Interpolation at the complex roots of unity
The polynomial multiplication scheme entails converting from
coefficient form to point-value form by evaluating the polynomial at the
complex roots of unity, pointwise multiplying, and finally converting
from point-value form back to coefficient form by interpolating. We’ve
just seen how to evaluate, so now we’ll see how to interpolate the
complex roots of unity by a polynomial. To interpolate, we’ll write the
DFT as a matrix equation and then look at the form of the matrix
inverse.
From equation (30.4), we can write the DFT as the matrix product y
= Vna, where Vn is a Vandermonde matrix containing the appropriate
powers of ωn:
The ( k, j) entry of Vn is , for j, k = 0, 1, … , n − 1. The exponents of the entries of Vn form a multiplication table for factors 0 to n − 1.
For the inverse operation, which we write as
, multiply y by
the matrix
, the inverse of Vn.
Theorem 30.7
For j, k = 0, 1, … , n − 1, the ( j, k) entry of is
.
Proof We show that
, the n × n identity matrix. Consider the
( k, k′) entry of
:
This summation equals 1 if k′ = k, and it is 0 otherwise by the summation lemma (Lemma 30.6). Note that in order for the summation
lemma to apply, k′ − k must not be divisible by n. Indeed, it is not, since
−( n − 1) ≤ k′ − k ≤ n − 1.
▪
With the inverse matrix
defined,
is given by
for j = 0, 1, … , n − 1. By comparing equations (30.8) and (30.11), you can see that if you modify the FFT algorithm to switch the roles of a
and y, replace ωn by , and divide each element of the result by n, you get the inverse DFT (see Exercise 30.2-4). Thus,
is computable in
Θ( n lg n) time as well.
Thus, the FFT and the inverse FFT provide a way to transform a
polynomial of degree-bound n back and forth between its coefficient
representation and a point-value representation in only Θ( n lg n) time.
In the context of polynomial multiplication, we have shown the
following about the convolution a ⊗ b of vectors a and b: Theorem 30.8 (Convolution theorem)
For any two vectors a and b of length n, where n is an exact power of 2, where the vectors a and b are padded with 0s to length 2 n and · denotes the componentwise product of two 2 n-element vectors.
▪
Exercises
30.2-1
Prove Corollary 30.4.
30.2-2
Compute the DFT of the vector (0, 1, 2, 3).
30.2-3
Do Exercise 30.1-1 by using the Θ( n lg n)-time scheme.
30.2-4
Write pseudocode to compute
in Θ( n lg n) time.
30.2-5
Describe the generalization of the FFT procedure to the case in which n
is an exact power of 3. Give a recurrence for the running time, and solve
the recurrence.
★ 30.2-6
Instead of performing an n-element FFT over the field of complex
numbers (where n is an exact power of 2), let’s use the ring ℤ m of integers modulo m, where m = 2 tn/2 + 1 and t is an arbitrary positive integer. We can use ω = 2 t instead of ωn as a principal n th root of unity, modulo m. Prove that the DFT and the inverse DFT are well defined in
this system.
30.2-7
Given a list of values z 0, z 1, … , zn−1 (possibly with repetitions), show how to find the coefficients of a polynomial P( x) of degree-bound n + 1
that has zeros only at z 0, z 1, … , zn−1 (possibly with repetitions). Your procedure should run in O( n lg2 n) time. ( Hint: The polynomial P( x) has a zero at zj if and only if P( x) is a multiple of ( x − zj).)
★ 30.2-8
The chirp transform of a vector a = ( a 0, a 1, … , an−1) is the vector y =
( y 0, y 1, … , yn−1), where
and z is any complex number.
The DFT is therefore a special case of the chirp transform, obtained by
taking z = ωn. Show how to evaluate the chirp transform for any complex number z in O( n lg n) time. ( Hint: Use the equation to view the chirp transform as a convolution.)
Many of the FFT’s applications in signal processing require the utmost
speed, and so the FFT is often implemented as a circuit in hardware.
The FFT’s divide-and-conquer structure enables the circuit to have a
parallel structure so that the depth of the circuit—the maximum number
of computational elements between any output and any input that can
reach it—is Θ(lg n). Moreover, the structure of the FFT circuit has
several interesting mathematical properties, which we won’t go into here.
Butterfly operations
Notice that the for loop of lines 9–12 of the FFT procedure computes
the value
twice per iteration: once in line 10 and once in line 11. A
good optimizing compiler produces code that evaluates this common
subexpression just once, storing its value into a temporary variable, so
that lines 10–11 are treated like the three lines
This operation, multiplying the twiddle factor
by , storing the
product into the temporary variable t, and adding and subtracting t from
, is known as a butterfly operation. Figure 30.3 shows it as a circuit, and you can see how it vaguely resembles the shape of a
butterfly. (Although less colorfully, it could have been called a “bowtie”
operation.)
Figure 30.3 A circuit for a butterfly operation. (a) The two input values enter from the left, the twiddle factor is multiplied by
, and the sum and difference are output on the right. (b) A
simplified drawing of a butterfly operation, which we’ll use when drawing the parallel FFT
circuit.
Figure 30.4 The schema for the conquer and combine steps of an n-input, n-output FFT circuit, FFT n, shown for n = 8. Inputs enter from the left, and outputs exit from the right. The input values first go through two FFT n/2 circuits, and then n/2 butterfly circuits combine the results.
Only the top and bottom wires entering a butterfly interact with it: wires that pass through the middle of a butterfly do not affect that butterfly, nor are their values changed by that butterfly.
Recursive circuit structure
The FFT procedure follows the divide-and-conquer strategy that we
first saw in Section 2.3.1:
Divide the n-element input vector into its n/2 even-indexed and n/2 odd-indexed elements.
Conquer by recursively computing the DFTs of the two subproblems,
each of size n/2.
Combine by performing n/2 butterfly operations. These butterfly
operations work with twiddle factors ,
.
The circuit schema in Figure 30.4 follows the conquer and combine
steps of this pattern for an FFT circuit with n inputs and n outputs, denoted by FFT n. Each line is a wire that carries a value. Inputs enter
from the left, one per wire, and outputs exit from the right. The conquer
step runs the inputs through two FFT n/2 circuits, which are also
constructed recursively. The values produced by the two FFT n/2 circuits
feed into n/2 butterfly circuits, with twiddle factors ,
, to
combine the results. The base case of the recursion occurs when n = 1,
where the sole output value equals the sole input value. An FFT1
circuit, therefore, does nothing, and so the smallest nontrivial FFT
circuit is FFT2, a single butterfly operation whose twiddle factor is
.
Figure 30.5 The tree of input vectors to the recursive calls of the FFT procedure. The initial invocation is for n = 8.
Permuting the inputs
How does the divide step enter into the circuit design? Let’s examine
how input vectors to the various recursive calls of the FFT procedure
relate to the original input vector, so that the circuit can emulate the
divide step at the start for all levels of recursion. Figure 30.5 arranges the input vectors to the recursive calls in an invocation of FFT in a tree
structure, where the initial call is for n = 8. The tree has one node for each call of the procedure, labeled by the elements of the initial call as
they appear in the corresponding input vector. Each FFT invocation
makes two recursive calls, unless it has received a 1-element vector. The
first call appears in the left child, and the second call appears in the
right child.
Looking at the tree, observe that if you arrange the elements of the
initial vector a into the order in which they appear in the leaves, you can
trace the execution of the FFT procedure, but bottom up instead of top
down. First, take the elements in pairs, compute the DFT of each pair
using one butterfly operation, and replace the pair with its DFT. The
vector then holds n/2 two-element DFTs. Next, take these n/2 DFTs in
pairs and compute the DFT of the four vector elements they come from
by executing two butterfly operations, replacing two two-element DFTs
with one four-element DFT. The vector then holds n/4 four-element
DFTs. Continue in this manner until the vector holds two ( n/2)-element
DFTs, which n/2 butterfly operations combine into the final n-element
DFT. In other words, you can start with the elements of the initial
vector a, but rearranged as in the leaves of Figure 30.5, and then feed them directly into a circuit that follows the schema in Figure 30.4.
Let’s think about the permutation that rearranges the input vector.
The order in which the leaves appear in Figure 30.5 is a bit-reversal permutation. That is, letting rev( k) be the lg n-bit integer formed by reversing the bits of the binary representation of k, then vector element
ak moves to position rev( k). In Figure 30.5, for example, the leaves appear in the order 0, 4, 2, 6, 1, 5, 3, 7. This sequence in binary is 000,
100, 010, 110, 001, 101, 011, 111, and you can obtain it by reversing the
bits of each number in the sequence 0, 1, 2, 3, 4, 6, 7 or, in binary, 000,
001, 010, 011, 100, 101, 110, 111. To see in general that the input vector
should be rearranged by a bit-reversal permutation, note that at the top
level of the tree, indices whose low-order bit is 0 go into the left subtree
and indices whose low-order bit is 1 go into the right subtree. Stripping
off the low-order bit at each level, continue this process down the tree,
until you get the order given by the bit-reversal permutation at the
leaves.
The full FFT circuit
Figure 30.6 depicts the entire circuit for n = 8. The circuit begins with a bit-reversal permutation of the inputs, followed by lg n stages, each stage consisting of n/2 butterflies executed in parallel. Assuming that each butterfly circuit has constant depth, the full circuit has depth Θ(lg
n). The butterfly operations at each level of recursion in the FFT
procedure are independent, and so the circuit performs them in parallel.
The figure shows wires running from left to right, carrying values
through the lg n stages. For s = 1, 2, … , lg n, stage s consists of n/2 s groups of butterflies, with 2 s−1 butterflies per group. The twiddle
factors in stage s are ,
, where m = 2 s.
