CSE 311 Lecture 15:
Modular Exponentiation and Induction

Emina Torlak and Kevin Zatloukal

Topics

Modular equations: A quick review of Lecture 14.
Modular exponentiation: A fast algorithm for computing $a^k\ \text{mod}\ m$.
Mathematical induction: A method for proving statements about all natural numbers.
Using induction: Using induction in formal and English proofs.
Example proofs by induction: Example proofs about sums and divisibility.

$\newcommand{hilite}[2]{\color{#1}{#2}}$ $\newcommand{qed}{\square}$ $\newcommand{\N}{\mathbb{N}}$ $\newcommand{\Z}{\mathbb{Z}}$ $\newcommand{\mod}[2]{#1\ \text{mod}\ #2}$ $\renewcommand{\div}[2]{#1\ \text{div}\ #2}$ $\newcommand{\congruent}[3]{#1\equiv #2\,(\text{mod}\,#3)}$ $\newcommand{\gcd}[2]{\text{GCD}(#1, #2)}$ $\newcommand{ra}[1]{\color{SteelBlue}{#1}}$ $\newcommand{rb}[1]{\color{MediumSeaGreen}{#1}}$ $\newcommand{rule}[2]{\begin{array}{c}#1\\ \hline \therefore #2\end{array}}$

Modular equations

A quick review of Lecture 14.

Bézout’s theorem and multiplicative inverses

Bézout’s theorem: If $a$ and $b$ are positive integers, then there exist integers $s$ and $t$ such that $\gcd{a}{b} = sa + tb$.

We can compute $s$ and $t$ using the extended Euclidean algorithm.

If $\gcd{a}{m} = 1$, then $\mod{s}{m}$ is the multiplicative inverse of $a$ modulo $m$:

$1 = \mod{(sa+tm)}{m} = \mod{sa}{m}$, so we have
$\congruent{sa}{1}{m}$.

These inverses let us solve modular equations.

Using multiplicative inverses to solve modular equations

Solve: $\congruent{7x}{1}{26}$

① Compute GCD and keep the tableau.

$\begin{align} \gcd{26}{7} &= \gcd{7}{5} = \gcd{5}{2} \\ &= \gcd{2}{1} = \gcd{1}{0} \\ &= 1 \end{align}$

② Solve the equations for $r$ in the tableau.

③ Back substitute the equations for $r$.

$\begin{align} 1 &= 5 - 2 * (7 - 1*5) \\ &= (-2) * 7 + 3 * 5 \\ &= (-2) * 7 + 3 * (26 - 3 * 7) \\ &= 3*26 + (-11) * 7 \\ \end{align}$

④ Solve for $x$.

Multiplicative inverse of 7 mod 26
- $\mod{(-11)}{26}=15$
So, $x=26k + 15$ for $k\in\Z$.

Solving a more general equation

Solve: $\congruent{7y}{3}{26}$

We computed that 15 is the multiplicative inverse of 7 modulo 26:: That is, $\congruent{7 * 15}{1}{26}$.
By the multiplication property of mod, we have: That is, $\congruent{7 * 15 * 3}{1 * 3}{26}$.
So, any $\congruent{y}{15 * 3}{26}$ is a solution.: That is, $y = 19 + 26k$ for any $k\in\Z$ is a solution.

A useful proof technique based on modular equations

Suppose that $x,y\in\Z$ and $(x, y)$ satisfies linear equations: $ax + by = c$ and $dx + ey = f$,; where $a,b,c,d,e,f$ are integer coefficients.
Then $(x, y)$ also satisfies the corresponding equations mod $m > 0\in\Z$:: $\congruent{ax + by}{c}{m}$ and $\congruent{dx + ey}{f}{m}$.
The reverse doesn’t hold. Can you think of a counterexample?: $(0, 0)$ is a solution to $\congruent{x + y}{2}{2}$ and $\congruent{2x + 2y}{4}{2}$.; But it’s not a solution to $x + y = 2$ and $2x + 2y = 4$.
The contrapositive is a useful proof technique:: You can prove that a system of linear equations with integer coefficients has no integer solutions by showing that those equations modulo $m$ have no solutions.

Modular exponentiation

A fast algorithm for computing $a^k\ \text{mod}\ m$.

The modular exponentiation problem: $\mod{a^k}{m}$

How would you compute $\mod{78365^{81453}}{104729}$?

Naive approach: First compute ${78365^{81453}}$.; Then take the result modulo $104729$.

