Chinese Remainder Theorem synthesis algorithm

September 14, 2023
Rss Fetcher

Suppose m = pq where p and q are large, distinct primes. In the previous post we said that calculations mod m can often be carried out more efficiently by working mod p and mod q, then combining the results to get back to a result mod m.

The Chinese Remainder Theorem assures us that the system of congruences

$begin{align*} x &equiv apmod p \ x &equiv bpmod q end{align*}$

has a unique solution mod m, but the theorem doesn’t say how to compute x efficiently.

H. L. Garner developed an algorithm to directly compute x [1]:

$x = p biggl(big(,(a-b)(q^{-1}bmod p,)big)bmod pbiggr) + b$

You compute the inverse of q mod p once and save it, then solving the system above for multiple values of a and b is very efficient.

Garner’s algorithm extends to more than two factors. We will present the general case of his algorithm below, but first we do a concrete example with RSA keys.

RSA key example

This is a continuation of the example at the bottom of this post.

This shows that the numbers in the key file besides those that are strictly necessary for the RSA algorithm are numbers needed for Garner’s algorithm.

What the key file calls “coefficient” is the inverse of q modulo p.

What the key file calls “exponent1” is the the decryption exponent d reduced mod p-1. Similarly, “exponent2” is d reduced mod q-1 as explained here.

    from sympy import lcm

    prime1 = 0xf33514...d9
    prime2 = 0xfee496...51

    publicExponent = 65537
    privateExponent = 0x03896d...91

    coefficient = 0x4d5a4c...b7 # q^-1 mod p
    assert(coefficient*prime2 % prime1 == 1)

    exponent1 = 0x37cc69...a1 # e % phi(p)
    exponent2 = 0x2aa06f...01 # e % phi(q)
    assert(privateExponent % (prime1 - 1) == exponent1)
    assert(privateExponent % (prime2 - 1) == exponent2)

More factors

Garner’s algorithm can be used more generally when m is the product of more than two primes [2]. Suppose

$m = prod_{i=1}^n m_i$

where the m_i are pairwise relatively prime (not necessarily prime). Then the system of congruences

$x equiv x_i pmod {m_i}$

for i = 1, 2, 3, …, n can be solved by looking for a solution of the form

$x = v_1 + v_2 m_1 + v_3 m_1m_2 + cdots + v_n prod_{i=1}^{n-1} m_i$

where

$v_k equiv bigg( x_k - big(v_1 + v_2m_1 + cdots + v_{k-1} prod_{i=1}^{k-2}m_i big) bigg) bigg( prod_{i=1}^{k-1} m_ibigg)^{-1} pmod {m_k}$

Again, in practice the modular inverses of the products of the ms would be precomputed and cached.

[1] Ferguson, Schneier, Kohno. Cryptography Engineering. Wiley. 2010.

[2] Geddes, Czapor, and Labahn. Algorithms for Computer Algebra. Kluwer Academic Publishers. 1992.

The post Chinese Remainder Theorem synthesis algorithm first appeared on John D. Cook.

RSA key example

More factors

Related posts

Previous Post

Next Post

Solutions

Regions Covered