CMSC203 Discrete Structures, Sections 0201, Spring 2008

The Chinese Remainder Theorem

Richard Chang, CSEE Dept, University of Maryland Baltimore County
Updated: March 1, 2008


An Example

To understand the purpose of the Chinese Remainder Theorem consider the following Table:

      0   1   2   3   4   5   6   7   8   9  10  11  12
0     0  40  15  55  30   5  45  20  60  35  10  50  25
1    26   1  41  16  56  31   6  46  21  61  36  11  51
2    52  27   2  42  17  57  32   7  47  22  62  37  12
3    13  53  28   3  43  18  58  33   8  48  23  63  38
4    39  14  54  29   4  44  19  59  34   9  49  24  64

The entries in the table are integers from 0 through 64. We use these 65 numbers because 5 × 13 = 65. The number is placed in a row and column according to its remainder after dividing by 5 and by 13. For example, the number 57 is in row 2 and column 5 because 57 % 5 = 2 and 57 % 13 = 5. If you start from the top left with 0 and scan down the diagonal to find 1, 2, 3 and 4, you will notice a very nice pattern in this table. The numbers in increasing order march down the diagonals and wrap around to the top — 5, 6, 7, 8 and 9 make the next diagonal. This proceeds across the table until we get to 10, 11 and 12 and notice that the numbers then wrap around to the left side of the table where 13 and 14 are in the lower left.

This diagonal pattern continues until all 65 numbers are used. The interesting part is that each number appears in its own entry in the table. The diagonals did not overlap. Why is that? Well, because 5 and 13 are prime. (Actually, because gcd(5, 13) = 1, but we'll get to that later.) If you construct this table with 6 and 12 (a good exercise), you will see that this pattern does not hold for all pairs of numbers.

Great. So what is the Chinese Remainder Theorem? Well, if you give me an integer x between 0 and 64, it is easy for me to figure out where x belongs in the table. I just have to compute x % 5 and x % 13. These are easy computations. What if we ask the question in the other direction? Given two remainders a1 and a2, find a number x such that x % 5 = a1 and x % 13 = a2. Again, this is easy because you just look at row a1 and column a2 of the table and use that number. For example, if a1 = 3 and a2 = 11, you just say 63. Okay, now do it without looking at the table. Then, it becomes harder.

So here's the problem. You are given two prime numbers, p1 and p2, and two remainders a1 and a2. Now, find a number x, where 0 ≤ x < p1p2, such that

x % p1 = a1
x % p2 = a2.
How do we compute x? How do we know x even exists? We can construct the table above with p1 and p2 instead of 5 and 13, but that seems like a waste of time just for one entry. Also, it is very expensive when p1 and p2 are large (think thousands of digits). The Chinese Remainder Theorem tells us that x always exists and how to find it.
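
The 6-and-12 exercise suggested above can be checked mechanically. This Python sketch is an added example, not part of the original notes, and its function names are chosen here for illustration. It fills the table for any pair of moduli and reports how many cells are used.

```python
from math import gcd

def remainder_table(r, c):
    """Map each cell (x % r, x % c) to the list of x in 0 .. r*c-1 landing there."""
    cells = {}
    for x in range(r * c):
        cells.setdefault((x % r, x % c), []).append(x)
    return cells

def table_rows(r, c):
    """Rows of the table; each entry is the list of numbers in that cell."""
    cells = remainder_table(r, c)
    return [[cells.get((row, col), []) for col in range(c)] for row in range(r)]

def table_report(r, c):
    """Summarise how the r*c numbers spread over the r*c cells."""
    cells = remainder_table(r, c)
    return {
        "gcd": gcd(r, c),
        "cells_used": len(cells),
        "cells_empty": r * c - len(cells),
        "max_per_cell": max(len(v) for v in cells.values()),
    }

if __name__ == "__main__":
    # 5 and 13: one number per cell, so the table from the notes is reproduced.
    for row in table_rows(5, 13):
        print(" ".join(f"{cell[0]:2d}" for cell in row))
    print(table_report(5, 13))
    # 6 and 12: the numbers pile up in a few cells and most cells stay empty.
    print(table_report(6, 12))
```

With 6 and 12 only 12 of the 72 cells are used and each holds six numbers, so a pair of remainders no longer identifies one number.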


The Baby Version

Let us first look at a baby version of the Chinese Remainder Theorem using just two prime numbers. It is less confusing.

Baby Chinese Remainder Theorem.  Let p1 and p2 be prime numbers. Given integers a1 and a2, there exists a unique x, 0 ≤ x < p1p2, such that

x ≡ a1   (mod p1)
x ≡ a2   (mod p2).

Comment: Here the notation x ≡ a1  (mod p1) just means x % p1 = a1. We are switching to notation used in number theory. It's a bit confusing at first, but it is good to be familiar with this standard notation. The confusing part is that the (mod p1) does not indicate multiplication. It is a side comment that the ≡ is modulo p1. Now, on to the proof.

Proof: First we show that x exists, then we show that it is unique. We can use x computed by:

x = ( a1p2y1 + a2p1y2 ) % (p1 p2)
where y1 is the inverse of p2 modulo p1 and y2 is the inverse of p1 modulo p2. That is, y1 and y2 are the numbers that give us:
p2y1 ≡ 1   (mod p1)
p1y2 ≡ 1   (mod p2)
(Recall that we can find inverses using the Extended Euclid Algorithm.) Now let us compute x % p1 and x % p2.
x ≡ a1 p2 y1 + a2 p1 y2    (mod p1)      [since p1 divides p1 p2]
   ≡ a1 p2 y1 + 0    (mod p1)      [since p1 divides a2 p1 y2]
   ≡ a1 ⋅ 1    (mod p1)      [since p2 y1 ≡ 1   (mod p1)]
   ≡ a1    (mod p1)
Similarly,
x ≡ a1 p2 y1 + a2 p1 y2    (mod p2)      [since p2 divides p1 p2]
   ≡ 0 + a2 p1 y2    (mod p2)      [since p2 divides a1 p2 y1]
   ≡ a2 ⋅ 1    (mod p2)      [since p1 y2 ≡ 1   (mod p2)]
   ≡ a2    (mod p2)
Thus, we have shown that the number x exists. Suppose that some other number x', 0 ≤ x' < p1 p2, also satisfies the congruences:
x' ≡ a1   (mod p1)
x' ≡ a2   (mod p2).
Then, x and x' have the same remainders after dividing by p1 and p2. This means their difference must be divisible by p1 and by p2. Thus, there must exist integers k1 and k2 such that
x − x' = k1 p1
x − x' = k2 p2.
Thus, k1 p1 = k2 p2. That means p1 divides k2 p2. Since p2 is prime, p1 must divide k2. So, for some integer k', k2 = k' p1. Then, we have:
x − x' = k2 p2 = k' p1 p2.
Now, recall that both x and x' are non-negative integers less than p1 p2. So, the absolute value of their difference must be less than p1 p2. Thus, k' must be 0 and x = x'. Therefore, x is unique.
QED

Example: Let's return to our example where p1 = 5 and p2 = 13. How would we use the Chinese Remainder Theorem to find an x such that x % 5 = 3 and x % 13 = 11? First, we compute y1 and y2. We need to find the inverse of 13 modulo 5 and the inverse of 5 modulo 13. We can use the Extended Euclid Algorithm to do this, or just a little bit of guessing:

13 ⋅ 2 = 26,    26 % 5 = 1
5 ⋅ 8 = 40,    40 % 13 = 1
So, y1 = 2 and y2 = 8. Thus, we compute x to be:
x = ( 3 ⋅ 13 ⋅ 2 + 11 ⋅ 5 ⋅ 8 ) % 65
   = (78 + 440) % 65
   = 518 % 65
   = 63
You can confirm that 63 % 5 = 3 and 63 % 13 = 11, but it is more interesting to think about why
( 3 ⋅ 13 ⋅ 2 + 11 ⋅ 5 ⋅ 8 ) % 5 = 3
and why
( 3 ⋅ 13 ⋅ 2 + 11 ⋅ 5 ⋅ 8 ) % 13 = 11.
We know that (3⋅13⋅2) % 5 = 3 because 13 and 2 are inverses modulo 5, so 3⋅13⋅2 ≡ 3⋅1 ≡ 3  (mod 5). Also, 11⋅5⋅8 ≡ 0  (mod 5) because 5 appears as a factor in 11⋅5⋅8. Thus, 3⋅13⋅2 + 11⋅5⋅8 ≡ 3 + 0 ≡ 3  (mod 5). Similarly, when we look at x modulo 13, we get 3⋅13⋅2 + 11⋅5⋅8 ≡ 0 + 11⋅1 ≡ 11  (mod 13).


The General Version

The baby version of the Chinese Remainder Theorem is already enough for us to prove that in the RSA algorithm, encryption followed by decryption returns the original message. The general version of the Chinese Remainder Theorem improves upon the baby version in two ways. First, we can have any number of moduli, not just two. Also, instead of requiring the moduli to be prime, we only require them to be relatively prime (i.e., their greatest common divisor is 1). We can do this because we know from the Extended Euclid Algorithm that if gcd(m1,m2) = 1 then m1 has an inverse modulo m2 and m2 has an inverse modulo m1. It is not necessary for m1 and m2 to be prime for inverses to exist.

Chinese Remainder Theorem.  Let m1, m2, m3, ... mn be positive integers that are pairwise relatively prime. (I.e., for all i and j where i ≠ j, gcd(mi, mj) = 1.)   Let m = m1 m2 m3 ⋅ ⋅ ⋅ mn.   Given integers a1, a2, a3, ... an, there exists a unique x, 0 ≤ x < m, such that

x ≡ a1   (mod m1)
x ≡ a2   (mod m2)
x ≡ a3   (mod m3)
...
x ≡ an   (mod mn).

Proof Idea: Before we proceed with the formal proof, let's think how we can extend the proof of the baby version to the full version. Having pairwise relatively prime moduli instead of prime moduli won't change much. Prime numbers gave us inverses and so will relatively prime numbers. We need to duplicate the trick that made the second term disappear when we mod out by p1 and made the first term disappear when we mod out by p2. Suppose that n = 5 and we have 5 moduli. We can define x by:

x = ( a1 t1 + a2 t2 + a3 t3 + a4 t4 + a5 t5 ) % m
But, what do we pick for t1, t2, t3, t4 and t5? It would be very convenient if tj ≡ 0  (mod mi) whenever j ≠ i. For example, for m4 we would get:
x ≡ a1 ⋅ 0 + a2 ⋅ 0 + a3 ⋅ 0 + a4 t4 + a5 ⋅ 0   (mod m4)
  ≡ a4 t4   (mod m4)
This could be accomplished if t1, t2, t3 and t5 are divisible by m4 and t4 is not. To get this to work for all mi, we want
t1 divisible by m2 m3 m4 m5
t2 divisible by m1 m3 m4 m5
t3 divisible by m1 m2 m4 m5
t4 divisible by m1 m2 m3 m5
t5 divisible by m1 m2 m3 m4
So, we let ti have as a factor m/mi. (Recall that m = m1 m2 m3 m4 m5.) But we're not done because we want ti ≡ 1  (mod mi). To do this, let yi be the inverse of m/mi mod mi. Now the i-th term in x looks like ai (m/mi) yi and x becomes
x = ( a1 (m/m1) y1 + a2 (m/m2) y2 + a3 (m/m3) y3 + a4 (m/m4) y4 + a5 (m/m5) y5 ) % m
and we have the desired effect. If you understand the proof idea for n = 5, the formal proof should be much easier to follow.

Proof: We define x as follows:

x = ( Σ_{j=1}^{n} aj (m/mj) yj ) % m
where yj is the inverse of m/mj modulo mj. Since mi divides m,
x % mi  =  ( Σ_{j=1}^{n} aj (m/mj) yj ) % mi
        =  ( Σ_{j=1}^{i−1} aj (m/mj) yj ) % mi  +  ai (m/mi) yi % mi  +  ( Σ_{j=i+1}^{n} aj (m/mj) yj ) % mi.
Since mi divides (m/mj) for all j ≠ i, the terms in the two summations are 0. Thus,
x % mi  =  0  +  ai (m/mi) yi % mi  +  0  =  ai (m/mi) yi % mi.
Since m/mi and yi are inverses modulo mi:
x % mi  =  ai ⋅ 1 % mi  =  ai % mi.
Thus, for all i, 1 ≤ i ≤ n, x ≡ ai  (mod mi).

Finally, suppose that there is some x' where 0 ≤ x' < m such that for all i, 1 ≤ i ≤ n, x' ≡ ai  (mod mi). Then, x ≡ x'  (mod mi) for all i. Then, there must be integers k1, k2, k3, ... kn, such that for all i

x − x'  =  ki mi.
Since m1, m2, m3, ... mn are pairwise relatively prime (i.e., no pair have a common factor greater than 1) and since x − x' is divisible by each mi, it must be the case that x − x' is divisible by m = m1 m2 m3 ⋅ ⋅ ⋅ mn. However, both x and x' are non-negative integers less than m. So, the absolute value of their difference must also be less than m. The only way for a number to be divisible by m and have absolute value less than m is for that number to be 0. Thus, x = x' and x is unique.
QED


Example: The reason that the Chinese Remainder Theorem is named such is because Sun Tzu (544BC – 496BC) mentioned it in his Mathematical Manual. In essence, he asked for a number x such that

x ≡ 2   (mod 3)
x ≡ 3   (mod 5)
x ≡ 2   (mod 7).
Let's find x using the proof above. Here, n = 3, m1 = 3, m2 = 5, m3 = 7, a1 = 2, a2 = 3 and a3 = 2. So, we get
m = 3 ⋅ 5 ⋅ 7 = 105
m/m1 = 105 / 3 = 5 ⋅ 7 = 35
m/m2 = 105 / 5 = 3 ⋅ 7 = 21
m/m3 = 105 / 7 = 3 ⋅ 5 = 15
Now we need to calculate the inverses y1, y2 and y3. For large numbers, we would use the Extended Euclid Algorithm, but these numbers are small enough for guessing. For example:
m/m1 % m1 = 35 % 3 = 2
2 ⋅ 2 = 4 ≡ 1    (mod 3).
So, y1 = 2. Similarly, 21 % 5 = 1 and the inverse of 1 is just 1. That gives us y2 = 1. Finally, 15 % 7 = 1 again, so y3 = 1. Then, we have
x  =  ( a1 (m/m1) y1 + a2 (m/m2) y2 + a3 (m/m3) y3 ) % m
    =  ( 2⋅35⋅2 + 3⋅21⋅1 + 2⋅15⋅1) % 105
    =  233 % 105
    =  23
Finally, you can check that 23 % 3 = 2, 23 % 5 = 3 and 23 % 7 = 2. So, our solution is indeed correct.
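
The construction used in the proof, written out as an added Python example (not part of the original notes; the names egcd, inverse and crt are chosen here). It computes each yi with the Extended Euclid Algorithm instead of guessing and rejects moduli that are not pairwise relatively prime, the case where the theorem does not apply.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def inverse(a, m):
    """Return y in [0, m) with a*y ≡ 1 (mod m); fail if gcd(a, m) != 1."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m

def crt(residues, moduli):
    """Return the unique x in [0, m) with x ≡ a_i (mod m_i), m = m_1 * ... * m_n."""
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i, mi in enumerate(moduli):
        if mi < 1:
            raise ValueError("moduli must be positive")
        for mj in moduli[i + 1:]:
            if gcd(mi, mj) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    m = 1
    for mi in moduli:
        m *= mi
    x = 0
    for ai, mi in zip(residues, moduli):
        yi = inverse(m // mi, mi)      # y_i is the inverse of m/m_i modulo m_i
        x += ai * (m // mi) * yi       # i-th term a_i (m/m_i) y_i of the sum
    return x % m

if __name__ == "__main__":
    print(crt([3, 11], [5, 13]))       # the baby-version example
    print(crt([2, 3, 2], [3, 5, 7]))   # the three-congruence example
```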


Last Modified: 1 Mar 2008 17:26:11 EST by Richard Chang