Exercises
30.3-1
Show the values on the wires for each butterfly input and output in the
FFT circuit of Figure 30.6, given the input vector (0, 2, 3, −1, 4, 5, 7, 9).
30.3-2
Consider an FFT n circuit, such as in Figure 30.6, with wires 0, 1, … , n−1 (wire j has output yj) and stages numbered as in the figure. Stage s, for s = 1, 2 … , lg n, consists of n/2 s groups of butterflies. Which two wires are inputs and outputs for the j th butterfly circuit in the g th group in stage s?
30.3-3
Consider a b-bit integer k in the range 0 ≤ k < 2 b. Treating k as a b-
element vector over {0, 1}, describe a b × b matrix M such that the matrix-vector product Mk is the binary representation of rev( k).
Figure 30.6 A full circuit that computes the FFT in parallel, here shown for n = 8 inputs. It has
lg n stages, and each stage comprises n/2 butterflies that can operate in parallel. As in Figure
30.4, only the top and bottom wires entering a butterfly interact with it. For example, the top
butterfly in stage 2 has inputs and outputs only on wires 0 and 2 (the wires with outputs y 0 and y 2, respectively). This circuit has depth Θ(lg n) and performs Θ( n lg n) butterfly operations altogether.
30.3-4
Write
pseudocode
for
the
procedure
BIT-REVERSE-
PERMUTATION( a, n), which performs the bit-reversal permutation
on a vector a of length n in-place. Assume that you may call the procedure BIT-REVERSE-OF( k, b), which returns an integer that is the b-bit reversal of the nonnegative integer k, where 0 ≤ k < 2 b.
★ 30.3-5
Suppose that the adders within the butterfly operations of a given FFT
circuit sometimes fail in such a manner that they always produce a 0
output, independent of their inputs. In addition, suppose that exactly
one adder has failed, but you don’t know which one. Describe how you
can identify the failed adder by supplying inputs to the overall FFT
circuit and observing the outputs. How efficient is your method?
Problems
30-1 Divide-and-conquer multiplication
a. Show how to multiply two linear polynomials ax + b and cx + d using only three multiplications. ( Hint: One of the multiplications is ( a + b) ·
( c + d).)
b. Give two divide-and-conquer algorithms for multiplying two
polynomials of degree-bound n in Θ( n lg 3) time. The first algorithm
should divide the input polynomial coefficients into a high half and a
low half, and the second algorithm should divide them according to
whether their index is odd or even.
c. Show how to multiply two n-bit integers in O( n lg 3) steps, where each step operates on at most a constant number of 1-bit values.
30-2 Multidimensional fast Fourier transform
The 1-dimensional discrete Fourier transform defined by equation
(30.8) generalizes to d dimensions. The input is a d-dimensional array A
= ( aj 1, j 2,…, j ) whose dimensions are n
d
1, n 2, … , nd, where n 1 n 2 ⋯ nd =
n. The d-dimensional discrete Fourier transform is defined by the equation
for 0 ≤ k 1 < n 1, 0 ≤ k 2 < n 2, … , 0 ≤ kd < nd.
a. Show how to produce a d-dimensional DFT by computing 1-
dimensional DFTs on each dimension in turn. That is, first compute
n/ n 1 separate 1-dimensional DFTs along dimension 1. Then, using the
result of the DFTs along dimension 1 as the input, compute n/ n 2
separate 1-dimensional DFTs along dimension 2. Using this result as
the input, compute n/ n 3 separate 1-dimensional DFTs along
dimension 3, and so on, through dimension d.
b. Show that the ordering of dimensions does not matter, so that if you
compute the 1-dimensional DFTs in any order of the d dimensions,
you compute the d-dimensional DFT.
c. Show that if you compute each 1-dimensional DFT by computing the
fast Fourier transform, the total time to compute a d-dimensional
DFT is O( n lg n), independent of d.
30-3 Evaluating all derivatives of a polynomial at a point
Given a polynomial A( x) of degree-bound n, we define its t th derivative by
In this problem, you will show how to determine A( t)( x 0) for t = 0, 1, …
, n − 1, given the coefficient representation ( a 0, a 1, … , an−1) of A( x) and a point x 0.
a. Given coefficients b 0, b 1, … , bn−1 such that
show how to compute A( t)( x 0), for t = 0, 1, … , n − 1, in O( n) time.
b. Explain how to find b 0, b 1, … , bn−1 in O( n lg n) time, given for k = 0, 1, … , n − 1.
c. Prove that
where f( j) = aj · j! and
d. Explain how to evaluate
for k = 0, 1, … , n − 1 in O( n lg n)
time. Conclude that you can evaluate all nontrivial derivatives of A( x) at x 0 in O( n lg n) time.
30-4 Polynomial evaluation at multiple points
Problem 2-3 showed how to evaluate a polynomial of degree-bound n at
a single point in O( n) time using Horner’s rule. This chapter described how to evaluate such a polynomial at all n complex roots of unity in O( n lg n) time using the FFT. Now, you will show how to evaluate a
polynomial of degree-bound n at n arbitrary points in O( n lg2 n) time.
To do so, assume that you can compute the polynomial remainder
when one such polynomial is divided by another in O( n lg n) time. For example, the remainder of 3 x 3 + x 2 − 3 x + 1 when divided by x 2 + x +
2 is
(3 x 3 + x 2 − 3 x + 1) mod ( x 2 + x + 2) = −7 x + 5.
Given the coefficient representation of a polynomial
and n points x 0, x 1, … , xn−1, your goal is to compute the n values A( x 0), A( x 1), … , A( xn−1). For 0 ≤ i ≤ j ≤ n − 1, define the polynomials and Qij( x) = A( x) mod Pij( x). Note that Qij( x) has degree at most j − i.
a. Prove that A( x) mod ( x − z) = A( z) for any point z.
b. Prove that Qkk( x) = A( xk) and that Q 0, n−1( x) = A( x).
c. Prove that for i ≤ k ≤ j, we have both Qik( x) = Qij( x) mod Pik( x) and Qkj( x) = Qij( x) mod Pkj( x).
d. Give an O( n lg2 n)-time algorithm to evaluate A( x 0), A( x 1), … , A( xn−1).
30-5 FFT using modular arithmetic
As defined, the discrete Fourier transform requires computation with
complex numbers, which can result in a loss of precision due to round-
off errors. For some problems, the answer is known to contain only
integers, and a variant of the FFT based on modular arithmetic can
guarantee that the answer is calculated exactly. An example of such a
problem is that of multiplying two polynomials with integer coefficients.
Exercise 30.2-6 gives one approach, using a modulus of length Ω( n) bits
to handle a DFT on n points. This problem explores another approach
that uses a modulus of the more reasonable length O(lg n), but it requires that you understand the material of Chapter 31. Let n be an exact power of 2.
a. You wish to search for the smallest k such that p = kn + 1 is prime.
Give a simple heuristic argument why you might expect k to be
approximately ln n. (The value of k might be much larger or smaller,
but you can reasonably expect to examine O(lg n) candidate values of
k on average.) How does the expected length of p compare to the
length of n?
Let g be a generator of , and let w = gk mod p.
b. Argue that the DFT and the inverse DFT are well-defined inverse
operations modulo p, where w is used as a principal n th root of unity.
c. Show how to make the FFT and its inverse work modulo p in O( n lg n) time, where operations on words of O(lg n) bits take unit time.
Assume that the algorithm is given p and w.
d. Compute the DFT modulo p = 17 of the vector (0, 5, 3, 7, 7, 2, 1, 6).
( Hint: Verify and use the fact that g = 3 is a generator of .)
Chapter notes
Van Loan’s book [442] provides an outstanding treatment of the fast Fourier transform. Press, Teukolsky, Vetterling, and Flannery [365, 366]
offer a good description of the fast Fourier transform and its
applications. For an excellent introduction to signal processing, a
popular FFT application area, see the texts by Oppenheim and Schafer
[347] and Oppenheim and Willsky [348]. The Oppenheim and Schafer book also shows how to handle cases in which n is not an exact power
of 2.Fourier analysis is not limited to 1-dimensional data. It is widely
used in image processing to analyze data in two or more dimensions.
The books by Gonzalez and Woods [194] and Pratt [363] discuss multidimensional Fourier transforms and their use in image processing,
and books by Tolimieri, An, and Lu [439] and Van Loan [442] discuss the mathematics of multidimensional fast Fourier transforms.
Cooley and Tukey [101] are widely credited with devising the FFT in the 1960s. The FFT had in fact been discovered many times previously,
but its importance was not fully realized before the advent of modern
digital computers. Although Press, Teukolsky, Vetterling, and Flannery
attribute the origins of the method to Runge and König in 1924, an
article by Heideman, Johnson, and Burrus [211] traces the history of the FFT as far back as C. F. Gauss in 1805.
Frigo and Johnson [161] developed a fast and flexible
implementation of the FFT, called FFTW (“fastest Fourier transform in
the West”). FFTW is designed for situations requiring multiple DFT
computations on the same problem size. Before actually computing the
DFTs, FFTW executes a “planner,” which, by a series of trial runs,
determines how best to decompose the FFT computation for the given
problem size on the host machine. FFTW adapts to use the hardware
cache efficiently, and once subproblems are small enough, FFTW solves
them with optimized, straight-line code. Moreover, FFTW has the
advantage of taking Θ( n lg n) time for any problem size n, even when n is a large prime.
Although the standard Fourier transform assumes that the input
represents points that are uniformly spaced in the time domain, other
techniques can approximate the FFT on “nonequispaced” data. The
article by Ware [449] provides an overview.
1 Interpolation is a notoriously tricky problem from the point of view of numerical stability.
Although the approaches described here are mathematically correct, small differences in the inputs or round-off errors during computation can cause large differences in the result.
