Counting Fermat witnesses

For the Fermat primality test, looking for a Fermat witness is the name of the game. Given an integer $n$ for which the “prime or composite” status is not known, if you can find a Fermat witness for $n$, you can conclude decisively that $n$ is not a prime number. If $n$ is a composite number in reality (but the status is not known to you), how likely is it to find a Fermat witness? In other words, when you use the Fermat primality test on a composite integer, what is the probability of the test giving the correct answer? Or what is the probability of making a mistake? In this post we answer these questions by having a detailed look at Fermat witnesses. This is done through a theorem (see Theorem 1 below) and by counting the numbers of Fermat witnesses of a series of composite integers.

____________________________________________________________________________

Fermat witness

What is a Fermat witness? A Fermat witness is a number that violates the conclusion of Fermat’s little theorem. Here’s the theorem:

Fermat’s little theorem
If $n$ is a prime number and if $a$ is an integer that is relatively prime to $n$, then $a^{n-1} \equiv 1 \ (\text{mod} \ n)$.

If we can find a number $a$ that is relatively prime to $n$ such that $a^{n-1} \not \equiv 1 \ (\text{mod} \ n)$, then we know for sure that $n$ is composite. Such a number $a$ is said to be a Fermat witness for the compositeness of $n$. For convenience, we say that a potential Fermat witness for the compositeness of $n$ is any integer $a$ in the interval $1 that is relatively prime to $n$.

To use the Fermat primality test on the integer $n$, we examine a random sample of potential Fermat witnesses for $n$. If one of the potential Fermat witnesses in the sample turns out to be a Fermat witness for $n$, we know with certainty that $n$ is composite. If none of the potential Fermat witnesses in the random sample is a Fermat witness, then $n$ is a likely a prime number.

As with most diagnostic tests, a test can make two types of mistakes – false positives or false negatives. For primality testing, we define a positive result as the outcome that says the number being tested is a prime number and a negative result as the outcome that says the number being tested is a composite number. Thus a false positive is identifying a composite number as a prime number and a false negative is identifying a prime number as a composite number. For the Fermat test, there is no false negative (see Case 1 in the next section). If the Fermat test gives a negative result, it would be a true negative.

On the other hand, the Fermat test can give a false positive. There are two cases for false positives. In one case (Case 2a), the probability of a false positive can be made as low as possible. For the other case (Case 2b), the probability of a false positive is virtually 100%.

____________________________________________________________________________

Looking at different cases

If $n$ is a prime number in reality (but the status is not known before the testing), the Fermat test will always give the correct result. The Fermat test will never make the mistake of declaring a prime number as composite. What if is $n$ is a composite number in reality? How would the test behave? It turns out that if $n$ is a composite number that has a Fermat witness, the test is an effective probabilistic primality test. On the other hand, if $n$ is a composite number that has no Fermat witness, the test will identify $n$ as a prime number (so the test fails completely). Here’s the cases we just describe:

• Case 1. $n$ is a prime number.
• Case 2. $n$ is a composite number.
• Case 2a. $n$ is a composite number that has a Fermat witness.
• Case 2b. $n$ is a composite number that has no Fermat witness.

Let’s look at the cases in more details. If $n$ is a prime number in reality, then it satisfies Fermat’s little theorem. The congruence $a^{n-1} \equiv 1 \ (\text{mod} \ n)$ is always true. So the Fermat test will always give the correct result when the number being tested is a prime number in reality. In Case 1, it will never identify a prime number as a composite number. As mentioned above, the probability of a false negative is zero.

If $n$ is a composite number that has at least one Fermat witness, there is a chance that the Fermat test can identify $n$ as a prime (i.e. a false positive). However, the probability of making a mistake can be reducdd by increasing the number of potential witnesses to be calculated. Indeed, if we sample $k$ potential witnesses, there is at most a $2^{-k}$ chance of getting a wrong result. In Case 2a, the probability of error can be made so small that it is practically zero for all practical purposes. In this case, the Fermat test can work truly as a probabilistic primality test. In this case, the probability of a false positive can be made as small as possible.

The last case (Case 2b) is the weakest link in the Fermat test. Any composite number $n$ such that $a^{n-1} \equiv 1 \ (\text{mod} \ n)$ for all $a$ relatively prime to $n$ is said to be a Carmichael number. When the Fermat test is applied on such a number, it will never give the correct conclusion (i.e. it will always give a false positive). It does not matter how many potential Fermat witnesses that are calculated. In fact, calculating $a^{n-1} \ (\text{mod} \ n)$ for a large number of values of $a$ can lead one to believe that this number $n$ is a prime number. In this case, the probability of a false positive is virtually 100%. So the case of Carmichael numbers cannot be totally ignored. There are infinitely many Carmichael numbers (proved in 1994). Fortunately, it is harder and harder to find Carmichael numbers as you move up in the number line. For an illustration that Carmichael numbers are rare, see a discussion in this previous post.

We will see below that for the composite numbers in Case 2a, the Fermat test has a very small probability of a false positive (identifying a composite number as a prime number). On the other hand, for the composite numbers in Case 2b, the Fermat test has a 100% probability of a false positive. Of course, when you test a number for primality, you do not know in advance what case it is. Thus the presence of Carmichael numbers is a concern.

____________________________________________________________________________

A floor for the count of Fermat witnesses

Theorem 1 below sets a floor for Fermat witnesses. Once again, in this theorem we only care about the composite numbers that have at least one Fermat witness. Recall that a potential Fermat witness for the compositeness of $n$ is an integer $a$ in the interval $1 such that $a$ and $n$ are relatively prime, i.e., $\text{GCD}(a,n) = 1$.

Theorem 1
Let $n$ be a composite integer that has at least one Fermat witness. Then at least half of the potential witnesses for the compositeness of $n$ are Fermat witnesses.

Proof of Theorem 1
Let $a$ be a Fermat witness for $n$. We claim that if $b$ is a potential Fermat witness that is not a Fermat witness, then $a \cdot b$ is a Fermat witness for $n$. First of all, $a \cdot b$ is relatively prime to $n$. Note that the product if two numbers, each of which is relatively prime to $n$, is once again a number that is relatively prime to $n$ (see Lemma 4 in this previous post). Thus $a \cdot b$ is a potential Fermat witness for $n$. The following shows that $a \cdot b$ is a Fermat witness for $n$.

$(a \cdot b)^{n-1}=a^{n-1} \cdot b^{n-1} \equiv a^{n-1} \not \equiv 1 \ (\text{mod} \ n)$

In the above derivation, we use the fact that $a$ is a Fermat witness for $n$ and that $b$ is not a Fermat witness for $n$, which means that $b^{n-1} \equiv 1 \ (\text{mod} \ n)$.

If all the potential Fermat witnesses are Fermat witnesses, then we are done since the conclusion of the theorem is true. Assume that at least one potential Fermat witness is not a Fermat witness. In fact, the following enumerates all potential Fermat witnesses that are not Fermat witnesses:

$b_1,\ b_2,\ \cdots, \ b_k$

where $k \ge 1$ and $b_i \not \equiv b_j \ (\text{mod} \ n)$ for all $i \ne j$. By the claim established earlier, the following numbers are all Fermat witnesses for $n$.

$a \cdot b_1, \ a \cdot b_2, \ \cdots, \ a \cdot b_k$

The above Fermat witnesses are all distinct. If $ab_i \equiv ab_j \ (\text{mod} \ n)$ where $i \ne j$, then we can multiply both sides by $a^{-1}$ and obtain $b_i \equiv b_j \ (\text{mod} \ n)$, which is not possible. What we have proved is that if there exists one Fermat witness for $n$ and if there are $k$ many distinct potential Fermat witnesses that are not Fermat witnesses, then there are at least $k$ many Fermat witnesses for $n$. This means that at most half of the potential witnesses are non-Fermat witnesses (if there are more than half, we get a contradiction). Thus at least half of the potential Fermat witnesses are Fermat witnesses. $\blacksquare$

There is another way to state Theorem 1. Recall that Euler’s phi function $\phi(n)$ is defined to be the number of integers $a$ in the interval $1 that are relatively prime to $n$. In other words, $\phi(n)$ is the count of the potential Fermat witnesses for $n$. With this in mind, Theorem 1 can be restated as the following:

Corollary 2
Let $n$ be a composite integer that has at least one Fermat witness. Then the number of Fermat witnesses for the compositeness of $n$ is at least $\displaystyle \frac{\phi(n)}{2}$.

____________________________________________________________________________

The significance of Theorem 1

Theorem 1 gives a floor on Fermat witnesses for one type of composite numbers, namely the composite numbers that have at least one Fermat witness (put another way, the composite numbers that are not Carmichael numbers). More importantly, Theorem 1 allows us to estimate the probability of error when using the Fermat test on such composite numbers.

When applying the Fermat test on a composite integer $n$ that has at least one Fermat witness, the only scenario in which the Fermat test can make an error (aside from calculation errors of course) is that all the random selections of $a$ are not Fermat witnesses. So you are so unlucky that you happen to pick all values of $a$ that are not Fermat witnesses. What is the probability of that?

Randomly select a potential Fermat witness for $n$, there is at least 50% chance that it is a Fermat witness and at most 50% chance that it is not a Fermat witness. We have the following statement:

If $n$ is a composite number that has at least one Fermat witness, and if you sample one potential Fermat witness for $n$, there is at most a 50% chance that it is not a Fermat witness.

If you pick two values of $a$ at random, there is at most $0.5^2=0.25=25 \%$ chance that both are not Fermat witnesses. If you pick three values of $a$ at random, there is at most $0.5^3=0.125=12.5 \%$ chance that you pick non-Fermat witnesses three times in a row. If you pick 10 potential witnesses at random, there is at most

$0.5^{10}=0.000977=0.0977 \%$

chance that all ten values of $a$ are not Fermat witnesses. In general, we can make the following statement:

If $n$ is a composite number that has at least one Fermat witness, then when sampling $k$ many potential Fermat witnesses for $n$, the probability that none of the $k$ potential witnesses is Fermat witness is $0.5^k$.

Recall that the only scenario in which the Fermat test can make a mistake when testing a composite number belonging to Case 2a is that the random sample of values of $a$ contains only non-Fermat witnesses. Thus when the sample size is large, the probability of error can be made very small.

The bottom line is that the more potential witnesses you sample, the less likely that you won’t pick a Fermat witness (i.e., it is more likely that you will pick one). Picking a Fermat witness is essentially a coin toss. If you toss a fair coin many times, it is not likely to get all tails (it is likely to get at least one head).

The calculation for each potential witness $a$ is $a^{n-1} \ (\text{mod} \ n)$. Exponentiation in modular arithmetic can be done using the fast powering algorithm, which is an efficient algorithm that involves repeated squarings and multiplications. Thus if the composite number $n$ happens to be a composite number with a Fermat witness, the Fermat test is very efficient (when used with the fast powering algorithm) and accurate.

Of course, when you test the primality of a number, you do not know which case it belongs to. If you want to avoid the case of Carmichael numbers entirely, you might want to try a primality test that can detect Carmichael numbers (e.g. the Miller-Rabin test).

____________________________________________________________________________

Counting examples

To reinforce the discussion in the previous sections, we count the Fermat witnesses for 10 integers. They are all small numbers (the largest one is a little over 200,000). These integers are composite integers that are not Carmichael numbers. So each has at least one Fermat witness. To count the witnesses, we create a computer program to determine the witness status for all $a$ in $1 that are relatively prime to $n$. The counts are shown in the following matrix.

Composite integers that are not Carmichael numbers

$\left[\begin{array}{rrrrrrrrr} \text{ } & \text{ } & \text{ } & \text{ } & \text{Fermat Witness} & \text{ } & \text{Fermat Witness} & \text{ } & \text{Fermat Witness} \\ n & \text{ } & \phi(n) & \text{ } & \text{Yes} & \text{ } & \text{No} & \text{ } & \text{Yes} \ \% \\ \text{ } & \text{ } & \text{ } & \text{ } & \text{ } & \text{ } & \text{ } \\ 91 & \text{ } & 72 & \text{ } & 36 & \text{ } & 36 & \text{ } & 50 \% \\ 221 & \text{ } & 192 & \text{ } & 176 & \text{ } & 16 & \text{ } & 91.67 \% \\ 341 & \text{ } & 300 & \text{ } & 200 & \text{ } & 100 & \text{ } & 66.67 \% \\ 5,777 & \text{ } & 5,616 & \text{ } & 5,600 & \text{ } & 16 & \text{ } & 99.72 \% \\ 10,873 & \text{ } & 10,660 & \text{ } & 10,656 & \text{ } & 4 & \text{ } & 99.96 \% \\ 21,809 & \text{ } & 21,504 & \text{ } & 21,248 & \text{ } & 256 & \text{ } & 98.81 \% \\ 50,113 & \text{ } & 42,948 & \text{ } & 42,912 & \text{ } & 36& \text{ } & 99.92 \% \\ 73,861 & \text{ } & 73,312 & \text{ } & 73,296 & \text{ } & 16 & \text{ } & 99.98 \% \\ 100,097 & \text{ } & 99,396 & \text{ } & 99,392 & \text{ } & 4 & \text{ } & 100 \% \\ 201,217 & \text{ } & 200,260 & \text{ } & 200,256 & \text{ } & 4 & \text{ } & 100 \% \end{array}\right]$

The first column is the 10 integers from 91 to 201,217. The second column is Euler’s phi function, which is the count of all integers $a$ that are relatively prime to $n$, which is the count of the potential Fermat witnesses for $n$. For $n=91$, there are 72 potential Fermat witnesses where exactly half are Fermat witnesses. For the other numbers on the list, the percentages of Fermat witnesses are a lot more than 50%. In fact, for most of them, the Fermat witness percentages are over 99%. For the last two numbers on the list the percentage is virtually 100%.

Consider 201,217, the last number on the list. Applying the Fermat test on the number, it will be hard not to pick up a Fermat witness. With only 4 potential witnesses that are not Fermat witness, it is certain to find one Fermat witness when more than 4 numbers are sampled. In fact, even if just 4 numbers are sampled, there is a virtually 100% chance that a Fermat witness will be found.

Take the number in the above table that has the largest number of non-Fermat witnesses ($n=21,809$), which has 256 non-Fermat witnesses. It has 21,504 potential witnesses. Out of a random sample of 20 such potential Fermat witnesses, the probability that none of them is a Fermat witness is $3.24 \cdot 10^{-39}$, which is practically zero.

The above calculations show that for composite numbers that have at least one Fermat witness, the Fermat test is very accurate with a very high probability. The key is to sample a large enough number of potential witnesses. However for Carmichael numbers, it is totally different story.

As discussed earlier, a Carmichael number is a composite number $n$ that has no Fermat witnesses. Specifically a composite number $n$ is a Carmichael number if $a^{n-1} \equiv 1 \ (\text{mod} \ n)$ for all integers $a$ such that $1 and $a$ and $n$ are relatively prime. The following table is a demonstration of this property.

The first ten Carmichael numbers

$\left[\begin{array}{rrrrrrrrr} \text{ } & \text{ } & \text{ } & \text{ } & \text{Fermat Witness} & \text{ } & \text{Fermat Witness} & \text{ } & \text{Fermat Witness} \\ n & \text{ } & \phi(n) & \text{ } & \text{Yes} & \text{ } & \text{No} & \text{ } & \text{Yes} \ \% \\ \text{ } & \text{ } & \text{ } & \text{ } & \text{ } & \text{ } & \text{ } \\ 561 & \text{ } & 320 & \text{ } & 0 & \text{ } & 320 & \text{ } & 0 \% \\ 1,105 & \text{ } & 768 & \text{ } & 0 & \text{ } & 768 & \text{ } & 0 \% \\ 1,729 & \text{ } & 1,296 & \text{ } & 0 & \text{ } & 1,296 & \text{ } & 0 \% \\ 2,465 & \text{ } & 1,792 & \text{ } & 0 & \text{ } & 1,792 & \text{ } & 0 \% \\ 2,821 & \text{ } & 2,160 & \text{ } & 0 & \text{ } & 2,160 & \text{ } & 0 \% \\ 6,601 & \text{ } & 5,280 & \text{ } & 0 & \text{ } & 5,280 & \text{ } & 0 \% \\ 8,911 & \text{ } & 7,128 & \text{ } & 0 & \text{ } & 7,128& \text{ } & 0 \% \\ 10,585 & \text{ } & 8,064 & \text{ } & 0 & \text{ } & 8,064 & \text{ } & 0 \% \\ 15,841 & \text{ } & 12,960 & \text{ } & 0 & \text{ } & 12,960 & \text{ } & 0 \% \\ 29,341 & \text{ } & 25,920 & \text{ } & 0 & \text{ } & 25,920 & \text{ } & 0 \% \end{array}\right]$

The above table lists out the first ten Carmichael numbers. Though we can show that each one of them is a Carmichael number by using the Korselt’s Criterion (see here but you have to first factor the numbers). We calculate the Fermat witness status for each potential witness for each $n$ in the table. The above table is a visual demonstration of the fact that the column for the Fermat witnesses is entirely zero! So if you happen to test the primality on such numbers using the Fermat test, you will conclude that they are prime numbers unless you happen to sample a value of $a$ whose GCD with $n$ is greater than one (i.e., the only way you can determine the compositeness of a Carmichael number is to stumble into a GCD witness).

