ETH Zürich

Departement Informatik

Diskrete
Mathematik

Ueli Maurer

Herbstsemester 2023
Vorwort

Viele Disziplinen der Wissenschaft, insbesondere der Natur- und Ingenieurwis-

senschaften, beruhen in einer zentralen Weise auf der Mathematik. Einerseits
erlaubt die Mathematik, Sachverhalte zu modellieren und damit den Diskurs
von einer intuitiven auf eine präzise und formale Stufe zu heben. Andererseits
erlaubt die Mathematik, wenn Sachverhalte einmal präzise modelliert sind (z.B.
die Statik als Teil der Physik), konkrete Probleme zu lösen (z.B. eine Brücke zu
dimensionieren).
Welche mathematischen Disziplinen sind für die Computerwissenschaften
(Informatik, Computer Science) speziell relevant? Was muss in der Informa-
tik modelliert werden? Welche Art von Problemen möchte man verstehen und
lösen können? Der gemeinsame Nenner der vielen möglichen Antworten ist,
dass es in der Informatik um diskrete, meist endliche Strukturen geht. Digita-
le Computer haben einen endlichen Zustandsraum, d.h. der Zustand ist exakt
beschreibbar als eine von endlich vielen Möglichkeiten. Zwei Zustände können
nicht, wie in der Physik, beliebig ähnlich sein. Es gibt nicht das Problem, dass
reellwertige Parameter (z.B. die Temperatur) nur approximativ gemessen wer-
den können. In der Informatik im engeren Sinn gibt es keine kontinuierlichen
Grössen.1
Das heisst natürlich nicht, dass sich die Informatik nicht mit Themen befasst,
bei denen kontinuierliche Grössen wichtig sind. Die Informatik ist ja auch eine
Hilfswissenschaft, z.B. für die Naturwissenschaften, wobei die Grenzen zwi-
schen der eigentlichen Wissenschaft und der Hilfswissenschaft in einigen Berei-
chen verschwommener werden. In Bereichen wie Computational Biology oder
Computational Chemistry werden wesentliche Beiträge direkt von der Informa-
tik beigesteuert. In diesen Bereichen der Informatik spielen reellwertig parame-
trisierte Systeme eine wichtige Rolle.2

1 Die Mathematik der Informatik sollte demnach einfacher verständlich sein als die kontinuier-

liche Mathematik (z.B. Analysis). Sollte dies dem Leser ab und zu nicht so erscheinen, so ist es
vermutlich lediglich eine Frage der Gewöhnung.
2 Die Numerik befasst sich unter anderem mit dem Thema der (in einem Computer unvermeid-

baren) diskreten Approximation reeller Grössen und den daraus resultierenden Problemen wie z.B.
numerische Instabilitäten.
 Das Teilgebiet der Mathematik, das sich mit diskreten Strukturen befasst,
heisst diskrete Mathematik. Der Begriff “diskret” ist zu verstehen als endlich oder
abzählbar unendlich. Viele Teilbereiche der diskreten Mathematik sind so wichtig,
dass sie vertieft in einer eigenen Vorlesung behandelt werden. Dazu gehören
die Theorie der Berechnung, also die Formalisierung der Begriffe Berechnung
und Algorithmus, welche in der Vorlesung “Theoretische Informatik” behan-
delt wird, sowie die diskrete Wahrscheinlichkeitstheorie. Eine inhaltliche Ver-
wandtschaft besteht auch zur Vorlesung über Algorithmen und Datenstruktu-
ren.
In dieser Lehrveranstaltung werden die wichtigsten Begriffe, Techniken und
Resultate der diskreten Mathematik eingeführt. Hauptziele der Vorlesung sind
nebst der Behandlung der konkreten Themen ebenso die adäquate Modellie-
rung von Sachverhalten, sowie das Verständnis für die Wichtigkeit von Ab-
straktion, von Beweisen und generell der mathematisch-präzisen Denkweise,
die auch beim Entwurf von Softwaresystemen enorm wichtig ist. Zudem wer-
den einige Anwendungen diskutiert, z.B. aus der Kryptografie, der Codierungs-
theorie oder der Algorithmentheorie. Diskrete Mathematik ist ein sehr breites
Gebiet. Entsprechend unterschiedliche Ansätze gibt es auch für den Aufbau ei-
ner Vorlesung über das Thema. Mein Ziel bei der Konzipierung dieser Lehr-
veranstaltung war es, speziell auf Themen einzugehen, die in der Informatik
wichtig sind, sowie dem Anspruch zu genügen, keine zentralen Themen der
diskreten Mathematik auszulassen. Ausnahmen sind die Kombinatorik und die
Graphentheorie, die früher als Kapitel 4 und 5 dieses Skriptes erschienen, in der
letzten Studienplanrevision aber in andere Vorlesungen verschoben wurden.
Die sechs Kapitel sind

1. Introduction and Motivation

2. Mathematical Reasoning and Proofs
3. Sets, Relations, and Functions
4. Number Theory
5. Algebra
6. Logic

Viele Beispiele werden nur an der Tafel oder in den Übungen behandelt. Die
Vorlesung und die Übungen bilden einen integralen Bestandteil der Lehrveran-
staltung und des Prüfungsstoffes. Es gibt kein einzelnes Buch, das den ganzen
Stoff der Lehrveranstaltung behandelt. Aber unten folgt eine Liste guter Bücher,
die als Ergänzung dienen können. Sie decken aber jeweils nur Teile der Vorle-
sung ab, gehen zum Teil zu wenig tief, oder sind zu fortgeschritten im Vergleich
zur Vorlesung.

• N. L. Biggs, Discrete Mathematics, Clarendon Press.

iv
 • K. H. Rosen, Discrete Mathematics and its Applications, fourth edition,
McGraw-Hill.
• A. Steger, Diskrete Strukturen, Band 1, Springer Verlag.
• M. Aigner, Diskrete Mathematik, Vieweg.
• J. Matousek, J. Nesetril, Discrete Mathematics, Clarendon Press.
• I. Anderson, A First Course in Discrete Mathematics, Springer Verlag.
• U. Schöning, Logik für Informatiker, Spektrum Verlag, 5. Auflage, 2000.
• M. Kreuzer and S. Kühling, Logik für Informatiker, Pearson Studium,
2006.

Das Skript ist aus verschiedenen Gründen englischsprachig verfasst, unter

anderem, weil daraus eventuell einmal ein Buch entstehen soll. Wichtige Begrif-
fe sind auf deutsch in Fussnoten angegeben. Das Skript behandelt mehr Stoff als
die Vorlesung. Abschnitte, die nicht Prüfungsstoff sind und vermutlich in der
Vorlesung auch nicht behandelt werden, sind mit einem Stern (∗) markiert und
in einem kleineren Font gedruckt. Im Verlauf der Vorlesung werde ich eventuell
einzelne weitere Teile als nicht prüfungsrelevant deklarieren.
Zum Schluss einige Überlegungen und Empfehlungen für die Arbeitswei-
se beim Besuch dieser Lehrveranstaltung. Die Lehrveranstaltung besteht aus
der Vorlesung, dem Skript, den Übungsblättern, den Musterlösungen, den
Übungsstunden, und dem Selbststudium. Die verschiedenen Elemente sind
aufeinander abgestimmt. Insbesondere ist die Vorlesung unter der Annahme
konzipiert, dass die Studierenden das Skript zu den behandelten Teilen nach
jeder Vorlesung lesen, allenfalls auch vorher als Vorbereitung. Es ist unabding-
bar, dass Sie das Skript regelmässig und detailiert erarbeiten, da dies dem
Konzept der Vorlesung entspricht. Ebenso ist es unabdingbar, zusätzlich zur
Übungsstunde mehrere Stunden pro Woche eigenständig oder in Teamarbeit
für das Lösen der Übungen aufzuwenden; ein Teil dieser Zeit soll vor der
Übungsstunde investiert werden.
Ich danke Giovanni Deligios und David Lanzenberger für viele konstruktive
Kommentare und die kritische Durchsicht des Manuskripts.

Zürich, im September 2023 Ueli Maurer

v
Contents

Vorwort iii

1 Introduction and Motivation 1

1.1 Discrete Mathematics and Computer Science . . . . . . . . . . . . 1
1.2 Discrete Mathematics: A Selection of Teasers . . . . . . . . . . . . 2
1.3 Abstraction: Simplicity and Generality . . . . . . . . . . . . . . . . 4

2 Math. Reasoning, Proofs, and a First Approach to Logic 7

2.1 Mathematical Statements . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.1 The Concept of a Mathematical Statement . . . . . . . . . . 7
2.1.2 Composition of Mathematical Statements . . . . . . . . . . 8
2.1.3 Mathematical Statements in Computer Science . . . . . . . 10
2.2 The Concept of a Proof . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2.1 Examples of Proofs . . . . . . . . . . . . . . . . . . . . . . . 10
2.2.2 Examples of False Proofs . . . . . . . . . . . . . . . . . . . 11
2.2.3 Two Meanings of the Symbol =⇒ . . . . . . . . . . . . . . . 12
2.2.4 Proofs Using Several Implications . . . . . . . . . . . . . . 12
2.2.5 An Informal Understanding of the Proof Concept . . . . . 13
2.2.6 Informal vs. Formal Proofs . . . . . . . . . . . . . . . . . . 13
2.2.7 The Role of Logic . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.8 Proofs in this Course . . . . . . . . . . . . . . . . . . . . . . 15
2.3 A First Introduction to Propositional Logic . . . . . . . . . . . . . 16
2.3.1 Logical Constants, Operators, and Formulas . . . . . . . . 16
2.3.2 Formulas as Functions . . . . . . . . . . . . . . . . . . . . . 18
2.3.3 Logical Equivalence and some Basic Laws . . . . . . . . . 19
2.3.4 Logical Consequence (for Propositional Logic) . . . . . . . 20
2.3.5 Lifting Equivalences and Consequences to Formulas . . . 21

vii
 2.3.6 Tautologies and Satisfiability . . . . . . . . . . . . . . . . . 22
2.3.7 Logical Circuits * . . . . . . . . . . . . . . . . . . . . . . . . 23
2.4 A First Introduction to Predicate Logic . . . . . . . . . . . . . . . . 23
2.4.1 Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.4.2 Functions and Constants . . . . . . . . . . . . . . . . . . . . 24
2.4.3 The Quantifiers ∃ and ∀ . . . . . . . . . . . . . . . . . . . . 24
2.4.4 Nested Quantifiers . . . . . . . . . . . . . . . . . . . . . . . 25
2.4.5 Interpretation of Formulas . . . . . . . . . . . . . . . . . . . 26
2.4.6 Tautologies and Satisfiability . . . . . . . . . . . . . . . . . 27
2.4.7 Equivalence and Logical Consequence . . . . . . . . . . . . 27
2.4.8 Some Useful Rules . . . . . . . . . . . . . . . . . . . . . . . 28
2.5 Logical Formulas vs. Mathematical Statements . . . . . . . . . . . 28
2.5.1 Fixed Interpretations and Formulas as Statements . . . . . 28
2.5.2 Mathematical Statements about Formulas . . . . . . . . . . 29
2.6 Some Proof Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.6.1 Composition of Implications . . . . . . . . . . . . . . . . . 30
2.6.2 Direct Proof of an Implication . . . . . . . . . . . . . . . . . 30
2.6.3 Indirect Proof of an Implication . . . . . . . . . . . . . . . . 30
2.6.4 Modus Ponens . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.6.5 Case Distinction . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.6.6 Proofs by Contradiction . . . . . . . . . . . . . . . . . . . . 32
2.6.7 Existence Proofs . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.6.8 Existence Proofs via the Pigeonhole Principle . . . . . . . . 34
2.6.9 Proofs by Counterexample . . . . . . . . . . . . . . . . . . 36
2.6.10 Proofs by Induction . . . . . . . . . . . . . . . . . . . . . . 36

3 Sets, Relations, and Functions 39

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.1.1 An Intuitive Understanding of Sets . . . . . . . . . . . . . 39
3.1.2 Russell’s Paradox . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2 Sets and Operations on Sets . . . . . . . . . . . . . . . . . . . . . . 41
3.2.1 The Set Concept . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.2.2 Set Equality and Constructing Sets From Sets . . . . . . . . 42
3.2.3 Subsets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.2.4 Union and Intersection . . . . . . . . . . . . . . . . . . . . . 44
3.2.5 The Empty Set . . . . . . . . . . . . . . . . . . . . . . . . . . 45

viii
 3.2.6 Constructing Sets from the Empty Set . . . . . . . . . . . . 46
3.2.7 A Construction of the Natural Numbers . . . . . . . . . . . 47
3.2.8 The Power Set of a Set . . . . . . . . . . . . . . . . . . . . . 48
3.2.9 The Cartesian Product of Sets . . . . . . . . . . . . . . . . . 48
3.3 Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.3.1 The Relation Concept . . . . . . . . . . . . . . . . . . . . . 49
3.3.2 Representations of Relations . . . . . . . . . . . . . . . . . 50
3.3.3 Set Operations on Relations . . . . . . . . . . . . . . . . . . 51
3.3.4 The Inverse of a Relation . . . . . . . . . . . . . . . . . . . . 51
3.3.5 Composition of Relations . . . . . . . . . . . . . . . . . . . 52
3.3.6 Special Properties of Relations . . . . . . . . . . . . . . . . 53
3.3.7 Transitive Closure . . . . . . . . . . . . . . . . . . . . . . . 55
3.4 Equivalence Relations . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.4.1 Definition of Equivalence Relations . . . . . . . . . . . . . 55
3.4.2 Equivalence Classes Form a Partition . . . . . . . . . . . . 56
3.4.3 Example: Definition of the Rational Numbers . . . . . . . 57
3.5 Partial Order Relations . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.5.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.5.2 Hasse Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.5.3 Combinations of Posets and the Lexicographic Order . . . 61
3.5.4 Special Elements in Posets . . . . . . . . . . . . . . . . . . . 61
3.5.5 Meet, Join, and Lattices . . . . . . . . . . . . . . . . . . . . 63
3.6 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.7 Countable and Uncountable Sets . . . . . . . . . . . . . . . . . . . 65
3.7.1 Countability of Sets . . . . . . . . . . . . . . . . . . . . . . . 65
3.7.2 Between Finite and Countably Infinite . . . . . . . . . . . . 66
3.7.3 Important Countable Sets . . . . . . . . . . . . . . . . . . . 67
3.7.4 Uncountability of {0, 1}∞ . . . . . . . . . . . . . . . . . . . 69
3.7.5 Existence of Uncomputable Functions . . . . . . . . . . . . 70

4 Number Theory 72
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.1.1 Number Theory as a Mathematical Discipline . . . . . . . 72
4.1.2 What are the Integers? . . . . . . . . . . . . . . . . . . . . . 73
4.2 Divisors and Division . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.2.1 Divisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

ix
 4.2.2 Division with Remainders . . . . . . . . . . . . . . . . . . . 74
4.2.3 Greatest Common Divisors . . . . . . . . . . . . . . . . . . 75
4.2.4 Least Common Multiples . . . . . . . . . . . . . . . . . . . 77
4.3 Factorization into Primes . . . . . . . . . . . . . . . . . . . . . . . . 77
4.3.1 Primes and the Fundamental Theorem of Arithmetic . . . 77
4.3.2 Proof of the Fundamental Theorem of Arithmetic * . . . . 78
4.3.3 Expressing gcd and lcm . . . . . . . . . . . . . . . . . . . . 79
4.3.4 Non-triviality of Unique Factorization * . . . . . . . . . . . 79
4.3.5 Irrationality of Roots * . . . . . . . . . . . . . . . . . . . . . 80
4.3.6 A Digression to Music Theory * . . . . . . . . . . . . . . . . 80
4.4 Some Basic Facts About Primes * . . . . . . . . . . . . . . . . . . . 81
4.4.1 The Density of Primes . . . . . . . . . . . . . . . . . . . . . 81
4.4.2 Remarks on Primality Testing . . . . . . . . . . . . . . . . . 82
4.5 Congruences and Modular Arithmetic . . . . . . . . . . . . . . . . 83
4.5.1 Modular Congruences . . . . . . . . . . . . . . . . . . . . . 83
4.5.2 Modular Arithmetic . . . . . . . . . . . . . . . . . . . . . . 84
4.5.3 Multiplicative Inverses . . . . . . . . . . . . . . . . . . . . . 86
4.5.4 The Chinese Remainder Theorem . . . . . . . . . . . . . . 87
4.6 Application: Diffie-Hellman Key-Agreement . . . . . . . . . . . . 88

5 Algebra 91
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.1.1 What Algebra is About . . . . . . . . . . . . . . . . . . . . . 91
5.1.2 Algebraic Structures . . . . . . . . . . . . . . . . . . . . . . 91
5.1.3 Some Examples of Algebras . . . . . . . . . . . . . . . . . . 92
5.2 Monoids and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.2.1 Neutral Elements . . . . . . . . . . . . . . . . . . . . . . . . 93
5.2.2 Associativity and Monoids . . . . . . . . . . . . . . . . . . 93
5.2.3 Inverses and Groups . . . . . . . . . . . . . . . . . . . . . . 94
5.2.4 (Non-)minimality of the Group Axioms . . . . . . . . . . . 95
5.2.5 Some Examples of Groups . . . . . . . . . . . . . . . . . . . 96
5.3 The Structure of Groups . . . . . . . . . . . . . . . . . . . . . . . . 97
5.3.1 Direct Products of Groups . . . . . . . . . . . . . . . . . . . 97
5.3.2 Group Homomorphisms . . . . . . . . . . . . . . . . . . . . 98
5.3.3 Subgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.3.4 The Order of Group Elements and of a Group . . . . . . . 99

x
 5.3.5 Cyclic Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.3.6 Application: Diffie-Hellman for General Groups . . . . . 101
5.3.7 The Order of Subgroups . . . . . . . . . . . . . . . . . . . . 101
5.3.8 The Group Z∗m and Euler’s Function . . . . . . . . . . . . . 102
5.4 Application: RSA Public-Key Encryption . . . . . . . . . . . . . . 104
5.4.1 e-th Roots in a Group . . . . . . . . . . . . . . . . . . . . . . 105
5.4.2 Description of RSA . . . . . . . . . . . . . . . . . . . . . . . 105
5.4.3 On the Security of RSA * . . . . . . . . . . . . . . . . . . . . 107
5.4.4 Digital Signatures * . . . . . . . . . . . . . . . . . . . . . . . 107
5.5 Rings and Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.5.1 Definition of a Ring . . . . . . . . . . . . . . . . . . . . . . . 108
5.5.2 Units and the Multiplicative Group of a Ring . . . . . . . . 109
5.5.3 Divisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.5.4 Zerodivisors and Integral Domains . . . . . . . . . . . . . 110
5.5.5 Polynomial Rings . . . . . . . . . . . . . . . . . . . . . . . . 111
5.5.6 Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.6 Polynomials over a Field . . . . . . . . . . . . . . . . . . . . . . . . 115
5.6.1 Factorization and Irreducible Polynomials . . . . . . . . . 115
5.6.2 The Division Property in F [x] . . . . . . . . . . . . . . . . . 117
5.6.3 Analogies Between Z and F [x], Euclidean Domains * . . . 118
5.7 Polynomials as Functions . . . . . . . . . . . . . . . . . . . . . . . 119
5.7.1 Polynomial Evaluation . . . . . . . . . . . . . . . . . . . . . 119
5.7.2 Roots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.7.3 Polynomial Interpolation . . . . . . . . . . . . . . . . . . . 120
5.8 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
5.8.1 The Ring F [x]m(x) . . . . . . . . . . . . . . . . . . . . . . . 121
5.8.2 Constructing Extension Fields . . . . . . . . . . . . . . . . 123
5.8.3 Some Facts About Finite Fields * . . . . . . . . . . . . . . . 125
5.9 Application: Error-Correcting Codes . . . . . . . . . . . . . . . . . 126
5.9.1 Definition of Error-Correcting Codes . . . . . . . . . . . . . 126
5.9.2 Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
5.9.3 Codes based on Polynomial Evaluation . . . . . . . . . . . 128

6 Logic 130
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
6.2 Proof Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

xi
 6.2.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6.2.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
6.2.3 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
6.2.4 Proof Systems in Theoretical Computer Science * . . . . . . 136
6.3 Elementary General Concepts in Logic . . . . . . . . . . . . . . . . 136
6.3.1 The General Goal of Logic . . . . . . . . . . . . . . . . . . . 137
6.3.2 Syntax, Semantics, Interpretation, Model . . . . . . . . . . 137
6.3.3 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
6.3.4 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
6.3.5 Connection to Proof Systems * . . . . . . . . . . . . . . . . 139
6.3.6 Satisfiability, Tautology, Consequence, Equivalence . . . . 139
6.3.7 The Logical Operators ∧, ∨, and ¬ . . . . . . . . . . . . . . 140
6.3.8 Logical Consequence vs. Unsatisfiability . . . . . . . . . . 142
6.3.9 Theorems and Theories . . . . . . . . . . . . . . . . . . . . 142
6.4 Logical Calculi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
6.4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
6.4.2 Hilbert-Style Calculi . . . . . . . . . . . . . . . . . . . . . . 144
6.4.3 Soundness and Completeness of a Calculus . . . . . . . . . 145
6.4.4 Some Derivation Rules . . . . . . . . . . . . . . . . . . . . . 146
6.4.5 Derivations from Assumptions . . . . . . . . . . . . . . . . 147
6.4.6 Connection to Proof Systems * . . . . . . . . . . . . . . . . 148
6.5 Propositional Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.5.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.5.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
6.5.3 Brief Discussion of General Logic Concepts . . . . . . . . . 149
6.5.4 Normal Forms . . . . . . . . . . . . . . . . . . . . . . . . . 150
6.5.5 The Resolution Calculus for Propositional Logic . . . . . . 152
6.6 Predicate Logic (First-order Logic) . . . . . . . . . . . . . . . . . . 156
6.6.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
6.6.2 Free Variables and Variable Substitution . . . . . . . . . . . 156
6.6.3 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
6.6.4 Predicate Logic with Equality . . . . . . . . . . . . . . . . . 159
6.6.5 Some Basic Equivalences Involving Quantifiers . . . . . . 159
6.6.6 Substitution of Bound Variables . . . . . . . . . . . . . . . 160
6.6.7 Normal Forms . . . . . . . . . . . . . . . . . . . . . . . . . 161
6.6.8 Derivation Rules . . . . . . . . . . . . . . . . . . . . . . . . 162

xii
xiii

6.6.9 An Example Theorem and its Interpretations . . . . . . . . 162

6.7 Beyond Predicate Logic * . . . . . . . . . . . . . . . . . . . . . . . . 165
Chapter 1

Introduction and Motivation

1.1 Discrete Mathematics and Computer Science

Discrete mathematics is concerned with finite and countably infinite mathemati-
cal structures. Most areas within Computer Science make heavy use of concepts
from discrete mathematics. The applications range from algorithms (design and
analysis) to databases, from security to graphics, and from operating systems to
program verification.1
There are (at least) three major reasons why discrete mathematics is of cen-
tral importance in Computer Science:

1. Discrete structures. Many objects studied in Computer Science are dis-

crete mathematical objects, for example a graph modeling a computer net-
work or an algebraic group used in cryptography or coding theory. Many
applications exploit sophisticated properties of the involved structures.

2. Abstraction. Abstraction is of paramount importance in Computer Sci-

ence. A computer system can only be understood by considering a num-
ber of layers of abstraction, from application programs via the operating
system layer down to the physical hardware. Discrete mathematics, espe-
cially the way we present it, can teach us the art of abstraction. We refer to
Section 1.3 for a discussion.

3. Mathematical derivations. Mathematical reasoning is essential in any en-

gineering discipline, and especially in Computer Science. In many disci-
plines (e.g.2 mechanical engineering), mathematical reasoning happens in
1 We also refer to the preface to these lecture notes where the special role of mathematics for

Computer Science is mentioned.

2 “e.g.”, the abbreviation of the Latin “exempli gratia” should be read as “for example”.

1
1.2. Discrete Mathematics: A Selection of Teasers 2

the form of calculations (e.g. calculating the wing profile for an airplane).
In contrast, in Computer Science, mathematical reasoning often happens
in the form of a derivation (or, more mathematically stated, a proof). For
example, understanding a computer program means to understand it as
a well-defined discrete mathematical object, and making a desirable state-
ment about the program (e.g. that it terminates within a certain number
of steps) means to prove (or derive) this statement. Similarly, the state-
ment that a system (e.g. a block-chain system) is secure is a mathematical
statement that requires a proof.

1.2 Discrete Mathematics: A Selection of Teasers

We present a number of examples as teasers for this course. Each example is
representative for one or several of the topics treated in this course.3

Example 1.1. Consider a k × k chess board (ignoring the black/white coloring).

Prove or disprove the following statement: No matter which of the squares is
marked, the remaining area of the board (consisting of k 2 − 1 squares) can be
covered completely with (non-overlapping) L-shaped pieces of paper each con-
sisting of three squares.
This example allows us to informally introduce a few mathematical concepts
that will be discussed in detail later in this course. The above statement depends
on k. For certain k it is true and for certain k it is false. Let us therefore intro-
duce a so-called logical predicate P , a function from the natural numbers to {0, 1},
where 1 stands for true and 0 stands for false. Then P (k) = 1 means that the
statement is true for k, and P (k) = 0 means that the statement is false for k.
The case k = 2 is trivial: If any square (which is a corner square) is removed
from a 2 × 2 chess board, the remaining three squares form the given L-shape.
Hence we have P (2) = 1.
For k = 3, a simple counting argument shows that P (3) = 0. Since k 2 − 1 = 8
squares should be covered three at a time (by L-shapes), two squares remain at
the end. More generally, a solution can exist only if k 2 − 1 is divisible by 3. For
which k is this the case? In our notation we will (in Chapter 4) write

k 2 ≡3 1

for this condition, read as “k 2 is congruent to 1 modulo 3.” This condition is

equivalent to
k ≡3 1 or k ≡3 2.
3 The reader should not worry too much if he or she is not familiar with some of the concepts

discussed in this section, for example the interpolation of a polynomial, computation modulo a
number n, Euclid’s algorithm for computing greatest common divisors, or matrices.
3 Chapter 1. Introduction and Motivation

Hence we have P (k) = 0 for all k with k ≡3 0 (i.e.,4 the k divisible by 3).5
The case k = 4 can be solved easily by finding a solution for each of the three
types of squares (corner, edge, interior of board) that could be marked. Hence
we have proved P (4) = 1. This proof type will later be called a proof by case
distinction.
For the case k = 5 one can prove that P (5) = 0 by showing that there is (at
least) a square which, when marked, leaves an area not coverable by L-shapes.
Namely, if one marks a square next to the center square, then it is impossible to
cover the remaining area by L-shapes. This proof type will later be called a proof
by counterexample.
We have P (6) = 0 because 6 is divisible by 3, and hence the next interesting
case is k = 7. The reader can prove as an exercise that P (7) = 1. (How many
cases do you have to check?)
The question of interest is, for a general k, whether P (k) = 1 or P (k) = 0.
But one can prove (explained in the lecture) that

P (k) = 1 =⇒ P (2k) = 1,

i.e., that if the statement is true for some k, then it is also true for two times k.
This implies that P (2i ) = 1 for any i and also that P (7 · 2i ) = 1 for any i. Hence
we have P (8) = 1, and P (9) = 0, leaving P (10) and P (11) as the next open
cases. One can also prove the following generalization of the above-stated fact:

P (k) = 1 and P (ℓ) = 1 =⇒ P (kℓ) = 1.

We point out that, already in this first example, we understand the reasoning
leading to the conclusion P (k) = 0 or P (k) = 1 as a proof.
Example 1.2. Consider the following simple method for testing primality. Prove
or disprove that an odd number n is a prime if and only if 2n−1 divided by n
yields remainder 1, i.e., if
2n−1 ≡n 1.
One can easily check that 2n−1 ≡n 1 holds for the primes n = 3, 5, 7, 11, 13 (and
many more). Moreover, one can also easily check that 2n−1 6≡n 1 for the first odd
composite numbers n = 9, 15, 21, 25, etc. But is the formula a general primality
test? The solution to this problem will be given in Chapter 4.
Example 1.3. The well-known cancellation law for real numbers states that if
ab = ac and a 6= 0, then b = c. In other words, one can divide both sides by
a. How general is this law? Does it hold for the polynomials over R, i.e., does
4 “i.e.”,
the abbreviation of the Latin “id est”, should be read as “that is” (German: “das heisst”).
5 Thefact that the equation k 2 ≡p 1 has two solutions modulo p, for any prime p, not just for
p = 3, will be obvious once we understand that computing modulo p is a field (see Chapter 5) and
that every element of a field has either two square roots or none.
1.3. Abstraction: Simplicity and Generality 4

a(x)b(x) = a(x)c(x) imply b(x) = c(x) if a(x) 6= 0? Does it hold for the integers
modulo m, i.e., does ab ≡m ac imply b ≡m c if a 6= 0? Does it hold for the
permutations, when multiplication is defined as composition of permutations?
What does the condition a 6= 0 mean in this case? Which abstraction lies behind
the cancellation law? This is a typical algebraic question (see Chapter 5).
Example 1.4. It is well-known that one can interpolate a polynomial a(x) =
ad xd + ad−1 xd−1 + · · · a1 x + a0 of degree d with real coefficients from any d + 1
values a(αi ), for distinct α1 , . . . , αd+1 . Can we also construct polynomials over a
finite domain (which is of more interest and use in Computer Science), keeping
this interpolation property?
For example, consider computation modulo 5. There are 53 = 125 polyno-
mials a2 x2 + a1 x + a0 of degree 2 because we can freely choose three coefficients
from {0, 1, 2, 3, 4}. It is straight-forward (though cumbersome) to verify that if
we fix any three evaluation points (for example 0, 2, and 3), then the polyno-
mial is determined by the values at these points. In other words, two different
polynomials p and q result in distinct lists (p(0), p(2), p(3)) and (q(0), q(2), q(3))
of polynomial values. What is the general principle explaining this? For the
answer and applications, see Chapter 5.

1.3 Abstraction: Simplicity and Generality

A main theme of this course is abstraction. In everyday life, the term “abstract”
has a negative meaning. It stands for non-intuitive and difficult-to-understand.
For us, abstraction will have precisely the opposite meaning. It will stand for
simplicity and generality. I hope to be able to convey the joy and importance of
simplification and generalization by abstraction.
Indeed, abstraction is probably the most important principle in program-
ming and the design of information systems. Computers and computer pro-
grams are highly (perhaps unimaginably) complex systems. For a computer sys-
tem with only 1000 bits of storage, the number 21000 of system states is greater
than the number of atoms in the known universe. The immense complexity
of software systems is usually grossly underestimated, resulting in potentially
catastrophic software failures. For typical commercial software, failures are the
rule rather than the exception.
In order to manage the complexity, software systems are divided into com-
ponents (called modules, layers, objects, or abstract data types) that interact
with each other and with the environment in a well-defined manner. For ex-
ample, the Internet communication software is divided into a number of lay-
ers, each with a dedicated set of tasks. The IP layer transports packets between
computers, and the TCP layer manages reliable connections. The potential com-
plexity of the interaction between subsystems is channeled into clearly specified
interfaces. The behavior of a subsystem is described by a manageable number
5 Chapter 1. Introduction and Motivation

of rules. This is abstraction. Without abstraction, writing good software is im-

possible.
Abstraction means simplification. By an abstraction one ignores all aspects
of a system that are not relevant for the problem at hand, concentrating on the
properties that matter.
Abstraction also means generalization. If one proves a property of a system
described at an abstract level, then this property holds for any system with the
same abstraction, independently of any details.
Example 1.5. A standard Swiss chocolate consists of 6 rows of 4 pieces each. We
would like to break it into its 24 pieces using the minimal number of breaking
operations. The first breaking operation can break the chocolate in any of the
5 ways parallel to the short side, or in any of the 3 ways parallel to the long
side. Afterwards, a breaking operation consists of taking an arbitrary piece of
chocolate and breaking it along one of the marked lines. Stacking pieces is not
allowed. What is the minimal number of breaking operations needed to break
the chocolate into its 24 pieces? Is it better to first break the chocolate into two
equal pieces or to break off one row? Is it better to first break along a short or a
long line? Which abstraction explains the answer? Find a similar problem with
the same abstraction.
Example 1.6. Can the shape in Figure 1.1 be cut into 9 identical pieces? If not,
why? If yes, what is the abstraction that explains this? What would more gen-
eral examples with the same abstraction look like? Why would it be easier to
see the answer in such generalized examples?

a a

Figure 1.1: A shape to be cut into identical pieces.

Example 1.7. Extend the following sequence of numbers: 0, 1, 1, 3, 5,

11, 21, 43, 85, . . .. It is a natural human behavior to find a simple explanation
consistent with a given observation, i.e., to abstract.6 Which is the simplest rule
that defines the sequence? There may be several answers that make sense.
Example 1.8. Euclid’s well-known algorithm for computing the greatest com-
mon divisor of two positive integers a and b works as follows: In each step,
6 Unfortunately, this also leads to over-simplifications and inappropriate generalizations.
1.3. Abstraction: Simplicity and Generality 6

the larger integer is divided by the smaller integer, and the pair of integers is
replaced by the pair consisting of the smaller integer and the remainder of the
division. This step is repeated until the remainder is 0. The greatest common
divisor is the last non-zero remainder.
Essentially the same algorithm works for two polynomials a(x) and b(x), say
with integer (or real) coefficients, where the size of a polynomial is defined to
be its degree. In which sense are integer numbers and polynomials similar? At
which level of abstraction can they be seen as instantiations of the same abstract
concept? As we will see in Chapter 5, the answer is that they are both so-called
Euclidean domains, which is a special type of a so-called integral domain, which in
turn is a special case of a ring.
Chapter 2

Mathematical Reasoning,
Proofs, and a First Approach
to Logic

2.1 Mathematical Statements

2.1.1 The Concept of a Mathematical Statement
People make many statements in life, like “I love you”, “tomorrow it will rain”,
“birds can fly”, or “Roger Federer is the best tennis player”. By making the
statement, the person making it intends to claim that it is true. However, most
such statements are not sufficiently precise to be considered true or false, and
often they are subjective. This is in contrast to mathematical statements.

Definition 2.1. A mathematical statement (also called proposition) is a statement

that is true or false in an absolute, indisputable sense, according to the laws of
mathematics.
We often simply say “statement” instead of “mathematical statement”. A
mathematical statement that is known to be true is often called a theorem, a
lemma, or a corollary.1 A mathematical statement not known (but believed) to
be true or false is often called a conjecture. An assumption is a statement not
known to be true but assumed to be true in a certain line of reasoning. Some-
times, before a proof of a true mathematical statement is given, it is also called

1 The term “theorem” is usually used for an important result, whereas a lemma is an interme-

diate, often technical result, possibly used in several subsequent proofs. A corollary is a simple
consequence (e.g. a special case) of a theorem or lemma.

7
2.1. Mathematical Statements 8

assertion2 or claim. Examples of mathematical statements are

• 71 is a prime number.
• If p is a prime number, then 2p − 1 is also a prime number.
• Every natural number is the sum of at most four square numbers. (Exam-
ple: 22 = 42 + 22 + 12 + 12 and 74 = 62 + 52 + 32 + 22 .)
• Every even natural number greater than 2 can be expressed as the sum of
two primes.3 For example, 108 = 37 + 71 and 162 = 73 + 89.
• Any n lines ℓ1 , . . . , ℓn in the plane, no two of which are parallel, intersect
in one point (see Example 2.4).
• For the chess game there exists a winning strategy for the player making
the first move (playing “white”).

The first statement is easily shown to be true. The second statement is false,
and this can be proved by giving a counter-example: 11 is prime but 211 − 1 =
2047 = 23 ·89 is not prime.4 The third statement is true but by no means obvious
(and requires a sophisticated proof). The fourth statement is not known to be
true (or false). The fifth statement is false. The sixth statement is not known to
be true (or false).
Example 2.1. Consider the following statement which sounds like a statement
of interest in Computer Science: “There is no algorithm for factoring any n-
bit integer in n3 steps”. This is not a precise mathematical statement because
its truth (namely the complexity of the best algorithm) generally depends on
the particular computational model one is considering. A goal of Theoretical
Computer Science (TCS) is therefore to define precise models of computation
and the complexity of algorithms, allowing to make such claims precise.

If one makes a statement, say S, for example in the context of these lecture
notes, there can be two different meanings. The first meaning is that by stating
it one claims that S is true, and the second meaning is simply to discuss the
statement itself (for example as an assumption), independently of whether it is
true or not. We should try to distinguish clearly between these two meanings.

2.1.2 Composition of Mathematical Statements

We can derive new mathematical statements from given statements. For exam-
ple, when given three statements S, T , and U , then we can defined the following
well-defined statement: Exactly two the statements S, T , and U are true. Four
specific forms of derived statements are discussed below. Let S and T be math-
ematical statements.
2 German: Behauptung
3 Thisstatement is called the Goldbach conjecture and is one of the oldest unproven conjectures
in mathematics.
4 2p − 1 is prime for most primes p (e.g. for 2, 3, 5, 7, 13 and many more), but not all.
9 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

• Negation: S is false.
• And: S and T are (both) true.
• Or: At least one of S and T is true.
• Implication: If S is true, then T is true.

Examples of such derived statements are:

• “4 is even” is false.
• 4 is an even number and 71 is a prime number.
• 5 is an even number and 71 is a prime number.
• 5 is an even number or 71 is a prime number.

The first statement is false because “4 is even” is true. The second statement is
true because both statements “4 is an even number” and “71 is a prime number”
are true. In contrast, the third statement is false because the statement “5 is an
even number” is false. However, the fourth statement is again true because
“71 is a prime number” is true and hence it is irrelevant whether “5 is an even
number” is true or false.
For the first three types of statements, there is no particular notation used
in mathematics.5 However, interestingly, for the fourth type (implication) there
exists a notation that is often used, namely

S =⇒ T.

One also says “S implies T ”. The statement S =⇒ T is false if S is true and T is

false, and in all other three cases, S =⇒ T is true. In other words, the first three
statements below are true while the last one is false.

• 4 is an even number =⇒ 71 is a prime number.

• 5 is an even number =⇒ 71 is a prime number.
• 5 is an even number =⇒ 70 is a prime number.
• 4 is an even number =⇒ 70 is a prime number.

We point out that S =⇒ T does not express any kind of causality like “because S
is true, T is also true” (but see the discussion in Section 2.2.3).
Similarly, S ⇐⇒ T means that S is true if and only if T is true. This can
equivalently be stated as “S implies T and T implies S.”

5 Note that, when introducing logic and its symbols, we will for example use the symbol ∧ for

the logical “and” of two formulas, but we avoid using the symbols of logic outside of logic. Thus,
in order to avoid confusion, we avoid writing something like S ∧ T for “S and T .”
2.2. The Concept of a Proof 10

2.1.3 Mathematical Statements in Computer Science

Many statements relevant in Computer Science are mathematical statements
which one would like to prove. We give a few examples of such statements:

• Program P terminates (i.e., does not enter an infinite loop) for all inputs.
• Program P terminates within k computation steps for all inputs.
• Program P computes f (x) for every input x, where f is a function of in-
terest.
• Algorithm A solves problem S within accuracy ǫ.
• The error probability of file transmission system F in a file transmission is
at most p (where p can be a function of the file length).
• The computer network C has the property that if any t links are deleted,
every node is still connected with every other node.
• Encryption scheme E is secure (for a suitable definition of security).
• Cryptocurrency system C operates correctly as long as a majority of the
involved nodes behave honestly, even if all the other nodes behave arbi-
trarily maliciously.
• Database system D provides data privacy (for a suitable definition of pri-
vacy).

Programs, algorithms, encryption schemes, etc., are (complex) discrete

mathematical objects, and proving statements like those mentioned above is
highly non-trivial. This course is not about programs or algorithms, let alone
encryption schemes, but it provides the foundations so that later courses can
reason mathematically about these objects.

2.2 The Concept of a Proof

The purpose of a proof is to demonstrate (or prove) a mathematical statement S.
In this section we informally discuss the notion of a proof. We also discuss
several proof strategies. In Chapter 6 about logic, the notion of a proof in a
proof calculus will be formalized.

2.2.1 Examples of Proofs

We already gave examples of proofs in Chapter 1. We give one more simple
example.

Example 2.2. Claim: The number n = 2143 − 1 is not a prime.

Proof: n is divisible by 2047, as one can check by a (for a computer) simple
calculation.
11 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

That this is true can even be easily seen without doing a calculation, by prov-
ing a more general claim of which the above one is a special case:
Claim: n is not prime =⇒ 2n − 1 is not prime.6
Proof: If n is not a prime, then (by definition of prime numbers) n = ab with
a > 1 and a < n. Now we observe that 2a − 1 divides 2ab − 1:
b−1
X

2ab − 1 = (2a − 1) 2ia = (2a − 1) 2(b−1)a + 2(b−2)a + · · · + 2a + 1
i=0

as can easily be verified by a simple calculation. Since 2a − 1 > 1 and 2a − 1 <

2ab − 1, i.e., 2a − 1 is a non-trivial divisor of 2ab − 1, this means that 2ab − 1 is not
a prime, concluding the proof of the claim.
Let us state a warning. Recall from the previous section that

n is prime =⇒ 2n − 1 is prime

is a false statement, even though it may appear at first sight to follow from the
above claim. However, we observe that if S =⇒ T is true, then generally it does
not follow that if S is false, then T is false.
Example 2.3. An integer n is called a square if n = m · m for some integer m.
Prove that if a and b are squares, then so is a · b.

a and b are squares

.
=⇒ a = u · u and b = v · v for some u and v (def. of squares)
.
=⇒ a · b = (u · u) · (v · v) (replace a by u · u and b by v · v)
.
=⇒ a · b = (u · v) · (u · v). (commutative and associative laws)
.
=⇒ a · b is a square (def. of squares)

The above proof follows a standard pattern of proofs as a sequence of im-

.
plications, each step using the symbol =⇒. Such a proof step requires that the
justification for doing the step is clear. Often one justifies the proof step either in
the accompanying text or as a remark on the same line as the implication state-
ment (as in the above proof). But even more often the justification for the step
is simply assumed to be understood from the context and not explicitly stated,
which can sometimes make proofs hard to follow or even ambiguous.

2.2.2 Examples of False Proofs

As a next motivating example, let us prove a quite surprising assertion.7
6 It is understood that this statement is meant to hold for an arbitrary n.
7 This example is taken from the book by Matousek and Nesetril.
2.2. The Concept of a Proof 12

Example 2.4. Claim: Any n lines ℓ1 , . . . , ℓn in the plane, no two of which are
parallel, intersect in one point (i.e., have one point in common).
Proof: The proof proceeds by induction.8 The induction basis is the case n = 2:
Any two non-parallel lines intersect in one point. The induction hypothesis is
that any n lines intersect in one point. The induction step states that then this
must be true for any n+1 lines. The proof goes as follows. By the hypothesis, the
n lines ℓ1 , . . . , ℓn intersect in a point P . Similarly, the n lines ℓ1 , . . . , ℓn−1 , ℓn+1
intersect in a point Q. The line ℓ1 lies in both groups, so it contains both P and
Q. The same is true for line ℓn−1 . But ℓ1 and ℓn−1 intersect at a single point,
hence P = Q. This is the common point of all lines ℓ1 , . . . , ℓn+1 .

Something must be wrong! (What?) This example illustrates that proofs

must be designed with care. Heuristics and intuition, though essential in any
engineering discipline as well as in mathematics, can sometimes be wrong.
Example 2.5. In the lecture we present a “proof” for the statement 2 = 1.

2.2.3 Two Meanings of the Symbol =⇒

It is important to note that the symbol =⇒ is used in the mathematical literature
for two different (but related) things:

• to express composed statements of the form S =⇒ T (see Section 2.1.2),

• to express a derivation step in a proof, as above.
.
To make this explicit and avoid confusion, we use a slightly different symbol =⇒
.
for the second meaning.9 Hence S =⇒ T means that T can be obtained from S
by a proof step, and in this case we also know that the statement S =⇒ T is true.
However, conversely, if S =⇒ T is true for some statements S and T , there may
.
not exist a proof step demonstrating this, i.e. S =⇒ T may not hold.
.
An analogous comment applies to the symbol ⇐⇒, i.e., S ⇐⇒ T can be used
express that T follows from S by a simply proof step, and also S follows from T
by a simply proof step.

