of Theorem 9.2 has the following interestingconsequence.The
product of two quadratic residues,or of two quadratic nonresidues,
of a prime
is a quadratic residue of that prime, whereas the product of a quadratic
residueand a quadratic nonresidueis a quadratic nonresidue.
using Euler's criterion, we can classify those primes having _ l as a
quadraticresidue.
Theorem 9.3. If p is an odd prime, then
r)(
l-rl Jrif p: l(mod4)
l - , : I
f p J t-r if p --l (mod4).
Proof. By Euler'scriterion,weknowthat
[ -' ]
I
'
| = (-1)(r-t)/21-odp).
[r )
If p : I (mod 4), thenp :4k * I for someintegerft. Thus,
(1){o-Dtz: (_l)2k : l,
r)
sothatl+f
: r. rf p = 3 (mod4),
then
p:4k*3 forsome
integer
fr.
lp )
Thus.
1-9{o-D/t: (-l)zk+t - -1.
(-, l
s o t h a t |
^
| = - t . t r
Lp )
The following elegant result of Gauss provides another criterion to
determine whether an integer a relatively prime to the prime p is a quadratic
residueof p.

Gauss'
is the
Q , 2 A ,
Irl
l - l =
lp )
9,1 Quadratic Residues 293
Lemma. LeI p be an odd prime and a an integer with (a,p) : l. Ii s
number of least positive residues modulop of the integers
3e,...,((p-D/Da that are greater thanp/2, then the Legendresymbol
= ( - l ) ' .
proof. Let u1, u2,...,1ts
represent the least positive residuesof the integers
a, 2a, 3o,...,((p-D /Da that are greaterthanp /2, and let v1,v2,...,v;
be the
least positive residues of these integers that are less than p 12. Since
Qa,p): I forall 7 with t (,r ( b-l)/2, allof theseleastpositiveresidues
arein theset 1,2,...,P
- l.
We will show that p-ut, P-u2,..., P-ur, v1,v2,.'.,v1
comprisethe set of
integers 1,2,...,(p-D/2, in some order. To demonstratethis, it sufficesto
show that no two of these integers are congruent modulo p, since there are
exactly Q-l)/2 numbersin the set,and all are positiveintegersnot exceeding
(p-D/2.
It is clear that no two of the ai's are congruentmodulop and that no two
of the v;'s are congruentmodulop;if a congruence
of eitherof thesetwo sorts
held, wb would have ma z na (mod p) where m and n are both positive
integers not exceeding Q-D12. Since p tra, this implies that
7n - n (mod p) which is impossible.
In addition, one of the integersP
-
4 cannot be congruent to a, vit for if
such a congruenceheld, we would have ma 3 p - na (modp), so that
l )
so
ma t -na (modil. Sincep tra, this impliesthat m
-- -n (modp) . This
is impossible
because
bothm andn arein thesetl, 2,...,(p-l)/2.
Now that we know that
integersl, 2,...,(p-l) 12,in
(P-')(P-uz) ' '
p - Ul, P
- 112,...'P- Ur, Vl, V2,,..., Vt afe the
someorder. we concludethat
(p-u)v 1v2 vt :- (mod p ),
t+l
which impliesthat
(e.l
) ( - t ) ' u l t z ' u r v 1 v 2 vt (modp ).
[n:i,
f z )
BUt, sinCe ll1, ll2,...rlls,vl, VZ,...rvt are
a,2a,...,((p-t)/Da, we also know that
the least positive residues of

294
@.2)
Quadratic
Residues
utuz' Lt,vtv2-..vt
z a.2a...1+1"
lz )
p - r ( )
: oT l+lr (moo
p).
l.- )
Hence,from (9.1) and (9.2),we seethat
p - t ( I r l
(-r)'a
'
lf lr= l+lr(moap).
l L j l t )
Because
(p,((p-D/DD: l, thiscongruence
implies
that
(-t),a+:l (modp).
By multiplying both sidesby (-l)', we obtain
p-l
a 2 : ( - t ) ' ( m o d p ) .
Since Euler's criterion tells
establishing
Gauss
p-tr)
usthata 2 :
lil (mod
p),itfollowsthar
lp )
r)
l* | = (-l)' (mod
p),
tp )
tr
Exampte.
Let o:5 andp: ll. To find t+l by Gauss.
lemma,
we
compute
the leastpositive
residues
of r.5,2.5:llslo s,and5.5. These
are
5, 10,4,9, and 3, respectively.Since.,exactlytwo of these are greater than
ll/2,Gauss'lemma
tells
usrhatl+ | : (-l)2: l.
l r r J
Using Gauss' lemma, we can characterizeall primes that have 2 as a
quadraticresidue.
Theorem 9.4. If p is an odd prime, then
r )
lZl:(-1)g,-rvs.
[p J

9.1 Quadratic Residues 29s
Hence, 2 is a quadratic residue
quadratic nonresidueof all primesp
all primes p : + I (mod 8) and a
+ 3 (mod 8).
Proaf. FromGauss'lemma,we knowthat if s is the numberof leastpositive
residues
of the integers
r)
1.2,
2.2,
3.2,
...,
l+1.'
- )
rl
thataregreater
than
pl2,then l+ |
: (-l)'. Since
allthese
integers
areless
lp )
than p, we only need to count those greater than p /2 to find how many have
leastpositiveresiduegreater than p /2.
The integer2j, where I ( 7 ( b-l)/z, is lessthan pl2when i 4 pla.
Hence, there are Ip/41 integers in the set less than p /2. Consequently,there
n - l
are s
L
that
of
To prove the theorem,
: I (mod 2).
Nowconsider
+ - b /ql. rf p
l '
integer k and
: (-D+-tP/al
we must show that
+ - el = {p'-1)/8
(mod
2).
2
'4-
To establish this, we need to consider the congruenceclass of p modulo 8,
since, as we will see,both sidesof the above congruencedependonly on the
congruenceclassof p modulo 8.
We firstconsider
b'-l)/5. If p = +l(mod 8), thenp:8k +l whereft
is an integer,so that
(p'-l)/8 - ((sk+t)2-t)/8: G+k2+r6k)/8:8k2+ 2k:0 (mod2).
If p : + 3 (mod 8), thenP : 8k + 3 wherek is an integer,so that
(p'-l)/8 : ((st + iz-D/s: (64k2+ 48k + 8)/8 :8k2 + 6k +l
for some
I (mod8),thenp :8k + |

296
QuadraticResidues
l f p
ifp
d
2
- -tp/+l:4k -lztc + t/41
:2k = 0 (mod
2);
if p :3 (mod 8), thenp : gk * 3 for someintegerk, and
+
-b/ql : 4k+ I - t2*+ 3/41
: 2k+l = I (mod
2);
= 5 (mod 8), thenp : Bk f 5 for someintegerk, and
n - l
T
-tp/ql : 4k + 2 - [ztc+ S/4]: 2k +l = I (mod
2);
= 7 (mod 8), then p : Bk * 7 for someintegerk, and
n - l
T
- lp/ql:4k + 3 - Izn + 7/41
:2k + 2 = 0 (mod
2).
Hence,
(Z) : 1-1y(r,-r)/8
.
p
Fromthecomputations
of thecongruence
class
of (pz_l)/g
that l3l:l if p:+l(mod8), while
lp )
p = r 3 (mod8). tr
Example.FromTheorem
9.4,weseethat
[+]
:[+]
-[*):[+]
:,
Comparing the congruenceclassesmodulo Z of
*
- Ip /41 and (pz-D /A
for the four possiblecongruenceclassesof the odd irime p modulo g, we see
that we alwavs nar"
*
-
b/ql = {pr-1)/8 (mod 2).
,(mod
2), we see
l?):
-, if
while
f+l
:f+l:fal:fzl :
[3J [sJ It'.l Ir,l-
We now presentan exampleto show how to
(".l
I
L
l : _ . 1
[2eJ
Legendresymbols.
Theorem9.2 to obtain
[+]
:
evaluate
Exampte.
To evaluate
f+1, we usepart(i) of
Iu )'

lvt
|."
9.1 Quadratic Residues 297
lg
:
L'
To evaluate
In the next section, we state and prove a theorem of fundamental
importance for the evaluation of Legendre symbols. This theorem is called
the law of quadratic reciProcitY.
The differencein the length of time neededto find primes and to factor is
the basisof the RSA cipher discussed
in Chapter 7. This differenceis alsothe
basisof a method to "flip coins" electronicallythat was inventedby Blum [821.
Resultsabout quadratic residuesare usedto developthis method.
SupposeIhat n : pq, where p and q are distinct odd primes and suppose
that the congruence
x2 = a (modn), O 1a 1tt, has a solutionx : x0.
We show that there are exactly four incongruent solutionsmodulo n. To see
t h i s , l e t x o E x l ( m o d p ) , 0 ( x t 1 p , a n d l e t x o E x 2 ( m o d q ) ,
0 ( x2 < q. Then the congruence x2 = a (mod p) has exactly two
incongruentsolutions,namely x z x' (modp)
'and
x = P
-x1 (modp).
Similarly the congruence x2 : c (mod g) has exactly two incongruent
solutions,
namelyx 2 xz (mod q) andx = Q
- x2 (mod g).
From the Chinese remainder theorem, there are exactly four incongruent
solutionsof the congruencex2 = a (mod n) ; thesefour incongruentsolutions
are the unique solutions modulo pq of the four sets of simultaneous
congruences
r t 2
= |
3
| : t.since317
=9 (mod1l).
lilJ
Iesl
lii l,
since 8e: -2 (mod
13)' we have
t1l [U l. Because
t3 = I (mod
4), Theorem
e.3
. L13,lI t3 J
I
|
: t. Since 13 = -3 (mod 8), we seefrom Theorem9.4
,n
., fql :_1.
Consequently,
[ ,, t
(modp)
(mod q)
x1 (modp)
Q
- xz (mod q)
We denotesolutionsof (i) and (ii)
and (iv) are easily seento be n-y
- x1 (modp)
(mod q)
- x1 (modp)
- x2 (modq).
by x and y, respectively.Solutionsof (iii)
and n-x, respectively.
(ii)
(iii) x = p
xzxz
x
x
x
x
x
x
(iv)

298
QuadraticResidues
We also note that when p = q = 3 (mod 4), the solutions of
x2: a (modp) and of x2: a (mod q) ur" , - ;'o<i*rto (modp) and
x = t oQ+1)/4
(mod g), respectively. ny eut.r,, criterion, we know that
oQ-D/2- l:l: I (mod
p) andoe-D/z-l+l:l (modq)(recall
that
l p )
r
l q )
^ r r r v u Y /
we are assuming that x2 : a (mod pq) hur'
"
solution, so that a is a
quadratic residueof both p andq) . Hence.
1oV+r)/t72
: eQ+D/2
- ob-D/z.a =a (modp)
and
1oQ+t)/t12
: eQ+o/z: oe-Dlz.a =a (modq).
Using the chinese remainder theorem, together with the explicit solutions
just constructed' we can easily find the four incongruent solutions of
x2 = a (mod n) . The following exampleillustrates this procedure.
Example' Supposewe know a priori that the congruence
x2 = 860 (mod I l02t)
has a solution'since 11021:103'107, to find the four incongruentsolutions
we solvethe congruences
x2 :860 = 36 (mod 103)
and
x 2 : g 6 0 : 4 ( m o d l 0 7 ) .
The solutionsof thesecongruences
are
; : + 3 6 ( r o : + D / q - + 3 6 2 6 = + 6 (mod103)
and
r = + 4Qo7+D/a
= t 427: * 2 (mod 107),
respectively. Using the chinese remainder theorem, we obtain x 4 *. 2r2,
* 109 (mod ll02l) as the solutions of the four systemsof congruences
describedby the four possiblechoicesof signs in the system of congruences
x = + 6 (mod 103),x = + 2 (mod 107).
we can now describe a method for electronicaily flipping coins. suppose
that Bob and Alice are communicating electronically. etice !i.t, two distinct

9.1 QuadraticResidues 299
large primesp and q, with p = q = 3 (mod 4). Alice sendsBob the integer
n : pq. Bob picks, at random, a positiveinteger x less than n and sendsto
Alice the integera with x2 : a (mod n),0 ( a I n. Alice finds the four
solutions
of x2 = a (mod n), namelyx, !, fr-x, andn-y. Alice picksoneof
these four solutions and sends it to Bob. Note that since x + y : 2* t #
0 (modp) and x + y = 0 (modq), we have G+y,n): q, and similarly
G+h-y), n) : p. Thus, if Bob receives
either y or n-y, he can rapidly
factor n by using the Euclidean algorithm to find one of the two prime factors
of n. On the other hand, if Bob receiveseither x or n-x, he has no way to
factor n in a reasonablelength of time.
Consequently,Bob wins the coin flip if he can factor n, whereasAlice wins
if Bob cannot factor n. From previouscomments,we know that there is an
equal chance for Bob to receivea solution of x2 = a (mod n) that helps him
rapidly factor n, or a solution of x2 = a (mod r) that does not help him
factor n. Hence,the coin flip is fair.
9.1 Problems
l. Find all the quadratic residuesof
a ) 3 c ) 1 3
b)s d) te.
r.t
2. Findthevalue
of theLegendre
symbols
l+ I,for7
: 1,2,3,4,5,and
6.
3. Evaluate the Legendresymbol
il using Euler's criterion.
b) usingGauss'lemma.
4. Let a and b be integersnot divisible by the prime p. Show that there is either
one or three quadratic residuesamong the integersa, b , and ab.
5. Show that if p then
is an odd prime,
(
ll
- 1
l-r
i f p
i t p
I or 3 (mod 8)
-l or -3 (mod 8).
) r
Pn
6. Show that if the prime-power factorization of n is
n : p?"*t
pl"*t ' " pi"*tpili'
and q is a prime not dividing n, then

300
QuadraticResidues
lorl
t7l
Show that if p is prime andp - 3 (mod 4), then te_0/Zll = (_t), (modp),
where I is the number of positive integers less than p /2 that are quadratic
residuesof p.
show that if b is a positiveinteger not divisibreby the prime p, then
i*l. l+1.
i+l. +f"'-pol
:o
lp) lp) [pJ I p )
"
Let p be prime and a a quadratic residueof p. Show that if p = | (mod 4),
then -a is also a quadratic residueof p, whili it p = 3 (mod i), th"n _a is a
quadratic nonresidueof p.
Consider the quadratic congruenceax2 * bx * c = 0 (modp), where p is
prime and a,b, and c are integerswith p I a.
il Let'p :2. Determine which quadratic congruences(mod 2) havesolutions.
b) Let p be an odd prime and let d : b2 - 4ac. show that the congruence
axz + bx * r
=
0 (mod p) is equivarent to the congruence
y2 = d (modp), where y :2ax t b. Concludethat if d =0 (modp),
then there is exactly one solution x modulo p, if d is a quadratic residueof
p, then there are two incongruent solutions, while if d is a quadratic
nonresidueof p, then there are no solutions.
Find all solutionsof the quadratic congruences
a ) x 2 + x * l = 0 ( m o d 7 )
b ) x 2 + 5 x + l : 0 ( m o d 7 )
c ) x 2 + 3 x + l = 0 ( m o d 7 ) .
Show that if p is prime andp 2 7, then
a) there are always two consecutivequadratic residuesof p (Hint: First show
that at leastone of 2,5,and r0 is a quadraticresidu. oip.)
b) there are always two quadratic residuesof p that differ by 2.
c) there are always two quadratic residuesof p that differ by 3.
7.
8.
9.
10.
12.
1 3 . Show that if a is a quadratic residue of the
x2 = a (mod p) are
i l x E - F a n + l( m o dp ) , i f p : 4 n * 3 .
b) x E * 22n+ron+r
(modp), if p :gn * 5.
p, then the solutionsof

9.1 Ouadratic Residues 301
| 4 . S h o w t h a t i f p i s a p r i m e a n d p : 8 n * l , a n d r i s a p r i m i t i v e r o o t m o d u l o p ,
then the solutionsof x2 = I 2 (mod p) are given by
x E t (r1n t r') (modp),
where the * sign in the first congruencecorrespondsto the + sign inside the
parentheses
in the secondcongruence.
15. Find all solutions
of the congruence
x2 = I (mod l5).
16. Let p be an odd prime, e a positiveinteger, and a an integer relatively prime to
p .
a) Show that the congruencex2: a (modp"), has either no solutionsor
exactly two incongruentsolutionsmodulo p".
Show that there is a solution to the congruencex2 = a (mod p'*') if and
only if there is a solution to the congruencex2 = a(mod p"). Conclude
that the congruencex2 = c(modp") has no solutionsif a is a quadratic
nonresidueof p, and exactly two incongruent solutionsmodulo p if a is a
quadratic residueof p.
Let n be an odd integer. Find the number of incongruent solutionsmodulo
n of the congruence
x2 = a(mod n), where n has prime-powerfactorization
| !-l lgl
n : p'ipti ' . ' p';, in terms of the Legendresymbols l-
' a - - - J
[ p , j " " ' , l o . ) '
Find the number of incongruentsolutionsof
il x2 : 3l (mod 75)
b) x2 : 16 (mod 105)
c) x2 : 46 (mod 231)
d) x2 = l156 (mod 32537stt6).
Show that the congruencex2 = a(mod 2"), where e is an integer,e 2 3, has
either no solutionsor exactly four incongruentsolutions. (Hint: Use the fact that
(*x)2 : (2e-t*x)2 (mod 2").)
Show that there are infinitely many primes of the form 4k * l. (Hint: Assume
that pt,p2,...,pn
are the only such primes. Form N :4(ppz"'P)2 * l, and
show, using Theorem 9.3, that N has a prime factor of the form 4k * I that is
not oneof p1,p2,...,pn.)
Show that there are infinitely many primes of the form
a ) 8 k - l b ) 8 & + r c ) 8 f r + 5 .
(Hint: For each part, assumethat there are only finitely many primesPr,P2,...,Pn
of the particular form. For part (a) look at @ppz"'P)2 - 2, for part (b),
lookat (prpr"'p)2 * 2, and for part (c), lookat (ppz"'p,)z + 4. In each
b)
c)
t 7 .
1 8 .
20.

302
QuadraticResidues
part' show that there is a prime factor of this integer of the required form not
among the primespr,p2,...,pn use Theorems9.3 and9.4.)
21. Show that if p is an odd prime,.then the congruencex2 = a (modpn) has a
solution for all positiveintegersn if and only if a"is a quadratic residueof p.
22' show that if p is an odd prime with primitive root r , and a is a positiveinteger
not divisibleby p, then a is a quadratic residueof p if and onty irino"a is even.
23' Show that every primitive root of an odd primep is a quadratic nonresidueof p.
24. Let p be an odd prime. Show that there are (p-D/z _ 6e_D quadratic
nonresidues
of p that are not primitive roots of p.
25' Let p and'q :2p * I both be odd primes. Show that the p-l primitive roots
of q are the quadratic residuesof g, other than the nonresidue2p of q .
26' show that i! p and' q - 4p
.*
I are both primes and if a is a quadratic
nonresidue
of q with ordoa * 4,thena is a primitive root of q.
27' Show that a prime p is a Fermat prime if and only if every quadratic nonresidue
of p is alsoa primitive root of p.
J -- - '-'J 1-*uras1
.
28. Show that a prime divisor p of the Fermat number Fn : 22.* I must be of the
form 2n+2k+ r. (Hint, show that irioz - 2n+1. Then show that
2$-tttz = I (mod p) usingTheorem9.4. conclude that 2n+tle-D/2)
a) Show that if p isa primeof the form4ft * 3 and q :Zp * I is prime, then
q dividesthe Mersenne number Mo : 2p-L (Hint: Consider thl Legendre
s y m b o ll : 1 . )
l q )
b) Frompart (a),showthat nl Mr,47l M23,and503
1Mrr.
Showthat if n is a positive
integerand 2n*r is prime,and if n s0 or
3(mod4), then 2n * | dividesthe Mersenne
numberMo:2n_1, whiteif
n jl or2 (mod4),then
r2n
* I divides
Mn*2:2n t L (Hint:Considerthe
Legendre
symboll+ |
"na
useTheorem
9.4.)
l z n + r )
Showthat if p is an oddprime,then
p - 2 ( . ' . - ' l
'>
l/(i+l) l:_,.
t-"- [ p
)
'
(Hint:
First
show
thar
f+l
:
[+l *n".r7-isaninverse
of7 modulo
p).
I P J t P )
-"
29.
30.
32' Let p be an odd prime. Among pairs of consecutivepositiveintegerslessthan p,
let (RR), (RN), (NR), ano (Nu) denote the number of pairs of two quadratic

9.1 Quadratic Residues 303
residues, of a quadratic residue followed by a quadratic nonresidue, of a
quadratic nonresidue followed by a quadratic residue, and of two quadratic
nonresidues,
respectively.
il Show that
(RR) + (RN) :
(NR) + (NN) :
(RD + (NR) :
(RN) + (NN) :
lU-'-t-17{n-r/21
lb
-'*t-11{r-D/21
l<n-r>'r
lr-u
33.
34.
b) Using problem 30, show that
^ (
' t
,il
l t(t+l) | : (no + (NN)- (RN)
- (NR)
: -r.
t:' I P )
-
c) From parts (a) and (b), find (RD, (RN), (NR), and (NN).
Use Theorem8.15 to proveTheorem9.1.
Let p and q be odd primes. Show that
a) 2 is a primitive root of q, if q : 4p * 1.
b) 2 is a primitiverootof q,if p isof the form 4/<* I and Q:2p * l.
c) -2is a primitiveroot of q,if p is of the form4k - I and Q :2p * l.
d) -4 is a primitive root of q, if q : 2p * | '
35. Find the solutionsof x2 = 482 (mod 2773) (notethat 2773:41'59).
36. In this problem, we developa method for decipheringmessages
encipheredusing
a Rabin cipher. Recall that the relationship between a ciphertext block C and
the corresponding plaintext block P in a Rabin cipher is
C = P Q+O) (mod n), where n: pq, p and q are distinct odd primes,and b
is a positiveinteger lessthan n.
a) Show that C *a 3 (f+6)2(modn), wherea =(lD2 (modn), and 2 is
an inverseof 2 modulo n.
b) Using the algorithm in the text for solving congruences of the type
x2 = a (mod n), together with part (a), show how to find a plaintext block
P from the correspondingciphertext block C. Explain why there are four
possible plaintext messages. (This ambiguity is a disadvantageof Rabin
ciphers.)
c) Using problem 35, decipher the ciphertext message 18190459 0803 that
wasenciphered
usingthe Rabin cipherwith D - 3 and n:47'59:2773.

304
QuadraticResidues
37' Let p be an odd prime and let c be the ciphertext obtained by modular
exponentiation, with exponent e and modulus p, from the plaintext p, Le.,
c = p' (modp),0 < c ( n, where(e,p-l) :1. show tnalc is a quadratic
residueof p if and only if p is a quadratic residueof p .
38' a) Show that the secondplayer in a game of electronicpoker (seeSection 7.3)
can obtain an advantageby noting which cards have numerical equivalents
that are quadratic residuesmodulo p . (Hint: Use problem 37.)
b) Show that the advantage of the second player noted in part (a) can be
eliminated if the numerical equivalents of cards thai are quadratic
nonresiduesare all multiplied by a fixed quadratic nonresidue.
39' Show that if.the probing sequencefor resolvingcollisionsin a hashing schemeis
h1(K) = h(K) + ai * biz (modn), wherJ n<x> ir u 6urting*function,z is
a positive integer, and a and 6 are integerswith (b ,m) : l, thJn only half the
possiblefile locations are probed. This is called the quadratic search.
l. Evaluate Legendresymbolsusing Euler's criterion.
2. Evaluate Legendresymbolsusing Gauss' lemma.
3' Flip coins electronicallyusing the proceduredescribedin this section.
4' Decipher messages
that were encipheredusing a Rabin cipher (seeproblem 35).
9.2 TheLaw of QuadraticReciprocity
f
Ol elegrant.,
theoremof Gaussrelates
|9 I "'o |* I, where
p and,
q arebothodd
lq) lp)
the law of quadratic reciprocity, tells us
x2 : p (mod q) has solutions,once we know
the congruence
x2 = p(mod q), wherethe roles
the two Legendre symbols
This theorem, called
whether the congruence
whether there are solutions of
of p and q are switched.
We now state this famous theorem.
The Law of Quadratic Reciprocity. Let p andq be odd prirnes. Then
f ) f
, l
p - t . q - l
lzlle_l
_ eD-,
^,
.
tq ) lp )

9.2 The Law of Quadratic Reciprocity 305
Before we prove this result, we will discussits consequences
and its use. We
first note that the quantity Q-D/2 is even when p =-l(mod 4) and odd
whenp = i(mod4). Consequently,
we seethat
+ +
is evenif
p =t (mod
4) or q = | (mod
4), while
+ +
is odd if
p = q = 3(mod 4). Hence,we have
folInl Jr rf p:l(mod4)orq=t(mod4) (orboth)
|.;l F)-- l-t irP:q=3(mod4)'
Since
theonlypossible
values
"
l+'l uno [+
.|
"r.
t l, wesee
that
lq) lp)
{ r )
I l"l tt p =t(mod 4)orq =t(mod 4) (orboth)
[n-l
:.lt'.o'.,
lq,| l-["I uo =q=3(mod4).
I tp J
Thismeans
thatif p and
q areodd
primes,
then[+l
:
[*'l ""t.ss
both
lq,) .,lP J,
p and
q arecongruent
to3 modulo
4,andinthat.ur.,
[t]
: -[;]
Example. Let p: 13 and q:17. Since
,P
=rq = | (mod4), the law of
quadratic
reciprocity
tellsusthat
|# I
:
Ii+ l.
From
part(i) ofrheorem
e.2,weknowtl
. Itt'l lq
' ''
,;il1l;
r
i:11
;:il;:.'il.":'_.
1""""
followsthat
l",J: |.,, j:
/
thatl*l : t
I I / J
Example. Let P : 7 and Q : 19-
quadratic reciprocity, we know
Theorem
9.2,wesee
that t+ I
l./ )
3(mod4) , from the law of
r)
I12 l. From Dart (i) of
L7 )
using the iaw of quadratic
Sincerp
=
q =
that
lil
:-
:
l+l
Again'

306
reciprocity,
since5 = l(mod 4) and 7 = j(mod 4),
f-T
part .,(i) of Theorem 2.2 and Theorem
l+l- l?l: -' Hence
[+l : ,
[5J [5J
r' rrv','lvutrl
we can use the law of quadratic reciprocity and Theorems 9.2 and9.4 to
evaluate Legendre symbols. Unfortunately,
"pii..
factorizations must be
computedto evaluateLegendresymbolsin this wav.
Example.
Wewillcalculate
l:rt I
73
: 23
3"";;,;,"_ ,"Jm,::""::1,:'j:;:"'"""
, we
factor
[+l :[+l :l-,' lfg-l
IrooeJtroor
J- [t*n,Ji,*r,J
To evaluate the two l-sgsndre symborson the right side of this equarity, we
usethe law of quadratic reciprocity. Since tOoq i I (mod 4), ;. seethat
Izt ] frooeI
Ir' l:[1ql
Irooej:tr ,|'lrootj
=
l3r )
Using Theorem 9.2, paft (i), we have
Irooql lzol
lx ,l:t",l
By parts(ii) and (iii) of Theorem
9.2.
lpl:lzri :l
123) [zr )- t
The law of quadratic reciprocity, part
tell us that
[+]:[+]
Quadratic Residues
we have
9.4, we
and Theorem 9.4
: - 1
+J
:[+]
know that
[' l-
IzrJ-
(rtl
ITj
: :t+]

9.2 The Law of Quadratic Reciprocity
where
Proof. Consider the
a, 2a,...,((p-l)lDa; let
vt, v2,...,
v, be thoseless
where the remainder is
equationsof this sort, we
r)
lgl: 1-11rb'il,
lp)
(P-r)/2
Tb,p)
j-r
least positive residues
u1, 112,...,
It, be those greater
307
of the integers
than p /2 and let
tells us that
Likewise,using the law
9.4, we find that
lul: fll :
|.r' ,|
-
|.tt .|
:
lzl:
l3J
of quadratic reciprocity, Theorem 9.2, and Theorem
[+]
:[+]
[+]
-[+]
:
:-[+):-'
[+]
:[+]
consequently,
[*]
:
(-
Therefore,
l# I : t-r)(-l) : t
[ , 0 0 9 )
We now presentone of the many possibleapproachesfor proving the law of
quadratic reciprocity. Gauss,who first proved this result, found eight different
iroofs, and an article published a few years ago offered what was facetiously
ialled the l52nd proof of the law of quadratic reciprocity. Before presenting
the proof, we give a somewhattechnical lemma, which we use in the proof of
this important law.
an odd prime and a is an odd integer not divisible by p,
Lemma
then
rfp
than p /2. The division algorithm
ja : pljo lpl + remainder,
one of the uj's or vj's. By adding the Q-l)/Z
obtain

308
(e.3)
(e.4)
QuadraticResidues
@-Dlz b-D /2 r ,
.Z ia: a pf,ia/pl
*iui+iv1.
r - ' J - t j : l j : l
As we showed
in the proofof Gauss'
lemma,the integers
p _ ur,...,
p _ us,
vt,...,vt are precis.ely
the integers
1,2,...,b-l)/2, ii someo.j... Hence,
summing
all theseintegers,
weobtain
b-r)/2 s 1
Z i: Q-u)+ ) vi:ps- i q+ !,r1.
j : r j : r j _ r j : l t * l
Subtracting(9.4) from (9.3), we find that
g_r)/z (p_D/2 (p_D/2 r
j : t j - t j _ t j _ l
or equivalently,
sinceT(a,p) :t')'' Ija/pl,
. (p-t) /2
i'l
( a - l )
j : I j : r
Reducing this last equationmodulo 2, sincea and, are odd, yields
o = T(a,p) - s (mod
Hence,
T ( a , p ) = s ( m o d 2 ) .
To finish the proof, we note that from Gauss,lemma
| , )
tLl: (-t)'.
tp )
Consequently,
p
D.
(-t)" : (-1)r6,e), it followsthat
r)
lgl:1-1;r(a,r). g
lp )
AlthoughLemma9.2 is usedprimarilyas a tool in the proofof the law of
quadraticreciprocity,
it canalsobeusedto evaruate
Legend^re
symbols.
Example.To find
|'+ I , usingLemma9.2, weevaluate
the sum
l ' ^ J

The Law of OuadraticReciprocity 309
17
j/rrl : I7lul + t r4/rtl+ I2rltll + [28/ll]+ t3s/l1l
:0+ I + I +2+3:7.
(tl
Hence,
l+l
: (-l)7: -1.
L " J
r )
Likewise,
tofindI+ t, wenote
that
l./ )
3
) tr rilll : lrrl7l + t22l7l+ l33l7l: 1* 3 * 4 - 8,
j : l
r)
so
thart+ | : (-l)8: l.
L/ )
Beforewe presenta proof of the law of quadraticreciprocitY,
we usean
example
to illustratethe methodof proof.
Let p : 7 and Q : ll. We consider pairs of integers k ,y) with
7-l :3 andI ( v <
llll :5. There
are 15suchpairs'We
l(x<;:3andl(Y'- 2
notethat no-n.of thesepairssatisfyllx : 7y, sincethe equalityllx :7y
i.pfi"r that 1t l1y, sotirateitherit I Z,whichis absurd,
or 11ly, whichis
impossible
because
t ( y ( 5.
We dividethese15pairsinto two groups,
depending
on the relativesizesof
llx and7y.
The pairsof integersG,y) with I ( x < 3, I ( y { 5, and llx > 7y
urc pr..isely thosepairs satisfyingI ( x ( 3 and 1 ( y ( 11xl7. For a
fixed integerx with 1 ( x ( 3, there are lttx/ll allowable
valuesof y.
Hence,the total number of pairs satisfyingI ( x < 3, 1 ( / ( 5, and
llx ) 1y is
3
2 tt tlTl: ttt/tl + 122/71
+ I33l7l: I * 3 + 4 : 8;
j:1
theseeight pairsare (l,l), (2,D, (2,2), (2,3), (3,1), (3,2), (3,3) and (3,4)'
The pairs of integers G,y) with I ( x < 3, I ( y ( 5, and llx 1 7y
*r. pr..isely those pairs satisfying I ( y ( 5 and 1 ( x 4 7y/tt. For a
fixed integer y with I ( y ( 5, there are lly/ttl allowable values of x.
Hence, the total number of pairs satisfying I ( x < 3, I ( y ( 5, and
llx ( 7y is
5
j-1

310 QuadraticResidues
+ [tLltr]+ [2r/rtl+ I28ln
] + [3sll
1]
+ 1+ 2*3:7.
(1,3),
(1,4),
(1,5),
(2,4),
(2,5),and(3,5)
5
j-r
ltj /ttl : Ij lrrl
:0*l
Thesesevenpairs are (l,2) ,
Consequently,we seethat
1 l - 1 7 - l
T;:5'3:
3 5
15: ) trrjlll+ > ltjltll : 8* 7.
j-r j-r
Hence,
rr-l .7-l i,rrrr,r,
* i, rtinl
( _ t ) 2 2 : ( _ l ) ; * ' i - l
3 5
2lni/tl )Iti/rrl
(- I )i-' (- I )r-'
3
Since Lemma g.2 tells r.^ +L^+ | rr I Z,'rj/tl
rs that
17 |
: (-1;r-t and
5 t /
(t
'l
..Ittrr"t lt lfrrl
t-'rr-r
l#l
:(-1)i-t,weseethat I ll " | :(-t) 2 2
r,'J [11J|.7 )
This establishesthe special case of the law of quadratic reciprocity when
p : 7 a n d q : l l .
We now prove the law of quadratic reciprocity, using the idea illustrated in
the example.
Proof. We consider pairs of integers (x,y) with I ( x ( Q
-l) /2 and
I ( y ( (q-D/2. There ur" 2-l o-l
; T
such pairs. We divide t-hese
pairs
into two groups,dependingon the relative sizesof qx andpy.
First, we note that qx I py for all of these pairs. For if qx : py, then
q l p y , w h i c h i m p l i e st h a t q l p o r q l y . H o w e v e r ,
s i n c eq a n d p a r e
distinctprimes,we know that q lp,and sinceI ( y ( (q-i12, we know
that q I y.
To enumerate the pairs of integers (xy) with I ( x ( Q-I)/z,
1 ( y ( (q -l) /2, and qx > py, we note that thesepairs are preciselythose
where I (x ( (p-l)/2and I (y 4qx/n. For each fixed value of the
integer x, with 1 ( x 4 b-1012, there are Iqx/pl integers satisfying
I ( y 4 qx /n. Consequently,the total number of pairs of integers G,y)

Q-t)t2
withl (x ( Q-D/2,t (v ( Q-D/2,andqx> Pvis
?,
Iqilpl'
We now considerthe pairs of integersG,il with 1 ( x ( b -l) 12,
1 ( y ( (q-D 12,and qx < py . Thesepairs are preciselythe pairs of
integlrs
G,il with 1(y ( (q-D/Zand 1(x 4pylq. Hence,foreach
fixed value of the integery, where I ( y ( (q-1) 12, there are exactly
lpy lql integersx satisfying I ( x 4 pylq. This showsthat the total
nurnu..ofpairselil/r.g"rt (i,y) with I ( x ( b-D/2,1 (y ( (q-t)/z,
andqx < py is
j-r
Adding the numbers of pairs in these classes,and recalling that the total
numberof suchpairs,,
'=rt '+,we seethat
')''
hilpt
*'ni'',r,,d:+'+ ,
j-| i-r
or using the notation of Lemma 9.2,
T(q,p) + TQ,q) -
Hence,
9.2 The Law of Quadratic Reciprocity 3 1 1
Lemma
: [".| Hence
lq)
This concludesthe proof of the law of quadratic reciprocity. n
The law of quadratic reciprocity has many applications. One use is to prove
the validity of the following primality test for Fermat numbers.
Pepin'sTest. The Fermat number F^ : 22' + I is prime if and only if
3G'-r)12: -l (mod F-).
proof. We will first show that F* is prime if the congruencein the statement
of the theorem holds. Assume that
p - l . q - l
2 2
p - l . q - r
2 2
,-t1rQ'il+r@,q): (- 11r(e'n)
1-11r{n'c)
: (-t)
9.2tellsusthat 1-1yr(a,r)
: ["'l ."0 1-gr{o.o)
lp J
f l f P - t . q - l
lzll4l:(-t) 2 2
l.qJl.pJ

3G^-r)/2: -l (mod F*).
Then, by squaringboth sides,we obtain
3F.-1= I (mod F*).
From this congruence,
we seethat if p is a prime dividing F*,then
3F.-l = I (modp),
and hence,
ordo3 | {f ^-I) : 22'.
Consequently,ordr3 must be a power of 2. However,
ordo3
tr2''-': (F^-D/2,
since 3G^-t)/2
- -l (mod F*) . Hence, the only
o1do3:22^ : F^ - l. Since ordo3: Fm-t ( p - I
that p : F^, and consequently,
F^ must be prime.
Conversely,if
Fr:22'* I is prime for m ) l, then
reciprocity tells us that
312
(e.5)
since F^ = |
Now, using
(e.6)
This finishesthe proof.
Example.Letm:2.
:[+J
:[+]
= 2 (mod 3).
we know that
QuadraticResidues
possibility is that
and p I F*, we see
the law of quadratic
we concludethat
t*l
(mod 4) and F^
Euler's criterion,
t*l3G'-t)/'(-od F-).
Fromthetwo equations
involvingI I I
[". j'
3(J'._r)/2
_ _1
(9.5)and(s.e),
(modF).
tr
Then F2:
aFr-t)lz _
2 2 ' + l : 1 7 a n d
38: -1 (mod l7).