Fermat test does what it does well with the exception of Carmichael numbers. As mentioned earlier, if you want to avoid the trap of working with Carmichael numbers (as rare as they are), you can always switch to a test that will always detect Carmichael numbers (e.g. Miller-Rabin test).

____________________________________________________________________________

$\copyright \ 2014 \text{ by Dan Ma}$

Factorization versus primality testing

Let $n$ be a large positive integer whose “prime versus composite” status is not known. One way to know whether $n$ is prime or composite is to factor $n$ into its prime factors. If there is a non-trivial factor (one that is neither 1 nor $n$), it is composite. Otherwise $n$ is prime. This may sound like a reasonable approach in performing primality testing – checking whether a number is prime or composite. In reality, factoring and primality testing, though related, are very different problems. For a very large number (e.g. with at least 300 decimal digits), it is possible that, even with the state of the art in computing, factoring it may take more than a few million years. On the other hand, it will take a modern computer less than a second to determine whether a 300-digit number is prime or composite. Interestingly this disparity is one reason that makes the RSA work as a practical and secure cryptosystem. In this post, we use the RSA cryptosystem as an example to give a sense that factoring is a “hard” problem while primality testing is an “easy” problem. The primality test used in the examples is the Fermat primality test.

____________________________________________________________________________

The brute force approach

There is a natural and simple approach in factoring, which is to do trial divisions. To factor the number $n$, we divide $n$ by every integer $a$ in the range $1. Once a factor $a$ is found, we repeat the process with the complementary factor $\frac{n}{a}$ until all the prime factors of $n$ are found. This is simple in concept and is sure to produce the correct answer. For applications in cryptography, this brute force approach is essentially useless since the amount of time to try every candidate factor is prohibitively huge. The amount of time required may be more than the age of the universe if the brute force approach is used.

The brute force approach can be improved upon slightly by doing the trial divisions using candidate factors up to $\sqrt{n}$. It is well known that if a composite integer $n$ is greater than one, then it has a prime divisor $d$ such that $1. So instead of dividing $n$ by every number $a$ with $1, we can divide $n$ by every prime number $a$ with $1. But even this improved brute force approach will still take too long to be practical.

Let’s look at a quick example for brute force factoring. Let $n=96638243$. Note that $\sqrt{n}=\sqrt{96638243}=9676$. There are 1192 odd primes less than 9676. In dividing $n$ by these primes, we stop at 127 and we have $n=96638243=127 \cdot 737309$. We now focus the attention on $737309$. Note that $\sqrt{737309}=858.67$ and there are 147 odd primes less than 858. Dividing $737309$ by these 147 candidate factors, we find that none of them is a factor. We can conclude $737309$ is prime. Then we have the factorization $n=96638243=127 \cdot 737309$.

____________________________________________________________________________

Example of RSA

RSA is a public-key cryptosystem and is widely used for secure data transmission. The RSA public key consists of two parts. One is the modulus that is the product of two distinct prime factors. Suppose the modulus is called $N$ and we have $N=pq$ where $p$ and $q$ are distinct prime numbers. How large does $N$ have to be? The larger the $N$ is, the more secure RSA is. The current practice is that for corporate use the modulus is at least a 1024-bit number (the bit size is called the key length). If data is extra sensitive or if the data needs to be retained for a long time, then a larger key length should be used (e.g. 2048-bit). With a 1024-bit modulus $N=pq$, each prime factor is a 512-bit number. The other part of the RSA public key is the encryption key, which is an integer $e$ that is relatively prime to the integer $(p-1) \cdot (q-1)$.

Let’s say we want to generate a 1024-bit modulus. There are two challenges with a key of this size. One is that a reliable way is needed to obtain two prime numbers that are 512-bit long. Given a large integer that is at least 512-bit long, how do we determine reliably that it is prime? Is it possible to factor a 512-bit integer using the brute force approach? The other challenge is from the perspective of an attacker – successful factoring the 1024-bit modulus would break RSA and allow the attacker to read the secret message. Let’s look at the problem of the attacker trying to factor a 1024-bit number. A 1024-bit number is approximately $2^{1024}$. The following calculation converts it to a decimal basis:

$\displaystyle 2^{1024}=(10^{\text{log(2)}})^{1024} \approx 10^{308.25}$

We use $\text{log}(x)$ to denote the logarithm of base 10. Note that $1024 \cdot \text{log}(2)=308.25$. So a 1024-bit number has over 300 digits.

Let’s see what the challenge is if you want to factor a 1024-bit number. Suppose your chosen large number $n$ is such that $n \approx 10^{308}$. Note that $\sqrt{10^{308}}=10^{154}$. According to the improved brute force approach described above, in effect you will need to divide $n$ by every prime number less than $10^{154}$.

Now let’s get an estimate on the number of prime numbers less than $10^{154}$. According to the prime number theorem, the number of prime numbers at most $x$ is approximately

$\displaystyle \pi(x) \approx \frac{x}{\text{ln}x}$

where $\pi(x)$ is the number of primes at most $x$. Then $\pi(10^{154}) \approx 2.82 \cdot 10^{151}$. This is certainly a lot of prime numbers to check.

It is hard to comprehend such large numbers. Let’s put this into perspective. Currently the world population is about 7 billion. Let’s say each person in the world possesses a supercomputer that can check $10^{40}$ prime numbers per second (i.e. to check whether they are factors of the number $n$). This scenario clearly far exceeds the computing resources that are currently available. Suppose that the 7 billion supercomputers are available and that each one can check $10^{40}$ many primes per second. Then in each second, the following is the number of prime numbers that can be checked by the 7 billion supercomputers.

$\displaystyle 7 \cdot 10^9 \cdot 10^{40}=7 \cdot 10^{49} \text{ prime numbers per second}$

The following is the number of seconds it will take to check $2.82 \cdot 10^{151}$ many prime numbers:

$\displaystyle \frac{2.82 \cdot 10^{151}}{7 \cdot 10^{49}} \approx 4 \cdot 10^{101} \text{ seconds}$

The universe is estimated to be about 13 billion years old. The following calculation converts it to seconds.

$13 \text{ billion years}=13 \cdot 10^9 \cdot 365 \cdot 24 \cdot 3600 \approx 4 \cdot 10^{17} \text{ seconds}$

With 7 billion fast suppercomputers (one for each person in the world) running in the entire life of the universe, you can only finish checking

$\displaystyle \frac{4 \cdot 10^{17}}{4 \cdot 10^{101}}=\frac{1}{10^{84}}$

of the $2.82 \cdot 10^{151}$ many prime numbers. Note that $\frac{1}{10^{84}}$ is a tiny portion of 1%. So by taking the entire life of the universe to run the 7 billion supercomputers, each checking $10^{40}$ many candidate prime factors per second, you would not even make a dent in the problem!

The security of RSA rests on the apparent difficulty of factoring large numbers. If the modulus $N=pq$ can be factored, then an eavesdropper can obtain the private key from the public key and be able to read the message. The difficulty in factoring means there is a good chance that RSA is secure. In order to break RSA, an attacker would probably have to explore other possible vulnerabilities instead of factoring the modulus.

By carrying out a similar calculation, we can also see that factoring a 512-bit number by brute force factoring is also not feasible. Thus in the RSA key generation process, it is not feasible to use factoring as a way to test primality. The alternative is to use efficient primality tests such as Fermat test or Miller-Rabin test. The computation for these tests is based on the fast powering algorithm, which is a very efficient algorithm.

____________________________________________________________________________

The story told by RSA numbers

The required time of more than the life of the universe as discussed above is based on the naïve brute force approach of factoring. There are many other factoring approaches that are much more efficient and much faster, e.g., the quadratic sieve algorithm, the number field sieve algorithm, and the general number field sieve algorithm. For these methods, with ample computing resources at the ready, factoring a 1024-bit or 2048-bit number may not take the entire life of the universe but make take decades or more. Even with these better methods, the disparity between slow factoring and fast primality testing is still very pronounced and dramatic.

The best evidence of slow factoring even with using modern methods is from the RSA numbers. The RSA numbers are part of the the RSA Factoring Challenge, which was created in 1991 to foster research in computational number theory and the practical difficulty of factoring large integers. The challenge was declared inactive in 2007. The effort behind the successful factorization of some of these numbers gives us an idea of the monumental challenges in factoring large numbers.

According to the link given in the above paragraph, there are 54 RSA numbers, ranging from 330 bits long to 2048 bits long (100 decimal digits to 617 decimal digits). Each of these numbers is a product of two prime numbers. Of these 54 numbers, 18 were successfully factored (as of the writing of this post). They were all massive efforts involving large groups of volunteers (in some cases using hundreds or thousands of computers), spanning over months or years. Some of methods used are the quadratic sieve algorithm, the number field sieve algorithm, and the general number field sieve algorithm.

The largest RSA number that was successfully factored is the RSA-768, which is 768 bits long and has 232 decimal digits (completed in December 2009). The method used was the Number Field Sieve method. There were 4 main steps in this effort. The first step is the polynomial selection, which took half a year using 80 processors. The second step is the sieving step, which took almost two years on many hundreds of machines. If only using a single core 2.2 GHz AMD Opteron processor with 2 GB RAM, the second step would take about 1500 years! The third step is the matrix step, which took a couple of weeks on a few processors. The final step took a few days, which involved a great deal of debugging.

The number field sieve method is the fastest known method for factoring large numbers that are a product of two primes (i.e. RSA moduli). The effort that went into factoring RSA-768 was massive and involved many years of complicated calculations and processing. This was only a medium size number on the list!

Another interesting observation that can be made is on the RSA numbers that have not been factored yet. There are 36 unfactored numbers in the list. One indication that RSA is secure in the current environment is that the larger numbers in the list are not yet factored (e.g. RSA-1024 which is 1024-bit long). Successful factorization of these numbers has important security implication for RSA. The largest number on the list is RSA-2048, which is 2048-bit long and has 617 digits. It is widely believed that RSA-2048 will stay unfactored in the decades to come, barring any dramatic and significant advance in computing technology.

The factoring challenge for the RSA numbers certainly provides empirical evidence that factoring is hard. Of course, no one should be complacent. We should not think that factoring will always be hard. Technology will continue to improve. A 768-bit RSA modulus was once considered secure. With the successful factorization of RSA-768, key size of 768 bits is no longer considered secure. Currently 1024 bit key size is considered secure. The RSA number RSA-1024 could very well be broken in within the next decade.

There could be new advances in factoring algorithm too. A problem that is thought to be hard may eventually turn out to be easy. Just because everyone thinks that there is no fast way of factoring, it does not mean that no such method exists. It is possible that someone has discovered such a method but decides to keep it secret in order to maintain the advantage. Beyond the issue of factoring, there could be some other vulnerabilities in RSA that can be explored and exploited by attackers.

____________________________________________________________________________

Fermat primality test

We now give some examples showing primality testing is a much better approach (over factoring) if the goal is to check the “prime or composite” status only. We use Fermat primality test as an example.

Example 1
Let $n=15144781$. This is a small number. So factoring would be practical as a primality test. We use it to illustrate the point that the “prime or composite” status can be determined without factoring. One option is to use Fermat’s little theorem (hence the name of Fermat primality test):

Fermat’s little theorem
If $n$ is a prime number and if $a$ is an integer that is relatively prime to $n$, then $a^{n-1} \equiv 1 \ (\text{mod} \ n)$.

Consider the contrapositive of the theorem. If we can find an $a$, relatively prime to $n$ such that $a^{n-1} \not \equiv 1 \ (\text{mod} \ n)$, then we know for sure $n$ is not prime. Such a value of $a$ is said to be a Fermat witness for the compositeness of $n$.

If a Fermat witness is found, then we can say conclusively that $n$ is composite. On the other hand, if $a$ is relatively prime to $n$ and $a^{n-1} \equiv 1 \ (\text{mod} \ n)$, then $n$ is probably a prime. We can then declare $n$ is prime or choose to run the test for a few more random values of $a$.

The exponentiation $a^{n-1} \ (\text{mod} \ n)$ is done using the fast powering algorithm, which involves a series of squarings and multiplications. Even for large moduli, the computer implementation of this algorithm is fast and efficient.

Let’s try some value of $a$, say $a=2$. Using an online calculator, we have

$2^{15144780} \equiv 1789293 \not \equiv 1 \ (\text{mod} \ 15144781)$

In this case, one congruence calculation tells us that $n=15144781$ is not prime (if it were, the congruence calculation would lead to a value of one). It turns out that $n=15144781$ is a product of two primes where $n=15144781=3733 \cdot 4057$. Of course, this is not a secure modulus for RSA. The current consensus is to use a modulus that is at least 1024-bit long.

Example 2
Let $n=15231691$. This is also a small number (in relation what is required for RSA). Once again this is an illustrative example. We calculate $a^{15231690} \ (\text{mod} \ 15231691)$ for $a=2,3,4,5,6,7$, the first few values of $a$. All such congruence values are one. We suspect that $n=15231691$ may be prime. So we randomly choose 20 values of $a$ and compute $a^{15231690} \ (\text{mod} \ 15231691)$. The following shows the results.

$\left[\begin{array}{rrr} a & \text{ } & a^{n-1} \ \text{mod} \ n \\ \text{ } & \text{ } & n=15,231,691 \\ \text{ } & \text{ } & \text{ } \\ 3,747,236 & \text{ } & 1 \\ 370,478 & \text{ } & 1 \\ 12,094,560 & \text{ } & 1 \\ 705,835 & \text{ } & 1 \\ 10,571,714 & \text{ } & 1 \\ 15,004,366 & \text{ } & 1 \\ 12,216,046 & \text{ } & 1 \\ 10,708,300 & \text{ } & 1 \\ 6,243,738 & \text{ } & 1 \\ 1,523,626 & \text{ } & 1 \\ 10,496,554 & \text{ } & 1 \\ 10,332,033 & \text{ } & 1 \\ 10,233,123 & \text{ } & 1 \\ 3,996,691 & \text{ } & 1 \\ 4,221,958 & \text{ } & 1 \\ 3,139,943 & \text{ } & 1 \\ 1,736,767 & \text{ } & 1 \\ 12,672,150 & \text{ } & 1 \\ 12,028,143 & \text{ } & 1 \\ 8,528,642 & \text{ } & 1 \end{array}\right]$

For all 20 random values of $a$, $a^{15231690} \equiv 1 \ (\text{mod} \ 15231691)$. This represents strong evidence (though not absolute proof) that $n=15231691$ is a prime. In fact, we can attach the following probability statement to the above table of 20 random values of $a$.

If $n=15231691$ were a composite number that has at least one Fermat witness, there is at most a 0.0000953674% chance that 20 randomly selected values of $a$ are not Fermat witnesses.

In other words, if $n=15231691$ were a composite number that has at least one Fermat witness, there is at most a 0.0000953674% chance of getting 20 1’s in the above computation.

In general, if $n$ has at least one Fermat witness, the probability that all $k$ randomly selected values of $a$ with $1 are not Fermat witnesses is at most $0.5^k$. For $k=20$, $0.5^{20}=0.000000953674$, which is 0.0000953674%. The probability statement should give us enough confidence to consider $n=15231691$ a prime number.