This works but is very inefficient …: The intermediate result ${78365^{81453}}$ is a 1,324,257-bit number!; But we only need the remainder mod 104,729, which is 17 bits.

To keep the intermediate results small, we use fast modular exponentiation.

Repeated squaring: $\mod{a^k}{m}$ for $k = 2^i$

If $k = 2^i$, we can compute $\mod{a^k}{m}$ in just $i$ steps.

Note that $\congruent{\mod{a}{m}}{a}{m}$ and $\congruent{\mod{b}{m}}{b}{m}$. So, we have $\mod{ab}{m} = \mod{((\mod{a}{m})(\mod{b}{m}))}{m}$.

For example:
$\begin{align} \mod{a^2}{m} &= \mod{(\mod{a}{m})^2}{m} \\ \mod{a^4}{m} &= \mod{(\mod{a^2}{m})^2}{m} \\ \mod{a^8}{m} &= \mod{(\mod{a^4}{m})^2}{m} \\ \mod{a^{16}}{m} &= \mod{(\mod{a^8}{m})^2}{m} \\ \mod{a^{32}}{m} &= \mod{(\mod{a^{16}}{m})^2}{m} \\ \end{align}$

What if $k$ is not a power of 2?

Fast exponentiation: $\mod{a^k}{m}$ for all $k$

Note that 81453 is 10011111000101101 in binary.: $81453 = 2^{16} + 2^{13} + 2^{12} + 2^{11} + 2^{10} + 2^{9} + 2^{5} + 2^{3} + 2^{2} + 2^{0}$; $a^{81453} = a^{2^{16}} * a^{2^{13}} * a^{2^{12}} * a^{2^{11}} * a^{2^{10}} * a^{2^{9}} * a^{2^{5}} * a^{2^{3}} * a^{2^{2}} * a^{2^{0}}$

$\begin{align} \mod{a^{81453}}{m} = ((((((((((& \mod{a^{2^{16}}}{m} \,* \\ & \mod{a^{2^{13}}}{m}) \text{ mod } m \,* \\ & \quad \mod{a^{2^{12}}}{m}) \text{ mod } m \,* \\ & \quad\quad \mod{a^{2^{11}}}{m}) \text{ mod } m \,* \\ & \quad\quad\quad \mod{a^{2^{10}}}{m}) \text{ mod } m \,* \\ & \quad\quad\quad\quad \mod{a^{2^{9}}}{m}) \text{ mod } m \,* \\ & \quad\quad\quad\quad\quad \mod{a^{2^{5}}}{m}) \text{ mod } m \,* \\ & \quad\quad\quad\quad\quad\quad \mod{a^{2^{3}}}{m}) \text{ mod } m \,* \\ & \quad\quad\quad\quad\quad\quad\quad \mod{a^{2^{2}}}{m}) \text{ mod } m \,* \\ & \quad\quad\quad\quad\quad\quad\quad\quad \mod{a^{2^{0}}}{m}) \text{ mod } m)\\ \end{align}$

Fast exponentiation computes $\mod{a^k}{m}$ using $\leq 2\log k$ multiplications mod $m$.

The fast exponentiation algorithm

$\begin{align} \mod{a^{2j}}{m} &= \mod{(\mod{a^j}{m})^2}{m} \\ \mod{a^{2j+1}}{m} &= \mod{((\mod{a}{m}) * (\mod{a^{2j}}{m}))}{m} \end{align}$

Example implementation:

// Assumes a > 0, k >= 0, m > 0.
public static long fastModExp(long a, long k, long m) {
    if (k == 0) {            // k = 0
        return 1;
    } else if (k % 2 == 0) { // k is even
        long tmp = fastModExp(a, k/2, m);
        return (tmp * tmp) % m;
    } else {                // k is odd
        long tmp = fastModExp(a, k-1, m);
        return (a * tmp) % m;
    }
}

$\mod{78365^{81453}}{104729} = 45235$

Using fast modular exponentiation: RSA encryption

Alice chooses random 512-bit (or 1024-bit) primes $p, q$ and exponent $e$.: Alice computes $m=pq$ and broadcasts $(m, e)$, which is her public key.; She also computes the multiplicative inverse $d$ of $\mod{e}{(p-1)(q-1)}$, which serves as her private key.
To encrypt a message $a$ with Alice’s public key, Bob computes $C = \mod{a^e}{m}$.: This computation uses fast modular exponentiation.; Bob sends the ciphertext $C$ to Alice.
To decrypt $C$, Alice computes $\mod{C^d}{m}$.: This computation also uses fast modular exponentiation.; It works because $\mod{C^d}{m} = a$ for $0 < a < m$ unless $p\vert a$ or $q \vert a$.