9.2 The Law of QuadraticReciprocity
By Pepin'stest,we seethat F2 : l7 is prime'
Let m :5. Then Fs:22' + l:232 t I : 4294967297-
We notethat
3G,-D/2: 12": 32t41483648
- 10324303* -l (mod 4294967297).
Hence,by Pepin'stest,we seethat F5 is composite'
9.2 Problems
l. Evaluate the following Legendresymbols
a ,
[ * ]
u,[+l
c,t*l
2. Using the law of quadratic reciprocity,show that if p is an odd prime, then
313
d)
e)
[-u]
[64r.J
f:ul
leer
J
Iros]
l*'l
[;]
:
3. Show that if p is an odd Prime, then
p = tl (mod 12)
p = t5 (mod 12).
i f p = t ( m o d 6 )
if p = -l (mod 6).
{lii
[-rI
[7J
:
{l
4.
5.
6.
Find a congruencedescribingall primes for which 5 is a quadratic residue'
Find a congruencedescribingall primes for which 7 is a quadratic residue.
Show that there are infinitely many primes of the form 5Ic * 4' (Hint: Let n be
a positive integer and form Q : 5(tnr'2
+ 4' Show that Q has a prime divisor of
the form 5k + 4 greater than n. To do this, use the law of quadratic reciprocity
to showthat if a primep dividesQ, then | ? |
- t I
t ) l

7 .
3 1 4 Quadratic Residues
Use Pepin'stest to showthat the following Ferntatnumbersare primes
a) Fr : 5 b) F3 - z5i c) F4: 65537.
From Pepin'stest,concludethat 3 is a primitive root of every Fermat prime.
In this problem,we give anotherproof of the law of quadraticreciprocity. Let p
and q be distinctodd primcs. Let R be the interior of the rectanglewith vertices
o: (o,o),
A: b/2,0, B: Q/2,0,and
C : b/2,q/D.
a) Show that the number of lattice points (pointswith integer coordinates)in
R i , P - l . q - l
2 2
b) Show that there are no lattice pointson the diagonalconnectingO and C.
c) Show that the number of lattice pointsin the triangle with verticesO, A, C
Q-D/2
is
i - l
d) Show that the number of lattice points in the triangle with verticesO, B,
Q_r)/2
and C is
j - l
e) Concludefrom parts (a), (b), (c), and
Q-t)/2 Q-D/2
j - t j - l
Derivethe law of quadraticreciprocityusingthis equationand Lemma
l. EvaluateLegendresymbols,usingthe law of quadraticreciprocity.
2. Determinewhether Fermat numbersare prime usingPepin'stest.
9.3 The Jacobisymbol
In this section,
we definethe Jacobisymbol. This symbolis a generalization
of the Legendresymbol studiedin the previoustwo sections. Jacobisymbols
are useful in the evaluationof Legendresymbolsand in the definitionof a
typeof pseudoprime.
Definition. Let n be a positive integer with prime factorization
n:p'ipti 'p; and let a be a positiveintegerrelativelyprime to n. Then,
8 .
9 .
(d) that

9.3 The Jacobi sYmbol 3 1 5
of the equality are Legendre
the Jacobi
where the
symbols.
Example.
and
; I
t' denned
bY
l:[*]'
t-hand side
p'p'; " ' p';
on the righ
t
I
S
t;l lh)'
symbol
[.] :
l, ,|
symbol
From the definition of the Jacobi symbol,we seethat
['l: lzl : lz)'let
l45,1
1."ij
:lil
l;l
:(-r)2(-r):-r'
#l:[+*l
:[+l[+l
[+]
:[+l
:
[+]'[+l'[+]
: '-D2
t2(-'l):
-r
Whenr is prime,the Jacobisymbolis the sameas the Legendre
symbol'
However,
whenn is composite,
the valueof the Jacobisymbollq I Oottnor
'
lr)
tell us whether the congruencex2 = a (mod n) has solutions..,
*. do know
that if the congruence
x2 = a (mod n) has solutions,then l* |
- t To see
ln)
this, note that if p is a prime divisor of n and if x2 =a (modn) has
solutions,then the congruencex2 = a (modp) also has solutions. Thus,
r I f -l m ( ^ )t
Ii | : t Consequently,
|+ I : II |* I
: l. To seethatit is possible
lp)..
'
ln) i-1lPi)
t l
that I
g
| : 1 when there are no solutionsto xz : a (mod n), let a : 2 and
ln )
n: t5.Nore
that
[+l
:
t+.|t?l
: (-r)(-1):r. However,
there
are
t ^- r t - J l.) ,l
no solutionsto x2 i 2 (mod i S), rin* the congruences
x2 = 2 (mod 3) and
x2 = 2 (mod 5) haveno solutions.
We now show that the Jacobi symbol enjoyssomepropertiessimilar to those
of the Legendresymbol.
[+l
l*l

3 1 6
QuadraticResidues
Theorem 9.5. Let n be an odd positive integer and let a and b be integers
relativelyprime to n. Then
ll: l*)
i f a : D ( m o d n ) , t h e n
lol: ["]fql
I n ) ln ) ln )
r)
|
-t
| : t_ 11h-D/z
f tr )
'
/)
ILl :1-1) (n':-r)/a
.
ln )
[+):l*)"[#]"
l*)'-
:[;]"l*)"
{t)"
[*]
" l*)'-
l*)''
:
[;] [*]
(i)
(ii)
(iii)
(iv)
Proof- In the proof of all four parts of this theoremwe use the prime
factorization
n : p,p'i . . p';.
Proof of (i). we knowthat if p is a rrime.,dividinqn,
thena =b (modp).
Hence,from Theoremg.z G we have l* |
:
l+ | consequentry,
we see
that
IDJ lp)
i*l: f*l"l+J" [-tL'-lo)"lol" Iol'':fal
f,,J lo,Jlp,) lo^,|
:lr'l
lo,t lp^):l;j
Proofof (i). FromTheorem
9.2 (ii), we knowthat fq) : |
, I i a I
Hence.
rv"' rrrvvrwttt
7'L Ir'f' ws Klluw
lo, ,l ltl F)'

9.3 The Jacobi sYmbol
317
of Gril. Theorem 9.3 tells us that if p is prime' then
- (-11 Q-r)/2.
ConsequentlY,
f-r I l'-rl"l-r
'l"
. [-' ]"
l-l: ll_ l"'rll
ln,| LP,)lPrJ tP^)
: (- ,1tJn;t/2+
t'(p'-t)/Z+ '" + t^(p^-r)/2
Proof
t+l
From the prime
n -
SinceQi-l) is
and
factorization of n, we have
(r + Qr-l))"(l + bz-l))"''' (t * (p^-l))''
even.it follows that
(t + (pi-l))" = | + tib,-t) (mod4)
(l + r,(pi-l))(r + r, Qi-D): I + tiQl-t) + tibi-l) (mod4).
Therefore,
n = 1 + t l p r - t ) + t 2 ( p 2 - i + ' ' ' + t ^ ( p ^ - l ) ( m o d4 ) '
This impliesthat
Q-D/2 = tJprD12 * tz(pz-D12
+ + t^(p*-D12(mod
2) .
r'
Combining
thiscongruence
for (n-1)lZ wittttheexpression
for
l+J
'no*t
/ ) n - l
r l r -
that |
-'
| : (-l) 2
l,r )
r)
Proofof (iil .If p isprime,
then l+l
: (-1;(r'l-r)/8
' Hence'
lp)
Izl : Il" [z] t+'lt : (_l),,bi_t,tts+t,gt-r)/8+
+t^Qi-rtt
L,J lp'J lp,) lp^)
As in the proof of (iii), we note that
n2: (r+ (p?-r)"
0 + @?-l))"
"' (t + bT-l))".

318
QuadraticResidues
Since
pl-I = 0 (mod
8),wesee
that
0 + Q?-l))', = | + tie?-l) (mod
64)
and
(l+r,b?-l))(l+ 4el-t)) = | * t;e?_D+ t,A? t) (mod
64).
Hence,
n2:t+tJp?-D+tze?-D+ + t^(pT-l) (mod64).
This impliesthat
(n2-t)/8: tJp?-D/B+ tze?-D/s+... + t*(p3,_l)/8
(mod
s).
combining
thiscongruence
for (n2- l)/g withtheexpression
for [el teils
f
"'l
ln )
u s t h a t l L l : 1 - 1 ; ( n ' - t ) / 8. D
ln )
We now demonstratethat the reciprocity law holds for the Jacobi symbol as
well as the Legendresymbol.
Theorem 9.6. Let n and m be relatively prime odd positiveintegers.Then
f l f I m - t n - l
lrl-| lLl: (_t) , , .
lm )l n )
Proof. Let the prime factorizations of rn and
n : ql'q!, . . . qor,.we seethat
and
l*):
n bem : pl,pl, .
w)'"'
" p!' and
lr):,4
tt)':,q,s
t ( n l 4 / s r
IIl;l :rtrt
j-t I I'J ) j-t i-t It)"''
Thus,

9.3 The Jacobi symbol
From
Hence,
319
q'l
h )
at
fn,-,
I
l r l
t - )
l+l
[*]
:,g
the law of quadratic reciProcit
t*l
tr)
|^)[, I
[7J
l;):
We note that
,s
ti*l
t
y, we know th
[o,-,1
:(-rllrj
10tu'
l
r
f| ff(-l)
( ' r "): (-l)'-'l-' /
t - l j - l
t,p,
",1+l
',[+]
:z",1+]
,.a''t+]
As we demonstratedin the proof of Theorem 9.5 (iii),
Doif+] =* (mod2)
j - t ( o ) z
and
5u,[+]
=n - l
2
(mod 2).
Thus,
r s
^fr,-tl ^[Qr-tl =.-l +(mod2).
(e.8)
i-t i-r J
Therefore,from (g.Z) and (9.8), we can concludethat
f ) f ) m - l n - l
lLllal:(_r) 2 2 tr
I n )lm )
We now developan efficientalgorithm for evaluatingJacobi symbols. Let a
and b be relatively prime positive integers with a < b. Let Ro : Q and
R r : D Using the division algorithm and factoring out the highest power of
two dividing the remainder,we obtain

32A
Quadratic Residues
R o : R f l r + 2 t ' R 2 , ,
where s1 is a nonnegativeinteger and R2 is an odd positive integer lessthan
R I ' When we successivelyuse the division algorithm, and factor out the
highestpower of two dividing remainders,we obtain
R r : R z e z + 2 " ' R 3
* r : R f l t + 2 " R a
Rr-r : Rn_2Qn_2
* 2t.-rRn_1
Rn-z: Rn-tQr-, + 2t.-t. I ,
where s; is a nonnegativeinteger and R; is an odd positive integer lessthan
&-r for i : 2,3,...,n-l Note that the number of division,,"qu-ir"dto reach
the final equationdoesnot exceedthe number of divisionsrequiied to find the
greatestcommon divisor of a and b using the Euclideanalgorithm.
we illustrate this sequence
of equationswith the following example.
E x a m p l e .
L e t a : 4 0 1 a n d b : l l l . T h e n
4 0 1: 1 1 1 . 3 + 2 2 . n
l l l - 1 7 . 6 + 2 0 . 9
1 7 : 9 . 1 + 2 3 . 1 .
Using the sequenceof equations we have described, together with the
propertiesof the Jacobi symbol, we prove the following theorem, which gives
an algorithm for evaluatingJacobi symbols.
Theorem 9.7. Let a and b be positiveintegerswith a > b . Then
f ^ ' l n i - r
& ! a ! * * f , R , - r
+ . . . + R " _ , - t R . _ r _ r
l + l : ( - l ) ' ' t
+ " ' + s ' - r -
8 - r z 2 2 2
l b )
'
wherethe integersR; and s;,,t :1,2,...,n-l , are as previouslydescribed.
Proof. From the first equationand (i), (ii) and (iv) of Theorem 9.5. we have
fgl-
la,|-i+l
:[+]
: : (-1)

9.3 The Jacobi symbol
321
usingTheorem9.6,the reciprocity
law for Jacobisymbols,
wehave
t*l
:'-')+
+t#l
so that
f ^ I
R,-l R,-l ni-t-
[ n, I
l+l:(-r)T
LDJ IR,J
Similarly, using the subsequent
divisions,we find that
lgl :,-,rTry*n#i+l
[ ^, ,|
'/
1R;+r
J
forT :2,3,...,n-t *nen we combineall the equalities,
we obtainthe desired
expression
forl+ I tr
'
[b ,l
The followingexample
illustrates
the useof Theorem
9.7.
Example. To evaluate
[++],
we use the sequence
of divisionsin the
previous
example
andTheorem
9.7. Thistellsusthat
[+or
l:,-,lt F*o'"lt*'
n't'.ttr!:r
+*!+ +:r.
l.111
J
The following corollary describes the computational complexity of the
algorithm for evaluatingJacobisymbolsgiven in Theorem 9.7.
Corollary 9.1. Let a and D
,,be
relatively prime positiveintegerswith a > b '
Then the Jacobi symbol l+ | can be evaluated using O(loezb)3) bit
"
l b )
operations.
rt
Proof. To find lf I uting Theorem9.7,we performa sequence
of O1ogzb)
t.D
J
divisions. To seethis, note that the number of divisionsdoes not exceedthe
number of divisions needed to find G,b) using the Euclidean algorithm.
Thus, by Lam6's theorem we know that O (log2b) divisions are needed. Each

322
QuadraticResidues
divisioncan be doneusingo ((lo^gzD2)
.bit operations.Eachpair of integers
fl.u.nd
si can be found usingo(logzb) bit operations
on"" ih" appropriate
divisionhasbeencarriedout.
consequently,
o((log2D)3)bit operations
are requiredto find the integers
R;,s7,
i :1,2,"',n-t
lr.T
a andb. Finaily,to evaluate
the exponent
of -l
in the expression
for
l+l in Theorem9.7,we usethe last threebits in the
lD )
binary expansion:
of Ri,i : r,2,...,,n-r and the last bit in the binary
expansions
of sy,,r
: r,,2,...,n-r. Therefore,
we use0(lo926) additional
bit
operations
to find I+l Sinceo((log2D)3)
+ ooog2b): o(tog2,D2), the
lD )
corollarvholds. tr
9.3 Problems
I. Evaluate
thefollowingJacobisymbols
2.
a, t+] b, [*]
b,[*] , lx)
c,[*] 'tml
For which positive integers n that are relatively
symbor
t*l
equar
r?
For which positive integers n that are relatively
symbor
|.+l
equar
r?
5. Let n be an odd square-free.,
positive integer.
such
that
(a,n): I and
l;,J
: -t
3.
4.
to 15 does the Jacobi
to 30 does the Jacobi
positive and
Let a and b be relatively prime integers such that b is odd and
a : (-l)'2'q where q is odd. Show that
b-l br-l
: (-l)--'r
+
l-'' ["1
lb )
Show that there is an integer a

6 .
9.3 The Jacobi sYmbol
323
Let n be an odd square-freepositiveinteger'
r
a ) S h o wt h a t ) l + l : 0 , w h e r et h e s u m i s t a k e no v e r a l lk i n a r e d u c e d
s e t
ln )
of residues
modulon. (Hint: Useproblem5')
b) Frompart (a), show
11"
,n. numberof integers
in a reduc?O"ti'ofresidues
modulon suchttut I
O
| : I is equalto thenumber*itn l* I
: -t.
lrj
"---r--
l'J
Let a and b:ro be relatively prime odd positiveintegerssuch that
A : l O Q t * e 1 r 1
t O : r l Q 2 I e 2 r 2
f n - l : f n - t Q n - t * e n f n
where q; is a nonnegativeeven integol, €; : t l, r; iS a positive integer with
ri 1 ri t, for t : 1,2,...,frj , and rn : l. These equations are obtained by
successively
using the modified division algorithm given in problem l0 of Section
t . 2 .
f^'l
a) Show that the Jacobisymbol | * I i, given by
-
l.DJ
7.
l++*++:. *t-f'+l
: ( - l ) [ t 2 2 2 2 2 )
b) Showthat theJacobisymbol[+.| t, givenbv
l D )
t ' ^ l
l+| : (-r)r'
lb;
where T is the number of integersi, I <, ( n, with ri-r 7 ciri = 3
(mod 4).
8. Show that if a and b are odd integers and (a,b): l, then the following
reciprocity law holds for the Jacobi symbol:
I a-t b-t
(
" lt b l-l-(-r);-;
ira<oandb<o
lr;l-lll;l-J
:
l,_
a-'b-'
' ) ' - - ' J
[ ( - l ) 2
2 o t h e r w i s e .
f"l
Irl

324
QuadraticResidues
In problems
9-15wedealwith theKronecker symbolwhichis defined
asfollows.
1 P"
u positive
integerthat is not a perfect,quu." suchthat aE0 or I (mod4).
oenne
Let
We
l")
ttt:
l
Show that if
flt 7 nz (mod
i f a = l ( m o d 8 )
- l i f a = 5 ( m o d 8 ) .
i'
[;):the
Legendresymbo'
[;]
if p is an odd prime such that p/a
[;]
:,q[f]" ir(o"t):I andn
9. Evaluate the following Kronecker symbols
a ,
[ * ]
b ,
[ * ]
c ,
[ * ]
For problems 10-15 let a be a positive integer that is not a perfect square such that
a= 0 or I (mod 4).
("1 ( z l "
l0' Showthat
[;]
:
tftl
it zla, where
thesvmbol
on therightis a Jacobi
symbol.
[*):
:
IIpi is the prime factorizationof n.
./- I
Show that if n1and,n2t,re positiveintegersand if (app2) :
Show that if n is a positive integer relatively prime to a and if a is odd, then
rl r )
ILI: I n I
f ;J
:
[l]J'
whileif a iseven,
anda :2't where
t isodd,then
r - l . z - l f )
(_r)
2 2
tTrll
1 3 .
['l
l;J
tt1 and
I al), then
,? uti positive.,integers relatively prime to a and
lsl: lLl.
f't ,J lnz )
,l
- t -
n )
Show that if alo, then there existsa positiveinteger n with

325
9.4 Euler Pseudoprimes
15. Show that if a 10. then
l. EvaluateJacobisymbolsusingthe methodof Theorem9.7.
2. Evaluate Jacobi symbolsusing problems4 and 7.
3. Evaluate Kronecker symbols (definedin the problem set).
al
IFJ
: Jr
[- r
if a > 0
i f a < 0 .
and let b be an integer not divisibleby p.
( ' t
_ l4l(modp).
lp )
Hence,if we wish to test the positiveintegern for primality, we can take an
integerb, with (b, il : l, and determinewhether
r,'l
6h-D/2
: lg I (mod
n),
ln )
9.4 Euler Pseudoprimes
Let p be an odd prime number
By Euler'scriterion,we know that
6b-t)lz
wherethe symbolon the right-handsideof the
symbol.If wefindthatthiscongruence
fails,thenr
Example.Let n :341 and b :2. We calculate
Since341: -3 (mod8), usingTheorem
9.5 (iv),
congruence is the Jacobi
is composite.
that 2r7o= 1 (mod 341).
(t I
we seethat | -. I : -1.
l.34r
.l
Conseque
ntly,2t7o
g
[+
(mod 341). This demonstratesthat 341 is not
prime.
Thus, we can definea type of pseudoprimebasedon Euler's criterion.
Definition. An odd, composite,positiveinteger n that satisfiesthe congruence

6h_D/2
__
f
ql
,_"dn),
l" )
where 6 is a positiveinteger is called an Euler pseudoprimeto the base
b.
An Euler pseudoprime to the base b is a composite integer that
masquerades
as a prime by satisfying the congruencegiven in the definition.
Example.Letn:1105 andb:2. wecalculatethat 2s.s2-I (modll05).
Since'1105= I (mod
8), we see that l+] : t. Hence,
r I lllos)
-
2552
--
I+ | (-oa l 105). Because
I r05 is composite,
it is an Euler
l-1105
,l
pseudoprime
to thebase
2.
326
QuadraticResidues
The following propositionshowsthat everv Eulerpseudoprime
to thebase
D
is a pseudoprimeto this base.
Proposition 9.1. If n is an Euler
pseudoprime
to the baseD.
pseudoprimeto the base b, then n is a
Proof. If n is an Eulerpseudoprime
to the base6, then
6G-t)/2
-
fal (mod
n).
ln )
Hence, by squaring both sidesof this congruence,we find that
( 2
16b-D/212-
lql (modz).
lr)
(. )
Sincelgl: t l, we seethat
l, )
pseudoprime
to thebase
D. tr
= I (mod n). This means that n
Not every pseudoprimeis an Euler pseudoprime. For example, the integer
341 is not an Euler pseudoprimeto the base 2, as we have shown. but is a
pseudoprimeto this base.
we know that every Euler pseudoprimeis a pseudoprime. Next, we show
that the converseis true, namely that every strong pseudoprimeis an Euler
pseudoprime.

9.4 EulerPseudoPrimes
327
Theorem 9.8. lf n is a strong pseudoprimeto the base b, then n is an Euler
pseudoprime
to this base.
Proof. Let n be a strong pseudoprimeto the base b. Then if n - | : 2't '
where / is odd, eithe-r bt : I (mod n) or b2" = -1 (mod n) where
0 ( r ( s-1. Let n: fI pi'be the prime-power
factorization
of n '
f : l
First, considerthe casewhere b' = I (mod n)' Let p be a prime divisor of
n. Since b, = l(modp), we know that ordo6lr. Becauser is odd, we see
that ordob is alsoodd. Hence, ordrb I b-l)12,since ordob is an odd divisor
of the eveninteger 6Q) - p -1. Therefore,
6Q-r)/2= I (modP)'
Consequently,
by Euler'scriterion
f a l
, wehave
|-;j
: t
r
To compute
the JacobisymbolI+ I' we notethat
ln )
p dividingn. Hence,
lil:'for all primes
lnl
: l+] -ft
Inr
lfrrl
=t
Since bt =1 (mod n), we know that b'-r :
we have
Illo':r.
IP'J
(b')2' = I (mod n). Therefore,
|r
b,-t:[a[=t(modn).
ln )
We concludethat n is an Euler pseudoprimeto the baseb.
Next. considerthe casewhere
6rt : -l (modn)
for somer with 0 ( r ( s - 1. If p is a prime divisorof n, then
b2't= -l (modp).
Squaring both sidesof this congruence'we obtain

328
b2"', = l (modp).
This impliesthat ordob | 2'+rv, but that ordobI z,t. Hence,
where c is an
2'+tl(p-l).
Therefore,we
we have
Becausec is odd, we
(e.e)
r e c a l l i n g t h a t d : ( p
pr : 2'rrdi + l, it fol
Quadratic Residues
ordrb : 2'*rc,
odd integer. Since ordobl(p-l) and 2,+tlordrb, it followsthat
havep :2r+rd * l, whered is an integer. Since
6(ord,b)/2
- -l (modp),
r
I
A
| = 6Q-D/z : 66rd,b/z)((p-D/ord,b)
lp )
- (- r!Q-l)/otd,u: (-11Q-r)/2*', (mod p).
knowthat (-t)' : -1. Hence,
r)
l+ | : (-1)rr-r)rz'*'
: (-l)d,
lp)
-I) /2'+t. Since each prime p; divid ing n is of the form
lows that
m
n : fI pj'.
t - l
m
:
fI (2'+td,+ l)o,
,;,
:
fI (l + 2'+raid;)
t - l
m
= I + 2'+t > aidi (mod 22r+2).
m
) r sZ/
i - l
Therefore.
t2'-t : h-D/2 a;di (mod 2'+t).

329
9.4 EulerPseudoprimes
This congruenceimPliesthat
12s-t-r = i aidi (mod 2)
i - l
and
(9.10) 66-r/2 : (6rt7z:-'- : (-t)'.*
On the other hand, from (9.9), we have
lnl: ft[+.|.
: fr((-r)d,).,
InJ ,.:r|.p,J i_r
Therefore,combining the previousequation
6(n-t)/z
- [ql
ln)
2 o'd'
: (-1)t-t (mod n).
m ^) .fo,o,
: fI el)"'"' : (-1)i-t
t - l
with (9.10),we seethat
(mod n).
Consequently,n is an Euler pseudoprimeto the baseD' tr
Although every strong pseutloprimeto the base D is an Euler pseudoprime
to this base,note that not every Euler pseudoprimeto the base b is a strong
pseudoprimeto the baseb, as the following example shows.
Example. We have previously shown that the integer 1105 is an Euler
pseudoprimeto the base2. However, 1105 is not a strong pseudoprimeto the
base2 since
2(llos-l)/2
:2552: I (mod 1105),
while
20t0s-r)/22
:2276: 7gl + t 1 (mod ll05).
Although an Euler pseudoprime to the base b is not always a strong
pseudoprime to this base, when certain extra conditions are met, an Euler
pseudoprimeto the baseD is, in fact, a strong pseudoprimeto this base. The
following two theoremsgive resultsof this kind.
Theorem 9.9. If n : 3 (mod 4) and n is an Euler pseudoprime to the base
b, then n is a strongpseudoprime
to the baseb.

330
Quadratic Residues
Proof. From the congruencen = 3 (mod 4), we know that n-l : 22.t where
t : (n-l)/z is odd' Sincen is an Euler pseudoprime
to the baseb, it follows
that
bt : 6..'-t)/2
-
f
ql (mod
n).
ln )
r
tbl
Drnce l- | : +1, we know that either bt = l (modn) or
ln )
b' = -l (modn). Hence,
oneof thecongruences
in thedefinition
of a strong
pseudoprimeto the base b must hold. consequently,n is a strong
pseudoprime
to thebaseb. tr
Theorem9.10. If n is an Eulerpseudoprime
to the base6 and lal : -r.
l n l
then n is a strong pseudoprimeto the baseb.
'/
Proaf. We write n-l : 2't , where / is odd and s is a positiveinteger. Since
n is an Euler pseudoprimeto the baseb, we have
br-,t
: 6,.'-r)/2
-
fa l (mod
n).
ln)
r)
Butsincel4 I : -t, wesee
that
ln)
b'r-' = -l (mod r).
This is one of the congruences
in the definition of a strong pseudoprimeto the
baseb. Since n is composite,it is a strong pseudoprimeto ihe base,. tr
Using the conceptof Euler pseudoprimality,we will developa probabilistic
primality test. This test was first suggested
by Solovayand Stiassen[7g].
Before presentingthe test, we give somehelpful lemmata.
b'r-' = -l (mod r).
Lemma 9.3. If n is an odd positiveinteger that is not a
there is at least one integer b with | < b I ft,(b,n) :
perfect sguare,then
r, andl4 | : -,,
ln )
where is the Jacobi symbol.

9.4 Euler Pseudoprimes 331
Proof. If n is prime, the existenceof such an integer b is guaranteed by
Theorem 9.1. If n is composite,sincen is not a perfectsquare,we can write
n: rs where (r,s) : I and r: p', with p an odd prime and e an odd
positiveinteger.
Now let / be a quadratic nonresidueof the prime p; such a / exists by
Theorem 9.1. We use the Chineseremainder theorem to find an integer b
with 1 < b 1 n, (b,n) : 1, and suchthat b satisfies
the two congruences
Then,
b = t (mod r)
b = | (mods).
fal (ul
|,bl"-(_r),-_r,
f;J
:
l7): tp)
and
[*]
: , Since
[*]
:
ii] t1],',
ro,,ows
that
[*]
: -' r
Lemma 9.4. Let n be an odd composite
integer. Then thereis at leastone
integer
D with | < b I n, (b,n) : 1,and
r
66-D/z1 l4 | (mod
n).
ln)
integers not exceedingn and relatively
r )
l4 | (mod
n).
ln)
Proof. Assumethat for
primeto n, that
(e.1
l)
positive
6h-t)/2 :
Squaring both sides of this congruence tells us that
r t 2
l A l
b,-t : l3 I = (+ l)z : I (mod
n),
ln )
if (b,n) : I Hence, n must be a Carmichael number. Therefore, from
Theorem8.21,we know that n: Qt4z"'e, , whereQt,Qz,...,Qr
are distinct
odd primes.
We will now showthat

332
QuadraticResidues
6h-t)/2= 1(modn)
for all integers b with I ( b ( n and (b,n) :1. Suppose that b is an
integer such that
6h-r)/2: -l (mod n).
we use the chinese remainder theorem to find an integer a with
| 1 a { f l , ( a , n ) : l . a n d
a = b ( m o d q 1 )
a :- | (modQzQs.
. . q,).
Then, we observe
o.r2)
while
(e.13)
From congruences
that
oG-1)/2
-
6b-D/z: _l (modq1),
o ( n - r ) / Z
= I ( m o d e z Q t . . . Q , ) .
O.lD and (9.13),we seethat
o h _ t ) / 2
* + 1 ( m o d n ) ,
contradictingcongruence
(q.tt). Hence,we must have
6(,-t)/2= I (modn),
for all D with I < , ( n and (b,n) - r. Consequentry,
from the definition
of an Euler pseudoprime,we know that
6".-t)/2:|,a
j : I (mod
n)
l, )
for all D with I < b ( n and (b,n) : r. However,Lemma 9.3 tells us that
this is impossible. Hence, the original assumptionis false. There must be at
leastoneinteger6 with | < b 1 fl, (b,,D: l, and
|r
6G-D/z1 l4 | (modn). tr
ln )
We can now state and prove the theorem that
probabilisticprimality test.
the basis of the

9.4 Euler Pseudoprimes 333
Theorem 9.11. Let n be an odd composite integer. Then, the number of
positiveintegerslessthen n, relatively prime to n , that are basesto which n is
an Euler pseudoprime,is lessthan 6fu) /2.
Proof. From Lemma 9.4, we know that there is an integer b with
I < b 1 n , ( b , n ) : l , a n d
(s.rq 6b-r)/2
l f
ql (mod
n).
lnJ
Now, let e1,e2,...,e^denote the positive integers less than n satisfying
1 ( a; ( n, (ai,n) : l, and
r)
(e.ls) afn-rtrz
-
lLl (mod
n),
In )
for; : 1,2,...,m.
Let rr{2,...,rm be the least positiveresiduesof the integersbayba2,...,ba^
modulo n. We note that the integers rj are distinct and (ri,n): I for
j : 1,Z,...,frt.
Furthermore,
(e.16)
For, if it were true that
then we would have
,(n-,)t21
[+]
(mod
n).
,e-,)/2
-
[+]
(mod
n),
$a)(n-,)/2
-
l+l r-"0,r
This would imply that,
6h-t)/2o(n-t)/2
: t+l
Ir1J
and since(9.14) holds.we would have
[+]
(mod n),

334
QuadraticResidues
6."-t/2
_ fqI
l, )'
contradicting(9.14).
Since aj, j :1,2,...,m, satisfies the congruence (9.15) while
rj, j :1,2,...,n, doesnot, as (g.to) shows,
we know thesetwo setsof integers
share no common elements. Hence, looking at the two setstogether,we have
a total of 2m distinct positive integers lessthan n and,relativ-elyprime to n.
Since there are Qh) integers less than n that are relatively prime to /r, we
can conclude that 2m < qfu), so that m < eh)/2.
-filis
proves the
theorem. tr
From Theorem 9.1l, we seethat if n is an odd compositeinteger, when an
integer b is selectedat random from the integers 1,2,,....,n-1,
th; probability
that n is an Euler pseudoprimeto the base 6 is less than I/2. This leads to
the following probabilistic primality test.
The Solovay-StrassenProbabilistic Primality Test. Let n be a positive integer.
Select,at random, ft integersbpb2,...,boLorr the integers i,2,...,r-r. For
eachof theseintegersbj,j : 1,2,...,k,determinewhether
t+]
(modn)
6Q-t)/2
If any of these congruencesfails, then n is composite. If n is prime then all
these congruences hold. If n is composite, the probability that all k
congruences
hold is lessthan l/2k. Therefore,if n passes
this test n is ,,almost
certainlyprime."
Since every strong pseudoprimeto the base b is an Euler pseudoprimeto
this base, more composite integers pass the Solovay-Strassenprobabilistic
primality test than the Rabin probabilistic primality test, altirough both
requireO(kQag2n)3) bit operations.
9.4 Problems
l. Show that the integer 561 is an Euler pseudoprimeto the base2.
2. Show that the integer 15841 is an Euler pseudoprimeto the base
pseudoprimeto the base2 and a Carmichael number.
3. Show that if n is an Euler pseudoprimeto the basesa and 6. then n
pseudoprimeto the basea6.
2, a strong
is an Euler

4 .
5 .
9.4 EulerPseudoprimes 335
Show that if n is an Euler pseudoprime
pseudoprime
to the basen-b.
Show that if n= 5 (mod 8) and n is an
is a strong pseudoprimeto the base2.
6. Show that if n = 5 (mod 12) and n is an Euler pseudoprime
to the base3, then
n is a strong pseudoprimeto the base3.
7. Find a congruencecondition that guaranteesthat an Euler pseudoprimeto the
base5 satisfying this congruencecondition is a strong pseudoprimeto the base5.
n have prime-power factorization
zfqi for i:1,2,...,ffi, where
| * 2kq. Show that n is an Euler
6"II ((n-l)/2, p1-t)
j-l
l < b ( n , w h e r e
i f k r : 1 ,
/Z if kj < k and a; is odd for some j
otherwise.
9.4 Computer
Projects
Write programs
to do the following:
Determine if an integer passesthe test for Euler pseudoprimes
to the baseb.
Perform the Solovay-Strassen
probabilisticprimality test.
to the baseb, then n is also an Euler
Euler pseudoprimeto the base 2, then r
8. Let the composite positive integer
, : pl,pi, . . . ph, where pi : | *
k r ( k z ( < k - , a n d w h e r e n :
pseudoprimeto exactly
different basesb with
(
12
Dr:11
It
t

10
DecimalFractionsand
GontinuedFractions
10.1 DecimalFractions
In this chapter, we will discussrational and irrational numbers and their
representationsas decimal fractions and continued fractions. we begin with
definitions.
Definition. The real number a is called rational
are integerswith b * 0. If a is not rational. then
The following theorem tells
quotient (when the divisor is
rational.
a - a/b, where a and b
say that u is irrational.
If a is a rational number then we may write a as the quotient of two
integers in infinitely many ways, for if ot: afb, whereo uni b are integers
with b ;t' 0, then a : ka f kD wheneverfr is a nonzero integer. It is easy to
seethat a positiverational number may be written uniquely as the quotient of
two relatively prime positive integers; when this is done we say that the
rational number is in lowest terms.
Example. We note that the rational number ll/Zl is in lowest terms. We
also seethat
-tt/-21 - tt/2r : 22/42: 33/63
:
us that the sum, difference, product, and
not zero) of two rational number is again

1O.1 DecimalFractions
337
Theorem 10.1. Let a and B be rational numbers. Then a + 0, a - 0' a9'
anda/0 (when P+0 are rational'
Proof. Since a and p are rational, it follows that a : alb and B : cld' where
e, b, c, and d are integers with b * 0 and d * O' Then' each of the
numbers
a * B : a/b + cld : (ad*bc)/bd'
a - 0: a/b - c/d : (ad-bc)lbd'
a 0 - b / b ) ' k / d ) - a c f b d ,
a/0 : b /b) lG ld) : adlbc @*0 '
is rational, since it is the quotient of two integers with denominatcr different
from zeto. D
The next two resultsshow that certain numbers are irrational' We start by
considering ,/T
Proposition 10.1. The number '/T is irrational'
Proof. Suppose that .,,6 : alb, where c and b are relatively prime integers
with b I 0. Then, we have
2: a2lb2,
so that
2b2: a2.
Since 2lor,problem 3l of Section2.3 tells us that2la. Let q :2c, so that
b 2: 2 c 2 .
Hence,21b,, and by problem3l of Section2.3,2 alsodivides6. However,
since G,b)':1, we^know that 2 cannot divide both a and b' This
contradiction showsthat .6 is irrational' B
We can also use the following more general result to show that .6 it
irrational.
Theorem 10.2. Let o( be a root of the polynomial x' * cnlxn-t *
* cp * cs wherethe coefficients
ca,ct,...,cn-r,are integerswith cs * 0.
Then a is either an integer or an irrational number'
Proof. Supposethat a is rational. Then we can write ot: alb whete a and b

