GROUPS, RINGS, AND FIELDS

Part of the document: Ivan Niven, Herbert S. Zuckerman, Hugh L. Montgomery, An Introduction to the Theory of Numbers, Wiley (1991) (pages 132 - 142)

Theorem 2.47 Let m > 1 be a positive integer. Any reduced residue system modulo m is a group under multiplication modulo m. The group is of order φ(m). Any two such groups are isomorphic, so we speak of the multiplicative group modulo m, denoted by R_m.

Proof Let us consider any reduced residue system r_1, r_2, ..., r_n where n = φ(m). This set is closed under multiplication modulo m by Theorem 1.8. The associative property of multiplication is inherited from the corresponding property for integers, because a(bc) = (ab)c implies that a(bc) ≡ (ab)c (mod m). The reduced residue system contains one element, say r_j, such that r_j ≡ 1 (mod m), and this is clearly the unique identity element of the group. Finally, for each r_i, the congruence x r_i ≡ r_j (mod m) has a solution by Theorem 2.17, and this solution is unique within the reduced residue system r_1, r_2, ..., r_n. Two different reduced residue systems modulo m are congruent, element by element, modulo m, and so we have an isomorphism between the two groups.

Notation We have been using the symbol ⊕ for the binary operation of the group, and we have found that in particular groups ⊕ may represent addition or multiplication or some other operation. In dealing with general groups it is convenient to drop the symbol ⊕, just as the dot representing ordinary multiplication is usually omitted in algebra. We will write ab for a ⊕ b, abc for a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c, a^2 for a ⊕ a, a^3 for a ⊕ (a ⊕ a), and so forth. Also, abcd can be written for (a ⊕ b ⊕ c) ⊕ d = (a ⊕ b) ⊕ (c ⊕ d) and so forth, as can be seen by applying induction to the associative law. We shall even use the word multiplication for the operation ⊕, but it must be remembered that we do not necessarily mean the ordinary multiplication of arithmetic. In fact, we are dealing with general groups so that a need not be a number, just an abstract element of a group. It is convenient to write a^0 for e, a^{-2} for (a^{-1})^2, a^{-3} for (a^{-1})^3, and so on. It is not difficult to show that a^m · a^n = a^{m+n} and (a^m)^n = a^{mn} are valid under this definition, for all integers m and n.

Theorem 2.48 In any group G, ab = ac implies b = c, and likewise ba = ca implies b = c. If a is any element of a finite group G with identity element e, then there is a unique smallest positive integer r such that a^r = e.

Proof The first part of the theorem is established by multiplying ab = ac on the left by a^{-1}, thus a^{-1}(ab) = a^{-1}(ac), (a^{-1}a)b = (a^{-1}a)c, eb = ec, b = c. To prove the second part, consider the series of elements obtained by repeated multiplication by a,

Since the group is finite, and since the members of this series are elements of the group, there must occur a repetition of the form a^s = a^t with, say, s < t. But this equation can be written in the form a^s e = a^s a^{t-s}, whence a^{t-s} = e. Thus there is some positive integer, t - s, such that a^{t-s} = e and the smallest positive exponent with this property is the value of r in the theorem.

Definition 2.11 Let G be any group, finite or infinite, and a an element of G. If a^s = e for some positive integer s, then a is said to be of finite order. If a is of finite order, the order of a is the smallest positive integer r such that a^r = e. If there is no positive integer s such that a^s = e, then a is said to be of infinite order. A group G is said to be cyclic if it contains an element a such that the powers of a comprise the whole group; such an element a is said to generate the group and is called a generator.

Consider the multiplicative group R_m of reduced residues (mod m) in Theorem 2.47. For which positive integers m is this a cyclic group? This question is equivalent to asking for the values of m for which a primitive root (mod m) exists, because a primitive root (mod m) can serve as a generator of a cyclic group, and if there is no primitive root, there is no generator. Hence by Theorem 2.41 we conclude that R_m is cyclic if and only if m = 1, 2, 4, p^a or 2p^a, where p is an odd prime.

Theorem 2.48 shows that all the elements of a finite group are of finite order. Every group, finite or infinite, contains at least the single element e that is of finite order. There are infinite groups consisting entirely of elements of finite order.

If a cyclic group is finite, and has generator a, then the group consists of e, a, a^2, a^3, ..., a^{r-1}, where r is the order of the element a. All other powers of a are superfluous because they merely repeat these.

Theorem 2.49 The order of an element of a finite group G is a divisor of the order of the group. If the order of the group is denoted by n, then a^n = e for every element a in the group.

Proof Let the element a have order r. It is readily seen that

(A) are r distinct elements of G. If these r elements do not exhaust the group, there is some other element, say b_2. Then we can prove that

(B)

are r distinct elements, all different from the r elements of A. For in the first place if b_2 a^s = b_2 a^t, then a^s = a^t by Theorem 2.48. And on the other hand, if b_2 a^s = a^t, then b_2 = a^{t-s}, so that b_2 would be among the powers of a.

If G is not exhausted by the sets A and B, then there is another element b_3 that gives rise to r new elements

all different from the elements in A and B, by a similar argument. This process of obtaining new elements b_2, b_3, ... must terminate since G is finite. So if the last batch of new elements is, say

then the order of the group G is kr, and the first part of the theorem is proved. To prove the second part, we observe that n = kr and a^r = e by Theorem 2.48, whence a^n = e.

It can be noted that Theorem 2.49 implies the theorems of Fermat and Euler, where the set of integers relatively prime to the modulus m is taken as the group. In making this implication, you will see the necessity of translating the language and notation of group theory into that of number theory. In the same way we note that the language of Definition 2.7, that "a belongs to the exponent h modulo m," is translated into group theoretic language as "the element a of the multiplicative group modulo m has order h." Also the "primitive root modulo m" of Definition 2.8 is called a "generator" of the multiplicative group modulo m in group theory.

Let G and H be two groups. We may define a multiplication on the ordered pairs (g, h) by setting (g_1, h_1) · (g_2, h_2) = (g_1 g_2, h_1 h_2) where it is assumed that the g_i and h_i lie in G and H, respectively. The ordered pairs, equipped with multiplication in this way, form a group G ⊗ H, called the direct product of G and H. We may similarly form the direct product G ⊗ H ⊗ J of three groups by considering the ordered triples (g, h, j). It is a general theorem of group theory (which we do not prove here) that any finite abelian group is isomorphic to a direct product of cyclic groups. In the case of the multiplicative group R_m of reduced residues (mod m), we can explicitly determine this decomposition. Let m = p_1^{a_1} p_2^{a_2} ··· p_r^{a_r} be the canonical factorization of m. By the Chinese Remainder Theorem we see that

After Definition 2.11 we noted that if p is an odd prime then R_{p^a} is cyclic. It is easy to see that two cyclic groups are isomorphic if and only if they have the same order. Thus we speak of "the" cyclic group of order n, and denote it by C_n. In this notation, we would write R_{p^a} ≅ C_{φ(p^a)} for an odd prime p. For the prime 2 we have R_2 ≅ C_1, R_4 ≅ C_2, and by Theorem 2.43 we see that R_{2^a} ≅ C_2 ⊗ C_{2^{a-2}} for a ≥ 3. The ideas we used to prove Theorem 2.41 can be used to show, more generally, that a direct product G_1 ⊗ G_2 ⊗ ··· ⊗ G_r of several groups is cyclic if and only if each G_i is cyclic and the orders of the G_i are pairwise relatively prime.
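As an added example that is not part of the book, here is Python code (the function names are this example's own) that builds R_m as the list of reduced residues, computes the order of each element as in Definition 2.11, tests whether some element has order φ(m) (so that R_m is cyclic), and compares the computed answer with the criterion m = 1, 2, 4, p^a or 2p^a quoted from Theorem 2.41. It also checks Theorem 2.49 for every element and, for m = 2^a, reports the largest element order, which is 2^{a-2} rather than φ(2^a), as the decomposition R_{2^a} ≅ C_2 ⊗ C_{2^{a-2}} predicts. Whether a group is cyclic and what orders its elements have is exactly what one verifies when choosing the group for a discrete-logarithm based key exchange, so it is a check worth being able to run.

```python
# Added example (not from the book): computing with the multiplicative group R_m
# of reduced residues modulo m. Function names are this example's own choices.
from math import gcd, isqrt


def reduced_residues(m):
    """Reduced residue system modulo m (m >= 2): the elements of R_m, phi(m) of them."""
    return [r for r in range(1, m) if gcd(r, m) == 1]


def element_order(a, m):
    """Order of a in R_m: the smallest r >= 1 with a^r = 1 (mod m) (Definition 2.11).
    Requires gcd(a, m) = 1; otherwise the powers of a never return to 1."""
    assert gcd(a, m) == 1, "a must be a reduced residue"
    r, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        r += 1
    return r


def orders(m):
    """Map every element of R_m to its order; Theorem 2.49 says each divides phi(m)."""
    return {a: element_order(a, m) for a in reduced_residues(m)}


def is_cyclic(m):
    """R_m is cyclic iff some element (a primitive root) has order phi(m)."""
    n = len(reduced_residues(m))
    return any(o == n for o in orders(m).values())


def group_exponent(m):
    """Largest element order in R_m. For m = 2^a with a >= 3 this is 2^(a-2),
    as R_{2^a} = C_2 x C_{2^(a-2)} predicts, not phi(2^a) = 2^(a-1)."""
    return max(orders(m).values())


def is_odd_prime_power(k):
    """True iff k = p^a for an odd prime p and a >= 1."""
    if k < 3 or k % 2 == 0:
        return False
    p = next((d for d in range(3, isqrt(k) + 1, 2) if k % d == 0), k)
    while k % p == 0:
        k //= p
    return k == 1


def predicted_cyclic(m):
    """Criterion of Theorem 2.41: R_m is cyclic iff m = 1, 2, 4, p^a or 2p^a, p an odd prime."""
    if m in (1, 2, 4):
        return True
    if m % 2 == 1:
        return is_odd_prime_power(m)
    # m even: needs m = 2 * (odd prime power); if 4 | m then m // 2 is even and fails
    return is_odd_prime_power(m // 2)


def orders_divide_group_order(m):
    """Theorem 2.49 (hence Euler's theorem) checked for every element of R_m."""
    n = len(reduced_residues(m))
    return all(n % o == 0 and pow(a, n, m) == 1 for a, o in orders(m).items())


if __name__ == "__main__":
    for m in (7, 8, 9, 15, 16, 18):
        print(m, "phi =", len(reduced_residues(m)), "orders:", orders(m),
              "cyclic:", is_cyclic(m))
    # the computed answer agrees with the stated criterion over a range of moduli
    print(all(is_cyclic(m) == predicted_cyclic(m) for m in range(2, 500)))
```

Running it shows, for instance, that 2 generates R_9 (order 6 = φ(9)) while no element of R_15 has order larger than 4, so R_15 is not cyclic even though φ(15) = 8.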

Definition 2.12 A ring is a set of at least two elements with two binary operations, ⊕ and ⊙, such that it is a commutative group under ⊕, is closed under ⊙, and such that ⊙ is associative and distributive with respect to ⊕. The identity element with respect to ⊕ is called the zero of the ring. If all the elements of a ring, other than the zero, form a commutative group under ⊙, then it is called a field.

It is customary to call ⊕ addition and ⊙ multiplication and to write a + b for a ⊕ b, ab for a ⊙ b. The conditions on ⊙ for a ring are then a(bc) = (ab)c, a(b + c) = ab + ac, (b + c)a = ba + ca. In general, the elements a, b, c, ... are not necessarily numbers, and the operations of addition and multiplication need not be the ordinary ones of arithmetic.

However, the only rings and fields that will be considered here will have numbers for elements, and the operations will be either ordinary addition and multiplication or addition and multiplication modulo m.

Theorem 2.50 The set Z_m of elements 0, 1, 2, ..., m - 1, with addition and multiplication defined modulo m, is a ring for any integer m > 1. Such a ring is a field if and only if m is a prime.

Proof We have already seen in Theorem 2.46 that any complete residue system modulo m is a group under addition modulo m. This group is commutative, and the associative and distributive properties of multiplication modulo m are inherited from the corresponding properties for ordinary multiplication. Therefore Z_m is a ring.

Next, by Theorem 2.47 any reduced residue system modulo m is a group under multiplication modulo m. If m is a prime p, the reduced residue system of Z_p is 1, 2, ..., p - 1, that is, all the elements of Z_p other than 0. Since 0 is the zero of the ring, Z_p is a field. On the other hand if m is not a prime, then m is of the form ab with 1 < a ≤ b < m. Then the elements of Z_m other than 0 do not form a group under multiplication modulo m because there is no inverse for the element a, no solution of ax ≡ 1 (mod m). Thus Z_m is not a field.

Some questions can be settled very readily by using the fields Z_p. For example, consider the following problem: prove that for any prime p > 3 the sum

1/1^2 + 1/2^2 + ··· + 1/(p-1)^2

if written as a rational number a/b has the property that p | a. In the field Z_p the term 1/j^2 in the sum is j^{-2} or x^2 where x is the least positive integer such that xj ≡ 1 (mod p). Hence in Z_p the problem can be put in the form, prove that the sum 1^{-2} + 2^{-2} + ··· + (p-1)^{-2} is the zero element of the field. But the inverses of 1, 2, 3, ..., p - 1 are just the same elements again in some order, so we can write

For this final sum there is a well-known formula for the sum of the squares of the natural numbers giving p(p - 1)(2p - 1)/6. But this is zero in Z_p, because of the factor p, except in the cases p = 2 and p = 3 where division by 6 is meaningless.
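The following Python, added here and not from the book, makes Theorem 2.50 and the worked problem concrete (the names are this example's own). It solves ax ≡ 1 (mod m) by the extended Euclidean algorithm, lists the nonzero elements of Z_m that have no inverse (none when m is prime, so Z_p is a field), checks that the inverses of 1, ..., p - 1 are a permutation of 1, ..., p - 1, and evaluates the sum 1^{-2} + ··· + (p-1)^{-2} both as an exact rational and in Z_p, including the exceptional case p = 3 where the claim fails.

```python
# Added example (not from the book): Theorem 2.50 checked by computation, and the
# worked problem on 1/1^2 + ... + 1/(p-1)^2 carried out both in Q and in Z_p.
from fractions import Fraction


def inverse_mod(a, m):
    """Solve a*x = 1 (mod m) by the extended Euclidean algorithm.
    Returns x in 0..m-1, or None when gcd(a, m) > 1 (no solution, Theorem 2.17)."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m if r0 == 1 else None


def non_invertible(m):
    """Nonzero elements of Z_m with no multiplicative inverse; empty iff m is prime."""
    return [a for a in range(1, m) if inverse_mod(a, m) is None]


def is_field(m):
    """Z_m is a field iff every nonzero element is invertible (Theorem 2.50)."""
    return m > 1 and not non_invertible(m)


def inverses_permute(p):
    """In Z_p the inverses of 1, ..., p-1 are 1, ..., p-1 again in some order."""
    return sorted(inverse_mod(j, p) for j in range(1, p)) == list(range(1, p))


def inverse_square_sum_mod_p(p):
    """sum_{j=1}^{p-1} j^(-2) evaluated in the field Z_p."""
    return sum(inverse_mod(j, p) ** 2 for j in range(1, p)) % p


def square_sum_formula_mod_p(p):
    """(p-1)p(2p-1)/6 reduced mod p; equals the sum above because the inverses permute."""
    return ((p - 1) * p * (2 * p - 1) // 6) % p


def rational_sum(p):
    """The same sum as an exact rational a/b in lowest terms, returned as (a, b)."""
    s = sum(Fraction(1, j * j) for j in range(1, p))
    return s.numerator, s.denominator


def p_divides_numerator(p):
    """The claim of the worked problem: p | a for every prime p > 3."""
    a, _ = rational_sum(p)
    return a % p == 0


if __name__ == "__main__":
    print("Z_7 field:", is_field(7), " Z_12 field:", is_field(12), non_invertible(12))
    for p in (3, 5, 7, 11, 13):
        print(p, rational_sum(p), "sum in Z_p =", inverse_square_sum_mod_p(p),
              "formula =", square_sum_formula_mod_p(p), "p | a:", p_divides_numerator(p))
```

For p = 5 the rational sum is 205/144 and 205 = 5 · 41, while in Z_5 the sum of inverse squares reduces to 1 + 4 + 9 + 16 = 30 ≡ 0; for p = 3 the sum is 5/4 and the numerator is not divisible by 3, matching the exception noted in the text.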

PROBLEMS

1. Prove that the multiplicative group modulo 9 is isomorphic to the additive group modulo 6.

2. Prove that the additive group modulo m is cyclic with 1 as generator. Prove that any one of φ(m) elements could serve as generator.

3. Prove that any two cyclic groups of order m are isomorphic.

4. Prove that the group of all integers under addition is an infinite cyclic group.

5. If a is an element of order r of a group G, prove that a^k = e if and only if r | k.

6. What is the smallest positive integer m such that the multiplicative group modulo m is not cyclic?

7. A subgroup S of a group G is a subset of elements of G that form a group under the same binary operation. If G is finite, prove that the order of a subgroup S is a divisor of the order of G.

8. Prove Theorem 2.49, for the case in which the group is commutative, in a manner analogous to the proof of Theorem 2.8.

9. Prove Theorem 2.8 by the method used in the proof of Theorem 2.49.

10. Let G consist of all possible sequences (a_1, a_2, a_3, ...) with each a_i = 1 or -1. Let (a_1, a_2, a_3, ...) ⊕ (b_1, b_2, b_3, ...) = (a_1 b_1, a_2 b_2, a_3 b_3, ...). Show that G is an infinite group all of whose elements are of finite order.

*11. Let G consist of a, b, c, d, e, f and let ⊕ be defined by the following table.

⊕ | e a b c d f
--+------------
e | e a b c d f
a | a e d f b c
b | b f e d c a
c | c d f e a b
d | d c a b f e
f | f b c a e d

Show that G is a noncommutative group.
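As an added example not from the book, the Python below parses the table of Problem 11 and checks the group axioms mechanically: closure, an identity, an inverse for every element, associativity (all triples) and commutativity. It also reads off the order of each element by repeated multiplication; each order divides 6, as Theorem 2.49 requires. The parser and checker are this example's own; the same functions accept any Cayley table laid out the same way.

```python
# Added example (not from the book): checking the group axioms from a Cayley table,
# applied to the table of Problem 11. The parsing/checking helpers are this
# example's own; the table data is the one given in the problem.

PROBLEM_11_TABLE = """
.  e a b c d f
e  e a b c d f
a  a e d f b c
b  b f e d c a
c  c d f e a b
d  d c a b f e
f  f b c a e d
"""


def parse_cayley_table(text):
    """Return (elements, table) with table[(x, y)] = x (+) y. The first row lists the
    column labels after a corner marker; the first column lists the row labels."""
    rows = [line.split() for line in text.strip().splitlines()]
    elems = rows[0][1:]
    table = {}
    for row in rows[1:]:
        x, products = row[0], row[1:]
        if len(products) != len(elems):
            raise ValueError(f"row {x!r} has {len(products)} entries, expected {len(elems)}")
        for y, z in zip(elems, products):
            table[(x, y)] = z
    return elems, table


def check_axioms(elems, table):
    """Evaluate closure, identity, inverses, associativity and commutativity."""
    closed = all(table[(x, y)] in elems for x in elems for y in elems)
    identity = next((e for e in elems
                     if all(table[(e, x)] == x and table[(x, e)] == x for x in elems)), None)
    inverses = identity is not None and all(
        any(table[(x, y)] == identity and table[(y, x)] == identity for y in elems)
        for x in elems)
    associative = closed and all(
        table[(table[(x, y)], z)] == table[(x, table[(y, z)])]
        for x in elems for y in elems for z in elems)
    commutative = all(table[(x, y)] == table[(y, x)] for x in elems for y in elems)
    return {"closed": closed, "identity": identity, "inverses": inverses,
            "associative": associative, "commutative": commutative}


def is_group(elems, table):
    r = check_axioms(elems, table)
    return r["closed"] and r["identity"] is not None and r["inverses"] and r["associative"]


def element_orders(elems, table):
    """Order of each element (Definition 2.11), found by repeated multiplication.
    Only meaningful once is_group() holds; otherwise the powers need not reach e."""
    e = check_axioms(elems, table)["identity"]
    if e is None:
        raise ValueError("table has no identity element")
    result = {}
    for x in elems:
        power, n = x, 1
        while power != e and n <= len(elems):
            power, n = table[(power, x)], n + 1
        result[x] = n
    return result


def problem_11():
    """Problem 11: the table defines a group that is not commutative."""
    elems, table = parse_cayley_table(PROBLEM_11_TABLE)
    return check_axioms(elems, table), element_orders(elems, table)


if __name__ == "__main__":
    axioms, ords = problem_11()
    print(axioms)  # associative, identity e, inverses present, commutative False
    print(ords)    # orders 1, 2, 2, 2, 3, 3: each divides 6, the order of G
```

The table fails commutativity already at a ⊕ b = d versus b ⊕ a = f, while every other axiom holds, which is the content of the problem.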

12. Prove that the multiplicative group modulo p is cyclic if p is a prime.

13. Exhibit the addition and multiplication tables for the elements of the field of residues modulo 7.

14. Prove that the set of all integers under ordinary addition and multiplication is a ring but not a field.

15. Prove that the set of all even integers under ordinary addition and multiplication is a ring.

16. Prove that the set 0, 3, 6, 9 is a ring under addition and multiplication modulo 12.

17. Prove that in any field a0 = 0a = 0 for every element a.

*18. Let a be a divisor of m, say m = aq with 1 < a < m. Prove that the set of elements 0, a, 2a, 3a, ..., (q - 1)a, with addition and multiplication modulo m, forms a ring. Under what circumstances is it a field?

19. Prove that the set of all rational numbers forms a field.

20. An integral domain is a ring with the following additional properties: (i) there is a unique identity element with respect to multiplication; (ii) multiplication is commutative; (iii) if ab = ac and a ≠ 0, then b = c. Prove that any field is an integral domain. Which of the following are integral domains? (a) the set of all integers; (b) the set Z_m of Theorem 2.50.

21. Let m be a positive integer and consider the set of all the divisors of m. For numbers in this set define two operations ⊙ and ⊕ by a ⊙ b = (a, b), a ⊕ b = [a, b], g.c.d. and l.c.m. Prove that ⊙ and ⊕ are associative and commutative. Prove the distributive law a ⊙ (b ⊕ c) = (a ⊙ b) ⊕ (a ⊙ c) and its dual a ⊕ (b ⊙ c) = (a ⊕ b) ⊙ (a ⊕ c). Show that a ⊙ a = a ⊕ a = a. Also prove 1 ⊙ a = 1 and 1 ⊕ a = a, so that 1 behaves like an ordinary zero, and m ⊙ a = a, and m ⊕ a = m. Define a relation @ as a @ b if a ⊙ b = a. Prove a @ a, that @ is transitive, and that a @ b if and only if a ⊕ b = b. Prove that if m is not divisible by any square other than 1, then corresponding to each divisor a there is a divisor a' such that a ⊙ a' = 1, a ⊕ a' = m. (These algebras with square-free m are examples of Boolean algebras.)

22. Prove that for any prime p > 2 the sum

1/1^3 + 1/2^3 + ··· + 1/(p-1)^3

if written as a rational number a/b, has the property that p | a. (H)

*23. Let V_n denote the vector space of dimension n over the field Z_p of integers modulo p. Show that if W is a subspace of V_n of dimension m, then card(W) = p^m. Show that the number of n × n matrices A with entries considered (mod p) for which det(A) ≢ 0 (mod p) is exactly (p^n - 1)(p^n - p)(p^n - p^2) ··· (p^n - p^{n-1}). (H)

NOTES ON CHAPTER 2

§2.1 It was noted in this section that (i) a ≡ a (mod m), (ii) a ≡ b (mod m) if and only if b ≡ a (mod m), and (iii) a ≡ b (mod m) and b ≡ c (mod m) imply a ≡ c (mod m). Thus the congruence relation has (i) the reflexive property, (ii) the symmetric property, and (iii) the transitive property, and so the congruence relation is a so-called equivalence relation.

Although the classification of integers by the remainder on division by a fixed modulus goes back at least as far as the ancient Greeks, it was Gauss who introduced the congruence notation.

§2.3 It is often observed of mathematics that there are far more theorems than ideas. The idea used in the proof of Theorem 2.18 is found in many other contexts. For example, Lagrange constructed a polynomial of degree at most n that passes through the n + 1 points (x_0, y_0), (x_1, y_1), ..., (x_n, y_n) by first constructing the polynomials

l_j(x) = [(x - x_0)(x - x_1) ··· (x - x_{j-1})(x - x_{j+1}) ··· (x - x_n)] / [(x_j - x_0)(x_j - x_1) ··· (x_j - x_{j-1})(x_j - x_{j+1}) ··· (x_j - x_n)]

which have the property that l_j(x_j) = 1, l_j(x_i) = 0 for i ≠ j. Here we are assuming that the x_j are distinct. Then

P(x) = Σ_{j=0}^{n} y_j l_j(x)

is a polynomial with the desired properties. (This polynomial P(x) is unique. To see this, suppose that Q(x) is another such polynomial. Then the polynomial R(x) = P(x) - Q(x) has degree at most n and vanishes at the n + 1 points x_j. But a polynomial that has more zeros than its degree must vanish identically. Thus P(x) and Q(x) are identical.)

The less symmetric procedure applied in Example 4 is similarly analogous to the Hermite formula for polynomial interpolation, by which a polynomial is written in the form

P(x) = Σ_{j=1}^{n} c_j Π_{i=1}^{j-1} (x - x_i).

(When j = 1 there is no i within the prescribed range, and the resulting empty product is taken to have value 1.) We see that P(x_1) = c_1, P(x_2) = c_1 + c_2(x_2 - x_1), P(x_3) = c_1 + c_2(x_3 - x_1) + c_3(x_3 - x_1)(x_3 - x_2), and so on. Thus we may take c_1 so that P(x_1) has the desired value. Having chosen c_1, we may take c_2 so that P(x_2) has the desired value, and so on.

This may be compared with Problem 24 at the end of the section.
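As an added example (not from the book), the Python below implements both interpolation formulas of this note over the field Z_p of Theorem 2.50 rather than over the rationals; the prime p = 101 and all function names are this example's choices. The Lagrange form builds each l_j(x) as a polynomial and sums y_j l_j(x); the triangular form fixes c_1, c_2, ... one at a time exactly as described. Both recover the same polynomial from its samples, which is the uniqueness claim of the note, and with more sample points than the degree requires the extra coefficients come out zero. Over Z_p this reconstruction is the arithmetic behind threshold secret sharing, so the field version is the one a practitioner most often needs.

```python
# Added example (not from the book): Lagrange interpolation and the triangular
# ("Hermite"-style) form from the notes, carried out over the field Z_p with p prime
# (Theorem 2.50), so that division by x_j - x_i is available. Names are this example's own.

P = 101  # constructed example modulus; any prime works


def inv(a, p=P):
    """Multiplicative inverse in Z_p (Python 3.8+ pow with exponent -1)."""
    return pow(a % p, -1, p)


def poly_add(f, g, p=P):
    """Polynomials are coefficient lists, lowest degree first."""
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(a + b) % p for a, b in zip(f, g)]


def poly_mul(f, g, p=P):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return out


def poly_eval(f, x, p=P):
    """Horner's rule."""
    r = 0
    for c in reversed(f):
        r = (r * x + c) % p
    return r


def trim(f):
    """Drop leading zero coefficients so equal polynomials compare equal."""
    f = list(f)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f


def _check_distinct(xs, p):
    if len(set(x % p for x in xs)) != len(xs):
        raise ValueError("interpolation nodes must be distinct mod p")


def lagrange_basis(xs, j, p=P):
    """l_j(x) = prod_{i != j} (x - x_i) / (x_j - x_i): equals 1 at x_j and 0 at the other x_i."""
    num, denom = [1], 1
    for i, xi in enumerate(xs):
        if i != j:
            num = poly_mul(num, [(-xi) % p, 1], p)
            denom = denom * (xs[j] - xi) % p
    d = inv(denom, p)
    return [c * d % p for c in num]


def lagrange_interpolate(xs, ys, p=P):
    """P(x) = sum_j y_j l_j(x); degree at most len(xs) - 1."""
    _check_distinct(xs, p)
    result = [0]
    for j, yj in enumerate(ys):
        result = poly_add(result, [c * yj % p for c in lagrange_basis(xs, j, p)], p)
    return trim(result)


def newton_interpolate(xs, ys, p=P):
    """P(x) = sum_j c_j prod_{i<j} (x - x_i), with c_1, c_2, ... fixed one at a time:
    the terms already chosen determine P(x_j) up to c_j, and later terms vanish at x_j."""
    _check_distinct(xs, p)
    result, basis = [0], [1]  # basis starts as the empty product, taken to be 1
    for xj, yj in zip(xs, ys):
        cj = (yj - poly_eval(result, xj, p)) * inv(poly_eval(basis, xj, p), p) % p
        result = poly_add(result, [c * cj % p for c in basis], p)
        basis = poly_mul(basis, [(-xj) % p, 1], p)
    return trim(result)


if __name__ == "__main__":
    xs = [1, 2, 3, 4]
    ys = [poly_eval([7, 5, 3], x) for x in xs]  # samples of 3x^2 + 5x + 7 (mod 101)
    print(lagrange_interpolate(xs, ys))          # the unique polynomial through the samples
    print(newton_interpolate(xs, ys))            # the same polynomial by the other construction
```

With the three samples (1, 15), (2, 29), (3, 49) both routines return the coefficient list [7, 5, 3], i.e. 3x^2 + 5x + 7; adding the fourth sample (4, 75) changes nothing, since the cubic coefficient is forced to 0.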

§2.4 Readers interested in the numerical aspects of number theory may wish to consult the text by Rosen listed in the General References at the end of this book. Number-theoretic algorithms are discussed by D. H. Lehmer, "Computer Technology Applied to the Theory of Numbers," pages 117-151 in the book edited by LeVeque; in Chapter 4 of Volume 2 of Knuth; and in the book edited by Lenstra and Tijdeman. Many of the algorithms that we have discussed can be made more efficient in various ways. For example, when factoring by trial division, one may restrict the trial divisors to prime values.

Before 1970, trial division was essentially the fastest factoring method known. Since then, improved algorithms have been invented that allow us to factor much larger numbers than we could formerly. Some of these algorithms involve quite sophisticated mathematics, as in the case of the elliptic curve method of Hendrik Lenstra, which we discuss in Section 5.8.

The fastest general-purpose factoring algorithm known today is the quadratic sieve, proposed by Carl Pomerance in 1982. Using it, te Riele factored a 92-digit number in 1988. Using the same amount of time on the same machine, but with trial division instead of the quadratic sieve, one would expect to be able to factor numbers only up to 29 digits. Twenty years earlier, the IBM 360/91 was the fastest computer. If one substituted this earlier machine for the NEC SX/2 that te Riele used, then in the same time one might factor a 25 digit number by trial division and a 73 digit number by the quadratic sieve. Thus we see that the new algorithms have had a much greater impact on factoring than the improvements in the hardware. Further discussion of factoring techniques may be found in the lecture notes of Carl Pomerance and in the book by Hans Riesel, both listed in the General References, and also in the survey article "How to factor a number," by R. K. Guy, in Proc. Fifth Manitoba Conf. Numer. Math., Utilitas, Winnipeg (1975), 49-89.

§2.5 The permutation used here is known as a trapdoor function because of the difficulty of computing the inverse permutation. The particular method discussed is known as the RSA method, after Rivest, Shamir, and Adleman, who proposed the method in 1978.

§2.6 In our appeal to Taylor's theorem we have again made a small use of analysis. A more extensive use of analysis is found in Section 8.2, where we investigate arithmetic functions by means of Dirichlet series.

Analysis of a somewhat different variety is used in proofs of irrationality or transcendence. A simple example of this is found in our proof that π is irrational, in Section 6.3.

The study of congruences (mod p^k) leads naturally to the theory of p-adic numbers. Solutions of a congruence that lift to arbitrarily high powers of p correspond to the p-adic roots of the equation. The sequence of solutions of the congruence generated by letting n run to infinity form a sequence of approximations to the p-adic root in much the same way that truncations of the decimal expansion of a real number form approximations to the real number being expanded. An attractive introduction to p-adic numbers is found in Chapter 1 of the text by Borevich and Shafarevich.

§2.7 Let f(x) be a fixed polynomial with integral coefficients. The number N(p) of solutions of the congruence f(x) ≡ 0 (mod p) fluctuates as p varies, but it can be shown that if f is irreducible then Σ_{p≤x} N(p) ~ x/log x as x → ∞. This is derived from the prime ideal theorem, which is a generalization of the prime number theorem to algebraic number fields.

The discussion of the polynomial f(x) in (2.7) can be generalized to composite moduli. This generalization, which is by no means obvious, was discovered by Bauer in 1902. Accounts of Bauer's congruence are found in §§8.5-8.8 of the book by Hardy and Wright, and in articles by Gupta and Wylie, J. London Math. Soc., 14 (1939).

§2.8 In 1769, Lambert stated without proof that every prime number has a primitive root. Euler introduced the term primitive root, but his proof of their existence is flawed by gaps and obscurities. Our account, based on Lagrange's result Corollary 2.29, is similar to the method proposed by Legendre in 1785.

For further discussion of methods of proving primality, see the article "Primality testing" in Lenstra and Tijdeman, H. C. Williams, "Primality testing on a computer," Ars Combinatoria 5 (1978), 127-185, or Chapter 4 of Riesel. The original account of Atkin's method of proving primality is found in the paper of A. O. L. Atkin and F. Morain, "Elliptic curves and primality proving," Math. Comp., to appear. The method is briefly described in A. K. Lenstra and H. W. Lenstra, Jr., "Algorithms in number theory" in Handbook of Theoretical Computer Science (ed. J. van Leeuwen), North-Holland, to appear.

§2.9 The algorithm RESSOL was invented and named by Dan Shanks, "Five number-theoretic algorithms," (Proc. Second Manitoba Conference on Numerical Mathematics (1972), 51-70). A similar algorithm for determining u so that n = cu (mod p), had been given in 1891 by Tonelli. D. H. Lehmer ("Computer technology applied to the theory of numbers," Studies in Number Theory, (W. J. LeVeque, ed.), Math. Assoc. Amer. (1969), 117-151) has given a different algorithm for finding solutions of quadratic congruences.
