
Review Sheet for Math 471 Midterm
Fall 2014, Siman Wong
Disclaimer: This review sheet serves to give a highlight of the topics to be covered in
your midterm. It does NOT replace your textbook and/or your lecture notes.
Note: On your exam you will be asked to recall the precise statement of some theorem
and/or the precise definition of some important term. Know your theorems. Know
your definitions.
Oct 27: This is a draft, and I will continue to revise this in the coming days.
I post this now to help you get started on your review. Please check the course
website regularly for updates.
1. THE BASIC TRICHOTOMY
In the past few weeks we have studied a number of topics, including (among many
others!)
• congruences and divisibility
• division algorithm
• unique factorization
• gcd and (extended) Euclidean algorithm
• Chinese remainder theorem
• Fermat’s little theorem and Fermat compositeness test; fast exponentiation
• Euler phi function
These are not disjoint topics – in fact they are closely related, and a key issue you should
address when you study for the exam is to understand the connections between these
topics. In this writeup I will try to outline some of these connections.
First, remember that
a ≡ b ( mod n) ⇐⇒ n|(b − a) ⇐⇒ gcd(n, b − a) = n.
Which one of these three forms to use depends on the situations; cf. the list of practice
problems for various examples.
In the special case of prime modulus we have the additional equivalence
p ∤ a ⇐⇒ gcd(p, a) = 1.
This is totally false if p is NOT a prime! This is also a good place in the review notes to
point out that the Fundamental Theorem of Arithmetic yields another reformulation of
GCD (even though the FTA was presented a bit later in the course):
gcd(a, b) = 1 ⇐⇒ the factorizations of a and b have no common prime factors.
This reformulation can be quite useful; see for example practice problem #8. Note also
that the FTA has two parts, the existence of a factorization and its uniqueness. The uniqueness
part is subtle and makes use of both the addition and multiplication operations. The existence
part makes crucial use of the following result: Let p be a prime, and let a_1, ..., a_n be integers.
If p | (a_1 ··· a_n) then p | a_i for some i. See also PS#4 for a related result with p replaced by an
arbitrary integer.
© Copyright 2014 Siman Wong
Speaking of GCD, first remember that if a, b ≠ 0, then
gcd(a, b) = the largest positive integer that divides both a and b
          = the smallest positive integer of the form as + bt.
To find gcd(a, b) we have the Euclidean algorithm. We also have the Extended Euclidean
algorithm, which not only determines gcd(a, b) but also two integers s, t so that
gcd(a, b) = as + bt.
Here's a numerical example, computing gcd(374, 50):
step 1: 374 = 7 × 50 + 24
step 2: 50 = 2 × 24 + 2, and 2 | 24, so gcd(374, 50) = 2.
step 3: solve step 2 for the remainder: 2 = (−2) × 24 + 50.
step 4: solve step 1 for 24 (i.e. the output from step 1): 24 = 374 + (−7) × 50.
step 5: plug step 4 into step 3: 2 = (−2) × (374 + (−7) × 50) + 50 = 50 × 15 + 374 × (−2).
Remember that s, t in the EEA are not unique! See Theorem 1.11 for the precise statement
about finding all possible solutions.
The EEA allows us to find the multiplicative inverse mod n of any α ∈ Z which is prime
to n. Make sure you know how to do that. More generally, make sure you know how to
perform EA and EEA by hand. You will need to do such calculation on your test.
Multiplicative inverses mod n are needed when, for example, you try to solve linear
diophantine equations ax + by = c (note that this is an equality in integers). This depends on
gcd(a, b); see your notes for details. Here is the basic idea:
(i) Clearly a necessary condition for ax + by = c to have integer solutions is that
gcd(a, b) divides c.
(ii) Suppose that in fact gcd(a, b) | c. Set d = gcd(a, b) and write a′ = a/d, b′ = b/d,
c′ = c/d. Then the original equation is equivalent to
(1)  a′x + b′y = c′ with gcd(a′, b′) = 1.
(iii) Use EEA to find an integer solution (x′, y′) for the auxiliary equation a′x′ + b′y′ = 1.
(iv) Then (c′x′, c′y′) is one solution to (1), and hence to the original equation. In particular,
the necessary condition in (i) is in fact sufficient!
(v) However: Not every integer solution to ax + by = c is of the form (c′x′, c′y′) for
some solution (x′, y′) to (1); cf. your notes for a (counter)example and details.
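As an added example (not from the review sheet), here is the EEA in Python, carrying the coefficients s, t forward instead of back-substituting, together with the modular inverse and the ax + by = c recipe above; it also returns the whole family of solutions, which is why (c′x′, c′y′) is not the only one. Function and variable names are mine.

```python
# Added example: Euclidean algorithm, EEA, inverses mod n, and ax + by = c.
# Checked against the sheet's hand computation gcd(374, 50) = 2 = 50*15 + 374*(-2).

def egcd(a, b):
    """Extended Euclidean algorithm.

    Returns (d, s, t) with d = gcd(a, b) >= 0 and a*s + b*t = d.  Each loop
    iteration is one division step; the coefficients are updated alongside
    the remainders, which is what the back-substitution does by hand.
    """
    old_r, r = a, b
    old_s, s = 1, 0          # coefficients of a
    old_t, t = 0, 1          # coefficients of b
    while r != 0:
        q = old_r // r       # old_r = q * r + (old_r - q * r)
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:            # normalise so that the gcd is non-negative
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def mod_inverse(alpha, n):
    """Inverse of alpha modulo n via EEA; None unless gcd(alpha, n) = 1."""
    d, s, _ = egcd(alpha, n)
    if d != 1:
        return None
    return s % n             # alpha*s + n*t = 1  =>  alpha*s ≡ 1 (mod n)


def solve_linear_diophantine(a, b, c):
    """All integer solutions of a*x + b*y = c.

    Returns None when gcd(a, b) does not divide c (the necessary condition
    fails).  Otherwise returns (x0, y0, b1, a1) with a1 = a/d, b1 = b/d:
    every solution is (x0 + b1*k, y0 - a1*k) for some integer k.
    """
    d, s, t = egcd(a, b)
    if c % d != 0:
        return None
    a1, b1, c1 = a // d, b // d, c // d   # reduced equation a1*x + b1*y = c1
    # (s, t) solves a1*s + b1*t = 1, so (c1*s, c1*t) solves the reduced equation.
    return c1 * s, c1 * t, b1, a1


if __name__ == "__main__":
    print(egcd(374, 50))                       # (2, -2, 15)
    print(mod_inverse(50, 374))                # None: gcd(50, 374) = 2
    print(mod_inverse(7, 374))                 # 107, since 7 * 107 = 2 * 374 + 1
    print(solve_linear_diophantine(374, 50, 6))
```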
This takes care of a single linear congruence in two variables. But what about systems
of linear congruences? Answer: the Chinese remainder theorem. Caveat: care must be
taken when you apply the CRT to moduli that are not pairwise coprime. Here is an example.
Consider the system
x ≡ 6 (mod 10), x ≡ 4 (mod 14).
These congruences are equivalent to
(2)  x ≡ 6 (mod 2), x ≡ 6 (mod 5), x ≡ 4 (mod 2), x ≡ 4 (mod 7).
Note that the two (mod 2) congruences in (2) are actually the same! We can then turn these
congruences into
x ≡ 0 (mod 2), x ≡ 1 (mod 5), x ≡ 4 (mod 7).
The moduli are now pairwise coprime! Apply the CRT and we get
x ≡ 56 (mod 70).
On the other hand, consider the system
y ≡ 6 (mod 12), y ≡ 4 (mod 20).
These congruences are equivalent to
(3)  y ≡ 6 (mod 4), y ≡ 6 (mod 3), y ≡ 4 (mod 4), y ≡ 4 (mod 5).
The two (mod 4) congruences in (3) are clearly NOT consistent, so this system has no solution. Note:
• Make sure you know how to carry out CRT by hand and how to solve CRT problems with more than two congruences.
• We can use CRT to solve non-linear congruences too. We worked out examples of
that in class; cf. e.g. #1 on the list of Practice Problems.
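An added example (not from the review sheet): CRT for moduli that need not be pairwise coprime, merging one congruence at a time and detecting the inconsistent case, so it can be used to double-check hand computations such as the two systems above. The names here are mine; it assumes Python 3.8+ for `pow(x, -1, m)`.

```python
from math import gcd

def check(x, congruences):
    """Does x satisfy every congruence x ≡ r (mod m) in the list?"""
    return all((x - r) % m == 0 for r, m in congruences)

def crt_pair(r1, m1, r2, m2):
    """Merge x ≡ r1 (mod m1) and x ≡ r2 (mod m2); moduli may share factors.

    Returns (r, lcm(m1, m2)) such that x ≡ r (mod lcm) is equivalent to the
    pair, or None when the pair is inconsistent, e.g. y ≡ 6 (mod 4) together
    with y ≡ 4 (mod 4): both moduli are 4 but 6 - 4 is not a multiple of 4.
    """
    d = gcd(m1, m2)
    if (r2 - r1) % d != 0:
        return None
    # Write x = r1 + m1*t; then m1*t ≡ r2 - r1 (mod m2).  Dividing by d gives
    # (m1/d)*t ≡ (r2 - r1)/d (mod m2/d) with gcd(m1/d, m2/d) = 1, so m1/d is
    # invertible; pow(.., -1, ..) is Python's built-in EEA inverse.
    m2d = m2 // d
    inv = pow(m1 // d, -1, m2d) if m2d > 1 else 0
    t = ((r2 - r1) // d * inv) % m2d
    lcm = m1 * m2d
    return (r1 + m1 * t) % lcm, lcm

def crt(congruences):
    """Solve a whole system [(r1, m1), (r2, m2), ...] by repeated merging.

    Returns (x, M) describing all solutions x (mod M), or None if the
    system is inconsistent.
    """
    r, m = 0, 1                      # the empty system: every x, modulo 1
    for ri, mi in congruences:
        merged = crt_pair(r, m, ri, mi)
        if merged is None:
            return None
        r, m = merged
    return r, m

if __name__ == "__main__":
    system = [(6, 10), (4, 14)]              # first system above
    x, M = crt(system)
    print(x, M, check(x, system))
    print(crt([(6, 12), (4, 20)]))           # None: second system, no solution
    print(crt([(3, 13), (4, 6), (2, 10)]))   # practice problem #3
```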
2. EXPONENTIATION
So far we have focused on the addition, subtraction, multiplication and (when it exists)
division operations (mod n). To compute a^e (mod n) we have the fast exponentiation
algorithm; it is based on a very simple observation:
(4)  a^{2^{i+1}} = a^{2^i · 2} = (a^{2^i})^2.
See your notes/text for the precise statement; here is a simple numerical example:
(5)  5^{43} (mod 29) ≡ 5^{32+8+2+1} ≡ 5^{2^5} · 5^{2^3} · 5^{2^1} · 5^{2^0} (mod 29).
Clearly 5^{2^0} ≡ 5^1 (mod 29). To determine the three other terms on the right side of (5) we
successively apply (4):
5^{2^1} = (5^{2^0})^2 ≡ 25 (mod 29) ≡ −4 (mod 29),
5^{2^2} = (5^{2^1})^2 ≡ (−4)^2 (mod 29) ≡ 16 (mod 29),
5^{2^3} = (5^{2^2})^2 ≡ 16^2 (mod 29) ≡ 24 (mod 29) ≡ −5 (mod 29),
5^{2^4} = (5^{2^3})^2 ≡ (−5)^2 (mod 29) ≡ 25 (mod 29) ≡ −4 (mod 29),
5^{2^5} = (5^{2^4})^2 ≡ (−4)^2 (mod 29) ≡ 16 (mod 29).
Thus, by (5),
5^{43} ≡ 16 · (−5) · (−4) · 5
(6)    ≡ 16 · (−4) · [(−5) · 5]
(7)    ≡ 16 · (−4) · 4          (since −25 ≡ 4 (mod 29))
       ≡ 32 · (−8)
       ≡ 3 · (−8)
       ≡ 5 (mod 29).
Note:
• In this example, FE requires that we compute 5^{2^4} (mod 29) and 5^{2^2} (mod 29), which are not
needed in the final computation, but even so we only need to do (5 squarings) + (4 multiplications),
which is a lot easier than computing 5^{43} directly.
• The reason I spell out steps like (6) and (7) is to remind you to watch out for such simplification.
To see why FE is useful, first recall Fermat's little theorem, which we will state in two
forms. Fix a prime p. Then
(a) if (a, p) = 1 then a^{p−1} ≡ 1 (mod p);
(b) for any b ∈ Z we have b^p ≡ b (mod p).
Restating (a) in another way, we get the Fermat compositeness test:
given an odd integer n > 1, if there exists b ∈ Z so that
(8)  b^{n−1} ≢ 1 (mod n)
then n must be composite.
Recall that
Z/n := the set of integers (mod n)
(Z/n)× := the set of β (mod n) with (β, n) = 1
In particular, #(Z/n) = n and #(Z/n)× = φ(n). Returning to FLT, note that it requires
that the modulus be prime. For general modulus we have Euler's theorem:
if (a, n) = 1 then a^{φ(n)} ≡ 1 (mod n),
where
φ(n) := #{ a (mod n) : (a, n) = 1 }.
We have a closed-form formula for computing φ(n):
φ(n) = n ∏_{p|n} (1 − 1/p).
So we can compute φ(n) easily provided that we know the prime factorization of n. And
when n = pq is the product of two distinct primes, we saw that knowing φ(pq) is equivalent
to knowing the factorization n = pq. This observation is crucial for e.g. RSA.
3. PRIMITIVE ROOTS AND DISCRETE LOGS
Let p be a prime. Given an element g ∈ (Z/p)×,
ord_p(g) := smallest positive integer r such that g^r ≡ 1 (mod p)
          = smallest positive integer r such that g, g^2, ..., g^r are pairwise distinct mod p
For any b ∈ (Z/p)×, we have
(9)  b^m ≡ 1 (mod p) ⇐⇒ ord_p(b) | m.
The proof of this result depends on EEA plus properties of GCD; make sure you understand
the proof! This is a useful property to keep in mind for e.g. solving x^m ≡ 1 (mod p).
In conjunction with Fermat's Little Theorem, (9) implies in particular that
(i) ord_p(g) | (p − 1)
(ii) ord_p(α^i) | ord_p(α) for every i ≥ 1, with equality if and only if (i, ord_p(α)) = 1.
(i) above raises a natural question: Is every divisor of p − 1 realizable as the order of an
element of (Z/p)×? In particular, is there an element of order exactly p − 1? The answer
is yes: For every prime p there exists an element α ∈ (Z/p)× with ord_p(α) = p − 1. Such
an element is called a primitive root mod p. Basic properties:
(i) every element of (Z/p)× is congruent mod p to a power of α;
(ii) α^i ≡ 1 (mod p) ⇐⇒ (p − 1) | i;
(iii) α^i ≡ α^j (mod p) ⇐⇒ (p − 1) | (i − j).
Let α be a primitive root (mod p). Given any β ∈ (Z/p)×, the unique k ∈ Z/(p − 1) so
that β ≡ α^k (mod p) is called the discrete log of β (mod p) with respect to base α;
notation: log_α(β). Discrete log behaves in many ways like the ordinary logarithm of
real numbers, for example
• log_α(ab) ≡ log_α(a) + log_α(b) (mod p − 1);
• log_α(a^k) ≡ k log_α(a) (mod p − 1);
but keep in mind that
• discrete log is well-defined only (mod p − 1);
• the change-of-base formula only makes sense if both bases are PR (mod p − 1).
This underlies the security of RSA and ElGamal – make sure you know how to carry
it out! Keep in mind that repeated application of RSA could undo the encryption; this
has to do with the order of an element in (Z/n)× . We also analyze the issue related to
repeated application of the affine ciphers.
We discussed two ways to solve a discrete log problem a ≡ g^x (mod p). First, Shanks's
Babysteps-Giantsteps algorithm, described below, asserts that it will terminate and compute
the discrete log in O(√p) steps (note that your text works with a general group G;
we will stick to (Z/p)× and you do not need to know abstract algebra):
• Set n = 1 + ⌊√p⌋;
• Compute two lists modulo p:
  1, g, ..., g^n   and   a, a · g^{−n}, ..., a · g^{−n^2};
• Find a match between these two lists, say g^i ≡ a g^{−kn} (mod p) with 0 ≤ i, k ≤ n;
• Then x = i + kn is a solution to a ≡ g^x (mod p).
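The four bullets above as an added Python example (not from the review sheet or the text): the baby steps go into a dictionary keyed by value, the giant steps are produced by repeatedly multiplying by g^{−n}, and the first match gives x = i + kn. The function names and the instance p = 29, g = 2 are my own choices.

```python
from math import isqrt

def baby_step_giant_step(g, a, p):
    """Shanks's algorithm for g^x ≡ a (mod p), p prime, g in (Z/p)^×.

    Returns the least x >= 0 with g^x ≡ a (mod p), or None when a is not a
    power of g at all (which can happen when g is not a primitive root).
    """
    n = 1 + isqrt(p)                          # n = 1 + floor(sqrt(p))
    # Baby steps: the list 1, g, g^2, ..., g^n stored as value -> exponent i.
    baby = {}
    power = 1
    for i in range(n + 1):
        baby.setdefault(power, i)             # keep the smallest i per value
        power = power * g % p
    # Giant steps: a, a*g^(-n), ..., a*g^(-n^2), each obtained from the previous
    # one by multiplying with g^(-n) = (g^n)^(-1) (mod p).
    g_inv_n = pow(pow(g, n, p), -1, p)
    y = a % p
    for k in range(n + 1):
        if y in baby:                         # match g^i ≡ a * g^(-kn) (mod p)
            return baby[y] + k * n            # hence g^(i + kn) ≡ a (mod p)
        y = y * g_inv_n % p
    return None

def verify(g, x, a, p):
    """Check a claimed discrete log: is g^x ≡ a (mod p)?"""
    return x is not None and pow(g, x, p) == a % p

if __name__ == "__main__":
    # Constructed instance: 2 is a primitive root mod 29 (2^14 ≡ -1, 2^4 ≡ 16),
    # so every a in (Z/29)^× has a discrete log to base 2.
    x = baby_step_giant_step(2, 17, 29)
    print(x, verify(2, x, 17, 29))            # 21 True
    print(baby_step_giant_step(4, 2, 29))     # None: 2 is not a power of 4 mod 29
```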
Next we have Pohlig-Hellman. The idea is that x is determined modulo p − 1, and since
p is prime, p − 1 is composite, so we can write p − 1 = q_1^{e_1} ··· q_r^{e_r}. It then suffices to
first determine x (mod q_i^{e_i}) for each i and then use CRT. See §2.9 of your text + notes +
solutions to PS for examples.
4. SQUARE ROOTS MOD p
One useful application of primitive roots is that it allows us to compute square roots
modulo a prime p ≡ 3 (mod 4): If an integer a is a square modulo p, then
(10)  a^{(p+1)/4} (mod p) is a square root of a (mod p).
There is a polynomial time algorithm for computing square roots modulo a general prime;
it makes use of more advanced mathematics and we did not discuss that in class. As for
a general modulus n: If we know the prime factorization n = p_1^{e_1} ··· p_r^{e_r}, then we can first
find square roots modulo each p_i^{e_i} and then piece the answer back together using CRT. In particular,
if n is a product of distinct 3 (mod 4) primes then we can find all square roots very quickly.
However, currently there is no efficient algorithm for finding a single square root modulo
a general modulus, and as we saw in class, if n is a product of distinct primes and if we can
find all square roots modulo n then we can recover the factorization of n. This observation
is the theoretical underpinning of the protocol for coin-flipping over the phone.
5. PRIMALITY TESTING
Given a composite number n, if b satisfies (8) then we say that b is a witness to the
compositeness of n. On the other hand, if n is composite and a^{n−1} ≡ 1 (mod n), then we say
that n is a pseudoprime to base a. For example, 3 is a witness to the compositeness of
341 = 11 × 31, but 341 is a pseudoprime to base 2 (check!). There are composite numbers
with no witness (equivalently: composite numbers which are pseudoprime to every base).
The first example is 561 = 3 · 11 · 17; we can verify this using the Chinese remainder theorem;
cf. problem #3.13(a) in PS#5 (see footnote 1); make sure you understand how to do that. Composite
numbers with no witness are called Carmichael numbers.
It is a deep theorem that there are infinitely many Carmichael numbers, so there is no
hope of using the Fermat compositeness test (which is very fast) as a primality test. We can
refine the Fermat compositeness test to give a fast, probabilistic primality test. The starting
point is the observation that, if p is an odd prime then p − 1 is even, so we can write
p − 1 = 2m for some integer m. Then FLT says that for any a with gcd(a, p) = 1, we have
(a^m)^2 ≡ 1 (mod p), in which case (see PS#3) a^m ≡ ±1 (mod p). If a^m ≡ −1 (mod p) then
there's nothing else we can do; ditto if m is odd. But if m is even and if a^m ≡ 1 (mod p),
then we can repeat this process. Formalizing this process, we arrive at the
Miller-Rabin test. Let n > 1 be an odd number. Write n − 1 = 2^k q with q odd. Suppose that
both of the following conditions hold:
(i) a^q ≢ 1 (mod n), and
(ii) none of the numbers a^q, a^{2q}, ..., a^{2^{k−1} q} is congruent to −1 (mod n).
Then n is composite.
If n > 1 is odd and composite and if a satisfies the two conditions above, we say that a
is a Miller-Rabin witness for the compositeness of n. And if n > 1 is odd, composite and
passes the Miller-Rabin test for a (i.e. at least one of conditions (i), (ii) fails) we say that n
is a strong pseudoprime to base a. Unlike the case of the Fermat compositeness test, we
have the following result (which we did not prove in class): Let n > 1 be an odd composite
number. Then at least 3/4 of the numbers between 1 and n − 1 are Miller-Rabin witnesses for n.
Footnote 1: The solution to #3.13(a) hinges upon an observation I stated and made use of many times: To
solve one or more congruences where the modulus is composite, it is often easier to first factor the modulus
into a product of powers of distinct primes, study the system of congruences modulo each prime power
(among other things, the new modulus will be smaller, and if the new modulus happens to be a prime then
we can use e.g. FLT) and then piece the final answer back together using CRT.
Thanks to this result, we can turn the Miller-Rabin test into a very practical and efficient
probabilistic primality testing algorithm.
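An added Python example (not from the review sheet) covering fast exponentiation from Section 2 together with the Fermat and Miller-Rabin tests above: `fast_pow` reproduces the square-and-multiply steps behind (4) and (5), `fermat_witness`/`is_carmichael` show 341 and 561 behaving as described, and `miller_rabin_witness` implements conditions (i) and (ii) literally. Function names are mine; `is_probable_prime` draws random bases, as the probabilistic test does.

```python
from math import gcd, isqrt
from random import randrange

def fast_pow(a, e, n):
    """Square-and-multiply: a^e (mod n), using a^(2^(i+1)) = (a^(2^i))^2."""
    result, base = 1, a % n           # base runs through a^(2^i) (mod n)
    while e > 0:
        if e & 1:                     # bit i of e is set: multiply in a^(2^i)
            result = result * base % n
        base = base * base % n        # one squaring: a^(2^i) -> a^(2^(i+1))
        e >>= 1
    return result

def fermat_witness(n, b):
    """b is a witness to the compositeness of n when b^(n-1) ≢ 1 (mod n)."""
    return fast_pow(b, n - 1, n) != 1

def is_carmichael(n):
    """Composite n with no Fermat witness among bases prime to n (brute force,
    fine for classroom sizes such as 561 or 1729)."""
    composite = any(n % p == 0 for p in range(2, isqrt(n) + 1))
    if n < 4 or not composite:
        return False
    return all(not fermat_witness(n, b) for b in range(2, n) if gcd(b, n) == 1)

def miller_rabin_witness(n, a):
    """True if a is a Miller-Rabin witness for odd n > 2.

    Write n - 1 = 2^k q with q odd.  a is a witness when (i) a^q ≢ 1 (mod n)
    and (ii) none of a^q, a^(2q), ..., a^(2^(k-1) q) is ≡ -1 (mod n).
    """
    k, q = 0, n - 1
    while q % 2 == 0:
        k, q = k + 1, q // 2
    x = fast_pow(a, q, n)             # a^q
    if x == 1 or x == n - 1:
        return False                  # (i) fails, or (ii) fails at the first term
    for _ in range(k - 1):            # a^(2q), ..., a^(2^(k-1) q) by squaring
        x = x * x % n
        if x == n - 1:
            return False              # (ii) fails
    return True

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases.  A composite n has at least 3/4 witnesses
    among 1..n-1, so each round that finds none has error probability <= 1/4."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return not any(miller_rabin_witness(n, randrange(2, n - 1)) for _ in range(rounds))

if __name__ == "__main__":
    print(fast_pow(5, 43, 29))                               # 5, as computed by hand
    print(fermat_witness(341, 3), fermat_witness(341, 2))    # True False
    print(is_carmichael(561), is_carmichael(341))            # True False
    print(miller_rabin_witness(561, 2), is_probable_prime(561))   # True False
```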
6. FACTORIZATION
Unlike primality testing, at present we have no efficient algorithm, even a probabilistic
one, for factorization. In class we discussed four different factorization algorithms,
each with different strengths and weaknesses (and as I pointed out in class, none of these
can factor a typical large number (say over 1000 binary digits), a topic of major current
research focus):
• Trial Division: good for picking out small prime factors, but for a general composite
number n it could take up to √n steps before we can pick out a prime factor;
• Difference of squares: good for factoring integers with two factors a, b which are
'close';
• Pollard p − 1 test: good for picking out prime factors p for which all prime factors
of p − 1 are small;
• Pollard Rho test: good for 'low-intermediate' size factors; has low memory requirements.
We will discuss the last three algorithms in a bit more detail shortly, but what you should
keep in mind is that the strengths of these algorithms collectively have non-trivial
implications for the primes p, q we can use in RSA.
Difference of squares
If n = ab with a ≥ b, then with X = (a + b)/2 and Y = (a − b)/2 we have n = X^2 − Y^2;
the converse also holds. Since a ≥ b, we have that a ≥ √n, in which case X ≥ X_0 := [√n] + 1.
To apply the difference of squares method, we start with X = X_0 and test whether or
not X^2 − n is a perfect square; if so, use the converse formulae above to recover a and b; if
not, increase X by 1 and repeat. This could take as much as √n steps to factor n. On the
other hand, if a, b are very close then Y is tiny, in which case it would not take very long
(cf. for example problem #3.23 in PS#6).
Pollard p − 1 method
Basic idea: if p is a divisor of n so that all prime divisors of p − 1 are small, then we
should be able to find a small m so that (p − 1) | m, in which case Fermat's Little Theorem
would give
a^m ≡ 1 (mod p).
But then p would divide gcd(n, a^m − 1). With luck this gcd would then give you a
proper factor of n.
• choose an integer k which is a multiple of all integers ≤ B for some pre-arranged
bound B (e.g. k = B!, or k = the LCM of all integers ≤ B)
• choose an integer a between 2 and n − 2 which is prime to n (do you know why we
want to avoid a = 1 or n − 1?)
• set b ≡ a^k (mod n) (fast exponentiation, of course!)
• set d = gcd(n, b − 1)
• we are done if d is a non-trivial divisor of n, otherwise try a different a and/or
bigger B
Pollard ρ method
Basic idea: fix a polynomial, such as f(x) = x^2 + 1, plus an initial value, such as
x_0 = 2. Then generate a sequence x_{i+1} := f(x_i) (mod n). Note that x_{i+1} depends solely
on x_i (mod n). Since there are at most n distinct possible values for x_i, that means the
sequence x_0, x_1, x_2, ... eventually becomes periodic (whence the loop in 'ρ'). In symbolic
form that means x_i ≡ x_j (mod n) for some i ≠ j. If n has a proper prime divisor p, then
the sequence x_i (mod p) will also be eventually periodic, but perhaps (with luck!) with a
shorter period. That means by computing lots of gcds like gcd(n, x_i − x_j), with luck
we might be able to pick out p.
Recall that trial division always finds a factor (if there is one) in no more than √n steps.
From the Birthday paradox, heuristically the Pollard ρ method can find a factor in about
n^{1/4} steps.
Example. Factor n = 4087 using f(x) = x^2 + x + 1 and x_0 = 2.
(1) x_1 = f(2) = 7; gcd(x_1 − x_0, n) = gcd(7 − 2, 4087) = 1;
(2) x_2 = f(7) = 57; gcd(x_2 − x_1, n) = gcd(57 − 7, 4087) = 1;
(3) x_3 = f(57) = 3307; gcd(x_3 − x_1, n) = 1;
(4) x_4 = f(3307) ≡ 2745 (mod 4087); gcd(x_4 − x_3, n) = 1;
(5) x_5 = f(2745) ≡ 1343 (mod 4087); gcd(x_5 − x_3, n) = 1;
(6) x_6 = f(1343) ≡ 2626 (mod 4087); gcd(x_6 − x_3, n) = 1;
(7) x_7 = f(2626) ≡ 3734 (mod 4087); gcd(x_7 − x_3, n) = 61.
Thus 4087 = 61 × 67.
Note: In practice you do not test the gcd of n with all x_i − x_j; that would be too much
testing! To cut down the number of pairs involved, use the Floyd cycle-finding algorithm,
i.e. it suffices to find i so that
x_i ≡ x_{2i} (mod n)   (test this for i = 1, 2, ...).
A clever little trick to compute x_{2i} − x_i without storing all the x's:
x ← x_1; y ← f(x_1);
while x ≠ y do
  x ← f(x); y ← f(y); y ← f(y);
end do
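The three methods of this section as an added Python example (not from the review sheet): difference of squares starting at X_0, one Pollard p − 1 attempt with a smoothness bound B, and Pollard ρ with the Floyd trick above, all run on the sheet's n = 4087. Function names are mine; `math.lcm` needs Python 3.9+.

```python
from math import gcd, isqrt, lcm

def difference_of_squares(n):
    """Fermat's method for odd n: start at X0 = [sqrt(n)] + 1 and increase X
    until X^2 - n is a perfect square Y^2; then n = (X - Y)(X + Y)."""
    x = isqrt(n) + 1
    while True:
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:
            return x - y, x + y          # (b, a) with b <= a
        x += 1

def pollard_p_minus_1(n, bound, a=2):
    """One attempt with k = lcm(1, ..., bound) and base a.

    Returns a proper factor of n, or None, in which case the sheet's advice
    applies: try a different a and/or a bigger bound B.
    """
    k = lcm(*range(1, bound + 1))        # a multiple of every integer <= B
    b = pow(a, k, n)                      # fast exponentiation, modulo n
    d = gcd(n, b - 1)                     # p | b - 1 whenever (p - 1) | k
    return d if 1 < d < n else None

def pollard_rho(n, f=lambda x: x * x + x + 1, x0=2):
    """Pollard rho with Floyd cycle-finding: x runs through x_i, y through
    x_(2i), and only gcd(x_(2i) - x_i, n) is examined at each step."""
    x = f(x0) % n                         # x_1
    y = f(x) % n                          # x_2
    d = gcd(abs(y - x), n)
    while d == 1:
        x = f(x) % n                      # x_i    -> x_(i+1)
        y = f(f(y) % n) % n               # x_(2i) -> x_(2i+2)
        d = gcd(abs(y - x), n)
    return d if d != n else None          # d == n means the attempt failed; retry

if __name__ == "__main__":
    print(difference_of_squares(4087))    # (61, 67): X0 = 64, 64^2 - 4087 = 3^2
    print(pollard_p_minus_1(4087, 5))     # 61, since 61 - 1 = 60 divides lcm(1..5)
    print(pollard_p_minus_1(4087, 3))     # None: neither 60 nor 66 divides 6
    print(pollard_rho(4087))              # 61, found when x_4 and x_8 agree mod 61
```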
7. PROTOCOLS
With regard to the various protocols discussed in class, of course you should know
how these schemes work and how to carry them out by hand. But equally importantly (if
not more so!), make sure you understand how the number theory comes in and how the
arithmetic influences the implementation of these algorithms.
Note: The Midterm will not cover coin-flipping, zero-knowledge proof, bit commitment, and key distribution.
RSA Cryptosystem
Say Alice wants to send an encrypted message to Bob:
• Bob picks distinct primes p, q and an integer e with (e, φ(pq)) = 1, and makes public n = pq
and e
• Alice takes her message M, encrypts it as E := M^e (mod n), and sends E to Bob
• Bob decrypts this by
  – finding d so that de ≡ 1 (mod φ(n));
  – computing E^d (mod n)
Note:
• do not recycle n
• beware of repeated encryptions
• other ways to break RSA...
ElGamal cryptosystem
• Public data: large prime p and a primitive root α (mod p). Also, each user picks a
secret key a and makes public A := α^a (mod p)
• to send a message M ∈ (Z/p)× to the user Alice, Bob needs to do the following:
  – pick a random k ∈ Z with gcd(p − 1, k) = 1;
  – send the following pair of elements of (Z/p)×:
    (c_1 := α^k (mod p), c_2 := M A^k (mod p))
  – NOTE: the sender does NOT have to know a to carry out this transmission!
• since Alice knows a_Alice, to read this message she simply computes
  c_2 · c_1^{−a} (mod p)
• an outsider would have a hard time reading Alice's message since he cannot compute
c_1^{−a} (mod p) from the public information A and the intercepted c_1 = α^k
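An added Python example (not from the review sheet) of both protocols with toy parameters: RSA key generation, encryption and decryption, a counter for how many repeated encryptions bring M back to itself (the "beware of repeated encryptions" point, governed by the order of e modulo ord_n(M)), and ElGamal encryption using only the public data, with decryption by c_2 · c_1^{−a}. Function names and the parameters p = 11, q = 13, e = 7 and p = 29, α = 2, a = 5 are my own choices; `pow(x, -1, m)` needs Python 3.8+.

```python
from math import gcd
from random import randrange

# RSA: Bob's key generation and the two directions of the protocol.
def rsa_keygen(p, q, e):
    """Public (n, e) and private d with d*e ≡ 1 (mod φ(n)), φ(pq) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be prime to φ(n)")
    d = pow(e, -1, phi)                 # inverse mod φ(n): the EEA step
    return (n, e), d

def rsa_encrypt(M, public):
    n, e = public
    return pow(M, e, n)                 # E = M^e (mod n), fast exponentiation

def rsa_decrypt(E, public, d):
    n, _ = public
    return pow(E, d, n)                 # E^d = M^(de) ≡ M (mod n)

def rsa_cycle_length(M, public):
    """Number of repeated encryptions after which M reappears: the smallest
    j with e^j ≡ 1 (mod ord_n(M)).  Illustrates 'beware of repeated encryptions'."""
    E, count = rsa_encrypt(M, public), 1
    while E != M:
        E, count = rsa_encrypt(E, public), count + 1
    return count

# ElGamal over (Z/p)^× with public data (p, alpha, A), where A = alpha^a (mod p).
def elgamal_encrypt(M, p, alpha, A, k=None):
    """Sender needs only the public data; k is the per-message random exponent."""
    if k is None:
        k = randrange(1, p - 1)
    c1 = pow(alpha, k, p)               # alpha^k
    c2 = M * pow(A, k, p) % p           # M * alpha^(ak)
    return c1, c2

def elgamal_decrypt(c1, c2, p, a):
    """Receiver: c2 * c1^(-a) = M * alpha^(ak) * alpha^(-ak) ≡ M (mod p)."""
    return c2 * pow(c1, -a, p) % p      # c1^(-a) as the inverse of c1^a

if __name__ == "__main__":
    public, d = rsa_keygen(11, 13, 7)   # toy parameters: n = 143, φ(n) = 120
    print(public, d)                                          # (143, 7) 103
    print(rsa_decrypt(rsa_encrypt(42, public), public, d))    # 42
    print(rsa_cycle_length(2, public))                        # 4
    A = pow(2, 5, 29)                                         # a = 5, A = 3
    c1, c2 = elgamal_encrypt(17, 29, 2, A, k=7)
    print((c1, c2), elgamal_decrypt(c1, c2, 29, 5))           # (12, 1) 17
```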
Other Topics I have not mentioned in this writeup but you need to know:
• Diffie-Hellman key exchange
• Shamir scheme (via Lagrange interpolation)
• various ways to attack these protocols, how (not) to choose parameters
• how to make optimal choices of parameters in RSA, and how to use the Prime
Number Theorem to estimate the number of such optimal parameters
• ...
Practice Problems for Math 471 Midterm, Fall 2014.
These problems serve to give you additional practice on the course material and to give
you an idea of the kind and variety of questions you might encounter on your actual
exam. There are more problems here than you can be expected to complete during your
actual exam, and your midterm WILL have problems different from the ones below.
#1. Solve the congruence 4x^2 + 3x + 7 ≡ 7 (mod 91).
#2. Compute 2^{340} (mod 19). Show your work.
#3. Solve the following system of congruences. Show your work!
x ≡ 3 (mod 13)
x ≡ 4 (mod 6)
x ≡ 2 (mod 10)
#4. Find all pairs of integers x, y so that gcd(408, 312) = 408x + 312y. Show your work.
#5. Let p be an ODD prime. By pairing up elements mod p with their multiplicative
inverses, show that (p − 1)! ≡ −1 (mod p).
#6. True or false (and why):
(1) φ(n) is even for every n > 2.
(2) If gcd(a, b) = 1 and gcd(b, c) = 1, then gcd(a, c) = 1.
(3) If gcd(a, b) > 1 and gcd(b, c) > 1, then gcd(a, c) > 1.
(4) The affine cipher x ↦ (3x − 4) (mod 56) does not encrypt any message (viewed
as a number (mod 56)) back to itself.
(5) If gcd(a, b) = 1, then the equation ax + by = 1 has a unique integer solution (x, y).
Note: Your midterm will not have T/F problems — you must justify your answers!
#7. Use mathematical induction to show that if n is a positive integer, then 2^n divides
(n + 1) × (n + 2) × ··· × (2n).
#8. Prove or disprove: gcd(n, φ(n)) = 1 if and only if n is a prime.
#9. Determine all integers n so that φ(n) = 10. Explain your reasoning.
#10. Let p, q be distinct primes. Let a ∈ Z be a non-zero integer so that (a, p) = (a, q) = 1.
Show that a^{pq−1} ≡ a^{p−1} a^{q−1} (mod pq).
#11. Determine all possible pairs (α (mod 6), β (mod 10)) for which the following system of congruences is solvable:
x ≡ 3 (mod 13)
x ≡ α (mod 6)
x ≡ β (mod 10)
NOTE: you do not have to actually find the integer solutions x.
#12. Fix b prime to p. Show that the congruence x^k ≡ b (mod p) is solvable if and only
if b^{(p−1)/d} ≡ 1 (mod p), where d := gcd(k, φ(p)).
#13. Solve the congruence 4x^9 ≡ 7 (mod 13).
#14. Show that 1729 is a Carmichael number.
#15. Let m be a primitive root modulo an odd prime p. Show that, for any prime
q | (p − 1), we must have that m^{(p−1)/q} ≢ 1 (mod p).
#16. Let p be an odd prime, and let π be a primitive root mod p. Show that log_π(−1) =
(p − 1)/2.
#17. Prove that if p is a prime and x^2 ≡ y^2 (mod p), then x ≡ ±y (mod p). Note: in
general this is false if p is not prime!
#18. Does b^{φ(35)/3} ≡ 1 (mod 35) imply that b is a perfect cube mod 35?
#19. Show that φ(n) = n/3 if and only if n is divisible by 2 and 3 and no other primes.
#20. (a) Compute φ(p^2) where p is a prime.
(b) Show that p^2 is a pseudoprime to base b if and only if b^{p−1} ≡ 1 (mod p^2).
(c) Show that if p^2 is a pseudoprime to base b and p is odd, then it is also a strong
pseudoprime to base b.
#21. Make sure you know how to carry out the Pollard p − 1 test, Fermat factorization,
Fermat compositeness test, Miller-Rabin, RSA, ElGamal, etc.
#22. For any odd integer n and any integer a ≥ 3, show that n^{2^{a−2}} ≡ 1 (mod 2^a).
(Hint: what does it mean for n to be odd? What happens then if you raise n to some
power?)
#23. Let t, n be positive integers with n > 1. Suppose there exists a primitive root mod
p. Show that if t | φ(p) then x^t ≡ 1 (mod p) has exactly φ(p)/t distinct roots mod p.
#24. Show that there exists x ≢ 1 (mod p) with x^3 ≡ 1 (mod p) if and only if p ≡
1 (mod 3).
#25. Prove that if n is a pseudoprime base 2, then 2^n − 1 is a strong pseudoprime base 2.
#26. Let n be an integer not divisible by 3. Show that n^7 ≡ n (mod 63).
#27. For any positive integers A, B, show that LCM(A, B) · GCD(A, B) = AB.
#28. If gcd(ord_p(α), ord_p(β)) = 1, show that ord_p(αβ) = ord_p(α) · ord_p(β).
#29. Prove or explain why it is false: (Z/35)× has an element of order 5.
#30. What is the order of 2 in (Z/49)×?
#31. Find all bases b ∈ (Z/561)× such that 561 is a strong pseudoprime base b.
#32. Use the Pollard ρ test to factor n = 7031 using f(x) = x^2 − 1, x_0 = 5.