Notes on Public Key Cryptography

And Primality Testing

Part 1: Randomized Algorithms
Miller–Rabin and Solovay–Strassen Tests

Jean Gallier
Department of Computer and Information Science
University of Pennsylvania
Philadelphia, PA 19104, USA
e-mail: [email protected]

c Jean Gallier

April 26, 2016

2
Contents

1 Public Key Cryptography 5

1.1 Public Key Cryptography; The RSA System . . . . . . . . . . . . . . . . . . 5
1.2 Correctness of The RSA System . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3 Algorithms for Computing Powers and Inverses Modulo m . . . . . . . . . . 13
1.4 Finding Large Primes; Signatures; Safety of RSA . . . . . . . . . . . . . . . 18

2 Primality Testing Using Randomized Algorithms 25

3 Basic Facts About Groups, and Number Theory 29

3.1 Groups, Subgroups, Cosets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.2 Cyclic Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.3 Primitive Roots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4 Rings and Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5 The Structure of Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 58

4 The Miller–Rabin Test 61

4.1 The Fermat Test; F -Witnesses and F -Liars . . . . . . . . . . . . . . . . . . . 61
4.2 Carmichael Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.3 The Miller–Rabin Test; MR-Witnesses and MR-Liars . . . . . . . . . . . . . 70
4.4 The Monier–Rabin Bound on the Size of the Set of MR-Liars . . . . . . . . . 79
4.5 The Least MR-Witness for n . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

5 The Solovay–Strassen Test 87

5.1 Quadratic Residues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.2 The Legendre Symbol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.3 The Jacobi Symbol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.4 The Solovay–Strassen Test; E-Witnesses and E-Liars . . . . . . . . . . . . . 96
5.5 The Quadratic Reciprocity Law . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.6 Proof of the Quadratic Reciprocity Law . . . . . . . . . . . . . . . . . . . . . 103
5.7 Strong Pseudoprimes are Euler Pseudoprimes . . . . . . . . . . . . . . . . . 107

Bibliography 111

3
4 CONTENTS
Chapter 1

Public Key Cryptography

1.1 Public Key Cryptography; The RSA System

Ever since written communication was used, people have been interested in trying to conceal
the content of their messages from their adversaries. This has led to the development of
techniques of secret communication, a science known as cryptography.
The basic situation is that one party, A, say Albert, wants to send a message to another
party, J, say Julia. However, there is a danger that some ill-intentioned third party, Machi-
avelli, may intercept the message and learn things that he is not supposed to know about
and as a result, do evil things. The original message, understandable to all parties, is known
as the plain text. To protect the content of the message, Albert encrypts his message. When
Julia receives the encrypted message, she must decrypt it in order to be able to read it. Both
Albert and Julia share some information that Machiavelli does not have, a key. Without a
key, Machiavelli, is incapable of decrypting the message and thus, to do harm.
There are many schemes for generating keys to encrypt and decrypt messages. We are
going to describe a method involving public and private keys known as the RSA Cryptosys-
tem, named after its inventors, Ronald Rivest, Adi Shamir, and Leonard Adleman (1978),
based on ideas by Diffie and Hellman (1976). We highly recommend reading the orginal
paper by Rivest, Shamir, and Adleman [16]. It is beautifully written and easy to follow. A
very clear, but concise exposition can also be found in Koblitz [9]. An encyclopedic coverage
of cryptography can be found in Menezes, van Oorschot, and Vanstone’s Handbook [13].
The RSA system is widely used in practice, for example in SSL (Secure Socket Layer),
which in turn is used in https (secure http). Any time you visit a “secure site” on the
Internet (to read e-mail or to order merchandise), your computer generates a public key and
a private key for you and uses them to make sure that your credit card number and other
personal data remain secret. Interestingly, although one might think that the mathematics
behind such a scheme is very advanced and complicated, this is not so. Therefore, in this
section, we are going to explain the basics of RSA.
The first step is to convert the plain text of characters into an integer. This can be done

5
6 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

easily by assigning distinct integers to the distinct characters, for example, by converting
each character to its ASCII code. From now on, we assume that this conversion has been
performed.
The next and more subtle step is to use modular arithmetic. We assume that the reader
has some familiarity with basic facts of arithmetic (greatest common divisors, etc.). A
“gentle” exposition is given in Gallier [6], Chapter 5. We pick a (large) positive integer m
and perform arithmetic modulo m. Let us explain this step in more detail.
Recall that for all a, b ∈ Z, we write a ≡ b (mod m) iff a − b = km, for some k ∈ Z,
and we say that a and b are congruent modulo m. We already know that congruence is an
equivalence relation but it also satisfies the following properties.

Proposition 1.1. For any positive integer m, for all a1 , a2 , b1 , b2 ∈ Z, the following proper-
ties hold. If a1 ≡ b1 (mod m) and a2 ≡ b2 (mod m), then

(1) a1 + a2 ≡ b1 + b2 (mod m).

(2) a1 − a2 ≡ b1 − b2 (mod m).

(3) a1 a2 ≡ b1 b2 (mod m).

Proof. We only check (3), leaving (1) and (2) as easy exercises. Because a1 ≡ b1 (mod m)
and a2 ≡ b2 (mod m), we have a1 = b1 + k1 m and a2 = b2 + k2 m, for some k1 , k2 ∈ Z, and so

a1 a2 = (b1 + k1 m)(b2 + k2 m) = b1 b2 + (b1 k2 + k1 b2 + k1 mk2 )m,

which means that a1 a2 ≡ b1 b2 (mod m). A more elegant proof consists in observing that

a1 a2 − b1 b2 = a1 (a2 − b2 ) + (a1 − b1 )b2

= (a1 k2 + k1 b2 )m,

as claimed.

Proposition 1.1 allows us to define addition, subtraction, and multiplication on equiva-

lence classes modulo m. If we denote by Z/mZ the set of equivalence classes modulo m and
if we write a for the equivalence class of a, then we define

a+b = a+b
a−b = a−b
ab = ab.

The above make sense because a + b does not depend on the representatives chosen in the
equivalence classes a and b, and similarly for a − b and ab. Of course, each equivalence class
a contains a unique representative from the set of remainders {0, 1, . . . , m − 1}, modulo m,
1.1. PUBLIC KEY CRYPTOGRAPHY; THE RSA SYSTEM 7

so the above operations are completely determined by m × m tables. Using the arithmetic
operations of Z/mZ is called modular arithmetic.
For an arbitrary m, the set Z/mZ is an algebraic structure known as a ring. Addition
and subtraction behave as in Z but multiplication is stranger. For example, when m = 6,

2·3 = 0
3 · 4 = 0,

inasmuch as 2 · 3 = 6 ≡ 0 (mod 6), and 3 · 4 = 12 ≡ 0 (mod 6). Therefore, it is not true

that every nonzero element has a multiplicative inverse. However, it is known (see Gallier
[6], Chapter 5) that a nonzero integer a has a multiplicative inverse iff gcd(a, m) = 1 (use
the Bézout identity). For example,
5 · 5 = 1,
because 5 · 5 = 25 ≡ 1 (mod 6).
As a consequence, when m is a prime number, every nonzero element not divisible by m
has a multiplicative inverse. In this case, Z/mZ is more like Q; it is a finite field . However,
note that in Z/mZ we have
|1 + 1 +{z· · · + 1} = 0
m times

(because m ≡ 0 (mod m)), a phenomenom that does not happen in Q (or R).
The RSA method uses modular arithmetic. One of the main ingredients of public key
cryptography is that one should use an encryption function, f : Z/mZ → Z/mZ, which is
easy to compute (i.e., can be computed efficiently) but such that its inverse f −1 is practically
impossible to compute unless one has special additional information. Such functions are
usually referred to as trapdoor one-way functions. Remarkably, exponentiation modulo m,
that is, the function, x 7→ xe mod m, is a trapdoor one-way function for suitably chosen m
and e.
Thus, we claim the following.

(1) Computing xe mod m can be done efficiently .

(2) Finding x such that

xe ≡ y (mod m)
with 0 ≤ x, y ≤ m−1, is hard, unless one has extra information about m. The function
that finds an eth root modulo m is sometimes called a discrete logarithm.

We explain shortly how to compute xe mod m efficiently using the square and multiply
method also known as repeated squaring.
As to the second claim, actually, no proof has been given yet that this function is a
one-way function but, so far, this has not been refuted either.
8 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

Now, what’s the trick to make it a trapdoor function?

What we do is to pick two distinct large prime numbers, p and q (say over 200 decimal
digits), which are “sufficiently random” and we let

m = pq.

Next, we pick a random e, with 1 < e < (p − 1)(q − 1), relatively prime to
(p − 1)(q − 1).
Because gcd(e, (p − 1)(q − 1)) = 1, there is some d with 1 < d < (p − 1)(q − 1), such that
ed ≡ 1 (mod (p − 1)(q − 1)).
Then, we claim that to find x such that

xe ≡ y (mod m),

we simply compute y d mod m, and this can be done easily, as we claimed earlier. The reason
why the above “works” is that
xed ≡ x (mod m), (∗)
for all x ∈ Z, which we prove later.
Setting up RSA
In, summary to set up RSA for Albert (A) to receive encrypted messages, perform the
following steps.

1. Albert generates two distinct large and sufficiently random primes, pA and qA . They
are kept secret.
2. Albert computes mA = pA qA . This number called the modulus will be made public.
3. Albert picks at random some eA , with 1 < eA < (pA − 1)(qA − 1), so that
gcd(eA , (pA − 1)(qA − 1)) = 1. The number eA is called the encryption key and it will
also be public.
4. Albert computes the inverse, dA = e−1 A modulo mA , of eA . This number is kept secret.
The pair (dA , mA ) is Albert’s private key and dA is called the decryption key.
5. Albert publishes the pair (eA , mA ) as his public key.

Encrypting a Message
Now, if Julia wants to send a message, x, to Albert, she proceeds as follows. First, she splits
x into chunks, x1 , . . . , xk , each of length at most mA − 1, if necessary (again, I assume that
x has been converted to an integer in a preliminary step). Then she looks up Albert’s public
key (eA , mA ) and she computes

yi = EA (xi ) = xei A mod mA ,

1.1. PUBLIC KEY CRYPTOGRAPHY; THE RSA SYSTEM 9

for i = 1, . . . , k. Finally, she sends the sequence y1 , . . . , yk to Albert. This encrypted message
is known as the cyphertext. The function EA is Albert’s encryption function.
Decrypting a Message
In order to decrypt the message y1 , . . . , yk that Julia sent him, Albert uses his private key
(dA , mA ) to compute each
xi = DA (yi ) = yidA mod mA ,
and this yields the sequence x1 , . . . , xk . The function DA is Albert’s decryption function.
Similarly, in order for Julia to receive encrypted messages, she must set her own public
key (eJ , mJ ) and private key (dJ , mJ ) by picking two distinct primes pJ and qJ and eJ , as
explained earlier.
The beauty of the scheme is that the sender only needs to know the public key of the
recipient to send a message but an eavesdropper is unable to decrypt the encoded message
unless he somehow gets his hands on the secret key of the receiver.
Let us give a concrete illustration of the RSA scheme using an example borrowed from
Silverman [18] (Chapter 18). We write messages using only the 26 upper-case letters A, B,
. . . , Z, encoded as the integers A = 11, B = 12, . . . , Z = 36. It would be more convenient to
have assigned a number to represent a blank space but to keep things as simple as possible
we do not do that.
Say Albert picks the two primes pA = 12553 and qA = 13007, so that mA = pA qA =
163, 276, 871 and (pA − 1)(qA − 1) = 163, 251, 312. Albert also picks eA = 79921, relatively
prime to (pA − 1)(qA − 1) and then finds the inverse dA , of eA modulo (pA − 1)(qA − 1) using
the extended Euclidean algorithm (more details are given in Section 1.3) which turns out to
be dA = 145, 604, 785. One can check that

145, 604, 785 · 79921 − 71282 · 163, 251, 312 = 1,

which confirms that dA is indeed the inverse of eA modulo 163, 251, 312.
Now, assume that Albert receives the following message, broken in chunks of at most
nine digits, because mA = 163, 276, 871 has nine digits.

145387828 47164891 152020614 27279275 35356191.

Albert decrypts the above messages using his private key (dA , mA ), where dA = 145, 604, 785,
using the repeated squaring method (described in Section 1.3) and finds that

145387828145,604,785 ≡ 30182523 (mod 163, 276, 871)

47164891145,604,785 ≡ 26292524 (mod 163, 276, 871)
152020614145,604,785 ≡ 19291924 (mod 163, 276, 871)
27279275145,604,785 ≡ 30282531 (mod 163, 276, 871)
10 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

Figure 1.1: Pierre de Fermat, 1601–1665

35356191145,604,785 ≡ 122215 (mod 163, 276, 871)

which yields the message
30182523 26292524 19291924 30282531 122215,
and finally, translating each two-digit numeric code to its corresponding character, to the
message
THOMPSONISINTROUBLE
or, in more readable format
Thompson is in trouble

It would be instructive to encrypt the decoded message

30182523 26292524 19291924 30282531 122215
using the public key eA = 79921. If everything goes well, we should get our original message

145387828 47164891 152020614 27279275 35356191

back.
Let us now explain in more detail how the RSA system works and why it is correct.

1.2 Correctness of The RSA System

We begin by proving the correctness of the inversion formula (∗). For this, we need a classical
result known as Fermat’s little theorem.
This result was first stated by Fermat in 1640 but apparently no proof was published at
the time and the first known proof was given by Leibnitz (1646–1716). A different proof was
given by Ivory in 1806 and this is the proof that w give here. It has the advantage that it
can be easily generalized to Euler’s version (1760) of Fermat’s little theorem.
1.2. CORRECTNESS OF THE RSA SYSTEM 11

Theorem 1.2. (Fermat’s Little Theorem) If p is any prime number, then the following two
equivalent properties hold.
(1) For every integer, a ∈ Z, if a is not divisible by p, then we have

ap−1 ≡ 1 (mod p).

(2) For every integer, a ∈ Z, we have

ap ≡ a (mod p).

Proof. (1) Consider the integers

a, 2a, 3a, . . . , (p − 1)a

and let
r1 , r2 , r3 , . . . , rp−1
be the sequence of remainders of the division of the numbers in the first sequence by p.
Because gcd(a, p) = 1, none of the numbers in the first sequence is divisible by p, so 1 ≤
ri ≤ p − 1, for i = 1, . . . , p − 1. We claim that these remainders are all distinct. If not, then
say ri = rj , with 1 ≤ i < j ≤ p − 1. But then, because

ai ≡ ri (mod p)

and
aj ≡ rj (mod p),
we deduce that
aj − ai ≡ rj − ri (mod p),
and because ri = rj , we get,
a(j − i) ≡ 0 (mod p).
This means that p divides a(j − i), but gcd(a, p) = 1 so, by Euclid’s proposition, p must
divide j − i. However 1 ≤ j − i < p − 1, so we get a contradiction and the remainders are
indeed all distinct.
There are p − 1 distinct remainders and they are all nonzero, therefore we must have

{r1 , r2 , . . . , rp−1 } = {1, 2, . . . , p − 1}.

Using Property (3) of congruences (see Proposition 1.1), we get

a · 2a · 3a · · · (p − 1)a ≡ 1 · 2 · 3 · · · (p − 1) (mod p);

that is,
(ap−1 − 1) · (p − 1)! ≡ 0 (mod p).
12 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

Again, p divides (ap−1 − 1) · (p − 1)!, but because p is relatively prime to (p − 1)!, it must
divide ap−1 − 1, as claimed.
(2) If gcd(a, p) = 1, we proved in (1) that
ap−1 ≡ 1 (mod p),
from which we get
ap ≡ a (mod p),
because a ≡ a(modp). If a is divisible by p, then a ≡ 0(modp), which implies ap ≡ 0(modp),
and thus, that
ap ≡ a (mod p).
Therefore, (2) holds for all a ∈ Z and we just proved that (1) implies (2). Finally, if (2)
holds and if gcd(a, p) = 1, as p divides ap − a = a(ap−1 − 1), it must divide ap−1 − 1, which
shows that (1) holds and so, (2) implies (1).

It is now easy to establish the correctness of RSA.

Proposition 1.3. For any two distinct prime numbers p and q, if e and d are any two
positive integers such that
1. 1 < e, d < (p − 1)(q − 1),
2. ed ≡ 1 (mod (p − 1)(q − 1)),
then for every x ∈ Z we have
xed ≡ x (mod pq).

Proof. Because p and q are two distinct prime numbers, by Euclid’s proposition it is enough
to prove that both p and q divide xed − x. We show that xed − x is divisible by p, the proof
of divisibility by q being similar.
By condition (2), we have
ed = 1 + (p − 1)(q − 1)k,
with k ≥ 1, inasmuch as 1 < e, d < (p − 1)(q − 1). Thus, if we write h = (q − 1)k, we have
h ≥ 1 and
xed − x ≡ x1+(p−1)h − x (mod p)
≡ x((xp−1 )h − 1) (mod p)
≡ x(xp−1 − 1)((xp−1 )h−1 + (xp−1 )h−2 + · · · + 1) (mod p)
≡ (xp − x)((xp−1 )h−1 + (xp−1 )h−2 + · · · + 1) (mod p)
≡ 0 (mod p),
because xp − x ≡ 0 (mod p), by Fermat’s little theorem.
1.3. ALGORITHMS FOR COMPUTING POWERS AND INVERSES MODULO M 13

Remark: Of course, Proposition 1.3 holds if we allow e = d = 1, but this not interesting for
encryption. The number (p − 1)(q − 1) turns out to be the number of positive integers less
than pq that are relatively prime to pq. For any arbitrary positive integer, m, the number of
positive integers less than m that are relatively prime to m is given by the Euler φ function
(or Euler totient), denoted φ (see Niven, Zuckerman, and Montgomery [14], Section 2.1, for
basic properties of φ).
Fermat’s little theorem can be generalized to what is known as Euler’s formula: For
every integer a, if gcd(a, m) = 1, then

aφ(m) ≡ 1 (mod m).

Because φ(pq) = (p − 1)(q − 1), when gcd(x, φ(pq)) = 1, Proposition 1.3 follows from
Euler’s formula. However, that argument does not show that Proposition 1.3 holds when
gcd(x, φ(pq)) > 1 and a special argument is required in this case.
It can be shown that if we replace pq by a positive integer m that is square-free (does not
contain a square factor) and if we assume that e and d are chosen so that 1 < e, d < φ(m)
and ed ≡ 1 (mod φ(m)), then
xed ≡ x (mod m)
for all x ∈ Z (see Niven, Zuckerman, and Montgomery [14], Section 2.5, Problem 4).
We see no great advantage in using this fancier argument and this is why we used the
more elementary proof based on Fermat’s little theorem.
Proposition 1.3 immediately implies that the decrypting and encrypting RSA functions
DA and EA are mutual inverses for any A. Furthermore, EA is easy to compute but, without
extra information, namely, the trapdoor dA , it is practically impossible to compute DA =
EA−1 . That DA is hard to compute without a trapdoor is related to the fact that factoring
a large number, such as mA , into its factors pA and qA is hard. Today, it is practically
impossible to factor numbers over 300 decimal digits long. Although no proof has been
given so far, it is believed that factoring will remain a hard problem. So, even if in the next
few years it becomes possible to factor 300-digit numbers, it will still be impossible to factor
400-digit numbers. RSA has the peculiar property that it depends both on the fact that
primality testing is easy but that factoring is hard. What a stroke of genius!

1.3 Algorithms for Computing Powers and Inverses

Modulo m
First, we explain how to compute xn mod m efficiently, where n ≥ 1. Let us first consider
computing the nth power xn of some positive integer. The idea is to look at the parity of n
and to proceed recursively. If n is even, say n = 2k, then

xn = x2k = (xk )2 ,
14 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

so, compute xk recursively and then square the result. If n is odd, say n = 2k + 1, then
xn = x2k+1 = (xk )2 · x,
so, compute xk recursively, square it, and multiply the result by x.
What this suggests is to write n ≥ 1 in binary, say
n = b` · 2` + b`−1 · 2`−1 + · · · + b1 · 21 + b0 ,
where bi ∈ {0, 1} with b` = 1 or, if we let J = {j | bj = 1}, as
X
n= 2j .
j∈J

Then we have
2j j
P Y
xn ≡ x j∈J = x2 mod m.
j∈J

This suggests computing the residues rj such that

j
x2 ≡ rj (mod m),
because then, Y
xn ≡ rj (mod m),
j∈J

where we can compute this latter product modulo m two terms at a time.
For example, say we want to compute 999179 mod 1763. First, we observe that
179 = 27 + 25 + 24 + 21 + 1,
and we compute the powers modulo 1763:
1
9992 ≡ 143 (mod 1763)
2
9992 ≡ 1432 ≡ 1056 (mod 1763)
3
9992 ≡ 10562 ≡ 920 (mod 1763)
4
9992 ≡ 9202 ≡ 160 (mod 1763)
5
9992 ≡ 1602 ≡ 918 (mod 1763)
6
9992 ≡ 9182 ≡ 10 (mod 1763)
7
9992 ≡ 102 ≡ 100 (mod 1763).
Consequently,
999179 ≡ 999 · 143 · 160 · 918 · 100 (mod 1763)
≡ 54 · 160 · 918 · 100 (mod 1763)
1.3. ALGORITHMS FOR COMPUTING POWERS AND INVERSES MODULO M 15

≡ 1588 · 918 · 100 (mod 1763)

≡ 1546 · 100 (mod 1763)
≡ 1219 (mod 1763),
and we find that
999179 ≡ 1219 (mod 1763).
Of course, it would be impossible to exponentiate 999179 first and then reduce modulo 1763.
As we can see, the number of multiplications needed is O(log2 n), which is quite good.
The above method can be implemented without actually converting n to base 2. If n is
even, say n = 2k, then n/2 = k and if n is odd, say n = 2k + 1, then (n − 1)/2 = k, so we
have a way of dropping the unit digit in the binary expansion of n and shifting the remaining
digits one place to the right without explicitly computing this binary expansion. Here is an
algorithm for computing xn mod m, with n ≥ 1, using the repeated squaring method.
An Algorithm to Compute xn mod m Using Repeated Squaring

begin
u := 1; a := x;
while n > 1 do
if even(n) then e := 0 else e := 1;
if e = 1 then u := a · u mod m;
a := a2 mod m; n := (n − e)/2
endwhile;
u := a · u mod m
end

The final value of u is the result. The reason why the algorithm is correct is that after j
j
rounds through the while loop, a = x2 mod m and
i
Y
u= x2 mod m,
i∈J | i<j

with this product interpreted as 1 when j = 0.

Observe that the while loop is only executed n − 1 times to avoid squaring once more
unnecessarily and the last multiplication a · u is performed outside of the while loop. Also, if
we delete the reductions modulo m, the above algorithm is a fast method for computing the
nth power of an integer x and the time speed-up of not performing the last squaring step is
more significant. We leave the details of the proof that the above algorithm is correct as an
exercise.
Let us now consider the problem of computing efficiently the inverse of an integer a,
modulo m, provided that gcd(a, m) = 1. Full details are given in Gallier [6], Chapter 5.
16 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

The extended Euclidean algorithm can be used to find some integers x, y, such that

ax + by = gcd(a, b),

where a and b are any two positive integers. In our situation, a = m and b = a and we only
need to find y (we would like a positive integer).
When using the Euclidean algorithm for computing gcd(m, a), with 2 ≤ a < m, we
compute the following sequence of quotients and remainders.

m = aq1 + r1
a = r1 q 2 + r2
r1 = r2 q 3 + r3
..
.
rk−1 = rk qk+1 + rk+1
..
.
rn−3 = rn−2 qn−1 + rn−1
rn−2 = rn−1 qn + 0,

with n ≥ 3, 0 < r1 < b, qk ≥ 1, for k = 1, . . . , n, and 0 < rk+1 < rk , for k = 1, . . . , n − 2.

Observe that rn = 0. If n = 2, we have just two divisions,

m = aq1 + r1
a = r1 q2 + 0,

with 0 < r1 < b, q1 , q2 ≥ 1, and r2 = 0. Thus, it is convenient to set r−1 = m and r0 = a.

It can be shown (Gallier [6], Chapter 5) that if we set

x−1 = 1
y−1 = 0
x0 = 0
y0 = 1
xi+1 = xi−1 − xi qi+1
yi+1 = yi−1 − yi qi+1 ,

for i = 0, . . . , n − 2, then

mxn−1 + ayn−1 = gcd(m, a) = rn−1 ,

and so, if gcd(m, a) = 1, then rn−1 = 1 and we have

ayn−1 ≡ 1 (mod m).

1.3. ALGORITHMS FOR COMPUTING POWERS AND INVERSES MODULO M 17

Now, yn−1 may be greater than m or negative but we already know how to deal with that.
This suggests reducing modulo m during the recurrence and we are led to the following
recurrence.

y−1 = 0
y0 = 1
zi+1 = yi−1 − yi qi+1
yi+1 = zi+1 mod m if zi+1 ≥ 0
yi+1 = m − ((−zi+1 ) mod m) if zi+1 < 0,

for i = 0, . . . , n − 2.
It is easy to prove by induction that

ayi ≡ ri (mod m)

for i = 0, . . . , n − 1 and thus, if gcd(a, m) > 1, then a does not have an inverse modulo m,
else
ayn−1 ≡ 1 (mod m)
and yn−1 is the inverse of a modulo m such that 1 ≤ yn−1 < m, as desired. Note that we
also get y0 = 1 when a = 1.
We leave this proof as an exercise. Here is an algorithm.
An Algorithm for Computing the Inverse of a Modulo m
Given any natural number a with 1 ≤ a < m and gcd(a, m) = 1, the following algorithm
returns the inverse of a modulo m as y.

begin
y := 0; v := 1; g := m; r := a;
pr := r; q := bg/prc; r := g − pr q; (divide g by pr, to get g = pr q + r)
if r = 0 then
y := 1; g := pr
else
r = pr;
while r 6= 0 do
pr := r; pv := v;
q := bg/prc; r := g − pr q; (divide g by pr, to get g = pr q + r)
v := y − pv q;
if v < 0 then
v := m − ((−v) mod m)
else
18 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

v = v mod m
endif
g := pr; y := pv
endwhile;
endif;
inverse(a) := y
end

For example, we used the above algorithm to find that dA = 145, 604, 785 is the inverse
of eA = 79921 modulo (pA − 1)(qA − 1) = 163, 251, 312.
The remaining issues are how to choose large random prime numbers p, q, and how to
find a random number e, which is relatively prime to (p − 1)(q − 1). For this, we rely on a
deep result of number theory known as the prime number theorem.

1.4 Finding Large Primes; Signatures; Safety of RSA

Roughly speaking, the prime number theorem ensures that the density of primes is high
enough to guarantee that there are many primes with a large specified number of digits.
The relevant function is the prime counting function π(n).
Definition 1.1. The prime counting function π is the function defined so that

π(n) = number of prime numbers p, such that p ≤ n,

for every natural number n ∈ N.

