DI Management Home > Mathematics > The Chinese Remainder Theorem

The Chinese Remainder Theorem


On this page we look at the Chinese Remainder Theorem (CRT), Gauss's algorithm to solve simultaneous linear congruences, a simpler method to solve congruences for small moduli, and an application of the theorem to break the RSA algorithm when someone sends the same encrypted message to three different recipients using the same exponent of e=3.

The Chinese Remainder Theorem

Theorem. Let n1,n2,...,nr be positive integers such that gcd(ni,nj)=1 for i ≠ j. Then the system of linear congruences

x ≡ c1 (mod n1); x ≡ c2 (mod n2); ... ; x ≡ cr (mod nr)

has a simultaneous solution which is unique modulo n1n2...nr.

Note that all the theorem says is that there is a unique solution. It doesn't actually say how to solve it. This is usually done using Gauss's algorithm. There is also a variant of the CRT used to speed up the calculations in the RSA algorithmNew.

The name "Chinese" comes from an old Chinese puzzle allegedly posed by Sun Tsu Suan-Ching in 4 AD:

There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number?

In modern number theory, we would write that as a problem to solve the simultaneous congruences

x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
x ≡ 2 (mod 7)

The Chinese Remainder Theorem (CRT) tells us that since 3, 5 and 7 are coprime in pairs then there is a unique solution modulo 3 x 5 x 7 = 105. The solution is x = 23. You can check that by noting that the relations

23 = 7 x 3 + 2 ≡ 2 (mod 3)
23 = 4 x 5 + 3 ≡ 3 (mod 5)
23 = 3 x 7 + 2 ≡ 2 (mod 7)

are all satisfied for this value of x.

Gauss's algorithm

Algorithm. Let N=n1n2...nr then

x ≡ c1N1d1 + c2N2d2 + ... + crNrdr (mod N)

where Ni = N/ni and di ≡ Ni-1 (mod ni).

The latter modular inverse di is easily calculated by the extended Euclidean algorithm. You can also use the bd_modinv utility in our Modular Arithmetic Freeware download.

Example

For the original "Chinese" problem above we have

n1=3, n2=5, n3=7
N = n1n2n3 = 3 x 5 x 7 = 105
c1=2, c2=3, c3=2.

Now N1 = N/n1 = 35 and so d1 = 35-1 (mod 3) = 2,
N2 = N/n2 = 21 and so d2 = 21-1 (mod 5) = 1, and
N3 = N/n3 = 15 and so d3 = 15-1 (mod 7) = 1. Hence

x = (2 x 35 x 2) + (3 x 21 x 1) + (2 x 15 x 1) = 233 ≡ 23 (mod 105)

Another example

x ≡ 1 (mod 3)
x ≡ 2 (mod 4)
x ≡ 3 (mod 5)

Using Gauss's algorithm,

n1=3, n2=4, n3=5
N = n1n2n3 = 3 x 4 x 5 = 60
c1=1, c2=2, c3=3.
N1 = N/n1 = 20; d1 = 20-1 (mod 3) = 2 [check: 2x20=40≡1 (mod 3)]
N2 = N/n2 = 15; d2 = 15-1 (mod 4) = 3 [check: 3x15=45≡1 (mod 4)]
N3 = N/n3 = 12; d3 = 12-1 (mod 5) = 3 [check: 3x12=36≡1 (mod 5)]
x ≡ c1N1d1 + c2N2d2 + c3N3d3 (mod N)
x = (1x20x2) + (2x15x3) + (3x12x3) = 238 ≡ 58 (mod 60)

so a solution is x = 58. Note that this is "a" solution. Any integer that satisfies 58 + 60k for any integer k is also a solution, but the method gives you the unique solution in the range 0 ≤ x < n1n2n3.

A simpler method

For congruences with small moduli there is a simpler method (useful in exams!). To solve the previous problem, write out the numbers x ≡ 3 (mod 5) until you find a number congruent to 2 (mod 4), then increase that number by multiples of 5 x 4 until you find number congruent to 1 (mod 3).

x ≡ 3 (mod 5):   x = 3,8,13,18 ≡ 2(mod 4)    [increase by 5]
x ≡ 18 (mod 20): x = 18,38,58 ≡ 1(mod 3)     [increase by 5 x 4] 
x ≡ 58 (mod 60). 

