Solving Congruences

Many of these exercises are reasonably straightforward calculations, but the amount of arithmetic involved in some of them can be formidable. Look at the worked out examples in the text if you need help getting the hang of it. The theoretical exercises, such as #18 and #19 give you a good taste of the kinds of proofs in an elementary number theory course.

1. We simply need to show that 15 · 7

=

1 (mod 26), or in other words, that 15 · 7 - 1 is divisible by 26. But this quantity is 104, which is 26 · 4.

3. We want to find an integer k such that 4k is 1 greater than a multiple of 9. We compute 4 · 1 = 4 = 0 · 9 + 4, 4. 2 = 8 = 0. 9 + 8, 4. 3 = 12 = 1·9 + 3, 4. 4 = 16 = 1·9 + 7, 4. 5 = 20 = 2. 9 + 2, 4. 6 = 24 = 2. 9 + 6, 4 · 7

=

28

=

3 · 9

+

1. Therefore an inverse of 4 modulo 9 is 7.

5.

a)

Following the procedure of Example 2, we carry out the Euclidean algorithm to find gcd( 4, 9):

9=2·4+1 4

=

4 · 1

Then we work backwards to rewrite the gcd (the last nonzero remainder, which is 1 here) in terms of 4 and 9:

1=9-2·4

Therefore the Bezout coefficients of 9 and 4 are 1 and -2, respectively. The coefficient of 4 is our desired answer, namely -2, which is the same as 7 modulo 9. Note that this agrees with our answer in Exercise 3.

b) We proceed as above:

141=7.19 + 8 19

=

2. 8

+

3

8=2·3+2 3=1·2+1 2=2·1

Then we work backwards to rewrite the gcd (the last nonzero remainder, which is 1 here) in terms of 141 and 19:

1=3-1·2

= 3 - 1 . (8 - 2 . 3) = 3 . 3 - 1 . 8

= 3 . (19 - 2 . 8) - 1 . 8 = 3 . 19 - 7. 8

= 3. 19 - 7. (141 - 7. 19) = (-7). 141+52. 19 Therefore the Bezout coefficient of 19 is 52, and that is an inverse of 19 modulo 141.

c) We proceed as above:

89 = 1·55 + 34 55 = 1·34 + 21 34=1·21+13 21=1·13 + 8 13

=

1·8

+

5

8=1·5+3 5=1·3+2 3=1·2+1 2 = 1·2

Section 4.4 Solving Congruences 131

Then we work backwards to rewrite the gcd (the last nonzero remainder, which is 1 here) in terms of 89 and 55:

1=3-1·2

= 3 - 1 . (5 - 1 . 3) = 2 . 3 - 1 . 5

=

2 . (8 - 1 . 5) - 1 . 5

=

2 . 8 - 3 . 5

= 2. 8 - 3. (13 - 1 . 8) = 5. 8 - 3. 13

= 5 . (21 - 1 . 13) - 3 . 13 = 5 . 21 - 8 . 13

= 5. 21 - 8. (34 - 1. 21) = 13. 21 - 8. 34

= 13. (55 - 1 . 34) - 8. 34 = 13. 55 - 21 . 34

= 13. 55 - 21 . (89 - 1 . 55) = 34. 55 - 21 . 89 Therefore the Bezout coefficient of 55 is 34, and that is an inverse of 55 modulo 89.

d) We proceed as above:

232 = 2 . 89 + 54 89 = 1·54 + 35 54 = 1. 35 + 19 35

=

1. 19

+

16 19 = 1·16 + 3 16=5.3+1

3 = 3 · 1

Then we work backwards to rewrite the gcd (the last nonzero remainder, which is 1 here) in terms of 232 and 89:

1=16 - 5. 3

= 16 - 5. (19 - 1 . 16) = 6. 16 - 5. 19

= 6 . (35 - 1 . 19) - 5 . 19 = 6 . 35 - 11 . 19

= 6. 35 - 11. (54 - 1. 35) = 17. 35 - 11. 54

= 17. (89 - 1. 54) - 11. 54 = 17. 89 - 28. 54

= 17. 89 - 28 . (232 - 2 . 89) = 73 . 89 - 28 . 232 Therefore the Bezout coefficient of 89 is 73, and that is an inverse of 89 modulo 232.