338 DecimafFractionsand ContinuedFractions
are relatively prime integers with b - o. Since ot is
x' + cr-1xn-l * * cp * ,0, we have
b / b ) , r c , _ t G / 6 y , - t * + c J a / D * c a : 0 .
Multiplying by bn, we find that
an + cn_pn-tb + * cpbo-r + csbn: 0.
Since
x,'-::'il
^:,,;;'i-. ,,n*'
u* * ,
''!n',*n',
u'^o!,',
u"rli-"
o;ui,
or
p
Since p I b and b I an , we know that p I a, Hence, by problem 3l of
Section 2.3, w: see that pla. Howiver, since (a, b) : l, this is a
contradiction which shows that b : t 1. Consequently,if a is rational then
d : * o, so that a must be an integer. tr
we illustratethe useof Theorem 10.2with the followingexample.
Example' Let a be a positiveinteger that is not the mth power of an integer,
so that "/i it not an integer. ThJn x/i i, irrationat by Theorem 10.1, since
"</7it a rootof xm- a. consequently,
such
";;.^
ur'^.,8,-18,-r:g'fr:";;
are irrational.
The numbers zr and e are both irrational. We will not prove that either of
thesenumbersare irrational here;the readercan find proofsin Itg].
We now considerbase 6 expansionsof real numbers, where b is a positive
integer,b > l. Let a be a real number,and ret a:Ial be the integerpart
of a, so that r:o--[a] is the fractionalpart of a and ot:a *7 with
0 < 7 < I' From Theorem 1.3,the integera has a unique baseb expansion.
We now show that the fractional part ^yalso has a unique base6 expansion.
Theorem 10.3. Let 7 be a real number with 0 ( y ( l, and let b be a
positiveinteger, b > | . Then T can be uniquely written as
r: ; ci/bi
j-r
a root of
where the coefficientsc;
the restriction that for
n 2 N a n d c , l b - 1 .
are integerswith 0 ( c;
every positive integer l/
< 6-l forj : 1,2,...,
with
there is an integern with

1O,1 Decimal Fractions
339
In the proof of Theorem 10.3,we deal with infinite series' We will usethe
following formula for the sum of the terms of an infinite geometricseries'
Theorem 10.4. Lets and r be real nurnberswith lr[ < t. Then
V ori: a/0-').
j-0
For a proof of Theorem 10.4,see[62]. (Most calculusbookscontaina proof')
We can now ProveTheorem 10'3'
Proof. We first let
c 1 : I b T l ,
so that 0 ( cr ( b_1, since0 < b7 < b. In addition,let
^ fr : b l - c r : b ^ Y
- l b l l '
s o t h a t 0 ( ? r ( l a n d
c 1 , 7 l
^ Y :
b
1
b
'
and ^yg for k : 2,3,..., bY
ck : [bfr-r]
We recursivelYdefinec1
and
nlk-t:+.+'
s o t h a t 0 ( c r ( b - t , s i n c e0 ( b z t - r 1 b , a n d 0 ( r t < I ' T h e n '
follows that
C 1 C " t C n
+ ^ Y ,
7:T* Ur*
*
n, b,
Since0 ( ln ( l, we seethat a 4lr/bn < l/bn. consequently,
)tgntO'
:0.
Therefore.we can concludethat

340
so that
( 1 0 . 1 )
Since c;
(10.2)
while
(10.3)
j:k+t
DecimalFractionsand ContinuedFractions
To showthat this expansion
is unique,assumethat
r : ; c 1 / b i : ; d j / b i ,
j - l j : l
whereo
5
r, < b-l and 0 ( d, < b-1, and,for everypositive
integer.v,
thereareintegers
n andm withi, * D-l andd* r b-1. Assume
that k is
the smallestindex-for which cr,* d1r,andassumethat c1,7 dr, (the case
cr 4 dp is handled
by switching
therores
of thetwoexpansions).
Then
o :
; k1-d1)lbi : (c*-d) /bk *
,i',
ki-d) /bj ,
j _ k + l
7: lim
n < 6
6
:
' )
r ,
.{,t " J
j : l
G1,-d1)
/bk :
; e1-c1)/bi
j - k + t
) d*, we have
b*-d) /bo > ,/uo.
j - k + l
l l L K + l
: ( b - l ) " u ,
| _ t/b
: l/bk,
where we have usedTheorem 10.4 to evaluatethe sum on the right-hand side
of the inequality. Note that equality holds in (10.3) if and only if
dj - c.i: b-l for al! i with 7 ) t 1t, and this occurs if and only if
dj :.b-l-and ci:0 for i 2 k+t. However,suchan instance
is excludedby
the hypotheses
of the theorem. Hence, the inequality in (tO.:) is strict, and
therefore, (to.z) and (10.3) contradict (to.t). ttris showsthat the baseb
expansionof a is unique. tr

1O.1 Decimal Fractions 341
The unique expansionof a real number in the form ). c1/bi is called the
J - t
base b expansionof this number and is denotedby kp2ca..)6.
To find the baseb expansion(.cp2ca..)6 of a real number 7, wo can use
the recursive formula for the digits given in the proof of Theorem 10.3,
namely
ck : lbt*-J ,
for k : 1,2,3,...
^fk : by*-t - lblt -J ,
where^Yo: ^Y,
Example. Let (.cp2ca..)
6 be the base8 expansion
of l/6.
- t -
c 1: [ 8 '
; l : 1 , ,
o
_ l _
c 2 : [ 8 ' ; ' l : 2 ,
J
_ )_
ca:[8']l-5,
J
_ t -
c a : [ 8 ' T l : 2 ,
J
cs:[8'?t:t,
^yt:8
+
-l :
^y2:s
+
-2:
^y3:B
+
-5-
74:8 +
-2-
^ys-s
+-s:
Then
I
T,
2
t'
I
T'
2
T'
I
T,
and so on. We seethat the expansionrepeatsand hence,
t/6 : (1252525..)8.
We will now discussbase b expansionsof rational numbers. We will show
that a number is rational if and only if its base D expansionis periodic or
terminates.
Definition. A base D expansion (.cp2ct..)r is said to terminate if there is a
positiveintegern suchthat c, - cn*l - cn+z: : 0.
Example. The decimalexpansion
of l/8, (.125000...)ro
: (.125)ro,terminates.
Also, the base6 expansion
of 419,(.24000...)o
- (24)6, terminates.
To describethosereal numberswith terminating baseb expansion,we prove
the following theorem.

342
Theorem10.5. The real numbera, 0 <
expansion
if andonlyif a is rational
anda
q I 1, has a terminating base D
: r/s, where 0 ( r ( s and every
prime factor of s alsodividesD.
Proof. First, supposethat a has a terminating base6 expansion,
(c 1c2...c)
6 .
d :
Then
Q :
b'
so that a is rational, and can be written with a denominatordivisibleonly by
primesdividing b.
Conversely,
suppose
that 0 ( a ( l, and
a : r f s .
where each prime dividing s alsodivides6. Hence,there
bN, that is divisible by s (for instance,take N to be the
the prime-power factorizationof s). Then
b N o t : b * r / t : e r ,
where sa : bN,, and a is a positive integer since slbr. Now let
(a*a^-1...aps)6 be the baseb expansion
of or. ln"n
a^b^*o^-tb^-r + . . . * atb*ag
is a power of D, say
largest exponentin
a : a r / b N :
: d*b--N + am_tbm-l-fl
: ( . 0 0 . . . a
m o m - t . . . a , a s )y .
6u
+ *a1b|-tr+ aob-N
Hence,a has a terminatingbase6 expansion.D
Note that every terminating base b expansion can be written as a
nonterminatingbase6 expansion
with a tail-endconsistingentirelyof the digit
b - 1 , s i n c e ( . c p 2 . . . c ^ ) r - ( c p 2 . . . c m - l b - l b - i . . . l u p i r
instance,(12)to: (.ttlll...)ro . This is why we require in Theorem10.3
that for every integer N there is an integer n, such that n ) N and

343
1O.1 Decimal Fractions
cn# b-l; without this restrictionbaseb expansions
would not
A baseb expansionthat doesnot terminate may be periodic,
I 13: (.333...)
1s'
| /6 : (.1666.'.)
to'
and
| /7 : (.t+ztst 142857
142857
..) rc'
be unique.
for instance
expanslon
Definition. A base b expansion (.cp2ca..)6 is called periodic if there are
positiveintegersN and k such that cn11: cn for n 7 N '
W e d e n o t e b y ( c p 2 . . . c v 1 - , ' ] ] - " * 1 - ' ) 6 t h e p e r i o d i c b a s e b
(.cp 2...c
7,1-
rclr...cry+
t -( tt...c
N+t-rc.nv
"') a' For instance'we have
r/3 : (.J)_.,0
,
716
: (.16)
ro,
and
ll7 : (.taxsz)ro.
Note that the periodic parts of the decimal expansionsof 1/3 and l/7 begin
immediately, while in the decimal expansionof l/6 the digit I proceedsthe
periodic pirt of the expansion. We call the part of a periodic base b
L*punsion precedingthe periodic part the pre-period, and the periodic part
thi period, where we take the period to have minimal possiblelength'
Example. The base 3 expansionof 2/45 is (.ootorzr)r. The pre-periodis
(001)3and the periodis (Ot2l)3.
The next theorem tells us that the rational numbers are those real numbers
with periodic or terminating baseb expansions. Moreover, the theorem gives
the lengths of the pre-period and periods of base b expansionsof rational
numbers.
Theorem 10.6. Let b be a positiveinteger. Then a periodic baseb expansion
representsa rational number. Conversely,the base b expansionof a rational
number either terminates or is periodic. Furthero if 0 < a ( 1, a: rfs,
where r and J are relatively prime positive integers, and s : T(J where every
prime factor af T divides 6 and (U ,b) : 1, then the period length of the base
b
""punrion
of a is ordyb, and the pre-period length is .l/, where N is the
smaliestpositiveintegersuchthat TlbN.

344 DecimalFractionsand ContinuedFractions
Proof. First,suppose
that the baseD expansion
of a is periodic,
sothat
a: (.crrr...r*ffi)o
c 1 c t
I - J -
b 6 2
C 1 C ' ;
I - J -
b 6 2
where we have usedTheorem 10.4to seethat
€ l
s ^ _
t"^ ojo
6tc
, I b k - l
r - . _
b k
Since a is the sum of rational numbers, Theorem l0.l tells us that a is
rational.
Conversely,supposethat 0 ( a ( l, a : r /s, where r and s are relatively
prime positive integers, s : T(J, where every prime factor of T divides b,
Ql,b): 1, and I/ is the smallestintegersuch-that Tlb*
Since Tlb*, we haveaT: bN, where c is a positiveinteger. Hence
(10.4) b N a : b N L - o r
T U U
Furthermore,
wecanwrite
(r0.5) ar c
i:n*i,
where A and C are integerswith
0 < I < 6N, 0 < c < u.
and(c,u): l. (the inequality
forA follows
since
0 ( bNa: + < bN.
U
which results from the inequality 0 ( a ( I when both sidesare multiplied
by bN) . The fact that (C,tl): I followseasilyfrom the condition (r,s) : l.
From Theorem1.3,A hasa baseb expansion
A : (anan_t...epo)u.
lf U : l, then the base b expansion of a terminates as shown above.
Otherwise,Iet v : ord,ub. Then,

34s
b'#:
Qu+t)c
U
(modU).
C j
-+
62
where(cp2ca...)6
is thebase
b expansion
o'
t,so
that
where To :
(10.8)
ck : lblt -J , ^yk- b'yt-r - lbl*-J
for k :1,2,3,.... From (10.7)we seethat
* r"] t ru.
(tO.S),
notingthat 0 ( T, ( l,
(10.6)
where/ is an
(10.7)
Equatingthe
wefind that
(ro.s)
+t,
However,we alsohave
+ c' * al.
b' b')
integer,sinceb' = |
( - ( t
b'+:b'l]+
U L A
C
T,
(- (
b' *: lr,bu-t+ c2b'-z
+
U
fractionalpartsof (10.6)and
C
4 t : -
I v
u '
ConsequentlY,
we seethat
^Yv:
": t'
so that from the recursivedefinitionof c1,c2,...
we can concludeIhzt cpau: c1,
for k : 1,2,3,.,.. Hence
$
nuta periodicbaseb expansion
c - (n-rcr-Q6.
U
Combining (tO.+) and (10.5), and insertingthe baseb expansions
of A and
9. *. huu,
U'
bNa : (anan-1...atao
. c p2...cv)
6.
Dividing both sidesof (10.9) by bN, we obtain
a : (.00.
..anan-r...opoffi) u,
(where we have shifted the decimal point in the base b expansionof brya N

346 Decimal Fractions and Continued Fractions
spaces to the left to obtain the base b expansion of a). In this base D
expansionof a, the pre-period(.00...a,
an-t...ipo)a is of length N, beginning
with.A/ - h*1) zeros,and the periodf.ngit, ir r.
We have shown that there is a baseb expansionof a with a pre-period of
length r/ and a period of length v. To finish the proof, we must ,t o* that we
cannot regroup the base b expansionof a, so that either the pre-period has
length lessthan ry', or the period has length lessthan v. To do this, suppose
that
q: (.crrr...trffi)u
C 1 C t
:
b
*;* , cM+k
-;m
*#*(*)la.
k f t M - t + c2 b M - 2 q +cM)(bk-t) + Gyar6k-t+ f cTaap)
bM (bk -t)
Sinceq.: rfs, with (r,s) : l, we seethat slbM$k_D. Consequently,
TlbM
uTd ul(tk-o. Hence, M > N, and vlk (from Theoremg.l, since
bk = I (mod tD and v : ord,ub). Therefore,'the pre-periodlength cannot be
lessthan ,^/ and the period length cannot be lessthan v. D
We can use Theorem 10.6 to determine the lengths of the pre-period and
period of decimal expansions.Let a: r/s, 0 < a ( l, and , :2", 5r,, ,
where (1,10): l. Then, from Theorem 10.6 the pre-period has length
max (s1,s2)and the periodhas length ord,l0.
Example. Let ot:5/28. since 2g - 22.7,,Theorem
10.6tells us that the pre-
rylt:d
has length 2 and the period has length ord710: 6. Since
5/28 : (fiasll4z), we seethat theselengthsare correct.
Note that the pre-period and period lengths of a rational number r fs, in
lowestterms,dependsonly on the denominators, and not on the numerator/.
we observe that from Theorem r0.6, a base b expansion that is not
terminating and is not periodic representsan irrational number.
Example. The number with decimal expansion
or: .10100100010000...,
consisting of a one followed by a zero, a one followed by two zeros, a one
followed by three zeroes, and so on, is irrational because this decimal
expansiondoesnot terminate, and is not periodic.

347
The number d in the above example is concocted so that its decimal
expansionis clearly not periodic. To show that naturally occurring numbers
such as e and 7( are irrational, we cannot use Theorem 10.6, becausewe do
not have explicit formulae for the decimal digits of thesenumbers' No matter
how many decimal digits of their expansionswe compute, we still cannot
concludethat they are irrational from ihis evidence,becausethe period could
be longer than the number of digits we have computed'
10.1 Problems
l .
2.
3.
Show that dE is irrational
a) by an argumentsimilar to that given in Propositionl0'l'
b) usingTheorem 10.2.
Show that :/i + ..6 is irrational.
Show that
a) log23is irrational.
b) logob is irrational, where p is a prime and b is a positive integer which
is not a Power of P -
show that the sum of two irrational numbers can be either rational or
irrational.
4.
5. Show that the product of two irrational numbers can be either rational or
irrational.
6. Find the decimal expansionsof the following numbers
a) 2/5
b) slt2
c) r2113
7. Find the base
a) rl3
b) rl4
c) rls
d) 8lrs
e ) l l l l l
f) 1/1001.
8 expansionsof the following numbers
d) r16
e) rlrz
f) r122.
8. Find the fraction, in lowestterms, representedby the following expansions
a) .rz b) .i c) n.

9' Find the fraction, in lowest terms, representedby the following expansions
a) (.rzi, c) (.iT),,
b) (.oar6 d) (M),6.
l0' For which positiveintegersD doesthe base6 expansionof l r/zro terminate?
I l ' Find the pre'period and period lengths of the decimal expansionsof the
following rational numbers
il 7/t2 d) rc/23
b) tt/30 e) B/s6
c) t/7s f) t/6t.
12' Find the pre'period and period lengths of the base 12 expansionsof the
following rational numbers
a) t/+ d) s/24
b) r/B e) 17h32
c) 7/ro f) 7860.
13' Let b be a positive
integer.Showthat the periodlengthof the base6
expansion
of l/m ism - I if andonlyif z ispiimeand, i,
"
primitive
root
of m.
14. Forwhichprimes
p doesthedecimalexpansion
of l/p haveperiodlengthof
a ) l d ) 4
b ) 2 e ) 5
c ) 3 f ) 6 ?
15. Findthe baseb expansions
of
a) r/(b-r) b) r/6+D .
16. Showthat thebase
D expansion
of t/G-1)z;, 1.9ffirJp1;u.
17. Showthat therealnumberwith base6 expansion
(otzt.,.o-tlol rr2..)t,
constructed by successivelylisting the base b expansionsof the integers, is
irrational.
18. Show that
+.#.#.#.#

1O.1 Decimal Fractions
349
r9.
20.
is irrational, wheneverD is a positiveinteger larger than one.
Let byb2,fur... !s an infinite sequenceof positive integers greater than one'
Show that every real number can be representedas
,o*?.#+#;+,
where cs,c1,cz,c!,...
are integerssuch that 0 ( ct ( bp for k : I'2'3'""
a) Show that every real number has an expansion
C r C t r t +
to+l! *
zl* 3!
where cs,c1,c2,c!,-.-
are integersand 0 ( ct ( k for k : l'2'3'""
b) show that every rational number has a terminating expansionof the type
describedin Part (a).
Zl. Supposethat p is a prime and the base b expansionof llp is ('t,tr'-oJ"
so that the period length of the base b expansionof llp is p - l. show that
if z is a positiveinteger with I ( ln ( p, then.
m /p : (.cya1...coac
( 2...c1sacP)
6'
where k : indtm modulo P.
Show that if p is prime and l/p - ('ffi)6 has an even period length'
k :2t, thenci * ci+t: b-l for.,;r
: 1,2,"',t
The Farey seriesFn of order n is the set of fractions hlk whete h and' k
are integers,0 ( ft < k ( n, and (h,k): 1, in ascendingorder' Here, we
include 0 and I in the forms i and I respectively' For instance, the Farey
I
seriesof order 4 is
a) Find the Farey seriesof order 7.
b) Show that if a/b and c/d are successiveterms of a Farey series' then
b d - a c : 1 .
c) Show that if a/b, c/d, and e/f are successive
terms of a Farey series,
then
c a * e
7- E7'
22.
23.
0 l 1 1 2 3 l
T'T,T'T'7,7,T

3so DecimalFractionsand ContinuedFractions
d) Show that if a/b and,c/d are successive
ordern, then b*d ) n.
terms of the Farey seriesof
24. Let n be a positiveinteger,n ) l. Showthat I
not an integer.
l0.l Computer
Projects
Write computer
programs
to do thefollowing:
I ' Find the base6 expansionof a rational number, where b is a positiveinteger.
2' Find the numerator and denominator of a rational number in lowesr rerms
from its baseb expansion.
3' Find the pre-period and period lengths of the base D expansion of a rational
number, where b is a positiveinteger.
4' List the terms of the Farey seriesof order n where n is a positive integer (see
problem23).
10.2 Finite ContinuedFractions
Using the Euclidean algorithm we
continuedfractions. For instance, the
following sequence
of equations:
62:2.23 + lG
23: l.16+ 7
16:2-7 + 2
7:3-2 + l.
Whenwedividebothsides
of eachequation
by thedivisorof that equation,
we
obtain
62:r*16:,)r I
23 23
L
nlr6
?3-:t+L:t* I
16 16 16/7
16 : I + Z: r + I
7 7 7/2
+:3 +!.
2 2'
By combining
theseequations,
wefind that
can express rational numbers as
Euclidean algorithm produces the

3 5 1
1O.2 Finite Continued Fractions
62 :2+
23
:2+
:2*
:2*
1
23116
t
I
I - L :
r'
rc17
I
1+h
I
1+
2++-
3*;
The final expression
in the abovestring of equations
is a continuedfraction
expansion
of 62123.
We nowdefinecontinued
functions'
Definition
. A finite continued
fraction is an expression
of the form
I
a o t
a t l
ctz *
1
+-
an-rt L
an
where Qg,a1,a2,...,an
ale real numbers with Q1,Q2,Q3',"''
an positive' The real
numbers ej,a2,...,Q'narecalled lhe partial quotients of the continued fraction'
The continued fraction is called simple if the real numbers as,cr,...,an are all
integers.
Becauseit is cumbersome to fully write out continued fractions, we use the
notation Lso;a1,e2,...,Ctn|
to represent the continued fraction in the above
definition.
We will now show that every finite simple continued fraction representsa
rational number. Later we will demonstratethat every rational number can
be expressedas a finite simple continued fraction'

Theorem l0'7 ' Every finite simple continued fraction representsa rational
number.
Proof' we will prove the theorem using mathematical induction. For n : 1
we have
[ a o ; a r l : o o +
I * a o a r * l
a l o g
which is rational. Now assume.that for the positive integer k the simple
continuedfraction [ag;at,e2,...,ekl
is rational whlnevst as,or,...,ok
are integers
with a r,...,akpositive. Let as,at,...,ek+t
be integerswith er,...,ek+tpositive.
Note that
[ag.a1,...,ak+tl
: ag +
Ia;a2,..., a1r.a1ra1l
By the induction hypothesis,[a ria2,...,
ek,ek+r] is rational; hence,there are
integersr and s, with s*0, such that this continued fraction equals r/s.
Then
lao;a1,...,
ak,ok+tl : ag +
agr*S
which is again a rational number. tr
We now show, using the Euclidean algorithm, that every rational number
can be written as a finite simple continuedfraction.
Theorem 10.8. Every rational number can be expressedby u finite simple
continuedfraction.
Proof. Letx:a/b wherea andb areintegerswithb > 0. Letrs-a and
r't : b. Then the Euclidean algorithm prodr.", the following sequenceof
equations:
I
r/s

1O.2 FiniteContinuedFractions
r O : r 1 Q 1 * 1 2
r | : r 2 Q 2 * 1 3
1 2 : r 3 Q t l 1 4
:
ln-3 : fn'ZQn-Z* fr-t
f n - Z : f n - 1 Q n - 1 * f n
fn-l : tnQn
In the above equations 4z,Qt,.",Qn
equationsin fractional form we have
L :
l o
:
b / 1
t t :
r2
r Z :
r 3
Substituting
weobtain
(l 0.10)
Similarly, substituting
we obtain
353
Q 1 r 2 ( t t ,
0 ( 1 3 1 r r ,
0 ( r a 1 1 3 ,
0 ( r n - 1 1 t n - z ,
0 ( r n l r n - t
are positive integers. Writing these
t t I
Qr*;:qt+ 6
. 1 3 I
q2+;:Q2.Trt
ta, I
nr*;:et* rrt^
ln-3
:
tn-l -L I
:
Qn-2
-t -
rn-2 tn-2 rn-2/rn-t
l n - 2 : - L
, n
- n - - . + 4
r n - l '
Q n - l t
;
: q n - l - , n - r , / r ,
fn-l
: , Q N
rn
the value of r1/r2from the secondequationinto the first equation'
a l
T : 4 t t , t
4z r
,rlry
the value of r2fr3 from the third equation into (10.10)

354
Q z *
Continuing in this manner, we find that
Q r *
c
b
T:
q't+
Q z *
Q t *
* Q n - t
Hence
t:rnriQz,...,
qnl. This showsthat every
written as a finite simplecontinuedfraction. !
We note that continued fractions for rational
From the identity
Qt*+
rilrt
I
, l
Qn
rational number can be
numbers are not unique.
every rational number can be written as a
exactly two ways,one with an odd number
number (seeproblem 8 at the end of this
an : Gn-l) +
we seethat
[ag;a
1,e2,...,
en_t,onl: Iag;a1,ct2,...,
en_t,en
whenevera, ) L
Example. We have
1
#
: [o;I ,l,l,31
: [o;l,l,l,2,
I ].
I I
In fact, it can be shown that
finite simple continuedfraction in
of terms, the other with an even
section).
Next, we will discussthe numbersobtainedfrom a finite continuedfraction
by cutting off the expression
at variousstages.
Definition. The continuedfractions[as;a1,o2,...,
a1l, whereft is a nonnegative
integer less than n, is called the kth convergenr of the continued fraction

For k : l, we seethat
Cr : lao;a1l: as +
Hence.the theoremis valid for k : 0
Now assume that the theorem is
2 < k 1 n T h i s m e a n s t h a t
( 1 0 . 1 1 ) C k : [ ' a o ; a r , . . . ,
Q k l :
1O.2 FiniteContinuedFractions 355
[ao;a1,e2,...,
Qnl The kth convergentis denotedby Ct '
In our subsequentwork, we will need some propertiesof the convergentsof
a continued fraction. We now develop these properties, starting with a
formula for the convergents.
Theorem 10.9. Lel ag,a1,e2,...,
an be real numbers,with a 1;a/;...,a, positive'
Let the sequences
P0,Pt,...,
Pn and qs,qt,"',Qnbe definedrecursivelyby
P o : a O Q o : I
P t : a s o l * l q 1 : a r
and
: okPk-t
Then the
t P*-z Q k : a p Q t - t t q * - z
for /c : 2,3,..., kth convergent
Ck : I'ao;at,.'.,
okl is givenby
Cp --
P*lqr'
proof. we will prove this theorem using mathematical induction. For k : 0
we have
Co: lael : asll : Polqo.
P*
n .
! :
a o a t * l
: P t
a 1 a 1 Q t
a n d k : l
true for the positive integer k where
P k : a * P x - r * P t - z
Q* atrQt
-t * qtr-z'
Becauseof the way in which the p;'s and 4y'sare defined,we seethat the real
numbers p*-r,p*-z,Qk-1, and Q*-z depend only on the partial quotients
e0,er,...,
ak-r . Conr"quently, we can replace the real number ap by
a* * lla*+t in (t0'l I), to obtain

3s6 Decimal Fractions and
Ct+r : [ag;at,...,ok,ok+rl
: Iao:a1,...,
(tk_t,ok
+l
o k + t
.
*)nr-,*q*-z
["^
Continued Fractions
+!l
ap
P*-r t p*-z
l"r
a*n(arp*-r * p*-z) * p1,-1
a p a l ( a l r Q r r - t * Q t _ ) * q t _ t
_ o*+Pt * P*-r
a*+fi* * q*-r
_ P*+t
Q*+t
This finishesthe proof by induction. D
we illustratehow to useTheorem 10.9with the followingexample.
Example. we have 173/55: [3;6,r,71. we computethe sequences
p1 andq,
f o rj : 0 , 1 , 2 , 3 , b y
Po: 3
Pt:3'6+l: 19
Pz: l'19+3:22
Pt:7'22+19: 173
Q o : I
Q l : 6
Q z : l ' 6 * l : 7
43- 7'7+6: 55.
Hence,the convergents
of the abovecontinuedfraction are
Co : po/qo: 3/l : 3
C t : P t / q t : 1 9 / 6
Cz: pz/qz : 22/7
C t : p J q t : 1 7 3 / 5 5 .
We now state and proveanotherimportant propertyof the convergents
of a
continuedfraction.
Theorem 10.10. Let k be a positiveinteger,k 2 | Let the /cth convergent
of the continuedfraction las;ar,...,onlbe c1 : p*/qt, wherept< and,
q1,ai as

'1O.2FiniteContinuedFractions 357
definedin Theorem 10.9. Then
PrrT*-r' P*-t4t'
: (-l)k-l'
Proof. We use mathematical induction to prove the theorem' For k : I we
have
P t Q o -P o T 1 : ( a s a l + l ) ' l - a s a t: l '
Assumethe theorem is true for an integer k where I < ft I tt , so that
Pt Q*-r
-
P*-rQt
: (-l)t-l'
Then, we have
Pt+rQt
-
P*Qt+t (arr+rpt* pr-)qr, -
P*(arrttQ** Qr-)
P t - t Q t
-
P tq * - t : - ( - l ) k - t : ( - 1 ) k '
so that the theorem is true for k + l. This finishesthe proof by induction. tr
we illustrate this theorem with the example we used to illustrate Theorem
10.9.
Example. For the continuedfraction [3;6,1,71
we have
P o Q t
-
P r Q o : 3 ' 6- 1 9 ' l : - l
P r Q z - P z Q l
: 1 9 ' 7- 2 2 ' 6: I
PzQt
-
PtQz: 22'55- 173'7: -1'
As a consequence
of Theorem 10.10,we seethat the convergentspt lqx for
k:1,2,... are in lowestterms. Corollary10.1demonstrates
this.
Corollary 10.1. Let C*: p*lqr, be the kth convergent of the simple
continuedfraction las;ar,...,8211,
wherethe integersPt and qp are as definedin
Theorem 10.9. Then the integersPr, and qy are relativelyprime.
Proof. Let d : (p*,q*). From Theorem 10.10,we know that
P * Q * - r
-
Q * P * - r : ( - l ) k - l '
Hence, from ProPosition1-2we have
d I el)k-r.
Therefore,d : l. B

3s8 Decimal Fractions and Continued Fractions
we alsohavethe foilowingusefurcoroilaryof Theoremr0.10.
corollary 10.2- L?t ck : pr/qp be the kth convergent of
continuedfractionlao:a1,e2,...,
e11l Then
the simple
for all inregers
k with I < ft
Cp-
{- ) * - r
C1,- Cr-r :
QtrQ*_r
n Also,
^ a l r G ) k
- x - 2 :
QtQt-z
for all integers
k with 2 < k ( n .
Proof. From Theorem10.10we know thatplrQ*_t-
Q*pr_r: (_l)k-l
We obtainthe first identitv.
n r p r _ r ( _ t ) k - l
Ck - Cft-r : ''n -
Qr Qt-r QtQ*_r
by dividing
To obtain
both sidesby qrQ*_r .
the secondidentity,notethat
r . - r - P t ' P t ' - z P * Q r - z - P * - z Q *
L t - L k - z : - : -
Q* Q*-z Q*Q*-z
sincePk : atp*-r * p*-z andq2 : okek-r * q*-2, we seethat the numerator
of the fractionon the right is
P*Q*-z- prr-zQ*: (a*p*_t * p*_z)qk_2
- p*_z(arQr,_r
* Qr_z)
- at(Ptr-tQtt-z
- p*-zQ*-)
: arr(-l)k- 2,
where we have used Theorem
Pr-tQt,-z-
Pt-zQ*-r : (- Dk-z.
Therefore,we find that
C p - C k - z :
a 1 , G D k
Q*4 tr-z
is the second identity of the corollary. tr
10.r0 that

1O.2 Finite Continued Fractions
359
Using corollary 10.2we can provethe followingtheoremwhich is useful
whendeveloping
infinitecontinuedfractions'
Theorem l0.ll. Let c1 be the kth convergent
of the finite simplecontinued
fractionlag:at,Q2,...,
Qnl. Then
C r ) C l ) C s ) '
Co ( Cz 1 Cq 1 '
and everyodd-numbercd
convergent
Cri*r ' i :0'l'2"" is greaterthan every
even numberedconvergentCzi,-l: 0,1.2,"'
Proof. SinceCorollary10.2tellsus that, for k : /'3'"''rt'
C1r-C*-z:#'
we know that
Cp 1 C*-z
C* ) C*-z
Ct 7 Ct ) Cs
whenk isodd,and
whenk iseven. Hence
and
Co ( Cz 1 Cq 1
To show that every odd-numberedconvergentis greater than every even'
numberedconvergent,
note that from Corollary 10.2we have
C z ^ - C z r ' -
( - l ) 2 - - r ' o '
n - l
-
Q z ^ Q z ^ ' t
so that Cz^-t 7 Cz^. To compareC21,and Cri-r, we seethat
Czj-r) Crj*z*-l > Crj*ro ) Cz*'
so that every odd-numberedconvergentis greaterthan every even-numbered
convergent.tr

360
Example. Considerthe
convergentsare
finite simplecontinuedfraction 12:3,1,1,2,41.
Then
C o - 2 / l - 2
C 1 - 7 / 3 : 2 . 3 3 3 3 . . .
C z - 9 / 4 : 2 . 2 5
C : : 1 6 / 7 : 2 . 2 8 5 7 . . .
C + : 4 l / l S : 2 . 2 7 7 7 . . .
Cs : ftA/79 : 2.2784...
.
the
We seethat
Co : 2 1 Cz: 2.25I Ca : 2.2777...
( Cs :2.2784... ( Cr :2.2957... ( Cr :2.3333...
10.2 Problems
l ' Find the rational number, expressedin lowest terms, representedby each of the
following simple continued fractions
a) IZ;ll e) [r;r]
b) [t;z,z] f) [l;l,l]
c) [0;5,0] e) [I;t,l,l]
d ) [ 3 ; 7 , 1
5 , 1
] h ) [ l ; I , l , l , l ] .
2' Find the simple continued fraction expansion not terminating with the partial
quotient one,of each of the following rational numbers
il 6/s d) slsss
b) 22t7 e) -4311001
c) t9/29 f) 873/4867.
Find the convergentsof each of the continued fractions found in problem
Let up denote the kth Fibonaccci number. Find the simple continued
terminating with the partial quotient of one, of u1,-,1fup,
where ft is a
2 .
fraction,
positive
lnteger.
5. Show that if the simple
a, a.)1, is [a6;at,...,akl,
continued fraction expressionof the rational number
then the simple continued fraction expressionof l/a is
l};a o,ar,...,ak'l.
6. Showthat if ae * 0, then

1O.3 InfiniteContinuedFractions 361
P * / p * - r
: I o o i a * - t ,
. - . , a 1 , a s l
and
q* /q tr-r: I'au:ar-r,"',a2,a11,
where Ck-r: p*-t/qrr-r and C* : pt lq*,k ) l,are successive
convergents
of the
continuedfraction la6;a1,...,an1 (Hint: Use the relationP*
: a*P*-1 * pp-2 to
showthat pt /p*-r: ar * I/(px-t/p*-).
Show that q1,) u1,for k:1,2,... where c*: p*lqr is the kth convergentof the
simple continued fraction las;a1,...,an1
and all denotesthe kth Fibonacci number'
Show that every rational number has exactly two finite simple continued fraction
expansions.
Let lao;ar,a2,...,a211
be the simple continued fraction expansion of rls where
(r,s): I and r)l Show that this continued fraction is symmetric, i'e.
os: a21tat
: an-td2: an-2,...,
if and onlyif s l(r2+t) if n is oddand s l(r2-t) if
n is even. (Hint: Use problem6 and Theorem 10.10).
10. Explain how finite continued fractions for rational numbers, with both plus and
minus signs allowed, can be generated from the division algorithm given in
problem 14 of section1.2'
ll. Let as,ar,a2,...,ak
be real numberswith a r,o2,...positive
and let x be a positive
real number. Show that Ias;a1,.'.,ar,l
1 lao;a6--.,a1,*xl if k is odd and
Ias;a1,...,at1
> [ao;a1,.'.,o1r*x]
if t is even.
l. Find the simple continued fraction expansionof a rational number
2. Find the convergentsof a finite simple continued fraction.
10.3 InfiniteContinued
Fractions
Supposethat we have an infinite sequence
of positiveintegersQo,Qt,ay,...
.
How can we define the infinite continued fraction Las,at,a2,...l?To make
sense of infinite continued fractions, we need a result from mathematical
analysis. We state the result below, and refer the reader to a mathematical
analysisbook,suchas Rudin lezl, for a proof.
Theorem ll.l2. Let xs,x r,x2,... be a Sequence
of real numbers Such that
xo ( xr ( xz (... and x7,< u for k : 0,1,2,...for somereal numberu, or
x o 2 x r 2 x z 7 . . . a n dx t 2 L f o r k : 0 , 1 , 2 , . . . f o r s o m er e a l n u m b e rl .
7 .
8.
9.