2.2.4 Proofs Using Several Implications

Example 2.3 showed a proof of a statement of the form S =⇒ T using a se-
. . .
quence of several implications of the form S =⇒ S2 , S2 =⇒ S3 , S3 =⇒ S4 , and
.
S4 =⇒ T .
8 Here we assume some familiarity with proofs by induction; in Section 2.6.10 we discuss them

in depth.
.
9 This notation is not standard and only used in these lecture notes. The symbol =⇒ is intention-
ally chosen very close to the symbol =⇒ to allow someone not used to this to easily overlook the
difference.
13 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

A proof based on several implications often has a more general form: The
implications do not form a linear sequence but a more general configuration,
where each implication can assume several of the already proved statements.
For example, one can imagine that in order to prove a given statement T , one
starts with two (known to be) true statements S1 and S2 and then, for some
statements S3 , . . . , S7 , proves the following six implications:
.
• S1 =⇒ S3 ,
.
• S1 =⇒ S4 ,
.
• S2 =⇒ S5 ,
.
• S3 and S5 =⇒ S6 ,
.
• S1 and S4 =⇒ S7 , as well as
.
• S6 and S7 =⇒ T .
Example 2.6. In the lecture we demonstrate the proof of Example 2.2 in the
above format, making every intermediate statement explicit.

2.2.5 An Informal Understanding of the Proof Concept

There is a common informal understanding of what constitutes a proof of a
mathematical statement S. Informally, we could define a proof as follows:
Definition 2.2. (Informal.) A proof of a statement S is a sequence of simple, eas-
ily verifiable, consecutive steps. The proof starts from a set of axioms (things
postulated to be true) and known (previously proved) facts. Each step corre-
sponds to the application of a derivation rule to a few already proven state-
ments, resulting in a newly proved statement, until the final step results in S.

Concrete proofs vary in length and style according to

• which axioms and known facts one is assuming,

• what is considered to be easy to verify,
• how much is made explicit and how much is only implicit in the
proof text, and
.
• to what extent one uses mathematical symbols (like =⇒) as opposed to
just writing text.

2.2.6 Informal vs. Formal Proofs

Most proofs taught in school, in textbooks, or in the scientific literature are in-
tuitive but quite informal, often not making the axioms and the proof rules ex-
plicit. They are usually formulated in common language rather than in a rigor-
ous mathematical language. Such proofs can be considered completely correct
2.2. The Concept of a Proof 14

if the reasoning is clear. An informal proof is often easier to read than a pedantic
formal proof.
However, a proof, like every mathematical object, can be made rigorous and
formally precise. This is a major goal of logic (see Section 2.2.7 and Chapter 6).
There are at least three (related) reasons for using a more rigorous and formal
type of proof.

• Prevention of errors. Errors are quite frequently found in the scientific lit-
erature. Most errors can be fixed, but some can not. In contrast, a com-
pletely formal proof leaves no room for interpretation and hence allows to
exclude errors.

• Proof complexity and automatic verification. Certain proofs in Computer Sci-

ence, like proving the correctness of a safety-critical program or the se-
curity of an information system, are too complex to be carried out and
verified “by hand”. A computer is required for the verification. A com-
puter can only deal with rigorously formalized statements, not with semi-
precise common language, hence a formal proof is required.10

• Precision and deeper understanding. Informal proofs often hide subtle steps.
A formal proof requires the formalization of the arguments and can lead
to a deeper understanding (also for the author of the proof).

There is a trade-off between mathematical rigor and an intuitive, easy-to-

read (for humans) treatment. In this course, our goal is to do precise mathemat-
ical reasoning, but at the same time we will try to strike a reasonable balance
between formal rigor and intuition. In Chapters 3 to 5, our proofs will be in-
formal, and the Chapter 6 on logic is devoted to understanding the notion of a
formal proof.
A main problem in teaching mathematical proofs (for example in this course)
is that it is hard to define exactly when an informal proof is actually a valid
proof. In most scientific communities there is a quite clear understanding of
what constitutes a valid proof, but this understanding can vary from commu-
nity to community (e.g. from physics to Computer Science). A student must
learn this culture over the years, starting in high school where proof strategies
like proofs by induction have probably been discussed. There is no quick and
easy path to understanding exactly what constitutes a proof.
The alternative to a relatively informal treatment would be to do everything
rigorously, in a formal system as discussed in Chapter 6, but this would proba-
bly turn away most students and would for the most parts simply not be man-
ageable. A book that tries to teach discrete mathematics very rigorously is A
logical approach to discrete math by Gries and Schneider.
10 A crucial issue is that the translation of an informal statement to a formal statement can be
error-prone.
15 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

2.2.7 The Role of Logic

Logic is the mathematical discipline laying the foundations for rigorous mathe-
matical reasoning. Using logic, every mathematical statement as well as a proof
for it (if a proof exists) can, in principle, be formalized rigorously. As mentioned
above, rigorous formalization, and hence logic, is especially important in Com-
puter Science where one sometimes wants to automate the process of proving
or verifying certain statements like the correctness of a program.
Some principle tasks of logic (see Chapter 6) are to answer the following
three questions:

1. What is a mathematical statement, i.e., in which language do we write

statements?
2. What does it mean for a statement to be true?
3. What constitutes a proof for a statement from a given set of axioms?

Logic (see Chapter 6) defines the syntax of a language for expressing statements
and the semantics of such a language, defining which statements are true and
which are false. A logical calculus allows to express and verify proofs in a purely
syntactic fashion, for example by a computer.

2.2.8 Proofs in this Course

As mentioned above, in the literature and also in this course we will see proofs
at different levels of detail. This may be a bit confusing for the reader, especially
in the context of an exam question asking for a proof. We will try to be always
clear about the level of detail that is expected in an exercise or in the exam. For
this purpose, we distinguish between the following three levels:

• Proof sketch or proof idea: The non-obvious ideas used in the proof are
described, but the proof is not spelled out in detail with explicit reference
to all definitions that are used.
• Complete proof: The use of every definition is made explicit. Every proof
step is justified by stating the rule or the definition that is applied.
• Formal proof: The proof is entirely phrased in a given proof calculus.

Proof sketches are often used when the proof requires some clever ideas and
the main point of a task or example is to describe these ideas and how they fit
together. Complete proofs are usually used when one systematically applies the
definitions and certain logical proof patterns, for example in our treatments of
relations and of algebra. Proofs in the resolution calculus in Chapter 6 can be
considered to be formal proofs.
2.3. A First Introduction to Propositional Logic 16

2.3 A First Introduction to Propositional Logic

We give a brief introduction to some elementary concepts of logic. We point out
that this section is somewhat informal and that in the chapter on logic (Chap-
ter 6) we will be more rigorous. In particular, we will there distinguish between
the syntax of the language for describing mathematical statements (called for-
mulas) and the semantics, i.e., the definition of the meaning (or validity) of a
formula. In this section, the boundary between syntax and semantics is (inten-
tionally) not made explicit.

2.3.1 Logical Constants, Operators, and Formulas

Definition 2.3. The logical values (constants) “true” and “false” are usually de-
noted as 1 and 0, respectively.11

One can define operations on logical values:

Definition 2.4.
(i) The negation (logical NOT) of a propositional symbol A, denoted as ¬A, is
true if and only if A is false.
(ii) The conjunction (logical AND) of two propositional symbol A and B, de-
noted A ∧ B, is true if and only if both A and B are true.
(iii) The disjunction (logical OR) of two propositional symbols A and B, de-
noted A ∨ B, is true if and only if A or B (or both) are true.12

The logical operators are functions, where ¬ is a function {0, 1} → {0, 1} and
∧ and ∨ are functions {0, 1} × {0, 1} → {0, 1}. These functions can be described
by function tables, as follows:

A B A∧B A B A∨B
A ¬A 0 0 0 0 0 0
0 1 0 1 0 0 1 1
1 0 1 0 0 1 0 1
1 1 1 1 1 1

Logical operators can also be combined, in the usual way of combining func-
tions. For example, the formula

A ∨ (B ∧ C)
11 These values 1 and 0 are not meant to be the corresponding numbers, even though the same

symbols are used.

12 Sometimes ¬A, A ∧ B, and A ∨ B are also denoted as NOT(A), A AND B, and A OR B, respec-

tively, or a similar notation.

17 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

has function table

A B C A ∨ (B ∧ C)
0 0 0 0
0 0 1 0
0 1 0 0
0 1 1 1
1 0 0 1
1 0 1 1
1 1 0 1
1 1 1 1
A slightly more complicated example is (A ∧ (¬B)) ∨ (B ∧ (¬C)) with function
table
A B C (A ∧ (¬B)) ∨ (B ∧ (¬C))
0 0 0 0
0 0 1 0
0 1 0 1
0 1 1 0
1 0 0 1
1 0 1 1
1 1 0 1
1 1 1 0

Definition 2.5. A correctly formed expression involving the propositional sym-

bols A, B, C, . . . and logical operators is called a formula (of propositional logic).

We introduce a new, logical operator, implication, denoted as A → B and

defined by the function table

A B A→B
0 0 1
0 1 1
1 0 0
1 1 1

Note that A → B is true if and only if A implies B. This means that when A
is true, then also B is true. Note that A → B is false if and only if A is true and
B is false, or, stated differently, if B is false despite that A is true. A → B can be
understood as an alternative notation for ¬A ∨ B, which has the same function
table.

Example 2.7. Consider the following sentence: If student X reads the lecture
notes every week and solves the exercises (A), then student X will get a good
grade in the exam (B). This is an example of an implication A → B. Saying that
A → B is true does not mean that A is true and it is not excluded that B is true
2.3. A First Introduction to Propositional Logic 18

even if A is false, but it is excluded that B is false when A is true. Let’s hope the
statement A → B is true for you : -) .

Two-sided implication, denoted A ↔ B, is defined as follows:

A B A↔B
0 0 1
0 1 0
1 0 0
1 1 1

Note that A ↔ B is equivalent to (A → B) ∧ (B → A) in the sense that the two

formulas have the same function table.
We now discuss a few notational simplifications. We have already seen that
parentheses can sometimes be dropped in a formula without changing its mean-
ing. For example we can write A ∨ B ∨ C instead of A ∨ (B ∨ C) or (A ∨ B) ∨ C.
There are also precedence rules for logical operators which allow to simplify
the notation, in the same sense as in algebra one can write ab + c rather than
(a · b) + c because · binds stronger than +. However, to keep things simple and
avoid confusion, we will generally not make use of such rules, except that we
adopt the convention that ¬ binds stronger than anything else. For example,
we can write ¬A ∧ B instead of (¬A) ∧ B, or we can write A → ¬B instead of
A → (¬B).

2.3.2 Formulas as Functions

An arithmetic expression such as (a+b)·c can be understood as a function. If we

consider as domain the natural numbers N, the arithmetic expression (a + b) · c
corresponds to the function N3 → N assigning to every triple (a, b, c) the value
(a + b) · c, for example the value 42 to the triple (4, 2, 7) (because (4 + 2) · 7 = 42).
Analogously, a logical formula such as (A ∨ B) ∧ C can be interpreted as a
function from the set of truth assignments for the proposition symbols A, B, and
C to truth values, i.e., as a function {0, 1}3 → {0, 1}. For example, the function
evaluates to 1 for A = 0, B = 1, and C = 1.
Since in propositional logic13 the domain is finite, a function can be com-
pletely characterized by a function table. For example, the function table of the
function {0, 1}3 → {0, 1} corresponding to the formula (A ∧ (¬B)) ∨ (B ∧ (¬C))
is shown in the previous section.

13 but not for other logics such as predicate logic

19 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

2.3.3 Logical Equivalence and some Basic Laws

Different arithmetic expressions can correspond to the same function. For ex-
ample, the expressions (a + b) · c and (c · a) + (b · c) denote the same functions.
Analogously, different logical formulas can correspond to the same function.

Definition 2.6. Two formulas F and G (in propositional logic) are called equiva-
lent, denoted as F ≡ G, if they correspond to the same function, i.e., if the truth
values are equal for all truth assignments to the propositional symbols appear-
ing in F or G.

For example, it is easy to see that ∧ and ∨ are commutative and associative,
i.e.,
A∧B ≡ B∧A and A∨B ≡ B∨A
as well as
A ∧ (B ∧ C) ≡ (A ∧ B) ∧ C.
Because of this equivalence, we introduce the notational convention that such
unnecessary parentheses can be dropped:.

A ∧ B ∧ C ≡ A ∧ (B ∧ C).

Similarly we have
A ∨ (B ∨ C) ≡ (A ∨ B) ∨ C
and can write A ∨ B ∨ C instead, and we also have

¬(¬A) ≡ A.

Let us look at some equivalences involving more than one operation, which
are easy to check. The operator ∨ can be expressed in terms of ¬ and ∧, as
follows:
¬(A ∨ B) ≡ ¬A ∧ ¬B,
which also means that A ∨ B ≡ ¬(¬A ∧ ¬B). In fact, ¬ and ∧ are sufficient to
express every logical function (of propositional logic). Similarly we have

¬(A ∧ B) ≡ ¬A ∨ ¬B.

Example 2.8. A ↔ B ≡ (A → B) ∧ (B → A) ≡ (A ∧ B) ∨ (¬A ∧ ¬B).

Example 2.9. Here is a more complicated example which the reader can verify
as an exercise:

(A ∧ (¬B)) ∨ (B ∧ (¬C)) ≡ (A ∨ B) ∧ ¬(B ∧ C).

The following example shows a distributive law for ∧ and ∨. Such laws will
be discussed more systematically in Chapter 6.
2.3. A First Introduction to Propositional Logic 20

Example 2.10. (A ∧ B) ∨ C ≡ (A ∨ C) ∧ (B ∨ C).

We summarize the basic equivalences of propositional logic:

Lemma 2.1.
1) A ∧ A ≡ A and A ∨ A ≡ A (idempotence);
2) A ∧ B ≡ B ∧ A and A ∨ B ≡ B ∨ A (commutativity of ∧ and ∨);
3) (A ∧ B) ∧ C ≡ A ∧ (B ∧ C) and (A ∨ B) ∨ C ≡ A ∨ (B ∨ C) (associativity);
4) A ∧ (A ∨ B) ≡ A and A ∨ (A ∧ B) ≡ A (absorption);
5) A ∧ (B ∨ C) ≡ (A ∧ B) ∨ (A ∧ C) (first distributive law);
6) A ∨ (B ∧ C) ≡ (A ∨ B) ∧ (A ∨ C) (second distributive law);
7) ¬¬A ≡ A (double negation);
8) ¬(A ∧ B) ≡ ¬A ∨ ¬B and ¬(A ∨ B) ≡ ¬A ∧ ¬B (de Morgan’s rules).

2.3.4 Logical Consequence (for Propositional Logic)

For arithmetic expressions one can state relations between them that are more
general than equivalence. For example the relation a + b ≤ a + b + (c · c) between
the expressions a + b and a + b + (c · c). What is meant by the relation is that for
all values that a, b, and c can take on, the inequality holds, i.e., it holds for the
functions corresponding to the expressions.
Analogously, one can state relations between formulas. The perhaps most
important relation is logical consequence which is analogous to the relation ≤
between arithmetic expressions.

Definition 2.7. A formula G is a logical consequence14 of a formula F , denoted

F |= G,
if for all truth assignments to the propositional symbols appearing in F or G,
the truth value of G is 1 if the truth value of F is 1.
Intuitively, if we would interpret the truth values 0 and 1 as the numbers 0
and 1 (which we don’t!), then F |= G would mean F ≤ G (as functions).
Example 2.11. A ∧ B |= A ∨ B.
Example 2.12. Comparing the truth tables of the two formulas (A ∧ B) ∨ (A ∧ C)
and ¬B → (A ∨ C) one can verify that

(A ∧ B) ∨ (A ∧ C) |= ¬B → (A ∨ C).
14 German: (logische) Folgerung, logische Konsequenz
21 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

Note that the two formulas are not equivalent.

Example 2.13. The following logical consequence, which the reader can prove
as an exercise, captures a fact intuitively known to us, namely that implication
is transitive:15
(A → B) ∧ (B → C) |= A → C.

We point out (see also Chapter 6) that two formulas F and G are equivalent
if and only if each one is a logical consequence of the other, i.e.,16

F ≡G ⇐⇒ F |= G and G |= F.

2.3.5 Lifting Equivalences and Consequences to Formulas

Logical equivalences and consequences continue to hold if the propositional
symbols A, B, C . . . are replaced by other propositional symbols or by formulas
F, G, H . . .. At this point, we do not provide a proof of this intuitive fact. For
example, because of the logical consequences stated in the previous section we
have
F ∧G ≡ G∧F and F ∨G ≡ G∨F

as well as
F ∧ (G ∧ H) ≡ (F ∧ G) ∧ H

for any formulas F , G, and H.

The described lifting is analogous to the case of arithmetic expressions. For
example, we have
(a + b) · c = (a · c) + (b · c)

for any real numbers a, b, and c. Therefore, for any arithmetic expressions f , g,
and h, we have
(f + g) · h = (f · h) + (g · h).

Example 2.14. We give a more complex example of such a lifting. Because of

the logical consequence stated in Example 2.13, we have

(F → G) ∧ (G → H) |= F → H

for any formulas F , G, and H.

15 The
term “transitive” will be discussed in Chapter 3.
16 Notethat we DO NOT write F |= G ∧ G |= F because the symbol ∧ is used only between two
formulas in order to form a new (combined) formula, and F |= G and G |= F are not formulas.
2.3. A First Introduction to Propositional Logic 22

2.3.6 Tautologies and Satisfiability

Definition 2.8. A formula F (in propositional logic) is called a tautology17 or

valid18 if it is true for all truth assignments of the involved propositional sym-
bols. One often writes |= F to say that F is a tautology.

Example 2.15. The formulas A∨(¬A) and (A∧(A → B)) → B are tautologies.
One often wants to make statements of the form that some formula F is a
tautology. As stated in Definition 2.8, one also says “F is valid” instead of “F is
a tautology”.

Definition 2.9. A formula F (in propositional logic) is called satisfiable19 if it is

true for at least one truth assignment of the involved propositional symbols, and
it is called unsatisfiable otherwise.

The symbol ⊤ is sometimes used to denote a tautology, and the symbol ⊥

is sometimes used to denote an unsatisfiable formula. One sometimes writes
F ≡ ⊤ to say that F is a tautology, and F ≡ ⊥ to say that F is unsatisfiable. For
example, for any formula F we have

F ∨ ¬F ≡ ⊤ and F ∧ ¬F ≡ ⊥.

Example 2.16. The formula (A ∧ ¬A) ∧ (B ∨ C) is unsatisfiable, and the formula

A ∧ B is satisfiable.

The following lemmas state two simple facts that follow immediately from
the definitions. We only prove the second one.

Lemma 2.2. A formula F is a tautology if and only if ¬F is unsatisfiable.

Lemma 2.3. For any formulas F and G, F → G is a tautology if and only if F |= G.

Proof. The lemma has two directions which we need to prove. To prove the
first direction (=⇒), assume that F → G is a tautology. Then, for any truth
assignment to the propositional symbols, the truth values of F and G are either
both 0, or 0 and 1, or both 1 (but not 1 and 0). In each of the three cases it
holds that G is true if F is true, i.e., F |= G. To prove the other direction (⇐=),
assume F |= G. This means that for any truth assignment to the propositional
symbols, the truth values of G is 1 if it is 1 for F . In other words, there is no
17 German: Tautologie
18 German: allgemeingültig
19 German: erfüllbar
23 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

truth assignment such that the truth value of F is 1 and that of G is 0. This
means that the truth value of F → G is always 1, which means that F → G is a
tautology.

2.3.7 Logical Circuits *

A logical formula as discussed above can be represented as a tree where the leaves cor-
respond to the propositions and each node corresponds to a logical operator. Such a tree
can be implemented as a digital circuit where the operators correspond to the logical
gates. This topic will be discussed in a course on the design of digital circuits20 . The two
main components of digital circuits in computers are such logical circuits and memory
cells.

2.4 A First Introduction to Predicate Logic

The elements of logic we have discussed so far belong to the realm of so-called
propositional logic21 . Propositional logic is not sufficiently expressive to capture
most statements of interest in mathematics in terms of formulas. For example,
the statement “There are infinitely many prime numbers” cannot be expressed as
a formula in propositional logic (though it can of course be expressed as a sen-
tence in common language). We need quantifiers22 , predicates, and functions. The
corresponding extension of propositional logic is called predicate logic23 and is
substantially more involved than propositional logic. Again, we refer to Chap-
ter 6 for a more thorough discussion.

2.4.1 Predicates
Let us consider a non-empty set U as the universe in which we want to reason.
For example, U could be the set N of natural numbers, the set R of real numbers,
the set {0, 1}∗ of finite-length bit-strings, or a finite set like {0, 1, 2, 3, 4, 5, 6}.
Definition 2.10. A k-ary predicate24 P on U is a function U k → {0, 1}.

A k-ary predicate P assigns to each list (x1 , . . . , xk ) of k elements of U the

value P (x1 , . . . , xk ) which is either true (1) or false (0).
For example, for U = N we can consider the unary (k = 1) predicate
prime(x) defined by

1 if x is prime
prime(x) =
0 else.
20 German: Digitaltechnik
21 German: Aussagenlogik
22 German: Quantoren
23 German: Prädikatenlogik
24 German: Prädikat
2.4. A First Introduction to Predicate Logic 24

Similarly, one can naturally define the unary predicates even(x) and odd(x).
For any universe U with an order relation ≤ (e.g. U = N or U = R), the
binary (i.e., k = 2) predicate less(x, y) can be defined as

1 if x < y
less(x, y) =
0 else.

However, in many cases we write binary predicates in a so-called “infix” nota-

tion, i.e., we simply write x < y instead of less(x, y).
For the universe of all human beings, we can define a binary predicate child
as follows: child(x, y) = 1 if and only if x is y’s child. One can similarly define
predicates parent, grandparent, etc.

2.4.2 Functions and Constants

In predicate logic one can also use functions on U and constants (i.e., fixed el-
ements) in U . For example, if the universe is U = N, we can use the functions
add addition and multiplication mult and the constants 3 and 5. The formula

less(add(x, 3), add(x, 5))

can also be written in infix notation as

x + 3 < x + 5.

This is a true statement for every value x in U . In the next section we see how
we can express this as a formula.

2.4.3 The Quantifiers ∃ and ∀

Definition 2.11. For a universe U and predicate P (x) we define the following
logical statements:25
∀x P (x) stands for: P (x) is true for all x in U .
∃x P (x) stands for: P (x) is true for some x in U , i.e.,
there exists an x ∈ U for which P (x) is true.
More generally, for a formula F with a variable x, which for each value x ∈ U is
either true or false, the formula ∀x F is true if and only if F is true for all x in
U , and the formula ∃x F is true if and only if F is true for some x in U .

25 Inthe literature one also finds the notations ∀x: P (x) and ∀x. P (x) instead of ∀x P (x), and
similarly for ∃.
25 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

Example 2.17. Consider the universe U = N. Then ∀x (x ≥ 0) is true.26 Also,

∀x (x ≥ 2) is false, and ∃x (x + 5 = 3) is false.

The name of the variable x is irrelevant. For example, the formula ∃x (x+5 =
3) is equivalent to the formula ∃y (y + 5 = 3). The formula could be stated in
words as: “There exists a natural number (let us call it y) which, if 5 is added
to it, the result is 3.” How the number is called, x or y or z, is irrelevant for the
truth or falsity of the statement. (Of course the statement is false; it would be
true if the universe were the integers Z.)
Sometimes one wants to state only that a certain formula containing x is
true for all x that satisfy a certain condition. For example, to state that x2 ≥ 25
whenever x ≥ 5, one can write


∀x (x ≥ 5) → (x2 ≥ 25) .

A different notation sometimes used to express the same statement is to state

the condition on x directly after the quantifier, followed by “:”27

∀x ≥ 5 : (x2 ≥ 25).

2.4.4 Nested Quantifiers

Quantifiers can also be nested28 . For example, if P (x) and Q(x, y) are predicates,
then

∀x P (x) ∨ ∃y Q(x, y)
is a logical formula.

Example 2.18. The formula

∀x ∃y (y < x)
states that for every x there is a smaller y. In other words, it states that there is
no smallest x (in the universe under consideration). This formula is true for the
universe of the integers or the universe of the real numbers, but it is false for the
universe U = N.

Example 2.19. For the universe of the natural numbers, U = N, the predicate
prime(x) can be defined as follows:29

def

prime(x) ⇐⇒ x > 1 ∧ ∀y ∀z (yz = x) → ((y = 1) ∨ (z = 1)) .
26 But note that ∀x (x ≥ 0) is false for the universe U = R.
27 We don’t do this.
28 German: verschachtelt

def
29 We use the symbol “⇐⇒” if the object on the left side is defined as being equivalent to the object
on the right side.
2.4. A First Introduction to Predicate Logic 26

Example 2.20. Fermat’s last theorem can be stated as follows: For universe
N \ {0},30


¬ ∃ x ∃y ∃z ∃n (n ≥ 3 ∧ xn +y n = z n ) .

Example 2.21. The statement “for every natural number there is a larger prime”
can be phrased as


∀x ∃y y > x ∧ prime(y)

and means that there is no largest prime and hence that there are infinitely many
primes.
If the universe is N, then one sometimes uses m, n, or k instead of x and y.
The above formula could hence equivalently be written as


∀m ∃n n > m ∧ prime(n) .

Example 2.22. Let U = R. What is the meaning of the following formula, and
does it correspond to a true statement?


∀x x = 0 ∨ ∃y (xy = 1)

Example 2.23. What is the meaning of the following formula, and for which
universes is it true (or false)?


∀x ∀y (x < y) → ∃z((x < z) ∧ (z < y))

2.4.5 Interpretation of Formulas

A formula generally has some “free parts” that are left open for interpretation.
To begin with, the universe is often not fixed, but it is also quite common to
write formulas when the universe is understood and fixed. Next, we observe
that the formula


∀x P (x) → Q(x)

contains the predicate symbols P and Q which can be interpreted in different

ways. Depending on the choice of universe and on the interpretation of P and
Q, the formula can either be true or false. For example let the universe be N and
let P (x) mean that “x is divisible by 4”. Now, if Q(x) is interpreted as “x is odd”,
then ∀x (P (x) → Q(x)) is false, but if Q(x) is interpreted as “x is even”, then
∀x (P (x) → Q(x)) is true. However, the precise definition of an interpretation
is quite involved and deferred to Chapter 6.
30 In formulas with sequences of quantifiers of the same type one sometimes omits parentheses or

even multiple copies of the quantifier. For example one writes ∃xyz instead of ∃x ∃y ∃z. We will
not use such a convention in this course.
27 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

2.4.6 Tautologies and Satisfiability

The concepts interpretation, tautology, and satisfiability for predicate logic will
be defined in Chapter 6.
Informally, a formula is satisfiable if there is an interpretation of the involved
symbols that makes the formula true. Hence ∀x (P (x) → Q(x)) is satisfiable
as shown above. Moreover, a formula is a tautology (or valid) if it is true for all
interpretations, i.e., for all choices of the universe and for all interpretations of
the predicates.31
We will use the terms “tautology” and “valid” interchangeably. For example,


∀x (P (x) ∧ Q(x)) → (P (x) ∨ Q(x))

is a tautology, or valid.

2.4.7 Equivalence and Logical Consequence

One can define the equivalence of formulas and logical consequence for predi-
cate logic analogously to propositional logic, but again the precise definition is
quite involved and deferred to Chapter 6. Intuitively, two formulas are equiva-
lent if they evaluate to the same truth value for any interpretation of the symbols
in the formula.

Example 2.24. Recall Example 2.22. The formula can be written in an equivalent
form, as:



∀x x = 0 ∨ ∃y (xy = 1) ≡ ∀x ¬(x = 0) → ∃y (xy = 1) .

The order of identical quantifiers does not matter, i.e., we have for example:

∃x∃y P (x, y) ≡ ∃y∃x P (x, y) and ∀x∀y P (x, y) ≡ ∀y∀x P (x, y).

A simple example of a logical consequence is

∀x P (x) |= ∃x P (x).

It holds because if P (x) is true for all x in the universe, then it is also true for
some (actually an arbitrary) x. (Recall that the universe is non-empty.)
Some more involved examples of equivalences and logical consequences are
stated in the next section.
31 We will see in Chapter 6 that predicate logic also involves function symbols, and an interpreta-
tion also instantiates the function symbols by concrete functions.
2.5. Logical Formulas vs. Mathematical Statements 28

2.4.8 Some Useful Rules

We list a few useful rules for predicate logic. This will be discussed in more
detail in Chapter 6. We have


∀x P (x) ∧ ∀x Q(x) ≡ ∀x P (x) ∧ Q(x)

since if P (x) is true for all x and also Q(x) is true for all x, then P (x) ∧ Q(x) is
true for all x, and vice versa. Also,32


∃x P (x) ∧ Q(x) |= ∃x P (x) ∧ ∃x Q(x)

since, no matter what P and Q actually mean, any x that makes P (x)∧Q(x) true
(according to the left side) also makes P (x) and Q(x) individually true. But, in
contrast, ∃x (P (x) ∧ Q(x)) is not a logical consequence of ∃x P (x) ∧ ∃x Q(x), as
the reader can verify. We can write

∃x P (x) ∧ ∃x Q(x) 6|= ∃x (P (x) ∧ Q(x)).

We also have:
¬∀x P (x) ≡ ∃x ¬P (x)
and
¬∃x P (x) ≡ ∀x ¬P (x).
The reader can prove as an exercise that

∃y ∀x P (x, y) |= ∀x ∃y P (x, y)

but that
∀x ∃y P (x, y) 6|= ∃y ∀x P (x, y).

2.5 Logical Formulas vs. Mathematical Statements

A logical formula is generally not a mathematical statement because the symbols
in it can be interpreted differently, and depending on the interpretation, the
formula is true or false. Without fixing an interpretation, the formula is not a
mathematical statement.

2.5.1 Fixed Interpretations and Formulas as Statements

If for a formula F the interpretation (including the universe and the meaning
of the predicate and function symbols) is fixed, then this can be a mathematical
32 We point out that defining logical consequence for predicate logic is quite involved (see Chap-
ter 6), but intuitively it should be quite clear.
29 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

statement that is either true or false. Therefore, if an interpretation is under-

stood, we can use formulas as mathematical statements, for example in a proof
with implication steps. In this case (but only if a fixed interpretation is under-
stood) it is also meaningful to say that a formula is true or that it is false.
Example 2.25. For the universe N and the usual interpretation of < and >, the
formula ∃n (n < 4 ∧ n > 5) is false and the formula ∀n (n > 0 → (∃m m < n))
is true.

2.5.2 Mathematical Statements about Formulas

As mentioned, logical formulas are often not mathematical statements them-
selves, but one makes mathematical statements about formulas. Examples of
such mathematical statements are:

• F is valid (i.e., a tautology, also written as |= F ),

• F is unsatisfiable,
• F |= G.

The statement “F is valid” is a mathematical statement (about the formula F ).

Therefore we may for example write

F is valid =⇒ G is valid, (2.1)

as a mathematical statement about the formulas F and G. This statement is

different from the statement F |= G. In fact, for any formulas F and G, the
statement F |= G implies statement (2.1), but the converse is generally false:
Lemma 2.4. For any two formulas F and G, if F |= G, then (2.1) is true.

Proof. F |= G states that for every interpretation, if F is true (for that interpre-
tation), then also G is true (for that interpretation). Therefore, if F is true for
every interpretation, then also G is true for every interpretation, which is state-
ment (2.1).

2.6 Some Proof Patterns

In this section we discuss a few important proof patterns (which we could also
call proof methods or proof techniques). Such a proof pattern can be used to
prove one step within a longer proof, or sometimes also to directly prove a the-
orem of interest. Many proof patterns correspond to logical deduction rules.
One can define a logical calculus consisting of such deduction rules, but we will
defer the discussion of this topic to Chapter 6. Often, a given statement can be
proved in different ways, i.e., by using different proof patterns.
2.6. Some Proof Patterns 30

2.6.1 Composition of Implications

We first explain why the composition of implications, as occurring in many
proofs, is sound.

Definition 2.12. The proof step of composing implications is as follows: If S =⇒ T

and T =⇒ U are both true, then one concludes that S =⇒ U is also true.

The soundness of this principle is explained by the following lemma of

propositional logic which was already stated in Example 2.13.

Lemma 2.5. (A → B) ∧ (B → C) |= A → C.

Proof. One writes down the truth tables of the formulas (A → B) ∧ (B → C)

and A → C and checks that whenever the first evaluates to true, then also the
second evaluates to true.

2.6.2 Direct Proof of an Implication

Many statements of interest (as intermediate steps or as the final statement of
interest) are implications of the form S =⇒ T for some statements S and T .33

Definition 2.13. A direct proof of an implication S =⇒ T works by assuming S

and then proving T under this assumption.

2.6.3 Indirect Proof of an Implication

Definition 2.14. An indirect proof of an implication S =⇒ T proceeds by assum-

ing that T is false and proving that S is false, under this assumption.

The soundness of this principle is explained by the following simple lemma

of propositional logic, where A stands for “statement S is true” and B stands
for “statement T is true”.

Lemma 2.6. ¬B → ¬A |= A → B.

Proof. One can actually prove the stronger statement, namely that ¬B → ¬A ≡
A → B, simply by examination of the truth table which is identical for both
formulas ¬B → ¬A and A → B.
√
Example 2.26. Prove the following claim: If x > 0 is irrational,
√ then also x is
irrational. The indirect proof proceeds by assuming that x is not irrational and
33 Recall Section 2.1.2.
31 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

showing that then x is also not irrational. Here “not irrational” means rational,
i.e., we prove √
x is rational =⇒ x is rational
√ √
Assume hence that x is rational, i.e., that x = m/n for m, n ∈ Z. This means
that x = m2 /n2 , i.e., x is the quotient of two natural numbers (namely m2 and
n2 ) and thus is rational. This completes the proof of the claim.

2.6.4 Modus Ponens

Definition 2.15. A proof of a statement S by use of the so-called modus ponens

proceeds in three steps:
1. Find a suitable mathematical statement R.
2. Prove R.
3. Prove R =⇒ S.
The soundness of this principle is explained by the following lemma of
propositional logic. Again, the proof is by a simple comparison of truth tables.
Lemma 2.7. A ∧ (A → B) |= B.

Examples will be discussed in the lecture and the exercises.

2.6.5 Case Distinction

Definition 2.16. A proof of a statement S by case distinction proceeds in three

steps:
1. Find a finite list R1 , . . . , Rk of mathematical statements (the cases).
2. Prove that at least one of the Ri is true (at least one case occurs).
3. Prove Ri =⇒ S for i = 1, . . . , k.

More informally, one proves for a complete list of cases that the statement S
holds in all the cases.
The soundness of this principle is explained by the following lemma of
propositional logic.
Lemma 2.8. For every k we have
(A1 ∨ · · · ∨ Ak ) ∧ (A1 → B) ∧ · · · ∧ (Ak → B) |= B.

Proof. For a fixed k (say k = 2) one can verify the statement by examination
of the truth table. The statement for general k can be proved by induction (see
Section 2.6.10).
2.6. Some Proof Patterns 32

Note that for k = 1 (i.e., there is only one case), case distinction corresponds
to the modus ponens discussed above.
Example 2.27. Prove the following statement S: The 4th power of every natural
number n, which is not divisible by 5, is one more than a multiple of 5.
To prove the statement, let n = 5k + c, where 1 ≤ c ≤ 4. Using the usual
binomial formula (a + b)4 = a4 + 4a3 b + 6a2 b2 + 4ab3 + b4 we obtain:
n4 = (5k + c)4 = 54 k 4 + 4 · 53 k 3 c + 6 · 52 k 2 c2 + 4 · 5kc3 + c4 .
Each summand is divisible by 5, except for the last term c4 . The statement S is
hence equivalent to the statement that c4 is one more than a multiple of 5, for
1 ≤ c ≤ 4.
This statement S can be proved by case distinction, i.e., by considering all
four choices for c. For c = 1 we have c4 = 1, which is trivially one more than a
multiple of 5. For c = 2 we have c4 = 16, which is also one more than a multiple
of 5. The same is true for c = 3 where c4 = 81 and for c = 4 where c4 = 256.
This concludes the proof.
With a few insights from number theory and algebra we will see later that
the above statement holds when 5 is replaced by any odd prime number.

2.6.6 Proofs by Contradiction

Definition 2.17. A proof by contradiction of a statement S proceeds in three steps:

1. Find a suitable mathematical statement T .
2. Prove that T is false.
3. Assume that S is false and prove (from this assumption) that T is true (a
contradiction).

In many cases, the proof steps appear in a different order: One starts from
assuming that S is false, derives statements from it until one observes that one
of these statements is false (i.e., is the statement T in the above description). In
this case, the fact that T is false (step 2) is obvious and requires no proof.
The soundness of this principle is explained by the following lemma of
propositional logic which can again be proved by comparing the truth tables
of the involved formulas.
Lemma 2.9. (¬A → B) ∧ ¬B |= A.
Since ¬A → B is equivalent to A ∨ B, the principle of a proof by contradic-
tion can alternatively be described as follows: To prove S, one proves for some
statement T that either S or T is true (or both) and that T is false. This is justified
because we have
(A ∨ B) ∧ ¬B |= A.
33 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

√
Example 2.28. We discuss the classical proof of three statement that 2 is irra-
tional. (This is the statement S to be proved.) Recall (from basic number theory)
that a number a is rational if and only if a = m/n (i.e., m = an) for two relatively
prime34 integers m and n (i.e., with gcd(m, n) = 1).35
The proof by contradiction starts by assuming that S is false and deriving,
from this assumption, a false statement T . In the following derivation we may
use formulas as a compact way of writing statements, but the derivation itself
is “normal” mathematical reasoning and is not to be understood as a formula-
based logical reasoning.36

. √
S is false ⇐⇒ 2 is rational
.

⇐⇒ ∃m ∃n m2 = 2n2 ∧ gcd(m, n) = 1

We now consider, in isolation, the statement m2 = 2n2 appearing in the above

formula, derive from it another statement (namely gcd(m, n) ≥ 2), and then
plug this into the above formula. Each step below is easy to verify. For arbitrary
m and n we have

.
m2 = 2n2 =⇒ m2 is even
.
=⇒ m is even
.
=⇒ 4 divides m2
.
=⇒ 4 divides 2n2 (also using m2 = 2n2 )
.
=⇒ 2 divides n2
.
=⇒ n is even
.
=⇒ gcd(m, n) ≥ 2 (also using that m is even)

Hence we have


∃m ∃n m2 = 2n2 ∧ gcd(m, n) = 1

.

=⇒ ∃m ∃n m2 = 2n2 ∧ gcd(m, n) ≥ 2 ∧ gcd(m, n) = 1 .
| {z }
false for arbitrary m and n
| {z }
statement T , which is false

This concludes the proof by contradiction.

34 German: teilerfremd
35 gcd(m, n) denotes the greatest common divisor of m and n (see Section 4.2.3).
36 We can write ⇐⇒.
if the implication holds in both directions, but it would be sufficient to always
. .
replace ⇐⇒ by =⇒.
2.6. Some Proof Patterns 34

2.6.7 Existence Proofs

Definition 2.18. Consider a set X of parameters and for each x ∈ X a statement,

denoted Sx . An existence proof is a proof of the statement that Sx is true for at
least one x ∈ X . An existence proof is constructive if it exhibits an a for which Sa
is true, and otherwise it is non-constructive.

Example 2.29. Prove that there exists a prime37 number n such that n − 10 and
n + 10 are also primes, i.e., prove


∃n prime(n) ∧ prime(n − 10) ∧ prime(n + 10) .
| {z }
Sn

A constructive proof is obtained by giving the example n = 13 and verifying

that S13 is true.
Example 2.30. We prove that there are infinitely many primes by involving a
non-constructive existence proof.38 This statement can be rephrased as follows:
For every number m there exists a prime p greater than m; as a formula:


∀m ∃p prime(p) ∧ p > m .
| {z }
Sp

To prove this, consider an arbitrary but fixed number m and consider the state-
ments Sp parameterized by p: There exists a prime p greater than m, i.e., such
that prime(p) ∧ p > m is true.
To prove this, we use the known fact (which has been proved) that every
natural number n ≥ 2 has at least one prime divisor. We consider the specific
number m! + 1 (where m! = 2 · 3 · · · (m − 1) · m). We observe that for all k in
the range 2 ≤ k ≤ m, k does not divide m! + 1. In particular, no prime smaller
than m divides m! + 1. Because m! + 1 has at least one prime divisor, there exists
a prime p greater than m which divides m! + 1. Hence there exists a prime p
greater than m.39

2.6.8 Existence Proofs via the Pigeonhole Principle

The following simple but powerful fact is known as the pigeonhole principle40 .
This principle is used as a proof technique for certain existence proofs.41
37 Recall that prime(n) is the predicate that is true if and only if n is a prime number.
38 See also Example 2.21, where different variable names are used.
39 Note that p is not known explicitly, it is only known to exist. In particular, p is generally not

equal to m! + 1.
40 German: Schubfachprinzip
41 This principle is often described as follows: If there are more pigeons than pigeon holes, then

there must be at least one pigeon hole with more than one pigeon in it. Hence the name of the
principle.
35 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

Theorem 2.10. If a set of n objects is partitioned into k < n sets, then at least one of
these sets contains at least ⌈ nk ⌉ objects.42

Proof. The proof is by contradiction. Suppose that all sets in the partition have

at most ⌈ nk ⌉ − 1 objects. Then the total number of objects is at most k ⌈ nk ⌉ − 1 ,
which is smaller than n because
l n m   n   n
k −1 < k +1 −1 = k = n.
k k k

Example 2.31. Claim: Among 100 people, there are at least nine who were born
in the same month. The claim can be equivalently stated as an existence claim:
Considering any 100 people, there exists a month in which at least nine of them
have their birthday.
Proof. Set n = 100 and k = 12, and observe that ⌈100/12⌉ = 9.

Example 2.32. Claim: In any subset A of {1, 2, . . . , 2n} of size |A| = n + 1, there
exist distinct a, b ∈ A such that a | b (a divides b).43
For example, in the set {2, 3, 5, 7, 9, 10} we see that 3 | 9.
Proof. We write every ai ∈ A as 2ei ui with ui odd. There are only n possible
values {1, 3, 5, . . . , 2n − 1} for ui . Thus there must exist two numbers ai and aj
with the same odd part (ui = uj ). Therefore one of them has fewer factors 2
than the other and must hence divide it.

Example 2.33. Let a1 , a2 , . . . , an be a sequence of numbers (real or inte-

ger). A subsequence of length k of this sequence is a sequence of the form
ai1 , ai2 , . . . , aik , where 1 ≤ i1 < i2 < · · · < ik ≤ n. A sequence is called strictly
increasing (decreasing) if each term is strictly greater (smaller) than the preced-
ing one. For example, the sequence 3, 8, 2, 11, 1, 5, 7, 4, 14, 9 contains the increas-
ing subsequences 3, 5, 7, 9 and 2, 5, 7, 14 and the decreasing subsequences 3, 2, 1
and 8, 5, 4.
Claim: Every sequence of m2 + 1 distinct numbers (real or integer) contains ei-
ther an increasing or a decreasing subsequence of length m + 1. (Note that in
the above example, m = 3 and m2 + 1 = 10, and there is indeed an increasing
subsequence of length 4.)
Proof. We can associate with every position (1 ≤ ℓ ≤ m2 + 1) a pair (iℓ , dℓ ),
where iℓ (dℓ ) is the length of the longest increasing (decreasing) subsequence
beginning at position ℓ. The proof is by contradiction. Suppose the claim is
false, i.e., 1 ≤ iℓ ≤ m and 1 ≤ dℓ ≤ m for all ℓ. Then there are at most m2 pairs
42 In the literature, the pigeon hole principle often states only that there must be a set containing

at least two elements.

43 Note that this is tight. If we lower |A| from n + 1 to n, then the set A = {n, n + 1, . . . , 2n − 1}

contains no a, b ∈ A such that a | b.

2.6. Some Proof Patterns 36

(iℓ , dℓ ) that can occur. Thus the pigeonhole principle guarantees that there must
be two indices s < t with (is , ds ) = (it , dt ). But this leads to a contradiction.
Because the numbers are distinct, either as < at or as > at . If as < at , then,
since is = it , an increasing subsequence of length it + 1 can be built starting
at position s, taking as followed by the increasing subsequence beginning at at .
This is a contradiction. A similar contradiction is obtained if as > at .

2.6.9 Proofs by Counterexample

Proofs by counterexample are a specific type of constructive existence proof,
namely the proof that a counterexample exists.

Definition 2.19. Consider a set X of parameters and for each x ∈ X a statement,

denoted Sx . A proof by counterexample is a proof of the statement that Sx is not
true for all x ∈ X , by exhibiting an a (called counterexample) such that Sa is false.

Note that a proof by counterexample corresponds to an existence proof.

Example 2.34. Prove or disprove that for every integer n, the number n2 −n+41
is prime, i.e., prove
∀n prime(n2 − n + 41).
One can verify the quite surprising fact that prime(n2 − n + 41) is true for
n = 1, 2, 3, 4, 5, 6, . . ., for as long as the reader has the patience to continue to do
the calculation. But is it true for all n? To prove that the assertion ∀n prime(n2 −
n + 41) is false, i.e., to prove
¬∀n prime(n2 − n + 41),

it suffices to exhibit a counterexample, i.e., an a such that ¬prime(a2 − a + 41).