7. We follow the hint. Suppose that we had two inverses of a modulo m, say b and c. In symbols, we would have ba

=

1 (mod m) and ca

=

1 (mod m) . The first congruence says that m divides ba - 1 , and the second says that m divides ca - 1. Therefore m divides the difference (ba -1) - (ca -1) = ba - ca. (The difference of two multiples of m is a multiple of m.) Thus ba =ca (mod m). It follows immediately from Theorem 7 in Section 4.3 (the roles of a, b, and c need to be permuted) that b

=

c (mod m), which is what we wanted to prove.

9. In Exercise 5a we found that an inverse of 4 modulo 9 is 7. Therefore we multiply both sides of this equation by 7, obtaining x

=

³⁵

=

8 (mod 9). As a check, we compute 4 · 8 = 32

=

5 (mod 9).

11. Our answers are not unique, of course-anything in the same congruence class works just as well.

a) In Exercise 5b we found that an inverse of 19 modulo 141 is 52. Therefore we multiply both sides of this equation by 52, obtaining x

=

²⁰⁸

=

67 (mod 141). As a check, we compute 19 · 67 = 1273

=

4 (mod 141).

b) In Exercise 5c we found that an inverse of 55 modulo 89 is 34. Therefore we multiply both sides of this equation by 34, obtaining x

=

¹¹⁵⁶

=

88 (mod 89). As a check, we compute 55 · 88

=

55 · ( -1) = -55

=

34 (mod 89).

132 Chapter 4 Number Theory and Cryptography

c) In Exercise 5d we found that an inverse of 89 modulo 232 is 73. Therefore we multiply both sides of this equation by 73, obtaining x

=

146 (mod 232). As a check, we compute 89 · 146 = 12994

=

2 (mod 232).

13. We follow the hint. Adding 6 to both sides gives the equivalent congruence 15x² + 19x + 6

=

0 (mod 11), because 5 + 6 = 11

=

^{0 (mod 11).} This factors as (5x + 3)(3x + 2)

=

0 (mod 11). Because there are no non-zero divisors of 0 working modulo 11, we conclude that the solutions are precisely the solutions of 5x + 3

=

0 (mod 11) and 3x + 2

=

0 (mod 11). We solve these by the method of Example 3. By inspection (trial-and-error) or working it out through the Euclidean algorithm and back-substituting, we find that an inverse of 5 modulo 11is9, and multiplying both sides of 5x+3

=

0 (mod 11) by 9 yields x+27

=

0 (mod 11), so x

=

^-27

=

6 (mod 11). Similarly, an inverse of 3 modulo 11 is 4, and we get x

=

^-8

=

3 (mod 11). So the solution set is {3, 6} (and anything congruent to these modulo 11 ). Plugging these values into the original equation to check, we have 15·32 +19 · 3 + 6 = 198

=

0 (mod 11) and 15·62 +19 · 6 + 6 = 660

=

0 (mod 11).

15. The hypothesis tells us that m divides ac- be, which is the product (a- b)c. Let m' be m/ gcd(c, m). Then m' is a factor of m, so certainly m' J(a - b)c. Now since all the common factors of m and c were divided out of m to get m', we know that m' is relatively prime to c. It follows from Lemma 2 in Section 4.3 that m' I a - b. But this means that a= b (mod m'), exactly what we were trying to prove.

17. We want to find numbers x such that x²

=

1 (mod p), in other words, such that p divides x2 - 1. Factoring this expression, we see that we are seeking numbers x such that p I ( x + 1) ( x - 1) . By Lemma 3 in Section 4.3, this can only happen if p

I

^x + 1 or p

I

^{x -} 1. But these two congruences are equivalent to the statements x

=

-1 (mod p) and x

=

1 (mod p) .

