\documentclass[% version=last,% a5paper,% 10pt,% headings=small,% bibliography=totoc,% index=totoc,% twoside,% reqno,% cleardoublepage=empty,% open=any,% draft=false,% %draft=true,% BCOR=2mm,% DIV=18,% %DIV=12,% headinclude=true,% pagesize]% {scrbook} \makeindex \usepackage{makeidx} \renewcommand{\captionformat}{ } \usepackage{scrpage2} \pagestyle{scrheadings} \ohead{\pagemark} \ihead{\headmark} \ofoot{} \usepackage{cclicenses} \usepackage{amssymb,amsmath,amsthm} \usepackage{url} \usepackage{verbatim} % allows a comment environment: \usepackage[all]{xy} \usepackage{pstricks} \usepackage{textcomp} % supposedly useful with \oldstylenums \usepackage{multicol} %\usepackage{showlabels} \usepackage[neverdecrease]{paralist} \usepackage{layout} \usepackage{hfoldsty} % this didn't work until I added missing % brackets to some of the files. \usepackage{graphicx,rotating} \hyphenation{Arith-metic} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \renewcommand{\leq}{\leqslant} \renewcommand{\geq}{\geqslant} \renewcommand{\setminus}{\smallsetminus} %\renewcommand{\phi}{\varphi} \newcommand{\Exists}[1]{\exists{#1}\;} \renewcommand{\emptyset}{\varnothing} \renewcommand{\epsilon}{\varepsilon} %%%%%%%%%%%%%%%%%%%%%%% \newcommand{\lto}{\Rightarrow} \renewcommand{\land}{\mathrel{\&}} %\newcommand{\size}[1]{\left|#1\right|} \newcommand{\size}[1]{\lvert#1\rvert} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \renewcommand{\theenumi}{\alph{enumi}} \renewcommand{\labelenumi}{\textnormal{\theenumi)}} \renewcommand{\theenumii}{\roman{enumii}} \renewcommand{\labelenumii}{\textnormal{(\theenumii)}} %%%%%%%%%%%%%%% \newcommand{\divides}{\mathrel{|}} \newcommand{\ndivides}{\mathrel{\nmid}} \newcommand{\ord}[2]{\operatorname{ord}_{#1}(#2)} \newcommand{\ls}[2]{\Bigl(\displaystyle\frac{#1}{#2}\Bigr)} % set-theoretic relations: \newcommand{\included}{\subseteq} % [the name suggests the meaning here] \newcommand{\nincluded}{\not\subseteq} % not included \newcommand{\pincluded}{\subset} % proper inclusion \newcommand{\includes}{\supseteq} \newcommand{\stnd}[1]{\mathbb{#1}} \newcommand{\N}{\stnd{N}} % natural numbers \newcommand{\Z}{\stnd{Z}} % integers \newcommand{\Q}{\stnd{Q}} % rationals %\newcommand{\Pri}{\stnd{P}} % primes \newcommand{\R}{\stnd{R}} % reals \newcommand{\C}{\stnd{C}} % complex numbers \newcommand{\mi}{\mathrm i} \newcommand{\me}{\mathrm e} \newcommand{\units}[1]{#1{}\!^{\times}} \newcommand{\Zmod}[1][n]{\Z_{#1}} \newcommand{\Zmodu}[1][n]{\units{\Zmod[#1]}} \newcommand{\scr}[1]{\operatorname{s}(#1)} \newcommand{\pred}[1]{\operatorname{pred}(#1)} \DeclareMathOperator{\lcm}{lcm} \DeclareMathOperator{\dee}{d} % \let\oldsqrt\sqrt \renewcommand{\sqrt}[1]{\oldsqrt{\vphantom1}{#1}} \newcommand{\rten}{\sqrt{10}} \newcommand{\dsp}{\,} % space between blocks of three digits \newcommand{\hw}[1]{\hfill{}\textnormal{[#1]}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % Theorem-like environments % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %\newtheorem*{theorem*}{Theorem} \newtheorem*{lemma*}{Lemma} \newtheorem*{corollary}{Corollary} \newtheorem{theorem}{Theorem} \newtheorem{Atheorem}{Theorem}[chapter] % for appendix A \newtheorem{axdef}[theorem]{Axiom and definition} \newtheorem{lemma}{Lemma}[chapter] \newtheorem{problem}{Problem}[section] \renewcommand{\theproblem}{\arabic{section}.\arabic{problem}} \theoremstyle{definition} \newtheorem{definition}[theorem]{Definition} \newtheorem{xca}{Exercise}%[section] %\renewcommand{\thexca}{\arabic{section}.\arabic{xca}} \newtheorem*{solution}{Solution} \theoremstyle{remark} \newtheorem{remarks}[theorem]{Remarks} \newtheorem{remark}[theorem]{Remark} \newtheorem*{remark*}{Remark} %\numberwithin{section}{chapter} %\numberwithin{xca}{section} \numberwithin{equation}{chapter} \renewcommand{\theequation}{\fnsymbol{equation}} \begin{document} \title{Elementary Number Theory} \author{David Pierce} \date{\today} \uppertitleback{\center{ This work is licensed under the\\ Creative Commons Attribution--Noncommercial--Share-Alike License.\\ To view a copy of this license, visit\\ \url{http://creativecommons.org/licenses/by-nc-sa/3.0/}\\ \mbox{}\\ \cc \ccby David Pierce \ccnc \ccsa\\ \mbox{}\\ Mathematics Department\\ Middle East Technical University\\ Ankara 06531 Turkey\\ \url{http://metu.edu.tr/~dpierce/}\\ \url{dpierce@metu.edu.tr} } } \maketitle%[-1] \addchap{Preface} This book is for the course Elementary Number Theory (Math 365), given at METU in 2010/11. The book is based on my lectures in the same course, 2007/8. The lectures were based---and hence this book is based---mainly on Burton's text, \emph{Elementary Number Theory}~\cite{Burton}. I have made a few additions. Also, where it makes sense, I try to display the mathematics in pictures or tables, as for example in Chapter~\ref{ch:look} and in the account of the Chinese Remainder Theorem given in \S~\ref{sect:CRT-again}. Math 365 has this catalogue description: \begin{quote} Divisibility, congruences, Euler, Chinese Remainder and Wilson's Theorems. Arithmetical functions. Primitive roots. Quadratic resi\-dues and quadratic reciprocity. Diophantine equations. \end{quote} I ask students in addition to know something of the logical foundations of number theory. Appendix~\ref{ch:foundations} contains an account of these foundations, namely a derivation of basic arithmetic from the so-called Peano Axioms. Appendix~\ref{ch:exercises} contains the exercises made available to the 2007/8 class; Appendix~\ref{ch:exams}, the examinations given to that class, along with my solutions. I have not incorporated the exercises into the main text. One reason for this is to make it less obvious how the exercises should be done. The position of an exercise in a text is often a hint as to how the exercise should be done; and yet there are no such hints on examinations. Whereas the exercises in this book were originally found in 11 separate documents, issued roughly once a week, here the exercises are strung together in one numbered sequence. I have not changed the order of the exercises. In the 2007/8 class, I defined the set $\N$ of natural numbers as $\{0,1,2,3,\dots\}$; in the present book, I have decided to define it as $\{1,2,3,\dots\}$. I have tried to make the appropriate changes, except in Appendix~\ref{ch:exams}, but I may have missed something. I have not changed the examinations. Full names and dates of mathematicians given in the text are taken from the MacTutor History of Mathematics archive, \url{http://www-gap.dcs.st-and.ac.uk/~history/index.html}. However, I have not tried to trace the origin of all of the mathematics in these notes. \tableofcontents \chapter{Proving and seeing}\label{ch:look} \section{The look of a number} What can we say about the following sequence of numbers? \begin{equation*} 1,3,6,10,15,21,28,\dots \end{equation*} The terms increase by $2$, $3$, $4$, and so on. The numbers have an appearance, a \textbf{look:}\index{look} \begin{center} \psset{xunit=1cm,yunit=1.73cm} \begin{pspicture}(0,-0.6)(5.4,0) %\psgrid \psdots(0,0) (1,-0.2)(1.4,-0.2)(1.2,0) (2.4,-0.4)(2.8,-0.4)(3.2,-0.4)(2.6,-0.2)(3,-0.2)(2.8,0) (4.2,-0.6)(4.6,-0.6)(5,-0.6)(5.4,-0.6)(4.4,-0.4)(4.8,-0.4)(5.2,-0.4)(4.6,-0.2)(5,-0.2)(4.8,0) \end{pspicture} \end{center} In particular, the numbers are the \textbf{triangular numbers.}% \index{triangular number}% \index{number!triangular ---} Let us designate them by $t_1$, $t_2$, and so on. Then they can be given \textbf{recursively}\index{recursive definition} by \begin{align*} t_1&=1,& t_{n+1}&=t_n+n+1. \end{align*} The triangular numbers can also be given in various \textbf{closed forms:}% \index{closed form} \begin{equation}\label{eqn:tn} t_n=\sum_{k=1}^nk=\binom{n+1}{2}=\frac{n(n+1)}{2}. \end{equation} Indeed, we can prove this by \textbf{induction:}\index{induction} \begin{compactenum}[1.] \item The claim~\eqref{eqn:tn} is true when $n=1$. \item If the claim is true when $n=k$, so that $t_k=k(k+1)/2$, then \begin{align*} t_{k+1}=t_k+k+1 =\frac{k(k+1)}{2}+k+1 &=\frac{k(k+1)}{2}+\frac{2(k+1)}2\\ &=\frac{(k+2)(k+1)}{2} =\frac{(k+1)(k+2)}{2}, \end{align*} so the claim is true when $n=k+1$. \end{compactenum} By induction then, \eqref{eqn:tn} is true for all $n$. So equation~\eqref{eqn:tn} \emph{is} true; but we might ask further: \emph{why} is~\eqref{eqn:tn} true? One answer can be seen in a picture. First rewrite~\eqref{eqn:tn} as \begin{equation*} 2t_n=n(n+1). \end{equation*} Two copies of $t_n$ do indeed fit together to make an $n\times(n+1)$ array of dots: \begin{center} \begin{pspicture}(0,-1.2)(1.6,0) \psdots(0,0) (0.4,0) (0.8,0) (1.2,0) (0,-0.4)(0.4,-0.4)(0.8,-0.4) (0,-0.8)(0.4,-0.8) (0,-1.2) \psdots[dotstyle=o] (1.6,-0) (1.2,-0.4)(1.6,-0.4) (0.8,-0.8)(1.2,-0.8)(1.6,-0.8) (0.4,-1.2)(0.8,-1.2)(1.2,-1.2)(1.6,-1.2) \end{pspicture} \end{center} Similarly, $t_{n+1}+t_n=(n+1)^{2}$, since \begin{equation*} t_{n+1}+t_n=\frac{(n+1)(n+{2})}{2}+\frac{n(n+1)}{2} =\frac{n+1}{2}(n+{2}+n)=(n+1)^{2}; \end{equation*} but this can be seen in a picture: \begin{center} \begin{pspicture}(0,-1.6)(1.6,0) \psdots(0,0)(0.4,0)(0.8,0)(1.2,0)(1.6,0) (0,-0.4)(0.4,-0.4)(0.8,-0.4)(1.2,-0.4) (0,-0.8)(0.4,-0.8)(0.8,-0.8) (0,-1.2)(0.4,-1.2) (0,-1.6) \psdots[dotstyle=o] (1.6,-0.4) (1.2,-0.8)(1.6,-0.8) (0.8,-1.2)(1.2,-1.2)(1.6,-1.2) (0.4,-1.6)(0.8,-1.6)(1.2,-1.6)(1.6,-1.6) \end{pspicture} \end{center} What can we say about the following sequence? \begin{equation*} {1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,\dots} \end{equation*} It is the sequence of odd numbers. Also, the first $n$ terms seem to add up to $n^{2}$, that is, \begin{equation}\label{eqn:n2} \sum_{k=1}^n({2}k-1)=n^{2}. \end{equation} We can prove this by induction: \begin{compactenum}[1.] \item The claim is true when $n=1$. \item If the claim is true when $n=k$, then \begin{equation*} \sum_{j=1}^{k+1}({2}j-1) =\sum_{j=1}^k({2}j-1)+{2}k+1 =k^{2}+{2}k+1 =(k+1)^{2}, \end{equation*} so the claim is true when $n=k+1$. \end{compactenum} Therefore~\eqref{eqn:n2} is true for all $n$. A picture shows why: \begin{center} \psset{unit=4mm} \begin{pspicture}(1,1)(5,5) \psdots (1,1)(3,1)(5,1)(3,2)(5,2)(1,3)(2,3)(3,3)(5,3)(5,4)(1,5)(2,5)(3,5)(4,5)(5,5) \psdots[dotstyle=o](2,1)(4,1)(1,2)(2,2)(4,2)(4,3)(1,4)(2,4)(3,4)(4,4) \end{pspicture} \end{center} Finally, observe: \begin{equation*} {1},\underbrace{{3,5}}_8,\underbrace{{7,9,11}}_{{27}}, \underbrace{{13,15,17,19}}_{{64}},\underbrace{{21,23,25,27,29}}_{{125}},\dots \end{equation*} Does the pattern continue? As an exercise, write the suggested equation, \begin{equation*} n^{3}=\sum_{\dots}^{\dots}\dots, \end{equation*} and prove it. (The theorem was apparently known to Nicomachus of Gerasa \cite[II.20.5, p.