There is a caveat that has to be mentioned. For the above probability statement to be valid, the number $n$ must have at least one Fermat witness. If a number $n$ is composite, we would like the test to produce a Fermat witness. It turns out that there are composite numbers that have no Fermat witnesses. These numbers are called Carmichael numbers. If $n$ is such a number, $a^{n-1} \equiv 1 \ (\text{mod} \ n)$ for any $a$ that is relatively prime to the number $n$. In other words, the Fermat test will always indicate “probably prime” for Carmichael numbers. Unless you are lucky and randomly pick a value of $a$ that shares a common prime factor with $n$, the Fermat test will always incorrectly identify a Carmichael number $n$ as prime. Fortunately Carmichael numbers are rare, even though there are infinitely many of them. In this previous post, we estimate that a randomly selected 1024-bit odd integer has a less than one in $10^{88}$ chance of being a Carmichael number!

The Fermat test is a powerful test when the number being tested is a prime number or a composite number that has a Fermat witness. For Carmichael numbers, the test is likely to produce a false positive (identifying a composite number as prime). Thus the existence of Carmichael numbers is the biggest weakness of the Fermat test. Fortunately Carmichael numbers are rare. Though they are rare, their existence may still make the Fermat test unsuitable in some situation, e.g., when you test a number provided by your adversary. If you really want to avoid situations like these, you can always switch to the Miller-Rabin test.

____________________________________________________________________________

$\copyright \ 2014 \text{ by Dan Ma}$

An upper bound for Carmichael numbers

It is well known that Fermat’s little theorem can be used to establish the compositeness of some integers without actually obtaining the prime factorization. Fermat’s little theorem is an excellent test for compositeness as well as primality. However, there are composite numbers that evade the Fermat test, i.e. the Fermat test will fail to indicate that these composite integers are composite. These integers are called Carmichael numbers. However, Carmichael numbers are rare. We illustrate this point by doing some calculation using an upper bound for Carmichael numbers.

Let $p$ be a prime number. According to Fermat’s little theorem, $a^{p-1} \equiv 1 \ (\text{mod} \ p)$ for all integer $a$ that is relatively prime to $p$ (i.e., the GCD of $a$ and $p$ is 1). The Fermat primality test goes like this. Suppose that the “composite or prime” status of the positive integer $n$ is not known. We randomly pick a number $a \in \left\{2,3,\cdots,n-1 \right\}$. If $a$ is relatively prime to $n$ and if $a^{n-1} \not \equiv 1 \ (\text{mod} \ n)$, then we are certain that $n$ is composite even though we may not know its prime factorization. Such a value of $a$ is said to be a Fermat witness for (the compositeness of) $a$. If $a^{n-1} \equiv 1 \ (\text{mod} \ n)$, then $n$ is probably prime. But to be sure, repeat the calculation with more values of $a$. If the calculation is done for a large number of randomly selected values of $a$ and if the calculation for every one of the values of $a$ indicates that $n$ is probably prime, we will have high confidence that $n$ is prime. In other words, the probability of making a mistake is very small.

However here is a wrinkle in the Fermat test. There are composite numbers which have no Fermat witnesses. These numbers are called Carmichael numbers. Specifically a positive composite integer $n$ is a Carmichael number if $a^{n-1} \equiv 1 \ (\text{mod} \ n)$ for all $a$ relatively prime to $n$. In other words, if $n$ is a Carmichael number, the Fermat test always indicates $n$ is probably prime no matter how many values of $a$ you use in the test. Fortunately Carmichael numbers are rare. The upper bound discussed below gives an indication of why this is the case.

____________________________________________________________________________

An upper bound

For each positive integer $n$, let $C(n)$ be the number of Carmichael numbers that are less than $n$. The following is an upper bound for $C(n)$.

$\displaystyle C(n)

The formula is found here (credited to Richard G. E. Pinch). We use this upper bound to find out the chance of encountering a Carmichael numbers. As shown below, the upper bound can overestimate $C(n)$. The main point we like to make is that even with the overestimation of Carmichael numbers represented by the above upper bound, the number of Carmichael number is extremely small in relation to $n$. This is even more so when $n$ is large (e.g. a 1024-bit integer). Thus for a randomly selected 1024-bit odd number, the probability that it is a Carmichael number is practically zero (see Examples 4 and 5 below).

____________________________________________________________________________

Examples

Example 1
The first 10 Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, 29341. Furthermore, there are only 16 Carmichael numbers less than 100,000. Let $n=10^5$. According to the above formula, the following is the upper bound for $C(10^5)$:

$\displaystyle C(10^5)<10^5 \cdot \text{exp}\biggl(-\frac{(\text{ln} \ 10^5) \ (\text{ln} \ \text{ln} \ \text{ln} \ 10^5)}{\text{ln} \ \text{ln} \ 10^5} \biggr)=1485$

The bound of 1485 is a lot more than the actual count of 16. Even with this inflated estimate, when you randomly select an odd positive integer less than 10,000, the probability of getting a Carmichael number is $0.0297$. With the actual count of 16, the probability is 0.00032.

Example 2
Here’s another small example. There are only 2,163 Carmichael numbers that are less than 25,000,000,000. Let $n=2.5 \cdot 10^{10}$.

$\displaystyle C(2.5 \cdot 10^{10})<2.5 \cdot 10^{10} \cdot \text{exp}\biggl(-\frac{(\text{ln} \ 2.5 \cdot 10^{10}) \ (\text{ln} \ \text{ln} \ \text{ln} \ 2.5 \cdot 10^{10})}{\text{ln} \ \text{ln} \ 2.5 \cdot 10^{10}} \biggr)=4116019$

This inflated bound is a more than 1900 times over the actual count of 2163. But even with this inflated bound, the probability of a random odd integer being Carmichael is under 0.00033 (about 3 in ten thousands). With the actual count of 2163, the probability is 0.00000017 (less than one in a million chance).

Example 3
Here’s a larger example. A calculation was made by Richard G. E. Pinch that there are 20,138,200 many Carmichael numbers up to $10^{21}$. Let’s compare the actual probability and the probability based on the upper bound. The following is the upper bound of $C(10^{21})$.

$\displaystyle C(10^{21})<10^{21} \cdot \text{exp}\biggl(-\frac{(\text{ln} \ 10^{21}) \ (\text{ln} \ \text{ln} \ \text{ln} \ 10^{21})}{\text{ln} \ \text{ln} \ 10^{21}} \biggr) \approx 4.6 \cdot 10^{13}$

The actual count of 20,138,200 is about $2 \cdot 10^{7}$. So $4.6 \cdot 10^{13}$ is an inflated estimate. The following shows the probability of randomly selecting an odd integer that is Carmichael (both actual and inflated).

$\displaystyle \text{inflated probability}=\frac{4.6 \cdot 10^{13}}{0.5 \cdot 10^{21}}=\frac{4.6 \cdot 10^{13}}{5 \cdot 10^{20}}=\frac{0.92}{10^{7}} \approx \frac{1}{10.9 \cdot 10^6} <\frac{1}{10^6}$

$\displaystyle \text{actual probability}=\frac{2 \cdot 10^{7}}{0.5 \cdot 10^{21}}=\frac{2 \cdot 10^{7}}{5 \cdot 10^{20}}=\frac{0.4}{10^{13}} = \frac{1}{25 \cdot 10^{12}} <\frac{1}{10^{12}}$

Even with the inflated upper bound, the chance of randomly picking a Carmichael number is less than one in a million. With the actual count of 20,138,200, the chance of randomly picking a Carmichael number is less than one in a trillion!

Remark
The number $10^{21}$ is quite small in terms of real world applications. For example, in practice, the RSA algorithm requires picking prime numbers that are at least 512-bit long. The largest 512-bit numbers are approximately $10^{154}$. What is the chance of randomly picking a Carmichael number in this range? First, let’s look at the Carmichael numbers up to the limit $10^{100}$. Then we look at $10^{154}$.

Example 4
Here’s the estimates for $C(10^{100})$ based on the above upper bound.

$\displaystyle C(10^{100})<10^{100} \cdot \text{exp}\biggl(-\frac{(\text{ln} \ 10^{100}) \ (\text{ln} \ \text{ln} \ \text{ln} \ 10^{100})}{\text{ln} \ \text{ln} \ 10^{100}} \biggr) \approx 7.3 \cdot 10^{68}$

$\displaystyle \text{probability}=\frac{7.3 \cdot 10^{68}}{0.5 \cdot 10^{100}}=\frac{7.3 \cdot 10^{68}}{5 \cdot 10^{99}}=\frac{1.46}{10^{31}} \approx \frac{1}{6.8 \cdot 10^{30}} <\frac{1}{10^{30}}$

Thus the chance of randomly picking a Carmichael number under $10^{100}$ is less than one in $10^{30}$, i.e., practically zero.

Example 5
Here’s the example relevant to the RSA algorithm. As mentioned above, the RSA algorithm requires that the modulus in the public key is a product of two primes. The current practice is for the modulus to be at least 1024 bits. Thus each prime factor of the modulus is at least 512-bit. A 512-bit number can be as large as $10^{154}$ in decimal terms. When picking candidate for prime numbers, it is of interest to know the chance of picking a Carmichael number. We can get a sense of how small this probability is by asking: picking an odd integer under the limit $10^{154}$, what is the chance that it is a Carmichael number? Here’s the estimates:

$\displaystyle C(10^{154})<10^{154} \cdot \text{exp}\biggl(-\frac{(\text{ln} \ 10^{154}) \ (\text{ln} \ \text{ln} \ \text{ln} \ 10^{154})}{\text{ln} \ \text{ln} \ 10^{154}} \biggr) \approx 3.7 \cdot 10^{107}$

$\displaystyle \text{probability}=\frac{3.7 \cdot 10^{107}}{0.5 \cdot 10^{154}}=\frac{7.4}{10^{47}}=\frac{0.74}{10^{46}} < \frac{1}{10^{46}}$

Thus a randomly selected odd integer under $10^{154}$ has a less than one in $10^{46}$ chance of being a Carmichael number!

Example 6
In some cases, for stronger security, the modulus in the RSA should be longer than 1024 bits, e,g, 2048 bits. If the modulus is a 2048-bit number, each prime in the modulus is a 1024-bit number. A 1024-bit number can be as large as $10^{308}$ in decimal terms. In picking an odd integer under the limit $10^{308}$, what is the chance that it is a Carmichael number? Here’s the estimates:

$\displaystyle C(10^{308})<10^{308} \cdot \text{exp}\biggl(-\frac{(\text{ln} \ 10^{308}) \ (\text{ln} \ \text{ln} \ \text{ln} \ 10^{308})}{\text{ln} \ \text{ln} \ 10^{308}} \biggr) \approx 5 \cdot 10^{219}$

$\displaystyle \text{probability}=\frac{5 \cdot 10^{219}}{0.5 \cdot 10^{308}}=\frac{5 \cdot 10^{219}}{5 \cdot 10^{307}} \approx \frac{1}{10^{88}}$

Thus a randomly selected odd integer under $10^{308}$ has a less than one in $10^{88}$ chance of being a Carmichael number!

Remark
The above examples demonstrate that Carmichael numbers are rare. Even though the Fermat primality test “fails” for these numbers, the Fermat test is still safe to use because Carmichael numbers are hard to find. However, if you want to eliminate the error case of Carmichael numbers, you may want to consider using a test that will never misidentify Carmichael numbers. One possibility is to use the Miller-Rabin test.

____________________________________________________________________________

$\copyright \ 2014 \text{ by Dan Ma}$

Introducing Carmichael numbers

This is an introduction to Carmichael numbers. We first discuss Carmichael numbers in the context of Fermat primality test and then discuss several basic properties. We also prove Korselt’s criterion, which gives a useful characterization of Carmichael numbers.

___________________________________________________________________________________________________________________

Fermat Primality Test

Fermat’s little theorem states that if $p$ is a prime number, then $a^p \equiv a \ (\text{mod} \ p)$ for any integer $a$. Fermat primality test refers to the process of using Fermat little theorem to check the “prime vs. composite” status of an integer.

Suppose that we have a positive integer $n$ such that the “prime vs. composite” status is not known. If we can find an integer $a$ such that $a^n \not \equiv a \ (\text{mod} \ n)$, then we know for certain that the modulus $n$ is composite (or not prime). For example, let $n = \text{8,134,619}$. Note that $2^{8134619} \equiv 3024172 \ (\text{mod} \ 8134619)$. So we know right away that $n = \text{8,134,619}$ is not prime, even though we do not know what its prime factors are just from applying this test.

Given a positive integer $n$, whenever $a^n \not \equiv a \ (\text{mod} \ n)$, we say that $a$ is a Fermat witness for (the compositeness of) the integer $n$. Thus $2$ is a Fermat witness for $n = \text{8,134,619}$.

What if we try one value of $a$ and find that $a$ is not a witness for (the compositeness of) $n$? Then the test is inconclusive. The best we can say is that $n$ is probably prime. It makes sense to try more values of $a$. If all the values of $a$ we try are not witnesses for $n$ (i.e. $a^n \equiv a \ (\text{mod} \ n)$ for all the values of $a$ we try), then it “seems likely” that $n$ is prime. But if we actually declare that $n$ is prime, the decision could be wrong!

Take $n=\text{10,024,561}$. For several randomly chosen values of $a$, we have the following calculations:

$\displaystyle 5055996^{10024561} \equiv 5055996 \ (\text{mod} \ 10024561)$

$\displaystyle 4388786^{10024561} \equiv 4388786 \ (\text{mod} \ 10024561)$

$\displaystyle 4589768^{10024561} \equiv 4589768 \ (\text{mod} \ 10024561)$

$\displaystyle 146255^{10024561} \equiv 146255 \ (\text{mod} \ 10024561)$

$\displaystyle 6047524^{10024561} \equiv 6047524 \ (\text{mod} \ 10024561)$

The above calculations could certainly be taken as encouraging signs that $n=\text{10,024,561}$ is prime. With more values of $a$, we also find that $a^{10024561} \equiv a \ (\text{mod} \ 10024561)$. However, if we declare that $n=\text{10,024,561}$ is prime, it turns out to be a wrong conclusion.

In reality, $n=\text{10,024,561}$ is composite with $\text{10,024,561}=71 \cdot 271 \cdot 521$. Furthermore $a^{10024561} \equiv a \ (\text{mod} \ 10024561)$ for any integer $a$. So there are no witnesses for $n=\text{10,024,561}$. Any composite positive integer that has no Fermat witnesses is called a Carmichael number, in honor of Robert Carmichael who in 1910 found the smallest such number, which is 561.

Fermat primality test is always correct if the conclusion is that the integer being tested is a composite number (assuming there is no computational error). If the test says the number is composite, then it must be a composite number. In other words, there are no false negatives in using Fermat primality test as described above.

On the other hand, there can be false positives as a result of using Fermat primality test. If the conclusion is that the integer being tested is a prime number, it is possible that the conclusion is wrong. For a wrong conclusion, it could be that there exists a witness for the number being tested and that we have missed it. Or it could be that the number being tested is a Carmichael number. Though Carmichael numbers are rare but there are infinitely many of them. So we cannot ignore them entirely. For these reasons, Fermat primality test as described above is often not used. Instead, other extensions of the Fermat primality test are used.

___________________________________________________________________________________________________________________

Carmichael Numbers

As indicated above, a Carmichael number is a positive composite integer that has no Fermat witnesses. Specifically, it is a positive composite integer that satisfies the conclusion of Fermat’s little theorem. In other words, a Carmichael number is a positive composite integer $n$ such that $a^n \equiv a \ (\text{mod} \ n)$ for any integer $a$.

Carmichael numbers are rare. A recent search found that there are $\text{20,138,200}$ Carmichael numbers between $1$ and $10^{21}$, about one in 50 trillion numbers (documented in this Wikipedia entry on Carmichael numbers). However it was proven by Alford, Granville and Pomerance in 1994 that there are infinitely many Carmichael numbers (paper).

The smallest Carmichael number is $561=3 \cdot 11 \cdot 17$. A small listing of Carmichael numbers can be found in this link, where the example of $n=\text{10,024,561}$ is found.