The smallest such a is a = 41; note that 412 − 41 + 41 = 412 is not a prime.
Example 2.35. Prove or disprove that every positive integer ≥ 10 can be written
as the sum of at most three squares (e.g. 10 = 32 + 12 , 11 = 32 + 12 + 12 ,
12 = 22 + 22 + 22 , 13 = 32 + 22 , and 14 = 32 + 22 + 12 .). The statement can be
written as

∀n n ≥ 10 → ∃ x ∃y ∃z (n = x2 + y 2 + z 2 ) .
The statement is false because n = 15 is a counterexample.

2.6.10 Proofs by Induction

One of the most important proof technique in discrete mathematics are proofs
by induction, which are used to prove statements of the form ∀n P (n), where
the universe U is the set N = {0, 1, 2, 3, . . .} of natural numbers. Alternatively,
it can also be the set {1, 2, 3, . . .} of positive integers, in which case P (0) below
37 Chapter 2. Math. Reasoning, Proofs, and a First Approach to Logic

must be replaced by P (1). More generally, it can be the set {k, k + 1, k + 2, . . .}

for some k.
A proof by induction consists of two steps:

Proof by induction:
1. Basis step.44 Prove P (0).
2. Induction step. Prove that for any arbitrary n we have P (n) =⇒ P (n+1).

The induction step is performed by assuming P (n) (for an arbitrary n) and

deriving P (n+1). This proof technique is justified by the following theorem.45

Theorem 2.11. For the universe N and an arbitrary unary predicate P we have

P (0) ∧ ∀n (P (n) → P (n+1)) =⇒ ∀n P (n).

Let us discuss a few examples of proofs by induction.

P
Example 2.36. Prove that ni=0 2i = 2n+1 − 1 holds for allP n. To do a proof by
n
induction, let P (n) be defined by P (n) = 1 if and only if i=0 2i = 2n+1 − 1.
Step 1 is to prove P (0); this holds trivially because the sum consists of the single
term 20 = 1 and we also have 20+1 − 1 = 2 − 1P= 1. Step 2 is to prove that for an
n
arbitrary n, under the assumption P (n), i.e., i=0 2i = 2n+1 − 1, also P (n + 1)
Pn+1 i
is true, i.e., i=0 2 = 2(n+1)+1 − 1:
n+1
X n
X
2i = 2i + 2n+1 = (2n+1 − 1) + 2n+1 = 2(n+1)+1 − 1.
i=0 i=0

This concludes the proof of ∀n P (n).

Example 2.37. Determine the set of postages you can generate using only 4-cent
stamps and 5-cent stamps!
Obviously 1, 2, 3, 6, 7, and 11 cents cannot be obtained, while 4, 5, 8 = 4 + 4,
9 = 4 + 5, 10 = 5 + 5, 12 = 4 + 4 + 4, 13 = 4 + 4 + 5, 14 = 4 + 5 + 5, and
15 = 5 + 5 + 5, can be obtained. One can prove by induction that all amounts of
15 or more cents can indeed be obtained.
Let P (n) be the predicate that is true if and only if there exists a decomposition
of n + 15 into summands 4 and 5. We have just seen that P (0) is true. To prove
the induction step, i.e., ∀n(P (n) → P (n + 1)), assume that P (n) is true for an
arbitrary n. We distinguish two cases,46 namely whether or not the decompo-
sition of n + 15 contains a 4. If this is the case, then one can replace the 4 in
44 German: Verankerung
45 This theorem is actually one of the Peano axioms used to axiomatize the natural numbers. In
this view, it is an axiom and not a theorem. However, one can also define the natural numbers from
axiomatic set theory and then prove the Peano axioms as theorems. This topic is beyond the scope
of this course.
46 Note that this proof step is a proof by case distinction.
2.6. Some Proof Patterns 38

the decomposition by a 5, resulting in the sum n + 16. If the decomposition of

n + 15 contains no 4, then it contains at least three times the 5. We can therefore
obtain a decomposition of n + 16 by replacing the three 5 by four 4. In both
cases, P (n + 1) is true, hence we have proved P (n) → P (n + 1) and can apply
Theorem 2.11.
Chapter 3

Sets, Relations, and Functions

In this chapter we provide a treatment of the elementary concepts of set theory,

with the goal of being able to use sets in later parts of the course, for example
to define relations and functions. We will be more precise than the typical (very
informal) treatment of set theory in highschool, but we will also avoid the in-
tricacies of a full-fledged axiomatic treatment of set theory, showing only minor
parts of it.

3.1 Introduction
There seems to be no simpler mathematical concept than a set1 , a collection of
objects. Although intuitively used for a long time,2 the formulation of a set as a
mathematical concept happened as late as the end of the 19th century. For exam-
ple, in 1895 Cantor proposed the following wording: “Unter einer ‘Menge’ ver-
stehen wir jede Zusammenfassung M von bestimmten wohlunterschiedenen
Objekten unserer Anschauung oder unseres Denkens (welche die ‘Elemente’
von M genannt werden) zu einem Ganzen”.

3.1.1 An Intuitive Understanding of Sets

The reader is certainly familiar with statements like

• 5 ∈ N (where N denotes the set of natural numbers),

• −3 6∈ N,
• {3, 5, 7} ⊆ N, and
1 German: Menge
2 In fact, almost all of mathematics is based on the notion of sets.

39
3.1. Introduction 40

• {a, b} ∪ {b, c} = {a, b, c},

as well as with simple definitions like the following:

Definition 3.1. (Informal.) The number of elements of a finite set A is called its
cardinality and is denoted |A|.

Also, facts like

A ⊆ B ∧ B ⊆ C =⇒ A ⊆ C
or
A ∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C)
are well-known and seem obvious if one draws a figure with intersecting cir-
cles representing sets (so-called Venn-diagrams). However, many issues do not
seem to be clear mathematically, for example:

• Which objects can one use as elements of a set?

• Can a set itself be an element of a set?
• Can a set be an element of itself?
• How is set intersection or set union defined?
• How should the elements of a set be counted?
• Do the above-stated facts require a proof, or are they just “obvious” in an
informal sense?

This calls for a precise mathematical treatment with clear definitions, lemmas,
and proofs. The need for such a precise treatment also becomes obvious when
considering Russell’s paradox discussed below.

3.1.2 Russell’s Paradox

The set concept introduced by Cantor and axiomatized further by Frege seemed
very innocent and safe to work with. But in 1903, Bertrand Russell3 (1872-1970)
showed that set theory as understood at that point in time is inherently con-
tradictory. This came as a shock to the mathematics community. As a con-
sequence, set theory had to be based on much more rigorous grounds, on an
axiomatic foundation, a process started by Ernst Zermelo. It is still an active
area of research in mathematics which axioms can and should be used as the
foundation of set theory. The most widely considered set of axioms is called
Zermelo-Fraenkel (ZF) set theory. Axiomatic set theory is beyond the scope of
this course.
3 Russell was a very remarkable person. He was not only an outstanding philosopher and math-

ematician, but also politically active as a pacifist. Because of his protests against World War I he
was dismissed from his position at Trinity College in Cambridge and imprisoned for 6 months. In
1961, at the age of 89, he was arrested again for his protests against nuclear armament. In 1950 he
received the Nobel Prize for literature.
41 Chapter 3. Sets, Relations, and Functions

The problem with Cantor’s intuitive set theory is that, because it was not
clearly axiomatized, it makes the following apparently innocent (yet false) as-
sumption. Whenever one specifies a precise condition (i.e., a logical predicate
P ), allowing to distinguish between objects that satisfy the predicate and ob-
jects that don’t, then {x | P (x)}, the set of objects satisfying the predicate is
well-defined. Russell proposed the set

R = {A | A ∈
/ A}

of sets that are not elements of themselves. Note that there seems to be nothing
wrong with a set being an element of itself. For example, the set of sets contain-
ing at least 10 elements seems to be an element of itself, as it contains more than
10 elements. Similarly, the set of sets containing at most 10 elements is not an
element of itself.
Either R ∈ R or R ∈ / R. If R ∈ R, then by the definition of R, this implies
R∈ / R, a contradiction. Thus the only alternative is R ∈ / R. But again, by the
definition of R, this implies R ∈ R, again a contradiction. In other words, R ∈ R
if and only if R ∈ / R, a paradox that requires an explanation.
The problem, subsequently addressed by Zermelo’s axiomatization, is the
following: While for any set B and predicate P , {x ∈ B | P (x)} is actually a
well-defined set, {x | P (x)} is not. We must have a set to begin with before being
able to create new sets by selecting the elements satisfying a certain condition. In
other words, the universe U of objects one has in mind when writing {x | P (x)}
is not itself a set.4

3.2 Sets and Operations on Sets

3.2.1 The Set Concept
In set theory one postulates that there is a universe of possible sets and a uni-
verse of objects which can be elements of sets. Nothing prevents us from think-
ing that the two universes are the same, i.e., the elements of sets are also sets.
We further postulate a binary predicate E to be given, and if E(x, y) = 1 we say
that x is an element of y. We can call E the elementhood predicate. Instead of the
predicate E we use an infix notation and write x ∈ y rather than E(x, y) = 1.
We also use the short-hand x 6∈ y for ¬(x ∈ y), i.e., if x is not an element of y.
Now we can postulate certain properties that the elementhood predicate E
should satisfy, capturing the essence of set theory. This makes explicit that E is
not some arbitrary predicate, but that it really captures natural properties of sets.
In a systematic mathematical approach, one carefully chooses a list of axioms
4 In fact, in Zermelo-Fraenkel (ZF) set theory, the axioms exclude that a set can be an element of
itself.
3.2. Sets and Operations on Sets 42

and develops a theory (set theory) based on these axioms. There are indeed
several different (but related) axiom systems for set theory, and it is beyond the
scope of this course to discuss set theory in a formal sense.5 However, we will
informally introduce some of these properties/axioms in order to arrive at a
sufficiently precise treatment of sets.
When writing formulas, it will often be convenient to not only use the usual
logical variable symbols x, y, etc., but to use in the same formula symbols like A,
B, etc. This is convenient because it makes the formulas look closer to how set
theory is usually informally discussed. However, whether we use the symbol x
or A for a set is not mathematically relevant.

3.2.2 Set Equality and Constructing Sets From Sets

A set is completely specified by its elements, regardless of how it is described.6
There is no other relevant information about a set than what its elements are. In
other words, two sets A and B are equal (A = B) if (and only if) they contain the
same elements, independently of how A and B are described. In other words,
there can not be two different sets A and B which contain exactly the same
elements. This is called the axiom of extensionality in set theory. Since we are
not aiming for an axiomatic treatment of set theory, we state this simply as a
definition.

def
Definition 3.2. A = B ⇐⇒ ∀x (x ∈ A ↔ x ∈ B).

We postulate7 that if a is a set, then the set containing exactly (and only) a
exists, and is usually denoted as {a}. Similarly, for any finite list of sets, say a, b,
and c, the set containing exactly these elements exists and is usually denoted as
{a, b, c}.
Since a set is specified by its elements, we can conclude that if two sets, each
containing a single element, are equal, then the elements are equal. This can be
stated as a lemma (in set theory), and it actually requires a proof.

Lemma 3.1. For any (sets) a and b, {a} = {b} =⇒ a = b.

Proof. Consider any fixed a and b. The statement is an implication, which we

prove indirectly. Assume that a 6= b. Then {a} =
6 {b} because there exists an
5 Indeed, mathematicians are still working on fundamental questions regarding the theory of sets

(but not questions relevant to us).

6 For example, the set containing exactly the three natural numbers 1, 2, and 3 has many different

descriptions, including {1, 2, 3}, {3, 1, 2}, {1, 1 + 1, 1 + 1 + 1}, etc. All these descriptions refer to
the same set.
7 In axiomatic set theory this is guaranteed by appropriate axioms.
43 Chapter 3. Sets, Relations, and Functions

element, namely a, that is contained in the first set, but not in the second. Thus
we have proved that a 6= b =⇒ {a} = 6 {b}. According to Definition 2.14, this
proves {a} = {b} =⇒ a = b.

Note that, in contrast, {a, b} = {c, d} neither implies that a = c nor that b = d.
In a set, say {a, b}, there is no order of the elements, i.e.,

{a, b} = {b, a}.

However, in mathematics one wants to also define the concept of an (ordered)

list of objects. Let us consider the special case of ordered pairs. For the operation
of forming an ordered pair of two objects a and b, denoted (a, b), we define

def
(a, b) = (c, d) ⇐⇒ a = c ∧ b = d.

Example 3.1. This example shows that one can model ordered pairs by using
only (unordered) sets?8 This means that the sets corresponding to two ordered
pairs must be equal if and only if the ordered pairs are equal. A first approach is
def
to define (a, b) = {a, {b}}. However, this definition of an ordered pair fails be-
cause one could not distinguish whether the set {{b}, {c}} denotes the ordered
pair ({b}, c) or the ordered pair ({c}, b). The reader can verify as an exercise that
the following definition is correct:

def
(a, b) = {{a}, {a, b}}.

3.2.3 Subsets

Definition 3.3. The set A is a subset of the set B, denoted A ⊆ B, if every

element of A is also an element of B, i.e.,
def
A ⊆ B ⇐⇒ ∀x (x ∈ A → x ∈ B).

The following lemma states an alternative way for capturing the equality of
sets, via the subset relation. In fact, this is often the best way to prove that two
sets are equal.

Lemma 3.2. A = B ⇐⇒ (A ⊆ B) ∧ (B ⊆ A).

Proof. The proof first makes use (twice) of Definition 3.3, then uses the fact from
predicate logic that ∀F ∧ ∀G ≡ ∀(F ∧ G), then uses the fact from propositional
8 We
briefly address this question, although we will not make use of this later and will continue
to think about ordered pairs and lists in a conventional sense and with conventional notation.
3.2. Sets and Operations on Sets 44

logic that (C → D)∧(D → C) ≡ C ↔ D,9 and then makes use of Definitions 3.2.
For any sets A and B we have the following equivalences of statements about A
and B:
.
(A ⊆ B) ∧ (B ⊆ A) ⇐⇒ ∀x (x ∈ A → x ∈ B) ∧ ∀x (x ∈ B → x ∈ A)
.

⇐⇒ ∀x (x ∈ A → x ∈ B) ∧ (x ∈ B → x ∈ A)
.
⇐⇒ ∀x (x ∈ A ↔ x ∈ B)
.
⇐⇒ A = B

The next lemma states that the subset relation is transitive (a term discussed
later). The proof is left as an exercise.

Lemma 3.3. For any sets A, B, and C,

A ⊆ B ∧ B ⊆ C =⇒ A ⊆ C.

3.2.4 Union and Intersection

Let us discuss a few well-known operations on sets and the laws for these oper-
ations.

Definition 3.4. The union of two sets A and B is defined as

def
A ∪ B = {x| x ∈ A ∨ x ∈ B},

and their intersection is defined as

def
A ∩ B = {x| x ∈ A ∧ x ∈ B}.

The above definition can be extended from two to several sets, i.e., to a set
(or collection) of sets. Let A be a non-empty set of sets, with finite or infinite
cardinality. The only restriction on A is that its elements must be sets. Then we
define the union of all sets in A as the set of all x that are an element of at least
one of the sets in A:
[ def
A = {x| x ∈ A for some A ∈ A}.

Similarly, we define the intersection of all sets in A as the set of all x that are an
element of every set in A:
\ def
A = {x| x ∈ A for all A ∈ A}.
9 Here we use C and D rather than A and B to avoid confusion because A and B are used here
to denotes sets.
45 Chapter 3. Sets, Relations, and Functions

Example 3.2. Consider the set of sets


A = {a, b, c, d}, {a, c, e}, {a, b, c, f }, {a, c, d} .
S T
Then we have A = {a, b, c, d, e, f } and A = {a, c}.

Typically, the sets (elements) in a set A of sets are indexed by some index
set I: A = {Ai | i ∈ I}. In this
T case, one S
also writes {Ai }i∈I , and for the intersec-
tion and union one writes i∈I Ai and i∈I Ai , respectively.

Definition 3.5. The difference of sets B and A, denoted B\A is the set of elements
of B without those that are elements of A:
def
B \ A = {x ∈ B| x ∈
/ A}.

Since union, intersection, and complement are defined by logical operations

on set membership expressions (e.g. a ∈ A), that these set operations satisfy the
corresponding statements of Lemma 2.1, stated as a theorem.

Theorem 3.4. For any sets A, B, and C, the following laws hold:
Idempotence: A ∩ A = A;
A ∪ A = A;
Commutativity: A ∩ B = B ∩ A;
A ∪ B = B ∪ A;
Associativity: A ∩ (B ∩ C) = (A ∩ B) ∩ C;
A ∪ (B ∪ C) = (A ∪ B) ∪ C;
Absorption: A ∩ (A ∪ B) = A;
A ∪ (A ∩ B) = A;
Distributivity: A ∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C);
A ∪ (B ∩ C) = (A ∪ B) ∩ (A ∪ C);
Consistency: A ⊆ B ⇐⇒ A ∩ B = A ⇐⇒ A ∪ B = B.

Proof. The proof is straight-forward and exploits the related laws for logical op-
erations. For example, the two associative laws are implied by the associativity
of the logical AND and OR, respectively. The proof is left as an exercise.

3.2.5 The Empty Set

Definition 3.6. A set A is called empty if it contains no elements, i.e., if

∀x ¬(x ∈ A).
3.2. Sets and Operations on Sets 46

Lemma 3.5. There is only one empty set (which is often denoted as ∅ or {}).10

Proof. Let ∅ and ∅′ both be arbitrary empty sets. Since both are empty, every
element that is in ∅ (namely none) is also in ∅′ , and vice versa. This means
according to Definition 3.2 that ∅ = ∅′ , which means that there is only one
empty set.

Lemma 3.6. The empty set is a subset of every set, i.e., ∀A (∅ ⊆ A)

Proof. The proof is by contradiction: Assume that there is a set A for which
∅ 6⊆ A. This means that there exists an x for which x ∈ ∅ but x ∈ / A. But such
an x cannot exist because ∅ contains no element, which is a contradiction.
The above is a valid proof. Just to illustrate (as an example) that the same proof
could be made more formal and more precise we can write the proof as follows,
making use of logical transformation rules for formulas with quantifiers. Let A
be an arbitrary (but fixed) set. The proof is by contradiction (see Definition 2.17),
where the statement S to be proved is ∅ ⊆ A and as the statement T we choose
¬∀x (x ∈/ ∅), which is false because it is the negation of the definition of ∅. The
proof that the negation of S implies T (step 3 in Definition 2.17) is as follows:
.
¬(∅ ⊆ A) ⇐⇒ ¬∀x (x ∈ ∅ → x ∈ A) (def. of ∅ ⊆ A)
.
⇐⇒ ∃x ¬(x ∈ ∅ → x ∈ A) (¬∀x F ≡ ∃x ¬F )
.
⇐⇒ ∃x ¬(¬(x ∈ ∅) ∨ x ∈ A) (def. of →)
.
⇐⇒ ∃x (x ∈ ∅ ∧ ¬(x ∈ A)) (de Morgan’s rule)
.
=⇒ ∃x (x ∈ ∅) ∧ ∃x ¬(x ∈ A) (∃x (F ∧ G) |= (∃xF ) ∧ (∃xG))
.
=⇒ ∃x (x ∈ ∅) (F ∧ G implies F )
.
⇐⇒ ¬∀x ¬(x ∈ ∅). (¬∀x F ≡ ∃x ¬F )
.
⇐⇒ ∅ is not the empty set (Definition 3.6)

which is false, and hence we have arrived at a contradiction.

3.2.6 Constructing Sets from the Empty Set

At this point, the only set we know to exist, because we have postulated it, is
the empty set. We can hence construct new sets ∅. The set {∅} is a set with a
single element (namely ∅). It is important to note that {∅} is not the empty set
10 Wetake it for granted that ∅ is actually a set. But in an axiomatic treatment of set theory, this
must be stated as an axiom.
47 Chapter 3. Sets, Relations, and Functions

∅, i.e., {∅} 6= ∅. Note that |{∅}| = 1 while |∅| = 0. One can thus define a whole
sequence of such sets:

∅, {∅}, {{∅}}, {{{∅}}}, . . . .

Note that, except for the empty set, all these sets have cardinality 1.

Example 3.3. A few other sets constructed from the empty set are:
A = {∅, {∅}},
B = {{∅, {∅}}}, and
C = {∅, {∅}, {∅, {∅}}}.
Their cardinalities are |A| = 2, |B| = 1, and |C| = 3. Also, A ⊆ C and B ⊆ C.

Example 3.4. We have considered three relations between sets: ∈, =, and ⊆.

Which of these relations hold for the following sets?
A = {{∅}},
B = {{∅}, {∅, ∅}},
C = {∅, {∅}}, and
D = {∅, {∅, {∅}}}.
The answer is: B = A ⊆ C ∈ D.

3.2.7 A Construction of the Natural Numbers

We briefly discuss a way to define the natural numbers from basic set theory.
We use bold-face font to denote objects that we define here as special sets, and
then can observe that they can be seen as corresponding to the natural numbers
with the same symbol (but written in non-bold font). We define the sets

def def def def

0 = ∅, 1 = {∅}, 2 = {∅, {∅}}, 3 = {∅, {∅}, {∅, {∅}}}, . . .

The successor of a set n, which we can denote by s(n), is defined as

def
s(n) = n ∪ {n}.

For example, we have 1 = s(0) and 2 = s(1). We note that |0| = 0, |1| = 1,
|2| = 2, |3| = 3, . . ., and, more generally, that |s(n)| = |n| + 1.
An operation + on these sets 0, 1, 2, 3, . . ., which corresponds to addition of
numbers, can be defined recursively as follows:

def def
m+0 = m and m+s(n) = s(m+n).

One can also define a multiplication operation and prove that these operations
satisfy the usual laws of the natural numbers (commutative, associative, and
distributive laws).
3.2. Sets and Operations on Sets 48

3.2.8 The Power Set of a Set

Definition 3.7. The power set of a set A, denoted P(A), is the set of all subsets
of A:11
def
P(A) = {S| S ⊆ A}.

For a finite set with cardinality k, the power set has cardinality 2k (hence the
name ‘power set’ and the alternative notation 2A ).
Example 3.5. P({a, b, c}) = {∅, {a}, {b}, {c}, {a, b}, {a, c}, {b, c}, {a, b, c}} and
|P({a, b, c})| = 8.
Example 3.6. We have
P(∅) = {∅},
P({∅}) = {∅, {∅}},
P({∅, {∅}}) = {∅, {∅}, {{∅}}, {∅, {∅}}},
{1, 7, 9} ∈ P(N).

3.2.9 The Cartesian Product of Sets

Recall that two ordered pairs are equal if and only if both components agree,
i.e.,
def
(a, b) = (c, d) ⇐⇒ a = c ∧ b = d.
More generally, we denote an (ordered) list of k objects a1 , . . . , ak as (a1 , . . . , ak ).
Two lists of the same length are equal if they agree in every component.

Definition 3.8. The Cartesian product A × B of two sets A and B is the set of
all ordered pairs with the first component from A and the second component
from B: 
A × B = (a, b) a ∈ A ∧ b ∈ B .

For finite sets, the cardinality of the Cartesian product of some sets is the
product of their cardinalities: |A × B| = |A| · |B|.
Example 3.7. Prove or disprove the following statements:
(i) ∅ × A = ∅ .
(ii) A × B = B × A .

More generally, the Cartesian product of k sets A1 , . . . , Ak is the set of all lists
of length k (also called k-tuples) with the i-th component from Ai :

×ki=1 Ai = {(a1 , . . . , ak )| ai ∈ Ai for 1 ≤ i ≤ k}

11 In axiomatic set theory, the existence of the power set of every set must be postulated as an
axiom.
49 Chapter 3. Sets, Relations, and Functions

We point out that the Cartesian product is not associative, and in particular

×3i=1 Ai 6= (A1 × A2 ) × A3 .

3.3 Relations
Relations are a fundamental concept in discrete mathematics and Computer Sci-
ence. Many special types of relations (e.g., equivalence relations, order relations,
and lattices) capture concepts naturally arising in applications. Functions are
also a special type of relation.

3.3.1 The Relation Concept

Definition 3.9. A (binary) relation ρ from a set A to a set B (also called an (A, B)-
relation) is a subset of A × B. If A = B, then ρ is called a relation on A.

Instead of (a, b) ∈ ρ one usually writes

a ρ b,
and sometimes we write a6 ρ b if (a, b) ∈
/ ρ.
Example 3.8. Let S be the set of students at ETH and let C be the set of courses
taught at ETH. Then a natural relation from S to C is the “takes” relation. If
s ∈ S is a student and c ∈ C is a course, then (s, c) is in the relation if and only if
s takes course c. If we denote the relation by takes, we can write (s, c) ∈ takes
or s takes y.12 We can also consider the set P of professors at ETH and the
natural relation from P to C.
Example 3.9. Let H be the set of all human beings (alive or dead). Then
“child of” is a relation on H. If we denote the relation by childof, then
(x, y) ∈ childof (or equivalently x childof y) means that x is y’s child. Other
relations on H are “parent of”, “grandparent of”, “cousin of”, “ancestor of”,
“married to”, etc.
Example 3.10. On the integers Z we already know a number of very natural
relations: =, 6=, ≤, ≥, <, >, | (the ‘divides’ relation), and 6 | (does not divide).
Example 3.11. The relation ≡m on Z is defined as follows:
def
a ≡m b ⇐⇒ a − b = km for some k,
i.e., a ≡m b if and only if a and b have the same remainder when divided by m.
(See Section 4.2.)
12 Note that the relation takes can change over time, and in such an example we consider the
relation at a certain point in time.
3.3. Relations 50

Example 3.12. The relation {(x, y)| x2 + y 2 = 1} on R is the set of points on the
unit circle, which is a subset of R × R.

Example 3.13. For any set S, the subset relation (⊆) is a relation on P(S).

Example 3.14. Two special relations from A to B are the empty relation (i.e., the
empty set ∅) and the complete relation A × B consisting of all pairs (a, b).

Definition 3.10. For any set A, the identity relation on A, denoted idA (or simply
id), is the relation idA = {(a, a)| a ∈ A}.
2
Relations on a finite set are of special interest. There are 2n different rela-
tions on a set of cardinality n. (Why?)
The relation concept can be generalized from binary to k-ary relations for
given sets A1 , . . . , Ak . A k-ary relation is a subset of A1 × · · ·× Ak . Such relations
play an important role in modeling relational databases. Here we only consider
binary relations.

3.3.2 Representations of Relations

For finite sets A and B, a (binary) relation ρ from A to B can be represented as a
Boolean |A|× |B| matrix M ρ with the rows and columns labeled by the elements
ρ
of A and B, respectively. For a ∈ A and b ∈ B, the matrix entry Ma,b is 1 if a ρ b,
and 0 otherwise.

Example 3.15. Let A = {a, b, c, d} and B = {q, r, s, t, u}, and consider the re-
lation ρ = {(a, r), (a, s), (a, u), (b, q), (b, s), (c, r), (c, t), (c, u), (d, s), (d, u)}. The
matrix representation is
q r s t u
 
a 0 1 1 0 1
b  1 0 1 0 0 
Mρ =  
c  0 1 0 1 1 
d 0 0 1 0 1
where the rows and columns are labeled by the elements of A and B, respec-
tively.

For relations on a set A, the matrix is an |A| × |A| square matrix.

Example 3.16. For the set A = {1, 2, 3, 4, 5}, the relations =, ≥, and ≤ correspond
to the identity matrix,13 the lower triangular matrix, and the upper triangular
matrix, respectively.
13 The identity relation (=) on any finite set corresponds to the identity matrix.
51 Chapter 3. Sets, Relations, and Functions

An alternative representation of a relation ρ from A to B is by a directed

graph with |A| + |B| vertices14 labeled by the elements of A and B. The graph
contains the edge15 from a to b if and only if a ρ b. For a relation on a set A, the
graph contains only |A| vertices, but it can contain loops (edges from a vertex to
itself).

3.3.3 Set Operations on Relations

Relations from A to B are sets, and therefore we can apply any operation defined
on sets: union, intersection, and complement. In the matrix representation of
relations, these operations correspond to the position-wise logical OR, AND,
and negation, respectively. A relation can also be a subset of another relation.
Example 3.17. On the set Z, the relation ≤ ∪ ≥ is the complete relation,
≤ ∩ ≥ is the identity relation, and the complement of ≤ is the relation >.
Moreover, we have < ⊆ ≤ and = ⊆ ≥.
Example 3.18. For any relatively prime integers m and n, the relation ≡m ∩ ≡n
is ≡mn , as will be shown in Chapter 4. More generally, For general m and n,
the relation ≡m ∩ ≡n is ≡lcm(m,n) , where lcm(m, n) denotes the least common
multiple of m and n.

3.3.4 The Inverse of a Relation

Definition 3.11. The inverse of a relation ρ from A to B is the relation ρb from B

to A defined by
def 
ρb = (b, a) (a, b) ∈ ρ .

Note that for all a and b we have b ρb a ⇐⇒ a ρ b. An alternative notation

for the inverse of ρ is ρ−1 .
Example 3.19. Let H be the set of people, O the set of objects, and π the owner-
ship relation from H to O. The inverse π
b is the “owned by” relation determining
who owns an object.
Example 3.20. If φ is the parenthood relation on the set H of humans (i.e., a φ b
if a is a parent of b), then the inverse relation φb is the childhood relation.
Example 3.21. On the set Z, the inverse of the relation ≤ is the relation ≥. The
inverse of id is again id.
In the matrix representation, taking the inverse of a relation corresponds to
the transposition of the matrix. In the graph representation, taking the inverse
corresponds to inverting the direction of all edges.
14 German: Knoten
15 German: Kante
3.3. Relations 52

3.3.5 Composition of Relations

Definition 3.12. Let ρ be a relation from A to B and let σ be a relation from B

to C. Then the composition of ρ and σ, denoted ρ ◦ σ (or also ρσ), is the relation
from A to C defined by

def 

ρ◦σ = (a, c) ∃b (a, b) ∈ ρ ∧ (b, c) ∈ σ .

The n-fold composition of a relation ρ on a set A with itself is denoted ρn .

Lemma 3.7. The composition of relations is associative, i.e., we have ρ ◦ (σ ◦ φ) =

(ρ ◦ σ) ◦ φ.

Proof. We use the short notation ρσ instead of ρ ◦ σ. The claim of the lemma,
ρ(σφ) = (ρσ)φ, states an equality of sets, which can be proved by proving that
each set is contained in the other (see Section 3.2.3). We prove ρ(σφ) ⊆ (ρσ)φ;
the other inclusion is proved analogously. Suppose that (a, d) ∈ ρ(σφ). We
need to prove that (a, d) ∈ (ρσ)φ. For illustrative purposes, We provide two
formulations of this proof, first as a text and then in logical formulas.
Because (a, d) ∈ ρ(σφ), there exists b such that (a, b) ∈ ρ and (b, d) ∈ σφ.
The latter implies that there exists c such that (b, c) ∈ σ and (c, d) ∈ φ. Now,
(a, b) ∈ ρ and (b, c) ∈ σ imply that (a, c) ∈ ρσ, which together with (c, d) ∈ φ
implies (a, d) ∈ (ρσ)φ.
Now comes the more formal version of the same proof, where the justifica-
tion for each step is omitted:16
.

(a, d) ∈ ρ(σφ) =⇒ ∃b (a, b) ∈ ρ ∧ (b, d) ∈ σφ
.


=⇒ ∃b (a, b) ∈ ρ ∧ ∃c (b, c) ∈ σ ∧ (c, d) ∈ φ
.


=⇒ ∃b∃c (a, b) ∈ ρ ∧ (b, c) ∈ σ ∧ (c, d) ∈ φ
.


=⇒ ∃b∃c (a, b) ∈ ρ ∧ (b, c) ∈ σ ∧ (c, d) ∈ φ
.


=⇒ ∃c∃b (a, b) ∈ ρ ∧ (b, c) ∈ σ ∧ (c, d) ∈ φ
.


=⇒ ∃c ∃b (a, b) ∈ ρ ∧ (b, c) ∈ σ ∧ (c, d) ∈ φ
.

=⇒ ∃c (a, c) ∈ ρσ ∧ (c, d) ∈ φ
.
=⇒ (a, d) ∈ (ρσ)φ.

16 The justifications should be obvious, except perhaps for the following fact from predicate logic

(explained in Chapter 6) used several times in the proof: ∃x(F ∧ G) ≡ F ∧ ∃xG if x does not appear
in F .
53 Chapter 3. Sets, Relations, and Functions

Example 3.22. Consider the ownership relation π and the parenthood relation φ
as above. Then the relation φπ from H to O can be interpreted as follows: a φπ b
if and only if person a has a child who owns object b.

Example 3.23. If φ is the parenthood relation on the set H of humans, then the
relation φ2 is the grand-parenthood relation.17

In the matrix representation, composing two relations corresponds to a spe-

cial type of matrix multiplication. If the matrices are considered as integer ma-
trices (with 0 and 1 entries), then after the multiplication all entries > 1 are set
to 1.18 In the graph representation the composition corresponds to the natural
composition of the graphs, where a ρσ c if and only if there is a path from a
(over some b) to c.
The proof of the following lemma is left as an exercise.

Lemma 3.8. Let ρ be a relation from A to B and let σ be a relation from B to C. Then
the inverse ρc
σ of ρσ is the relation σ
bρb.

3.3.6 Special Properties of Relations

Definition 3.13. A relation ρ on a set A is called reflexive if

aρa
is true for all a ∈ A, i.e., if
id ⊆ ρ.

In other words, a relation is reflexive if it contains the identity relation id. In

the matrix representation of relations, reflexive means that the diagonal is all 1.
In a graph representation, reflexive means that every vertex has a loop (an edge
from the vertex to itself).

Example 3.24. The relations ≤, ≥, and | (divides) on Z \ {0} are reflexive, but
the relations < and > are not.

Definition 3.14. A relation ρ on a set A is called irreflexive if a6 ρ a for all a ∈ A,

i.e., if ρ ∩ id = ∅.19

17 Note that the notation φ2 is actually ambiguous; it could also denote the Cartesian product

φ × φ. But in these lecture notes no ambiguity will arise.

18 If the matrices are considered as Boolean matrices, then for multiplying two matrices one takes

the OR of all product terms contributing to an entry in the product matrix.

19 Note that irreflexive is not the negation of reflexive, i.e., a relation that is not reflexive is not

necessarily irreflexive.
3.3. Relations 54

Definition 3.15. A relation ρ on a set A is called symmetric if

a ρ b ⇐⇒ b ρ a
is true for all a, b ∈ A, i.e., if
ρ = ρb.

In the matrix representation of relations, symmetric means that the matrix is

symmetric (with respect to the diagonal).
A symmetric relation ρ on a set A can be represented as an undirected graph,
possibly with loops from a node to itself.
Example 3.25. The relation ≡m on Z is symmetric.
Example 3.26. The “married to” relation on the set H of humans is symmetric.

Definition 3.16. A relation ρ on a set A is called antisymmetric if

a ρ b ∧ b ρ a =⇒ a = b
is true for all a, b ∈ A, i.e., if
ρ ∩ ρb ⊆ id.

In a graph representation, antisymmetric means that there is no cycle of

length 2, i.e., no distinct vertices a and b with edges both from a to b and from b
to a. Note that antisymmetric is not the negation of symmetric.
Example 3.27. The relations ≤ and ≥ are antisymmetric, and so is the division
relation | on N: If a | b and b | a, then a = b. But note that the division relation
| on Z is not antisymmetric. Why?

Definition 3.17. A relation ρ on a set A is called transitive if

a ρ b ∧ b ρ c =⇒ a ρ c

is true for all a, b, c ∈ A.

Example 3.28. The relations ≤, ≥, <, >, |, and ≡m on Z are transitive.

Example 3.29. Let ρ be the ancestor relation on the set H of humans, i.e., a ρ b if
a is an ancestor of b. This relation is transitive.

Lemma 3.9. A relation ρ is transitive if and only if ρ2 ⊆ ρ.

Proof. The “if” part of the theorem (⇐=) follows from the definition of compo-
sition: If a ρ b and b ρ c, then a ρ2 c. Therefore also a ρ c since ρ2 ⊆ ρ.20 This
20 In set-theoretic notation: (a, c) ∈ ρ2 ∧ ρ2 ⊆ ρ =⇒ (a, c) ∈ ρ.
55 Chapter 3. Sets, Relations, and Functions

means transitivity.
Proof of the “only if” part (=⇒): Assume that ρ is transitive. To show that ρ2 ⊆ ρ,
assume that a ρ2 b for some a and b. We must prove that a ρ b. The definition
of a ρ2 b states that there exists c such that a ρ c and c ρ b. Transitivity of ρ
thus implies that a ρ b, which concludes the proof.

3.3.7 Transitive Closure

The reader can verify as an exercise that for a transitive relation ρ we have ρn ⊆ ρ
for all n > 1.

Definition 3.18. The transitive closure of a relation ρ on a set A, denoted ρ∗ , is

[
ρ∗ = ρn .
n∈N\{0}

In the graph representation of a relation ρ on A, we have a ρk b if and only

if there is a walk of length k from a to b in the graph, where a walk may visit a
node multiple times. The transitive closure is the reachability relation, i.e., a ρ∗ b
if and only if there is a path (of arbitrary finite length) from a to b.

Example 3.30. Consider the set P of all convex polygons. We can think of them
as being given as pieces of paper. By cutting a piece into two pieces with a
straight cut one can obtain new polygons. Let  be the relation defined as fol-
lows: a  b if and only if with a single straight-line cut (or no cut) one can ob-
tain b from a. Moreover, consider the covering relation ⊒, where a ⊒ b if and
only if a can completely cover b (if appropriately positioned). It is easy to see
that ⊒ is reflexive, anti-symmetric, and transitive21 whereas  is only reflexive
and antisymmetric. Note that ⊒ is the transitive closure of .

3.4 Equivalence Relations

3.4.1 Definition of Equivalence Relations

Definition 3.19. An equivalence relation is a relation on a set A that is reflexive,

symmetric, and transitive.

Example 3.31. The relation ≡m is an equivalence relation on Z.

21 Such a relation will be defined below as a partial order relation.

3.4. Equivalence Relations 56

Definition 3.20. For an equivalence relation θ on a set A and for a ∈ A, the set
of elements of A that are equivalent to a is called the equivalence class of a and is
denoted as [a]θ :22
def
[a]θ = {b ∈ A| b θ a}.

Two trivial equivalence relations on a set A are the complete relation A × A,

for which there is only one equivalence class A, and the identity relation for
which the equivalence classes are all singletons23 {a} for a ∈ A.

Example 3.32. The equivalence classes of the relation ≡3 are the sets

[0] = {. . . , −6, −3, 0, 3, 6, . . .},

[1] = {. . . , −5, −2, 1, 4, 7, . . .},
[2] = {. . . , −4, −1, 2, 5, 8, . . .}.

Example 3.33. Consider the set R2 of points (x, y) in the plane, and consider the
relation ρ defined by (x, y) ρ (x′ , y ′ ) ⇐⇒ x + y = x′ + y ′ . Clearly, this relation is
reflexive, symmetric, and transitive. The equivalence classes are the set of lines
in the plane parallel to the diagonal of the second quadrant.

The proof of the following theorem is left as an exercise.

Lemma 3.10. The intersection of two equivalence relations (on the same set) is an
equivalence relation.

Example 3.34. The intersection of ≡5 and ≡3 is ≡15 .

3.4.2 Equivalence Classes Form a Partition

Definition 3.21. A partition of a set A is a set of mutually disjoint subsets of A
that cover A, i.e., a set {Si |i ∈ I} of sets Si (for some index set I) satisfying
[
Si ∩ Sj = ∅ for i 6= j and Si = A.
i∈I

Consider any partition of a set A and define the relation ≡ such that two
elements are ≡-related if and only if they are in the same set of the partition. It
is easy to see that this relation is an equivalence relation. The following theorem
states that the converse also holds. In other words, partitions and equivalence
relations capture the same (simple) abstraction.
22 When the relation θ is understood, we can drop the subscript θ.
23 A singleton is a set with one element.
57 Chapter 3. Sets, Relations, and Functions

Definition 3.22. The set of equivalence classes of an equivalence relation θ, de-

noted by
def 
A/θ = [a]θ a ∈ A ,
is called the quotient set of A by θ, or simply A modulo θ, or A mod θ.

Theorem 3.11. The set A/θ of equivalence classes of an equivalence relation θ on A is

a partition of A.

Proof. Since a ∈ [a] for all a ∈ A (reflexivity of θ), the union of all equivalence
classes is equal to A. It remains to prove that equivalence classes are disjoint.
This is proved by proving, for any fixed a and b, that

a θ b =⇒ [a] = [b]

and
a 6 θ b =⇒ [a] ∩ [b] = ∅.
To prove the first statement we consider an arbitrary c ∈ [a] and observe that
.
c ∈ [a] ⇐⇒ c θ a (def. of [a])
.
=⇒ c θ b (use a θ b and transitivity)
.
⇐⇒ c ∈ [b] (def. of [b].)

Note that c ∈ [a] =⇒ c ∈ [b] (for all c ∈ A) is the definition of [a] ⊆ [b]. The state-
ment [b] ⊆ [a] is proved analogously but additionally requires the application of
symmetry. (This is an exercise.) Together this implies [a] = [b].
The second statement is proved by contradiction. Suppose it is false24 , i.e.,
a 6 θ b and [a] ∩ [b] 6= ∅, i.e., there exists some c ∈ [a] ∩ [b], which means that c θ a
and c θ b. By symmetry we have a θ c and thus, by transitivity, we have a θ b,
a contradiction. (As an exercise, the reader can write this proof as a sequence of
implications.)

3.4.3 Example: Definition of the Rational Numbers

We consider the set A = Z × (Z\{0}) and define the equivalence relation ∼ on
A as follows:
def
(a, b) ∼ (c, d) ⇐⇒ ad = bc.
This relation is reflexive ((a, b) ∼ (a, b) since ab = ba), symmetric (since ad =
bc =⇒ cb = da), and transitive. For the latter, assume (a, b) ∼ (c, d) and
24 Recall that ¬(A → B) ≡ A ∧ ¬B.
3.5. Partial Order Relations 58

(c, d) ∼ (e, f ). Then ad = bc and cf = de, and thus adcf = bcde. Canceling d
(which is 6= 0) gives
acf = bce.
We have to consider the cases c 6= 0 and c = 0 separately. If c 6= 0, then c can be
canceled, giving af = be. If c = 0, then a = 0 since d 6= 0 but ad = bc. Similarly,
e = 0, and thus we also have af = be. Therefore ∼ is transitive and hence an
equivalence relation.
To every equivalence class [(a, b)] we can associate the rational number a/b
(b 6= 0). It is easy to see that all pairs (u, v) ∈ [(a, b)] correspond to the same ra-
tional number, and two distinct rational numbers correspond to distinct equiv-
alence classes. Thus25
def

Q = Z × (Z\{0}) ∼.

3.5 Partial Order Relations

3.5.1 Definition
Taking the definition of an equivalence relation and simply replacing the sym-
metry condition by the anti-symmetry condition results in a completely differ-
ent, but even more interesting type of relation.

Definition 3.23. A partial order (or simply an order relation26 ) on a set A is a

relation that is reflexive, antisymmetric, and transitive. A set A together with
a partial order  on A is called a partially ordered set (or simply poset) and is
denoted as (A; ).27

In a graph representation of relations, a partial order has no cycles (but this

is of course not a complete characterization).
Example 3.35. The relations ≤ and ≥ are partial orders on Z, Q, or R. The
relations < and > are not partial orders because they are not reflexive (though
they are both transitive and, in fact, also antisymmetric because a < b ∧ b < a
is never true, i.e., < ∩ <
b = ∅).
Example 3.36. The division relation (|) is a partial order on N \ {0} or any subset
of N \ {0}.
Example 3.37. The subset relation on the power set of a set A is a partial order.
In other words, for any set A, (P(A); ⊆) is a poset.
25 This is a more fancy way of saying that two rational numbers a/b and c/d are the same number

if and only if the ratio is the same. But actually, this is the definition of the rational numbers. If the
reader is surprised, he or she is challenged to come up with a simpler definition.
26 German: Ordnungsrelation
27 Partial orders are often denoted by ≤ or by a similar symbol like  or ⊑.
59 Chapter 3. Sets, Relations, and Functions

Example 3.38. The covering relation on convex polygons (see Example 3.30) is
a partial order.

For a partial order relation  we can define the relation a ≺ b similar to how
the relation < is obtained from ≤:
def
a ≺ b ⇐⇒ a  b ∧ a 6= b.

