CHINESE REMAINDER THEOREM

an introduction

OVERVIEW
Chinese Remainder Theorem RSA Decryption

CHINESE REMAINDER THEOREM

First found in an ancient Chinese puzzle: There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number?

CHINESE REMAINDER THEOREM

In modern notation

x = 2 (mod 3) x = 3 (mod 5) x = 2 (mod 7)

CHINESE REMAINDER THEOREM

A solution was given in a poem for the more general problem of

x = a1 (mod 3) x = a2 (mod 5) x = a3 (mod 7)

CHINESE REMAINDER THEOREM

Three men walking together for seventy miles,

Five plum trees with twenty one branches in flower,

Seven disciples gathering right by the half-moon,

One hundred and five and were back at the start

CHINESE REMAINDER THEOREM

What does the poem mean? x = a1 (mod 3) x = a2 (mod 5) x = a3 (mod 7)

x = 70a1 + 21a2 + 15a3 (mod 105)

CHINESE REMAINDER THEOREM

Why is the solution correct? x = 70a1 + 21 a2 + 15a3 (mod 105) x=0 a1 a2 +0 +a 03 (mod 5) 3) 7)

notice that 70 = 1 (mod 3) = 0 (mod 5) = 0 (mod 7) 21 = 0 (mod 3) = 1 (mod 5) = 0 (mod 7) 15 = 0 (mod 3) = 0 (mod 5) = 1 (mod 7)

CHINESE REMAINDER THEOREM

Solution for the puzzle
There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number?

x = 70(2) + 21(3) + 15(2) (mod 105) = 140 + 63 + 30 (mod 105) = 233 (mod 105) = 23 (mod 105)

CHINESE REMAINDER THEOREM

CRT Algorithm - Gauss If x = a1 (mod m1) = a2 (mod m2) = = an (mod mn) where m1, m2, , mn are relatively prime to each other, then the solution is

CHINESE REMAINDER THEOREM

CRT Algorithm - Gauss where

Mi =

m
k =1

yi = (M i ) (mod mi )
1

mi

(modulo inverses can be found using Extended Euclidean Algorithm see any elementary number theory book)

CHINESE REMAINDER THEOREM

Example x = 1 (mod 2) x = 2 (mod 3) x = 3 (mod 5) x = 4 (mod 7) M1=105 (mod 210) = 1 (mod 2) M2=70 (mod 210) = 1 (mod 3) M3=42 (mod 210) = 2 (mod 5) M4=30 (mod 210) = 2 (mod 7) y1=1 y2=1 y3=3 y4=4

x = (1)(105)(1)+(2)(70)(1)+(3)(42)(3)+(4)(30)(4) (mod 210) = 105 + 140 + 378 + 480 (mod 210) = 53 (mod 210)

CHINESE REMAINDER THEOREM

Extension of CRT Gauss
Previously, CRT is limited to cases where the moduli m1, m2, , mn are relatively prime to each other. Gauss showed how to convert problems where the moduli are not relatively prime to each other, to the known type mentioned earlier.

CHINESE REMAINDER THEOREM

Example x = 4 (mod 6) x = 2 (mod 7) x = 6 (mod 8) x = 7 (mod 9) After reduction x = 0 (mod 2) x = 1 (mod 3) x = 2 (mod 7) x = 6 (mod 8) = 0 (mod 2) x = 7 (mod 9) = 1 (mod 3)

x = 142 (mod 514)

RSA DECRYPTION
RSA Refresher Fermats little theorem For any prime p and any positive integer a. then ap-1=1 mod p. Eulers theorem (generalization of theorem above) If n and a are positive integers and a is co-prime to n. then a(n)=1 mod n, where (n) is Eulers totient function.

RSA DECRYPTION
RSA Refresher n = pq, p and q are safe primes (n) = (p-1)(q-1) choose a small e, such that it is co-prime to (n) choose d = e-1 (mod (n)) so that de = 1 (mod (n))

RSA DECRYPTION
RSA Refresher Let message = M (M<n) Encrypted message = C = Me (mod n) To decrypt find Cd = (Me)d (mod n) = Mk((n))+1 (mod n) =(M(n))k(M) (mod n) = M (mod n)

RSA DECRYPTION
Problems in practice The value e is chosen to be small so that public encryption can be done fast. However, d would usually be big, making decryption inevitably much slower than encryption. E.g.: p = 1289 q = 997 n = 1285133 (n) = 1282848 e=5 d = 769709

RSA DECRYPTION
Using CRT to accelerate decryption Since p and q are known by private key owner, we can use CRT to accelerate RSA decryption. To do that, we need to find out the following dp = e-1 (mod (p 1)) dpe = 1 (mod (p 1)) dq = e-1 (mod (q 1)) dqe = 1 (mod (q 1))

RSA DECRYPTION
Using CRT to accelerate decryption E.g.: p = 1289 p 1 = 1288 e=5 n = 1285133 q = 997 q 1 = 996 d = 769709 (n) = 1282848

dp = 5-1 (mod 1288) = 773 (mod 1288) dq = 5-1 (mod 996) = 797 (mod 996)

RSA DECRYPTION
Using CRT to accelerate decryption

Mp =C

dp

=M

ed p

(mod p) = M

k p ( p 1) +1

(mod p ) = M (mod p )

Mq = C

dq

=M

ed q

(mod q ) = M

k q ( q 1) +1

(mod q ) = M (mod q )

after finding Mp and Mq we use CRT to find M.

RSA DECRYPTION
PKCS One drawback of the classical Gaussian CRT algorithm is the need to do a modular reduction by M, which is rather computationally exhaustive. Thus, in PKCS #1 v2.1, the classical Gaussian CRT algorithm shown earlier is not used.

RSA DECRYPTION
PKCS Instead PKCS #1 v2.1, uses a special case of Garners algorithm for two moduli, which only needs to do modular reductions in p. In addition to finding Mp and Mq, we need to find qinv = q-1(mod p) (where p>q)

RSA DECRYPTION
PKCS An intermediate value h is then calculated h = qinv (Mp Mq) (mod p) this intermediate value is then used to calculate M directly M = Mq + hq

RSA DECRYPTION
Conclusion Even though we have to do two exponentiations instead of one and there are additional steps involved in doing CRT, overall, the decryption would be about four times faster.

REFERENCES
Rosen, Elementary Number Theory, 5th ed., AddisonWesley, Boston, 2005. Kaliski and Staddon, PKCS #1: RSA Cryptography Specifications Version 2.1, RSA Labs, 2003. Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, Fla., 1997 Shand and Vuillemin, Fast Implementation of RSA Cryptography, Proc. 11th IEEE Symp. Computer Arithmetic, Swartzlander, Irwin and Jullien, eds., pp. 252259, June 1993