Modular multiplicative inverse

Template:Short description In mathematics, particularly in the area of arithmetic, a modular multiplicative inverse of an integer Template:Mvar is an integer Template:Mvar such that the product Template:Mvar is congruent to 1 with respect to the modulus Template:Mvar.^[1] In the standard notation of modular arithmetic this congruence is written as

${\displaystyle ax\equiv 1(\mathrm{mod}m),}$

which is the shorthand way of writing the statement that Template:Mvar divides (evenly) the quantity Template:Math, or, put another way, the remainder after dividing Template:Mvar by the integer Template:Mvar is 1. If Template:Mvar does have an inverse modulo Template:Mvar, then there are an infinite number of solutions of this congruence, which form a congruence class with respect to this modulus. Furthermore, any integer that is congruent to Template:Mvar (i.e., in Template:Mvar's congruence class) has any element of Template:Mvar's congruence class as a modular multiplicative inverse. Using the notation of ${\displaystyle \bar{w}}$ to indicate the congruence class containing Template:Mvar, this can be expressed by saying that the modulo multiplicative inverse of the congruence class ${\displaystyle \bar{a}}$ is the congruence class ${\displaystyle \bar{x}}$ such that:

${\displaystyle \bar{a}{\cdot }_m\bar{x}=\bar{1},}$

where the symbol ${\displaystyle {\cdot }_m}$ denotes the multiplication of equivalence classes modulo Template:Mvar.^[2] Written in this way, the analogy with the usual concept of a multiplicative inverse in the set of rational or real numbers is clearly represented, replacing the numbers by congruence classes and altering the binary operation appropriately.

As with the analogous operation on the real numbers, a fundamental use of this operation is in solving, when possible, linear congruences of the form

${\displaystyle ax\equiv b(\mathrm{mod}m).}$

Finding modular multiplicative inverses also has practical applications in the field of cryptography, e.g. public-key cryptography and the RSA algorithm.^[3][4][5] A benefit for the computer implementation of these applications is that there exists a very fast algorithm (the extended Euclidean algorithm) that can be used for the calculation of modular multiplicative inverses.

Template:Main For a given positive integer Template:Mvar, two integers, Template:Mvar and Template:Mvar, are said to be congruent modulo Template:Mvar if Template:Mvar divides their difference. This binary relation is denoted by,

${\displaystyle a\equiv b(\mathrm{mod}m).}$

This is an equivalence relation on the set of integers, ${\displaystyle \mathbb{Z}}$, and the equivalence classes are called congruence classes modulo Template:Mvar or residue classes modulo Template:Mvar. Let ${\displaystyle \bar{a}}$ denote the congruence class containing the integer Template:Mvar,^[6] then

${\displaystyle \bar{a}=\{b\in \mathbb{Z}\mid a\equiv b(\mathrm{mod}m)\}.}$

A linear congruence is a modular congruence of the form

${\displaystyle ax\equiv b(\mathrm{mod}m).}$

Unlike linear equations over the reals, linear congruences may have zero, one or several solutions. If Template:Mvar is a solution of a linear congruence then every element in ${\displaystyle \bar{x}}$ is also a solution, so, when speaking of the number of solutions of a linear congruence we are referring to the number of different congruence classes that contain solutions.

If Template:Mvar is the greatest common divisor of Template:Mvar and Template:Mvar then the linear congruence Template:Math has solutions if and only if Template:Mvar divides Template:Mvar. If Template:Mvar divides Template:Mvar, then there are exactly Template:Mvar solutions.^[7]

A modular multiplicative inverse of an integer Template:Mvar with respect to the modulus Template:Mvar is a solution of the linear congruence

${\displaystyle ax\equiv 1(\mathrm{mod}m).}$

The previous result says that a solution exists if and only if Template:Math, that is, Template:Mvar and Template:Mvar must be relatively prime (i.e. coprime). Furthermore, when this condition holds, there is exactly one solution, i.e., when it exists, a modular multiplicative inverse is unique:^[8] If Template:Mvar and Template:Mvar are both modular multiplicative inverses of Template:Mvar respect to the modulus Template:Mvar, then

${\displaystyle ab\equiv a{b}^{\prime }\equiv 1(\mathrm{mod}m),}$

therefore

${\displaystyle a(b-b^{\prime })\equiv 0(\mathrm{mod}m).}$

If Template:Math, then Template:Math, and Template:Mvar won't even have a modular multiplicative inverse. Therefore, Template:Math.

