A Machine Assisted Proof of the Chinese Remainder Theorem

Christoph Walther
Fachbereich Informatik
Technische Universität Darmstadt *

Abstract. We present a machine assisted proof of the Chinese Remainder Theorem by use of the VeriFun system.

Keywords: Modular Arithmetic, Chinese Remainder Theorem, Program Verification, Theorem Proving by Induction
1 Introduction

The Chinese Remainder Theorem (CRT for short) belongs to the basic repertoire of Number Theory and is found in standard textbooks of this field. The theorem states solvability of a system of modular equations and is formulated and proved in textbooks like in the following way:
Chinese Remainder Theorem. Let $a_1, \ldots, a_k$ be a sequence of non-negative integers and let $m_1, \ldots, m_k$ be a sequence of positive, pairwise co-prime integers. Then the system of congruences $[X \equiv a_i] \bmod m_i$ with $i = 1, \ldots, k$ has a unique solution in the residue class $\bmod\ m_1 \cdots m_k$.

Proof. Let $M_i := (m_1 \cdots m_k)/m_i$ and let $X := a_1 M_1 I(M_1, m_1) + \cdots + a_k M_k I(M_k, m_k)$, where $I(x, y)$ denotes some modular multiplicative inverse of co-primes $x$ and $y$, i.e. $[x \cdot I(x, y) \equiv 1] \bmod y$ if $\gcd(x, y) = 1$ and $y \neq 0$. Then $[X \equiv a_i M_i I(M_i, m_i)] \bmod m_i$ because $m_i \mid M_j$ for each $j \in \{1, \ldots, k\}$ with $j \neq i$, hence $[X \equiv a_i] \bmod m_i$ because $[M_i I(M_i, m_i) \equiv 1] \bmod m_i$ as $M_i$ and $m_i$ are co-prime.

If $[x_1 \equiv a_i] \bmod m_i$ as well as $[x_2 \equiv a_i] \bmod m_i$ for each $i \in \{1, \ldots, k\}$, then $[x_1 \equiv x_2] \bmod m_i$. Hence $[x_1 \equiv x_2] \bmod m_1 \cdots m_k$ as $m_1, \ldots, m_k$ consists of pairwise co-primes only.
This theorem spurred researchers in the past to test usability and performance of their favoured proof system, see e.g. [1,6] and also [2] for further experiments. Subsequently we illustrate how the CRT is proven with the VeriFun system¹ (see [4,5] for details of the system and its use for proofs in Number Theory). VeriFun is implemented in Java and installers for running the system under Windows, Unix/Linux or Mac are available from the web [3].

* Technical Report VFR 18/03 — November 16, 2018.
¹ An acronym for "A Verifier for Functional Programs".
structure bool <= true; false
structure N <= 0; +(−:N)
structure pair[@T1;@T2] <= [infix]⋆([postfix]1:@T1; [postfix]2:@T2)
structure list[@T] <= ø; [infixr]::(hd:@T; tl:list[@T])
function co-primes(k:list[N]):bool <=
  if k = ø
  then true
  else if gcd(hd(k), ∏(tl(k))) = 1 then co-primes(tl(k)) else false end_if
  end_if
function X(k:list[pair[N;N]]; M:N):N <=
  if k = ø
  then 0
  else let a := (hd(k))1; m := (hd(k))2 in a · (M/m) · I(M/m; m) + X(tl(k); M) end_let
  end_if
Fig. 1. Data structures and procedures for the Chinese Remainder Theorem
2 Formulation of the CRT

VeriFun's object language consists of principles for defining polymorphic data structures, procedures operating on them, and for statements (called "lemmas") about the data structures and procedures. The language allows Unicode and offers in-, out-, pre- and postfix notation for function symbols so that readability is increased by use of the familiar mathematical notation.
Fig. 1 displays the data structures used in this case study. The data structure bool and the data structure N for natural numbers built with the constructors 0 and +(...) for the successor function are the only predefined data structures in the system. −(...) is the selector of +(...) thus denoting the predecessor function. The data structures pair and list of Fig. 1 are user defined and represent ordered pairs and linear lists.² The symbol ⋆ denotes the pair-constructor and the ith component of a pair is obtained by selector (...)i. Lists are built with the constructors ø for the empty list and :: (given in infix-notation). The functions hd and tl (for head and tail) are the selectors of :: yielding the leftmost list element and the list with the leftmost list element removed respectively.

Procedures are defined by if- and case-conditionals, functional composition and recursion. Procedure calls are evaluated eagerly, i.e. call-by-value. Predicates are defined by procedures with result type bool. Procedure co-primes of Fig. 1 decides whether a number list consists of pairwise co-primes only (where procedure function ∏(k:list[N]):N <= ... computes the product of the elements in a number list k) and is an example of a predicate used in this case study.

² Identifiers preceded by @ denote type variables, and therefore polymorphic pairs and lists are defined here.
lemma CRT (Existence) <= ∀ k:list[pair[N;N]]; a,m:N
  if{¬ 0 ∈ ⟨k⟩₂;
     if{co-primes(⟨k⟩₂);
        if{(a ⋆ m) ∈ k; (X(k; ∏⟨k⟩₂) mod m) = (a mod m); true};
        true};
     true}
Fig. 2. Formulation of the Chinese Remainder Theorem (Existence)
We aim to prove that procedure X of Fig. 1 computes a solution for the system of congruences given by a sequence $a_1, \ldots, a_k$ of non-negative integers and a sequence $m_1, \ldots, m_k$ of positive, pairwise co-prime integers which are represented by a list $(a_1 \star m_1), \ldots, (a_k \star m_k)$ of pairs. Procedure X uses procedure function I(x; y:N):N <= ... which computes a modular multiplicative inverse and is defined elsewhere [3,4]. To obtain a correct result, procedure X must be called with $m_1 \cdots m_k$ as the actual parameter for the formal parameter M. The product $m_1 \cdots m_k$ of the co-primes is formally given by the expression $\prod\langle k\rangle_2$, where procedure function [outfix]⟨·⟩₂(k:list[pair[@T1;@T2]]):list[@T2] <= ... computes the list of the second components of the pairs in a list k of pairs. Formal parameter M cannot be omitted by replacement of M with $\prod\langle k\rangle_2$ in the body of procedure X as this would yield an incorrect result.³

Lemmas are defined with the conditional if : bool × bool × bool → bool as the main connective, but negation ¬ and case-conditionals may be used as well. Only universal quantification is allowed for the variables of a lemma. Fig. 2 displays the existence part of the CRT in the system's notation using (the elsewhere defined) procedures ∈ and mod for deciding list membership and the computation of the remainder function respectively.
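As an added illustration (not code from the report or from the VeriFun system), the following Python renders procedure X of Fig. 1, predicate solves of Fig. 4 and the incorrect variant of X that footnote 3 warns about, where M is replaced by the product of the remaining moduli inside the recursion; the names inverse, X_faulty, coprimes and crt are this example's own, and the sample system is the one of footnote 3.

```python
# Added example (not code from the report or from VeriFun): procedure X of
# Fig. 1, predicate solves of Fig. 4 and the faulty variant of X that footnote 3
# warns about.  inverse, X_faulty, coprimes and crt are this example's names.
from math import gcd, prod
from typing import List, Tuple

Pair = Tuple[int, int]  # (a_i, m_i): residue and modulus of one congruence

def inverse(x: int, y: int) -> int:
    """I(x, y): some i with x * i = 1 (mod y), by the extended Euclidean
    algorithm.  Requires y != 0 and gcd(x, y) == 1, the precondition of
    library lemma (5).  For y == 1 the result is 0."""
    assert y != 0 and gcd(x, y) == 1
    old_r, r, old_s, s = x, y, 1, 0      # invariant: old_s * x = old_r (mod y)
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % y                     # old_r == 1 here, so old_s * x = 1

def X(k: List[Pair], M: int) -> int:
    """Procedure X of Fig. 1: sum of a * (M/m) * I(M/m, m) over the pairs in k.
    M must be the product of all moduli (or n times it, as in Fig. 3)."""
    if not k:
        return 0
    (a, m), rest = k[0], k[1:]
    return a * (M // m) * inverse(M // m, m) + X(rest, M)

def X_faulty(k: List[Pair]) -> int:
    """Footnote 3's non-solution: M replaced by the product of the moduli of
    the *remaining* list, so later summands use cofactors that are no longer
    multiples of the earlier moduli."""
    if not k:
        return 0
    (a, m), rest = k[0], k[1:]
    M = prod(mod for _, mod in k)
    return a * (M // m) * inverse(M // m, m) + X_faulty(rest)

def coprimes(mods: List[int]) -> bool:
    """Predicate co-primes of Fig. 1: gcd(hd(k), prod(tl(k))) == 1 down the list."""
    return all(gcd(mods[i], prod(mods[i + 1:])) == 1 for i in range(len(mods)))

def solves(x: int, k: List[Pair]) -> bool:
    """Predicate solves of Fig. 4: x satisfies every congruence in k."""
    return all(x % m == a % m for a, m in k)

def crt(k: List[Pair], n: int = 1) -> int:
    """Existence as stated in Fig. 3: X(k, n * prod(m_i)) solves k when the
    moduli are non-zero and pairwise co-prime and gcd(n, prod(m_i)) == 1.
    n == 1 gives the original statement of Fig. 2."""
    mods = [m for _, m in k]
    M = prod(mods)
    assert 0 not in mods and coprimes(mods) and gcd(n, M) == 1
    return X(k, n * M)

# Constructed input: the system of footnote 3, a1 = a2 = 1, m1 = 2, m2 = 3.
EXAMPLE: List[Pair] = [(1, 2), (1, 3)]

if __name__ == "__main__":
    print(X(EXAMPLE, 6), solves(X(EXAMPLE, 6), EXAMPLE))          # 7 True
    print(X_faulty(EXAMPLE), solves(X_faulty(EXAMPLE), EXAMPLE))  # 4 False
    # Generalization with n = 5: still a solution, same residue class mod 6.
    print(crt(EXAMPLE, 5), crt(EXAMPLE, 5) % 6 == X(EXAMPLE, 6) % 6)  # 25 True
```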
3 Proofs of the CRT
When proving the CRT, we use our arithmetic proof library which ranges from simple statements like associativity and commutativity of addition up to more ambitious theorems about divisibility, primes and modular arithmetic. When importing a definition or a lemma from a library into a case study, all program elements and proofs the imported item depends on are imported as well. In the sequel we will only list the lemmas which are essential to understand the proofs and refer to [3] for a complete account of all used lemmas and their proofs.

The library lemmas⁴

  $\forall x, y, z : \mathbb{N}\;\; z \neq 0 \to [x + (y \bmod z) \equiv x + y] \bmod z$   (1)

  $\forall x, y, z : \mathbb{N}\;\; z \neq 0 \to [x \cdot (y \bmod z) \equiv x \cdot y] \bmod z$   (2)

are frequently used in the proofs for replacing a summand or a factor $y$ in a residue class $\bmod\ z$ by $(y \bmod z)$ to enable subsequent proof steps (see Sec. 4 for an example). For the sake of brevity, these lemma applications are not explicitly noted in the subsequent presentation.

³ Such a replacement corresponds to the re-definition of $M_i$ by $(m_i \cdots m_k)/m_i$ in the text book proof of Sec. 1 yielding e.g. the non-solution 4 (instead of 7) for the system of congruences given by $a_1 = a_2 = 1$, $m_1 = 2$ and $m_2 = 3$.
⁴ We use $[a \equiv b] \bmod c$ as an abbreviation for $(a \bmod c) = (b \bmod c)$.
3.1 Existence Proof
Lemma CRT (Existence) of Fig. 2 is proven by structural (list) induction upon $k$. The proof of the base case $k = ø$ is trivial and the induction conclusion simplifies in case $(a \star m) = ((hd(k))_1 \star (hd(k))_2)$ to

  $m \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2) \wedge \gcd(m, \prod\langle tl(k)\rangle_2) = 1$
  $\to [a \cdot \prod\langle tl(k)\rangle_2 \cdot I(\prod\langle tl(k)\rangle_2, m) + X(tl(k), m \cdot \prod\langle tl(k)\rangle_2) \equiv a] \bmod m$   (i)

using library lemma

  $\forall x, y : \mathbb{N}\;\; y \neq 0 \to (x \cdot y)/y = x$.   (3)

The system then applies auxiliary lemma

  $\forall m, n : \mathbb{N},\, k : list[pair[N;N]]\;\; m \neq 0 \wedge m \mid n \wedge 0 \notin \langle k\rangle_2 \to m \mid X(k, n \cdot \prod\langle k\rangle_2)$   (4)

(where $a \mid b$ abbreviates $(a \bmod b) = 0$) for replacing $(X(tl(k), m \cdot \prod\langle tl(k)\rangle_2) \bmod m)$ by 0 and rewriting proof obligation (i) to

  $m \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2) \wedge \gcd(m, \prod\langle tl(k)\rangle_2) = 1$
  $\to [a \cdot \prod\langle tl(k)\rangle_2 \cdot I(\prod\langle tl(k)\rangle_2, m) \equiv a] \bmod m$   (ii)

subsequently. Next we call the system to use library lemma

  $\forall x, y : \mathbb{N}\;\; y \neq 0 \wedge \gcd(x, y) = 1 \to [x \cdot I(x, y) \equiv 1] \bmod y$   (5)

causing the system to simplify proof obligation (ii) to true. Lemma 5 states correctness of procedure I in computing a modular multiplicative inverse for any $x$ co-prime to some $y \neq 0$ and is formally proved elsewhere [3,4].

Otherwise $(a \star m) \in tl(k)$, and the induction conclusion rewrites with Lemma 3 to

  $m_1 \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2) \wedge \gcd(m_1, \prod\langle tl(k)\rangle_2) = 1$
  $\to [a_1 \cdot \prod\langle tl(k)\rangle_2 \cdot I(\prod\langle tl(k)\rangle_2, m_1) + X(tl(k), m_1 \cdot \prod\langle tl(k)\rangle_2) \equiv a] \bmod m$   (iii)

where $a_1$ stands for $(hd(k))_1$ and $m_1$ abbreviates $(hd(k))_2$ for sake of readability. Since $(a \star m) \in tl(k) \wedge 0 \notin \langle tl(k)\rangle_2$ entails $m \in \langle tl(k)\rangle_2 \wedge m \neq 0$, the system subsequently uses library lemma

  $\forall n : \mathbb{N},\, k : list[N]\;\; n \neq 0 \wedge n \in k \to n \mid \prod(k)$   (6)

for replacing $(a_1 \cdot \prod\langle tl(k)\rangle_2 \cdot I(\prod\langle tl(k)\rangle_2, m_1) \bmod m)$ by 0 and simplifying (iii) to

  $m_1 \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2) \wedge \gcd(m_1, \prod\langle tl(k)\rangle_2) = 1$
  $\to [X(tl(k), m_1 \cdot \prod\langle tl(k)\rangle_2) \equiv a] \bmod m$   (iv)

in turn. However, the induction hypothesis

  $\forall a', m' : \mathbb{N}\;\; 0 \notin \langle tl(k)\rangle_2 \wedge (a' \star m') \in tl(k) \wedge \text{co-primes}(\langle tl(k)\rangle_2)$
  $\to [X(tl(k), \prod\langle tl(k)\rangle_2) \equiv a'] \bmod m'$   (IH)

cannot be used since $\prod\langle tl(k)\rangle_2$ does not match $m_1 \cdot \prod\langle tl(k)\rangle_2$ in (iv). This failure is raised by parameter M of procedure X and necessitates a generalization of the original statement which is displayed in Fig. 3.

lemma CRT (Existence) generalized <= ∀ k:list[pair[N;N]]; a,m,n:N
  if{¬ 0 ∈ ⟨k⟩₂;
     if{co-primes(⟨k⟩₂);
        if{(a ⋆ m) ∈ k;
           if{gcd(n; ∏⟨k⟩₂) = 1; (X(k; n · ∏⟨k⟩₂) mod m) = (a mod m); true};
           true};
        true};
     true}

Fig. 3. Generalization of the Chinese Remainder Theorem (Existence)

When proving the generalization in case $(a \star m) = ((hd(k))_1 \star (hd(k))_2)$ of the induction step, proof obligation

  $m \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2)$
  $\wedge \gcd(m, \prod\langle tl(k)\rangle_2) = 1 \wedge \gcd(n, m \cdot \prod\langle tl(k)\rangle_2) = 1$
  $\to [a \cdot n \cdot \prod\langle tl(k)\rangle_2 \cdot I(n \cdot \prod\langle tl(k)\rangle_2, m) \equiv a] \bmod m$   (v)

is obtained after the use of Lemma 3 and 4. When applying Lemma 5 also here, the system uses the library lemmas

  $\forall x, y, z : \mathbb{N}\;\; \gcd(x, y) = 1 \to \gcd(x, y \cdot z) = \gcd(x, z)$   (7)

  $\forall x, y, z : \mathbb{N}\;\; \gcd(x, y \cdot z) = 1 \to \gcd(x, y) = 1$   (8)

to verify proof obligation

  $\gcd(n \cdot \prod\langle tl(k)\rangle_2, m) = 1$   (vi)

which justifies the use of Lemma 5, thus finishing the proof for this case.

The induction conclusion rewrites in case $(a \star m) \in tl(k)$ to

  $m_1 \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2)$
  $\wedge \gcd(m_1, \prod\langle tl(k)\rangle_2) = 1 \wedge \gcd(n, m_1 \cdot \prod\langle tl(k)\rangle_2) = 1$
  $\to [X(tl(k), n \cdot m_1 \cdot \prod\langle tl(k)\rangle_2) \equiv a] \bmod m$   (vii)
using the same argumentation as in the first proof attempt. Now the induction hypothesis

  $\forall a', m', n' : \mathbb{N}\;\; 0 \notin \langle tl(k)\rangle_2 \wedge (a' \star m') \in tl(k) \wedge \text{co-primes}(\langle tl(k)\rangle_2)$
  $\wedge \gcd(n', \prod\langle tl(k)\rangle_2) = 1 \to [X(tl(k), n' \cdot \prod\langle tl(k)\rangle_2) \equiv a'] \bmod m'$   (IH')

can be applied by instantiating $n'$ with $n \cdot m_1$ for replacing $(X(tl(k), n \cdot m_1 \cdot \prod\langle tl(k)\rangle_2) \bmod m)$ in (vii) with $(a \bmod m)$. The use of (IH') is justified by proof obligation

  $m_1 \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2)$
  $\wedge \gcd(m_1, \prod\langle tl(k)\rangle_2) = 1 \wedge \gcd(n, m_1 \cdot \prod\langle tl(k)\rangle_2) = 1$
  $\to \gcd(n \cdot m_1, \prod\langle tl(k)\rangle_2) = 1$   (viii)

which the system proves with Lemma 7 and 8, thus finishing the proof also for this case.

Finally, the original statement of Fig. 2 is proven with the generalization of Fig. 3 by instantiating $n$ with 1.

function [infix]solves(x:N; k:list[pair[N;N]]):bool <=
  if k = ø
  then true
  else let a := (hd(k))1; m := (hd(k))2 in
         if (x mod m) = (a mod m) then (x solves tl(k)) else false end_if
       end_let
  end_if
lemma CRT (Uniqueness) <= ∀ k:list[pair[N;N]]; x1,x2:N
  if{¬ 0 ∈ ⟨k⟩₂;
     if{co-primes(⟨k⟩₂);
        if{(x1 solves k);
           if{(x2 solves k); (x1 mod ∏⟨k⟩₂) = (x2 mod ∏⟨k⟩₂); true};
           true};
        true};
     true}

Fig. 4. Formulation of the Chinese Remainder Theorem (Uniqueness)
3.2 Uniqueness Proof
Procedure solves of Fig. 4 decides whether a non-negative integer $x$ solves the system of congruences given by a pair-list $k$, and lemma CRT (Uniqueness) of Fig. 4 formulates the uniqueness part of the Chinese Remainder Theorem. The proof is by structural (list) induction also here. The base case is easily proved as 1 is the product of the empty number list. The induction conclusion rewrites to

  $m_1 \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2) \wedge [x_1 \equiv a_1] \bmod m_1$
  $\wedge [x_2 \equiv a_1] \bmod m_1 \wedge (x_1 \text{ solves } tl(k)) \wedge (x_2 \text{ solves } tl(k))$
  $\wedge \gcd(m_1, \prod\langle tl(k)\rangle_2) = 1 \to [x_1 \equiv x_2] \bmod m_1 \cdot \prod\langle tl(k)\rangle_2$   (ix)
(where $a_1$ stands for $(hd(k))_1$ and $m_1$ abbreviates $(hd(k))_2$ also here) and we apply library lemma

  $\forall x, y, z : \mathbb{N}\;\; y \neq 0 \wedge z \neq 0 \wedge y \mid x \wedge z \mid x \wedge \gcd(y, z) = 1 \to y \cdot z \mid x$   (9)

with $x$ replaced by $x_1 - x_2$, $y$ by $m_1$ and $z$ by $\prod\langle tl(k)\rangle_2$. The system responds by rewriting (ix) with library lemma

  $\forall x, y, z : \mathbb{N}\;\; z \neq 0 \wedge [x \equiv y] \bmod z \to z \mid (x - y)$   (10)

and the induction hypothesis

  $\forall x'_1, x'_2 : \mathbb{N}\;\; 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2) \wedge (x'_1 \text{ solves } tl(k))$
  $\wedge (x'_2 \text{ solves } tl(k)) \to [x'_1 \equiv x'_2] \bmod \prod\langle tl(k)\rangle_2$   (IH)

to

  $m_1 \neq 0 \wedge 0 \notin \langle tl(k)\rangle_2 \wedge \text{co-primes}(\langle tl(k)\rangle_2) \wedge [x_1 \equiv a_1] \bmod m_1$
  $\wedge [x_2 \equiv a_1] \bmod m_1 \wedge (x_1 \text{ solves } tl(k)) \wedge (x_2 \text{ solves } tl(k))$
  $\wedge \gcd(m_1, \prod\langle tl(k)\rangle_2) = 1 \wedge m_1 \cdot \prod\langle tl(k)\rangle_2 \mid (x_1 - x_2)$
  $\to [x_1 \equiv x_2] \bmod m_1 \cdot \prod\langle tl(k)\rangle_2$.   (x)

After another call of Lemma 9 with $y$ replaced by $m_1$ and $z$ by $\prod\langle tl(k)\rangle_2$ like before, but $x$ now replaced with $x_2 - x_1$, the system infers a further conjunct $m_1 \cdot \prod\langle tl(k)\rangle_2 \mid (x_2 - x_1)$ in the antecedent of the proof goal by use of Lemma 10 and the induction hypothesis (IH). It then succeeds in proving the step case with library lemma

  $\forall x, y, z : \mathbb{N}\;\; z \neq 0 \wedge z \mid (x - y) \wedge z \mid (y - x) \to [x \equiv y] \bmod z$.⁵   (11)
4 Conclusion
Fig. 5 displays the effort for obtaining the proofs. Column Proc. counts the number of user defined procedures, Lem. is the number of user defined lemmas, and Rules counts the total number of proof rule applications, separated into user invoked (User) and system initiated (System) ones. Column % gives the automation degree, i.e. the ratio between System and Rules, Steps lists the number of inference steps of the system's first-order theorem prover and Time displays the needed computer time in seconds.⁶ All termination proofs (hence all required induction axioms in turn) had been obtained without user support. Row CRT shows the effort for proving the lemmas CRT (Existence) and CRT (Uniqueness) as illustrated in Sec. 3.1 and 3.2, row Arith shows the effort which was previously required for the part of the arithmetic proof library which had been imported when proving the CRT, and row Total displays the overall effort.

         Proc.  Lem.  Rules  User  System     %  Steps  Time
  CRT        3     4     32    12      20  62.5    827    22
  Arith     11    83    417    52     365  87.5   5659    31
  Total     14    87    449    64     385  85.7   6486    53

Fig. 5. Proof statistics

⁵ As subtraction is defined here for non-negative integers only such that $a - b = 0$ if $a \le b$, both $z \mid (x - y)$ and $z \mid (y - x)$ are required to establish the congruence $[x \equiv y] \bmod z$ (where at least one of both requirements trivially holds), necessitating two calls of Lemma 9 for proving the induction step.
⁶ Time refers to running VeriFun 3.5 under Windows 7 Enterprise with an INTEL Core i7-2640M 2.80 GHz CPU using Java 1.8.0_162.
As the numbers reveal, the proof of the CRT needs much user interaction. This is because proof goals must be modified interactively to more complex ones in order to allow subsequent simplifications. Consider e.g. the expression

  $(a_1 \cdot \prod\langle tl(k)\rangle_2 \cdot I(\prod\langle tl(k)\rangle_2, m_1) + X(\ldots) \bmod m)$

in proof obligation (iii). For obtaining proof obligation (iv), Lemma 1 has to be applied interactively in a first step yielding

  $((a_1 \cdot \prod\langle tl(k)\rangle_2 \cdot I(\prod\langle tl(k)\rangle_2, m_1) \bmod m) + X(\ldots) \bmod m)$.

Then Lemma 2 must be used interactively for obtaining

  $((a_1 \cdot (\prod\langle tl(k)\rangle_2 \bmod m) \cdot I(\prod\langle tl(k)\rangle_2, m_1) \bmod m) + X(\ldots) \bmod m)$   (∗)

Now the system can apply Lemma 6 for replacing $(\prod\langle tl(k)\rangle_2 \bmod m)$ with 0 and (∗) with $(X(\ldots) \bmod m)$ in turn, thus obtaining proof obligation (iv). The need for frequent user interactions when proving the CRT is mainly raised by proof steps of this kind.
References
1. D. M. Russinoff. A Mechanical Proof of the Chinese Remainder Theorem. Dept. of Comp. Sc., Univ. of Texas, 2000.
2. C. Schwarzweller. The Chinese Remainder Theorem, its Proofs and its Generalizations in Mathematical Repositories. Studies in Logic, Grammar and Rhetoric, 18(31):103–119, 2009.
3. VeriFun. http://www.verifun.de.
4. C. Walther. Formally Verified Montgomery Multiplication. In H. Chockler and G. Weissenbacher, editors, Proc. of the 30th Intern. Conf. on Computer Aided Verification (CAV 2018), volume 10982 of Lect. Notes in Comp. Science, pages 505–522, Oxford, UK, 2018. Springer. https://doi.org/10.1007/978-3-319-96142-2_30.
5. C. Walther and N. Wasser. Fermat, Euler, Wilson - Three Case Studies in Number Theory. J. Autom. Reasoning, 59(2):267–286, 2017. https://doi.org/10.1007/s10817-016-9387-z.
6. H. Zhang and X. Hua. Proving the Chinese Remainder Theorem by the Cover Set Induction. In D. Kapur, editor, Proc. 11th Intern. Conf. on Autom. Deduction (CADE-11), volume 607 of Lect. Notes in Comp. Science, pages 431–445, Saratoga Springs, NY, USA, 1992. Springer. https://doi.org/10.1007/3-540-55602-8_182.