Definition 3.24. For a poset (A; ), two elements a and b are called comparable28
if a  b or b  a; otherwise they are called incomparable.

Definition 3.25. If any two elements of a poset (A; ) are comparable, then A is
called totally ordered (or linearly ordered) by .

Example 3.39. (Z; ≤) and (Z; ≥) are totally ordered posets (or simply totally
ordered sets), and so is any subset of Z with respect to ≤ or ≥. For instance,
({2, 5, 7, 10}; ≤) is a totally ordered set.

Example 3.40. The poset (P(A); ⊆) is not totally ordered if |A| ≥ 2, nor is the
poset (N; |).

3.5.2 Hasse Diagrams

Definition 3.26. In a poset (A; ) an element b is said to cover29 an element a if

a ≺ b and there exists no c with a ≺ c and c ≺ b (i.e., between a and b).

Example 3.41. In a hierarchy (say of a company), if a ≺ b means that b is superior

to a, then b covers a means that b is the direct superior of a.

Definition 3.27. The Hasse diagram of a (finite) poset (A; ) is the directed graph
whose vertices are labeled with the elements of A and where there is an edge
from a to b if and only if b covers a.

The Hasse diagram is a graph with directed edges. It is usually drawn such
that whenever a ≺ b, then b is placed higher than a. This means that all arrows
are directed upwards and therefore can be omitted.

Example 3.42. The Hasse diagram of the poset ({2, 3, 4, 5, 6, 7, 8, 9}; |) is shown
in Figure 3.1 on the left.
28 German: vergleichbar
29 German: überdecken
3.5. Partial Order Relations 60

Example 3.43. A nicer diagram is obtained when A is the set of all divisors of
an integer n. The Hasse diagram of the poset ({1, 2, 3, 4, 6, 8, 12, 24}; |) is shown
in Figure 3.1 in the middle.

{a,b,c}
24

8 12
8 {a,c}
{a,b} {b,c}

6 9 4 6
4 {a} {b} {c}

2 3

2 3 5 7 1 {}

Figure 3.1: The Hasse diagrams of the posets ({2, 3, 4, 5, 6, 7, 8, 9}; |),
({1, 2, 3, 4, 6, 8, 12, 24}; |), and (P({a, b, c}); ⊆).

Example 3.44. The Hasse diagram of the poset (P({a, b, c}); ⊆) is shown in Fig-
ure 3.1 on the right.

Example 3.45. For the two Hasse diagrams in Figure 3.2, give a realization as
the divisibility poset of a set of integers.

Figure 3.2: Two Hasse diagrams.

Example 3.46. Consider the covering30 relation on the convex polygons dis-
cussed in Example 3.30. A polygon a is covered by a polygon b if b can be
placed on top of a such that a disappears completely. Are there sets of six poly-
gons resulting in a poset with the left (or right) Hasse diagram in Figure 3.2?

30 The term “cover” is used here in a physical sense, not in the sense of Definition 3.26.
61 Chapter 3. Sets, Relations, and Functions

3.5.3 Combinations of Posets and the Lexicographic Order

Definition 3.28. The direct product of posets (A; ) and (B; ⊑), denoted
(A; ) × (B; ⊑), is the set A × B with the relation ≤ (on A × B) defined by
def
(a1 , b1 ) ≤ (a2 , b2 ) ⇐⇒ a1  a2 ∧ b 1 ⊑ b 2 .

Theorem 3.12. (A; ) × (B; ⊑) is a partially ordered set.

The proof is left as an exercise. The reader can verify that when replacing ∧
by ∨, the resulting relation is in general not a partial order relation.
A more interesting order relation on A × B is defined in the following theo-
rem, whose proof is left as an exercise.
Theorem 3.13. For given posets (A; ) and (B; ⊑), the relation ≤lex defined on A×B
by
def
(a1 , b1 ) ≤lex (a2 , b2 ) ⇐⇒ a1 ≺ a2 ∨ (a1 = a2 ∧ b1 ⊑ b2 )
31
is a partial order relation.

The relation ≤lex is the well-known lexicographic order of pairs, usually con-
sidered when both posets are identical. The lexicographic order ≤lex is useful
because if both (A; ) and (B; ⊑) are totally ordered (e.g. the alphabetical order
of the letters), then so is the lexicographic order on A × B (prove this!).
The lexicographic order can easily be generalized to the k-tuples over some
alphabet Σ (denoted Σk ) and more generally to the set Σ∗ of finite-length strings
over Σ. The fact that a total order on the alphabet results in a total order on Σ∗
is well-known: The telephone book has a total order on all entries.

3.5.4 Special Elements in Posets

We define a few types of special elements that a poset can have.

Definition 3.29. Let (A; ) be a poset, and let S ⊆ A be some subset of A. Then
1. a ∈ A is a minimal (maximal) element of A if there exists no b ∈ A with b ≺ a
(b ≻ a).32
2. a ∈ A is the least (greatest) element of A if a  b (a  b) for all b ∈ A.33
3. a ∈ A is a lower (upper) bound34 of S if a  b (a  b) for all b ∈ S.35
4. a ∈ A is the greatest lower bound (least upper bound) of S if a is the greatest
(least) element of the set of all lower (upper) bounds of S.36

31 Recall def
that for a partial order  we can define the relation ≺ as a ≺ b ⇐⇒ a  b ∧ a 6= b.
def
32 The relations  and ≻ are defined naturally by a  b ⇐⇒ b  a and a ≻ b ⇐⇒ def
b ≺ a.
3.5. Partial Order Relations 62

Minimal, maximal, least, and greatest elements are easily identified in a

Hasse diagram.
The greatest lower bound and the least upper bound of a set S are sometimes
denoted as glb(S) and lub(S), respectively.

Example 3.47. Consider the poset ({2, 3, 4, 5, 6, 7, 8, 9}; |) shown in Figure 3.1. It
has no least or greatest elements, but 2, 3, 5, and 7 are minimal elements, and 5,
6, 7, 8 and 9 are maximal elements. The number 2 is a lower bound (actually the
greatest lower bound) of the subset {4, 6, 8}, and the subset {4, 9} has no lower
(nor upper) bound.

Example 3.48. The poset ({1, 2, 3, 4, 6, 8, 12, 24}; |) shown in Figure 3.1 has both
a least (1) and a greatest (24) element. The subset {8, 12} has the three lower
bounds 1, 2, and 4, and 4 is the greatest lower bound of {8, 12}. Actually, this
poset is special in that any set of elements has a greatest lower bound and a least
upper bound. How can glb(S) and lub(S) be defined?

Example 3.49. The poset (P({a, b, c}); ⊆) shown in Figure 3.1 has both a least
element, namely ∅, and a greatest element, namely {a, b, c}.

Example 3.50. In the poset (Z+ ; |), 1 is a least element but there is no greatest
element.

Definition 3.30. A poset (A; ) is well-ordered37 if it is totally ordered and if

every non-empty subset of A has a least element.38

Note that every totally ordered finite poset is well-ordered. The property of
being well-ordered is of interest only for infinite posets. The natural numbers N
are well-ordered by ≤. Any subset of the natural numbers is also well-ordered.
More generally, any subset of a well-ordered set is well-ordered (by the same
order relation).

33 Note that a least or a greatest element need not exist. However, there can be at most one least

element, as suggested by the word “the” in the definition. This follows directly from the antisym-
metry of . If there were two least elements, they would be mutually comparable, and hence must
be equal.
34 German: untere (obere) Schranke
35 Note that the definitions of the least element and of a lower bound differ only in that a lower

bound can be outside of the considered subset S (and therefore need not be unique).
36 Note that for a poset (A; ) and a subset S ⊆ A, restricting  to S results in a poset (S; ).
37 German: wohlgeordnet
38 The least element is defined naturally (see Definition 3.29).
63 Chapter 3. Sets, Relations, and Functions

3.5.5 Meet, Join, and Lattices

Definition 3.31. Let (A; ) be a poset. If a and b (i.e., the set {a, b} ⊆ A) have a
greatest lower bound, then it is called the meet of a and b, often denoted a ∧ b.
If a and b have a least upper bound, then it is called the join of a and b, often
denoted a ∨ b.

Definition 3.32. A poset (A; ) in which every pair of elements has a meet and
a join is called a lattice39 .

Example 3.51. The posets (N; ≤), (N \ {0}; | ), and (P(S); ⊆) are lattices, as the
reader can verify.
Example 3.52. The poset ({1, 2, 3, 4, 6, 8, 12, 24}; |) shown in Figure 3.1 is a lat-
tice. The meet of two elements is their greatest common divisor, and their join
is the least common multiple. For example, 6 ∧ 8 = 2, 6 ∨ 8 = 24, 3 ∧ 4 = 1, and
3 ∨ 4 = 12. In contrast, the poset ({2, 3, 4, 5, 6, 7, 8, 9}; |) is not a lattice.

3.6 Functions
The concept of a function is perhaps the second most fundamental concept in
mathematics (after the concept of a set). We discuss functions only now, after
having introduced relations, because functions are a special type of relation, and
several concepts defined for relations (e.g. inversion and composition) apply to
functions as well.

Definition 3.33. A function f : A → B from a domain40 A to a codomain41 B is

a relation from A to B with the special properties (using the relation notation
a f b):42
1. ∀a ∈ A ∃b ∈ B af b (f is totally defined),


2. ∀a ∈ A ∀b, b′ ∈ B a f b ∧ a f b′ → b = b ′
(f is well-defined).

As the reader certainly knows, a function f can be understood as a mapping

from A to B, assigning to every a ∈ A a unique element in B, usually denoted
as f (a). One writes f : A → B to indicate the domain and codomain of f , and
f : a 7→ “expression in a”
(e.g. f : a 7→ a2 or, equivalently, f : x 7→ x2 ) to define the function.
39 German: Verband
40 German: Definitionsbereich
41 German: Bildbereich, Wertebereich
42 Here we use the convenient notation ∀a ∈ A and ∃b ∈ B.
3.6. Functions 64

43
Definition 3.34. The set of all functions A → B is denoted as B A .

One can generalize the function concept by dropping the first condition (to-
tally defined), i.e., allowing that there can exist elements a ∈ A for which f (a) is
not defined.

Definition 3.35. A partial function A → B is a relation from A to B such that

condition 2. above holds.
Two (partial) functions with common domain A and codomain B are equal
if they are equal as relations (i.e., as sets). f = g is equivalent to saying that the
function values of f and g agree for all arguments (including, in case of partial
functions, whether or not it is defined).

Definition 3.36. For a function f : A → B and a subset S of A, the image44 of S

under f , denoted f (S), is the set

def
f (S) = {f (a) | a ∈ S}.

Definition 3.37. The subset f (A) of B is called the image (or range) of f and is
also denoted Im(f ).

Example 3.53. Consider the function f : R → R defined by f (x) = x2 . The

image of the interval [2, 3] is the interval [4, 9]. The range of f is the set R≥0 of
non-negative real numbers.

Definition 3.38. For a subset T of B, the preimage45 of T , denoted f −1 (T ), is the

set of values in A that map into T :

def
f −1 (T ) = {a ∈ A| f (a) ∈ T }.

Example 3.54. Consider again the function f (x) = x2 . The preimage of the
interval [4, 9] is [−3, −2] ∪ [2, 3].

43 This notation is motivated by the fact that if A and B are finite, then there are |B||A| such

functions.
44 German: Bild
45 German: Urbild
65 Chapter 3. Sets, Relations, and Functions

Definition 3.39. A function f : A → B is called

1. injective (or one-to-one or an injection) if for a 6= a′ we have f (a) 6= f (a′ ),

i.e., no two distinct values are mapped to the same function value (there
are no “collisions”).
2. surjective (or onto) if f (A) = B, i.e., if for every b ∈ B, b = f (a) for some
a ∈ A (every value in the codomain is taken on for some argument).
3. bijective (or a bijection) if it is both injective and surjective.

Definition 3.40. For a bijective function f , the inverse (as a relation, see Defini-
tion 3.11) is called the inverse function46 of f , usually denoted as f −1 .

Definition 3.41. The composition of a function f : A → B and a function g : B →

C, denoted by g ◦f or simply gf , is defined by (g ◦f )(a) = g(f (a)).47

Example 3.55. Consider again the function f (x) = x3 + 3 and g(x) = 2x2 + x.
Then g ◦ f (x) = 2(f (x))2 + f (x) = 2x6 + 13x3 + 21.

Lemma 3.14. Function composition is associative, i.e., (h ◦ g) ◦ f = h ◦ (g ◦ f ).

Proof. This is a direct consequence of the fact that relation composition is asso-
ciative (see Lemma 3.7).

3.7 Countable and Uncountable Sets

3.7.1 Countability of Sets

Countability is an important concept in Computer Science. A set that is count-
able can be enumerated by a program (even though this would take unbounded
time), while an uncountable set can, in principle, not be enumerated.

46 Itis easy to see that this is a function

47 Note that the composition of functions is the same as the composition of relations. However,
unfortunately, different notation is used: The composition of relations f and g is denoted f ◦g while,
if considered as functions, the same resulting composition is denoted as g ◦ f . (The reason is that
one thinks of functions as mapping “from right to left”.) Because of this ambiguity one must make
explicit whether the symbol ◦ refers to function or relation composition.
3.7. Countable and Uncountable Sets 66

Definition 3.42.
(i) Two sets A and B equinumerous48 , denoted A ∼ B, if there exists a bijection
A → B.
(ii) The set B dominates the set A, denoted A  B, if A ∼ C for some subset
C ⊆ B or, equivalently, if there exists an injective function A → B.
(iii) A set A is called countable49 if A  N, and uncountable50 otherwise.51

Example 3.56. The set Z = {. . . , −2, −1, 0, 1, 2, . . .} of integers is countable, and

Z ∼ N. A bijection f : N → Z is given by f (n) = (−1)n ⌈n/2⌉.

Lemma 3.15. 52
(i) The relation ∼ is an equivalence relation.
(ii) The relation  is transitive: A  B ∧ B  C =⇒ A  C.
(iii) A ⊆ B =⇒ A  B.

Proof. Proof of (i). Assume A ∼ B and B ∼ C, i.e., there exist bijections f : A →

B and g : B → C. Then g ◦ f is a bijection A → C and hence we have A ∼ C.
Proof of (ii). If there is an injection from A to B and also an injection from B to
C, then their composition is an injection from A to C. (We omit the proof of this
statement.)
Proof of (iii). If A ⊆ B, then the identity function on A is an injection from A
to B.

A non-trivial theorem, called the Bernstein-Schröder theorem, is stated with-

out proof.53 It is not needed in this course.

Theorem 3.16. A  B ∧ B  A =⇒ A ∼ B.

3.7.2 Between Finite and Countably Infinite

For finite sets A and B, we have A ∼ B if and only if |A| = |B|. A finite set has
never the same cardinality as one of its proper subsets. Somewhat surprisingly,
for infinite sets this is possible.
48 German: gleich mächtig
49 German: abzählbar
50 German: überabzählbar
51 Recall that N = {0, 1, 2, 3, . . .}.
52 Here ∼ and  should be understood as relations on a given set of sets.
53 An elegant proof of this theorem is given in Proofs from THE BOOK by M. Aigner and G. Ziegler.
67 Chapter 3. Sets, Relations, and Functions

Example 3.57. Let O = {1, 3, 5, . . .} be the set of odd natural numbers. Of

course, O is countable since the identity function is a (trivial) injection from
O to N. Actually, there is even a bijection f : N → O, namely f (n) = 2n + 1.
Indeed, Theorem 3.17 below states a more general fact.

Theorem 3.17. A set A is countable if and only if it is finite or if A ∼ N.

The theorem can be restated as follows: There is no cardinality level between

finite and countably infinite.

Proof. A statement of the form “if and only if” has two directions. To prove the
direction ⇐=, note that if A is finite, then it is countable, and also if A ∼ N, then
A is countable.
To prove the other direction (=⇒), we prove that if A is countable and infinite,
then A ∼ N. According to the definition, A  N means that there is a bijection
f : A → C for a set C ⊆ N. For any infinite subset of N, say C, one can define a
bijection g : C → N as follows. According to the well-ordering principle, there
exists a least element of C, say c0 . Define g(c0 ) = 0. Define C1 = C \ {c0 }.
Again, according to the well-ordering principle, there exists a least element of
C1 , say c1 . Define g(c1 ) = 1. This process can be continued, defining inductively
a bijection g : C → N. Now g ◦ f is a bijection A → N, which proves A ∼ N.

3.7.3 Important Countable Sets

def
Theorem 3.18. The set {0, 1}∗ = {ǫ, 0, 1, 00, 01, 10, 11, 000, 001, . . .} of finite binary
sequences is countable.54

Proof. We could give an enumeration of the set {0, 1}∗, i.e., a bijection be-
tween {0, 1}∗ and N, but to prove the theorem it suffices to provide an injection
{0, 1}∗ → N, which we define as follows. We put a “1” at the beginning of the
string and then interpret it as an natural number using the usual binary repre-
sentation of the natural numbers. For example, the string 0010 is mapped to the
number 18.55

Theorem 3.19. The set N×N (= N2 ) of ordered pairs of natural numbers is countable.

Proof. A possible bijection f : N → N2 is given by f (n) = (k, m), where k

and m are determined using the following equations: k + m = t − 1 and
54 Hereǫ denotes the empty string.
55 Notethat without prepending a 1, different strings (e.g. 0010 and 00010) would result in the
same integer and hence the mapping would not be an injection.
3.7. Countable and Uncountable Sets 68

m = n − 2t , where t > 0 is the smallest integer such that t+1 2 > n. This cor-
responds to the enumeration of the pairs (k, m) along diagonals with constant
sum k + m. More concretely, we enumerate the pairs as follows: (0, 0), (1, 0),
(0, 1), (2, 0), (1, 1), (0, 2), (3, 0), (2, 1), (1, 2), (0, 3), (4, 0), (3, 1), · · ·. It is easy to
see that this is a bijection N → N2 , hence N2 is countable.

An alternative proof works as follows. We have N ∼ {0, 1}∗ and hence N ×

N ∼ {0, 1}∗ × {0, 1}∗. Hence it suffices to show a bijection {0, 1}∗ × {0, 1}∗ →
{0, 1}∗. The concatenation of the two sequences is not a bijection because a bit-
string can be split in many ways into two strings. One possibility to map a pair
(a, b) of bit-strings to a single bit-string is as follows:

(a, b) 7→ 0|a| ||1||a||b,

where we first encode the length |a| of a and then append a and b.
Corollary 3.20. The Cartesian product A × B of two countable sets A and B is count-
able, i.e., A  N ∧ B  N =⇒ A × B  N.

Proof. We first prove A×B  N×N by exhibiting an injection g : A×B → N×N,

namely g(a, b) = (f1 (a), f2 (b)). That g is an injection can be proved as follows:
.
(a, b) 6= (a′ , b′ ) =⇒ a 6= a′ ∨ b 6= b′ (definition of pairs)
. ′ ′
=⇒ f1 (a) 6= f1 (a ) ∨ f2 (b) 6= f2 (b ) (f1 and f2 are injections)
.


=⇒ f1 (a), f2 (b) 6= f1 (a′ ), f2 (b′ ) (definition of pairs).

Using A × B  N × N (just proved) and N × N  N (Theorem 3.19) now gives

A × B  N because  is transitive (Lemma 3.15(i)).
Corollary 3.21. The rational numbers Q are countable.

Proof. Every rational number can be represented uniquely as a pair (m, n) where
m ∈ Z, n ∈ N \ {0}, and where m and n are relatively prime. Hence Q  Z × N.
According to Example 3.56, Z is countable, i.e., Z  N. Thus, according to
Corollary 3.20, Z × N  N. Hence, using transitivity of , we have Q  N (i.e.,
Q is countable).

The next theorem provides some other important sets that are countable.

Theorem 3.22. Let A and Ai for i ∈ N be countable sets.

(i) For any n ∈ N, the set An of n-tuples over A is countable.
(ii) The union ∪i∈N Ai of a countable list A0 , A1 , A2 , . . . of countable sets is count-
able.
(iii) The set A∗ of finite sequences of elements from A is countable.
69 Chapter 3. Sets, Relations, and Functions

Proof. Statement (i) can be proved by induction. The (trivial) induction basis is
that A1 = A is countable. The induction step shows that if An is countable, then
also An+1 ∼ An × A is countable. This follows from Corollary 3.20 because both
An and A are countable.
We omit the proof of (ii).
We now prove (iii), which implies (i), and hence gives an alternative proof
for (i). We define an injection A∗ → {0, 1}∗. This is achieved by using an ar-
bitrary injection f : A → {0, 1}∗ and defining the natural injection g : A∗ →
({0, 1}∗)∗ as follows: For a sequence of length n in A∗ , say (a1 , . . . , an ), we let


g(a1 , . . . , an ) = f (a1 ), . . . , f (an ) ,

i.e., each element in the sequence is mapped separately using f . Now it only
remains to demonstrate an injection ({0, 1}∗)∗ → {0, 1}∗, which can be achieved
as follows.56 We replace every 0-bit in a sequence by 00 and every 1-bit by 01,
which defines a (length-doubling) injection {0, 1}∗ → {0, 1}∗. Then we con-
catenate all obtained expanded sequences, always separated by 11. This is an
injection because the separator symbols 11 can be detected and removed and
the extra 0’s can also be removed. Hence a given sequence can be uniquely de-
composed into the component sequences, and hence no two sequences of binary
(component) sequences can result in the same concatenated sequence.

Example 3.58. We illustrate the above injection ({0, 1}∗)∗ → {0, 1}∗ by an ex-
ample. Consider the sequence (0100, 10111, 01, 1) of bit-sequences. Now 0100
is mapped to 00010000, 10111 is mapped to 0100010101, etc. and the final con-
catenated sequence is 000100001101000101011100011101, which can uniquely be
decomposed into the original four sequences.

3.7.4 Uncountability of {0, 1}∞

We now consider semi-infinite binary sequences (s0 , s1 , s2 , s3 , . . .). One can in-
terpret such a binary sequence as specifying a subset of N: If si = 1, then
i is in the set, otherwise it is not. Equivalently, we can understand a semi-
infinite sequence (s0 , s1 , s2 , s3 , . . .) as a function N → {0, 1}, i.e., as a predi-
cate on N. For example, the primality predicate prime : N → {0, 1} (where
prime(n) = 1 if and only if n is prime) corresponds to the semi-infinite se-
quence 001101010001010001010001000001010000001 . . ..

Definition 3.43. Let {0, 1}∞ denote the set of semi-infinite binary sequences or,
equivalently, the set of functions N → {0, 1}.

56 Notethat a simple concatenation of the sequences does not work because the concatenated
sequences can not uniquely be decomposed into the original sequences, i.e., this is not an injection.
3.7. Countable and Uncountable Sets 70

Theorem 3.23. The set {0, 1}∞ is uncountable.

Proof. This is a proof by contradiction. To arrive at a contradiction, assume that

a bijection f : N → {0, 1}∞ exists.57 Let βi,j be the jth bit in the i-th sequence
f (i), where for convenience we begin numbering the bits with j = 0:

def
f (i) = βi,0 , βi,1 , βi,2 , βi,3 , . . . .

Let b be the complement of a bit b ∈ {0, 1}. We define a new semi-infinite binary
sequence α as follows:

def
α = β0,0 , β1,1 , β2,2 , β3,3 , . . . .

Obviously, α ∈ {0, 1}∞, but there is no n ∈ N such that α = f (n) since α

is constructed so as to disagree in at least one bit (actually the nth bit) with
every sequence f (n) for n ∈ N. This shows that f cannot be a bijection, which
concludes the proof.

This proof technique is known as Cantor’s diagonalization argument; it has

also other applications.
By interpreting the elements of {0, 1}∞ as the binary expansion of a real
number in the interval [0, 1], and vice versa, one can show that the interval [0, 1]
(and hence R itself), is uncountable.58

3.7.5 Existence of Uncomputable Functions

The above theorem states that there are uncountably many functions N → {0, 1}.
On the other hand, every computer program, regardless of the programming
language it is written in, corresponds to a finite string of symbols. Without loss
of generality, one can think of a program as a finite binary sequence p ∈ {0, 1}∗).
Hence the set of programs is countable, whereas the set of functions N → {0, 1}
is uncountable. If every program computes at most one function, there must be
functions N → {0, 1} not computed by a program. This for Computer Science
fundamental consequence of Theorem 3.23 is stated below.

Definition 3.44. A function f : N → {0, 1} is called computable if there is a

program that, for every n ∈ N, when given n as input, outputs f (n).

57 Here we make use of Theorem 3.17 which implies that {0, 1}∞ is countable if and only if such

a bijection exists.
58 A subtlety, which is not a problem in the proof, is that some real numbers have two representa-

tions as bit-strings. For example, the number 0.5 has representations 10000000 · · · and 0111111 · · ·.
71 Chapter 3. Sets, Relations, and Functions

Corollary 3.24. There are uncomputable functions N → {0, 1}.

In fact, essentially all such functions are uncomputable. Those that are com-
putable are rare exceptions. For example, the function prime : N → {0, 1} is
computable.
Is there a specific uncomputable function? A prominent example is the so-
called Halting problem defined as follows: Given as input a program (encoded
as a bit-string or natural number) together with an input (to the program), de-
termine whether the program will eventually stop (function value 1) or loop
forever (function value 0) on that input. This function is uncomputable. This is
usually stated as: The Halting problem is undecidable.
This theorem can also be proved by a diagonalization argument similar to
the one above. The theorem has far-reaching consequences in theoretical and
practical Computer Science. It implies, for example, that it is impossible to write
a program that can verify (in the most general case) whether a given program
satisfies its specification, or whether a given program contains malicious parts.
Chapter 4

Number Theory

4.1 Introduction
Number theory is one of the most intriguing branches of mathematics. For a
long time, number theory was considered one of the purest areas of mathemat-
ics, in the sense of being most remote from having applications. However, since
the 1970’s number theory has turned out to have intriguing and unexpected
applications, primarily in cryptography.
In this course we discuss only some basic number-theoretic topics that have
applications in Computer Science. In addition to the rich applications, a sec-
ond reason for discussing the basics of number theory in a course in Computer
Science is as a preparation for the chapter on algebra (Chapter 5).

4.1.1 Number Theory as a Mathematical Discipline

Number theory (in a strict sense1 ) is the mathematical theory of the natural
numbers N = {0, 1, 2, . . .} or, more generally, of the integers, Z. The laws of
the integers are so natural, simple, and well-known to us that it is amazing how
apparently simple questions about the integers turn out to be extremely difficult
and have resisted all attacks by the brightest mathematicians.
Example 4.1. A simple conjecture unproven to date is that there are infinitely
many prime pairs, i.e., primes p such that p + 2 is also prime. The first prime
pairs are (3, 5), (5, 7), (11, 13), and (17, 19).
Example 4.2. Can one find a triangle with a 90◦ angle whose three sides a, b, and
c have integer lengths? An equivalent question is whether there exist positive
1 Ina more comprehensive understanding, number theory refers to a richer mathematical theory
which also includes topics like, for instance, algebraic extensions of the rational numbers.

72
73 Chapter 4. Number Theory

integers a, b, and c such that a2 + b2 = c2 . The answer is yes. Examples are

32 + 42 = 52 and 122 + 52 = 132 . A straight-forward generalization of this
question is whether there exist positive integers a, b, c, and n ≥ 3 such that an +
bn = cn . The answer (no such integers exist) is known as Fermat’s last theorem,
which remained one of the most famous open conjectures until Andrew Wiles
settled the question some years ago, using highly sophisticated mathematics.

Example 4.3. The recent proof of the Catalan conjecture by Preda Mihailescu,
who worked at ETH Zürich, is another break-through in number theory. This
theorem states that the equation am − bn = 1 has no other integer solutions but
32 − 23 = 1 (for m, n ≥ 2).

4.1.2 What are the Integers?

In this course we are trying to present a rigorous mathematical treatment of the

material. Consequently, in order to present number theory, it appears that we
would first have to define the integers, so we know what we are talking about,
in contrast to the intuitive understanding of numbers acquired since the early
years at school. However, such a formal, axiomatic treatment of the integers is
beyond the scope of the course.
In this chapter we take the usual approach where we assume that we know
what numbers and operations on numbers are and that we also know the basic
facts about numbers (e.g. the commutative, associative and distributive laws,
etc.) which we can use to prove statements. But we should point out that in such
an informal approach it is difficult (if not impossible) to draw the dividing line
between facts that are well-known and facts that require a proof. For example,
why is there no integer between 0 and 1, why is −0 = 0, and why is a2 ≥ 0
for all a ∈ Z? What is the complete list of facts we consider known, and which
facts require a proof? The answer is not clear unless one states a list of axioms.
For example, we will show an interesting proof of the fact that every number
can be factored uniquely into primes. This is definitely a theorem that requires
a proof, even though, after many years of mathematical education, the reader
may consider it a well-known basic fact.
The integers are a special case of a mathematical structure called a ring,
which will be discussed in Chapter 5. In this chapter we mention in a few places
that concepts like divisors, greatest common divisors, ideals, etc. can be defined
for any ring, not just for the integers.
4.2. Divisors and Division 74

4.2 Divisors and Division

4.2.1 Divisors
Definition 4.1. For integers a and b we say that a divides b, denoted a | b, if there
exists an integer c such that b = ac. In this case, a is called a divisor2 of b, and b
is called a multiple3 of a. If a 6= 0 and a divisor c exists it is called the4 quotient
when b is divided by a, and we write c = ab or c = b/a. We write a6 | b if a does
not divide b.

Note that every non-zero integer is a divisor of 0. Moreover, 1 and −1 are

divisors of every integer.

4.2.2 Division with Remainders

In the previous section we defined division of a by d for any divisor d of a.
In this section we generalize division to the case where d is not a divisor of a
and hence division yields a remainder5 . The following theorem was proved by
Euclid around 300 B.C.

Theorem 4.1 (Euclid). For all integers a and d 6= 0 there exist unique integers q and
r satisfying
a = dq + r and 0 ≤ r < |d|.

Here a is called the dividend, d is called the divisor, q is called the quotient, and
r is called the remainder. The remainder r is often denoted as Rd (a) or sometimes
as a mod d.

Proof. We carry out this proof in a detailed manner, also to serve as an example
of a systematic proof.
We define S to be the set of possible nonnegative remainders:
def
S = {s| s ≥ 0 and a = dt + s for some t ∈ Z}.

We prove the following three claims by first proving 1), then proving that 1)
implies 2), and then proving that 2) implies 3).

1) S is not empty.
2) S contains an r < |d|.
3) The r of claim 2) is unique.
2 German: Teiler
3 German: Vielfaches
4 One can prove that it is unique.
5 German: Rest
75 Chapter 4. Number Theory

Proof of 1): We use case distinction and prove the statement for three cases (one
of which is always satisfied):
Case 1: a ≥ 0. Then a = d0 + a and hence a ∈ S.
Case 2: a < 0 and d > 0. Then a = da + (1 − d)a and thus (1 − d)a ∈ S since
(1 − d)a ≥ 0 because both (1 − d) and a are ≤ 0.
Case 3: a < 0 and d < 0. Then a = d(−a) + (1 + d)a and thus (1 + d)a ∈ S since
(1 + d)a ≥ 0 because both (1 + d) and a are ≤ 0.
Proof that 1) implies 2): Because S is not empty, it has a smallest element
(due to the well-ordering principle), which we denote by r. We now prove that
r < |d|, by contradiction, i.e., assuming r ≥ |d|. By definition of S we have
a = dq + r for some q. We make a case distinction: d > 0 and d < 0. If d > 0,
then
a = d(q + 1) + (r − |d|),
hence r − |d| ≥ 0 and therefore r − |d| ∈ S, which means that r is not the smallest
element of S, a contradiction. If d < 0, then a = d(q − 1) + (r − |d|), and the same
argument as above shows that r − |d| ∈ S, a contradiction.
Proof that 2) implies 3): It remains to prove that r is unique. We give a proof
only for d > 0; the case d < 0 is analogous and is left as an exercise. The proof
is by contradiction. Suppose that there also exist r′ 6= r with 0 ≤ r′ < |d| and
such that a = dq ′ + r′ for some q ′ . We distinguish the three cases q ′ = q, q ′ < q,
and q ′ > q. If q ′ = q, then r′ = a − dq ′ = a − dq = r, a contradiction since we
assumed r′ 6= r. If q ′ < q, then q − q ′ ≥ 1, so
r′ = a − dq ′ = (a − dq) + d(q − q ′ ) ≥ r + d.
Since r′ ≥ r + d ≥ d, the condition 0 ≤ r′ < |d| is violated, which is a contra-
diction. A symmetric argument shows that q ′ > q also results in a contradic-
tion,

4.2.3 Greatest Common Divisors

Definition 4.2. For integers a and b (not both 0), an integer d is called a greatest
common divisor6 of a and b if d divides both a and b and if every common divisor
of a and b divides d, i.e., if


d | a ∧ d | b ∧ ∀c (c | a ∧ c | b) → c | d .

The concept of a greatest common divisor applies not only to Z, but to more
general structures (e.g. polynomial rings). If d and d′ are both greatest common
divisors of a and b, then d | d′ and d′ | d. For the integers Z, this means that
d′ = ±d, i.e., there are two greatest common divisors. (But for more general
structures there can be more than two greatest common divisors.)
6 Note that the term “greatest” does not refer to the order relation ≤ but to the divisibility relation.
4.2. Divisors and Division 76

Definition 4.3. For a, b ∈ Z (not both 0) one denotes the unique positive greatest
common divisor by gcd(a, b) and usually calls it the greatest common divisor. If
gcd(a, b) = 1, then a and b are called relatively prime7 .

Lemma 4.2. For any integers m, n and q, we have

gcd(m, n − qm) = gcd(m, n).

Proof. It is easy to prove (as an exercise) that every common divisor of m and
n − qm (and therefore also the greatest) is also a common divisor of m and n,
and vice versa.

This lemma implies in particular that

gcd(m, Rm (n)) = gcd(m, n),

which is the basis for Euclid’s well-known gcd-algorithm: Start with m < n and
repeatedly replace the pair (m, n) by the pair (Rm (n), m) until the remainder
is 0, at which point the last non-zero number is equal to gcd(m, n).

Definition 4.4. For a, b ∈ Z, the ideal generated by a and b8 , denoted (a, b), is the
set
def
(a, b) = {ua + vb | u, v ∈ Z}.
Similarly, the ideal generated by a single integer a is

def
(a) = {ua | u ∈ Z}.

The following lemma implies that every ideal in Z can be generated by a

single integer.

Lemma 4.3. For a, b ∈ Z there exists d ∈ Z such that (a, b) = (d).

Proof. If a = b = 0, then d = 0. Assume now that at least one of the numbers is

non-zero. Then (a, b) contains some positive numbers, so (by the well-ordering
principle) let d be the smallest positive element in (a, b). Clearly (d) ⊆ (a, b)
since every multiple of d is also in (a, b). It remains to prove (a, b) ⊆ (d). For any
c ∈ (a, b) there exist q and r with 0 ≤ r < d such that c = qd + r. Since both c
and d are in (a, b), so is r = c − qd. Since 0 ≤ r < d and d is (by assumption) the
smallest positive element in (a, b), we must have r = 0. Thus c = qd ∈ (d).

Lemma 4.4. Let a, b ∈ Z (not both 0). If (a, b) = (d), then d is a greatest common
divisor of a and b.
7 German: teilerfremd
8 German: durch a und b erzeugtes Ideal
77 Chapter 4. Number Theory

Proof. d is a common divisor of a and b since a ∈ (d) and b ∈ (d). To show that d
is a greatest common divisor, i.e., that every common divisor c of a and b divides
d, note that c divides every integer of the form ua + vb, in particular d.

The following corollary follows from Lemmas 4.3 and 4.4.

Corollary 4.5. For a, b ∈ Z (not both 0), there exist u, v ∈ Z such that
gcd(a, b) = ua + vb.
Example 4.4. For a = 26 and b = 18 we have
gcd(26, 18) = 2 = (−2) · 26 + 3 · 18.
Also, for a = 17 and b = 13 we have
gcd(17, 13) = 1 = (−3) · 17 + 4 · 13.

An extension of Euclid’s well-known gcd-algorithm allows to efficiently

compute not only gcd(a, b), but also u and v such that gcd(a, b) = ua + vb.

4.2.4 Least Common Multiples

The least common multiple is a dual concept of the greatest common divisor.
Definition 4.5. The least common multiple l of two positive integers a and b, de-
noted l = lcm(a, b), is the common multiple of a and b which divides every
common multiple of a and b, i.e.,


a | l ∧ b | l ∧ ∀m (a | m ∧ b | m) → l | m .

4.3 Factorization into Primes

4.3.1 Primes and the Fundamental Theorem of Arithmetic
In this section we prove the well-known fact that prime factorization of integers
is unique. This statement is true more generally for certain types of rings (see
Chapter 5), for example for the ring of polynomials over a field. Even though
rings were not introduced so far, we give hints as to how a formulation can be
generalized from the integers to more general rings.
Definition 4.6. A positive integer p > 1 is called prime if the only positive di-
visors of p are 1 and p. An integer greater than 1 that is not a prime is called
composite9 .10
9 German: zusammengesetzt
10 Note that 1 is neither prime nor composite.
4.3. Factorization into Primes 78

This notion of having only trivial divisors extends to other rings, for example
the ring of polynomials over R. In such a general context, the property is called
irreducible rather than prime. The term prime is in general used for the property
that if p divides a product of elements, then it divides at least one of them (see
Lemma 4.7 below). For the integers, these two concepts are equivalent. The next
lemma states one direction of this equivalence.
The following theorem is called the fundamental theorem of arithmetic.

Theorem 4.6. Every positive integer can be written uniquely (up to the order in which
factors are listed) as the product of primes.11

4.3.2 Proof of the Fundamental Theorem of Arithmetic *

Lemma 4.7. If p is a prime which divides the product x1 x2 · · · xn of some integers x1 , . . . , xn ,
then p divides one of them, i.e., p | xi for some i ∈ {1, . . . , n}.

Proof. The proof is by induction on n. The claim is trivially true for n = 1 (induction
basis). Suppose it is true for some general n (induction hypothesis). To prove the claim
for n + 1 (induction step), suppose that p | x1 · · · xn+1 . We let y := x1 · · · xn (and hence
p | yxn+1 ) and look at the two cases p | y and p6 | y separately. If p | y, then p | xi for
some 1 ≤ i ≤ n, due to the induction hypothesis, and we are done. If p6 | y, then, since p
has no positive divisor except 1 and p, we have gcd(p, y) = 1. By Corollary 4.5 there are
integers u and v such that up + vy = 1. Hence we have

xn+1 = (up + vy)xn+1 = (uxn+1 )p + v(yxn+1 ).

Because p divides both terms (uxn+1 )p and v(yxn+1 ) in the sum on the right side, it
follows that it also divides the sum, i.e., p | xn+1 , which concludes the proof.

We now prove Theorem 4.6:

Proof. We first need to prove that a factorization into primes exists and then that it is
unique.
The existence is proved by contradiction. Every prime can obviously be factored into
primes. Let n be the smallest positive integer which has no prime factorization. Since
it can not be a prime, we have n = km with 1 < k, m < n. Since both k and m can be
factored into primes, so can km = n, a contradiction. Hence there is no smallest n that
cannot be factored into primes, and therefore every n ≥ 1 can be factored into primes.
To prove the uniqueness of the prime factorization, suppose towards a contradiction
that an integer n can be factored in two (possibly different) ways as a product of primes,

n = pa1 1 pa2 2 · · · par r = q1b1 q2b2 · · · qsbs ,

where the primes p1 , . . . , pr and also the primes q1 , . . . , qs are put in an increasing order
and where we have written products of identical primes as powers (here ai > 0 and
11 Note that 1 has zero prime factors, which is allowed.
79 Chapter 4. Number Theory

bi > 0). Then for every i, pi | n and thus pi | q1b1 q2b2 · · · qsbs . Hence, by Lemma 4.7,
pi | qj for some j and, because qj is a prime and pi > 1, we have pi = qj . Similarly for
every j, qj = pi for some i. Thus the set of primes are identical, i.e., r = s and pi = qi
for 1 ≤ i ≤ r. To show that the corresponding exponents ai and bi are also identical,
suppose that ai < bi for some i. We can divide both expressions by pai i , which results
in two numbers that are equal, yet one is divisible by pi while the other is not. This is
impossible since if two numbers are equal, then they have the same divisors.

4.3.3 Expressing gcd and lcm

The fundamental theorem of arithmetic assures that integers a and b can be writ-
ten as Y Y f
a= pei i and b= pi i .
i i
This product can be understood in two different ways. Either it is over all
primes, where all but finitely many of the ei are 0, or it is over a fixed agreed set
of primes. Either view is correct. Now we have
Y min(e ,f )
i i
gcd(a, b) = pi
i

and Y max(ei ,fi )

lcm(a, b) = pi .
i
It is easy to see that
gcd(a, b) · lcm(a, b) = ab
because for all i we have
min(ei , fi ) + max(ei , fi ) = ei + fi .

4.3.4 Non-triviality of Unique Factorization *

It is worth-while pointing out that this theorem is not self-evident, as it may appear to
the reader completely familiar with it. There are in fact examples of rings in which the
unique factorization into irreducible elements does not hold. We give two examples, one
with unique factorization into irreducible elements, and one without.
√
Example 4.5. Let i = −1 denote the complex imaginary unit. The Gaussian integers
√
Z[i] = Z[ −1] = {a + bi | a, b ∈ Z}
are the complex numbers whose real and imaginary parts are both integers. Since the
norm (as complex numbers) is multiplied when two elements of Z[i] are multiplied, the
units (actually four) are the elements with norm 1, namely 1, i, −1, and −i. Units are
elements that divide every other element. An irreducible element p in Z[i] is an element
whose only divisors are units and associates of p (i.e., elements up where u is a unit).
By a generalization of the arguments given for Z one can show that factorization into
irreducible elements is unique in Z[i]. (This is not obvious.)
4.3. Factorization into Primes 80

Example 4.6. Consider now a slightly twisted version of the Gaussian integers:
√ √
Z[ −5] = {a + b 5i | a, b ∈ Z}.

Like the Gaussian integers, this set is closed with respect to addition and multiplication
(of complex numbers). For example,
√ √ √
(a + b 5i)(c + d 5i) = ac − 5bd + (bc + ad) 5i.
√
The only units in Z[ −5] are 1 and −1. One can check√easily, by ruling √ out all possible
divisors with smaller norm, that the elements 2, 3, 1 + 5i, and 1 − 5i are irreducible.
The element 6 can be factored in two different ways into irreducible elements:
√ √
6 = 2 · 3 = (1 + 5i)(1 − 5i).

4.3.5 Irrationality of Roots *

As a consequence of the unique prime factorization we can prove:
√
Theorem 4.8. n is irrational unless n is a square (n = c2 for some c ∈ Z).
√
Proof. Suppose n = a/b for two integers a and b. Then a2 = nb2 . If n is not a square,
it contains at least one prime factor p with an odd power. Since the number of prime
factors p in any square is even, we have a contradiction: a2 contains an even number of
factors p while nb2 contains an odd number of factors p. This is impossible according to
Theorem 4.6.

Note that this proof is simpler and more general than the proof given in Example 2.28
because there we have not made use of the unique prime factorization of the integers.

4.3.6 A Digression to Music Theory *

An octave in music corresponds to the doubling of the frequency of a tone. Similarly, a
fifth12 corresponds to a ratio 3 : 2, a musical fourth13 corresponds to a ratio 4 : 3, and a
major and minor third14 correspond to the ratios 5 : 4 and 6 : 5, respectively.
No multiple of fifths (or fourths) yields a multiple of octaves, since otherwise we
would have ( 32 )n = 2m for some n and m, which is equivalent to 3n = 2m+n . This
implies that one cannot tune a piano so that all intervals are correct since on the piano
(considered to be extended to many octaves), one hits a higher octave after a certain
number (namely 12) of fifths. It can be viewed as a number-theoretic miracle that tuning
a piano is nevertheless possible with only very small inaccuracies. If one divides the
octave
√ into 12 equal (half-tone) intervals, a half-tone corresponds to a frequency ratio of
12
2 ≈ 1.05946. Three, four, five, and seven half-tones yield frequency ratios of
21/4 = 1.1892 ≈ 6/5,
12 German: Quinte
13 German: Quarte
14 German: Terz
81 Chapter 4. Number Theory

21/3 = 1.2599 ≈ 5/4,

25/12 = 1.33482 ≈ 4/3, and
27/12 = 1.49828 ≈ 3/2,

approximating the minor third, major third, fourth, and fifth astonishingly well.
One can view these relations also as integer approximations. For example, we have
531′ 441 = 312 ≈ 219 = 524′ 288, which implies that ( 23 )12 ≈ 27 , i.e., 12 fifths are approxi-
mately seven octaves.
√
A piano for which every half-tone has the same frequency ratio, namely 12 2, is called
a well-tempered15 piano. The reason why music is a pleasure, despite its theoretically
unavoidable inaccuracy, is that our ear is trained to “round tones up or down” as needed.

