Designs, Codes and Cryptography, 27, 93–110, 2002. © 2002 Kluwer Academic Publishers. Manufactured in The Netherlands.
Modular Arithmetic on Elements of Small Norm in Quadratic Fields

M. J. JACOBSON, JR.
Department of Computer Science, University of Manitoba, Winnipeg, MB, R3T 2N2

H. C. WILLIAMS
Dept. of Mathematics and Statistics, University of Calgary, Calgary, AB, T2N 1N4

Communicated by: C. J. Colbourn, D. R. Stinson, G. H. J. van Rees

Abstract. We describe an algorithm which rapidly computes the coefficients of elements of small norm in quadratic fields modulo a positive integer. Our method requires that an approximation of the natural logarithm of that quadratic field element is known to sufficient accuracy. To demonstrate the efficiency and utility of our method, we apply it to eliminate a number of exceptional cases of a theorem of Dujella and Pethő [9] involving Diophantine triples. In particular, we are able to show that Theorem 1.2 of [9] is unconditionally true for all k ≤ 100 with the possible exception of k = 37, for which the theorem holds under the assumption of the Extended Riemann Hypothesis.

Keywords: quadratic fields, Diophantine equations, units

Dedicated to Ron Mullin on the occasion of his 65th birthday.

1. Introduction
Following Dujella [7], we define a set D of m positive integers to be a Diophantine m-tuple if the product of any two distinct elements of D increased by 1 is a perfect square. A well-known example of such a set is {1, 3, 8, 120}. No Diophantine m-tuple for m > 4 is known. Furthermore, Baker and Davenport [2] showed that if d is a positive integer such that {1, 3, 8, d} is a Diophantine quadruple, then d must be 120. This result was generalized by Dujella and Pethő [8] to all Diophantine triples of the form {1, 3, c}. Indeed, if {1, 3, c} is a Diophantine triple, then $c = c_k$ for some $k \in \mathbb{Z}^+$, where the sequence $\{c_k\}$ is given by

$$c_0 = 0, \quad c_1 = 8, \quad c_{k+2} = 14c_{k+1} - c_k + 8 \quad (k \ge 0).$$

Here we get $c_k + 1 = s_k^2$, $3c_k + 1 = t_k^2$, where

$$s_0 = 1,\ s_1 = 3,\ s_{k+2} = 4s_{k+1} - s_k; \qquad t_0 = 1,\ t_1 = 5,\ t_{k+2} = 4t_{k+1} - t_k \quad (k \ge 0),$$
and it is easy to verify that $c_{k\pm1} c_k + 1 = (2c_k \pm s_k t_k)^2$. The main result of [8] is the following theorem.

THEOREM 1.1. Let $k \in \mathbb{Z}^+$. If d is an integer which satisfies the system of equations

$$d + 1 = x_1^2, \quad 3d + 1 = x_2^2, \quad c_k d + 1 = x_3^2, \tag{1}$$

then $d \in \{0, c_{k-1}, c_{k+1}\}$.

Every solution set $\{d, x_1, x_2, x_3\}$ of (1) induces an integer point on the elliptic curve

$$E_k : y^2 = (x + 1)(3x + 1)(c_k x + 1), \tag{2}$$

where $y = x_1 x_2 x_3$ and $x = d$. In Dujella and Pethő [9], it was shown that the converse of this is true provided that the rank of $E_k(\mathbb{Q})$ is equal to 2. Furthermore, the rank of $E_k(\mathbb{Q})$ for $k \ge 2$ is at least 2. More specifically, the main result of [9] is Theorem 1.2.

THEOREM 1.2. Let $k \in \mathbb{Z}^+$. If $\operatorname{rank}(E_k(\mathbb{Q})) = 2$ or $k \le 40$, with the possible exceptions of k = 23 or 37, then all the integer points on (2) are given by

$$(x, y) \in \{(-1, 0),\ (0, \pm 1),\ (c_{k-1}, \pm s_{k-1} t_{k-1}(2c_k - s_k t_k)),\ (c_{k+1}, \pm s_{k+1} t_{k+1}(2c_k + s_k t_k))\}.$$

One of the purposes of this note is to eliminate the possible exceptions in Theorem 1.2 and extend the value of k up to 100. In order to do this (see [9]), we must find all integer solutions of systems of equations of the form

$$d_1 x_1^2 - d_2 x_2^2 = j_1, \qquad d_3 x_1^2 - d_2 x_3^2 = j_2, \tag{3}$$
where

1. $d_1 = 3D_2$ and $D_2$ is a square-free divisor of $c_k - 1 = (t_k + 2)(t_k - 2)/3$,
2. $d_2 = D_3$ and $D_3$ is a square-free divisor of $c_k - 3 = (s_k + 2)(s_k - 2)$ which is not divisible by 3,
3. $(d_3, j_1, j_2) = (c_k, 2, (c_k - 1)/D_2)$ or $(2c_k, 1, (c_k - 1)/D_2)$.

In [9] the authors were able to solve the system (3) for all values of k ≤ 40 except for the cases

k = 23, d1 = 380631510488414383527682077, d2 = 11263976658479, d3 = 253754340325609589018454720, j1 = j2 = 1

k = 23, d1 = 19509779867757, d2 = 11263976658479, d3 = 25375430325609589018454720, j1 = 1, j2 = 19509779867761

k = 37, d1 = 187060083, d2 = 1489467623820555129, d3 = 1311942540724389723505929002667880175005208, j1 = 2, j2 = 21040446251556347115048521645334887.
In order to solve a system like (3), it is necessary to be able to characterize solutions of a Diophantine equation of the form

$$a x_1^2 - b x_2^2 = c \tag{4}$$

for given values of a, b, c such that ab is not a perfect square. This means that we need to determine the existence of some $\alpha = x + y\sqrt{ab}$ $(x, y \in \mathbb{Z})$ such that $N(\alpha) = \alpha\bar{\alpha} = x^2 - y^2 ab = ac$. Notice that if a is squarefree, we must have $a \mid x$. This is an instance of the discrete logarithm problem in the order $\mathbb{Z}[\sqrt{ab}]$. The best available algorithms for doing this, particularly when ab is large, are the subexponential techniques described by Abel [1] and, more recently, by Jacobson [11,12]. Jacobson's algorithm will produce an approximation to the value of $\log|\alpha| + 1/2 \log|N(\alpha)|$ when such a value of α exists; otherwise, it will establish that there is no such α. However, when c is 1 or 2, there are (see Section 4) simpler methods of approaching the problem of the solubility of (4) which only require that we determine a coefficient of the fundamental unit of $\mathbb{Q}(\sqrt{ab})$ modulo 2a/c and 2b/c.

The main difficulty that we encounter when performing the requisite calculations is the size of the numbers that may be involved. For example, in the first of the three cases given above for k = 23, the logarithm of the fundamental unit exceeds $5 \times 10^{16}$. This means that the least possible values of $x_1$ and $x_2$ in (3) are very large numbers, if they exist at all. In what follows we will develop an efficient technique, which is easily implemented on a computer, to determine the value of α mod m, given a basis of the ideal (α) in an order of $\mathbb{Q}(\sqrt{D})$, a value of $m \in \mathbb{Z}^+$ and an approximation to the value of $\log|\alpha|$.
2. Orders, Ideals and Units in Real Quadratic Fields
In this section we will briefly review some elementary properties of real quadratic orders. Proofs of these results can be found in Cohen [4], Cohn [5] and Cox [6]. Let D be any positive non-square integer and let D = f 2 D0 , where D0 is square-free. We put D when D ≡ D0 ≡ 1 (mod 4), D when D ≡ 0 (mod 4), D0 ≡ 1 (mod 4), = 4D when D0 ≡ 1 (mod 4). √ √ √ Let ω = ( + )/2 and consider the order O = O = Z + ωZ of Q( ) (= Q( D0 )). Any integral ideal a of O can be written as a = aZ + (b + cω)Z,
(5)
where a, b, c ∈ Z+ , c | b and c | a. In addition, the norm of a, written N (a), is the value of ac. If c = 1, we say that a is a primitive ideal of O. In particular, if a is a principal ideal of O (a = αO = (α) for some α ∈ O), then N (a) = |N (α)|.
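A principal ideal is an example of an invertible ideal. An ideal $\mathfrak{a}$ of $\mathcal{O}$ is invertible if there exists an ideal $\mathfrak{b}$ of $\mathcal{O}$ such that $\mathfrak{a}\mathfrak{b} = (c)$, where $c \in \mathbb{Z}$, $c \ne 0$. Invertible ideals $\mathfrak{a}$ and $\mathfrak{b}$ possess the following properties:

1. $N(\mathfrak{a})N(\mathfrak{b}) = N(\mathfrak{a}\mathfrak{b})$,
2. $\mathfrak{a}\bar{\mathfrak{a}} = (N(\mathfrak{a}))$.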
√ Here a¯ = aZ + (b + cω)Z ¯ when a is given by (5) and ω¯ = ( − )/2 is the conjugate of ω. We have the following proposition. PROPOSITION 1. If a is an invertible ideal of O and α ∈ a, then there exists an invertible ideal b of O such that (N (b))a = (α)b. Proof.
Since α ∈ a, we have a ⊃ (α). Thus,
(N (a)) = a¯a ⊃ (α)¯a, and therefore every element of (α)¯a is divisible by N (a). It follows that (α)¯a = N (a)c, where c is an ideal of O. From this we deduce that (α) = ca. Since (N (α)) = ca(α), ¯ we see that c is invertible; hence, (α)¯c = N (c)a. Putting b = c¯, we see that b is invertible and (α)b = (N (b))a. We also point out that if a = aZ + βZ (a ∈ Z+ , β ∈ O) is any primitive invertible ideal of ¯ N (β)/a ∈ Z and their greatest common divisor (a, β + β, ¯ N (β)/a) = 1. O, then a, β + β, Let ε ∈ O and suppose there exists some η ∈ O such that εη = 1. We call ε a unit of O, and it is well known that N (ε) = ±1 and m ε = ±ε ,
where m ∈ Z and ε (>1) is the fundamental unit of O. We denote by R (= log ε ) the regulator of O. Now consider the Pell equation T 2 − DU 2 = 1 (T, U ∈ Z). (6) √ √ Note that U > 0. Furthermore, √ if T + D U > 1, then 0 < T − D U < 1 and therefore T, √ √ T = D U . It follows that if t, u is a solution of (6) and√1 < t + D u < T + D U, then√0 < t < T and 0 1 and t + D u is least. As the unit group of O is an abelian group of rank 1
(see [5, p. 99]), if T, U is any other solution of (6) then √ T + DU = ±ε(D)m , where m ∈ Z. We now relate ε(D) to ε . Since ε ∈ O, we must have √ ε = (x + y )/2, where x, y ∈ Z, x ≡ y (mod 2) and x 2 − y 2 = ±4. ν It is not difficult to deduce that ε(D) = ε for some ν. Indeed, we have ν ∈ {1, 2, 3, 6}, and the value of ν can be computed from Table 1. From this we see that if we are given D and ε we can easily deduce the value of ν and ε(D) once we know the values of x and y modulo 8. ν Table 1. Values of ν such that ε = ε(D).
D                                  y           x                   ν
D ≡ 1 (mod 4)                      4| y        –                   1
                                   2 y         –                   2
D ≡ 5 (mod 16)                     2 | y       x ≡ ±3y (mod 8)     3
                                               x ≡ ±y (mod 8)      6
D ≡ 13 (mod 16)                    2 | y       x ≡ ±y (mod 8)      3
                                               x ≡ ±3y (mod 8)     6
D ≡ 2 (mod 4)                      2| y        –                   1
                                   2 | y       –                   2
D ≡ 3 (mod 4)                      –           –                   1
D ≡ 0 (mod 4), D0 ≡ 1 (mod 4)      2| y        –                   1
                                   2 | y       –                   2
D ≡ 0 (mod 4), D0 ≡ 1 (mod 4)      –           –                   1
3. Compact Representations
In order to deal with the exceptional cases in Theorem 1.2, we shall need to be able to compute units modulo a given integer; however, one of the difficulties in performing computations on units is that as gets large, the value of ε tends to become enormous. In order to handle this difficulty Buchmann et al. [3] developed the concept of a compact representation. For $\alpha \in \mathcal{O}$, we define the height of α by $H(\alpha) = 2\max(|\alpha|, |\bar{\alpha}|)$. If $\alpha \in \mathcal{O}$, there always exists a compact representation of α, given by

$$\alpha = \gamma \prod_{j=1}^{k} \left(\frac{\alpha_j}{d_j}\right)^{2^{k-j}}, \tag{7}$$
where 1. k < log2 log2 H (α) + 2,
√ 2. d j ∈ Z+ , γ ∈ O, α j = (a j + b j )/2 ∈ O, a j , b j ∈ Z ( j = 1, 2, . . . , k), 3. H (γ ) ≤ |N (α)|, 4. d j < 1/2 , |a j | < 5/2 , |b j | < 2 ( j = 1, 2, . . . , k). The following result is proved in [3].
THEOREM 3.1. There is a deterministic polynomial (in log and k) time algorithm, which given a representation of the form (5) of a = (α) and a value for A ∈ Q such that |A − log |α|| < 1/16, will compute a compact representation for α. This algorithm is easily implemented on a computer and executes rapidly on numbers of O(log + log |N (α)|) bits. As pointed out in [3], compact representations are far more convenient √ for recording a value for α,√as it is possible for the values of x and y when α = (x + y )/2 to be of the order of bits, even when the values of a, b, c in (5) are small. This represents a great deal of space when is large. Thus, the representation (7) is much more convenient when R is large. √ In [3] it was also shown that if α = (x + y )/2, as above and we are given a positive integer m, we can use (7) to compute x and y (or α) modulo m in O(k) arithmetic operations on numbers of O(max{(k log ) + log m, log |N (α)|}) bits. Unfortunately, this procedure, while of polynomial complexity, is not very efficient because of the size of the numbers involved. In the remainder of this section, we will develop another technique for doing this, which is more convenient for implementation on a computer. We first point out that the problem of computing α mod m is very easy if (m, d j ) = 1 for all j, 1 ≤ j ≤ k. In this case we put A1 = α1 , D1 = d1 and compute Di+1 ≡ di+1 Di2
(mod m) (i = 1, 2, . . . , k − 1) and $A_{i+1} \equiv \alpha_{i+1} A_i^2 \pmod{m}$ $(i = 1, 2, \ldots, k-1)$ such that $A_{i+1} \in \mathcal{O}$. Then $\eta \equiv \gamma D_k^{-1} A_k \pmod{m}$.
However, if some of the values of the $d_i$ $(i = 1, 2, \ldots, k)$ are not relatively prime to m, we must make a modification to this simple process. In order to do this we observe that there can be many representations of the form (7) for α which satisfy properties 1 and 2. During the process of computing a compact representation of α, the algorithm mentioned earlier produces a sequence of pairs $(d_0, \beta_0), (d_1, \beta_1), \ldots, (d_k, \beta_k)$
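such that $\beta_j \in \mathcal{O}$, $\mathfrak{a}_j = d_j\mathbb{Z} + \beta_j\mathbb{Z}$ is a primitive, principal ideal in $\mathcal{O}$ ($\mathfrak{a}_j = d_j A_j$ in [3]), $\mathfrak{a}_0 = (1) = \mathcal{O}$, $\mathfrak{a}_k = (\alpha)$ and $\mathfrak{a}_j = (\gamma_j)$, where

$$\gamma_j = \alpha_j \prod_{i=1}^{j-1} \left(\frac{\alpha_i}{d_i}\right)^{2^{j-i}} \in \mathcal{O} \quad (j = 1, 2, 3, \ldots, k).$$

Also,

$$(d_{j-1})^2\, \mathfrak{a}_j = (\alpha_j)\, \mathfrak{a}_{j-1}^2 \quad (j = 1, 2, \ldots, k). \tag{8}$$

Now for any i (0 ≤ i ≤ k), let $\lambda_i \in \mathfrak{a}_i$; by Proposition 1 there must exist some ideal $\mathfrak{b}_i$ of $\mathcal{O}$ such that

$$N(\mathfrak{b}_i)\, \mathfrak{a}_i = (\lambda_i)\, \mathfrak{b}_i. \tag{9}$$

Also, $\mathfrak{b}_i = (\kappa_i)$, where $\kappa_i = \bar{\lambda}_i \gamma_i / d_i \in \mathcal{O}$. If we put $\lambda_0 = 1$, then $\mathfrak{b}_0 = \mathfrak{a}_0 = (1)$, $\kappa_0 = 1$, and since

$$\gamma_i = \alpha_i \left(\frac{\gamma_{i-1}}{d_{i-1}}\right)^2 \quad (i = 1, 2, \ldots, k),$$

we get

$$\kappa_i = \nu_i \left(\frac{\kappa_{i-1}}{N(\mathfrak{b}_{i-1})}\right)^2 \quad (i = 1, 2, \ldots, k), \tag{10}$$

where

$$\nu_i = \frac{\bar{\lambda}_i \alpha_i N(\mathfrak{b}_{i-1})^2}{d_i \bar{\lambda}_{i-1}^2} = \frac{\bar{\lambda}_i \alpha_i \lambda_{i-1}^2}{d_i d_{i-1}^2} = \pm\frac{N(\mathfrak{b}_i) \alpha_i \lambda_{i-1}^2}{d_{i-1}^2 \lambda_i}.$$

By (8) and (9) we get

$$N(\mathfrak{b}_{i-1})^2 d_{i-1}^2 \lambda_i\, \mathfrak{b}_i = \alpha_i \lambda_{i-1}^2 N(\mathfrak{b}_i)\, \mathfrak{b}_{i-1}^2;$$

hence, $\nu_i \in \mathfrak{b}_i \subseteq \mathcal{O}$. If we put $\lambda_k = N(\mathfrak{a}_k) = d_k$, then $\mathfrak{b}_k = \mathfrak{a}_k$, and by (10) we get

$$\alpha = \frac{\gamma \gamma_k}{d_k} = \frac{\gamma \kappa_k}{d_k} = \gamma \prod_{i=1}^{k} \left(\frac{\nu_i}{N(\mathfrak{b}_i)}\right)^{2^{k-i}}. \tag{11}$$

Since $\alpha_k$ and $\nu_k$ must have the same sign, we may assume that

$$\nu_i = \frac{N(\mathfrak{b}_i) \alpha_i \lambda_{i-1}^2}{d_{i-1}^2 \lambda_i} \quad (i = 1, 2, \ldots, k) \tag{12}$$

in (11). In order to compute α mod m, we need to be able to find $\lambda_i$ in each $\mathfrak{a}_i$ such that $(N(\mathfrak{b}_i), m) = 1$. From (9) and the multiplicative property of the norm, this means that we must find $\lambda_i$ such that $(N(\lambda_i)/N(\mathfrak{a}_i), m) = 1$.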
Let $\mathfrak{a} = d\mathbb{Z} + \beta\mathbb{Z}$ be any primitive ideal in $\mathcal{O}$ and let $\lambda \in \mathfrak{a}$. Then $\lambda = xd + y\beta$ $(x, y \in \mathbb{Z})$, $N(\mathfrak{a}) = d$, and

$$N(\lambda)/N(\mathfrak{a}) = d x^2 + (\beta + \bar{\beta})xy + (N(\beta)/d)y^2.$$

Let $a_1 = d$, $a_2 = \beta + \bar{\beta}$, $a_3 = N(\beta)/d$ and put $h_1 = a_1$, $h_2 = a_1 + a_2 + a_3$, $h_3 = a_3$. Since $(a_1, a_2, a_3) = 1$, we must have $(h_1, h_2, h_3) = 1$. We now require the following simple algorithm.

ALGORITHM 1. Given $h \in \mathbb{Z}$, $m \in \mathbb{Z}^+$, find $r, s \in \mathbb{Z}^+$ such that m = rs, (r, h) = 1 and any prime factor of s must also divide h.

1. Put $g_1 = (m, h)$, $r_1 = m/g_1$, $s_1 = g_1$, $i = 1$.
2. If $g_i > 1$, put
   $g_{i+1} = (r_i, g_i)$
   $r_{i+1} = r_i / g_{i+1}$
   $s_{i+1} = g_{i+1} s_i$
   $i \leftarrow i + 1$
   go to 2
   else $r = r_i$, $s = s_i$.

Proof of correctness. We note that

$$r_j = \frac{m}{s_j}, \qquad s_j = \prod_{i=1}^{j} g_i.$$

It follows that since $r_j \in \mathbb{Z}$, we must find some j such that $g_j = 1$ and $j = O(\log m)$. Also, $r_j s_j = m$, $r_j \mid r_i$ $(i \le j)$, $g_j \mid g_i$ $(i \le j)$. We now show that $(r_j, g_1) = 1$. Certainly $(r_j, g_j) = 1$; suppose $(r_j, g_k) = 1$ for some k such that $2 \le k \le j$. Since $g_k = (r_{k-1}, g_{k-1})$, we get $(r_k, g_{k-1}/g_k) = 1$. Also, $r_j \mid r_k$, and therefore $(r_j, g_{k-1}/g_k) = 1$. Since $(r_j, g_k) = 1$, we must have $(r_j, g_{k-1}) = 1$; thus, we may conclude by induction that $(r_j, g_1) = 1$. Since $(r_1, h/g_1) = 1$ and $r_j \mid r_1$, we get $(r_j, h/g_1) = 1$. Since $(r_j, g_1) = 1$, we must have $(r_j, h) = 1$. If p is any prime such that $p \mid s_j$, then $p \mid g_i$ for some $i \le j$; it follows that $p \mid g_1$ and $p \mid h$. Thus, $r = r_j$ and $s = s_j$ satisfy the requirements of the algorithm and it executes in $O(\log m)$ arithmetic operations on numbers of $O(\log \max\{m, h\})$ bits.

We now use Algorithm 1 to put

$$m = r_1 s_1, \qquad s_1 = r_2 s_2, \qquad s_2 = r_3 s_3,$$

where $(r_i, h_i) = 1$ and any prime which divides $s_i$ must divide $h_i$ (i = 1, 2, 3). We get $m = r_1 r_2 r_3 s_3$ and $(r_1, r_2) = (r_2, r_3) = (r_3, r_1) = 1$. If p is a prime and $p \mid s_3$, then $p \mid s_2$ and $p \mid s_1$, but this means that $p \mid (h_1, h_2, h_3)$, which is impossible. Thus $m = r_1 r_2 r_3$.
We next use the Chinese remainder theorem to find x, y such that 0 < x, y < m,

$$x \equiv 1 \pmod{r_1 r_2}, \quad x \equiv 0 \pmod{r_3}, \quad y \equiv 1 \pmod{r_2 r_3}, \quad y \equiv 0 \pmod{r_1}.$$

If $\lambda = xd + \beta y$ and p is a prime which divides m and $N(\lambda)/d$, then since $N(\lambda)/d \equiv h_i \pmod{r_i}$ (i = 1, 2, 3), we must have $p \mid h_i$ for some $i \in \{1, 2, 3\}$, which is contrary to the construction of the $r_i$ values. Hence

$$(N(\lambda)/N(\mathfrak{a}), m) = 1. \tag{13}$$

Thus, given m and $\mathfrak{a} = d\mathbb{Z} + \beta\mathbb{Z}$, we have produced an algorithm that computes a value for $\lambda \in \mathfrak{a}$ such that (12) holds and this algorithm will execute in $O(\log m)$ arithmetic operations on numbers of $O(\log \max\{m, d, |\beta + \bar{\beta}|, |N(\beta)|/d\})$ bits.

To compute α mod m, we need to find a sequence $\lambda_1, \lambda_2, \ldots, \lambda_k$ such that $\lambda_i \in \mathfrak{a}_i$ and $(N(\lambda_i)/d_i, m) = 1$. We do this by putting $\lambda_i = N(\mathfrak{a}_i) = d_i$ whenever $(m, d_i) = 1$ and by using the process described above whenever $(m, d_i) > 1$. Thus $N(\mathfrak{b}_i) = N(\lambda_i)/d_i$ and we can use (12) to compute the values of $\nu_i$ in (11). Since $(N(\mathfrak{b}_i), m) = 1$ for all $i \in \{1, 2, \ldots, k\}$, we can use (11) to compute α (mod m) by the method explained at the beginning of this discussion. Note that we must evaluate each $\nu_i$ in (12) exactly, not just modulo m. The overall complexity of this algorithm is $O(k \log m)$ arithmetic operations on numbers of binary size O(log max{m, , |N (α)|}).
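Algorithm 1 and the Chinese-remainder step above, as an added Python example (not the authors' LiDIA code): given the coefficients a1 = d, a2 = β + β̄, a3 = N(β)/d of an ideal and a modulus m, it returns x, y such that N(λ)/N(a) is coprime to m for λ = xd + yβ. The function names and both sample coefficient triples are constructed for illustration.

```python
from math import gcd


def coprime_split(m, h):
    """Algorithm 1: write m = r*s with gcd(r, h) = 1 and every prime of s dividing h."""
    g = gcd(m, h)                # g_1 = (m, h)
    r, s = m // g, g             # r_1 = m / g_1, s_1 = g_1
    while g > 1:
        g = gcd(r, g)            # g_{i+1} = (r_i, g_i)
        r //= g                  # r_{i+1} = r_i / g_{i+1}
        s *= g                   # s_{i+1} = g_{i+1} * s_i
    return r, s


def crt_pair(res_a, mod_a, res_b, mod_b):
    """Least x >= 0 with x = res_a (mod mod_a) and x = res_b (mod mod_b); coprime moduli."""
    if mod_b == 1:
        return res_a % mod_a
    t = ((res_b - res_a) * pow(mod_a, -1, mod_b)) % mod_b
    return (res_a + mod_a * t) % (mod_a * mod_b)


def norm_form(coeffs, x, y):
    """N(lambda)/N(a) = a1*x^2 + a2*x*y + a3*y^2 for lambda = x*d + y*beta."""
    a1, a2, a3 = coeffs
    return a1 * x * x + a2 * x * y + a3 * y * y


def choose_lambda(coeffs, m):
    """Return (x, y), residues mod m, with gcd(norm_form(coeffs, x, y), m) = 1."""
    a1, a2, a3 = coeffs
    if gcd(gcd(a1, a2), a3) != 1:
        raise ValueError("need (a1, a2, a3) = 1, i.e. a primitive invertible ideal")
    h1, h2, h3 = a1, a1 + a2 + a3, a3
    r1, s1 = coprime_split(m, h1)    # m   = r1 * s1
    r2, s2 = coprime_split(s1, h2)   # s1  = r2 * s2
    r3, s3 = coprime_split(s2, h3)   # s2  = r3 * s3, and s3 = 1 since (h1, h2, h3) = 1
    if s3 != 1 or r1 * r2 * r3 != m:
        raise ArithmeticError("splitting failed; coefficients are not coprime")
    # x = 1 mod r1*r2, x = 0 mod r3;  y = 1 mod r2*r3, y = 0 mod r1,
    # so the form is congruent to h_i modulo r_i for i = 1, 2, 3.
    x = crt_pair(1, r1 * r2, 0, r3)
    y = crt_pair(1, r2 * r3, 0, r1)
    return x, y


# Constructed sample: the ideal 15Z + (8 + sqrt(79))Z of Z[sqrt(79)], so that
# d = 15, beta + conj(beta) = 16 and N(beta)/d = (64 - 79)/15 = -1.
SAMPLE_IDEAL = (15, 16, -1)
# Constructed sample where only h2 = a1 + a2 + a3 is coprime to m = 6.
SAMPLE_MIDDLE = (6, 11, -6)

if __name__ == "__main__":
    for coeffs, m in ((SAMPLE_IDEAL, 30), (SAMPLE_IDEAL, 210), (SAMPLE_MIDDLE, 6)):
        x, y = choose_lambda(coeffs, m)
        value = norm_form(coeffs, x, y)
        print(f"coeffs={coeffs} m={m}: x={x}, y={y}, "
              f"N(lambda)/N(a)={value}, gcd with m={gcd(value, m)}")
```

With λ = d itself (x = 1, y = 0) the first sample gives N(λ)/N(a) = 15, which shares the factor 15 with m = 30; that is the situation the construction is there to avoid.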
4. Determining the Solubility of Norm Equations
We have now developed general methods which can be used to attack Diophantine equations of the form (4), where a, b, c can be quite large positive integers such that ab is not a perfect square. We should, however, remark that the authors of [9] enjoyed some success simply by considering (4) when c = 1, 2. We will now show how to solve

$$ax^2 - by^2 = c, \tag{14}$$

where c = 1, 2; one of a or b > 1; (a, b) = (ab, c) = 1 and ab is not a perfect square. Indeed, as mentioned in [9], Grelak and Grytczuk (see [10]) showed that (14) has a solution if and only if $(2a/c) \mid v_1 + 1$ and $(2b/c) \mid v_1 - 1$, where $v_1 + \sqrt{ab}\,u_1 = \varepsilon(ab)$. We will need a slightly more general result than this.

We first note that if (x, y) is a solution of (14), we may assume with no loss of generality that $\sqrt{a}\,x + \sqrt{b}\,y > \sqrt{c}$. Furthermore, if $\sqrt{a}\,x + \sqrt{b}\,y > \sqrt{c}$, then $0 < \sqrt{a}\,x - \sqrt{b}\,y < \sqrt{c}$, and we must have x, y > 0. It is also easy to see that $\sqrt{b}\,y < \sqrt{a}\,x < \sqrt{b}\,y + \sqrt{c}$. Thus, if $(x', y')$ is also a solution of (14) such that $\sqrt{a}\,x' + \sqrt{b}\,y' > \sqrt{c}$ and $\sqrt{a}\,x' + \sqrt{b}\,y' < \sqrt{a}\,x + \sqrt{b}\,y$, we must have $0 < x' < x$, $0 < y' < y$. We define λ to be that value of $\sqrt{a}\,x + \sqrt{b}\,y$ such that (x, y) is a solution of (14) and λ is the least such value for which $\lambda > \sqrt{c}$.

THEOREM 4.1. (See Theorem 1.7 of [15]) Under the definition of λ given above, $\varepsilon(ab) = \lambda^2/c$.
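Proof. Certainly $\lambda^2/c \in \mathbb{Z}[\sqrt{ab}]$ and $N(\lambda^2/c) = 1$; hence, $\lambda^2/c = \varepsilon(ab)^m$. Since $\varepsilon(ab) > 1$ and $\lambda^2/c > 1$, we must have $m \in \mathbb{Z}^+$. Suppose $2 \mid m$. In this case we get $\lambda/\sqrt{c} = \varepsilon(ab)^{m/2}$, which means that

$$\sqrt{a}\,x + \sqrt{b}\,y = \sqrt{c}\,(v + u\sqrt{ab}) \quad (u, v \in \mathbb{Z}). \tag{15}$$

We may suppose with no loss of generality that b > 1. Solving for $\sqrt{a}$ (assuming $x \ne \sqrt{cb}\,u$), we get

$$\sqrt{a} = \frac{\sqrt{c}\,v - \sqrt{b}\,y}{x - \sqrt{cb}\,u} = \frac{(\sqrt{c}\,v - \sqrt{b}\,y)(x + \sqrt{cb}\,u)}{x^2 - cb\,u^2} = r_1\sqrt{b} + r_2\sqrt{c},$$

where $r_1, r_2 \in \mathbb{Q}$. Since $(\sqrt{b}\,r_1 + \sqrt{c}\,r_2)^2 \in \mathbb{Q}$, we must have $\sqrt{bc} \in \mathbb{Q}$. If c = 2, this is impossible because $2 \nmid b$. If c = 1 and $\sqrt{b} \in \mathbb{Q}$, then $\sqrt{a} \in \mathbb{Q}$, which is also impossible because $\sqrt{ab} \notin \mathbb{Q}$. Thus, we must have c = 1 and $x = \sqrt{b}\,u$. However, in this case we get $b \mid c$ from (14), which is also impossible. Thus, m must be odd. Put m = 1 + 2k and suppose k > 0. We get

$$\mu = \varepsilon(ab)^{-k}\lambda < \lambda.$$

Since $\varepsilon(ab)^{-2k}\lambda^2/c = \varepsilon(ab) > 1$, we also get $\mu > \sqrt{c}$. But if $\mu = \sqrt{a}\,X + \sqrt{b}\,Y$ $(X, Y \in \mathbb{Z})$ and $\bar{\mu} = \sqrt{a}\,X - \sqrt{b}\,Y$, then $\bar{\mu} = \varepsilon(ab)^{k}(\sqrt{a}\,x - \sqrt{b}\,y)$ and $\mu\bar{\mu} = \lambda\bar{\lambda} = c$ with $\sqrt{c} < \mu < \lambda$, a contradiction to the definition of λ. Hence k = 0 and $\varepsilon(ab) = \lambda^2/c$.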
THEOREM 4.2. Let m be any odd integer. Equation (14) has a solution in integers if and only if $(2a/c) \mid v_m + 1$ and $(2b/c) \mid v_m - 1$, where $v_m + u_m\sqrt{ab} = \varepsilon(ab)^m$.

Proof. Suppose (14) has a solution in integers; then by Theorem 4.1 there exists a solution (x, y) of (14) such that

$$\varepsilon(ab) = \frac{(\sqrt{a}\,x + \sqrt{b}\,y)^2}{c}.$$

Let m = 2k + 1. We have

$$v_{2k+1} + \sqrt{ab}\,u_{2k+1} = \frac{(\sqrt{a}\,x + \sqrt{b}\,y)^2 (v_{2k} + \sqrt{ab}\,u_{2k})}{c};$$

hence,

$$v_{2k+1} = v_{2k}\,\frac{ax^2 + by^2}{c} + \frac{2ab}{c}\,xy\,u_{2k}.$$

Since $v_{2k} = 2v_k^2 - 1$ and $v_k^2 \equiv 1 \pmod{ab}$, we must have $v_{2k} \equiv 1 \pmod{2ab}$. Also, $(ax^2 + by^2)/c \equiv -1 \pmod{2a/c}$ and $(ax^2 + by^2)/c \equiv 1 \pmod{2b/c}$ by (14). Thus $(2a/c) \mid v_m + 1$ and $(2b/c) \mid v_m - 1$.

If $(2a/c) \mid v_m + 1$ and $(2b/c) \mid v_m - 1$, then since $v_m^2 - 1 = ab\,u_m^2$, we get

$$\frac{c(v_m + 1)}{2a} \cdot \frac{c(v_m - 1)}{2b} = (u_m c/2)^2.$$

Now if c = 2, we get $v_1 = (ax^2 + by^2)/2 = by^2 + 1$. Also, by (14) $2 \mid y$ means that $2 \mid x$, which means that $4 \mid c$, which cannot be so. It follows that $2 \mid v_1$. Since $v_1 \mid v_m$ whenever m is odd, we see that for c = 1 or 2

$$\left(\frac{c(v_m + 1)}{2a}, \frac{c(v_m - 1)}{2b}\right) = 1;$$

hence

$$\frac{c(v_m + 1)}{2a} = r^2, \qquad \frac{c(v_m - 1)}{2b} = s^2 \quad (r, s \in \mathbb{Z})$$

and $ar^2 - bs^2 = c$.

Now suppose that D = ab and $\eta = \varepsilon^m$,
√ ν where m is odd. We know that ε(ab) = ε√ where ν ∈ {1, 2, 3, 6}. Also, ηµ ∈ Z[ D] for some µ ∈ {1, 2, 3, 6}, and if η = (x + y D)/2, µ can be computed by using Table 1. Now ηµ = ε(D)k , µm = kν and N (η) = N (ε ). We have 2 | ν if and only if N (ε ) = −1, and 2 | µ if and only if N (η) = −1. It follows that 2 | ν if and only if 2 | µ, and therefore k must be odd. Thus, if √ ηµ ≡ v + u ab (mod 2ab/c) we can easily determine whether or not (14) has a solution by examining the value of v mod 2a/c and 2b/c. Thus, it remains to find a compact representation for any η which is an odd power of ε . This can be done as long as we can find an odd integral multiple of R , and this can be achieved, even for quite large values of , by using the subexponential methods described in [11,12]. These techniques, under suitable Riemann hypotheses, will compute R , but all we need here is any odd integral multiple of R . The subexponential methods
will compute an integral multiple S of R without appealing to any unproved assumption. This can be easily refined to produce an odd multiple of R which is computed correctly and unconditionally. (One simply divides S by 2 and then determines whether an ideal of distance S/2 from (1) has norm 1; if so replace S by S/2 and try again until no such ideal is found.) The resulting value of S is an odd multiple of R .
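The congruence test of Theorem 4.2 on small inputs, as an added Python example (not the authors' code): it obtains ε(ab) from the continued fraction of √ab rather than from the compact representations the paper needs for large discriminants, reduces v_m by square-and-multiply, and recovers r, s from c(v_1 + 1)/(2a) = r², c(v_1 − 1)/(2b) = s² as in the proof. Function names are hypothetical; the example assumes a > 1 when c = 1 and, for c = 2, also checks that v_m is even, the parity derived in the proof.

```python
from math import gcd, isqrt


def pell_fundamental(D):
    """Least T, U > 0 with T^2 - D*U^2 = 1, from the continued fraction of sqrt(D)."""
    a0 = isqrt(D)
    if a0 * a0 == D:
        raise ValueError("D must not be a perfect square")
    m, d, a = 0, 1, a0
    p_prev, p, q_prev, q = 1, a0, 0, 1
    while p * p - D * q * q != 1:
        m = d * a - m
        d = (D - m * m) // d
        a = (a0 + m) // d
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
    return p, q


def unit_power_mod(T, U, D, m, M):
    """(v_m mod M, u_m mod M), where v_m + u_m*sqrt(D) = (T + U*sqrt(D))^m."""
    rv, ru = 1 % M, 0
    bv, bu = T % M, U % M
    while m:
        if m & 1:
            rv, ru = (rv * bv + D * ru * bu) % M, (rv * bu + ru * bv) % M
        bv, bu = (bv * bv + D * bu * bu) % M, (2 * bv * bu) % M
        m >>= 1
    return rv, ru


def check_inputs(a, b, c):
    """Hypotheses stated for equation (14); returns D = ab."""
    D = a * b
    if c not in (1, 2) or gcd(a, b) != 1 or gcd(D, c) != 1 or isqrt(D) ** 2 == D:
        raise ValueError("need c in {1, 2}, (a, b) = (ab, c) = 1, ab not a square")
    if a == 1 and c == 1:
        # Assumption of this example: a = c = 1 is excluded, since x = 1, y = 0
        # then solves the equation trivially.
        raise ValueError("this example requires a > 1 when c = 1")
    return D


def soluble(a, b, c=1, m=1):
    """Congruence test: (2a/c) | v_m + 1 and (2b/c) | v_m - 1 for odd m > 0."""
    D = check_inputs(a, b, c)
    if m < 1 or m % 2 == 0:
        raise ValueError("m must be a positive odd integer")
    T, U = pell_fundamental(D)
    A, B = 2 * a // c, 2 * b // c
    v, _ = unit_power_mod(T, U, D, m, 2 * A * B)   # even modulus keeps the parity of v_m
    if c == 2 and v % 2:
        return False           # the proof shows v_m is even when c = 2
    return (v + 1) % A == 0 and (v - 1) % B == 0


def least_solution(a, b, c=1):
    """(x, y) with a*x^2 - b*y^2 = c built from v_1 as in the proof, or None."""
    D = check_inputs(a, b, c)
    T, _ = pell_fundamental(D)
    x2, rem_x = divmod(c * (T + 1), 2 * a)
    y2, rem_y = divmod(c * (T - 1), 2 * b)
    x, y = isqrt(x2), isqrt(y2)
    if rem_x or rem_y or x * x != x2 or y * y != y2 or a * x * x - b * y * y != c:
        return None
    return x, y


if __name__ == "__main__":
    # Constructed small inputs; the systems treated in Section 5 are far larger.
    for a, b, c in ((7, 3, 1), (3, 7, 1), (5, 3, 2), (3, 11, 2)):
        print((a, b, c), soluble(a, b, c), soluble(a, b, c, m=3), least_solution(a, b, c))
```

Only `pell_fundamental` limits this to small ab; once a residue of v_m is available by other means, the divisibility checks in `soluble` are unchanged.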
5. Implementation and Computational Results
We have implemented the methods described in [9] to numerically verify Theorem 1.2 for all values of k ≤ 100, using the techniques described above to deal with the exceptional cases k = 23 and 37 and any other cases where the simple congruence criteria from [9] did not suffice to demonstrate the insolubility of (3). Our code is written with the C++ library LiDIA [14] and compiled with the GNU g++ compiler version 2.91.66. The program was run on an 800 MHz Pentium III processor running Linux.

The entire computation required just under 22 hours of CPU time. A total of 24167328 systems of equations of the form (3) were generated, and as illustrated in Table 2, for the vast majority, the congruence conditions from [9] were sufficient to verify insolubility. The eight remaining cases are listed in Table 3. The first six were found by Dujella and Pethő [9], and they were able to handle 19, 23/3 and 35. The case k = 19 was dealt with by examining the system of equations modulo 5, and the fundamental units corresponding to one of the two equations from 23/3 and 35 were sufficiently small that they could be computed explicitly.

For the remaining five cases, 23/1, 23/2, 37, 88, and 96, the fundamental units involved were too large to compute explicitly. However, using the methods described above we were nevertheless able to prove unconditionally that one of the corresponding equations is insoluble, and thus that the systems of equations are insoluble, for the three cases k = 23/1, k = 23/2, and k = 96. For the cases k = 37 and k = 88 we found that by Theorem 4.1 the first equation $d_1 x_1^2 - d_2 x_2^2 = j_1$ is soluble, and we were thus unable to prove that (3) is insoluble using our method. We provide the details of the computation for the first case only. The computations for the remaining cases are similar, so for those cases we only give the data.
Table 2. Insolubility criteria statistics.

Insolubility Condition                                          # Cases
Theorem 1 from [9]                                              98 (0%)
−d2 j2 ≡ 1 (mod 8)                                              18124152 (74%)
(j1 d1 / p) = 1 (p odd, p | D2)                                 5739426 (23%)
(j2 d3 / p) = 1 (p odd, p | D2)                                 0 (0%)
(−j1 d2 / q) = 1 (q odd, q | d1)                                292573 (1%)
(−j2 d2 / r) = 1 (r odd, r | d3)                                11066 (0%)
(d2 d3 / p1) = 1 (p1 odd, p1 | j2, ord p1 (j2) is odd)          5 (0%)
Satisfied all congruence criteria                               8 (0%)
Table 3. Systems which passed the congruence criteria.

k = 19: d1 = 251210975091, d2 = 44809, d3 = 3371344269872647091408, j1 = 2, j2 = 40261110431

k = 23/1: d1 = 380631510488414383527682077, d2 = 11263976658479, d3 = 253754340325609589018454720, j1 = j2 = 1

k = 23/2: d1 = 19509779867757, d2 = 11263976658479, d3 = 25375430325609589018454720, j1 = 1, j2 = 19509779867761

k = 23/3: d1 = 58529339603283, d2 = 1, d3 = 126877170162804794509227360, j1 = 2, j2 = 6503259955919

k = 35: d1 = 20288310329233162249058888791445649852717, d2 = 2254256703248129138784320976827294428079, d3 = 13525540219488774832705925860963766568480, j1 = j2 = 1

k = 37: d1 = 187060083, d2 = 1489467623820555129, d3 = 1311942540724389723505929002667880175005208, j1 = 2, j2 = 21040446251556347115048521645334887

k = 88: d1 = 292983362419056814383407231344054712604820708226547, d2 = 1, d3 = 2861308355145879762324327632991842621067013782183517600/ 4287643702014283940212676853246492879680879008, j1 = 2, j2 = 292983362419056814383407231344054712604820708226543

k = 96: d1 = 11026135853493713136245395422048912696347119870354223043, d2 = 1, d3 = 4052522395323317794484953639977747679484653481672429651/ 4567827617611799470255173285411996561337107767591762560, j1 = 2, j2 = 11026135853493713136245395422048912696347119870354223039
Case k = 23/1

We consider the equation

$$d_1 X^2 - d_2 Y^2 = j_1 \tag{16}$$

where d1 = 380631510488414383527682077, d2 = 11263976658479, j1 = 1. By Theorem 4.2 solutions exist if and only if $v_m \equiv -1 \pmod{2d_1}$ and $v_m \equiv 1 \pmod{2d_2}$ for any odd integer m, where $v_m + u_m\sqrt{D} = \varepsilon(D)^m$ and $D = d_1 d_2$. Using the subexponential algorithm from [11] we compute = 4D = 17149697798492417156044884407530873523532, log η ≈ 56215946005018981.71362
in just under 23 seconds of CPU time. Under the Extended Riemann Hypothesis (ERH) η is the fundamental unit of Q(√ ), but since the ideal of distance (log η)/2 from (1) has norm ≠ ±1, we know unconditionally that it is at worst an odd power of the fundamental unit. Using Table 1 we compute that $\varepsilon(D)^k = \eta^1$ for some odd integer k. From the approximation of log η we compute a compact representation of η and using the methods of Section 3 we find that $\eta^1 \equiv v + u\sqrt{d_1 d_2} \pmod{2d_1}$ where

v = 405102057633460036156322648
u = 79924395854730621904965955.

Since $v \not\equiv -1 \pmod{2d_1}$, by Theorem 4.2, (16) is insoluble and the system of equations corresponding to the case k = 23/1 is also insoluble. Once log η is computed, the rest of the computation is very fast. In total, only about 26.5 seconds of CPU time were required.

Note that in practice it is unnecessary to apply the procedure involving Algorithm 1 to ensure that $(N(\mathfrak{b}_i), 2d_1) = 1$ for each of the $\mathfrak{b}_i$ in the compact representation of $\eta^1$. Applying the reduction operator to $\mathfrak{a}_i$ will rapidly find a suitable equivalent ideal whose norm is coprime to $2d_1$.

Case k = 23/2

We consider the equation

$$d_1 X^2 - d_2 Y^2 = j_1 \tag{17}$$

where d1 = 19509779867757, d2 = 11263976658479, j1 = 1 and compute = 4d1 d2 = 879030820169913437491046412, log η ≈ 177783042675.27970 in about 3 seconds. From Table 1 we compute that $\varepsilon(d_1 d_2)^k = \eta^1 \equiv v + u\sqrt{d_1 d_2} \pmod{2d_1}$ where

v = 14492696679550
u = 34328263354357.

Since $v \not\equiv -1 \pmod{2d_1}$, by Theorem 4.2, (17) is insoluble and the system of equations corresponding to the case k = 23/2 is also insoluble. In total, only 5.4 seconds of CPU time were required.

Case k = 37

We consider the equation

$$d_1 X^2 - d_2 Y^2 = j_1 \tag{18}$$
where d1 = 187060083, d2 = 1489467623820555129, j1 = 2 and compute = 1114479749358225681467262828, log η ≈ 1086376640760.93598 in 3.92 seconds. From Table 1 we compute that $\varepsilon(d_1 d_2)^k = \eta^1 \equiv v_a + u_a\sqrt{d_1 d_2} \pmod{d_1}$ where

va = 187060082
ua = 32043503

and $\eta^1 \equiv v_b + u_b\sqrt{d_1 d_2} \pmod{d_2}$ where

vb = 1
ub = 178548333566137540.

Since $v \equiv -1 \pmod{d_1}$ and $v \equiv 1 \pmod{d_2}$, by Theorem 4.2, (18) is soluble. In total, only 6.13 seconds of CPU time were required.

Case k = 88

We consider the equation

$$d_1 X^2 - d_2 Y^2 = j_1 \tag{19}$$

where d1 = 292983362419056814383407231344054712604820708226547, d2 = 1, j1 = 2 and compute = 1171933449676227257533628925376218850419282832906188, log η ≈ 646898777797993906080322.51011 in 10 minutes 53.78 seconds. From Table 1 we compute that $\varepsilon(d_1 d_2)^k = \eta^1 \equiv v + u\sqrt{d_1 d_2} \pmod{d_1}$ where

v = 292983362419056814383407231344054712604820708226546
u = 142959904910272007193309536294031489153754442273875.

Since $v \equiv -1 \pmod{d_1}$ and $d_2 = 1 \mid v - 1$, by Theorem 4.2, (19) is soluble. In total, only 10 minutes 56.96 seconds of CPU time were required.

Case k = 96

We consider the equation

$$d_1 X^2 - d_2 Y^2 = j_1 \tag{20}$$
where d1 = 11026135853493713136245395422048912696347119870354223043, d2 = 1, j1 = 2 and compute = 44104543413974852544981581688195650785388479481416892172, log η ≈ 17694341564349621139544358.11566 in 23 minutes 13.91 seconds. From Table 1 we compute that $\varepsilon(d_1 d_2)^k = \eta^1 \equiv v + u\sqrt{d_1 d_2} \pmod{2d_1}$ where

v = 2465224764373973919143409411562495693760065276803692870
u = 3787929147870168538500735055992591255285986394499686884.

Since $v \not\equiv -1 \pmod{d_1}$, by Theorem 4.2, (20) is insoluble and the system of equations corresponding to the case k = 96 is also insoluble. In total, only 23 minutes 17.41 seconds of CPU time were required.
Remaining Exceptional Cases

In an effort to eliminate the remaining cases k = 37 and k = 88, we attempted to apply a similar strategy to that applied in [9] to eliminate k = 19. By considering (3) modulo various primes for the case k = 88, we were led to the following simple observation:

PROPOSITION 2. If, for some prime p we have $p \nmid d_1 d_2 d_3$, $p \mid d_3 j_1 - d_1 j_2$, and $(d_1 j_1/p) = (d_1 d_3/p) = -1$, then (3) has no solutions.

Proof. By eliminating $x_1^2$ in (3) we obtain that a necessary condition for the solubility of (3) is that

$$d_1 d_2 x_3^2 - d_2 d_3 x_2^2 = d_3 j_1 - d_1 j_2 \tag{21}$$

has solutions. For any prime $p \mid d_3 j_1 - d_1 j_2$ we have

$$d_1 d_2 x_3^2 \equiv d_2 d_3 x_2^2 \pmod{p}$$

and if $p \nmid d_2$,

$$d_1 x_3^2 \equiv d_3 x_2^2 \pmod{p}.$$

Thus, $(d_1 x_3^2/p) = (d_3 x_2^2/p)$ is a necessary condition for the solubility of (21). If $p \nmid x_2$, $p \nmid x_3$, and $p \nmid d_1 d_3$ this implies $(d_1/p) = (d_3/p)$, or equivalently, $(d_1 d_3/p) = 1$. Finally, since $d_1^2 x_1^2 \equiv d_1 j_1 \pmod{p}$ if $p \mid x_2$, the condition $(d_1 j_1/p) = -1$ ensures that $p \nmid x_2$ and the condition that $p \nmid d_1 d_3$ implies that $p \nmid x_3$.

By applying Proposition 2, we were able to eliminate k = 88 with the prime 1987. In addition, we found that the cases k = 23/2 and k = 96 could be eliminated using the primes
58556269 and 269626202984126279, respectively. Unfortunately, we were not able to eliminate k = 37 with Proposition 2.

For our next attempt to eliminate the case k = 37 we applied the methods of [12] to determine whether the norm equation

$$d_3 x_1^2 - d_2 x_3^2 = j_2 \tag{22}$$

has solutions. This is equivalent to testing whether there exists an $\alpha \in \mathbb{Q}(\sqrt{d_2 d_3})$ of norm $j_2 d_3$, which is in turn an instance of the discrete logarithm problem in $\mathbb{Q}(\sqrt{d_2 d_3})$. Using the algorithm described in [12], we found that all 8 of the principal ideals of norm $d_2 d_3$ were principal in just over 5 hours of CPU time. The natural logarithms (distances) of the principal ideals $(\alpha_1), (\alpha_2), \ldots, (\alpha_8)$ are listed below.

log(|α1|) = 876210579323390081444356009.46446
log(|α2|) = 9826301943043003464134907226.63085
log(|α3|) = 4549977132998014180827669128.59598
log(|α4|) = 3496505491641870381161077784.49181
log(|α5|) = 6507057513433886801196064776.77874
log(|α6|) = 5453585872077743001529473432.67457
log(|α7|) = 177261062032753718222235334.63970
log(|α8|) = 9127352425752367100912786551.80609

From this information, we constructed compact representations of each of the $\alpha_i$ and verified that indeed $N(\alpha_i) = j_2 d_3$. In addition, we used the methods of the previous section to compute $\alpha_i$ mod l for 5 random primes l and verified that each $\alpha_i$ does yield a solution of (22) modulo l. If $\alpha_i = X_i + \sqrt{d_2 d_3/4}\,Y_i$, then it is easy to show that $x_1 = X_i/d_3$, $x_3 = Y_i/2$ is a solution of (22). Therefore, both equations in (3) have solutions individually.

Finally, in a last attempt to eliminate the case k = 37, we applied the methods of [12] to determine whether the norm equation

$$d_1 x_3^2 - d_3 x_2^2 = (d_3 j_1 - d_1 j_2)/d_2 \tag{23}$$

has global solutions. As with the local approach applied in Proposition 2 to the same equation, this is a necessary condition for the solubility of the system (3). After 2 hours and 46 minutes of CPU time, we computed a unit $\eta \in \mathbb{Q}(\sqrt{d_1 d_3})$ with log η ≈ 6851106675369184895740.24677 and found that there were no solutions of (23). Under the assumption of the ERH, η is in fact the fundamental unit of $\mathbb{Q}(\sqrt{d_1 d_3})$ and the output that there are no solutions of (23) is correct. Thus, under the ERH, the system of equations (3) has no solutions and Theorem 1.2 of [9] is true for all k ≤ 100. Unfortunately, we know of no way to remove the assumption of the ERH for k = 37.
6. Further Applications
Since Pell equations tend to occur naturally in many Diophantine problems, we expect that our methods will be very useful in other settings. For example, in [13] the problem of finding all integral solutions of the Schäffer equation

$$y^2 = 1^k + 2^k + \cdots + (x - 1)^k, \quad k \ge 2 \tag{24}$$

is reduced to examining the modular solutions of certain Pell equations. By making use of our methods, the authors of [13] were able to find all integral solutions of (24) for k ≤ 70 assuming the Extended Riemann Hypothesis. Since the discriminants of these Pell equations frequently had as many as 53 decimal digits, to our knowledge this computation would not have been possible without the methods presented in this paper.
References

1. C. S. Abel, Ein Algorithmus zur Berechnung der Klassenzahl und des Regulators reellquadratischer Ordnungen, Ph.D. Thesis, Universität des Saarlandes, Saarbrücken, Germany (1994).
2. A. Baker and H. Davenport, The equations $3x^2 - 2 = y^2$ and $8x^2 - 7 = z^2$, Quart. J. Math. Oxford Ser. (2), Vol. 20 (1969) pp. 129–137.
3. J. Buchmann, C. Thiel and H. C. Williams, Short representation of quadratic integers, Computational Algebra and Number Theory, Mathematics and its Applications, Vol. 325 (1995) pp. 159–185.
4. H. Cohen, A course in computational algebraic number theory, Graduate Texts in Mathematics, Vol. 138, Springer (1993).
5. H. Cohn, Advanced Number Theory, Dover Publications, New York (1980).
6. D. A. Cox, Primes of the Form $x^2 + ny^2$, Wiley, New York (1989).
7. A. Dujella, On Diophantine quintuples, Acta Arith., Vol. 81 (1997) pp. 69–79.
8. A. Dujella and A. Pethő, A generalization of a theorem of Baker and Davenport, Quart. J. Math. Oxford Ser. (2), Vol. 49 (1998) pp. 291–306.
9. A. Dujella and A. Pethő, Integer points on a family of elliptic curves, Publ. Math. Debrecen, Vol. 56 (2000) pp. 321–335.
10. A. Grelak and A. Grytczuk, On the Diophantine equation $ax^2 - by^2 = c$, Publ. Math. Debrecen, Vol. 44 (1994) pp. 291–299.
11. M. J. Jacobson, Jr., Subexponential Class Group Computation in Quadratic Orders, Ph.D. Thesis, Technische Universität Darmstadt, Darmstadt, Germany (1999).
12. M. J. Jacobson, Jr., Computing discrete logarithms in quadratic orders, Journal of Cryptology, Vol. 13 (2000) pp. 473–492.
13. M. J. Jacobson, Jr., Á. Pintér and P. G. Walsh, A computational approach for solving $y^2 = 1^k + 2^k + \cdots + x^k$, submitted to Math. Comp. (2001).
14. The LiDIA Group, LiDIA: a C++ library for computational number theory, Software, Technische Universität Darmstadt, Germany (1997). See http://www.informatik.tu-darmstadt.de/TI/LiDIA.
15. P. G. Walsh, The Pell Equation and Powerful Numbers, Master's Thesis, University of Calgary, Calgary, Alberta (1988).