19. a) If two of these integers were congruent modulo p, say ia and ja, where 1 ::::; i

<

j

<

p, then we would have p

I

ja - ia, or p

I

(j - i)a. By Lemma 2 (or Lemma 3) in Section 4.3, since a is not divisible by p, p must divide j - i. But this is impossible, since j - i is a positive integer less than p. Therefore no two of these integers are congruent modulo p.

b) By part (a), since no two of a, 2a, ... , (p - l)a are congruent modulo p, each must be congruent to a different number from 1 to p-1. Therefore if we multiply them all together, we will obtain the same product, modulo p, as if we had multiplied all the numbers from 1 to p - 1. In symbols,

a· 2a · 3a · · · (p - l)a

=

1 · 2 · 3 · · · (p - 1) (mod p).

The left-hand side of this congruence is clearly (p - 1)! · aP- 1, and the right-hand side is just (p - l)!, as desired.

c) Wilson's theorem says that (p - 1)! is congruent to -1 modulo p. Therefore the congruence in part (b) says that (-1) · ap-l

=

^{-1 (mod p).} Multiplying both sides by -1, we see that ap-l

=

^{1 (mod p),} as desired.

Note that we already assumed the hypothesis that p

,./'a

in part (a).

d) If p

I

a, then both sides of aP =a (mod p) are 0 modulo p, so the congruence holds. If not, then we just multiply the result obtained in part ( c) by a.

21. Since 2, 3, 5, and 11 are pairwise relatively prime, we can use the Chinese remainder theorem. The answer will be unique modulo 2 · 3 · 5 · 11 = 330. Using the notation in the text, we have a1 = 1, m1 = 2, a2 = 2, m2 = 3, a3 = 3, m3 = 5, a4 = 4, m4 = 11, m = 330, Ali= 330/2 = 165, M2 = 330/3 = 110, 1\13 = 330/5 = 66, l'vl4 = 330/11=30. Then we need to find inverses y, of M, modulo m, for i = 1,2,3,4.

This can be done by inspection (trial and error), since the moduli here are so small, or systematically using the Euclidean algorithm, as in Exercise 5; we find that y1 = 1, y2 = 2, y₃ = 1, and y₄ = 7 (for this last one, 30

=

8 (mod 11), so we want to solve 8y4 = 1 (mod 11), and we observe that 8 · 7 = 56

=

^{1 (mod 11) ). Thus}

our solution is x = 1 · 165 · 1 + 2 · 110 · 2 + 3 · 66 · 1 + 4 · 30 · 7 = 1643

=

323 (mod 330). So the solutions are all integers of the form 323 + 330k, where k is an integer.

Section 4.4 Solving Congruences 133

23. By definition, the first congruence can be written as x

=

3t

+

2 where t is an integer. Substituting this expression for x into the second congruence tells us that 3t

+

²

=

1 (mod 4), which can easily be solved to show that t

=

1 (mod 4). From this we can write t = 4u

+

1 for some integer u. Thus x = 3t

+

2 = 3(4u

+

1)

+

2 = 12u

+

5. We plug this into the third congruence to obtain 12u

+

5

=

3 (mod 5), which we easily solve to give u

=

4 (mod 5). Hence u = 5v

+

4, and so x = 12u

+

5 = 12(5v

+

4)

+

5 = 60v

+

53. We check our answer by confirming that 53

=

2 (mod 3), 53

=

1 (mod 4), and 53

=

3 (mod 5).