4.4 Some Basic Facts About Primes *

4.4.1 The Density of Primes
The following fact was known already to Euclid.

Theorem 4.9. There are infinitely many primes.

Proof. To arrive at a contradiction, suppose Q that the set of primes is finite, say P =
{p1 , . . . , pm }. Then the number n = m i=1 p i + 1 is not divisible by any of the primes
p1 , . . . , pm and hence n is either itself a prime, or divisible by a prime not in {p1 , . . . , pm }.
In either case, this contradicts the assumption that p1 , . . . , pm are the only primes.

This is a non-constructive existence proof. We now give a constructive existence

proof for another number-theoretic fact.

Theorem 4.10. Gaps between primes can be arbitrarily large, i.e., for every k ∈ N there exists
n ∈ N such that the set {n, n + 1, · · · , n + k − 1} contains no prime.

Proof. Let n = (k + 1)! + 2. Then for any l with 2 ≤ l ≤ k + 1, l divides (k + 1)! = n − 2

and hence l also divides (k + 1)! + l = n − 2 + l, ruling out n, n + 1, . . . , n + k − 1 as
possible primes.

Example 4.7. The largest gap between two primes below 100 is 8. Which are these
primes?

There exists a huge body of literature on the density and distribution of primes. We
only state the most important one of them.

Definition 4.7. The prime counting function π : R → N is defined as follows: For any real
x, π(x) is the number of primes ≤ x.

15 German: wohltemperiert
4.4. Some Basic Facts About Primes * 82

The following theorem proved by Hadamard and de la Vallée Poussin in the 19th
century states that the density of primes ≤ x is approximately 1/ ln(x). This shows that
if one tries to find a large (say 1024 bit) prime, for instance for cryptographic purposes,
then a randomly selected odd integer has reasonable chances of being prime. Much more
precise estimates for π(x) are known today.
π(x) ln(x)
Theorem 4.11. lim = 1.
x→∞ x
Two of the main open conjectures on prime numbers are the following:
Conjecture 4.1. There exist infinitely many twin primes, i.e., primes p for which also
p + 2 is prime.
Conjecture 4.2 (Goldbach). Every even number greater than 2 is the sum of two primes.

4.4.2 Remarks on Primality Testing

How can we test whether a given integer n is a prime? We can test whether any smaller
prime is a divisor of n. The following lemma provides a well-known √ short-cut. In a
practical implementation, one might not have a list of primes up to n and can instead
simply try all odd numbers as possible divisors.
√
Lemma 4.12. Every composite integer n has a prime divisor ≤ n.

Proof.√If n is composite,
√ it has a divisor a with
√ 1<√ a < n. Hence n = ab for b > 1. Either
a ≤ n√ or b ≤ n since otherwise ab > n · n = n. Hence n has a divisor √ c with
1 < c ≤ n. Either c is prime or, by Theorem 4.6, has a prime divisor d < c ≤ n.

For large integers, trial-division up to the square root is hopelessly inefficient. Let us
briefly discuss the algorithmic problem of testing primality.
Primes are of great importance in cryptography. In many applications, one needs to
generate very large primes, with 1024 or even 2048 bits. In many cases, the primes must
remain secret and it must be infeasible to guess them. They should therefore be selected
uniformly at random from the set of primes in a certain interval, possibly satisfying some
further restrictions for security or operational reasons.
Such primes can be generated in three different ways. The first approach is to select
a random (odd) integer from the given interval (e.g. [101023 , 101024 − 1]) and to apply
a general primality test. Primality testing is a very active research area. The record
in general primality testing is around 8.000 decimal digits and required sophisticated
techniques and very massive computing power. As a celebrated theoretical breakthrough
(with probably little practical relevance), it was proved in 2002 that primality testing is
in P, i.e., there is a worst-case polynomial-time algorithm for deciding primality of an
integer.16
The second approach is like the first, but instead of a primality test one performs a
probabilistic compositeness test. Such a test has two outcomes, “composite” and “pos-
sibly prime”. In the first case, one is certain that the number is composite, while in the
16 M. Agrawal, N. Kayal, and N. Saxena, PRIMES is in P, Annals of Mathematics vol. 160, pp. 781–
793.
83 Chapter 4. Number Theory

other case one has good chances that the number is a prime, without being certain. More
precisely, one can fix a (very small) probability ǫ (e.g. ǫ = 10−100 ) and then perform
a test such that for any composite integer, the probability that the test does not output
“composite” is bounded by ǫ.
A third approach is to construct a prime together with a proof of primality. As we
might see later, the primality of an integer n can be proved if one knows part of the
factorization of n − 1.

4.5 Congruences and Modular Arithmetic

4.5.1 Modular Congruences
We consider the following motivating example:
Example 4.8. Fermat’s famous “last theorem”, proved recently by Wiles, states
that the equation xn + y n = z n has no solution in positive integers x, y, z for
n ≥ 3. Here we consider a similar question. Does x3 + x2 = y 4 + y + 1 have a
solution in integers x and y?
The answer is “no”, and the proof is surprisingly simple: Obviously, x must be
either even or odd. In both cases, x3 + x2 is even. On the other hand, y 4 + y + 1
is odd no matter whether y is even or odd. But an even number cannot be equal
to an odd number.

Here is another example whose solution requires a generalization of the

above trick.
Example 4.9. Prove that x3 − x = y 2 + 1 has no integer solutions.

Definition 4.8. For a, b, m ∈ Z with m ≥ 1, we say that a is congruent to b modulo

m if m divides a − b. We write a ≡ b (mod m) or simply a ≡m b, i.e.,

def
a ≡m b ⇐⇒ m | (a − b).

Example 4.10. We have 23 ≡7 44 and 54321 ≡10 1. Note that a ≡2 b means that
a and b are either both even or both odd.
Example 4.11. If a ≡2 b and a ≡3 b, then a ≡6 b. The general principle underly-
ing this example will be discussed later.

The above examples 4.8 and 4.9 make use of the fact that if an equality holds
over the integers, then it must also hold modulo 2 or, more generally, modulo
any modulus m. In other words, for any a and b,

a = b =⇒ a ≡m b (4.1)
4.5. Congruences and Modular Arithmetic 84

for all m, i.e., the relation ≡m is reflexive (a ≡m a for all a). It is easy to verify
that this relation is also symmetric and transitive, which was already stated in
Chapter 3:

Lemma 4.13. For any m ≥ 1, ≡m is an equivalence relation on Z.

The implication (4.1) can be turned around and can be used to prove the
inequality of two numbers a and b:

a 6≡m b =⇒ a 6= b.

The following lemma shows that modular congruences are compatible with
the arithmetic operations on Z.

Lemma 4.14. If a ≡m b and c ≡m d, then

a + c ≡m b + d and ac ≡m bd.

Proof. We only prove the first statement and leave the other proof as an exercise.
We have m | (a − b) and m | (c − d). Hence m also divides (a − b) + (c − d) =
(a + c) − (b + d), which is the definition of a + c ≡m b + d.

Corollary 4.15. Let f (x1 , . . . , xk ) be a multi-variate polynomial in k variables with

integer coefficients, and let m ≥ 1. If ai ≡m bi for 1 ≤ i ≤ k, then

f (a1 , . . . , ak ) ≡m f (b1 , . . . , bk ).

Proof. Evaluating a polynomial can be achieved by a sequence of additions and

multiplications. In each such step the congruence modulo m is maintained,
according to Lemma 4.14.

4.5.2 Modular Arithmetic

There are m equivalence classes of the equivalence relation ≡m , namely
[0], [1], . . . , [m − 1]. Each equivalence class [a] has a natural representative
Rm (a) ∈ [a] in the set
Zm := {0, . . . , m − 1}
of remainders modulo m.17
In the following we are often interested only in the remainder of an integer
(e.g. the result of a computation) modulo some modulus m. Addition and mul-
tiplication modulo m can be considered as operations on the set Zm . We will be
interested in this structure in Chapter 5 where we will see that it is an important
example of a so-called ring.
17 Recall that Rm (a) denotes the remainder when a is divided by m.
85 Chapter 4. Number Theory

Example 4.12. Is n = 84877 · 79683 − 28674 · 43879 even or odd? The answer
is trivial and does not require the computation of n. The product of two odd
numbers is odd, the product of an even and an odd numbers is even, and the
difference of an odd and an even number is odd. Thus n is odd.

The following lemma establishes the simple connection between congruence

modulo m and remainders modulo m. The proof is easy and left as an exercise.

Lemma 4.16. For any a, b, m ∈ Z with m ≥ 1,

(i) a ≡m Rm (a).
(ii) a ≡m b ⇐⇒ Rm (a) = Rm (b).

The above lemma together with Lemma 4.14 implies that if in a computation
involving addition and multiplication one is interested only in the remainder of
the result modulo m, then one can compute remainders modulo m at any in-
termediate step (thus keeping the numbers small), without changing the result.
This is referred to as modular arithmetic.

Corollary 4.17. Let f (x1 , . . . , xk ) be a multi-variate polynomial in k variables with

integer coefficients, and let m ≥ 1. Then



Rm f (a1 , . . . , ak ) = Rm f (Rm (a1 ), . . . , Rm (ak )) .

Proof. By Lemma 4.16 (i) we have ai ≡m Rm (ai ) for all i. Therefore, using
Corollary 4.15 we have f (a1 , . . . , ak ) ≡m f (Rm (a1 ), . . . , Rm (ak )). Thus, using
Lemma 4.16 (ii) we obtain the statement to be proved.

Example 4.13. Compute 7100 modulo 24. We make use of the fact that 72 =
49 ≡24 1. Thus R24 (7100 ) = R24 ((72 )50 ) = R24 (R24 (72 )50 ) = R24 (150 ) =
R24 (1) = 1.

Example 4.14. Remainders can be used to check the correctness of calculations

(which were, for instance, carried out by hand). If an error occurred during
the computation, it is likely that this error also occurs when the computation
is considered modulo some m. To check the result n of a computation one
can compare Rm (n) with the remainder modulo m obtained by continuously
reducing intermediate results of the computation. The modulus m = 9 is es-
pecially suited because R9 (n) can be easily computed by adding the decimal
digits of n (prove this!), and computing the remainder modulo 9 of this sum.
For instance, to check whether 247 · 3158 = 780026 is correct one can compute
R9 (247) = R9 (2 + 4 + 7) = 4 and R9 (3158) = R9 (3 + 1 + 5 + 8) = 8 to ob-
tain R9 (247 · 3158) = R9 (4 · 8) = 5. On the other hand we have R9 (780026) =
R9 (7 + 8 + 2 + 6) = 5. Hence the result can be correct.
4.5. Congruences and Modular Arithmetic 86

Example 4.15. A similar test can be performed for m = 11. R11 (n) can be com-
puted by adding the decimal digits of n with alternating sign modulo 11. This
test, unlike that for m = 9, detects the swapping of digits.

Example 4.16. The larger m, the more likely it is that a calculation error is de-
tected. How could one implement a similar test for m = 99, how for m = 101?

4.5.3 Multiplicative Inverses

Consider the problem of finding the solutions x for the congruence equation

ax ≡m b.

Obviously, if x is a solution, then so is x + km for any k ∈ Z. Hence we can

restrict the consideration to solutions in Zm . Of special interest is the case where
gcd(a, m) = 1 and b = 1.

Lemma 4.18. The congruence equation

ax ≡m 1

has a solution x ∈ Zm if and only if gcd(a, m) = 1. The solution is unique.

Proof. (=⇒) If x satisfies ax ≡m 1, then ax = km + 1 for some k. Note that

gcd(a, m) divides both a and m, hence also ax−km, which is 1. Thus gcd(a, m) =
1. Therefore, if gcd(a, m) > 1, then no solution x exists.
(⇐=) Assume now that gcd(a, m) = 1. According to Corollary 4.5 there
exist integers u and v such that ua + vm = gcd(a, m) = 1. Since vm ≡m 0 we
have ua ≡m 1. Hence x = u is a solution in Z, and thus x = Rm (u) is a solution
in Zm .
To prove uniqueness of x in Zm , suppose there is another solution x′ ∈ Zm .
Then ax − ax′ ≡m 0, thus a(x − x′ ) ≡m 0 and hence m divides a(x − x′ ). Since
gcd(a, m) = 1, m must divide (x − x′ ).18 Therefore Rm (x) = Rm (x′ ) and hence
Rm (x) is the unique solution in Zm .

Definition 4.9. If gcd(a, m) = 1, the unique solution x ∈ Zm to the congruence

equation ax ≡m 1 is called the multiplicative inverse of a modulo m. One also uses
the notation x ≡m a−1 or x ≡m 1/a.

Example 4.17. The multiplicative inverse of 5 modulo 13 is 8 since

5 · 8 = 40 ≡13 1.
18 If k divides mn and gcd(k, n) = 1, then k divides m. (Prove this!)
87 Chapter 4. Number Theory

The multiplicative inverse of a modulo m can efficiently be computed using

the so-called extended Euclidean algorithm. Note that if gcd(a, m) 6= 1, then a
has no multiplicative inverse modulo m.

4.5.4 The Chinese Remainder Theorem

We now consider a system of congruences for an integer x.

Example 4.18. Find an integer x for which x ≡3 1, x ≡4 2, and x ≡5 4. A

solution is x = 34 as one can easily verify. This is the only solution in Z60 , but
by adding multiples of 60 to x one obtains further solutions.

The following theorem, known as the Chinese Remainder Theorem (CRT),

states this for general systems of congruences. The proof of the theorem is con-
structive: it shows how a solution x can be constructed efficiently.

Theorem 4.19. Let m1 , m2 , . . . , mr be pairwise relatively prime integers and let M =

Q r
i=1 mi . For every list a1 , . . . , ar with 0 ≤ ai < mi for 1 ≤ i ≤ r, the system of
congruence equations

x ≡ m1 a 1
x ≡ m2 a 2
...
x ≡ mr a r

for x has a unique solution x satisfying 0 ≤ x < M .

Proof. Let Mi = M/mi . Hence gcd(Mi , mi ) = 1 because every factor mk (where

k 6= i) of Mi is relatively prime to mi , and thus so is Mi . Thus there exists an Ni
satisfying
Mi Ni ≡mi 1.
Note that for all k 6= i we have Mi ≡mk 0 and thus

Mi Ni ≡mk 0.

Therefore
r
X
ai M i N i ≡ mk ak
i=1

for all k. Hence the integer x defined by

r
!
X
x = RM ai M i N i
i=1
4.6. Application: Diffie-Hellman Key-Agreement 88

satisfies all the congruences. In order to prove uniqueness, observe that for two
solutions x′ and x′′ , x′ − x′′ ≡mi 0 for all i, i.e., x′ − x′′ is a multiple of all the mi
and hence of lcm(m1 , . . . , mr ) = M . Thus x′ ≡M x′′ .

The Chinese Remainder Theorem has several applications. When one is in-
terested in a computation modulo M , then the moduli mi can be viewed as a
coordinate system. One can project the numbers of interest modulo the mi , and
perform the computation in the r projections (which may be more efficient than
computing directly modulo M ). If needed at the end, one can reconstruct the
result from the projections.

Example 4.19. Compute R35 (21000 ). We can do this computation modulo 5 and
modulo 7 separately. Since 24 ≡5 1 we have 21000 ≡5 1. Since 23 ≡7 1 we have
21000 ≡7 2. This yields 21000 ≡35 16 since 16 is the (unique) integer x ∈ [0, 34]
with x ≡5 1 and x ≡7 2.

4.6 Application: Diffie-Hellman Key-Agreement

Until the 1970’s, number theory was considered one of the purest of all math-
ematical disciplines in the sense of being furthest away from any useful ap-
plications. However, this has changed dramatically in the 1970’s when crucial
applications of number theory in cryptography were discovered.
In a seminal 1976 paper19 , Diffie and Hellman proposed the revolutionary
concept of public-key cryptography. Most security protocols, and essentially all
those used on the Internet, are based on public-key cryptography. Without this
amazing and paradoxical invention, security on the Internet would be unthink-
able.
Consider the key distribution problem. In order to encrypt the communica-
tion between two parties, say Alice and Bob, they need a secret key known only
to them. How can they obtain such a key in a setting, like the Internet, where
they initially share no secret information and where they are connected only
by an insecure communication channel to which a potential adversary has ac-
cess? We describe the famous Diffie-Hellman protocol which allows to solve
this seemingly paradoxical problem.
The Diffie-Hellman protocol (see Figure 4.2), as originally proposed20 , makes
use of exponentiation modulo a large prime p, for instance with 2048 bits. While
y = Rp (g x ) can be computed efficiently (how?), even if p, g and x are numbers
of several hundred or thousands of digits, computing x when given p, g and y
is generally (believed to be) computationally infeasible. This problem is known
19 W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Transactions on Information

Theory, vol. 22, no. 6, pp. 644-654, 1976.

20 Since then, other versions, for instance based on elliptic curves, have been proposed.
89 Chapter 4. Number Theory

as (a version of) the discrete logarithm problem. The security of the Diffie-Hellman
protocol is based on this asymmetry in computational difficulty. Such a func-
tion, like x 7→ Rp (g x ), is called a one-way function: it is easy to compute in one
direction but computationally very hard to invert.21
The prime p and the basis g (e.g. g = 2) are public parameters, possibly
generated once and for all for all users of the system. The protocol is symmetric,
i.e., Alice and Bob perform the same operations. The exchange of the so-called
public keys yA and yB must be authenticated, but not secret.22 It is easy to see that
Alice and Bob end up with the same value kAB = kBA which they can use as
a secret key for encrypting subsequent communication.23 In order to compute
kAB from yA and yB , an adversary would have to compute either xA or xB ,
which is believed to be infeasible.

Alice insecure channel Bob

select xA at random select xB at random
from {0, . . . , p−2} from {0, . . . , p−2}

yA := Rp (g xA ) yB := Rp (g xB )
yA
✲
yB
✛
xA xB
kAB := Rp (yB ) kBA := Rp (yA )

xA
kAB ≡p yB ≡p (g xB )xA ≡p g xA xB ≡p kBA

Figure 4.1: The Diffie-Hellman key agreement protocol.

A mechanical analogue of a one-way function is a padlock without a key.24

The mechanical analog of the Diffie-Hellman protocol is shown in Figure 4.2.
Alice and Bob can exchange their locks (closed) and keep a copy in the open
state. Then they can both generate the same configuration, namely the two locks
21 It is not known whether one-way functions actually exist, but it is conjectured that exponentia-

tion modulo a prime p is a one-way function for most p.

22 This can be achieved by recognizing the other party’s voice in a phone call or, indirectly, by the

use of public-key certificates.

23 More precisely, they can derive a common secret key, for example by applying a hash function

to KAB .
24 A padlock with a key corresponds to a so-called trapdoor one-way function which is not consid-

ered here.
4.6. Application: Diffie-Hellman Key-Agreement 90

Alice Bob
insecure channel

x x
A A
yA=g A yB=g B B B

xA xB
yA
A

yB B

xx xx
B

kAB=g B A kBA=g A B

B
A

A
Figure 4.2: Mechanical analog of the Diffie-Hellman protocol.

interlocked. For the adversary, this is impossible without breaking open one of
the locks.
Another famous (and more widely used) public-key cryptosystem, the so-
called RSA-system invented in 1977 and named after Rivest, Shamir and Adle-
man25 , will be discussed later. Its security is based on the (conjectured) compu-
tational difficulty of factoring large integers.

25 They received the Turing award in 2003.

Chapter 5

Algebra

5.1 Introduction
5.1.1 What Algebra is About
In a nutshell, algebra is the mathematical study of structures consisting of a set
and certain operations on the set. Examples are the integers Z, the rational num-
bers Q, and the set of polynomials with coefficients from some domain, with the
respective addition and multiplication operations. A main goal in algebra is to
understand the properties of such algebraic systems at the highest level of gen-
erality and abstraction. For us, an equally important goal is to understand the
algebraic systems that have applications in Computer Science.
For instance, one is interested in investigating which properties of the inte-
gers are responsible for the unique factorization theorem. What do the integers,
the polynomials with rational or real coefficients, and several other structures
have in common so that the unique factorization theorem holds? Why does it
not hold for certain other structures?
The benefit of identifying the highest level of generality and abstraction is
that things often become simpler when unnecessary details are eliminated from
consideration, and that a proof must be carried out only once and applies to all
structures captured at the given level of generality.

5.1.2 Algebraic Structures

Definition 5.1. An operation on a set S is a function1 S n → S, where n ≥ 0 is

called the “arity”2 of the operation.

1 In some cases, the function is only partial.

2 German: Stelligkeit

91
5.2. Monoids and Groups 92

Operations with arity 1 and 2 are called unary and binary operations, respec-
tively. An operation with arity 0 is called a constant; it is a fixed element from
the set S, for instance the special element 1 in Z. In many cases, only binary
operations are actually listed explicitly,

Definition 5.2. An algebra (or algebraic structure or Ω-algebra) is a pair hS; Ωi

where S is a set (the carrier3 of the algebra) and Ω = (ω1 , . . . , ωn ) is a list of
operations on S.4

5.1.3 Some Examples of Algebras

We give a few examples of algebras, some of which we will discuss in more
detail later.
Example 5.1. hZ; +, −, 0, ·, 1i denotes the integers with the two binary opera-
tions + and ·, the unary operation − (taking the negative) and the two constants
0 and 1, the neutral elements of addition and multiplication.

We sometimes omit some details and write simply hZ; +, ·i instead of

hZ; +, −, 0, ·, 1i when the negation operation and the special elements 0 and 1
are understood. More generally, we sometimes drop unary and nullary opera-
tions. This notation is actually more common in the literature (but less precise).
This is a purely notational issue.
Example 5.2. hZm ; ⊕i (and hZm ; ⊙i) denote the integers modulo m with addi-
tion modulo m (and multiplication modulo m) as the only binary operation.
Example 5.3. hP(A); ∪, ∩, i is the power set of a set A with union, intersection,
and complement operations.

5.2 Monoids and Groups

In this section we look at algebras hS; ∗i with one binary operation and possibly
one unary and one nullary operation. The binary operation can be denoted
arbitrarily, for instance by ∗. It is often denoted +, in which case it is called
addition, or ·, in which case it is called multiplication. But it is important to note
that the name of the operation is not of mathematical relevance.
We discuss three special properties that hS; ∗i can have, (1) neutral elements,
(2) associativity, and (3) inverse elements, as well as combinations of these.
3 German: Trägermenge
4 This definition, though very general, does not capture all algebraic systems one might be inter-
ested in. A more general type of algebraic system, called heterogeneous algebraic systems, can have
several carrier sets.
93 Chapter 5. Algebra

5.2.1 Neutral Elements

Definition 5.3. A left [right] neutral element (or identity element) of an algebra
hS; ∗i is an element e ∈ S such that e ∗ a = a [a ∗ e = a] for all a ∈ S. If
e ∗ a = a ∗ e = a for all a ∈ S, then e is simply called neutral element.

If the operation is called addition, then e is usually denoted as 0, and if it is

called multiplication, then e is usually denoted as 1.

Lemma 5.1. If hS; ∗i has both a left and a right neutral element, then they are equal.
In particular hS; ∗i can have at most one neutral element.

Proof. Suppose that e and e′ are left and right neutral elements, respectively.
Then, by definition, e ∗ e′ = e′ (considering e as a left neutral element), but also
e ∗ e′ = e (considering e′ as a right neutral element). Thus e′ = e.

Example 5.4. The empty sequence ǫ is the neutral element of hΣ∗ ; |i, where Σ∗
is the set of sequences over the alphabet Σ and | denotes concatenation of se-
quences.

5.2.2 Associativity and Monoids

The operation in the previous example, sequence concatenation, has a very use-
ful property: When all sequences are written one after the other, with spaces
between sequences, it does not matter in which order one performs the concate-
nation operations. In short, sequence concatenation is associative.

Definition 5.4. A binary operation ∗ on a set S is associative if a∗(b∗c) = (a∗b)∗c

for all a, b, c ∈ S.

Not all operations are associative:

Example 5.5. An example of a non-associative operation on the integers is ex-

c
ponentiation: (ab )c =
6 a(b ) in general.

Associativity is a very special property of an operation, but it is of crucial

importance in algebra. Associativity of ∗ means that the element a1 ∗ a2 ∗ · · · ∗ an
(for any a1 , . . . , an ∈ S) is uniquely defined and independent of the order in
which elements are combined. For example,

(((a ∗ b) ∗ c) ∗ d) = ((a ∗ b) ∗ (c ∗ d)) = (a ∗ ((b ∗ c) ∗ d)).

Pn
This Q
justifies the use of the notation i=1 ai if the operation ∗ is called addition,
n
and i=1 ai if the operation ∗ is called multiplication.
5.2. Monoids and Groups 94

Note that up to now, and also in the next section, we do not yet pay attention
to the fact that some operations are commutative. In a sense, commutativity is
less important than associativity.
Some standard examples of associate operations are addition and multipli-
cation in various structures: Z, N, Q, R, and Zm .

Definition 5.5. A monoid is an algebra hM ; ∗, ei where ∗ is associative and e is

the neutral element.
Some standard examples of monoids are hZ; +, 0i, hZ; ·, 1i, hQ; +, 0i, hQ; ·, 1i,
hR; +, 0i, hR; ·, 1i, hZm ; ⊕, 0i, and hZm ; ⊙, 1i.

Example 5.6. hΣ∗ ; | , ǫi is a monoid since, as mentioned above, concatenation of

sequences is associative.

Example 5.7. For a set A, the set AA of functions A → A form a monoid with re-
spect to function composition. The identity function id (defined by id(a) = a for
all a ∈ A) is the neutral element. According to Lemma 3.7, relation composition,
and therefore also function composition, is associative. The algebra hAA ; ◦, idi is
thus a monoid.

5.2.3 Inverses and Groups

Definition 5.6. A left [right] inverse element5 of an element a in an algebra hS; ∗, ei

with neutral element e is an element b ∈ S such that b ∗ a = e [a ∗ b = e]. If
b ∗ a = a ∗ b = e, then b is simply called an inverse of a.

To prove the uniqueness of the inverse (if it exists), we need ∗ to be associa-

tive:

Lemma 5.2. In a monoid hM ; ∗, ei, if a ∈ M has a left and a right inverse, then they
are equal. In particular, a has at most one inverse.

Proof. Let b and c be left and right inverses of a, respectively, i.e., we have b ∗ a =
e and a ∗ c = e, Then

b = b ∗ e = b ∗ (a ∗ c) = (b ∗ a) ∗ c = e ∗ c = c,

where we have omitted the justifications for the steps.

Example 5.8. Consider again hAA ; ◦, idi. A function f ∈ AA has a left inverse
only if it is injective, and it has a right inverse only if it is surjective. Hence f has
an inverse f −1 if and only if f is bijective. In this case, f ◦ f −1 = f −1 ◦ f = id.
5 or simply left [right] inverse.
95 Chapter 5. Algebra

Now follows one of the most fundamental definitions of algebra.

Definition 5.7. A group is an algebra hG; ∗,b, ei satisfying the following axioms:
G1 ∗ is associative.
G2 e is a neutral element: a ∗ e = e ∗ a = a for all a ∈ G.
G3 Every a ∈ G has an inverse element b a, i.e., a ∗ b
a=ba ∗ a = e.

We can write hG; ∗i (or simply G if ∗ is understood) instead of hG; ∗,b, ei. If
the operation ∗ is called addition (+) [multiplication (·)], then the inverse of a is
denoted −a [a−1 or 1/a] and the neutral element is denoted 0 [1].
Some standard examples of groups are hZ; +, −, 0i, hQ; +, −, 0i, hQ \
{0}; ·,−1 , 1i, hR; +, −, 0i, hR \ {0}; ·,−1 , 1i, and hZm ; ⊕, ⊖, 0i.

Definition 5.8. A group hG; ∗i (or monoid) is called commutative or abelian6 if

a ∗ b = b ∗ a for all a, b ∈ G.

We summarize a few facts we encountered already earlier for the special case
of the integers Z. The group is the right level of abstraction for describing these
facts. The proofs are left as exercises.

Lemma 5.3. For a group hG; ∗,b, ei, we have for all a, b, c ∈ G:
c
(i) (b
a) = a.
(ii) ad
∗ b = bb ∗ b
a.
(iii) Left cancellation law: a ∗ b = a ∗ c =⇒ b = c.
(iv) Right cancellation law: b ∗ a = c ∗ a =⇒ b = c.
(v) The equation a ∗ x = b has a unique solution x for any a and b.
So does the equation x ∗ a = b.

5.2.4 (Non-)minimality of the Group Axioms

In mathematics, one generally wants the axioms of a theory to be minimal. One
can show that the group axioms as stated are not minimal. One can simplify
axiom G2 by only requesting that a ∗ e = a; call this new axiom G2’. The equa-
tion e ∗ a = a is then implied (by all axioms). The proof of this fact is left as an
exercise. Similarly, one can simplify G3 by only requesting that a ∗ b a = e; call
this new axiom G3’. The equation b a ∗ a = e is then implied. The proof for this is
as follows:
a∗a
b a ∗ a) ∗ e
= (b (G2’ )
a∗b
a ∗ a) ∗ (b
= (b b
a) (G3’, i.e., def. of right inverse of b
a)
6 Named after the Norwegian mathematician Niels Henrik Abel.
5.2. Monoids and Groups 96

= b a∗b
a ∗ (a ∗ (b b
a)) (G1)
= b a) ∗ b
a ∗ ((a ∗ b b
a) (G1)
a ∗ (e ∗ b
= b b
a) (G3)
b
a ∗ e) ∗ b
= (b a (G1)
a∗b
= b b
a (G2’)
= e (G3’, i.e., def. of right inverse of b
a)

5.2.5 Some Examples of Groups

Example 5.9. The set of invertible (non-singular) n × n matrices over the real
numbers with matrix multiplication form a group, with the identity matrix as
the neutral element. This group is not commutative for n ≥ 2.

Example 5.10. Recall that the sequences with concatenation and the empty se-
quence as the neutral element form a non-commutative monoid. This is not a
group because inverses cannot be defined (except for the empty sequence).

Example 5.11. For a given structure R supporting addition and multiplication

(to be called a ring later), let R[x] denote the set of polynomials with coefficients
in R. hZ[x]; +i, hQ[x]; +i, and hR[x]; +i are abelian groups, where + denotes
polynomial addition. hZ[x]; ·i, hQ[x]; ·i, and hR[x]; ·i are commutative monoids,
where · denotes polynomial multiplication. The neutral element is the polyno-
mial 1. Like hZ; ·i, hR[x]; ·i is not a group, for any R.

Example 5.12. Let Sn be the set of n! permutations of n elements, i.e., the set
of bijections {1, . . . , n} → {1, . . . , n}. A bijection f has an inverse f −1 . Sn is a
subset of the set of functions {1, . . . , n} → {1, . . . , n}. It follows from the asso-
ciativity of function composition that the composition of permutations is also
associative. The group hSn ; ◦,−1 , idi is called the symmetric group on n elements.
Sn is non-abelian for n ≥ 3.

Another important source of (usually non-abelian) groups are symmetries

and rotations of a geometric figure, mapping the figure to itself (but permut-
ing the vertices). The neutral element is the identity mapping and the inverse
element is, for an axial or point symmetry, the element itself. For a rotation,
the inverse element is the inverse rotation. To form a group, the closure under
composition must be considered. For example, the composition of two axial
symmetries corresponds to a rotation by twice the angle between the axes. Such
a group is a subset (a subgroup) of the set of permutations of the vertices.

Example 5.13. Consider a square in the plane, with nodes labeled A, B, C, D.

Now consider operations which map the square to itself, but with the vertices
97 Chapter 5. Algebra

permuted. Consider the four reflections with respect to one of the two mid-
dle parallels or one of the two diagonals. The closure under composition of
these four elements also includes the four rotations by 0◦ (the neutral element),
by 90◦ , 180◦, and by 270◦ . These 8 elements (reflections and rotations) form a
group, which we denote by S✷ . It is called the symmetry group of the square. If
the vertices of the square are labeled A, B, C, D, then these eight geometric op-
erations each corresponds to a permutation of the set {A, B, C, D}. For example,
the rotation by 90◦ corresponds to the permutation (A, B, C, D) → (B, C, D, A).
Note that the set of four rotations also form a group, actually a subgroup of the
above described group and also a subgroup of the group of permutations on
{A, B, C, D}.7

Example 5.14. It is left as an exercise to figure out the symmetry group of the
three-dimensional cube.

5.3 The Structure of Groups

5.3.1 Direct Products of Groups

Definition 5.9. The direct product of n groups hG1 ; ∗1 i , . . . , hGn ; ∗n i is the alge-
bra
hG1 × · · · × Gn ; ⋆i,
where the operation ⋆ is component-wise:

(a1 , . . . , an ) ⋆ (b1 , . . . , bn ) = (a1 ∗1 b1 , . . . , an ∗n bn ).

Lemma 5.4. hG1 × · · ·× Gn ; ⋆i is a group, where the neutral element and the inversion
operation are component-wise in the respective groups.

Proof. Left as an exercise.

Example 5.15. Consider the group hZ5 ; ⊕i × hZ7 ; ⊕i. The carrier of the group is
Z5 × Z7 . The neutral element is (0, 0). If we denote the group operation by ⋆,
[
then we have (2, 6) ⋆ (4, 3) = (1, 2). Also, (2, 6) = (3, 1). It follows from the
Chinese remainder theorem that hZ5 ; ⊕i × hZ7 ; ⊕i is isomorphic to hZ35 ; ⊕i, a
concept introduced in the following subsection.

7 We point out that one can consider the described operations also as bijections of the real plane,
i.e., as functions R2 → R2 .
5.3. The Structure of Groups 98

5.3.2 Group Homomorphisms

Homomorphisms are a central concept in mathematics and also in Computer
Science. A homomorphism is a structure-preserving function from an algebraic
structure into another algebraic structure. Here we only introduce homomor-
phisms of groups.

Definition 5.10. For two groups hG; ∗,b, ei and hH; ⋆,e, e′ i, a function ψ : G → H
is called a group homomorphism if, for all a and b,

ψ(a ∗ b) = ψ(a) ⋆ ψ(b).

If ψ is a bijection from G to H, then it is called an isomorphism, and we say that

G and H are isomorphic and write G ≃ H.

We use the symbol e for the inverse operation in the group H. The proof of
the following lemma is left as an exercise:

Lemma 5.5. A group homomorphism ψ from hG; ∗,b, ei to hH; ⋆,e, e′ i satisfies

(i) ψ(e) = e′ ,
(ii) ψ(b g for all a.
a) = ψ(a)

The concept of an isomorphism is more general than for algebraic systems in

the strict sense, and it applies to more general algebraic structures, for instance
also to relations and hence to graphs.

Example 5.16. The group hZ6 ; ⊕i × hZ10 ; ⊕i is isomorphic to hZ2 ; ⊕i × hZ30 ; ⊕i.
The isomorphism ψ : Z6 × Z10 → Z2 × Z30 is easily checked to be given by
ψ((a, b)) = (a′ , b′ ) where a′ ≡2 a (i.e., a′ = R2 (a)) and b′ is given by b′ ≡3 a and
b′ ≡10 b (where the Chinese remainder theorem can be applied).

Example 5.17. The logarithm function is a group homomorphism from hR>0 , ·i

to hR, +i since log(a · b) = log a + log b.

We give two familiar examples of relevant homomorphisms that are not iso-
morphisms.

Example 5.18. If one considers the three-dimensional space R3 with vector ad-
dition, then any projection on a plane through the origin or a line through the
origin are homomorphic images of R3 . A special case is the projection onto an
axis of the coordinate system, which abstracts away all but one coordinate.

Example 5.19. Consider the set of real-valued n × n matrices. The determinant

is a homomorphism (with respect to multiplication) from the set of matrices to
R. We have det(AB) = det(A) det(B).
99 Chapter 5. Algebra

5.3.3 Subgroups
For a given algebra, for example a group or a ring (see Section 5.5), a subalgebra
is a subset that is by itself an algebra of the same type, i.e., a subalgebra is a sub-
set of an algebra closed under all operations. For groups we have specifically:

Definition 5.11. A subset H ⊆ G of a group hG; ∗,b, ei is called a subgroup of G

if hH; ∗,b, ei is a group, i.e., if H is closed with respect to all operations:
(1) a ∗ b ∈ H for all a, b ∈ H,
(2) e ∈ H, and
(3) b
a ∈ H for all a ∈ H.

Example 5.20. For any group hG; ∗,b, ei, there exist two trivial subgroups: the
subset {e} and G itself.

Example 5.21. Consider the group Z12 (more precisely hZ12 ; ⊕, ⊖, 0i). The
following subsets are all the subgroups: {0}, {0, 6}, {0, 4, 8}, {0, 3, 6, 9},
{0, 2, 4, 6, 8, 10}, and Z12 .

Example 5.22. The set of symmetries and rotations discussed in example 5.13,
denoted S✷ , constitutes a subgroup (with 8 elements) of the set of 24 permuta-
tions on 4 elements.

5.3.4 The Order of Group Elements and of a Group

In the remainder of Section 5.3 we will use a multiplicative notation for groups,
i.e., we denote the group operation as “·” (which can also be omitted) and use
the corresponding multiplicative notation. But it is important to point out that
this is only a notational convention that entails no loss of generality of the kind
of group operation. In many cases (but not always) we denote the neutral ele-
ment of a multiplicatively written group as 1. The inverse of a is denoted a−1
or 1/a, and a/b stands for ab−1 . Furthermore, we use the common notation for
powers of elements: For n ∈ Z, an is defined recursively:

• a0 = e,
• an = a · an−1 for n ≥ 1, and
• an = (a−1 )|n| for n ≤ −1.

It is easy to see that for all m, n ∈ Z

am · an = am+n and (am )n = amn .

5.3. The Structure of Groups 100

Definition 5.12. Let G be a group and let a be an element of G. The order8 of

a, denoted ord(a), is the least m ≥ 1 such that am = e, if such an m exists, and
ord(a) is said to be infinite otherwise, written ord(a) = ∞.

By definition, ord(e) = 1. If ord(a) = 2 for some a, then a−1 = a; such an a is

called self-inverse.

Example 5.23. The order of 6 in hZ20 ; ⊕, ⊖, 0i is 10. This can be seen easily since
60 = 10 · 6 is the least common multiple of 6 and 20. The order of 10 is 2, and we
note that 10 is self-inverse.

Example 5.24. The order of any axial symmetry in the group S✷ (see exam-
ple 5.13) is 2, while the order of the 90◦ -rotation (and also of the 270◦-rotation)
is 4.

Example 5.25. The order of any integer a 6= 0 in hZ; +i is ∞.

Example 5.26. Consider the group S5 of permutations on the set {1, 2, 3, 4, 5}.
What is the order of the permutations described by (1, 2, 3, 4, 5) → (3, 1, 2, 4, 5),
by (1, 2, 3, 4, 5) → (1, 2, 3, 5, 4), and by (1, 2, 3, 4, 5) → (2, 3, 1, 5, 4)?

The following lemma implies that the sequence of powers of an element of a

finite group is periodic. It does not hold in every monoid (why?).

Lemma 5.6. In a finite group G, every element has a finite order.

Proof. Since G is finite, we must have ar = as = b for some r and s with r < s
(and some b). Then as−r = as · a−r = b · b−1 = e.

Definition 5.13. For a finite group G, |G| is called the order of G.9

5.3.5 Cyclic Groups

If G is a group and a ∈ G has finite order, then for any m ∈ Z we have

am = aRord(a) (m) .

Definition 5.14. For a group G and a ∈ G, the group generated by a, denoted hai,
is defined as
def
hai = {an | n ∈ Z}.
8 German: Ordnung
9 Note that the term “order” has two different (but related) meanings.
101 Chapter 5. Algebra

It is easy to see that hai is a group, actually the smallest subgroup of a group
G containing the element a ∈ G. For finite groups we have
def
hai = {e, a, a2 , . . . , aord(a)−1 }.

Definition 5.15. A group G = hgi generated by an element g ∈ G is called cyclic,

and g is called a generator of G.

Being cyclic is a special property of a group. Not all groups are cyclic! A
cyclic group can have many generators. In particular, if g is a generator, then so
is g −1 .
Example 5.27. The group hZn ; ⊕i is cyclic for every n, where 1 is a generator.
The generators of hZn ; ⊕i are all g ∈ Zn for which gcd(g, n) = 1, as the reader
can prove as an exercise.
Example 5.28. The additive group of the integers, hZ; +, −, 0i, is an infinite
cyclic group generated by 1. The only other generator is −1.

Theorem 5.7. A cyclic group of order n is isomorphic to hZn ; ⊕i (and hence abelian).

In fact, we use hZn ; ⊕i as our standard notation of a cyclic group of order n.

Proof. Let G = hgi be a cyclic group of order n (with neutral element e). The
bijection Zn → G : i 7→ g i is a group isomorphism since i ⊕ j 7→ g i+j =
gi ∗ gj .

5.3.6 Application: Diffie-Hellman for General Groups

The Diffie-Hellman protocol was described in Section 4.6 for the group Z∗p (this
notation is defined below), but the concept of a group was not yet introduced
there. As an application of general cyclic groups we mention that the Diffie-
Hellman protocol works just as well in any cyclic group G = hgi for which com-
puting x from g x (i.e., the discrete logarithm problem) is computationally infeasi-
ble. Of course, one needs to apply a suitable mapping from G to a reasonable
key space.
Elliptic curves (not discussed here) are an important class of cyclic groups
used in cryptography.

5.3.7 The Order of Subgroups

The following theorem is one of the fundamental results in group theory. We
state it without proof.
5.3. The Structure of Groups 102

Theorem 5.8 (Lagrange). Let G be a finite group and let H be a subgroup of G. Then
the order of H divides the order of G, i.e., |H| divides |G|.

The following corollaries are direct applications of Lagrange’s theorem.

Corollary 5.9. For a finite group G, the order of every elements divides the group order,
i.e., ord(a) divides |G| for every a ∈ G.

Proof. hai is a subgroup of G of order ord(a), which according to Theorem 5.8

must divide |G|.

Corollary 5.10. Let G be a finite group. Then a|G| = e for every a ∈ G.

Proof. We have |G| = k · ord(a) for some k. Hence

 k
a|G| = ak·ord(a) = aord(a) = ek = e.

Corollary 5.11. Every group of prime order10 is cyclic, and in such a group every
element except the neutral element is a generator.

Proof. Let |G| = p with p prime. For any a, the order of the subgroup hai divides
p. Thus either ord(a) = 1 or ord(a) = p. In the first case, a = e and in the latter
case G = hai.

Groups of prime order play a very important role in cryptography.

5.3.8 The Group Z∗m and Euler’s Function

We noted earlier that the set Zm = {0, . . . , m − 1} is a group with respect to
addition modulo m, denoted ⊕. We also noted that multiplication modulo m,
denoted ⊙ (where the modulus m is usually clear from the context), is of interest
as well. However, Zm is not a group with respect to multiplication modulo m.
For example, in Z12 , 8 has no inverse. We remember (see Section 4.5.3) that
a ∈ Zm has a multiplicative inverse if and only if gcd(a, m) = 1. In order to
obtain a group, we must exclude those a from Zm for which gcd(a, m) 6= 1.
Thus we define

def
Definition 5.16. Z∗m = {a ∈ Zm | gcd(a, m) = 1}.

10 i.e., |G| = p for some prime p.

103 Chapter 5. Algebra

Definition 5.17. The Euler function ϕ : Z+ → Z+ is defined as the cardinality of

Z∗m :
ϕ(m) = |Z∗m |.

Example 5.29. Z∗18 = {1, 5, 7, 11, 13, 17}. Hence ϕ(18) = 6.

If p is a prime, then Z∗p = {1, . . . , p − 1} = Zp \ {0}, and ϕ(p) = p − 1.

Qr
Lemma 5.12. If the prime factorization of m is m = i=1 pei i , then11
r
Y
ϕ(m) = (pi − 1)piei −1 .
i=1

Proof. For a prime p and e ≥ 1 we have

ϕ(pe ) = pe−1 (p − 1)

since exactly every pth integer in Zpe contains a factor p and hence ϕ(pe ) =
pe−1 (p − 1) elements contain no factor p. For a ∈ Zm we have gcd(a, m) = 1 if
and only if gcd(a, pei i ) = 1 for i = 1, . . . , r. Since the numbers pei i are pairwise
relatively prime, the Chinese remainder theorem implies that there is a one-
to-one correspondence between elements of Zm and lists (a1 , . . . , ar ) with ai ∈
Zpei i . Hence, using the above, there is also a one-to-one correspondence between
Qr
elements of Z∗m and lists (a1 , . . . , ar ) with ai ∈ Z∗pei . There are i=1 (pi − 1)piei −1
i
such lists.

