Introduction to Number Theory 1

c Eli Biham - March 29, 2011

203 Introduction to Number Theory 1
 Division
Definition: Let a and b be integers. We say that a divides b, or a|b if d
s.t. b = ad. If b 6= 0 then |a| |b|.
Division Theorem: For any integer a and any positive integer n, there are
unique integers q and r such that 0 r < n and a = qn + r.
The value r = a mod n is called the remainder or the residue of the division.

Theorem: If m|a and m|b then m|a + b for any integers , .

Proof: a = rm; b = sm for some r, s. Therefore, a + b = rm + sm =
m(r + s), i.e., m divides this number. QED

c Eli Biham - March 29, 2011

204 Introduction to Number Theory 1
 Division (cont.)
If n|(a b), i.e., a and b have the same residues modulo n: (a mod n) =
(b mod n), we write a b (mod n) and say that a is congruent to b
modulo n.
The integers can be divided into n equivalence classes according to their residue
modulo n:
[a]n = {a + kn : k ZZ}
Zn = {[a]n : 0 a n 1}
or briefly
Zn = {0, 1, . . . , n 1}

c Eli Biham - March 29, 2011

205 Introduction to Number Theory 1
 Greatest Common Divisor
Let a and b be integers.

1. gcd(a, b) (the greatest common divisor of a and b) is

gcd(a, b) = max(d : d|a and d|b)

(for a 6= 0 or b 6= 0).
Note: This definition satisfies gcd(0, 1) = 1.

2. lcm(a, b) (the least common multiplier of a and b) is

lcm(a, b) = min(d > 0 : a|d and b|d)

(for a 6= 0 and b 6= 0).

3. a and b are coprimes (or relatively prime) iff gcd(a, b) = 1.

c Eli Biham - March 29, 2011

206 Introduction to Number Theory 1
 Greatest Common Divisor (cont.)
Theorem: Let a, b be integers, not both zero, and let d be the smallest positive
element of S = {ax + by : x, y IN }. Then, gcd(a, b) = d.
Proof: S contains a positive integer because |a| S.
By definition, there exist x, y such that d = ax + by. d |a|, thus there exist
q, r such that
a = qd + r, 0 r < d.
Thus,

r = a qd = a q(ax + by) = a(1 qx) + b(qy) S.

r < d implies r = 0, thus d|a.

By the same arguments we get d|b.
d|a and d|b, thus d gcd(a, b).
On the other hand gcd(a, b)|a and gcd(a, b)|b, and thus gcd(a, b) divides any
linear combination of a, b, i.e., gcd(a, b) divides all elements in S, including d,
and thus gcd(a, b) d. We conclude that d = gcd(a, b). QED

c Eli Biham - March 29, 2011

207 Introduction to Number Theory 1
 Greatest Common Divisor (cont.)
Corollary: For any a, b, and d, if d|a and d|b then d| gcd(a, b).
Proof: gcd(a, b) is a linear combination of a and b.
Lemma: For m 6= 0

gcd(ma, mb) = |m| gcd(a, b).

Proof: If m 6= 0 (WLG m > 0) then gcd(ma, mb) is the smallest positive

element in the set {amx+bmy}, which is m times the smallest positive element
in the set {ax + by}.

c Eli Biham - March 29, 2011

208 Introduction to Number Theory 1
 Greatest Common Divisor (cont.)
Corollary: a and b are coprimes iff

x, y such that xa + yb = 1.

Proof:
() Let d = gcd(a, b), and xa + yb = 1. d|a and d|b and therefore, d|1, and
thus d = 1.
() a and b are coprimes, i.e., gcd(a, b) = 1. Using the previous theorem, 1 is
the smallest positive integer in S = {ax + by : x, y IN }, i.e., x, y such that
ax + by = 1. QED

c Eli Biham - March 29, 2011

209 Introduction to Number Theory 1
 The Fundamental Theorem of Arithmetic
The fundamental theorem of arithmetic: If c|ab and gcd(b, c) = 1 then
c|a.
Proof: We know that c|ab. Clearly, c|ac.
Thus,
c| gcd(ab, ac) = a gcd(b, c) = a 1 = a.
QED

c Eli Biham - March 29, 2011

210 Introduction to Number Theory 1
 Prime Numbers and Unique Factorization
Definition: An integer p 2 is called prime if it is divisible only by 1 and
itself.
Theorem: Unique Factorization: Every positive number can be repre-
sented as a product of primes in a unique way, up to a permutation of the order
of primes.