Carmichael numbers must be odd integers. To see this, suppose $n$ is a Carmichael number and is even. Let $a=-1$. By condition (1) of Theorem 1, we have $(-1)^n=1 \equiv -1 \ (\text{mod} \ n)$. On the other hand, $-1 \equiv n-1 \ (\text{mod} \ n)$. Thus $n-1 \equiv 1 \ (\text{mod} \ n)$. Thus we have $n \equiv 2 \ (\text{mod} \ n)$. It must be the case that $n=2$, contradicting the fact that $n$ is a composite number. So any Carmichael must be odd.

The following theorem provides more insight about Carmichael numbers. A positive integer $n$ is squarefree if its prime decomposition contains no repeated prime factors. In other words, the integer $n$ is squarefree means that if $\displaystyle n=p_1^{e_1} p_2^{e_2} \cdots p_t^{e_t}$ is the prime factorization of $n$, then all exponents $e_j=1$.

Theorem 1 (Korselt’s Criterion)

Let $n$ be a positive composite integer. Then the following conditions are equivalent.

1. The condition $a^n \equiv a \ (\text{mod} \ n)$ holds for any integer $a$.
2. The condition $a^{n-1} \equiv 1 \ (\text{mod} \ n)$ holds for any integer $a$ that is relatively prime to $n$.
3. The integer $n$ is squarefree and $p-1 \ \lvert \ (n-1)$ for any prime divisor $p$ of $n$.

Proof of Theorem 1

$1 \Longrightarrow 2$
Suppose that $a$ is relatively prime to the modulus $n$. Then let $b$ be the multiplicative inverse of $a$ modulo $n$, i.e., $ab \equiv 1 \ (\text{mod} \ n)$. By (1), we have $a^n \equiv a \ (\text{mod} \ n)$. Multiply both sides by the multiplicative inverse $b$, we have $a^{n-1} \equiv 1 \ (\text{mod} \ n)$.

$2 \Longrightarrow 3$
Let $\displaystyle n=p_1^{e_1} p_2^{e_2} \cdots p_t^{e_t}$ be the prime factorization of $n$ where $p_i \ne p_j$ for $i \ne j$ and each exponent $e_j \ge 1$. Since $n$ must be odd, each $p_j$ must be an odd prime.

We first show that each $e_j=1$, thus showing that $n$ is squarefree. To this end, for each $j$, let $a_j$ be a primitive root modulo $p_j^{e_j}$ (see Theorem 4 in the post Primitive roots of powers of odd primes). Consider the following system of linear congruence equations:

$x \equiv a_1 \ (\text{mod} \ p_1^{e_1})$

$x \equiv a_2 \ (\text{mod} \ p_2^{e_2})$

$\cdots$
$\cdots$
$\cdots$

$x \equiv a_t \ (\text{mod} \ p_t^{e_t})$

Since the moduli $p_j^{e_j}$ are pairwise relatively prime, this system must have a solution according to the Chinese Remainder Theorem (a proof is found here). Let $a$ one such solution. For each $j$, since $a_j$ is a primitive root modulo $p_j^{e_j}$, $a_j$ is relatively prime to $p_j^{e_j}$. Since $a \equiv a_j \ (\text{mod} \ p_j^{e_j})$, $a$ is relatively prime to $p_j^{e_j}$ for each $j$. Consequently, $a$ is relatively prime to $n$. By assumption (2), we have $a^{n-1} \equiv 1 \ (\text{mod} \ n)$.

Now fix a $j$ with $1 \le j \le t$. We show that $e_j=1$. Since $a^{n-1} \equiv 1 \ (\text{mod} \ n)$, $a^{n-1} \equiv 1 \ (\text{mod} \ p_j^{e_j})$. Since $a \equiv a_j \ (\text{mod} \ p_j^{e_j})$, we have $a_j^{n-1} \equiv 1 \ (\text{mod} \ p_j^{e_j})$. Note that the order of $a_j$ modulo $p_j^{e_j}$ is $\phi(p_j^{e_j})=p_j^{e_j-1}(p_j-1)$. Thus we have $p_j^{e_j-1}(p_j-1) \ \lvert \ (n-1)$. If $e_j>1$, then $p_j \ \lvert \ (n-1)$, which would mean that $p_j \ \lvert \ 1$. So it must be the case that $e_j=1$. It then follows that $(p_j-1) \ \lvert \ (n-1)$.

$3 \Longrightarrow 1$
Suppose that $n=p_1 p_2 \cdots p_t$ is a product of distinct prime numbers such that for each $j$, $(p_j-1) \ \lvert \ (n-1)$.

Let $a$ be any integer. First we show that $a^n \equiv a \ (\text{mod} \ p_j)$ for all $j$. It then follows that $a^n \equiv a \ (\text{mod} \ n)$.

Now fix a $j$ with $1 \le j \le t$. First consider the case that $a$ and $p_j$ are relatively prime. According to Fermat’s little theorem, $a^{p_j-1} \equiv 1 \ (\text{mod} \ p_j)$. Since $(p_j-1) \ \lvert \ (n-1)$, $a^{n-1} \equiv 1 \ (\text{mod} \ p_j)$. By the Chinese Remainder Theorem, it follows that $a^{n-1} \equiv 1 \ (\text{mod} \ n)$ and $a^n \equiv a \ (\text{mod} \ n)$. $\blacksquare$

Examples
With Korselt’s criterion, it is easy to verify Carmichael numbers as long as the numbers are factored. For example, the smallest Carmichael number is $561=3 \cdot 11 \cdot 17$. The number is obviously squarefree. furthermore $560$ is divisible by $2$, $10$ and $16$.

The number $\text{10,024,561}= 71 \cdot 271 \cdot 521$ is discussed above. We can also verify that this is a Carmichael number: $70 \ \lvert \ \text{10,024,560}$, $270 \ \lvert \ \text{10,024,560}$ and $520 \ \lvert \ \text{10,024,560}$.

Here’s three more Carmichael numbers (found here):

$\text{23,382,529} = 97 \cdot 193 \cdot 1249$

$\text{403,043,257} = 19 \cdot 37 \cdot 43 \cdot 67 \cdot 199$

$\text{154,037,320,009} = 23 \cdot 173 \cdot 1327 \cdot 29173$

We end the post by pointing out one more property of Carmichael numbers, that Carmichael numbers must have at least three distinct prime factors. To see this, suppose that $n=p \cdot q$ is a Carmichael number with two distinct prime factors $p$ and $q$. We can express $n-1$ as follows:

$n-1=pq-1=(p-1)q+q-1$

Since $n$ is Carmichael, $p-1 \ \lvert \ (n-1)$. So $n-1=(p-1)w$ for some integer $w$. Plugging this into the above equation, we see that $p-1 \ \lvert \ (q-1)$. By symmetry, we can also show that $q-1 \ \lvert \ (p-1)$. Thus $p=q$, a contradiction. So any Carmichael must have at least three prime factors.

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

In a previous post called Solving Quadratic Congruences, we discuss the solvability of the quadratic congruence

$x^2 \equiv a \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

where $p$ is an odd prime and $a$ is relatively prime to $p$. In this post, we continue to discuss the solvability of equation (1) from the view point of quadratic residues. In this subsequent post, we discuss specific algorithms that produce solutions to such equations.

____________________________________________________________________________

Definition

Let $p$ be an odd prime. Let $a$ be an integer that is not divisible by $p$ (equivalently relatively prime to $p$). Whenever equation (1) has solutions, we say that the number $a$ is a quadratic residue modulo $p$. Otherwise, we say that the number $a$ is a quadratic nonresidue modulo $p$. When the context is clear, the word quadratic is sometimes omitted.

The term quadratic residues is more convenient to use. Instead of saying the equation $x^2 \equiv a \ (\text{mod} \ p)$ has a solution, we say the number $a$ is a quadratic residue for the modulus in question. The significance of the notion of quadratic residue extends beyond the convenience of having a shorter name. It and and the Legendre symbol lead to a large body of beautiful and deep results in number theory, the quadratic reciprocity theorem being one of them.

One property of the quadratic congruence equation (1) is that when equation (1) has solutions, it has exactly two solutions among the set $\left\{1,2,3,\cdots,p-1 \right\}$ (see Lemma 1 in the post Solving Quadratic Congruences). Thus among the integers in the set $\left\{1,2,3,\cdots,p-1 \right\}$, $\displaystyle \frac{p-1}{2}$ of them are quadratic residues and the other half are quadratic nonresidues modulo $p$.

For example, consider the modulus $p=11$. Among the numbers in the set $\left\{1,2,3,\cdots,10 \right\}$, the numbers $1,3,4,5,9$ are quadratic residues and the numbers $2,6,7,8,10$ are quadratic nonresidues. See the following two tables.

$\displaystyle \begin{bmatrix} x&\text{ }&x^2 \equiv \ (\text{mod} \ 11) \\\text{ }&\text{ }&\text{ } \\ 1&\text{ }&1 \\ 2&\text{ }&4 \\ 3&\text{ }&9 \\ 4&\text{ }&5 \\ 5&\text{ }&3 \\ 6&\text{ }&3 \\ 7&\text{ }&5 \\ 8&\text{ }&9 \\ 9&\text{ }&4 \\ 10&\text{ }&1 \end{bmatrix}$

The above table shows the least residues of $x^2$ for $x \in \left\{1,2,3,\cdots,10 \right\}$. It shows that there $x^2$ can only be $1,3,4,5,9$. Thus these are the quadratic residues. The table below shows the status of residue/nonresidue among the integers in $\left\{1,2,3,\cdots,10 \right\}$.

$\displaystyle \begin{bmatrix} x&\text{ }&\text{residue or nonresidue mod } 11 \\\text{ }&\text{ }&\text{ } \\ 1&\text{ }&\text{residue} \\ 2&\text{ }&\text{nonresidue} \\ 3&\text{ }&\text{residue} \\ 4&\text{ }&\text{residue} \\ 5&\text{ }&\text{residue} \\ 6&\text{ }&\text{nonresidue} \\ 7&\text{ }&\text{nonresidue} \\ 8&\text{ }&\text{nonresidue} \\ 9&\text{ }&\text{residue} \\ 10&\text{ }&\text{nonresidue} \end{bmatrix}$

____________________________________________________________________________

Legendre Symbol

The notion of quadratic residues is often expressed using the Legendre symbol, which is defined as follows:

$\displaystyle \biggl(\frac{a}{p}\biggr)=\left\{\begin{matrix}1&\ \text{if } a \text{ is a quadratic residue modulo }p \\{-1}&\ \text{if } a \text{ is a quadratic nonresidue modulo }p \end{matrix}\right.$

The bottom number $p$ in the above notation is an odd prime. The top number $a$ is an integer that is not divisible by $p$ (equivalently relatively prime to $p$). Despite the appearance, the Legendre symbol is not the fraction of $a$ over $p$. It follows from the definition that the symbol has the value of one if the equation $x^2 \equiv a \ (\text{mod} \ p)$ has solutions. It has the value of negative one if the equation $x^2 \equiv a \ (\text{mod} \ p)$ has no solutions.

For example, $\displaystyle \biggl(\frac{a}{11}\biggr)=1$ for $a=1,3,4,5,9$ and and $\displaystyle \biggl(\frac{a}{11}\biggr)=-1$ for $a=2,6,7,8,10$. To evaluate $\displaystyle \biggl(\frac{11}{3}\biggr)$, consider the equation $x^2 \equiv 11 \ (\text{mod} \ 3)$, which is equivalent to the equation $x^2 \equiv 2 \ (\text{mod} \ 3)$. This last equation has no solutions. Thus $\displaystyle \biggl(\frac{11}{3}\biggr)=-1$.

The quadratic reciprocity law discussed below allows us to calculate $\displaystyle \biggl(\frac{11}{3}\biggr)$ by flipping $\displaystyle \biggl(\frac{3}{11}\biggr)$. In certain cases, flipping the symbol keeps the same sign. In other cases, flipping introduces a negative sign (as in this example).

____________________________________________________________________________

Basic Properties

Euler’s Criterion is a formula that determines whether an integer is a quadratic residue modulo an odd prime. We have the following theorem. A proof of Euler’s Criterion is found in this post.

Theorem 1 (Euler’s Criterion)

Let $p$ be an odd prime number. Let $a$ be a positive integer that is not divisible by $p$. Then the following property holds.

$\displaystyle \biggl(\frac{a}{p}\biggr) \equiv \displaystyle a^{\frac{p-1}{2}} \ (\text{mod} \ p)$

The following lemma shows a connection between the notion of quadratic residue and the notion of primitive roots.

Lemma 2

Let $p$ be an odd prime. Let $g$ be a primitive root modulo $p$. Let $a$ be a positive integer that is not divisible by $p$. Then we have the following equivalence.

1. The number $a$ is a quadratic residue modulo $p$ if and only if $a \equiv g^{2k} \ (\text{mod} \ p)$ for some integer $k$.
2. Or equivalently, the number $a$ is a quadratic nonresidue modulo $p$ if and only if $a \equiv g^{2k+1} \ (\text{mod} \ p)$ for some integer $k$.

Proof of Lemma 2
A primitive root $g$ exists since the modulus $p$ is prime (see Theorem 1 in the post Primitive roots of prime moduli). Furthermore, any integer that is not divisible by $p$ is congruent to a unique element of the set $\left\{g^1,g^2,g^3,\cdots,g^{p-1} \right\}$. Thus for the number $a$ in question, either $a \equiv g^{2k}$ or $a \equiv g^{2k+1}$. We can conclude that the first bullet point in the lemma is equivalent to the second bullet point.

We prove the first bullet point. First we show the direction $\Longleftarrow$. Suppose $a \equiv g^{2k} \ (\text{mod} \ p)$. Clearly the equation $x^2 \equiv a \ (\text{mod} \ p)$ has a solution since $(g^k)^2 \equiv a \equiv g^{2k} \ (\text{mod} \ p)$.

Now we show the direction $\Longrightarrow$. We prove the contrapositive. Suppose that $a \equiv g^{2k+1} \ (\text{mod} \ p)$. We wish to show that $a$ is a quadratic nonresidue modulo $p$. Suppose not. Then $t^2 \equiv a \ (\text{mod} \ p)$ for some $t$. It follows that $p \not \lvert \ t$. Note that if $p \ \lvert \ t$, $p \ \lvert \ a$, which is not true. By Fermat’s little theorem, we have $t^{p-1} \equiv 1 \ (\text{mod} \ p)$. We have the following derivation.

$\displaystyle (g^{2k+1})^{\frac{p-1}{2}} \equiv (t^{2})^{\frac{p-1}{2}} \equiv t^{p-1} \equiv 1 \ (\text{mod} \ p)$

On the other hand, we can express $\displaystyle (g^{2k+1})^{\frac{p-1}{2}}$ as follows:

$\displaystyle (g^{2k+1})^{\frac{p-1}{2}} \equiv g^{k(p-1)} \cdot g^{\frac{p-1}{2}} \equiv (g^{p-1})^k \cdot g^{\frac{p-1}{2}} \equiv 1^k \cdot g^{\frac{p-1}{2}} \equiv g^{\frac{p-1}{2}} \equiv 1 \ (\text{mod} \ p)$

Note that the last congruence $g^{\frac{p-1}{2}} \equiv 1 \ (\text{mod} \ p)$ contradicts the fact that $g$ is a primitive root modulo $p$ since $p-1$ is the least exponent that such that $g^{p-1} \equiv 1 \ (\text{mod} \ p)$. So $a$ cannot be a quadratic residue modulo $p$. We have proved that if $a \equiv g^{2k+1} \ (\text{mod} \ p)$, then $a$ is a quadratic nonresidue modulo $p$. Equivalently, if $a$ is a quadratic residue modulo $p$, then $a \equiv g^{2k} \ (\text{mod} \ p)$. Thus the lemma is established. $\blacksquare$

We can also obtain an alternative proof by using Theorem 1 (Euler’s Criterion). We show $\Longleftarrow$ of both bullet points.