25. We simply translate the steps of the calculation given in the proof of Theorem 2 into pseudocode. Of course, hidden in line 7 below is a multi-step process of finding inverses in modular arithmetic, which can be accom-plished by using the Euclidean algorithm and back-substituting, as in Example 2. The last loop reduces the answer x to its simplest form modulo m. All solutions are then of the form x

+

mk, where m is the product of the moduli and k is an integer.

procedure chinese( m1 , m2, ... , mn : relatively prime positive integers; a1 , a2 , . . . , an : integers) m:= 1

fork:= 1 ton m :=m·mk fork:= 1 ton

Mk:= m/mk Yk := Mi;¹ mod mk x := 0

fork:= 1 ton

x := x

+

akMkYk while x

2:

m

x := x-m

return x {the smallest solution to the system { x

=

^ak (mod mk), k = 1, 2, ... , n } }

27. We cannot apply the Chinese remainder theorem directly, since the moduli are not pairwise relatively prime.

However, we can, using the Chinese remainder theorem, translate these congruences into a set of congruences that together are equivalent to the given congruence. Since we want x

=

4 (mod 12), we must have x

=

4

=

1 (mod 3) and x

=

4

=

0 (mod 4). Similarly, from the third congruence we must have x

=

1 (mod 3) and x

=

2 (mod 7). Since the first congruence is consistent with the requirement that x

=

1 (mod 3), we see that our system is equivalent to the system x

=

7 (mod 9), x

=

0 (mod 4), x

=

2 (mod 7). These can be solved using the Chinese remainder theorem (see Exercise 21 or Example 5) to yield x

=

16 (mod 252). Therefore the solutions are all integers of the form 16

+

252k, where k is an integer.

29. We will argue for the truth of this statement using the Fundamental Theorem of Arithmetic. What we must show is that m1 m 2 · · · mn

I

^{a -} b. Look at the prime factorization of both sides of this proposition. Suppose that p is a prime appearing in the prime factorization of the left-hand side. Then p

I

^mJ for some j. Since the m, 's are relatively prime, p does not appear as a factor in any of the other m, 's. Now we know from the hypothesis that mJ

I

^{a -} b. Therefore a - b contains the factor p in its prime factorization, and p must appear to a power at least as large as the power to which it appears in m₁ . But what we have just shown is that each prime power pr in the prime factorization of the left-hand side also appears in the prime factorization of the right-hand side. Therefore the left-hand side does, indeed, divide the right-hand side.

31. We are asked to solve the simultaneous congruences x

=

1 (mod 2) and x

=

1 (mod 3). The solution will be unique modulo 2 · 3

=

6. By inspection we see that the answer is simply that x

=

1 (mod 6). The solution set is { ... ,-ll,-5,1,7,13, ... }.

33. Fermat's little theorem tells us that 712

=

1 (mod 13). Note that 121 712-10 . 7 = (712)10. 7

=

110 . 7 = 7 (mod 13).

10 · 12

+

1. Therefore 7¹²¹

134 Chapter 4 Number Theory and Cryptography

35. Fermat's little theorem tells us that under the given conditions ap-l = 1 (mod p). Therefore aP- 2 . a =

a· aP-2 = aP-l = 1 (mod p). This is precisely the definition that aP-2 is an inverse of a modulo p.

37. a) We calculate 2340 = (2 10 )34 = 134 = 1 (mod 11), since Fermat's little theorem says that 210 = 1 (mod 11).

b) We calculate 2340 = (2·⁵)68 =3268 =168 =1(mod31), since 32=1(mod31).

c) Since 11 and 31 are relatively prime, and 11·31 = 341, it follows from the first two parts and Exercise 29 that 2340 = 1 (mod 341).

39. a) By Fermat's little theorem we know that 56 = 1 (mod 7); therefore 51998 = (56)333 = 1333 = 1 (mod 7), and so 52003 = 55 · 51998 = 3125 · 1 = 3 (mod 7). So 52003 mod 7 = 3. Similarly, 510 = 1 (mod 11);

therefore 52000 = (5 10 )200 = 1²⁰⁰ = 1 (mod 11), and so 52003 = 53 · 52000 = 125 · 1 = 4 (mod 11). So 52003 mod 11 = 4. Finally, 512 = 1 (mod 13); therefore 51992 = (5 12 )166

=

¹¹⁶⁶

=

1 (mod 13), and so 52003 = 5¹¹ · 51992

=

48,828, 125 · 1

=

8 (mod 13). So 52003 mod 13 = 8.

