
A Machine Assisted Proof of the Chinese Remainder Theorem

Christoph Walther

Fachbereich Informatik, Technische Universität Darmstadt*

Abstract. We present a machine assisted proof of the Chinese Remainder Theorem by use of the VeriFun system.

Keywords: Modular Arithmetic, Chinese Remainder Theorem, Program Verification, Theorem Proving by Induction

1 Introduction

The Chinese Remainder Theorem (CRT for short) belongs to the basic repertoire of Number Theory and is found in standard textbooks of this field. The theorem states solvability of a system of modular equations and is formulated and proved in text books like in the following way:

Chinese Remainder Theorem. Let $a_1, \ldots, a_k$ be a sequence of non-negative integers and let $m_1, \ldots, m_k$ be a sequence of positive, pairwise co-prime integers. Then the system of congruences $[X \equiv a_i] \bmod m_i$ with $i = 1, \ldots, k$ has a unique solution in the residue class mod $m_1 \cdots m_k$.

Proof. Let $M_i := (m_1 \cdots m_k)/m_i$ and let $X := a_1 M_1 I(M_1, m_1) + \ldots + a_k M_k I(M_k, m_k)$, where $I(x, y)$ denotes some modular multiplicative inverse of co-primes $x$ and $y$, i.e. $[x \cdot I(x, y) \equiv 1] \bmod y$ if $\gcd(x, y) = 1$ and $y \neq 0$. Then $[X \equiv a_i M_i I(M_i, m_i)] \bmod m_i$ because $m_i \mid M_j$ for each $j \in \{1, \ldots, k\}$ with $j \neq i$, hence $[X \equiv a_i] \bmod m_i$ because $[M_i I(M_i, m_i) \equiv 1] \bmod m_i$ as $M_i$ and $m_i$ are co-prime.

If $[x_1 \equiv a_i] \bmod m_i$ as well as $[x_2 \equiv a_i] \bmod m_i$ for each $i \in \{1, \ldots, k\}$, then $[x_1 \equiv x_2] \bmod m_i$. Hence $[x_1 \equiv x_2] \bmod m_1 \cdots m_k$ as $m_1, \ldots, m_k$ consists of pairwise co-primes only.

This theorem spurred researchers in the past to test usability and performance of their favoured proof system, see e.g. [1,6] and also [2] for further experiments. Subsequently we illustrate how the CRT is proven with the VeriFun system¹ (see [4,5] for details of the system and its use for proofs in Number Theory). VeriFun is implemented in Java and installers for running the system under Windows, Unix/Linux or Mac are available from the web [3].

* Technical Report VFR 18/03, November 16, 2018.

¹ An acronym for "A Verifier for Functional Programs".

structure bool <= true, false
structure N <= 0, +(-:N)
structure pair[@T1,@T2] <= [infix] ⊗ ([postfix] ₁:@T1, [postfix] ₂:@T2)
structure list[@T] <= ø, [infixr] :: (hd:@T, tl:list[@T])

function co-primes(k:list[N]):bool <=
  if k = ø
    then true
    else if gcd(hd(k), ∏(tl(k))) = 1 then co-primes(tl(k)) else false end_if
  end_if

function X(k:list[pair[N,N]], M:N):N <=
  if k = ø
    then 0
    else let a := (hd(k))₁, m := (hd(k))₂ in a ∗ (M/m) ∗ I(M/m, m) + X(tl(k), M) end_let
  end_if

Fig. 1. Data structures and procedures for the Chinese Remainder Theorem

2 Formulation of the CRT

VeriFun's object language consists of principles for defining polymorphic data structures, procedures operating on them, and for statements (called "lemmas") about the data structures and procedures. The language allows Unicode and offers in-, out-, pre- and postfix notation for function symbols so that readability is increased by use of the familiar mathematical notation.

Fig. 1 displays the data structures used in this case study. The data structure bool and the data structure N for natural numbers built with the constructors 0 and +(...) for the successor function are the only predefined data structures in the system. -(...) is the selector of +(...) thus denoting the predecessor function. The data structures pair and list of Fig. 1 are user defined and represent ordered pairs and linear lists.² The symbol ⊗ denotes the pair-constructor and the i-th component of a pair is obtained by selector (...)ᵢ. Lists are built with the constructors ø for the empty list and :: (given in infix-notation). The functions hd and tl (for head and tail) are the selectors of :: yielding the leftmost list element and the list with the leftmost list element removed respectively.

Procedures are defined by if- and case-conditionals, functional composition and recursion. Procedure calls are evaluated eagerly, i.e. call-by-value. Predicates are defined by procedures with result type bool. Procedure co-primes of Fig. 1 decides whether a number list consists of pairwise co-primes only (where procedure function ∏(k:list[N]):N <= ... computes the product of the elements in a number list k) and is an example of a predicate used in this case study.

² Identifiers preceded by @ denote type variables, and therefore polymorphic pairs and lists are defined here.


lemma CRT (Existence) <= ∀ k:list[pair[N,N]], a,m:N
  if{¬ 0 ∈ ⟨k⟩₂,
    if{co-primes(⟨k⟩₂),
      if{(a ⊗ m) ∈ k, (X(k, ∏⟨k⟩₂) mod m) = (a mod m), true},
    true},
  true}

Fig. 2. Formulation of the Chinese Remainder Theorem (Existence)

We aim to prove that procedure X of Fig. 1 computes a solution for the system of congruences given by a sequence $a_1, \ldots, a_k$ of non-negative integers and a sequence $m_1, \ldots, m_k$ of positive, pairwise co-prime integers which are represented by a list $(a_1 \otimes m_1), \ldots, (a_k \otimes m_k)$ of pairs. Procedure X uses procedure function I(x,y:N):N <= ... which computes a modular multiplicative inverse and is defined elsewhere [3,4]. To obtain a correct result, procedure X must be called with $m_1 \cdots m_k$ as the actual parameter for the formal parameter M. The product $m_1 \cdots m_k$ of the co-primes is formally given by the expression ∏⟨k⟩₂, where procedure function [outfix] ⟨·⟩₂(k:list[pair[@T1,@T2]]):list[@T2] <= ... computes the list of the second components of the pairs in a list k of pairs. Formal parameter M cannot be omitted by replacement of M with ∏⟨k⟩₂ in the body of procedure X as this would yield an incorrect result.³

Lemmas are defined with the conditional if:bool × bool × bool → bool as the main connective, but negation ¬ and case-conditionals may be used as well. Only universal quantification is allowed for the variables of a lemma. Fig. 2 displays the existence part of the CRT in the system's notation using (the elsewhere defined) procedures ∈ and mod for deciding list membership and the computation of the remainder function respectively.
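The procedures of Figs. 1 and 4 and the pitfall of footnote 3, rendered in Python as an added example (this is not VeriFun code and not part of the report). The list of pairs $(a_1 \otimes m_1), \ldots, (a_k \otimes m_k)$ becomes a Python list of `(a, m)` tuples; `X` keeps the formal parameter `M` exactly as in Fig. 1, while `X_wrong` is the rejected variant that recomputes `M` from the remaining moduli in every recursive call. The function `inverse` stands in for procedure I, which the report defines elsewhere [3,4]; its extended-Euclid implementation and the helper names `crt` and `solutions_below` are assumptions of this example, not of the report.

```python
# Added example (Python, not VeriFun): the procedures of Fig. 1 and Fig. 4 over
# a list of (a_i, m_i) pairs, plus the parameter pitfall described in footnote 3.
from math import gcd
from typing import List, Tuple

Pair = Tuple[int, int]  # (a_i, m_i): the pair (a ⊗ m) of the report


def prod(ms: List[int]) -> int:
    """Product of a number list; 1 for the empty list (the base case of Sec. 3.2)."""
    p = 1
    for m in ms:
        p *= m
    return p


def co_primes(ms: List[int]) -> bool:
    """Procedure co-primes of Fig. 1: each element is co-prime to the product of the rest."""
    if not ms:
        return True
    return gcd(ms[0], prod(ms[1:])) == 1 and co_primes(ms[1:])


def inverse(x: int, y: int) -> int:
    """I(x, y): some i with (x * i) mod y = 1 mod y, for gcd(x, y) = 1 and y != 0.
    Assumed implementation (extended Euclid); the report defines I elsewhere [3,4]."""
    if y == 0 or gcd(x, y) != 1:
        raise ValueError("I(x, y) needs y != 0 and gcd(x, y) = 1 (premise of Lemma 5)")
    t, new_t = 0, 1
    r, new_r = y, x % y
    while new_r != 0:
        q = r // new_r
        t, new_t = new_t, t - q * new_t
        r, new_r = new_r, r - q * new_r
    return t % y


def X(k: List[Pair], M: int) -> int:
    """Procedure X of Fig. 1. M is the product of *all* moduli and is passed
    unchanged into the recursive call."""
    if not k:
        return 0
    a, m = k[0]
    Mi = M // m                       # M_i = (m_1 ... m_k) / m_i, as in the textbook proof
    return a * Mi * inverse(Mi, m) + X(k[1:], M)


def X_wrong(k: List[Pair]) -> int:
    """The variant ruled out in Sec. 2 and footnote 3: M replaced by the product of
    the moduli still in k, so it shrinks at every recursive call."""
    if not k:
        return 0
    a, m = k[0]
    Mi = prod([mi for _, mi in k]) // m
    return a * Mi * inverse(Mi, m) + X_wrong(k[1:])


def solves(x: int, k: List[Pair]) -> bool:
    """Procedure solves of Fig. 4: x satisfies every congruence (x mod m) = (a mod m) in k."""
    return all(x % m == a % m for a, m in k)


def crt(k: List[Pair]) -> int:
    """Existence (Fig. 2) plus uniqueness (Fig. 4) in one call: the representative
    of the unique solution class below prod(m_i). Raises on a 0 or non-co-prime modulus."""
    ms = [m for _, m in k]
    if 0 in ms or not co_primes(ms):
        raise ValueError("moduli must be non-zero and pairwise co-prime")
    M = prod(ms)
    x = X(k, M) % M
    assert solves(x, k)               # CRT (Existence)
    return x


def solutions_below(k: List[Pair], bound: int) -> List[int]:
    """Brute-force check of CRT (Uniqueness): all solutions below bound lie in one
    residue class mod prod(m_i)."""
    return [x for x in range(bound) if solves(x, k)]


if __name__ == "__main__":
    system = [(1, 2), (1, 3)]         # footnote 3's system: a1 = a2 = 1, m1 = 2, m2 = 3
    print(X(system, 6), X_wrong(system))            # 7 4
    print(solves(7, system), solves(4, system))     # True False
    print(crt([(2, 3), (3, 5), (2, 7)]))            # 23
    print(solutions_below(system, 20))              # [1, 7, 13, 19]
```

For the system of footnote 3, `X` returns 7 and `X_wrong` returns 4, which fails the first congruence (4 mod 2 = 0 but a₁ mod 2 = 1). This is the reason the formal parameter M cannot be dropped from procedure X, and it is also why the induction hypothesis of the first proof attempt in Sec. 3.1 does not match and the generalization of Fig. 3 is needed.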

3 Proofs of the CRT

When proving the CRT, we use our arithmetic proof library which ranges from simple statements like associativity and commutativity of addition up to more ambitious theorems about divisibility, primes and modular arithmetic. When importing a definition or a lemma from a library into a case study, all program elements and proofs the imported item depends on are imported as well. In the sequel we will only list the lemmas which are essential to understand the proofs and refer to [3] for a complete account of all used lemmas and their proofs.

The library lemmas⁴

$$\forall x, y, z : \mathbb{N}\quad z \neq 0 \to [x + (y \bmod z) \equiv x + y] \bmod z \tag{1}$$

$$\forall x, y, z : \mathbb{N}\quad z \neq 0 \to [x \cdot (y \bmod z) \equiv x \cdot y] \bmod z \tag{2}$$

are frequently used in the proofs for replacing a summand or a factor $y$ in a residue class mod $z$ by $(y \bmod z)$ to enable subsequent proof steps (see Sec. 4 for an example). For sake of briefness, these lemma applications are not explicitly noted in the subsequent presentation.

³ Such a replacement corresponds to the re-definition of $M_i$ by $(m_i \cdots m_k)/m_i$ in the text book proof of Sec. 1, yielding e.g. the non-solution 4 (instead of 7) for the system of congruences given by $a_1 = a_2 = 1$, $m_1 = 2$ and $m_2 = 3$.

⁴ We use $[a \equiv b] \bmod c$ as an abbreviation for $(a \bmod c) = (b \bmod c)$.

3.1 Existence Proof

Lemma CRT (Existence) of Fig. 2 is proven by structural (list) induction upon $k$. The proof of the base case $k = ø$ is trivial and the induction conclusion simplifies in case $(a \otimes m) = ((\mathit{hd}(k))_1 \otimes (\mathit{hd}(k))_2)$ to

$$m \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(m, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [a \cdot \prod\langle \mathit{tl}(k)\rangle_2 \cdot I(\prod\langle \mathit{tl}(k)\rangle_2, m) + X(\mathit{tl}(k), m \cdot \prod\langle \mathit{tl}(k)\rangle_2) \equiv a] \bmod m \tag{i}$$

using library lemma

$$\forall x, y : \mathbb{N}\quad y \neq 0 \to (x \cdot y)/y = x. \tag{3}$$

The system then applies auxiliary lemma

$$\forall m, n : \mathbb{N},\ k : \mathit{list}[\mathit{pair}[\mathbb{N},\mathbb{N}]]\quad m \neq 0 \wedge m \mid n \wedge 0 \notin \langle k\rangle_2 \to m \mid X(k, n \cdot \prod\langle k\rangle_2) \tag{4}$$

(where $a \mid b$ abbreviates $(b \bmod a) = 0$, i.e. $a$ divides $b$) for replacing $(X(\mathit{tl}(k), m \cdot \prod\langle \mathit{tl}(k)\rangle_2) \bmod m)$ by 0 and rewriting proof obligation (i) to

$$m \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(m, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [a \cdot \prod\langle \mathit{tl}(k)\rangle_2 \cdot I(\prod\langle \mathit{tl}(k)\rangle_2, m) \equiv a] \bmod m \tag{ii}$$

subsequently. Next we call the system to use library lemma

$$\forall x, y : \mathbb{N}\quad y \neq 0 \wedge \gcd(x, y) = 1 \to [x \cdot I(x, y) \equiv 1] \bmod y \tag{5}$$

causing the system to simplify proof obligation (ii) to true. Lemma 5 states correctness of procedure $I$ in computing a modular multiplicative inverse for any $x$ co-prime to some $y \neq 0$ and is formally proved elsewhere [3,4].

Otherwise $(a \otimes m) \in \mathit{tl}(k)$, and the induction conclusion rewrites with Lemma 3 to

$$m_1 \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(m_1, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [a_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2 \cdot I(\prod\langle \mathit{tl}(k)\rangle_2, m_1) + X(\mathit{tl}(k), m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2) \equiv a] \bmod m \tag{iii}$$

where $a_1$ stands for $(\mathit{hd}(k))_1$ and $m_1$ abbreviates $(\mathit{hd}(k))_2$ for sake of readability. Since $(a \otimes m) \in \mathit{tl}(k) \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2$ entails $m \in \langle \mathit{tl}(k)\rangle_2 \wedge m \neq 0$, the system subsequently uses library lemma

$$\forall n : \mathbb{N},\ k : \mathit{list}[\mathbb{N}]\quad n \neq 0 \wedge n \in k \to n \mid \prod k \tag{6}$$

lemma CRT (Existence) generalized <= ∀ k:list[pair[N,N]], a,m,n:N
  if{¬ 0 ∈ ⟨k⟩₂,
    if{co-primes(⟨k⟩₂),
      if{(a ⊗ m) ∈ k,
        if{gcd(n, ∏⟨k⟩₂) = 1, (X(k, n ∗ ∏⟨k⟩₂) mod m) = (a mod m), true},
      true},
    true},
  true}

Fig. 3. Generalization of the Chinese Remainder Theorem (Existence)

for replacing $(a_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2 \cdot I(\prod\langle \mathit{tl}(k)\rangle_2, m_1) \bmod m)$ by 0 and simplifying (iii) to

$$m_1 \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(m_1, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [X(\mathit{tl}(k), m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2) \equiv a] \bmod m \tag{iv}$$

in turn. However, the induction hypothesis

$$\forall a', m' : \mathbb{N}\quad 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge (a' \otimes m') \in \mathit{tl}(k) \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \to [X(\mathit{tl}(k), \prod\langle \mathit{tl}(k)\rangle_2) \equiv a'] \bmod m' \tag{IH}$$

cannot be used since $\prod\langle \mathit{tl}(k)\rangle_2$ does not match $m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2$ in (iv). This failure is raised by parameter $M$ of procedure $X$ and necessitates a generalization of the original statement which is displayed in Fig. 3.

When proving the generalization in case $(a \otimes m) = ((\mathit{hd}(k))_1 \otimes (\mathit{hd}(k))_2)$ of the induction step, proof obligation

$$m \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(m, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \wedge \gcd(n, m \cdot \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [a \cdot n \cdot \prod\langle \mathit{tl}(k)\rangle_2 \cdot I(n \cdot \prod\langle \mathit{tl}(k)\rangle_2, m) \equiv a] \bmod m \tag{v}$$

is obtained after the use of Lemma 3 and 4. When applying Lemma 5 also here, the system uses the library lemmas

$$\forall x, y, z : \mathbb{N}\quad \gcd(x, y) = 1 \to \gcd(x, y \cdot z) = \gcd(x, z) \tag{7}$$

$$\forall x, y, z : \mathbb{N}\quad \gcd(x, y \cdot z) = 1 \to \gcd(x, y) = 1 \tag{8}$$

to verify proof obligation

$$\gcd(n \cdot \prod\langle \mathit{tl}(k)\rangle_2, m) = 1 \tag{vi}$$

which justifies the use of Lemma 5, thus finishing the proof for this case.

The induction conclusion rewrites in case $(a \otimes m) \in \mathit{tl}(k)$ to

$$m_1 \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(m_1, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \wedge \gcd(n, m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [X(\mathit{tl}(k), n \cdot m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2) \equiv a] \bmod m \tag{vii}$$

function [infix] solves(x:N, k:list[pair[N,N]]):bool <=
  if k = ø
    then true
    else let a := (hd(k))₁, m := (hd(k))₂ in
      if (x mod m) = (a mod m) then (x solves tl(k)) else false end_if
    end_let
  end_if

lemma CRT (Uniqueness) <= ∀ k:list[pair[N,N]], x1,x2:N
  if{¬ 0 ∈ ⟨k⟩₂,
    if{co-primes(⟨k⟩₂),
      if{(x1 solves k),
        if{(x2 solves k), (x1 mod ∏⟨k⟩₂) = (x2 mod ∏⟨k⟩₂), true},
      true},
    true},
  true}

Fig. 4. Formulation of the Chinese Remainder Theorem (Uniqueness)

using the same argumentation as in the first proof attempt. Now the induction hypothesis

$$\forall a', m', n' : \mathbb{N}\quad 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge (a' \otimes m') \in \mathit{tl}(k) \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(n', \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [X(\mathit{tl}(k), n' \cdot \prod\langle \mathit{tl}(k)\rangle_2) \equiv a'] \bmod m' \tag{IH'}$$

can be applied by instantiating $n'$ with $n \cdot m_1$ for replacing $(X(\mathit{tl}(k), n \cdot m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2) \bmod m)$ in (vii) with $(a \bmod m)$. The use of (IH') is justified by proof obligation

$$m_1 \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge \gcd(m_1, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \wedge \gcd(n, m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to \gcd(n \cdot m_1, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \tag{viii}$$

which the system proves with Lemma 7 and 8, thus finishing the proof also for this case.

Finally, the original statement of Fig. 2 is proven with the generalization of Fig. 3 by instantiating $n$ with 1.

3.2 Uniqueness Proof

Procedure solves of Fig. 4 decides whether a non-negative integer $x$ solves the system of congruences given by a pair-list $k$, and lemma CRT (Uniqueness) of Fig. 4 formulates the uniqueness part of the Chinese Remainder Theorem. The proof is by structural (list) induction also here. The base case is easily proved as 1 is the product of the empty number list. The induction conclusion rewrites to

$$m_1 \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge [x_1 \equiv a_1] \bmod m_1 \wedge [x_2 \equiv a_1] \bmod m_1 \wedge (x_1\ \textit{solves}\ \mathit{tl}(k)) \wedge (x_2\ \textit{solves}\ \mathit{tl}(k)) \wedge \gcd(m_1, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \to [x_1 \equiv x_2] \bmod m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2 \tag{ix}$$

(where $a_1$ stands for $(\mathit{hd}(k))_1$ and $m_1$ abbreviates $(\mathit{hd}(k))_2$ also here) and we apply library lemma

$$\forall x, y, z : \mathbb{N}\quad y \neq 0 \wedge z \neq 0 \wedge y \mid x \wedge z \mid x \wedge \gcd(y, z) = 1 \to y \cdot z \mid x \tag{9}$$

with $x$ replaced by $x_1 - x_2$, $y$ by $m_1$ and $z$ by $\prod\langle \mathit{tl}(k)\rangle_2$. The system responds by rewriting (ix) with library lemma

$$\forall x, y, z : \mathbb{N}\quad z \neq 0 \wedge [x \equiv y] \bmod z \to z \mid (x - y) \tag{10}$$

and the induction hypothesis

$$\forall x_1', x_2' : \mathbb{N}\quad 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge (x_1'\ \textit{solves}\ \mathit{tl}(k)) \wedge (x_2'\ \textit{solves}\ \mathit{tl}(k)) \to [x_1' \equiv x_2'] \bmod \prod\langle \mathit{tl}(k)\rangle_2 \tag{IH}$$

to

$$m_1 \neq 0 \wedge 0 \notin \langle \mathit{tl}(k)\rangle_2 \wedge \textit{co-primes}(\langle \mathit{tl}(k)\rangle_2) \wedge [x_1 \equiv a_1] \bmod m_1 \wedge [x_2 \equiv a_1] \bmod m_1 \wedge (x_1\ \textit{solves}\ \mathit{tl}(k)) \wedge (x_2\ \textit{solves}\ \mathit{tl}(k)) \wedge \gcd(m_1, \prod\langle \mathit{tl}(k)\rangle_2) = 1 \wedge m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2 \mid (x_1 - x_2) \to [x_1 \equiv x_2] \bmod m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2. \tag{x}$$

After another call of Lemma 9 with $y$ replaced by $m_1$ and $z$ by $\prod\langle \mathit{tl}(k)\rangle_2$ like before, but $x$ now replaced with $x_2 - x_1$, the system infers a further conjunct $m_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2 \mid (x_2 - x_1)$ in the antecedent of the proof goal by use of Lemma 10 and the induction hypothesis (IH). It then succeeds in proving the step case with library lemma⁵

$$\forall x, y, z : \mathbb{N}\quad z \neq 0 \wedge z \mid (x - y) \wedge z \mid (y - x) \to [x \equiv y] \bmod z. \tag{11}$$
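Footnote 5 points out that subtraction on N is truncated, so a single divisibility $z \mid (x - y)$ does not establish $[x \equiv y] \bmod z$. The following Python functions are an added illustration, not part of the report: `monus` is the truncated subtraction, `congruent_one_sided` is the shortcut a proof must not take, `congruent_two_sided` is the premise of Lemma 11, and the two enumeration helpers compare both against the definition of footnote 4. All names are this example's own.

```python
# Added example (Python, not VeriFun): truncated subtraction on the naturals and
# why Lemma 11 needs both z | (x - y) and z | (y - x) (footnote 5).
from typing import List, Tuple


def monus(a: int, b: int) -> int:
    """Subtraction on N as used in the report: a - b = 0 whenever a <= b."""
    return a - b if a > b else 0


def divides(z: int, x: int) -> bool:
    """z | x, i.e. (x mod z) = 0; requires z != 0."""
    if z == 0:
        raise ValueError("z != 0 is a premise of Lemmas 9 to 11")
    return x % z == 0


def congruent(x: int, y: int, z: int) -> bool:
    """[x ≡ y] mod z as abbreviated in footnote 4: (x mod z) = (y mod z)."""
    return x % z == y % z


def congruent_one_sided(x: int, y: int, z: int) -> bool:
    """The unsound shortcut: infer [x ≡ y] mod z from z | (x - y) alone.
    Since x - y is 0 whenever x <= y, z | 0 holds and the rule accepts e.g. x=1, y=5, z=3."""
    return divides(z, monus(x, y))


def congruent_two_sided(x: int, y: int, z: int) -> bool:
    """Premise of Lemma 11: z | (x - y) and z | (y - x). One difference is 0 (trivially
    divisible), the other is |x - y|, so together they say z | |x - y|."""
    return divides(z, monus(x, y)) and divides(z, monus(y, x))


def counterexamples(bound: int, z: int) -> List[Tuple[int, int]]:
    """Pairs (x, y) below bound on which the one-sided rule disagrees with the definition."""
    return [(x, y) for x in range(bound) for y in range(bound)
            if congruent_one_sided(x, y, z) != congruent(x, y, z)]


def two_sided_is_sound(bound: int, z: int) -> bool:
    """Exhaustive check below bound that Lemma 11's premise matches the definition."""
    return all(congruent_two_sided(x, y, z) == congruent(x, y, z)
               for x in range(bound) for y in range(bound))


if __name__ == "__main__":
    print(congruent_one_sided(1, 5, 3), congruent(1, 5, 3))   # True False
    print(counterexamples(6, 3))
    print(two_sided_is_sound(100, 7))                           # True
```

Every pair with $x < y$ and $x \not\equiv y \pmod z$ is a counterexample to the one-sided rule, because $x - y$ truncates to 0 and $z \mid 0$ holds trivially; the two-sided premise never disagrees with the definition. This is exactly why the induction step above needs Lemma 9 twice, once for $x_1 - x_2$ and once for $x_2 - x_1$.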

4 Conclusion

Fig. 5 displays the effort for obtaining the proofs. Column Proc. counts the number of user defined procedures, Lem. is the number of user defined lemmas, and Rules counts the total number of proof rule applications, separated into user invoked (User) and system initiated (System) ones. Column % gives the automation degree, i.e. the ratio between System and Rules, Steps lists the number of inference steps of the system's first-order theorem prover and Time displays the needed computer time in seconds.⁶ All termination proofs (hence all required induction axioms in turn) had been obtained without user support. Row CRT shows the effort for proving the lemmas CRT (Existence) and CRT (Uniqueness) as illustrated in Sec. 3.1 and 3.2, row Arith shows the effort which was previously required for the part of the arithmetic proof library which had been imported when proving the CRT, and row Total displays the overall effort.

        Proc.  Lem.  Rules  User  System     %  Steps  Time
CRT         3     4     32    12      20  62.5    827    22
Arith      11    83    417    52     365  87.5   5659    31
Total      14    87    449    64     385  85.7   6486    53

Fig. 5. Proof statistics (Time in seconds; % = System / Rules)

As the numbers reveal, the proof of the CRT needs much user interaction. This is because proof goals must be modified interactively to more complex ones in order to allow subsequent simplifications. Consider e.g. the expression

$$((a_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2 \cdot I(\prod\langle \mathit{tl}(k)\rangle_2, m_1) + X(\ldots)) \bmod m)$$

in proof obligation (iii). For obtaining proof obligation (iv), Lemma 1 has to be applied interactively in a first step yielding

$$(((a_1 \cdot \prod\langle \mathit{tl}(k)\rangle_2 \cdot I(\prod\langle \mathit{tl}(k)\rangle_2, m_1)) \bmod m) + X(\ldots)) \bmod m.$$

Then Lemma 2 must be used interactively for obtaining

$$(((a_1 \cdot (\prod\langle \mathit{tl}(k)\rangle_2 \bmod m) \cdot I(\prod\langle \mathit{tl}(k)\rangle_2, m_1)) \bmod m) + X(\ldots)) \bmod m. \tag{$\star$}$$

Now the system can apply Lemma 6 for replacing $(\prod\langle \mathit{tl}(k)\rangle_2 \bmod m)$ with 0 and $(\star)$ with $(X(\ldots) \bmod m)$ in turn, thus obtaining proof obligation (iv).

The need for frequent user interactions when proving the CRT is mainly raised by proof steps of this kind.

⁵ As subtraction is defined here for non-negative integers only such that $a - b = 0$ iff $a \leq b$, both $z \mid (x - y)$ and $z \mid (y - x)$ are required to establish the congruence $[x \equiv y] \bmod z$ (where at least one of both requirements trivially holds), necessitating two calls of Lemma 9 for proving the induction step.

⁶ Time refers to running VeriFun 3.5 under Windows 7 Enterprise with an INTEL Core i7-2640M 2.80 GHz CPU using Java 1.8.0_162.

References

1. D. M. Russinoff. A Mechanical Proof of the Chinese Remainder Theorem. Dept. of Comp. Sc., Univ. of Texas, 2000.
2. C. Schwarzweller. The Chinese Remainder Theorem, its Proofs and its Generalizations in Mathematical Repositories. Studies in Logic, Grammar and Rhetoric, 18(31):103–119, 2009.
3. VeriFun. http://www.verifun.de.
4. C. Walther. Formally Verified Montgomery Multiplication. In H. Chockler and G. Weissenbacher, editors, Proc. of the 30th Intern. Conf. on Computer Aided Verification (CAV 2018), volume 10982 of Lect. Notes in Comp. Science, pages 505–522, Oxford, UK, 2018. Springer. https://doi.org/10.1007/978-3-319-96142-2_30.
5. C. Walther and N. Wasser. Fermat, Euler, Wilson - Three Case Studies in Number Theory. J. Autom. Reasoning, 59(2):267–286, 2017. https://doi.org/10.1007/s10817-016-9387-z.
6. H. Zhang and X. Hua. Proving the Chinese Remainder Theorem by the Cover Set Induction. In D. Kapur, editor, Proc. 11th Intern. Conf. on Autom. Deduction (CADE-11), volume 607 of Lect. Notes in Comp. Science, pages 431–445, Saratoga Springs, NY, USA, 1992. Springer. https://doi.org/10.1007/3-540-55602-8_182.