Remainder Theorem in cryptography
A brief overview of the Chinese Remainder Theorem and its use in secret sharing and fast RSA variants
1. INTRODUCTION
Around A.D. 100, the Chinese mathematician Sun-Tsu solved the problem of finding those
integers x that leave remainders 2, 3, and 2 when divided by 3, 5, and 7 respectively. One
such solution is x = 23; all solutions are of the form 23 + 105k for arbitrary integers k.
Let us look at a simple interpretation of the theorem. Let r and s be positive integers which
are relatively prime and let a and b be any two integers. Then there is an integer N such that
N ≡ a (mod r) (1)
and
for i = 1, ..., r and for which the mi are pairwise relatively prime, the solution of the set of
congruences is
where
M = m1 m2 ... mr (5)
Let the numbers n1, n2, ..., nk be positive integers which are pairwise relatively prime, i.e. gcd(ni, nj) = 1 when i ≠ j. Furthermore, let n = n1 n2 ... nk and let x1, x2, ..., xk be integers. Then the system of congruences
x ≡ x1 mod n1
x ≡ x2 mod n2
...
x ≡ xk mod nk,
The general case of CRT states that the simultaneous congruences can be solved even if the ni are not pairwise coprime. A solution x exists if and only if:
Note: If the moduli n1, n2, ..., nr are not relatively prime in pairs, there may be no solution to the system of congruences.
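An added worked example (not from the paper) of the general case just stated: a solver that merges the congruences one at a time, works for non-coprime moduli, reports inconsistency instead of a bogus answer, and is checked on Sun-Tsu's problem from the introduction. The function names are my own.

```python
from math import gcd

# Added example (not from the paper): solve x ≡ a_i (mod n_i) by merging one
# congruence at a time. The moduli need not be pairwise coprime: merging
# x ≡ a1 (mod n1) with x ≡ a2 (mod n2) is possible exactly when gcd(n1, n2)
# divides a2 - a1, and the merged congruence is then unique modulo lcm(n1, n2).

def crt(residues, moduli):
    """Return (x, M): the least non-negative solution x modulo M, or None
    when the system is inconsistent."""
    x, m = 0, 1                          # x ≡ 0 (mod 1) is the empty system
    for a, n in zip(residues, moduli):
        g = gcd(m, n)
        if (a - x) % g:
            return None                  # residues clash on a shared factor
        # Solve x + m*t ≡ a (mod n): divide through by g, then invert m/g.
        t = ((a - x) // g) * pow(m // g, -1, n // g) % (n // g)
        x, m = x + m * t, m // g * n     # new modulus is lcm(m, n)
        x %= m
    return x, m

def sun_tsu():
    # Sun-Tsu's problem from the introduction: remainders 2, 3, 2 mod 3, 5, 7
    return crt([2, 3, 2], [3, 5, 7])     # (23, 105): all solutions are 23 + 105k

def non_coprime_examples():
    # Moduli 4 and 6 share the factor 2, so the residues must agree mod 2.
    consistent = crt([1, 3], [4, 6])     # 1 ≡ 3 (mod 2): solvable, x = 9 mod 12
    clashing = crt([1, 2], [4, 6])       # 1 ≢ 2 (mod 2): no solution
    return consistent, clashing

if __name__ == "__main__":
    print(sun_tsu())
    print(non_coprime_examples())
```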
2. SECRET SHARING
Secret sharing refers to any method for distributing a secret amongst a group of participants, where each participant is allocated a share of the secret. The secret can only be reconstructed when all the shares are recombined; individual shares are of no use on their own. It was invented independently by Adi Shamir and George Blakley in 1979.
The initial applications of secret sharing were safeguarding cryptographic keys and providing shared access to strategic resources. Threshold cryptography and some e-voting schemes are more recent applications of secret sharing schemes.
A very simple type of secret sharing is that in which each secret share is a plane and the secret is the point at which the planes intersect. More generally, any n n-dimensional hyperplanes intersect at a specific point. The secret may be encoded as any single coordinate of the point of intersection. Each player is given enough information to define a hyperplane; the secret is recovered by calculating the hyperplanes' point of intersection and then taking a specified coordinate of that intersection. This forms the basis of Blakley's scheme of secret sharing.
Another system, called a (t, n)-threshold scheme (sometimes written as an (n, t)-threshold scheme), works as follows: there is one dealer and n players. The dealer gives a secret to the players, but only under certain specific conditions. The sharing is such that any group of t (for threshold) or more players, and only such a group, can together reconstruct the secret; no group of fewer than t players can. This idea was put to use by Adi Shamir, an Israeli cryptographer.
Shamir's secret sharing scheme uses the idea that k points are sufficient to define a polynomial of degree k-1. Let us use the (k, n) threshold scheme to share our secret S, assumed to be an element of a finite field F. We choose (k-1) coefficients a1, a2, ..., ak-1 at random and let a0 = S. Let us now build the polynomial,
Let us construct any n points out of it, for instance set i = 1, 2, ..., n to retrieve the points (i, f(i)). Each point (a pair consisting of an input to the polynomial and its output) is then given to a participant. Given any subset of k of these pairs, we can find the coefficients of the polynomial using interpolation, and the secret is the constant term a0.
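Shamir's scheme as an added example (not the paper's own code), over the prime field Z_P with a constructed P; `split` and `reconstruct` are assumed names, and the interpolation is carried out directly at x = 0 since only a0 is wanted.

```python
import random

# Added example (not from the paper): Shamir's (k, n) threshold scheme over the
# prime field F = Z_P. P is a constructed choice, not one fixed by the paper.
P = 2**127 - 1                    # Mersenne prime, so every share fits in 128 bits

def split(secret, k, n, rng=random):
    """Dealer: build f(x) = S + a1 x + ... + a_{k-1} x^{k-1} with a0 = S and
    random a1..a_{k-1}, then hand out the n points (i, f(i)), i = 1..n."""
    assert 0 <= secret < P and 1 <= k <= n < P
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    def f(x):                              # Horner evaluation modulo P
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % P
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct(shares):
    """Any k distinct points determine the degree-(k-1) polynomial; we only need
    the constant term a0 = f(0), so interpolate (Lagrange) directly at x = 0."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P          # factor (0 - x_j)
                den = den * (xi - xj) % P      # factor (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def demo():
    rng = random.Random(1)                     # fixed seed so the run is repeatable
    secret = 1234567890
    shares = split(secret, k=3, n=5, rng=rng)
    from_three = reconstruct(rng.sample(shares, 3))   # any 3 of 5 shares suffice
    from_two = reconstruct(shares[:2])         # 2 points fit a line, not the parabola
    return from_three, from_two

if __name__ == "__main__":
    print(demo())
```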
As we saw earlier, in threshold schemes only the cardinality of the set of shares matters for recovering the secret. Mignotte and Asmuth-Bloom introduced threshold secret sharing schemes based on the Chinese Remainder Theorem.
Mignotte's threshold secret sharing scheme applies the general CRT to recover the secret, making use of a special sequence of integers referred to as a Mignotte sequence.
o The secret S is chosen as a random integer such that i, where α = m1 ... mk and
β = mn−k+2 ... mn ;
o Given k distinct shares Ii1, ..., Iik, the secret S is recovered using the standard Chinese Remainder Theorem. The system of congruences shown below has a unique solution modulo mi1 ... mik.
...
By the construction of our shares, this solution is nothing but the secret S to recover.
Mignotte's scheme can be generalized by allowing moduli that are not necessarily pairwise coprime, by introducing generalized Mignotte sequences. A generalized (k, n)-Mignotte sequence is a sequence m1, ..., mn of positive integers such that
where the parentheses (a, ..., b) denote the gcd and the brackets [a, ..., b] denote the lcm.
The generalized Mignotte scheme works just like Mignotte's scheme, except that α = min over 1 ≤ i1 < ··· < ik ≤ n of [mi1, ..., mik] and β = max over 1 ≤ i1 < ··· < ik−1 ≤ n of [mi1, ..., mik−1].
This scheme, proposed by Asmuth and Bloom, also uses special sequences of integers.
A sequence of pairwise coprime positive integers r, m1 < ... < mn is chosen such that
o Given k distinct shares Ii1, ..., Iik, the secret S can be obtained as S = x0 mod r, where x0 is obtained, using the standard Chinese Remainder Theorem, as the unique solution modulo mi1 ··· mik of the system
...
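Both CRT-based schemes (Mignotte above and Asmuth-Bloom just described) as one added example, not the paper's code. It uses the explicit CRT formula with M = m1 ... mk for coprime moduli, assumes the standard Asmuth-Bloom condition r·m(n−k+2)···mn < m1···mk (the paper's text omits it), and works on constructed toy sequences; all function names are my own.

```python
import random
from math import gcd, prod

# Added example (not from the paper): Mignotte and Asmuth-Bloom (k, n) threshold
# sharing. Recovery uses the explicit CRT solution x = sum a_i M_i (M_i^-1 mod m_i)
# mod M with M = m_i1 ... m_ik and M_i = M / m_i, valid for pairwise coprime moduli.

def crt(residues, moduli):
    M = prod(moduli)
    return sum(a * (M // m) * pow(M // m, -1, m) for a, m in zip(residues, moduli)) % M

def pairwise_coprime(ms):
    return all(gcd(a, b) == 1 for i, a in enumerate(ms) for b in ms[i + 1:])

# Mignotte: m1 < ... < mn pairwise coprime, beta = m_{n-k+2} ... m_n < S < alpha = m1 ... mk.
def mignotte_share(S, ms, k):
    alpha, beta = prod(ms[:k]), prod(ms[len(ms) - k + 1:])
    assert pairwise_coprime(ms) and beta < S < alpha
    return [(m, S % m) for m in ms]              # share i is (m_i, S mod m_i)

def mignotte_recover(shares):
    # With k shares the CRT solution modulo m_i1 ... m_ik >= alpha > S is S itself;
    # with fewer shares the modulus is <= beta < S and the result is not the secret.
    return crt([s for _, s in shares], [m for m, _ in shares])

# Asmuth-Bloom: an extra modulus r with r * m_{n-k+2} ... m_n < m1 ... mk (the standard
# condition, assumed here). Share x0 = S + A r instead of S; recover S = x0 mod r.
def asmuth_bloom_share(S, r, ms, k, rng=random):
    alpha = prod(ms[:k])
    assert pairwise_coprime([r] + ms) and S < r and r * prod(ms[len(ms) - k + 1:]) < alpha
    x0 = S + rng.randrange((alpha - S) // r) * r   # random lift A, keeping x0 < alpha
    return [(m, x0 % m) for m in ms]

def asmuth_bloom_recover(shares, r):
    return mignotte_recover(shares) % r          # CRT gives x0, then reduce modulo r

def demo():
    ms = [11, 13, 17, 19, 23]                    # constructed (3, 5) sequence: alpha = 2431, beta = 437
    m_shares = mignotte_share(1000, ms, 3)       # 437 < 1000 < 2431
    r = 5                                        # 5 * 437 = 2185 < 2431
    a_shares = asmuth_bloom_share(3, r, ms, 3, random.Random(1))
    return (mignotte_recover(m_shares[1:4]),                      # any 3 of the 5 shares
            asmuth_bloom_recover([a_shares[0], a_shares[2], a_shares[4]], r))

if __name__ == "__main__":
    print(demo())                                # (1000, 3)
```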
3.3. A SUM UP
An important point to be noted here is that the Mignotte and Asmuth-Bloom (k, n)-threshold secret sharing schemes based on the Chinese Remainder Theorem are not perfect: a set of fewer than k shares contains some information about the secret. Nevertheless, by a suitable choice of the sequences and the parameters (α in the Asmuth-Bloom case), one can get a reasonable security factor. Quite obviously the Asmuth-Bloom scheme is more secure, for it involves more random parameters.
The RSA algorithm is an algorithm for public-key cryptography named after Ron Rivest, Adi
Shamir and Len Adleman, who invented it in 1977. The RSA algorithm can be used for both
public key encryption and digital signatures.
For faster decryption, RSA-CRT is used, where the Chinese Remainder Theorem is applied during decryption. It results in a decryption much faster than plain modular exponentiation. RSA-CRT differs from standard RSA in the key generation and decryption steps.
Let us sum up the steps of the RSA algorithm and look into the major differences introduced in the RSA-CRT algorithm.
4.1. OPERATION
The RSA algorithm involves three steps: key generation, encryption and decryption.
o Generate two large random primes, p and q, of approximately equal size such that their product n = p×q is of the required bit length, e.g. 1024 bits.
o Compute n = pq and φ(n) = (p-1)(q-1). Here, n is used as the modulus for both the public and private keys.
o Choose an integer e, 1 < e < φ(n), such that gcd(e, φ(n)) = 1. e is released as the public key exponent.
o Compute the secret exponent d, 1 < d < φ(n), such that the congruence relation ed ≡ 1 (mod φ(n)) is satisfied.
The public key consists of the modulus n and the public (or encryption) exponent e. The
private key consists of the modulus n and the private (or decryption) exponent d which
must be kept secret.
The RSA-CRT key generation scheme is developed keeping in mind the fact that the value of d, the secret exponent, cannot be made short: as soon as d < N^0.292, the RSA system can be totally broken. Let us have a look at the scheme:
o Let p and q be two very large primes of nearly the same size such that gcd(p-1, q-1) = 2.
o Pick two random integers dp and dq such that gcd(dp, p-1) = 1, gcd(dq, q-1) = 1 and dp ≡ dq (mod 2).
The public key is (n, e) and the private key is (p, q, dp, dq). Since gcd(dp, p-1) = 1 and d ≡ dp (mod p-1), we have gcd(d, p-1) = 1. Similarly, gcd(d, q-1) = 1. Hence gcd(d, φ(n)) = 1.
To apply the Chinese Remainder Theorem in step 4, the respective moduli have to be relatively prime for a solution to necessarily exist. We observe that p-1 and q-1 are even numbers and hence we cannot directly apply the Chinese Remainder Theorem.
However, gcd((p-1)/2, (q-1)/2) = 1. Since gcd(dp, p-1) = 1 and gcd(dq, q-1) = 1, dp and dq are necessarily odd integers, so dp-1 and dq-1 are even integers. We have gcd(d, p-1) = 1, which implies that d is odd and d-1 is even.
By applying the cancellation law and taking the common factor 2 out, we have
Using the Chinese Remainder Theorem we find the secret exponent d such that d = (2×d') + 1.
4.1.2. ENCRYPTION
o The sender obtains the recipient B's public key (n, e); B in turn keeps the corresponding private key secured.
4.1.3. DECRYPTION
If c is not divisible by p and dp ≡ d (mod p-1), then c^dp ≡ c^d (mod p). For decryption we find mp = c^dp (mod p) = c^d (mod p) and mq = c^dq (mod q) = c^d (mod q).
Then, using the Chinese Remainder Theorem, we find the solution m of m ≡ mp ≡ c^d (mod p), m ≡ mq ≡ c^dq ≡ c^d (mod q).
An efficient method, replacing the usual binary right-to-left method, is to represent the private key using the Chinese Remainder Theorem (CRT). The private key is represented as a quintuple (p, q, dp, dq, qInv), where p and q are the prime factors of n, dp and dq are known as the CRT exponents, and qInv is the CRT coefficient. The CRT method of decryption is four times faster overall than calculating m = c^d (mod n). The extra values for the private key are:
These are pre-computed and saved along with p and q as the private key. To compute the message m given c, do the following:
m1 = c^dp mod p
m2 = c^dq mod q
h = qInv (m1 - m2) mod p
m = m2 + h q
Even though there are more steps in this procedure, the modular exponentiation to be
carried out uses much shorter exponents and so it is less expensive overall.
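The RSA-CRT key generation of this section (dp and dq chosen first, d recovered through d = 2d' + 1) together with the four CRT decryption steps just listed, as an added example that is not from the paper. The primes, dp and dq are constructed toy values; `garner` is my name for the h/m recombination above, and the same function combines d' from its two halves.

```python
from math import gcd

# Added example (not from the paper): the RSA-CRT key generation described above
# (dp, dq chosen first, d recovered via d = 2d' + 1) and decryption with the
# quintuple (p, q, dp, dq, qInv). All primes and exponents are toy-sized constants.

def garner(ap, aq, p, q, q_inv):
    """Combine x ≡ ap (mod p), x ≡ aq (mod q) for coprime p, q, given
    q_inv = q^-1 mod p: h = qInv (ap - aq) mod p and x = aq + h q."""
    h = q_inv * (ap - aq) % p
    return aq + h * q

def rsa_crt_keygen(p, q, dp, dq):
    """Returns the public key (n, e), the CRT private key and, for comparison
    only, the full exponent d (a real implementation would not keep d)."""
    assert gcd(p - 1, q - 1) == 2, "the scheme needs gcd(p-1, q-1) = 2"
    assert gcd(dp, p - 1) == 1 and gcd(dq, q - 1) == 1 and dp % 2 == dq % 2
    # p-1 and q-1 are both even, so cancel the common factor 2 and solve
    # d' ≡ (dp-1)/2 (mod (p-1)/2), d' ≡ (dq-1)/2 (mod (q-1)/2) by CRT; d = 2d' + 1.
    hp, hq = (p - 1) // 2, (q - 1) // 2                  # coprime by the gcd = 2 condition
    d = 2 * garner((dp - 1) // 2, (dq - 1) // 2, hp, hq, pow(hq, -1, hp)) + 1
    assert d % (p - 1) == dp % (p - 1) and d % (q - 1) == dq % (q - 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = pow(d, -1, phi)                                  # exists because gcd(d, phi) = 1
    return (n, e), (p, q, dp, dq, pow(q, -1, p)), d

def encrypt(m, public):
    n, e = public
    return pow(m, e, n)

def decrypt_crt(c, private):
    p, q, dp, dq, q_inv = private
    m1 = pow(c, dp, p)        # c^dp mod p, equal to c^d mod p since dp ≡ d (mod p-1)
    m2 = pow(c, dq, q)        # c^dq mod q, equal to c^d mod q
    return garner(m1, m2, p, q, q_inv)

def demo():
    # constructed toy parameters: gcd(106, 112) = 2; dp = 37 and dq = 45 are both odd
    public, private, d = rsa_crt_keygen(107, 113, 37, 45)
    c = encrypt(4242, public)
    # CRT decryption agrees with the plain m = c^d mod n; d itself comes out as 3853
    return decrypt_crt(c, private), pow(c, d, public[0]), d

if __name__ == "__main__":
    print(demo())
```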
Rebalanced RSA-CRT
We shall now look into another RSA variant, the Rebalanced RSA-CRT. The main aim of Rebalanced RSA-CRT is to speed up RSA decryption by shifting the work to the encrypter. This behaviour is particularly useful for RSA decryption in mobile devices like cellular phones, whose operating life is limited by the battery. Rebalanced RSA-CRT decryption is over three times faster than standard RSA. The only difference between RSA-CRT and Rebalanced RSA-CRT is in choosing the values of dp and dq. In Rebalanced RSA-CRT, the sizes of e and d are of the order of φ(n), whereas in standard RSA e is usually a 16-bit or 32-bit integer.
4.2. SUM UP
The main drawback of this scheme is that the task of the encrypter is enormous, even for a high-end computer. But since it is a one-time act, it does not matter much in the long run.
5. CONCLUSIONS
Here we discussed the mathematics behind the Chinese Remainder Theorem and studied its application to a k-threshold system for secret sharing. We also saw how its use in certain RSA variants like RSA-CRT and Rebalanced RSA-CRT significantly reduces the computation time by eliminating the need for modular exponentiation.
6. ACKNOWLEDGEMENTS
I would like to thank Mr. P. V. Kiran Kumar for his patient proofreading.