First, $\Longleftarrow$ of the first bullet point. Suppose $a \equiv g^{2k} \ (\text{mod} \ p)$. Then $\displaystyle (g^{2k})^{\frac{p-1}{2}} \equiv (g^{p-1})^k \equiv 1^k \equiv 1 \ (\text{mod} \ p)$. Thus $\displaystyle \biggl(\frac{a}{p}\biggr)=1$ and $a$ is a quadratic residue modulo $p$ by Euler’s Criterion.

Now $\Longleftarrow$ of the second bullet point. Suppose $a \equiv g^{2k+1} \ (\text{mod} \ p)$. Then $\displaystyle (g^{2k+1})^{\frac{p-1}{2}} \equiv (g^{p-1})^k \cdot g^{\frac{p-1}{2}} \equiv g^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$. The last congruence $g^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$ because $g$ is a primitive root. Thus $\displaystyle \biggl(\frac{a}{p}\biggr)=-1$ and $a$ is a quadratic nonresidue modulo $p$ by Euler’s Criterion. $\blacksquare$

Remark
Each number in the set $\left\{1,2,3,\cdots,p-1 \right\}$ is congruent to a power of the primitive root $g$ in question. Lemma 2 indicates that the even powers are the quadratic residues while the odd powers are the quadratic nonresidues. The following lemma is a corollary of Lemma 2.

Lemma 3

Let $p$ be an odd prime. Then we have the following.

1. If $a$ and $b$ are quadratic residues modulo $p$, then $ab$ is a quadratic residue modulo $p$.
2. If $a$ is a quadratic residue and $b$ is a quadratic nonresidue modulo $p$, then $ab$ is a quadratic nonresidue modulo $p$.
3. If $a$ and $b$ are quadratic nonresidues modulo $p$, then $ab$ is a quadratic residue modulo $p$.

Proof of Lemma 3
Let $g$ be a primitive root modulo $p$. Then we express each residue or nonresidue as a power of $g$ and then multiply the two powers of $g$ by adding the exponents as in the following.

$\displaystyle g^{2j} \cdot g^{2k}=g^{2(j+k)}$

$\displaystyle g^{2j} \cdot g^{2k+1}=g^{2(j+k)+1}$

$\displaystyle g^{2j+1} \cdot g^{2k+1}=g^{2(j+k+1)}$

The first product above has an even exponent. Thus the product of two quadratic residues is a quadratic residue (the first bullet point). The second product above has an odd exponent. Thus the product of a quadratic residue and a quadratic nonresidue is a nonresidue (second bullet point). The third product above has an even exponent. Thus the product of two nonresidues is a residue. $\blacksquare$

One part of the following theorem is a corollary of Lemma 3.

Theorem 4

Let $p$ be an odd prime. Then we have the following results.

1. If $p \not \lvert \ a$ and $a \equiv b \ (\text{mod} \ p)$, then $\displaystyle \biggl(\frac{a}{p}\biggr)=\biggl(\frac{b}{p}\biggr)$.
2. If $p \not \lvert \ a$, then $\displaystyle \biggl(\frac{a^2}{p}\biggr)=1$.
3. if $p \not \lvert \ a$ and $p \not \lvert \ b$, then $\displaystyle \biggl(\frac{a}{p}\biggr) \cdot \biggl(\frac{b}{p}\biggr)=\biggl(\frac{ab}{p}\biggr)$.

Proof of Theorem 4
The first and second bullets points are straightforward. We prove the third bullet point, which follows from Lemma 3. Given $a$ and $b$, they would fall into one of the three cases of Lemma 3. Translating each case of Lemma 3 will give the correct statement in Legendre symbol. $\blacksquare$

____________________________________________________________________________

Quadratic reciprocity is a property that indicates how $\displaystyle \biggl(\frac{p}{q}\biggr)$ and $\displaystyle \biggl(\frac{q}{p}\biggr)$ are related when both $p$ and $q$ are odd prime. Even thought the statement of the theorem is easy to state and understand, it is an unexpected and profound result. Our goal here is quite simple – state the theorem and demonstrate how it can be used to simplify calculations. We have the following theorems.

Let $p$ and $q$ be two distinct odd prime numbers. The following statement holds.

$\displaystyle \biggl(\frac{q}{p}\biggr)=\left\{\begin{matrix} \displaystyle \biggl(\frac{p}{q}\biggr) &\ \text{if } p \equiv 1 \ (\text{mod} \ 4) \text{ or } q \equiv 1 \ (\text{mod} \ 4) \\{\displaystyle -\biggl(\frac{p}{q}\biggr)}&\ \text{if } p \equiv q \equiv 3 \ (\text{mod} \ 4) \end{matrix}\right.$

Theorem 6

Let $p$ and $q$ be two distinct odd prime numbers. The following statement holds.

$\displaystyle \biggl(\frac{2}{p}\biggr)=\left\{\begin{matrix} 1 &\ \text{if } p \equiv 1 \ (\text{mod} \ 8) \text{ or } p \equiv 7 \ (\text{mod} \ 8) \\{-1}&\ \text{if } p \equiv 3 \ (\text{mod} \ 8) \text{ or } p \equiv 5 \ (\text{mod} \ 8) \end{matrix}\right.$

Theorem 7

Let $p$ and $q$ be two distinct odd prime numbers. The following statement holds.

$\displaystyle \biggl(\frac{-1}{p}\biggr)=\left\{\begin{matrix} 1 &\ \text{if } p \equiv 1 \ (\text{mod} \ 4) \\{-1}&\ \text{if } p \equiv 3 \ (\text{mod} \ 4) \end{matrix}\right.$

Theorems 4, 5, 6 and 7 are tools for evaluating Legendre symbols. We demonstrate with examples.

____________________________________________________________________________

Examples

Example 1
Is $1776$ a quadratic residue modulo the prime $1777$?

We evaluate the symbol $\displaystyle \biggl(\frac{1776}{1777}\biggr)=\biggl(\frac{-1}{1777}\biggr)$. Note that $1777 \equiv 1 \ (\text{mod} \ 4)$. By Theorem 7, $\displaystyle \biggl(\frac{-1}{1777}\biggr)=1$. It follows that $1776$ is a quadratic residue modulo the prime $1777$. Furthermore, $x^2 \equiv 1776 \ (\text{mod} \ 1777)$ has solutions.

Example 2
Solve $x^2 \equiv 899 \ (\text{mod} \ 50261)$.

Note that $50261$ is a prime while $899$ is not since $899=29 \cdot 31$. After applying Theorem 4, we have:

$\displaystyle \biggl(\frac{899}{50261}\biggr)=\displaystyle \biggl(\frac{29}{50261}\biggr) \displaystyle \biggl(\frac{31}{50261}\biggr)$.

Now we can start using quadratic reciprocity.

\displaystyle \begin{aligned} \displaystyle \biggl(\frac{899}{50261}\biggr)&=\displaystyle \biggl(\frac{29}{50261}\biggr) \biggl(\frac{31}{50261}\biggr) \\&=\displaystyle \biggl(\frac{50261}{29}\biggr) \biggl(\frac{50261}{31}\biggr) \\&=\displaystyle \biggl(\frac{4}{29}\biggr) \biggl(\frac{10}{31}\biggr) \\&=\displaystyle \biggl(\frac{2}{29}\biggr)^2 \biggl(\frac{2}{31}\biggr) \biggl(\frac{5}{31}\biggr) \\&=(-1)^2 \cdot 1 \cdot 1 \\&=1 \end{aligned}

The above derivation is the result of applying Theorems 4, 5 and 7. Of particular importance is the repeated applications of Theorem 5 (Quadratic Reciprocity) so that the numbers in the Legendre symbols are much smaller than the ones we start with.

As useful as it is, the theorem for quadratic reciprocity does not show us how to solve the equation $x^2 \equiv 899 \ (\text{mod} \ 50261)$. See Example 2 in the post Solving Quadratic Congruences to see how it can be solved.

____________________________________________________________________________

$\copyright \ 2013 - 2015 \text{ by Dan Ma}$
Revised December 9, 2015

This post is an introductory discussion on the congruence equations of the form $x^2 \equiv a \ (\text{mod} \ p)$ where the modulus $p$ is an odd prime and the number $a$ is relatively prime to $p$. A discussion on the related notion of quadratic residues is found here. Specific algorithms for solving quadratic congruence eqautions with odd prime moduli are discussed in this subsequent post.

____________________________________________________________________________

Simple Example

We start off with a simple example. Calculate $x^2$ modulo $m=11$ for $x=0,1,2,\cdots,10$.

$0^2 \equiv 0 \ (\text{mod} \ 11)$

$1^2 \equiv 1 \ (\text{mod} \ 11)$

$2^2 \equiv 4 \ (\text{mod} \ 11)$

$3^2 \equiv 9 \ (\text{mod} \ 11)$

$4^2 \equiv 5 \ (\text{mod} \ 11)$

$5^2 \equiv 3 \ (\text{mod} \ 11)$

$6^2 \equiv 3 \ (\text{mod} \ 11)$

$7^2 \equiv 5 \ (\text{mod} \ 11)$

$8^2 \equiv 9 \ (\text{mod} \ 11)$

$9^2 \equiv 4 \ (\text{mod} \ 11)$

$10^2 \equiv 1 \ (\text{mod} \ 11)$

The above calculation shows that the values of $x^2$ modulo $m=11$ can only be $1,3,4,5,9$. So equations such as $x^2 \equiv a \ (\text{mod} \ 11)$ for $a=1,3,4,5,9$ have solutions. For example, the solutions for the equation $x^2 \equiv 5 \ (\text{mod} \ 11)$ are $x=4$ and $x=7$.

On the other hand, the equations $x^2 \equiv b \ (\text{mod} \ 11)$ for $b=2,6,7,8,10$ have no solutions.

Also note that whenever $a \ne 0$ and the equation $x^2 \equiv a \ (\text{mod} \ 11)$ has a solution, the solutions come in pairs.

____________________________________________________________________________

Let $m$ be an odd prime number. Let $a$ be an integer that is not divisible by $p$ (equivalently relatively prime to $p$). The object of interest here is the quadratic congruence equation $x^2 \equiv a \ (\text{mod} \ p)$. It turns out that each such equation has exactly two solutions whenever the number $a$ and the modulus $p$ are relatively prime (as demonstrated in the above simple example). The following lemma and corollary confirm what we see in the above example.

Lemma 1

Let $p$ be an odd prime number. Let $a$ be an integer that is not divisible by $p$. Then the equation

$x^2 \equiv a \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

has no solutions or exactly two solutions.

Proof of Lemma 1
If equation (1) has no solutions, then we are done. Suppose it has at least one solution, say $x=r$. We have $r^2 \equiv a \ (\text{mod} \ p)$. It follows that $x=-r \equiv p-r \ (\text{mod} \ p)$ is a solution of equation (1) too.

We claim $x=r$ and $x=p-r$ are distinct modulo $p$. To see this, suppose $p-r \equiv r \ (\text{mod} \ p)$. Then $p \ \lvert \ (p-2r)$. Because $p$ is an odd prime, $p \not \lvert \ 2$. So $p \ \lvert \ r$. This implies that $p \ \lvert \ r^2$. Because $p \ \lvert \ (r^2-a)$, $p \ \lvert \ a$, contradicting the assumption that $p \not \lvert \ a$. Thus $p-r \not \equiv r \ (\text{mod} \ p)$, demonstrating that equation (1) has at least two solutions.

It remains to be shown that any solution of equation (1) must be congruent to one of $x=r$ and $x=p-r$. Suppose $t^2 \equiv a \ (\text{mod} \ p)$. Then $t^2 \equiv r^2 \ (\text{mod} \ p)$. It follows that $p \ \lvert \ (t-r)(t+r)$. Thus $p$ must divide one of the two factors (Euclid’s lemma). The case $p \ \lvert \ (t-r)$ implies $t \equiv r \ (\text{mod} \ p)$. The case $p \ \lvert \ (t+r)$ implies $t \equiv -r \ (\text{mod} \ p)$. $\blacksquare$

Corollary 2

Let $p$ be an odd prime number. The equation $x^2 \equiv a \ (\text{mod} \ p)$ has exactly two solutions for $\displaystyle \frac{p-1}{2}$ many numbers $a \in \left\{1,2,\cdots,p-1 \right\}$ and has no solutions for the other $\displaystyle \frac{p-1}{2}$ numbers $a \in \left\{1,2,\cdots,p-1 \right\}$.

Remark
For the even prime $p=2$, the equation $x^2 \equiv a \ (\text{mod} \ 2)$ is not an interesting one. For $x^2 \equiv 0 \ (\text{mod} \ 2)$, $x=0$ is the only solution. For $x^2 \equiv 1 \ (\text{mod} \ 2)$, $x=1$ is the only solution.

For composite moduli, the quadratic equation $x^2 \equiv a \ (\text{mod} \ m)$ can have more than two solutions. For example, $x^2 \equiv 1 \ (\text{mod} \ 8)$ has four solutions $x=1,3,5,7$.

For these reasons, we only work with odd prime moduli for quadratic congruences.

____________________________________________________________________________

General Case

What about the general case of the quadratic congruence equation of the following form?

$\alpha y^2+\beta y+\gamma \equiv 0 \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (2)$

Of course, we only consider the equations where $\alpha \not \equiv 0 \ (\text{mod} \ p)$ and $p$ is an odd prime. It turns out that equation (2) can be replaced by an equivalent congruence equation of the same form as equation (1) above. So the general case of equation (2) presents no new problem. We just convert equation (2) to its equivalence and solve it accordingly. We now discuss how this is done.

The coefficient $\alpha$, the coefficient of the $y^2$ term, has a multiplicative inverse modulo $p$. So multiplying equation (2) by $\alpha^{-1}$ gives the following equation.

$y^2+\alpha^{-1} \beta y+\alpha^{-1} \gamma \equiv 0 \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (3)$

So we can now focus on solving equation (3), which has the same solutions as equation (2). Consider the coefficient of the $y$ term. If the coefficient $\alpha^{-1} \beta$ is even, we can complete the square and obtain an equivalent equation of the same form as equation (1). If the coefficient $\alpha^{-1} \beta$ is odd, then we can add $p$ to it and obtain an even coefficient. We can then proceed to complete the square as in the even case. We demonstrate with two examples.

Consider the equation $3 y^2+4y+1 \equiv 0 \ (\text{mod} \ 11)$. Since $4 \cdot 3 \equiv 1 \ (\text{mod} \ 11)$. The multiplicative inverse of $4$ is $3$. So we multiply $4$ across and obtain $y^2+16y+4 \equiv 0 \ (\text{mod} \ 11)$. The coefficient of the $y$ term is even. We complete the square as follows.

$y^2+16y+4 \equiv 0 \ (\text{mod} \ 11)$

$y^2+16y+64 \equiv 64-4 \ (\text{mod} \ 11)$

$(y+8)^2 \equiv 60 \ (\text{mod} \ 11)$

$(y+8)^2 \equiv 5 \ (\text{mod} \ 11)$

The last equation in the above derivation is of the form $x^2 \equiv 5 \ (\text{mod} \ 11)$ where the solutions are $x=4$ and $x=7$. Thus we have $y+8 \equiv 4 \ (\text{mod} \ 11)$ and $y+8 \equiv 7 \ (\text{mod} \ 11)$. These two congruences give $y \equiv 7 \ (\text{mod} \ 11)$ and $y \equiv 10 \ (\text{mod} \ 11)$.

For the odd case, consider the equation $5 y^2+y+8 \equiv 0 \ (\text{mod} \ 11)$. The multiplicative inverse of $5$ is $9$ as $5 \cdot 9 \equiv 1 \ (\text{mod} \ 11)$. After multiplying by the inverse, we obtain $y^2+9y+72 \equiv 0 \ (\text{mod} \ 11)$. We further reduce $72$ modulo $11$ to get $y^2+9y+6 \equiv 0 \ (\text{mod} \ 11)$. Note that the coefficient of the $y$ term is odd. So we add modulus to that coefficient to obtain the equation $y^2+20y+6 \equiv 0 \ (\text{mod} \ 11)$. We then proceed to complete the square as follows.

