# Number Theory

---

## Contents
```{contents}
```

---
---
---

## Arithmetic

### The bit complexity of numbers

We focus on bit complexity (of algorithms), the number of elementary operations on individual bits, because it reflects the amount of hardware, transistors and wires, necessary for implementing an algorithm.

It is a basic property of numbers that **for any base $b \ge 2$ the sum of any three single-digit numbers is at most two digits long**.

$
\begin{aligned}
b &=  2 && & 1 + 1 + 1 &= 11                                             &&= 1 \times  2^1 +  1 \times  2^0 \\
b &=  3 && & 2 + 2 + 2 &= 20                                             &&= 2 \times  3^1 +  0 \times  3^0 \\
b &= 10 && & 9 + 9 + 9 &= 27                                             &&= 2 \times 10^1 +  7 \times 10^0 \\
b &= 16 && & F + F + F &= 2D                                             &&= 2 \times 16^1 + 13 \times 16^0 \\
b &= 60 && & \lambda_{59} + \lambda_{59} + \lambda_{59} &= 2\lambda_{57} &&= 2 \times 60^1 + 57 \times 60^0 \\
\end  {aligned}
$

**How many digits are needed to represent the number $N \ge 0$ in base $b$?** $\lceil \log_b (N + 1) \rceil$ digits are needed to represent $N$ in base $b$.

With $k \ge 1$ digits in base $b$ we can express numbers up to $b^k - 1$.

base $2$
* with $1$ digits in base $2$ we can express numbers up to $2^1 - 1 = 1$
* with $2$ digits in base $2$ we can express numbers up to $2^2 - 1 = 3$
* with $3$ digits in base $2$ we can express numbers up to $2^3 - 1 = 7$
* with $4$ digits in base $2$ we can express numbers up to $2^4 - 1 = 15$

base $10$
* with $1$ digits in base $10$ we can express numbers up to $10^1 - 1 = 9$
* with $2$ digits in base $10$ we can express numbers up to $10^2 - 1 = 99$
* with $3$ digits in base $10$ we can express numbers up to $10^3 - 1 = 999$
* with $4$ digits in base $10$ we can express numbers up to $10^4 - 1 = 9999$

$
\begin{aligned}
b^k - 1 &= N \\
b^k     &= N + 1 \\
\log_b b^k &= \lceil \log_b (N + 1) \rceil \\
k          &= \lceil \log_b (N + 1) \rceil \\
\end  {aligned}
$

Base $2$

$
\begin{aligned}
\lceil \log_2 (\textcolor{green}{ 0} + 1) \rceil &= 1 \text{ b} \\
\lceil \log_2 (\textcolor{green}{ 1} + 1) \rceil &= 1 \text{ b} \\
\lceil \log_2 (\textcolor{green}{ 2} + 1) \rceil &= 2 \text{ b} \\
\lceil \log_2 (\textcolor{green}{ 3} + 1) \rceil &= 2 \text{ b} \\
\lceil \log_2 (\textcolor{green}{ 4} + 1) \rceil &= 3 \text{ b} \\ &\vdots \\
\lceil \log_2 (\textcolor{green}{ 7} + 1) \rceil &= 3 \text{ b} \\
\lceil \log_2 (\textcolor{green}{ 8} + 1) \rceil &= 4 \text{ b} \\ &\vdots \\
\lceil \log_2 (\textcolor{green}{15} + 1) \rceil &= 4 \text{ b} \\
\lceil \log_2 (\textcolor{green}{16} + 1) \rceil &= 5 \text{ b} \\ &\vdots \\
\lceil \log_2 (\textcolor{green}{31} + 1) \rceil &= 5 \text{ b} \\
\lceil \log_2 (\textcolor{green}{32} + 1) \rceil &= 6 \text{ b} \\ &\vdots \\
\lceil \log_2 (\textcolor{green}{63} + 1) \rceil &= 6 \text{ b} \\
\lceil \log_2 (\textcolor{green}{64} + 1) \rceil &= 7 \text{ b} \\
\end  {aligned}
$

**How much does the size of a number change when its base changes?**

The rule for converting logarithms from base $a$ to base $b$:

$\log_b N = \frac{1}{\log_a b} \log_a N \iff \log_a N = \log_b N \times \log_a b$

The size of integer $N$ in base $a$ is the same as its size in base $b$ times a constant factor $\log_a b$. Therefore, in big-$O$ notation the base is irrelevant and the size is written simply as $O(\log N)$

$\log N$ is the power to which $2$ must be raised to obtain $N$.

$\lceil \log N \rceil$ is the number of times $N$ must be halved to obtain unity. This will be useful when a number is halved at each iteration of an algorithm.

$\lceil \log (N + 1) \rceil$ is the number of bits in the binary representation of $N$.

$\lfloor \log N \rfloor$ is the depth of a complete binary tree with $N$ nodes.

$\log N = 1 + 1/2 + 1/3 + \dotsb + 1/N$ to within a constant factor.

---

### Addition

The rule that the sum of any three single-digit numbers is at most two digits allows us to add two numbers in any base in the following way: align their right-hand ends and then perform a single right-to-left pass in which the sum is computed digit by digit, maintaining the overflow as a carry. Since we know the individual sum is a two-digit number, the carry is always a single digit, and so at any given step, three single-digit numbers are added.

```txt
Carry  1     1 1 1
         1 1 0 1 0 1 (53)
         1 0 0 0 1 1 (35)
       -------------
       1 0 1 1 0 0 0 (88)
```

**Complexity**

Suppose both $x$ and $y$ are $n$ bits long. Then $x + y$ is at most $n + 1$ bits long and each bit of this sum is computed in a fixed amount of time.

$T(n) = c_1n + c_0 = O(n)$

Is there a faster algorithm? In order to add two $n$-bit numbers they must at least be read and their sum written, <span style="color: red;">which require n operations</span>. Therefore, the addition algorithm is optimal <span style="color: red;">up to multiplicative constants</span>.

It is true that in a single processor instruction integers can be added whose size in bits is within the word length of today's computers--$32$ perhaps. But it is often useful and necessary to handle numbers much larger than this, perhaps several thousand bits long. Adding and multiplying such large numbers on real computers is very much like performing the operations bit by bit.

**Implementation**

```c
#include <stdio.h>

int main (void) {
  long b1;
  long b2;

  int i = 0;
  int r = 0; // remainder
  int sum[20];

  printf("Enter the first  binary number: "); scanf("%ld", &b1);
  printf("Enter the second binary number: "); scanf("%ld", &b2);

  while (b1 != 0 || b2 != 0) {
    sum[i++] = (b1 % 10 + b2 % 10 + r) % 2;
    r        = (b1 % 10 + b2 % 10 + r) / 2;
    b1 /= 10;
    b2 /= 10;
  }

  if (r != 0)
    sum[i++] = r;
  --i;

  printf("Sum: ");
  while (i >= 0)
    printf("%d", sum[i--]);
  printf("\n");

  return 0;
}
```

---

### Multiplication

### Grade-School Binary Multiplication Algorithm

Multiply two numbers $x$ and $y$. Create an array of intermediate sums each representing the product of $x$ by a single digit of $y$. These values are appropriately left-shifted and then added up.

$13 \times 11$ or $x = 1101$ and $y = 1011$

```txt
        1 1 0 1 (13, multiplicand)
      x 1 0 1 1 (11, multiplier)
      ---------
        1 1 0 1 (1101 times 1)                  13 x 2^0 =  13
      1 1 0 1   (1101 times 1, shifted once)    13 x 2^1 =  26
    0 0 0 0     (1101 times 0, shifted twice)    0 x 2^2 =   0
+ 1 1 0 1       (1101 times 1, shifted thrice)  13 x 2^3 = 104
---------------
1 0 0 0 1 1 1 1 (binary 143)
```

In binary each intermediate row is either zero or $x$ itself, left-shifted an appropriate amount of times. Left-shifting multiplies by the base and right-shifting divides by the base, rounding down if necessary.

**Correctness**

**Complexity**

If $x$ and $y$ are both $n$ bits then there are $n$ intermediate rows with lengths of up to $2n$ bits, accounting for the shifts. The total time taken to add up these rows, two numbers at a time, is

$\underbrace{O(n) + O(n) + \dotsb + O(n)}_{n - 1 \text{ times}} = O(n^2)$

### Al Khwarizmi's multiplication by repeated halvings of the multiplier

Multiply two decimal numbers $x$ and $y$. Write them next to each other and then repeat the following: divide the first number by $2$, rounding down the result, and double the second number; continue until the first number reaches unity and then strike out all the rows in which the first number is even and add up whatever remains in the second column.

```txt
                      parity of multiplier 11
11    13              11 = 5 x 2 +  1
 5    26               5 = 2 x 2 +  1
 2    52 (strike out)  2 = 1 x 2 +  0
 1   104               1 = 0 x 2 +  1
--------
     143
```

### Multiplication à la Français

This algorithm implements the following recursive rule.

$
x \cdot y =
\begin{cases}
    2(x \cdot \lfloor y/2 \rfloor) & \text{if \textit{y} is even} \\
x + 2(x \cdot \lfloor y/2 \rfloor) & \text{if \textit{y} is odd} \\
\end  {cases}
$

```c
 INPUT    two n-bit integers x and y, where y >= 0
OUTPUT    their product

MULT (x, y)
1    if y = 0
2        return 0
3
4    z = MULT(x, floor(y/2))
5
6    if even(y)
7        return 2z
8    else
9        return 2z + x
```

EXAMPLE

algorithm decomposition

$x \cdot 25 = x \cdot 16 + x \cdot 8 + x \cdot 1$

For multiplication the terms $x \cdot 2^i$ come from repeated doubling

**Correctness**

The recursive rule is <span style="color: red;">transparently</span> correct. Checking that the algorithm is correct is a matter of verifying that it mimics the rule and that it handles the base case $y = 0$ properly.