Obviously, π(0) = π(1) = 0. We have π(10) = 4 because the primes no greater than 10
are 2, 3, 5, 7 and π(20) = 8 because the primes no greater than 20 are 2, 3, 5, 7, 11, 13, 17, 19.
The growth of the function π was studied by Legendre, Gauss, Chebyshev, and Riemann
between 1808 and 1859. By then, it was conjectured that
n
π(n) ∼ ,
ln(n)
for n large, which means that 
n
lim π(n) = 1.
n7→∞ ln(n)
However, a rigorous proof was not found until 1896. Indeed, in 1896, Jacques Hadamard
and Charles de la Vallée-Poussin independendly gave a proof of this “most wanted theorem,”
using methods from complex analysis. These proofs are difficult and although more elemen-
tary proofs were given later, in particular by Erdös and Selberg (1949), those proofs are still
quite hard. Thus, we content ourselves with a statement of the theorem.
1.4. FINDING LARGE PRIMES; SIGNATURES; SAFETY OF RSA 19

Figure 1.2: Pafnuty Lvovich Chebyshev, 1821–1894 (left), Jacques Salomon Hadamard,
1865–1963 (middle), and Charles Jean de la Vallée Poussin, 1866–1962 (right)

Figure 1.3: Paul Erdös, 1913–1996 (left), Atle Selberg, 1917–2007 (right)

Theorem 1.4. (Prime Number Theorem) For n large, the number of primes π(n) no larger
than n is approximately equal to n/ ln(n), which means that

n
lim π(n) = 1.
n7→∞ ln(n)

For a rather detailed account of the history of the prime number theorem (for short,
PNT ), we refer the reader to Ribenboim [15] (Chapter 4).
As an illustration of the use of the PNT, we can estimate the number of primes with 200
decimal digits. Indeed this is the difference of the number of primes up to 10200 minus the
number of primes up to 10199 , which is approximately

10200 10199
− ≈ 1.95 · 10197 .
200 ln 10 199 ln 10
Thus, we see that there is a huge number of primes with 200 decimal digits. The number of
natural numbers with 200 digits is 10200 − 10199 = 9 · 10199 , thus the proportion of 200-digit
numbers that are prime is
1.95 · 10197 1
199
≈ .
9 · 10 460
Consequently, among the natural numbers with 200 digits, roughly one in every 460 is a
prime.
 20 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

 Beware that the above argument is not entirely rigorous because the prime number
theorem only yields an approximation of π(n) but sharper estimates can be used to say
how large n should be to guarantee a prescribed error on the probability, say 1%.

The implication of the above fact is that if we wish to find a random prime with 200
digits, we pick at random some natural number with 200 digits and test whether it is prime.
If this number is not prime, then we discard it and try again, and so on. On the average,
after 460 trials, a prime should pop up,
This leads us the question: How do we test for primality?
Primality testing has also been studied for a long time. Remarkably, Fermat’s little
theorem yields a test for nonprimality. Indeed, if p > 1 fails to divide ap−1 − 1 for some
natural number a, where 2 ≤ a ≤ p − 1, then p cannot be a prime. The simplest a to try
is a = 2. From a practical point of view, we can compute ap−1 mod p using the method of
repeated squaring and check whether the remainder is 1.
But what if p fails the Fermat test? Unfortunately, there are natural numbers p, such
that p divides 2p−1 − 1 and yet, p is composite. For example p = 341 = 11 · 31 is such a
number.
Actually, 2340 being quite big, how do we check that 2340 − 1 is divisible by 341?
We just have to show that 2340 − 1 is divisible by 11 and by 31. We can use Fermat’s
little theorem. Because 11 is prime, we know that 11 divides 210 − 1. But,

2340 − 1 = (210 )34 − 1 = (210 − 1)((210 )33 + (210 )32 + · · · + 1),

so 2340 − 1 is also divisible by 11.

As to divisibility by 31, observe that 31 = 25 − 1, and

2340 − 1 = (25 )68 − 1 = (25 − 1)((25 )67 + (25 )66 + · · · + 1),

so 2340 − 1 is also divisible by 31.

A number p that is not a prime but behaves like a prime in the sense that p divides
2p−1 − 1, is called a pseudo-prime. Unfortunately, the Fermat test gives a “false positive”
for pseudo-primes.
Rather than simply testing whether 2p−1 − 1 is divisible by p, we can also try whether
3p−1 − 1 is divisible by p and whether 5p−1 − 1 is divisible by p, and so on.
Unfortunately, there are composite natural numbers p, such that p divides ap−1 − 1, for
all positive natural numbers a with gcd(a, p) = 1. Such numbers are known as Carmichael
numbers. The smallest Carmichael number is p = 561 = 3 · 11 · 17. The reader should try
proving that, in fact, a560 − 1 is divisible by 561 for every positive natural number a, such
that gcd(a, 561) = 1, using the technique that we used to prove that 341 divides 2340 − 1.
1.4. FINDING LARGE PRIMES; SIGNATURES; SAFETY OF RSA 21

Figure 1.4: Robert Daniel Carmichael, 1879–1967

It turns out that there are infinitely many Carmichael numbers. Again, for a thorough
introduction to primality testing, pseudo-primes, Carmichael numbers, and more, we highly
recommend Ribenboim [15] (Chapter 2). An excellent (but more terse) account is also given
in Koblitz [9] (Chapter V).
Still, what do we do about the problem of false positives? The key is to switch to
probabilistic methods. Indeed, if we can design a method that is guaranteed to give a false
positive with probablity less than 0.5, then we can repeat this test for randomly chosen
as and reduce the probability of false positive considerably. For example, if we repeat the
experiment 100 times, the probability of false positive is less than 2−100 < 10−30 . This is
probably less than the probability of hardware failure.
Various probabilistic methods for primality testing have been designed. One of them is the
Miller–Rabin test, another the APR test, and yet another the Solovay–Strassen test. Since
2002, it has been known that primality testing can be done in polynomial time. This result
is due to Agrawal, Kayal, and Saxena and known as the AKS test solved a long-standing
problem; see Dietzfelbinger [4] and Crandall and Pomerance [3] (Chapter 4). Remarkably,
Agrawal and Kayal worked on this problem for their senior project in order to complete their
bachelor’s degree. It remains to be seen whether this test is really practical for very large
numbers.
A very important point to make is that these primality testing methods do not provide a
factorization of m when m is composite. This is actually a crucial ingredient for the security
of the RSA scheme. So far, it appears (and it is hoped) that factoring an integer is a much
harder problem than testing for primality and all known methods are incapable of factoring
natural numbers with over 300 decimal digits (it would take centuries).
For a comprehensive exposition of the subject of primality-testing, we refer the reader to
Crandall and Pomerance [3] (Chapters 3 and 4) and again, to Ribenboim [15] (Chapter 2)
and Koblitz [9] (Chapter V). We give a thorough presentation of the Miller–Rabin and the
Solovay–Strassen tests in Chapters 4 and 5 (with complete proofs).
Going back to the RSA method, we now have ways of finding the large random primes
p and q by picking at random some 200-digit numbers and testing for primality. Rivest,
Shamir, and Adleman also recommend to pick p and q so that they differ by a few decimal
22 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY

digits, that both p − 1 and q − 1 should contain large prime factors and that gcd(p − 1, q − 1)
should be small. The public key, e, relatively prime to (p − 1)(q − 1) can also be found
by a similar method: Pick at random a number, e < (p − 1)(q − 1), which is large enough
(say, greater than max{p, q}) and test whether gcd(e, (p − 1)(q − 1)) = 1, which can be done
quickly using the extended Euclidean algorithm. If not, discard e and try another number,
and so on. It is easy to see that such an e will be found in no more trials than it takes to
find a prime; see Lovász, Pelikán, and Vesztergombi [12] (Chapter 15), which contains one
of the simplest and clearest presentations of RSA that we know of. Koblitz [9] (Chapter IV)
also provides some details on this topic as well as Menezes, van Oorschot, and Vanstone’s
Handbook [13].
If Albert receives a message coming from Julia, how can he be sure that this message
does not come from an imposter? Just because the message is signed “Julia” does not mean
that it comes from Julia; it could have been sent by someone else pretending to be Julia,
inasmuch as all that is needed to send a message to Albert is Albert’s public key, which is
known to everybody. This leads us to the issue of signatures.
There are various schemes for adding a signature to an encrypted message to ensure that
the sender of a message is really who he or she claims to be (with a high degree of confidence).
The trick is to make use of the the sender’s keys. We propose two scenarios.
1. The sender, Julia, encrypts the message x to be sent with her own private key, (dJ , mJ ),
creating the message DJ (x) = y1 . Then, Julia adds her signature, “Julia”, at the end
of the message y1 , encrypts the message “y1 Julia” using Albert’s public key, (eA , mA ),
creating the message y2 = EA (y1 Julia), and finally sends the message y2 to Albert.

When Albert receives the encrypted message y2 claiming to come from Julia, first he
decrypts the message using his private key (dA , mA ). He will see an encrypted message,
DA (y2 ) = y1 Julia, with the legible signature, Julia. He will then delete the signature
from this message and decrypt the message y1 using Julia’s public key (eJ , mJ ), getting
x = EJ (y1 ). Albert will know whether someone else faked this message if the result
is garbage. Indeed, only Julia could have encrypted the original message x with her
private key, which is only known to her. An eavesdropper who is pretending to be
Julia would not know Julia’s private key and so, would not have encrypted the original
message to be sent using Julia’s secret key.

2. The sender, Julia, first adds her signature, “Julia”, to the message x to be sent and
then, she encrypts the message “x Julia” with Albert’s public key (eA , mA ), creating
the message y1 = EA (x Julia). Julia also encrypts the original message x using her
private key (dJ , mJ ) creating the message y2 = DJ (x), and finally she sends the pair
of messages (y1 , y2 ).

When Albert receives a pair of messages (y1 , y2 ), claiming to have been sent by Julia,
first Albert decrypts y1 using his private key (dA , mA ), getting the message DA (y1 ) =
x Julia. Albert finds the signature, Julia, and then decrypts y2 using Julia’s public key
1.4. FINDING LARGE PRIMES; SIGNATURES; SAFETY OF RSA 23

(eJ , mJ ), getting the message x0 = EJ (y2 ). If x = x0 , then Albert has serious assurance
that the sender is indeed Julia and not an imposter.

The last topic that we would like to discuss is the security of the RSA scheme. This is a
difficult issue and many researchers have worked on it. As we remarked earlier, the security
of RSA hinges on the fact that factoring is hard. It has been shown that if one has a method
for breaking the RSA scheme (namely, to find the secret key d), then there is a probabilistic
method for finding the factors p and q, of m = pq (see Koblitz [9], Chapter IV, Section 2,
or Menezes, van Oorschot, and Vanstone [13], Section 8.2.2). If p and q are chosen to be
large enough, factoring m = pq will be practically impossible and so it is unlikely that RSA
can be cracked. However, there may be other attacks and, at present, there is no proof that
RSA is fully secure.
Observe that because m = pq is known to everybody, if somehow one can learn N =
(p − 1)(q − 1), then p and q can be recovered. Indeed N = (p − 1)(q − 1) = pq − (p + q) + 1 =
m − (p + q) + 1 and so,

pq = m
p + q = m − N + 1,

and p and q are the roots of the quadratic equation

X 2 − (m − N + 1)X + m = 0.

Thus, a line of attack is to try to find the value of (p − 1)(q − 1). For more on the security
of RSA, see Menezes, van Oorschot, and Vanstone’s Handbook [13].
24 CHAPTER 1. PUBLIC KEY CRYPTOGRAPHY
Chapter 2

Primality Testing Using Randomized

Algorithms; Introduction

In article 329 of his famous Disquisitiones Arithmeticae [7] (published in 1801, when he was
24 years old), C.F. Gauss writes (in Latin!):

“The problem of distinguishing prime numbers from composite numbers and

resolving the latter into their prime factors is known to be one of the most
important and useful in arithmetic. It has engaged the industry and wisdom of
ancient and moderm geometers to such an extent that it would be superfluous to
discuss the problem at length. Nevertherless we must confess that all methods
that have been proposed thus far are either restricted to very special cases or are
so laborious and difficult that even for numbers that do not exceed the limits of
tables constructed by estimable men, they try the patience of even the practiced
calculator. And these methods do not apply at all to larger numbers ... The
techniques that were previously known would require intolerable labor even for
the most indefatigable calculator.”

The problem of determining whether a given integer is prime is one of the better known
and most easily understood problems of pure mathematics. This problem has caught the
interest of mathematicians again and again for centuries. However, it was not until the 20th
century that questions about primality testing and factoring were recognized as problems
of practical importance, and a central part of applied mathematics. The advent of cryp-
tographic systems that use large primes, such as RSA, was the main driving force for the
development of fast and reliable methods for primality testing. Indeed, as we saw in ear-
lier sections of these notes, in order to create RSA keys, one needs to produce large prime
numbers. How do we do that?
One method is to produce a random string of digits (say of 200 digits), and then to
test whether this number is prime or not. As we explained earlier, by the Prime Number
Theorem, among the natural numbers with 200 digits, roughly one in every 460 is a prime.
Thus, it should take at most 460 trials (picking at random some natural number with 200

25
26 CHAPTER 2. PRIMALITY TESTING USING RANDOMIZED ALGORITHMS

digits) before a prime shows up. Note that we need a mechanism to generate random
numbers, an interesting and tricky problem, but for now, we postpone discussing random
number generation.
It remains to find methods for testing an integer for primality, and perhaps for factoring
composite numbers.
In 1903, at the meeting of the American Mathematical Society, F.N. Cole came to the
blackboard and, without saying a word, wrote down

267 − 1 = 147573952589676412927 = 193707721 × 761838257287,

and then used long multiplication to multiply the two numbers on the right-hand side to
prove that he was indeed correct. Afterwards, he said that figuring this out had taken him
“three years of Sundays.” Too bad laptops did not exist in 1903.
The moral of this tale is that checking that a number is composite can be done quickly
(that is, in polynomial time), but finding a factorization is hard. In general, it requires an
exhaustive search. Another important observation is that most efficient tests for composite-
ness do not produce a factorization. For example, Lucas had already shown that 267 − 1 is
composite, but without finding a factor.
In fact, although this has not been proved, factoring appears to be a much harder problem
than primality testing, which is a good thing since the safety of many cryptographic systems
depends on the assumption that factoring is hard!
Most algorithms for testing whether an integer n is prime actually test for compositeness.
This is because tests for compositeness usually try to find a counterexample to some property,
say A, implied by primality. If such a counterexample can be guessed, then it is cheap to
check that property A fails, and then we know for sure that n is composite. We also have a
witness (or certificate) that n is composite. If the algorithm fails to show that n is composite,
does this imply that n is prime? Unfortunately, no. This is because, in general, the algorithm
has not tested all potential countexamples. So, how do we fix the algorithm?
One possibility is to try systematically all potential countexamples. If the algorithm fails
on all counterexamples, then the number n has to be prime. The problem with this approach
is that the number of counterexamples is generally too big, and this method is not practical.
Another approach is to use a randomized algorithm. Typically, a counterexample is some
number a randomly chosen from the set {2, . . . , n − 2}. If the algorithm fails to report that
n is composite, we can call it again several times, each time picking (independently from
previous trials) another random number a. If the algorithm ever reports that a is a witness
to the fact that n is a composite during one of these trials, then for sure n is a composite.
But what if we call the algoritm say 20 times, and every time it fails to declare that n is a
composite. Can we be sure that n is a prime?
Not necessarily, but if the probability that the algorithm fails to report that n is composite
is small enough, say less than 1/2, then it can be shown that the conditional probability
 27

that n is composite, given that the algorithm fails to declare 20 times that n is composite,
is less than ln(n) · (1/2)20 (see Section 4.3).
Therefore, by running the algorithm repeatedly with independent random choices each
time, we can make the probability that the algorithm gives the wrong answer arbitrarily
small. Such a randomized algorithm is called a Monte Carlo algorithm.
Several randomized algorithms for primality testing have been designed, including the
Miller–Rabin and the Solovay–Strassen tests, to be discussed in Chapters 4 and 5. Then,
in the summer of 2002, a paper with the title “PRIMES is in P,” by Agrawal, Kayal and
Saxena, appeared on the website of the Indian Institute of Technology at Kanpur, India.
In this paper, it was shown that testing for primality has a deterministic (nonrandomized)
algorithm that runs in polynomial time. Finally, the long-standing open problem of “deciding
whether primality testing is in P” was settled in this amazing paper, by an algorithm usually
referred to as the AKS algorithm. We will not discuss this algorithm in these notes (but,
perhaps in another set of notes ...).
28 CHAPTER 2. PRIMALITY TESTING USING RANDOMIZED ALGORITHMS
Chapter 3

Basic Facts About Groups, Rings,

Fields, and Number Theory

3.1 Groups, Subgroups, Cosets

Definition 3.1. A group is a set G equipped with a binary operation · : G × G → G that
associates an element a · b ∈ G to every pair of elements a, b ∈ G, and having the following
properties: · is associative, has an identity element e ∈ G, and every element in G is invertible
(w.r.t. ·). More explicitly, this means that the following equations hold for all a, b, c ∈ G:
(G1) a · (b · c) = (a · b) · c. (associativity);
(G2) a · e = e · a = a. (identity);
(G3) For every a ∈ G, there is some a−1 ∈ G such that a · a−1 = a−1 · a = e. (inverse).
A group G is abelian (or commutative) if

a · b = b · a for all a, b ∈ G.

A set M together with an operation · : M × M → M and an element e satisfying only

conditions (G1) and (G2) is called a monoid . For example, the set N = {0, 1, . . . , n, . . .} of
natural numbers is a (commutative) monoid under addition. However, it is not a group.
Some examples of groups are given below.
Example 3.1.
1. The set Z = {. . . , −n, . . . , −1, 0, 1, . . . , n, . . .} of integers is a group under addition,
with identity element 0. However, Z∗ = Z − {0} is not a group under multiplication.
2. The set Q of rational numbers (fractions p/q with p, q ∈ Z and q 6= 0) is a group
under addition, with identity element 0. The set Q∗ = Q − {0} is also a group under
multiplication, with identity element 1.

29
30 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

3. Given any nonempty set S, the set of bijections f : S → S, also called permutations
of S, is a group under function composition (i.e., the multiplication of f and g is the
composition g ◦ f ), with identity element the identity function idS . This group is not
abelian as soon as S has more than two elements.
4. The set of n × n invertible matrices with real (or complex) coefficients is a group under
matrix multiplication, with identity element the identity matrix In . This group is
called the general linear group and is usually denoted by GL(n, R) (or GL(n, C)).

It is customary to denote the operation of an abelian group G by +, in which case the

inverse a−1 of an element a ∈ G is denoted by −a.
The identity element of a group is unique. In fact, we can prove a more general fact:
Fact 1. If a binary operation · : M × M → M is associative and if e0 ∈ M is a left identity
and e00 ∈ M is a right identity, which means that

e0 · a = a for all a ∈ M (G2l)

and
a · e00 = a for all a ∈ M, (G2r)
then e0 = e00 .
Proof. If we let a = e00 in equation (G2l), we get

e0 · e00 = e00 ,

and if we let a = e0 in equation (G2r), we get

e0 · e00 = e0 ,

and thus
e0 = e0 · e00 = e00 ,
as claimed.

Fact 1 implies that the identity element of a monoid is unique, and since every group is
a monoid, the identity element of a group is unique. Furthermore, every element in a group
has a unique inverse. This is a consequence of a slightly more general fact:
Fact 2. In a monoid M with identity element e, if some element a ∈ M has some left inverse
a0 ∈ M and some right inverse a00 ∈ M , which means that

a0 · a = e (G3l)

and
a · a00 = e, (G3r)
then a0 = a00 .
3.1. GROUPS, SUBGROUPS, COSETS 31

Proof. Using (G3l) and the fact that e is an identity element, we have

(a0 · a) · a00 = e · a00 = a00 .

Similarly, Using (G3r) and the fact that e is an identity element, we have

a0 · (a · a00 ) = a0 · e = a0 .

However, since M is monoid, the operation · is associative, so

a0 = a0 · (a · a00 ) = (a0 · a) · a00 = a00 ,

as claimed.

Remark: Axioms (G2) and (G3) can be weakened a bit by requiring only (G2r) (the exis-
tence of a right identity) and (G3r) (the existence of a right inverse for every element) (or
(G2l) and (G3l)). It is a good exercise to prove that the group axioms (G2) and (G3) follow
from (G2r) and (G3r).
If a group G has a finite number n of elements, we say that G is a group of order n. If
G is infinite, we say that G has infinite order . The order of a group is usually denoted by
|G| (if G is finite).
Given a group G, for any two subsets R, S ⊆ G, we let

RS = {r · s | r ∈ R, s ∈ S}.

In particular, for any g ∈ G, if R = {g}, we write

gS = {g · s | s ∈ S},

and similarly, if S = {g}, we write

Rg = {r · g | r ∈ R}.

From now on, we will drop the multiplication sign and write g1 g2 for g1 · g2 .
For any g ∈ G, define Lg , the left translation by g, by Lg (a) = ga, for all a ∈ G, and
Rg , the right translation by g, by Rg (a) = ag, for all a ∈ G. Observe that Lg and Rg are
bijections. We show this for Lg , the proof for Rg being similar.
If Lg (a) = Lg (b), then ga = gb, and multiplying on the left by g −1 , we get a = b, so Lg
injective. For any b ∈ G, we have Lg (g −1 b) = gg −1 b = b, so Lg is surjective. Therefore, Lg
is bijective.
Definition 3.2. Given a group G, a subset H of G is a subgroup of G iff
(1) The identity element e of G also belongs to H (e ∈ H);
32 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

(2) For all h1 , h2 ∈ H, we have h1 h2 ∈ H;

(3) For all h ∈ H, we have h−1 ∈ H.

The proof of the following proposition is left as an exercise.

Proposition 3.1. Given a group G, a subset H ⊆ G is a subgroup of G iff H is nonempty

and whenever h1 , h2 ∈ H, then h1 h−1
2 ∈ H.

If the group G is finite, then the following criterion can be used.

Proposition 3.2. Given a finite group G, a subset H ⊆ G is a subgroup of G iff

(1) e ∈ H;

(2) H is closed under multiplication.

Proof. We just have to prove that condition (3) of Definition 3.2 holds. For any a ∈ H, since
the left translation La is bijective, its restriction to H is injective, and since H is finite, it is
also bijective. Since e ∈ H, there is a unique b ∈ H such that La (b) = ab = e. However, if
a−1 is the inverse of a in G, we also have La (a−1 ) = aa−1 = e, and by injectivity of La , we
have a−1 = b ∈ H.

Definition 3.3. If H is a subgroup of G and g ∈ G is any element, the sets of the form gH
are called left cosets of H in G and the sets of the form Hg are called right cosets of H in
G.

The left cosets (resp. right cosets) of H induce an equivalence relation ∼ defined as
follows: For all g1 , g2 ∈ G,
g1 ∼ g2 iff g1 H = g2 H
(resp. g1 ∼ g2 iff Hg1 = Hg2 ). Obviously, ∼ is an equivalence relation.
Now, we claim that g1 H = g2 H iff g2−1 g1 H = H iff g2−1 g1 ∈ H.

Proof. If we apply the bijection Lg2−1 to both g1 H and g2 H we get Lg2−1 (g1 H) = g2−1 g1 H
and Lg2−1 (g2 H) = H, so g1 H = g2 H iff g2−1 g1 H = H. If g2−1 g1 H = H, since 1 ∈ H, we get
g2−1 g1 ∈ H. Conversely, if g2−1 g1 ∈ H, since H is a group, the left translation Lg2−1 g1 is a
bijection of H, so g2−1 g1 H = H. Thus, g2−1 g1 H = H iff g2−1 g1 ∈ H.

It follows that the equivalence class of an element g ∈ G is the coset gH (resp. Hg).
Since Lg is a bijection between H and gH, the cosets gH all have the same cardinality. The
map Lg−1 ◦ Rg is a bijection between the left coset gH and the right coset Hg, so they also
have the same cardinality. Since the distinct cosets gH form a partition of G, we obtain the
following fact:
3.1. GROUPS, SUBGROUPS, COSETS 33

Proposition 3.3. (Lagrange) For any finite group G and any subgroup H of G, the order
h of H divides the order n of G.

The ratio n/h is denoted by (G : H) and is called the index of H in G. The index (G : H)
is the number of left (and right) cosets of H in G. Proposition 3.3 can be stated as

|G| = (G : H)|H|.

The set of left cosets of H in G (which, in general, is not a group) is denoted G/H.
The “points” of G/H are obtained by “collapsing” all the elements in a coset into a single
element.
It is tempting to define a multiplication operation on left cosets (or right cosets) by
setting
(g1 H)(g2 H) = (g1 g2 )H,
but this operation is not well defined in general, unless the subgroup H possesses a special
property. This property is typical of the kernels of group homomorphisms, so we are led to

Definition 3.4. Given any two groups G and G0 , a function ϕ : G → G0 is a homomorphism

iff
ϕ(g1 g2 ) = ϕ(g1 )ϕ(g2 ), for all g1 , g2 ∈ G.

Taking g1 = g2 = e (in G), we see that

ϕ(e) = e0 ,

and taking g1 = g and g2 = g −1 , we see that

ϕ(g −1 ) = ϕ(g)−1 .

If ϕ : G → G0 and ψ : G0 → G00 are group homomorphisms, then ψ ◦ ϕ : G → G00 is also a

homomorphism. If ϕ : G → G0 is a homomorphism of groups, and H ⊆ G, H 0 ⊆ G0 are two
subgroups, then it is easily checked that

Im H = ϕ(H) = {ϕ(g) | g ∈ H}

is a subgroup of G0 called the image of H by ϕ, and

ϕ−1 (H 0 ) = {g ∈ G | ϕ(g) ∈ H 0 }

is a subgroup of G. In particular, when H 0 = {e0 }, we obtain the kernel Ker ϕ of ϕ. Thus,

Ker ϕ = {g ∈ G | ϕ(g) = e0 }.
34 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

It is immediately verified that ϕ : G → G0 is injective iff Ker ϕ = {e}. (We also write
Ker ϕ = (0).) We say that ϕ is an isomorphism if there is a homomorphism ψ : G0 → G, so
that
ψ ◦ ϕ = idG and ϕ ◦ ψ = idG0 .
In this case, ψ is unique and it is denoted ϕ−1 . When ϕ is an isomorphism we say the the
groups G and G0 are isomorphic. It is easy to see that a bijective homomorphism is an
isomorphism. When G0 = G, a group isomorphism is called an automorphism. The left
translations Lg and the right translations Rg are automorphisms of G.
We claim that H = Ker ϕ satisfies the following property:

gH = Hg, for all g ∈ G. (∗)

First, note that (∗) is equivalent to

gHg −1 = H, for all g ∈ G,

and the above is equivalent to

gHg −1 ⊆ H, for all g ∈ G. (∗∗)

This is because gHg −1 ⊆ H implies H ⊆ g −1 Hg, and this for all g ∈ G. But,

ϕ(ghg −1 ) = ϕ(g)ϕ(h)ϕ(g −1 ) = ϕ(g)e0 ϕ(g)−1 = ϕ(g)ϕ(g)−1 = e0 ,

for all h ∈ H = Ker ϕ and all g ∈ G. Thus, by definition of H = Ker ϕ, we have gHg −1 ⊆ H.

Definition 3.5. For any group G, a subgroup N of G is a normal subgroup of G iff

gN g −1 = N, for all g ∈ G.

This is denoted by N C G.

Observe that if G is abelian, then every subgroup of G is normal.

If N is a normal subgroup of G, the equivalence relation induced by left cosets is the
same as the equivalence induced by right cosets. Furthermore, this equivalence relation ∼ is
a congruence, which means that: For all g1 , g2 , g10 , g20 ∈ G,

(1) If g1 N = g10 N and g2 N = g20 N , then g1 g2 N = g10 g20 N , and

(2) If g1 N = g2 N , then g1−1 N = g2−1 N .

As a consequence, we can define a group structure on the set G/ ∼ of equivalence classes

modulo ∼, by setting
(g1 N )(g2 N ) = (g1 g2 )N.
3.1. GROUPS, SUBGROUPS, COSETS 35

This group is denoted G/N and called the quotient of G by N . The equivalence class gN of
an element g ∈ G is also denoted g (or [g]). The map π : G → G/N given by

π(g) = g = gN x

is clearly a group homomorphism called the canonical projection.

Given a homomorphism of groups ϕ : G → G0 , we easily check that the groups G/Ker ϕ

and Im ϕ = ϕ(G) are isomorphic. This is often called the first isomorphism theorem.