When Template:Math has a solution it is often denoted in this way −

${\displaystyle x\equiv a^{-1}(\mathrm{mod}m),}$

but this can be considered an abuse of notation since it could be misinterpreted as the reciprocal of ${\displaystyle a}$ (which, contrary to the modular multiplicative inverse, is not an integer except when Template:Mvar is 1 or -1). The notation would be proper if Template:Mvar is interpreted as a token standing for the congruence class ${\displaystyle \bar{a}}$, as the multiplicative inverse of a congruence class is a congruence class with the multiplication defined in the next section.

The congruence relation, modulo Template:Mvar, partitions the set of integers into Template:Mvar congruence classes. Operations of addition and multiplication can be defined on these Template:Mvar objects in the following way: To either add or multiply two congruence classes, first pick a representative (in any way) from each class, then perform the usual operation for integers on the two representatives and finally take the congruence class that the result of the integer operation lies in as the result of the operation on the congruence classes. In symbols, with ${\displaystyle {+}_m}$ and ${\displaystyle {\cdot }_m}$ representing the operations on congruence classes, these definitions are

${\displaystyle \bar{a}{+}_m\bar{b}=\overline{a+b}}$

and

${\displaystyle \bar{a}{\cdot }_m\bar{b}=\overline{ab}.}$

These operations are well-defined, meaning that the end result does not depend on the choices of representatives that were made to obtain the result.

The Template:Mvar congruence classes with these two defined operations form a ring, called the ring of integers modulo Template:Mvar. There are several notations used for these algebraic objects, most often ${\displaystyle \mathbb{Z}/m\mathbb{Z}}$ or ${\displaystyle \mathbb{Z}/m}$, but several elementary texts and application areas use a simplified notation ${\displaystyle {\mathbb{Z}}_m}$ when confusion with other algebraic objects is unlikely.

The congruence classes of the integers modulo Template:Mvar were traditionally known as residue classes modulo m, reflecting the fact that all the elements of a congruence class have the same remainder (i.e., "residue") upon being divided by Template:Mvar. Any set of Template:Mvar integers selected so that each comes from a different congruence class modulo m is called a [[Complete residue system modulo m|complete system of residues modulo Template:Mvar]].^[9] The division algorithm shows that the set of integers, Template:Math form a complete system of residues modulo Template:Mvar, known as the [[Least residue system modulo m|least residue system modulo Template:Mvar]]. In working with arithmetic problems it is sometimes more convenient to work with a complete system of residues and use the language of congruences while at other times the point of view of the congruence classes of the ring ${\displaystyle \mathbb{Z}/m\mathbb{Z}}$ is more useful.^[10]

Template:Main Not every element of a complete residue system modulo Template:Mvar has a modular multiplicative inverse, for instance, zero never does. After removing the elements of a complete residue system that are not relatively prime to Template:Mvar, what is left is called a reduced residue system, all of whose elements have modular multiplicative inverses. The number of elements in a reduced residue system is ${\displaystyle \varphi (m)}$, where ${\displaystyle \varphi }$ is the Euler totient function, i.e., the number of positive integers less than Template:Mvar that are relatively prime to Template:Mvar.

