Lecture 16: More Numerical Calculations

In this lecture we’re going to focus on solving more numerical problems starting with

Solve $x^2 \equiv -1 \pmod{p}$ where $p$ is prime and $p \equiv 1 \pmod{4}$

We saw that by Wilson’s Theorem, that the solution is exactly

$$ \begin{align*} x = \left(\frac{p-1}{2}\right)! \end{align*} $$

But even though you might think now that we’re done, this formula is pretty useless. Because if $p$ was large, then we’ll have to perform tons of computations to figure out $x$. Can we find a faster method? Yes. Suppose we pick a number $b$ (we’ll discuss later how to pick it). Then we compute the following

$$ \begin{align*} a \equiv b^{\frac{p-1}{2}} \pmod{p} \end{align*} $$

Side Note: Before proceeding, why this form?? why did we raise $b$ to the power of $(p-1)/2$. This is because we know if we started with some number $b$ and raised it to that power, then this number will be congruent to either $-1$ or $1$. We're interested in the $-1$ case. But this is a good start. To see why it will be congruent to $\pm 1$, follow along

Square both sides above we see that

$$ \begin{align*} a^2 \equiv b^{(p-1)} \pmod{p} \end{align*} $$

But by Fermat, we know that $b^{(p-1)} \equiv 1 \pmod{p}$. Therefore,

$$ \begin{align*} a^2 &\equiv 1 \pmod{p} \\ a &\equiv \pm 1 \pmod{p} \end{align*} $$

Side Note: That's because we can re-write this to $a^2 - 1 \equiv 0 \pmod{p}$ which we can expand to $(a+1)(a-1) \equiv 0 \pmod{p}$. But because $p$ is prime, then $\mathbb{Z}_p$ is a field. So we have no zero divisors. Therefore, either $a+1 \equiv 0 \pmod{p}$ or $a-1 \equiv 0 \pmod{p}$.

Now, if $a \equiv -1 \pmod{p}$, then we’re done. Why? substitute for $a$ in

$$ \begin{align*} b^{\frac{p-1}{2}} \equiv a \pmod{p} \\ b^{\frac{p-1}{2}} \equiv -1 \pmod{p} \end{align*} $$

We want to write $b^{\frac{p-1}{2}}$ as a square. We know that $p \equiv 1 \pmod{4}$. Therefore,

$$ \begin{align*} p - 1 &= 4k \\ \frac{p - 1}{4} &= k \\ \frac{p - 1}{2} &= 2k \end{align*} $$

So yes, we can write $b$ as a square. To see this, observe that

$$ \begin{align*} b^{\frac{p-1}{2}} \equiv -1 \pmod{p} \\ b^{2k} \equiv -1 \pmod{p} \\ (b^{k})^2 \equiv -1 \pmod{p} \\ (b^{\frac{p-1}{4}})^2 \equiv -1 \pmod{p} \end{align*} $$

So this means that $x = b^{\frac{p-1}{4}}$

$$ \begin{align*} x = b^{\frac{p-1}{4}} \end{align*} $$

is a solution to $x^2 \equiv -1 \pmod{p}$. So now how do we choose $b$ such that we get it is congruent to $-1$ instead of being congruent to $1$? The easy way to just guess at random! Each guess has a probability of $0.5$ since it’s either going to be congruent to $1$ or $-1$.

But how fast is this? First of all, raising $b$ to the power of $(p-1)/2$ is polynomial in the input so it’s fast. The number of guesses will be bounded by $p/2$. But this is going to be exponential time. So the worst case of this algorithm is actually exponential time. However the average case is polynomial time.

Example

Solve $x^2 \equiv -1 \pmod{41}$

We saw above that the solution will have the form

$$ \begin{align*} x = b^{\frac{p-1}{4}} \end{align*} $$

We just need to guess $b$ such that $x$ becomes congruent to $-1$ and not $1$. Observe that since $p = 41$, then

$$ \begin{align*} x = b^{10} \end{align*} $$

We can start with $b = 2$ and compute $2^{10} \pmod{41}$. We saw in the previous lecture that we can do this fast by computing powers of $2$ so

$$ \begin{align*} 2^{2} &\equiv 4 \pmod{41} \\ 2^{4} &\equiv 16 \pmod{41} \\ 2^{8} &\equiv 16 \cdot 16 \pmod{41} \equiv 10 \pmod{41} \end{align*} $$

Therefore,

$$ \begin{align*} 2^{10} &\equiv 2^{2} \cdot 2^{8} \pmod{41} \\ 2^{10} &\equiv 4 \cdot 10 \pmod{41} \\ 2^{10} &\equiv -1 \pmod{41} \end{align*} $$

But this means that

$$ \begin{align*} (2^{10})^2 &\equiv 1 \pmod{41} \end{align*} $$

So this fails since its square is not congruent to $-1$ module $41$. Next, we can try $b = 3$. So

$$ \begin{align*} 3^{10} &\equiv 9 \pmod{41} \\ (3^{10})^2 &\equiv 81 \pmod{41} \\ &\equiv -1 \pmod{41} \end{align*} $$

That doesn’t work either. If we’re a computer, then this will go on to the next iteration. But notice that earlier we found out

$$ \begin{align*} 2^{10} &\equiv -1 \pmod{41} \end{align*} $$

which is

$$ \begin{align*} (2^{5})^2 &\equiv -1 \pmod{41} \end{align*} $$

Therefore, $x = 2^5$ is a solution in this case.

