Chinese Remainder Theorem in Cryptography a Brief Overview Of
May 4, 2017 | Author: api-26832469 | Category: N/A
Chinese Remainder Theorem in cryptography

A brief overview of the Chinese Remainder Theorem and its use in secret sharing and fast RSA variants

Rahul Munshi, 05PH2010
1. INTRODUCTION

The Chinese remainder theorem provides a correspondence between a system of congruences modulo a set of pairwise relatively prime moduli and a single congruence modulo their product. Around A.D. 100, the Chinese mathematician Sun-Tsu solved the problem of finding those integers x that leave remainders 2, 3, and 2 when divided by 3, 5, and 7 respectively. One such solution is x = 23; all solutions are of the form 23 + 105k for arbitrary integers k.

Let us look at a simple interpretation of the theorem. Let r and s be positive integers which are relatively prime and let a and b be any two integers. Then there is an integer N such that

$N \equiv a \pmod{r}$    (1)

and

$N \equiv b \pmod{s}.$    (2)

Moreover, N is uniquely determined modulo rs. An equivalent statement is that if $\gcd(r, s) = 1$, then every pair of residue classes modulo r and s corresponds to a single residue class modulo rs.

The theorem can be generalized as follows. Given a set of simultaneous congruences

$x \equiv a_i \pmod{m_i}$    (3)

for i = 1, ..., r, for which the $m_i$ are pairwise relatively prime, the solution of the set of congruences is
Rahul Munshi | 05PH2010 | Department of Physics and Meteorology
$x \equiv a_1 b_1 \frac{M}{m_1} + \cdots + a_r b_r \frac{M}{m_r} \pmod{M},$    (4)

where

$M = m_1 m_2 \cdots m_r$    (5)

and the $b_i$ are determined from

$b_i \frac{M}{m_i} \equiv 1 \pmod{m_i}.$    (6)

i.e. to sum up,
The Chinese Remainder Theorem (CRT). Let the numbers $n_1, n_2, \ldots, n_k$ be positive integers which are relatively prime in pairs, i.e. $\gcd(n_i, n_j) = 1$ when $i \neq j$. Furthermore, let $n = n_1 n_2 \cdots n_k$ and let $x_1, x_2, \ldots, x_k$ be integers. Then the system of congruences

$x \equiv x_1 \pmod{n_1}$
$x \equiv x_2 \pmod{n_2}$
...
$x \equiv x_k \pmod{n_k},$

where a mod b refers to the remainder of the integer division of a by b, has a simultaneous solution x to all of the congruences, and any two solutions are congruent to one another modulo n. Furthermore, there exists exactly one solution x between 0 and n - 1.

The general case of the CRT states that the simultaneous congruences can be solved even if the $n_i$ are not pairwise coprime. A solution x then exists if and only if $x_i \equiv x_j \pmod{\gcd(n_i, n_j)}$ for all i and j.

Note: If the moduli $n_1, n_2, \ldots, n_k$ are not relatively prime in pairs, there may be no solution to the system of congruences.
2. SECRET SHARING

Secret sharing refers to any method for distributing a secret amongst a group of participants, where each participant is allocated a share of the secret. The secret can only be reconstructed when all the shares are recombined; individual shares are of no use on their own. It was invented independently by Adi Shamir and George Blakley in 1979. The initial applications of secret sharing were safeguarding cryptographic keys and providing shared access to strategic resources. Threshold cryptography and some e-voting schemes are more recent applications of secret sharing schemes.

A very simple type of secret sharing is that in which each share is a plane and the secret is the point at which the planes intersect. More generally, any n hyperplanes in n-dimensional space intersect at a specific point. The secret may be encoded as any single coordinate of the point of intersection. Each player is given enough information to define a hyperplane; the secret is recovered by calculating the hyperplanes' point of intersection and then taking a specified coordinate of that intersection. This forms the basis of Blakley's secret sharing scheme. A simple 3-dimensional pictorial representation of the above idea is shown here.
Another system, called a (t, n)-threshold scheme (sometimes written as an (n, t)-threshold scheme), works as follows: there is one dealer and n players. The dealer gives shares of a secret to the players, but only under certain specific conditions. The sharing is such that any group of t (for threshold) or more players can together reconstruct the secret, but no group of fewer than t players can. This idea was put to use by Adi Shamir, an Israeli cryptographer.

Shamir's secret sharing scheme uses the fact that k points are sufficient to define a polynomial of degree k - 1. Let us use the (k, n)-threshold scheme to share our secret S, assumed to be an element of a finite field F. We choose k - 1 coefficients $a_1, a_2, \ldots, a_{k-1}$ at random and let $a_0 = S$. We now build the polynomial

$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}.$

We then construct any n points on it, for instance by setting i = 1, 2, ..., n to obtain the points (i, f(i)). Each point (a pair of an input to the polynomial and its output) is then given to a participant. Given any subset of k of these pairs, we can find the coefficients of the polynomial by interpolation, and the secret is the constant term $a_0$.
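As an added worked example (my own code, not from the report), here is Shamir's (k, n) scheme over the prime field $F_p$ with the constructed choice p = 2^127 - 1 (any prime larger than the secret works): the shares are the points (i, f(i)) and recovery is Lagrange interpolation of the k points at x = 0, which yields the constant term $a_0 = S$.

```python
import secrets

# Constructed choice of field: F_p for the Mersenne prime p = 2^127 - 1.
# Assumption: the secret S is an integer with 0 <= S < P.
P = 2**127 - 1

def make_shares(secret, k, n):
    """Shamir (k, n): split `secret` into n shares; any k of them recover it."""
    assert 0 <= secret < P and 1 < k <= n < P
    # a_0 = S, a_1 .. a_{k-1} uniformly random: f(x) = a_0 + a_1 x + ... + a_{k-1} x^{k-1}
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P

    # Share i is the point (i, f(i)); x = 0 is never handed out because f(0) = S.
    return [(i, f(i)) for i in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 over F_p, i.e. the constant term a_0 = S.
    With fewer than k shares this still returns a value, but not the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P        # product of (0 - x_j)
                den = den * (xi - xj) % P    # product of (x_i - x_j)
        # den^(P-2) is den^(-1) mod P by Fermat's little theorem (P is prime)
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret
```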
3. CHINESE REMAINDER THEOREM IN A K-THRESHOLD SECRET SHARING SYSTEM

As we saw earlier, in threshold schemes only the cardinality of the set of shares is important for recovering the secret. Mignotte and Asmuth-Bloom introduced threshold secret sharing schemes based on the Chinese remainder theorem.

3.1. MIGNOTTE'S THRESHOLD SECRET SHARING SCHEME

Mignotte's threshold secret sharing scheme applies the general CRT to recover the secret, making use of a special sequence of integers referred to as a Mignotte sequence. Let n be an integer, n ≥ 2, and 2 ≤ k ≤ n. A (k, n)-Mignotte sequence is a sequence of positive integers $m_1 < \cdots < m_n$ such that $\gcd(m_i, m_j) = 1$ for all 1 ≤ i < j ≤ n, and $m_{n-k+2} \cdots m_n < m_1 \cdots m_k$. Given a (k, n)-Mignotte sequence, the scheme works as follows:

o The secret S is chosen as a random integer such that β < S < α, where $\alpha = m_1 \cdots m_k$ and $\beta = m_{n-k+2} \cdots m_n$;
o The shares $I_i$ are chosen by $I_i = S \bmod m_i$, for all 1 ≤ i ≤ n;
o Given k distinct shares $I_{i_1}, \ldots, I_{i_k}$, the secret S is recovered using the standard Chinese Remainder Theorem. The system of congruences
$x \equiv I_{i_1} \pmod{m_{i_1}}$
...
$x \equiv I_{i_k} \pmod{m_{i_k}}$
has a unique solution modulo $m_{i_1} \cdots m_{i_k}$. By the construction of our shares, this solution is nothing but the secret S to be recovered.

Mignotte's scheme can be generalized by allowing moduli that are not necessarily pairwise coprime, by introducing generalized Mignotte sequences. A generalized (k, n)-Mignotte sequence is a sequence $m_1, \ldots, m_n$ of positive integers such that max1≤i1
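The following added example (my own code, not from the report) serves both the CRT statement of section 1 and Mignotte's scheme above. The solver merges congruences two at a time with the extended Euclidean algorithm instead of forming the sum of equation (4) directly, so it also covers the general case and reports when the condition $x_i \equiv x_j \pmod{\gcd(n_i, n_j)}$ fails. The (3, 5)-Mignotte sequence 11, 13, 17, 19, 23 (α = 2431, β = 437) and the secret 1000 are constructed values, and the standard condition β < S < α is assumed.

```python
from math import gcd, prod

def ext_gcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = ext_gcd(b, a % b)
    return g, v, u - (a // b) * v

def crt(residues, moduli):
    """General CRT: solve x ≡ r_i (mod m_i) for all i by merging one congruence
    at a time. Returns (x, L) with 0 <= x < L = lcm(m_i), or None when some pair
    violates r_i ≡ r_j (mod gcd(m_i, m_j)), i.e. no solution exists."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        g, u, _ = ext_gcd(m, n)              # u * (m/g) ≡ 1 (mod n/g)
        if (r - x) % g:
            return None
        t = (r - x) // g * u % (n // g)      # x + m*t ≡ r (mod n)
        lcm = m // g * n
        x, m = (x + m * t) % lcm, lcm
    return x, m

def mignotte_params(m, k):
    """Check m is a (k, n)-Mignotte sequence; return alpha = m_1..m_k, beta = m_{n-k+2}..m_n."""
    n = len(m)
    assert all(m[i] < m[i + 1] for i in range(n - 1)), "sequence must be increasing"
    assert all(gcd(m[i], m[j]) == 1 for i in range(n) for j in range(i + 1, n)), "not coprime"
    alpha, beta = prod(m[:k]), prod(m[n - k + 1:])
    assert beta < alpha, "not a (k, n)-Mignotte sequence"
    return alpha, beta

def mignotte_shares(secret, m, k):
    """Shares I_i = S mod m_i; assumes the standard condition beta < S < alpha."""
    alpha, beta = mignotte_params(m, k)
    assert beta < secret < alpha
    return [(mi, secret % mi) for mi in m]

def mignotte_recover(shares):
    """CRT over a subset of shares (pairs (m_i, I_i)). Equals S exactly when the
    subset has >= k shares: then the product of its moduli is >= alpha > S."""
    x, _ = crt([r for _, r in shares], [mi for mi, _ in shares])
    return x

# Constructed (3, 5)-Mignotte sequence: alpha = 11*13*17 = 2431, beta = 19*23 = 437.
M_SEQ = [11, 13, 17, 19, 23]
SECRET = 1000                                  # constructed secret, 437 < 1000 < 2431
```

With fewer than k shares the product of the moduli is at most β < S, so the CRT solution is only S reduced modulo that product, which is why the threshold holds.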