In a general ring with unity not every element has a multiplicative inverse and those that do are called units. As the product of two units is a unit, the units of a ring form a group, the group of units of the ring and often denoted by Template:Math if Template:Mvar is the name of the ring. The group of units of the ring of integers modulo Template:Mvar is called the multiplicative group of integers modulo Template:Mvar, and it is isomorphic to a reduced residue system. In particular, it has order (size), ${\displaystyle \varphi (m)}$.

In the case that Template:Mvar is a prime, say Template:Mvar, then ${\displaystyle \varphi (p)=p-1}$ and all the non-zero elements of ${\displaystyle \mathbb{Z}/p\mathbb{Z}}$ have multiplicative inverses, thus ${\displaystyle \mathbb{Z}/p\mathbb{Z}}$ is a finite field. In this case, the multiplicative group of integers modulo Template:Mvar form a cyclic group of order Template:Math.

For any integer ${\displaystyle n>1}$, it's always the case that ${\displaystyle n^2-n+1}$ is the modular multiplicative inverse of ${\displaystyle n+1}$ with respect to the modulus ${\displaystyle n^2}$, since ${\displaystyle (n+1)(n^2-n+1)=n^3+1}$. Examples are ${\displaystyle 3\times 3\equiv 1(\mathrm{mod}4)}$, ${\displaystyle 4\times 7\equiv 1(\mathrm{mod}9)}$, ${\displaystyle 5\times 13\equiv 1(\mathrm{mod}16)}$ and so on.

The following example uses the modulus 10: Two integers are congruent mod 10 if and only if their difference is divisible by 10, for instance

${\displaystyle 32\equiv 2(\mathrm{mod}10)}$ since 10 divides 32 − 2 = 30, and

${\displaystyle 111\equiv 1(\mathrm{mod}10)}$ since 10 divides 111 − 1 = 110.

Some of the ten congruence classes with respect to this modulus are:

${\displaystyle \bar{0}=\{\cdots ,-20,-10,0,10,20,\cdots \}}$

${\displaystyle \bar{1}=\{\cdots ,-19,-9,1,11,21,\cdots \}}$

${\displaystyle \bar{5}=\{\cdots ,-15,-5,5,15,25,\cdots \}}$ and

${\displaystyle \bar{9}=\{\cdots ,-11,-1,9,19,29,\cdots \}.}$

The linear congruence Template:Math has no solutions since the integers that are congruent to 5 (i.e., those in ${\displaystyle \bar{5}}$) are all odd while Template:Math is always even. However, the linear congruence Template:Math has two solutions, namely, Template:Math and Template:Math. The Template:Math and 2 does not divide 5, but does divide 6.

Since Template:Math, the linear congruence Template:Math will have solutions, that is, modular multiplicative inverses of 3 modulo 10 will exist. In fact, 7 satisfies this congruence (i.e., 21 − 1 = 20). However, other integers also satisfy the congruence, for instance 17 and −3 (i.e., 3(17) − 1 = 50 and 3(−3) − 1 = −10). In particular, every integer in ${\displaystyle \bar{7}}$ will satisfy the congruence since these integers have the form Template:Math for some integer Template:Mvar and

${\displaystyle 3(7+10r)-1=21+30r-1=20+30r=10(2+3r),}$

is divisible by 10. This congruence has only this one congruence class of solutions. The solution in this case could have been obtained by checking all possible cases, but systematic algorithms would be needed for larger moduli and these will be given in the next section.

The product of congruence classes ${\displaystyle \bar{5}}$ and ${\displaystyle \bar{8}}$ can be obtained by selecting an element of ${\displaystyle \bar{5}}$, say 25, and an element of ${\displaystyle \bar{8}}$, say −2, and observing that their product (25)(−2) = −50 is in the congruence class ${\displaystyle \bar{0}}$. Thus, ${\displaystyle \bar{5}{\cdot }_{10}\bar{8}=\bar{0}}$. Addition is defined in a similar way. The ten congruence classes together with these operations of addition and multiplication of congruence classes form the ring of integers modulo 10, i.e., ${\displaystyle \mathbb{Z}/10\mathbb{Z}}$.

