
The Chinese Remainder Theorem

http://www.di-mgt.com.au/crt.html#crackingrsa


On this page we look at the Chinese Remainder Theorem (CRT), Gauss's algorithm to solve simultaneous linear congruences, a simpler method to solve congruences for small moduli, and an application of the theorem to break the RSA algorithm when someone sends the same encrypted message to three different recipients using the same exponent of e=3.

Theorem. Let $n_1, n_2, \ldots, n_r$ be positive integers such that $\gcd(n_i, n_j) = 1$ for $i \neq j$. Then the system of linear congruences $x \equiv c_1 \pmod{n_1}$; $x \equiv c_2 \pmod{n_2}$; ... ; $x \equiv c_r \pmod{n_r}$ has a simultaneous solution which is unique modulo $n_1 n_2 \cdots n_r$.

Note that all the theorem says is that there is a unique solution. It doesn't actually say how to solve it. This is usually done using Gauss's algorithm. There is also a variant of the CRT used to speed up the calculations in the RSA algorithm.

The name "Chinese" comes from an old Chinese puzzle allegedly posed by Sun Tsu Suan-Ching in 4 AD:

There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number?

In modern number theory, we would write that as a problem to solve the simultaneous congruences

$$\begin{aligned} x &\equiv 2 \pmod{3} \\ x &\equiv 3 \pmod{5} \\ x &\equiv 2 \pmod{7} \end{aligned}$$

The Chinese Remainder Theorem (CRT) tells us that since 3, 5 and 7 are coprime in pairs then there is a unique solution modulo $3 \times 5 \times 7 = 105$. The solution is $x = 23$. You can check that by noting that the relations


$$\begin{aligned} 23 &= 7 \times 3 + 2 \equiv 2 \pmod{3} \\ 23 &= 4 \times 5 + 3 \equiv 3 \pmod{5} \\ 23 &= 3 \times 7 + 2 \equiv 2 \pmod{7} \end{aligned}$$

are all satisfied for this value of x.

Algorithm. Let $N = n_1 n_2 \cdots n_r$; then

$$x \equiv c_1 N_1 d_1 + c_2 N_2 d_2 + \cdots + c_r N_r d_r \pmod{N}$$

where $N_i = N/n_i$ and $d_i \equiv N_i^{-1} \pmod{n_i}$.

The latter modular inverse di is easily calculated by the extended Euclidean algorithm. You can also use the bd_modinv utility in our Modular Arithmetic Freeware download.

Example
For the original "Chinese" problem above we have

$n_1 = 3$, $n_2 = 5$, $n_3 = 7$

$N = n_1 n_2 n_3 = 3 \times 5 \times 7 = 105$

$c_1 = 2$, $c_2 = 3$, $c_3 = 2$.

Now $N_1 = N/n_1 = 35$ and so $d_1 = 35^{-1} \pmod{3} = 2$, $N_2 = N/n_2 = 21$ and so $d_2 = 21^{-1} \pmod{5} = 1$, and $N_3 = N/n_3 = 15$ and so $d_3 = 15^{-1} \pmod{7} = 1$. Hence

$$x = (2 \times 35 \times 2) + (3 \times 21 \times 1) + (2 \times 15 \times 1) = 233 \equiv 23 \pmod{105}$$

Another example
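$$\begin{aligned} x &\equiv 1 \pmod{3} \\ x &\equiv 2 \pmod{4} \\ x &\equiv 3 \pmod{5} \end{aligned}$$

Using Gauss's algorithm,

$n_1 = 3$, $n_2 = 4$, $n_3 = 5$

$N = n_1 n_2 n_3 = 3 \times 4 \times 5 = 60$

$c_1 = 1$, $c_2 = 2$, $c_3 = 3$.

$N_1 = N/n_1 = 20$; $d_1 = 20^{-1} \pmod{3} = 2$ [check: $2 \times 20 = 40 \equiv 1 \pmod{3}$]

$N_2 = N/n_2 = 15$; $d_2 = 15^{-1} \pmod{4} = 3$ [check: $3 \times 15 = 45 \equiv 1 \pmod{4}$]

$N_3 = N/n_3 = 12$; $d_3 = 12^{-1} \pmod{5} = 3$ [check: $3 \times 12 = 36 \equiv 1 \pmod{5}$]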


$$x \equiv c_1 N_1 d_1 + c_2 N_2 d_2 + c_3 N_3 d_3 \pmod{N}$$

$$x = (1 \times 20 \times 2) + (2 \times 15 \times 3) + (3 \times 12 \times 3) = 238 \equiv 58 \pmod{60}$$

so a solution is $x = 58$. Note that this is "a" solution. Any integer that satisfies $58 + 60k$ for any integer $k$ is also a solution, but the method gives you the unique solution in the range $0 \le x < n_1 n_2 n_3$.

For congruences with small moduli there is a simpler method (useful in exams!). To solve the previous problem, write out the numbers $x \equiv 3 \pmod{5}$ until you find a number congruent to 2 (mod 4), then increase that number by multiples of $5 \times 4$ until you find a number congruent to 1 (mod 3).

$x \equiv 3 \pmod{5}$: $x = 3, 8, 13, 18 \equiv 2 \pmod{4}$ [increase by 5]

$x \equiv 18 \pmod{20}$: $x = 18, 38, 58 \equiv 1 \pmod{3}$ [increase by 5 x 4]

$x \equiv 58 \pmod{60}$.

We find it easier to start with the largest modulus and work downwards. To solve the original Chinese problem:

$x \equiv 2 \pmod{7}$: $x = 2, 9, 16, 23 \equiv 3 \pmod{5}$ [increase by 7]

$x \equiv 23 \pmod{35}$: $x = 23 \equiv 2 \pmod{3}$

$x \equiv 23 \pmod{105}$.

Alice sends the same message $m$ encrypted using the RSA algorithm to three recipients with different moduli $n_1, n_2, n_3$, all coprime to each other but using the same exponent $e = 3$. Eve recovers the three ciphertext values $c_1, c_2, c_3$ and knows the public keys $(n, e = 3)$ of all the recipients. Can Eve recover the message without factoring the moduli?

Yes. Eve uses Gauss's algorithm above to find a solution $x$, in the range $0 \le x < n_1 n_2 n_3$, to the three simultaneous congruences

$$\begin{aligned} x &\equiv c_1 \pmod{n_1} \\ x &\equiv c_2 \pmod{n_2} \\ x &\equiv c_3 \pmod{n_3} \end{aligned}$$

Because $m$ is smaller than each modulus, $m^3 < n_1 n_2 n_3$. The Chinese Remainder Theorem says the solution in that range is unique, and $m^3$ satisfies all three congruences, so it follows that $x = m^3$ and $m$ can be recovered by simply computing the integer cube root of $x$. Note that the cube root does not involve any modular arithmetic and so is straightforward to compute (well, as straightforward as computing any cube root is).

Example


There are three recipients with public keys (57,3), (77,3) and (65,3). That is, we have $e = 3$ and

$n_1 = 19 \times 3 = 57$, $n_2 = 11 \times 7 = 77$, $n_3 = 13 \times 5 = 65$

Alice encrypts the message $m = 10$ using RSA to all three, as follows,

$c_1 = 10^3 \bmod 57 = 31$; $c_2 = 10^3 \bmod 77 = 76$; $c_3 = 10^3 \bmod 65 = 25$

and these three ciphertext values $c_1, c_2, c_3$ are intercepted by Eve. She then uses Gauss's algorithm as follows

$N = n_1 n_2 n_3 = 57 \times 77 \times 65 = 285285$

$N_1 = N/n_1 = 77 \times 65 = 5005$; $d_1 = 5005^{-1} \pmod{57} = 31$

$N_2 = N/n_2 = 57 \times 65 = 3705$; $d_2 = 3705^{-1} \pmod{77} = 60$

$N_3 = N/n_3 = 57 \times 77 = 4389$; $d_3 = 4389^{-1} \pmod{65} = 44$

$$x \equiv c_1 N_1 d_1 + c_2 N_2 d_2 + c_3 N_3 d_3 \pmod{N}$$

$$x = (31 \times 5005 \times 31) + (76 \times 3705 \times 60) + (25 \times 4389 \times 44) = 26532505 \equiv 1000 \pmod{285285}$$

So $m$ is the cube root of 1000, that is $m = 10$, as required. She did not need to factor the moduli.

To compute the modular inverses, we used the bd_modinv function in our Modular Arithmetic Freeware package

    >bd_modinv 5005 57
    5005^-1 mod 57 = 31
    >bd_modinv 3705 77
    3705^-1 mod 77 = 60
    >bd_modinv 4389 65
    4389^-1 mod 65 = 44

Comment
In practice with RSA we would be looking at much larger moduli in the order of 1000 or 2000 bits (i.e. numbers about 300 to 600 decimal digits long, probably too big for your pocket calculator), but the same principles apply. You would need to use a computer package that does large integer arithmetic (like our free BigDigits software). It is most likely that any three moduli in practice will be coprime, so the method is likely to be successful.

How to prevent this type of attack


1. Use a larger exponent, like 65537 (0x10001). This makes it harder, but it is much better to
2. Add some random bits to the message - at least 64 bits worth. Make sure every message ever encrypted always has different random bytes added. This is known as salting the message and will prevent many other attacks, too. Obviously, the


recipient needs to know how to remove the random bytes after decrypting the message.

For more on weaknesses in RSA and how to combat them, see our RSA algorithm page.
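Gauss's algorithm and the e=3 example above, with a check of why differing plaintexts defeat the cube-root step, as an added Python example (not code from the original page or from DI Management). The names `gauss_crt`, `icbrt` and `combine` are chosen here; the plaintexts 10, 11, 12 are constructed stand-ins for differently padded copies of a message, because the toy moduli are too small to hold real random padding.

```python
from math import gcd, prod

def gauss_crt(residues, moduli):
    """Gauss's algorithm: x = sum(c_i * N_i * d_i) mod N, with d_i = N_i^-1 mod n_i."""
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) != 1:
                raise ValueError(f"moduli {a} and {b} are not coprime")
    N = prod(moduli)
    x = 0
    for c, n in zip(residues, moduli):
        Ni = N // n
        x += c * Ni * pow(Ni, -1, n)  # pow(.., -1, n): modular inverse (Python 3.8+)
    return x % N

def icbrt(x):
    """Integer cube root by binary search; returns (floor_root, is_exact)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** 3 == x

MODULI = (57, 77, 65)  # the page's three public moduli
E = 3                  # shared public exponent

def combine(plaintexts):
    """Encrypt one plaintext per recipient, then combine the ciphertexts via the CRT.

    Returns (ciphertexts, x, floor_cube_root, is_exact_cube).
    """
    cts = [pow(m, E, n) for m, n in zip(plaintexts, MODULI)]
    x = gauss_crt(cts, MODULI)
    root, exact = icbrt(x)
    return cts, x, root, exact

if __name__ == "__main__":
    # Same m = 10 to all three: x equals m^3 exactly, so the cube root is m.
    print(combine([10, 10, 10]))
    # Constructed: each recipient gets a different value, as per-message random
    # padding would cause. x is no longer a perfect cube of any one plaintext.
    print(combine([10, 11, 12]))
```

When auditing a sender, the relevant property is the second case: if every encryption carries fresh random padding, the combined value carries no common cube to extract.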


This page first published 23 October 2010 and last updated 19 February 2011. Copyright 2010-11 DI Management Services Pty Limited ABN 78 083 210 584 Sydney, Australia. www.di-mgt.com.au. All rights reserved.