A useful way to construct groups is the direct product construction. Given two groups G
an H, we let G × H be the Cartestian product of the sets G and H with the multiplication
operation · given by
(g1 , h1 ) · (g2 , h2 ) = (g1 g2 , h1 h2 ).

It is immediately verified that G × H is a group. Similarly, given any n groups G1 , . . . , Gn ,

we can define the direct product G1 × · · · × Gn is a similar way.

If G is an abelian group and H1 , . . . , Hn are subgroups of G, the situation is simpler.

Consider the map
a : H1 × · · · × Hn → G

given by
a(h1 , . . . , hn ) = h1 + · · · + hn ,

using + for the operation of the group G. It is easy to verify that a is a group homomorphism,
so its image is a subgroup of G denoted by H1 + · · · + Hn , and called the sum of the groups
Hi . The following proposition will be needed.

Proposition 3.4. Given an abelian group G, if H1 and H2 are any subgroups of G such
that H1 ∩ H2 = {0}, then the map a is an isomorphism

a : H1 × H2 → H1 + H2 .

Proof. The map is surjective by definition, so we just have to check that it is injective. For
this, we show that Ker a = {(0, 0)}. We have a(a1 , a2 ) = 0 iff a1 + a2 = 0 iff a1 = −a2 . Since
a1 ∈ H1 and a2 ∈ H2 , we see that a1 , a2 ∈ H1 ∩ H2 = {0}, so a1 = a2 = 0, which proves that
Ker a = {(0, 0)}.

Under the conditions of Proposition 3.4, namely H1 ∩ H2 = {0}, the group H1 + H2 is

called the direct sum of H1 and H2 ; it is denoted by H1 ⊕ H2 , and we have an isomorphism
H1 × H2 ∼ = H1 ⊕ H2 .
36 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

3.2 Cyclic Groups

Given a group G with unit element 1, for any element g ∈ G and for any natural number
n ∈ N, define g n as follows:
g0 = 1
g n+1 = g · g n .
For any integer n ∈ Z, we define g n by
(
gn if n ≥ 0
gn =
(g −1 )(−n) if n < 0.
The following properties are easily verified:
g i · g j = g i+j
(g i )−1 = g −i
gi · gj = gj · gi,
for all i, j ∈ Z.
Define the subset hgi of G by
hgi = {g n | n ∈ Z}.
The following proposition is left as an exercise.
Proposition 3.5. Given a group G, for any element g ∈ G, the set hgi is the smallest
abelian subgroup of G containing g.
Definition 3.6. A group G is cyclic iff there is some element g ∈ G such that G = hgi. An
element g ∈ G with this property is called a generator of G.

Cyclic groups are quotients of Z. For this, we use a basic property of Z. Recall that for
any n ∈ Z, we let nZ denote the set of multiples of n,
nZ = {nk | k ∈ Z}.
Proposition 3.6. Every subgoup H of Z is of the form H = nZ for some n ∈ N.
Proof. If H is the trivial group {0}, then let n = 0. If H is nontrivial, for any nonzero element
m ∈ H, we also have −m ∈ H and either m or −m is positive, so let n be the smallest
positive integer in H. By Proposition 3.5, nZ is the smallest subgroup of H containing n.
For any m ∈ H with m 6= 0, we can write
m = nq + r, with 0 ≤ r < n.
Now, since nZ ⊆ H, we have nq ∈ H, and since m ∈ H, we get r = m − nq ∈ H. However,
0 ≤ r < n, contradicting the minimality of n, so r = 0, and H = nZ.
3.2. CYCLIC GROUPS 37

Given any cyclic group G, for any generator g of G, we can define a mapping ϕ : Z → G
by ϕ(m) = g m . Since g generates G, this mapping is surjective. The mapping ϕ is clearly a
group homomorphism, so let H = Ker ϕ be its kernel. By a previous observation, H = nZ
for some n ∈ Z, so by the first homomorphism theorem, we obtain an isomorphism

ϕ : Z/nZ −→ G

from the quotient group Z/nZ onto G. Obviously, if G has finite order, then |G| = n. In
summary, we have the following result.
Proposition 3.7. Every cyclic group G is either isomorphic to Z, or to Z/nZ, for some
natural number n > 0. In the first case, we say that G is an infinite cyclic group, and in the
second case, we say that G is a cyclic group of order n.

The quotient group Z/nZ consists of the cosets m + nZ = {m + kn | k ∈ Z}, with m ∈ Z,

that is, of the equivalence classes of Z under the equivalence relation ≡ defined such that

x≡y iff x − y ∈ nZ iff x ≡ y (mod n).

We also denote the equivalence class x + nZ of x by x, or if we want to be more precise by

[x]n . The group operation is given by

x + y = x + y.

For every x ∈ Z, there is a unique representative, x mod n (the nonnegative remainder of

the division of x by n) in the class x of x, such that 0 ≤ x mod n ≤ n − 1. For this
reason, we often identity Z/nZ with the set {0, . . . , n − 1}. To be more rigorous, we can give
{0, . . . , n − 1} a group structure by defining +n such that

x +n y = (x + y) mod n.

Then, it is easy to see that {0, . . . , n − 1} with the operation +n is a group with identity
element 0 isomorphic to Z/nZ.
We can also define a multiplication operation · on Z/nZ as follows:

a · b = ab = ab mod n.

Then, it is easy to check that · is abelian, associative, that 1 is an identity element for ·, and
that · is distributive on the left and on the right with respect to addition. This makes Z/nZ
into a commutative ring. We usually suppress the dot and write a b instead of a · b.
Bezout’s identity implies that a ∈ Z/nZ is invertible with respect to multiplication iff
gcd(a, n) = 1.
Indeed, if a has inverse b in Z/nZ, then a b = 1, which means that

ab ≡ 1 (mod n),
38 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

that is ab = 1 + nk for some k ∈ Z, which is the Bezout identity

ab − nk = 1

and implies that gcd(a, n) = 1. Conversely, if gcd(a, n) = 1, then by Bezout’s identity there
exist u, v ∈ Z such that
au + nv = 1,
so au = 1 − nv, that is,
au ≡ 1 (mod n),
which means that a u = 1, so a is invertible in Z/nZ.
The group of invertible elements of the ring Z/nZ is denoted by (Z/nZ)∗ . Note that this
group is only defined if n ≥ 2.
Given any positive integer n ≥ 1, recall that the Euler ϕ-function (or Euler totient
function) is defined such that ϕ(n) is the number of integers a, with 1 ≤ a ≤ n, which are
relatively prime to n; that is, with gcd(a, n) = 1.1 Then, we see that the group (Z/nZ)∗ has
order ϕ(n).
For n = 2, (Z/2Z)∗ = {1}, the trivial group. For n = 3, (Z/3Z)∗ = {1, 2}, and for
n = 4, we have (Z/4Z)∗ = {1, 3}. Both groups are isomorphic to the group {−1, 1}. Since
gcd(a, n) = 1 for every a ∈ {1, . . . , n − 1} iff n is prime, we see that (Z/nZ)∗ = Z/nZ − {0}
iff n is prime, so Z/nZ is a field iff n is prime.
Even though in principle a finite cyclic group has a very simple structure, finding a
generator for a finite cyclic group is generally hard. For example, it turns out that the
multiplicative group (Z/pZ)∗ is a cyclic group when p is prime, but no efficient method for
finding a generator for (Z/pZ)∗ is known (besides a brute-force search). More generally, the
multiplicative group (Z/pk Z)∗ is a cyclic group when p is prime and k ≥ 1.
The notion of order an element in a group plays an important role.

Definition 3.7. Given a group G, for any g ∈ G, the order of g in G, denoted by ordG (g),
is either infinite if the cylic group hgi is infinite, or defined so that ordG (g) = |hgi| if hgi has
finite order.

The following characterization of the order of an element will be needed.

Proposition 3.8. Given a group G and an element g ∈ G, if g has finite order, then
ordG (g) = p is characterized as follows: p is the smallest positive integer such that g p = 1.
Furthermore, g, g 2 , . . . , g p = 1 are all distinct, and for any n such that g n = 1, then p divides
n.
1
We allow a = n to accomodate the special case n = 1.
3.2. CYCLIC GROUPS 39

Proof. We have the isomorphism Z/pZ ' G, so p ≡ 0 (mod p) and g p = 1. If q < p is a

positive integer such that g q = 1, then q = 1 in Z/pZ, a contradiction.
Conversely, if p is the least positive integer such that g p = 1, then g, g 2 , . . . , g p = 1 are
all distinct, since otherwise we would have g i = g j for some i, j with 1 ≤ i < j ≤ p, and then
we would have
g j−i = 1
with 0 < j −i < p, contradicting the minimality of p. For any n ∈ Z, we can write n = pq +r,
with 0 ≤ r < p, and we get
g n = g pq+r = (g p )q · g r = g r .
Then, it is clear that we have an isomorphism Z/pZ ' G.
If g n = 1, then writing n = pq + r, with 0 ≤ r < p, we get

1 = g pq+r = (g p )q · g r = g r ,

so g r = 1 with 0 ≤ r < p, contradicting the minimality of p, so r = 0 and p divides n.

The next proposition deals with subgroups of cyclic groups.

Proposition 3.9. Let G = hgi be a finite cyclic group of order n and let H be any subgroup
of G.

(a) The group H is cyclic and generated by some element g k , where k ≥ 1 is the least
integer such that g k ∈ H.

(b) The order d = |H| of H divides n and n = dk.

(c) We have H = {a ∈ G | ad = 1}, with d from (b).

(d) For every d ≥ 1, the set

Hd = {a ∈ G | ad = 1}
is a cyclic subgroup of G of order gcd(n, d).

(e) For every divisor d of n, there is a unique cyclic subgroup H of order d given by

H = {a ∈ G | ad = 1}.

Proof. If H = {1}, then all claims are true with k = n and d = 1. From now on, assume
that |H| > 1, and pick g k ∈ H with k ≥ 1 minimal. Since |H| > 1, we must have k < n.
(a) For any element g m ∈ H, we can write m = kq + r, with 0 ≤ r < k. Then, we have

g m = g kq+r = (g k )q · g r ,
40 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

and since g m , g k ∈ H, we have g r = (g k )−q · g m ∈ H. However, 0 ≤ r < k, contradicting the

minimality of k, so r = 0. It follows that H = hg k i is cyclic.
(b) Let us prove that k divides n. Let s = gcd(k, n). By Bezout’s theorem, we can write

s = ku + nv

for some u, v ∈ Z. Then, since g n = 1, we have

g s = g ku+nv = (g k )u · (g n )v = (g k )u ,

which shows that g s ∈ H. Since k is the least positive integer such that g k ∈ H, we must
have s = k; that is, k divides n. But then, g k must have order d = n/k, since the order of
g k is the smallest natural number h such that g kh = 1, and since n = dk is the order of g, it
must divide hk, which means that d must divide h, and so h = d.
(c) From (b), H = {g k , g 2k , . . . , g dk = 1}, and we have (g jk )d = (g dk )j = 1, which shows
that every a ∈ H satisfies the equation ad = 1. Conversely, if a ∈ H satisfies ad = 1, since
a = g i for some i, we have g id = 1, and since g has order n, the number n = kd must divide
id, which means that k must divide i. Consequently, a = (g k )i/k ∈ H.
(d) It is immediately verified that Hd is a subgroup of G. We have a = g i ∈ Hd iff
(g ) = g id = 1. Write r = gcd(d, n), n = n1 r and d = d1 r. Then gcd(n1 , d1 ) = 1. Since g
i d

has order n, the number n = n1 r divides id = id1 r, so n1 divides id1 . Since gcd(n1 , d1 ) = 1,
the number n1 divides i, and since 1 ≤ i ≤ n, we conclude that i = n1 , 2n1 , . . . , rn1 = n.
Therefore, Hd has order r = gcd(d, n).
(e) This follows immediately from (d).

Proposition 3.10. Let G = hgi be a finite cyclic group of order n. Then we have:

(a) For any a ∈ G, the order ordG (a) of a divides n.

(b) For any i, with 1 ≤ i ≤ n, the order of g i is n/gcd(i, n).

(c) For every divisor d of n, the group G contains ϕ(d) elements of order d.

Proof. (a) The order ordG (a) of a is the order of the cyclic group hai, and by Lagrange’s
theorem (Proposition 3.3), ordG (a) divides n.
(b) Write k = gcd(i, n), i = i1 k, and n = n1 k. The order d of g i is the smallest positive
integer such that (g i )d = g id = 1. Since g has order n, the number n = n1 k must divide
id = i1 kd, so that n1 divides i1 d. Since gcd(i1 , n1 ) = 1, the number n1 must divide d, and
so d = n1 = n/k, as claimed.
(c) By (b), we need to know how many i ∈ {1, . . . , n} have the property n/gcd(i, n) = d,
or equivalently
gcd(i, n) = n/d = k.
3.2. CYCLIC GROUPS 41

Obviously, i must be of the form i = jk, with 1 ≤ j ≤ d. Now,

k = gcd(i, n) = gcd(jk, dk) = k gcd(j, d),

so gcd(j, d) = 1. But, there are ϕ(d) integers i ∈ {1, . . . , d} such that gcd(j, d) = 1, which
yields (c).

Here is another useful proposition.

Proposition 3.11. For any abelian group G, if a is an element of finite order n1 , b is an

element of finite order n2 , and gcd(n1 , n2 ) = 1, then a + b has order n1 n2 .

Proof. The first step is to prove that hai ∩ hbi = {0}. This is because hai ∩ hbi is a subgroup
of both hai and hbi, so by Lagrange’s theorem, the order m of hai ∩ hbi divide both n1 and
n2 . Since gcd(n1 , n2 ) = 1, we must have m = 1. Next, we claim that if k(a + b) = 0, then
ka = kb = 0. This is because if k(a + b) = 0, then ka = −kb, so ka, kb ∈ hai ∩ hbi = {0},
which means that ka = 0 and kb = 0. Now, the order of a + b is the smallest positive integer
s such that s(a + b) = 0. From what we just proved, sa = 0 and sb = 0, and since n1 and
n2 are the orders of a and b respectively, n1 and n2 must divide s. Since gcd(n1 , n2 ) = 1, we
conclude that n1 n2 divides s. On the other hand, since n1 and n2 are the orders of a and b
respectively, n1 a = 0 and n2 b = 0, so n1 n2 (a + b) = n2 n1 a + n1 n2 b = 0, and since s is the
least positive integer such that s(a + b) = 0, we see that s divides n1 n2 , so we must have
s = n1 n2 .

We can now prove the following important fact.

Proposition 3.12. For every integer n ≥ 1, we have

X
n= ϕ(d).
d|n

Proof. By proposition 3.9, for every divisor d of n, there is a unique cyclic subgroup Cd of
Z/nZ of order d, and let Φd be the set of generators of Cd . Since by Proposition 3.9, every
element of Z/nZ generates some cyclic subgoup Cd , the subsets Φd form a partition of Z/nZ,
and since by Proposition 3.10, each group Cd has ϕ(d) generators, we conclude that
X X
n = |Z/nZ| = |Φd | = ϕ(d),
d|n d|n

as claimed.

Proposition 3.12 yields a very useful characterization of cyclic groups. The proof is due
to J.P. Serre.
42 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

Theorem 3.13. Let G be a finite group of order n. Then, G is cyclic iff for every divisor
d of n, there are at most d elements a ∈ G such that ad = 1. If G is cyclic, then it has ϕ(n)
generators.

Proof. If G is cyclic, we proved in Proposition 3.9 that for every divisor d of n there is a
unique subgroup of order d given by Hd = {a ∈ G | ad = 1}.
Let us now prove the converse. If there is some x ∈ G of order d, then the subgroup
hxi = {x, x2 , . . . , xd = 1} is cyclic of order d, and the d elements in hxi satisfy the equation
ad = 1. If some y ∈ G satisfies the equation y d = 1, then we already have d solutions in hxi,
so y ∈ hxi. In particular, all elements of G of order d are generators of hxi, and there are
ϕ(d) such elements. Hence, the number of elements of G of order d is either 0 or ϕ(d). If it
were 0 for some divisor d of n, then the formula
X
n= ϕ(d).
d|n

from Proposition 3.12 would say that G has strictly less than n elements, a contradiction.
Therefore, for every divisor d of n, there are ϕ(d) elements of order n. In particular, for
n = d, we have an element x of order n, which shows that G = hxi is cyclic.

We also have the following simple result which yields a short proof of a result of Euler.

Proposition 3.14. If G is any finite group of order n, then the order of any element g ∈ G
divides n. Thus,
g n = 1, for all g ∈ G.

Proof. The cyclic subgroup hgi is a subgroup of G, so by Lagrange’s theorem, its order k
divides the order of G. By Proposition 3.8, we have g k = 1, and since k divides n we get
g n = 1.

For any integer n ≥ 2, let (Z/nZ)∗ be the group of invertible elements of the ring Z/nZ.
This is a group of order ϕ(n). Then, Proposition 3.14 yields the following result.

Theorem 3.15. (Euler) For any integer n ≥ 2 and any a ∈ {1, . . . , n − 1} such that
gcd(a, n) = 1, we have
aϕ(n) ≡ 1 (mod n).

In particular, if n is a prime, then ϕ(n) = n − 1, and we get Fermat’s little theorem.

Theorem 3.16. (Fermat’s little theorem) For any prime p and any a ∈ {1, . . . , p − 1}, we
have
ap−1 ≡ 1 (mod p).
3.3. PRIMITIVE ROOTS 43

3.3 Primitive Roots

In this section, we prove that certain multiplicative groups of the form (Z/nZ)∗ are cyclic.
It turns out that the group (Z/nZ)∗ is cylic if n = 2, 4, pm , and 2pm , where p is an odd prime
and m ≥ 1. A generator for (Z/nZ)∗ is called a primitive root modulo n. This terminology
goes back to Euler, and is also used by Gauss in his Disquisitiones Arithmeticae [7]; see
Article 57. In fact, it is remarkable that most of the results of this section are due to Gauss.
Translations of the Disquisitiones Arithmeticae are available, for example, in French, and we
highly recommend reading Articles 52 through 93. Gauss’ style is strikingly lively and clear.
Basically all the results of this section are also proved in another famous book, namely the
Vorlesungen über Zahlentheorie, by Lejeune–Dirichlet [11]. This book was actually written
by Richard Dedekind and published in 1863 after Dirichlet’s death in 1859. The English
translation is by John Stillwell. We were amazed to see that most contemporary books on
number theory, including Apostol excellent’s book [1], give proofs of the existence of primitive
roots, and proofs of the quadratic reciprocity theorem, which are basically Dirichlet’s proofs.
First, we review a basic structure theorem for the rings of the form Z/nZ. For this, we
need the following form of the chinese remainder theorem.

Theorem 3.17. (Chinese remainder theorem, abstract version) For any integer n ≥ 1, if
n = n1 · · · nr where the ni are relatively prime in pair, which means that gcd(ni , nj ) = 1 for
all i 6= j, then we have an isomorphism

Z/nZ ∼
= Z/n1 Z × · · · × Z/nr Z.

Proof. Consider the map ϕ : Z/nZ → Z/n1 Z × · · · × Z/nr Z given by

ϕ(a) = (a mod n1 , . . . , a mod nr ).

The map ϕ is a homomorphism, so let’s determine its kernel Ker ϕ. We have ϕ(a) = (0, . . . , 0)
iff
a ≡ 0 (mod ni ), i = 1, . . . , nr ,

and since the ni are pairwise relatively prime, this is equivalent to

a≡0 (mod n1 · · · nr ).

Thus, Ker ϕ = nZ, and we get an injection

ϕ : Z/nZ −→ Z/n1 Z × · · · × Z/nr Z.

However, |Z/nZ| = n = n1 · · · nr and |Z/n1 Z × · · · × Z/nr Z| = n1 · · · nr , which shows that

ϕ is a bijection, and thus an isomorphism.
44 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

Theorem 3.17 does not explicitly tells us how to solve a system of congruences

x ≡ b1 (mod n1 )
..
.
x ≡ br (mod nr ),

but the following version of the chinese remainder theorem tells us how to do so.

Theorem 3.18. (Chinese remainder theorem) For any integer n ≥ 1, if n = n1 · · · nr where

the ni are relatively prime in pair, which means that gcd(ni , nj ) = 1 for all i 6= j, for any
b1 , . . . , br ∈ Z, there exists a unique x with 0 ≤ x ≤ n − 1 such that

x ≡ b1 (mod n1 )
..
.
x ≡ br (mod nr ).

Proof. Let mi = n/ni , for i = 1, . . . , r. Since the ni are pairwise relatively prime, we have
gcd(mi , ni ) = 1, so mi has a unique inverse m0i modulo ni ; that is,

mi m0i ≡ 1 (mod ni ).

Let
x = b1 m1 m01 + · · · + br mr m0r .
We claim that x is a solution of our congruences. Indeed, since each mj contains the factor
ni if i 6= j, we have

b1 m1 m01 + · · · + br mr m0r ≡ bi mi m0i (mod ni ),

and since mi m0i ≡ 1 (mod ni ), we get

b1 m1 m01 + · · · + br mr m0r ≡ bi (mod ni ),

as required. The uniqueness of x follows from Theorem 3.17. We can also observe that if x, y
are two solutions such that 0 ≤ x, y ≤ n − 1, then x ≡ y (mod ni ) for i = 1, . . . , r, which
implies x ≡ y (mod n), and thus x = y.

Interestingly, Theorem 3.17 also applies to the group (Z/nZ)∗ of units (invertible ele-
ments) of the ring Z/nZ. Note that we must have n ≥ 2.

Theorem 3.19. For any integer n > 1, if n = n1 · · · nr where the ni are relatively prime in
pair, which means that gcd(ni , nj ) = 1 for all i 6= j, then we have an isomorphism

(Z/nZ)∗ ∼
= (Z/n1 Z)∗ × · · · × (Z/nr Z)∗ .
3.3. PRIMITIVE ROOTS 45

Proof. By Theorem 3.17, we have an isomorphism

Z/nZ ∼
= Z/n1 Z × · · · × Z/nr Z.

However, an element (a1 , . . . , ar ) of the product ring Z/n1 Z × · · · × Z/nr Z is invertible iff
each ai is invertible in Z/ni Z, which shows that the above isomorphism induces a group
isomorphism
(Z/nZ)∗ ∼ = (Z/n1 Z)∗ × · · · × (Z/nr Z)∗ ,
as claimed.

As a corollary of Theorem 3.19, since the group (Z/ni Z)∗ has order ϕ(ni ), we obtain the
multiplicative property of the Euler ϕ-function.

Proposition 3.20. For any two positive integers m, n, if gcd(m, n) = 1, then

ϕ(mn) = ϕ(m)ϕ(n).

Since ϕ(p) = p − 1 when p is prime and ϕ(pk ) = pk − pk−1 = pk−1 (p − 1) if k ≥ 2 (wih

p prime), we can compute ϕ(n) for every n (we start with ϕ(1) = 1). Since every positive
integer n > 1 has a unique prime factorization

n = pk11 · · · pkr r ,

we get    
1 1
ϕ(n) = pk11 −1 · · · prkr −1 (p1 − 1) · · · (pr − 1) = n 1 − ··· 1 − .
p1 pr
Theorem 3.19 reduces the study of the group (Z/nZ)∗ to the stucture of the groups (Z/pk Z)∗ ,
where p is a prime and k ≥ 1. The case p = 2 is exceptional, but the case where p is an odd
prime is nice; namely, (Z/pk Z)∗ is a cylic group. We begin with the case k = 1.

Theorem 3.21. (Gauss) For every odd prime p, the group (Z/pZ)∗ is cyclic. It has ϕ(p − 1)
generators.

Proof. We use Theorem 3.13 applied to G = (Z/pZ)∗ and n = ϕ(p) = p − 1. Since p is

prime, Z/pZ is a field, for every divisor d of p − 1, the equation xd − 1 = 0 has at most
d roots in Z/pZ, and a fortiori in (Z/pZ)∗ . Therefore, (Z/pZ)∗ is cyclic and has ϕ(p − 1)
generators.

Integers a ∈ Z such that a mod p is a generator of (Z/pZ)∗ are called primitive roots
mod p.

Remark: Gauss’ proof is not all that different from the one we gave. For every divisor
d of p − 1, Gauss defines ψ(d) as the number of integers a, with a ≤ a ≤ p − 1, that
46 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

have order d, and then proves that ψ(d) = ϕ(d). For this, he proves Proposition 3.12; see
Articles 52–56 of the Disquisitiones Arithmeticae [7]. Gauss also warns about the danger of
regarding as established, statements which are not proved. He goes on to say that “nobody
has attempted to prove Theorem 3.21, except Euler,” and that Euler has talked extensively
about the necessity of proving it, but that his proof is flawed in two respects! A version of
the same proof is also given in Dirichlet [11] (Chapter 2, Section 30).
Gauss proposes an algorithm for finding a primitive root modulo p in Articles 73 and 74
in the Disquisitiones Arithmeticae [7]. The algorithm is as follows:
Step 1. Pick any integer a with 2 ≤ a ≤ p − 1, and find the order t of a, that is, the least
positive integer such that at ≡ 1 (mod p). If a has order p − 1, then it is a primitive root
modulo p. Otherwise, go to the next step.
Step 2. Find any any number b, with 2 ≤ b ≤ p − 1, such that b 6≡ ai (mod p), for
i = 1, . . . , t. Let u be the order of b, the least positive integer such that bu ≡ 1 (mod p). I
claim that u does not divide t.
This is because if u divides t, since bu ≡ 1 (mod p), we would get bt ≡ 1 (mod p), but
since the congruence X t ≡ 1 (mod p) has t solutions (a, a2 , . . . , at ), then we would have
b ≡ ai (mod p) for some i with 1 ≤ i ≤ t, a contradiction. If u = p − 1, then b is a primitive
root. Otherwise, let y be the least common multiple of t and u. Then, we can split y as
y = mn, where gcd(m, n) = 1, m divides t, and n divides u. As explained by Gauss in a
footnote, m and n can be obtained from prime factorizations of t and u. All prime powers
only in t are included in m, all prime powers only in u are included in n, and prime powers
both in t and u are included in m or n, it doesn’t matter. Then, a0 ≡ at/m (mod p) has
order m, b0 ≡ bu/n (mod p) has order n, and because gcd(m, n) = 1, the element c = a0 b0 has
order y = mn > t modulo p. If mn = p − 1, then c is a primitive root modulo p. Otherwise,
go back to Step 2 with a = c and t = y.
Since y > t in step 2, the order of t keeps increasing while dividing p − 1, so eventually
t = p − 1, and a primitive root is found. Gauss illutrates this process for p = 73, and finds
the primitive root 5. Gauss’ algorithm requires factoring y as mn with gcd(m, n) = 1, and
this step requires prime factorizations of t and u. For large p, this is not a practical method.
Still, it is impressive that Gauss gave an algorithm for finding a primitive root over 200 years
ago.
The above algorithm does not necessarily yield the smallest primitive root gp modulo p.
It is known that gp > C log p for infinitely many primes (for some constant C), and that
24
gp < p0.499 for all p > e2 (see Ribenboim [15], Chapter 2, Section II).
We now consider the case where n = pm , with p prime and m ≥ 2. We follow the beautiful
exposition given in Apostol [1]. As we mentioned earlier, this exposition is extremely close to
Dirichlet’s presentation (as written up by Dedekind) [11]. The following technical proposition
is needed.
3.3. PRIMITIVE ROOTS 47

Proposition 3.22. For any odd prime p, let g be a primitive root modulo p such that
g p−1 6≡ 1 (mod p2 ).
Then, for all i ≥ 2, we have
i−1 )
g ϕ(p 6≡ 1 (mod pi ).
Proof. We proceed by induction on i. The base case i = 2 is the hypothesis. For the
induction step, assume that
i−1
g ϕ(p ) 6≡ 1 (mod pi ). (∗)
By Euler’s theorem,
i−1 )
g ϕ(p ≡1 (mod pi−1 ),
so we have
i−1 )
g ϕ(p = 1 + kpi−1
for some k ∈ Z, and p does not divide k because of (∗). Raising the above equation to the
pth power, since ϕ(pi−1 ) = pi−1 − pi−2 , we get pϕ(pi−1 ) = ϕ(pi ), and
i p(p − 1) 2(i−1)
g ϕ(p ) = (1 + kpi−1 )p = 1 + kpi + k 2 p + rp3(i−1)
2
p − 1 2i−1
= 1 + kpi + k 2 p + rp3(i−1) ,
2
for some r ∈ Z. Now, 2i − 1 ≥ i + 1 and 3i − 3 ≥ i + 1 since i ≥ 2, so we get the congruence
i
g ϕ(p ) = 1 + kpi (mod pi+1 ),
where p does not divide k, and therefore
i
g ϕ(p ) 6≡ 1 (mod pi+1 ),
establishing the induction hypothesis.

