Theorem 11.3
Let $n$ be a Carmichael number, and suppose $n = p_1 \cdots p_r$. Let $n - 1 = 2^h m$, where $m$ is odd, and for $1 \le i \le r$, let $p_i - 1 = 2^{h_i} m_i$, where $m_i$ is odd. Let $h' = \max\{h_i\}$, and define
$$P_n := \{ u \in \mathbb{Z}_n^* : u^{m 2^{h'-1}} = [\pm 1 \bmod n] \}.$$
Then we have:
(i) $h' \le h$;
(ii) for all $u \in \mathbb{Z}_n^*$, $u^{m 2^{h'}} = 1$;
(iii) $P_n$ is a subgroup of $\mathbb{Z}_n^*$, and $P_n \subsetneq \mathbb{Z}_n^*$.

Proof.
As $n$ is Carmichael, each $p_i - 1$ divides $n - 1$. It follows that $h' \le h$. That proves (i). It also follows that $m_i \mid m$ for each $i$.

Again, by the Chinese Remainder Theorem, we have an isomorphism of $\mathbb{Z}_n^*$ with the group $\mathbb{Z}_{p_1}^* \times \cdots \times \mathbb{Z}_{p_r}^*$, where each $\mathbb{Z}_{p_i}^*$ is cyclic of order $p_i - 1$. Since each $p_i - 1$ divides $m 2^{h'}$, it follows that each $\mathbb{Z}_{p_i}^*$ is annihilated by the $(m 2^{h'})$-power map. It follows from the Chinese Remainder Theorem that $\mathbb{Z}_n^*$ is also annihilated by the $(m 2^{h'})$-power map. That proves (ii).

To prove (iii), first note that $P_n$ is the preimage of the subgroup $\{[\pm 1 \bmod n]\}$ under the $(m 2^{h'-1})$-power map, and hence is itself a subgroup of $\mathbb{Z}_n^*$. Now, $h' = h_i$ for some $i$, and without loss of generality, assume $i = 1$. Let $\alpha = [a \bmod p_1] \in \mathbb{Z}_{p_1}^*$ be a generator for $\mathbb{Z}_{p_1}^*$. Since $\alpha$ has order $m_1 2^{h'}$, it follows that $\alpha^{m_1 2^{h'-1}}$ has order 2, which means that $\alpha^{m_1 2^{h'-1}} = [-1 \bmod p_1]$. Since $m_1 \mid m$ and $m$ is odd, it follows that $\alpha^{m 2^{h'-1}} = [-1 \bmod p_1]$. By the Chinese Remainder Theorem, there exists an integer $b$ such that $b \equiv a \pmod{p_1}$ and $b \equiv 1 \pmod{p_j}$ for $j \ne 1$. We claim that $b^{m 2^{h'-1}} \not\equiv \pm 1 \pmod{n}$. Indeed, if $b^{m 2^{h'-1}} \equiv 1 \pmod{n}$, then we would have $b^{m 2^{h'-1}} \equiv 1 \pmod{p_1}$, which is not the case, and if $b^{m 2^{h'-1}} \equiv -1 \pmod{n}$, then we would have $b^{m 2^{h'-1}} \equiv -1 \pmod{p_2}$, which is also not the case. That proves $P_n \subsetneq \mathbb{Z}_n^*$. $\Box$

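As an added example (not part of the original text), the following Python code checks Theorem 11.3 numerically on the Carmichael number 561 = 3 · 11 · 17 and builds the integer $b$ from the proof of (iii). The function names, the variable `h_max` (standing for $h'$), and the choice of 561 are assumptions of this example.

```python
from math import gcd

def split_pow2(x):
    """Write x = 2^h * m with m odd and return (h, m)."""
    h = 0
    while x % 2 == 0:
        x, h = x // 2, h + 1
    return h, x

def generator(p):
    """Smallest generator of Z_p^* (brute force, small primes only)."""
    for a in range(2, p):
        if len({pow(a, k, p) for k in range(1, p)}) == p - 1:
            return a
    raise ValueError("no generator found")

def check_theorem_11_3(primes):
    """Check (i)-(iii) for the squarefree n = product of `primes`."""
    n = 1
    for p in primes:
        n *= p
    h, m = split_pow2(n - 1)
    h_i = [split_pow2(p - 1)[0] for p in primes]
    h_max = max(h_i)                       # h' in the theorem
    e = m * 2 ** (h_max - 1)               # exponent defining P_n
    units = [u for u in range(1, n) if gcd(u, n) == 1]
    P = {u for u in units if pow(u, e, n) in (1, n - 1)}
    # Witness b from the proof: b = a (mod p_1), b = 1 (mod p_j), j != 1,
    # where p_1 is a prime with h_1 = h' and a generates Z_{p_1}^*.
    p1 = primes[h_i.index(h_max)]
    a, q = generator(p1), n // p1
    b = (1 + q * ((a - 1) * pow(q, -1, p1) % p1)) % n   # CRT by hand
    return {
        "n": n, "h": h, "h_max": h_max,
        "part_i": h_max <= h,
        "part_ii": all(pow(u, 2 * e, n) == 1 for u in units),
        # A finite subset containing 1 and closed under products is a subgroup.
        "closed": all(x * y % n in P for x in P for y in P),
        "size_P": len(P), "size_units": len(units),
        "b": b, "b_power": pow(b, e, n),
    }

if __name__ == "__main__":
    print(check_theorem_11_3([3, 11, 17]))   # 561, a Carmichael number
```

For 561 the set $P_n$ has exactly half the elements of $\mathbb{Z}_n^*$, and the constructed $b$ lies outside it.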
From the above theorem, we can easily derive the following result:

Theorem 11.4
If $n$ is prime, then $L'_n = \mathbb{Z}_n^*$. If $n$ is composite, then $|L'_n| \le (n - 1)/2$.

Proof.
Let $n - 1 = m 2^h$, where $m$ is odd. For $\alpha \in \mathbb{Z}_n^*$, let us define the sequence of group elements $s_i(\alpha) := \alpha^{m 2^i}$ for $0 \le i \le h$. We can characterize the set $L'_n$ as follows: it consists of all $\alpha \in \mathbb{Z}_n^*$ such that $s_h(\alpha) = [1 \bmod n]$, and for $1 \le i \le h$, $s_i(\alpha) = [1 \bmod n]$ implies $s_{i-1}(\alpha) = [\pm 1 \bmod n]$.

First, suppose $n$ is prime. By Fermat's little theorem, for $\alpha \in \mathbb{Z}_n^*$, we know that $s_h(\alpha) = [1 \bmod n]$. Moreover, if $s_i(\alpha) = [1 \bmod n]$ for $1 \le i \le h$, then as $s_{i-1}(\alpha)^2 = [1 \bmod n]$, and the only square roots of $[1 \bmod n]$ are $[\pm 1 \bmod n]$, we have $s_{i-1}(\alpha) = [\pm 1 \bmod n]$.