$y^2+20y+100 \equiv 100-6 \ (\text{mod} \ 11)$

$(y+10)^2 \equiv 94 \ (\text{mod} \ 11)$

$(y+10)^2 \equiv 6 \ (\text{mod} \ 11)$

The last equation in the above derivation is of the form $x^2 \equiv 6 \ (\text{mod} \ 11)$, which has no solutions (based on the simple example above). Thus the original equation $5 y^2+y+8 \equiv 0 \ (\text{mod} \ 11)$ has no solutions.

____________________________________________________________________________

Examples

To solve the quadratic congruence $x^2 \equiv a \ (\text{mod} \ p)$, one way is to compute the entire table of values for $x^2$ modulo $p$. For very small prime such as the simple example above, this approach is workable. For large primes, this requires a lot of computational resources.

To further illustrate the quadratic congruences, we work three examples with help from Euler’s Criterion and from using Excel to do some of the calculations.

According to Euler’s Criterion, the equation $x^2 \equiv a \ (\text{mod} \ p)$ has solutions if and only if $\displaystyle a^{\frac{p-1}{2}} \equiv 1 \ (\text{mod} \ p)$. Equivalently, the equation $x^2 \equiv a \ (\text{mod} \ p)$ has no solutions if and only if $\displaystyle a^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$. So the solvability of the quadratic congruence equation can be translated as a modular exponentiation calculation.

The computation for $\displaystyle a^{\frac{p-1}{2}} \ (\text{mod} \ p)$ can be done directly using an online modular arithmetic calculator or using the fast-powering algorithm (discussed in the post Congruence Arithmetic and Fast Powering Algorithm). For a discussion and a proof of Euler’s Criterion, see the post Euler’s Criterion.

When Euler’s Criterion indicates there are solutions, how do we find the solutions? We demonstrate using the following examples.

Example 1
Solve $x^2 \equiv 5 \ (\text{mod} \ 61)$.

According to Euler’s Criterion, the equation $x^2 \equiv 5 \ (\text{mod} \ 61)$ has solutions since $5^{30} \equiv 1 \ (\text{mod} \ 61)$. To find the solutions, we keep adding the modulus to $a=5$ until we get a perfect square.

$\displaystyle x^2 \equiv 5 \equiv 5+61 \equiv 5+2(61) \equiv \cdots \equiv 5+20(61)=1225=35^2 \ (\text{mod} \ 61)$

So we have $x^2 \equiv 35^2 \ (\text{mod} \ 61)$, which gives $x=35$ and $x=-35$. The solutions are $x \equiv -35 \equiv 26 \ (\text{mod} \ 61)$ and $x \equiv 35 \ (\text{mod} \ 61)$.

Example 2
Solve $x^2 \equiv 899 \ (\text{mod} \ 50261)$.

Since $899^{25130} \equiv 1 \ (\text{mod} \ 50261)$, the equation has solutions. We then add the modulus repeatedly to $899$ until we get a perfect square (with the aid of an Excel spreadsheet).

$\displaystyle x^2 \equiv 899 \equiv 899+50261 \equiv 899+2(50261) \equiv \cdots \equiv 899+4297(50261)=215972416=14696^2 \ (\text{mod} \ 50261)$

So we have $x^2 \equiv 14696^2 \ (\text{mod} \ 50261)$, which gives $x=14696$ and $x=-14696$. The solutions are $x \equiv 14696 \ (\text{mod} \ 50261)$ and $x \equiv -14696 \equiv 35565 \ (\text{mod} \ 50261)$.

Example 3
Solve $x^2 \equiv 13961 \ (\text{mod} \ 50261)$.

Since $13961^{25130} \equiv -1 \ (\text{mod} \ 50261)$, the equation has no solutions according to Euler’s Criterion.

____________________________________________________________________________

$\copyright \ 2013 - 2015 \text{ by Dan Ma}$
Revised December 9, 2015

Euler’s Criterion

In this post we discuss a beautiful connection between Fermat’s little theorem and the solvability of a quadratic congruence equation. The discussion leads to a theorem that is commonly called Euler’s Criterion.

___________________________________________________________________________________________________________________

The Setting

Let $p$ be an odd prime number. Let $a$ be a positive integer that is relative prime to $p$. According to Fermat’s little theorem, we have $\displaystyle a^{p-1} \equiv 1 \ (\text{mod} \ p)$, which can be written as $\displaystyle (a^{\frac{p-1}{2}})^2 \equiv 1 \ (\text{mod} \ p)$. So the number $\displaystyle a^{\frac{p-1}{2}}$ represent solutions to the equation $y^2 \equiv 1 \ (\text{mod} \ p)$. It can be shown that the equation $y^2 \equiv 1 \ (\text{mod} \ p)$ has exactly two solutions. The number $\displaystyle a^{\frac{p-1}{2}}$ has two possibilities. They are:

$\displaystyle a^{\frac{p-1}{2}} \equiv 1 \ (\text{mod} \ p) \ \ \ \ \text{or} \ \ \ \ a^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$

The result we wish to highlight is that each of the above two cases corresponds to either the solvability or non-solvability of the following quadratic congruence equation.

$x^2 \equiv a \ (\text{mod} \ p) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

___________________________________________________________________________________________________________________

Euler’s Criterion

The result indicated at the end of the preceding section is known as Euler’s Criterion. We have the following theorem.

Theorem 1 (Euler’s Criterion)

Let $p$ be an odd prime number. Let $a$ be a positive integer that is relative prime to $p$.

1. The equation $x^2 \equiv a \ (\text{mod} \ p)$ has solutions if and only if $\displaystyle a^{\frac{p-1}{2}} \equiv 1 \ (\text{mod} \ p)$.
2. $\text{ }$

3. The equation $x^2 \equiv a \ (\text{mod} \ p)$ has no solutions if and only if $\displaystyle a^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$.

Examples
Take $x^2 \equiv 899 \ (\text{mod} \ 50261)$ as an example. To determine whether this equation is solvable, we can check each integer in the interval $1 \le x <50261$. Euler's Criterion reduces the solvability question to a modular exponential problem. It can be shown that $\displaystyle 899^{\frac{50261-1}{2}}=899^{25130} \equiv 1 \ (\text{mod} \ p)$. Thus $x^2 \equiv 899 \ (\text{mod} \ 50261)$ has solutions.

On the other hand, the equation $x^2 \equiv 13961 \ (\text{mod} \ 50261)$ has no solutions since $\displaystyle 13961^{25130} \equiv -1 \ (\text{mod} \ p)$.

Proof of Theorem 1
We prove the first bullet point. The two bullet points in Theorem 1 are equivalent. We need only prove one of them.

$\Longrightarrow$
Suppose that $x^2 \equiv a \ (\text{mod} \ p)$ has solutions. Let $x=t$ be one solution. Then we have $t^2 \equiv a \ (\text{mod} \ p)$. The following derivation establishes the direction of $\Longrightarrow$.

$\displaystyle a^{\frac{p-1}{2}} \equiv (t^2)^{\frac{p-1}{2}} \equiv t^{p-1} \equiv 1 \ (\text{mod} \ p)$

Applying Fermat’s little theorem, which gives $t^{p-1} \equiv 1 \ (\text{mod} \ p)$ (giving the last congruence in the above derivation). To apply Fermat’s theorem, we need to show that $p \not \lvert \ t$. Suppose that $p \ \lvert \ t$. Then $p \ \lvert \ t^2$ and $t^2 \equiv 0 \ (\text{mod} \ p)$. It follows that $a \equiv 0 \ (\text{mod} \ p)$, contradicting the fact that $a$ is relatively prime to the modulus $p$.

$\Longleftarrow$
Suppose that $x^2 \equiv a \ (\text{mod} \ p)$ has no solutions. we make the following claim.

For each number $h \in \left\{1,2,\cdots,p-1 \right\}$, there exists a number $k \in \left\{1,2,\cdots,p-1 \right\}$ with $h \ne k$ such that $hk=a$.

To prove the above claim, let $k=h^{-1}a$. It is clear that $hk=a$. It remains to be shown that $h \ne k$. Suppose that $h=h^{-1}a$. Then $h^2=a$, implying that $x^2 \equiv a \ (\text{mod} \ p)$ has a solution. Thus $h \ne k$.

It follows from the claim that the set $\left\{1,2,\cdots,p-1 \right\}$ consists of $\displaystyle \frac{p-1}{2}$ many pairs of numbers, each with product $a$. So we have the following:

$\displaystyle 1 \cdot 2 \cdots p-1 \equiv a^{\frac{p-1}{2}} \ (\text{mod} \ p)$

According to Wilson’s theorem, $\displaystyle 1 \cdot 2 \cdots p-1 \equiv -1 \ (\text{mod} \ p)$. Consequently, $\displaystyle a^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$.

We have shown that if the equation $x^2 \equiv a \ (\text{mod} \ p)$ has no solutions, then $\displaystyle a^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$. Equivalently if $\displaystyle a^{\frac{p-1}{2}} \equiv 1 \ (\text{mod} \ p)$, then the equation $x^2 \equiv a \ (\text{mod} \ p)$ has solutions. $\blacksquare$

___________________________________________________________________________________________________________________

The statement that the equation $x^2 \equiv a \ (\text{mod} \ p)$ has solutions is commonly described by the term quadratic residue. We say that the number $a$ is a quadratic reside modulo $p$ if the equation $x^2 \equiv a \ (\text{mod} \ p)$ has solutions. If the number $a$ is not a quadratic reside modulo $p$, we say that it is a quadratic nonresidue modulo $p$. Whenever there is no need to make a distinction between quadratic and higher power, we will just omit the word quadratic and refer to residues and nonresidues.

Euler’s Criterion can be restated using the term quadratic residues.

Theorem 1 (Euler’s Criterion)

Let $p$ be an odd prime number. Let $a$ be a positive integer that is relative prime to $p$.

1. The number $a$ is a quadratic residue modulo $p$ if and only if $\displaystyle a^{\frac{p-1}{2}} \equiv 1 \ (\text{mod} \ p)$.
2. $\text{ }$

3. The number $a$ is a quadratic nonresidue modulo $p$ if and only if $\displaystyle a^{\frac{p-1}{2}} \equiv -1 \ (\text{mod} \ p)$.

___________________________________________________________________________________________________________________

Legendre Symbol

For those who like to be economical in the statements of mathematical results, the Legendre symbol can be used. The Legendre symbol $\displaystyle \biggl(\frac{a}{p}\biggr)$ is defined as follows:

$\displaystyle \biggl(\frac{a}{p}\biggr)=\left\{\begin{matrix}1&\ \text{if } a \text{ is a quadratic residue modulo }p \\{-1}&\ \text{if } a \text{ is a quadratic nonresidue modulo }p \end{matrix}\right.$

Euler’s Criterion can be restated as follows:

Theorem 1 (Euler’s Criterion)

Let $p$ be an odd prime number. Let $a$ be a positive integer that is relative prime to $p$. Then the following property holds.

$\displaystyle \biggl(\frac{a}{p}\biggr) \equiv \displaystyle a^{\frac{p-1}{2}} \ (\text{mod} \ p)$

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

An elementary algorithm for finding primitive roots

In the previous post Finding Primitive Roots, we demonstrate one approach for finding all primitive roots of a prime modulus. In this post, we summarize the ideas behind that example.

Throughout this discussion $m$ is a positive integer that is used as the modulus for modular arithmetic, and $a$ is assumed to be a positive integer that is relatively prime to $m$ such that $0 \le a \le m-1$.

According to Fermat’s little theorem, if the modulus $m$ is prime, then $a^{m-1} \equiv 1 \ (\text{mod} \ m)$. If the modulus is relaxed to include non-prime integers as well, then we have Euler’s theorem which states that $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ where $\phi(m)$ is Euler’s phi function. For any modulus $m$, $\phi(m)$ is simply the numbers of possible values of $a$ that are relatively prime to $m$. For example, $\phi(m)=10$ if $m=11$ and $\phi(m)=4$ if $m=10$.

So it is always the case that $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$. Another way to say this is that the number $\phi(m)$ is always a solution to the following congruence equation.

$\displaystyle a^x \equiv 1 \ (\text{mod} \ m) \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

With this above discussion in mind, we define the notion of order. The order of $a$ modulo $m$ is the least positive integer solution to the congruence equation (1).

Furthermore, the number $a$ is said to be a primitive root modulo $m$ if the least positive integer solution to (1) is $\phi(m)$.

Note that even though the notions of order and primitive root are defined here for integers $a$ that are relatively prime to $m$ with $0 \le a \le m-1$, the definitions are also valid for positive $a$ outside the range $0 \le a \le m-1$. Relaxing the definitions can make some proofs go easier (e.g. Theorem 2 below).

___________________________________________________________________________________________________________________

An Approach in Finding Primitive Roots

We now summarize the ideas discussed in the previous post Finding Primitive Roots.

Recall that $a$ is a positive integer less than $m$ that is relatively prime to $m$. How do we check if $a$ is a primitive root? On the face of it, we need to check that no positive integer less than $\phi(m)$ is a solution to equation (1). It turns out that we only need to check positive integers less than $\phi(m)$ that are divisors of $\phi(m)$. We have the following theorem.

Theorem 1

The following conditions are equivalent.

1. The number $a$ is a primitive root modulo $m$.
2. Every positive divisor $k$ of $\phi(m)$ with $k < \phi(m)$ is not a solution of the congruence equation (1).

$\text{ }$
If we know that there exists a primitive root for a modulus, the followng theorem tells us how to find the other primitive roots.

Theorem 2

Suppose the number $a$ is a primitive root modulo $m$. Then there are exactly $\phi(\phi(m))$ many primitive roots modulo $m$. They are obtained by finding the least residues of the numbers $a^j$ where the exponents $j$ are taken from the following set.

$\left\{j: 1 \le j \le \phi(m) \text{ and } j \text{ is relatively prime to } \phi(m) \right\} \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (2)$

Thus the above two theorems taken together form an algorithm for finding primitve roots of a modulus (if one is known to exist to begin with). We can use Theorem 1 to find a primitive root. Once we have found one, we can raise it to exponents that are relatively prime to the number $\phi(m)$ to find the remaining primitive roots. Since there are $\phi(\phi(m))$ many positive integers that are less than $\phi(m)$ and relatively prime to $\phi(m)$, there are $\phi(\phi(m))$ many primitive roots modulo $m$ (if one exists).

Before proving the theorems, let’s look at a quick example.

For $m=11$, $\phi(11)=10$. The candidates for primitive roots modulo $m=11$ are in the set $\left\{2,3,4,\cdots,10 \right\}$. The divisors of $\phi(11)=10$ are $1,2,5$. According to Theorem 1, we only need to raise these numbers to exponents that are divisors of $\phi(11)=10$.

Note that $2^1 \equiv 2 \ (\text{mod} \ 11)$, $2^2 \equiv 4 \ (\text{mod} \ 11)$ and $2^5 \equiv 10 \ (\text{mod} \ 11)$. Thus $a=2$ is a primitive root modulo $m=11$.

The positive integers that are less than $\phi(11)=10$ and that are relatively prime to $\phi(11)=10$ are $1, 3, 7, 9$. So there are four primitive roots modulo $m=11$. They are:

\displaystyle \begin{aligned} \text{ }&2^1 \equiv 2 \ (\text{mod} \ 11) \\&2^3 \equiv 8 \ (\text{mod} \ 11) \\&2^7 \equiv 7 \ (\text{mod} \ 11) \\&2^9 \equiv 6 \ (\text{mod} \ 11) \end{aligned}

___________________________________________________________________________________________________________________

Proof of Theorems

Proof of Theorem 1

The direction $1 \Longrightarrow 2$ is clear. If $a$ is a primitive root modulo $m$, then by definition, no positive integer less than $\phi(m)$ can be a solution to the congruence equation (1).

$2 \Longrightarrow 1$
Let $h$ be the order of $a$ modulo $m$. The key to the proof is that $h$ must be a divisor of $\phi(m)$ (see Theorem 4 and Corollary 5 in the post Defining Primitive Root). For the sake of completeness, we provide the proof here.

Since $h$ is the least positive solution of the congruence equation (1), $h \le \phi(m)$. Using the division algorithm, we have $\phi(m)=q \cdot h+r$ for some integers $q$ and $r$ where $0 \le r . We have the following calculation.