**Complexity**

The algorithm terminates after $n$ recursive calls because at each call $y$ is halved (i.e., its number of bits is decreased by one). Each recursive call requires the following operations:
* a division by $2$ (a right shift)
* a test for odd/even (looking up the last bit)
* a multiplication by $2$ (a left shift)
* possibly, one addition

a total of $O(n)$ bit operations. The total running time is

$T(n) = O(n^2)$

Can we do better? Intuitively, it seems that multiplication requires adding about $n$ multiples of one of the inputs, and we know that each addition is linear, so it would appear that $n^2$ bit operations are inevitable. But we will see that we can de better.

---

### Division

To divide an integer $x$ by an integer $y \ne 0$ means to find a quotient $q$ and a remainder $r$, where $x = yq + r$ and $r \lt y$.

```c
 INPUT    two n-bit integers x and y, where y >= 1
OUTPUT    the quotient and the remainder of x divided by y

DIVIDE (x, y)
 1    if x = 0
 2        return (q, r) = (0, 0)
 3
 4    (q, r) = DIVIDE(floor(x/2), y)
 5    q = 2q
 6    r = 2r
 7    if odd(x)
 8        r = r + 1
 9    if r >= y
10        r = r - y
11        q = q + 1
12    return (q, r)
```

**Complexity** Like multiplication, division takes quadratic time.

$T(n) = O(n^2)$

---
---
---

$
\begin{aligned}
2^{32} - 1 &= 4294967295           &&= 3 \times 5 \times 17 \times 257 \times 65537 \\
2^{53} - 1 &= 9007199254740991     &&= 6361 \times 69431 \times 20394401 \\
2^{64} - 1 &= 18446744073709551615 &&= 3 \times 5 \times 17 \times 257 \times 641 \times 65537 \times 6700417 \\
\end  {aligned}
$

---

What's the largest value that $n$ bits can hold?

In [None]:
print(f'                 largest value')
print(f' 16-bit numbers {2** 16 - 1:55} = 2^ 16 - 1')
print(f' 20-bit numbers {2** 20 - 1:55} = 2^ 20 - 1')
print(f' 32-bit numbers {2** 32 - 1:55} = 2^ 32 - 1')
print(f' 40-bit numbers {2** 40 - 1:55} = 2^ 40 - 1')
print(f' 52-bit numbers {2** 52 - 1:55} = 2^ 52 - 1')
print(f' 53-bit numbers {2** 53 - 1:55} = 2^ 53 - 1')
print(f' 64-bit numbers {2** 64 - 1:55} = 2^ 64 - 1')
print(f'128-bit numbers {2**128 - 1:55} = 2^128 - 1')

                 largest value
 16-bit numbers                                                   65535 = 2^ 16 - 1
 20-bit numbers                                                 1048575 = 2^ 20 - 1
 32-bit numbers                                              4294967295 = 2^ 32 - 1
 40-bit numbers                                           1099511627775 = 2^ 40 - 1
 52-bit numbers                                        4503599627370495 = 2^ 52 - 1
 53-bit numbers                                        9007199254740991 = 2^ 53 - 1
 64-bit numbers                                    18446744073709551615 = 2^ 64 - 1
128-bit numbers                 340282366920938463463374607431768211455 = 2^128 - 1


---
---
---

Theorem

If $p$ is prime then $2^{p - 1}$ leaves the remainder $1$ on division by $p$.

Example

$2^{1000}$ leaves the remainder $562$ on division by $1001$ so $1001$ is composite.

$1001 = 7 \times 11 \times 13$

$2^{k^k}$ can be computed by successive squaring

$
\begin{aligned}
   1000  &= 2^3 + 2^5 + 2^6 + 2^7 + 2^8 + 2^9 \\
2^{1000} &= 2^{2^3} \times 2^{2^5} \times 2^{2^6} \times 2^{2^7} \times 2^{2^8} \times 2^{2^9} \\
2^{2^3}  &= 256 \\
2^{2^4}  &= 256^2 = 65536 \equiv 471 \mod 1001 \\
2^{2^5}  &= 471^2 = 221841 \equiv 620 \mod 1001 \\
2^{2^3} \times 2^{2^5} &\equiv 256 \times 620 = 158720 \equiv 562 \mod 1001 \\
2^{2^6} &\equiv 620^2 = 384400 \equiv 16 \mod 1001 \\
2^{2^3} \times 2^{2^5} \times 2^{2^6} &\equiv 562 \times 16 = 8992 \equiv 984 \mod 1001 \\
2^{2^7} &\equiv 16^2 \equiv 256 \mod 1001 \\
2^{2^3} \times 2^{2^5} \times 2^{2^6} \times 2^{2^7} &\equiv 984 \times 256 = 251904 \equiv 653 \mod 1001 \\
2^{2^8} &\equiv 471 \mod 1001 \\
2^{2^3} \times 2^{2^5} \times 2^{2^6} \times 2^{2^7} \times 2^{2^8} &\equiv 653 \times 471 = 307563 \equiv 256 \\
2^{2^9} &\equiv 620 \\
2^{1000} &= 2^{2^3} \times 2^{2^5} \times 2^{2^6} \times 2^{2^7} \times 2^{2^8} \times 2^{2^9} \equiv 620 \times 256 = 167168 \equiv 562 \\
\end  {aligned}
$

Any programming language which can do double precision can compute $2^{p - 1} \mod p$ in linear time.

__Induction__

Inductive definition of $\mathbb{N}$: $1 \in \mathbb{N}$ is the least member of $\mathbb{N}$. Given any $n \in \mathbb{N}$ the next member is $n + 1$.

---
---
---

## 2

We know that given integers $a$ and $b$ not both zero there are integers $x$ and $y$ s.t. $\gcd(a, b) = ax + by$. How do we find $x$ and $y$?
* Euclid's Algorithm - gives a very efficient algorithm, and is still the basis for many numerical methods in arithmetical applications

__Euclid's Algorithm__

$a, b \gt 0$, since multiplying either by $-1$ does not change $\gcd(a, b)$. We can replace $x$ by $-x$ and $y$ by $-y$.

Suppose $b \le a$. Let $r_0 = b, r_{-1} = a$

Apply the division algorithm iteratively as follows.

$
\begin{aligned}
r_{-1}  &= r_0 q_1 + r_1 && 0 \lt r_1 \le r_0 \\
r_0     &= r_1 q_2 + r_2 && 0 \lt r_2 \lt r_1 \\
r_1     &= r_2 q_3 + r_3 && 0 \lt r_3 \lt r_2 \\
\vdots \\
r_{s-3} &= r_{s-2} q_{s-1} + r_{s-1} && 0 \lt r_{s-1} \lt r_{s-2} \\
r_{s-2} &= r_{s-1} q_s \\
\end  {aligned}
$

We stop the moment there is a remainder equal to $0$. This could be $r_1$ if $b \mid a$, for example.

Since $r_j \lt r_{j-1}$ we must eventually have a zero remainder.

Euclid proved that $\gcd(a, b) = r_{s-1}$

$\text{Proof}$

$\gcd(a, b) \mid a$ and $\gcd(a, b) \mid b$ and so $\gcd(a, b) \mid r_1 = a - bq_1$. Repeating, $\gcd(a, b) \mid r_j$ for $j = 2, 3, \dotsc, s - 1$

Starting from the bottom, $r_{s-1} \mid r_{s-2}$, $r_{s-1} \mid r_{s-3}$, and so on until we have $r_{s-1} \mid b$ and $r_{s-1} \mid a$, and so $r_{s-1} \mid \gcd(a, b)$

Since $r_{s-1} \mid \gcd(a, b)$ and $\gcd(a, b) \mid r_{s-1}$ it is the case that $r_{s-1} = \gcd(a, b)$.

$\blacksquare$

EXAMPLE

$
\begin{aligned}
a &= & 10,678 \\
b &= &     42 \\
10,678 &= & 42 &\times & 254 &+ & 10 \\
    42 &= & 10 &\times &   4 &+ &  2 \\
    10 &= &  2 &\times &   5 \\
\end  {aligned}
$

$\gcd(10678, 42) = 2$

$x$ and $y$ can be found via back substitution, which is inefficient since it requires that all computations be stored.

$
\begin{aligned}
2 &= 42 - 10 \times 4 \\
  &= 42 - (10,678 - 42 \times 254) \times 4 \\
  &= 42 - 10,678 \times 4 + 42 \times 254 \times 4 \\
  &= 42 + 42 \times 254 \times 4 - 10,678 \times 4 \\
  &= 42 \times (1 + 254 \times 4) - 10,678 \times 4 \\
  &= 42 \times 1017 - 10,678 \times 4 \\
\end  {aligned}
$

__Extended Euclidean Algorithm__

$
\begin{aligned}
x_{-1} &:= 1 \\
y_{-1} &:= 0 \\
x_0    &:= 0 \\
y_0    &:= 1 \\
r_{-1} &= r_0 q_1 + r_1 && x_1 = x_{-1} - q_1 x_0 && y_1 = y_{-1} - q_1 y_0 \\
r_0    &= r_1 q_2 + r_2 && x_2 = x_0    - q_2 x_1 && y_2 = y_0    - q_2 y_1 \\
r_1    &= r_2 q_3 + r_3 && x_3 = x_1    - q_3 x_2 && y_3 = y_1    - q_3 y_2 \\
\vdots \\
r_{s-3} &= r_{s-2} q_{s-1} + r_{s-1} && x_{s-1} = x_{s-3} - q_{s-1} x_{s-2} && y_{s-1} = y_{s-3} - q_{s-1} y_{s-2} \\
r_{s-2} &= r_{s-1} q_s \\
\end  {aligned}
$

The claim is that $x = x_{s-1}, y = y_{s-1}$. More generally, the claim is that $r_j = ax_j + by_j$ and this can be proved by induction.