2 Many other authors define ωn differently: ωn = e−2 πi/ n. This alternative definition tends to be used for signal-processing applications. The underlying mathematics is substantially the same with either definition of ωn.
3 The length n is actually what Section 30.1 referred to as 2 n, since the degree-bound of the given polynomials doubles prior to evaluation. In the context of polynomial multiplication, therefore, we are actually working with complex (2 n)th roots of unity.
4 The downside of iteratively updating ω is that round-off errors can accumulate, especially for larger input sizes. Several techniques to limit the magnitude of FFT round-off errors have been proposed, but are beyond the scope of this book. If several FFTs are going to be run on inputs of the same size, then it might be worthwhile to directly precompute a table of all n/2 values of
.
31 Number-Theoretic Algorithms
Number theory was once viewed as a beautiful but largely useless
subject in pure mathematics. Today number-theoretic algorithms are
used widely, due in large part to the invention of cryptographic schemes
based on large prime numbers. These schemes are feasible because we
can find large primes quickly, and they are secure because we do not
know how to factor the product of large primes (or solve related
problems, such as computing discrete logarithms) efficiently. This
chapter presents some of the number theory and related algorithms that
underlie such applications.
We start in Section 31.1 by introducing basic concepts of number theory, such as divisibility, modular equivalence, and unique prime
factorization. Section 31.2 studies one of the world’s oldest algorithms: Euclid’s algorithm for computing the greatest common divisor of two
integers, and Section 31.3 reviews concepts of modular arithmetic.
Section 31.4 then explores the set of multiples of a given number a, modulo n, and shows how to find all solutions to the equation ax = b (mod n) by using Euclid’s algorithm. The Chinese remainder theorem is
presented in Section 31.5. Section 31.6 considers powers of a given number a, modulo n, and presents a repeated-squaring algorithm for efficiently computing ab mod n, given a, b, and n. This operation is at the heart of efficient primality testing and of much modern
cryptography, such as the RSA public-key cryptosystem described in
Section 31.7. We wrap up in Section 31.8, which examines a randomized
primality test. This test finds large primes efficiently, an essential step in creating keys for the RSA cryptosystem.
Size of inputs and cost of arithmetic computations
Because we’ll be working with large integers, we need to adjust how to
think about the size of an input and about the cost of elementary
arithmetic operations.
In this chapter, a “large input” typically means an input containing
“large integers” rather than an input containing “many integers” (as for
sorting). Thus, the size of an input depends on the number of bits
required to represent that input, not just the number of integers in the
input. An algorithm with integer inputs a 1, a 2, …, ak is a polynomial-time algorithm if it runs in time polynomial in 1g a 1, 1g a 2, …, 1g ak, that is, polynomial in the lengths of its binary-encoded inputs.
Most of this book considers the elementary arithmetic operations
(multiplications, divisions, or computing remainders) as primitive
operations that take one unit of time. Counting the number of such
arithmetic operations that an algorithm performs provides a basis for
making a reasonable estimate of the algorithm’s actual running time on
a computer. Elementary operations can be time-consuming, however,
when their inputs are large. It thus becomes appropriate to measure how
many bit operations a number-theoretic algorithm requires. In this
model, multiplying two β-bit integers by the ordinary method uses
Θ( β 2) bit operations. Similarly, dividing a β-bit integer by a shorter integer or taking the remainder of a β-bit integer when divided by a shorter integer requires Θ( β 2) time by simple algorithms. (See Exercise
31.1-12.) Faster methods are known. For example, a simple divide-and-
conquer method for multiplying two β-bit integers has a running time of
Θ( β 1g 3), and O( β 1g β 1g 1g β) time is possible. For practical purposes, however, the Θ( β 2) algorithm is often best, and we use this bound as a
basis for our analyses. In this chapter, we’ll usually analyze algorithms
in terms of both the number of arithmetic operations and the number of
bit operations they require.
31.1 Elementary number-theoretic notions
This section provides a brief review of notions from elementary number
theory concerning the set ℤ = {…, –2, –1, 0, 1, 2, …} of integers and the
set ℕ = {0, 1, 2, …} of natural numbers.
Divisibility and divisors
The notion of one integer being divisible by another is key to the theory
of numbers. The notation d | a (read “d divides a”) means that a = kd for some integer k. Every integer divides 0. If a > 0 and d | a, then | d| ≤ | a|. If d | a, then we also say that a is a multiple of d. If d does not divide a, we write d ∤ a.
If d | a and d ≥ 0, then d is a divisor of a. Since d | a if and only if – d |
a, without loss of generality, we define the divisors of a to be nonnegative, with the understanding that the negative of any divisor of
a also divides a. A divisor of a nonzero integer a is at least 1 but not greater than | a|. For example, the divisors of 24 are 1, 2, 3, 4, 6, 8, 12,
and 24.
Every positive integer a is divisible by the trivial divisors 1 and a. The nontrivial divisors of a are the factors of a. For example, the factors of 20 are 2, 4, 5, and 10.
Prime and composite numbers
An integer a > 1 whose only divisors are the trivial divisors 1 and a is a prime number or, more simply, a prime. Primes have many special properties and play a critical role in number theory. The first 20 primes,
in order, are
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71.
Exercise 31.1-2 asks you to prove that there are infinitely many primes.
An integer a > 1 that is not prime is a composite number or, more simply, a composite. For example, 39 is composite because 3 | 39. We call
the integer 1 a unit, and it is neither prime nor composite. Similarly, the
integer 0 and all negative integers are neither prime nor composite.
The division theorem, remainders, and modular equivalence
Given an integer n, we can partition the integers into those that are multiples of n and those that are not multiples of n. Much number theory is based upon refining this partition by classifying the integers
that are not multiples of n according to their remainders when divided
by n. The following theorem provides the basis for this refinement. We
omit the proof (but see, for example, Niven and Zuckerman [345]).
Theorem 31.1 (Division theorem)
For any integer a and any positive integer n, there exist unique integers q and r such that 0 ≤ r < n and a = qn + r.
▪
The value q = ⌊ a/ n⌊ is the quotient of the division. The value r = a mod n is the remainder (or residue) of the division, so that n | a if and only if a mod n = 0.
The integers partition into n equivalence classes according to their
remainders modulo n. The equivalence class modulo n containing an integer a is
[ a] n = { a + kn : k ∈ ℤ}.
For example, [3]7 = {…, –11, –4, 3, 10, 17, …}, and [–4]7 and [10]7 also
denote this set. With the notation defined on page 64, writing a ∈ [ b] n is the same as writing a = b (mod n). The set of all such equivalence classes is
When you see the definition
you should read it as equivalent to equation (31.1) with the
understanding that 0 represents [0] n, 1 represents [1] n, and so on. Each class is represented by its smallest nonnegative element. You should
keep the underlying equivalence classes in mind, however. For example,
if we refer to –1 as a member of ℤ n, we are really referring to [ n – 1] n, since –1 = n – 1 (mod n).
Common divisors and greatest common divisors
If d is a divisor of a and d is also a divisor of b, then d is a common divisor of a and b. For example, the divisors of 30 are 1, 2, 3, 5, 6, 10, 15, and 30, and so the common divisors of 24 and 30 are 1, 2, 3, and 6. Any
pair of integers has a common divisor of 1.
An important property of common divisors is that
More generally, for any integers x and y,
Also, if a | b, then either | a| ≤ | b| or b = 0, which implies that The greatest common divisor of two integers a and b which are not both 0, denoted by gcd( a, b), is the largest of the common divisors of a and b. For example, gcd(24, 30) = 6, gcd(5, 7) = 1, and gcd(0, 9) = 9. If
a and b are both nonzero, then gcd( a, b) is an integer between 1 and min
{| a|, | b|}. We define gcd(0, 0) to be 0, so that standard properties of the gcd function (such as equation (31.9) below) hold universally.
Exercise 31.1-9 asks you to prove the following elementary properties
of the gcd function:
The following theorem provides an alternative and useful way to
characterize gcd( a, b).
Theorem 31.2
If a and b are any integers, not both zero, then gcd( a, b) is the smallest positive element of the set { ax + by : x, y ∈ ℤ} of linear combinations of a and b.
Proof Let s be the smallest positive such linear combination of a and b, and let s = ax + by for some x, y ∈ ℤ. Let q = ⌊ a/ s⌊. Equation (3.11) on page 64 then implies
a mod s = a – qs
= a – q( ax + by)
= a (1 – qx) + b (– qy),
so that a mod s is a linear combination of a and b as well. Because s is the smallest positive such linear combination and 0 ≤ a mod s < s (inequality (3.12) on page 64), a mod s cannot be positive. Hence, a mod s = 0. Therefore, we have that s | a and, by analogous reasoning, s | b.
Thus, s is a common divisor of a and b, so that gcd( a, b) ≥ s. By definition, gcd( a, b) divides both a and b, and s is defined as a linear combination of a and b. Equation (31.4) therefore implies that gcd( a, b)
| s. But gcd( a, b) | s and s > 0 imply that gcd( a, b) ≤ s. Combining gcd( a, b) ≥ s and gcd( a, b) ≤ s yields gcd( a, b) = s. We conclude that s, the smallest positive linear combination of a and b, is also their greatest common divisor.
▪
Theorem 31.2 engenders three useful corollaries.
Corollary 31.3
For any integers a and b, if d | a and d | b, then d | gcd( a, b).
Proof This corollary follows from equation (31.4) and Theorem 31.2,
because gcd( a, b) is a linear combination of a and b,
▪
Corollary 31.4
For all integers a and b and any nonnegative integer n, we have gcd( an, bn) = n gcd( a, b).
Proof If n = 0, the corollary is trivial. If n > 0, then gcd( an, bn) is the smallest positive element of the set { anx + bny : x, y ∈ ℤ}, which in turn is n times the smallest positive element of the set { ax + by : x, y ∈
ℤ}.
