
NUMBER THEORY AND CRYPTOGRAPHY

MATH3301
BRYCE KERR, UNSW, 2024

The typed lecture notes don’t contain extras such as exercises or sections with the *
symbol from the written lecture notes. However, these notes have all the necessary content
from the lectures with minor modifications.

Lecture 4
Last week, we found a necessary and sufficient condition for solving linear Diophantine
equations, spread out over several results. We will restate and reprove it (all in one place
this time).
Theorem (Solution to linear Diophantine equation in 2 variables). Let a, b, c be fixed
integers. The equation
ax + by = c
has integer solutions if and only if gcd(a, b)|c.
Proof. First, suppose ax + by = c has a solution. Then there exist integers n, m such that
an + bm = c. Since gcd(a, b)|a and gcd(a, b)|b, the properties of divisibility imply
gcd(a, b)|(an + bm).
Thus, gcd(a, b)|c as desired.
For the converse, suppose that gcd(a, b)|c. Then there exists some integer d such that
c = d gcd(a, b). The extended Euclidean algorithm finds integers n and m such that
gcd(a, b) = an + bm.
But then
c = d gcd(a, b) = d(an + bm) = a(dn) + b(dm),
so x = dn, y = dm is a solution to the equation ax + by = c.
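As an added illustration (not part of the lecture notes), the following Python code implements the extended Euclidean algorithm and uses it exactly as the converse direction of the proof does: scale the Bezout coefficients by d = c / gcd(a, b), or report that no solution exists when gcd(a, b) does not divide c. Function names are my own.

```python
# Added example (not from the lecture notes): the extended Euclidean algorithm
# and the solution of ax + by = c, following the theorem's proof.

def extended_gcd(a, b):
    """Return (g, n, m) with g = gcd(a, b) >= 0 and a*n + b*m = g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:  # normalise so that g >= 0 (matters for negative inputs)
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def solve_linear_diophantine(a, b, c):
    """Return one integer solution (x, y) of a*x + b*y = c, or None.

    Mirrors the proof: if g = gcd(a, b) divides c, write c = d*g and
    scale the Bezout coefficients (n, m) by d; otherwise no solution exists.
    """
    g, n, m = extended_gcd(a, b)
    if g == 0:  # a = b = 0: solvable only for c = 0
        return (0, 0) if c == 0 else None
    if c % g != 0:
        return None
    d = c // g
    return d * n, d * m


def are_coprime(a, b):
    """gcd(a, b) = 1, i.e. an + bm = 1 is solvable (definition from the notes)."""
    return extended_gcd(a, b)[0] == 1


if __name__ == "__main__":
    for a, b, c in [(6, 25, 1), (12, 18, 30), (12, 18, 7)]:
        print(f"{a}x + {b}y = {c}:", solve_linear_diophantine(a, b, c))
```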

We are now equipped to prove the Fundamental Theorem of Arithmetic, but we need
some preliminary definitions and results first.
Definition (Relatively prime). We say a, b are relatively prime (or coprime) if gcd(a, b) =
1. Equivalently (due to the extended Euclidean algorithm), there exist n, m such that
an + bm = 1.
For example, 6 and 25 are relatively prime (despite not being prime themselves). The
following lemma clarifies the relationship between primality and relative primality; it says
that a prime number is relatively prime to anything except multiples of itself.
Lemma. Suppose p is prime and a is any integer which is not a multiple of p. Then p
and a are relatively prime.
Proof. Note that gcd(a, p)|p. But since p is prime, gcd(a, p) = 1 or gcd(a, p) = p. In the
former case, a and p are relatively prime. In the latter case, p = gcd(a, p)|a, which
contradicts the assumption that a is not a multiple of p. □
The lemma allows us to prove the following proposition, which is the crucial ingredient
in the Fundamental Theorem:

Proposition (Key property of primes). If p is prime, then
p|ab =⇒ p|a or p|b.
This may fail if p is not prime, for example 6|(4 × 3) = 12 but 6 ∤ 4 and 6 ∤ 3.
Importantly, this also fails in our imaginary world of only even numbers (where unique
prime decomposition also fails) even if p is an “even world prime”. For example, 18|(6 × 6)
but 18 ∤ 6 (recall that 18 is an “even world prime”).
Proof. Suppose p|ab. If p|a, we are done, so we may assume that p ∤ a. By the previous
lemma, this implies that a and p are relatively prime, so we can write
1 = an + pm
for some integers n, m. Multiplying both sides by b:
b = abn + bpm
Since p|ab we can write ab = dp for some integer d, hence
b = dpn + bpm = p(dn + bm)
which means that p|b. □
An easy induction argument gives the following corollary:
Corollary. If p is prime, and $p \mid (a_1 \cdots a_n)$, then $p \mid a_i$ for some i.
Proof. We proceed by induction on n:
Base case: The case n = 2 is exactly the previous proposition.
Induction hypothesis: We may assume that if $p \mid (a_1 \cdots a_{n-1})$, then $p \mid a_i$ for some i.
Induction step: Suppose $p \mid (a_1 \cdots a_n)$. Since
$$a_1 \cdots a_n = (a_1 \cdots a_{n-1})\, a_n,$$
we can apply the previous proposition with $a = a_1 \cdots a_{n-1}$ and $b = a_n$ to deduce that
$$p \mid (a_1 \cdots a_{n-1}) \quad\text{or}\quad p \mid a_n.$$
In the latter case, we’re done, and in the former case, the induction hypothesis says that
$p \mid a_i$ for some i, so we are also done! □
We are now ready to prove the Fundamental Theorem:
Theorem (Fundamental Theorem of Arithmetic). Let n ≥ 1 be an integer. Then n has
a unique decomposition into a product of primes. More precisely, if
$$n = p_1 \cdots p_k = q_1 \cdots q_l$$
where the $p_i$ and $q_i$ are all prime and are ordered such that $p_1 \le \cdots \le p_k$ and $q_1 \le \cdots \le q_l$,
then k = l, and
$$p_1 = q_1, \ \ldots, \ p_k = q_k.$$
Proof. We proceed by induction on n:
Base case: No primes divide n = 1. Therefore n = 1 can only be written as a product
of zero primes. In other words, we must have k = 0 and l = 0. Therefore k = l and $p_i = q_i$
for all i between 1 and k. (There are of course no such i, but the statement is still,
logically speaking, true!)
Induction hypothesis: We may assume that every integer n′ with 1 ≤ n′ < n can be
decomposed uniquely into a product of primes.
Induction step: Let p be the smallest prime dividing n. Then since $n = q_1 \cdots q_l$, we
have
$$p \mid q_1 \cdots q_l.$$
By the previous corollary, $p \mid q_i$ for some i. Since $q_i$ is prime, p = 1 or $p = q_i$. But since
p is prime, p cannot be 1. Therefore we must have $p = q_i$. Since p is the smallest prime
dividing n, and $q_1 \le \cdots \le q_l$, we must have $p = q_1$.
By the same reasoning applied to the factorization $n = p_1 \cdots p_k$, we conclude $p = p_1$.
It follows that $p_1 = q_1$.
But now since
$$p_1 \cdots p_k = n = q_1 q_2 \cdots q_l = p_1 q_2 \cdots q_l,$$
we may cancel $p_1$ on both sides to obtain
$$p_2 \cdots p_k = q_2 \cdots q_l.$$
Now let $n' = p_2 \cdots p_k$. Observe that $n' = n/p_1 < n$. Therefore by the induction hypothesis,
the two factorizations $n' = p_2 \cdots p_k$ and $n' = q_2 \cdots q_l$ must be the same; in other words,
k − 1 = l − 1 and $p_2 = q_2, \ldots, p_k = q_k$. It follows that k = l and $p_1 = q_1, \ldots, p_k = q_k$. □

The fundamental theorem gives us a useful and intuitive way of thinking about divisibility.
But first, we introduce the concept of multiplicity. The multiplicity with which a
prime p divides n is defined to be the number of times p occurs in the prime factorization
$n = p_1 \cdots p_k$. For example, since 12 = 2 × 2 × 3, the prime 2 divides 12 with multiplicity
2, and 3 divides it with multiplicity 1. All other primes divide it with multiplicity 0. We
will often use the following notation:
$$\mathrm{ord}_p(n) = \text{multiplicity with which } p \text{ divides } n.$$
So $\mathrm{ord}_2(12) = 2$, $\mathrm{ord}_3(12) = 1$, and $\mathrm{ord}_p(12) = 0$ for all primes p > 3.
Corollary (Divisibility via Prime Factorizations).
(1) d | n ⇐⇒ all primes occurring in the prime decomposition of d also occur in the
prime decomposition of n, and not with larger multiplicity.
(2) gcd(a, b) = product of all primes occurring in the prime factorisations of both a
and b, taken with multiplicity.
For example, we have 12 = 2 × 2 × 3 and 18 = 2 × 3 × 3. So although the same primes
divide 12 and 18, the multiplicity with which 2 divides 12 is larger, and hence 12 does
not divide 18. Similarly, 18 does not divide 12 because the multiplicity of 3 in 18 is larger.
For the gcd part, take 180 and 135: 180 = 2 × 2 × 3 × 3 × 5 and 135 = 3 × 3 × 3 × 5, so
gcd(180, 135) = 3 × 3 × 5 = 45.
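The corollary can be checked mechanically. The Python below (added here, not from the notes) factorises by trial division, computes ord_p(n), and implements both parts of the corollary, using the notes' own numbers 12, 18, 180 and 135; the function names are my own.

```python
# Added example (not from the notes): prime factorisations with multiplicity,
# ord_p(n), and the divisibility / gcd corollary checked on 12, 18, 180, 135.
from collections import Counter


def factorise(n):
    """Return a Counter {p: ord_p(n)} for n >= 1, by trial division."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = Counter()
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] += 1
            n //= p
        p += 1
    if n > 1:          # whatever remains is itself a prime factor
        factors[n] += 1
    return factors


def ord_p(p, n):
    """Multiplicity with which the prime p divides n (0 if p does not divide n)."""
    return factorise(n)[p]


def divides_by_factorisation(d, n):
    """Corollary (1): d | n iff every prime of d occurs in n with at least
    the same multiplicity."""
    fd, fn = factorise(d), factorise(n)
    return all(fn[p] >= k for p, k in fd.items())


def gcd_by_factorisation(a, b):
    """Corollary (2): product of the primes common to a and b, each taken
    with the smaller of the two multiplicities."""
    fa, fb = factorise(a), factorise(b)
    result = 1
    for p in fa.keys() & fb.keys():
        result *= p ** min(fa[p], fb[p])
    return result


if __name__ == "__main__":
    print(dict(factorise(12)), dict(factorise(18)))            # {2: 2, 3: 1} {2: 1, 3: 2}
    print(ord_p(2, 12), ord_p(3, 12), ord_p(5, 12))            # 2 1 0
    print(divides_by_factorisation(12, 18), divides_by_factorisation(18, 12))  # False False
    print(gcd_by_factorisation(180, 135))                      # 45
```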

Lecture 5
Si numerus a numerorum b, c differentiam metitur, b et c secundum a congrui
dicuntur, sin minus, incongrui: ipsum a modulum appellamus.[1]
With this opening sentence, Gauss introduced the world to modular arithmetic in his
magnum opus, the Disquisitiones Arithmeticae. It was completed in 1798, when he was
21, although it was not published until 1801.
Modular arithmetic will play a central role in our class as well. Here are two examples
of patterns that baffled mathematicians in the centuries preceding Gauss.

Pattern 1 (Wilson’s Theorem): Let p be any prime. Then (p − 1)! + 1 is divisible by p.
For example:

  p     (p − 1)! + 1
  2     (2 − 1)! + 1 = 2
  3     (3 − 1)! + 1 = 3
  5     (5 − 1)! + 1 = 25 = 5 × 5
  11    3628801 = 329891 × 11
  13    479001601 = 36846277 × 13
  ...   ...

Note that p is a factor of neither (p − 1)! nor 1, but it is a factor of their sum. What
makes this pattern difficult to grapple with is that prime factors behave unpredictably
with respect to addition.

Pattern 2 (Fermat’s Little Theorem): Fix a prime p. If a is any integer, $a^p - a$ is divisible
by p. For example, let us fix p = 7.

  a     $a^7 - a$
  1     0
  2     $2^7 - 2 = 126 = 7 \times 18$
  3     $3^7 - 3 = 2184 = 7 \times 312$
  4     $4^7 - 4 = 16380 = 7 \times 2340$
  ...   ...
Through modular arithmetic, we will be able to prove these results, and gain some
insight as to why they work. In order to introduce the key idea of modular arithmetic, let
us first consider a much more naïve problem:
Problem. Find the last digit of $971^{216} + 523^{121}$.
Evidently, we do not want to multiply out this number in full detail. What makes this
problem trivial is the following simple observation (think for yourselves why it is true!):
Observation.
(a) The last digit of ab only depends on the last digit of a and the last digit of b.
(b) The last digit of a + b only depends on the last digit of a and the last digit of b.
By observation (b), it’s enough to find the last digit of $971^{216}$ and $523^{121}$ individually,
and then sum them.

[1] If a number a divides the difference of the numbers b and c, b and c are said to be congruent
relative to a; if not, b and c are noncongruent. The number a is called the modulus.

Last digit of $971^{216}$: Using observation (a) (216 times), we deduce that the last digit of
$971^{216}$ must be the same as the last digit of $1^{216}$, i.e. 1.

Last digit of $523^{121}$: Similarly, the last digit of $523^{121}$ must be the same as the last digit
of $3^{121}$. Now powers of 3 are not as nice as powers of 1. To get around this, we write out
a few powers of 3, until we see that $3^4 = 81$. To exploit this fact, we write
$$3^{121} = (3^4)^{30} \times 3 = 81^{30} \times 3.$$
Now it is enough to find the last digits of $81^{30}$ and 3 (observation (a) again). Using
observation (a) once more, the last digit of $81^{30}$ is 1, so the last digit of $3^{121} = 81^{30} \times 3$ is 3.

In conclusion, the last digit of $971^{216} + 523^{121}$ is 3 + 1 = 4.

Modular arithmetic is really just a way of generalising observations (a) and (b) to arbitrary
bases (not just base 10), and exploiting these observations for maximum leverage.
Definition (Congruence modulo m). Let a, b, m be integers. We say a is congruent to b
modulo m if m|(a − b). Equivalently, a and b have the same remainder after division by
m. We write this as a ≡ b mod m.
Here are some examples:
a ≡ b mod 10 ⇐⇒ a and b have the same last digit.
a ≡ b mod 2 ⇐⇒ a and b are both even or both odd.
a ≡ b mod 12 ⇐⇒ A clock looks the same after a hours or b hours.
Make sure you understand these examples!

Here is the key proposition that makes modular arithmetic work. Note that when
m = 10, this simply reduces to our statement about last digits.
Proposition (Addition/multiplication commutes with reduction modulo m). Suppose
a ≡ a′ and b ≡ b′ mod m. Then:
(1) a + b ≡ a′ + b′ mod m
(2) ab ≡ a′ b′ mod m
In this context, the word “commutes” means that it doesn’t matter which order you do
things. In other words, we can add a and b first and then reduce modulo m, or we can reduce
modulo m first (to get a′ and b′) and then add. Either way, we get the same answer.
Proof. By our assumptions, m|(a − a′ ) and m|(b − b′ ). First, we show m|((a + b) − (a′ + b′ )):
a + b − (a′ + b′ ) = (a − a′ ) + (b − b′ )
which is divisible by m by the properties of divisibility. Next, we show m|(ab − a′ b′ ):
ab − a′ b′ = ab − a′ b + a′ b − a′ b′
= (a − a′ )b + a′ (b − b′ )
which is divisible by m by properties of divisibility. □

Lecture 6
In the last lecture we defined a ≡ b mod m to mean any of the following (they are all
equivalent):
(i) m|(a − b)
(ii) a and b have the same remainder upon division by m
(iii) a = b + km where k is some (possibly negative) integer
We then proved the following proposition.
Proposition (Addition/multiplication commutes with reduction modulo m). Suppose
a ≡ a′ and b ≡ b′ mod m. Then:
(1) a + b ≡ a′ + b′ mod m
(2) ab ≡ a′ b′ mod m
Remark. It follows easily (by induction) that if $a_i \equiv a_i' \bmod m$ for i = 1, . . . , n, then
$$a_1 + \ldots + a_n \equiv a_1' + \ldots + a_n' \bmod m$$
and
$$a_1 \cdots a_n \equiv a_1' \cdots a_n' \bmod m.$$
Today, we will take a careful look at how this proposition gets used by sketching some
applications of modular arithmetic. Soon, however, you will start using it on autopilot
without thinking too much. First though, one more piece of terminology. Observe that
any integer a is congruent modulo m to exactly one of 0, 1, . . . , m − 1. Indeed, the division
algorithm tells us that
a = qm + r for some integer 0 ≤ r < m,
so a − r = qm is divisible by m. Because of this, we will use the phrase ‘reduce a modulo
m’ to mean ‘find which of 0, 1, . . . , m − 1 that a is congruent to’.
Notation. Sometimes people use the notation “a mod m” for the reduction of a modulo
m. So then we have an equivalence
a ≡ b mod m ⇐⇒ a mod m = b mod m.
Warning: On the left side the “ mod m” indicates that the ≡ symbol is to be understood
as a congruence modulo m, whereas on the right side, the = is an ordinary equality between
two integers in the range 0, . . . , m − 1.
With this terminology, let us re-examine our problem from last time:
Problem. Find the last digit of $971^{216} + 523^{121}$.
Expressed with our new terminology, the problem is asking us to reduce $971^{216} + 523^{121}$
modulo 10. Since addition commutes with reduction modulo m, it is enough to reduce
$971^{216}$ and $523^{121}$ separately and then add. Let’s start with $971^{216}$.
We can think of $971^{216}$ as a product of 216 numbers (all of which happen to be the
same), so in order to reduce $971^{216}$ modulo 10, we can first reduce 971 modulo 10 and
then multiply. Since
$$971 \equiv 1 \bmod 10$$
then
$$971^{216} \equiv 1^{216} \equiv 1 \bmod 10.$$
A similar argument shows that since
$$523 \equiv 3 \bmod 10$$

we have
$$523^{121} \equiv 3^{121} \bmod 10.$$
While this is an improvement, we must further simplify $3^{121}$ modulo 10. To do this, we
break up this product into simpler numbers. Ideally, we want something like 1 raised to
some power, since this is easily computed. This leads us to the observation from last time
that $3^4 = 81$ and $3^{121} = (3^4)^{30} \times 3 = 81^{30} \times 3$. We now use our proposition and the fact
that
$$81 \equiv 1 \bmod 10$$
to deduce that
$$523^{121} \equiv 3^{121} \equiv (3^4)^{30} \times 3 \equiv 81^{30} \times 3 \equiv 1 \times 3 \equiv 3 \bmod 10.$$
Therefore,
$$971^{216} + 523^{121} \equiv 1 + 3 \equiv 4 \bmod 10.$$
From now on, when you do this kind of problem, I don’t expect you to justify every
step in such pedantic detail. You can just write:
$$\begin{aligned}
971^{216} + 523^{121} &\equiv 1^{216} + 3^{121} \bmod 10 \\
&\equiv 1 + (3^4)^{30} \cdot 3 \bmod 10 \\
&\equiv 1 + 81^{30} \cdot 3 \bmod 10 \\
&\equiv 1 + 1^{30} \cdot 3 \bmod 10 \\
&\equiv 4 \bmod 10
\end{aligned}$$
Let us try a similar problem:
Problem. Reduce $175 \cdot 47^{37}$ modulo 12.
There are many ways of proceeding; we could start by observing that
$$175 \equiv 55 \equiv 7 \bmod 12.$$
We also have
$$47 \equiv 11 \equiv -1 \bmod 12.$$
Putting this together, we get
$$175 \cdot 47^{37} \equiv 7 \cdot (-1)^{37} \equiv -7 \bmod 12.$$
To get this into the range {0, 1, . . . , 11} we just add 12:
$$175 \cdot 47^{37} \equiv 7 \cdot (-1)^{37} \equiv -7 \equiv 5 \bmod 12.$$
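Both problems above, and the Wilson and Fermat tables from the start of Lecture 5, can be checked by a program that applies the proposition literally: reduce modulo m after every single multiplication, so that no intermediate value ever exceeds m². This is an added Python example, not code from the notes; the function names are my own.

```python
# Added example (not from the notes): "reduce as you go", i.e. the proposition
# that addition and multiplication commute with reduction modulo m, applied to
# the last-digit problem, the mod-12 problem, and the Wilson/Fermat tables.

def mod_pow(base, exponent, m):
    """base**exponent reduced modulo m, reducing after every multiplication.

    Reducing base first is allowed because ab ≡ a'b' (mod m) whenever a ≡ a'
    and b ≡ b'; repeated squaring keeps every intermediate below m*m.
    """
    result = 1
    base %= m
    while exponent > 0:
        if exponent & 1:
            result = (result * base) % m
        base = (base * base) % m
        exponent >>= 1
    return result % m


def reduce_sum_of_powers(terms, m):
    """Reduce (b1**e1 + b2**e2 + ...) modulo m term by term, then add."""
    return sum(mod_pow(b, e, m) for b, e in terms) % m


def factorial_mod(n, m):
    """n! modulo m, again reducing after each multiplication."""
    acc = 1
    for k in range(2, n + 1):
        acc = (acc * k) % m
    return acc


def wilson_holds(p):
    """(p - 1)! + 1 ≡ 0 (mod p): Pattern 1 in the notes."""
    return (factorial_mod(p - 1, p) + 1) % p == 0


def fermat_holds(a, p):
    """a**p - a ≡ 0 (mod p): Pattern 2 in the notes."""
    return (mod_pow(a, p, p) - a) % p == 0


if __name__ == "__main__":
    # last digit of 971^216 + 523^121
    print(reduce_sum_of_powers([(971, 216), (523, 121)], 10))   # 4
    # 175 * 47^37 modulo 12
    print((175 * mod_pow(47, 37, 12)) % 12)                     # 5
    print([p for p in (2, 3, 5, 11, 13) if wilson_holds(p)])    # all of them
    print([a for a in range(1, 5) if fermat_holds(a, 7)])       # [1, 2, 3, 4]
```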

Divisibility tests. Now let’s use modular arithmetic to prove some well-known divisibility
tests. Let a be an integer, written in base 10, with digits $a_n, \ldots, a_1, a_0$. By ‘written in
base 10’ we mean that
$$a = a_n (10^n) + a_{n-1} (10^{n-1}) + \ldots + a_1 (10) + a_0 = \sum_{i=0}^{n} a_i (10^i).$$

Proposition (Divisibility tests).
(1) a is divisible by 3 if and only if
$$a_n + a_{n-1} + \ldots + a_1 + a_0$$
is divisible by 3.

(2) a is divisible by 9 if and only if
$$a_n + a_{n-1} + \ldots + a_1 + a_0$$
is divisible by 9.
(3) a is divisible by 11 if and only if
$$a_0 - a_1 + a_2 - \ldots + a_n (-1)^n = \sum_{i=0}^{n} a_i (-1)^i$$
is divisible by 11.
Proof. First note that by definition, m|a if and only if a ≡ 0 mod m. Then
$$a = a_n (10^n) + a_{n-1} (10^{n-1}) + \ldots + a_1 (10) + a_0 \equiv a_n + \ldots + a_0 \bmod 3$$
since 10 ≡ 1 mod 3. So
$$a \equiv 0 \bmod 3$$
if and only if
$$a_n + \ldots + a_0 \equiv 0 \bmod 3.$$
The proof for divisibility by 9 follows similarly, using the fact 10 ≡ 1 mod 9, which
leads to the formula
$$a \equiv \sum_{i=0}^{n} a_i \bmod 9.$$
The proof for divisibility by 11 is also similar, using the fact 10 ≡ −1 mod 11, which
leads to the formula
$$a \equiv \sum_{i=0}^{n} a_i (-1)^i \bmod 11.$$

Problem. There are similar tests for divisibility by any integer m, but they do become
more and more complicated. For instance, consider m = 7. Show that a is divisible by 7
if and only if the number
$$(1a_0 + 3a_1 + 2a_2 - 1a_3 - 3a_4 - 2a_5) + (1a_6 + 3a_7 + \cdots) + \cdots$$
is divisible by 7. As indicated, the pattern of the coefficients here is 1, 3, 2, −1, −3, −2 and
repeats in groups of 6 after that.
Can you find a similar rule for divisibility by 13? By 37?
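The recipe behind all of these tests is the same: reduce 10^i modulo m for each digit position and use those residues as the coefficients. The following added Python example (not from the notes; names are my own) automates that step, reproduces the 1, 3, 2, −1, −3, −2 pattern for m = 7, and runs unchanged for any other modulus, so it goes a little beyond the specific cases in the text.

```python
# Added example (not from the notes): digit-based divisibility tests derived
# from the residues 10^i mod m. For m = 3, 9, 11 this reproduces the
# proposition; for m = 7 it yields the pattern 1, 3, 2, -1, -3, -2.

def digits_low_to_high(a):
    """Digits a_0, a_1, ..., a_n of |a| written in base 10."""
    return [int(ch) for ch in reversed(str(abs(a)))]


def balanced_residue(x, m):
    """Representative of x modulo m in (-m/2, m/2], e.g. 10 ≡ -1 (mod 11)."""
    r = x % m
    return r - m if r > m // 2 else r


def coefficient_pattern(m, length):
    """The weights 10^i mod m for i = 0 .. length-1, in balanced form.

    Each weight comes from the previous one as 10 * w mod m, i.e. by reducing
    after every multiplication (the proposition from the lecture).
    """
    weights, w = [], 1
    for _ in range(length):
        weights.append(balanced_residue(w, m))
        w = (10 * w) % m
    return weights


def weighted_digit_sum(a, m):
    """sum_i a_i * (10^i mod m); this is ≡ a (mod m), so it is divisible by m iff a is."""
    ds = digits_low_to_high(a)
    return sum(d * c for d, c in zip(ds, coefficient_pattern(m, len(ds))))


def divisible_by_digit_test(a, m):
    return weighted_digit_sum(a, m) % m == 0


if __name__ == "__main__":
    print(coefficient_pattern(3, 4))    # [1, 1, 1, 1]        (digit sum)
    print(coefficient_pattern(11, 4))   # [1, -1, 1, -1]      (alternating sum)
    print(coefficient_pattern(7, 8))    # [1, 3, 2, -1, -3, -2, 1, 3]
    print(weighted_digit_sum(2024, 7), divisible_by_digit_test(2024, 7))  # 8 False
    print(weighted_digit_sum(2023, 7), divisible_by_digit_test(2023, 7))  # 7 True
```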
Non-linear Diophantine Equations. Fix an integer k, and consider the equation
$$x^2 + y^2 = kz^2$$
where we look for integer solutions for x, y, z. Clearly, the trivial solution
$$(x, y, z) = (0, 0, 0)$$
always exists, so we look for non-trivial solutions, where at least one of x, y, z is non-zero.
The case k = 1 is the familiar Pythagorean equation $x^2 + y^2 = z^2$. Some solutions
include (x, y, z) = (3, 4, 5), (5, 12, 13). The case k = 2 yields the equation
$$x^2 + y^2 = 2z^2$$
with solutions (1, 1, 1), (2, 2, 2), (3, 3, 3), . . . . However, things are different for the case
k = 3.

Proposition. The equation
$$x^2 + y^2 = 3z^2$$
has no non-trivial solutions.
Proof. Suppose (for contradiction) that there exists a non-trivial solution (x, y, z) =
(a, b, c). Then
$$a^2 + b^2 = 3c^2.$$
We may assume that at least one of a, b, c is odd, because if this were not true, then
(a/2, b/2, c/2) would also be a solution. We may repeat this process of dividing by two to get a
new solution until at least one of a, b, c is odd.
Now the key idea is this: if two integers are equal then they must be equal modulo m
for any m. Thus, if $a^2 + b^2 = 3c^2$, we must have
$$a^2 + b^2 \equiv 3c^2 \bmod m.$$
It turns out that we will want to take m = 4 (it is a matter of experience to know which
modulus to take). By reducing a, b, c modulo 4, we may further assume that a, b, c ∈
{0, 1, 2, 3}. But now observe that in modulo 4 world, we have

  n     $n^2 \bmod 4$
  0     0
  1     1
  2     0
  3     1

In other words, any square is congruent to 0 or 1 modulo 4. Therefore $a^2 + b^2 \equiv 0, 1$ or 2
while $3c^2 \equiv 0$ or 3. The only way to get an equality is if
$$a^2 + b^2 \equiv 3c^2 \equiv 0 \bmod 4,$$
and this happens only if $a^2, b^2, c^2 \equiv 0 \bmod 4$. But in this case, a, b, c must all be even,
which contradicts our assumption that one of a, b, c was odd. □
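The modulus-4 argument in the proof can be automated as an exhaustive residue search. The added Python below (not from the notes; names are my own) does this for general k and m and confirms that for k = 3, m = 4 every residue solution has a, b, c all even, which is exactly the descent contradiction used above; for k = 1 and k = 2 the same search finds odd residue solutions, matching the solutions listed earlier.

```python
# Added example (not from the notes): the "reduce modulo m" obstruction from
# the proof of x^2 + y^2 = 3z^2, run as an exhaustive search over residues.
from itertools import product


def squares_mod(m):
    """The set {n^2 mod m : 0 <= n < m}; for m = 4 this is {0, 1}."""
    return sorted({(n * n) % m for n in range(m)})


def residue_solutions(k, m):
    """All (a, b, c) in {0, ..., m-1}^3 with a^2 + b^2 ≡ k*c^2 (mod m)."""
    return [(a, b, c) for a, b, c in product(range(m), repeat=3)
            if (a * a + b * b - k * c * c) % m == 0]


def only_all_even_solutions(k, m):
    """True when every residue solution has a, b, c all even.

    Any integer solution reduces to one of these residue triples, so it can
    then be divided by 2 and the argument repeated: only (0, 0, 0) survives.
    """
    return all(a % 2 == 0 and b % 2 == 0 and c % 2 == 0
               for a, b, c in residue_solutions(k, m))


if __name__ == "__main__":
    print(squares_mod(4))                    # [0, 1]
    print(residue_solutions(3, 4))           # eight triples, all entries in {0, 2}
    print(only_all_even_solutions(3, 4))     # True: no non-trivial solution
    print(only_all_even_solutions(1, 4))     # False: e.g. (3, 4, 5) ≡ (3, 0, 1)
    print(only_all_even_solutions(2, 4))     # False: e.g. (1, 1, 1)
```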