$\text{Proof by induction}$

By construction it is the case that $r_{-1} = ax_{-1} + by_{-1}$ and $r_0 = ax_0 + by_0$.

$
\begin{aligned}
r_{-1} &= a \times 1 + b \times 0 = a \\
r_0    &= a \times 0 + b \times 1 = b \\
\end  {aligned}
$

Suppose $r_k = ax_k + by_k$ is established for all $j \le k$.

$
\begin{aligned}
r_{k+1}
&= r_{k-1} - q_{k+1} r_k \\
&= (ax_{k-1} + by_{k-1}) - q_{k+1} (ax_k + by_k) \\
&= ax_{k-1} + by_{k-1} - q_{k+1} ax_k - q_{k+1} by_k \\
&= ax_{k-1} - q_{k+1} ax_k + by_{k-1} - q_{k+1} by_k \\
&= a(x_{k-1} - q_{k+1} x_k) + b(y_{k-1} - q_{k+1} y_k) \\
&= ax_{k+1} + by_{k+1} \\
\end  {aligned}
$

$\blacksquare$

$\boxed{\gcd(a, b) = r_{s-1} = ax_{s-1} + by_{s-1}}$

EXAMPLE

$
\begin{aligned}
r_{-1} &= & 10,678 \\
r_0    &= &     42 \\
x_{-1} &= &      1 \\
x_0    &= &      0 \\
y_{-1} &= &      0 \\
y_0    &= &      1 \\
10,678 &= & 42 &\times & 254 &+ & 10 && \underset{x_1}{ 1} &= & 1 &- & 254 &\times & 0 && \underset{y_1}{-254} &= & 0 &- & 1 &\times &   254  \\
    42 &= & 10 &\times &   4 &+ &  2 && \underset{x_2}{-4} &= & 0 &- &   4 &\times & 1 && \underset{y_2}{1017} &= & 1 &- & 4 &\times & (-254) \\
    10 &= &  2 &\times &   5 \\
\end  {aligned}
$

$\gcd(10678, 42) = 2 = 10678 \times (-4) + 42 \times 1017$

__Linear Diophantine Equation__

Euclid's algorithm can be used to find the <span style="color: red;">complete solution in integers</span> to linear diophantine equations of the kind

$ax + by = c$ where $a$, $b$, and $c$ are integers, and $x$ and $y$ are all integers which satisfy this

$\text{Case 1}$ Both $a$ and $b$ are zero. ----- If $a = b = 0$ then the linear diophantine equation is not soluble unless $c = 0$; and then it is soluble by any $x$ and $y$, which is not very interesting.

$\text{Case 2}$ One of $a$ and $b$ is non-zero.

$\gcd(a, b) \mid (ax + by) \implies \gcd(a, b) \mid c$

Choose $x$ and $y$ s.t. $ax + by = \gcd(a, b)$. Then there is a solution

$
\begin{aligned}
ax + by &= \gcd(a, b) \\
\frac{ax + by}{\gcd(a, b)} &= 1 \\
c \frac{ax + by}{\gcd(a, b)} &= c \\
a \left( \frac{xc}{\gcd(a, b)} \right) + b \left( \frac{yc}{\gcd(a, b)} \right)
\end  {aligned}
$

Let's call this solution $x_0, y_0$. Consider any other solution $x, y$.

$
\begin{aligned}
ax + by &= c \\
ax + by - ax_0 - by_0 &= c - c = 0 \\
ax - ax_0 &= by_0 - by \\
a(x - x_0) &= b(y_0 - y) \\
\frac{a}{\gcd(a, b)}(x - x_0) &= \frac{b}{\gcd(a, b)}(y_0 - y) \\
\end  {aligned}
$

Recall that $\gcd \left( \frac{a}{\gcd(a, b)}, \frac{b}{\gcd(a, b)} \right) = 1$

$y_0 - y = z \frac{a}{\gcd(a, b)}$ for some $z$

$x - x_0 = z \frac{b}{\gcd(a, b)}$ for some $z$

Any $x$ and $y$ of this form give a solution, so we have found a complete solution set.

THEOREM

Suppose that $a$ and $b$ are not both zero, that $\gcd(a, b) \mid c$, and that $ax_0 + by_0 = c$. Then every solution of

$ax + by = c$

is given by

$x = x_0 + z \frac{b}{\gcd(a, b)}, y = y_0 + z \frac{a}{\gcd(a, b)}$

where $z$ is any integer.

The solutions $x$ all leave the same remainder on division by $\frac{b}{\gcd(a, b)}$ and likewise for $y$ on division by $\frac{a}{\gcd(a, b)}$.

__Lehman's Method__ based on differences of squares, and a small improvement over trial division

1. Apply trial division with $d = 2, 3, \dotsc, d \le n^{\frac{1}{3}}$
2. For $1 \le t \le n^{\frac{1}{3}} + 1$ consider the numbers $x$ with $\sqrt{4tn} \le x \le \sqrt{4tn + n^{\frac{2}{3}}}$ Check each $x^2 - 4tn$ to see if it is a perfect square $y^2$ (compute $4tn - \lfloor \sqrt{4tn} \rfloor^2$)
3. If there are $x$ and $y$ s.t. $x^2 - 4tn = y^2$ then compute $\gcd(x + y, n)$.
4. If there is no $t \le n^{\frac{1}{3}} + 1$ for which there are $x$ and $y$, then $n$ is prime.

EXAMPLE

$n = 10001$ and so $\lfloor (10001)^{\frac{1}{3}} \rfloor = 21$

Trial division with $d = 2, 3, 5, 7, 11, 13, 17, 19$ finds no factors.

$
\begin{aligned}
  t &= 1 \\
4tn &= 40004 \\
\lfloor \sqrt{4tn} \rfloor &= \lfloor \sqrt{40004} \rfloor = 200 \\
\left\lfloor \sqrt{4tn + n^{\frac{2}{3}}} \right\rfloor
&= \left\lfloor \sqrt{40004 + 21^2} \right\rfloor
= \left\lfloor \sqrt{40004 + 441} \right\rfloor
= \left\lfloor \sqrt{40445} \right\rfloor
= 201 \\
4tn - \lfloor \sqrt{4tn} \rfloor^2 &= 40004 - 200^2 = 40004 - 40000 = 4 = 2^2 \\
\end  {aligned}
$

$
\begin{aligned}
  x^2 &-& 4tn   &=& y^2 \\
(200^2 = 40000) &-& 40004 &=&  -4 \\
(201^2 = 40401) &-& 40004 &=& 397 \\
\end  {aligned}
$

$
\begin{aligned}
  t &= 2 \\
4tn &= 80008 \\
\lfloor \sqrt{4tn} \rfloor &= \lfloor \sqrt{80008} \rfloor = 282 \\
\left\lfloor \sqrt{4tn + n^{\frac{2}{3}}} \right\rfloor
&= \left\lfloor \sqrt{80008 + 21^2} \right\rfloor
= \left\lfloor \sqrt{80008 + 441} \right\rfloor
= \left\lfloor \sqrt{80449} \right\rfloor
= 283 \\
4tn - \lfloor \sqrt{4tn} \rfloor^2 &= 80008 - 282^2 = 80008 - 79524 = 484 = 22^2 \\
4tn - \left\lfloor \sqrt{4tn + n^{\frac{2}{3}}} \right\rfloor &= 80008 - 283^2 = 80008 - 80089 = -81 = -9^2 \\
\end  {aligned}
$

$
\begin{aligned}
  x^2 &-& 4tn   &=& y^2 \\
(282^2 = 79524) &-& 80008 &=& -484 \\
(283^2 = 80089) &-& 80008 &=&   81 \\
\end  {aligned}
$

$\gcd(x + y, n) = \gcd(283 + 9, 10001) = 73$

__Proof of Lehman's Method__
* depends on a subject called Diophantine approximation, via continued fractions, which in turn has some connections with Euclid's algorithm
* we can take a shortcut via Dirichlet

__Dirichlet Theorem__

For any real number $\alpha$ and any integer $Q \ge 1$ there exits integers $a$ and $q$ with $1 \le q \le Q$ s.t.

$\left| \alpha - \frac{a}{q} \right| \le \frac{1}{q(Q + 1)}$

As a consequence of casting out all common factors of $a$ and $q$ in $a/q$ we have

$\gcd(a, q) = 1$

__Proof of Lehman's Algorithm__

When there is a $d \mid n$ with $n^{\frac{1}{3}} \lt d \le n^{\frac{1}{2}}$ then there is a $t$ with $1 \le t \le n^{\frac{1}{3}} + 1$ and $x$ and $y$ s.t.

$4tn \le x^2 \le 4tn + n^{\frac{2}{3}}, x^2 - y^2 = 4tn$

The runtime is bounded by $n^{\frac{1}{3}}$

---
---
---

## Congruence and Residues

---

### Residues

<span style="color: #0096FF;"><b>RESIDUE CLASS MODULO M</b></span>

<div style="color: #0096FF;">

Let $m \in \mathbb{N}$ and define the residue class $\bar{r} \text{ modulo } m$ by

$\bar{r} = \{ x \in \mathbb{Z} : m \mid (x - r) \}$

</div>

$
\begin{aligned}
\bar{0} &= \{ x \in \mathbb{Z} : m \mid x \}       && \text{residue class } \bar{0} \mod m \\
\bar{1} &= \{ x \in \mathbb{Z} : m \mid (x - 1) \} && \text{residue class } \bar{1} \mod m \\
\bar{2} &= \{ x \in \mathbb{Z} : m \mid (x - 2) \} && \text{residue class } \bar{2} \mod m \\
\vdots \\
\overline{m - 1} &= \{ x \in \mathbb{Z} : m \mid (x - m + 1) \} && \text{residue class } \overline{m - 1} \mod m \\
\end  {aligned}
$

<span style="color: #0096FF;"><b>COMPLETE SYSTEM OF RESIDUES MODULO M</b></span>

<div style="color: #0096FF;">

By the division algorithm every integer is in one of

$\overline{0}, \overline{1}, \dotsc, \overline{m - 1}$

This is called a _complete system of residues modulo_ $m$.