c Eli Biham - March 29, 2011

211 Introduction to Number Theory 1
 Prime Numbers and Unique Factorization (cont.)
Proof: Every number can be represented as a product of primes, since if one
element is not a prime, it can be further factored into smaller primes.
Assume that some number can be represented in two distinct ways as products
of primes:
p 1 p 2 p 3 p s = q1 q2 q3 qr
where all the factors are prime, and no pi is equal to some qj (otherwise discard
both from the product).
Then,
p1|q1q2q3 qr .
But gcd(p1, q1) = 1 and thus

p1|q2q3 qr .

Similarly we continue till

p1|qr .
Contradiction. QED

c Eli Biham - March 29, 2011

212 Introduction to Number Theory 1
 Euclids Algorithm
Let a and b be two positive integers, a > b > 0. Then the following algorithm
computes gcd(a, b):
r1 = a
r0 = b
for i from 1 until ri = 0
qi, ri : ri2 = qiri1 + ri and 0 ri < ri1
k=i-1
Example: a = 53 and b = 39.

53= 1 39 + 14
39= 2 14 + 11
14= 1 11 + 3
11= 3 3 + 2
3= 1 2 + 1
2= 2 1 + 0

Thus, gcd(53, 39) = 1.

c Eli Biham - March 29, 2011
213 Introduction to Number Theory 1
 Extended Form of Euclids Algorithm
Example (cont.): a = 53 and b = 39.

53= 1 39 + 14 14= 53 39
39= 2 14 + 11 11= 39 2 14 = 2 53 + 3 39
14= 1 11 + 3 3= 14 1 11 = 3 53 4 39
11= 3 3 + 2 2= 11 3 3 = 11 53 + 15 39
3= 1 2 + 1 1= 3 1 2 = 14 53 19 39
2= 2 1 + 0

Therefore, 14 53 19 39 = 1.
We will use this algorithm later as a modular inversion algorithm, in this case
we get that (19) 39 34 39 1 (mod 53).
Note that every ri is written as a linear combination of ri1 and ri2, and
ultimately, ri is written as a linear combination of a and b.

c Eli Biham - March 29, 2011

214 Introduction to Number Theory 1
 Proof of Euclids Algorithm
Claim: The algorithm stops after at most O(log a) steps.
Proof: It suffices to show that in each step ri < ri2/2:
For i = 1: r1 < b < a and thus in a = q1b + r1, q1 1. Therefore,
a 1b + r1 > r1 + r1, and thus a/2 > r1.
For i > 1: ri < ri1 < ri2 and thus ri2 = qiri1 + ri, qi 1. Therefore,
ri2 1ri1 + ri > ri + ri, and thus ri2/2 > ri.
After at most 2 log a steps, ri reduces to zero. QED

c Eli Biham - March 29, 2011

215 Introduction to Number Theory 1
 Proof of Euclids Algorithm (cont.)
Claim: rk = gcd(a, b).
Proof:
rk | gcd(a, b): rk |rk1 because of the stop condition. rk |rk and rk |rk1 and
therefore rk divides any linear combination of rk1 and rk , including rk2. Since
rk |rk1 and rk |rk2, it follows that rk |rk3. Continuing this way, it follows that
rk |a and that rk |b, thus rk | gcd(a, b).
gcd(a, b)|rk : rk is a linear combination of a and b; gcd(a, b)|a and gcd(a, b)|b,
therefore, gcd(a, b)|rk .
We conclude that rk = gcd(a, b). QED

c Eli Biham - March 29, 2011

216 Introduction to Number Theory 1
 Groups
A group (S, ) is a set S with a binary operation defined on S for which
the following properties hold:

1. Closure: a b S For all a, b S.

2. Identity: There is an element e S such that e a = a e = a for

all a S.

3. Associativity: (a b) c = a (b c) for all a, b, c S.

4. Inverses: For each a S there exists an unique element b S such

that a b = b a = e.

