MST Number Theory and Cryptographymath.fau.edu/yiu/MSTNT2014/MSTNT2014notes.pdf · 2014-08-14 ·...


MST Number Theory and Cryptography

Paul Yiu

Department of Mathematics, Florida Atlantic University

Fall 2008 (Revised 2014)

Chapters 1-30


Contents

1 Euclidean Algorithm and Linear Diophantine Equations  101
1.1 Euclidean algorithm and gcd  101
1.2 gcd(a, b) as an integer combination of a and b  102
1.3 Linear Diophantine equations  103
1.4 Exercises  103

2 Representation of integers in base b  105
2.1 Representation in a given base  105
2.2 Binary expansions  105
2.2.1 Calculation of high powers by repeated squaring  105
2.2.2 Parity of binomial coefficients  106
2.3 Highest power of a prime dividing a factorial  106
2.4 Exercises  107

3 Prime Numbers  109
3.1 Infinitude of prime numbers  109
3.2 The sieve of Eratosthenes  109
3.3 The Fundamental Theorem of Arithmetic  111
3.4 The number-of-divisors function  112
3.5 The sum-of-divisors function  113
3.6 Perfect numbers  113
3.7 Exercises  114

4 Linear Congruences  115
4.1 The ring of residues modulo n  115
4.2 Simultaneous linear congruences  116
4.3 Exercises  117

5 The Euler ϕ-function  119
5.1 Exercises  120

6 Fermat-Euler theorem  121
6.1 Primality test for Mersenne numbers  121
6.2 Pseudoprimes  122
6.3 Exercises  122

7 Pythagorean Triangles  201
7.1 Construction of Pythagorean triangles  201
7.2 Fermat Last Theorem for n = 4  202
7.3 Fermat's construction of primitive Pythagorean triangles with consecutive legs  202

8 Homogeneous quadratic equations in 3 variables  207
8.1 Pythagorean triangles revisited  207
8.2 Rational points on a conic  208
8.3 Integer triangles with a 60° angle  208
8.4 Integer triangles with a 120° angle  210

9 Heron triangles  213
9.1 The Heron formula  213
9.2 Heron triangles  214
9.3 Construction of Heron triangles  214
9.4 Heron triangles with sides in arithmetic progression  215
9.5 Heron triangles with integer inradii  216

10 Genealogy of Pythagorean triangles  219
10.1 Two ternary trees of rational numbers  219
10.2 Genealogy of Pythagorean triangles  221

11 Polygonal numbers  225
11.1 The polygonal numbers $P_{k,n}$  225
11.2 The equation $P_{k,a} + P_{k,b} = P_{k,c}$  226
11.3 Double ruling of S  226
11.4 Primitive Pythagorean triple associated with a k-gonal triple  227
11.5 Triples of triangular numbers  228
11.6 k-gonal triples determined by a Pythagorean triple  229

12 Quadratic Residues  301
12.1 Quadratic residues  301
12.2 The Legendre symbol  302
12.3 −1 as a quadratic residue mod p  303

13 The law of quadratic reciprocity  305
13.1 Gauss' lemma  305
13.2 The law of quadratic reciprocity  307

14 Calculation of square roots  311
14.1 Square roots modulo p  311
14.2 Square roots modulo an odd prime power  313
14.3 Squares modulo $2^k$  313

15 Primitive roots  315
15.1 Periodicity of decimal expansions of rational numbers  317

16 Sums of two and four squares  319
16.1 Fermat's two-square theorem  319
16.2 Representation of integers as sums of two squares  320
16.3 Lagrange's four-square theorem  320
16.3.1 Descent  321

17 Finite continued fractions  401
17.1 Euler's function F for finite continued fractions  401
17.2 Cornacchia's algorithm for a prime as a sum of two squares  402

18 Infinite continued fractions  405

19 Lagrange's Theorem  409
19.1 Purely periodic continued fractions  409
19.2 Eventually periodic continued fractions  409
19.3 Reduced quadratic irrationalities  410
19.4 Proof of Lagrange's theorem  410

20 The Pell Equation  413
20.1 The equation $x^2 - dy^2 = 1$  413
20.1.1 (untitled)  415
20.2 The equation $x^2 - dy^2 = -1$  415
20.3 The equation $x^2 - dy^2 = c$  416
20.4 Applications  417

21 Sums of consecutive squares  421
21.1 Sums of an odd number of consecutive squares  421
21.2 Even number of consecutive squares  423

22 Some simple cryptosystems  501
22.1 Shift ciphers  501
22.2 Affine ciphers  502
22.3 A matrix encryption system  505

23 A public key cryptosystem  509
23.1 RSA-cryptosystems  509
23.2 Signature  510

24 Factoring integers  513
24.1 Flipping a coin over the phone  513
24.2 The quadratic sieve  514
24.3 Factoring by continued fractions  515

25 Elliptic Curves  601
25.1 Group law on $y^2 = x^3 + ax^2 + bx + c$  601
25.2 The discriminant  602
25.3 Points of finite order  604

26 Factoring Integers 2  605
26.1 Pollard's algorithm  605
26.2 Factoring with elliptic curves  606

27 Some examples of the use of elliptic curves  609
27.1 The congruent number problem  609
27.2 Pairs of isosceles triangle and rectangle with equal perimeters and equal areas  610
27.3 Triangles with a median, an altitude, and an angle bisector concurrent  611

28 Heron triangles and Elliptic Curves  613
28.1 The elliptic curve $y^2 = (x - k)^2 - 4kx^3$  613
28.1.1 Proof of Theorem 28.1  616

29 The ring of Gaussian integers  701
29.1 The ring Z[i]  701
29.1.1 Norm and units  701
29.1.2 Gaussian primes  701
29.2 An alternative proof of Fermat's two-square theorem  703

30 Construction of indecomposable Heron triangles  705
30.1 Primitive Heron triangles  705
30.1.1 Triple of simplifying factors  706
30.1.2 Decomposition of Heron triangles  707
30.2 Gaussian integers  708
30.2.1 Heron triangles and Gaussian integers  708
30.3 Orthocentric Quadrangles  710
30.4 Indecomposable primitive Heron triangles  711
30.4.1 Construction of Heron triangles with given simplifying factors  712


Chapter 1

Euclidean Algorithm and Linear Diophantine Equations

1.1 Euclidean algorithm and gcd

The greatest common divisor (gcd) of two positive integers can be found without factorization of the integers, instead by a simple application of the Euclidean algorithm.

Theorem 1.1 (Euclidean algorithm). Given integers a and b ≠ 0, there are unique integers q and r satisfying

a = bq + r, 0 ≤ r < |b|. (1.1)

If r = 0, we say that a is divisible by b, or simply that b divides a, and write b|a. Suppose a = bq + c for integers a, b, c, and q (with q nonzero). It is easy to see that every common divisor of a and b is a common divisor of b and c, and conversely. Denote by gcd(a, b) the greatest element of the (nonempty) set of common divisors of a and b. Clearly, if b|a, then gcd(a, b) = b. In general, from (1.1), we have gcd(a, b) = gcd(b, r). These observations lead to a straightforward calculation of the gcd of two numbers. To be systematic, we write $a = r_{-1}$ and $b = r_0$ (assumed positive).

$r_{-1} = r_0 q_0 + r_1, \quad 0 \le r_1 < r_0,$

$r_0 = r_1 q_1 + r_2, \quad 0 \le r_2 < r_1,$

$r_1 = r_2 q_2 + r_3, \quad 0 \le r_3 < r_2,$

$r_2 = r_3 q_3 + r_4, \quad 0 \le r_4 < r_3,$

...

This division process eventually terminates since the remainders are decreasing, namely,

$r_{-1} > r_0 > r_1 > r_2 > \cdots$

and yet remain nonnegative. In other words, some $r_n$ divides the preceding $r_{n-1}$ (and leaves a remainder $r_{n+1} = 0$).

...

$r_{n-2} = r_{n-1} q_{n-1} + r_n, \quad 0 \le r_n < r_{n-1},$

$r_{n-1} = r_n q_n.$

From these,

$r_n = \gcd(r_{n-1}, r_n) = \gcd(r_{n-2}, r_{n-1}) = \cdots = \gcd(r_{-1}, r_0) = \gcd(a, b).$

1.2 gcd(a, b) as an integer combination of a and b.

The above calculation of gcd(a, b) can be retraced to give gcd(a, b) as an integer combination of a and b. Here is a more efficient way to obtain such an expression. In the table below, the integers $x_k$ and $y_k$ are obtained from $q_{k-1}$ in the same way as $r_k$, beginning with $(x_{-1}, x_0) = (1, 0)$ and $(y_{-1}, y_0) = (0, 1)$:

$x_k = x_{k-2} - q_{k-1} x_{k-1}, \quad x_{-1} = 1, \ x_0 = 0;$

$y_k = y_{k-2} - q_{k-1} y_{k-1}, \quad y_{-1} = 0, \ y_0 = 1.$

    k      q_k        r_k        x_k        y_k
   -1                 a          1          0
    0      q_0        b          0          1
    1      q_1        r_1        x_1        y_1
   ...     ...        ...        ...        ...
   n-1     q_{n-1}    r_{n-1}    x_{n-1}    y_{n-1}
    n      q_n        r_n        x_n        y_n
   n+1     q_{n+1}    0

In each of these steps, $r_k = a x_k + b y_k$. In particular,

$\gcd(a, b) = r_n = a x_n + b y_n.$

It can be proved that $|x_n| < b$ and $|y_n| < a$.

Theorem 1.2. Let p be a prime number. For every integer a not divisible by p, there exists an integer b such that ab − 1 is divisible by p.

Proof. If a is not divisible by the prime number p, then gcd(a, p) = 1. There are integers b and c such that ab + pc = 1. It is clear that ab − 1 is divisible by p.


1.3 Linear Diophantine equations

Theorem 1.3. Let a, b, c be integers, a and b nonzero. Consider the linear Diophantine equation

ax + by = c. (1.2)

1. The equation (1.2) is solvable in integers if and only if d := gcd(a, b) divides c.

2. If $(x, y) = (x_0, y_0)$ is a particular solution of (1.2), then every integer solution is of the form

$x = x_0 + \frac{b}{d} t, \qquad y = y_0 - \frac{a}{d} t,$

where t is an integer.

3. For c = gcd(a, b), a particular solution $(x, y) = (x_0, y_0)$ of (1.2) can be found such that $|x_0| < |b|$ and $|y_0| < |a|$.
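The following is an added worked example, not code from Yiu's notes: the extended Euclidean algorithm arranged exactly as the (k, q_k, r_k, x_k, y_k) table of Section 1.2, then used for Theorem 1.2 (an inverse modulo a prime) and for Theorem 1.3 (a particular solution of ax + by = c and the parametrization of all solutions). The function names and the representation of the table as a list of tuples are this example's own choices.

```python
# Added example, not code from Yiu's notes: the extended Euclidean algorithm
# laid out as the (k, q_k, r_k, x_k, y_k) table of Section 1.2, then applied to
# Theorem 1.2 (an inverse modulo a prime) and Theorem 1.3 (ax + by = c).
# Function names and the table layout are this example's own choices.


def extended_euclid(a, b):
    """Return (rows, g, x, y) with g = gcd(a, b) = a*x + b*y for positive a, b.

    rows is the table of Section 1.2, one tuple (k, q_k, r_k, x_k, y_k) per
    row, starting from k = -1 with (r, x, y) = (a, 1, 0) and k = 0 with
    (b, 0, 1).  The invariant r_k = a*x_k + b*y_k holds on every row.
    """
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive")
    r_prev, r_cur = a, b      # r_{-1}, r_0
    x_prev, x_cur = 1, 0      # x_{-1}, x_0
    y_prev, y_cur = 0, 1      # y_{-1}, y_0
    rows = [(-1, None, r_prev, x_prev, y_prev)]
    k = 0
    while r_cur != 0:
        q = r_prev // r_cur   # q_k: quotient of r_{k-1} by r_k
        rows.append((k, q, r_cur, x_cur, y_cur))
        assert r_cur == a * x_cur + b * y_cur
        # r_{k+1} = r_{k-1} - q_k r_k, and the same recurrence for x and y
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        x_prev, x_cur = x_cur, x_prev - q * x_cur
        y_prev, y_cur = y_cur, y_prev - q * y_cur
        k += 1
    rows.append((k, None, 0, None, None))   # last row: r_{n+1} = 0
    return rows, r_prev, x_prev, y_prev


def bezout_within_bounds(a, b):
    """Check the claim after the table: |x_n| < b and |y_n| < a."""
    _, _, x, y = extended_euclid(a, b)
    return abs(x) < b and abs(y) < a


def inverse_mod_prime(a, p):
    """Theorem 1.2: for a prime p not dividing a, return b with a*b = 1 (mod p)."""
    a %= p
    if a == 0:
        raise ValueError("a is divisible by p")
    _, g, x, _ = extended_euclid(a, p)
    if g != 1:
        raise ValueError("p is not prime (a and p share a factor)")
    return x % p


def solve_linear_diophantine(a, b, c):
    """Theorem 1.3 for nonzero a, b: a particular solution of ax + by = c and
    the step of the general solution x = x0 + (b/d)t, y = y0 - (a/d)t.

    Returns (x0, y0, b//d, -(a//d)), or None when d = gcd(a, b) does not divide c.
    """
    if a == 0 or b == 0:
        raise ValueError("a and b must be nonzero")
    _, d, x, y = extended_euclid(abs(a), abs(b))
    if a < 0:
        x = -x                # a sign flip on a or b flips the Bezout coefficient
    if b < 0:
        y = -y
    if c % d != 0:
        return None           # part 1: no integer solution
    m = c // d
    return x * m, y * m, b // d, -(a // d)


def diophantine_solutions(a, b, c, t_range):
    """Enumerate (x, y) for t in t_range using the parametrization of part 2."""
    sol = solve_linear_diophantine(a, b, c)
    if sol is None:
        return []
    x0, y0, dx, dy = sol
    return [(x0 + dx * t, y0 + dy * t) for t in t_range]


if __name__ == "__main__":
    rows, g, x, y = extended_euclid(240, 46)
    for row in rows:
        print(row)
    print("gcd =", g, "=", 240, "*", x, "+", 46, "*", y)
    print("Exercise 3, 5x + 12y = 3:", diophantine_solutions(5, 12, 3, range(-2, 3)))
```

Running the block on (240, 46) prints the six table rows and gcd = 2 = 240·(−9) + 46·47; note that |−9| < 46 and |47| < 240, as the text claims for the last row. The Diophantine part answers Exercise 3 below: 5x + 12y = 3 has the particular solution (15, −6) and the general solution (15 + 12t, −6 − 5t).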

1.4 Exercises

1. Show that (n! + 1, (n+ 1)! + 1) = 1.

2. Instead of successive divisions, the gcd of two positive numbers can be found by repeated subtractions. Make use of this to find $\gcd(2^a - 1, 2^b - 1)$ for positive integers a and b.

3. Find a parametrization of the integer points on the line 5x + 12y = 3.

4. In how many ways can a number of 49-cent and 110-cent stamps be purchased with exactly 40 dollars? Is it possible to buy these with exactly 20 dollars?

5. Somebody received a check, calling for a certain amount of money in dollars and cents. When he went to cash the check, the teller made a mistake and paid him the amount which was written as cents, in dollars, and vice versa. Later, after spending $3.50, he suddenly realized that he had twice the amount of the money the check called for. What was the amount on the check?

6. Given relatively prime integers a and b, what is the largest integer which cannot be written as ax + by for nonnegative integers x and y?


Chapter 2

Representation of integers in base b

2.1 Representation in a given base

Given any positive integer b > 1, every positive integer n has a unique representation of the form

$n = c_k b^k + c_{k-1} b^{k-1} + \cdots + c_1 b + c_0$

for nonnegative integers $c_0, c_1, \ldots, c_k < b$ with $c_k$ nonzero. We usually write

$n = (c_k c_{k-1} \cdots c_1 c_0)_b$

and call this the base b expansion of n.

2.2 Binary expansions

2.2.1 Calculation of high powers by repeated squaring

Let a > 1 be a fixed number, and n a large integer. The number $a^n$ can be computed by repeated squaring, making use of the binary expansion of the exponent n. If

$n = (c_k c_{k-1} \cdots c_1 c_0)_2,$

we take successive squares k times beginning with a, and record them in the middle column in the table below.

    j      a^{2^j}    c_j
    0      a
    1      a^2
   ...     ...
    k      a^{2^k}
           product

Fill the column under $c_j$ with the corresponding binary digits of n. Then $a^n$ is the product of those entries (in the middle column) with a 1 in the same row and the third column.
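An added worked example (not code from Yiu's notes) of the table above: the successive squares go in the middle column, the binary digits of n in the third, and the product of the rows marked 1 is $a^n$. The optional modulus m is this example's own addition so that the table entries stay small; the notes compute $a^n$ itself, which the block does when m is omitted.

```python
# Added example, not code from Yiu's notes: the repeated-squaring table of
# Section 2.2.1, with an optional modulus m so the table entries stay small
# (the reduction mod m is this example's addition; the notes compute a^n itself).


def binary_digits(n):
    """Base-2 digits c_0, c_1, ..., c_k of n >= 1, least significant first."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    digits = []
    while n:
        digits.append(n & 1)
        n >>= 1
    return digits


def power_by_repeated_squaring(a, n, m=None):
    """Return (table, a**n [mod m]) where table lists (j, a^(2^j), c_j).

    Row j holds the j-th successive square in the middle column and the
    binary digit c_j of n in the third column; the result is the product
    of the middle-column entries whose row has c_j = 1.
    """
    digits = binary_digits(n)
    table = []
    square = a % m if m is not None else a    # a^(2^0) = a
    product = 1
    for j, c_j in enumerate(digits):
        table.append((j, square, c_j))
        if c_j == 1:
            product *= square
            if m is not None:
                product %= m
        square *= square                         # a^(2^(j+1)) = (a^(2^j))^2
        if m is not None:
            square %= m
    return table, product


def format_table(table):
    """Render the table as in the notes: j, a^(2^j), c_j, one row per digit."""
    lines = ["  j  a^(2^j)  c_j"]
    for j, value, c_j in table:
        lines.append(f"{j:3d}  {value:7d}  {c_j}")
    return "\n".join(lines)


if __name__ == "__main__":
    table, value = power_by_repeated_squaring(3, 13)
    print(format_table(table))
    print("3^13 =", value)
    print("3^13 mod 1000 =", power_by_repeated_squaring(3, 13, 1000)[1])
```

For a = 3 and n = 13 = (1101)₂ the table has four rows with middle column 3, 9, 81, 6561 and third column 1, 0, 1, 1, so $3^{13} = 3 \cdot 81 \cdot 6561 = 1594323$; with m = 1000 the same four rows hold 3, 9, 81, 561 and the product is 323. The number of multiplications is at most twice the number of binary digits of n, which is why the method scales to the large exponents used later in the notes.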

2.2.2 Parity of binomial coefficients

Theorem 2.1 (Lucas). Let $m = (a_k a_{k-1} \cdots a_1 a_0)_2$ and $n = (b_k b_{k-1} \cdots b_1 b_0)_2$ be the binary expansions of positive integers m ≥ n. The binomial coefficient $\binom{m}{n}$ is odd if and only if for each i = 0, 1, ..., k, $a_i = 1$ whenever $b_i = 1$.

Example 2.1. $\binom{55}{35}$ is odd since

$55 = 110111_2$
$35 = 100011_2.$

On the other hand, $\binom{55}{25}$ is even since

$55 = 110111_2$
$25 = 011001_2.$

2.3 Highest power of a prime dividing a factorial

The exponent of the highest power of 2 dividing 18! is, counting the asterisks along the rows in the matrix below, 9 + 4 + 2 + 1 = 16.

      1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
  2      *     *     *     *     *     *     *     *     *
  4            *           *           *           *
  8                        *                       *
 16                                                *

Proposition 2.2. The exponent of the highest power of a prime p dividing n! is

$\left[\frac{n}{p}\right] + \left[\frac{n}{p^2}\right] + \left[\frac{n}{p^3}\right] + \cdots$

Let $n = (a_k a_{k-1} \cdots a_1 a_0)_p$ be the base p expansion of n. The exponent of the highest power of p dividing n! is the sum of the following numbers (written in base p, they are $[n/p], [n/p^2], \ldots, [n/p^k]$):

$a_k\, a_{k-1}\, a_{k-2} \cdots a_2\, a_1$
$a_k\, a_{k-1} \cdots a_3\, a_2$
$a_k \cdots a_4\, a_3$
$\cdots$
$a_k\, a_{k-1}$
$a_k$

Let R(p; k) be the integer whose base p expansion consists of k digits each of which is 1. Clearly, $R(p; k) = \frac{1}{p-1}(p^k - 1)$. Adding the numbers above along the diagonals, we have

$a_k \cdot R(p; k) + a_{k-1} \cdot R(p; k-1) + \cdots + a_2 \cdot R(p; 2) + a_1 \cdot R(p; 1)$

$= a_k \cdot \frac{p^k - 1}{p - 1} + a_{k-1} \cdot \frac{p^{k-1} - 1}{p - 1} + \cdots + a_2 \cdot \frac{p^2 - 1}{p - 1} + a_1 \cdot \frac{p - 1}{p - 1} + a_0 \cdot \frac{1 - 1}{p - 1}$

$= \frac{n - (a_k + a_{k-1} + \cdots + a_1 + a_0)}{p - 1}.$

Corollary 2.3. Let α(n) denote the number of ones in the binary expansion of n. The exponent of the highest power of 2 dividing n! is n − α(n).

Theorem 2.4 (Kummer). The exponent of the highest power of a prime p dividing the binomial coefficient $\binom{a+b}{a}$ is equal to the number of carries in performing the addition of a and b in base p.
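An added worked example, not code from Yiu's notes, covering Section 2.2.2 and Section 2.3 together: Proposition 2.2 (the sum of $[n/p^i]$), the digit-sum form $(n - \sum a_i)/(p-1)$ and Corollary 2.3, Lucas' parity test, and Kummer's carry count, each computed independently so the theorems can be checked against one another and against exact binomial coefficients. Function names are this example's own.

```python
# Added example, not code from Yiu's notes: Proposition 2.2 (Legendre's
# formula), Corollary 2.3, Theorem 2.1 (Lucas) and Theorem 2.4 (Kummer)
# computed side by side so each can be checked against the others.
# Function names are this example's own.
from math import comb


def base_digits(n, p):
    """Base-p digits of n >= 0, least significant first ([0] for n = 0)."""
    if n < 0 or p < 2:
        raise ValueError("need n >= 0 and p >= 2")
    if n == 0:
        return [0]
    digits = []
    while n:
        n, r = divmod(n, p)
        digits.append(r)
    return digits


def legendre_exponent(n, p):
    """Proposition 2.2: [n/p] + [n/p^2] + [n/p^3] + ..., the exponent of p in n!."""
    total, q = 0, p
    while q <= n:
        total += n // q
        q *= p
    return total


def legendre_exponent_by_digits(n, p):
    """The same exponent as (n - digit sum of n in base p) / (p - 1)."""
    return (n - sum(base_digits(n, p))) // (p - 1)


def alpha(n):
    """Corollary 2.3: alpha(n), the number of ones in the binary expansion of n."""
    return sum(base_digits(n, 2))


def exponent_in_binomial(n, k, p):
    """Exponent of p in C(n, k) = n! / (k! (n-k)!), via Proposition 2.2."""
    return (legendre_exponent(n, p) - legendre_exponent(k, p)
            - legendre_exponent(n - k, p))


def kummer_carries(a, b, p):
    """Theorem 2.4: number of carries when a and b are added in base p."""
    da, db = base_digits(a, p), base_digits(b, p)
    width = max(len(da), len(db))
    da += [0] * (width - len(da))
    db += [0] * (width - len(db))
    carry = carries = 0
    for x, y in zip(da, db):
        carry = 1 if x + y + carry >= p else 0
        carries += carry
    return carries


def binomial_is_odd(m, n):
    """Theorem 2.1 (Lucas): C(m, n) is odd iff every 1-bit of n is a 1-bit of m."""
    return (m & n) == n


def verify_up_to(n_max, p):
    """Brute-force check of Kummer and Lucas against math.comb for all k <= n <= n_max."""
    for n in range(n_max + 1):
        for k in range(n + 1):
            value = comb(n, k)
            e = 0
            while value % p == 0:
                value //= p
                e += 1
            if e != kummer_carries(k, n - k, p) or e != exponent_in_binomial(n, k, p):
                return False
            if p == 2 and binomial_is_odd(n, k) != (e == 0):
                return False
    return True


if __name__ == "__main__":
    print("exponent of 2 in 18!:", legendre_exponent(18, 2))
    print("C(55,35) odd?", binomial_is_odd(55, 35), " C(55,25) odd?", binomial_is_odd(55, 25))
    print("2-adic exponent of C(100,50):", exponent_in_binomial(100, 50, 2),
          " carries of 50+50 in base 2:", kummer_carries(50, 50, 2))
    print("trailing zeros of 1000!:", legendre_exponent(1000, 5))
```

The block reproduces the worked numbers of this section (18! is divisible by exactly $2^{16}$, $\binom{55}{35}$ is odd and $\binom{55}{25}$ is even) and answers Exercises 7 and 9 below: $\binom{100}{50}$ is divisible by exactly $2^3$, which is also the number of carries in 50 + 50 in base 2, and the number of trailing zeros of 1000! is the exponent of 5, namely 249.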

2.4 Exercises

1. (a) Multiply in base 2: $1111_2$ and $11111_2$.

(b) Let h ≥ k be positive integers. Multiply in base 2 the numbers 11···1 (h 1's) and 11···1 (k 1's). Distinguish between the cases h = k and h > k.

2. Solve the equation $(b^x - 1)(b^y - 1) = b^z + 1$ for positive integers b > 1, x, y, z.

3. Multiply in base 7:

$[12346]_7 \times [06]_7 =$

$[12346]_7 \times [15]_7 =$

$[12346]_7 \times [24]_7 =$

$[12346]_7 \times [33]_7 =$

$[12346]_7 \times [42]_7 =$

$[12346]_7 \times [51]_7 =$

4. Find all positive integers n such that $2^{13} + 2^{10} + 2^n$ is a square.

5. Find all positive integers n such that $2^{14} + 2^{10} + 2^n$ is a square.

6. Ask your friend to write down a polynomial f(x) with nonnegative integer coefficients. Ask her for the value of f(1). She returns 7. Ask her for the value of f(8). She returns 4305. What is the polynomial?

7. (a) What is the highest power of 2 dividing 100!?

(b) What is the highest power of 2 dividing the binomial coefficient $\binom{100}{50}$?

8. The exponent of the highest power of 2 dividing the binomial coefficient $\binom{n}{k}$ is α(k) + α(n − k) − α(n).

9. How many zeros are there at the end of the decimal expansion of 1000!? Answer: 249.

Page 17: MST Number Theory and Cryptographymath.fau.edu/yiu/MSTNT2014/MSTNT2014notes.pdf · 2014-08-14 · MST Number Theory and Cryptography Paul Yiu Department of Mathematics Florida Atlantic

Chapter 3

Prime Numbers

3.1 Infinitude of prime numbers

A positive integer > 1 is prime if it is not divisible by any positive integer other than 1 and itself.

Theorem 3.1 (Euclid). There are infinitely many prime numbers.

Proof. If $p_1, p_2, \ldots, p_k$ were all the primes, the number $p_1 p_2 \cdots p_k + 1$, not being divisible by any of them, should admit a prime factor different from any of them. This is clearly a contradiction.

3.2 The sieve of Eratosthenes

If N is not a prime number, it must have a factor ≤ √N. Given an integer N, to determine all the prime numbers ≤ N, we proceed as follows. Start with the sequence

2, 3, 4, 5, 6, ..., N,

with each entry unmarked, and the set P = ∅.

(1) Note the smallest entry a of the sequence that is not marked.

(2) If a ≤ √N, mark each entry of the sequence which is a multiple of a, but not equal to a, and replace P by P ∪ {a}.

(3) If a > √N, stop. The set P now consists of the totality of prime numbers ≤ N.


Primes below 10000

2 3 5 7 11 13 17 19 23 29 31 37 41 43 4753 59 61 67 71 73 79 83 89 97 101 103 107 109 113

127 131 137 139 149 151 157 163 167 173 179 181 191 193 197199 211 223 227 229 233 239 241 251 257 263 269 271 277 281283 293 307 311 313 317 331 337 347 349 353 359 367 373 379383 389 397 401 409 419 421 431 433 439 443 449 457 461 463467 479 487 491 499 503 509 521 523 541 547 557 563 569 571577 587 593 599 601 607 613 617 619 631 641 643 647 653 659661 673 677 683 691 701 709 719 727 733 739 743 751 757 761769 773 787 797 809 811 821 823 827 829 839 853 857 859 863877 881 883 887 907 911 919 929 937 941 947 953 967 971 977983 991 997 1009 1013 1019 1021 1031 1033 1039 1049 1051 1061 1063 1069

1087 1091 1093 1097 1103 1109 1117 1123 1129 1151 1153 1163 1171 1181 11871193 1201 1213 1217 1223 1229 1231 1237 1249 1259 1277 1279 1283 1289 12911297 1301 1303 1307 1319 1321 1327 1361 1367 1373 1381 1399 1409 1423 14271429 1433 1439 1447 1451 1453 1459 1471 1481 1483 1487 1489 1493 1499 15111523 1531 1543 1549 1553 1559 1567 1571 1579 1583 1597 1601 1607 1609 16131619 1621 1627 1637 1657 1663 1667 1669 1693 1697 1699 1709 1721 1723 17331741 1747 1753 1759 1777 1783 1787 1789 1801 1811 1823 1831 1847 1861 18671871 1873 1877 1879 1889 1901 1907 1913 1931 1933 1949 1951 1973 1979 19871993 1997 1999 2003 2011 2017 2027 2029 2039 2053 2063 2069 2081 2083 20872089 2099 2111 2113 2129 2131 2137 2141 2143 2153 2161 2179 2203 2207 22132221 2237 2239 2243 2251 2267 2269 2273 2281 2287 2293 2297 2309 2311 23332339 2341 2347 2351 2357 2371 2377 2381 2383 2389 2393 2399 2411 2417 24232437 2441 2447 2459 2467 2473 2477 2503 2521 2531 2539 2543 2549 2551 25572579 2591 2593 2609 2617 2621 2633 2647 2657 2659 2663 2671 2677 2683 26872689 2693 2699 2707 2711 2713 2719 2729 2731 2741 2749 2753 2767 2777 27892791 2797 2801 2803 2819 2833 2837 2843 2851 2857 2861 2879 2887 2897 29032909 2917 2927 2939 2953 2957 2963 2969 2971 2999 3001 3011 3019 3023 30373041 3049 3061 3067 3079 3083 3089 3109 3119 3121 3137 3163 3167 3169 31813187 3191 3203 3209 3217 3221 3229 3251 3253 3257 3259 3271 3299 3301 33073313 3319 3323 3329 3331 3343 3347 3359 3361 3371 3373 3389 3391 3407 34133433 3449 3457 3461 3463 3467 3469 3491 3499 3511 3517 3527 3529 3533 35393541 3547 3557 3559 3571 3581 3583 3593 3607 3613 3617 3623 3631 3637 36433659 3671 3673 3677 3691 3697 3701 3709 3719 3727 3733 3739 3761 3767 37693779 3793 3797 3803 3821 3823 3833 3847 3851 3853 3863 3877 3881 3889 39073911 3917 3919 3923 3929 3931 3943 3947 3967 3989 4001 4003 4007 4013 40194021 4027 4049 4051 4057 4073 4079 4091 4093 4099 4111 4127 4129 4133 41394153 4157 4159 4177 4201 4211 4217 4219 4229 4231 4241 4243 4253 4259 
42614271 4273 4283 4289 4297 4327 4337 4339 4349 4357 4363 4373 4391 4397 44094421 4423 4441 4447 4451 4457 4463 4481 4483 4493 4507 4513 4517 4519 45234547 4549 4561 4567 4583 4591 4597 4603 4621 4637 4639 4643 4649 4651 46574663 4673 4679 4691 4703 4721 4723 4729 4733 4751 4759 4783 4787 4789 47934799 4801 4813 4817 4831 4861 4871 4877 4889 4903 4909 4919 4931 4933 49374943 4951 4957 4967 4969 4973 4987 4993 4999 5003 5009 5011 5021 5023 50395051 5059 5077 5081 5087 5099 5101 5107 5113 5119 5147 5153 5167 5171 51795189 5197 5209 5227 5231 5233 5237 5261 5273 5279 5281 5297 5303 5309 53235333 5347 5351 5381 5387 5393 5399 5407 5413 5417 5419 5431 5437 5441 54435449 5471 5477 5479 5483 5501 5503 5507 5519 5521 5527 5531 5557 5563 55695573 5581 5591 5623 5639 5641 5647 5651 5653 5657 5659 5669 5683 5689 56935701 5711 5717 5737 5741 5743 5749 5779 5783 5791 5801 5807 5813 5821 58275839 5843 5849 5851 5857 5861 5867 5869 5879 5881 5897 5903 5923 5927 59395953 5981 5987 6007 6011 6029 6037 6043 6047 6053 6067 6073 6079 6089 60916101 6113 6121 6131 6133 6143 6151 6163 6173 6197 6199 6203 6211 6217 62216229 6247 6257 6263 6269 6271 6277 6287 6299 6301 6311 6317 6323 6329 63376343 6353 6359 6361 6367 6373 6379 6389 6397 6421 6427 6449 6451 6469 64736481 6491 6521 6529 6547 6551 6553 6563 6569 6571 6577 6581 6599 6607 66196637 6653 6659 6661 6673 6679 6689 6691 6701 6703 6709 6719 6733 6737 67616763 6779 6781 6791 6793 6803 6823 6827 6829 6833 6841 6857 6863 6869 68716883 6899 6907 6911 6917 6947 6949 6959 6961 6967 6971 6977 6983 6991 69977001 7013 7019 7027 7039 7043 7057 7069 7079 7103 7109 7121 7127 7129 71517159 7177 7187 7193 7207 7211 7213 7219 7229 7237 7243 7247 7253 7283 72977307 7309 7321 7331 7333 7349 7351 7369 7393 7411 7417 7433 7451 7457 74597477 7481 7487 7489 7499 7507 7517 7523 7529 7537 7541 7547 7549 7559 75617573 7577 7583 7589 7591 7603 7607 7621 7639 7643 7649 7669 7673 7681 76877691 7699 7703 7717 7723 7727 7741 7753 7757 7759 7789 7793 7817 7823 
78297841 7853 7867 7873 7877 7879 7883 7901 7907 7919 7927 7933 7937 7949 79517963 7993 8009 8011 8017 8039 8053 8059 8069 8081 8087 8089 8093 8101 81118117 8123 8147 8161 8167 8171 8179 8191 8209 8219 8221 8231 8233 8237 82438263 8269 8273 8287 8291 8293 8297 8311 8317 8329 8353 8363 8369 8377 83878389 8419 8423 8429 8431 8443 8447 8461 8467 8501 8513 8521 8527 8537 85398543 8563 8573 8581 8597 8599 8609 8623 8627 8629 8641 8647 8663 8669 86778681 8689 8693 8699 8707 8713 8719 8731 8737 8741 8747 8753 8761 8779 87838803 8807 8819 8821 8831 8837 8839 8849 8861 8863 8867 8887 8893 8923 89298933 8941 8951 8963 8969 8971 8999 9001 9007 9011 9013 9029 9041 9043 90499059 9067 9091 9103 9109 9127 9133 9137 9151 9157 9161 9173 9181 9187 91999203 9209 9221 9227 9239 9241 9257 9277 9281 9283 9293 9311 9319 9323 93379341 9343 9349 9371 9377 9391 9397 9403 9413 9419 9421 9431 9433 9437 94399461 9463 9467 9473 9479 9491 9497 9511 9521 9533 9539 9547 9551 9587 96019613 9619 9623 9629 9631 9643 9649 9661 9677 9679 9689 9697 9719 9721 97339739 9743 9749 9767 9769 9781 9787 9791 9803 9811 9817 9829 9833 9839 98519857 9859 9871 9883 9887 9901 9907 9923 9929 9931 9941 9949 9967 9973


3.3 The Fundamental Theorem of Arithmetic

Lemma 3.2. Let p be a prime. If p|ab, then p|a or p|b.

Proof. Write ab = pc for an integer c. Suppose p ∤ a; then gcd(a, p) = 1. There are integers x and y such that ax + py = 1. From this,

$b = (ax + py)b = (ab)x + p(by) = (pc)x + p(by) = p(cx + by)$

is divisible by p.

Theorem 3.3. Every positive integer > 1 is uniquely a product of powers of prime numbers.

Proof. (Existence) This follows easily from the fact that every integer > 1 is either a prime or a product of primes.

(Uniqueness) Suppose

$N = p_1 p_2 \cdots p_h, \qquad N = q_1 q_2 \cdots q_k,$

for prime numbers $p_1, \ldots, p_h$ and $q_1, \ldots, q_k$ satisfying

$p_1 \le p_2 \le \cdots \le p_h$ and $q_1 \le q_2 \le \cdots \le q_k$.

We must have h = k and $p_i = q_i$ for each i = 1, ..., h. If this is not true, there must be a least positive integer N with two distinct factorizations as above. Note that none of the primes $p_1, \ldots, p_h$ is equal to any of the primes $q_1, \ldots, q_k$, for if there is a common prime p in the two lists, then N/p is a smaller positive integer with two different prime factorizations. This contradicts the minimality of N.

Now we may assume $p_1 > q_1$. Consider the number

$N' = (p_1 - q_1) p_2 \cdots p_h.$

Clearly, $p_1 - q_1$ is not divisible by $q_1$. Therefore the prime $q_1$ does not appear in this factorization of N′. On the other hand, if we rewrite

$N' = p_1 p_2 \cdots p_h - q_1 p_2 \cdots p_h = q_1 q_2 \cdots q_k - q_1 p_2 \cdots p_h = q_1(q_2 \cdots q_k - p_2 \cdots p_h),$

we have a factorization containing the prime divisor $q_1$. Hence the number N′ < N has non-unique factorizations into primes. This again contradicts the minimality of N.


3.4 The number-of-divisors function

The number-of-divisors function:

$d(n) := |\{d \in \mathbb{N} : d \mid n\}|.$

Lemma 3.4. Let a and b be relatively prime, and let a′b′ divide ab.
(a) If a′ is relatively prime to b, then a′ is a divisor of a.
(b) If b′ is relatively prime to a, then b′ is a divisor of b.

Proof. Suppose ab = a′b′c for some integer c. It is enough to prove (a). If a′ is relatively prime to b, then there are integers x and y such that a′x + by = 1. From this,

$a = a(a'x + by) = a'(ax) + (ab)y = a'(ax) + (a'b'c)y = a'(ax + b'cy).$

This shows that a′ divides a.

Corollary 3.5. Let a and b be relatively prime. Every divisor of ab is of the form a′b′, with a′|a and b′|b.

Proposition 3.6. The number-of-divisors function is multiplicative, i.e., if a and b are relatively prime, then d(ab) = d(a)d(b).

Proposition 3.7. Let p be a prime. $d(p^k) = k + 1$.

Proof. The divisors of $p^k$ are $p^h$ for h = 0, ..., k.

Example 3.1. Find the least number n with d(n) = 12. Since

12 = 6 · 2 = 4 · 3 = 3 · 2 · 2,

if d(n) = 12, n has one of the factorizations

$p^{11}, \quad p^5 q, \quad p^3 q^2, \quad p^2 q r$

for prime numbers p, q, r. The smallest is $2^2 \cdot 3 \cdot 5 = 60$.

Example 3.2. In how many ways can $\frac{1}{n}$ be written as $\frac{1}{x} + \frac{1}{y}$ for positive integers x and y? If $\frac{1}{x} + \frac{1}{y} = \frac{1}{n}$, we obtain, by clearing denominators,

$(x - n)(y - n) = n^2.$

Therefore each factorization of $n^2$ into a product ab with a ≤ b determines uniquely x ≤ y with $\frac{1}{x} + \frac{1}{y} = \frac{1}{n}$. There are exactly $\frac{1}{2}(d(n^2) + 1)$ pairs.


3.5 The sum-of-divisors function

The sum-of-divisors function:

$\sigma(n) := \sum_{d \mid n} d.$

Proposition 3.8. The sum-of-divisors function is multiplicative, i.e., if a and b are relatively prime, then σ(ab) = σ(a)σ(b).

Proposition 3.9. Let p be a prime. $\sigma(p^k) = 1 + p + \cdots + p^k = \frac{p^{k+1} - 1}{p - 1}.$

3.6 Perfect numbers

A perfect number is an integer equal to the sum of all of its divisors, including 1 but excluding the number itself. Euclid had given the following rule of construction of even perfect numbers. If M_k := 1 + 2 + · · · + 2^{k−1} = 2^k − 1 is a prime number, [1] then the number N_k := 2^{k−1} M_k is perfect. Now, in terms of the function σ, an integer n is perfect if σ(n) = 2n. Here is an easy proof of Euclid’s construction:

σ(N_k) = σ(2^{k−1} M_k) = σ(2^{k−1}) σ(M_k) = (2^k − 1)(1 + M_k)
       = M_k · 2^k = 2 · 2^{k−1} M_k = 2N_k.

Therefore, N_k is an even perfect number. Euler has subsequently shown that every even perfect number must be of this form. [2]

Let N be an even perfect number, factored into the form N = 2^{k−1} · m, where k − 1 ≥ 1 and m is odd. Thus,

2N = σ(N) = σ(2^{k−1} · m) = σ(2^{k−1}) σ(m) = (2^k − 1) σ(m).

It follows that

σ(m) = 2N/(2^k − 1) = (2^k/(2^k − 1)) · m = m + m/(2^k − 1).

Note that the number m/(2^k − 1), being the difference σ(m) − m, is an integer. As such, it is a divisor of m. This expression shows that m has exactly two divisors. From this we conclude that m/(2^k − 1) = 1 and m = 2^k − 1 is a prime. This means that every even perfect number must be of the form 2^{k−1}(2^k − 1) in which the factor 2^k − 1 is a prime. This was exactly what Euclid gave.
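The divisor functions of §3.4–3.6 in working code, as an added example that is not part of Yiu's notes: d(n) and σ(n) are computed from the prime factorization using the multiplicativity of Propositions 3.6 and 3.8 and the prime-power values of Propositions 3.7 and 3.9, the count of Example 3.2 is checked by listing the pairs, and Euclid's numbers N_k are tested for perfection with σ(n) = 2n. All function names are mine; the trial-division factorization is only adequate for small n.

```python
from math import isqrt


def factorize(n):
    """Prime factorization of n >= 1 by trial division, as a list of (p, a) pairs."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            a = 0
            while n % p == 0:
                n //= p
                a += 1
            factors.append((p, a))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def d(n):
    """Number of divisors, via multiplicativity and d(p^a) = a + 1 (Propositions 3.6, 3.7)."""
    count = 1
    for _, a in factorize(n):
        count *= a + 1
    return count


def sigma(n):
    """Sum of divisors, via multiplicativity and sigma(p^a) = (p^(a+1) - 1)/(p - 1) (3.8, 3.9)."""
    total = 1
    for p, a in factorize(n):
        total *= (p ** (a + 1) - 1) // (p - 1)
    return total


def least_with_divisor_count(k):
    """Smallest n with d(n) = k by direct search; Example 3.1 gives 60 for k = 12."""
    n = 1
    while d(n) != k:
        n += 1
    return n


def egyptian_pairs(n):
    """All x <= y with 1/x + 1/y = 1/n, read off from (x - n)(y - n) = n^2 (Example 3.2)."""
    m, pairs = n * n, []
    for a in range(1, isqrt(m) + 1):        # a <= b with ab = n^2
        if m % a == 0:
            pairs.append((n + a, n + m // a))
    return pairs


def euclid_number(k):
    """N_k = 2^(k-1) M_k with M_k = 2^k - 1 (section 3.6)."""
    return 2 ** (k - 1) * (2 ** k - 1)


def is_perfect(n):
    """n is perfect iff sigma(n) = 2n."""
    return sigma(n) == 2 * n


if __name__ == "__main__":
    print(least_with_divisor_count(12), egyptian_pairs(6))
    # N_k is perfect exactly for the k with M_k prime: 2, 3, 5, 7 below 13
    print([k for k in range(2, 14) if is_perfect(euclid_number(k))])
```

The number of pairs returned by egyptian_pairs(n) is (d(n^2) + 1)/2 because n^2 is a square, so d(n^2) is odd and the factorization a = b = n is counted once.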

[1] The number M_k = 2^k − 1 is usually known as the k-th Mersenne number. There are only 44 known Mersenne primes. The latest and greatest record is M_{32582657}, which has 9808358 digits. It is also the greatest known prime.

[2] It is not known if an odd perfect number exists.



3.7 Exercises

1. Show that 3, 5, 7 form the only prime triple.

2. Given any integer k ≥ 2, it is always possible to find a sequence of k consecutive integers which are all composites.

3. If n is a positive integer, does there exist a positive integer k such that the sequence

k + 1, 2k + 1, 3k + 1, . . . , nk + 1

consists only of composite numbers?

4. Prove that in the infinite sequence of integers

10001, 100010001, 1000100010001, . . .

there is no prime number.

5. If n = ∏_{i=1}^{k} p_i^{a_i} is the prime factorization of n, then n has altogether τ(n) = ∏_{i=1}^{k} (1 + a_i) divisors.

6. Find all sequences of 49 consecutive integers whose squares add up to a square.

7. Prove that for n ≥ 2, 1 + 1/2 + 1/3 + · · · + 1/n is never an integer.

8. (a) Show that √2 is not a rational number.
(b) More generally, for an integer N, √N is a rational number if and only if N is the square of an integer.

9. d(n) is an odd number if and only if n is a square.

10. Find the least number n with d(n) = 100.

11. Find the least number n with d(n) = 96.


Chapter 4

Linear Congruences

4.1 The ring of residues modulo n

Let n > 1 be a positive integer. We define a relation on the set of integers:

a ≡ b mod n if and only if a− b = nq for some q ∈ Z.

This is an equivalence relation. For each integer x, we write

[x] = {y ∈ Z : y ≡ x mod n}

and call this the residue class of x mod n. There are altogether n distinct residue classes, represented by 0, 1, . . . , n − 1. We denote the set of residue classes by Z_n.

The arithmetic operations of integers respect the congruence relation modulo n, i.e., if a ≡ a′ mod n and b ≡ b′ mod n, then

(i) a ± b ≡ a′ ± b′ mod n,
(ii) ab ≡ a′b′ mod n.

Thus, there are an addition and a multiplication in the set Z_n given by

[a] + [b] = [a + b] and [a] · [b] = [ab].

Clearly, the additive and multiplicative identities are the residue classes [0] and [1] respectively. We summarize these by saying that Z_n is a ring.

A unit in Z_n is an element which has a multiplicative inverse. In other words, [a] ∈ Z_n is a unit if and only if there exists b such that [a][b] = [1]. This means that ab − 1 = nq for an integer q. From this, gcd(a, n) = 1. Conversely, if gcd(a, n) = 1, then there are integers b and q such that ab − nq = 1, from which [a][b] = [1].

Theorem 4.1. (a) In Z_n, a residue class [a] is a unit if and only if gcd(a, n) = 1.
(b) Z_n is a field if and only if n is a prime number.



Example

The function f : Z_m → Z_n given by

f([x]_m) = [x]_n

is well defined if and only if m is divisible by n. Here [x]_m denotes the residue class of x modulo m; similarly for n.

4.2 Simultaneous linear congruences

An ancient Chinese problem: solve the simultaneous congruences

x ≡ 2 mod 3, x ≡ 3 mod 5, x ≡ 2 mod 7.

Solution. It is easier to solve the following analogous problems:

(1) x ≡ 1 mod 3, x ≡ 0 mod 5, x ≡ 0 mod 7.
(2) x ≡ 0 mod 3, x ≡ 1 mod 5, x ≡ 0 mod 7.
(3) x ≡ 0 mod 3, x ≡ 0 mod 5, x ≡ 1 mod 7.

For problem (1), we must have x ≡ 0 mod 35. Since 35 ≡ 2 mod 3, and 70 ≡ 1 mod 3, we may choose x_1 = 70 for a solution of the first problem.

Similarly, for problem (2), x ≡ 0 mod 21. Since 21 ≡ 1 mod 5, we may choose x_2 = 21 for a solution of the second problem.

For problem (3), x ≡ 0 mod 15, and we may choose x_3 = 15 for a solution.

Using these, we can find a solution to the original problem: x = 2x_1 + 3x_2 + 2x_3 = 233. Since the least common multiple of 3, 5, 7 is 105, we may reduce this modulo 105, and obtain x ≡ 23 mod 105 for the solution.

Theorem 4.2 (Chinese Remainder Theorem). Let n_1, n_2, . . . , n_k be pairwise relatively prime integers. For arbitrary integers a_1, a_2, . . . , a_k, the system of simultaneous congruences

x ≡ a_1 mod n_1, x ≡ a_2 mod n_2, . . . , x ≡ a_k mod n_k,

has a unique solution modulo n_1 n_2 · · · n_k.

Proof. For each i = 1, 2, . . . , k, the system of simultaneous linear congruences

x ≡ 0 mod n_1, . . . , x ≡ 1 mod n_i, . . . , x ≡ 0 mod n_k,

has a unique solution x_i mod n_1 n_2 · · · n_i · · · n_k (as in problems (1)–(3) above). The original problem has solution x ≡ a_1 x_1 + · · · + a_k x_k mod n_1 n_2 · · · n_k.
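The construction in the proof, as an added example (my code, not the notes'): crt_basis computes the solutions x_i of the "analogous problems" by inverting N/n_i modulo n_i with the extended Euclidean algorithm of Chapter 1, and crt assembles a_1 x_1 + · · · + a_k x_k and reduces it modulo the product. reduction_well_defined is a brute-force check of the Example on [x]_m ↦ [x]_n. Function names are mine; the check for pairwise coprime moduli is the precondition of Theorem 4.2.

```python
from math import gcd, prod


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b) (Euclidean algorithm of Chapter 1)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b != 0:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, n):
    """The b with ab = 1 mod n; it exists exactly when gcd(a, n) = 1 (Theorem 4.1)."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} is not a unit modulo {n}")
    return x % n


def crt_basis(moduli):
    """x_i with x_i = 1 mod n_i and x_i = 0 mod n_j for j != i: the 'analogous problems'."""
    N = prod(moduli)
    basis = []
    for n_i in moduli:
        N_i = N // n_i                         # divisible by every other modulus
        basis.append(N_i * mod_inverse(N_i, n_i))
    return basis


def crt(residues, moduli):
    """Solve x = a_i mod n_i for pairwise coprime moduli; the result is reduced modulo their product."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    N = prod(moduli)
    return sum(a * x for a, x in zip(residues, crt_basis(moduli))) % N


def reduction_well_defined(m, n):
    """Brute-force check of the Example: [x]_m -> [x]_n is well defined iff n divides m."""
    return all(x % n == (x + m) % n for x in range(m))


if __name__ == "__main__":
    # the ancient Chinese problem: x = 2 mod 3, x = 3 mod 5, x = 2 mod 7
    print(crt_basis([3, 5, 7]), crt([2, 3, 2], [3, 5, 7]))   # [70, 21, 15] and 23
```

For the moduli 3, 5, 7 the basis comes out as 70, 21, 15, exactly the x_1, x_2, x_3 chosen by hand above, and 2 · 70 + 3 · 21 + 2 · 15 = 233 ≡ 23 mod 105.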



4.3 Exercises

1. Solve the congruences

(a) 3x ≡ 5 (mod 7); (b) 4x ≡ 12 (mod 16); (c) 4x ≡ 10 (mod 24).

2. Find all residues modulo 12 which have multiplicative inverses.

3. Compute 2^1092 mod 1093 and 2^1092 mod 1093^2.

4. Show that every nonzero element of Z_n is a unit if and only if n is a prime number.

5. Solve the equation 1! + 2! + 3! + · · · + n! = m^2 for positive integers m and n.

6. Counting from the right end, what is the 2500th digit of 10,000!?

7. An army has about 20,000 soldiers. If the soldiers line up 7 by 7, there is an incomplete line of 6 soldiers; if they line up 11 by 11, there is an incomplete line of 4; if they line up 13 by 13, there is also an incomplete line of 4; if they line up 17 by 17, there is an incomplete line of 13. How many soldiers are there in the army?




Chapter 5

The Euler ϕ-function

For a positive integer n, the Euler ϕ-function ϕ(n) gives the number of units in Z_n. This is the order of the group Z_n^• of units of Z_n.

Theorem 5.1. ϕ is a multiplicative function, i.e.,

ϕ(mn) = ϕ(m)ϕ(n) if gcd(m,n) = 1.

Proof. The function F : Z_{mn} → Z_m × Z_n given by

F([x]_{mn}) = ([x]_m, [x]_n)

restricts to a bijection Z_{mn}^• → Z_m^• × Z_n^•.

Lemma 5.2. Let p be a prime.
(a) ϕ(p) = p − 1.
(b) ϕ(p^k) = p^k (1 − 1/p).

Proposition 5.3.

ϕ(n) = n ∏_{p|n} (1 − 1/p).

ϕ(10i + j) for 0 ≤ i, j ≤ 9

i \ j    0    1    2    3    4    5    6    7    8    9
  0      -    1    1    2    2    4    2    6    4    6
  1      4   10    4   12    6    8    8   16    6   18
  2      8   12   10   22    8   20   12   18   12   28
  3      8   30   16   20   16   24   12   36   18   24
  4     16   40   12   42   20   24   22   46   16   42
  5     20   32   24   52   18   40   24   36   28   58
  6     16   60   30   36   32   48   20   66   32   44
  7     24   70   24   72   36   40   36   60   24   78
  8     32   54   40   82   24   64   42   56   40   88
  9     24   72   44   60   46   72   32   96   42   60



Example 5.1. We find all integers n for which ϕ(n) = 24.

If p is a prime divisor of n, p − 1 must be a divisor of 24. This means p must be one of 2, 3, 5, 7, 13.

If n is not divisible by any of 5, 7, 13, then n = 2^a 3^b for some integers a and b, and ϕ(n) = 2^a 3^b (1 − 1/2)(1 − 1/3) = 2^a 3^{b−1}. From this, a = 3, b = 2, and n = 2^3 · 3^2 = 72.

If n is divisible by any of p = 5, 7, 13, n = pm, p ∤ m. From this, 24 = ϕ(p)ϕ(m) = (p − 1)ϕ(m).
If p = 5, ϕ(m) = 6, m = 7, 9, 14, 18, n = 35, 45, 70, 90.
If p = 7, ϕ(m) = 4, m = 5, 8, 10, 12, n = 35, 56, 70, 84.
If p = 13, ϕ(m) = 2, m = 3, 4, 6, n = 39, 52, 78.

Summary: ϕ(n) = 24 if and only if n is one of the numbers

35, 39, 45, 52, 56, 70, 72, 78, 84, 90.

Example 5.2. We find all integers n for which ϕ(n) divides n.

Clearly, n must be even, and every power of 2 satisfies the condition. Write n = 2^r k for r ≥ 1 and k > 1 odd. Then ϕ(n) = 2^{r−1} ϕ(k). If k has l distinct prime divisors, then ϕ(k) is divisible by 2^l (each odd prime p dividing k contributes the even factor p − 1), and ϕ(n) is divisible by 2^{r+l−1}. From this, we must have l = 1, and k = p^s for an odd prime p. Now, ϕ(n) = 2^r p^{s−1} · (p − 1)/2. If this divides n, we must have (p − 1)/2 dividing the prime p. This is possible only when p = 3. It follows that n = 2^r · 3^s.

5.1 Exercises

1. (a) Find all integers n for which ϕ(n) is an odd number.

(b) Find all n for which ϕ(n) = 2, 4, 6.

2. (a) Prove that if f(n) is a multiplicative function, then so is F(n) := Σ_{d|n} f(d).
(b) Make use of (a) to prove that Σ_{d|n} ϕ(d) = n.


Chapter 6

Fermat-Euler theorem

Theorem 6.1 (Fermat-Euler). If gcd(a, n) = 1, a^{ϕ(n)} ≡ 1 mod n.

Proof. The function f_a : Z_n → Z_n given by f_a([x]) = [ax] induces a bijection Z_n^• → Z_n^•. This means that if x_1, . . . , x_{ϕ(n)} are the elements of Z_n^•, then [ax_1], . . . , [ax_{ϕ(n)}] is a permutation of the same ϕ(n) elements. In other words,

[ax_1] · · · [ax_{ϕ(n)}] = [x_1] · · · [x_{ϕ(n)}],

or

(a^{ϕ(n)} − 1) x_1 · · · x_{ϕ(n)} ≡ 0 mod n.

Since each of x_1, . . . , x_{ϕ(n)} is relatively prime to n, it follows that a^{ϕ(n)} − 1 ≡ 0 mod n.

Corollary 6.2 (Fermat’s Little Theorem). Let p be a prime, and a an integer. If p does not divide a, then a^{p−1} ≡ 1 mod p.

6.1 Primality test for Mersenne numbers

A Mersenne number is one of the form M_k := 2^k − 1. A Mersenne prime gives rise to an even perfect number (see §3.6).

Theorem 6.3 (Fermat). If p is prime, then every prime divisor of M_p := 2^p − 1 is of the form 2pk + 1 for some integer k.

Example 6.1. (a) To test the primality of M_11 = 2^11 − 1 = 2047, we try to find divisors of M_11 of the form 22k + 1. For k = 1, it can be easily checked that 2047 = 23 · 89. (The other divisor 89 = 22 · 4 + 1.)

(b) To test the primality of M_13 = 2^13 − 1 = 8191, we need only check prime divisors of the form 26k + 1 which are less than 90. These are 53 and 79. None of these divides 8191. We conclude that M_13 is prime.
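The test of Example 6.1, as an added example (my code, not the notes'): Theorem 6.3 restricts the possible prime divisors of M_p to the arithmetic progression 2pk + 1, and a divisor, if one exists, can be taken below √M_p, so only the primes of that form up to √M_p need to be tried. candidate_divisors lists them and mersenne_factor performs the trial divisions; it assumes a prime exponent, as the theorem does.

```python
from math import isqrt


def is_prime(n):
    """Trial division; adequate for the small candidates used here."""
    if n < 2:
        return False
    for q in range(2, isqrt(n) + 1):
        if n % q == 0:
            return False
    return True


def mersenne(p):
    """M_p = 2^p - 1."""
    return 2 ** p - 1


def candidate_divisors(p):
    """Primes of the form 2pk + 1 (k >= 1) not exceeding sqrt(M_p)."""
    if not is_prime(p):
        raise ValueError("Theorem 6.3 needs a prime exponent")
    bound = isqrt(mersenne(p))
    return [q for q in range(2 * p + 1, bound + 1, 2 * p) if is_prime(q)]


def mersenne_factor(p):
    """Smallest prime divisor of M_p among the candidates, or None when M_p is prime."""
    m = mersenne(p)
    for q in candidate_divisors(p):
        if m % q == 0:
            return q
    return None


if __name__ == "__main__":
    for p in (11, 13):
        print(p, candidate_divisors(p), mersenne_factor(p))
    # 11 [23] 23      (2047 = 23 * 89)
    # 13 [53, 79] None (8191 is prime)
```

For p = 13 the candidates are exactly 53 and 79: 27 = 26 · 1 + 1 is dropped because it is not prime, and 105 already exceeds √8191 ≈ 90.5.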



6.2 Pseudoprimes

The converse of Fermat’s little theorem is not true. If 2^{p−1} ≡ 1 (mod p), one cannot conclude that p is a prime. Here is an example: p = 341 = 11 × 31 is composite, but 2^{340} ≡ 1 mod 341. A composite n is called a pseudoprime to base b if b^{n−1} ≡ 1 (mod n).
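The Fermat test and its failure on 341, as an added example that is not part of the notes: mod_pow is the repeated-squaring exponentiation of §2.2.1 (it keeps every intermediate below n², which is what makes b^{n−1} mod n cheap even for large n), fermat_test_passes is the test that a prime must pass, and pseudoprimes lists the composites below a limit that pass it to a given base. Names are mine; the trial-division is_prime is only there to confirm compositeness.

```python
from math import isqrt


def mod_pow(base, exponent, modulus):
    """base^exponent mod modulus by repeated squaring along the binary expansion of the exponent."""
    result = 1
    base %= modulus
    while exponent > 0:
        if exponent & 1:                 # current binary digit is 1: multiply in this power
            result = result * base % modulus
        base = base * base % modulus     # square for the next binary digit
        exponent >>= 1
    return result


def is_prime(n):
    """Trial division; fine for the small n used in this example."""
    if n < 2:
        return False
    return all(n % q for q in range(2, isqrt(n) + 1))


def fermat_test_passes(n, b):
    """b^(n-1) = 1 mod n: necessary for a prime n not dividing b, but not sufficient."""
    return n > 1 and mod_pow(b, n - 1, n) == 1


def is_pseudoprime(n, b):
    """A composite n passing the Fermat test to base b."""
    return fermat_test_passes(n, b) and not is_prime(n)


def pseudoprimes(b, limit):
    """All pseudoprimes to base b up to limit."""
    return [n for n in range(2, limit + 1) if is_pseudoprime(n, b)]


if __name__ == "__main__":
    print(mod_pow(2, 340, 341), pseudoprimes(2, 400))   # 1 [341]
    print(mod_pow(3, 340, 341))                          # not 1: base 3 exposes 341
```

The last line illustrates why practical primality tests use several bases: 341 passes to base 2 but fails to base 3. (Some composites pass to every coprime base, which is why Fermat testing alone is not a proof of primality.)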

6.3 Exercises

1. Check that M_17 = 131071 and M_19 = 524287 are primes.

2. Find a prime divisor of M_23 = 8388607.

3. Find a prime divisor of M_29 = 536870911.

4. Consider M_47 = 2^47 − 1 = 140737488355327. The beginning primes of the form 94k + 1 are

283, 659, 941, 1129, 1223, 1693, 1787, 2069,
2351, 2539, 2633, 3761, 4231, 4513, 4889, . . . .

(a) Find two prime divisors of M_47 from this list.
(b) Completely factorize M_47.

5. Show that 561 is a 2-pseudoprime.

6. Show that 1729 is a 2- and 3-pseudoprime.



Appendix: Mersenne primes

k          Year   Discoverer
2          Ancient
3          Ancient
5          Ancient
7          Ancient
13         Ancient
17         1588   P. A. Cataldi
19         1588   P. A. Cataldi
31         1750   L. Euler
61         1883   I. M. Pervushin
89         1911   R. E. Powers
107        1913   E. Fauquembergue
127        1876   E. Lucas
521        1952   R. M. Robinson
607        1952   R. M. Robinson
1279       1952   R. M. Robinson
2203       1952   R. M. Robinson
2281       1952   R. M. Robinson
3217       1957   H. Riesel
4253       1961   A. Hurwitz
4423       1961   A. Hurwitz
9689       1963   D. B. Gillies
9941       1963   D. B. Gillies
11213      1963   D. B. Gillies
19937      1971   B. Tuckerman
21701      1978   C. Noll, L. Nickel
23209      1979   C. Noll
44497      1979   H. Nelson, D. Slowinski
86243      1982   D. Slowinski
110503     1988   W. N. Colquitt, L. Welsch
132049     1983   D. Slowinski
216091     1985   D. Slowinski
756839     1992   D. Slowinski, P. Gage
859433     1993   D. Slowinski
1257787    1996   Slowinski and Gage
1398269    1996   Armengaud, Woltman et al.
2976221    1997   Spence, Woltman et al.
3021377    1998   Clarkson et al.
6972593    1999   Hajratwala et al.
13466917   2001   Cameron, Woltman
20996011   2003   Michael Shafer
24036583   2004   Findlay
25964951   2005   Nowak
30402457   2005   Cooper, Boone et al.
32582657   2006   Cooper, Boone et al.
37156667   2008   Elvenich, Woltman et al.
42643801   2009   Strindmo, Woltman et al.
43112609   2008   Smith, Woltman et al.
57885161   2013

The most recently discovered Mersenne prime M_{57885161} has about 17.4 million digits, and is the largest known prime.

Appendix: Wilson’s theorem

Theorem 6.4 (Wilson). If p is prime, then (p− 1)! ≡ −1 mod p.

Proof. Since the statement is trivially true for p = 2, we shall assume p an odd prime. Consider the product of all the nonzero elements of Z_p. This is clearly 1 · 2 · · · (p − 1) = (p − 1)!. Apart from x = ±1, the remaining p − 3 elements can be grouped into pairs of multiplicative inverses. Since each pair of multiplicative inverses multiply to 1, we have

(p − 1)! = 1 · (−1) · 1^{(p−3)/2} = −1 ∈ Z_p.

This means (p − 1)! ≡ −1 mod p.

Remark. The converse of Wilson’s theorem is also true: If n is composite and n = ab for relatively prime divisors a, b > 1, then n = ab divides (n − 1)!, and (n − 1)! ≡ 0 mod n. It remains to consider n = p^k for a prime number p and k > 1.



The base p expansion of n − 1 = p^k − 1 consists of k digits each of which is p − 1. Therefore, the exponent of the highest power of p dividing (n − 1)! is

(p^k − 1 − k(p − 1))/(p − 1) = p^{k−1} + p^{k−2} + · · · + 1 − k ≥ k

except when p = 2 and k = 2. This means that (n − 1)! ≡ 0 mod n except when p = 2 and k = 2, in which case we have 3! ≡ 2 mod 4.
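Wilson's theorem and the converse proved in the Remark, checked numerically as an added example (my code, not the notes'): the factorial is reduced modulo n at every step so the numbers stay small, and the classification function shows the three possible residues of (n − 1)! mod n: n − 1 for primes, 2 for the single exception n = 4, and 0 for every other composite. Function names are mine.

```python
def factorial_mod(n, modulus):
    """n! mod modulus, reducing after every multiplication."""
    r = 1
    for k in range(2, n + 1):
        r = r * k % modulus
    return r


def wilson_residue(n):
    """(n - 1)! mod n."""
    return factorial_mod(n - 1, n)


def is_prime_by_wilson(n):
    """Theorem 6.4 with its converse: n > 1 is prime iff (n - 1)! = -1 mod n."""
    return n > 1 and wilson_residue(n) == n - 1


def wilson_classification(limit):
    """Map n -> (n - 1)! mod n for 2 <= n <= limit. Primes give n - 1; composites give 0, except 4 gives 2."""
    return {n: wilson_residue(n) for n in range(2, limit + 1)}


if __name__ == "__main__":
    table = wilson_classification(30)
    print({n: r for n, r in table.items() if r not in (0, n - 1)})   # {4: 2}
    print([n for n in table if is_prime_by_wilson(n)])                # primes up to 30
```

As a primality test this is hopeless in practice: computing (n − 1)! mod n costs n − 2 multiplications, against the O(log n) squarings of the Fermat test, which is why the converse of Wilson is a theoretical statement rather than an algorithm.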


Chapter 7

Pythagorean Triangles

7.1 Construction of Pythagorean triangles

By a Pythagorean triangle we mean a right triangle whose side lengths are integers. Any common divisor of two of the side lengths is necessarily a divisor of the third. We shall call a Pythagorean triangle primitive if no two of its sides have a common divisor. Let (a, b, c) be one such triangle. From the relation a^2 + b^2 = c^2, we make the following observations.

1. Exactly two of a, b, c are odd, and the third is even.

2. In fact, the even number must be one of a and b. For if c is even, then a and b are both odd. Writing a = 2h + 1 and b = 2k + 1, we have

c^2 = (2h + 1)^2 + (2k + 1)^2 = 4(h^2 + k^2 + h + k) + 2.

This is a contradiction since c^2 must be divisible by 4.

3. We shall assume a odd and b even, and rewrite the Pythagorean relation in the form

((c + a)/2) · ((c − a)/2) = (b/2)^2.

Note that the integers (c + a)/2 and (c − a)/2 are relatively prime, for any common divisor of these two numbers would be a common divisor of c and a. Consequently, each of (c + a)/2 and (c − a)/2 is a square.

4. Writing (c + a)/2 = u^2 and (c − a)/2 = v^2, we have c = u^2 + v^2 and a = u^2 − v^2. From these, b = 2uv.

5. Since c and a are both odd, u and v are of different parity.

We summarize this in the following theorem.

Theorem 7.1. The side lengths of a primitive Pythagorean triangle are of the form u^2 − v^2, 2uv, and u^2 + v^2 for relatively prime integers u and v of different parity.



7.2 Fermat Last Theorem for n = 4

Theorem 7.2 (Fermat). The area of a Pythagorean triangle cannot be a square.

Proof. Suppose to the contrary there is one such triangle, which we may assume primitive, with side lengths (u^2 − v^2, 2uv, u^2 + v^2), u, v being relatively prime of different parity. The area A = uv(u^2 − v^2) being a square, and no two of u, v, u^2 − v^2 sharing common divisors, each of these numbers must be a square. We write u = a^2, v = b^2 so that u^2 − v^2 = a^4 − b^4 is also a square. Since a^4 − b^4 = (a^2 − b^2)(a^2 + b^2) and the two factors are relatively prime, we must have a^2 − b^2 = r^2 and a^2 + b^2 = s^2 for some integers r and s. From these, 2a^2 = r^2 + s^2 and

(2a)^2 = 2(r^2 + s^2) = (r + s)^2 + (r − s)^2.

Thus, we have a new Pythagorean triangle (r − s, r + s, 2a). This is a Pythagorean triangle whose area is the square of an integer: (1/2)(r − s)(r + s) = (1/2)(r^2 − s^2) = b^2.

But it is a smaller triangle since b^2 = v is a proper divisor of A = uv(u^2 − v^2). By descent, beginning with one Pythagorean triangle with square area, we obtain an infinite sequence of Pythagorean triangles with decreasing areas, each of which is a square integer; a contradiction.

Corollary 7.3 (Fermat Last Theorem for n = 4). The equation x^4 + y^4 = z^4 does not have solutions in nonzero integers.

Proof. Suppose x^4 + y^4 = z^4 for positive integers x, y, z. The Pythagorean triangle with sides z^4 − y^4, 2z^2y^2 and z^4 + y^4 has a square area

z^2y^2(z^4 − y^4) = z^2y^2x^4 = (x^2yz)^2,

a contradiction.

Remark. This proof actually shows that the equation x^2 + y^4 = z^4 has no solution in nonzero integers.

7.3 Fermat’s construction of primitive Pythagorean triangles with consecutive legs

Let a, b, c be the lengths of the sides of a right triangle, c the hypotenuse. Figures (a) and (b) below, together with the Pythagorean theorem, give the following two relations

(a + b − c)^2 = 2(c − a)(c − b),    (7.1)

(a + b + c)^2 = 2(c + a)(c + b).    (7.2)



[Figures: (a) a, b, c from c − a and c − b, a right triangle dissected into pieces of sides c − a, c − b and a + b − c; (b) a, b, c from c + a and c + b, the corresponding dissection with the sides a, b, c extended.]

Beginning with a right triangle (a, b, c), we construct a new right triangle (a′, b′, c′) with c′ − a′ = c + b and c′ − b′ = c + a. By a comparison of (7.1) and (7.2), we have a′ + b′ − c′ = a + b + c. From these,

a′ = 2a + b + 2c,
b′ = a + 2b + 2c,
c′ = 2a + 2b + 3c.

Note that b′ − a′ = b − a. This construction therefore leads to an infinite sequence of integer right triangles with constant difference of legs. In particular, beginning with (3, 4, 5), we obtain the sequence

(3, 4, 5), (20, 21, 29), (119, 120, 169), (696, 697, 985), . . .

of Pythagorean triangles with legs differing by 1.

This construction gives all such Pythagorean triangles. Note that the above construction is invertible: from a right triangle (a′, b′, c′) one can construct a smaller one (a, b, c) with the same difference between the legs. More precisely,

a = 2a′ + b′ − 2c′,
b = a′ + 2b′ − 2c′,    (7.3)
c = −2a′ − 2b′ + 3c′.

Since a + b + c = a′ + b′ − c′ < a′ + b′ + c′, this inverse construction does yield a smaller triangle. However, it certainly cannot lead to an infinite strictly decreasing sequence of integer right triangles. Now, a = 2a′ + b′ − 2c′ must be a positive integer. Using the Pythagorean theorem, it is easy to deduce from 2a′ + b′ > 2c′ that 4a′ > 3b′, or



a′ > 3(b′ − a′). This means that from every Pythagorean triangle with legs differing by 1, there is a descent, by repeated applications of (7.3), to a minimal integer right triangle with shortest side not exceeding 3. It is clear that there is only one such triangle, namely, (3, 4, 5). This therefore shows that the above construction actually gives all Pythagorean triangles with consecutive legs.
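Theorem 7.1 and Fermat's construction of §7.3 in code, as an added example that is not from the notes: primitive_triples enumerates (u² − v², 2uv, u² + v²) over coprime u > v of different parity, fermat_next and fermat_prev are the forward map and its inverse (7.3), and descend carries out the descent argued above, stopping when the shortest side is at most 3. Function names are mine.

```python
from math import gcd


def primitive_triples(max_c):
    """All primitive Pythagorean triangles with c <= max_c, via Theorem 7.1, in order of (u, v)."""
    triples, u = [], 2
    while u * u + 1 <= max_c:
        for v in range(1, u):
            if (u - v) % 2 == 1 and gcd(u, v) == 1 and u * u + v * v <= max_c:
                triples.append((u * u - v * v, 2 * u * v, u * u + v * v))
        u += 1
    return triples


def is_primitive_pythagorean(a, b, c):
    """a^2 + b^2 = c^2 with no common divisor of the three sides."""
    return a * a + b * b == c * c and gcd(gcd(a, b), c) == 1


def fermat_next(t):
    """(a, b, c) -> (2a + b + 2c, a + 2b + 2c, 2a + 2b + 3c); the leg difference b - a is preserved."""
    a, b, c = t
    return (2 * a + b + 2 * c, a + 2 * b + 2 * c, 2 * a + 2 * b + 3 * c)


def fermat_prev(t):
    """The inverse map (7.3)."""
    a, b, c = t
    return (2 * a + b - 2 * c, a + 2 * b - 2 * c, -2 * a - 2 * b + 3 * c)


def consecutive_leg_triangles(count):
    """The first `count` Pythagorean triangles with legs differing by 1, starting from (3, 4, 5)."""
    seq = [(3, 4, 5)]
    while len(seq) < count:
        seq.append(fermat_next(seq[-1]))
    return seq


def descend(t):
    """Apply (7.3) until the shortest side is at most 3; for consecutive legs this ends at (3, 4, 5)."""
    while min(t) > 3:
        smaller = fermat_prev(t)
        if smaller[0] <= 0:            # guard: (7.3) only descends on genuine right triangles
            break
        t = smaller
    return t


if __name__ == "__main__":
    print(consecutive_leg_triangles(4))   # (3,4,5), (20,21,29), (119,120,169), (696,697,985)
    print(descend((696, 697, 985)))       # (3, 4, 5)
    print(primitive_triples(30))
```

Every entry of the appendix table of primitive triples below 1000 is produced by primitive_triples(1000); for instance the row (29, 12) gives (697, 696, 985), the fourth triangle of the consecutive-leg sequence with its legs in the other order.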



Appendix: Primitive Pythagorean triples < 1000

Each entry reads (m, n): a, b, c with a = m^2 − n^2, b = 2mn, c = m^2 + n^2.

(2,1): 3,4,5 | (3,2): 5,12,13 | (4,1): 15,8,17 | (4,3): 7,24,25
(5,2): 21,20,29 | (5,4): 9,40,41 | (6,1): 35,12,37 | (6,5): 11,60,61
(7,2): 45,28,53 | (7,4): 33,56,65 | (7,6): 13,84,85 | (8,1): 63,16,65
(8,3): 55,48,73 | (8,5): 39,80,89 | (8,7): 15,112,113 | (9,2): 77,36,85
(9,4): 65,72,97 | (9,8): 17,144,145 | (10,1): 99,20,101 | (10,3): 91,60,109
(10,7): 51,140,149 | (10,9): 19,180,181 | (11,2): 117,44,125 | (11,4): 105,88,137
(11,6): 85,132,157 | (11,8): 57,176,185 | (11,10): 21,220,221 | (12,1): 143,24,145
(12,5): 119,120,169 | (12,7): 95,168,193 | (12,11): 23,264,265 | (13,2): 165,52,173
(13,4): 153,104,185 | (13,6): 133,156,205 | (13,8): 105,208,233 | (13,10): 69,260,269
(13,12): 25,312,313 | (14,1): 195,28,197 | (14,3): 187,84,205 | (14,5): 171,140,221
(14,9): 115,252,277 | (14,11): 75,308,317 | (14,13): 27,364,365 | (15,2): 221,60,229
(15,4): 209,120,241 | (15,8): 161,240,289 | (15,14): 29,420,421 | (16,1): 255,32,257
(16,3): 247,96,265 | (16,5): 231,160,281 | (16,7): 207,224,305 | (16,9): 175,288,337
(16,11): 135,352,377 | (16,13): 87,416,425 | (16,15): 31,480,481 | (17,2): 285,68,293
(17,4): 273,136,305 | (17,6): 253,204,325 | (17,8): 225,272,353 | (17,10): 189,340,389
(17,12): 145,408,433 | (17,14): 93,476,485 | (17,16): 33,544,545 | (18,1): 323,36,325
(18,5): 299,180,349 | (18,7): 275,252,373 | (18,11): 203,396,445 | (18,13): 155,468,493
(18,17): 35,612,613 | (19,2): 357,76,365 | (19,4): 345,152,377 | (19,6): 325,228,397
(19,8): 297,304,425 | (19,10): 261,380,461 | (19,12): 217,456,505 | (19,14): 165,532,557
(19,16): 105,608,617 | (19,18): 37,684,685 | (20,1): 399,40,401 | (20,3): 391,120,409
(20,7): 351,280,449 | (20,9): 319,360,481 | (20,11): 279,440,521 | (20,13): 231,520,569
(20,17): 111,680,689 | (20,19): 39,760,761 | (21,2): 437,84,445 | (21,4): 425,168,457
(21,8): 377,336,505 | (21,10): 341,420,541 | (21,16): 185,672,697 | (21,20): 41,840,841
(22,1): 483,44,485 | (22,3): 475,132,493 | (22,5): 459,220,509 | (22,7): 435,308,533
(22,9): 403,396,565 | (22,13): 315,572,653 | (22,15): 259,660,709 | (22,17): 195,748,773
(22,19): 123,836,845 | (22,21): 43,924,925 | (23,2): 525,92,533 | (23,4): 513,184,545
(23,6): 493,276,565 | (23,8): 465,368,593 | (23,10): 429,460,629 | (23,12): 385,552,673
(23,14): 333,644,725 | (23,16): 273,736,785 | (23,18): 205,828,853 | (23,20): 129,920,929
(24,1): 575,48,577 | (24,5): 551,240,601 | (24,7): 527,336,625 | (24,11): 455,528,697
(24,13): 407,624,745 | (24,17): 287,816,865 | (24,19): 215,912,937 | (25,2): 621,100,629
(25,4): 609,200,641 | (25,6): 589,300,661 | (25,8): 561,400,689 | (25,12): 481,600,769
(25,14): 429,700,821 | (25,16): 369,800,881 | (25,18): 301,900,949 | (26,1): 675,52,677
(26,3): 667,156,685 | (26,5): 651,260,701 | (26,7): 627,364,725 | (26,9): 595,468,757
(26,11): 555,572,797 | (26,15): 451,780,901 | (26,17): 387,884,965 | (27,2): 725,108,733
(27,4): 713,216,745 | (27,8): 665,432,793 | (27,10): 629,540,829 | (27,14): 533,756,925
(27,16): 473,864,985 | (28,1): 783,56,785 | (28,3): 775,168,793 | (28,5): 759,280,809
(28,9): 703,504,865 | (28,11): 663,616,905 | (28,13): 615,728,953 | (29,2): 837,116,845
(29,4): 825,232,857 | (29,6): 805,348,877 | (29,8): 777,464,905 | (29,10): 741,580,941
(29,12): 697,696,985 | (30,1): 899,60,901 | (30,7): 851,420,949 | (31,2): 957,124,965
(31,4): 945,248,977 | (31,6): 925,372,997




Chapter 8

Homogeneous quadratic equations in 3 variables

8.1 Pythagorean triangles revisited

A primitive Pythagorean triangle (a, b, c) corresponds to a point (x, y) = (a/c, b/c) in the first quadrant on the unit circle

x^2 + y^2 = 1.

Every rational point on the unit circle can be expressed in terms of the slope of the line joining the point to a fixed point, say P = (−1, 0) on the circle. Thus, solving the equations

y = t(x + 1),
x^2 + y^2 = 1,

simultaneously, we obtain (x, y) = (−1, 0) = P or

(x, y) = P(t) = ((1 − t^2)/(1 + t^2), 2t/(1 + t^2)).

This is a point in the first quadrant if and only if 0 < t < 1. By putting t = q/p for relatively prime integers p > q, we obtain ((p^2 − q^2)/(p^2 + q^2), 2pq/(p^2 + q^2)). It follows that the side lengths of a primitive Pythagorean triangle can be written in the form

(a, b, c) = (1/g)(p^2 − q^2, 2pq, p^2 + q^2)

for a suitable choice of p and q. Here,

g = gcd(p^2 − q^2, 2pq) = gcd(p^2 − q^2, 2) = gcd(p − q, 2).



To avoid repetition of representing a primitive Pythagorean triangle by both (x, y) and (y, x) in the first quadrant, we note that

((1 − t^2)/(1 + t^2), 2t/(1 + t^2)) = (2s/(1 + s^2), (1 − s^2)/(1 + s^2))

if and only if s = (1 − t)/(1 + t). Thus, the rational numbers t = q/p and s = q′/p′ = (p − q)/(p + q) represent the same primitive Pythagorean triangle. Note that gcd(p − q, 2) = 1 if and only if gcd(p′ − q′, 2) = 2. Thus, we may always restrict p and q to different parity.

8.2 Rational points on a conic

The method in the preceding section applies to a general (nonsingular) homoge-neous equation in 3 variables, or after dehomogenization, to a nonsingular conic inthe Cartesian plane. Suppose a nonsingular conic f(x, y) = c contains a rationalpoint P = (x0, y0). Then by passing through P lines of rational slope t to intersectthe conic again, we obtain a parametrization of the rational points on the curve.

Proposition 8.1. (1) The rational solutions of x^2 − dy^2 = 1 can be parametrized in the form

(x, y) = ((1 + dt^2)/(1 − dt^2), 2t/(1 − dt^2)).

(2) The positive integer solutions of x^2 − dy^2 = z^2 can be parametrized in the form

(x, y, z) = (1/g)(p^2 + dq^2, 2pq, p^2 − dq^2),

where g = gcd(p^2 + dq^2, 2pq, p^2 − dq^2).

8.3 Integer triangles with a 60◦ angle

If triangle ABC has C = 60◦, then

c2 = a2 − ab+ b2. (8.1)

Integer triangles with a 60◦ angle therefore correspond to rational points in the firstquadrant on the curve

x2 − xy + y2 = 1. (8.2)

Note that the curve contains the point P = (−1, −1). By passing a line of rational slope t through P to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation y = −1 + t(x + 1). Solving this simultaneously with (8.2) we obtain (x, y) = (−1, −1) = P, and

(x, y) = ((2t − 1)/(t^2 − t + 1), t(2 − t)/(t^2 − t + 1)),

which is in the first quadrant if 1/2 < t ≤ 2. By symmetry, we may simply take 1/2 < t ≤ 1 to avoid repetition. Putting t = q/p for relatively prime integers p, q, and clearing denominators, we obtain

a = p(2q − p),
b = q(2p − q),
c = p^2 − pq + q^2,

with p/2 < q ≤ p.

gcd(a, b) = gcd(2pq − p^2, 2pq − q^2)
          = gcd((p − q)(p + q), q(2p − q))
          = gcd((p − q)(p + q), 2p − q)

since gcd(p − q, q) = gcd(p + q, q) = gcd(p, q) = 1. Now, gcd(p − q, 2p − q) = gcd(p − q, p) = 1 and gcd(p + q, 2p − q) = gcd(p + q, 3p) = gcd(p + q, 3). This gives gcd(a, b) = gcd(p + q, 3).

Proposition 8.2. The primitive integer triangles with a 60◦ angle are given by

(1/g)(p(2q − p), q(2p − q), p^2 − pq + q^2),

where p and q are relatively prime positive integers satisfying p/2 < q ≤ p and g = gcd(p + q, 3).

p q (a, b, c)

1 1 (1, 1, 1)

3 2 (3, 8, 7)

4 3 (8, 15, 13)

5 3 (5, 21, 19)

5 4 (5, 8, 7)

6 5 (24, 35, 31)

7 4 (7, 40, 37)

7 5 (7, 15, 13)

7 6 (35, 48, 43)

8 5 (16, 55, 49)

8 7 (16, 21, 19)

9 5 (9, 65, 61)

9 7 (45, 77, 67)

9 8 (63, 80, 73)

10 7 (40, 91, 79)

10 9 (80, 99, 91)



Exercise

A standard calculus exercise asks to cut equal squares of dimension x from the four corners of a rectangle of length a and breadth b so that the box obtained by folding along the creases has the greatest capacity.

[Figure: a rectangle of length a and breadth b with a square of side x removed from each corner.]

The answer to this problem is given by

x = (a + b − √(a^2 − ab + b^2))/6.

How should one choose relatively prime integers a and b so that the resulting x is an integer? For example, when a = 5, b = 8, x = 1. Another example is a = 16, b = 21 with x = 3.

8.4 Integer triangles with a 120◦ angle

If triangle ABC has C = 120◦, then

c2 = a2 + ab+ b2. (8.3)

Integer triangles with a 120◦ angle therefore correspond to rational points in the firstquadrant on the curve

x2 + xy + y2 = 1. (8.4)

Note that the curve contains the point Q = (−1, 0). By passing a line of rational slope t through Q to intersect the curve again, we obtain a parametrization of the rational points. Now, such a line has equation y = t(x + 1). Solving this simultaneously with (8.4) we obtain (x, y) = (−1, 0) = Q, and

Q(t) = ((1 − t^2)/(t^2 + t + 1), t(2 + t)/(t^2 + t + 1)),

which is in the first quadrant if 0 < t < 1. It is easy to check that Q(t) and Q((1 − t)/(1 + 2t)) are symmetric about the line y = x. To avoid repetition we may restrict to 0 < t < (√3 − 1)/2.



Putting t = q/p for relatively prime integers p, q satisfying q < ((√3 − 1)/2) p, and clearing denominators, we obtain

a = p^2 − q^2,
b = q(2p + q),
c = p^2 + pq + q^2,

with 0 < q < p. Note that

gcd(p^2 − q^2, q(2p + q)) = gcd((p + q)(p − q), q(2p + q))
                          = gcd((p + q)(p − q), 2p + q)
                          = gcd(p − q, 2p + q)
                          = gcd(p − q, 3p)
                          = gcd(p − q, 3).

Proposition 8.3. The primitive integer triangles with a 120◦ angle are given by

(1/g)(p^2 − q^2, q(2p + q), p^2 + pq + q^2),

where q < ((√3 − 1)/2) p are relatively prime positive integers and g = gcd(p − q, 3).
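The chord method of §8.1–8.4 in code, as an added example that is not from the notes and goes slightly beyond them: rather than solving each conic by hand, other_intersection takes a general conic Ax² + Bxy + Cy² + Dx + Ey + F = 0, a known rational point and a rational slope, substitutes the line and reads the second root off the sum of the roots of the resulting quadratic (exact Fraction arithmetic, no floating point). Clearing denominators then yields the integer triangles of Propositions 8.2 and 8.3 and the points of Proposition 8.1 on x² − dy² = 1. Names and the coefficient-tuple convention are mine; the curve (8.2) is symmetric in x and y, so for the 60° case the method returns the two coordinates in the opposite order to the display in the text, and table_60 swaps them back to the text's order.

```python
from fractions import Fraction
from math import gcd, lcm


def other_intersection(conic, point, t):
    """Second intersection of A x^2 + B xy + C y^2 + D x + E y + F = 0 with the line of slope t
    through the known rational point (x0, y0). With y = t x + k substituted, the x-coordinates of
    the two intersections are the roots of a quadratic whose sum is -lin/lead (Vieta)."""
    A, B, C, D, E, F = (Fraction(c) for c in conic)
    x0, y0 = Fraction(point[0]), Fraction(point[1])
    t = Fraction(t)
    k = y0 - t * x0                            # the line is y = t x + k
    lead = A + B * t + C * t * t               # coefficient of x^2
    if lead == 0:
        return None                            # the line meets the conic only once
    lin = B * k + 2 * C * t * k + D + E * t    # coefficient of x
    x1 = -lin / lead - x0                      # x0 + x1 = -lin/lead
    return (x1, t * x1 + k)


def rational_point(conic, point, q, p):
    """other_intersection with slope t = q/p, for integer q, p."""
    return other_intersection(conic, point, Fraction(q, p))


def integer_triangle(x, y):
    """Clear denominators of a first-quadrant rational point: (a, b, c) with x = a/c, y = b/c, gcd 1."""
    c = lcm(x.denominator, y.denominator)
    a, b = int(x * c), int(y * c)
    g = gcd(gcd(a, b), c)
    return (a // g, b // g, c // g)


UNIT_CIRCLE = (1, 0, 1, 0, 0, -1)   # x^2 + y^2 = 1,      base point P = (-1, 0)
CURVE_60 = (1, -1, 1, 0, 0, -1)     # x^2 - xy + y^2 = 1, (8.2), base point P = (-1, -1)
CURVE_120 = (1, 1, 1, 0, 0, -1)     # x^2 + xy + y^2 = 1, (8.4), base point Q = (-1, 0)


def triangle_60(p, q):
    x, y = rational_point(CURVE_60, (-1, -1), q, p)
    return integer_triangle(x, y)


def triangle_120(p, q):
    x, y = rational_point(CURVE_120, (-1, 0), q, p)
    return integer_triangle(x, y)


def table_60(max_p):
    """Primitive 60-degree triangles for p <= max_p, p/2 < q <= p, gcd(p, q) = 1 (Proposition 8.2)."""
    rows = []
    for p in range(1, max_p + 1):
        for q in range(p // 2 + 1, p + 1):
            if gcd(p, q) == 1:
                a, b, c = triangle_60(p, q)
                rows.append((p, q, (b, a, c)))   # swap to the (a, b) order of the text's table
    return rows


def table_120(max_p):
    """Primitive 120-degree triangles for p <= max_p, q < (sqrt(3) - 1)/2 * p, i.e. (2q + p)^2 < 3p^2."""
    rows = []
    for p in range(1, max_p + 1):
        for q in range(1, p):
            if (2 * q + p) ** 2 < 3 * p * p and gcd(p, q) == 1:
                rows.append((p, q, triangle_120(p, q)))
    return rows


def pell_point(d, q, p):
    """Rational point on x^2 - d y^2 = 1 from the base point (-1, 0) and slope q/p (Proposition 8.1)."""
    return rational_point((1, 0, -d, 0, 0, -1), (-1, 0), q, p)


if __name__ == "__main__":
    for p, q, tri in table_120(10):
        print(p, q, tri)               # reproduces the 120-degree table above
```

The None branch matters for conics with rational asymptotic directions: on x² − y² = 1 the line of slope 1 through (−1, 0) is parallel to an asymptote and never meets the hyperbola again, and the lead coefficient vanishes exactly in that case.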

p q (a, b, c)

3 1 (8, 7, 13)

4 1 (5, 3, 7)

5 1 (24, 11, 31)

6 1 (35, 13, 43)

7 1 (16, 5, 19)

7 2 (45, 32, 67)

8 1 (63, 17, 73)

9 1 (80, 19, 91)

9 2 (77, 40, 103)

10 1 (33, 7, 37)

10 3 (91, 69, 139)

Exercise

1. (a) Show that a number c is a sum of two consecutive squares if and only if 2c − 1 is a square.
(b) Suppose an integer triangle contains a 120◦ angle with its two arms differing by 1. Show that the length of the longest side is a sum of two consecutive squares.

2. It is known that the centroid of a triangle of sides a, b, c lies on its incircle ifand only if

5(a2 + b2 + c2) = 6(ab+ bc+ ca).

Find a parametrization of all such primitive triangles.


Chapter 9

Heron triangles

9.1 The Heron formula

Let $ABC$ be a triangle with sidelengths $BC = a$, $CA = b$, $AB = c$, and semiperimeter $s = \frac{1}{2}(a + b + c)$. If the incircle touches the sides $BC$, $CA$ and $AB$ respectively at $X$, $Y$, and $Z$,
$$AY = AZ = s - a, \qquad BX = BZ = s - b, \qquad CX = CY = s - c.$$

[Figure: triangle ABC with incircle centered at I touching BC, CA, AB at X, Y, Z; the tangent lengths s − a, s − b, s − c are marked.]

The radius $r$ of the incircle and the area $\triangle$ of the triangle are given by
$$r = \sqrt{\frac{(s - a)(s - b)(s - c)}{s}}, \qquad \triangle = \sqrt{s(s - a)(s - b)(s - c)}.$$
The latter one is the famous Heron formula. Explicitly in terms of $a, b, c$, it can be written as
$$\triangle^2 = \frac{1}{16}\left(2a^2b^2 + 2b^2c^2 + 2c^2a^2 - a^4 - b^4 - c^4\right). \tag{9.1}$$

Remark. The inradius of a right triangle is $r = s - c$.

Exercise
Given a positive integer $r$, determine all Pythagorean triangles with inradius $r$.

[Figure: right triangle ABC with its incircle of radius r; the tangent lengths s − a, s − b, s − c are marked.]

First consider the case of primitive Pythagorean triangles. The one with parameters $p > q$ (of different parity) has inradius $r = q(p - q)$. Note that $p - q$ must be odd, and $q$ does not contain any prime divisor of $p - q$. There are $2^k$ choices of $p - q$, where $k$ is the number of odd prime divisors of $r$. In particular, there is only one (primitive) Pythagorean triangle of inradius 1, which is the $(3, 4, 5)$ triangle.

9.2 Heron triangles

A Heron triangle is an integer triangle with integer area. Here are some fundamental facts about Heron triangles.

Proposition 9.1. (1) The semiperimeter of a Heron triangle is an integer. (2) The area of a Heron triangle is a multiple of 6.

Proof. It is enough to consider primitive Heron triangles, those whose sides are relatively prime.

(1) Note that modulo 16, each of $a^4, b^4, c^4$ is congruent to 0 or 1, according as the number is even or odd. To render in (9.1) the sum $2a^2b^2 + 2b^2c^2 + 2c^2a^2 - a^4 - b^4 - c^4 \equiv 0$ modulo 16, exactly two of $a, b, c$ must be odd. It follows that the perimeter of a Heron triangle must be an even number.

(2) Since $a, b, c$ are not all odd nor all even, and $s$ is an integer, at least one of $s - a$, $s - b$, $s - c$ is even. This means that $\triangle$ is even. We claim that at least one of $s$, $s - a$, $s - b$, $s - c$ must be a multiple of 3. If not, then modulo 3, these numbers are $+1$ or $-1$. Since $s = (s - a) + (s - b) + (s - c)$, modulo 3, this must be either $1 \equiv 1 + 1 + (-1)$ or $-1 \equiv 1 + (-1) + (-1)$. In each case the product $s(s - a)(s - b)(s - c) \equiv -1 \pmod 3$ cannot be a square. This justifies the claim that one of $s$, $s - a$, $s - b$, $s - c$, hence $\triangle$, must be a multiple of 3.

9.3 Construction of Heron triangles

Let $t_1 = \tan\frac{A}{2}$, $t_2 = \tan\frac{B}{2}$, and $t_3 = \tan\frac{C}{2}$. Since $\frac{A}{2} + \frac{B}{2} + \frac{C}{2} = \frac{\pi}{2}$, we have $t_1t_2 + t_2t_3 + t_3t_1 = 1$. If we construct a triangle with sides $\frac{1}{t_2} + \frac{1}{t_3}$, $\frac{1}{t_3} + \frac{1}{t_1}$, and $\frac{1}{t_1} + \frac{1}{t_2}$, then it has inradius 1 and area
$$\sqrt{\frac{1}{t_1} \cdot \frac{1}{t_2} \cdot \frac{1}{t_3}\left(\frac{1}{t_1} + \frac{1}{t_2} + \frac{1}{t_3}\right)} = \frac{1}{t_1t_2t_3}.$$
Writing $t_i = \frac{p_i}{q_i}$ for relatively prime integers $p_i, q_i$, $i = 1, 2, 3$, and magnifying the triangle by a factor $p_1p_2p_3$, we obtain a Heron triangle with sides
$$a = p_1(p_2q_3 + p_3q_2), \qquad b = p_2(p_3q_1 + p_1q_3), \qquad c = p_3(p_1q_2 + p_2q_1),$$
and area $p_1p_2p_3q_1q_2q_3$ and inradius $p_1p_2p_3$.

[Figure: triangle ABC with incircle centered at I touching BC, CA, AB at X, Y, Z; the tangent lengths q_1p_2p_3, p_1q_2p_3, p_1p_2q_3 and the inradius p_1p_2p_3 are marked.]

Note that these integers satisfy
$$p_1p_2q_3 + p_1q_2p_3 + q_1p_2p_3 = q_1q_2q_3,$$
or
$$\frac{p_3}{q_3} = \frac{q_1q_2 - p_1p_2}{p_1q_2 + p_2q_1}.$$

9.4 Heron triangles with sides in arithmetic progression

Consider a primitive Heron triangle with sides in arithmetic progression. By Proposition 9.1, the sidelengths are $2a - d$, $2a$, $2a + d$ for integers $a$ and $d$. The semiperimeter being $s = 3a$, we require $(3a)(a)(a + d)(a - d) = 3a^2(a^2 - d^2)$ to be a perfect square (so that the area is an integer). This means
$$a^2 - d^2 = 3b^2 \tag{9.2}$$
for an integer $b$. With $x := \frac{a}{d}$, $y := \frac{b}{d}$, we transform this condition into $x^2 - 3y^2 = 1$.

The Heron triangles with sides in arithmetic progression, therefore, correspond to the rational points in the first quadrant on the curve $x^2 - 3y^2 = 1$. Now, such rational points can be parametrized as
$$(x, y) = \left(\frac{1 + 3t^2}{1 - 3t^2},\ \frac{2t}{1 - 3t^2}\right), \qquad 0 < t < \frac{1}{\sqrt{3}}.$$
The integer solutions of (9.2) are therefore
$$a = p^2 + 3q^2, \qquad d = p^2 - 3q^2, \qquad b = 2pq$$
for relatively prime $p, q$ satisfying $p^2 > 3q^2$. This gives a Heron triangle $(2a - d,\ 2a,\ 2a + d;\ 3ab)$. In each case, we obtain a primitive Heron triangle by dividing the sidelengths by $g = \gcd(2a, d)$ (and correspondingly the area by $g^2$).

Here are the primitive Heron triangles with sides in A.P., generated by taking $p \le 7$:¹

 p   q   (a, b, c; △)
 2   1   (13, 14, 15; 84)
 3   1   (3, 4, 5; 6)
 4   1   (25, 38, 51; 456)
 5   1   (17, 28, 39; 210)
 5   2   (61, 74, 87; 2220)
 6   1   (15, 26, 37; 156)
 7   1   (29, 52, 75; 546)
 7   2   (85, 122, 159; 5124)
 7   3   (65, 76, 87; 2394)
 7   4   (193, 194, 195; 16296)

Exercise
Is there a Heron triangle whose sides are in geometric progression?
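The two conic parametrizations above (Proposition 8.3 for $x^2 + xy + y^2 = 1$, and this section's for $x^2 - 3y^2 = 1$) carried out in Python, as an added example that is not part of the notes; the function names are mine, and every generated triangle is checked against (8.3) or Heron's formula before it is returned.

```python
# Added example (not from Yiu's notes): integer triangles from the two
# conic parametrizations.  triangles_120() follows Proposition 8.3 (curve
# x^2 + xy + y^2 = 1) and heron_ap() follows 9.4 (curve x^2 - 3y^2 = 1).
from math import gcd


def is_120_triangle(a, b, c):
    """(8.3): the angle opposite c is 120 degrees iff c^2 = a^2 + ab + b^2."""
    return c * c == a * a + a * b + b * b


def is_heron(a, b, c, area):
    """Heron's formula in integers: 16 area^2 = (a+b+c)(-a+b+c)(a-b+c)(a+b-c)."""
    return 16 * area * area == (a + b + c) * (-a + b + c) * (a - b + c) * (a + b - c)


def triangles_120(pmax):
    """Primitive integer triangles with a 120-degree angle, by Proposition 8.3.

    Returns (p, q, (a, b, c)) for all coprime p, q with q < (sqrt(3)-1)/2 * p
    and p <= pmax.  The bound is tested exactly as (p + 2q)^2 < 3 p^2.
    """
    out = []
    for p in range(2, pmax + 1):
        for q in range(1, p):
            if gcd(p, q) != 1 or (p + 2 * q) ** 2 >= 3 * p * p:
                continue
            a, b, c = p * p - q * q, q * (2 * p + q), p * p + p * q + q * q
            g = gcd(p - q, 3)           # gcd(a, b) = gcd(p - q, 3), shown above
            tri = (a // g, b // g, c // g)
            assert is_120_triangle(*tri) and gcd(gcd(tri[0], tri[1]), tri[2]) == 1
            out.append((p, q, tri))
    return out


def heron_ap(pmax):
    """Primitive Heron triangles with sides in arithmetic progression (9.4).

    From a = p^2 + 3q^2, d = p^2 - 3q^2, b = 2pq we get the Heron triangle
    (2a - d, 2a, 2a + d; 3ab) and divide the sides by g = gcd(2a, d), the
    area by g^2.  Returns (p, q, (side, side, side, area)), p <= pmax.
    """
    out = []
    for p in range(2, pmax + 1):
        for q in range(1, p):
            if gcd(p, q) != 1 or p * p <= 3 * q * q:
                continue
            a, d, b = p * p + 3 * q * q, p * p - 3 * q * q, 2 * p * q
            g = gcd(2 * a, d)
            sides = ((2 * a - d) // g, 2 * a // g, (2 * a + d) // g)
            assert (3 * a * b) % (g * g) == 0
            area = 3 * a * b // (g * g)
            assert is_heron(*sides, area)
            out.append((p, q, sides + (area,)))
    return out


if __name__ == "__main__":
    for p, q, tri in triangles_120(10):
        print(f"p={p:2d} q={q:2d}  {tri}")
    for p, q, tri in heron_ap(7):
        print(f"p={p:2d} q={q:2d}  {tri}")
```

Run as a script it prints the two tables of this chapter row by row.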

9.5 Heron triangles with integer inradii

We determine all Heron triangles with a given positive integer $r$ as inradius. This is equivalent to the solution of
$$uvw = r^2(u + v + w) \tag{9.3}$$
in positive integers $u, v, w$. We shall assume $u \ge v \ge w$ (so that $A \le B \le C$). The Heron triangle in question has sides $a = v + w$, $b = w + u$, and $c = u + v$. We shall distinguish between three cases. In each case, we find appropriate bounds for $v$ and $w$ to determine if the corresponding $u$ is an integer.

¹Note that some of these Heron triangles have consecutive integers as sidelengths, namely $(3, 4, 5; 6)$, $(13, 14, 15; 84)$, and $(193, 194, 195; 16296)$. These correspond to $d = 1$. We shall treat this case in detail when we study the Pell equation. There is one such “small” triangle missing from the table, corresponding to $(p, q) = (9, 5)$.


Proposition 9.2. (1) For obtuse Heron triangles with given inradius $r$, it is enough to check if
$$u = \frac{r^2(v + w)}{vw - r^2} \tag{9.4}$$
is an integer for $w < r$ and $\frac{r^2}{w} < v < \frac{r\left(r + \sqrt{r^2 + w^2}\right)}{w}$.
(2) For acute Heron triangles with given inradius $r$, it is enough to check if $u$ given by (9.4) is an integer for
$$w < \sqrt{3}\,r \quad \text{and} \quad w \le v \le (\sqrt{2} + 1)r.$$
(3) For Pythagorean triangles with given inradius $r$, it is enough to check if $u = \frac{r(v + r)}{v - r}$ is an integer for $r < v < (\sqrt{2} + 1)r$.

Proof. The expression (9.4) follows easily from (9.3).
(1) Since $\frac{C}{2} \ge \frac{\pi}{4}$, $w < r$. Clearly $vw - r^2 > 0$. From $u = \frac{r^2(v + w)}{vw - r^2} \ge v$, we have, after clearing denominator, $wv^2 - 2r^2v - r^2w < 0$. Hence, $\frac{r^2}{w} < v < \frac{r\left(r + \sqrt{r^2 + w^2}\right)}{w}$.
(2) If the triangle is acute angled, all $u, v, w$ are greater than $r$. Since $\frac{C}{2} > \frac{\pi}{6}$, $\frac{r}{w} > \tan\frac{\pi}{6} = \frac{1}{\sqrt{3}}$, we have $w < \sqrt{3}\,r$. Also, $\frac{B}{2} > \frac{\pi}{8}$. This means $\frac{r}{v} > \frac{1}{\sqrt{2} + 1}$ and $v < (\sqrt{2} + 1)r$.
(3) In the Pythagorean case, $r = w$, so that (9.3) becomes $uv = r(u + v + r)$, and $u = \frac{r(v + r)}{v - r} \ge v$. By clearing denominator, $r(v + r) \le v(v - r)$, $v^2 - 2rv - r^2 \le 0$, $(v - r)^2 \le 2r^2$, $v < (\sqrt{2} + 1)r$.

Example 9.1. A Heron triangle is said to be perfect if its area is numerically equal to its perimeter. Equivalently, a perfect Heron triangle has inradius 2. Using Proposition 9.2 above,
(i) for obtuse triangles, we need only check $w = 1$, and $4 < v \le 8$. For $v = 5, 6, 8$, the corresponding $u$ is an integer. These give three obtuse Heron triangles.

 w   v   u    (a, b, c; △)
 1   5   24   (6, 25, 29; 60)
 1   6   14   (7, 15, 20; 42)
 1   8   9    (9, 10, 17; 36)

(ii) There is no acute Heron triangle with inradius 2. We need only check $w = 3$ and $v = 3, 4$.
(iii) The only Pythagorean triangles with inradius 2 are $(6, 8, 10; 24)$ and $(5, 12, 13; 30)$.
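Proposition 9.2 turned into an enumeration, as an added example that is not part of the notes: the three cases are searched with their bounds tested in exact integer arithmetic (no floating point), and for $r = 2$ the output reproduces Example 9.1. Function names are mine; a triangle is reported as its sorted sides followed by the area $r \cdot s$.

```python
# Added example (not from Yiu's notes): every Heron triangle with a given
# integer inradius r, by the three cases of Proposition 9.2, i.e. solving
# uvw = r^2 (u + v + w) (9.3) with u >= v >= w and sides a = v + w,
# b = w + u, c = u + v.  The area is r * s with s = u + v + w.


def u_from(v, w, r):
    """(9.4): u = r^2 (v + w) / (v w - r^2); None unless a positive integer."""
    den = v * w - r * r
    if den <= 0 or (r * r * (v + w)) % den:
        return None
    return r * r * (v + w) // den


def heron_with_inradius(r):
    """All Heron triangles with inradius r, as sorted tuples (a, b, c, area)."""
    found = set()

    def record(u, v, w):
        if u is not None and u >= v:            # keep the ordering u >= v >= w
            a, b, c = v + w, w + u, u + v
            found.add(tuple(sorted((a, b, c))) + (r * (u + v + w),))

    # (1) obtuse: w < r and r^2/w < v < r(r + sqrt(r^2 + w^2))/w, i.e. the v
    #     with w v^2 - 2 r^2 v - r^2 w < 0 (tested exactly, no square roots).
    for w in range(1, r):
        v = r * r // w + 1
        while w * v * v - 2 * r * r * v - r * r * w < 0:
            record(u_from(v, w, r), v, w)
            v += 1
    # (2) acute: r < w < sqrt(3) r and w <= v <= (sqrt(2) + 1) r,
    #     i.e. w^2 < 3 r^2 and (v - r)^2 <= 2 r^2.
    w = r + 1
    while w * w < 3 * r * r:
        v = w
        while (v - r) ** 2 <= 2 * r * r:
            record(u_from(v, w, r), v, w)
            v += 1
        w += 1
    # (3) right-angled: w = r, r < v < (sqrt(2) + 1) r, u = r (v + r) / (v - r).
    for v in range(r + 1, 3 * r):
        if (v - r) ** 2 < 2 * r * r and (r * (v + r)) % (v - r) == 0:
            record(r * (v + r) // (v - r), v, r)
    return sorted(found)


def is_heron(a, b, c, area):
    """Heron's formula in integers: 16 area^2 = (a+b+c)(-a+b+c)(a-b+c)(a+b-c)."""
    return 16 * area * area == (a + b + c) * (-a + b + c) * (a - b + c) * (a + b - c)


def perfect_heron_triangles():
    """Example 9.1: the perfect Heron triangles (area = perimeter, inradius 2)."""
    return [t for t in heron_with_inradius(2) if t[3] == t[0] + t[1] + t[2]]


if __name__ == "__main__":
    for r in (1, 2, 3):
        print(r, heron_with_inradius(r))
```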


Chapter 10

Genealogy of Pythagorean triangles

10.1 Two ternary trees of rational numbers

Consider the rational numbers in the open interval $(0, 1)$. Each of these is uniquely of the form $\frac{q}{p}$, for relatively prime positive integers $p > q$. We call $p + q$ the height of the rational number.

The rational numbers in $(0, 1)$ with odd heights can be arranged in a ternary tree with root $\frac{1}{2}$, as follows. For a rational number $t$ of odd height, the numbers
$$\frac{1}{2 - t}, \qquad \frac{1}{2 + t}, \qquad \frac{t}{1 + 2t}$$
are also in $(0, 1)$ and have odd heights. We call these the descendants of $t$ and label them the left (L), middle (M), and right (R) respectively. If we write $t = \frac{q}{p}$, then these three descendants are $\frac{p}{2p - q}$, $\frac{p}{2p + q}$ and $\frac{q}{p + 2q}$, and have greater heights. Thus, the rational number $\frac{1}{2}$ has left descendant $\frac{2}{3}$, middle descendant $\frac{2}{5}$, and right descendant $\frac{1}{4}$.

[Figure: graphs of s = 1/(2 − t), s = 1/(2 + t) and s = t/(1 + 2t) for 0 < t < 1, showing the three descendants of t.]

On the other hand, each rational number $s \in (0, 1) \setminus \{\frac{1}{3}, \frac{1}{2}\}$ with odd height is the descendant of a unique rational number $t$, which we call its parent. In fact, $s = \frac{n}{m}$ is
(i) the left descendant of $2 - \frac{1}{s} = \frac{2n - m}{n}$ if $\frac{1}{2} < s < 1$,
(ii) the middle descendant of $\frac{1}{s} - 2 = \frac{m - 2n}{n}$ if $\frac{1}{3} < s < \frac{1}{2}$, and
(iii) the right descendant of $\frac{s}{1 - 2s} = \frac{n}{m - 2n}$ if $0 < s < \frac{1}{3}$.

Thus, every rational number in $(0, 1)$ of odd height is in the ternary tree with root $\frac{1}{2}$:

                     1/2
      2/3            2/5            1/4
 3/4  3/8  2/7   5/8  5/12  2/9   4/7  4/9  1/6

The same applies to rational numbers with even heights. They constitute a ternary tree with root $\frac{1}{3}$:

                     1/3
      3/5            3/7            1/5
 5/7  5/13  3/11  7/11  7/17  3/13  5/9  5/11  1/7

Therefore, each rational parameter $s \in (0, 1) \setminus \{\frac{1}{3}, \frac{1}{2}\}$ has a unique “genealogy sequence” tracing back to the root $\frac{1}{2}$. For example,
$$\frac{23}{36} \xleftarrow{L} \frac{10}{23} \xleftarrow{M} \frac{3}{10} \xleftarrow{R} \frac{3}{4} \xleftarrow{L} \frac{2}{3} \xleftarrow{L} \frac{1}{2}.$$

Consider one of these ternary trees. If we “flatten” the entire tree by listing the vertices in order, beginning with the “root”, going down through each level from left to right, what is the position of a vertex with a known genealogy sequence?


Suppose this genealogy sequence has $k$ terms, i.e., the vertex is $k$ levels below the root. Convert it into an integer $N$ in base 3 expansion by
$$L \to 0, \qquad M \to 1, \qquad R \to 2$$
respectively. Then the position of the vertex in the list is $\frac{1}{2}(3^k + 1) + N$. For example, the rational number $\frac{23}{36}$ is in position $\frac{1}{2}(3^5 + 1) + 01200_3 = 122 + 45 = 167$, with a genealogy sequence
$$\frac{23}{36} \xleftarrow{L} \frac{10}{23} \xleftarrow{M} \frac{3}{10} \xleftarrow{R} \frac{3}{4} \xleftarrow{L} \frac{2}{3} \xleftarrow{L} \frac{1}{2}.$$

Exercise
(1) What is the 1000-th vertex in this list from the ternary tree of rational numbers of odd heights, and what is its genealogy sequence?
$$\frac{40}{169} \xleftarrow{R} \frac{40}{89} \xleftarrow{M} \frac{9}{40} \xleftarrow{R} \frac{9}{22} \xleftarrow{M} \frac{4}{9} \xleftarrow{M} \frac{1}{4} \xleftarrow{R} \frac{1}{2}.$$
(2) Show that the rational numbers $t$ and $\frac{1 - t}{1 + t}$ belong to different ternary trees. How are their genealogy sequences related?

10.2 Genealogy of Pythagorean triangles

The ternary trees in the preceding section can be translated into a genealogy of Pythagorean triangles. A Pythagorean triangle (or its similarity class) is generated by a positive rational number $t = \frac{q}{p}$ of odd height. The tree with root $\frac{1}{2}$ translates into

                                 (3, 4, 5)
        (5, 12, 13)             (21, 20, 29)              (15, 8, 17)
 (7, 24, 25) (55, 48, 73) (45, 28, 53)   (39, 80, 89) (119, 120, 169) (77, 36, 85)   (33, 56, 65) (65, 72, 97) (35, 12, 37)


We find the descendants of a Pythagorean triangle $(a, b, c)$ in terms of the sides
$$a = p^2 - q^2, \qquad b = 2pq, \qquad c = p^2 + q^2.$$
The left descendant is generated by $\frac{p}{2p - q}$ and has sides
$$\begin{aligned}
a_l &= (2p - q)^2 - p^2 = 3p^2 - 4pq + q^2 = a - 2b + 2c, \\
b_l &= 2(2p - q)p = 4p^2 - 2pq = 2a - b + 2c, \\
c_l &= (2p - q)^2 + p^2 = 5p^2 - 4pq + q^2 = 2a - 2b + 3c.
\end{aligned}$$
The middle descendant is generated by $\frac{p}{2p + q}$ and has sides
$$\begin{aligned}
a_m &= (2p + q)^2 - p^2 = 3p^2 + 4pq + q^2 = a + 2b + 2c, \\
b_m &= 2(2p + q)p = 4p^2 + 2pq = 2a + b + 2c, \\
c_m &= (2p + q)^2 + p^2 = 5p^2 + 4pq + q^2 = 2a + 2b + 3c.
\end{aligned}$$
The right descendant is generated by $\frac{q}{p + 2q}$ and has sides
$$\begin{aligned}
a_r &= (p + 2q)^2 - q^2 = p^2 + 4pq + 3q^2 = -a + 2b + 2c, \\
b_r &= 2(p + 2q)q = 2pq + 4q^2 = -2a + b + 2c, \\
c_r &= (p + 2q)^2 + q^2 = p^2 + 4pq + 5q^2 = -2a + 2b + 3c.
\end{aligned}$$
Depending on the value of $\frac{q}{p}$, the parent of $(a, b, c)$ is generated by one of the fractions $\frac{2q - p}{q}$, $\frac{p - 2q}{q}$, and $\frac{q}{p - 2q}$. Since these fractions have the same numerators and denominators, up to permutation and change of signs, they all generate the Pythagorean triangle
$$\begin{aligned}
a' &= |q^2 - (2q - p)^2| = |-p^2 + 4pq - 3q^2| = |a + 2b - 2c|, \\
b' &= |2q(2q - p)| = |-2pq + 4q^2| = |2a + b - 2c|, \\
c' &= q^2 + (2q - p)^2 = p^2 - 4pq + 5q^2 = -2a - 2b + 3c.
\end{aligned}$$
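The tree operations of 10.1 and the triangle formulas of 10.2 as added example code, not part of the notes (function names are mine). It reproduces position 167 of $\frac{23}{36}$ and the 1000-th vertex $\frac{40}{169}$ of the exercise, reading the genealogy sequence as base-3 digits in the order the notes write it (from the vertex back to the root), and checks that the descendants of a triangle obtained from $t$ agree with the linear formulas in $a, b, c$.

```python
# Added example (not from Yiu's notes): the ternary tree of 10.1 and its
# translation to Pythagorean triangles in 10.2.  Rationals are exact
# Fractions; a triangle is the tuple (a, b, c) generated by t = q/p.
from fractions import Fraction as F


def descendants(t):
    """(L, M, R) = (1/(2 - t), 1/(2 + t), t/(1 + 2t)); same height parity as t."""
    return (1 / (2 - t), 1 / (2 + t), t / (1 + 2 * t))


def parent(s):
    """Label and parent of s in (0,1) minus {1/3, 1/2}, inverting descendants()."""
    if s > F(1, 2):
        return "L", 2 - 1 / s
    if s > F(1, 3):
        return "M", 1 / s - 2
    return "R", s / (1 - 2 * s)


def genealogy(s):
    """Labels from s back to the root (the order the notes write them), and the root."""
    labels = []
    while s not in (F(1, 2), F(1, 3)):
        lab, s = parent(s)
        labels.append(lab)
    return labels, s


def position(s):
    """Position in the flattened tree: (3^k + 1)/2 + N, N = the labels read in base 3."""
    labels, _ = genealogy(s)
    n = 0
    for lab in labels:                      # first label = most significant digit
        n = 3 * n + "LMR".index(lab)
    return (3 ** len(labels) + 1) // 2 + n


def vertex_at(pos, root=F(1, 2)):
    """Inverse of position(): the vertex at a given position of the flattened tree."""
    k = 0
    while (3 ** (k + 1) + 1) // 2 <= pos:   # find the level k containing pos
        k += 1
    n = pos - (3 ** k + 1) // 2
    digits = []
    for _ in range(k):
        digits.append(n % 3)
        n //= 3
    # digits now run least significant first, i.e. from the root down to the vertex
    t = root
    for d in digits:
        t = descendants(t)[d]
    return t


def triangle(t):
    """Pythagorean triangle generated by t = q/p: (p^2 - q^2, 2pq, p^2 + q^2)."""
    q, p = t.numerator, t.denominator
    return (p * p - q * q, 2 * p * q, p * p + q * q)


def triangle_descendants(a, b, c):
    """Left, middle and right descendants of (a, b, c) by the linear formulas of 10.2."""
    return ((a - 2 * b + 2 * c, 2 * a - b + 2 * c, 2 * a - 2 * b + 3 * c),
            (a + 2 * b + 2 * c, 2 * a + b + 2 * c, 2 * a + 2 * b + 3 * c),
            (-a + 2 * b + 2 * c, -2 * a + b + 2 * c, -2 * a + 2 * b + 3 * c))


def triangle_parent(a, b, c):
    """Parent of (a, b, c): (|a + 2b - 2c|, |2a + b - 2c|, -2a - 2b + 3c)."""
    return (abs(a + 2 * b - 2 * c), abs(2 * a + b - 2 * c), -2 * a - 2 * b + 3 * c)


def tree_consistent(t):
    """Both routes to the descendants of the triangle generated by t agree."""
    return tuple(triangle(d) for d in descendants(t)) == triangle_descendants(*triangle(t))


if __name__ == "__main__":
    s = F(23, 36)
    print(genealogy(s), position(s))          # (['L', 'M', 'R', 'L', 'L'], 1/2) 167
    v = vertex_at(1000)
    print(v, genealogy(v))                    # 40/169 (['R', 'M', 'R', 'M', 'M', 'R'], 1/2)
    print(triangle_descendants(3, 4, 5))
```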

Consider a right triangle $ABC$ with vertices $A = (0, b)$, $B = (a, 0)$, and $C = (0, 0)$, with semiperimeter $s = \frac{1}{2}(a + b + c)$. The incenter and the excenters are the points
$$I = (s - c,\ s - c), \quad I_a = (s - b,\ -(s - b)), \quad I_b = (-(s - a),\ s - a), \quad I_c = (s,\ s).$$
The circles with these centers and respective radii $r = s - c$, $r_a = s - b$, $r_b = s - a$, and $r_c = s$ are tangent to the sidelines of the triangle. According to the famous Feuerbach theorem, each of these circles is tangent to the nine-point circle, which is the circle passing through the midpoints of the three sides. This circle has center $N = \left(\frac{a}{4}, \frac{b}{4}\right)$ and radius $\frac{c}{4}$. The following theorem gives a nice geometric interpretation of the genealogy of Pythagorean triangles.


Theorem 10.1. The right triangles with hypotenuses $NI_a$, $NI_b$, $NI_c$ and sides parallel to $BC$ and $AC$ are similar to the descendants of $ABC$. The one with hypotenuse $NI$ (and sides parallel to $BC$ and $AC$) is similar to the parent of $ABC$.

Proof. The following table shows the sidelengths of the right triangles involved, each magnified by a factor 4:

        horizontal        vertical          hypotenuse
 NI     |a + 2b − 2c|     |2a + b − 2c|     −2a − 2b + 3c    parent
 NIa    a − 2b + 2c       2a − b + 2c       2a − 2b + 3c     left
 NIb    −a + 2b + 2c      −2a + b + 2c      −2a + 2b + 3c    right
 NIc    a + 2b + 2c       2a + b + 2c       2a + 2b + 3c     middle

[Figure: right triangle ABC with incenter I, excenters I_a, I_b, I_c and nine-point center N.]


Chapter 11

Polygonal numbers

11.1 The polygonal numbers $P_{k,n}$

The $n$-th triangular number is
$$T_n = 1 + 2 + 3 + \cdots + n = \frac{1}{2}n(n + 1).$$
The first few of these are $1, 3, 6, 10, 15, 21, 28, 36, 45, 55, \ldots$.

The pentagonal numbers are the sums of the arithmetic progression
$$1 + 4 + 7 + \cdots + (3n - 2) + \cdots$$
The $n$-th pentagonal number is $P_n = \frac{1}{2}n(3n - 1)$. Here are the beginning ones:
$$1, 5, 12, 22, 35, 51, 70, 92, 117, 145, \ldots$$
More generally, for a fixed $k$, the $k$-gonal numbers are the sums of the arithmetic progression $1 + (k - 1) + (2k - 3) + \cdots$. The $n$-th $k$-gonal number is
$$P_{k,n} = \frac{1}{2}n\left((k - 2)n - (k - 4)\right).$$


11.2 The equation $P_{k,a} + P_{k,b} = P_{k,c}$

By a $k$-gonal triple, we mean a triple of positive integers $(a, b, c)$ satisfying
$$P_{k,a} + P_{k,b} = P_{k,c}. \tag{11.1}$$
A 4-gonal triple is simply a Pythagorean triple satisfying $a^2 + b^2 = c^2$. We shall assume in the present chapter that $k \ne 4$. By completing squares, we rewrite (11.1) as
$$[2(k - 2)a - (k - 4)]^2 + [2(k - 2)b - (k - 4)]^2 = [2(k - 2)c - (k - 4)]^2 + (k - 4)^2, \tag{11.2}$$
and note, by dividing throughout by $(k - 4)^2$, that this determines a rational point on the surface $S$:
$$x^2 + y^2 = z^2 + 1, \tag{11.3}$$
namely,
$$P(k; a, b, c) := (ga - 1,\ gb - 1,\ gc - 1), \tag{11.4}$$
where $g = \frac{2(k - 2)}{k - 4}$. This is always an integer point for $k = 3, 5, 6, 8$, with corresponding $g = -2, 6, 4, 3$. For $k = 3$ (triangular numbers), we shall change signs, and consider instead the point
$$P'(3; a, b, c) := (2a + 1,\ 2b + 1,\ 2c + 1). \tag{11.5}$$
The coordinates of $P'(3; a, b, c)$ are all odd integers exceeding 1.

11.3 Double ruling of $S$

The surface $S$, being the surface of revolution of a rectangular hyperbola about its conjugate axis, is a rectangular hyperboloid of one sheet. It has a double ruling, i.e., through each point on the surface, there are two straight lines lying entirely on the surface.

Let $P(x_0, y_0, z_0)$ be a point on the surface $S$. A line $\ell$ through $P$ with direction numbers $p : q : r$ has parametrization
$$\ell : \quad x = x_0 + pt, \qquad y = y_0 + qt, \qquad z = z_0 + rt.$$


Substitution of these expressions into (11.3) shows that the line $\ell$ is entirely contained in the surface $S$ if and only if
$$px_0 + qy_0 = rz_0, \tag{11.6}$$
$$p^2 + q^2 = r^2. \tag{11.7}$$
It follows that
$$\begin{aligned}
r^2 &= r^2(x_0^2 + y_0^2 - z_0^2) = r^2(x_0^2 + y_0^2) - (px_0 + qy_0)^2 \\
&= (p^2 + q^2)(x_0^2 + y_0^2) - (px_0 + qy_0)^2 \\
&= (qx_0 - py_0)^2.
\end{aligned}$$
This means
$$qx_0 - py_0 = \varepsilon r, \qquad \varepsilon = \pm 1. \tag{11.8}$$
Solving equations (11.6) and (11.8), we determine the direction numbers of the line. We summarize this in the following proposition.

Proposition 11.1. The two lines lying entirely on the hyperboloid $S : x^2 + y^2 = z^2 + 1$ and passing through $P(x_0, y_0, z_0)$ have direction numbers
$$x_0z_0 - \varepsilon y_0 \ :\ y_0z_0 + \varepsilon x_0 \ :\ x_0^2 + y_0^2$$
for $\varepsilon = \pm 1$.

In particular, if $P$ is a rational point, these direction numbers are rational.

11.4 Primitive Pythagorean triple associated with a k-gonal triple

Let $P$ be the rational point determined by a $k$-gonal triple $(a, b, c)$, as given by (11.4) for $k \ge 5$ and (11.5) for $k = 3$ (triangular numbers). We first note that the coordinates of $P$ all exceed 1. This is clear for $k = 3$, and for $k \ge 5$, it follows from the fact that $g = \frac{2(k - 2)}{k - 4} > 2$. The direction numbers of the ruling lines on $S$ through the point $P$, as given in Proposition 11.1, are all positive. In view of (11.7), we may therefore choose a primitive Pythagorean triple $(p, q, r)$ for these direction numbers. As is well known, every such triple is given by
$$p = m^2 - n^2, \qquad q = 2mn, \qquad r = m^2 + n^2 \tag{11.9}$$
for relatively prime integers $m > n$ of different parity.

We study the converse question of determining $k$-gonal triples from (primitive) Pythagorean triples.

11.5 Triples of triangular numbers

Given a primitive Pythagorean triple $(p, q, r)$ as in (11.9), we want to determine a triangular triple $(a, b, c)$ corresponding to it. Given an odd integer $z_0 > 1$, we obtain, from (11.6) and (11.8),
$$x_0 = \frac{pz_0 + \varepsilon q}{r}, \qquad y_0 = \frac{qz_0 - \varepsilon p}{r}. \tag{11.10}$$
We claim that it is possible to choose $z_0 > 1$ so that $x_0$ and $y_0$ are also odd integers $> 1$.

By the euclidean algorithm, there are odd integers $u$ and $v$ such that $qu + rv = 1$. (Note that $v$ must be odd, since $q$ is even. If $u$ is even, we replace $(u, v)$ by $(u - r, v + q)$, in which both entries are odd.) Clearly, the integer $z_0 = \varepsilon pu$ is such that $qz_0 - \varepsilon p = \varepsilon p(qu - 1)$ is divisible by $r$. This makes $y_0$ an integer. The corresponding $x_0$ is also an integer. Replacing $z_0$ by $z_0 + rt$ for a positive integer $t$ if necessary, the integers $z_0$, $x_0$, and $y_0$ can be chosen greater than 1. From (11.10), the integers $x_0$ and $y_0$ are both odd, since $p$ and $q$ are of different parity and $z_0$ is odd.

We summarize this in the following theorem.

Theorem 11.2. Let $(p, q, r)$ be a primitive Pythagorean triple. There are two infinite families of triangular triples $(a_\varepsilon(t), b_\varepsilon(t), c_\varepsilon(t))$, $\varepsilon = \pm 1$, such that one of the lines $\ell_\varepsilon(P)$, $P = P'(3; a_\varepsilon(t), b_\varepsilon(t), c_\varepsilon(t))$, has direction numbers $p : q : r$.

Triangular triples from primitive Pythagorean triples

 (m, n)   (p, q, r)      (a+(0), b+(0), c+(0))   (a−(0), b−(0), c−(0))
 (2, 1)   (3, 4, 5)      (2, 2, 3)               (3, 5, 6)
 (4, 1)   (15, 8, 17)    (9, 4, 10)              (5, 3, 6)
 (3, 2)   (5, 12, 13)    (4, 9, 10)              (5, 14, 15)
 (6, 1)   (35, 12, 37)   (20, 6, 21)             (14, 5, 15)
 (5, 2)   (21, 20, 29)   (6, 5, 8)               (14, 14, 20)
 (4, 3)   (7, 24, 25)    (6, 20, 21)             (7, 27, 28)
 (8, 1)   (63, 16, 65)   (35, 8, 36)             (27, 7, 28)
 (7, 2)   (45, 28, 53)   (35, 21, 41)            (9, 6, 11)
 (5, 4)   (9, 40, 41)    (8, 35, 36)             (9, 44, 45)

11.6 k-gonal triples determined by a Pythagorean triple

Now, we consider $k \ge 5$. We shall adopt the notation
$$h' := \begin{cases} h & \text{if } h \text{ is odd,} \\ \frac{h}{2} & \text{if } h \text{ is even,} \end{cases}$$
for an integer $h$.

Theorem 11.3. Let $k \ge 5$ and $g = \frac{2(k - 2)}{k - 4}$. The primitive Pythagorean triple $(p, q, r)$ defined in (11.9) by relatively prime integers $m > n$ with different parity corresponds to a $k$-gonal triple if and only if one of $\frac{2n}{g}$ and $\frac{2(m - n)}{g}$ is an integer.

Proof. As in (11.10) above, the rational points through which the surface $S$ contains a line of direction numbers $p : q : r$ are of the form
$$\left(\frac{pz + \varepsilon q}{r},\ \frac{qz - \varepsilon p}{r},\ z\right). \tag{11.11}$$
Suppose this corresponds to a $k$-gonal triple $(a, b, c)$, so that $z = gc - 1$. From (11.4), we obtain, for $\varepsilon = 1$,
$$a = \frac{m + n}{(k - 2)'(m^2 + n^2)} \cdot \left[(k - 2)'(m - n)c + (k - 4)'n\right], \tag{11.12}$$
$$b = \frac{n}{(k - 2)'(m^2 + n^2)} \cdot \left[(k - 2)' \cdot 2mc - (k - 4)'(m - n)\right]. \tag{11.13}$$
Note that $(k - 2)'$ and $(k - 4)'$ are always relatively prime, since $\gcd(k - 2, k - 4) = 1$ or 2 according as $k$ is odd or even.

From these expressions,


$$a^2 + b^2 - c^2 = \frac{2(k - 4)'n}{(k - 2)'^2(m^2 + n^2)} \cdot \left[(k - 2)'(m - n)c + (k - 4)'n\right].$$
We claim that $n$ must be divisible by $(k - 2)'$ for $a, b, c$ to be integers. Let $d := \gcd(n, (k - 2)')$, so that
$$n = d \cdot n^*, \qquad (k - 2)' = d \cdot (k - 2)^*$$
for relatively prime integers $n^*$ and $(k - 2)^*$. Then
$$a^2 + b^2 - c^2 = \frac{2(k - 4)'n^*}{(k - 2)^{*2}(m^2 + n^2)} \cdot \left[(k - 2)^*(m - n)c + (k - 4)'n^*\right].$$
Since $(k - 2)^*$ is prime to each of $(k - 4)'$ and $n^*$, the only possible prime divisor of $(k - 2)^*$ is 2. This means that $(k - 2)^*$ is a power of 2 (possibly 1). If $(k - 2)^*$ is even, then after cancelling a common divisor 2, the numerator of $a^2 + b^2 - c^2$ is odd, and the denominator is even. This cannot be an integer. It follows that $(k - 2)^* = 1$, justifying the claim that $n$ must be divisible by $(k - 2)'$.

Since $g = \frac{2(k - 2)'}{(k - 4)'}$, the condition that $n$ be divisible by $(k - 2)'$ is equivalent to $\frac{2n}{g}$ being an integer. Under this condition, there is a unique positive integer $c_0 < m^2 + n^2$ for which $a_0$ defined by (11.12) is an integer. Note that $a_0^2 + b_0^2 - c_0^2$ is also an integer. Since $b_0$ is rational, it too must be an integer. Every $k$-gonal triple associated with the primitive Pythagorean triple $(p, q, r)$ is of the form
$$a_t = a_0 + pt, \qquad b_t = b_0 + qt, \qquad c_t = c_0 + rt$$
for a positive integer $t$.

For $\varepsilon = -1$, the treatment is exactly the same, with $n$ replaced by $m - n$. Indeed, we have
$$a = \frac{m - n}{(k - 2)'(m^2 + n^2)} \cdot \left[(k - 2)'(m + n)c - (k - 4)'n\right],$$
$$b = \frac{m}{(k - 2)'(m^2 + n^2)} \cdot \left[(k - 2)' \cdot 2nc + (k - 4)'(m - n)\right].$$
Since $m$ and $n$ are relatively prime, the integer $(k - 2)' > 1$ cannot divide both $n$ and $m - n$. This means that a primitive Pythagorean triple $(p, q, r)$ corresponds to at most one line on $S$ associated with $k$-gonal triples (for $k \ge 5$).

Indeed, if $k = 4h + 2$, $(k - 2)'$ is the even number $2h$, and cannot divide the odd integer $m - n$. It follows that only those pairs $(m, n)$, with $n$ a multiple of $2h$, give $(4h + 2)$-gonal triples. For example, by choosing $m = 2h + 1$, $n = 2h$, we have
$$\begin{aligned}
p &= 4h + 1, & q &= 8h^2 + 4h, & r &= 8h^2 + 4h + 1, \\
a_0 &= 4h + 1, & b_0 &= 8h^2 + 2h + 1, & c_0 &= 8h^2 + 2h + 2.
\end{aligned}$$


These give an infinite family of $(4h + 2)$-gonal triples:
$$\begin{aligned}
a_t &= (4h + 1)(t + 1), \\
b_t &= 8h^2 + 2h + 1 + (8h^2 + 4h)t, \\
c_t &= 8h^2 + 2h + 2 + (8h^2 + 4h + 1)t.
\end{aligned}$$

(4h + 2)-gonal triples

 (h, k, g)      (m, n)    (p, q, r)         (a, b, c)
 (1, 6, 4)      (3, 2)    (5, 12, 13)       (5, 11, 12)
                (5, 2)    (21, 20, 29)      (14, 13, 19)
                (5, 4)    (9, 40, 41)       (9, 38, 39)
                (7, 2)    (45, 28, 53)      (18, 11, 21)
                (7, 4)    (33, 56, 65)      (11, 18, 21)
                (7, 6)    (13, 84, 85)      (13, 81, 82)
                (9, 2)    (77, 36, 85)      (11, 5, 12)
                (9, 4)    (65, 72, 97)      (13, 14, 19)
                (9, 8)    (17, 144, 145)    (17, 140, 141)
                (11, 2)   (117, 44, 125)    (104, 39, 111)
                (11, 4)   (105, 88, 137)    (60, 50, 78)
                (11, 6)   (85, 132, 157)    (68, 105, 125)
                (11, 8)   (57, 176, 185)    (38, 116, 122)
                (11, 10)  (21, 220, 221)    (21, 215, 216)
 (2, 10, 8/3)   (5, 4)    (9, 40, 41)       (9, 37, 38)
                (7, 4)    (33, 56, 65)      (33, 55, 64)
                (9, 4)    (65, 72, 97)      (52, 57, 77)
                (9, 8)    (17, 144, 145)    (17, 138, 139)
                (11, 4)   (105, 88, 137)    (90, 75, 117)
                (11, 8)   (57, 176, 185)    (57, 174, 183)
 (3, 14, 12/5)  (7, 6)    (13, 84, 85)      (13, 79, 80)
                (11, 6)   (85, 132, 157)    (85, 131, 156)
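Added example for 11.2 to 11.6 (not from the notes; function names are mine): it builds the point of (11.4)/(11.5), the ruling directions of Proposition 11.1, and recovers the $k$-gonal triple of Theorem 11.3 from $(m, n)$ by searching the points (11.11) on the line directly instead of using (11.12)/(11.13); that search also covers $k = 3$ and the $\varepsilon = -1$ line, so it goes slightly beyond the tables above.

```python
# Added example (not from Yiu's notes): the hyperboloid S of 11.2-11.3 and the
# k-gonal triples of 11.5-11.6.  kgonal_triple() walks the points (11.11) on
# the ruling line of direction p:q:r and keeps the first one whose coordinates
# come from integers a, b >= 1 via (11.4) (k >= 5) or (11.5) (k = 3).
from fractions import Fraction as Fr
from math import gcd


def polygonal(k, n):
    """P_{k,n} = n((k-2)n - (k-4))/2, the n-th k-gonal number."""
    return n * ((k - 2) * n - (k - 4)) // 2


def is_kgonal_triple(k, a, b, c):
    """(11.1): P_{k,a} + P_{k,b} = P_{k,c}."""
    return polygonal(k, a) + polygonal(k, b) == polygonal(k, c)


def point_on_S(k, a, b, c):
    """P(k; a, b, c) of (11.4), or P'(3; a, b, c) of (11.5) when k = 3."""
    if k == 3:
        return (2 * a + 1, 2 * b + 1, 2 * c + 1)
    g = Fr(2 * (k - 2), k - 4)
    return (g * a - 1, g * b - 1, g * c - 1)


def on_S(x, y, z):
    """Membership in S: x^2 + y^2 = z^2 + 1 (11.3)."""
    return x * x + y * y == z * z + 1


def ruling_directions(x0, y0, z0):
    """Proposition 11.1: direction numbers of the two lines on S through (x0, y0, z0)."""
    return [(x0 * z0 - e * y0, y0 * z0 + e * x0, x0 * x0 + y0 * y0) for e in (1, -1)]


def kgonal_triple(k, m, n, eps):
    """Smallest k-gonal triple on the line of direction p:q:r through the
    points (11.11), for the primitive triple (11.9) built from (m, n).

    Returns ((a0, b0, c0), (p, q, r)), or None when the line carries no
    triple (the 'only if' direction of Theorem 11.3).  k = 3 or k >= 5.
    """
    assert m > n > 0 and gcd(m, n) == 1 and (m - n) % 2 == 1 and k != 4
    p, q, r = m * m - n * n, 2 * m * n, m * m + n * n
    g = None if k == 3 else Fr(2 * (k - 2), k - 4)
    for c in range(1, 2 * r + 1):            # c0 < r for k >= 5; 2r covers k = 3
        z = Fr(2 * c + 1) if k == 3 else g * c - 1
        x, y = (p * z + eps * q) / r, (q * z - eps * p) / r
        if k == 3:                           # invert (11.5)
            a, b = (x - 1) / 2, (y - 1) / 2
        else:                                # invert (11.4)
            a, b = (x + 1) / g, (y + 1) / g
        if a.denominator == 1 and b.denominator == 1 and a >= 1 and b >= 1:
            return (int(a), int(b), c), (p, q, r)
    return None


def kgonal_family(k, m, n, eps, tmax):
    """(a0 + pt, b0 + qt, c0 + rt) for t = 0..tmax: the whole line of triples."""
    (a0, b0, c0), (p, q, r) = kgonal_triple(k, m, n, eps)
    return [(a0 + p * t, b0 + q * t, c0 + r * t) for t in range(tmax + 1)]


if __name__ == "__main__":
    print(kgonal_triple(6, 3, 2, 1))          # ((5, 11, 12), (5, 12, 13))
    print(kgonal_triple(3, 2, 1, -1))         # ((3, 5, 6), (3, 4, 5))
    print(kgonal_family(5, 4, 3, 1, 3))       # pentagonal triples on one line
```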


Chapter 12

Quadratic Residues

12.1 Quadratic residues

Let $n > 1$ be a given positive integer, and $\gcd(a, n) = 1$. We say that $a \in \mathbb{Z}_n^{\bullet}$ is a quadratic residue mod $n$ if the congruence $x^2 \equiv a \pmod n$ is solvable. Otherwise, $a$ is called a quadratic nonresidue mod $n$.

1. If $a$ and $b$ are quadratic residues mod $n$, so is their product $ab$.

2. If $a$ is a quadratic residue, and $b$ a quadratic nonresidue mod $n$, then $ab$ is a quadratic nonresidue mod $n$.

3. The product of two quadratic nonresidues mod $n$ is not necessarily a quadratic residue mod $n$. For example, in $\mathbb{Z}_{12}^{\bullet} = \{1, 5, 7, 11\}$, only 1 is a quadratic residue; $5$, $7$, and $11 \equiv 5 \cdot 7$ are all quadratic nonresidues.

Proposition 12.1. Let $p$ be an odd prime, and $p \nmid a$. The quadratic congruence $ax^2 + bx + c \equiv 0 \pmod p$ is solvable if and only if $(2ax + b)^2 \equiv b^2 - 4ac \pmod p$ is solvable.

Theorem 12.2. Let $p$ be an odd prime. Exactly one half of the elements of $\mathbb{Z}_p^{\bullet}$ are quadratic residues.

Proof. Each quadratic residue modulo $p$ is congruent to one of the following $\frac{1}{2}(p - 1)$ residues:
$$1^2,\ 2^2,\ \ldots,\ k^2,\ \ldots,\ \left(\frac{p - 1}{2}\right)^2.$$
We show that these residue classes are all distinct. For $1 \le h < k \le \frac{p - 1}{2}$, $h^2 \equiv k^2 \pmod p$ if and only if $(k - h)(h + k)$ is divisible by $p$; this is impossible since each of $k - h$ and $h + k$ is smaller than $p$.

Corollary 12.3. If $p$ is an odd prime, the product of two quadratic nonresidues is a quadratic residue.


12.2 The Legendre symbol

Let $p$ be an odd prime. For an integer $a$, we define the Legendre symbol
$$\left(\frac{a}{p}\right) := \begin{cases} +1, & \text{if } a \text{ is a quadratic residue mod } p, \\ -1, & \text{otherwise.} \end{cases}$$

Lemma 12.4. $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$.

Proof. This is equivalent to saying that modulo $p$, the product of two quadratic residues (respectively nonresidues) is a quadratic residue, and the product of a quadratic residue and a quadratic nonresidue is a quadratic nonresidue.

For an odd prime $p$, $\left(\frac{-1}{p}\right) = (-1)^{\frac{1}{2}(p - 1)}$. This is a restatement of Theorem 12.6 that $-1$ is a quadratic residue mod $p$ if and only if $p \equiv 1 \pmod 4$.

Theorem 12.5 (Euler). Let $p$ be an odd prime. For each integer $a$ not divisible by $p$,
$$\left(\frac{a}{p}\right) \equiv a^{\frac{1}{2}(p - 1)} \pmod p.$$

Proof. Suppose $a$ is a quadratic nonresidue mod $p$. The mod $p$ residues $1, 2, \ldots, p - 1$ are partitioned into pairs satisfying $xy = a$. In this case,
$$(p - 1)! \equiv a^{\frac{1}{2}(p - 1)} \pmod p.$$
On the other hand, if $a$ is a quadratic residue, with $a \equiv k^2 \equiv (p - k)^2 \pmod p$, apart from $0, \pm k$, the remaining $p - 3$ elements of $\mathbb{Z}_p$ can be partitioned into pairs satisfying $xy = a$. Then
$$(p - 1)! \equiv k(p - k)\,a^{\frac{1}{2}(p - 3)} \equiv -a^{\frac{1}{2}(p - 1)} \pmod p.$$
Summarizing, we obtain
$$(p - 1)! \equiv -\left(\frac{a}{p}\right)a^{\frac{1}{2}(p - 1)} \pmod p.$$
Note that by putting $a = 1$, we obtain Wilson's theorem: $(p - 1)! \equiv -1 \pmod p$. By comparison, we obtain a formula for $\left(\frac{a}{p}\right)$:
$$\left(\frac{a}{p}\right) \equiv a^{\frac{1}{2}(p - 1)} \pmod p.$$


12.3 −1 as a quadratic residue mod p

Theorem 12.6. Let $p$ be an odd prime. $-1$ is a quadratic residue mod $p$ if and only if $p \equiv 1 \pmod 4$.

Proof. If $x^2 \equiv -1 \pmod p$, then $(-1)^{\frac{p - 1}{2}} \equiv x^{p - 1} \equiv 1 \pmod p$ by Fermat's little theorem. This means that $\frac{p - 1}{2}$ is even, and $p \equiv 1 \pmod 4$.
Conversely, if $p \equiv 1 \pmod 4$, the integer $\frac{p - 1}{2}$ is even. By Wilson's theorem,
$$\left(\left(\frac{p - 1}{2}\right)!\right)^2 = \prod_{j = 1}^{\frac{p - 1}{2}} j^2 = \prod_{j = 1}^{\frac{p - 1}{2}} j \cdot (-j) \equiv \prod_{j = 1}^{\frac{p - 1}{2}} j \cdot (p - j) = (p - 1)! \equiv -1 \pmod p.$$
The solutions of $x^2 \equiv -1 \pmod p$ are therefore $x \equiv \pm\left(\frac{p - 1}{2}\right)!$.

Here are the square roots of $-1$ mod $p$ for the first 20 primes of the form $4k + 1$:

   p   √−1      p   √−1      p   √−1      p   √−1      p   √−1
   5   ±2      13   ±5      17   ±4      29   ±12     37   ±6
  41   ±9      53   ±23     61   ±11     73   ±27     89   ±34
  97   ±22    101   ±10    109   ±33    113   ±15    137   ±37
 149   ±44    157   ±28    173   ±80    181   ±19    193   ±81

Theorem 12.7. There are infinitely many primes of the form $4n + 1$.

Proof. Suppose there are only finitely many primes $p_1, p_2, \ldots, p_r$ of the form $4n + 1$. Consider the product
$$P = (2p_1p_2 \cdots p_r)^2 + 1.$$
Note that $P \equiv 1 \pmod 4$. Since $P$ is greater than each of $p_1, p_2, \ldots, p_r$, it cannot be prime, and so must have a prime factor $p$ different from $p_1, p_2, \ldots, p_r$. But then modulo $p$, $-1$ is a square. By Theorem 12.6, $p$ must be of the form $4n + 1$, a contradiction.

In the table below we list, for primes $< 50$, the quadratic residues and their square roots. It is understood that the square roots come in pairs. For example, the entry $(2, 7)$ for the prime 47 should be interpreted as saying that the two solutions of the congruence $x^2 \equiv 2 \pmod{47}$ are $x \equiv \pm 7 \pmod{47}$. Also, for primes of the form $p = 4n + 1$, since $-1$ is a quadratic residue modulo $p$, we only list quadratic residues smaller than $\frac{p}{2}$. Those greater than $\frac{p}{2}$ can be found with the help of the square roots of $-1$.

Quadratic residues mod p and their square roots

 3   (1, 1)
 5   (−1, 2) (1, 1)
 7   (1, 1) (2, 3) (4, 2)
11   (1, 1) (3, 5) (4, 2) (5, 4) (9, 3)
13   (−1, 5) (1, 1) (3, 4) (4, 2)
17   (−1, 4) (1, 1) (2, 6) (4, 2) (8, 5)
19   (1, 1) (4, 2) (5, 9) (6, 5) (7, 8) (9, 3) (11, 7) (16, 4) (17, 6)
23   (1, 1) (2, 5) (3, 7) (4, 2) (6, 11) (8, 10) (9, 3) (12, 9) (13, 6) (16, 4) (18, 8)
29   (−1, 12) (1, 1) (4, 2) (5, 11) (6, 8) (7, 6) (9, 3) (13, 10)
31   (1, 1) (2, 8) (4, 2) (5, 6) (7, 10) (8, 15) (9, 3) (10, 14) (14, 13) (16, 4) (18, 7) (19, 9) (20, 12) (25, 5) (28, 11)
37   (−1, 6) (1, 1) (3, 15) (4, 2) (7, 9) (9, 3) (10, 11) (11, 14) (12, 7) (16, 4)
41   (−1, 9) (1, 1) (2, 17) (4, 2) (5, 13) (8, 7) (9, 3) (10, 16) (16, 4) (18, 10) (20, 15)
43   (1, 1) (4, 2) (6, 7) (9, 3) (10, 15) (11, 21) (13, 20) (14, 10) (15, 12) (16, 4) (17, 19) (21, 8) (23, 18) (24, 14) (25, 5) (31, 17) (35, 11) (36, 6) (38, 9) (40, 13) (41, 16)
47   (1, 1) (2, 7) (3, 12) (4, 2) (6, 10) (7, 17) (8, 14) (9, 3) (12, 23) (14, 22) (16, 4) (17, 8) (18, 21) (21, 16) (24, 20) (25, 5) (27, 11) (28, 13) (32, 19) (34, 9) (36, 6) (37, 15) (42, 18)


Chapter 13

The law of quadratic reciprocity

13.1 Gauss’ lemma

Theorem 13.1 (Gauss' Lemma). Let p be an odd prime, and a an integer not divisible by p. Then $\left(\frac{a}{p}\right) = (-1)^\mu$ where μ is the number of residues among

$$a, 2a, 3a, \ldots, \tfrac{p-1}{2}a$$

falling in the range $\frac{p}{2} < x < p$.

Proof. Every residue modulo p has a unique representative with least absolute value, namely, the one in the range $-\frac{p-1}{2} \le x \le \frac{p-1}{2}$. The residues described in the statement of Gauss' Lemma are precisely those whose representatives are negative. Now, among the representatives of the residues of $a, 2a, \ldots, \frac{p-1}{2}a$, say, there are λ positive ones, $r_1, r_2, \ldots, r_\lambda$, and μ negative ones $-s_1, -s_2, \ldots, -s_\mu$. Here, $\lambda + \mu = \frac{p-1}{2}$, and $0 < r_i, s_j < \frac{p}{2}$.

Note that no two of the r's are equal; similarly for the s's. Suppose that $r_i = s_j$ for some indices i and j. This means

$$ha \equiv r_i \pmod p;\qquad ka \equiv -s_j \pmod p$$

for some h, k in the range $0 < h, k < \frac12(p-1)$. Note that $(h+k)a \equiv 0 \pmod p$. But this is a contradiction since $h + k < p - 1$ and p does not divide a. It follows that

$$r_1, r_2, \ldots, r_\lambda, s_1, s_2, \ldots, s_\mu$$

are a permutation of $1, 2, \ldots, \frac12(p-1)$. From this

$$a\cdot 2a\cdots\tfrac{p-1}{2}a = (-1)^\mu\, 1\cdot 2\cdots\tfrac{p-1}{2},$$

and $a^{\frac12(p-1)} = (-1)^\mu$. By Theorem 12.5, $\left(\frac{a}{p}\right) = (-1)^\mu$.

Example

Let p = 19 and a = 5. We consider the first 9 multiples of 5 mod 19. These are

$$5,\ 10,\ 15,\ 20 \equiv 1,\ 25 \equiv 6,\ 30 \equiv 11,\ 35 \equiv 16,\ 40 \equiv 2,\ 45 \equiv 7.$$

4 of these exceed 9, namely, 10, 15, 11, 16. It follows that $\left(\frac{5}{19}\right) = 1$; 5 is a quadratic residue mod 19.¹

Theorem 13.2. $\left(\frac{2}{p}\right) = (-1)^{\lfloor\frac14(p+1)\rfloor} = (-1)^{\frac18(p^2-1)}$. Equivalently,

$$\left(\frac{2}{p}\right) = \begin{cases} +1 & \text{if } p \equiv \pm 1 \pmod 8,\\ -1 & \text{if } p \equiv \pm 3 \pmod 8.\end{cases}$$

Proof. We need to see how many terms in the sequence

$$2\cdot 1,\ 2\cdot 2,\ 2\cdot 3,\ \ldots,\ 2\cdot\tfrac{p-1}{2}$$

are in the range $\frac{p}{2} < x < p$. If p = 4k + 1, these are the numbers $2k+2, \ldots, 4k$, and there are k of them. On the other hand, if p = 4k + 3, these are the numbers $2k+2, \ldots, 4k+2$, and there are k + 1 of them. In each case, the number of terms is $\lfloor\frac14(p+1)\rfloor$.

Example

Square root of 2 mod p for the first 20 primes of the form 8k ± 1.

   p  √2      p  √2      p  √2      p  √2      p  √2
   7   3     17   6     23   5     31   8     41  17
  47   7     71  12     73  32     79   9     89  25
  97  14    103  38    113  51    127  16    137  31
 151  46    167  13    191  57    193  52    199  20

Proposition 13.3 (Euler). Let p > 3 be a prime number of the form 4k + 3. If q = 2p + 1 is also prime, then the Mersenne number $M_p = 2^p - 1$ has a prime factor 2p + 1 and is composite.

¹ Indeed $5 \equiv 9^2 \pmod{19}$.

Proof. Note that the prime q is of the form 8k + 7, and so admits 2 as a quadratic residue. By Theorem 13.2,

$$2^p = 2^{\frac12(q-1)} \equiv \left(\frac{2}{q}\right) = 1 \pmod q.$$

This means that q = 2p + 1 divides $M_p = 2^p - 1$. If p > 3, $2p + 1 < 2^p - 1$, and $M_p$ is composite.

For example, $M_{11} = 2^{11} - 1$ is divisible by 23 since 23 = 2·11 + 1 is prime. Similarly, $M_{23} = 2^{23} - 1$ is divisible by 47, and $M_{83} = 2^{83} - 1$ is divisible by 167.

13.2 The law of quadratic reciprocity

Theorem 13.4 (Law of quadratic reciprocity). Let p and q be distinct odd primes.

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}.$$

Equivalently, when at least one of p, q ≡ 1 mod 4, p is a quadratic residue mod q if and only if q is a quadratic residue mod p.²

Proof. (1) Let a be an integer not divisible by p. Suppose, as in the proof of Gauss' Lemma above, of the residues $a, 2a, \ldots, \frac{p-1}{2}a$, the positive least absolute value representatives are $r_1, r_2, \ldots, r_\lambda$, and the negative ones are $-s_1, -s_2, \ldots, -s_\mu$. The numbers $a, 2a, \ldots, \frac{p-1}{2}a$ are a permutation of

$$\left\lfloor\frac{h_ia}{p}\right\rfloor p + r_i,\quad i = 1, 2, \ldots, \lambda,\qquad\text{and}\qquad \left\lfloor\frac{k_ja}{p}\right\rfloor p + (p - s_j),\quad j = 1, 2, \ldots, \mu,$$

where $h_1, \ldots, h_\lambda, k_1, \ldots, k_\mu$ are a permutation of $1, 2, \ldots, \frac{p-1}{2}$. Considering the sum of these numbers, we have

$$\begin{aligned}
a\cdot\sum_{m=1}^{\frac12(p-1)} m &= p\sum_{m=1}^{\frac12(p-1)}\left\lfloor\frac{ma}{p}\right\rfloor + \sum_{i=1}^{\lambda} r_i + \sum_{j=1}^{\mu}(p - s_j)\\
&= p\sum_{m=1}^{\frac12(p-1)}\left\lfloor\frac{ma}{p}\right\rfloor + \sum_{i=1}^{\lambda} r_i + \sum_{j=1}^{\mu} s_j + \sum_{j=1}^{\mu}(p - 2s_j)\\
&= p\sum_{m=1}^{\frac12(p-1)}\left\lfloor\frac{ma}{p}\right\rfloor + \sum_{m=1}^{\frac12(p-1)} m + \mu\cdot p - 2\sum_{j=1}^{\mu} s_j.
\end{aligned}$$

² For p ≡ q ≡ 3 mod 4, p is a quadratic residue mod q if and only if q is a quadratic nonresidue mod p.

In particular, if a is odd, then

$$\mu \equiv \sum_{m=1}^{\frac12(p-1)}\left\lfloor\frac{ma}{p}\right\rfloor \pmod 2,$$

and by Gauss' lemma, $\left(\frac{a}{p}\right) = (-1)^{\sum_{m=1}^{\frac12(p-1)}\lfloor ma/p\rfloor}$.

(2) Therefore, for distinct odd primes p and q, we have

$$\left(\frac{q}{p}\right) = (-1)^{\sum_{m=1}^{\frac12(p-1)}\lfloor mq/p\rfloor},\qquad\text{and}\qquad \left(\frac{p}{q}\right) = (-1)^{\sum_{n=1}^{\frac12(q-1)}\lfloor np/q\rfloor}.$$

[Diagram: the lattice points (m, n) with 1 ≤ m ≤ (p−1)/2 along the m-axis and 1 ≤ n ≤ (q−1)/2 along the n-axis, divided by the line L of slope q/p through (0, 0).]

(3) In the diagram above, we consider the lattice points (m, n) with $1 \le m \le \frac{p-1}{2}$ and $1 \le n \le \frac{q-1}{2}$. There are altogether $\frac{p-1}{2}\cdot\frac{q-1}{2}$ such points forming a rectangle. These points are separated by the line L of slope $\frac{q}{p}$ through the point (0, 0).

For each $m = 1, 2, \ldots, \frac{p-1}{2}$, the number of points in the vertical line through (m, 0) under L is $\left\lfloor\frac{mq}{p}\right\rfloor$. Therefore, the total number of points under L is $\sum_{m=1}^{\frac12(p-1)}\left\lfloor\frac{mq}{p}\right\rfloor$. Similarly, the total number of points on the left side of L is $\sum_{n=1}^{\frac12(q-1)}\left\lfloor\frac{np}{q}\right\rfloor$. From these, we have

$$\sum_{m=1}^{\frac12(p-1)}\left\lfloor\frac{mq}{p}\right\rfloor + \sum_{n=1}^{\frac12(q-1)}\left\lfloor\frac{np}{q}\right\rfloor = \frac{p-1}{2}\cdot\frac{q-1}{2}.$$

It follows that

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}.$$

The law of quadratic reciprocity can be recast into the following form:

$$\left(\frac{p}{q}\right) = \begin{cases} -\left(\frac{q}{p}\right), & \text{if } p \equiv q \equiv 3 \pmod 4,\\ +\left(\frac{q}{p}\right), & \text{otherwise.}\end{cases}$$

Examples

1. $\left(\frac{59}{131}\right) = -\left(\frac{131}{59}\right) = -\left(\frac{13}{59}\right) = -\left(\frac{59}{13}\right) = -\left(\frac{7}{13}\right) = -\left(\frac{13}{7}\right) = -\left(\frac{-1}{7}\right) = -(-1) = 1.$

2. $\left(\frac{34}{97}\right) = \left(\frac{2}{97}\right)\left(\frac{17}{97}\right)$. Now, $\left(\frac{2}{97}\right) = +1$ by Theorem 13.2, and

$$\left(\frac{17}{97}\right) = \left(\frac{97}{17}\right) = \left(\frac{12}{17}\right) = \left(\frac{3}{17}\right)\left(\frac{4}{17}\right) = \left(\frac{3}{17}\right) = \left(\frac{17}{3}\right) = \left(\frac{2}{3}\right) = -1.$$

3. For which primes p is 3 a quadratic residue?

$$\left(\frac{3}{p}\right) = (-1)^{\frac{p-1}{2}}\left(\frac{p}{3}\right) = (-1)^{k + \frac12(\varepsilon - 1)}\varepsilon = (-1)^k$$

provided $p = 6k + \varepsilon$, $\varepsilon = \pm 1$. This means 3 is a quadratic residue mod p if and only if k is even, i.e., $p = 12m \pm 1$.
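The three rules used in the examples above (Theorem 13.2 for a factor 2, the recast reciprocity law for an odd numerator, and multiplicativity) are enough to evaluate any Legendre symbol. The following is an added example, not code from the notes: it applies those rules and checks the result against Euler's criterion and against the count μ of Gauss' lemma. The same rules hold for the Jacobi symbol (a/n) with n odd, so the code uses that generalization and needs no factoring of a; all function names are my own.

```python
# Added example (not from the notes): the Legendre symbol (a/p) evaluated by the
# rules of Chapter 13 and checked against Euler's criterion and Gauss' lemma.
# The rules are used in their Jacobi-symbol form (a/n), n odd, which coincides
# with the Legendre symbol for prime n and needs no factorization of a.
from math import isqrt


def odd_primes_below(limit: int) -> list:
    """Odd primes below limit by trial division (small limits only; for checks)."""
    return [n for n in range(3, limit, 2)
            if all(n % d for d in range(3, isqrt(n) + 1, 2))]


def legendre_euler(a: int, p: int) -> int:
    """Euler's criterion (Theorem 12.5): a^((p-1)/2) mod p reported as 0, 1 or -1."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def gauss_lemma_mu(a: int, p: int) -> int:
    """Gauss' lemma (Theorem 13.1): mu = number of a, 2a, ..., ((p-1)/2)a whose
    residue mod p lies in p/2 < x < p; then (a/p) = (-1)^mu."""
    return sum(1 for m in range(1, (p - 1) // 2 + 1) if (m * a) % p > p // 2)


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n), n odd and positive; it is the Legendre symbol when n
    is prime.  Each step is one of the moves made in Examples 1 and 2 above."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:
            # Theorem 13.2: (2/n) = +1 iff n = +-1 (mod 8); pulling out a
            # factor 2 therefore flips the sign exactly when n = +-3 (mod 8).
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        # Recast reciprocity: (a/n) = -(n/a) when a = n = 3 (mod 4), else +(n/a).
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    # The loop ends with n = 1 when gcd(a, n) = 1; otherwise the symbol is 0.
    return result if n == 1 else 0


def three_is_residue(p: int) -> bool:
    """Example 3: for a prime p > 3, 3 is a quadratic residue iff p = 12m +- 1."""
    return p % 12 in (1, 11)


if __name__ == "__main__":
    print("(59/131) =", jacobi(59, 131), "  (34/97) =", jacobi(34, 97))
    print("(5/19) by Gauss' lemma: mu =", gauss_lemma_mu(5, 19))
    for p in odd_primes_below(200):
        for a in range(1, p):
            assert jacobi(a, p) == legendre_euler(a, p) == (-1) ** gauss_lemma_mu(a, p)
    print("reciprocity, Euler's criterion and Gauss' lemma agree below 200")
```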


Chapter 14

Calculation of square roots

14.1 Square roots modulo p

1. Let p be a prime of the form 4k + 3. If $\left(\frac{a}{p}\right) = 1$, then the square roots of a mod p are $\pm a^{\frac14(p+1)}$.

Proof. $\left(a^{\frac14(p+1)}\right)^2 \equiv a^{\frac12(p+1)} = a^{\frac12(p-1)}\cdot a = \left(\frac{a}{p}\right)a = a \pmod p$.

2. Let p be a prime of the form 8k + 5. If $\left(\frac{a}{p}\right) = 1$, then the square roots of a mod p are

• $\pm a^{\frac18(p+3)}$ if $a^{\frac14(p-1)} \equiv 1 \pmod p$,

• $\pm 2^{\frac14(p-1)}\cdot a^{\frac18(p+3)}$ if $a^{\frac14(p-1)} \equiv -1 \pmod p$.

Proof. Note that $\left(a^{\frac18(p+3)}\right)^2 \equiv a^{\frac14(p+3)} = a^{\frac14(p-1)}\cdot a \pmod p$. Since $\left(\frac{a}{p}\right) = a^{\frac12(p-1)} \equiv 1 \pmod p$, we have $a^{\frac14(p-1)} \equiv \pm 1 \pmod p$.

If $a^{\frac14(p-1)} \equiv 1 \pmod p$, then this gives $a^{\frac18(p+3)}$ as a square root of a mod p.

If $a^{\frac14(p-1)} \equiv -1 \pmod p$, then we have

$$a \equiv -\left(a^{\frac18(p+3)}\right)^2 \equiv \left(\frac{y}{p}\right)\left(a^{\frac18(p+3)}\right)^2 \equiv \left(y^{\frac14(p-1)}a^{\frac18(p+3)}\right)^2$$

for any quadratic nonresidue y mod p. Since p ≡ 5 mod 8, we may simply take y = 2.

Examples

1. Let p = 23. Clearly 2 is a quadratic residue mod 23. The square roots of 2 are $\pm 2^6 \equiv \pm 18 \equiv \mp 5 \pmod{23}$.

2. Let p = 29. Both 6 and 7 are quadratic residues mod 29.

Since $7^7 \equiv 1 \pmod{29}$, the square roots of 7 are $\pm 7^4 \equiv \pm 23 \equiv \mp 6 \pmod{29}$.

On the other hand, since $6^7 \equiv -1 \pmod{29}$, the square roots of 6 are $\pm 2^7\cdot 6^4 \equiv \pm 12\cdot 20 \equiv \pm 8 \pmod{29}$.

Proposition 14.1. Let p be an odd prime and $p - 1 = 2^\lambda u$, u odd. Consider the congruence $x^2 \equiv a \pmod p$. Let b be any quadratic nonresidue mod p. Assume that $a^u \not\equiv \pm 1 \pmod p$, and that μ > 1 is the smallest integer for which $(a^u)^{2^\mu} \equiv -1 \pmod p$.
(a) If μ = λ − 1, then the congruence has no solution.
(b) If μ ≤ λ − 2, then $a^u \equiv (b^u)^{2^{\lambda-\mu-1}k}$ for some odd number $k < 2^{\mu+1}$. The solutions of the congruence are

$$x \equiv \pm a^{\frac12(u+1)}\, b^{2^{\lambda-\mu-2}(2^{\mu+1}-k)u} \pmod p.$$

Example 14.1. Consider the congruence $x^2 \equiv 215 \pmod{257}$. Here $257 - 1 = 2^8\cdot 1$. In the notation of the above theorem, u = 1. With a = 215, the order of $a^u = 215$ modulo 257 is 128:

$$215^2 \equiv 222;\quad 215^4 \equiv 197;\quad 215^8 \equiv 2;\quad 215^{16} \equiv 4;\quad 215^{32} \equiv 16;\quad 215^{64} \equiv 256 \equiv -1.$$

This means μ = 6. Let b = 3, a quadratic nonresidue of 257. The successive powers of $b^u \equiv 3$ are, modulo 257,

$$3^2 \equiv 9;\quad 3^4 \equiv 81;\quad 3^8 \equiv 136;\quad 3^{16} \equiv 249;\quad 3^{32} \equiv 64;\quad 3^{64} \equiv 241;\quad 3^{128} \equiv 256 \equiv -1.$$

Now, $a^u = 215$ should be an odd power of $(b^u)^{2^{\lambda-\mu-1}} \equiv 3^2 \equiv 9$. In fact,

$$9^3 \equiv 729 \equiv 215 \pmod{257}.$$

This means k = 3. The solutions of the congruence are

$$x \equiv \pm 215\cdot 3^{2^0(2^7-3)} \equiv \pm 215\cdot 3^{125} \equiv \cdots \equiv \pm 230 \equiv \mp 27 \pmod{257}.$$
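Section 14.1 as a program, added here as an example and not taken from the notes: the closed forms for p ≡ 3 (mod 4) and p ≡ 5 (mod 8), and Proposition 14.1 for the remaining case, reproducing Example 14.1. The odd number k of the proposition is found by the direct search its statement suggests; this is fine for small λ (Tonelli–Shanks determines k bit by bit instead). Function names are my own; the case a^u ≡ −1, excluded in the proposition, is handled by the same formula with μ = 0 and k = 1.

```python
# Added example (not from the notes): square roots modulo an odd prime p as in
# Section 14.1 -- closed forms for p = 3 (mod 4) and p = 5 (mod 8), and
# Proposition 14.1 for p = 1 (mod 8), with p - 1 = 2^lambda u.
from typing import Optional


def euler_criterion(a: int, p: int) -> int:
    """a^((p-1)/2) mod p, reported as 0, 1 or -1 (Theorem 12.5)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def smallest_nonresidue(p: int) -> int:
    """Smallest quadratic nonresidue b mod p (b = 2 whenever p = +-3 mod 8)."""
    b = 2
    while euler_criterion(b, p) != -1:
        b += 1
    return b


def sqrt_prop_14_1(a: int, p: int) -> Optional[int]:
    """Proposition 14.1: p - 1 = 2^lam * u (u odd); mu least with (a^u)^(2^mu) = -1;
    a^u = (b^u)^(2^(lam-mu-1) k) for an odd k < 2^(mu+1); then
    x = a^((u+1)/2) * b^(2^(lam-mu-2) (2^(mu+1) - k) u).  mu = 0 (a^u = -1)
    works with k = 1; a^u = 1 needs no b at all."""
    a %= p
    if a == 0:
        return 0
    lam, u = 0, p - 1
    while u % 2 == 0:
        lam, u = lam + 1, u // 2
    au = pow(a, u, p)
    if au == 1:                      # (a^((u+1)/2))^2 = a * a^u = a
        return pow(a, (u + 1) // 2, p)
    mu, t = 0, au
    while t != p - 1:                # a^u has order 2^(mu+1)
        t = t * t % p
        mu += 1
    if mu == lam - 1:                # case (a): a is a quadratic nonresidue
        return None
    b = smallest_nonresidue(p)
    base = pow(pow(b, u, p), 2 ** (lam - mu - 1), p)   # generates the order-2^(mu+1) subgroup
    k = next(k for k in range(1, 2 ** (mu + 1), 2) if pow(base, k, p) == au)
    exponent = 2 ** (lam - mu - 2) * (2 ** (mu + 1) - k) * u
    return pow(a, (u + 1) // 2, p) * pow(b, exponent, p) % p


def sqrt_mod_prime(a: int, p: int) -> Optional[int]:
    """One square root of a mod p (the other is p - x), or None for a nonresidue."""
    a %= p
    if a == 0:
        return 0
    if euler_criterion(a, p) != 1:
        return None
    if p % 4 == 3:                               # Section 14.1, item 1
        return pow(a, (p + 1) // 4, p)
    if p % 8 == 5:                               # Section 14.1, item 2
        x = pow(a, (p + 3) // 8, p)
        if pow(a, (p - 1) // 4, p) == 1:
            return x
        return x * pow(2, (p - 1) // 4, p) % p   # y = 2 is a nonresidue here
    return sqrt_prop_14_1(a, p)                  # p = 1 (mod 8)


if __name__ == "__main__":
    print("sqrt(2) mod 23 =", sqrt_mod_prime(2, 23))                       # 18 = -5
    print("sqrt(7), sqrt(6) mod 29 =", sqrt_mod_prime(7, 29), sqrt_mod_prime(6, 29))
    print("sqrt(215) mod 257 =", sqrt_mod_prime(215, 257))                 # 230 = -27
```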


14.2 Square roots modulo an odd prime power

The quadratic congruence $x^2 \equiv 2 \pmod 7$ clearly has solutions $x \equiv \pm 3 \pmod 7$. We want to solve the congruence $x^2 \equiv 2 \pmod{7^2}$ by seeking a solution of the form $x \equiv 3 + 7b$.

$$2 \equiv (3 + 7b)^2 = 9 + (6b)\cdot 7 + b^2\cdot 7^2 \equiv 2 + (1 + 6b)\cdot 7 \pmod{7^2}.$$

Choose b so that $1 + 6b \equiv 0 \pmod 7$. This gives $b \equiv 1 \pmod 7$ and $x \equiv 10 \pmod{7^2}$.

Exercise

1. Show that 9, 16, 23, 30, 37, 44 are all squares modulo 49. (Of course, it is clear for 9 and 16.)

Answer: Square roots modulo 49:

   a    2   9  16  23  30  37  44
  √a   10   3  45  38  31  24  17

(Note that these square roots form an arithmetic progression of common difference 42 mod 49.)

2. Proceed to solve the congruences $x^2 \equiv 2 \pmod{7^3}$ and $x^2 \equiv 2 \pmod{7^4}$.

Proposition 14.2. Let p be an odd prime. Suppose $x^2 \equiv a \pmod{p^k}$ has solution $x \equiv c_k \pmod{p^k}$. Let γ be the multiplicative inverse of $2c_1 \in \mathbb{Z}_p^\bullet$. Then with

$$b_k \equiv \gamma\cdot\frac{a - c_k^2}{p^k} \pmod p,$$

we have a solution $c_{k+1} = c_k + b_kp^k \pmod{p^{k+1}}$ of $x^2 \equiv a \pmod{p^{k+1}}$.

Example 14.2. The solutions of the congruences $x^2 \equiv 12345 \pmod{7^k}$ for k ≤ 8 are as follows:

      k       1   2   3    4     5      6       7        8
  x mod 7^k   2  37  37  380  5182  89217  677462  3148091

The base 7 expansions of these solutions are $x \equiv \pm(1235521052)_7$.

14.3 Squares modulo $2^k$

Here are the squares modulo $2^k$, up to k = 7 (each row lists only the values not already listed for the smaller moduli):

$\mathbb{Z}_4$: 0, 1
$\mathbb{Z}_8$: 4
$\mathbb{Z}_{16}$: 9
$\mathbb{Z}_{32}$: 16, 17, 25
$\mathbb{Z}_{64}$: 33, 36, 41, 49, 57
$\mathbb{Z}_{128}$: 64, 65, 68, 73, 81, 89, 97, 100, 105, 113, 121

It is easy to see that the analogue of Proposition 8.2.2 is no longer true. For example, 1 is clearly a square of $\mathbb{Z}_4$; but 5 = 1 + 4 is not a square in $\mathbb{Z}_8$.

Suppose $c \in \mathbb{Z}_{2^k}$ is a square. Let h be the smallest integer such that $c = (a + 2^h)^2$ for some $a \in \mathbb{Z}_{2^{h-1}}$. Since $c = (a + 2^h)^2 = a^2 + 2^{h+1}a + 2^{2h}$, we must have $h + 1 < k$, and $h \le k - 2$.

From this, we infer that 5 is not a square, and the squares in $\mathbb{Z}_8$ are 0, 1, 4. Also, apart from these, the squares in $\mathbb{Z}_{16}$ are $4^2 = 0$, $5^2 = 9$, $6^2 = 4$, and $7^2 = 1$. This means that the squares in $\mathbb{Z}_{16}$ are 0, 1, 4 and 9.

Proposition 14.3. Let k ≥ 3. For every square $c \in \mathbb{Z}_{2^k}^\bullet$, $c + 2^k$ is a square in $\mathbb{Z}_{2^{k+1}}^\bullet$.

Proof. Clearly, if c = 1, $c + 2^k = 1 + 2^k = (1 + 2^{k-1})^2 \in \mathbb{Z}_{2^{k+1}}$. If c ≠ 1, we write $c = (a + 2^h)^2$ for $1 \le h \le k - 2$ and $a \in \mathbb{Z}_{2^{k-3}}$. Then, $(a + 2^h + 2^{k-1})^2 = c + 2^k(a + 2^h) + 2^{2k-2}$. Since a is a unit, modulo $2^{k+1}$, this is $c + 2^k$.

Corollary 14.4. A residue given in binary expansion

$$a = (a_{k-1}a_{k-2}\cdots a_1a_0)_2,$$

is a quadratic residue mod $2^k$ if and only if on the right of the rightmost digit 1 there is an even number (possibly none) of zeros, and on its left there are at least two zeros.
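Sections 14.2 and 14.3 in code, as an added example that is not part of the notes: the lifting step of Proposition 14.2 reproduces the table of Example 14.2, and the binary test of Corollary 14.4 is checked against brute force and against Proposition 14.3. Function names are my own; digits of a beyond position k−1 are treated as zeros, which is how the corollary reads for values such as 4 in Z_8.

```python
# Added example (not from the notes): square roots modulo prime powers.
# hensel_sqrt lifts a root of x^2 = a (mod p) to mod p^k as Proposition 14.2
# prescribes; is_square_mod_2k is the binary digit test of Corollary 14.4.


def hensel_sqrt(a: int, p: int, c1: int, k: int) -> list:
    """[c_1, ..., c_k] with c_j^2 = a (mod p^j), for an odd prime p not dividing a
    and a given c_1 with c_1^2 = a (mod p).  Step: b_j = gamma (a - c_j^2)/p^j mod p
    with gamma = (2 c_1)^{-1} mod p, then c_{j+1} = c_j + b_j p^j."""
    assert p % 2 == 1 and a % p != 0 and (c1 * c1 - a) % p == 0
    gamma = pow(2 * c1, -1, p)                  # modular inverse (Python 3.8+)
    roots = [c1 % p]
    for j in range(1, k):
        c, pj = roots[-1], p ** j
        b = gamma * ((a - c * c) // pj) % p     # exact division: c^2 = a (mod p^j)
        roots.append(c + b * pj)
    return roots


def to_base(n: int, p: int) -> str:
    """Base-p digits of n, most significant first (Example 14.2 reads x in base 7)."""
    digits = []
    while n:
        n, d = divmod(n, p)
        digits.append(str(d))
    return "".join(reversed(digits)) or "0"


def is_square_mod_2k(a: int, k: int) -> bool:
    """Corollary 14.4: a is a square mod 2^k iff, in binary, the rightmost 1 has an
    even number of zeros to its right and at least two zeros to its left (digits
    beyond position k-1 count as zeros).  Equivalently a = 4^e * m with m = 1 (mod 8),
    where only the bits of m that lie inside Z_{2^k} are examined."""
    a %= 2 ** k
    if a == 0:
        return True
    e = (a & -a).bit_length() - 1               # zeros right of the rightmost 1
    if e % 2:
        return False
    m = a >> e                                   # odd part; needs bits 1 and 2 clear
    return m % min(8, 2 ** (k - e)) == 1


def squares_mod_2k(k: int) -> list:
    """Brute force: sorted list of the squares in Z_{2^k}, for checking the corollary."""
    return sorted({x * x % 2 ** k for x in range(2 ** k)})


if __name__ == "__main__":
    print(hensel_sqrt(2, 7, 3, 2))                # [3, 10]: the x = 3 + 7b computation
    print(hensel_sqrt(12345, 7, 2, 8))            # the table of Example 14.2
    print(to_base(hensel_sqrt(12345, 7, 2, 8)[-1], 7))
    print([a for a in range(128) if is_square_mod_2k(a, 7)] == squares_mod_2k(7))
```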


Chapter 15

Primitive roots

Let $a \in \mathbb{Z}_n^\bullet$. By the Fermat–Euler theorem (Theorem 6.1), $a^{\varphi(n)} = 1$, there is a smallest positive integer $d := \mathrm{ord}_n(a)$ such that $a^d = 1 \in \mathbb{Z}_n^\bullet$. Such an integer, called the order of a in $\mathbb{Z}_n^\bullet$, must be a divisor of φ(n).

Example 15.1. (a) n = 13; φ(13) = 12:

       a       1   2  3  4  5   6   7  8  9  10  11  12
  ord_13(a)    1  12  3  6  4  12  12  4  3   6  12   2

In this case, there exist elements of order 12, for example, a = 2, 6. This means the first 12 powers of a are all distinct, and hence exhaust all the units of $\mathbb{Z}_{13}^\bullet$:

   n     1   2  3  4  5   6   7  8  9  10  11  12
  2^n    2   4  8  3  6  12  11  9  5  10   7   1
  6^n    6  10  8  9  2  12   7  3  5   4  11   1

In this case, the group of units $\mathbb{Z}_{13}^\bullet$ is a cyclic group, with generator a. A generator of $\mathbb{Z}_n^\bullet$ is called a primitive root for n.

(b) n = 16; φ(16) = 8:

       a       1  3  5  7  9  11  13  15
  ord_16(a)    1  4  4  2  2   4   4   2

The group $\mathbb{Z}_{16}^\bullet$ is not cyclic in this case, and there is no primitive root for 16.

Proposition 15.1. If $\mathrm{ord}_n(a) = t$, then

$$\mathrm{ord}_n(a^k) = \frac{t}{\gcd(t, k)}.$$

Exercise

1. Let p be a prime. If in $\mathbb{Z}_p^\bullet = \mathbb{Z}_p \setminus \{0\}$ there is an element of order t, then there are exactly φ(t) elements of order t.

Theorem 15.2. Let p be an odd prime.
(a) For each divisor t of p − 1, there are exactly φ(t) elements of $\mathbb{Z}_p^\bullet = \mathbb{Z}_p \setminus \{0\}$ of order t.
(b) There are exactly φ(p − 1) primitive roots for p.

Smallest primitive root g for prime p.¹

   p   g      p   g      p   g      p   g      p   g
   3   2      5   2      7*  3     11   2     13   2
  17*  3     19*  2     23*  5     29*  2     31   3
  37   2     41   6     43   3     47*  5     53   2
  59*  2     61*  2     67   2     71   7     73   5
  79   3     83   2     89   3     97*  5    101   2

Example 15.2. (a) Let p be a Sophie Germain prime, i.e., q = 2p + 1 is also prime.
(i) If p ≡ 1 (mod 4), then p + 1 is a primitive root modulo q.
(ii) If p ≡ 3 (mod 4), then p is a primitive root modulo q.

Proof. If p ≡ 1 (mod 4), 2p + 2 ≡ 1 (mod q) and

$$1 = \left(\frac{1}{q}\right) = \left(\frac{2p+2}{q}\right) = \left(\frac{2}{q}\right)\left(\frac{p+1}{q}\right).$$

Note that $\left(\frac{2}{q}\right) = -1$. From this $(p+1)^p \equiv \left(\frac{p+1}{q}\right) = -1 \pmod q$, the order of p + 1 mod q is 2p, and p + 1 is a primitive root.

Next, if p ≡ 3 (mod 4), then 2p ≡ −1 (mod q), and $\left(\frac{-1}{q}\right) = \left(\frac{2p}{q}\right)$. Again, $\left(\frac{p}{q}\right) = -1$, and p is a primitive root for q.

The beginning Sophie Germain primes:

4k + 1: 5, 29, 41, 53, 89, 113, 173, 233, ...
4k + 3: 3, 11, 23, 83, 131, 179, 191, 239, ...

Exercise

2. If p is a Fermat prime, then every quadratic nonresidue mod p is a primitive root for p.

3. If p ≡ 3 (mod 4) and $q = \frac12(p-1)$ are both primes, then −3 is a primitive root for p.

4. Let p ≡ 3 (mod 4) be a prime. If $a \in \mathbb{Z}_p^\bullet$ has order $\frac12(p-1)$, then −a is a primitive root for p.

¹ Those with asterisks are primes admitting 10 for a primitive root.

5. If p ≡ 3 (mod 8) and $q = \frac12(p-1)$ are both primes, then 2 is a primitive root for p.

6. If p ≡ 7 (mod 8) and $q = \frac12(p-1)$ are both primes, then −2 is a primitive root for p.

7. Referring to Example 8.2.7 above, how many primitive roots does 73 have? List them. What about 29?

8. For an odd prime p, a primitive root for $p^k$ is also a primitive root for p.

9. If g is a primitive root for an odd prime p and if $g^{p-1} - 1$ is divisible by $p^2$, then g is not a primitive root for $p^k$, k ≥ 2.

10. Let g be a primitive root for an odd prime p.
(a) If p ≡ 1 (mod 4), then −g is also a primitive root for p.
(b) If p ≡ 3 (mod 4), then −g has order $\frac12(p-1)$ in $\mathbb{Z}_p^\bullet$.

Artin's conjecture: If g is a nonzero integer, not a square nor −1, then there are infinitely many primes p such that g is a primitive root mod p.

Theorem 15.3. A positive integer n admits primitive roots if and only if n is 1, 2, 4, $p^a$ or $2p^a$ for an odd prime p and a ≥ 1.

15.1 Periodicity of decimal expansions of rational numbers

Let $r = \frac{a}{b}$ be a reduced fraction in which $b = 2^h5^kn$, with gcd(n, 10) = 1. If l = max(h, k), then the decimal expansion of r is periodic after l terms, and the length of the period is the order of 10 in the group of units $\mathbb{Z}_n^\bullet$. In particular, if p is a prime admitting 10 as a primitive root, then the decimal expansion of $\frac{1}{p}$ is periodic with period p − 1. For example,

$$\frac{1}{17} = 0.\overline{0588235294117647};\qquad \frac{1}{19} = 0.\overline{052631578947368421};$$

$$\frac{1}{23} = 0.\overline{0434782608695652173913};\qquad \frac{1}{29} = 0.\overline{0344827586206896551724137931}.$$

Example 15.3. The prime 31 does not admit 10 as a primitive root. To find the period of $\frac{1}{31}$, we determine the order of 10 in $\mathbb{Z}_{31}$. Now, 3 is a primitive root of 31, and $3^{14} = 10$. By Theorem 15.3, $\mathrm{ord}_{31}(10) = 15$.

$$\frac{1}{31} = 0.\overline{032258064516129}.$$
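The three threads of this chapter (orders of units, primitive roots, and the period of 1/n as ord_n(10)) in one added example, not code from the notes: it reproduces Example 15.1, the table of smallest primitive roots, Example 15.2 for the Sophie Germain primes listed above, and Example 15.3. Function names are my own; everything is brute force and meant for small n only.

```python
# Added example (not from the notes): orders of units, primitive roots and the
# decimal period of 1/n (Chapter 15).  order_mod searches the divisors of phi(n);
# primitive_roots returns all generators of Z_n^*, empty when there is none
# (Theorem 15.3); decimal_period returns the repeating block of 1/n, whose
# length is ord_n(10) (Section 15.1).
from math import gcd


def phi(n: int) -> int:
    """Euler's totient, by counting units."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def order_mod(a: int, n: int) -> int:
    """ord_n(a): the least d >= 1 with a^d = 1 (mod n); a must be a unit."""
    assert gcd(a, n) == 1
    ph = phi(n)
    return next(d for d in range(1, ph + 1) if ph % d == 0 and pow(a, d, n) == 1)


def primitive_roots(n: int) -> list:
    """Units of order phi(n); empty iff Z_n^* is not cyclic (e.g. n = 16)."""
    ph = phi(n)
    return [a for a in range(1, n + 1) if gcd(a, n) == 1 and order_mod(a, n) == ph]


def decimal_period(n: int) -> str:
    """Repeating block of the decimal expansion of 1/n, for gcd(n, 10) = 1 and
    n > 1, by long division; the block closes when the remainder returns to 1."""
    assert n > 1 and gcd(n, 10) == 1
    digits, r = [], 1
    while True:
        r *= 10
        digits.append(str(r // n))
        r %= n
        if r == 1:
            return "".join(digits)


def sophie_germain_root(p: int) -> int:
    """Example 15.2: for a Sophie Germain prime p (q = 2p + 1 prime), p + 1 is a
    primitive root mod q when p = 1 (mod 4), and p itself is one when p = 3 (mod 4)."""
    return p + 1 if p % 4 == 1 else p


if __name__ == "__main__":
    print([order_mod(a, 13) for a in range(1, 13)])      # Example 15.1 (a)
    print(primitive_roots(13), primitive_roots(16))       # [2, 6, 7, 11], []
    print(order_mod(10, 31), decimal_period(31))          # 15, '032258064516129'
```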


Chapter 16

Sums of two and four squares

16.1 Fermat’s two-square theorem

Theorem 16.1. Let p be an odd prime. p is a sum of two squares if and only if p ≡ 1 (mod 4). In this case, the expression is unique.

Proof. (Euler) Since p ≡ 1 (mod 4), the equation $x^2 + y^2 = mp$ is solvable in integers for some m. We want to show that the smallest possible value of m is 1. Note that we may choose $|x|, |y| < \frac{p}{2}$ so that $m < \frac{p}{2}$. If m ≠ 1, it cannot divide both of x and y, for otherwise $m^2 \mid x^2 + y^2 = mp$ and $m \mid p$, contrary to $m < \frac{p}{2}$.

Now choose integers a and b such that $x_1 = x - am$ and $y_1 = y - bm$ satisfy $|x_1|, |y_1| \le \frac{m}{2}$. Note that $x_1$ and $y_1$ cannot be both zero, and

$$0 < x_1^2 + y_1^2 \le \frac{m^2}{2}.$$

It follows that $x_1^2 + y_1^2 = m'm$ for some $m' \le \frac{m}{2} < m$. Now,

$$m^2m'p = (x^2 + y^2)(x_1^2 + y_1^2) = (xx_1 + yy_1)^2 + (xy_1 - yx_1)^2,$$

and

$$\begin{aligned}
xx_1 + yy_1 &= x(x - am) + y(y - bm) = (x^2 + y^2) - (ax + by)m = mX,\\
xy_1 - yx_1 &= x(y - bm) - y(x - am) = m(-bx + ay) = mY
\end{aligned}$$

for some X and Y. From this it follows that

$$X^2 + Y^2 = m'p$$

with m' < m. By descent, we finally reach an equation $x^2 + y^2 = p$.

Uniqueness: If $p = a^2 + b^2 = x^2 + y^2$, where a < b and x < y are all positive, then

$$p^2 = (a^2 + b^2)(x^2 + y^2) = (ax + by)^2 + (ay - bx)^2 = (ax - by)^2 + (ay + bx)^2.$$

Note that

$$(ax + by)(ay + bx) = ab(x^2 + y^2) + (a^2 + b^2)xy = p(ab + xy).$$

This means that one of ax + by and ay + bx is divisible by p. Since $ax + by, ay + bx \le p$, we must have $ay - bx = 0$ or $ax - by = 0$. In other words, $\frac{x}{y} = \frac{a}{b}$ or $\frac{b}{a}$. Indeed, $\frac{x}{y} = \frac{a}{b}$. It follows that we must have x = a and y = b.

16.2 Representation of integers as sums of two squares

We say that a representation n = x2 + y2 is primitive if gcd(x, y) = 1.

Lemma 16.2. If n has a prime divisor q ≡ 3 (mod 4), then it does not have a primitive representation.

Proof. Suppose to the contrary that $n = x^2 + y^2$ is a primitive representation. Since q divides n, it does not divide any of x and y. In the field $\mathbb{Z}_q$, we write y = ax for some a. This means that $0 = x^2 + y^2 = x^2(1 + a^2)$. Since x ≠ 0, we have $a^2 = -1$ in $\mathbb{Z}_q$, q ≡ 3 mod 4, a contradiction.

Theorem 16.3. Let

$$n = 2^a\prod_i p_i^{b_i}\prod_j q_j^{c_j}$$

be the prime factorization of n in which the p's and q's are respectively primes of the form 4k + 1 and 4k + 3. The number n is expressible as a sum of two squares if and only if each of the exponents $c_j$ is even.

Proof. (Sufficiency) Since $2 = 1^2 + 1^2$, and every $p_i$ is a sum of two squares, if every $c_j$ is even, by repeatedly using the composition formula

$$(a^2 + b^2)(x^2 + y^2) = (ax + by)^2 + (ay - bx)^2$$

we easily obtain n as a sum of two squares.

(Necessity) Let n be divisible by a prime q ≡ 3 (mod 4), with highest power $q^c$, c odd. Consider a representation $n = x^2 + y^2$, with gcd(x, y) = d > 1. Let $q^{c'}$ be the highest power of q dividing d. (Possibly, c' = 0.) Write x = dX, y = dY. Then gcd(X, Y) = 1. Let $N = X^2 + Y^2$. The highest power of q dividing N is $q^{c - 2c'}$. This is positive since c is odd, contradicting Lemma 16.2 above.

16.3 Lagrange’s four-square theorem

Theorem 16.4. Every positive integer can be represented as a sum of four squares of nonnegative integers.

Lemma 16.5 (4-square identity).

$$(x_1^2 + x_2^2 + x_3^2 + x_4^2)(y_1^2 + y_2^2 + y_3^2 + y_4^2) = z_1^2 + z_2^2 + z_3^2 + z_4^2,$$

where

$$\begin{aligned}
z_1 &= x_1y_1 + x_2y_2 + x_3y_3 + x_4y_4,\\
z_2 &= x_1y_2 - x_2y_1 + x_3y_4 - x_4y_3,\\
z_3 &= x_1y_3 - x_2y_4 - x_3y_1 + x_4y_2,\\
z_4 &= x_1y_4 + x_2y_3 - x_3y_2 - x_4y_1.
\end{aligned}$$

Therefore it is enough to prove Lagrange’s theorem for prime numbers.

Lemma 16.6. Let p be a prime number. There are integers x and y such that $x^2 + y^2 + 1 \equiv 0 \pmod p$.

Proof. The set $S := \{x^2 \in \mathbb{Z}_p : x \in \mathbb{Z}\}$ has exactly $\frac{p+1}{2}$ elements; so does the set $T := \{-(x^2 + 1) \in \mathbb{Z}_p : x \in \mathbb{Z}\}$. Now,

$$|S \cap T| = |S| + |T| - |S \cup T| \ge \frac{p+1}{2} + \frac{p+1}{2} - p = 1.$$

Therefore, there are integers x and y satisfying $x^2 \equiv -(y^2 + 1) \pmod p$, i.e., $x^2 + y^2 + 1 \equiv 0 \pmod p$.

16.3.1 Descent

Let p be a prime number. There are integers x and y such that $x^2 + y^2 + 1$ is divisible by p. We write this in the form $x_1^2 + x_2^2 + x_3^2 + x_4^2 = kp$ for some integer k. Clearly, we may assume $|x_1|, |x_2|, |x_3|, |x_4| \le \frac{p-1}{2} < \frac{p}{2}$. This means $kp < 4\cdot\left(\frac{p}{2}\right)^2 = p^2$ and k < p. If k ≠ 1, we shall show that $x_1, x_2, x_3, x_4$ can be replaced by another quadruple with a smaller k. Then, by descent, we shall ultimately reach k = 1.

Suppose k is even. We may assume $x_1 \equiv x_2 \pmod 2$ and $x_3 \equiv x_4 \pmod 2$. Then

$$\left(\frac{x_1 + x_2}{2}\right)^2 + \left(\frac{x_1 - x_2}{2}\right)^2 + \left(\frac{x_3 + x_4}{2}\right)^2 + \left(\frac{x_3 - x_4}{2}\right)^2 = \frac{x_1^2 + x_2^2 + x_3^2 + x_4^2}{2} = \frac{k}{2}\cdot p$$

with a smaller multiplier for p.

Suppose k is odd. For i = 1, 2, 3, 4, choose $y_i \equiv x_i$ with $|y_i| < \frac{k}{2}$. Note that $y_1^2 + y_2^2 + y_3^2 + y_4^2 \equiv x_1^2 + x_2^2 + x_3^2 + x_4^2 \pmod k$. Write $y_1^2 + y_2^2 + y_3^2 + y_4^2 = kq$ for some q < k. Note that q must be nonzero.

Apply the four-square identity to the two quadruples $x_i$ and $y_i$. The left hand side is $(kp)(kq) = k^2pq$. On the right hand side, $z_2, z_3, z_4$ are clearly divisible by k; so is $z_1$ because $z_1 = x_1y_1 + x_2y_2 + x_3y_3 + x_4y_4 \equiv x_1^2 + x_2^2 + x_3^2 + x_4^2 \equiv 0 \pmod k$. Writing $z_i = kw_i$ for i = 1, 2, 3, 4, we have, from the 4-square identity, $w_1^2 + w_2^2 + w_3^2 + w_4^2 = qp$ for q < k.


Chapter 17

Finite continued fractions

17.1 Euler’s function F for finite continued fractions

Every rational number $\frac{a}{b}$ can be written as a finite continued fraction in the form

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{\ddots + \cfrac{1}{q_n}}}},$$

where $q_1, q_2, \ldots, q_n$ are the quotients in the Euclidean algorithm sequence for (a, b): putting $r_0 = a$, $r_1 = b$, we define $q_k$ and $r_k$ for k = 1, ..., n by

$$\begin{aligned}
r_0 &= r_1q_1 + r_2,\\
r_1 &= r_2q_2 + r_3,\\
&\ \,\vdots\\
r_{n-2} &= r_{n-1}q_{n-1} + r_n,\\
r_{n-1} &= r_nq_n.
\end{aligned}$$

Here, $q_k = \left\lfloor\frac{r_{k-1}}{r_k}\right\rfloor$, and

$$r_1 > r_2 > r_3 > \cdots > r_n > 0.$$

The number $r_n$ is the gcd of a and b. If we assume the rational number given in its lowest terms, then $r_n = 1$.

We shall write the continued fraction above simply as $[q_1, q_2, \ldots, q_n]$. Now, it is easy to compute the following.

$$\begin{aligned}
[q_1] &= \frac{q_1}{1},\\
[q_1, q_2] &= \frac{q_1q_2 + 1}{q_2},\\
[q_1, q_2, q_3] &= \frac{q_1q_2q_3 + q_1 + q_3}{q_2q_3 + 1},\\
[q_1, q_2, q_3, q_4] &= \frac{q_1q_2q_3q_4 + q_1q_2 + q_1q_4 + q_2q_3 + 1}{q_2q_3q_4 + q_2 + q_4},\\
&\ \,\vdots
\end{aligned}$$

Euler has given a very elegant procedure of computing finite continued fractions:

$$[q_1, q_2, \ldots, q_k] = \frac{F(q_1, q_2, \ldots, q_k)}{F(q_2, \ldots, q_k)},$$

where F is the function obtained in the following way: $F(q_1, q_2, \ldots, q_k)$ is the sum of $q_1q_2\cdots q_k$ and all products obtained by deleting pairs of consecutive factors, with the stipulation that if k is even, deleting all consecutive pairs leads to the empty product 1.

Note that

$$F(q_1, q_2, \ldots, q_k) = F(q_k, \ldots, q_2, q_1);\qquad F(q_1, q_2, \ldots, q_{k+1}) = F(q_1, q_2, \ldots, q_{k-1}) + q_{k+1}F(q_1, q_2, \ldots, q_k).$$

In the euclidean algorithm sequence,

$$r_k = F(q_{k+1}, q_{k+2}, \ldots, q_n),$$

for k = 0, 1, 2, ..., n.

17.2 Cornacchia’ algorithm for a prime as a sum oftwo squares

Like the sequence rk, we use the same recurrence relations to generate two se-quences sk and tk, using the same qk but with different initial values

(iv) s0 = 1, s1 = 0;(v) t0 = 0, t1 = 1.It is clear that rk = ask + btk for each k.

Proposition 17.1. (1) rk = ask + btk for every k. In particular, btk ≡ rk (mod a).(2) The sequences (sk) and (tk) are alternating in sign. More precisely,

sk = (−1)k|sk| and tk = (−1)k+1|tk|,

for k = 0, 1, 2, . . . , n+ 1.

(3) The sequences $(|s_k|)$ and $(|t_k|)$ satisfy

$$|s_{k+1}| = |s_{k-1}| + q_k|s_k|,\qquad |t_{k+1}| = |t_{k-1}| + q_k|t_k|.$$

(4) The sequence $(|t_k|)$ is increasing. Consequently, the reversal of $(|t_k|)$ is a euclidean algorithm sequence.

Theorem 17.2 (Cornacchia). Let p ≡ 1 (mod 4) be a prime, and q the "smaller positive square root" of −1 mod p. If x and y are the first two remainders smaller than √p in the euclidean algorithm sequence of (p, q), then $p = x^2 + y^2$.

Proof. In the euclidean algorithm table for the pair (a, b) = (p, q) (ending in n divisions), we make the following observations.
(1) n is even.
(2) The sequence $(|t_k|)$ is the reversal of $(r_k)$; i.e., $|t_k| = r_{n+1-k}$ for every k ≤ n.
(3) The sequence $(q_k)$ is palindromic; i.e., $q_{n+1-k} = q_k$ for every k ≤ n.
(4) $r_k^2 + t_k^2$ is divisible by p for every k.
(5) Let n = 2m. In the sequence $(r_k)$, $r_m$ is the first term smaller than √p.

Clearly, $|t_{n+1}| = p$. Since $r_n = 1$, we have $qt_n \equiv 1 \pmod p$, and $t_n \equiv -q \pmod p$. It follows that $t_n = -q$ or $p - q$. The reversal of $(|t_k|)$ is a euclidean algorithm sequence ending in exactly n divisions (as the sequence $(r_k)$). If $|t_n| = p - q$, the sequence of division would be

$$p,\ p - q,\ q,\ \ldots$$

which would be longer than the division sequence of (p, q), a contradiction. Thus,
(1) n is even, and
(2) the reversal of sequence $(|t_k|)$ is the euclidean algorithm sequence of (p, q), which is exactly the sequence $(r_k)$.
(3) is an immediate consequence of (2).
(4) follows from $qt_k \equiv r_k \pmod p$. Squaring, we have $r_k^2 \equiv q^2t_k^2 \equiv -t_k^2 \pmod p$, and $r_k^2 + t_k^2 \equiv 0 \pmod p$.
(5) Write n = 2m. Note that $r_m = F(q_{m+1}, q_{m+2}, \ldots, q_{2m})$, and $p = r_0 = F(q_1, q_2, \ldots, q_{2m})$. Now,

$$\begin{aligned}
r_m^2 &= r_m\cdot r_m = F(q_{m+1}, q_{m+2}, \ldots, q_{2m})F(q_{m+1}, q_{m+2}, \ldots, q_{2m})\\
&= F(q_m, q_{m-1}, \ldots, q_1)F(q_{m+1}, q_{m+2}, \ldots, q_{2m})\\
&= F(q_1, q_2, \ldots, q_m)F(q_{m+1}, q_{m+2}, \ldots, q_{2m}).
\end{aligned}$$

It is clear that each term in the product is contained in $F(q_1, q_2, \ldots, q_{2m})$. This shows that $r_m^2 < p$. On the other hand,

$$\begin{aligned}
r_{m-1}^2 &= r_{m-1}\cdot r_{m-1} = F(q_m, q_{m+1}, q_{m+2}, \ldots, q_{2m})F(q_m, q_{m+1}, q_{m+2}, \ldots, q_{2m})\\
&= F(q_{m+1}, q_m, q_{m-1}, \ldots, q_1)F(q_m, q_{m+1}, q_{m+2}, \ldots, q_{2m})\\
&= F(q_1, q_2, \ldots, q_m, q_{m+1})F(q_m, q_{m+1}, q_{m+2}, \ldots, q_{2m}).
\end{aligned}$$

Every product in $F(q_1, q_2, \ldots, q_{2m})$ is contained in this product. This shows that $r_{m-1}^2 > p$.

Now, since $r_m^2 + r_{m+1}^2 = r_m^2 + t_{n-m}^2 = r_m^2 + t_m^2$ is divisible by p, and $r_{m+1} < r_m < \sqrt p$, the sum $r_m^2 + r_{m+1}^2$ being positive and smaller than 2p, must be p.


Chapter 18

Infinite continued fractions

Associated with an infinite continued fraction $[q_0, q_1, q_2, q_3, \ldots, q_n, \ldots]$ is a sequence of convergents which are finite continued fractions:

$$\frac{P_k}{Q_k} = [q_0, q_1, \ldots, q_k].$$

The numerators $P_k$ and denominators $Q_k$ can be determined recursively as follows.

$$\begin{aligned}
P_k &= P_{k-2} + q_kP_{k-1}, & P_{-2} &= 0, & P_{-1} &= 1,\\
Q_k &= Q_{k-2} + q_kQ_{k-1}, & Q_{-2} &= 1, & Q_{-1} &= 0.
\end{aligned}$$

Example 18.1. 1. The successive convergents of the continued fraction [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] are computed easily using these relations.

   k    −2  −1   0   1   2   3    4     5     6      7       8        9
  q_k            1   2   3   4    5     6     7      8       9       10
  P_k    0   1   1   3  10  43  225  1393  9976  81201  740785  7489051
  Q_k    1   0   1   2   7  30  157   972  6961  56660  516901  5225670

2. Here are the convergents of the continued fraction [1, 2, 1, 3, 1, 4, 1, 5, 1, 6] and their differences:

  convergents:  1,  3/2,  4/3,  15/11,  19/14,  91/67,  110/81,  641/472,  751/553,  5147/3790
  differences:  1/2,  −1/6,  1/33,  −1/154,  1/938,  −1/5427,  1/38232,  −1/261016,  1/2095870

Note that the numerators of the differences are all ±1.

Lemma 18.1. $\dfrac{P_k}{Q_k} - \dfrac{P_{k-1}}{Q_{k-1}} = \dfrac{(-1)^{k-1}}{Q_{k-1}Q_k}$.

Proof. Write $\frac{P_k}{Q_k} - \frac{P_{k-1}}{Q_{k-1}} = \frac{N_k}{Q_{k-1}Q_k}$. We have

$$\begin{aligned}
N_k &= P_kQ_{k-1} - Q_kP_{k-1}\\
&= (P_{k-2} + q_kP_{k-1})Q_{k-1} - (Q_{k-2} + q_kQ_{k-1})P_{k-1}\\
&= -(P_{k-1}Q_{k-2} - Q_{k-1}P_{k-2}) = -N_{k-1}.
\end{aligned}$$

Since $N_1 = 1$, we have by easy induction $N_k = (-1)^{k-1}N_1 = (-1)^{k-1}$, and the result follows.

Theorem 18.2. Let q0, q1, . . . , qn, . . . be an infinite sequence of positive integers,q0 possibly zero. The infinite continued fraction

a := [q0, q1, q2, . . . , qn, . . . ]

is always well defined, i.e., limn→∞[q0, q1, . . . , qn] exists. This limit is always anirrational number.

Proof. For each $n \ge 0$, let $a_n$ be the $n$-th convergent $\dfrac{P_n}{Q_n}$. By the above lemma, $a_k - a_{k-1} = \dfrac{(-1)^{k-1}}{Q_{k-1}Q_k}$, so

$$a_{n+2} - a_n = (a_{n+2} - a_{n+1}) + (a_{n+1} - a_n) = \frac{(-1)^{n+1}}{Q_{n+1}Q_{n+2}} + \frac{(-1)^n}{Q_nQ_{n+1}} = \frac{(-1)^n(Q_{n+2} - Q_n)}{Q_nQ_{n+1}Q_{n+2}}.$$

Note that $(Q_n)$ is an increasing sequence of positive integers (this is clear from the recurrence relation for $Q_n$). It follows that $a_0, a_2, a_4, \ldots$ is an increasing sequence, and $a_1, a_3, a_5, \ldots$ is a decreasing sequence. Furthermore, each $a_{2h+1}$ is greater than every $a_{2k}$:

$$a_0 < a_2 < a_4 < \cdots < a_{2k} < \cdots\cdots < a_{2h+1} < \cdots < a_5 < a_3 < a_1.$$

It follows that the subsequences $(a_{2n})$ and $(a_{2n+1})$ are convergent; indeed, they converge to a common limit since

$$\lim_{n\to\infty} a_{2n+1} - \lim_{n\to\infty} a_{2n} = \lim_{n\to\infty}(a_{2n+1} - a_{2n}) = \lim_{n\to\infty}\frac{1}{Q_{2n}Q_{2n+1}} = 0,$$

because the sequence $(Q_n)$ of positive integers is strictly increasing. The common limit $a$ of these two subsequences is the infinite continued fraction $[q_0, q_1, \ldots, q_n, \ldots]$. This number $a$ is irrational since its continued fraction expansion is not finite.

Let $\zeta$ be a real, irrational number. The continued fraction expansion of $\zeta$ can be found recursively as follows.

$$\zeta_0 = \zeta, \quad q_0 = [\zeta_0]; \qquad \zeta_{n+1} = \frac{1}{\zeta_n - [\zeta_n]}, \quad q_{n+1} = [\zeta_{n+1}].$$

Then, $\zeta = [q_0, q_1, q_2, \ldots, q_n, \ldots]$.


Theorem 18.3 (Lagrange). Let $d$ be a nonsquare integer. The continued fraction expansion of a quadratic irrationality of the form $a + b\sqrt{d}$, $a, b \in \mathbb{Q}$, is eventually periodic; i.e., there exist $k$ and $l$ such that in the expansion

$$a + b\sqrt{d} = [q_0, q_1, \ldots, q_n, \ldots],$$

$$q_{k+nl+i} = q_{k+i} \quad \text{for } n \ge 0,\ 0 \le i < l.$$

Theorem 18.4. Let $d$ be a rational number which is not a square. The continued fraction expansion of $\sqrt{d}$ is of the form

$$\sqrt{d} = [q_0, \overline{q_1, q_2, \ldots, q_2, q_1, 2q_0}],$$

where $q_0 = [\sqrt{d}]$.

Example 18.2. 1. Continued fraction expansions of $\sqrt{d}$, $d < 50$. Those with asterisks have periods of odd lengths.

$\sqrt{2}^{*} = [1, \overline{2}]$;   $\sqrt{27} = [5, \overline{5, 10}]$;
$\sqrt{3} = [1, \overline{1, 2}]$;   $\sqrt{28} = [5, \overline{3, 2, 3, 10}]$;
$\sqrt{5}^{*} = [2, \overline{4}]$;   $\sqrt{29}^{*} = [5, \overline{2, 1, 1, 2, 10}]$;
$\sqrt{6} = [2, \overline{2, 4}]$;   $\sqrt{30} = [5, \overline{2, 10}]$;
$\sqrt{7} = [2, \overline{1, 1, 1, 4}]$;   $\sqrt{31} = [5, \overline{1, 1, 3, 5, 3, 1, 1, 10}]$;
$\sqrt{8} = [2, \overline{1, 4}]$;   $\sqrt{32} = [5, \overline{1, 1, 1, 10}]$;
$\sqrt{10}^{*} = [3, \overline{6}]$;   $\sqrt{33} = [5, \overline{1, 2, 1, 10}]$;
$\sqrt{11} = [3, \overline{3, 6}]$;   $\sqrt{34} = [5, \overline{1, 4, 1, 10}]$;
$\sqrt{12} = [3, \overline{2, 6}]$;   $\sqrt{35} = [5, \overline{1, 10}]$;
$\sqrt{13}^{*} = [3, \overline{1, 1, 1, 1, 6}]$;   $\sqrt{37}^{*} = [6, \overline{12}]$;
$\sqrt{14} = [3, \overline{1, 2, 1, 6}]$;   $\sqrt{38} = [6, \overline{6, 12}]$;
$\sqrt{15} = [3, \overline{1, 6}]$;   $\sqrt{39} = [6, \overline{4, 12}]$;
$\sqrt{17}^{*} = [4, \overline{8}]$;   $\sqrt{40} = [6, \overline{3, 12}]$;
$\sqrt{18} = [4, \overline{4, 8}]$;   $\sqrt{41}^{*} = [6, \overline{2, 2, 12}]$;
$\sqrt{19} = [4, \overline{2, 1, 3, 1, 2, 8}]$;   $\sqrt{42} = [6, \overline{2, 12}]$;
$\sqrt{20} = [4, \overline{2, 8}]$;   $\sqrt{43} = [6, \overline{1, 1, 3, 1, 5, 1, 3, 1, 1, 12}]$;
$\sqrt{21} = [4, \overline{1, 1, 2, 1, 1, 8}]$;   $\sqrt{44} = [6, \overline{1, 1, 1, 2, 1, 1, 1, 12}]$;
$\sqrt{22} = [4, \overline{1, 2, 4, 2, 1, 8}]$;   $\sqrt{45} = [6, \overline{1, 2, 2, 2, 1, 12}]$;
$\sqrt{23} = [4, \overline{1, 3, 1, 8}]$;   $\sqrt{46} = [6, \overline{1, 3, 1, 1, 2, 6, 2, 1, 1, 3, 1, 12}]$;
$\sqrt{24} = [4, \overline{1, 8}]$;   $\sqrt{47} = [6, \overline{1, 5, 1, 12}]$;
$\sqrt{26}^{*} = [5, \overline{10}]$;   $\sqrt{48} = [6, \overline{1, 12}]$.

2. Some simple patterns:

$$\sqrt{a^2 + 1} = [a, \overline{2a}]; \quad \sqrt{a^2 - 1} = [a - 1, \overline{1, 2a - 2}]; \quad \sqrt{a^2 + a} = [a, \overline{2, 2a}];$$
$$\sqrt{a^2 + 2} = [a, \overline{a, 2a}]; \quad \sqrt{a^2 - 2} = [a - 1, \overline{1, a - 2, 1, 2a - 2}].$$


Chapter 19

Lagrange’s Theorem

19.1 Purely periodic continued fractions

Let $\zeta$ be represented by a purely periodic continued fraction:

$$\zeta = [\overline{q_0, q_1, \ldots, q_k}].$$

This means $\zeta = [q_0, q_1, \ldots, q_k, \zeta]$. Let $\dfrac{P_{k-1}}{Q_{k-1}}$ and $\dfrac{P_k}{Q_k}$ be the last two convergents of the finite continued fraction $[q_0, q_1, \ldots, q_k]$. Then,

$$\zeta = \frac{P_{k-1} + \zeta P_k}{Q_{k-1} + \zeta Q_k}.$$

From this, we see that $\zeta$ is a root of the quadratic equation

$$Q_kx^2 - (P_k - Q_{k-1})x - P_{k-1} = 0.$$

Since the product of the two roots of this equation, being $-\dfrac{P_{k-1}}{Q_k}$, is negative, exactly one of them is positive. This must be the number $\zeta$, and it is clear that this is a number of the form $a + b\sqrt{d}$, $a, b \in \mathbb{Q}$. Here, $d$ cannot be a square, for otherwise the number $\zeta$ would have been rational.

19.2 Eventually periodic continued fractions

It follows that a number with eventually periodic continued fraction expansion is also a quadratic irrationality. Consider

$$\mu = [p_0, p_1, \ldots, p_h, \overline{q_1, \ldots, q_k}].$$

Let $\zeta$ be the irrational number with purely periodic continued fraction expansion $[\overline{q_1, \ldots, q_k}]$. This is of the form $a + b\sqrt{d}$ according to §19.1. If $h = 0$, then

$$\mu = [p_0, \zeta] = p_0 + \frac{1}{\zeta}$$

is clearly of the form $a' + b'\sqrt{d}$, $a', b' \in \mathbb{Q}$. If $h \ge 1$, let $\dfrac{P'}{Q'}$ and $\dfrac{P}{Q}$ be the last two convergents of the continued fraction $[p_0, \ldots, p_h]$. Then

$$\mu = [p_0, \ldots, p_h, \zeta] = \frac{P' + \zeta P}{Q' + \zeta Q}.$$

This also is of the form $a' + b'\sqrt{d}$, $a', b' \in \mathbb{Q}$.

We have therefore proved the easier half of Lagrange's theorem: every eventually periodic continued fraction represents a quadratic irrationality. The proof of the converse is more difficult, and requires a more detailed analysis of numbers with purely periodic continued fraction expansions.

19.3 Reduced quadratic irrationalities

Let $\zeta = [\overline{q_0, q_1, \ldots, q_k}]$. It is the positive root of the quadratic equation

$$x = [q_0, q_1, \ldots, q_k, x].$$

Note that $q_0 - x = \dfrac{-1}{[q_1, \ldots, q_k, x]}$, and this can be rewritten as

$$\left[q_0, \frac{-1}{x}\right] = \frac{-1}{[q_1, \ldots, q_k, x]}.$$

Continuing, we obtain

$$\left[q_k, q_{k-1}, \ldots, q_1, q_0, \frac{-1}{x}\right] = \frac{-1}{x}.$$

This means $\zeta$ is the positive root of $x = [q_0, q_1, \ldots, q_k, x]$ if and only if $-\dfrac{1}{\bar\zeta}$ is the positive root of $y = [q_k, q_{k-1}, \ldots, q_0, y]$. Consequently, it follows that every equation of the form $x = [q_0, \ldots, q_k, x]$ has exactly one positive root $\zeta > 1$, and one negative root between $-1$ and $0$. This negative root is necessarily the conjugate $\bar\zeta$. We shall say that a quadratic irrationality $\zeta$ is reduced if it satisfies the condition

$$\zeta > 1 > 0 > \bar\zeta > -1.$$

We may paraphrase the conclusion by saying that a purely periodic continued fraction represents a reduced quadratic irrationality.

19.4 Proof of Lagrange’s theorem

Consider now a general quadratic irrationality of the form

$$\zeta = \frac{P + \sqrt{d}}{Q},$$

where $P$, $Q$ and $d$ are integers. By replacing $P$, $Q$ and $d$ by suitable integer multiples, we may assume that $\dfrac{d - P^2}{Q}$ is an integer, and we shall work with this assumption, and write $d = P^2 + QQ'$ for an integer $Q'$.

Lemma 19.1. If the quadratic irrationality $\zeta = \dfrac{P + \sqrt{d}}{Q}$ is reduced, then the integers $P$ and $Q$ are positive, and

$$P < [\sqrt{d}], \qquad Q < P + \sqrt{d} < [2\sqrt{d}].$$

Now, let $\zeta = \dfrac{P + \sqrt{d}}{Q}$ be a quadratic irrationality with $d - P^2 = QQ'$ for some integer $Q'$. For every integer $m$,

$$\frac{1}{\zeta - m} = \frac{Q}{P - mQ + \sqrt{d}} = \frac{Q(-P + mQ + \sqrt{d})}{d - (P - mQ)^2} = \frac{-P + mQ + \sqrt{d}}{\frac{1}{Q}\left[d - (P - mQ)^2\right]} = \frac{-P + mQ + \sqrt{d}}{Q' + 2mP - m^2Q}.$$

Note that in this expression,

$$d - (-P + mQ)^2 = (d - P^2) + 2mPQ - m^2Q^2 = Q(Q' + 2mP - m^2Q).$$

It follows that we can obtain the continued fraction expansion of $\zeta$ by working out

$$P_0 = P, \quad Q_0 = Q, \quad Q_{-1} = Q',$$
$$\zeta_k = \frac{P_k + \sqrt{d}}{Q_k}, \quad q_k = [\zeta_k],$$
$$P_{k+1} = -P_k + q_kQ_k,$$
$$Q_{k+1} = Q_{k-1} + 2q_kP_k - q_k^2Q_k = \frac{d - P_{k+1}^2}{Q_k}.$$

Note that $\zeta = [q_0, \ldots, q_{n-1}, \zeta_n]$. In particular, writing $\dfrac{P_n}{Q_n}$ for the convergents of $\zeta$ (not the integers $P_n$, $Q_n$ of the recurrence just above),

$$\zeta = \frac{P_{n-2} + \zeta_nP_{n-1}}{Q_{n-2} + \zeta_nQ_{n-1}}.$$

Consider the conjugate

$$\bar\zeta = \frac{P_{n-2} + \bar\zeta_nP_{n-1}}{Q_{n-2} + \bar\zeta_nQ_{n-1}}.$$

From this,

$$\bar\zeta_n = -\frac{Q_{n-2}\bar\zeta - P_{n-2}}{Q_{n-1}\bar\zeta - P_{n-1}} = -\frac{Q_{n-2}}{Q_{n-1}} \cdot \frac{\bar\zeta - \frac{P_{n-2}}{Q_{n-2}}}{\bar\zeta - \frac{P_{n-1}}{Q_{n-1}}}.$$

Since the sequence $\dfrac{P_n}{Q_n}$ converges to $\zeta$, we can choose $N$ large enough so that $\bar\zeta_N$ lies between $-1$ and $0$. In other words, $\zeta_N$ is reduced.


It follows as a consequence of this observation that in the construction of the continued fraction expansion of $\zeta$ above, all $\zeta_n$, $n \ge N$, are reduced. By Lemma 19.1, we have

$$0 < P_n < \sqrt{d}, \qquad 0 < Q_n < 2\sqrt{d}, \qquad \text{for every } n \ge N.$$

There must exist distinct integers $h, k \ge N$ such that

$$P_h = P_k, \qquad Q_h = Q_k.$$

If we choose $h$ and $k = h + r$ to be the smallest possible integers for which these hold, then for every integer $t \ge 0$ and $0 \le s < r$,

$$P_{h+tr+s} = P_{h+s}, \qquad Q_{h+tr+s} = Q_{h+s}.$$

From this, $q_{h+tr+s} = q_{h+s}$.

This completes the proof of Lagrange's theorem.

Corollary 19.2. The continued fraction expansion of a reduced quadratic irrationality is purely periodic.

Proof. It is enough to show that if $\zeta = [q_0, \overline{q_1, \ldots, q_r}]$ is reduced, then indeed $q_0 = q_r$. (The general case follows by induction.) Let $\theta = [\overline{q_1, \ldots, q_r}]$. Since $q_0 + \dfrac{1}{\theta}$ is reduced,

$$q_0 + \frac{1}{\theta} > 1 > 0 > q_0 + \frac{1}{\bar\theta} > -1.$$

From this, $q_0 = \left[-\dfrac{1}{\bar\theta}\right]$. However, $-\dfrac{1}{\bar\theta}$ has continued fraction expansion $[\overline{q_r, \ldots, q_1}]$. It follows that $q_r = q_0$.

Exercise

1. If $x$ is reduced, then so is $\dfrac{1}{x - [x]}$.

2. If a quadratic irrationality $\zeta > 1$ satisfies $\bar\zeta < -1$, then the continued fraction expansion of $\zeta$ has one single term before the period.¹

¹Solution. There is a positive integer $c$ such that $c + \bar\zeta$ lies between $-1$ and $0$. In other words, $c + \zeta$ is reduced, and has periodic continued fraction expansion $[\overline{q_0, \ldots, q_r}]$. Then,

$$\zeta = [q_0 - c, \overline{q_1, \ldots, q_r, q_0}].$$


Chapter 20

The Pell Equation

20.1 The equation $x^2 - dy^2 = 1$

Let $d$ be a fixed integer. We consider the Pell equation $x^2 - dy^2 = 1$. Clearly, if $d$ is negative or is a (positive) square integer, then the equation has only finitely many solutions.

Theorem 20.1. Let $d$ be a nonsquare, positive integer. The totality of positive solutions of the Pell equation $x^2 - dy^2 = 1$ form an infinite sequence $(x_n, y_n)$ defined recursively by

$$x_{n+1} = ax_n + dby_n, \quad y_{n+1} = bx_n + ay_n; \qquad x_1 = a,\ y_1 = b,$$

where $(x_1, y_1) = (a, b)$ is the fundamental solution (with $a, b$ smallest possible) obtained from the continued fraction expansion

$$\sqrt{d} = [q_0, \overline{q_1, \ldots, q_k}],$$

as follows. Let $\dfrac{P_{k-1}}{Q_{k-1}}$ be the $(k-1)$-th convergent of $\sqrt{d}$.

(a) If the length of the period is even, then $(a, b) = (P_{k-1}, Q_{k-1})$ is the smallest positive solution of the Pell equation $x^2 - dy^2 = 1$.

(b) If the length of the period is odd, then the smallest positive solution of the equation $x^2 - dy^2 = 1$ is $(a, b) = (P_{k-1}^2 + dQ_{k-1}^2,\ 2P_{k-1}Q_{k-1})$.

Examples

1. The fundamental solution of the Pell equation $x^2 - 2y^2 = 1$ is $(3, 2)$. This generates an infinite sequence of nonnegative solutions $(x_n, y_n)$ defined by

$$x_{n+1} = 3x_n + 4y_n, \quad y_{n+1} = 2x_n + 3y_n; \qquad x_0 = 1,\ y_0 = 0.$$

The beginning terms are

n   :  1   2    3    4     5      6       7        8        9         10        ...
x_n :  3   17   99   577   3363   19601   114243   665857   3880899   22619537  ...
y_n :  2   12   70   408   2378   13860   80782    470832   2744210   15994428  ...

2. Fundamental solution $(a, b)$ of $x^2 - dy^2 = 1$ for $d < 100$:

 d   a          b          |  d   a          b          |  d   a           b
 2   3          2          |  3   2          1          |  5   9           4
 6   5          2          |  7   8          3          |  8   3           1
10   19         6          | 11   10         3          | 12   7           2
13   649        180        | 14   15         4          | 15   4           1
17   33         8          | 18   17         4          | 19   170         39
20   9          2          | 21   55         12         | 22   197         42
23   24         5          | 24   5          1          | 26   51          10
27   26         5          | 28   127        24         | 29   9801        1820
30   11         2          | 31   1520       273        | 32   17          3
33   23         4          | 34   35         6          | 35   6           1
37   73         12         | 38   37         6          | 39   25          4
40   19         3          | 41   2049       320        | 42   13          2
43   3482       531        | 44   199        30         | 45   161         24
46   24335      3588       | 47   48         7          | 48   7           1
50   99         14         | 51   50         7          | 52   649         90
53   66249      9100       | 54   485        66         | 55   89          12
56   15         2          | 57   151        20         | 58   19603       2574
59   530        69         | 60   31         4          | 61   1766319049  226153980
62   63         8          | 63   8          1          | 65   129         16
66   65         8          | 67   48842      5967       | 68   33          4
69   7775       936        | 70   251        30         | 71   3480        413
72   17         2          | 73   2281249    267000     | 74   3699        430
75   26         3          | 76   57799      6630       | 77   351         40
78   53         6          | 79   80         9          | 80   9           1
82   163        18         | 83   82         9          | 84   55          6
85   285769     30996      | 86   10405      1122       | 87   28          3
88   197        21         | 89   500001     53000      | 90   19          2
91   1574       165        | 92   1151       120        | 93   12151       1260
94   2143295    221064     | 95   39         4          | 96   49          5
97   62809633   6377352    | 98   99         10         | 99   10          1

3. Pell equations whose fundamental solutions are very large:

 d     a                                        b
 421   3879474045914926879468217167061449       189073995951839020880499780706260
 541   3707453360023867028800645599667005001    159395869721270110077187138775196900
 601   38902815462492318420311478049            1586878942101888360258625080
 613   464018873584078278910994299849           18741545784831997880308784340
 661   16421658242965910275055840472270471049   638728478116949861246791167518480580
 673   4765506835465395993032041249             183696788896587421699032600
 769   535781868388881310859702308423201        19320788325040337217824455505160
 919   4481603010937119451551263720             147834442396536759781499589
 937   480644425002415999597113107233           15701968936415353889062192632
 949   609622436806639069525576201              19789181711517243032971740
 991   379516400906811930638014896080           12055735790331359447442538767


4. The equation $x^2 - 4729494y^2 = 1$ arises from the famous Cattle problem of Archimedes, and has smallest positive solution

$$x = 109931986732829734979866232821433543901088049, \qquad y = 50549485234315033074477819735540408986340.$$

Exercise

1. Solve the Pell equations (a) $x^2 + 3y^2 = 1$; (b) $x^2 - 4y^2 = 1$ for integer solutions.¹

2. Find the 10 smallest nonnegative solutions of the Pell equation $x^2 - 3y^2 = 1$.²

3. For a positive, nonsquare integer $n$, let $(a_n, b_n)$ be the fundamental solution of the Pell equation $x^2 - ny^2 = 1$. If $n$ is a square, set $b_n = 0$.

(a) Show that every positive integer occurs infinitely often in the sequence $(b_n)$.

(b) Determine all occurrences of $p^k$, $p$ prime, $k > 0$, in the sequence $(b_n)$.

4. Deduce that if $p$ is a prime of the form $4k + 1$, then the continued fraction expansion of $\sqrt{p}$ has odd period.

20.1.1

If $(a, b)$ is the fundamental solution of the Pell equation $x^2 - dy^2 = 1$, generating the infinite sequence of nonnegative solutions $(x_0, y_0) = (1, 0)$, $(x_1, y_1) = (a, b)$, $(x_2, y_2), \ldots, (x_n, y_n), \ldots$, then

$$x_{n+1} = 2ax_n - x_{n-1}; \qquad y_{n+1} = 2ay_n - y_{n-1}.$$

20.2 The equation $x^2 - dy^2 = -1$

Indeed, if the length of the period of the continued fraction expansion of $\sqrt{d}$ is odd, then $(P_{k-1}, Q_{k-1})$ is the smallest positive solution of the equation

$$x^2 - dy^2 = -1.$$

Only when this period is odd does this equation have solutions.

¹(a) $(x, y) = (\pm 1, 0)$; (b) $(x, y) = (\pm 1, 0)$.

²
n   :  1   2   3    4    5     6      7      8       9       10       11       ...
x_n :  2   7   26   97   362   1351   5042   18817   70226   262087   978122   ...
y_n :  1   4   15   56   209   780    2911   10864   40545   151316   564719   ...


Examples

1. Smallest positive solution $(a, b)$ of $x^2 - dy^2 = -1$ for the first 24 values of $d$:

 d    a       b     |  d    a      b    |  d     a      b
 2    1       1     |  5    2      1    |  10    3      1
 13   18      5     |  17   4      1    |  26    5      1
 29   70      13    |  37   6      1    |  41    32     5
 50   7       1     |  53   182    25   |  58    99     13
 61   29718   3805  |  65   8      1    |  73    1068   125
 74   43      5     |  82   9      1    |  85    378    41
 89   500     53    |  97   5604   569  |  101   10     1

2. If $p \equiv 1 \pmod 4$ is prime, then the equation $x^2 - py^2 = -1$ is solvable.

Proof. Let $(a, b)$ be the fundamental solution of $x^2 - py^2 = 1$. This means $a^2 - 1 = pb^2$. Note that $a$ must be odd, for otherwise $a^2 - 1 \equiv -1 \pmod 4$, but $pb^2 \equiv 1 \pmod 4$, a contradiction. Consequently, $\gcd(a + 1, a - 1) = 2$, and we have

(i) $a + 1 = 2r^2$, $a - 1 = 2ps^2$, or

(ii) $a + 1 = 2pr^2$, $a - 1 = 2s^2$, for some nonnegative integers $r$ and $s$.

In (i), we have $r^2 - ps^2 = 1$, with $r < a$, a contradiction since $(a, b)$ is the smallest positive solution of $x^2 - py^2 = 1$. It follows that (ii) holds, and we have $s^2 - pr^2 = -1$.
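The following Python is an added example, not code from the notes: it implements the convergent recurrence of Chapter 18, the integer recurrence of §19.4 for $\zeta_k = (P_k + \sqrt{d})/Q_k$ started at $\sqrt{d}$ (the period is closed by the partial quotient $2q_0$ of Theorem 18.4), and from these the fundamental solutions of $x^2 - dy^2 = \pm 1$ as in Theorem 20.1 and §20.2. Function and variable names are my own; Python's unbounded integers handle the large entries of the tables above.

```python
from math import isqrt


def sqrt_cf(d):
    """Continued fraction of sqrt(d) for a positive nonsquare integer d.

    Runs the recurrence of section 19.4 on zeta_0 = (0 + sqrt d)/1, for which
    d = P^2 + Q Q' gives Q_{-1} = d.  Returns (q0, period) such that
    sqrt d = [q0, overline(period)]; by Theorem 18.4 the period closes with
    the partial quotient 2*q0, which is how the loop detects its end.
    """
    r = isqrt(d)                 # r = [sqrt d]
    if r * r == d:
        raise ValueError("d must not be a perfect square")
    P, Q = 0, 1                  # zeta_0 = (P + sqrt d)/Q
    q0, q = r, r                 # q_0 = [zeta_0]
    period = []
    while q != 2 * q0:
        P = -P + q * Q           # P_{k+1} = -P_k + q_k Q_k
        Q = (d - P * P) // Q     # Q_{k+1} = (d - P_{k+1}^2)/Q_k, an exact division
        q = (P + r) // Q         # q_{k+1} = [(P + sqrt d)/Q] = [(P + [sqrt d])/Q]
        period.append(q)
    return q0, period


def convergents(q0, qs):
    """Convergents P_k/Q_k of [q0, qs[0], qs[1], ...] by the Chapter 18 recurrence
    P_k = P_{k-2} + q_k P_{k-1}, Q_k = Q_{k-2} + q_k Q_{k-1}, started from
    P_{-2} = 0, P_{-1} = 1, Q_{-2} = 1, Q_{-1} = 0.  Returns a list of (P_k, Q_k)."""
    p_prev, p = 0, 1
    q_prev, q = 1, 0
    out = []
    for qk in [q0, *qs]:
        p_prev, p = p, p_prev + qk * p
        q_prev, q = q, q_prev + qk * q
        out.append((p, q))
    return out


def pell_fundamental(d):
    """Smallest positive solution (a, b) of x^2 - d y^2 = 1 (Theorem 20.1)."""
    q0, period = sqrt_cf(d)
    k = len(period)
    # (k-1)-th convergent P_{k-1}/Q_{k-1}: partial quotients q_0, ..., q_{k-1}
    p, q = convergents(q0, period[:-1])[-1]
    if k % 2 == 0:
        a, b = p, q                              # case (a): even period
    else:
        a, b = p * p + d * q * q, 2 * p * q      # case (b): odd period
    assert a * a - d * b * b == 1
    return a, b


def negative_pell(d):
    """Smallest positive solution of x^2 - d y^2 = -1, or None when the period
    of sqrt d is even (section 20.2: solvable only for an odd period)."""
    q0, period = sqrt_cf(d)
    if len(period) % 2 == 0:
        return None
    p, q = convergents(q0, period[:-1])[-1]
    assert p * p - d * q * q == -1
    return p, q


def pell_solutions(d, n):
    """First n positive solutions of x^2 - d y^2 = 1 from the recurrence
    x_{i+1} = a x_i + d b y_i, y_{i+1} = b x_i + a y_i with (x_1, y_1) = (a, b)."""
    a, b = pell_fundamental(d)
    x, y = a, b
    out = []
    for _ in range(n):
        out.append((x, y))
        x, y = a * x + d * b * y, b * x + a * y
    return out


if __name__ == "__main__":
    for d in (2, 13, 46, 61, 991, 4729494):     # the last is Archimedes' cattle problem
        q0, period = sqrt_cf(d)
        print(d, "period length", len(period), "fundamental solution", pell_fundamental(d))
```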

20.3 The equation $x^2 - dy^2 = c$

Let $d$ be a nonsquare integer, and $c$ an integer other than $0, \pm 1$. Clearly, the equation

$$x^2 - dy^2 = c$$

is solvable only if $d$ is a quadratic residue modulo $c$ (Exercise). This condition, however, is not sufficient to guarantee existence of solutions. Consider the continued fraction expansion of $\sqrt{d}$:

$$\sqrt{d} = [q_0, \overline{q_1, \ldots, q_k}],$$

with the first $k$ convergents

$$\frac{P_i}{Q_i} = [q_0, q_1, \ldots, q_i], \qquad i = 0, 1, 2, \ldots, k - 1.$$

Theorem 20.2. If $|c| < \sqrt{d}$, and $x^2 - dy^2 = c$ is solvable, then $c$ must be one of the numbers $P_i^2 - dQ_i^2$, $i = 0, 1, 2, \ldots, k - 1$.


Theorem 20.3. Let $c > 1$ be a positive integer, and let $(a, b)$ be the fundamental solution of $x^2 - dy^2 = 1$.

(a) If the equation $x^2 - dy^2 = c$ is solvable, it must have a fundamental solution $(u, v)$ in the range

$$0 < |u| \le \sqrt{\tfrac12(a + 1)c}, \qquad 0 \le v \le \frac{b}{\sqrt{2(a + 1)}}\cdot\sqrt{c}.$$

Every solution appears in a doubly infinite sequence $(u_n, v_n)$,

$$u_{n+1} = au_n + dbv_n, \quad v_{n+1} = bu_n + av_n, \qquad u_1 = u,\ v_1 = v,$$

for some $(u, v)$ in the range above.

(b) Same conclusion for the equation $x^2 - dy^2 = -c$, except that it must have a solution $(u, v)$ in the range

$$0 \le |u| \le \sqrt{\tfrac12(a - 1)c}, \qquad 0 < v \le \frac{b}{\sqrt{2(a - 1)}}\cdot\sqrt{c}.$$

Example 20.1. Consider the equation $x^2 - 23y^2 = 4 \cdot 11 \cdot 23$. It is easy to see that $x$ and $y$ must be both even, and $23$ divides $x$. With $x = 46h$, $y = 2k$, we have $23h^2 - k^2 = 11$, or $k^2 - 23h^2 = -11$. The fundamental solution of $x^2 - 23y^2 = 1$ being $(a, b) = (24, 5)$, we need only find $h$ in the range $1 \le h \le 2$. It is now easy to see that only $h = 2$ gives $k = 9$. From this we obtain $(x_1, y_1) = (92, 18)$. The other solutions are generated recursively by

$$x_{n+1} = 24x_n + 115y_n, \quad y_{n+1} = 5x_n + 24y_n, \qquad x_1 = 92,\ y_1 = 18.$$

Here are the first 5 solutions.

n   :  1    2      3        4         5          ...
x_n :  92   4278   205252   9847818   472490012  ...
y_n :  18   892    42798    2053412   98520978   ...
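The search that Theorem 20.3 licenses, as an added Python example of my own (not from the notes): given the fundamental solution $(a, b)$ of $x^2 - dy^2 = 1$, every solution of $u^2 - dv^2 = c$ lies in a sequence through one of the finitely many solutions inside the theorem's box, so a bounded loop over $v$ finds the starting points and the recurrence extends them. Example 20.1 is reproduced, as are the two $(E_{36})$ sequences of Chapter 21 with $(a, b) = (2281249, 267000)$; function names are assumptions of this example.

```python
from math import isqrt


def box_solutions(d, c, a, b):
    """All integer solutions (u, v) of u^2 - d v^2 = c inside the range of
    Theorem 20.3, where (a, b) is the fundamental solution of x^2 - d y^2 = 1.

    For c > 0:  0 <= v <= b*sqrt(c/(2(a+1)));  for c < 0:  0 < v <= b*sqrt(|c|/(2(a-1))).
    The bound on |u| then holds automatically.  Both signs of u are listed, since
    (u, v) and (-u, v) start different sequences.  Returns a sorted list of (u, v).
    """
    if c > 0:
        v_lo, v_hi = 0, isqrt(b * b * c // (2 * (a + 1)))
    else:
        v_lo, v_hi = 1, isqrt(b * b * (-c) // (2 * (a - 1)))
    found = []
    for v in range(v_lo, v_hi + 1):
        u2 = c + d * v * v
        if u2 < 0:
            continue
        u = isqrt(u2)
        if u * u == u2:                  # u^2 - d v^2 = c exactly
            found.append((u, v))
            if u > 0:
                found.append((-u, v))
    return sorted(found)


def sequence(d, a, b, u, v, n):
    """(u_1, v_1), ..., (u_n, v_n) with u_1 = u, v_1 = v and
    u_{i+1} = a u_i + d b v_i,  v_{i+1} = b u_i + a v_i  (Theorem 20.3)."""
    out = []
    for _ in range(n):
        out.append((u, v))
        u, v = a * u + d * b * v, b * u + a * v
    return out


def example_20_1(n=5):
    """x^2 - 23 y^2 = 4*11*23 via x = 46h, y = 2k and k^2 - 23 h^2 = -11."""
    a, b = 24, 5                                   # fundamental solution for d = 23
    k, h = max(box_solutions(23, -11, a, b))       # the positive one, (9, 2)
    return sequence(23, a, b, 46 * h, 2 * k, n)    # (x_1, y_1) = (92, 18), ...


def e36_sequences(n=3):
    """(E_36): a^2 - 73 b^2 = 12*37*73, each box solution with a > 0 extended
    by the fundamental solution (2281249, 267000) of x^2 - 73 y^2 = 1."""
    a, b = 2281249, 267000
    starts = [s for s in box_solutions(73, 12 * 37 * 73, a, b) if s[0] > 0]
    return {s: sequence(73, a, b, s[0], s[1], n) for s in starts}


if __name__ == "__main__":
    print(example_20_1())
    for start, seq in e36_sequences().items():
        print(start, seq)
```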

20.4 Applications

1. Which triangular numbers are squares? Suppose the $k$-th triangular number $T_k = \frac12k(k+1)$ is the square of $n$. Then $n^2 = \frac12k(k+1)$; $4k^2 + 4k + 1 = 8n^2 + 1$; $(2k+1)^2 - 8n^2 = 1$. The smallest positive solution of the Pell equation $x^2 - 8y^2 = 1$ being $(3, 1)$, we have the solutions $(k_i, n_i)$ of the equation given by

$$2k_{i+1} + 1 = 3(2k_i + 1) + 8n_i, \quad n_{i+1} = (2k_i + 1) + 3n_i, \qquad k_0 = 1,\ n_0 = 1.$$

This means

$$k_{i+1} = 3k_i + 4n_i + 1, \quad n_{i+1} = 2k_i + 3n_i + 1, \qquad k_0 = 1,\ n_0 = 1.$$

The beginning values of $k$ and $n$ are as follows.

i   :  0   1   2    3     4      5      6       7        8         9          10         ...
k_i :  1   8   49   288   1681   9800   57121   332928   1940449   11309768   65918161   ...
n_i :  1   6   35   204   1189   6930   40391   235416   1372105   7997214    46611179   ...

2. Find all integers $n$ so that the mean and the standard deviation of $n$ consecutive integers are both integers.

If the mean of $n$ consecutive integers is an integer, $n$ must be odd. We may therefore assume the numbers to be $-m, -(m-1), \ldots, -1, 0, 1, \ldots, m-1, m$. The standard deviation of these numbers is $\sqrt{\frac13m(m+1)}$. For this to be an integer, we must have $\frac13m(m+1) = k^2$ for some integer $k$. Then $m^2 + m = 3k^2$; $n^2 = (2m+1)^2 = 12k^2 + 1$. The smallest positive solution of the Pell equation $n^2 - 12k^2 = 1$ being $(7, 2)$, the solutions of this equation are given by $(n_i, k_i)$, where

$$n_{i+1} = 7n_i + 24k_i, \quad k_{i+1} = 2n_i + 7k_i, \qquad n_0 = 1,\ k_0 = 0.$$

The beginning values of $n$ and $k$ are

i   :  1   2    3      4       5        6         7          8           ...
n_i :  7   97   1351   18817   262087   3650401   50843527   708158977   ...
k_i :  2   28   390    5432    75658    1053780   14677262   204427888   ...

3. Find all Pythagorean triangles the lengths of whose two shorter sides differ by 1.

Let $x$ and $x + 1$ be the two shorter sides of a Pythagorean triangle, with hypotenuse $y$. Then $y^2 = x^2 + (x+1)^2 = 2x^2 + 2x + 1$. From this, $2y^2 = (2x+1)^2 + 1$. With $z = 2x + 1$, this reduces to the Pell equation $z^2 - 2y^2 = -1$, which we know has solutions, the smallest positive one being $(1, 1)$; the equation $z^2 - 2y^2 = 1$ has smallest positive solution $(3, 2)$. It follows that the solutions $(z_n, y_n)$ are given recursively by

$$z_{n+1} = 3z_n + 4y_n, \quad y_{n+1} = 2z_n + 3y_n, \qquad z_0 = 1,\ y_0 = 1.$$

If we write $z_n = 2x_n + 1$, these become

$$x_{n+1} = 3x_n + 2y_n + 1, \quad y_{n+1} = 4x_n + 3y_n + 2, \qquad x_0 = 0,\ y_0 = 1.$$

The beginning values of $x_n$ and $y_n$ are as follows.

n   :  1   2    3     4     5      6       7        8         9         10         ...
x_n :  3   20   119   696   4059   23660   137903   803760    4684659   27304196   ...
y_n :  5   29   169   985   5741   33461   195025   1136689   6625109   38613965   ...

4. Find eleven consecutive positive integers, the sum of whose squares is the square of an integer.

Answer:

$$18^2 + 19^2 + \cdots + 28^2 = 77^2,$$
$$38^2 + 39^2 + \cdots + 48^2 = 143^2,$$
$$456^2 + 457^2 + \cdots + 466^2 = 1529^2,$$
$$854^2 + 855^2 + \cdots + 864^2 = 2849^2,$$
$$9192^2 + 9193^2 + \cdots + 9202^2 = 30503^2,$$
$$17132^2 + 17133^2 + \cdots + 17142^2 = 56837^2,$$
$$\ldots$$


Chapter 21

Sums of consecutive squares

21.1 Sums of an odd number of consecutive squares.

Suppose the sum of the squares of $2k + 1$ consecutive positive integers is a square. If the integers are $b, b \pm 1, \ldots, b \pm k$, we require

$$(2k+1)b^2 + \frac13k(k+1)(2k+1) = a^2$$

for an integer $a$. From this we obtain the equation

$$a^2 - (2k+1)b^2 = \frac13k(k+1)(2k+1). \tag{$E_k$}$$

1. Suppose $2k + 1$ is a square. Show that $(E_k)$ has solution only when $k = 6m(m + \varepsilon)$ for some integers $m > 1$, and $\varepsilon = \pm 1$. In each case, the number of solutions is finite.

Number of solutions of $(E_k)$ when $2k + 1$ is a square

2k + 1     :  25  49  121  169  289  361  529  625  841  961  ...
solutions  :  0   1   1    2    7    3    5    3    3    10   ...

2. Find the unique sequence of 49 (respectively 121) consecutive positive integers whose squares sum to a square.

Answer: $25^2 + 26^2 + \cdots + 73^2 = 357^2$; $244^2 + 245^2 + \cdots + 364^2 = 3366^2$.

Remark: The two sequences of 169 consecutive squares whose sums are squares are

$$30^2 + 31^2 + \cdots + 198^2 = 1612^2; \qquad 510^2 + 511^2 + \cdots + 678^2 = 7748^2.$$


3. Suppose $2k + 1$ is not a square. If $k + 1$ is divisible by $9 = 3^2$ or by any prime of the form $4k + 3 \ge 7$, then the equation $(E_k)$ has no solution.

4. Show that for the following values of $k < 50$, the equation $(E_k)$ has no solution:

$$k = 6, 8, 10, 13, 17, 18, 20, 21, 22, 26, 27, 30, 32, 34, 35, 37, 40, 41, 42, 44, 45, 46, 48, \ldots$$

5. Suppose $p = 2k + 1$ is a prime. If the Legendre symbol

$$\left(\frac{-\frac13k(k+1)}{p}\right) = -1,$$

then the equation $(E_k)$ has no solution.

6. Show that for the following values of $k < 50$, the equation $(E_k)$ has no solution:

$$1, 2, 3, 8, 9, 14, 15, 20, 21, 26, 33, 39, 44.$$

We need only consider $(E_k)$ for the following values of $k$:

$$5, 7, 11, 16, 19, 23, 25, 28, 29, 31, 36, 38, 43, 47, 49.$$

7. Check that among these, only for $k = 5, 11, 16, 23, 29$ are the equations $(E_k)$ solvable.

8. From the data of Example 20.1, work out 5 sequences of 23 consecutive integers whose squares add up to a square in each case.

Answer:

$$7^2 + 8^2 + \cdots + 29^2 = 92^2;$$
$$881^2 + 882^2 + \cdots + 903^2 = 4278^2;$$
$$42787^2 + 42788^2 + \cdots + 42809^2 = 205252^2;$$
$$2053401^2 + 2053402^2 + \cdots + 2053423^2 = 9847818^2;$$
$$\cdots$$

9. Consider the equation $(E_{36}): a^2 - 73b^2 = 12 \cdot 37 \cdot 73$. Check that this equation does in fact have solutions $(u, v) = (4088, 478), (23360, 2734)$.

10. Make use of the fundamental solution of $x^2 - 73y^2 = 1$, namely, $(a, b) = (2281249, 267000)$, to obtain two sequences of solutions of $(E_{36})$:

Answer:

$$(4088, 478),\ (18642443912, 2181933022),\ (85056113063608088, 9955065049008478),\ \ldots$$
$$(23360, 2734),\ (106578370640, 12474054766),\ (486263602888235360, 56912849921762734),\ \ldots$$

This means, for example, the sum of the squares of the 73 numbers with center 478 (respectively 2734) is equal to the square of 4088 (respectively 23360).


21.2 Even number of consecutive squares.

Suppose the sum of the squares of the $2k$ consecutive numbers

$$b - k + 1,\ b - k + 2,\ \ldots,\ b,\ \ldots,\ b + k - 1,\ b + k,$$

is equal to $a^2$. This means

$$(2a)^2 - 2k(2b+1)^2 = \frac{2k}{3}(4k^2 - 1). \tag{$E'_k$}$$

Note that the numbers $2k$, $4k^2 - 1$ are relatively prime.

1. Show that the equation $(E'_k)$ has no solution if $2k$ is a square.

2. Suppose $2k$ is not a square. Show that if $2k + 1$ is divisible by 9, or by any prime of the form $4k + 1$, then the equation $(E'_k)$ has no solution.

3. Show that for $k \le 50$, the equation $(E'_k)$ has no solution for the following values of $k$:

$$k = 3, 4, 5, 9, 11, 13, 15, 17, 21, 23, 24, 27, 29, 31, 33, 35, 38, 39, 40, 41, 45, 47, 49.$$

4. Let $k$ be a prime. Show that the equation $(E'_k)$ can be written as

$$(2b+1)^2 - 2ky^2 = -\frac{4k^2 - 1}{3}.$$

By considering Legendre symbols, show that the equation $(E'_k)$ has no solution for the following values of $k \le 50$:

$$k = 5, 7, 17, 19, 29, 31, 41, 43.$$

5. By using Theorem 10.5.3, check that, excluding square values of $2k < 100$, the equation $(E'_k)$ has solutions only for $k = 1, 12, 37, 44$. The case $2k = 2$ has been dealt with in Example 10.6.3.

6. Show that $(34, 0)$, $(38, 3)$, $(50, 7)$ are solutions of $(E'_{12})$. Construct from them three infinite sequences of expressions of the sum of 24 consecutive squares as a square.

Answer:

$$25^2 + 26^2 + \cdots + 48^2 = 182^2; \quad 44^2 + 45^2 + \cdots + 67^2 = 274^2; \quad 76^2 + 77^2 + \cdots + 99^2 = 430^2.$$

7. Show that $(185, 2)$, $(2257, 261)$, and $(2849, 330)$ are solutions of $(E'_{37})$. Construct from them three infinite sequences of expressions of the sum of 74 consecutive squares as a square.


Answer:

$$225^2 + 226^2 + \cdots + 298^2 = 2257^2; \qquad 294^2 + 295^2 + \cdots + 367^2 = 2849^2;$$
$$13096^2 + 13097^2 + \cdots + 13179^2 = 763865^2.$$

8. Show that $(242, 4)$ and $(2222, 235)$ are solutions of $(E'_{44})$. Construct from them two infinite sequences of expressions of the sum of 88 consecutive squares as a square.

Answer:

$$192^2 + 193^2 + \cdots + 279^2 = 2222^2; \qquad 5925^2 + 5926^2 + \cdots + 6012^2 = 55990^2.$$

Remark: The equation $(E'_{26}): x^2 - 52y^2 = 18 \cdot 52 \cdot 53$ does indeed have two infinite sequences of solutions generated by the particular solutions $(338, 36)$, $(2002, 276)$, and the fundamental solution $(649, 90)$ of the Pell equation $x^2 - 52y^2 = 1$. None of these, however, leads to a solution of $(E'_{26})$ since all the $y$'s are even.


Chapter 22

Some simple cryptosystems

A cryptosystem consists of

(i) encryption and decryption (or enciphering and deciphering) algorithms, usually assumed known, and

(ii) encryption and decryption keys.

A plaintext is enciphered using an encryption key and sent to a receiver, who deciphers the ciphertext by finding an appropriate decryption key.

22.1 Shift ciphers

The simplest cryptosystem is the shift cipher. The encryption algorithm is simply shifting the alphabet by a fixed number. Clearly the decryption algorithm is of the same kind. The encryption key is the number of spaces shifted forward or backward. For example, the plaintext

A point is that which has no part. A line is length without breadth. The extremities of a line are points

is shifted 5 places forward to yield the ciphertext

FUTNSYNXYMFYBMNHMMFXSTUFWYFQNSJNXQJSLYMBNYMTZYGWJFIYMYMJJCYWJRNYNJXTKFQNSJFWJUTNSYX

The receiver of the ciphertext, knowing the encryption algorithm but not the key, first studies the frequencies of the various letters in the ciphertext, and makes use of known frequency statistics to figure out the appropriate shift to decipher the message.

A   B   C   D   E   F   G   H   I   J   K   L   M
0   2   1   0   0   8   1   1   1   9   1   1   8
N   O   P   Q   R   S   T   U   V   W   X   Y   Z
10  0   0   3   1   6   5   3   0   4   5   12  1


Here are the percentage frequencies of letters in English:

a     b     c     d     e      f     g     h     i     j     k     l     m
8.2   1.5   2.8   4.3   12.7   2.2   2.0   6.1   7.0   0.2   0.8   4.0   2.4

n     o     p     q     r     s     t     u     v     w     x     y     z
6.7   7.5   1.9   0.1   6.0   6.3   9.1   2.8   1.0   2.3   0.1   2.0   0.1

The most frequently occurring letters in a reasonably long passage in Englishare e, followed by t, a, o, i, n.

For the current ciphertext, it is reasonable to decipher by a shift that makes Y ← e, or N ← e, or J ← e.

If we decipher by Y ← e, shifting 6 places forward, the first few letters FUTNSYNXY yield laztyetde, which is not a meaningful text. This is also the case with N ← e, 9 places backward. The next one, J ← e, 5 places backward, easily deciphers the message.

Exercise

A shift cipher yields the following ciphertext:

FSDHN WHQJN XJVZF QYTFW NLMYF SLQJI YWNFS LQJNS BMNHM TSJTK YMJXN IJXFG TZYYM JWNLM YFSLQ JNXJV ZFQYT YMJWF INZXF SIYMJ GFXJN XJVZF QYTYM JHNWH ZRKJW JSHJ

with frequency count:

A   B   C   D   E   F   G   H   I   J   K   L   M
0   1   0   1   0   12  2   6   4   18  2   5   9
N   O   P   Q   R   S   T   U   V   W   X   Y   Z
12  0   0   7   1   8   6   0   3   7   7   12  6

Decipher the message.

22.2 Affine ciphers

An affine cipher is a generalization of the shift cipher. The letters in the alphabet are replaced by the numbers $0, 1, \ldots, 25$.

a   b   c   d   e   f   g   h   i   j   k   l   m
0   1   2   3   4   5   6   7   8   9   10  11  12
A   B   C   D   E   F   G   H   I   J   K   L   M

n   o   p   q   r   s   t   u   v   w   x   y   z
13  14  15  16  17  18  19  20  21  22  23  24  25
N   O   P   Q   R   S   T   U   V   W   X   Y   Z


The encryption algorithm is to encode a letter corresponding to an integer $x$ by the letter corresponding to the integer $\alpha x + \beta \bmod 26$ obtained by some affine substitution. To make decryption possible, the encryption key (affine substitution) $x \mapsto \alpha x + \beta \bmod 26$ is required to be invertible, so that the decryption key is of the same form $x \mapsto ax + b \bmod 26$ for some integers $a, b$. This means that $\alpha$ and $a$ should be units in $\mathbb{Z}_{26}$.

Suppose we decide that two certain LETTERS (represented by integers $x_1$ and $x_2$) are the ciphertexts of two letters (represented by integers $y_1$ and $y_2$). The coefficients of the decryption key are determined by

$$ax_1 + b \equiv y_1, \qquad ax_2 + b \equiv y_2 \pmod{26}.$$

From these, $a(x_1 - x_2) \equiv y_1 - y_2 \pmod{26}$ should have a solution $a \in \mathbb{Z}_{26}$. The corresponding value of $b$ can be easily determined.

Example 22.1. Suppose by an affine cipher we have the following ciphertext:

HXOFS SGSRP KMFOB EEOOM ECPSF NASKE IXSAI ORSBSKBHAH JOEAP IOAHE KPLSK FHOLE KIIOE EICPF ORSJJSQOLF WLOKH OBSPS MWDSE XKCCP LESSP APLOO LHXOSPJWBA EGAEH XCHHX OBOMC WFOCL OMCPL RSBHX OOCBJAOBFS SGEAP HXOEO BAOE

To decipher this we first study the frequencies of the letters:

A   B   C   D   E   F   G   H   I   J   K   L   M
11  10  9   1   16  8   3   12  6   5   8   9   5
N   O   P   Q   R   S   T   U   V   W   X   Y   Z
1   26  12  1   4   20  0   0   0   4   8   0   0

(1) The most frequently occurring letters are O (26 times) and S (20 times). It is reasonable to take O ← e and S ← t. This suggests a decryption key which takes $14 \mapsto 4$ and $18 \mapsto 19$.

Note that the congruence $(18 - 14)a \equiv 19 - 4 \pmod{26}$, i.e., $4a \equiv 15 \pmod{26}$, is clearly unsolvable.

(2) We try O← e, and S← a, with decryption key 14 �→ 4 and 18 �→ 0. Thisgives a = −1 and b = 18, and the decryption key x �→ 18− x mod 26:

A B C D E F G H I J K L Ms r q p o n m l k j i h gN O P Q R S T U V W X Y Zf e d c b a z y x w v u t

With this, the first few letters HXOFSSGSRP correspond to jtclyykyzb, an unintelligible string.


(3) We make another attempt: O ← e and S ← o, with decryption key $14 \mapsto 4$ and $18 \mapsto 14$. Here, $4a \equiv 10 \pmod{26}$ has solution $a \equiv 9 \pmod{13}$. Modulo 26, $a$ is either 9 or 22. Since $a$ must be a unit in $\mathbb{Z}_{26}$, we choose $a = 9$. From this, $b \equiv 4 - 14 \times 9 \equiv 8 \pmod{26}$.

The decryption key $x \mapsto 9x + 8 \bmod 26$ yields the deciphering

         A   B   C   D   E   F   G   H   I   J   K   L   M
x        0   1   2   3   4   5   6   7   8   9  10  11  12
9x + 8   8  17   0   9  18   1  10  19   2  11  20   3  12
         i   r   a   j   s   b   k   t   c   l   u   d   m

         N   O   P   Q   R   S   T   U   V   W   X   Y   Z
x       13  14  15  16  17  18  19  20  21  22  23  24  25
9x + 8  21   4  13  22   5  14  23   6  15  24   7  16  25
         v   e   n   w   f   o   x   g   p   y   h   q   z

Applying this to the ciphertext, we obtain

HXOFSSGSRP KMFOBEEOOM ECPSFNASKE IXSAIORSBS
thebookofn umbersseem sanobvious choiceforo
KBHAHJOEAP IOAHEKPLSK FHOLEKIIOE EICPFORSJJ
urtitlesin ceitsundou btedsucces scanbefoll
SQOLFWLOKH OBSPSMWDSE XKCCPLESSP APLOOLHXOS
owedbydeut eronomyjos huaandsoon indeedtheo
PJWBAEGAEH XCHHXOBOMC WFOCLOMCPL RSBHXOOCBJ
nlyriskist hattherema ybeademand fortheearl
AOBFSSGEAP HXOEOBAOE
ierbooksin theseries

The book of numbers seems an obvious choice for our title, since its undoubted success can be followed by Deuteronomy, Joshua, and so on. Indeed the only risk is that there may be a demand for the earlier books in the series.

J. H. Conway and R. K. Guy, The Book of Numbers, Preface.
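The key-recovery procedure of Example 22.1, as an added example (my code, not the notes'): it solves the crib congruence, rejects cribs that give no unit $a$, and deciphers the two ciphertexts of this section. The function names are mine; the ciphertexts are copied from the page.

```python
"""Affine cipher over Z_26 (Section 22.2): recover the decryption key x -> a*x + b
from two crib letters, rejecting cribs whose congruence is unsolvable or whose
solution a is not a unit of Z_26, then decipher the whole message."""
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Ciphertexts of Examples 22.1 and 22.2 (copied from the notes, spaces removed).
CIPHERTEXT_22_1 = ("HXOFSSGSRPKMFOBEEOOMECPSFNASKEIXSAIORSBSKBHAHJOEAPIOAHEKPLSK"
                   "FHOLEKIIOEEICPFORSJJSQOLFWLOKHOBSPSMWDSEXKCCPLESSPAPLOOLHXOS"
                   "PJWBAEGAEHXCHHXOBOMCWFOCLOMCPLRSBHXOOCBJAOBFSSGEAPHXOEOBAOE")
CIPHERTEXT_22_2 = ("FRFYMJRFYNHNFSQNPJFUFNSYJWTWFUTJYNXFRFPJWTKUFYYJWSXNKMNXUFYY"
                   "JWSXFWJRTWJUJWRFSJSYYMFSYMJNWXNYNXGJHFZXJYMJDFWJRFIJTKNIJFX")


def letter_frequencies(ciphertext):
    """Count each capital letter, as in the frequency tables of the notes."""
    counts = {ch: 0 for ch in ALPHABET.upper()}
    for ch in ciphertext:
        if ch in counts:
            counts[ch] += 1
    return counts


def solve_linear_congruence(coeff, rhs, modulus=26):
    """All a in Z_modulus with coeff * a = rhs (mod modulus); [] when unsolvable."""
    coeff, rhs = coeff % modulus, rhs % modulus
    if coeff == 0:
        return list(range(modulus)) if rhs == 0 else []
    g = gcd(coeff, modulus)
    if rhs % g:
        return []                     # e.g. 4a = 15 (mod 26): 2 does not divide 15
    m = modulus // g
    a0 = (rhs // g) * pow(coeff // g, -1, m) % m
    return [a0 + t * m for t in range(g)]   # g solutions, spaced by modulus / g


def affine_decryption_key(x1, y1, x2, y2):
    """(a, b) with a*x1 + b = y1 and a*x2 + b = y2 (mod 26) and a a unit of Z_26,
    or None when no such key exists (the crib must then be wrong)."""
    for a in solve_linear_congruence(x1 - x2, y1 - y2):
        if gcd(a, 26) == 1:
            return a, (y1 - a * x1) % 26
    return None


def affine_apply(text, a, b):
    """Apply x -> a*x + b (mod 26) letter by letter; non-letters are dropped."""
    return "".join(ALPHABET[(a * ALPHABET.index(ch.lower()) + b) % 26]
                   for ch in text if ch.isalpha())


def try_cribs(ciphertext, cribs):
    """For each crib (cipher letter, plain letter, cipher letter, plain letter) report
    the candidate key and the start of the decipherment, mirroring steps (1)-(3)."""
    report = []
    for c1, p1, c2, p2 in cribs:
        key = affine_decryption_key(ALPHABET.index(c1.lower()), ALPHABET.index(p1),
                                    ALPHABET.index(c2.lower()), ALPHABET.index(p2))
        preview = affine_apply(ciphertext[:10], *key) if key else "(unsolvable)"
        report.append((f"{c1}<-{p1}, {c2}<-{p2}", key, preview))
    return report


if __name__ == "__main__":
    freq = letter_frequencies(CIPHERTEXT_22_1)
    print(sorted(freq.items(), key=lambda kv: -kv[1])[:3])   # O, S, E lead the count
    for line in try_cribs(CIPHERTEXT_22_1, [("O", "e", "S", "t"), ("O", "e", "S", "a"),
                                            ("O", "e", "S", "o")]):
        print(*line)
    print(affine_apply(CIPHERTEXT_22_1, 9, 8))
    print(affine_apply(CIPHERTEXT_22_2, 1, 21))              # Example 22.2 (a shift by 5)
```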

Example 22.2. Decipher the following message obtained by an affine substitution:

FRFYM JRFYN HNFSQ NPJFU FNSYJ WTWFU TJYNX FRFPJ WTKUF YYJWS XNKMN XUFYY JWSXF WJRTW JUJWR FSJSY YMFSY MJNWX NYNXG JHFZX JYMJD FWJRF IJTKN IJFX

Frequency count:

A   B   C   D   E   F   G   H   I   J   K   L   M
0   0   0   1   0  18   1   2   2  18   3   0   5
N   O   P   Q   R   S   T   U   V   W   X   Y   Z
11  0   2   1   6   7   5   5   0  10   8  13   1


             A   B   C   D   E   F   G   H   I   J   K   L   M
x            0   1   2   3   4   5   6   7   8   9  10  11  12
decrypt key

             N   O   P   Q   R   S   T   U   V   W   X   Y   Z
x           13  14  15  16  17  18  19  20  21  22  23  24  25
decrypt key

22.3 A matrix encryption system

Consider a cryptosystem that uses 25 symbols for the alphabet, by identifying z with x. Identify a, b, c, ..., y with 0, 1, 2, ..., 24, and write these numbers in base 5:

a   b   c   d   e   f   g   h   i   j   k   l   m
00  01  02  03  04  10  11  12  13  14  20  21  22
A   B   C   D   E   F   G   H   I   J   K   L   M

n   o   p   q   r   s   t   u   v   w   x,z  y
23  24  30  31  32  33  34  40  41  42  43   44
N   O   P   Q   R   S   T   U   V   W   X,Z  Y

For encryption, we choose an invertible $2 \times 2$ matrix $P = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ and a column vector $Q = \begin{pmatrix} u \\ v \end{pmatrix}$ over the field $\mathbb{Z}_5$. Treat each 2-digit number as a column vector $X \in \mathbb{Z}_5^2$ and encode it by $X \mapsto PX + Q \in \mathbb{Z}_5^2$.

For $P$ to be invertible, its determinant $ad - bc$ must be nonzero in $\mathbb{Z}_5$. This condition is also sufficient. In this case, the inverse is given by
$$\begin{pmatrix} a & b \\ c & d \end{pmatrix}^{-1} = (ad - bc)^{-1} \begin{pmatrix} d & -b \\ -c & a \end{pmatrix}.$$

The decryption key is a transformation of the same kind, namely, $X \mapsto AX + B$ for some invertible matrix $A$ and column vector $B$.

For example, with $P = \begin{pmatrix} 2 & 4 \\ 0 & 3 \end{pmatrix}$, $Q = \begin{pmatrix} 1 \\ 3 \end{pmatrix}$, we have

         a   b   c   d   e   f   g   h   i   j   k   l   m
X       00  01  02  03  04  10  11  12  13  14  20  21  22
PX + Q  13  01  44  32  20  33  21  14  02  40  03  41  34
         I   B   Y   R   K   S   L   J   C   U   D   V   T

         n   o   p   q   r   s   t   u   v   w  x,z   y
X       23  24  30  31  32  33  34  40  41  42  43   44
PX + Q  22  10  23  11  04  42  30  43  31  24  12   00
         M   F   N   G   E   W   P  X,Z  Q   O   H    A


With this encryption key, the plaintext "Let no one ignorant of geometry enter here" is enciphered into

VKPMFFMKCLMFEIMPFSLKFTKPEAKMPKEJKEK

The decryption key is
$$X \mapsto \begin{pmatrix} 3 & 1 \\ 0 & 2 \end{pmatrix} X - \begin{pmatrix} 1 \\ 1 \end{pmatrix}.$$
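The matrix cipher of this section as an added example (my code, not the notes'): the base-5 alphabet above, encryption $X \mapsto PX + Q$, the decryption key from the $2 \times 2$ inverse formula, and recovery of $A$, $B$ from three crib letters by the subtraction trick used in Example 22.3 below. Function names are mine.

```python
"""Matrix cipher over Z_5 on the 25-letter base-5 alphabet of Section 22.3
(z shares the code of x): encryption X -> PX + Q, the decryption key from the
2x2 inverse formula, and recovery of the key from three crib letters."""

ALPHABET = "abcdefghijklmnopqrstuvwxy"      # letter i  <->  base-5 pair (i // 5, i % 5)


def letter_to_vec(ch):
    ch = ch.lower()
    if ch == "z":
        ch = "x"                            # the notes identify z with x
    i = ALPHABET.index(ch)
    return (i // 5, i % 5)


def vec_to_letter(v):
    return ALPHABET[5 * v[0] + v[1]]


def vec_add(u, v, sign=1):
    return ((u[0] + sign * v[0]) % 5, (u[1] + sign * v[1]) % 5)


def mat_vec(M, v):
    (a, b), (c, d) = M
    return ((a * v[0] + b * v[1]) % 5, (c * v[0] + d * v[1]) % 5)


def mat_mul(M, N):
    (a, b), (c, d) = M
    (e, f), (g, h) = N
    return (((a * e + b * g) % 5, (a * f + b * h) % 5),
            ((c * e + d * g) % 5, (c * f + d * h) % 5))


def mat_inv(M):
    """(ad - bc)^{-1} * ((d, -b), (-c, a)) over Z_5; fails when the determinant is 0."""
    (a, b), (c, d) = M
    det = (a * d - b * c) % 5
    if det == 0:
        raise ValueError("matrix is not invertible over Z_5")
    di = pow(det, -1, 5)
    return ((di * d % 5, -di * b % 5), (-di * c % 5, di * a % 5))


def decryption_key(P, Q):
    """X -> AX + B with A = P^{-1} and B = -P^{-1} Q undoes X -> PX + Q."""
    A = mat_inv(P)
    return A, vec_add((0, 0), mat_vec(A, Q), sign=-1)


def transform(text, M, B):
    """Apply X -> MX + B to every letter of text (non-letters are dropped)."""
    return "".join(vec_to_letter(vec_add(mat_vec(M, letter_to_vec(ch)), B))
                   for ch in text if ch.isalpha())


def encrypt(plaintext, P, Q):
    return transform(plaintext, P, Q).upper()


def decrypt(ciphertext, P, Q):
    A, B = decryption_key(P, Q)
    return transform(ciphertext, A, B)


def key_from_cribs(cribs):
    """Given three (cipher letter, plain letter) pairs, solve A X_i + B = Y_i:
    subtracting pairs removes B and gives A [X1-X2 | X1-X3] = [Y1-Y2 | Y1-Y3]."""
    (c1, p1), (c2, p2), (c3, p3) = cribs
    X = [letter_to_vec(c) for c in (c1, c2, c3)]
    Y = [letter_to_vec(p) for p in (p1, p2, p3)]
    dX = [vec_add(X[0], X[i], sign=-1) for i in (1, 2)]
    dY = [vec_add(Y[0], Y[i], sign=-1) for i in (1, 2)]
    M = ((dX[0][0], dX[1][0]), (dX[0][1], dX[1][1]))     # columns are the differences
    R = ((dY[0][0], dY[1][0]), (dY[0][1], dY[1][1]))
    A = mat_mul(R, mat_inv(M))                            # A = R M^{-1}
    B = vec_add(Y[0], mat_vec(A, X[0]), sign=-1)          # B = Y1 - A X1
    return A, B


if __name__ == "__main__":
    P, Q = ((2, 4), (0, 3)), (1, 3)
    c = encrypt("Let no one ignorant of geometry enter here", P, Q)
    print(c, decrypt(c, P, Q), decryption_key(P, Q))
    print(key_from_cribs([("L", "e"), ("T", "t"), ("C", "i")]))   # Example 22.3
```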

Example 22.3. Consider the following message obtained from a matrix encryption:

THLLTLENGXSAYTLEAIRTHLKIEXQCYCTYVISOELHLNYCBCXCTA

Here, a frequency count

A   B   C   D   E   F   G   H   I   J   K   L   M
3   1   5   0   4   0   1   3   3   0   1   7   0
N   O   P   Q   R   S   T   U   V   W  X,Z  Y
2   1   0   1   1   2   6   0   1   0   3   4

suggests L ← e, T ← t, C ← i. We find a decryption key $X \mapsto AX + B$ such that

$$A\begin{pmatrix} 2 \\ 1 \end{pmatrix} + B = \begin{pmatrix} 0 \\ 4 \end{pmatrix}, \quad A\begin{pmatrix} 3 \\ 4 \end{pmatrix} + B = \begin{pmatrix} 3 \\ 4 \end{pmatrix}, \quad A\begin{pmatrix} 0 \\ 2 \end{pmatrix} + B = \begin{pmatrix} 1 \\ 3 \end{pmatrix}.$$

By subtraction, we have
$$A\begin{pmatrix} 1 \\ 3 \end{pmatrix} = \begin{pmatrix} 3 \\ 0 \end{pmatrix} \quad\text{and}\quad A\begin{pmatrix} 3 \\ 1 \end{pmatrix} = \begin{pmatrix} 1 \\ 4 \end{pmatrix}.$$

These can be combined into one single matrix equation
$$A\begin{pmatrix} 1 & 3 \\ 3 & 1 \end{pmatrix} = \begin{pmatrix} 3 & 1 \\ 0 & 4 \end{pmatrix}.$$

From this,
$$A = \begin{pmatrix} 3 & 1 \\ 0 & 4 \end{pmatrix}\begin{pmatrix} 1 & 3 \\ 3 & 1 \end{pmatrix}^{-1} = \begin{pmatrix} 0 & 1 \\ 4 & 2 \end{pmatrix},$$
and
$$B = \begin{pmatrix} 0 \\ 4 \end{pmatrix} - \begin{pmatrix} 0 & 1 \\ 4 & 2 \end{pmatrix}\begin{pmatrix} 2 \\ 1 \end{pmatrix} = \begin{pmatrix} 4 \\ 4 \end{pmatrix}.$$


Therefore, the decryption key is
$$X \mapsto \begin{pmatrix} 0 & 1 \\ 4 & 2 \end{pmatrix} X - \begin{pmatrix} 1 \\ 1 \end{pmatrix}.$$

 A   B   C   D   E   F   G   H   I   J   K   L   M
00  01  02  03  04  10  11  12  13  14  20  21  22
44  01  13  20  32  43  00  12  24  31  42  04  11
 y   b   i   k   r   x   a   h   o   q   w   e   g

 N   O   P   Q   R   S   T   U   V   W   X   Y
23  24  30  31  32  33  34  40  41  42  43  44
23  30  41  03  10  22  34  40  02  14  21  33
 n   p   v   d   f   m   t   u   c   j   l   s

Thus, we decode the message as

THLLT LENGX SAYTL EAIRT HLKIE XQCYC
theet ernal myste ryoft hewor ldisi
TYVIS OELHL NYCBC XCTA
tscom prehe nsibi lity

The eternal mystery of the world is its comprehensibility.

^1 Answer to Example 22.2: A mathematician, like a painter or a poet, is a maker of patterns. If his patterns are more permanent than theirs, it is because they are made of ideas. (G. H. Hardy, A Mathematician's Apology, §10).


Chapter 23

A public key cryptosystem

23.1 RSA-cryptosystems

The RSA-cryptosystem^1 is a public key cryptosystem based on the difficulty of factoring large integers. Let $p$ and $q$ be prime numbers, and $N = pq$, with
$$\phi(N) = \phi(pq) = (p - 1)(q - 1) = N + 1 - p - q.$$

Let $e$ be an integer prime to $\phi(N)$, so that there exists $d$ with $ed \equiv 1 \pmod{\phi(N)}$. In such a cryptosystem, plaintexts and ciphertexts are converted into numbers $< N$. Here are some standard ways to do this.

(1) The letters in the alphabet are first converted into two-digit numbers and then concatenated to form a large number (not exceeding $N$). If $N$ is a 100-digit number, then we agree to concatenate strings of 40 letters into 80-digit numbers. In order to avoid "missing zeros" in the leftmost positions, we may agree to convert, for example, a, b, c, ... into 10, 11, ..., 35.

(2) Suppose $N > 26^k$. We may regard a block of $k$ letters (under the usual identification of a, b, c, ... with 0, 1, ..., 25) as the base-26 expansion of an integer. For example, if $N \approx 500{,}000$, we may convert blocks of 4 letters like math into
$$12 \cdot 26^3 + 0 \cdot 26^2 + 19 \cdot 26 + 7 = 211413$$
and other numbers $< N$. In the examples below, we shall make use of this scheme.

For texts involving numbers $< N$, the RSA-cryptosystem has
(i) encryption key $\mathrm{RSA}_e = (N, e)$, which converts a plaintext $x$ into the ciphertext $x^e \bmod N$, and
(ii) decryption key $\mathrm{RSA}_d = (N, d)$, which converts a ciphertext $x$ into the plaintext $x^d \bmod N$.

^1 Named after Rivest, Shamir and Adleman.


Example 23.1. Here is an illustration with small primes. Let $N = 1271$ (which is the product of two small primes, 31 and 41). Here $\phi(N) = 1200$. We treat texts as 2-letter blocks, and use the encryption key $\mathrm{RSA}_e(1271, 7)$. Given the plaintext no, we
(i) convert it into the number $x = 13 \cdot 26 + 14 = 352$,
(ii) compute $352^7 \bmod 1271$, getting 602, and
(iii) write $602 = 23 \cdot 26 + 4$, corresponding to XE.

For the decryption key, we first find $\phi(1271) = 1200$ and the inverse of $7 \bmod 1200$, which is $d = 343$. This leads to $\mathrm{RSA}_d(1271, 343)$. Therefore, to decode the message,
(i') convert XE into the integer 602,
(ii') compute $602^{343} \bmod 1271$, getting 352,
(iii') write $352 = 13 \cdot 26 + 14$ and decipher the text as no.

Given a large number $N$ which is known to be the product of two large prime numbers, it is very difficult to factor $N$ (equivalently, to find $\phi(N)$), and therefore to find the inverse $d = e^{-1} \bmod \phi(N)$.

Bob publishes on his website his encryption key
$$f_B := \mathrm{RSA}_e(N, e)$$
and conceals his decryption key
$$f_B^{-1} := \mathrm{RSA}_d(N, d).$$

He invites messages sent to him encrypted by his public key. Alice does so. She takes a plaintext $x$, encodes it according to $f_B(x) = x^e \bmod N$, and sends it to Bob as a ciphertext $y < N$. When Bob receives this, he deciphers by using his own (concealed) decryption key and retrieves $x = y^d \bmod N$ as the plaintext.

Even when a spy (Eve) intercepts Alice’s message, she has no reasonable meansof deciphering, even though Bob’s encryption key has been made public.

23.2 Signature

Alice and Bob, by publishing their own encryption keys
$$\text{Alice: } f_A := \mathrm{RSA}_e(N_a, e_a), \qquad \text{Bob: } f_B := \mathrm{RSA}_e(N_b, e_b),$$
can communicate without fearing intercepted messages being decoded easily. Alice wants to send a message (in the form of a number $x < N := \min(N_a, N_b)$) to Bob in such a way that Bob knows that the message is from her. It is not enough to just send $f_B(x)$ to Bob. Instead, Alice sends $z := f_B \circ f_A^{-1}(x)$. In other words, Alice applies
(i) to $x$ her own (concealed) decryption key $f_A^{-1}$ to get $y$, and then
(ii) to $y$ Bob's public key $f_B$ to get $z$.
Alice then sends $z$ to Bob. When Bob receives $z$, he applies
(i) first his own decryption key $f_B^{-1}$ to get $w$ (which is the same as $y$ above), and then
(ii) to $w$ Alice's public key $f_A$ to get a meaningful message $x$.

Since Alice is (supposedly) the only person knowing $f_A^{-1}$, Bob knows that this message has been sent by Alice.

Example 23.2. Suppose Alice's public key is $f_A = \mathrm{RSA}_e(1247, 11)$. Her concealed decryption key is $f_A^{-1} = \mathrm{RSA}_d(1247, 107)$. Bob uses the public key $f_B = \mathrm{RSA}_e(1271, 7)$ and conceals his own decryption key $f_B^{-1} = \mathrm{RSA}_d(1271, 343)$. To send the message no (corresponding to the number $x = 352$) to Bob, Alice
(i) uses her own decryption key to find $y = 352^{107} \equiv 796 \pmod{1247}$,
(ii) applies Bob's public key to get $z = 796^7 \equiv 259 \pmod{1271}$,
and sends $z$ (or the corresponding ciphertext JZ).

When Bob receives JZ (or the number 259), he
(i') applies his own decryption key to get $w = 259^{343} \equiv 796 \pmod{1271}$,
(ii') applies Alice's public key to get $x = 796^{11} \equiv 352 \pmod{1247}$, which corresponds to the plaintext no.
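RSA on 2-letter base-26 blocks and the sign-then-encrypt exchange of Examples 23.1 and 23.2, as an added example (my code, not the notes'). Keys are derived from the page's primes $31, 41$ and $29, 43$; the function names are mine.

```python
"""RSA on base-26 letter blocks, following Examples 23.1 and 23.2: keys from p, q,
encryption/decryption, and the sign-then-encrypt exchange of Section 23.2."""
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def text_to_number(block):
    """Base-26 value of a letter block, a = 0, ..., z = 25, e.g. 'no' -> 13*26 + 14."""
    n = 0
    for ch in block.lower():
        n = 26 * n + ALPHABET.index(ch)
    return n


def number_to_text(n, k):
    """Inverse of text_to_number for a k-letter block."""
    letters = []
    for _ in range(k):
        n, r = divmod(n, 26)
        letters.append(ALPHABET[r])
    return "".join(reversed(letters))


def block_length(N):
    """Largest k with 26^k < N, so that every k-letter block is a number below N."""
    k = 0
    while 26 ** (k + 1) < N:
        k += 1
    return k


def rsa_keys(p, q, e):
    """((N, e), (N, d)) with e*d = 1 (mod phi(N)); e must be prime to phi(N)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be prime to phi(N)")
    return (N, e), (N, pow(e, -1, phi))


def rsa_apply(key, x):
    """x^e mod N for an encryption key, x^d mod N for a decryption key; needs x < N."""
    N, exponent = key
    if not 0 <= x < N:
        raise ValueError("message must be a number below N")
    return pow(x, exponent, N)


def encrypt_text(plaintext, public_key):
    """Encrypt a message block by block (the last block is padded with 'x')."""
    k = block_length(public_key[0])
    letters = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    letters += "x" * (-len(letters) % k)
    return [rsa_apply(public_key, text_to_number(letters[i:i + k]))
            for i in range(0, len(letters), k)]


def decrypt_text(blocks, private_key):
    k = block_length(private_key[0])
    return "".join(number_to_text(rsa_apply(private_key, y), k) for y in blocks)


def sign_then_encrypt(x, alice_private, bob_public):
    """Alice's z = f_B(f_A^{-1}(x)); rsa_apply rejects a y that is not below N_b."""
    y = rsa_apply(alice_private, x)
    return rsa_apply(bob_public, y)


def decrypt_then_verify(z, bob_private, alice_public):
    """Bob's w = f_B^{-1}(z); f_A(w) is meaningful only if Alice produced z."""
    w = rsa_apply(bob_private, z)
    return rsa_apply(alice_public, w)


if __name__ == "__main__":
    bob_pub, bob_priv = rsa_keys(31, 41, 7)          # Example 23.1
    alice_pub, alice_priv = rsa_keys(29, 43, 11)     # Example 23.2
    x = text_to_number("no")
    print(x, rsa_apply(bob_pub, x), number_to_text(rsa_apply(bob_pub, x), 2))
    z = sign_then_encrypt(x, alice_priv, bob_pub)
    print(z, number_to_text(z, 2), decrypt_then_verify(z, bob_priv, alice_pub))
    print(decrypt_text(encrypt_text("mathematics", bob_pub), bob_priv))
```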


Chapter 24

Factoring integers

24.1 Flipping a coin over the phone

Alice and Bob play a coin-flipping game over the phone.

(1) Alice chooses two large distinct prime numbers $p$ and $q$, both congruent to $3 \bmod 4$, computes the product $N = pq$ and gives it to Bob, concealing the primes $p$ and $q$.

(2) Bob takes a random integer $x < N/2$, sticks it to one side of a coin. He then computes $y = x^2 \bmod N$ and gives it to Alice.

Modulo $N$, this number $y$ has four square roots $\pm A$ and $\pm B$. One of them is congruent to $x \bmod N$. Over the telephone, Alice would give Bob a number. She wins if her number is congruent to $\pm x \bmod N$, and loses if not.

(3) Alice, using the primes $p$ and $q$, can actually compute the four square roots of $y \bmod N$. This is what she would do. Since $p, q \equiv 3 \pmod 4$, $\frac{p+1}{4}$ and $\frac{q+1}{4}$ are integers. Alice puts
$$a \equiv y^{\frac{p+1}{4}} \pmod p \quad\text{and}\quad b \equiv y^{\frac{q+1}{4}} \pmod q.$$
It is easy to check that $a^2 \equiv y \pmod p$ and $b^2 \equiv y \pmod q$. By the Chinese remainder theorem, Alice finds $A \bmod N$ and $B \bmod N$ satisfying
$$A \equiv a \pmod p, \quad A \equiv b \pmod q,$$
and
$$B \equiv a \pmod p, \quad B \equiv -b \pmod q.$$

Alice sticks $\pm A$ to one side of her coin, and $\pm B$ to the other side. She chooses one face and reports the numbers ($\pm A$ or $\pm B$) to Bob. She wins if her number coincides with Bob's, and loses otherwise. In other words, Alice wins if and only if her coin turns up the same face as Bob's.

(5) Receiving Alice's number, Bob informs her if she wins or loses.


Suppose Bob tells Alice that she loses. How can Alice make sure that Bob does not lie? If Alice really loses, she would have given a square root of $y$ distinct from $\pm x$. This means Bob now has both square roots $\pm A$ and $\pm B$ of $y \bmod N$. From $A^2 \equiv B^2 \pmod N$, he should be able to factor $N = pq$ (by giving $\gcd(A - B, N)$ as a nontrivial divisor).

Here is an illustration with very small primes.

Example 24.1. Alice chooses $p = 43$ and $q = 59$ (both prime numbers of the form $4k + 3$). She computes the product
$$N = pq = 2537$$
and gives it to Bob. Bob chooses the number $x = 1234$, and gives Alice
$$y = x^2 \equiv 556 \pmod N.$$

When Alice receives $y$, she first computes $a = 556^{11} \equiv (-3)^{11} \equiv 13 \pmod{43}$ and $b = 556^{15} \equiv 25^{15} \equiv 5 \pmod{59}$, and then determines $A$ and $B$ by the Chinese remainder theorem,
$$A \equiv 13 \pmod{43},\ A \equiv 5 \pmod{59} \Rightarrow A \equiv 1303 \equiv -1234 \pmod{2537},$$
and
$$B \equiv 13 \pmod{43},\ B \equiv -5 \pmod{59} \Rightarrow B \equiv 1647 \equiv -890 \pmod{2537}.$$

Therefore, Alice wins if she gives 1234 or 1303, and loses if she gives 890 or 1647. Suppose she gives 890 to Bob. Bob would tell her that she loses and confirms by giving her the divisor $\gcd(1234 - 890, 2537) = 43$ of $N$.
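The square-root computation of step (3) and Bob's verification, as an added example (my code, not the notes'), run on the numbers of Example 24.1. The helper names are mine.

```python
"""Coin flipping over the phone (Section 24.1): the four square roots of y modulo
N = pq for primes p, q = 3 (mod 4), assembled with the Chinese remainder theorem,
and Bob's check that turns a losing reply into a factor of N."""
from math import gcd


def crt2(r1, m1, r2, m2):
    """The x mod m1*m2 with x = r1 (mod m1) and x = r2 (mod m2), gcd(m1, m2) = 1."""
    t = (r2 - r1) * pow(m1, -1, m2) % m2
    return (r1 + m1 * t) % (m1 * m2)


def sqrt_mod_prime_3mod4(y, p):
    """y^((p+1)/4) is a square root of y mod p when p = 3 (mod 4) and y is a square."""
    if p % 4 != 3:
        raise ValueError("p must be 3 mod 4")
    r = pow(y, (p + 1) // 4, p)
    if r * r % p != y % p:
        raise ValueError("y is not a square modulo p")
    return r


def roots_AB(y, p, q):
    """Alice's A and B: A = a (mod p), A = b (mod q); B = a (mod p), B = -b (mod q)."""
    a = sqrt_mod_prime_3mod4(y, p)
    b = sqrt_mod_prime_3mod4(y, q)
    return crt2(a, p, b, q), crt2(a, p, (-b) % q, q)


def four_square_roots(y, p, q):
    N = p * q
    A, B = roots_AB(y, p, q)
    return sorted({A, (-A) % N, B, (-B) % N})


def alice_reply(y, p, q, face):
    """Alice's coin: face 0 carries +-A, face 1 carries +-B; she reports one number."""
    A, B = roots_AB(y, p, q)
    return A if face == 0 else B


def bob_verdict(x, reply, N):
    """Bob compares Alice's number with his x. A losing reply is a root not congruent
    to +-x, so gcd(x - reply, N) is a nontrivial factor that backs up the verdict."""
    if (reply - x) % N == 0 or (reply + x) % N == 0:
        return "Alice wins", None
    return "Alice loses", gcd(x - reply, N)


def play_round(p, q, x, face):
    """One round: Bob commits y = x^2 mod N, Alice answers, Bob judges."""
    N = p * q
    y = x * x % N
    return bob_verdict(x, alice_reply(y, p, q, face), N)


if __name__ == "__main__":
    print(four_square_roots(556, 43, 59))        # [890, 1234, 1303, 1647]
    print(play_round(43, 59, 1234, 0), play_round(43, 59, 1234, 1))
```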

24.2 The quadratic sieve

Lemma 24.1. Given an integer $N$, if there are integers $x, y$ satisfying
$$x^2 \equiv y^2 \pmod N, \quad\text{but}\quad x \not\equiv \pm y \pmod N,$$
then $N$ is composite with a nontrivial divisor $\gcd(x - y, N)$.

Examples. (1) For $N = 799$, we have
$$30^2 \equiv 101 \pmod N \quad\text{and}\quad 64^2 \equiv 101 \pmod N.$$
This means that modulo $N$, $0 \equiv 64^2 - 30^2 \equiv (64 - 30)(64 + 30) \equiv 2 \cdot 17 \cdot 2 \cdot 47$. Since $N$ is odd, we obtain the divisors 17 and 47. Indeed, $799 = 17 \cdot 47$.


(2) Let $N = 3837523$. We have
$$9398^2 \equiv 5^5 \cdot 19 \pmod N,$$
$$19095^2 \equiv 2^2 \cdot 5 \cdot 11 \cdot 13 \cdot 19 \pmod N,$$
$$1964^2 \equiv 3^2 \cdot 13^3 \pmod N,$$
$$17078^2 \equiv 2^6 \cdot 3^2 \cdot 11 \pmod N.$$

Multiplication gives
$$(9398 \cdot 19095 \cdot 1964 \cdot 17078)^2 \equiv (2^4 \cdot 3^2 \cdot 5^3 \cdot 11 \cdot 13^2 \cdot 19)^2 \pmod N,$$
or
$$2230387^2 \equiv 2586705^2 \pmod N.$$

Thus, $\gcd(3837523, 2586705 - 2230387) = \gcd(3837523, 356318) = 1093$ is a divisor of $N$. The other divisor is 3511.

24.3 Factoring by continued fractions

Since the convergents of the continued fraction expansion of $\sqrt N$ are very good rational approximations to $\sqrt N$, it is expected that for such a convergent $\frac{P}{Q}$, $P^2 - NQ^2$ is a small integer (in comparison with $N$), and so has a factorization into "small primes". This observation provides a reasonable way of performing the quadratic sieve.

Example 24.2. Let $N = 2537$. From the continued fraction expansion of
$$\sqrt N = [50, 2, 1, 2, 2, 12, 5, 1, 5, 2, 5, 1, 5, 12, 2, 2, 1, 2, 100],$$
we compute

q_k              50     2     1     2     2   ...
P_k              50   101   151   403   957   ...
P_k^2 mod N     −37    53   −32    41    −8   ...

From these,
$$151^2 \equiv -2^5 \pmod N, \qquad 957^2 \equiv -2^3 \pmod N.$$
Therefore, $(151 \cdot 957)^2 \equiv (2^4)^2 \pmod N$. From this, we obtain $\gcd(151 \cdot 957 - 2^4, 2537) = 59$. This gives the factorization $2537 = 59 \cdot 43$.


Example 24.3. Consider again $N = 3837523$, with continued fraction^1
$$\sqrt N = [1958, 1, 23, 1, 3, 1, 13, 1, 1, 4, 4, 1, 1, 5, 16, 1, 1, 1, 2, 1, 5, 2, 2, 1, 3, 1, 1, 3, 1, 1, 3, 1, 1, 1, 3, 5, 1, 61, 2, 1, 6, \cdots].$$

If we restrict to very small primes, we find with the 36-th convergent $q_{35} = 5$, $P_{35} = 428399$. Here,
$$428399^2 \equiv 3249 \equiv (3 \cdot 19)^2 \pmod N.$$
This gives $\gcd(428399 - 3 \cdot 19, N) = 3511$ as a divisor. The other divisor is $\gcd(428399 + 3 \cdot 19, N) = 1093$.

Exercise

1. Let $N = 642401$. Make use of
$$516107^2 \equiv 7 \pmod N \quad\text{and}\quad 187722^2 \equiv 2^2 \cdot 7 \pmod N$$
to factor $N$.

2. Let $N = 2288233$. Make use of
$$880525^2 \equiv 2 \pmod N, \quad 2057202^2 \equiv 3 \pmod N, \quad 648581^2 \equiv 6 \pmod N$$
to factor $N$.

^1 The period has length 1162. We list here the first 40 entries of the period.
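Lemma 24.1 and the continued-fraction method of this section, as an added example (my code, not the notes'): it generates the partial quotients and convergent numerators $P_k$ of $\sqrt N$, keeps the residues $P_k^2 \bmod N$ that factor over a small prime base, and combines them into a congruence of squares by elimination over GF(2). It goes beyond Example 24.2 by finding the combination automatically rather than by inspection; all function names are mine.

```python
"""Factoring by congruent squares (Lemma 24.1) and the continued-fraction method of
Section 24.3: the convergents P_k of sqrt(N) have small residues P_k^2 mod N, which
are factored over a small prime base and combined into x^2 = y^2 (mod N)."""
from math import gcd, isqrt


def factor_from_squares(N, x, y):
    """Lemma 24.1: from x^2 = y^2 (mod N) return gcd(x - y, N) (trivial if x = +-y)."""
    return gcd(x - y, N)


def small_primes(bound):
    return [p for p in range(2, bound + 1)
            if all(p % d for d in range(2, isqrt(p) + 1))]


def factor_over_base(r, primes):
    """Exponent vector of r over [-1] + primes, or None when r is not smooth."""
    exps = [0] * (len(primes) + 1)
    if r < 0:
        exps[0], r = 1, -r
    for i, p in enumerate(primes, start=1):
        while r % p == 0:
            r //= p
            exps[i] += 1
    return exps if r == 1 else None


def sqrt_continued_fraction(N):
    """Yield (k, q_k, P_k mod N): partial quotients of sqrt(N) and convergent numerators."""
    a0 = isqrt(N)
    m, d, a = 0, 1, a0
    p_prev, p_cur = 1, a0 % N
    k = 0
    while True:
        yield k, a, p_cur
        m = d * a - m                      # standard recurrence for sqrt(N)
        d = (N - m * m) // d
        a = (a0 + m) // d
        p_prev, p_cur = p_cur, (a * p_cur + p_prev) % N
        k += 1


def cf_factor(N, bound=30, max_k=60):
    """A nontrivial divisor of N found from the first max_k convergents, or None."""
    if isqrt(N) ** 2 == N:
        return isqrt(N)
    primes = small_primes(bound)
    relations = []            # (P_k mod N, exponent vector) for smooth residues
    basis = {}                # pivot bit -> (reduced parity vector, history bitmask)
    for k, _, P in sqrt_continued_fraction(N):
        if k >= max_k:
            return None
        r = P * P % N
        if r > N // 2:
            r -= N                         # symmetric residue, equal to P_k^2 - N Q_k^2
        exps = factor_over_base(r, primes)
        if exps is None:
            continue
        relations.append((P, exps))
        v = sum((e % 2) << i for i, e in enumerate(exps))   # parity vector as bitmask
        h = 1 << (len(relations) - 1)                        # relations combined so far
        while v:                                             # elimination over GF(2)
            low = v & -v
            if low not in basis:
                basis[low] = (v, h)
                break
            bv, bh = basis[low]
            v ^= bv
            h ^= bh
        else:                 # v reduced to 0: the combined residues form a square
            x, total = 1, [0] * len(exps)
            for j, (Pj, ej) in enumerate(relations):
                if h >> j & 1:
                    x = x * Pj % N
                    total = [s + e for s, e in zip(total, ej)]
            y = 1
            for i, p in enumerate(primes, start=1):
                y = y * pow(p, total[i] // 2, N) % N
            g = factor_from_squares(N, x, y)
            if 1 < g < N:
                return g
    return None


if __name__ == "__main__":
    print(factor_from_squares(799, 30, 64))                 # 17
    g = cf_factor(2537, bound=10)
    print(g, 2537 // g)                                      # 59 43
    g = cf_factor(3837523, bound=20)
    print(g, 3837523 // g)
```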


Chapter 25

Elliptic Curves

25.1 Group law on $y^2 = x^3 + ax^2 + bx + c$

Consider an elliptic curve
$$(E)\quad y^2 = f(x) := x^3 + ax^2 + bx + c.$$

We shall write a point $P$ on $(E)$ in the form $P = (x[P], y[P])$, and put the identity at a point at infinity, so that
$$y[-P] = -y[P].$$

[Figure: the chord through $P$ and $Q$ meets $(E)$ again at $P * Q$; its reflection is $P + Q$.]

Consider a line of slope $m$ passing through $P$. It has equation $y - y[P] = m(x - x[P])$. It intersects the elliptic curve $(E)$ at points whose $x$-coordinates are the roots of the equation
$$(mx + (y[P] - mx[P]))^2 = x^3 + ax^2 + bx + c,$$
or equivalently,
$$x^3 - (m^2 - a)x^2 - (2m(y[P] - mx[P]) - b)x + c - (y[P] - mx[P])^2 = 0.$$


Since the sum of the three roots of the cubic is $m^2 - a$, we make the following conclusions.

(1) If the line is the tangent at $P$, then
(i) $m = \dfrac{f'(x[P])}{2y[P]}$,
(ii) the third intersection has $x$-coordinate
$$m^2 - a - 2x[P] = \frac{f'(x[P])^2}{4y[P]^2} - a - 2x[P] = \frac{x[P]^4 - 2bx[P]^2 - 8cx[P] + (b^2 - 4ac)}{4y[P]^2} = \frac{x[P]^4 - 2bx[P]^2 - 8cx[P] + (b^2 - 4ac)}{4(x[P]^3 + ax[P]^2 + bx[P] + c)}.$$
The $y$-coordinate can be computed from the equation of the line. In particular,
$$x[2P] = \frac{x[P]^4 - 2bx[P]^2 - 8cx[P] + (b^2 - 4ac)}{4(x[P]^3 + ax[P]^2 + bx[P] + c)}.$$

(2) If the line joins two points $P_1$ and $P_2$ on $(E)$, then
(i) $m = \dfrac{y[P_1] - y[P_2]}{x[P_1] - x[P_2]}$;
(ii) the third intersection has $x$-coordinate
$$m^2 - a - x[P_1] - x[P_2] = \left(\frac{y[P_1] - y[P_2]}{x[P_1] - x[P_2]}\right)^2 - a - (x[P_1] + x[P_2]) = \frac{x[P_1]x[P_2](x[P_1] + x[P_2] + 2a) + b(x[P_1] + x[P_2]) + 2c - 2y[P_1]y[P_2]}{(x[P_1] - x[P_2])^2}.$$
The $y$-coordinate can be computed from the equation of the line.

25.2 The discriminant

The discriminant of the cubic $f(x) := x^3 + ax^2 + bx + c$ is the number
$$D := -4a^3c + a^2b^2 + 18abc - 4b^3 - 27c^2.$$

Theorem 25.1 (Nagell-Lutz). Let $P = (x, y)$ be a point of finite order on $(E): y^2 = x^3 + ax^2 + bx + c$. Then either $y = 0$ (in which case $P$ has order 2) or $y^2 \mid D$.

Theorem 25.2 (Mazur). The torsion group of the rational points of an elliptic curve over $\mathbb{Q}$ is one of the following 15 groups:
(i) $\mathbb{Z}_n$ with $n = 1, 2, 3, \ldots, 9, 10, 12$;
(ii) $\mathbb{Z}_{2n} \oplus \mathbb{Z}_2$ with $n = 1, 2, 3, 4$.


Example 25.1. $y^2 = x^3 + 17$ has two obvious integer points $P = (-2, 3)$ and $Q = (-1, 4)$. The table lists $hP + kQ$:

h \ k    −1                        0            1
−2       (2, −5)                   (8, 23)      (−206/81, −541/729)
−1       (4, 9)                    (−2, −3)     (52, −375)
 0       (−1, −4)                  ∞            (−1, 4)
 1       (52, 375)                 (−2, 3)      (4, −9)
 2       (−206/81, 541/729)        (8, −23)     (2, 5)

Also $3P + 2Q = (43, 280)$ and $2P + 3Q = (5234, 378661)$.

[Figure: associativity of the group law, $P * (Q + R) = (P + Q) * R$, showing the points $O, P, Q, R, P * Q, Q * R, P + Q, Q + R$.]


Example 25.2. $y^2 = x^3 - 43x + 166$ has an integer point $P = (3, 8)$.
$$2P = (-5, -16), \quad 3P = (11, -32), \quad 4P = (11, 32).$$
This means that $4P = -3P$ and $7P = 0$. The point generates a cyclic group of order 7.

25.3 Points of finite order

Consider an elliptic curve
$$y^2 = f(x) = x^3 + ax^2 + bx + c.$$

(1) A point $P = (x, y)$ has order 2 if and only if $y = 0$. In this case, $x$ is a root of $f(x)$.

(2) A point $P = (x, y)$ has order 3 if and only if $x$ is a root of
$$3x^4 + 4ax^3 + 6bx^2 + 12cx + (4ac - b^2) = 0.$$
Proof. $x[2P] = x[P]$.

Theorem 25.3 (Nagell-Lutz). Let $y^2 = x^3 + ax^2 + bx + c$, $a, b, c \in \mathbb{Z}$, be a nonsingular cubic curve with discriminant $D$. If $(x, y)$ is a rational point of finite order, then $x$ and $y$ are integers and either $y = 0$ (in which case $P$ has order 2) or $y^2 \mid D$.

Example 25.3. $y^2 = x^3 + 5x^2 + 4x = x(x + 1)(x + 4)$ has three rational roots. The points $(0, 0)$, $(-1, 0)$, and $(-4, 0)$ are points of order 2. The discriminant is $2^4 \cdot 3^2$.
$y^2 = 2^2$: $x = -2$, giving $(-2, 2)$, $(-2, -2)$.
$y^2 = 2^2 \cdot 3^2$: $x = 2$, giving $(2, 6)$, $(2, -6)$.
For each of these, $x[2P] = 0$. This means that these are points of order 4.

Theorem 25.4 (Mazur). The torsion group of the rational points of an elliptic curve over $\mathbb{Q}$ is one of the following 15 groups:
(i) $\mathbb{Z}_n$ with $n = 1, 2, 3, \ldots, 9, 10, 12$;
(ii) $\mathbb{Z}_{2n} \oplus \mathbb{Z}_2$ with $n = 1, 2, 3, 4$.

Example 25.4.

Elliptic curve        Torsion group    Discriminant
y^2 = x^3 + 2         0                −2^2 · 3^3
y^2 = x^3 + x         Z_2              −2^2
y^2 = x^3 + 4         Z_3              −2^4 · 3^3
y^2 = x^3 + 4x        Z_4              −2^8


Chapter 26

Factoring Integers 2

26.1 Pollard’s algorithm

To factor a large composite integer $N$, first choose a number $K$, say of the form
$$l_k = \mathrm{LCM}[1, 2, \ldots, k],$$
and compute $\gcd(2^{l_k} - 1, N)$.^1 If this is between 1 and $N$, then it gives a factorization of $N$.

To execute the computations efficiently, note that if we write $c_k = \dfrac{k}{\gcd(k, l_{k-1})}$ and $b_k = 2^{l_k} \bmod N$, then
(i) $l_k = c_k l_{k-1}$,
(ii) $b_k \equiv b_{k-1}^{c_k} \pmod N$.

Example 26.1. $N = 2537$:

k   c_k   l_k   b_k := 2^{l_k} mod N   gcd(b_k − 1, N)
2    2      2      4                     1
3    3      6     64                     1
4    2     12   −978                     1
5    5     60   −586                     1
6    1     60   −586                     1
7    7    420   1162                    43

This gives $2537 = 43 \cdot 59$.

Example 26.2. Let $N = 246082373$.

^1 The base 2 may be replaced by any other $a$ in the range $1 < a < N$.


k   c_k   l_k    b_k := 2^{l_k} mod N               gcd(b_k − 1, N)
1    1      1    2                                   1
2    2      2    2^2 ≡ 4                             1
3    3      6    4^3 ≡ 64                            1
4    2     12    64^2 ≡ 4096                         1
5    5     60    4096^5 ≡ −51132818                  1
6    1     60    −51132818                           1
7    7    420    (−51132818)^7 ≡ 60592910            1
8    2    840    60592910^2 ≡ −30746792              1
9    3   2520    (−30746792)^3 ≡ −115141632       2521

Note $\gcd(b_9 - 1, N) = \gcd(-115141633, N) = 2521$ since
$$(-115141633)(21806) + (246082373)(10203) = 2521.$$

Thus, we have found a divisor 2521 of 246082373. This gives
$$246082373 = 2521 \cdot 97613.$$

Example 26.3. $N = 618240007109027021$. It takes $k = 243$ to get the divisor 250387201 and the factorization
$$N = 250387201 \cdot 2469135821.$$
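Pollard's $p - 1$ method as an added example (my code, not the notes'): it implements recurrences (i) and (ii) above, stops at the first $k$ with a nontrivial $\gcd(b_k - 1, N)$, and can print the tables of Examples 26.1 and 26.2. Function names are mine.

```python
"""Pollard's p-1 method of Section 26.1: l_k = lcm(1, ..., k) and b_k = 2^{l_k} mod N
computed incrementally with c_k = k / gcd(k, l_{k-1}), stopping as soon as
gcd(b_k - 1, N) is a nontrivial divisor."""
from math import gcd


def pollard_p_minus_1(N, base=2, max_k=100_000):
    """(k, divisor) at the first k with 1 < gcd(b_k - 1, N) < N; (k, None) when the
    gcd jumps straight to N (retry with another base); None if max_k is reached."""
    l, b = 1, base % N
    for k in range(2, max_k + 1):
        c = k // gcd(k, l)                # (i)  l_k = c_k * l_{k-1}
        l *= c
        b = pow(b, c, N)                  # (ii) b_k = b_{k-1}^{c_k} mod N
        g = gcd(b - 1, N)
        if g == N:
            return k, None
        if g > 1:
            return k, g
    return None


def pollard_table(N, base=2, max_k=10):
    """Rows (k, c_k, l_k, b_k, gcd(b_k - 1, N)) as in Examples 26.1 and 26.2."""
    rows = []
    l, b = 1, base % N
    for k in range(2, max_k + 1):
        c = k // gcd(k, l)
        l *= c
        b = pow(b, c, N)
        rows.append((k, c, l, b, gcd(b - 1, N)))
    return rows


def signed(b, N):
    """Representative of b in (-N/2, N/2], the form used in the tables of the notes."""
    return b - N if b > N // 2 else b


if __name__ == "__main__":
    for k, c, l, b, g in pollard_table(2537, max_k=7):
        print(k, c, l, signed(b, 2537), g)
    print(pollard_p_minus_1(2537), pollard_p_minus_1(246082373))
```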

26.2 Factoring with elliptic curves

Given an elliptic curve
$$(E):\quad y^2 = x^3 + bx + c$$
with integer coefficients and a prime number $p$, we consider
$$(E)_p:\quad y^2 \equiv x^3 + bx + c \pmod p.$$

The addition laws
$$x(P_1 + P_2) = m^2 - x(P_1) - x(P_2), \qquad x(2P) = \lambda^2 - 2x(P),$$
apply to $(E)_p$ since
$$m = \frac{y(P_1) - y(P_2)}{x(P_1) - x(P_2)}, \qquad \lambda = \frac{3x^2 + b}{2y}$$
can be interpreted as elements of $\mathbb{Z}_p$.


Example 26.4. Consider $(E)_5: y^2 = x^3 + 4x + 4 \pmod 5$. There are only finitely many points on the curve, namely,
$$(0, 2), (0, 3), (1, 2), (1, 3), (2, 0), (4, 2), (4, 3), \infty.$$

In computing $(1, 2) + (4, 3)$, we have $m = \frac{3 - 2}{4 - 1} = \frac13 \equiv 2 \pmod 5$. Therefore, from
$$x_3 \equiv 2^2 - 1 - 4 \equiv 4 \pmod 5,$$
$$y_3 \equiv 2(4 - 1) + 2 \equiv 3 \pmod 5,$$
we have $(1, 2) + (4, 3) = (4, -3) = (4, 2) \in (E)_5$.

Example 26.5. Consider $(E)_{2011}: y^2 = x^3 + 4x + 4 \pmod{2011}$. With $P = (1, 3)$, we compute $2P$ by first evaluating at $(1, 3)$:
$$2y\,dy = (3x^2 + 4)\,dx \Rightarrow \frac{dy}{dx} = \frac{7}{6}.$$

Now, since $2011 + 6 \cdot (-335) = 1$, we have $\lambda = \frac76 \equiv 7 \times (-335) \equiv -334$. Therefore, from
$$x_2 \equiv \lambda^2 - 2 \cdot 1 \equiv 949 \pmod{2011},$$
$$y_2 \equiv -334(949 - 1) + 3 \equiv -902 \pmod{2011},$$
we have $2(1, 3) = (949, 902) \in (E)_{2011}$. Similarly, $3P = (410, -824) \in (E)_{2011}$.

Now we work out an example when the prime $p$ is replaced by a composite. Consider $(E)_{2773}: y^2 \equiv x^3 + 4x + 4 \pmod{2773}$, again with $P = (1, 3)$. Since $2773 - 6 \cdot 462 = 1$, we have $\lambda = \frac76 \equiv 7 \times (-462) = -461$. Therefore, from
$$x_2 \equiv \lambda^2 - 2 \cdot 1 \equiv -1002 \pmod{2773},$$
$$y_2 \equiv -461(-1002 - 1) + 3 \equiv -705 \pmod{2773},$$
we have $2(1, 3) = (-1002, 705)$. Now, when we compute $3P = 2P + P$, we have
$$m = \frac{705 - 3}{-1002 - 1} = -\frac{702}{1003}.$$

Attempting to find the inverse of 1003 modulo 2773, we find instead $\gcd(2773, 1003) = 59 = 2773 \cdot 4 - 1003 \cdot 11$.

Thus, the calculation fails to give $3P$, but it yields the factorization $2773 = 59 \cdot 47$.
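Elliptic-curve addition modulo $N$, as an added example (my code, not the notes'): over the prime 2011 it reproduces $2P$ of Example 26.5 and the sum of Example 26.4, and over the composite 2773 the non-invertible slope denominator of $3P$ surfaces the factor 59. The class and function names are mine; the final function goes beyond the page by iterating multiples $k!\,P$ the way an elliptic-curve factoring run does.

```python
"""Elliptic-curve arithmetic modulo N on y^2 = x^3 + b x + c (Section 26.2). Modulo
a prime this is the group law of Examples 26.4 and 26.5; modulo a composite a
non-invertible denominator exposes a factor, as when 3P fails modulo 2773."""
from math import gcd


class FactorFound(Exception):
    """Raised when a denominator shares a factor with N; .divisor is that factor."""
    def __init__(self, divisor):
        super().__init__(divisor)
        self.divisor = divisor


def inverse_mod(v, N):
    """v^{-1} mod N, or FactorFound(gcd(v, N)) when the inverse does not exist."""
    g = gcd(v % N, N)
    if g != 1:
        raise FactorFound(g)
    return pow(v, -1, N)


def on_curve(P, b, c, N):
    x, y = P
    return (y * y - (x ** 3 + b * x + c)) % N == 0


def ec_add(P, Q, b, N):
    """P + Q modulo N; None stands for the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % N == 0:
        if (y1 + y2) % N == 0:
            return None                                         # Q = -P
        lam = (3 * x1 * x1 + b) * inverse_mod(2 * y1, N) % N    # tangent slope
    else:
        lam = (y2 - y1) * inverse_mod(x2 - x1, N) % N           # chord slope
    x3 = (lam * lam - x1 - x2) % N
    y3 = (lam * (x1 - x3) - y1) % N
    return x3, y3


def ec_mul(k, P, b, N):
    """k * P by double-and-add."""
    result, addend = None, P
    while k > 0:
        if k & 1:
            result = ec_add(result, addend, b, N)
        addend = ec_add(addend, addend, b, N)
        k >>= 1
    return result


def multiples_until_failure(P, b, N, count):
    """P, 2P, 3P, ... by repeated addition of P, as in Example 26.5.
    Returns ('points', [...]) or ('factor', d) when an inversion fails."""
    points, Q = [], None
    try:
        for _ in range(count):
            Q = ec_add(Q, P, b, N)
            points.append(Q)
    except FactorFound as f:
        return "factor", f.divisor
    return "points", points


def ecm_stage(N, P, b, bound):
    """Compute (bound!) * P step by step; a failed inversion yields a factor of N,
    reaching the point at infinity without one yields None."""
    Q = P
    try:
        for k in range(2, bound + 1):
            Q = ec_mul(k, Q, b, N)
            if Q is None:
                return None
    except FactorFound as f:
        return f.divisor
    return None


if __name__ == "__main__":
    print(ec_add((1, 2), (4, 3), 4, 5))                  # (4, 2), Example 26.4
    print(ec_add((1, 3), (1, 3), 4, 2011))               # (949, 902), Example 26.5
    print(multiples_until_failure((1, 3), 4, 2773, 3))   # ('factor', 59)
    print(ecm_stage(2773, (1, 3), 4, 10))
```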


Chapter 27

Some examples of the use of ellipticcurves

27.1 The congruent number problem

The area of an integer right triangle (Pythagorean) is always a multiple of 6. Fibonacci asked for a right triangle with rational sides whose area is 5, and gave as an example . More generally, a positive integer $n$ is called a congruent number if it is the area of a rational right triangle.

Proposition 27.1. $n$ is a congruent number if there is a rational number $x$ such that $x^2 - n$ and $x^2 + n$ are both squares of rational numbers. In other words, $n$ is the common difference of three rational squares in arithmetic progression.

The lengths of the sides of the right triangle are $\sqrt{x^2 + n} \pm \sqrt{x^2 - n}$ and $2x$.

Let $(a, b, c)$ be a rational right triangle with hypotenuse $c$ and area $n$. From
$$(a + b)^2 = c^2 + 4n, \qquad (a - b)^2 = c^2 - 4n,$$
we have $(a^2 - b^2)^2 = c^4 - 16n^2$, or
$$\left(\frac{a^2 - b^2}{4}\right)^2 = \left(\frac{c}{2}\right)^4 - n^2.$$

Let $x = \left(\frac{c}{2}\right)^2$ and $y = \frac{(a^2 - b^2)c}{8}$. Multiplying the above equation throughout by $x$, we have
$$y^2 = x^3 - n^2x.$$

Proposition 27.2. Let $(x, y)$ be a rational point on the elliptic curve $y^2 = x^3 - n^2x$. Suppose $x$ is a square (rational number) with even denominator (when expressed in lowest terms). Then there is a rational right triangle of area $n$ and hypotenuse $2\sqrt{x}$.


Example 27.1. The Pythagorean triangle $(3, 4, 5)$ with area 6 corresponds to the rational point $P = \left(\frac{25}{4}, -\frac{35}{8}\right)$ on the elliptic curve $y^2 = x^3 - 36x$. Since $2P = \left(\frac{1442401}{19600}, \frac{1726556399}{2744000}\right)$, and $\frac{1442401}{19600} = \left(\frac{1201}{140}\right)^2$, this corresponds to the rational right triangle $\left(\frac{7}{10}, \frac{120}{7}, \frac{1201}{70}\right)$ of area 6.
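The group law of Section 25.1 in exact rational arithmetic and the triangle-to-point correspondence of Section 27.1, as one added example serving both passages (my code, not the notes'). It reproduces entries of the table in Example 25.1, the order-7 point of Example 25.2, and the passage from $(3, 4, 5)$ to $P$ and from $2P$ back to a triangle in Example 27.1; the function names are mine.

```python
"""Group law on y^2 = x^3 + a x^2 + b x + c over Q in exact rational arithmetic
(Section 25.1), used to reproduce point tables of Chapter 25 and to pass between
rational points of y^2 = x^3 - n^2 x and right triangles of area n (Section 27.1)."""
from fractions import Fraction as Fr
from math import isqrt


def ec_add(P, Q, a, b, c):
    """P + Q on (E); None is the point at infinity. The slope is f'(x)/(2y) for the
    tangent and (y1 - y2)/(x1 - x2) for a chord; the third intersection is reflected."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = Fr(P[0]), Fr(P[1])
    x2, y2 = Fr(Q[0]), Fr(Q[1])
    if x1 == x2:
        if y1 + y2 == 0:
            return None
        m = (3 * x1 * x1 + 2 * a * x1 + b) / (2 * y1)
    else:
        m = (y1 - y2) / (x1 - x2)
    x3 = m * m - a - x1 - x2                     # the three roots sum to m^2 - a
    y3 = -(m * (x3 - x1) + y1)                   # y on the line, then reflected
    return x3, y3


def ec_neg(P):
    return None if P is None else (Fr(P[0]), -Fr(P[1]))


def ec_mul(k, P, a, b, c):
    """k * P for any integer k, by double-and-add (negative k uses -P)."""
    if k < 0:
        k, P = -k, ec_neg(P)
    result, addend = None, P
    while k > 0:
        if k & 1:
            result = ec_add(result, addend, a, b, c)
        addend = ec_add(addend, addend, a, b, c)
        k >>= 1
    return result


def point_order(P, a, b, c, limit=12):
    """Order of P when it is at most limit (by Mazur, torsion orders are <= 12);
    None signals a point of infinite order."""
    Q = P                                        # Q holds n*P at the start of step n
    for n in range(1, limit + 1):
        if Q is None:
            return n
        Q = ec_add(Q, P, a, b, c)
    return None


def rational_sqrt(r):
    """Exact square root of a non-negative Fraction, or None if it is not a square."""
    r = Fr(r)
    if r < 0:
        return None
    n, d = isqrt(r.numerator), isqrt(r.denominator)
    return Fr(n, d) if n * n == r.numerator and d * d == r.denominator else None


def congruent_number_curve(n):
    """Coefficients (a, b, c) of y^2 = x^3 - n^2 x, the curve of Section 27.1."""
    return 0, -n * n, 0


def point_from_triangle(a, b, c):
    """Section 27.1: a right triangle (legs a, b; hypotenuse c) of area n gives the
    point x = (c/2)^2, y = (a^2 - b^2) c / 8 on y^2 = x^3 - n^2 x."""
    a, b, c = Fr(a), Fr(b), Fr(c)
    return (c / 2) ** 2, (a * a - b * b) * c / 8


def triangle_from_point(P):
    """Proposition 27.2 reversed: c = 2 sqrt(x), and a^2, b^2 = (c^2 +- 8y/c) / 2 must
    all be rational squares. Returns (shorter leg, longer leg, hypotenuse)."""
    x, y = Fr(P[0]), Fr(P[1])
    half_c = rational_sqrt(x)
    if half_c is None:
        raise ValueError("x is not a rational square")
    c = 2 * half_c
    diff = 8 * y / c                                     # equals a^2 - b^2
    legs = [rational_sqrt((c * c + diff) / 2), rational_sqrt((c * c - diff) / 2)]
    if None in legs:
        raise ValueError("point does not come from a rational right triangle")
    return tuple(sorted(legs)) + (c,)


if __name__ == "__main__":
    P, Q = (-2, 3), (-1, 4)                              # Example 25.1, y^2 = x^3 + 17
    for h in range(-2, 3):
        print(h, [ec_add(ec_mul(h, P, 0, 0, 17), ec_mul(k, Q, 0, 0, 17), 0, 0, 17)
                  for k in (-1, 0, 1)])
    print(point_order((3, 8), 0, -43, 166))              # 7, Example 25.2
    P6 = point_from_triangle(3, 4, 5)                    # Example 27.1
    print(P6, triangle_from_point(ec_mul(2, P6, *congruent_number_curve(6))))
```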

Example 27.2. More interesting is Fibonacci's example, the three rational squares $\left(\frac{31}{12}\right)^2, \left(\frac{41}{12}\right)^2, \left(\frac{49}{12}\right)^2$ in arithmetic progression with common difference 5. This means that the rational triangle $\left(\frac{3}{2}, \frac{20}{3}, \frac{41}{6}\right)$ has area 5. This corresponds to the rational point $P = \left(\frac{1681}{144}, -\frac{62279}{288}\right)$ on the elliptic curve $y^2 = x^3 - 25x$. Now,
$$2P = \left(\frac{11183412793921}{2234116132416}, \frac{468238010077154040511}{2226216297771777024}\right).$$
What rational triangle of area 5 does this give?

Example 27.3. Since there is no Pythagorean triangle with square area, no square rational number can be a congruent number.

Exercise

Euler had found that $337^2 \pm 7 \cdot 120^2$ are both squares, being the squares of 463 and 113 respectively. Make use of this to find two rational right triangles with area 7.

27.2 Pairs of isosceles triangle and rectangle with equal perimeters and equal areas

The isosceles triangle $(5, 5, 6)$ and the rectangle $6 \times 2$ both have perimeter 16 and area 12. More generally, we seek an isosceles triangle with sides $(m^2 + n^2, m^2 + n^2, 2(m^2 - n^2))$. It has perimeter $4m^2$, height $2mn$, and area $2mn(m^2 - n^2)$. A rectangle of integer dimensions $p \times q$ has the same perimeter and area as the triangle if and only if
$$p + q = 2m^2, \qquad pq = 2mn(m^2 - n^2).$$

Note that $(p - q)^2 = (p + q)^2 - 4pq = 4m^4 - 8mn(m^2 - n^2)$. If we put
$$x = \frac{2n}{m}, \qquad y = \frac{p - q}{m^2},$$
this condition becomes
$$y^2 = x^3 - 4x + 4.$$


Exercise

(1) Clearly, the point $(1, 1)$ is on the curve. With $1 = \frac{2n}{m}$, we take $m = 2$, $n = 1$. This gives the isosceles triangle $(5, 5, 6)$ and rectangle $6 \times 2$ as above.

(2) There is another obvious point $P = (2, 2)$. Indeed, on the elliptic curve
$$2P = (0, 2), \quad 3P = (-2, -2), \quad 4P = (1, -1).$$

k     ±kP                              (m, n)          side and base           p × q                  perimeter, area
−4    (1, 1)                           (2, 1)          5, 6                    2 × 6                  (16, 12)
7     (10/9, 26/27)                    (9, 5)          106, 112                42 × 120               (324, 5040)
−10   (88/49, 554/343)                 (49, 44)        4337, 930               462 × 4340             (9604, 2005080)
13    (206/961, 52894/29791)           (961, 103)      934130, 1825824         103664 × 1743378       (3694084, 180725536992)
−15   (9362/10609, 1175566/1092727)    (10609, 4681)   134462642, 181278240    52009232 × 173092530

27.3 Triangles with a median, an altitude, and an angle bisector concurrent

Given triangle $ABC$, the altitude on $BC$, the bisector of angle $B$ and the median on $AB$ are concurrent if and only if
$$\cos\beta = \frac{a}{c + a}.$$

[Figure: triangle $ABC$ with the three cevians through $D$, $E$, $F$ meeting at $P$.]

By the law of cosines, $\cos\beta = \frac{c^2 + a^2 - b^2}{2ca}$, so we have
$$a^3 - ab^2 + a^2c - b^2c - ac^2 + c^3 = 0.$$

By putting $x = \frac{2c}{c + a}$ and $y = \frac{2b}{c + a}$, this becomes
$$y^2 = x^3 - 4x + 4$$
again. If $(x, y)$ is a rational point on the elliptic curve, then $a : b : c = 2 - x : y : x$. To satisfy the triangle inequality, we require $y < 2$ and $\frac12(2 - y) < x < \frac12(y + 2)$.

Here are some examples generated from multiples of $P = (2, 2)$:


k     ±kP                                                  (a, b, c)
−4    (1, 1)                                               (1, 1, 1)
7     (10/9, 26/27)                                        (12, 13, 15)
−10   (88/49, 554/343)                                     (35, 277, 308)
13    (206/961, 52894/29791)                               (26598, 26447, 3193)
−15   (9362/10609, 1175566/1092727)                        (610584, 587783, 482143)
18    (589456/483025, 324783646/335702375)                 (130866415, 162391823, 204835960)
−21   (92869078/57017601, 5785768413624/430539905151)      (79912701162, 289288420681, 350627203989)


Chapter 28

Heron triangles and Elliptic Curves

28.1 The elliptic curve $y^2 = (x - k)^2 - 4kx^3$

A triangle is determined, up to similarity, by a set of three positive real numbers $\{t_1, t_2, t_3\}$ satisfying the relation
$$t_1t_2 + t_2t_3 + t_3t_1 = 1. \qquad (28.1)$$

Such are indeed the tangents of the half-angles of the triangle. If the triangle is scaled to have unit semiperimeter, the lengths of the sides are
$$t_1(t_2 + t_3), \quad t_2(t_3 + t_1), \quad\text{and}\quad t_3(t_1 + t_2),$$
and the area is $k = t_1t_2t_3$. From the inequality of arithmetic and geometric means, it is easy to see that $k^2 \le \frac{1}{27}$, with equality precisely in the case of an equilateral triangle. We study triangles with rational sides and rational areas. It is clear that for such triangles, the parameters $t_1$, $t_2$, and $t_3$ are all rational. Since such triangles cannot be equilateral, we shall assume $k^2 < \frac{1}{27}$. Elimination of $t_3$ leads to
$$t_1^2t_2^2 - (t_1 - k)t_2 + kt_1 = 0.$$

A given rational number $t_1$ determines a rational number $t_2$, and consequently a triangle with rational sides and rational area, if and only if $(t_1 - k)^2 - 4kt_1^3$ is a rational square. A rational point $(x, y)$ on the elliptic curve
$$E_k : y^2 = (x - k)^2 - 4kx^3,$$
therefore, determines rational numbers
$$t_1 = x, \quad t_2 = \frac{x + y - k}{2x^2}, \quad t_3 = \frac{x - y - k}{2x^2}. \qquad (28.2)$$


These parameters in turn define a genuine triangle provided $x > k$ (see Lemma 28.2 below), the sides of the triangle being

$$a = t_1(t_2 + t_3) = \frac{x - k}{x}, \qquad b = t_2(t_3 + t_1) = \frac{x + y + k}{2x}, \qquad c = t_3(t_1 + t_2) = \frac{x - y + k}{2x}.$$

Given a triangle with unit semiperimeter and rational area $k$, we shall show that the associated elliptic curve $E_k$ has positive rank, provided that the triangle is non-isosceles. This leads to the following theorem on the existence of an arbitrary number of Heron triangles equal in perimeter and in area.

Theorem 28.1. Given a non-isosceles rational triangle $T$ (of semiperimeter 1) and a positive integer $N$, there are an integer $s$ and $N$ noncongruent Heron triangles all having the same area and perimeter as $sT$.

The qualification of non-isosceles triangle is essential. An example is provided by the case of the isosceles triangle with sides $(5, 5, 6)$, with $t_1 = t_2 = \frac{1}{2}$, $t_3 = \frac{3}{4}$, and $k = t_1t_2t_3 = \frac{3}{16}$. The elliptic curve $E_k$ has rank 0 (see Proposition 10), showing that there are no other triangles of unit semiperimeter with the same value of $k$. However, if such an isosceles triangle has the same perimeter and area as another isosceles triangle, then the elliptic curve has positive rank, and the statement of the theorem remains valid.

Guy [??, D16] reports that the problem of finding as many different triples of positive integers as possible with the same sum and the same product has been solved by A. Schinzel, that there are arbitrarily many. Theorem 1 offers a solution to the same problem: an arbitrary number of such triples, with the additional property that the sum and the product multiply to a square, can be constructed from any triple of distinct positive integers $x, y, z$ with the same property, i.e., $xyz(x + y + z) = A^2$ for an integer $A$. Any such triple defines a Heron triangle with sides $x + y$, $y + z$, $z + x$, and area $A$.

Let $k$ be a rational number $< \dfrac{1}{3\sqrt{3}}$. The cubic polynomial

$$f_k(x) := (x - k)^2 - 4kx^3 \tag{28.3}$$

has three distinct real roots separated by $k$ and $3k$, since

$$f(-\infty) = +\infty, \qquad f(k) = -4k^4 < 0, \qquad f(3k) = 4k^2(1 - 27k^2) > 0, \qquad f(+\infty) = -\infty.$$


This means that the elliptic curve $E_k$ has two components, one of which is compact. A point $(x, y)$ on $E_k$ lies in the compact component if and only if $x > k$. By Lemma 28.2 below, a point on $E_k$ corresponds to a genuine triangle if and only if it lies in the compact component.

Lemma 28.2. A point $(x, y)$ on the elliptic curve $E_k$ defines a genuine triangle if and only if $x > k$.

Proof. From (28.2), $t_2 + t_3 = \dfrac{x - k}{x^2}$ and $t_2t_3 = \dfrac{y^2}{4x^4}$. It is clear that $t_1, t_2, t_3$ are all positive (and define a genuine triangle) if and only if $x > k$.

The addition law of $E_k$ is given by

$$x(P + Q) = \frac{1}{4k}(1 - \lambda^2) - x(P) - x(Q),$$

where

$$\lambda = \begin{cases} \dfrac{y(P) - y(Q)}{x(P) - x(Q)}, & \text{if } P \ne Q, \\[2ex] \dfrac{x(P) - k - 6k\,x(P)^2}{y(P)}, & \text{if } P = Q. \end{cases}$$

Lemma 28.3. Let $P$ be a point on the compact component of $E_k$. The six points $\pm P$, $\pm P \pm I$ all represent the same (similarity class of) rational triangles.

Proof. Write $P = (t_1, t_1^2(t_2 - t_3))$. Then, for $\varepsilon = \pm 1$,

$$\varepsilon(P + I) = (t_2, \varepsilon t_2^2(t_3 - t_1)), \qquad \varepsilon(P - I) = (t_3, \varepsilon t_3^2(t_1 - t_2)).$$

Let $P$ and $Q$ be two distinct points on $E_k$, one on each of the two components. By the convexity of the compact component, it is clear that the sum $P + Q$ lies in the compact component. Now, if $P$ is a point in the compact component, then $2P$ must be in the noncompact one. It follows by induction that all odd multiples of $P$ are in the compact component, and hence define genuine rational triangles.

Example 28.1. For $k = \frac{1}{6}$, the cubic polynomial $f_k(x) = \frac{1}{36}(1 - 12x + 36x^2 - 24x^3)$ is irreducible.

Example 28.2. For $k = \dfrac{168}{1331} = \dfrac{2^3 \cdot 3 \cdot 7}{11^3}$, the cubic polynomial

$$f_k(x) = -4k\left(x - \frac{56}{33}\right)\left(x^2 - \frac{699}{2464}x + \frac{9}{484}\right).$$

The rational root $\frac{56}{33}$ corresponds to the isosceles Heron triangle $(65, 65, 112)$. On the same curve, there are rational points with $x = \frac{2}{11}, \frac{8}{11}, \frac{21}{22}$, corresponding to the Heron triangle $(37, 100, 105)$, also of perimeter 242 and area 1848.

Example 28.3. For $k = \frac{60}{343}$, the cubic polynomial $f_k(x)$ has three rational roots $\frac{15}{112} < \frac{12}{35} < \frac{20}{21}$. The larger two correspond respectively to the isosceles triangles $(24, 37, 37)$ and $(29, 29, 40)$, both with perimeter 98 and area 420. On $E_k$ lie also the rational points with $x = \frac{5}{14}, \frac{4}{7}, \frac{6}{7}$, corresponding to the Heron triangle $(25, 34, 39)$, with the same perimeter and area.


28.1.1 Proof of Theorem 28.1

A non-isosceles triangle with semiperimeter 1 and area $k$ corresponds to a point $P$ in the compact component of the elliptic curve $E_k$. Such a point cannot have finite order, and so generates an infinite cyclic subgroup of $E_k$. The point $mP$ lies in the compact component precisely when $m$ is odd. For any given integer $N$, the points $(2m - 1)P$, $1 \le m \le N$, all lie in the compact component, and therefore represent rational triangles $T_m$, each of semiperimeter 1 and area $k$. Let $s$ be the least common multiple of the denominators of the lengths of the sides of these $N$ triangles. Magnifying each of them by the factor $s$, we obtain a sequence of $N$ Heron triangles, all with semiperimeter $s$ and area $ks^2$.
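The procedure in this proof (odd multiples of $P$, the side formulas after (28.2), scaling by the LCM of the denominators) can be run exactly with rational arithmetic. The following is an added example, not code from the notes: it implements the addition law of $E_k$ stated above, checks the curve equation at every step, and returns the Heron triangles obtained from $P, 3P, 5P, \ldots$. The function and parameter names are my own.

```python
from fractions import Fraction
from math import lcm

# Added example, not from the notes: exact arithmetic on E_k : y^2 = (x - k)^2 - 4k x^3
# and the passage from a point on the compact component to a Heron triangle.
# Points are pairs of Fractions; None stands for the point at infinity.

def on_curve(k, P):
    """True if P = (x, y) satisfies y^2 = (x - k)^2 - 4k x^3."""
    x, y = P
    return y * y == (x - k) ** 2 - 4 * k * x ** 3

def add(k, P, Q):
    """Addition law of E_k exactly as stated in the notes (cubic coefficient -4k)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and y1 == -y2:
        return None                                   # P + (-P) = point at infinity
    if P == Q:
        lam = (x1 - k - 6 * k * x1 * x1) / y1          # tangent slope
    else:
        lam = (y1 - y2) / (x1 - x2)                    # chord slope
    x3 = (1 - lam * lam) / (4 * k) - x1 - x2
    y3 = lam * (x1 - x3) - y1                          # reflect the third intersection
    return (x3, y3)

def multiple(k, P, m):
    """m*P for m >= 1 by repeated addition (m is tiny here, so no double-and-add)."""
    R = None
    for _ in range(m):
        R = add(k, R, P)
    return R

def in_compact_component(k, P):
    """Lemma 28.2: the point gives a genuine triangle iff x > k."""
    return P is not None and P[0] > k

def sides_from_point(k, P):
    """Sides (a, b, c) of the unit-semiperimeter triangle attached to (x, y), sorted."""
    x, y = P
    if not in_compact_component(k, P):
        raise ValueError("point is not on the compact component")
    a = (x - k) / x
    b = (x + y + k) / (2 * x)
    c = (x - y + k) / (2 * x)
    return tuple(sorted((a, b, c)))

def heron_triangle(k, P):
    """Scale by the LCM of the denominators: (integer sides, semiperimeter s, area k*s^2)."""
    sides = sides_from_point(k, P)
    s = lcm(*(t.denominator for t in sides))
    return tuple(int(t * s) for t in sides), s, int(k * s * s)

def heron_family(k, P, count):
    """Heron triangles from the odd multiples P, 3P, 5P, ... (proof of Theorem 28.1)."""
    return [heron_triangle(k, multiple(k, P, 2 * m - 1)) for m in range(1, count + 1)]
```

With $k = \frac{1}{6}$ and $P = (1, \frac{1}{6})$ the first two triangles returned are $(3, 4, 5; 6, 6)$ and $(287, 468, 505; 630, 66150)$; $2P = (-2, -\frac{19}{6})$ has $x < k$ and so lies on the noncompact component, as the text predicts.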

Example 28.4. The right triangle $(3, 4, 5)$ corresponds to the point $P = (1, \frac{1}{6})$ on the curve $E_{1/6}$. The primitive Heron triangles corresponding to the points $P$, $3P$, $5P$, $7P$, and $9P$, with their semiperimeters and areas, are as follows.

(3, 4, 5; 6, 6),
(287, 468, 505; 630, 66150),
(3959527, 3997940, 5810001; 6883734, 7897632297126),
(3606573416251, 5935203156525, 6344028032612; 7942902302694, 10514949498356941266609606),
(480700822846118327460, 630296830413008002763, 795751643958885119197; 953374648609005724710, 151487203435057523536941712814925384097350).

The LCM of the semiperimeters being

$$s = 1447986121797526457728510272387457724310,$$

magnifying these triangles by appropriate factors, we obtain five Heron triangles, all with semiperimeter $s$ and area

$$\Delta = 349443968153040187579733428603820320155254000034420331290213618794580660829350.$$

The following example shows that the hypothesis of non-isoscelesity is essential.

Remark. Let $k = \frac{1}{2} \cdot \frac{1}{2} \cdot \frac{3}{4} = \frac{3}{16}$. The elliptic curve is cyclic of order 6. In particular, it has rank 0.

This value of $k$ arises from the isosceles triangle $(5, 5, 6)$. By Proposition 7, there is no other (noncongruent) triangle of unit semiperimeter and the same area. On the other hand, Example 1 shows that for the isosceles triangle $(65, 65, 126)$, the associated elliptic curve has positive rank.


Chapter 29

The ring of Gaussian integers

29.1 The ring Z[i]

29.1.1 Norm and units

By the ring of Gaussian integers we mean

Z[i] := {a+ bi : a, b ∈ Z}.

Each element of $\mathbb{Z}[i]$ is called a Gaussian integer. For $\alpha = a + bi$, we define the norm $N(\alpha) := a^2 + b^2 \in \mathbb{Z}$. One important property of the norm is its multiplicativity:

Lemma 29.1. For α, β ∈ Z[i],

N(αβ) = N(α)N(β).

A Gaussian integer $\alpha$ is a unit if it is invertible in $\mathbb{Z}[i]$. If $\alpha$ is a unit with multiplicative inverse $\beta$, then $\alpha\beta = 1$ and $N(\alpha)N(\beta) = N(\alpha\beta) = N(1) = 1$. This means that $N(\alpha) = 1$ and $\alpha = \pm 1$ or $\pm i$.

Proposition 29.2. The only units in Z[i] are ±1 and ±i.

29.1.2 Gaussian primes

Two Gaussian integers $\alpha$ and $\beta$ are associate if $\alpha = \varepsilon\beta$ for some unit $\varepsilon \in \mathbb{Z}[i]$.

Exercise

1. Show that the relation of being associate is an equivalence relation on $\mathbb{Z}[i]$.

2. Show that 2 is not a prime in $\mathbb{Z}[i]$.


A Gaussian integer $\pi \in \mathbb{Z}[i]$ is prime if
(i) $\pi$ is not a unit in $\mathbb{Z}[i]$, and
(ii) $\pi = \alpha\beta \in \mathbb{Z}[i] \Rightarrow \alpha$ or $\beta$ is a unit in $\mathbb{Z}[i]$.

Proposition 29.3. The ring of Gaussian integers satisfies the Euclidean algorithm: for $\alpha, \beta \in \mathbb{Z}[i]$ with $\beta \ne 0$, there are $\gamma$ and $\delta \in \mathbb{Z}[i]$ satisfying
(i) $\alpha = \beta\gamma + \delta$,
(ii) $N(\delta) < N(\beta)$.

Proof. Regarding $\alpha$ and $\beta$ as complex numbers, we have $\dfrac{\alpha}{\beta} = x + iy$ for rational numbers $x$ and $y$. Let $a$ and $b$ be integers such that $|x - a| \le \frac{1}{2}$ and $|y - b| \le \frac{1}{2}$. The numbers $\gamma := a + bi$ and $\delta := \beta((x - a) + (y - b)i)$ satisfy $\delta = \alpha - \beta\gamma$, and so $\delta$ is a Gaussian integer. Since

$$\left|\frac{\delta}{\beta}\right|^2 = (x - a)^2 + (y - b)^2 \le \frac{1}{4} + \frac{1}{4} \le \frac{1}{2},$$

we have $N(\delta) < N(\beta)$.

Therefore, we have a notion of gcd in Z[i]. The gcd of two Gaussian integers isdefined up to a unit.

Corollary 29.4. The ring of Gaussian integers is a Bezout domain: for $\alpha, \beta \in \mathbb{Z}[i]$, there are $\gamma, \delta \in \mathbb{Z}[i]$ such that

$$\gcd(\alpha, \beta) = \alpha\gamma + \beta\delta.$$

Proposition 29.5. The following two statements are equivalent.
(i) $\pi \in \mathbb{Z}[i]$ is a prime.
(ii) $\pi \mid \alpha\beta \in \mathbb{Z}[i] \Rightarrow \pi \mid \alpha$ or $\pi \mid \beta$.

Theorem 29.6. The primes in $\mathbb{Z}[i]$ are precisely
(i) the primes $p \equiv 3 \pmod{4}$ in $\mathbb{Z}$,
(ii) $\pm 1 \pm i$, which have norm 2, and
(iii) $a + bi$ for which $a^2 + b^2$ is an odd prime $p \equiv 1 \pmod{4}$ in $\mathbb{Z}$.

Corollary 29.7 (Unique factorization). Every nonzero Gaussian integer can be decomposed "uniquely" into a product of Gaussian primes: if

$$\alpha = \pi_1 \cdots \pi_h = \psi_1 \cdots \psi_k$$

for Gaussian primes $\pi_1, \ldots, \pi_h$ and $\psi_1, \ldots, \psi_k$, then
(i) $h = k$,
(ii) after a suitable permutation of $\psi_1, \ldots, \psi_k$, for $i = 1, 2, \ldots, k$, the Gaussian primes $\pi_i$ and $\psi_i$ are associate.


29.2 An alternative proof of Fermat's two-square theorem

Since $p \equiv 1 \pmod{4}$, $-1$ is a quadratic residue. This means that there exists an integer $a \le \frac{p-1}{2}$ such that $a^2 + 1$ is divisible by $p$. Note that $a^2 + 1 < p^2$.

Regarded as Gaussian integers, $a^2 + 1 = (a + i)(a - i)$. We claim that $p$ divides neither $a + i$ nor $a - i$; otherwise, $p^2 = N(p) \le N(a + i) = a^2 + 1 < p^2$, a contradiction. This means that $p$ is not a prime in $\mathbb{Z}[i]$ and there is a factorization $p = \alpha\beta \in \mathbb{Z}[i]$, in which none of $\alpha$, $\beta$ is a unit, i.e., $N(\alpha), N(\beta) > 1$. It follows from

$$p^2 = N(p) = N(\alpha)N(\beta)$$

that $N(\alpha) = N(\beta) = p$, and $p$ is a sum of two squares of integers.
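The rounding step in the proof of Proposition 29.3 is an algorithm, and the argument of this section becomes constructive once the Euclidean algorithm is available: since $p \mid (a + i)(a - i)$ while $p$ divides neither factor, $\gcd(p, a + i)$ in $\mathbb{Z}[i]$ is a proper divisor of $p$ and therefore has norm $p$. The following is an added example, not code from the notes: Gaussian integers are plain integer pairs $(a, b)$ meaning $a + bi$, the nearest-integer rounding is exactly the choice of $a$ and $b$ in the proof, and a square root of $-1$ modulo $p$ is found by Euler's criterion. Function names are my own.

```python
# Added example, not from the notes: the Euclidean algorithm in Z[i] (Proposition 29.3)
# and the two-square decomposition of a prime p = 1 (mod 4) obtained from it (Section 29.2).
# A Gaussian integer a + bi is represented as the integer pair (a, b).

def gnorm(z):
    """N(a + bi) = a^2 + b^2."""
    a, b = z
    return a * a + b * b

def gmul(u, v):
    """Product in Z[i]."""
    a, b = u
    c, d = v
    return (a * c - b * d, a * d + b * c)

def nearest(n, d):
    """Nearest integer to n/d for d > 0 (ties round up); |n/d - result| <= 1/2."""
    return (2 * n + d) // (2 * d)

def gdivmod(alpha, beta):
    """Return (gamma, delta) with alpha = beta*gamma + delta and N(delta) < N(beta)."""
    if beta == (0, 0):
        raise ZeroDivisionError("division by 0 in Z[i]")
    a, b = alpha
    c, d = beta
    n = gnorm(beta)
    # alpha/beta = alpha * conj(beta) / N(beta) = x + yi with x = x_num/n, y = y_num/n
    x_num, y_num = a * c + b * d, b * c - a * d
    gamma = (nearest(x_num, n), nearest(y_num, n))   # the a + bi of the proof
    prod = gmul(beta, gamma)
    delta = (a - prod[0], b - prod[1])
    assert gnorm(delta) < n                           # |delta/beta|^2 <= 1/2 < 1
    return gamma, delta

def gaussian_gcd(alpha, beta):
    """gcd in Z[i]; the result is determined only up to a unit (+-1, +-i)."""
    while beta != (0, 0):
        _, delta = gdivmod(alpha, beta)
        alpha, beta = beta, delta
    return alpha

def sqrt_minus_one_mod(p):
    """An integer a with a^2 = -1 (mod p) for a prime p = 1 (mod 4), via Euler's criterion."""
    for b in range(2, p):
        if pow(b, (p - 1) // 2, p) == p - 1:          # b is a quadratic non-residue
            return pow(b, (p - 1) // 4, p)
    raise ValueError("p is not a prime congruent to 1 mod 4")

def two_squares(p):
    """Write a prime p = 1 (mod 4) as x^2 + y^2 with x <= y, using gcd(p, a + i)."""
    a = sqrt_minus_one_mod(p)
    # p divides (a + i)(a - i) but neither factor, so gcd(p, a + i) is a proper
    # divisor of p; by multiplicativity of the norm it has norm exactly p.
    g = gaussian_gcd((p, 0), (a, 1))
    assert gnorm(g) == p
    return tuple(sorted(abs(t) for t in g))
```

For $p = 97$ the function returns $(4, 9)$, i.e. $97 = 16 + 81$; the same gcd routine shows that $2 = -i(1 + i)^2$ is not a Gaussian prime, since $\gcd(2, 1 + i)$ has norm 2.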


Chapter 30

Construction of indecomposable Heron triangles

30.1 Primitive Heron triangles

Given a triangle $ABC$ with sidelengths $BC = a$, $CA = b$ and $AB = c$, we let $s := \frac{1}{2}(a + b + c)$ be the semiperimeter, and

$$t_1 = \tan\frac{A}{2}, \qquad t_2 = \tan\frac{B}{2}, \qquad t_3 = \tan\frac{C}{2}.$$

These satisfy

$$t_1t_2 + t_2t_3 + t_3t_1 = 1. \tag{30.1}$$

[Figure: triangle $ABC$ with its incircle (center $I$, radius $r$, touch points $X$, $Y$, $Z$) and the tangent lengths $s - a$, $s - b$, $s - c$ from the vertices.]

We shall assume throughout this chapter that all sidelengths of triangles are rational. Such a triangle is called a rational triangle if its area is rational. Equivalently, $t_1, t_2, t_3$ are all rational numbers. Putting $t_i = \dfrac{n_i}{d_i}$, $i = 1, 2, 3$, with $\gcd(n_i, d_i) = 1$, we rewrite (30.1) in the form

$$n_1n_2d_3 + n_1d_2n_3 + d_1n_2n_3 = d_1d_2d_3. \tag{30.2}$$


A rational triangle, under a suitable magnification, gives a primitive Heron triangle, one with integer sides which are relatively prime, and with integer area. In fact, by putting

$$\begin{aligned} a &= n_1(d_2n_3 + n_2d_3), \\ b &= n_2(d_3n_1 + n_3d_1), \\ c &= n_3(d_1n_2 + n_1d_2), \end{aligned} \tag{30.3}$$

we obtain a Heron triangle with semiperimeter $s = n_1n_2d_3 + n_1d_2n_3 + d_1n_2n_3 = d_1d_2d_3$ and area $\Delta = n_1d_1n_2d_2n_3d_3$. A primitive Heron triangle $\Gamma_0$ results by dividing the sides by $g := \gcd(a_1, a_2, a_3)$.

30.1.1 Triple of simplifying factors

Unless explicitly stated otherwise, whenever the three indices $i, j, k$ appear altogether in an expression or an equation, they are taken as a permutation of the indices $1, 2, 3$.

Note that from (30.1) or (30.2), any one of $t_i, t_j, t_k$ can be expressed in terms of the remaining two. In the process of expressing $t_i = \dfrac{n_i}{d_i}$ in terms of $t_j = \dfrac{n_j}{d_j}$ and $t_k = \dfrac{n_k}{d_k}$, we encounter certain "simplifying factors", namely,

$$g_i := \gcd(d_jd_k - n_jn_k,\; n_jd_k + d_jn_k),$$

so that

$$g_in_i = d_jd_k - n_jn_k, \qquad g_id_i = d_jn_k + n_jd_k. \tag{30.4}$$

We shall call $(g_1, g_2, g_3)$ the triple of simplifying factors for the numbers $(t_1, t_2, t_3)$, or of the similarity class of triangles they define.

Example 30.1. For the Heron triangle $(13, 14, 15; 84)$, we have $t_1 = \frac{1}{2}$, $t_2 = \frac{4}{7}$ and $t_3 = \frac{2}{3}$. From

$$\frac{1 - t_2t_3}{t_2 + t_3} = \frac{7 \cdot 3 - 4 \cdot 2}{7 \cdot 2 + 4 \cdot 3} = \frac{13}{26} = \frac{1}{2},$$

it follows that $g_1 = 13$. Similarly, $g_2 = 1$ and $g_3 = 5$. On the other hand, for the indecomposable Heron triangle $(25, 34, 39; 420)$, we have $(t_1, t_2, t_3) = \left(\frac{5}{14}, \frac{4}{7}, \frac{6}{7}\right)$. The simplifying factors are $(g_1, g_2, g_3) = (5, 17, 13)$.

Example 30.2. For $(15, 34, 35; 252)$, the simplifying factors are $(g_1, g_2, g_3) = (5, 17, 5)$.

Exercise

For the sidelengths given in (30.3), we have

$$a = g_1n_1d_1, \qquad b = g_2n_2d_2, \qquad c = g_3n_3d_3.$$


30.1.2 Decomposition of Heron triangles

A Heron triangle $\Gamma := (a_1, a_2, a_3; \Delta)$ is said to be decomposable if there are (nondegenerate) Pythagorean triangles $\Gamma_1 := (x_1, y, a_1; \Delta_1)$, $\Gamma_2 := (x_2, y, a_2; \Delta_2)$, and $\varepsilon = \pm 1$ such that

$$a_3 = \varepsilon x_1 + x_2, \qquad \Delta = \varepsilon\Delta_1 + \Delta_2.$$

According as $\varepsilon = 1$ or $-1$, we shall say that $\Gamma$ is obtained by juxtaposing $\Gamma_1$ and $\Gamma_2$ ($\Gamma = \Gamma_1 \cup \Gamma_2$), or by excising $\Gamma_1$ from $\Gamma_2$ ($\Gamma = \Gamma_2 \setminus \Gamma_1$).

In general, a Heron triangle is decomposable into two Pythagorean components if and only if it has at least one integer height.

Theorem 30.1. A primitive Heron triangle can be decomposed into two Pythagorean components in at most one way.

Proof. This follows from three propositions.
(1) A primitive Pythagorean triangle is indecomposable. [1]
(2) A primitive, isosceles, Heron triangle is decomposable, the only decomposition being into two congruent Pythagorean triangles. [2]
(3) If a non-Pythagorean Heron triangle has two integer heights, then it cannot be primitive. [3]

[1] Proof of (1). We prove this by contradiction. A Pythagorean triangle, if decomposable, is partitioned by the altitude on the hypotenuse into two similar but smaller Pythagorean triangles. None of these, however, can have all sides of integer length, by the primitivity assumption on the original triangle.

[2] Proof of (2). The triangle being isosceles and Heron, the perimeter and hence the base must be even. Each half of the isosceles triangle is a (primitive) Pythagorean triangle $(m^2 - n^2, 2mn, m^2 + n^2)$, with $m, n$ relatively prime and of different parity. The height on each slant side of the isosceles triangle is

$$\frac{2mn(m^2 - n^2)}{m^2 + n^2},$$

which clearly cannot be an integer. This shows that the only way of decomposing a primitive isosceles triangle is into two congruent Pythagorean triangles.

[3] Proof of (3). Let $(a, b, c; \Delta)$ be a Heron triangle, not containing any right angle. Suppose the heights on the sides $b$ and $c$ are integers. Clearly, $b$ and $c$ cannot be relatively prime, for otherwise the heights of the triangle on these sides are respectively $ch$ and $bh$ for some integer $h$. This is impossible since, the triangle not containing any right angle, the height on $b$ must be less than $c$. Suppose therefore $\gcd(b, c) = g > 1$. We write $b = b'g$ and $c = c'g$ for relatively prime integers $b'$ and $c'$. If the height on $c$ is $h$, then that on the side $b$ is $\dfrac{ch}{b} = \dfrac{c'h}{b'}$. If this is also an integer, then $h$ must be divisible by $b'$. Replacing $h$ by $b'h$, we may now assume that the heights on $b$ and $c$ are respectively $c'h$ and $b'h$. The side $c$ is divided into $b'k$ and $\pm(c - b'k) \ne 0$, where $g^2 = h^2 + k^2$. It follows that

$$\begin{aligned} a^2 &= (b'h)^2 + (c'g - b'k)^2 \\ &= b'^2(h^2 + k^2) + c'^2g^2 - 2b'c'gk \\ &= g\,[\,g(b'^2 + c'^2) - 2b'c'k\,]. \end{aligned}$$

From this it follows that $g$ divides $a^2$, and every prime divisor of $g$ is a common divisor of $a, b, c$. The Heron triangle cannot be primitive.


30.2 Gaussian integers

We shall associate with each positive rational number $t = \dfrac{n}{d}$, $n, d$ relatively prime, the primitive, positive Gaussian integer $z(t) := d + n\sqrt{-1} \in \mathbb{Z}[\sqrt{-1}]$. Here, we say that a Gaussian integer $x + y\sqrt{-1}$ is

• primitive if $x$ and $y$ are relatively prime, and

• positive if both $x$ and $y$ are positive.

The norm of the Gaussian integer $z = x + y\sqrt{-1}$ is the integer $N(z) := x^2 + y^2$. The norm in $\mathbb{Z}[\sqrt{-1}]$ is multiplicative:

$$N(z_1z_2) = N(z_1)N(z_2).$$

The argument of a Gaussian integer $z = x + y\sqrt{-1}$ is the unique real number $\varphi = \varphi(z) \in [0, 2\pi)$ defined by

$$\cos\varphi = \frac{x}{\sqrt{x^2 + y^2}}, \qquad \sin\varphi = \frac{y}{\sqrt{x^2 + y^2}}.$$

A Gaussian integer $z$ is positive if and only if $0 < \varphi(z) < \frac{1}{2}\pi$. Each positive Gaussian integer $z = x + y\sqrt{-1}$ has a complement

$$z^* := y + x\sqrt{-1} = \sqrt{-1} \cdot \bar{z},$$

where $\bar{z} := x - y\sqrt{-1}$ is the conjugate of $z$. Note that $N(z^*) = N(z)$, and

$$\varphi(z) + \varphi(z^*) = \frac{\pi}{2} \tag{30.5}$$

for each pair of complementary positive Gaussian integers. Recall that the units of $\mathbb{Z}[\sqrt{-1}]$ are precisely $\pm 1$ and $\pm\sqrt{-1}$. An odd (rational) prime number $p$ ramifies into two non-associate primes $\pi(p)$ and $\overline{\pi(p)}$ in $\mathbb{Z}[\sqrt{-1}]$, namely, $p = \pi(p)\overline{\pi(p)}$, if and only if $p \equiv 1 \pmod{4}$. For applications in the present paper, we formulate the unique factorization theorem in $\mathbb{Z}[\sqrt{-1}]$ as follows.

Proposition 30.2. Let $g > 1$ be an odd number. There is a primitive Gaussian integer $\theta$ satisfying $N(\theta) = g$ if and only if each prime divisor of $g$ is congruent to 1 (mod 4).

30.2.1 Heron triangles and Gaussian integers

Consider the Heron triangle $\Gamma := \Gamma(t_1, t_2, t_3)$ with sides given by (30.3). In terms of the Gaussian integers $z_i := z(t_i) = d_i + n_i\sqrt{-1}$, the relations (30.4) can be rewritten as

$$g_iz_i = \sqrt{-1} \cdot \overline{z_jz_k} = (z_jz_k)^*. \tag{30.6}$$


Lemma 30.3. $N(z_i) = g_jg_k$.

Proof. From the relation (30.6), we have

$$g_i^2N(z_i) = N(z_j)N(z_k).$$

Combining these, we have

$$(g_ig_jg_k)^2 = N(z_i)N(z_j)N(z_k),$$

and the result follows easily.

Proposition 30.4.
(1) $g_i$ is a common divisor of $N(z_j)$ and $N(z_k)$.
(2) At least two of $g_i, g_j, g_k$ exceed 1.
(3) $g_i$ is even if and only if all of $n_j, d_j, n_k$ and $d_k$ are odd.
(4) At most one of $g_i, g_j, g_k$ is even, and none of them is divisible by 4.
(5) $g_i$ is prime to each of $n_j, d_j, n_k$, and $d_k$.
(6) Each odd prime divisor of $g_i$, $i = 1, 2, 3$, is congruent to 1 (mod 4).

Proof. (1) follows easily from Lemma 30.3.
(2) Suppose $g_1 = g_2 = 1$. Then $N(z_3) = 1$, which is clearly impossible.
(3) is clear from the relation (30.4).
(4) Suppose $g_i$ is even. Then $n_j, d_j, n_k, d_k$ are all odd. This means that $g_i$, being a divisor of $N(z_j) = d_j^2 + n_j^2 \equiv 2 \pmod{4}$, is not divisible by 4. Also, $d_jd_k - n_jn_k$ and $n_jd_k + d_jn_k$ are both even, and

$$(d_jd_k - n_jn_k) + (n_jd_k + d_jn_k) = (d_j + n_j)(d_k + n_k) - 2n_jn_k \equiv 2 \pmod{4},$$

so one of them is divisible by 4, and the other is $2 \pmod{4}$. After cancelling the common divisor 2, we see that exactly one of $n_i$ and $d_i$ is odd. This means, by (3), that $g_j$ and $g_k$ cannot be even.

(5) If $g_i$ and $n_j$ admit a common prime divisor $p$, then $p$ divides both $n_j$ and $n_j^2 + d_j^2$, and hence $d_j$ as well, contradicting the assumption that $d_j + n_j\sqrt{-1}$ be primitive.

(6) is a consequence of Proposition 30.2.

Proposition 30.5. $\gcd(g_1, g_2, g_3) = 1$.

Proof. We shall derive a contradiction by assuming a common rational prime divisor $p \equiv 1 \pmod{4}$ of $g_i, g_j, g_k$, with positive exponents $r_i, r_j, r_k$ in their prime factorizations. By the relation (30.6), the product $z_jz_k$ is divisible by the rational prime power $p^{r_i}$. This means that the primitive Gaussian integers $z_j$ and $z_k$ should contain in their prime factorizations powers of the distinct primes $\pi(p)$ and $\overline{\pi(p)}$.


The same reasoning also applies to each of the pairs $(z_k, z_i)$ and $(z_i, z_j)$, so that $z_k$ and $z_i$ (respectively $z_i$ and $z_j$) each contains one of the non-associate Gaussian primes $\pi(p)$ and $\overline{\pi(p)}$ in their factorizations. But then this means that $z_j$ and $z_k$ are divisible by the same Gaussian prime, a contradiction.

Corollary 30.6. If $a, b, c$ are given as in (30.3), then

$$\gcd(a, b, c) = \gcd(n_1d_1, n_2d_2, n_3d_3).$$

Proof. This follows from the expressions (30.3): $a_i = g_in_id_i$ for $i = 1, 2, 3$, and Proposition 30.5.

Exercise

Prove that a Heron triangle is Pythagorean if and only if its triple of simplifying factors is of the form $(1, 2, g)$, for an odd number $g$ whose prime divisors are all of the form $4m + 1$.

30.3 Orthocentric Quadrangles

Now we consider a rational triangle which does not contain a right angle. The vertices and the orthocenter form an orthocentric quadrangle, i.e., each of these four points is the orthocenter of the triangle with vertices at the remaining three points. If any of the four triangles is rational, then so are the remaining three. The convex hull of these four points is an acute-angled triangle $\Gamma$. We label the vertices $A$, $B$, $C$, and the orthocenter in the interior by $H$, and use the following notation for triangles:

$$\Gamma = ABC, \qquad \Gamma_1 = HBC, \qquad \Gamma_2 = AHC, \qquad \Gamma_3 = ABH.$$

Let $t_1, t_2, t_3$ be the tangents of the half angles of $\Gamma$, $z_1, z_2, z_3$ the associated Gaussian integers, and $(g_1, g_2, g_3)$ the corresponding simplifying factors. Then the tangents of the half angles of $\Gamma_k$ are

$$\frac{1 - t_i}{1 + t_i}, \qquad \frac{1 - t_j}{1 + t_j}, \qquad\text{and}\qquad \frac{1}{t_k}.$$

We first assume that $g_1, g_2, g_3$ are all odd, so that for $i = 1, 2, 3$, $d_i$ and $n_i$ are of different parity (Proposition 30.4(3)). The triangle $\Gamma_k$ has associated primitive Gaussian integers

$$\begin{aligned} z'_i &= (d_i + n_i) + (d_i - n_i)\sqrt{-1} = (1 + \sqrt{-1})\,\bar{z}_i, \\ z'_j &= (d_j + n_j) + (d_j - n_j)\sqrt{-1} = (1 + \sqrt{-1})\,\bar{z}_j, \\ z'_k &= n_k + d_k\sqrt{-1} = \sqrt{-1} \cdot \bar{z}_k. \end{aligned} \tag{30.7}$$


From these,

$$\begin{aligned} z'_jz'_k &= (1 + \sqrt{-1})\sqrt{-1} \cdot \overline{z_jz_k} = g_i(1 + \sqrt{-1})z_i = g_i\sqrt{-1} \cdot \overline{z'_i}, \\ z'_iz'_k &= (1 + \sqrt{-1})\sqrt{-1} \cdot \overline{z_iz_k} = g_j(1 + \sqrt{-1})z_j = g_j\sqrt{-1} \cdot \overline{z'_j}, \\ z'_iz'_j &= 2\sqrt{-1} \cdot \overline{z_iz_j} = 2g_kz_k = 2g_k\sqrt{-1} \cdot \overline{z'_k}. \end{aligned}$$

Thus, the triangle $\Gamma_k$ has simplifying factors $(g_i, g_j, 2g_k)$. Suppose now that one of the simplifying factors of $\Gamma$, say $g_k$, is even. Then $n_i, d_i, n_j, d_j$ are all odd, and $n_k, d_k$ have different parity. A similar calculation shows that the simplifying factors for the triangles $\Gamma_i$, $\Gamma_j$ and $\Gamma_k$ are $\left(2g_i, g_j, \frac{g_k}{2}\right)$, $\left(g_i, 2g_j, \frac{g_k}{2}\right)$, and $\left(g_i, g_j, \frac{g_k}{2}\right)$ respectively.

We summarize these in the following proposition.

Proposition 30.7. The simplifying factors for the four (rational) triangles in an orthocentric quadrangle are of the form $(g_1, g_2, g_3)$, $(2g_1, g_2, g_3)$, $(g_1, 2g_2, g_3)$ and $(g_1, g_2, 2g_3)$, with $g_1, g_2, g_3$ odd integers.

30.4 Indecomposable primitive Heron triangles

A routine computer search gives the following indecomposable, primitive Heron triangles with sides $\le 100$, excluding Pythagorean triangles:

(5, 29, 30; 72), (10, 35, 39; 168), (15, 34, 35; 252), (13, 40, 45; 252), (17, 40, 41; 336),
(25, 34, 39; 420), (5, 51, 52; 126), (15, 52, 61; 336), (20, 53, 55; 528), (37, 39, 52; 720),
(17, 55, 60; 462), (26, 51, 73; 420), (17, 65, 80; 288), (29, 65, 68; 936), (34, 55, 87; 396),
(39, 55, 82; 924), (41, 50, 89; 420), (35, 65, 82; 1092), (26, 75, 91; 840), (39, 58, 95; 456),
(17, 89, 90; 756), (26, 73, 97; 420), (41, 60, 95; 798), (51, 52, 97; 840).

We study the condition under which the primitive Heron triangle $\Gamma_0 = \Gamma_0(t_1, t_2, t_3)$ constructed in §?? is indecomposable. Clearly, $\Gamma_0 = \Gamma(t_1, t_2, t_3)$ is indecomposable if this is so for the triangle $\Gamma$ defined by (30.3). More remarkable is the validity of the converse.

Theorem 30.8. A non-Pythagorean, primitive Heron triangle $\Gamma_0 = \Gamma_0(t_1, t_2, t_3)$ is indecomposable if and only if each of the simplifying factors $g_i$, $i = 1, 2, 3$, contains an odd prime divisor.

Proof. We first prove the theorem for the triangle $\Gamma := \Gamma(t_1, t_2, t_3)$ defined by (30.3).

Since $\Gamma$ has area $\Delta = n_1d_1n_2d_2n_3d_3$, the height on the side $a_i = g_in_id_i$ is given by

$$h_i = \frac{2n_jd_jn_kd_k}{g_i}.$$


Since the triangle does not contain a right angle, it is indecomposable if and only if none of the heights $h_i$, $i = 1, 2, 3$, is an integer. By Proposition 30.4(4), this is the case if and only if each of $g_1, g_2, g_3$ contains an odd prime divisor.

To complete the proof, note that the sides (and hence also the heights) of $\Gamma_0$ are $\frac{1}{g}$ times those of $\Gamma$. Here, $g := \gcd(a_1, a_2, a_3) = \gcd(n_1d_1, n_2d_2, n_3d_3)$ by Corollary 30.6. The heights of $\Gamma_0$ are therefore

$$h'_i = \frac{2n_jd_jn_kd_k}{g_i \cdot g} = \frac{2}{g_i} \cdot \frac{n_jd_jn_kd_k}{\gcd(n_1d_1, n_2d_2, n_3d_3)}.$$

Note that $\dfrac{n_jd_jn_kd_k}{\gcd(n_1d_1, n_2d_2, n_3d_3)}$ is an integer prime to $g_i$. If $h'_i$ is not an integer, then $g_i$ must contain an odd prime divisor, by Proposition 30.4(4) again.

Corollary 30.9. Let $\Gamma$ be a primitive Heron triangle. Denote by $\Gamma_i$, $i = 1, 2, 3$, the primitive Heron triangles in the similarity classes of the remaining three rational triangles in the orthocentric quadrangle containing $\Gamma$. The four triangles $\Gamma$ and $\Gamma_i$, $i = 1, 2, 3$, are either all decomposable or all indecomposable.

Example 30.3. From the orthocentric quadrangle of each of the indecomposable Heron triangles $(15, 34, 35; 252)$ and $(25, 34, 39; 420)$, we obtain three other indecomposable primitive Heron triangles.

(a1, b1, c1; Δ)          (g1, g2, g3)    (a1, b1, c1; Δ)            (g1, g2, g3)
(15, 34, 35; 252)        (5, 17, 5)      (25, 34, 39; 420)          (5, 17, 13)
(55, 17, 60; 462)        (5, 17, 10)     (285, 187, 364; 26334)     (5, 17, 26)
(119, 65, 180; 1638)     (5, 17, 10)     (700, 561, 169; 30030)     (10, 17, 13)
(65, 408, 385; 12012)    (5, 34, 5)      (855, 952, 169; 62244)     (5, 34, 13)

30.4.1 Construction of Heron triangles with given simplifying factors

Theorem 30.10. Let $g_1, g_2, g_3$ be odd numbers satisfying the following conditions.
(i) At least two of $g_1, g_2, g_3$ exceed 1.
(ii) The prime divisors of $g_i$, $i = 1, 2, 3$, are all congruent to 1 (mod 4).
(iii) $\gcd(g_1, g_2, g_3) = 1$.

Suppose $g_1, g_2, g_3$ together contain $\lambda$ distinct rational (odd) prime divisors. Then there are $2^{\lambda - 1}$ distinct, primitive Heron triangles with simplifying factors $(g_1, g_2, g_3)$.

Proof. Suppose $(g_1, g_2, g_3)$ satisfies these conditions. By (ii), there are primitive Gaussian integers $\theta_i$, $i = 1, 2, 3$, such that $g_i = N(\theta_i)$. Since $\gcd(g_1, g_2, g_3) = 1$, if a rational prime $p \equiv 1 \pmod{4}$ divides $g_i$ and $g_j$, then, in the ring $\mathbb{Z}[\sqrt{-1}]$, the prime factorizations of $\theta_i$ and $\theta_j$ contain powers of the same Gaussian prime $\pi$ or $\bar{\pi}$.


Therefore, if $g_1, g_2, g_3$ together contain $\lambda$ rational prime divisors, then there are $2^\lambda$ choices of the triple of primitive Gaussian integers $(\theta_1, \theta_2, \theta_3)$, corresponding to a choice between the Gaussian primes $\pi(p)$ and $\overline{\pi(p)}$ for each of these rational primes. Choose units $\varepsilon_1$ and $\varepsilon_2$ such that $z_1 = \varepsilon_1\theta_2\theta_3$ and $z_2 = \varepsilon_2\theta_3\theta_1$ are positive.

Two positive Gaussian integers $z_1$ and $z_2$ define a positive Gaussian integer $z_3$ via (30.6) if and only if

$$0 < \varphi(z_1) + \varphi(z_2) < \frac{\pi}{2}. \tag{30.8}$$

Since $\varphi(z_1^*) + \varphi(z_2^*) = \pi - (\varphi(z_1) + \varphi(z_2))$, it follows that exactly one of the two pairs $(z_1, z_2)$ and $(z_1^*, z_2^*)$ satisfies condition (30.8). There are, therefore, $2^{\lambda - 1}$ Heron triangles with $(g_1, g_2, g_3)$ as simplifying factors.

Making use of Theorems 30.8, 30.10, and Proposition 30.7, it is now easy to construct indecomposable primitive Heron triangles from any triple of odd integers $(g_1, g_2, g_3)$, each greater than 1, and satisfying the conditions of Theorem 30.10. For example, by choosing $g_1, g_2, g_3$ from the first few primes of the form $4k + 1$, we obtain the following primitive Heron triangles, all indecomposable:

(g1, g2, g3)   (d1, n1)   (d2, n2)   (d3, n3)   (a, b, c; Δ)
(5, 13, 17)    (14, 5)    (7, 6)     (7, 4)     (25, 39, 34; 420)
               (5, 14)    (9, 2)     (8, 1)     (175, 117, 68; 2520)
               (11, 10)   (7, 6)     (8, 1)     (275, 273, 68; 9240)
               (10, 11)   (9, 2)     (7, 4)     (275, 117, 238; 13860)
(5, 13, 29)    (4, 19)    (12, 1)    (8, 1)     (95, 39, 58; 456)
               (16, 11)   (8, 9)     (8, 1)     (110, 117, 29; 1584)
               (11, 16)   (12, 1)    (7, 4)     (220, 39, 203; 3696)
               (19, 4)    (8, 9)     (7, 4)     (95, 234, 203; 9576)
(5, 17, 29)    (22, 3)    (12, 1)    (2, 9)     (55, 34, 87; 396)
               (18, 13)   (9, 8)     (9, 2)     (65, 68, 29; 936)
               (18, 13)   (12, 1)    (6, 7)     (195, 34, 203; 3276)
               (22, 3)    (9, 8)     (7, 6)     (55, 204, 203; 5544)
(13, 17, 29)   (22, 3)    (16, 11)   (10, 11)   (39, 136, 145; 2640)
               (22, 3)    (19, 4)    (5, 14)    (429, 646, 1015; 87780)
               (18, 13)   (19, 4)    (11, 10)   (1521, 646, 1595; 489060)
               (18, 13)   (16, 11)   (14, 5)    (1521, 1496, 1015; 720720)

Further examples can be obtained by considering the orthocentric quadrangle ofeach of these triangles.