</div>

Arithmetic can be performed on residue classes just as if they were numbers.

The residue class $\bar{0}$ behaves like the number $0$, since $\bar{0}$ is the set of multiples of $m$, and adding any one of them to an element of $\bar{r}$ does not change the remainder.

Thus for any $r$

$\bar{0} + \bar{r} = \bar{r} = \bar{r} + \bar{0}$

Suppose we are given any two residue classes $\bar{r}$ and $\bar{s}$ modulo $m$:

$
\begin{aligned}
\bar{r} &= \{ x \in \mathbb{Z} : m \mid (x - r) \} \\
\bar{s} &= \{ y \in \mathbb{Z} : m \mid (y - r) \} \\
\end  {aligned}
$

Let $t$ be the remainder of $r + s$ on division by $m$:

$r + s = mz + t$

Then the elements of $\bar{r}$ and $\bar{s}$ are of the form $r + mx$ and $s + my$ and it is known that $r + s = t + mz$ for some $z$. Thus

$
\begin{aligned}
r + mx + s + my = t + m(x + y + z) \in \bar{t}
\end  {aligned}
$

Thus it makes sense to write $\bar{r} + \bar{s} = \bar{t}$ and then we have $\bar{r} + \bar{s} = \bar{s} + \bar{r}$.

It is also the case that $\overline{r} + \overline{-r} = \overline{0}$

---

### Congruence

<span style="color: #0096FF;"><b>CONGRUENCE RELATION</b></span>

<div style="color: #0096FF;">

If $a$ and $b$ are integers and $m$ is a positive integer then $a$ _is congruent to_ $b$ _modulo_ $m$ if $m$ divides $a - b$. (Another way to state this is as follows: Let $m \in \mathbb{N}$. If two integers $a$ and $b$ satisfy $m \mid a - b$ then...)

</div>

$
\begin{aligned}
a \equiv b \mod m &\iff m | (a - b) &&\iff a = b + km \\
a \equiv 0 \mod m &\iff m | a       &&\iff a = km \\
a \equiv 1 \mod m &\iff m | (a - 1) &&\iff a = 1 + km \\
\end  {aligned}
$

We say that $a \equiv b \mod m$ is a _congruence_ and that $m$ is its _modulus_.

<div style="color: #50C878;"><b>Example</b></div>

$253 \equiv 13 \,(\text{mod } 60)$ because $253 - 13$ is a multiple of $60$. ($253$ minutes is $4$ hours and $13$ minutes.)

$59 \equiv -1 \,(\text{mod } 60)$ because $59 - (-1)$ is a multiple of $60$. (When it's $59$ minutes past the hour it's also one minute short of the next hour.)

<span style="color: #0096FF;"><b>THEOREM</b></span> [Rosen]

$a \equiv b \mod m$ represents a relation on the set of integers.

$a \textbf{ mod } m = b$ represents a function.

<div style="color: #0096FF;">

Let $a$ and $b$ be integers and $m$ be a positive integer. Then $a \equiv b \mod m$ iff $a \textbf{ mod } m = b \textbf{ mod } m$. ("a and b are congruent modulo m iff a and b have the same remainder when divided by m")

</div>

#### Properties of the congruence relation

Reflexivity

$x \equiv x \mod m$

Symmetry

$x \equiv y \mod m \iff y \equiv x \mod m$

Transitivity

If $x \equiv y \mod m$ and $y \equiv z \mod m$ then $x \equiv z \mod m$.

Congruences modulo $m$ partition the integers into equivalence classes.

Additions preserve congruence

If $x \equiv y \mod m$ and $z \equiv t \mod m$ then $x + z \equiv y + t \mod m$.

Multiplications preserve congruences

If $x \equiv y \mod m$ and $z \equiv t \mod m$ then $xz \equiv yt \mod m$.

If $x \equiv y \mod m$ then for any $n \in \mathbb{N}$ it is the case that $x^n \equiv y^n \mod m$ (using induction on $n$).

If $f$ is a polynomial with integer coefficients and $x \equiv y \mod m$ then $f(x) \equiv f(y) \mod m$.

**Associativity**

$x + (y + z) \equiv (x + y) + z \quad(\text{mod } N)$

**Commutativity**

$xy \equiv yz \quad(\text{mod } N)$

**Distributivity**

$x(y + z) \equiv xy + xz \quad(\text{mod } N)$

The four rules imply that while performing a sequence of arithmetic operations it is legal to reduce intermediate results to their remainders modulo $N$ at any stage:

$2^{345} \equiv (2^5)^{69} \equiv 32^{69} \equiv 1^{69} \equiv 1 \quad(\text{mod } 31)$

---

### Modular Arithmetic

Modular arithmetic operates with the remainders of integers when they are divided by a fixed positive integer called the modulus.
For the applications such as primality testing and cryptography it is necessary to deal with numbers which are much larger than 32 bits but whose range is nonetheless limited. Modular arithmetic is a system for dealing with restricted ranges of integers.

Ways to think about modular arithmetic
* modular arithmetic limits numbers to a predefined range $\{ 0, 1, \dotsc, N - 1 \}$ and wraps around whenever you try to leave this range.
* modular arithmetic deals with all the integers, but divides them into $N$ equivalence classes each of the form $\{ i + kN : k \in \mathbb{Z} \}$ for some $i$ between $0$ and $N - 1$

#### Modular Addition

To add two numbers $x$ and $y$ modulo $N$ we start with regular addition. $x$ and $y$ are each in the range $0$ to $N - 1$ so their sum is in the range $0$ to $2(N - 1)$. When the sum exceeds $N - 1$ we subtract $N$ so that it falls back into the range $0$ to $N - 1$. The overall computations consists of an addition and a possible subtraction of numbers which never exceed $2N$.

$T(n) = O(n)$ where $n = \lceil \log N \rceil$

#### Modular Multiplication

To multiply two numbers $x$ and $y$ modulo $N$, we start with regular multiplication and then reduce the answer modulo $N$. The product can be as large as $(N - 1)^2$ but this is still at most $2n$ bits long since $\log (N - 1)^2 = 2 \log (N - 1) \le 2n$. To reduce the answer modulo $N$ we compute the remainder upon dividing it by $N$ using the quadratic-time division algorithm. Multiplication thus remains a quadratic operation.

**Complexity**

$T(n) = \underbrace{\quad\quad O(n^2) \quad\quad}_{\text{multiplication}} + \underbrace{\quad\quad O(n^2) \quad\quad}_{\text{reduction modulo \textit{N} via division}} = O(n^2)$

#### Modular Division

In ordinary arithmetic there is just one tricky case--division by zero. In modular arithmetic there are other tricky cases.

When division is legal, its running time is

$T(n) = O(n^3)$

#### Modular Exponentiation

Can $x^y \mod N$ be computed quickly for values of $x$, $y$, and $N$ that are several hundred bits long? The result is some number modulo $N$ and is therefore itself a few hundred bits long. The raw value $x^y$ could be much longer. When $x$ and $y$ are just $20\text{-b}$ numbers $x^y$ is at least $(2^{19})^{2^{19}} = 2^{(19)(524,288)}$ which is about ten million bits long. Imagine what would happen if $y$ is a $500\text{-b}$ number. To make sure the numbers we are dealing with never grow too large, we need to perform all intermediate computations modulo $N$.

Calculate $x^y \mod N$ by repeatedly multiplying by $x \mod N$. The resulting sequence of intermediate products $x \mod N \to x^2 \mod N \to \dotsb \to x^y \mod N$ consists of numbers smaller than $N$, so the individual multiplications do not take too long. But if $y$ is $500$ bits long we need to perform $y - 1 \approx 2^{500}$ multiplications which is exponential in the size of $y$.

It will be better to start with $x$ and repeatedly square modulo $N$: $x \mod N \to x^2 \mod N \to x^4 \mod N \to x^8 \mod N \to \dotsb \to x^{2^{\lfloor \log y \rfloor}} \mod N$.

Each squaring takes $O(\log^2 N)$ and there are $\log y$ multiplications

To determine $x^y \mod N$ multiply together the subset of these powers corresponding to $1$ s in the binary representation of $y$.

EXAMPLE

algorithm decomposition

$x^{25} = x^{11001_2} = x^{10000_2} \cdot x^{1000_2} \cdot x^{1_2} = x^{16} \cdot x^8 \cdot x^1$

For multiplication the terms $x \cdot 2^i$ come from repeated doubling. For exponentiation the terms $x^{2^i}$ come from repeated squaring

This algorithm implements the following recursive rule.

$
x^y =
\begin{cases}
        (x^{\lfloor y/2 \rfloor})^2 & \text{if \textit{y} is even} \\
x \cdot (x^{\lfloor y/2 \rfloor})^2 & \text{if \textit{y} is odd}  \\
\end  {cases}
$

```c
 INPUT    two n-bit integers x and N, and an integer exponent y
OUTPUT    x^y mod N

MODEXP (x, y, N)
1    if y = 0
2        return 1
3
4    z = MODEXP(x, floor(y/2), N)
5
6    if even(y)
7        return  z^2 mod N
8    else
9        return xz^2 mod N
```

**Correctness**

The recursive rule is <span style="color: red;">transparently</span> correct. Checking that the algorithm is correct is a matter of verifying that it mimics the rule and that it handles the base case $y = 1$ properly.

