modular multiplicative inverse

In mathematics, particularly in the area of arithmetic, a modular multiplicative inverse of an integer is an integer such that the product is congruent to 1 with respect to the modulus .. In the standard notation of modular arithmetic this congruence is written as
:$ax \equiv 1 \pmod,$
which is the shorthand way of writing the statement that divides (evenly) the quantity , or, put another way, the remainder after dividing by the integer is 1. If does have an inverse modulo , then there is an infinite number of solutions of this congruence, which form a congruence class with respect to this modulus. Furthermore, any integer that is congruent to (i.e., in 's congruence class) has any element of 's congruence class as a modular multiplicative inverse. Using the notation of $\overline$ to indicate the congruence class containing , this can be expressed by saying that the ''modulo multiplicative inverse'' of the congruence class $\overline$ is the congruence class $\overline$ such that:
: $\overline \cdot_m \overline = \overline,$
where the symbol $\cdot_m$ denotes the multiplication of equivalence classes modulo ..
Written in this way, the analogy with the usual concept of a multiplicative inverse in the set of rational or real numbers is clearly represented, replacing the numbers by congruence classes and altering the binary operation appropriately.

As with the analogous operation on the real numbers, a fundamental use of this operation is in solving, when possible, linear congruences of the form
: $ax \equiv b \pmod.$
Finding modular multiplicative inverses also has practical applications in the field of cryptography, e.g. public-key cryptography and the RSA algorithm. A benefit for the computer implementation of these applications is that there exists a very fast algorithm (the extended Euclidean algorithm) that can be used for the calculation of modular multiplicative inverses.

Modular arithmetic

For a given positive integer , two integers, and , are said to be congruent modulo if divides their difference. This binary relation is denoted by,
:$a \equiv b \pmod.$
This is an equivalence relation on the set of integers, $\mathbb$, and the equivalence classes are called congruence classes modulo or residue classes modulo . Let $\overline$ denote the congruence class containing the integer , then
:$\overline = \.$
A linear congruence is a modular congruence of the form
:$ax \equiv b \pmod.$
Unlike linear equations over the reals, linear congruences may have zero, one or several solutions. If is a solution of a linear congruence then every element in $\overline$ is also a solution, so, when speaking of the number of solutions of a linear congruence we are referring to the number of different congruence classes that contain solutions.

If is the greatest common divisor of and then the linear congruence has solutions if and only if divides . If divides , then there are exactly solutions.

A modular multiplicative inverse of an integer with respect to the modulus is a solution of the linear congruence
:$ax \equiv 1 \pmod.$
The previous result says that a solution exists if and only if , that is, and must be relatively prime (i.e. coprime). Furthermore, when this condition holds, there is exactly one solution, i.e., when it exists, a modular multiplicative inverse is unique: If and are both modular multiplicative inverses of respect to the modulus , then
:$ab \equiv ab' \equiv 1 \pmod ,$
therefore
:$a(b-b') \equiv 0 \pmod.$
If , then , and won't even have a modular multiplicative inverse. Therefore, .

When has a solution it is often denoted in this way −
:$x \equiv a^ \pmod,$
but this can be considered an abuse of notation since it could be misinterpreted as the reciprocal of $a$ (which, contrary to the modular multiplicative inverse, is not an integer except when is 1 or −1). The notation would be proper if is interpreted as a token standing for the congruence class $\overline$, as the multiplicative inverse of a congruence class is a congruence class with the multiplication defined in the next section.

Integers modulo

The congruence relation, modulo , partitions the set of integers into congruence classes. Operations of addition and multiplication can be defined on these objects in the following way: To either add or multiply two congruence classes, first pick a representative (in any way) from each class, then perform the usual operation for integers on the two representatives and finally take the congruence class that the result of the integer operation lies in as the result of the operation on the congruence classes. In symbols, with $+_m$ and $\cdot_m$ representing the operations on congruence classes, these definitions are
:$\overline +_m \overline = \overline$
and
:$\overline \cdot_m \overline = \overline.$
These operations are well-defined, meaning that the end result does not depend on the choices of representatives that were made to obtain the result.

The congruence classes with these two defined operations form a ring, called the ring of integers modulo . There are several notations used for these algebraic objects, most often $\mathbb/m\mathbb$ or $\mathbb/m$, but several elementary texts and application areas use a simplified notation $\mathbb_m$ when confusion with other algebraic objects is unlikely.

The congruence classes of the integers modulo were traditionally known as ''residue classes modulo m'', reflecting the fact that all the elements of a congruence class have the same remainder (i.e., "residue") upon being divided by . Any set of integers selected so that each comes from a different congruence class modulo m is called a complete system of residues modulo . The division algorithm shows that the set of integers, form a complete system of residues modulo , known as the least residue system modulo . In working with arithmetic problems it is sometimes more convenient to work with a complete system of residues and use the language of congruences while at other times the point of view of the congruence classes of the ring $\mathbb/m\mathbb$ is more useful.

