
Chinese Remainder Theorem in cryptography

A brief overview of the Chinese Remainder Theorem and its use in secret sharing and fast RSA variants

Rahul Munshi, 05PH2010



1. INTRODUCTION

The Chinese remainder theorem provides a correspondence between a system of congruences modulo a set of pairwise relatively prime moduli and a single congruence modulo their product.

Around A.D. 100, the Chinese mathematician Sun-Tsu solved the problem of finding those
integers x that leave remainders 2, 3, and 2 when divided by 3, 5, and 7 respectively. One
such solution is x = 23; all solutions are of the form 23 + 105k for arbitrary integers k.

Let us look at a simple form of the theorem. Let r and s be relatively prime positive integers and let a and b be any two integers. Then there is an integer N such that

N ≡ a (mod r) (1)

and

N ≡ b (mod s). (2)

Moreover, N is uniquely determined modulo rs. An equivalent statement is that if (r, s) = 1, then every pair of residue classes modulo r and s corresponds to a single residue class modulo rs.

The theorem can be generalized as follows. Given a set of simultaneous congruences

x ≡ a_i (mod m_i), (3)

for i = 1, ..., r, where the m_i are pairwise relatively prime, the solution of the set of congruences is

Rahul Munshi | 05PH2010 | Department of Physics and Meteorology



x ≡ a_1 b_1 (M/m_1) + ... + a_r b_r (M/m_r) (mod M), (4)

where

M = m_1 m_2 ... m_r (5)

and the b_i are determined from

b_i (M/m_i) ≡ 1 (mod m_i). (6)

To sum up:

The Chinese Remainder Theorem (CRT)

Let n_1, n_2, ..., n_k be positive integers that are pairwise relatively prime, i.e. gcd(n_i, n_j) = 1 when i ≠ j. Furthermore, let n = n_1 n_2 ... n_k and let x_1, x_2, ..., x_k be integers. Then the system of congruences

x ≡ x_1 (mod n_1)

x ≡ x_2 (mod n_2)

...

x ≡ x_k (mod n_k),

where a mod b denotes the remainder of the integer division of a by b, has a simultaneous solution x to all of the congruences, and any two solutions are congruent to one another modulo n. Furthermore, there exists exactly one solution x between 0 and n-1.

The general case of the CRT states that the simultaneous congruences can be solved even if the n_i are not pairwise coprime. A solution x exists if and only if

x_i ≡ x_j (mod gcd(n_i, n_j)) for all i and j.


Note: if the moduli n_1, n_2, ..., n_r are not relatively prime in pairs, there may be no solution to the system of congruences.
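The formula of equations (4)-(6) and the general-case condition just stated, as an added Python example (not code from the report). It assumes Python 3.8 or later for pow(x, -1, m); the inputs are Sun-Tsu's problem from the introduction and a constructed non-coprime system.

```python
from functools import reduce
from math import gcd


def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i) for pairwise coprime moduli using equations (4)-(6):
    x = Σ a_i b_i (M/m_i) mod M, where b_i (M/m_i) ≡ 1 (mod m_i)."""
    M = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        b_i = pow(M_i, -1, m_i)          # inverse exists because gcd(M_i, m_i) = 1
        x += a_i * b_i * M_i
    return x % M                          # the unique solution in 0 .. M-1


def solvable(residues, moduli):
    """General-case condition: a_i ≡ a_j (mod gcd(n_i, n_j)) for every pair i, j."""
    return all((a - b) % gcd(m, n) == 0
               for i, (a, m) in enumerate(zip(residues, moduli))
               for b, n in zip(residues[i + 1:], moduli[i + 1:]))


def crt_general(residues, moduli):
    """Moduli need not be coprime: merge one congruence at a time and return
    (x, lcm of the moduli), or None when the system has no solution."""
    x, m = 0, 1
    for a, n in zip(residues, moduli):
        g = gcd(m, n)
        if (a - x) % g:
            return None                   # inconsistent pair, no solution exists
        # solve x + m*t ≡ a (mod n) for t after dividing everything by g
        t = ((a - x) // g) * pow(m // g, -1, n // g) % (n // g)
        x, m = x + m * t, m // g * n      # new modulus is lcm(m, n)
    return x % m, m
```

Sun-Tsu's system (remainders 2, 3, 2 modulo 3, 5, 7) gives 23 modulo 105 with either function; the constructed pair x ≡ 1 (mod 4), x ≡ 2 (mod 6) fails the general-case condition and has no solution.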


2. SECRET SHARING

Secret sharing refers to any method for distributing a secret amongst a group of participants, where each participant is allocated a share of the secret. The secret can only be reconstructed when all the shares are recombined; individual shares are of no use on their own. It was invented independently by Adi Shamir and George Blakley in 1979.

The initial applications of secret sharing were safeguarding cryptographic keys and providing shared access to strategic resources. Threshold cryptography and some e-voting schemes are more recent applications of secret sharing schemes.

A very simple type of secret sharing is one in which each share is a plane and the secret is the point at which the planes intersect. More generally, any n hyperplanes in general position in n-dimensional space intersect in a single point. The secret may be encoded as any single coordinate of the point of intersection. Each player is given enough information to define a hyperplane; the secret is recovered by calculating the hyperplanes' point of intersection and then taking the specified coordinate of that point. This forms the basis of Blakley's secret sharing scheme.

A simple 3-dimensional pictorial representation of the above idea is shown here.

Another system, called a (t, n)-threshold scheme (sometimes written as an (n, t)-threshold scheme), works as follows: there is one dealer and n players. The dealer gives a secret to the players, but only under certain specific conditions. The sharing is such that any group of t (for threshold) or more players can together reconstruct the secret, but no group of fewer than t players can. This idea was put to use by Adi Shamir, an Israeli cryptographer.

Shamir's secret sharing scheme uses the fact that k points are sufficient to define a polynomial of degree k-1. Let us use a (k, n)-threshold scheme to share a secret S, assumed to be an element of a finite field F. We choose k-1 coefficients a_1, a_2, ..., a_{k-1} at random and let a_0 = S. We now build the polynomial

f(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{k-1} x^{k-1}.

We then construct any n points on it, for instance by setting i = 1, 2, ..., n and taking the points (i, f(i)). Each point (a pair of polynomial input and output) is given to one participant. Given any subset of k of these pairs, we can find the coefficients of the polynomial by interpolation, and the secret is the constant term a_0.
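Shamir's (k, n) scheme as just described, as an added Python example (not code from the report). The field F is taken to be the integers modulo the Mersenne prime 2^61 - 1, an assumption of this example; Python 3.8 or later is assumed for pow(x, -1, m).

```python
from random import randrange

PRIME = 2**61 - 1   # the field F used by this example (assumption: a Mersenne prime)


def shamir_share(secret, k, n, prime=PRIME):
    """(k, n) sharing: a random polynomial of degree k-1 with a_0 = S,
    evaluated at x = 1, ..., n; each (i, f(i)) pair is one participant's share."""
    coeffs = [secret % prime] + [randrange(prime) for _ in range(k - 1)]

    def f(x):
        return sum(a * pow(x, i, prime) for i, a in enumerate(coeffs)) % prime

    return [(i, f(i)) for i in range(1, n + 1)]


def shamir_recover(shares, prime=PRIME):
    """Lagrange interpolation evaluated at x = 0 recovers the constant term
    a_0 = S from any k distinct shares (fewer give an unrelated value)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        secret = (secret + yi * num * pow(den, -1, prime)) % prime
    return secret
```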

3. CHINESE REMAINDER THEOREM IN A K-THRESHOLD SECRET SHARING SYSTEM

As we saw earlier, in threshold schemes only the cardinality of the set of shares matters for recovering the secret. Mignotte and Asmuth-Bloom introduced threshold secret sharing schemes based on the Chinese Remainder Theorem.

3.1. MIGNOTTE’S THRESHOLD SECRET SHARING SCHEME

Mignotte's threshold secret sharing scheme applies the general CRT to recover the secret, making use of a special sequence of integers referred to as a Mignotte sequence.

Let n be an integer, n ≥ 2, and 2 ≤ k ≤ n. A (k, n)-Mignotte sequence is a sequence of positive integers m_1 < ··· < m_n such that (m_i, m_j) = 1 for all 1 ≤ i < j ≤ n, and m_{n-k+2} ··· m_n < m_1 ··· m_k.

Given a (k, n)-Mignotte sequence, the scheme works as follows:

o The secret S is chosen as a random integer such that β < S < α, where α = m_1 ··· m_k and β = m_{n-k+2} ··· m_n;

o The shares I_i are computed as I_i = S mod m_i, for all 1 ≤ i ≤ n;


o Given k distinct shares I_{i_1}, ..., I_{i_k}, the secret S is recovered using the standard Chinese Remainder Theorem. The system of congruences shown below has a unique solution modulo m_{i_1} ··· m_{i_k}.

x ≡ I_{i_1} (mod m_{i_1})

...

x ≡ I_{i_k} (mod m_{i_k})

By the construction of the shares, this solution is exactly the secret S, since β < S < α ≤ m_{i_1} ··· m_{i_k}.

Mignotte's scheme can be generalized to moduli that are not necessarily pairwise coprime by introducing generalized Mignotte sequences. A generalized (k, n)-Mignotte sequence is a sequence m_1, ..., m_n of positive integers such that

max_{1 ≤ i_1 < ··· < i_{k-1} ≤ n} [m_{i_1}, ..., m_{i_{k-1}}] < min_{1 ≤ i_1 < ··· < i_k ≤ n} [m_{i_1}, ..., m_{i_k}],

where the parentheses (a, ..., b) denote the gcd and the brackets [a, ..., b] denote the lcm.

The generalized Mignotte scheme works just like Mignotte's scheme, except that α = min_{1 ≤ i_1 < ··· < i_k ≤ n} [m_{i_1}, ..., m_{i_k}] and β = max_{1 ≤ i_1 < ··· < i_{k-1} ≤ n} [m_{i_1}, ..., m_{i_{k-1}}].

3.2. ASMUTH-BLOOM THRESHOLD SECRET SHARING SCHEME

This scheme, proposed by Asmuth and Bloom, also uses special sequences of integers. A sequence of pairwise coprime positive integers r, m_1 < ... < m_n is chosen such that

r · m_{n-k+2} ··· m_n < m_1 ··· m_k.

Given such a sequence, the scheme works as follows:

o The secret S is chosen as a random element of the set Z_r;

o The shares I_i are computed as I_i = (S + γ · r) mod m_i, for all 1 ≤ i ≤ n, where γ is an arbitrary integer such that S + γ · r belongs to Z_{m_1 ··· m_k};

o Given k distinct shares I_{i_1}, ..., I_{i_k}, the secret S is obtained as S = x_0 mod r, where x_0 is obtained, using the standard Chinese Remainder Theorem, as the unique solution modulo m_{i_1} ··· m_{i_k} of the system


x ≡ I_{i_1} (mod m_{i_1})

...

x ≡ I_{i_k} (mod m_{i_k})

The sequences used in the Asmuth-Bloom scheme can be generalized in the obvious way to moduli that are not necessarily pairwise coprime. We can use any sequence r, m_1 < ... < m_n such that

r · max_{1 ≤ i_1 < ··· < i_{k-1} ≤ n} [m_{i_1}, ..., m_{i_{k-1}}] < min_{1 ≤ i_1 < ··· < i_k ≤ n} [m_{i_1}, ..., m_{i_k}].

3.3. SUMMARY

An important point to note is that the Mignotte and Asmuth-Bloom (k, n)-threshold secret sharing schemes based on the Chinese Remainder Theorem are not perfect: a set of fewer than k shares contains some information about the secret. Nevertheless, by a suitable choice of the sequences and the parameters (α in the Asmuth-Bloom case), one can get a reasonable security factor. The Asmuth-Bloom scheme is the more secure of the two, for it involves more random parameters.
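Mignotte and Asmuth-Bloom sharing and recovery from sections 3.1 and 3.2, plus a count of the secrets still consistent with fewer than k Mignotte shares (the point made in section 3.3), as an added Python example that is not part of the report. The sequences 5, 7, 9 and r = 3 with 7, 11, 13 are constructed toy parameters; Python 3.8 or later is assumed for pow(x, -1, m).

```python
from functools import reduce
from math import gcd
from random import randrange


def product(xs):
    return reduce(lambda a, b: a * b, xs, 1)


def crt(residues, moduli):
    # standard CRT for pairwise coprime moduli, equations (4)-(6) of section 1
    M = product(moduli)
    return sum(a * pow(M // m, -1, m) * (M // m) for a, m in zip(residues, moduli)) % M


def mignotte_bounds(moduli, k):
    """Return (alpha, beta) for a (k, n)-Mignotte sequence, or None if the
    sequence is not increasing, not pairwise coprime, or beta >= alpha."""
    n = len(moduli)
    coprime = all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:])
    alpha, beta = product(moduli[:k]), product(moduli[n - k + 1:])  # m_1..m_k, m_{n-k+2}..m_n
    return (alpha, beta) if coprime and moduli == sorted(moduli) and beta < alpha else None


def mignotte_share(secret, moduli):
    return [secret % m for m in moduli]                  # I_i = S mod m_i


def recover(shares):
    """shares: (I_i, m_i) pairs; any k of them fix x modulo m_i1 ... m_ik."""
    return crt([s for s, _ in shares], [m for _, m in shares])


def asmuth_bloom_share(secret, r, moduli, k):
    """I_i = (S + gamma*r) mod m_i with S + gamma*r < m_1...m_k; requires
    0 <= S < r, r coprime to every m_i and r*m_{n-k+2}...m_n < m_1...m_k."""
    n, alpha = len(moduli), product(moduli[:k])
    assert 0 <= secret < r and all(gcd(r, m) == 1 for m in moduli)
    assert r * product(moduli[n - k + 1:]) < alpha
    y = secret + randrange((alpha - secret + r - 1) // r) * r  # S + gamma*r in Z_alpha
    return [y % m for m in moduli]


def asmuth_bloom_recover(shares, r):
    return recover(shares) % r                           # S = x0 mod r


def leaked_candidates(shares, alpha, beta):
    """Secrets in (beta, alpha) consistent with fewer than k Mignotte shares:
    the candidate set shrinks, which is why the scheme is not perfect."""
    x, M = recover(shares), product([m for _, m in shares])
    return [s for s in range(beta + 1, alpha) if s % M == x]
```

With the (2, 3)-Mignotte sequence 5, 7, 9 and S = 20, a single share such as I_1 = 0 already narrows the 25 possible secrets in (9, 35) down to 5 candidates.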

4. THE RSA-CRT ALGORITHM

The RSA algorithm is a public-key cryptosystem named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in 1977. RSA can be used for both public-key encryption and digital signatures.

For faster decryption, RSA-CRT is used, in which the Chinese Remainder Theorem is applied during decryption. This gives a decryption much faster than a single full-size modular exponentiation. RSA-CRT differs from standard RSA in the key generation and decryption steps.

Let us sum up the steps of the RSA algorithm and look into the major differences introduced
in the RSA-CRT algorithm.

4.1. OPERATION

The RSA algorithm involves three steps: key generation, encryption and decryption.


4.1.1. KEY GENERATION

o Generate two large random primes, p and q, of approximately equal size such that their product n = p × q is of the required bit length, e.g. 1024 bits.

o Compute n = pq and φ(n) = (p-1)(q-1). Here n is used as the modulus for both the public and private keys.

o Choose an integer e, 1 < e < φ(n), such that gcd(e, φ(n)) = 1. e is released as the public key exponent.

o Compute the secret exponent d, 1 < d < φ(n), such that the congruence ed ≡ 1 (mod φ(n)) is satisfied.

The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the modulus n and the private (or decryption) exponent d, which must be kept secret.

The RSA-CRT key generation scheme is developed keeping in mind that the value of the secret exponent d cannot be made short: as soon as d < N^0.292, the RSA system can be totally broken. Let us have a look at the scheme.

RSA-CRT key generation

o Let p and q be two very large primes of nearly the same size such that gcd(p-1, q-1) = 2.

o Compute n = p × q and φ(n) = (p-1)(q-1).

o Pick two random integers d_p and d_q such that gcd(d_p, p-1) = 1, gcd(d_q, q-1) = 1 and d_p ≡ d_q (mod 2).

o Find a d such that d ≡ d_p (mod p-1) and d ≡ d_q (mod q-1).

o Compute e ≡ d^{-1} (mod φ(n)).

The public key is (n, e) and the private key is (p, q, d_p, d_q). Since gcd(d_p, p-1) = 1 and d ≡ d_p (mod p-1), we have gcd(d, p-1) = 1. Similarly, gcd(d, q-1) = 1. Hence gcd(d, φ(n)) = 1.

Application of the CRT


To apply the Chinese Remainder Theorem in step 4, the respective moduli have to be relatively prime for a solution to be guaranteed to exist. But p-1 and q-1 are both even, so we cannot apply the theorem directly. However, gcd((p-1)/2, (q-1)/2) = 1. Since gcd(d_p, p-1) = 1 and gcd(d_q, q-1) = 1, d_p and d_q are odd integers and d_p - 1, d_q - 1 are even. We also have gcd(d, p-1) = 1, which implies that d is odd and d-1 is even.

To find a solution to d ≡ d_p (mod p-1), d ≡ d_q (mod q-1), we find a solution to

d - 1 ≡ d_p - 1 (mod p-1), d - 1 ≡ d_q - 1 (mod q-1).

By applying the cancellation law and taking the common factor 2 out, we have

x = d' ≡ (d-1)/2 ≡ (d_p - 1)/2 (mod (p-1)/2),

x = d' ≡ (d-1)/2 ≡ (d_q - 1)/2 (mod (q-1)/2).

Using the Chinese Remainder Theorem on these two congruences we find d', and the secret exponent is d = 2d' + 1.

4.1.2. ENCRYPTION

Sender A does the following:

o Obtains the recipient B's public key (n, e); B keeps the corresponding private key secured.

o Represents the plaintext message M as a positive integer m (0 < m < n) using an agreed-upon reversible protocol known as a padding scheme.

o Computes the ciphertext c ≡ m^e (mod n).

o Sends the ciphertext c to B.

4.1.3. DECRYPTION

Recipient B does the following:

o Uses his private key (n, d) to compute m ≡ c^d (mod n).

o Extracts the plaintext M from m by reversing the padding scheme.


If c is not divisible by p and d_p ≡ d (mod p-1), then c^{d_p} ≡ c^d (mod p). For decryption we therefore compute m_p = c^{d_p} mod p = c^d mod p and m_q = c^{d_q} mod q = c^d mod q.

Then, using the Chinese Remainder Theorem, we find the solution m of m ≡ m_p ≡ c^d (mod p), m ≡ m_q ≡ c^d (mod q).

Computing a quantity of the form m = c^d mod p is known as modular exponentiation. The computation time grows with the size of d, but since d cannot be made small without compromising security, reducing the decryption time is a real problem.

An efficient alternative to the usual binary right-to-left method is to represent the private key using the Chinese Remainder Theorem (CRT). The private key is represented as a quintuple (p, q, d_p, d_q, qInv), where p and q are the prime factors of n, d_p and d_q are known as the CRT exponents, and qInv is the CRT coefficient. The CRT method of decryption is about four times faster overall than calculating m = c^d (mod n). The extra values for the private key are:

d_p = e^{-1} mod (p-1)

d_q = e^{-1} mod (q-1)

qInv = q^{-1} mod p, where p > q

These are precomputed and stored along with p and q as the private key. To recover the message m from c, B does the following:

m_1 = c^{d_p} mod p
m_2 = c^{d_q} mod q
h = qInv · (m_1 - m_2) mod p
m = m_2 + h · q

Even though there are more steps in this procedure, the modular exponentiations to be carried out use much shorter exponents and moduli, so the method is less expensive overall.
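The RSA-CRT key generation of section 4.1.1 (including the halved-moduli CRT step from "Application of the CRT") together with the recombination steps above, as an added Python example (not code from the report). It assumes Python 3.8 or later for pow(x, -1, m); the primes 1019 and 1013 and the exponents 7 and 9 are constructed toy values, far too small for real use.

```python
from math import gcd


def rsa_crt_keygen(p, q, dp, dq):
    """RSA-CRT key generation of section 4.1.1 with the CRT step of
    "Application of the CRT". Returns (n, e), (p, q, dp, dq, qInv) and d."""
    if gcd(p - 1, q - 1) != 2:
        raise ValueError("need gcd(p-1, q-1) = 2")
    if gcd(dp, p - 1) != 1 or gcd(dq, q - 1) != 1 or (dp - dq) % 2:
        raise ValueError("dp, dq must be coprime to p-1, q-1 and of equal parity")
    n, phi = p * q, (p - 1) * (q - 1)
    # p-1 and q-1 are even, so solve for d' = (d-1)/2 modulo the halved moduli,
    # which are coprime because gcd(p-1, q-1) = 2
    m1, m2 = (p - 1) // 2, (q - 1) // 2
    a1, a2 = (dp - 1) // 2, (dq - 1) // 2
    d_half = a1 + m1 * (((a2 - a1) * pow(m1, -1, m2)) % m2)
    d = 2 * d_half + 1                       # d ≡ dp (mod p-1) and d ≡ dq (mod q-1)
    e = pow(d, -1, phi)                      # e ≡ d^{-1} (mod φ(n))
    q_inv = pow(q, -1, p)                    # CRT coefficient qInv (report assumes p > q)
    return (n, e), (p, q, dp, dq, q_inv), d


def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)                      # c ≡ m^e (mod n)


def rsa_crt_decrypt(c, priv):
    """Recombination of section 4.1.3: two exponentiations with the short
    CRT exponents modulo p and q instead of one c^d mod n."""
    p, q, dp, dq, q_inv = priv
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (q_inv * (m1 - m2)) % p
    return m2 + h * q                        # lies in 0 .. n-1


def check_roundtrip(m, p, q, dp, dq):
    """Confirm the CRT result equals both the plaintext and the textbook c^d mod n."""
    pub, priv, d = rsa_crt_keygen(p, q, dp, dq)
    c = rsa_encrypt(m, pub)
    m_crt = rsa_crt_decrypt(c, priv)
    return m_crt == m and m_crt == pow(c, d, pub[0])
```

Comparing the CRT result against the plain c^d mod n is a cheap self-check of the recombination, and it is the check a practitioner should keep while experimenting with the parameters.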

Rebalanced RSA-CRT

We shall now look into another RSA variant, Rebalanced RSA-CRT. The main aim of Rebalanced RSA-CRT is to speed up RSA decryption by shifting work to the encrypter. This is particularly useful for RSA decryption on mobile devices such as cellular phones, whose life is limited by the battery. Rebalanced RSA-CRT decryption is over three times faster than standard RSA decryption. The only difference between RSA-CRT and Rebalanced RSA-CRT is in the choice of d_p and d_q. In Rebalanced RSA-CRT, the sizes of e and d are of the order of φ(n), whereas in standard RSA e is usually a 16-bit or 32-bit integer.


The size of d_p and d_q should be at least 160 bits to achieve a security level of 2^80. As a result, for Rebalanced RSA-CRT we always choose d_p and d_q larger than 160 bits. The remaining steps are the same as for RSA-CRT.

4.2. SUMMARY

The main drawback of this scheme is that the encrypter's task is enormous, even for a high-end computer. But since it is a one-time act, it does not matter much in the long run.

5. CONCLUSIONS

Here we discussed the mathematics behind the Chinese remainder theorem and studied its application to k-threshold secret sharing. We also saw how its use in RSA variants such as RSA-CRT and Rebalanced RSA-CRT significantly reduces the computation time by replacing one full-size modular exponentiation with cheaper ones using shorter exponents and moduli.

6. ACKNOWLEDGEMENTS

I would like to thank Mr. P. V. Kiran Kumar for his patient proofreading.