**Complexity**

Let $n$ be the size in bits of $x$, $y$, and $N$ (whichever is the largest of the three). As with multiplication, the algorithm will halt after at most $n$ recursive calls and during each call it multiplies $n$-bit numbers (doing computation modulo $N$ saves us here) for a total running time of

$T(n) = \underbrace{\quad\quad O(n) \quad\quad}_{\text{recursive calls}} \times \underbrace{\quad\quad O(n^2) \quad\quad}_{\text{multiplication}} = O(n^3)$

---

### Reduced Residues

<span style="color: #0096FF;"><b>THEOREM</b></span> [Vaughan Theorem 3.]

<div style="color: #0096FF;">

Suppose that $m \in \mathbb{N}$, $k \in \mathbb{Z}$, $\gcd(k, m) = 1$, and

$\overline{a_1}, \overline{a_2}, \dotsc, \overline{a_m}$

forms a complete system of residues modulo $m$. Then so does

$\overline{ka_1}, \overline{ka_2}, \dotsc, \overline{ka_m}$

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

<div style="color: red;">

Since there are $m$ residue classes it need only be checked that they are disjoint.
</div>

Consider any two residue classes $\overline{ka_i}$ and $\overline{ka_j}$ and let $ka_i + mx$ and $ka_j + my$ be typical members of each, respectively.

If they were the same integer then $ka_i + mx = ka_j + my \iff ka_i - ka_j = my - mx \iff k(a_i - a_j) = m(y - x)$.

But then $m \mid k(a_i - a_j)$ and since $\gcd(k, m) = 1$ it would be the case that $m \mid a_i - a_j$; that $\overline{a_i}$ and $\overline{a_j}$ be the same residue class; and that $i = j$.

$\blacksquare$

<span style="color: #50C878;"><b>$\bar{0}, \bar{1}, \bar{2}$ is a complete system of residues modulo $m$</b></span>

$
\begin{aligned}
\bar{0} &= \{ x \in \mathbb{Z} : 3 \mid (x - 0) \} = \{ 3x \} \\
\bar{1} &= \{ x \in \mathbb{Z} : 3 \mid (x - 1) \} = \{ 3x + 1 \} \\
\bar{2} &= \{ x \in \mathbb{Z} : 3 \mid (x - 2) \} = \{ 3x + 2 \} \\
\end  {aligned}
$

$\gcd(2, 3) = 1$

$
\begin{aligned}
\bar{0} &= \{ x \in \mathbb{Z} : 3 \mid (x - 0) \} = \{ 3x \} \\
\bar{2} &= \{ x \in \mathbb{Z} : 3 \mid (x - 2) \} = \{ 3x + 2 \} \\
\bar{4} &= \{ x \in \mathbb{Z} : 3 \mid (x - 4) \} = \{ 3x + 4 \} = \{ 3(x + 1) + 1 \} = \{ 3x + 1 \} \\
\end  {aligned}
$

<span style="color: #0096FF;"><b>ARITHMETIC FUNCTION</b></span>

<div style="color: #0096FF;">

A function defined on $\mathbb{N}$ is called arithmetic.
</div>

<span style="color: #0096FF;"><b>TOTIENT FUNCTION</b></span>

<div style="color: #0096FF;">

Euler's totient function $\phi(n)$ is the number of $x \in \mathbb{N}$ with $1 \le x \le n$ and $\gcd(x, n) = 1$.
</div>

If $p$ is prime then all the $x$ with $1 \le x \le p - 1$ satisfy $\gcd(x, p) = 1$, but $\gcd(p, p) = p \ne 1$. Thus $\boxed{\phi(p) = p - 1}$.

<span style="color: #50C878;"><b>$\phi(n)$ up to $30$</b></span>

$
\begin{aligned}
\phi( 1) &=&  1 &&& \gcd(1, 1) = 1 \\
\phi( 2) &=&  1 &&& \\
\phi( 3) &=&  2 &&& \\
\phi( 4) &=&  2 &&& \{ 1, 3 \} \\
\phi( 5) &=&  4 &&& \\
\phi( 6) &=&  2 &&& \{ 1, 5 \} \\
\phi( 7) &=&  6 &&& \\
\phi( 8) &=&  4 &&& \{ 1, 3, 5, 7 \} \\
\phi( 9) &=&  6 &&& \{ 1, 2, 4, 5, 7, 8 \} \\
\phi(10) &=&  4 &&& \{ 1, 3, 7, 9 \} \\
\phi(11) &=& 10 &&& \\
\phi(12) &=&  4 &&& \{ 1, 5, 7, 11 \} \\
\phi(13) &=& 12 &&& \\
\phi(14) &=&  6 &&& \{ 1, 3, 5, 9, 11, 13 \} \\
\phi(15) &=&  8 &&& \{ 1, 2, 4, 7, 8, 11, 13, 14 \} \\
\phi(16) &=&  8 &&& \{ 1, 3, 5, 7, 9, 11, 13, 15 \} \\
\phi(17) &=& 16 &&& \\
\phi(18) &=&  6 &&& \{ 1, 5, 7, 11, 13, 17 \} \\
\phi(19) &=& 18 &&& \\
\phi(20) &=&  8 &&& \{ 1, 3, 7, 9, 11, 13, 17, 19 \} \\
\phi(21) &=& 12 &&& \{ 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 \} \\
\phi(22) &=& 10 &&& \{ 1, 3, 5, 7, 9, 13, 15, 17, 19, 21 \} \\
\phi(23) &=& 22 &&& \\
\phi(24) &=&  8 &&& \{ 1, 5, 7, 11, 13, 17, 19, 23 \} \\
\phi(25) &=& 20 &&& \{ 1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14, 16, 17, 18, 19, 21, 22, 23, 24 \} \\
\phi(26) &=&    &&& \\
\phi(27) &=&    &&& \\
\phi(28) &=&    &&& \\
\phi(29) &=& 28 &&& \\
\phi(30) &=&  8 &&& \{ 1, 7, 11, 13, 17, 19, 23, 29 \} \\
\end  {aligned}
$

<span style="color: #0096FF;"><b>SET OF REDUCED RESIDUES MODULO M</b></span>

<div style="color: #0096FF;">

A set of $\phi(m)$ distinct residue classes $\bar{r}$ modulo $m$ with $\gcd(r, m) = 1$ is called a set of reduced residues modulo $m$.

</div>

One way of thinking about reduced residues is to start from a complete set of fractions with denominator $m$ in the interval $(0, 1]$

$
\begin{aligned}
\frac{1}{m}, \frac{2}{m}, \dotsc, \frac{m}{m}
\end  {aligned}
$

and remove just the ones whose numerator has a common factor $d \gt 1$ with $m$. What is left are the $\phi(m)$ reduced fractions with denominator $m$. Alternatively instead of removing the non-reduced ones we just write them in their lowest form. Then for each divisor $k$ of $m$ we obtain all the reduced fractions with denominator $k$.

<div class="full-width">

$
\begin{aligned}
\frac{1}{30} && \frac{2}{30} && \frac{3}{30} && \frac{4}{30} && \frac{5}{30} && \frac{6}{30} && \frac{7}{30} && \frac{8}{30} && \frac{9}{30} && \frac{10}{30} && \frac{11}{30} && \frac{12}{30} && \frac{13}{30} && \frac{14}{30} && \frac{15}{30} && \frac{16}{30} && \frac{17}{30} && \frac{18}{30} && \frac{19}{30} && \frac{20}{30} && \frac{21}{30} && \frac{22}{30} && \frac{23}{30} && \frac{24}{30} && \frac{25}{30} && \frac{26}{30} && \frac{27}{30} && \frac{28}{30} && \frac{29}{30} && \frac{30}{30} \\
\\
\frac{1}{30} && && && && && && \frac{7}{30} && && && && \frac{11}{30} && && \frac{13}{30} && && && && \frac{17}{30} && && \frac{19}{30} && && && && \frac{23}{30} && && && && && && \frac{29}{30} && \\
\\
\frac{1}{30} && \frac{1}{15} && \frac{1}{10} && \frac{2}{15} && \frac{1}{6} && \frac{1}{5} && \frac{7}{30} && \frac{4}{15} && \frac{3}{10} && \frac{1}{3} && \frac{11}{30} && \frac{2}{5} && \frac{13}{30} && \frac{7}{15} && \frac{1}{2} && \frac{8}{15} && \frac{17}{30} && \frac{3}{5} && \frac{19}{30} && \frac{2}{3} && \frac{7}{10} && \frac{11}{15} && \frac{23}{30} && \frac{4}{5} && \frac{5}{6} && \frac{13}{15} && \frac{9}{10} && \frac{14}{15} && \frac{29}{30} && 1 \\
\end  {aligned}
$

$
\begin{aligned}
k &=  1 && 1                                                                                                                    & \phi( 1) = 1 \\
k &=  2 && \frac{1}{ 2}                                                                                                         & \phi( 2) = 1 \\
k &=  3 && \frac{1}{ 3}, \frac{2}{ 3}                                                                                           & \phi( 3) = 2 \\
k &=  5 && \frac{1}{ 5}, \frac{2}{ 5}, \frac{ 3}{ 5}, \frac{ 4}{ 5}                                                             & \phi( 5) = 4 \\
k &=  6 && \frac{1}{ 6}, \frac{5}{ 6}                                                                                           & \phi( 6) = 2 \\
k &= 10 && \frac{1}{10}, \frac{3}{10}, \frac{ 7}{10}, \frac{ 9}{10}                                                             & \phi(10) = 4 \\
k &= 15 && \frac{1}{15}, \frac{2}{15}, \frac{ 4}{15}, \frac{ 7}{15}, \frac{ 8}{15}, \frac{11}{15}, \frac{13}{15}, \frac{14}{15} & \phi(15) = 8 \\
k &= 30 && \frac{1}{30}, \frac{7}{30}, \frac{11}{30}, \frac{13}{30}, \frac{17}{30}, \frac{19}{30}, \frac{23}{30}, \frac{29}{30} & \phi(30) = 8 \\
\end  {aligned}
$

$
\begin{aligned}
\sum_{k \mid 30} \phi(k) = 30 = \phi(1) + \phi(2) + \phi(3) + \phi(5) + \phi(6) + \phi(10) + \phi(15) + \phi(30)
\end  {aligned}
$

</div>

<span style="color: #0096FF;"><b>THEOREM</b></span> [Vaughan Theorem 3.7]

<div style="color: #0096FF;">

For each $m \in \mathbb{N}$ we have

$
\begin{aligned}
\sum_{k \mid m} \phi(k) = m = \phi(1) + \phi(2) + \dotsb + \phi(m)
\end  {aligned}
$

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

See the above.