Then the terms of the sequencexu,xr,x2,...tend to a limit x, i.e. there exists
a real number x such that
14to:"'
Theorem 10'12tells us that the terms of an infinite sequence
tend to a limit
in two specialsituations,when the terms of the sequence
are increasingand all
lessthan an upper bound, and when the terms of the sequenceare decreasing
and all are greaterthan a lower bound.
We can now define infinite continuedfractionsas limits of finite continued
fractions,as the following theorem shows.
Theorem 10.13. Let as,e
1,ct2,...be an infinite sequenceof integers with
ar,Qz,... positive,and let ck : lag;a1,a2,...,e1a1Then the convergentscp
tend to a limit ot.i.e
J4to:"'
Before proving Theorem l0.l 3 we note that the limit a describedin the
statement of the theorem is called the value of the infinite simple continued
fraction [as;at,o2,...1
.
To prove Theorem 10.13,we will show that the infinite sequence
of even-
numbered convergentsis increasing and has an upper bound and that the
infinite sequenceof odd-numberedconvergentsis decreasingand has a lower
bound. We then show that the limits of thesetwo sequences,
guaranteedto
exist by Theorem 10.12,are in fact equal.
We now will proveTheorem10.13.
Proof. Let m be an even positive integer.
cr ) ct) cs )
ca1cz1cq1
and C2i 7 Czn+t whenever 2j 4 m and
possible
valuesof m, we seethat
Cr ) Ct>. Cs)
co(czlc+(
From Theorem 10.1l, we seethat
) C^-t
1C^,
2k + | <. m . By considering all
) Czn-t ) Czn+,
1 Czn-z 1 C2n I
and czi ) Cz**t for all positive integers j and k. we see that the
hypothesesof Theorem rc.12 are satisfied for each of the two sequences
C1,C3,C2,...
and Cs,Cz,C4,...
. Hence,the sequence
C1,C3,C5,...
tendsto a

1O.3 lnfinite Continued Fractions
363
limit d1 and the sequence
Cs,C2,C4,"' tendsto a limit a2 ' i'e'
) i * c " * r
: d r
and
) * c "
: o ( 2 '
Our goal is to show that these two limits a1 and oQ are equal' Using
Corollary 10.2we have
Czn+r
- Ctn : lzn*t - Pzn -
(-l)(z'+tl-t
* z n
Q z n + t Q z n Q z n + l Q z , Q z n + l Q z n
Since e* 2 k for all positiveintegers/c (seeproblem7 of Section 10.2), we
know that
and hence
I
ezn+rQzn
-
(zn+l)Qn)
Czn*t - Cz,
Qzn+tQzn
tendsto zero,i.e.
nlim
(Czra1- C2n): 0.
Hence,the sequences
C1,C3,Cs,...and Cg,C2,C4,...
havethe Samelimit, since
j* (cr,*t - cz) :
,lg
Czn*t
-
,lg
cz, : o.
Therefore ayr: aq, z11d
we concludethat all the convergentstend to the limit
d : (rr : dz. This finishesthe proof of the theorem' D
Previously, we showed that rational numbers have finite simple continued
fractions. Next, we will show that the value of any infinite simple continued
fraction is irrational.
Theorem 10.14. Let os,,o1,e2,...
be integerswith a1,Q2,...positive. Then
Iao;ar,,a
2,...1
is irrational.
Proof. Let a : las;at,ctz,...l
and let

364
denotethe /cth
shows that C2,
However,from
Cr : pr/qp :
convergentof
a. When
( a ( Czr+t, sothat
0 ( a - Czn I
Corollary 10.2,we know
Czn*t - C2n:
[ao;a
t,...,akl
n is a positiveinteger,Theorem 10.I I
Czn*t - Czo .
that
I
4 z n + t Q z n
'
this meansthat
0 ( a - C z n : a -
and therefore,we have
Pzn
a
4zn Qzn+tQzn
0 1 aq2, - pzn 1 l/qzr+t .
Assume that a is rational, so that ot: e/b where a and b are
b + A. Then
o a o Q r " - p z n < I
,
b Qzr+t
and by multiplying this inequalityby b we seethat
0 1 a q 2 n - b p z n
Qz n + t
integerswith
Note that aq2, - bpzn is an integer for all positiveintegersn. However,since
Qzr+r) 2n*I, there is an integer n such that Qzn+t> b, so that
b/Qzr+t < I . This is a contradiction,sincethe integeraQzn- bprn cannotbe
between0 and I . We concludethat a is irrational. n
We have demonstrated that every infinite simple continued fraction
representsan irrational number. We will now show that every irrational
number can be uniquely expressed
by an infinite simplecontinuedfraction, by
first constructing such a continued fraction, and then by showing that it is
unique.

1O.3 Infinite Continued Fractions
365
Theorem f0.15. Let a: cvO
be an irrational number and define the sequence
Q0,
Qt, Q2,'..reCufsivelY
bY
c r k + l
: I / b t - a )
the value of the infinite, simple continued
Proof. From the recursivedefinition given above,we seethat ap is an integer
for every k. Further, we can easily show using mathematical induction that
a7,is irrational for every k. We first note that d0 : a is irrational' Next, if
we assum
e that a1, is irrational, then we can easily see that a,p1' is also
irrational,sincethe relation
d k + r : l / ( a t - a * )
I
o t k : A * * L s
q k + l
thenby Theorem
10.1,
andap is an integer,
we
a p l a t l a p * | ,
0 ( a 1 - a p < 1 .
a(k+t: 1l@* - ap) ) l,
a k + r : [ a r + r l ) 1
fsr k : 0, I , 2, ... . This meansthat all the integers
Note that by repeatedlyusing (tO.t2) we seethat
Qk : lapl,
for k : 0, l, 2,.... Then a is
fractionLag;
ar, az,-..1.
implies
that
(10.12)
and if d;611
were rational,
Now, sincea7,is irrational
so that
Hence,
and consequently,
a7. would also be rational'
know that 47,I at, and

366
Q : d 0 : a o *
a o *
DecimalFractionsand
I
I
: [as;al
u l
l .
: Ia6;a1,a2l
a t - f L
a2
ContinuedFractions
: Iag;al,o z,...,ctk,atr+ll.
: Q o *
a t i
az -f
* a 1 r *
I
otk+l
what we must now showis that the valueof las;at,o2,...,ek,c,k+1]
tendsto a
as ft tendsto infinity, i.e., as k growswithout bound. From Theorem 10.9,we
seethat
a : fag;ar,...,ok,ak+ll
:
a*+tP* * pt+t
at+rT* * q*-r
where Cj : pi/qi is the 7th convergent
of las;afl2,...1. Hence
a-Cp :
a*+rPr * p*-t pt
dtc+tQ* * q*-t Q*
-(Prqrr-t -
Prr-tQ*)
(ar+gr, * q*-)q*
( - t ) t
(ar+g* * q*r)qt
'
where we have used Theorem 10.10 to simplify the
hand sideof the secondequality. Since
a*+rQ* * qt-r ) at+flt * q*-r :
we seethat
numerator
Q k + | ,
on the right-

367
lo-c*L'*
QtrQx+t
SinceQr,2 k (from problem7 of Section10.2),we note that llq*qn*t tends
to zero as k tends to infinity. Hence, Cp tends to a as k tends to infinity' or
phrased differently, the value of the infinite simple continued fraction
las;a1,a2,...1is
a. tr
To show that the infinite simple continued fraction that representsan
irrational number is unique,we prove the following theorem.
Theorem 10.16. If the two infinite simple continued fractions las;at,a2,...1
and lbo;br,bz,...lrepresentsthe same irrational number, then ar: bx for
k : 0 , 1 , 2 , . . .
Proof. Suppose that a: lag;at,a2,...1. Then, since Co : 4o and
Ct: ao * l/at, Theorem10.11
tellsus that
a o 1 a 1 a g * I f a 1 ,
so that ao: lc-l. Further, we note that
[ag;a1,a2,."1
: ao
since
a : la s;ar,a2,...1
:
olgl[aoia
1,a
2,...,apl
: l i m ( a o + ,
I
, )
/<
-- lq 1ia2,Q3,...,apI
: d o *
: a o l
lim Ia1,o2,...,apl
/<--
I
--.
l O 1 i O
2 , O3 , .. .I
Supposethat
Our remarksshowthat
las;a1,a
2,...1
: lb oib
r,b2,...1.
a O : b O : l o l

and that
ao*+:bo
Io 1;a2,...1 " Ib ,.bz,...l
'
so that
Ia;a2,...!: [btibz,...l
.
Now assume
that a1r: bk, and that laptl;a1ra2,...1
:[bn*r;bt+2,...1.Usingthe
sameargument, we seethat apal : bpa1,o.1d,
a*+rl +- : bk-t+ '
I
Lapa2io1ra3,...l lb**t;b*+t,..1
'
which impliesthat
['ap,z;a1ra3,...
] : lb 1ra2;b
1ra3,...
I .
Hence,by mathematicalinductionwe see that a2 : b1,for k :0,1,2,... . D
To find the simple continued fraction expansionof a real number, we use
the algorithm given in Theorem 10.15. We illustrate this procedurewith the
following example.
Example. Let a : G. We find that
ao:lrfil:2, ant,
t
"E+Z
:G5:T
368
Since d3 :
ez: [Jo+zl: q
: J6+2
{e+z _
Qt:r*r:2, I
s . ) _ _
(J6,*2)-z
'2'
I
q { E . . . . . . . . : - :
-
Qo+D-4
d 1
2
n Hence
w e S e et h a t a 3 : o t , a 4 : e 2 , . . . , a n d s OO
^f6: 12;2,4,2,4,2,4,...1.
The simple continued fraction of -,.6'is periodic. We will discuss
simple continuedfractions in the next section.
The convergentsof the infinite simple continued fraction of an irrational
number are good approximationsto a. In fact, if p*/qt, is the 7th convergenr
of this continuedfraction, then, from the proof of Theorem 10.15,we know
that

369
1O.3 InfiniteContinuedFractions
so that
l"-polqol < llq*qx+t
lo - polqxl< tlq? ,
sinceQt I Q*+r.
The next theorem and corollary show that the convergentsof the simple
continued fraction of a are the best rational approximationsto a, in the sense
that prrlql is closer to a than any other rational number with a denominator
lessthan q1.
Theorem 10.17. Let a be an
the convergentsof the infinite
integerswith s ) 0 such that
irrational
numberandlet n1le1,
i :1,2,"', be
simplecontinued
fractionof a' If r and s are
lso-rl < lqo"-pol
thens 7 qr*t.
proof. Assume that lso-r | < lqr,o-pnl, but that 1 ( s I q*+r. We
considerthe simultaneousequations
P t x * P t + r l : r
Q t x * Q * + t ! : 5 .
By multiplying the first equation by Q* and the second by px, and then
subtracting the secondfrom the first' we find that
(Pt+rqr-PxQt +)Y - tQk - sP* '
From Theorem 10.10,we know tharppag* -
Pt Qt+l : (-l)fr, so that
y : (-l)k (rq1,-sP).
Similarly, multiplying the first equation by Qlrayand the secondby ppal and
then subtracting the first from the second,we find that
x : (-l)k(sppa;rQ*+).
W e n o t e t h a t x # O a n d y # Q . I f x : 0 t h e n s P t + t : r 4 k + t ' S i n c e
(px*t,qrr*) : l, Lemma 2.3 tells us that q*+tls, which implies that
Qt+t ) s, contraryto our assumption.If y :0, then r : pkx and s : Qkx'
so that

lso-rl : l" llqp-pr,l) lqro-p*l,
sinceIrl > l, contrary
to ourassumption.
we will now showthat x andy haveopposite
signs. First,suppose
y <0. Since
Qkx:s -Qt<+tl,weknowthatx
) 0,because{1x
) 0
Q* ) 0. When / ) 0, since Qtc+r!
2 q1ra1
) s, we see
that
and
that
Q k x : s -
Q * + r ! ( 0 , s o t h a t x ( 0 .
From Theoreml0.l l, we know that either
Pt+t/q*+r ( a ( Pr/q1r. In either case. we
Qr+p - p*+r haveoppositesigns.
Pt/qt ( a ( p*+r/qx+t or that
easily see that Qtea- pt, and
Fromthesimultaneous
equations
westarted
with,weseethat
lso-r | : lQorIql,lp)a - (po*+p**t)l
: lx(qp-pr) + yQ1,ap-p;-;it
combining the conclusions
of the previoustwo paragraphs,
we see that
x(qpa-pr) and!(Q*+p-p,t*r) havethesame
sign,sothat
lso-rl : l{ llqoo-pol
+ lyllq**p-pr,+rl
2 lxllqoo-pnl
) lqto-pr,l,
sincel*l>t. Thiscontradicts
ourassumption.
We haveshownthat our assumption
is false,and consequently,
the proofis
complete.tr
be an irrationalnumberand let pi/qi, j:1,2,... be
infinite simple continued fraction-of *. lf r/s is a
r and .r are integerswith s ) 0, suchthat
lo-r/tl < l"-p*/qol,
Corollary 10.3. Let q
the convergentsof the
rational number,where
then s ) q*.
Proof. Supposethat s ( qt and that
lo-r/sl < l"-pr,lqr,l.

371
By multiplying thesetwo inequalities,
we find that
sla-r lsl < qol"-Polqol
so that
lsa-tl < lqod-Pxl ,
violatingthe conclusion
of Theorem l0'17' tr
Example. The simple continued fraction of 7( is
o:li;j,15,1,292,1,1,1,2,1,j,...1.Note that there is no discernible
patternin
the sequenceof partial quotients. The convergentsof this continued fraction
are the best rational approximationsto r. The first five are 3, 22/7' 3331106'
3351113,
and 103993/33102.We concludefrom Corollary10.3 that 2217is
the best rational approximationof t with denominator less than 106, that
31.5lll3 is the besi rational approximationof zr with denominatorless than
33102.and soon.
we conclude this section with a result that shows that any
close rational approximation to an irrational number must be a
of the infinite simplecontinuedfraction expansion
of this number.
Theorem 10.18. lf a is an irrational number and if r ls is a rational number
in lowestterms,wherer and s are integerswith s ) 0, suchthat
lo-r/sl < t/2s2,
then r/s is a convergentof the simple continuedfraction expansionof a.
proof. Assume that r/s is not a convergentof the simple continued fraction
expansionof a. Then, there are successive
convergentspxlqx and ppallqp*t
suchthat Qn 4 s I Qrr+t From Theorem10.17,we seethat
lqoo-pol
< It ".-rl:
slq-r/sl < t/zs'
Dividing by qr we obtain
lo-polqol < 1l2sq*.
Since we know that tpo-rqol > t (we know that sP*-rQr is a nonzero
integersincer ls #pplqr), it followsthat
Finally,
sufficiently
convergent

372
(where we have used
above). Hence,we see
Consequently,
| - lspt-rq*l
- x
sQ* , sQ*
: lor
'-
tl
lqo sl
ll
I qrl
. l * l
2tq* 2s2
the triangle inequality
that
t/2sqp I t/2s2
to obtain the secondinequality
F:l
Zsqp ) 2s2,
which implies that q1,) s, contradicting the assumption. tr
10.3 Problems
L Find the simple continued fractions of the following real numbers
a) ,rf2
b) ^f3
c) -,/i
d) r+.6
.
2' Find the first five partial quotients of the simple continued fractions of the
following real numbers
a) 1/,
b) 2r
Find the best rational approximation to zrwith a denominatorlessthan 10000.
The infinite simple continued fraction expansionof the number e is
e : l2;1,2,1,1,4,
l,1,6,
1,1,g,...1.
thefirsteightconvergents
of thecontinued
fractionof e
c) (e-l)/(e+l)
d) (e2-t)/(e2+D.
a)

5 .
6 .
1O.3 Infinite Continued Fractions 373
b) Find the best rational approximation to e having a denominator less than
100.
Let d be an irrational number with simple continued fraction expansion
o : loo;ot,a2,...f Show that the simple continued fraction of -ot is
[ - a s - l ; 1 , a , - l , a s , a 3 , . . . l i fa 1 2 I a n d [ - a s - l ; a 2 l l d v " ' l i f a t : 1 '
Show that if p*lqx and,p1,a/q1a1 2f€ consecutiveconvergentsof the simple
continued fraction of an irrational number a, then
lo- pr/qrl < tlzqo'
lo - po*r/qo*,1
( l/2qla.
(Hint: First showthat lo - pr*r/q**,1
+ lo- polqol- lpo*r/q&+r
- pr,/qtl:
l/q*q**t usingCorollarY10.2.)
7. Let a be an irrational number , a ) I
simple continued fraction of l/a is the
the simple continued fraction of a .
Let a be an igational number, and let pllei denote the jth convergent of the
simple continued fraction expansionof a. Show that at least one of any three
consecutiveconvergentssatisfiesthe inequality
la- pileil < t/G/-sqil.
Conclude that there are infinitely many rational numbers plq, where p and q
are integerswith q # O,such that
l''- plql<rlG6q.
Show that if a - (l +lf9/2, then there are only a finite number of rational
numbersplq , where p and q are integers,q # 0, such that
lo-plql<t/(,/-sq2).
(Hint: Consider the convergents of the simple continued fraction expansion
or..6.)
10. If a and B are two real numbers, we say that p is equivalent to a if there are
integersa,b,c, andd ,such that ad - bc : il and 0 :
#
a) Show that a real number a is equivalent to itself.
b) Show that if a and p are real numbers with p equivalent to a , then a is
equivalent to B Hence, we can say that two numbers a and B are
equivalent.
. Show that the kth convergentof the
reciprocal of the (k-t)th convergentof
8 .
9.

c) Show that if a,S, andl, are real numbers such that a and B are equivalent
and B and l, are equivalent,then a and l, are equivalent.
d) Show that any two rational numbers are equivalent.
e) Show that two irrational numbers a and p areequivalentif and only if the
tails of their simple continued fractions agree, i.e.
a : Iag;a1,a2,...,ai,c1,c2,c3,...1
and g : [bo:b1,b2,...,b1r,c1,c2,ca,...1.
where
ai,t:0,1,2,...j, b1,i:0,1,2,...,k and c;, j : 1,2,3,...are intejers, all positive
except perhaps as and bs .
I I ' Let a be an irrational number, and let the simple continued fraction expansionof
a be a : Ias;aba2,.-.1. Let p*/q* denote, as usual, the &th convergent of this
continued fraction. We define the pseudoconvergntsof this continued fraction to
be
P*t/q*., : (tP*-r + pr-)/QQ*t * Q*-z),
where k is a positiveinteger, k > 2, and t is an integer with 0 < r I at, .
a) Show that each pseudoconvergentis in lowest terms
b) Show that the sequenceof rational numbers pt ,z/q*,2,...,
pk,o,-,/Qk,a,_,,
p*/e*
is increasingif k is even,and decreasingif ft is odd
c) Show that if r and r are integerswith s ) 0 such that
lo-rlsl ( l" -p*.,/q*.,|
where k is a positiveintegerand 0<r 1ak, then slqt ,, or
rfs : p*_t/q*_r.
d) Find the pseudoconvergents
of the simple continuedfraction of zrfor
k - 2 .
l. Find the simple continued fraction of a real number.
2. the bestrational approximations
to an irrational number.
10.4 Periodic ContinuedFractions
We call the infinite simple continuedfraction [as;at,az,...lperiodic if there
are positive integersN and k such that an : ara1, for all positive integers n
with n > N. We usethe notation

1O.4 PeriodicContinuedFractions
lag;at,o2,...,oN-r,m
to express
the periodic
infinitesimplecontinued
fraction
I a o:a l,a 2,...,Q
N - l,a N rQ
N + 1,"',a N +k -1'41y'41y
1 1'"' l'
375
For instance, tt;Z,lAl denotes the infinite simple continued fraction
I I ;2,3,4,3,4,3,4,...1.
In Section10.1, we showed that the base b expansionof a number is
periodicif and only if the number is rational. To characterize
thoseirrational
numbers with periodic infinite simple continued fractions, we need the
following definition.
Definition. The real number a is said to be a quadratic irrational if a is
irrational and if a is a root of a quadratic polynomial with integer coefficients,
i.e.
A a 2 + B a * C : 0 ,
whereA,B, and C are integers.
Example. Let a :2 * ,/7. Then a is irrational, for if a were rational, then
by Theorem10.1,a -2- .,,6would be rational,contradicting
Theorem10.2.
Next, note that
a2 - 4a t | : (7+4,fi - 4Q+,/t * I : o.
Hence a is a quadratic irrational.
We will show that the infinite simple continued fraction of an irrational
number is periodic if and only if this number is a quadratic irrational. Before
we do this, we first developsomeuseful resultsabout quadratic irrationals.
Lemma 10.f. The real number a is a quadraticirrational if and only if there
are integersa,b, and c with , > 0 and c 10, such t"hatb is not a perfect
squareand
: : (a+Jt) lc.
Proof. If a is a quadratic irrational, then a is irrational, and there are
integersA,B, and C such that Aaz + Ba t C :0. From the quadratic
formula. we know that

376 Decimaf
Fractions
andContinued
Fractions
-B*GQAC
( I : -
2A
Since a is a real number, we have82 - 4AC ) 0, and sincea is irrational,
82 - 4AC is
-not a perfect square and A r^0. By either taking
e : - B , b : 8 2 - 4 A C , c : 2 4 o , o : b , b : g 2 _ 4 ; t ,
- r ^ :
_ Z U , w O
have our desiredrepresentationof a.
Conversely,
if
where
a,b,andc areinte*.r-,
;;
'r"
,ti"i:O, and6 nota perrect
square,
then by Theorems10.1 and 10.2, we can easily see that a is irrational.
Further, we note that
c o 2 - 2 a c a + ( a 2 - b 2 ) : 0 .
so that c is a quadraticirrational. tr
The following lemma will be used when we show that periodic simple
continuedfractions representquadratic irrationals.
Lemma 10.2. If a is a quadratic irrational and if r,s ,t, and u are integers,
then (ra*s)/(to*u) is either rationalor a quadraticirrational.
Proof. From Lemma 10.1,there are integersa,b, and,
c with b > 0. c # 0.
and b not a perfect squaresuch that
a: (a+Jb)/c.
fur*cl)+rJb
(atrcu)+t Jt
IGr+cil +r JF lI ht +cil -t.'.6|
IGt *cu)+t .,/blt(at+cu)
-t ./nI
lGr *cs(at*cu)-rtblt[r (attcD -t Gr*cl)l../T
(at *cu)2-t2b

1O.4 Periodic Continued Fractions
377
Hence,from Lemma l0.l (ra*s)/Qa+d is a quadraticirrational'unlessthe
;;;d;i";,
"t
G is zero, which would imply that this number is rational' tr
In our subsequentdiscussions
of simple continued fractions of quadratic
irrationalswe *iil usethe notionof the conjugateof a quadraticirrational'
Definition. Let a -- (a+JD lc be a quadratic irrational' Then the coniugate
of a, denotedby o', is definedby a' : (a-Jb)lc'
Lemma 10.3. If the quadratic irrational d. is a root of the polynomial
Axz + Bx * C : 0, then the other root of this polynomialis a', the conjugate
of a.
Proof. From the quadratic formula, we see that the two roots of
A x z + B x * C : 0 a r e
_B*[EW
ZA
If a is one of these roots, then a' is the other root, becausethe sign of
tr4AC is reversedto obtain a' from a. tr
The following lemma tells us how to find the conjugatesof arithmetic
expressions
involvingquadraticirrationals'
Lemma 10.4. If a' : (aftbffd)/c1 and ,,2: (a2*bzJd)f cz are quadratic
irrationals,then
(i) (a1+a2)' -- al t a'2
(ii) (a;c.2)' : o| - d'2
(iii) (ap)' : d'td2
(iv) (c"rlc.)': a't/o.z.
The proof of (iv) will be given here; the proofs of the other parts are easier.
These appear at the end of this section as problems for the reader'
Proof of (iv). Note that

While
t G ftbr.'./Z)
/r,
v l l q )
".' Gr+bz,/cl)/cz
_ cr(a,+br/7) G 2-.b
z,/T)
_
: lb2)''/7
,,
, t , G;brE)/cz
. ^ l r s l - - - 7
-
"
--
" (or-brrE) /cz
cz(arbtQ)Gr+br,/V)
c{a 2- b2,/7 ) (az+b2,/7 )
_ kzapz-czbftzd) - (czazbrczaft)fi
Hence (at/a)' : or'r/a'2.D
The fundamental result about periodic simple continued fractions is
Lagrange's Theorem. (Note that this theorem is different than Lagrange,s
theorem on polynomial congruncesdiscussed
in Chapter 8. In this chapter we
do not refer to that result.)
Lagrange'sTheorem. The infinite simple continued fraction of an irrational
number is periodic if and only if this number is a quadratic irrational.
We first prove that a periodic continued fraction representsa quadratic
irrational. The converse,that the simple continued fraition of a quadratic
irrational is periodic,will be proved after a specialalgorithm for obtaining the
continuedfraction of a quadratic irrational is developed.
Proof. Let the simple continued fraction of a be periodic, so that
a : la g;at,,e
2,..,,a
N -r,ffi|
Now let
Then
0 : la1s;aN+r,...,41r+ft
l

379
1O.4 Periodic Gontinued Fractions
and from
( 1 0 . 1 3 )
where p*lq* andp1r-r/Q1r-1
ata convergents
of Ia11;av"1'"''oru+kl'Since the
simple continuedf.u.tlon of p is infinite, B is irrational, and from (tO't3) we
have
qr,02
t Qr,-r-P)0
- P*-r: a'
so that p is a quadratic irrational. Now note that
a : lag;a1,Q2,...,Q
N-r,01,
so that from Theorem 10'9 we have
0pr,r-ftPN-z
'a;;:fr;'
wherepN-t/qN-1 and pr,t-zlqN-2ute
convergents
of [ao;a t.a2'"''o7'1-11'
SinceB
is a q*Oruii. irrational, Lemma 10.2 tells us that a is also a quadratic
irrational (we know that at is irrational because it has an infinite simple
continuedfraction exPansion).D
To develop an algorithm for finding the simple continued fraction of a
quadratic irrational, we needthe following lemma'
Lemma 10.5. If a is a quadratic irrational, then d. can be written as
: @+,/V)/Q,
whereP,Q,andd are integefs,Q*O,d > O,d is nota perfect
square,
and
Q I Q - P 2 ) .
Proof. Since a is a quadratic irrational, Lemma 10.1tells us that
, : (a+Jb)lc,
where a,b, and c are integers, b > 0 , and c # 0 . We multiply both the
numerator and denominatorof this expressionfor q by Itl to obtain
g : lal;aN*I,...,4N
**,01,
Theorem 10.9,it followsthat
^ 1P*tP*-t
t) -
oq*tq*-r'

a . -
(where
we haveusedthe factthat lrl: -,tr. Now let p : alcl,e: clcl,
andd:bc2. Thenp,e, andd areintegers,
e l0 since
,70,d >O
(since6 > 0), d is not iperfect lQuaresinceb is not a perfectsquare,
and
finally
el@-p since
d-p2:6rz'oirz :;rbjoif:;T'(ilorl. n
We nowpresent
an algorithmfor findingthe sample
continued
fractions
of
quadratic
irrationals.
Theorem 10.19. Let a be a quadraticirrational,so
are integers Ps,Qs,and d such that
@o+,/7)/Qo,
that by Lemma 10.5there
whereQ0*0,d > 0, d is nota perfect
square,
andeel@-p&). Recursively
define
dk:(ro+,/7)/Qr,
Ctk: [a1],
P k + r : a t Q t - P k ,
Q**r : (d-roL*t)/Q*,
for k : 0,1,2,... Thena : fag;at,a2,...1.
Proof. using mathematical induction, we will show that pk and e* are
integerswith Q1,* 0 ande*l@-rp, for k:0,r,2,.... First,notethat this
assertionis true for k : 0 from the hypothesesof the theorem. Now assume
that P1 and Qp are integerswith e* * 0 and e*l@_p?i. Then
P k + r : a * Q t - P p
is alsoan integer. Further,
Q*+r: @-rf *r11qo
: [d-(o*Q,,-pr)2]/e*
: @-rfi/Qo + (2a1,P1,-a?er).
Since Qrl@-pil, by the inductionhyporhesis,
we see
and since d is not a perfect square, we see
Q*+t : @-rf*;/Qo t o . Since
that Qpal is an integer,
that d I Pi, so that
Q* : U-rf*1/Qo*t

1O.4 PeriodicContinuedFractions 381
we can concludethat Q1,ql@-pt*t) . This finishesthe inductiveargument.
To demonstratethat the integerses,a1,a2,...are the partial quotientsof the
simplecontinuedfraction of a', we useTheorem 10.15. If we can showthat
o(k+t
: llbr-ap),
then we know that a : fas;a1,a2,...1.
Note that
Pk + ,/7
a p - a k :
A f
- a p
: l^/7 - G*Qr,- P)llQ*
: G/7 - pt+) lQ*
: G/V- P**')(JV+ P*+)/er,G/T
+ P**r)
: @-rl*)/Q*QI + Pr*r)
: Q*Qr,n/Qr,G/7+ Pt*,)
: Q**r/('/i + Pr,*)
: lla*+r ,
wherewe haveusedthe definingrelation for Qp* to replaced-Ppzarwith
QtQ**r. Hence,
wecanconclude
thata : las;a1,e2,...f
. D
We illustratethe useof the algorithmgivenin Theorem10.19with the
followingexample.
Example.Let a : Q+J1)/2 . UsingLemma10.5,wewrite
: G+.,/N)
/4
fork:
wherewe setPo : 6, Q.o: 4
P r : 2 ' 4 - 6 : 2 ,
Qr
: (28-22)/4:6,
P 2 : l ' 6 - 2 : 4 ,
Qz : Og-+2)/o:2,
, and d : 28. Henceoo: [a] : 2, and
a 1
O 1
ot2
A 2
Q + ..E)/e,
IQ+,/z$/61
: r,
G+,,/Tg/2,
t

P3 - 4'2-!:4, d3 : e+.,m)/6,
Qt : Qg-+2)/2:6 o3 : tG+6>Jil:r,
P4 : l'6-4:2, d4 : e+rFZ$/q,
Qq - (28-22)/6:4, a4 : t7+.'-z$/il: t,
Ps - l'4-2:2, a5 : e+r/-Z$/6,
Qs - Q8-22)/4:6, a5 : t(z+,,/N)/61
: l,
andso,withrepetition,
since
pr: p5 ander: es. Hence,
weseethat
G+.n) /2 : I2;1,4,1,1,r,4,r,
1,...
I
: I2;1,4,1,11.
We now finishthe proofof Lagrange's
Theoremby showingthat the simple
continued
fractionexpansion
of a quadraticirrationalis periodic.
Proof (continued). Let a be a quadraticirrational,sothat by Lemma 10.5
wecanwritea as
o : (po + .,8) /eo .
Furthermore,
by Theorem
10.19
wehaveo: lao;ar,ez,...l
where
dk : (r1, + ,,/7)/Q* ,
ap : [apl,
Pwr : atQ*-Pk*t,
Q*r : Q -rf *1 /Qo*r,
f o r k :
Sincea
Taking
seethat
(ro.r+)
:Ia
s;a'
"")'lrl,o;
]:ffi_ll;l
Ijl"_
conjugatesof both sidesof this equation,
o' : (pr,-p'* * p*-) /(qt,-p'n
(tO.t4) for ol1,
, ws find that
that
* q*-).
and using Lemma 10.4,
* q*-).
When we solve

( P*-z
I
, -ex-,l"
-
tr- |
dk:
qk^ t , p*t t
,*t l
Note that the convergen
ts p*-z/Q1r-2and p*-rlqrr-t tend to a as k tends to
infinity, so that
t fr' - P*-t
I Q*-t
| , P*-z
la.
-
I Q*-z
tends
o ' t > -
to 1. Hence,there is an integerN suchthat
0 for k > l, we have
383
a'* 10 for k > N. Since
Zfi r0.
Qr
ly',
<d.
otk-Otk :
Pp + Jd Po-Jd
Q* Q*
sothatQ*> 0fork>N.
SinceQ*Qrr*,- d - P?*r,weseethat for k 2
0t ( Q*Q**r-- d - P?*t
Als ofork>N,wehave
Pl*, (d: Pl*t-Q*Qx*r,
sothat
- ,/7 I P*+r < -,/7.
From the inequalities 0 ( 0r ( d and - -,[d < P*+r <-r/7, that hold for
k > N , we seethat there are only a finite number of possiblevalues for the
pair of integersPx,Qx for k > N . Since there are infinitely many integersk
w i t h k > N , t h e r e a r e t w o i n t e g e r s i a n d T s u c h t h a t P i : P i a n d Q i : Q i
with i < j . Hence, from the defining relation for cu;., we seethat o(i : di
conseque
"t'*:;:;,";:"',i: ,-,,i:"',oi,*,'lo,ol,.;:,,':,.:,:
i:i-,,,
Hence
: Ia g;al,o2,...,ai-1,Qi,o
i +1,...,a
i -tl .
This shows that a has a periodic simple continued fraction. D

Next, we investigatethose periodic simple continued fractions that are
purely periodic, i.e. thosewithout a pre_period.
Definition. The continued fraction [as;at,ez,...fis called purely periodic if
thereis an integern suchthata1r: entk, for k :0,1 ,2,...,so
that
lag;at,az,...l:Iffi.
Example' The continued fraction tl;jl: (t+.1:) /2 is purely periodic while
[2;2,41: JA is not.
The next definition and theorem describe those quadratic irrationals with
purely periodic simple continuedfractions.
Definition. A quadratic irrational at if called reduced if a ) I and
-l ( a' ( 0, wherea'is the conjugate
of a .
Theorem 10.20. The simplecontinuedfraction of the quadraticirrational a is
purely periodic iI-and only if a is reduced. Further, if a is reduced and
a: l,as;at,e2,...,enl
then the continuedfraction of - l/oi i, to;o,,_ffi
Proof. First, assumethat a is a reduced quadratic irrational. Recall from
Theorem 10.15that the partial fractionsof the simplecontinuedfraction of a
are given by
f o r k : where
ek : lapl, otk+t : l/@tr-o*),
ato: d We see that
l / q t + t : e k - a k ,
using Lemma 10.4, we see that
l/a'*+t: c,'k
- a1r.
we can prove, by mathematical induction, that - I ( a1 ( 0 for
k:0,1,2,.... First,note that sincec.0: a is reduced,
-l l ao < 0. Now
assumethat -r 1 a'1,< 0 . Then, sincea* 21 for k :0,1,2,-... (notethat
ao2 I sincea > 1), we seefrom (tO.t5) that
l/ott+r < -1,
so that -l 1 a'k+t< 0 . Hence,-l < a) 10 for /c :
and taking conjugates,
(ro.
rs)

38s
Next. note that from (to.t5) we have
d ' k : a * * l l a ' * + t
1 a'* < 0 , it follows that
- l 1 a * * l f a ' 1 r a 1
t
<0.
and since-l
Consequently,
so that
Since
there
with
o i - l
we
di-z
(10.1
6)
-l - l/a'*+t 1 ax 1 -lf a'rr+r
,,
e k : [ - 1 / o r * r ].
a is a quadratic irrational, the proof of Lagrange'sTheorem showsthat
u.. nonn.gativeintegersi and i' i,< 7, such that ai 7-oi,
and hence
-1/u';: -l/aj. Since ai-t:l-t/ai il anOoi-t :I-t/a,| , we seethat
j t ,
j - l
: ej-'.. Furthermore, since oti-t: ai-t I llai and , dj-: : oj-t + llai
a l s o s e e t h a t a i - 1 : o i - r C o n t i n u i n g t h i s a r g u m e n t ' w € s e e t h a t
: o(j-z)ai-3: aj-30..',and finally, that ag : aj-i ' Since
d0 : a : Iag;a1,...,oi-i-t,ai-il
: la o;a 1,...,e
i -i -1,041
:loo.gr,Gl,
we seethat the simple continuedfraction of a is purely periodic.
To prove the converse,assumethat a is a quadratic irrational with a purely
periodiccontinuedfractiono:|ffio|.Sincea:|ag;a1,Q2,,...,a2,ot|,
Theorem 10.9tells that
aP* * P*-t
a:ffi,
where pr,_tlq*_r and p1rlq1,3;fethe (k-l)th and kth convergentsof the
continuedfraction expansion
of a . From (tO.t6), we seethat
(10.17) er,a2* (q*-rP)o -
Pt-r
: 0.
Now, let p be the quadratic irrational such
with the period of the simple continued
0 : lo*iek-r,...,at,ao,Al,
so that by Theorem
that g :latiatc-l,...,at,aol
, i.e.
fraction for a reversed. Then
10.9,it followsthat

D opi + pi-,
P - - . _ -
Fqr * q*-r
where pi-t/qL and pr,/q* are the (ft-l)th and kth convergentsof the
continued fraction expansionof B . Note, however,from probremi of section
10.2.that
Pt /p1r-1: lanian-1,...,et,eol
: pi/qi
and
Qt/q2-1 : farion-r,...,a2,e
l! : pL /qi_t.
Sincepi-t /qi-, ?d
pi/qi are convergents,
we know that they are in lowest
terms' Also, P*/pp-, and qp/q1-1 ilre in lowestterms, since Theorem 10.10
tells us that ppqp-r - p*-rQk : (-t)e-t . Hence,
pi - p*, Qt : pk-r
and
Pk-t - 4t<,Qt<-t: ek-t.
Insertingthesevaluesinto (l0.lg). we seethat
p,: 0p* * qr
1p*-r * qrt
Therefore,we know that
P r $ 2 * ( q * t - p r ) | - Q * : o
(ro.rs)
Thisimplies
(ro.
rq)
From
(to.tz)
that
er,Gt/ilz * (q*-r- pt) Gtlp) - pk_t:
and (10.19),we seethat the two rootsof the
4*x2 * (q*-r - p)x - p*-t : 0
quadraticequation
: -t/8. Since
s 7 ' : - l / p < 0 .
are a and -1/0, so that by the quadratic equation,we have a
0 : lanian-t,...,at,aol,
we see that p > I, so that -l <
Hence,a is a reducedquadratic irrational.
Furthermore,note that sincefi : -l/ot,. it follows that

10.4 PeriodicContinuedFractions 387
-l/o':ffiol' tr
We now find the form of the periodic simple continued fraction of '/D ,
where D is a positiveinteger that is not a perfect square' Although 6 is not
reduced, since its conjug-ate-,/D is not between -l and 0, the quadratic
r.*,o*r"i6-t; .6-ii r.duced,
since
its conjugate,
l,/Dl - '[5 ' does
lie
between-1 and 0. Therefore,from Theorem 10.20,we know that the
continued
fractionor [.lill +.,/D is purelyperiodic.Sincethe initialpartial
quotient of the simple continued fraction of tJD | +
"/D
is
iffaf + ,/Dl:21,/Dl:2a0, whereao:I../Dl ' wecanwrite
I,/DI+-,/D:tml-
: I2ao;at,Q
2,...,a
n,2Q
g,al,...,Q
rl'
Subtracting ao : ,/6 from both sidesof this equality, we find that
./D : la g;a3a2,...,2ag,,a
1,a
2,...2a
0,...1
:log;orro'zmol.
To obtain even more information about the partial quotients of the
continued fraction of ,/D, we note that from Theorem 10.20, the simple
continuedfraction expansionof -l /$'IDl -
"/D)
can be obtainedfrom that
for t.,6l + ..lD , by reversingthe period, so that
r/G/D-t.D1):tffi.
But also note that
6 -t-6-l:lo;orprGol,
so that by taking reciprocals,we find that
|/G/
D - t.D-l) - tor;o
rGrl -
Therefore,when we equatethesetwo expressions
for the
fractionof llG/D - t.D]) , weobtain
A l : Q n r Q 2 : C l n - y s . . . ; O n : O l ,
so that the periodic part of the continued fraction for ..lD
the first to the penultimate term.
simple continued
is symmetricfrom
In conclusion,we seethat the simple continued fraction of 16 has the form
..ld:loo;ffi.

