ACTA ARITHMETICA LXIV 4 (1993) Geiierating units modulo an odd integer by addition and subtraction by H. W. LENSTRA, J R . (Berkeley, Cal.) An addition-subtraction chain is & finite sequence of integers that begins with l, and in which every member except the first one is the sum or the difference of two not necessarily different earlier members. THEOREM 1. Lei n be an odd integer, and let a be an integer satisfymg gcd(a, n) = 1. Then there exists an addition-subtraction chain that ends with a and that consists of integers that are relatwely pnme to n. This theorem is proved below. It answers a question that F. Alberto Grünbaum raised in connection with the phase problem in crystallography. In principle, one can use our proof of Theorem l to obtain an upper bound for the length of the addition-subtraction chain and for the absolute values of its members, but it is not likely to be a very good one. Let Z be the ring of integers, and let n £ Z,. Denote by Z/nZ the ring of integers modulo n. The image of an integerzyxwvutsrqponmlkjihgfedcbaZYXW α under th e n atural map Z —> Z / n Z is denoted by (a mod zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDC n}, or simply by a if there is no ambiguity about n. Let (Z / n Z )* be the group of units of Z / n Z , and let th e order of (Z / nZ )" be denoted by ψ (n). T H E O R E M 2. L et n be a positive odd integer, and let H C (Z / n Z )* be a subgroup containing — l with the property that if u € H is such that u - l <E (Z/nZ)*, then u-leH. Then H = (Z/nZ)*. We shall first prove Theorem 2. It will be used in the proof of Theorem 1. If n, H satisfy the conditions of Theorem 2, then we have (1) if u, v & H are such that u + v e (Z/nZ)*, then u + v € H. 1991 Mathemattcs Subject Classification 11A07, 11B75 Key words and phrases: addition-subtraction chain, coprime residue classes The author was supported by NSF under Grant No. DMS 90-02939 384 H. W. L e n st r a , Jr. To prove this, put zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA w = - uv~~ l. Then w G H an d w — l — — v~ l(u + v) 6 (Z / n Z )*, so w - l e - ff and therefore u + v = ~v(w - 1) E H. From (1) it follows th at 2 e - ff, 4 e - ff. (2) The proof of Theorem 2 depends on t h e following auxiliary result. L et n, H satisfy the conditions of Theorem 2, and let d be a divisor of n. Assume that the following conditions are satisfied: L E M M A. (i)gcd(d,n/ d) = l; (ii) there exists u e H, u φ l, with u = l mod d; (iii) for each u e H, u φ l, ωίί/ ι u = l mod d one has gcd(u - l, n) = d. T/ ien n / d zs α prime number, and the number of u € H with u = l mod d is (n/d) — 1. In the proof of the lemma we write e = n/d. We have gcd(d, e) — l, so by the Chinese remainder theorem we may identify Z / n Z with (Z/dZ) x (Z/eZ); in this identification, (a mod n) corresponds to (a mod d, a mod e), and we have (Z/raZ)* = (Z/dZ)* x (Z/eZ)*. Write / = { υ € (Z/eZ)* : (l, υ) G- ff}This is a subgroup of (Z / eZ )*, an d it is isomorphic to th e kernel of the n atural map H —> (Z / dZ )* th at sends w to (ω mod d). Condition (ii) of th e lemma is clearly equivalent to # / > l, an d condition (iii) to (3) v- l e (Z / eZ )* for all v El, v^ l. From # / > l it follows th at e > 1. We claim th at (4) >Γ χ = 0 (in Z / eZ ) . To prove this, choose υ e Ι , ν φ 1. Then υ / = J, so (v — 1) V^ a; = ^ ^ υχ —\ ^ x = 0 . By (3), this implies (4). N ext we show th at (5) ό + le(Z/eZ)* for all υ e / , υ ^ - l . Suppose th at υ € / is such that v + l ^ (Z/eZ)*. Then we have υ ^ 1. Also, from υ 2 