$\blacksquare$

<span style="color: #0096FF;"><b>THEOREM</b></span> [Vaughan Theorem 3.9]

<div style="color: #0096FF;">

Suppose that $\gcd(k, m) = 1$ and that

$a_1, a_2, \dotsc, a_{\phi(m)}$

forms a set of reduced residue classes modulo $m$. Then

$ka_1, ka_2, \dotsc, ka_{\phi(m)}$

also forms a set of reduced residue classes modulo $m$.

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

<div style="color: red;">

In view of the earlier theorem the residue classes $ka_j$ are distinct, and since $\gcd(a_j, m) = 1$ it is the case that $(ka_j, m) = 1$, so they give $\phi(m)$ distinct reduced residue classes. So they are all of them in some order.</div>

$\blacksquare$

<span style="color: #0096FF;"><b>THEOREM</b></span> [Vaughan Theorem 3.10]

<div style="color: #0096FF;">

Suppose $m, n \in \mathbb{N}$ and $\gcd(m, n) = 1$, and consider the $xn + ym$ with $1 \le x \le m$ and $1 \le y \le n$. Then they form a complete set of residues modulo $mn$. If in addition $x$ and $y$ satisfy $\gcd(x, m) = 1$ and $\gcd(y, n) = 1$ then they form a reduced set.

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

<div style="color: red;">

If $xn + ym \equiv x'n + y'm \mod mn$ then $xn \equiv x'n \mod m$, so $x \equiv x' \mod m$, $x = x'$. Likewise $y = y'$. Hence in either case the $xn + ym$ are distinct modulo $mn$.

In the unrestricted case we have $mn$ objects, so they form a coomplete set.

In the restricted case $\gcd(xn + ym, m) = \gcd(xn, m) = \gcd(x, m) = 1$ and likewise $\gcd(xn + ym, n) = 1$, so $\gcd(xn + ym, mn) = 1$ and the $xn + ym$ all belong to reduced residue classes.

Now let $\gcd(z, mn) = 1$. Choose $x', y', x, y$ so that

$
\begin{aligned}
x'n + y'm &= 1 \\
x &\equiv x'z \mod m \\
y &\equiv y'z \mod n \\
\end  {aligned}
$

Then $xn + ym \equiv x'zn + y'zm = z \mod mn$ and hence every reduced residue is included.

$\blacksquare$

</div>

<span style="color: #50C878;"><b>$6x + 5y \mod 30$</b></span>

$
\begin{array}{cc|cccc|}
  & x & 1 & 2 & 3 & 4 & 5 \\
y & \\ \hline
1 & & 11 & 17 & 23 & 29 &  5 \\ \hline
2 & & 16 & 22 & 28 &  4 & 10 \\
3 & & 21 & 27 &  3 &  9 & 15 \\
4 & & 26 &  2 &  8 & 14 & 20 \\ \hline
5 & &  1 &  7 & 13 & 19 & 25 \\ \hline
6 & &  6 & 12 & 18 & 24 & 30 \\
\end  {array}
$

The $30$ numbers $1$ through $30$ each appear exactly once. The $8$ reduced residue classes occur precisely in the intersection of rows $1$ and $5$ and columns $1$ through $4$.

$\gcd(x = 1, 2, 3, 4, m = 5) = \gcd(y = 1, 5, n = 6)$

<span style="color: #0096FF;"><b>THEOREM</b></span> [Vaughan Corollary 3.12]

<div style="color: #0096FF;">

If $\gcd(m, n) = 1$ then $\phi(mn) = \phi(m) \phi(n)$.

</div>

$
\begin{aligned}
\gcd( 1, n) = 1 && \phi(  n) &= \phi( 1) \phi( n) &&=  \phi(n) \\
\gcd( 2, n) = 1 && \phi( 2n) &= \phi( 2) \phi( n) &&=  \phi(n) \\
\gcd( 3, n) = 1 && \phi( 3n) &= \phi( 3) \phi( n) &&= 2\phi(n) \\
\gcd( 4, n) = 1 && \phi( 4n) &= \phi( 4) \phi( n) &&= 2\phi(n) \\
\gcd( 5, n) = 1 && \phi( 5n) &= \phi( 5) \phi( n) &&= 4\phi(n) \\
\gcd( 6, n) = 1 && \phi( 6n) &= \phi( 6) \phi( n) &&= 2\phi(n) \\
\gcd( 7, n) = 1 && \phi( 7n) &= \phi( 7) \phi( n) &&= 6\phi(n) \\
\gcd( 8, n) = 1 && \phi( 8n) &= \phi( 8) \phi( n) &&= 4\phi(n) \\
\gcd( 9, n) = 1 && \phi( 9n) &= \phi( 9) \phi( n) &&= 6\phi(n) \\
\gcd(10, n) = 1 && \phi(10n) &= \phi(10) \phi( n) &&= 4\phi(n) \\
\end  {aligned}
$

<span style="color: #0096FF;"><b>MULTIPLICATIVE FUNCTION</b></span> [Vaughan Definition 3.13]

<div style="color: #0096FF;">

If an arithmetical function $f$ which is not identically $0$ satisfies

$f(mn) = f(m) f(n)$

whenever $\gcd(m, n) = 1$ then $f$ is called multiplicative.

</div>

<span style="color: #0096FF;"><b>COROLLARY</b></span> [Vaughan Corollary 3.14]

<div style="color: #0096FF;">

Euler's function is multiplicative.

</div>

<span style="color: #0096FF;"><b>THEOREM</b></span> [Vaughan Theorem 3.15]

<div style="color: #0096FF;">

If $n = p^k$ then the number of reduced residue classes modulo $p^k$ is the number of $x$ with $1 \le x \le p^k$ and $p \nmid x$.

This is $p^k - N$ where $N$ is the number of $x$ with $1 \le x \le p^k$ and $p \mid x$, and $N = p^{k - 1}$. Thus

$\phi(p^k) = p^k - p^{k - 1} = p^k (1 - 1/p)$

Let $n \in N$. Then

$
\begin{aligned}
\phi(n) = n \prod_{p \mid n} (1 - 1/p)
\end  {aligned}
$

where when $n = 1$ we interpret the product as an empty product $1$.

Note that $\phi(n^2) \ne \phi(n)^2$.

</div>

<span style="color: #50C878;"><b>EXAMPLE</b></span>

$
\begin{aligned}
n = 2^2 &=     4 &&&     2 = 2   \times 1 &= 2^2 - 2   &&= | \{ 1, 3 \} | \\
n = 2^3 &=     8 &&&     4 = 2^2 \times 1 &= 2^3 - 2^2 &&= | \{ 1, 3, 5, 7 \} | \\
n = 2^4 &=    16 &&&     8 = 2^3 \times 1 &= 2^4 - 2^3 &&= | \{ 1, 3, 5, 7, 9, 11, 13, 15 \} | \\
n = 2^5 &=    32 &&&    16 = 2^4 \times 1 &= 2^5 - 2^4 &&= \dots \\
n = 2^6 &=    64 &&&    32 = 2^5 \times 1 &= 2^6 - 2^5 &&= \dots \\
\\
n = 3^2 &=     9 &&&     6 = 3   \times 2 &= 3^2 - 3   &&= | \{ 1, 2, 4, 5, 7, 8 \} | \\
n = 3^3 &=    27 &&&    18 = 3^2 \times 2 &= 3^3 - 3^2 &&= | \{ 1, 2, 4, 5, 7, 8, 10, 11, 13, 14, 16, 17, 19, 20, 22, 23, 25, 26 \} | \\
n = 3^4 &=    81 &&&    54 = 3^3 \times 2 &= 3^4 - 3^3 &&= \dots \\
n = 3^5 &=   243 &&&   162 = 3^4 \times 2 &= 3^5 - 3^4 &&= \dots \\
n = 3^6 &=   729 &&&   486 = 3^5 \times 2 &= 3^6 - 3^5 &&= \dots \\
\\
n = 5^2 &=    25 &&&    20 = 5   \times 4 &= 5^2 - 5   &&= | \{ 1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14, 16, 17, 18, 19, 21, 22, 23, 24 \} | \\
n = 5^3 &=   125 &&&   100 = 5^2 \times 4 &= 5^3 - 5^2 &&= \dots \\
n = 5^4 &=   625 &&&   500 = 5^3 \times 4 &= 5^4 - 5^3 &&= \dots \\
n = 5^5 &=  3125 &&&  2500 = 5^4 \times 4 &= 5^5 - 5^4 &&= \dots \\
n = 5^6 &= 15625 &&& 12500 = 5^5 \times 4 &= 5^6 - 5^5 &&= \dots \\
\end  {aligned}
$

