CSC110/06-proofs/07-modular-arithmetic.html
Hykilpikonna 6fffdf686a deploy
2021-12-07 22:28:01 -05:00
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang="">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>6.7 Modular Arithmetic</title>
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
</style>
<link rel="stylesheet" href="../tufte.css" />
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js" type="text/javascript"></script>
<!--[if lt IE 9]>
<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
<![endif]-->
</head>
<body>
<div style="display:none">
\(
\newcommand{\NOT}{\neg}
\newcommand{\AND}{\wedge}
\newcommand{\OR}{\vee}
\newcommand{\XOR}{\oplus}
\newcommand{\IMP}{\Rightarrow}
\newcommand{\IFF}{\Leftrightarrow}
\newcommand{\TRUE}{\text{True}\xspace}
\newcommand{\FALSE}{\text{False}\xspace}
\newcommand{\IN}{\,{\in}\,}
\newcommand{\NOTIN}{\,{\notin}\,}
\newcommand{\TO}{\rightarrow}
\newcommand{\DIV}{\mid}
\newcommand{\NDIV}{\nmid}
\newcommand{\MOD}[1]{\pmod{#1}}
\newcommand{\MODS}[1]{\ (\text{mod}\ #1)}
\newcommand{\N}{\mathbb N}
\newcommand{\Z}{\mathbb Z}
\newcommand{\Q}{\mathbb Q}
\newcommand{\R}{\mathbb R}
\newcommand{\C}{\mathbb C}
\newcommand{\cA}{\mathcal A}
\newcommand{\cB}{\mathcal B}
\newcommand{\cC}{\mathcal C}
\newcommand{\cD}{\mathcal D}
\newcommand{\cE}{\mathcal E}
\newcommand{\cF}{\mathcal F}
\newcommand{\cG}{\mathcal G}
\newcommand{\cH}{\mathcal H}
\newcommand{\cI}{\mathcal I}
\newcommand{\cJ}{\mathcal J}
\newcommand{\cL}{\mathcal L}
\newcommand{\cK}{\mathcal K}
\newcommand{\cN}{\mathcal N}
\newcommand{\cO}{\mathcal O}
\newcommand{\cP}{\mathcal P}
\newcommand{\cQ}{\mathcal Q}
\newcommand{\cS}{\mathcal S}
\newcommand{\cT}{\mathcal T}
\newcommand{\cV}{\mathcal V}
\newcommand{\cW}{\mathcal W}
\newcommand{\cZ}{\mathcal Z}
\newcommand{\emp}{\emptyset}
\newcommand{\bs}{\backslash}
\newcommand{\floor}[1]{\left \lfloor #1 \right \rfloor}
\newcommand{\ceil}[1]{\left \lceil #1 \right \rceil}
\newcommand{\abs}[1]{\left | #1 \right |}
\newcommand{\xspace}{}
\newcommand{\proofheader}[1]{\underline{\textbf{#1}}}
\)
</div>
<header id="title-block-header">
<h1 class="title">6.7 Modular Arithmetic</h1>
</header>
<section>
<p>In this section, we'll explore some properties of modular arithmetic that will be useful in the next chapter, when we study cryptographic algorithms based on modular arithmetic. First, recall the definition of modular equivalence from <a href="01-number-theory-definitions.html">6.1 An Introduction to Number Theory</a>.</p>
<div class="definition">
<p>Let <span class="math inline">\(a, b, n \in \Z\)</span>, and assume <span class="math inline">\(n \neq 0\)</span>. We say that <strong><span class="math inline">\(a\)</span> is equivalent to <span class="math inline">\(b\)</span> modulo <span class="math inline">\(n\)</span></strong> when <span class="math inline">\(n \mid a - b\)</span>. In this case, we write <span class="math inline">\(a \equiv b \pmod n\)</span>.<label for="sn-0" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-0" class="margin-toggle"/><span class="sidenote">One warning: the notation <span class="math inline">\(a \equiv b \pmod n\)</span> is not exactly the same as the <code>mod</code> or <code>%</code> operator you are familiar with from programming; here, both <span class="math inline">\(a\)</span> and <span class="math inline">\(b\)</span> could be much larger than <span class="math inline">\(n\)</span>, or even negative.</span></p>
</div>
<p>This definition captures the idea that <span class="math inline">\(a\)</span> and <span class="math inline">\(b\)</span> have the <em>same remainder</em> when divided by <span class="math inline">\(n\)</span>. You should think of this congruence relation as being analogous to numeric equality, with a relaxation. When we write <span class="math inline">\(a = b\)</span>, we mean that the numeric values of <span class="math inline">\(a\)</span> and <span class="math inline">\(b\)</span> are literally equal. When we write <span class="math inline">\(a \equiv b \pmod n\)</span>, we mean that if you look at the remainders of <span class="math inline">\(a\)</span> and <span class="math inline">\(b\)</span> when divided by <span class="math inline">\(n\)</span>, those remainders are literally equal.</p>
<p>We will next look at how addition, subtraction, and multiplication all behave in an analogous fashion under modular arithmetic. The following proof is a little tedious because it is calculation-heavy; the main benefits here are practicing reading and using a new definition, and getting comfortable with this particular notation.</p>
<div class="theorem">
<p>For all <span class="math inline">\(a, b, c, d, n \in \Z\)</span>, if <span class="math inline">\(n \neq 0\)</span>, if <span class="math inline">\(a \equiv c \pmod n\)</span> and <span class="math inline">\(b \equiv d \pmod n\)</span>, then:</p>
<ol type="1">
<li><span class="math inline">\(a + b \equiv c + d \pmod n\)</span></li>
<li><span class="math inline">\(a - b \equiv c - d \pmod n\)</span></li>
<li><span class="math inline">\(ab \equiv cd \pmod n\)</span></li>
</ol>
<div class="translation">
<p>We will only show how to translate and prove (2), and leave (1) and (3) as exercises. <span class="math display">\[\forall a, b, c, d, n \in \Z,~ \big(n \neq 0 \AND (n \DIV a - c) \AND (n \DIV b - d) \big) \IMP n \DIV (a - b) - (c - d).\]</span></p>
</div>
<div class="proof">
<p>Let <span class="math inline">\(a, b, c, d, n \in \Z\)</span>. Assume that <span class="math inline">\(n \neq 0\)</span>, <span class="math inline">\(n \DIV a - c\)</span>, and <span class="math inline">\(n \DIV b - d\)</span>. This means we want to prove that <span class="math inline">\(n \DIV (a-c) - (b-d).\)</span></p>
<p>By the <a href="05-greatest-common-divisor.html#theorem:divide_lin_comb">Divisibility of Linear Combinations Theorem</a>, since <span class="math inline">\(n \DIV (a-c)\)</span> and <span class="math inline">\(n \DIV (b - d)\)</span>, it divides their difference:</p>
<p><span class="math display">\[\begin{align*}
n &amp;\DIV (a-c) - (b-d) \\
n &amp;\DIV (a-b) - (c-d)
\end{align*}\]</span></p>
</div>
</div>
<h2 id="modular-division">Modular division</h2>
<p>The above theorem stated that addition, subtraction, and multiplication all preserve modular equivalence—but what about division? The following statement looks like a “divide by <span class="math inline">\(k\)</span>” property, but is actually <strong>False</strong>:<label for="sn-1" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-1" class="margin-toggle"/><span class="sidenote"> A good exercise is to disprove this statement!</span> <span class="math display">\[
\forall a, b, k, n \in \Z,~ n &gt; 0 \land ak \equiv bk \pmod n \Rightarrow a \equiv b \pmod n
\]</span></p>
<p>For the real numbers, division <span class="math inline">\(\frac{x}{y}\)</span> has a single gap: when <span class="math inline">\(y = 0\)</span>. As we'll see in the next theorem, division in modular arithmetic can have many such gaps, but we can also predict exactly where these gaps will occur.</p>
<div id="theorem:modular-inverse" class="theorem" data-label="Modular inverse">
<p>(<em>Modular inverse</em>) Let <span class="math inline">\(n \in \Z^+\)</span> and <span class="math inline">\(a \in \Z\)</span>. If <span class="math inline">\(\gcd(a, n) = 1\)</span>, then there exists <span class="math inline">\(p \in \Z\)</span> such that <span class="math inline">\(ap \equiv 1 \pmod n\)</span>.</p>
<p>We call this <span class="math inline">\(p\)</span> a <strong>modular inverse of <span class="math inline">\(a\)</span> modulo <span class="math inline">\(n\)</span></strong>.</p>
</div>
<div class="translation">
<p><span class="math inline">\(\forall n \in \Z^+, \forall a \in \Z,~ \gcd(a, n) = 1 \Rightarrow \big(\exists p \in \Z,~ ap \equiv 1 \pmod n \big)\)</span></p>
</div>
<div class="proof">
<p>Let <span class="math inline">\(n \in \Z^+\)</span> and <span class="math inline">\(a \in \Z\)</span>. Assume <span class="math inline">\(\gcd(a, n) = 1\)</span>.</p>
<p>Since <span class="math inline">\(\gcd(a, n) = 1\)</span>, by the <a href="05-greatest-common-divisor.html#theorem:gcd_characterization">GCD Characterization Theorem</a> we know that there exist integers <span class="math inline">\(p\)</span> and <span class="math inline">\(q\)</span> such that <span class="math inline">\(pa + qn = \gcd(a, n) = 1\)</span>.</p>
<p>Rearranging this equation, we get that <span class="math inline">\(pa - 1 = qn\)</span>, and so (by the definition of divisibility, taking <span class="math inline">\(k = q\)</span>), <span class="math inline">\(n \mid pa - 1\)</span>.</p>
<p>Then by the definition of modular equivalence, <span class="math inline">\(pa \equiv 1 \pmod n\)</span>.</p>
</div>
<p>From this theorem about modular inverses, we can build up a form of division for modular arithmetic. To gain some intuition, first think about division <span class="math inline">\(\frac{a}{b}\)</span> as the <em>solution</em> to an equation of the form <span class="math inline">\(ax = b\)</span>. We'll turn this into a statement about modular equivalence now.</p>
<div class="example">
<p>Let <span class="math inline">\(a \in \Z\)</span> and <span class="math inline">\(n \in \Z^+\)</span>. If <span class="math inline">\(\gcd(a, n) = 1\)</span>, then for all <span class="math inline">\(b \in \Z\)</span>, there exists <span class="math inline">\(k \in \Z\)</span> such that <span class="math inline">\(ak \equiv b \pmod n\)</span>.</p>
<div class="translation">
<p>This statement is quite complex! Remember that we focus on translation to examine the structure of the statement, so that we know how to set up a proof. We aren't going to expand every single definition for the sake of expanding definitions.</p>
<p><span class="math display">\[\forall n \in \Z^+, \forall a \in \Z,~ \gcd(a, n) = 1 \Rightarrow
\big(\forall b \in \Z,~ \exists k \in \Z,~ ak \equiv b \pmod n \big).\]</span></p>
</div>
<div class="discussion">
<p>So this is saying that under the given assumptions, <span class="math inline">\(b\)</span> is “divisible” by <span class="math inline">\(a\)</span> modulo <span class="math inline">\(n\)</span>. This comes after the theorem about modular inverses, so that should be useful. The conclusion is “there exists a <span class="math inline">\(k \in \Z\)</span> such that…” so I know that at some point I'll need to define a variable <span class="math inline">\(k\)</span> in terms of <span class="math inline">\(a\)</span>, <span class="math inline">\(b\)</span>, and/or <span class="math inline">\(n\)</span>, which satisfies the congruence.</p>
<p>I notice that the hypothesis here (<span class="math inline">\(\gcd(a, n) = 1\)</span>) matches the hypothesis from the previous theorem, so that seems to be something I can use. That gives me a <span class="math inline">\(p \in \Z\)</span> such that <span class="math inline">\(ap \equiv 1 \pmod n\)</span>.</p>
<p>Wait, I can multiply both sides by <span class="math inline">\(b\)</span>, right?!</p>
</div>
<div class="proof">
<p>Let <span class="math inline">\(a \in \Z\)</span> and <span class="math inline">\(n \in \Z^+\)</span>. Assume <span class="math inline">\(\gcd(a, n) = 1\)</span>, and let <span class="math inline">\(b \in \Z\)</span>. We want to prove that there exists <span class="math inline">\(k \in \Z\)</span> such that <span class="math inline">\(ak \equiv b \pmod n\)</span>.</p>
<p>First, using the previous <em>Modular Inverses</em> theorem, since we assumed <span class="math inline">\(\gcd(a, n) = 1\)</span>, we know that there exists <span class="math inline">\(p \in \Z\)</span> such that <span class="math inline">\(ap \equiv 1 \pmod n\)</span>.</p>
<p>Second, we know from (3) of our first theorem above that modular equivalence preserves multiplication, and so, multiplying both sides by <span class="math inline">\(b\)</span>, we know <span class="math inline">\(apb \equiv b \pmod n\)</span>.</p>
<p>Then we let <span class="math inline">\(k = pb\)</span>, and we have that <span class="math inline">\(ak \equiv b \pmod n\)</span>.</p>
</div>
</div>
<p>These two theorems bring together elements from all of our study of proofs so far. We have both types of quantifiers, mixed with a larger implication. We used the <a href="05-greatest-common-divisor.html#theorem:gcd_characterization">GCD Characterization Theorem</a> for a key step in our proof. This illustrates the power of separating ideas into different statements and using each one to prove the next, just like we separate code into different functions in our programs!</p>
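<p>The two proofs above are constructive, and the following Python script (an added example, not part of the original course notes) carries them out: the extended Euclidean algorithm produces the integers <span class="math inline">\(p, q\)</span> with <span class="math inline">\(pa + qn = \gcd(a, n)\)</span> that the GCD Characterization Theorem guarantees, <span class="math inline">\(p\)</span> is then a modular inverse of <span class="math inline">\(a\)</span>, and <span class="math inline">\(k = pb\)</span> solves <span class="math inline">\(ak \equiv b \pmod n\)</span>. The function names are our own choices.</p>

```python
"""Modular inverses and modular 'division' following the proofs in this section.
Added example (not the course notes' own code); function names are assumptions."""
from math import gcd


def congruent(a: int, b: int, n: int) -> bool:
    """Return whether a ≡ b (mod n), i.e. n | a - b.

    Unlike comparing a % n with b % n, this is the definition itself and works
    for negative a, b and for values far larger than n.
    """
    if n == 0:
        raise ValueError("modulus must be nonzero")
    return (a - b) % n == 0


def extended_gcd(a: int, n: int) -> tuple[int, int, int]:
    """Return (g, p, q) with g = gcd(a, n) >= 0 and p*a + q*n = g.

    This is the GCD Characterization Theorem made computational: at every step
    the invariants old_r == old_p*a + old_q*n and r == p*a + q*n hold.
    """
    old_r, r = a, n
    old_p, p = 1, 0
    old_q, q = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_p, p = p, old_p - quotient * p
        old_q, q = q, old_q - quotient * q
    if old_r < 0:  # only possible when both inputs are negative; normalise g > 0
        old_r, old_p, old_q = -old_r, -old_p, -old_q
    return old_r, old_p, old_q


def has_modular_inverse(a: int, n: int) -> bool:
    """The hypothesis of the Modular Inverse theorem: gcd(a, n) = 1."""
    return n > 0 and gcd(a, n) == 1


def modular_inverse(a: int, n: int) -> int:
    """Return p in {0, ..., n-1} with a*p ≡ 1 (mod n).

    Mirrors the proof: from p*a + q*n = 1 we get n | p*a - 1. Raises ValueError
    when gcd(a, n) != 1, which is exactly where modular 'division' has a gap.
    """
    if n <= 0:
        raise ValueError("modulus must be a positive integer")
    g, p, _q = extended_gcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd(a, n) = {g}")
    return p % n


def solve_linear_congruence(a: int, b: int, n: int) -> int:
    """Return k in {0, ..., n-1} with a*k ≡ b (mod n), assuming gcd(a, n) = 1.

    Exactly the construction from the second proof: k = p*b, where p is a
    modular inverse of a modulo n.
    """
    p = modular_inverse(a, n)
    return (p * b) % n


if __name__ == "__main__":
    # Sample values, constructed for this example.
    print(congruent(10**13, 3, 7))          # True: 10^13 ≡ 3 (mod 7)
    print(extended_gcd(240, 46))            # (2, -9, 47): -9*240 + 47*46 = 2
    print(modular_inverse(3, 7))            # 5, since 3*5 = 15 ≡ 1 (mod 7)
    print(solve_linear_congruence(3, 5, 7))  # 4, since 3*4 = 12 ≡ 5 (mod 7)
    print(has_modular_inverse(6, 9))        # False: gcd(6, 9) = 3
```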
<h2 id="exponentiation-and-order">Exponentiation and order</h2>
<p>The last ingredient we'll need to understand for our study of cryptography next week is the patterns that emerge when it comes to exponentiation in modular arithmetic. In normal arithmetic, powers of positive integers increase without bound, but in modular arithmetic we can focus on the <em>remainders</em> of powers, and discover some wonderful properties. For example, <span class="math inline">\(10^{13}\)</span> is a very large number indeed, but <span class="math inline">\(10^{13} \equiv 3 \pmod 7\)</span>! In fact, because there are only a finite number of remainders for any given <span class="math inline">\(n \in \Z^+\)</span>, for any <span class="math inline">\(a \in \Z\)</span> the infinite sequence of <em>remainders</em> of <span class="math inline">\(a^0\)</span>, <span class="math inline">\(a^1\)</span>, <span class="math inline">\(a^2\)</span>, <span class="math inline">\(a^3\)</span>, <span class="math inline">\(\dots\)</span> must repeat at some point.</p>
<p>For example, let's see what happens for each of the possible bases modulo 7:<label for="sn-2" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-2" class="margin-toggle"/><span class="sidenote"> Because exponentiation by positive integers corresponds to repeated multiplication, which behaves “nicely” with modular arithmetic, the list below covers all possible integers. For example, because <span class="math inline">\(10 \equiv 3 \pmod 7\)</span>, we also know that <span class="math inline">\(10^{13} \equiv 3^{13} \pmod 7\)</span>.</span></p>
<ul>
<li>0: <span class="math inline">\(0^1 \equiv 0 \pmod 7\)</span>, <span class="math inline">\(0^2 \equiv 0 \pmod 7\)</span></li>
<li>1: <span class="math inline">\(1^1 \equiv 1 \pmod 7\)</span>, <span class="math inline">\(1^2 \equiv 1 \pmod 7\)</span></li>
<li>2: <span class="math inline">\(2^1 \equiv 2 \pmod 7\)</span>, <span class="math inline">\(2^2 \equiv 4 \pmod 7\)</span>, <span class="math inline">\(2^3 \equiv 1 \pmod 7\)</span>, <span class="math inline">\(2^4 \equiv 2 \pmod 7\)</span></li>
<li>3: <span class="math inline">\(3^1 \equiv 3 \pmod 7\)</span>, <span class="math inline">\(3^2 \equiv 2 \pmod 7\)</span>, <span class="math inline">\(3^3 \equiv 6 \pmod 7\)</span>, <span class="math inline">\(3^4 \equiv 4 \pmod 7\)</span>, <span class="math inline">\(3^5 \equiv 5 \pmod 7\)</span>, <span class="math inline">\(3^6 \equiv 1 \pmod 7\)</span>, <span class="math inline">\(3^7 \equiv 3 \pmod 7\)</span></li>
<li>4: <span class="math inline">\(4^1 \equiv 4 \pmod 7\)</span>, <span class="math inline">\(4^2 \equiv 2 \pmod 7\)</span>, <span class="math inline">\(4^3 \equiv 1 \pmod 7\)</span>, <span class="math inline">\(4^4 \equiv 4 \pmod 7\)</span></li>
<li>5: <span class="math inline">\(5^1 \equiv 5 \pmod 7\)</span>, <span class="math inline">\(5^2 \equiv 4 \pmod 7\)</span>, <span class="math inline">\(5^3 \equiv 6 \pmod 7\)</span>, <span class="math inline">\(5^4 \equiv 2 \pmod 7\)</span>, <span class="math inline">\(5^5 \equiv 3 \pmod 7\)</span>, <span class="math inline">\(5^6 \equiv 1 \pmod 7\)</span>, <span class="math inline">\(5^7 \equiv 5 \pmod 7\)</span></li>
<li>6: <span class="math inline">\(6^1 \equiv 6 \pmod 7\)</span>, <span class="math inline">\(6^2 \equiv 1 \pmod 7\)</span>, <span class="math inline">\(6^3 \equiv 6 \pmod 7\)</span></li>
</ul>
<p>No matter which base we start with, we enter a cycle. For example, the cycle starting with 2 is <span class="math inline">\([2, 4, 1, 2, \dots]\)</span>. We say this cycle has length 3, since it takes three elements in the sequence for the 2 to repeat. Here are the cycle lengths for each possible <span class="math inline">\(a \in \{0, 1, \dots, 6\}\)</span>:</p>
<table>
<thead>
<tr class="header">
<th><span class="math inline">\(a\)</span></th>
<th>Cycle length</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>0</td>
<td>1</td>
</tr>
<tr class="even">
<td>1</td>
<td>1</td>
</tr>
<tr class="odd">
<td>2</td>
<td>3</td>
</tr>
<tr class="even">
<td>3</td>
<td>6</td>
</tr>
<tr class="odd">
<td>4</td>
<td>3</td>
</tr>
<tr class="even">
<td>5</td>
<td>6</td>
</tr>
<tr class="odd">
<td>6</td>
<td>2</td>
</tr>
</tbody>
</table>
<p>For each base other than 0, there is another way of looking at the cycle length: the cycle length for base <span class="math inline">\(a\)</span> is the smallest positive integer <span class="math inline">\(k\)</span> such that <span class="math inline">\(a^k \equiv 1 \pmod 7\)</span>. For example, <span class="math inline">\(2^3 \equiv 1 \pmod 7\)</span>, and the cycle repeats at <span class="math inline">\(2^4 \equiv 2^3 \cdot 2 \equiv 2 \pmod 7\)</span>.</p>
<p>This “cycle length” is a fundamental property of modular exponentiation, and warrants its own definition.</p>
<div class="definition">
<p>Let <span class="math inline">\(a \in \Z\)</span> and <span class="math inline">\(n \in \Z^+\)</span>. We define the <strong>order of <span class="math inline">\(a\)</span> modulo <span class="math inline">\(n\)</span></strong> to be the smallest positive integer <span class="math inline">\(k\)</span> such that <span class="math inline">\(a^k \equiv 1 \pmod n\)</span>, when such a number exists.</p>
<p>We denote the order of <span class="math inline">\(a\)</span> modulo <span class="math inline">\(n\)</span> as <span class="math inline">\(\text{ord}_n(a)\)</span>.</p>
</div>
<p>Something you might notice from our above table is that the cycle length for the remainders modulo 7 always divides 6. Here is another table, this time for modulo 17.</p>
<table>
<thead>
<tr class="header">
<th><span class="math inline">\(a\)</span></th>
<th>Cycle length</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>0</td>
<td>1</td>
</tr>
<tr class="even">
<td>1</td>
<td>1</td>
</tr>
<tr class="odd">
<td>2</td>
<td>8</td>
</tr>
<tr class="even">
<td>3</td>
<td>16</td>
</tr>
<tr class="odd">
<td>4</td>
<td>4</td>
</tr>
<tr class="even">
<td>5</td>
<td>16</td>
</tr>
<tr class="odd">
<td>6</td>
<td>16</td>
</tr>
<tr class="even">
<td>7</td>
<td>16</td>
</tr>
<tr class="odd">
<td>8</td>
<td>8</td>
</tr>
<tr class="even">
<td>9</td>
<td>8</td>
</tr>
<tr class="odd">
<td>10</td>
<td>16</td>
</tr>
<tr class="even">
<td>11</td>
<td>16</td>
</tr>
<tr class="odd">
<td>12</td>
<td>16</td>
</tr>
<tr class="even">
<td>13</td>
<td>4</td>
</tr>
<tr class="odd">
<td>14</td>
<td>16</td>
</tr>
<tr class="even">
<td>15</td>
<td>8</td>
</tr>
<tr class="odd">
<td>16</td>
<td>2</td>
</tr>
</tbody>
</table>
<p>A similar pattern emerges: the cycle length for these bases always divides 16, which is one less than 17. And again, for each base <span class="math inline">\(a\)</span> other than 0, the cycle length corresponding to <span class="math inline">\(a\)</span> is the least positive integer <span class="math inline">\(k\)</span> such that <span class="math inline">\(a^k \equiv 1 \pmod{17}\)</span>.</p>
<p>Here is one more interesting fact about cycle length: because it is a number <span class="math inline">\(k\)</span> such that <span class="math inline">\(a^k \equiv 1 \pmod{17}\)</span>, <em>any</em> multiple <span class="math inline">\(n\)</span> of <span class="math inline">\(k\)</span> also satisfies <span class="math inline">\(a^n \equiv 1 \pmod{17}\)</span>. For example, <span class="math inline">\(13^4 \equiv 1 \pmod{17}\)</span>, and so <span class="math inline">\(13^{40} \equiv (13^4)^{10} \equiv 1^{10} \equiv 1 \pmod{17}\)</span>.</p>
<p>Combining these two observations allows us to conclude that, at least for 17, <em>every</em> base <span class="math inline">\(a\)</span> other than 0 satisfies <span class="math inline">\(a^{16} \equiv 1 \pmod{17}\)</span>. It is a remarkable fact that this turns out to generalize to every prime number. Proving this theorem is beyond the scope of this course, but we'll state it formally here to let you marvel at it for a moment.</p>
<div class="theorem">
<p>(<em>Fermat's Little Theorem</em>) Let <span class="math inline">\(p, a \in \Z\)</span> and assume <span class="math inline">\(p\)</span> is prime and that <span class="math inline">\(p \nmid a\)</span>. Then <span class="math inline">\(a^{p - 1} \equiv 1 \pmod p\)</span>.</p>
</div>
<!-- <div translation>
$\forall p, a \in \Z,~ \mathit{Prime}(p) \land p \nmid a \Rightarrow a^{p - 1} \equiv 1 \pmod p$.
</div>
<div discussion>
This proof is one of the most novel that we'll see in this course.
It is based not on a calculation or manipulation of inequalities, but rather a very clever construction of a function with particularly useful properties.
We wouldn't expect you to come up with this proof idea yourselves (we certainly didn't when we first learned this!), but you should be able to read through the proof below and understand it.
</div>
<div proof>
Let $p, a \in \Z$ and assume $p$ is prime and that $p \nmid a$.
We'll prove that $a^{p - 1} \equiv 1 \pmod p$.
First, we define the following set: let $S = \{x \mid x \in \Z \land 1 \leq x < p \}$.
We define the function $f: S \to S$ as $f(x) = ax \% p$, where $\%$ denotes the remainder operation.
We leave it as an exercise to prove that $f$ is well-defined, i.e., for all $x \in S$, it's true that $f(x) \in S$ as well.
Note that from this definition, we have $f(x) \equiv ax \pmod p$ for all $x \in S$.
Next, we'll prove the following key property of this function $f$.
**Proving that $f$ is a bijection.**
Since $S$ is finite, it is enough to prove that $f$ is one-to-one.
Let $x, y \in S$ and assume $f(x) = f(y)$.
Then by the definition of $f$, we know that $ax \equiv ay \pmod p$.
Since $p \nmid a$, we know that $\gcd(p, a) = 1$, and so by the modular cancellation theorem (**TODO**:check name/reference), we know that $x \equiv y \pmod p$.
Since $x$ and $y$ are both in the range 1 to $p - 1$, this means $x = y$.
So $f$ is one-to-one.
Now here is the key idea: consider the product
\begin{align*}
\prod_{x \in S} f(x) &\equiv \prod_{x \in S} ax \pmod p \tag{since $f(x) \equiv ax \pmod p$} \\
\prod_{x \in S} f(x) &\equiv a^{|S|} \prod_{x \in S} x \pmod p
\end{align*}
But since $f$ is a bijection on $S$, the products $\prod_{x \in S} f(x)$ and $\prod_{x \in S} x$ are equal: they're both expressions multiplying all elements of $S$ modulo $p$!
Moreover, since all elements of $S$ have a gcd of $1$ with $p$, we can apply the cancellation law to both sides of the equivalence to obtain
$$1 \equiv a^{|S|} \pmod p.$$
Finally, we know that $|S| = p - 1$, and so $a^{p-1} \equiv 1 \pmod p$.
</div> -->
<h2 id="eulers-theorem">Euler's Theorem</h2>
<p>Fermat's Little Theorem is quite beautiful in its own right, but is limited in scope to prime numbers. It turns out that the key to generalizing this theorem lies with our very last definition in this chapter.</p>
<!-- It turns out that we can generalize it to any positive modulus by studying our above proof a bit more closely.
Why did we need that $p$ is prime?
In two places: so that we could use the assumption $p \nmid a$ to apply the cancellation theorem to $ax \equiv ay \pmod p$,
and later to apply the cancellation theorem to
$\prod_{x \in S} f(x) \equiv a^{|S|} \prod_{x \in S} x \pmod p$.
The cancellation theorem doesn't just apply to prime numbers, though; it applies to any pair of numbers $a$ and $n$ such that $\gcd(a, n) = 1$.
This is the key to generalizing Fermat's Little Theorem. -->
<div class="definition">
<p>We define the function <span class="math inline">\(\varphi : \Z^+ \to \N\)</span>, called the <strong>Euler totient function</strong> (or <strong>Euler phi function</strong>), as follows:</p>
<p><span class="math display">\[\varphi(n) = \big| \big\{ a \mid a \in \{1, \dots, n - 1\},~ \text{and $\gcd(a, n) = 1$} \big\} \big|.\]</span></p>
</div>
<p>Here are some examples of the Euler totient function:</p>
<ul>
<li><span class="math inline">\(\varphi(5) = 4\)</span>, since <span class="math inline">\(\{1, 2, 3, 4\}\)</span> are all coprime to 5.</li>
<li><span class="math inline">\(\varphi(6) = 2\)</span>, since only <span class="math inline">\(\{1, 5\}\)</span> are coprime to 6.</li>
<li>In general, for any prime number <span class="math inline">\(p\)</span>, <span class="math inline">\(\varphi(p) = p - 1\)</span>, since all the numbers <span class="math inline">\(\{1, 2, \dots, p - 1\}\)</span> are coprime to <span class="math inline">\(p\)</span>.<label for="sn-3" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-3" class="margin-toggle"/><span class="sidenote"> Exercise: prove this using the definition of prime!</span></li>
<li><span class="math inline">\(\varphi(15) = 8\)</span>, since the numbers <span class="math inline">\(\{1, 2, 4, 7, 8, 11, 13, 14\}\)</span> are all coprime to 15. Note that the “removed” numbers are all multiples of 3 or 5, the prime factors of 15.</li>
<li>In general, for any two distinct primes <span class="math inline">\(p\)</span> and <span class="math inline">\(q\)</span>, <span class="math inline">\(\varphi(pq) = (p - 1)(q - 1)\)</span>, although this is certainly not obvious, and requires a proof!</li>
</ul>
<p>With the Euler totient function in hand, we can now state the generalization of Fermat's Little Theorem, which is something we'll use in the next chapter.</p>
<div id="theorem:eulers-theorem" class="theorem">
<p>(<em>Euler's Theorem</em>). For all <span class="math inline">\(a \in \Z\)</span> and <span class="math inline">\(n \in \Z^+\)</span>, if <span class="math inline">\(\gcd(a, n) = 1\)</span> then <span class="math inline">\(a^{\varphi(n)} \equiv 1 \pmod n\)</span>.</p>
<!-- <div class="proof">
Let $n \in \Z^+$ and let $a \in \Z$, and assume $\gcd(a, n) = 1$.
Let $S = \{x \mid x \in \Z \land 1 \leq x < n \land \gcd(x, n) = 1 \}$.
We define the function $f: S \to S$ as $f(x) = ax \% n$, where $\%$ denotes the remainder operation.
We leave it as an exercise to prove that $f$ is well-defined, i.e., for all $x \in S$, it's true that $f(x) \in S$ as well.
Note that from this definition, we have $f(x) \equiv ax \pmod n$ for all $x \in S$.
First, we prove that $f$ is a bijection.
Since $S$ is finite, it is enough to prove that $f$ is one-to-one.
Let $x, y \in S$ and assume $f(x) = f(y)$.
Then by the definition of $f$, we know that $ax \equiv ay \pmod n$.
By the cancellation theorem, since $\gcd(a, n) = 1$, we know that $x \equiv y \pmod n$.
Since $x$ and $y$ are both in the range 1 to $n - 1$, this means $x = y$.
So $f$ is one-to-one.
Now here is the key idea: consider the product
\begin{align*}
\prod_{x \in S} f(x) &\equiv \prod_{x \in S} ax \pmod n \tag{since $f(x) \equiv ax \pmod n$} \\
\prod_{x \in S} f(x) &\equiv a^{|S|} \prod_{x \in S} x \pmod n
\end{align*}
But since $f$ is a bijection on $S$, the products $\prod_{x \in S} f(x)$ and $\prod_{x \in S} x$ are equal: they're both expressions multiplying all elements of $S$!
Moreover, since all elements of $S$ have a gcd of $1$ with $n$, we can apply the cancellation law to both sides of the equivalence to obtain
$$1 \equiv a^{|S|} \pmod n.$$
Finally, by the definition of the Euler totient function, we know that $|S| = \varphi(n)$, and so $a^{\varphi(n)} \equiv 1 \pmod n$.
</div> -->
</div>
</section>
<footer>
<a href="https://www.teach.cs.toronto.edu/~csc110y/fall/notes/">CSC110 Course Notes Home</a>
</footer>
</body>
</html>