Ctanujit Classes Of Mathematics

Statistics & Economics

Study Notes On Number Theory

1 DIVISIBILITY 1

1 Divisibility
Definition 1.1 An integer b is divisible by an integer a, written a | b, if there is
an integer x such that b = ax. We also say that b is a multiple of a, and that a
is a divisor of b.
Any integer a has ±1 and ±a as divisors. These divisors are called trivial.

The proof of the following simple properties are left to the reader.

Proposition 1.2 Let a, b and c be integers.

(i) If a | b and b 6= 0, then |a| ≤ |b|.
(ii) If a | b, then a | bc.
(iii) If a | b and b | c, then a | c.
(iv) If c | a and c | b, then c | (ax + by) for all integers x and y.
(v) If a | b and b | a, then a = ±b.
(vi) Assume c 6= 0. Then a | b if and only if ac | bc.

Definition 1.3 Every nonzero integer a has finitely many divisors. Conse-
quently, any two integers a and b, not both = 0, have finitely many common
divisors. The greatest of these is called the greatest common divisor and it is
denoted by (a, b).

In order not to have to avoid the special case a = b = 0, we also define (0, 0)
as the number 0. (One good reason for this choice will appear in Theorem 1.9.)
By definition, if at least one of the numbers a and b is nonzero, then

d = (a, b) ⇔ d | a ∧ d | b ∧ (x | a ∧ x | b ⇒ x ≤ d).

Obviously, (b, a) = (a, b) = (−a, b) = (a, −b) = (−a, −b), so when calculat-
ing the greatest common divisor of two numbers we may replace them by their
absolute values.

Example 1 The number 102 has the positive divisors 1, 2, 3, 6, 17, 34, 51, 102,
and the number −170 has the positive divisors 1, 2, 5, 10, 17, 34, 85, and 170.
The common positive divisors are 1, 2, 17, and 34. Hence (102, −170) = 34.
To determine the greatest common divisor by finding all common divisors is
obviously not a feasible method if the given numbers are large.

Proposition 1.4 For all integers n, (a, b) = (a − nb, b).

Proof. Write r = a − nb; then a = r + nb. Assuming c | b we now see from

Proposition 1.2 (iv) that c | a if and only if c | r. Consequently, the pairs a,
b and a, r have the same common divisors. In particular, they have the same
greatest common divisor.
We can extend the definition of greatest common divisor in a straightforward
way. Given n integers a1 , a2 , . . . , an not all zero, we define their greatest common
divisor (a1 , a2 , . . . , an ) to be the greatest integer which divides all the given
numbers. Finally, we define (0, 0, . . . , 0) = 0.
If (a, b) = 1 we say that a and b are relatively prime. More generally, the
integers a1 , a2 , . . . , an are called relatively prime if (a1 , a2 , . . . , an ) = 1, and they
are called pairwise relatively prime if any two of them are relatively prime.
1 DIVISIBILITY 2

Example 2 The numbers 4, 6, and 9 are relatively prime but not pairwise
relatively prime.

Theorem 1.5 (The Division Algorithm) Given integers a and b with a > 0 there
exist two unique integers q and r such that b = aq + r and 0 ≤ r < a.

The number q is called the quotient and r is called the (principal) remainder.
Obviously, q = [b/a] (= the greatest integer ≤ b/a).
Proof. Consider the arithmetic progression

. . . , b − 3a, b − 2a, b − a, b, b + a, b + 2a, b + 3a, . . .

This sequence contains a smallest non-negative number r. By definition, r =

b − qa for some integer q, and clearly 0 ≤ r < a. This proves the existence.
To prove uniqueness, suppose we also have b = aq ′ + r′ with 0 ≤ r′ < a.
Then
r − r′ = a(q ′ − q) and − a < r − r′ < a.
Thus a | (r − r′ ), and it follows that r − r′ = 0 or |a| ≤ |r − r′ |. Since the
latter case is excluded, we conclude that r − r′ = 0, that is r = r′ . Therefore
a(q − q ′ ) = 0, which implies q − q ′ = 0, i.e. q = q ′ .

More generally, we say that r′ is a remainder when b is divided by a whenever

there is an integer q ′ such that b = aq ′ + r′ without any further restriction on r′ .
If r′ is an arbitrary remainder and r is the principal remainder then obviously
r′ − r = na for some integer n, and conversely. For the principal remainder r
we either have 0 ≤ r ≤ a/2 or a/2 < r < a, and in the latter case the remainder
r′ = r − a satisfies the inequality −a/2 < r′ < 0. Hence, there is always a uniqe
remainder r satisfying the inequality −a/2 < r ≤ a/2. This is the remainder of
least absolute value. We thus have the following division algorithm, which for
some purposes is more efficient than the ordinary one.

Theorem 1.5’ (Modified Division Algorithm) Given integers a and b with a > 0
there exist two unique integers q and r such that b = aq +r and −a/2 < r ≤ a/2.

Example 3 37 = 2 · 13 + 11 = 3 · 13 − 2. 11 is the principal remainder and −2

is the remainder of least absolute value.

We now turn to an important class of subsets of Z.

Definition 1.6 A non-empty set A of integers is called an ideal if it is closed

under subtraction and under multiplication by arbitrary integers, that is if it
has the following two properties:
(i) x, y ∈ A ⇒ x − y ∈ A
(ii) x ∈ A, n ∈ Z ⇒ nx ∈ A.

Example 4 The sets {0}, Z, and {0, ±3, ±6, ±9, . . . } are ideals. More gener-
ally, given any integer g, the set A = {ng | n ∈ Z} consisting of all multiples of
g is an ideal. This ideal is said to be generated by the number g, and it will be
denoted by gZ. Thus, using this notation, 3Z = {0, ±3, ±6, ±9, . . . }.
Note that the trivial ideal {0} is generated by 0 and that the whole set Z is
generated by 1.
1 DIVISIBILITY 3

To show that a subset A of Z is an ideal it suffices to verify that (i) holds,

because we have the following result.

Proposition 1.7 A non-empty subset A of Z is an ideal if x, y ∈ A ⇒ x−y ∈ A.

Proof. Suppose A is a non-empty subset with property (i) of Definition 1.6, and
let x0 be an element of A. Since 0 = x0 − x0 we first note that 0 ∈ A. Then we
see that x ∈ A ⇒ −x = 0 − x ∈ A and that

x, y ∈ A ⇒ x, −y ∈ A ⇒ x + y ∈ A,

i.e. the set A is closed under addition.

Next assume that the implication x ∈ A ⇒ nx ∈ A holds for a certain
nonnegative integer n (this is certainly true for n = 0). Then we also have
x ∈ A ⇒ (n + 1)x = nx + x ∈ A. Hence, it follows by induction that the
implication x ∈ A ⇒ nx ∈ A holds for each nonnegative integer n. Finally, if
x ∈ A and n is a negative integer, then −n is positive, so it follows first that
(−n)x ∈ A and then that nx = −(−n)x ∈ A. This shows that property (ii) of
Definition 1.6 holds for A.
Remark. The ideal concept is a ring concept. A ring is a set with two operations,
addition and multiplication, satisfying certain natural axioms. The integers Z form a
ring, and another important example is given by the set of polynomials with ordinary
polynomial addition and multiplication as operations. For ideals in general rings,
property (ii) does not follow from property (i). Thus the ring Z is special in that
respect.
The ideals that are listed in Example 4 are all generated by a single number
g. We next show that all ideals of Z have this property.

Theorem 1.8 Every ideal A is generated by a unique nonnegative number g,

that is A = gZ = {ng | n ∈ Z}. If A is not equal to the zero ideal {0}, then the
generator g is the smallest positive integer belonging to A.

Proof. The zero ideal is generated by 0, so assume that A contains some nonzero
integer x0 . Since by (ii), A also contains the number −x0 (= (−1)x0 ), A cer-
tainly contains a positive integer. Let g be the least positive integer belonging
to A.
We will prove that A is generated by the number g. That ng belongs to A
for every integer n follows immediately from (ii), so we only have to prove that
there are no other numbers in A. Therefore, let b ∈ A and divide b by g. By
the division algorithm, there exist integers q and r with 0 ≤ r < g such that
b − qg = r. Since qg ∈ A it follows from (i) that r ∈ A, and since g is the least
positive integer in A, we conclude that r = 0. Hence b = qg as claimed.
We will now use Theorem 1.8 to characterize the greatest common divisor.
Let a and b be two integers and consider the set

A = {ax + by | x, y ∈ Z}.