$
\begin{aligned}
\phi( 1) &=  1 \prod_{p \mid  1} (1 - 1/p)                                          && := &  1 \\
\phi( 2) &=  2 \prod_{p \mid  2} (1 - 1/p) =  2 \times (1 - 1/ 2)                   &&  = &  1 \\
\phi( 3) &=  3 \prod_{p \mid  3} (1 - 1/p) =  3 \times (1 - 1/ 3)                   &&  = &  2 \\
\phi( 4) &=  4 \prod_{p \mid  4} (1 - 1/p) =  4 \times (1 - 1/ 2)                   &&  = &  2 \\
\phi( 5) &=  5 \prod_{p \mid  5} (1 - 1/p) =  5 \times (1 - 1/ 5)                   &&  = &  4 \\
\phi( 6) &=  6 \prod_{p \mid  6} (1 - 1/p) =  6 \times (1 - 1/ 2)(1 - 1/3)          &&  = &  2 \\
\phi( 7) &=  7 \prod_{p \mid  7} (1 - 1/p) =  7 \times (1 - 1/ 7)                   &&  = &  6 \\
\phi( 8) &=  8 \prod_{p \mid  8} (1 - 1/p) =  8 \times (1 - 1/ 2)                   &&  = &  4 \\
\phi( 9) &=  9 \prod_{p \mid  9} (1 - 1/p) =  9 \times (1 - 1/ 3)                   &&  = &  6 \\
\phi(10) &= 10 \prod_{p \mid 10} (1 - 1/p) = 10 \times (1 - 1/ 2)(1 - 1/5)          &&  = &  4 \\
\phi(11) &= 11 \prod_{p \mid 11} (1 - 1/p) = 11 \times (1 - 1/11)                   &&  = & 10 \\
\phi(12) &= 12 \prod_{p \mid 12} (1 - 1/p) = 12 \times (1 - 1/ 2)(1 - 1/3)          &&  = &  4 \\
\phi(13) &= 13 \prod_{p \mid 13} (1 - 1/p) = 13 \times (1 - 1/13)                   &&  = & 12 \\
\phi(14) &= 14 \prod_{p \mid 14} (1 - 1/p) = 14 \times (1 - 1/ 2)(1 - 1/7)          &&  = &  6 \\
\phi(15) &= 15 \prod_{p \mid 15} (1 - 1/p) = 15 \times (1 - 1/ 3)(1 - 1/5)          &&  = &  8 \\
\phi(16) &= 16 \prod_{p \mid 16} (1 - 1/p) = 16 \times (1 - 1/ 2)                   &&  = &  8 \\
\phi(17) &= 17 \prod_{p \mid 17} (1 - 1/p) = 17 \times (1 - 1/17)                   &&  = & 16 \\
\phi(18) &= 18 \prod_{p \mid 18} (1 - 1/p) = 18 \times (1 - 1/ 2)(1 - 1/3)          &&  = &  6 \\
\phi(19) &= 19 \prod_{p \mid 19} (1 - 1/p) = 19 \times (1 - 1/19)                   &&  = & 18 \\
\phi(20) &= 20 \prod_{p \mid 20} (1 - 1/p) = 20 \times (1 - 1/ 2)(1 - 1/5)          &&  = &  8 \\
\phi(21) &= 21 \prod_{p \mid 21} (1 - 1/p) = 21 \times (1 - 1/ 3)(1 - 1/7)          &&  = & 12 \\
\phi(22) &= 22 \prod_{p \mid 22} (1 - 1/p) = 22 \times (1 - 1/ 2)(1 - 1/11)         &&  = & 10 \\
\phi(23) &= 23 \prod_{p \mid 23} (1 - 1/p) = 23 \times (1 - 1/23)                   &&  = & 22 \\
\phi(24) &= 24 \prod_{p \mid 24} (1 - 1/p) = 24 \times (1 - 1/ 2)(1 - 1/3)          &&  = &  8 \\
\phi(25) &= 25 \prod_{p \mid 25} (1 - 1/p) = 25 \times (1 - 1/ 5)                   &&  = & 20 \\
\phi(26) &= 26 \prod_{p \mid 26} (1 - 1/p) = 26 \times (1 - 1/ 2)(1 - 1/13)         &&  = & 12 \\
\phi(27) &= 27 \prod_{p \mid 27} (1 - 1/p) = 27 \times (1 - 1/ 3)                   &&  = & 18 \\
\phi(28) &= 28 \prod_{p \mid 28} (1 - 1/p) = 28 \times (1 - 1/ 2)(1 - 1/7)          &&  = & 12 \\
\phi(29) &= 29 \prod_{p \mid 29} (1 - 1/p) = 29 \times (1 - 1/29)                   &&  = & 28 \\
\phi(30) &= 30 \prod_{p \mid 30} (1 - 1/p) = 30 \times (1 - 1/ 2)(1 - 1/3)(1 - 1/5) &&  = &  8 \\
\end  {aligned}
$

---

<span style="color: #0096FF;"><b>EULER'S THEOREM</b></span> [Vaughan Theorem 3.17]

<div style="color: #0096FF;">

Suppose that $m \in \mathbb{N}$ and $a \in \mathbb{Z}$ with $\gcd(a, m) = 1$. Then

$a^{\phi(m)} \equiv 1 \mod m$

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

Let $a_1, a_2, \dotsc, a_{\phi(m)}$ be a reduced set modulo $m$.

Then $aa_1, aa_2, \dotsc, aa_{\phi(m)}$ is another. Hence

$
\begin{aligned}
a_1 a_2 \dots a_{\phi(m)} &\equiv aa_1 aa_2 \dots aa_{\phi(m)}             & \mod m \\
                          &\equiv  a_1  a_2 \dots  a_{\phi(m)} a^{\phi(m)} & \mod m \\
                        1 &\equiv                  a^{\phi(m)}             & \mod m && \text{since } \gcd(a_1 a_2 \dots a_{\phi(m)}, m) = 1 \\
\end  {aligned}
$

$\blacksquare$

<span style="color: #50C878;"><b>Example</b></span>

$
\begin{aligned}
m &= 17        & a &= 3 & 3^{16}    &\equiv 1 \mod 17 \\
m &= 341561645 & a &= 2 & 2^{m - 1} &\equiv 1 \mod m  \\
\end  {aligned}
$

<span style="color: #0096FF;"><b>FERMAT'S LITTLE THEOREM</b></span> [Vaughan Corollary 3.18]

<div style="color: #0096FF;">

Let $p$ be a prime and $a \in \mathbb{Z}$. Then

$a^p \equiv a \mod p$

If $p \nmid a$ then

$a^{p - 1} \equiv 1 \mod p$

</div>

"If $p$ is prime and $p$ does not divide $a$ then $a^{p - 1} \equiv 1 \mod p$"

The converse of this statement will lead us to the notion of Fermat pseudoprimes.

<span style="color: #50C878;"><b>Example</b></span>

$
\begin{aligned}
p &= 17, a = 3 && 3^{17} \equiv 3 \mod 17 \\
\end  {aligned}
$

---

### Fermat pseudoprimes


Pseudoprimes are composite integers masquerading as primes.

Could Fermat's theorem give us a primality test? Unfortunately, it is possible that

$a^{n - 1} \equiv 1 \mod n$

when $n$ is ___not prime___, although this is rare. For example, when $n = 341,561,645$ then

$2^{n - 1} \equiv 1 \mod n$

Such $n$ are called (Fermat) pseudoprimes.

<span style="color: #0096FF;"><b>FERMAT PSEUDOPRIME</b></span>

<div style="color: #0096FF;">

A pseudoprime $m$ to the base $a$ is a composite integer $m$ that masquerades as a prime by satisfying the congruence

$a^{m - 1} \equiv 1 \mod m$

</div>

<div style="color: red;">

There are $245$ pseudoprimes less than $10^6$ (compared to $78498$ primes less than $10^6$).

</div>

<span style="color: #50C878;"><b>Base-2 Fermat Pseudoprimes</b></span>

$
\begin{aligned}
n &= 341       &&= 11 \times 31                       & 2^{341 - 1} &\equiv 1 \mod 341 \\
n &= 341561645 &&= 5 \times 67 \times 773 \times 1319 & 2^{n - 1}   &\equiv 1 \mod n \\
\end  {aligned}
$

$3^{341 - 1} \equiv 56 \ne 1 \mod 341$ suggests a possible primality test.

Given $n$, try trial division a few times (say for $d = 2, 3, 5, 7$) and then check $a^{n - 1} \equiv 1 \mod n$ successively for $a = 2, 3, 5, 7$.

Unfortunately, one still encounters false positives.

$561 = 3 \times 11 \times 17$ satisfies $a^{560} \equiv 1 \mod 561$ for all $a$ with $\gcd(a, 561) = 1$.

---

### Carmichael Numbers

<span style="color: #0096FF;"><b>CARMICHAEL NUMBER</b></span> [Vaughan Definition 3.19]

<div style="color: #0096FF;">

A composite $n$ which satisfies $a^{n - 1} \equiv 1 \mod n$ for all $a$ with $\gcd(a, n) = 1$ is called a Carmichael number.

</div>

"A Carmichael number is a composite integer that is a pseudoprime to all bases $a$ coprime prime to it."

There are infinitely many Carmichael numbers. The smallest is $561$ and there are $2163$ of them below $25 \times 10^9$.

---

### Mersenne Primes

<span style="color: #0096FF;"><b>MERSENNE PRIME</b></span> [Vaughan Definition 3.20]

<div style="color: #0096FF;">

Define $M(n) = 2^n - 1$. If it is prime then it is a Mersenne prime.

