The Chinese Remainder Theorem
On this page we look at the Chinese Remainder Theorem (CRT), Gauss's algorithm to solve simultaneous linear congruences, a simpler method to solve congruences for small moduli, and an application of the theorem to break the RSA algorithm when someone sends the same encrypted message to three different recipients using the same exponent of e=3.
The Chinese Remainder Theorem
Note that all the theorem says is that there is a unique solution. It doesn't actually say how to solve it. This is usually done using Gauss's algorithm. There is also a variant of the CRT used to speed up the calculations in the RSA algorithm.
The name "Chinese" comes from an old Chinese puzzle allegedly posed by Sun Tsu Suan-Ching in 4 AD:
There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number?
In modern number theory, we would write that as a problem to solve the simultaneous congruences
x ≡ 2 (mod 3) x ≡ 3 (mod 5) x ≡ 2 (mod 7)
The Chinese Remainder Theorem (CRT) tells us that since 3, 5 and 7 are coprime in pairs then there is a unique solution
modulo 3 x 5 x 7 = 105
. The solution is x = 23
. You can check that by noting that the relations
23 = 7 x 3 + 2 ≡ 2 (mod 3) 23 = 4 x 5 + 3 ≡ 3 (mod 5) 23 = 3 x 7 + 2 ≡ 2 (mod 7)
are all satisfied for this value of x.
Gauss's algorithm
Algorithm. Let N=n1n2...nr
then
where Ni = N/ni
and di ≡ Ni-1 (mod ni)
.
The latter modular inverse di
is easily calculated by the extended Euclidean algorithm.
You can also use the bd_modinv
utility in our
Modular Arithmetic Freeware download.
Example
For the original "Chinese" problem above we have
N = n1n2n3 = 3 x 5 x 7 = 105
c1=2, c2=3, c3=2.
Now
N1 = N/n1 = 35
and so d1 = 35-1 (mod 3) = 2
,
N2 = N/n2 = 21
and so d2 = 21-1 (mod 5) = 1
, and
N3 = N/n3 = 15
and so d3 = 15-1 (mod 7) = 1
.
Hence
x = (2 x 35 x 2) + (3 x 21 x 1) + (2 x 15 x 1) = 233 ≡ 23 (mod 105)
Another example
x ≡ 1 (mod 3) x ≡ 2 (mod 4) x ≡ 3 (mod 5)
Using Gauss's algorithm,
N = n1n2n3 = 3 x 4 x 5 = 60
c1=1, c2=2, c3=3.
N1 = N/n1 = 20; d1 = 20-1 (mod 3) = 2 [check: 2x20=40≡1 (mod 3)]
N2 = N/n2 = 15; d2 = 15-1 (mod 4) = 3 [check: 3x15=45≡1 (mod 4)]
N3 = N/n3 = 12; d3 = 12-1 (mod 5) = 3 [check: 3x12=36≡1 (mod 5)]
x ≡ c1N1d1 + c2N2d2 + c3N3d3 (mod N)
x = (1x20x2) + (2x15x3) + (3x12x3) = 238 ≡ 58 (mod 60)
so a solution is x = 58
.
Note that this is "a" solution. Any integer that satisfies 58 + 60k
for any integer k is also
a solution, but the method gives you the unique solution in the range
0 ≤ x < n1n2n3
.
A simpler method
For congruences with small moduli there is a simpler method (useful in exams!).
To solve the previous problem, write out the numbers x ≡ 3 (mod 5)
until you find a number congruent to 2 (mod 4)
,
then increase that number by multiples of 5 x 4
until you find number congruent to 1 (mod 3)
.
x ≡ 3 (mod 5): x = 3,8,13,18 ≡ 2(mod 4) [increase by 5] x ≡ 18 (mod 20): x = 18,38,58 ≡ 1(mod 3) [increase by 5 x 4] x ≡ 58 (mod 60).
We find it easier to start with the largest modulus and work downwards.
