Chinese remainder theorem
The Chinese remainder theorem is a theorem of number theory, which states that, if one knows the remainders of the division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.
This theorem has this name because it is a theorem about remainders, which has been first discovered during the 3rd century by the Chinese mathematician Sun Tzu.
The Chinese remainder theorem is widely used for computing with large integers, as it allows replacing a computation for which one knows a bound on the size of the result by several similar computations on small integers.
- 1 History
- 2 Theorem statement
- 3 Proof
- 4 Finding the solution
- 5 Over principal ideal domains
- 6 Over univariate polynomial rings and Euclidean domains
- 7 Generalization to arbitrary rings
- 8 Applications
- 9 See also
- 10 Notes
- 11 References
- 12 Further reading
- 13 External links
The earliest known statement of the theorem, as a problem with specific numbers, appears in the 3rd-century book Sunzi's Mathematical Classic (孫子算經) by the Chinese mathematician Sun Tzu. Sun Tzu's work contains neither a proof nor a full algorithm. What amounts to an algorithm for solving this problem was described by Aryabhata (6th century). Special cases of the Chinese remainder theorem were also known to Brahmagupta (7th century), and appear in Fibonacci's Liber Abaci (1202). The result was later generalized with a complete solution called Dayanshu (大衍術) in Qin Jiushao's 1247 Mathematical Treatise in Nine Sections (數書九章, Shushu Jiuzhang).
The notion of congruences was first introduced and used by Gauss in his Disquisitiones Arithmeticae of 1801. Gauss illustrates the Chinese remainder theorem on a problem involving calendars, namely, "to find the years that have a certain period number with respect to the solar and lunar cycle and the Roman indiction." Gauss introduces a procedure for solving the problem that had already been used by Euler but was in fact an ancient method that had appeared several times.
The Chinese remainder theorem asserts that if the ni are pairwise coprime, and if a1, ..., ak are integers such that 0 ≤ ai < ni for every i, then there is one and only one integer x, such that 0 ≤ x < N and the remainder of the Euclidean division of x by ni is ai for every i.
This may be restated as follows in term of congruences: If the ni are pairwise coprime, and if a1, ..., ak are any integers, then there exists an integer x such that
and any two such x are congruent modulo N.
In abstract algebra, the theorem is often restated as: if the ni are pairwise coprime, the map
between the ring of integers modulo N and the direct product of the rings of integers modulo the ni. This means that for doing a sequence of arithmetic operations in one may do the same computation independently in each and then get the result by applying the isomorphism (from the right to the left). This may be much faster than the direct computation if N and the number of operations are large. This is widely used, under the name multi-modular computation, for linear algebra over the integers or the rational numbers.
The existence and the uniqueness of the solution may be proved independently. However the first proof of existence, given below, use the uniqueness.
Suppose that x and y are both solutions to all the congruences. As x and y give the same remainder, when divided by ni, their difference x − y is a multiple of each ni. As the ni are pairwise coprime, their product N divides also x − y, and thus x and y are congruent modulo N. If x and y are supposed to be non negative and less than N (as in the first statement of the theorem), then their difference may be a multiple of N only if x = y.
Existence (first proof)
maps congruence classes modulo N to sequences of congruence classes modulo ni. The proof of uniqueness shows that this map is injective. As the domain and the codomain of this map have the same number of elements, the map is also surjective, which proves the existence of the solution.
This proof is very simple, but does not provide any direct way for computing a solution. Moreover, it cannot be generalized to other situations where the following proof can.
Existence (constructive proof)
Existence may be established by an explicit construction of x. This construction may be split in two steps, firstly by solving the problem in the case of two moduli, and the second one by extending this solution to the general case by induction on the number of moduli.
Case of two moduli
We want to solve the system
where and are coprime.
Bézout's identity asserts the existence of two integers and such that
The integers and may be computed by Extended Euclidean algorithm.
A solution is given by
This shows that The second congruence is proved similarly, by exchanging the indices.