Mathematical induction

A method for proving statements about all natural numbers.

How would you prove this theorem?

Mods and exponents: For all integers $a, b, m > 0$ and $k \geq 0$, $\congruent{a}{b}{m} \rightarrow \congruent{a^k}{b^k}{m}$.

Proof (almost):: Let $a, b, m > 0\in\Z$ and $k \geq 0\in\Z$ be arbitrary. Suppose that $\congruent{a}{b}{m}$.; By the multiplication property, we know that if $\congruent{a}{b}{m}$ and $\congruent{c}{d}{m}$, then $\congruent{ac}{bd}{m}$. So, taking $c$ to be $a$ and $d$ to be $b$, we have $\congruent{a^2}{b^2}{m}$.; Applying this reasoning repeatedly, we have $\begin{align} (\congruent{a}{b}{m} \wedge \congruent{a}{b}{m}) &\rightarrow (\congruent{a^2}{b^2}{m}) \\ (\congruent{a^2}{b^2}{m} \wedge \congruent{a}{b}{m}) &\rightarrow (\congruent{a^3}{b^3}{m}) \\ &\ldots \\ (\congruent{a^{(k-1)}}{b^{(k-1)}}{m} \wedge \congruent{a}{b}{m}) &\rightarrow (\congruent{a^k}{b^k}{m}).\\ \end{align}$; This, uhm, completes the proof? $\qed$

We don’t have a proof rule to say “perform this step repeatedly.”

Perform a step repeatedly with induction!

Induction$\rule{P(0); \forall k. P(k)\rightarrow P(k+1)}{\forall n. P(n)}$

Domain: natural numbers ($\N$).

Induction is a logical rule of inference that applies (only) over $\N$.: If we know that a property $P$ holds for 0, and; we know that $\forall k. P(k)\rightarrow P(k+1)$, then; we can conclude that $P$ holds for all natural numbers.

// f(x) = x for all x >= 0.
public int f(int x) {
  if (x == 0) { return 0; }
  else        { return f(x - 1) + 1; }
}

Induction is essential for reasoning about programs with loops and recursion.

Induction: how does it work?

Induction$\rule{P(0); \forall k. P(k)\rightarrow P(k+1)}{\forall n. P(n)}$

Domain: natural numbers ($\N$).

Suppose that we are given $P(0)$ and $\forall k. P(k)\rightarrow P(k+1)$.

How does that give us $P(k)$ for a concrete $k$ such as $5$?

1.	First, we have $P(0)$.	$P(0)$
2.	Since $P(k)\rightarrow P(k+1)$ for all $k$, we have $P(0)\rightarrow P(1)$.	$\ \Downarrow_{\ P(0)\rightarrow P(1)}$
3.	Applying Modus Ponens to 1 and 2, we get $P(1)$.	$P(1)$
4.	Since $P(k)\rightarrow P(k+1)$ for all $k$, we have $P(1)\rightarrow P(2)$.	$\ \Downarrow_{\ P(1)\rightarrow P(2)}$
5.	Applying Modus Ponens to 3 and 4, we get $P(2)$.	$P(2)$
$\vdots$		$\ \Downarrow_{\ P(k)\rightarrow P(k+1)}$
11.	Applying Modus Ponens to 9 and 10, we get $P(5)$.	$P(5)$

Using induction

Using induction in formal and English proofs.

Using the induction rule in a formal proof

Induction$\rule{P(0); \forall k. P(k)\rightarrow P(k+1)}{\forall n. P(n)}$

1.	Prove $P(0)$
2.	Let $k\geq0$ be an arbitrary integer

3.1.	Assume that $P(k)$ is true
3.2.	$\ldots$
3.3.	Prove $P(k+1)$ is true

4.	$P(k) \rightarrow P(k+1)$	Direct Proof Rule
5.	$\forall k. P(k) \rightarrow P(k+1)$	Intro $\forall$: 2, 4
6.	$\forall n. P(n)$	Induction: 1, 5

Using the induction rule in a formal proof: key parts

Induction$\rule{P(0); \forall k. P(k)\rightarrow P(k+1)}{\forall n. P(n)}$

Prove $P(0)$

Base case

Let $k\geq0$ be an arbitrary integer

3.1.