</div>

If $n = ab$ then $M(ab) = (2^a - 1)(2^{a(b - 1)} + \dotsb + 2^a + 1)$.

Thus for $M(n)$ to be prime it is necessary that $n$ be prime. However, that is not sufficient.

<span style="color: #50C878;"><b>Example</b></span>

$
\begin{aligned}
M( 2) &=& 2^2    - 1 &=&    3 &                                && \text{} \\
M( 3) &=& 2^3    - 1 &=&    7 &                                && \text{} \\
M( 5) &=& 2^5    - 1 &=&   31 &                                && \text{} \\
M( 7) &=& 2^7    - 1 &=&  127 &                                && \text{} \\
M(11) &=& 2^{11} - 1 &=& 2047 &= \textcolor{red}{23 \times 89} && \text{not a Mersenne prime} \\
\end  {aligned}
$

---
---
---

## Linear Congruence

---

Linear congruences have the form

$ax \equiv b \mod m$

To solve linear congruences, inverses modulo $m$ are employed. Work backward through the steps of the Euclidean algorithm to find inverses modulo $m$. Once an inverse of $a$ modulo $m$ has been found, solve the linear congruence by multiplying both sides by the inverse.

---

We have already solved $ax \equiv b \mod m$ in principle since it is equivalent to $ax + my = b$. (Bézout!)

<span style="color: #0096FF;"><b>THEOREM</b></span> [Vaughan Theorem 3.22]

<div style="color: #0096FF;">

The congruence $ax \equiv b \mod m$ is soluble iff $\gcd(a, m) \mid b$, and the general solution is given by the residue class $x_0$ modulo $m/\gcd(a, m)$. $x_0$ can be found by applying Euclid's algorithm.

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

<div style="color: red;">

The congruence $ax \equiv b \mod m$ is equivalent to the equation $ax + my = b$:

\begin{align}
ax \equiv b \mod m \iff m \mid (ax - b) \iff ax - b = mk \iff ax + my = b \text{ with } y = -k
\end  {align}

and there can be no solution if $\gcd(a, m) \nmid b$.

If $\gcd(a, m) \mid b$ then Euclid's algorithm solves

$
\begin{aligned}
\frac{a}{\gcd(a, m)} x + \frac{m}{\gcd(a, m)} y = \frac{b}{\gcd(a, m)}
\end  {aligned}
$

Let $x_0, y_0$ be such a solution and let $x, y$ be any solution. Then $a/\gcd(a, m)(x - x_0) \equiv 0 \mod m/\gcd(a, m)$ and since

$
\begin{aligned}
\gcd \left( \frac{a}{\gcd(a, m)}, \frac{m}{\gcd(a, m)} \right) = 1
\end  {aligned}
$

it follows that $x$ is in the residue class $x_0 \mod m/\gcd(a, m)$

</div>

$\blacksquare$

<span style="color: #0096FF;"><b>WILSON'S THEOREM</b></span> [Vaughan Theorem 3.23]

<div style="color: #0096FF;">

Let $p$ be prime. Then $(p - 1)! \equiv -1 \mod p$.

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

$
\begin{aligned}
p &= 2 && (2 - 1)! \equiv -1 \mod 2 \\
p &= 3 && (3 - 1)! \equiv -1 \mod 3 \\
\end  {aligned}
$

Suppose $p \ge 5$. Observe now that $x^2 \equiv 1 \mod p$ implies that $x \equiv \pm 1 \mod p$.

Thus the numbers $2, 3, \dotsc, p - 2$ can be paired off into $\frac{p - 3}{2}$ mutually exclusive pairs $a, b$ s.t. $ab \equiv 1 \mod p$.

Thus $(p - 1)! \equiv p - 1 \equiv -1 \mod p$

$\blacksquare$

This theorem actually gives a necessary and sufficient condition for $p$ to be prime, since if $p$ were to be composite then $\gcd((p - 1)!, p) \gt 1$. However, it is useless because $(p - 1)!$ grows very rapidly.

---

### Chinese Remainder Theorem

<span style="color: #0096FF;"><b>SYSTEM OF LINEAR CONGRUENCES</b></span>

<div style="color: #0096FF;">

$
\begin{cases}
a_1 x &\equiv b_1 \mod q_1 \\
a_2 x &\equiv b_2 \mod q_2 \\
\dots \\
a_r x &\equiv b_r \mod q_r \\
\end  {cases}
$

</div>

There can only be a solution when each individual equation is soluble, so we require $\gcd(a_j, q_j) \mid b_j$ for every $j$.

Then we know that each individual equation is soluble by some residue class modulo $q_j / \gcd(a_j, q_j)$.

Thus for some values of $c_j$ and $m_j$ this reduces to

$
\begin{cases}
x &\equiv c_1 \mod m_1 \\
\dots \\
x &\equiv c_r \mod m_r \\
\end  {cases}
$

Suppose for some $i$ and $j \ne i$ we have $\gcd(m_i, m_j) = d \gt 1$. Then $x$ has to satisfy $c_i \equiv x \equiv c_j \mod d$. This imposes conditions on $c_j$ which can get complicated. Thus it is convenient to assume that $\gcd(m_i, m_j) = 1$ when $i \ne j$.

<span style="color: #0096FF;"><b>CHINESE REMAINDER THEOREM</b></span>

The Chinese Remainder Theorem is about solving systems of linear congruences modulo pairwise coprime moduli.

<div style="color: #0096FF;">

Suppose that $\gcd(m_i, m_j) = 1$ for every $i \ne j$.

Then the system

$
\begin{cases}
x &\equiv c_1 \mod m_1 \\
\dots \\
x &\equiv c_r \mod m_r \\
\end  {cases}
$

has as its complete solution precisely the members of a unique residue class modulo $m_1 m_2 \dots m_r$.

</div>

<span style="color: #0096FF;"><b>Proof</b></span>

_EXISTENCE_

Let $M = m_1 m_2 \dots m_r$ and $M_j = M / m_j$, so that $\gcd(M_j, m_j) = 1$.

We know that there is an $N_j$ so that $M_j N_j \equiv c_j \mod m_j$. (Solve $yM_j \equiv c_j \mod m_j$ in $y$.)

Let $x$ be any member of the residue class $N_1 M_1 + \dotsb + N_r M_r \mod M$.

Then for every $j$, since $m_j \mid M_i$ when $i \ne j$ we have $x \equiv N_j M_j \equiv c_j \mod m_j$.

So the residue class $x \mod M$ gives a solution.

_UNIQUENESS_

Suppose $y$ is also a solution of the system.

Then for every $j$ we have $y \equiv c_j \equiv x \mod m_j$ and so $m_j \mid y - x$.

Since the $m_j$ are pairwise coprime we have $M \mid y - x$, so $y$ is in the residue class $x$ modulo $M$.

$\blacksquare$

<span style="color: #50C878;"><b>Example</b></span>

$
\begin{aligned}
x &\equiv \underset{c_1}{3} \mod \underset{m_1}{\phantom{2}4} \\
x &\equiv \underset{c_2}{5} \mod \underset{m_2}{21} \\
x &\equiv \underset{c_3}{7} \mod \underset{m_3}{25} \\
\end  {aligned}
$

$
\begin{aligned}
M   &=          m_1          \times m_2          \times m_3  = & 2100 \\
M_1 &= \phantom{m_1          \times}m_2          \times m_3  = &  525 \\
M_2 &=          m_1 \phantom{\times m_2}         \times m_3  = &  100 \\
M_3 &=          m_1          \times m_2 \phantom{\times m_3} = &   84 \\
\end  {aligned}
$

Solve

$
\begin{aligned}
525 N_1 &\equiv 3 \mod \phantom{2}4 \\
100 N_2 &\equiv 5 \mod 21 \\
 84 N_3 &\equiv 7 \mod 25 \\
\end  {aligned}
$

reduces to

$
\begin{aligned}
     N_1 &\equiv 3 \mod \phantom{2}4 \\
(-5) N_2 &\equiv 5 \mod 21 \\
   9 N_3 &\equiv 7 \equiv -18 \mod 25 \\
\end  {aligned}
$

$
\begin{aligned}
N_1 &= 3 \\
N_2 &= 20 \\
N_3 &= 23 \equiv -2 \mod 25 \\
\end  {aligned}
$

$
\begin{aligned}
x
&\equiv N_1 M_1 + N_2 M_2 + N_3 M_3 \mod M \\
&= 3 \times 525 + 20 \times 100 + 23 \times 84 \mod 2100 \\
&= 5507 \mod 2100 \\
&\equiv 1307 \mod 2100 \\
\end  {aligned}
$

---
---
---

## Primitive Roots

<span style="color: #0096FF;"><b>PRIMITIVE ROOT</b></span>

<div style="color: #0096FF;">

A primitive root of a prime $p$ is an integer $r$ s.t. every integer not divisible by $p$ is congruent to a power $r$ modulo $p$.

</div>

---
---
---

## Discrete Logarithms

A discrete logarithm is analogous to an ordinary logarithm.

In general, finding discrete logarithms is a difficult problem and is the basis for the security of many cryptographic systems.

<span style="color: #0096FF;"><b>DISCRETE LOGARITHM</b></span>

<div style="color: #0096FF;">

If $r$ is a primitive root of $p$ and $r^e \equiv a \mod p$ then $e$ is the discrete logarithm of $a$ modulo $p$ to the base $r$.

</div>

---
---
---

## Acknowledgements

`2006` Dasgupta, Sanjoy; Christos Papadimitriou; & Umesh Vazirani. _Algorithms_. Chapter 1. McGraw-Hill.

`2018` Rosen, Kenneth. _Discrete Mathematics and its Applications_ 8e. McGraw-Hill.

`2023` Vaughan, Robert. _A Course of Elementary Number Theory_.

---