Theorem 5.13. hZ∗m ; ⊙,−1 , 1i is a group.

Proof. Z∗m is closed under ⊙ because if gcd(a, m) = 1 and gcd(b, m) = 1, then

gcd(ab, m) = 1. This is true since if ab and m have a common divisor > 1, then
they also have a common prime divisor > 1, which would be a divisor of either
a or b, and hence a common divisor of a and m or of b and m, contradicting that
gcd(a, m) = 1 and gcd(b, m) = 1.
The associativity of ⊙ is inherited from the associativity of multiplication in
Z. Moreover, 1 is a neutral element and inverses exist (see Section 4.5.3). Thus
hZ∗m ; ⊙,−1 , 1i is a group.

Example 5.30. In Z∗18 = {1, 5, 7, 11, 13, 17} we have 5 ⊙ 13 = 11 and 11−1 = 5
since 11 ⊙ 5 = 1 (i.e., R18 (11 · 5) = 1).
Y  
11 Alternatively, 1
ϕ(m) could be defined as ϕ(m) = m · 1− .
p
p|m
p prime
5.4. Application: RSA Public-Key Encryption 104

Example 5.31. In Z∗11 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} we have 4 ⊙ 6 = 2 and 7−1 = 8

since 7 ⊙ 8 = 1.

Now we obtain the following simple but powerful corollary to Theorem 5.8.

Corollary 5.14 (Fermat, Euler). For all m ≥ 2 and all a with gcd(a, m) = 1,

aϕ(m) ≡m 1.

In particular, for every prime p and every a not divisible by p,

ap−1 ≡p 1.

Proof. This follows from Corollary 5.10 for the group Z∗m of order ϕ(m).

The special case for primes was known already to Fermat.12 The general
case was proved by Euler, actually before the concept of a group was explicitly
introduced in mathematics.
We state the following theorem about the structure of Z∗m without proof. Of
particular importance and interest is the fact that Z∗p is cyclic for every prime p.

Theorem 5.15. The group Z∗m is cyclic if and only if m = 2, m = 4, m = pe , or

m = 2pe , where p is an odd prime and e ≥ 1.
Example 5.32. The group Z∗19 is cyclic, and 2 is a generator. The powers of 2
are 2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, 1. The other generators are
3, 10, 13, 14, and 15.

5.4 Application: RSA Public-Key Encryption

The RSA public-key cryptosystem, invented in 1977 by Rivest, Shamir, and
Adleman13 , is used in many security protocols on the Internet, for instance in
TLS/SSL. Like the Diffie-Hellman protocol it allows two parties to communi-
cate securely, even if the communication channel is insecure, provided only that
12 This result can be used as a primality test. Actually, the term “compositeness test” is more ap-

propriate. To test whether a number n is prime one chooses a base a and checks whether an−1 ≡n 1.
If the condition is violated, then n is clearly composite, otherwise n could be a prime. Unfortunately,
it is not guaranteed to be a prime. In fact, there are composite integers n for which an−1 ≡n 1 for
all a with gcd(a, n) = 1. (Can you find such an n?) For more sophisticated versions of such a
probabilistic test one can prove that for every composite n, the fraction of test values for which the
corresponding condition is satisfied is at most 1/4. Thus, by repeating the test sufficiently many
times, the confidence that n is prime can be increased beyond any doubt. This is useful in practice,
but it does not provide a proof that n is prime.
13 R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-

key cryptosystems, Communications of the ACM, Vol. 21, No. 2, pp. 120–126, 1978.
105 Chapter 5. Algebra

they can authenticate each other’s public keys (respectively the Diffie-Hellman
values). Moreover, the RSA system can be used as a digital signature scheme
(see below). RSA was the first cryptographic system offering this important
functionality.

5.4.1 e-th Roots in a Group

To understand the RSA system, all we need is the following simple theorem
which is a consequence of Lagrange’s theorem (Theorem 5.8).

Theorem 5.16. Let G be some finite group (multiplicatively written), and let e ∈ Z be
relatively prime to |G| (i.e. gcd(e, |G|) = 1). The function x 7→ xe is a bijection and
the (unique) e-th root of y ∈ G, namely x ∈ G satisfying xe = y, is

x = yd ,

where d is the multiplicative inverse of e modulo |G|, i.e.,

ed ≡|G| 1.

Proof. We have ed = k · |G| + 1 for some k. Thus, for any x ∈ G we have

k
(xe )d = xed = xk·|G|+1 = (x|G| ) · x = x,
| {z }
=1

which means that the function y 7→ y d is the inverse function of the function
x 7→ xe (which is hence a bijection). The under-braced term is equal to 1 because
of Corollary 5.10.

When |G| is known, then d can be computed from ed ≡|G| 1 by using the
extended Euclidean algorithm No general method is known for computing e-th
roots in a group G without knowing its order. This can be exploited to define a
public-key cryptosystem.

5.4.2 Description of RSA

Motivated by the Diffie-Hellman protocol also based on modular exponentia-
tion, Rivest, Shamir and Adleman suggested as a possible class of groups the
groups Z∗n , where n = pq is the product of two sufficiently large secret primes,
p and q. The order of Z∗n ,

|Z∗n | = ϕ(n) = (p − 1)(q − 1),

5.4. Application: RSA Public-Key Encryption 106

Alice insecure channel Bob

Generate
primes p and q
n=p·q
f = (p−1)(q−1)
select e
n, e plaintext
d ≡f e−1 ✲ m ∈ {1, . . . , n − 1}

c ciphertext
m = Rn (cd ) ✛ c = Rn (me )

Figure 5.1: The naı̈ve RSA public-key cryptosystem. Alice’s public key is the
pair (n, e) and her secret key is d. The public key must be sent to
Bob via an authenticated channel. Bob can encrypt a message, rep-
resented as a number in Zn , by raising it to the eth power modulo n.
Alice decrypts a ciphertext by raising it to the dth power modulo n.

can be computed only if the prime factors p and q of n are known.14 The (public)
encryption transformation is defined by

m 7→ c = Rn (me ),

and the (secret) decryption transformation is defined by

c 7→ m = Rn (cd ),

where d can be computed according to

ed ≡(p−1)(q−1) 1.

The naı̈ve15 RSA public-key cryptosystem16 is summarized in Figure 5.1.

The RSA system is usually (for instance in the TLS/SSL protocol) used only
for key management, not for encrypting actual application data. The message
14 One can show that one can efficiently compute p and q when given (p − 1)(q − 1). (How?)
15 The described version of using RSA is not secure, for several reasons. One reason is that it is
deterministic and therefore an attacker can check potential messages by encrypting them himself
and comparing the result with the ciphertext.
16 The RSA encryption was defined above as a permutation on Z∗ . But one can show that encryp-
n
tion and decryption work for all m ∈ Zn . Thus the condition gcd(m, n) = 1 need not be checked.
107 Chapter 5. Algebra

m is an encryption key (typically a short-term session key) for a conventional

cryptosystem which is used to encrypt the actual application data (e.g. of a TLS
session).

5.4.3 On the Security of RSA *

Let us have a brief look at the security of the RSA public-key system.17 It is not known
whether computing e-th roots modulo n (when gcd(e, ϕ(n)) = 1) is easier than factoring
n, but it is widely believed that the two problems are computationally equivalent.18 Fac-
toring large integers is believed to be computationally infeasible. If no significant break-
through in factoring is achieved and if processor speeds keep improving at the same rate
as they are now (using the so-called Moore’s law), a modulus with 2048 bits appears to
be secure for the next 15 years, and larger moduli (e.g. 8192 bits) are secure for a very
long time.
Obviously, the system is insecure unless Bob can make sure he obtains the correct
public key from Alice rather than a public key generated by an adversary and posted in
the name of Alice. In other words, the public key must be sent from Alice to Bob via an
authenticated channel. This is usually achieved (indirectly) using a so-called public-key
certificate signed by a trusted certification authority. One also uses the term public-key
infrastructure (PKI). Explaining these concepts is beyond the scope of this course.
It is important to point out that for a public-key system to be secure, the message
must be randomized in an appropriate manner. Otherwise, when given an encrypted
message, an adversary can check plaintext messages by encrypting them and comparing
them with the given encrypted message. If the message space is small (e.g. a bit), then
this would allow to efficiently break the system.

5.4.4 Digital Signatures *

The RSA system can also be used for generating digital signatures. A digital
signature can only be generated by the entity knowing the secret key, but it can
be verified by anyone, e.g. by a judge, knowing the public key. Alice’s signature
s for a message m is
s = Rn (z d ) for z = m||h(m),
where || denotes concatenation and h is a suitable function introducing redun-
dancy into the message and the string z is naturally understood as an element
of Zn .19 A signature can be verified by raising it to the e-th power modulo n and
checking that it is of the correct form m||h(m). The message is recovered from
the signature.
17 But note that a cryptographic security analysis is much more involved.
18 In fact, for a generic model of computation, this equivalence was proved in: D. Aggarwal and U.
Maurer, Breaking RSA generically is equivalent to factoring, IEEE Transactions on Information Theory,
vol. 62, pp. 6251–6259, 2016.
19 This can be a so-called cryptographic hash function. Without such additional redundancy, every

s ∈ Z∗n would be a legitimate signature, and hence forging a signature would be trivial.
5.5. Rings and Fields 108

5.5 Rings and Fields

We now consider algebraic systems with two binary operations, usually called
addition and multiplication.

5.5.1 Definition of a Ring

Definition 5.18. A ring hR; +, −, 0, ·, 1i is an algebra for which

(i) hR; +, −, 0i is a commutative group.
(ii) hR; ·, 1i is a monoid.
(iii) a(b + c) = (ab) + (ac) and (b + c)a = (ba) + (ca) for all a, b, c ∈ R
(left and right distributive laws).
A ring is called commutative if multiplication is commutative (ab = ba).20

Example 5.33. Z, Q, R, and C are (commutative) rings.

Example 5.34. hZm ; ⊕, ⊖, 0, ⊙, 1i is a commutative ring. Since hZm ; ⊕, ⊖, 0i is

an abelian group and hZm ; ⊙, 1i is a monoid, it only remains to check the dis-
tributive law, which is inherited from the distributive law for the integers.

We list some simple facts about rings.

Lemma 5.17. For any ring hR; +, −, 0, ·, 1i, and for all a, b ∈ R,
(i) 0a = a0 = 0.
(ii) (−a)b = −(ab).
(iii) (−a)(−b) = ab.
(iv) If R is non-trivial (i.e., if it has more than one element), then 1 6= 0.

Proof. Proof of (i): We have

0 = −(a0) + a0 (0 = −b + b for all b ∈ R, e.g. for b = a0)

= −(a0) + a(0 + 0) (0 + 0 = 0)
= −(a0) + (a0 + a0) (distributive law)
= (−(a0) + a0) + a0 (associativity of +)
= 0 + a0 (−b + b = 0 for all b ∈ R )
= a0 (0 + b = b for all b ∈ R)
20 One can show (as an exercise) that ring addition must be commutative, i.e., commutativity of

addition follows from the remaining ring axioms. The stated ring axioms are hence not minimal.
The word “commutative” in (i) could be dropped.
109 Chapter 5. Algebra

The dual equation 0a = 0 is proved similarly.21

The proofs of (ii), (iii), and (iv) are left as exercises.

This lemma makes explicit that in a non-trivial ring, 0 has no multiplicative

inverse since, according to (i) and (iv), 0a = 1 is not possible. Thus requesting
hR; ·, 1i to be a group rather than a monoid would make no sense.

Definition 5.19. The characteristic of a ring is the order of 1 in the additive group
if it is finite, and otherwise the characteristic is defined to be 0 (not infinite).

Example 5.35. The characteristic of hZm ; ⊕, ⊖, 0, ⊙, 1i is m. The characteristic of

Z is 0.

5.5.2 Units and the Multiplicative Group of a Ring

Definition 5.20. An element u of a ring R is called a unit22 if u is invertible, i.e.,

uv = vu = 1 for some v ∈ R. (We write v = u−1 .23 ) The set of units of R is
denoted by R∗ .

Example 5.36. The units of Z are −1 and 1: Z∗ = {−1, 1}.

Example 5.37. The units of R are all non-zero elements of R: R∗ = R \ {0}.

Example 5.38. The ring of Gaussian integers (see Example 4.5) contains four
units: 1, i, −1, and −i. For example, the inverse of i is −i.

Example 5.39. The set of units of Zm is Z∗m (Definition 5.16).24

Lemma 5.18. For a ring R, R∗ is a multiplicative group (the group of units of R).

Proof. We need to show that R∗ is closed under multiplication, i.e., that for
u ∈ R∗ and v ∈ R∗ , we also have uv ∈ R∗ , which means that uv has an in-
verse. The inverse of uv is v −1 u−1 since (uv)(v −1 u−1 ) = uvv −1 u−1 = uu−1 = 1.
R∗ also contains the neutral element 1 (since 1 has an inverse). Moreover, the
associativity of multiplication in R∗ is inherited from the associativity of multi-
plication in R (since elements of R∗ are also elements of R and the multiplication
operation is the same).
21 This also follows from commutativity of multiplication, but the proof shows that the statement

holds even for non-commutative rings.

22 German: Einheit
23 The inverse, if it exists, is unique.
24 In fact, we now see the justification for the notation Z∗ already introduced in Definition 5.16.
m
5.5. Rings and Fields 110

5.5.3 Divisors
In the following R denotes a commutative ring.

Definition 5.21. 25 For a, b ∈ R we say that a divides b, denoted a | b, if there

exists c ∈ R such that b = ac. In this case, a is called a divisor26 of b and b is
called a multiple27 of a.

Note that every non-zero element is a divisor of 0. Moreover, 1 and −1 are

divisors of every element.
Lemma 5.19. In any commutative ring,

(i) If a | b and b | c, then a | c, i.e., the relation | is transitive.

(ii) If a | b, then a | bc for all c.
(iii) If a | b and a | c, then a | (b + c).

Proof. Proof of (i). a | b =⇒ ∃d (b = ad). Also, b | c =⇒ ∃e (c = be). Thus

c = be = (ad)e = a(de), i.e., a | c.
The proofs of (ii) and (iii) are left as an exercise.

As mentioned in Section 4.2.3, the concept of a greatest common divisor not

only applies to integers, but to any commutative ring:

Definition 5.22. For ring elements a and b (not both 0), a ring element d is called
a greatest common divisor of a and b if d divides both a and b and if every common
divisor of a and b divides d, i.e., if


d | a ∧ d | b ∧ ∀c (c | a ∧ c | b) → c | d .

5.5.4 Zerodivisors and Integral Domains

Definition 5.23. An element a 6= 0 of a commutative ring R is called a zerodivi-
sor28 if ab = 0 for some b 6= 0 in R.

Definition 5.24. An integral domain29 is a (nontrivial30

) commutative ring with-
out zerodivisors: ∀a ∀b ab = 0 → a = 0 ∨ b = 0 .

25 Recall that this definition was already stated as Definition 4.1 for the special case of integers.
26 German: Teiler
27 German: Vielfaches
28 German: Nullteiler
29 German: Integritätsbereich
30 i.e., 1 6= 0
111 Chapter 5. Algebra

Example 5.40. Z, Q, R, and C are integral domains.

Example 5.41. Zm is not an integral domain if m is not a prime. Any element of

Zm not relatively prime to m is a zerodivisor.

Lemma 5.20. In an integral domain, if a | b, then c with b = ac is unique (and is

denoted by c = ab or c = b/a and called quotient).31

Proof. Suppose that b = ac = ac′ for some c and c′ . Then

0 = ac + (−(ac′ )) = a(c + (−c′ ))

and thus, because a 6= 0 and there are no zero-divisors, we must have c+(−c′ ) =
0 and hence c = c′ .

5.5.5 Polynomial Rings

Definition 5.25. A polynomial a(x) over a commutative ring R in the indetermi-

nate x is a formal expression of the form
d
X
a(x) = ad xd + ad−1 xd−1 + · · · + a1 x + a0 = ai xi .
i=0

for some non-negative integer d, with ai ∈ R. The degree of a(x), denoted

deg(a(x)), is the greatest i for which ai 6= 0. The special polynomial 0 (i.e.,
all the ai are 0) is defined to have degree “minus infinity”.32 Let R[x] denote the
set of polynomials (in x) over R.

Actually, it is mathematically better (but less common) to think of a poly-

nomial simply as a finite list (a0 , a1 , . . . , ad−1 , ad ) of elements of R. There is no
need to think of a variable x which suggests that it can be understood as a func-
tion R → R. A polynomial can, but need not, be considered as such a function
(see Section 5.7).
Addition and multiplication in R[x] are defined as usual. Consider polyno-
Pd Pd′
mials a(x) = i=0 ai xi of degree d and b(x) = i=0 bi xi of degree d′ . The sum
of a(x) and b(x) is a polynomial of degree at most max(d, d′ ) and is defined as

max(d,d′ )
X
a(x) + b(x) = (ai + bi ) xi ,
i=0

31 Note that the terms ab (or b/a) are defined only if a | b.

32 The interpretation of “minus infinity” is that it is a quantity which remains unchanged when an
arbitrary integer is added to it.
5.5. Rings and Fields 112

where here and in the following coefficients with index greater than the degree
are understood to be 0. The product of a(x) and b(x) is defined as33
d+d ′
i
! d+d ′ !
X X X X
i
a(x)b(x) = ak bi−k x = au bv xi
i=0 k=0 i=0 u+v=i
d+d′
= + · · · + (a0 b2 + a1 b1 + a2 b0 )x2 + (a0 b1 + a1 b0 )x + a0 b0 .
ad b d ′ x
Pi P
The i-th coefficient of a(x)b(x) is k=0 ak bi−k = u+v=i au bv , where the sum
is over all pairs (u, v) for which u + v = i as well as u ≥ 0 and v ≥ 0.
The degree of the product of polynomials over a ring R is, by definition, at
most the sum of the degrees. It is equal to the sum if R is an integral domain,
which implies that the highest coefficient is non-zero: ad bd′ 6= 0 if ad 6= 0 and
bd′ 6= 0.
Example 5.42. Consider the ring Z7 and let a(x) = 2x2 +3x+1 and b(x) = 5x+6.
Then
a(x) + b(x) = 2x2 + (3 + 5)x + (1 + 6) = 2x2 + x
and
a(x)b(x) = (2 · 5)x3 + (3 · 5 + 2 · 6)x2 + (1 · 5 + 3 · 6)x + 1 · 6 = 3x3 + 6x2 + 2x + 6.

Theorem 5.21. For any commutative ring R, R[x] is a commutative ring.

Proof. We need to prove that the conditions of Definition 5.18 (i.e., the ring ax-
ioms) are satisfied for R[x], assuming they are satisfied for R. We first observe
that since multiplication in R is commutative, so is multiplication in R[x].
Condition (i) requires that R[x] is an abelian group with respect to (poly-
nomial) addition. This is obvious from the definition of addition. Associativ-
ity and commutativity of (polynomial) addition are inherited from associativ-
ity and commutativity of addition in R (because R is a ring). The neutral el-
ement is the polynomial 0, and the inverse in the group (i.e., the negative) of
P P
a(x) = di=0 ai xi is −a(x) = di=0 (−ai )xi .
Condition (ii) requires that R[x] is a monoid with respect to (polynomial)
multiplication. The polynomial 1 is the neutral element, which is easy to see.
That multiplication is associative can be seen as follows. Let a(x) and b(x) as
P ′′
above, and c(x) = di=0 ci xi . Using the above definition of a(x)b(x), we have
′
   
d+d
X +d′′ Xi X


a(x)b(x) c(x) =   au bv  ci−j  xi
i=0 j=0 u+v=j

33 Note
P ′
that, for example, the highest coefficient d+d
k=0 ak bi−k is in the formula defined as a sum
of d + d′ + 1 terms, but all but one of them (namely for k = d) are zero.
113 Chapter 5. Algebra

d+d ′
+d′′
!
X X
= (au bv )cw xi .
i=0 u+v+w=i


If one computes a(x) b(x)c(x) , one arrives at the same expression, by mak-
ing use of associativity of multiplication in R, i.e., the fact that (au bv )cw =
au (bv cw ) = au bv cw .
Condition (iii), the distributive law, can also be shown to follow from the
distributive law holding for R.

Lemma 5.22.
(i) If D is an integral domain, then so is D[x].
(ii) The units of D[x] are the constant polynomials that are units of D: D[x]∗ = D∗ .

Proof. Left as an exercise.

Example 5.43. Lemma 5.22 implies that for an integral domain D, the set D[x][y]
of polynomials in y with coefficients in D[x], is also an integral domain. One can
also view the elements of D[x][y] as polynomials in two indeterminates, denoted
D[x, y].

5.5.6 Fields

Definition 5.26. A field34 is a nontrivial commutative ring F in which every

nonzero element is a unit, i.e., F ∗ = F \ {0}.

In other words, a ring F is a field if and only if hF \ {0}; ·,−1 , 1i is an abelian

group.

Example 5.44. Q, R, and C are fields, but Z and R[x] (for any ring R) are not
fields.

Theorem 5.23. Zp is a field if and only if p is prime.

Proof. This follows from our earlier analysis of Z∗p , namely that Zp \ {0} is a
multiplicative group if and only if p is prime.

In the following we denote the field with p elements by GF(p) rather than
Zp . As explained later, “GF” stands for Galois field. Galois discovered finite
fields around 1830.
34 German: Körper
5.5. Rings and Fields 114

Fields are of crucial importance because in a field one can not only add,
subtract, and multiply, but one can also divide by any nonzero element. This
is the abstraction underlying many algorithms like those for solving systems of
linear equations (e.g. by Gaussian elimination) or for polynomial interpolation.
Also, a vector space, a crucial concept in mathematics, is defined over a field,
the so-called base field. Vector spaces over R are just a special case.
Example 5.45. Solve the following system of linear equations over Z11 :

5x ⊕ 2y = 4
2x ⊕ 7y = 9

Solution: Eliminate x by adding 2 times the first and ⊖5 = 6 times the second
equation, resulting in

(2 ⊙ 5 ⊕ 6 ⊙ 2) x + (2 ⊙ 2 ⊕ 6 ⊙ 7) y = 2 ⊙ 4 ⊕ 6 ⊙ 9,
| {z } | {z } | {z }
=0 =2 =7

which is equivalent to 2y = 7. Thus y = 2−1 ⊙ 7 = 6 ⊙ 7 = 9. This yields

x = 2−1 ⊙ (9 ⊖ 7 ⊙ y) = 6 ⊙ (9 ⊕ 4 ⊙ 9) = 6 ⊙ 1 = 6.

Later we will describe a few applications of finite fields. Here we give an-
other example of a finite field.
Example 5.46. We describe a field with 4 elements, F = {0, 1, A, B}, by giving
the function tables of addition and multiplication:

+ 0 1 A B · 0 1 A B
0 0 1 A B 0 0 0 0 0
1 1 0 B A 1 0 1 A B
A A B 0 1 A 0 A B 1
B B A 1 0 B 0 B 1 A

This field is not isomorphic to the ring Z4 , which is not a field. We explain the
construction of this 4-element field in Section 5.8.2.
Theorem 5.24. A field is an integral domain.

Proof. In a field, every non-zero element is a unit, and in an integral domain,

every non-zero element must not be a zero-divisor. It hence suffices to show
that in any commutative ring, a unit u ∈ R is not a zerodivisor. To arrive at a
contradiction, assume that uv = 0 for some v. Then we must have v = 0 since

v = 1v = u−1 uv = u−1 0 = 0,

and hence u is not a zerodivisor.

115 Chapter 5. Algebra

5.6 Polynomials over a Field

Recall Definition 5.25 of a polynomial over a ring R. As mentioned several
times, the set R[x] of polynomials over R is a ring with respect to the standard
polynomial addition and multiplication. The neutral elements of addition and
multiplication are the polynomials 0 and 1, respectively.
Polynomials over a field F are of special interest, for reasons to become clear.
Namely, they have properties in common with the integers, Z.

5.6.1 Factorization and Irreducible Polynomials

For a, b ∈ Z, if b divides a, then also −b divides a. The analogy for polynomials
is as follows. If b(x) divides a(x), then so does v · b(x)
for any nonzero v ∈ F be-
cause if a(x) = b(x) · c(x), then a(x) = vb(x) · v −1 c(x) . Among the polynomials
vb(x) (for v ∈ F ), which are in a certain sense associated to each other, there is
a distinguished one, namely that with leading coefficient 1. This is analogous
to b and −b being associated in Z (see Section 5.6.3) and the positive one being
distinguished.

Definition 5.27. A polynomial a(x) ∈ F [x] is called monic35 if the leading coef-
ficient is 1.

Example 5.47. In GF(5)[x], x + 2 divides x2 + 1 since x2 + 1 = (x + 2)(x + 3).

Also, 2x + 4 divides x2 + 1 since x2 + 1 = (2x + 4)(3x + 4). More generally,
v · (x + 2) divides x2 + 1 for any v ∈ GF(5) because x2 + 1 = v(x + 2) · v −1 (x + 3).

One can factor polynomials, similarly to the factorization of integers.

Example 5.48. In GF(7)[x] we have

x3 + 2x2 + 5x + 2 = (x + 5)(x2 + 4x + 6).

In GF(2)[x] we have

x6 + x5 + x4 + x3 + 1 = (x2 + x + 1)(x4 + x + 1).

Definition 5.28. A polynomial a(x) ∈ F [x] with degree at least 1 is called irre-
ducible if it is divisible only by constant polynomials and by constant multiples
of a(x).

The notion of irreducibility in F [x] corresponds to the notion of primality in

Z, in a sense to be made more precise in Section 5.6.3.
35 German: monisch, normiert
5.6. Polynomials over a Field 116

It follows immediately from the definition (and from the fact that the degrees
are added when polynomials are multiplied) that every polynomial of degree 1
is irreducible. Moreover, a polynomial of degree 2 is either irreducible or the
product of two polynomials of degree 1. A polynomial of degree 3 is either
irreducible or it has at least one factor of degree 1. Similarly, a polynomial of
degree 4 is either irreducible, has a factor of degree 1, or has an irreducible
factor of degree 2.
Irreducibility of a polynomial of degree d can be checked by testing all irre-
ducible polynomials of degree ≤ d/2 as possible divisors. Actually, it suffices to
test only the monic polynomials because one could always multiply a divisor by
a constant, for example the inverse of the highest coefficient. This irreducibil-
ity test is very similar to the primality test which checks all divisors up to the
square root of the number to be tested.

Example 5.49. In GF(5)[x], x2 + 2 is irreducible since (as one can check) x + α

does not divide x2 + 2, for all α ∈ GF(5).

Example 5.50. In GF(7)[x], x2 + 4x + 6 is irreducible since x + α does not divide

x2 + 4x + 6, for all α ∈ GF(7).

Example 5.51. In GF(2)[x], x2 + x + 1 is irreducible because neither x nor x + 1

divides x2 + x + 1. It is easy to see that this is the only irreducible polynomial
of degree 2 over GF(2). There are two irreducible polynomials of degree 3 over
GF(2), namely x3 + x + 1 and x3 + x2 + 1. Moreover, there are three irreducible
polynomials of degree 4 over GF(2), which the reader can find as an exercise.

Not only the concepts of divisors and division with remainders (see below)
carries over from Z to F [x], also the concept of the greatest common divisor can
be carried over. Recall that F [x] is a ring and hence the notion of a greatest
common divisor is defined. For the special type of ring F [x], as for Z, one can
single out one of them.

Definition 5.29. The monic polynomial g(x) of largest degree such that g(x) |
a(x) and g(x) | b(x) is called the greatest common divisor of a(x) and b(x), de-
noted gcd(a(x), b(x)).

Example 5.52. Consider GF(7)[x]. Let a(x) = x3 + 4x2 + 5x + 2 and b(x) =

x3 + 6x2 + 4x + 6. One can easily check that a(x) = (x + 1)(x2 + 3x + 2) and
b(x) = (x + 3)(x2 + 3x + 2). Thus gcd(a(x), b(x)) = x2 + 3x + 2.

Example 5.53. Consider GF(2)[x]. Let a(x) = x3 +x2 +x+1 and b(x) = x2 +x+1.
Then gcd(a(x), b(x)) = 1.
117 Chapter 5. Algebra

5.6.2 The Division Property in F [x]

Let F be a field. The ring F [x] has strong similarities with the integers Z (see
Section 5.6.3). Both these integral domains have the special property that one
can divide one element a by another element b 6= 0, resulting in a quotient q
and a remainder r which are unique when r is required to be “smaller” than
the divisor. In case of the integers, the “size” of b ∈ Z is given by the absolute
value |b|, and the “size” of a polynomial b(x) ∈ F [x] can be defined as its degree
deg(b(x)).

Theorem 5.25. Let F be a field. For any a(x) and b(x) 6= 0 in F [x] there exist a
unique q(x) (the quotient) and a unique r(x) (the remainder) such that

a(x) = b(x) · q(x) + r(x) and deg(r(x)) < deg(b(x)).

Proof sketch. We first prove the existence of q(x) and r(x) and then the unique-
ness. If deg(b(x)) > deg(a(x)), then q(x) = 0 and r(x) = a(x). We thus assume
that deg(b(x)) ≤ deg(a(x)). Let a(x) = am xm + · · · and b(x) = bn xn + · · · with
n ≤ m, where “· · ·” stands for lower order terms. The first step of polynomial
division consists of subtracting am bn−1 b(x)xm−n from a(x), resulting in a poly-
nomial of degree at most m − 1.36 Continuing polynomial division finally yields
q(x) and r(x), where deg(r(x)) < deg(b(x)) since otherwise one could still sub-
tract a multiple of b(x).
To prove the uniqueness, suppose that

a(x) = b(x)q(x) + r(x) = b(x)q ′ (x) + r′ (x),

where deg(r(x)) < deg(b(x)) and deg(r′ (x)) < deg(b(x)). Then

b(x)[q(x) − q ′ (x)] = r′ (x) − r(x).

Since deg(r′ (x) − r(x)) < deg(b(x)), this is possible only if q(x) − q ′ (x) = 0, i.e.,
q(x) = q ′ (x), which also implies r′ (x) = r(x).37

In analogy to the notation Rm (a), we will denote the remainder r(x) of the
above theorem by Rb(x) (a(x)).
Example 5.54. Let F be the field GF(7) and let a(x) = x3 + 2x2 + 5x + 4 and
b(x) = 2x2 + x + 1. Then q(x) = 4x + 6 and r(x) = 2x + 5 since

(x3 + 2x2 + 5x + 4) = (2x2 + x + 1) · (4x + 6) + (2x + 5),

36 Note that here it is important that F is a field since otherwise the existence of b−1 is not guar-
n
anteed.
37 Note that here we have made use of the fact that deg(u(x)v(x)) = deg(u(x)) + deg(v(x)). We

point out that this only holds in an integral domain. (Why?) Recall that a field is an integral domain
(Theorem 5.24).
5.6. Polynomials over a Field 118

Example 5.55. In GF(2)[x] we have

(x4 + x3 + x2 + 1) : (x2 + 1) = x2 + x with remainder x + 1.

Note that in GF(2), −1 = 1. For example, −x = x and −x2 = x2

5.6.3 Analogies Between Z and F [x], Euclidean Domains *

In this section we describe the abstraction underlying both Z and F [x].

Definition 5.30. In an integral domain, a and b are called associates, denoted a ∼ b, if

a = ub for some unit u.

Definition 5.31. In an integral domain, a non-unit p ∈ D \ {0} is irreducible if, whenever

p = ab, then either a or b is a unit.38

The units in Z are 1 and −1 and the units in F [x] are the non-zero constant polyno-
mials (of degree 0). In Z, a and −a are associates.

Example 5.56. In Z, 6 and −6 are associates. In GF(5)[x], x2 + 2x + 3, 2x2 + 4x + 1,

3x2 + x + 4, and 4x2 + 3x + 2 are associates.

For a ∈ D one can define one associate to be distinguished. For Z the distinguished
associate of a is |a|, and for a(x) ∈ F [x] the distinguished associate of a(x) is the monic
polynomial associated with a(x). If we consider only the distinguished associates of
irreducible elements, then for Z we arrive at the usual notion of prime numbers.39
We point out that the association relation is closely related to divisibility. The proof
of the following lemma is left as an exercise.

Lemma 5.26. a ∼ b ⇐⇒ a | b ∧ b | a.

There is one more crucial property shared by both integral domains Z and F [x] (for
any field F ), described in the following abstract definition.

Definition 5.32. A Euclidean domain is an integral domain D together with a so-called

degree function d : D \ {0} → N such that
(i) For every a and b 6= 0 in D there exist q and r such that a = bq + r and d(r) < d(b)
or r = 0.
(ii) For all nonzero a and b in D, d(a) ≤ d(ab).
√
Example 5.57. The Gaussian√ integers Z[ −1] discussed earlier are a Euclidean domain
where the degree of a + bi is a + b , i.e., the absolute value (of complex numbers).
2 2

One can prove that in a Euclidean domain, the greatest (according to the degree func-
tion) common divisor is well-defined, up to taking associates, i.e., up to multiplication
38 In
other words, p is divisible only by units and associates of p.
39 There is a notion of a prime element of a ring,
which is different from the notion of an irreducible
element, but for the integers Z the two concepts coincide.
119 Chapter 5. Algebra

by a unit. The condition d(r) < d(b) guarantees that the gcd can be computed in the
well-known manner by continuous division. This procedure terminates because d(r)
decreases monotonically in each division step.
The following theorem can be proved in a manner analogous to the proof of the
unique factorization theorem for Z. One step is to show that a Euclidean domain is a
principle ideal domain.

Theorem 5.27. In a Euclidean domain every element can be factored uniquely (up to taking
associates) into irreducible elements.

5.7 Polynomials as Functions

5.7.1 Polynomial Evaluation
For a ring R, a polynomial a(x) ∈ R[x] can be interpreted as a function R → R
by defining evaluation of a(x) at α ∈ R in the usual manner. This defines a
function R → R : α 7→ a(α).

Example 5.58. Consider the field GF (5) and the polynomial a(x) = 2x3 +3x+1.
Then a(0) = 1, a(1) = 1, a(2) = 3, a(3) = 4, and a(4) = 1.

The following lemma is easy to prove:

Lemma 5.28. Polynomial evaluation is compatible with the ring operations:

• If c(x) = a(x) + b(x), then c(α) = a(α) + b(α) for any α.

• If c(x) = a(x) · b(x), then c(α) = a(α) · b(α) for any α.

5.7.2 Roots

Definition 5.33. Let a(x) ∈ R[x]. An element α ∈ R for which a(α) = 0 is called
a root40 of a(x).

Example 5.59. The polynomial x3 − 7x + 6 in R[x] has 3 roots: −3, 1, and 2. The
polynomial x2 + 1 in R[x] has no root. The polynomial (x3 + 2x2 + 5x + 2) in
GF(7)[x] has 2 as its only root. The polynomial (x4 + x3 + x + 1) in GF(2)[x] has
the root 1.

Lemma 5.29. For a field F , α ∈ F is a root of a(x) if and only if x − α divides a(x).

40 German: Nullstelle oder Wurzel

5.7. Polynomials as Functions 120

Proof. (=⇒) Assume that α is a root, i.e., a(α) = 0. Then, according to Theo-
rem 5.25, we can write a(x) as

a(x) = (x − α)q(x) + r(x),

where deg(r(x)) < deg(x − α) = 1, i.e., r(x) is a constant r, where

r = a(x) − (x − α)q(x).

Setting x = α in the above equation gives

r = a(α) − (α − α)q(α) = 0 − 0 · q(α) = 0.

Hence x − α divides a(x).

(⇐=) To prove the other direction, assume that x − α divides a(x), i.e., a(x) =
(x − α)q(x) for some q(x). Then a(α) = (α − α)q(α) = 0, i.e., α is a root of
a(x).

Lemma 5.29 implies that an irreducible polynomial of degree ≥ 2 has no

roots.
Corollary 5.30. A polynomial a(x) of degree 2 or 3 over a field F is irreducible if and
only if it has no root.41

Proof. A reducible polynomial of degree 2 or 3 has a factor of degree 1 and hence

a root. An irreducible polynomial has no root because according to Lemma 5.29,
such a root would correspond to a (linear) factor.

Theorem 5.31. For a field F , a nonzero42 polynomial a(x) ∈ F [x] of degree d has at
most d roots.

Proof. To arrive at a contradiction, suppose Qthat a(x) has degree d but e > d
e
roots, say α1 , . . . , αe . Then the polynomial i=1 (x − αi ) divides a(x). Since this
is a polynomial of degree e, a(x) has degree at least e, and hence more than d,
which is a contradiction.

5.7.3 Polynomial Interpolation

It is well-known that a polynomial of degree d over R can be interpolated from
any d + 1 values. Since the proof requires only the properties of a field (rather
than the special properties of R), this interpolation property holds for polyno-
mials over any field F . This fact is of crucial importance in many applications.
41 Note that this statement is not true for polynomials of degree ≥ 4.
42 Note that every α ∈ F is a root of the polynomial 0.
121 Chapter 5. Algebra

Lemma 5.32. A polynomial a(x) ∈ F [x] of degree at most d is uniquely determined by

any d+1 values of a(x), i.e., by a(α1 ), . . . , a(αd+1 ) for any distinct α1 , . . . , αd+1 ∈ F .

Proof. Let βi = a(αi ) for i = 1, . . . , d + 1. Then a(x) is given by Lagrange’s

interpolation formula: d+1
X
a(x) = βi ui (x),
i=1

where the polynomial ui (x) is given by

(x − α1 ) · · · (x − αi−1 )(x − αi+1 ) · · · (x − αd+1 )

ui (x) = .
(αi − α1 ) · · · (αi − αi−1 )(αi − αi+1 ) · · · (αi − αd+1 )

Note that for ui (x) to be well-defined, all constant terms αi − αj in the denomi-
nator must be invertible. This is guaranteed if F is a field since αi − αj 6= 0 for
i 6= j. Note also that the denominator is simply a constant and hence ui (x) is in-
deed a polynomial of degree d. It is easy to verify that ui (αi ) = 1 and ui (αj ) = 0
P
for j 6= i. Thus the polynomials a(x) and d+1 i=1 βi ui (x) agree when evaluated at
any αi , for all i. We note that a(x) has degree at most d.43
It remains to prove the uniqueness. Suppose there is another polynomial
a′ (x) of degree at most d such that βi = a′ (αi ) for i = 1, . . . , d + 1. Then a(x) −
a′ (x) is also a polynomial of degree at most d, which (according to Theorem 5.31)
can have at most d roots, unless it is 0. But a(x) − a′ (x) has indeed the d + 1 roots
α1 , . . . , αd+1 . Thus it must be the 0-polynomial, which implies a(x) = a′ (x).

5.8 Finite Fields

So far we have seen the finite field GF (p), where p is prime. In this section we
discuss all other finite fields.

5.8.1 The Ring F [x]m(x)

We continue to explore the analogies between the rings Z and F [x]. In the same
way as we can compute in the integers Z modulo an integer m, yielding the ring
hZm ; ⊕, ⊖, 0, ⊙, 1i, we can also compute in F [x] modulo a polynomial m(x). Let
Rm(x) (a(x)) denote the (unique) remainder when a(x) is divided by m(x). The
concept of congruence modulo m(x) is defined like congruence modulo m. For
a(x), b(x) ∈ F [x],

def

a(x) ≡m(x) b(x) ⇐⇒ m(x) | a(x) − b(x) .
43 The degree can be smaller than d.
5.8. Finite Fields 122

The proof of the following lemma is analogous to the proof that congruence
modulo m is an equivalence relation on Z.
Lemma 5.33. Congruence modulo m(x) is an equivalence relation on F [x], and each
equivalence class has a unique representative of degree less than deg(m(x)).
Example 5.60. Consider R[x] or Q[x]. We have, for example,
5x3 − 2x + 1 ≡3x2 +2 8x3 + 1 ≡3x2 +2 − 16
3 x+1

as one can easily check. Actually, the remainder when 5x3 − 2x + 1 is divided
by 3x2 + 2 is − 16
3 x + 1.
Example 5.61. Consider GF(2)[x]. Example 5.55 can be rephrased as Rx2 +1 (x4 +
x3 + x2 + 1) = x + 1.

Definition 5.34. Let m(x) be a polynomial of degree d over F . Then

def 
F [x]m(x) = a(x) ∈ F [x] deg(a(x)) < d .

We state a simple fact about the cardinality of F [x]m(x) when F is finite.

Lemma 5.34. Let F be a finite field with q elements and let m(x) be a polynomial of
degree d over F . Then |F [x]m(x) | = q d .

Proof. We have

F [x]m(x) = ad−1 xd−1 + · · · + a1 x + a0 a0 , . . . , ad−1 ∈ F .
There are q d choices for a0 , . . . , ad−1 .

F [x]m(x) is derived from F [x] in close analogy to how the ring Zm is derived
from the ring Z.

Lemma 5.35. F [x]m(x) is a ring with respect to addition and multiplication mod-
ulo m(x).44

Proof. F [x]m(x) is a group with respect to polynomial addition.45 The neutral

element is the polynomial 0 and the negative of a(x) ∈ F [x]m(x) is −a(x). Asso-
ciativity is inherited from F [x].
44 It is important to point out that we are considering three algebraic systems, namely F , F [x],

and F [x]m(x) . Each system has an addition and a multiplication operation, and we use the same
symbols “+” and “·” in each case, letting the context decide which one we mean. This should cause
no confusion. The alternative would have been to always use different symbols, but this would
be too cumbersome. Note that, as mentioned above, addition (but not multiplication) in F [x] and
F [x]m(x) are identical.
45 Note that the sum of two polynomials is never reduced modulo m(x) because the degree of the

sum is at most the maximum of the two degrees. In other words, a(x)+ b(x) in F [x] and a(x)+ b(x)
in F [x]m(x) are the same operation when restricted to polynomials of degree less than deg(m(x)).
123 Chapter 5. Algebra

F [x]m(x) is a monoid with respect to polynomial multiplication. The neutral

element is the polynomial 1. Associativity of multiplication is inherited from
F [x], as is the distributive law.

The following lemma can be proved in analogy to Lemma 4.18.

Lemma 5.36. The congruence equation

a(x)b(x) ≡m(x) 1

(for a given a(x)) has a solution b(x) ∈ F [x]m(x) if and only if gcd(a(x), m(x)) = 1.
The solution is unique.46 In other words,

F [x]∗m(x) = a(x) ∈ F [x]m(x) gcd(a(x), m(x)) = 1 .

Inverses in F [x]∗m(x) can be computed efficiently by a generalized version of

Euclid’s gcd-algorithm, which we do not discuss here.

5.8.2 Constructing Extension Fields

The following theorem is analogous to Theorem 5.23 stating that Zm is a field if
and only if m is prime.

Theorem 5.37. The ring F [x]m(x) is a field if and only if m(x) is irreducible.47

Proof. For an irreducible polynomial m(x), we have gcd(a(x), m(x)) = 1 for all
a(x) 6= 0 with deg(a(x)) < deg(m(x)) and therefore, according to Lemma 5.36,
a(x) is invertible in F [x]m(x) . In other words, F [x]∗m(x) = F [x]m(x) \ {0}. If m(x)
is not irreducible, then F [x]m(x) is not a field because nontrivial factors of m(x)
have no multiplicative inverse.

In Computer Science, the fields of most interest are finite fields, i.e., F [x]m(x)
where F itself is a finite field. But before we discuss finite fields, we illustrate
this new type of field based on polynomial arithmetic using a well-known ex-
ample of an infinite field.
Example 5.62. The polynomial x2 + 1 is irreducible in R[x] because x2 + 1 has no
root in R. Hence, according to Theorem 5.37, R[x]x2 +1 is a field. The elements
of R[x]x2 +1 are the polynomials of degree at most 1, i.e., of the form ax + b.
Addition and multiplication are defined by

(ax + b) + (cx + d) = (a + c)x + (b + d)

46 This b(x) (if it exists) is called the inverse of a(x) modulo m(x).
47 F [x] is called an extension field of F .
m(x)
5.8. Finite Fields 124

and

(ax + b) · (cx + d) = Rx2 +1 ((ax + b) · (cx + d))

= Rx2 +1 (acx2 + (bc + ad)x + bd)
= (bc + ad)x + (bd − ac).

The last step follows from the fact that Rx2 +1 (x2 ) = −1. The reader may have
noticed already that these addition and multiplication laws correspond to those
of the complex numbers C when ax + b is interpreted as the complex number
b + ai. Indeed, R[x]x2 +1 is simply C or, more precisely, R[x]x2 +1 is isomorphic to
C. In fact, this appears to be the most natural way of defining C.

