Professional Documents
Culture Documents
Chinese Remainder Theorem
Chinese Remainder Theorem
an introduction
OVERVIEW
Chinese Remainder Theorem RSA Decryption
notice that 70 = 1 (mod 3) = 0 (mod 5) = 0 (mod 7) 21 = 0 (mod 3) = 1 (mod 5) = 0 (mod 7) 15 = 0 (mod 3) = 0 (mod 5) = 1 (mod 7)
x = 70(2) + 21(3) + 15(2) (mod 105) = 140 + 63 + 30 (mod 105) = 233 (mod 105) = 23 (mod 105)
Mi =
m
k =1
yi = (M i ) (mod mi )
1
mi
(modulo inverses can be found using Extended Euclidean Algorithm see any elementary number theory book)
x = (1)(105)(1)+(2)(70)(1)+(3)(42)(3)+(4)(30)(4) (mod 210) = 105 + 140 + 378 + 480 (mod 210) = 53 (mod 210)
RSA DECRYPTION
RSA Refresher Fermats little theorem For any prime p and any positive integer a. then ap-1=1 mod p. Eulers theorem (generalization of theorem above) If n and a are positive integers and a is co-prime to n. then a(n)=1 mod n, where (n) is Eulers totient function.
RSA DECRYPTION
RSA Refresher n = pq, p and q are safe primes (n) = (p-1)(q-1) choose a small e, such that it is co-prime to (n) choose d = e-1 (mod (n)) so that de = 1 (mod (n))
RSA DECRYPTION
RSA Refresher Let message = M (M<n) Encrypted message = C = Me (mod n) To decrypt find Cd = (Me)d (mod n) = Mk((n))+1 (mod n) =(M(n))k(M) (mod n) = M (mod n)
RSA DECRYPTION
Problems in practice The value e is chosen to be small so that public encryption can be done fast. However, d would usually be big, making decryption inevitably much slower than encryption. E.g.: p = 1289 q = 997 n = 1285133 (n) = 1282848 e=5 d = 769709
RSA DECRYPTION
Using CRT to accelerate decryption Since p and q are known by private key owner, we can use CRT to accelerate RSA decryption. To do that, we need to find out the following dp = e-1 (mod (p 1)) dpe = 1 (mod (p 1)) dq = e-1 (mod (q 1)) dqe = 1 (mod (q 1))
RSA DECRYPTION
Using CRT to accelerate decryption E.g.: p = 1289 p 1 = 1288 e=5 n = 1285133 q = 997 q 1 = 996 d = 769709 (n) = 1282848
dp = 5-1 (mod 1288) = 773 (mod 1288) dq = 5-1 (mod 996) = 797 (mod 996)
RSA DECRYPTION
Using CRT to accelerate decryption
Mp =C
dp
=M
ed p
(mod p) = M
k p ( p 1) +1
(mod p ) = M (mod p )
Mq = C
dq
=M
ed q
(mod q ) = M
k q ( q 1) +1
(mod q ) = M (mod q )
RSA DECRYPTION
PKCS One drawback of the classical Gaussian CRT algorithm is the need to do a modular reduction by M, which is rather computationally exhaustive. Thus, in PKCS #1 v2.1, the classical Gaussian CRT algorithm shown earlier is not used.
RSA DECRYPTION
PKCS Instead PKCS #1 v2.1, uses a special case of Garners algorithm for two moduli, which only needs to do modular reductions in p. In addition to finding Mp and Mq, we need to find qinv = q-1(mod p) (where p>q)
RSA DECRYPTION
PKCS An intermediate value h is then calculated h = qinv (Mp Mq) (mod p) this intermediate value is then used to calculate M directly M = Mq + hq
RSA DECRYPTION
Conclusion Even though we have to do two exponentiations instead of one and there are additional steps involved in doing CRT, overall, the decryption would be about four times faster.
REFERENCES
Rosen, Elementary Number Theory, 5th ed., AddisonWesley, Boston, 2005. Kaliski and Staddon, PKCS #1: RSA Cryptography Specifications Version 2.1, RSA Labs, 2003. Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, Fla., 1997 Shand and Vuillemin, Fast Implementation of RSA Cryptography, Proc. 11th IEEE Symp. Computer Arithmetic, Swartzlander, Irwin and Jullien, eds., pp. 252259, June 1993