388
We illustratethis with someexamples.
Example. Note that
8-
.16l
,Fqe -
,,/Te :
and
[4;l,3,1
,8]
ts,ffii.rol
16;l
,2,1
,1,2,6,2,1
,l,2,1
,l2l
[8;1,2,
l,I,5,4,5,
1,1,2,1,
I6l
-,/ri: tq;ml,
where each continued fraction has a pre-period of rength l and a period
ending with twice the first partial quotient which is symmetric from the first to
the next to the last term.
The simple continued fraction expansionsof ,E fo, positiveintegersd such
that d is not a perfect square and d < 100 can be found in Table 5 of the
Appendix.
10.4 Problems
l. Find thesimplecontinued
fractions
of
a) Jt d) ,/41
b) Jr r e) 6
c) Jzt r) ,/-gq.
2.
3 .
Find the simple continued fractions of
il o+,fi /z
b) Qq+,81)lt
c) (tt-.E)t.
Find the quadratic irrational with simple continuedfraction expansion
il [z;t,5]
b) tz;rSI
c) t2JJI.
4 . i l L e t d b e a p o s i t i v e
,,/N isla:Tdl.
Show that the simple continued fraction of

389
b) Uggrrt (a) to find the simple
continued
fractions
oi tffit't'fZgg' and
J22r0.
5. Let d be a integer,d 2 2'
a) Show that the simple continued fraction of ,/F is [d-l ;@l'
b) show that the simple continuedfraction of JFd is [d- t;zla-zl.
c) Ugparts (a) and (b) to find the simple continued fractions of rfg9' tffg'
,lnz. and..G60'
Shorylhat if d ,l un int"g.t, d > 3 , then the simple continued fraction of
,tm is[d-1'lH,l2d-21.
Show that if d is a positive integer, then the simple continued fraction of
'/fu. rsld;c$71.
Find the simple continued fraction expansionsof ,/6,.6f , anO -l,ft-gt
be an odd positiveinteger'
a)
6.
b)
c)
7. Let d
a) fraction of JF+ is
8.
9.
Show that the simple continued
ld;ffil,ird>l'
b) Show that thr __qgple continued fraction of J d2-q
la-lM,zd-zi,f d>3.
Show that the simple continued fraction of Ji , where d is a positive integer,
has period length one if and only if d : a2+l *here a is a nonnegativeinteger.
Show that the simple continued fraction of Jd , where d is a positive integer,
has period length two if and only if d : a2 + b where a and b are integers,
b > l , a n db l a .
prove that if 6,1: (ar+brJrl)lct and a2-- (a2*urJd)/c, ^re quadratic
irrationals, then
a) (a1*42)' : c,'t* o''2
b) (a1-a2)' : d'r - d2
c) (c''c.z)' : ot't'or2.
Which of the following quadratic irrationals have purely periodic continued
fractions
10.
1 1 .
a) l+.6
b) 2 + ,/-B
c) 4+',m
c) (tt - ,/-toltg
d) e + ,f?l)/z
e) (tz + -'.ft-g)l:t
12. Supposethat a : G+JF)/c, where 4,b, and c are integers,b ) 0, and b is
noi u perfecl square. Show that is a reduced quatratic irrational if and only if
o l a < J U a n d J b - a 1 c 1 ' J b * a 1 2 J b

13. Show that if
1
ir-u reducedquadratic jrrational, then _ l/a, is also a reduced
quadratic irrational.
14' Let k be a positiveinteger. Show that there are infinitely mgy positiveintegers
D, such that the simple continued fraction expansionof ,/6 h., , period of
length k. (Hint: Let at:2, e2:5, and for k > 3 let a1,:2ak_t I a*_z
Show that if p : (tar + l)2 * 2a1,-1
* r, where / is a nonnegativeinteger,
then rD has a period of length k + l.)
15' Let k be a
lgsitiu:
iF:r. Let Dk - (3k+t)2 + 3 Show that the simple
continued fraction of JOp has a period of length 6ft.
Write computer programsto do the following:
1' Find the quadratic irrational that is the value of a periodic simple continued
fraction.
2' Find the periodic simple continuedfraction expansionof a quadratic irrational.

11
some NonlinearDiophantine
Equations
11.1 Pythagorean
TriPles
The Pythagoreantheoremtells us that the sum of the squaresof the lengths
of the legs of a right triangle equals the square of the length of the
hypothenrur.. Conversely,any triangle for which the sum of the squaresof
the lengthsof the two shortestsidesequalsthe squareof the third side is a
right triangle. Consequently,to find all right triangles with integral side
lengths, we need to find all triples of positive integers x ,y,z satisfying the
diophantineequation
(rr.t) x 2 + ! 2 : 2 2
Triples of positive integers satisfying this equation are called
Pythagorean triPles.
Example. The triples 3,4,5; 6,8,10; and 5,12,,13are Pythagorean triples
because
32+ 42 : 5'.62 + 82: 102,and 52+ 122: 132.
Unlike most nonlinear diophantine equations,it is possibleto explicitly
describe all the integral solutions of (ll.l). Before developingthe result
describingall Pythagoreantriples,we needa definition.
Definition. A Pythagorean
triple x,!,2 is calledprimitive if (x,y,z) : l.
Example. The Pythagoreantriptes 3,4,5 and 5,I2,I3 are primitive' whereas
3 9 1

392 Some Nonlinear Diophantine Equations
the Pythagorean
triple 6,g,10is not.
Let x,!,2 be a pythagorean triple with (x,y,z) : d . Then, there are
integers xr, t,zr with x : dxi,y : dyt,, J ir,
""A
"i-r'r,,r1,21):
l.
Furthermore,because
we have
x 2 + y 2 : 2 2 ,
G / d ) 2 + ( y / i l 2 : ( z / d ) 2 ,
so that
x?+y?:r?.
Hence,xt,!t,21 is a primitive pythagoreantriple, and the original triple x,!,2
is simply an integralmultiple of this primitive pytgagoreantriple.
Also, note that any integral multiple of a primitive (or for that matter any)
Pythagoreantriple is again a pythagoreantriple. If x1])t,zt is a primitive
Pythagoreantriple, then we have
x? + y?: r?,,
and hence.
@ x ) 2 + ( d y r ) r : ( d z ) 2 ,
so that dx 1,dy1,dz
1is a Pythagoreantriple.
Consequently, all Pythagorean triples can be found by forming integral
multiples of primitive Pythagoreantriples. To find all primitive pythago*un
triples,we needsomelemmata. The first lemma tells us that any two integers
of a primitive Pythagoreantriple are relatively prime.
Lemma 11.1. If x,!,z is a
G,y) : (x ,z) : (y,z) : l.
primitive Pythagorean triple, then
Proof. supposex ,! ,z is a primitive pythagoreantriple and (x ,y) > l. Then,
thereis a primep such tha,t
p^l (xy), sothat p I x andp I y. Sincep I x
andp l.-y,*. know thatp | (r'+ y') :22. Because
p l;r,'*..un conclude
that p I z (using problem 32 of Section 3.2). This is a contradiction since
(x ,y,z) : l. Therefore
, (x g) : l. In a similar manner we can easilvshow
that (x ,z) : (y,z) : l. D

11.1 Pythagorean TriPles
393
Next, we establisha lemma about the parity of the integersof a primitive
PythagoreantriPle.
Lemma 11.2. If x,y,z is a primitive Pythagoreantriple, then x is evenand y
is odd or x is odd and Y is even'
Proof. Let x ,!,z be a Primitive
that (x ,y : 1, so that x and
both be odd. If x and Y were
we would have
)
x -
Pythagoreantriple. By Lemma 1l '1, we know
y cannot both be even. Also x and y cannot
both odd, then (from problem 2 of Section 2'1)
= vz = I (mod 4),
so that
2 2 : x 2 * y 2
This is impossible(again from problem
and y is odd, or vice versa. E
The final lemma that we need is a consequence
of the fundamental theorem
of arithmetic. It tells us that two relatively prime integers that multiply
togetherto give a squaremust both be squares'
Lemma 11.3. If r,s, and t are positive integers such that (r,s) : I and
; : t2, then there are integersz and n suchthat r : m2 and s : n2.
Proof. If r :1 or s : l, then the lemma is obviously true, so we may
,upptr. that r ) I and s ) 1. Let the prime-power factorizationsof r,,s, and
l b e
,:p1,pi2... p:",
s : p:,i p:,it p:"
and
t : ql' ql' quo'.
Since (r,s ) : l, the primes occurring in the factorizations of r and s are
distinct. Sincers : t2, we have
pi'pi' pi"pi,+ipi,n pl,': q?"q'ru' qiur'
From the fundamental theorem of arithmetic, the prime-powers occurring on
= 2(mod4).
2 of Section
2.1). Therefore,
x is even

the two sidesof the above equationare the same. Hence, eachpi must be
equal to Qi for some j with matching exponents,so that a; : 2bi.
consequently,everyexponenta; is even,and thereforeai/2 is an integer. we
seethat r - m2 and , : 12, wherem andn arethe integers
and
We can now prove the desired result that describes all primitive
Pythagorean
triples.
Theorem ll.l. The positive integers x,l,z form a primitive pythagorean
triple, with y even,if and only if there are relativelyprime positiveintegers172
and n, |/t ) n, with m odd and n evenor m evenand,
n odd, such that
x : m2-n2
'r7-'#ir'
Prot{. Let x ,y,z be a primitive Pythagorean
triple. Lemma I 1.2tells us that
x is odd and y is even,or vice versa. Since we have assumedthat y is even,
x and z are both odd. Hence,z*x andz-x areboth even,so that there are
positive
integers
r ands with r : (z+i/2and s : (z-il/2.
Sincex2+y2:22, we havey2: z2-x2: (z*x)G-x). Hence.
a./2 a-/z
m : p t ' P 2 '
n: pi,r('pi,C'
a / 2
Pu"
a / 2
Pr" !
Ir)' lz+x]f,-"1
lr): I , .lt ' J:"
w e n o t et h a t ( r , s ) : 1 . T o s e et h i s ,l e t ( r , s ) : d . S i n c ed l , a n d d l s ,
d l G + s ) - z a n d , d l ( r - s ) : x . T h i s m e a n st h a t d l ( * , r ) : 1 , s o t h a t
d : 1 .
Using Lemma I 1.3, we see that there are integersla and n such that
r : m2 and,
s : n2. Writing x,y,andz in termsof m andn we have
x : r - . s : m 2 - n 2 .
y:rM:rffi:2mn.

11.1 PYthagoreanTriPles
395
z : r * s : m 2 + n 2 .
we seealso that (m ,n) : 1, sinceany common divisor of m and n must also
Oi"iO"
-x
: m2-n2',y :2mn, andz : *'+r', and we know that (x,y,z) : l'
We also note that rn and n cannot both be odd, for if they were' then x y '
and z would all be even, contradicting the condition (x,y ,z) : l ' Since
(m,n) : I and m andn cannot both be odd, we seem is even and n is odd,
or vice versa. This shows that every primitive Pythagoreantriple has the
appropriateform.
To seethat everYtriPle
x : m2-n2
y : 2 m n
: 2 m 2 * n 2 ,
where m and n are positive integers, m ) n, (m,n) : 1, and
m * n (mod 2), forms a primitive Pythagoreantriple, first note that
x2 + y2 : (m2-n2)2+ (2mn)2
: (ma-2m2n2+n4)* 4m2n2
: ^4 * 2m2n2
t na
: (m2+n2)2
: 22.
To seethat these values of x,y, and z are mutually relatively .prime, assume
that (x,y,z): d ) !. Then,thereis a primep-such thatp l^(x,y,z)^.We
note that p * 2, sincex is odd (becausex: m2-n2 where mz and n2 have
ofporit" parity). Also, note that because
p I,x andp l t, p I G+i:2m2
an'dp lit-;:2n2. Hencep I m and p In, contradicting
the fact that
(*,i) :1. Therefore, (r,y,z) : l, and xoy,z is a primitive Pythagorean
triple. This concludesthe proof. D
The following example illustrates the use of Theorem I I .l to produce
Pythagorean
triPles.
Example. Let m:5 and n:2, so that (m,n): I, ffi * n (mod2), and
m ) n. Hence,Theorem 1I .1 tells us that
x : m 2 - n 2 : 5 2 - 2 2 : 2 1
Y : 2 m n : 2 ' 5 ' 2 : 2 0
z : m 2 + n 2 : 5 2 + 2 2 : 2 9
is a primitive Pythagoreantriple.

396
We list the primitive pythagorean
rn :< 6 in Table I l.l.
triples generatedusing Theorem I l.l with
Table 11.1. SomePrimitive pythagoreanTriples.
m n x : m2-n2 y : 2 m n t : m2+n2
2
3
4
4
5
5
6
6
I
2
I
3
2
4
I
5
3
5
15
7
2l
9
35
1l
4
t2
8
24
20
40
r2
60
5
l3
l7
25
29
4l
37
6t
I l.l Problems
l. Find all
2.
3.
4.
5 .
6.
il primitive Pythagoreantriples x,l,z with z
b) Pythagoreantriples x,!,2 with z < 40.
Show that if x,!,2 is a primitive pythagorean
divisibleby 3.
Show that if x ,!,z is a Pythagoreantriple, then
divisibleby 5.
Show that if x,l,z is a Pythagorean triple, then
divisible by 4.
Show that every positive integer greater than
Pythagoreantriple.
L e t x l - 3 ,l t : 4 , z t : 5 , a n d l e t
recursivelvbv
< 40.
triple, then either x or y is
exactly one of x,y , and,z is
at least one of x,y, and z is
three is part of at least one
for n :2,3,4, ..., be defined

11.2 Fermat'sLastTheorem
397
x n t l - 3 x n * Z z n * l
! n + r - 3 x n * 2 z o * 2
z n + t - 4 x n * 3 z n * 2 '
Show that xnln,zn is a Pythagoreantriple'
7. Showthat if x,!,2 isa Pythagorean
triplewithy:x + l, thenx,l,Z isoneof
the Pythagoreantriples given in problem 6'
g. Find all solutionsin positiveintegersof the diophantineequationx2 I 2y2 : t2'
g. Find all solutionsin positiveintegersof the diophantineequationx2 * 3y2: t2-
10. Find all solutions in positive integers of the diophantine equation
w 2 + x z r y ' : t ' .
Find all Pythagoreantriples containing the integer 12.
Find formulae for the integersof all Pythagoreantriples x,l,z with z - y*l
Find formulae for the integersof all Pythagoreantriples x,l,z with z - y * 2'
Show that the number of Pythagoreantriples x,-y,z (with x2 + y2 : z2) with a
fixed integer x is (rk2)-l)/2if x is odd, and (r!2l4-1)/2 if x is even.
Find all solutionsin positiveintegersof the diophantineequation*' * py' : 22,
w h e r e p i s a p r i m e .
I l .
12.
1 3 .
14.
1 5 .
l. Find all Pythagorean
triplesxJ,z with xy,and z lessthan a given bound.
2. Find all Pythagoreantriples containing a given integer'
ll.2 Fermat's Last Theorem
In the previous section, we showed that the diophantine equation
x2 + y2 : z2 has infinitely many solutionsin nonzerointegersx, !, z . What
happenswhen we replace the exponent two in this equation with an integer
grrut.. than two? Next to the discussion
of the equationxz + y2 : z2 in his
copy of the works of Diophantus,Fermat wrote in the margin:
"However, it is impossibleto write a cube as the sum of two cubes,a fourth
power as the sum of two fourth powers and in general any power the sum of
two similar powers. For this I have discovereda truly wonderful proof, but
the margin is too small to contain it."

Since Fermat made this statementmany peoplehave searchedfor a proof of
this assertion without success. Even trrouitr no ,or...t proof has yet been
discovered,the foilowing conjectureis knowi as Fermat,s rasttheorem.
Fermat's Last Theorem. The diophantineequation
x ' + l n : z n
hasno solutionsin nonzerointegersx, r, z when n is an integer with n D 3.
Currently' we know that Fermat's last theorem is true for all positiveintegers
n with 3 ( n <125000. In this section,
we will showthat the specialcaseof
Fermat's last theorem with n: 4 is true. That is, we will ,ho* that the
diophantineequation
x a + ! 4 : 2 4
has no solutionsin nonzerointegersx, !, z. Note that if we could also show
that the diophantineequations
x P + Y P : 7 P
has no solutionsin nonzerointegersx,!,2 wheneverp is an odd prime, then
we would know that Fermat's last theorem is true (seeproblem 2 at the end of
this section).
The proof we will give of the special case of n - 4 uses the
method of infnite descent devised by Fermat. This method is an offshoot of
the well-ordering property, and shows that a diophantine equation has no
solutions by showing that for every solution there is a "smaller', solution.
contradicting the well-orderingproperty.
Using the method of infinite descent we will show that the diophantine
equationxa + !4 : 22. has no solutionsin nonzerointegersx, !, andz. This
is strongerthan showingthat Fermat'slast theoremis true for n: 4, because
any solution
of xa + y4: ta: (22)2
givesa solution
of xa * va:22.
Theorem 11.2. The diophantineequation
hasnosolutions
in nonzer"
,",.*1,
**',ro,r:
t'
Proof. Assume that the above equation has a solution in nonzero integers
x,l,z. Since we may replaceany number of the variableswith their negatives

11.2 Fermat's Last Theorem
without changingthe validity of the equation'we
positiveintegers'
We may also supposethat (x,y) : 1' To see
x : dx1 andy = dY,, with (xvYt) : 1' wherex1
since xa + Y4
: '2 ' vtehave
( d x ) 4 + ( d Y r ) 4 : 2 2 ,
so that
399
may assume
that x,Y,z are
this, let (x,Y) : d. Then
andy 1itroPositive
integers'
that d' I t.
da(xf + Yf):'2'
Hence do | ,', and, by problem 32 of Section 2'2' we know
Therefore
, z : d'r r, wherez 1is a positiveinteger' Thus'
d a ( x f + y f ) : ( d 2 t r ) ' : d o r ? ,
so that
xf+yl:t?.
This givesa solutionof xa + ya: '2 in positiveintegers
x : xt'! : lr'z
: zr
with (xr,yr) : 1.
So, suppose
that x: x,,l :10, z : z.'is a.solution
of xa + y4: z2' where
xo, lo, andzsare positiveintegerswith (xe,-/o): 1 ' We will showthat there
is anothersolutionin positiveintegers
x : xr,! : lt, z: zt with (xr'yl) : 1'
suchthat 21 1 zs.
Sincexd + yt : zl,we have
Gilz+ (y&)2:
zE,
so that x&, y&, ,o is a Pythagoreantriple. Furthermore,we have
l-fi, r&> - i, ro. if p is a primesuchthatp I x3 andp I y&' thenp I xs
;;';'l'ro, contradicting
the fact that (xq,lrq): l. Hence,
*3,yE, zs is a
prim-itive
iythagoreantriple,and by Theorem-
11.1,we knowthat thereafe
positive
integers
z andn with (z ,n), m # rl (mod2) ' and
x& : m2-n2
!& : Zmn
zo: m2+n2,
wherewe haveinterchanged
x62andyfr, if necessary'
to makeyfr the even
integer
of thisPair.

From the equationfor xfr, we seethat
x & + n 2 : m 2 .
Since (m,n) : l, it foilows that x,s,n,m is a primitive pythagoreantripre.
Again usingTheorem I I .1, we seethat thereare fositive integersr and s with
(r,s) : l, r # s (mod2). and
ro : ,2-s2
n : 2 r s
m - r2+s2.
Since m is odd and (m,n) : l, we know that (m,2d : l. We note that
because
y&: (2dm, Lemma ll.3 tells us that there are positiveintegers
z1
a n d w w i t h m : t ? a n d 2 n : w 2 . S i n c ew i s e v e n ,w : 2 v w h e r ev i s a
positiveinteger,so that
v 2: n / 2 : r s .
since (r,s): I , Lemma 11.3tellsus that thereare positiveintegersx1 erd
y1 suchthat r : xl and s : y? . Note that since(r,s) : l, it easiryfolows
that (xl,-yr): l. Hence.
400
x{+yf:
where x t,! t,z1 ?re positive integers with
zt I 26, because
z r ( z f : m 2 < m 2 + n 2 - r o .
To completethe proof, assumethat xa * y4 : z2 hasat least one integral
solution' By the well-orderingproperty,we know that amongthe solutionsin
positiveintegers,there is a solutionwith the smallestvalueis of the variable
z However, we have shown that from this solution we can find another
solution with a smaller value of the variable z, leading to a contradiction.
This completesthe proof by the method of infinite descent. n
Readers interested in the history of Fermat's last theorem and how
investigationsrelating to this conjecture led to the genesisof the theory of
algebraicnumbersare encouraged
to consultthe booksof Edwards Il4l and
RibenboimIrt]. A great deal of researchrelatingto Fermat'slast theoremis
underway. Recently,the German mathematicianFaltingsestablished
a result
that showsthat for a fixed positiveintegern, n > 3, the diophantineequation
xn + yn : z' has at most a finite number of solutionswhere x g, and,
z are
integersand (x,-y) : l.
- 2
z l
(r r,y1) : l. Moreover, we have

401
11.3 Pell'sEquation
ll.2 Problems
l. show that if x,! ,z is a Pythagorean triple and n is an integer n ) 2' then
x " * y n # z n .
2.. Show that Fermat's last theorem is a consequenceof Theorem I l '2' and the
assertionthat xP * yp : zP has no solutions in nonzero integers when p is an
odd prime.
3. Using Fermat's little theorem,show that if p is prime and
a) if xp-l * yn-t : zP-r, then p | *yt .
b) if xP + lP : zP, then p | (x+Y-z).
4. Show that the diophantine equation xo-yo: z2 has no
integers using the method of infinite descent'
5 . U s i n g p r o b l e m 4 , s h o w t h a t t h e a r e a o f a r i g h t t r i a n g l e
never a Perfect square.
6. Show that the diophantine equation xa + 4ya - z2 has no solutions in nonzero
integers.
i. Show that the diophantine equation x' - 8y4: z2 has no solutions in nonzero
integers.
l .
Show that the diophantineequationxa + 3ya : z4 has infinitely many solutions'
Show that in a Pythagorean triple there is at most one perfect square'
Show that the diophantine equation xz + y2: z3 has infinitely many integer
solutions by showing that for each positive integer k the integers
x : 3k2-1, | - k(k2-3), z : k2 * I form a solution.
Computer Proiects
Write a computer program to search for solutionsof diophantine equationssuch
a s x n * Y n : z n .
11.3 Pell's Equation
In this section,we study diophantineequationsof the form
x 2 - d y ' , : r ,
solutions in nonzero
with integer sides is
8.
9.
10.
tt.2
(11.2)
where d and n are fixed integers. When d <0 and n (0, there are no
solutionsof (11.2). When d < 0 and n ) 0, there can be at most a finite

402
numberof solutions,
sincethe equation
x2 - dyr: n impliesthat l"l < fi
il*
lrl < JM. Also, notethat whend is a perfect,quur., sayd : D2,
x2 - dy': x2 - Dry : G+Dfl(x-Dy) - n
Hence,any solution
of Qt.D, whend is a perfectsquare,
corresponds
to a
simultaneous
solution
of theequations
::'d=;,
where a and b are integerssuch that n : ab. In this case,there are only a
finite number of solutions,since there is at most one solution in integers of
thesetwo equationsfor each factorization n : ab
For the rest of this section,we are interestedin the diophantineequation
x2 - dy':n, whered andn areintegers andd is a positiveintegerwhich is
not a perfect square. As the following theorem shows,the simpL continued
fraction of -,/v is very useful for the study of this equation.
Theorem 11.3. Let d and n be integerssuch that d > 0, d is not a perfect
square, and lrl < r/7. .lf x2 - dyI: n, then xfy is a convergentof the
simple continuedfraction of ^/7.
Proof. First considerthe casewheren ) A. Sincex2 _ dyr: n,wesee that
(tr.:) G+y./7)G -y,/V) : n
From(tt.:), weseethatx - y.,/7 ) 0, sothatx > yrT. consequently,
>0,
and since0 1 n < ,8, we seethat
ta G -,/7v)
Y W
v
: x2-dY2
y G + y,/7)
* _,/7
v

Since 0 <
convergent
When n
- f r

YQYJA)
fi
t
q I 1
Zy'rld
: l
) rr2
L!
1
.,17< +, Theorem
10.18tells
2v'
-r
1 fractionof JL
slmple contlnueo
403
us that x ly must be a
x _
v
of the
( 0. we divide both sidesof x2 - dy' : n by -d, to obtain
v2
- ,fr*':-3
By a similar argument to that given when n ) 0 o we see that y /x is a
convergent of the simple continuid fraction expansionof ll.r/7' Therefore'
from problem 7 of Slction 10'3, we know tB *l!,:1l,j.,/x) must be a
converyentof the simplecontinuedfractionof './d : l/(l/{cl ) ' u
we have shown that solutionsof the diophantineequation x2 - dy': n,
*h;;
^1"1
. .n, are gifn by the convergents of the simple continued
fraction expansion of fi. The next theorem will help us use these
convefgentsto find solutionsof this diophantineequation'
Theorem 11.4. Let d be a positive integer that is not ^ perfect square'
il; dk : (io + ',/hlQr, oo: [47.1, P*+r --!*Q! - 'o'' and
O;';-r:
(;"- pt*'JlQ*, t* L :0,1,2,... where ao: Jd ' Furthermore'Iet
;J;r denote tie kth convergentof the simple continued fraction expansionof
Jd. Then
pt-dqt:(-1)&-rgp*1.
Before we proveTheorem 11.4,we prove a useful lemma.
L e m m a 1 1 . 4 .L e t r * s r / V : t + r t / l w h e r er , s , t , a n d u ^ t e r a t i o n a l
numbers and d is a positive integer that is not a perfect square. Then r : t
a n d s : u .
proof. Since r * s,/7 : t * u,/7, *"see that if s # u then
,/7 - r-t
u-s

444
Some Nontinear Diophantine Equations
By Theorem 10.1, (r-t)/(u-s) is rational,and by Theorem r0.2 Jv i,
irrational. Hence,s : u, and consequently
r : t. A
We can now prove Theorem I 1.4.
Proof. Since^E : o,0: Ias;ar,e2,...,ek,otk+tL,
Theorem 10.9tells us that
tj ott+tp* I p*_t
-vs
,rt"rrqk+ qrr'
Since dk+t : (pt *, + ,/7)/er+r
JV:
(P**t
we have
+ ,8)p* * e*+pr,_t
(P**, + ,/V)qr * et +rQ*_t
Therefore,we seethat
dqt t (Pt+flt, I Qt +rQtr-r)fi : (pr,+tpr,* e*+rpt,-r) + p*fi.
From Lemma 11.4, we find that dqr,
Pt+fl* f Qt+rQn-t: pk When we multiply tt.
by qt and the secondby pt, subtract the first
simplify, we obtain
pt - dqi : (ptqt -t - pr-tQ*)eo*,: (- l)o-teo*r,
wherewe haveusedrheorem 10.10to completethe proof. tr
The specialcase of the diophantineequation x2 _ dy, : , with n : I is
called Pell's equation. we will use Theorems ll.3 and rr.4 to find all
solutionsof Pell'sequationand the relatedequationx2 - dy, : -t.
Theorem 1l'5' Let d be a positive integer that is not a perfect square. Let
px/qt denote the kth convergent of the simple continued fraction of .8,
k : 1,2,3,"' and let n be the period length of this continuedfraction. Then,
y.!"n ,r,
even, the positive solutions of the diophantine equation
x- - ay" : I are
r*
:
lin- t, ! : Qir-t, j : 1,2,3,...,
and the diophantine
equation x2 - dy' : - l has no solutions. when n is odd, the positive
solutions
of x2 - d!':1 are x : p2jn-r,! : Qzin_r,
j :1,2,3,... and the
solutions
of xz - dy': -l arex : pei_Dn_r,l : Qei_r)n_r,
j - 1,2,3,....
Pyoof. Theorem 1r.3 tells us that if xo,ro is a positive solution of
x2 - dy': tl, then x0: p*2!o: Q* wherep*/q1, is a convergent
of the
simple continuedfraction of ,/7 . On the other hand, from Theorem I 1.4 we
know that
: P*+tPt,* Q*+et -r and
first of these two equations
from the second,and then

405
p t - d q ? : ( - l ) f t - r 2 1 * 1 ,
w h e r e Q x * t i s a s d e f i n e d i n t h e s t a t e m e n t o f T h e o r e m l l . 4 .
Becausethe period cf the continued expansion oL"/j is n, we know that
Qjn
: Qo:I for7 : 1,2,3,"',
('int"J'l :
"tf
' Hence'
pk-, - d q?^-t: (- l)i'Qni : (- I)/n'
This equation
x 2 - d y z : l
o f x 2 - d y ' :
j : 1,2,3,...
To show that the diophantine equations
have no solutionsother than those already
implies that n lk and that Q1 # -l for 7 :
We first notethat if Qt*t: l, then
c,k+l: P1ra1
* 'ftr'
Sinceok+l : la1ra,.a1r1z,...l,
the continuedfraction expansiOn
of a1a1is purely
periodic. Hence, Theoiem !0.20 tells us that -1 1 a*+r: Pk+r- ''17 < O'
This impliesthat Pk+t:lr/71, sothat dk : c"o,
andnlk'
T o s e e t h a t Q l # - l f o r 7 : l , 2 , 3 , " " n o t e t h a t Q i : - l i m p l i e s t h a t
dj : -pi -G.
-'Sin""
ct; has a purely periodic simple continued fraction
expansion,we know that
- l < e i : - P i + ^ f t t < 0
and
d j : - P j - - . / 7 > t .
From the first of these inequalities, we see that Pi > -r/7 and, from the
second,we see that Pi < -l -fi. Since these two inequalities for p1 are
contradictory,we seethat Qt # -1-
Since we have found all solutionsof x2-dy2: I and x2-dy2: -1, where
x and y arc positiveintegers,we have completedthe proof. n
We illustrate the useof Theorem 11.5with the following examples'
Example. Since the simple continued fraction of .,8 is tl;f ,f 'f ,f ,el the
shows that when n is even Pin-t, Qin-t is a solution of
for 7 :1,2,3,..., and when n is odd,Pzin-t,421n-t
is-a solution
I and Pz(j-Dr-r,Qz(i-Dn-,is a solutionof x2 - dy': -l for
x2 - dy' :1 and x2 - dy2: -1
found, we will show that Qpal: I
1.2.3...
.

406
positivesolutions
of the diophantine
equationx2
. .l3yr:
I are pni_t,et.'j_t,
i : l'2'3"" *T]: p1_o1/e.roi-r
is the (roi-l)th ctnvergent
or ,r," simple
continued fraction expansion of .,m. The least po-ritiu" sorution is
pe:649, {e : 180. The positive solutionsof the diophantine equation
x2-13y2 : -I are Prci-o,Qtoi-oi: 1,2,3,...;the least positive solution is
P q : 1 8 , q a
: 5 .
Example. Since the continued fraction of -,.fr is t3;Wl, the positive
solutionsof x2 - t4y2_: I are pai-1,e4j-r,
j : r,.2,3,...wherep+i-tbqi-r is
the 7th convergentof the simple continuedfraction expansionof Vl4. The
least positive sohltion is pt: 15, Qt: 4. The diophantine equation
xz - l4y2 : -1 has no rotuiionr, since the period length of the simple
continuedfraction expansionaf ,/la is even.
We concludethis sectionwith the following theorem that showshow to find
all the positivesolutionsof pell's equationx2-- dyt : I from the leastpositive
solution, without finding subsequentconvergentsof the continued fraction
expansionof ,/7.
Theorem 11.6. L9t xg1 be the least positive solution of the diophantine
equation x2 - dyL : l, where d is a positive integer that is not a perfect
square. Then all positivesolutionsxk,lk are given by
xtr*yrfi:(xt*yrr/v)o
(Notethat xp andy1,aredetermined
by the useof Lemma
fork:
I 1.4).
Proof. We need to show that x1r,y1,is a solution for k :
every solution is of this form.
To show that x1,/r -.!! a solution, tst note that by taking conjugates,it
follows that x1,- ytrfi: (x r- lr,,/T)k, becausefrom Lemma 10.4, the
conjugateof a power is the power of the conjugate. Now, note that
xt - dyt : (xp+ yr,fi)G,, - yr,fi)
: (xr t y16)o (", - yrE)k
: (x?- ayilo
: 1 .
Hencexk,lt is a solution for fr :
To show that every positive solution is equal to
integer ft, assumethat X,y is a positive solution
k : 1,2,3,.... Then thereis an integerr suchthat
and that
x*,lt< for some positive
different from x*,lk for

407
(xl + yJ7)" < x + Y./7 ( (xt * v]/a)n*t'
When we multiply this inequalityby (x t * y rfi)-"' we obtain
I < (xr- rrfi)n(x + YJd) ( xt + YIIA'
since
x? - dy?:1 implies
thatxt - !t,[i : (x1* yt,[d)-t.
Now let
s * /./7 :(r, - yrfi)'(x + YJI),
and note that
s 2 - d t z : ( s - tJa)(s+ t,/D
: (xt
: (*?
- l
- t .
+ yf/7)'8 - Y,l7)Gt
- dy?)'8' - dYz)
- yrfi)n(X + YJA)
We seethat s,/ is a solutionof x2 - dy': l, and furthermore,we know that
i .; ,fr'.'"*;;';r",lV.--Mor.oner, since
we knowthats + t-,/7> 1,
wesee
that0 < (s + tJa)-r < 1. Hence
1 -
r : +t(st r,/7>
+(s - r.'.ff)l
> o
/-
and
, : 1[(s + t-./7)
- (s- t',17)]
> o.
2Jd
This meansthat s,/ is a positivesolution,so that s 2 x1,and t'2 y1, by the
choice of x1,y1 as the smallest-positivesolution' But this contradicts the
inequality s * f ../7 < xr * ytfi. ThereforeX,I' must be xpy1, for some
choiceof /c. tr
To illustratethe useof Theorem I1.6, we havethe followingexample'
Example. From a previousexamplewe know that the least positivesolution of
the diophantine
equationx2 - l3y': I is xt:649, -Pr: 180' Hence' all
positivesolutionsare given by xt, yp where
x* * yr,./n : (649+ tgo[Lte .
For instance,we have

408
x z *
Hence x2:842361, y2
x2 - l3y2 : l, otherthan
SomeNonlinear
Diophantine
Equations
y2,8 : 842361
+ 233640.,/l
t
: 233640 is the least positive solution of
X1- 649,y' : 180.
ll.3 Problems
l ' Find all the solutionsof eachof the foilowing diophantineequations
a ) x 2 + 3 y 2 : 4
b ) x 2 + 5 y 2: 7
c ) 2 x 2+ 7 y 2 : 3 0 .
2' Find all the solutionsof eachof the following diophantineequations
a ) x ' - y ' : B
b) x2 - 4y2: 40
c) 4xz - 9/2 : loo.
3' For which of the following values of n does the diophantine equation
x2 - 3ly' : n havea solution
4. Find the least positivesolutionof the diophantineequations
a) x2 - 29y2: -1
b) x2 - 29yz: 1.
5. Find the three smallest positive
a ) l
b) -1
c ) 2
x 2 - 3 7 y 2 : 1 .
6. For each of the
equationx2 - drz
il2
b)3
c ) 6
d ) 1 3
d) -3
d 4
f) -s?
following values
: -l has solutions
e) tj
f) 3l
e) 4r
h) s0.
solutions of the diophantine equation
of d determine whether the diophantine
7. The least positive solution of the diophantine equation xz - 6lyz : 1 is
xt:1766319049, lt- 2261i398A. Find the least positivesolutionother than
x t,l t.