This example raises a natural question: Can we define other extension fields
of R, or, what is special about C? There are many other irreducible polynomials
of degree 2, namely all those corresponding to a parabola not intersecting with
the x-axis. What is, for example, the field R[x]2x2 +x+1 ? One can show that
R[x]m(x) is isomorphic to C for every irreducible polynomial of degree 2 over
R. Are there irreducible polynomials of higher degree over R? The answer, as
we know, is negative. Every polynomial in R[x] can be factored into a product
of polynomials of degree 1 (corresponding to real roots) and polynomials of
degree 2 (corresponding to pairs of conjugate complex roots). The field C has
the special property that a polynomial of degree d has exactly d roots in C. For
the field R, this is not true. There are no irreducible polynomials of degree > 1
over C.

Example 5.63. The polynomial x2 + x + 1 is irreducible in GF(2)[x] because it

has no roots. Hence, according to Theorem 5.37, GF(2)[x]x2 +x+1 is a field. The
elements of GF(2)[x]x2 +x+1 are the polynomials of degree at most 1, i.e., of the
form ax + b. Addition is defined by

(ax + b) + (cx + d) = (a + c)x + (b + d).

Note that the “+” in ax + b is in GF(2) (i.e., in Z2 ), and the middle “+” in
(ax + b) + (cx + d) is to be understood in GF(2)[x]x2 +x+1 , i.e., as polynomial
addition. Multiplication is defined by

(ax + b) · (cx + d) = Rx2 +x+1 ((ax + b) · (cx + d))

= Rx2 +x+1 (acx2 + (bc + ad)x + bd)
= (bc + ad + ac)x + (bd + ac).

The last step follows from the fact that Rx2 +x+1 (x2 ) = −x − 1 = x + 1 (since
−1 = 1 in GF(2)). It now becomes clear that this field with 4 elements is that of
Example 5.46. The reader can check that A = x and B = x + 1 works just as well
as A = x + 1 and B = x.
125 Chapter 5. Algebra

+ 0 1 x x+1 x2 x2 + 1 x2 + x x2 + x + 1
0 0 1 x x+1 x2 x2 + 1 x2 + x x2 + x + 1
2
1 0 x+1 x x +1 x2 2
x +x+1 x2 + x
x 0 1 x2 + x 2
x +x+1 x2 x2 + 1
x+1 0 x2 + x + 1 x2 + x 2
x +1 x2
x2 0 1 x x+1
x2 + 1 0 x+1 x
x2 + x 0 1
2
x +x+1 0

Figure 5.2: The addition table for GF(8) constructed with the irreducible poly-
nomial x3 + x + 1.

· 0 1 x x+1 x2 x2 + 1 x2 + x x2 + x + 1
0 0 0 0 0 0 0 0 0
1 1 x x+1 x2 x2 + 1 x2 + x x2 + x + 1
x x2 x2 + x x+1 1 x2 + x + 1 x2 + 1
x+1 x2 + 1 x2 + x + 1 x2 1 x
x2 x2 + x x x2 + 1 1
2
x +1 x2 + x + 1 x+1 x2 + x
x2 + x x x2
x2 + x + 1 x+1

Figure 5.3: The multiplication table for GF(8) constructed with the irreducible
polynomial x3 + x + 1.

Example 5.64. The polynomial x3 + x + 1 over GF(2) is irreducible since it has

no roots (it evaluates to 1 for both 0 and 1). The field GF(8) (also written GF(23 ))
consists of the 8 polynomials of degree ≤ 2 over GF(2). The tables for addition
and multiplication are shown in Figures 5.2 and 5.3. In this field we have, for
example,

(x + 1)/(x2 + 1) = (x + 1)(x2 + 1)−1 = (x + 1)x = x2 + x.

5.8.3 Some Facts About Finite Fields *

Theorem 5.37 gives us a method for constructing a new field from an existing field F ,
provided we can find an irreducible polynomial m(x) in F [x]. When F is a finite field,
then so is F [x]m(x) . The proofs of most facts stated in this section are beyond the scope
of this course.
The theory of finite fields was founded by the French mathematician Evariste Galois
5.9. Application: Error-Correcting Codes 126

(1811–1832).48 In his honor, finite fields are called Galois fields. A field with q elements is
usually denoted by GF(q) (independently of how it is constructed).
Theorem 5.38. For every prime p and every d ≥ 1 there exists an irreducible polynomial of
degree d in GF(p)[x]. In particular, there exists a finite field with pd elements.

The following theorem states that the finite fields we have seen so far, Zp for prime
p and GF(p)[x]m(x) for an irreducible m(x), are all finite fields. There are no other finite
fields. Moreover, one obtains no new finite fields by taking an irreducible polynomial,
′
say of degree d′ , over some extension field GF(pd ), resulting in the field GF(pdd ). Such
a field can always be constructed directly using an irreducible polynomial of degree dd′
over GF(p).

Theorem 5.39. There exists a finite field with q elements if and only if q is a power of a prime.
Moreover, any two finite fields of the same size q are isomorphic.

The last claim justifies the use of the notation GF(q) without making explicit how the
field is constructed. Different constructions yield different representations (naming) of
the field elements, but not different fields. However, it is possible that some representa-
tions are better suited than others for the efficient hardware or software implementation
of the field arithmetic.
Theorem 5.40. The multiplicative group of every finite field GF(q) is cyclic.

Note that the multiplicative group of GF(q) has order q − 1 and has ϕ(q − 1) genera-
tors.
Example 5.65. One can check that the fields GF(22 ) and GF(23 ) have multiplicative
groups of orders 3 and 7, which are both prime. Therefore all elements except 1 (and
0 of course) are generators of the multiplicative group.

5.9 Application: Error-Correcting Codes

5.9.1 Definition of Error-Correcting Codes
Finite fields are of great importance in Computer Science and have many appli-
cations, one of which is discussed in this section.
Error-correcting codes are used in many communication protocols and other
applications. For example, the digital information on a CD is stored in such a
manner that even if some of the information is lost (e.g. because of a scratch or
dirt on the disc), the entire information can still be reconstructed without quality
degradation, as long as sufficiently much of the data is still available.
48 His interest was in proving that polynomial equations over R of fifth or higher degree have in

general no closed form solution in radicals (while equations of up to fourth degree do). His major
contributions to mathematics were recognized by the leading mathematicians only many years after
his death. He died in a duel at the age of 21. The story goes that he wrote down major parts of his
theory during the last night before the duel.
127 Chapter 5. Algebra

There are two types of problems that can occur in data transmission or when
reading data from a storage medium. First, data can be erased, meaning that
when reading (or receiving) it one realizes that it is missing. Second, data can
contain errors. The second type of problem is more severe because it is not even
known where in a data stream the errors occurred. A good error-correcting
scheme can handle both problems.

Definition 5.35. A (n, k)-encoding function E for some alphabet A is an injective

function that maps a list (a0 , . . . , ak−1 ) ∈ Ak of k (information) symbols to a list
(c0 , . . . , cn−1 ) ∈ An of n > k (encoded) symbols in A, called codeword:

E : Ak → An : (a0 , . . . , ak−1 ) 7→ E((a0 , . . . , ak−1 )) = (c0 , . . . , cn−1 ).

For an encoding function E one often consider the set

C = Im(E) = {E((a0 , . . . , ak−1 )) | a0 , . . . , ak−1 ∈ A}

of codewords, which is called an error-correcting code.

Definition 5.36. An (n, k)-error-correcting code over the alphabet A with |A| = q
is a subset of An of cardinality q k .

It is natural to use as the alphabet A = {0, 1}, i.e., to take bits as the basic unit
of information. However, for several reasons (one being the efficiency of encod-
ing and in particular decoding), one often considers larger units of information,
for example bytes (i.e., A = {0, 1}8).

Definition 5.37. The Hamming distance between two strings of equal length over
a finite alphabet A is the number of positions at which the two strings differ.

Definition 5.38. The minimum distance of an error-correcting code C, denoted

dmin (C), is the minimum of the Hamming distance between any two codewords.

Example 5.66. The following code is a (5, 2)-code over the alphabet {0, 1}:

{(0, 0, 0, 0, 0), (1, 1, 1, 0, 0), (0, 0, 1, 1, 1), (1, 1, 0, 1, 1)}.

The minimum distance is 3.

5.9.2 Decoding

Definition 5.39. A decoding function D for an (n, k)-encoding function is a func-

tion D : An → Ak .
5.9. Application: Error-Correcting Codes 128

The idea is that a good decoding function takes an arbitrary list

(r0 , . . . , rn−1 ) ∈ An of symbols49 and decodes it to the most plausible (in some
sense) information vector (a0 , . . . , ak−1 ). Moreover, a good decoding function
should be efficiently computable.
The error-correcting capability of a code C can be characterized in terms of
the number t of errors that can be corrected. More precisely:

Definition 5.40. A decoding function D is t-error correcting for encoding func-

tion E if for any (a0 , . . . , ak−1 )


D (r0 , . . . , rn−1 ) = (a0 , . . . , ak−1 )


for any (r0 , . . . , rn−1 ) with Hamming distance at most t from E (a0 , . . . , ak−1 ) .
A code C is t-error correcting if there exists E and D with C = Im(E) where D is
t-error correcting.

Theorem 5.41. A code C with minimum distance d is t-error correcting if and only if
d ≥ 2t + 1.

Proof. (⇐=) If any two codewords have Hamming distance at least 2t + 1 (i.e.,
differ in at least 2t+1 positions), then it is impossible that a word (r0 , . . . , rn−1 ) ∈
An could result from two different codewords by changing t positions. Thus if
(r0 , . . . , rn−1 ) has distance at most t from a codeword (c0 , . . . , cn−1 ), then this
codeword is uniquely determined. The decoding function D can be defined to
decode to (one of) the nearest codeword(s) (more precisely, to the information
resulting (by E) in that codeword).
(=⇒) If there are two codewords that differ in at most 2t positions, then there
exists a word (r0 , . . . , rn−1 ) which differs from both codewords in at most t po-
sitions; hence it is possible that t errors can not be corrected.

Example 5.67. A code with minimum distance d = 5 can correct t = 2 errors.

The code in Example 5.66 can correct a single error (t = 1).

5.9.3 Codes based on Polynomial Evaluation

A very powerful class of codes is obtained by polynomial interpolation if A has
a field structure, i.e., A = GF(q) for some q:

49 Forexample the list of symbols received after transmission of a codeword over a noisy channel
or read from a storage medium like a CD.
129 Chapter 5. Algebra

Theorem 5.42. Let A = GF(q) and let α0 , . . . , αn−1 be arbitrary distinct elements of
GF(q). Consider the encoding function


E((a0 , . . . , ak−1 )) = a(α0 ), . . . , a(αn−1 ) ,

where a(x) is the polynomial

a(x) = ak−1 xk−1 + · · · + a1 x + a0 .

This code has minimum distance n − k + 1.

Proof. The polynomial a(x) of degree k−1 can be interpolated from any k values,
i.e., from any k codeword symbols. If two polynomials agree for k arguments
(or, equivalently, if two codewords agree at k positions), then they are equal.
This means that two different codewords cannot agree at k positions. Hence any
two codewords disagree in at least n − k + 1 positions.

An (n, k)-code over the field GF(2d ) can be interpreted as a binary (dn, dk)-
code (over GF(2)). The minimum distance of this binary code is at least that of
the original code because two different GF(2d )-symbols must differ in at least
one bit (but can of course differ in more than one bit).
Example 5.68. Polynomial codes as described are used for storing information
on Compact Discs. In fact, the coding scheme of CD’s makes use of two different
such codes, but explaining the complete scheme is beyond the scope of this
course on discrete mathematics. The field is GF(28 ) defined by an irreducible
polynomial of degree 8 over GF(2) and the two codes are a (32, 28)-code over
GF(28 ) and a (28, 24)-code over GF(28 ), both with minimum distance 5.
Chapter 6

Logic

6.1 Introduction
In Chapter 2 we have introduced some basic concepts of logic, but the treat-
ment was quite informal. In this chapter we discuss the foundations of logic
in a mathematically rigorous manner. In particular, we clearly distinguish be-
tween the syntax and the semantics of a logic and between syntactic derivations
of formulas and logical consequences they imply. We also introduce the con-
cept of a logical calculus and define soundness and completeness of a calculus.
Moreover, we discuss in detail a concrete calculus for propositional logic, the
so-called resolution calculus.
At a very general level, the goal of logic is to provide a framework for ex-
pressing mathematical statements and for expressing and verifying proofs for
such statements. A more ambitious, secondary goal can be to provide tools for
automatically or semi-automatically generating a proof for a given statement.
A treatment of logic usually begins with a chapter on propositional logic1
(see Section 6.5), followed by a chapter on predicate (or first-order) logic2 (see
Section 6.6), which can be seen as an extension of propositional logic. There are
several other logics which are useful in Computer Science and in mathematics,
including temporal logic, modal logic, intuitionistic logic, and logics for rea-
soning about knowledge and about uncertainty. Most if not all relevant logics
contain the logical operators from propositional logic, i.e., ∧, ∨, ¬ (and the de-
rived operators → and ↔), as well as the quantifiers (∀ and ∃) from predicate
logic.
Our goal is to present the general concepts that apply to all types of log-
ics in a unified manner, and then to discuss the specific instantiations of these
1 German: Aussagenlogik
2 German: Prädikatenlogik

130
131 Chapter 6. Logic

concepts for each logic individually. Therefore we begin with such a general
treatment (see Sections 6.2, 6.3, and 6.4) before discussing propositional and
predicate logic. From a didactic viewpoint, however, it will be useful to switch
back and forth between the generic concepts of Sections 6.2, 6.3, and 6.4 and the
concrete instantiations of Sections 6.5 and 6.6.
We give a general warning: Different treatments of logic often use slightly or
sometimes substantially different notation.3 Even at the conceptual level there
are significant differences. One needs to be prepared to adopt a particular no-
tation used in a particular application context. However, the general principles
explained here are essentially standard.
We also refer to the book by Kreuzer and Kühling and that by Schöning
mentioned in the preface of these lecture notes.

6.2 Proof Systems

6.2.1 Definition
In a formal treatment of mathematics, all objects of study must be described in
a well-defined syntax. Typically, syntactic objects are finite strings over some
alphabet Σ, for example the symbols allowed by the syntax of a logic or simply
the alphabet {0, 1}, in which case syntactic objects are bit-strings. Recall that Σ∗
denotes the set of finite strings of symbols from Σ.
In this section, the two types of mathematical objects we study are

• mathematical statements of a certain type and

• proofs for this type of statements.

By a statement type we mean for example the class of statements of the form
that a given number n is prime, or the class of statements of the form that a
given graph G has a Hamiltonian cycle (see below), or the class of statements of
the form that a given formula F in propositional logic is satisfiable.
Consider a fixed type of statements. Let S ⊆ Σ∗ be the set of (syntactic
representations of) mathematical statements of this type, and let P ⊆ Σ∗ be the
set of (syntactic representations of) proof strings.4
Every statement s ∈ S is either true or false. The truth function

τ : S → {0, 1}
3 For example, in some treatments the symbol ⇒ is used for →, which can be confusing.
4 Membership in S and also in P is assumed to be efficiently checkable (for some notion of effi-
ciency).
6.2. Proof Systems 132

assigns to each s ∈ S its truth value τ (s). This function τ defines the meaning,
called the semantics, of objects in S.5
An element p ∈ P is either a (valid) proof for a statement s ∈ S, or it is not.
This can be defined via a verification function

φ : S × P → {0, 1},

where φ(s, p) = 1 means that p is a valid proof for statement s.

Without strong loss of generality we can in this section consider

S = P = {0, 1}∗,

with the understanding that any string in {0, 1}∗ can be interpreted as a state-
ment by defining syntactically wrong statements as being false statements.

Definition 6.1. A proof system6 is a quadruple Π = (S, P, τ, φ), as above.

We now discuss the two fundamental requirements for proof systems.

Definition 6.2. A proof system Π = (S, P, τ, φ) is sound7 if no false statement

has a proof, i.e., if for all s ∈ S for which there exists p ∈ P with φ(s, p) = 1, we
have τ (s) = 1.

Definition 6.3. A proof system Π = (S, P, τ, φ) is complete8 if every true state-

ment has a proof, i.e., if for all s ∈ S with τ (s) = 1, there exists p ∈ P with
φ(s, p) = 1.

In addition to soundness and completeness, one requires that the function

φ be efficiently computable (for some notion of efficiency).9 We will not make
this formal, but it is obvious that a proof system is useless if proof verification is
computationally infeasible. Since the verification has to generally examine the
entire proof, the length of the proof cannot be infeasibly long.10

5 In the context of logic discussed from the next section onwards, the term semantics is used in a

specific restricted manner that is compatible with its use here.

6 The term proof system is also used in different ways in the mathematical literature.
7 German: korrekt
8 German: vollständig
9 The usual efficiency notion in Computer Science is so-called polynomial-time computable which

we do not discuss further.

10 An interesting notion introduced in 1998 by Arora et al. is that of a probabilistically checkable proof

(PCP). The idea is that the proof can be very long (i.e., exponentially long), but that the verification
only examines a very small random selection of the bits of the proof and nevertheless can decide
correctness, except with very small error probability.
133 Chapter 6. Logic

6.2.2 Examples
Example 6.1. An undirected graph consists of a set V of nodes and a set E of
edges between nodes. Suppose that V = {0, . . . , n − 1}. A graph can then be
described by the so-called adjacency matrix, an n×n-matrix M with {0, 1}-entries,
where Mi,j = 1 if and only if there is an edge between nodes i and j. A graph
with n nodes can hence be represented by a bit-string of length n2 , by reading
out the entries of the matrix row by row.
We are now interested in proving that a given graph has a so-called Hamilto-
nian cycle, i.e., that there is a closed path from node 1 back to node 1, following
edges between nodes, and visiting every node exactly once. We are also inter-
ested in the problem of proving the negation of this statement, i.e., that a given
graph has no Hamiltonian cycle. Deciding whether or not a given graph has a
Hamiltonian cycle is considered a computationally very hard decision problem
(for large graphs).11
To prove that a graph has a Hamiltonian cycle, one can simply provide the
sequence of nodes visited by the cycle. A value in V = {0, . . . , n − 1} can be
represented by a bit-string of length ⌈log2 n⌉, and a sequence of n such numbers
can hence be represented by a bit-string of length n⌈log2 n⌉. We can hence define
S = P = {0, 1}∗.
Now we can let τ be the function defined by τ (s) = 1 if and only if |s| = n2
for some n and the n2 bits of s encode the adjacency matrix of a graph containing
a Hamiltonian cycle. If |s| is not a square or if s encodes a graph without a
Hamiltonian cycle, then τ (s) = 0.12 Moreover, we can let φ be the function
defined by φ(s, p) = 1 if and only if, when s is interpreted as an n × n-matrix
M and when p is interpreted as a sequence of n different numbers (a1 , . . . , an )
with ai ∈ {0, . . . , n − 1} (each encoded by a bit-string of length ⌈log2 n⌉), then
the following is true:
Mai ,ai+1 = 1
for i = 1, . . . , n − 1 and
Man ,a1 = 1.
This function φ is efficiently computable. The proof system is sound because a
graph without Hamiltonian cycle has no proof, and it is complete because every
graph with a Hamiltonian cycle has a proof. Note that each s with τ (s) = 1 has
at least n different proofs because the starting point in the cycle is arbitrary.

Example 6.2. Let us now consider the opposite problem of proving the inex-
istence of a Hamiltonian cycle in a given graph. In other words, in the above
example we define τ (s) = 1 if and only if |s| = n2 for some n and the n2 bits
11 The best known algorithm has running time exponential in n. The problem is actually NP-

complete, a concept that will be discussed in a later course on theoretical Computer Science.
12 Note that τ defines the meaning of the strings in S, namely that they are meant to encode graphs

and that we are interested in whether a given graph has a Hamiltonian cycle.
6.2. Proof Systems 134

of s encode the adjacency matrix of a graph not containing Hamiltonian cycle.

In this case, no sound and complete proof system (with reasonably short and
efficiently verifiable proofs) is known. It is believed that no such proof system
exists.

Example 6.3. Let again S = P = {0, 1}∗ , and for s ∈ {0, 1}∗ let n(s) de-
note the natural number whose (standard) binary representation is s, with the
convention that leading 0’s are ignored. (For example, n(101011) = 43 and
n(00101) = 5.) Now, let τ be the function defined as follows: τ (s) = 1 if and
only if n(s) is not a prime number. Moreover, let φ be the function defined
by φ(s, p) = 1 if and only if n(s) = 0, or if n(s) = 1, or if n(p) divides n(s) and
1 < n(p) < n(s). This function φ is efficiently computable. This is a proof system
for the non-primality (i.e., compositeness) of natural numbers. It is sound be-
cause every s corresponding to a prime number n(s) has no proof since n(s) 6= 0
and n(s) 6= 1 and n(s) has no divisor d satisfying 1 < d < n(s). The proof sys-
tem is complete because every natural number n greater than 1 is either prime
or has a prime factor q satisfying 1 < q < n (whose binary representation can
serve as a proof).

Example 6.4. Let us consider the opposite problem, i.e., proving primality of
a number n(s) represented by s. In other words, in the previous example we
replace “not a prime” by “a prime”. It is far from clear how one can define a
verification function φ such that the proof system is sound and complete. How-
ever, such an efficiently computable function φ indeed exists. Very briefly, the
proof that a number n(s) (henceforth we simply write n) is prime consists of
(adequate representations of):
1) the list p1 , . . . , pk of distinct prime factors of n − 1,
2) a (recursive) proof of primality for each of p1 , . . . , pk 13
3) a generator g of the group Z∗n .

The exact representation of these three parts of the proof would have to be made
precise, but we omit this here as it is obvious how this could be done.
The verification of a proof (i.e., the computation of the function φ) works as
follows.

• If n = 2 or n = 3, then the verification stops and returns 1.14

• It is tested whether p1 , . . . , pk all divide n − 1 and whether n − 1 can be

written as a product of powers of p1 , . . . , pk (i.e., whether n − 1 contains
no other prime factor).
13 recursive means that the same principle is applied to prove the primality of every p , and again
i
for every prime factor of pi − 1, etc.
14 One could also consider a longer list of small primes for which no recursive primality proof is

required.
135 Chapter 6. Logic

• It is verified that
g n−1 ≡n 1
and, for all i ∈ {1, . . . , k}, that

g (n−1)/pi 6≡n 1.

(This means that g has order n − 1 in Z∗n ).

• For every pi , an analogous proof of its primality is verified (recursively).

This proof system for primality is sound because if n is not a prime, then there
is no element of Z∗n of order n − 1 since the order of any element is at most ϕ(n),
which is smaller than n − 1. The proof system is complete because if n is prime,
then GF (n) is a finite field and the multiplicative group of any finite field, i.e.,
Z∗n , is cyclic and has a generator g. (We did not prove this statement in this
course.)15

6.2.3 Discussion
The examples demonstrate the following important points:

• While proof verification must be efficient (in some sense not defined here),
proof generation is generally not (or at least not known to be) efficient. For
example, finding a proof for the Hamiltonian cycle example requires to
find such a cycle, a problem that, as mentioned, is believed to be very
hard. Similarly, finding a primality proof as discussed would require the
factorization of n − 1, and the factoring problem is believed to be hard.
In general, finding a proof (if it exists) is a process requiring insight and
ingenuity, and it cannot be efficiently automated.
• A proof system is always restricted to a certain type of mathematical state-
ment. For example, the proof system of Example 6.1 is very limited in the
sense that it only allows to prove statements of the form “graph G has a
Hamiltonian cycle”.
• Proof verification can in principle proceed in very different ways. The
proof verification method of logic, based on checking a sequence of rule
applications, is (only) a special case.
• Asymmetry of statements and their negation: Even if a proof system exists
for a certain type of statements, it is quite possible that for the negation of
the statements, no proof system (with efficient verification) exists.
15 Actually, a quite efficient deterministic primality test was recently discovered by Agrawal et al.,

and this means that primality can be checked without a proof. In other words, there exists a trivial
proof system for primality with empty proofs. However, this fact is mathematically considerably
more involved than the arguments presented here for the soundness and completeness of the proof
system for primality.
6.3. Elementary General Concepts in Logic 136

6.2.4 Proof Systems in Theoretical Computer Science *

The concept of a proof system appears in a more concrete form in theoretical computer
science (TCS), as follows. Statements and proofs are bit-strings, i.e., S = P = {0, 1}∗ .
The predicate τ defines the set L ⊆ {0, 1}∗ of strings that correspond to true statements:
L = {s | τ (s) = 1}.
Conversely, every subset L ⊆ {0, 1}∗ defines a predicate τ . In TCS, such a set L of strings
is called a formal language, and one considers the problem of proving that a given string
s is in the language, i.e., s ∈ L. A proof for s ∈ L is called a witness of s, often denoted as
w, and the verification function φ(s, w) defines whether a string w is a witness for s ∈ L.
One then considers the special case where the length of w is bounded by a polynomial
of the length of s and where the function φ must be computable in polynomial time, i.e.,
by a program with worst-case running time polynomial in the length of s. Then, the
important class NP of languages is the set of languages for which such a polynomial-
time computable verification function exists.
As mentioned in a footnote, a type of proof system of special interest are so-called
probabilistically checkable proofs (PCP).
An important extension of the concept of proof systems are so-called interactive
proofs.16 In such a system, the proof is not a bit-string, but it consists of an interaction
(a protocol) between the prover and the verifier, where one tolerates an immensely small
(e.g. exponentially small) probability that a verifier accepts a “proof” for a false state-
ment. The reason for considering such interactive proofs are:
• Such interactive proofs can exist for statements for which a classical (non-
interactive) proof does not exist. For example, there exists an interactive proof
system for the non-Hamiltonicity of graphs.
• Such interactive proofs can have a special property, called zero-knowledge, which
means that the verifier learns absolutely nothing (in a well-defined sense) during
the protocol, except that the statement is true. In particular, the verifier cannot
prove the statement to somebody else.
• Zero-knowledge proofs (especially non-interactive versions, so-called NIZK’s) are
of crucial importance in a large number of applications, for example in sophisti-
cated block-chain systems.

6.3 Elementary General Concepts in Logic

The purpose of this section is to introduce the most basic concepts in logic in a
general manner, not specific to a particular logic. However, this section is best
appreciated by considering concrete examples of logics, in particular proposi-
tional logic and predicate logic. Without discussing such examples in parallel to
introducing the concepts, this section will be hard to appreciate. We will discuss
the general concepts and the concrete examples in parallel, going back and forth
between Section 6.3 and Sections 6.5 and 6.6.
16 This
topic is discussed in detail in the Master-level course Cryptographic Protocols taught by
Martin Hirt and Ueli Maurer.
137 Chapter 6. Logic

6.3.1 The General Goal of Logic

A goal of logic is to provide a specific proof system Π = (S, P, τ, φ) for which

a very large class of mathematical statements can be expressed as an element
of S.
However, such a proof system Π = (S, P, τ, φ) can never capture all possible
mathematical statements. For example, it usually does not allow to capture
(self-referential) statements about Π, such as “Π is complete”, as an element of
S. The use of common language is therefore unavoidable in mathematics and
logic (see also Section 6.7).
In logic, an element s ∈ S consists of one or more formulas (e.g. a formula,
or a set of formulas, or a set of formulas and a formula), and a proof consists of
applying a certain sequence of syntactic steps, called a derivation or a deduction.
Each step consists of applying one of a set of allowed syntactic rules, and the
set of allowed rules is called a calculus. A rule generally has some place-holders
that must be instantiated by concrete values.
In standard treatments of logic, the syntax of S and the semantics (the func-
tion τ ) are carefully defined. In contrast, the function φ, which consists of ver-
ifying the correctness of each rule application step, is not completely explicitly
defined. One only defines rules, but for example one generally does not define
a syntax for expressing how the place-holders of the rules are instantiated.17

6.3.2 Syntax, Semantics, Interpretation, Model

6.3.3 Syntax
A logic is defined by the syntax and the semantics. The basic concept in any logic
is that of a formula18 .

Definition 6.4. The syntax of a logic defines an alphabet Λ (of allowed symbols)
and specifies which strings in Λ∗ are formulas (i.e., are syntactically correct).

The semantics (see below) defines under which “conditions” a formula is

true (denoted as 1) or false (denoted as 0).19 What we mean by “conditions”
needs to be made more precise and requires a few definitions.
Some of the symbols in Λ (e.g. the symbols A and B in propositional logic
or the symbols P and Q in predicate logic) are understood as variables, each of
which can take on a value in a certain domain associated to the symbol.

17 Ina fully computerized system, this must of course be (and indeed is) defined.
18 German: Formel
19 There are logics (not considered here) with more than two truth values, for example a logic with

confidence or belief values indicating the degree of confidence in the truth of a statement.
6.3. Elementary General Concepts in Logic 138

6.3.4 Semantics

Definition 6.5. The semantics of a logic defines (among other things, see below)
a function free which assigns to each formula F = (f1 , f2 , . . . , fk ) ∈ Λ∗ a subset
free(F ) ⊆ {1, . . . , k} of the indices. If i ∈ free(F ), then the symbol fi is said to
occur free in F .20

The same symbol β ∈ Λ can occur free in one place of F (say f3 = β where
3 ∈ free(F )) and not free in another place (say f5 = β where 5 6∈ free(F )).
The free symbols of a formula denote kind of variables which need to be
assigned fixed values in their respective associated domains before the formula
has a truth value. This assignment of values is called an interpretation:

Definition 6.6. An interpretation consists of a set Z ⊆ Λ of symbols of Λ, a do-

main (a set of possible values) for each symbol in Z, and a function that assigns
to each symbol in Z a value in its associated domain.21

Often (but not in propositional logic), the domains are defined in terms of a
so-called universe U , and the domain for a symbol in Λ can for example be U , or
a function U k → U (for some k), or a function U k → {0, 1} (for some k).

Definition 6.7. An interpretation is suitable22 for a formula F if it assigns a value

to all symbols β ∈ Λ occurring free in F .23

Definition 6.8. The semantics of a logic also defines a function24 σ assigning to

each formula F , and each interpretation A suitable for F , a truth value σ(F, A)
in {0, 1}.25 In treatments of logic one often writes A(F ) instead of σ(F, A) and
calls A(F ) the truth value of F under interpretation A.26

20 The term “free” is not standard in the literature which instead uses special terms for each specific

logic, but as we see later it coincides for the notion of free variables in predicate logic.
21 There may be restrictions for what is an allowed interpretation.
22 German: passend
23 A suitable interpretation can also assign values to symbols β ∈ Λ not occurring free in F .
24 We assume that the set of formulas and the set of interpretations are well-defined.
25 Note that different free occurrences of a symbol β ∈ Λ in F are assigned the same value, namely

that determined by the interpretation.

26 This notation in the literature is unfortunately a bit ambiguous since A is used for two differ-

ent things, namely for an interpretation as well as for the function induced by the interpretation
which assigns to every formula the truth value (under that interpretation). We nevertheless use the
notation A(F ) instead of σ(F, A) in order to be compatible with most of the literature.
139 Chapter 6. Logic

Definition 6.9. A (suitable) interpretation A for which a formula F is true, (i.e.,

A(F ) = 1) is called a model for F , and one also writes
A |= F.
More generally, for a set M of formulas, a (suitable) interpretation for which all
formulas in M are true is called a model for M , denoted as
A |= M.
If A is not a model for M one writes A 6|= M.

6.3.5 Connection to Proof Systems *

We now explain how the semantics of a logic (the function σ in Definition 6.8) is con-
nected to the semantics of a proof systems (the function τ in Definition 6.1).
First we should remark that one can treat logic in a similarly informal manner as
one treats other fields of mathematics. There can be variations on how much is formal-
ized in the sense of proof systems. Concretely, there are the following two options for
formalizing a logic:

• In addition to formulas, also interpretations are considered to be formal objects,

i.e., there is a syntax for writing (at least certain types of) interpretations. In this
case, statements can correspond to pairs (F, A), and the function σ corresponds to
the function τ (in the sense of proof systems).
• Only formulas are formal objects and interpretations are treated informally, e.g. in
words or some other informal notation. This is the typical approach in treatments
of logic (also in this course). This makes perfect sense if the formal statements one
wants to prove only refer to formulas, and not to specific interpretations. Indeed,
many statements about formulas are of this form, for example the statement that a
formula F is a tautology, the statement that F is satisfiable (or unsatisfiable), or the
statement that a formula G is a logical consequence of a formula F , i.e., F |= G.
Note that to prove such statements it is not necessary to formalize interpretations.

6.3.6 Satisfiability, Tautology, Consequence, Equivalence

Definition 6.10. A formula F (or set M of formulas) is called satisfiable27 if there

exists a model for F (or M ),28 and unsatisfiable otherwise. The symbol ⊥ is used
for an unsatisfiable formula.29

27 German: erfüllbar
28 Note that the statement that M is satisfiable is not equivalent to the statement that every formula
in M is satisfiable.
29 The symbol ⊥ is not a formula itself, i.e., it is not part of the syntax of a logic, but if used in

expressions like F ≡ ⊥ it is to be understood as standing for an arbitrary unsatisfiable formula. For

example, F ≡ ⊥ means that F is unsatisfiable.
6.3. Elementary General Concepts in Logic 140

Definition 6.11. A formula F is called a tautology30 or valid31 if it is true for every

suitable interpretation. The symbol ⊤ is used for a tautology.

The symbol ⊥ is sometimes called falsum, and ⊤ is sometimes called verum.

Definition 6.12. A formula G is a logical consequence32 of a formula F (or a set

M of formulas), denoted
F |= G (or M |= G ),
if every interpretation suitable for both F (or M ) and G, which is a model for F
(for M ), is also a model for G.33

Definition 6.13. Two formulas F and G are equivalent, denoted F ≡ G, if every

interpretation suitable for both F and G yields the same truth value for F and
G, i.e., if each one is a logical consequence of the other:
def
F ≡G ⇐⇒ F |= G and G |= F.

A set M of formulas can be interpreted as the conjunction (AND) of all for-

mulas in M since an interpretation is a model for M if and only if it is a model
for all formulas in M .34 If M is the empty set, then, by definition, every in-
terpretation is a model for M , i.e., the empty set of formulas corresponds to a
tautology.

Definition 6.14. If F is a tautology, one also writes |= F .

That F is unsatisfiable can be written as F |= ⊥.

6.3.7 The Logical Operators ∧, ∨, and ¬

Essentially all logics contain the following recursive definitions as part of the
syntax definition.

Definition 6.15. If F and G are formulas, then also ¬F , (F ∧ G), and (F ∨ G)

are formulas.

30 German: Tautologie
31 German: gültig, allgemeingültig
32 German: (logische) Folgerung, logische Konsequenz
33 The symbol |= is used in two slightly different ways: with a formula (or set of formulas), and

also with an interpretation on the left side. This makes sense because one can consider a set M of
formulas as defining a set of interpretations, namely the set of models for M .
34 More formally, let G be any formula (one of the many equivalent ones) that corresponds to the

conjunction of all formulas in M . Then M |= F if and only if G |= F .

141 Chapter 6. Logic

A formula of the form (F ∧ G) is called a conjunction, and a formula of the

form (F ∨ G) is called a disjunction.
We introduce some notational conventions for the use of parentheses. The
outermost parentheses of a formula can be dropped, i.e., we can write F ∧ G
instead of (F ∧ G). Moreover, parentheses not needed because of associativity
of ∧ or ∨ (which is actually a consequence of the semantics defined below) can
also be dropped.
The implication introduced in Section 2.3 can be understood simply as a
notational convention: F → G stands for ¬F ∨G.35 Similarly, the symbol F ↔ G
stands for (F ∧ G) ∨ (¬F ∧ ¬G).
The semantics of the logical operators ∧, ∨, and ¬ is defined as follows (in
any logic where these operators exist):

Definition 6.16.
A((F ∧ G)) = 1 if and only if A(F ) = 1 and A(G) = 1.
A((F ∨ G)) = 1 if and only if A(F ) = 1 or A(G) = 1.
A(¬F ) = 1 if and only if A(F ) = 0.

Some basic equivalences were already discussed in Section 2.3.2 and are now
stated for any logic that includes the logical operators ∧, ∨, and ¬ :

Lemma 6.1. For any formulas F , G, and H we have

1) F ∧ F ≡ F and F ∨ F ≡ F (idempotence);
2) F ∧ G ≡ G ∧ F and F ∨ G ≡ G ∨ F (commutativity);
3) (F ∧ G) ∧ H ≡ F ∧ (G ∧ H) and (F ∨ G) ∨ H ≡ F ∨ (G ∨ H) (associativity);
4) F ∧ (F ∨ G) ≡ F and F ∨ (F ∧ G) ≡ F (absorption);
5) F ∧ (G ∨ H) ≡ (F ∧ G) ∨ (F ∧ H) (distributive law);
6) F ∨ (G ∧ H) ≡ (F ∨ G) ∧ (F ∨ H) (distributive law);
7) ¬¬F ≡ F (double negation);
8) ¬(F ∧ G) ≡ ¬F ∨ ¬G and ¬(F ∨ G) ≡ ¬F ∧ ¬G (de Morgan’s rules);
9) F ∨ ⊤ ≡ ⊤ and F ∧ ⊤ ≡ F (tautology rules);
10) F ∨ ⊥ ≡ F and F ∧ ⊥ ≡ ⊥ (unsatisfiability rules).
11) F ∨ ¬F ≡ ⊤ and F ∧ ¬F ≡ ⊥.

Proof. The proofs follow directly from Definition 6.16. For example, the claim
35 Alternatively, one could also define → to be a symbol of the syntax, in which case one would

also need to extend the semantics to provide an interpretation for →. This subtle distinction be-
tween notational convention or syntax extension is not really relevant for us. We can simply use the
symbol →.
6.3. Elementary General Concepts in Logic 142

¬(F ∧ G) ≡ ¬F ∨ ¬G follows from the fact that for any suitable interpretation,
we have A(¬(F ∧ G)) = 1 if and only if A(F ∧ G) = 0, and hence if and only if
either A(F ) = 0 or A(G) = 0, i.e., if and only if either A(¬F ) = 1 or A(¬G) = 1,
and hence if and only if A(¬F ∨ ¬G) = 1.

6.3.8 Logical Consequence vs. Unsatisfiability

We state the following facts without proofs, which are rather obvious. These
lemmas are needed for example to make use of the resolution calculus (see Sec-
tion 6.5.5), which allows to prove the unsatisfiability of a set of formulas, to also
be able to prove that a formula F is a tautology, or to prove that a formula G is
logical consequence of a given set {F1 , F2 , . . . , Fk } of formulas.

Lemma 6.2. A formula F is a tautology if and only if ¬F is unsatisfiable.

Lemma 6.3. The following three statements are equivalent:

1. {F1 , F2 , . . . , Fk } |= G,
2. (F1 ∧ F2 ∧ · · · ∧ Fk ) → G is a tautology,
3. {F1 , F2 , . . . , Fk , ¬G} is unsatisfiable.

6.3.9 Theorems and Theories

We can consider at least four types of statements one may want to prove in the
context of using a logic:

1. Theorems in an axiomatically defined theory (see below),

2. Statements about a formula or a set of formulas, for example that F is

satisfiable or that a set M of formulas is unsatisfiable.

3. The statement A |= F for a given interpretation A and a formula F .

4. Statements about the logic, for example that a certain calculus for the logic
is sound.

To describe the first type of statements, consider a fixed logic, for instance
predicate logic discussed in Section 6.6, and consider a set T of formulas, where
the formulas in T are called the axioms of the theory. Any formula F for which

T |= F
143 Chapter 6. Logic

is called a theorem in theory T . For example, the axioms of group theory are three
formulas in predicate logic, and any theorem in group theory (e.g. Lagrange’s
theorem) is a logical consequence of the axioms.
Consider two theories T and T ′ , where T ′ contains all the axioms of T plus
one or more additional axioms. Then every theorem in T is also a theorem in T ′
(but not vice versa). In the special case where T = ∅, a theorem in T = ∅ is a
tautology in the logic. Tautologies are useful because they are theorems in any
theory, i.e., for any set of axioms.


Example 6.5. The formula ¬∃x∀y P (y, x) ↔ ¬P (y, y) is a tautology in predi-
cate logic, as proved in Section 6.6.9.

6.4 Logical Calculi

6.4.1 Introduction

As mentioned in Section 6.3.1, the goal of logic is to provide a framework for ex-
pressing and verifying proofs of mathematical statements. A proof of a theorem
should be a purely syntactic derivation consisting of simple and easily verifiable
steps. In each step, a new syntactic object (typically a formula, but it can also be
a more general object involving formulas) is derived by application of a deriva-
tion rule or inference rule, and at the end of the derivation, the desired theorem
appears. The syntactic verification of a proof does not require any intelligence
or “reasoning between the lines”, and it can in particular be performed by a
computer.
Checking a proof hence simply means to execute a program. Like in com-
puter programming, where the execution of a program is a dumb process while
the design of a program is generally an intelligent, sometimes ingenious pro-
cess, the verification of a proof should be a dumb process while devising a proof
is an intelligent, creative, and sometimes ingenious process.
A well-defined set of rules for manipulating formulas (the syntactic objects)
is called a calculus. Many such calculi have been proposed, and they differ in
various ways, for example in the syntax, the semantics, the expressiveness, how
easy or involved it is to write a proof, and how long a proof will be.
When defining a calculus, there is a trade-off between simplicity (e.g. a small
number of rules) and versatility. For a small set of rules, proving even sim-
ple logical steps (like the substitution of a sub-formula by an equivalent sub-
formula) can take a very large number of steps in the calculus.
It is beyond the scope of this course to provide an extensive treatment of
various logical calculi.
6.4. Logical Calculi 144

6.4.2 Hilbert-Style Calculi

As mentioned, there are different types of logical calculi. For the perhaps most
intuitive type of calculus, the syntactic objects that are manipulated are formu-
las. This is sometimes called a Hilbert-style calculus. There is also another type
of calculi, often called sequent calculi (which we will not discuss in this course),
where the syntactic objects are more complex objects than just formulas. The
following refers to Hilbert-style calculi.

Definition 6.17. A derivation rule or inference rule36 is a rule for deriving a for-
mula from a set of formulas (called the precondition or premises). We write

{F1 , . . . , Fk } ⊢R G

if G can be derived from the set {F1 , . . . , Fk } by rule R.37

The derivation rule {F1 , . . . , Fk } ⊢R G is often also written as

F1 F2 · · · Fk
(R),
G
where spaces separate the formulas above the bar.
Derivation is a purely syntactic concept. Derivation rules apply to syntac-
tically correct (sets of) formulas. Some derivation rules (e.g. resolution, see
Section 6.5.5) require the formulas to be in a specific format.
Typically such a derivation rule is defined as a rule that involves place-holders
for formulas (such as F and G), which can be instantiated with any concrete
formulas. In order to apply such a rule one must instantiate each place-holder
with a concrete formula.

Definition 6.18. (Informal.) The application of a derivation rule R to a set M of

formulas means
1. Select a subset N of M .
2. For the place-holders in R: specify formulas that appear in N such that
N ⊢R G for a formula G.
3. Add G to the set M (i.e., replace M by M ∪ {G}).

Example 6.6. Two derivation rules for propositional and predicate logic are

{F ∧ G} ⊢ F and {F, G} ⊢ F ∧ G
36 German: Schlussregel
37 Formally, a derivation rule is a relation from the power set of the set of formulas to the set of
formulas.
145 Chapter 6. Logic

The left rule states that if one has already derived a formula of the form F ∧ G,
where F and G are arbitrary formulas, then one can derive F . The second rule
states that for any two formulas F and G that have been derived, one can also
derive the formula F ∧ G. For example, an application of the right rule yields

{A ∨ B, C ∨ D} ⊢ (A ∨ B) ∧ (C ∨ D),

where F is instantiated as A ∨ B and G is instantiated as C ∨ D. More rules are

discussed in Section 6.4.4.

Definition 6.19. A (logical) calculus38 K is a finite set of derivation rules: K =

{R1 , . . . , Rm }.

Definition 6.20. A derivation39 of a formula G from a set M of formulas in a

calculus K is a finite sequence (of some length n) of applications of rules in K
(see Def. 6.18), leading to G. More precisely, we have
• M0 := M ,
• Mi := Mi−1 ∪ {Gi } for 1 ≤ i ≤ n, where N ⊢Rj Gi for some N ⊆ Mi−1
and for some Rj ∈ K, and where
• Gn = G.
We write
M ⊢K G
if there is a derivation of G from M in the calculus K.
The above treatment of syntactic derivation is not completely general. In
some contexts (e.g. in so-called Natural Deduction for predicate logic, which is
a so-called sequent calculus), one needs to keep track not only of the derived
formulas, but also of the history of the derivation, i.e., the derivation steps that
have led to a given formula.