Let us consider a sequence of congruence equations
where the are pairwise coprime. The two first equations have a solution provided by the method of the previous section. The set of the solutions of these two first equations is the set of all solutions of the equation
As the other are coprime with this reduces solving the initial problem of k equations to a similar problem with equations. Iterating the process, one gets eventually the solutions of the initial problem
Existence (direct construction)
For constructing a solution, it is not necessary to make an induction on the number of moduli. However, such a direct construction involves more computation with large numbers, which makes it less efficient and less used. Nevertheless, Lagrange interpolation is a special case of this construction, applied to polynomials instead of integers.
Let be the product of all moduli but one. As the are pairwise coprime, and are coprime. Thus Bézout's identity applies, and there exist integers and such that
A solution of the system of congruences is
In fact, as is a multiple of for we have
Finding the solution
As an example, consider the problem of finding an integer x such that
As the result must be a nonnegative integer less than the product of moduli (here 60), a simple method consists in considering successively the integers up to 60, and computing the remainders of the division by 3, 4, 5, until getting the result (here 39).
However, one may obtain the result faster by considering only the integers, which are congruent to 4 modulo 5 (the largest modulus); that is 4, 9 = 4 + 5, 14 = 9 + 5, ... For each of them, compute the remainder by 4 (the second largest modulus) until getting a number congruent to 3 modulo 4. Then one can proceed by adding 20 = 5×4 at each step, and computing only the remainders by 3. This gives
- 4 mod 4 → 0. Continue
- 4 + 5 = 9 mod 4 →1. Continue
- 9 + 5 = 14 mod 4 → 2. Continue
- 14 + 5 = 19 mod 4 → 3. OK, continue by considering remainders modulo 3 and adding 5×4 = 20 each time
- 19 mod 3 → 1. Continue
- 19 + 20 = 39 mod 3 → 0. OK, this is the result.
This method works well for hand-written computation with a product of moduli that is not too big. However it is much slower than other methods, for very large products of moduli.
Using the existence construction
Bézout's identity for 3 and 4 is
Putting this in the formula given for proving the existence gives
for a solution of the two first congruences, the other solutions being obtained by adding to −9 any multiple of 3×4 = 12. One may continue with any of these solutions, but the solution 3 = −9 +12 is smaller (in absolute value) and thus leads probably to an easier computation
Bézout identity for 5 and 3×4 = 12 is
Applying the same formula again, we get a solution of the problem:
The other solutions are obtained by adding any multiple of 3×4×5 = 60, and the smallest positive solution is −21 + 60 = 39.
Over principal ideal domains
In § Theorem statement, the Chinese remainder theorem has been stated in three different ways: in terms of remainders, of congruences and of a ring isomorphism. The statement in terms of remainders does not apply, in general to principal ideal domains, as remainders are not defined in such rings. However, the two other version make sense over a principal ideal domain R: it suffices to replace "integer" by "element of the domain", and by R. These two versions of the theorem are true in this context, because the proofs (except for the first existence proof), are based on Euclid's lemma and Bézout's identity, which are true over every principal domain.
However, in general, the theorem is only an existence theorem, and does not provide any way for computing the solution, unless if one has an algorithm for computing the coefficients of Bézout's identity.
Over univariate polynomial rings and Euclidean domains
The statement in terms of remainders given in § Theorem statement cannot be generalized to any principal ideal domain, but its generalization to Euclidean domains is straightforward. The univariate polynomials over a field is the typical example of a Euclidean domain, which is not the integers. therefore, we state the theorem for the case of a ring of univariate domain over a field For getting the theorem for a general Euclidean domain, it suffices to replace the degree by the Euclidean function of the Euclidean domain.
The Chinese remainder theorem for polynomials is thus: Let (the moduli) be, for i=1, ..., k, pairwise coprime polynomials in . Let be the degree of , and be the sum of the If are polynomials such that or for every i, then, there is one and only one polynomial , such that and the remainder of the Euclidean division of by is for every i.
The construction of the solution may be done as in § Existence (constructive proof) or § Existence (direct proof). However, the latter construction may be simplified by using, as follows, partial fraction decomposition instead of extended Euclidean algorithm.