If a group (S, ) satisfies the commutative law a b = b a for all a, b S

then it is called an Abelian group.
Definition: The order of a group, denoted by |S|, is the number of elements
in S. If a group satisfies |S| < then it is called a finite group.
Lemma: (Zn, +n) is a finite Abelian additive group modulo n.

c Eli Biham - March 29, 2011

217 Introduction to Number Theory 1
 Groups (cont.)
Basic Properties:
Let:
k
M
ak = a = |a a
{z. . . a} .
i=1 k

a0 = e

1. The identity element e in the group is unique.

Every element a has a single inverse, denoted by a1. We define ak =

2. L
k 1
i=1 a .

3. am an = am+n.

4. (am)n = anm.

c Eli Biham - March 29, 2011

218 Introduction to Number Theory 1
 Groups (cont.)
Definition: The order of a in a group S is the least t > 0 such that at = e,
and it is denoted by order(a, S).
For example, in the group (Z3, +3), the order of 2 is 3 since 2 + 2 4 1,
2 + 2 + 2 6 0 (and 0 is the identity in Z3).

c Eli Biham - March 29, 2011

219 Introduction to Number Theory 1
 Subgroups
Definition: If (S, ) is a group, S S, and (S , ) is also a group, then
(S , ) is called a subgroup of (S, ).
Theorem: If (S, ) is a finite group and S is any subset of S such that
a b S for all a, b S , then (S , ) is a subgroup of (S, ).
Example: ({0, 2, 4, 6}, +8) is a subgroup of (Z8, +8), since it is closed under
the operation +8.
Lagranges theorem: If (S, ) is a finite group and (S , ) is a subgroup
of (S, ) then |S | is a divisor of |S|.

c Eli Biham - March 29, 2011

220 Introduction to Number Theory 1
 Subgroups (cont.)
Let a be an element of a group S, denote by (hai, ) the set:

hai = {ak : order(a, S) k 1}

Theorem: hai contains order(a, S) distinct elements.

Proof: Assume by contradiction that there exists 1 i < j order(a, S),
such that ai = aj . Therefore, e = aji in contradiction to fact that order(a, S) >
j i > 0. QED
Lemma: hai is a subgroup of S with respect to .
We say that a generates the subgroup hai or that a is a generator of hai.
Clearly, the order of hai equals the order of a in the group. hai is also called a
cyclic group.
Example: {0, 2, 4, 6} Z8 can be generated by 2 or 6.
Note that a cyclic group is always Abelian.

c Eli Biham - March 29, 2011

221 Introduction to Number Theory 1
 Subgroups (cont.)
Corollary: The order of an element divides the order of group.
Corollary: Any group of prime order must be cyclic.
Corollary: Let S be a finite group, and a S, then a|S| = e.
Theorem: Let a be an element in a group S, such that as = e, then
order(a, S)|s.
Proof: Using the division theorem, s = q order(a, S) + r, where 0 r <
order(a, S). Therefore,

e = as = aqorder(a,S)+r = (aorder(a,S))q ar = ar .

Due to the minimality of order(a, S), we conclude that r = 0. QED

c Eli Biham - March 29, 2011

222 Introduction to Number Theory 1
 Fields
Definition: A Field (S, , ) is a set S with two binary operations and
defined on S and with two special elements denoted by 0, 1 for which the
following properties hold:

1. (S, ) is an Abelian group (0 is the identity with regards to ).

2. (S \ {0}, ) is an Abelian group (1 is the identity with regards to ).

3. Distributivity: a (b c) = (a b) (a c).

Corollary: a S, a 0 = 0.
Proof: a 0 = a (0 0) = a 0 a 0, thus, a 0 = 0.
Examples: (Q, +, ), (Zp , +p, p) where p is a prime.

c Eli Biham - March 29, 2011

223 Introduction to Number Theory 1
 Inverses
Lemma: Let p be a prime. Then,

ab 0 (mod p)

iff
a 0 (mod p) or b 0 (mod p).

Proof:
() From p|a or p|b it follows that p|ab.
() p|ab. If p|a we are done. Otherwise, p 6 |a.
Since p a prime it follows that gcd(a, p) = 1. Therefore, p|b (by the fundamental
theorem of arithmetic). QED

c Eli Biham - March 29, 2011

224 Introduction to Number Theory 1
 Inverses (cont.)
Definition: Let a be a number. If there exists b such that ab 1 (mod m),

then we call b the inverse of a modulo m, and write b = a1 (mod m).
Theorem: If gcd(a, m) = 1 then there exists some b such that ab 1
(mod m).
Proof: There exist x, y such that

xa + ym = 1.