The set A is clearly closed under subtraction, i.e. A is an ideal, and by the
previous theorem, A is generated by a unique nonnegative number g. This
number has the following two properties:
1 DIVISIBILITY 4

(i) There exist integers x0 , y0 such that ax0 + by0 = g

(ii) For all integers x and y there exists an integer n such that ax + by = ng.
Taking x = 1 and y = 0 in (ii) we see that a = ng for some integer n and
hence g | a. Similarly, g | b, so g is a common divisor of a and b. Using (i), we
see that every common divisor of a and b is a divisor of g. In particular, the
greatest common divisor d = (a, b) divides g and hence d ≤ g. It follows that g
is the greatest common divisor, i.e. g = (a, b).
This is also true in the trivial case a = b = 0, for then g = 0 and we have
defined (0, 0) to be the number 0.
Our discussion is summarized in the following theorem.

Theorem 1.9 The ideal {ax+by | x, y ∈ Z} is generated by the greatest common

divisor (a, b), i.e.
(i) There exist integers x0 and y0 such that ax0 + by0 = (a, b).
(ii) ax + by is a multiple of (a, b) for all integers x and y.

The proof of Theorem 1.9 is easily extended to cover the case of n integers
a1 , a2 , . . . , an instead of two integers a and b. The general result reads as follows.

Theorem 1.9’ Let a1 , a2 , . . . , an be any integers. The ideal

{a1 x1 + a2 x2 + · · · + an xn | x1 , x2 , . . . , xn ∈ Z}
is generated by the greatest common divisor d = (a1 , a2 , . . . , an ), i.e.
(i) There exist integers y1 , y2 , . . . , yn such that a1 y1 + a2 y2 + · · · + an yn = d.
(ii) a1 x1 + a2 x2 + · · · + an xn is a multiple of d for all integers x1 , x2 , . . . , xn .

Corollary 1.10 If c | a and c | b, then c | (a, b), i.e. every common divisor of a
and b is a divisor of the greatest common divisor (a, b).

Proof. By Theorem 1.9 (i) we have ax0 + by0 = (a, b), and the conclusion of the
corollary now follows from Proposition 1.2 (iv).

Corollary 1.11 (i) (ca, cb)= c(a,

b) for every nonnegative integer c.
a b
(ii) If d = (a, b) 6= 0, then , = 1.
d d

Proof. (i) Write d = (a, b). By Theorem 1.9, the ideal {ax + by | x, y ∈ Z}
is generated by d. Now cax + cby = c(ax + by), so it follows that the ideal
{cax + cby | x, y ∈ Z} is generated by cd. But the latter ideal is according
to Theorem 1.9 also generated by the number (ca, cb). Since the nonnegative
generator is unique,
 we 
conclude that (ca, cb) = cd.
a b
(ii) By (i), d , = (a, b) = d. The result now follows upon division
d d
by d.

Theorem 1.12 If (a, b) = 1 and a | bc, then a | c.

Proof. Assume (a, b) = 1 and a | bc. Since clearly a | ac, it follows that a is a
common divisor of ac and bc. By Corollary 1.11, (ac, bc) = c(a, b) = c, and the
conclusion a | c now follows from Corollary 1.10.

Theorem 1.13 If a | c, b | c and (a, b) = 1, then ab | c.

1 DIVISIBILITY 5

Proof. By assumption, c = am for some integer m. Since b | am and (b, a) = 1,

we conclude from Theorem 1.12 that b | m, that is m = bn for some integer n.
Hence, c = abn, i.e. ab | c.

Theorem 1.14 If (a, b) = (a, c) = 1, then (a, bc) = 1.

Proof. By Theorem 1.9 there are integers x, y and z, w such that ax + by = 1

and az +cw = 1. Then by ·cw = (1−ax)(1−az) = 1−an, where n = x+z −axz
is an integer. Hence, an + bcyw = 1, and we conclude from Theorem 1.9 that
(a, bc) = 1.
We now turn to the problem of efficiently calculating the greatest common
divisor of two integers a and b. We can of course assume that both are non-
negative and that a ≥ b.
If b = 0 then (a, b) = (a, 0) = a and there is nothing more to do. Otherwise,
we use Proposition 1.4 to see that (a, b) = (a − nb, b) for all integers n. In
particular, using the ordinary division algoritm a = qb + r with 0 ≤ r < b we
obtain

(1) (a, b) = (a − qb, b) = (r, b) = (b, r).

If r = 0, then we are finished, because (a, b) = (b, 0) = b. Otherwise, (1) allows

us to replace the pair (a, b) with the smaller pair (b, r), where r < b < a, and
we can repeat the whole procedure. Since at each step we get a new pair with
smaller integers, we must finally reach a stage where one of the numbers is 0.
The whole procedure may be summarized as follows.

The Euclidean Algorithm

Let a and b be integers with a ≥ b ≥ 0. Put a0 = a and b0 = b.
(i) If b0 = 0, then (a, b) = a0 .
(ii) Otherwise, using the division algorithm calculate q and r such that a0 =
qb0 + r with 0 ≤ r < b0 .
(iii) Put a0 = b0 and b0 = r and go to (i).
The algorithm must terminate, because the successive b0 :s form a decreasing
sequence of non-negative integers.
Instead of using the principal remainder, we could also use the remainder of
least absolute value at each step. In general, this procedure will require fewer
iterations. This modified algorithm runs as follows:

The Euclidean Algorithm with least absolute remainder

Let a and b be integers with a ≥ b ≥ 0. Put a0 = a and b0 = b.
(i) If b0 = 0, then (a, b) = a0 .
(ii) Otherwise, using the division algorithm calculate q and r such that a0 =
qb0 + r with |r| ≤ b0 /2.
(iii) Put a0 = b0 and b0 = |r| and go to (i).
In (iii) we use the fact that (a0 , b0 ) = (a0 , −b0 ) so it does not matter that
we use |r| in order to get a nonnegative number b0 . Again, the algorithm must
terminate because at each step the new b0 is at most half of the old one.
1 DIVISIBILITY 6

Example 5 Let us calculate (247, 91). The ordinary division algorithm gives

247 = 2 · 91 + 65
91 = 1 · 65 + 26
65 = 2 · 26 + 13
26 = 2 · 13.

Hence (247, 91) = (91, 65) = (65, 26) = (26, 13) = (13, 0) = 13.
By instead using least absolute remainders, we obtain the following sequence
as a result of the division algorithm:

247 = 3 · 91 − 26
91 = 3 · 26 + 13
26 = 2 · 13.

Hence (247, 91) = (91, 26) = (26, 13) = (13, 0) = 13.

By Theorem 1.9, we know that the linear equation

ax + by = (a, b)

has at least one integer solution x0 and y0 . (We will see later that there are
in fact infinitely many integer solutions.) As a by-product of the Euclidean
Algorithm we have an algorithm for finding such a solution. Denoting the
successive pairs (a0 , b0 ) obtained during the process by (a0 , b0 ), (a1 , b1 ), (a2 , b2 ),
. . . , (an , bn ), with bn = 0, we have

a0 = a, b0 = b
ai = bi−1 , bi = ai−1 − qi bi−1 for suitable integers qi , i = 1, 2, . . . , n
an = (a, b).

It follows that each of the numbers ai and bi is a linear combination of the

previous ones ai−1 and bi−1 and hence ultimately a linear combination of a
and b, that is ai = xi a + yi b for suitable integers xi , yi , which can be found
by calculating “backwards”, and similarly for bi . In particular, this holds for
(a, b) = an .

Example 6 Going backwards in the calculations in Example 5, using the ab-

solute remainder variant, we find that

13 = 91 − 3 · 26 = 91 − 3 · (3 · 91 − 247) = 3 · 247 − 8 · 91.

Hence, the equation 247x + 91y = (247, 91) has x = 3, y = −8 as one of its
integer solutions.