Multiplicative group of integers modulo

Not every element of a complete residue system modulo has a modular multiplicative inverse, for instance, zero never does. After removing the elements of a complete residue system that are not relatively prime to , what is left is called a reduced residue system, all of whose elements have modular multiplicative inverses. The number of elements in a reduced residue system is $\phi(m)$, where $\phi$ is the Euler totient function, i.e., the number of positive integers less than that are relatively prime to .

In a general ring with unity not every element has a multiplicative inverse and those that do are called units. As the product of two units is a unit, the units of a ring form a group, the group of units of the ring and often denoted by if is the name of the ring. The group of units of the ring of integers modulo is called the multiplicative group of integers modulo , and it is isomorphic to a reduced residue system. In particular, it has order (size), $\phi(m)$.

In the case that is a prime, say , then $\phi(p) = p-1$ and all the non-zero elements of $\mathbb/p\mathbb$ have multiplicative inverses, thus $\mathbb/p\mathbb$ is a finite field. In this case, the multiplicative group of integers modulo form a cyclic group of order .

Example

For any integer $n>1$, it's always the case that $n^2-n+1$ is the modular multiplicative inverse of $n+1$ with respect to the modulus $n^2$, since $(n+1)(n^2-n+1)=n^3+1$. Examples are $3\times3 \equiv 1 \pmod$, $4\times7 \equiv 1 \pmod$, $5\times13 \equiv 1 \pmod$ and so on.

The following example uses the modulus 10: Two integers are congruent mod 10 if and only if their difference is divisible by 10, for instance
:$32 \equiv 2 \pmod$ since 10 divides 32 − 2 = 30, and
:$111 \equiv 1 \pmod$ since 10 divides 111 − 1 = 110.

Some of the ten congruence classes with respect to this modulus are:
:$\overline = \$
:$\overline = \$
:$\overline = \$ and
:$\overline = \.$

The linear congruence has no solutions since the integers that are congruent to 5 (i.e., those in $\overline$) are all odd while is always even. However, the linear congruence has two solutions, namely, and . The and 2 does not divide 5, but does divide 6.

Since , the linear congruence will have solutions, that is, modular multiplicative inverses of 3 modulo 10 will exist. In fact, 7 satisfies this congruence (i.e., 21 − 1 = 20). However, other integers also satisfy the congruence, for instance 17 and −3 (i.e., 3(17) − 1 = 50 and 3(−3) − 1 = −10). In particular, every integer in $\overline$ will satisfy the congruence since these integers have the form for some integer and
:$3(7 + 10 r) - 1 = 21 + 30 r -1 = 20 + 30 r = 10(2 + 3r),$
is divisible by 10. This congruence has only this one congruence class of solutions. The solution in this case could have been obtained by checking all possible cases, but systematic algorithms would be needed for larger moduli and these will be given in the next section.

The product of congruence classes $\overline$ and $\overline$ can be obtained by selecting an element of $\overline$, say 25, and an element of $\overline$, say −2, and observing that their product (25)(−2) = −50 is in the congruence class $\overline$. Thus, $\overline \cdot_ \overline = \overline$. Addition is defined in a similar way. The ten congruence classes together with these operations of addition and multiplication of congruence classes form the ring of integers modulo 10, i.e., $\mathbb/10\mathbb$.

A complete residue system modulo 10 can be the set where each integer is in a different congruence class modulo 10. The unique least residue system modulo 10 is . A reduced residue system modulo 10 could be . The product of any two congruence classes represented by these numbers is again one of these four congruence classes. This implies that these four congruence classes form a group, in this case the cyclic group of order four, having either 3 or 7 as a (multiplicative) generator. The represented congruence classes form the group of units of the ring $\mathbb/10\mathbb$. These congruence classes are precisely the ones which have modular multiplicative inverses.

Computation

Extended Euclidean algorithm

A modular multiplicative inverse of modulo can be found by using the extended Euclidean algorithm.

The Euclidean algorithm determines the greatest common divisor (gcd) of two integers, say and . If has a multiplicative inverse modulo , this gcd must be 1. The last of several equations produced by the algorithm may be solved for this gcd. Then, using a method called "back substitution", an expression connecting the original parameters and this gcd can be obtained. In other words, integers and can be found to satisfy Bézout's identity,

:$ax + my = \gcd(a, m)= 1.$

Rewritten, this is

:$ax - 1 = (-y)m,$

that is,

:$ax \equiv 1 \pmod,$

so, a modular multiplicative inverse of has been calculated. A more efficient version of the algorithm is the extended Euclidean algorithm, which, by using auxiliary equations, reduces two passes through the algorithm (back substitution can be thought of as passing through the algorithm in reverse) to just one.

In big O notation, this algorithm runs in time , assuming , and is considered to be very fast and generally more efficient than its alternative, exponentiation.