The next step if to “promote” a primitive root modulo p to a primitive root modulo pm .
For this, we use the following proposition.
Proposition 3.23. For any odd prime p, there is a primitive root g modulo p such that
g p−1 6≡ 1 (mod p2 ). (∗)
Proof. Let g be any primitive root modulo p. If (∗) holds, we are done. Otherwise, g p−1 ≡ 1
(mod p2 ), in which case we consider g1 = g + p. Obviously, g1 is a primitive root modulo p,
and we claim that it satisfies (∗). We have
g1p−1 = (g + p)p−1
= g p−1 + (p − 1)g p−2 p + tp2 ,
= g p−1 − g p−2 p + (t + g p−2 )p2 ,
48 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

for some t ∈ Z, and because g p−1 ≡ 1 (mod p2 ), we get

g1p−1 ≡ g p−1 − pg p−2 (mod p2 )

≡ 1 − pg p−2 (mod p2 ).

But, we cannot have pg p−2 ≡ 0 (mod p2 ), for this would imply that g p−2 ≡ 0 (mod p),
contradicting the fact that g is a primitive roots modulo p. Therefore, g1p−1 6≡ 1 (mod p2 ),
as claimed.

Finally, we can prove that primitive roots modulo pm exist.

Proposition 3.24. For any odd prime p, a primitive root g modulo p is a primitive root
modulo pm for all m ≥ 2 iff
g p−1 6≡ 1 (mod p2 ). (∗)

Proof. Suppose that g is a primitive root modulo pm for all m ≥ 1. In particular, g is a

primitive root modulo p2 . We have (by Fermat’s little theorem)

g p−1 ≡ 1 (mod p),

and since ϕ(p2 ) = p(p − 1) > p − 1, if

g p−1 ≡ 1 (mod p2 ),

then g can’t be a primitive root modulo p2 , so g p−1 6≡ 1 (mod p2 ) must hold.

Conversely, assume that the primitive root g modulo p satisfies (∗). We prove that g is
a primitive root modulo pm for all m ≥ 2. Let t be the order of g in (Z/pm Z)∗ . We need to
prove that
t = ϕ(pm ).
Since g t ≡ 1 (mod pm ), we also have g t ≡ 1 (mod p), and since g has order p − 1 modulo p,
we conclude that p − 1 divides t, so we can write

t = q(p − 1)
m
for some q ∈ Z. Since g ϕ(p ) ≡ 1 (mod pm ) and t is the order of g modulo pm , the number
t must divide ϕ(pm ) = pm−1 (p − 1); that is, q(p − 1) divides pm−1 (p − 1), so q divides pm−1 .
Therefore, we can write
t = pb (p − 1), with b ≤ m − 1.
If we can prove that b = m − 1, then we are done.
Assume by contradiction that b < m − 1. If so, b ≤ m − 2 and t = pb (p − 1) divides
m−2
p (p − 1) = ϕ(pm−1 ). As a consequence, from g t ≡ 1 (mod pm ), we get
m−1)
g ϕ(p ≡1 (mod pm ).
3.3. PRIMITIVE ROOTS 49

However, since by assumption

g p−1 6≡ 1 (mod p2 ),
Proposition 3.22 implies that
i−1 )
g ϕ(p 6≡ 1 (mod pi ) for all i ≥ 2,

a contradiction. Therefore, b = m − 1 and the proof is complete.

Putting Propositions 3.23 and 3.24, we obtain our theorem.

Theorem 3.25. (Gauss) For every odd prime p and every integer m ≥ 2, the group
(Z/pm Z)∗ is cyclic. Furthermore, it has ϕ(ϕ(pm )) = pm−2 (p − 1)ϕ(p − 1) primitive roots.

Remark: Gauss proves Theorem 3.25 in Articles 82–89 of the Disquisitiones Arithmeticae
[7]. The above proof is basically Dedekind’s proof [11] (Supplement V).
The case n = 2pm is easily handled.

Theorem 3.26. For every odd prime p and every integer m ≥ 1, the group (Z/2pm Z)∗
is cyclic. In fact, (Z/2pm Z)∗ ∼
= (Z/pm Z)∗ . Furthermore, there exist odd primitive roots g
modulo pm , and each such g is also a primitive root modulo 2pm .

Proof. Since p is an odd prime, gcd(2, p) = 1, so Theorem 3.19 yields an isomorphism

(Z/2pm Z)∗ ∼
= (Z/2Z)∗ × (Z/pm Z)∗ ∼
= (Z/pm Z)∗ ,

since (Z/2Z)∗ is the trivial group {1}.

If g is a primitive root modulo pm , then g + pm is also a primitive root modulo pm , and
since p is odd, either g or g+pm is odd (pm is odd). Let g be an odd primitive root modulo pm
and let t be its order modulo pm+1 . We need to prove that t = ϕ(2pm ) = ϕ(2)ϕ(pm ) = ϕ(pm ).
m
Now, t must divide ϕ(2pm ) = ϕ(pm ) (since g ϕ(2p ) ≡ 1 (mod 2pm )). On the other hand,
g t ≡ 1 (mod 2pm ), which implies g t ≡ 1 (mod pm ), so ϕ(pm ) divides t since g is a primitive
root modulo pm (it has order ϕ(pm ) modulo pm ). Therefore, t = ϕ(pm ) = ϕ(2pm ), as
claimed.

The situation for p = 2m with m ≥ 3 is quite different.

Proposition 3.27. (Gauss) If a is an odd integer, then for all m ≥ 3, we have

m )/2 m−2
aϕ(2 ≡ a2 ≡1 (mod 2m ).

Therefore, there are no primitive roots modulo 2m .

50 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

Proof. We proceed by induction on m. When m = 3, we need to show that a2 ≡ 1 (mod 8),

if a is odd. This is because a is of the form a = 2k + 1,

(2k + 1)2 = 4k 2 + 4k + 1 = 4k(k + 1) + 1,

and k(k + 1) is always even.

For the induction step, the induction hypothesis says that
m−2
a2 = 1 + 2m t,

for some t ∈ Z. Squaring both sides, we get

m−1
a2 = 1 + 2m+1 t + 22m t2 ,

so
m−1
a2 ≡1 (mod 2m+1 ),
establishing the induction hypothesis.

Remark: Gauss proves Proposition 3.27 in Article 90 of the Disquisitiones Arithmeticae

[7]. It also appears in Dirichlet-Dedekind [11] (Supplement V).
In summary, we proved that primitive roots exist if n = 2, 4, pm , or 2pm . We also showed
that they do not exist if n = 2m , with m ≥ 3. In fact, primitive roots do not exist in all the
remaining cases.
Proposition 3.28. Given any integer n ≥ 2, if n is not of the form n = 2, 4, pm , or 2pm ,
where p is an odd prime, then for any integer a with gcd(a, n) = 1, we have

aϕ(n)/2 ≡ 1 (mod n).

Therefore, there are no primitive roots modulo n.

Proof. We already proved that primitive roots do not exist if n = 2m with m ≥ 3. Therefore,
we may assume that n has a factorization of the form

n = 2k pk11 · · · pks s ,

where the pi are odd primes, s ≥ 1, ki ≥ 1, and k ≥ 0. Furthermore, since n is not of the
form n = 2, 4, pm , or 2pm , we have k ≥ 2 if s = 1, and s ≥ 2 if k = 0, 1. We have

ϕ(n) = ϕ(2k )ϕ(pk11 ) · · · ϕ(pks s ).

Pick a ∈ Z such that gcd(a, n) = 1. We need to prove that

aϕ(n)/2 ≡ 1 (mod n).

3.3. PRIMITIVE ROOTS 51

Let g be a primitive root modulo pk11 , and write

a ≡ gi (mod pk11 ).
Then, we have
k1
aϕ(n)/2 ≡ g iϕ(n)/2 ≡ g tϕ(p1 )
(mod pk11 ),
with
t = iϕ(2k )ϕ(pk22 ) · · · ϕ(pks s )/2.
We claim that t is an integer.
If k ≥ 2, then ϕ(2k ) = 2k−1 is even, so t is an integer. If k = 0 or k = 1, then s ≥ 2 and
the factor ϕ(pk22 ) = pk22 −1 (p2 − 1) is even, so t is also an integer.
Since k1
g ϕ(p1 )
≡1 (mod pk11 ),
from k1
aϕ(n)/2 ≡ g tϕ(p1 )
(mod pk11 ),
we obtain
aϕ(n)/2 ≡ 1 (mod pk11 ).
A similar proof shows that
aϕ(n)/2 ≡ 1 (mod pki i )
for i = 1, . . . s. We still need to prove that a similar congruence holds modulo 2k .
If k ≥ 3, since gcd(a, n) = 1, the number a must be odd, and by Proposition 3.27, we
have
k−2
aϕ(k)/2 ≡ a2 ≡ 1 (mod 2k ).
Since ϕ(2k ) divides ϕ(n), we get
aϕ(n)/2 ≡ 1 (mod 2k ), k ≥ 3.
If k ≤ 2, then we have
k
aϕ(2 ) ≡ 1 (mod 2k ).
But s ≥ 1, so
ϕ(n) = ϕ(2k )ϕ(pk11 ) · · · ϕ(pks s ) = ϕ(2k )pk11 −1 (p1 − 1)ϕ(pk22 ) · · · ϕ(pks s ) = 2rϕ(2k ),
for some integer r. Thus, ϕ(2k ) divides ϕ(n)/2, and
aϕ(n)/2 ≡ 1 (mod 2k )
holds for k ≤ 2. In summary, the congruences
aϕ(n)/2 ≡ 1 (mod pki i )
aϕ(n)/2 ≡ 1 (mod 2k )
52 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

hold for i = 1, . . . , s and k ≥ 0. Since the moduli are pairwise relatively prime, we obtain

aϕ(n)/2 ≡ 1 (mod n),

as claimed.

Putting everything together, we have the following remarkable result, most of which is
due to Gauss.
Theorem 3.29. The group (Z/nZ)∗ is cyclic iff n = 2, 4, pm , or 2pm , where p is an odd
prime and m ≥ 1. There are ϕ(ϕ(n)) primitive roots modulo n.

Surprisingly, even in the case where n = p is an odd prime, there is no known criterion
to determine whether an integer a is a primitive root modulo p. For example, we don’t know
how to determine if 2 is a primitive root modulo p, other than by computing all powers 2i
modulo p. In fact, we have the following conjecture made by Emil Artin around 1920:
Artin’s Conjecture. The number 2 is a primitive root for infinitely many primes.
Also, it is easy to see that a perfect square (a number of the form a2 ) and −1 are not
primitive roots. Artin also made the following conjecture.
The Generalized Artin Conjecture. Every integer which is not a perfect square and
is different from −1 is a primitive root for infinitely many primes.
It has been shown by Christopher Hooley (1967) that if the Extended Riemann Hypoth-
esis (ERH) holds, then the generalized Artin conjecture also holds. For a brief decription of
the ERH, see Section 4.5.
More can be said in the “bad” case n = 2k with m ≥ 3, Amazingly, 5 plays a special role.
Proposition 3.30. For any integers x, y, if x ≡ 1 + 4y (mod 8), then
k
x2 ≡ 1 + 2k+2 y (mod 2k+3 ),

for all k ≥ 0.
Proof. We proceed by induction on k. The case k = 0 is the hypothesis. For the induction
step, it is enough to prove that if a ≡ 1+2k+1 b (mod 2k+2 ) for any k ≥ 1, then a2 ≡ 1+2k+2 b
(mod 2k+3 ).
If a ≡ 1 + 2k+1 b (mod 2k+2 ), then a = 1 + 2k+1 b + c2k+2 , for some c, so we get

a2 = (1 + 2k+1 b + c2k+2 )2
= (1 + 2k+1 (b + 2c))2
= 1 + 2k+2 (b + 2c) + 22k+2 (b + 2c)2
= 1 + 2k+2 b + 2k+3 c + 22k+2 (b + 2c)2 ,
3.3. PRIMITIVE ROOTS 53

and because k ≥ 1, we have 2k + 2 ≥ k + 3, so we get

a2 ≡ 1 + 2k+2 b (mod 2k+3 ),

establishing the induction hypothesis.

Observe that if we set x = 5 and y = 1, then 5 ≡ 5 mod 8, so by Proposition 3.30, we

have
k
52 ≡ 1 + 2k+2 (mod 2k+3 ), for all k ≥ 0.
On the other hand, since 5 is odd, by Proposition 3.27, we have
m−2
52 ≡1 (mod 2m ).

Therefore, 5 has order 2m−2 modulo 2m . We can use this fact to prove the following result
(following Bourbaki [2], Chapter VII). This result is more or less implicit in Article 91 of the
Disquisitiones Arithmeticae [7]. It is explicitly proved in Dirichlet-Dedekind [11] (Supplement
V).
Theorem 3.31. For any m ≥ 3, the group (Z/2m Z)∗ is isomorphic to the direct product
{−1, 1} × h5i of the cyclic subgroup {−1, 1} generated by −1 and the cyclic subgroup h5i of
order 2m−2 generated by 5.
Proof. We already know that the cyclic subgroup group h5i generated by 5 has order 2m−2 .
We claim that −1 ∈/ h5i. Since −1 has order 2, and since ϕ(2) = 1, there is a unique element
of order 2 in (Z/2 Z)∗ , so if −1 ∈ h5i, then we must have
m

−1 ≡ 5m−3 ≡ 1 + 2m−1 (mod 2m ),

namely 2m−1 + 2 ≡ 0 (mod 2m ), which is false if m ≥ 1. Consequently, if H = {−1, 1} is

the subgroup generated by −1, we have H ∩ h5i = {0}. By Proposition 3.4, we have an
isomorphism
{−1, 1} × h5i ∼= {−1, 1} ⊕ h5i.
Now, (Z/2m Z)∗ has order 2m−1 , the subgroup h5i has order 2m−2 , and {−1, 1} has order 2,
so
(Z/2m Z)∗ = {−1, 1} ⊕ h5i
and we have an isomorphism (Z/2m Z)∗ ∼ = {−1, 1} × h5i.

Remarks: For n ≥ 3, we have the homomorphism π : (Z/2m Z)∗ → (Z/4Z)∗ given by

π(a mod 2m ) = a mod 4.

with gcd(a, 2m ) = 1. The kernel of this homomorphism is the subgroup U (2m ) of (Z/2m Z)∗
given by
U (2m ) = {a mod 2m | a ≡ 1 (mod 4)}.
54 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

The subgroup U (2m ) has order 2m−2 , and we have an isomorphism U (2m ) ∼
= h5i.
Another way to prove Theorem 3.25 is to proceed as follows (following Bourbaki [2],
Chapter VII). First, we show that p + 1 has order pm−1 in (Z/pm Z)∗ . For this we prove that
k
if p is an odd prime and x ≡ 1 + py (mod p2 ), then xp ≡ 1 + pk+1 y (mod pk+2 ), for all
k ≥ 0.
Then, using a primitive root of (Z/pZ)∗ , we can find an element y of order p − 1 in
(Z/pm Z)∗ . By proposition 3.11, since gcd(pm−1 , p − 1) = 1, we conclude that (p + 1)y has
order pm−1 (p − 1) = ϕ(pm ), so (p + 1)y is a primitive root modulo pm .

3.4 Rings and Fields

The groups Z, Q, R, C, Z/nZ, and Mn (R) are more than an abelian groups, they are also
commutative rings. Furthermore, Q, R, and C are fields. We now introduce rings and fields.

Definition 3.8. A ring is a set A equipped with two operations + : A × A → A (called

addition) and ∗ : A × A → A (called multiplication) having the following properties:

(R1) A is an abelian group w.r.t. +;

(R2) ∗ is associative and has an identity element 1 ∈ A;

(R3) ∗ is distributive w.r.t. +.

The identity element for addition is denoted 0, and the additive inverse of a ∈ A is
denoted by −a. More explicitly, the axioms of a ring are the following equations which hold
for all a, b, c ∈ A:

a + (b + c) = (a + b) + c (associativity of +) (3.1)
a+b=b+a (commutativity of +) (3.2)
a+0=0+a=a (zero) (3.3)
a + (−a) = (−a) + a = 0 (additive inverse) (3.4)
a ∗ (b ∗ c) = (a ∗ b) ∗ c (associativity of ∗) (3.5)
a∗1=1∗a=a (identity for ∗) (3.6)
(a + b) ∗ c = (a ∗ c) + (b ∗ c) (distributivity) (3.7)
a ∗ (b + c) = (a ∗ b) + (a ∗ c) (distributivity) (3.8)

The ring A is commutative if

a∗b=b∗a
for all a, b ∈ A.
3.4. RINGS AND FIELDS 55

From (3.7) and (3.8), we easily obtain

a∗0 = 0∗a=0 (3.9)

a ∗ (−b) = (−a) ∗ b = −(a ∗ b). (3.10)

Note that (3.9) implies that if 1 = 0, then a = 0 for all a ∈ A, and thus, A = {0}. The
ring A = {0} is called the trivial ring. A ring for which 1 6= 0 is called nontrivial . The
multiplication a ∗ b of two elements a, b ∈ A is often denoted by ab.

Example 3.2.

1. The additive groups Z, Q, R, C, are commutative rings.

2. The group R[X] of polynomials in one variable with real coefficients is a ring under
multiplication of polynomials. It is a commutative ring.

3. The group of n × n matrices Mn (R) is a ring under matrix multiplication. However, it

is not a commutative ring.

4. The group C(]a, b[) of continuous functions f : ]a, b[→ R is a ring under the operation
f · g defined such that
(f · g)(x) = f (x)g(x)
for all x ∈]a, b[.

When ab = 0 with b 6= 0, we say that a is a zero divisor . A ring A is an integral domain

(or an entire ring) if 0 6= 1, A is commutative, and ab = 0 implies that a = 0 or b = 0, for
all a, b ∈ A. In other words, an integral domain is a nontrivial commutative ring with no
zero divisors besides 0.

Example 3.3.

1. The rings Z, Q, R, C, are integral domains.

2. The ring R[X] of polynomials in one variable with real coefficients is an integral domain.

3. For any positive integer, n ∈ N, the group Z/nZ is a group under addition. We can
also define a multiplication operation by

a · b = ab = ab mod n,

for all a, b ∈ Z. The reader will easily check that the ring axioms are satisfied, with 0
as zero and 1 as multiplicative unit. The resulting ring is denoted by Z/nZ.2 Observe
2
The notation Zn is sometimes used instead of Z/nZ but it clashes with the notation for the n-adic
integers so we prefer not to use it.
56 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

that if n is composite, then this ring has zero-divisors. For example, if n = 4, then we
have
2 · 2 ≡ 0 (mod 4).
However, the reader should prove that Z/nZ is an integral domain iff n is prime (in
fact, it is a field).

4. The ring of n × n matrices Mn (R) is not an integral domain. It has zero divisors.

A homomorphism between rings is a mapping preserving addition and multiplication

(and 0 and 1).

Definition 3.9. Given two rings A and B, a homomorphism between A and B is a function
h : A → B satisfying the following conditions for all x, y ∈ A:

h(x + y) = h(x) + h(y)

h(xy) = h(x)h(y)
h(0) = 0
h(1) = 1.

Actually, because B is a group under addition, h(0) = 0 follows from

h(x + y) = h(x) + h(y).

Example 3.4.

1. If A is a ring, for any integer n ∈ Z, for any a ∈ A, we define n · a by

n·a=a
| + ·{z
· · + a}
n

if n ≥ 0 (with 0 · a = 0) and
n · a = −(−n) · a
if n < 0. Then, the map h : Z → A given by

h(n) = n · 1A

is a ring homomorphism (where 1A is the multiplicative identity of A).

2. Given any real λ ∈ R, the evaluation map ηλ : R[X] → R defined by

ηλ (f (X)) = f (λ)

for every polynomial f (X) ∈ R[X] is a ring homomorphism.

3.4. RINGS AND FIELDS 57

A ring homomorphism h : A → B is an isomorphism iff there is a homomorphism g : B →

A such that g ◦ f = idA and f ◦ g = idB . Then, g is unique and denoted by h−1 . It is easy
to show that a bijective ring homomorphism h : A → B is an isomorphism. An isomorphism
from a ring to itself is called an automorphism.
Given a ring A, a subset A0 of A is a subring of A if A0 is a subgroup of A (under
addition), is closed under multiplication, and contains 1. If h : A → B is a homomorphism
of rings, then for any subring A0 , the image h(A0 ) is a subring of B, and for any subring B 0
of B, the inverse image h−1 (B 0 ) is a subring of A.
A field is a commutative ring K for which A − {0} is a group under multiplication.
Definition 3.10. A set K is a field if it is a ring and the following properties hold:
(F1) 0 6= 1;
(F2) K ∗ = K − {0} is a group w.r.t. ∗ (i.e., every a 6= 0 has an inverse w.r.t. ∗);
(F3) ∗ is commutative.
If ∗ is not commutative but (F1) and (F2) hold, we say that we have a skew field (or
noncommutative field ).

Note that we are assuming that the operation ∗ of a field is commutative. This convention
is not universally adopted, but since ∗ will be commutative for most fields we will encounter,
we may as well include this condition in the definition.
Example 3.5.
1. The rings Q, R, and C are fields.
2. The set of (formal) fractions f (X)/g(X) of polynomials f (X), g(X) ∈ R[X], where
g(X) is not the null polynomial, is a field.
3. The ring C(]a, b[) of continuous functions f : ]a, b[→ R such that f (x) 6= 0 for all
x ∈]a, b[ is a field.
4. The ring Z/pZ is a field whenever p is prime.

A homomorphism h : K1 → K2 between two fields K1 and K2 is just a homomorphism

between the rings K1 and K2 . However, because K1∗ and K2∗ are groups under multiplication,
a homomorphism of fields must be injective.
First, observe that for any x 6= 0,

1 = h(1) = h(xx−1 ) = h(x)h(x−1 )

and
1 = h(1) = h(x−1 x) = h(x−1 )h(x),
58 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

so h(x) 6= 0 and
h(x−1 ) = h(x)−1 .
But then, if h(x) = 0, we must have x = 0. Consequently, h is injective.
A field homomorphism h : K1 → K2 is an isomorphism iff there is a homomorphism
g : K2 → K1 such that g ◦ f = idK1 and f ◦ g = idK2 . Then, g is unique and denoted by h−1 .
It is easy to show that a bijective field homomorphism h : K1 → K2 is an isomorphism. An
isomorphism from a field to itself is called an automorphism.
Since every homomorphism h : K1 → K2 between two fields is injective, the image f (K1 )
is a subfield of K2 . We also say that K2 is an extension of K1 . A field K is said to be
algebraically closed if every polynomial p(X) with coefficients in K has some root in K; that
is, there is some a ∈ K such that p(a) = 0. It can be shown that every field K has some
minimal extension Ω which is algebraically closed, called an algebraic closure of K. For
example, C is the algebraic closure of both Q and C.
Given a field K and an automorphism h : K → K of K, it is easy to check that the set
Fix(h) = {a ∈ K | h(a) = a}
of elements of K fixed by h is a subfield of K called the field fixed by h.
If K is a field, we have the ring homomorphism h : Z → K given by h(n) = n · 1. If h
is injective, then K contains a copy of Z, and since it is a field, it contains a copy of Q. In
this case, we say that K has characteristic 0. If h is not injective, then h(Z) is a subring of
K, and thus an integral domain, which is isomorphic to Z/pZ for some p ≥ 1. But then, p
must be prime since Z/pZ is an integral domain iff it is a field iff p is prime. The prime p is
called the characteristic of K, and we also says that K is of finite characteristic.
If K2 is a field extension of K1 , then K2 is a vector space over K1 . If the K1 -vector space
K2 has finite dimension m, we say that K2 is an extension of degree m over K1 . The degree
of K2 over K1 is denoted by [K2 : K1 ].
Finite fields are necessarily of finite characteristic. They can be completely classified,
which is the object of the next section.

3.5 The Structure of Finite Fields

Suppose K is a field of characteristic p. For every i, with 0 ≤ i ≤ p, the binomial coefficient
p


i
is given by  
p p!
= ,
i i!(p − i)!
so if 1 ≤ i ≤ p − 1, we have    
p p−1
i =p .
i i−1
Since 1 ≤ i ≤ p − 1 and p is prime, we have gcd(p, i) = 1, and so p divides pi .


3.5. THE STRUCTURE OF FINITE FIELDS 59

Proposition 3.32. If K is a field of characteristic p, the map (Frobenius map) σ : K → K

given by
σ(a) = ap
is an isomorphism of K onto a subfield of K denoted K p .
Proof. Since K is commutative, it is clear that σ(ab) = σ(a)σ(b). Obviously σ(0) = 0 and
p


σ(1) = 1. By the binomial formula and
using the fact that p divides i for i = 1, . . . , p − 1,
since K has characteristic p, we have pi = 0 for i = 1, . . . , p − 1, so we have

σ(a + b) = (a + b)p
p−1  
p
X p p−i i
=a + a b + bp
i=1
i
= ap + bp = σ(a) + σ(b).

Therefore, σ is a homomorphism, and as we remarked earlier, it is injective.

The field Z/pZ with p prime is also denoted by Fp . Here is the structure theorem for
finite fields (after J.P. Serre).
Theorem 3.33. Let K be a finite field.
(i) The field K is of characteristic p ≥ 2 (p prime). If K is of degree m over Fp , then K
has q = pm elements.
(ii) Let p be any prime, let m be any natural number m ≥ 1, and write q = pm . For any
algebraicaly closed field Ω of characteristic p, there exists a unique subfield Fq of Ω with
q elements. The map σq : Ω → Ω given by σq (x) = xq is an automorphism of Ω, and
the field Fq is the set of roots of the polynomial X q − X; that is, Fq = Fix(σq ).
(iii) Every finite field with q = pm elements is isomorphic to Fq .
Proof. (i) Since K is finite, the map Z −→ K given by n 7→ n · 1 cannot be injective, so K
must have characteristic p ≥ 2, and it contains Fp as a subfield. If K has dimension m as a
vector space over Fp , then it is obvious that K has pm elements.
(ii) We know from proposition 3.32 that the map σ : Ω → Ω given by σ(x) = xp is an
injective homomorphism. Since σq = σ m , the map σq is also an injective homomorphism.
Since Ω is algebraically closed, for any a ∈ K, the polynomial X q − a has a root in Ω, which
shows that σq is also surjective, thus an automorphism of Ω. Then, the field Fq fixed by σq
is a subfield of Ω. Since Fq is also the set of roots of the polynomial X q − X, it has at most
q roots. We claim that F (X) = X q − X has simple roots. From a result of algebra, this is
the case if the derivative F 0 (X) of F (X) is not the zero polynomial. But, since we are in
characteristic p and m ≥ 1, we have

F 0 (X) = qX q−1 − 1 = ppm−1 X q−1 − 1 = −1

60 CHAPTER 3. BASIC FACTS ABOUT GROUPS, AND NUMBER THEORY

so F 0 (X) is not zero. Therefore, F (X) has exactly q roots, and Fq has q = pm elements.
If K is any other subfield of Ω with q elements, since the multiplicative group K ∗ of K
is a finite group of order q − 1, we have

xq−1 = 1, for all x ∈ K ∗ ,

and so
xq − x = 0 for all x ∈ K,
which shows that K is fixed by σq , and so K ⊆ Fq . Since |K| = Fq | = q, we must have
K = Fq .
(iii) If K is a finite field with q = pm elements, then the reasoning in (ii) shows that K
is the set of roots of the polynomial F (X) = X q − X. This means that K is the splitting
field of Fp (the smallest field extension of Fp in which F (X) has all its roots). But, as Ω is
algebraically closed and contains a copy of Fp , it contains a splitting field K 0 of Fp . Since any
two splitting fields are isomorphic (see Lang [10], Chapter 5), the field K can be embedded
in Ω (as K 0 ), so by (ii) K is isomorphic to Fq .