~263]{Nicomachus}, almost 2000 years ago.) \section{Patterns that fail} This is from Arnol$'$d's talk `On the teaching of mathematics' \cite{MR1618209}. Write the odd numbers as sums of odd numbers of summands: \begin{gather*} 1=1,\\ \begin{aligned} 3 &=3\\ &=1+1+1, \end{aligned}\\ \begin{aligned} 5 &=5\\ &={3}+1+1\\ &={2}+{2}+1\\ &=1+1+1+1+1, \end{aligned}\\ \begin{aligned} 7 &=7\\ &=5+1+1\\ &=4+{2}+1\\ &={3}+{3}+1\\ &={3}+{2}+{2}\\ &={3}+1+1+1+1\\ &={2}+{2}+1+1+1\\ &=1+1+1+1+1+1+1, \end{aligned} \end{gather*} and so on. Then we have \begin{equation*} \begin{array}{c|c} n &\text{\# sums for }n\\\hline 1&1\\ {3}&{2}\\ 5&4\\ 7&8\\ 9&16\\ 11&29 \end{array} \end{equation*} Thus the pattern ${2}^{0},{2}^1,{2}^{2},\dots$ breaks down. Is there a formula for the sequence of numbers of sums? \section{Incommensurability}\label{sect:incomm} \begin{theorem} No numbers solve the equation \begin{equation*} x^{2}={2}y^{2}. \end{equation*} \end{theorem} \begin{proof} Suppose $a^{2}={2}b^{2}$. Then $a>b$. Also, $a$ must be even: say $a=2c$. Consequently $4c^2=2b^2$, so $b^2=2c^2$. Thus we obtain a sequence \begin{equation*} a,b,c,\dots,k,\ell,\dots, \end{equation*} where always $k^2=2\ell^2$. But we have also $a>b>c>\dotsb$, which is absurd; there is no infinite descending sequence of numbers. Therefore no $a$ and $b$ exist such that $a^2=2b^2$. \end{proof} The proof here is said to be by the method of \textbf{infinite descent.}% \index{infinite descent}% \index{proof!--- by infinite descent} Geometrically, the theorem is that the side and diagonal of a square are \textbf{incommensurable:}% \index{incommensurable} there is no line segment that evenly divides each of them. We can see this as follows~\cite[v.~I, p.~19]{MR17:814b}. In Fig.~\ref{fig:square}, \begin{figure}[ht] \begin{center} \begin{pspicture}(-0.5,-0.5)(5.8,4.5) \psline(0,0)(4,0)(4,4)(0,4)(0,0)(4,4) \psline(1.172,1.172)(0,2.343)(4,4) \psarc[linestyle=dotted](4,4){4}{180}{225} \psline(5,1.8)(5.8,1.8) \uput[ul](0,4){$A$} \uput[ur](4,4){$B$} \uput[dr](4,0){$C$} \uput[dl](0,0){$D$} \uput[dr](1.172,1.172){$E$} \uput[l](0,2.343){$F$} \uput[u](5.4,1.8){$d$} \end{pspicture} \end{center} \caption{Incommensurability of diagonal and side}\label{fig:square} \end{figure} there is a square, $ABCD$. On the diagonal $BD$, the distance $BE$ is marked equal to $AB$. The perpendicular at $E$ meets $AD$ at $F$. The straight line $BF$ is drawn. Then triangles $ABF$ and $EBF$ are congruent, so $EF=AF$. Also, triangle $DEF$ is similar to $DAB$, so $DE=EF$. Suppose a straight line $d$ measures both $AB$ and $BD$. Then it measures $ED$ and $DF$, since \begin{align*} ED&=BD-AB,& DF&=AB-ED. \end{align*} The same construction can be performed with triangle $DEF$ in place of $DAB$. Since ${2}EDa_2>a_3>\dotsb$, which again is absurd. The same argument, adjusted, gives us a way to \emph{approximate} $\sqrt2$. Suppose there are $b_1$ and $b_2$ such that \begin{equation*} \frac{b_1}{b_2}=\sqrt 2-1. \end{equation*} Then \begin{equation*} \frac{b_2}{b_1}=\sqrt 2+1=\frac{b_1}{b_2}+2=\frac{b_1+2b_2}{b_2}. \end{equation*} If we define \begin{equation}\label{eqn:bn2} b_{n+2}=b_n+2b_{n+1}, \end{equation} then \begin{equation*} \frac{b_{n+1}}{b_{n+2}}=\sqrt 2-1. \end{equation*} Now however the sequence $b_1$, $b_2$, \dots, increases, so there is no obvious contradiction. But the definition~\eqref{eqn:bn2} alone yields \begin{equation*} \frac{b_{n+2}}{b_{n+1}} =2+\frac{b_n}{b_{n+1}} =2+\cfrac1{\cfrac{b_{n+1}}{b_n}} =2+\cfrac1{2+\cfrac{b_n}{b_{n-1}}} =2+\cfrac1{2+\cfrac1{2+\cfrac{b_{n-1}}{b_{n-2}}}} =\dotsb \end{equation*} If we just let $b_1=1$ and $b_2=2$, then by~\eqref{eqn:bn2} we get the sequence \begin{equation*} 1,2,5,12,27,66,\dots \end{equation*} Then the sequence \begin{equation*} \frac21,\frac52,\frac{12}5,\frac{27}{12},\frac{66}{27},\dots \end{equation*} of fractions converges to $\sqrt2+1$ (though we haven't proved this). One writes \begin{equation}\label{eqn:sqrt2} \sqrt{2}+{1}={2}+\cfrac{1}{{2}+\cfrac{1}{{2}+\cfrac{1}{{2}+\cfrac{1}{{2}+\cfrac{1}{\ddots}}}}}. \end{equation} \chapter{Numbers} \section{The natural numbers} The \emph{numbers} heretofore mentioned, namely $1$, $2$, $3$, and so on, are more precisely the \textbf{natural numbers.} They compose the set $\N$. Everything about $\N$ follows from the following five conditions. \begin{compactenum}[1.] \item There is a \textbf{first} natural number,% \index{first natural number}% \index{number!first natural ---, one} \textbf{one} or $1$. \item Each $n$ in $\N$ has a \textbf{successor,}% \index{successor}% \index{number!successor} $\scr n$. \item The number $1$ is not a successor. \item Distinct numbers have distinct successors: if $n\neq m$, then $\scr n\neq\scr m$. \item \textbf{proof by induction}% \index{induction}% \index{proof!--- by induction} is possible: a subset $A$ of $\N$ is the whole set, provided \begin{compactenum}[a)] \item $1\in A$, and \item whenever $n\in A$, then also $\scr n\in A$. \end{compactenum} \end{compactenum} \begin{theorem}[Recursion]% \index{Recursion Theorem}% \index{theorem!Recursion Th---} Suppose $A$ is a set with an element $b$, and $f\colon A\to A$. Then there is a \emph{unique} function $g$ from $\N$ to $A$ such that \begin{compactenum} \item $g(1)=b$, and \item $g(\scr n)=f(g(n))$ for all $n$ in $\N$. \end{compactenum} \end{theorem} For the proof, see Appendix~\ref{ch:foundations}. We now define addition by defining $x\mapsto m+x$ recursively: \begin{align*} m+1&=\scr m,& m+\scr n&=\scr{m+n}. \end{align*} Now the function $g$ in the Recursion Theorem is such that \begin{align*} g(1)&=b,&g(n+1)&=f(g(n)). \end{align*} We can then define multiplication by \begin{align*} m\cdot 1&=m,& m\cdot(n+1)&=m\cdot n+m. \end{align*} Also the ordering of $\N$ is defined recursively by the requirements \begin{align*} x&\not<1,&x0$; \textbf{negative,} if $a<0$. \section{Other numbers} Given integers $a$ and $b$, where $b\neq0$, we can form the \textbf{rational number} \begin{equation*} \frac ab \end{equation*} or $a/b$. The properties of rational numbers follow from the rule \begin{equation*} \frac ab=\frac xy\iff ay=bx. \end{equation*} The set of rational numbers is denoted by $\Q$ and is an \textbf{ordered field,} of which $\Z$ is an ordered sub-ring. Then $\Q$ has a \textbf{completion,} the set $\R$ of \textbf{real numbers;} this is a complete ordered field. The (unordered) field $\C$ of \textbf{complex numbers} consists of the formal sums $x+y\mi$, where $x$ and $y$ are in $\R$ and $\mi^2=-1$. Every equation $a+bx=0$, where $a$ and $b$ are integers, and $b\neq0$, has a solution in $\Q$, namely $-a/b$. In particular, there is a solution when $b=1$; but then the solution is just $-a$, an integer. More generally, if $a_0$, \dots, $a_{n-1}$ are integers, a solution in $\C$ to an equation \begin{equation*} a_0+a_1x+\dotsb+a_{n-1}x^{n-1}+x^n=0 \end{equation*} is called an \textbf{algebraic integer.} The algebraic integers are the subject of \textbf{algebraic number theory.} The only algebraic integers in $\Q$ are the usual integers---which in this context may be called \textbf{rational integers.} The study of $\R$ and $\C$ is \textbf{analysis.} That part of number theory that makes use of analysis is \textbf{analytic number theory.} One may observe for example that the function given by \begin{equation*} \Gamma(x)=\int_{0}^{\infty}e^{-t}t^{x-1}\dee x \end{equation*} satisfies $\Gamma(n+1)=n\Gamma(n)$, and $\Gamma(1)=1$, so that $G(n+1)=n!$. Our subject is \textbf{elementary number theory.} This means not that the subject is easy, but that our integers are just the rational integers, and we shall not use analysis. \chapter{Divisibility}\label{ch:divisibility} \section{Division and congruence} Henceforth minuscule letters will usually denote integers. If $a$ is such, let the set $\{ax\colon x\in\Z\}$ be denoted by $\Z a$ or $a\Z$ or \begin{equation*} (a). \end{equation*} Then $b\in(a)$ if and only if $a$ \textbf{divides}% \index{divides, divisor} $b$, or $a$ is a \textbf{divisor} of $b$; this situation is denoted by \begin{equation*} a\divides b. \end{equation*} If $c-b\in(a)$, then we may also write \begin{equation*} b\equiv c\pmod a, \end{equation*} saying $b$ and $c$ are \textbf{congruent}% \index{congruent numbers}% \index{number!congruent ---s} with respect to the \textbf{modulus}% \index{modulus, \emph{modulo}} $a$, or $b$ and $c$ are congruent \textbf{\emph{modulo}} $a$; also $c$ is a \textbf{residue}% \index{residue} of $b$ \emph{modulo} $a$. (This terminology and notation appear to be due to Johann Carl Friedrich Gauss,\index{Gauss} 1777--1855; they and many results in this book are set forth in Gauss's \emph{Disquisitiones Arithmeticae} \cite{Gauss}.) If the modulus $a$ is understood, we might write simply \begin{equation*} b\equiv c. \end{equation*} Congruence with respect to a given modulus is an equivalence-relation. The congru\-ence-class of $b$ \emph{modulo} $a$ is \begin{equation*} \{x\in\Z\colon b-x\in(a)\}. \end{equation*} If $a={0}$, then congruence \emph{modulo} $a$ is equality. Otherwise, there are $\size a$ congru\-ence-classes \emph{modulo} $a$, namely the classes of ${0}$, $1$, \dots, $\size a-1$. This is by the Division Theorem below. \begin{lemma*} If $0na=b$, which contradicts the original assumption. \end{proof} The property of $\N$ given by the lemma is that it is \textbf{archimedean.} \index{archimedean property of $\N$} \begin{theorem}[Division] If $a$ and $b$ are integers, and $a\neq{0}$, then the system \begin{align*} b&=ax+y,&{0}\leq y&<\size a \end{align*} has a unique solution. \end{theorem} \begin{proof} The set $\{z\in\N\colon z=b-ax\text{ for some $x$ in $\Z$}\}$ is non-empty (why?). Let $r$ be its least element (which exists by the Well Ordering Principle), and let $q$ be such that $r=b-aq$. Then $b=aq+r$ and ${0}\leq r<\size a$. \end{proof} In the notation of the proof, $q$ is the number times that $a$ \emph{goes into} $b$, and $r$ is the \textbf{remainder.}% \index{remainder} Every square has the form ${3}n$ or ${3}n+1$. Indeed, every number is ${3}k$ or ${3}k+1$ or ${3}k+{2}$, and \begin{gather*} ({3}k)^{2}={9}k^{2}={3}({3}k^{2}),\\ ({3}k+1)^{2}={9}k^{2}+6k+1={3}({3}k^{2}+{2}k)+1,\\ ({3}k+{2})^{2}={9}k^{2}+{12}k+4={3}({3}k^{2}+4k+1)+1. \end{gather*} An alternative argument can make use of the following: \begin{theorem}\label{thm:+.mod-n} If $a\equiv b$ and $c\equiv d$, then \begin{align*} a+c&\equiv b+d,& ac&\equiv bd. \end{align*} \end{theorem} \begin{proof} If $n\divides b-a$ and $n\divides d-c$, then $n\divides b-a+d-c$, that is, \begin{equation*} n\divides b+d-(a+c), \end{equation*} and also $n\divides(b-a)c+(d-c)b$, that is, \begin{equation*} n\divides bd-ac.\qedhere \end{equation*} \end{proof} In particular, congruent numbers have congruent squares. Since \begin{align*} {0}^{2}&={0},& 1^{2}&=1,& {2}^{2}&=4\equiv 1\pmod {3}, \end{align*} again we conclude that every square is $3n$ or $3n+1$ for some $n$. As suggested above, with respect to a positive modulus $n$, every integer is congruent to exactly one of the integers $0,1,\dots,n-1$. Therefore these integers are said to compose a \textbf{complete set of residues}% \index{complete set of residues}% \index{residue!complete set of ---s} \emph{modulo} $n$. Another complete set of residues \emph{modulo} $n$ is the set of $a$ such that \begin{equation*} -\frac n2a_{1}\geq{0}$. By \emph{strong} recursion (and the Division Theorem), we obtain a sequence $a_0,a_1,a_2,\dots$ by defining \begin{equation}\label{eqn:anq} a_n=a_{n+1}q+a_{n+{2}}\land {0}\leq a_{n+{2}}a_{1}>a_{2}>\dotsb \end{equation*} must stop. That is, let $a_m$ be the least element of $\{a_n\colon a_n>{0}\}$, so that $a_{m+1}={0}$. Then \begin{equation*} \gcd(a_{0},a_{1})=a_m. \end{equation*} For, if $a_{n+1}\neq{0}$, then $\gcd(a_n,a_{n+1})=\gcd(a_{n+1},a_{n+{2}})$ by~\eqref{eqn:anq}; so, by induction, \begin{equation*} \gcd(a_{0},a_{1})=\gcd(a_{1},a_{2})=\dotsb=\gcd(a_m,a_{m+1})=\gcd(a_m,{0})=a_m. \end{equation*} This method of finding a $\gcd$ is called the \textbf{Euclidean algorithm.