▪
Corollary 31.5
For all positive integers n, a, and b, if n | ab and gcd( a, n) = 1, then n | b.
Proof Exercise 31.1-5 asks you to provide the proof.
▪
Relatively prime integers
Two integers a and b are relatively prime if their only common divisor is 1, that is, if gcd( a, b) = 1. For example, 8 and 15 are relatively prime, since the divisors of 8 are 1, 2, 4, and 8, and the divisors of 15 are 1, 3,
5, and 15. The following theorem states that if two integers are each
relatively prime to an integer p, then their product is relatively prime to
p.
Theorem 31.6
For any integers a, b, and p, we have gcd( ab, p) = 1 if and only if gcd( a, p) = 1 and gcd( b, p) = 1 both hold.
Proof If gcd( a, p) = 1 and gcd( b, p) = 1, then it follows from Theorem 31.2 that there exist integers x, y, x′, and y′ such that ax + py = 1,
bx′ + py′ = 1.
Multiplying these equations and rearranging gives
ab( xx′) + p( ybx′ + y′ ax + pyy′) = 1.
Since 1 is thus a positive linear combination of ab and p, it is the smallest positive linear combination. Applying Theorem 31.2 implies
gcd( ab, p) = 1, completing the proof in this direction.
Conversely, if gcd( ab, p) = 1, then Theorem 31.2 implies that there
exist integers x and y such that
abx + py = 1.
Writing abx as a( bx) and applying Theorem 31.2 again proves that gcd( a, p) = 1. Proving that gcd( b, p) = 1 is similar.
▪
Integers n 1, n 2, …, nk are pairwise relatively prime if gcd( ni, nj) = 1
for 1 ≤ i < j ≤ k.
Unique prime factorization
An elementary but important fact about divisibility by primes is the
following.
Theorem 31.7
For all primes p and all integers a and b, if p | ab, then p | a or p | b (or both).
Proof Assume for the purpose of contradiction that p | ab, but that p ∤
a and p ∤ b. Because p > 1 and ab = kp for some k ∈ ℤ, equation (31.10) gives that gcd( ab, p) = p. We also have that gcd( a, p) = 1 and gcd( b, p) =
1, since the only divisors of p are 1 and p, and we assumed that p divides neither a nor b. Theorem 31.6 then implies that gcd( ab, p) = 1, contradicting gcd( ab, p) = p. This contradiction completes the proof.
▪
A consequence of Theorem 31.7 is that any composite integer can be
uniquely factored into a product of primes. Exercise 31.1-11 asks you to
provide a proof.
Theorem 31.8 (Unique prime factorization)
There is exactly one way to write any composite integer a as a product
of the form
where the pi are prime, p 1 < p 2 < … < pr, and the ei are positive integers.
▪
As an example, the unique prime factorization of the number 6000 is
24 · 31 · 53.
Exercises
31.1-1
Prove that if a > b > 0 and c = a + b, then c mod a = b.
31.1-2
Prove that there are infinitely many primes. ( Hint: Show that none of the primes p 1, p 2, …, pk divide ( p 1 p 2 ⋯ pk) + 1.) 31.1-3
Prove that if a | b and b | c, then a | c.
31.1-4
Prove that if p is prime and 0 < k < p, then gcd( k, p) = 1.
31.1-5
Prove Corollary 31.5.
31.1-6
Prove that if p is prime and 0 < k < p, then . Conclude that for all integers a and b and all primes p,
( a + b) p = ap + bp (mod p).
31.1-7
Prove that if a and b are any positive integers such that a | b, then ( x mod b) mod a = x mod a
for any x. Prove, under the same assumptions, that
x = y (mod b) implies x = y (mod a)
31.1-8
For any integer k > 0, an integer n is a kth power if there exists an integer a such that ak = n. Furthermore, n > 1 is a nontrivial power if it is a k th power for some integer k > 1. Show how to determine whether a given β-bit integer n is a nontrivial power in time polynomial in β.
31.1-9
Prove equations (31.6)–(31.10).
31.1-10
Show that the gcd operator is associative. That is, prove that for all
integers a, b, and c, we have
gcd( a, gcd( b, c)) = gcd(gcd( a, b), c).
★ 31.1-11
Prove Theorem 31.8.
31.1-12
Give efficient algorithms for the operations of dividing a β-bit integer by
a shorter integer and of taking the remainder of a β-bit integer when divided by a shorter integer. Your algorithms should run in Θ( β 2) time.
31.1-13
Give an efficient algorithm to convert a given β-bit (binary) integer to a
decimal representation. Argue that if multiplication or division of
integers whose length is at most β takes M( β) time, where M( β) = Ω( β), then you can convert binary to decimal in O( M( β) 1g β) time. ( Hint: Use a divide-and-conquer approach, obtaining the top and bottom halves of
the result with separate recursions.)
31.1-14
Professor Marshall sets up n lightbulbs in a row. The lightbulbs all have
switches, so that if he presses a bulb, it toggles on if it was off and off if
it was on. The lightbulbs all start off. For i = 1, 2, 3, …, n, the professor
presses bulb i, 2 i, 3 i, …. After the last press, which lightbulbs are on?
Prove your answer.
In this section, we describe Euclid’s algorithm for efficiently computing
the greatest common divisor of two integers. When we analyze the
running time, we’ll see a surprising connection with the Fibonacci
numbers, which yield a worst-case input for Euclid’s algorithm.
We restrict ourselves in this section to nonnegative integers. This
restriction is justified by equation (31.8), which states that gcd( a, b) =
gcd(| a|, | b|).
In principle, for positive integers a and b, their prime factorizations suffice to compute gcd( a, b). Indeed, if
with 0 exponents being used to make the set of primes p 1, p 2, …, pr the same for both a and b, then, as Exercise 31.2-1 asks you to show,
The best algorithms to date for factoring do not run in polynomial time.
Thus, this approach to computing greatest common divisors seems
unlikely to yield an efficient algorithm.
Euclid’s algorithm for computing greatest common divisors relies on
the following theorem.
Theorem 31.9 (GCD recursion theorem)
For any nonnegative integer a and any positive integer b,
gcd( a, b) = gcd( b, a mod b).
Proof We will show that gcd( a, b) and gcd( b, a mod b) divide each other. Since they are both nonnegative, equation (31.5) then implies that
they must be equal.
We first show that gcd( a, b) | gcd( b, a mod b). If we let d = gcd( a, b), then d | a and d | b. By equation (3.11) on page 64, a mod b = a – qb, where q = ⌊ a/ b⌊. Since a mod b is thus a linear combination of a and b, equation (31.4) implies that d | ( a mod b). Therefore, since d | b and d | ( a mod b), Corollary 31.3 implies that d | gcd( b, a mod b), that is, Showing that gcd( b, a mod b) | gcd( a, b) is almost the same. If we now let d = gcd( b, a mod b), then d | b and d | ( a mod b). Since a = qb +
( a mod b), where q = ⌊ a/ b⌊, we have that a is a linear combination of b and ( a mod b). By equation (31.4), we conclude that d | a. Since d | b and d | a, we have that d | gcd( a, b) by Corollary 31.3, so that Using equation (31.5) to combine equations (31.14) and (31.15)
completes the proof.
▪
Euclid’s algorithm
Euclid’s Elements (circa 300 B.C.E.) describes the following gcd
algorithm, although its origin might be even earlier. The recursive
procedure EUCLID implements Euclid’s algorithm, based directly on
Theorem 31.9. The inputs a and b are arbitrary nonnegative integers.
EUCLID( a, b)
1 if b == 0
2
return a
3 else return EUCLID( b, a mod b)
For example, here is how the procedure computes gcd(30, 21):
EUCLID(30, 21) = EUCLID(21, 9)
= EUCLID(9, 3)
= EUCLID(3, 0)
This computation calls EUCLID recursively three times.
The correctness of EUCLID follows from Theorem 31.9 and the
property that if the algorithm returns a in line 2, then b = 0, so that by equation (31.9), gcd( a, b) = gcd( a, 0) = a. The algorithm cannot recurse indefinitely, since the second argument strictly decreases in each
recursive call and is always nonnegative. Therefore, EUCLID always
terminates with the correct answer.
The running time of Euclid’s algorithm
Let’s analyze the worst-case running time of EUCLID as a function of
the size of a and b. The overall running time of EUCLID is
proportional to the number of recursive calls it makes. The analysis
assumes that a > b ≥ 0, that is, the first argument is greater than the second argument. Why? If b = a > 0, then a mod b = 0 and the procedure terminates after one recursive call. If b > a ≥ 0, then the procedure makes just one more recursive call than when a > b, because in this case EUCLID( a, b) immediately makes the recursive call
EUCLID( b, a), and now the first argument is greater than the second.
Our analysis relies on the Fibonacci numbers Fk, defined by the
recurrence equation (3.31) on page 69.
Lemma 31.10
If a > b ≥ 1 and the call EUCLID( a, b) performs k ≥ 1 recursive calls, then a ≥ Fk+2 and b ≥ Fk+1.
Proof The proof proceeds by induction on k. For the base case of the
induction, let k = 1. Then, b ≥ 1 = F 2, and since a > b, we must have a ≥
2 = F 3. Since b > ( a mod b), in each recursive call the first argument is strictly larger than the second. The assumption that a > b therefore holds for each recursive call.
Assuming inductively that the lemma holds if the procedure makes k
– 1 recursive calls, we shall prove that the lemma holds for k recursive
calls. Since k > 0, we have b > 0, and EUCLID( a, b) calls EUCLID( b, a
mod b) recursively, which in turn makes k – 1 recursive calls. The inductive hypothesis then implies that b ≥ Fk+1 (thus proving part of the lemma), and a mod b ≥ Fk. We have
b + ( a mod b) = b + ( a – b ⌊ a/ b⌊) (by equation (3.11))
≤ a,
since a > b > 0 implies ⌊ a/ b⌊ ≥ 1. Thus,
a ≥ b + ( a mod b)
≥ Fk+1 + Fk
= Fk+2.