Assume that $P(k)$ is true

Inductive
hypothesis

3.2.	$\ldots$
3.3.	Prove $P(k+1)$ is true

Inductive
step

4.	$P(k) \rightarrow P(k+1)$	Direct Proof Rule
5.	$\forall k. P(k) \rightarrow P(k+1)$	Intro $\forall$: 2, 4
6.	$\forall n. P(n)$	Induction: 1, 5

Conclusion

Translating to an English proof: the template

① Let $P(n)$ be [ definition of $P(n)$ ].: We will show that $P(n)$ is true for every integer $n\geq 0$ by induction.
② Base case ($n=0$):: [ Proof of $P(0)$. ]
③ Inductive hypothesis:: Suppose that $P(k)$ is true for an arbitrary integer $k\geq 0$.
④ Inductive step:: We want to prove that $P(k+1)$ is true.; [ Proof of $P(k+1)$. This proof must invoke the inductive hypothesis somewhere. ]
⑤ The result follows for all $n\geq 0$ by induction.

Prove $P(0)$

Base case

Let $k\geq0$ be an arbitrary integer

3.1.

Assume that $P(k)$ is true

Inductive
hypothesis

3.2.	$\ldots$
3.3.	Prove $P(k+1)$ is true

Inductive
step

4.	$P(k) \rightarrow P(k+1)$	Direct Proof Rule
5.	$\forall k. P(k) \rightarrow P(k+1)$	Intro $\forall$: 2, 4
6.	$\forall n. P(n)$	Induction: 1, 5

Conclusion

Induction dos and don’ts:

Do write out all 5 steps.
Do point out where you are using the inductive hypothesis in step ④.
Don’t assume $P(k+1)$!

Example proofs by induction

Example proofs about sums and divisibility.

What is $\sum_{i=0}^{n}2^i$ for an arbitrary $n\in\N$?

Recall that $\sum_{i=0}^{n}2^i = 2^0 + 2^1 + \ldots + 2^n$.

Let’s look at a few examples:: $\sum_{i=0}^{0}2^i = 1$; $\sum_{i=0}^{1}2^i = 1 + 2 = 3$; $\sum_{i=0}^{2}2^i = 1 + 2 + 4 = 7$; $\sum_{i=0}^{3}2^i = 1 + 2 + 4 + 8 = 15$; $\sum_{i=0}^{4}2^i = 1 + 2 + 4 + 8 + 16 = 31$

It looks like this sum is $2^{n+1}-1$.: Let’s use induction to prove it!

Prove $\sum_{i=0}^{n}2^i = 2^{n+1}-1$ for all $n\in\N$

① Let $P(n)$ be $\sum_{i=0}^{n}2^i = 2^0 + 2^1 + \ldots + 2^n = 2^{n+1}-1$.: We will show that $P(n)$ is true for every integer $n\geq 0$ by induction.
② Base case ($n = 0$):: $\sum_{i=0}^{0}2^i = 2^0 = 1 = 2^{0+1} - 1$ so $P(0)$ is true.
③ Inductive hypothesis:: Suppose that $P(k)$ is true for an arbitrary integer $k\geq 0$.
④ Inductive step: Assume $P(k)$ to prove $P(k+1)$, not vice versa!: We want to prove that $P(k+1)$ is true, i.e., $\sum_{i=0}^{k+1}2^i = 2^{k+2}-1$. Note that $\sum_{i=0}^{k+1}2^i = ($$\sum_{i=0}^{k}2^i$$) + 2^{k+1} = ($$2^{k+1}-1$$) + 2^{k+1}$ by the inductive hypothesis. From this, we have that $(2^{k+1} - 1) + 2^{k+1} =$ $2 * 2^{k+1} - 1 =$ $2^{k+1+1} - 1 =$ $2^{k+2} - 1$, which is exactly $P(k+1)$.
⑤ The result follows for all $n\geq 0$ by induction.

Prove $\sum_{i=0}^{n}i = n(n+1)/2$ for all $n\in\N$

① Let $P(n)$ be $\sum_{i=0}^{n}i = 0 + 1 + \ldots + n = n(n+1)/2$.: We will show that $P(n)$ is true for every integer $n\geq 0$ by induction.
② Base case ($n = 0$):: $\sum_{i=0}^{n}i = 0 = 0(0+1)/2$ so $P(0)$ is true.
③ Inductive hypothesis:: Suppose that $P(k)$ is true for an arbitrary integer $k\geq 0$.
④ Inductive step:: We want to prove that $P(k+1)$ is true, i.e., $\sum_{i=0}^{k+1}i = (k+1)(k+2)/2$. Note that $\sum_{i=0}^{k+1}i = ($$\sum_{i=0}^{k}i$$) + (k + 1) = ($$k(k+1)/2$$) + (k+1)$ by the inductive hypothesis. From this, we have that $(k(k+1)/2) + (k+1) =$ $(k+1)(k/2 + 1) =$ $(k+1)(k+2)/2$, which is exactly $P(k+1)$.
⑤ The result follows for all $n\geq 0$ by induction.