e / and υ 2 - l = (υ - l)(v + 1) £ (Z / eZ )* it follows by (3) th at • u2 = 1. Then (v - l)(w + 1) = 0, which by (3) implies th at v + l = 0, so v — — 1. This proves (5). Let v e / , υ φ - 1 . Then ( l, υ) € H and (l, υ) + (1,1) = (2,υ + 1) e (Z / dZ )* x (Z / eZ )* = (Z/ raZ)*, so (2,υ + 1) e # . By (2), this implies th at (1,(υ + 1)/ 2) = ( 2, υ + 1) ·2~ 1 e H, and therefore (υ + 1)/ 2 e / a n d u + 1 e 21. Generating units modulo an odd integerzyxwvutsrqponmlkjihgfed 385 This proves that 7 + l C (27) U {0}. The cardinality of 7 + l is one less than that of (27) U {0}. We can determine the missing element by comparing the sums of the elements in the two sets. P utting k = φΐ we find from (4) that V^ χ — k mod e, x€/+l \ J χ =0 . xe(27)U{0} Therefore we have (6) ( 7 + l ) U { - f c m o d e } = (27) U {0} . Comparing the cardinalities of the two sets we see that (—k mod e) ^ 7 + 1, that is, (7) (-k - l mod e) g I. Since k is the order of a subgroup of (Z/eZ)*, we have l < k < φ(ε) < e, so (- k mod e) ^ 0. Therefore (6) shows that (- k mod e) <E 27, so (l, - k/ 2) e 77 and hence (2, —k) = 2 · (l, —k/ 2) e 77. However, from (7) we see that (2, - k) - l = (l, - k - 1) i H, so (l, - k - 1) £ (Z/ nZ)*. Therefore we have (8) gcd(fc + l, e) > 1. From (—k mod e) Φ 0 and (6) we find that 0 e 7+ 1, that is, - l € 7. Because - l has order 2 it follows that the order A; of 7 is even. From - 7 = 7 and (6) we obtain (9) (7 - 1) U {k mod e} = (27) U {0} . We deduce that if l < i < k, then (i mod e) e 7 if i is odd and (i mod e) € 27 if i is even. This is proved by induction on i, the case i = l being obvious. If i is even, 2 < i < k, then by the inductive assumption we have i — l e 7, so i = (i - 1) + l G 7 + l, and from (6) and i Φ 0 one gets i e 27. If i is odd, l < i < k, then by the inductive assumption we have i — l <Ξ 27, and from (9) and i Φ k + l one obtains i e 7. We claim that actually 7 = {± 1, ± 3, . . . , ±(k - 1)}, 27 = {± 2, ± 4, . . . , ±k} . The inclusions D follow from what we just proved combined with — l e 7. To show equality it suffices to prove that the k elements of each of the sets on the right are pairwise distinct modulo e; and this follows from the fact that all differences are even and less than 2e in absolute value. Since all elements of7 are relatively prime to e, the description of 7 given above shows that e has no prime divisor less than k. Therefore (8) implies that k + l is the least prime divisor of e. Suppose that e is not a prime number. Then k < e/ 2, so the description of 7 given above shows that 2 ^ 7 . Hence 4 ^ 27, which by the description 384 H. W. L e n st r a , Jr. l 1 To prove this, put zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA w = - uv~ . Then w G H and w - l = - v' (u + υ) Ε (Z / n Z )*, so w ~ l e H and therefore - u + v = - u(u> - 1) e - ff. From (1) it follows th at (2) 2 e F, 4 e ff . The proof of Theorem 2 depends on the following auxiliary result. Lei n, H satisfy the conditions of Theorem 2, and let d be a divisor of n. Assume that the following conditions are satisfied: L E M M A. (i) gcd(d,n/ d) = l; (ii) there exists u e H, u ^ l, «ηΐ/ι ti Ξ l mod d; (iii) for each u e - ff, u φ l, w'i/ ι u Ξ l mod d one / las gcd(w —l, n ) = <i Γ/ ien n/ d is a prime number, and the number of u & H with u = l mod d is (n/ d) - 1. In the proof of th e lemma we write e = n/ d. We have gcd(d, e) = l, so by the Chinese remainder theorem we may identify Z / n Z with (Z/ dZ) X (Z / eZ ); in this identification, (a mod n) corresponds to (a mod d!, a mod e), and we have (Z / n Z )* = (Z / dZ )* χ (Z / eZ )*. Write / = {w € (Z/eZ)* : (l, υ) G # } · This is a subgroup of (Z / eZ )*, and it is isomorphic to the kernel of the n atural map H —> (Z / dZ )* th at sends it to (it mod d). Condition (ii) of the lemma is clearly equivalent to # 1 > l, and condition (iii) to (3) υ- l € (Z/eZ)* for all v G / , υ φ Ι . From # / > l it follows th at e > 1. We claim th at (4) χ = 0 (in Z/ eZ) . To prove this, choose v € I, v ^ l. Then υ / = / , so (w — i) y^ χ = y^ υχ - y^ χ = o . \ ' z._ / ' - χζΐ χ&Ι 1 ' - 1 x£l By (3), this implies (4). N ext we show th at (5) v + l e (Z / eZ )* for all v € / , v + - l . Suppose that v € / is such that v + l ^ (Z/eZ)*. Then we have υ 7^ l. Also, from υ 2 e I and w2 - l = (υ - 1)(υ + 1) g (Z / eZ )* it follows by (3) th at υ 2 = 1. Then (v - 1)(υ + 1) = 0, which by (3) implies th at v + l = 0, so v = —1. This proves (5). Let v e / , v ^ - l. Then ( l, υ) e H and (l, v) + (1,1) = (2,υ + 1) 6 (Z / dZ )* x (Z / eZ )* = (Z / n Z )*, so (2,υ + 1) € -ff. By (2), this implies that (l,(u + l)/2) = ( 2, υ + 1) ·2^ 1 6 H, and therefore (υ + 1)/ 2 G / a n d u + 1 e 21. Generatmg umts modulo an odd integerzyxwvutsrqponmlkjihgfedcbaZYXW 385 This proves that I + l C (27) U {0}. The cardinality of 7 + l is one less than that of (27) U {0}. We can determine the missing element by comparing the sums of the elements in the two sets. P utting k = # 7 we find from (4) that χ = k mod e, J χ = 0. ze(2/ )u{o} Therefore we have ( 7 + l ) U {- fc m o d e } = (27)U {0}. (6) Comparing the cardinalities of the two sets we see that (—k mod e) 0 7 + 1, that is, (7) (~k- l m ode) 0 7 . Since k is the order of a subgroup of (Z/ eZ)*, we have l < k < φ(β) < e, so (- k mod e) ^ 0. Therefore (6) shows that (- k mod e) £ 27, so (l, - k/ 2) <Ξ 77 and hence (2, - k) = 2 · (l, - k/ 2) 6 77. However, from (7) we see that (2, - fc) - l = (l, - k - 1) 0 77, so (l, - fe - 1) 0 (Z / nZ )*. Therefore we have (8) gcd(fe+ l, e) > 1. From (- fc mod e) ^ 0 and (6) we find that 0 e 7+ 1, that is, — l e 7. Because - l has order 2 it follows that the order fc of 7 is even. From - 7 = 7 and (6) we obtain (9) (7 - 1) U {fc mod e} = (27) U {0}. We deduce that if l < i < fc, then (i mod e) e 7 if i is odd and (i mod e) 6 27 if i is even. This is proved by induction on i, the case i = l being obvious. If i is even, 2 < i < fc, then by the inductive assumption we have i —l e 7, so i = (i — 1) + l e 7 + l, and from (6) and i ^ 0 one gets i e 27. If i is odd, l < i < fc, then by the inductive assumption we have i — l 6 27, and from (9) and i ^ k + l one obtains z e 7. We claim that actually 7 = {± 1, ± 3, . . . , ± (fc - 1)}, 27 = {± 2, ± 4, . . . , ± fc} . The inclusions D follow from what we just proved combined with —l G 7. To show equality it suffices to prove that the fc elements of each of the sets on the right are pairwise distinct modulo e; and this follows from the fact that all differences are everi and less than 2e in absolute value. Since all elements of 7 are relatively prime to e, the description of 7 given above shows that e has no prime divisor less than fc. Therefore (8) implies that fc + l is the least prime divisor of e. Suppose that e is not a prime number. Then fc < e/ 2, so the description of 7 given above shows that 2 0 7 . Hence 4 0 27, which by the description 386 H. W. Lenstra, Jr. of 27 given above implies that k = 2. Then the number k + l — 3 divides e, so 3 does not divide d. From (2) and (l, -1) 6 77 we obtain (2, - 