Thus,
xa 1 (mod m).
QED
Conclusion: a has an inverse modulo m iff gcd(a, m) = 1. The inverse can
be computed by Euclids algorithm.

c Eli Biham - March 29, 2011

225 Introduction to Number Theory 1
 Zn
Definition: Zn is the set of all the invertible integers modulo n:

Zn = {i Zn| gcd(i, n) = 1}.

Theorem: For any positive n, Zn is an Abelian multiplicative group under

multiplication modulo n.
Proof: Exercise.
Zn is also called an Euler group.
Example: For a prime p, Zp = {1, 2, . . . , p 1}.

c Eli Biham - March 29, 2011

226 Introduction to Number Theory 1
 Zn (cont.)
Examples:

Z2 = {0, 1} Z2 = {1}
Z3 = {0, 1, 2} Z3 = {1, 2}
Z4 = {0, 1, 2, 3} Z4 = {1, 3}
Z5 = {0, 1, 2, 3, 4} Z5 = {1, 2, 3, 4}
Z1 = {0} Z1 = {0} !!!!!

c Eli Biham - March 29, 2011

227 Introduction to Number Theory 1
 Eulers Function
Definition: Eulers function (n) represents the number of elements in Zn :

(n) = |Zn | = |{i Zn | gcd(i, n) = 1}|

(n) is the number of numbers in {0, . . . , n 1} that are coprime to n.

Note that by this definition (1) = 1 (since Z1 = {0}, which is because
gcd(0, 1) = 1).

c Eli Biham - March 29, 2011

228 Introduction to Number Theory 1
 Eulers Function (cont.)
Theorem: Let n = pe11 pe22 pel l be the unique factorization of n to distinct
primes. Then,
Y Y 1
(n) = (pei i1(pi 1)) = n (1 ).
pi

Proof: Exercise.
Note: If the factorization of n is not known, (n) is not known as well.
Conclusions: For prime numbers p 6= q, and any integers a and b

1. (p) = p 1.

2. (pe) = (p 1)pe1 = pe pe1.

3. (pq) = (p 1)(q 1).

4. If gcd(a, b) = 1 then (ab) = (a)(b).

c Eli Biham - March 29, 2011

229 Introduction to Number Theory 1
 Eulers Function (cont.)
Theorem: X
(d) = n.
d|n

Proof: In this proof, we count the numbers 1, . . . , n in a different order. We

divide the numbers into distinct groups according to their gcd d with n, thus
the total number of elements in the groups is n.
It remains to see what is the number of numbers out of 1, . . . , n whose gcd
with n is d.
Clearly, if d 6 |n, the number is zero.
Otherwise, let d|n and 1 a n be a number such that gcd(a, n) = d.
Therefore, a = kd, for some k {1, . . . , n/d}. Substitute a with kd, thus
gcd(kd, n) = d, i.e., gcd(k, n/d) = 1.

c Eli Biham - March 29, 2011

230 Introduction to Number Theory 1
 Eulers Function (cont.)
It remains to see for how many ks, 1 k n/d, it holds that

gcd(k, n/d) = 1.

But this is the definition of Eulers function, thus there are (n/d) such ks.
Since we count each a exactly once
X
(n/d) = n.
d |n

n
If d|n then also d = d divides n, and thus we can substitute n/d with d and
get X
(d) = n.
d|n

QED

c Eli Biham - March 29, 2011

231 Introduction to Number Theory 1
 Eulers Theorem
Theorem: For any a and m, if gcd(a, m) = 1 then

a(m) 1 (mod m).

Proof: a is an element in the Euler group Zm . Therefore, as a corollary from

Lagrange Theorem, a|Zm| = a(m) = 1 (mod m). QED

c Eli Biham - March 29, 2011

232 Introduction to Number Theory 1
 Fermats Little Theorem
Fermats little theorem: Let p be a prime number. Then, any integer a
satisfies
ap a (mod p).

Proof: If p|a the theorem is trivial, as a 0 (mod p). Otherwise p and a

are coprimes, and thus by Eulers theorem

ap1 1 (mod p)

and
ap a (mod p).
QED

c Eli Biham - March 29, 2011

233 Introduction to Number Theory 1

Properties of Elements in the Group Zm
Definition: For a, m such that gcd(a, m) = 1, let h be the smallest integer
(h > 0) satisfying
ah 1 (mod m).
(Such an integer exists by Eulers theorem: a(m) 1 (mod m)). We call h

the order of a modulo m, and write h = order(a, Zm ).