A complete residue system modulo 10 can be the set {10, −9, 2, 13, 24, −15, 26, 37, 8, 9} where each integer is in a different congruence class modulo 10. The unique least residue system modulo 10 is {0, 1, 2, ..., 9}. A reduced residue system modulo 10 could be {1, 3, 7, 9}. The product of any two congruence classes represented by these numbers is again one of these four congruence classes. This implies that these four congruence classes form a group, in this case the cyclic group of order four, having either 3 or 7 as a (multiplicative) generator. The represented congruence classes form the group of units of the ring ${\displaystyle \mathbb{Z}/10\mathbb{Z}}$. These congruence classes are precisely the ones which have modular multiplicative inverses.

Template:Main Template:Wikibooks A modular multiplicative inverse of Template:Mvar modulo Template:Mvar can be found by using the extended Euclidean algorithm.

The Euclidean algorithm determines the greatest common divisor (gcd) of two integers, say Template:Mvar and Template:Mvar. If Template:Mvar has a multiplicative inverse modulo Template:Mvar, this gcd must be 1. The last of several equations produced by the algorithm may be solved for this gcd. Then, using a method called "back substitution", an expression connecting the original parameters and this gcd can be obtained. In other words, integers Template:Mvar and Template:Mvar can be found to satisfy Bézout's identity,

${\displaystyle ax+my=\gcd (a,m)=1.}$

Rewritten, this is

${\displaystyle ax-1=(-y)m,}$

that is,

${\displaystyle ax\equiv 1(\mathrm{mod}m),}$

so, a modular multiplicative inverse of Template:Mvar has been calculated. A more efficient version of the algorithm is the extended Euclidean algorithm, which, by using auxiliary equations, reduces two passes through the algorithm (back substitution can be thought of as passing through the algorithm in reverse) to just one.

In big O notation, this algorithm runs in time Template:Math, assuming Template:Math, and is considered to be very fast and generally more efficient than its alternative, exponentiation.

As an alternative to the extended Euclidean algorithm, Euler's theorem may be used to compute modular inverses.^[11]

According to Euler's theorem, if Template:Mvar is coprime to Template:Mvar, that is, Template:Math, then

${\displaystyle a^{\varphi (m)}\equiv 1(\mathrm{mod}m),}$

where ${\displaystyle \varphi }$ is Euler's totient function. This follows from the fact that Template:Mvar belongs to the multiplicative group ${\displaystyle (\mathbb{Z}/m\mathbb{Z})}$^× if and only if Template:Mvar is coprime to Template:Mvar. Therefore, a modular multiplicative inverse can be found directly:

${\displaystyle a^{\varphi (m)-1}\equiv a^{-1}(\mathrm{mod}m).}$

In the special case where Template:Mvar is a prime, ${\displaystyle \varphi (m)=m-1}$ and a modular inverse is given by

${\displaystyle a^{-1}\equiv a^{m-2}(\mathrm{mod}m).}$

This method is generally slower than the extended Euclidean algorithm, but is sometimes used when an implementation for modular exponentiation is already available. Some disadvantages of this method include:

• The value ${\displaystyle \varphi (m)}$ must be known and the most efficient known computation requires Template:Mvar's factorization. Factorization is widely believed to be a computationally hard problem. However, calculating ${\displaystyle \varphi (m)}$ is straightforward when the prime factorization of Template:Mvar is known.
• The relative cost of exponentiation. Though it can be implemented more efficiently using modular exponentiation, when large values of Template:Mvar are involved this is most efficiently computed with the Montgomery reduction method, that method, itself, requiring a modular inverse mod Template:Mvar, which is what was to be calculated in the first place. Without the Montgomery method, the standard binary exponentiation, which requires division mod Template:Mvar at every step, is a slow operation when Template:Mvar is large.