Using Theorem 3.13, we obtain the following important result.

Theorem 3.34. For every prime p and every integer m ≥ 1, the multiplicative group F∗pm
of the finite field Fpm is a cyclic group with pm − 1 elements.

Proof. For any divisor d of pm − 1, the polynomial X d − 1 has at most d roots in F∗pm ,
therefore by Theorem 3.13, the group F∗pm is cyclic.

Any generator of F∗pm is called a primitive root of unity (to be more precise, a primitive
(pm − 1)th root of unity). Observe that the proof of theorem 3.34 actually shows that every
finite subgroup of the multiplicative subgroup K ∗ of any field K is cyclic.
Chapter 4

The Miller–Rabin Test

4.1 The Fermat Test; F -Witnesses and F -Liars

This chapter is heavily inspired by Dietzfelbinger [4] and Crandall and Pomerance [3]. The
Miller–Rabin test makes use of two basic properties of the prime numbers:
(1) Fermat’s little theorem, which says that if p is a prime and if a is any integer which is
not a multiple of p, then
ap−1 ≡ 1 (mod p).
Usually, we assume that 1 ≤ a ≤ p − 1.

(2) If p is a prime, then 1 has only trivial square roots, which means that the only solutions
a with 1 ≤ a ≤ p − 1 of the congruence

a2 ≡ 1 (mod p)

are a = 1 and a = p − 1.

To prove (2), observe that if a2 ≡ 1 (mod p), then a2 − 1 = (a + 1)(a − 1) is divisible by

p, and since p is prime, either p divides a − 1 or p divides a + 1. Because 1 ≤ a ≤ p − 1, we
conclude that a = 1 or a = p − 1. On the other hand, 1 and p − 1 are always square roots
of unity modulo p (even if p is not prime), since 12 ≡ 1 (mod p) and (p − 1)2 ≡ (−1)2 ≡ 1
(mod p).
It turns out that 1 and −1 are the only square roots of unity modulo n iff n is of the form
4, pm , or 2pm , where p is an odd prime.1 To prove this fact, we use the following proposition.
Proposition 4.1. If p is an odd prime, then there are exactly two square roots of unity
modulo pm and 2pm (m ≥ 1), namely 1 and −1. There is a unique square root of unity
modulo 2 (i.e. 1), two square roots of unity modulo 4 (i.e. ±1), and four square root of unity
modulo 2m if m ≥ 3, namely ±1 and 2m−1 ± 1.
1
I thank Peter Freyd for communicating this result to me.

61
62 CHAPTER 4. THE MILLER–RABIN TEST

Proof. First, assume that n = pm with p an odd prime In this case, we know that primitive
roots modulo pm exist, so pick one, say g. Then, every x ∈ (Z/pm Z)∗ can be written as x = g i ,
with 1 ≤ i ≤ ϕ(pm ) = pm−1 (p − 1), and x2 ≡ 1 (mod pm ) is equivalent to g 2i ≡ 1 (mod pm ).
Since g has order ϕ(pm ), the conguence g 2i ≡ 1 (mod pm ) holds iff ϕ(pm ) = pm−1 (p − 1)
divides 2i, that is, iff pm−1 ((p − 1)/2 divides i (since p is odd). Since 1 ≤ i ≤ pm−1 (p − 1),
there are only two possibilities: i = pm−1 ((p − 1)/2 and i = pm−1 ((p − 1), which correspond
to x = −1 and x = 1.
The case n = 2pm is analogous, since primitive roots also exist and since ϕ(2pm ) = ϕ(pm ).
The cases n = 2 and n = 4 are clear.
Assume that n = 2m with m ≥ 3. We are seeking solutions of the congruence x2 ≡ 1
(mod 2m ), with 1 ≤ x ≤ 2m − 1. Note that

(2m−1 + x)2 ≡ 22m−2 + 2m x + x2 ≡ x2 (mod 2m )

since m ≥ 3. Therefore, it is sufficient to find solutions x such that 1 ≤ x ≤ 2m−1 − 1. We

have x2 ≡ 1 (mod 2m ) iff (x − 1)(x + 1) ≡ 0 (mod 2m ), so there are three mutally exclusive
possibilities:

1. x ≡ 1 (mod 2m ). Since 1 ≤ x ≤ 2m − 1, we must have x = 1.

2. x ≡ −1 ≡ 2m − 1 (mod 2m ). Since 1 ≤ x ≤ 2m−1 − 1, this case is impossible.

3. x − 1 = h2i and x + 1 = k2m−i , with 1 ≤ i ≤ m − 1 and h, k > 0.

In the third case, we deduce that

x = h2i−1 + k2m−i−1
1 = k2m−i−1 − h2i−1 .

If 2 ≤ i ≤ m − 2, then 1 is divisible by 2, which is absurd. Therefore i = 1 or i = m − 1.

If i = 1, since x+1 = k2m−i , we have x = k2m−1 −1, and since k > 0 and 1 ≤ x ≤ 2m−1 −1,
we must have k = 1, so
x = 2m−1 − 1.
Since m ≥ 3, we have 2m−1 − 1 6≡ 1 (mod 2m ), and 2m−1 − 1 is a square root of unity distinct
from 1.
If i = m − 1, since x − 1 = h2i , we have x = h2m−1 + 1, and since 1 ≤ x ≤ 2m−1 − 1 and
h > 0, this case is impossible.
In summary, we proved that there are exactly two square roots of unity x = 1 and
x = 2m−1 − 1 such that 1 ≤ x ≤ 2m−1 − 1, and thus, exactly four square roots of unity
modulo 2m ; namely ±1 and 2m−1 ± 1.
4.1. THE FERMAT TEST; F -WITNESSES AND F -LIARS 63

Remark: The fact that there are precisely four square roots of unity modulo 2m when m ≥ 3
follows immediately from the fact that (Z/2m Z)∗ is isomorphic to the direct product of the
two cyclic subgroups {−1, 1} and h5i, both of even order (see Theorem 3.31).
Now, we can determine the exact number of square roots of unity modulo n.
Theorem 4.2. For any natural number n > 1, if the prime factorization of n is
n = 2m pj11 · · · pjkk ,
where p1 , . . . , pk are distinct odd primes and m + k ≥ 1, then the number s of disinct square
roots of unity modulo n is given by

k
2
 if m = 0 and k ≥ 1 or m = 1 and k ≥ 0
s = 2k+1 if m = 2 and k ≥ 0

 k+2
2 if m ≥ 3 and k ≥ 0.
Proof. First, consider the case where m = 0. Since p1 , . . . , pk are pairwise relatively prime,
the congruence x2 ≡ 1 (mod n) is equivalent to the k congruences
x2 ≡ 1 (mod pj11 )
..
.
x2 ≡ 1 (mod pj1k ).

From Proposition 4.1, each congruence x2 ≡ 1 (mod pj1i ) has the two solutions x = 1 and
j
x = −1 modulo pj i . By the Chinese remainder theorem, there is a bijection between the
set of solutions x modulo n and the set of k tuples of solutions (x1 , . . . , xk ) where xi is a
j
solution modulo pj i , and since there are 2k solutions (x1 , . . . , xk ) with xi = ±1, there are 2s
square roots modulo n.
If k = 0, then Proposition 4.1 says that the congruence x2 ≡ 1 (mod 2m ) has one solution
if m = 1, two solutions if m = 2, and 4 solutions if m ≥ 3.
If m ≥ 1 and k ≥ 1, since 2, p1 , . . . , pk are pairwise relatively prime, the congruence
2
x ≡ 1 (mod n) is equivalent to the k + 1 congruences
x2 ≡ 1 (mod 2m )
x2 ≡ 1 (mod pj11 )
..
.
x2 ≡ 1 (mod pj1k ).

Again, we use the Chinese remainder theorem. Each congruence x2 ≡ 1 (mod pj1i ) has the
two solutions 1 and −1, and the congruence x2 ≡ 1 (mod 2m ) has one solution if m = 1, two
solutions if m = 2, and 4 solutions if m ≥ 3. Therefore, there are 2k square roots if m = 1,
2 × 2k = 2k+1 square roots if m = 2, and 4 × 2k = 2k+2 square roots if m = 3.
64 CHAPTER 4. THE MILLER–RABIN TEST

For example, if p = 91 = 7 × 13, then 272 = 729 = 8 × 91 + 1, so 27 is a square root of 1

(mod 91). The other nontrivial square root of 1 (mod 91) is 64.
If we find some nontrivial square root of unity a modulo p, then we know that p is
composite (and a is a witness to the fact that p is composite). Unfortunately, if p is composite,
unless the number k of distinct primes dividing p is large, the number of nontrivial square
roots of unity modulo p (at most 2k+2 − 2) is a lot smaller than p, so it is not practical to
test a randomly chosen a ∈ {2, . . . , p − 2}.
Going back to (1), observe that if n ≥ 2, then by the binomial formula, we have

(n − 1)n−1 ≡ (−1)n−1 (mod n).

Consequently, if n ≥ 3 is odd, then

(n − 1)n−1 ≡ 1 (mod n),

and if n ≥ 4 is even, then

(n − 1)n−1 ≡ −1 (mod n).
(In the special case where n = 2, we have 1 ≡ −1 (mod 2).) Now, for any natural number
n ≥ 4, if 2 ≤ a ≤ n − 2 and if
ap−1 6≡ 1 (mod n),
then n is not prime, since Fermat’s little theorem does not hold. Since all primes except 2
are odd integers, we only need to test odd integers for compositeness and this suggests the
following test:
Fermat test: For any odd integer n ≥ 5, pick randomly some a ∈ {2, . . . , n − 2}.
If an−1 6≡ 1 (mod n), then return “n is composite,” else return “n is a probable prime.”
Of course, we compute exponentiation modulo n using fast algorithms based on repeated
squaring.

Definition 4.1. Let n ∈ N be any integer such that n ≥ 3.

(1) An integer a such that 2 ≤ a ≤ n − 1 is called a Fermat witness, for short an F -witness
for n, if an−1 6≡ 1 (mod n).

(2) If n is an odd composite, then an integer a with 1 ≤ a ≤ n − 1 is a Fermat liar , for

short an F -liar for n, if an−1 ≡ 1 (mod n). The set of F -liars for n is denoted by LFn .

Every even number n ≥ 4 has n − 1 has an F -witness. This is a bit of an overkill, since
every positive even number, except 2, is a composite. The number 1 is a trivial F -liar, and
by a previous observation, when n is an odd composite, n − 1 is always an F -liar.
A composite number n ≥ 4 such a ≥ 2 is an F -liar for n is called a Fermat pseudoprime
base a (for short, a pseudoprime base a).
4.1. THE FERMAT TEST; F -WITNESSES AND F -LIARS 65

It can be checked that 2 is an F -witness for all integers n ≥ 3 up to n = 340. However,

for n = 341 = 11 × 31, we get
2340 ≡ 1 (mod 341),
so 2 is an F -liar for 341, and 341 is a pseudoprime base 2. If we try a = 3, we find that

3340 ≡ 56 (mod 341),

so 3 is an F -witness for 341, and 341 is not a pseudoprime base 3. On the other hand, it is
easy to check that 91 = 7 × 13 is not a pseudoprime base 2, but it is a pseudoprime base 3.
The above considerations suggest the following question: if n ≥ 3 is a (odd) composite,
does it necessarily have some F -witness? The answer is yes, but this is not of practical use.
Recall that if n ≥ 2, the group (Z/nZ)∗ is the multiplicative group of units of the ring
Z/nZ; that is,
(Z/nZ)∗ = {a ∈ N | 1 ≤ a ≤ n − 1, gcd(a, n) = 1}.
Here and in several places later, with a slight abuse of notation, we are identifying the
equivalence class a of a with its representative a mod n.
The order (number of elements) of (Z/nZ)∗ is ϕ(n), where ϕ(n) is the number of integers
a, with 1 ≤ a ≤ n, which are relatively prime to n (gcd(a, n) = 1). The function n 7→ ϕ(n)
is the Euler ϕ-function, or totient function. We have ϕ(1) = 1, if p is prime and r ≥ 1, then
ϕ(pr ) = pr −pr−1 = pr−1 (p−1), and if m, n ≥ 1 and gcd(m, n) = 1, then ϕ(mn) = ϕ(m)ϕ(n);
see Section 3.2 and Proposition 3.20 for details.
Proposition 4.3. For any integer n ≥ 2, the following properties hold:
(1) For any integer a such that 1 ≤ a ≤ n − 1, if ar ≡ 1 (mod n) for some r ≥ 1, then
a ∈ (Z/nZ)∗ .

(2) If an−1 ≡ 1 (mod n) for all a with 1 ≤ a ≤ n − 1, then n is prime.

Proof. (a) if r = 1, then we must have a = 1, and if r ≥ 2, then ar−1 a ≡ 1 (mod n) shows
that a is a unit, so in both cases a ∈ (Z/nZ)∗ .
(b) If an−1 ≡ 1 (mod n) for all a with 1 ≤ a ≤ n − 1, then by (a), we have (Z/nZ)∗ =
{1, . . . , n − 1}, so gcd(a, n) = 1 for all a = 2, . . . , n − 1, which implies that n is prime.

By Proposition 4.3 (b), if n ≥ 4 is a composite, then it must have some F -witness.

Furthermore, by (a), the n − 1 − ϕ(n) elements of the set

{1, . . . , n − 1} − (Z/nZ)∗ = {a ∈ N | 2 ≤ a ≤ n − 2 | gcd(a, n) > 1}

must be F -witnesses (an−1 6≡ 1 (mod n)).

Unfortunately, this set is very slim for many composite numbers. For example, if n = pq
is the product of two distinct primes p and q, then this sets contains pq − 1 − (p − 1)(q − 1) =
66 CHAPTER 4. THE MILLER–RABIN TEST

p + q − 2 elements. If p and q are roughly equal, then p + q − 2 is very small in comparison

to n = pq.
The case n = 91 = 7 × 13 gives us a concrete idea of what is going on. There are 18
F -witnesses not in (Z/91Z)∗ (multiples of 7 and 13):

7, 14, 21, 28, 35, 42, 49, 56, 63, 70, 77, 84
13, 26, 39, 52, 65, 78.

There are 36 F -witnesses in (Z/91Z)∗ :

2, 5, 6, 8, 11, 15, 18, 19, 20, 24, 31, 32,

33, 34, 37, 41, 44, 45, 46, 47, 50, 54, 57, 58,
59, 60, 67, 71, 72, 73, 76, 80, 83, 85, 86, 89.

Finally, there and 36 F -liars (necessarily in (Z/91Z)∗ );

1, 3, 4, 9, 10, 12, 16, 17, 22, 23, 25, 27,

29, 30, 36, 38, 40, 43, 48, 51, 53, 55, 61, 62,
64, 66, 68, 69, 74, 75, 79, 81, 82, 87, 88, 90.

The Fermat test gives the wrong answer if the random choice for a hits one the 34 F -liars
other and 1 and 90, which has probabilty 34/88 = 17/44. Observe that 17/34 < 1/2. This
is a general fact, provided that the odd composite n has some F -witness in (Z/nZ)∗ . This
follows from the interesting fact that the set LFn of F -liars is a subgroup of (Z/nZ)∗ .
Proposition 4.4. For any integer n ≥ 2, the set LFn of F -liars is a subgroup of (Z/nZ)∗ .
Furthermore, if n is an odd composite and if n possesses at least some F -witness in (Z/nZ)∗ ,
then the probability that the Fermat test gives the wrong answer (n is prime) is at most 1/2.
Proof. Since 1 ≡ 1 (mod n), we have 1 ∈ LFn . Since (Z/nZ)∗ is a finite group, to show that
LFn is a subgroup, it suffices to show closure under multiplication. If an−1 ≡ 1 (mod n) and
bn−1 ≡ 1 (mod n), then (ab)n−1 ≡ an−1 bn−1 ≡ 1 (mod n), as desired.
By Lagrange’s theorem, the order |LFn | of LFn divides the order ϕ(n) of (Z/nZ)∗ . If
there is some F -witness in (Z/nZ)∗ , then LFn is a proper subgroup of (Z/nZ)∗ . Since n is a
composite and since LFn is a proper subgroup, we deduce that ϕ(n) < n − 1 and that |LFn | is
a proper divisor of ϕ(n), which implies that

|LFn | ≤ (n − 2)/2.

Thus, the probability that some a chosen in {2, . . . , n − 2} belongs to LFn − {1, n − 1} is
bounded by
(n − 2)/2 − 2 n−6 1
= < ,
n−3 2(n − 3) 2
since 2n − 12 < 2n − 6.
4.2. CARMICHAEL NUMBERS 67

The good news about Proposition 4.4 is that if n is an odd composite and if n has some
F -witness in (Z/nZ)∗ , then the probability that the Fermat test gives the wrong answer is
less than 1/2. By repeating the test ` times, each time choosing randomly and independently
some a in {2, . . . , n − 2}, we can make the probability of failure less than (1/2)` .2

4.2 Carmichael Numbers

The bad news is that there exist odd composites n such that LFn = (Z/nZ)∗ ; that is, n has
no F -witness in (Z/nZ)∗ . The smallest such number is 561 = 2 × 11 × 17. This number is a
pseudoprime in any base relatively prime to 561. Such “nasty” numbers were first discovered
by R. Carmichael in 1910, and motivates the following definition.

Definition 4.2. An integer n ≥ 3 for which an−1 ≡ 1 (mod n) for all a ∈ {2, . . . , n − 1},
with gcd(a, n) = 1, is called a probable prime. A composite integer n ≥ 3 which is a probable
prime is called a Carmichael number .

If n ≥ 4 is even, we observed that n − 1 is an F -witness for n, so a Carmichael number

must be odd.
Unfortunately for primality testing, there are infinitely many Carmichael numbers. This
fact was proved in 1994 by Alford, Granville and Pomerance. They also proved that there is
some integer x0 > 0, such that for all x ≥ x0 , the number C(x) of Carmichael numbers not
exceeding x satisfies C(x) > x2/7 .

Remark: The sufficiently large x0 is not known explicitly, but it is conjectured that it is
the 96th Carmichael number: 8719309.
Other authors define a Carmichael number as a composite integer n ≥ 3 for which

an ≡ a (mod n) for all a ∈ N.

This second definition implies the first (Definition 4.2), because if an ≡ a (mod n) and
gcd(a, n) = 1, then we can divide by a and we obtain an−1 ≡ 1 (mod n). Definition 4.2
implies the second definition, but this requires a little work. We can use of a criterion due
to A. Korselt. This criterion was found in 1899, eleven years before Carmichael actually
produced the first example. Presumably Korselt believed that such numbers did not exist,
and he developed a criterion as a first step in proving this.
2
We have to be careful about which conditional probability we are talking about. In this case, we are con-
sidering the conditional probability that the algorithm lies ` times (fails to report that n is composite), given
that n is composite. However, as a user of the algorithm, it is more useful to know the conditional probability
that n is composite, given that the algorithm runs ` times and each time fails to report that n is composite.
The two conditional probabilities are related by Bayes’s formula. The second conditional probability involves
the density of primes. A computation shows that the probability (1/2)` must be (approximately) multiplied
by ln n. We will come back to this point later on.
68 CHAPTER 4. THE MILLER–RABIN TEST

Theorem 4.5. (Korselt criterion) An integer n ≥ 2 is a Carmichael number iff the following
two conditions hold.
(1) The number n is composite and not divisible by the square of any prime (it is square-
free).
(2) For every prime p, if p divides n then p − 1 divides n − 1.
Proof. First, let n be a Carmichael number.
(1) Assume that n is divisible by the square of some prime p. Since n must be odd, we
can write n = pk m, where p ≥ 3 is a prime, k ≥ 2, and p does not divide m. We produce an
F -witness in (Z/nZ)∗ for n as follows:
Case 1. If m = 1, let a = p + 1. Clearly, gcd(p + 1, pk ) = 1. We claim that an−1 6≡ 1
(mod n). We proceed by contradiction. If an−1 ≡ 1 (mod n), then since p2 divides n, we
have an−1 ≡ 1 (mod p2 ). However, by the binomial formula, we have
n−1  
n−1 n−1
X n−1 i
a ≡ (1 + p) ≡ 1 + (n − 1)p + p ≡ 1 + (n − 1)p (mod p2 ).
i=2
i

Since an−1 ≡ 1 (mod p2 ), we deduce that (n − 1)p ≡ 0 (mod p2 ), which means that p2
divides (n − 1)p, and since p is prime, p divides n − 1. However, n − 1 = pk − 1 with k ≥ 2,
so p does not divide n − 1, a contradiction.
Case 2. If m ≥ 3, then we use the Chinese remainder theorem to find some a with
1 ≤ a < p2 m ≤ n so that
a ≡ p + 1 (mod p2 )
a ≡ 1 (mod m).
Since p2 divides a − (p + 1), the prime p does not divide a, so gcd(a, pk ) = 1. Since
a ≡ 1 (mod m), we also have gcd(a, m) = 1. Because gcd(pk , m) = 1 and n = pk m, we
conclude that gcd(a, n) = 1. We claim that an−1 6≡ 1 (mod n). As in case 1, we proceed
by contradiction. Then, by the same reasoning, we deduce that p divides n − 1. This time,
n − 1 = pk m − 1, and again p does not divide n − 1, a contradiction.
(2) By (1), n is a product of distinct primes. Assume that the prime p divides n. Since
p is prime, the group (Z/pZ)∗ is cyclic (see Theorem 3.21) so pick a generator g (a primitive
root modulo p). By the Chinese remainder theorem, we can find some b such that
b≡g (mod p)
b≡1 (mod n/p).
Since n is a product of distinct primes, the numbers p and n/p have no common factor, so
gcd(b, n) = 1. Since n is a Carmichael number, we have
bn−1 ≡ 1 (mod n),
4.2. CARMICHAEL NUMBERS 69

and since p divides n, we get

g n−1 ≡ bn−1 ≡ 1 (mod p).
Since g has order p − 1, the number p − 1 divides n − 1.
Conversely, assume that (1) and (2) hold. Let a ∈ {1, . . . , n − 1} be any integer such
that gcd(a, n) = 1. For any prime p dividing n, we also have gcd(a, p) = 1, so by Fermat’s
little theorem,
ap−1 ≡ 1 (mod p).
Since p − 1 divides n − 1, we also have
an−1 ≡ 1 (mod p).
Since the prime factors of n are all distinct, we deduce that
an−1 ≡ 1 (mod n),
which shows that n is a Carmichael number.

We leave it as an exercise to prove that if n is a Carmichael number, then

an ≡ a (mod n) for all n ∈ N.
Hint: use Theorem 4.5.
We saw in Theorem 4.5 that every Carmichael numbers contains distinct prime factors.
The number of distinct prime factors must be at least three.
Proposition 4.6. Every Carmichael number contains at least three distinct prime factors.
Proof. We make use of Theorem 4.5. Assume that some Carmichael number n is the product
of two distinct primes p and q. We may suppose that p < q. By Theorem 4.5, property (2)
says that p − 1 and q − 1 both divide n − 1. But, n − 1 = pq − 1 = p(q − 1) + p − 1, so
n−1 ≡ p−1 (mod (q −1)), and p−1 6≡ 0 (mod (q −1)) since q > p > 3, a contradiction.

If n is a Carmichael number, then LFn = (Z/nZ)∗ , so the set {1, . . . , n − 1} − (Z/nZ)∗ of

F -witnesses is quite thin, and the probabilty that the Fermat test gives the wrong answer
(n is prime) is
ϕ(n) − 2 ϕ(n) Y  1

> = 1− .
n−3 n p is prime
p
p|n

This bound is annoyingly close to 1 if n has only few large prime factors. For example, if
n = 651693055693681 = 72931 × 87517 × 102103,
we find that ϕ(n)/n > 0.99996. Repeating the test does not help, because if n has only 3
or 4 factors and if the smallest prime factor is p0 , then it is not hard to see that we would
have to repeat the test a number of times proportional to p0 to make the error probability
less than 1/2. Therefore, a new idea is necessary to break the curse of Carmichael numbers.
70 CHAPTER 4. THE MILLER–RABIN TEST

4.3 The Miller–Rabin Test; MR-Witnesses and MR-

Liars
The new idea is to make use of the nontrivial square root of unity test. If n ≥ 3 is an odd
integer, we can factor the largest power of 2 in n − 1; that is, we write

n − 1 = 2k t,

where t is odd. The point is that if n is prime, then for any a which is not a multiple of n,
i
the residues of at and a2 t (with 0 ≤ i ≤ k − 1) modulo n must satisfy some special condition.

Proposition 4.7. Let n be an odd prime, and write

n = 2k t, with t odd and k ≥ 1.

For any natural number a which is not a multiple of n, one of the following two conditions
must hold:

(1) either at ≡ 1 (mod n),

i
(2) or a2 t ≡ n − 1 (mod n), for some i with 0 ≤ i ≤ k − 1.

Proof. By Fermat’s little theorem, we have

an−1 ≡ 1 (mod n),

that is
k
a2 t ≡ 1 (mod n).
This implies that if we consider the list
2 k−1 t k
b0 = at , b1 = a2t , b2 = a2 t , . . . , bk−1 = a2 , bk = a2 t = an−1 ,

the last number is congruent to 1 modulo n, and since

i+1
 i 2
a2 t = a2 t ,

we have bi+1 = b2i , for i = 0, . . . , k − 1. There are only two possibilities:

(i) We have b0 = at ≡ 1 (mod n).

(ii) There is some bi such that bi 6≡ 1 (mod n), but b2i ≡ 1 (mod n), for some i with
0 ≤ i ≤ k − 1. Because n is prime, we know that b2i ≡ 1 (mod n) implies that bi ≡ ±1
(mod n), and since +1 is ruled out, we must have bi ≡ −1 ≡ n − 1 (mod n).

Case (i) corresponds to case (1) and case (ii) corresponds to case (2).
4.3. THE MILLER–RABIN TEST; MR-WITNESSES AND MR-LIARS 71

Proposition 4.7 implies that if we can find some natural number a such that

(a) at 6≡ ±1 (mod n), and

i
(b) a2 t 6≡ n − 1 (mod n), for all i with 1 ≤ i ≤ k − 1,

then n must be a composite. Clearly, a 6= 1, but a 6= n − 1 as well, since (n − 1)t ≡ −1,

because t is odd. The above leads to to the following definition.

Definition 4.3. Let n ≥ 3 be any odd integer, and write n − 1 = 2k t, with k ≥ 1 and t odd.

(1) A number a such that 2 ≤ a ≤ n − 2 is a Miller–Rabin witness, for short a MR-witness

for n, if the following two conditions hold:

(a) at 6≡ ±1 (mod n), and

i
(b) a2 t 6≡ n − 1 (mod n), for all i with 1 ≤ i ≤ k − 1.