What number divides $2^{2n}-1$ for every $n\in\N$?

Let’s look at a few examples:: $2^{2*0} - 1 = 1 - 1 = 0 = 3 * 0$; $2^{2*1} - 1 = 4 - 1 = 3 = 3 * 1$; $2^{2*2} - 1 = 16 - 1 = 15 = 3 * 5$; $2^{2*3} - 1 = 64 - 1 = 63 = 3 * 21$; $2^{2*4} - 1 = 256 - 1 = 255 = 3 * 85$

It looks like $3 \vert (2^{2n}-1)$.: Let’s use induction to prove it!

Prove $3 \vert (2^{2n}-1)$ for all $n\in\N$

① Let $P(n)$ be $3 \vert (2^{2n}-1)$.: We will show that $P(n)$ is true for every integer $n\geq 0$ by induction.
② Base case ($n = 0$):: $2^{2 * 0} - 1 = 1 - 1 = 0 = 3*0$ so $P(0)$ is true.
③ Inductive hypothesis:: Suppose that $P(k)$ is true for an arbitrary integer $k\geq 0$.
④ Inductive step:: We want to prove that $P(k+1)$ is true, i.e., $3 \vert (2^{2(k+1)}-1)$. By inductive hypothesis, $3 \vert (2^{2k}-1)$ so $2^{2k}-1 = 3j$ for some integer $j$. We therefore have that $2^{2(k+1)} - 1 $ $=$ $2^{2k+2} - 1$ $=$ $4($$2^{2k}$$) - 1$ $=$ $4($$3j+1$$) - 1$ $=$ $12j + 3 = 3(4j + 1)$. So $3 \vert (2^{2(k+1)}-1)$, which is exactly $P(k+1)$.
⑤ The result follows for all $n\geq 0$ by induction.

Summary

Fast modular exponentiation efficiently computes $\mod{a^k}{m}$.: Important practical applications include public-key cryptography (RSA).
Induction lets us prove statements about all natural numbers.: A proof by induction must show that $P(0)$ is true (base case).; And it must use the inductive hypothesis $P(k)$ to show that $P(k+1)$ is true (inductive step).

$a$ $=$	$q$ $*$	$b$ $+$	$r$
$26$ $=$	$3$ $*$	$7$ $+$	$5$
$7$ $=$	$1$ $*$	$5$ $+$	$2$
$5$ $=$	$2$ $*$	$2$ $+$	$1$

$r$ $=$	$a$ $-$	$q$ $*$	$b$
$5$ $=$	$26$ $-$	$3$ $*$	$7$
$2$ $=$	$7$ $-$	$1$ $*$	$5$
$1$ $=$	$5$ $-$	$2$ $*$	$2$

CSE 311 Lecture 15: Modular Exponentiation and Induction

Topics

Modular equations

Bézout’s theorem and multiplicative inverses

Using multiplicative inverses to solve modular equations

Solving a more general equation

A useful proof technique based on modular equations

Modular exponentiation

The modular exponentiation problem: $\mod{a^k}{m}$

Repeated squaring: $\mod{a^k}{m}$ for $k = 2^i$

Fast exponentiation: $\mod{a^k}{m}$ for all $k$

The fast exponentiation algorithm

Using fast modular exponentiation: RSA encryption

Mathematical induction

How would you prove this theorem?

Perform a step repeatedly with induction!

Induction: how does it work?

Using induction

Using the induction rule in a formal proof

Using the induction rule in a formal proof: key parts

Translating to an English proof: the template

Example proofs by induction

What is $\sum_{i=0}^{n}2^i$ for an arbitrary $n\in\N$?

Prove $\sum_{i=0}^{n}2^i = 2^{n+1}-1$ for all $n\in\N$

Prove $\sum_{i=0}^{n}i = n(n+1)/2$ for all $n\in\N$

What number divides $2^{2n}-1$ for every $n\in\N$?

Prove $3 \vert (2^{2n}-1)$ for all $n\in\N$

Summary

CSE 311 Lecture 15:
Modular Exponentiation and Induction