The union I ∪ J of two ideals I = aZ and J = bZ in Z need not be an

ideal. In fact, the union is an ideal if and only if one of the two ideals I and
J is a subset of the other, i.e. if and only if one of the two generators a and
b is divisible by the other. However, there is always a smallest ideal which
contains the union I ∪ J, namely the ideal (a, b)Z = {ax + by | x, y ∈ Z}. Thus,
the greatest common divisor (a, b) is (uniquely determined as) the non-negative
generator of the smallest ideal containing the union aZ ∪ bZ.
2 PRIME NUMBERS 7

On the other hand, it is completely obvious that the intersection I ∩J of two

ideals I = aZ and J = bZ is an ideal. (Indeed, the intersection of any number
of ideals is an ideal.) By definition, an integer x belongs to this intersection if
and only if a|x and b|x, i.e. if and only if x is a common multiple of a and b.
Thus, the ideal aZ ∩ bZ coincides with the set of all common multiples of
the numbers a and b. This observation leads us to the following concept, which
is dual to the concept of greatest common divisor.

Definition 1.15 Let a and b be two integers. The nonnegative generator of

the ideal aZ ∩ bZ is called the least common multiple of the two numbers,
and it is denoted by [a, b]. More generally, given any sequence a1 , a2 , . . . , an of
integers, we define their least common multiple [a1 , a2 , . . . , an ] to be the uniquely
determined nonnegative generator of the ideal a1 Z ∩ a2 Z ∩ · · · ∩ an Z.

Note that [a, b] = 0 if a = 0 or b = 0, because the intersection aZ ∩ bZ is

then equal to the trivial ideal {0}. If a and b are both nonzero, then aZ ∩ bZ
is a nontrivial ideal since it certainly contains the number ab. Thus, nontrivial
common multiples exist, and the least common multiple [a, b] is a positive integer
in that case.

Example 7 [30, 42]=210, because in the sequence 30, 60, 90, 120, 150, 180,
210, . . . of multiples of 30, the number 210 is the first one that is also a multiple
of 42.

Proposition 1.16 [ca, cb] = c[a, b] if c is a nonnegative number.

Proof. [ca, cb]Z = caZ ∩ cbZ = c(aZ ∩ bZ) = c[a, b]Z.

Proposition 1.17 Let a and b be nonnegative integers. Then [a, b] · (a, b) = ab.

Proof. If one of the two numbers equals zero, then [a, b] = ab = 0, wo we

may assume that a and b are both positive. Let d = (a, b). If d = 1, then
any common multiple of a and b must also by a multiple of ab, by Theorem
1.13, and it follows that ab must be the least common multiple of a and b, i.e.
ab = [a, b] = [a, b] · (a, b).
a b
a b 
If d > 1, then , = 1. According to the case just proved, , =
d d d d
a b
· . Now multiply this equality by d2 and apply Propostion 1.16 to obtain
d d
a b 
ab = d2 , = d · [a, b] = (a, b) · [a, b].
d d

2 Prime Numbers
Definition 2.1 An integer > 1 is called a prime number or a prime if it has
only trivial divisors. An integer > 1 which is not a prime is called composite.

Thus, p > 1 is a prime number if and only if 1 < x < p ⇒ x6 | p.

Theorem 2.2 Let p be a prime number. If p | bc, then p | b or p | c.

2 PRIME NUMBERS 8

Proof. Assume that p | bc but p6 | b. Since p has only trivial divisors, it follows
that (p, b) = 1. Hence p | c by Theorem 1.12.
Theorem 2.2 is easily extended to

Theorem 2.2’ Let p be a prime number. If p | b1 b2 · · · bn , then p | bi for some

i.
Proof. By Theorem 2.2, p | b1 b2 · · · bn ⇒ p | b1 ∨ p | b2 . . . bn . The result now
follows by induction.

Theorem 2.3 (The Fundamental Theorem of Arithmetic) Every integer n > 1

can be expressed as a product of primes in a unique way apart from the order of
the prime factors.

Proof. The existence of such a factorization is proved by induction. Assume

that every integer less than n can be written as a product of primes. If n is
a prime, then we have a factorization of n consisting of one prime factor. If n
is composite, than n = n1 n2 with 1 < n1 < n and 1 < n2 < n, and it follows
from the induction hypothesis that each of n1 and n2 is a product of primes.
Therefore, n is also a product of primes.
Now suppose that there is an integer with to different factorizations. Then
there is a least such number n. Let n = p1 p2 · · · pr = q1 q2 · · · qs , where each pi
and qj is a prime and where the two factorizations are different. Since p1 divides
the product q1 q2 · · · qs , it follows from Theorem 2.2′ that p1 divides one of the
prime numbers q1 , . . . , qs . Renumbering these numbers, we may assume that
p1 |q1 , which of course means that p1 = q1 . Dividing n by p1 we get a smaller
number
n
= p 2 p 3 · · · pr = q 2 q 3 · · · q s
p1
with two different prime factorizations, but this would contradict the assumption
that n is the smallest number with different factorizations.
If the prime factorizations of two given numbers are known, then we can
easily determine their greatest common divisor and least common multiple.

Proposition 2.4 Let a and b be two positive integers and write

mk
a = pm 1 m2
1 p2 · · · p k and b = pn1 1 pn2 2 · · · pnk k ,

where p1 , p2 , . . . , pk are different primes and m1 , m2 , . . . , mk and n1 , n2 , . . . , nk

are nonnegative integers. Put dj = min(mj , nj ) and Dj = max(mj , nj ); then

(a, b) = pd11 pd22 · · · pdkk and [a, b] = pD 1 D2 Dk

1 p 2 · · · pk .

Proof. Obvious.

Theorem 2.5 There exist infinitely many primes.

Proof. We will show that given any finite collection of primes p1 , p2 , . . . , pn there
is a prime q which does not belong to the collection. Let N = p1 p2 · · · pn + 1.
By Theorem 2.3, N has a prime factor q (which could be N itself). Since
(N, pj ) = (1, pj ) = 1 for each j whereas (N, q) = q, it follows that q 6= pj for
each j.
2 PRIME NUMBERS 9

On the other hand, there are arbitrarily large gaps in the sequence of primes:

Proposition 2.6 For any natural number k there exist k consecutive composite
numbers.

Proof. Consider the numbers (k + 1)! + 2, (k + 1)! + 3, . . . , (k + 1)! + (k + 1); they

are composite, because they are divisible by 2, 3, . . . , k + 1, respectively.
Let π(x) denote the number of primes that are less than or equal to the real
number x. Thus 

 0 if x < 2
1 if 2 ≤ x < 3





π(x) = 2 if 3 ≤ x < 5

 ..



 .
n if pn ≤ x < pn+1


where pn denotes the nth prime number.

We will give a crude estimate for π(x). To this end, we will need the following
inequality.

Lemma 2.7 Let x be a real number > 2. Then

X1
> ln ln x − 1.
p
p≤x

Here, the sum is over all primes p satisfying p ≤ x.

P ln ln x tends to ∞ with x it follows from the inequality above that the

Since
sum 1/p over all primes is infinite. This, of course, implies that there are
infinitely many primes. Thus, by proving Lemma 2.7 we will obtain a new proof
of Theorem 2.5.
Proof. Let p1 , p2 , . . . , pn denote all primes ≤ x, and put

N = {pk11 pk22 · · · pknn | k1 ≥ 0, k2 ≥ 0, . . . , kn ≥ 0},

i.e. N consists of 1 and all positive integers whose prime factorization only uses
the primes p1 , p2 , . . . , pn .
Since the factorization of any number ≤ x only uses primes that are ≤ x,
the set N contains all of the numbers 1, 2, 3, . . . , [x] (= the greatest integer
≤ x). Consequently,
[x] Z [x]+1
X 1 X 1 dt
≥ ≥ = ln([x] + 1) > ln x.
n n=1 n 1 t
n∈N

Now observe that

Y −1 Y  
1 1 1 1 X 1
1− = 1 + + 2 + ··· + k + ··· = .
p p p p n
p≤x p≤x n∈N
2 PRIME NUMBERS 10

Combining this with the previous inequality we obtain the inequality

Y −1
1
1− > ln x,
p
p≤x

and, by taking the logarithm of both sides, the inequality

X  −1
1
(1) ln 1 − > ln ln x.
p
p≤x

Now use the Maclaurin expansion of ln(1 + x) to get

x2 x3 x2 x2
 
1
− ln(1 − x) = x + + + · · · ≤ x + (1 + x + x2 + . . . ) = x +
2 3 2 2 1−x

for 0 ≤ x < 1. Since 1/(1 − x) ≤ 2 when x ≤ 21 , we conclude that the inequality

ln(1 − x)−1 = − ln(1 − x) ≤ x + x2

holds for x ≤ 12 . In particular, if p is a prime, then 1

p ≤ 12 , and consequently,

1 1 1
ln(1 − )−1 ≤ + 2 .
p p p
By summing these inequalities for all primes p ≤ x and comparing with (1), we
obtain