To solve the original Chinese problem:
x ≡ 2 (mod 7): x = 2,9,16,23 ≡ 3(mod 5) [increase by 7] x ≡ 23 (mod 35): x = 23 ≡ 2(mod 3) x ≡ 23 (mod 105).
Cracking RSA
Alice sends the same message m encrypted using the RSA algorithm to three recipients with different moduli
n1,n2,n3
all coprime to each other but using the same exponent e=3
.
Eve recovers the three ciphertext values c1,c2,c3
and knows the public keys (n,e=3)
of all the recipients.
Can Eve recover the message without factoring the moduli?
Yes. Eve uses Gauss's algorithm above to find a solution
x, in the range 0 ≤ x < n1n2n3
,
to the three simultaneous congruences
x ≡ c2 (mod n2)
x ≡ c3 (mod n3)
We know from the Chinese Remainder Theorem that m3 < n1n2n3
,
so it follows that x = m3
and so m can be recovered by simply
computing the integer cube root of x.
Note that the cube root does not involve any modular arithmetic and so is straightforward to compute
(well, as straightforward as computing any cube root is).
Example
There are three recipients with public keys (87,3)
, (115,3)
and (187,3)
.
That is, we have e=3
and
(although the factorisation would neither be public nor feasibly computable for large n's used in practice)
Alice encrypts the message m=10
using RSA to all three, as follows,
and these three ciphertext values c1, c2, c3
are intercepted by Eve,
who also knows the public values (ni, e)
.
She then uses Gauss's algorithm as follows
N1 = N/n1 = 115x187 = 21505; d1 = 21505-1 (mod 87) = 49
N2 = N/n2 = 87x187 = 16269; d2 = 16269-1 (mod 115) = 49
N3 = N/n3 = 87x115 = 10005; d3 = 10005-1 (mod 187) = 2
x ≡ c1N1d1 + c2N2d2 + c3N3d3 (mod N)
x = (43.21505.49) + (80.16269.49) + (65.10005.2) = 110386165 ≡ 1000 (mod 1870935)
So m is the cube root of 1000; that is, m = 10
, as required.
Eve did not need to factor the moduli to find the message.
To compute the modular inverses, we used the bd_modinv
function in our
Modular Arithmetic Freeware package
(new updated version released 11-11-11)
> bd_modinv 21505 87 21505^-1 mod 87 = 49 > bd_modinv 16269 115 16269^-1 mod 115 = 49 > bd_modinv 10005 187 10005^-1 mod 187 = 2
Comment
In practice with RSA we would be looking at much larger moduli in the order of 1000 or 2000 bits (i.e. numbers about 300 to 600 decimal digits long, probably too big for your pocket calculator), but the same principles apply. You would need to use a computer package that does large integer arithmetic (like our free BigDigits software - see below). It is most likely that any three moduli in practice will be coprime, so the method is likely to be successful.
Example with larger modulus
Here is an example to recover a message which has been encrypted using RSA to three recipients using 512-bit moduli and the common exponent 3 with no random padding. We use our BigDigits library to do the arithmetic. We added a cuberoot function in the latest version 2.3 specifically to solve this type of problem.
The example code is in t_bdRsaCrack.c (included in the latest BigDigits distribution). The output of running this code is here. Thanks to Arone Prem Kumar Arokiasami for prompting us to do this.
This shows how easy it is to crack RSA even for realistic key sizes if the sender is careless.
How to prevent this type of attack
- Use a larger exponent, like 65537 (0x10001). This makes it harder to use the above method, but it is much better to...
- Add some random bits to the message - at least 64 bits worth. Make sure every message ever encrypted always has different random bytes added. This is known as salting the message and will prevent many other attacks, too. Obviously, the recipient needs to know how to remove the random bytes after decrypting the message.
For more on weaknesses in RSA and how to combat them, see our RSA algorithm page.
References
- Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography, CRC Press LLC, 1997. The complete book is available on-line.
- M381 Mathematics and Computing: A Third Level Course, Number Theory Handbook, The Open University, 1996.
Contact us
Feedback or questions: Send us a message.
This page first published 23 October 2010 and last updated 5 December 2019