b) We now apply the Chinese remainder theorem to the results of part (a), as in Example 5. Let m = 7 · 11 · 13 = 1001,

llfi

= m/7 = 143, 1112 = m/11 = 91, and M3 = m/13 = 77. We see that 5 is an inverse of 143 modulo 7. since 143

=

3 (mod 7), and 3 · 5 = 15

=

1 (mod 7). Similarly, 4 is an inverse of 91 modulo 11, and 12 is an inverse of 77 modulo 13. (An algorithm to compute inverses-if we don't want to find them by inspection as we've done here-is illustrated in Example 2.) Therefore the answer is (3 · 143 · 5

+

4 · 91·4

+

8 · 77 · 12) mod 1001=10993 mod 1001

=

983.

41. Let q be a (necessarily odd) prime dividing 2P - 1. By Fermat's little theorem, we know that q

I

2q-l - 1.

Then from Exercise 37 in Section 4.3 we know that gcd(2P- l, 2q-l -1) = 2gcd(p.q-l) -1. Since q is a common divisor of 2P - 1 and 2q-l - 1, we know that gcd(2P - 1, 2q-l - 1)

>

1. Hence gcd(p, q - 1)

=

p, since the only other possibility, namely gcd(p, q - 1) = 1, would give us gcd(2P - 1, 2q-l - 1) = 1. Hence p I q - 1, and therefore there is a positive integer m such that q - 1 = mp. Since q is odd, m must be even, say m = 2k, and so every prime divisor of 2P - 1 is of the form 2kp

+

1. F\lfthermore, products of numbers of this form are also of this form, since (2k1p

+

1)(2k2p

+

1) = 4k1k2p2

+

2k1p

+

2k2p

+

1

=

2(2k1k2p

+

k1

+

k3)p

+

1.

Therefore all divisors of 2P - 1 are of this form.

43. To decide whether 2¹¹ - 1 = 204 7 is prime, we need only look for a prime factor not exceeding

J2647

~ 45.

By Exercise 41 every such prime divisor must be of the form 22k

+

1. The only candidate is therefore 23. In fact 2047

=

23 · 89, so we conclude that 2047 is not prime.

We can take the same approach for 217 - 1 = 131,071, but we need either computer algebra software or patience with a calculator. By Exercise 41 every prime divisor of 217 - 1 must be of the form 34k

+

1, so we need to try all such divisors (or at least those that are not obviously nonprime) up to .Jl31,071 ~ 362, which means up to k = 10. No number of this form divides 131,071, so we conclude that it is prime.

45. First note that 2047

=

23·89, so 2047 is composite. To apply Miller's test, we write 2047-1

=

2046

=

2·1023, so s = 1 and t = 1023. We must show that either 21023 = 1 (mod 204 7) or 21023 = -1 (mod 204 7) . To compute, we write 21023 = (2^{11 )}93 ₌ 204893

=

193 = 1 (mod 2047), as desired. (We could also compute this using the modular exponentiation algorithm given in Section 4.2-see Example 12 in that section.)

47. We factor 2821

=

7·13·31. We must show that this number meets the definition of Carmichael number, namely that b2820

=

1 (mod 2821) for all b relatively prime to 2821. Note that if gcd(b, 2821) = 1, then gcd(b, 7) = gcd(b, 13) = gcd(b, 31) = 1. Using Fermat's little theorem we find that b⁶ = 1 (mod 7), b12 = 1 (mod 13), and b³⁰

=

1 (mod 31). It follows that b2820 =

(b6)

470 = 1 (mod 7), b2820 = (b12)235 = 1 (mod 13), and b2820 = (b30 )94

=

1 (mod 31). By Exercise 29 (or the Chinese remainder theorem) it follows that b2820

=

1 (mod 2821), as desired.

Section 4.4 Solving Congruences 135 the pair (1, 0). The exercise is simply asking us to tabulate these remainders, as in Example 7.

0 = (0, 0)

We want our answer reduced modulo m, so we divide by 89403930 and take the remainder, obtaining 537140.