}\index{Euclidean algorithm} In obtaining~\eqref{eqn:sqrt2} in \S~\ref{sect:incomm}, we used the Euclidean Algorithm (in particular, we used the algorithm given by Euclid in his Proposition X.2). As in Fig.~\ref{fig:ds}, \begin{figure}[ht] \begin{center} \begin{pspicture}(-0.5,-0.5)(4.5,4.5) \psline(0,0)(4,0)(4,4)(0,4)(0,0)(4,4) \psline(1.172,1.172)(0,2.343) \uput[r](4,2){$s$} \uput[d](2,0){$s$} \uput[u](2,4){$s$} \uput[dr](2,2){$d$} \uput[ul](2.586,2.586){$s$} % \uput[l](0,3.172){$d-s$} % \uput[ur](0.586,1.756){$d-s$} % \uput[ul](0.586,0.586){{$d-s$}} \end{pspicture} \end{center} \caption{Diagonal and side.}\label{fig:ds} \end{figure} let $d$ and $s$ be the diagonal and side of a square. Since $d^2-s^2=s^2$, we have \begin{equation*} \frac{d+s}s=\frac s{d-s}. \end{equation*} Since $s{0},\quad 25-7t>{0},\quad 75+{3}t>{0};\\ t>{0},\quad 7t<25,\quad {3}t>-75;\\ {0}1$ and for all positive integers $a$, \begin{equation*} a\divides b\lto a\in\{1,b\}. \end{equation*} \emph{Throughout these notes, $p$ and $q$ will always stand for primes.} Then \begin{equation*} \gcd(a,p)\in\{1,p\}, \end{equation*} so either $a$ and $p$ are co-prime, or else $p\divides a$. \begin{theorem}[Euclid, VII.30]\label{thm:Euclid} \index{theorem!Euclid's Th---}% \index{Euclid!---'s Theorem} If $p\divides ab$, then either $p\divides a$ or $p\divides b$. \end{theorem} \begin{proof} If $p\ndivides a$, then $\gcd(a,p)=1$, so $p\divides b$ by Theorem~\ref{thm:a|bc}. \end{proof} \begin{corollary} If $p\divides a_1\dotsb a_n$, where $n\geq1$, then $p\divides a_k$ for some $k$. \end{corollary} \begin{proof} Use induction. Indeed, the claim is true when $n=1$. Suppose it is true when $n=m$. Say $p\divides a_1\dotsb a_{m+1}$. By the theorem, we have that $p\divides a_1\dotsb a_m$ or $p\divides a_{m+1}$. In the former situation, by the inductive hypothesis, $p\divides a_k$ for some $k$. So the claim holds when $n=m+1$, assuming it holds when $n=m$. Therefore the claim does indeed hold for all $n$. \end{proof} \begin{theorem}[Fundamental Theorem of Arithmetic]% \index{Fundamental Theorem of Arithmetic}% \index{theorem!Fundamental Th--- of Arithmetic} Every positive integer is uniquely a product \begin{equation*} p_{1}\dotsm p_n \end{equation*} of primes, where \begin{equation*} p_{1}\leq\dotsb\leq p_n. \end{equation*} \end{theorem} \begin{proof} Trivially, $1=p_1\dotsm p_n$, where $n=0$. Suppose $m>1$. If $a$ is a divisor of $m$ that is greater than $1$, but is not prime, then $a$ has a divisor $b$ such that $1\frac m{p_{1}}>\frac m{p_{1}p_{2}}>\dotsb, \end{equation*} the sequence of primes must terminate by the Well Ordering Principle, and for some $n$ we have $m=p_{1}\dotsb p_n$. For uniqueness, suppose also $m=q_{1}\dotsb q_{\ell}$. Then $q_{1}\divides m$, so $q_{1}\divides p_i$ for some $i$ by the corollary to Theorem~\ref{thm:Euclid}, and therefore $q_{1}=p_i$. Hence \begin{equation*} p_{1}\leq p_i=q_{1}. \end{equation*} By the symmetry of the argument, $q_{1}\leq p_{1}$, so $p_{1}=q_{1}$. Similarly, $p_{2}=q_{2}$, \&c., and $n=\ell$. \end{proof} Alternatively, every positive integer is uniquely a product \begin{equation*} p_1{}^{a_1}\dotsm p_n{}^{a_n}, \end{equation*} where $p_1<\dotsb{0}$, then $\{a+bn\colon n\in\N\}$ contains infinitely many primes. \end{theorem} That is in an arithmetic progression whose initial term is prime to the common difference, there are infinitely many primes. It is moreover possible to find arbitrary long arithmetic progressions consisting entirely of primes:\footnote{This theorem is not mentioned in Burton \cite{Burton}.} \begin{theorem}[Ben Green and Terence Tao \cite{Green--Tao}, 2004] For every $n$, there are $a$ and $b$ such that each of the numbers $a, a+b, a+{2}b,\dots,a_nb$ is prime (and $b>{0}$). \end{theorem} Is it possible that each of the numbers \begin{equation*} a,a+b,a+{2}b,a+{3}b,\dots \end{equation*} is prime? Yes, if $b={0}$. What if $b>{0}$? Then No, since $a\divides a+ab$. But what if $a=1$? Then replace $a$ with $a+b$. Two primes $p$ and $q$ are \textbf{twin primes}% \index{twin primes}% \index{prime!twin ---s} if $\size{p-q}={2}$. The list of all primes begins: \begin{equation*} {2},\underbrace{{3},5,7}, \underbrace{11,13},\underbrace{17,19},23,\underbrace{29,31},37, \underbrace{41,43},47,\dots \end{equation*} and there are several twins. Are there infinitely many? People think so, but can't prove it. We do have: \begin{theorem}[Goldston, Pintz, Y\i ld\i r\i m \cite{GPY}, 2005] For every positive real number $\epsilon$, there are primes~$p$ and~$q$ such that ${0}1$, then $m^n\equiv0\pmod{m^2}$, so $m\equiv0\pmod{m^2}$, which is absurd unless $m=\pm1$. \section{Wilson's Theorem} %\section{October 18, 2007 (Thursday)} Can we solve $(p-1)!\equiv x\pmod p$? The answer is certainly not $0$. \begin{theorem}\label{thm:Wilson} Suppose $n>1$. Then $(n-1)!\equiv-1\pmod n$ if and only if $n$ is prime. \end{theorem} This is called \textbf{Wilson's Theorem}% \index{Wilson, ---'s Theorem} \index{theorem!Wilson's Th---} after John Wilson, 1741--1793, who apparently conjectured the result, but did not prove it. (It appears the result was also known to Abu Ali al-Hasan ibn al-Haytham,% \index{Haytham} 965--1039.) The result gives a theoretical test for primality, though not a practical one. \begin{proof}[Proof of theorem] One of the two directions should be easier; which one? Suppose $n$ is not prime, so that $n=ab$, where $10$. \end{compactenum} Indeed, suppose $\gcd(a,p^r)\neq1$. Then $\gcd(a,p^r)=p^k$ for some positive $k$. In particular, $p\divides a$. Conversely, if $p\divides a$, then $p\divides\gcd(a,p^r)$, so $\gcd(a,p^r)\neq1$. Therefore $\phi(p^r)$ is the number of integers $x$ such that $0\leq x0;\\ \phi(mn)&=\phi(m)\cdot\phi(n),&&\text{ if }\gcd(m,n)=1. \end{align*} Hence, if $n$ has the distinct prime divisors $p_1$, \dots, $p_s$, then \begin{equation*} \phi(n)=n\cdot\prod_{k=1}^s\Bigl(1-\frac1{p_i}\Bigr). \end{equation*} We can write this more neatly as \begin{equation}\label{eqn:phi-nn} \phi(n)=n\cdot\prod_{p\divides n}\Bigl(1-\frac1p\Bigr). \end{equation} For example, \begin{equation*} \phi(30)=30\cdot\Bigl(1-\frac12\Bigr)\cdot\Bigl(1-\frac13\Bigr)\cdot\Bigl(1-\frac15\Bigr)=30\cdot\frac12\cdot\frac23\cdot\frac45=8. \end{equation*} Since $180$ has the same prime divisors as $30$, we have \begin{equation*} \frac{\phi(180)}{\phi(30)}=\frac{180}{30}=6, \end{equation*} so $\phi(180)=6\phi(30)=48$. But $15$ and $30$ do not have the same prime divisors, and we cannot expect $\phi(15)/\phi(30)$ to be $15/30$, or $1/2$; indeed, $\phi(15)=\phi(3)\cdot\phi(5)=2\cdot 4=8=\phi(30)$. \begin{theorem}[Euler]% \index{Euler!---'s Theorem}% \index{theorem!Euler's Th---} If $\gcd(a,n)=1$, then \begin{equation*} a^{\phi(n)}\equiv1\pmod n. \end{equation*} \end{theorem} Fermat's Theorem is the special case when $n=p$. But we do \emph{not} generally have $a^{\phi(n)+1}\equiv a\pmod n$ for arbitrary $a$. For example, $\phi(12)=4$, but $2^5=32\equiv 8\pmod{12}$; so \begin{equation*} 2^{\phi(12)+1}\not\equiv2\pmod{12}. \end{equation*} \begin{proof}[Proof of Euler's Theorem] Assume $\gcd(a,n)=1$. We can write $\{x\in\Z\colon0\leq x1$ and $d\divides n$, the average member of $S^n_d$ is~$n/2$: \begin{equation*} \frac1{\size{S^n_d}}\sum_{x\in S^n_d}x=\frac n2. \end{equation*} \end{theorem} \begin{proof} When $n>1$, then $S^n_d$ has the permutation $x\mapsto n-x$, so \begin{equation*} 2\cdot\sum_{x\in S^n_d}x =\sum_{x\in S^n_d}x+\sum_{x\in S^n_d}(n-x) =\sum_{x\in S^n_d}(x+(n-x)) =\sum_{x\in S^n_d}n=n\cdot\size{S^n_d}.\qedhere \end{equation*} \end{proof} \begin{theorem}\label{thm:fnn} For all $n$, \begin{equation*} \frac{\phi(n)}n=\sum_{d\divides n}\frac{\mu(d)}d. \end{equation*} \end{theorem} \begin{proof} Applying the M\"obius Inversion Formula to~\eqref{eqn:sum-phi} yields \begin{equation*} \phi(n) =\sum_{d\divides n}\mu\Bigl(\frac nd\Bigr)\cdot d =\sum_{d\divides n}\mu(d)\cdot\frac nd =n\cdot\sum_{d\divides n}\frac{\mu(d)}d.\qedhere \end{equation*} \end{proof} Recalling~\eqref{eqn:phi-nn}, namely $\phi(n)=n\cdot\prod_{p\divides n}(1-1/p)$, we have now \begin{equation*} \prod_{p\divides n}\Bigl(1-\frac1p\Bigr)=\sum_{d\divides n}\frac{\mu(d)}d. \end{equation*} For example, \begin{align*} \sum_{d\divides12}\frac{\mu(d)}d &=\frac{\mu(1)}1+ \frac{\mu(2)}2+ \frac{\mu(3)}3+ \frac{\mu(4)}4+ \frac{\mu(6)}6+ \frac{\mu(12)}{12}\\ &=1-\frac12-\frac13+\frac16\\ &=1-\frac12-\frac13+\frac1{2\cdot3}\\ &=\Bigl(1-\frac12\Bigr)\Bigl(1-\frac13\Bigr) =\prod_{p\divides12}\Bigl(1-\frac1p\Bigr). \end{align*} \chapter{Primitive roots} \section{Order}%\asterism{} Recall Euler's Theorem: \begin{equation*} \gcd(a,n)=1\implies a^{\phi(n)}\equiv1\pmod n. \end{equation*} This can be improved in some cases. For example, $255=3\cdot5\cdot17$, so $\phi(255)=\phi(3)\cdot\phi(5)\cdot\phi(17)=2\cdot4\cdot16=128$, and hence \begin{equation*} \gcd(a,255)=1\implies a^{128}\equiv1\pmod{255}. \end{equation*} But by Fermat's Theorem, \begin{align*} 3\ndivides a&\implies a^2\equiv1\pmod 3\implies a^{16}\equiv1\pmod{3};\\ 5\ndivides a&\implies a^4\equiv1\pmod 5\implies a^{16}\equiv1\pmod{5};\\ 17\ndivides a&\implies a^{16}\equiv1\pmod{17}. \end{align*} Therefore $\gcd(a,255)=1\implies a^{16}\equiv1\pmod{3,5,17}$, that is, \begin{equation*} \gcd(a,255)=1\implies a^{16}\equiv1\pmod{255}. \end{equation*} If it exists, the \textbf{order}% \index{order} of $a$ \emph{modulo} $n$ is the least positive $k$ such that \begin{equation*} a^k\equiv1\pmod n. \end{equation*} If such $k$ does exist, then $a^k-1=n\cdot\ell$ for some $\ell$, so \begin{equation*} a\cdot a^{k-1}-n\cdot\ell=1, \end{equation*} and therefore $\gcd(a,n)=1$. Conversely, if $\gcd(a,n)=1$, then $a^{\phi(n)}\equiv 1\pmod n$, so $a$ has an order \emph{modulo} $n$. Assuming $\gcd(a,n)=1$, let us denote the order of $a$ \emph{modulo} $n$ by \begin{equation*} \ord na. \end{equation*} For example, what is $\ord{17}2$? Just compute powers of $2$ \emph{modulo} $17$: \begin{equation*} 2,\ 4,\ 8,\ 16\equiv-1,\ -2,\ -4,\ -8,\ -16\equiv 1. \end{equation*} Then $\ord{17}2=8$. We also have \begin{multline*} 3,\ 9\equiv-8,\ -24\equiv-7,\ -21\equiv-4,\ -12\equiv5,\ 15\equiv-2,\ -6,\ -18\equiv-1,\\ -3,\ 8,\ 7,\ 4,\ -5,\ 2,\ 6,\ 1. \end{multline*} So $\ord{17}3=16$. Note how, in each computation, halfway through, we just change signs. %\section{November 20, 2007 (Tuesday)} In the latter case, we computed \begin{equation*} \begin{array}{|c*{8}{|r}|}\hline k&1&2&3&4&5&6&7&8\\\hline 3^k\pmod{17}&3&-8&-7&-4&5&-2&-6&-1\\\hline\hline k&9&10&11&12&13&14&15&16\\\hline 3^k\pmod{17}&-3&8&7&4&-5&2&6&1\\\hline \end{array} \end{equation*} %Hence $16$ is the least positive $k$ such that $3^k\equiv1\pmod{17}$, so $\ord{17}3=16$. From this table, we can extract \begin{equation*} \begin{array}{|c*{8}{|r}|}\hline k&1&2&3&4&5&6&7&8\\\hline (-8)^k\pmod{17}&-8&-4&-2&-1&8&4&2&1\\\hline \end{array} \end{equation*} which means $\ord{17}{-8}=8$. Likewise, $\ord{17}{-4}=4$, and $\ord{17}{-1}=2$. So we have \begin{equation*} \begin{array}{|c*{8}{|r}|}\hline a & 1& 2& 3& 4& 5& 6& 7& 8\\\hline \ord{17} a & 1& &16& & & & & \\\hline \ord{17}{-a}& 2& & & 4& & & & 8\\\hline \end{array} \end{equation*} How can we complete the table? For example, what is $\ord{17}{-7}$? Since $-7\equiv3^3\pmod{17}$, and $\gcd(3,16)=1$, we have $\ord{17}{-7}=16$. Likewise, $\ord{17}5=16$. But $\ord{17}{-2}=16/\gcd(6,16)=8$, since $-2\equiv3^6\pmod{17}$. This is by a general theorem to be proved presently. We complete the table thus: \begin{equation*} \begin{array}{|c*{8}{|r}|}\hline a & 1& 2& 3& 4& 5& 6& 7& 8\\\hline \ord{17} a & 1& 8&16& 4&16&16&16& 8\\\hline \ord{17}{-a}& 2& 8&16& 4&16&16&16& 8\\\hline \end{array} \end{equation*} \begin{theorem}\label{thm:ord} Suppose $\gcd(a,n)=1$. Then \begin{enumerate} \item\label{item:ak1} $a^k\equiv1\pmod n$ if and only if $\ord na\divides k$; \item\label{item:nas} $\ord n{a^s}=\ord na/\gcd(s,\ord na)$; \item\label{item:akal} $a^k\equiv a^{\ell}$ if and only if $k\equiv\ell\pmod{\ord na}$. \end{enumerate} \end{theorem} \begin{proof} For~\eqref{item:ak1}, the reverse direction is easy. For the forward direction, suppose $a^k\equiv1\pmod n$. Now use division: \begin{equation*} k=\ord na\cdot s+r \end{equation*} for some $s$ and $r$, where $0\leq r<\ord na$. Then \begin{equation*} 1\equiv a^k\equiv a^{\ord na\cdot s+r}\equiv(a^{\ord na})^s\cdot a^r\equiv a^r\pmod n. \end{equation*} By minimality of $\ord na$ as an integer $k$ such that $a^k\equiv 1\pmod n$, we conclude $r=0$. This means $\ord na\divides k$. To prove~\eqref{item:nas}, by~\eqref{item:ak1} we have, \emph{modulo} $n$, \begin{equation*} (a^s)^k\equiv 1\iff a^{sk}\equiv1\iff \ord na\divides sk\iff\frac{\ord na}{\gcd(s,\ord na)}\divides k, \end{equation*} but also \begin{equation*} (a^s)^k\equiv 1\iff \ord n{a^s}\divides k \end{equation*} Hence \begin{equation*} \frac{\ord na}{\gcd(s,\ord na)}\divides k\iff \ord n{a^s}\divides k. \end{equation*} This is true for all $k$. Since orders are positive, we conclude \begin{equation*} \frac{\ord na}{\gcd(s,\ord na)}= \ord n{a^s}. \end{equation*} Finally,~\eqref{item:akal} follows from~\eqref{item:ak1}, since \begin{align*} a^k\equiv a^{\ell}\pmod n&\iff a^{k-\ell}\equiv 1\pmod n\\ &\iff\ord na\divides k-\ell\\ &\iff k\equiv\ell\pmod{\ord na}. \end{align*} (We have used that $\gcd(a,n)=1$, so that $a^{-\ell}$ exists.) \end{proof} Hence, from \begin{equation*} \begin{array}{|c*{9}{|r}|}\hline k&1&2&3&4&5&6&7&8&9\\\hline 2^k\pmod{19}&2&4&8&-3&-6&7&-5&9&-1\\\hline 2^{k+9}\pmod{19}&-2&-4&-8&3&6&-7&5&-9&1\\\hline \end{array} \end{equation*} we obtain \begin{equation*} \begin{array}{|c*{9}{|r}|}\hline a&1&2&3&4&5&6&7&8&9\\\hline \ord{19}a&1&18&18&9&9&9&3&6&9\\\hline \ord{19}{-a}&2&9&9&18&18&18&6&3&18\\\hline \end{array} \end{equation*} since \begin{align*} \ord{19}{2^k}=18 &\iff\gcd(k,18)=1\\ &\iff k\equiv1,5,7,11,13,17\pmod{18}\\ &\iff 2^k\equiv2,-6,-5,-4,3,-9\pmod{19};\\ \ord{19}{2^k}=9 &\iff\gcd(k,18)=2\\ &\iff k\equiv2,4,8,10,14,16\pmod{18}\\ &\iff 2^k\equiv4,-3,9,-2,6,5\pmod{19},\\ \ord{19}{2^k}=6 &\iff\gcd(k,18)=3\\ &\iff k\equiv3,15\pmod{18}\\ &\iff 2^k\equiv8,-7\pmod{19},\\ \ord{19}{2^k}=3 &\iff\gcd(k,18)=6\\ &\iff k\equiv6,12\pmod{18}\\ &\iff 2^k\equiv7,-8\pmod{19},\\ \ord{19}{2^k}=2 &\iff\gcd(k,18)=9\\ &\iff k\equiv9\pmod{18}\\ &\iff 2^k\equiv-1\pmod{19}. \end{align*} If $d\divides 18$, let $\psi_{19}(d)$ be the number of incongruent residues \emph{modulo} $19$ that have order $d$. Then we have \begin{equation*} \begin{array}{|r|r|}\hline d&\psi_{19}(d)\\\hline 18&6\\\hline 9&6\\\hline 6&2\\\hline 3&2\\\hline 2&1\\\hline 1&1\\\hline \end{array} \end{equation*} Note that $\psi_{19}(d)=\phi(d)$ here. This is no accident, by Theorem~\ref{thm:psi-phi} below. \section{Groups}%\asterism{} We can understand what we are doing algebraically as follows. The set of congruence classes \emph{modulo} $n$ is denoted by \begin{equation*} \Zmod \end{equation*} or $\Z/(n)$ or $\Z/n\Z$. On this set, by Theorem~\ref{thm:+.mod-n}, addition and multiplication are well-defined: the set is a \textbf{ring.}% \index{ring} The set of multiplicatively invertible elements of the ring is denoted by \begin{equation*} \Zmodu. \end{equation*} This set is closed under multiplication and inversion: it is a (multiplicative) \textbf{group.}% \index{group} Suppose $k\in\Zmodu$. (More precisely one might write the element as $k+(n)$ or $\bar k$.) Then we have the function \begin{equation*} x\mapsto k^x \end{equation*} from $\Z$ to $\Zmodu$. Since $k^{x+y}=k^x\cdot k^y$, this function is a \textbf{homomorphism}% \index{homomorphism}% \index{function!homomorphism} from the additive group $\Z$ to the multiplicative group $\Zmodu$. We have shown that the function $x\mapsto 2^x$ is surjective onto $\Zmodu[19]$, and its kernel is $(18)$. Call this function $f_2$. Then (by the First Isomorphism Theorem for Groups) $f_2$ is an \textbf{isomorphism}% \index{isomorphism}% \index{function!isomorphism} from $\Zmod[18]$ onto $\Zmodu[19]$: \begin{align*} \Zmod[18]&\cong\Zmodu[19],\\ (\{0,1,2,\dots,17\},+)&\cong(\{1,2,3,\dots,18\},{}\cdot{}). \end{align*} We have \begin{equation*} \begin{array}{|c*{9}{|r}|}\hline x&0&1&2&3&4&5&6&7&8\\\hline f_2(x)&1&2&4&8&16&13&7&14&9\\\hline f_2(x+9)&18&17&15&11&3&6&12&5&10\\\hline \end{array} \end{equation*} \section{Primitive roots of primes}%\asterism{} If $\gcd(a,n)=1$, and $\ord na=\phi(n)$, then $a$ is called a \textbf{primitive root}% \index{primitive root} of $n$. So we have shown that $3$, but not $2$, is a primitive root of $17$, and $2$ is a primitive root of $19$. There is no formula for determining primitive roots: we just have to look for them. But once we know that $2$ is a primitive root of $19$, then we know that $2^5$, $2^7$, $2^{11}$, $2^{13}$, and $2^{17}$ are primitive roots---or rather, $-6$, $-5$, $-4$, $3$, and $-9$ are primitive roots. In particular, the number of primitive roots of $19$ is $\phi(18)$. To prove generally that the number of primitive roots of $p$ is $\phi(p-1)$, we shall need the following (attributed to Joseph-Louis Lagrange, 1736--1813.)% \index{Lagrange, ---'s Theorem}% \index{theorem!Lagrange's Th---} \begin{theorem}[Lagrange]\label{thm:Lagrange-n}% Every congruence of the form \begin{equation*} x^n+a_1x^{n-1}+\dotsb+a_{n-1}x+a_n\equiv0\pmod p \end{equation*} has $n$ solutions or fewer (\emph{modulo} $p$). \end{theorem} \begin{proof} Use induction. The claim is easily true when $n=1$. Suppose it is true when $n=k$. Say the congruence \begin{equation}\label{eqn:x^(k+1)} x^{k+1}+a_1x^k+\dotsb+a_kx+a_{k+1}\equiv0\pmod p \end{equation} has a solution $b$. Then we can factorize the left member, and rewrite the congruence as \begin{equation*} (x-b)\cdot(x^k+c_1x^{k-1}+\dotsb+c_{k-1}x+c_k)\equiv0\pmod p. \end{equation*} Any solution to this that is different from $b$ is a solution of \begin{equation*} x^k+c_1x^{k-1}+\dotsb+c_{k-1}x+c_k\equiv0\pmod p. \end{equation*} But by inductive hypothesis, there are at most $k$ such solutions. Therefore~\eqref{eqn:x^(k+1)} has at most $k+1$ solutions. This completes the induction and the proof. \end{proof} How did we use that $p$ is prime? We needed to know that, if $f(x)$ and $g(x)$ are polynomials, and $f(a)\cdot g(a)\equiv0\pmod p$, then either $f(a)\equiv0\pmod p$, or else $g(a)\equiv0\pmod p$. That is, if $mn\equiv0\pmod p$, then either $m\equiv0\pmod p$ or $n\equiv0\pmod p$. That is, if $p\divides mn$, then $p\divides m$ or $p\divides n$. This fails if $p$ is replaced by a composite number. \begin{theorem}\label{thm:psi-phi} If $d\divides p-1$, let $\psi_p(d)$ be the number of incongruent residues \emph{modulo} $p$ that have order $d$. Then \begin{equation*} \psi_p(d)=\phi(d). \end{equation*} \end{theorem} \begin{proof} Every number prime to $p$ has an order \emph{modulo} $p$, and this order divides $\phi(p)$, which is $p-1$; so \begin{equation*} \sum_{d\divides p-1}\psi_p(d)=p-1. \end{equation*} By Gauss's Theorem, \ref{thm:Gauss}, we have $\sum_{d\divides p-1}\phi(d)=p-1$; therefore \begin{equation}\label{eqn:sum_d|p-1} \sum_{d\divides p-1}\psi_p(d)=\sum_{d\divides p-1}\phi(d). \end{equation} Hence, to establish $\psi_p(d)=\phi(d)$, it is enough to show that $\psi_p(d)\leq\phi(d)$ whenever $d\divides p-1$. Indeed, if we show this, but $\psi_p(e)<\phi(e)$ for some divisor $e$ of $p-1$, then \begin{equation*} \sum_{d\divides p-1}\psi_p(d) =\sum_{\substack{d\divides p-1\\d\neq e}}\psi_p(d)+\psi_p(e) <\sum_{\substack{d\divides p-1\\d\neq e}}\phi(d)+\phi(e) = \sum_{d\divides p-1}\phi(d), \end{equation*} contradicting~\eqref{eqn:sum_d|p-1}. If $\psi_p(d)=0$, then certainly $\psi_p(d)\leq\phi(d)$. So suppose $\psi_p(d)\neq0$. Then $\ord pa=d$ for some $a$. In particular, $a$ is a solution of the congruence \begin{equation}\label{eqn:x^n-1} x^d-1\equiv0\pmod p. \end{equation} But then every power of $a$ is a solution, since $(a^k)^n=(a^n)^k$. Moreover, if $0< k<\ell\leq d$, then \begin{equation*} a^k\not\equiv a^{\ell}\pmod p \end{equation*} by Theorem~\ref{thm:ord}. Hence the numbers $a$, $a^2$, \dots, $a^d$ are incongruent solutions to the congruence~\eqref{eqn:x^n-1}. Moreover, by Lagrange's Theorem, \ref{thm:Lagrange-n}, every solution is congruent to one of these solutions. Among these solutions, those that have order $d$ \emph{modulo} $p$ are just those powers $a^k$ such that $\gcd(k,d)=1$, again by Theorem~\ref{thm:ord}. The number of such powers is just $\phi(d)$. Therefore $\psi_p(d)=\phi(d)$, under the assumption $\psi_p(d)>0$; in any case, $\psi_p(d)\leq\phi(d)$. \end{proof} \begin{corollary} Every prime number has a primitive root. \end{corollary} \begin{proof} $\psi_p(p-1)=\phi(p-1)\geq1$. \end{proof} From analysis, we have the exponential function $x\mapsto\me^x$ or $\exp$ from $\R$ to $\units{\R}$, where $\units{\R}=\R\setminus\{0\}$ (the multiplicatively invertible real numbers). We have \begin{equation*} \exp(x+y)=\exp(x)\cdot\exp(y). \end{equation*} The range of $\exp$ is the interval $(0,\infty)$, which is closed under multiplication and inversion. Also $\exp$ is injective. So $\exp$ is an isomorphism from $(\R,+)$ onto $((0,\infty),{}\cdot{})$. We have been looking at a similar isomorphism in discrete mathematics. If $a$ is a primitive root of $n$, then $x\mapsto a^x$ is an isomorphism from $\Zmod[\phi(n)]$ to $\Zmodu$. In particular, a prime $p$ does have a primitive root $a$, and then $x\mapsto a^x$ is an isomorphism from $\Zmod[p-1]$ to $\Zmodu[p]$. Therefore $\Zmodu[p]$ is a cyclic group, and $\Zmodu$ is cyclic if and only if $n$ has a primitive root. For example: \begin{compactenum} \item $\Zmodu[2]=\{1\}$, so $1$ is a primitive root of $2$. \item $\Zmodu[3]=\{1,2\}$, and $2^2\equiv1\pmod3$, so $2$ is a primitive root of $3$. \item $\Zmodu[4]=\{1,3\}$, and $3^2\equiv1\pmod4$, so $3$ is a primitive root of $4$. \item $\Zmodu[5]=\{1,2,3,4\}$, and $2^2\equiv4$, $2^3\equiv3$, and $2^4\equiv1\pmod 5$, so $2$ is a primitive root of $5$. \item $\Zmodu[6]=\{1,5\}$, and $5^2\equiv1\pmod6$, so $5$ is a primitive root of $6$. \item $\Zmodu[7]=\{1,2,3,4,5,6\}$, and we have \begin{equation*} \begin{array}{|c*{6}{|r}|}\hline k &1&2&3&4&5&6\\\hline 2^k&2&4&1& & & \\\hline 