$1 \equiv a^{\phi(m)}=(a^h)^q \cdot a^r \equiv (1)^q \cdot a^r \equiv a^r \ (\text{mod} \ m)$

So we have $a^r \equiv 1 \ (\text{mod} \ m)$ and $0 \le r . Since $h$ is the least positive solution of (1), the only possibility is that $r=0$. Hence $\phi(m)=q \cdot h$ and $h$ is a divisor of $\phi(m)$.

Now back to the proof for $2 \Longrightarrow 1$. We claim that $h=\phi(m)$, implying that $a$ is a primitive root modulo $m$. If $h<\phi(m)$, then $h$ is a positive divisor of $\phi(m)$ with $h<\phi(m)$ such that $h$ is a solution of the congruence equation (1) (i.e. the condition 2 does not hold). Thus if condition 2 holds, condition 1 must hold. $\blacksquare$

Proof of Theorem 2
Theorem 2 is the combined result of Theorem 6 and Corollary 7 in the post Defining Primitive Root. To make this post as self contained as possible, we repeat the proof, showing just the essential parts.

We do need one theorem from the previous post Defining Primitive Root. Let $w$ be a positive integer that is relatively prime to the modulus $m$. Let $k$ be the order of $w$ modulo $m$. Theorem 4 in this post states that for any , $w^n \equiv 1 \ (\text{mod} \ m)$ if and only if $k \ \lvert \ n$.

There are exactly $\phi(\phi(m))$ many elements in the above set indicated by (2). So there are these many powers of $a$. The first thing to show is that the powers $a^j$ are all distinct congruent modulo $m$. Hence their least residues are also distinct.

To see this, suppose $a^j \equiv a^i \ (\text{mod} \ m)$ where $i, j \le \phi(m)$ with $i \le j$. We want to show $i=j$. Suppose that $i. Since $a^i$ is relatively prime to $m$, we can cancel out $a^i$ on both sides and obtain $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. Since $j-i<\phi(m)$ and $a$ is a primitive root modulo $m$, $a^{j-i} \not \equiv 1 \ (\text{mod} \ m)$. So $i=j$. Thus if $i \ne j$, then $a^j \not \equiv a^i \ (\text{mod} \ m)$.

The next thing to show is that $a^j$ is a primitive root modulo $m$ for any $j$ in the above set (2). Suppose $j$ is one such element of the set (2). Then $j$ and $\phi(m)$ are relatively prime.

Let $h$ be the order of $a^j$ modulo $m$. We have $a^{j \cdot h}=(a^h)^j \equiv 1 \ (\text{mod} \ m)$. Since $a$ is a primitive root modulo $m$, it follows that $\phi(m) \ \lvert \ j \cdot h$ (according Theorem 4 in Defining Primitive Root). Since $\phi(m)$ and $j$ are relatively prime, $\phi(m) \ \lvert \ h$.

On the other hand, $(a^j)^{\phi(m)}=(a^{\phi(m)})^j \equiv 1 \ (\text{mod} \ m)$. Since $h$ is the order of $a^j$, it follows that $h \ \lvert \ \phi(m)$ (also using Theorem 4 in Defining Primitive Root).

With $\phi(m) \ \lvert \ h$ and $h \ \lvert \ \phi(m)$, we have $h=\phi(m)$. Thus $a^j$ is a primitive root modulo $m$ and so is its least residue. $\blacksquare$

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

Defining Primitive Root

In this post, we define the notion of primitive root and prove some elementary results. Instead of jumping right into the definition, we take a leisurely approach by first looking at some of the related basic notions.

___________________________________________________________________________________________________________________

Setting Up the Scene

Two positive integers $a$ and $b$ are relatively prime if they do not share any prime factors, i.e., their greatest common divisor is one (the only positive integer that can divide both numbers is one). For example, $a=9$ and $b=14$ are relatively prime, as are $a=9$ and $b=35$. If $a$ and $b$ are relatively prime, we also say that $a$ is relatively prime to $b$ or $b$ is relatively prime to $a$. Our notation for greatest common divisor is $\text{GCD}(a,b)$.

In working with modular arithmetic where the modulus is the positive integer $m$, every integer is congruent modulo $m$ to exactly one number in the set $\left\{0,1,2,\cdots,m-1 \right\}$. The numbers in this set are called the least residues modulo $m$. In doing modulus $m$ calculation, for some purposes we only need to reduce the result to one number in this set. For convenience, we use the notation $\mathbb{Z}_m=\left\{0,1,2,\cdots,m-1 \right\}$.

An even more interesting set is the set of all integers $a$ in $\mathbb{Z}_m$ such that $a$ and the modulus $m$ are relatively prime. To facilitate the discussion, we describe this set as follows:

\displaystyle \begin{aligned} (\mathbb{Z}_m)^*&=\left\{a \in \mathbb{Z}_m: a \text{ is relatively prime to } m \right\} \\&=\left\{a \in \mathbb{Z}_m:\text{GCD}(a,m) =1 \right\} \end{aligned}

When the modulus $m$ is a prime number, $(\mathbb{Z}_m)^*=\left\{1,2,\cdots,m-1 \right\}$, the non-zero elements of $\mathbb{Z}_m$. The following theorem gives some indication why $(\mathbb{Z}_m)^*$ is an interesting set, which provides alternative characterizations of $(\mathbb{Z}_m)^*$.

Theorem 1

Let $a$ be an integer in $\mathbb{Z}_m$. The following conditions are equivalent.

1. $\text{GCD}(a,m)=1$.
2. There is a $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$.
3. Some positive power of $a$ modulo $m$ is $1$, i.e., $a^n \equiv 1 \ (\text{mod} \ m)$ for some positive integer $n$.

$\text{ }$

The proof of Theorem 1 can be found in the post Euler’s phi function, part 1.

The Euler’s phi function, denoted by $\phi(m)$, is the number of integers $a$ where $0 \le a \le m-1$ such that $a$ and the modulus $m$ are relatively prime. In light of the above discussion, $\phi(m)$ is the number of elements in the set $(\mathbb{Z}_m)^*$. It is also the case that $\phi(m)$ is the number of elements in $\mathbb{Z}_m$ that satisfies any one of the three conditions in Theorem 1.

___________________________________________________________________________________________________________________

Defining Primitive Root

When we are interested in the power of a number being one congruence modulo $m$, according to Theorem 1, the base has to be a number that is relatively prime to the modulus. We have already come across two such situations – Fermat’s little theorem and its generalization, Euler’s theorem.

Theorem 2 (Fermat’s little theorem)

Let the modulus $m$ be a prime number. Then $a^{m-1} \equiv 1 \ (\text{mod} \ m)$ for any integer $a$ that is relatively prime to $m$.

$\text{ }$

Theorem 3 (Euler’s theorem)

It is the case that $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ for any integer $a$ that is relatively prime to $m$.

$\text{ }$

Theorem 2 follows from Theorem 3, which is proved in the post Euler’s phi function, part 1.

Definitions
We now define the notion of primitive root. Let $a$ be an integer in $\mathbb{Z}_m$ that is relatively prime to the modulus $m$. Based on the above theorems, $a^k \equiv 1 \ (\text{mod} \ m)$ for some positive integer $k$. By the order of $a$ modulo $m$, we mean the least positive integer $k$ such that $a^k \equiv 1 \ (\text{mod} \ m)$. The number $a$ is a primitive root modulo $m$ if the order of $a$ modulo $m$ is the number $\phi(m)$.

By Theorem 3, the order of $a$ modulo $m$ is always $\le \phi(m)$. We will see below that the order always divides $\phi(m)$ (see Theorem 4).

One comment. The notions of order and primitive roots are defined above for integers in $\mathbb{Z}_m$. In actuality, the two notations can be defined for all positive integers. It is just that we are interested in finding primitive roots among the residues, i.e., the elements of the set $\mathbb{Z}_m$. In some cases, it will be helpful to think of orders of numbers outside of $\mathbb{Z}_m$ and think of numbers outside of $\mathbb{Z}_m$ as primitive roots (e.g. in the proof of Theorem 6 below).

Suppose that the modulus $m$ is a prime number. Fermat’s little theorem tells us that $a^{m-1} \equiv 1 \ (\text{mod} \ m)$ for any $a$ that is relatively prime to $m$. Is $m-1$ the only exponent for which the power of $a$ is one? Take $m=11$. The following table gives the powers of $a$ modulus $m=11$ where $1 \le a \le 10$.

$\displaystyle \begin{bmatrix} a^1&a^2&a^3&a^4&a^5&a^6&a^7&a^8&a^9&a^{10} \\\text{ }&\text{ }&\text{ } \\ 1&1&1&1&1&1&1&1&1&1 \\ 2&4&8&5&10&9&7&3&6&1 \\ 3&9&5&4&1&3&9&5&4&1 \\ 4&5&9&3&1&4&5&9&3&1 \\ 5&3&4&9&1&5&3&4&9&1 \\ 6&3&7&9&10&5&8&4&2&1 \\ 7&5&2&3&10&4&6&9&8&1 \\ 8&9&6&4&10&3&2&5&7&1 \\ 9&4&3&5&1&9&4&3&5&1 \\ 10&1&10&1&10&1&10&1&10&1 \end{bmatrix}$

The above table shows that for $a=2,6,7,8$, the number $10$ is the least exponent for which the power of $a$ is one. In other words, the order for these $a$ is $\phi(11)=10$. The numbers $a=2,6,7,8$ are primitive roots modulo $m=11$. The other values of $a$ are not primitive roots. The order for $a=1$ is $1$. The order for $a=10$ is $2$. The order for $a=3,4,5,9$ is $5$.

Note that in the above table, for the numbers $a$ that are primitive roots, the set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(11)} \right\}$ equals the set $\left\{1,2,3,\cdots,10 \right\}$. So a primitive root generates by powering all the least residues that are relatively prime to the modulus.

Let’s look at a modulus that is not prime. Take $m=10$. The following table gives the powers of $a$ modulus $m=10$ where $1 \le a \le 9$.

$\displaystyle \begin{bmatrix} a^1&a^2&a^3&a^4&a^5&a^6&a^7&a^8&a^9 \\\text{ }&\text{ }&\text{ } \\ 1&1&1&1&1&1&1&1&1 \\ 2&4&8&6&2&4&8&6&2 \\ 3&9&7&1&3&9&7&1&3 \\ 4&6&4&6&4&6&4&6&4 \\ 5&5&5&5&5&5&5&5&5 \\ 6&6&6&6&6&6&6&6&6 \\ 7&9&3&1&7&9&3&1&7 \\ 8&4&2&6&8&4&2&6&8 \\ 9&1&9&1&9&1&9&1&9 \end{bmatrix}$

Note that $\phi(10)=4$ since $(\mathbb{Z}_{10})^*=\left\{1,3,7,9 \right\}$ is the set of all the least residues that are relatively prime to $m=10$. In terms of powers of $a$, we should only focus on $\left\{1,3,7,9 \right\}$. The following is the reduced table.

$\displaystyle \begin{bmatrix} a^1&a^2&a^3&a^4&a^5&a^6&a^7&a^8&a^9 \\\text{ }&\text{ }&\text{ } \\ 1&1&1&1&1&1&1&1&1 \\ 3&9&7&1&3&9&7&1&3 \\ 7&9&3&1&7&9&3&1&7 \\ 9&1&9&1&9&1&9&1&9 \end{bmatrix}$

Note that $a^4 \equiv 1 \ (\text{mod} \ 10)$ for all four $a$. But only $a=3,7$ are primitive roots modulo $m=10$.

Also note that in the above table, for the numbers $a$ that are primitive roots, the set $\left\{a^1,a^2,a^3,a^4 \right\}$ equals the set $\left\{1,3,7,9 \right\}$. So a primitive root generates by powering all the least residues that are relatively prime to the modulus.

Not all moduli have primitive roots. Take $m=8$. The least residues that are relatively prime to $m=8$ are the set $\left\{1,3,5,7 \right\}$. Note that $a^2 \equiv 1 \ (\text{mod} \ 8)$ for every $a$ in this set. Thus no number $a$ in this set can have order = $\phi(8)=4$.

___________________________________________________________________________________________________________________

Elementary Results

One observation can be made about the above small tables for $m=11$ and $m=10$ is that all exponents for which the power of $a$ is one are the multiples of the order. We have the following theorem.

Theorem 4

Let $a$ be an integer where $0 \le a \le m-1$ such that $a$ is relatively prime to the modulus $m$. Suppose $k$ is the order of the number $a$ modulo $m$. Then $a^n \equiv 1 \ (\text{mod} \ m)$ if and only if $n$ is a multiple of $k$.

Proof of Theorem 4

$\Longleftarrow$
This direction is clear. If $n=q \cdot k$ for some integer $q$, then $a^n=(a^k)^q \equiv 1 \ (\text{mod} \ m)$.

$\Longrightarrow$
Suppose that $a^n \equiv 1 \ (\text{mod} \ m)$. By the division algorithm, we have $n=q \cdot k+r$ for some integers $q$ and $r$ where $0 \le r . We have the following:

$a^n=(a^k)^q \cdot a^r \equiv a^r \ (\text{mod} \ m)$

Since $r and $a^r \equiv 1 \ (\text{mod} \ m)$, it must be the case that $r=0$, implying that $n=q \cdot k$. $\blacksquare$

We have the following corollary.

Corollary 5

Let $a$ be an integer where $0 \le a \le m-1$ such that $a$ is relatively prime to the modulus $m$. Suppose $k$ is the order of the number $a$ modulo $m$. Then $\phi(m)$ is a multiple of $k$.

Another observation from the above small tables is that a primitive root, through powering, is a generator of the least residues that are relatively prime to the modulus.

Theorem 5

Let $a$ be an integer where $0 \le a \le m-1$ such that $a$ is relatively prime to the modulus $m$. The following conditions are equivalent.

1. The number $a$ is a primitive root modulo $m$.
2. The set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$, where each $a^j$ is considered as the least residues modulo $m$, is precisely the set $(\mathbb{Z}_m)^*$.

$\text{ }$

Recall that $(\mathbb{Z}_m)^*$ is the set of all $a \in \mathbb{Z}_m=\left\{0,1,2,3,\cdots,m-1 \right\}$ such that $a$ is relatively prime to $m$.

Proof of Theorem 5

$1 \Longrightarrow 2$
Suppose that the number $a$ is a primitive root modulo $m$. The first step in showing condition 2 is to show that the $\phi(m)$ numbers in the set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ are distinct congruent modulo $m$. Then it follows that their least residues modulo $m$ are distinct too.

Suppose $a^j \equiv a^i \ (\text{mod} \ m)$ where $i,j \le \phi(m)$. We want to show that $i=j$. Suppose $i. Then cancel out $a^i$ on both sides of the equation since $a^i$ is relatively prime to $m$. We have $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. But $j-i<\phi(m)$. Since $a$ is a primitive root modulo $m$, we cannot have $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. So it must be the case that $j=i$. So if $a^j \equiv a^i \ (\text{mod} \ m)$, then $i=j$. Equivalently, if $i \ne j$, $a^j \not \equiv a^i \ (\text{mod} \ m)$. Thus the least residues modulo $m$ of the values in $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ are distinct too.

Since $a^i$ is relatively prime to $m$, its least residue is also relatively prime to $m$. Now the least residues modulo $m$ of the values in $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ consist of $\phi(m)$ numbers inside $(\mathbb{Z}_m)^*$, which is also a set of $\phi(m)$ many numbers. So the two sets must equal.

$2 \Longrightarrow 1$
We show the contrapositive of $2 \Longrightarrow 1$. Suppose that the order of $a$ modulo $m$ is $j$ where $1 \le j<\phi(m)$. So $a^j \equiv 1 \ (\text{mod} \ m)$ and $a^{j+1} \equiv a \ (\text{mod} \ m)$. So $a$ and $a^{j+1}$ are two elements in the set $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ that are congruent to each other. This means that the least residues of $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ have less than $\phi(m)$ many values. In other words, the number $a$, through powering, cannot generate all the least residues that are relatively prime to the modulus $m$. $\blacksquare$

The following theorem and corollary give the number of primitive root modulo $m$ as long as it is known that there is a primitive root modulo $m$.

Theorem 6

Let $a$ be a primitive root modulo $m$. Then for any positive integer $k$, the least residue of $a^k$ is a primitive root modulo $m$ if and only if $k$ is relatively prime to $\phi(m)$.