▪
The following theorem is an immediate corollary of this lemma.
Theorem 31.11 (Lamé’s theorem)
For any integer k ≥ 1, if a > b ≥ 1 and b < Fk+1, then the call EUCLID( a, b) makes fewer than k recursive calls.
▪
To show that the upper bound of Theorem 31.11 is the best possible,
we’ll show that the call EUCLID( Fk+1, Fk) makes exactly k – 1
recursive calls when k ≥ 2. We use induction on k. For the base case, k =
2, and the call EUCLID( F 3, F 2) makes exactly one recursive call, to EUCLID(1, 0). (We have to start at k = 2, because when k = 1 we do
not have F 2 > F 1.) For the inductive step, assume that EUCLID( Fk, Fk−1) makes exactly k – 2 recursive calls. For k > 2, we have Fk > Fk−1
> 0 and Fk+1 = Fk + Fk−1, and so by Exercise 31.1-1, we have Fk+1
mod Fk = Fk−1. Because EUCLID( a, b) calls EUCLID( b, a mod b) when b > 0, the call EUCLID( Fk+1, Fk) recurses one time more than the call EUCLID( Fk, Fk−1), or exactly k – 1 times, which meets the upper bound given by Theorem 31.11.
Since Fk is approximately
, where ϕ is the golden ratio
defined by equation (3.32) on page 69, the number of
recursive calls in EUCLID is O(1g b). (See Exercise 31.2-5 for a tighter bound.) Therefore, a call of EUCLID on two β-bit numbers performs
O( β) arithmetic operations and O( β 3) bit operations (assuming that multiplication and division of β-bit numbers take O( β 2) bit operations).
Problem 31-2 asks you to prove an O( β 2) bound on the number of bit
operations.
The extended form of Euclid’s algorithm
By rewriting Euclid’s algorithm, we can gain additional useful
information. Specifically, let’s extend the algorithm to compute the
integer coefficients x and y such that
where either or both of x and y may be zero or negative. These coefficients will prove useful later for computing modular multiplicative
inverses. The procedure EXTENDED-EUCLID takes as input a pair of
nonnegative integers and returns a triple of the form ( d, x, y) that satisfies equation (31.16). As an example, Figure 31.1 traces out the call EXTENDED-EUCLID(99, 78).
EXTENDED-EUCLID( a, b)
1 if b == 0
2
return ( a, 1, 0)
3 else ( d′, x′, y′) = EXTENDED-EUCLID( b, a mod b) 4
( d, x, y) = ( d′, y′, x′ – ⌊ a/ b⌊ y′) 5
return ( d, x, y)
The EXTENDED-EUCLID procedure is a variation of the
EUCLID procedure. Line 1 is equivalent to the test “b == 0” in line 1 of
EUCLID. If b = 0, then EXTENDED-EUCLID returns not only d = a
in line 2, but also the coefficients x = 1 and y = 0, so that a = ax + by. If
b ≠ 0, EXTENDED-EUCLID first computes ( d′, x′, y′) such that d′ =
gcd( b, a mod b) and
As in the EUCLID procedure, we have d = gcd( a, b) = d′ = gcd( b, a mod b). To obtain x and y such that d = ax + by, let’s rewrite equation (31.17), setting d = d′ and using equation (3.11):
Figure 31.1 How EXTENDED-EUCLID computes gcd(99, 78). Each line shows one level of the recursion: the values of the inputs a and b, the computed value ⌊ a/ b⌊, and the values d, x, and y returned. The triple ( d, x, y) returned becomes the triple ( d′, x′, y′) used at the next higher level of recursion. The call EXTENDED-EUCLID(99, 78) returns (3, –11, 14), so that gcd(99, 78) = 3 = 99 · (–11) + 78 · 14.
d = bx′ + ( a – b ⌊ a/ b⌊) y′
= ay′ + b( x′ – ⌊ a/ b⌊ y′).
Thus, choosing x = y′ and y = x′ – ⌊ a/ b⌊ y′ satisfies the equation d = ax
+ by, thereby proving the correctness of EXTENDED-EUCLID.
Since the number of recursive calls made in EUCLID is equal to the
number of recursive calls made in EXTENDED-EUCLID, the running
times of EUCLID and EXTENDED-EUCLID are the same, to within
a constant factor. That is, for a > b > 0, the number of recursive calls is O(1g b).
Exercises
31.2-1
Prove that equations (31.11) and (31.12) imply equation (31.13).
31.2-2
Compute the values ( d, x, y) that the call EXTENDED-EUCLID(899, 493) returns.
31.2-3
Prove that for all integers a, k, and n,
Use equation (31.18) to show that a = 1 (mod n) implies gcd( a, n) = 1.
31.2-4
Rewrite EUCLID in an iterative form that uses only a constant amount
of memory (that is, stores only a constant number of integer values).
31.2-5
If a > b ≥ 0, show that the call EUCLID ( a, b) makes at most 1 + log ϕ b recursive calls. Improve this bound to 1 + log ϕ( b/gcd( a, b)).
31.2-6
What does EXTENDED-EUCLID( Fk+1, Fk) return? Prove your
answer correct.
31.2-7
Define the gcd function for more than two arguments by the recursive
equation gcd( a 0, a 1, …, an) = gcd( a 0, gcd( a 1, a 2, …, an)). Show that the gcd function returns the same answer independent of the order in
which its arguments are specified. Also show how to find integers x 0, x 1, …, xn such that gcd( a 0, a 1, …, an) = a 0 x 0 + a 1 x 1 + ⋯ + anxn.
Show that the number of divisions performed by your algorithm is O( n
+ 1g(max { a 0, a 1, …, an})).
31.2-8
The least common multiple 1cm( a 1, a 2, …, an) of integers a 1, a 2, …, an is the smallest nonnegative integer that is a multiple of each ai. Show
how to compute 1cm( a 1, a 2, …, an) efficiently using the (two-argument) gcd operation as a subroutine.
Prove that n 1, n 2, n 3, and n 4 are pairwise relatively prime if and only if gcd( n 1 n 2, n 3 n 4) = gcd( n 1 n 3, n 2 n 4) = 1.
More generally, show that n 1, n 2, …, nk are pairwise relatively prime if and only if a set of ⌈1g k⌉ pairs of numbers derived from the ni are relatively prime.
Informally, you can think of modular arithmetic as arithmetic as usual
over the integers, except that when working modulo n, then every result
x is replaced by the element of {0, 1, …, n – 1} that is equivalent to x, modulo n (so that x is replaced by x mod n). This informal model suffices if you stick to the operations of addition, subtraction, and
multiplication. A more formal model for modular arithmetic, which
follows, is best described within the framework of group theory.
Finite groups
A group ( S, ⊕) is a set S together with a binary operation ⊕ defined on S for which the following properties hold:
1. Closure: For all a, b ∈ S, we have a ⊕ b ∈ S.
2. Identity: There exists an element e ∈ S, called the identity of the group, such that e ⊕ a = a ⊕ e = a for all a ∈ S.
3. Associativity: For all a, b, c ∈ S, we have ( a ⊕ b) ⊕ c = a ⊕ ( b ⊕
c).
4. Inverses: For each a ∈ S, there exists a unique element b ∈ S, called the inverse of a, such that a ⊕ b = b ⊕ a = e.
As an example, consider the familiar group (ℤ, +) of the integers ℤ
under the operation of addition: 0 is the identity, and the inverse of a is
– a. An abelian group ( S, ⊕) satisfies the commutative law a ⊕ b = b ⊕ a
for all a, b ∈ S. The size of group ( S, ⊕) is | S|, and if | S| < ∞, then ( S,
⊕) is a finite group.
The groups defined by modular addition and multiplication
We can form two finite abelian groups by using addition and
multiplication modulo n, where n is a positive integer. These groups are based on the equivalence classes of the integers modulo n, defined in
To define a group on ℤ n, we need suitable binary operations, which
we obtain by redefining the ordinary operations of addition and
multiplication. We can define addition and multiplication operations for
ℤ n, because the equivalence class of two integers uniquely determines
the equivalence class of their sum or product. That is, if a = a′ (mod n) and b = b′ (mod n), then
a + b = a′ + b′ (mod n),
ab
= a′ b′
(mod n).
Thus, we define addition and multiplication modulo n, denoted + n and
· n, by
(We can define subtraction similarly on ℤ n by [ a] n – n [ b] n = [ a – b] n, but division is more complicated, as we’ll see.) These facts justify the
common and convenient practice of using the smallest nonnegative
element of each equivalence class as its representative when performing
computations in ℤ n. We add, subtract, and multiply as usual on the
representatives, but we replace each result x by the representative of its
class, that is, by x mod n.
Figure 31.2 Two finite groups. Equivalence classes are denoted by their representative elements.
(a) The group (ℤ6, +6). (b) The group
.
Using this definition of addition modulo n, we define the additive group modulo n as (ℤ n, + n). The size of the additive group modulo n is |
ℤ n| = n. Figure 31.2(a) gives the operation table for the group (ℤ6, +6).
Theorem 31.12
The system (ℤ n, + n) is a finite abelian group.
Proof Equation (31.19) shows that (ℤ n, + n) is closed. Associativity and commutativity of + n follow from the associativity and commutativity of
+:
([ a] n + n [ b] n) + n [ c] n = [ a + b] n + n [ c] n
= [( a + b) + c] n
= [ a + ( b + c)] n
= [ a] n + n [ b + c] n
= [ a] n + n ([ b] n + n [ c] n),
[ a] n + n [ b] n = [ a + b] n
= [ b + a] n
= [ b] n + n [ a] n.
