ECM3704 Number Theory 2015-2016: 1 Divisibility and Primes


ECM3704 Number Theory 2015–2016

Henri Johnston
H.Johnston@exeter.ac.uk
10th December 2015

Abstract
These notes are based on the lecture notes and handouts of Dr
Robin Chapman who gave this course in 2013–2014. The lectures
were originally typed up by Oliver Bond who sat in on the course that
year. The notes have since been completely rewritten, but considerable
thanks is clearly due to both Robin and Oliver. All errors are my
own; please do email me if you find any.

1 Divisibility and primes


1.1 Divisibility
Definition 1.1. We recall the definitions of the following sets.
(i) N (the natural numbers) is defined to be {1, 2, 3, . . .} (note 0 ∉ N).
(ii) Z (the integers) is defined to be {. . . , −3, −2, −1, 0, 1, 2, 3, . . .}.
(iii) Q (the rational numbers) is defined to be {a/b | a, b ∈ Z, b ≠ 0}.

Remark 1.2. (Z, +, ×) is a commutative ring with 1 and (Q, +, ×) is a field.

Definition 1.3. Given a, b ∈ Z, we say that ‘a divides b’ or ‘a is a divisor
of b’ or ‘b is a multiple of a’ or ‘a is a factor of b’ if and only if there exists
c ∈ Z such that b = ac. (If a ≠ 0 this means b/a ∈ Z.) The notation ‘a | b’
means ‘a divides b’.

Proposition 1.4. Let a, b, c, n, x, y ∈ Z. Divisibility has the following properties:
(i) a | a (reflexive property),
(ii) a | b and b | c implies a | c (transitive property),
(iii) a | b and a | c implies a | (xb ± yc) (linearity property),

(iv) a | b implies an | bn (multiplication property),
(v) an | bn and n ≠ 0 implies a | b (cancellation property),
(vi) 1 | n (1 divides every integer),
(vii) n | 0 (every integer divides 0),
(viii) 0 | n implies n = 0 (zero divides only zero),
(ix) a | b and b ≠ 0 implies |a| ≤ |b| (comparison property),
(x) a | b and b | a implies |a| = |b|, i.e., a = ±b.
Proof. Checking the properties is straightforward. We check (iii) and leave
the others as an exercise. Since a | b and a | c there exist m, n ∈ Z such that
b = an and c = am. For any x, y ∈ Z we have
xb ± yc = xan ± yam = a(xn ± ym).
So we have found an integer q = xn ± ym such that xb ± yc = aq. Thus
a | (xb ± yc), as desired.

1.2 The Division Algorithm


Well-Ordering Principle (WOP). Every non-empty subset of N ∪ {0}
contains a least element.
Theorem 1.5 (The Division Algorithm). Given a ∈ Z, b ∈ N, there exist
unique integers q and r satisfying a = bq + r and 0 ≤ r < b.
Proof. We first establish the existence of such a pair of integers q and r.
Define S := {a − xb | x ∈ Z and a − xb ≥ 0}. Note that S ≠ ∅ since:
• if a ≥ 0, by choosing x = 0, we get a − xb = a ≥ 0;
• if a < 0, by choosing x = a, we get a − xb = a − ab = (−a)(b − 1) ≥ 0
since −a > 0 and b > 0.
Hence S is a non-empty subset of N ∪ {0} and so by the Well-Ordering
Principle S contains a least element r ≥ 0. Since r ∈ S, there exists
q ∈ Z such that a − qb = r, so a = qb + r. It remains to show that r < b.
Assume for a contradiction that r ≥ b and let r1 = r − b ≥ 0. Then
a = qb + r = qb + (r1 + b) = (q + 1)b + r1
and so a − (q + 1)b = r1 ∈ S and is smaller than r: a contradiction. Hence q
and r satisfy the required properties.
We now show that the pair q, r is unique. Assume that there is another
pair of integers q′, r′ such that a = q′b + r′ with 0 ≤ r′ < b. Then from
a = qb + r = q′b + r′ we have (q − q′)b = r′ − r. If q = q′ then we must have
r = r′ and we are done. Suppose for a contradiction that q ≠ q′. Then
b ≤ |q − q′| |b| = |r′ − r|.

However, since 0 ≤ r, r′ < b we must have |r′ − r| < b, which gives a
contradiction.

1.3 The Greatest Common Divisor


Theorem 1.6. Let a, b ∈ Z. Then there exists a unique d ∈ N ∪ {0} and
(non-unique) x, y ∈ Z such that
(i) d | a and d | b,
(ii) if e ∈ Z, e | a and e | b then e | d,
(iii) d = ax + by.

Proof. If a = b = 0, then it is easy to check that we must have d = 0. So
suppose that a and b are not both zero. Let

S = {am + bn | m, n ∈ Z and am + bn > 0}.

Now a² + b² > 0 so S is a non-empty subset of N. Hence by the Well-Ordering
Principle, S has a minimal element d > 0 and we can write d = ax + by for
some x, y ∈ Z.
By the Division Algorithm, a = qd + r for some q, r ∈ Z with 0 ≤ r < d.
Suppose for a contradiction that r ≠ 0. Then

0 < r = a − qd = a − q(ax + by) = (1 − qx)a − qby.

Hence r ∈ S. But r < d, contradicting the minimality of d in S. So we must
have r = 0, i.e., d | a. The same argument also shows that d | b.
Suppose e ∈ Z, e | a and e | b. Then e divides any linear combination of
a and b, so in particular, e | d.
Suppose that e ∈ N ∪ {0} also satisfies (i) & (ii). Then e | d and d | e and
so d = ±e. But d, e ≥ 0 so we have d = e. Thus d is unique.

Corollary 1.7. If a, b ∈ Z then there exists a unique d ∈ N ∪ {0} such that
(i) d | a and d | b,
(ii) if e ∈ Z, e | a and e | b then e | d.

Proof. The existence of such a d is given by Theorem 1.6. In the proof of
uniqueness in Theorem 1.6, we only used properties (i) & (ii).

Definition 1.8. Let a, b ∈ Z. Then the d of Corollary 1.7 is called the
greatest common divisor of a and b and is written gcd(a, b). (Note this is the
same d as in Theorem 1.6.) This is sometimes also referred to as the highest
common factor and written as hcf(a, b). If gcd(a, b) = 1 then a and b are
said to be coprime or relatively prime.

Combining Theorem 1.6, Corollary 1.7 and Definition 1.8, we have:
Bezout’s Identity. Given a, b ∈ Z there exist (non-unique) x, y ∈ Z such
that gcd(a, b) = ax + by.
Proposition 1.9. Let a, b, c ∈ Z. The gcd has the following properties:
(i) gcd(a, b) = gcd(b, a) (commutative law),
(ii) gcd(a, gcd(b, c)) = gcd(gcd(a, b), c) (associative law),
(iii) gcd(ac, bc) = |c| gcd(a, b) (distributive law),
(iv) gcd(a, 1) = gcd(1, a) = 1,
(v) gcd(a, 0) = gcd(0, a) = |a|,
(vi) c | gcd(a, b) if and only if c | a and c | b,
(vii) gcd(a + cb, b) = gcd(a, b).
Proof. Checking properties (i),(ii),(iv),(v) & (vi) is straightforward and is
left as an exercise. (For property (vi) use Bezout’s Identity and the linearity
property of divisibility).
We prove (iii). Let d = gcd(a, b) and let e = gcd(ac, bc). We wish to show
that e = |c|d. By property (vi), cd | e = gcd(ac, bc) since cd | ac and cd | bc.
By Bezout’s Identity, there exist x, y ∈ Z such that d = ax + by. Then
cd = acx + bcy.
But e | ac and e | bc and so by linearity of divisibility we have e | cd.
Therefore |e| = |cd|, i.e., e = |c|d.
Finally, we prove (vii). Let e = gcd(a + bc, b) and f = gcd(a, b). Then
e | (a + bc) and e | b. Thus by linearity of divisibility e | a. Hence e | a and
e | b so by property (vi), we have e | f. Similarly, f | a and f | b so again by
linearity of divisibility f | (a + bc). Thus f | (a + bc) and f | b and so again
by property (vi), we have f | e. Therefore e | f and f | e and f, e ≥ 0 so we
conclude that e = f .
Remark 1.10. Note that gcd(a, b) = 0 if and only if a = b = 0. Otherwise
gcd(a, b) ≥ 1.
Theorem 1.11 (Euclid’s Lemma). Let a, b, c ∈ Z. If a | bc and gcd(a, b) = 1
then a | c.
Proof. Suppose that a | bc and gcd(a, b) = 1. By Bezout’s Identity there
exist x, y ∈ Z such that 1 = ax + by. Hence c = acx + bcy. But a | acx and
a | bcy, so a | c by the linearity property of divisibility.
Theorem 1.12 (Solubility of linear equations in the integers). Let a, b, c ∈ Z.
The equation
ax + by = c
is soluble with x, y ∈ Z if and only if gcd(a, b) | c.

Proof. Let d = gcd(a, b). Then d | a and d | b so if there exist x, y ∈ Z such
that c = ax + by then d | c by linearity of divisibility. Now suppose that d | c.
Then we can write c = qd for some q ∈ Z. By Bezout’s Identity there exist
x′, y′ ∈ Z such that d = ax′ + by′. Hence c = qd = aqx′ + bqy′ and so x = qx′
and y = qy′ gives a suitable solution.

1.4 Euclid’s Algorithm


Theorem 1.13 (Euclid’s Algorithm). Let a, b ∈ N with a ≥ b > 0 and b ∤ a.
Let r0 = a, r1 = b and apply the Division Algorithm repeatedly to obtain a
set of remainders r2 , r3 , . . . , rn , rn+1 defined successively by the relations

r0 = r1 q1 + r2 , 0 < r2 < r1 ,
r1 = r2 q2 + r3 , 0 < r3 < r2 ,
⋮
rn−2 = rn−1 qn−1 + rn , 0 < rn < rn−1 ,
rn−1 = rn qn + rn+1 , rn+1 = 0.

Then the last non-zero remainder, rn , is equal to gcd(a, b).


Proof. There is a stage at which rn+1 = 0 because the ri are strictly decreasing
and non-negative. Recall from Proposition 1.9 (vii) that for any
x, y, z ∈ Z we have gcd(x, y) = gcd(x + zy, y). In particular, we have

gcd(ri , ri+1 ) = gcd(ri+1 qi+1 + ri+2 , ri+1 ) = gcd(ri+2 , ri+1 ) = gcd(ri+1 , ri+2 ).

Applying this result repeatedly gives

gcd(a, b) = gcd(r0 , r1 ) = gcd(r1 , r2 ) = gcd(r2 , r3 ) = · · · = gcd(rn−1 , rn ) = rn

where the last equality is because rn | rn−1 .


Remark 1.14. One can also use Euclid’s Algorithm to find x, y ∈ Z such that
gcd(a, b) = ax + by by ‘working backwards’.
Example 1.15. Work out the greatest common divisor of 841 and 160 and
express it as a linear combination of 841 and 160:

841 = 160 × 5 + 41
160 = 41 × 3 + 37
41 = 37 × 1 + 4
37 = 4 × 9 + 1
4 = 1 × 4 + 0.

Hence gcd(841, 160) = 1 (i.e. they are coprime) and working backwards gives:

1 = 37 × 1 − 4 × 9
= 37 × 1 − (41 − 37) × 9
= 37 × 10 − 41 × 9
= (160 − 3 × 41) × 10 − 41 × 9
= 160 × 10 − 41 × 39
= 160 × 10 − (841 − 160 × 5) × 39
= −39 × 841 + 205 × 160.

Note that such a solution is not unique. For example, we will also have

1 = (160 − 39) × 841 + (205 − 841) × 160 = 121 × 841 − 636 × 160.

1.5 The Extended Euclidean Algorithm


Instead of performing Euclid’s Algorithm to compute gcd(a, b) and then
‘working backwards’ to compute x, y ∈ Z such that gcd(a, b) = ax + by,
one can instead compute x, y during the course of performing Euclid’s Algorithm.
This is known as the Extended Euclidean Algorithm.
The sequences of quotients qi and remainders ri are defined as in Theorem
1.13. We also define sequences of integers xi , yi such that ri = axi +byi . Recall
that we defined rn to be the last non-zero remainder and that rn = gcd(a, b).
Therefore we have gcd(a, b) = rn = axn + byn and so we set (x, y) := (xn , yn ).
So how do we explicitly find xi and yi ? Recall that r0 = a and r1 = b.
Thus r0 = 1 × a + 0 × b and r1 = 0 × a + 1 × b, and so we set (x0 , y0 ) := (1, 0)
and (x1 , y1 ) := (0, 1). Now assume that i ≥ 2 and that xj , yj are known for
j < i. Then ri−2 = ri−1 qi−1 + ri and so we have

ri = ri−2 − ri−1 qi−1 = (axi−2 + byi−2) − (axi−1 + byi−1)qi−1
   = a(xi−2 − xi−1 qi−1) + b(yi−2 − yi−1 qi−1).

Thus we set xi := xi−2 − xi−1 qi−1 and yi := yi−2 − yi−1 qi−1 . In other words,
for i ≥ 2 we define (xi , yi ) recursively by

(xi , yi ) := (xi−2 , yi−2 ) − qi−1 (xi−1 , yi−1 ).

Example 1.16. We compute gcd(841, 160) and express it as a linear combination
of 841 and 160 using the Extended Euclidean Algorithm.

  i | r_{i−2} = r_{i−1} q_{i−1} + r_i | x_i | y_i
  0 | r_0 = 841                       |   1 |   0
  1 | r_1 = 160                       |   0 |   1
  2 | 841 = 160 × 5 + 41              |   1 |  −5
  3 | 160 = 41 × 3 + 37               |  −3 |  16
  4 | 41 = 37 × 1 + 4                 |   4 | −21
  5 | 37 = 4 × 9 + 1                  | −39 | 205
  6 | 4 = 1 × 4 + 0                   |     |

Therefore gcd(841, 160) = 1 = 841 × (−39) + 160 × 205.
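The recursion (x_i, y_i) := (x_{i−2}, y_{i−2}) − q_{i−1}(x_{i−1}, y_{i−1}) of Section 1.5 is short enough to write out in full. The following Python is an added example and is not code from the notes; the function names egcd_trace, egcd, format_trace and bezout_holds are my own. It keeps every row (r_i, x_i, y_i) so that the table of Example 1.16 can be reproduced, and it also records the row i = n+1 that the notes leave blank, where (x_{n+1}, y_{n+1}) = (b, −a)/gcd(a, b) is exactly the adjustment used in the non-uniqueness remark after Example 1.15.

```python
from math import gcd


def egcd_trace(a, b):
    """Run the Extended Euclidean Algorithm on integers a, b >= 0 and return the
    rows (r_i, x_i, y_i) for i = 0, 1, ..., n+1, laid out as in Example 1.16.
    Every row satisfies r_i = a*x_i + b*y_i, the r_i strictly decrease to
    r_{n+1} = 0, and the last non-zero remainder r_n is gcd(a, b)."""
    if a < 0 or b < 0:
        raise ValueError("egcd_trace expects non-negative integers")
    # (x_0, y_0) = (1, 0) since r_0 = a;  (x_1, y_1) = (0, 1) since r_1 = b.
    rows = [(a, 1, 0), (b, 0, 1)]
    while rows[-1][0] != 0:
        (r2, x2, y2), (r1, x1, y1) = rows[-2], rows[-1]   # r_{i-2} and r_{i-1}
        q = r2 // r1                                       # q_{i-1}
        # (x_i, y_i) := (x_{i-2}, y_{i-2}) - q_{i-1} (x_{i-1}, y_{i-1})
        rows.append((r2 - q * r1, x2 - q * x1, y2 - q * y1))
    return rows


def egcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) >= 0 and a*x + b*y = d (Bezout's
    Identity) for any integers a, b; signs are handled by running on |a|, |b|."""
    rows = egcd_trace(abs(a), abs(b))
    d, x, y = rows[-2]                 # the row of the last non-zero remainder
    return d, (-x if a < 0 else x), (-y if b < 0 else y)


def format_trace(a, b):
    """Render egcd_trace(a, b) as the table used in Example 1.16."""
    rows = egcd_trace(a, b)
    lines = ["  i | r_{i-2} = r_{i-1} q_{i-1} + r_i | x_i | y_i"]
    for i, (r, x, y) in enumerate(rows):
        if i < 2:
            eqn = f"r_{i} = {r}"
        else:
            r2, r1 = rows[i - 2][0], rows[i - 1][0]
            eqn = f"{r2} = {r1} x {r2 // r1} + {r}"
        lines.append(f"{i:3} | {eqn:31} | {x:3} | {y:3}")
    return "\n".join(lines)


def bezout_holds(limit):
    """Check d = gcd(a, b) and a*x + b*y = d for all |a|, |b| < limit."""
    for a in range(-limit, limit):
        for b in range(-limit, limit):
            d, x, y = egcd(a, b)
            if d != gcd(a, b) or a * x + b * y != d:
                return False
    return True


if __name__ == "__main__":
    print(format_trace(841, 160))
    print(egcd(841, 160))   # (1, -39, 205), as in Example 1.16
```

Running egcd(841, 160) reproduces (1, −39, 205); egcd(0, 0) returns (0, 1, 0), matching the d = 0 case of Theorem 1.6, and egcd(a, 0) returns (a, 1, 0) without entering the loop.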

1.6 Primes
Definition 1.17. Prime and composite numbers in N:
(i) A number p ∈ N with p > 1 is prime if and only if its only divisors are
1 and p (i.e. if n ∈ N and n | p then n = 1 or n = p).
(ii) A number n ∈ N with n > 1 is composite if and only if it is not prime
(i.e. n = ab for some a, b ∈ N with a, b > 1).
Note that n = 1 is neither prime nor composite.
Proposition 1.18. If n ∈ N with n > 1 then n has a prime factor.
Proof. We use strong induction, i.e., we prove that if for all m ∈ N with
1 < m < n, m has a prime factor, then n has a prime factor.
Case (i): if n is prime, then n is a prime factor of n.
Case (ii): If n is composite then n = ab where a, b ∈ N with a, b > 1. So
1 < a < n. By the induction hypothesis, there is a prime p with p | a. Hence
p | a and a | n, so by the transitivity property of divisibility p | n.
Proposition 1.19. If n ∈ N with n > 1 then we can write n = p1 p2 · · · pk
where k ∈ N and p1 , . . . , pk are (not necessarily distinct) primes.
Proof. If n is prime then the result is clear. So suppose that n is composite.
Then by Proposition 1.18 n has a prime factor, i.e., n = p1 n1 where p1
is prime and n1 ∈ N with n1 > 1. If n1 is prime, we are done. If n1 is
composite, it has a prime factor p2 and we can write n1 = p2 n2 where n2 ∈ N
with n2 > 1. If n2 is prime, we are done, otherwise we take out another
prime factor and keep on going. The process does eventually terminate since
n > n1 > n2 > · · · > 1. Hence after at most n steps we obtain a prime
factorisation of n.

Example 1.20. We have 666 = 3 × 222 = 3 × 2 × 111 = 3 × 2 × 3 × 37.
Theorem 1.21. There are infinitely many primes.
Euclid’s proof. For a contradiction, assume {p1 , p2 , . . . , pn } is a complete list
of primes. Consider N := 1 + p1 p2 . . . pn ∈ N. Then N > 1 so by Proposition
1.18, N has a prime factor p. However, every prime is supposedly one of
p1 , . . . , pn , so p = pi for some i. Then p = pi | (p1 . . . pn ), so p | (N − 1).
However, we also have p | N and we can write 1 = N − (N − 1), so p | 1,
which is a contradiction.

1.7 The Fundamental Theorem of Arithmetic


Lemma 1.22. Let n ∈ Z. If a prime p does not divide n then gcd(p, n) = 1.
Proof. Let d = gcd(p, n). Then d | p so by definition of prime either d = 1
or d = p. But d | n so d ≠ p because p ∤ n. Hence d = 1.
Theorem 1.23 (Euclid’s Lemma for Primes). Let a, b ∈ Z and let p be a
prime. If p | ab then p | a or p | b.
Proof. Assume that p | ab and that p ∤ a. We shall prove that p | b. By
Lemma 1.22, gcd(p, a) = 1 so by Euclid’s Lemma (Theorem 1.11), p | b.
Remark 1.24. Euclid’s Lemma for Primes immediately generalises to several
factors: if p is prime and p | a1 a2 . . . ak then p | aj for some j.
Definition 1.25. Let n ∈ N and let p be a prime. Then

$v_p(n) := \max\{k \in \mathbb{N} \cup \{0\} : p^k \mid n\}.$

(Note that this set is always non-empty as it must contain 0; moreover, it is
clear that it is bounded above.) In other words, vp(n) is the unique non-negative
integer k such that p^k | n but p^{k+1} ∤ n. Equivalently, vp(n) = k if and only if
n = p^k n′ where n′ ∈ N and p ∤ n′. (For the right to left implication, use the
cancellation property of divisibility.)
Example 1.26. The following example illustrates the definition of vp(n).
• v2(720) = 4 because 720/16 = 45 is odd, so 2^4 | 720 but 2^5 ∤ 720.
• v3(720) = 2 because 3 ∤ 80 = 720/9, so 3^2 | 720 but 3^3 ∤ 720.
• v5(720) = 1 because 5 ∤ 144 = 720/5, so 5 | 720 but 5^2 ∤ 720.
• If p ≥ 7 then vp(720) = 0 because p ∤ 720.
Lemma 1.27. Let n, m ∈ N and let p be a prime. Then

vp (mn) = vp (m) + vp (n).

Proof. Let k = vp(m) and ℓ = vp(n). Then we can write m = p^k m′ where
p ∤ m′ and similarly n = p^ℓ n′ where p ∤ n′. Then mn = p^{k+ℓ} m′n′. By Euclid’s
Lemma for Primes, p ∤ m′n′. Therefore vp(mn) = k + ℓ.
Theorem 1.28 (The Fundamental Theorem of Arithmetic). Let n ∈ N with
n > 1. Then
(i) (Existence) The number n can be written as a product of primes.
(ii) (Uniqueness) Suppose that
n = p1 · · · pr = q1 · · · qs
where each pi and qj is prime. Assume further that
p1 ≤ p2 ≤ · · · ≤ pr and q1 ≤ q2 ≤ · · · ≤ qs .
Then r = s and pi = qi for all i.
Proof. The existence of a factorisation into primes is just Proposition 1.19.
Thus it remains to show uniqueness. Let ℓ be any prime. Then by Lemma
1.27 we have

$v_\ell(n) = v_\ell(p_1 \cdots p_r) = v_\ell(p_1) + \cdots + v_\ell(p_r).$

However,

$v_\ell(p_i) = \begin{cases} 1 & \text{if } \ell = p_i, \\ 0 & \text{if } \ell \neq p_i. \end{cases}$

Therefore
vℓ(n) = # of i for which ℓ = pi
= # of times ℓ appears in the factorisation n = p1 · · · pr.
Similarly,
vℓ(n) = # of times ℓ appears in the factorisation n = q1 · · · qs.
Thus every prime ` appears the same number of times in each factorisation,
giving the desired result.
Remark 1.29. Another way of interpreting this result is to say that for n ∈ N

$n = p_1^{v_{p_1}(n)} p_2^{v_{p_2}(n)} \cdots p_r^{v_{p_r}(n)}$

where p1, . . . , pr are the distinct prime factors of n. Note that we take the
empty product to be 1, which covers the case n = 1.
Lemma 1.30. Let $n = \prod_{i=1}^{r} p_i^{a_i}$ where each ai ∈ N ∪ {0} and the pi’s are
distinct primes. The set of positive divisors of n is the set of numbers of the
form $\prod_{i=1}^{r} p_i^{c_i}$ where 0 ≤ ci ≤ ai for i = 1, . . . , r.
Proof. Exercise.
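Definition 1.25, Lemma 1.27, the factorisation of Remark 1.29 and the divisor description of Lemma 1.30 can all be checked mechanically. The Python below is an added example, not code from the notes; v_p, factor, is_prime, divisors, valuation_is_additive and factorisation_reconstructs are my own names. Trial division is used because it mirrors the proof of Proposition 1.19 (peel off the smallest prime factor and continue); it is not meant to be fast for large n.

```python
def v_p(n, p):
    """p-adic valuation v_p(n) = max{k : p^k | n} of n >= 1 at the prime p
    (Definition 1.25), found by dividing p out until it no longer divides."""
    if n < 1:
        raise ValueError("expected n >= 1")
    k = 0
    while n % p == 0:
        n //= p
        k += 1
    return k


def factor(n):
    """Prime factorisation of n >= 1 by trial division, returned as {p: v_p(n)}.
    The smallest prime factor is removed repeatedly, as in the proof of
    Proposition 1.19; factor(1) == {} is the empty product of Remark 1.29."""
    if n < 1:
        raise ValueError("expected n >= 1")
    factors = {}
    p = 2
    while p * p <= n:
        k = v_p(n, p)            # k > 0 only when p is prime: smaller primes are gone
        if k:
            factors[p] = k
            n //= p ** k
        p += 1
    if n > 1:                    # the cofactor has no divisor <= sqrt(n), so it is prime
        factors[n] = 1
    return factors


def is_prime(n):
    """n > 1 whose only factorisation is n itself (Definition 1.17)."""
    return n > 1 and factor(n) == {n: 1}


def divisors(n):
    """All positive divisors of n >= 1 in increasing order, built from the
    factorisation as Lemma 1.30 describes: choose 0 <= c_i <= a_i for each p_i."""
    divs = [1]
    for p, a in factor(n).items():
        divs = [d * p ** c for d in divs for c in range(a + 1)]
    return sorted(divs)


def valuation_is_additive(p, limit):
    """Lemma 1.27: v_p(mn) = v_p(m) + v_p(n), checked for 1 <= m, n < limit."""
    return all(v_p(m * n, p) == v_p(m, p) + v_p(n, p)
               for m in range(1, limit) for n in range(1, limit))


def factorisation_reconstructs(limit):
    """Multiplying out factor(n) gives n back, with every key prime, for n < limit."""
    for n in range(1, limit):
        m = 1
        for p, k in factor(n).items():
            if not is_prime(p):
                return False
            m *= p ** k
        if m != n:
            return False
    return True


if __name__ == "__main__":
    print(factor(720), factor(666))     # {2: 4, 3: 2, 5: 1} {2: 1, 3: 2, 37: 1}
    print(divisors(720))
```

factor(720) returns {2: 4, 3: 2, 5: 1}, agreeing with the three valuations worked out in Example 1.26, and divisors(720) has (4+1)(2+1)(1+1) = 30 elements, one for each choice of exponents in Lemma 1.30.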

2 Modular Arithmetic
2.1 Congruences
Definition 2.1. Suppose a, b ∈ Z and n ∈ N. We write a ≡ b mod n (or
a ≡ b (mod n)), and say ‘a is congruent to b mod n’, if and only if n | (a − b).
If n ∤ (a − b) we write a ≢ b mod n and say that ‘a and b are incongruent
mod n’.

Remark 2.2. In particular, a ≡ 0 mod m if and only if m | a.


Examples 2.3. (i) 4 ≡ 30 mod 13 since 13 | (4 − 30) = −26.
(ii) 17 ≢ −17 mod 4 since 17 − (−17) = 34 but 4 ∤ 34.
(iii) n is even if and only if n ≡ 0 mod 2.
(iv) n is odd if and only if n ≡ 1 mod 2.
(v) a ≡ b mod 1 for every a, b ∈ Z.

Proposition 2.4. Let n ∈ N. Being congruent mod n is an equivalence
relation, i.e., the relation is:
(i) Reflexive: For all a ∈ Z we have a ≡ a mod n.
(ii) Symmetric: Let a, b ∈ Z. If a ≡ b mod n then b ≡ a mod n.
(iii) Transitive: Let a, b, c ∈ Z. If a ≡ b mod n and b ≡ c mod n then
a ≡ c mod n.

Proof. The proof follows at once from the following properties of divisibility:
(i) n | 0.
(ii) If n | (a − b) then n | (b − a).
(iii) If n | (a − b) and n | (b − c) then n | (a − b) + (b − c) = (a − c).

Proposition 2.5. Congruences respect addition, subtraction and multiplication.
Let n ∈ N and let a, b, α, β ∈ Z. Suppose that a ≡ α mod n and
b ≡ β mod n. Then
(i) a + b ≡ α + β mod n,
(ii) a − b ≡ α − β mod n, and
(iii) ab ≡ αβ mod n.
Moreover, if f (x) ∈ Z[x] then f (a) ≡ f (α) mod n.

Proof. We will check that ab ≡ αβ mod n; the rest is an exercise. Since
a ≡ α mod n, we have n | (a − α) and so a = α + ns for some s ∈ Z.
Similarly, b = β + nt for some t ∈ Z. Hence

ab = (α + ns)(β + nt) = αβ + n(sβ + tα + nst)

and so n | (ab − αβ). Therefore ab ≡ αβ mod n, as required.

Example 2.6. Let n ∈ N and write n in decimal notation

$n = \sum_{i=0}^{k} a_i \times 10^i$ where 0 ≤ ai ≤ 9 and ai ∈ N ∪ {0} for all i.

Define f(x) by

$f(x) = \sum_{i=0}^{k} a_i x^i.$

Then, since 10 ≡ −1 mod 11, we see that n = f (10) ≡ f (−1) mod 11,
whence 11 | n ⇐⇒ 11 | f (−1) ⇐⇒ 11 | (a0 − a1 + a2 − a3 + . . . + (−1)k ak ).
This gives an easy way to test integers for divisibility by 11.
Example 2.7. Does the equation x² − 3y² = 2 have a solution with x, y ∈ Z?
Let x, y ∈ Z. Note that x² − 3y² ≡ x² mod 3. Now x ≡ 0, 1 or 2 mod 3, so
x² ≡ 0, 1 or 4 mod 3. But 4 ≡ 1 mod 3 so in fact x² ≡ 0 or 1 mod 3. Hence
x² − 3y² ≡ x² ≢ 2 mod 3 and so x² − 3y² ≠ 2.

Theorem 2.8. There are infinitely many primes p with p ≡ 3 mod 4.

Proof. If p is a prime then p ≡ 0, 1, 2 or 3 mod 4. But p ≢ 0 mod 4 because
4 ∤ p. If p ≡ 2 mod 4 then p = 4k + 2 for some k ∈ Z so 2 | p and so in fact
p = 2. Therefore there are three types of primes:
(i) p = 2,
(ii) p ≡ 1 mod 4,
(iii) p ≡ 3 mod 4.
Let N ∈ N. It suffices to show that there exists a type (iii) prime with
p > N . Let M = 4(N !) − 1. Then M ≥ 3 and so by the existence statement
of Fundamental Theorem of Arithmetic (i.e. Proposition 1.19) M has a prime
factorisation M = p1 p2 · · · pk . If p is a prime such that p ≤ N then M ≡
−1 mod p so p - M . Hence pj > N for all j. Moreover, pj 6= 2 for all j because
M is odd. Therefore for each j we have pj ≡ 1 or 3 mod 4. If pj ≡ 3 mod 4
for any j then we are done. If this is not the case then pj ≡ 1 mod 4 for
all j, and so M ≡ 1 × · · · × 1 ≡ 1 mod 4; but by definition of M we have
M ≡ −1 ≡ 3 mod 4, a contradiction.
Remark 2.9. Congruences do not respect division. For example, 4 ≡ 14 mod
10 but 2 ≢ 7 mod 10.

Proposition 2.10. Let a, b, s ∈ Z and d, n ∈ N.
(i) If a ≡ b mod n and d | n then a ≡ b mod d.
(ii) Suppose s ≠ 0. Then a ≡ b mod n if and only if as ≡ bs mod ns.

Proof. (i) follows from the transitivity property of divisibility; (ii) follows
from the multiplication and cancellation properties.

Theorem 2.11 (Cancellation Law for Congruences). Let a, b, c ∈ Z and
n ∈ N. Let d = gcd(c, n). Then ac ≡ bc mod n ⇐⇒ a ≡ b mod n/d. In
particular, if n and c are coprime, then ac ≡ bc mod n ⇐⇒ a ≡ b mod n.

Proof. Since d = gcd(c, n), we may write n = dn′ and c = dc′ where n′, c′ ∈ Z.
Suppose ac ≡ bc mod n. Then n | c(a − b) and hence the cancellation
property of divisibility gives n′ | c′(a − b). However, gcd(n′, c′) = 1 and so
n′ | (a − b) by Euclid’s Lemma. Thus a ≡ b mod n′.
Suppose conversely that a ≡ b mod n′. Then n′ | (a − b) and so n | d(a − b).
But d | c so d(a − b) | c(a − b) and thus n | c(a − b) by the transitive property
of divisibility. Thus ac ≡ bc mod n.

Proposition 2.12. Let a, m, n ∈ Z. If m and n are coprime and if m | a
and n | a then mn | a.

Proof. Since m | a we can write a = mc for some c ∈ Z. Now n | a = mc
and gcd(m, n) = 1 so by Euclid’s Lemma, n | c. Thus by the multiplicative
property of divisibility, mn | mc = a.

Corollary 2.13. Let m, n ∈ N be coprime and let a, b ∈ Z. If a ≡ b mod m
and a ≡ b mod n then a ≡ b mod mn.

Proof. We have n | (a − b) and m | (a − b). Since m and n are coprime we
therefore have mn | (a − b) by Proposition 2.12, i.e., a ≡ b mod mn.

2.2 Residue classes and complete residue systems


Proposition 2.14. Let a, b ∈ Z and n ∈ N. If a ≡ b mod n and |b − a| < n
then a = b.

Proof. Since n | (a − b), by the comparison property of divisibility we have
n ≤ |a − b| unless a − b = 0.
Recall from Proposition 2.4 that congruence mod n is an equivalence relation.

Definition 2.15. Consider a fixed modulus n ∈ N. For a ∈ Z we write [a]n
for the equivalence class of a mod n. Thus

[a]n = {x ∈ Z | x ≡ a mod n} = {a + qn | q ∈ Z}.

This is called the residue class of a modulo n.

Example 2.16. Consider the case n = 2. Then

[0]2 = {x ∈ Z | x ≡ 0 mod 2} = {the even integers},
[1]2 = {x ∈ Z | x ≡ 1 mod 2} = {the odd integers}.

To understand the results in this section, it is often helpful to think of the
case n = 2 and odd and even integers.
Proposition 2.17. Let n ∈ N. The n residue classes [0]n , [1]n , . . . , [n − 1]n
are disjoint and their union is the set of all integers. In other words, every
x ∈ Z is congruent modulo n to precisely one element of {0, 1, 2, . . . , n − 1}.
Proof. The integers 0, 1, 2, . . . , n−1 are incongruent modulo n by Proposition
2.14. Hence the residue classes [0]n , [1]n , . . . , [n − 1]n are distinct and thus
disjoint (recall that distinct equivalences classes are always disjoint). Now
every integer x must be in exactly one of these classes because by the Division
Algorithm we can write x = qn + r where 0 ≤ r < n, so x ≡ r mod n and
hence x ∈ [r]n .
Definition 2.18. Let n ∈ N. If S is a subset of Z containing exactly one
element of each residue class modulo n we say that S is a complete residue
system modulo n.
Remark 2.19. Proposition 2.17 says that S = {0, 1, 2, . . . , n−1} is a complete
residue system modulo n. Note that if S is any complete residue system
modulo n we must have |S| = n because Proposition 2.17 shows that there
are precisely n residue classes modulo n. In fact, any set consisting of n
integers, incongruent modulo n, is a complete residue system modulo n.
Examples 2.20. Let n ∈ N. Then

{0, 1, . . . , n − 1},
{1, . . . , n},
{1, n + 2, 2n + 3, 3n + 4, . . . , n2 },
{x ∈ Z | −n/2 < x ≤ n/2},

are all complete residue systems modulo n.


Proposition 2.21. Let n ∈ N and k ∈ Z. Assume k and n are coprime. If
{a1 , . . . , an } is a complete residue system modulo n then so is {ka1 , . . . , kan }.
Proof. If kai ≡ kaj mod n then by the cancellation law for congruences (The-
orem 2.11) we have ai ≡ aj mod n since gcd(k, n) = 1. Therefore no two
(distinct) elements in the set {ka1 , . . . , kan } are congruent modulo n. Since
there are n elements in this set, it forms a complete residue system.

Example 2.22. The set {0, 1, 2, 3, 4} is a complete residue system mod 5. Now
gcd(2, 5) = 1 so {2 × 0, 2 × 1, 2 × 2, 2 × 3, 2 × 4} = {0, 2, 4, 6, 8} is also a
complete residue system mod 5.

2.3 Linear Congruences


The most basic congruences are linear congruences, i.e., those of the form

ax ≡ b mod n

to be solved for x. When the modulus n is small we can just use brute force,
i.e., just try every possible value of x mod n. However, this quickly becomes
impractical as n increases.
Theorem 2.23 (Linear congruences with exactly one solution). Let a, b ∈ Z
and let n ∈ N. Suppose that a and n are coprime. Then the linear congruence

ax ≡ b mod n (1)

has exactly one solution.


Proof. We need only test the numbers 1, 2, . . . , n since they constitute a
complete residue system. Therefore we consider the products a, 2a, . . . , na.
Since a and n are coprime, Proposition 2.21 shows that these numbers also
constitute a complete system of residues modulo n. Hence exactly one of
the elements of this set is congruent to b modulo n. In other words, there is
exactly one x satisfying (1).
Example 2.24. Let a = 160, b = 3 and n = 841. That is, we wish to solve

160x ≡ 3 mod 841. (2)

Applying the Extended Euclidean Algorithm in this case shows that

gcd(160, 841) = 1 = 160 × 205 + 841 × (−39). (3)

(We did this calculation in Example 1.16.) Thus by Theorem 2.23 there is
exactly one solution. Moreover, reducing equation (3) mod 841 gives

160 × 205 ≡ 1 mod 841

and so multiplying through by 3 gives

160 × (205 × 3) ≡ 160 × 615 ≡ 3 mod 841.

Therefore x := 205 × 3 = 615 is the unique solution to (2) modulo 841.

Theorem 2.25 (Solubility of a linear congruence). Let a, b ∈ Z and let
n ∈ N. Then the linear congruence

ax ≡ b mod n (4)

has one or more solutions if and only if gcd(a, n) | b.


Proof. By definition, the congruence (4) is soluble if and only if n | (b − ax)
for some x ∈ Z, and this is true if and only if b − ax = ny for some x, y ∈ Z.
Hence (4) is soluble if and only if

ax + ny = b

for some x, y ∈ Z. Therefore the result now follows from Theorem 1.12
(solubility of linear equations in the integers).
Theorem 2.26. Let a, b ∈ Z and let n ∈ N. Let d = gcd(a, n). Suppose that
d | b and write a = da′, b = db′ and n = dn′. Then the linear congruence

ax ≡ b mod n (5)

has exactly d solutions modulo n. These are given by

t, t + n′, t + 2n′, . . . , t + (d − 1)n′, (6)

where t is the unique solution, modulo n′, of the linear congruence

a′x ≡ b′ mod n′. (7)

Proof. Every solution of (5) is a solution of (7) and vice versa by Proposition
2.10. Since a′ and n′ are coprime, (7) has exactly one solution t modulo n′
by Theorem 2.23. Thus the d numbers in (6) are solutions of (7) and hence
of (5). No two of these are congruent modulo n since the relations

t + rn′ ≡ t + sn′ mod n with 0 ≤ r < d, 0 ≤ s < d

imply
rn′ ≡ sn′ mod n, and hence r ≡ s mod d,
where the last implication follows from Proposition 2.10 (note n/n′ = d).
But 0 ≤ |r − s| < d so r = s by Proposition 2.14.
It remains to show that (5) has no solutions other than those listed in (6).
If y is a solution of (5) then ay ≡ b mod n. But we also have at ≡ b mod n
and so ay ≡ at mod n. Thus y ≡ t mod n′ by the cancellation law for
congruences (Theorem 2.11). Hence y = t + kn′ for some k ∈ Z. But

r ≡ k mod d for some r ∈ Z such that 0 ≤ r < d. Therefore by Proposition
2.10 we have

kn′ ≡ rn′ mod n, and so y ≡ t + rn′ mod n.

Therefore y is congruent modulo n to one of the numbers in (6).


Algorithm 2.27 (How to solve general linear congruences). Let a, b ∈ Z
and let n ∈ N. Suppose we wish to solve the linear congruence

ax ≡ b mod n. (8)

First apply the Extended Euclidean Algorithm to compute d := gcd(a, n) and
find x′, y′ ∈ Z such that
ax′ + ny′ = d. (9)
If d ∤ b then there are no solutions by Theorem 2.25. Otherwise, there are
exactly d solutions modulo n by Theorem 2.26, which we can find as follows.
Write a = da′, b = db′ and n = dn′. Dividing (9) through by d gives

a′x′ + n′y′ = 1.

Thus reducing mod n′ gives a′x′ ≡ 1 mod n′ and multiplying through by b′
gives a′(b′x′) ≡ b′ mod n′. Therefore t := b′x′ is the unique solution to a′x ≡
b′ mod n′ (the solution is unique because gcd(a′, n′) = 1). Now by Theorem
2.26 the solutions to (8) are t, t + n′, t + 2n′, . . . , t + (d − 1)n′.
Example 2.28. Let a = 33, b = 21 and n = 54. That is, we wish to solve

33x ≡ 21 mod 54. (10)

We apply the Extended Euclidean Algorithm as follows (with r0 = 54 = n and
r1 = 33 = a, so that each row satisfies ri = a xi + n yi).

  i | r_{i−2} = r_{i−1} q_{i−1} + r_i | x_i | y_i
  0 | r_0 = 54                        |   0 |   1
  1 | r_1 = 33                        |   1 |   0
  2 | 54 = 33 × 1 + 21                |  −1 |   1
  3 | 33 = 21 × 1 + 12                |   2 |  −1
  4 | 21 = 12 × 1 + 9                 |  −3 |   2
  5 | 12 = 9 × 1 + 3                  |   5 |  −3
  6 | 9 = 3 × 3 + 0                   |     |

Therefore

gcd(54, 33) = 3 = ax5 + ny5 = 33 × 5 + 54 × (−3). (11)

Thus there are exactly 3 solutions. Moreover, we have a′ = 11, b′ = 7 and
n′ = 18 and we may take x′ = 5 and y′ = −3. Hence
1 = a′x′ + n′y′ = 11 × 5 + 18 × (−3).
Reducing mod n′ = 18 gives
11 × 5 ≡ 1 mod 18
and multiplying through by b′ = 7 gives
11 × (7 × 5) ≡ 7 mod 18.
Hence t ≡ 7 × 5 ≡ 35 ≡ 17 mod 18 is the unique solution to
11x ≡ 7 mod 18.
Therefore the set of solutions to (10) modulo 54 is
{17, 17 + (1 × 18), 17 + (2 × 18)} = {17, 35, 53}.
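Algorithm 2.27, together with the solubility test of Theorem 2.25 and the count of Theorem 2.26, fits in one short function. The Python below is an added example and not code from the notes; solve_linear_congruence, solve_by_brute_force and solver_matches_brute_force are my own names. One substitution is made: the coefficient x′ that the notes obtain from the Extended Euclidean Algorithm is produced here by Python's built-in modular inverse pow(a′, −1, n′) (available from Python 3.8), which computes the same thing. The brute-force routine is the "try every residue" method mentioned at the start of Section 2.3 and serves only to cross-check the result.

```python
from math import gcd


def solve_linear_congruence(a, b, n):
    """All solutions x in {0, 1, ..., n-1} of a*x = b (mod n), following Algorithm 2.27.

    Returns [] when gcd(a, n) does not divide b (Theorem 2.25); otherwise exactly
    d = gcd(a, n) solutions t, t + n', ..., t + (d-1) n' (Theorem 2.26)."""
    if n < 1:
        raise ValueError("modulus must be a positive integer")
    d = gcd(a, n)
    if b % d != 0:
        return []
    a1, b1, n1 = a // d, b // d, n // d          # a', b', n' with gcd(a', n') = 1
    # x' with a' x' = 1 (mod n').  pow(a1, -1, n1) is Python's built-in modular
    # inverse and stands in for the Bezout coefficient of equation (9).  When
    # n' = 1 every residue solves (7) and pow(..., -1, 1) correctly returns 0.
    x1 = pow(a1, -1, n1)
    t = (b1 * x1) % n1                            # unique solution of a' x = b' (mod n')
    return [t + k * n1 for k in range(d)]         # the d solutions listed in (6)


def solve_by_brute_force(a, b, n):
    """Try every residue mod n, as the notes suggest for small n."""
    return [x for x in range(n) if (a * x - b) % n == 0]


def solver_matches_brute_force(limit):
    """Cross-check the two methods for all 0 <= a, b < limit and 1 <= n < limit."""
    return all(solve_linear_congruence(a, b, n) == solve_by_brute_force(a, b, n)
               for n in range(1, limit) for a in range(limit) for b in range(limit))


if __name__ == "__main__":
    print(solve_linear_congruence(33, 21, 54))    # [17, 35, 53], as in Example 2.28
    print(solve_linear_congruence(160, 3, 841))   # [615], as in Example 2.24
```

For 33x ≡ 21 mod 54 the function finds d = 3, a′ = 11, b′ = 7, n′ = 18, x′ = 5 and t = 17, and returns [17, 35, 53], matching Example 2.28; for 2x ≡ 3 mod 4 it returns [] because gcd(2, 4) ∤ 3.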

2.4 The ring Z/nZ and its units


Definition 2.29. Let n ∈ N. We write Z/nZ = {[a]n : 0 ≤ a ≤ n − 1} (so
that # (Z/nZ) = n). We set [a]n + [b]n := [a + b]n and [a]n [b]n := [ab]n . (Note
that Proposition 2.5 shows that these operations are well-defined).
Lemma 2.30. The set Z/nZ, with the above operations, is a commutative
ring with 0 = [0]n and 1 = [1]n .
Proof. Omitted and non-examinable.
Definition 2.31. Let n ∈ N. We write
(Z/nZ)× = {[a]n ∈ Z/nZ : ∃[b]n ∈ Z/nZ such that [a]n [b]n = [1]n }.
This is the set of units of Z/nZ, and is an abelian group under multiplication
(check this!)
Proposition 2.32 (Units of Z/nZ). Let n ∈ N and a ∈ Z. Then [a]n ∈
(Z/nZ)× if and only if gcd(a, n) = 1.
Proof. If [a]n ∈ (Z/nZ)× then the linear congruence ax ≡ 1 mod n has a
solution, and so by Theorem 2.25 (solubility of a linear congruence) we have
gcd(a, n) | 1. But n > 0 so in fact gcd(a, n) = 1.
Suppose conversely that gcd(a, n) = 1. Then by Theorem 2.23 (linear
congruences with exactly one solution), the congruence ax ≡ 1 mod n has
exactly one solution, and so [a]n ∈ (Z/nZ)× .

Definition 2.33. Let n ∈ N and let a ∈ Z such that gcd(a, n) = 1. Then
the unique solution to ax ≡ 1 mod n is called the multiplicative inverse of a
modulo n and is denoted $[a]_n^{-1} = [a^{-1}]_n$ or $a^{-1} \bmod n$.

Example 2.34. (Z/12Z)^× = {[1]12, [5]12, [7]12, [11]12}.

2.5 Chinese Remainder Theorem


Theorem 2.35 (Chinese Remainder Theorem, a special case). Let n, m ∈ N
be coprime and let a, b ∈ Z be given. Then the pair of linear congruences
x ≡ a mod m
x ≡ b mod n
has a solution x ∈ Z. Moreover, if x0 is any other solution then we have
x0 ≡ x mod mn.
Proof. Since n and m are coprime there exist a′, b′ ∈ Z such that a′n ≡
1 mod m and b′m ≡ 1 mod n (use Theorem 2.23 or Theorem 2.25). Define
x := aa′n + bb′m. Then x ≡ aa′n ≡ a mod m and x ≡ bb′m ≡ b mod n.
Hence x is a solution to the given pair of linear congruences.
Suppose x′ ≡ a mod m and x′ ≡ b mod n. Then m | (x − x′) and n |
(x − x′). Since m and n are coprime, it now follows from Proposition 2.12
that mn | (x′ − x). Hence x ≡ x′ mod nm.
Remark 2.36. We have used that m and n are coprime twice in the above
proof. This hypothesis is necessary because, for example, the pair of congru-
ences x ≡ 2 mod 12, x ≡ 4 mod 20 has no solution.
Example 2.37. Solve the following system of congruences:
x ≡ 2 mod 3,
x ≡ 3 mod 7.
Note that 3 and 7 are indeed coprime because they are distinct primes.
Following the proof, we set a = 2, m = 3, b = 3, n = 7. We have mn =
3 × 7 = 21 and
7a′ ≡ 1 mod 3 =⇒ take a′ = 1,
3b′ ≡ 1 mod 7 =⇒ take b′ = 5.
(Note that in more complicated situations we can use the Extended Euclidean
Algorithm to compute multiplicative inverses modulo m and n.) Therefore
x = aa′n + bb′m = (2 × 1 × 7) + (3 × 5 × 3) = 14 + 45 = 59,
and the smallest positive integer solution is 17 ≡ 59 mod 21.

Theorem 2.38 (Chinese Remainder Theorem). Let n1, n2, . . . , nt ∈ N with
gcd(ni, nj) = 1 whenever i ≠ j, (i.e. the ni are “coprime in pairs”) and let
a1, a2, . . . , at ∈ Z be given. Then the system of congruences

x ≡ a1 mod n1
⋮
x ≡ at mod nt

has a solution x ∈ Z. Moreover, if x′ is any other solution, then x′ ≡
x mod N, where N := n1 · · · nt.

Proof. Define Ni := N/ni . Then gcd(Ni , ni ) = 1, since ni is coprime to


all the factors of Ni . Hence by Theorem 2.23 (or by Theorem 2.25) there
exists xi ∈ Z such that Ni xi ≡ 1 mod ni . Define x := ti=1 ai Ni xi . Thus
P
x ≡ ak Nk xk mod nk since nk | Ni for all i 6= k. Therefore x ≡ ak (Nk xk ) ≡
ak mod nk for all k.
Suppose x0 ≡ ak mod nk for all k. Then x0 ≡ x mod nk for all k. Thus
nk | (x0 − x) for all k. Since the ni are pairwise coprime it now follows
from Proposition 2.12 that N := n1 n2 · · · nt | (x0 − x). This yields x0 ≡
x mod N .
Example 2.39. Solve the following system of congruences:

x ≡ 2 mod 3,
x ≡ 3 mod 5,
x ≡ 2 mod 7.

Note that 3, 5 and 7 are indeed coprime in pairs because they are distinct
primes. Following the proof, we put N := 3 × 5 × 7 = 105, N_1 = 35, N_2 = 21,
N_3 = 15 and we have

35x_1 ≡ 1 mod 3 =⇒ take x_1 = 2,
21x_2 ≡ 1 mod 5 =⇒ take x_2 = 1,
15x_3 ≡ 1 mod 7 =⇒ take x_3 = 1.

(Note that in more complicated situations we can use the Extended Euclidean
Algorithm to compute multiplicative inverses modulo n.) Therefore

x = 2N_1 x_1 + 3N_2 x_2 + 2N_3 x_3 = (2 × 35 × 2) + (3 × 21 × 1) + (2 × 15 × 1) = 233,

and the smallest positive integer solution is 23 ≡ 233 mod 105.

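As an added example (not part of the original notes), the following Python code implements the construction in the proof of Theorem 2.38 and reproduces Examples 2.37 and 2.39; the function names are my own, and the modular inverse is obtained with Python's built-in pow(·, −1, n) rather than a hand-written Extended Euclidean Algorithm.

```python
"""Chinese Remainder Theorem solver following the construction in the
proof of Theorem 2.38.  Added example; not part of the original notes."""
from math import gcd, prod


def pairwise_coprime(moduli):
    """True iff gcd(n_i, n_j) = 1 for all i != j (hypothesis of Theorem 2.38)."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt(residues, moduli):
    """Return the unique x with 0 <= x < N and x ≡ a_i (mod n_i) for every i,
    where N = n_1 ... n_t.  As in the proof: N_i = N/n_i, x_i is an inverse
    of N_i modulo n_i, and x = sum of a_i N_i x_i.  Raises ValueError when the
    moduli are not coprime in pairs, since then a solution need not exist
    (Remark 2.36: x ≡ 2 mod 12, x ≡ 4 mod 20 has none)."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need one residue per modulus")
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be coprime in pairs")
    N = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = N // n_i              # coprime to n_i, hence invertible mod n_i
        x_i = pow(N_i, -1, n_i)     # N_i * x_i ≡ 1 (mod n_i)
        x += a_i * N_i * x_i
    return x % N                    # every solution is congruent to this mod N


def satisfies_all(x, residues, moduli):
    """Independent check that x solves every congruence of the system."""
    return all((x - a) % n == 0 for a, n in zip(residues, moduli))


if __name__ == "__main__":
    print(crt([2, 3], [3, 7]))          # Example 2.37 -> 17
    print(crt([2, 3, 2], [3, 5, 7]))    # Example 2.39 -> 23
```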
2.6 Euler ϕ-function
Definition 2.40. For n ∈ N, we define Euler’s totient function, or the ϕ-
function, by

ϕ(n) := #{a ∈ N : 1 ≤ a ≤ n, gcd(a, n) = 1}.

Remark 2.41. ϕ(1) = 1 and for p prime, ϕ(p) = #{1, 2, 3, . . . , p − 1} = p − 1.


Remark 2.42. By Proposition 2.32 and the fact that {1, 2, . . . , n} is a com-
plete residue system modulo n, we have that ϕ(n) = # (Z/nZ)× . Note that
since gcd(0, n) = gcd(n, n) = n for n ∈ N, we also have

ϕ(n) = #{a ∈ Z : 0 ≤ a < n, gcd(a, n) = 1}.

Theorem 2.43. Let m, n ∈ N be coprime. Then ϕ(mn) = ϕ(m)ϕ(n).


Proof. Let a ∈ Z with 0 ≤ a < mn and define b, c ∈ Z by

a ≡ b mod m and a ≡ c mod n,

where 0 ≤ b < m and 0 ≤ c < n. The Chinese Remainder Theorem tells us


that there is a bijective correspondence between choices of a and choices of
pairs (b, c). We now show that gcd(a, mn) = 1 ⇔ gcd(b, m) = gcd(c, n) = 1.
We shall use Proposition 2.32 (units of Z/nZ) several times.
Suppose gcd(a, mn) = 1. Then the congruence ax ≡ 1 mod mn has a
solution r ∈ Z, i.e., ar ≡ 1 mod mn. By Proposition 2.10 (i) we have ar ≡
1 mod m since m | mn. Hence br ≡ ar ≡ 1 mod m and so the congruence
bx ≡ 1 mod m is soluble; thus gcd(b, m) = 1. Similarly, gcd(c, n) = 1.
Suppose conversely that gcd(b, m) = gcd(c, n) = 1. The congruences
bx ≡ 1 mod m and cy ≡ 1 mod n are soluble so there exist s, t ∈ Z such
that bs ≡ 1 mod m and ct ≡ 1 mod n. Since m and n are coprime, by the
Chinese Remainder Theorem there exists r ∈ Z such that r ≡ s mod m and
r ≡ t mod n. Hence ar ≡ bs ≡ 1 mod m and ar ≡ ct ≡ 1 mod n and so
x = ar is the solution to the simultaneous linear equations

x ≡ 1 mod m and x ≡ 1 mod n.

By the Chinese Remainder Theorem ar ≡ 1 mod mn. Hence gcd(a, mn) = 1.


Therefore the number of integers a with 0 ≤ a < mn which are coprime
to mn, i.e. ϕ(mn), is equal to the number of pairs of integers (b, c) with
0 ≤ b < m, gcd(b, m) = 1 and 0 ≤ c < n, gcd(c, n) = 1, i.e., ϕ(m)ϕ(n).
Theorem 2.44. Let p be prime and let r ∈ N. Then

ϕ(p^r) = p^r − p^{r−1} = p^{r−1}(p − 1).

Proof. For all m ∈ N, either gcd(p^r, m) = 1 or p | m (but not both). Thus

ϕ(p^r) = #{m ∈ N : m ≤ p^r, p ∤ m}
= #{m ∈ N : m ≤ p^r} − #{m ∈ N : m ≤ p^r, p | m}
= p^r − p^{r−1} = p^{r−1}(p − 1).

Examples 2.45. We can use these theorems to compute ϕ(n) as follows:

• ϕ(10) = ϕ(2 × 5) = ϕ(2)ϕ(5) = (2 − 1)(5 − 1) = 1 × 4 = 4.
• ϕ(12) = ϕ(2^2 × 3) = ϕ(2^2)ϕ(3) = (2^2 − 2)(3 − 1) = 2 × 2 = 4.
• ϕ(100) = ϕ(2^2 × 5^2) = ϕ(2^2)ϕ(5^2) = (2^2 − 2)(5^2 − 5) = 2 × 20 = 40.
• ϕ(1001) = ϕ(11 × 91) = ϕ(11)ϕ(91) = 10ϕ(7 × 13) = 10ϕ(7)ϕ(13) = 10 × 6 × 12 = 720.

Proposition 2.46. Let n ∈ N. By the Fundamental Theorem of Arithmetic,
we may write n = p_1^{e_1} · · · p_r^{e_r} where the p_i are distinct primes and each
e_i ∈ N. Then

ϕ(n) = ∏_{i=1}^{r} (p_i − 1) p_i^{e_i − 1}.

Proof. By Theorems 2.43 and 2.44 we have

ϕ(n) = ϕ(p_1^{e_1} · · · p_r^{e_r}) = ∏_{i=1}^{r} ϕ(p_i^{e_i}) = ∏_{i=1}^{r} (p_i^{e_i} − p_i^{e_i − 1}) = ∏_{i=1}^{r} (p_i − 1) p_i^{e_i − 1}.

Corollary 2.47. Let n ∈ N. Then

ϕ(n) = n ∏_{p | n} (1 − 1/p)

where the product runs over all distinct prime divisors of n.

Proof. From the above we have

ϕ(n) = ∏_{i=1}^{r} (p_i − 1) p_i^{e_i − 1} = ∏_{i=1}^{r} p_i^{e_i} (1 − p_i^{−1}) = n ∏_{i=1}^{r} (1 − p_i^{−1}) = n ∏_{p | n} (1 − 1/p).

Proposition 2.48. For any n ∈ N we have Σ_{d | n} ϕ(d) = n.

Proof. We classify the elements of {1, 2, . . . , n} according to their greatest
common divisor with n. Thus

{a ∈ N : a ≤ n} = ⋃_{d | n} {a ∈ N : a ≤ n, gcd(n, a) = d} (disjoint union).

Hence n = Σ_{d | n} R_d where R_d := #{a ∈ N : 1 ≤ a ≤ n, gcd(n, a) = d}. If
d | n then we can write n = dn′ with n′ ∈ N and by the distributive law for
gcd’s (Proposition 1.9 (iii)) we have gcd(n, a) = d if and only if a = da′ with
gcd(n′, a′) = 1. Moreover, a ≤ n if and only if a′ ≤ n′. It follows that

R_d = #{a′ ∈ N : 1 ≤ a′ ≤ n′, gcd(n′, a′) = 1},

and hence R_d = ϕ(n′). Therefore n = Σ_{d | n} ϕ(n/d). However, when d | n we
have n = d · (n/d); thus when d runs over the positive divisors of n, so does
e = n/d, and therefore we have n = Σ_{e | n} ϕ(e).
Example 2.49. For n = 12 we have

ϕ(1) + ϕ(2) + ϕ(3) + ϕ(4) + ϕ(6) + ϕ(12) = 1 + 1 + 2 + 2 + 2 + 4 = 12.
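An added Python example, not from the notes, that computes ϕ(n) both from Definition 2.40 and from the formula of Proposition 2.46, and checks Theorem 2.43 and Proposition 2.48 numerically; the trial-division factorisation and all function names are my own.

```python
"""Euler's phi-function computed two ways, with numerical checks of the
identities in Section 2.6.  Added example; not part of the original notes."""
from math import gcd


def phi_by_definition(n):
    """Definition 2.40: the number of 1 <= a <= n with gcd(a, n) = 1."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def prime_factorisation(n):
    """[(p_1, e_1), ..., (p_r, e_r)] with n = p_1^e_1 ... p_r^e_r, by trial
    division (adequate for the sizes of n that appear in the notes)."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def phi_by_factorisation(n):
    """Proposition 2.46: phi(n) = product over i of (p_i - 1) p_i^(e_i - 1)."""
    result = 1
    for p, e in prime_factorisation(n):
        result *= (p - 1) * p ** (e - 1)
    return result


def multiplicativity_holds(m, n):
    """Theorem 2.43 asserts phi(mn) = phi(m) phi(n) for coprime m, n; this
    returns whether the equality holds, so it also exposes that the coprime
    hypothesis is needed (e.g. m = n = 2)."""
    return phi_by_definition(m * n) == phi_by_definition(m) * phi_by_definition(n)


def divisor_sum_of_phi(n):
    """Left-hand side of Proposition 2.48: sum of phi(d) over all d | n."""
    return sum(phi_by_factorisation(d) for d in range(1, n + 1) if n % d == 0)


def check_identities(limit):
    """For every 1 <= n <= limit: the two phi computations agree and
    sum_{d | n} phi(d) = n.  Returns True if every check passes."""
    for n in range(1, limit + 1):
        if phi_by_definition(n) != phi_by_factorisation(n):
            return False
        if divisor_sum_of_phi(n) != n:
            return False
    return True


if __name__ == "__main__":
    for n in (10, 12, 100, 1001):                 # Examples 2.45
        print(n, phi_by_factorisation(n))         # 4, 4, 40, 720
    print(divisor_sum_of_phi(12))                 # 12, Example 2.49
```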

2.7 Exponentiation
Example 2.50. What is 3^k mod 19 as k varies?

k          | 0 | 1 | 2 | 3 | 4 | 5  | 6 | 7 | 8 | 9  | 10
3^k mod 19 | 1 | 3 | 9 | 8 | 5 | 15 | 7 | 2 | 6 | 18 | 16

k          | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
3^k mod 19 | 10 | 11 | 14 | 4  | 12 | 17 | 13 | 1  | 3  | 9

Notice that the sequence repeats after a certain point. We can use the fact
that 3^18 ≡ 1 mod 19 to simplify calculations. For example, by the Division
Algorithm we have 100 = 5 × 18 + 10 so

3^100 ≡ (3^18)^5 3^10 ≡ 1^5 3^10 ≡ 3^10 ≡ 16 mod 19.

Proposition 2.51. Let n ∈ N and a ∈ Z. There exists r ∈ N such that
a^r ≡ 1 mod n if and only if gcd(a, n) = 1.

Proof. Suppose there exists r ∈ N such that a^r ≡ 1 mod n. Then a^{r−1} is a
solution to ax ≡ 1 mod n and so gcd(a, n) = 1 by Proposition 2.32 (units
of Z/nZ). Suppose conversely that gcd(a, n) = 1. There are only finitely
many possible values of a^k mod n so there exist i, j ∈ N with i < j such that
a^i ≡ a^j mod n. Since gcd(a, n) = 1 we may apply the cancellation law for
congruences (Theorem 2.10) i times to obtain a^{j−i} ≡ 1 mod n. Thus we may
take r = j − i.

Definition 2.52. Let n ∈ N, a ∈ Z and suppose that gcd(a, n) = 1. Then
the least d ∈ N such that a^d ≡ 1 mod n is called the order of a mod n, and
written ord_n(a).

Proposition 2.53. Let n ∈ N, a ∈ Z and suppose that gcd(a, n) = 1.
For r, s ∈ Z we have a^r ≡ a^s mod n if and only if r ≡ s mod ord_n(a).

Proof. Let k = ord_n(a). Then a^k ≡ 1 mod n. Assume without loss of
generality that r > s. Suppose that r ≡ s mod k. Then there exists t ∈ N such
that r = s + tk. Hence

a^r = a^s a^{kt} = a^s (a^k)^t ≡ a^s mod n.

Suppose conversely that a^r ≡ a^s mod n. Since gcd(a, n) = 1 we may apply
the cancellation law for congruences (Theorem 2.10) s times to obtain a^{r−s} ≡
1 mod n. By the Division Algorithm, there exist u, t ∈ N ∪ {0} such that
r − s = tk + u where 0 ≤ u < k. Then

a^{r−s} = a^{u+tk} = a^u (a^k)^t ≡ a^u 1^t ≡ a^u mod n

and so a^u ≡ 1 mod n. But 0 ≤ u < k and k is the least positive integer such
that a^k ≡ 1 mod n and so we must have u = 0. Therefore k | (r − s), i.e.,
r ≡ s mod k.

Corollary 2.54. Let n ∈ N, a ∈ Z and suppose that gcd(a, n) = 1.
Let k ∈ Z. Then a^k ≡ 1 mod n if and only if ord_n(a) | k.

Proof. Just take r = k and s = 0 in Proposition 2.53.

Corollary 2.55. Let n ∈ N, a ∈ Z and suppose that gcd(a, n) = 1. Then
the numbers 1, a, a^2, . . . , a^{ord_n(a)−1} are incongruent mod n.

Proof. Combine Propositions 2.14 and 2.53.

2.8 Euler-Fermat Theorem
Definition 2.56. Let n ∈ N. A subset R of Z is said to be a reduced residue
system modulo n if
(i) R contains ϕ(n) elements,
(ii) no two elements of R are congruent modulo n, and
(iii) for every r ∈ R we have gcd(r, n) = 1.

Remark 2.57. If R is a reduced residue system modulo n then

(Z/nZ)× = {[a]n : a ∈ R}.

Proposition 2.58. Let n ∈ N and let k ∈ Z. If {a_1, a_2, . . . , a_ϕ(n)} is a
reduced residue system modulo n and gcd(k, n) = 1 then {ka_1, ka_2, . . . , ka_ϕ(n)}
is also a reduced residue system modulo n.

Proof. If ka_i ≡ ka_j mod n then by the cancellation law for congruences (Theorem
2.11) we have a_i ≡ a_j mod n since gcd(k, n) = 1. Therefore no two elements
in the set {ka_1, . . . , ka_ϕ(n)} are congruent modulo n. Moreover, since
gcd(a_i, n) = gcd(k, n) = 1 we have gcd(ka_i, n) = 1 (check this!) so each ka_i
is coprime to n.

Theorem 2.59 (The Euler-Fermat Theorem). Let n ∈ N, a ∈ Z and suppose
that gcd(a, n) = 1. Then a^{ϕ(n)} ≡ 1 mod n.

Proof. Let {b_1, b_2, . . . , b_ϕ(n)} be a reduced residue system modulo n. Then
since gcd(a, n) = 1 the set {ab_1, ab_2, . . . , ab_ϕ(n)} is also a reduced residue
system by Proposition 2.58. Hence the product of all the integers in the
first set is congruent modulo n to the product of those in the second set.
Therefore
b_1 · · · b_ϕ(n) ≡ a^{ϕ(n)} b_1 · · · b_ϕ(n) mod n.
Since each b_i is coprime to n, we may apply the cancellation law for
congruences (Theorem 2.11) ϕ(n) times to obtain the desired result.

Corollary 2.60. Let n ∈ N, a ∈ Z and suppose that gcd(a, n) = 1. Then
ord_n(a) | ϕ(n).

Proof. Combine the Euler-Fermat Theorem and Corollary 2.54.

Example 2.61. We have ϕ(12) = ϕ(2^2)ϕ(3) = 2 × 2 = 4. So for every a ∈ Z
with gcd(a, 12) = 1 we must have ord_12(a) = 1, 2 or 4. In fact, ord_12(1) = 1
and ord_12(5) = ord_12(7) = ord_12(11) = 2, so working mod 12 there is no
element of order ϕ(12) = 4.

Corollary 2.62. Let p be prime and let a ∈ Z such that p ∤ a. Then
a^{p−1} ≡ 1 mod p.

Proof. This follows immediately from the Euler-Fermat Theorem (Theorem
2.59) since ϕ(p) = p − 1.
Example 2.63. We saw in Example 2.50 that ord_19(3) = 18 = ϕ(19). We also
have ord_19(8) = 6, which is a factor of 18.

Theorem 2.64 (Fermat’s Little Theorem). Let p be prime and let a ∈ Z.
Then a^p ≡ a mod p.

Proof. If p ∤ a this follows easily from Corollary 2.62. If p | a then both a^p
and a are congruent to 0 mod p.
Remark 2.65. Sometimes the result of Corollary 2.62 is also referred to as
Fermat’s Little Theorem.
Remark 2.66. Many of the results in this section and the previous section
can be thought of in terms of group theory once we recall that (Z/nZ)^× is
an (abelian) group. For example, ord_n(a) is the order of [a]_n in (Z/nZ)^×.
Moreover, Lagrange’s Theorem in group theory tells us that the order of an
element divides the order of the group; so ord_n(a) divides ϕ(n) = #(Z/nZ)^×
which gives the Euler-Fermat Theorem.

2.9 Binary powering algorithm


We briefly illustrate this algorithm with an example.
Example 2.67. Suppose that we want to compute 3^499 mod 997 efficiently.
Note that 997 is prime so Fermat’s Little Theorem tells us that 3^996 ≡ 1 mod
997. Unfortunately, this doesn’t appear to help us. First we find the binary
expansion of 499 as follows:

499 = 2^8 + 243
= 2^8 + 2^7 + 115
= 2^8 + 2^7 + 2^6 + 51
= 2^8 + 2^7 + 2^6 + 2^5 + 19
= 2^8 + 2^7 + 2^6 + 2^5 + 2^4 + 3
= 2^8 + 2^7 + 2^6 + 2^5 + 2^4 + 2^1 + 2^0.

So the binary expansion of 499 is 111110011. Now by squaring the previous
term each time, we have

3^{2^1} ≡ 9 (mod 997)
3^{2^2} ≡ 9^2 ≡ 81 (mod 997)
3^{2^3} ≡ 81^2 ≡ 6561 ≡ 579 ≡ −418 (mod 997)
3^{2^4} ≡ (−418)^2 ≡ 418^2 ≡ 174724 ≡ 249 (mod 997)
3^{2^5} ≡ 249^2 ≡ 62001 ≡ 187 (mod 997)
3^{2^6} ≡ 187^2 ≡ 34969 ≡ 74 (mod 997)
3^{2^7} ≡ 74^2 ≡ 5476 ≡ 491 (mod 997)
3^{2^8} ≡ 491^2 ≡ 804 ≡ −193 (mod 997).

Therefore

3^499 ≡ 3^{2^0} × 3^{2^1} × 3^{2^4} × 3^{2^5} × 3^{2^6} × 3^{2^7} × 3^{2^8} (mod 997)
≡ 3 × 9 × 249 × 187 × 74 × 491 × (−193) (mod 997)
≡ 27 × 46563 × 36334 × (−193) (mod 997)
≡ 27 × 701 × 442 × (−193) (mod 997)
≡ 18927 × (−85306) (mod 997)
≡ (−16) × 436 (mod 997)
≡ −6976 (mod 997)
≡ 3 (mod 997).

Note that the advantage of this method is that it minimizes the number of
multiplications we need to perform and that each integer we consider has at
most twice the number of digits as the modulus.
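Added example (not from the notes): square-and-multiply exactly as in Example 2.67, scanning the bits of the exponent and squaring at each step, with a trace of the squared powers 3^(2^i) mod 997 so the left-hand column above can be reproduced; function names are my own.

```python
"""Binary (square-and-multiply) powering, as in Section 2.9.
Added example; not part of the original notes."""


def binary_power_with_trace(base, exponent, modulus):
    """Return (base^exponent mod modulus, [base^(2^i) mod modulus for each
    bit i of the exponent]).  The exponent's binary expansion is scanned
    from the least significant bit; every iteration squares the running
    power (the 3^(2^i) column of Example 2.67) and multiplies it into the
    result exactly when the current bit is 1."""
    if exponent < 0 or modulus <= 0:
        raise ValueError("need exponent >= 0 and modulus >= 1")
    result = 1 % modulus
    power = base % modulus                  # base^(2^0)
    trace = []
    e = exponent
    while e > 0:
        trace.append(power)
        if e & 1:                           # this bit of the exponent is set
            result = (result * power) % modulus
        power = (power * power) % modulus   # base^(2^(i+1)) = (base^(2^i))^2
        e >>= 1                             # move on to the next bit
    return result, trace


def binary_power(base, exponent, modulus):
    """base^exponent mod modulus; intermediate values never exceed modulus^2,
    which is the 'at most twice the number of digits' remark above."""
    return binary_power_with_trace(base, exponent, modulus)[0]


def multiplications_used(exponent):
    """Modular multiplications the loop performs: one squaring per bit of
    the exponent plus one multiply per 1-bit, against exponent - 1 for
    naive repeated multiplication."""
    return exponent.bit_length() + bin(exponent).count("1")


if __name__ == "__main__":
    value, squares = binary_power_with_trace(3, 499, 997)
    print(value)                       # 3, as in Example 2.67
    print(squares)                     # [3, 9, 81, 579, 249, 187, 74, 491, 804]
    print(multiplications_used(499))   # 16 instead of 498
```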

2.10 Polynomial Congruences


Theorem 2.68 (Lagrange’s polynomial congruence theorem). Let

f(x) = a_0 + a_1 x + · · · + a_d x^d ∈ Z[x]

and let p be a prime with p ∤ a_d. Then f(x) ≡ 0 mod p has at most d solutions
mod p.

Remark 2.69. More generally, any polynomial equation of degree d over a
field has at most d solutions (note that Z/pZ = F_p is a field).

Proof. The proof is by induction on d. When d = 1 the congruence is linear:

a_1 x + a_0 ≡ 0 mod p.

Since a_1 ≢ 0 mod p we have gcd(a_1, p) = 1 and so there is exactly one solution
by Theorem 2.23 (linear congruences with exactly one solution).
Assume that the theorem is true for polynomials of degree d − 1. Suppose
for a contradiction that the congruence f(x) ≡ 0 mod p has d + 1 incongruent
solutions modulo p, say x_0, x_1, x_2, . . . , x_d where f(x_k) ≡ 0 mod p for each
k = 0, 1, . . . , d. Recall that for any r ∈ N we have the algebraic identity

x^r − y^r = (x − y)(x^{r−1} + x^{r−2} y + x^{r−3} y^2 + · · · + x y^{r−2} + y^{r−1}).

Thus we also have an algebraic identity

f(x) − f(x_0) = Σ_{r=1}^{d} a_r (x^r − x_0^r) = Σ_{r=1}^{d} a_r (x − x_0) g_r(x)

where each g_r ∈ Z[x] is of degree r − 1 and has leading coefficient 1. Hence
we have f(x) − f(x_0) = (x − x_0) g(x) where g(x) = Σ_{r=1}^{d} a_r g_r(x) is of degree
d − 1 and has leading coefficient a_d. Thus

f(x_k) − f(x_0) = (x_k − x_0) g(x_k) ≡ 0 mod p,

since f(x_k) ≡ f(x_0) ≡ 0 mod p. But x_k − x_0 ≢ 0 mod p if k ≠ 0 so we must
have g(x_k) ≡ 0 mod p for each k ≠ 0 (we may apply the cancellation law
for congruences (Theorem 2.11) because gcd(x_k − x_0, p) = 1). But this means
that the congruence g(x) ≡ 0 mod p has d incongruent solutions modulo p,
contradicting the induction hypothesis.
Example 2.70. Note that x^2 − 1 ≡ 0 mod 8 has 4 roots, namely 1, 3, 5, 7 mod
8. This is not a counterexample to Theorem 2.68, however, because 8 is not
prime (and Z/8Z is not a field).

Corollary 2.71. Let a ∈ Z and let p be an odd prime. If a^2 ≡ 1 mod p then
a ≡ ±1 mod p.

Proof. Lagrange’s polynomial congruence theorem (Theorem 2.68) says that
a^2 ≡ 1 mod p has at most two solutions. But it is clear that a ≡ ±1 mod p
are solutions and these must be distinct because p is odd. Therefore, we have
found all the solutions.

Example 2.72. Let p and q be distinct odd primes. Consider the congruence
x^2 ≡ 1 mod pq.
It is clear that x ≡ ±1 mod pq are solutions, but are there other solutions?
By the Chinese Remainder Theorem we have
x^2 ≡ 1 mod pq
⇐⇒ both x^2 ≡ 1 mod p and x^2 ≡ 1 mod q
⇐⇒ both x ≡ ±1 mod p and x ≡ ±1 mod q.
Thus there are four solutions modulo pq. Note that

x ≡ 1 mod pq ⇐⇒ x ≡ 1 mod p and x ≡ 1 mod q

and

x ≡ −1 mod pq ⇐⇒ x ≡ −1 mod p and x ≡ −1 mod q,

which are the “easy” solutions we already mentioned. It remains to solve the
two pairs of congruences

x ≡ 1 mod p, x ≡ −1 mod q   and   x ≡ −1 mod p, x ≡ 1 mod q.

Note that we can use a trick here to save work: if x is the solution to one of
these pairs of congruences then −x is the solution to the other pair.
Consider the following explicit example. We wish to find all solutions to
x^2 ≡ 1 mod 145.
It is clear that x ≡ ±1 mod 145 gives two solutions, but we also want
to find the other two solutions. Note that 145 = 5 × 29 and that both 5 and
29 are prime. Thus we want to solve

x ≡ 1 mod 5
x ≡ −1 mod 29.

By the Extended Euclidean Algorithm, we have
gcd(5, 29) = 1 = 6 × 5 − 1 × 29.
Thus using the construction of the Chinese Remainder Theorem we may take
x ≡ (−1) × 6 × 5 + 1 × (−1) × 29 ≡ −59 mod 145.
Check that this really is a solution:
(−59)^2 = 3481 = 1 + 24 × 145 ≡ 1 mod 145.
Therefore the solutions of x^2 ≡ 1 mod 145 are x ≡ ±1, ±59 mod 145.

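Added example, not from the notes: the four square roots of 1 modulo pq obtained from the two-modulus Chinese Remainder construction of Theorem 2.35, applied to 145 = 5 × 29 as in Example 2.72; function names are my own and the inverses come from Python's pow(·, −1, m).

```python
"""All square roots of 1 modulo pq (p, q distinct odd primes) via the
Chinese Remainder Theorem, as in Example 2.72.  Added example; not part of
the original notes."""
from math import gcd


def crt2(a, m, b, n):
    """Solution of x ≡ a (mod m), x ≡ b (mod n) for coprime m, n, using
    x = a a′ n + b b′ m with a′n ≡ 1 (mod m), b′m ≡ 1 (mod n) (Theorem 2.35)."""
    if gcd(m, n) != 1:
        raise ValueError("moduli must be coprime")
    a_prime = pow(n, -1, m)
    b_prime = pow(m, -1, n)
    return (a * a_prime * n + b * b_prime * m) % (m * n)


def square_roots_of_one(p, q):
    """The solutions of x^2 ≡ 1 (mod pq) as sorted residues in [0, pq).
    By Corollary 2.71 each prime factor contributes only ±1, so the CRT
    yields exactly 2 × 2 = 4 solutions, of which ±1 are the 'easy' ones."""
    return sorted({crt2(s, p, t, q) for s in (1, -1) for t in (1, -1)})


def nontrivial_square_roots_of_one(p, q):
    """The two solutions other than ±1.  They are negatives of each other,
    which is the work-saving trick noted in Example 2.72."""
    N = p * q
    return [x for x in square_roots_of_one(p, q) if x not in (1, N - 1)]


def is_square_root_of_one(x, N):
    """Independent check that x^2 ≡ 1 (mod N)."""
    return (x * x - 1) % N == 0


if __name__ == "__main__":
    print(square_roots_of_one(5, 29))             # [1, 59, 86, 144]; 86 ≡ -59
    print(nontrivial_square_roots_of_one(5, 29))  # [59, 86]
```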
2.11 Hensel Lifting
The Chinese Remainder Theorem shows that the problem of solving a polynomial
congruence
f(x) ≡ 0 mod n
can be reduced to solving a system of congruences

f(x) ≡ 0 mod p_i^{e_i} (i = 1, . . . , r)

where n = p_1^{e_1} · · · p_r^{e_r} is the prime factorisation of n. We show that this can
be further reduced to congruences with prime moduli together with a set of
linear congruences.

Theorem 2.73 (Hensel’s Lemma). Let p be prime. Let f(x) ∈ Z[x] and let
f′(x) ∈ Z[x] be its formal derivative. If a ∈ Z satisfies

f(a) ≡ 0 mod p, f′(a) ≢ 0 mod p

then for each n ∈ N there exists a_n ∈ Z such that

f(a_n) ≡ 0 mod p^n and a_n ≡ a mod p. (12)

Moreover, a_n is unique modulo p^n.

Example 2.74. Suppose we want to solve x^2 ≡ −1 mod 5^4. This is the same
as solving the equation f(x) ≡ 0 mod 5^4 where f(x) = x^2 + 1. Note that
f′(x) = 2x. An exhaustive search shows that x = ±2 are the solutions to
f(x) ≡ 0 mod 5. Choose a = 2. Then f(a) ≡ 0 mod 5 and f′(a) = 2 × 2 =
4 ≢ 0 mod 5. Thus we may apply Hensel’s Lemma. Write a_2 = 2 + 5t_1. Then
we have

f(2 + 5t_1) ≡ 0 mod 5^2 ⇐⇒ (2 + 5t_1)^2 + 1 ≡ 0 mod 5^2
⇐⇒ 4 + 20t_1 + 25t_1^2 + 1 ≡ 0 mod 5^2
⇐⇒ 5 + 20t_1 ≡ 0 mod 5^2
⇐⇒ 1 + 4t_1 ≡ 0 mod 5
⇐⇒ 4t_1 ≡ −1 mod 5
⇐⇒ t_1 ≡ 1 mod 5.

Thus we may take a_2 = 2 + 5 × 1 = 7. Check: 7^2 = 49 ≡ −1 mod 25. We could
now set a_3 = 7 + 5^2 t_2 and find t_2 by solving the congruence f(a_3) ≡ 0 mod 5^3.
But instead we can take a short-cut as follows. Write a_4 = 7 + 5^2 t_3 and try
to solve mod 5^4 directly. Then we have

f(7 + 5^2 t_3) ≡ 0 mod 5^4 ⇐⇒ (7 + 5^2 t_3)^2 + 1 ≡ 0 mod 5^4
⇐⇒ 49 + (14 × 25)t_3 + 5^4 t_3^2 + 1 ≡ 0 mod 5^4
⇐⇒ 50 + (14 × 25)t_3 ≡ 0 mod 5^4
⇐⇒ 2 + 14t_3 ≡ 0 mod 5^2
⇐⇒ 1 + 7t_3 ≡ 0 mod 5^2
⇐⇒ 7t_3 ≡ −1 mod 5^2
⇐⇒ t_3 ≡ 7 mod 5^2.

So we have a_4 = 7 + 5^2 × 7 = 182. Check: 182^2 = 33124 ≡ −1 mod 5^4. Note
that if we had started with the solution a = −2 then we would have ended
up with the solution a_4 = −182.
Remark 2.75. Even if the hypotheses of Hensel’s Lemma are not satisfied,
we can still try to use the same technique to solve the given polynomial
equation. However, in this case, the solutions are not guaranteed to exist or
to be unique.
Lemma 2.76. Let f ∈ Z[X] and let f′(X) be its formal derivative. Then
there exists g ∈ Z[X, Y] satisfying the polynomial identity

f(X + Y) = f(X) + f′(X)Y + g(X, Y)Y^2.

Proof. This formula comes from isolating the first two terms in the binomial
theorem. Writing f(X) = Σ_{i=0}^{d} c_i X^i we have

f(X + Y) = Σ_{i=0}^{d} c_i (X + Y)^i = c_0 + Σ_{i=1}^{d} c_i (X^i + iX^{i−1}Y + g_i(X, Y)Y^2)

where g_i(X, Y) ∈ Z[X, Y]. Thus

f(X + Y) = Σ_{i=0}^{d} c_i X^i + Σ_{i=1}^{d} i c_i X^{i−1} Y + Σ_{i=1}^{d} c_i g_i(X, Y) Y^2
= f(X) + f′(X)Y + g(X, Y)Y^2

where g(X, Y) := Σ_{i=1}^{d} c_i g_i(X, Y). This gives the desired identity.
Remark 2.77. The identity of Lemma 2.76 is similar to Taylor’s formula:

f(x + h) = f(x) + f′(x)h + (f′′(x)/2!)h^2 + · · · .

The problem is that the terms of Taylor’s formula have factorials in the
denominator, which can cause problems when reducing modulo powers of p: think
about f′′(x)/2! mod 2, for example.
Proof of Hensel’s Lemma. We will prove by induction that for each n ∈ N
there exists a_n ∈ Z satisfying (12) that is unique mod p^n. The case n = 1
is trivial using a_1 = a. We now suppose the inductive hypothesis holds for
n = k and show it holds for n = k + 1. The idea is to consider a_k + p^k t_k and
see if t_k ∈ Z can be chosen in such a way that a_k + p^k t_k satisfies the required
properties of a_{k+1}.
By Lemma 2.76 with X = a_k and Y = p^k t_k there exists z_k ∈ Z such that

f(a_k + p^k t_k) = f(a_k) + f′(a_k) p^k t_k + z_k p^{2k} t_k^2 ≡ f(a_k) + f′(a_k) p^k t_k mod p^{k+1}

where the congruence follows since k + 1 ≤ 2k. In f′(a_k) p^k t_k mod p^{k+1} the
factors f′(a_k) and t_k only matter mod p since it already contains a factor
of p^k and the modulus is p^{k+1}. Thus recalling that a_k ≡ a mod p we have
f′(a) p^k t_k ≡ f′(a_k) p^k t_k mod p^{k+1}. Therefore we have

f(a_k + p^k t_k) ≡ 0 mod p^{k+1} ⇐⇒ f(a_k) + f′(a) p^k t_k ≡ 0 mod p^{k+1} (13)
⇐⇒ f′(a) t_k ≡ −f(a_k)/p^k mod p,

where the ratio −f(a_k)/p^k is in Z since we have f(a_k) ≡ 0 mod p^k by the
induction hypothesis, and the last equivalence follows from Proposition 2.10.
But f′(a) ≢ 0 mod p so gcd(f′(a), p) = 1 and thus by Theorem 2.23 (linear
congruences with exactly one solution) the last congruence (mod p) has a
solution t_k, which is unique mod p.
We set a_{k+1} = a_k + p^k t_k. Then we have f(a_{k+1}) ≡ 0 mod p^{k+1} and
a_{k+1} ≡ a_k mod p^k, so in particular a_{k+1} ≡ a mod p. It remains to show
uniqueness. Suppose there exists b_{k+1} ∈ Z with f(b_{k+1}) ≡ 0 mod p^{k+1} and
b_{k+1} ≡ a mod p. Then we also have f(b_{k+1}) ≡ 0 mod p^k and so by the
uniqueness of a_k we must have b_{k+1} ≡ a_k mod p^k. Thus b_{k+1} = a_k + p^k s_k
for some s_k ∈ Z. But (13) and the preceding discussion shows that s_k ≡
t_k mod p and thus we must have a_{k+1} ≡ b_{k+1} mod p^{k+1}, as desired.
Remark 2.78. An adaptation of the above proof shows that under the
assumptions of Hensel’s Lemma, in principle one can always lift from a solution
mod p^k to a solution mod p^{2k}. Moreover, for m ≥ n ≥ 1 we always have
a_m ≡ a_n mod p^n.
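Added example (not from the notes): Hensel lifting implemented directly from the linear congruence (13) in the proof above, one power of p at a time, and run on f(x) = x^2 + 1 from Example 2.74. Polynomials are represented as lists of integer coefficients, lowest degree first; that representation and the function names are my own.

```python
"""Hensel lifting for f(x) ≡ 0 (mod p^n), following congruence (13) in the
proof of Theorem 2.73.  Added example; not part of the original notes.
A polynomial c_0 + c_1 x + ... + c_d x^d is the list [c_0, c_1, ..., c_d]."""


def poly_eval(coeffs, x):
    """Horner evaluation of the polynomial at the integer x."""
    value = 0
    for c in reversed(coeffs):
        value = value * x + c
    return value


def poly_derivative(coeffs):
    """Formal derivative [c_1, 2c_2, 3c_3, ...] (cf. Lemma 2.76)."""
    return [i * c for i, c in enumerate(coeffs)][1:]


def hensel_applies(coeffs, a, p):
    """Hypotheses of Hensel's Lemma: f(a) ≡ 0 (mod p) and f'(a) ≢ 0 (mod p).
    When they fail (Remark 2.75) lifts need not exist or be unique."""
    return (poly_eval(coeffs, a) % p == 0
            and poly_eval(poly_derivative(coeffs), a) % p != 0)


def hensel_lift(coeffs, a, p, n):
    """Return a_n in [0, p^n) with f(a_n) ≡ 0 (mod p^n) and a_n ≡ a (mod p).
    Step k solves f'(a) t_k ≡ -f(a_k)/p^k (mod p) and sets a_{k+1} = a_k + p^k t_k;
    f'(a) is invertible mod p, so t_k is unique mod p and so is a_{k+1} mod p^{k+1}."""
    if not hensel_applies(coeffs, a, p):
        raise ValueError("f(a) ≢ 0 or f'(a) ≡ 0 mod p: Hensel's Lemma does not apply")
    inv_fprime = pow(poly_eval(poly_derivative(coeffs), a) % p, -1, p)
    a_k = a % p                                 # a_1
    for k in range(1, n):
        pk = p ** k
        quotient = poly_eval(coeffs, a_k) // pk  # exact division: f(a_k) ≡ 0 (mod p^k)
        t_k = (-quotient * inv_fprime) % p
        a_k = a_k + pk * t_k
    return a_k % p ** n


def lift_trace(coeffs, a, p, n):
    """[a_1, a_2, ..., a_n], each reduced modulo the corresponding p^k."""
    return [hensel_lift(coeffs, a, p, k) for k in range(1, n + 1)]


if __name__ == "__main__":
    f = [1, 0, 1]                          # f(x) = x^2 + 1 as in Example 2.74
    print(lift_trace(f, 2, 5, 4))          # [2, 7, 57, 182]
    print(hensel_lift(f, -2, 5, 4))        # 443 = 625 - 182, the other solution
    print(hensel_applies([-1, 0, 1], 1, 2))  # False: x^2 - 1 at x = 1 mod 2
```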

2.12 Primitive Roots
Recall Corollary 2.60: if n ∈ N, a ∈ Z with gcd(a, n) = 1 then ord_n(a) | ϕ(n).
In this section, we shall be interested in the case that ord_n(a) = ϕ(n).

Definition 2.79. Let n ∈ N. We say that a ∈ Z is a primitive root mod n
if and only if gcd(a, n) = 1 and ord_n(a) = ϕ(n).

Remark 2.80. This is equivalent to requiring [a]_n to be a generator for the
abelian group (Z/nZ)^×, which must therefore be cyclic.
Example 2.81. Let n = 5 and abbreviate [x]_n = [x]_5 to [x]. Then we have

[2]^0 = [1], [2]^1 = [2], [2]^2 = [4], [2]^3 = [8] = [3], [2]^4 = [16] = [1].

Therefore ord_5(2) = 4 = ϕ(5) and so 2 is a primitive root of 5.


Remark 2.82. For some values of n there are no primitive roots. For example,
every non-trivial element of (Z/8Z)× = {[1]8 , [3]8 , [5]8 , [7]8 } has order 2, and
so (Z/8Z)× is not cyclic. Example 2.61 shows that the same is true for
(Z/12Z)× .

Lemma 2.83. Let n ∈ N and a ∈ Z with gcd(a, n) = 1. Then for k ∈ Z we
have

ord_n(a^k) = ord_n(a) / gcd(ord_n(a), k).

In particular, ord_n(a^k) = ord_n(a) if and only if gcd(ord_n(a), k) = 1.

Proof. Let f = ord_n(a). The integer ord_n(a^k) is the least d ∈ N such that
a^{dk} ≡ 1 mod n. By Corollary 2.54 this is also the least d ∈ N such that
dk ≡ 0 mod f. But by the cancellation law for congruences (Theorem 2.11)
this last congruence is equivalent to the congruence d ≡ 0 mod f/h where h =
gcd(f, k). But it is clear that the least positive solution to this congruence
is d = f/h and so ord_n(a^k) = f/h, as asserted.
Example 2.84. We saw in Example 2.50 that 3 is a primitive root mod 19,
i.e., ord_19(3) = ϕ(19) = 18. Thus ord_19(3^3) = ord_19(8) = 18/gcd(18, 3) =
18/3 = 6.

Theorem 2.85. Let p be prime and let d ∈ N be a divisor of p − 1. Then


there are exactly ϕ(d) elements a mod p such that ordp (a) = d. In particular,
there are ϕ(p − 1) primitive roots modulo p.

Proof. Fix a prime p and for any d ∈ N such that d | (p − 1) define

A(d) = {a ∈ N : 1 ≤ a ≤ p − 1, ord_p(a) = d}.

Let ψ(d) = #A(d) ≥ 0. We aim to show that ψ(d) = ϕ(d).
Since the sets A(d) partition {1, 2, . . . , p − 1} we have

Σ_{d | (p−1)} ψ(d) = p − 1.

By Proposition 2.48 we also have

Σ_{d | (p−1)} ϕ(d) = p − 1.

Therefore if we can show that ψ(d) ≤ ϕ(d) for all d | (p − 1) then ψ(d) = ϕ(d)
for all such d. (Otherwise, if ψ(d_0) < ϕ(d_0) for some d_0, then Σ_{d | (p−1)} ψ(d) <
Σ_{d | (p−1)} ϕ(d), a contradiction.)
If ψ(d) = 0 then ψ(d) ≤ ϕ(d) and so we are done. So we are reduced to
considering the case ψ(d) ≥ 1. Then A(d) ≠ ∅ and so a ∈ A(d) for some a.
Hence ord_p(a) = d and so a^d ≡ 1 mod p. Then (a^i)^d ≡ 1 mod p for all i ∈ Z.
In particular, the d numbers

a, a^2, . . . , a^d (14)

are solutions of the polynomial congruence

x^d − 1 ≡ 0 mod p. (15)

By Corollary 2.55 the numbers listed in (14) are incongruent mod p since
ord_p(a) = d. Moreover, (15) has at most d solutions by Lagrange’s polynomial
congruence theorem (Theorem 2.68). Therefore the d numbers in (14)
must be all the solutions of (15) mod p. Hence each number in A(d) must be
congruent to a^k mod p for some k = 1, . . . , d. By Lemma 2.83 ord_p(a^k) = d if
and only if gcd(k, d) = 1. In other words, among the d numbers in (14) there
are ϕ(d) which have order d modulo p. Thus we have shown that ψ(d) = ϕ(d)
if ψ(d) ≠ 0, as required.
Example 2.86. There are ϕ(19 − 1) = ϕ(18) = 6 primitive roots mod 19.
Thus there are ϕ(19) − 6 = 12 elements of (Z/19Z)^× that are not primitive
roots.
Corollary 2.87. Let p be prime. Then there exists a primitive root g modulo
p (note that g need not be unique). In other words, (Z/pZ)^× is cyclic.
Moreover, for any a ∈ Z with p ∤ a there exists k ∈ Z such that a ≡ g^k mod p.

Proof. The existence of a primitive root follows from Theorem 2.85 since
ϕ(p − 1) ≥ 1. By definition of primitive root, ord_p(g) = p − 1 and so
1, g, g^2, . . . , g^{p−2} are congruent modulo p, in some order, to 1, 2, . . . , p − 1
(use Corollary 2.55), which gives the last claim.
Theorem 2.88 (The primitive root test). Let n ∈ N and let a ∈ Z with
gcd(a, n) = 1. Then a is a primitive root modulo n if and only if
a^{ϕ(n)/q} ≢ 1 mod n
for every prime q dividing ϕ(n).
Proof. If a^{ϕ(n)/q} ≡ 1 mod n for some prime q dividing ϕ(n) then ord_n(a) ≤
ϕ(n)/q < ϕ(n) and so a cannot be a primitive root mod n.
Suppose conversely that a^{ϕ(n)/q} ≢ 1 mod n for every prime q dividing
ϕ(n). Write ϕ(n) = q_1^{r_1} · · · q_s^{r_s} where the q_i are distinct primes and each r_i ∈
N. Let m = ord_n(a). Then m | ϕ(n) by Corollary 2.60 and so m = q_1^{t_1} · · · q_s^{t_s}
where for each i we have 0 ≤ t_i ≤ r_i. Suppose m < ϕ(n). Then there exists
a j such that t_j < r_j. Hence m divides q_1^{r_1} · · · q_j^{r_j − 1} · · · q_s^{r_s} = ϕ(n)/q_j. But
a^m ≡ 1 mod n and so a^{ϕ(n)/q_j} ≡ 1 mod n, contradicting our hypothesis.
Example 2.89. Find a primitive root modulo 31. Since 31 is prime, we have
ϕ(31) = 31 − 1 = 30 = 2 × 3 × 5. Thus given a ∈ Z with 31 ∤ a we need to
check that
a^15 ≢ 1 mod 31, a^10 ≢ 1 mod 31, and a^6 ≢ 1 mod 31.
Try a = 2. Then 2^10 ≡ (2^5)^2 ≡ 32^2 ≡ 1^2 ≡ 1 mod 31. Thus 2 is not a
primitive root mod 31.
Try a = 3. First note that 3^5 = 243 ≡ −5 mod 31. Then we have
• 3^6 = 3^5 × 3 ≡ −5 × 3 ≡ −15 ≡ 16 ≢ 1 mod 31.
• 3^10 = (3^5)^2 ≡ (−5)^2 ≡ 25 ≢ 1 mod 31.
• 3^15 = 3^5 × 3^10 ≡ −5 × 25 ≡ −125 ≡ −1 ≢ 1 mod 31.
Therefore 3 is a primitive root modulo 31.
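Added example (not from the notes): the primitive root test of Theorem 2.88 in Python, alongside a direct order computation so that Lemma 2.83 and Example 2.84 can be checked; it reproduces Example 2.89 and the counts of Example 2.86 and Remark 2.82. The small trial-division helper and the function names are my own.

```python
"""Orders, the primitive root test (Theorem 2.88) and Lemma 2.83, as in
Section 2.12.  Added example; not part of the original notes."""
from math import gcd


def euler_phi(n):
    """phi(n) straight from Definition 2.40 (fine for the small n used here)."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def prime_divisors(m):
    """Distinct primes dividing m, by trial division (m is small here)."""
    return [q for q in range(2, m + 1) if m % q == 0 and all(q % r for r in range(2, q))]


def order(a, n):
    """ord_n(a): the least d >= 1 with a^d ≡ 1 (mod n), found by direct
    multiplication.  Requires gcd(a, n) = 1 (Proposition 2.51)."""
    if gcd(a, n) != 1:
        raise ValueError("order is only defined for a coprime to n")
    d, power = 1, a % n
    while power != 1 % n:
        power = (power * a) % n
        d += 1
    return d


def is_primitive_root(a, n):
    """Theorem 2.88: a is a primitive root mod n iff a^(phi(n)/q) ≢ 1 (mod n)
    for every prime q | phi(n).  Only the prime factors of phi(n) are needed,
    one modular exponentiation each, rather than the full order."""
    if gcd(a, n) != 1:
        return False
    ph = euler_phi(n)
    return all(pow(a, ph // q, n) != 1 % n for q in prime_divisors(ph))


def primitive_roots(n):
    """All primitive roots in [1, n).  Theorem 2.85: a prime p has exactly
    phi(p - 1) of them; Theorem 2.91: moduli such as 8 and 12 have none."""
    return [a for a in range(1, n) if is_primitive_root(a, n)]


def lemma_2_83_holds(a, n):
    """Check ord_n(a^k) = ord_n(a) / gcd(ord_n(a), k) for k = 1, ..., ord_n(a)."""
    f = order(a, n)
    return all(order(pow(a, k, n), n) == f // gcd(f, k) for k in range(1, f + 1))


if __name__ == "__main__":
    print(primitive_roots(31)[0])      # 3, as in Example 2.89 (2 fails the test)
    print(len(primitive_roots(19)))    # 6 = phi(18), Example 2.86
    print(order(3 ** 3, 19))           # 6 = 18 / gcd(18, 3), Example 2.84
    print(primitive_roots(8), primitive_roots(12))   # [] [] (Remark 2.82)
```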
Theorem 2.90. Let p be an odd prime. If g is a primitive root mod p then
g is also a primitive root mod p^e for all e ≥ 1 if and only if g^{p−1} ≢ 1 mod p^2.
Proof. Not examinable (but statement is examinable). See Apostol, Introduction
to Analytic Number Theory, Chapter 10, for example.
Theorem 2.91. Let n ∈ N. Then (Z/nZ)^× is cyclic ⇔ there exists a primitive
root modulo n ⇔ n = 1, 2, 4, p^e, 2p^e where e ∈ N and p is an odd prime.
Proof. Not examinable (but statement is examinable). See Apostol, Introduction
to Analytic Number Theory, Chapter 10, for example.

2.13 Wilson’s Theorem
Theorem 2.92 (Wilson’s Theorem). An integer p ≥ 2 is prime if and only
if (p − 1)! ≡ −1 mod p.
Example 2.93. For p = 5, we have (5 − 1)! = 4! = 24 ≡ −1 mod 5; but for
p = 6, we have (6 − 1)! = 5! = 120 ≡ 0 mod 6.
Proof. Suppose n is composite. Then there exists d dividing n with 1 <
d < n. Therefore d | (n − 1)! and d | n. So if (n − 1)! ≡ −1 mod n then
n | ((n−1)!+1) and so d | ((n−1)!+1). Hence d | 1 = ((n−1)!+1)−(n−1)!.
Contradiction. Hence (n − 1)! 6≡ −1 mod n.
Suppose p is prime. The case p = 2 is easy, so we can and do assume
that p is odd. Each a in {1, 2, . . . , p − 1} is coprime to p and therefore has
a unique inverse a^{−1} ∈ {1, 2, . . . , p − 1} modulo p, that is aa^{−1} ≡ 1 mod p.
Note that (a^{−1})^{−1} ≡ a mod p. If a = a^{−1} then 1 ≡ aa^{−1} = a^2 mod p. By
Corollary 2.71 we then have a ≡ ±1 mod p and so a = 1 or a = p − 1. In the
product
(p − 1)! = 1 × 2 × 3 × · · · × (p − 2) × (p − 1)
we pair off each term, save for 1 and p − 1, with its inverse modulo p. We
thus have (p − 1)! ≡ 1 × (p − 1) ≡ −1 mod p.
Example 2.94. As an illustration, consider the case p = 11. Then

10! = 1 × 2 × 3 × 4 × 5 × 6 × 7 × 8 × 9 × 10
= 1 × (2 × 6) × (3 × 4) × (5 × 9) × (7 × 8) × 10
≡ 1 × 1 × 1 × 1 × 1 × 10 = 10 ≡ −1 mod 11.

Alternative proof of Wilson’s Theorem using primitive roots. If n is composite
we proceed as before. Again, we are reduced to considering the case where
p is an odd prime. Let g be a primitive root modulo p (this exists by Corollary
2.87). Then the numbers 1, g, g^2, . . . , g^{p−2} are congruent modulo p, in
some order, to 1, 2, . . . , p − 1. Hence

(p − 1)! ≡ 1 · g · g^2 · · · g^{p−2} = g^{1+2+···+(p−2)} mod p.

The sum 1 + 2 + · · · + (p − 2) is the sum of an arithmetic progression with
p − 2 terms, and so equals

(p − 2) · ((p − 2) + 1)/2 = (p − 2)(p − 1)/2.

Hence
(p − 1)! ≡ g^{(p−2)(p−1)/2} mod p.

Since p is odd we have p = 2k + 1 for some k ∈ N. As k < 2k = p − 1
then g^k ≢ 1 (mod p) but g^{2k} = g^{p−1} ≡ 1 (mod p) because ord_p(g) = p − 1 by
definition of g (or use Fermat’s little theorem). Since (g^k)^2 = g^{2k} ≡ 1 mod p
we have g^k ≡ ±1 mod p by Corollary 2.71. Hence g^k ≡ −1 mod p. We finally
conclude that
(p − 1)! ≡ g^{(p−2)(p−1)/2} = g^{(2k−1)k} = (g^k)^{2k−1} ≡ (−1)^{2k−1} = −1 mod p.

3 Quadratic Residues
3.1 Quadratic Residues
We shall study the theory of quadratic congruences modulo an odd prime p.
By the familiar technique of completing the square one can reduce any such
congruence to the form
x2 ≡ a mod p.
Example 3.1. Consider the case p = 11.

x          | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
x^2 mod 11 | 0 | 1 | 4 | 9 | 5 | 3 | 3 | 5 | 9 | 4 | 1

Notice the symmetry in this table. This is because for any odd prime p and
any k ∈ Z we have (p − k)^2 ≡ (−k)^2 ≡ k^2 mod p. For example, 3^2 ≡ (−3)^2 ≡
(11 − 3)^2 ≡ 8^2 mod 11. Also notice that

x^2 ≡ a mod 11 has one solution if a ≡ 0 mod 11,
                two solutions if a ≡ 1, 3, 4, 5, 9 mod 11,
                no solutions if a ≡ 2, 6, 7, 8, 10 mod 11.

Lemma 3.2. Let p be an odd prime and let a ∈ Z. Consider

x^2 ≡ a mod p. (16)

If p | a then (16) is equivalent to x ≡ 0 mod p. Otherwise, if p ∤ a and
(16) has a solution x ≡ b mod p then p ∤ b and x ≡ −b is another, different
solution.
Proof. If x ≡ 0 mod p then clearly x^2 ≡ 0 mod p. The converse follows from
Euclid’s Lemma for Primes (Theorem 1.23): if x^2 ≡ 0 mod p then p | x^2 so
we must have p | x, i.e., x ≡ 0 mod p.
Suppose that p ∤ a and b^2 ≡ a mod p. Then clearly (−b)^2 ≡ b^2 ≡ a mod p.
If b ≡ −b mod p then 2b ≡ 0 mod p so b ≡ 0 mod p by the Cancellation Law
for Congruences (Theorem 2.11) since p is odd. But then a ≡ b^2 ≡ 0 mod p,
contradicting the assumption that p ∤ a.

Definition 3.3. Let p be an odd prime, and suppose we have a ∈ Z such
that p ∤ a. Then a is a Quadratic Residue of p if there exists x ∈ Z such that
x^2 ≡ a mod p, and a is a Quadratic Non-Residue if not.
Proposition 3.4. Let p be an odd prime. Then every reduced residue system
mod p contains exactly (p − 1)/2 quadratic residues and (p − 1)/2 quadratic
non-residues mod p. The quadratic residues belong to the residue classes
containing the numbers

1^2, 2^2, 3^2, . . . , ((p − 1)/2)^2. (17)

Proof. First we show that the numbers in (17) are distinct mod p.
Indeed, if x^2 ≡ y^2 mod p with 1 ≤ x ≤ (p − 1)/2 and 1 ≤ y ≤ (p − 1)/2 then

(x − y)(x + y) ≡ 0 mod p.

But 1 < x + y < p so x + y is coprime to p. So by the Cancellation
Law for Congruences (Theorem 2.11) we must have x − y ≡ 0 mod p, hence
x ≡ y mod p and so x = y (by Proposition 2.14). The remaining squares are

((p + 1)/2)^2, ((p + 3)/2)^2, . . . , (p − 2)^2, (p − 1)^2.

Since (p − k)^2 ≡ (−k)^2 ≡ k^2 mod p for every k ∈ Z with 1 ≤ k ≤ (p − 1)/2,
these are congruent to

((p − 1)/2)^2, ((p − 3)/2)^2, . . . , 2^2, 1^2.

These are precisely the numbers in (17). Hence there are precisely (p − 1)/2
quadratic residues mod p, and so there are (p − 1) − (p − 1)/2 = (p − 1)/2
quadratic non-residues mod p.

3.2 The Legendre Symbol


Definition 3.5. Let p be an odd prime. For any a ∈ Z, we define the
Legendre Symbol to be
$$\left(\frac{a}{p}\right) = \begin{cases} +1, & p \nmid a \text{ and } a \text{ is a quadratic residue of } p,\\ -1, & p \nmid a \text{ and } a \text{ is a quadratic non-residue of } p,\\ 0, & p \mid a. \end{cases}$$

Remark 3.6. By Lemma 3.2 we see that the congruence x² ≡ a mod p has
precisely $\left(\frac{a}{p}\right) + 1$ distinct solutions modulo p.

Remark 3.7. Note that we always have $\left(\frac{1}{p}\right) = 1$. Moreover, if a, b ∈ Z with
a ≡ b mod p then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$ (this is sometimes known as periodicity).

Examples 3.8. $\left(\frac{5}{11}\right) = 1$, $\left(\frac{7}{11}\right) = -1$, $\left(\frac{22}{11}\right) = 0$.
If m ∈ Z with p ∤ m then $\left(\frac{m^2}{p}\right) = 1$.

3.3 Euler’s Criterion
Lemma 3.9. Let p be an odd prime and let g be a primitive root mod p. Let
a ∈ Z with p ∤ a. Then $a \equiv g^k \bmod p$ for some k ∈ Z and a is a quadratic
residue mod p if and only if k is even.

Proof. First note that a primitive root g mod p exists by Corollary 2.87, so
$a \equiv g^k \bmod p$ for some k ∈ Z. Suppose k is even. Then k = 2j for some
j ∈ Z and so $a \equiv (g^j)^2 \bmod p$. Thus a is a quadratic residue mod p. Suppose
conversely that a is a quadratic residue mod p. Then a ≡ b² mod p for some
b ∈ Z with p ∤ b. Then $b \equiv g^r \bmod p$ for some r ∈ Z and so $g^k \equiv (g^r)^2 \equiv g^{2r} \bmod p$.
Thus k ≡ 2r mod (p − 1) by Proposition 2.53 since $\operatorname{ord}_p(g) = \phi(p) = p - 1$. So
k ≡ 2r mod 2 since 2 | (p − 1). Hence k ≡ 0 mod 2, i.e., k must be even.

Theorem 3.10 (Euler's Criterion). If p is an odd prime and a ∈ Z then
$$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \bmod p.$$

Proof. This is obvious if p | a. So suppose that p ∤ a. Let g be a primitive root
mod p. Then there exists k ∈ Z such that $a \equiv g^k \bmod p$. Since $\operatorname{ord}_p(g) = p - 1$
we have $g^{p-1} \equiv 1 \bmod p$ and $g^{(p-1)/2} \not\equiv 1 \bmod p$. But Corollary 2.71 says that
$g^{(p-1)/2} \equiv \pm 1 \bmod p$. Therefore $g^{(p-1)/2} \equiv -1 \bmod p$. Then
$$a^{(p-1)/2} \equiv (g^k)^{(p-1)/2} \equiv (g^{(p-1)/2})^k \equiv (-1)^k \bmod p.$$
The result now follows from Lemma 3.9.


Alternative proof of Euler's Criterion. Again, we may suppose that p ∤ a.
Suppose that $\left(\frac{a}{p}\right) = 1$. Then there exists b ∈ Z with p ∤ b such that
a ≡ b² mod p. Thus by Fermat's Little Theorem (Corollary 2.62) we have
$$a^{(p-1)/2} \equiv (b^2)^{(p-1)/2} \equiv b^{p-1} \equiv 1 \equiv \left(\frac{a}{p}\right) \bmod p.$$
Now suppose that $\left(\frac{a}{p}\right) = -1$ and consider the polynomial
$$f(x) = x^{(p-1)/2} - 1.$$
Since f(x) has degree (p − 1)/2, Lagrange's polynomial congruence theorem
(Theorem 2.68) says that the congruence
$$f(x) \equiv 0 \bmod p$$
has at most (p − 1)/2 solutions. But we have shown that the quadratic
residues mod p are solutions, and Proposition 3.4 says there are (p − 1)/2
of them. Hence none of the quadratic non-residues are solutions and so
$a^{(p-1)/2} \not\equiv 1 \bmod p$. But by Fermat's Little Theorem (Corollary 2.62) we have
$a^{p-1} \equiv 1 \bmod p$ and so by Corollary 2.71 $a^{(p-1)/2} \equiv \pm 1 \bmod p$. Therefore
$$a^{(p-1)/2} \equiv -1 \equiv \left(\frac{a}{p}\right) \bmod p.$$
This completes the proof.

Theorem 3.11 (Multiplicativity of the Legendre Symbol). Let p be an odd
prime. Let a, b ∈ Z. Then
$$\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right).$$
Proof. If p | a or p | b then p | ab so $\left(\frac{ab}{p}\right) = 0$ and either $\left(\frac{a}{p}\right) = 0$ or $\left(\frac{b}{p}\right) = 0$.
Hence we have the desired result in this case.
Suppose p ∤ a and p ∤ b. Then by Euclid's Lemma for Primes we have
p ∤ ab. Moreover, by Euler's Criterion we have
$$\left(\frac{ab}{p}\right) \equiv (ab)^{(p-1)/2} = a^{(p-1)/2} b^{(p-1)/2} \equiv \left(\frac{a}{p}\right)\left(\frac{b}{p}\right) \bmod p,$$
and both sides are 1 or −1. If they were different, we would have +1 ≡
−1 mod p and so p | 2, which gives a contradiction as p is odd.

Theorem 3.12. If p is an odd prime then
$$\left(\frac{-1}{p}\right) = (-1)^{\frac{p-1}{2}} = \begin{cases} +1, & p \equiv 1 \bmod 4,\\ -1, & p \equiv 3 \bmod 4. \end{cases}$$
In other words, x² ≡ −1 mod p is soluble if and only if p ≡ 1 mod 4.

Proof. By Euler's Criterion we have
$$\left(\frac{-1}{p}\right) \equiv (-1)^{\frac{p-1}{2}} \bmod p,$$
and both sides are +1 or −1. If they were different, we would have +1 ≡
−1 mod p and so p | 2, which gives a contradiction as p is odd.

Example 3.13. Can we solve x² ≡ 13 mod 17?
$$\begin{aligned}
\left(\frac{13}{17}\right) &= \left(\frac{-4}{17}\right) && \text{by periodicity (Remark 3.7)}\\
&= \left(\frac{-1}{17}\right)\left(\frac{2}{17}\right)\left(\frac{2}{17}\right) && \text{by multiplicativity (Theorem 3.11)}\\
&= \left(\frac{-1}{17}\right) && \text{as } (\pm 1)^2 = 1\\
&= (-1)^{(17-1)/2} && \text{since } 17 \equiv 1 \bmod 4 \text{ (use Theorem 3.12)}\\
&= (-1)^8 = 1.
\end{aligned}$$
Hence the congruence is soluble! Note that this proof that a solution exists
cannot be adapted to provide a concrete solution. It is purely an existence
argument.
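The two descriptions of the Legendre symbol given so far, Definition 3.5 (search for a square root, using Proposition 3.4 to limit the search) and Euler's Criterion (one modular exponentiation), checked against each other in a small added example; the code is not from the notes and the function names are mine.

```python
# Added example (not from the lecture notes): the Legendre symbol computed two
# ways, from Definition 3.5 / Proposition 3.4 by searching for a square root, and
# from Euler's Criterion (Theorem 3.10) by one modular exponentiation.

def quadratic_residues(p):
    """Residue classes of 1^2, 2^2, ..., ((p-1)/2)^2 mod p; by Proposition 3.4
    these are exactly the (p-1)/2 quadratic residues of the odd prime p."""
    return sorted({x * x % p for x in range(1, (p - 1) // 2 + 1)})

def legendre_by_definition(a, p):
    """(a/p) straight from Definition 3.5: 0 if p | a, +1 if a is a square mod p,
    -1 otherwise.  Only the squares in display (17) need to be tested."""
    a %= p
    if a == 0:
        return 0
    return 1 if a in quadratic_residues(p) else -1

def legendre_by_euler(a, p):
    """(a/p) via Euler's Criterion: a^((p-1)/2) mod p is 0, 1 or p-1 (i.e. -1)."""
    r = pow(a, (p - 1) // 2, p)      # Python's three-argument pow accepts a negative base
    return -1 if r == p - 1 else r

def odd_primes_below(limit):
    """Odd primes below limit by trial division (small inputs only)."""
    return [n for n in range(3, limit, 2)
            if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]

def euler_matches_definition(limit=100):
    """Check, for every odd prime p < limit and every a mod p, that both
    computations agree and that Proposition 3.4's count (p-1)/2 holds."""
    for p in odd_primes_below(limit):
        if len(quadratic_residues(p)) != (p - 1) // 2:
            return False
        for a in range(p):
            if legendre_by_definition(a, p) != legendre_by_euler(a, p):
                return False
    return True

if __name__ == "__main__":
    # Example 3.13: 13 is a square mod 17, but the symbol does not say which x works.
    print(legendre_by_euler(13, 17), legendre_by_definition(13, 17))   # 1 1
    # Theorem 3.12: (-1/p) = +1 exactly when p ≡ 1 mod 4.
    print(legendre_by_euler(-1, 17), legendre_by_euler(-1, 19))        # 1 -1
    print(euler_matches_definition())                                  # True
```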

Theorem 3.14. There are infinitely many primes p with p ≡ 1 mod 4.

Proof. It suffices to show that for any N ∈ N there exists a prime p with
p > N and p ≡ 1 mod 4. Let M = (2(N!))² + 1. If p is a prime with p ≤ N
then M ≡ 1 mod p and so p ∤ M. Let p be a prime factor of M. Then p > N.
As M is odd, p is also odd. Then we have (2(N!))² ≡ −1 mod p and so the
congruence x² ≡ −1 mod p is soluble. Therefore p ≡ 1 mod 4 by Theorem
3.12.

3.4 Gauss’ Lemma


Definition 3.15. Let a ∈ Z and n ∈ N. We write λ(a, n) for the unique
integer such that a ≡ λ(a, n) mod n and 0 ≤ λ(a, n) < n. In other words,
λ(a, n) is the remainder when the Division Algorithm is applied to a and n.
(This is not a standard notation, and is intended merely for temporary use
in our discussion of quadratic residues.)

Theorem 3.16 (Gauss' Lemma). Let p be an odd prime and let a ∈ Z with
p ∤ a. Then
$$\left(\frac{a}{p}\right) = (-1)^{\Lambda} \quad\text{where}\quad \Lambda := \#\left\{ j \in \mathbb{N} : 1 \le j \le \tfrac{p-1}{2},\ \lambda(aj, p) > \tfrac{p}{2} \right\}.$$

Example 3.17. Let p = 13 and a = 5.
If j = 1 then λ(aj, p) = λ(5, 13) = 5 < 13/2.
If j = 2 then λ(aj, p) = λ(10, 13) = 10 > 13/2.
If j = 3 then λ(aj, p) = λ(15, 13) = 2 < 13/2.
If j = 4 then λ(aj, p) = λ(20, 13) = 7 > 13/2.
If j = 5 then λ(aj, p) = λ(25, 13) = 12 > 13/2.
If j = 6 then λ(aj, p) = λ(30, 13) = 4 < 13/2.
Hence Λ = #{2, 4, 5} = 3 and so $\left(\frac{5}{13}\right) = (-1)^3 = -1$.
Proof. Let $S_a := \{aj : 1 \le j \le \tfrac{p-1}{2}\}$ and define
$$\{r_1, \ldots, r_m\} = \{\lambda(aj, p) : aj \in S_a,\ 0 < \lambda(aj, p) < \tfrac{p}{2}\},$$
$$\{s_1, \ldots, s_n\} = \{\lambda(aj, p) : aj \in S_a,\ \tfrac{p}{2} < \lambda(aj, p) < p\},$$
so that n = Λ. Note that λ(aj, p) ≠ p/2 since p/2 ∉ Z and that λ(aj, p) ≠ 0,
since p ∤ a and p ∤ j. Also note that if j₁ ≠ j₂ then λ(aj₁, p) ≠ λ(aj₂, p) since
$$\begin{aligned}
\lambda(aj_1, p) = \lambda(aj_2, p) &\implies aj_1 \equiv aj_2 \bmod p\\
&\implies j_1 \equiv j_2 \bmod p \quad\text{(by cancellation law; note } p \nmid a)\\
&\implies j_1 = j_2 \quad\text{(since } 0 < j_1, j_2 < p).
\end{aligned}$$
Hence $m + n = \#S_a = \tfrac{p-1}{2}$. We claim that
$$\{r_1, \ldots, r_m, (p - s_1), \ldots, (p - s_n)\} = \{1, 2, \ldots, \tfrac{p-1}{2}\}.$$
Clearly $r_i, (p - s_j) \in \{1, 2, \ldots, \tfrac{p-1}{2}\}$ and there are $\tfrac{p-1}{2}$ elements $r_i, (p - s_j)$,
so it suffices to show that they are all different. We have already shown
that $r_i \ne r_j$ and $s_i \ne s_j$ for i ≠ j. To show that $r_i \ne p - s_j$ we argue by
contradiction. If $r_i + s_j = p$, let $r_i = \lambda(aj_1, p)$ and $s_j = \lambda(aj_2, p)$. Then
$$r_i + s_j = p = \lambda(aj_1, p) + \lambda(aj_2, p) \equiv aj_1 + aj_2 \equiv a(j_1 + j_2) \bmod p.$$
Hence $a(j_1 + j_2) \equiv 0 \bmod p$. So by Euclid's lemma for primes, either p | a or
$p \mid (j_1 + j_2)$. However, p ∤ a by assumption and $2 \le j_1 + j_2 \le p - 1$ so that
$p \nmid (j_1 + j_2)$, a contradiction. Therefore $r_i \ne p - s_j$, which proves the claim.
Now, on the one hand, we have
$$r_1 r_2 \cdots r_m (p - s_1) \cdots (p - s_n) = 1 \times 2 \times \cdots \times \tfrac{p-1}{2} = \left(\tfrac{p-1}{2}\right)! \equiv r_1 r_2 \cdots r_m\, s_1 s_2 \cdots s_n\, (-1)^n \bmod p.$$
On the other hand, by the definition of $r_i, s_j$,
$$r_1 r_2 \cdots r_m\, s_1 s_2 \cdots s_n = \prod_{j=1}^{(p-1)/2} \lambda(aj, p) \equiv \prod_{j=1}^{(p-1)/2} (aj) = a^{\frac{p-1}{2}} \left(\tfrac{p-1}{2}\right)! \bmod p.$$
Therefore
$$\left(\tfrac{p-1}{2}\right)! \equiv (-1)^n a^{\frac{p-1}{2}} \left(\tfrac{p-1}{2}\right)! \bmod p.$$
Now, since $p \nmid \left(\tfrac{p-1}{2}\right)!$, the cancellation law for congruences shows that
$$1 \equiv (-1)^n a^{\frac{p-1}{2}} \bmod p.$$
Thus $a^{\frac{p-1}{2}} \equiv (-1)^n \bmod p$ and so $\left(\frac{a}{p}\right) \equiv (-1)^n \bmod p$ by Euler's Criterion
(Theorem 3.10). Both sides are +1 or −1 and if they were different, we would
have +1 ≡ −1 mod p and so p | 2, which gives a contradiction as p is odd.
Therefore $\left(\frac{a}{p}\right) = (-1)^n = (-1)^{\Lambda}$ as required.
Definition 3.18. For any x ∈ R we set ⌊x⌋ := max{n ∈ Z : n ≤ x}. For
example, ⌊3⌋ = 3, ⌊π⌋ = 3 and ⌊−π⌋ = −4.
Corollary 3.19. If p is an odd prime then
$$\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8} = \begin{cases} +1, & p \equiv \pm 1 \bmod 8,\\ -1, & p \equiv \pm 3 \bmod 8. \end{cases}$$
Proof. We shall apply Gauss' Lemma (Theorem 3.16) for a = 2, so that
$$\left(\frac{2}{p}\right) = (-1)^{\Lambda} \quad\text{where}\quad \Lambda = \#\{1 \le j \le \tfrac{p-1}{2} : \lambda(2j, p) > \tfrac{p}{2}\}.$$
Note that for $1 \le j \le \tfrac{p-1}{2}$ we have 2 ≤ 2j ≤ p − 1 and so λ(2j, p) = 2j.
Moreover, $2j < \tfrac{p}{2}$ if and only if $j < \tfrac{p}{4}$, and $\tfrac{p}{2} < 2j < p$ if and only if
$\tfrac{p}{4} < j < \tfrac{p}{2}$. It follows that $\Lambda = \#\{j \in \mathbb{N} : \tfrac{p}{4} < j < \tfrac{p}{2}\}$. We have
$$\#\left\{ j : \tfrac{p}{4} < j < \tfrac{p}{2} \right\} = \#\left\{ j \le \tfrac{p-1}{2} \right\} - \#\left\{ j < \tfrac{p}{4} \right\} = \tfrac{p-1}{2} - \left\lfloor \tfrac{p}{4} \right\rfloor.$$
Since p is odd, precisely one of the following cases must occur:
(i) $p = 8k + 1 \implies \tfrac{p-1}{2} = 4k,\ \lfloor \tfrac{p}{4} \rfloor = 2k \implies \Lambda = 2k$,
(ii) $p = 8k + 3 \implies \tfrac{p-1}{2} = 4k + 1,\ \lfloor \tfrac{p}{4} \rfloor = 2k \implies \Lambda = 2k + 1$,
(iii) $p = 8k + 5 \implies \tfrac{p-1}{2} = 4k + 2,\ \lfloor \tfrac{p}{4} \rfloor = 2k + 1 \implies \Lambda = 2k + 1$,
(iv) $p = 8k + 7 \implies \tfrac{p-1}{2} = 4k + 3,\ \lfloor \tfrac{p}{4} \rfloor = 2k + 1 \implies \Lambda = 2k + 2$.
Hence
$$(-1)^{\Lambda} = +1 \iff p = 8k + 1 \text{ or } 8k + 7 \iff p \equiv \pm 1 \bmod 8.$$
We note that if p = 8k + r then
$$\frac{p^2 - 1}{8} = \frac{r^2 + 16rk + 64k^2 - 1}{8} = \frac{r^2 - 1}{8} + 2(kr + 4k^2) \equiv \frac{r^2 - 1}{8} \bmod 2.$$
By checking the cases r = ±1, ±3 we deduce that
$$\frac{p^2 - 1}{8} \equiv \begin{cases} 0 \bmod 2, & p \equiv \pm 1 \bmod 8,\\ 1 \bmod 2, & p \equiv \pm 3 \bmod 8, \end{cases}$$
and the result follows.

Example 3.20. Since 1009 ≡ 1 mod 8 we have $\left(\frac{2}{1009}\right) = 1$. Since 1997 ≡
−3 mod 8 we have $\left(\frac{2}{1997}\right) = -1$. (Note that 1009 and 1997 are both prime.)

Theorem 3.21. There are infinitely many primes p with p ≡ −1 mod 8.

Proof. It suffices to show that for any N ∈ N there exists a prime p with
p > N and p ≡ −1 mod 8. Let M = 8(N!)² − 1. If p is a prime with p ≤ N
then M ≡ −1 mod p and so p ∤ M.
Let p be a prime factor of M. Then p is odd and p > N. Moreover,
$$(4(N!))^2 \equiv 16(N!)^2 \equiv 2M + 2 \equiv 2 \bmod p.$$
Thus $\left(\frac{2}{p}\right) = +1$ and so p ≡ ±1 mod 8 by Corollary 3.19. But if all prime
factors of M were congruent to 1 mod 8, then we would have M ≡ 1 mod 8,
which is not the case. Therefore M must have at least one prime factor p
with p ≡ −1 mod 8 and p > N.

Lemma 3.22. Let p be an odd prime and let a ∈ Z with a odd and p ∤ a.
Then
$$\left(\frac{a}{p}\right) = (-1)^{t} \quad\text{where}\quad t = \sum_{k=1}^{(p-1)/2} \left\lfloor \frac{ak}{p} \right\rfloor.$$

Proof. Recall the notation from the proof of Gauss' Lemma (Theorem 3.16).
For any j ∈ Z we have λ(aj, p) ≡ aj mod p, with 0 ≤ λ(aj, p) < p. Here
λ(aj, p) = aj − pk for some k ∈ Z such that 0 ≤ aj − pk < p. It follows
that $k \le \frac{aj}{p} < k + 1$, and hence that $k = \left\lfloor \frac{aj}{p} \right\rfloor$. We therefore deduce that
$\lambda(aj, p) = aj - p \left\lfloor \frac{aj}{p} \right\rfloor$. Using this expression we now have
$$\sum_{i=1}^{m} r_i + \sum_{i=1}^{n} s_i = \sum_{j=1}^{(p-1)/2} \lambda(aj, p) = \sum_{j=1}^{(p-1)/2} \left( aj - p \left\lfloor \frac{aj}{p} \right\rfloor \right).$$
Hence, since a and p are odd, we have
$$\sum_{j=1}^{(p-1)/2} j - \sum_{j=1}^{(p-1)/2} \left\lfloor \frac{aj}{p} \right\rfloor \equiv \sum_{i=1}^{m} r_i + \sum_{i=1}^{n} s_i \bmod 2. \qquad (*)$$
Recall from the proof of Gauss' Lemma (Theorem 3.16) that
$$\{r_1, \ldots, r_m, (p - s_1), \ldots, (p - s_n)\} = \{1, 2, \ldots, \tfrac{p-1}{2}\}.$$
Thus
$$\sum_{i=1}^{m} r_i + np + \sum_{i=1}^{n} s_i \equiv \sum_{j=1}^{(p-1)/2} j \bmod 2,$$
and hence
$$\sum_{i=1}^{m} r_i + \sum_{i=1}^{n} s_i \equiv n + \sum_{j=1}^{(p-1)/2} j \bmod 2.$$
Comparing this with (∗), we see that
$$n \equiv \sum_{j=1}^{(p-1)/2} \left\lfloor \frac{aj}{p} \right\rfloor \bmod 2,$$
and the result follows from Gauss' Lemma (Theorem 3.16).
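Gauss' Lemma (Theorem 3.16, as worked in Example 3.17) and its floor-sum form (Lemma 3.22) carried out in code, with the r_i / s_j bookkeeping of the proof made explicit so the set identity {r_i} ∪ {p − s_j} = {1, …, (p−1)/2} can be checked directly; this is an added example, not code from the notes, and the function names are mine.

```python
# Added example (not from the lecture notes): Gauss' Lemma (Theorem 3.16) and
# its floor-sum form (Lemma 3.22), with the bookkeeping of the proof made
# explicit so the claim {r_i} ∪ {p - s_j} = {1, ..., (p-1)/2} can be checked.

def lam(a, n):
    """λ(a, n) of Definition 3.15: the remainder of a on division by n."""
    return a % n

def split_residues(a, p):
    """The r_i (remainders below p/2) and s_j (remainders above p/2) of the
    proof of Gauss' Lemma, for aj with 1 <= j <= (p-1)/2."""
    rs, ss = [], []
    for j in range(1, (p - 1) // 2 + 1):
        r = lam(a * j, p)
        (ss if 2 * r > p else rs).append(r)   # p is odd, so r != p/2
    return rs, ss

def gauss_Lambda(a, p):
    """Λ = #{1 <= j <= (p-1)/2 : λ(aj, p) > p/2}."""
    return len(split_residues(a, p)[1])

def legendre_by_gauss(a, p):
    """(a/p) = (-1)^Λ for an odd prime p and p ∤ a (Theorem 3.16)."""
    return -1 if gauss_Lambda(a, p) % 2 else 1

def floor_sum(a, p):
    """t = Σ_{k=1}^{(p-1)/2} ⌊ak/p⌋ of Lemma 3.22."""
    return sum(a * k // p for k in range(1, (p - 1) // 2 + 1))

def legendre_by_floor_sum(a, p):
    """(a/p) = (-1)^t; Lemma 3.22 needs a odd, so refuse even a."""
    if a % 2 == 0:
        raise ValueError("Lemma 3.22 requires a to be odd")
    return -1 if floor_sum(a, p) % 2 else 1

def claim_holds(a, p):
    """The set identity from the proof of Theorem 3.16."""
    rs, ss = split_residues(a, p)
    return sorted(rs + [p - s for s in ss]) == list(range(1, (p - 1) // 2 + 1))

def legendre_two_via_corollary(p):
    """(2/p) = (-1)^((p^2-1)/8) (Corollary 3.19)."""
    return -1 if ((p * p - 1) // 8) % 2 else 1

def agree_on_small_primes(primes=(3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)):
    """Gauss' Lemma, the floor-sum form (odd a) and Corollary 3.19 (a = 2)
    must all agree with Euler's Criterion a^((p-1)/2) mod p."""
    for p in primes:
        if legendre_by_gauss(2, p) != legendre_two_via_corollary(p):
            return False
        for a in range(1, p):
            euler = pow(a, (p - 1) // 2, p)
            euler = -1 if euler == p - 1 else euler
            if legendre_by_gauss(a, p) != euler or not claim_holds(a, p):
                return False
            if a % 2 and legendre_by_floor_sum(a, p) != euler:
                return False
    return True

if __name__ == "__main__":
    # Example 3.17: p = 13, a = 5 gives remainders 5, 10, 2, 7, 12, 4, so Λ = 3.
    print(split_residues(5, 13))                           # ([5, 2, 4], [10, 7, 12])
    print(gauss_Lambda(5, 13), legendre_by_gauss(5, 13))   # 3 -1
    print(floor_sum(5, 13))                                # 5, odd, so (5/13) = -1
    print(agree_on_small_primes())                         # True
```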

3.5 The Law of Quadratic Reciprocity


Theorem 3.23 (The Law of Quadratic Reciprocity - LQR). If p and q are
distinct odd primes, then
$$\left(\frac{p}{q}\right) = (-1)^{\left(\frac{p-1}{2}\right)\left(\frac{q-1}{2}\right)} \left(\frac{q}{p}\right) = \begin{cases} +\left(\frac{q}{p}\right), & \text{if } p \equiv 1 \bmod 4 \text{ or } q \equiv 1 \bmod 4,\\ -\left(\frac{q}{p}\right), & \text{if } p \equiv q \equiv 3 \bmod 4. \end{cases}$$

Proof. To prove the Law of Quadratic Reciprocity it suffices, by Lemma 3.22,
to show that
$$\sum_{k=1}^{(p-1)/2} \left\lfloor \frac{qk}{p} \right\rfloor + \sum_{k=1}^{(q-1)/2} \left\lfloor \frac{pk}{q} \right\rfloor = \frac{p-1}{2} \times \frac{q-1}{2}.$$
We shall count the points in
$$R := \left\{ (x, y) \in \mathbb{N} \times \mathbb{N} : 0 < x < \tfrac{p}{2},\ 0 < y < \tfrac{q}{2} \right\}$$
in two different ways. First note that since p and q are odd, we have
$$\#R = \#\{x : 0 < x < \tfrac{p}{2}\} \times \#\{y : 0 < y < \tfrac{q}{2}\} = \frac{p-1}{2} \times \frac{q-1}{2}.$$
We now find another expression for #R. If a point (x, y) were on the line
from (0, 0) to (p/2, q/2) we would have y = qx/p and hence py = qx. However,
then we would have p | qx, which is impossible by Euclid's lemma for primes,
since p ∤ q and p ∤ x (recall that 0 < x < p/2). Thus there are no points
(x, y) of R on the line from (0, 0) to (p/2, q/2).
How many points (x, y) of R are there below (or on) the diagonal? For
each value of x with $1 \le x \le \tfrac{p-1}{2}$, the pairs (x, y) below the diagonal must
satisfy $1 \le y \le \tfrac{q}{p} x$, and there are $\left\lfloor \tfrac{qx}{p} \right\rfloor$ such values of y. It follows that
the total number of points below (or on) the line y = qx/p is
$$\sum_{k=1}^{(p-1)/2} \left\lfloor \frac{qk}{p} \right\rfloor.$$
Similarly, there are
$$\sum_{k=1}^{(q-1)/2} \left\lfloor \frac{pk}{q} \right\rfloor$$
points above (or on) the line. It follows that
$$\#R = \sum_{k=1}^{(p-1)/2} \left\lfloor \frac{qk}{p} \right\rfloor + \sum_{k=1}^{(q-1)/2} \left\lfloor \frac{pk}{q} \right\rfloor.$$
Comparing the two expressions for #R gives the result.
Example 3.24. What is $\left(\frac{29}{53}\right)$? In other words, can we solve x² ≡ 29 mod 53?
Note that 29 and 53 are both prime. Use LQR:
$$\begin{aligned}
\left(\frac{29}{53}\right) &= \left(\frac{53}{29}\right) && \text{(by LQR since } 29 \equiv 1 \bmod 4)\\
&= \left(\frac{24}{29}\right) && \text{(by periodicity since } 53 \equiv 24 \bmod 29)\\
&= \left(\frac{2 \times 2 \times 2 \times 3}{29}\right)\\
&= \left(\frac{2}{29}\right)^3 \left(\frac{3}{29}\right) && \text{(by multiplicativity).}
\end{aligned}$$
We now use LQR and Corollary 3.19 repeatedly:
$$\begin{aligned}
\left(\frac{2}{29}\right) &= -1 && \text{(by Corollary 3.19 since } 29 \equiv -3 \bmod 8)\\
\left(\frac{3}{29}\right) &= \left(\frac{29}{3}\right) && \text{(by LQR since } 29 \equiv 1 \bmod 4)\\
&= \left(\frac{2}{3}\right) && \text{(by periodicity since } 29 \equiv 2 \bmod 3)\\
&= -1 && \text{(by Corollary 3.19 since } 3 \equiv 3 \bmod 8).
\end{aligned}$$
Thus $\left(\frac{29}{53}\right) = (-1)^4 = +1$, and hence x² ≡ 29 mod 53 is soluble.

Example 3.25. Recall that in Example 2.67 we used the binary powering
algorithm to show that $3^{499} \equiv 3 \bmod 997$.
We now perform this computation in a different way. Note that 997 is a
prime and that 997 ≡ 1 mod 4. Moreover, 997 ≡ 1 mod 3. Hence by LQR
we have
$$\left(\frac{3}{997}\right) = \left(\frac{997}{3}\right) = \left(\frac{1}{3}\right) = 1.$$
However, Euler's Criterion (Theorem 3.10) gives
$$\left(\frac{3}{997}\right) \equiv 3^{(997-1)/2} \equiv 3^{498} \bmod 997.$$
Hence $3^{498} \equiv 1 \bmod 997$ and so $3^{499} \equiv 3 \bmod 997$.
Note that we were "lucky" with the choice of exponent here in that it was
close to (997 − 1)/2. In general, if p is prime and a ∈ Z with p ∤ a then we can
use LQR and Euler's Criterion to compute $a^{(p-1)/2} \bmod p$. (In particular, we
must have $a^{(p-1)/2} \equiv \pm 1 \bmod p$.)
 
Example 3.26. Determine $\left(\frac{3}{p}\right)$ where p ≥ 5 is a prime.
By LQR we have
$$\left(\frac{3}{p}\right) = (-1)^{(p-1)(3-1)/4} \left(\frac{p}{3}\right) = (-1)^{(p-1)/2} \left(\frac{p}{3}\right).$$
To determine $\left(\frac{p}{3}\right)$ we need to know the value of p mod 3. To determine
$(-1)^{(p-1)/2}$ we need to know the value of (p − 1)/2 mod 2, or equivalently,
the value of p mod 4. Thus there are only four cases to consider, p ≡ 1, 5, 7
or 11 mod 12. Note that the other cases are excluded because ϕ(12) = 4 and
p must be coprime to 12 (since p ≥ 5).
Case (i): p ≡ 1 mod 12. In this case p ≡ 1 mod 3 so $\left(\frac{p}{3}\right) = 1$.
Also p ≡ 1 mod 4 so (p − 1)/2 is even. Hence $\left(\frac{3}{p}\right) = 1$.
Case (ii): p ≡ 5 mod 12. In this case p ≡ 2 mod 3 so
$$\left(\frac{p}{3}\right) = \left(\frac{2}{3}\right) = (-1)^{(3^2-1)/8} = -1.$$
Also p ≡ 1 mod 4 so (p − 1)/2 is even. Hence $\left(\frac{3}{p}\right) = -1$.
Case (iii): p ≡ 7 mod 12. In this case p ≡ 1 mod 3 so $\left(\frac{p}{3}\right) = 1$.
Also p ≡ 3 mod 4 so (p − 1)/2 is odd. Hence $\left(\frac{3}{p}\right) = -1$.
Case (iv): p ≡ 11 mod 12. In this case p ≡ 2 mod 3 so $\left(\frac{p}{3}\right) = \left(\frac{2}{3}\right) = -1$.
Also p ≡ 3 mod 4 so (p − 1)/2 is odd. Hence $\left(\frac{3}{p}\right) = 1$.
Summarising our results, we have
$$\left(\frac{3}{p}\right) = \begin{cases} +1, & \text{if } p \equiv \pm 1 \bmod 12,\\ -1, & \text{if } p \equiv \pm 5 \bmod 12. \end{cases}$$

3.6 The Jacobi Symbol


Definition 3.27. Let n be an odd positive integer with prime factorisation
$n = p_1^{e_1} \cdots p_r^{e_r}$. Then for any a ∈ Z we define the Jacobi symbol $\left(\frac{a}{n}\right)$ by
$$\left(\frac{a}{n}\right) = \prod_{i=1}^{r} \left(\frac{a}{p_i}\right)^{e_i},$$
where the symbols on the right are Legendre symbols. We also define $\left(\frac{a}{1}\right) = 1$.

Theorem 3.28. Let n be an odd positive integer and let a ∈ Z.
(i) $\left(\frac{a}{n}\right) = \pm 1$ if a and n are coprime and $\left(\frac{a}{n}\right) = 0$ otherwise,
(ii) $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$ whenever a ≡ b mod n,
(iii) $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$ and $\left(\frac{a}{mn}\right) = \left(\frac{a}{m}\right)\left(\frac{a}{n}\right)$,
(iv) $\left(\frac{a^2}{n}\right) = 1$ whenever a and n are coprime.

Proof. These properties are easily deduced from the corresponding properties
of the Legendre Symbol.
Remark 3.29. Let n be an odd positive integer with prime factorisation $n = p_1^{e_1} \cdots p_r^{e_r}$. If the congruence
$$x^2 \equiv a \bmod n$$
has a solution then $\left(\frac{a}{p_i}\right) = 1$ for each i and hence $\left(\frac{a}{n}\right) = 1$. However, the
converse is not true, because an even number of factors −1 could appear
in the defining product of $\left(\frac{a}{n}\right)$. This is illustrated in the following example.
Example 3.30. We have
$$\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)(-1) = 1.$$
Even though $\left(\frac{2}{15}\right) = 1$ the congruence x² ≡ 2 mod 15 is insoluble because
x² ≡ 2 mod 3 has no solutions.

Theorem 3.31. If n is an odd positive integer then $\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2}$.

Proof. Write $n = p_1 p_2 \cdots p_r$ where the odd prime factors $p_i$ are not necessarily distinct. Then we have
$$n = \prod_{i=1}^{r} (1 + p_i - 1) = 1 + \sum_{i=1}^{r} (p_i - 1) + \sum_{i \ne j} (p_i - 1)(p_j - 1) + \cdots.$$
But each factor $p_i - 1$ is even so each sum after the first is divisible by 4.
Hence
$$n \equiv 1 + \sum_{i=1}^{r} (p_i - 1) \bmod 4,$$
which gives
$$\frac{1}{2}(n - 1) \equiv \sum_{i=1}^{r} \frac{1}{2}(p_i - 1) \bmod 2.$$
Therefore
$$\left(\frac{-1}{n}\right) = \prod_{i=1}^{r} \left(\frac{-1}{p_i}\right) = \prod_{i=1}^{r} (-1)^{(p_i-1)/2} = (-1)^{\sum_{i=1}^{r} (p_i-1)/2} = (-1)^{(n-1)/2},$$
which gives the desired result.

Theorem 3.32. If n is an odd positive integer then
$$\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8} = \begin{cases} +1, & n \equiv \pm 1 \bmod 8,\\ -1, & n \equiv \pm 3 \bmod 8. \end{cases}$$

Proof. Write $n = p_1 p_2 \cdots p_r$ where the odd prime factors $p_i$ are not necessarily distinct. Then we have
$$n^2 = \prod_{i=1}^{r} (1 + p_i^2 - 1) = 1 + \sum_{i=1}^{r} (p_i^2 - 1) + \sum_{i \ne j} (p_i^2 - 1)(p_j^2 - 1) + \cdots.$$
Since each $p_i$ is odd, we have $p_i^2 - 1 \equiv 0 \bmod 8$ so
$$n^2 \equiv 1 + \sum_{i=1}^{r} (p_i^2 - 1) \bmod 64$$
hence
$$\frac{1}{8}(n^2 - 1) \equiv \sum_{i=1}^{r} \frac{1}{8}(p_i^2 - 1) \bmod 8.$$
This also holds modulo 2, hence
$$\left(\frac{2}{n}\right) = \prod_{i=1}^{r} \left(\frac{2}{p_i}\right) = \prod_{i=1}^{r} (-1)^{(p_i^2-1)/8} = (-1)^{(n^2-1)/8}.$$
As n is odd we must have n ≡ ±1, ±3 mod 8 and by checking the cases
n = ±1, ±3 we deduce that
$$\frac{n^2 - 1}{8} \equiv \begin{cases} 0 \bmod 2, & n \equiv \pm 1 \bmod 8,\\ 1 \bmod 2, & n \equiv \pm 3 \bmod 8. \end{cases}$$
This completes the proof.
Theorem 3.33 (Reciprocity Law for Jacobi symbols). Let m and n be
coprime odd positive integers. Then
$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{(m-1)(n-1)/4} = \begin{cases} +1, & \text{if } m \equiv 1 \bmod 4 \text{ or } n \equiv 1 \bmod 4,\\ -1, & \text{if } m \equiv n \equiv 3 \bmod 4. \end{cases}$$
Proof. Write $n = p_1 p_2 \cdots p_r$ where the odd prime factors $p_i$ are not necessarily distinct. Similarly, write $m = q_1 q_2 \cdots q_s$ where the odd prime factors $q_j$
are not necessarily distinct. (Note that since m and n are coprime, we have
$p_i \ne q_j$ for all i, j.) Then
$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = \prod_{i=1}^{r} \prod_{j=1}^{s} \left(\frac{p_i}{q_j}\right)\left(\frac{q_j}{p_i}\right) = (-1)^t$$
for some t ∈ Z. Applying the quadratic reciprocity law (Theorem 3.23) to
the first factor of each term $\left(\frac{p_i}{q_j}\right)\left(\frac{q_j}{p_i}\right)$, we see that we can take
$$t = \sum_{i=1}^{r} \sum_{j=1}^{s} \frac{1}{2}(p_i - 1) \cdot \frac{1}{2}(q_j - 1) = \sum_{i=1}^{r} \frac{1}{2}(p_i - 1) \sum_{j=1}^{s} \frac{1}{2}(q_j - 1).$$
However, the same argument as in the proof of Theorem 3.31 shows that
$$\frac{1}{2}(n - 1) \equiv \sum_{i=1}^{r} \frac{1}{2}(p_i - 1) \bmod 2$$
and the corresponding result holds for $\frac{1}{2}(m - 1)$. Therefore
$$t \equiv \frac{n-1}{2} \cdot \frac{m-1}{2} \bmod 2,$$
which completes the proof.

Example 3.34. Determine whether 888 is a quadratic residue or nonresidue
of the prime 1999. We have
$$\left(\frac{888}{1999}\right) = \left(\frac{2}{1999}\right)^3 \left(\frac{111}{1999}\right) = \left(\frac{111}{1999}\right)$$
since 1999 ≡ −1 mod 8. To calculate $\left(\frac{111}{1999}\right)$ using Legendre symbols, we
would write
$$\left(\frac{111}{1999}\right) = \left(\frac{3}{1999}\right)\left(\frac{37}{1999}\right)$$
and apply the quadratic reciprocity law to each factor on the right. However,
the calculation is much simpler with the Jacobi symbol since we have
$$\left(\frac{111}{1999}\right) = -\left(\frac{1999}{111}\right) = -\left(\frac{1}{111}\right) = -1$$
since 111 ≡ 1999 ≡ 3 mod 4 and 1999 ≡ 1 mod 111. Therefore 888 is a
quadratic nonresidue of 1999.
Example 3.35. Determine whether −104 is a quadratic residue or nonresidue
of the prime 997. Since 104 = 2³ × 13 we have
$$\begin{aligned}
\left(\frac{-104}{997}\right) &= \left(\frac{-1}{997}\right)\left(\frac{2}{997}\right)^3 \left(\frac{13}{997}\right)\\
&= \left(\frac{2}{997}\right)^3 \left(\frac{13}{997}\right) && \text{since } 997 \equiv 1 \bmod 4\\
&= -\left(\frac{13}{997}\right) && \text{since } 997 \equiv -3 \bmod 8\\
&= -\left(\frac{997}{13}\right) && \text{since } 997 \equiv 1 \bmod 4\\
&= -\left(\frac{9}{13}\right) && \text{since } 997 \equiv 9 \bmod 13\\
&= -1 && \text{since } 9 \text{ is a square.}
\end{aligned}$$
Therefore −104 is a quadratic nonresidue of 997.
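The hand calculations of Examples 3.34 and 3.35 turned into the usual algorithm: the Jacobi symbol is evaluated using only periodicity (Theorem 3.28), the rule for (2/n) (Theorem 3.32) and Jacobi reciprocity (Theorem 3.33), so the numerator never has to be factored. This is an added example, not code from the notes; function names are mine, and the defining-product version takes the factorisation of n as input because Definition 3.27 needs it.

```python
# Added example (not from the lecture notes): the Jacobi symbol evaluated the
# way Examples 3.34 and 3.35 do it by hand, using only periodicity (Theorem
# 3.28), the (2/n) rule (Theorem 3.32) and Jacobi reciprocity (Theorem 3.33),
# so no factorisation of the numerator is ever needed.

def jacobi(a, n):
    """Jacobi symbol (a/n) for an odd positive integer n and any integer a."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    a %= n                      # Theorem 3.28 (ii): periodicity
    result = 1
    while a != 0:
        while a % 2 == 0:       # Theorem 3.28 (iii) and 3.32: pull out (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a             # Theorem 3.33: flip, with a sign when both ≡ 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 here means gcd(a, n) > 1 (Theorem 3.28 (i))

def legendre_by_euler(a, p):
    """(a/p) for an odd prime p by Euler's Criterion, for cross-checking."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def is_square_mod(a, n):
    """Brute-force solubility of x^2 ≡ a mod n (the converse in Remark 3.29)."""
    return any(x * x % n == a % n for x in range(n))

def jacobi_from_definition(a, factors):
    """(a/n) from Definition 3.27, given the prime factorisation of n as a list
    of (p_i, e_i) pairs; uses the Legendre symbol for each prime."""
    result = 1
    for p, e in factors:
        result *= legendre_by_euler(a, p) ** e
    return result

if __name__ == "__main__":
    print(jacobi(888, 1999))     # -1, Example 3.34: 888 is a non-residue of 1999
    print(jacobi(-104, 997))     # -1, Example 3.35
    print(jacobi(2, 15))         # 1, yet x^2 ≡ 2 mod 15 is insoluble (Example 3.30)
    print(is_square_mod(2, 15))  # False
    print(jacobi(2, 15) == jacobi_from_definition(2, [(3, 1), (5, 1)]))   # True
```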

4 Sums of Squares
4.1 Pythagorean triples
Definition 4.1. A Pythagorean triple (x, y, z) is a triple of positive integers
satisfying
$$x^2 + y^2 = z^2.$$
If gcd(x, y, z) = 1 then (x, y, z) is called a primitive Pythagorean triple.

Remark 4.2. If g = gcd(x, y, z) then (x/g, y/g, z/g) is also a Pythagorean
triple. It follows that if g > 1, (x, y, z) can be obtained from the "smaller"
primitive Pythagorean triple (x/g, y/g, z/g) by multiplying each entry by g.
Thus it is natural to focus on primitive Pythagorean triples.
It will be useful to note a basic fact about primitive Pythagorean triples.

Theorem 4.3. Let (x, y, z) be a primitive Pythagorean triple. Then gcd(x, y) =
gcd(x, z) = gcd(y, z) = 1.

Proof. Suppose gcd(x, y) > 1. Then there is a prime p with p | x and p | y.
Then z² = x² + y² ≡ 0 (mod p). As p | z² then by Euclid's Lemma for primes
we have p | z and so p | gcd(x, y, z), contradicting (x, y, z) being a primitive
Pythagorean triple. Thus gcd(x, y) = 1.
The proofs that gcd(x, z) = 1 and gcd(y, z) = 1 are similar.
Considering things modulo 4 we can determine the parities of the numbers
in a primitive Pythagorean triple.

Theorem 4.4. If (x, y, z) is a primitive Pythagorean triple, then one of x
and y is even, and the other odd. (Equivalently, x + y is odd.) Also z is odd.

Proof. Note that if x is even then x² ≡ 0 (mod 4) and if x is odd then
x² ≡ 1 (mod 4). If x and y are both odd then x² ≡ y² ≡ 1 (mod 4). Hence
z² ≡ x² + y² ≡ 2 (mod 4), which is impossible. If x and y are both even,
then gcd(x, y) ≥ 2 contradicting Theorem 4.3. We conclude that one of x
and y is even, and the other is odd.
In any case, z ≡ z² = x² + y² ≡ x + y (mod 2), so z is odd.
As the rôles of x and y in Pythagorean triples are symmetric, there is
little loss of generality in studying only primitive Pythagorean triples with x
odd and y even.
We can now prove a theorem characterizing primitive Pythagorean triples.

Theorem 4.5. Let (x, y, z) be a primitive Pythagorean triple with x odd.
Then there are r, s ∈ N with r > s, gcd(r, s) = 1 and r + s odd, such that
x = r² − s², y = 2rs and z = r² + s².
Conversely, if r, s ∈ N with r > s, gcd(r, s) = 1 and r + s odd, then
(r² − s², 2rs, r² + s²) is a primitive Pythagorean triple.

Proof. Let (x, y, z) be a primitive Pythagorean triple with x odd. Then y is
even and z is odd. Let a = ½(z − x), b = ½(z + x) and c = y/2. Then a, b,
c ∈ N. Also
$$ab = \frac{(z - x)(z + x)}{4} = \frac{z^2 - x^2}{4} = \frac{y^2}{4} = c^2.$$
Let g = gcd(a, b). Then g | (a + b) and g | (b − a); that is g | z and g | x. As
gcd(x, z) = 1, by Theorem 4.3, then g = 1, that is gcd(a, b) = 1.
Let p be a prime factor of a. Then p ∤ b, so $v_p(b) = 0$. Hence
$$v_p(a) = v_p(a) + v_p(b) = v_p(ab) = v_p(c^2) = 2v_p(c)$$
is even. Thus a is a square. Similarly b is a square. Write a = s² and
b = r² where r, s ∈ N. Then gcd(r, s) | a and gcd(r, s) | b; as a and b are
coprime, gcd(r, s) = 1. Now x = b − a = r² − s²; therefore r > s. Also
z = a + b = r² + s². As c² = ab = r²s², c = rs and so y = 2rs. Finally as x
is odd, then 1 ≡ x = b − a ≡ r² − s² ≡ r² + s² ≡ r + s mod 2; that is r + s
is odd. This proves the first half of the theorem.
To prove the second part, let r, s ∈ N with r > s, gcd(r, s) = 1 and r + s
odd. Set x = r² − s², y = 2rs and z = r² + s². Certainly y, z ∈ N and also
x ∈ N as r > s > 0. Also
$$x^2 + y^2 = (r^2 - s^2)^2 + (2rs)^2 = (r^4 - 2r^2 s^2 + s^4) + 4r^2 s^2 = r^4 + 2r^2 s^2 + s^4 = z^2.$$
Hence (x, y, z) is a Pythagorean triple. Certainly y is even, and x = r² − s² ≡
r − s ≡ r + s (mod 2): x is odd. To show that (x, y, z) is a primitive
Pythagorean triple we examine g = gcd(x, z). Since x is odd, g is odd. Also
g | (x + z) and g | (z − x), that is g | 2r² and g | 2s². As r and s are coprime,
then gcd(2r², 2s²) = 2, and so g | 2. As g is odd g = 1. Hence (x, y, z) is a
primitive Pythagorean triple.
We now apply this to the proof of Fermat's last theorem for exponent 4.

Theorem 4.6. There do not exist x, y, z ∈ N with
$$x^4 + y^4 = z^4. \qquad (18)$$

Proof. In fact we prove a stronger result. We claim that there are no x, y,
u ∈ N with
$$x^4 + y^4 = u^2. \qquad (19)$$
A natural number solution (x, y, z) to (18) gives one for (19), namely (x, y, u) =
(x, y, z²). Thus it suffices to prove that (19) is insoluble over N.

We use Fermat's method of descent. Given a solution (x, y, u) of (19) we
produce another solution (x′, y′, u′) with u′ < u. This is a contradiction if we
start with the solution of (19) minimizing u.
Let (x, y, u) be a solution of (19) over N with minimum possible u. We
claim first that gcd(x, y) = 1. If not, then p | x and p | y for some prime p.
Then $p^4 \mid (x^4 + y^4)$, that is, $p^4 \mid u^2$. Hence p² | u. Then (x′, y′, u′) =
(x/p, y/p, u/p²) is a solution of (19) in N with u′ < u. This is a contradiction.
Hence gcd(x, y) = 1.
As gcd(x, y) = 1 then gcd(x², y²) = 1, and so (x², y², u) is a primitive
Pythagorean triple by (19). By the symmetry of x and y we may assume
that x² is odd and y² is even, that is, x is odd and y is even. Hence by
Theorem 4.5 there are r, s ∈ N with gcd(r, s) = 1 and
$$x^2 = r^2 - s^2,\quad y^2 = 2rs,\quad u = r^2 + s^2.$$
Then x² + s² = r², and as gcd(r, s) = 1 then (x, s, r) is a primitive Pythagorean triple. As x is odd, there exist a, b ∈ N with gcd(a, b) = 1 and
$$x = a^2 - b^2,\quad s = 2ab,\quad r = a^2 + b^2$$
by Theorem 4.5. Then
$$y^2 = 2rs = 4(a^2 + b^2)ab,$$
equivalently (y/2)² = ab(a² + b²) = abr. (Recall that y is even.) If p is prime
and p | gcd(a, r) then b² = (a² + b²) − a² ≡ 0 (mod p) and so p | b by Euclid's
Lemma for primes. This is impossible, as gcd(a, b) = 1. Thus gcd(a, r) = 1.
Similarly gcd(b, r) = 1. Now abr is a square. If p | a, then p ∤ b and p ∤ r.
Thus $v_p(a) = v_p(abr)$ is even, and so a is a square. Similarly b and r are
squares. Write $a = x'^2$, $b = y'^2$ and $r = u'^2$ where x′, y′, u′ ∈ N. Then
$$u'^2 = a^2 + b^2 = x'^4 + y'^4$$
so (x′, y′, u′) is a solution of (19). Also
$$u' \le u'^2 = a^2 + b^2 = r \le r^2 < r^2 + s^2 = u.$$
This contradicts the minimality of u in the solution (x, y, u) of (19). Hence
(19) is insoluble over N. Consequently (18) is insoluble over N.

4.2 Sums of Squares


Definition 4.7. For k ∈ N we let $S_k = \{a_1^2 + \cdots + a_k^2 : a_1, \ldots, a_k \in \mathbb{Z}\}$ be
the set of sums of k squares. Note that we allow zero; e.g. 1 = 1² + 0² ∈ S₂.

Theorem 4.8. The sets S₂ and S₄ are closed under multiplication. That is:
(i) If m, n ∈ S₂ then mn ∈ S₂.
(ii) If m, n ∈ S₄ then mn ∈ S₄.
Proof. Let m, n ∈ S₂. Then m = a² + b² and n = r² + s² where a, b, r,
s ∈ Z. By the two-square formula,
$$(a^2 + b^2)(r^2 + s^2) = (ar - bs)^2 + (as + br)^2,$$
it is immediate that mn ∈ S₂.
Let m, n ∈ S₄. Then m = a² + b² + c² + d² and n = r² + s² + t² + u²
where a, b, c, d, r, s, t, u ∈ Z. By the four-square formula,
$$\begin{aligned}
(a^2 + b^2 + c^2 + d^2)(r^2 + s^2 + t^2 + u^2) &= (ar - bs - ct - du)^2 + (as + br + cu - dt)^2\\
&\quad + (at - bu + cr + ds)^2 + (au + bt - cs + dr)^2,
\end{aligned}$$
it is immediate that mn ∈ S₄.
Remark 4.9. The two-square formula comes from complex numbers:
$$\begin{aligned}
(a^2 + b^2)(c^2 + d^2) &= |a + bi|^2 |c + di|^2\\
&= |(a + bi)(c + di)|^2\\
&= |(ac - bd) + (ad + bc)i|^2\\
&= (ac - bd)^2 + (ad + bc)^2.
\end{aligned}$$
Similarly the four-square formula comes from the theory of quaternions (if
you know what they are).

4.3 Sums of Two Squares


We can restrict the possible factorizations of a sum of two squares.
Theorem 4.10. Let p be a prime with p ≡ 3 (mod 4) and let n ∈ N. If
n ∈ S₂ then $v_p(n)$ is even.
Proof. Let n = a² + b² with a, b ∈ Z and suppose p | n. We aim to show
that p | a and p | b. Suppose p ∤ a. Then there is c ∈ Z with ac ≡ 1 (mod p).
Then
$$0 \equiv c^2 n = (ac)^2 + (bc)^2 \equiv 1 + (bc)^2 \pmod p.$$
This implies that $\left(\frac{-1}{p}\right) = 1$, but we know that $\left(\frac{-1}{p}\right) = -1$ when p ≡ 3
(mod 4). This contradiction proves that p | a. Similarly p | b. Thus p² |
(a² + b²) = n and n/p² = (a/p)² + (b/p)² ∈ S₂.

Let n ∈ S₂ and $k = v_p(n)$. We have seen that if k > 0 then k ≥ 2 and
n/p² ∈ S₂. Note that $v_p(n/p^2) = k - 2$. Similarly if k − 2 > 0 (that is if
k > 2) then k − 2 ≥ 2 (that is k ≥ 4) and $n/p^4 \in S_2$. Iterating this argument,
we find that if k = 2r + 1 is odd, then $n/p^{2r} \in S_2$ and $v_p(n/p^{2r}) = 1$, which
is impossible. We conclude that k is even.
Remark 4.11. If n ∈ N, we can write n = rm² where m² is the largest square
dividing n and r is squarefree, that is either r = 1 or r is a product of
distinct primes. If any prime factor p of r is congruent to 3 modulo 4 then
$v_p(n) = 1 + 2v_p(m)$ is odd, and n ∉ S₂. Hence, if n ∈ S₂, the only possible
prime factors of r are p = 2 and the p congruent to 1 modulo 4. Obviously
2 = 1² + 1² ∈ S₂. It would be nice if all primes congruent to 1 modulo 4 were
also in S₂. Fortunately, this is the case.

Theorem 4.12. Let p be a prime with p ≡ 1 (mod 4). Then p ∈ S₂.

Proof. As p ≡ 1 (mod 4) then $\left(\frac{-1}{p}\right) = 1$ and so there exists u ∈ Z such that
u² ≡ −1 (mod p). Let
$$A = \{(m_1, m_2) : m_1, m_2 \in \mathbb{Z},\ 0 \le m_1, m_2 < \sqrt{p}\} = \{(m_1, m_2) : m_1, m_2 \in \mathbb{Z},\ 0 \le m_1, m_2 \le \lfloor \sqrt{p} \rfloor\}.$$
Then A has $(1 + \lfloor \sqrt{p} \rfloor)^2$ elements and so |A| > p.
For m = (m₁, m₂) ∈ R² define φ(m) = um₁ + m₂. Then φ : R² → R is
a linear map, and if m ∈ Z² then φ(m) ∈ Z.
As |A| > p, the φ(m) for m ∈ A can't all be distinct modulo p. Hence
there are distinct m, n ∈ A with φ(m) ≡ φ(n) (mod p). Let a = m − n.
Then by linearity φ(a) = φ(m) − φ(n) ≡ 0 (mod p). Write a = (a, b). Then
a = m₁ − n₁ where 0 ≤ m₁, n₁ < √p so that |a| < √p. Similarly |b| < √p.
Then a² + b² < 2p. As m ≠ n then a ≠ (0, 0) and so a² + b² > 0. But
0 ≡ φ(a) = ua + b (mod p). Hence b ≡ −ua (mod p) and so
$$a^2 + b^2 \equiv a^2 + (-ua)^2 \equiv a^2(1 + u^2) \equiv 0 \pmod p.$$
As a² + b² is a multiple of p, and 0 < a² + b² < 2p, then a² + b² = p. We
conclude that p ∈ S₂.
 
Alternative proof (constructive). As p ≡ 1 (mod 4) then $\left(\frac{-1}{p}\right) = 1$ and so
there exists u ∈ Z such that u² ≡ −1 (mod p). In other words, there exists
m ∈ N such that u² + 1 = mp. Note that we can assume |u| < p/2, so
$u^2 + 1 < \frac{p^2}{4} + 1 < \frac{p^2}{2}$. Thus 1 ≤ m < p/2.

The idea is as follows. Given a representation a² + b² = mp, with 1 ≤
m < p, use this to find another representation c² + d² = m′p with 1 ≤ m′ <
m. Then repeat this process until it terminates (as it must) with m′ = 1,
giving the desired solution. Note that the starting point is the representation
u² + 1² = mp of the first paragraph.
So suppose that a² + b² = mp for some m ∈ N with 1 < m < p. (If m = 1
then we are already done.) Then there exist a′, b′ ∈ Z with a ≡ a′ mod m,
|a′| ≤ m/2 and b ≡ b′ mod m, |b′| ≤ m/2. Let $c = \frac{aa' + bb'}{m}$ and $d = \frac{ab' - ba'}{m}$. Now
$$aa' + bb' \equiv a^2 + b^2 \equiv 0 \bmod m \quad\text{and}\quad ab' - ba' \equiv ab - ba \equiv 0 \bmod m,$$
and so c, d ∈ Z. Moreover, $(a')^2 + (b')^2 \equiv a^2 + b^2 \equiv 0 \bmod m$ and so
$$c^2 + d^2 = \frac{(aa' + bb')^2 + (ab' - ba')^2}{m^2} = \frac{(a^2 + b^2)(a'^2 + b'^2)}{m^2} = \frac{p(a'^2 + b'^2)}{m}$$
is in fact an integer and a multiple of p. In other words, c² + d² = m′p for
some m′ ∈ Z. Now $a'^2 \le \frac{m^2}{4}$ and $b'^2 \le \frac{m^2}{4}$, so $a'^2 + b'^2 \le \frac{m^2}{2}$. Thus
$$0 \le m' = \frac{a'^2 + b'^2}{m} \le \frac{m}{2} < m < p.$$
If m′ = 0 then a′ = b′ = 0. Thus m | a and m | b and so m² | (a² + b²) = mp.
Thus m | p. But p is prime and 1 < m < p, so m ∤ p, a contradiction.
Therefore 1 ≤ m′ < m.
Remark 4.13. In order to make this into an algorithm for finding an expression p = a² + b² when p is a prime with p ≡ 1 mod 4, we need to solve the
equation u² ≡ −1 mod p. (This is the hard part.) Write p = 4k + 1 where
k ∈ N. Let g be a primitive root mod p. Then $\operatorname{ord}_p(g) = \phi(p) = p - 1 = 4k$
and $g^0, g^1, g^2, \ldots, g^{4k-1}$ are congruent to 1, 2, . . . , p − 1 in some order. Now
$x = g^{2k}$ is a solution to x² ≡ 1 mod p and x ≢ 1 mod p, so $g^{2k} \equiv -1 \bmod p$
by Corollary 2.71. If $t \equiv g^r \bmod p$ where r is odd then $t^k$ is a solution of
x² ≡ −1 (mod p) since 2kr ≡ 2k mod 4k (note that $4k = \operatorname{ord}_p(g)$ and use
Proposition 2.53). Thus if we pick t ∈ {1, . . . , p − 1} at random, there is a
50% chance that $t \equiv g^r \bmod p$ with r odd. Given such a t, we set $u = t^k$.
Example 4.14. Let p = 1997. Note that p is prime and p ≡ 1 mod 4. Writing
p = 4k + 1 we have k = (p − 1)/4 = (1997 − 1)/4 = 499. Try t = 2. Then
$2^{499} \equiv 1585 \equiv -412 \bmod 1997$ (one can use the binary powering algorithm
to do this). Note that we chose −412 instead of 1585 because |−412| =
412 < 1997/2. Check that (−412)² ≡ −1 mod 1997. Set a = 412 and b = 1.
Then a² + b² = 169745 = 85 × 1997, so m = 85.
Now 412 ≡ −13 mod 85. So take a′ = −13 and b′ = 1. Set
$$c = \frac{aa' + bb'}{m} = \frac{412 \times (-13) + 1 \times 1}{85} = -63,$$
$$d = \frac{ab' - ba'}{m} = \frac{412 \times 1 - 1 \times (-13)}{85} = 5.$$
Now we have 63² + 5² = 3994 = 2 × 1997. Now let a = 63, b = 5 and m = 2.
Then 63 ≡ 1 mod 2 and 5 ≡ 1 mod 2. So we take a′ = b′ = 1 and
$$c = \frac{aa' + bb'}{m} = \frac{63 \times 1 + 5 \times 1}{2} = 34,$$
$$d = \frac{ab' - ba'}{m} = \frac{63 \times 1 - 5 \times 1}{2} = 29.$$
Now we have 34² + 29² = 1997, so we are done.
Remark 4.15. In the above example, we need to compute $2^{499} \bmod 1997$ efficiently. The way to do this is to use the binary powering algorithm that was
introduced in §2.9.
We now give the computation of $2^{499} \bmod 1997$ (note that in Example 2.67
we worked mod 997 rather than 1997). First we find the binary expansion of
499 as follows:
$$\begin{aligned}
499 &= 2^8 + 243\\
&= 2^8 + 2^7 + 115\\
&= 2^8 + 2^7 + 2^6 + 51\\
&= 2^8 + 2^7 + 2^6 + 2^5 + 19\\
&= 2^8 + 2^7 + 2^6 + 2^5 + 2^4 + 3\\
&= 2^8 + 2^7 + 2^6 + 2^5 + 2^4 + 2^1 + 2^0.
\end{aligned}$$
So the binary expansion of 499 is 111110011. (This part is exactly the same
as in Example 2.67.) Now by squaring the previous term each time, we have
$$\begin{aligned}
2^{2^1} &\equiv 4 \pmod{1997}\\
2^{2^2} &\equiv 4^2 \equiv 16 \pmod{1997}\\
2^{2^3} &\equiv 16^2 \equiv 256 \pmod{1997}\\
2^{2^4} &\equiv 256^2 \equiv 65536 \equiv 1632 \equiv -365 \pmod{1997}\\
2^{2^5} &\equiv (-365)^2 \equiv 2663424 \equiv 1423 \equiv -574 \pmod{1997}\\
2^{2^6} &\equiv (-574)^2 \equiv 329476 \equiv 1968 \equiv -29 \pmod{1997}\\
2^{2^7} &\equiv (-29)^2 \equiv 841 \pmod{1997}\\
2^{2^8} &\equiv 841^2 \equiv 707281 \equiv 343 \pmod{1997}.
\end{aligned}$$
Therefore
$$\begin{aligned}
2^{499} &\equiv 2^{2^0} \times 2^{2^1} \times 2^{2^4} \times 2^{2^5} \times 2^{2^6} \times 2^{2^7} \times 2^{2^8} \pmod{1997}\\
&\equiv 2 \times 4 \times (-365) \times (-574) \times (-29) \times 841 \times 343 \pmod{1997}\\
&\equiv (-2920) \times 16646 \times 288463 \pmod{1997}\\
&\equiv 1074 \times 670 \times 895 \pmod{1997}\\
&\equiv 719580 \times 895 \pmod{1997}\\
&\equiv 660 \times 895 \pmod{1997}\\
&\equiv 1585 \pmod{1997}.
\end{aligned}$$
We can now characterize the elements of S₂.
Theorem 4.16 (Two-square theorem). Let n ∈ N. Then n ∈ S₂ if and only
if $v_p(n)$ is even whenever p is a prime congruent to 3 modulo 4.
Proof. If n ∈ S₂, p is prime and p ≡ 3 (mod 4) then $v_p(n)$ is even by
Theorem 4.10.
If $v_p(n)$ is even whenever p is a prime congruent to 3 modulo 4 then
n = rm² where each prime factor p of r is either 2 or congruent to 1 modulo 4.
By Theorem 4.12 all primes p with p ≡ 1 mod 4 lie in S₂. Moreover, 2 =
1² + 1² ∈ S₂. Hence by Theorem 4.8 r ∈ S₂. Hence r = a² + b² where a,
b ∈ Z and so n = rm² = (am)² + (bm)² ∈ S₂.
The representation of a prime as a sum of two squares is essentially unique.
Theorem 4.17. Let $p$ be a prime. If $p = a^2 + b^2 = c^2 + d^2$ with $a, b, c, d \in \mathbb{N}$ then either $a = c$ and $b = d$ or $a = d$ and $b = c$.
Proof. Consider
\begin{align*}
(ac + bd)(ad + bc) &= a^2cd + abc^2 + abd^2 + b^2cd \\
&= (a^2 + b^2)cd + ab(c^2 + d^2) \\
&= pcd + pab \\
&= p(ab + cd).
\end{align*}
As $p \mid (ac + bd)(ad + bc)$ then by Euclid's lemma for primes either $p \mid (ac + bd)$ or $p \mid (ad + bc)$. Assume the former — the latter case can be treated by reversing the rôles of $c$ and $d$. Now $ac + bd > 0$ so that $ac + bd \ge p$. Also
\begin{align*}
(ac + bd)^2 + (ad - bc)^2 &= a^2c^2 + 2abcd + b^2d^2 + a^2d^2 - 2abcd + b^2c^2 \\
&= a^2c^2 + b^2d^2 + a^2d^2 + b^2c^2 \\
&= (a^2 + b^2)(c^2 + d^2) \\
&= p^2.
\end{align*}
As $ac + bd \ge p$, the only way this is possible is if $ac + bd = p$ and $ad - bc = 0$. Then $ac^2 + bcd = cp$ and $ad^2 - bcd = 0$, so adding gives $a(c^2 + d^2) = cp$, that is $ap = cp$, so that $a = c$. Then $c^2 + bd = p = c^2 + d^2$ so that $bd = d^2$, so that $b = d$.
Example 4.18. Find two "essentially different" ways of writing $629 = 17 \times 37$ as the sum of two squares. First note that $17$ and $37$ are both primes congruent to $1 \bmod 4$, and thus each can be written as the sum of two squares in a unique way. In fact, $17 = 4^2 + 1^2$ and $37 = 6^2 + 1^2$. Then
\begin{align*}
629 &= |4 + i|^2 |6 + i|^2 = |(4 + i)(6 + i)|^2 = |23 + 10i|^2 = 23^2 + 10^2, \\
629 &= |4 + i|^2 |6 - i|^2 = |(4 + i)(6 - i)|^2 = |25 + 2i|^2 = 25^2 + 2^2.
\end{align*}
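An added Python example covering Theorem 4.16 and Example 4.18; it is not code from the lecture notes, and the function names are my own. The criterion of Theorem 4.16 is checked against an exhaustive search for representations $a^2 + b^2 = n$, and compose carries out the Gaussian-integer products of Example 4.18 in general: from $a^2 + b^2 = m$ and $c^2 + d^2 = n$ it returns the representations of $mn$ coming from $(a + bi)(c + di)$ and $(a + bi)(c - di)$.

```python
# Added example, not from the lecture notes: the criterion of Theorem 4.16
# checked against brute force, and the composition of Example 4.18 which turns
# representations of 17 and 37 into the two representations of 629. The
# function names are my own.
from math import isqrt

def factorize(n):
    """Prime factorisation of n >= 1 by trial division, as {p: v_p(n)}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def in_S2_by_criterion(n):
    """Theorem 4.16: n is a sum of two squares iff v_p(n) is even for every
    prime p ≡ 3 (mod 4) dividing n."""
    return all(v % 2 == 0 for p, v in factorize(n).items() if p % 4 == 3)

def two_square_reps(n):
    """All (a, b) with a >= b >= 0 and a^2 + b^2 = n, by exhaustive search."""
    reps = []
    for a in range(isqrt(n) + 1):
        b = isqrt(n - a * a)
        if b * b == n - a * a and a >= b:
            reps.append((a, b))
    return sorted(reps)

def compose(rep1, rep2):
    """From a^2 + b^2 = m and c^2 + d^2 = n, the two representations of mn
    given by |(a+bi)(c+di)|^2 and |(a+bi)(c-di)|^2 (Example 4.18)."""
    a, b = rep1
    c, d = rep2
    return ((abs(a * c - b * d), abs(a * d + b * c)),
            (abs(a * c + b * d), abs(a * d - b * c)))

if __name__ == "__main__":
    print(compose((4, 1), (6, 1)))   # ((23, 10), (25, 2))
    print(two_square_reps(629))      # [(23, 10), (25, 2)]
```

The search confirms that $(23, 10)$ and $(25, 2)$ are the only representations of $629$ with $a \ge b \ge 0$, which is what "essentially different" means here: the two Gaussian products exhaust the possibilities, in line with the uniqueness of Theorem 4.17 for each prime factor.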

4.4 Sums of Four Squares


We wish to prove the theorem of Lagrange to the effect that all natural
numbers are sums of four squares. It is crucial to establish this for primes.
Theorem 4.19. Let $p$ be a prime. Then $p \in S_4$.
Proof. If $p \equiv 1 \pmod 4$ then there are $a, b \in \mathbb{Z}$ with $p = a^2 + b^2 + 0^2 + 0^2$ (Theorem 4.12) so that $p \in S_4$. Also $2 = 1^2 + 1^2 + 0^2 + 0^2 \in S_4$ and $3 = 1^2 + 1^2 + 1^2 + 0^2 \in S_4$. We may assume that $p > 3$ and that $p \equiv 3 \pmod 4$. As a consequence $\left(\frac{-1}{p}\right) = -1$.
Let $w$ be the smallest positive integer with $\left(\frac{w}{p}\right) = -1$. (Note that this forces $w \ge 2$.) Then
\[
\left(\frac{w - 1}{p}\right) = 1 \quad\text{and}\quad \left(\frac{-w}{p}\right) = \left(\frac{-1}{p}\right)\left(\frac{w}{p}\right) = 1.
\]
Hence there are $u, v \in \mathbb{Z}$ with $w - 1 \equiv u^2 \pmod p$ and $-w \equiv v^2 \pmod p$. Then $1 + u^2 + v^2 \equiv 1 + (w - 1) - w \equiv 0 \pmod p$.
Let
\[
B = \{(m_1, m_2, m_3, m_4) : m_1, \dots, m_4 \in \mathbb{Z},\ 0 \le m_1, \dots, m_4 < \sqrt{p}\}
= \{(m_1, m_2, m_3, m_4) : m_1, \dots, m_4 \in \mathbb{Z},\ 0 \le m_1, \dots, m_4 \le \lfloor \sqrt{p} \rfloor\}.
\]
Then $B$ has $(1 + \lfloor \sqrt{p} \rfloor)^4$ elements. Hence $|B| > p^2$. For $m = (m_1, m_2, m_3, m_4)$ define $\psi(m) = (um_1 + vm_2 + m_3, -vm_1 + um_2 + m_4)$. Then $\psi : \mathbb{R}^4 \to \mathbb{R}^2$ is a linear map. If $m \in \mathbb{Z}^4$ then $\psi(m) \in \mathbb{Z}^2$. We write $(a, b) \equiv (a', b') \pmod p$ if $a \equiv a' \pmod p$ and $b \equiv b' \pmod p$. If we have a list $(a_1, b_1), \dots, (a_N, b_N)$ of vectors in $\mathbb{Z}^2$ with $N > p^2$, then there must be some distinct $i$ and $j$ with $(a_i, b_i) \equiv (a_j, b_j) \pmod p$. This happens for the vectors $\psi(m)$ with $m \in B$ as $|B| > p^2$. Thus there are distinct $m, n \in B$ with $\psi(m) \equiv \psi(n) \pmod p$. Let $\mathbf{a} = m - n$. Then $\psi(\mathbf{a}) = \psi(m) - \psi(n) \equiv (0, 0) \pmod p$. Let $\mathbf{a} = (a, b, c, d)$. Then $a = m_1 - n_1$ where $0 \le m_1, n_1 < \sqrt{p}$ so that $|a| < \sqrt{p}$. Similarly $|b|, |c|, |d| < \sqrt{p}$. Then $a^2 + b^2 + c^2 + d^2 < 4p$. As $m \ne n$ then $\mathbf{a} \ne (0, 0, 0, 0)$ and so $a^2 + b^2 + c^2 + d^2 > 0$.
Now $(0, 0) \equiv \psi(\mathbf{a}) = (ua + vb + c, -va + ub + d) \pmod p$. Hence $c \equiv -ua - vb \pmod p$ and $d \equiv va - ub \pmod p$. Then
\[
a^2 + b^2 + c^2 + d^2 \equiv a^2 + b^2 + (ua + vb)^2 + (va - ub)^2 = (1 + u^2 + v^2)(a^2 + b^2) \equiv 0 \pmod p
\]
where the last congruence holds because we previously showed that $1 + u^2 + v^2 \equiv 0 \pmod p$. As $a^2 + b^2 + c^2 + d^2$ is a multiple of $p$, and $0 < a^2 + b^2 + c^2 + d^2 < 4p$, then we must have $a^2 + b^2 + c^2 + d^2 \in \{p, 2p, 3p\}$.
When $a^2 + b^2 + c^2 + d^2 = p$ then certainly $p \in S_4$. Alas, we need to consider the bothersome cases where $a^2 + b^2 + c^2 + d^2 = 2p$ or $3p$.
Suppose that $a^2 + b^2 + c^2 + d^2 = 2p$. Then $a^2 + b^2 + c^2 + d^2 \equiv 2 \pmod 4$ so that two of $a, b, c, d$ are odd and the other two even. Without loss of generality $a$ and $b$ are odd and $c$ and $d$ are even. Then $\frac12(a + b)$, $\frac12(a - b)$, $\frac12(c + d)$ and $\frac12(c - d)$ are all integers, and a simple computation gives
\[
\left(\frac{a + b}{2}\right)^2 + \left(\frac{a - b}{2}\right)^2 + \left(\frac{c + d}{2}\right)^2 + \left(\frac{c - d}{2}\right)^2 = \frac{a^2 + b^2 + c^2 + d^2}{2} = p
\]
so that $p \in S_4$.
Finally suppose that $a^2 + b^2 + c^2 + d^2 = 3p$. Then $a^2 + b^2 + c^2 + d^2$ is a multiple of $3$ but not $9$. As $a^2 \equiv 0$ or $1 \pmod 3$ then either exactly one or all four of $a, b, c$ and $d$ are multiples of $3$. But the latter case is impossible (for then $a^2 + b^2 + c^2 + d^2$ would be a multiple of $9$), so without loss of generality $3 \mid a$ and $b, c, d \equiv \pm 1 \pmod 3$. By replacing $b$ by $-b$ etc., if necessary, we may assume that $b \equiv c \equiv d \equiv 1 \pmod 3$. Then $\frac13(b + c + d)$, $\frac13(a + b - c)$, $\frac13(a + c - d)$, $\frac13(a + d - b)$ are all integers, and a simple computation gives
\[
\left(\frac{b + c + d}{3}\right)^2 + \left(\frac{a + b - c}{3}\right)^2 + \left(\frac{a + c - d}{3}\right)^2 + \left(\frac{a + d - b}{3}\right)^2 = \frac{a^2 + b^2 + c^2 + d^2}{3} = p
\]
so that $p \in S_4$.
We can now prove Lagrange's four-square theorem.
Theorem 4.20 (Lagrange). If $n \in \mathbb{N}$ then $n \in S_4$.
Proof. Either $n = 1 = 1^2 + 0^2 + 0^2 + 0^2 \in S_4$, or $n$ is a product of a sequence of primes. By Theorem 4.19, each prime factor of $n$ lies in $S_4$. Then since $S_4$ is closed under multiplication (Theorem 4.8), we have $n \in S_4$.
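The proof of Theorem 4.19 is nearly constructive, and Theorem 4.20 then only multiplies. The added Python example below (not code from the lecture notes; the function names are my own) carries both out for small primes and small $n$: it finds $u, v$ with $1 + u^2 + v^2 \equiv 0 \pmod p$ from the smallest non-residue $w$, searches for the short vector $(a, b, c, d)$ whose existence the pigeonhole argument guarantees, applies the $2p$ and $3p$ reductions exactly as written in the proof, and finally combines the prime factors of $n$. The multiplication step uses Euler's four-square identity; the notes' Theorem 4.8 is not on this page, so that choice is an assumption.

```python
# Added example, not from the lecture notes: the proof of Theorem 4.19 made
# constructive for a small prime p, then Theorem 4.20 by combining prime
# factors with Euler's four-square identity (the multiplicativity behind
# Theorem 4.8). All function names are my own.
from math import isqrt

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def centred(x, p):
    """Residue of x mod p of least absolute value, in (-p/2, p/2]."""
    r = x % p
    return r - p if 2 * r > p else r

def sqrt_mod(a, p):
    """Some x with x^2 ≡ a (mod p), by exhaustive search (fine for small p)."""
    return next(x for x in range(p) if (x * x - a) % p == 0)

def short_vector(p, u, v):
    """A non-zero (a, b, c, d) with |a|, |b|, |c|, |d| < sqrt(p), c ≡ -ua - vb and
    d ≡ va - ub (mod p). The pigeonhole argument shows one exists; a plain
    search over a, b finds it, since c and d are then forced mod p."""
    r = isqrt(p)                # p is not a square, so |x| < sqrt(p) means |x| <= r
    for a in range(-r, r + 1):
        for b in range(-r, r + 1):
            c, d = centred(-u * a - v * b, p), centred(v * a - u * b, p)
            s = a * a + b * b + c * c + d * d   # ≡ (1+u^2+v^2)(a^2+b^2) ≡ 0 mod p
            if 0 < s < 4 * p:
                return (a, b, c, d), s // p     # s // p is 1, 2 or 3
    raise AssertionError("unreachable: the pigeonhole argument guarantees a solution")

def halve(q):
    """Case a^2+b^2+c^2+d^2 = 2p: pair the two odd entries and the two even ones."""
    a, b = [x for x in q if x % 2 == 1]
    c, d = [x for x in q if x % 2 == 0]
    return ((a + b) // 2, (a - b) // 2, (c + d) // 2, (c - d) // 2)

def third(q):
    """Case a^2+b^2+c^2+d^2 = 3p: exactly one entry is a multiple of 3; flip
    signs so the other three are ≡ 1 (mod 3), then use the identity of the proof."""
    a = next(x for x in q if x % 3 == 0)
    b, c, d = [x if x % 3 == 1 else -x for x in q if x % 3 != 0]
    return ((b + c + d) // 3, (a + b - c) // 3, (a + c - d) // 3, (a + d - b) // 3)

def four_squares_prime(p):
    """(a, b, c, d), sorted downwards, with a^2 + b^2 + c^2 + d^2 = p (Theorem 4.19)."""
    if p == 2:
        return (1, 1, 0, 0)
    if p == 3:
        return (1, 1, 1, 0)
    if p % 4 == 1:              # Theorem 4.12: p = a^2 + b^2; search, as p is small
        a = next(a for a in range(isqrt(p) + 1) if isqrt(p - a * a) ** 2 == p - a * a)
        q = (a, isqrt(p - a * a), 0, 0)
    else:                       # p ≡ 3 (mod 4), so (-1/p) = -1
        w = next(w for w in range(2, p) if legendre(w, p) == -1)   # smallest non-residue
        u, v = sqrt_mod(w - 1, p), sqrt_mod(-w, p)                 # w-1 and -w are residues
        assert (1 + u * u + v * v) % p == 0
        q, m = short_vector(p, u, v)
        if m == 2:
            q = halve(q)
        elif m == 3:
            q = third(q)
    return tuple(sorted(map(abs, q), reverse=True))

def euler_product(x, y):
    """Euler's four-square identity: the product of two sums of four squares."""
    a1, a2, a3, a4 = x
    b1, b2, b3, b4 = y
    return (a1*b1 - a2*b2 - a3*b3 - a4*b4, a1*b2 + a2*b1 + a3*b4 - a4*b3,
            a1*b3 - a2*b4 + a3*b1 + a4*b2, a1*b4 + a2*b3 - a3*b2 + a4*b1)

def four_squares(n):
    """Theorem 4.20: n = 1 directly, otherwise combine the prime factors of n."""
    rep, m, d = (1, 0, 0, 0), n, 2
    while m > 1:
        if m % d == 0:          # d is prime: smaller factors were already removed
            rep, m = euler_product(rep, four_squares_prime(d)), m // d
        else:
            d += 1
    return tuple(sorted(map(abs, rep), reverse=True))

def sum_of_squares(rep):
    return sum(x * x for x in rep)

if __name__ == "__main__":
    print(four_squares_prime(7), four_squares_prime(19), four_squares(60))
```

For $p = 7$ the smallest non-residue is $w = 3$, giving $u = 3$, $v = 2$ and a short vector with sum of squares $21 = 3p$, so the $3p$ reduction is exercised; $p = 19$ lands in the $2p$ case. The search in short_vector is quadratic in $\sqrt{p}$, which is all the pigeonhole argument promises; it is there to illustrate the proof, not as an efficient algorithm.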