Obviously, it is equivalent to the order of a in the Euler group Zm .

c Eli Biham - March 29, 2011

234 Introduction to Number Theory 1
 (cont.)
Properties of Elements in the Group Zm
Conclusions: For a, m such that gcd(a, m) = 1

1. If as 1 (mod m), then order(a, Zm

)|s.

2. order(a, Zm )|(m)

3. If m is a prime, then order(a, Zm )|m 1.

4. The numbers )1
1 2 3 order(a,Zm
1, a , a , a , . . . , a
are all distinct modulo m.

Proof: Follows from the properties of groups.

QED

c Eli Biham - March 29, 2011

235 Introduction to Number Theory 1
 Modular Exponentiation
Given a prime q and a Zq we want to calculate ax mod q.
Denote x in binary representation as

x = xn1xn2 . . . x1x0,
Pn1
where x = i=0 xi2i.
Therefore, ax mod q can be written as:
x 2(n1) xn1 2(n2) xn2
a =a a a2x1 ax0

c Eli Biham - March 29, 2011

236 Introduction to Number Theory 1
 An Algorithm for Modular Exponentiation

(n1) x (n2) x
ax = a2 n1
a2 n2
a2x1 ax0

Algorithm:

r1
for i n 1 down to 0 do
r r2axi mod q (axi is either 1 or a)

At the end
n1
Y Pn1
xi 2i ( xi 2i )
r= a =a i=0 = ax (mod q).
i=0

Complexity: O(log x) modular multiplications. For a random x this complexity

is O(log q).

c Eli Biham - March 29, 2011

237 Introduction to Number Theory 1
 An Algorithm for Modular Exponentiation (cont.)
An important note:

(xy) mod q = ((x mod q)(y mod q)) mod q,

i.e., the modular reduction can be performed every multiplication, or only at

the end, and the results are the same.
The proof is given as an exercise.

c Eli Biham - March 29, 2011

238 Introduction to Number Theory 1
 The Chinese Remainder Theorem
Problem 1: Let n = pq and let x Zn. Compute x mod p and x mod q.
Both are easy to compute, given p and q.
Problem 2: Let n = pq, let x Zp and let y Zq . Compute u Zn such
that

u x (mod p)
u y (mod q).

c Eli Biham - March 29, 2011

239 Introduction to Number Theory 1
 The Chinese Remainder Theorem (cont.)
Generalization: Given moduli m1, m2, . . . , mk and values y1, y2, . . . , yk .
Compute u such that for any i {1, . . . , k}

u yi (mod mi).

We can assume (without loss of generality) that all the mis are coprimes in
pairs (i6=j gcd(mi, mj ) = 1). (If they are not coprimes in pairs, either they
can be reduced to an equivalent set in which they are coprimes in pairs, or
else the system leads to a contradiction, such as u 1 (mod 3) and u 2
(mod 6)).
Example: Given the moduli m1 = 11 and m2 = 13 find a number u
(mod 11 13) such that u 7 (mod 11) and u 4 (mod 13).
Answer: u 95 (mod 11 13). Check: 95 = 11 8 + 7, 95 = 13 7 + 4.

c Eli Biham - March 29, 2011

240 Introduction to Number Theory 1
 The Chinese Remainder Theorem (cont.)
The Chinese remainder theorem: Let m1 , m2, . . . , mk be coprimes in
and let y1, y2, . . . , yk . Then, there is an unique solution u modulo
pairs Q
m = mi = m1 m2 mk of the equations:

u y1 (mod m1)
u y2 (mod m2)
..
u yk (mod mk ),

and it can be efficiently computed.

c Eli Biham - March 29, 2011

241 Introduction to Number Theory 1
 The Chinese Remainder Theorem (cont.)
Example: Let

u 7 (mod 11) u 4 (mod 13)

then compute
u ? (mod 11 13).