The identity element of (ℤ n, + n) is 0 (that is, [0] n). The (additive) inverse of an element a (that is, of [ a] n) is the element – a (that is, [– a] n or [ n –
a] n), since [ a] n + n [– a] n = [ a – a] n = [0] n.
▪
Using the definition of multiplication modulo n, we define the
multiplicative group modulo n as
. The elements of this group are
the set of elements in ℤ n that are relatively prime to n, so that each one has a unique inverse, modulo n:
To see that is well defined, note that for 0 ≤ a < n, we have a = ( a +
kn) (mod n) for all integers k. By Exercise 31.2-3, therefore, gcd( a, n) = 1
implies gcd( a + kn, n) = 1 for all integers k. Since [ a] n = { a + kn : k ∈
ℤ}, the set is well defined. An example of such a group is
where the group operation is multiplication modulo 15. (We have
denoted an element [ a]15 as a, and thus, for example, we denote [7]15 as 7.) Figure 31.2(b) shows the group
. For example, 8 · 11 = 13
(mod 15), working in . The identity for this group is 1.
Theorem 31.13
The system
is a finite abelian group.
Proof Theorem 31.6 implies that
is closed. Associativity and
commutativity can be proved for · n as they were for + n in the proof of
Theorem 31.12. The identity element is [1] n. To show the existence of
inverses, let a be an element of and let ( d, x, y) be returned by EXTENDED-EUCLID( a, n). Then we have d = 1, since
, and
or equivalently,
ax = 1 (mod n).
Thus [ x] n is a multiplicative inverse of [ a] n, modulo n. Furthermore, we claim that
. To see why, equation (31.20) demonstrates that the
smallest positive linear combination of x and n must be 1. Therefore, Theorem 31.2 implies that gcd( x, n) = 1. We defer the proof that inverses are uniquely defined until Corollary 31.26 in Section 31.4.
▪
As an example of computing multiplicative inverses, suppose that a
= 5 and n = 11. Then EXTENDED-EUCLID( a, n) returns ( d, x, y) =
(1, –2, 1), so that 1 = 5 · (–2) + 11 · 1. Thus, [–2]11 (i.e., [9]11) is the
multiplicative inverse of [5]11.
When working with the groups (ℤ n, + n) and
in the remainder
of this chapter, we follow the convenient practice of denoting
equivalence classes by their representative elements and denoting the
operations + n and · n by the usual arithmetic notations + and · (or juxtaposition, so that ab = a · b) respectively. Furthermore, equivalences modulo n may also be interpreted as equations in ℤ n. For example, the
following two statements are equivalent:
ax = b (mod n)
and
[ a] n · n [ x] n = [ b] n.
As a further convenience, we sometimes refer to a group ( S, ⊕)
merely as S when the operation ⊕ is understood from context. We may
thus refer to the groups (ℤ n, + n) and
as just ℤ n and ,
respectively.
We denote the (multiplicative) inverse of an element a by ( a−1 mod
n). Division in is defined by the equation a/ b = ab−1 (mod n). For example, in we have that 7−1 = 13 (mod 15), since 7 · 13 = 91 = 1
(mod 15), so that 2/7 = 2 · 13 = 11 (mod 15).
The size of is denoted ϕ( n). This function, known as Euler’s phi function, satisfies the equation
so that p runs over all the primes dividing n (including n itself, if n is prime). We won’t prove this formula here. Intuitively, begin with a list of
the n remainders {0, 1, …, n – 1} and then, for each prime p that divides n, cross out every multiple of p in the list. For example, since the prime divisors of 45 are 3 and 5,
If p is prime, then
, and
If n is composite, then ϕ( n) < n – 1, although it can be shown that for n ≥ 3, where γ = 0.5772156649 … is Euler’s constant. A somewhat simpler (but looser) lower bound for n > 5 is
The lower bound (31.23) is essentially the best possible, since
Subgroups
If ( S, ⊕) is a group, S′ ⊆ S, and ( S′, ⊕) is also a group, then ( S′, ⊕) is a subgroup of ( S, ⊕). For example, the even integers form a subgroup of
the integers under the operation of addition. The following theorem,
whose proof we leave as Exercise 31.3-3, provides a useful tool for
recognizing subgroups.
Theorem 31.14 (A nonempty closed subset of a finite group is a subgroup)
If ( S, ⊕) is a finite group and S′ is any nonempty subset of S such that a
⊕ b ∈ S′ for all a, b ∈ S′, then ( S′, ⊕) is a subgroup of ( S, ⊕).
▪
For example, the set {0, 2, 4, 6} forms a subgroup of ℤ8, since it is
nonempty and closed under the operation + (that is, it is closed under
+8).The following theorem, whose proof is omitted, provides an
extremely useful constraint on the size of a subgroup.
Theorem 31.15 (Lagrange’s theorem)
If ( S, ⊕) is a finite group and ( S′, ⊕) is a subgroup of ( S, ⊕), then | S′| is a divisor of | S|.
▪
A subgroup S′ of a group S is a proper subgroup if S′ ≠ S. We’ll use the following corollary in the analysis in Section 31.8 of the Miller-Rabin primality test procedure.
Corollary 31.16
If S′ is a proper subgroup of a finite group S, then | S′| ≤ | S|/2.
▪
Subgroups generated by an element
Theorem 31.14 affords us a straightforward way to produce a subgroup
of a finite group ( S, ⊕): choose an element a and take all elements that can be generated from a using the group operation. Specifically, define
a( k) for k ≥ 1 by
For example, taking a = 2 in the group ℤ6 yields the sequence
a(1), a(2), a(3), … = 2, 4, 0, 2, 4, 0, 2, 4, 0, ….
We have a( k) = ka mod n in the group ℤ n, and a( k) = ak mod n in the group . We define the subgroup generated by a, denoted 〈 a〉 or (〈 a〉, ⊕), by
〈 a〉 = { a( k) : k ≥ 1}.
We say that a generates the subgroup 〈 a〉 or that a is a generator of 〈 a〉.
Since S is finite, 〈 a〉 is a finite subset of S, possibly including all of S.
Since the associativity of ⊕ implies
a( i) ⊕ a( j) = a( i+ j),
〈 a〉 is closed and therefore, by Theorem 31.14, 〈 a〉 is a subgroup of S.
For example, in ℤ6, we have
〈0〉 = {0},
〈1〉 = {0, 1, 2, 3, 4, 5},
〈2〉 = {0, 2, 4}.
Similarly, in , we have
〈1〉 = {1},
〈2〉 = {1, 2, 4},
〈3〉 = {1, 2, 3, 4, 5, 6}.
The order of a (in the group S), denoted ord( a), is defined as the smallest positive integer t such that a( t) = e. (Recall that e ∈ S is the group identity.)
For any finite group ( S, ⊕) and any a ∈ S, the order of a is equal to the size of the subgroup it generates, or ord( a) = |〈 a〉|.
Proof Let t = ord( a). Since a( t) = e and a( t+ k) = a( t) ⊕ a( k) = a( k) for k ≥ 1, if i > t, then a( i) = a( j) for some j < i. Therefore, as we generate elements by a, we see no new elements after a( t). Thus, 〈 a〉 = { a(1), a(2),
…, a( t)}, and so |〈 a〉| ≤ t. To show that |〈 a〉| ≥ t, we show that each element of the sequence a(1), a(2), …, a( t) is distinct. Suppose for the purpose of contradiction that a( i) = a( j) for some i and j satisfying 1 ≤ i
< j ≤ t. Then, a( i+ k) = a( j+ k) for k ≥ 0. But this equation implies that a( i+( t– j)) = a( j+( t– j)) = e, a contradiction, since i + ( t – j) < t but t is the least positive value such that a( t) = e. Therefore, each element of the sequence a(1), a(2), …, a( t) is distinct, and |〈 a〉| ≥ t. We conclude that ord( a) = |〈 a〉|.
▪
Corollary 31.18
The sequence a(1), a(2), … is periodic with period t = ord( a), that is, a( i)
= a( j) if and only if i = j (mod t).
▪
Consistent with the above corollary, we define a(0) as e and a( i) as a( i mod t), where t = ord( a), for all integers i.
Corollary 31.19
If ( S, ⊕) is a finite group with identity e, then for all a ∈ S, a(| S|) = e.
Proof Lagrange’s theorem (Theorem 31.15) implies that ord( a) | | S|, and so | S| = 0 (mod t), where t = ord( a). Therefore, a(| S|) = a(0) = e.
▪
Exercises
31.3-1
Draw the group operation tables for the groups (ℤ4, +4) and
.
Show that these groups are isomorphic by exhibiting a one-to-one
correspondence f between ℤ4 and such that a+ b = c (mod 4) if and only if f( a)· f( b) = f( c) (mod 5).
31.3-2
List all subgroups of ℤ9 and of .
31.3-3
Prove Theorem 31.14.
31.3-4
Show that if p is prime and e is a positive integer, then
ϕ( pe) = pe–1( p – 1).
31.3-5
Show that for any integer n > 1 and for any
, the function
defined by fa( x) = ax mod n is a permutation of .
31.4 Solving modular linear equations
We now consider the problem of finding solutions to the equation
where a > 0 and n > 0. This problem has several applications. For example, we’ll use it in Section 31.7 as part of the procedure to find keys in the RSA public-key cryptosystem. We assume that a, b, and n are given, and we wish to find all values of x, modulo n, that satisfy equation (31.26). The equation may have zero, one, or more than one
such solution.
Let 〈 a〉 denote the subgroup of ℤ n generated by a. Since 〈 a〉 = { a( x) : x > 0} = { ax mod n : x > 0}, equation (31.26) has a solution if and only if [ b] ∈ 〈 a〉. Lagrange’s theorem (Theorem 31.15) tells us that |〈 a〉| must be a divisor of n. The following theorem gives us a precise
characterization of 〈 a〉.
