Outline
- Finish Modular Equations
- The Chinese Remainder Theorem
- In-Class Exercise
- Discrete Logs and Square Roots
- RSA
A Solution Existence Theorem for Modular Linear Equations
- Last time, we were working up to an algorithm that produces the solutions of the equation `ax equiv b (mod n)`.
- We argued that such an equation either has `d` distinct solutions modulo `n`, where `d=gcd(a,n)`, or it has no solutions at all.
- Before giving our Modular-Linear-Equation-Solver algorithm we need a last couple of theorems.
- The first shows when such an equation has a solution, and exhibits one:
Theorem. Let `d=gcd(a,n)` and suppose `d=ax' + ny'` for some integers `x'` and `y'` (as returned by Extended-Euclid). If `d | b`,
then the equation `ax equiv b (mod n)` has as one of its solutions the value `x_0 = x'(b/d) mod n`. (Since `d | b`, `b/d` is an integer.)
Proof. Suppose `x_0 = x'(b/d) mod n`. Then
`ax_0 equiv ax'(b/d) (mod n)`
`equiv d(b/d) (mod n)` (since `ax' = d - ny' equiv d (mod n)`)
`equiv b (mod n)`.
On the Number of Solutions
- The second theorem gives all the solutions once one is known.
Theorem. Suppose `ax equiv b (mod n)` is solvable and that `x_0` is a solution. Then this equation has exactly `d` solutions modulo `n`, given by `x_i = x_0 + i(n/d)`, for `i=0,1,...,d-1`.
Proof. Since `n/d > 0` and `0 le i(n/d) < n` for `0 le i le d-1`, any two of the values `x_0, x_1,..., x_(d-1)` differ by a positive multiple of `n/d` that is less than `n`, so they are all distinct modulo `n`. Each is a solution since `d | a` gives `a i(n/d) = (a/d) i n equiv 0 (mod n)`, so
`a x_i equiv a(x_0 + i(n/d)) equiv a x_0 + a i(n/d) equiv a x_0 equiv b (mod n)`. From our corollary earlier today, the equation either has exactly `d` solutions or no solutions, so these must be all of them.
Modular Linear Equation Algorithm
- Given the above theorems we are now in a position to give an algorithm for solving modular linear equations (it prints all `d` solutions when `d | b`, using `x'` from Extended-Euclid and `x_0 = x'(b/d) mod n`):
Modular-Linear-Equation-Solver(a, b, n)
1. (d, x', y') = Extended-Euclid(a, n)
2. if d | b:
3.     x_0 = x' * (b/d) mod n
4.     for i = 0 to d - 1:
5.         print (x_0 + i * (n/d)) mod n
6. else print "no solutions"
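As an added example (not code from the lecture notes), here is the same algorithm in Python, together with the Extended-Euclid routine it calls. It returns the list of solutions instead of printing them, and a brute-force checker is included so the output can be compared against trying every residue. Function names are ours.

```python
# Added example, not from the lecture notes: Extended-Euclid and
# Modular-Linear-Equation-Solver in Python. Function names are ours.


def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) and d = a*x + b*y, for a, b >= 0."""
    if b == 0:
        return (a, 1, 0)
    d, x1, y1 = extended_euclid(b, a % b)
    # d = b*x1 + (a mod b)*y1 = b*x1 + (a - floor(a/b)*b)*y1
    #   = a*y1 + b*(x1 - floor(a/b)*y1)
    return (d, y1, x1 - (a // b) * y1)


def modular_linear_equation_solver(a, b, n):
    """Return the sorted list of all x in Z_n with a*x = b (mod n); [] if none.

    Follows the lecture's algorithm: d = gcd(a, n); no solutions unless d | b;
    otherwise x_0 = x'*(b/d) mod n and the d solutions are
    x_0 + i*(n/d) mod n for i = 0, ..., d-1.
    """
    if n <= 0:
        raise ValueError("modulus must be positive")
    a %= n
    b %= n
    d, x_prime, _ = extended_euclid(a, n)
    if b % d != 0:
        return []
    x0 = (x_prime * (b // d)) % n
    return sorted((x0 + i * (n // d)) % n for i in range(d))


def brute_force(a, b, n):
    """Reference check: test every residue 0..n-1 directly."""
    return [x for x in range(n) if (a * x - b) % n == 0]


if __name__ == "__main__":
    # 14x = 30 (mod 100): d = gcd(14, 100) = 2, so two solutions, 45 and 95.
    print(modular_linear_equation_solver(14, 30, 100))
    print(brute_force(14, 30, 100))
    # extended_euclid(15, 2) should give (1, 1, -7), i.e. 15*1 - 7*2 = 1.
    print(extended_euclid(15, 2))
```

The solver reduces `a` and `b` modulo `n` first so that `extended_euclid` always sees non-negative arguments; the `a = 0` case then falls out correctly (every residue is a solution exactly when `n | b`).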
In-Class Exercise
- How many solutions will the equation `7x equiv 3 (mod 21)` have?
- How many solutions will the equation `14x equiv 7 (mod 21)` have?
- Work out any solutions using what we've learned so far.
- Trick question... Evaluate:
`(a-p)(b-p) cdots (x-p)(y-p)(z-p).`
- Post your solutions to the Apr 8 In-Class Exercise Thread.
About The Chinese Remainder Theorem
- In studying number theory we have so far looked at a Greek algorithm (Euclid's) that is more than 2000 years old, so it's time to look at a Chinese result that is also more than a thousand years old, the Chinese Remainder Theorem.
- One of the earliest works containing the Chinese Remainder Theorem was
孙子算经 (Sunzi Suan Jing), which was written between the 3rd and 5th century.
- Some uses of it are:
- It tells us that if `n` is the product of pairwise relatively prime numbers `n_1,...,n_k`, then the ring `ZZ_n` has the same structure as (is isomorphic to) the Cartesian product `ZZ_(n_1) times ZZ_(n_2) times ... times ZZ_(n_k)`.
- It gives us efficient/parallel algorithms for certain operations
like addition and multiplication, by allowing us to work modulo each `n_i` (a small number) rather than modulo `n` (a potentially big number).
The Chinese Remainder Theorem
Theorem. Let `n = n_1 cdot n_2 cdots n_k`, where the `n_i` are pairwise relatively prime.
Consider the correspondence `a <=> (a_1,...,a_k)` where `a_i = a mod n_i`.
Then this is a bijection between `ZZ_n` and `ZZ_(n_1) times ... times ZZ_(n_k)` that preserves addition and multiplication.
Proof. The preservation of plus and times is easy to check: since `n_i | n`, reducing modulo `n` and then modulo `n_i` is the same as reducing modulo `n_i`. Computing the `a_i`'s from `a` is also easy.
To compute `a` from `(a_1,..,a_k)`, let `m_i = n/n_i`. Observe `gcd(m_i, n_i)=1` (as `m_i` is a product of numbers relatively prime to `n_i`) and also `m_j equiv 0 (mod n_i)` for `j != i` (as `n_i | m_j`).
Compute `t_i = m_i^(-1) (mod n_i)` using the Extended Euclidean Algorithm.
Let `c_i = m_i cdot t_i` (here we are not computing `c_i` modulo anything). Finally, compute `a` as `(a_1 cdot c_1 + cdots + a_k cdot c_k) mod n`. Notice
`a equiv sum_j a_j c_j equiv sum_j a_j (m_j cdot t_j) equiv a_i cdot c_i (mod n_i)` using `m_j equiv 0 (mod n_i)` for `j != i`. So
`a equiv a_i cdot c_i equiv a_i cdot m_i cdot t_i equiv a_i (mod n_i)`.
Thus every `k`-tuple is hit, and since both sides have exactly `n` elements the correspondence is a bijection.
Example
Find a number `a` modulo `30` such that `a equiv 1 (mod 2)`, `a equiv 2 (mod 3)`, and `a equiv 3 (mod 5)`.
Solution. First we compute: `m_1 = 30/2 = 15`, `m_2 = 30/3 = 10`, `m_3 = 30/5 = 6`. Next we compute
`t_i = (m_i)^(-1) mod n_i`. Abbreviate Extended-Euclid(a, b) as EE(a,b).
For `i=1`, Extended-Euclid(15, 2) makes the calls:
EE(15,2)
EE(2, 1)
EE(1, 0) which returns `(1, 1, 0)`
So EE(2, 1) returns `(1, 0, 1 - |__2/1__| cdot 0) = (1, 0, 1)`
So EE(15,2) returns `(1, 1, 0 - |__15/2__| cdot 1) = (1, 1, -7)`
This tells us `15 cdot 1 - 7 cdot 2 = 1`. i.e., `15 cdot 1 equiv 1 mod 2`, therefore, `t_1 = 15^(-1) = 1 mod 2`. Similarly,
we can compute Extended-Euclid(10, 3) to get `t_2 = 10^(-1) = 1 mod 3`, and compute Extended-Euclid(6, 5) to get
`t_3 = 6^(-1) = 1 mod 5`. From this we have `c_1 = m_1 cdot t_1 = 15 cdot 1 = 15`, `c_2 = 10 cdot 1 = 10`, `c_3 = 6 cdot 1 = 6`.
So finally `a = a_1 cdot c_1 + a_2 cdot c_2 + a_3 cdot c_3 = 1 cdot 15 + 2 cdot 10 + 3 cdot 6 = 15 + 20 + 18 = 53 equiv 23 (mod 30)`.
One can check `23 equiv 1 mod 2`, `23 equiv 2 mod 3`, and `23 equiv 3 mod 5`.
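As an added example (not code from the lecture notes), the following Python computes the coefficients `c_i = m_i t_i` of the proof, runs the correspondence in both directions, and uses the "preserves product" half of the theorem to multiply modulo `n` by working modulo each small `n_i`. Function names are ours, and it assumes Python 3.8 or later, since the built-in `pow(m, -1, n)` is used for the inverse `m^(-1) mod n` that the notes obtain from Extended-Euclid.

```python
# Added example, not from the lecture notes: the CRT correspondence
# a <-> (a mod n_1, ..., a mod n_k) in both directions. Function names are
# ours. pow(m, -1, n) (Python 3.8+) is the inverse m^(-1) mod n that the
# notes compute with Extended-Euclid.
from math import gcd, prod


def crt_coefficients(moduli):
    """Return (n, [c_1, ..., c_k]) with n = n_1*...*n_k and c_i = m_i * t_i,
    where m_i = n / n_i and t_i = m_i^(-1) mod n_i.  Then c_i = 1 (mod n_i)
    and c_i = 0 (mod n_j) for j != i.  Raises if the moduli are not
    pairwise relatively prime, since the theorem needs that."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(
                    f"moduli {moduli[i]} and {moduli[j]} are not relatively prime")
    n = prod(moduli)
    coeffs = []
    for n_i in moduli:
        m_i = n // n_i
        t_i = pow(m_i, -1, n_i)
        coeffs.append(m_i * t_i)  # deliberately not reduced, as in the notes
    return n, coeffs


def crt_split(a, moduli):
    """a -> (a_1, ..., a_k): the easy direction of the correspondence."""
    return [a % n_i for n_i in moduli]


def crt_combine(residues, moduli):
    """(a_1, ..., a_k) -> the unique a mod n with a = a_i (mod n_i) for all i."""
    n, coeffs = crt_coefficients(moduli)
    return sum(a_i * c_i for a_i, c_i in zip(residues, coeffs)) % n


def mul_via_crt(a, b, moduli):
    """a*b mod n computed by multiplying modulo each small n_i, then
    recombining: the 'preserves product' part of the theorem in action."""
    n, coeffs = crt_coefficients(moduli)
    products = [(a % n_i) * (b % n_i) % n_i for n_i in moduli]
    return sum(p * c for p, c in zip(products, coeffs)) % n


if __name__ == "__main__":
    moduli = [2, 3, 5]
    print(crt_coefficients(moduli))        # (30, [15, 10, 6]) as in the worked example
    print(crt_combine([1, 2, 3], moduli))  # 23
    print(crt_split(23, moduli))           # [1, 2, 3]
    print(mul_via_crt(17, 19, moduli), 17 * 19 % 30)  # the same value both ways
```

`crt_combine([2, 3, 2], [3, 5, 7])` reproduces the classic Sunzi problem (a number leaving remainders 2, 3, 2 on division by 3, 5, 7), whose answer is 23.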
Powers of an Element
- The following two useful theorems (Euler's theorem and Fermat's little theorem) are corollaries of earlier results about the size of `ZZ_n^star` and Lagrange's Theorem:
Theorem. For any integer `n gt 1`, `a^(phi(n)) equiv 1 (mod n)` for all `a in ZZ_n^star`.
Theorem. If `p` is prime, then `a^(p - 1) equiv 1 (mod p)` for all `a in ZZ_p^star`.
- The next theorem tells us the values of n for which `ZZ_n^star` is cyclic.
Theorem (#). The values of `n gt 1` for which `ZZ_n^star` is cyclic (that is, generated by one element) are `2`, `4`, `p^e`, and `2p^e`, for all primes `p gt 2` and all positive integers `e`.
Proof Idea. Both of our textbooks skip the proof of this. It can be found in An Introduction to The Theory of Numbers. Niven, Zuckerman, Montgomery. 5th Ed. Wiley. 1991. The cases `n=2` (where `ZZ_2^star` consists of the 1 element `1`) and `n=4` (where `ZZ_4^star = {1, 3}` consists of 2 elements) are trivial.
For the case of `ZZ_p^star` one can show that if `a` has order `h` mod `p` and `b` has order `k` mod `p` and `h` and `k` are relatively prime, then `ab` will have order `hk` mod `p`. This is applied to the prime factorization of `p-1` to get elements whose orders are the prime-power factors of `p-1`, and these are combined to get a generator of `ZZ_p^star`. One then shows that if `g` generates `ZZ_p^star` then `g+tp` generates `ZZ_{p^2}^star` for all but one residue `t` mod `p`. One then can show that if `p` is an odd prime and `g` generates `ZZ_{p^2}^star`, then `g` also generates `ZZ_{p^e}^star` for `e > 2`. (To see this, one shows using the binomial theorem that no earlier power can be congruent to `1 mod p^e`.) One next shows that it follows that either `g` or `g + p^e`, whichever is odd, will generate `ZZ_{2p^e}^star`. Finally, one can show that if `n` isn't of the above form, then it can be expressed as a product of two relatively prime numbers `n_1, n_2 > 2`, and that the order of every element in `ZZ_n^star` is at most the least common multiple of `phi(n_1)` and `phi(n_2)`; since both of these are even, that is at most `phi(n)/2`, strictly less than `phi(n)`, so no element generates `ZZ_n^star`.
More Powers of an Element
- `g` is a primitive root or generator of `ZZ_n^star` if `langle g rangle = ZZ_n^star`.
- If `g` is a primitive root then for every `a in ZZ_n^star` the equation `g^x equiv a (mod n)` has a solution `x`, called the discrete logarithm or index of `a mod n` to the base `g`, which we write as `ind_(n, g)(a)`.
- The next theorem concerns the discrete logarithm problem: finding `x` from `g`, `a` and `n`. Like factoring, the basis of RSA, this problem is believed to be computationally hard, and it underlies other cryptosystems.
Theorem (##). If `g` is a primitive root of `ZZ_n^star`, then the equation `g^x equiv g^y (mod n)` holds if and only if the equation `x equiv y mod phi(n)` holds.
Proof. Suppose `x equiv y mod phi(n)` holds. Then `x = y + k phi(n)` for some integer `k`. So `g^x equiv g^(y + k phi(n)) equiv g^y g^(k phi(n)) equiv g^y 1^k equiv g^y (mod n)`, using `g^(phi(n)) equiv 1 (mod n)` from the first theorem above.
Conversely, suppose `g^x equiv g^y (mod n)` holds, and say `x ge y`. Since `g` is a generator, `|langle g rangle| = phi(n)`, so the order of `g` is exactly `phi(n)`: `g^k equiv 1 (mod n)` if and only if `phi(n) | k`. Multiplying both sides by `(g^y)^(-1)` gives `g^(x-y) equiv 1 (mod n)`, hence `phi(n) | (x - y)`, i.e., `x equiv y mod phi(n)`.
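As an added example (not code from the lecture notes), the following Python makes the theorems of this section concrete for small moduli: it enumerates `ZZ_n^star`, computes `phi(n)` and the order of each element, lists the primitive roots (so `ZZ_n^star` is cyclic exactly when the list is non-empty, which can be compared against the form of `n` predicted by Theorem (#)), builds the table of indices `ind_(n,g)(a)` by brute force, and checks Theorem (##) directly. Function names are ours, and the discrete logs are found by exhaustive search, which is only feasible because `n` is tiny; nothing here says anything about how hard the problem is for the sizes used in cryptography.

```python
# Added example, not from the lecture notes: brute-force tools for Z_n^*.
# Function names are ours; ind_{n,g}(a) from the notes is index_table(g, n)[a].
from math import gcd


def units(n):
    """Elements of Z_n^*: residues 1..n-1 relatively prime to n (n > 1)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def phi(n):
    """Euler's totient phi(n) = |Z_n^*|, for n > 1."""
    return len(units(n))


def order(a, n):
    """Multiplicative order of a in Z_n^*: least k >= 1 with a^k = 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not a unit mod {n}")
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k


def primitive_roots(n):
    """Generators of Z_n^*: units of order phi(n). Empty iff Z_n^* is not cyclic."""
    ph = phi(n)
    return [g for g in units(n) if order(g, n) == ph]


def factor(n):
    """Prime factorization of n > 1 as {p: e}, by trial division."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def theorem_hash_predicts_cyclic(n):
    """Theorem (#): Z_n^* is cyclic iff n is 2, 4, p^e or 2p^e, p an odd prime."""
    if n in (2, 4):
        return True
    f = factor(n)
    odd_primes = [p for p in f if p != 2]
    return len(odd_primes) == 1 and f.get(2, 0) <= 1


def index_table(g, n):
    """Map each a in Z_n^* to ind_{n,g}(a): the x in [0, phi(n)) with g^x = a (mod n)."""
    ph = phi(n)
    if order(g, n) != ph:
        raise ValueError(f"{g} is not a primitive root mod {n}")
    table, x = {}, 1
    for e in range(ph):
        table[x] = e
        x = x * g % n
    return table


def discrete_log(g, a, n):
    """ind_{n,g}(a) by exhaustive search; fine only for tiny n."""
    return index_table(g, n)[a % n]


def theorem_hashhash_holds(g, n, bound=40):
    """Theorem (##): g^x = g^y (mod n) iff x = y (mod phi(n)), checked for 0 <= x, y < bound."""
    ph = phi(n)
    return all((pow(g, x, n) == pow(g, y, n)) == (x % ph == y % ph)
               for x in range(bound) for y in range(bound))


if __name__ == "__main__":
    for n in (7, 8, 9, 10, 15):
        print(n, "phi =", phi(n), "primitive roots =", primitive_roots(n),
              "Theorem (#) predicts cyclic:", theorem_hash_predicts_cyclic(n))
    print("ind_{7,3}(6) =", discrete_log(3, 6, 7))  # 3^3 = 27 = 6 (mod 7)
    print("Theorem (##) holds for g=3, n=7:", theorem_hashhash_holds(3, 7))
```

For `n = 8` the primitive-root list comes back empty (every unit has order at most 2, so `ZZ_8^star` is not cyclic), matching Theorem (#), which excludes `2^e` for `e ge 3`; for `n = 9 = 3^2` and `n = 10 = 2 cdot 5` generators exist.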