X1 X 1
(2) + > ln ln x.
p p2
p≤x p≤x

1/p2 over all primes ≤ x can be estimated as follows

P
Here the sum
X 1 ∞ ∞ ∞  
X 1 X 1 X 1 1
≤ ≤ = − = 1,
p2 n=2
n2 n=2
n(n − 1) n=2 n − 1 n
p≤x

and by combining this inequality with (2) we obtain the desired result
X1
> ln ln x − 1.
p
p≤x

Lemma 2.8 Z x
X1 π(x) π(u)
= + du.
p x 2 u2
p≤x

Proof. Let p1 < p2 < · · · < pn denote the primes ≤ x. Then

x n−1
X Z pk+1 π(u) Z x
π(u) π(u)
Z
du = du + du
2 u2 p k
u2 p n
u2
k=1
n−1
X Z pk+1 k Z x
n
= du + du
pk u2 pn u
2
k=1
2 PRIME NUMBERS 11

n−1    
X 1 1 1 1
= k − +n −
pk pk+1 pn x
k=1
n−1 X k−1n
X k n n
= − + −
pk pk pn x
k=1 k=2
n
X 1 π(x)
= − .
pk x
k=1

Theorem 2.9 For any ǫ > 0 and any real number ω, there exists a number
x > ω such that
x
π(x) > (1 − ǫ) .
ln x
Remark. For those who know the definition of lim sup we can state Theorem 2.9 as
π(x)
follows: lim supx→∞ x/ ln x
≥ 1.

Proof. Assume the theorem to be false. Then there is an ǫ > 0 and a real
number ω such that π(x) ≤ (1 − ǫ) lnxx for all x > ω. But then
Z x Z ω Z x Z x
π(u) π(u) π(u) 1
2
du = 2
du + 2
du ≤ C + (1 − ǫ) du
2 u 2 u ω u ω u ln u
= C + (1 − ǫ)(ln ln x − ln ln ω) = D + (1 − ǫ)(ln ln x),

where C and D are constants (depending on ω). Since obviously π(x) < x, it
now follows from Lemma 2.8, that
X1
≤ (1 − ǫ) ln ln x + Constant.
p
p≤x

This contradicts Lemma 2.7.

Theorem 2.9 can be sharpened considerably. The following result was con-
jectured by Gauss and proven by J. Hadamard and Ch. de la Vallée
Poussin in 1896 using advanced methods from the theory of functions of a
complex variable.

Theorem 2.10 (The Prime Number Theorem)

π(x)
lim = 1.
x→∞ x/ ln x
The proof is too complicated to be given here.
We will now derive heuristically some conclusions from the Prime Number
Theorem. Firstly, it follows that π(x)/x < C/ ln x for some constant C, and
hence the ratio π(x)/x approaches 0 and the ratio (x − π(x))/x approaches 1
as x tends to infinity. Since n − π(n) is the number of composite numbers less
than or equal to n, the ratio (n−π(n))/n represents the proportion of composite
numbers among the first n integers. That this ratio tends to 1 means in a certain
sense that “almost all” positive integers are composite.
On the other hand, primes are not particularly scarce, because the logarithm
function grows very slowly. By the Prime Number Theorem we can use x/ ln x
3 THE LINEAR DIOPHANTINE EQUATION AX+BY=C 12

as an approximation of π(x). If x is a large number and y is small compared to

x then ln(x + y) ≈ ln x, and hence
x+y x y
π(x + y) − π(x) ≈ − ≈ .
ln(x + y) ln x ln x
This means that in a relatively small interval of length y around the large number
x there are approximately y/ ln x primes, and we can expect to find a prime in
the interval if the length is about ln x. If the primes were randomly distributed
the probability of a large number x being prime would be approximately 1/ ln x.
Taking for example x = 10100 we have ln x ≈ 230. Thus, if we choose an integer
N “at random” in the neigborhood of 10100 the probability that N is prime is
roughly 1/230. Of course, we can raise this probability to 1/115 by avoiding
the even numbers, and if we make sure that N is not divisible by 2, 3, or 5,
the probability that N is prime grows to about 1/60. Thus, provided we use an
efficient primality test, we can produce a very large prime by first choosing a
number N at random not divisible by 2, 3, or 5 (and some other small primes)
and testing it for primality. If N turns out to be a prime, then we are happy,
otherwise we consider the next integer in the sequence N + 2, N + 4, N + 6,
. . . that is not divisible by 3 and 5 (and the other selected small primes) and
test this for primality. Because of the Prime Number Theorem we feel confident
that we will find a prime after not too many tries.

3 The Linear Diophantine Equation ax+by=c

Let a, b and c be integers and consider the equation

(1) ax + by = c.

We are interested in integer solutions x and y, only.

From section 1 we already know a lot about the equation. By Theorem 1.9,
the set {ax + by | x, y ∈ Z} coincides with the set of all multiples n(a, b) of
the greatest common divisor of a and b. It follows that equation (1) is solvable
if and only if (a, b) | c. Moreover, the Euclidean algorithm provides us with
a method for finding a solution x0 , y0 of the equation ax + by = (a, b), and
by multiplying this solution by c/(a, b) we will get a solution of the original
equation (1). What remains is to find the general solution given one particular
solution. The complete story is summarized in the following theorem.

Theorem 3.1 The equation ax + by = c has integer solutions if and only if

(a, b) | c. If x0 , y0 is a solution, then all integer solutions are given by
b a
x = x0 + n, y = y0 − n, n ∈ Z.
(a, b) (a, b)
Proof. The numbers x and y defined above are integers, and one immediately
verifies that they satisfy the equation. To see that these are all solutions, assume
that x, y is an arbitrary integer solution. Then ax + by = ax0 + by0 . It follows
that a(x − x0 ) = b(y0 − y), and that
a b
(2) (x − x0 ) = (y0 − y),
d d
3 THE LINEAR DIOPHANTINE EQUATION AX+BY=C 13

where we have written d = (a, b) for short. Since ad , db = 1, we conclude from

Theorem 1.12 that db is a divisor of x − x0 , i.e. there exists an integer n such

that x − x0 = db n. By inserting this into (2) and simplifying, we also obtain
y − y0 = − ad n.

The case (a, b) = 1 is so important that it is worth stating separately.

Corollary 3.2 Suppose that (a, b) = 1. Then the linear equation ax + by = c has
integer solutions for all integers c. If x0 , y0 is a solution, then all solutions are
given by
x = x0 + bn, y = y0 − an, n ∈ Z.

According to Theorem 3.1, the distance between two consecutive x-solutions

is b/d and the distance between two consecutive y-solutions is a/d, where d =
(a, b). It follows that, provided the equation is solvable, there is a solution (x, y)
with 0 ≤ x ≤ b/d − 1. We can find this solution by successively trying x = 0,
x = 1, . . . , solving the equation for y until an integer value for y is found. Of
course, we can also solve the equation by looking for a solution y in the interval
0 ≤ y ≤ a/d − 1. Hence, we can easily solve the equation ax + by = c by trial
and error whenever at least one of the numbers a/d and b/d is small.

Example 1 Solve the equation

247x + 91y = 39.

Solution 1: The equation is solvable, because (247, 91) = 13 and 13 | 39. Since
91
13 = 7 the equation has an integer solution with 0 ≤ x ≤ 6. Trying x = 0, 1,
2, we find that x = 2 gives the integer value y = −5. Therefore, the general
solution of the equation is x = 2 + 7n, y = −5 − 19n.
Solution 2: In Example 6, section 1, we found that x = 3, y = −8 solves
the equation 247x + 91y = 13. By multiplying this solution by 3, we get the
particular solution x0 = 9, y0 = −24 to our given equation, and the general
solution is x = 9 + 7n, y = −24 − 19n. This parametrization of the solutions
is different from that above, but the set of solutions is of course the same as in
solution no. 1.
Solution 3: The solution above uses the Euclidean algorithm. We will now give
another method, which is more or less equivalent to the Euclidean algorithm,
but the presentation is different. To solve

(3) 247x + 91y = 39

we start by writing 247 = 2 · 91 + 65, 247x = 91 · 2x + 65x and 247x + 91y =

65x + 91(2x + y). Introducing new integer variables x1 = x, y1 = 2x + y, we
now rewrite equation (3) as

(4) 65x1 + 91y1 = 39.

