
THE CHINESE REMAINDER THEOREM

From the book INTRODUCTION TO CRYPTOGRAPHY WITH JAVA APPLETS (pages 178-185)

Multiple Moduli

8.1 THE CHINESE REMAINDER THEOREM

The previous method of solving these types of congruences is very effective, but we can develop an even faster method of solving such systems if we also require that the moduli be pairwise relatively prime. Note, however, that the previous method has no such requirement. The proof of proposition 27 describes the new method; it is called the Chinese Remainder Theorem, since the Chinese have known its results since ancient times. However, we must first establish the following two facts:

PROPOSITION 25. Suppose the integers $a_1, a_2, \ldots, a_n$ are pairwise relatively prime. Then $(a_1 a_2 \cdots a_n) \mid c$ if and only if $a_1 \mid c,\ a_2 \mid c,\ \ldots,\ a_n \mid c$.


Proof. Clearly, if the product $p = a_1 a_2 \cdots a_n$ divides $c$, then each $a_i$, $i = 1, 2, \ldots, n$, likewise divides $c$, since each $a_i \mid p$ and $p \mid c$. Conversely, suppose each $a_i$ divides $c$. Then the prime factorization of $c$ must contain the prime factorization of each $a_i$, and since these are pairwise relatively prime, no $a_i$ can have a prime factor in common with any other. Thus, the prime factorization of $c$ contains the prime factorization of the product $p$, and so $p \mid c$. ∎

The next proposition is what we really need for the Chinese Remainder Theorem, and using the previous result makes its proof very simple. You are requested to do this.

PROPOSITION 26. Let $a \equiv b \pmod{m_1}$, $a \equiv b \pmod{m_2}$, $\ldots$, $a \equiv b \pmod{m_n}$, where $m_1, m_2, \ldots, m_n$ are pairwise relatively prime. Then we have $a \equiv b \pmod{m_1 m_2 \cdots m_n}$.

PROPOSITION 27. (THE CHINESE REMAINDER THEOREM.) Suppose $m_1, m_2, \ldots, m_n$ are pairwise relatively prime. Then the system of congruences

$x \equiv a_1 \pmod{m_1}$
$x \equiv a_2 \pmod{m_2}$
$\ldots$
$x \equiv a_n \pmod{m_n}$

has a unique solution modulo $M = m_1 m_2 \cdots m_n$; namely,

$x \equiv a_1 M_1 M_1' + a_2 M_2 M_2' + \cdots + a_n M_n M_n' \pmod{M}$,

where $M_i = M/m_i$ and $M_i'$ is an inverse of $M_i$ modulo $m_i$ for all $i = 1, 2, \ldots, n$.

Proof. Let all the quantities be defined as stated in the proposition. First, note that $M_i = m_1 m_2 \cdots m_{i-1} m_{i+1} \cdots m_n$ and $m_i$ are relatively prime for any $i$. To see this, note that each $m_i$ is relatively prime to $m_k$ for all $k \neq i$, and so if we have an integer $p$ greater than 1 which divides $m_i$, it cannot divide any other $m_k$, and hence cannot divide the product $m_1 m_2 \cdots m_{i-1} m_{i+1} \cdots m_n = M_i$. Thus, proposition 22 says that an inverse $M_i'$ of $M_i$ modulo $m_i$ exists.

Then the integer given by

$x = a_1 M_1 M_1' + a_2 M_2 M_2' + \cdots + a_n M_n M_n'$

simultaneously solves the system of congruences

$x \equiv a_1 \pmod{m_1}$
$x \equiv a_2 \pmod{m_2}$
$\ldots$
$x \equiv a_n \pmod{m_n}$.

To see this, note that $m_k \mid M_i$ when $i \neq k$, hence giving us $M_i \equiv 0 \pmod{m_k}$. Thus, all terms of $x$ modulo $m_k$ vanish except the $k$th term, and so we have

$x \equiv a_k M_k M_k' \equiv a_k \cdot 1 \equiv a_k \pmod{m_k}$

for any $k$. That is, $x$ is a solution to each individual congruence of the system. To show this solution is unique (in the sense that all other solutions are congruent to it modulo $M$), let $x$ and $y$ both be simultaneous solutions to the previous system. Note now that we have $x \equiv y \equiv a_k \pmod{m_k}$ for all $k$, and proposition 26 then tells us that $x \equiv y \pmod{M}$, as desired. ∎

EXAMPLE. We'll use the Chinese Remainder Theorem (CRT) to solve the same system (*); that is, the system

$x \equiv 3 \pmod{4}$
$x \equiv 0 \pmod{5}$
$x \equiv 0 \pmod{7}$
$x \equiv 8 \pmod{9}$.

(Note that the moduli are pairwise relatively prime.) The proof of CRT shows us how to get our solution very quickly by computing $M = 4 \cdot 5 \cdot 7 \cdot 9 = 1260$, and

$M_1 = 1260/4 = 315$, $M_2 = 1260/5 = 252$, $M_3 = 1260/7 = 180$, $M_4 = 1260/9 = 140$.

We then compute inverses $y_i = M_i'$ of each $M_i$ modulo $m_i$:

$M_1' = 3$ (an inverse of 315 modulo 4)
$M_2' = 3$ (an inverse of 252 modulo 5)
$M_3' = 3$ (an inverse of 180 modulo 7)
$M_4' = 2$ (an inverse of 140 modulo 9)

To get our solution, we now simply form the sum

$x = a_1 M_1 M_1' + a_2 M_2 M_2' + a_3 M_3 M_3' + a_4 M_4 M_4'$
$= 3 \cdot 315 \cdot 3 + 0 \cdot 252 \cdot 3 + 0 \cdot 180 \cdot 3 + 8 \cdot 140 \cdot 2$
$= 5075$
$\equiv 35 \pmod{1260}$.

This is exactly the same solution we obtained earlier, only perhaps less directly but certainly more quickly. (Note that computing $M_2$, $M_3$, $y_2$ and $y_3$ isn't even necessary in this example, because $a_2 = a_3 = 0$ makes those terms vanish in the final computation.)
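The computation above, carried through in code. This is an added Python example, not code from the book or from its BigIntegerMath class; it follows the contract the chapter gives for solveCRT() (returning the residue together with M) and additionally exposes the intermediate values $M_i$ and $M_i'$ so that the worked example can be reproduced step by step. The function names, the dict layout and the requirement that every modulus be at least 2 are my own choices; the sample input is the chapter's system (*).

```python
from math import gcd, prod

# Constructed input: the chapter's system (*)
# x ≡ 3 (mod 4), x ≡ 0 (mod 5), x ≡ 0 (mod 7), x ≡ 8 (mod 9)
EXAMPLE_RESIDUES = [3, 0, 0, 8]
EXAMPLE_MODULI = [4, 5, 7, 9]


def pairwise_coprime(moduli):
    """True when every pair of moduli has gcd 1 (the CRT hypothesis)."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli))
               for j in range(i + 1, len(moduli)))


def crt_details(residues, moduli):
    """Solve x ≡ a_i (mod m_i) by the formula of proposition 27.

    Returns a dict with M, the list of (M_i, M_i') pairs, the unreduced sum
    a_1 M_1 M_1' + ... + a_n M_n M_n', and its least nonnegative residue x mod M.
    Raises ValueError under the same conditions as the chapter's solveCRT();
    moduli below 2 are rejected as well (a design choice of this example).
    """
    if len(residues) != len(moduli):
        raise ValueError("Residues and moduli are in different amounts.")
    if any(m < 2 for m in moduli):
        raise ValueError("Moduli must be at least 2.")
    if not pairwise_coprime(moduli):
        raise ValueError("Moduli are not pairwise relatively prime.")
    M = prod(moduli)
    terms = []
    raw_sum = 0
    for a, m in zip(residues, moduli):
        Mi = M // m                  # product of all the other moduli
        Mi_inv = pow(Mi, -1, m)      # inverse of M_i modulo m_i (Python 3.8+)
        terms.append((Mi, Mi_inv))
        raw_sum += a * Mi * Mi_inv
    return {"M": M, "terms": terms, "raw_sum": raw_sum, "x": raw_sum % M}


def solve_crt(residues, moduli):
    """Same contract as solveCRT(): returns (x, M) with 0 <= x < M."""
    d = crt_details(residues, moduli)
    return d["x"], d["M"]


def satisfies(x, residues, moduli):
    """Check a candidate against every congruence of the system."""
    return all((x - a) % m == 0 for a, m in zip(residues, moduli))


if __name__ == "__main__":
    d = crt_details(EXAMPLE_RESIDUES, EXAMPLE_MODULI)
    print("M =", d["M"])
    for (Mi, Mi_inv), m in zip(d["terms"], EXAMPLE_MODULI):
        print(f"M_i = {Mi}, inverse modulo {m} = {Mi_inv}")
    print("sum =", d["raw_sum"], "->", d["x"], "(mod", d["M"], ")")
    print("check:", satisfies(d["x"], EXAMPLE_RESIDUES, EXAMPLE_MODULI))
```

Running it reproduces the table above: M = 1260, the pairs (315, 3), (252, 3), (180, 3), (140, 2), the unreduced sum 5075 and the residue 35. The final `satisfies()` call is the check a practitioner should always keep: it verifies the answer directly against each original congruence rather than trusting the formula.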

Java Algorithm. Suppose we write a static method in the BigIntegerMath class to solve such sets of congruences; we can call it solveCRT(). We can make it solve systems of the form

$x \equiv a_1 \pmod{m_1}$
$x \equiv a_2 \pmod{m_2}$
$\ldots$
$x \equiv a_n \pmod{m_n}$.

If any individual congruence does not have a unique solution, we will throw an exception; likewise if the moduli are not pairwise relatively prime. We will pass in the values of $a_i$ and $m_i$ as arrays of BigIntegers, and the solution will be returned as an array of two BigIntegers, say answer[]. Then answer[0] will contain the residue solution, and answer[1] will contain $M$, the product of the individual moduli.

Here is the program:

    //Finds simultaneous solutions to a linear system of congruences
    //involving only one variable and multiple moduli.
    public static BigInteger[] solveCRT(BigInteger[] residue, BigInteger[] modulus) {
        //See if the number of moduli and residues match
        if (residue.length!=modulus.length)
            throw new IllegalArgumentException("Residues and moduli are in different amounts.");
        //See if the moduli are pairwise relatively prime
        for (int i=0; i<modulus.length-1; i++) {
            for (int j=i+1; j<modulus.length; j++) {
                if (!(modulus[i].gcd(modulus[j]).equals(ONE)))
                    throw new IllegalArgumentException("Moduli are not pairwise relatively prime.");
            }
        }
        //Form the product of the individual moduli
        BigInteger M=new BigInteger("1");
        for (int i=0; i<modulus.length; i++) M=M.multiply(modulus[i]);
        //Form the solution as in the Chinese Remainder Theorem
        BigInteger solution=new BigInteger("0");
        for (int i=0; i<modulus.length; i++) {
            BigInteger Mi=M.divide(modulus[i]);
            solution=solution.add(residue[i].multiply(Mi).multiply(Mi.modInverse(modulus[i])));
        }
        //Reduce the sum to its least nonnegative residue modulo M
        //(lnr() is the class's own least-nonnegative-residue method)
        solution=lnr(solution,M);
        //Answer must be returned as a two-element array: the residue, then M.
        BigInteger[] result=new BigInteger[2];
        result[0]=solution;
        result[1]=M;
        return result;
    }

FIGURE 8.1 (screen shot of TestCRTApplet)

I have written an applet called TestCRTApplet which allows you to solve these types of systems using the Chinese Remainder Theorem. It can be run from the book's website, and a screen shot follows (see Figure 8.1). The Chinese Remainder Theorem has many important applications in cryptography, and it is equally useful to both the cryptographer and the cryptanalyst. We will investigate many of these applications in upcoming chapters.

EXERCISES

1. Solve the following systems of linear congruences using the Chinese Remainder Theorem (CRT).

a. $x \equiv 23 \pmod{26}$, $x \equiv 2 \pmod{31}$, $x \equiv 5 \pmod{17}$
b. $x \equiv 1 \pmod{26}$, $x \equiv 1 \pmod{33}$, $x \equiv 1 \pmod{35}$
c. $5x \equiv 3 \pmod{18}$, $3x \equiv 4 \pmod{7}$, $2x \equiv 5 \pmod{25}$, $6x \equiv 10 \pmod{11}$

2. Solve the previous systems of linear congruences without using the Chinese Remainder Theorem.

3. Willie the woodchuck is building a dam for his family. After gnawing down trees all day he stacks the logs in the mud in rows of 5, and notices he has 1 left over. Disgruntled, he stacks them in rows of 6 and notices he has 2 logs remaining. Highly upset now, Willie chews one of the logs to bits in a fit of rage (so he has 1 less log now), then stacks the logs in rows of 7 and has none remaining. What is the minimum number of logs Willie produced that day?

4. Francine the dancing gorilla is dividing up coconuts for her family. If she divides them up equally among all her 46 children, she has 3 coconuts left over, but if she divides them up only among her 25 favorite children, she has 2 coconuts remaining. What is the minimum number of coconuts Francine has?

5. Redneck Slim is planting petunias for his sweetheart Daisy Mae. If he places them in 9 rows, he has 2 plants left over. If he puts them in 10 rows, he has 3 plants left over, but if he puts them in 11 rows he has exactly 1 plant left over for his date Saturday night. What is the minimum number of petunia plants?

6. Show that the system of congruences

$x \equiv a_1 \pmod{m_1}$
$x \equiv a_2 \pmod{m_2}$
$\ldots$
$x \equiv a_n \pmod{m_n}$

has a solution iff the gcd of $m_i$ and $m_k$ divides $a_i - a_k$ for all $1 \leq i < k \leq n$. This can serve as a check for systems whose moduli are not pairwise relatively prime.

7. Solve the following systems of linear congruences:

a. $x \equiv 7 \pmod{24}$, $x \equiv 23 \pmod{56}$
b. $x \equiv 80 \pmod{95}$, $x \equiv 4 \pmod{38}$, $x \equiv 50 \pmod{60}$

8. Write a static solveMultipleModuli() method in the BigIntegerMath class to find a particular solution to linear systems of congruences with multiple moduli that need not be pairwise relatively prime. (Thus, you cannot use the Chinese Remainder Theorem.)
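Exercises 6 and 8 together describe the general case, where the moduli overlap. The following is an added Python example, not the book's code and not a solution key for the exercises: it applies the gcd condition of exercise 6 as a consistency check, finds a particular solution by merging congruences two at a time (so the moduli need not be pairwise relatively prime, which is what exercise 8 asks for), and first reduces a congruence of the form $ax \equiv b \pmod{m}$ (the shape seen in exercise 1c) to the form $x \equiv x_0 \pmod{m'}$. The function names and the sample systems are my own constructions; the chapter's system (*) is included to show that the general method agrees with CRT where CRT applies.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def consistent(congruences):
    """Exercise 6 condition: gcd(m_i, m_k) must divide a_i - a_k for every i < k."""
    for i in range(len(congruences)):
        a_i, m_i = congruences[i]
        for k in range(i + 1, len(congruences)):
            a_k, m_k = congruences[k]
            if (a_i - a_k) % gcd(m_i, m_k) != 0:
                return False
    return True


def solve_linear(a, b, m):
    """Reduce a*x ≡ b (mod m) to x ≡ x0 (mod m'); None if gcd(a, m) does not divide b."""
    g = gcd(a, m)
    if b % g:
        return None
    a, b, m = a // g, b // g, m // g     # now gcd(a, m) == 1
    _, u, _ = egcd(a, m)                 # u is an inverse of a modulo m
    return (b * u) % m, m


def merge(c1, c2):
    """Combine x ≡ a1 (mod m1) and x ≡ a2 (mod m2) into x ≡ x0 (mod lcm(m1, m2)).

    Returns None exactly when gcd(m1, m2) does not divide a1 - a2.
    """
    a1, m1 = c1
    a2, m2 = c2
    g, u, _ = egcd(m1, m2)               # u*m1 ≡ g (mod m2)
    if (a2 - a1) % g:
        return None
    lcm = m1 // g * m2
    # Write x = a1 + m1*t and solve m1*t ≡ a2 - a1 (mod m2) for t.
    t = ((a2 - a1) // g * u) % (m2 // g)
    return (a1 + m1 * t) % lcm, lcm


def solve_multiple_moduli(congruences):
    """Particular solution (x0, modulus) of a list of (a, m) pairs, or None if inconsistent."""
    current = (0, 1)                     # x ≡ 0 (mod 1): every integer qualifies
    for c in congruences:
        current = merge(current, c)
        if current is None:
            return None
    return current


def solve_system(equations):
    """Solve a list of (a, b, m) triples meaning a*x ≡ b (mod m)."""
    reduced = []
    for a, b, m in equations:
        r = solve_linear(a, b, m)
        if r is None:
            return None
        reduced.append(r)
    return solve_multiple_moduli(reduced)


# Constructed sample systems (not taken from the exercises)
COPRIME = [(3, 4), (0, 5), (0, 7), (8, 9)]   # the chapter's system (*)
OVERLAP = [(1, 4), (3, 6)]                   # gcd 2 divides 3 - 1: solvable
CLASH = [(1, 4), (2, 6)]                     # gcd 2 does not divide 2 - 1: no solution

if __name__ == "__main__":
    for system in (COPRIME, OVERLAP, CLASH):
        print(system, "consistent:", consistent(system), "->", solve_multiple_moduli(system))
    print("4x ≡ 6 (mod 10), x ≡ 1 (mod 3) ->", solve_system([(4, 6, 10), (1, 1, 3)]))
```

The merge step is the whole algorithm: the combined modulus is the lcm rather than the product, so the method degenerates to CRT when the moduli are coprime (system (*) again gives 35 modulo 1260) and otherwise yields a smaller modulus, e.g. $x \equiv 9 \pmod{12}$ for OVERLAP. The `consistent()` check and the `None` returned by `merge()` report the same condition, which is exactly the criterion exercise 6 asks you to prove.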
