
NUMBER THEORY AND CRYPTOGRAPHY

MATH3301
UNSW, 2024

The typed lecture notes don’t contain extras such as exercises or sections with the *
symbol from the written lecture notes. However, these notes have all the necessary content
from the lectures with minor modifications.

Lecture 7
Algebraic Equations modulo m. We want to know how to solve congruences of the
form
ax ≡ b mod m.
Definition (Congruence class). The congruence class of a modulo m is the set of all
integers which are congruent to a modulo m.
Thus two integers a, b are in the same congruence class modulo m if a ≡ b mod m. In
symbols, the congruence class is the set
{b | a ≡ b mod m}
We think of ‘≡’ as partitioning the integers into congruence classes. For example, consider the congruence classes modulo 4:
class of 0: . . . , −4, 0, 4, . . .
class of 1: . . . , −3, 1, 5, . . .
class of 2: . . . , −6, −2, 2, 6, . . .
class of 3: . . . , −5, −1, 3, . . .
If n is a solution to the congruence
ax ≡ b mod m
then in fact any n′ in the same congruence class modulo m is also a solution:
n ≡ n′ mod m =⇒ an ≡ an′ ≡ b mod m.
This means that if we want to know all the solutions to ax ≡ b mod m, we just need to
determine which congruence classes give rise to solutions.
Example. To find all solutions to
2x ≡ 4 mod 6
we just need to check x ∈ {0, 1, 2, 3, 4, 5}, since every integer is congruent to one of these.
After doing this, we see that x = 2, 5 are valid solutions, and they are the only valid
solutions in the set {0, 1, 2, 3, 4, 5}. This means that any other number that is in the
congruence class of 2 or 5 is also a solution, i.e. 2, −4, 8, −10, . . . are solutions, as well as
5, −1, 11, −7, . . ., and these are the only solutions.
Note that sometimes mod m equations have no solutions. For example, by checking
every x ∈ {0, 1, 2, 3, 4, 5}, we can see that 2x ≡ 5 mod 6 has no solutions!
Theorem (Linear congruences in one variable). The equation
ax ≡ b mod m
has solutions if and only if
gcd(a, m)|b.
Furthermore, if gcd(a, m)|b, then there are exactly gcd(a, m) distinct congruence classes
(modulo m) which solve the equation.
Proof. There exists a solution for ax ≡ b mod m if and only if there exists some integer
n such that
an ≡ b mod m.
The latter statement is true if and only if
an − b = km
for some integer k. In other words, there exists integers n, k such that
an + (−k)m = b.
This is equivalent to saying that the Diophantine equation
ax + my = b
has a solution, which holds if and only if gcd(a, m)|b (this was our main theorem on
Diophantine equations in 2 variables). This proves the first statement in the theorem.
For the second statement, suppose n is any solution of ax ≡ b mod m, set d :=
gcd(a, m), and consider the set of d integers
n, n + m/d, n + 2m/d, . . . , n + (d − 1)m/d.
We will prove
(i) Each of these integers is a solution to the equation ax ≡ b mod m,
(ii) They lie in distinct congruence classes modulo m,
(iii) Any solution of ax ≡ b mod m is congruent to one of these integers.
Together, these suffice to establish the second statement in the theorem.
For (i), let n + k·m/d be one of the above integers. Then
a(n + k·m/d) = an + k·(a/d)·m ≡ an ≡ b mod m,
since d | a, so k·(a/d)·m is an integer multiple of m, and multiples of m are zero mod m.
For (ii), we check that when k1, k2 ∈ {0, 1, . . . , d − 1} are distinct, then n + k1·m/d and
n + k2·m/d lie in distinct congruence classes modulo m. Without loss of generality, we may
assume that k1 > k2. We do this by checking that their difference is not divisible by m:
0 < (n + k1·m/d) − (n + k2·m/d) = (k1 − k2)·m/d < m,
since 0 < k1 − k2 < d.
We will prove (iii) next lecture. □
Example. Find all solutions to
6x ≡ 9 mod 15.
Here a = 6, b = 9, m = 15. Clearly gcd(a, m) = 3, which divides 9, so solutions exist. To
find all solutions, we execute the following steps:
(1) Use the extended Euclidean algorithm to write gcd(a, m) as a linear combination
of a and m:
3 = 15 − 2 × 6.
(2) Multiply both sides by b/ gcd(a, m) = 3 to get b as a linear combination of a and
m:
9 = 3 × 3 = 3 × 15 − 6 × 6 = 3m − 6a.
(3) Read the resulting equation modulo m to get a solution:
9 = 3 × 15 − 6 × 6
≡ −6 × 6 mod 15
so x ≡ −6 ≡ 9 mod 15 is a solution, which means that anything in the congruence
class of 9 is also a solution.
(4) Add multiples of m/ gcd(a, m) = 15/3 = 5 to get the remaining solutions. In our
case,
9, 14, 4
are the three congruence classes which solve the equation.
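The four-step procedure above, written as a general solver. This is an added example, not code from the MATH3301 notes; the function names are my own. It runs the extended Euclidean algorithm itself and returns every congruence class modulo m that solves ax ≡ b mod m, or an empty list when gcd(a, m) does not divide b, so it also covers the "no solutions" case of the theorem.

```python
# Added example (not from the lecture notes): the four-step procedure for
# a x ≡ b (mod m) as a general solver.


def ext_gcd(a, m):
    """Extended Euclidean algorithm.

    Returns (g, s, t) with g = gcd(a, m) >= 0 and s*a + t*m = g.
    """
    old_r, r = a, m
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:  # normalise so that the returned gcd is non-negative
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def solve_linear_congruence(a, b, m):
    """All solutions of a x ≡ b (mod m), as residues in {0, ..., m-1}.

    Returns the sorted list of the gcd(a, m) congruence classes that solve
    the equation, or [] when gcd(a, m) does not divide b (theorem, part 1).
    """
    if m <= 0:
        raise ValueError("modulus must be positive")
    # Step 1: write gcd(a, m) = s*a + t*m.
    d, s, t = ext_gcd(a, m)
    if b % d != 0:
        return []  # no solutions at all
    # Step 2: multiply through by b/d, giving b = (s*b/d)*a + (t*b/d)*m.
    # Step 3: read that modulo m: a*(s*b/d) ≡ b, so x0 = s*b/d is a solution.
    x0 = (s * (b // d)) % m
    # Step 4: the other classes are x0 + k*(m/d) for k = 0, ..., d-1
    # (theorem, part 2: exactly d distinct classes).
    step = m // d
    return sorted((x0 + k * step) % m for k in range(d))


if __name__ == "__main__":
    # The worked example from the notes: 6x ≡ 9 (mod 15) has classes 4, 9, 14.
    print(solve_linear_congruence(6, 9, 15))
    # 2x ≡ 4 (mod 6) has classes 2 and 5; 2x ≡ 5 (mod 6) has none.
    print(solve_linear_congruence(2, 4, 6), solve_linear_congruence(2, 5, 6))
```

Because the solver only ever reduces modulo m, it works for negative a or b as well; the one input it rejects is a non-positive modulus.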
Lecture 8
Last time we mostly proved the following result:
Theorem (Linear congruences in one variable). The equation
ax ≡ b mod m
has solutions if and only if
gcd(a, m)|b.
Furthermore, if gcd(a, m)|b, then there are exactly gcd(a, m) distinct congruence classes
(modulo m) which solve the equation.
Explicitly, if n satisfies ax ≡ b mod m and d = gcd(a, m), then
n, n + m/d, . . . , n + (d − 1)m/d
are also solutions, and
(i) these belong to distinct congruence classes modulo m
(ii) any solution to the equation is in fact congruent to one of these integers.
Today we will complete the proof of the theorem by proving (ii).
Remark. Any integer of the form n + k·m/d is congruent modulo m to one of
n, n + m/d, . . . , n + (d − 1)m/d.
This means that it is enough to show that if n′ is any solution to ax ≡ b mod m, then it
can be written as
n′ = n + k·m/d
for some integer k.
Before we begin the proof, we need a few facts:
Proposition (Modular cancellation). Let d be a nonzero integer. Then
a ≡ b mod m ⇐⇒ da ≡ db mod dm
Proof. We have the following equivalences:
a ≡ b mod m ⇐⇒ a − b = km for some integer k
⇐⇒ da − db = kdm for some integer k
⇐⇒ da ≡ db mod dm

Lemma. If a, b are two integers, then a/ gcd(a, b) and b/ gcd(a, b) are relatively prime.
This should be intuitively clear because gcd(a, b) is the product of the common prime
factors of a and b. Dividing by gcd(a, b) gets rid of these factors.
Proof. To prove this, we use the fact that two integers are relatively prime if and only if
there is an integer linear combination of them which sums to one. To begin, we use the
extended Euclidean algorithm to find n, m such that
an + bm = gcd(a, b).
Dividing both sides by gcd(a, b), we get
(a/ gcd(a, b))·n + (b/ gcd(a, b))·m = 1.
This gives an integer linear combination of a/ gcd(a, b) and b/ gcd(a, b) which sums to one, so they
are relatively prime.
We could also prove this lemma by using the fact that two integers are relatively prime
if and only if they have no common prime factors. We demonstrate this with an example,
say 30 and 80. Observe that
30 = 2 × 3 × 5
80 = 2 × 2 × 2 × 2 × 5
so gcd(30, 80) = 2 × 5 = 10. Now dividing both by gcd(30, 80) gets rid of all the common
factors, so we must be left with integers that are relatively prime, in this case 3 and 8. □
Lemma. If a|bc and gcd(a, b) = 1, then a|c.
Proof. We use the Fundamental Theorem of Arithmetic to write the unique prime factorisations:
a = a1 . . . ak
b = b1 . . . bl
c = c1 . . . cm
where the ai, bi, ci are all prime, listed with multiplicity. Since a|bc, the primes a1, . . . , ak all
occur (with multiplicity) among the bi and ci. Since gcd(a, b) = 1, no ai is a bi. But then every
ai must be a ci, so a|c. □
Proof of the theorem concluded. Given that n, n′ are solutions to
ax ≡ b mod m
we aim to show that
n′ − n = k·m/d
for some integer k, where d = gcd(a, m).
Since n, n′ are both solutions,
an ≡ an′ mod m.
Therefore, since d divides a and m, we have by the proposition on modular cancellation:
(a/d)·n ≡ (a/d)·n′ mod m/d,
which means that m/d | (a/d)(n′ − n). Our first lemma above says that a/d and m/d are relatively
prime, so our second lemma implies that m/d | (n′ − n). This exactly means we can write
n′ − n = k·m/d
for some integer k, as required. □
In high school, when faced with the equation
2x = 5
we solve by dividing both sides by 2, or equivalently multiplying both sides by 1/2:
2x = 5 =⇒ x = 5/2.
But in modular arithmetic, we don’t always have numbers like 1/2, so we can’t always do
this. For example, we saw that
2x ≡ 5 mod 6
has no solutions.
Definition (Modulo m inverse). We say ā is a modulo m inverse for a if
aā ≡ 1 mod m.
Intuitively, we may think of ā as acting like 1/a in the modulo world.
Inverses may or may not exist. For example, we can check the set {0, 1, 2, 3, 4, 5} to see
that 2 does not have an inverse modulo 6. On the other hand, since
5 × 5 = 25 ≡ 1 mod 6
we see that 5 is its own inverse modulo 6.
Corollary. The integer a has a modulo m inverse if and only if gcd(a, m) = 1. In this
case, the modular inverses all lie in the same congruence class.
Proof. To say that an integer a has a modulo m inverse is exactly equivalent to saying
that the equation
ax ≡ 1 mod m
has a solution. By the theorem, this happens if and only if gcd(a, m) | 1, which happens
if and only if gcd(a, m) = 1.
The second statement follows from the second statement of the theorem, that when a
solution exists, the number of congruence classes of solutions is gcd(a, m), which in this
case is 1. □
Observation. If we have an equation
ax ≡ b mod m
and there exists a modulo m inverse for a, we can do as we did in high school and multiply
both sides by ā to solve for x.
Example. Solve 5x ≡ 3 mod 6.
We just verified that 5 is its own inverse modulo 6, so we multiply both sides by 5:
5 × 5x ≡ 5 × 3 mod 6
x ≡ 15 ≡ 3 mod 6
Solve 5x ≡ 4 mod 6:
5 × 5x ≡ 5 × 4 mod 6
x ≡ 2 mod 6
Warning. A modular inverse of an integer a behaves, modulo m, like the reciprocal of a.
But it is an integer, not a fraction. So 5 is an inverse of 7 modulo 17 (since 5 × 7 = 35 ≡ 1
mod 17), but this has nothing to do with the usual fractional inverse of 7, namely the
rational number 1/7. It doesn’t even make sense to consider rational numbers modulo m.
It only makes sense to consider integers.
Also the modular inverses of a, and even whether a has a modular inverse, definitely
depend on m. For instance 7 is an inverse of 5 modulo 17, but not modulo 10 because
5 × 7 ̸≡ 1 mod 10.
Lecture 9
If a modulo m inverse of a exists, then we may cancel the a’s on both sides of an
equation.
Corollary. Suppose gcd(a, m) = 1. Then
ab ≡ ac mod m ⇐⇒ b ≡ c mod m.
Proof. Note that
b ≡ c mod m =⇒ ab ≡ ac mod m
always holds. For the other direction, note that gcd(a, m) = 1 implies there exists a
modulo m inverse ā. Therefore
ab ≡ ac mod m =⇒ āab ≡ āac mod m
=⇒ b ≡ c mod m,
since āa ≡ 1 mod m. □
Example. Solve 3x ≡ 9 mod 11.
Note that gcd(3, 11) = 1. We may rewrite this as
3x ≡ 3 × 3 mod 11.
By the corollary, we can just cancel the 3’s from both sides of the equation:
x≡3 mod 11.
Warning: If we try this when gcd(a, m) > 1, then we won’t get all of the solutions! For
example
3x ≡ 9 mod 12
yields a solution
x ≡ 3 mod 12
by cancelling the 3, but we miss the other solutions of
x ≡ 7, 11 mod 12.
In these cases, we still need to use our theorem on linear congruences from last time.
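The corollary on inverses and the warning about cancelling are both easy to check by exhaustive search over the residues {0, . . . , m − 1}. This is an added example, not code from the notes; the function names are my own. It uses Python's built-in pow(a, −1, m), available from Python 3.8 onward, which computes the inverse class ā and raises ValueError exactly when gcd(a, m) ≠ 1, so the cancellation solver guards on the gcd first and reports None instead of a partial answer.

```python
# Added example (not from the lecture notes): modular inverses and the
# cancellation corollary, checked exhaustively for small moduli.
from math import gcd


def inverses_mod(a, m):
    """Residues r in {0, ..., m-1} with a*r ≡ 1 (mod m), by brute force."""
    return [r for r in range(m) if (a * r) % m == 1 % m]


def brute_force_solutions(a, b, m):
    """All residues x in {0, ..., m-1} with a*x ≡ b (mod m)."""
    return [x for x in range(m) if (a * x - b) % m == 0]


def solve_by_cancellation(a, b, m):
    """Solve a x ≡ b (mod m) the 'high school' way: multiply by an inverse of a.

    Only valid when gcd(a, m) == 1, where the corollary guarantees a unique
    solution class.  Otherwise return None: cancelling would at best find one
    class and silently miss the other gcd(a, m) - 1 classes.
    """
    if gcd(a, m) != 1:
        return None
    a_bar = pow(a, -1, m)  # the unique inverse class of a modulo m (Python 3.8+)
    return (a_bar * b) % m


def inverse_corollary_holds(m):
    """Check the corollary for every a modulo m.

    a has an inverse iff gcd(a, m) == 1, and when it does there is exactly
    one inverse class (so exactly one residue in {0, ..., m-1}).
    """
    for a in range(m):
        inv = inverses_mod(a, m)
        coprime = gcd(a, m) == 1
        if coprime and len(inv) != 1:
            return False
        if not coprime and inv:
            return False
    return True


if __name__ == "__main__":
    print(inverses_mod(5, 6), inverses_mod(2, 6))      # [5] and []
    print(inverses_mod(7, 17), inverses_mod(5, 10))    # [5] and []: depends on m
    print(solve_by_cancellation(3, 9, 11))             # 3
    print(solve_by_cancellation(3, 9, 12),             # None: gcd(3, 12) = 3
          brute_force_solutions(3, 9, 12))             # [3, 7, 11]
```

The last two lines are the warning in code: modulo 12 the cancellation route is refused, and the exhaustive search shows the three classes 3, 7, 11 that blind cancellation would have reduced to one.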

Solving systems of equations. The next natural question is: how do we find solutions
to a system of equations?
a1 x ≡ b1 mod m1
a2 x ≡ b2 mod m2
⋮
ar x ≡ br mod mr
We will answer this question for a special case:
Theorem (Chinese Remainder Theorem). Let m1 , . . . , mr be pairwise relatively prime
integers. Then the system
x ≡ a1 mod m1
x ≡ a2 mod m2
⋮
x ≡ ar mod mr
is solved by a unique congruence class modulo M := m1 m2 . . . mr .
Example. An ancient Chinese general wants to know how many troops he has after a
battle. He lines them up in rows of 9 and finds he has 1 soldier left over. He lines them up
in rows of 10 and finds he has 5 soldiers left over. Finally, he lines them up in rows of 11
and again he has 1 soldier left over. By direct observation, he knows that he has between
1000 and 2000 troops. How many troops does he have exactly?
To phrase the problem in terms of modular arithmetic, let n be the number of troops.
Our information tells us that n is a solution to the following system of congruences:
x≡1 mod 9
x≡5 mod 10
x≡1 mod 11.
Our theorem says that n is uniquely determined up to multiples of 9 × 10 × 11 = 990, and
the proof of the theorem will give us a method for finding n explicitly.
The proof of the Chinese remainder theorem will require the following simple lemma.
Lemma. Suppose a1 , . . . , ak are pairwise relatively prime, and suppose ai |b for each i =
1, . . . , k. Then (a1 . . . ak )|b.
Proof. We will leave the proof of this lemma as an exercise, but let’s give an example
to see that the statement is false without the assumption of relative primality. Consider
10 and 15, which are not relatively prime. We have 10 | 30 and 15 | 30, but clearly their
product 150 does not divide 30. □
Proof of theorem. We first construct a solution to the system
x ≡ a1 mod m1
x ≡ a2 mod m2
⋮
x ≡ ar mod mr.
Set M := m1 m2 . . . mr, and define
M1 := M/m1, M2 := M/m2, . . . , Mr := M/mr.
Note that Mi and mi are relatively prime, because Mi = ∏_{j≠i} mj, and our hypotheses
imply that mj is relatively prime to mi for all j ≠ i. This means that a modulo mi inverse
exists for Mi, i.e. there exist integers M̄1, M̄2, . . . , M̄r such that
M̄1 M1 ≡ 1 mod m1
M̄2 M2 ≡ 1 mod m2
⋮
M̄r Mr ≡ 1 mod mr.
Now consider the integer
n = a1 M1 M̄1 + a2 M2 M̄2 + . . . + ar Mr M̄r.
I claim that n is a solution to the system of equations. To check this, reduce n modulo
mi for each i. Since Mj is a multiple of mi for each j ≠ i, reducing modulo mi kills every
term except the ith one. Thus, we have
n ≡ ai Mi M̄i ≡ ai mod mi,
since Mi M̄i ≡ 1 mod mi. Thus, n is a solution to the system of congruences as desired.
In order to classify all solutions to the system of congruences, it remains to prove the
following two statements.
(i) n + kM is a solution for any integer k.
(ii) if n′ is a solution, then n′ = n + kM for some integer k.
(i) says that every integer in the modulo M congruence class of n is a solution to the system
of equations, while (ii) says that all possible solutions lie in this congruence class. The
proof of (i) is easy. Since M = m1 m2 . . . mr , reducing modulo mi will send any multiple
of M to 0, thus
n + kM ≡ ai + kM ≡ ai mod mi
for any i.
To prove (ii), we look at the difference of two solutions n and n′:
n′ − n ≡ a1 − a1 ≡ 0 mod m1
n′ − n ≡ a2 − a2 ≡ 0 mod m2
⋮
n′ − n ≡ ar − ar ≡ 0 mod mr.
This precisely says that
m1 |(n′ − n), m2 |(n′ − n), . . . , mr |(n′ − n).
Since m1 , m2 , . . . , mr are pairwise relatively prime, we may apply the lemma to deduce
that
M = m1 m2 . . . mr |(n′ − n)
and thus
n′ = n + kM
for some integer k. □
Example (Continued). We now have the tools to solve
x≡1 mod 9
x≡5 mod 10
x≡1 mod 11.
We may apply the Chinese Remainder Theorem since 9, 10, 11 are pairwise relatively prime.
In this problem, m1 = 9, m2 = 10, m3 = 11, a1 = 1, a2 = 5 and a3 = 1. Compute
M1 = 990/9 = 110
M2 = 990/10 = 99
M3 = 990/11 = 90
and the inverses modulo m1, m2, m3 respectively are
M̄1 ≡ 5 mod 9 (since 110 ≡ 2 mod 9 and 2 × 5 = 10 ≡ 1 mod 9),
M̄2 ≡ −1 mod 10 (since 99 ≡ −1 mod 10 and (−1) × (−1) = 1),
M̄3 ≡ 6 mod 11 (since 90 ≡ 2 mod 11 and 2 × 6 = 12 ≡ 1 mod 11).
Thus our solution (up to a multiple of M) is
n = 1 × 110 × 5 + 5 × 99 × (−1) + 1 × 90 × 6 = 550 − 495 + 540 = 595.
Any integer of the form n = 595 + 990k satisfies the system. The number of troops the
general had left is the integer of this form that lies between 1000 and 2000, namely
595 + 990 = 1585.
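The construction in the proof of the Chinese Remainder Theorem, as code, applied to the troop-counting example. This is an added example, not code from the notes; the function names are my own. It computes each M̄i with Python's pow(Mi, −1, mi) (Python 3.8 onward) and refuses moduli that are not pairwise relatively prime, because the theorem gives no guarantee of a solution in that case.

```python
# Added example (not from the lecture notes): the constructive proof of the
# Chinese Remainder Theorem as a solver for x ≡ a_i (mod m_i).
from math import gcd, prod  # math.prod needs Python 3.8+


def moduli_pairwise_coprime(moduli):
    """True iff every pair of distinct moduli has gcd 1 (the CRT hypothesis)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                return False
    return True


def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i) for pairwise coprime positive moduli.

    Returns (n, M) with M = m_1 * ... * m_r and n the unique solution in
    {0, ..., M-1}; by the theorem every solution is n + kM.
    """
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    if any(m <= 0 for m in moduli):
        raise ValueError("moduli must be positive")
    if not moduli_pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)
    n = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i                # product of the other moduli
        M_i_bar = pow(M_i, -1, m_i)   # inverse exists since gcd(M_i, m_i) = 1
        n += a_i * M_i * M_i_bar      # this term is ≡ a_i mod m_i, ≡ 0 mod m_j
    return n % M, M


def solutions_in_range(residues, moduli, lo, hi):
    """All solutions of the system in the closed interval [lo, hi]."""
    n, M = crt(residues, moduli)
    first = n + ((lo - n + M - 1) // M) * M  # smallest solution that is >= lo
    return list(range(first, hi + 1, M))


if __name__ == "__main__":
    # The general's count: x ≡ 1 (mod 9), x ≡ 5 (mod 10), x ≡ 1 (mod 11).
    print(crt([1, 5, 1], [9, 10, 11]))                          # (595, 990)
    print(solutions_in_range([1, 5, 1], [9, 10, 11], 1000, 2000))  # [1585]
```

The modulus check matters in practice: for moduli 10 and 15 the congruences x ≡ 0 mod 10, x ≡ 5 mod 15 have no common solution at all, and a solver that skipped the check would return a number satisfying neither.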