This equation has smaller coefficients. Note that if x1 and y1 are integers, then
x = x1 and y = y1 − 2x are integers, too. Hence, solving (4) for integer values
is equivalent to solving (3) for integer values.
3 THE LINEAR DIOPHANTINE EQUATION AX+BY=C 14

The same procedure can now be repeated. Write 91 = 65 + 26 and 65x1 +

91y1 = 65(x1 + y1 ) + 26y1 in order to replace equation (4) with the equivalent
equation
(5) 65x2 + 26y2 = 39, with x2 = x1 + y1 , y2 = y1 .
We continue, noting that 65 = 2 · 26 + 13, and obtain
(6) 13x3 + 26y3 = 39, with x3 = x2 , y3 = 2x2 + y2 .
Now 26 = 2 · 13, so
(7) 13x4 + 0y4 = 39, with x4 = x3 + 2y3 , y4 = y3 .
From (7) we conclude that x4 = 39/13 = 3 whereas y4 is an arbitrary integer,
n say. Going backwards, we find
y3 = y4 = n, x3 = x4 − 2y3 = 3 − 2n
x2 = x3 = 3 − 2n, y2 = y3 − 2x2 = n − 2(3 − 2n) = −6 + 5n
y1 = y2 = −6 + 5n, x1 = x2 − y1 = 3 − 2n + 6 − 5n = 9 − 7n
x = x1 = 9 − 7n, y = y1 − 2x = −6 + 5n − 2(9 − 7n) = −24 + 19n.

For linear equations with more than two variables we have the following
result, which follows immediately from Theorem 1.9′ .

Theorem 3.3 The linear equation a1 x1 + a2 x2 + · · · + an xn = c has integer

solutions if and only if (a1 , a2 , . . . , an ) | c.

The third solution method in Example 1 can easily be adopted to take care
of equations with more than two variables.

Example 2 Solve the equation

6x + 10y + 15z = 5
for integer solutions.
Solution: The equation is solvable, because (6, 10, 15) = 1. Consider the least
coefficient 6 and write 10 = 6 + 4 and 15 = 2 · 6 + 3. Introducing new variables
x1 = x + y + 2z, y1 = y, and z1 = z we can rewrite our linear equation as
6x1 + 4y1 + 3z1 = 5.
Since 6 = 2 · 3 and 4 = 3 + 1, we put x2 = x1 , y2 = y1 , and z2 = 2x1 + y1 + z1 .
This change of variables transforms our equation into
0x2 + y2 + 3z2 = 5.
Now 1 is the least non-zero coefficient, and we put x3 = x2 , y3 = y2 + 3z2 , and
z3 = z2 . Our equation now reads
0x3 + y3 + 0z3 = 5
with the obvious solution x3 = m, y3 = 5, z3 = n, m and n being arbitrary
integers. Going backwards we get after some easy calculations:
x = 5 + 5m − 5n, y = 5 − 3n, z = −5 − 2m + 4n, m, n ∈ Z.
4 CONGRUENCES 15

4 Congruences
Definition 4.1 Let m be a positive integer. If m | (a − b) then we say that a is
congruent to b modulo m and write a ≡ b (mod m). If m6 | (a − b) then we say
that a is not congruent to b modulo m and write a 6≡ b (mod m).

Obviously, a ≡ b (mod m) is equivalent to a = b + mq for some integer q.

We now list some useful properties, which follow easily from the definition.

Proposition 4.2 Congruence modulo m is an equivalence relation, i.e.

(i) a ≡ a (mod m) for all a.
(ii) If a ≡ b (mod m), then b ≡ a (mod m).
(iii) If a ≡ b (mod m) and b ≡ c (mod m), then a ≡ c (mod m).

Proof. We leave the simple proof to the reader.

Our next proposition shows that congruences can be added, multiplied and
raised to powers.

Proposition 4.3 Let a, b, c and d be integers.

(i) If a ≡ b (mod m) and c ≡ d (mod m), then a + c ≡ b + d (mod m).
(ii) If a ≡ b (mod m) and c ≡ d (mod m), then ac ≡ bd (mod m).
(iii) If a ≡ b (mod m), then ak ≡ bk (mod m) for all non-negative integers k.
(iv) Let f (x) be a polynomial with integral coefficients. If a ≡ b (mod m) then
f (a) ≡ f (b) (mod m).

Proof. (i) is left to the reader.

(ii) If a ≡ b (mod m) and c ≡ d (mod m), then a = b + mq and c = d + mr
for suitable integers q and r. It follows that ac = bd + m(br + dq + mqr). Hence
ac ≡ bd (mod m).
(iii) Taking c = a and d = b in (ii) we see that a ≡ b (mod m) implies a2 ≡ b2
(mod m). Applying (ii) again, we get a3 ≡ b3 (mod m), and the general case
follows by induction. P
n
(iv) Suppose f (x) = j=0 cj xj . Using (iii) we first obtain aj ≡ bj (mod m)
j j
for each j, and then Pcnj a ≡ cj j b P(mod m) by (ii). Finally, repeated application
n
of (i) gives f (a) = j=0 cj a ≡ j=0 cj bj = f (b) (mod m).

Remark on the computation of powers. In many applications we need

to compute powers ak modulo m. The naive approach would invoke k − 1
multiplications. This is fine if k is small, but for large numbers k such as
in the RSA-algorithm, to be discussed in section 7, this is prohibitively time
consuming. Instead, one should compute ak recursively using the formula
(
k (ak/2 )2 = (a[k/2] )2 if k is even,
a = (k−1)/2 2 [k/2] 2
a · (a ) = a · (a ) if k is odd.

Thus, ak is obtained from a[k/2] by using one multiplication (squaring) if k is

even, and two multiplications (squaring followed by multiplication by a) if k is
odd. Depending on the value of k, the innermost computation of the recursion
will be a2 or a3 = a · a2 .
4 CONGRUENCES 16

The total number of multiplications required to compute ak from a using

recursion is of the order of magnitude log k, which is smallPcompared to k.
r
Indeed, if k has the binary expansion k = αr αr−1 . . . α1 α0 = j=0 αj 2j , (with
αr = 1), then [k/2] = αr αr−1 . . . α1 , and k is odd if α0 = 1 and even if α = 0.
It now easily follows that the number of squarings needed equals r, and that
the number of extra multiplications by a equals the number of nonzero digits
αj minus 1. Thus, at most 2r multiplications are needed.

Example 1 The computation of 31304 (mod 121) by recursion can be summa-

rized in the following table:

k 1304 652 326 163 162 81 80 40 20 10 5 4 2 1

k
3 (mod 121) 81 9 3 27 9 3 1 1 1 1 1 81 9 3

The numbers in the top row are computed from left to right. If a number
is even, the next number is obtained by dividing it by 2, and if a number is
odd the next one is obtained by subtracting 1. The numbers in the bottom
row are computed from right to left. For instance, 34 = (32 )2 ≡ 92 ≡ 81,
35 = 3 · 34 ≡ 3 · 81 ≡ 243 ≡ 1, 3326 = (3163 )2 ≡ 272 ≡ 3.

We next investigate what happens when the modulus is multiplied or divided

by a number. The simple proof of the following proposition is left to the reader.

Proposition 4.4 Let c be an arbitrary positive integer, and let d be a positive

divisor of m.
(i) If a ≡ b (mod m), then ac ≡ bc (mod mc).
(ii) If a ≡ b (mod m), then a ≡ b (mod d).

In general, congruences may not be divided without changing the modulus.

We have the following result.

Proposition 4.5 Let c be a non-zero integer.

(i) If ca ≡ cb (mod m), then a ≡ b (mod m/(c, m))
(ii) If ca ≡ cb (mod m) and (c, m) = 1, then a ≡ b (mod m).
m  c
Proof. (i) Let d = (c, m). If ca ≡ cb (mod m), then m | c(a−b) and  (a−b).
d d
m c
m 
Since , = 1, it follows that  (a − b), i.e. a ≡ b (mod m/d).
d d d
(ii) is a special case of (i).

