Applications to Chinese Remainder Theorem-Computer Security-Lecture Handouts, Lecture notes of Computer Security

Rocky Hiranandani gave this handout to help with the Computer Security course at Baddi University of Emerging Sciences and Technologies. It includes: Application, Chinese, Remainder, Theorem, Leak, Information, Threshold, Secret, Sharing, Congruences, Moduli

Typology: Lecture notes

2011/2012
Uploaded on 07/07/2012

Partial preview of the text

Applications to Chinese Remainder Theorem

Abstract

We demonstrate the usefulness of a simple mathematical result, the Chinese Remainder Theorem (CRT). A short informal introduction is followed by a formal analysis of the theorem. We then discuss how the CRT can leak information and why caution is to be exercised when applying it to a k-threshold system for secret sharing. We also look at clever RSA variants, namely RSA-CRT and Rebalanced RSA-CRT.

Introduction

A common math puzzle is to find a positive integer x which leaves remainder 1 when divided by 2, 3 and 5 and is divisible by 7. Does a solution necessarily exist? If yes, is there more than one solution? Such questions are formally studied using the Chinese Remainder Theorem.

Statement: Given a system of congruences to different moduli

x ≡ a1 mod m1, x ≡ a2 mod m2, . . ., x ≡ ar mod mr,

if each pair of moduli is relatively prime, gcd(mi, mj) = 1 for i ≠ j, then the system has exactly one common solution modulo M = m1*m2*. . .*mr, and any two solutions are congruent to one another modulo M.

Proof: We first show that a solution, if it exists, is unique modulo M. Suppose x' and x'' are two solutions; then x' ≡ x'' mod mi for each i (0 < i <= r), i.e. mi | (x' - x'') for each i. Since the mi are relatively prime in pairs, M | (x' - x'') and we have x' ≡ x'' mod M. Therefore any two solutions are congruent to one another modulo M.

For existence, let Mi = M/mi, which means Mi is the product of all the moduli except the ith one. Clearly gcd(M/mi, mi) = 1, and using the Euclidean algorithm we can find Ni such that (M/mi)*Ni ≡ 1 mod mi. We set

x = a1*(M/m1)*N1 + a2*(M/m2)*N2 + . . . + ar*(M/mr)*Nr.

Consider each term in the sum modulo mi. We get x ≡ ai*(M/mi)*Ni ≡ ai mod mi.
All other terms vanish, since M/mj ≡ 0 mod mi when i ≠ j. Hence x satisfies all the congruences in the system. We have already shown that x is unique modulo M. Hence the proof.

Note: If the moduli m1, m2, . . ., mr are not relatively prime in pairs, there may be no solution to the system of congruences.

Example: Using the Chinese Remainder Theorem, solve x ≡ 2 mod 3, x ≡ 3 mod 5, x ≡ 4 mod 11, x ≡ 5 mod 16.

Clearly the moduli are relatively prime in pairs. M = 3*5*11*16 = 2640. M1 = 2640/3 = 880, M2 = 2640/5 = 528, M3 = 2640/11 = 240, M4 = 2640/16 = 165. We have 880*N1 ≡ 1 mod 3, 528*N2 ≡ 1 mod 5, 240*N3 ≡ 1 mod 11, 165*N4 ≡ 1 mod 16. Solving using the Extended Euclidean algorithm, we have N1 = 1, N2 = 2, N3 = 5, N4 = -3. Therefore

x = 2*880*N1 + 3*528*N2 + 4*240*N3 + 5*165*N4 = 2*880*1 + 3*528*2 + 4*240*5 + 5*165*(-3) = 7253 ≡ 1973 (mod 2640).

We have x = 1973 as a common solution to the above system of congruences. All other solutions are of the form 1973 + M*i, i = 1, 2, 3, . . .

Information leakage on using the Chinese Remainder Theorem

Consider this simplified example. Let N = 1000 be the secret integer. We are to split the secret among 3 servers such that N can be retrieved by combining the partial secrets of all 3 servers, but not with the participation of fewer servers. We choose primes pi with cube-root(N) < pi << square-root(N), i.e. cube-root(1000) < pi << square-root(1000), i.e. 10 < pi << 31.6. We choose p1 = 11, p2 = 13, p3 = 17. Finding the residues of N modulo pi, we get x ≡ 10 mod 11,

[Pages 3 and 4 of the handout are not included in this preview.]

RSA-CRT Decryption

Since RSA-CRT encryption is the same as the standard RSA encryption procedure, we now turn our attention to RSA-CRT decryption. Let M be the plaintext and C the ciphertext.

Theorem: If C is not divisible by p and dp ≡ d mod (p-1), then C^dp ≡ C^d (mod p).

For decryption we find

1. Mp = C^dp (mod p) = C^d (mod p) and Mq = C^dq (mod q) = C^d (mod q).

2.
Then, using the Chinese Remainder Theorem, we find the solution M of M ≡ Mp (mod p) = C^d (mod p), M ≡ Mq (mod q) = C^d (mod q).

We now illustrate the scheme using an oversimplified example. Choose p = 7, q = 11, gcd(p-1, q-1) = 2, N = p*q = 7*11 = 77, phi(N) = (p-1)*(q-1) = 6*10 = 60. Let dp = 5, gcd(dp, p-1) = gcd(5, 6) = 1, and dq = 3, gcd(dq, q-1) = gcd(3, 10) = 1. We are to find d such that d ≡ 5 mod 6, d ≡ 3 mod 10. We cannot apply the Chinese Remainder Theorem directly since gcd(6, 10) ≠ 1, hence we convert the system of congruences in such a manner that the cancellation law can be applied. We have d - 1 ≡ 5 - 1 mod 6, d - 1 ≡ 3 - 1 mod 10. On applying the cancellation law, (d-1)/2 ≡ (5-1)/2 mod (6/2), (d-1)/2 ≡ (3-1)/2 mod (10/2), i.e. x = d' = (d-1)/2 ≡ 2 mod 3, x = d' = (d-1)/2 ≡ 1 mod 5. Solving using the Chinese Remainder Theorem, M = 3*5 = 15, M1 = 15/3 = 5, M2 = 15/5 = 3. 5*N1 ≡ 1 mod 3 gives N1 = 2; 3*N2 ≡ 1 mod 5 gives N2 = 2. We have d' = x = 2*5*2 + 1*3*2 = 26 ≡ 11 (mod 15). Therefore d' = 11 and d = 2*d' + 1 = 2*11 + 1 = 23.

Now we find e such that e*d ≡ 1 mod phi(N), i.e. e*23 ≡ 1 mod 60, which gives e = 47.

Let the plaintext be M = 5. Then C = 5^47 mod 77 = 3. For decryption we find Mp = C^dp mod p = C^d mod p and Mq = C^dq mod q = C^d mod q: Mp = 3^5 mod 7 = 243 mod 7 = 5, Mq = 3^3 mod 11 = 27 mod 11 = 5. Using the Chinese Remainder Theorem (here M denotes the CRT modulus), M = 7*11 = 77, M1 = 77/7 = 11, M2 = 77/11 = 7. 11*N1 ≡ 1 mod 7 gives N1 = 2; 7*N2 ≡ 1 mod 11 gives N2 = 8. x = 5*11*2 + 5*7*8 = 390 ≡ 5 (mod 77). Thus x = M = 5, as desired. In this specific example Mp = Mq = 5 is already a common solution, and it is not necessary to apply the Chinese Remainder Theorem further.

Rebalanced RSA-CRT

We now turn our attention to another RSA variant, Rebalanced RSA-CRT. The main aim of Rebalanced RSA-CRT is to speed up RSA decryption by shifting the work to the encrypter. This is particularly useful for RSA decryption on mobile devices like cell phones, whose life is limited by the battery.
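The CRT solver, the three-server secret split with its information leak, and the RSA-CRT key derivation and decryption described above, gathered into one added worked example in Python. This is not code from the handout: the function names are mine, the primes 11, 13, 17 and the key p = 7, q = 11, dp = 5, dq = 3 are the handout's, and the `candidates` count of what two of three shares reveal is my own reading of the leak the handout discusses on the pages missing from this preview. The solver goes a step beyond the theorem as stated: it merges congruences one at a time and divides out the gcd, so it also handles the non-coprime system d ≡ 5 (mod 6), d ≡ 3 (mod 10) that the handout solves by hand with the cancellation law.

```python
"""Chinese Remainder Theorem, CRT threshold secret sharing and RSA-CRT.

Added worked example; not code from the handout.  It re-derives the handout's
numbers: x = 1973 for the four-congruence system, the split of the secret
N = 1000 over the primes 11, 13, 17, and the toy RSA-CRT key p = 7, q = 11,
dp = 5, dq = 3 (d = 23, e = 47, plaintext 5 encrypts to 3).
"""
from math import gcd, prod
from typing import Dict, List, Tuple


def crt(residues: List[int], moduli: List[int]) -> Tuple[int, int]:
    """Solve x ≡ a_i (mod m_i) for every i; return (x, L) with 0 <= x < L.

    Congruences are merged one at a time, so the moduli need not be pairwise
    coprime.  For coprime moduli L is the product M of the handout's statement;
    for non-coprime moduli each merge divides out gcd(m, n), which is the
    cancellation law the handout applies to d ≡ 5 (mod 6), d ≡ 3 (mod 10).
    Raises ValueError when the system has no solution.
    """
    x, m = 0, 1
    for a, n in zip(residues, moduli):
        g = gcd(m, n)
        if (a - x) % g:
            raise ValueError(f"no solution: x ≡ {x} (mod {m}) vs x ≡ {a} (mod {n})")
        # Find t with x + m*t ≡ a (mod n), i.e. (m/g)*t ≡ (a-x)/g (mod n/g).
        n_g = n // g
        t = (a - x) // g * pow(m // g, -1, n_g) % n_g
        x, m = x + m * t, m // g * n          # new modulus is lcm(m, n)
        x %= m
    return x, m


def has_solution(residues: List[int], moduli: List[int]) -> bool:
    """True iff the system is consistent (always true for coprime moduli)."""
    try:
        crt(residues, moduli)
        return True
    except ValueError:
        return False


# --- CRT threshold secret sharing (the handout's 3-server scheme) -----------

def split_secret(secret: int, primes: List[int]) -> List[int]:
    """Share i is the residue of the secret modulo prime i."""
    return [secret % p for p in primes]


def recover_secret(shares: List[int], primes: List[int]) -> int:
    return crt(shares, primes)[0]


def candidates(shares: List[int], primes: List[int], bound: int) -> List[int]:
    """Secrets below `bound` consistent with a subset of the shares.

    Fewer than all shares still pin the secret to one residue class modulo the
    product of the known primes, so the candidate set shrinks from `bound`
    values to about bound/product: this is the information leak.
    """
    x, m = crt(shares, primes)
    return list(range(x, bound, m))


# --- RSA-CRT ------------------------------------------------------------------

def rsa_crt_keygen(p: int, q: int, dp: int, dq: int) -> Dict[str, int]:
    """Handout's order of steps: choose dp, dq, derive d by CRT, then e.

    Needs gcd(dp, p-1) = gcd(dq, q-1) = 1 and dp ≡ dq (mod gcd(p-1, q-1)),
    otherwise d ≡ dp (mod p-1), d ≡ dq (mod q-1) has no solution.
    """
    if gcd(dp, p - 1) != 1 or gcd(dq, q - 1) != 1:
        raise ValueError("dp, dq must be invertible modulo p-1, q-1")
    d, _ = crt([dp, dq], [p - 1, q - 1])      # smallest d fitting both
    phi = (p - 1) * (q - 1)
    e = pow(d, -1, phi)                        # e*d ≡ 1 (mod phi(N))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q, "dp": dp, "dq": dq}


def rsa_encrypt(m: int, key: Dict[str, int]) -> int:
    return pow(m, key["e"], key["n"])          # identical to standard RSA


def rsa_crt_decrypt(c: int, key: Dict[str, int]) -> int:
    p, q = key["p"], key["q"]
    mp = pow(c, key["dp"], p)   # ≡ c^d (mod p) by Fermat, as dp ≡ d (mod p-1)
    mq = pow(c, key["dq"], q)
    return crt([mp, mq], [p, q])[0]


if __name__ == "__main__":
    print("x =", crt([2, 3, 4, 5], [3, 5, 11, 16]))      # (1973, 2640)
    primes = [11, 13, 17]                  # 10 < p_i << 31.6, as in the handout
    shares = split_secret(1000, primes)
    print("shares", shares, "recovered", recover_secret(shares, primes))
    print("2 of 3 shares leave", len(candidates(shares[:2], primes[:2], prod(primes))),
          "candidates out of", prod(primes))
    key = rsa_crt_keygen(7, 11, 5, 3)
    c = rsa_encrypt(5, key)
    print("key", key, "C =", c, "M =", rsa_crt_decrypt(c, key))
```

Two shares out of three leave 17 candidates for N among the 2431 values below 11*13*17 instead of 2431, which is the leak the handout warns about: the bound cube-root(N) < pi keeps two shares from determining N outright, but they still narrow it by a factor of roughly p1*p2. The key-generation order in `rsa_crt_keygen` (choose dp and dq first, then derive d and e) is also the Rebalanced RSA-CRT recipe from the next section; with dp and dq of 160 bits or more instead of 5 and 3, the derived e is as large as phi(N), which is exactly why encryption becomes expensive there.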
Rebalanced RSA-CRT decryption is over three times faster than standard RSA. The only difference between RSA-CRT and Rebalanced RSA-CRT is in the choice of the values dp and dq. In Rebalanced RSA-CRT, the sizes of e and d are of the order of phi(N), whereas in standard RSA e is usually a 16-bit or 32-bit integer. According to [6], the size of dp and dq should be at least 160 bits to achieve a security level of 2^80. As a result, for Rebalanced RSA-CRT we always choose dp and dq > 160 bits. The remaining steps are the same as for RSA-CRT. The main drawback of this scheme is that the task of the encrypter is enormous, even for a high-end computer. A variant of Rebalanced RSA-CRT exists with encryption three times faster than the original Rebalanced RSA-CRT; for more details please refer to [7]. The security of these RSA variants is an open question. For a security level of 2^80 against the best-known attacks on Rebalanced RSA-CRT, one should use dp and dq of length greater than 160 bits.

Conclusion

We discussed applications of the Chinese Remainder Theorem to a k-threshold system for secret sharing and its use in clever RSA variants like RSA-CRT and Rebalanced RSA-CRT, where decryption is over three times faster than standard RSA, which uses modular arithmetic.

Bibliography

[1] Neal Koblitz, A Course in Number Theory and Cryptography, Springer, second edition, 1994.
[2] William Stallings, Cryptography and Network Security, Pearson Education, third edition.
[3] Tom Apostol, Introduction to Analytic Number Theory, Springer International, student edition, 1989.
[4] Bruce Schneier, Applied Cryptography, Wiley, second edition, 2001.
[5] Ivan Niven and Herbert S. Zuckerman, An Introduction to the Theory of Numbers, Wiley Eastern Limited.
[6] Dan Boneh and Hovav Shacham, Fast Variants of RSA. CryptoBytes, Volume 5, No. 1, Winter/Spring 2002, pp. 1-9.
Available: http://www.rsasecurity.com/rsalabs/cryptobytes/CryptoBytes_January_2002_final.pdf
[7] Hung-Min Sun and Mu-En Wu, An Approach Towards Rebalanced RSA-CRT with Short Public Exponent. Cryptology ePrint Archive, Report 2005/053, February 2005. Available: http://eprint.iacr.org/2005/053
[8] D. Boneh, Twenty Years of Attacks on the RSA Cryptosystem, Notices of the American Mathematical Society, February 1999.

Authored by Sarad A.V