Thus, we want to find a polynomial , which satisfies the congruences
Let us consider the polynomials
The partial fraction decomposition of gives k polynomials with degrees such that
Then a solution of the simultaneous congruence system is given by the polynomial
In fact, we have
This solution may have a degree larger that The unique solution of degree less than may be deduced by considering the remainder of the Euclidean division of by This solution is
They are pairwise coprime if the are all different. The remainder of the division by of a polynomial is
Now, let be constants (polynomials of degree 0) in Both Lagrange interpolation and Chinese remainder theorem assert the existence of a unique polynomial of degree less than k such that
for every i.
Lagrange interpolation formula is exactly the result, in this case, of the above construction of the solution. More precisely, let
The partial fraction decomposition of is
In fact, reducing the right-hand side to a common denominator one gets and the numerator is equal to one, as being a polynomial of degree less than k, which takes the value one for different values of
Using the above general formula, we get the Lagrange interpolation formula
Hermite interpolation is an application of Chinese remainder theorem for univariate polynomials, which may involve moduli of arbitrary degrees (Lagrange interpolation involves only moduli of degree one).
The problem consists of finding a polynomial of the least possible degree, such that the polynomial and its first derivatives take given values at some fixed points.
More precisely, let be elements of the ground field and, for let be the values of the first derivatives of the sought polynomial at (including the 0th derivative, which is the value of the polynomial itself). The problem is to find a polynomial such that its jth derivative takes the value at for and
Let us consider the polynomial
This is the Taylor expansion at up to the order of the unknown polynomial Therefore, we must have
The Chinese remainder theorem asserts that there exists exactly one polynomial of degree less than the sum of the which satisfies these congruences.
There are several ways for computing the solution One may use the method described at the beginning of § Over univariate polynomial rings and Euclidean domains. One may also use the constructions given in § Existence (constructive proof) or § Existence (direct proof).
Generalization to arbitrary rings
The Chinese remainder theorem can be generalized to any ring, by using coprime ideals (also called comaximal ideals). Two ideals I and J are coprime if there are elements and such that This relation plays the role of Bézout's identity in the proofs related to this generalization, which, otherwise are very similar. The generalization may be stated as follows.
between the quotient ring and the direct product of the where "" denotes the image of the element in the quotient ring defined by the ideal Moreover, if is commutative, then the ideal intersection I is equal to the product of the ideals
Fast Fourier transform
The prime-factor FFT algorithm (also called Good-Thomas algorithm) uses the Chinese remainder theorem for reducing the computation of a fast Fourier transform of size to the computation of two fast Fourier transforms of smaller sizes and (providing that and are cop rime).
Most implementations of RSA use the Chinese remainder theorem during signing of HTTPS certificates and during decryption.
The Chinese remainder theorem can also be used in secret sharing, which consists of distributing a set of shares among a group of people who, all together (but no one alone), can recover a certain secret from the given set of shares. Each of the shares is represented in a congruence, and the solution of the system of congruences using the Chinese remainder theorem is the secret to be recovered. Secret sharing using the Chinese remainder theorem uses, along with the Chinese remainder theorem, special sequences of integers that guarantee the impossibility of recovering the secret from a set of shares with less than a certain cardinality.
Range ambiguity resolution
Dedekind's Theorem on the Linear Independence of Characters. Let M be a monoid and k an integral domain, viewed as a monoid by considering the multiplication on k. Then any finite family ( fi )i∈I of distinct monoid homomorphisms fi : M → k is linearly independent. In other words, every family (αi)i∈I of elements αi ∈ k satisfying
must be equal to the family (0)i∈I.
Proof. First assume that k is a field, otherwise, replace the integral domain k by its quotient field, and nothing will change. We can linearly extend the monoid homomorphisms fi : M → k to k-algebra homomorphisms Fi : k[M] → k, where k[M] is the monoid ring of M over k. Then, by linearity, the condition
Next, for i, j ∈ I; i ≠ j the two k-linear maps Fi : k[M] → k and Fj : k[M] → k are not proportional to each other. Otherwise fi and fj would also be proportional, and thus equal since as monoid homomorphisms they satisfy: fi (1) = 1 = fj (1), which contradicts the assumption that they are distinct.
