The Chinese Remainder Theorem


Theorem. Let $n_1, \ldots, n_r$ be $r$ positive integers relatively prime in pairs. (That is, $\gcd(n_i, n_j) = 1$ whenever $1 \le i < j \le r$.) Let $a_1, \ldots, a_r$ be any $r$ integers. Then the $r$ congruences $x \equiv a_i \pmod{n_i}$ for $i = 1, \ldots, r$ have common solutions. Any two common solutions are congruent modulo $n = n_1 \cdots n_r$. The proof gives an algorithm for computing the common solution.

Proof: For $j = 1, \ldots, r$, the number $n/n_j$ is an integer and $\gcd(n/n_j, n_j) = 1$, so there is an integer $b_j$ such that $(n/n_j) b_j \equiv 1 \pmod{n_j}$. Clearly, $(n/n_j) b_j \equiv 0 \pmod{n_i}$ if $i \ne j$. Let
$$x_0 = \sum_{j=1}^{r} (n/n_j)\, b_j\, a_j.$$
Then
$$x_0 = \sum_{j=1}^{r} (n/n_j)\, b_j\, a_j \equiv \sum_{j=1}^{r} \delta_{ij}\, a_j \equiv a_i \pmod{n_i}.$$
Thus there is a common solution $x_0$. If $x_1$ is another common solution, then $n_i \mid (x_0 - x_1)$ for each $i$, so $n \mid (x_0 - x_1)$ because the moduli are relatively prime in pairs.

Example: Solve the system of congruences
$$x \equiv 1 \pmod{7}, \quad x \equiv 3 \pmod{10}, \quad x \equiv 8 \pmod{13}.$$
Note that the hypotheses of the Chinese remainder theorem are satisfied in this example because any two of the moduli 7, 10, 13 are relatively prime. We have $n_1 = 7$, $n_2 = 10$, $n_3 = 13$, $a_1 = 1$, $a_2 = 3$, $a_3 = 8$ and $n = 910$. Then $n/n_1 = 10 \cdot 13 \equiv 4 \pmod{7}$. The extended Euclidean algorithm gives $b_1 \equiv 4^{-1} \equiv 2 \pmod{7}$. Likewise, $b_2 \equiv 1^{-1} \equiv 1 \pmod{10}$ and $b_3 \equiv 5^{-1} \equiv 8 \pmod{13}$. Then
$$x \equiv 130 \cdot 2 \cdot 1 + 91 \cdot 1 \cdot 3 + 70 \cdot 8 \cdot 8 \equiv 463 \pmod{910}.$$
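The algorithm the proof gives, as an added Python example (not code from the lecture): `egcd` supplies each $b_j$ by the extended Euclidean algorithm, and `crt` assembles $x = \sum_j (n/n_j)\, b_j\, a_j$ and reduces it modulo $n$, reproducing 463 for the example above. The function names and the explicit pairwise-coprimality check are mine.

```python
from math import gcd, prod

def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def inverse_mod(a, m):
    """The b of the proof: a*b ≡ 1 (mod m). Raises ValueError when gcd(a, m) != 1."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m

def crt(residues, moduli):
    """Least non-negative x with x ≡ a_j (mod n_j) for every j, built as in the proof:
    x = sum_j (n/n_j) * b_j * a_j where (n/n_j) * b_j ≡ 1 (mod n_j), then reduced mod n."""
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    # The theorem applies only to pairwise coprime moduli; check rather than assume.
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    n = prod(moduli)
    x = 0
    for a_j, n_j in zip(residues, moduli):
        m_j = n // n_j                 # n/n_j, which is ≡ 0 modulo every other n_i
        b_j = inverse_mod(m_j, n_j)    # (n/n_j) * b_j ≡ 1 (mod n_j)
        x += m_j * b_j * a_j
    return x % n

if __name__ == "__main__":
    print(crt([1, 3, 8], [7, 10, 13]))   # the lecture's example: 463
```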

Solving $x^2 \equiv a \pmod{n}$

We have said nothing (so far) about whether one can solve $x^2 \equiv a \pmod{n}$ when $n$ is a composite number. We have also said nothing about how to solve it if it has a solution. There are probabilistic polynomial time algorithms (Tonelli and Cipolla) to compute square roots of QRs mod $p$, where $p$ is prime. They work well for numbers of hundreds of digits, but are too complicated to present here.

Here is a simple algorithm that finds square roots of QRs modulo any prime $p \equiv 3 \pmod{4}$, that is, it works for half of the primes. If $p \equiv 3 \pmod{4}$, then the solutions to $x^2 \equiv a \pmod{p}$ are $x_1 \equiv a^{(p+1)/4} \pmod{p}$ and $x_2 = p - x_1$. To see that this works, note that
$$x_1^2 \equiv a^{(p+1)/2} \equiv a \cdot a^{(p-1)/2} \equiv a \pmod{p}$$
since $a^{(p-1)/2} \equiv +1 \pmod{p}$ by Euler's Criterion and the fact that $a$ is a QR mod $p$. (When $a$ is a quadratic nonresidue modulo $p$, with $p \equiv 3 \pmod{4}$, $-a$ is a quadratic residue modulo $p$, and the formulas for $x_1$ and $x_2$ give the two square roots of $-a$ modulo $p$ because $x_1^2 \equiv a^{(p+1)/2} \equiv a \cdot a^{(p-1)/2} \equiv -a \pmod{p}$ since $a^{(p-1)/2} \equiv -1 \pmod{p}$ by Euler's Criterion and the fact that $a$ is a QNR mod $p$.)

Now I will tell you how to solve $x^2 \equiv a \pmod{n}$ when $n = pq$ is the product of two primes $p \equiv q \equiv 3 \pmod{4}$, an important special case. Separately solve $y^2 \equiv a \pmod{p}$, with solutions $y_1$ and $y_2$, and $z^2 \equiv a \pmod{q}$, with solutions $z_1$ and $z_2$. Then use the CRT four times to solve the four systems $x \equiv y_i \pmod{p}$, $x \equiv z_j \pmod{q}$ for $i = 1, 2$; $j = 1, 2$. This will produce four different roots to $x^2 \equiv a \pmod{n}$.

Example. Find all four square roots of 11 modulo 133. Factor $133 = 7 \cdot 19$. We must first solve $x^2 \equiv 11 \pmod{p}$ for $p = 7$ and for $p = 19$. $11 \bmod 7 = 4$, which happens to be $2^2$. So the solution to $x^2 \equiv 11 \pmod{7}$ is $x \equiv \pm 2 \pmod{7}$, or $x \equiv 2$ or $5 \pmod{7}$. $11 \bmod 19 = 11$, so we use exponentiation: $x \equiv 11^{(19+1)/4} = 11^5 \equiv 7 \pmod{19}$. So the solution to $x^2 \equiv 11 \pmod{19}$ is $x \equiv \pm 7 \pmod{19}$, or $x \equiv 7$ or $12 \pmod{19}$.

We have to solve the four CRT problems:
$$x_1 \equiv 2 \pmod{7}, \quad x_1 \equiv 7 \pmod{19};$$
$$x_2 \equiv 2 \pmod{7}, \quad x_2 \equiv 12 \pmod{19};$$
$$x_3 \equiv 5 \pmod{7}, \quad x_3 \equiv 7 \pmod{19};$$
$$x_4 \equiv 5 \pmod{7}, \quad x_4 \equiv 12 \pmod{19}.$$

We begin the CRT by solving $19x + 7y = 1$ by the extended Euclidean algorithm. It gives $19(3) + 7(-8) = 1$. We have found both $b_1$ and $b_2$ in the CRT by one extended Euclidean algorithm. In all four CRT problems we have $n_1 = 7$, $n_2 = 19$, $b_1 = 3$ and $b_2 \equiv -8 \equiv 11 \pmod{19}$. In the first CRT, we have $a_1 = 2$ and $a_2 = 7$. The solution is $x_1 = 19 \cdot 3 \cdot 2 + 7 \cdot 11 \cdot 7 = 653 \equiv 121 \pmod{133}$. We also get $x_4 = 133 - x_1 = 133 - 121 = 12$. In the second CRT, we have $a_1 = 2$ and $a_2 = 12$. The solution is $x_2 = 19 \cdot 3 \cdot 2 + 7 \cdot 11 \cdot 12 = 1038 \equiv 107 \pmod{133}$. We also get $x_3 = 133 - x_2 = 133 - 107 = 26$. The four square roots of 11 modulo 133 are 121, 107, 26, 12.

An application of finding square roots modulo $n$ is the Rabin-Blum Oblivious Transfer or Coin Flipping Protocol. In it, Alice reveals a secret to Bob with probability 0.5. In the Oblivious Transfer version, Alice doesn't know whether Bob got the secret or not (and this outcome must be acceptable to both participants). In the Coin Tossing version, Bob tells Alice whether he got the secret. He wins the coin toss if he did get it; loses otherwise.

Alice's secret is the factorization of a number $n = pq$ which is the product of two large primes $p \equiv q \equiv 3 \pmod{4}$.
1. Alice sends $n$ to Bob.
2. Bob picks a random $x$ in $\sqrt{n} < x < n$ with $\gcd(x, n) = 1$. Bob computes $a = x^2 \bmod n$ and sends $a$ to Alice.
3. Knowing $p$ and $q$, Alice computes the four solutions to $x^2 \equiv a \pmod{n}$. They are $x$, $n - x$, $y$ and $n - y$, for some $y$. These are just four numbers to Alice. She doesn't know which ones are $x$ and $n - x$. She chooses one of the four numbers at random and sends it to Bob.
4. If Bob receives $x$ or $n - x$, he learns nothing. But, if Bob receives $y$ or $n - y$, he can factor $n$ by computing $\gcd(x + y, n) = p$ or $q$.

Why can Bob factor $n$ if he gets $y$ or $n - y$? Theorem. If $n = pq$ is the product of two distinct primes, and if $x^2 \equiv y^2 \pmod{n}$, but $x \not\equiv \pm y \pmod{n}$, then $\gcd(x + y, n) = p$ or $q$. Proof: We are given that $n$ divides $(x + y)(x - y)$ but not $(x + y)$ or $(x - y)$. Hence, one of $p$, $q$ must divide $(x + y)$ and the other must divide $(x - y)$.

It is easy to modify the Oblivious Transfer protocol to let Alice give Bob the content of an arbitrary file with probability 0.5. Alice's secret is the content of the file. Alice enciphers the file using AES with secret key $K$. She gives the ciphertext of the file to Bob. Alice chooses two large primes $p \equiv q \equiv 3 \pmod{4}$, sets $n = pq$ and chooses $0 < e < n$ with $\gcd(e, (p-1)(q-1)) = 1$. This sets up an RSA public key cipher with public key $n$ and $e$. Alice enciphers $K$ as $C = K^e \bmod n$. Alice gives Bob $C$ and $e$. Then Alice and Bob do the Oblivious Transfer protocol, Alice sending $n$ to Bob in Step 1. If Bob learns the factorization of $n = pq$ in Step 4, then Bob finds $d$ with $ed \equiv 1 \pmod{(p-1)(q-1)}$ by extended Euclid. He finds $K = C^d \bmod n$, and deciphers the file using $K$ as the AES key.

Zero-Knowledge Proofs

This protocol is closely related to the oblivious transfer protocol. The difference is that Alice wants to convince Bob that she knows the factors of $n = pq$, but does not want to reveal the factors to Bob. Alice (the prover) convinces Bob (the verifier) that she knows the prime factorization of a large composite number $n$, but does not give Bob any hint which would help him find the factors of $n$. Bob learns nothing about the factorization of $n$ during the protocol that he could not have deduced on his own without Alice's help. Roughly speaking, Bob gives Alice some quadratic residues modulo $n$ and Alice replies with their square roots. The difficulty with this simple approach is that when Alice replies to Bob with a square root, there is a 50% chance that she will reveal the factorization of $n$ to Bob, as in the oblivious transfer protocol.

Here is a good way to do the zero-knowledge proof protocol: Alice knows $n$, $p$ and $q$. Bob knows $n$ but not $p$ or $q$.
1. Alice chooses $a$ in $\sqrt{n} < a < n$ and computes $b = a^2 \bmod n$.
2. At the same time, Bob chooses $c$ in $\sqrt{n} < c < n$ and computes $d = c^2 \bmod n$.
3. Alice sends $b$ to Bob and Bob sends $d$ to Alice.
4. Alice receives $d$ and solves $x^2 \equiv bd \pmod{n}$. (Note that this is possible because $bd$ is a QR and she can compute its square root because she knows the factors of $n$.) Let $x_1$ be one solution of this congruence.
5. At the same time, Bob tosses a fair coin and gets Heads or Tails each with probability 0.5. Bob sends H or T to Alice.

6. If Alice receives H, she sends $a$ to Bob. If Alice receives T, she sends $x_1$ to Bob.
7. If Bob sent H to Alice, then he receives $a$ from Alice and checks that $a^2 \equiv b \pmod{n}$. If Bob sent T to Alice, then he receives $x_1$ from Alice and checks that $x_1^2 \equiv bd \pmod{n}$.
Alice and Bob repeat steps 1 through 7 many (20 or 30) times. If the check in step 7 is always okay, then Bob accepts that Alice knows the factorization of $n$. But if Alice ever fails even one test, then Bob concludes that Alice is lying. Why does this protocol work? Why does Bob not learn the factors of $n$?
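An added Python example (not code from the lecture) that ties together three passages above: the square-root formula for $p \equiv 3 \pmod{4}$ and the four roots of 11 modulo 133, the theorem that a pair of roots with $x \not\equiv \pm y$ yields a factor (Bob's step 4 of the oblivious transfer), and one round of the zero-knowledge protocol with an honest Alice. The function names and the seeded random generators are mine; $a$ and $c$ are drawn from the interval above $\sqrt{n}$ as in steps 1 and 2.

```python
import random
from math import gcd, isqrt

def sqrt_mod_p(a, p):
    """One square root of a modulo a prime p ≡ 3 (mod 4), namely a^((p+1)/4) mod p.
    If a is a quadratic non-residue the formula returns a root of -a instead, so verify."""
    assert p % 4 == 3, "formula needs p ≡ 3 (mod 4)"
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError(f"{a} is a quadratic non-residue modulo {p}")
    return r

def sqrt_mod_pq(a, p, q):
    """All square roots of a modulo n = p*q (distinct primes ≡ 3 mod 4), sorted.
    Combines ±y (mod p) with ±z (mod q) by the CRT, as in the 11 mod 133 example."""
    n = p * q
    y, z = sqrt_mod_p(a, p), sqrt_mod_p(a, q)
    b1, b2 = pow(q, -1, p), pow(p, -1, q)        # q*b1 ≡ 1 (mod p), p*b2 ≡ 1 (mod q)
    return sorted({(q * b1 * yi + p * b2 * zj) % n
                   for yi in (y, p - y) for zj in (z, q - z)})

def factor_from_roots(x, y, n):
    """With x^2 ≡ y^2 (mod n) and x ≢ ±y (mod n), gcd(x + y, n) is a prime factor of n
    (Bob's step 4 in the oblivious transfer). Returns the useless n when x ≡ ±y."""
    return gcd(x + y, n)

def zk_round(p, q, coin, rng=random.Random(2024)):
    """One round (steps 1-7) of the zero-knowledge protocol with an honest Alice.
    coin is Bob's challenge, 'H' or 'T'; returns True iff Bob's check in step 7 passes."""
    n = p * q
    a = rng.randrange(isqrt(n) + 1, n)            # step 1: Alice's a, b = a^2 mod n
    b = a * a % n
    c = rng.randrange(isqrt(n) + 1, n)            # step 2: Bob's c, d = c^2 mod n
    d = c * c % n
    # step 4: only someone who knows p and q can take this square root of bd
    x1 = sqrt_mod_pq(b * d % n, p, q)[0]
    if coin == "H":                               # steps 6-7: reveal a, Bob checks a^2 ≡ b
        return a * a % n == b
    return x1 * x1 % n == b * d % n               # reveal x1, Bob checks x1^2 ≡ bd

def zk_protocol(p, q, rounds=20, rng=random.Random(7)):
    """Repeat the round with random challenges; Bob accepts only if every check passes."""
    return all(zk_round(p, q, rng.choice("HT"), rng) for _ in range(rounds))
```

Calling `sqrt_mod_p(3, 7)` raises `ValueError`, since 3 is a QNR mod 7 and the formula would have produced a root of $-3$.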