11.3 Pell's Equation 409
8. S!g* that if pr/qt is a converggntof the simple continued fraction expansionof
Jd thenlp?- dq?l< | + zJd.
9. Show that if d is a positiveinteger divisible by a prime of the form 4ft * 3, then
the diophantineequationx2 - dy': -l has no solutions.
Let d and n be positive integers.
il Show that if r,s is a solution of the diophantineequation x2 - dyz : I and
X,Y is a solution of the diophantine equation x2 - dy' : , then
Xr + dYs, Xs t Yr is alsoa solutionof x2 - dy': r.
b) Show that the diophantine equation x2 - dyz: n either has no solutions,or
infinitelv many solutions.
I l. Find those right triangles having legs with lengths that are consecutiveintegers.
(Hint: use Theorem 11.1 to write the lengths of the legs as x -.r2 - 12 and
y :2st, where s and t are positiveintegerssuch that (s,t) : l, s ) / and s
and t have opposite parity. Then x-y:il implies that
( s - r ) 2 - 2 t 2 : + 1 . )
12. Show that each of the following diophantineequationshas no solutions
a ) x a - 2 y a : 1 b ) x 4 - 2 y 2 - - 1 .
1. Find those integers n with lrl < Ji such that the diophantine equation
x2 - dyz: rz has no solutions.
2. Find the least positive solutionsof the diophantine equationsx2 - dy': I and
x 2 - d y 2- - 1 .
3. Find the solutionsof Pell's equation from the least positivesolution (seeTheorem
I 1 . 6 ) .

Rosen - Elementary number theory and its applications.pdf

0
I
2
3
4
)
6
7
8
9
t0
n
t2
1 3
1 4
1 5
l6
t 7
l 8
l9
20
2l
22
23
24
25
26
27
28
29
30
3 l
32
33
34
35
3
3 - 3 -
3 - 3
7
3 - 3 -
3 - 3
7 ^
3 - 3 -
7 3 - 3
3 - 3 7
l l 3 - 3
7 - -
3 l l 3 -
3 - 3
7 - - 1 3
3 - 3 -
3 1 1 3
3 7 3 l l
3 7 3
1 3 -
3 - 3 -
3 1 3 3
- l l - 7
3 - 3 -
3 - 3
7 1 7
3 - 3 1 3
7 3 - 3
- l l
3 t 7 3 7
3 - 3
l l 7 - -
3 - 3 -
4A
4l
42
43
44
45
46
47
48
49
50
5 1
52
53
54
55
56
57
58
59
60
6l
62
63
64
65
66
67
68
69
70
7l
72
73
74
75
412
Appendix
Tabfe1. FactorTable.
Theleastprimefac1o1,of
.::h.odd positive
integerlessthan 10000
andnotdivisibleby
fiveis givenin thetable. ThJinitial digitsof tile integeiarelistedto thesideandthe
lastdigit is at thetopof thecolumn.primesareindicated
with a dash..
1 3 7 9 1 3 7 9 1 3 7 9 1 3 7 9
- 1 3 1 1 -
3 7 3 -
3 7 3
1 9 _
3 - 3 -
l t 3 - 3
7
3 l l 3 -
1 3 3 - 3
- r 7 7 _
3 - 3 -
7 3 l I 3
1723
3 1 3 3 7
3 - 3
1 9 7 - 1 3
3 - 3 -
3 - 3
7 l l - 1 9
3 - 3 -
3 - 3
1 3 -
3 7 3 t 7
3 7 3
_ l l
3 - 3 -
3 2 3 3
l l - - 7
3- 3r3
317 3
- 1 9 7 -
3 2 3 3 -
7 3 - 3
t 7 - 1 l -
3 - 3 7
3 - 3
3 7 3 -
2 9 3 7 3
23--
3 - 3 l r
1 3 3 - 3
7
3 1 9 3 2 9
t 7 3 - 3
- l l 7 -
3 1 3 3 -
7 3 - 3
- 2 3 - 1 3
3 8 3 7
3 t 3 - 3
7 - t l
3 - 3 2 3
3 - 3
7 t 7 1 9 -
3 - 3 -
3 1 3 3
t 7 -
3 7 3 -
3 7 3
1 t -
3 2 9 3 1 3
2 3 3 - 3
7
3 - 3 -
l t 3 - 3
1 9 - 7 -
3 l l 3 t 7
80
8 l
82
83
84
85
86
87
88
89
90
9r
92
93
94
95
96
97
98
99
100
l0l
t02
103
rc4
t20
t2l
r22
123
t24
125
r26
t27
128
t29
130
1 3 1
r32
r33
134
135
136
r37
r38
139
140
t4l
r42
r43
144
145
3 l l 3 -
3 1 9 3
3 1 7 3
7 - - 2 3
3 - 3 -
3 - 3
1 7 f i 2 9 _
3 7 3 -
1 3 3 7 3
3 11 9
3 - 3 -
3 - 3
7
3 1 3 3 -
3 - 3
r r 3 1 7 1 3
3 1 7 3 1 9
7 3 2 3 3
- 2 9 - 3 7
3 - 3 7
3 1 9 3
1 3 7 t t -
3 2 3 3 -
1 7 3 1 3 3
7 - - -
3 - 3 -
l l 3 - 3
3 1-
3 7 3 1 3
3 7 3
3 - 3 -
1 9 3 1 1 3
- 1 7 3 7 7
3 - 3 1 1
3 2 9 3
2 3 - 7 -
3 - 3 -
105
106
107
r08
109
l l 0
l l l
lt2
l l 3
rt4
l l 5
7 3 3 1 3
1319
t46
147
148
r49
150
r 5 l
rs2
153
r54
t55

Appendix 413
Table 1. (Continued).
r379 1 3 7 9 1 3 7 9 1 3 7 9
36
37
38
39
160
r6l
t62
r63
t64
r65
r66
r67
r68
r69
170
17l
172
173
174
175
176
177
178
179
180
l 8 l
r82
r83
184
185
186
t87
188
189
r90
l9l
76
77
78
79
2m
201
202
203
204
205
206
207
208
209
210
2tl
2t2
2r3
2t4
2t5
2r6
217
2t8
2r9
220
22r
222
223
224
225
226
227
228
229
230
231
l l 6
rt7
1 1 8
l l 9
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
? 5 S
256
257
2s8
259
260
26r
262
263
264
265
266
267
268
269
270
27r
156
t57
158
159
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
29s
296
297
298
299
300
301
302
303
304
305
306
307
308
309
3r0
3 l l
1 9 3 - 3
7 - t 3 -
3 - 3 -
t 7 3 - 3
7 - -
3 - 3 -
3 - 3
7 2 3 - l l
3 3 1 3 1 7
t 3 3 - 3
l l -
3 7 3 2 3
4 1 3 7 3
1 9 -
3 1 3 3 -
2 9 3 r 7 3
- - l l 7
3 - 3 3 7
3 - 3
r 7 - 7 -
3 4 1 3 2 9
7 3 - 3
1 3 -
3 l l 3 7
3 1 3 3
7 2 3 t 7
3 - 3 3 1
3 l l 3
7 1 9 - 4 3
3 1 7 3 l r
3 - 3
3 7 3 -
3 1 3 7 3
- l t - 2 3
3 - 3 r 9
7 t 3 -
3 - 3 r 9
l l 3 - 3
7 1 3 - 1 7
3 - 3 7
3 - 3
4 3 7 - -
3 r 9 3 -
1 3 3 2 3 3
7 - t l 2 9
3 - 3 -
t 9 3 3 t 3
3 7 3 -
u 3 7 3
29 t3
3 l l 3 -
3 - 3
- - 1 9 7
3 - 3 t 7
3 l l 3
l 3 4 t 7 -
3 3 7 3 r l
7 3 1 3 3
3 r - - 4 7
3 - 3 7
3 1 7 3
2 3 7 - -
3 - 3 r 3
3 3 7 3
7 3 1- -
3 - 3 4 3
3 - 3
2 9 - - l l
3 7 3 -
3 7 3
3 - 3 7
3 l t 3
7 -29
3 - 3 l l
7 3 2 9 3
- 1 9 - 4 1
3 - 3 7
l l 3 - 3
7 - 3 1
3 l l 3 -
2 3 3 - 3
7 - - 3 7
3 1 3 3 1 9
4 7 3 l l 3
4 t - 2 3 1 3
3 7 3 l l
3 7 3
- t 7 4 3 -
3 - 3 -
3 - 3
t 3 l t 1 7 7
3 3 1 3 -
2 9 3 1 3 3
7 2 3
3 r 9 3 -
7 3 - 3
- 4 3 3 7 r 1
3 - 3 7
1 9 3 - 3
l l 7 - -
3 - 3 t 7
3 - 3
7 - - -
3 - 3 -
3 7 3 - 3
l l -
7 3 - 3
- 1 1t 9 -
3 - 3 7
3 7 3 - 3
7 5 3
3 2 9 3 -
7 3 r t 3
1 9 - - 1 7
3 - 3 7
3 - 3
7 4 7 t 9
3 1 3 3 -
4 3 3 - 3
7 r l - 1 3
3 - 3 -
4 t 3 - 3
2 3 3 7- 2 9
3 7 3 -
l 7 3 7 3
t 3 - - l l
3 - 3 -
3 1 3 3
t t t 9 2 9 7
3 4 1 3 -
3 3 1 3
- 2 3 7 -
3 - 3 1 3
7 3 - 3
- t 7 1 1-
3 4 3 3 7
3 - 3
3 7 7 1 7 -
3 - 3 -
1 1 3 1 9 3
7 2 9 1 3 -
3 l 1 3 -

414
Appendix
l 3 7 9 1 3 7 9 1 3 7 9 1 3 7 9
192
r93
r94
195
r96
r97
198
r99
232
233
234
235
236
237
238
239
:oo
361
362
363
364
365
366
367
368
369
370
37r
372
373
374
375
376
377
378
379
380
272
273
274
275
276
277
278
279
400
40r
402
403
404
405
406
40'7
408
409
4r0
4tr
412
413
414
4t5
416
4t7
4 1 8
419
420
3t2
3 r 3
3r4
3 1 5
316
317
3 1 8
3le-
440
44r
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
320
321
322
323
324
325
326
327
328
329
330
3 3 1
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
381
382
383
384
385
386
387
t 7 3 4 1 3
- - 1 3 7
3 2 9 3 -
3 1 9 3
3 7 1 3 7 t l
3 - 3 -
7 3 - 3
1 1-
3- 3-
1 3 3 - 3
- l 1 7 -
3 5 3 3 4 r
7 3 1 7 3
3 1 3 3 7
3 2 9 3
r 7 7 1 9l l
3 3 7 3 -
3 - 3
7-3r-
3 - 3 -
3 4 7 3
1 3 - _ - 1 7
3 7 3 -
3 7 3
- - l l 3 l
3 r 7 3 -
3 4 3 3
l 9 4 r - 7
3 - 3 1 3
l l 3 2 3 3
4 7 - 7 1 9
3 l l 3 -
7 3 - 3
n 2 3 t 3 t 7
3 - 3 -
3 - 3
- 1 3 - 7
3 r 7 3 2 3
3 - 3
7 -
3 - 3 -
1 3 3 - 3
2 3 - - 7
3 - 3 1 9
3 - 3
l l - 7 4 l
3 1 3 3 -
7 3 1 9 3
- 1 3
3 2 9 3 7
3 - 3
7 t t _
3 4 7 3 -
6 1 3 - 3
7 - 3 7 -
3 1 9 3 2 3
l l 3 1 3 3
- 5 3
3 7 3 -
1 9 3 7 3
t 7 - - 2 9
3 - 3 3 1
3 7 3 -
3 7 3
- 1 34 t -
3 - 3 3 l
l l 3 - 3
1 7 4 7 - 7
3 1 1 3 -
3 - 3
_ 1 9
3 - 3 -
3 - 3
2 9 3 7t t 7
3 1 3 3 -
3 - 3
3 t t 7 7 1 3
3 - 3 -
7 3 6 1 3
l 7 -
3 l l 3 7
3 2 3 3
t 3 7 - -
3 - 3 -
4 1 3 1 l 3
7 - - -
3 2 3 3 1 1
4 3 3 - 3
3747 5359
3 7 3 1 3
3 7 3
- l t
3 4 1 3 -
3 1 9 3
- - 3 1 7
3 - 3 -
3 t 7 3
7 t l
;
3
23
2 3 3 1 3 3
1 9 7 * -
3 2 9 3 4 7
3 - 3
7 1 7 2 3 t 9
3 - 3 1 3
3 - 3
4 3 - t 7 l I
3 7 3 3 1
3 7 3
t t 4 t - -
3 - 3 -
3 - 3
5 9 - 1 3 7
3 - 3 -
3 5 3 3
1 3 - 4 3
7 3 4 7
3 7 3
2 9 -
3 1 9 3 l l
3 - 3
* 3rz37
3 7 3 -
l r 3 7 3
1943
3 l l 3 2 3
3 - 3
- 6 t - 7
3 - 3 4 r
1 7 3 1 1 3
7 6 7
3 - 3 l l
7 3 - 3
1 3 -
3 - 3 7
3 7 3 l l 3
- - 4 3 7
3 - 3 1 1
2 3 3 - 3
7 1 7
3 - 3 5 3
7 3 - 3
421
422
423
424
42s
426
427
4s9
460
461
462
463
464
465
466
467
347 3 2 3 3 7

Appendix
348
349
350
351
352
3s3
354
355
356
357
358
359
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
s00
501
5 9 3 1 l 3
7 1 3 -
3 3 1 3 l l
3 - 3
7 1 3 - -
3 - 3 -
3 - 3
5 31 1
3 7 3 4 3
3 7 3
1737
3 - 3 5 9
:tn- 3-
t7 - - 61
3 7 3 1 1
3 7 3
4729 37 13
3 - 3 -
7 3 - 3
1 11 35 93 l
3 1 9 3 ' , l
2 9 3 - 3
6 1 7 - -
3 4 3 3 -
1 9 3 - 3
7 - l r 1 7
3 - 3 2 9
1 3 3 4 1 3
- 2 3 - 5 3
:-Tl r 7t
4 1 5
3 1 3 4 3 3
- 1 3 7 3 7
3 - 3 1 7
't 353 3
2 9 -
3 - 3 ' , l
1 1 3 4 7 3
7 6 7 -
3 1 1 3 1 9
1 3 3 1 7 3
7 - - -
- 1 1 1 3 -
3 r 7 3 7
4 7 3 - 3
7 - -
3 - 3 -
3 3 r 3
7 - - r l
3 5 9 3 3 7
t 7 3 - 3
tr 294123
3 7 3 -
1 3 3 7 3
-Tt1 qt*-
3 1 3 3 1 7
2 3 3 - 3
- 1 3
3 7 3 2 9
5 9 3 7 3
-1923rr
3- 3-
3 1 7 3
1167- 7
3 - 3 -
388
389
390
39r
392
393
394
39s
396
397
398
399
5zo
521
522
523
524
525
526
527
s28
428
429
430
431
432
433
434
435
436
437
438
439
468
469
470
471
4',72
473
474
475
476
477
478
502
503
3 2 3 3 4 3
3 3 1 3
- 1 l - 7
3 1 9 3 -
6 7 3 5 9 3
1 3 - 7 -
3 1 7 3 -
-r
313 3
- 1 l
3 - 3 7
3 - 3
1 1 7 - -
3 - 3 1 3
1 7 3 - 3
7 - 1 9 -
3 - 3 -
3 2 9 3
ll 47
3 7 3 -
4 7 3 1 3 3
t 7 - 7 7 3
3 - 3 1 9
7 3 - 3
- 5 3 1 1 2 3
3 3 1 3 7
4 1 3 1 9 3
7 - 1 7
3 - 3 -
1 1 3 - 3
7 - - -
3 1 1 3 6 1
3 - 3
s29
530
5 3 1
532
533
534
535
s36
537
538
s39
540
54r
542
543
560
561
562
563
564
565
566
s67
568
s69
570
571
572
573
5',74
) t )
576
5',77
578
579
580
581
582
583
479_
600
601
602
603
604
605
606
607
608
609
610
6 1 1
612
6 1 3
614
615
6r6
617
6 1 8
619
620
621
3 1 3 4 1 3
7 - 1 7 1 3
3 4 3 3 -
3 - 3
3 - 3 - _
1 7 3 - 3
7 t l 1 3
3 r 9 3 -
3 7 3 - 3
7 - - 2 3
3 - 3 7 3
1 1 3 - 3
1 3 - 5 9 -
3 7 3 -
3 7 3
- r 7 3 1 4 1
3 - 3 2 9
3 1 1 3
1'1 '7
I
3 - 3 l 1
3 4 7 3
6 r - 7 3 1
3 - 3 3 7
'7
323 3
4 11 1
3 - 3 7
3 - 3
'7
13-
3 2 3 3 r 7
3 7 3 -
5 3 3 7 3
1 3- 1 1-
3 - 3 4 1
3 1 3 3
- 2 9 - 7
3 5 9 3 t 7
1 1 3 - 3
' t -
3 1 1 3 1 3
7 3 7 3 3
2 9 2 3 s 3 -
3 - 3 7
3 1 1 3
4 ^ -
| - J I
3 - 3 1 1
^ a
5 - J
7 1 9 1 3 -
622
623

4 1 6
504
505
506
507
508
509
510
5 l l
512
513
514
5 1 5
516
517
5 1 8
5 1 9
640
64r
7 r 3 7 3
- 3 1 1 3 _
3 6 1 3 3 7
I r 3 - 3
- 1 3 - 7
3 l t 3 _
3 - 3
1 9 - 7 -
3 4 7 3 2 3
7 3 l l 3
5 3 3 7 - 1 9
3 - 3 7
1 3 3 - 3
7 3 1_
3 7 r 3 -
2 9 3 - 3
37 1943 t3
3 1 l 3 7
3 - 3
s 9 7 4 1 4 7
3 1 7 3 -
3 l l 3
7 2 3 2 9 - _
3 - 3 l l
3 1 3 3
- 4 3 7 3 6 7
3 7 3 2 3
1 7 3 7 3
- l l 6 l _
3 4 7 3 1 3
3 1 3 - 3
- - 7 9 7
3 - 3 -
3 - 3
- 2 9 7 1 1
3 1 9 3 -
1 3 _
3 7 3 5 3
4 3 3 7 3
- 1 3
3 - 3 l l
1 7 3 2 3 3
7
3 3 7 3 -
3 - 3
- l l 7 2 9
3 2 3 3 3 1
7 3 - 3
6 7 - 1 9 -
3 - 3 7
3 3 7 3
7 2 9 t l
3 - 3 1 l
7 3 t 7 3
t 9 -
3 - 3 7
3- 3-
3_ 3
- l l
3 7 3 -
3 7 3
4 3 7 1- 1 7
3 - 3 1 9
2 3 3 6 1 3
3 t - - 7
3 1 7 3 _
1 3 3 1 9 3
11- 7 s9
3 6 7 3 4 7
7 3 4 3 3
- 3 1 - 5 3
3 1 3 3 7
1 9 3 - 3
7 -
3 3 1 3 -
7 3 - 3
1 3 - - l l
3 - 3 7
5 3 3 1 3 3
il 7 1929
3 - 3 3 7
2 3 3 - 3
7 6 7 - -
3 7 t 3 1 3
3 t 7 3
- - l t 4 l
3 7 3 -
3 7 3
1 7 3 7 5 3 -
3 7 3 3 4 7
1 l 3 8 3 3
1 9 - 1 3 7
544
545
546
547
548
549
550
551
552
553
s54
555
556
s57
s58
559
680
681
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
720
721
722
723
724
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
760
761
Appendix
7 9 3 - 3
7 1 3 - t r
3 - 3 -
3 - 3
l l 6 l - 1 9
3 7 3 -
3 7 3
- 59- tl
3 - 3 -
1 3 3 - 3
t 7 - t t 7
3 - 3 -
3 - 3
2 3 - 7 -
3 1 3 3 _
7 3 - 3
l l - - 7
3 2 3 3 1 9
3 2 9 3
1 3 1 7 7 -
3 - 3 -
7 3 t 3 3
642
643
644
645
646
647
648
649
650
651
652
6s3
654
655
656
657
658
659
682
683
684
685
686
687
688
689
690
69r
692
693
694
695
696
697
698
699
3 4 r 3
1 3 7 - 1 9
3 - 3 -
3 1 3 3
7 - 7 t 8 3
3 6 1 3 -
5 7 3 - 3
- 3 1- l t
3 7 3 1 3
2 9 3 7 3
l l 5 3
3 1 7 3 -
3 - 3
- 1 9 - 7
3 - 3 2 9
3 - 3
725
726
727
728
129
730
73r
732
733
734
735
736
737
738
739
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
4 7 7 9 1 1 -
3 - 3 7
3 - 3
7 4 3 _
3 - 3 1 3
l l 3 - 3
7 - - 5 9
3 1 1 3 7 1
3 6 1 3
2 3 -
3 7 3 1 7
t 9 3 7 3
3 1 4 3 1 3 -
3 - 3 1 l

417
Appendix
Table 1. (Continued)'
1 3 7 9 1 3 7 9 1 3 7 9 1 3 7 9
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
800
801
802
803
804
805
806
807
808
809
810
8 1 1
812
8 1 3
814
8 1 5
700
701
'702
703
704
705
706
707
708
709
7r0
7tl
7t2
713
7t4
715
7t6
717
7 1 8
7t9
840
841
842
843
844
845
846
847
848
849
850
851
852
8s3
854
855
'740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
920
92r
922
923
924
925
926
927
928
929
930
931
932
933
934
935
7 3 - 3
1 1 1 7 1 3 -
3 3 7 3 7
1 9 3 - 3
2 9 7 1 7 6 1
3 - 3 -
3 5 9 3
7 - l r -
3 4 1 3 -
3 3 7 3
1 9 -
3 7 3 -
l l 3 7 3
5 3 - - 2 3
3 l l 3 1 7
43 329 3
- - 6 7 7
3 1 3 3 -
3 1 l 3
7 1 3
3 5 3 3 -
3 - 3
1 3 7 1 2 3 7
3 2 9 3 -
1 l 3 1 3 3
8 3 - 7 -
3 l l 3 -
7 3 4 1 3
- 5 9
3 - 3 7
3 l l 3
7 - 2 3
3 - 3 1 l
47 379 3
7 r7 -29
3 31 3 4r
- 4 7 7 4 3
3 - 3 -
7 3 - 3
7 9 1 3 3 1 -
3 - 3 7
1 l 3 - 3
2 3 7 3 7 -
3 1 1 3 -
7 3 3 1 9 3
7 4 1 4 7 3 r
3 - 3 -
1 3 3 1 1 3
3 7 3 1 1
3 7 3 7 3
- 2 3 1 7 -
3 1 3 3 6 7
7 r 3 - 3
43rr- 7
3 - 3 2 3
3 1 3 7 3
t 3 4 7 1 9 -
a a
5 -
3 l l 3
23-- 7
379 3ll
3- 3
433776r
3r7 313
7 329 3
-114767
3- 3 7
3- 3
19 7--
3- 383
r7 343 3
3 1 1 3 3 1
3 - 3
4 11 3 1 1 7
3 - 3 4 3
7 3 l l 3
- 2 9
3 r 7 3 7
3 1 3 - 3
7 - -
3 5 9 3 -
1 3 3 - 3
7 r l - 7 3
3 - 3 -
t 7 3 - 3
- 1 9
3 7 3 -
3 7 3
67- - 1l
3 - 3 -
3 7 1 3
1 3 - - 2 3
3 7 3 -
3 7 3
- l l
3 3 7 3 -
5 3 3 1 7 3
7
3 1 9 3 1 3
8 3 3 - 3
t 7 - 7 l l
3 2 9 3 s 9
7 3 3 7 3
11- 79-
3 - 3 7
3 2 3 3
7 1 3 1 7
29 331 3
7 3 1 3 - 7
3 - 3 -
4 1 3 t 7 3
- 11 7 47
3 - 3 2 9
7 3 - 3
3 - 3 7
1 3 3 5 3 3
7 - r l
3 4 1 3 *
8 9 3 - 3
7 - - r 7
3r3 3*
373 3
1 9 - 3 1 1 3
3 7 3 7 9
2 3 3 7 3
6 l - 1 1 1 9
3 - 3 -
6 1 3 r 3 3
- 2 3 - l 1
3 7 3 -
3 7 3
il 19-47
3 s 9 3 1 3
7 3 3 - 3
- - 3 7 7
3 - 3 r 7
7 1 3 4 r 3
- 6 7 7 -
3 - 3 1 9
7 3 - 3
1 3 -
3 4 7 3 7

418
Appendix
1 3 7 9 1 3 7 9 1 3 7 9 1 3 7 9
8 1 6
8 1 7
8 1 8
8 1 9
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
856
857
858
859
860
86r
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
970
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
9tl
912
913
9r4
9 1 5
916
917
9r8
919
980
981
936
937
938
939
940
94r
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
990
991
3 - 3
- 1 1 1 3 -
3 7 3 1 9
3 7 3
5 9 1 3 2 9 _
3 4 3 3 _
3 1 9 3
7
3 - 3 7 3
37 323 3
l 1 - 7 -
3 - 3 r 7
7 3 - 3
_ 4 3
3 1 9 3 7
3 - 3
5 3 7 t t -
3 1 3 3 3 1
t 9 3 1 7 3
7 - 6 r 1 3
3 - 3 -
i l 3 - 3
1783
3 7 3 3 7
3 1 3 3
7 - 5 9 -
3 - 3 -
3 2 3 3
3 l - l l -
3 7 3 1 3
3 7 3
t 9 t 7
3 2 3 3 -
l 1 3 - 3
7 - 1 3 1 1
3 - 3 2 3
3 3 1 3
l l 1 3
3 7 3 -
7 9 3 7 3
3 7 - -
3 8 9 3 5 3
3 - 3
4 t t 7 t t 7
3 - 3 -
1 3 3 - 3
- 1 9 7 -
3 - 3 -
7 3 - 3
3 1 - 2 3 -
3 1 1 3 7
3 - 3
7 - 1 3
3 - 3 1 9
3 l l 3
7 3 1 6 7 -
3 - 3 1 l
5 9 3 1 9 3
8 9 3 11 8 7
3 l l 3 -
3 7 t 3
3 - 3 -
3 4 7 3
7 1 3 1 1 8 9
3 1 7 3 -
3 - 3
7l 29
3 7 3 -
l r 3 7 3
8 3 -
3 l l 3 -
1 3 3 - 3
4 7 4 3 2 9 7
3 3 1 3 6 1
3 l l 3
1 9 - 7 -
3 3 1 3 1 l
7 3 - 3
23- - 13
3 4 t 3 7
3 - 3
7 8 9 s 3
3 - 3 6 7
3 - 3
7 2 9 1 7 -
3 - 3 1 7
3 - 3
l l 3 1 7 3
7 _ 8 3
3 l l 3 4 1
3 - 3
7 - 2 3 9 7
3 - 3 -
3 l l 3
3 7 3 l l
t 3 3 7 3
- 1 7
3 - 3 -
1 9 3 5 3 3
- l l - 7
3 1 3 3 3 7
3 3 1 3
- 8 9 7 t 3
3 - 3 -
7 3 - 3
- 4 11 9l 1
3 7 3 3 7
t 7 3 6 1 3
1 1 7 - 4 3
3 5 3 3 2 9
3 - 3
r r 2 3 4 7 7
3 - 3 -
3 1 9 3
- 6 1 7 -
3 3 7 3 2 3
7 3 - 3
1 3 - u t 7
3 6 7 3 7
9 7 3 1 3 3
838
839
960
961
962
963
964
965
966
967
968
969
971
972
973
974
975
976
977
978
979
a n 4
t -
3 - 3 -
7 3 r t 3
43 t3
3 2 9 3 7
3 - 3
1 9 7 4 1
982
983
984
985
986
987
988
989
7 t t 3 r -
3 - 3 -
1 3 3 4 3 3
- 5 9
3 7 3 7 r
3 7 3
4 t - - l l
3 1 3 3 1 9
992
993
994
99s
996
997
998
999
Reprinted with permission from u. Dudley, Elementary Number Theory, Second
Edition, copyrighto 1969 and l97g by w. H. Freeman and company. All rights
reserved.

4 1 9
Appendix
Table 2. Valuesof SomeArithmetic Functions'
I
3
4
6
t 2
I
l 5
l 3
l 8
t 2
28
t 4
24
24
3 l
l 8
39
20
42
32
36
24
60
3 l
42
40
56
30
72
32
63
48
54
48
9 l
38
60
56
90
42
96
44
84
78
72
48
124
57
I
2
2
J
2
4
2
4
3
4
2
6
2
4
4
5
2
6
2
6
4
4
2
8
3
4
4
6
2
8
2
6
4
4
4
9
2
4
4
8
2
8
2
6
6
4
2
l 0
3
I
I
2
2
4
2
6
4
6
4
l 0
4
t 2
6
I
8
l 6
6
l 8
8
t 2
l 0
22
8
20
t 2
l 8
t 2
28
I
30
l 6
20
l 6
24
t 2
36
l 8
24
l 6
40
t 2
42
20
24
22
46
l 6
42
I
2
3
4
5
6
'l
I
9
l 0
l l
t 2
l 3
l 4
l 5
l 6
t'l
l 8
l 9
2A
2 l
22
23
24
25
26
2'I
28
29
30
3 l
32
33
34
35
36
5 I
38
39
40
4 l
42
43
44
45
46
4"1
48
49

420
Appendix
93
72
98
54
120
72
120
80
90
60
168
62
96
104
127
84
144
68
r26
96
t44
72
r95
74
n4
t24
140
96
168
80
1 8 6
t2r
r26
84
224
108
t32
120
180
90
234
n2
r68
128
t44
t20
252
98
t7l
r56
217
50
5 l
52
53
54
55
56
57
58
59
60
6r
62
63
64
65
66
67
68
69
7A
7 l
72
73
74
75
76
1 1
78
79
80
8 l
82
83
84
85
86
87
88
89
90
9 l
92
93
94
95
96
9',|
98
99
100
20
32
24
52
l 8
40
24
36
28
58
l 6
60
30
36
32
48
20
66
32
44
24
70
24
72
36
40
36
60
24
78
32
54
40
82
24
64
42
56
40
88
24
72
44
60
46
72
32
96
42
60
40
6
4
6
2
8
4
8
4
4
2
t 2
2
4
6
7
4
8
2
6
4
8
2
t 2
2
4
6
6
4
8
2
t 0
5
4
2
t 2
4
4
4
8
2
t 2
4
6
4
4
4
t 2
2
6
6
9

421
Appendix
Table 3. PrimitiveRootsModuloPrimes
The leastprimitiveroot r modulop foreachprimep, p < 1000is givenin the table'
2
l l
5
6
3
5
3
2
6
l l
2
2
2
3
3
2
J
2
2
l l
2
3
I
5
2
3
2
5
2
l 7
7
3
5
2
2
3
5
6
3
5
6
7
709
719
727
733
739
743
7 5 r
751
76r
769
773
787
797
809
8 1 1
82r
823
827
829
839
853
857
859
863
877
881
883
887
907
9 l l
919
929
937
94r
947
953
967
97r
977
983
991
997
r5
2
3
l 3
2
J
2
1 3
n
J
2
1
)
2
3
2
2
2
2
2
3
3
5
2
3
7
7
3
2
3
2
3
3
l l
5
2
2
z
5
2
5
3
2
439
443
449
457
46r
463
467
479
487
49r
499
s03
s09
521
523
541
547
5 ) /
563
569
57r
577
587
593
599
601
607
6 1 3
617
6r9
63r
641
643
647
653
659
601
673
677
683
691
701
l 9
5
2
t
2
3
2
6
3
7
7
6
3
5
2
6
5
3
3
2
5
T 7
l0
2
3
10
2
2
3
7
6
2
2
5
2
5
3
21
2
2
7
5
l 9 l
193
r97
199
2tl
223
227
229
233
239
241
251
257
263
269
271
277
28r
283
293
307
3 1 1
3 1 3
317
331
33',1
347
349
3s3
359
367
373
379
383
389
397
401
409
4 1 9
421
43r
433
1
2
2
3
2
2
3
2
5
2
3
2
6
3
5
2
2
2
2
7
5
3
2
3
5
2
5
2
6
3
3
2
3
2
2
6
5
2
5
2
2
2
2
3
5
7
1 l
l 3
t 7
l 9
23
29
3 1
3',1
4l
43
47
53
59
6 l
67
7 I
7 3
79
83
89
97
l 0 l
103
107
109
1 1 3
127
1 3 1
r37
139
t49
l 5 l
1 5 7
163
r67
r73
179
l 8 l

422
Appendix
Table4. Indices
p Numbers
I
l :
l :
l !
) 1
29
3 r
3i
4l
43
47
53
59
6l
67
7 l
73
79
83
89
97
I r(
l t 2
Ito
l 8
22
28
30
36
40
42
46
52
58
60
66
70
72
78
82
88
96 'ilil,Y,l
'il;i
l^ilrrl
trlfr|JIl,li
p Numbers
t 7 1 8 l 1 9 20 2 l 22 23 24 25 26 27 28 29 30 3 l 32 33
l9
23
29
3 l
37
4l
43
47
53
59
6l
67
7 l
73
79
83
89
97
l0
7
2l
7
7
33
38
t6
l 0
40
47
64
49
2l
2l
56
6
89
el
rzlrs
l l I e
z6i 4
1 7 1 3 5
16I e
zslrc
1 2 l 4 s
3 s l ' 3 7
4 3 1 3 8
t3li26
1 3 l l 0
5 8 11 6
2 0 1 6 2
6 1 3 2
6 3 1 4 7
r 8 1 3 5
7 8 1 8 1
5
24
8
25
34
37
37
49
8
24
17
40
17
70
29
t4
69
l 3
t7
29
22
t4
36
6
3 l
t 0
55
62
27
39
54
80
82
5
l t
26
t7
3 l
29
t 5
25
7
26
l6
60
37
63
72
25
t 2
24
20
27
l 5
36
t6
5
39
l 5
57
28
l 5
46
26
60
57
77
8
l 3
29
l 3
40
28
20
53
9
42
44
30
l 3
75
49
76
I
l 6
l0
l0
4
8
2
42
t2
44
30
56
2
46
54
52
2
l9
5
t 2
l 7
l 7
29
25
46
4l
20
45
67
38
78
39
59
Indices
t l
rslr+l
rlrol I
6 l 3 4 l 2 l
sI rrI j
3l sl4r
t 4 l 2 2 l 3 s
s l 1 1 6 1 4 6
3 4 1 2 0 1 2 8
nlsrlrs
s t l 2 s l 4 4
aI rrI oa
1 8 l 4 e l 3 5
3 l 6 l l l l
s 2 l t 0 l 1 2
3l2slse
l 8 l 3 l 1 3
I
l 5
t4
23
l l
39
l 3
57
29
55
60
l 5
67
l 8
87
9
9
28
34
3
33
49
59
47
l l
l l
56
38
3 l
46
5
l0
9
44
f
5
5
5
30
40
20
5
80
74
20
l 8
3 l
27
23
t 7
2l
32
57
6l
69
t4
85
60
Reprinted
with permission
from J. V. Uspensky
andM. A. Heaslet,
Elementary
Number Theory,
McGraw-Hill Book Company.CopyrightO 1939.

