CHINESE

REMAINDER
THEOREM
an introduction

OVERVIEW
Chinese Remainder Theorem
RSA Decryption

CHINESE REMAINDER THEOREM

First found in an ancient Chinese puzzle:
There are certain things whose number is unknown.
Repeatedly divided by 3, the remainder is 2;
by 5 the remainder is 3; and by 7 the remainder is 2.
What will be the number?

CHINESE REMAINDER THEOREM

In modern notation

x = 2 (mod 3)
x = 3 (mod 5)
x = 2 (mod 7)

CHINESE REMAINDER THEOREM

A solution was given in a poem for the more
general problem of

x = a1 (mod 3)
x = a2 (mod 5)
x = a3 (mod 7)

CHINESE REMAINDER THEOREM

Three men walking together for seventy miles,

Five plum trees with twenty one branches in flower,

Seven disciples gathering right by the half-moon,

One hundred and five and were back at the start

CHINESE REMAINDER THEOREM

What does the poem mean?
x = a1 (mod 3)
x = a2 (mod 5)
x = a3 (mod 7)

x = 70a1 + 21a2 + 15a3 (mod 105)

CHINESE REMAINDER THEOREM

Why is the solution correct?
x = 70a1 + 21 a2 + 15a3 (mod 105)
x = 0a1

+ 0a2

+ a03

(mod 5)
3)
7)

notice that
70 = 1 (mod 3) = 0 (mod 5) = 0 (mod 7)
21 = 0 (mod 3) = 1 (mod 5) = 0 (mod 7)
15 = 0 (mod 3) = 0 (mod 5) = 1 (mod 7)

CHINESE REMAINDER THEOREM

Solution for the puzzle
There are certain things whose number is unknown.
Repeatedly divided by 3, the remainder is 2;
by 5 the remainder is 3; and by 7 the remainder is 2.
What will be the number?

x = 70(2) + 21(3) + 15(2) (mod 105)

= 140 + 63 + 30 (mod 105)
= 233 (mod 105)
= 23 (mod 105)

CHINESE REMAINDER THEOREM

CRT Algorithm - Gauss
If x = a1 (mod m1) = a2 (mod m2) = = an (mod mn)
where m1, m2, , mn are relatively prime to each other,
then the solution is

CHINESE REMAINDER THEOREM

CRT Algorithm - Gauss
where
n

Mi =

k =1

yi = (M i ) (mod mi )
1

mi

(modulo inverses can be found using Extended Euclidean

Algorithm see any elementary number theory book)

CHINESE REMAINDER THEOREM

Example
x = 1 (mod 2)
x = 2 (mod 3)
x = 3 (mod 5)
x = 4 (mod 7)

M1=105 (mod 210) = 1 (mod 2)

M2=70 (mod 210) = 1 (mod 3)
M3=42 (mod 210) = 2 (mod 5)
M4=30 (mod 210) = 2 (mod 7)

y1=1
y2=1
y3=3
y4=4

x = (1)(105)(1)+(2)(70)(1)+(3)(42)(3)+(4)(30)(4) (mod 210)

= 105 + 140 + 378 + 480 (mod 210)
= 53 (mod 210)

CHINESE REMAINDER THEOREM

Extension of CRT Gauss
Previously, CRT is limited to cases where the moduli
m1, m2, , mn are relatively prime to each other. Gauss
showed how to convert problems where the moduli are not
relatively prime to each other, to the known type
mentioned earlier.

CHINESE REMAINDER THEOREM

Example
x = 4 (mod 6)
x = 2 (mod 7)
x = 6 (mod 8)
x = 7 (mod 9)

x = 142 (mod 514)

After reduction
x = 0 (mod 2)
x = 1 (mod 3)
x = 2 (mod 7)
x = 6 (mod 8) = 0 (mod 2)
x = 7 (mod 9) = 1 (mod 3)

RSA DECRYPTION
RSA Refresher
Fermats little theorem
For any prime p and any positive integer a.
then ap-1=1 mod p.
Eulers theorem (generalization of theorem above)
If n and a are positive integers and a is co-prime to n.
then a(n)=1 mod n, where (n) is Eulers totient function.

RSA DECRYPTION
RSA Refresher
n = pq, p and q are safe primes
(n) = (p-1)(q-1)
choose a small e, such that it is co-prime to (n)
choose d = e-1 (mod (n)) so that de = 1 (mod (n))

RSA DECRYPTION
RSA Refresher
Let message = M (M<n)
Encrypted message = C = Me (mod n)
To decrypt find Cd = (Me)d (mod n)
= Mk((n))+1 (mod n)
=(M(n))k(M) (mod n)
= M (mod n)

RSA DECRYPTION
Problems in practice
The value e is chosen to be small so that public encryption
can be done fast.
However, d would usually be big, making decryption
inevitably much slower than encryption.
E.g.:
p = 1289
q = 997
n = 1285133
(n) = 1282848
e=5
d = 769709

RSA DECRYPTION
Using CRT to accelerate decryption
Since p and q are known by private key owner, we can use
CRT to accelerate RSA decryption.
To do that, we need to find out the following
dp = e-1 (mod (p 1)) dpe = 1 (mod (p 1))
dq = e-1 (mod (q 1)) dqe = 1 (mod (q 1))

RSA DECRYPTION
Using CRT to accelerate decryption
E.g.: p = 1289
p 1 = 1288
e=5
n = 1285133

q = 997
q 1 = 996
d = 769709
(n) = 1282848

dp = 5-1 (mod 1288) = 773 (mod 1288)

dq = 5-1 (mod 996) = 797 (mod 996)

RSA DECRYPTION
Using CRT to accelerate decryption

Mp =C

dp

Mq = C

dq

=M

ed p

=M

ed q

(mod p) = M

(mod q ) = M

k p ( p 1) +1

k q ( q 1) +1

(mod p ) = M (mod p )

(mod q ) = M (mod q )

after finding Mp and Mq we use CRT to find M.

RSA DECRYPTION
PKCS
One drawback of the classical Gaussian CRT algorithm is
the need to do a modular reduction by M, which is rather
computationally exhaustive.
Thus, in PKCS #1 v2.1, the classical Gaussian CRT
algorithm shown earlier is not used.

RSA DECRYPTION
PKCS
Instead PKCS #1 v2.1, uses a special case of Garners
algorithm for two moduli, which only needs to do modular
reductions in p.
In addition to finding Mp and Mq, we need to find
qinv = q-1(mod p) (where p>q)

RSA DECRYPTION
PKCS
An intermediate value h is then calculated
h = qinv (Mp Mq) (mod p)
this intermediate value is then used to calculate M directly
M = Mq + hq

RSA DECRYPTION
Conclusion
Even though we have to do two exponentiations instead of
one and there are additional steps involved in doing CRT,
overall, the decryption would be about four times faster.

REFERENCES
Rosen, Elementary Number Theory, 5th ed., AddisonWesley, Boston, 2005.
Kaliski and Staddon, PKCS #1: RSA Cryptography
Specifications Version 2.1, RSA Labs, 2003.
Menezes, van Oorschot and Vanstone, Handbook of
Applied Cryptography, CRC Press, Boca Raton, Fla., 1997
Shand and Vuillemin, Fast Implementation of RSA
Cryptography, Proc. 11th IEEE Symp. Computer
Arithmetic, Swartzlander, Irwin and Jullien, eds., pp. 252259, June 1993