Therefore, the kernels Ker Fi and Ker Fj are distinct. Since k[M]/Ker Fi ≅ Fi(k[M]) = k is a field, Ker Fi is a maximal ideal of k[M] for every i ∈ I. Because they are distinct and maximal the ideals Ker Fi and Ker Fj are coprime whenever i ≠ j. The Chinese Remainder Theorem (for general rings) yields an isomorphism:
Consequently, the map
is surjective. Under the isomorphisms k[M]/Ker Fi → Fi(k[M]) = k, the map Φ corresponds to:
for every vector (ui)i∈I in the image of the map ψ. Since ψ is surjective, this means that
for every vector
Consequently, (αi)i∈I = (0)i∈I. QED.
- Covering system
- Hasse principle
- Residue number system
- Secret sharing using the Chinese remainder theorem
- Gauss & Clarke 1986, Art. 32-36
- Katz 1998, p. 197
- Dauben 2007, p. 302
- Kak 1986
- Leonardo Pisano; Sigler, Laurence E. (translator into English) (2002), Fibonacci's Liber Abaci, Springer-Verlag, pp. 402–403, ISBN 0-387-95419-8
- Dauben 2007, p. 310
- Ireland & Rosen 1990, p. 36
- Ore 1988, p. 247
- Ore 1988, p. 245
- Ireland & Rosen 1990, p. 34
- Ireland & Rosen 1990, p. 35
- Duchet 1995
- Rosen 1993, p. 136
- Ireland & Rosen 1990, p. 181
- Dauben, Joseph W. (2007), "Chapter 3: Chinese Mathematics", in Katz, Victor J., The Mathematics of Egypt, Mesopotamia, China, India and Islam : A Sourcebook, Princeton University Press, pp. 187–384, ISBN 978-0-691-11485-9
- Duchet, Pierre (1995), "Hypergraphs", in Graham, R. L.; Grötschel, M.; Lovász, L., Handbook of combinatorics, Vol. 1, 2, Amsterdam: Elsevier, pp. 381–432, MR 1373663. See in particular Section 2.5, "Helly Property", pp. 393–394.
- Gauss, Carl Friedrich; Clarke, Arthur A. (translator into English) (1986), Disquisitiones Arithemeticae (Second, corrected ed.), New York: Springer, ISBN 978-0-387-96254-2
- Ireland, Kenneth; Rosen, Michael (1990), A Classical Introduction to Modern Number Theory (2nd ed.), Springer-Verlag, ISBN 0-387-97329-X
- Kak, Subhash (1986), "Computational aspects of the Aryabhata algorithm" (PDF), Indian Journal of History of Science 21 (1): 62–71
- Katz, Victor J. (1998), A History of Mathematics / An Introduction (2nd ed.), Addison Wesley Longman, ISBN 978-0-321-01618-8
- Ore, Oystein (1988) , Number Theory and Its History, Dover, ISBN 978-0-486-65620-5
- Rosen, Kenneth H. (1993), Elementary Number Theory and its Applications (3rd ed.), Addison-Wesley, ISBN 978-0201-57889-8
- Cormen, Thomas H.; Leiserson, Charles E.; Rivest, Ronald L.; Stein, Clifford (2001), Introduction to Algorithms (Second ed.), MIT Press and McGraw-Hill, ISBN 0-262-03293-7. See Section 31.5: The Chinese remainder theorem, pp. 873–876.
- Ding, Cunsheng; Pei, Dingyi; Salomaa, Arto (1996), Chinese Remainder Theorem: Applications in Computing, Coding, Cryptography, World Scientific Publishing, pp. 1–213, ISBN 981-02-2827-9
- Hungerford, Thomas W. (1974), Algebra, Graduate Texts in Mathematics, Vol. 73, Springer-Verlag, pp. 131–132, ISBN 978-1-4612-6101-8
- Knuth, Donald (1997), The Art of Computer Programming, Volume 2: Seminumerical Algorithms (Third ed.), Addison-Wesley, ISBN 0-201-89684-2. See Section 4.3.2 (pp. 286–291), exercise 4.6.2–3 (page 456).