423
Appendix
Numbers
p
3'l
4 l
43
47
s3
59
6 l
67
7 l
78
79
83
89
97
I
r9
23
34
l l
4l
48
65
55
29
25
57
22
27
l9
2 l
l 8
33
9
24
l l
38
29
34
37
35
63
32
t 8
2
l 4
30
36
44
l4
l 4
64
28
l0
64
34
t 6
32
42
30
55
39
22
2A
64
t 9
20
l l
9 l
35
4
l 7
38
39
27
l l
22
70
36
48
5 l
l 9
6
33
3 l
4 l
3'l
46
58
65
65
35
67
24
95
20
22
9
50
9
2s
l 8
46
25
74
30
30
6 l 2 l
t s l 2 4
4 s 1 3 2
1 4 l l l
5 4 1 5 6
s 3 1 6 3
2 5 1 3 3
tl+t
7 5 1 5 8
4 0 1 8 1
2 l l l 0
8 5 1 3 9
In
I
1 3|
'))|
33I
431
el
481
5rI
4el
7 t l
2el
4 l
dices
I
431
8l
271
ri I
6rl
431
7rI
761
261
281
58 1
4 l
29
48
34
27
l 0
l 3
64
7
72
45
23
40
1 6
58
29
2 l
54
30
6 l
73
l 5
44
23
20
50
9
3 l
59
23
54
84
2l
54
l0
43
50
38
l 7
76
65
l4
23
36
38
46
2
66
28
l 6
74
62
p
Numbers
50 5 l 52 53 54 )) 56 ) t 58 59 60 6 l 62 63 64 65
53
59
6 l
67
7 l
'73
79
83
89
97
43
r3
45
3 l
62
l 0
50
55
68
36
27
32
53
5 t
5
27
22
46
7
63
76
47
42
2 l
5 l
3
42
79
55
93
22
33
57
23
53
'7'7
59
78
l 0
3 5
t 9
52
l 4
26
53
l 9
)
3 l
37
8
59
56
52
5 l
66
87
2 l
52
26
t 9
57
65
l l
4 l
37
30
32
49
42
68
33
37
36
55
29
36
45
4
43
t 5
1 3
75
47
3 l
36
J
5
3 l
34
43
67
30
56
66
23
7 l
l9
l 5
43
Inc
69
58
45
66
69
64
Lices
48
I 17
lle
160
l3e
147
t 8 0
35
53
45
55
70
83
75
6
36
48
24
6
8
t 2
34
67
60
1 8
22
5
26
p
Numbers
66 67 68 69
't0 'tl 72 73 74 75
't6 I I 78 79 80 8 l
67
7 l
78
79
83
89
97
33
63
69
73
t 5
1 3
94
47
50
48
45
56
57
6 l
J I
29
58
38
6 l
4l
52
2'7
50
58
5 l
35
42
4l
36
79
66
44
5 l
33
62
l t
36
t 4
65
50
50
44
69
20
28
23
zl
27
29
4'l
44
53
72
40
49
67
53
43
32
77
2 l
Inc
39
68
40
J J
lices
I
143
142
t 3 0
3 l
46
4 l
42
4
88
p
Numbers
82 83 84 85 86 87 88 89 90 9 1 92 93 94 95 96
83
89
97
4 l
37
23
6 l
t 7
26
'73
76
90
45
38
60
83
44
92 s 4l ' 7 e 1 5 61 4 9
Ind
201
lces
22 82 48

Appendix
p Indices
8 e { t 0 l l t
I 5 7
6
4
3
2
l2 t 6
l 5
t4
l 3
l l
I
Ir
l '
l !
2.
2l
3 l
3''
4 1
43
4'l
53
59
6l
67
7 l
73
79
83
89
97
2l rl | | |
21 41 3l rl I
3l 21 6l 41 5l I
2l 4l8l slrol I
2l 4l 8l 3l aln
3l elrolnl slrs
21 4l sl rol rgl 7)
5l 2ltol +lzol rl
21 4l altol :l 6l
3l el271rolzelrcl
21 4l al roltzlztl
olrelrrlzslztl:Bl
3l slzt llslzel+rl
slzs
I rrI r+lzzlul
2l 4l 8lt6l:zlrrl
zl +l slrolrzl si
zl 4l alrel:zl :l
2l 4l sl roltzleql
Tl4elsqlsrlsrl zl
slzslszl+rlstl sl
3l elztl zl elrsl
zl 4l sl roltzloal
3l el27lsrloslrzl
s l 2 s l 2 8 l 4 3 l 2 t l s l
t 2 l 2 l a l r
t4l elrs;rzlrslrrl rl olrzl s
17l16lllI tlzzl rslzrI nl lsl I
rz1z+! rs! I I rsI t I vl zalzt I zs
t7| 20I 2eI zsI n I al z+lroI :oI zsI
t7I 34l3t l2sI n I zelrsI :oI z:I s I
zeltolrel32l28l +lz+lztl glrsl
37
l2s;rzI roI ro| +l rzl rclzzl ztl
n | 8| 40lrzI r: I re| +lI ztl +tl n I
z2l44l
rsI rz| :+| rsI m I t I Al zal
t0| z0| 40| 2t | +z! zsI soI +rI zt I +eI
6l t21z+l+tI tsI qI rsI :oI rt I zzl
r I 5sl+rlul rsl ol rsl :ol sl roi
14121
1+21
+s| :r | +lztl s+I z:I rsI
ril 2l lol sol:r I el+sl olsol a I
,11+lrzlxlzt I slz+lzzlsslrol
15
| t I t+| zaI seI zqI ssI t: I ee| +qI
itl64l t+l+zly lzzI eo
I zoI oo
I zl
ol ol lol s:I zrI ul zgl+s| +el:eI
7l3l6l 'l I
ul el slrol zl I
trlrolr+l al tl 4
ll
Numbers
p Indices
t 7 l 8 t9 20 2 l
I 23
22 24 25 26 27 28 29 30 3r 32 33
1 9
23
29
3 l
37
4 1
43
47
53
59
6 l
67
7 l
73
79
83
89
9?
l0
l 5
2 l
22
l 8
26
26
38
J
33
44
20
62
20
48
l 5
6
83
I
I
6
l 3
4
36
33
35
2
6
27
40
8
27
65
30
t 8
2t
26
l 2
35
34
l 9
l 0
t 2
t 4
54
t 3
56
62
37
60
54
38
t 2
23
5
33
40
l4
3
24
28
47
26
37
l 8
32
37
73
93
l 4
t 7
l 5
29
35
42
l 5
48
56
33
s2
46
t 7
t 7
74
4 l
77
I
I
)
t4
2 1
5
40
28
43
53
5
37
38
t 2
5 l
65
34
94
l 0
I I
)
30
34
46
33
47
l0
7
53
60
74
47
I 3
82
20
2
l 0
t 6
t 6
42
l 3
35
20
l 4
t 6
8
64
l l
39
22
l l
6
20
t 4
)
22
26
l l
40
28
4l
40
34
22
28
t 3
22
l 8
3
2
l 5
1 6
52
22
l 9
56
3
54
23
44
84
65
I Numbers
I rsI r I
lr:l tlzr
| 6 l t 2 l 2 4
Irzltrlzz
| 2l 6l18
33124126
sll4el4s
44l2els8
38l15l30l
4sl23l46l
2 t l 5 1 3 5 1
srl:el:+l
6 e l 4 e l 6 8 l
s| 'oIzo
I
t+1++l+tl
z+ltslul
I
l l
9
I I
36
37
57
60
25
32
24
46
40
40
79
22
l 3
33
39
21
) 5
59
50
l l
47
59
80
3 l
1
37
I 3
42
5 l
57
33
6
1 6
t 9
't7
4
35
t4
t'l
39
35
3r
43
53
66
42
57
7 l
t2
78

425
Appendix
p
Indices
34 3 5 1 3 6 37 38 39 40 4l 42 4t 4 4 i | 4 5 i . 4 64',1 48 49
17
4l
43
47
53
59
6 l
6',1
7 l
73
79
83
89
97
28
20
3 l
34
9
27
45
65
l0
35
l 3
59
36
2
19
38
t
29
l 8
54
29
63
70
29
39
35
l 9
l 0
I
23
zl
4
36
49
58
59
&
72
38
70
57
50
1 5
20
20
l9
39
55
5 l
22
68
35
57
82
56
8
17
6
38
l 9
49
35
t 2
48
26
3 l
68
86
I
8
30
23
38
37
3
l 3
2l
78
62
26
42
I
24
9
46
l 7
l 3
6
20
32
76
4 l
78
l6
29
45
39
34
26
t 2
69
l 4
70
82
56
80
I
37
25
9
52
24
57
70
52
8 l
79
1 2
M
50
l 8
43
48
44
58
77
79
59
60
I
Numbers
rl
32llel I
47l4rl2e
36113126
25l50l3e
2el58l4e
24l|26140
71163123
?3l6rl2s
?5167151
88186180
el45l31
5
52
t'l
3 l
67
42
t )
l9
62
58
l0
45
34
162
143
164
:l61
138
l8
t 9 6
20
3 t
1
l5i
I 17
128
143
|t16
124
1 9 2
p
lndices
53
59
6r
67
'll
13
19
83
89
97
40
3
l 4
47
48
61
50
69
72
72
27
6
28
27
52
43
7 l
55
38
69
I
t 2
56
54
9
69
55
27
25
54
24
5 l
4 l
63
53
I
54
75
76
48
4l
t 5
l 5
46
zl
25
47
89
37
2l
30
34
l l
63
50
<)
57
l 5
42
60
25
))
3 1
l7
6',7
9 l
30
23
53
33
56
t4
34
23
67
I
46
39
1 8
6l
42
68
69
44
3 l
1 l
55
l 3
47
53
29
26
I
22
30
65
62
23
87
33
N
M
68
33
28
46
83
68
I
mbers
I
2 1 l | 4 2
5 0 1 6 6
r e l 2 2
5 t 1 5
rlrs
7 1 1 3 5
4 9 1 5 1
17
36
37
45
36
l6
6l
72
48
t4
34
39
39
56
p
Indices
. , ' r i i i i i i
ool
etloaloslio lurlnltt lralrslttltt lzt lre180
| 8t
67
7 l
73
19
83
89
97
I
60
49
10
6l
55
70
65
26
30
39
76
59
29
57
l l
78
50
4
6 l
20
6 l
66
33
73
I
38
20
63
5
3
44
60
43
l 5
1 5
I
22
3
45
75
66
6
46
84
40
l 2
49
32
4 l
24
58
63
44
48
85
24
53
l 3
7',|
23
2(
) i
I t
I
{umbt
I
t
'ls2
' 170
i l 9 0
r
l2r
132
1 6 2
42
l9
p
Indices
82 8 3 1 8 4 8 5 1 8 6 1 8 7 1 8 8 8 9 1 9 0 9 t 1 9 2 1 9 3 94 95 96
83
89
97
I
2r
95
6 3I l l
8 7 1 4 7
3 3 l l o l 3 0
4l I ll I 55
I
8 l 1 7 1 8 5 37 88 52
N
66
umbr
lrs
lrs

Table 5. Simple ContinuedFractions
for Square Roots of positive lntegers
d
d
J7 J7
| , I r,,ll i
l: lrr:1-l I
is ltz,ql I
lolt2:2+t I
lt lrz;r,TJ'+t l
ls )r2;yet I
I l 0 | [ 3 : 6 ] |
Itt I l:;:,ot I
I tz I t:;Nl I
InItl,r.r,T,l,ol I
| 'o I f3:LAGt I
i t 5 I [ 3 ; t , 6 ] |
ln|t+:st I
Jts J l+;+,al I
I ,nI r+;1i;l)"rl I
I 20 I Ia:2,81 i
Izt I t4;iJJJJst I
|,z I t+rr,xJ.r"sl I
I 23| [+:t.l,r,s] |
I zqI t4;l
,81 |
I zeI ts;rol I
I,, I rs:s,
ror I
j 28 j ts;3,2,:,
rol I
I2eI ts:ttJ;Jot I
I :o I Is:z,rol l
I ,' I ts;r,r-:_:;rr,rol I
I 3 2 | t 5 : l , l , l , l o l I
| :l I ts;r,f
r,ro1 |
l:+ I ts;r,+rlot I
l:s lts:_ol I
I i 7 | t 6 : l 2 l I
i:a j to;o,ut L
l:r 116'aJI l;
]qolto;:J2l l;
io'lto:fut i;
I 42 ) [6:2,t21 | .
lo,llu,@,,rl l;
a a l | . 6 : l . l , l , 2 , l . l . t . l 2 l l .
4s lt6;r,t]Jm1 l;
+e1ro,ffirli
47[ [o;t,s,
r,tzl I g
48lle;r,rzl lq
soltz;l+l l;
5r I tt:t.tql I ;
szltt:+ttfV.u, ln
t -
I t 7 ; 3 , 1 , 1 , 3 . 1 4 1
Itz;zre;J.r+t
I tt,T,zl,tqi
I t't;zr+l
t -
I t 7 ; l , t , 4 , l . l . l 4 l
t -
I I 7 : l , l , l , l . l . l . t 4 l
Itt;nd.tqt
| [l:l,z,t,t+1
I tz;r,q3JJtr,raJJat
I t 7 ; 1 , 6 ,
|, l 4 l
Itz;1r+t
I [a;to]
Its;sT't
-
I l E ; 5 2 1 . 1 , 7 , 1 . t . 2 , 5 , t 6 1
| [s:+.
ro]
--
t 8 : 3 , 3 , 1
, 4 . 1
. 3 . 3 . 1 6 1
ts;zT;,
rJ,lot
--
l8;22,-l
,1.t,z,z,t
ol
[8;2,16J
[ 8 ; 1 . 1 , 5 , 5 , 1 . 1 . 1 6 1
t g ;
l ,rJ , l , G t
[ 8 ;
l ,r, l, l 6 ]
-
I E ;
1 , 2 ,
l ,1 , 5 , 4 , 5 .
t ,t , Z ,
t ,tO ]
[ 8 : 1 , 3 , 2 , 3 , l , l 6 J
ts:r,q,T.
t6l
ta;ffi.I
[ 8 ; l , l 6 l
[9;I8]
Iq;eJ8t
[ 9 ; 6 , l 8 l
t q ; {I , l , a , I 8 t
tq:1.1..-r'r.sJJJmr
[9;3,181
tq;2JJ,l2,l8t
[ry,zJal
[ 9 ; 2 , 1 8 ]
[ 9 ;l , l , 5 ,I . 5 .l . I . l 8 l
l9:l ,l ,2.4.2.1
. 1.181
_--
I9:1
,1,4.6.4.t
.1.1Sl
rg;mr
[ 9 ; 1 , 2 , 1 , 1 8 ]
lq;t,:,r,rsl
tg:t,s],rrr;l,l.ill
53
54
55
56
5 7
58
59
60
6 l
62
63
65
66
61
68
69
70
7 l
72
73
11
I
/) |
76 1
771
78I
7el
80I
82I
83I
341
t 5 |
- - l
16l
J 7 l
18i
rel
'oi
l l
I
t't I
- l
3l
4l
't
6l
- l
8 i [q;t,a,t,te]
q i lg;iJTl
426

Answersto Selected Problems
Sectionl.l
1. a) 20b) s5 c) :as d) 2046
2. a) 32b) 120c) 14400
d) 32768
3. t. 2. 6, 24,120,720,
5040,
40320,
362880,
3628800
4 . l , 1 2 0 ,
2 5 2 , 1 2 0 ,
I
5 . 8 4 .1 2 6 .
2 1 0
g . 2n
n+D/2
1 0 . 2 n
rr. 65536
21
. x : y : l. z :2
Section 1.2
l . 9 9 : 3 ' 3 3 ,1 4 5: 5 ' 7 9 ,3 4 3: 7 ' 4 9 , 0 : 8 8 8 ' 0
2 . a ) . c ) , d ) , e )
3 . a ) 5 , 1 5 b ) 1 7 , 0 c ) - 3 , 7 d ) - 6 , 2
4 . a : * . b
1 3 . b ) 3
11. 0 if a is an integer,-l otherwise.
2 3 . b ) 2 0 0 . 4 0 , 8 ,I c ) 1 2 8 ,l 8
2 4 . 2 0 + l 8 [ x - l ] , S t . 0 8n o ,$ 1 . 2 8Y e s
Section 1.3
l. (5554)r,(2fi2) rc
2. (328)ro.
(l I I I loooooo)2
3. (trs) ,u,(74E)6
4 . ( t O t O t 0 l
I I l 0 0 l l 0 l I l l 0 l I I l ) 2 , ( t t O tI 1 l 0 l I I I l 0 l 0 l l 0 0 l I l 0 l l 0 l ) 2 ,
( r o o tl o l o o o o o l o l
l ) 2
6 . b ) - 3 9 , 2 6
c ) ( t o o l ) - 2 ,
( l l 0 0 l l ) - 2 ,( 1 0 0 1 l 0 l ) - z
1 4 .i l t + : 2 ' 3 1 + l ' 2 1 . , 5 6 : 2 ' 4 t
+ l ' 3 !+ l ' 2 ! , 3 8 4 : 3 ' 5 !+ l ' 4 !
Section1.4
l . ( r o o t 0 l
l o l l o ) 2
2 . ( r t t i l o l l l ) z
3 . ( r o tt 0 0 0 l l 0 l ) 2
4 . ( l l l o ) 2 .( l o o o l ) 2
5 . ( t o o 6 5 ) r o
6. (338F)
re
't
. (8705736)
r6
8. (l I C)rc,(2895)ro

428
Answers to Selected problems
23' a) 7gross,7do,zen,andgeggs
b) il gross,5dozen,and
lreggs
c) 3 gross,I I dozen,
and6 eggs
Section1.5
I
a) prime b) prime c) prime d) compositee) prime f) composite
7 . 3 , 7 , 3 1 , 2 1 1 , 2 3 1 1 , 5 9
r0. il 24,25,26,27,29b) 100000.l
+ 2,1000001!+
3,...,1000001!+
1000001
t 4 . 5 3
16. a) 1,3,7,9,13,15,21,25,31,33,37,43,49,51,63,67,69,73,75,7g,g7.93.99
Section2.1
l . i l 5 b ) l l l c ) o d ) I e ) r r i l 2
4. I if a is oddandb isevenor viceversa,2 otherwise
5 . 2 t 2 l
1 4 . i l 2 b ) s c ) s s d ) 3 e ) t f ) 1 0 0 1
15. 66,70,105;
66,70,165;
or 42,70,165
19. (3k+2,5k+3): I since
s3k+D_3(5k+3) : I
Section2,2
l . a ) r s b ) 6 d Z d ) s
2. a) rs :2.45 + (-l)75 b) 6 - 6.222
+ (_13)102
c) z:65'1414 + (-r38)666d) 5 :800.44350
+ (-1101)20185
3 . a ) I : l ' 6 + l . l 0 + ( - t ) t 5 b ) 7 : 0 . 7 0 + ( _ l ) 9 g+ 1 . 1 0 5
c) 5 : -5.280+ 4.330
+ (-t)+os+ 1.490
4 . i l Z
s . i l 2
Section2.3
l. il 22.32
b) 3.13c) 22.52d) 172d,2.l.ll f) 28 g) s.rol il 23.43i) 24.32.5.7
| 2653k) 3.5.72.
I3 l) 9.1
l.l0l t, 1t,
,l i
8 . b ) 2 r 8 '
3 8 . 5 4 .
7 . 1
1 . 1 3 .
t 7 . t g
9. 249,331
10. 300,301,302,303,304
|2. b) 5,9,
| 3,1
7,2
l,Zg,3
3,37,4
1,49,53,57,6
1,69,7
3,7
7,gg,g
3.g7
.lOl
d) 693 : 21.33: 9.77
il 24 b) 210c) r+o d) I l2l I e)soo+oil 3426s7
i l 2 23 35 37 2 . 2 13 ss 57 7 b ) 1 , 2 . 3 . 5 . 7 . 1 1 . 1 3 . 1 7 . 1 9 . 2 3 . 2 9
d 2 . s . 1 1 , 2 3 . 3 . 5 7 . 7 .
1 1 1 3 . 1 3
d ) 1 0 1 1 0 0 0 , 4 l f i
4 7 r r 7 g | rg 3 i l r l 0 l r 0 0 l
18,540;
36,270:54,
180;90. 108
308,490
a) 30,l00l
afuc)2.:r,r5r
f) 33.5.7.
I 3.19.37.73.
109
1 0 3
1 4 .
1 5 .
1 7 .
2 1 .
25.
29.
30.
d) 32.5.7
.13.t7.24te) 52.
13.41.6t.1321

429
Answers to Selected Problems
a)3 t)ze d242
a ) x : 9 8 - 6 n , ! : | * 7 n ,
c ) x : 5 0 * n , l :
- 1 0 0 +
(nickels,
dimes,
quarters)
:
( 8 .1 6 , 0 )
9 first-class,
l9 second-class,
9. 0 | 2 3 4 5 1 0 . 0 | 2 3 4 5 l l . x 0 r 2 3
Section2.4
l. il zz'ql'eu b) 7'37'53'107
c) t92'3r'4969
2. u) r:.sqr b) 73 c) tz'6+t d) 103'107e) toot'1999 f) 4957'4967
5 . d 1 7 , 3 4 7 6 . d ) 1 3 ' 1 7 , 4 1 . 6 1 , 2 9 3 ' 3 4 1 3
7 . 5 ' 1 3 ' 3 ? ' 1 0 9
l z ' 5 l 3 ' 2 n l o g r c 2
Section2.5
l . a ) x : 3 3 * 5 n . 1 : - l l - 2 n b ) x : * 3 0 0 * l 3 n ' y - 4 O O - 1 1 n
;13:::il;4,-"44r, d)no
sorution
'il
,x'ZI cb1 y =-zi^n
-
i l x : 8 8 9 + 1 9 6 9
n , Y : - 6 3 3 - 1 4 0 2 n
2. 39 French
francs,
I I Swiss
francs
3. 17apples,
23oranges 8-'l.
"Pt
0f
4 . l 8
5. a) (14-centstamps,2l-centstamps)
=(25,0),(22,2),(19,4),(16,6),(13,8)'
(10,1o),(?, 12),(4,14),(1, 16)
b) no solution
c) (14-cent
stamps,2l-cent
stamps)
=(54,1)' (51'3)' (48' 5)'(45'7)'
(42,g),(39,11),(36,l3), (33,15),(30,l7),(27' 19)'(24',2r',(21',23)',
(18,25),(15,2:7),(12,
29),(9,31),(6, 33),(3, 35),(0',37)
z - l-n b) no solution
3n, z : 150-3n, w -- fr
( 2 0 ,0 . 4 ) , ( 17 , 4 , 3 ) , ( 1 4 ,8 , 2 ) , ( 1 1 ,1 2 ,1 ) '
4l standby 14. no 15. 7 centsand 12 cents
Section3.1
l. a) l,2JlP$ 1,3,9,27,3J,111,333,999
..'it
"ff2,
4. il g b) b c) o d) 12 d + f) I
1 0 .
I l .
t2.
1 3 .
0
I
2
J
4
5
12. a) 4 o'clockb) 6 o'clockc) 4 o'clock
I 3. 0.I,5,6
1 4 . a 7 + b ( m o d p )
17. n 7 + I (mod 6)
1 8 . 1 , 3 , 5 , 7 , 9 , 1
l , l 3 , 1 5 , 1 7 , 1 9 , 2 1 , 2 3 , 2 5
2 t . a q z l r ) z c ) t 8
26. a) t b) I cl f O) I e) ap-t = 1 (modp) whenp is prime andpla
27. a) -1 b) -l c) -t d) -l e) (p-l)! : -l (modp) whenp is prime
30. a) 15621
2 3 4 5
3 4 5 0
4 5 0 1
5 0 1 2
0 r 2 3
t 2 3 4
l0r
lr 2
l23
t 3 4
t -
lo,
l s 0
0
I
z
J
4
5
0
I
2
J
.+
5
0
I
L
J
4
5
0
0
0
0
0
0
0
J
0
J
0
J
0
2
+
0
2
4
0 5 4
1 0 5
2 r 0
3 2 1
4 3 2
5 4 3
3 2 1
4 3 2
5 4 3
0 5 4
1 0 5
2 1 0
5
0
5
A
J
2
I

L a) x:3 (mod 7) b) x:2,5,g (mod 9) c) x=7 (mod 2l) d) no solurion
e ) x = 8 1 2 ( m o d l 0 0 l ) f ) x : 1 5 9 6 ( m o d t 5 g 7 )
2. c) x=5 (mod 23)
3. I t hours
4. 6-0,6,12,18,24(mod 30), 6 solutions
s.a)r:D7c)sd)t6
8. a) (x,y)
= (0,5),t,D.,e.O,(3,3),(4,0),(5,4),(6,1)
(mod
7)
b) (x,y)
= (t,l),(1,3),(t,5),tr,zl,t:,ol
,G,zi,ii',qj,ir,ul,(5,1),(5,3),(5,5),(5,7),
(7,0),
(7,2).(7,4),(l.0
(mod
g)
c) (x,y)= (0,0),
(0,3),
(0,6),
(I,I),(I,4),
(I,7)
,(2,2)
,(2,5),
(2,g),
(3,0),
(3,3),
(3,6),
(4,1),(4,4),(4,D,$,D,
(5,5),(5,gl,re,ol,ro,:J,-ii,il
,(7,1),(7,4),(7,7),(g,2),
(8,5),(g,g)(mod 9)
d) no solution
Section 3.3
l ' a ) x = 3 7 ( m o dl g 7 ) b ) x : 2 3 ( m o d3 0 ) c ) x : 6 ( m o d2 r 0 )
d) x = 150999(mod 554268)
4 . 2 l 0 l * 2 0 1
8. a) x = 28 (mod 30) b) no solution
10. a) x :23 (mod30) b) x = 100 (mod210) c) no solurion
d) x : 44 (mod g40) e) no solution
i l . 3 0 t
| 3. 0000,0001,0625,9376
17. 26 feet6 inches
430
Section3.2
Section 3.4
l. a) (x,y) = (2,2) (mod
(4,1) (mod 5)
2 . a ) ( x , y )= ( 0 , 4 ) ,( l , l ) ,
3 . 0 , l , p , o r p 2
5) b) nosolution c) (x,y)= (0,2),(1,3),(2,4),(:,0) or
(2,5),(3,2),(4,6),(5,3),(6,0)(mod7) b) nosolution
4. a)
1. a)
8. a)
(
l0
t )
t -
{
l0
U
{q
I
l4
l r
l r
rl ls rl fr
ol b)lo 2l c)l,
/ / t -
4 3J [z o 6l
t ol b)lz' ol c)
4 4 ) l l 4 o j
4l
rJ
ls
l )
l5
[ 4
5 5 4
5 4 5
4 5 5
5 5 5
9 . a ) x : 0 , y E 7 , 2 - 2 ( m o d 7 ) b ) x :
c )
"
= 5 , - y = 5 , , = 5 , w = 5 ( m o d7 )
r 0 . i l 0 b ) 5 c ) 2 s d ) l
l , - y E 0 , 2 = 0 ( m o d7 )

4 3 1
Section 4.2
Section 4.1
l. a) 28 b) 24 c) 2ro d) 2t
2. a) 53 b) 54 c) 5r c) 5e
3. a) by 3, not by 9 b) by 3, and 9 c) by 3' and 9 d) not bv 3
4. a) no b) Yes c) no d) no
5. a) thosewith their number of digits divisibleby 3, and by 9 b) thosewith an
evennumber of digits c) thosewith their numbcr of digits divisibleby 6
(sameior 7 and for 13) d) I 1
8. ozro2n-t...aps-azno2n-t
azn-z* * a5 aaa3l at apo (mod 3l)'
37tr4$6e2.3711
l09278s
10. a) no b) not by 3, by 5 c) not by 5' not by 13 d) yes
l l . 7 3 e
12.
'!-6
I 3. a) incorrect b) incorrect c) passes
castingout ninescheck d) no' for example
part (c) is incorrect,but passes
check
2. a) Friday b) Friday c) Monday d) Thursday
e) Saturday f) Saturday g) Tuesday h) Thursday
i) Monday j) Sunday k) Friday l) Wednesday
Section 4.3
l . a ) Tcanr
Round
') 3 ,4
t () 1
I 1 6 b)'c 3
')
2 b-vc 1 6 5
,| t l
' - - l
' ) l
- l
-- ----- 1
3 ) I 1 6 b)'c -l I
4 3 b,c 1 o 4
5 ,1
J 2 I 1 b r c 5
6 5 .4 bvc ) I 1 o
1 o 5 4 3 2 ) b l c
3 . a ) H o m et e a m s :
R o u n dl : 4 , 5 . R o u n d2 : 2 , 3 ,R o u n d3 : 1 , 5 ,R o u n d4 : 3 , 4 ' R o u n d5 :
t . 2
Section 4.4
5. 558,1002,2t-t4,4

432
Section 5.1
l . _ l l "
2 . I
4 . 4
5. a) x : 9 (mod 17) b) ,r : 17 (mod 19)
1 8 . I
24. 52
Section 5.2
t7. 7.23.67
Section 5.3
l . a ) 1 , 5 b ) 1 . 2 , 4 , 5 , 7 , g
c ) 1 , 3 , 7 , 9d ) 1 , 3 , 5 , 9 , , . 1 3e ) t , : . s , 2 , 9 . , , t 3 . 1 5
) 1 1 1 m - l
r
a r . J . . , L I
5 . l l
9. a) x :9 (mod 14) b) x : 13 (mod 15) c) -r = 7 (mod t6)
l l . a ) r b ) I
1 2 . d ( 1 3 ): 1 2 , 0 0 4 : 6 . a ( 1 6 ) : 8 , d ( I 7 ) : 1 6 , , r ( r 8 )
: 6 , o ( t g ) : t 8 , d ( 2 0 ): 8
Section 6.1 il f
l. il +o b) t28 d t2o il 5760
2' a) 1,2 b) 3, 4, 6 d no sorurion d) 7, 9, 14,and rg e) no sorution
f) 35, 39, 45, 52, 56,70,J2,7g, g4, g0
3' il l' z b) thoseintegers
n suchthat 8 | n:al n. andn hasat leastonc odd prinrc
factor;n has at reasttwo odd prime factors;or n hasa prime factor p = t (mod 4)
c ) z k , k : 1 , 2 , . _ .
Section 6.2
1. a) 48 b) 399 d 2sqo d) 2r0r_l e) 6912
2 . i l 9 b ) 6 c ) r s i l 2 s 6
3. perfect squares
4' thosepositiveintegersthat haveonly evenpowersof odd primesin their prime-
power factorization
5. a) 6,r r b) r0,r7 c) | 4,| 5,21
,23 d) 33,35,4
7 e) no sorution f) 44,65
6 . a ) t 0 2 d q d ) t 2 d t g z f ) 4 5 3 6 0
8' a) primes b) squaresof primes c) productsto two distinct primesor cubesof
primes
9 . nr(n) /2
10.a) 73,252.2044
b) r +pk c) (pku+rt_D/gk_Do ii<tta,*t)_D/Qf_t)
j : l
Section 6.3
1. 6, 29, 496,g I 2g, 33550336,
g5ggg69056

433
3 . i l t 2 , 1 8 , 2 0 , 2 4 , 3 0 , 3 6
b ) 9 4 5
7. a),c) Prime
8. a),b),d) Prime
Section7.1
l. DWWDFNDWGDZQ
2. I CAME I SAW I coNQUERED
3. IEXXK FZKXCUUKZC STKJW
4. PHONEHOME
5 . t 2
6 . 9 . t 7
7. il C:7P + 16(mod26) b) C:acP
8. A)VSPFXHHIPKLBKIPMIEGTG
Section7.2
RL OQNZ OF XM CQ KE QI VD AZ
IGNORE
THIS
Il 24]
12425)
d 2 6
0 0 0
3 1 0
3 1 0
2 t 3
2 t 7
0 0 s
Section7.3
l . t 4 t 7 t 7 2 7 l l 1 76 5 7 6 0 77 6
Z. DO NOT READTHIS
4. GOODGUESS
5. 92
6 . 1 5 0
Section7.4
l . 1 4 5 3 ,
3 0 1 9
3 . 1 2 1 5
1 2 2 4
t 4 7 l 0 0 2 3
0 l 1 6
4. EAT CHOCOLATECAKE
* bc 'r d (mod 26)
b) EXPLOSIVESINSIDE
l .
2.
a
J .
4.
6 .
ol
ol
0l
rlI
'l
r l
[52
13r
1 2 I
ro
loo
l0
0
l . 0 0
a) t b) l3
Iz t: I I
I I 23101
12537 )
i. digraphic
Hill cipherwith enciphering
matrix
Itj 163]
t 4

434
5' a) 037103540858085800871359
0354000000871543I 7g7053sb)001
g 0977
ffi8 #l 3l1i'u*
0274
0872
082r
0073
084s
07400000
0008
0r48
0803
04r5
6' d 00420056048104810763000000510000 029402620995049505:|'ag72
00000734015206470972
7 ' d ) 1 3 8 3
1 8 1 2 0 3 5 2 0 0 0 0
1 3 8 3
0 1 3 0
1 0 8 0
r 3 5 rr 3 8 3r 8 1 2 0 1 3 0 0 g 7 2 r 2 0 8
0 9 5 6
00000972l5l5 0937129712082273l5l5 0000
8. 0872I 15215370169
Section7.5
l. a) yes b) no c) yes d) no
4 . l 8 : 2 * 1 6: 2 * 3 * 1 3: 3 * 4 * l I : 7 * l I
5. (tz,st,g5,g,
16,4g,64)
6. 6242382306332274
g. (44,37,7
4,7
2,50,24)
1 0 .a ) 0 o: 2 . 3 . 1 0 : 2 . 5 . 6 : 6 . 1 0
b ) 1 5 9 6 0 :g . 2 1 . 9 5
Section7,6
l. a) 3696,
2640,5600,3g5
b) 53g9
2. 829
Section8.1
l . i l 4 0 4 c ) 6
2 . a ) 3 b ) 2 ,3 c ) 3 , 7 d ) 2 , 6 , 7 ,l l e ) 3 ,5 f ) 5 , I I
4 . 4
16. il 23.89
18. d 2209
Section8.2
L a ) 2 0 4 c ) 8 d ) 6 e ) t 2 f ) 2 2
4. il q b) themodulus
is notprime
6. 1
il. b) 6
1 2 .c ) 2 2 , 3 7 ,
g , 6 ,g ,3 g .2 6
Section8.3
l. 4, 10,22
2 . i l z 0 2 c ) : i l 2
3 . i l 2 0 2 d z d ) 3
4 . a ) 5 b ) 5 c ) r s d ) 1 5
5 . 7 . 1 3 . 1 7 .
t 9
Section 8.4
l . i n d 5 l: 2 2 , i n d 5 2 : 2 . i n d 5 3
: 1 6 , i n d 5 4 : 4 , i n d 5 J : I, ind56: 18,ind57: 19.