Primality Testing (Simple Method)

Is $x$ prime?

The first method that we already saw is to test all factors up to the square root of $x$. This is okay for up to a few hundred. If $x$ is really large, then this method is slow since it takes $\sqrt{x}$ steps. So it’s exponential in the number of digits in $x$.

Side Note: Why exponential? Let $n$ the number of digits in $x$. Then approximately, $n = \log(x)$. We can re-write this as $2^n = x$. Then, the algorithm takes $\sqrt{x} = x^{1/2} = (2^n)^{1/2} = 2^{n/2}$ steps.

Primality Testing (Difference of Squares)

Next, the second method writes $x$ as the difference of squares. Then

$$ \begin{align*} x &= a^2 - b^2 \\ &= (a - b)(a + b) \end{align*} $$

This method was used by Fermat to factor numbers. As an example, take $x = 7313$. Pick squares slightly larger than $x$. Trying this

$$ \begin{align*} 85^2 &= 7225 \\ 86^2 &= 7396 \quad (7396 - 7313 = 83 \ \text{is not a square}) \\ 87^2 &= 7569 \quad (7569 - 7313 = 256 = 16^2) \end{align*} $$

Then, we can factor $x$ to see that

$$ \begin{align*} x &= (87 + 16)(87 - 16) \\ &= 103 \cdot 71 \end{align*} $$

This method works best if $x = a \cdot b$ with $a$ and $b$ close.

Primality Testing (Fermat's Theorem)

Another method to test primes is asking if

$$ \begin{align*} a^{m-1} \equiv 1 \pmod{m} \end{align*} $$

If this is not true, then we know that $m$ is not prime. So now we want to improve this test a little bit. Suppose that

$$ \begin{align*} a^{2n} \equiv 1 \pmod{m} \end{align*} $$

If $m$ is prime, then this implies that

$$ \begin{align*} (a^{n})^2 \equiv 1 \pmod{m} \end{align*} $$

But this means that (since we have no zero divisors)

$$ \begin{align*} a^{n} \equiv \pm 1 \pmod{m} \end{align*} $$

So now instead of computing $a^{m-1}$, we can instead compute $a^{\frac{m-1}{2}}$ and check that

$$ \begin{align*} a^{\frac{m-1}{2}} \equiv \pm 1 \pmod{m} \end{align*} $$

If this is false. Then,

$$ \begin{align*} (a^{\frac{m-1}{2}})^2 &\not\equiv (\pm 1)^2 \pmod{m} \\ a^{m-1} &\not\equiv 1 \pmod{m} \end{align*} $$

So $m$ can’t be prime.

Example

Is $561$ prime?

To use the Fermat test, we want to check if

$$ \begin{align*} a^{561 - 1} \equiv 1 \pmod{561} \end{align*} $$

To use the improved test, we want to see if

$$ \begin{align*} a^{\frac{561 - 1}{2}} &\equiv \pm 1 \pmod{561} \\ a^{280} &\equiv \pm 1 \pmod{561} \end{align*} $$

To use successive squaring, the professor says to factor $m - 1$ into $2^c \cdot d$ where $d$ is odd. Then pick some number, say $a=2$ since it’s the smallest choice. Then

$$ \begin{align*} 560 = 2^4 \cdot 35 \end{align*} $$

Now, take $2^d = 2^{35}$ and use successive squaring until you reach $(a^d)^{2^c} = a^{m-1}$

$$ \begin{align*} 2^{35} &\equiv (2^{10})^3 \cdot 2^5 \equiv (463)^3 \cdot 2^5 \equiv 166 \cdot 32 \equiv 263 \pmod{561} \\ 2^{70} &\equiv (263)^2 \equiv 166 \pmod{561} \\ 2^{140} &\equiv (166)^2 \equiv 67 \pmod{561} \\ 2^{280} &\equiv (67)^2 \equiv 1 \pmod{561} \end{align*} $$

At first glance, this seems to suggest $561$ could be prime since the final result is $1$ but notice that

$$ \begin{align*} (67)^2 \equiv 1 \pmod{561} \end{align*} $$

However, $67 \not\equiv \pm 1 \pmod{561}$ so $67$ is a non-trivial square root of $1$. If $561$ was prime, then only $-1$ and $1$ can only be square roots of $1 \pmod{p}$. So $561$ is not a prime! in fact, we saw that the end result was $1$ because it is a Carmichael number.

References

Math115a by Richard E Borcherds