
Cryptography and Information Security

Fall, 2002

Module 2
Chinese Remainder Theorem, Discrete Logarithms

Chinese Remainder Theorem (CRT) – Why?

• used to speed up modulo computations
• working modulo a product of numbers
– e.g. mod M = m1*m2*...*mk
• the Chinese Remainder Theorem lets us work in each modulus mi separately
• since computational cost is proportional to size, this is faster than working in the full modulus M

CRT
• If one variable x satisfies a set of congruence equations with different moduli, and the moduli are pairwise relatively prime, then the CRT states that x has a unique solution modulo M = m1*m2*...*mk.
• x mod m1 = a1
• x mod m2 = a2
• ... x mod mk = ak
• x = (a1*M1*M1^(-1) + a2*M2*M2^(-1) + ... + ak*Mk*Mk^(-1)) mod M, where Mi = M/mi and Mi^(-1) is the inverse of Mi modulo mi
• provided gcd(mi, mj) = 1 for all i, j from 1 to k with i != j

Procedure to solve using CRT
• Step 1: Extract / calculate m1, m2, ..., mk
• Step 2: M = m1*m2*m3*...*mk
• Step 3: Mi = M/mi, i.e. M1 = M/m1, M2 = M/m2, ...
• Step 4: Extract / calculate a1, a2, ..., ak
• Step 5: Calculate Mi^(-1), the inverse of Mi modulo mi, for all i = 1 to k
• Step 6: Calculate x = (a1*M1*M1^(-1) + a2*M2*M2^(-1) + ... + ak*Mk*Mk^(-1)) mod M

Example
• x mod 3 = 2, x mod 5 = 3, x mod 7 = 2. Solve for x.

ai   mi   M     Mi   Mi^(-1)
2    3    105   35   2
3    5    105   21   1
2    7    105   15   1

• M = m1*m2*m3 = 105
• M1 = 105/m1 = 35, M2 = 105/m2 = 21, M3 = 105/m3 = 15
• M1 * M1^(-1) mod m1 = 1 → 35 * M1^(-1) mod 3 = 1 → M1^(-1) = 2
• M2 * M2^(-1) mod m2 = 1 → 21 * M2^(-1) mod 5 = 1 → M2^(-1) = 1
• M3 * M3^(-1) mod m3 = 1 → 15 * M3^(-1) mod 7 = 1 → M3^(-1) = 1
• x = (a1*M1*M1^(-1) + a2*M2*M2^(-1) + a3*M3*M3^(-1)) mod M
• x = (2*35*2 + 3*21*1 + 2*15*1) mod 105 = 233 mod 105
• x = 23

CRT with non co-prime moduli
• If one variable x satisfies a set of congruence equations with different moduli, then the CRT states that x has a unique solution for all the moduli.
• x mod m1 = a1
• x mod m2 = a2
• ... x mod mk = ak
• where gcd(mi, mj) = 1 might not be true for all i, j, but
• gcd(mi, mj) divides ai - aj for all 1 <= i, j <= k, i != j
• Moreover, if a solution exists, then it is unique modulo L (where L = lcm(m1, m2, ..., mk)).
• The modification required is to find a new set of ni, for i from 1 to k, s.t. they are co-prime to each other and L = n1*n2*...*nk
• Generate sj, for all j from 1 to k, s.t. sj (mod L/nj) = 0 AND sj (mod nj) = 1
• Solve x = (a1*s1 + a2*s2 + ... + ak*sk)
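
Added example (not part of the original slides): a Python sketch of the six-step procedure above for pairwise co-prime moduli, together with a general solver for the non co-prime case. The general solver merges the congruences pairwise instead of using the ni / sj construction from the slide; the function names are this example's own, and Python 3.8+ is assumed for pow(x, -1, m).

```python
from math import gcd

def crt_coprime(residues, moduli):
    """Steps 1-6 from the slides; moduli must be pairwise co-prime."""
    M = 1
    for m_i in moduli:                      # Step 2: M = m1*m2*...*mk
        M *= m_i
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i                      # Step 3: Mi = M/mi
        # Step 5: inverse of Mi modulo mi. pow() raises ValueError when
        # gcd(Mi, mi) != 1, i.e. when the moduli are not co-prime.
        M_i_inv = pow(M_i, -1, m_i)
        x += a_i * M_i * M_i_inv            # Step 6: accumulate ai*Mi*Mi^(-1)
    return x % M, M

def crt_general(residues, moduli):
    """Moduli may share factors. Returns (x, L) with L = lcm of the moduli,
    or None when some gcd(mi, mj) does not divide ai - aj."""
    x, L = 0, 1                             # invariant: answer so far is x mod L
    for a, m in zip(residues, moduli):
        g = gcd(L, m)
        if (a - x) % g != 0:
            return None                     # consistency condition fails
        # Find t with x + L*t = a (mod m):  (L/g)*t = (a - x)/g  (mod m/g)
        reduced = m // g
        inv = pow(L // g, -1, reduced) if reduced > 1 else 0
        t = ((a - x) // g * inv) % reduced
        x += L * t
        L = L // g * m                      # lcm(L, m)
        x %= L
    return x, L

if __name__ == "__main__":
    print(crt_coprime([2, 3, 2], [3, 5, 7]))   # the worked example on the slides
    print(crt_general([2, 4], [4, 6]))         # constructed input, gcd(4, 6) = 2
    print(crt_general([1, 2], [4, 6]))         # constructed input, inconsistent
```
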

Primitive Roots
• from Euler's theorem we have a^ø(n) mod n = 1
• consider a^m mod n = 1, with GCD(a,n) = 1
– must exist for m = ø(n) but may be smaller
– once powers reach m, cycle will repeat
• if the smallest such m is m = ø(n) then a is called a primitive root
• if p is prime, then successive powers of a "generate" the group mod p
• these are useful but relatively hard to find

Discrete Logarithms
• the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p
• that is, to find x where a^x = b mod p
• written as x = log_a b mod p or x = dlog_a,p(b)
• if a is a primitive root then x always exists, otherwise it may not
– x = log_3 4 mod 13 (x s.t. 3^x = 4 mod 13) has no answer
– x = log_2 3 mod 13 = 4 by trying successive powers
• whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem

Simple Example
• If we take a prime number, 7, and one of its primitive roots, say, 5
• 5^x mod 7 can be calculated easily if x is given
• However, if 5^x mod 7 = 3 is given, finding x is difficult, as one has to try out 7-1 = 6 cases, substituting each for x, to get the unique remainder 3. This is true because a primitive root of a prime number n will generate n-1 unique remainder values. Here x = 5.
• If the prime number n is very large, it becomes practically impossible to try out the n-1 computations to get to the answer.