(2) If n is composite, then any integer a with 1 ≤ a ≤ n − 1 is Miller–Rabin liar , for short
an MR-liar for n, iff a is not an MR-witness for n. The set of MR-liars for n is denoted
by LMRn , and we have

LMR
n = {a ∈ {1, . . . , n − 1}, either at ≡ 1 (mod n),
2i t
or a ≡n−1 (mod n), for some i with 0 ≤ i ≤ k − 1}.

The numbers a = 1 and a = n − 1 are trivial MR-liars. Observe that every MR-liar is
an F -liar: If at ≡ 1 (mod n), then

2k k
an−1 ≡ at ≡ (1)2 ≡ 1 (mod n),
i
and if a2 t ≡ n − 1 (mod n), for some i with 0 ≤ i ≤ k − 1, then
 i 2k−i k−i
n−1
a ≡ a2 t ≡ (−1)2 ≡ 1 (mod n),

since i ≤ k − 1.
Thus, LMR
n ⊆ LFn , but unfortunately, LMR
n is not a group. For example, if n = 325 =
2 2
5 × 13, then n − 1 = 2 × 81, and it is easy to verify that

72×81 ≡ 324 (mod 325)

322×81 ≡ 324 (mod 325)
22481 ≡ 274 (mod 325)
2242×81 ≡ 1 (mod 325)
2 ×81
2242 ≡1 (mod 325),
72 CHAPTER 4. THE MILLER–RABIN TEST

so 7 and 32 are both MR-liars, but their product 224 is a MR-witness. When n is not a
Carmichael number, LMRn is contained in LFn which is a proper subgroup of (Z/nZ)∗ , so the
proportion of MR-liars is less than 1/2, but when n is a Carmichael number, we need to find
another proper subgroup of (Z/nZ)∗ containing LMR n . Fortunately, this is possible.

An odd composite number n such that a with 2 ≤ a ≤ n − 2 is an MR-liar for n is called

a strong pseudoprime base a.
Because every MR-liar is an F -liar, every strong pseudoprime base a is a pseudoprime
base a. The converse is false.
For example, we saw earlier that n = 341 is a pseudoprime base 2. But 341 is not a strong
pseudoprime base 2, because 340 = 22 × 85, 285 ≡ 32 (mod 341), and 22×85 ≡ 1 (mod 341),
so 2 is an MR-witness for 341. In fact, 32 is a nontrivial square root of unity modulo 341.
Here is an example of a pseudoprime base 10 which is also a strong pseudoprime base
10, namely n = 91. Indeed, 90 = 2 × 45, and 1045 ≡ 90 (mod 91), which shows that 10 is
an MR-liar.
The Carmichael number n = 561 = 2 × 11 × 17 is a pseudoprime for every base relatively
prime to 561, and 560 = 24 × 35. For a = 2, we obtain

235 ≡ 263 (mod 561)

22×35 ≡ 2632 ≡ 166 (mod 561)
2 ×35
22 ≡ 1662 ≡ 67 (mod 561)
23 ×35
2 ≡ 672 ≡ 1 (mod 561)

Since 263 6≡ ±1 (mod 561), and 166, 67, 1 6≡ 560 (mod 561), the number 2 is an MR-witness
for 561, which is not a strong pseudoprime base 2.
We leave it as an exerxise to check that if n = 172947529, then n − 1 = 23 × 21618441,
with a = 17, we get
1721618441 ≡ 1 (mod 172947529),
so 17 is not an MR-witness for 172947529. With a = 3, we get

321618441 ≡ −1 (mod 172947529),

and 3 is not an MR-witness for 172947529 either. However, a = 23 is an MR-witness for

172947529, which happens to be a Carmichael number with factorization

172947529 = 307 × 613 × 919.

The idea to use the sequence b0 , . . . , bk of Proposition 4.7 to design a test for compos-
iteness was suggested around 1976 by J. Selfridge. Also around 1976, G. Miller designed
a deterministic test whose polynomial running time depends on the truth of the Extended
4.3. THE MILLER–RABIN TEST; MR-WITNESSES AND MR-LIARS 73

Riemann Hypothesis (for short, ERH), a yet famous unproved number-theoretic conjecture.
We will say a little more about it later. Some years later, around 1980, M. Rabin (and
independently L. Monier) found a way of making Miller’s test into a randomized algorithm.
This algorithm is now know as the Miller–Rabin test. Here it is.
Miller–Rabin test
The input is an odd integer n > 3.

procedure miller-rabin(n)
begin
Decompose n as n − 1 = 2k t, with t odd
Choose random integer a ∈ {2, . . . , n − 2};
b := at mod n;
if b = 1 or b = n − 1 then c := 0; return c; exit;
(∗ n is a strong pseudoprime base a ∗)
for i = 1 to k − 1 do
b := b2 mod n;
if b = n − 1 then c := 0; return c; exit
(∗ n is a strong pseudoprime base a ∗)
if b = 1 then c := 1; return c; exit (∗ n is composite ∗)
endfor ;
c := 1; return c (∗ n is composite ∗)
end

We need to show that the algorithm behaves correctly; that is, we need to show that n is
indeed composite when it returns the output c = 1 (“composite”). There are two ways that
i
this can happen. Let b0 = at mod n and ai = a2 t mod n, for i = 1, . . . , k.
(a) For some i, 1 ≤ i ≤ k − 1, the algorithm finds that b = 1. In order to reach this
condition, it must be the case that b0 , b1 , . . . , bi−1 ∈
/ {1, n − 1}, since otherwise the
program would have stopped. As soon as bi = 1, we also have bi+1 = . . . = bk = 1. But
then, b0 ∈
/ {1, −1} and bi 6= n − 1 for i = 1, . . . , k − 1, so a is an MR-witness and n is
indeed composite.

(b) The program goes trough all k − 1 rounds through the for loop and returns c = 1
(“composite”). In this case, all the tests (in the if statements) have failed, and we
must have bi ∈
/ {1, n − 1} for i = 0, . . . , k − 1. Again a is an MR-witness and n is
composite.

The computational complexity of this algorithm depends on what kind of fast algorithm
is used to compute exponentiation modulo n. As explained in Dietzfelbinger [4] (Chapter 5,
Section 5.2), it takes O(log2 n) arithmetic operations and O((log2 n)3 ) bit operations. If a
faster method is used for integer multiplication, then it takes O∼ ((log2 n)2 ) bit operations.
74 CHAPTER 4. THE MILLER–RABIN TEST

Here, the notation f = O∼ (g) means that f = O(g(log2 (g))k ), for some k ≥ 0; for details,
see Dietzfelbinger [4] (Chapter 2, Sections 2.2 and 2.3). In brief, the Miller–Rabin test is
polynomial in the bit length of the input n (of degree at most 3).
It remains to show that the probability that the Miller–Rabin test gives the wrong answer,
“strong pseudoprime,” when n is a composite, is less than 1/2. Monier and Rabin proved
that this probability is actually less than 1/4, but for now, we show that this probability is
less than 1/2 because the proof is simpler. We follow the nice proof given in Dietzfelbinger
[4] (Chapter 5).
We need to find an upper bound on |LMR MR
n |. As we explained earlier, the set Ln of
F
MR-liars is contained in Ln , but it is not a subgroup.
If n is not a Carmichael number, then LFn is a proper subgroup of (Z/nZ)∗ , so the reason-
ing used in the proof of Proposition 4.4 applies, and the fraction of MR-liars in {2, . . . , n−2}
is less than 1/2.
If n is a Carmichael number, then we can find a proper subgroup Bn of (Z/nZ)∗ that
contains LMR
n as follows. Write n−1 = 2k t, with t odd. Since t is odd, we have (n−1)t ≡ n−1
(mod n), so there is a largest index i ≥ 0 such that there is an MR-liar a0 with
i
a02 t ≡ n − 1 (mod n).

Denote this largest index by i0 . Since n is a Carmichael number, we have

k
a20 t ≡ an−1
0 ≡1 (mod n),

hence 0 ≤ i0 ≤ k − 1. Define Bn by
i
Bn = {a ∈ {1, . . . , n − 1} | a2 0 t mod n ∈ {1, n − 1}}.

The following proposition is the key ingredient.

Proposition 4.8. The set Bn defined above (for a Carmichael number n) has the following
properties:
(1) LMR
n ⊆ Bn .
(2) The set Bn is a subgroup of (Z/nZ)∗ .
(3) The group Bn is a proper subgroup of (Z/nZ)∗ .
Proof. (1) Pick any a ∈ LMR
n .
i
Case 1: at ≡ 1 (mod n). Then, a2 0 t ≡ 1 (mod n) as well, and thus a ∈ Bn .
i
Case 2: a2 t ≡ n − 1 (mod n), for some i with 0 ≤ i ≤ k − 1. By the maximality of i0 ,
we have i ≤ i0 . If i = i0 , then we get immediately that a ∈ Bn . If i < i0 , then
i
 i 2i0 −i
a2 0 t ≡ a2 t mod n ≡ 1 (mod n)
4.3. THE MILLER–RABIN TEST; MR-WITNESSES AND MR-LIARS 75

since i0 − i ≥ 1, and we conclude that a ∈ Bn .

(2) Obviously, 1 ∈ Bn . Since (Z/nZ)∗ , we only need to check that Bn is closed under
i i
multiplication. Pick a, b ∈ Bn . This means that a2 0 t mod n and b2 0 t mod n belong to
{1, n − 1}. Now, we have

1 · 1 ≡ 1 (mod n)
1 · (n − 1) ≡ n − 1 (mod n)
(n − 1) · 1 ≡ n − 1 (mod n)
(n − 1) · (n − 1) ≡ 1 (mod n),

which implies that

i i i
(ab)2 0 t ≡ a2 0 t b2 0 t ≡ 1 or n − 1 (mod n);
that is, ab ∈ Bn , as required.
(3) We need to find some a ∈ (Z/nZ)∗ which does not belong to Bn . We use the fact that
a Carmichael number can be written as the product n = n1 n2 of two distinct odd numbers
n1 and n2 such that gcd(n1 , n2 ) = 1, which is a consequence of the fact that a Carmichael
number is a product of (at least 3) distinct primes.
i
Recall that a0 is an MR-liar with a02 0 t ≡ n − 1 (mod n). Since n1 and n2 divide n, we
i i
also have a20 0 t ≡ n − 1 (mod n1 ) and a02 0 t ≡ n − 1 (mod n2 ). If we let a1 ≡ a0 (mod n1 ),
then by the Chinese remainder theorem, there is a unique a ∈ {0, . . . , n − 1} such that

a ≡ a1 (mod n1 )
a ≡ 1 (mod n2 ).

We claim that a ∈ (Z/nZ)∗ , but a ∈

/ Bn . First, we show that a ∈
/ Bn .
From a1 ≡ a0 (mod n1 ) and a ≡ a1 (mod n1 ), we get a ≡ a0 (mod n1 ), and since
i
a20 0 t ≡ n − 1 (mod n1 ), we get
i
a2 0 t ≡ n − 1 (mod n1 ). (∗)

From a ≡ 1 (mod n2 ), we get

i
a2 0 t ≡ 1 (mod n2 ). (∗∗)
Now, since n1 divides n, (∗) implies that
i
a2 0 t 6≡ 1 (mod n),

and since n2 divides n, (∗∗) implies that

i
a2 0 t 6≡ n − 1 (mod n).
76 CHAPTER 4. THE MILLER–RABIN TEST

i
Consequently, a2 0 t mod n ∈
/ {1, n − 1}, and thus a ∈
/ Bn . It remains to show that a ∈
∗
(Z/nZ) . By squaring (∗) and (∗∗) , we get
i +1 t i +1 t
a2 0 ≡1 (mod n1 ) and a2 0 ≡1 (mod n2 ),
and since gcd(n1 , n2 ) = 1, this yields
i +1 t
a2 0 ≡1 (mod n),
which shows that a ∈ (Z/nZ)∗ (by Proposition 4.3).

Proposition 4.8 shows that if n is a Carmichael number, then LMRn is contained in the
∗ MR
proper subgroup Bn of (Z/nZ) , and by the reasoning used when Ln is contained in the
proper subgroup LFn of (Z/nZ)∗ , we conclude that the fraction of MR-liars in {2, . . . , n − 2}
is also less than 1/2. In summary, we proved the following result.
Theorem 4.9. If n > 3 is an odd composite, then the fraction of MR-liars in {2, . . . , n − 2}
is less than 1/2. Consequently, the probability that the Miller–Rabin test gives the wrong
answer c = 0 (n is a strong pseudoprime base a), given that n is composite, is less than 1/2.

By repeating the Miller–Rabin test ` times, we can make the probability that the algo-
rithm gives the answer c = 0 every time arbitrarily smaller, given that n is composite. Here
is the algorithm.
Algorithm Probable Prime

begin
Decompose n as n − 1 = 2k t, with t odd
for i = 1 to ` do
c = miller-rabin(n);
if c = 1 then res = 1; return res; exit (∗ n is composite ∗)
endfor ;
res = 0; return res (∗ n is a probable prime ∗)
end
If the algorithm stops with res = 1, then n is definitely composite. If n is prime, then
the algorithm will runs through all ` steps and correctly return res = 0. If n is composite,
the algorithm may return the wrong answer res = 0, but the probability that this event
happens is bounded by (1/2)` .
We hinted earlier at the fact that the above conditional probabilily is not really what we
would like to know. To make this point clearer, let us define the events P, C, SP and SP ` by
P = {an odd integer n ≥ 3 is prime}
C = {an odd integer n ≥ 3 is a composite}
SP = {the miller-rabin procedure returns c = 0}
SP ` = {the miller-rabin procedure returns ` times c = 0}.
4.3. THE MILLER–RABIN TEST; MR-WITNESSES AND MR-LIARS 77

Observe that P = C, the complement of C. Then, we have the three conditional probabilities

Pr(P | SP ` ) = Pr(n is not composite | miller-rabin returns ` times c = 0)

= Pr(n is prime | miller-rabin returns ` times c = 0),
Pr(SP ` | P ) = Pr(miller-rabin returns ` times c = 0 | n is not composite)
= Pr(miller-rabin returns ` times c = 0 | n is prime)

and
Pr(SP ` | C) = Pr(miller-rabin returns ` times c = 0 | n is composite).
The third probability Pr(SP ` | C) is the one we have been considering so far, but we should
be more interested in the level of confidence that n is prime given that miller-rabin returns
res = 0, and this is the first probability Pr(P | SP ` ). This point is clearly articulated in
Hoffstein, Pipher and Silverman [8]; most of the literature ignores it, and it is important to
make it perfectly clear. Fortunately, Pr(P | SP ` ) can be obtained using Bayes’s formula:

Pr(SP ` | P )Pr(P )
Pr(P | SP ` ) = .
Pr(SP ` | P )Pr(P ) + Pr(SP ` | P )Pr(P )

To compute the probabilities on the righthand side, we use the fact that our Miller–Rabin
algorithm (the procedure miller-rabin, not the algorithm Probable Prime) is a Monte Carlo
algorithm, which means the following:

(1) If miller-rabin returns c = 1, then n definitely is composite (i.e. has property C). This
is expressed by

Pr(n composite | miller-rabin returns c = 1) = 1,

or more concisely as
Pr(C | SP ) = 1.

(2) If n is composite (has property C), then miller-rabin returns c = 1 for at least 1/2 of
the number of choices for a. This is expressed by
1
Pr(miller-rabin returns c = 1 | n is composite) ≥ ,
2
or more concisely as
1
Pr(SP | C) ≥ .
2
From property (1) of a Monte Carlo algorithm, by contrapositive, we see that if n is not
composite, then the algorithm always returns c = 0; that is,

Pr(miller-rabin returns c = 0 | n is prime) = 1,

78 CHAPTER 4. THE MILLER–RABIN TEST

or more concisely as
Pr(SP | P ) = 1.
It follows that
Pr(SP ` | P ) = Pr(SP | P )` = 1.
To evaluate Pr(SP ` | P ) = Pr(SP ` | C) we make use of the assumption that miller-rabin is
run ` independent times and that by property (2) of a Monte Carlo algorithm,
1
Pr(SP | C) ≥ ,
2
so we have
Pr(SP ` | C) = Pr(SP | C)`
= (1 − Pr(SP | C))`
 `
1
≤ 1−
2
 `
1
= .
2
The above derivation shows rigorously what we have been claiming: the probability that the
algorithm says ` times that n is not a composite when in fact it is, is very small. Indeed,
 `
1
Pr(SP ` | C) ≤ .
2
As we said earlier, the probability we really want to know is Pr(P | SP ` ). We have all the
ingredients to compute it, except for the probability Pr(P ). To estimate Pr(P ), we can make
use of the Prime Number Theorem, which implies that for n large enough, the fraction of
primes betwen 2 and n is approximately 1/ ln(n). Using this fact, we get (approximately!)
that Pr(P ) = 1/ ln(n), so
Pr(SP ` | P )Pr(P )
Pr(P | SP ` ) =
Pr(SP ` | P )Pr(P ) + Pr(SP ` | P )Pr(P )
1
1 · ln(n)
≥  
1 1
1 · ln(n) + 2−` 1 − ln(n)
1
=
1+ 2−` (ln(n)
− 1)
ln(n) − 1 ln(n)
=1− ` >1− ` .
2 + ln(n) − 1 2
Therefore,
ln(n)
Pr(P | SP ` ) > 1 − ,
2`
4.4. THE MONIER–RABIN BOUND ON THE SIZE OF THE SET OF MR-LIARS 79

(approximately), and we see that it is necessary to add a correction term approximately

equal to ln(n), but this correction term is quickly offset by making ` a little bigger.
Actually, Rabin and Monier independently proved in 1980 that if n is composite then
the Miller–Rabin procedure returns c = 1 for at least 3/4 of the number of choices for a
(provided that n > 9); that is
3
Pr(SP | C) ≥ .
4
Therefore, Pr(SP | C) ≤ 1/4, and for n large enough, we have

ln(n)
Pr(P | SP ` ) > 1 − .
4`
Rabin and Monier proved that if n > 9 is an odd composite, then

ϕ(n)
|LMR
n | ≤ .
4
The proof is harder than the proof of Proposition 4.8, but it is not out of reach given a little
bit of number theory. The general strategy is also to find a proper subgroup of (Z/nZ)∗ that
contains LMR
n and to estimate its order, to show that it is bounded by ϕ(n)/4. The proof
given in Crandall and Pomerance [3] (Chapter 3, Section 5) is presented in the next section.
This proof mixes combinatorial and number theoretic ideas in a beautiful and clever way,
but it can be omitted without causing a major gap in the understanding of the Miller–Rabin
test. The probability Pr(SP | C) ≤ 1/2 is good enough to prove that the Miller–Rabin test
can be trusted with a high degree of confidence.

4.4 The Monier–Rabin Bound on the Size of the Set

of MR-liars
Let n ≥ 2 be any integer and suppose that its prime factorization is

n = pj11 pj22 · · · pjkk , ji ≥ 1, i = 1, . . . , k.

Write ω(n) = k for the number of distinct prime factors in n. The key point is that LMR
n is
a subset of a group S(n) of the form

S(n) = {a ∈ (Z/nZ)∗ | am ≡ ±1 (mod n)},

for some suitable m (depending on n), such that m divides n − 1. Thus, to estimate the
order of this group, we need to find the number of solutions a (mod n) to the congruence

am ≡ ±1 (mod n).
80 CHAPTER 4. THE MILLER–RABIN TEST

We will see that the second congruence (the case −1) reduces to the first (the case +1), so we
are reduced to the problem of counting the number of solutions a (mod n) to the congruence

am ≡ 1 (mod n). (∗)

This is where some number theory comes in handy. Firstly, since the pji i are relatively prime,
a ∈ Z is a solution of (∗) iff a is a solution of the k congruences

am ≡ 1 (mod pji i ), i = 1, . . . , k. (∗∗)

Now, because pi is an odd prime, the group of units (Z/pji i Z)∗ of the ring Z/pji i Z is cyclic
(see Theorem 3.29). This means that there is some g ∈ (Z/pji i Z)∗ (called a primitive root
modulo pji i ) such that
ji ji
g, g 2 , . . . , g ϕ(pi )−1 , g ϕ(pi ) = 1
is a list of all elements in (Z/pji i Z)∗ . Then, we can easily determine when an element
a ∈ (Z/pji i Z)∗ is a solution of
am ≡ 1 (mod pji i ). (†)
If we write a = g k , for some k with 1 ≤ k ≤ ϕ(pji i ), then we must have

g km ≡ 1 (mod pji i ).

Now, g ∈ (Z/pji i Z)∗ has order ϕ(pji i ) (the smallest integer r such that g r ≡ 1 (mod pji i )), so
ϕ(pji i ) must divide km. If d = gcd(m, ϕ(pji i )) and if we write m = dm1 and ϕ(pji i ) = dn1 ,
then gcd(m1 , n1 ) = 1 and ϕ(pji i ) must divide km iff n1 divides km1 . Since gcd(m1 , n1 ) = 1,
the number n1 must divide k, and we find d solutions for k:

n1 , 2n1 , . . . , (d − 1)n1 , dn1 = ϕ(pji i ).

Therefore, we proved that equation (†) has

gcd(m, ϕ(pji i ))

solutions modulo pji i . Since m divides n − 1, it is not divisible by pi , and since ϕ(pji i ) =
pji i (pi − 1), we get

gcd(m, ϕ(pji i )) = gcd(m, pji i (pi − 1)) = gcd(m, pi − 1).

By the Chinese remainder theorem, the solutions of (∗) modulo n are in bijection with the
k-tuples (a1 , . . . , ak ), where each ai is a solution of (†) modulo pji i . It follows that the number
of solutions modulo n of the conguence am ≡ 1 (mod n) is
k
Y
gcd(m, pi − 1).
i=1

In summary, we proved the following result.

4.4. THE MONIER–RABIN BOUND ON THE SIZE OF THE SET OF MR-LIARS 81

Proposition 4.10. Let n ≥ 2 be any integer and suppose that its prime factorization is

n = pj11 pj22 · · · pjkk , ji ≥ 1, i = 1, . . . , k.

For any integer m ≥ 1 such that m divides n − 1, the number of solutions modulo n of the
conguence
am ≡ 1 (mod n)
is
k
Y
gcd(m, pi − 1).
i=1

An interesting corollary of Proposition 4.10 obtained by setting m = n − 1 is that every

odd composite number n is a pseudoprime for at least two nontrivial bases a 6= ±1 modulo
n, unless n is a power of 3.
We now return to the definition of the group S(n).
Definition 4.4. For any odd composite n, if n − 1 = 2s t, with t odd, then let ν(n) be the
largest integer such that 2ν(n) divides p − 1 for every prime factor p of n. Then let
ν(n)−1 t
S(n) = {a ∈ Z/nZ | a2 ≡ ±1 (mod n)}.

The following proposition shows why S(n) is relevant.

Proposition 4.11. For any odd composite integer n, the following properties hold:
(1) The set of MR-liars LMR
n is contained in S(n).
(2) The set S(n) is a subgroup of (Z/nZ)∗ .
Proof. (1) Pick any a ∈ LMR
n . There are two cases.
ν(n)−1 t
(i) If at ≡ 1 (mod n), then obviously a2 ≡ 1 (mod n), so a ∈ S(n).
i
(ii) There is some smallest index i with 0 ≤ i ≤ s − 1 such that a2 t ≡ −1 (mod n). For
i
any prime p dividing n, we also have a2 t ≡ −1 (mod p), and so
i+1 t
a2 ≡1 (mod p).

If k is the order of a in (Z/pZ)∗ , then k divides 2i+1 t but k does not divide 2i t (because k
is the least integer such that ak ≡ 1 (mod p)). If follows that 2i+1 is the exact power of 2
in the prime factorization of k. Since by Fermat’s little theorem, ap−1 ≡ 1 (mod p), we see
that k divides p − 1, and so 2i+1 divides p − 1. Since this holds for every prime p dividing n,
i ν(n)−1 t
we have i + 1 ≤ ν(n). Since a2 t ≡ −1 (mod n), if i + 1 < ν(n), then a2 ≡ 1 (mod n),
2ν(n)−1 t
else if i + 1 = ν(n), then a ≡ −1 (mod n). In both cases, a ∈ S(n).
(2) The proof that S(n) is a group is very similar to the fact that Bn is a group (see the
proof of Proposition 4.8) and is left an an exercise.
82 CHAPTER 4. THE MILLER–RABIN TEST

The next proposition gives a formula for the order of the group S(n).
Proposition 4.12. For any odd composite integer n, if we denote the number of distinct
prime factors of n by ω(n) and if n − 1 = 2s t with s, t and ν(n) as in Definition 4.4, then
the order of the group S(n) is given by
Y
|S(n)| = 2 · 2(ν(n)−1)ω(n) gcd(t, p − 1).
p|n

Proof. Since
ν(n)−1 t
S(n) = {a ∈ Z/nZ | a2 ≡ ±1 (mod n)},
ν(n)−1
we need to count the number s1 of solutions of the congruence a2 t
≡ 1 (mod n) and
2ν(n)−1 t
the number s2 of solutions of a ≡ −1 (mod n). As to the first congruence, if we let
ν(n)−1
m=2 t, by definition of ν(n), we know that 2ν(n) divides p−1 for every prime p dividing
n. Let n = pj11 · · · pjkk be prime factorization of n, where p1 , . . . , pk are the distinct prime
factors of n (with k = ω(n)). If we had ν(n) > s, then we could write pi = 1 + 2s+1 ui for
some integers ui , and then n − 1 = 2s t would yield

(2s+1 u1 + 1) · · · (2s+1 uk + 1) − 1 = 2s t,

which would imply that

2s+1 u = 2s t,
for some integer u. Since t is odd, this is impossible, and thus ν(n) ≤ s. Consequently,
m = 2ν(n)−1 t divides n − 1 = 2s t. By Proposition 4.10, we have
ω(n)
Y
s1 = gcd(m, pi − 1).
i=1

But m = 2ν(n)−1 t, t is odd and 2ν(n) divides each pi − 1, so

gcd(m, pi − 1) = gcd(2ν(n)−1 t, pi − 1) = 2ν(n)−1 gcd(t, pi − 1),

so we get
ω(n)
Y
(ν(n)−1)ω(n)
s1 = 2 gcd(t, pi − 1).
i=1
m
We now show that the congruence a ≡ −1 (mod n) has the same number of solutions as
the congruence am ≡ 1 (mod n). Observe that am ≡ −1 (mod n) iff a2m ≡ 1 (mod n) and
am 6≡ 1 (mod n). We observed earlier that ν(n) ≤ s, so 2m = 2ν(n) t divides n − 1 = 2s t, and
the number of solutions of a2m ≡ 1 (mod n) is
ω(n)
Y
ν(n)ω(n)
2s1 = 2 gcd(t, pi − 1).
i=1
4.4. THE MONIER–RABIN BOUND ON THE SIZE OF THE SET OF MR-LIARS 83

Since the number of solutions of am ≡ 1 (mod n) is s1 , it follows that the number s2 of

solutions of am ≡ −1 (mod n) is

s2 = 2s1 − s1 = s1 .

Therefore, the order of the group S(n) is indeed

Y
|S(n)| = 2 · 2(ν(n)−1)ω(n) gcd(t, p − 1),
p|n

as claimed.

Proposition 4.12 yields the main result of this section.