Assume we found two numbers a and b such that

a 1 (mod 11) a 0 (mod 13)

and
b 0 (mod 11) b 1 (mod 13)

Then,
u 7a + 4b (mod 11 13).

c Eli Biham - March 29, 2011

242 Introduction to Number Theory 1
 The Chinese Remainder Theorem (cont.)
We remain with the problem of finding a and b. Notice that a is divisible by
13, and a 1 (mod 11).
Denote the inverse of 13 modulo 11 by c 131 (mod 11). Then,

13c 1 (mod 11)

13c 0 (mod 13)

We conclude that

a 13c 13(131 (mod 11)) (mod 11 13)

and similarly
b 11(111 (mod 13)) (mod 11 13)

Thus,
u 7 13 6 + 4 11 6 810 95 (mod 11 13)

c Eli Biham - March 29, 2011

243 Introduction to Number Theory 1
 The Chinese Remainder Theorem (cont.)
Proof: m/mi and mi are coprimes, thus m/mi has an inverse modulo mi.
Denote
li (m/mi)1 (mod mi)
and
bi = li(m/mi).

bi 1 (mod mi)
bi 0 (mod mj ), j 6= i (since mj |(m/mi)).

The solution is

u y1b1 + y2b2 + + yk bk
m
X
yibi (mod m).
i=1

c Eli Biham - March 29, 2011

244 Introduction to Number Theory 1
 The Chinese Remainder Theorem (cont.)
We still have to show that the solution is unique modulo m. By contradiction,
we assume that there are two distinct solutions u1 and u2, u1 6 u2 (mod m).
But any modulo mi satisfy u1 u2 0 (mod mi), and thus

mi|u1 u2.

Since mi are pairwise coprimes we conclude that

Y
m= mi|u1 u2

which means that

u1 u2 0 (mod m).
Contradiction. QED

c Eli Biham - March 29, 2011

245 Introduction to Number Theory 1
 Z Z
Zab a b

Consider the homomorphism : Zab Za Zb ,
(u) = ( = u mod a, = u mod b).

Lemma: u Zab iff Za and Zb , i.e.,
gcd(ab, u) = 1 iff gcd(a, u) = 1 and gcd(b, u) = 1.
Proof:
() Trivial (k1ab + k2u = 1 for some k1 and k2).
() By the assumptions there exist some k1, k2, k3, k4 such that

k1a + k2u = 1 and k3b + k4u = 1.

Thus,
k1a(k3b + k4u) + k2u = 1
from which we get
k1k3ab + (k1k4a + k2)u = 1.

QED

c Eli Biham - March 29, 2011

246 Introduction to Number Theory 1
 Z Z (cont.)
Zab a b
Lemma: is onto.
Proof: Choose any Za and any Zb, we can reconstruct u, using the

Chinese remainder theorem, and u Zab from previous lemma.
Lemma: is one to one.
Proof: Assume to the contrary that for Za and Zb there are u1 6 u2
(mod ab). This is a contradiction to the uniqueness of the solution of the
Chinese remainder theorem.
QED
We conclude from the Chinese remainder theorem and these two Lemmas that

Zab is 1-1 related to Za Zb .
For every Za and Zb there exists a unique u Zab
such that u
(mod a) and u (mod b), and vise versa.
Note: This can be used to construct an alternative proof for (pq) = (p)(q),
where gcd(p, q) = 1.

c Eli Biham - March 29, 2011

247 Introduction to Number Theory 1
 Lagranges Theorem
Theorem: A polynomial of degree n > 0
f (x) = xn + c1xn1 + c2xn2 + . . . + cn1x + cn
has at most n distinct roots modulo a prime p.
Proof: It is trivial for n = 1.
By induction:
Assume that any polynomial of degree n 1 has at most n 1 roots. Let a be
a root of f (x), i.e., f (a) 0 (mod p).
We can write
f (x) = (x a)f1(x) + r (mod p)
for some polynomial f1(x) and constant r (this is a division of f (x) by (x a)).

