The Chinese Remainder Theorem


The Chinese Remainder Theorem

Theorem. Let m and n be two relatively prime positive integers. Let a and b be any two integers. Then the two congruences

x ≡ a (mod m)
x ≡ b (mod n)

have common solutions. Any two common solutions are congruent modulo mn. The proof gives an algorithm for computing the common solution.

Proof: Since gcd(m,n) = 1, the Extended Euclidean Algorithm provides integers c and d with mc + nd = 1. Then c ≡ m⁻¹ (mod n) and d ≡ n⁻¹ (mod m). Let x₀ = mcb + nda. Then

x₀ ≡ nda ≡ 1·a ≡ a (mod m) and
x₀ ≡ mcb ≡ 1·b ≡ b (mod n).

Thus there is a common solution x₀. If x₁ is another common solution, then m | (x₀ − x₁) and n | (x₀ − x₁), so mn | (x₀ − x₁) because gcd(m,n) = 1.

Example: Solve the system of congruences

x ≡ 1 (mod 7)
x ≡ 3 (mod 10).

Note that the hypotheses of the Chinese remainder theorem are satisfied in this example because 7 and 10 are relatively prime. We have m = 7, n = 10, a = 1, b = 3 and mn = 70. The extended Euclidean algorithm gives 7(3) + 10(−2) = 1, so c = 3 and d = −2. Then the solution is

x ≡ x₀ = mcb + nda = 7(3)(3) + 10(−2)(1) = 63 − 20 = 43 (mod 70).

Solving x² ≡ a (mod n)

We have said nothing (so far) about whether one can solve x² ≡ a (mod n) when n is a composite number. We have also said nothing about how to solve it if it has a solution. There are probabilistic polynomial time algorithms (Tonelli and Cipolla) to compute square roots of QRs mod p, where p is prime. They work well for numbers of hundreds of digits, but are too complicated to present here.

Recall Euler's Criterion.

Theorem (Euler's Criterion). For prime p > 2 and 0 < a < p, a^((p−1)/2) ≡ 1 (mod p) if a is a QR mod p, and a^((p−1)/2) ≡ −1 (mod p) if a is a QNR mod p.

Here is a simple algorithm that finds square roots of QRs modulo any prime p ≡ 3 (mod 4), that is, it works for half of the primes. If p ≡ 3 (mod 4), then the solutions to x² ≡ a (mod p) are

x₁ ≡ a^((p+1)/4) (mod p) and x₂ = p − x₁.

To see that this works, note that x₁² ≡ a^((p+1)/2) ≡ a · a^((p−1)/2) ≡ a (mod p), since a^((p−1)/2) ≡ +1 (mod p) by Euler's Criterion and the fact that a is a QR mod p.

Now I will tell you how to solve x² ≡ a (mod n) when n = pq is the product of two primes p ≡ q ≡ 3 (mod 4), an important special case. Separately solve y² ≡ a (mod p), with solutions y₁ and y₂, and z² ≡ a (mod q), with solutions z₁ and z₂. Then use the CRT four times to solve the four systems

x ≡ y_i (mod p)
x ≡ z_j (mod q)

for i = 1, 2; j = 1, 2. This will produce four different roots of x² ≡ a (mod n).

Example. Find all four square roots of 11 modulo 133. Factor 133 = 7 · 19. We must first solve x² ≡ 11 (mod p) for p = 7 and for p = 19.

11 mod 7 = 4, which happens to be 2². So the solutions to x² ≡ 11 (mod 7) are x ≡ ±2 (mod 7), that is, x ≡ 2 or 5 (mod 7).

11 mod 19 = 11, so we use exponentiation: x ≡ 11^((19+1)/4) = 11⁵ ≡ 7 (mod 19). So the solutions to x² ≡ 11 (mod 19) are x ≡ ±7 (mod 19), that is, x ≡ 7 or 12 (mod 19).

We have to solve the four CRT problems:

x₁ ≡ 2 (mod 7), x₁ ≡ 7 (mod 19).
x₂ ≡ 2 (mod 7), x₂ ≡ 12 (mod 19).
x₃ ≡ 5 (mod 7), x₃ ≡ 7 (mod 19).
x₄ ≡ 5 (mod 7), x₄ ≡ 12 (mod 19).

We begin the CRT by solving 19x + 7y = 1 by the extended Euclidean algorithm. It gives 19(3) + 7(−8) = 1. We have found both b₁ and b₂ in the CRT by one extended Euclidean algorithm. In all four CRT problems we have n₁ = 7, n₂ = 19, b₁ = 3 and b₂ = −8 ≡ 11 (mod 19); that is, b₁ ≡ 19⁻¹ (mod 7) and b₂ ≡ 7⁻¹ (mod 19), and each solution has the form x = n₂b₁a₁ + n₁b₂a₂ (mod 133).

In the first CRT, we have a₁ = 2 and a₂ = 7. The solution is x₁ = 19 · 3 · 2 + 7 · 11 · 7 = 653 ≡ 121 (mod 133). We also get x₄ = 133 − x₁ = 133 − 121 = 12.

In the second CRT, we have a₁ = 2 and a₂ = 12. The solution is x₂ = 19 · 3 · 2 + 7 · 11 · 12 = 1038 ≡ 107 (mod 133). We also get x₃ = 133 − x₂ = 133 − 107 = 26.

The four square roots of 11 modulo 133 are 121, 107, 26, 12.

An application of finding square roots modulo n is the Rabin-Blum Oblivious Transfer or Coin Flipping Protocol. In it, Alice reveals a secret to Bob with probability 0.5. In the Oblivious Transfer version, Alice doesn't know whether Bob got the secret or not (and this outcome must be acceptable to both participants). In the Coin Tossing version, Bob tells Alice whether he got the secret. He wins the coin toss if he did get it; loses otherwise.

Alice's secret is the factorization of a number n = pq which is the product of two large primes p ≡ q ≡ 3 (mod 4).

1. Alice sends n to Bob.
2. Bob picks a random x in n < x < n with gcd(x,n) = 1. Bob computes a = x² mod n and sends a to Alice.
3. Knowing p and q, Alice computes the four solutions to x² ≡ a (mod n). They are x, n − x, y and n − y, for some y. These are just four numbers to Alice. She doesn't know which ones are x and n − x. She chooses one of the four numbers at random and sends it to Bob.
4. If Bob receives x or n − x, he learns nothing. But, if Bob receives y or n − y, he can factor n by computing gcd(x + y, n) = p or q.

Why can Bob factor n if he gets y or n − y?

Theorem. If n = pq is the product of two distinct primes, and if x² ≡ y² (mod n), but x ≢ ±y (mod n), then gcd(x + y, n) = p or q.

Proof: We are given that n divides (x + y)(x − y) but not (x + y) or (x − y). Hence, one of p, q must divide (x + y) and the other must divide (x − y).

It is easy to modify the Oblivious Transfer protocol to let Alice give Bob the content of an arbitrary file with probability 0.5. Alice's secret is the content of the file. Alice enciphers the file using AES with secret key K. She gives the ciphertext of the file to Bob. Alice chooses two large primes p ≡ q ≡ 3 (mod 4), sets n = pq and chooses 0 < e < n with gcd(e, (p−1)(q−1)) = 1. This sets up an RSA public key cipher with public key n and e. Alice enciphers K as C = K^e mod n. Alice gives Bob C and e. Then Alice and Bob do the Oblivious Transfer protocol, Alice sending n to Bob in Step 1. If Bob learns the factorization of n = pq in Step 4, then Bob finds d with ed ≡ 1 (mod (p−1)(q−1)) by extended Euclid. He finds K = C^d mod n, and deciphers the file using K as the AES key.

Zero-Knowledge Proofs

This protocol is closely related to the oblivious transfer protocol. The difference is that Alice wants to convince Bob that she knows the factors of n = pq, but does not want to reveal the factors to Bob. Alice (the prover) convinces Bob (the verifier) that she knows the prime factorization of a large composite number n, but does not give Bob any hint which would help him find the factors of n. Bob learns nothing about the factorization of n during the protocol that he could not have deduced on his own without Alice's help.

Roughly speaking, Bob gives Alice some quadratic residues modulo n and Alice replies with their square roots. The difficulty with this simple approach is that when Alice replies to Bob with a square root, there is a 50% chance that she will reveal the factorization of n to Bob, as in the oblivious transfer protocol.

Here is a good way to do the zero-knowledge proof protocol. Alice knows n, p and q. Bob knows n but not p or q.

1. Alice chooses a in n < a < n and computes b = a² mod n.
2. At the same time, Bob chooses c in n < c < n and computes d = c² mod n.
3. Alice sends b to Bob and Bob sends d to Alice.
4. Alice receives d and solves x² ≡ bd (mod n). (Note that this is possible because bd is a QR and she can compute its square root because she knows the factors of n.) Let x₁ be one solution of this congruence.
5. At the same time, Bob tosses a fair coin and gets Heads or Tails each with probability 0.5. Bob sends H or T to Alice.

6. If Alice receives H, she sends a to Bob. If Alice receives T, she sends x₁ to Bob.
7. If Bob sent H to Alice, then he receives a from Alice and checks that a² ≡ b (mod n). If Bob sent T to Alice, then he receives x₁ from Alice and checks that x₁² ≡ bd (mod n).

Alice and Bob repeat steps 1 through 7 many (20 or 30) times. If the check in step 7 is always okay, then Bob accepts that Alice knows the factorization of n. But if Alice ever fails even one test, then Bob concludes that Alice is lying.

Why does this protocol work? Why does Bob not learn the factors of n?
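The following Python program is an added worked example, not code from these slides. It carries the whole thread of the notes through in working code: the CRT construction x₀ = mcb + nda from the proof (checked against the x ≡ 1 (mod 7), x ≡ 3 (mod 10) example), Euler's criterion and the a^((p+1)/4) square root for p ≡ 3 (mod 4), the four roots of 11 modulo 133 via four CRT problems, the gcd(x + y, n) factor recovery from the Rabin-Blum round, and the seven-step zero-knowledge exchange with Bob's checks. All function names (ext_gcd, crt2, sqrt_mod_prime_3mod4, sqrt_mod_pq, recover_factor, rand_unit, coin_flip_round, zk_round, simulate) and the seeded random choices are this example's own assumptions; the toy modulus 133 = 7 · 19 is the one from the slides.

```python
import random
from math import gcd

# Added example (not from the slides). Helper names are this example's own.


def ext_gcd(a, b):
    """Extended Euclid: return (g, c, d) with a*c + b*d = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, c, d = ext_gcd(b, a % b)
    return g, d, c - (a // b) * d


def crt2(a, m, b, n):
    """Solve x = a (mod m), x = b (mod n) for coprime m, n; result in [0, mn).
    Uses the slides' construction x0 = m*c*b + n*d*a where m*c + n*d = 1."""
    g, c, d = ext_gcd(m, n)
    if g != 1:
        raise ValueError("moduli must be relatively prime")
    return (m * c * b + n * d * a) % (m * n)


def sqrt_mod_prime_3mod4(a, p):
    """Both square roots of a QR a modulo a prime p = 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("p must be 3 (mod 4)")
    if pow(a, (p - 1) // 2, p) != 1:          # Euler's criterion: reject QNRs
        raise ValueError("a is not a quadratic residue mod p")
    x1 = pow(a, (p + 1) // 4, p)
    return x1, p - x1


def sqrt_mod_pq(a, p, q):
    """All four square roots of a modulo n = pq, p = q = 3 (mod 4), by CRT."""
    roots = set()
    for y in sqrt_mod_prime_3mod4(a % p, p):
        for z in sqrt_mod_prime_3mod4(a % q, q):
            roots.add(crt2(y, p, z, q))
    return sorted(roots)


def recover_factor(x, y, n):
    """If x^2 = y^2 (mod n) but x != +-y (mod n), gcd(x+y, n) is p or q."""
    g = gcd(x + y, n)
    return g if 1 < g < n else None


def rand_unit(n, rng):
    """Random x with 1 < x < n and gcd(x, n) = 1."""
    while True:
        x = rng.randrange(2, n)
        if gcd(x, n) == 1:
            return x


def coin_flip_round(p, q, rng):
    """One Rabin-Blum round. Returns the factor Bob learns, or None."""
    n = p * q
    x = rand_unit(n, rng)                     # step 2: Bob's secret x
    a = x * x % n                             # Bob sends a = x^2 mod n
    r = rng.choice(sqrt_mod_pq(a, p, q))      # step 3: Alice picks one of four roots
    return recover_factor(x, r, n)            # step 4: a factor only if r is y or n-y


def zk_round(p, q, rng, honest=True):
    """One round of the zero-knowledge protocol; True if Bob's check passes.
    honest=False models a prover without the factors who must guess a root."""
    n = p * q
    a = rand_unit(n, rng)                     # step 1: Alice
    b = a * a % n
    c = rand_unit(n, rng)                     # step 2: Bob
    d = c * c % n
    bd = b * d % n                            # step 3: b and d are exchanged
    x1 = rng.choice(sqrt_mod_pq(bd, p, q)) if honest else rand_unit(n, rng)
    challenge = rng.choice("HT")              # step 5: Bob's fair coin
    if challenge == "H":                      # steps 6-7: Bob checks a or x1
        return a * a % n == b
    return x1 * x1 % n == bd


def simulate(p, q, rounds=100, seed=2024):
    """Seeded run: (factors Bob learned, honest prover passes all, cheater passes all)."""
    rng = random.Random(seed)
    hits = [f for f in (coin_flip_round(p, q, rng) for _ in range(rounds)) if f]
    honest_ok = all(zk_round(p, q, rng) for _ in range(30))
    cheat_ok = all(zk_round(p, q, rng, honest=False) for _ in range(30))
    return hits, honest_ok, cheat_ok


if __name__ == "__main__":
    print(crt2(1, 7, 3, 10))                  # slide example: 43
    print(sqrt_mod_pq(11, 7, 19))             # slide example: [12, 26, 107, 121]
    hits, honest_ok, cheat_ok = simulate(7, 19)
    print(len(hits), "of 100 coin-flip rounds revealed a factor of 133")
    print("honest prover accepted:", honest_ok, "| cheating prover accepted:", cheat_ok)
```

Two things are worth noticing when running it. In coin_flip_round, Alice's random choice among the four roots hands Bob a factor in about half the rounds, which is exactly the 0.5 probability the slides state, and Bob's own x is what makes gcd(x + r, n) informative. In zk_round, the honest prover answers every challenge, while a prover who lacks the factors can answer H but only guess at T, so a run of 20 to 30 rounds rejects her with overwhelming probability.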