435
i n d 5 8 : 6 , i n d 5 9 : l 0 . i n d 5 l 0 : 3 ' i n d s l l : 9 ' i n d : 1 2 : 2 0 ' i n d 5 l 3 : 1 4 ' i n d i 1 4 : 7 1 '
i n d 5 l 5 : l 7 , i n d 5 l 6 : 8 . i n d 5 l 7 : 7 ' i n d 5 l 8 : 1 2 ' i n d s l g : 1 5 ' i n d r 2 O : 5 '
i n d 5 2 l: 1 3 ,i n d 5 2 2 : l l
2. a) -r=9 (mod 23) b) x=9'14 (mod 23)
3. .) x : 7, 18 (mod 22) b) no solution
-1. a : 2.5,tlr 6 (rnod l3)
5. b : 8.9.20.
or 2l (mod 29)
6. ,r 3 10,16,57,
59.90.99.1
I 5.1
34,144.1
45.I49, or | -52(r.Ilod
I -56)
T . x = I ( m o d2 2 ) .a - 0 ( r n o d2 3 ) ,o r x E 1 , 1 2 . 4 5 . 4 1 . 7 t t ' 9 1 ' 9 3 ' 1 0 0 ' 1 3 7 ' 1 3 9 ' 1 4 4 '
183'
l 85.188,210,229,23
l ' 232.?.52.254,27
5,277
.32l ,323,367'369'3tt
6,,1|3.41
5,4.]0'
459,461.
or 496 (mod 506)
lt. a) (t,Z), (0,2) c) -x = 29 (mod l2), 't - 42 (nrod8)
1 2 b ) ( 0 , 0 , 1 , l ) , ( 0 , 0 ' 1 , 4 ) d ) ' x = 1 7 ( m o d6 0 )
l 6 . b ) ( 4 9 9 3 8 . g g 8 . 7 O 1 @ . 4 9 9 3 9 9 9 8 1 1 ) : ' 7 4 9 9 9 2 4 9 . . ,
Section8.6
r . a ) 2 0 b ) 1 2 c ) : 0 d ) 4 8
2. a) t,z b) 3,4, 6' 8. 12.24
80.120,240 e) nosolution
I68.252.504
3 . 6 5 5 2 0
4 . a ) t t b ) 2 c ) l d ) l l e ) t g f ) 3 8
I4. 5.I 3'l'l'29.5'lT'29,
5',29'13
Section 8.7
l . 6 9 , 7 6 , 1 7 , 9 2 , 4 6 ,
I I '
7 . 6 . 1 3 , 1 0 , 1 4 , 1 5 , l , 7 '
3 . l 0
" 7 .a ) l t b ) 7 1 5 8 2 7 8 8 2
9 . 1 , 7 4 , 2 5 ,I 8 , I 2 , 3 0 '
Section 8.8
l . a ) s b ) 5 d 2 d ) 6
2 . a ) 2 b ) 3 d 2 i l 2
3. a) usesPread
s : 3 b)
Section 9.1
I . a ) t b ) I , 4 c ) I , 3 , 4 , 9 , 1 0 , 1
2
2 . l , l , - 1 , 1 , - 1 , - l
I l. a) -r = 2,4 (mod 7) b) -r =
1 5 . . r = 1 , 4 , 1 1 , 1 4
( m o dl 5 )
36. c) DETOUR
e) tgo f) 388080 g) 8o+o h) I254
I l 328000
c) nosolutiond) 5, l0' 15.16,20,
30'40'48'60'
f ) z .q , 1 4 ,1 8 .2 1 . 2 8 , 3 6 . 4 2 . 5 6 , 6 3 .
1 2 ' 8 4 '1 2 6 '
12.14.19.36,29,84,
5, 25.62.84.
-s'25.62'"
18.16.6, l3-....
period
length
is9
c) 3l d) 195225786
c) loz3z+
tttz:
l l . l 0
e) 30 i) 20
e ) 5 t ) 7
usespread
s: 2l c) uscsPrcad
s : 2
d ) 1 , 4 , - s , 6 , 7 , 9 . 1
l , l 6 . l 7
| (mod 7) c) no solution

436
23. a)
Answersto Setectedproblems
Section 9.2
l . a ) - l b ) - l c ) _ l d ) _ l e ) r f ) l
4 . p = + l ( m o d 5 )
5 . p = + 1 , * 3 , + g ( m o d 2 g )
Section 9.3
l . a ) r b ) - l c ) r d ) l e ) _ l f ) l
2 . n : 1 , 7 , 1 1 , 1 7 , 4 3 , 4 9 , 5 3 , o r 5 9
( m o d 6 0 )
3 . n = 1 , 7 , 1 3 , 1 7 , 1 9 , 2 9 3 7 , 7 1 , g 3 ,
9 1 , 1 0 1 , 1 0 3 , 1 0 7 , 1 0 9 , 1 1 3 ,
o r I l 9 ( m o d 1 2 0 )
9. a) -l b) -l c) -r
Section l0.l
6. a).lb) .ar6c).92nr6 d).5 e)xOq
i. a)(:s)g b) (.2)s
c) (.r+o:),ai'f.'i6,
8 u)3 b)+ dL
25 90 33
s. u)Sb)+.)Ad) el6
343 70 20 I 365
10. b :2s'3s'5"7"',
where
s1,.92,s3,
andsaarenonnegative
integers,
nota1 zero
ll. a) 2,1 b) l,t c) z,t d) 0,22 e) 3.e rl o.o1
12. a) l,o b) 2,0 c) 1,4 d) 2,1 e) l,l f) 2.4
t 4 . a ) 3 b ) l 1 d t t d ) l 0 l d + t . z T D 7 . 1 3
f) .000999
e) (.052)6f) (.02721350564)R
3/2 d s/3 h) 8/5
e)[- |;1,22,3,1,1.2,21
0 l I 1 I 2 t _ 2 3 1 4 3 2 5 3 4 5 6 l
T'i'6'T';'t't't';,r,7,T';,
;';,;';,;,;
Section
10.2
l. il t5/7 0 t0/7 d olzl d) 3ss/ll3 d z f)
2. a) [t;s] U)B;zl c) [0;1,1,1,9]
d) [0;199,1,4]
f) [o;5,
l,l,z,l,4,l,2ll
Section10.3
I. a) [l;2,2,2,...1
b) [ t;1,2,1,2,1
,2,...)c) [2;4,4,4,..)
d) [ t;1,1,1,...J
2. 4_l,L!,s,t b) 6J,l,l,J c) 0,2,6,10,14
d) 0,1
,3,5,7
? 3 1 2 6 8 9
99532
/ ^ 2 3 8 i l 1 9 9 7 1 0 6 1 9 3
l- l'3'4 ^7'32'39'7t:
o,
+
ll. d) 21 4t 69 9l l13-135'157t7g'201223z4s 267z}s 3ll
g t5'22'29'36,Jt,E-'T,d,7l '7g 'g5 ,lt,f
Section 10.4
l.
") IU,t,t,+1
b)t3;:,61
c)ta;l":,r.sl
a)to;FrZt
2 . a ) [ l ; 2 ]
3. a)(z: +.,/Til/rc b) (-l +,/+sl/z c) (s+ .,Fazlto
4. b)[lo;20]
, 117:frl,
I4t:il)

437
5. c)[q;j,J8],
tto:z2o|lte;Tt4I?q,2,+t1
6. d to:ffil, 17
:7,t41,
Il6;l,t5,1,321
I l. b), c), e)
Section I l.l
l. a) 3,4,5:5,12,13;
15,8,17:'7,24,25:21,2O,29:35,12,37
b) 3'4'5;6'8'10;
5',12',13;9'
12,15;15,8,17:12,16,20:7,24,25;15,20,25;
10'24'26:21'20'29;
l8'24'30;30'16'34;
21,28,35,35,12,37
; I 5,36,39;24,32,40
1 ' - 2 - - I ( m 2 + Z n 2 )
w h e r em a n d n a r e p o s i t i v e i n t e g e r s .
8 . x :
; ( m " - Z n " ) , Y
: n l n , z :
t
i ^ l
,: L(2^2-nz),! : ^r,, :
+Q.m2+n2)
wherem andn a(e positiveintegers,
*>it,li, andn iseven
I | , ) , r ? r - - ^ ^ - - - ^ - , { , - ^ - o ^ ^ " i t i ' r ,
9. , - l-{^z-3n2),y
: mn,, -
f,(^2+3n2)
where m and n are positiveintegers,
*rrTln,andm = n(mod 2)
Section 11.3
l . a ) x : ! 2 , y : 0 ; x : + l , y : ! l b ) n o s o l u t i o n c ) x : + l ' y : + 2
2 . a ) x : t 3 , y : * l b ) n o s o l u t i o n c ) x - + 5 ' l : 0 ; x : * 1 3 ' y : + 3
3. a) x : 70,y : 13 b) x :9801, Y
: 1820
5' X : l 52Q,
y : 273 ; x : 4620799,y : 829920;x : 42703566796801,
Y
: 766987012160
6. a), d), e), g), h) Yes b)' c)' f) no
'1.
x : 6239'765965'120528801,
! : 19892016576262330040

Bibliography
BOOKS
Number Theory
l ' w. W. Adams and L. J. Goldstein, Intoduction to Number Theory,
Prentice-Hall,EnglewoodCliffs, New Jersey,1g76.
2. G. E. Andrews,Number Theory,w. B. Saunders,philadelphia, lg7l.
3. T. A. Apostol, Introduction to Analytic Number Theory, Springer-
Verlag,New York, 1976.
4. R' G. Archibald, An Introduction to the Theory of Numbers, Merrill,
Columbus,Ohio, 1970.
5. I. A. Barnett, Elements of Number Theory, prindle, weber, and
Schmidt, Boston,1969.
6. A. H. Beiler, Recreations in the Theory of Numbers, 2nd ed., Dover,
New York, 1966.
7. E. D. Bolker,ElementaryNumber Theory,Benjamin,New york, 1970.
8. Z. I. Borevich and I. R. Shafarevich,Number Theory, Academic press,
New York, 1966.
9. D. M. Burton, Elementary Number Theory, Allyn and Bacon, Boston,
t976.
10. R. D. Carmichael, The Theory of Numbers and Diophantine Analysis,
Dover,New York, 1959(reprintof the original 1914and l9l5 editions).
I l. H. Davenport, The Higher Arithmetic, 5th ed., Cambridge University
Press,Cambridge,1982.
12. L. E, Dickson, History of the Theory of Numbers, three volumes,
chelsea,New York, 1952 (reprint of the l9l9 original).
13. L. E. Dickson, Introduction to the Theory of Numbers, Dover,
New York 1957 (reprint of the original 1929edition).
438

1 4 .
439
BibliograPhY
20.
21.
22.
23.
24.
H. M. Edwards,Fermat's Last Theorem,Springer-verlag,
New York'
1911
.
A . A . G i o i a , T h e T h e o r y o f I Y t t m b e r s , M a r k h a m ' C h i c a g o l 9 7 0 .
E. Grosswald,,Topics
from the Theoryof Numbers,2nd ed., Birkhausero
Boston,
1982.
R. K. Guy, l.)nsolvedProblems in l,{umber Theory, springer-verlag,
New York, 1981
.
G. H. Hardy and E. M. Wright, An Introduction to the Theory of
1,,{umbers,
5th ed.,Oxford UniversityPress,
Oxford, 1919'
L. Hua, Introduction to Number Theory, Springer-verlag, New York
l 982.
K. Ireland and M. L Rosen, A Classical Introduction to Modern
IYumberTheory,Springer-Verlag,
New York, 1982'
E. Landau,ElementaryNumber Theory,Chelsea,
New York, 1958'
W. J. LeVeque, Fundamentals of Number Theory, Addispn-Wesley,
Reading,Massachusetts,
1977
.
w. J. LeVeque, Reviewsin Number TheOry, six volumes, American
MathematicalSociety,Washington,
D.C., 1974'
C. T. Long, Elementary Introduction to Number Theory, 2nd ed.,
Heath, Lexington,Massachusetts,
1972.
15.
16.
t'7.
1 8 .
1 9 .
25. G. B. Matthews,Theory of Numbers,Chelsea,New York (no date)'
26. I. Niven and H. S. Zuckerman, An Introduction to the Theory of
Numbers,4th ed.,Wiley, New York, 1980.
2l. O. Ore, An Invitation to Number Theory, Random House,New York'
t967.
28. O. Ore, Number Theory and its History, McGraw-Hill, New York,
I 948.
29. A. J. Pettofrezzo and D. R. Byrkit, Elements of Number Theory,
Prentice-Hall,EnglewoodCliffs, New Jersey,1970'
30. H. Rademacher, Lectures on Elementary [t{umber Theory, Blaisdell,
New York 1964,reprint Krieger, 1977
.
31. P. Ribenboim,1-JLectureson Fermat's Last Theorem,Springer-Verlag,
New York, 1919.

34.
35.
36.
440
Bibliography
32. J. Roberts, Elementary Number Theory, MIT press, cambridge,
Massachusetts,
1977.
33. D. shanks,solvedand unsolvedproblemsin Number Theory,2nd ed.,
Chelsea,
New york. 197g.
J. E. Shockley, Introduction to Number Theory, Holt, Rinehart, and
Winston, 1967.
w. Sierpifski, Elementary Theory of Numbers, polski Akademic Nauk,
Warsaw, 1964.
w. Sierpifiski, A selection of problems in the Theory of Numbers,
PergammonPress,New york, 1964.
w. Sierpirlski, 250 problems in Elementory Number Theory, polish
ScientificPublishers,
Warsaw, 1g70.
H. M. Stark, An Introduction to Number Theory, Markham, chicago,
1970;reprint MIT press,cambridge, Massachuseits,
r9ig.
B. M. Stewart, The Theory of Numbers, 2nd, ed., Macmiilan,
New York, 1964.
J. v. Uspensky and M. A. Heaslet, Elementary Number Theory,
McGraw-Hill, New York. lg3g.
4l' C' Vanden Eyden, Number Theory, International Textbook, Scranton,
Pennsylvania,
1970.
42. I. M. vinogradov. Elements of Number Theory, Dover, New york,
t954.
Number Theory with Computer Science
37.
38.
39.
40.
43.
44.
45.
A. M. Kirch, Elementary Number Theory: A computer Approach,
Intext, New York, 1974.
D. G. Malm, A computer Laboratory Manual for Number Theory,
COMPress,Wentworth,New Hampshire, 1979.
D. D. spencer, computers in Number Theory, computer science press,
Rockville,Maryland, 1982.

441
BibliograPhY
CryptographY
46. B. Bosworth, codes, ciphers, and computers, Hayden, Rochelle Park,
New JerseY,1982.
47. D. E. R. Denning, Cryptography and Data Security, Addison.Wesley,
Reading, Massachusetts,
1982'
48. w. F. Friedman, Elements of Cryptanalysis, Aegean Park Press,
Laguna Hills, California, 1978'
4 9 . A . G e r s h o , e d . , A d v a n c e s i n C r y p t o g r a p h y ' D e p t ' o f E l e c t r i c a l a n d
computer Engineering,Univ. calif. Santa Barbara, 1982.
50. D. Kahn, The Codebreakers,the Story of Secret Writing' Macmillan'
New York' 1967.
A. G. Konheim, Cryptography: A Primer, Wiley' New York' 1981'
S. Kullback, s/atis tical Methods in cryptanalysis, Aegean Park Press,
Laguna Hills, California, 1976.
C. H. Meyer and S. M. Matyas' Cryptography: A New Dimension
Computer Data Security, Wiley, New York, 1982'
A. sinkov, Elementary cryptanalysis, Mathematical Association
America, Washington,D.C., 1966'
Computer Science
55. K. Hwang, Computer Arithmetic: Principles, Architecture and Design'
WileY, New York, 1979.
56. D. E. Knuth, Art
'of computer Programming: semi-Numertcal
Algorithms volume 2, 2nd €d., Addison wesley, Reading
Massachusetts,
l98l .
57. D. E. Knuth, Art of computer Programming: sorting and searching,
volume 3, Addison-wesley,Reading,Massachusetts,
1973.
58. L. Kronsjo, Algorithms: Their complexity and Efficiency, wiley, New
York, 1979.
59. N. S. Szab5and R. J. Tanaka, Residue
Arithmetic and its Applications
to Computer Technology,McGraw-Hill' 1967'
51.
52.
53.
54.
tn
of

442
General
Bibliography
H. Anton, ElementaryLinear Algebra, 3rd ed.,Wiley, New York, 1981.
E. Landau, Foundationsof Analysfs, 2nd ed., Chelsea,New York, 1960.
W. Rudin, Principles of Mathematical Analysis, 2nd ed., McGraw-Hill,
New York 1964.
60.
61.
62.
ARTICLES
Numben
Theory
63. Ll M. Adleman, C. Pomerancq and R. S. Rumely, "On distinguishing
prlime numbers from composite numbers," Annals of Mathematics,
volume 117 (1983),173-2A6.
64. J. Ewing, t 286243-lis prime," The Mathematical Intelligencer, Volume
5 ( 1 9 8 3 ) , 6 0 .
65. J.lE. Freund, "Round Robin Mathematicso"American Mathematical
tullonthly,
Volume 63 (1956), ll2-114.
66. R. K. Guy, "How to factor a number" Proceedings of the Ftfth
Manitoba Coderence on Numerical Mathematics, Utilitas, Winnepeg,
Manitoba, 197
5, 49-89.
A. K. Head, "Multiplicationmodulo n," BIT, Volume 20 (tgSO), 115-
I 1 6 .
P. Hagis, Jr., "Sketch of a proof that an odd perfect number relatively
prime to 3 has at least eleven prime factors," Mathematics of
Computations,Volume 46 0983), 399-404.
J. C. Lagarias and A. M. Odlyzko, "New algorithms for computing
n(ff)," Bell LaboratoriesTechnicalMemorandumTM-82-1 I 218-57.
H. P. Lawther, Jr., "An applicationof number theory to the splicingof
telephonecables,"
American Mathematical Monthly,Yolume 42 (tggS),
8 l - 9 1
.
H.1 W. Lenstra, Jr., "Primality testing," Studieweek Getaltheorie en
Co[nputers, 1-5 September 1980, Stichting Mathematisch Centrum,
Arfrsterdam.Holland.
I ot.
l
68.
69.
70.
71.

443
BibliograPhY
72. G. L. Miller, "Riemann'shypothesis
and testsfor primality
"'
Proceedings
of thq seventhAnnual Ac:M symposium on the Theory of computing,
234-239.
1,73.
C. pomerance, "Recent developments in primality testing"' The
i'
-'
urrir*"rical Intelligencer,
volume 3 (lgg l), 97-105.
lq. C. pomerance,"The search for primes," Scientific American' Volume
241(tgSD, 136'147.
.15.
M. o. Rabin,
,,probabilistic
algorithmsfor lesting primality," Journal of
Number Theory,Volume 12 0980)' 128-138'
./6. R. Rumely,
,,Recent advances in primality testing," Notices of the
American Mathematical Sociely,Volume 30 (1983),4,75-47,7,
77. D. Slowinski, "searching for the 2'7th Mersenne prime"' Journal of
Recreational
Mathematics,
Volume I I (1918/9),258-261'
7 8 .
7 9 .
R. Solovay and V. Strassen'"A fast Monte Carlo
SIAM Journal for Computing, Volume 6 09ll)'
v o l u m e7 ( 1 9 7 8 ) ,
1 1 8 .
H. C. Williams, "The influence of computers in
number theory," Computers and Mathematics
test for PrimalitY,"
84-85 and erratum,
the develoPmentof
with APPlications,
Volume
8 (1982),75-93'
g0. H. c. williams, "Primalitytestingon a computer",
Ars combinatorica'
volume
5 (1978)
,127-185'
CryptograPhY
81. L. M. Adleman, "A subexponential
algorithm for the discretelogarithm
problem with applications to cryptogiaphy," Proceedings of the 2ath
Annual Sy*:,porium on the Fonia'tioit of Computer Science' 1979' 55'
60.
g2. M. Blum, "coin-flipping by telephone- a protocolfor solvingimpossible
problems,"IEEE Proceedings'Spring Compcon" 133-137'
83. w. Diffie and M. Hellman, "New directions in cryptography"' IEEE
Transactions
on Idormation Theory,Volume 22 (l976),644-655'
g4. D. R. Floyd, "Annotatedbibliographicalin conventionaland public key
cryptograpnr,.Cryptologia,Volume 7 (1983)' 12'24'

444
85.
86.
87.
88.
89.
90.
91.
92.
93.
Bibliography
J. Gordon, "Use of intractable problems
Privacy,Volume 2 (19g0), l7g-fg4.
M. E. Hellman, "The mathematics
ScientfficAmerican, Volume 241 (1979)
L. S. Hill, "Concerning certain linear
cryptography," American Mathematical
l 35-154.
rn cryptography," Information
of public-key cryptography,"
t46-t57.
transformation apparatus of
Monthly, Volume 3g (1931).
A. Lempel, "cryptology in transition," computing surveys, volume ll
Q979), 285-303.
R. J. Lipton, "How to cheat at mental poker,,,and ,,An
improved power
encryption method," unpublished reports, Department of computer
Science,Universityof California,Berklir'y, 1979.
R. c. Merkle and M. E. Hellman, "Hiding information and signaturesin
trapdoor knapsacks," IEEE Transactiins in Idormatioi Theory,
Volume24 (1979),525-530.
s. Pohlig and M. Hellman, "An improved argorithm for computing
logarithms over GF(p) and its .ryptog.upt i. significance,,' IEEE
Transactionson Information Theory, volume 24 (rgj"$, roC_iio.
M. o. Rabin,. "Digitalized signatures and public-key functions as
intractable as factorization," MIT Laboratory for computer science
Technical Report LCS/TR-212, cambridge, Massachusetts,rg7g.
R. L. Rivest,A. Shamir, and L. M. Adleman, "A method for obtaining
digital signaturesa1d public-key cryptosystems,"
communications of the
ACM, Volume 2t (1979), tZO-126.
A. shamir, uA polynomial time algorithm for breaking the basic
Merkle-Hellman cryptosystem," proceedings of the 2ird Annual
symposium of the Foundations of computeiscie,nce, r45-r52.
A. Shamir, "How to share a secret," communications of the ACM,
Volume22 0979), 612-6t3.
A. Shamir, R. L. Rivest, and L. M. Adleman, "Mentar poker,,, The
Mathematical Gardner, ed. D. A. Klarner, wadsworth International,
Belmont,California, 198l, 37-43.
94.
95.
96.

List of SYmbols
t
2
n t
II
l*)
I t
t.kJ
olb
olt
lxl
(a1ra1r-1...afl0)
t
Summation, 5
Factorial, 8
Product, 9
Binomialcoeficient,l0
Divides, 19
Doesnot divide, 19
Greatest
integer,20
Baseb exPansion,
27
Computer
wordsize, 33
Big-O notation,38
Numberof Primes,47
Greatestcommondivisor,
Greatestcommondivisor
Fibonaccinumber, 60
LeastcommonmultiPle,
53
(of n integers),
72
Minimum, 72
Maximum, 72
Exactlydivide, 76
Leastcommon
multiple(of n integers),
Fermatnumber, 81
Congruent,9l
Not congruent,91
Inverse,104
Congruent
(matrices),I l9
Inverse(of matrix), l2l
Identity lnatrix, l2l
Adjoint, 122
Hashingfunction, 141
Euler'sphi-function,l6l
ov)
,r(.x)
G,b)
(a 1,,a2,..-,an)
un
la,bl
min(xy)
max(x,y)
p'lln
ta1,a2,...,anl
F,
a = b(mod z)
a # b(mod nr)
a
A:B(modra)
7
I
adj Ca)
h (k)
6h)
55
77

dln
f*s
ph)
o(n)
r(n)
M-
E*(P)
D*(c)
ord.a
ind,a
I(n )
X6(n
)
|t
Is-l
lp )
r)
lLl
ln J
(c p2ca..)6
( . c1 . . . c r - 1 r b
Fn
Iag;a1,a2,...,,e111
Ck :
Pr/qr
[ag;at,az,...l
Iag;a
r,...,o
*-,,ffifr|'
Q ,
List of Symbols
Summation
overdivisors,170
Dirichletproduct, 172
Miibiusfunction. 173
Sumof divisors
function, I74
Numberof divisors
function
, 17s
Mersenne
number.l g2
Enciphering
transformation,ZI2
Deciphering
transformation,212
Orderof a modulom. Z3Z
Indexof a to the baser, 252
Minimal universal
exponent,269
Maximal+l - exponent,
2g0
Legendre
symbol, 289
Jacobi
symbol,314
BaseD expansion,
341
Periodic
base
6 expansion,
343
Fareyseries
of ordern, 349
Finitesimple
continued
fraction,351
Convergent
of a continued
fraction, 354
Infinitesimplecontinued
fraction, 362
Periodic
continued
fraction, 3i4
Conjugate,377

lndex
Absolute least residues, 93
Abundant integer, 185
Additive function, 174
Affine transformation, l9l
Algorithm, 33,58
division, 19
Euclidean, 58
for addition, 33
for division, 3'7,41
for matrix multiPlication, 43
for modular exPonentiation,97
for modular multiPlication, 100
for multiplication, 35,39
for subtraction, 34
least-remainder, 67
Amicable pair, 185
Approximation,
bestrational, 37|
by rationals, 369
Arithmetic function, 166,418
Arithmetic, fundamental
theorem of, 2,69
Arithmetic progression,
primesin, 74
AutomorPh, 114
Babylonians,1,25
Balancedternary exPansion, 30
Base, 27
BaseD expansion,27,341
Best rational aPProximation, 371
Big-O notation, 38,39
Binary notation, 27
Binomial coeffficient,l0
Binomial theorem, 12
Biorhythms, I l4
Bit operation, 38
Bits, 27
Block cipher, 198
Borrow, 35
Caesar.Julius, 189
Caesarcipher, 189
Calendar, 134
Gregorian, 135
InternationalFixed, 138
Cantor expansion, 30
Card shuffiing, 152
Carmichaelnumber, 155'272
Carry, 34
Casting out nines, 134
Character ciPher, 189
Chinese,ancient, 2,107,
Chineseremainder theorem, 107
Cicada, periodic, 5'l
Cipher, 188
block, 198
Caesar, 189
character, 189
digraphic, 198
exponentiation, 205
Hill, 198
iterated knapsack, 224
knapsack, 221
monographic, 189
polygraphic, 198
product, 19'l
public-key, 2,212
Rabin, 215
RSA, 212
substitution, 189
transposition, 204
Vigndre, 197
Ciphertext, 188
Clustering, 142
Coconut problem, 101
Coefficients,binomial, 10
Coin flipping, 298
Collatz conjecture, 24
Collision. 142
Common key, 208
Common ratio, 5
Complete systemof residues, 93
Completelyadditivefunction, 174

448
Index
Completelymultiplicative
function, 166
Composite, 1,45
Computationalcomplexity, 3g
of addition, 39
of Euclidean algorithm, 62
of division,4 -
of matrix multiplication, 43
of multiplication, 39
of subtraction, 39
Computerarithmetic, 33,109
Computer files, 141,227
Computer word size, 33,109
Congruence,2,gl
linear, 102
of matrices, I l9
Congruenceclass. 92
Conjecture,
Ccllatz, 24
Goldbach, 50
Conjugate, 377
Continuedfraction, 350
finite, 351
infinite, 362
periodic, 374 425
purely periodic, 3g3
simple, 351
Convergent, 354
Coversionof bases, Zg
Coveringset of congruences,I l5
Cryptanalysis,188
Cryptography, 188
Cryptology, 188
Cubic residue, 262
Database, 227
Day of the week, 134
Decimal notation, 27
Deciphering, 186
Decipheringkey, 213
Decryption, 188
Deficientinteger, 185
Descent,proof by, 398
Diabolicmatrix, 127
Digraphiccipher, 198
Diophantineequations, 86,391
linear, 86
Diophantus, 86
Dirichlet, G. Lejeune, 74
Dirichlet product, 172
Dirichlet's theorem on primes in
arithmetic progression, 74
Divide, l8
Divisibility, l8
Divisibilitytests, lZ9
Divisionalgorithm, l9
Divisor, l8
Double hashing, 143
Draim factorization, g4
Duodecimal notation, 44
Electronic poker, 209,304
Enciphering, 188
Encryption, 188
Equation,
diophantine, 86
Pell's, 404
Eratosthenes, I
Eratosthenes,
sieveof, 2,46
Euclid, I
Euclideanalgorithm, 5g
Euler. L.. I
Eulerphi-function,
l6l,l67
Eulerpseudoprime,
325
Euler'scriterion. 290
Euler'sfactorizationmethod, g5
Euler'stheorem, 161
Exactly divide. i6
Expansion,
baseb, 27
Cantor, 30
continuedfraction, 350
periodic baseb, 343
periodiccontinuedfunction, 374
terminating, 341
t l-exponent, 280
Exponentiation
cipher, 205
Factor, l8
Factor table, 4ll
Factorial function, 8
Factorization, 69,79
Draim, 84
Euler, 85

lndex
Fermat. 80
prime, 68
prime-power, 69
speedof, 80,215
Faltings,G., 400
Farey series, 349
Fermat, P. de, 1,397
Fermat factorization, 80
Fermatnumber, 81,302,31
1
Fermat prime, 8l
Fermat quotient, 152
Fermat's last theorem, 398
Fermat's little theorem, 148
Fibonacci, 60
Fibonacci numbers, 60
generalized, 68
Fibonacci pseudo-randomnumber
generator, 219
Frequencies,
of letters, 193
of digraphs, 202
of polygraphs, 203
Function.
additive, 174
arithmetic, 166
completelyadditive, l7 4
completely multiPlicative, 166
Euler phi, 161
factorial, 8
greatestinteger, 20
hashing, 141
Liouville's
, 174
Mobius, l'73
multiplicative, 166
number of divisors. 175
sum of divisors. 174
Fundamental Theorem of
Arithmetic, 69
Game of Euclid, 67
Gauss,C. G., 2,47
Gauss' generalization of
Wilson's theorem, 152
Gauss'lemma, 293
GeneralizedRiemann hypothesis, 158
GeneralizedFibonacci numbers, 68
Geometric progression, 5
Goldbach,C., 50
Goldbach'sconjecture, 50
Greatestcommon divisor, 53
Greatest integer function, 20
Greeks,ancient, 2
Hadamard,J., 48
Hanoi, tower of, l'l
Hashing, 141
double, 143
quadratic, 304
Hashing function, 141
Hexadecimal notation, 27
Hilbert prime, 76
Hill cipher, 198
Identity matrix moduloz, l2l
Inclusion-exclusion,
principleof, 17,51
Incongruent, 9l
Index of an integer, 252,421
Index of summation, 5
Index system, 262
Induction, mathematical, 4
Infinite simple continued fraction,
Infinitude of primes, 45,82
Integer,
a b d u n d a n t , 1 8 5
deficient, 185
palindromic, 133
powerful, 16
square-free,75
Inverse of an arithmetic function,
Inversemodulo lrr, 104
Inverseof a matrix modulo nr, l2I
Involutory matrix, 126,244
Irrational number, 336,36'l
Jacobi symbol, 314
Kaprekar constant, 3l
Key, l4l
common, 208
deciphering, 213
enciphering, 212
mastero 228
public, 212
shared, 208
362
t73

450
Knapsack cipher, 221
Knapsack problem, 219
k-perfect number, 186
Kronecker symbol, 324
k th power residue, 256
Lagrange,J., 147
Lagrange interpolation, 242
Lagrange'stheorem
(on continued functions), 378
Lagrange'stheorem
(on polynomial congruences)
, 219
Lam6, G., 62
Lam6's theorem, 62
Law of quadratic reciprocity, 297,314
Least common multiple, 72
Least nonnegativeresidue, 93
Least-remainder
algorithm, 67
Legendresymbol, 289
Lemma, Gauss'. 293
Linear combination, 54
greatestcommon divisor as a, 54,63
Linear congruence, 102
Linear congruential method, 275
Liouville's function, 114
Logarithms modulo p, 207
Lowest terms, 336
Lucas-Lehmertest, 183
Lucky numbers, 52
Magic square, 127
Master key, 228
Mathematical induction. 4
Matrix, involutory, 126
Matrix multiplication, 43
Maximal t1-exponent, 280
Mayans, 1,25
Mersenne,M., 182
Mersennenumber. 182
Mersenneprime, 182
Method of infinitedescent, 398
Middle-squaremethod, 275
Miller's test, 156
Minimal universalexponent, 269
Mobius function, 173
Mobius inversionformula, 173
Modular exponentiation, 97
algorithm for, 97
Monographic cipher, 189
Monkeys, l0l
Multiple precision, 33
Multiplication, 35,39
matrix, 43
Multiplicative function, 166
Multiplicative knapsackproblem, 226
Mutually relatively prime, 56
Nim. 3l
Notation,
big-O, 38
binary, 27
decimal, 27
duodecimal, 44
hexadecimal, 27
octal, 27
product, 9
s u m m a t i o n , 5 , l 7 0
Number,
Carmichael, 155,2'12
Fermat, 8l
Fibonacci, 60
generalizedFibonacci, 68
irrational. 336
k-perfect, 186
lucky, 52
Mersenne, 182
perfect, 180
rational, 336
superperfect, 186
Number of divisorsfunction. 175
Octal notation, 27
Operation, bit, 38
Order of an integer, 232
Pairwise relatively prime, 56
Palindromicinteger, 133
Partial remainder, 37
Partial quotient, 351
Pascal'striangle, 12
Pell's equation, 404
Pepin'stest, 3l I
Perfect number, 180
Period,
Index

lndex
of a baseb exPansion, 343
of a continued fraction, 374
Periodicbaseb exPansion, 343
Periodiccicada, 5'l
Periodiccontinuedfraction, 374
Plaintext, 188
Poker. 209,304
PolygraphicciPher, 198
Powerful integer, 76
Prepperiod, 343
Primality test, 153,263
probabilistic, 158,334
Primes, 1,45
Fermat, 8l
Hilbert, 76
in arithmetic Progressions,
74
infinitude of, 45
Mersenne, 182
Wilson, 152
Prime number theorem, 47
Prime-powerfactorization, 69
Primitive root, 234,24342O
Primitive Pythagorean
triPle, 391
Principleof inclusion-exclusion,
l7
Principleof mathematicalinduction,
second, 8
Probabilisticprimality test, 158'334
Probing sequence, 143
Problem,
knapsack, 219
multiplicativeknaPsack,226
Product, Dirichlet, 172
Product ciPher, 192
Property,
reflexive, 92
symmetric, 92
transitive, 92
well-ordering, 4
Pseudoconvergent,374
Pseudoprime,2,153
Euler, 325
strong, 157
Pseudo-randomnumbers, 275
Pseudo-random
number generator'
Fibonacci, 279
linear congruential, 275
middle'square,275
451
pure multiPlicative, 277
Public-key
ciPher, 2,212
Purelyperiodiccontinuedfraction' 383
Pythagoras, 1
Pythagorean
triPle, 391
Pythagorean
theorem, 391
Quadratichashing, 304
Quadraticirrational, 375
Quadraticnonresidue,288
Quadratic reciProcitYlaw, 297,304
Quadraticresidue, 288
Quotient, l9
Fermat, l52
partial, 351
Rabbits, 68
Rabin'sciphersystem,215,303
Rabin'sprobabilisticPrimalitY
test, I 58,214,3
34
Rationalnumber, 336
Read subkeY, 227
Recursivedefinition, 8
Reducedresiduesystem, 162
Reducedquadraticirrational, 384
ReflexiveproPertY, 92
Regular polygon,
constructabilitY, 83
Relativelyprime, 53
mutually, 56
pairwise, 56
Remainder, l9
Repunit, 133,165
Residue,
cubic, 262
k th power, 256
least nonnegative, 93
quadratic, 288
Residues,
absoluteleast, 93
completesYstemof, 93
reduced, 162
Root of a polynomialmodulorn, 238
Round-robintournament, 139
RSA cipher system, 212,274
SecondprinciPleof

4s2
mathematical induction. 8
Seed, 276
Shadows, 228
Shift transformation. l9l
Shifting, 35
Sieveof Eratosthenes, 2,46
Signature, 216
Signed message, 216,218
Solovay-Strassen
probabilistic
primality test, 334
Splicing of telephonecables, 284
Spread of a splicing scheme, 284
Square-freeinteger, 75
Strong pseudoprime, 157
Subkey,
read, 227
write, 227
Substitution cipher, 189
Succinct certificateof primality, 266
Sum of divisorsfunction, 174
Summation notation, 5
Super-increasingsequence, 22O
Superperfectnumber, 186
Symbol,
Jacobi. 314
Kronecker, 324
Legendre, 289
Symmetric property, 92
System of residues,
complete, 93
reduced, 162
Systemof congruences,107,1
l6
Telephonecables, 284
Terminating expansion, 341
Test,
divisibility, 129
Lucas-Lehmer, 183
Miller's, 156
Pepin's, 3l I
primality, 153,263
probalisticprimality, 158,334
Theorem,
binomial, 12
Chineseremainder. 107
Dirichlet's, 74
Eulerns,l6l
Fermat's last, 398
Fermat'slittle. 148
Lagrange's (on continued
fractions), 378
Lagrange's (on polynomial
congruences), 239
Lam6's, 62
Wilson's, 147
Threshold scheme, 228,243
Tower of Hanoi. 17
Transitive property,
Transpositioncipher,
Triangle,
Pascal's, l2
Pythogrean, 391
Twin primes, 50
Universal exponent, 269
Vall6e-Poussin,
C. de la, 48
Vignrire ciphers, 197
Weights, problem of, 30
Well-ordering property, 4
Wilson,J., 147
Wilson prime, 152
Wilson's theorem, 147
Gauss' generalizationof, 152
Word size, 33,104
Write subkey, 22'l
lndex
92
204

Rosen - Elementary number theory and its applications.pdf

More Related Content

What's hot (20)

Similar to Rosen - Elementary number theory and its applications.pdf (20)

More from Sahat Hutajulu (20)

Recently uploaded (20)

Rosen - Elementary number theory and its applications.pdf