Since f (a) 0 (mod p) then r 0 (mod p) and we get

f (x) = (x a)f1(x) (mod p).
Thus, any root b 6= a of f (x) is also a root of f1(x):
0 f (b) (b a)f1(b) (mod p)
c Eli Biham - March 29, 2011
248 Introduction to Number Theory 1
 Lagranges Theorem (cont.)
which causes
f1(b) 0 (mod p).
f1 is of degree n 1, and thus has at most n 1 roots. Together with a, f has
at most n roots. QED
Note: Lagranges Theorem does not hold for composites, for example:

x2 4 0 (mod 35)

has 4 roots: 2, 12, 23 and 33.

c Eli Biham - March 29, 2011

249 Introduction to Number Theory 1
 Generators
Definition: a is called a generator of Zn if order(a, Zn ) = (n).
Not all groups posses generators. If Zn possesses a generator g, then Zn is
cyclic.
If g is a generator of Zn and a is any element of Zn then there exists a z such
that g z a (mod n). This z is called the discrete logarithm or index of
a modulo n to the base g. We denote this value as indn,g (a) or DLOGn,g (a).

c Eli Biham - March 29, 2011

250 Introduction to Number Theory 1
 The Number of Generators
Theorem: Let h be the order of a modulo m. Let s be an integer such that
gcd(h, s) = 1, then the order of as modulo m is also h.
Proof: Denote the order of a by h and the order of as by h.

(as)h (ah)s 1 (mod m).

Thus, h|h.
On the other hand,
ash (as)h 1 (mod m)
and thus h|sh. Since gcd(h, s) = 1 then h|h.
QED

c Eli Biham - March 29, 2011

251 Introduction to Number Theory 1
 The Number of Generators (cont.)
Theorem: Let p be a prime and d|p 1. The number of integers in Zp of
order d is (d).
Proof: Denote the number of integers in Zp which are of order d by (d). We
should prove that (d) = (d).
Assume that (d) 6= 0, and let a Zp have an order d (ad 1 (mod p)).
The equation xd 1 (mod p) has the following solutions

1 ad, a1, a2, a3, . . . , ad1,

all of which are distinct.

We know that x ai (mod p) has an order of d iff gcd(i, d) = 1, and thus
the number of solutions with order d is (d) = (d).

c Eli Biham - March 29, 2011

252 Introduction to Number Theory 1
 The Number of Generators (cont.)
We should show that the equality holds even if (d) = 0. Each of the integers
in Zp = {1, 2, 3, . . . , p 1} has some order d|p 1. Thus, the sum of (d) for
all the orders d|p 1 equals |Zp |:
X
(d) = p 1.
d|p1

P
As we know that d|p1 (d) = p 1, it follows that:
X
0 = ((d) (d)) =
d|p1
X X
= ((d) (d)) + ((d) (d)) =
d|p1,(d)=0 d|p1,(d)6=0
X X X
= (d) + 0= (d)
d|p1,(d)=0 d|p1,(d)6=0 d|p1,(d)=0

c Eli Biham - March 29, 2011

253 Introduction to Number Theory 1
 The Number of Generators (cont.)
Since (d) 0, then (d) = 0 (d) = 0. We conclude that for any d:

(d) = (d).

QED

c Eli Biham - March 29, 2011

254 Introduction to Number Theory 1
 The Number of Generators (cont.)
Conclusion: Let p be a prime. There are (p 1) elements in Zp of order
p 1 (i.e., all of them are generators).
Therefore, Zp is cyclic.
Theorem: The values of n > 1 for which Zn is cyclic are 2, 4, pe and 2pe for
all odd primes p and all positive integers e.
Proof: Exercise.

c Eli Biham - March 29, 2011

255 Introduction to Number Theory 1
 Wilsons Theorem
Wilsons theorem: Let p be a prime.

1 2 3 4 . . . (p 1) 1 (mod p).

Proof: Clearly it holds for p = 2. It suffices thus to prove it for p 3.

Let g be a generator of Zp. Then,

Zp = {1, g, g 2, g 3, . . . , g p2}

and thus

1 2 3 4 . . . (p 1) 1 g g 2 g 3 . . . g p2
g (p2)(p1)/2 (mod p).

c Eli Biham - March 29, 2011

256 Introduction to Number Theory 1
 Wilsons Theorem (cont.)
If g (p1)/2 1 (mod p), then it follows that

1 2 3 4 . . . (p 1) g (p2)(p1)/2 (mod p)
(1)p2 1 (mod p).

It remains to show that g (p1)/2 1 (mod p). From Euler theorem it

follows that
g p1 1 (mod p).

Thus,
0 g p1 1 (g (p1)/2 + 1)(g (p1)/2 1) (mod p).
g (p1)/2 6 1 (mod p) since order(g, Zp) = p 1 (and p is odd), and thus it
must be that g (p1)/2 1 (mod p).
QED

c Eli Biham - March 29, 2011

257 Introduction to Number Theory 1