Proof of Theorem 6

$\Longrightarrow$
Suppose that $k$ is not relatively prime to $\phi(m)$. So $d=\text{GCD}(k,\phi(m))>1$. Then we have:

$\displaystyle (a^k)^{\frac{\phi(m)}{d}}=(a^{\phi(m)})^{\frac{k}{d}} \equiv 1 \ (\text{mod} \ m)$

With $\displaystyle b=\frac{\phi(m)}{d}<\phi(m)$ and $(a^k)^b \equiv 1 \ (\text{mod} \ m)$, it follows that $a^k$ is not a primitive root modulo $m$. Hence the least residue of $a^k$ modulo $m$ is also not a primitive root. Thus if the least residue of $a^k$ is a primitive root modulo $m$, it must be that $\text{GCD}(k,\phi(m))=1$.

$\Longleftarrow$
Suppose $\text{GCD}(k,\phi(m))=1$. Let $\alpha$ be the order of $a^k$ modulo $m$. By the definition of order, $a^{k \cdot \alpha}=(a^k)^\alpha \equiv 1 \ (\text{mod} \ m)$. Based on the fact that the order of $a$ modulo $m$ is $\phi(m)$, we have $\phi(m) \ \lvert \ k \cdot \alpha$ (also using Theorem 4). Since $\text{GCD}(k,\phi(m))=1$, it must be the case that $\phi(m) \ \lvert \ \alpha$.

On the other hand, $(a^k)^{\phi(m)}=(a^{\phi(m)})^k \equiv 1 \ (\text{mod} \ m)$. Using the fact that the order of $a^k$ is $\alpha$ (and using Theorem 4), $\alpha \ \lvert \ \phi(m)$.

With $\phi(m) \ \lvert \ \alpha$ and $\alpha \ \lvert \ \phi(m)$, it follows that $\alpha = \phi(m)$. This implies that $a^k$ is a primitive root modulo $m$, and so is its least residue modulo $m$. $\blacksquare$

Corollary 7

Suppose that there exists a primitive root modulo $m$. Then there are exactly $\phi(\phi(m))$ many primitive roots modulo $m$.

Proof of Corollary 7

Let $a$ be a primitive root modulo $m$. By Theorem 6, the least residue of $a^k$ is a primitive roots modulo $m$ if and only if $k$ is relatively prime to the number $\phi(m)$. There are precisely $\phi(\phi(m))$ many such numbers $k$.

Furthermore, according to Theorem 5, the least residues of the values in $\left\{a^1,a^2,a^3,\cdots,a^{\phi(m)} \right\}$ are all distinct. Thus the least residues of the powers $a^k$ for the $\phi(\phi(m))$ many $k$ are primitive roots modulo $m$. $\blacksquare$

___________________________________________________________________________________________________________________

An Algorithm

The theorems and corollaries in this post form an elementary algorithm for finding primitive roots of a modulus (if one is known to exist). The algorithm is described in the post An elementary algorithm for finding primitive roots. An example is given in the post Finding Primitive Roots.

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$

Euler’s phi function, part 1

This is our first post of an introductory discussion on Euler’s phi function. The next post on phi function is here.

___________________________________________________________________________________________________________________

Setting Up the Scene

The starting point of this discussion is the relative primality of two integers. Two positive integers $a$ and $b$ are relatively prime if $1$ is the only common divisor of $a$ and $b$. Note that $a$ and $b$ need not be prime. For example, $a=9$ and $b=14$ are relatively prime, as are $a=9$ and $b=35$. It is clear that $a$ and $b$ are relatively prime if and only if they share no common prime factors. The last point is equivalent to the condition that the greatest common divisor of $a$ and $b$ is $1$. Our notation for greatest common divisor is $\text{GCD}(a,b)$.

If $a$ and $b$ are relatively prime, we also say that $a$ is relatively prime to $b$ or $b$ is relatively prime to $a$. In the remainder of the blog post, $m$ is always a positive integer that is the modulus used for modular arithmetic.

In modular arithmetic where the modulus is $m$, we only need to focus on $m$ distinct numbers, namely the elements in the set $\left\{0,1,2,\cdots,m-1 \right\}$. Any integer is congruent modulo $m$ to exactly one element of this set (the elements of this set are also called the least residues modulo $m$). For convenience, we use the notation $\mathbb{Z}_m=\left\{0,1,2,\cdots,m-1 \right\}$.

An even more interesting set is the set of all integers $a$ in $\mathbb{Z}_m$ such that $a$ and the modulus $m$ are relatively prime. To facilitate the discussion, we describe this set as follows:

$(\mathbb{Z}_m)^*=\left\{a \in \mathbb{Z}_m:\text{GCD}(a,m) =1 \right\}$

When the modulus $m$ is a prime number, $(\mathbb{Z}_m)^*=\left\{1,2,\cdots,m-1 \right\}$, the non-zero elements of $\mathbb{Z}_m$. When the modulus is not prime, there are fewer least residues that are relatively prime to the modulus. The following shows $(\mathbb{Z}_m)^*$ for the first several integers.

$(\mathbb{Z}_{2})^*=\left\{1 \right\}$

$(\mathbb{Z}_{3})^*=\left\{1,2 \right\}$

$(\mathbb{Z}_{4})^*=\left\{1,3 \right\}$

$(\mathbb{Z}_{5})^*=\left\{1,2,3,4 \right\}$

$(\mathbb{Z}_{6})^*=\left\{1,5 \right\}$

$(\mathbb{Z}_{7})^*=\left\{1,2,3,4,5,6 \right\}$

$(\mathbb{Z}_{8})^*=\left\{1,3,5,7 \right\}$

$(\mathbb{Z}_{9})^*=\left\{1,2,4,5,7,8 \right\}$

$(\mathbb{Z}_{10})^*=\left\{1,3,7,9 \right\}$

$(\mathbb{Z}_{11})^*=\left\{1,2,3,4,5,6,7,8,9,10 \right\}$

The following theorem gives some indication why $(\mathbb{Z}_m)^*$ is an interesting set, which provides alternative characterizations of $(\mathbb{Z}_m)^*$.

Theorem 1

Let $a$ be an integer in $\mathbb{Z}_m$. The following conditions are equivalent.

1. $\text{GCD}(a,m)=1$.
2. There is a $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$.
3. Some positive power of $a$ modulo $m$ is $1$, i.e., $a^n \equiv 1 \ (\text{mod} \ m)$ for some positive integer $n$.

$\text{ }$

The number $b$ indicated in condition 2 is said to be the multiplicative inverse of $a$. Theorem 1 says that only the least residues that are relatively prime to the modulus have multiplicative inverses. Condition 3 tells us that to have a power congruent to one, which is of interest in many situations, the base must be relatively prime to the modulus.

We need the following lemma to prove Theorem 1.

Lemma 2

If $\text{GCD}(a,m)=1$, then for any positive integer $n$, $a^n$ is also relatively prime to $m$.

Proof of Lemma 2
Suppose $\text{GCD}(a,m)=1$. By the extended Euclidean algorithm, we have the following:

$ax+my=1 \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (1)$

for some integers and $x$ and $y$.

We prove by induction on $n$. When $n=1$, lemma is true. Suppose that $a^n$ is relatively prime to $m$ where $n \ge 1$. We show that $a^{n+1}$ is relatively prime to $m$. Multiple both sides of (1) by $a^n$. We have $a^{n+1} x+m (ya^n)=a^n$. Let $d=\text{GCD}(a^{n+1},m)$. Note that $d$ is a divisor of the left-hand side of $a^{n+1} x+m (ya^n)=a^n$. So $d$ is a divisor of $a^n$. Now we know that $d$ is a common divisor of $a^n$ and $m$. Then $d=1$, which means that $a^{n+1}$ is relatively prime to $m$. $\blacksquare$

Proof of Theorem 1

$\bold 3 \bold \Longrightarrow \bold 2$
Suppose that $a^n \equiv 1 \ (\text{mod} \ m)$ for some positive integer $n$. If $n=1$, then let $b=1$. If $n>1$, then let $b=a^{n-1}$. Either way, there is $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$.

$\bold 2 \bold \Longrightarrow \bold 1$
Suppose there is a $b \in \mathbb{Z}_m$ such that $a \cdot b \equiv 1 \ (\text{mod} \ m)$. Then we have

$ab+my=1 \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (2)$

for some integer $y$.

Let $d=\text{GCD}(a,m)$. Since $d$ divides both numbers in the left-hand side of (2), $d \ \lvert \ 1$. Then $d=1$.

$\bold 1 \bold \Longrightarrow \bold 3$
Suppose $\text{GCD}(a,m)=1$. Consider the $a^1,a^2,a^3,\cdots$ and then consider their least residues modulo $m$. By Lemma 2, each $a^n$ and $m$ are relatively prime. Hence the least residue of $a^n$ and $m$ are also relatively prime. But there are only finitely many least residues modulo $m$. So there exist positive integers $i the least residues of $a^i$ and $a^j$ are identical.

We have $a^j \equiv a^i \ (\text{mod} \ m)$. Since $a^i$ and $m$ are relatively prime, we can cancel out $a^i$ on both sides. Thus $a^{j-i} \equiv 1 \ (\text{mod} \ m)$. $\blacksquare$

___________________________________________________________________________________________________________________

Euler’s Phi Function

The Euler’s phi function, denoted by $\phi(m)$, is the number of integers $a$ where $0 \le a \le m-1$ such that $a$ and the modulus $m$ are relatively prime. In light of the above discussion, $\phi(m)$ is the number of elements in the set $(\mathbb{Z}_m)^*$. It is also the case that $\phi(m)$ is the number of elements in $\mathbb{Z}_m$ that satisfies any one of the three conditions in Theorem 1.

If the modulus $m$ is a prime number, then $\phi(m)=m-1$. The following shows several values of $\phi(m)$.

\displaystyle \begin{aligned} &\phi(2)=1 \\&\phi(3)=2 \\&\phi(4)=2 \\&\phi(5)=4 \\&\phi(6)=2 \\&\phi(7)=6 \\&\phi(8)=4 \\&\phi(9)=6 \\&\phi(10)=4 \\&\phi(11)=10 \end{aligned}

When the modulus $m$ is a prime number, Fermat’s little theorem tells us that $a^{\phi(m)}=a^{m-1} \equiv 1 \ (\text{mod} \ m)$ for any $a \in (\mathbb{Z}_m)^*=\left\{1,2,3,\cdots,m-1 \right\}$. This fact is true even when the modulus is not prime if the power is kept as $\phi(m)$. We have the following theorem.

Theorem 3 (Euler’s Theorem)

We have $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ for any integer $a$ that is relatively prime to the modulus $m$.

Theorem 3 can also be stated as: $a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$ for any $a \in (\mathbb{Z}_m)^*$. The proof is amazingly similar to that of Fermat’s little theorem (see the post Proving Fermat’s Little Theorem). We use the following lemma in proving Theorem 3.

Lemma 4

If integers $h$ and $k$ satisfy any condition in Theorem 1, then so does the product $h \cdot k$.

Proof of Lemma 4

Since the 3 conditions in Theorem 1 are equivalent, it does not matter which one we pick. Condition 2 is probably the most convenient. So we show that if $h$ has a multiplicative inverse and $k$ has a multiplicative inverse, then $h \cdot k$ has a multiplicative inverse modulo $m$.

Suppose $h \cdot h_0 \equiv 1 \ (\text{mod} \ m)$ and $k \cdot k_0 \equiv 1 \ (\text{mod} \ m)$ for some integers $h_0$ and $k_0$ in $\mathbb{Z}_m$. We multiply the two congruences and obtain:

$h \cdot h_0 \cdot k \cdot k_0=(h \cdot k) \cdot (h_0 \cdot k_0) \equiv 1 \ (\text{mod} \ m)$

if $h_0 \cdot k_0$ is in $\mathbb{Z}_m$, then it is the multiplicative inverse of $h \cdot k$. If not, then take the least residue mod $m$. $\blacksquare$

Proof of Theorem 3

Let $a$ be an integer that is relatively prime to the modulus $m$, i.e., $\text{GCD}(a,m)=1$. Let $\left\{t_1,t_2,t_3,\cdots,t_{\phi(m)} \right\}$ enumerate the $\phi(m)$ many elements of $(\mathbb{Z}_m)^*$. Multiply these elements by $a$ and we have the following set:

$A=\left\{a \cdot t_1,a \cdot t_2,a \cdot t_3,\cdots,a \cdot t_{\phi(m)} \right\}$

Consider the least residues modulo $m$ of the members of the set $A$. We have:

$B=\left\{b_1,b_2,b_3,\cdots,b_{\phi(m)} \right\}$

Note that for each $b_j \in B$, $b_j \in \mathbb{Z}_m$ and $b_j \equiv a \cdot t_j \ (\text{mod} \ m)$. We have two claims.

• The numbers $b_i$ and $b_j$ are distinct whenever $i \ne j$.
• Each $b_j$ is relatively prime to the modulus $m$, i.e., $b_j \in (\mathbb{Z}_m)^*$ for each $j$.

The first claims tells us that the set $B$ has $\phi(m)$ many distinct elements. The second claims tells us that the set $B$ is a subset of $(\mathbb{Z}_m)^*=\left\{t_1,t_2,t_3,\cdots,t_{\phi(m)} \right\}$. Since the subset $B$ has $\phi(m)$ many distinct elements and $(\mathbb{Z}_m)^*$ has $\phi(m)$ many distinct elements, they must equal. So we have $B=(\mathbb{Z}_m)^*$. With this information, we have the following congruence equation.

$\displaystyle at_1 \cdot a t_2 \cdot a t_3 \cdots a t_{\phi(m)} \equiv t_1 \cdot t_2 \cdot t_3 \cdots t_{\phi(m)} \ (\text{mod} \ m)$

Because each $t_j$ is relatively prime to the modulus, we can cancel out all $t_j$ and obtain:

$\displaystyle a^{\phi(m)} \equiv 1 \ (\text{mod} \ m)$

So the theorem hinges on the two claims listed above. We now prove them one by one. To show the first claim, suppose $b_i=b_j$. Then $a \cdot t_i \equiv a \cdot t_j \ (\text{mod} \ m)$. We can cancel out $a$ on both sides since $a$ is relatively prime to $m$. We have $t_i \equiv t_j \ (\text{mod} \ m)$. Since both $t_i$ and $t_j$ are least residues mod $m$, for them to be congruent to each other, the only possibility is $t_i=t_j$. Thus $i=j$. The contrapositive of what we just show is that if $i \ne j$, then $b_i \ne b_j$. So the numbers $b_j$ are all distinct.

To show the second claim, note that $b_j \equiv a \cdot t_j \ (\text{mod} \ m)$. Both $a$ and $t_j$ are relatively prime to $m$. So by Lemma 4, $a \cdot t_j$ is relatively prime to $m$. Hence $b_j$ is relatively prime to the modulus $m$. $\blacksquare$

___________________________________________________________________________________________________________________

The setting for the phi function deserves some comments. The sets $\mathbb{Z}_m$ and $(\mathbb{Z}_m)^*$ defined above can be considered as algebraic objects.

The set $\mathbb{Z}_m=\left\{0,1,2,\cdots,m-1 \right\}$ along with addition and multiplication modulo $m$ is a ring. Thus $\mathbb{Z}_m$ is often called the ring of integers modulo $m$.

Based on Theorem 1 and Lemma 4, the set $(\mathbb{Z}_m)^*$ with the multiplication modulo $m$ is a group, i.e., it is a set with a binary operation called multiplication such that every element has an inverse.

Let the modulus $m$ is a prime number. As indicated above, $(\mathbb{Z}_m)^*=\left\{1,2,\cdots,m-1 \right\}$. An interesting angle is that $\mathbb{Z}_m$ can be considered a commutative ring in which every non-zero element has a multiplicative inverse, i.e., $\mathbb{Z}_m$ is a field (in fact a finite field).

Though we do not focus too much on the algebraic side of things in this blog, $\mathbb{Z}_m$, as a field, plays an important role in number theory and has applications in cryptography.

___________________________________________________________________________________________________________________

$\copyright \ 2013 \text{ by Dan Ma}$