3^k&3&2&6&4&5&1\\\hline \end{array} \end{equation*} so $3$ (but not $2$) is a primitive root of $7$. \item $\Zmodu[8]=\{1,3,5,7\}$, but $3^2\equiv1$, $5^2\equiv1$, and $7^2\equiv1\pmod 8$, so $8$ has no primitive root. \end{compactenum} We have shown that primes have primitive roots, but the converse fails: not every number with a primitive root is prime. In fact, we shall show in \S~\ref{sect:comp-roots} that the following numbers have primitive roots: \begin{compactenum} \item powers of odd primes; \item $2$ and $4$; \item doubles of powers of odd primes. \end{compactenum} %%\section{November 27, 2007 (Tuesday)} %[Exam day; I work problems only.] %\section{November 29, 2007 (Thursday)} \section{Discrete logarithms} The inverse of the function $\exp$ from $\R$ onto $(0,\infty)$ is the logarithm function $\log$, where as noted in \S~\ref{sect:unproved}, $\log x=\int_1^x(\mathrm dt/t)$. More precisely, this function $\log$ is $\log_{\me}$ or $\ln$, since the notation $\log$ is sometimes used for $\log_{10}$, that is, the inverse of $x\mapsto 10^x$. We can use similarly terminology for the inverse of an isomorphism $x\mapsto b^x$ from $\Zmod[p-1]$ to $\Zmodu[p]$. Here $b$ must be a primitive root of $p$, and if $b^x\equiv y\pod p$, we can write \begin{equation*} x\equiv\log_by\pmod{(p-1)}. \end{equation*} For example, \emph{modulo} $17$, we have \begin{equation*} \begin{array}{*{17}{|r}|}\hline k&0&1&2& 3& 4&5& 6& 7& 8& 9&10&11&12&13&14&15\\\hline 3^k&1&3&9&10&13&5&15&11&16&14& 8& 7& 4&12& 2& 6\\\hline \end{array} \end{equation*} Reordering, we have \begin{equation*} \begin{array}{*{17}{|r}|}\hline 3^k&1& 2&3& 4&5& 6& 7& 8&9&10&11&12&13&14&15&16\\\hline k&0&14&1&12&5&15&11&10&2& 3& 7&13& 4& 9& 6& 8\\\hline \end{array} \end{equation*} If $3^k=\ell$, then we can denote $k$ by $\log_3\ell$. But we can think of these numbers as congruence classes: \begin{equation*} 3^k\equiv\ell\pmod{17}\iff k\equiv\log_3\ell\pmod{16}. \end{equation*} The usual properties hold: \begin{equation*} \log_3(xy)\equiv\log_3x+\log_3y\pmod{16}; \qquad\log_3{x^n}\equiv n\log_3x\pmod{16}. \end{equation*} For example, \begin{equation*} \log_3(11\cdot 14)\equiv\log_311+\log_314\equiv7+9\equiv16\equiv0\pmod{16}, \end{equation*} and therefore $11\cdot14\equiv3^0\equiv1\pmod{17}$. We can define logarithms for any modulus that has a primitive root; then the base of the logarithms will be a primitive root. If $b$ is a primitive root of a modulus $n$, and $\gcd(a,n)=1$, then there is some $s$ such that \begin{equation*} b^s\equiv a\pmod n. \end{equation*} Then $s$ is unique \emph{modulo} $\phi(n)$. Indeed, by Theorem~\ref{thm:ord}, \begin{equation*} b^x\equiv b^y\pmod n\iff x\equiv y\pmod{\phi(n)}. \end{equation*} Then $\log_ba$ can be defined as the least non-negative such $s$. Another application of logarithms, besides multiplication problems, is congruences of the form \begin{equation*} x^d\equiv a\pmod n, \end{equation*} again where $n$ has a primitive root $b$. The last congruence is then equivalent to \begin{gather*} \log_b(x^d)\equiv\log_ba\pmod{\phi(n)},\\ d\log_bx\equiv\log_ba\pmod{\phi(n)}. \end{gather*} If this is to have a solution, then we must have \begin{equation*} \gcd(d,\phi(n))\divides \log_ba. \end{equation*} For example, let's work \emph{modulo} $7$: \begin{equation*} \begin{array}{*{7}{|r}|}\hline k&0&1&2&3&4&5\\\hline 3^k&1&3&2&6&4&5\\\hline \end{array} \quad \begin{array}{*{7}{|r}|}\hline \ell&1&2&3&4&5&6\\\hline \log_3\ell&0&2&1&4&5&3\\\hline \end{array} \end{equation*} Then we have, for example, \begin{equation*} x^3\equiv2\pmod7 \iff3\log_3x\equiv2\pmod6, \end{equation*} so there is no solution, since $\gcd(3,6)=3$, and $3\ndivides 2$. But we also have \begin{align*} x^3\equiv6\pmod7 &\iff3\log_3x\equiv3\pmod6\\ &\iff\log_3x\equiv1\pmod2\\ &\iff\log_3x\equiv1,3,5\pmod6\\ &\iff x\equiv 3^1,3^3,3^5\pmod7\\ &\iff x\equiv3,6,5\pmod7. \end{align*} We expect no more than $3$ solutions, by the Lagrange's Theorem. Is there an alternative to using logarithms? As $6\equiv3^3\pmod7$, we have \begin{equation*} x^3\equiv6\pmod7\iff x^3\equiv3^3\pmod7; \end{equation*} but we cannot conclude from this $x\equiv3\pmod7$. %\section{December 4, 2007 (Tuesday)} For congruences \emph{modulo} $11$, we can use the following table: \begin{equation*} \begin{array}{|c|*{10}{|r}||c|}\hline k& 0& 1& 2& 3& 4& 5& 6& 7& 8& 9&\log_2\ell\mod{10}\\\hline 2^k\mod{11}&1 & 2& 4&-3& 5&-1&-2&-4& 3&-5&\ell\\\hline \end{array} \end{equation*} We have then \begin{align*} 4x^{15}\equiv7\pmod{11} &\iff4x^5\equiv7\pmod{11}\\ &\iff\log_2(4x^5)\equiv\log_27\pmod{10}\\ &\iff\log_24+5\log_2x\equiv\log_27\pmod{10}\\ &\iff2+5\log_2x\equiv7\pmod{10}\\ &\iff5\log_2x\equiv5\pmod{10}\\ &\iff\log_2x\equiv1\pmod{2}\\ &\iff\log_2x\equiv1,3,5,7,9\pmod{10}\\ &\iff x\equiv 2^1,2^3,2^5,2^7,2^9\pmod{11}\\ &\iff x\equiv2,8,10,7,6\pmod{11}. \end{align*} Why are there five solutions? \begin{theorem} Suppose $n$ has a primitive root, $\gcd(a,n)=1$, and \begin{equation*} d=\gcd(k,\phi(n)). \end{equation*} The following are equivalent: \begin{enumerate} \item\label{item:x^k} The congruence \begin{equation}\label{eqn:cong} x^k\equiv a\pmod n \end{equation} is soluble. \item\label{item:d} The congruence~\eqref{eqn:cong} has $d$ solutions. \item\label{item:a^phi} $a^{\phi(n)/d}\equiv1\pmod n$. \end{enumerate} \end{theorem} \begin{proof} The following are equivalent: \begin{gather*} x^k\equiv a\text{ is soluble }\pmod n;\\ k\log x\equiv \log a\text{ is soluble }\pmod{\phi(n)};\\ d\divides\log a;\\ \phi(n)\divides\frac{\phi(n)}d\cdot\log a;\\ \frac{\phi(n)}d\cdot\log a\equiv0\pmod{\phi(n)};\\ \log(a^{\phi(n)/d})\equiv0\pmod{\phi(n)};\\ a^{\phi(n)/d}\equiv1\pmod n. \end{gather*} Thus~\eqref{item:x^k}$\Leftrightarrow$\eqref{item:a^phi}. Trivially,~\eqref{item:d}$\Rightarrow$\eqref{item:x^k}. Finally, assume~\eqref{item:x^k}, so that $d\divides\log a$, as above. Letting $r$ be the base of the logarithms, we have \begin{align*} x^k\equiv a\pmod n &\iff k\log x\equiv\log a\pmod{\phi(n)}\\ &\iff\frac kd\cdot\log x\equiv\frac{\log a}d\pmod{\frac{\phi(n)}d}\\ &\iff\log x\equiv\frac{\log a}k\pmod{\frac{\phi(n)}d}\\ &\iff\begin{aligned}[t] \log x&\equiv\frac{\log a}k+\frac{\phi(n)}d\cdot j\pmod{\phi(n)},\\ & \text{ where }j\in\{0,1,\dots,d-1\} \end{aligned}\\ &\iff \begin{aligned}[t] x&\equiv r^{(\log a)/k}\cdot(r^{\phi(n)/d})^j\pmod n,\\ &\text{ where }j\in\{0,1,\dots,d-1\}. \end{aligned} \end{align*} These $d$ solutions are incongruent, as $\ord nr=\phi(n)$. \end{proof} \section{Composite numbers with primitive roots}\label{sect:comp-roots} We know that all primes have primitive roots. Now we show that the numbers with primitive roots are precisely: \begin{equation*} 2,4,p^s,2\cdot p^s, \end{equation*} where $p$ is an odd prime, and $s\geq1$. We shall first show that the numbers \emph{not} on this list do \emph{not} have primitive roots: \begin{lemma*} If $k>2$, then $2\divides\phi(k)$. \end{lemma*} \begin{proof} Suppose $k>2$. Then either $k=2^s$, where $s>1$, or else $k=p^s\cdot m$ for some odd prime $p$, where $s>0$ and $\gcd(p,m)=1$. In the first case, $\phi(k)=2^s-2^{s-1}=2^{s-1}$, which is even. In the second case, $\phi(k)=\phi(p^s)\cdot\phi(m)$, which is even, since $\phi(p^s)=p^s-p^{s-1}$, the difference of two odd numbers. \end{proof} \begin{theorem} If $m$ and $n$ are co-prime, both greater than $2$, then $mn$ has no primitive root. \end{theorem} \begin{proof} Suppose $\gcd(a,mn)=1$. (This is the only possibility for a primitive root.) Then $a$ is prime to $m$ and $n$, so \begin{gather*} a^{\phi(m)}\equiv 1\pmod m;\qquad a^{\phi(n)}\equiv 1\pmod n;\\ a^{\lcm(\phi(m),\phi(n))}\equiv 1\pmod{m,n},\\ a^{\lcm(\phi(m),\phi(n))}\equiv 1\pmod{\lcm(m,n)},\\ a^{\lcm(\phi(m),\phi(n))}\equiv 1\pmod{mn}. \end{gather*} By the lemma, $2$ divides both $\phi(m)$ and $\phi(n)$, so \begin{equation*} \lcm(\phi(m),\phi(n))\divides\frac{\phi(m)\phi(n)}2, \end{equation*} that is, $\lcm(\phi(m),\phi(n))\divides\phi(mn)/2$. Therefore \begin{equation*} \ord{mn}a\leq\frac{\phi(mn)}2, \end{equation*} so $a$ is not a primitive root of $mn$. \end{proof} \begin{theorem} If $k\geq1$, then $2^{2+k}$ has no primitive root. \end{theorem} \begin{proof} Any primitive root of $2^{2+k}$ must be odd. Let $a$ be odd. We shall show by induction that \begin{equation*} a^{\phi(2^{2+k})/2}\equiv1\pmod{2^{2+k}}. \end{equation*} Since $\phi(2^{2+k})=2^{2+k}-2^{1+k}=2^{1+k}$, it is enough to show \begin{equation*} a^{2^k}\equiv1\pmod{2^{2+k}}. \end{equation*} The claim is true when $k=1$, since $a^2\equiv1\pmod8$ for all odd numbers $a$. Suppose the claim is true when $k=\ell$: that is, \begin{equation*} a^{2^{\ell}}\equiv1\pmod{2^{2+\ell}}. \end{equation*} This means \begin{equation*} a^{2^{\ell}}=1+2^{2+\ell}\cdot m \end{equation*} for some $m$. Now square: \begin{equation*} a^{2^{1+\ell}} =(a^{2^{\ell}})^2 =(1+2^{2+\ell}\cdot m)^2=1+2^{3+\ell}\cdot m+2^{4+2\ell}\cdot m^2. \end{equation*} Hence $a^{2^{1+\ell}}\equiv1\pmod{2^{3+\ell}}$, so our claim is true when $k=\ell+1$. \end{proof} Now for the positive results. These will use the following. \begin{lemma*} Let $r$ be a primitive root of $p$, and $k>0$. Then \begin{equation*} \ord{p^k}r=(p-1)p^{\ell} \end{equation*} for some $\ell$, where $0\leq\ell2$, so that $p\divides\binom p2$, we have \begin{align*} r^{(p-1)\cdot p^{\ell}} &\equiv1+p^{1+\ell}\cdot m\pmod{p^{2+\ell)}}\\ &\not\equiv 1\pmod{p^{2+\ell}}. \end{align*} Therefore we must have \begin{equation*} \ord{p^{2+\ell}}r=(p-1)\cdot p^{1+\ell}=\phi(p^{2+\ell}), \end{equation*} which means $r$ is a primitive root of $p^{2+\ell}$. \end{proof} For example, $3$ has the primitive root $2$, since $2\not\equiv1\pmod3$, but $2^2\equiv1\pmod3$. Hence, either $2$ or $5$ is a primitive root of $9$, by Theorem~\ref{thm:p^2}. In fact, both are. Using $5\equiv-4\pmod9$, we have: \begin{equation*} \begin{array}{|c|r|r|}\hline k&2&3\\\hline 2^k\pmod9&4&-1\\\hline (-4)^k\pmod9&-2&-1\\\hline \end{array}, \end{equation*} so the order of $2$ and $-4$ is not $2$ or $3$ \emph{modulo} $9$; hence it must be $6$, since this is $\phi(9)$. By Theorem~\ref{thm:p^n} then, $27$ has $6$ non-congruent primitive roots, each congruent \emph{modulo} $9$ to one of $2$ and $-4$; those roots then are $-13$, $-7$, $-4$, $2$, $5$, and $11$. Indeed, $\phi(27)=18$ and we have \begin{equation*} \begin{array}{|c|*{7}{|r}|r|}\hline k& 2& 3& 4& 5& 6& 7& 8& 9\\\hline (-13)^k\pmod{27}& 7&-10& -5& 11& -8& -4& -2&-1\\\hline (-4)^k\pmod{27}&-11&-10& 13& 2& -8& 5& 7&-1\\\hline 5^k\pmod{27}& -2&-10& 4& -7& -8&-13&-11&-1\\\hline (-7)^k\pmod{27}& -5& 8& -2& 13& 10&-11& 4&-1\\\hline 2^k\pmod{27}& 4& 8&-11& 5& 10& -7& 13&-1\\\hline 11^k\pmod{27}& 13& 8& 7& -4& 10& 2& -5&-1\\\hline \end{array} \end{equation*} But does $18$ have a primitive root? The numbers $2$ and $-4$ cannot be primitive roots of $18$, since they are not prime to it; but $\phi(18)=6$ and we have \begin{equation*} \begin{array}{|c|r|r|}\hline k&2&3\\\hline (-7)^k\pmod{18}&-5&-1\\\hline 5^k\pmod{18}&7&-1\\\hline \end{array} \end{equation*} so $-7$ and $5$ are primitive roots of $18$. \begin{theorem} If $p$ is an odd prime, and $r$ is a primitive root of $p^s$, then either $r$ or $r+p^s$ is a primitive root of $2p^s$---whichever