Theorem 4.13. (Monier–Rabin) For every odd composite n > 9, we have

ϕ(n) n−1
|LMR
n | ≤ ≤ .
4 4
Proof. As usual, write n − 1 = 2s t, with t odd. By Proposition 4.11, LMR
n ⊆ S(n), so it
suffices to prove that |S(n)|/ϕ(n) ≤ 14 . By Proposition 4.12,
Y
|S(n)| = 2 · 2(ν(n)−1)ω(n) gcd(t, p − 1),
p|n

so we need to prove that

ϕ(n) 1 Y k−1 p−1
= p ν(n)−1
≥ 4,
|S(n)| 2 k 2 gcd(t, p − 1)
p kn

where the notation pk kn means that pk is the exact power of the prime p in the prime
factorization of n. Each factor
p−1
ν(n)−1
(∗)
2 gcd(t, p − 1)
is an even integer. There are several cases.
Case 1: ω(n) ≥ 3. In this case, at least three of the factors (∗) are equal to 2, so
ϕ(n)/|S(n)| ≥ 4.
Case 2: ω(n) = 2 and n is not squarefree. Then, some exponent k − 1 is at least 1, and
since all the primes p are odd, the product of the pk−1 is at least 3, each factor (∗) is at least
2, so ϕ(n)/|S(n)| ≥ 6.
Case 3: n = pq, for two distinct primes, p, q, with p < q. If 2ν(n)+1 divides q − 1, then
q − 1 = 2ν(n)+1 u, and t is odd, we get

2ν(n)−1 gcd(t, q − 1) = 2ν(n)−1 gcd(t, 2ν(n)+1 u) = 2ν(n)−1 gcd(t, u) ≤ 2ν(n)−1 u = (q − 1)/4,

84 CHAPTER 4. THE MILLER–RABIN TEST

and since the other fraction involving p − 1 is at least 2, and we get ϕ(n)/|S(n)| ≥ 4.
The remaining subcase is that 2ν(n) is the exact power of 2 in q − 1, and we can write
q − 1 = 2ν(n) u, where u is odd. Because n − 1 = pq − 1 = p(q − 1) + p − 1 and p < q, we see
that q − 1 does not divide n − 1. This implies that there is an odd prime q1 dividing q − 1 to
a higher power than it divides n − 1. Since n − 1 = 2s t and q − 1 = 2ν(n) u, we have t = q1h t1
and u = q1h+1 u1 for some h ≥ 1 and some t1 , u1 with gcd(q1 , t1 ) = 1. It follows that

2ν(n)−1 gcd(t, q − 1) = 2ν(n)−1 gcd(q1h t1 , 2ν(n) q1h+1 u1 )

= 2ν(n)−1 q1h gcd(t1 , q1 u1 )
= 2ν(n)−1 q1h gcd(t1 , u1 )
≤ 2ν(n)−1 q1h u1
(q − 1) q−1
= ≤ .
2q1 6

Since the other fraction is at least 2, we conclude that ϕ(n)/|S(n)| ≥ 6.

Case 4: n = pk , for some k ≥ 2. In this case, n − 1 = pk − 1 = 2s t with t odd. Since

k ≥ 2, we have
pk − 1 = (p − 1)(pk−1 + · · · + p + 1) = 2s t,
and since
p − 1 = 2ν(n) u
with u odd, we conclude that u is a divisor of t. Then

gcd(t, p − 1) = gcd(t, 2ν(n) u) = gcd(t, u) = u,

which implies that

p−1 2ν(n) u
= = 2,
2ν(n)−1 gcd(t, p − 1) 2ν(n)−1 u
and thus, ϕ(n)/|S(n)| = pk−1 . Therefore, unless pk = 9, we have ϕ(n)/|S(n)| ≥ 5. This last
case finishes the proof.

Remarks:

1. Another proof of Theorem 4.13 is given in Koblitz [9] (Chapter V, Proposition V.1.7).

2. The group S(n) is actually the group generated by the set LMR
n of MR-liars. This
result due to Jim Haglund is Problem 3.16 in Crandall and Pomerance [3].
4.5. THE LEAST MR-WITNESS FOR N 85

4.5 The Least MR-Witness for n

Theorem 4.13 shows that an odd composite n has at least 3n/4 MR-witnesses in the set
{2, . . . , n − 2}. A natural question then arises: what is the size of the smallest MR-witness,
W (n), for n? If, by luck, the size of W (n) is bounded by a constant, or a slow-growing func-
tion, then there is hope that a practical deterministic algorithm (that is, not a randomized
algorithm) can be found.
Unfortunately, there is no constant bound. Indeed, Alford, Granville and Pomerance
showed that for infinitely many odd composite n, we have

W (n) > (ln n)1/(3 ln ln ln n) .

In Crandall and Pomerance [3], it is also shown that W (n) ≥ 3 for infinitely many n (with
an explicit description). Around 1976, Gary Miller showed that W (n) = O((ln)2 ), assuming
that the Extended Riemann Hypothesis (for short ERH) holds. Then, Bach (1985) proved
that W (n) < 2(ln n)2 .
The ERH is a generalization of the Riemann Hypothesis (for short RH), one of the most
famous conjectures of mathematics. Explaining what is the ERH would lead us to far, and
we refer the reader to Crandall and Pomerance for an explanation [3] (Chapter 1, Section
1.4). However, we discuss briefly the RH.
The RH has to with the location of the zeros of the zeta function, ζ. For any real s > 1,
the function ζ(s) is given by
∞
X 1
ζ(s) = s
.
n=1
n
If we allow s to be a complex argument, then the above sum converges absolutely for Re(s) >
1. It is also possible to extend ζ to the entire complex plane (by analytic continuation), so
that ζ(s) is regular for every s except s = 1, where it has a simple pole with residue 1 (this
means that (s − 1)ζ(s) is holomorphic in C, with value 1 at s − 1). Two good sources are
Apostol [1] and Edwards [5]. Ribenboim’s lovely book [15] (especially Chapter 4) is also
highly recommended. The connection with prime numbers was noticed by Euler and is this:

Theorem 4.14. (Euler) If P denotes the set of all primes, then for every s ∈ C such that
Re(s) > 1,
Y 1
ζ(s) = .
p∈P
1 − p−s

The value ζ(s) of the zeta-function is known when s is an even integer, but ζ(s) is not
known for not a single odd integer! Remarkably, the location of the zeros of ζ has crucial
impact on the distribution of the primes. For example, the fact that ζ(s) 6= 0 on the line
Re(s) = 1 leads to the Prime Number Theorem. The Riemann Hypothesis, stated in 1859
by Riemann in an eight-page memoir, says this:
86 CHAPTER 4. THE MILLER–RABIN TEST

Conjecture (Riemann hypothesis (RH))

All the zeros of ζ in the critical strip 0 < Re(s) < 1 lie on the vertical line Re(s) = 1/2.
The RH has been verified by computer calculations for many values of n, but it still
remains one of the central conjectures of mathematics. It is equivalent to various statements
about the distribution of the primes. For example, von Koch proved in 1901 that the RH is
equivalent to the following fact:
√
|π(x) − Li(x)| < x · ln(x), for all x ≥ 2.01,

where π(x) is the number of primes not exceeding x, and the function Li (logarithmic integral)
is given by Z x
dt
Li(x) = .
2 ln t
It is easy to see that Z x
x dt 2
Li(x) = + 2
− .
ln x 2 (ln t) ln 2
It is amazing that Gauss conjectured in 1791 (at the age of fourteen) that π(x) ∼ Li(x). We
refer the reader to Crandall and Pomerance [3] (Chapter 1) for more on this topic.
The Extended Riemann Hypothesis (ERH) has to do with the zeros of the Dirichlet L-
functions L(s, χ), which generalizes the ζ-function. Here, χ denotes a Dirichlet character.
Apostol [1] is an excellent source to learn about L-functions. The ζ-function corresponds to
the special case χ = 1. The ERH says this:
Conjecture (Extended Riemann hypothesis (ERH))
For any Dirichlet character χ, all the zeros of L(s, χ) in the region Re(s) > 0 lie on the
vertical line Re(s) = 1/2.
Assuming the ERH, Bach’s result, that W (n) < 2(ln)2 , yields a deterministic algorithm
for testing for primality. Simply try the Miller–Rabin procedure for a = 2, 3, . . . , 2(ln n)2 .
Besides the fact that the ERH is still not proved, in practice, the randomized version of
the Miller–Rabin test is faster. As of now, if you want a reliable test, either you have to
have faith in the ERH, or faith that an event that has probability less than 10−30 will never
happen in our lifetime. This probability is much smaller than the probability of hardware
or software failure anyway!
Chapter 5

The Solovay–Strassen Test

5.1 Quadratic Residues

The Solovay–Strassen primality test was published in 1977, and thus slightly predates the
Miller–Rabin test. It is also a randomized algorithm of Monte Carlo type, and it gives the
output “composite,” given that the input n is composite, with probability greater than 1/2.
The Solovay–Strassen is based on a criterion due to Euler to test whether a number which
is not a multiple of a prime n is a quadratic residue. This test involves the Jacobi symbol,
which is a generalization of the Legendre symbol. Properties of the Jacobi symbol yield a
fast method for checking Euler’s criterion.
If p is a prime and m is an integer which is not a multiple of p, we can look for solutions
x of the quadratic congruence
x2 ≡ m (mod p). (∗)
First, note that since the modulus is prime, the above congruence has at most two solutions.
Indeed, Z/pZ is a field, so the polynomial x2 − m has at most two roots. Moreover, if x is a
solution of (∗), then so is −x, hence the number of solutions is either 0 or 2.
It is convenient to allow p to be any integer n ≥ 2.
Definition 5.1. Given any integer n ≥ 2, for any integer m such that gcd(m, n) = 1, we
say that m is a quadratic residue mod n if the congruence

x2 ≡ m (mod n) (†)

has a solution, and we write mRn. If (†) has no solution we say that m is a quadratic
nonresidue mod n and we write mRn.

Observe that the integers m such that gcd(m, n) > 1 are considered neither quadratic
residues nor quadratic nonresidues. When n = 2, every odd integer is a quadratic residue
and there are no quadratic nonresidues. This case is not very interesting, so typically we
assume that n ≥ 3.

87
88 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

Consider the example n = 13. The squares modulo 13 of the numbers in {1, 2, . . . , 12}
are
1, 4, 9, 3, 12, 10, 10, 12, 3, 9, 4, 1,
and thus, there are 6 = 12/2 quadratic residues:

1, 3, 4, 9, 10, 12.

For n = 26, the quadratic residues are

1, 3, 9, 17, 23, 25.

Because 26 is even, they must be odd. For n = 27, the quadratic residues are

1, 4, 7, 10, 13, 16, 19, 22, 25.

When n is prime, as in the case n = 13, there is the same number of quadratic residues
and nonresidues. This is a general fact.

Proposition 5.1. Let p be an odd prime. Then the set of quadratic residues is a subgroup
of Z/pZ of order (p − 1)/2. This subgroup consists of the residues modulo p of the numbers
 2
2 2 2 p−1
1 ,2 ,3 ,..., .
2

Proof. It is clear that 1 is a quadratic residue. If x2 ≡ a (mod p) and y 2 ≡ b (mod p), then

(xy)2 ≡ x2 y 2 ≡ ab (mod p),

so ab is also a quadratic residue, and the quadratic residues form a group.

If x2 ≡ y 2 (mod p), then

(x − y)(x + y) ≡ 0 (mod p).

Since p is prime, either p divides x − y or p divides x + y. But, 1 ≤ x, y ≤ (p − 1)/2, which

implies 2 ≤ x + y ≤ p − 1, so x − y must be divisible by p, and thus x = y. Therefore, the
residues modulo p of the square numbers listed in the Proposition are all distinct. Since

(p − k)2 ≡ k 2 (mod p),

every quadratic residue modulo p is congruent to a unique number in this list.

When p is an odd prime, we know that (Z/pZ)∗ is cyclic (see Theorem 3.21). If g is any
primitive root for (Z/pZ)∗ , Proposition 5.1 shows that the quadratic residues are the even
powers g 2i , and the quadratic nonresidues are the odd powers g 2i+1 , with 0 ≤ i ≤ (p − 3)/2.
5.2. THE LEGENDRE SYMBOL 89

We can use this fact to find square roots modulo p for primes of the form p = 4k + 3. Indeed,
if a = g 2i is any quadratic residue, then we claim that
x = a(p+1)/4 = ak+1
is a square root of a modulo p.
Since p = 4k + 3, we have (p − 1)/2 = 2k + 1, so g i(p−1)/2 is a quadratic nonresidue,
x ≡ a(p+1)/4 ≡ (g 2i )(p+1)/4 ≡ g i(p+1)/2 ≡ g i(p−1)/2 g i ≡ (−1)i g i (mod p),
and thus,
x2 ≡ (−1)2i g 2i ≡ a (mod p).
If p is a prime of the form p = 4k + 1, it is (a lot!) harder to find square roots modulo p; see
Crandall and Pomerance [3].

5.2 The Legendre Symbol

At this stage, it is convenient to introduce the Legendre symbol.
m


Definition 5.2. Let p be an odd prime. For any integer m, the Legendre symbol p
is
defined as follows:

  
m +1 if m is quadratic residue modulo p
= −1 if m is quadratic nonresidue modulo p
p 
0 if p divides m.


2

Observe that p1 = 1 and mp = 1 for every integer m which is not a multiple of p. For


7 3



a numerical example, 11 = −1, and 13 = 1.
If m ≡ n (mod p), then clearly mp = np , so the function m 7→ mp is periodic with

period p. We also have     

m·n m n
= ,
p p p
a very useful property for evaluating the Legendre symbol. To prove this property easily,
we establish Euler’s criterion. First, observe that for any m which is not a multiple of p, by
Fermat’s little theorem, we have
mp−1 ≡ 1 (mod p).
If p is odd, then we get
mp−1 ≡ (m(p−1)/2 − 1)(m(p−1)/2 + 1) ≡ 0 (mod p),
and it follows that m(p−1)/2 ≡ ±1 (mod p). Remarkably, m(p−1)/2 ≡ 1 (mod p) iff m is a
quadratic residue modulo p.
90 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

Theorem 5.2. (Euler’s criterion) If p is an odd prime, then for any integer m, we have
 
m
≡ m(p−1)/2 (mod p).
p

Proof. If m ≡ 0 (mod p), then both sides of the equation are 0, so the equation is trivially
true.
Suppose mp = 1, In this case, there is some x ∈ {1, . . . , p − 1} such that x2 ≡ m

(mod p), by Fermat’s little theorem, xp−1 ≡ 1 (mod p), and so,
 
(p−1)/2 2 (p−1)/2 p−1 m
m ≡ (x ) ≡x ≡1≡ (mod p).
p

This proves the formula if mp = 1.

Finally, assume that mp = −1. The polynomial x(p−1)/2 − 1 has degree (p − 1)/2, and

since Z/pZ is a field (since p is prime), it has at most (p − 1)/2 roots in Z/pZ. However, by
Proposition 5.1, the (p − 1)/2 quadratic residues are roots and the nonresidues are not, and
since m is a nonresidue, we must have

m(p−1)/2 6≡ 1 (mod p).

Since m(p−1)/2 ≡ ±1 (mod p), we conclude that

 
(p−1)/2 m
m ≡ −1 ≡ (mod p),
p

which finishes the proof.

Remark: Following Serre [17], another proof of Euler’s criterion can be given using some
algebra. Let Ω be an algebraic closure of Z/pZ. For any x ∈ (Z/pZ)∗ , let y ∈ Ω be a square
root of x,1 so that x = y 2 . Then,

y p−1 = x(p−1)/2 = ±1,

since xp−1 = 1 and (x(p−1)/2 )2 = 1 (in Z/pZ). Observe that x is a square in (Z/pZ)∗ iff
y ∈ (Z/pZ)∗ iff y p−1 = 1. For the second equivalence, note that if y p−1 = 1 and y ∈
/ (Z/pZ)∗ ,
then the equation z p−1 − 1 = 0 has p roots in Ω, since the p − 1 elements of (Z/pZ)∗ are roots
of z p−1 − 1 = 0, a contradiction since Ω is a field. It is obvious that the map x 7→ x(p−1)/2
is a homomorphism from (Z/pZ)∗ to {−1, +1}, and from the above discussion, its kernel is
the set (Z/pZ)∗2 of squares in (Z/pZ)∗ . Now, (Z/pZ)∗ is a cyclic group of order p − 1, so the
1
Instead of an algebraic closure of Fp = Z/pZ, we can use any field extension of Fp which contains a
square root of x.
5.2. THE LEGENDRE SYMBOL 91

above homomorphism must be surjective (otherwise, every element of (Z/pZ)∗ would have
order (p − 1)/2). It follows that (Z/pZ)∗2 is a subgroup of order (p − 1)/2 and that
 
x
= x(p−1)/2 = y p−1 in (Z/pZ)∗ .
p

It is now easy to establish the multiplicative property of the Legendre symbol.

Proposition 5.3. For any odd prime p and any integers m, n, we have
    
m·n m n
= .
p p p

Proof. If p divides m or p divides n, then p divides mn so mn m

p
= 0, and either p
= 0 or
n mn m



n

p
= 0; it follows that 0 = p = p p = 0.
If p divides neither m nor n, then p does not divide mn and by Euler’s criterion, we have
    
mn (p−1)/2 (p−1)/2 (p−1)/2 m n
≡ (mn) ≡m n ≡ .
p p p

The symbols mn

m
n

, p are all equal to +1 or −1, so mn − mp np is either 0, +2, or




,
p
p p
−2, and since mn m

n
mn

m

n

p
− p p
is divisible by p ≥ 3, we must have p
= p p
.

The following properties are also useful for evaluating the Legendre symbol.
Proposition 5.4. For any odd prime p, the following properties hold:
   
m n
(1) If m ≡ n (mod p), then = .
p p
 2  2   
m m ·n n
(2) If gcd(m, p) = 1, then = 1 and = .
p p p
 
−1 p−1
(3) = (−1) 2 , or equivalently
p
  (
−1 1 if p ≡ 1 mod 4
=
p −1 if p ≡ 3 mod 4.
 
2 p2 −1
(4) = (−1) 8 , or equivalently
p
  (
2 1 if p ≡ 1 mod 8 or p ≡ 7 mod 8
=
p −1 if p ≡ 3 mod 8 or p ≡ 5 mod 8.
92 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

Proof. Parts (1)–(3) of Proposition 5.4 follows from Euler’s criterion and Proposition 5.3.
The details are left to the reader. To prove (4), consider the (p − 1)/2 congruences:

p − 1 ≡ 1(−1)1 (mod p)
2 ≡ 2(−1)2 (mod p)
p − 3 ≡ 3(−1)3 (mod p)
4 ≡ 4(−1)4 (mod p)
..
.
p−1
r≡ (−1)(p−1)/2 (mod p),
2
where r = p − (p − 1)/2 or r = (p − 1)/2. Multiply all these together, and observe that every
integer on the left is even. We obtain
 
p−1
2 · 4 · 6 · · · (p − 1) ≡ !(−1)1+2+···+(p−1)/2 (mod p),
2

which yields    
p−1 p−1 2
2(p−1)/2
!≡ !(−1)(p −1)/8 (mod p).
2 2
However, ((p − 1)/2)! is not a multiple of p, so we get
 
2 2
= 2(p−1)/2 ≡ (−1)(p −1)/8 (mod p),
p

as claimed.

Part (3) of Proposition 5.4 says that −1 (equivalently p−1) is a quadratic residue modulo
p iff p is a prime of the form p = 4k + 1, and a nonresidue iff p is of the form p = 4k + 3. Part
(4) says that 2 is quadratic residue modulo p iff p is of the form p = 8k + 1 or p = 8k + 7,
and a nonresidue iff p is of the form p = 8k + 3 or p = 8k + 5.

Remark: Another proof of Part (4) can be given using a primitive eigth root of unity. Here
is a slick proof due to Jean–Pierre Serre (see [17]). If p is an odd prime, then p is of the
form 4k ± 1, so p2 − 1 ≡ 0 (mod 8). Since the multiplicative group of the finite field Fp2 is
cyclic of order p2 − 1, there is an element α ∈ F∗p2 which has order 8 (a primitive eigth root
of unity), and let y = α + α−1 . Since α has order 8, we have α4 = −1, so α2 + α−2 = 0, and
thus y 2 = (α + α−1 )2 = 2. Since Z/pZ = Fp is a subfield of Fp2 and α is a square root of 2
in Fp2 , from a previous remark and Euler’s criterion,
 
2
= y p−1 .
p
5.2. THE LEGENDRE SYMBOL 93

If p ≡ ±1 (mod 8), then y p = α + α−1 = y, and thus

 
2
= y p−1 = 1.
p
If p ≡ ±5 (mod 8), since α4 = −1, we get
y p = α5 + α−5 = −(α + α−1 ) = −y.
This implies that  
2
= y p−1 = −1.
p
Using Propositions 5.3 and 5.4, we can evaluate mp provided that we know how to factor

m. Actually, by extending mp to the Jacobi symbol and using the quadratic reciprocity

law, it is possible to evaluate mp using Euclidean division, without knowing how to factor.

Euler’s criterion has the following corollary which is the basis of the Solovay–Strassen
test.
Proposition 5.5. If p is an odd prime, then for any integer m ∈ {1, . . . , p − 1}, we have
 
m
m(p−1)/2 ≡ 1 (mod p).
p
Proof. Since m ∈ {1, . . . , p − 1}, the Legendre symbol mp is not zero, and Euler’s criterion

tells us that mp and m(p−1)/2 mod p are either both +1 or both −1, which implies that

their product is 1 modulo p.

By taking the contrapositive, it appears that we obtain a criterion for compositeness used
in the Solovay–Strassen test:
If n ≥ 3 is odd and if there is some a ∈ {2, . . . , n − 1} such that
 
a (n−1)/2
a 6≡ 1 (mod n),
n
then n is composite.
However, we haven’t yet defined na for a composite
number n. This can be done by

introducing the Jacobi symbol. Having made sense of na where n is composite, two issues
remain:
1. Proving that only a fraction of numbers in {2, . . . , n − 1} are liars, that is, satisfy the
condition of Proposition 5.5 even though n is composite.
2. Find an efficient method to evaluate na a(n−1)/2 modulo n.

Fortunately, at most half of the integers in {2, . . . , n − 1} are liars. For the second point,
we make use of the famous quadratic reciprocity law.
94 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

5.3 The Jacobi Symbol

The definition of the Jacobi symbol favors the quadratic reciprocity law at the expense of
m


the connection with quadratic residues. As a consequence, n = 1 does not necessarily
imply that m is a quadratic residue modulo n. On the positive side, properties of the Jacobi
m


symbol yield a more efficient algorithm for evaluating n .

Definition 5.3. Let P ≥ 3 be a positive odd integer and let
P = pj11 pj22 · · · pjkk be the prime
factorization of P . For any integer m, the Jacobi symbol m
P
is defined as follows:
   j1  j2  jk
m m m m
= ··· .
P p1 p2 pk
 
m
By convention, = 1.
1

Clearly,  
1
= 1,
P
and the Jacobi symbol agrees with the Legendre symbol
if P is prime. If gcd(m,
P ) > 1,
m m
then m is a multiple of some prime factor pi of P , so P = 0, and otherwise P = ±1.
Since the primes p1 , . . . , pk are all distinct, m is a quadratic residue modulo P iff m


p i
=1
m


for all pi , but is is possible that P = 1 even though m is a quadratic nonresidue modulo
P . For example, we have
    
2 2 2
= = (−1)(−1) = 1,
15 3 5

but 2 is not a quadratic residue modulo 15. On the other hand, if m

P
≡ −1 (mod p), then
gcd(m, P ) = 1 and m is a quadratic nonresidue modulo P .
The Jacobi symbol satisfies the following properties which are very useful for evaluating
it.
Proposition 5.6. For any odd positive integers m, n ≥ 3, and any integers a, b, the following
properties hold:
    
a·b a b
(1) = .
m m m
    
a a a
(2) = .
mn m n
   
a b
(3) If a ≡ b (mod m), then = .
m m
5.3. THE JACOBI SYMBOL 95

a2 · b
   
b
(4) If gcd(a, m) = 1, then = .
m m
   
a a
(5) If gcd(a, m) = 1, then 2
= .
m ·n n
 2k     2k+1    
2 ·a a 2 ·a 2 a
(6) = and = , for all k ≥ 1.
m m m m m
 
−1 m−1
(7) = (−1) 2 , or equivalently
m
  (
−1 1 if m ≡ 1 mod 4
=
m −1 if m ≡ 3 mod 4.

 
2 m2 −1
(8) = (−1) 8 , or equivalently
m
  (
2 1 if m ≡ 1 mod 8 or m ≡ 7 mod 8
=
m −1 if m ≡ 3 mod 8 or m ≡ 5 mod 8.

Proof. Parts (1)–(4) follow easily from Propositions 5.3 and 5.4, and Definition 5.3. Part

2
(5) follows from part (2). For part 6, observe that m4 = m2 = 1, and then apply (4)

repeatedly to eliminates factors of 4 in the “numerator.” For part (7), write m = p1 p2 · · · pk

as a product of odd prime factors pi , not necessarily distinct. Then, we have
k
Y k
X
m= (1 + pi − 1) = 1 + (pi − 1) + R,
i=1 i=1

where R consists of a sum of products of at least two factors of the form pi − 1, so that R is
a multiple of 4. Hence,
Xk
m≡1+ (pi − 1) (mod 4),
i=1
or
k
m − 1 X (pi − 1)
≡ (mod 2).
2 i=1
2
Therefore,
  k   k
−1 Y −1 Y Pk
= = (−1)(pi −1)/2 = (−1) i=1 (pi −1)/2 = (−1)(m−1)/2 ,
m i=1
pi i=1
96 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

as claimed.
For part (8), write
k
Y k
X
2 2
m = (1 + pi − 1) = 1 + (p2i − 1) + R,
i=1 i=1

where R is a sum of products of at least two factors of the form p2i − 1. Now, since pi ≡ ±1
(mod 4), we have p2i − 1 ≡ 0 (mod 8), and thus,
k
X
2
m ≡1+ (p2i − 1) (mod 64),
i=1

which yields
k
m2 − 1 X p2i − 1
≡ (mod 8).
8 i=1
8
The above congruence also holds modulo 2, so we get
  Y k   k
2 2 Y 2 2
= = (−1)(pi −1)/8 = (−1)(m −1)/8 ,
m i=1
pi i=1

as claimed.

Remark: Proposition 5.6 holds trivally if m = 1 or n = 1.

5.4 The Solovay–Strassen Test; E-Witnesses and E-

Liars
a


Now that we have the Jacobi symbol, m makes sense if m is an odd positive integer, and
we are we ready to present the Solovay–Strassen test. This test relies on the following fact:
If n ≥ 3 is odd and if there is some a ∈ {2, . . . , n − 1} such that
 
a (n−1)/2
a 6≡ 1 (mod n),
n
then n is composite.
Definition 5.4. Let n ≥ 3 be any odd integer.
(1) An integer a such that 2 ≤ a ≤ n − 1 is called an Euler witness, for short an E-witness
for n, if  
a (n−1)/2
a 6≡ 1 (mod n).
n
5.4. THE SOLOVAY–STRASSEN TEST; E-WITNESSES AND E-LIARS 97

(2) If n > 3 is an odd composite, then an integer a with 1 ≤ a ≤ n − 1 is an Euler liar ,

for short an E-liar for n, if
 
a (n−1)/2
a ≡ 1 (mod n).
n

The set of E-liars is denoted by LE n . An odd composite number n such that a with
2 ≤ a ≤ n − 2 is an E-liar for n is called an Euler pseudoprime base a.

15


Consider n = 325, a composite. For a = 15, we have gcd(15, 325) = 5, hence 325 = 0,
162
and 15 is an E-witness. For a = 2, we have 2 ≡ 129
(mod 325), so 2 is also an E-witness.
7
For a = 7, we have 7162 ≡ 324 (mod 325), and 325 = −1; consequently, 7 is an E-liar for
325.
The first fact to observe is that every E-liar is an F -liar.

Proposition 5.7. For any odd composite n > 3, we have LE F

n ⊆ Ln .

Proof. This is because, if a is an E-liar, then

 
a (n−1)/2
a ≡ 1 (mod n),
n

and since na ∈ {−1, 1}, we must have a(n−1)/2 ≡ ±1 (mod n), which yields

an−1 ≡ 1 (mod n),

showing that a is an F -liar.

