
3 Congruences and Congruence Equations

A great many problems in number theory rely only on remainders when dividing by an integer. Recall
the division algorithm: given a ∈ Z and n ∈ N there exist unique q, r ∈ Z such that

a = qn + r,   0 ≤ r < n   (∗)

It is to the remainder r that we now turn our attention.

3.1 Congruences and Zn

Definition 3.1. For each n ∈ N, the set Zn = {0, 1, . . . , n − 1} comprises the residues modulo n.
Integers a, b are said to be congruent modulo n if they have the same residue: we write a ≡ b (mod n).

The division algorithm says that every integer a ∈ Z has a unique residue r ∈ Zn.

Example 3.2. We may write 7 ≡ −3 (mod 5), since applying the division algorithm yields

7 = 5 × 1 + 2   and   −3 = 5 × (−1) + 2

Indeed both 7 and 12 have residue 2 modulo 5.


As another example, we prove a very simple result.

Lemma 3.3. All squares of integers have remainders 0 or 1 upon dividing by 3.

Proof. Since every integer x has remainder 0, 1 or 2 upon division by 3, we have three mutually
exclusive cases to check:

• x ≡ 0 (mod 3): Write x = 3y for some integer y. But then

x² = 9y² = 3(3y²) ≡ 0 (mod 3)

• x ≡ 1 (mod 3): This time x = 3y + 1 for some integer y, and

x² = 9y² + 6y + 1 = 3(3y² + 2y) + 1 ≡ 1 (mod 3)

• x ≡ 2 (mod 3): Finally x = 3y + 2 yields

x² = 9y² + 12y + 4 = 3(3y² + 4y + 1) + 1 ≡ 1 (mod 3)

A perfect square therefore never has remainder 2.

This is very tedious notation. We’d far prefer to compute directly with remainders. Once we’ve
developed such, we’ll return to the Lemma to see how the proof improves. To start this process, we
observe that there is an easier way to check whether two integers are congruent modulo n.

Theorem 3.4. a ≡ b (mod n) ⇐⇒ n | (a − b)

Proof. Suppose that a = q₁n + r₁ and b = q₂n + r₂ are the results of applying the division algorithm
to a, b modulo n. Plainly a ≡ b (mod n) ⇐⇒ r₁ = r₂. We prove each direction separately:

(⇒) This is almost immediate:

r₁ = r₂ =⇒ a − nq₁ = b − nq₂ =⇒ a − b = n(q₂ − q₁)

Since q₂ − q₁ is an integer, a − b is a multiple of n.

(⇐) Conversely, suppose that a − b = kn is a multiple of n. Then

r₁ − r₂ = (a − nq₁) − (b − nq₂) = (a − b) + n(q₂ − q₁) = n(k + q₂ − q₁)

This says that r₁ − r₂ is an integer multiple of n. Recalling the proof of the division algorithm,
−n < r₁ − r₂ < n forces r₁ − r₂ = 0.

The Theorem says that we can compare remainders without computing quotients. In case the advantage
isn’t clear, we recall our earlier example.

Example (3.2 revisited). 7 ≡ −3 (mod 5) follows since 7 − (−3) = 10 is divisible by 5. There is
no need for us to express 7 and −3 using the division algorithm.

Our next goal is to define an arithmetic with remainders, again without calculating quotients.

Example 3.5. If x ≡ 3 and y ≡ 5 (mod 7), then there exist integers k, l such that x = 7k + 3 and
y = 7l + 5. But then

xy = 7(7kl + 5k + 3l ) + 15 = 7(7kl + 5k + 3l + 2) + 1 =⇒ xy ≡ 1 (mod 7)

It would be so much simpler if we could write

x ≡ 3, y ≡ 5 =⇒ xy ≡ 3 · 5 ≡ 15 ≡ 1 (mod 7)

Thankfully the next result justifies the crucial step.

Theorem 3.6 (Modular Arithmetic). Suppose that x ≡ a and y ≡ b (mod n). Then

1. x ± y ≡ a ± b (mod n)
2. xy ≡ ab (mod n)
3. For any m ∈ N, xᵐ ≡ aᵐ (mod n)

Proof. We just prove 2: part 1 is similar, and part 3 is by induction using part 2 as the induction step.
By Theorem 3.4, there exist integers k, l such that x = kn + a and y = ln + b. But then
xy = (kn + a)(ln + b) = n(kln + al + bk) + ab =⇒ xy ≡ ab (mod n)

Examples 3.7. We can now easily compute remainders of complex arithmetic objects.

1. What is the remainder when 17¹¹³ is divided by 3?

Don’t bother asking your calculator: 17¹¹³ is 139 digits long! Instead we use modular arithmetic:

17 ≡ −1 (mod 3) =⇒ 17¹¹³ ≡ (−1)¹¹³   (Theorem 3.6, part 3.)
                         ≡ −1 (mod 3)   (since 113 is odd)

Since −1 ≡ 2, we conclude that 17¹¹³ has remainder 2 when divided by 3.

2. Similarly, calculating remainders modulo 10 yields

219⁴⁵ − 43¹² ≡ (−1)⁴⁵ − 3¹² ≡ −1 − 9⁶ ≡ −1 − (−1)⁶ ≡ −1 − 1 ≡ −2 ≡ 8 (mod 10)

3. We find the remainder when 4⁴⁹ is divided by 67. Even with the assistance of a powerful
calculator, evaluating

4⁴⁹ = 316,912,650,057,057,350,374,175,801,344

doesn’t help us! Instead we first search for a power of 4 which is small modulo 67: the obvious
choice is 4³ = 64.

4⁴⁹ ≡ 4 · (4³)¹⁶ ≡ 4 · (−3)¹⁶ ≡ 4 · 3¹⁶ (mod 67)

Next we search for a power of 3 which is small: since 3⁴ = 81 ≡ 14 (mod 67) we obtain

4⁴⁹ ≡ 4 · (3⁴)⁴ ≡ 4 · 14⁴ (mod 67)

Now observe that 14² = 196 ≡ −5 (mod 67) and we are almost finished:

4⁴⁹ ≡ 4 · (−5)² ≡ 4 · 25 ≡ 100 ≡ 33 (mod 67)
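The hand reductions in Examples 3.7 are what a square-and-multiply routine does mechanically. The following is an added example (my code, not from the notes): it reduces after every product so no intermediate value exceeds n², counts the multiplications used, and lists the successive residues of 4^(2ⁱ) modulo 67 that the "search for a small power" above approximates by eye.

```python
# Added example (not from the notes): modular exponentiation by repeated
# squaring. Theorem 3.6 part 2 lets us reduce modulo n after every product,
# so the running values stay below n**2 even when base**exponent itself has
# hundreds of digits (Examples 3.7).


def mod_pow(base: int, exponent: int, modulus: int) -> int:
    """Return base**exponent reduced modulo modulus, for exponent >= 0."""
    value, _ = mod_pow_with_count(base, exponent, modulus)
    return value


def mod_pow_with_count(base: int, exponent: int, modulus: int):
    """Square-and-multiply; also returns how many multiplications were used.

    Scanning the exponent's binary digits from the least significant end,
    `square` runs through base, base^2, base^4, ... (each reduced mod n) and
    `result` picks up the powers whose bit is set.
    """
    if modulus < 1:
        raise ValueError("modulus must be a positive integer")
    if exponent < 0:
        raise ValueError("a negative exponent needs an inverse (Theorem 3.13)")
    result = 1 % modulus          # 1 % 1 == 0 keeps the modulus-1 case honest
    square = base % modulus       # start from the residue of the base
    multiplications = 0
    while exponent:
        if exponent & 1:
            result = (result * square) % modulus
            multiplications += 1
        exponent >>= 1
        if exponent:              # no need to square after the last bit
            square = (square * square) % modulus
            multiplications += 1
    return result, multiplications


def successive_squares(base: int, modulus: int, count: int) -> list:
    """Residues of base^(2^i) mod modulus for i = 0 .. count-1.

    This is the systematic form of 'search for a power which is small':
    for 4 modulo 67 it runs 4, 16, 256 ≡ 55, ... with every entry reduced.
    """
    out = []
    x = base % modulus
    for _ in range(count):
        out.append(x)
        x = (x * x) % modulus
    return out


def examples_3_7() -> tuple:
    """The three residues worked by hand in Examples 3.7."""
    first = mod_pow(17, 113, 3)                                  # 17^113 mod 3
    second = (mod_pow(219, 45, 10) - mod_pow(43, 12, 10)) % 10  # 219^45 - 43^12 mod 10
    third = mod_pow(4, 49, 67)                                   # 4^49 mod 67
    return first, second, third
```

Note that 4⁴⁹ costs 8 multiplications this way rather than 48, and none of them involves a number bigger than 66².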


Now that we have some better notation, here is a much faster proof of Lemma 3.3.

Proof. Modulo 3 we have:

0² ≡ 0,   1² ≡ 1,   2² ≡ 4 ≡ 1

Hence squares can only have remainders 0 or 1 modulo 3.

As an application, we can easily show that in a primitive Pythagorean triple ( a, b, c) exactly one of a
or b is a multiple of three. Just think about the remainders modulo 3:

a² + b² ≡ c² (mod 3)

The only possibilities are 0 + 0 ≡ 0, 0 + 1 ≡ 1 and 1 + 0 ≡ 1, however the first says that all three of
a, b, c are divisible by three which results in a non-primitive triple.
Similar games can be played with other primes.

Congruence and Division By Theorem 3.6, we may add, subtract, multiply and take positive integer
powers of remainders without issue. Division is another matter entirely: it simply does not work
in the usual sense.

Example 3.8. Since 54 − 30 = 24 is divisible by 8, we see that 54 ≡ 30 (mod 8). We’d like to divide
both sides this congruence by 6, however

6 × 9 ≡ 6 × 5 (mod 8) ⇏ 9 ≡ 5 (mod 8)

since the right hand side is false. What can we try instead? Instead we follow the definition:

6 × 9 ≡ 6 × 5 (mod 8) =⇒ 6 × 9 = 6 × 5 + 8m for some¹ m ∈ Z

We can’t automatically divide this by 6, but we can certainly divide through by 2:

3 × 9 = 3 × 5 + 4m =⇒ 3 | 4m =⇒ 3 | m =⇒ m = 3l for some l ∈ Z

We may now divide by 3 to correctly conclude

9 = 5 + 4l =⇒ 9 ≡ 5 (mod 4)

It appears that we were able to divide our original congruence by 6, but at the cost of dividing the
modulus by 2: it just so happens that 2 = gcd(6, 8). . .

Theorem 3.9. If k ≠ 0 and gcd(k, n) = d, then

$$ka \equiv kb \pmod{n} \implies a \equiv b \pmod{\tfrac{n}{d}}$$

Proof. gcd(k, n) = d =⇒ gcd(k/d, n/d) = 1 so that n/d and k/d are coprime integers. Appealing to a
corollary² of Bézout’s identity, we see that

$$ka \equiv kb \implies n \mid (ka - kb) \implies \frac{n}{d} \;\Big|\; \frac{k}{d}(a - b) \implies \frac{n}{d} \;\Big|\; (a - b)$$

Otherwise said a ≡ b (mod n/d).

Examples 3.10. 1. We divide by 4 in the congruence 12 ≡ 28 (mod 8). Since gcd(4, 8) = 4 we also
divide the modulus by 4 to obtain

12 ≡ 28 (mod 8) =⇒ 3 ≡ 7 (mod 2)

2. We divide by 12 in the congruence 12 ≡ 72 (mod 30). Since gcd(12, 30) = 6, we conclude that

12 ≡ 72 (mod 30) =⇒ 1 ≡ 6 (mod 5)


¹ It is obvious that m = 3 but leaving this unsaid makes it easier to see a proof of the following theorem.
² If gcd(a, b) = 1 and a | bc, then a | c. This is the crucial step in the calculation, corresponding to the =⇒ arrows in both
the proof and the previous example.

Division in the ring Zn The development of modular arithmetic (Theorem 3.6) shows that the set
of residues Zn = {0, 1, . . . , n − 1} modulo n has the algebraic structure of a ring.³ The interesting
question for us is when one can divide.
Recall in the real numbers that to divide by x means that we multiply by some element x⁻¹ satisfying
xx⁻¹ = 1: plainly this is possible provided x ≠ 0. The same idea holds in Zn.

Definition 3.11. Let x ∈ Zn. We say that y ∈ Zn is the inverse of x if xy ≡ yx ≡ 1 (mod n).
An element x is a unit if it has an inverse. A ring is a field if every non-zero element is a unit.

Example 3.12. By considering the multiplication tables for Z5 and Z6 , we can easily identify the
units and their inverses:

 Z5 | 0 1 2 3 4
 ---+----------
  0 | 0 0 0 0 0
  1 | 0 1 2 3 4
  2 | 0 2 4 1 3
  3 | 0 3 1 4 2
  4 | 0 4 3 2 1

 Z6 | 0 1 2 3 4 5
 ---+------------
  0 | 0 0 0 0 0 0
  1 | 0 1 2 3 4 5
  2 | 0 2 4 0 2 4
  3 | 0 3 0 3 0 3
  4 | 0 4 2 0 4 2
  5 | 0 5 4 3 2 1

There are plainly only two units in Z6 , namely 1 and 5. Moreover, each is its own inverse

1 · 1 ≡ 1, 5·5 ≡ 1 (mod 6)

Modulo 5, however, every non-zero residue is a unit:

1 · 1 ≡ 1,   2 · 3 ≡ 3 · 2 ≡ 1,   4 · 4 ≡ 1 (mod 5)

In the example, the units have a simple property in common.

Theorem 3.13. x ∈ Zn is a unit ⇐⇒ gcd(x, n) = 1.
Moreover, every non-zero x ∈ Zn is a unit (thus Zn is a field) if and only if n = p is prime.

Proof. (⇒) If xy ≡ 1 (mod n), then xy − λn = 1 for some λ ∈ Z. Plainly any common factor of x
and n divides 1, whence gcd( x, n) = 1.
(⇐) By Bézout’s identity, ∃λ, y ∈ Z such that

xy + nλ = 1 =⇒ xy ≡ 1 (mod n)

Plainly every non-zero x is a unit if and only if gcd( x, n) = 1 for all x ∈ {1, . . . , n − 1}. This is if and
only if n has no divisors except itself and 1: i.e. n is prime.

This result gels with Theorem 3.9: we can divide a congruence by k while remaining in Zn precisely
when d = gcd(k, n) = 1. Moreover, the proof tells us how to compute inverses: use Bézout!

³ More formally, it inherits this structure from the integers as a factor ring: Zn = Z/nZ = {[0], [1], . . . , [n − 1]} is a set of
equivalence classes where x ∼ y ⇐⇒ x ≡ y (mod n). For this course, familiarity with this construction is unimportant.

Example 3.14. Find the inverse of 15 ∈ Z26 .
First observe that gcd(15, 26) = 1, so an inverse exists. Now apply the Euclidean algorithm and
Bézout’s identity:

26 = 1 · 15 + 11        gcd(26, 15) = 1 = 4 − 3 = 4 − (11 − 2 · 4)
15 = 1 · 11 + 4                        = 3 · 4 − 11 = 3(15 − 11) − 11
11 = 2 · 4 + 3                         = 3 · 15 − 4 · 11 = 3 · 15 − 4(26 − 15)
 4 = 1 · 3 + 1                         = 7 · 15 − 4 · 26

from which we see that 15 · 7 ≡ 1 (mod 26): the inverse of 15 is therefore 7.


Exercises 3.1 1. Find the residues (remainders) of the following expressions:
(a) 64 − 38 · 48 (mod 5)
(b) 11732 + 11831 (mod 7)
(c) 35101340 − 27094444 (mod 24)
2. Suppose that d | m. Show that if a ≡ b (mod m/d), then

$$a \equiv b,\ \text{or}\ b + \frac{m}{d},\ \text{or}\ \cdots,\ \text{or}\ b + (d-1)\frac{m}{d} \pmod m$$

3. Show that a positive integer is divisible by 3 if and only if the sum of its digits is divisible by 3.
(Hint: for example 471 = 4 · 100 + 7 · 10 + 1 . . .)
4. Suppose z ∈ N and that z ≡ 3 (mod 4). Prove that at least one of the primes p dividing z must
be congruent to 3 modulo 4.
5. (a) State the units in the ring Z₄₈.
(b) Find the inverse of 11 modulo 48.
(c) If 11x ≡ 2 (mod 48) for some x ∈ Z₄₈, find x.
6. Prove that inverses are unique: if y, z are inverses of x ∈ Zn, then y ≡ z (mod n).
7. A non-zero element x ∈ Zn is a zero divisor if ∃y ∈ Zn such that xy ≡ 0 (mod n). Prove that
Zn has zero divisors if and only if n is composite.
8. Suppose p is prime and a ≢ 0. Prove that the remainders 0, a, 2a, 3a, . . . , (p − 1)a are distinct
modulo p, and thus constitute all of Zₚ.
9. Suppose r and s are odd. Prove the following:

$$\text{(a)}\ \frac{rs - 1}{2} \equiv \frac{r - 1}{2} + \frac{s - 1}{2} \pmod 2 \qquad \text{(b)}\ r^2 \equiv s^2 \equiv 1 \pmod 8 \qquad \text{(c)}\ \frac{(rs)^2 - 1}{8} \equiv \frac{r^2 - 1}{8} + \frac{s^2 - 1}{8} \pmod 8$$

10. Prove that (kᵏ) is periodic modulo 3 and find its period.
(Hint: First try to spot a pattern. . . )

3.2 Congruence Equations and Lagrange’s Theorem
In this section we consider polynomial congruence equations p( x ) ≡ 0 (mod m). The simplest type
are linear: in fact we know how to solve these already.

∃ x ∈ Z s.t. ax ≡ c (mod m) ⇐⇒ ∃ x, y ∈ Z s.t. ax + my = c

This last is a linear Diophantine equation; we need only rephrase our work from earlier.

Theorem 3.15. Let d = gcd(a, m). The equation ax ≡ c (mod m) has a solution iff d | c. If x₀ is a
solution, then all solutions are given by

$$x = x_0 + k\,\frac{m}{d} : k \in \mathbb{Z}$$

Moreover, modulo m, there are exactly d solutions, namely

$$x_0,\ x_0 + \frac{m}{d},\ x_0 + \frac{2m}{d},\ \ldots,\ x_0 + \frac{(d-1)m}{d}$$

Examples 3.16. 1. We solve the congruence equation 15x ≡ 4 (mod 133).

By the Euclidean algorithm/Bézout, we see that

133 = 8 · 15 + 13        d = gcd(15, 133) = 1 = 13 − 6 · 2 = 13 − 6(15 − 13)
 15 = 1 · 13 + 2                              = 7 · 13 − 6 · 15
 13 = 6 · 2 + 1                               = 7(133 − 8 · 15) − 6 · 15
                                              = 7 · 133 − 62 · 15

Since d = 1 and d | 4, there is exactly one solution. Moreover, modulo 133, we see that

15 · (−62) ≡ 1 =⇒ 15 · (−248) ≡ 15 · 18 ≡ 4 (mod 133)

whence x₀ = 18 is the unique solution.ᵃ

2. We solve the linear congruence 1288x ≡ 21 (mod 1575).

Assume we have applied the Euclidean algorithm and Bézout’s identity to obtain

d = gcd(1575, 1288) = 7 = 1575 · 9 − 1288 · 11

Since 7 | 21, there are precisely seven solutions. Indeed

7 ≡ 1288(−11) (mod 1575) =⇒ x = −33 ≡ 1542 (mod 1575)

Moreover, m/d = 1575/7 = 225, whence all solutions are

{x ≡ −33 + 225k : k = 0, . . . , 6} = {192, 417, 642, 867, 1092, 1317, 1542}

ᵃ Because gcd(15, 133) = 1, we see that 15 is a unit modulo 133. Indeed the Bézout calculation says that its inverse is
15⁻¹ ≡ −62 ≡ 71 ∈ Z₁₃₃. Since 133 = 7 · 19, the units are precisely those elements which are divisible by neither 7 nor 19.
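Example 3.14 and Examples 3.16 are both the extended Euclidean algorithm followed by a rearrangement of Bézout’s identity. The following added example (my code, not from the notes) automates that: Bézout coefficients, inverses in Zn (Theorem 3.13), the cancellation rule of Theorem 3.9, and all d solutions of ax ≡ c (mod m) from Theorem 3.15.

```python
# Added example (not from the notes): Bézout's identity by the extended
# Euclidean algorithm, and the three things the notes use it for.
from math import gcd


def extended_gcd(a: int, b: int):
    """Return (d, s, t) with d = gcd(a, b) >= 0 and s*a + t*b = d.

    Each loop iteration is one line of the Euclidean algorithm table in
    Example 3.14; (old_s, old_t) record how the current remainder is written
    as a combination of a and b, which is the back-substitution done by hand.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:                 # keep the gcd non-negative
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def mod_inverse(x: int, n: int) -> int:
    """The inverse of x in Z_n (Definition 3.11); raises if x is not a unit."""
    d, s, _ = extended_gcd(x, n)
    if d != 1:                    # Theorem 3.13: units are exactly gcd(x, n) = 1
        raise ValueError(f"{x} is not a unit modulo {n}: gcd = {d}")
    return s % n                  # s*x + t*n = 1  =>  s*x ≡ 1 (mod n)


def units(n: int) -> list:
    """All units of Z_n, by Theorem 3.13."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def cancel_factor(k: int, a: int, b: int, n: int) -> int:
    """Theorem 3.9: from ka ≡ kb (mod n) deduce a ≡ b (mod n/d), d = gcd(k, n).

    Returns the reduced modulus n/d after checking both congruences hold.
    """
    if k == 0 or (k * a - k * b) % n != 0:
        raise ValueError("ka ≡ kb (mod n) must hold with k non-zero")
    reduced = n // gcd(k, n)
    assert (a - b) % reduced == 0  # the theorem's conclusion
    return reduced


def solve_linear_congruence(a: int, c: int, m: int) -> list:
    """All x in Z_m with ax ≡ c (mod m), sorted; empty if none (Theorem 3.15)."""
    d, s, _ = extended_gcd(a, m)
    if c % d != 0:
        return []                 # no solution unless d | c
    # s*a ≡ d (mod m), so x0 = s*(c/d) satisfies a*x0 ≡ c (mod m)
    x0 = (s * (c // d)) % m
    step = m // d                 # the d solutions are x0 + k*(m/d), k = 0..d-1
    return sorted((x0 + k * step) % m for k in range(d))
```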

Higher degree congruences While we were able to give a complete description of the solutions to
a linear congruence, for higher order polynomials, things quickly become very messy. We start with
a simple example of a quadratic congruence which can easily be solved by inspection.

Example 3.17. Consider the quadratic equation x² + 3x ≡ 0 (mod 10). One can easily check by
plugging in the remainders 0, . . . , 9 that the solutions to this equation are

x ≡ 0, 2, 5, 7 (mod 10)

This is perhaps surprising, since we are used to quadratic equations having at most two solutions.
Now consider the same equation modulo the prime divisors of 10. Since 10 | d ⇐⇒ 2 | d and 5 | d, we
see that

$$x^2 + 3x \equiv 0 \pmod{10} \iff \begin{cases} x^2 + 3x \equiv 0 \pmod 2 \\ x^2 + 3x \equiv 0 \pmod 5 \end{cases}$$

By substituting values for x, we easily check that sanity is restored: each congruence now has two
solutions!

x² + 3x ≡ 0 (mod 2) ⇐⇒ x ≡ 0, 1 (mod 2)
x² + 3x ≡ 0 (mod 5) ⇐⇒ x ≡ 0, 2 (mod 5)

We can even factorize in the familiar manner:

x² + 3x ≡ x² − x ≡ x(x − 1) (mod 2)
x² + 3x ≡ x² − 2x ≡ x(x − 2) (mod 5)

Modulo 10, however, we have two distinct factorizations:

x² + 3x ≡ x(x − 7) ≡ (x − 2)(x − 5) (mod 10)

For general polynomial congruences, the same sort of thing is true. The number of solutions and
types of factorizations are more predictable when the modulus is prime.

Theorem 3.18 (Lagrange). Let p be prime and f(x) a polynomial with integer coefficients and degree
n modulo p. Then f(x) ≡ 0 (mod p) has at most n distinct roots.

Lagrange’s Theorem is useless for congruences such as x³⁹ + 25x² + 1 ≡ 0 (mod 17): since there are
only 17 distinct values of x to try, the congruence has a maximum of 17 solutions, not 39.
Before proving Lagrange’s Theorem, we need one additional ingredient.

Lemma 3.19 (Factor Theorem in Z[ x ]). Suppose f ( x ) is a polynomial with integer coefficients and
that c ∈ Z. Then there exists a unique polynomial q( x ), also with integer coefficients, such that

f ( x ) = ( x − c)q( x ) + f (c)

Moreover, f (c) = 0 if and only if ( x − c) is a factor of f ( x ). This is also true modulo any n.

Proof. Suppose f(x) = aₙxⁿ + ··· + a₀ is given. Since x − c is linear, we require deg q = n − 1. Write
q(x) = qₙ₋₁xⁿ⁻¹ + ··· + q₀, let r be constant, and consider

$$\begin{aligned} a_n x^n + \cdots + a_0 &= (x - c)(q_{n-1}x^{n-1} + \cdots + q_1 x + q_0) + r \\ &= q_{n-1}x^n + (q_{n-2} - c\,q_{n-1})x^{n-1} + \cdots + (q_0 - c\,q_1)x + r - c\,q_0 \end{aligned}$$

Equating the coefficients of 1, x, x², . . . , xⁿ yields the (n + 1) × (n + 1) linear algebra problem

$$\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ \vdots \\ a_{n-1} \\ a_n \end{pmatrix} = \begin{pmatrix} 1 & -c & 0 & \cdots & 0 & 0 \\ 0 & 1 & -c & \cdots & 0 & 0 \\ 0 & 0 & 1 & \cdots & 0 & 0 \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & 1 & -c \\ 0 & 0 & 0 & \cdots & 0 & 1 \end{pmatrix} \begin{pmatrix} r \\ q_0 \\ q_1 \\ \vdots \\ q_{n-2} \\ q_{n-1} \end{pmatrix} \implies \begin{pmatrix} r \\ q_0 \\ q_1 \\ \vdots \\ q_{n-2} \\ q_{n-1} \end{pmatrix} = \begin{pmatrix} 1 & c & c^2 & \cdots & c^{n-1} & c^n \\ 0 & 1 & c & \cdots & c^{n-2} & c^{n-1} \\ 0 & 0 & 1 & \cdots & c^{n-3} & c^{n-2} \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & 1 & c \\ 0 & 0 & 0 & \cdots & 0 & 1 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ \vdots \\ a_{n-1} \\ a_n \end{pmatrix}$$

Since the inverse matrix has integer coefficients, it follows that each qⱼ and r are uniquely defined
integers. Finally, since f(x) = (x − c)q(x) + r, evaluation at x = c yields r = f(c).

We are now ready to prove Lagrange: let us first reiterate the crucial observation from the Factor
Theorem: for any n,

f (c) ≡ 0 (mod n) ⇐⇒ ∃q( x ) such that f ( x ) ≡ ( x − c)q( x ) (mod n)

Proof of Lagrange. Suppose f(x) = aₙxⁿ + ··· is a polynomial with integer coefficients and degree n
modulo p: that is, p ∤ aₙ. Moreover, assume that f(c₁) ≡ 0 (mod p). By the factor theorem, there
exists a unique polynomial q₁(x) with integer coefficients, such that

f(x) = (x − c₁)q₁(x) + f(c₁) ≡ (x − c₁)q₁(x) (mod p)

Plainly q₁(x) = aₙxⁿ⁻¹ + ··· has degree n − 1 modulo p. If c₂ ≢ c₁ is another root modulo p, then

0 ≡ f(c₂) ≡ (c₂ − c₁)q₁(c₂) =⇒ q₁(c₂) ≡ 0 (mod p)

The last step is where we need p to be prime.⁴ We may therefore factor out (x − c₂) from q₁(x) modulo
p, and thus from f(x). Repeating the process, if there are n distinct roots, then f(x) factorizes as

f(x) ≡ (x − c₁) ··· (x − cₙ)qₙ(x) (mod p)

where qₙ(x) has degree n − n = 0: it is necessarily the constant aₙ. Finally, if ξ ≢ cᵢ for any i, then

f(ξ) ≡ aₙ(ξ − c₁) ··· (ξ − cₙ) ≢ 0 (mod p)

since there are no zero divisors in Zₚ. We conclude that f(x) ≡ 0 has no further roots modulo p.

In fact the ring of polynomials with coefficients in Z p has a Euclidean algorithm which can be used
to prove a unique factorization theorem: there is only one way to factorize a polynomial modulo p.
We won’t prove it, but you are welcome to use the fact nonetheless.
⁴ p | (c₂ − c₁)q₁(c₂) and gcd(c₂ − c₁, p) = 1, whence p | q₁(c₂).

Examples 3.20. 1. By testing the values⁵ x ≡ 0, 1, −1 (mod 7), we see that

f(x) ≡ x³ − x (mod 7)

has these distinct solutions. By Lagrange, it has no other solutions. Indeed this example factorizes
very easily

f(x) ≡ x(x − 1)(x + 1)

2. Lagrange only says that there are at most n solutions modulo p. It is straightforward to check
(let x = 0, 1. . . ) that the polynomial f(x) ≡ x² + x + 1 (mod 2) has no solutions.

3. Factorize f(x) = x³ + 2x² + 4x + 3 over Z₅.

By inspection we see that x ≡ ±1, −2 are solutions. By Lagrange’s Theorem these are the only
solutions and we can factorize

f(x) ≡ (x − 1)(x + 1)(x + 2) (mod 5)

We know that the factorization is unique and there are no other solutions, but it is worth seeing
it played out in stages.

f(x) ≡ x³ + 2x² + 4x + 3 ≡ (x − 1)(x² + 3x + 7)   (spot x ≡ 1 and factorize)
                          ≡ (x − 1)(x² + 3x + 2)   (simplify)
                          ≡ (x − 1)(x + 1)(x + 2)  (spot x ≡ −1 and factorize)

Aside: How to factorize? If you have trouble factorizing the previous example, here is a simple
algorithm. Since f(1) ≡ 0, we know that f(x) ≡ (x − 1)q(x) for some quadratic q(x).

1. Since we need an x³ term, the first coefficient of q(x) is plainly x²:

x³ + 2x² + 4x + 3 ≡ (x − 1)(x² + ···)

2. We now have −x² on the right hand side, but we want 2x². We therefore need to add 3x² by
inserting a linear term into q(x):

x³ + 2x² + 4x + 3 ≡ (x − 1)(x² + 3x + ···)

3. We now have −3x on the right hand side, but we want 4x. We therefore add 7x by inserting a
constant term into q(x):

x³ + 2x² + 4x + 3 ≡ (x − 1)(x² + 3x + 7)

4. Verify that the factorization is correct by multiplying the constants:

x³ + 2x² + 4x + 3 ≡ (x − 1)(x² + 3x + 7)

Indeed 3 ≡ −7 (mod 5) so we’re done.

This approach works for any linear division and has the advantage of being able to write down the
answer in one line. Of course, you’re welcome to write it out using long division!

⁵ Plainly −1 ≡ 2 (mod 3): it is simply easier to use ‘smaller’ representatives when calculating.

Examples 3.21. 1. Find all roots of f(x) ≡ x⁴ + 2x³ + 2x − 1 (mod 7) and factorize.

We start by trying values: plainly f(0) ≡ −1 and f(1) ≡ 4 are non-zero. However

f(2) ≡ 16 + 16 + 4 − 1 ≡ 2 + 2 + 4 − 1 ≡ 0 (mod 7)

so we factor out x − 2:

f(x) ≡ (x − 2)(x³ + 4x² + 8x + 18) ≡ (x − 2)(x³ − 3x² + x − 3) (mod 7)

x ≡ 3 is a root of the cubic, so we factor out x − 3:

f(x) ≡ (x − 2)(x − 3)(x² + 1) (mod 7)

It is easily checked that x² + 1 ≡ 0 (mod 7) has no solutions, so we’re done.

2. Compare with Example 3.17. Modulo 6 we have a non-unique factorization:

f(x) ≡ x² − 5x ≡ x(x − 5) ≡ (x − 2)(x − 3) (mod 6)

Re-read the proof of Lagrange’s Theorem and make sure you understand where the argument
fails!

3. Find all solutions to x² + 14x − 3 ≡ 0 (mod 18). Rather than try all remainders 0, 1, . . . , 17,
here is a more systematic approach. If x is a solution, then both

$$\begin{cases} x^2 + 14x - 3 \equiv x^2 - 1 \equiv 0 \pmod 2 \implies x \text{ odd, and,} \\ x^2 + 14x - 3 \equiv x^2 + 5x - 3 \equiv 0 \pmod 9 \implies x^2 + 2x \equiv 0 \pmod 3 \end{cases}$$

Plainly x ≡ 0, 1 (mod 3) (since 3 is prime, this is in line with Lagrange). We therefore try
x ≡ 0, 1, 3, 4, 6, 7 (mod 9) and observe that only x ≡ 6, 7 (mod 9) work. We therefore have to
solve two different sets of equations:

$$\begin{cases} x \equiv 1 \pmod 2 \\ x \equiv 6 \pmod 9 \end{cases} \qquad\text{or}\qquad \begin{cases} x \equiv 1 \pmod 2 \\ x \equiv 7 \pmod 9 \end{cases}$$

We have two sets of simultaneous equations. In general, the Chinese Remainder Theorem
(later) can deal with these, but these are so simple that there is no need. For instance

x ≡ 6 (mod 9) =⇒ x ≡ 6, 15 (mod 18)

Since x must also be odd (and 18 is even), only x ≡ 15 (mod 18) will do. Similarly, the second
simultaneous congruence has solution x ≡ 7 (mod 18).

4. Find all solutions to x³ − 2x + 1 ≡ 0 (mod 12).

We easily spot that x ≡ 1 (mod 12) is a solution. Are there others? Considering the primes
dividing 12 we see that any solution must satisfy

x³ − 2x + 1 ≡ (x − 1)(x² + x − 1) ≡ 0 (mod 2) and (mod 3).

It is clear by inspection that the only solutions modulo 2 and 3 are x ≡ 1. It follows that any
solution must satisfy x ≡ 1 (mod 6). Stepping this up to modulo 12, we should try x ≡ 1 and
x ≡ 7 (mod 12). The first is certainly a solution. As for the latter,

7³ − 2 · 7 + 1 ≡ 7 · 49 − 14 + 1 ≡ 7 − 2 + 1 ≡ 6 (mod 12)

It follows that the only solution is x ≡ 1 (mod 12).
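The root-hunting and peeling-off in Examples 3.20 and 3.21, together with the division procedure in the Aside, as an added example (my code, not from the notes). Polynomials are coefficient lists, highest degree first; the factorizing routine insists on a prime modulus, since that is what makes the factorization the unique one Lagrange’s Theorem and the remark after its proof guarantee, while the root finder works for any modulus (and so reproduces the four roots of Example 3.17).

```python
# Added example (not from the notes): roots and factorization of a polynomial
# congruence f(x) ≡ 0 (mod p). A polynomial is a list of integer coefficients,
# highest degree first: [1, 2, 4, 3] is x^3 + 2x^2 + 4x + 3.


def is_prime(n: int) -> bool:
    """Trial division; enough for the small moduli in the notes."""
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))


def poly_eval(coeffs: list, x: int, n: int) -> int:
    """f(x) mod n by Horner's rule, reducing after every step (Theorem 3.6)."""
    value = 0
    for a in coeffs:
        value = (value * x + a) % n
    return value


def roots_mod_n(coeffs: list, n: int) -> list:
    """Every residue c in Z_n with f(c) ≡ 0 (mod n), in increasing order.

    This is the 'plug in 0, ..., n-1' check of Example 3.17. It works for
    composite n too, where there may be more roots than the degree.
    """
    return [c for c in range(n) if poly_eval(coeffs, c, n) == 0]


def divide_by_linear(coeffs: list, c: int, n: int):
    """Return (q, r) with f(x) ≡ (x - c) q(x) + r (mod n)  (Lemma 3.19).

    This is the Aside's procedure: the leading coefficient of q is that of f,
    and each later coefficient of q is whatever makes the next coefficient of
    (x - c) q(x) agree with f. Synthetic division computes exactly that.
    """
    carried = []
    acc = 0
    for a in coeffs:
        acc = (a + c * acc) % n
        carried.append(acc)
    remainder = carried.pop()      # the final carry is f(c)
    return carried, remainder


def factor_mod_p(coeffs: list, p: int):
    """Peel off linear factors (x - c) until no roots remain, p prime.

    Returns (roots, rest) with
        f(x) ≡ (x - roots[0]) ... (x - roots[-1]) * rest(x)  (mod p),
    where rest has no roots in Z_p (or is a constant). Roots are repeated
    according to multiplicity.
    """
    if not is_prime(p):
        raise ValueError("Lagrange's Theorem needs a prime modulus")
    rest = [a % p for a in coeffs]
    while len(rest) > 1 and rest[0] == 0:   # the degree *modulo p* may be lower
        rest.pop(0)
    roots = []
    while len(rest) > 1:
        found = roots_mod_n(rest, p)
        if not found:
            break
        rest, r = divide_by_linear(rest, found[0], p)
        assert r == 0                       # Factor Theorem: a root divides exactly
        roots.append(found[0])
    assert len(roots) <= len(coeffs) - 1    # Lagrange: at most deg f roots
    return roots, rest
```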

Exercises 3.2 1. Solve the following equations for x, or show that there is no solution:

(a) 3x − 4 ≡ 7 (mod 11)
(b) 12x + 5 ≡ 7 (mod 16)
(c) 7x − 9 ≡ 5 (mod 21)

2. Solve the following polynomial congruence equations modulo a prime.

(a) x² + 4x + 3 ≡ 0 (mod 11)
(b) x³ − 4x ≡ 0 (mod 17)
(c) x² + 4x + 1 ≡ 0 (mod 13)
(d) x⁴ + 4x + 2 ≡ 0 (mod 7)
(e) x³ + x² − 2 ≡ 0 (mod 13)
(f) x³ − 100x ≡ 0 (mod 997)

You can solve these by trial and error, but can you do them systematically?

3. Solve the following polynomial congruence equations modulo a composite.

(a) x² + 4x + 5 ≡ 0 (mod 10)
(b) x² + 4x + 3 ≡ 0 (mod 15)
(c) x³ + x² − 2 ≡ 0 (mod 39)

4. Suppose that gcd(a, b) = 1. Prove that

$$x \equiv 0 \pmod{ab} \iff \begin{cases} x \equiv 0 \pmod a \\ x \equiv 0 \pmod b \end{cases}$$

What goes wrong when a, b are not coprime?

5. Informally explain why a quadratic congruence ax² + bx + c ≡ 0 (mod 15) has at most four
distinct solutions.

3.3 Powers and Fermat’s Little Theorem

Fermat’s Little⁶ Theorem provides a useful trick for simplifying large powers in congruences.

Theorem 3.22 (Fermat’s Little Theorem). If p is prime and p ∤ a then aᵖ⁻¹ ≡ 1 (mod p)

Proof. Recall Exercise 3.2.8, where we saw that the remainders a, 2a, . . . , a(p − 1) are distinct and
non-zero: they are simply 1, 2, . . . , p − 1 in a different order. Multiply these lists together to obtain

aᵖ⁻¹(p − 1)! ≡ (p − 1)! (mod p)

Since p is prime and gcd((p − 1)!, p) = 1, we divide by (p − 1)! for the result.


Examples 3.23. The power of Fermat’s Little Theorem to simplify calculations is considerable.
Imagine how tedious the following would be without it!

1. Since 239 is not divisible by the prime 137, we instantly see that

239¹³⁶ ≡ 1 (mod 137)

2. We compute the remainder when 66⁹⁸ is divided by the prime 97.

66⁹⁸ ≡ 66⁹⁷⁻¹ · 66² ≡ 66² (mod 97)
     ≡ (−31)² ≡ 961 ≡ −9 ≡ 88 (mod 97)

3. We solve the high-degree congruence x⁷⁴ ≡ 12 (mod 37).

First note that 37 is prime and that if there is a solution x, then it is non-zero. The theorem
therefore applies, and we see that

x³⁷⁻¹ ≡ x³⁶ ≡ 1 (mod 37)

Since 74 = 36 × 2 + 2 we conclude that

12 ≡ x⁷⁴ ≡ (x³⁶)² · x² ≡ x² (mod 37)

We have therefore reduced the congruence to something much more manageable.
This new equation can be solved by brute force: by considering numbers congruent to 12 modulo
37, we don’t have far to look before we find a perfect square!

12, 49, . . .

Thus x ≡ 7 is a solution, which says that x ≡ −7 ≡ 30 is another. By Lagrange’s Theorem,
there are at most two solutions to this congruence: we conclude

x⁷⁴ ≡ 12 ⇐⇒ x ≡ 7, 30 (mod 37)


⁶ To distinguish it from his famous Last Theorem. The little theorem is often abbreviated FℓT, and the last FLT.
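Fermat’s Little Theorem as a tool, in the shape of Examples 3.23: an added example (my code, not from the notes) that reduces an exponent modulo p − 1 before doing anything else, and uses that to solve xᵉ ≡ c (mod p) by brute force on the much smaller congruence, checking the number of solutions against Lagrange’s bound. It assumes p prime and uses Python’s built-in pow for the modular powers.

```python
# Added example (not from the notes): Fermat's Little Theorem in use.
# For p prime and p ∤ x we have x^(p-1) ≡ 1 (mod p), so an exponent may be
# reduced modulo p - 1 before any computation (Examples 3.23).


def is_prime(n: int) -> bool:
    """Trial division; enough for the small primes in the notes."""
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))


def reduce_exponent(e: int, p: int) -> int:
    """Return e' in 1..p-1 with x^e ≡ x^e' (mod p) whenever p ∤ x and e >= 1.

    Write e = (p-1)q + r; then x^e ≡ (x^(p-1))^q x^r ≡ x^r. When r = 0 we
    return p-1 rather than 0, which is still correct for units and keeps
    the exponent positive.
    """
    if not is_prime(p):
        raise ValueError("Fermat's Little Theorem needs p prime")
    if e < 1:
        raise ValueError("exponent must be at least 1")
    r = e % (p - 1)
    return r if r else p - 1


def fermat_power(a: int, e: int, p: int) -> int:
    """a^e mod p via the reduced exponent (Examples 3.23.1 and 3.23.2)."""
    a %= p
    if a == 0:
        return 0                    # p | a: the theorem does not apply, but a^e ≡ 0
    return pow(a, reduce_exponent(e, p), p)


def solve_power_congruence(e: int, c: int, p: int) -> list:
    """All x in Z_p with x^e ≡ c (mod p), as in Example 3.23.3.

    Reduce the exponent first, then brute-force the small congruence. The
    count of solutions is checked against Lagrange's bound for x^e' - c.
    """
    c %= p
    if c == 0:
        return [0]                  # no zero divisors in Z_p: x^e ≡ 0 forces x ≡ 0
    small = reduce_exponent(e, p)   # any non-zero solution x has x^small ≡ c
    solutions = [x for x in range(1, p) if pow(x, small, p) == c]
    assert len(solutions) <= small  # Lagrange's Theorem
    return solutions
```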

Riffle-shuffling

As a fun example of Fermat at work, consider a standard ‘riffle’ shuffle of a 52-card deck of playing
cards. The process is as follows:

• Label the cards 1, 2, 3, . . . , 52 from bottom to top.
• Cut the deck into two stacks of 26 cards.
• Alternate cards from the bottom of each stack: position x moves to position s(x), where

   x   | 1 2 3 ··· 25 26 27 28 ··· 50 51 52
  s(x) | 2 4 6 ··· 50 52  1  3 ··· 47 49 51

It is not hard to give a formula to this function:

s : {1, 2, . . . , 52} → {1, 2, . . . , 52} : x ↦ 2x (mod 53)

We can now ask some simple questions:

1. If we keep perfectly shuffling the pack, will it eventually end up in the starting arrangement
and how long will it take?
2. Of all possible arrangements of a deck, how many can be achieved just by shuffling?

Fermat’s Little Theorem makes these questions easy to answer:

1. Shuffling n times produces the function

sⁿ : x ↦ 2ⁿx (mod 53)

Since 53 is prime, s⁵²(x) ≡ 2⁵²x ≡ x (mod 53), whence every card ends up in its starting
position after 52 riffle shuffles. It is tedious to check, but in fact this is the minimum number of
shuffles required.
2. Even though there are 52! ≈ 10⁶⁸ potential arrangements of 52 cards in a deck, perfect shuffling
of a new pack can only result in a comparatively tiny 52 distinct arrangements. Thankfully
shuffling is rarely perfect, even when performed by a pro!

You should be able to think up several modifications of this problem, and we’ll return to it later. . .
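The "tedious to check" claim above is easy to settle by machine. The following added example (my code, not from the notes) simulates the perfect riffle on a list of cards, checks it against the formula s(x) = 2x (mod 53), iterates it until the deck returns to its starting order, and confirms that the number of shuffles equals the multiplicative order of 2 modulo 53 and the number of reachable arrangements.

```python
# Added example (not from the notes): the perfect riffle shuffle simulated,
# checked against s(x) = 2x (mod 53), and iterated to find how many shuffles
# restore the deck and how many distinct arrangements are reachable.


def riffle(deck: list) -> list:
    """One perfect riffle. `deck` lists the cards from bottom to top.

    Cut into two equal stacks and alternate cards from the bottom of each,
    starting with the top stack, so the card at position 27 lands at position
    1 and the card at position 1 lands at position 2 (the table in the notes).
    """
    if len(deck) % 2:
        raise ValueError("the notes' shuffle cuts the deck into two equal stacks")
    half = len(deck) // 2
    lower, upper = deck[:half], deck[half:]
    out = []
    for top_card, bottom_card in zip(upper, lower):
        out.append(top_card)
        out.append(bottom_card)
    return out


def s(x: int, n_cards: int = 52) -> int:
    """The notes' formula: position x moves to 2x (mod n_cards + 1)."""
    return (2 * x) % (n_cards + 1)


def formula_matches_simulation(n_cards: int = 52) -> bool:
    """Does card x (starting at position x) end at position s(x) after one riffle?"""
    start = list(range(1, n_cards + 1))        # card label == starting position
    after = riffle(start)
    return all(after[s(x, n_cards) - 1] == x for x in start)


def shuffles_to_reset(n_cards: int = 52) -> int:
    """Smallest k >= 1 such that k perfect riffles return the deck to its start."""
    start = list(range(1, n_cards + 1))
    deck, k = riffle(start), 1
    while deck != start:
        deck, k = riffle(deck), k + 1
    return k


def order_of_two(modulus: int) -> int:
    """Least k >= 1 with 2^k ≡ 1 (mod modulus), for odd modulus >= 3.

    By Fermat this k divides 52 when modulus = 53; the notes say it is 52.
    """
    if modulus < 3 or modulus % 2 == 0:
        raise ValueError("2 must be a unit modulo the modulus")
    k, power = 1, 2 % modulus
    while power != 1:
        power = (power * 2) % modulus
        k += 1
    return k


def reachable_arrangements(n_cards: int = 52) -> int:
    """Number of distinct orderings that perfect riffles can ever produce."""
    start = tuple(range(1, n_cards + 1))
    seen = {start}
    deck = tuple(riffle(list(start)))
    while deck not in seen:
        seen.add(deck)
        deck = tuple(riffle(list(deck)))
    return len(seen)
```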

We finish with another nice result tying together Lagrange and Fermat.

Corollary 3.24 (Wilson’s Theorem). If p is prime then (p − 1)! ≡ −1 (mod p)

Proof. Consider the polynomial congruence

g(x) ≡ (xᵖ⁻¹ − 1) − (x − 1)(x − 2) ··· (x − (p − 1)) ≡ 0 (mod p)

• Multiply out and cancel the leading xᵖ⁻¹ terms to see that g has degree at most p − 2. Lagrange
says that g(x) ≡ 0 has at most p − 2 distinct roots.
• Fermat says that g(x) ≡ 0 has at least p − 1 distinct roots, namely x ≡ 1, 2, . . . , p − 1.

The only way to make sense of this is if g(x) is not really a polynomial! It must be identically zero
modulo p. It follows that

xᵖ⁻¹ − 1 ≡ (x − 1)(x − 2) ··· (x − (p − 1)) (mod p)

Finally, evaluate at x ≡ 0 for the result.

If you’re having trouble understanding the proof, try an example! When p = 3 we have

g(x) ≡ x² − 1 − (x − 1)(x − 2) ≡ x² − 1 − x² + 3x − 2 ≡ 3x − 3 ≡ 0 (mod 3)

The point is that while g(x) might look like it has degree ≤ 1, it is in fact the zero polynomial.

Exercises 3.3 1. Solve the following congruences with the assistance of Fermat’s Little Theorem.

(a) x⁸⁶ ≡ 6 (mod 29)   (b) x³⁹ ≡ 8 (mod 13)   (c) x⁵⁰² ≡ 16 (mod 101)

2. Let p be prime. By describing the distinct roots of xᵖ⁻¹ − 1 ≡ 0 and factorizing, prove that

xᵖ⁻¹ − 1 ≡ a(x − 1)(x − 2) ··· (x − (p − 1)) (mod p)

for some non-zero a ∈ Zₚ. Hence provide an alternative proof of Wilson’s Theorem.

3. Recall the binomial theorem: $(x + y)^p = \sum_{k=0}^{p} \binom{p}{k} x^k y^{p-k}$, where $\binom{p}{r} = \frac{p!}{r!\,(p-r)!}$ (this is an integerᵃ).

(a) If p is prime and 1 ≤ r ≤ p − 1, prove that $p \mid \binom{p}{r}$. Hence prove that

(x + y)ᵖ ≡ xᵖ + yᵖ (mod p)

(b) For any integers x₁, . . . , xₙ, prove that (x₁ + ··· + xₙ)ᵖ ≡ x₁ᵖ + ··· + xₙᵖ (mod p).
(c) Prove that aᵖ ≡ a (mod p) for all integers a. Hence give an alternative proof of Fermat.

4. (a) Suppose a deck has 30 cards. Argue that riffle shuffling will eventually reset the deck.
(b) How many shuffles do you really need when there are 30 cards? It is a lot less than 30. . .
(c) Suppose that a deck has 2m cards. What might go wrong with the argument?

ᵃ Can you convince yourself of this? How many ways can you choose r objects from p?