one is odd. \end{theorem} \begin{proof} Let $r$ be an odd primitive root of $p^s$, so that $\gcd(r,2p^s)=1$. Let $n=\ord{2p^s}r$. We want to show $n=\phi(2p^s)$. We have \begin{equation*} n\divides\phi(2p^s). \end{equation*} Also $r^n\equiv1\pmod{2p^s}$, so $r^n\equiv1\pmod{p^s}$, and therefore \begin{equation*} \ord{p^s}r\divides n. \end{equation*} But $\ord{p^s}r=\phi(p^s)=\phi(2p^s)$. Hence \begin{equation*} \phi(2p^s)\divides n. \end{equation*} So $n=\phi(2p^s)$. \end{proof} \chapter{Quadratic reciprocity} \section{Quadratic equations}%\asterism{} Now we return to high-school-like problems. With respect to the modulus $11$, let us solve \begin{equation}\label{eqn:241} x^2-4x-1\equiv0. \end{equation} We have $x^2-4x-1\equiv x^2-4x-12\equiv(x-6)(x+2)$, so the solutions to~\eqref{eqn:241} include $6$ and $-2$, or rather $6$ and $9$. Since the modulus is prime, these are the \emph{only} incongruent solutions, by Lagrange's Theorem, \ref{thm:Lagrange-n}. Alternatively, $x^2-4x-1\equiv x^2+7x+10\equiv(x+5)(x+2)$, so $x$ is $-5$ or $-2$, that is, $6$ or $9$ again. To solve \begin{equation*} 3x^2-4x-6\equiv0\pmod{13}, \end{equation*} we can search for a factorization as before; but we can also \textbf{complete the square:} \index{complete the square} \begin{align*} 3x^2-4x-6\equiv0 &\iff x^2-\frac43x-2\equiv0\\ &\iff x^2-\frac43x+\frac49\equiv2+\frac49\\ &\iff\Bigl(x-\frac23\Bigr)^2\equiv\frac{22}9\equiv1\\ &\iff x-\frac23\equiv\pm1\\ &\iff x\equiv\frac23\pm1\\ &\iff x\equiv\frac53\text{ or }\frac{-1}3\\ &\iff x\equiv6\text{ or }4. \end{align*} Here we can divide by $3$ and $9$ because they are invertible \emph{modulo} $13$; indeed, $3\cdot9\equiv1\pmod{13}$, so $1/3\equiv9$ and $1/9\equiv 3\pmod{13}$. If we take this approach with the first problem, we have, \emph{modulo} $11$, \begin{align*} x^2-4x-1\equiv0 &\iff x^2-4x+4\equiv5\\ &\iff(x-2)^2\equiv5. \end{align*} If $5$ is a square \emph{modulo} $11$, then there is a solution; if not, not. But $5\equiv16\equiv4^2$, so we have \begin{align*} x^2-4x-1\equiv0 &\iff(x-2)^2\equiv4^2\\ &\iff x-2\equiv\pm4\\ &\iff x\equiv 2\pm 4\\ &\iff x\equiv 6\text{ or }9, \end{align*} as before. But the congruence \begin{equation*} x^2\equiv5\pmod{13} \end{equation*} has no solution. How do we know? One way is by trial. As $2$ is a primitive root of~$13$, and $0$ is not a solution of the congruence, every solution would be a power of $2$. But we have, \emph{modulo} $13$, \begin{equation*} \begin{array}{*{13}{|r}|}\hline k&0&1&2&3&4&5&6&7&8&9&10&11\\\hline 2^k&1&2&4&-5&3&6&-1&-2&-4&5&-3&-6\\\hline 2^{2k}&1&4&3&-1&-4&-3&1&4&3&-1&-4&-3\\\hline \end{array} \end{equation*} and $5$ does not appear on the bottom row. So $5$ is not a square \emph{modulo} $13$. Now we shall work out an easier way to find such results. \section{Quadratic residues} Henceforth let $p$ be an odd prime, and $\gcd(a,p)=1$. If $p\ndivides a$, we say $a$ is a \textbf{quadratic residue}% \index{quadratic!--- residue}% \index{residue!quadratic ---} of $p$ if the congruence \begin{equation*} x^2\equiv a\pmod p \end{equation*} is soluble; otherwise, $a$ is a \textbf{quadratic non-residue}% \index{quadratic!--- non-residue}% \index{residue!quadratic non-{}---}% \index{non-residue, quadratic} of $p$. So we have just seen that the quadratic residues of $13$ are $\pm1$, $\pm 3$, and $\pm4$, or rather $1$, $3$, $4$, $9$, $10$, and $12$; the quadratic non-residues are $2$, $5$, $6$, $7$, $8$, and $11$. So there are six residues, and six non-residues. We shall see that this equality is not accidental (by Theorem~\ref{thm:eq} below). \begin{theorem}[Euler's Criterion]% \index{Euler!---'s Criterion}% \index{theorem!Euler's Criterion} Let $p$ be an odd prime, and $\gcd(a,p)=1$. Then $a$ is a quadratic residue of $p$ if and only if \begin{equation*} a^{(p-1)/2}\equiv1\pmod p. \end{equation*} \end{theorem} \begin{proof} Let $r$ be a primitive root of $p$. If $x^2\equiv a\pmod p$ has a solution, then that solution is $r^k$ for some $k$. Then \begin{equation*} a^{(p-1)/2}\equiv((r^k)^2)^{(p-1)/2}\equiv(r^k)^{p-1}\equiv1\pmod{p} \end{equation*} by Fermat's Theorem (\S~\ref{sect:FT}). In any case, $a\equiv r^{\ell}\pmod p$ for some $\ell$. Suppose $a^{(p-1)/2}\equiv1\pmod p$. Then \begin{equation*} 1\equiv(r^{\ell})^{(p-1)/2}\equiv r^{\ell\cdot(p-1)/2}\pmod p, \end{equation*} so $\ord pr\divides \ell\cdot(p-1)/2$, that is, \begin{equation*} p-1\divides\ell\cdot\frac{p-1}2. \end{equation*} Therefore $\ell/2$ is an integer, that is, $\ell$ is even. Say $\ell=2m$. Then $a\equiv r^{2m}\equiv(r^m)^2\pmod p$. \end{proof} What other congruence class can $a^{(p-1)/2}$ belong to, besides $1$? Only $-1$, since $a^{p-1}\equiv1\pmod p$, by Fermat's Theorem. So $a^{(p-1)/2}\equiv-1\pmod p$ if and only if $a$ is a quadratic non-residue of $p$. Another way to prove this is the following: Suppose $a$ is a quadratic non-residue of $p$. If $b\in\{1,\dots,p-1\}$, then the congruence \begin{equation*} bx\equiv a\pmod p \end{equation*} has a unique solution in $\{1,\dots,p-1\}$, and we may denote the solution by $a/b$. Then $b\neq a/b$, since $a$ is not a quadratic residue of $p$. Now we define a sequence $(b_1,\dots,b_{p-1})$ recursively. If $b_k$ has been chosen when $k<\ell2$. With these properties, we can calculate many Legendre symbols. For example, \begin{gather*} \ls{50}{19}=\ls{12}{19}=\ls2{19}^2\ls3{19}=\ls3{19},\\ 3^{(19-1)/2}\equiv 3^9\equiv 3^8\cdot3\equiv 9^4\cdot 3\equiv 81^2\cdot 3\equiv5^2\cdot 3\equiv6\cdot3\equiv 18\equiv-1\pmod{19}, \end{gather*} so $(50/19)=-1$, which means the congruence $x^2\equiv50\pmod{19}$ has no solution. We may ask whether~\eqref{eqn:cases} has a simpler form, owing to the existence of only finitely many $p$ satisfying one of the case. This possibility fails. \begin{theorem} There are infinitely many primes $p$ such that $p\equiv3\pmod 4$. \end{theorem} \begin{proof} Suppose $(q_1,q_2,\dots,q_n)$ is a list of primes. We shall prove that there is a prime $p$, not on this list, such that $p\equiv3\pmod 4$. Let \begin{equation*} s=4q_1\cdot q_2\dotsm q_n-1. \end{equation*} Then $s\equiv3\pmod 4$. Then $s$ must have a prime factor $p$ such that $p\equiv 3\pmod 4$. Indeed, if all prime factors of $s$ are congruent to $1$, then so must $s$ be. But $p$ is not any of the $q_k$. \end{proof} This argument fails when $3$ is replaced by $1$, since $3^2\equiv1\pmod4$. Nonetheless, we still have: \begin{theorem} There are infinitely many primes $p$ such that $p\equiv1\pmod 4$. \end{theorem} \begin{proof} Suppose $(q_1,q_2,\dots,q_n)$ is a list of primes. We shall prove that there is a prime $p$, not on this list, such that $p\equiv1\pmod 4$. Let \begin{equation*} s=2q_1\cdot q_2\dotsm q_n. \end{equation*} Then $s^2+1$ is odd, so it is divisible by some odd prime $p$, which is distinct from each of the $q_k$. This means $s^2+1\equiv0\pmod p$, so $s$ is a solution of the congruence $x^2\equiv-1\pmod p$. Then $(-1/p)=1$, so $p\equiv 1\pmod 4$, by~\eqref{eqn:cases} above. \end{proof} From the rules so far, we obtain the following table: \begin{equation*} \begin{array}{|c*{12}{|r}|}\hline a&1&2&3&4&5&6&7&8&9&10&11&12\\\hline (a/13)&1& &1&1& & & & &1& 1& & 1\\\hline \end{array} \end{equation*} Indeed, under the squares $1$, $4$, and $9$, we put $1$. Also $4^2=16\equiv3$, so $(3/13)=1$. Finally, by~\eqref{eqn:cases}, we have $(-1/13)=1$; or we can just compute this: $(-1)^{(13-1)/2}=(-1)^6=1$. Hence the table will be symmeti $(13-a/13)=(-a/13)=(-1/13)\cdot(a/13)=(a/13)$; in particular, $(10/13)=1$ and $(12/13)=1$. So half of the slots have been filled with $1$. The other half must take $-1$, by the following. \begin{theorem}\label{thm:eq} For all odd primes $p$, \begin{equation*} \sum_{k=1}^{p-1}\ls kp=0. \end{equation*} \end{theorem} \begin{proof} Let $r$ be a primitive root of $p$. Then \begin{equation*} \sum_{k=1}^{p-1}\ls kp =\sum_{k=1}^{p-1}\ls{r^k}p =\sum_{k=1}^{p-1}\ls rp^k =\sum_{k=1}^{p-1}(-1)^k=0, \end{equation*} since $r^{(p-1)/2}\equiv-1\pmod p$, since $r$ is a primitive root. \end{proof} So now we have \begin{equation*} \begin{array}{|c*{12}{|r}|}\hline a&1& 2&3&4& 5& 6& 7& 8&9&10&11&12\\\hline (a/13)&1&-1&1&1&-1&-1&-1&-1&1& 1&1-& 1\\\hline \end{array} \end{equation*} \section{Gauss's Lemma} \begin{lemma*}[Gauss]% \index{lemma!Gauss's L---}% \index{theorem!Gauss's Lemma}% \index{Gauss!---'s Lemma} Let $p$ be an odd prime, and $\gcd(a,p)=1$. Then \begin{equation*} \ls ap=(-1)^n, \end{equation*} where $n$ is the number of elements of the set \begin{equation*} \bigl\{a,2a,3a,\dots,\frac{p-1}2a\bigr\} \end{equation*} whose remainders after division by $p$ are greater than $p/2$. \end{lemma*} For example, to find $(3/19)$, we can look at \begin{equation*} 3,\; 6,\; 9,\; 12,\; 15,\; 18,\; 21,\; 24,\; 27, \end{equation*} whose remainders on division by $19$ are, respectively, \begin{equation*} 3,\; 6,\; 9,\; 12,\; 15,\; 18,\; 2,\; 5,\; 8. \end{equation*} Of those, $12$, $15$, and $18$ exceed $19/2$, and these are three; so \begin{equation*} \ls3{19}=(-1)^3=-1. \end{equation*} \begin{proof}[Proof of Gauss's Lemma] If $1\leq k\leq p-1$, let $b_k$ be such that \begin{align*} 1&\leq b_k\leq p-1,& ka&\equiv b_k\pmod p. \end{align*} Then $\{1,2,\dots,p-1\}=\{b_1,b_2,\dots,b_{p-1}\}$, because the $b_k$ are distinct: \begin{equation*} b_k=b_{\ell}\iff ka\equiv\ell a\iff k\equiv\ell. \end{equation*} In the set $\{b_1,b_2,\dots,b_{(p-1)/2}\}$, let $n$ be the number of elements that are greater than $p/2$. We want to show \begin{equation*} (-1)^n=\ls ap. \end{equation*} There is some permutation $\sigma$ of $\{1,2,\dots,(p-1)/2\}$ such that \begin{equation*} b_{\sigma(1)}>b_{\sigma(2)}>\dotsb>b_{\sigma(n)}>\frac p2>b_{\sigma(n+1)}>\dotsb >b_{\sigma((p-1)/2)}. \end{equation*} Observe now that \begin{equation*} b_{p-k}=p-b_k; \end{equation*} indeed, both numbers are in $\{1,2,\dots,p-1\}$, and \begin{equation*} b_{p-k}\equiv(p-k)a\equiv-ka\equiv-b_k\equiv p-b_k\pmod p. \end{equation*} In particular, if $1\leq k\leq(p-1)/2$, then $p-b_k\notin\{b_1,b_2,\dots,b_{(p-1)/2}\}$. Since $\sigma$ just permutes the set of such $k$, we have \begin{equation*} \{p-b_{\sigma(1)},p-b_{\sigma(2)},\dotsc,p-b_{\sigma(n)}, b_{\sigma(n+1)},\dotsc b_{\sigma((p-1)/2)}\}=\Bigl\{1,2,\dots,\frac{p-1}2\Bigr\}. \end{equation*} Now take products: \begin{align*} \frac{p-1}2! &\equiv(p-b_{\sigma(1)})(p-b_{\sigma(2)})\dotsm(p-b_{\sigma(n)}) b_{\sigma(n+1)}\dotsm b_{\sigma((p-1)/2)}\\ &\equiv(-1)^n\cdot b_{\sigma(1)}\dotsm b_{\sigma((p-1)/2)}\\ &\equiv(-1)^n\cdot b_1\dotsm b_{(p-1)/2}\\ &\equiv(-1)^n\cdot a\cdot2a\cdot3a\dotsm\frac{p-1}2a\\ &\equiv(-1)^n\cdot\frac{p-1}2!\cdot a^{(p-1)/2}\pmod p. \end{align*} Therefore, since $p\ndivides((p-1)/2)!