A system of congruences can be replaced by one congruence in the following

way:

Proposition 4.6 Let m1 , m2 , . . . , mr be positive integers. The following two

statements are then equivalent:
(i) a ≡ b (mod mi ) for i = 1, 2, . . . , r.
(ii) a ≡ b (mod [m1 , m2 , . . . , mp ]).

Proof. Suppose a ≡ b (mod mi ) for all i. Then (a − b) is a common multiple

of all the mi s, and therefore [m1 , m2 , . . . , mp ] | (a − b). This means that a ≡ b
(mod [m1 , m2 , . . . , mr ]).
4 CONGRUENCES 17

Conversely, if a ≡ b (mod [m1 , m2 , . . . , mr ]), then a ≡ b (mod mi ) for each

i, since mi | [m1 , m2 , . . . , mr ].

For the rest of this section, we fix a positive integer m which we will use as
modulus.

Definition 4.7 Let a be an integer. The set a = {x ∈ Z | x ≡ a (mod m)}

of all integers that are congruent modulo m to a is called a residue class, or
congruence class, modulo m.

Since the congruence relation is an equivalence relation, it follows that all

numbers belonging to the same residue class are mutually congruent, that num-
bers belonging to different residue classes are incongruent, that given two in-
tegers a and b either a = b or a ∩ b = ∅, and that a = b if and only if a ≡ b
(mod m).

Proposition 4.8 There are exactly m distinct residue classes modulo m, viz. 0,
1, 2, . . . , m − 1.

Proof. According to the division algorithm, there is for each integer a a unique
integer r belonging to the interval [0, m − 1] such that a ≡ r (mod m). Thus,
each residue class a is identical with one of the residue classes 0, 1, 2, . . . , m − 1,
and these are different since i 6≡ j (mod m) if 0 ≤ i < j ≤ m − 1.

Definition 4.9 Chose a number xi from each residue class modulo m. The re-
sulting set of numbers x1 , x2 , . . . , xm is called a complete residue system modulo
m.

The set {0, 1, 2, . . . , m−1} is an example of a complete residue system modulo

m.

Example 2 {4, −7, 14, 7} is a complete residue system modulo 4.

Lemma 4.10 If x and y belong to the same residue class modulo m, then
(x, m) = (y, m).

Proof. If x ≡ y (mod m), then x = y + qm for some integer q, and it follows

from Proposition 1.4 that (x, m) = (y, m).

Two numbers a and b give rise to the same residue class modulo m, i.e. a = b,
if and only if a ≡ b (mod m). The following definition is therefore consistent
by virtue of Lemma 4.10.

Definition 4.11 A residue class a modulo m is said to be relatively prime to m

if (a, m) = 1.

Definition 4.12 Let φ(m) denote the number of residue classes modulo m that
are relatively prime to m. The function φ is called Euler’s φ-function. Any set
{r1 , r2 , . . . , rφ(m) } of integers obtained by choosing one integer from each of the
residue classes that are relatively prime to m, is called a reduced residue system
modulo m.
4 CONGRUENCES 18

The following two observations are immediate consequences of the defini-

tions: The number φ(m) equals the number of integers in the interval [0, m − 1]
that are relatively prime to m. {y1 , y2 , . . . , yφ(m) } is a reduced residue system
modulo m if and only if the numbers are pairwise incongruent modulo m and
(yi , m) = 1 for all i.

Example 3 The positive integers less than 8 that are relatively prime to 8 are
1, 3, 5, and 7. It follows that φ(8) = 4 and that {1, 3, 5, 7} is a reduced residue
system modulo 8.

Example 4 If p is a prime, then the numbers 1, 2, . . . , p − 1 are all relatively

prime to p. It follows that φ(p) = p − 1 and that {1, 2, . . . , p − 1} is a reduced
residue system modulo p.

Example 5 Let pk be a prime power. An integer is relatively prime to pk if and

only if it is not divisible by p. Hence, in the interval [0, pk − 1] there are pk−1
integers that are not relatively prime to p, viz. the integers np, where n = 0, 1,
2, . . . , pk−1 − 1, whereas the remaining pk − pk−1 integers in the interval are
relatively prime to p. Consequently,
 
1
φ(pk ) = pk − pk−1 = pk 1 − .
p

Theorem 4.13 Let (a, m) = 1. Let {r1 , r2 , . . . , rm } be a complete residue sys-

tem, and let {s1 , s2 , . . . , sφ(m) } be a reduced residue system modulo m. Then
{ar1 , ar2 , . . . , arm } is a complete and {as1 , as2 , . . . , asφ(m) } is a reduced residue
system modulo m.

Proof. In order to show that the set {ar1 , ar2 , . . . , arm } is a complete residue
system, we just have to check that the elements are chosen from distinct residue
classes, i.e. that i 6= j ⇒ ari 6≡ arj (mod m). But by Proposition 4.5 (ii),
ari ≡ arj (mod m) implies ri ≡ rj (mod m) and hence i = j.
Since (si , m) = 1 and (a, m) = 1, we have (asi , m) = 1 for i = 1, 2, . . . , φ(m)
by Theorem 1.14. Hence as1 , as2 , . . . , asφ(m) are φ(m) numbers belonging to
residue classes that are relatively prime to m, and by the same argument as
above they are chosen from distinct residue classes. It follows that they form a
reduced residue system.

Theorem 4.14 (Euler’s theorem) If (a, m) = 1, then

aφ(m) ≡ 1 (mod m).

Proof. Let {s1 , s2 , . . . , sφ(m) } be a reduced residue system modulo m. By The-

orem 4.13, the set {as1 , as2 , . . . , asφ(m) } is also a reduced residue system. Con-
sequently, to each si there corresponds one and only one asj such that si ≡ asj
(mod m). By multiplying together and using Proposition 4.3 (ii), we thus get
φ(m) φ(m)
Y Y
(asj ) ≡ si (mod m),
j=1 i=1

and hence
5 LINEAR CONGRUENCES 19

φ(m) φ(m)
Y Y
aφ(m) sj ≡ si (mod m).
j=1 i=1

Since (si , m) = 1, we can use Proposition 4.5 (ii) repeatedly to cancel the si ,
and we obtain aφ(m) ≡ 1 (mod m).

The following theorem is an immediate corollary.

Theorem 4.15 (Fermat’s theorem) If p is a prime and p6 | a, then

ap−1 ≡ 1 (mod p).

For every integer a, ap ≡ a (mod p).

Proof. If p6 | a, then (a, p)=1. Since φ(p) = p − 1 by Example 4, the first part
now follows immediately from Euler’s theorem. By multiplying the congruence
by a, we note that ap ≡ a (mod p), and this obvioulsy holds also in the case
a ≡ 0 (mod p).

Example 6 Modulo 7 we get 31 ≡ 3, 32 ≡ 2, 33 ≡ 6, 34 ≡ 4, 35 ≡ 5, and

finally 36 ≡ 1 in accordance with Fermat’s theorem. Similarly, 21 ≡ 2, 22 ≡ 4,
23 ≡ 1, and hence 26 ≡ 1.

5 Linear Congruences
The congruence

(1) ax ≡ b (mod m)

is equivalent to the equation

(2) ax − my = b

where we of course only consider integral solutions x and y. We know from

Theorem 3.1 that this equation is solvable if and only if d = (a, m) divides b,
and if x0 , y0 is a solution then the complete set of solution is given by
m a
x = x0 + n, y = y0 + n.
d d
We get d pairwise incongruent x-values modulo m by taking n = 0, 1, . . . ,
d − 1, and any solution x is congruent to one of these. This proves the following
theorem.

Theorem 5.1 The congruence

ax ≡ b (mod m)

is solvable if and only if (a, m) | b. If the congruence is solvable, then it has

exactly (a, m) pairwise incongruent solutions modulo m.

We have the following immediate corollaries.

5 LINEAR CONGRUENCES 20

Corollary 5.2 The congruene ax ≡ 1 (mod m) is solvable if and only if (a, m) =

1, and in this case any two solutions are congruent modulo m.

Corollary 5.3 If (a, m) = 1, then the congruence ax ≡ b (mod m) is solvable

for any b and any two solutions are congruent modulo m.

