
Number Theory Notes (v. 4.23 – October 31, 2002) 1

Number Theory is the branch of mathematics that deals with integers and their properties, especially properties relating to arithmetic operations like addition, subtraction, multiplication and division. As it turns out, there are a number of interesting computer-related applications of basic number theory.

Integers, Division, and Divisibility

The integers are closed under the operations of addition, subtraction and multiplication. This means that if we add, subtract or multiply two integers we get another integer. But the integers are not closed under division. Sometimes when we divide one integer by another we get another integer, for example:

15 ÷ 5 = 3

But other times we do not:[1]

15 ÷ 4 = 3.75

We should stop here and point out an important connection between multiplication and division. These operations are inverses of each other in the following sense:

a ÷ b = c means b · c = a

Using this relationship between multiplication and division, we make the following definitions:

Let a and b be integers.

• If there is some integer c such that bc = a, we say that b divides a.

• If b divides a we say that b is a divisor (or factor) of a, and a is a multiple of b.

• We denote b divides a with the notation b | a.

• If b does not divide a we write b ∤ a.

For small integers, we can test if n | m by doing the division m ÷ n to see if the result is an integer:

Example. Does 4 divide 9? Does 7 divide 21?

9 ÷ 4 = 2.25, so 4 ∤ 9. 21 ÷ 7 = 3, so 7 | 21.

The following basic facts are all straightforward to prove from definition, but are useful enough to collect into a lemma. The first two of these are the key to Euclid’s GCD Algorithm, which we will discuss shortly. The next two show that divisibility is a reflexive, transitive (but not symmetric) relation on the integers.

[1] One way to think about the rational numbers (fractions with integer numerator and denominator) is as the closure of the integers under division. That is, the rationals are the smallest set that contains the integers and is closed under division.


Divisibility Lemma. Let a, b, x, y and z be integers. Then

1. If a | x and a | y, then a | (x + y) and a | (x − y). (We can abbreviate this by writing a | (x ± y).)

2. If a | x and a | (x ± y), then a | y.

3. x | x

4. If x | y and y | z, then x | z.

5. If a | x, then a | kx for any integer k.

Proof. We’ll prove parts (1) and (4) and leave the rest as exercises. For part (1), suppose a | x and a | y. This means that there are integers m and n such that am = x and an = y. So x + y = am + an = a(m + n), which shows that a | (x + y); and x − y = am − an = a(m − n), which shows that a | (x − y).

For part (4), suppose x | y and y | z. Then there must be integers m and n such that mx = y and ny = z. But then z = ny = nmx, which shows that x | z. □

1. True or False:

a) 3 | 12 b) 3 | 13 c) 12 | 3 d) 13 | 3 e) 3 | −12 f) −3 | 12 g) 0 | 12 h) 13 | 0

2. Finish the proof of the Divisibility Lemma by supplying proofs for parts (2), (3) and (5).

The Divisibility Lemma allows us to prove a number of divisibility tests.

3. a) Use the divisibility lemma to prove that an integer is divisible by 2 if and only if its last digit is divisible by 2. (So the last digit must be 0, 2, 4, 6, or 8.)

b) Use the divisibility lemma to prove that an integer is divisible by 5 if and only if its last digit is divisible by 5. (So the last digit must be 5 or 0.)

c) Use the divisibility lemma to prove that an integer is divisible by 10 if and only if its last digit is 0.

d) Use the divisibility lemma to prove that an integer is divisible by 4 if and only if its last two digits form a two-digit integer that is divisible by 4. For example, 4332 is divisible by 4 because 32 is divisible by 4.

e) For what integers is there a similar “look at the last few digits” test for divisibility? How do you determine the number of digits to look at?

4. Here is a divisibility test for divisibility by 11: To see if x is divisible by 11, subtract the last digit of x from the number formed by taking all but the last digit of x. Call the result y. Then x is divisible by 11 if and only if y is.

Here is an example: To test 123456 consider 12345 − 6 = 12339, then 1233 − 9 = 1224, then 122 − 4 = 118, then 11 − 8 = 3. Since 11 ∤ 3, 11 ∤ 123456. Prove that this test works.


5. Here is a divisibility test for divisibility by 7: To see if x is divisible by 7, double the last digit of x and subtract the result from the number formed by taking all but the last digit of x. Call the result y. Then x is divisible by 7 if and only if y is.

Here is an example: To test 123456 consider 12345 − 12 = 12333, then 1233 − 6 = 1227, then 122 − 14 = 108, then 10 − 16 = −6. Since 7 ∤ −6, 7 ∤ 123456. Prove that this test works.

6. Use the divisibility tests above to find which of 2, 4, 5, 7, and 11 divide the following numbers.

a) 20097 b) 31031 c) 217217 d) 1357924680

We’ll learn about some more divisibility tests after we have learned a bit about modular arithmetic.

Primes and Composites

Every positive integer n except 1 has at least two positive divisors: 1 and n. Some integers have additional divisors as well. This leads to the following definition.

A prime is an integer p such that

• p > 1,

• p has exactly two positive divisors: 1 and p.

A composite is an integer greater than 1 that is not a prime.

The prime numbers play an important role throughout Number Theory because of their special properties in relationship to divisibility.

One of the reasons that the primes have an important role in Number Theory is that they are the multiplicative building blocks for all integers.

The Fundamental Theorem of Arithmetic. Every positive integer greater than 1 can be written uniquely as a product of two or more primes where the primes are written in non-decreasing order. Such a product is called the prime factorization of an integer.

Note that for a prime, the prime factorization consists just of the prime itself.

Example. Here are some example prime factorizations:

15 = 3 · 5    12 = 2 · 2 · 3 = 2^2 · 3    17 = 17    8210381 = 31 · 59 · 67 · 67 = 31 · 59 · 67^2

Proof. We can prove that every integer n > 1 has a prime factorization by induction on n. For a base case, we simply note that n = 2 is prime.

Now consider some integer n and suppose that all integers less than n have prime factorizations. There are two cases to consider:


1. n is prime.

If n is prime, then we are done, since n is its unique factorization.

2. n is composite.

If n is composite, then there are two integers a and b such that ab = n. Each of a and b is larger than 1 and smaller than n, for otherwise their product would be too small or too large. Thus a and b have prime factorizations. The prime factorization of n is then the product of these two prime factorizations (with the terms rearranged into non-decreasing order).

The proof that this factorization is unique is left as an exercise.

It is not a trivial matter to quickly determine whether a large number is prime, and even less trivial to quickly determine the factors of a number that is composite. Just recently (summer 2002) it was announced for the first time that an algorithm exists that runs in polynomial time (in the number of digits of an integer) and can tell whether a number is prime. Factoring algorithms have been the focus of much study for many years, and the difficulty of factoring certain large integers – integers with several hundred digits – is important for the security of many secret codes. We will study an important example of this, called RSA, once we have laid the groundwork necessary to understand this cryptographic system.

One way we might try to find the factorization of an integer n is by trial division. That is, we could check each positive integer a that is less than n and see if a divides n. While this certainly works, it takes an enormous amount of time when n is large. If n has 100 digits, we would need to try roughly 10^100 different divisors. This is so many that no computer could put even a small dent in the project in our lifetime.

Still one could try to improve things by only trying some of the possible values of a. The following lemma provides two ways we could reduce the search.

Trial Division Lemma. If n is a composite, then

1. n has a factor less than or equal to √n; in fact,

2. n has a prime factor less than or equal to √n.

7. Prove the Trial Division Lemma.

Using the Trial Division Lemma, we could modify the method of trial division to only try numbers up to √n. In our example of a 100-digit number, this would reduce the number of candidates to roughly 10^50 – much smaller than 10^100, but still too large to be successfully automated. Of course even fewer of these are primes, so there will be fewer potential divisors to check if we only check the primes, but there are two problems with trying to modify the trial division algorithm to check only primes. First, it is not clear how we identify which numbers are the primes. We may spend more time figuring out if a number is prime than we would spend checking if it divides n. Second, there would still be too many to check. A famous result known as the Prime Number Theorem says that the number of primes less than x is approximately x/ln(x). This allows us to approximate the number of primes less than 10^50. As it turns out, there are still more than 10^47 primes to be checked.

Despite the failure of these ideas to give efficient methods for determining if large numbers are primeor composite, they are useful for smaller computations.

Example. Which of the numbers 101–109 are primes?

We only need to check prime numbers less than 10, since 11^2 = 121 > 109. So we only need to check whether 2, 3, 5, and 7 are divisors. 102, 104, 106, and 108 are divisible by 2. Of the remaining numbers, 105 is divisible by 3. None of the remaining numbers is divisible by 5 or 7. So 101, 103, 107 and 109 are primes.

A procedure known as the sieve of Eratosthenes can be used to find all primes less than n in a systematic (and time consuming) way.

Common Divisors, Common Multiples

Let a and b be integers, not both zero.

• A number d such that d | a and d | b is called a common divisor of a and b.

• A number m such that a | m and b | m is called a common multiple of a and b.

• The largest common divisor of a and b is called the greatest common divisor of a and b and denoted gcd(a, b).

• The smallest positive common multiple of a and b is called the least common multiple of a and b and denoted lcm(a, b).

• If gcd(a, b) = 1, then we say that a and b are relatively prime, since there is no prime that divides both a and b.

Note that lcm(a, b) ≤ ab (why?) and gcd(a, b) ≥ 1 (why?). One way to find the gcd of two integers is to list out all of the divisors of each number and find the largest.

Example. Evaluate gcd(24, 36), gcd(12, 25), and gcd(15, 45).

The divisors of 24 are 1, 2, 3, 4, 6, 8, 12, 24; the divisors of 36 are 1, 2, 3, 4, 6, 9, 12, 18, 36; so gcd(24, 36) = 12.

The divisors of 12 are 1, 2, 3, 4, 6, 12; the divisors of 25 are 1, 5, 25; so gcd(12, 25) = 1.

The divisors of 15 are 1, 3, 5, 15; the divisors of 45 are 1, 3, 5, 9, 15, 45; so gcd(15, 45) = 15.

Another way to determine the gcd or lcm of two numbers is by looking at the prime factorizations of the two numbers involved.


Example. Evaluate gcd(24, 36) and lcm(24, 36) by considering the prime factorizations of 24 and 36.

24 = 2^3 · 3; 36 = 2^2 · 3^2. So gcd(24, 36) = 2^2 · 3 = 12, since 2^2 · 3 divides both numbers, but any higher power of 2 or 3 or any other prime will fail to divide one or both numbers. Similarly, lcm(24, 36) = 2^3 · 3^2 = 72, since every multiple of both 24 and 36 must have at least three 2’s and two 3’s in its prime factorization. This same reasoning allows us to find any gcd or lcm from a prime factorization of each number. If a prime occurs a times in one number and b times in the other, then it will occur min(a, b) times in the gcd and max(a, b) times in the lcm.

Example. Find gcd(12, 25), lcm(12, 25), gcd(15, 45), and lcm(15, 45) by considering the prime factorizations of the numbers involved.

12 = 2^2 · 3; 25 = 5^2. So gcd(12, 25) = 1, since there is no prime that divides both numbers. And lcm(12, 25) = 2^2 · 3 · 5^2 = 300.

15 = 3 · 5; 45 = 3^2 · 5. So gcd(15, 45) = 15, and lcm(15, 45) = 45.

Note that as a side effect of the method just illustrated, we can see that gcd(n,m) · lcm(n,m) = n ·m.
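As an added example (not part of the notes), the following Python carries out the methods of the last two sections: trial division bounded by √n as the Trial Division Lemma allows, a sieve of Eratosthenes, and gcd/lcm read off the prime factorizations by taking min and max exponents. The function names are ours.

```python
"""Primes, trial division and gcd/lcm from prime factorizations (added example)."""
from collections import Counter
from math import isqrt, log


def sieve(limit):
    """Sieve of Eratosthenes: all primes <= limit, in increasing order."""
    if limit < 2:
        return []
    flags = [True] * (limit + 1)
    flags[0] = flags[1] = False
    for p in range(2, isqrt(limit) + 1):
        if flags[p]:
            # p is prime; cross out its multiples starting at p*p (smaller
            # multiples were already crossed out by a smaller prime factor)
            for m in range(p * p, limit + 1, p):
                flags[m] = False
    return [n for n, is_p in enumerate(flags) if is_p]


def is_prime(n):
    """Trial division by the primes <= sqrt(n) only (Trial Division Lemma, part 2)."""
    if n < 2:
        return False
    return all(n % p != 0 for p in sieve(isqrt(n)))


def factor(n):
    """Prime factorization of n >= 1 as {prime: exponent} (empty for n = 1).

    Trial divisors d run only while d*d <= n: by the Trial Division Lemma a
    composite has a factor <= sqrt(n), so whatever is left when the loop
    ends is either 1 or a prime."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    exponents = Counter()
    d = 2
    while d * d <= n:
        while n % d == 0:
            exponents[d] += 1
            n //= d
        d += 1
    if n > 1:
        exponents[n] += 1
    return dict(exponents)


def gcd_lcm_from_factors(a, b):
    """gcd takes min(exponent) and lcm takes max(exponent), prime by prime,
    exactly as in the worked examples above. Returns (gcd, lcm)."""
    fa, fb = factor(a), factor(b)
    g = m = 1
    for p in set(fa) | set(fb):
        ea, eb = fa.get(p, 0), fb.get(p, 0)
        g *= p ** min(ea, eb)
        m *= p ** max(ea, eb)
    return g, m


def prime_count_estimate(x):
    """Prime Number Theorem estimate x / ln(x) for the number of primes below x."""
    return x / log(x)


if __name__ == "__main__":
    print([n for n in range(101, 110) if is_prime(n)])  # primes among 101..109
    print(factor(8210381))                               # 31 * 59 * 67^2
    print(gcd_lcm_from_factors(24, 36))                  # (12, 72)
    print(len(sieve(1000)), round(prime_count_estimate(1000), 1))
```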

8. Evaluate gcd(26, 48), gcd(45, 54), gcd(32, 56).

9. Evaluate lcm(26, 48), lcm(45, 54), lcm(32, 56).

10. For the following, express your answers in terms of prime factorizations.

a) Evaluate gcd(2^3 · 3^2 · 5, 2^2 · 3^4 · 5^2 · 7) and lcm(2^3 · 3^2 · 5, 2^2 · 3^4 · 5^2 · 7).

b) Evaluate gcd(2^5 · 5^2 · 11 · 17^2, 2^3 · 3^4 · 5^3 · 7^2 · 17) and lcm(2^5 · 5^2 · 11 · 17^2, 2^3 · 3^4 · 5^3 · 7^2 · 17).

Euclid’s Algorithm

Of course the methods above are only good if we can factor the numbers involved. Since this is not trivial to do for large numbers, we would like to have a better method.

Let’s suppose we want to determine D = gcd(a, b). Looking over what we know about divisibility, we see that for any natural number d,

d | a and d | b ⇐⇒ d | b and d | a − b

Therefore gcd(a, b) = gcd(b, a − b). Furthermore, if a ≥ b, then 0 ≤ a − b ≤ a, so we have reduced our gcd problem to a gcd problem involving smaller numbers. This suggests a recursive solution to the gcd problem. We just need to identify a base case. Since the numbers involved are non-negative and decreasing, a likely candidate for a base case is when one or the other number is 0. So what is gcd(0, x)? Well, x is the largest integer that divides x, and x | 0 because 0 · x = 0. So gcd(0, x) = x.

Here is a representation of the algorithm we have been describing:


// Euclid's Algorithm -- First try.
unsigned int gcd(unsigned int a, unsigned int b) {
    if (a == 0) { return b; }            // base case: gcd(0, b) = b (== tests equality; a single = would assign)
    if (b == 0) { return a; }            // base case: gcd(a, 0) = a
    if (a >= b) { return gcd(b, a - b); } // gcd(a, b) = gcd(b, a - b), with the smaller number first
    return gcd(a, b - a);
}

Example. Compute gcd(1234,3080) using the algorithm above.

gcd(1234, 3080) = gcd(1846, 1234)
= gcd(1234, 612)
= gcd(622, 612)
= gcd(612, 10)
= gcd(602, 10)
= gcd(592, 10)
...
= gcd(12, 10)
= gcd(10, 2)
= gcd(8, 2)
...
= gcd(2, 2)
= gcd(2, 0)
= 2

Notice the omitted steps in the example above. In those places the algorithm is repeatedly subtracting the same amount. We could speed up the algorithm if we could do all that subtracting in one step. Fortunately, we can. For example, when computing gcd(622, 10), we need to subtract 10 from 622 until we are left with a value smaller than 10 (namely 2). This idea motivates the definitions of the next section and will lead to an improved algorithm for the gcd. But first, here is a chance to try your hand at the algorithm in its unimproved form.

11. Trace the gcd algorithm above to compute gcd(578, 238).


Euclid’s Algorithm Improved

Our improved version of Euclid’s Algorithm makes use of division to skip over the repeated subtraction of our first attempt.

Definition of the mod operator. Let a and b be integers with a > 0. When we divide b by a there is a remainder (possibly 0) left over. That is,

b = qa + r,  r ∈ [0, a − 1]

We define b mod a = r (the remainder when dividing b by a).

The number q is called the quotient when dividing b by a.

Definition of the mod relation. We say that a ≡ b (mod n) if n | a − b.

The number n in the definition of the mod relation is called the modulus of the relation.

Example. Determine the values of 18 mod 6, 18 mod 5, and −18 mod 5.

Since 18 = 3 · 6, 18 mod 6 = 0. Since 18 = 3 · 5 + 3, 18 mod 5 = 3. Since −18 = −4 · 5 + 2, −18 mod 5 = 2.

Be sure you understand how the last example above was done. In particular, the mod operator always produces a non-negative result, and −a mod b and a mod b are usually (but not always) different. This is not the same as the mod operator in many programming languages, which handle negative numbers differently.

It is also important to note that “mod” is used in two different ways: a mod b is an integer, but a ≡ b (mod n) is a statement that is either true or false.

12. For what values of a and b with b > 2 is a mod b = −a mod b?

13. Show that for a fixed n, the relation aRb if and only if a ≡ b (mod n) is an equivalence relation on the integers.

The equivalence classes mod n are sometimes called congruence classes. As we will see, we will be able to do arithmetic not just with integers but with congruence classes of integers.

14. a) Find three elements of the congruence class of 7 mod 13.

b) Find three elements of the congruence class of 13 mod 7.

c) Find three elements of the congruence class of 0 mod 13.

Now we are in a position to describe an improved version of Euclid’s algorithm.


// Euclid's Algorithm -- Improved Version.
unsigned int gcd(unsigned int a, unsigned int b) {
    if (a == 0) { return b; }   // base cases as before (== tests equality)
    if (b == 0) { return a; }
    return gcd(b, a % b);       // "a mod b" of the notes; for non-negative operands C's % is that remainder
}

15. Trace the improved gcd algorithm above to compute gcd(578, 238).

Analysis of Euclid’s Algorithm

So how good is Euclid’s Algorithm? That depends, of course, a good deal on the numbers involved. Let’s look at the work involved in Euclid’s Algorithm in a slightly different format. This time we’ll display the Division Algorithm at each step.

Example. Compute gcd(1234, 3080) using the improved version of Euclid’s Algorithm.

3080 = 2 · 1234 + 612
1234 = 2 · 612 + 10
612 = 61 · 10 + 2
10 = 5 · 2 + 0

Notice that the last non-zero remainder is the gcd.

In general, if computing gcd(a, b) requires n recursive calls and we let r_n = a and r_{n−1} = b, then we can write this as

r_n = q_{n−1} · r_{n−1} + r_{n−2}
r_{n−1} = q_{n−2} · r_{n−2} + r_{n−3}
...
r_2 = q_1 · r_1 + r_0
r_1 = q_0 · r_0 + 0

Sometimes using division and finding the remainder reduces the numbers very quickly, as when we find a quotient of 61 in the third step above. Of course, if the quotient is 1, then division is no better than subtraction. So the worst thing that could happen would be a quotient of 1 each time.

r_n = r_{n−1} + r_{n−2}
r_{n−1} = r_{n−2} + r_{n−3}
...
r_2 = r_1 + r_0
r_1 = r_0 + 0


This should look familiar. If we let r_0 = 1, then this r_n is the nth Fibonacci number. So the algorithm performs worst if a and b are consecutive Fibonacci numbers. Since the nth Fibonacci number is approximately ϕ^n (where ϕ is the Golden ratio), we see that if the algorithm requires more than n recursive calls, then a ≥ ϕ^n. Taking logarithms and expressing this using the contrapositive, we see that if log(a) < n log(ϕ), then the number of recursive calls is at most n. So the number of recursive calls required by Euclid’s algorithm is O(log n) where n is the larger of a and b. In other words, the number of recursive calls is linear in the length of the decimal (or binary) representations of a and b.
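To make the step counts concrete, here is an added Python example (not the notes' code) with both versions of Euclid's algorithm instrumented to count their steps, plus a brute-force search confirming that consecutive Fibonacci numbers are the worst case for the improved version. Iteration replaces the recursion of the C versions so the subtraction form does not exhaust the call stack; the function names are ours.

```python
"""Euclid's algorithm in both forms, instrumented with step counters (added example)."""


def gcd_subtract(a, b):
    """The 'first try' algorithm. Returns (gcd, number of subtractions).

    Same reductions as the recursive C version, written as a loop: the pair
    (a, b) is replaced by (b, a - b) or (a, b - a) until one entry is 0."""
    if a < 0 or b < 0:
        raise ValueError("arguments must be non-negative")
    steps = 0
    while a and b:
        if a >= b:
            a -= b
        else:
            b -= a
        steps += 1
    return a + b, steps          # one of a, b is 0 here, so a + b is the other one


def gcd_remainder(a, b):
    """The improved algorithm. Returns (gcd, number of divisions with remainder)."""
    if a < 0 or b < 0:
        raise ValueError("arguments must be non-negative")
    steps = 0
    while b:
        a, b = b, a % b          # gcd(a, b) = gcd(b, a mod b)
        steps += 1
    return a, steps


def fibonacci(n):
    """F_1 = F_2 = 1, F_3 = 2, F_4 = 3, ..."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def worst_case_below(limit):
    """Exhaustively find the pair 1 <= b < a < limit on which gcd_remainder needs
    the most divisions. Returns (divisions, (a, b)) for the first such pair found."""
    best_steps, best_pair = 0, None
    for a in range(2, limit):
        for b in range(1, a):
            steps = gcd_remainder(a, b)[1]
            if steps > best_steps:
                best_steps, best_pair = steps, (a, b)
    return best_steps, best_pair


if __name__ == "__main__":
    print(gcd_subtract(1234, 3080))     # (2, 70): the quotients 2 + 2 + 61 + 5 subtractions
    print(gcd_remainder(3080, 1234))    # (2, 4): the four division steps shown in the notes
    print(worst_case_below(200))        # (10, (144, 89)): consecutive Fibonacci numbers
```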

Modular Arithmetic

Modular arithmetic is useful for much more than an improved version of Euclid’s algorithm. In order to see some other applications of modular arithmetic, we need to learn a bit more about the modular arithmetic system.

The following statements are all equivalent. That is, for a given a, b, and n, either all the statements are true or all the statements are false.

1. a ≡ b (mod n)

2. n | b − a

3. a − b = nk for some integer k

4. a = nk + b for some integer k

5. a mod n = b mod n.

Proof. We can show that the statements are equivalent by showing that each one implies the next and that the last implies the first.

[1 =⇒ 2]: This is just the definition of a ≡ b (mod n).

[2 =⇒ 3]: Suppose n | a − b. This means there is an integer k such that kn = a − b.

[3 =⇒ 4]: If a − b = nk, then a = nk + b.

[4 =⇒ 5]: Suppose a = nk + b, and write b = qn + r for some r ∈ [0, n). Then b mod n = r. But a = nk + b = nk + qn + r = (k + q)n + r, so a mod n = r, too.

[5 =⇒ 1]: If a mod n = r = b mod n, then there are integers q and k such that a = qn + r and b = kn + r. So a − b = qn + r − (kn + r) = (q − k)n, so n | a − b, which means a ≡ b (mod n). □

Basic Modular Arithmetic Lemma. If a ≡ x (mod n) and b ≡ y (mod n), then

1. a + b ≡ x + y (mod n)

2. a− b ≡ x− y (mod n)

3. a · b ≡ x · y (mod n)

So we can do modular arithmetic by taking any member of a congruence class.


Proof. Since a ≡ x (mod n) and b ≡ y (mod n), there are integers q and k such that a = nk + x and b = nq + y. So a + b = nk + nq + x + y = (k + q)n + x + y, which shows that a + b ≡ x + y (mod n). Similarly, a − b = nk − nq + x − y = (k − q)n + x − y, which shows that a − b ≡ x − y (mod n). Finally, ab = (nk + x)(nq + y) = kqn^2 + nky + nqx + xy = n(kqn + ky + qx) + xy, which shows that ab ≡ xy (mod n). □

The importance of the Modular Arithmetic Lemma is that we can do arithmetic (at least addition, subtraction, and multiplication) with congruence classes.

Example. Determine the congruence class mod 12 of each of the following numbers: a) 119 + 149 b) 119 · 149 c) 119^149 d) 149^119

Working mod 12 we see that 119 ≡ −1, and 149 ≡ 5. So 119 + 149 ≡ −1 + 5 ≡ 4, 119 · 149 ≡ −1 · 5 ≡ −5 ≡ 7, 119^149 ≡ (−1)^149 ≡ −1 ≡ 11 (because 149 is odd), and 149^119 ≡ 5^119, which must be congruent to some number between 0 and 11. To determine which number, let’s begin making a list of powers of 5 (mod 12):

5^1 ≡ 5
5^2 ≡ 5 · 5 ≡ 25 ≡ 1
5^3 ≡ 5^2 · 5 ≡ 1 · 5 ≡ 5
5^4 ≡ 5^3 · 5 ≡ 5 · 5 ≡ 1

Ah, we see an easy pattern here: Since 119 is odd, 149^119 ≡ 5^119 ≡ 5.

There are a couple very important things to notice in the example above. First, notice that we are not allowed to reduce the exponent to some member of its equivalence class, only the base of the exponentiation. Second, notice that we began with the phrase “Working mod 12 . . . ”, and then omitted the (mod 12) everywhere. This is very common and makes writing up modular arithmetic much nicer. As long as only one modulus is involved and it is clear what the modulus is, we will drop the modulus from the notation.
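The pattern-spotting above is what a computer does systematically: square-and-multiply reduces every intermediate product mod n and walks the binary digits of the exponent. This added Python example (not from the notes; function names are ours) implements it, reproduces the powers-of-5 table, and shows on a constructed case why the exponent itself may not be reduced mod n.

```python
"""Modular exponentiation by repeated squaring (added example)."""


def pow_mod(base, exponent, modulus):
    """base**exponent mod modulus without ever forming the huge power.

    Each product is reduced mod modulus, which part 3 of the Basic Modular
    Arithmetic Lemma permits. The exponent is consumed bit by bit and is
    never reduced mod modulus (that is not a valid step)."""
    if modulus < 1:
        raise ValueError("modulus must be positive")
    if exponent < 0:
        raise ValueError("negative exponents need a modular inverse")
    result = 1 % modulus
    base %= modulus
    while exponent:
        if exponent & 1:                    # this bit of the exponent is set
            result = (result * base) % modulus
        base = (base * base) % modulus      # base^(2^i) for the next bit
        exponent >>= 1
    return result


def power_cycle(base, modulus):
    """base^1, base^2, ... mod modulus until a value repeats, e.g. [5, 1] for 5 mod 12."""
    seen, cycle = set(), []
    value = base % modulus
    while value not in seen:
        seen.add(value)
        cycle.append(value)
        value = (value * base) % modulus
    return cycle


def exponent_reduction_is_wrong(base, exponent, modulus):
    """Constructed check that reducing the exponent mod the modulus changes the answer."""
    return pow_mod(base, exponent, modulus) != pow_mod(base, exponent % modulus, modulus)


if __name__ == "__main__":
    print(pow_mod(119, 149, 12), pow_mod(149, 119, 12))   # 11 5, as in the example above
    print(power_cycle(5, 12))                              # [5, 1]
    print(exponent_reduction_is_wrong(2, 4, 3))            # True: 2^4 = 16 = 1 (mod 3), but 2^1 = 2
```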

We can use modular arithmetic to give some nice proofs of some more divisibility tests.

Example. Here is a divisibility test for 3: Add the digits of x. If the sum is divisible by 3, then x is divisible by 3. Use modular arithmetic to prove that this test works.

Let x_i be a sequence of length k such that each x_i is a digit and $x = \sum_{i=0}^{k} x_i 10^i$. So if x = 1234, then k = 3, x_0 = 4, x_1 = 3, x_2 = 2, and x_3 = 1. Let $S = \sum_{i=0}^{k} x_i$ be the sum of the digits of x.

We will show something stronger, namely that x ≡ S (mod 3). Notice that 10^i ≡ 1^i ≡ 1 (mod 3). So a10^i ≡ a (mod 3), and

$$S = \sum_{i=0}^{k} x_i \equiv \sum_{i=0}^{k} x_i 10^i = x .$$

That is, mod 3, each digit of x is equivalent to its contribution to the value of x, so the sum of the digits will be in the same congruence class as x itself.

You will be given a chance to prove some additional divisibility tests in the exercises below.


16. For each of the numbers below, determine its congruence class mod 15. In each case your answer should be a number between 0 and 14 (inclusive).

a) 124 + 1507 b) 124 · 1507 c) 124^1507 d) 1507^124

17. Repeat problem 16 with the modulus 25.

18. Here is a divisibility test for 9: Add the digits of x. If the sum is divisible by 9, then x is divisible by 9. Use modular arithmetic to prove that this test works.

19. Here is a divisibility test for 11: Let S be the alternating sum of the digits of x (add every other digit, subtract the others). Then x is divisible by 11 if and only if S is divisible by 11. (Example: 11 ∤ 1234567 because 1 − 2 + 3 − 4 + 5 − 6 + 7 = 4, which is not divisible by 11.) Use modular arithmetic to prove that this test works.
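As an added Python example (not from the notes; function names are ours), here are the digit tests of exercises 4, 5, 18 and 19 and the test for 3 as code, with a brute-force check that each agrees with the definition x mod d = 0 on a range of inputs.

```python
"""Digit-based divisibility tests for 3, 7, 9 and 11, cross-checked (added example)."""


def chop_last_digit(x, multiplier):
    """One step of the 'chop' tests: (all but the last digit) - multiplier * (last digit).
    multiplier = 1 is the test for 11 (exercise 4), multiplier = 2 the test for 7 (exercise 5)."""
    rest, last = divmod(x, 10)
    return rest - multiplier * last


def divisible_by_chopping(x, d, multiplier):
    """Apply chop_last_digit until fewer than three digits remain, then check directly.
    For x >= 100 the result is at least 10 - 18 = -8 and smaller than x in absolute
    value, so the loop terminates; taking |y| does not change divisibility."""
    x = abs(x)
    while x >= 100:
        x = abs(chop_last_digit(x, multiplier))
    return x % d == 0


def divisible_by_7(x):
    return divisible_by_chopping(x, 7, 2)


def divisible_by_11_chop(x):
    return divisible_by_chopping(x, 11, 1)


def digit_sum(x):
    return sum(int(c) for c in str(abs(x)))


def alternating_digit_sum(x):
    """Units digit positive, tens negative, hundreds positive, ... (exercise 19).
    Since 10 = -1 (mod 11), this sum is congruent to x mod 11."""
    return sum((-1) ** i * int(c) for i, c in enumerate(reversed(str(abs(x)))))


def divisible_by_3(x):
    return digit_sum(x) % 3 == 0     # x = digit sum (mod 3), proved in the example above


def divisible_by_9(x):
    return digit_sum(x) % 9 == 0     # exercise 18: 10 = 1 (mod 9) as well


def divisible_by_11(x):
    return alternating_digit_sum(x) % 11 == 0


def all_tests_agree(limit):
    """Check every test against the definition for 0 <= x < limit."""
    tests = [(3, divisible_by_3), (7, divisible_by_7), (9, divisible_by_9),
             (11, divisible_by_11), (11, divisible_by_11_chop)]
    return all(test(x) == (x % d == 0) for x in range(limit) for d, test in tests)


if __name__ == "__main__":
    print(divisible_by_7(123456), divisible_by_11_chop(123456))   # False False, as in exercises 4 and 5
    print(alternating_digit_sum(1234567))                         # 4
    print(all_tests_agree(100000))                                 # True
```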

The Modular Arithmetic Lemma handles the cases of addition, subtraction, and multiplication mod n. Division is a bit trickier. Recall that multiplication and division are inverse operations. That is, for real numbers x, y, and q,

x ÷ y = q means q · y = x

So the division question “What is a ÷ b (mod n)?” amounts to asking whether we can find a number q such that qb ≡ a and determining what q is. Or, more generally, we are interested in solving congruences like

Ax + B ≡ C (mod n) (1)

where A, B, C, and n are known and x is the unknown to be solved for. If B = 0, we have exactly the inverse of division.

Forget for a moment that we are working mod n. Suppose all the numbers in equation (1) were just real numbers. Then the problem would become an easy example of high school algebra, which we might solve the following way:

$$Ax + B = C$$
$$Ax = C - B$$
$$\tfrac{1}{A} \cdot Ax = \tfrac{1}{A}(C - B)$$
$$x = \tfrac{1}{A}(C - B)$$

How much of this works in modular arithmetic (mod n)? The first step is fine, since it involves addition and subtraction. The second step is almost good, we just need something to take the place of 1/A, since that might not be an integer. This intuition motivates the following definition.

Inverses. The inverse of a (mod n) is an integer q such that qa ≡ 1 (mod n).


There is not always an inverse. 0 never has an inverse (because 0 · x = 0 ≢ 1 (mod n)). Of course, we weren’t allowed to take the reciprocal of zero (1/0) either, so this is not a problem. But other inverses also might fail to exist. Fortunately, it is easy to determine if there is an inverse and to find it if it exists using information from Euclid’s Algorithm. We’ll see this shortly, but first some examples.

Example. Find the inverse of each number between 1 and 6 mod 7.

We don’t have any tools for this yet, so we’ll just do some multiplication and see what happens: 1 · 1 ≡ 1, so 1 is its own inverse. 2 · 4 ≡ 8 ≡ 1, so 2 and 4 are inverses. 3 · 5 ≡ 15 ≡ 1, so 3 and 5 are inverses. Finally 6 · 6 ≡ −1 · (−1) ≡ 1, so 6 is its own inverse.

Example. Verify the following claims mod 35: a) 3 and 12 are inverses, b) 11 and 16 are inverses, c) 6 is its own inverse, d) 5 has no inverse.

3(12) = 36 ≡ 1; (11)(16) = 176 ≡ 1; 6 · 6 = 36 ≡ 1; but 5 has no inverse since 5x is always divisible by 5, but 35k + 1 is never divisible by 5, so there is no number x such that 5x ≡ 1 (mod 35).

So when does a number have an inverse, and how do we find it in a more systematic way?

Inverse Lemma. a has an inverse (mod n) if and only if gcd(a, n) = 1.

GCD Lemma. For any a and n, we can always find integers s and t such that

gcd(a, b) = sa + tb

by running Euclid’s GCD Algorithm and back-substituting for each remainder.

Notice that if gcd(a, n) = 1, then the gcd lemma tells us that there are integers s and t such that

1 = sa + tn

from which we see that s is an inverse of a (mod n) (and t is an inverse of n (mod a)). To see this, justinterpret the equation mod n or mod a.

Proof of Inverse Lemma. First suppose that ax ≡ 1 (mod n), and gcd(a, n) = 1. Then there is aninteger q such that a = qn + 1. Clearly, d | a, and d | qn. But this means that d | 1 (by the DivisibilityLemma), so d = 1. This shows that if a has an inverse mod n, then gcd(a, n) = 1.

For the other direction, we will use the GCD Lemma, which we will prove shortly. If gcd(a, n) = 1,then there are integers s and t such that 1 = sa + tn. So q ≡ sa + tn ≡ sa (mod n), which shows that s isthe inverse of a mod n. �

Proof of GCD Lemma. Let’s begin this proof with an example. Suppose we want to find the gcd of 35 and 16. Using Euclid’s Algorithm, we can record our work as follows:

35 = 2 ∗ 16 + 3

16 = 5 ∗ 3 + 1

3 = 3 ∗ 1 + 0


Starting from the second to last equation, we can get expressions for 1 (the gcd of 16 and 35) in terms of the remainders used in the algorithm by “back-substituting”:

1 = 16 − 5 ∗ 3

3 = 35 − 2 ∗ 16

Using this we see that

1 = 16 − (5)(3)

= 16 − 5(35 − 2(16))

= 16 − 5(35) + 10(16)

= 11(16) − 5(35)

A complete proof of this fact can be given using proof by induction on the number of steps used by Euclid’s Algorithm. □

Notice that with inverses in hand, we can now solve linear congruences.

Example. Solve the congruence 11x ≡ 9 (mod 35).

Recall from the example above that 11 and 16 are inverses mod 35. This leads to a solution that looks almost like high school algebra.

11x ≡ 9

(16)(11)x ≡ (16)(9)

x ≡ (16)(9)

x ≡ 144 ≡ 4

(All the congruences are mod 35, of course.)
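The extended version of Euclid’s Algorithm carried out in code, as an added example that is not part of the original notes: it returns the s and t of the GCD Lemma, applies the Inverse Lemma’s gcd test, and solves the congruence above by multiplying through by the inverse.

```python
# Added example (not from the original notes): Euclid's Algorithm with
# back-substitution, the Inverse Lemma, and solving a linear congruence.


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (GCD Lemma).

    Iterative form of "run Euclid's Algorithm, then back-substitute": every
    remainder is carried along as a combination of the original a and b, so
    the back-substitution happens as we go instead of in a second pass.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r      # the remainder step of Euclid
        old_s, s = s, old_s - q * s      # keeps old_r = old_s*a + old_t*b
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def inverse_mod(a, n):
    """Return the inverse of a mod n in [1, n-1], or None if there is none.

    By the Inverse Lemma an inverse exists exactly when gcd(a, n) = 1, and then
    the coefficient s in 1 = s*a + t*n is the inverse once read mod n.
    """
    g, s, _ = extended_gcd(a % n, n)
    if g != 1:
        return None
    return s % n


def solve_linear_congruence(a, b, n):
    """Solve a*x ≡ b (mod n) when gcd(a, n) = 1, returning x in [0, n-1].

    Multiplying both sides by the inverse of a isolates x, exactly as in the
    11x ≡ 9 (mod 35) example. Raises ValueError when a has no inverse mod n.
    """
    d = inverse_mod(a, n)
    if d is None:
        g = extended_gcd(a, n)[0]
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {g}")
    return (d * b) % n


if __name__ == "__main__":
    print(extended_gcd(16, 35))                # (1, 11, -5): 1 = 11(16) - 5(35)
    print(inverse_mod(11, 35))                 # 16
    print(inverse_mod(5, 35))                  # None, since gcd(5, 35) = 5
    print(solve_linear_congruence(11, 9, 35))  # 4
```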

20. Working mod 50, which of the following numbers have an inverse: a) 3 b) 4 c) 5 d) 7 e) 10? (You do not need to find the inverses.)

21. Working mod 123, two pairs among the following numbers are inverses. Which pairs? How do you know? (Do not use Euclid’s Algorithm for this problem.)

17 24 29 38 55 85 101

22. True or false. Explain.

a) 1 has an inverse mod n for any n.

b) n− 1 has an inverse mod n for any n.


c) If a is a prime number, then a has an inverse mod n for any n.

d) If a has an inverse mod b, then b has an inverse mod a.

23. Use the extended version of Euclid’s Algorithm to find the following inverses, or show that there is no such inverse.

a) the inverse of 13 mod 55

b) the inverse of 55 mod 13

c) the inverse of 11 mod 55

d) the inverse of 16 mod 55

A bit more advanced Number Theory

We can use the tools above to show a few more advanced things that will be useful for RSA. They are only “advanced” in the sense that we will justify them by using the results we have already established (rather than directly from the definitions). Except for the last one, these are still straightforward results.

1. First Cancellation Lemma. If gcd(a, c) = 1 and a | bc, then a | b.

Reason: Write 1 = sa + tc (gcd lemma). Then b = sab + tcb. a | sab, and a | tcb (because a | bc), so a | b (divisibility lemma).

2. Second Cancellation Lemma. If gcd(n, c) = 1 and ac ≡ bc (mod n), then a ≡ b (mod n).

Reason: n | ac − bc, so n | c(a − b), so n | (a − b) (First Cancellation Lemma), so a ≡ b (mod n).

Alternative Reason: c has an inverse mod n. Call it d. Then a ≡ acd ≡ bcd ≡ b (mod n).

3. Prime Divisibility Lemma: If p is prime and p | a_1 · a_2 · · · a_n, then p | a_i for some i.

Reason: repeated use of First Cancellation Lemma.

4. Unique Factorization. Every integer greater than 1 can be factored as a product of primes in exactly one way (up to the order of the primes involved).

Reason: Show that any two factorizations are the same because “everything cancels”. (Uses Cancellation Lemma and Prime Divisibility Lemma.)

5. Chinese Remainder Theorem. Let m_1, m_2, . . . , m_k be pairwise relatively prime positive integers (this means that gcd(m_i, m_j) = 1 whenever i ≠ j), and let a_1, a_2, . . . , a_k be any integers. Then there is a number x such that x mod m_i = a_i for each i (i.e., x ≡ a_i (mod m_i) for each i). In fact, there is always exactly one such number in the range [0, M − 1], where M is the product of all the m_i’s.

(a) Example: Find x so that x mod 3 = 1, x mod 5 = 2, and x mod 8 = 3.

Solution: The idea is to fill in the following boxes with integers:

x = □ · 40 + □ · 24 + □ · 15


where 40 = 5× 8, 24 = 3× 8, and 15 = 3× 5 (products of all but one modulus).

The value in the first box will determine x mod 3, because the rest is divisible by 3; the value in the second box will determine x mod 5 because the rest is divisible by 5; the value in the third box will determine x mod 8 because the rest is divisible by 8.

To get the appropriate values for each box, we solve the equations B_1 · 40 ≡ 1 (mod 3), B_2 · 24 ≡ 2 (mod 5), B_3 · 15 ≡ 3 (mod 8), which we can do using inverses.

mod 3                 mod 5                          mod 8
B_1 · 40 ≡ 1          B_2 · 24 ≡ 2                   B_3 · 15 ≡ 3
B_1 · 1 ≡ 1           B_2 · (−1) ≡ 2                 B_3 · (−1) ≡ 3
B_1 ≡ 1               B_2 · (−1)(−1) ≡ 2(−1)         B_3 · (−1)(−1) ≡ 3(−1)
                      B_2 ≡ −2 ≡ 3                   B_3 ≡ −3 ≡ 5

Now putting each B_i back into its box we get

x = 1 · 40 + 3 · 24 + 5 · 15 = 40 + 72 + 75 = 187

Or, choosing different values for the B_i’s:

x = 1 · 40 + (−2) · 24 + 5 · 15 = 40 − 48 + 75 = 67

Note that 187 − 67 = 120 = 3 · 5 · 8. This is not a coincidence. The set of all solutions to this system of congruences is a congruence class mod 120. One way to see why this should be is to notice that adjusting the number in one of the boxes by a multiple of the appropriate modulus (3 or 5 or 8) changes the value of x by a multiple of 120. The proof is more easily given by working with our properties of modular arithmetic. You will be asked to prove this in an exercise.

(b) This method will always work if the moduli are pairwise relatively prime, because in that case the required inverses will exist.

6. Fermat’s Little Theorem. If p is a prime then for any a, a^p ≡ a (mod p). Furthermore, if a ≢ 0 (mod p), then a^(p−1) ≡ 1 (mod p).

First notice that if a ≡ 0 (mod p), then a^n ≡ 0 (mod p) for any n ≥ 1. So the only interesting case is when a ≢ 0 (mod p).

Here is the basic idea: There will be a number a such that the numbers a, a^2, a^3, . . . , a^(p−1) (mod p) are all distinct and not 0, so 1 can’t occur in the list until all the other non-zero numbers (mod p) have occurred. (Proving such an a always exists is the tricky part.) This means that a^(p−1) ≡ 1. For other numbers b, b ≡ a^d for some d, so b^(p−1) ≡ (a^d)^(p−1) ≡ (a^(p−1))^d ≡ 1^d ≡ 1.

24. Prove the Unique Factorization Lemma by induction on the number of primes in the prime factorization. [Note: This is a slightly different approach than the one used in class.]

25. a) Check that the two solutions given in the Chinese Remainder example are indeed correct by doing the modular arithmetic.

b) Find another solution and show that it is correct.


c) Prove that the set of all solutions is [67]_120, the congruence class of 67 mod 120. [Hint: You need to show two things: (i) if x ≡ 67 (mod 120), then x is a solution; (ii) if x is a solution, then x ≡ 67 (mod 120).]

26. Find the smallest positive number x such that x ≡ 2 (mod 3), x ≡ 1 (mod 4) and x ≡ 3 (mod 5).

27. Find the smallest positive number x such that x ≡ 2 (mod 5), x ≡ 4 (mod 6) and x ≡ 5 (mod 7). Describe the set of all solutions.

28. Find the smallest positive number x such that x ≡ 1 (mod 2), x ≡ 2 (mod 3), x ≡ 3 (mod 5) and x ≡ 4 (mod 11). Describe the set of all solutions.

29. 6, 10, and 15 are not pairwise relatively prime, so the Chinese Remainder Theorem does not apply.But is there an integer x such that x ≡ 5 (mod 6), x ≡ 7 (mod 10), x ≡ 2 (mod 15)?

If so, find the two smallest positive solutions. If not, explain why not.

30. Calculate the following.

a) 2^10 mod 11 [Hint: Use Fermat’s Little Theorem.]

b) 2^340 mod 11 [Hint: How does part (a) help?]

c) 2^340 mod 31 [Hint: What is 2^5 mod 31?]

d) 2^340 mod 341 [Hint: How do parts (b) and (c) help?]

31. Use Fermat’s Little Theorem to calculate the following. [Hint: How do parts (a), (b), and (c) help for part (d)?]

a) 3^302 mod 5

b) 3^302 mod 7

c) 3^302 mod 11

d) 3^302 mod 385 (Note: 385 = 5 · 7 · 11.)

32. Use Fermat’s Little Theorem to calculate the following. [Hint: How do parts (a), (b), and (c) help for part (d)?]

a) 5^2003 mod 7

b) 5^2003 mod 11

c) 5^2003 mod 13

d) 5^2003 mod 1001


Applications of Number Theory to Codes

Number Theory has numerous applications for various kinds of codes. The most famous of these is probably RSA encryption (named after its inventors Rivest, Shamir and Adleman), which is one of the most commonly used public key encryption schemes. But there are many other types of codes as well. Error-detecting codes are designed to detect common types of errors in communication. Simple error-detecting codes include ISBN and UPC codes. Error-correcting codes not only detect that an error has occurred but, provided there are not too many errors, correct the errors. Error-correcting codes are used in applications like CD players so that the music can be rendered even if a few bits here and there are misread. Both error-detecting and error-correcting codes can be used to prevent data-transmission errors.

Data compression could be thought of as a kind of code as well, as can the storing of any data in a computer. In each of these cases some information is being stored electronically in a form that is not the same as the information itself, but from which the information can be retrieved. We will look at one example of this sort of code, which I will call Chinese Remainder coding, that allows us to do arithmetic with larger integers than we would otherwise be able to store in a machine’s internal registers.

Cryptographic codes are used to transmit a message from a sender to a recipient in such a way that an eavesdropper cannot discover the message. Applications of cryptography range from secure remote logins, to on-line banking and purchasing, to national security. Private key cryptographic schemes rely on keeping a secret key, known only to the sender and recipient. This key must, of course, be communicated between the recipient and sender, and then safely guarded. Public key cryptographic schemes do not require the use of a shared secret key. Instead, only the recipient must know the secret key. Furthermore, anyone can send a message to the recipient using a public key to code the message, and even though anyone can know how the message was coded (the public key), only the recipient is able to decode the message in a reasonably efficient manner.

ISBN Numbers

Note: ISBN numbers are discussed on page 104 of the textbook. Stay tuned for more applications . . .

33. The ISBN number for a book is 0-201-029□8-X. What is the missing digit (represented by the box)?

34. This problem discusses some of the errors that are detected by the ISBN code.

a) Show that if the first two digits of an ISBN number are reversed, then the resulting number is not a legal ISBN number. (Unless, of course, the two digits were the same. This same caveat applies to each part of this problem.)

b) Show that if any two consecutive digits in an ISBN number are reversed, then the result is not a legal ISBN number.

c) Show that if any two digits (not necessarily consecutive) are interchanged, then the result is not a legal ISBN number.

d) Show that if the third digit is incorrectly typed, then the result is not a legal ISBN number.

e) Show that if any one digit is incorrectly typed, then the result is not a legal ISBN number.


Chinese Remainder Codes

Suppose that there is a maximum size integer that can be handled by the CPU of some computer. For example, suppose that the maximum is 4. This is, of course, unrealistically small, but we will see that the ideas presented here scale well. Now suppose we need to work with numbers as large as 11. What are we to do?

We will use a (3, 4)-code for the numbers: Instead of storing a number x, which may be too large to process, we will store a pair of numbers: x mod 3 and x mod 4. So our coding scheme looks like the following:

0 ←→ (0,0)     6 ←→ (0,2)
1 ←→ (1,1)     7 ←→ (1,3)
2 ←→ (2,2)     8 ←→ (2,0)
3 ←→ (0,3)     9 ←→ (0,1)
4 ←→ (1,0)    10 ←→ (1,2)
5 ←→ (2,1)    11 ←→ (2,3)

There are two important features of this coding scheme:

1. Provided the moduli are pairwise relatively prime, it is possible to recover x from its Chinese Remainder code by using the Chinese Remainder Algorithm.

Suppose that the (m, n)-code for x is (a, b). Then x is a number such that x ≡ a (mod m) and x ≡ b (mod n). This system of congruences has a unique solution mod mn, provided m and n are relatively prime.

2. Addition, subtraction, and multiplication can be performed on the codes component-wise.

If we have (m, n)-codes (a, b) for x and (c, d) for y, then the code for x + y is (a + c, b + d), where the addition is done mod m in the first coordinate and mod n in the second. Similar statements hold for the other operations.

This means that all the internal arithmetic can be done just by manipulating the codes and ignoring what they represent. We only need to convert back to decimal notation when we need to display a result. (This is, by the way, much like what happens in a computer with binary representations of numbers. The computer simply does the arithmetic in binary and converts to decimal only when output is requested.)

Of course, we are not limited to using just two moduli. The numbers 99, 98, 97 and 95 are pairwise relatively prime, so (99, 98, 97, 95)-codes will allow us to handle numbers from 0 to (99)(98)(97)(95) − 1 = 89403929 while only needing to do arithmetic with two-digit numbers.

A more interesting example is (2^35 − 1, 2^34 − 1, 2^33 − 1, 2^31 − 1, 2^29 − 1, 2^23 − 1)-codes. One can check that these moduli are pairwise relatively prime numbers that use at most 35 bits. The codes can be used to represent any number up to 2^184. So six 35-bit numbers can represent one 184-bit number.
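The Chinese Remainder Theorem (the “boxes” method from the earlier example) and the Chinese Remainder codes just described, as one added example that is not part of the original notes; it assumes Python 3.8 or later for pow(x, −1, m), and the large sample values it encodes are constructed here.

```python
# Added example (not from the original notes): the Chinese Remainder Theorem
# solved by the "boxes" method, then reused as a Chinese Remainder code whose
# arithmetic is done component-wise. Assumes Python 3.8+ for pow(x, -1, m).
from functools import reduce
from math import gcd


def crt(residues, moduli):
    """Return the unique x in [0, M-1] with x ≡ a_i (mod m_i), M = product of the m_i.

    Box i holds B_i = a_i * (M_i)^(-1) mod m_i, where M_i = M / m_i is the product
    of the other moduli, so B_i * M_i is ≡ a_i (mod m_i) and ≡ 0 (mod every other m_j).
    Raises ValueError when the moduli are not pairwise relatively prime, since the
    needed inverses may then not exist.
    """
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not relatively prime")
    M = reduce(lambda u, v: u * v, moduli, 1)
    x = 0
    for a, m in zip(residues, moduli):
        M_i = M // m
        B_i = (a * pow(M_i, -1, m)) % m    # pow(M_i, -1, m) is the inverse of M_i mod m
        x += B_i * M_i
    return x % M


class CRCode:
    """(m_1, ..., m_k)-codes: x is stored as the tuple (x mod m_1, ..., x mod m_k)."""

    def __init__(self, moduli):
        self.moduli = tuple(moduli)
        # By the CRT the codes are distinct for 0 .. capacity-1, the product of the moduli.
        self.capacity = reduce(lambda u, v: u * v, self.moduli, 1)

    def encode(self, x):
        if not 0 <= x < self.capacity:
            raise ValueError(f"{x} is outside the representable range [0, {self.capacity - 1}]")
        return tuple(x % m for m in self.moduli)

    def decode(self, code):
        return crt(code, self.moduli)       # recovering x is exactly a CRT instance

    # Each coordinate is reduced mod its own modulus, so no intermediate value
    # ever exceeds (largest modulus)^2, however large x and y themselves are.
    def add(self, c1, c2):
        return tuple((a + b) % m for a, b, m in zip(c1, c2, self.moduli))

    def sub(self, c1, c2):
        return tuple((a - b) % m for a, b, m in zip(c1, c2, self.moduli))

    def mul(self, c1, c2):
        return tuple((a * b) % m for a, b, m in zip(c1, c2, self.moduli))


if __name__ == "__main__":
    print(crt([1, 2, 3], [3, 5, 8]))                  # 67, the solution from the notes
    code34 = CRCode([3, 4])
    print([code34.encode(x) for x in range(12)])      # the (3, 4)-code table
    # Six moduli of at most 35 bits holding a 184-bit number (sample value constructed).
    big = CRCode([2**35 - 1, 2**34 - 1, 2**33 - 1, 2**31 - 1, 2**29 - 1, 2**23 - 1])
    x = 2**183 + 12345
    print(big.decode(big.mul(big.encode(x), big.encode(3))) == 3 * x)   # True
```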

35. Below are (13, 14, 15)-codes for some numbers:

x←→ (2, 7, 5) y ←→ (11, 11, 11) z ←→ (0, 1, 2)


a) What is the largest number that can be represented by such a code?

b) What is the (13, 14, 15)-code for x + y? x− y? xy?

c) Determine the values of x, y, and z.

d) Is it easy to do comparison using Chinese Remainder codes? (Can we tell which of x and y is larger by looking at their codes?)

Cryptography

By an encryption scheme, we mean a pair of algorithms E (encoding) and D (decoding) with the following relationship.

message                   encrypted message                    original message again
   M     →(encryption)→      C = E(M)      →(decryption)→     M = D(C) = D(E(M))

That is, there is some message M which is to be communicated from the sender to the recipient. But instead of transmitting M, the message is coded as C = E(M) (the encrypted message, sometimes called cypher text, as opposed to the message, which is called plain text). The recipient then uses the decryption algorithm D to decrypt: D(C) = M, retrieving the original message.

In a private key encryption scheme, the sender and recipient agree (secretly) on some information that is used to encrypt and decrypt. This information is called a private key. Since no one else (presumably) knows the private key, only the sender and receiver can (efficiently) encrypt and decrypt.

The traditional Caesar cypher is a trivial example of private key encryption. In order to highlight the number theory and prepare ourselves for things to come, we’ll describe the Caesar cypher by first converting each letter of the message to a number: A becomes 0, B becomes 1, etc.

A B C D E F G H I J K L M

0 1 2 3 4 5 6 7 8 9 10 11 12

N O P Q R S T U V W X Y Z

13 14 15 16 17 18 19 20 21 22 23 24 25

Then we convert the number x to x + 3 mod 26. Finally we convert the numbers back into letters.

CAESAR CYPHER
  ↓ (letters to numbers)
02 04 00 18 00 17   02 24 15 07 04 17
  → (add 3 mod 26) →
05 07 03 21 03 20   05 01 18 10 07 20
  ↓ (numbers to letters)
FHDVDU FBSKHU

Decoding is done by shifting in the other direction: y ↦ y − 3 mod 26. But notice that since −3 ≡ 22 (mod 26), subtracting 3 is the same as adding 22 (mod 26). So another way to describe decryption is to say that it is the same thing as encryption but with a different key. Of course, one must keep both keys secret, since it is trivial to determine one from the other.


Of course, we could shift by some other amount than 3, so there are 26 possible secret keys (perhaps we shouldn’t really count the key 0). As is, this is incredibly insecure: one can simply try all 26 keys until the result is a reasonable message. Some improvement could be gained by converting blocks of letters to a number instead of single letters. For example, if we converted two-letter blocks, there would be 26 × 26 = 676 possible blocks, and we could work mod 676 and have 675 non-zero keys to choose from. Similarly, if we used 50-letter blocks, there would be 26^50 keys, and it would become much more difficult to simply search through the keys and crack the code.

But the Caesar cypher is not touted as a serious cryptographic scheme even in its modified form. It is susceptible to other kinds of attacks, and there are better private-key schemes. It is only of interest because it demonstrates a simple use of modular arithmetic, because it was actually used by the Roman Empire (reportedly with the private key of 3) for sending secret messages, and because it bears an amazing similarity with RSA.

RSA

RSA is a public-key encryption scheme. In a public key encryption scheme, there are two categories of information used in the encryption/decryption algorithms:

• Public information:

– Freely available (to sender, recipient and eavesdroppers).

– Different for each recipient.

– Senders of messages use this information to encrypt.

• Secret information:

– Only the recipient knows it (recipient hopes).

– Recipient uses this to decrypt.

The scheme is amazingly easy to describe. It is very similar to the Caesar cypher, but instead of coding the message using (modular) addition, we will use (modular) exponentiation. So the system consists of a modulus and two exponents, one to encrypt and one to decrypt.

• Public information: integers n and e

• Private information: integer d

• Encryption algorithm: C = E(M) = M^e (mod n)

• Decryption algorithm: D(C) = C^d (mod n)

Here we are assuming that the text message has been parsed into “blocks” and that each block is coded as a number mod n. (n will be large, say around 400 bits.) Of course, not just any n, d, and e will do. We need to choose them in such a way that

1. Decryption works: M = D(E(M)). That is, (M^e)^d ≡ M (mod n).

2. The scheme is secure: It is not easy to determine d if you know e and n. [Recall that for the Caesar cypher, if someone knows how encoding was done, they know how to decode, too.]


3. The scheme is practical: Suitable e, d, and n can be found reasonably efficiently, and the algorithms D and E can be performed efficiently.

Number theory (modular arithmetic) is what allows us to make all of this work.

Showing that RSA decoding works

Choosing the parameters: n, e, and d

Here’s how we choose n, e, and d:

• First choose two large primes p and q. (Keep these secret.)

• Let n = pq.

• Choose e and d so that they are inverses mod (p − 1)(q − 1). (Note that e has an inverse d if gcd(e, (p − 1)(q − 1)) = 1. There will be many such e.)

Why this works

So why does this work? Remember the goal: we want (M^e)^d ≡ M (mod n). Let’s look at this more closely. (M^e)^d ≡ M^(ed), so we want M^(ed) ≡ M. This follows from M^(ed−1) ≡ 1, so let’s see how to achieve that.

Since gcd(p, q) = 1, by the Chinese Remainder Theorem we can break this into two pieces: M^(ed−1) ≡ 1 (mod p) and M^(ed−1) ≡ 1 (mod q).

By Fermat’s Little Theorem, M^(p−1) ≡ 1 (mod p) and M^(q−1) ≡ 1 (mod q). (This needs p ∤ M and q ∤ M; if p | M, then M^(ed) ≡ 0 ≡ M (mod p) holds trivially, and likewise for q, so those cases need no further argument.) Since e and d are inverses mod (p − 1)(q − 1), we can write ed = 1 + k(p − 1)(q − 1). So M^(ed−1) ≡ M^(k(p−1)(q−1)) ≡ (M^(p−1))^(k(q−1)) ≡ 1^(k(q−1)) ≡ 1 (mod p). By a similar argument M^(ed−1) ≡ 1 (mod q), hence M^(ed−1) ≡ 1 (mod n), so M^(ed) ≡ 1 · M ≡ M (mod n).

A few comments on RSA

1. Finding large primes p and q is reasonably easy.

About 1 in every 460 200-digit numbers is a prime. There are randomized methods to check whether a number is prime that work most of the time, so if we try 1000 or so 200-digit numbers, we will probably have found 2 primes. This cost is a one-time off-line cost of using RSA.

2. M^e (mod n) can be computed reasonably efficiently.

The obvious algorithm (raise M to the eth power by repeated multiplication) is terrible: it takes about 2^400 steps if e is a 400-bit number! But repeated squaring (doing the modular arithmetic as we go) is much better:

M^e = M^(e/2) · M^(e/2) (if e is even)   or   M^e = M^(⌊e/2⌋) · M^(⌊e/2⌋) · M (if e is odd)

This requires only about log_2(e) steps to compute (i.e., only a few hundred steps for 400-bit numbers; in general, linear in the length of e). Repeated squaring can be implemented recursively or iteratively. Figuring out which of the two cases applies is particularly easy from the binary representation of e.

So RSA is reasonably efficient to use.
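An added example (not from the original notes) putting the parameter choice, the repeated-squaring exponentiation and the signature use of the key pair together in code. It uses the toy primes p = 61, q = 53 and e = 17 (constructed here; real moduli are hundreds of bits) and Python’s pow(e, −1, phi) (3.8+) for the inverse mod (p − 1)(q − 1).

```python
# Added example (not from the original notes): RSA parameter choice, encryption
# and decryption by repeated squaring, and the signature use of the key pair.
# Toy primes p = 61, q = 53 and e = 17 are constructed here; real n is hundreds
# of bits. pow(e, -1, phi) (Python 3.8+) supplies the inverse mod (p-1)(q-1).
from math import gcd


def modpow(base, exp, n):
    """Compute base^exp mod n by repeated squaring, reducing mod n as we go.

    Reading the bits of exp from the most significant end decides which of the
    two cases applies at each step: always square, and multiply by base as well
    when the bit is 1 (the odd-exponent case). About log2(exp) steps in all.
    """
    if exp < 0:
        raise ValueError("exponent must be non-negative")
    result = 1
    base %= n
    for bit in bin(exp)[2:]:               # binary digits of exp, most significant first
        result = (result * result) % n     # M^(2k) = M^k * M^k
        if bit == "1":
            result = (result * base) % n   # the extra factor of M for M^(2k+1)
    return result


def rsa_keygen(p, q, e):
    """Return ((n, e), d): n = pq and d is the inverse of e mod (p-1)(q-1).

    p and q are assumed to be distinct primes. By the Inverse Lemma d exists
    exactly when gcd(e, (p-1)(q-1)) = 1, so any other e is rejected.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} has no inverse mod (p-1)(q-1)={phi}")
    d = pow(e, -1, phi)
    return (n, e), d


def encrypt(M, public_key):
    """C = E(M) = M^e mod n; M must already be a block in [0, n-1]."""
    n, e = public_key
    if not 0 <= M < n:
        raise ValueError("message block must be in [0, n-1]")
    return modpow(M, e, n)


def decrypt(C, d, n):
    """D(C) = C^d mod n."""
    return modpow(C, d, n)


def sign(M, d, n):
    """The signer applies the private exponent d to the message (or its digest)."""
    return modpow(M, d, n)


def verify(M, sig, public_key):
    """Anyone can check with e, since (M^d)^e = M^(ed) = (M^e)^d ≡ M (mod n)."""
    n, e = public_key
    return modpow(sig, e, n) == M


if __name__ == "__main__":
    public, d = rsa_keygen(61, 53, 17)
    n = public[0]
    print(public, d)                           # (3233, 17) 2753
    C = encrypt(65, public)
    print(C, decrypt(C, d, n))                 # 2790 65
    print(verify(65, sign(65, d, n), public))  # True
```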


3. RSA is not nearly as efficient to use as some private key systems.

One use of RSA is to communicate a private key pair over an insecure channel, after which the two parties can use a faster private-key system like DES.

4. No method is (publicly) known that can determine d from e and n that does not easily yield a factorization of n. So RSA seems to be about as hard to crack as factoring large numbers. But there is no mathematical proof that we won’t eventually be able to factor efficiently.

This means that RSA is reasonably secure: no one who will admit it knows a good algorithm for factoring 400-bit numbers. (Of course, the size bound here keeps growing as both machines and algorithms improve.)

5. RSA can also be used to do electronic signatures.

To confirm you authored something, use your decoding algorithm (using d) to encode your message (or just a signature). The recipient can decode with e. If you are the only one who has access to d, then you are the only one who could have sent the message.

This works because (M^e)^d = M^(ed) = (M^d)^e.

36. We can think of RSA as a modification of the Caesar cypher in which we replace addition mod n with exponentiation mod n. We could also consider a scheme that used multiplication instead of addition. See the table below.

Scheme           parameters   encoding            decoding            relationship between the parameters
Caesar           n, d, e      C = M + e mod n     M = C + d mod n     d = n − e
Multiplication   n, d, e      C = M · e mod n     M = C · d mod n     d = ??
RSA              n, d, e      C = M^e mod n       M = C^d mod n       n = pq, ed ≡ 1 (mod (p − 1)(q − 1))

a) What is the relationship between e and d in the multiplicative scheme?

b) How does the multiplicative scheme compare with the other two in terms of its quality? Could it be used as a private key scheme? If so, would it be any better or worse than the additive Caesar cypher? Could it be used as a public key scheme? If so, would it be any better or worse than RSA?

37. In this problem we will show that if n = pq, where p and q are prime, and someone knows n and (p − 1)(q − 1), then they can determine p and q. Note that this means we had better make sure that we keep (p − 1)(q − 1) secret when using RSA!

a) Show that if n and (p − 1)(q − 1) are known, then we can determine s = p + q. [Hint: what is n − (p − 1)(q − 1)?]

b) Express n in terms of p and s.

c) Why is it easy to figure out p if we know n and s?


Credits

Thanks to the following students for finding errors of various sorts in this manuscript:

Name               Number of errors reported first
Randy Buikema      3
Jack Cheung        2
Nate Dykens        2
Justin Kent        1
Andrew Meneely     3
Dennis Sidharta    1
Dan Russcher       1

October 31, 2002