$, we have \begin{equation*} 1\equiv(-1)^n\cdot a^{(p-1)/2}\equiv(-1)^n\cdot(a/p)\pmod p. \end{equation*} As both $(-1)^n$ and $(a/p)$ are $\pm1$, the claim follows. \end{proof} We shall use Gauss's Lemma to prove the Law of Quadratic Reciprocity, by which we shall be able to relate $(p/q)$ and $(q/p)$ when both $p$ and $q$ are odd primes. Meanwhile, besides the direct application of Gauss's Lemma to computing Legendre symbols, we have: \begin{theorem}\label{thm:8} If $p$ is an odd prime, then \begin{equation*} \ls2p= \begin{cases} 1,&\text{ if }p\equiv\pm1\pmod 8;\\ -1,&\text{ if }p\equiv\pm3\pmod 8. \end{cases} \end{equation*} \end{theorem} \begin{proof} To apply Gauss's Lemma, we look at the numbers \begin{equation*} 2\cdot1,\;2\cdot2,\;\dotsc,\; 2\cdot\frac{p-1}2. \end{equation*} Each is its own remainder on division by $p$. Hence $(2/p)=(-1)^n$, where $n$ is the number of integers $k$ such that \begin{equation*} \frac p2<2k\leq p-1, \end{equation*} or rather $p/4\dotsb>b_{\sigma(n)}>\frac p2>b_{\sigma(n+1)}>\dotsb b_{\sigma((p-1)/2)}, \end{equation*} and we showed $(a/p)=(-1)^n$ after first showing \begin{equation*} \Bigl\{1,2,\dots,\frac{p-1}2\Bigr\}= \{p-b_{\sigma(1)},\dotsc,p-b_{\sigma(n)}, b_{\sigma(n+1)},\dotsc b_{\sigma((p-1)/2)}\}. \end{equation*} Now take sums: \begin{equation*} \sum_{k=1}^{(p-1)/2}k=\sum_{k=1}^n(p-b_{\sigma(k)})+ \sum_{\ell=n+1}^{(p-1)/2}b_{\sigma(\ell)}. \end{equation*} Subtracting this from~\eqref{eqn:G} (and using that $\sum_{k=1}^{(p-1)/2}b_{\sigma(k)}= \sum_{k=1}^{(p-1)/2}b_k$) gives \begin{equation*} (a-1)\cdot\sum_{k=1}^{(p-1)/2}k =p\cdot\Bigl(\sum_{k=1}^n\left[\frac{ka}p\right]-n\Bigr) + 2\cdot\sum_{k=1}^nb_{\sigma(k)}. \end{equation*} Since $a-1$ is even, but $p$ is odd, we conclude \begin{equation*} \sum_{k=1}^n\left[\frac{ka}p\right]\equiv n\pmod 2, \end{equation*} which yields the claim. \end{proof} \begin{theorem}[Law of Quadratic Reciprocity] If $p$ and $q$ are distinct odd primes, then \begin{equation}\label{eqn:pqn} \ls pq\ls qp=(-1)^n, \end{equation} where \begin{equation*} n=\frac{p-1}2\cdot\frac{q-1}2. \end{equation*} \end{theorem} This Law was: \begin{compactitem} \item conjectured by Euler, 1783;\index{Euler} \item imperfectly proved by Legendre, 1785, 1798;\index{Legendre} \item discovered and proved independently by Gauss, 1795, at age 18. \end{compactitem} The following proof is due to Gauss's student Eisenstein. \begin{proof}[Proof of Quadratic Reciprocity] By the lemma, we have~\eqref{eqn:pqn}, where \begin{equation*} n=\sum_{k=1}^{(q-1)/2}\left[\frac{kp}q\right]+ \sum_{\ell=1}^{(p-1)/2}\left[\frac{\ell q}p\right]. \end{equation*} So it is enough to show \begin{equation*} \frac{p-1}2\cdot\frac{q-1}2= \sum_{k=1}^{(q-1)/2}\left[\frac{kp}q\right]+ \sum_{\ell=1}^{(p-1)/2}\left[\frac{\ell q}p\right]. \end{equation*} First consider the example where $p=5$ and $q=7$. Then \begin{gather*} \frac{p-1}2\cdot\frac{q-1}2=2\cdot3=6;\\ \begin{split} \sum_{k=1}^{(q-1)/2}\left[\frac{kp}q\right]+ \sum_{\ell=1}^{(p-1)/2}\left[\frac{\ell q}p\right] &= \left[\frac{5}7\right]+ \left[\frac{10}7\right]+ \left[\frac{15}7\right]+ \left[\frac{7}5\right]+ \left[\frac{14}5\right]\\ &= 0+1+2+1+2=6. \end{split} \end{gather*} Here $6$ is the number of certain points in a lattice, as in Fig.~\ref{fig:qr}. \begin{figure}[ht] \begin{center} \begin{pspicture}(-1,-6)(8,1) \multips(0,0)(1,0){8}{\psdots[dotsize=1pt 1](0,0)(0,-1)(0,-2)(0,-3)(0,-4)(0,-5)} \psline(0,0)(7,-5) \uput[ul](0,0){$(0,0)$} \uput[ur](7,0){$(0,7)$} \uput[dl](0,-5){$(5,0)$} \uput[dr](7,-5){$(5,7)$} \multips(1,-1)(1,0){3}{\psdots[dotsize=3pt 1](0,0)(0,-1)} \uput[u](1,0){$\left[\displaystyle\frac57\right]$} \uput[u](2,0){$\left[\displaystyle\frac{10}7\right]$} \uput[u](3,0){$\left[\displaystyle\frac{15}7\right]$} \uput[l](0,-1){$\left[\displaystyle\frac75\right]$} \uput[l](0,-2){$\left[\displaystyle\frac{14}5\right]$} \end{pspicture} \end{center} \caption[Quadratic reciprocity]{Quadratic reciprocity in case $p=5$, $q=7$. The diagonal separates sets $A$ and $B$. The label $\left[\frac{10}7\right]$, for example, is also the number (which is $1$) of points of $A$ that lie below it.}\label{fig:qr} \end{figure} In general, $((p-1)/2)\cdot((q-1)/2)$ is the number of ordered pairs $(\ell,k)$ of integers such that \begin{align*} 1&\leq\ell\leq\frac{p-1}2,& 1&\leq k\leq\frac{q-1}2. \end{align*} Then $\ell/k\neq p/q$, since $p$ and $q$ are co-prime. Hence the set of these pairs $(\ell,k)$ is a disjoint union $A\cup B$, where \begin{align*} (\ell,k)\in A&\iff \frac{\ell}k<\frac pq;\\ (\ell,k)\in B&\iff\frac{\ell}k>\frac pq\iff\frac k{\ell}<\frac qp. \end{align*} Hence \begin{gather*} A=\Bigl\{(\ell,k)\in\Z\times\Z\colon 1\leq k\leq\frac{q-1}2\land 1\leq\ell\leq\left[\frac{kp}q\right]\Bigr\},\\ B=\Bigl\{(\ell,k)\in\Z\times\Z\colon 1\leq\ell\leq\frac{p-1}2\land 1\leq k\leq\left[\frac{\ell q}p\right]\Bigr\}, \end{gather*} so \begin{equation*} \frac{p-1}2\cdot\frac{q-1}2=\size{A\cup B}=\size A+\size B= \sum_{k=1}^{(q-1)/2}\left[\frac{kp}q\right]+ \sum_{\ell=1}^{(p-1)/2}\left[\frac{\ell q}p\right].\qedhere \end{equation*} \end{proof} Again, the more useful form of the theorem is \begin{equation*} \ls qp= \begin{cases} (p/q),&\text{ if }p\equiv1\text{ or }q\equiv 1\pmod 4;\\ -(p/q),&\text{ if }q\equiv3\equiv p\pmod 4. \end{cases} \end{equation*} Hence, for example, \begin{equation*} \ls{47}{199} =-\ls{199}{47} =-\ls{11}{47} =\ls{47}{11} =\ls3{11} =-\ls{11}3 =-\ls23=1. \end{equation*} We have used here the formula for $(2/p)$ in Theorem~\ref{thm:8}. What about $(3/p)$? We can compute: \begin{equation*} \ls 3p=\left\{ \begin{aligned} \ls p3,&\text{ if }p\equiv1\pmod 4\\ -\ls p3,&\text{ if }p\equiv 3\pmod 4 \end{aligned}\right\},\quad \ls p3= \begin{cases} 1,&\text{ if }p\equiv1\pmod 3\\ -1,&\text{ if }p\equiv2\pmod 3. \end{cases} \end{equation*} By the Chinese Remainder Theorem, we have \begin{align*} \left\{ \begin{aligned} p&\equiv1\pod 4\\ p&\equiv1\pod 3 \end{aligned} \right\}&\iff p\equiv1\pod{12},& \left\{ \begin{aligned} p&\equiv1\pod 4\\ p&\equiv2\pod 3 \end{aligned} \right\}&\iff p\equiv5\pod{12},\\ \left\{ \begin{aligned} p&\equiv3\pod 4\\ p&\equiv1\pod 3 \end{aligned} \right\}&\iff p\equiv7\pod{12},& \left\{ \begin{aligned} p&\equiv3\pod 4\\ p&\equiv2\pod 3 \end{aligned} \right\}&\iff p\equiv11\pod{12}. \end{align*} Actually this is not by the CRT. Direct computation gives the leftward implications $\Leftarrow$; then the rightward implications $\Rightarrow$ follow by contraposition, so to speak. But the CRT establishes the rightward implication in any one case, without consideration of the others.) Therefore \begin{equation*} \ls 3p= \begin{cases} 1,&\text{ if }p\equiv\pm1\pmod p,\\ -1,&\text{ if }p\equiv\pm5\pmod p. \end{cases} \end{equation*} \section{Composite moduli}%\asterism{} Assuming $\gcd(a,n)=1$, we know when the congruence $x^2\equiv a\pmod n$ has solutions, provided $n$ is an odd prime; but what about the other cases? When $n=2$, then the congruence always has the solution $1$. If $\gcd(m,n)=1$, and $\gcd(a,mn)=1$, then the congruence $x^2\equiv a\pmod{mn}$ is soluble if and only if the system \begin{equation*} \left\{ \begin{aligned} x^2&\equiv a\pmod m,\\ x^2&\equiv a\pmod n \end{aligned} \right. \end{equation*} is soluble. By the Chinese Remainder Theorem, the system is soluble if and only if the individual congruences are separately soluble. Indeed, suppose $b^2\equiv a\pmod m$, and $c^2\equiv a\pmod n$. By the Chinese Remainder Theorem, there is some $d$ such that $d\equiv b\pmod m$ and $d\equiv c\pmod n$. Then $d^2\equiv b^2\equiv a\pmod m$, and $d^2\equiv c^2\equiv a\pmod n$, so $d^2\equiv a\pmod{mn}$. For example, suppose we want to solve \begin{equation*} x^2\equiv365\pmod{667}. \end{equation*} Factorize $667$ as $23\cdot29$. Then we first want to solve \begin{align*} x^2&\equiv365\pmod{23},& x^2&\equiv365\pmod{29}. \end{align*} But we have $(365/23)=(20/23)=(5/23)=(23/5)=(3/5)=-1$ by the formula for $(3/p)$, so the first of the two congruences is insoluble, and therefore the original congruence is insoluble. It doesn't matter whether the second of the two congruences is insoluble. Contrast with the following: $(2/11)=-1$, and $(7/11)=-(11/7)=-(4/7)=-1$; so the congruences \begin{align*} x^2&\equiv2\pmod{11},&x^2&\equiv7\pmod{11} \end{align*} are insoluble; but $x^2\equiv14\pmod{11}$ is soluble. Now consider \begin{equation*} x^2\equiv361\pmod{667}. \end{equation*} One may notice that this has the solutions $x\equiv\pm19$; but there are others, and we can find them as follows. We first solve \begin{align*} x^2&\equiv16\pmod{23},&x^2&\equiv13\pmod{29}. \end{align*} The first of these is solved by $x\equiv\pm4\pmod{23}$ (and nothing else, since $23$ is prime). For the second, note $13\equiv42,71,100\pmod{29}$, so $x\equiv\pm10\pmod{29}$. So the solutions of the original congruence are the solutions of one of the following systems: \begin{align*} & \left\{ \begin{aligned} x&\equiv 4 \pmod{23},\\ x&\equiv 10\pmod{29} \end{aligned} \right\}, && \left\{ \begin{aligned} x&\equiv 4\pmod{23},\\ x&\equiv -10\pmod{29} \end{aligned} \right\},\\ & \left\{ \begin{aligned} x&\equiv -4\pmod{23},\\ x&\equiv 10\pmod{29} \end{aligned} \right\}, && \left\{ \begin{aligned} x&\equiv -4\pmod{23},\\ x&\equiv -10\pmod{29} \end{aligned} \right\}. \end{align*} One finds $x\equiv\pm19, \pm280\pmod{667}$, or $x\equiv648,280,387,19\pmod{667}$. So now $x^2\equiv a\pmod n$ is soluble if and only if the congruences \begin{equation*} x^2\equiv a\pmod{p^{k(p)}} \end{equation*} are soluble, where $n=\prod_{p\divides n}p^{k(p)}$. \begin{theorem} If $p$ is odd, and $a$ is prime to $p$, then the following are equivalent: \begin{enumerate} \item $(a/p)=1$, \item the congruence \begin{equation}\label{eqn:x2a} x^2\equiv a\pmod{p^k} \end{equation} is soluble for some positive $k$, \item the congruence~\eqref{eqn:x2a} is soluble for all positive $k$. \end{enumerate} \end{theorem} \begin{proof} Suppose $b^2\equiv a\pmod{p^{\ell}}$ for some positive $\ell$. This means \begin{equation*} b^2=a+c\cdot p^{\ell} \end{equation*} for some $c$. Then \begin{align*} (b+p^{\ell}\cdot y)^2 &=b^2+2bp^{\ell}\cdot y+p^{2\ell}\cdot y^2\\ &=a+(c+2by)p^{\ell}+p^{2\ell}\cdot y^2 \end{align*} Therefore $(b+p^{\ell}\cdot y)^2\equiv a\pmod{p^{\ell+1}} \iff c+2by\equiv0\pmod p$. But the latter congruence is soluble, since $p$ is odd. \end{proof} We must finally consider powers of $2$. \begin{theorem} Suppose $a$ is odd. Then: \begin{enumerate} \item $x^2\equiv a\pmod 2$ is soluble; \item $x^2\equiv a\pmod 4$ is soluble if and only if $a\equiv 1\pmod 4$; \item the following are equivalent: \begin{enumerate} \item\label{item:8} $x^2\equiv a\pmod 8$ is soluble; \item\label{item:some} $x^2\equiv a\pmod{2^{2+k}}$ is soluble for some positive $k$; \item\label{item:all} $x^2\equiv a\pmod{2^{2+k}}$ is soluble for all positive $k$; \item\label{item:a18} $a\equiv 1\pmod 8$. \end{enumerate} \end{enumerate} \end{theorem} \begin{proof} The first two parts are easy. So, are~\eqref{item:8}$\Leftrightarrow$\eqref{item:a18} and~\eqref{item:all}$\Rightarrow$\eqref{item:some}$\Rightarrow$\eqref{item:8}. We shall show~\eqref{item:8}$\Rightarrow$\eqref{item:all} by induction. Suppose $b^2\equiv a\pmod{2^{2+\ell}}$ for some positive $\ell$. Then $b^2=a+2^{2+\ell}\cdot c$ for some $c$. Hence \begin{align*} (b+2^{1+\ell}\cdot y)^2 &=b^2+2^{2+\ell}\cdot by+2^{2+2\ell}\cdot y^2\\ &=a+2^{2+\ell}\cdot c+2^{2+\ell}\cdot by+2^{2+2\ell}\cdot y^2\\ &=a+2^{2+\ell}\cdot(c+by)+2^{2+2\ell}\cdot y^2, \end{align*} and this is congruent to $a$ \emph{modulo} $p^{3+\ell}$ if and only if $c+by\equiv 0\pmod 2$. But this congruence is soluble, since $b$ is odd (since $a$ is odd). \end{proof} \chapter{Lagrange} %\section{}%\asterism{} A \textbf{Diophantine equation}% \index{Diophantus, Diophantine equation} (named after Diophantus, of the 3rd century \textsc{c.e.