Week 4

The document discusses Wilson's Theorem, which provides a primality test by checking if (n-1)! ≡ -1 (mod n). It proves the theorem and provides examples of its applications, including problems involving (p-k)! and values of r such that (p-1)(p-2)...(p-r) ≡ -1 (mod p).


NUMBER THEORY AND CRYPTOGRAPHY

MATH3301
UNSW, 2024

Lecture 10
Today, we’ll explore Wilson’s Theorem. We state and prove it, and then we look at
some problems where we can apply it.
Theorem 0.1 (Wilson’s Theorem). An integer n is prime if and only if
(n − 1)! ≡ −1 mod n.
To see how we can approach this, let’s look at a toy example that will give us some
insight as to what is going on. Suppose n = 7. We aim to show that
6! = 6 · 5 · 4 · 3 · 2 · 1 ≡ −1 mod 7.
Notice that
6 ≡ −1 mod 7
1 ≡ 1 mod 7
so it is enough to show that
5 · 4 · 3 · 2 ≡ 1 mod 7.
Note that 2, 3, 4, 5 all have inverses modulo 7, since any of these numbers are relatively
prime with 7 (this is immediate since 7 is prime). But also notice that
2^{-1} ≡ 4 mod 7
3^{-1} ≡ 5 mod 7
so
5 · 4 · 3 · 2 = (5 · 3) · (4 · 2) ≡ 1 mod 7.
From this example, we see that the general strategy (for one direction) should be to pair up
the numbers 2, 3, . . . , p − 2 with their modulo p inverse, which will show that the product
is congruent to 1. Then since p − 1 ≡ −1 mod p we’ll have our result.

Proof of Wilson’s Theorem. There are two directions to the proof, since it’s an ‘if and only
if’ statement.
(i) Suppose n = p is a prime. We aim to show that (p − 1)! ≡ −1 mod p. Note that
when p = 2, we don’t need to prove anything, since we can easily see that
(2 − 1)! = 1! = 1 ≡ −1 mod 2.
Suppose that p > 2. We’ll proceed using the strategy from the example, that is, pair
up the numbers 2, 3, . . . , p − 2 with their inverses. It is enough to check three things:
• an inverse of a ∈ {2, . . . , p − 2} exists and is from the same set.
• any two distinct numbers from {2, . . . , p − 2} have distinct inverses.
• no a ∈ {2, . . . , p − 2} is its own inverse.
If these three things hold, then we may rearrange the product
2 · 3 · . . . · (p − 2)
so that each number is next to its inverse, with none left over. We may then deduce
that
2 · 3 · . . . · (p − 2) ≡ 1 mod p.
To check the first, note that a ∈ {2, . . . , p − 2} is always relatively prime with p,
since p is prime, so a^{-1} exists. Now suppose for contradiction that a^{-1} ≡ ±1 mod p.
Then
1 ≡ aa^{-1} ≡ ±a mod p.
But this contradicts the fact that a ∈ {2, . . . , p − 2}, since no number in that set
reduces to ±1 modulo p.
The second one follows because
a^{-1} ≡ b^{-1} mod p ⇐⇒ 1 ≡ aa^{-1} ≡ ab^{-1} mod p
⇐⇒ b ≡ ab^{-1}b ≡ a mod p.
For the third, suppose that a ≡ a^{-1} mod p. Then
a^2 ≡ 1 mod p
and hence
p | (a^2 − 1).
Since a^2 − 1 = (a − 1)(a + 1), by a previous result, p | (a − 1) or p | (a + 1). This implies
that
a ≡ ±1 mod p
so a ∉ {2, . . . , p − 2}.
(ii) Suppose (n − 1)! ≡ −1 mod n. We aim to show that n is prime. Suppose for
contradiction that n is not prime, that is, there exists some 1 < a < n such that a|n.
Since a < n, by definition of factorial, we have
a|(n − 1)!.
Also, by assumption, n|((n − 1)! + 1), hence
a|((n − 1)! + 1).
Therefore
a|((n − 1)! + 1 − (n − 1)!) = 1.
But then a must be 1, a contradiction since we require that 1 < a < n. Therefore n
cannot be composite, and hence is prime.

Remark. Wilson’s Theorem gives us our first (non-trivial) primality test. We check if n is
prime or not by checking whether or not
(n − 1)! ≡ −1 mod n.
Let’s look at some problems that we can apply Wilson’s Theorem to.
Example.
(i) Prove that if p is an odd prime, then 2(p − 3)! ≡ −1 mod p.
Notice that by definition
(p − 1)! = (p − 1)(p − 2)(p − 3)!.
What is (p − 1)(p − 2) modulo p? Expanding the brackets, we see that
(p − 1)(p − 2) = p^2 − 3p + 2 ≡ 2 mod p
so conveniently, we have
2(p − 3)! ≡ (p − 1)(p − 2)(p − 3)! ≡ (p − 1)! ≡ −1 mod p.
In other examples, it might not work so conveniently. A general method is to rewrite
2(p − 3)! in terms of something with (p − 1)! in it, and see what happens from there.
So we can write
2(p − 3)! ≡ 2(p − 1)!(p − 1)^{-1}(p − 2)^{-1} mod p.
By Wilson’s Theorem, the right hand side is congruent to −2(p − 1)^{-1}(p − 2)^{-1}
modulo p. Since (p − 1)^{-1} ≡ −1 mod p,
2(p − 3)! ≡ −2(p − 1)^{-1}(p − 2)^{-1} ≡ 2(p − 2)^{-1} mod p.
Now, what does (p − 2)^{-1} do? Note that we have
(p − 2)^{-1} ≡ (−2)^{-1} ≡ −(2^{-1}) mod p
so therefore
2(p − 3)! ≡ 2(p − 2)^{-1} ≡ −(2 · 2^{-1}) ≡ −1 mod p.
(ii) Prove that if p is prime and k is an integer such that 0 < k < p, then
(p − k)!(k − 1)! ≡ (−1)^k mod p.
Again, the strategy is to rewrite (p − k)!(k − 1)! in terms of something with (p − 1)!
in it. We do so by writing
(p − k)!(k − 1)! ≡ (p − 1)!(k − 1)!(p − 1)^{-1}(p − 2)^{-1} . . . (p − (k − 1))^{-1} mod p
≡ (−1)(k − 1)!(p − 1)^{-1}(p − 2)^{-1} . . . (p − (k − 1))^{-1} mod p,
where the second congruence follows by Wilson’s Theorem. Now observe that for
any 1 ≤ r ≤ k,
r(p − r)^{-1} ≡ −1 mod p.
This is true because
(p − r)^{-1} ≡ (−r)^{-1} ≡ −r^{-1} mod p.
Now, we may pair up the terms in (k − 1)!(p − 1)^{-1}(p − 2)^{-1} . . . (p − (k − 1))^{-1} into
k − 1 pairs of the form r · (−r^{-1}). Therefore
(p − k)!(k − 1)! ≡ (p − 1)!(k − 1)!(p − 1)^{-1}(p − 2)^{-1} . . . (p − (k − 1))^{-1} mod p
≡ (−1)(k − 1)!(p − 1)^{-1}(p − 2)^{-1} . . . (p − (k − 1))^{-1} mod p
≡ (−1)(−1)^{k−1} mod p
≡ (−1)^k mod p.
(iii) Try this one as an exercise: Suppose p is a prime such that p ≡ 1 mod 4, and a is
an integer satisfying a^2 ≡ −1 mod p, then
a ≡ ±((p − 1)/2)! mod p.
(iv) Also, try this one: (Incomplete Wilson’s Theorem). Let p be a prime. For what
values of 1 ≤ r ≤ p − 1 is
(p − 1)(p − 2) . . . (p − r) ≡ −1 mod p?
Notice that for r = 1, then this is simply p − 1 ≡ −1 mod p. For r = p − 1, p − 2,
this is Wilson’s Theorem. What about for other values?
Lecture 11
Today we look at Fermat’s Little Theorem (‘FLT’) and examine an application used to
find prime factors of numbers, known as Pollard’s p − 1 algorithm.
Theorem 0.2 (FLT). If p is a prime and a is an integer such that p ∤ a, then
a^{p−1} ≡ 1 mod p.
As an example, consider p = 7 and a = 3. Then
3^6 = (3^2)^3 = 9^3 ≡ 2^3 ≡ 8 ≡ 1 mod 7.
Proof. Consider the set of numbers
{a, 2a, . . . , (p − 1)a}.
We aim to show that modulo p, this set reduces to the set
{1, 2, . . . , p − 1}.
To do this, we must prove two statements:
(i) none of these numbers are congruent to 0 modulo p.
(ii) no two are congruent to each other.
For (i), suppose that p | ka for some 1 ≤ k ≤ p − 1. We have proved previously that this
implies that p | k or p | a. But by assumption p ∤ a, and p can never divide k = 1, 2, . . . , p − 1.
Therefore we reach a contradiction.
For (ii), suppose that two distinct numbers are congruent. That is, suppose that
ka ≡ ja mod p, k ≢ j mod p.
Notice that a^{-1} exists since p ∤ a and hence gcd(a, p) = 1. Multiplying both sides by a^{-1},
we get
kaa^{-1} ≡ jaa^{-1} mod p =⇒ k ≡ j mod p
which contradicts our assumption that k ≢ j mod p.
Therefore {a, 2a, . . . , (p − 1)a} = {1, 2, . . . , p − 1} under modulo p (but possibly in a
different order). Multiplying the numbers in each set together, we must have
a(2a)(3a) . . . (p − 1)a ≡ 1(2)(3) . . . (p − 1) mod p.
The left hand side is equal to a^{p−1}(p − 1)! and the right hand side is equal to (p − 1)!.
Notice that each factor of (p − 1)! is coprime to p (since the factors are one of 1, 2, . . . , p − 1,
all less than p). Therefore we can multiply both sides by each of these inverses successively
to ‘cancel’ the (p − 1)! term (alternatively, use Theorem 0.1). Thus we obtain
a^{p−1} ≡ 1 mod p.

Example.
(i) Reduce 3^{100} mod 7.
By FLT, we know that 3^6 ≡ 1 mod 7. We may write
3^{100} = (3^6)^{16} · 3^4 ≡ 1^{16} · 3^4 ≡ 81 ≡ 4 mod 7.
(ii) Show that when p, q are distinct primes, p^{q−1} + q^{p−1} ≡ 1 mod pq.
By FLT, we have
p^{q−1} + q^{p−1} ≡ 0 + q^{p−1} ≡ 1 mod p
p^{q−1} + q^{p−1} ≡ p^{q−1} + 0 ≡ 1 mod q
We want modulo pq, so recall that the Chinese remainder theorem gives us a result
modulo the product of the separate moduli. We have essentially obtained the system
x≡1 mod p
x≡1 mod q.
and want to know x ≡? mod pq. The Chinese remainder theorem gives us exactly
what we want! If we apply the theorem, we will see that
x≡1 mod pq.
NOTE: whenever we need to reduce modulo a product, we should try the Chinese
remainder theorem.
(iii) Prove that if p is prime and p > 3, then
2^{p−2} + 3^{p−2} + 6^{p−2} ≡ 1 mod p.
Note that since p > 3, p ∤ 2, 3, 6, so 2^{-1}, 3^{-1}, 6^{-1} all exist. By FLT, we may deduce
that
a^{-1} ≡ a^{p−2} mod p
whenever p ∤ a (simply multiply both sides of FLT by a^{-1}). Therefore
2^{p−2} + 3^{p−2} + 6^{p−2} ≡ 2^{-1} + 3^{-1} + 6^{-1} mod p.
Now observe that 2 · 3 · 6^{-1} ≡ 6 · 6^{-1} ≡ 1 mod p, so multiplying both sides by 2^{-1}
shows that
3 · 6^{-1} ≡ 2^{-1} mod p.
Similarly, we may show that
2 · 6^{-1} ≡ 3^{-1} mod p.
Thus
2^{p−2} + 3^{p−2} + 6^{p−2} ≡ 2^{-1} + 3^{-1} + 6^{-1} mod p
≡ 3 · 6^{-1} + 2 · 6^{-1} + 6^{-1} mod p
≡ 6 · 6^{-1} mod p
≡ 1 mod p.
Pollard’s p − 1 algorithm. This is a method to find prime factors of large numbers n.
It is effective only when n has a prime divisor p such that p − 1 is a divisor of k! for some
small integer k. In particular, it is most effective when all the prime factors of p − 1 are small.
Approach: Suppose we want to find a prime factor p > 2 of n. Observe that by FLT,
2^{p−1} ≡ 1 mod p.
But if (p − 1) | k!, then k! = A(p − 1). Therefore
2^{k!} = 2^{A(p−1)} = (2^{p−1})^A ≡ 1^A ≡ 1 mod p
and hence p | (2^{k!} − 1). Use the division algorithm to write
2^{k!} − 1 = qn + M_k.
Since p | n and p | (2^{k!} − 1), we can conclude p | M_k. Therefore p | gcd(n, M_k). So looking for
prime factors of n is reduced to looking for prime factors of gcd(n, M_k), a smaller number.
Using these facts, the algorithm specifies that:
(1) Starting from k = 1, compute M_k by reducing 2^{k!} − 1 modulo n, and then compute
gcd(n, M_k).
(2) Repeat for k = 2, 3, . . . until we reach a k such that gcd(n, M_k) > 1.
(3) If gcd(n, M_k) is prime, then we’re done. If not, repeat the algorithm again but
this time for gcd(n, M_k).
Example. Find a prime factor of 689.
(1) k = 1, 2^{1!} − 1 = 1 ≡ 1 mod 689, gcd(1, 689) = 1.
(2) k = 2, 2^{2!} − 1 = 3 ≡ 3 mod 689, gcd(3, 689) = 1.
(3) k = 3, 2^{3!} − 1 = 63 ≡ 63 mod 689, gcd(63, 689) = 1.
(4) k = 4, 2^{4!} − 1 = (2^{3!})^4 − 1 ≡ 65 mod 689, gcd(65, 689) = 13.
(5) Since 13 is prime, we are done! We have found that 13|689.
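The algorithm above in code, as an added example (mine, not the lecture notes’): `pollard_p_minus_1` keeps 2^{k!} mod n incrementally, since 2^{k!} = (2^{(k−1)!})^k, and `find_prime_factor` carries out step (3). The early exit when gcd(n, M_k) = n is my addition, and the function names are assumptions; run on 689 it stops at k = 4 with M_4 ≡ 65 and gcd 13, exactly as in the worked example.

```python
# Added example: Pollard's p - 1 algorithm as described in the notes
# (not the notes' own code). M_k = (2^{k!} - 1) mod n is updated
# incrementally, so each step costs one modular exponentiation.
from math import gcd


def pollard_p_minus_1(n: int, max_k: int = 10_000):
    """Return (k, gcd(n, M_k)) for the first k with 1 < gcd(n, M_k) < n.
    Returns None if k reaches max_k, or if gcd(n, M_k) = n (every prime
    factor was picked up at once, so nothing is learned; my addition)."""
    x = 2                          # x = 2^{k!} mod n, starting at k = 0
    for k in range(1, max_k + 1):
        x = pow(x, k, n)           # (2^{(k-1)!})^k = 2^{k!}
        m = (x - 1) % n            # M_k
        g = gcd(n, m)
        if g == n:
            return None
        if g > 1:
            return k, g
    return None


def is_prime(n: int) -> bool:
    """Trial division; only used to decide whether step (3) must repeat."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_prime_factor(n: int):
    """Steps (1)-(3): rerun on gcd(n, M_k) until the factor found is prime."""
    while True:
        found = pollard_p_minus_1(n)
        if found is None:
            return None
        _, g = found
        if is_prime(g):
            return g
        n = g


if __name__ == "__main__":
    print(pollard_p_minus_1(689))   # (4, 13): same k as the worked example
    print(find_prime_factor(689))   # 13
```

The smoothness condition is visible on n = 101 · 103: 101 falls out at k = 10 because 100 | 10!, while 103 − 1 = 102 has the factor 17 and survives, which is why key-generation checks reject primes whose p − 1 has only small factors.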
Here are three easy corollaries of FLT; the proofs are left as exercises.
Corollary 0.3. If a is any positive integer, then a^p ≡ a mod p.
Corollary 0.4. If p ∤ a, then a^{-1} ≡ a^{p−2} mod p.
Corollary 0.5. If a, b are positive integers such that p ∤ a, then
ax ≡ b mod p
has solution x ≡ a^{p−2} b mod p.
Lecture 12
Today we look at Euler’s Theorem, which allows us to generalise FLT to non-primes.
We begin with some definitions.
Definition 0.6 (Euler’s ϕ-function, or totient function). We define ϕ(n) to be the number of
positive integers less than n that are coprime to n. More precisely,
ϕ(n) := #{1 ≤ k ≤ n : gcd(k, n) = 1}.
For example, ϕ(10) = 4 since 1, 3, 7, 9 are coprime to 10 but 2, 4, 5, 6, 8, 10 are not.
Definition 0.7 (Reduced residue system). A reduced residue system modulo n (r.r.s. for
short) is a set of ϕ(n) distinct integers modulo n such that each integer is coprime to n.
For example, {1, 3, 7, 9} is a r.r.s. modulo 10. But note that {11, 23, 67, 99} is also a
r.r.s. modulo 10.
Theorem 0.8. If
{r_1, r_2, . . . , r_{ϕ(n)}}
is a r.r.s modulo n, and gcd(a, n) = 1, then
{ar_1, ar_2, . . . , ar_{ϕ(n)}}
is also a r.r.s modulo n.
Proof. This is very similar to the first step in our proof of FLT. We check that
(i) for each j, ar_j is coprime to n.
(ii) no two distinct ar_i and ar_j are congruent modulo n.
For (i), assume for contradiction that gcd(ar_j, n) = d > 1. Then d has a prime divisor
p, so p | ar_j and p | n. Since p | ar_j, p | a or p | r_j. The former case contradicts our assumption
that gcd(a, n) = 1, and the latter case contradicts the assumption that gcd(r_j, n) = 1
(which is given from Definition 0.7).
For (ii), assume that there exist distinct ar_j ≡ ar_k mod n. This means that r_j ≢ r_k
mod n. Since gcd(a, n) = 1, a^{-1} exists modulo n, so we may multiply both sides by it to
cancel the a. Thus
ar_j ≡ ar_k mod n =⇒ r_j ≡ r_k mod n
which contradicts ar_j, ar_k being distinct. □
Theorem 0.9 (Euler’s Theorem). If gcd(a, n) = 1, then a^{ϕ(n)} ≡ 1 mod n.
Proof. Let
{r_1, r_2, . . . , r_{ϕ(n)}}
be a r.r.s modulo n. We just showed that
{ar_1, ar_2, . . . , ar_{ϕ(n)}}
is also a r.r.s modulo n. Therefore
(ar_1)(ar_2) . . . (ar_{ϕ(n)}) ≡ r_1 r_2 . . . r_{ϕ(n)} mod n
a^{ϕ(n)} r_1 r_2 . . . r_{ϕ(n)} ≡ r_1 r_2 . . . r_{ϕ(n)} mod n.
Note that r_i^{-1} exists for each 1 ≤ i ≤ ϕ(n) as they are coprime to n. We can multiply
both sides by r_1^{-1} r_2^{-1} . . . r_{ϕ(n)}^{-1} to cancel all of the r_i, and thus
a^{ϕ(n)} ≡ 1 mod n.

As mentioned before, Euler’s Theorem generalises FLT, which means that Euler’s Theorem
implies FLT. Why is this true? If n = p is prime, then ϕ(n) = ϕ(p) = p − 1. The
reason is that since p is prime, it is coprime to each of 1, 2, . . . , p − 1. Applying Euler’s
Theorem,
a^{ϕ(p)} = a^{p−1} ≡ 1 mod p.
Example.
(i) Find the last digit of 3^{1000}.
By Euler’s Theorem, 3^{ϕ(10)} = 3^4 ≡ 1 mod 10. Since 3^{1000} = (3^4)^{250}, then
3^{1000} ≡ 1^{250} ≡ 1 mod 10.
Therefore the last digit of 3^{1000} is 1.
(ii) Show that a^{ϕ(b)} + b^{ϕ(a)} ≡ 1 mod ab.
This is similar to part (ii) of the example from last time, and is left as an exercise.
(iii) Solve 3x ≡ 7 mod 10.
Multiplying both sides by 3^{-1} gives us x ≡ 3^{-1} · 7 mod 10. What is 3^{-1} modulo
10? By Euler’s Theorem, 3^{ϕ(10)} = 3^4 ≡ 1 mod 10. Multiplying both sides of this by
3^{-1}, we can show that
3^{-1} ≡ 3^3 ≡ 7 mod 10.
Therefore
x ≡ 7 · 7 ≡ 49 ≡ 9 mod 10.
How can we compute ϕ(n)? One way is to list all the integers less than n and check
each one. But is there an easier way? The following results give us some shortcuts.
Theorem 0.10. Let p_1 and p_2 be distinct primes. Then
ϕ(p_1 p_2) = ϕ(p_1)ϕ(p_2) = (p_1 − 1)(p_2 − 1).
Proof. If a and p_1 p_2 have a common divisor, it is either p_1, p_2 or some multiple of these. In
the set {1, 2, . . . , p_1 p_2}, there are:
• p_2 multiples of p_1, namely p_1, 2p_1, . . . , p_2 p_1.
• p_1 multiples of p_2, namely p_2, 2p_2, . . . , p_1 p_2.
• one multiple of both p_1 and p_2, namely p_1 p_2.
Thus we can count how many are coprime to p_1 p_2 by excluding all multiples of p_1 and p_2.
We get p_1 p_2 − p_1 − p_2. But then we have excluded p_1 p_2 twice, so we add one back in again
to get
ϕ(p_1 p_2) = p_1 p_2 − p_1 − p_2 + 1 = (p_1 − 1)(p_2 − 1) = ϕ(p_1)ϕ(p_2).

We can use induction to prove that ϕ(p_1 p_2 . . . p_n) = ϕ(p_1) . . . ϕ(p_n). This is left as an
exercise. To see the effectiveness of this, consider ϕ(30). Since 30 = 2 · 3 · 5, ϕ(30) =
ϕ(2)ϕ(3)ϕ(5) = 1 · 2 · 4 = 8.
What about powers of primes?
Theorem 0.11. If p is prime, and e ≥ 1, then
ϕ(p^e) = p^{e−1}(p − 1).
Proof. If a and p^e have a common divisor, it must be some multiple of p. Thus we just
need to count which of {1, 2, . . . , p^e} are multiples of p. It is easy to see that these are
p, 2p, 3p, . . . , p^{e−1} p = p^e
and that there are p^{e−1} of these. Therefore
ϕ(p^e) = p^e − p^{e−1} = p^{e−1}(p − 1).

Theorem 0.12. For distinct primes p_1, . . . , p_n, and any e_1, . . . , e_n,
ϕ(p_1^{e_1} . . . p_n^{e_n}) = ϕ(p_1^{e_1}) . . . ϕ(p_n^{e_n}).
This proof is left as an exercise. It is a good idea to first prove that ϕ(p_1^{e_1} p_2^{e_2}) =
ϕ(p_1^{e_1})ϕ(p_2^{e_2}), and then use induction. This step can be proved by induction using Theorems
0.10 and 0.11, or by a counting argument.
We can now compute ϕ(n) easily for any n, as long as we have its prime factorisation.
For example, let us compute ϕ(2000). Since 2000 = 2 × 10^3 = 2 × 2^3 × 5^3 = 2^4 × 5^3, then
ϕ(2000) = ϕ(2^4)ϕ(5^3)
= 2^3(2 − 1) · 5^2(5 − 1)
= 8 × 25 × 4
= 800.
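An added example (my code, not the notes’) covering the two computations of this lecture: `phi` computes ϕ(n) from the prime factorisation by Theorems 0.11 and 0.12 and is cross-checked against Definition 0.6, and `inverse_mod` uses Euler’s Theorem, a^{-1} ≡ a^{ϕ(n)−1} mod n, to solve 3x ≡ 7 mod 10 from example (iii); for prime n this is exactly Corollary 0.4’s a^{p−2}. Function names and the trial-division factoriser are assumptions.

```python
# Added example (not from the lecture notes): phi(n) from the prime
# factorisation, then Euler's Theorem used to invert a modulo n.
from math import gcd


def factorise(n: int) -> dict:
    """Trial-division factorisation {p: e}; fine for the sizes in these notes."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """phi(n) = product of p^{e-1}(p - 1) over the factorisation (Thm 0.11, 0.12)."""
    result = 1
    for p, e in factorise(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def phi_by_counting(n: int) -> int:
    """Definition 0.6 directly: #{1 <= k <= n : gcd(k, n) = 1}."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def inverse_mod(a: int, n: int) -> int:
    """a^{-1} ≡ a^{phi(n) - 1} (mod n), from a^{phi(n)} ≡ 1; needs gcd(a, n) = 1.
    For prime n this is a^{n-2}, Corollary 0.4."""
    if gcd(a, n) != 1:
        raise ValueError("a has no inverse modulo n")
    return pow(a, phi(n) - 1, n)


def solve_linear(a: int, b: int, n: int) -> int:
    """Solution x of ax ≡ b (mod n) when gcd(a, n) = 1: x ≡ a^{-1} b."""
    return (inverse_mod(a, n) * b) % n


if __name__ == "__main__":
    print(phi(2000), phi(30), phi(10))                 # 800 8 4
    print(inverse_mod(3, 10), solve_linear(3, 7, 10))  # 7 9
    print(all(phi(n) == phi_by_counting(n) for n in range(1, 500)))
```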