6.4.3 Soundness and Completeness of a Calculus

A main goal of logic is to formalize reasoning and proofs. One wants to per-
form purely syntactic manipulations on given formulas, defined by a calculus,
to arrive at a new formula which is a logical consequence. In other words, if we
use a calculus, the syntactic concept of derivation (using the calculus) should be
related to the semantic concept of logical consequence.

38 German: Kalkül
39 German: Herleitung
6.4. Logical Calculi 146

Definition 6.21. A derivation rule R is correct if for every set M of formulas and
every formula F , M ⊢R F implies M |= F :
M ⊢R F =⇒ M |= F.

Example 6.7. The two rules of Example 6.6 are correct, but the rule
{F → G, G → F } ⊢ F ∧ G
is not correct. To see this, note that if F and G are both false, then F → G and
G → F are true while F ∧ G is false.

Definition 6.22. A calculus K is sound40 or correct if for every set M of formu-

las and every formula F , if F can be derived from M then F is also a logical
consequence of M :
M ⊢K F =⇒ M |= F,
and K is complete41 if for every M and F , if F is a logical consequence of M ,
then F can also be derived from M :

M |= F =⇒ M ⊢K F.

A calculus is hence sound and complete if

M ⊢K F ⇐⇒ M |= F,
i.e., if logical consequence and derivability are identical. Clearly, a calculus is
sound if and only if every derivation rule is correct. One writes ⊢K F if F can
be derived in K from the empty set of formulas. Note that if ⊢K F for a sound
calculus, then |= F , i.e., F is a tautology.

6.4.4 Some Derivation Rules

In this section we discuss a few derivation rules for propositional logic and any
logic which contains propositional logic. We do not provide a complete and
compactly defined calculus, just a few rules. For singleton sets of formulas we
omit the brackets “{” and “}”.
All equivalences, including the basic equivalences of Lemma 6.1, can be used
as derivation rules. For example, the following derivation rules are correct:
¬¬F ⊢ F F ∧G ⊢ G∧F ¬(F ∨ G) ⊢ ¬F ∧ ¬G
Other natural and correct rules, which capture logical consequences, not equiv-
alences, are:
F ∧G ⊢F F ∧G ⊢ G {F, G} ⊢ F ∧ G
40 German: widerspruchsfrei
41 German: vollständig
147 Chapter 6. Logic

F ⊢ F ∨G F ⊢ G∨F
{F, F → G} ⊢ G {F ∨ G, F → H, G → H} ⊢ H.

Such rules are not necessarily independent. For example, the rule F ∧ G ⊢
G ∧ F could be derived from the above three rules as follows: F can be derived
from F ∧ G and G can also be derived from F ∧ G, resulting in the set {F ∧
G, F, G}. {G, F } is a subset of {F ∧ G, F, G} and hence one of the above rules
yields {G, F } ⊢ G ∧ F .
The last rule discussed above captures case distinction (two cases). It states
that if one knows that F or G is true and that each of them implies H, then we
can conclude H. Such a proof step is in a sense non-constructive because it may
not be known which of F or G is true.
To begin a derivation from the empty set of formulas, one can use any rule
of the form ⊢ F , where F is a tautology. The best-known such rule is

⊢ F ∨ ¬F

called “tertium non datur (TND)” (in English: “there is no third [alternative]”),
which captures the fact that a formula F can only be true or false (in which
case ¬F is true); there is no option in between.42 Another rule for deriving a
tautology is
⊢ ¬(F ↔ ¬F ).
Example 6.8. The following rule can be understood as capturing the principle
of proof by contradiction. (Why?)

{F ∨ G, ¬G} ⊢ F.

The reader can prove the correctness as an exercise.

Which set of rules constitutes an adequate calculus is generally not clear, but
some calculi have received special attention. One could argue both for a small
set of rules (which are considered the fundamental ones from which everything
else is derived) or for a large library of rules (so there is a large degree of freedom
in finding a short derivation).

6.4.5 Derivations from Assumptions

If in a sound calculus K one can derive G under the assumption F , i.e., one can
prove F ⊢K G, then one has proved that F → G is a tautology, i.e., we have

F ⊢K G =⇒ |= (F → G).
42 However, in so-called constructive or intuitionistic logic, this rule is not considered correct be-
cause its application does not require explicit knowledge of whether F or ¬F is true.
6.5. Propositional Logic 148

One could therefore also extend the calculus by the new rule
⊢ (F → G),
which is sound. Here F and G can be expressions involving place-holders for
formulas.
Example 6.9. As a toy example, consider the rules ¬¬F ⊢ F and ¬(F ∨G) ⊢ ¬F .
Let H be an arbitrary formula. Using the second rule (and setting F = ¬H) we
can obtain ¬(¬H ∨ G) ⊢ ¬¬H. Thus, using the first rule (and setting F = H) we
can obtain ¬¬H ⊢ H. Hence we have proved ¬(¬H ∨ G) ⊢ H. As usual, this
holds for arbitrary formulas G and H and hence can be understood as a rule.
When stated in the usual form (with place holders F and G, the rule would be
stated as ¬(¬F ∨ G) ⊢ F .

More generally, we can derive a formula G from several assumptions, for

example

{F1 , F2 } ⊢K G =⇒ |= (F1 ∧ F2 ) → G .

6.4.6 Connection to Proof Systems *

Let us briefly explain the connection between logical calculi and the general concept of
proof systems (Definition 6.2).
In a proof system allowing to prove statements of the form M |= G, one can let
the set S of statements be the set of pairs (M, G). One further needs a precise syntax
for expressing derivations. Such a syntax would, for example, have to include a way to
express how place-holders in rules are instantiated. This aspect of a calculus is usually
not made precise and therefore a logical calculus (alone) does not completely constitute
a proof system in the sense of Definition 6.2. However, in a computerized system this
needs to be made precise, in a language specific to that system, and such computerized
system is hence a proof system in the strict sense of Section 6.2.

6.5 Propositional Logic

We also refer to Section 2.3 where some basics of propositional logic were intro-
duced informally and many examples were already given. This section concen-
trates on the formal aspects and the connection to Section 6.3.

6.5.1 Syntax

Definition 6.23. (Syntax.) An atomic formula is a symbol of the form Ai with

i ∈ N.43 A formula is defined as follows, where the second point is a restatement
(for convenience) of Definition 6.15:
• An atomic formula is a formula.
• If F and G are formulas, then also ¬F , (F ∧G), and (F ∨G) are formulas.
43 A is usually not used. This definition guarantees an unbounded supply of atomic formulas,
0
149 Chapter 6. Logic

A formula built according to this inductive definition corresponds naturally

to a tree where the leaves correspond to atomic formulas and the inner nodes
correspond to the logical operators.

6.5.2 Semantics
Recall Definitions 6.5 and 6.6. In propositional logic, the free symbols of a formula
are all the atomic formulas. For example, the truth value of the formula A ∧ B is
determined only after we specify the truth values of A and B. In propositional
logic, an interpretation is called a truth assignment (see below).

Definition 6.24. (Semantics.) For a set Z of atomic formulas, an interpretation

A, called truth assignment44 , is a function A : Z → {0, 1}. A truth assignment A
is suitable for a formula F if Z contains all atomic formulas appearing in F (see
Definition 6.7). The semantics (i.e., the truth value A(F ) of a formula F under
interpretation A) is defined by A(F ) = A(Ai ) for any atomic formula F = Ai ,
and by Definition 6.16 (restated here for convenience):
A((F ∧ G)) = 1 if and only if A(F ) = 1 and A(G) = 1.
A((F ∨ G)) = 1 if and only if A(F ) = 1 or A(G) = 1.
A(¬F ) = 1 if and only if A(F ) = 0.

Example 6.10. Consider the formula

F = (A ∧ ¬B) ∨ (B ∧ ¬C)

already discussed in Section 2.3. The truth assignment A : Z → {0, 1} for

Z = {A, B} that assigns A(A) = 0 and A(B) = 1 is not suitable for F because
no truth value is assigned to C, and the truth assignment A : Z → {0, 1} for
Z = {A, B, C, D} that assigns A(A) = 0, A(B) = 1, A(C) = 0, and A(D) = 1 is
suitable and also a model for F . F is satisfiable but not a tautology.

6.5.3 Brief Discussion of General Logic Concepts

We briefly discuss the basic concepts from Section 6.3.6 in the context of propo-
sitional logic.
Specializing Definition 6.13 to the case of propositional logic, we confirm
Definition 2.6: Two formulas F and G are equivalent if, when both formulas
are considered as functions M → {0, 1}, where M is the union of the atomic
formulas of F and G, then the two functions are identical (i.e., have the same
function table).
but as a notational convention we can also write A, B, C, . . . instead of A1 , A2 , A3 , . . ..
44 German: (Wahrheits-)Belegung
6.5. Propositional Logic 150

Specializing Definition 6.12 to the case of propositional logic, we see that G

is a logical consequence of F , i.e., F |= G, if the function table of G contains a 1
for at least all argument for which the function table of F contains a 1.45

Example 6.11. F = (A ∧ ¬B) ∨ (B ∧ ¬C) is a logical consequence of A and ¬C,

i.e., {A, ¬C} |= F . In contrast, F is not a logical consequence of A and B, i.e.,
{A, B} 6|= F .

The basic equivalences of Lemma 6.1 apply in particular to propositional

logic.

6.5.4 Normal Forms

Definition 6.25. A literal is an atomic formula or the negation of an atomic for-

mula.

Definition 6.26. A formula F is in conjunctive normal form (CNF) if it is a con-

junction of disjunctions of literals, i.e., if it is of the form

F = (L11 ∨ · · · ∨ L1m1 ) ∧ · · · ∧ (Ln1 ∨ · · · ∨ Lnmn )

for some literals Lij .

Example 6.12. The formula (A ∨ ¬B) ∧ (¬A ∨ B ∨ ¬D) ∧ ¬C is in CNF.

Definition 6.27. A formula F is in disjunctive normal form (DNF) if it is a disjunc-

tion of conjunctions of literals, i.e., if it is of the form

F = (L11 ∧ · · · ∧ L1m1 ) ∨ · · · ∨ (Ln1 ∧ · · · ∧ Lnmn )

for some literals Lij .

Example 6.13. The formula (B ∧ C) ∨ (¬A ∧ B ∧ ¬C) is in DNF.

Theorem 6.4. Every formula is equivalent to a formula in CNF and also to a formula
in DNF.

Proof. Consider a formula F with atomic formulas A1 , . . . , An with a truth table

of size 2n .
45 If
the truth values 0 and 1 were interpreted as numbers, then F |= G means that G is greater or
equal to F for all arguments. This also explains why F |= G and G |= H together imply F |= H.
151 Chapter 6. Logic

Given such a formula F , one can use the truth table of F to derive an equiv-
alent formula in DNF, as follows. For every row of the function table evaluating
to 1 one takes the conjunction of the n literals defined as follows: If Ai = 0 in
the row, one takes the literal ¬Ai , otherwise the literal Ai . This conjunction is a
formula whose function table is 1 exactly for the row under consideration (and
0 for all other rows). Then one takes the disjunction of all these conjunctions. F
is true if and only if one of the conjunctions is true, i.e., the truth table of this
formula in DNF is identical to that of F .
Given such a formula F , one can also use the truth table of F to derive an
equivalent formula in CNF, as follows. For every row of the function table eval-
uating to 0 one takes the disjunction of the n literals defined as follows: If Ai = 0
in the row, one takes the literal Ai , otherwise the literal ¬Ai . This disjunction
is a formula whose function table is 0 exactly for the row under consideration
(and 1 for all other rows). Then one takes the conjunction of all these (row-wise)
disjunctions. F is false if and only if all the disjunctions are false, i.e., the truth
table of this formula in CNF is identical to that of F .
Example 6.14. Consider the formula F = (A ∧ ¬B) ∨ (B ∧ ¬C) from above.
The function table is
A B C (A ∧ ¬B) ∨ (B ∧ ¬C)
0 0 0 0
0 0 1 0
0 1 0 1
0 1 1 0
1 0 0 1
1 0 1 1
1 1 0 1
1 1 1 0
We therefore obtain the following DNF
F ≡ (¬A ∧ B ∧ ¬C) ∨ (A ∧ ¬B ∧ ¬C) ∨ (A ∧ ¬B ∧ C) ∨ (A ∧ B ∧ ¬C)
as the disjunction of 4 conjunctions. And we obtain the following CNF
F ≡ (A ∨ B ∨ C) ∧ (A ∨ B ∨ ¬C) ∧ (A ∨ ¬B ∨ ¬C) ∧ (¬A ∨ ¬B ∨ ¬C).
as the conjunction of 4 disjunctions.

It is often useful to transform a given formula into an equivalent formula in

a certain normal form, but the CNF and the DNF resulting from the truth table
as described in the proof of Theorem 6.4 are generally exponentially long. In
fact, in the above example F is already given in disjunctive normal form, and
the procedure has resulted in a much longer (equivalent) formula in DNF.
A transformation to CNF or DNF can also be carried out by making use of
the basic equivalences of propositional logic.
6.5. Propositional Logic 152

Example 6.15. For the formula ¬ (A∧¬B)∨(B∧C) ∨D we derive an equivalent
formula in CNF, using the basic equivalences of Lemma 6.1:



¬ (A ∧ ¬B) ∨ (B ∧ C) ∨ D ≡ ¬(A ∧ ¬B) ∧ ¬(B ∧ C) ∨ D


≡ (¬A ∨ ¬¬B) ∧ (¬B ∨ ¬C) ∨ D


≡ (¬A ∨ B) ∧ (¬B ∨ ¬C) ∨ D
≡ ((¬A ∨ B) ∨ D) ∧ ((¬B ∨ ¬C) ∨ D)
≡ (¬A ∨ B ∨ D) ∧ (¬B ∨ ¬C ∨ D).

In the first step we have used F ∧ G ≡ ¬(¬F ∨ ¬G), which is a direct con-
sequence of rule 8) of Lemma 6.1. In the second step we have applied rule 8)
twice, etc.

6.5.5 The Resolution Calculus for Propositional Logic

Resolution is an important logical calculus that is used in certain computer al-
gorithms for automated reasoning. The calculus is very simple in that it consists
of a single derivation rule. The purpose of a derivation is to prove that a given
set M of formulas (or, equivalently, their conjunction) is unsatisfiable.
As mentioned earlier (see Lemma 6.2), this also allows to prove that a for-
mula F is a tautology, which is the case if and only if ¬F is unsatisfiable. It also
allows to prove that a formula F is a logical consequence of a set M of formulas
(i.e., M |= F ), as this is the case if and only if the set M ∪ {¬F } is unsatisfiable
(see Lemma 6.3).
The resolution calculus assumes that all formulas of M are given in conjunc-
tive normal form (CNF, see Definition 6.26). This is usually not the case, and
therefore the formulas of M must first be transformed into equivalent formulas
in CNF, as explained earlier. Moreover, instead of working with CNF-formulas
(as the syntactic objects), one works with an equivalent object, namely sets of
clauses.
Recall (Definition 6.25) that a literal is an atomic formula or the negation of
an atomic formula. For example A and ¬B are literals.

Definition 6.28. A clause is a set of literals.

Example 6.16. {A, ¬B, ¬D} and {B, C, ¬C, ¬D, E} are clauses, and the empty
set ∅ is also a clause.

Definition 6.29. The set of clauses associated to a formula

F = (L11 ∨ · · · ∨ L1m1 ) ∧ · · · ∧ (Ln1 ∨ · · · ∨ Lnmn )

153 Chapter 6. Logic

in CNF, denoted as K(F ), is the set

def 
K(F ) = {L11 , . . . , L1m1 } , . . . , {Ln1 , . . . , Lnmn } .
The set of clauses associated with a set M = {F1 , . . . , Fk } of formulas is the
union of their clause sets:
k
def [
K(M ) = K(Fi ).
i=1

The idea behind this definition is that a clause is satisfied by a truth assign-
ment if and only if it contains some literal that evaluates to true. In other words,
a clause stands for the disjunction (OR) of its literals. Likewise, a set K(M ) of
clauses is satisfied by a truth assignment if every clause in K(M ) is satisfied by it.
In other words, a set of clauses stands for the conjunction (AND) of the clauses.
Vk
The set M = {F1 , . . . , Fk } is satisfied if and only if i=1 Fi is satisfied, i.e., if and
only if all clauses in K(M ) are satisfied. Note that the empty clause corresponds to
an unsatisfiable formula and the empty set of clauses corresponds to a tautology.
Note that for a given formula (not necessarily in CNF) there are many equiv-
alent formulas in CNF and hence many equivalent sets of clauses. Conversely,
to a given set K of clauses one can associate many formulas which are, how-
ever, all equivalent. Therefore, one can naturally think of a set of clauses as a
(canonical) formula, and the notions of satisfiability, equivalence, and logical
consequence carry over immediately from formulas to clause sets.

Definition 6.30. A clause K is a resolvent of clauses K1 and K2 if there is a literal

L such that L ∈ K1 , ¬L ∈ K2 , and46



K = K1 \ {L} ∪ K2 \ {¬L} . (6.1)

Example 6.17. The clauses {A, ¬B, ¬C} and {¬A, C, D, ¬E} have two resol-
vents: If A is eliminated, we obtain the clause {¬B, ¬C, C, D, ¬E}, and if C
is eliminated, we obtain the clause {A, ¬B, ¬A, D, ¬E}. Note that clauses are
sets and we can write the elements in arbitrary order. In particular, we could
write the latter clause as {A, ¬A, ¬B, D, ¬E}.

It is important to point out that resolution steps must be carried out one by
one; one cannot perform two steps at once. For instance, in the above exam-
ple, {¬B, D, ¬E} is not a resolvent and can also not be obtained by two res-
olution steps, even though {¬B, D, ¬E} would result from {A, ¬B, ¬C} and
{¬A, C, D, ¬E} by eliminating A and ¬C from the first clause and ¬A and C
from the second clause.47
46 For a literal L, ¬L is the negation of L, for example if L = ¬A, then ¬L = A.
47 A simpler example illustrating this is that {{A, B}, {¬A, ¬B}} is satisfiable, but a “double”
resolution step would falsely yield ∅, indicating that {{A, B}, {¬A, ¬B}} is unsatisfiable.
6.5. Propositional Logic 154

Given a set K of clauses, a resolution step takes two clauses K1 ∈ K and

K2 ∈ K, computes a resolvent K, and adds K to K. To be consistent with
Section 6.4.2, one can write the resolution rule (6.1) as follows:48

{K1 , K2 } ⊢res K,

where equation (6.1) must be satisfied. The resolution calculus, denoted Res,
consists of a single rule:
Res = {res}.
Recall that we write K ⊢Res K if K can be derived from K using a finite num-
ber of resolution steps.49

Lemma 6.5. The resolution calculus is sound, i.e., if K ⊢Res K then K |= K.50

Proof. We only need to show that the resolution rule is correct, i.e., that if K is a
resolvent of clauses K1 , K2 ∈ K, then K is logical consequence of {K1 , K2 }, i.e.,

{K1 , K2 } ⊢res K =⇒ {K1 , K2 } |= K.

Let A be an arbitrary truth assignment suitable for {K1 , K2 } (and hence also for
K). Recall that A is a model for {K1 , K2 } if and only if A makes at least one
literal in K1 true and also makes at least one literal in K2 true.
We refer to Definition 6.30 and distinguish two cases. If A(L) = 1, then
A makes at least one literal in K2 \ {¬L} true (since ¬L is false). Similarly, if
A(L) = 0, then A makes at least one literal in K1 \ {L} true (since L is false).
Because one of the two cases occurs, A makes at least one literal in K = (K1 \
{L}) ∪ (K2 \ {¬L}) true, which means that A is a model for K.

The goal of a derivation in the resolution calculus is to derive the empty

clause ∅ by an appropriate sequence of resolution steps. The following theorem
states that the resolution calculus is complete with respect to the task of proving
unsatisfiability.

Theorem 6.6. A set M of formulas is unsatisfiable if and only if K(M ) ⊢Res ∅.

Proof. The “if” part (soundness) follows from Lemma 6.5: If K(M ) ⊢Res ∅,
then K(M ) |= ∅, i.e., every model for K(M ) is a model for ∅. Since ∅ has no
model, K(M ) also does not have a model. This means that K(M ) is unsatisfiable.
48 In the literature, one usually does not use the symbol ⊢ in the context of resolution.
49 In the lecture we introduce a natural graphical notation for writing a sequence of resolution
steps.
50 For convenience, the clause K is understood to mean the singleton clause set {K}. In other

words, the truth value of a clause K is understood to be the same the truth value of {K}.
155 Chapter 6. Logic

It remains to prove the “only if” part (completeness with respect to unsatis-
fiability). We need to show that if a clause set K is unsatisfiable, then ∅ can be
derived by some sequence of resolution steps. The proof is by induction over
the number n of atomic formulas appearing in K. The induction basis (for n = 1)
is as follows. A clause set K involving only literals A1 and ¬A1 is unsatisfiable
if and only if it contains the clauses {A1 } and {¬A1 }. One can derive ∅ exactly
if this is the case.
For the induction step, suppose that for every clause set K′ with n atomic
formulas, K′ is unsatisfiable if and only if K′ ⊢Res ∅. Given an arbitrary
clause set K for the atomic formulas A1 , . . . , An+1 , define the two clause sets K0
and K1 as follows. K0 is the clause set for atomic formulas A1 , . . . , An obtained
from K by setting An+1 = 0, i.e.,
• by eliminating all clauses from K containing ¬An+1 (which are satisfied
since ¬An+1 = 1), and
• by eliminating from each remaining clause the literal An+1 if it appears in
it (since having An+1 in it can not contribute to the clause being satisfied).

K is satisfiable under the constraint An+1 = 0 if and only if K0 is satisfiable.

Analogously, K1 is obtained from K by eliminating all clauses containing
An+1 and by eliminating from each remaining clause the literal ¬An+1 if it ap-
pears in it. K is satisfiable under the constraint An+1 = 1 if and only if K1 is
satisfiable.
If K is unsatisfiable, it is unsatisfiable both for An+1 = 0 and for An+1 = 1,
i.e., both K0 and K1 are unsatisfiable. Therefore, by the induction hypothesis,
we have K0 ⊢Res ∅ and K1 ⊢Res ∅. Now imagine that the same resolution
steps leading from K0 to ∅ are carried out on K, i.e., with An+1 . This derivation
may or may not involve clauses (of K) that contain An+1 . In the latter case (i.e.,
An+1 not contained), the derivation of ∅ from K0 is also a derivation of ∅ from
K, and in the other case it corresponds to a derivation of {An+1 } from K.
Analogously, the derivation of ∅ from K1 corresponds to a derivation of ∅
from K or to a derivation of {¬An+1 } from K.
If in any of the two cases we have a derivation of ∅ from K, we are done
(since ∅ can be derived from K, i.e., K ⊢Res ∅). If this is not the case, then
we have a derivation of {An+1 } from K, i.e., K ⊢Res {An+1 } as well as a
derivation of {¬An+1 } from K, i.e., K ⊢Res {¬An+1 }. From these two clauses
one can derive ∅ by a final resolution step. This completes the proof.
6.6. Predicate Logic (First-order Logic) 156

6.6 Predicate Logic (First-order Logic)

We also refer to Section 2.4 where some basics of predicate logic were introduced
informally. Predicate logic is an extension of propositional logic, i.e., proposi-
tional logic is embedded in predicate logic as a special case.

6.6.1 Syntax
Definition 6.31. (Syntax of predicate logic.)
• A variable symbol is of the form xi with i ∈ N.51
(k)
• A function symbol is of the form fi with i, k ∈ N, where k denotes the
number of arguments of the function. Function symbols for k = 0 are
called constants.
(k)
• A predicate symbol is of the form Pi with i, k ∈ N, where k denotes the
number of arguments of the predicate.
• A term is defined inductively: A variable is a term, and if t1 , . . . , tk are
(k)
terms, then fi (t1 , . . . , tk ) is a term. For k = 0 one writes no parentheses.
• A formula is defined inductively:
(k)
– For any i and k, if t1 , . . . , tk are terms, then Pi (t1 , . . . , tk ) is a for-
mula, called an atomic formula.
– If F and G are formulas, then ¬F , (F ∧ G), and (F ∨ G) are formulas.
– If F is a formula, then, for any i, ∀xi F and ∃xi F are formulas.

∀ is called the universal quantifier, and ∃ is called the existential quantifier.

A formula constructed according to this inductive definition corresponds
naturally to a tree where the leaves correspond to terms and the inner nodes
correspond to the logical operators and the quantifiers.
To simplify notation, one usually uses function symbols f, g, h, where the
number of arguments is implicit, and for constants one uses the symbols a, b, c.
Similarly, one uses predicate symbols P, Q, R, where the number of arguments is
implicit. Moreover, one uses variable names x, y, z instead of xi , and sometimes
also u, v, w or k, m, n. To avoid confusion one can also use (∀x F ) and (∃x F )
instead of ∀x F and ∃x F .

6.6.2 Free Variables and Variable Substitution

Definition 6.32. Every occurrence of a variable in a formula is either bound or
free. If a variable x occurs in a (sub-)formula of the form ∀x G or ∃x G, then it is
bound, otherwise it is free.52 A formula is closed53 if it contains no free variables.
51 x
0 is usually not used.
52 The occurrence of a variable x immediately following a quantifier is also bound.
157 Chapter 6. Logic

Note that the same variable can occur bound and free in a formula. One can
draw the construction tree (see lecture) of a formula showing how a formula is
constructed according to the rules of Definition 6.31. Within the subtree corre-
sponding to ∀x or ∃x, all occurrences of x are bound.
Example 6.18. In the formula


F = Q(x) ∨ ∀y P (f (x, y)) ∧ ∃x R(x, y) ,

the first two occurrences of x are free, the other occurrences are bound. The last
occurrence of y is free, the other occurrences are bound.

Definition 6.33. For a formula F , a variable x and a term t, F [x/t] denotes the
formula obtained from F by substituting every free occurrence of x by t.

Example 6.19. For the formula F of Example 6.18 we have

F [x/g(a, z)] = Q(g(a, z)) ∨ ∀y P (f (g(a, z), y)) ∧ ∃x R(x, y) .

6.6.3 Semantics
Recall Definitions 6.5 and 6.6. In predicate logic, the free symbols of a formula are all
predicate symbols, all function symbols, and all occurrences of free variables. An inter-
pretation, called structure in the context of predicate logic, must hence define a
universe and the meaning of all these free symbols.

Definition 6.34. An interpretation or structure is a tuple A = (U, φ, ψ, ξ) where

• U is a non-empty universe,
• φ is a function assigning to each function symbol (in a certain subset of all
function symbols) a function, where for a k-ary function symbol f , φ(f )
is a function U k → U .
• ψ is a function assigning to each predicate symbol (in a certain subset of
all predicate symbols) a function, where for a k-ary predicate symbol P ,
ψ(P ) is a function U k → {0, 1}, and where
• ξ is a function assigning to each variable symbol (in a certain subset of all
variable symbols) a value in U .

For notational convenience, for a structure A = (U, φ, ψ, ξ) and a function

symbol f one usually writes f A instead of φ(f ). Similarly, one writes P A instead
of ψ(P ) and xA instead of ξ(x). One also writes U A rather than U to make A
explicit.
53 German: geschlossen
6.6. Predicate Logic (First-order Logic) 158

We instantiate Definition 6.7 for predicate logic:

Definition 6.35. A interpretation (structure) A is suitable for a formula F if it

defines all function symbols, predicate symbols, and freely occurring variables
of F .

Example 6.20. For the formula

F = ∀x P (x) ∨ P (f (x, a)) ,
a suitable structure A is given by U A = N, by aA = 3 and f A (x, y) = x + y,
and by letting P A be the “evenness” predicate (i.e., P A (x) = 1 if and only if x is
even). For obvious reasons, we will say (see below) that the formula evaluates
to true for this structure.
Another suitable structure A for F is defined by U A = R, aA = 2, f A (x, y) =
xy and by P A (x) = 1 if and only if x ≥ 0 (i.e., P A is the “positiveness” predi-
cate). For this structure, F evaluates to false (since, for example, x = −2 makes
P (x) and P (f (x, a)) = P (2x) false).

The semantics of a formula is now defined in the natural way as already

implicitly discussed in Section 2.4.

Definition 6.36. (Semantics.) For an interpretation (structure) A = (U, φ, ψ, ξ),

we define the value (in U ) of terms and the truth value of formulas under that
structure.
• The value A(t) of a term t is defined recursively as follows:
– If t is a variable, i.e., t = xi , then A(t) = ξ(xi ).
– If t is of the form f (t1 , . . . , tk ) for terms t1 , . . . , tk and a k-ary function
symbol f , then A(t) = φ(f )(A(t1 ), . . . , A(tk )).
• The truth value of a formula F is defined recursively by Definition 6.16
and
– If F is of the form F = P (t1 , . . . , tk ) for terms t1 , . . . , tk and a k-ary
predicate symbol P , then A(F ) = ψ(P )(A(t1 ), . . . , A(tk )).
– If F is of the form ∀x G or ∃x G, then let A[x→u] for u ∈ U be the same
structure as A except that ξ(x) is overwritten by u (i.e., ξ(x) = u):

1 if A[x→u] (G) = 1 for all u ∈ U
A(∀x G) =
0 else

1 if A[x→u] (G) = 1 for some u ∈ U
A(∃x G) =
0 else.

This definition defines the function σ(F, A) of Definition 6.8. Note that the
definition is recursive not only on formulas (see the second bullet of the defini-
159 Chapter 6. Logic

tion), but also on structures. Namely, A(∀x G) and A(∃x G) are defined in terms
of all structures A[x→u] (G) for u ∈ U . To evaluate the truth value of a formula
F = ∀x G one needs to apply Definition 6.36 recursively, for formula G and all
structures A[x→u] .
The basic concepts discussed in Section 6.3 such as satisfiable, tautology,
model, logical consequence, and equivalence, are now immediately instantiated
for predicate logic.
Note that the syntax of predicate logic does not require nested quantified
variables in a formula to be distinct, but we will avoid such overload of variable
names to avoid any confusion. For example, the formula ∀x (P (x) ∨ ∃y Q(y)) is
equivalent to ∀x (P (x) ∨ ∃x Q(x)).

6.6.4 Predicate Logic with Equality

Reexamining the syntax of predicate logic it may surprise that the equality sym-
bol “=” is not allowed. For example, ∃x f (x) = g(x) is not a formula. However,
one can extend the syntax and the semantics of predicate logic to include the
equality symbol “=” with its usual meaning. This is left as an exercise.

6.6.5 Some Basic Equivalences Involving Quantifiers

In addition to the equivalences stated in Lemma 6.1), we have:

Lemma 6.7. For any formulas F , G, and H, where x does not occur free in H, we have
1) ¬(∀x F ) ≡ ∃x ¬F ;
2) ¬(∃x F ) ≡ ∀x ¬F ;
3) (∀x F ) ∧ (∀x G) ≡ ∀x (F ∧ G);
4) (∃x F ) ∨ (∃x G) ≡ ∃x (F ∨ G);
5) ∀x ∀y F ≡ ∀y ∀x F ;
6) ∃x ∃y F ≡ ∃y ∃x F ;
7) (∀x F ) ∧ H ≡ ∀x (F ∧ H);
8) (∀x F ) ∨ H ≡ ∀x (F ∨ H);
9) (∃x F ) ∧ H ≡ ∃x (F ∧ H);
10) (∃x F ) ∨ H ≡ ∃x (F ∨ H).

Proof. We only prove statement 7). The other proofs are analogous.
We have to show that every structure A that is a model for (∀x F ) ∧ H is
also a model for ∀x (F ∧ H), and vice versa.
6.6. Predicate Logic (First-order Logic) 160

Recall that the definition of the semantics of a formula ∀x G for a structure

A is that, for all u ∈ U , A[x→u] (G) = 1.
To prove the
first direction, i.e., (∀x F ) ∧ H |= ∀x (F ∧ H), suppose that
A (∀x F ) ∧ H = 1 and hence54 that (i) A(∀x F ) = 1 and that (ii) A(H) = 1.
Recall that (i) means that A[x→u] (F ) = 1 for all u ∈ U , and (ii) means that
A[x→u] (H) = 1 for all u ∈ U (since x does not occur free in H and hence
A[x→u] (H) = A(H)). Therefore A[x→u] (F ∧ H) = 1 for all u ∈ U , which means
that A(∀x (F ∧ H)) = 1, which was to be proved.
To prove the
other direction, i.e. ∀x (F ∧ H) |= (∀x F ) ∧ H, suppose that
A ∀x (F ∧ H) = 1, i.e., for all u ∈ U , A[x→u] (F ∧ H) = 1, which means that (i)
A[x→u] (F ) = 1 for all u ∈ U and (ii) A[x→u] (H) = 1 for all u ∈ U . By definition,
(i) means that A(∀x F ) = 1. Moreover, because x does not occur free in H, by (ii)
we have A[x→u] (H) = A(H) = 1 for all u, which by definition means A |= H.
Hence A |= (∀x F ) ∧ H.

The following natural lemma is stated without proof.

Lemma 6.8. If one replaces a sub-formula G of a formula F by an equivalent (to G)

formula H, then the resulting formula is equivalent to F .

Example 6.21. ∀y Q(x, y) is a sub-formula of ∃x (P (x) ∨ ∀y Q(x, y)). Therefore

∃x (P (x) ∨ ∀y Q(x, y)) ≡ ∃x (P (x) ∨ ¬∃y ¬Q(x, y))

because ∀y Q(x, y) ≡ ¬∃y ¬Q(x, y).

6.6.6 Substitution of Bound Variables

The following lemma states that the name of a bound variable carries no seman-
tic meaning and can therefore be replaced by any other variable name that does
not occur elsewhere. This is called bound substitution.

Lemma 6.9. For a formula G in which y does not occur, we have

• ∀x G ≡ ∀y G[x/y],
• ∃x G ≡ ∃y G[x/y].

Proof. For any structure A = (U, φ, ψ, ξ) and u ∈ U we have

A[x→u] (G) = A[y→u] (G[x/y]).

Therefore ∀x G is true for exactly the same structures for which ∀y G[x/y] is
true.
54 according to the semantics of ∧, see Definition 6.36
161 Chapter 6. Logic

Example 6.22. The formula ∀x ∃y (P (x, f (y)) ∨ Q(g(x), a)) is equivalent to the
formula ∀u ∃v (P (u, f (v)) ∨ Q(g(u), a)) obtained by substituting x by u and y
by v.

Definition 6.37. A formula in which no variable occurs both as a bound and

as a free variable and in which all variables appearing after the quantifiers are
distinct is said to be in rectified55 form.

By appropriately renaming quantified variables one can transform any for-

mula into an equivalent formula in rectified form.

6.6.7 Normal Forms

It is often useful to transform a formula into an equivalent formula of a specific
form, called a normal form. This is analogous to the conjunctive and disjunctive
normal forms for formulas in propositional logic.

Definition 6.38. A formula of the form

Q1 x1 Q2 x2 · · · Qn xn G,

where the Qi are arbitrary quantifiers (∀ or ∃) and G is a formula free of quanti-

fiers, is said to be in prenex form56 .

Theorem 6.10. For every formula there is an equivalent formula in prenex form.

Proof. One first transforms the formula into an equivalent formula in rectified
form and then applies the equivalences of Lemma 6.7 move up all quantifiers in
the formula tree, resulting in a prenex form of the formula.
Example 6.23.



¬ ∀x P (x, y) ∧ ∃y Q(x, y, z) ≡ ¬ ∀u P (u, y) ∧ ∃v Q(x, v, z)
≡ ¬∀u P (u, y) ∨ ¬∃v Q(x, v, z)
(1)
≡ ∃u ¬P (u, y) ∨ ¬∃v Q(x, v, z)
(2)
≡ ∃u ¬P (u, y) ∨ ∀v ¬ Q(x, v, z)
(10)

≡ ∃u ¬P (u, y) ∨ ∀v ¬ Q(x, v, z)


≡ ∃u ∀v ¬ Q(x, v, z) ∨ ¬P (u, y)
55 German: bereinigt
56 German: Pränexform
6.6. Predicate Logic (First-order Logic) 162

(8)


≡ ∃u ∀v ¬Q(x, v, z) ∨ ¬P (u, y)


≡ ∃u ∀v ¬Q(x, v, z) ∨ ¬P (u, y)


≡ ∃u ∀v ¬P (u, y) ∨ ¬ Q(x, v, z) .

In the first step we have renamed the bound variables, in the second step we
made use of the equivalence ¬(F ∧ G) ≡ ¬F ∨ ¬G (Lemma 6.1 8)), and then we
have applied the rules of Lemma 6.7, as indicated. We have also made explicit
the use of the commutative law for ∨ (Lemma 6.1 2)). In the second last step,
the removal of parentheses is made explicit. The last step, again making use
of Lemma 6.1 2), is included (only) to arrive at a form with the same order of
occurrence of P and Q.

One can also transform every formula F into a formula G in prenex form that
only contains universal quantifiers (∀). However, such a formula is in general
not equivalent to F , but only equivalent with respect to satisfiability. In other
words, F is satisfiable if and only if G is satisfiable. Such a normal form is called
Skolem normal form. This topic is beyond the scope of this course.

6.6.8 Derivation Rules

It is beyond the scope of this course to systematically discuss derivation rules
for predicate logic, let alone an entire calculus. But, as an example, we discuss
one such rule, called universal instantiation (or also universal elimination). It states
that for any formula F and any term t, one can derive from the formula ∀xF the
formula F [x/t], thus eliminating the quantifier ∀:57

∀xF ⊢ F [x/t]

This rule is justified by the following lemma (proof left as an exercise).

Lemma 6.11. For any formula F and any term t we have

∀xF |= F [x/t].

6.6.9 An Example Theorem and its Interpretations

The following apparently innocent theorem is a powerful statement from which
several important corollaries follow as special cases. The example illustrates
that one can prove a general theorem in predicate logic and, because it is a tau-
tology, it can then be instantiated for different structures (i.e., interpretations),
for each of which it is true.
57 Note that if x does not occur free in F , the statement still holds but in this case is trivial.
163 Chapter 6. Logic

Theorem 6.12. ¬∃x∀y P (y, x) ↔ ¬P (y, y) .

Recall that the statement

of the theorem means that the formula
¬∃x∀y P (y, x) ↔ ¬P (y, y) is a tautology, i.e., true for any suitable structure,
i.e., for any universe and any choice of the predicate P .

Proof. We can transform the formula by equivalence transformations:

¬∃x ∀y P (y, x) ↔ ¬P (y, y) ≡ ∀x ¬∀y P (y, x) ↔ ¬P (y, y)


≡ ∀x ∃y ¬ P (y, x) ↔ ¬P (y, y)


≡ ∀x ∃y P (y, x) ↔ P (y, y) ,

where we have made use of ¬(F ↔ ¬G) ≡ (F ↔ G), which is easily checked
to hold by comparing the truth tables of ¬(A ↔ ¬B) and (A ↔ B)


To see that the latter formula (i.e., ∀x ∃y P (y, x) ↔ P (y, y) ) is a tautology,
let A be an arbitrary suitable interpretation, which defines the universe U A and
the predicate P A . Below we omit the superscripts A and write simply U and P .
Since A is arbitrary, it suffices to show that


A(∀x ∃y P (y, x) ↔ P (y, y) ) = 1.

This can be shown as follows: For every u ∈ U we have

A(P (u, u) ↔ P (u, u)) = 1.

Hence for every u ∈ U we have

A[x→u][y→u] (P (y, x) ↔ P (y, y)) = 1,

and therefore for every fixed u ∈ U we have

A[x→u] (∃y P (y, x) ↔ P (y, y)) = 1,

and therefore we have

A(∀x ∃y P (y, x) ↔ P (y, y)) = 1,

as was to be shown.

Let us now interpret Theorem 6.12. We can instantiate it for different uni-
verses and predicates. The first interpretation is Russel’s paradox:

Corollary 6.13. There exists no set that contains all sets S that do not contain them-
selves, i.e., {S| S 6∈ S} is not a set.
6.6. Predicate Logic (First-order Logic) 164

Proof. We consider the universe of all sets58 and, to be consistent with the chap-
ter on set theory, use the variable names R instead of x and S instead of y.59
Moreover, we consider the specific predicate P defined as P (S, R) = 1 if and
only if S ∈ R. Then Theorem 6.12 specializes to


¬∃R ∀S S ∈ R ↔ S 6∈ S .

This formula states that there is no set R such that for a set (say S) to be in R is
equivalent to not being contained in itself (S 6∈ S).

It is interesting to observe that Russell’s paradox is a fact that holds more

generally than in the universe of sets and where P (x, y) is defined as x ∈ y. We
state another corollary:

Example 6.24. The reader can investigate as an exercise that Theorem 6.12 also
explains the so-called barber paradox (e.g. see Wikipedia) which considers a
town with a single barber as well as the set of men that do not shave themselves.

The following corollary was already stated as Theorem 3.23.

Corollary 6.14. The set {0, 1}∞ is uncountable.

We prove the equivalent statement: Every enumeration of elements of

{0, 1}∞ does not contain all elements of {0, 1}∞.

Proof. We consider the universe N and a fixed enumeration of elements of

{0, 1}∞, and we interpret P (y, x) as the yth bit of the xth sequence

of the enu-
meration. Then Theorem 6.12, ¬∃x∀y P (y, x) ↔ ¬P (y, y) , states that there
exists no index x, i.e., no sequence in the enumeration, such that for all y, the yth
bit on that sequence is equal to the negation of the yth bit on the yth sequence.
But the sequence given by y 7→ ¬P (y, y) is a well-defined sequence in {0, 1}∞,
and we just proved that it does not occur in the enumeration.

Note that the proof of this corollary contains Cantor’s diagonalization argu-
ment, which is hence implicite in Theorem 6.12.
We discuss a further use of the theorem. If we understand a program as de-
scribable by a finite bit-string, or, equivalently, a natural number (since there is
a bijection between finite bit-strings and natural numbers), and if we consider
programs that take a natural number as input and output 0 or 1, then we ob-
tain the following theorem. (Here we ignore programs that do not halt (i.e.,
58 The universe of all sets is not a set itself. Formally, the universe in predicate logic need not be a

set (in the sense of set theory), it can be a “collection” of objects.

59 The particular variable names (R and S) are not relevant and are chosen simply to be compatible

with the chapter on set theory where sets were denoted by capital letters and Russel’s proposed set
was called R. Here we have deviated from the convention to use only small letters for variables.
165 Chapter 6. Logic

loop forever), or, equivalently, we interpret looping as output 0.) The following
corollary was already stated as Corollary 3.24.60
Corollary 6.15. There are uncomputable functions N → {0, 1}.

Proof. We consider the universe N, and a program is thought of as represented

by a natural number. Let P (y, x) = 1 if and only if the bit that
program x outputs
for input y is 1. Theorem 6.12, ¬∃x∀y P (y, x) ↔ ¬P (y, y) , states that there
exists no program x that (for all inputs y) computes the function y 7→ ¬P (y, y),
i.e., this function is uncomputable.

The above corollary was already discussed as Corollary 3.24, as a direct

consequence of Corollary 6.14 (i.e., of Theorem 3.23). The proof given here is
stronger in the sense that it provides a concrete function, namely the function
y 7→ ¬P (y, y), that is not computable.61 We state this as a corollary:
Corollary 6.16. The function N → {0, 1} assigning to each y ∈ N the complement of
what program y outputs on input y, is uncomputable.

We point out that the corollary does not exclude the existence of a program
that computes the function for an overwhelming fraction of the y, it excludes
only the existence of a program that computes the function for all but finitely
many arguments.

6.7 Beyond Predicate Logic *

The expressiveness of every logic is limited. For example, one can not express meta-
theorems about the logic as formulas within the logic. It is therefore no surprise that the
expressiveness of predicate logic is also limited.
The formula F = ∀x∃y P (x, y) can equivalently be stated as follows: There exists a
(unary) function f : U → U such that ∀x P (x, f (x)). The function f assigns to every x
one of the y for which P (x, y). Such a y must exist according to F .
In other words, the pair of quantifiers ∀x∃y is equivalent to the existence of a func-
tion. However, we can not write this as a formula since function symbols are not vari-
ables and can not be used with a quantifier. The formula ∃f P (x, f (x)) is not a formula
in predicate (or first-order) logic. Such formulas exist only in second-order logic, which
is substantially more involved and not discussed here.
Predicate logic is actually more limited than one might think. As an example, con-
sider the formula
∀w ∀x ∃y ∃z P (w, x, y, z).
60 Explaining the so-called Halting problem, namely to decide whether a given program halts for

a given input, would require a more general theorem than Theorem 6.12, but it could be explained
in the same spirit.
61 This function of course depends on the concrete programming language which determines the

exact meaning of a program and hence determines P .

6.7. Beyond Predicate Logic * 166

In this formula, y and z can depend on both w and x. It is not possible to express, as a
formula in predicate logic, that in the above formula, y must only depend on w and z
must only depend on x. This appears to be an artificial restriction that is not desirable.