Professional Documents
Culture Documents
Chinese Remainder Theorem: An Introduction
Chinese Remainder Theorem: An Introduction
REMAINDER
THEOREM
an introduction
OVERVIEW
Chinese Remainder Theorem
RSA Decryption
x = 2 (mod 3)
x = 3 (mod 5)
x = 2 (mod 7)
x = a1 (mod 3)
x = a2 (mod 5)
x = a3 (mod 7)
+ 0a2
+ a03
(mod 5)
3)
7)
notice that
70 = 1 (mod 3) = 0 (mod 5) = 0 (mod 7)
21 = 0 (mod 3) = 1 (mod 5) = 0 (mod 7)
15 = 0 (mod 3) = 0 (mod 5) = 1 (mod 7)
Mi =
k =1
yi = (M i ) (mod mi )
1
mi
y1=1
y2=1
y3=3
y4=4
After reduction
x = 0 (mod 2)
x = 1 (mod 3)
x = 2 (mod 7)
x = 6 (mod 8) = 0 (mod 2)
x = 7 (mod 9) = 1 (mod 3)
RSA DECRYPTION
RSA Refresher
Fermats little theorem
For any prime p and any positive integer a.
then ap-1=1 mod p.
Eulers theorem (generalization of theorem above)
If n and a are positive integers and a is co-prime to n.
then a(n)=1 mod n, where (n) is Eulers totient function.
RSA DECRYPTION
RSA Refresher
n = pq, p and q are safe primes
(n) = (p-1)(q-1)
choose a small e, such that it is co-prime to (n)
choose d = e-1 (mod (n)) so that de = 1 (mod (n))
RSA DECRYPTION
RSA Refresher
Let message = M (M<n)
Encrypted message = C = Me (mod n)
To decrypt find Cd = (Me)d (mod n)
= Mk((n))+1 (mod n)
=(M(n))k(M) (mod n)
= M (mod n)
RSA DECRYPTION
Problems in practice
The value e is chosen to be small so that public encryption
can be done fast.
However, d would usually be big, making decryption
inevitably much slower than encryption.
E.g.:
p = 1289
q = 997
n = 1285133
(n) = 1282848
e=5
d = 769709
RSA DECRYPTION
Using CRT to accelerate decryption
Since p and q are known by private key owner, we can use
CRT to accelerate RSA decryption.
To do that, we need to find out the following
dp = e-1 (mod (p 1)) dpe = 1 (mod (p 1))
dq = e-1 (mod (q 1)) dqe = 1 (mod (q 1))
RSA DECRYPTION
Using CRT to accelerate decryption
E.g.: p = 1289
p 1 = 1288
e=5
n = 1285133
q = 997
q 1 = 996
d = 769709
(n) = 1282848
RSA DECRYPTION
Using CRT to accelerate decryption
Mp =C
dp
Mq = C
dq
=M
ed p
=M
ed q
(mod p) = M
(mod q ) = M
k p ( p 1) +1
k q ( q 1) +1
(mod p ) = M (mod p )
(mod q ) = M (mod q )
RSA DECRYPTION
PKCS
One drawback of the classical Gaussian CRT algorithm is
the need to do a modular reduction by M, which is rather
computationally exhaustive.
Thus, in PKCS #1 v2.1, the classical Gaussian CRT
algorithm shown earlier is not used.
RSA DECRYPTION
PKCS
Instead PKCS #1 v2.1, uses a special case of Garners
algorithm for two moduli, which only needs to do modular
reductions in p.
In addition to finding Mp and Mq, we need to find
qinv = q-1(mod p) (where p>q)
RSA DECRYPTION
PKCS
An intermediate value h is then calculated
h = qinv (Mp Mq) (mod p)
this intermediate value is then used to calculate M directly
M = Mq + hq
RSA DECRYPTION
Conclusion
Even though we have to do two exponentiations instead of
one and there are additional steps involved in doing CRT,
overall, the decryption would be about four times faster.
REFERENCES
Rosen, Elementary Number Theory, 5th ed., AddisonWesley, Boston, 2005.
Kaliski and Staddon, PKCS #1: RSA Cryptography
Specifications Version 2.1, RSA Labs, 2003.
Menezes, van Oorschot and Vanstone, Handbook of
Applied Cryptography, CRC Press, Boca Raton, Fla., 1997
Shand and Vuillemin, Fast Implementation of RSA
Cryptography, Proc. 11th IEEE Symp. Computer
Arithmetic, Swartzlander, Irwin and Jullien, eds., pp. 252259, June 1993