We find it easier to start with the largest modulus and work downwards.

To solve the original Chinese problem:

x ≡ 2 (mod 7):   x = 2,9,16,23 ≡ 3(mod 5)    [increase by 7]
x ≡ 23 (mod 35): x = 23 ≡ 2(mod 3)
x ≡ 23 (mod 105).

Cracking RSA

Alice sends the same message m encrypted using the RSA algorithm to three recipients with different moduli n1,n2,n3 all coprime to each other but using the same exponent e=3. Eve recovers the three ciphertext values c1,c2,c3 and knows the public keys (n,e=3) of all the recipients. Can Eve recover the message without factoring the moduli?

Yes. Eve uses Gauss's algorithm above to find a solution x, in the range 0 ≤ x < n1n2n3, to the three simultaneous congruences

x ≡ c1 (mod n1)
x ≡ c2 (mod n2)
x ≡ c3 (mod n3)

We know from the Chinese Remainder Theorem that m3 < n1n2n3, so it follows that x = m3 and so m can be recovered by simply computing the integer cube root of x. Note that the cube root does not involve any modular arithmetic and so is straightforward to compute (well, as straightforward as computing any cube root is).

Example

There are three recipients with public keys (87,3), (115,3) and (187,3). That is, we have e=3 and

n1=29x3=87, n2=23x5=115, n3=17x11=187

(although the factorisation would neither be public nor feasibly computable for large n's used in practice)

Alice encrypts the message m=10 using RSA to all three, as follows,

c1 = 103 mod 87 = 43; c2 = 103 mod 115 = 80; c3 = 103 mod 187 = 65

and these three ciphertext values c1, c2, c3 are intercepted by Eve, who also knows the public values (ni, e). She then uses Gauss's algorithm as follows

N = n1n2n3 = 87 x 115 x 187 = 1870935
N1 = N/n1 = 115x187 = 21505; d1 = 21505-1 (mod 87) = 49
N2 = N/n2 = 87x187 = 16269; d2 = 16269-1 (mod 115) = 49
N3 = N/n3 = 87x115 = 10005; d3 = 10005-1 (mod 187) = 2
x ≡ c1N1d1 + c2N2d2 + c3N3d3 (mod N)
x = (43.21505.49) + (80.16269.49) + (65.10005.2) = 110386165 ≡ 1000 (mod 1870935)

So m is the cube root of 1000; that is, m = 10, as required. Eve did not need to factor the moduli to find the message.

To compute the modular inverses, we used the bd_modinv function in our Modular Arithmetic Freeware package (new updated version released 11-11-11)

> bd_modinv 21505 87
21505^-1 mod 87 = 49
> bd_modinv 16269 115
16269^-1 mod 115 = 49
> bd_modinv 10005 187
10005^-1 mod 187 = 2

Comment

In practice with RSA we would be looking at much larger moduli in the order of 1000 or 2000 bits (i.e. numbers about 300 to 600 decimal digits long, probably too big for your pocket calcuator), but the same principles apply. You would need to use a computer package that does large integer arithmetic (like our free BigDigits software - see below). It is most likely that any three moduli in practice will be coprime, so the method is likely to be successful.

Example with larger modulus

Here is an example to recover a message which has been encrypted using RSA to three recipients using 512-bit moduli and the common exponent 3 with no random padding. We use our BigDigits library to do the arithmetic. We added a cuberoot function in the latest version 2.3 specifically to solve this type of problem.

The example code is in t_bdRsaCrack.c (included in the latest BigDigits distribution). The output of running this code is here. Thanks to Arone Prem Kumar Arokiasami for prompting us to do this.

This shows how easy it is to crack RSA even for realistic key sizes if the sender is careless.

How to prevent this type of attack

  1. Use a larger exponent, like 65537 (0x10001). This makes it harder to use the above method, but it is much better to...
  2. Add some random bits to the message - at least 64 bits worth. Make sure every message ever encrypted always has different random bytes added. This is known as salting the message and will prevent many other attacks, too. Obviously, the recipient needs to know how to remove the random bytes after decrypting the message.

For more on weaknesses in RSA and how to combat them, see our RSA algorithm page.

References

Contact us

Feedback or questions: Send us a message.

This page first published 23 October 2010 and last updated 13 November 2011