Note that the existence of a solution in Corollories 5.2 and 5.3 can also be
deduced from Euler’s theorem. By taking x0 = aφ(m)−1 and x1 = bx0 we obtain
ax0 = aφ(m) ≡ 1 (mod m) and ax1 = bax0 ≡ b (mod m).
However, in order to solve the congruence (1) it is usually more efficient to
solve the equivalent equation (2) using the methods from section 3. Another
possibility is to replace the congruence (1) by a congruence with a smaller
modulus and then reduce the coefficients in the following way:
In (1) we can replace the numbers a and b with congruent numbers in the
interval [0, m − 1], or still better in the interval [−m/2, m/2]. Assuming this
done, we can now write equation (2) as

(3) my ≡ −b (mod a)

with a module a that is less than the module m in (1). If y = y0 solves (3), then
my0 + b
x=
a
is a solution to (1). Of course, the whole procedure can be iterated again and
again until finally a congruence of the form z ≡ c (mod n) is obtained.

Example 1 Solve the congruence

(4) 296x ≡ 176 (mod 114).

Solution: Since 2 divides the numbers 296, 176, and 114, we start by replacing
(4) with the following equivalent congruence:

(5) 148x ≡ 88 (mod 57).

Now, reduce 148 and 88 modulo 57. Since 148 ≡ −23 and 88 ≡ −26, we can
replace (5) with

(6) 23x ≡ 26 (mod 57).

Now we consider instead the congruence

57y ≡ −26 (mod 23),

which of course is quivalent to

(7) 11y ≡ −3 (mod 23).

Again, replace this with the congruence

23z ≡ 3 (mod 11)

which is at once reduced to

z≡3 (mod 11).

6 THE CHINESE REMAINDER THEOREM 21

Using this solution, we see that

23 · 3 − 3
y= =6
11
is a solution to (7) and that all solutions have the form y ≡ 6 (mod 23). It now
follows that
57 · 6 + 26
x= = 16
23
solves (6) and the equivalent congruence (4), and that all solutions are of the
form x ≡ 16 (mod 57), which can of course also be written as x ≡ 16, 73 (mod
114).

Concluding remarks. These remarks are intended for readers who are familiar with
elementary group theory.
Let Z∗m denote the set of all residue classes modulo m that are relatively prime
to the module m. We can equip Z∗m with a multiplication operation by defining the
product of two residue classes as follows:

a · b = ab.

For this definition to be well behaved it is of course necessary that the residue class ab
be dependent on the residue classes a and b only, and not on the particular numbers
a and b chosen to represent them, and that ab belong to Z∗m . However, this follows
from Proposition 4.3 (ii) and Theorem 1.14.
The multiplication on Z∗m is obviously associative and commutative, and there is
an identity element, namely the class 1. Moreover, it follows from Corollary 5.2 that
the equation a · x = 1 has a unique solution x ∈ Z∗m for each a ∈ Z∗m . Thus, each
element in Z∗m has a unique multiplicative inverse.
This shows that Z∗m is a finite abelian (commutative) group. The order of the
group (i.e. the number of elements in the group) equals φ(m), by definition of the
Euler φ-function.
One of the first theorems encountered when studying groups reads: If n is the
order of a finite group with identity element e, then an = e for every element a in the
group. Applying this result to the group Z∗m , we recover Euler’s theorem, since the
statement
a φ(m) = 1
is just another way of saying that

aφ(m) ≡ 1 (mod m)

holds for every number a that is relatively prime to m.

6 The Chinese Remainder Theorem

Let us start by considering a system of two congruences
(
x ≡ a1 (mod m1 )
x ≡ a2 (mod m2 )

where (m1 , m2 ) = 1. The first congruence has the solutions x = a1 +m1 y, y ∈ Z,

and by substituting this into the second congruence, we obtain a1 + m1 y ≡ a2
(mod m2 ), that is m1 y ≡ a2 − a1 (mod m2 ). Now, since (m1 , m2 ) = 1, this
6 THE CHINESE REMAINDER THEOREM 22

congruence has solutions of the form y = y0 + m2 n and hence x = a1 + m1 y0 +

m1 m2 n. This shows that the system has a unique solution x ≡ x0 (mod m1 m2 ).
Consider now a system of three congruences

 x ≡ a1 (mod m1 )

(1) x ≡ a2 (mod m2 )

x ≡ a3 (mod m3 )


where the moduli m1 , m2 and m3 are pairwise relatively prime. As shown above,
we can replace the first two congruences with an equivalent congruence of the
form x ≡ x0 (mod m1 m2 ), and hence the whole system (1) is equivalent to a
system of the form
(
x ≡ x0 (mod m1 m2 )
(2)
x ≡ a3 (mod m3 ).

Now, by assumption (m1 m2 , m3 ) = 1, and hence (2) has a unique solution

x ≡ x1 (mod m1 m2 m3 ).
By induction, it is now very easy to prove the following general result.

Theorem 6.1 (The Chinese Remainder Theorem) The system

x ≡ a1 (mod m1 )



 x ≡ a2 (mod m2 )


(3) ..



 .

x ≡ ar (mod mr )

where m1 , m2 , . . . , mr are pairwise relatively prime, has a unique solution mod-

ulo m1 m2 · · · mr .

Proof. We will give a second proof of the theorem and also derive a formula for
the solution.
Let for each j = 1, 2, . . . , r, δj be an integer satisfying
(
1 (mod mj )
δj ≡
0 (mod mi ), if i 6= j.

Then obviously
r
X
(4) x= δj a j
j=1

satisfies the system (3).

It remains  that the numbers δj exist. Put m = m1 m2 · · · mr . By
 to prove
m
assumption , mj = 1 and hence, by Corollary 5.2, there is a number bj
mj
such that
m
bj ≡ 1 (mod mj ).
mj
6 THE CHINESE REMAINDER THEOREM 23

m
The numbers δj = bj will now clearly have the desired properties.
mj
This proves the existence of a solution x to (3). To prove that the solution
is unique modulo m, suppose x′ is another solution. Then x ≡ x′ (mod mj )
holds for j = 1, 2, . . . , r, and it follows from Proposition 4.6 that x ≡ x′
(mod m1 m2 · · · mr ).
Formula (4) is particularly useful when we are to solve several systems (3)
with the same moduli but with different right hand members a1 , a2 , . . . , ar .

Example 1 Let us solve the system


 x ≡ 1 (mod 3)

x ≡ 2 (mod 4)

x ≡ 3 (mod 5).


Solution 1: Using the method in our first proof of the Chinese Remainder
Theorem, we replace the first congruence by x = 1 + 3y. Substituting this
into the second congruence we obtain 3y + 1 ≡ 2 (mod 4) or 3y ≡ 1 (mod 4).
This congruence has the solutions y ≡ −1 (mod 4), i.e. y = −1 + 4z. Hence,
x = −2 + 12z, and substituting this into the last congruence we end up in the
congruence 12z − 2 ≡ 3 (mod 5) or 12z ≡ 5 ≡ 0 (mod 5). This congruence has
the unique solution z ≡ 0 (mod 5), that is z = 5t and x = −2 + 60t. Hence, the
system has the unique solution x ≡ −2 (mod 60).
Solution 2: Let us instead use the method of the second proof. Then we have
first to find numbers b1 , b2 , and b3 such that

20b1 ≡ 1 (mod 3), 15b2 ≡ 1 (mod 4), 12b3 ≡ 1 (mod 5).

One easily obtains b1 = 2, b2 = 3, and b3 = 3. Next, we compute δ1 = 20b1 = 40,

δ2 = 15b2 = 45, and δ3 = 12b3 = 36. Finally,

x = δ1 + 2δ2 + 3δ3 = 40 + 90 + 108 = 238 ≡ 58 (mod 60).

