Fuw-Yi Yang1 Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 1 Integers Department of Computer Science and Information Engineering,


1 Textbook: Introduction to Cryptography, 2nd ed., by J.A. Buchmann. Chapter 1: Integers.
Department of Computer Science and Information Engineering, Chaoyang University of Technology (朝陽科技大學資工系)
Speaker: Fuw-Yi Yang (楊伏夷)
On the name 伏夷: it does not mean "subduing the barbarians". In the Tao Te Ching, Chapter 58 (察政章), 伏 means "hidden, latent"; in Chapter 14 (道紀章), the Tao has no form, and "what is looked at but cannot be seen is called 夷".

2 Contents
Basics
Divisibility
Representation of integers
O- and Ω-notation
Cost of +, *, and / with remainder
Polynomial time
Greatest common divisor
Euclidean algorithm
Extended Euclidean algorithm
Analysis of the extended Euclidean algorithm
Factoring into primes
Exercise

3 1.1 Basics
N = {1, 2, 3, 4, 5, …} is the set of positive integers and Z = {0, ±1, ±2, ±3, …} is the set of integers. The rational numbers are denoted by Q and the real numbers by R. N ⊂ Z ⊂ Q ⊂ R.
A set M of real numbers is called bounded from below if there is a real number α such that all elements of M are greater than α. We also say that M is bounded from below by α.
Example. The set of positive integers is bounded from below by 0, but the set of even integers is not bounded from below.

4 1.1 Basics
For any real number α we write ⌊α⌋ = max{b ∈ Z : b ≤ α}. Hence ⌊α⌋ is the greatest integer that is less than or equal to α. This number exists because the set {b ∈ Z : b ≤ α} is nonempty and bounded from above (by α).
Example 1.1.1 We have ⌊3.43⌋ = 3 and ⌊−3.43⌋ = −4.

5 1.1 Basics
Finally we need induction. If a statement that depends on a positive integer n is true for n = 1, and if its truth for all integers m with 1 ≤ m ≤ n implies its truth for n + 1, then the statement is true for every positive integer n.
Example 1.1.1 We wish to prove 1 + 2 + 3 + … + n = n(n + 1)/2. (next page)

6 1.1 Basics
Example 1.1.1 We wish to prove 1 + 2 + 3 + … + n = n(n + 1)/2.
1. Basis: the statement holds for n = 1, since 1 = 1·2/2.
2. Inductive step: assume the statement holds for n = m. Then it also holds for n = m + 1, because
   m(m + 1)/2 + (m + 1) = (m^2 + m + 2m + 2)/2 = (m^2 + 3m + 2)/2 = (m + 1)(m + 2)/2.

7 1.2 Divisibility
Definition 1.2.1 We say that a divides n if there is an integer b with n = ab. If a divides n, then a is called a divisor of n, n is called a multiple of a, and we write a | n.
Example 1.2.2 We have 13 | 182 because 182 = 14·13. Likewise, we have −5 | 30 because 30 = (−6)·(−5). The divisors of 30 are ±1, ±2, ±3, ±5, ±6, ±10, ±15, ±30. Any integer a divides 0 (a | 0) because 0 = a·0. The only integer that is divisible by 0 is 0, because n = 0·b implies n = 0.

8 1.2 Divisibility
Theorem 1.2.3
1. If a | b and b | c, then a | c.
2. If a | b, then ac | bc for all c.
3. If c | a and c | b, then c | da + eb for all d and e.
4. If a | b and b ≠ 0, then |a| ≤ |b|.
5. If a | b and b | a, then |a| = |b|.
Proof: …

9 1.2 Divisibility
Theorem 1.2.4 If a and b are integers with b > 0, then there are uniquely determined integers q and r such that a = qb + r and 0 ≤ r < b, namely q = ⌊a/b⌋ and r = a − bq.
Proof. If a = qb + r and 0 ≤ r < b, then 0 ≤ r/b < b/b = 1, so 0 ≤ a/b − q < 1, i.e. a/b ≥ q > a/b − 1. Hence q = ⌊a/b⌋ and r = a − bq. End of proof.
In the above, the integer q is called the (integral) quotient and r the remainder of the division of a by b. We write r = a mod b. If a is replaced by a mod b, we say that a is reduced modulo b.
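Theorem 1.2.4 in code, as an added example (not code from the slides or from Buchmann's book). The point a practitioner should take from the theorem is that "a mod b" is always in [0, b), whereas the `%` operator of C, C++, Java, Go and Rust truncates toward zero and returns a negative remainder for negative a; modular-arithmetic code in those languages must apply the correction shown here. The function names and the exhaustive check are the example's own.

```python
# Added example (not from Buchmann or the slides): Theorem 1.2.4 in code.
# For integers a and b > 0 compute the unique q = floor(a/b) and r = a mod b with
# a = q*b + r and 0 <= r < b.  The quotient is first formed by truncation toward
# zero, as C's `/` does, and then corrected; Python's own // and % already floor
# and are used only as the reference in the check.

def div_rem(a: int, b: int) -> tuple[int, int]:
    """Quotient and remainder of Theorem 1.2.4, built from truncating division."""
    if b <= 0:
        raise ValueError("Theorem 1.2.4 requires b > 0")
    # Truncate toward zero, as C does: sign(a) * (|a| / b).
    q = abs(a) // b
    if a < 0:
        q = -q
    r = a - q * b            # C-style remainder; its sign follows a
    # Correction: a negative remainder means q is one too large.
    if r < 0:
        q -= 1
        r += b
    return q, r


def check_theorem_1_2_4(limit: int = 50) -> bool:
    """Check a = q*b + r, 0 <= r < b and agreement with Python's divmod
    for every |a| <= limit and 1 <= b <= limit."""
    for a in range(-limit, limit + 1):
        for b in range(1, limit + 1):
            q, r = div_rem(a, b)
            if a != q * b + r or not (0 <= r < b):
                return False
            if (q, r) != divmod(a, b):
                return False
    return True


if __name__ == "__main__":
    print(div_rem(-7, 3))            # (-3, 2): the theorem's q and r
    print(check_theorem_1_2_4())
```

In C the same input gives `-7 / 3 == -2` and `-7 % 3 == -1`; the two-line correction after the truncating step is exactly what turns that into the theorem's (q, r) = (−3, 2).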

10 1.3 Representation of integers
In books, integers are written in decimal expansion. On computers, binary expansion is used. More generally, integers can be represented using the so-called g-adic expansion.
Example 1.3.1 We have log_2 8 = 3 because 2^3 = 8. Also log_8 8 = 1 because 8^1 = 8.
Example 1.3.2 The sequence (0, 1, 1, 1, 0) is an element of {0, 1}^5. Also {1, 2}^2 = {(1, 1), (1, 2), (2, 1), (2, 2)}.

11 1.3 Representation of integers
Theorem 1.3.3 Let g be an integer, g > 1. For each positive integer a there is a uniquely determined positive integer k and a uniquely determined sequence (a_1, …, a_k) ∈ {0, …, g − 1}^k with a_1 ≠ 0 and (Eq. 1.1). In addition, k = ⌊log_g a⌋ + 1, and a_i is the integral quotient of (a − …) by g^(k−i) for 1 ≤ i ≤ k.
Proof: see next page.

12 1.3 Representation of integers
Proof.
1. Uniqueness of k: g^(k−1) ≤ a < g^k, hence k = ⌊log_g a⌋ + 1.
2. Uniqueness of the sequence (a_1, …, a_k), by induction on k.
2.1 Basis: for k = 1, a_1 = a.
2.2 Inductive step: let k > 1 and let a have a representation as in Eq. 1.1. Then 0 ≤ a − a_1 g^(k−1) < g^(k−1), and therefore 0 ≤ a/g^(k−1) − a_1 < 1. Hence a_1 is the integral quotient of a divided by g^(k−1) and is uniquely determined. Set a' = a − a_1 g^(k−1). Either a' = 0, in which case a_i = 0 for 2 ≤ i ≤ k, or a' > 0 and its representation of the form Eq. 1.1 (of length less than k) is uniquely determined by the induction hypothesis. (next page)

13 1.3 Representation of integers
It is clear that a representation of the form Eq. 1.1 exists: we only need to set a_1 = ⌊a/g^(k−1)⌋ and take the other coefficients from the representation of a' = a − a_1 g^(k−1). End of proof.

14 1.3 Representation of integers
Definition 1.3.4 The sequence (a_1, …, a_k) from Theorem 1.3.3 is called the g-adic expansion of a. Its elements are called digits. Its length is k = ⌊log_g a⌋ + 1. If g = 2, the sequence is called the binary expansion of a. If g = 16, the sequence is called the hexadecimal expansion of a. Instead of (a_1, …, a_k) we also write a_1 a_2 … a_k.
Example 1.3.5 The sequence 10101 is the binary expansion of 2^4 + 2^2 + 2^0 = 21.

15 1.3 Representation of integers
Example 1.3.6 Determine the binary expansion of 105. Since 2^6 < 105 < 2^7, it has length 7. In each step a_i = ⌊a'/2^(7−i)⌋ and the new a' is a' − a_i 2^(7−i), starting from a' = 105:
a_1 = ⌊105/2^6⌋ = 1, a' = 105 − 1·2^6 = 41;
a_2 = ⌊41/2^5⌋ = 1, a' = 41 − 1·2^5 = 9;
a_3 = ⌊9/2^4⌋ = 0, a' = 9;
a_4 = ⌊9/2^3⌋ = 1, a' = 9 − 1·2^3 = 1;
a_5 = ⌊1/2^2⌋ = 0, a' = 1;
a_6 = ⌊1/2^1⌋ = 0, a' = 1;
a_7 = ⌊1/2^0⌋ = 1, a' = 1 − 1·2^0 = 0.
Hence 105 = 1101001 in binary (64 + 32 + 8 + 1 = 105).
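The digit extraction of Theorem 1.3.3 and Example 1.3.6 for an arbitrary base g, as an added example (not code from the slides or from Buchmann's book). It goes slightly beyond the slide: the length k = ⌊log_g a⌋ + 1 is computed with integer arithmetic only, because a floating-point logarithm can be off by one (math.log(1000, 10) evaluates to 2.9999999999999996), and a base-256 expansion is compared with Python's big-endian int.to_bytes, which is how multi-precision integers are serialised in cryptographic protocols. Function names are the example's own.

```python
# Added example (not from Buchmann or the slides): the g-adic expansion of
# Theorem 1.3.3, digits a_1 (most significant) ... a_k, for any base g > 1.

def expansion_length(a: int, g: int) -> int:
    """k = floor(log_g a) + 1, computed as the smallest k with g**k > a.
    Integer arithmetic only: math.log(a, g) is a float and can be off by one."""
    if a <= 0 or g <= 1:
        raise ValueError("need a > 0 and g > 1")
    k, power = 0, 1                 # invariant: power == g**k
    while power <= a:
        power *= g
        k += 1
    return k


def g_adic_expansion(a: int, g: int) -> list[int]:
    """Digits (a_1, ..., a_k) of a in base g, following the proof of Theorem 1.3.3:
    a_1 = floor(a / g**(k-1)), then continue with a' = a - a_1 * g**(k-1)."""
    k = expansion_length(a, g)
    digits = []
    rest = a
    for i in range(k - 1, -1, -1):          # place values g**(k-1), ..., g**0
        place = g ** i
        digit = rest // place               # a_i = integral quotient of rest by g**(k-i)
        digits.append(digit)
        rest -= digit * place               # new a'
    assert rest == 0 and digits[0] != 0     # a_1 != 0, as the theorem requires
    return digits


def from_expansion(digits: list[int], g: int) -> int:
    """Inverse map a = sum a_i g**(k-i), evaluated by Horner's rule."""
    a = 0
    for d in digits:
        a = a * g + d
    return a


if __name__ == "__main__":
    print(g_adic_expansion(105, 2))         # Example 1.3.6: [1, 1, 0, 1, 0, 0, 1]
    print(g_adic_expansion(255, 16))        # hexadecimal: [15, 15]
    print(g_adic_expansion(0x1234, 256))    # bytes, big-endian: [0x12, 0x34]
```

With g = 256 the digit list is exactly the big-endian byte string of a, so the theorem is also the statement that every positive integer has a unique minimal-length big-endian encoding; fixed-width encodings (leading zero bytes) are obtained by prepending zeros, which the theorem's a_1 ≠ 0 condition deliberately excludes.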

16 1.4 O- and Ω-notation
When designing a cryptographic algorithm, it is necessary to estimate how much computing time and how much storage it requires. To simplify such estimates we introduce the O- and Ω-notation.
Let k be a positive integer, X, Y ⊂ N^k, and f : X → R_≥0, g : Y → R_≥0 functions. We write f = O(g) if there are positive integers B and C such that for all (n_1, …, n_k) ∈ N^k with n_i > B, 1 ≤ i ≤ k, the following is true:
1. (n_1, …, n_k) ∈ X ∩ Y; that is, f(n_1, …, n_k) and g(n_1, …, n_k) are defined.
2. f(n_1, …, n_k) ≤ C·g(n_1, …, n_k).
This means that almost always (for all sufficiently large arguments) f(n_1, …, n_k) ≤ C·g(n_1, …, n_k). We also write g = Ω(f). If g is constant, we write f = O(1).

17 1.5 Cost of +, *, and / with remainder
In many cryptographic applications, multi-precision integers must be added, multiplied, and divided with remainder. To estimate the running time of such applications, we must study how long these operations take. To do so, one has to choose a model of computation that is as similar as possible to real computations.

18 1.5 Cost of +, *, and / with remainder
Here we use only a naive model, which nevertheless yields reasonable estimates. Let a and b be integers, and let size a denote the binary length of a (the number of digits in its binary expansion).
1. Adding a and b requires time O(max{size a, size b}).
2. Multiplying a and b requires time O((size a)(size b)).
3. Dividing a with remainder by b requires time O((size b)(size q)), where q is the quotient.
All algorithms use space O(size a + size b).

19 1.6 Polynomial time
When analyzing a cryptographic algorithm, we must show that it works efficiently but is difficult to break. We make the notion of efficiency more precise. Suppose an algorithm receives as input integers z_1, …, z_n. We say that the algorithm has polynomial running time if there are nonnegative integers e_1, …, e_n such that the running time of the algorithm is O((size z_1)^e_1 (size z_2)^e_2 … (size z_n)^e_n). An algorithm is considered to be efficient if it has polynomial running time. Observe, however, that for the algorithm to be efficient in practice, the exponents e_i and the O-constant must be small.

20 1.7 Greatest common divisor
We define the greatest common divisor of two integers.
Definition 1.7.1 A common divisor of a and b is an integer that divides both a and b.
Theorem 1.7.2 Among all common divisors of two integers a and b that are not both zero, there is exactly one greatest (with respect to ≤). It is called the greatest common divisor (gcd) of a and b.
Proof. Let a ≠ 0. By Theorem 1.2.3, all divisors of a are bounded by |a| in absolute value. Therefore the set of common divisors of a and b is finite and nonempty (it contains 1), so it has a unique greatest element. End of proof.

21 1.7 Greatest common divisor
For completeness, we set the greatest common divisor of 0 and 0 to 0. Hence the greatest common divisor of two integers is never negative (1 is always a common divisor).
Example 1.7.3 The greatest common divisor of 18 and 30 is 6. The greatest common divisor of −10 and 30 is 10.
The greatest common divisor of integers a_1, …, a_k, k ≥ 1, is defined as follows. If at least one of the a_i is nonzero, then gcd(a_1, …, a_k) is the greatest positive integer that divides all the a_i. If all the a_i are zero, then we set gcd(a_1, …, a_k) = 0.

22 1.7 Greatest common divisor
We present an important way of representing a greatest common divisor. We need the following notion. If α_1, …, α_k are real numbers, then α_1 Z + … + α_k Z = {α_1 z_1 + … + α_k z_k : z_i ∈ Z, 1 ≤ i ≤ k}. This is the set of all integer linear combinations of the α_i.
Example 1.7.4 The set of all integer linear combinations of 3 and 4 is 3Z + 4Z. It contains 1 = 3·(−1) + 4·1. It therefore also contains all integer multiples of 1. Hence this set is Z.

23 1.7 Greatest common divisor
Theorem 1.7.5 The set of all integer linear combinations of a and b is the set of all integer multiples of gcd(a, b); i.e. aZ + bZ = gcd(a, b)Z.
Proof. For a = b = 0 the assertion is obviously correct, so let a or b be nonzero. Set I = aZ + bZ. Let g be the smallest positive integer in I (it exists since I contains |a| or |b| > 0). We claim that I = gZ.
1. Choose a nonzero element c in I.
2. By Theorem 1.2.4 there are q, r with c = qg + r and 0 ≤ r < g.
3. Therefore r = c − qg belongs to I.
4. But g is the smallest positive integer in I and 0 ≤ r < g, so r = 0 and c = qg. Hence I ⊂ gZ, and gZ ⊂ I because g ∈ I.
It remains to be shown that g = gcd(a, b). (next page)

24 1.7 Greatest common divisor
It remains to be shown that g = gcd(a, b).
1. g is a common divisor of a and b, since a, b ∈ I and I = gZ.
2. Since g ∈ I, there are integers x, y with g = ax + by.
3. If d is a common divisor of a and b, then d is also a divisor of g (Theorem 1.2.3, item 3).
4. Theorem 1.2.3 implies |d| ≤ g (d | g and g ≠ 0 give |d| ≤ |g| = g).
5. Hence g = gcd(a, b). End of proof.

25 1.7 Greatest common divisor
Corollary 1.7.6 For all a, b, n the equation ax + by = n is solvable in integers x and y if and only if gcd(a, b) divides n.
Proof. If there are x and y with ax + by = n, then n ∈ aZ + bZ, and by Theorem 1.7.5 we have n ∈ gcd(a, b)Z, which means that n is a multiple of gcd(a, b). Conversely, if n is a multiple of gcd(a, b), then n is an element of gcd(a, b)Z. It follows from Theorem 1.7.5 that n ∈ aZ + bZ. Therefore there are integers x and y with ax + by = n. End of proof.

26 1.7 Greatest common divisor
Corollary 1.7.7 There are integers x and y with ax + by = gcd(a, b).
Proof. From Corollary 1.7.6 with n = gcd(a, b).
Corollary 1.7.8 There is exactly one nonnegative common divisor of a and b that is divisible by all other common divisors of a and b, namely the greatest common divisor of a and b.
Proof. By Corollary 1.7.7 there are integers x and y with ax + by = gcd(a, b). Therefore every common divisor of a and b is a divisor of gcd(a, b). Conversely, let g be a nonnegative common divisor of a and b that is divisible by every common divisor of a and b. If a = b = 0, then g = 0. If a or b is nonzero, then by Theorem 1.2.3 every common divisor of a and b is ≤ g. Therefore g = gcd(a, b). End of proof.

27 1.8 Euclidean algorithm
The Euclidean algorithm determines the greatest common divisor of two integers very efficiently. It is based on the following theorem.
Theorem 1.8.1
1. If b = 0, then gcd(a, b) = |a|.
2. If b ≠ 0, then gcd(a, b) = gcd(|b|, a mod |b|).
Proof. The first assertion is obviously correct. We prove the second. By Theorem 1.2.4 there is an integer q with a = q·|b| + (a mod |b|). Therefore every common divisor of a and b divides a mod |b|, and every common divisor of |b| and a mod |b| divides a (Theorem 1.2.3, item 3). Hence the greatest common divisor of a and b divides the greatest common divisor of |b| and a mod |b|, and vice versa. Since both greatest common divisors are nonnegative, the assertion follows from Theorem 1.2.3 (item 5). End of proof.

28 1.8 Euclidean algorithm
Example 1.8.2 We want to compute gcd(100, 35). From Theorem 1.8.1 we obtain gcd(100, 35) = gcd(35, 100 mod 35) = gcd(35, 5) = gcd(5, 35 mod 5) = gcd(5, 0) = 5.

29 1.8 Euclidean algorithm
The following theorem proves the correctness of the Euclidean algorithm. The slide's pseudocode euclid(int a, int b, int gcd), written out as a C function that returns the gcd instead of storing it in an output parameter:

    #include <stdlib.h>           /* abs() */

    int euclid(int a, int b) {
        int r;
        a = abs(a);               /* Theorem 1.8.1 works with |a| and |b|; */
        b = abs(b);               /* note that abs(INT_MIN) overflows in C   */
        while (b != 0) {
            r = a % b;            /* a mod b, nonnegative since a, b >= 0 */
            a = b;
            b = r;
        }
        return a;                 /* gcd = a */
    }

Theorem 1.8.3 The Euclidean algorithm computes the greatest common divisor of a and b. (next page)

30 1.8 Euclidean algorithm
Theorem 1.8.3 The Euclidean algorithm computes the greatest common divisor of a and b.
Proof. To prove that the Euclidean algorithm terminates and yields gcd(a, b), we introduce some notation. We set r_0 = |a|, r_1 = |b|, and for k ≥ 1 with r_k ≠ 0,
r_{k+1} = r_{k−1} mod r_k. (1.3)
Then r_2, r_3, … is the sequence of remainders computed in the while-loop of the Euclidean algorithm. Also, after the kth iteration of the while-loop we have a = r_k, b = r_{k+1}. (next page)

31 1.8 Euclidean algorithm
Then r_2, r_3, … is the sequence of remainders computed in the while-loop of the Euclidean algorithm. Also, after the kth iteration of the while-loop we have a = r_k, b = r_{k+1}. It follows from Theorem 1.8.1 that the greatest common divisor of a and b is not changed in the algorithm, so we only need to prove that there is a k with r_k = 0. But this follows from the fact that by Eq. 1.3 the sequence (r_k)_{k≥1} of nonnegative integers is strictly decreasing (r_{k+1} < r_k). This concludes the correctness proof for the Euclidean algorithm. End of proof.

32 1.8 Euclidean algorithm
The Euclidean algorithm computes gcd(a, b) very efficiently. To prove this, we estimate the number of iterations the algorithm requires. For simplicity we assume a > b > 0. This is no restriction, since the Euclidean algorithm needs only one step to determine gcd(a, b) (if b = 0) or to produce this situation (if a < b, the first iteration swaps the arguments; if a = b, it makes b = 0). Let r_n be the last nonzero remainder in the sequence (r_k). Then n is the number of iterations the algorithm requires to compute gcd(a, b). Furthermore, since
r_{k+1} = r_{k−1} mod r_k, (1.3)
let
q_k = ⌊r_{k−1}/r_k⌋, 1 ≤ k ≤ n. (1.4)
Then q_k is the quotient of r_{k−1} divided by r_k, and we have
r_{k−1} = q_k r_k + r_{k+1}. (1.5)

33 1.8 Euclidean algorithm
Example 1.8.4 If a = 100 and b = 35, we obtain the following remainder and quotient sequences (r_0 = 100, r_1 = 35, q_k = ⌊r_{k−1}/r_k⌋):

    k     0    1    2    3    4
    r_k   100  35   30   5    0
    q_k   -    2    1    6    -

Here n = 3 and gcd(100, 35) = r_3 = 5.
Lemma 1.8.5 We have q_k ≥ 1 for 1 ≤ k ≤ n − 1 and q_n ≥ 2.
Proof. Since r_{k−1} > r_k for 1 ≤ k ≤ n, it follows from Eq. 1.5 that q_k ≥ 1 for 1 ≤ k ≤ n. Suppose q_n = 1. Then by Eq. 1.5 r_{n−1} = r_n + r_{n+1} = r_n (because r_{n+1} = 0), which is impossible because the sequence of remainders is strictly decreasing. Therefore q_n ≥ 2. End of proof.

34 1.8 Euclidean algorithm
Theorem 1.8.7 In the Euclidean algorithm, let a > b > 0. Also, let θ = (1 + √5)/2. Then the number of iterations in the algorithm is at most (log b)/(log θ) + 1 < 1.441·log_2 b + 1.
Proof. (omitted)

35 1.9 Extended Euclidean algorithm
Corollary 1.7.7 tells us that there are integers x, y with gcd(a, b) = ax + by. In this section we extend the Euclidean algorithm in such a way that it also determines such coefficients x and y.

36 1.9 Extended Euclidean algorithm: example
Example: compute x, y such that ax + by = gcd(a, b).
The example computes expressions of the form
r_i = a x_i + b y_i (11)
for the remainder r_i in each step i of the Euclidean algorithm. From
r_{k+1} = r_{k−1} mod r_k (1.3)
we have r_i = r_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ r_{i−1}. Also, by Eq. 11,
r_i = a x_{i−2} + b y_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ (a x_{i−1} + b y_{i−1}) = a (x_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ x_{i−1}) + b (y_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ y_{i−1}).
The first two terms r_1 and r_2 (this example numbers the remainders from 1, so r_1 = a and r_2 = b):
r_1 = a = a·1 + b·0 (x_1 = 1, y_1 = 0)
r_2 = b = a·0 + b·1 (x_2 = 0, y_2 = 1)
Example: next page.

37 1.9 Extended Euclidean algorithm: example
Example: compute x, y such that 120x + 23y = gcd(120, 23).
r_1 = 120 = 120·1 + 23·0 (x_1 = 1, y_1 = 0)
r_2 = 23 = 120·0 + 23·1 (x_2 = 0, y_2 = 1)
In each step r_i = r_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ r_{i−1} and r_i = a (x_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ x_{i−1}) + b (y_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ y_{i−1}):
r_3 = 5 = 120 − 5·23 = (120·1 + 23·0) − 5·(120·0 + 23·1) = 120·1 + 23·(−5)
r_4 = 3 = 23 − 4·5 = (120·0 + 23·1) − 4·(120·1 + 23·(−5)) = 120·(−4) + 23·21
r_5 = 2 = 5 − 1·3 = (120·1 + 23·(−5)) − 1·(120·(−4) + 23·21) = 120·5 + 23·(−26)
r_6 = 1 = 3 − 1·2 = (120·(−4) + 23·21) − 1·(120·5 + 23·(−26)) = 120·(−9) + 23·47
r_7 = 0 = 2 − 2·1
Hence gcd(120, 23) = 1 = 120·(−9) + 23·47, i.e. x = −9 and y = 47. End of example.

38 1.9 Extended Euclidean algorithm
Corollary 1.7.7 tells us that there are integers x, y with gcd(a, b) = ax + by. As in Section 1.8, we denote by r_0, …, r_{n+1} the sequence of remainders and by q_1, …, q_n the sequence of quotients computed in the course of the algorithm. We now explain the construction of two sequences (x_k) and (y_k) such that x = (−1)^n x_n and y = (−1)^{n+1} y_n are the required coefficients.

39 1.9 Extended Euclidean algorithm
We set x_0 = 1, x_1 = 0, y_0 = 0, y_1 = 1. Furthermore, we let
x_{k+1} = q_k x_k + x_{k−1}, y_{k+1} = q_k y_k + y_{k−1}, 1 ≤ k ≤ n. (1.7)
(Compare the form used in the example, r_i = a (x_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ x_{i−1}) + b (y_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ y_{i−1}): Eq. 1.7 keeps x_k and y_k nonnegative and carries the alternating sign separately.)
We assume that a and b are nonnegative.
Theorem 1.9.1 We have r_k = a (−1)^k x_k + b (−1)^{k+1} y_k for 0 ≤ k ≤ n + 1.
Proof: next page.

40 1.9 Extended Euclidean algorithm
Theorem 1.9.1 We have r_k = a (−1)^k x_k + b (−1)^{k+1} y_k for 0 ≤ k ≤ n + 1.
Proof.
1. k = 0: r_0 = a = a·1 − b·0 = a x_0 − b y_0 = a (−1)^0 x_0 + b (−1)^1 y_0.
2. k = 1: r_1 = b = −a·0 + b·1 = −a x_1 + b y_1 = a (−1)^1 x_1 + b (−1)^2 y_1.
3. Let k ≥ 2 and suppose the assertion is true for all k' < k.
4. Then r_k = r_{k−2} − ⌊r_{k−2}/r_{k−1}⌋ r_{k−1} = r_{k−2} − q_{k−1} r_{k−1}
   = a (−1)^{k−2} x_{k−2} + b (−1)^{k−1} y_{k−2} − q_{k−1} (a (−1)^{k−1} x_{k−1} + b (−1)^k y_{k−1})
   = a (−1)^k (x_{k−2} + q_{k−1} x_{k−1}) + b (−1)^{k+1} (y_{k−2} + q_{k−1} y_{k−1})
   = a (−1)^k x_k + b (−1)^{k+1} y_k.
End of proof.
Note that with x = (−1)^n x_n and y = (−1)^{n+1} y_n we get gcd(a, b) = r_n = a (−1)^n x_n + b (−1)^{n+1} y_n = ax + by.

41 1.9 Extended Euclidean algorithm
Example 1.9.2 Compute x, y such that 100x + 35y = gcd(100, 35).
r_1 = 100 = 100·1 + 35·0 (x_1 = 1, y_1 = 0)
r_2 = 35 = 100·0 + 35·1 (x_2 = 0, y_2 = 1)
In each step r_i = r_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ r_{i−1} and r_i = a (x_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ x_{i−1}) + b (y_{i−2} − ⌊r_{i−2}/r_{i−1}⌋ y_{i−1}):
r_3 = 30 = 100 − 2·35 = (100·1 + 35·0) − 2·(100·0 + 35·1) = 100·1 + 35·(−2)
r_4 = 5 = 35 − 1·30 = (100·0 + 35·1) − 1·(100·1 + 35·(−2)) = 100·(−1) + 35·3
r_5 = 0 = 30 − 6·5
Hence gcd(100, 35) = 5 = 100·(−1) + 35·3. End of example.
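The Euclidean algorithm of Section 1.8 and its extension from Section 1.9 in one function, as an added example (not code from the slides or from Buchmann's book). It uses the slides' own sequences r_k (Eq. 1.3), q_k (Eq. 1.4) and x_k, y_k (Eq. 1.7), checks Theorem 1.9.1 as a loop invariant, counts the iterations n so that the bound of Theorem 1.8.7 can be verified, and reproduces Example 1.9.2 and the 120x + 23y = 1 example. The function mod_inverse is an application the slides do not spell out: by Corollary 1.7.6 with n = 1, ax ≡ 1 (mod m) is solvable exactly when gcd(a, m) = 1, and computing such x is how RSA and Diffie-Hellman implementations invert exponents and group elements. All names are the example's own.

```python
# Added example (not from Buchmann or the slides): extended Euclidean algorithm
# with the sequences r_k, q_k, x_k, y_k of Sections 1.8 and 1.9.
import math

THETA = (1 + math.sqrt(5)) / 2          # the theta of Theorem 1.8.7


def extended_euclid(a: int, b: int) -> tuple[int, int, int, int]:
    """Return (gcd(a, b), x, y, n) with a*x + b*y = gcd(a, b), where n is the
    number of while-loop iterations.  a and b must be nonnegative (Theorem 1.9.1)."""
    if a < 0 or b < 0:
        raise ValueError("Theorem 1.9.1 assumes a, b >= 0")
    r_prev, r = a, b          # r_0 = a, r_1 = b
    x_prev, x = 1, 0          # x_0 = 1, x_1 = 0
    y_prev, y = 0, 1          # y_0 = 0, y_1 = 1
    n = 0                     # after n iterations: r_prev = r_n, r = r_{n+1}
    while r != 0:
        q = r_prev // r                         # q_k = floor(r_{k-1} / r_k)      (1.4)
        r_prev, r = r, r_prev - q * r           # r_{k+1} = r_{k-1} mod r_k       (1.3)
        x_prev, x = x, q * x + x_prev           # x_{k+1} = q_k x_k + x_{k-1}     (1.7)
        y_prev, y = y, q * y + y_prev           # y_{k+1} = q_k y_k + y_{k-1}     (1.7)
        n += 1
        # Theorem 1.9.1 for k = n: r_n = a (-1)^n x_n + b (-1)^(n+1) y_n
        assert r_prev == a * (-1) ** n * x_prev + b * (-1) ** (n + 1) * y_prev
    # r_prev is the last nonzero remainder r_n = gcd(a, b); apply the signs of Section 1.9
    return r_prev, (-1) ** n * x_prev, (-1) ** (n + 1) * y_prev, n


def within_iteration_bound(a: int, b: int) -> bool:
    """Theorem 1.8.7: for a > b > 0 the iteration count n satisfies
    n <= log(b)/log(theta) + 1  (< 1.441 log2(b) + 1)."""
    if not a > b > 0:
        raise ValueError("Theorem 1.8.7 assumes a > b > 0")
    n = extended_euclid(a, b)[3]
    return n <= math.log(b) / math.log(THETA) + 1


def mod_inverse(a: int, m: int) -> int:
    """x in [0, m) with a*x = 1 (mod m).  Exists iff gcd(a, m) = 1 (Corollary 1.7.6)."""
    g, x, _y, _n = extended_euclid(a % m, m)   # (a mod m)*x + m*y = g
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd = {g}")
    return x % m


if __name__ == "__main__":
    print(extended_euclid(120, 23))   # (1, -9, 47, 5): 120*(-9) + 23*47 = 1
    print(extended_euclid(100, 35))   # (5, -1, 3, 3): Example 1.9.2
    print(mod_inverse(23, 120))       # 47
```

Consecutive Fibonacci numbers are the slowest inputs: gcd(13, 8) takes 5 iterations against a bound of log(8)/log(θ) + 1 ≈ 5.32, which is why θ = (1 + √5)/2 appears in Theorem 1.8.7. Note that extended_euclid is written for clarity, not for secret inputs: its running time and its branch pattern depend on the operands, which matters when the inverse being computed is a private key component.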

42 1.10 Analysis of the extended Euclidean algorithm
Theorem 1.10.5 The extended Euclidean algorithm uses time O((size a)(size b)) to compute gcd(a, b) together with a representation gcd(a, b) = ax + by. End of theorem.

43 1.11 Factoring into primes
A central notion of elementary number theory is that of a prime number. Prime numbers are used in many cryptographic algorithms. In this section we introduce prime numbers and prove that every positive integer is a product of primes in which the factors are unique up to permutation.
Definition 1.11.1 An integer p > 1 is called a prime number if it has exactly two positive divisors, namely 1 and p. We denote the set of all primes (prime numbers) by P. An integer a > 1 that is not a prime is called composite.

44 1.11 Factoring into primes
Theorem 1.11.2 Every integer a > 1 has a prime divisor.
Proof. The integer a has a divisor that is greater than 1, namely a. Among all divisors of a that are greater than 1, let p be the smallest. Then p must be prime. Otherwise p would have a divisor b with 1 < b < p ≤ a, and b would also divide a. This contradicts the assumption that p is the smallest divisor of a that is greater than 1. End of proof.

45 1.11 Factoring into primes
Theorem 1.11.3 If a prime number divides the product of two integers, then it divides at least one factor.
Proof. Suppose that the prime number p divides ab but not a.
1. The only positive divisors of p are 1 and p, and p does not divide a, so gcd(a, p) = 1.
2. By Corollary 1.7.7 there are integers x, y with 1 = ax + py.
3. Multiplying by b: b = axb + pyb.
4. p divides ab and p divides pyb, so p divides b. End of proof.

46 1.11 Factoring into primes
Corollary 1.11.4 If a prime number p divides a product q_1 … q_k of prime numbers, then p is equal to one of the factors q_1, …, q_k.
Proof. The proof uses induction on k.
1. If k = 1, then p is a divisor of q_1 that is greater than 1, hence p = q_1.
2. If k > 1, then p divides q_1 (q_2 … q_k). By Theorem 1.11.3, the prime p divides q_1 or q_2 … q_k.
3. Both q_1 and q_2 … q_k have fewer than k factors, so the assertion follows from the induction hypothesis. End of proof.

47 1.11 Factoring into primes
Theorem 1.11.5 Every integer a > 1 can be written as a product of prime numbers. Up to permutation, the factors in this product are uniquely determined.
Proof. The proof uses induction on a.
1. If a = 2, the theorem is true (2 is prime).
2. If a > 2, then by Theorem 1.11.2 there is a prime divisor p of a. If a/p = 1, then a = p and the assertion holds. Let a/p > 1. Since a/p < a, the induction hypothesis says that a/p is a product of primes.
3. Therefore a = p · (a/p) is also a product of primes. This proves the existence of the prime factor decomposition of a. The next page shows uniqueness.

48 1.11 Factoring into primes
4. Let a = p_1 … p_k and a = q_1 … q_l be factorizations of a into prime numbers.
5. By Corollary 1.11.4, the prime p_1 is equal to one of the primes q_1, …, q_l.
6. By permuting the q_i we can make sure that p_1 = q_1.
7. But by the induction hypothesis, the factorization of a/p_1 = a/q_1 into prime numbers is unique.
8. Hence k = l and p_i = q_i for 1 ≤ i ≤ k after an appropriate permutation of the q_i. End of proof.

49 1.11 Factoring into primes
Theorem 1.11.6 The French mathematician Pierre de Fermat thought that all of the so-called Fermat numbers F_i = 2^(2^i) + 1 are primes: F_0 = 3, F_1 = 5, F_2 = 17, F_3 = 257, F_4 = 65537, … However, F_5 = 2^32 + 1 = 4294967297 = 641 · 6700417.
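Factoring into primes by trial division, as an added example (not code from the slides or from Buchmann's book). smallest_prime_divisor is the proof of Theorem 1.11.2 turned into a procedure (the smallest divisor > 1 of a is prime), factor follows the existence part of Theorem 1.11.5 (split off a prime p, continue with a/p), and the Fermat number F_5 from the last slide is factored as a check. The cost remark after the code is the example's, not a statement from the textbook.

```python
# Added example (not from Buchmann or the slides): prime factorization by trial
# division, following Theorems 1.11.2 and 1.11.5.

def smallest_prime_divisor(a: int) -> int:
    """Smallest divisor p > 1 of a > 1; by Theorem 1.11.2 it is prime.
    Only candidates up to sqrt(a) are tried: if a = d*e with 1 < d <= e, then d*d <= a,
    so an a with no divisor in (1, sqrt(a)] is itself prime."""
    if a <= 1:
        raise ValueError("need a > 1")
    if a % 2 == 0:
        return 2
    d = 3
    while d * d <= a:
        if a % d == 0:
            return d
        d += 2                      # even d > 2 can never be the smallest divisor
    return a


def is_prime(a: int) -> bool:
    return a > 1 and smallest_prime_divisor(a) == a


def factor(a: int) -> list[int]:
    """Prime factors of a > 1 in nondecreasing order, with multiplicity
    (the existence proof of Theorem 1.11.5: take a prime p | a, recurse on a/p)."""
    if a <= 1:
        raise ValueError("need a > 1")
    factors = []
    while a > 1:
        p = smallest_prime_divisor(a)
        factors.append(p)
        a //= p
    return factors


def fermat_number(i: int) -> int:
    """F_i = 2^(2^i) + 1."""
    return 2 ** (2 ** i) + 1


if __name__ == "__main__":
    for i in range(6):
        print(i, fermat_number(i), factor(fermat_number(i)))
    # F_5 = 4294967297 = [641, 6700417]
```

Trial division performs up to about √a divisions, i.e. roughly 2^(size a / 2) of them, so in the sense of Section 1.6 it is an exponential-time algorithm, not a polynomial-time one: F_5 falls quickly only because 641 is small, while an integer of a few hundred bits with two large prime factors is out of reach for this method. That asymmetry between multiplying primes (Section 1.5: polynomial) and recovering them is what the cryptographic uses of primes mentioned on slide 43 depend on.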