}) is a polynomial equation with integer coefficients for which the solutions sought are integers. Then \begin{equation*} x^2+y^2=z^2 \end{equation*} is a Diophantine equation among whose solutions are $(3,4,5)$ and $(5,12,13)$ are solutions. The additional condition $x=y$ yields the Diophantine equation \begin{equation*} 2x^2=z^2, \end{equation*} which we know from \S~\ref{sect:incomm} is not soluble. We considered Diophantine equations $ax+by=c$ in Chapter~\ref{ch:divisibility}. Now we shall show that, if $n$ is a natural number, then the Diophantine equation \begin{equation*} x^2+y^2+z^2+w^2=n \end{equation*} is soluble. If $p$ is an odd prime, we know that the congruence $x^2\equiv-1\pmod p$ is soluble if and only if $(-1/p)=1$, that is, $(-1)^{(p-1)/2}=1$, that is, $p\equiv 1\pmod 4$. \begin{lemma*} For every prime $p$, the congruence \begin{equation*} x^2+y^2\equiv-1\pmod p \end{equation*} is soluble. \end{lemma*} \begin{proof} The claim is easy when $p=2$. So assume now $p$ is odd. We define two sets: \begin{gather*} A=\Bigl\{x^2\colon0\leq x\leq\frac{p-1}2\Bigr\},\\ B=\Bigl\{-y^2-1\colon0\leq x\leq\frac{p-1}2\Bigr\}. \end{gather*} We shall show that $A$ and $B$ have elements representing the same congruence class \emph{modulo} $p$; that is, $A$ contains some $a$, and $B$ contains some $b$, such that $a\equiv b\pmod p$. To prove this, note first that distinct elements of $A$ are incongruent, and likewise of $B$. Indeed, if $a_0$ and $a_1$ are between $0$ and $(p-1)/2$ inclusive, and $a_0{}^2\equiv a_1{}^2\pmod p$, then $a_0\equiv\pm a_1\pmod p$. If $a_0\equiv-a_1$, then $a_0=p-a_1$, which is absurd. Hence $a_0\equiv a_1\pmod p$, so $a_0=a_1$. Hence the elements of $A$ represent $(p-1)/2+1$ distinct congruence classes \emph{modulo} $p$, and so do the elements of $B$. Since $2((p-1)/2+1)=p+1$, and there are only $p$ distinct congruence classes \emph{modulo} $p$, there must be a class represented both in $A$ and in $B$, by the \textbf{Pigeonhole Principle.}% \index{Pigeonhole Principle}% \index{theorem!Pigeonhole Principle} \end{proof} Another way to express the lemma is that, for all primes $p$, there are $a$, $b$, and $m$ such that \begin{equation*} a^2+b^2+1=mp. \end{equation*} Hence there are $a$, $b$, $c$, $d$, and $m$ such that \begin{equation*} a^2+b^2+c^2+d^2=mp. \end{equation*} We shall show that we can require $m=1$. We can combine this with the following: \begin{theorem}[Euler]\label{thm:Euler-4}% \index{Euler!---'s Theorem}% \index{theorem!Euler's Th---} The product of two sums of four squares is the sum of four squares. \end{theorem} \begin{proof} One can confirm that \begin{equation*} (a^2+b^2+c^2+d^2)(q^2+r^2+s^2+t^2)= \begin{aligned}[t] (aq&+br+cs+dt)^2+{}\\ (ar&-bq+ct-ds)^2+{}\\ (as&-bt-cq+dr)^2+{}\\ (at&+bs-cr-dq)^2 \end{aligned} \end{equation*} by expanding each side. \end{proof} \begin{theorem}[Lagrange] Every positive integer is the sum of four squares. \end{theorem} \begin{proof} By the lemma and Euler's Theorem (\ref{thm:Euler-4}), it is now enough to show the following. Let $p$ be a prime. Suppose $m$ is a positive integer such that \begin{equation}\label{eqn:abcd} a^2+b^2+c^2+d^2=mp \end{equation} for some $a$, $b$, $c$, and $d$. We shall show that the same is true for some smaller positive $m$, unless $m$ is already $1$. First we show that, if $m$ is even, then we can replace it with $m/2$. Indeed, if $a^2+b^2=n$, then \begin{equation*} \Bigl(\frac{a+b}2\Bigr)^2+ \Bigl(\frac{a-b}2\Bigr)^2=\frac n2, \end{equation*} and if $n$ is even, then so are $(a\pm b)/2$. In~\eqref{eqn:abcd} then, if $m$ is even, then we may assume that $a^2+b^2$ and $c^2+d^2$ are both even, so \begin{equation*} \Bigl(\frac{a+b}2\Bigr)^2+ \Bigl(\frac{a-b}2\Bigr)^2+ \Bigl(\frac{c+d}2\Bigr)^2+ \Bigl(\frac{c-d}2\Bigr)^2=\frac m2\cdot p. \end{equation*} Henceforth we may assume $m$ is odd. Then there are $q$, $r$, $s$ and $t$ \emph{strictly} between $-m/2$ and $m/2$ such that \begin{equation*} q\equiv a,\quad r\equiv b,\quad s\equiv c,\quad t\equiv d\pmod m. \end{equation*} Then \begin{equation*} q^2+r^2+s^2+t^2\equiv0\pmod m, \end{equation*} but also $q^2+r^2+s^2+t^23$. \end{xca} \begin{xca} If $p\equiv1\pmod3$ then $p\equiv1\pmod6$. \end{xca} \begin{xca} If $n\equiv2\pmod3$, then $n$ has a factor $p$ such that $p\equiv2\pmod3$. \end{xca} \begin{xca} Find all primes of the form $n^3-1$. \end{xca} \begin{xca} Find all $p$ such that $3p+1$ is square. \end{xca} \begin{xca} Find all $p$ such that $p^2+2$ is prime. \end{xca} \begin{xca} $n^4+4$ is composite unless $n=\pm1$. \end{xca} \begin{xca} If $n$ is positive, then $8^n+1$ is composite. \end{xca} \begin{xca} Find all integers $n$ such that the equation \begin{equation*} x^2=ny^2 \end{equation*} has only the zero solution. Prove your findings. \end{xca} \begin{xca} If $p_0<\dotsb1$), but $\{n\colon\sigma(n)=k\}$ is finite. \end{xca} \begin{xca} Let $m\in\Z$. The number-theoretic function $n\mapsto n^m$ is multiplicative. \end{xca} \begin{xca} Let $\omega(n)$ be the number of \emph{distinct} prime divisors of $n$, and let $m$ be a non-zero integer. Then $n\mapsto m^{\omega(n)}$ is multiplicative. \end{xca} \begin{xca} Let $\Lambda(n)= \begin{cases} \log p,&\text{ if $n=p^m$ for some positive $m$};\\ 0,&\text{ otherwise.} \end{cases}$ \begin{compactenum} \item $\log n=\displaystyle\sum_{d\divides n}\Lambda(d)$. \item $\Lambda(n)=\displaystyle\sum_{d\divides n}\mu\Bigl(\frac nd\Bigr)\log d$. \item $\Lambda(n)=-\displaystyle\sum_{d\divides n}\mu(d)\log d$. \end{compactenum} \end{xca} \begin{xca}\label{ex:f-mult} Suppose $n=p_1{}^{k(1)}\dotsm p_r{}^{k(r)}$, where the $p_i$ are distinct. \begin{compactenum} \item\label{item:f-mult} If $f$ is multiplicative and non-zero, then $\displaystyle\sum_{d\divides n}\mu(d)\cdot f(d)=\prod_{i=1}^r(1-f(p_i))$; \item $\displaystyle\sum_{d\divides n}\mu(d)\cdot\tau(d)=(-1)^r$. \end{compactenum} \end{xca} %\section{Exercise Set} %set VII \begin{xca} $f(568)=f(638)$ when $f\in\{\tau,\sigma,\phi\}$. \end{xca} \begin{xca} Solve: \begin{compactenum} \item $n=2\phi(n)$. \item $\phi(n)=\phi(2n)$. \item $\phi(n)=12$. (Do this without a table. There are 6 solutions.) \end{compactenum} \end{xca} \begin{xca} Find a sequence $(a_n\colon n\in\N)$ of positive integers such that \begin{equation*} \lim_{n\to\infty}\frac{\phi(a_n)}{a_n}=0. \end{equation*} (If you assume that there \emph{is} an answer to this problem, then it is not hard to see what the answer must be. To actually \emph{prove} that the answer is correct, recall that, formally, \begin{equation*} \sum_n\frac 1n=\prod_p\frac1{1-\frac1p}, \end{equation*} so $\displaystyle\lim_{n\to\infty}\prod_{k=1}^n\frac1{1-\frac1{p_k}}=\infty$ if $(p_k\colon k\in\N)$ is the list of primes.) \end{xca} \begin{xca} \begin{compactenum} \item Show $a^{100}\equiv1\pmod{1000}$ if $\gcd(a,1000)=1$. \item Find $n$ such that $n^{101}\not\equiv n\pmod{1000}$. \end{compactenum} \end{xca} \begin{xca}\label{ex:a13} \begin{compactenum} \item Show $a^{24}\equiv1\pmod{35}$ if $\gcd(a,35)=1$. \item\label{a13} Show $a^{13}\equiv a\pmod{35}$ for all $a$. \item Is there $n$ such that $n^{25}\not\equiv n\pmod{35}$? \end{compactenum} \end{xca} \begin{xca} If $\gcd(m,n)=1$, show $m^{\phi(n)}\equiv n^{\phi(m)}\pmod{mn}$. \end{xca} \begin{xca} If $n$ is odd, and is not a prime power, and if $\gcd(a,n)=1$, show $a^{\phi(n)/2}\equiv 1\pmod n$. (This generalizes Exercise~\ref{ex:a13}\eqref{a13}.) \end{xca} \begin{xca} Solve $5^{10000}x\equiv1\pmod{153}$. \end{xca} \begin{xca} Prove $\displaystyle\sum_{d\divides n}\mu(d)\phi(d)=\prod_{p\divides n}(2-p)$. (This is a special case of Exercise~\ref{ex:f-mult}\eqref{item:f-mult}.) \end{xca} \begin{xca} If $n$ is \textbf{squarefree}% \index{squarefree number}% \index{number!squarefree ---} (has no factor $p^2$), and $k\geq0$, show \begin{equation*} \sum_{d\divides n}\sigma(d^k)\phi(d)=n^{k+1}. \end{equation*} \end{xca} \begin{xca} $\displaystyle\sum_{d\divides n}\sigma(d)\phi\Bigl(\frac nd\Bigr)=n\tau(n)$. \end{xca} \begin{xca} $\displaystyle\sum_{d\divides n}\tau(d)\phi\Bigl(\frac nd\Bigr)=\sigma(n)$. \end{xca} %\section{Exercise Set} %set VIII \begin{xca} We have $(\pm3)^2\equiv2\pmod7$. Compute the orders of $2$, $3$, and~$-3$, \emph{modulo} $7$. \end{xca} \begin{xca} Suppose $\ord na=k$, and $b^2\equiv a\pmod n$. \begin{compactenum} \item Show that $\ord nb\in\{k,2k\}$. \item Find an example for each possibility of $\ord nb$. \item Find a condition on $k$ such that $\ord nb=2k$. \end{compactenum} \end{xca} \begin{xca} This is about $23$: \begin{compactenum} \item\label{part:a} Find a primitive root of least absolute value. \item How many primitive roots are there? \item Find these primitive roots as powers of the root found in~\eqref{part:a}. \item Find these primitive roots as elements of $[-11,11]$. \end{compactenum} \end{xca} \begin{xca} Assuming $\ord pa=3$, show: \begin{compactenum} \item $a^2+a+1\equiv0\pmod3$; \item $(a+1)^2\equiv a\pmod 3$; \item $\ord p{a+1}=6$. \end{compactenum} \end{xca} \begin{xca} Find all elements of $[-30,30]$ having order $4$ \emph{modulo} $61$. \end{xca} \begin{xca} $f(x)\equiv0\pmod n$ may have more than $\deg(f)$ solutions: \begin{compactenum} \item Find four solutions to $x^2-1\equiv0\pmod{35}$. \item Find conditions on $a$ such that the congruence $x^2-a^2\equiv0\pmod{35}$ has four distinct solutions, and find these solutions. \item If $p$ and $q$ are odd primes, find conditions on $a$ such that the congruence $x^2-a^2\equiv0\pmod{pq}$ has four distinct solutions, and find these solutions. \end{compactenum} \end{xca} \begin{xca} If $\ord na=n-1$, then $n$ is prime. \end{xca} \begin{xca} If $a>1$, show $n\divides\phi(a^n-1)$. \end{xca} \begin{xca} If $2\ndivides p$ and $p\divides n^2+1$, show $p\equiv1\pmod4$. \end{xca} \begin{xca}\mbox{} \begin{compactenum} \item Find conditions on $p$ such that, if $r$ is a primitive root of $p$, then so is $-r$. \item If $p$ does not meet these conditions, then what is $\ord p{-r}$? \end{compactenum} \end{xca} %\section{Exercise Set} %set IX \begin{xca}\label{IX.1} For $(\Z/(17))^{\times}$: \begin{compactenum} \item\label{IX.1(a)} construct a table of logarithms using $5$ as the base; \item\label{IX.1(b)} using this (or some other table, with a different base), solve: \begin{compactenum} \item $x^{15}\equiv14\pmod{17}$; \item $x^{4095}\equiv14\pmod{17}$; \item $x^4\equiv4\pmod{17}$; \item $11x^4\equiv7\pmod{17}$. \end{compactenum} \end{compactenum} \end{xca} \begin{xca} If $n$ has primitive roots $r$ and $s$, and $\gcd(a,n)=1$, prove \begin{equation*} \log_sa\equiv\frac{\log_ra}{\log_rs}\pmod{\phi(n)}. \end{equation*} \end{xca} \begin{xca} In $(\Z/(337))^{\times}$, for any base, show \begin{equation*} \log(-a)\equiv\log a+168\pmod{336}. \end{equation*} \end{xca} \begin{xca} Solve $4^x\equiv13\pmod{17}$. \end{xca} \begin{xca} How many primitive roots has $22$? Find them. \end{xca} \begin{xca}\label{IX.6} Find a primitive root of $1250$. \end{xca} \begin{xca} Define the function $\lambda$ by the rules \begin{align*} \lambda(2^k)&= \begin{cases} \phi(2^k),&\text{ if }00;\\ 0,&\text{ if }n\leq0