2 ) e 77. Since (2, -2) + l = (3, - 1 ) e (Z/nZ)* we have (3, -1) e 77, so also (3,1) = (3, - 1 ) - (l, - 1 ) e 77. From (3,1) + l = (4,2) € (Z/nZ)* we get (4,2) e ff, <Ξ 77. This contradicts the fact which by (4,4) = 4 6 77 implies that (1,2)zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONM that 2 ^ 7 . We conclude that e is a prime number. Then zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQ k + l = e, so we have # 1 = k = e — 1. This completes the proof of the lemma. We now prove Theorem 2 by induction on n. The case n = l is obvious, so let n > 1. Let it first be assumed that n has a repeated prime factor. Let p be a prime number for which p2 divides n, and write n = dpm, where d φ 0 mod p and m > 2. Then condition (i) of the lemma is satisfied. We prove that for any integer l with l < l < m - l the image of 77 under the natural map / : Z/ nZ - > Z/ dplZ is the füll unit group (Z/dp'Z)*. By the induction hypothesis, it suffices for this to check that - l e fH and that for any w £ fH with w - l € (Z/dplZ)* orie has w - l € /ff. The first of these follows from - l e 77 and / ( - l ) = - 1 . To prove the second, choose u 6 77 with w = f(u}. Then f(u - 1) = w - l, so from 10 - l 6 (Z/dp'Z)* and the fact that n and dp' have the same prime factors it follows that u - l e (Ζ/ ηΖγ. Therefore one has M - l e 77, which leads to the desired conclusion w — l = f(u — l) & fH. Applying what we just proved to l = l one finds that # 77 > <^(dp) > ψ(ά). Therefore the natural map g: H - » (Z/ dZ)* is not injective, and the kernel of g contains an element u ^ 1. This means that condition (ii) of the lemma is satisfied. The conclusion of the lemma does not hold, since n/ d = pm is not a prime number. Therefore condition (iii) of the lemma is not satisfied, and there exists - u e 77 with u ^ l, u = l mod d, gcd(w - l, n) ^ d. Then we have gcd(u — l, n} — dp1 for some integer l with l < l < m — l, so we can write u = l + drp1 for some integer r with r φ. 0 mod p. It follows that for each non- negative integer i there is an integer rt with upl = l + drtpl+\ r, φ 0 mod p. Orie proves this by induction on i, by means of the binomial theorem. In particular, we see that upm~ l = l, upm~ l~ l φ l (in Z/ dpmZ = Z / n Z ), so the order of u equals pm~ l. Now consider the natural map / : 77 —> (Z/ dp'Z)*. We showed above that / is surjective, so # / ff = ψ(άρ1}. The kernel of / contains u, so # k e r / > Generating units modulo an odd integerzyxwvutsrqponmlkjihgfedcbaZYXW 387 pm- '. Hence we have # H = # k e r / · # fH > pm~ l · ψ(άρ1} = φ (η), and therefore H = (Z/ raZ)*, δs required. Let it next be supposed t hat n has no repeated prime factor, so that it is squarefree. Let d = max{gcd(« - l,ri) : u £ H, u =£ 1}; note that this is well-defined, since — l ς .ff, —l 7^ 1. Then conditions (ii) and (iii) of the lemma are clearly satisfied. Condition (i) is also satisfied, since n is squarefree. The lemma now implies th at the number n/ d, which we denote by e, is a prime number, and th at th e kernel of th e n atural m ap g- .H- ^ (Z / dZ )* has order e — 1. We claim th at g is surjective. By th e induction hypothesis, it suffices for this to check th at — l e gH and th at for any w € gH with w - l € (Z/dZ)* one has tu - l e p£T. The first of these follows from - l e .ff and p(—1) = — 1. To prove the second, we identify (Z/raZ)* with (Z/dZ)* x (Z/eZ)*, äs we did in the proof of the lemma. Then from # k e r # = e - l it follows that {1} x (Z/eZ)* C H, and this implies that H = gH x (Z/eZ)*. Therefore, if w; 6 gif then for each v 6 (Z/eZ)* the element u = (ω, υ) belongs to JT. Choose v ^ 1; then u —l G (Z / n Z )*, so M —l 6 - ff, which leads to the desired conclusion u; - l = # (Μ - 1) G p- ff. The surjectivity of 5 implies th at H - - = gH x (Z / eZ )* = (Z / dZ )* x (Z / eZ )* = (Z / n Z )*, äs required. This completes the proof of Theorem 2. Theorem 2 admits the following reformulation. Let n be a positive odd integer, and let a subset S C (Z/nZ)* be called additively closed if for any u,v £ S with M + t> G (Z/nZ)* one has ΐί + υ € 5. With this terminology, Theorem 2 implies that ί/ie onfo/ additively closed subset of (Z / n Z )* containing l are<i —l w (Z/ raZ)* zise/ / . To prove this, denote by .ff th e intersection of all additively closed subsets of (Z / n Z )* th at contain l and - l It clearly suffices to prove th at H = (Z / n Z )*. Obviously, - ff itself is additively closed, and so is —H. Also, —H contains both —l and l, so by definition of H we have H C —H. It follows th at H = —H. N ext let u & H. Then u~ 1H is additively closed, and it contains l and —l, so we have H = u~ lH. This implies th at H is a subgroup of (Z / n Z )*. The conditions of Theorem 2 are satisfied, so we find th at H = (Z / n Z )*, äs required. We now prove Theorem 1. Let n be an odd integer, and let the set Γ C Z consist of all integers a for which an addition- subtraction chain äs in the conclusion of the theorem exists. We need to prove that T corisists of all integers that are relatively prime to n. If a, b G T are such that gcd(a + 6, n) = l, then one clearly has a + b G T, and likewise for α — b. By induction on i one finds th at 2* e T for all non- negative integers i. From 1 — 2 = —l one obtains — l e Γ, and this readily implies t h at T = —T. 388 H. W. Lenstra, Jr. Let / be a positive integer for which 2l = l mod n, and put m = 2l — 1. Then m is a positive odd integer, and m is a multiple of n. By induction on i we prove that im+1 E T for all non-negative integers i. For i = 0 this is clear, so let i > 0. Then we have (i — l)m + l € T by the inductive assumption, and from ((i - l)m + 1) + 2l = im + 2 and gcd(im + 2,n) = gcd(2, n) = l it follows that im + 2 e T. By (im + 2) H- (—1) = im + l, gcd(im + l,n) = l this implies that im + l € T, äs asserted. From (im + 1) - 2 = im — l we find that also im — l e T for all non-negative integers i. Withzyxwvutsrqponmlkjihgfedc Γ = zyxwvutsrqponmlkjihgfedcb —T it follows that im ± l e Γ for all integers i. Let 5 C (Z/ mZ)* be the set of residue classes (a mod m) with the property that gcd(a, m) = l and α + mZ C T. We just proved that (l rnod m ), ( - 1 mod m) € S1, and one readily verifies that S is additively closed, äs defined above (with m in the role of n). Hence, by what we proved above, we have S = (Z/mZ)*, and therefore every integer that is relatively prime to m belongs to T. Now let α e Z, gcd(a, n) = 1. For every prime number p dividing m, choose a p e Z such that a p ^ 0 mod p, ap φ a mod p; this can be done since m is odd. N ext, let b € Z be such that b = ap mod p for each prime number p dividing m. Then we have gcd(fr, m) = gcd(a —fe,τη) = l, so 6, α —& 6 T1, and therefore α = b + (a - b) e T. This proves Theorem 1. Acknowledgements. The author thanks F . Alberto Grünbaum for suggesting the problem solved in this paper, and George Bergman, Everett Howe, and Carl Pomerance for helpful comments. DEPARTMENT OF MATHEMATICS UNIVERSITY OF CALIFORNIA BERKELEY, CALIFORNIA 94720 USA Received on 23.12.1992 (2361)