2. Sunzi Suanjing (《孫子算經》), Volume 2, Problem 26
Written between AD 300 and AD 470; the exact time of writing is not known.
There is a quantity whose number is unknown.
Counted by threes, the remainder is 2.
Counted by fives, the remainder is 3.
Counted by sevens, the remainder is 2.
What is the quantity?
In today’s notation:
X ≡ 2 mod 3
X ≡ 3 mod 5
X ≡ 2 mod 7
Find X
3. Solution to CRT
• X ≡ a1 mod m1
• X ≡ a2 mod m2
• X ≡ a3 mod m3
• X ≡ ( a1*m2*m3*((m2*m3)^-1 mod m1) +
        a2*m1*m3*((m1*m3)^-1 mod m2) +
        a3*m1*m2*((m1*m2)^-1 mod m3)
      ) mod (m1*m2*m3)
• a^-1 mod m is the modular inverse of a modulo m (the "inverse modulus" below); see the next slide
4. Inverse Modulus (modular inverse)
• a^-1 mod m
• a and m must be relatively prime
• There exists a value t such that a*t = m*x + 1 (for some integer x)
• t is the modular inverse of a: t ≡ a^-1 mod m
• It can also be expressed as a*t ≡ 1 mod m
• The inverse can be found by trial and error, or by the Extended Euclidean Algorithm (擴展歐幾里得算法)
  – which is the Euclidean Algorithm run backwards
5. Chinese Remainder Theorem in Sunzi Suanjing (孫子算經)
• X ≡ 2 mod 3
• X ≡ 3 mod 5
• X ≡ 2 mod 7
• X ≡ ( 2*5*7*((5*7)^-1 mod 3) +
        3*3*7*((3*7)^-1 mod 5) +
        2*3*5*((3*5)^-1 mod 7)
      ) mod (3*5*7)
Note: CRT only works here because 3, 5 and 7 are pairwise relatively prime.
6. Find the inverse moduli
(5*7)^-1 mod 3 => 35^-1 mod 3 => 35*Y1 = 3*X1 + 1 => Y1 = 2, X1 = 23
(3*7)^-1 mod 5 => 21^-1 mod 5 => 21*Y2 = 5*X2 + 1 => Y2 = 1, X2 = 4
(3*5)^-1 mod 7 => 15^-1 mod 7 => 15*Y3 = 7*X3 + 1 => Y3 = 1, X3 = 2
7. Back to the original problem
• X ≡ 2 mod 3; X ≡ 3 mod 5; X ≡ 2 mod 7
• X ≡ ( 2*5*7*((5*7)^-1 mod 3) +
        3*3*7*((3*7)^-1 mod 5) +
        2*3*5*((3*5)^-1 mod 7)
      ) mod (3*5*7)
    ≡ ( 70*2 + 63*1 + 30*1 ) mod 105
    ≡ ( 140 + 63 + 30 ) mod 105
    ≡ 233 mod 105
• X = 23
8. CRT in general
• For
  X ≡ a1 mod m1
  X ≡ a2 mod m2
  …
  X ≡ ak mod mk
• and m1 to mk pairwise relatively prime,
• there exists a value of X where … (see the next slide)
9. CRT in general (cont.)
• M = m1 * m2 * … * mk
• M1 = M/m1 ; M2 = M/m2 ; … ; Mk = M/mk
• Find the inverse moduli
  y1 ≡ M1^-1 mod m1 ; y2 ≡ M2^-1 mod m2 ; … ; yk ≡ Mk^-1 mod mk
• X ≡ (a1*M1*y1 + a2*M2*y2 + … + ak*Mk*yk) mod M
10. What is the application of the Chinese Remainder Theorem?
• Cracking a low value of e in RSA
• RSA exponentiation with e is faster when e has very few 1 bits, such as
  3 (binary 11)
  17 (binary 10001)
  65537 (binary 10000000000000001)
• NEVER use 3 as e in RSA
  Why? See the next slide
11. Low value e RSA hacking
• Hacker H listens to all packets sent among A, B, C and F
• A sends the same message M to B, C and F using 3 different RSA public keys (eb, Kb), (ec, Kc), (ef, Kf)
• The values of eb, ec and ef are all 3
• The message M is encrypted as Mb, Mc, Mf
12. Low value e RSA hacking (cont.)
• Mb = M^eb mod Kb
• Mc = M^ec mod Kc
• Mf = M^ef mod Kf
With eb = ec = ef = 3, rearrange the left and right sides:
• M^3 ≡ Mb mod Kb
• M^3 ≡ Mc mod Kc
• M^3 ≡ Mf mod Kf
M^3 can be found using the Chinese Remainder Theorem (distinct RSA moduli that share no prime factor are pairwise relatively prime). Because M is smaller than each modulus, M^3 < Kb*Kc*Kf, so the CRT result is the integer M^3 itself and M is its cube root. You do not need to know db, dc or df.
13. Find 11^-1 mod 3220 by the Extended Euclidean Algorithm
• 3220 = 11 * 292 + 8 -> ( 8 = 3220 – 11 * 292 ) [1]
• 11 = 8 * 1 + 3 -> ( 3 = 11 – 8 * 1 ) [2]
• 8 = 3 * 2 + 2 -> ( 2 = 8 – 3 * 2 ) [3]
• 3 = 2 * 1 + 1 (the first phase finishes when the remainder is 1; start the second phase)
• Reverse the steps by rearranging the equations:
• 1 = 3 – 2 * 1 (using [3])
• 1 = 3 – (8 – 3 * 2) * 1
• 1 = 3 – 8 + 3 * 2
• 1 = 3 * 3 – 8 (using [2])
• 1 = (11 – 8 * 1) * 3 – 8
• 1 = 3 * 11 – 8 * 3 – 8
• 1 = 3 * 11 – 8 * 4 (using [1])
• 1 = 3 * 11 – (3220 – 11 * 292) * 4 (keep 11 and 3220 as two variables)
• 1 = 3 * 11 – 3220 * 4 + 4 * 11 * 292 (compute the other values)
• 1 = 11 * (3 + 4 * 292) – 3220 * 4
• 1 = 11 * 1171 – 3220 * 4 (the answer is 1171)
11^-1 mod 3220 = 1171
11 * t = 3220 * X + 1 (X is some number < 11)
Note: the Extended Euclidean Algorithm looks slower than trial and error here, but only in this special case, because 11 is small and at most 10 values need to be tried. When the value Y in Y^-1 mod M = R is large, the Extended Euclidean Algorithm is much faster.
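The general CRT of slide 9, the Extended Euclidean inverse of slide 13, and the e = 3 recovery of slides 11-12, as an added Python example that is not part of the slides; the toy RSA moduli used to exercise it (3127 = 53*59, 1927 = 41*47, 5893 = 71*83) and the message 1234 are constructed values, not from the deck.

```python
from itertools import combinations
from math import gcd

def ext_gcd(a, b):
    """Return (g, s, t) with a*s + b*t == g == gcd(a, b) (Extended Euclid)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def mod_inverse(a, m):
    """a^-1 mod m (slide 4); fails if a and m are not relatively prime."""
    g, s, _ = ext_gcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd is {g}")
    return s % m

def crt(residues, moduli):
    """X with X = a_i mod m_i for pairwise relatively prime m_i (slide 9)."""
    if any(gcd(p, q) != 1 for p, q in combinations(moduli, 2)):
        raise ValueError("moduli must be pairwise relatively prime")
    M = 1
    for m in moduli:
        M *= m
    total = 0
    for a, m in zip(residues, moduli):
        M_i = M // m
        total += a * M_i * mod_inverse(M_i, m)  # a_i * M_i * y_i
    return total % M

def integer_cube_root(n):
    """Exact integer cube root of n, or None if n is not a perfect cube."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None

def recover_unpadded_e3(ciphertexts, moduli):
    """Slides 11-12: same M, e = 3, three coprime moduli. M < each modulus,
    so M^3 < Kb*Kc*Kf and CRT returns M^3 itself; its cube root is M, with
    no private key needed. Randomised padding (RSA-OAEP) prevents this."""
    return integer_cube_root(crt(ciphertexts, moduli))
```

The deck's own numbers check out against these functions: mod_inverse(11, 3220) is 1171 and crt([2, 3, 2], [3, 5, 7]) is 23.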
14. About CRT
• The Chinese Remainder Theorem is used in many crypto-algorithms, as many crypto-algorithms depend on modular arithmetic
• It is a case where something invented long ago finds an application 1600 years later