Theorem 31.20
For any positive integers a and n, if d = gcd( a, n), then we have
〈 a〉 = 〈 d〉
= {0, d, 2 d, …, (( n/ d) – 1) d}
in ℤ n, and thus
|〈 a〉| = n/ d.
Proof We begin by showing that d ∈ 〈 a〉. Recall that EXTENDED-EUCLID( a, n) returns a triple ( d, x, y) such that ax + ny = d. Thus, ax
= d (mod n), so that d ∈ 〈 a〉. In other words, d is a multiple of a in ℤ n.
Since d ∈ 〈 a〉, it follows that every multiple of d belongs to 〈 a〉, because any multiple of a multiple of a is itself a multiple of a. Thus, 〈 a〉
contains every element in {0, d, 2 d, …, (( n/ d) – 1) d}. That is, 〈 d〉 ⊆ 〈 a〉.
We now show that 〈 a〉 ⊆ 〈 d〉. If m ∈ 〈 a〉, then m = ax mod n for some integer x, and so m = ax + ny for some integer y. Because d = gcd( a, n), we know that d | a and d | n, and so d | m by equation (31.4). Therefore, m ∈ 〈 d〉.
Combining these results, we have that 〈 a〉 = 〈 d〉. To see that |〈 a〉| =
n/ d, observe that there are exactly n/ d multiples of d between 0 and n – 1, inclusive.
▪
Corollary 31.21
The equation ax = b (mod n) is solvable for the unknown x if and only if d | b, where d = gcd( a, n).
Proof The equation ax = b (mod n) is solvable if and only if [ b] ∈ 〈 a〉, which is the same as saying
( b mod n) ∈ {0, d, 2 d, …, (( n/ d) – 1) d}, by Theorem 31.20. If 0 ≤ b < n, then b ∈ 〈 a〉 if and only if d | b, since the members of 〈 a〉 are precisely the multiples of d. If b < 0 or b ≥ n, the corollary then follows from the observation that d | b if and only if d | ( b mod n), since b and b mod n differ by a multiple of n, which is itself a multiple of d.
▪
Corollary 31.22
The equation ax = b (mod n) either has d distinct solutions modulo n, where d = gcd( a, n), or it has no solutions.
Proof If ax = b (mod n) has a solution, then b ∈ 〈 a〉. By Theorem 31.17, ord( a) = |〈 a〉|, and so Corollary 31.18 and Theorem 31.20 imply
that the sequence ai mod n, for i = 0, 1, …, is periodic with period |〈 a〉| =
n/ d. If b ∈ 〈 a〉, then b appears exactly d times in the sequence ai mod n, for i = 0, 1, …, n – 1, since the length-( n/ d) block of values 〈 a〉 repeats exactly d times as i increases from 0 to n–1. The indices x of the d positions for which ax mod n = b are the solutions of the equation ax =
b (mod n).
▪
Theorem 31.23
Let d = gcd( a, n), and suppose that d = ax′ + ny′ for some integers x′
and y′ (for example, as computed by EXTENDED-EUCLID). If d | b, then the equation ax = b (mod n) has as one of its solutions the value x 0, where
x 0 = x′( b/ d) mod n.
Proof We have
ax 0 = ax′( b/ d) (mod n)
= d( b/ d) (mod n) (because ax′ = d (mod n))
= b
(mod n),
and thus x 0 is a solution to ax = b (mod n).
▪
Theorem 31.24
Suppose that the equation ax = b (mod n) is solvable (that is, d | b, where d = gcd( a, n)) and that x 0 is any solution to this equation. Then, this equation has exactly d distinct solutions, modulo n, given by xi = x 0
+ i( n/ d) for i = 0, 1, …, d – 1.
Proof Because n/ d > 0 and 0 ≤ i( n/ d) < n for i = 0, 1, …, d – 1, the values x 0, x 1, …, xd–1 are all distinct, modulo n. Since x 0 is a solution of ax = b (mod n), we have ax 0 mod n = b (mod n). Thus, for i = 0, 1,
…, d – 1, we have
axi mod = a( x 0 + in/ d) mod n
n
= ( ax 0 + ain/ d) mod n
= ax 0 mod n (because d | a implies that ain/ d is a multiple of n)
= b (mod n),
and hence axi = b (mod n), making xi a solution, too. By Corollary 31.22, the equation ax = b (mod n) has exactly d solutions, so that x 0, x 1, …, xd–1 must be all of them.
▪
We have now developed the mathematics needed to solve the
equation ax = b (mod n). The procedure MODULAR-LINEAR-
EQUATION-SOLVER prints all solutions to this equation. The inputs
a and n are arbitrary positive integers, and b is an arbitrary integer.
MODULAR-LINEAR-EQUATION-SOLVER( a, b, n)
1 ( d, x′, y′) = EXTENDED-EUCLID( a, n)
2 if d | b
3
x 0 = x′( b/ d) mod n
4
for i = 0 to d – 1
5
print ( x 0 + i( n/ d)) mod n
6 else print “no solutions”
As an example of the operation of MODULAR-LINEAR-
EQUATION-SOLVER, consider the equation 14 x = 30 (mod 100) (and
thus a = 14, b = 30, and n = 100). Calling EXTENDED-EUCLID in
line 1 gives ( d, x′, y′) = (2, –7, 1). Since 2 | 30, lines 3–5 execute. Line 3
computes x 0 = (–7)(15) mod 100 = 95. The for loop of lines 4–5 prints
the two solutions, 95 and 45.
The procedure MODULAR-LINEAR-EQUATION-SOLVER
works as follows. The call to EXTENDED-EUCLID in line 1 returns a
triple ( d, x′, y′) such that d = gcd( a, n) and d = ax′ + ny′. Therefore, x′ is a solution to the equation ax′ = d (mod n). If d does not divide b, then the equation ax = b (mod n) has no solution, by Corollary 31.21. Line 2
checks to see whether d | b, and if not, line 6 reports that there are no solutions. Otherwise, line 3 computes a solution x 0 to ax = b (mod n), as Theorem 31.23 suggests. Given one solution, Theorem 31.24 states
that adding multiples of ( n/ d), modulo n, yields the other d – 1 solutions.
The for loop of lines 4–5 prints out all d solutions, beginning with x 0
and spaced n/ d apart, modulo n.
MODULAR-LINEAR-EQUATION-SOLVER performs O(1g n +
gcd( a, n)) arithmetic operations, since EXTENDED-EUCLID
performs O(1g n) arithmetic operations, and each iteration of the for loop of lines 4–5 performs a constant number of arithmetic operations.
The following corollaries of Theorem 31.24 give specializations of
particular interest.
Corollary 31.25
For any n > 1, if gcd( a, n) = 1, then the equation ax = b (mod n) has a unique solution, modulo n.
▪
If b = 1, a common case of considerable interest, the x that solves the equation is a multiplicative inverse of a, modulo n.
Corollary 31.26
For any n > 1, if gcd( a, n) = 1, then the equation ax = 1 (mod n) has a unique solution, modulo n. Otherwise, it has no solution.
▪
Thanks to Corollary 31.26, the notation a−1 mod n refers to the multiplicative inverse of a, modulo n, when a and n are relatively prime.
If gcd( a, n) = 1, then the unique solution to the equation ax = 1 (mod n) is the integer x returned by EXTENDED-EUCLID, since the equation
gcd( a, n) = 1 = ax + ny
implies ax = 1 (mod n). Thus, EXTENDED-EUCLID can compute
a−1 mod n efficiently.
Exercises
31.4-1
Find all solutions to the equation 35 x = 10 (mod 50).
31.4-2
Prove that the equation ax = ay (mod n) implies x = y (mod n) whenever gcd( a, n) = 1. Show that the condition gcd( a, n) = 1 is necessary by supplying a counterexample with gcd( a, n) > 1.
31.4-3
Consider the following change to line 3 of the procedure MODULAR-
LINEAR-EQUATION-SOLVER:
3 x 0 = x′( b/ d) mod ( n/ d)
With this change, will the procedure still work? Explain why or why not.
★ 31.4-4
Let p be prime and f( x) = ( f 0 + f 1 x + ⋯ + ftxt) (mod p) be a polynomial of degree t, with coefficients fi drawn from ℤ p. We say that a ∈ ℤ p is a zero of f if f( a) = 0 (mod p). Prove that if a is a zero of f, then f( x) = ( x – a) g( x) (mod p) for some polynomial g( x) of degree t – 1.
Prove by induction on t that if p is prime, then a polynomial f( x) of degree t can have at most t distinct zeros modulo p.
31.5 The Chinese remainder theorem
Around 100 C.E., the Chinese mathematician Sun-Tsŭ solved the
problem of finding those integers x that leave remainders 2, 3, and 2
when divided by 3, 5, and 7 respectively. One such solution is x = 23,
and all solutions are of the form 23+105 k for arbitrary integers k. The
“Chinese remainder theorem” provides a correspondence between a
system of equations modulo a set of pairwise relatively prime moduli
(for example, 3, 5, and 7) and an equation modulo their product (for
example, 105).
The Chinese remainder theorem has two major applications. Let the
integer n be factored as n = n 1 n 2 ⋯ nk, where the factors ni are pairwise relatively prime. First, the Chinese remainder theorem is a descriptive
“structure theorem” that describes the structure of ℤ n as identical to that of the Cartesian product
with componentwise
addition and multiplication modulo ni in the i th component. Second, this description helps in designing efficient algorithms, since working in
each of the systems can be more efficient (in terms of bit operations)
than working modulo n.
