THE CHINESE REMAINDER THEOREM INTRODUCED IN A GENERAL CONTEXT
Introduction
The first Chinese problem in indeterminate analysis is encountered in a book written by the Chinese
mathematician Sun Tzi. The problem states: There are things of an unknown number which when
divided by 3 leave 2, by 5 leave 3, and by 7 leave 2. What is the smallest number?
This rudimentary question in Elementary Number Theory is best solved using the Chinese Remainder
Theorem (CRT). In general, the CRT can be interpreted as a consequence of the existence of a
ring-isomorphism between the rings Z_{r_1···r_n} and Z_{r_1} × ··· × Z_{r_n}. This lecture aims to provide
techniques to solve such sets of congruences and extends the use of the CRT to polynomials.
In the end, the RSA public key encryption algorithm is discussed and one important application of the
CRT during the decryption process in RSA is explained.
Direct Products
Definition: Direct Products of Rings:
The direct product of the commutative rings A_1, ..., A_r with identity element is defined as the set
A := A_1 × ··· × A_r
with componentwise addition and multiplication. For (x_1, ..., x_r), (y_1, ..., y_r) ∈ A we thus know:
(x_1, ..., x_r) + (y_1, ..., y_r) := (x_1 + y_1, ..., x_r + y_r)
and
(x_1, ..., x_r) · (y_1, ..., y_r) := (x_1 y_1, ..., x_r y_r)
The Chinese Remainder Theorem
For pairwise coprime r_1, ..., r_n ∈ Z the map
ψ: Z_{r_1···r_n} → Z_{r_1} × ··· × Z_{r_n},
   k + r_1···r_n Z ↦ (k + r_1 Z, ..., k + r_n Z)
is a ring-isomorphism (meaning a bijective, additive and multiplicative homomorphism).
Notice that this proof is not constructive. It only proves the existence of a solution of a set of
simultaneous congruences, yet it does not give an algorithm that calculates those solutions. This
proof has an advantage over the constructive proof of the CRT: it is more abstract and allows important
implications later on.
Proof: ψ is well defined and injective: For r := r_1···r_n we know that
k + rZ = l + rZ ⇔ r | l − k
              ⇔ r_i | l − k  ∀i ∈ [n]
              ⇔ k + r_i Z = l + r_i Z  ∀i ∈ [n]
              ⇔ ψ(k + rZ) = ψ(l + rZ)
Since we know
|Z_r| = r = ∏_{i=1}^{n} r_i = ∏_{i=1}^{n} |Z_{r_i}| = |Z_{r_1} × Z_{r_2} × ··· × Z_{r_n}|,
ψ is also surjective and therefore bijective. It follows from the definition of the operations that ψ is
both additive and multiplicative. Hence, ψ is a ring-isomorphism.
The ring-isomorphism ψ is equivalent to the following statement of the Chinese Remainder Theorem:
For pairwise coprime r_1, ..., r_n ∈ Z and arbitrary a_1, ..., a_n ∈ Z there exists modulo
r_1···r_n = r exactly one k ∈ Z with
k ≡ a_i (mod r_i)  ∀i ∈ [n]
General algorithm to solve systems of congruences: (Repetition from Number Theory)
To solve a system of congruences of the form
k ≡ a_i (mod r_i)  ∀i ∈ [n]
with pairwise coprime r_1, ..., r_n ∈ Z and arbitrary a_1, ..., a_n ∈ Z take the following steps:
• Set r := r_1···r_n and s_i := r/r_i for i ∈ [n]
• Find k_i ∈ Z with s_i k_i ≡ 1 (mod r_i) for i ∈ [n]
• Then k = s_1 k_1 a_1 + ··· + s_n k_n a_n is a solution of the above system of congruences. The set of
  solutions is k + rZ.
• Example
x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
x ≡ 2 (mod 7)
r = 105, s_1 = 35, s_2 = 21, s_3 = 15
• find k_1, k_2, k_3 satisfying:
35k_1 ≡ 1 (mod 3)
21k_2 ≡ 1 (mod 5)
15k_3 ≡ 1 (mod 7)
k_1 = 2, k_2 = 1, k_3 = 1.
• Solution
x = (5 · 7) · 2 · 2 + (3 · 7) · 1 · 3 + (3 · 5) · 1 · 2 = 233 ≡ 23 (mod 105)
Here (5 · 7) · 2 ≡ 1 (mod 3), so the first summand is ≡ 2 (mod 3); (3 · 7) · 1 ≡ 1 (mod 5), so the second
summand is ≡ 3 (mod 5); and (3 · 5) · 1 ≡ 1 (mod 7), so the third summand is ≡ 2 (mod 7).
Intuitively, you construct a set of summands such that each summand contains factors congruent to 0
modulo the other moduli. The only difficult thing is to find the k_i.
• With small numbers a fast solution is trying some numbers. There are only 4 numbers to check if it's
  mod 5!
• The extended Euclidean algorithm does always work, though it takes longer: you need the form
  at + bs = gcd(a, b):
  (r/r_i) · k_i ≡ 1 (mod r_i)  ⇔  (r/r_i) k_i + r_i c = 1 = gcd(r/r_i, r_i)  (c ∈ Z)
• Example with k_1 of the above problem: get the form at + bs = gcd(a, b):
  (5 · 7) · k_1 ≡ 1 (mod 3)  ⇔  (5 · 7) k_1 + 3c = 1 = gcd((5 · 7), 3)  (c ∈ Z)
  Now k_1 can be computed with the extended Euclidean algorithm:
  35 = 11 · 3 + 2  ⇔  2 = 1 · 35 − 11 · 3
  3 = 1 · 2 + 1    ⇔  1 = 1 · 3 − 1 · 2 = 12 · 3 − 1 · 35
  k_1 = −1 ≡ 2 (mod 3)
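The three steps above carried out in code for the Sun Tzi system, as an added example written for this page (not the lecture's own code): crt_solve builds r, s_i and k_i exactly as described, finds each k_i with the extended Euclidean algorithm, and rejects moduli that are not pairwise coprime, the precondition the theorem needs.

```python
from functools import reduce
from math import gcd


def ext_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclidean algorithm: return (g, t, s) with a*t + b*s = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, t, s = ext_gcd(b, a % b)
    # From b*t + (a % b)*s = g and a % b = a - (a // b)*b we get a*s + b*(t - (a // b)*s) = g.
    return g, s, t - (a // b) * s


def crt_solve(residues: list[int], moduli: list[int]) -> tuple[int, int]:
    """Solve k ≡ a_i (mod r_i) for pairwise coprime r_i, following the lecture's three steps.

    Returns (k mod r, r) with r = r_1 ··· r_n; the full solution set is k + rZ.
    """
    if len(residues) != len(moduli):
        raise ValueError("need exactly one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    r = reduce(lambda x, y: x * y, moduli, 1)  # step 1: r := r_1 ··· r_n
    k = 0
    for a_i, r_i in zip(residues, moduli):
        s_i = r // r_i                          # s_i := r / r_i
        g, k_i, _ = ext_gcd(s_i, r_i)           # step 2: s_i*k_i + r_i*c = 1 = gcd(s_i, r_i)
        assert g == 1                           # guaranteed by the coprimality check above
        k += s_i * k_i * a_i                    # step 3: k = Σ s_i k_i a_i
    return k % r, r


if __name__ == "__main__":
    # Sun Tzi's problem from the introduction: x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
    print(crt_solve([2, 3, 2], [3, 5, 7]))  # (23, 105)
```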
The proof that such k_i exist is indirectly given by the extended Euclidean algorithm and can be found
here¹. Since r_i and s_i are coprime for all i ∈ [n], one can find those k_i using the extended Euclidean
algorithm.
Example with Polynomials:
• Assume p(x) is a polynomial with the following characteristics:
  p(x)/(x − 1) = q(x) + 3/(x − 1)
  p(x)/(x − 2) = z(x) + 2/(x − 2)
  p(x)/(x − 3) = w(x) + (−1)/(x − 3)
• Find p(x).
Solution: Using the CRT for Polynomials, we find:
r(x) = (x − 1)(x − 2)(x − 3)
and we set
• r_1 = (x − 1), a_1 = 3
• r_2 = (x − 2), a_2 = 2
• r_3 = (x − 3), a_3 = −1
Using Long Division, we find (r/r_i) k_i ≡ 1 (mod r_i) ∀i ∈ {1, 2, 3}:
• (x − 2)(x − 3) k_1 ≡ 1 (mod (x − 1)) ⇒ k_1 = 1/2
• (x − 1)(x − 3) k_2 ≡ 1 (mod (x − 2)) ⇒ k_2 = −1
• (x − 1)(x − 2) k_3 ≡ 1 (mod (x − 3)) ⇒ k_3 = 1/2
Therefore, we find:
p(x) = (x − 2)(x − 3) · (1/2) · 3 + (x − 1)(x − 3) · (−1) · 2 + (x − 1)(x − 2) · (1/2) · (−1) = −x² + 2x + 2
Remark: The CRT can be extended to polynomials as long as the moduli r_i are pairwise coprime!
¹ Karpfinger/Meyberg, Algebra, Lemma 5.13
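The polynomial example above as an added example (not from the lecture): the same CRT steps over Q[x] with linear moduli (x − c_i), where the inverse k_i of s_i(x) modulo (x − c_i) is the constant 1/s_i(c_i) because p(c) is the remainder of p modulo (x − c). It generalises to any number of distinct c_i (Lagrange interpolation in CRT form); coefficient lists are stored lowest degree first, and the helper names are this example's own.

```python
from fractions import Fraction

Poly = list[Fraction]  # [c0, c1, c2, ...] stands for c0 + c1 x + c2 x^2 + ...


def poly_add(p: Poly, q: Poly) -> Poly:
    n = max(len(p), len(q))
    return [(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0) for i in range(n)]


def poly_mul(p: Poly, q: Poly) -> Poly:
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out


def poly_eval(p: Poly, x: Fraction) -> Fraction:
    """Horner's scheme; p(c) is also the remainder of p modulo (x - c)."""
    acc = Fraction(0)
    for coef in reversed(p):
        acc = acc * x + coef
    return acc


def crt_poly(points: list[tuple[int, int]]) -> Poly:
    """Find p(x) with p(x) ≡ a_i (mod (x - c_i)) for points = [(c_i, a_i), ...].

    s_i(x) = Π_{j≠i} (x - c_j) and k_i = 1 / s_i(c_i), so s_i k_i ≡ 1 (mod (x - c_i));
    p = Σ s_i k_i a_i has degree n-1 < deg r(x) and is therefore already reduced modulo r(x).
    """
    roots = [c for c, _ in points]
    if len(set(roots)) != len(roots):
        raise ValueError("moduli (x - c_i) must be pairwise coprime, i.e. the c_i distinct")
    p: Poly = [Fraction(0)]
    for c_i, a_i in points:
        s_i: Poly = [Fraction(1)]
        for c_j in roots:
            if c_j != c_i:
                s_i = poly_mul(s_i, [Fraction(-c_j), Fraction(1)])  # multiply by (x - c_j)
        k_i = 1 / poly_eval(s_i, Fraction(c_i))                       # inverse of s_i mod (x - c_i)
        p = poly_add(p, [coef * k_i * a_i for coef in s_i])
    return p


if __name__ == "__main__":
    # p(1) = 3, p(2) = 2, p(3) = -1 from the example above.
    print(crt_poly([(1, 3), (2, 2), (3, -1)]))  # [2, 2, -1], i.e. -x^2 + 2x + 2
```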
The RSA Algorithm
The RSA Algorithm is the first public-key encryption system ever developed and has become an important
factor in many of today's applications. Its security largely depends on the factoring problem: prime
factorization requires splitting an integer into factors that are prime numbers. Multiplying two prime
integers together is easy, but as far as we know, factoring the product of two (or more) prime numbers is
difficult.
• Key-Generation
First, two large prime numbers p and q are randomly chosen. Their product, n = p · q, is found and
stored. n is called the RSA modulus and is used as a modulus for both encryption and decryption.
Next, another prime number e with 1 < e < ϕ(n) = (p − 1)(q − 1) and gcd(e, ϕ(n)) = 1 is chosen. e is
called the public exponent.
Additionally, a natural number d with 1 < d < ϕ(n) and d · e ≡ 1 (mod ϕ(n)) is computed. This number is
found using the extended Euclidean algorithm.
The public key consists of the tuple (n, e) and the private key is d.
• Encryption
The sender encrypts a message k using the encryption function:
E(k) = k^e mod n
Since (n, e) is public, anybody can encrypt messages.
• Decryption
The receiver decrypts the code c using the decryption function:
D(c) = c^d mod n
Since d is private and can only be calculated knowing (p, q), which are also private, only those who
know the private key d can decrypt messages.
A thorough proof of the RSA Algorithm
This proof probably is not the most elegant way to prove the RSA Algorithm. Our goal here is to
explain every step using only elementary number theory. We try to avoid statements such as "Clearly
it follows...", "As an obvious consequence..." and others you will find in most text books.
The Problem.
Given positive integers n, e, d such that
(1) n = p · q, where p and q are distinct primes
(2) gcd(e, ϕ(n)) = 1 (This requirement is necessary to ensure that the modular inverse in (3) exists)
(3) ed ≡ 1 (mod ϕ(n))
(4) Define the public key transformation of a message m for 0 ≤ m < n to be E(m) = m^e mod n (Encryption)
(5) Define the private key transformation of a message m for 0 ≤ m < n to be D(m) = m^d mod n (Decryption)
(6) Prove that, for 0 ≤ m < n, m = D(E(m)).
Concepts from Number Theory we Need for the Proof.
(1) A prime number is defined as an integer, greater than one, which is only divisible by the number one
    and itself.
(2) Two numbers a and b which have no common factors other than one are said to be coprime.
(3) The greatest common divisor of two integers a and b is the largest integer that divides both numbers.
(4) a and b are coprime if and only if gcd(a, b) = 1.
(5) The notation "mod" as a binary operation: The notation "a = b mod n" defines a binary operation where
    a is equal to the remainder on dividing b by n, 0 ≤ a < n.
(6) If mn | a then m | a and n | a for any integers m, n.
(7) n | a means n divides a and thus there exists an integer d such that a = n · d.
(8) The notation "mod" as a congruence relation: The notation "a ≡ b (mod n)" means
    (a) n | a − b, or, equivalently,
    (b) a − b = nk with k ∈ N.
(9) The two ways of using "mod" are related: a ≡ b (mod n) ⇔ a mod n = b mod n, i.e. a and b have the same
    remainder when divided by n.
(10) Properties of Congruence: for a fixed positive integer n and any integers a, b, c, d:
    (a) a ≡ a (mod n)
    (b) a ± b ≡ b ± a (mod n)
    (c) ab ≡ ba (mod n)
    (d) abc ≡ (ab)c ≡ a(bc) (mod n)
    (e) If a ≡ b (mod n) then b ≡ a (mod n)
    (f) If a ≡ b (mod n) and b ≡ c (mod n) then a ≡ c (mod n)
    (g) If a ≡ b (mod n) and c ≡ d (mod n) then a ± c ≡ b ± d (mod n) and ac ≡ bd (mod n)
    (h) If a ≡ b (mod n) then a^r ≡ b^r (mod n), for any integer r ≥ 1
    (i) a ≡ 0 (mod n) if and only if n | a
(11) If m and n are coprime and a ≡ b (mod n) and a ≡ b (mod m) then a ≡ b (mod mn).
(12) ϕ(n) is the Euler phi function or totient function defined to be the number of positive integers not
    exceeding n which are relatively prime to n.
(13) For any prime p, ϕ(p) = p − 1.
(14) If m and n are coprime, then ϕ(m)ϕ(n) = ϕ(mn).
(15) Fermat's little Theorem: If p is a prime and a is any integer, then a^p ≡ a (mod p). If gcd(a, p) = 1,
    then a^(p−1) ≡ 1 (mod p).
The Solution.
The proof is based on the fact that the modulus n is the product of two numbers p and q which - because
they are primes and not equal - are coprime to each other.
Proof:
From equations (4) and (5) we find that
D(E(m)) = (m^e mod n)^d mod n = m^(ed) mod n.
If we can prove that m = m^(ed) mod n we will be done.
We know from equation (3) that ed ≡ 1 (mod ϕ(n)). Using (8a), this can be expressed as
ϕ(n) | ed − 1
Since p and q are coprime, we know by (14) that ϕ(n) = ϕ(p)ϕ(q). Therefore we find
ϕ(p)ϕ(q) | ed − 1
Now we use (6) to split the above expression into two:
ϕ(p) | ed − 1  and  ϕ(q) | ed − 1
This can be rewritten using (8b): ed − 1 = kϕ(p). Since p is prime it follows from (13) that
ed − 1 = k(p − 1)  (∗)
Now consider the case of any integer m raised to the power ed modulo p. We can say that
m^(ed) ≡ m^(ed−1+1) (mod p)  or  m^(ed) ≡ m^(ed−1) · m (mod p)
Substituting (∗) for ed − 1 we get
m^(ed) ≡ m^(k(p−1)) · m (mod p)  (∗∗)
Since p is prime, we need to consider two cases.
Case 1: p and m are coprime, so gcd(p, m) = 1. Fermat's little Theorem (15) tells us that
m^(p−1) ≡ 1 (mod p)
By (10h) we can raise this to the power of any positive integer k to get
m^(k(p−1)) ≡ 1^k ≡ 1 (mod p)
Combining this result with (∗∗) we obtain
m^(ed) ≡ 1 · m (mod p)  and so  m^(ed) ≡ m (mod p)
Case 2: m is an exact multiple of p, so gcd(m, p) = p. m to the power of any positive integer will still be
divisible by p (if p | m then p also divides m^(ed)) and by (10i) we have
m^(ed) ≡ 0 (mod p)
Since p divides m, m ≡ 0 (mod p), so we have
m^(ed) ≡ 0 ≡ m (mod p)
Thus, for all m,
m^(ed) ≡ m (mod p)
By the same argument we can derive that m^(ed) ≡ m (mod q). Since p and q are coprime by definition, we
can use (11) to combine the above results:
m^(ed) ≡ m (mod pq) ≡ m (mod n)
By symmetry (10e) we find that m ≡ m^(ed) (mod n). Since we limit m to 0 ≤ m < n, there will only be one
integer solution to this congruence relation. Thus
m = m^(ed) mod n
Worked Example
• Choose p = 11 and q = 7 ⇒ n = 11 · 7 = 77
• Calculate ϕ(n) = (11 − 1) · (7 − 1) = 60
• Choose e = 13
• Find d with 13 · d ≡ 1 (mod 60) using the extended Euclidean algorithm:
  60 = 4 · 13 + 8 ⇔ 8 = 1 · 60 − 4 · 13
  13 = 1 · 8 + 5 ⇔ 5 = 1 · 13 − 1 · 8 = 1 · 13 − 1 · 60 + 4 · 13 = 5 · 13 − 1 · 60
  8 = 1 · 5 + 3 ⇔ 3 = 1 · 8 − 1 · 5 = 1 · 60 − 4 · 13 − 5 · 13 + 1 · 60 = 2 · 60 − 9 · 13
  5 = 1 · 3 + 2 ⇔ 2 = 1 · 5 − 1 · 3 = 5 · 13 − 1 · 60 − 2 · 60 + 9 · 13 = 14 · 13 − 3 · 60
  3 = 1 · 2 + 1 ⇔ 1 = 1 · 3 − 1 · 2 = 2 · 60 − 9 · 13 − 14 · 13 + 3 · 60 = 5 · 60 − 23 · 13
  1 = gcd(e, ϕ(n)) = k · ϕ(n) + d · e = 5 · 60 − 23 · 13
  ⇒ d ≡ −23 (mod 60) ⇒ d = 37
• Encrypt the message k = 2:
  c = 2^13 (mod 77) = 8192 (mod 77) = 30 (mod 77) ⇒ c = 30
• Decrypt the code c = 30:
  30^37 (mod 77) = 2 (mod 77) ⇒ k = 2
The Chinese Remainder Theorem Applied in the Decryption Process of RSA
The decryption of RSA requires exponentiation modulo n. The decryption efficiency increases with
smaller values of the exponent d. Since the modulus n used in RSA encryption and decryption usually is
1024 bit long, the decryption requires 1024 squarings modulo n and 512 multiplications modulo n.
• What you do: Knowing d, p, q calculate
  m_p = c^d mod p
  m_q = c^d mod q
  Then, using the CRT, solve
  m ≡ m_p (mod p)
  m ≡ m_q (mod q)
  To solve the congruence, calculate whole numbers y_p and y_q with y_p p + y_q q = 1 and set
  m = (m_p y_q q + m_q y_p p) mod n.
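Key generation, encryption and decryption as described in the RSA section, together with the CRT recombination of this section, worked through on the lecture's values p = 11, q = 7, e = 13: an added example, not the lecture's code. pow(x, -1, m) is Python's built-in modular inverse and stands in for the extended Euclidean algorithm; the parameters are toy-sized to mirror the text.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple[int, int, int]:
    """Return (n, e, d) as in the lecture: n = p*q, 1 < e < ϕ(n) coprime to ϕ(n), d = e^-1 mod ϕ(n)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < ϕ(n) and gcd(e, ϕ(n)) = 1, otherwise d does not exist")
    d = pow(e, -1, phi)  # modular inverse; Python computes it via the extended Euclidean algorithm
    return n, e, d


def rsa_encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)  # E(m) = m^e mod n


def rsa_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)  # D(c) = c^d mod n, one exponentiation modulo n


def rsa_decrypt_crt(c: int, p: int, q: int, d: int) -> int:
    """D(c) computed modulo p and q separately and recombined with the CRT, as in the text."""
    m_p = pow(c, d, p)            # m_p = c^d mod p  (in practice d is first reduced mod p-1)
    m_q = pow(c, d, q)            # m_q = c^d mod q
    y_q = pow(q, -1, p)           # y_q*q ≡ 1 (mod p)
    y_p = (1 - y_q * q) // p      # exact division, so y_p*p + y_q*q = 1 (Bezout coefficients)
    return (m_p * y_q * q + m_q * y_p * p) % (p * q)


if __name__ == "__main__":
    n, e, d = rsa_keygen(11, 7, 13)        # (77, 13, 37)
    c = rsa_encrypt(2, n, e)               # 30
    print(rsa_decrypt(c, n, d), rsa_decrypt_crt(c, 11, 7, d))  # 2 2
```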
Exercises
Easy ones: (use the CRT!).
a): Replace stars with digits so that 454** is divisible by 2, 7 and 9.
b): Peter prepared some lollipops for his party. If he divides them evenly for five people, then two
pieces will be left over. If he divides them for four people one lollipop will be left. But he can
divide them evenly for three people. What is the smallest number of lollipops Peter could have had?
c): find solutions of the system:
4x ≡ 2 (mod 6)
3x ≡ 5 (mod 7)
2x ≡ 4 (mod 11)
d): 2x ≡ 11 (mod 2275)
e): 5832 · 6639 mod 840
Five Pirates and a Monkey.
Five pirates and a monkey are shipwrecked on an island. The pirates have collected a pile of coconuts
which they plan to divide equally among themselves the next morning. Not trusting the others, one
pirate wakes up during the night and divides the coconuts into five equal parts with one left over,
which he gives to the monkey. The pirate then hides his portion of the pile. During the night, each of
the other pirates does exactly the same thing by dividing the pile he finds into five equal parts leaving
one coconut for the monkey and hiding his portion. In the morning, the pirates gather and split the
remaining pile of coconuts into five equal parts and again one is left over for the monkey. What is the
smallest number of coconuts the pirates could have collected for their original pile?
Eggs in the Basket.
(From Brahmagupta, 7th century A.D.) A girl was carrying a basket of eggs, and a man driving a horse hit
the basket and broke all the eggs. Wishing to pay for the damage, he asked the girl how many eggs there
were. The girl said she did not know, but she remembered that when she counted them by twos, there was
one left over; when she counted them by threes, there were two left over; when she counted them by
fours, there were three left over; when she counted them by fives, there were four left; and when she
counted them by sixes, there were five left over. Finally, when she counted them by sevens, there were
none left over. `Well,' said the man, `I can tell you how many you had.' What was his answer?
Putnam 1955:
Do there exist 1,000,000 consecutive integers each of which contains a repeated prime factor?
Putnam 2006:
Alice and Bob play a game in which they take turns removing stones from a heap that initially has n
stones. The number of stones removed at each turn must be one less than a prime number. The winner is
the player who takes the last stone. Alice plays first. Prove that there are infinitely many n such that
Bob has a winning strategy. (For example, if n = 17, then Alice might take 6 leaving 11; then Bob might
take 1 leaving 10; then Alice can take the remaining stones to win.)