The condition that the moduli m1 , m2 , . . . , mr be pairwise relatively prime is

absolutely essential for the conclusion of Theorem 6.1. Without that condition
the system (3) is either unsolvable or there are more than one incongruent
solution modulo m1 m2 · · · mr . Necessary and sufficient for the system to be
solvable is that (mi , mj ) | (ai − aj ) for all i 6= j. A given system can be solved
or proved unsolvable by reasoning as in the first solution of Example 1.
We will now derive some important consequences of Theorem 6.1. Given a
positive integer n we let C(n) denote a fixed complete residue system modulo
n. The subset of all numbers in C(n) that are relatively prime to n forms a
reduced residue system which we denote by R(n). The set R(n) contains φ(n)
numbers. To be concrete, we could choose C(n) = {0, 1, 2, . . . , n − 1}; then
R(n) = {j | 0 ≤ j ≤ n − 1 and (j, n) = 1}.
Let now m1 and m2 be two relatively prime numbers and put m = m1 m2 .
Then C(m) and the Cartesian product C(m1 ) × C(m2 ) contain the same number
of elements, viz. m. We will construct a bijection τ between these two sets.
Given x ∈ C(m) and j = 1 or 2, we denote by xj the unique number in
C(mj ) that satisfies xj ≡ x (mod mj ). We then define τ (x) = (x1 , x2 ).
6 THE CHINESE REMAINDER THEOREM 24

A map between two sets with the same number of elements is a bijection if
and only if it is surjective. But surjectivity of the map τ follows immediately
from the Chinese Remainder Theorem, because given (x1 , x2 ) ∈ C(m1 ) × C(m2 ),
there is a (unique) x ∈ C(m) such that x ≡ x1 (mod m1 ) and x ≡ x2 (mod m2 ),
which amounts to saying that τ (x) = (x1 , x2 ).
We will next identify the image τ (R(m)) of the reduced residue system R(m)
under the map τ . Since

(x, m) = 1 ⇔ (x, m1 ) = (x, m2 ) = 1

and
x ≡ xj (mod mj ) ⇒ ((x, mj ) = 1 ⇔ (xj , mj ) = 1)
it follows that x ∈ R(m) ⇔ τ (x) ∈ R(m1 ) × R(m2 ). Thus, τ maps the set
R(m) bijectively onto the Cartesian product R(m1 ) × R(m2 ). The former set
has φ(m) elements and the latter has φ(m1 )φ(m2 ) elements. Since the two sets
must have the same number of elements, we have proved the following important
theorem about Euler’s φ-function.

Theorem 6.2 If m = m1 m2 , where the integers m1 and m2 are relatively prime,

then
φ(m) = φ(m1 )φ(m2 ).

Corollary 6.3 If n = pk11 pk22 · · · pkr r , where p1 , p2 , . . . , pr are different primes,

then     
1 1 1
φ(n) = n 1 − 1− ··· 1 − .
p1 p2 pr
Proof. By repeated application of Theorem 6.2, we obtain

φ(m1 m2 · · · mr ) = φ(m1 )φ(m2 ) · · · φ(mr )

if the integers m1 , m2 , . . . , mr are pairwise relatively prime. In particular, this

holds when the numbers mi are powers of distinct primes. By Example 5 in
section 4, φ(pk ) = pk−1 (p − 1) = pk (1 − 1/p) if p is prime.
Pn
A polynomial f (x) = i=0 ai xi with coefficients ai ∈ Z is called an integral
polynomial, and the congruence

f (x) ≡ 0 (mod m),

is called a polynomial congruence. An integer a is called a solution or a root of

the polynomial congruence if f (a) ≡ 0 (mod m).
If a is a root of the polynomial congruence and if b ≡ a (mod m), then b is
also a root. Therefore, in order to solve the polynomial cogruence it is enough
to find all roots that belong to a given complete residue system C(m) modulo
m, e.g. to find all solutions among the numbers 0, 1, 2, . . . , m − 1. By the
number of roots of a polynomial congruence we will mean the number of such
incongruent roots.
6 THE CHINESE REMAINDER THEOREM 25

Next, consider a system

f1 (x) ≡ 0 (mod m1 )



 f2 (x) ≡ 0 (mod m2 )


..



 .

fr (x) ≡ 0 (mod mr )

of polynomial congruences, where the moduli m1 , m2 , . . . , mr are assumed to be

pairwise relatively prime. By a solution of such a system we mean, of course,
an integer which solves simultaneously all the congruences of the system. If a
is a solution of the system, and if b ≡ a (mod m1 m2 · · · mr ), then b is also a
solution of the system, since for each j we have b ≡ a (mod mj ). Hence, to
find all solutions of the system it suffices to consider solutions belonging to a
complete residue system modulo m1 m2 · · · mr ; by the number of solutions of the
system we will mean the number of such incongruent solutions.

Theorem 6.4 Let

f1 (x) ≡ 0 (mod m1 )



 f2 (x) ≡ 0 (mod m2 )


(5) ..



 .

fr (x) ≡ 0 (mod mr )

be a system of polynomial congruences, and assume that the the moduli m1 , m2 ,

. . . , mr are pairwise relatively prime. Let Xj be a complete set of incongruent
solutions modulo mj of the jth congruence, and let nj denote the number of
solutions. The number of solutions of the system then equals n1 n2 · · · nr , and
each solution of the system is obtained as the solution of the system

x ≡ a1 (mod m1 )



 x ≡ a2 (mod m2 )


..



 .

x ≡ ar (mod mr )

with (a1 , a2 , . . . , ar ) ranging over the set X1 × X2 × · · · × Xr .

Of course, a set Xj might be empty in which case nj = 0

Proof. Write m = m1 m2 · · · mr , let C(mj ) be a complete residue system modulo
mj containing the solution set Xj (j = 1, 2, . . . , r), and let C(m) be a complete
residue system modulo m containing the solution set X of the system (5) of
congruences. By the Chinese Remainder Theorem we obtain a bijection

τ : C(m) → C(m1 ) × C(m2 ) × · · · × C(mr )

by defining
τ (x) = (x1 , x2 , . . . , xr ),
where each xj ∈ C(mj ) is a number satisfying the congruence xj ≡ x (mod mj ).
6 THE CHINESE REMAINDER THEOREM 26

If a ∈ X, then a is a solution of each individual congruence in the system (5).

Consequently, if aj ∈ C(mj ) and aj ≡ a (mod mj ), then aj is a solution of the
j th congruence of the system, i.e. aj belongs to the solution set Xj . We conclude
that τ (a) = (a1 , a2 , . . . , ar ) belongs to the set X1 ×X2 ×· · ·×Xr for each a ∈ X,
and the image τ (X) of X under τ is thus a subset of X1 × X2 × · · · × Xr .
Conversely, if τ (a) = (a1 , a2 , . . . , ar ) ∈ X1 ×X2 ×· · ·×Xr , then a solves each
individual congruence and thus belongs to X. This follows from Proposition
4.3, because a ≡ aj (mod mj ) and fj (aj ) ≡ 0 (mod mj ) for each j. Hence,
the bijection τ maps the subset X onto the subset X1 × X2 × · · · × Xr , and we
conclude that the number of elements in X equals n1 n2 · · · nr .

Example 2 Consider the system

(
x2 + x + 1 ≡ 0 (mod 7)
2x − 4 ≡ 0 (mod 6).

By trying x = 0, ±1, ±2, ±3, we find that x ≡ 2 (mod 7) and x ≡ −3 (mod 7)

are the solutions of the first congruence. Similarly, we find that x ≡ −1 (mod 6)
and x ≡ 2 (mod 6) solve the second congruence. We conclude that the system
has 4 incongruent solutions modulo 42. To find these, we have to solve each of
the following four systems:
( (
x ≡ 2 (mod 7) x ≡ 2 (mod 7)
x ≡ −1 (mod 6) x≡2 (mod 6)
( (
x ≡ −3 (mod 7) x ≡ −3 (mod 7)
x ≡ −1 (mod 6) x≡ 2 (mod 6).

We use the solution formula (4) obtained in the proof of the Chinese Remainder
Theorem. Thus, we determine b1 and b2 such that
42 42
b1 ≡ 1 (mod 7) and b2 ≡ 1 (mod 6).
7 6
We easily find that b1 = −1 and b2 = 1 solve these congruences, and hence we
can take δ1 = −6 and δ2 = 7. We conclude that four different solutions modulo
42 of our original system are

x1 = −6 · 2 + 7 · (−1) = −19 ≡ 23
x2 = −6 · 2 + 7 · 2 = 2
x3 = −6 · (−3) + 7 · (−1) = 11
x4 = −6 · (−3) + 7 · 2 = 32.

We now turn to an important special case of Theorem 6.4.

Theorem 6.5 Let f (x) be an integral polynomial. For each positive integer m,
let X(m) denote a complete set of roots modulo m of the polynomial congruence

f (x) ≡ 0 (mod m),

and let N (m) denote the number of roots.