Theorem 31.27 (Chinese remainder theorem)
Let n = n 1 n 2 ⋯ nk, where the ni are pairwise relatively prime. Consider the correspondence
where
, and
ai = a mod ni
for i = 1, 2, …, k. Then, mapping (31.27) is a one-to-one mapping (bijection) between ℤ n and the Cartesian product
.
Operations performed on the elements of ℤ n can be equivalently
performed on the corresponding k-tuples by performing the operations
independently in each coordinate position in the appropriate system.
That is, if
a ↔ ( a 1, a 2, …, ak),
b ↔ ( b 1, b 2, …, bk),
then
Proof Let’s see how to translate between the two representations.
Going from a to ( a 1, a 2, …, ak) requires only k “mod” operations. The reverse—computing a from inputs ( a 1, a 2, …, ak)—is only slightly more complicated.
We begin by defining mi = n/ ni for i = 1, 2, …, k. Thus, mi is the product of all of the nj’s other than ni: mi = n 1 n 2 ⋯ ni−1 ni+1 ⋯ nk. We next define
for i = 1, 2, …, k. Equation (31.31) is well defined: since mi and ni are relatively prime (by Theorem 31.6), Corollary 31.26 guarantees that
mod ni exists. Here is how to compute a as a function of the ai and ci:
We now show that equation (31.32) ensures that a = ai (mod ni) for i
= 1, 2, …, k. If j ≠ i, then mj = 0 (mod ni), which implies that cj = mj = 0
(mod ni). Note also that ci = 1 (mod ni), from equation (31.31). We thus have the appealing and useful correspondence
ci ↔ (0, 0, …, 0, 1, 0, …, 0),
a vector that has 0s everywhere except in the i th coordinate, where it has
a 1. The ci thus form a “basis” for the representation, in a certain sense.
For each i, therefore, we have
which is what we wished to show: our method of computing a from the
ai’s produces a result a that satisfies the constraints a = ai (mod ni) for i
= 1, 2, …, k. The correspondence is one-to-one, since we can transform
in both directions. Finally, equations (31.28)–(31.30) follow directly
from Exercise 31.1-7, since x mod ni = ( x mod n) mod ni for any x and i
= 1, 2, …, k.
▪
We’ll use the following corollaries later in this chapter.
Corollary 31.28
If n 1, n 2, …, nk are pairwise relatively prime and n = n 1 n 2 ⋯ nk, then for any integers a 1, a 2, …, ak, the set of simultaneous equations x = ai (mod ni),
for i = 1, 2, …, k, has a unique solution modulo n for the unknown x.
▪
Corollary 31.29
If n 1, n 2, …, nk are pairwise relatively prime and n = n 1 n 2 ⋯ nk, then for all integers x and a,
for i = 1, 2, …, k if and only if
x = a (mod n).
▪
As an example of the application of the Chinese remainder theorem,
suppose that you are given the two equations
a = 2 (mod 5),
a = 3 (mod 13),
so that a 1 = 2, n 1 = m 2 = 5, a 2 = 3, and n 2 = m 1 = 13, and you wish to compute a mod 65, since n = n 1 n 2 = 65. Because 13−1 = 2 (mod 5) and 5−1 = 8 (mod 13), you compute
c 1 = 13 · (2 mod 5) = 26,
c 2 = 5 · (8 mod 13) = 40,
and
a = 2 · 26 + 3 · 40 (mod 65)
= 52 + 120
(mod 65)
= 42
(mod 65).
Figure 31.3 An illustration of the Chinese remainder theorem for n 1 = 5 and n 2 = 13. For this example, c 1 = 26 and c 2 = 40. In row i, column j is shown the value of a, modulo 65, such that a mod 5 = i and a mod 13 = j. Note that row 0, column 0 contains a 0. Similarly, row 4, column 12
contains a 64 (equivalent to −1). Since c 1 = 26, moving down a row increases a by 26. Similarly, c 2 = 40 means that moving right by a column increases a by 40. Increasing a by 1 corresponds to moving diagonally downward and to the right, wrapping around from the bottom to the top and from the right to the left.
See Figure 31.3 for an illustration of the Chinese remainder theorem, modulo 65.
Thus, you can work modulo n by working modulo n directly or by
working in the transformed representation using separate modulo ni
computations, as convenient. The computations are entirely equivalent.
Exercises
31.5-1
Find all solutions to the equations x = 4 (mod 5) and x = 5 (mod 11).
31.5-2
Find all integers x that leave remainders 1, 2, and 3 when divided by 9,
8, and 7, respectively.
31.5-3
Argue that, under the definitions of Theorem 31.27, if gcd( a, n) = 1, then
31.5-4
Under the definitions of Theorem 31.27, prove that for any polynomial
f, the number of roots of the equation f( x) = 0 (mod n) equals the
product of the number of roots of each of the equations f( x) = 0 (mod
n 1), f( x) = 0 (mod n 2), …, f( x) = 0 (mod nk).
Along with considering the multiples of a given element a, modulo n, we often consider the sequence of powers of a, modulo n, where
:
a 0, a 1, a 2, a 3, …,
modulo n. Indexing from 0, the 0th value in this sequence is a 0 mod n =
1, and the i th value is ai mod n. For example, the powers of 3 modulo 7
are
and the powers of 2 modulo 7 are
In this section, let 〈 a〉 denote the subgroup of generated by a through repeated multiplication, and let ord n( a) (the “order of a, modulo n”) denote the order of a in . For example, 〈2〉 = {1, 2, 4} in
, and ord7(2) = 3. Using the definition of the Euler phi function ϕ( n)
as the size of (see Section 31.3), we now translate Corollary 31.19
into the notation of to obtain Euler’s theorem and specialize it to ,
where p is prime, to obtain Fermat’s theorem.
Theorem 31.30 (Euler’s theorem)
For any integer n > 1,
▪
Theorem 31.31 (Fermat’s theorem)
If p is prime, then
Proof By equation (31.22), ϕ( p) = p – 1 if p is prime.
▪
Fermat’s theorem applies to every element in ℤ p except 0, since
. For all a ∈ ℤ p, however, we have ap = a (mod p) if p is prime.
If
, then every element in is a power of g, modulo n,
and g is a primitive root or a generator of . For example, 3 is a primitive root, modulo 7, but 2 is not a primitive root, modulo 7. If
possesses a primitive root, the group is cyclic. We omit the proof of
the following theorem, which is proven by Niven and Zuckerman [345].
Theorem 31.32
The values of n > 1 for which is cyclic are 2, 4, pe, and 2 pe, for all primes p > 2 and all positive integers e.
▪
If g is a primitive root of and a is any element of , then there
exists a z such that gz = a (mod n). This z is a discrete logarithm or an index of a, modulo n, to the base g. We denote this value as ind n, g( a).
Theorem 31.33 (Discrete logarithm theorem)
If g is a primitive root of , then the equation gx = gy (mod n) holds if and only if the equation x = y (mod ϕ( n)) holds.
Proof Suppose first that x = y (mod ϕ( n)). Then, we have x = y + kϕ( n) for some integer k, and thus
gx = gy+ kϕ( n)
(mod n)
= gy · ( gϕ( n)) k (mod n)
= gy · 1 k
(mod n) (by Euler’s theorem)
= gy
(mod n).
Conversely, suppose that gx = gy (mod n). Because the sequence of powers of g generates every element of 〈 g〉 and |〈 g〉| = ϕ( n), Corollary 31.18 implies that the sequence of powers of g is periodic with period
ϕ( n). Therefore, if gx = gy (mod n), we must have x = y (mod ϕ( n)).
▪
Let’s now turn our attention to the square roots of 1, modulo a
prime power. The following properties will be useful to justify the
primality-testing algorithm in Section 31.8.
Theorem 31.34
If p is an odd prime and e ≥ 1, then the equation
has only two solutions, namely x = 1 and x = −1.
Proof By Exercise 31.6-2, equation (31.33) is equivalent to
pe | ( x − 1)( x + 1).
Since p > 2, we can have p | ( x − 1) or p | ( x + 1), but not both.
(Otherwise, by property (31.3), p would also divide their difference ( x +
1) – ( x − 1) = 2.) If p ∤ ( x – 1), then gcd( pe, x − 1) = 1, and by Corollary 31.5, we would have pe | ( x + 1). That is, x = −1 (mod pe).
Symmetrically, if p ∤ ( x + 1), then gcd( pe, x + 1) = 1, and Corollary 31.5
implies that pe | ( x − 1), so that x = 1 (mod pe). Therefore, either x = −1
(mod pe) or x = 1 (mod pe).
▪
A number x is a nontrivial square root of 1, modulo n, if it satisfies the equation x 2 = 1 (mod n) but x is equivalent to neither of the two
“trivial” square roots: 1 or −1, modulo n. For example, 6 is a nontrivial
square root of 1, modulo 35. We’ll use the following corollary to
Theorem 31.34 in Section 31.8 to prove the Miller-Rabin primality-testing procedure correct.
Corollary 31.35
If there exists a nontrivial square root of 1, modulo n, then n is composite.
Proof By the contrapositive of Theorem 31.34, if there exists a
nontrivial square root of 1, modulo n, then n cannot be an odd prime or a power of an odd prime. Nor can n be 2, because if x 2 = 1 (mod 2),
then x = 1 (mod 2), and therefore, all square roots of 1, modulo 2, are
trivial. Thus, n cannot be prime. Finally, we must have n > 1 for a nontrivial square root of 1 to exist. Therefore, n must be composite.
▪
Raising to powers with repeated squaring
A frequently occurring operation in number-theoretic computations is
raising one number to a power modulo another number, also known as
modular exponentiation. More precisely, we would like an efficient way
to compute ab mod n, where a and b are nonnegative integers and n is a positive integer. Modular exponentiation is an essential operation in
many primality-testing routines and in the RSA public-key
cryptosystem. The method of repeated squaring solves this problem
efficiently.