One notable advantage of this technique is that there are no conditional branches which depend on the value of Template:Mvar, and thus the value of Template:Mvar, which may be an important secret in public-key cryptography, can be protected from side-channel attacks. For this reason, the standard implementation of Curve25519 uses this technique to compute an inverse.

It is possible to compute the inverse of multiple numbers Template:Mvar, modulo a common Template:Mvar, with a single invocation of the Euclidean algorithm and three multiplications per additional input.^[12] The basic idea is to form the product of all the Template:Mvar, invert that, then multiply by Template:Mvar for all Template:Math to leave only the desired Template:Math.

More specifically, the algorithm is (all arithmetic performed modulo Template:Mvar):

1. Compute the prefix products $b_i={\prod }_{j=1}^i{a}_j=a_i{b}_{i-1}$ for all Template:Math.
2. Compute Template:Math using any available algorithm.
3. For Template:Mvar from Template:Mvar down to 2, compute
   • Template:Math and
   • Template:Math.
4. Finally, Template:Math.

It is possible to perform the multiplications in a tree structure rather than linearly to exploit parallel computing.

Finding a modular multiplicative inverse has many applications in algorithms that rely on the theory of modular arithmetic. For instance, in cryptography the use of modular arithmetic permits some operations to be carried out more quickly and with fewer storage requirements, while other operations become more difficult.^[13] Both of these features can be used to advantage. In particular, in the RSA algorithm, encrypting and decrypting a message is done using a pair of numbers that are multiplicative inverses with respect to a carefully selected modulus. One of these numbers is made public and can be used in a rapid encryption procedure, while the other, used in the decryption procedure, is kept hidden. Determining the hidden number from the public number is considered to be computationally infeasible and this is what makes the system work to ensure privacy.^[14]

As another example in a different context, consider the exact division problem in computer science where you have a list of odd word-sized numbers each divisible by Template:Math and you wish to divide them all by Template:Math. One solution is as follows:

1. Use the extended Euclidean algorithm to compute Template:Math, the modular multiplicative inverse of Template:Math, where Template:Math is the number of bits in a word. This inverse will exist since the numbers are odd and the modulus has no odd factors.
2. For each number in the list, multiply it by Template:Math and take the least significant word of the result.

On many machines, particularly those without hardware support for division, division is a slower operation than multiplication, so this approach can yield a considerable speedup. The first step is relatively slow but only needs to be done once.

Modular multiplicative inverses are used to obtain a solution of a system of linear congruences that is guaranteed by the Chinese Remainder Theorem.

For example, the system

Template:Mvar ≡ 4 (mod 5)

Template:Mvar ≡ 4 (mod 7)

Template:Mvar ≡ 6 (mod 11)

has common solutions since 5,7 and 11 are pairwise coprime. A solution is given by

Template:Mvar = Template:Math (7 × 11) × 4 + Template:Math (5 × 11) × 4 + Template:Math (5 × 7) × 6

where

Template:Math = 3 is the modular multiplicative inverse of 7 × 11 (mod 5),

Template:Math = 6 is the modular multiplicative inverse of 5 × 11 (mod 7) and

Template:Math = 6 is the modular multiplicative inverse of 5 × 7 (mod 11).

Thus,

Template:Mvar = 3 × (7 × 11) × 4 + 6 × (5 × 11) × 4 + 6 × (5 × 7) × 6 = 3504

and in its unique reduced form

Template:Mvar ≡ 3504 ≡ 39 (mod 385)

since 385 is the LCM of 5,7 and 11.

Also, the modular multiplicative inverse figures prominently in the definition of the Kloosterman sum.

• Inversive congruential generator – a pseudo-random number generator that uses modular multiplicative inverses
• Rational reconstruction (mathematics)

Template:Reflist

• Template:Citation
• Template:Citation
• Template:Cite book
• Template:Citation

• Template:MathWorld
• Guevara Vasquez, Fernando provides a solved example of solving the modulo multiplicative inverse using Euclid's Algorithm