Using Euler's theorem

As an alternative to the extended Euclidean algorithm, Euler's theorem may be used to compute modular inverses.

According to Euler's theorem, if is coprime to , that is, , then

:$a^ \equiv 1 \pmod,$

where $\phi$ is Euler's totient function. This follows from the fact that belongs to the multiplicative group $(\mathbb/m\mathbb)$^× if and only if is coprime to . Therefore, a modular multiplicative inverse can be found directly:

:$a^ \equiv a^ \pmod.$

In the special case where is a prime, $\phi (m) = m - 1$ and a modular inverse is given by
: $a^ \equiv a^ \pmod.$

This method is generally slower than the extended Euclidean algorithm, but is sometimes used when an implementation for modular exponentiation is already available. Some disadvantages of this method include:
*The value $\phi (m)$ must be known and the most efficient known computation requires 's factorization. Factorization is widely believed to be a computationally hard problem. However, calculating $\phi (m)$ is straightforward when the prime factorization of is known.
*The relative cost of exponentiation. Though it can be implemented more efficiently using modular exponentiation, when large values of are involved this is most efficiently computed with the Montgomery reduction method, that method, itself, requiring a modular inverse mod , which is what was to be calculated in the first place. Without the Montgomery method, the standard binary exponentiation, which requires division mod at every step, is a slow operation when is large.

One notable ''advantage'' of this technique is that there are no conditional branches which depend on the value of , and thus the value of , which may be an important secret in public-key cryptography, can be protected from side-channel attacks. For this reason, the standard implementation of Curve25519 uses this technique to compute an inverse.

Multiple inverses

It is possible to compute the inverse of multiple numbers , modulo a common , with a single invocation of the Euclidean algorithm and three multiplications per additional input. The basic idea is to form the product of all the , invert that, then multiply by for all to leave only the desired .

More specifically, the algorithm is (all arithmetic performed modulo ):
# Compute the prefix products $b_i = \prod_^i a_j = a_i b_$ for all .
# Compute using any available algorithm.
# For from down to 2, compute
#* and
#* .
# Finally, .

It is possible to perform the multiplications in a tree structure rather than linearly to exploit parallel computing.

Applications

Finding a modular multiplicative inverse has many applications in algorithms that rely on the theory of modular arithmetic. For instance, in cryptography the use of modular arithmetic permits some operations to be carried out more quickly and with fewer storage requirements, while other operations become more difficult. Both of these features can be used to advantage. In particular, in the RSA algorithm, encrypting and decrypting a message is done using a pair of numbers that are multiplicative inverses with respect to a carefully selected modulus. One of these numbers is made public and can be used in a rapid encryption procedure, while the other, used in the decryption procedure, is kept hidden. Determining the hidden number from the public number is considered to be computationally infeasible and this is what makes the system work to ensure privacy.

As another example in a different context, consider the exact division problem in computer science where you have a list of odd word-sized numbers each divisible by and you wish to divide them all by . One solution is as follows:
# Use the extended Euclidean algorithm to compute , the modular multiplicative inverse of , where is the number of bits in a word. This inverse will exist since the numbers are odd and the modulus has no odd factors.
# For each number in the list, multiply it by and take the least significant word of the result.

On many machines, particularly those without hardware support for division, division is a slower operation than multiplication, so this approach can yield a considerable speedup. The first step is relatively slow but only needs to be done once.

Modular multiplicative inverses are used to obtain a solution of a system of linear congruences that is guaranteed by the Chinese Remainder Theorem.

For example, the system
:: ≡ 4 (mod 5)
:: ≡ 4 (mod 7)
:: ≡ 6 (mod 11)
has common solutions since 5,7 and 11 are pairwise coprime. A solution is given by
: = (7 × 11) × 4 + (5 × 11) × 4 + (5 × 7) × 6
where
: = 3 is the modular multiplicative inverse of 7 × 11 (mod 5),
: = 6 is the modular multiplicative inverse of 5 × 11 (mod 7) and
: = 6 is the modular multiplicative inverse of 5 × 7 (mod 11).
Thus,
: = 3 × (7 × 11) × 4 + 6 × (5 × 11) × 4 + 6 × (5 × 7) × 6 = 3504
and in its unique reduced form
: ≡ 3504 ≡ 39 (mod 385)
since 385 is the LCM of 5,7 and 11.

Also, the modular multiplicative inverse figures prominently in the definition of the Kloosterman sum.

See also

* Inversive congruential generator – a pseudo-random number generator that uses modular multiplicative inverses
* Rational reconstruction (mathematics)

Notes

References

*
*
*
*

External links

*

Guevara Vasquez, Fernando
provides
solved example
of solving the modulo multiplicative inverse using Euclid's Algorithm


provides fast algorithms to compute multiplicative inverses modulo powers of 2.
{{DEFAULTSORT:Modular Multiplicative Inverse
Modular arithmetic
Binary operations