The second fact is that the number of E-liars is at most half of the number of elements
in (Z/nZ)∗ . The reason is that LEn is a proper subgroup of (Z/nZ) .
∗

Theorem 5.8. If n > 3 is an odd composite, then the set LE

n of E-liars is a proper subgroup
of (Z/nZ)∗ .
∗
Proof. We already know that LE F E E
n ⊆ Ln
⊆ (Z/nZ) . Obviously, 1 ∈ Ln . If a, b ∈ Ln , then we
have na a(n−1)/2 ≡ 1 (mod n) and nb b(n−1)/2 ≡ 1 (mod n). By property (1) of the Jacobi

symbol (Proposition 5.6), we get

     
a·b (n−1)/2 a (n−1)/2 b (n−1)/2
(a · b) ≡ a b ≡ 1 · 1 ≡ 1 (mod n)
n n n

which shows that ab ∈ LE E F

n . Therefore, Ln is a subgroup of Ln .

It remains to show that there is some a ∈ (Z/nZ)∗ which does not belong to LE
n ; that is,
that there is some E-witness in (Z/nZ)∗ . There are two cases:
98 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

Case 1. The number n contains some square factor p, for some prime p ≥ 3. In this
case, when we proved (1) of Korselt’s criterion (Theorem 4.5), we produced an F -witness a
in (Z/nZ)∗ . By Proposition 5.7, we conclude that a is an E-witness in (Z/nZ)∗ .
Case 2. The number n is squarefree, so we can write n = pm, for some odd prime p and
some odd number m ≥ 3 which is not a multiple of p.
Let b ∈ {1, . . . , p − 1} be some quadratic nonresidue modulo p, so that pb = −1. Using

the Chinese remainder theorem, we find some a with 1 ≤ a ≤ n − 1 such that

a ≡ b (mod p)
a ≡ 1 (mod m).
We claim that a is an E-witness in (Z/nZ)∗ . Since b is a nonresidue modulo p, the prime p
does not divide a, and gcd(a, m) = 1, so gcd(a, n) = 1 and a ∈ (Z/nZ)∗ .
Next, observe that
       
a a a b 1
= = = (−1) · 1 = −1.
n p m p m
If a were an E-liar, then the fact that na = −1 would imply that

a(n−1)/2 ≡ −1 (mod n).

Since m divides n, we would have
a(n−1)/2 ≡ −1 (mod m),
contradicting the fact that a ≡ 1 (mod m). Therefore, a is indeed an E-witness in (Z/nZ)∗
for n.

Theorem 5.8 implies that the order |LE E

n | of the group Ln divides the order ϕ(n) of
∗
(Z/nZ) , and therefore,
ϕ(n) n−1
|LE
n| ≤ ≤ .
2 2
Here is the Solovay–Strassen primality test.
Solovay–Strassen test
The input is an odd integer n > 3.

procedure solovay-strassen(n)
begin
Choose random integer a ∈ {2, . . . , n − 2};
a

(n−1)/2
if n a 6≡ 1 (mod n)
then c := 1; return c; exit; (∗ n is a composite ∗)
else c := 0; return c (∗ n is a probable prime ∗)
end
5.5. THE QUADRATIC RECIPROCITY LAW 99

The Solovay–Strassen test is a Monte-Carlo algorithm. If the procedure returns c = 1,

then n is composite: that is,

Pr(n composite | solovay strassen return c = 1) = 1.

If n is composite, then the solovay-strassen test returns c = 1 for at least 1/2 of the number
of choices for a; that is,
1
Pr(solovay strassen return c = 1 | n is composite) ≥ .
2
If we repeat the Solovay–Strassen test ` times, as in the case of the Miller–Rabin test, we
obtain the fact that
 `
1
Pr(solovay strassen return ` times c = 0 | n is composite) ≤ ,
2

and that (approximately)

ln(n)
Pr(n is prime | solovay strassen return ` times c = 0) ≥ 1 − .
2`

We still have to show how the Jacobi symbol can be evaluated quickly. For this, we need
the quadratic reciprocity law.

5.5 The Quadratic Reciprocity Law

The quadratic reciprocity law , first stated by Euler (in a complicated form) around 1744–
1746, was rediscovered in 1785 by Legendre who gave a partial proof. Gauss discovered the
quadratic reciprocity independently at the age of eighteen and was the first one to give a
complete proof in 1796. In fact, according to Dedekind [11] (Chapter 3, Section 42), Gauss
gave six different proofs of the quadratic reciprocity law! A seventh proof was found in
Gauss’ Nachlass. Curiously, some authors (including Apostol) claim that Gauss gave eight
different proofs.
The quadratic recipocity law sates that if p and q are distinct odd primes, then pq = pq

unless p ≡ q ≡ 3 (mod 4), in which case pq = − pq . The extension of the quadratic

reciprocity law to the Jacobi symbol for distinct odd integers m, n ≥ 3 such that gcd(m, n) =
1 is easy.

Theorem 5.9. (Quadratic reciprocity law) If m and n are any odd integers m, n ≥ 3 such
that gcd(m, n) = 1, then    
m m−1 n−1 n
= (−1) 2 2 .
n m
100 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

Equivalently,  
n
   if m ≡ 1 mod 4 or n ≡ 1 mod 4
m 
m 
= 
n n
− if m ≡ 3 mod 4 and n ≡ 3 mod 4.


m
Furthermore,

1
=1
m
 
−1 m−1
= (−1) 2
m
 
2 m2 −1
= (−1) 8 ,
m

or equivalently (
 
−1 1 if m ≡ 1 mod 4
=
m −1 if m ≡ 3 mod 4,
and   (
2 1 if m ≡ 1 mod 8 or m ≡ 7 mod 8
=
m −1 if m ≡ 3 mod 8 or m ≡ 5 mod 8.

Observe

that
the quadratic reciprocity law holds trivially if gcd(m, n) > 1, since in this
m n
case n = m = 0.

Remark: We could define the Legendre symbol for n = 2. Since every odd number m =
2k + 1 is a quadratic residue modulo 2 and there are no quadratic nonresides, we can set
  (
m +1 if m is odd
=
2 0 if m is even.

But then, the quadratic reciprocity law fails. Similarly, we could define the Jacobi symbol if
n is even, but this is futile since

the quadratic reciprocity law also fails. This is the reason
why the Legendre symbol p is only defined for an odd prime p and the Jacobi symbol m
m


n
for a positive odd integer n.
We prove the quadratic reciprocity law in section 5.6, but first we show how it can be
used togther with the properties stated in Proposition 5.6 to evaluate quickly the Jacobi
symbol.
We use the following steps recursively to evaluate the Jacobi symbol na .

/ {1, . . . , n − 1}, compute a mod n

(1) Reduce modulo n. If a ∈ n
.
5.5. THE QUADRATIC RECIPROCITY LAW 101

(2) If a = 0, then the result is 0.

(3) If a = 1, then the result is 1.

a/4

(4) Remove factors of 4 from the numerator. If 4 divides a, then compute n
.

(5) Remove factors of 2 from the numerator. If 2 divides a, then if n ≡ 1, 7 (mod 8),
compute a/2 a/2



n
, else if n ≡ 3, 5 (mod 8), compute − n
.

(6) Apply quadratic reciprocity, case
1. If n > a > 1 and (a ≡ 1 (mod 4) or n ≡ 1

(mod 4)), then compute n moda
a
.

(7) Apply quadratic reciprocity, case 2. If n > a, a ≡ 3 (mod 4) and n ≡ 3 (mod 4), then
compute − n mod a


a
.

The rules for evaluating the Jacobi symbol are more powerful than the rules for evaluating
the Legendre symbol because in (6) and (7) it is not necessary to assume that a is prime.
Thus, there is no need for factoring a, which is a great advantage, because factoring is
generally considered hard.
Here is an illustration of the use of the above rules to evaluate a Jacobi symbol. Consider
 
773
.
1373

In the present case, 773 and 1373 are prime, so we are in fact computing the Legendre
symbol. We have
           
773 6 600 4 150 5 75 6 23 7 6 5
= = =− =− = =
1373 773 773 773 75 23
     
3 6 2 5 1 3
=− = = 1.
23 3 3

Therefore, 773 is a quadratic residue modulo 1373. Another way to show this is to use the
Euler criterion and to compute 773686 mod 1373 (we find that the result is indeed 1).
The following example taken from Hoffstein, Pipher and Silverman [8] shows the superi-
ority of the Jacobi symbol. Consider computing
 
228530738017
,
9365449244297

where the two numbers involved are indeed prime (check it using Miller-Rabin or Solovay–
Strassen!). By the quadratic reciprocity law, we get
   
228530738017 9365449244297
= ,
9365449244297 228530738017
102 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

and since 9365449244297 ≡ 224219723617 (mod 228530738017), we have

   
9365449244297 224219723617
= .
228530738017 228530738017

Now, although this is not obvious, 224219723617 is composite, so to proceed with the Leg-
endre symbol we need to factor 224219723617, not an easy task. With the Jacobi symbol,
we can apply the law of quadratic reciprocity and then reduce modulo the denominator and
we get      
224219723617 228530738017 4311014400
= = .
228530738017 224219723617 224219723617
Since 4311014400 = 210 · 4209975, we get
       
4311014400 4209975 224219723617 665092
= = = .
224219723617 224219723617 4209975 4209975

We will let the reader finish the computation and eventually find that the answer is −1.
Here is an iterative algorithm for evaluating the Jacobi symbol na where n ≥ 3 is an

odd integer.
Evaluation of the Jacobi Symbol

function jacobi(n, a)
b := a mod n; c := n; s := 1;
while b ≥ 2 do
while 4 | b do
b := b/4
endwhile;
if 2 | b then
if c ≡ 3, 5 (mod 8) then s := −s endif;
b := b/2
endif;
if b = 1 then return s exit endif;
if b ≡ c ≡ 3 (mod 4) then s := −s endif;
b := c mod b; c := b
endwhile;
return s · b
end

It is not hard to see that the invariant

   
b a
s· =
c n
5.6. PROOF OF THE QUADRATIC RECIPROCITY LAW 103

is maintained during execution of the program. Also, if gcd(a, n) > 1, then at some point
b becomes 0, so there is no need to compute gcd(a, n). We
leave it as an exercise to prove
a
that the above program computes the Jacobi symbol n ; for help, consult Dietzfelbinger
[4] (Section 6.3). It is also easy to prove that the number of iterations of the main while
loop is O(log n) and that that the program runs in O((log n)2 ) bit operations if |a| < n (see
Crandall and Pomerance [3], Chapter 2).
It is remarkable that deciding whether a is a quadratic residue modulo n can be done
quickly (in polynomial time in log n), basically the same complexity as computing the gcd.
However finding a square root in Z/pZ is hard (with p prime). So far, no known polynomial-
time algorithm is known. It is known that if the ERH holds, then there is a quadratic
nonresidue d < 2(log p)2 . From this, a square root can be found in polynomial time, if it
exists. If n is composite, there is no known fast method for computing square roots. In fact,
it can be shown that doing so is essentially equivalent to factoring n. We will elaborate on
these points later.

5.6 Proof of the Quadratic Reciprocity Law

At least 150 proofs of the quadratic reciprocity law have been published. Gauss himself gave
seven different proofs. We follow a short proof using “Gauss sums” due to Jean-Pierre Serre
[17]. This proof is not entirely elementary because it uses the fact that if p and q are distinct
odd primes, then there is a field extension Ω of Fp = Z/pZ in which there is an element of
order q (a primitive qth root of unity). Any algebraic closure of Fp will do. Since pq−1 ≡ 1
(mod q) (by Fermat’s little theorem), the finite field Fpq−1 also works, since its multiplicative
group is cyclic of order pq−1 − 1.
Theorem 5.10. (Quadratic reciprocity law for primes (Gauss)) For any two distinct odd
primes p, q, we have    
p p−1 q−1 q
= (−1) 2 2 .
q p
Proof. Let Ω be any field extension of Fp = Z/pZ in which there is a primitive qth root of
unity, for example Ω = Fpq−1 . If w ∈ Ω is a primitive qth root of unity, define the Gauss sum
y by
Xa
y= wa ,
a∈Fq
q

with 0q = 0. Then, we have two steps.

Step 1. We prove that

y 2 = (−1)(q−1)/2 q.
Step 2. We prove that  
p−1 p
y = .
q
104 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

If we assume that Step 1 and Step 2 have been established, by Step 1, y is a square root of
(−1)(q−1)/2 q, and by a previous remark

(−1)(q−1)/2 q
 
= y p−1 ,
p

so by Step 2
(−1)(q−1)/2 q
   
p
= .
p q
On the other hand, by Proposition 5.3 and Proposition 5.4, we have

(−1)(q−1)/2 q (−1)(q−1)/2
        
p q (p−1)(q−1)/4 q
= = = (−1) ,
q p p p p

which proves the desired formula.

Proof of Step 1. We have

 X    X    X  ab  X  X  a(c − a) 
2 a a b b a+b
y = w w = w = wc ,
a∈F
q b∈F
q a,b∈F
q c∈F a∈F
q
q q q q q

by making the change of variable c = a + b. Now, if a 6= 0, we have a(c − a) = −a2 (1 − ca−1 ),

so
  2  
−a (1 − ca−1 ) 1 − ca−1 −1
   2   
a(c − a) a −1 (q−1)/2 1 − ca
= = = (−1) ,
q q q q q q

and thus, X
(−1)(q−1)/2 y 2 = Sc wc ,
c∈Fq

with
X  1 − ca−1 
Sc = .
a∈F∗q
q

If c = 0, then
X1
S0 = = q − 1.
a∈F∗q
q

Otherwise, d = 1 − ca−1 runs over Fq − {1}, and we have

X  1 − ca−1  X d    X   
1 d 1
 
1
Sc = = − = − =− = −1,
a∈F∗q
q d∈Fq
q q d∈F∗
q q q
q
5.6. PROOF OF THE QUADRATIC RECIPROCITY LAW 105

since in F∗q there are as many squares as nonsquares (see Proposition 5.1). As a consequence.
X X X
Sc wc = S0 + Sc wc = q − 1 − wc = q,
c∈Fq c∈F∗q c∈F∗q

wc = −1 (because w is a primitive qth root of unity, so wq = 1,

P
since c∈F∗q

0 = wq − 1 = (w − 1)(wq−1 + · · · + q + 1),

which implies wq−1 + · · · + q + 1 = 0, and thus, wc = wq−1 + · · · + q = −1), which

P
c∈F∗q
proves Step 1.

Proof of Step 2. Since Ω is a field of characteristic p, we have

(x1 + · · · + xm )p = xp1 + · · · + xpm ,

for all x1 , . . . , xm ∈ Ω, so we get

X  a p Xa
p ap
y = w = wap
a∈Fq
q a∈Fq
q

since p is odd, and by making the change of variable b = ap, we get

X  bp−1  X  p 2  bp−1  X  bp    X 
p b
 
p
p b b b b
y = w = w = w = w = y.
b∈Fq
q b∈F
q q b∈F
q q b∈F
q q
q q q

 
p−1 p
Therefore, y = , as claimed.
q

The proof of the quadratic reciprocity law for the Jacobi symbol is now easy to obtain.
For the reader’s convenience, we repeat the statement of the theorem.

Theorem 5.11. (Quadratic reciprocity law for the Jacobi symbol) If m and n are any odd
integers m, n ≥ 3 such that gcd(m, n) = 1, then
   
m m−1 n−1 n
= (−1) 2 2 .
n m

Equivalently,  
   n if m ≡ 1 mod 4 or n ≡ 1 mod 4
m 
m 
= 
n n
− if m ≡ 3 mod 4 and n ≡ 3 mod 4.


m
106 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

Proof. Write the prime factorizations of m and n as m = p1 · · · ps and n = q1 · · · qt , where

the pi and qj are primes. Then, we have
   s Y
t   
m n Y pi qj
= = (−1)r ,
n m i=1 j=1
qj pi

for some integer r. Applying the quadratic reciprocity law for primes to each factor, we find
that
s X t s t
X (pi − 1) (qj − 1) X pi − 1 X qj − 1
r= = .
i=1 j=1
2 2 i=1
2 j=1
2

During the proof of part (7) of Proposition 5.6, we showed that

s
X pi − 1 m−1
≡ (mod 2)
i=1
2 2
t
X qj − 1 n−1
≡ (mod 2).
j=1
2 2

Therefore,
(m − 1) (n − 1)
r≡ (mod 2),
2 2
which proves our formula.

Another way of proving the law of quadratic reciprocity (for primes) is to use Gauss sets.
Given any odd prime p, any subset S of F∗p = {1, 2, . . . , p − 1} such that

F∗p = S ∪ −S

is called a Gauss set. In particular,

 
p−1
S= 1, 2, . . . ,
2
is a Gauss set. Then, for any s ∈ S and any a ∈ F∗p , we can write

as = es (a)sa ,

for some sa ∈ S and with es (a) = ±1. (Of course, as is multiplication in Fp , so as ≡ es (a)sa
(mod p).)
Lemma 5.12. (Gauss’ lemma) For any odd prime p and any a ∈ F∗p , we have
  Y
a
= es (a).
p s∈S
5.7. STRONG PSEUDOPRIMES ARE EULER PSEUDOPRIMES 107

Proof. First, observe that is s 6= s0 , then sa 6= s0a , since otherwise we would have s = ±s0 ,
contradicting the fact that F∗p = S ∪ −S. Therefore, the map s 7→ sa is a bijection of S. If
we multiply the equations
as = es (a)sa
for all s ∈ S, we get
Y Y Y Y Y
(p−1)/2
a s= es (a) sa = es (a) s,
s∈S s∈S s∈S s∈S s∈S

which implies that Y

a(p−1)/2 = es (a).
s∈S

However, we know that  

a
= a(p−1)/2 ,
p
which proves the lemma.

As an application of Lemma 5.12, the reader should reprove that

 
2
= (−1)(p−1)/2 ,
p

by setting a = 2 and using the set S from above. It turns out that
 
2
= (−1)(n(p) ,
p

where n(p) is the number of integers s such that

p−1 p−1
<s≤ .
4 2
Several elementary proofs of the law of quadratic reciprocity can be obtained from Gauss’
lemma. For example, see Apostol [1] (Chapter 9, Sections 9.4, 9.5). A striking proof due to
Eisenstein (1845) using a trigonometric identity is given in Serre [17].

5.7 Strong Pseudoprimes are Euler Pseudoprimes

We conclude this chapter by showing that every strong pseudoprime base a is also an Euler
pseudoprime base a. This is another indication that the Miller–Rabin test is somewhat
better than the Solovay–Strassen test (recall that the proportion of MR-liars is at most 1/4,
whereas the proportion of E-liars is at most 1/2). We follow Koblitz’s proof [9] (Chapter
V).
108 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

We begin with an easy result, but first, observe that if a is an E-liar, then
 
a (n−1)/2
a ≡ 1 (mod n),
n

which implies that gcd(a, n) = 1, and since na ∈ {−1, 1}, the above condition is equivalent

to  
a
≡ a(n−1)/2 (mod n).
n

Proposition 5.13. If n is any composite of the form n = 4k + 3, then n is a strong

pseudoprime base a iff n is an Euler pseudoprime base a.

Proof. Since n = 4k + 3, we have n − 1 = 2(2k + 1), so n − 1 = 2s t with s = 1 and

t = (n − 1)/2. Thus, n is a strong pseudoprime base a iff a(n−1)/2 ≡ ±1 (mod n). If n is an
Euler pseudoprime, then the above congruence holds, by definition.
Conversely, assume that a(n−1)/2 ≡ ±1 (mod n). Then, since (n − 3)/4 = k is an integer,
we have
   (n−3)/4 2    (n−3)/2    (n−3)/2   n−1)/2 
a a a a a a ·a a
= = = = ,
n n n n n n n

and because (n − 1)/2 = 2k + 1, we have

 
−1
= −1,
n

which implies that  

a
≡ a(n−1)/2 (mod n),
n
as desired.

The case were n = 4k + 1 is more involved.

Theorem 5.14. If n is a strong pseudoprime base a, then n is an Euler pseudoprime base

a.

Proof. Write n = 2s t with t odd and assume that a in an MR-liar for n, which means that
either

(a) at ≡ 1 (mod n), or

i
(b) a2 t ≡ n − 1 (mod n), for some i with 0 ≤ i ≤ s − 1.
5.7. STRONG PSEUDOPRIMES ARE EULER PSEUDOPRIMES 109

We consider several cases.

Case 1. Assume that at ≡ 1 (mod n). In this case, since (n − 1)/2 = 2s−1 t, we have

a(n−1)/2 ≡ 1 (mod n).

We also have    t   t
1 a a
1= = = ,
n n n
   
a a
and since t is odd, = 1, so ≡ a(n−1)/2 (mod n).
n n
Case 2. Assume that (b) holds for i = s − 1; that is, a(n−1)/2 ≡ −1 (mod n). We must
show that na = −1.

0
Let p be any prime divisor of n and write p−1 = 2s t0 , with t0 odd. We make the following
claim:
Claim. We have s0 ≥ s and
  (
a −1 if s0 = s
=
p 1 if s0 > s.

Proof of the claim. From

s−1 t
a(n−1)/2 = a2 ≡ −1 (mod n),

raising both sides to the power t0 we we obtain

 t
2s−1 t0
a ≡ −1 (mod n),

and since p divides n, we also have

 t
2s−1 t0
a ≡ −1 (mod p).

If we had s0 < s, then we would not have

s0 t0
ap−1 ≡ a2 ≡1 (mod p),

contradicting Fermat’s little theorem. Thus, s0 ≥ s. If s0 = s, then

 t
2s−1 t0
a ≡ −1 (mod p)
110 CHAPTER 5. THE SOLOVAY–STRASSEN TEST

implies that  
a s0 −1 0
≡ a(p−1)/2 = b2 t ≡ −1 (mod p).
p
On the other hand, if s0 > s, then the congruence
 t
2s−1 t0
a ≡ −1 (mod p)

0 s0 −1 t0
raised to the power 2s −s implies that a2 a


≡ a(p−1)/2 ≡ 1 (mod p), and p
= 1.

Write n as a product of primes (not necessarily distinct), n = p1 p2 · · · pm , and let k be

0
the number of primes p such that s0 = s when we write p − 1 = 2s t0 with t0 odd, counting
such a prime with its multiplicity. By the claim, s0 ≥ s and
  Y m  
a a
= = (−1)k .
n i=1
p i

On the other hand, working modulo 2s+1 , we see that p ≡ 1 (mod 2s+1 ) unless p is one of the
k primes for which s0 = s, in which case p ≡ 1 + 2s (mod 2s+1 ). Since n = 1 + 2s t ≡ 1 + 2s
(mod 2s+1 ), we have

1 + 2s ≡ p1 · · · pm ≡ (1 + 2s )k ≡ 1 + k2s (mod 2s+1 ),

using the binomial formula in the last step. The congruence

2s ≡ k2s (mod 2s+1 )

implies that k is odd, hence  

a
= (−1)k = −1,
n
as was to be proved.
i
Case 3. Assume that (b) holds for i < s − 1; that is, a2 t ≡ −1 (mod n). Raising this
congruence to the power 2s−1−i , we get a(n−1)/2 ≡ 1 (mod n), so we have to prove that
0
a
= 1. As in case 2, write p − 1 = ss t0 with t0 odd for every prime factor p of n.


n
Claim. We have s0 ≥ i + 1 and
  (
a −1 if s0 = i + 1
=
p 1 if s0 > i + 1.

The proof of the above claim is identical to the proof of the claim in Case (2). Similarly
to Case (2), let k be the number of primes (not necessarily distinct) such that s0 = i + 1. As
in Case (2), we have  
a
= (−1)k .
n
5.7. STRONG PSEUDOPRIMES ARE EULER PSEUDOPRIMES 111

On the other hand, since i < s − 1, we have n = 1 + 2s t ≡ 1 (mod 2i+2 ), and also

n ≡ p1 · · · pm ≡ (1 + 2i+1 )k ≡ 1 + k2i+1 (mod 2i+2 ),

which implies
2s t ≡ k2i+1 (mod 2i+2 ).
Since i + 2 ≤ s, the number k must be even, and
 
a
= (−1)k = 1,
n

as desired.

There are examples of composite numbers n such that n is an Euler pseudoprime base
a but n is not a strong pseudoprime base a. This behavior is observed for numbers of the
form (6m + 1)(12m + 1)(18m + 1), where each factor is prime and m is odd; see Exercise 17
in Section 1 of Chapter V of Koblitz [9].
Acknowlegments: I wish to thank Dan Guralnik for inspiring me to write up the review
sections on groups. I learned about Theorem 3.13 from his wonderful’s lectures in ESE 680-
001. Not too surprisingly, I found that this theorem is used by J.P. Serre in his outstanding
Lectures in Arithmetic [17]. I also thank Peter Freyd, Ron Donagi and Steve Shatz. Peter
made a number of suggestions/corrections. In particular, he brought to my attention the
facts about square roots of unity stated as Proposition 4.1 and Theorem 4.2. Ron and Steve
pointed out that Theorem 3.31 implies that there are four square roots of unity when n = 2m
with m ≥ 3.
112 CHAPTER 5. THE SOLOVAY–STRASSEN TEST
Bibliography

[1] Tom M. Apostol. Introduction to Analytic Number Theory. Undergraduate Texts in

Mathematics. Springer, first edition, 1976.

[2] Nicolas Bourbaki. Algèbre, Chapitres 4-7. Eléments de Mathématiques. Masson, 1981.

[3] Richard Crandall and Carl Pomerance. Prime Numbers. A Computational Perspective.
Springer, second edition, 2005.

[4] Martin Dietzfelbinger. Primality Testing in Polynomial Time. From Randomized Algo-
rithms to “Primes is in P”. LNCS 3000. Springer, first edition, 2004.

[5] Harold M. Edwards. Riemann’s Zeta Function. Dover, first edition, 2001.

[6] Jean H. Gallier. Discrete Mathematics. Universitext. Springer Verlag, first edition, 2011.

[7] Carl Friedrich Gauss. Recherches Arithmétiques. Edition Jacques Gabay, first edition,
1807. French Translation of the Disquisitiones Arithmeticae.

[8] Jeffrey H. Hoffstein, Jill Pipher, and Joseph H. Silverman. An Introduction to Math-
ematical Cryptography. Undergraduate Texts in Mathematics. Springer, first edition,
2008.

[9] Neal Koblitz. A Course in Number Theory and Cryptography. GTM No. 114. Springer
Verlag, second edition, 1994.

[10] Serge Lang. Algebra. Addison Wesley, third edition, 1993.

[11] Peter Gustav Lejeune-Dirichlet. Lectures on Number Theory, volume 16 of History of

Mathematics. AMS, first edition, 1999. Translation by John Stillwell of Vorlesungen
über Zahlentheorie with supplements by Richard Dedekind, 1863.

[12] L. Lovász, J. Pelikán, and K. Vesztergombi. Discrete Mathematics. Elementary and

Beyond. Undergraduate Texts in Mathematics. Springer, first edition, 2003.

[13] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied
Cryptography. CRC Press, fifth edition, 2001.

113
114 BIBLIOGRAPHY

[14] Ivan Niven, Herbert S. Zuckerman, and Hugh L. Montgomery. An Introduction to the
Theory of Numbers. Wiley, fifth edition, 1991.

[15] Paulo Ribenboim. The Little Book of Bigger Primes. Springer-Verlag, second edition,
2004.

[16] R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and
public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

[17] Jean-Pierre Serre. A Course in Arithmetic. Graduate Text in Mathematics, No. 7.

Springer, first edition, 1973.

[18] Joseph H. Silverman. A Friendly Introduction to Number Theory. Prentice Hall, third
edition, 2006.