(All of these calculations are not difficult using a scientific calculator.) Finally, let us check our answer:

136 Chapter 4 Number Theory and Cryptography 57. A computer algebra system such as Maple facilitates the modular arithmetic calculations. We repeatedly

multiply by 3 and reduce modulo 17. We get 3°

=

1 (mod 17), 3¹

=

3 (mod 17), 3²

=

9 (mod 17), 3³

=

27

=

10 (mod 17) , and so on. Thus log₃ 1

=

0, log₃ 3

=

1, log₃ 9

=

2, log₃ 10

=

3, and so on. If we collect the data and present them in order of increasing argument, we get the required table. (Of course log₃ 0 does not exist.)

log₃ 1

=

0 log₃ 2

=

14 log₃ 3

=

1 log₃ 4

=

12 log₃ 5

=

5 log₃ 6

=

15 log₃ 7

=

11 log₃ 8

=

10 log₃ 9

=

2 log₃ 10

=

3 log₃ 11

=

7 log₃ 12

=

13 log₃ 13

=

4 log₃ 14

=

9 log₃ 15

=

6 log₃ 16 = 8

59. We need to prove that if the congruence x²

=

^{a (mod p)} has any solutions at all, then it has exactly two solutions. So let us assume that s is a solution. Clearly -s is a solution as well, since (-s)² = s^2. Furthermore, -s =fas (mod p), since if it were, we would have 2s

=

^{0 (mod p),} which means that p

I

2s. Since p is an odd prime, that means that p

Is,

^{so that} s

=

^{0 (mod p). Therefore a= 0 (mod p),} contradicting the conditions of the problem.

It remains to prove that there cannot be more than two incongruent solutions. Suppose that s is one solution and that t is a second solution. We have s²

=

^t2 (mod p). This means that p

I

s² - t², that is, p I ( s

+

t) ( s - t) . Since p is prime, Lemma 3 in Section 4. 3 guarantees that p I s - t or p I s

+

t. This means that t

=

s (mod p) or t

=

-s (mod p). Therefore any solution t must be either the first solution or its negative.

In other words, there are at most two solutions.

61. There is really almost nothing to prove here. The value (~) depends only on whether or not a is a quadratic residue modulo p, i.e., whether or not the equivalence x² =a (mod p) has a solution. Obviously, this depends only on the equivalence class of a modulo p.

63. By Exercise 62 we know that (~) (~)

=

^{a(p-lJ/2b(p-lJ/2}

⁼

^(ab)(p-l)/2

= (;)

(mod p). Since the only values either side of this equivalence can take on are ±1, being congruent modulo p is the same as being equal.

65. We follow the hint. Working modulo 5, we want to solve x²

=

4. It is easy to see that there are exactly two solutions modulo 5, namely x

=

2 and x

=

3. Similarly there are only the solutions x

=

1 and x

=

6 modulo 7. Therefore we want to find values of x modulo 5 · 7

=

35 such that x

=

2 or 3 (mod 5) and x

=

¹

or 6 (mod 7). We can do this by applying the Chinese remainder theorem (as in Example 5) four times, for the four combinations of these values. For example, to solve x

=

2 (mod 5) and x

=

1 (mod 7), we find that m

=

35, Mi

=

7, M2

=

5, y1

=

3, Y2

=

3, so x

=

^{2 · 7 · 3}

⁺

^{1 · 5 · 3}

⁼

⁵⁷

=

22 (mod 35). Doing the similar calculation with the other three possibilities yields the other three solutions modulo 35: x = 8, x = 13, and x

=

27.

67. To compute logra (modp), we need to solve re= a (modp) fore. The brute force approach is just to compute re mod p for e = 0, 1, 2, ... , p - 2 until we get the answer a. This requires about p iterations, each of which can be done with O(logp) bit operations, since we need only multiply the previous value by r and find the remainder upon division by p. At worst, we require all p iterations; on average, only half that many.

In either case, the time complexity is O(plogp), which is prohibitively large if pis, say, a 200-digit number.

在文檔中 Student's Solutions Guide (頁 139-146)