Outline
- The Chinese Remainder Theorem
- In-Class Exercise
- Discrete Logs and Square Roots
- RSA
About The Chinese Remainder Theorem
- We are building up the mathematics to understand how various algorithms related to cryptography work.
- On Monday, we gave an algorithm for solving modular linear equations `ax equiv b mod n`.
- In studying number theory we have so far looked at a Greek algorithm that is more than 2000 years old, so it's time to look at a Chinese result that is also more than a thousand years old, the Chinese Remainder Theorem.
- One of the earliest works containing the Chinese Remainder Theorem was the 孙子算经 (Sunzi Suan Jing), which was written between the 3rd and 5th century.
- Some uses of it are:
- It tells us if `n` is the product of pairwise relatively prime numbers `n_0,...,n_k` then the structure of `ZZ_n` behaves as that of the Cartesian product `ZZ_(n_0) times ZZ_(n_1) times ... times ZZ_(n_k)`.
- It gives us efficient/parallel algorithms for certain operations like multiplication/division by allowing us to work modulo `n_i` (a small number) rather than modulo `n` (a potentially big number).
The Chinese Remainder Theorem
Theorem. Let `n = n_1 cdot n_2 cdots n_k`, where the `n_i` are pairwise relatively prime.
Consider the correspondence `a <=> (a_1,...,a_k)` where `a_i= a mod n_i`.
Then this is a bijection and preserves addition and product.
Proof. The preservation of plus and times is easy to check. Computing the `a_i`'s from `a` is also easy.
To compute `a` from `(a_1,..,a_k)`, let `m_i = n/n_i`. Observe `gcd(m_i, n_i)=1` and also `m_j equiv 0 (mod n_i)` for `j != i`.
Compute `t_i= m_i^(-1) (mod n_i)` using the Extended Euclidean Algorithm.
Let `c_i= m_i cdot t_i` (here we are not computing `c_i` modulo anything). Finally, compute `a` as `(a_1 cdot c_1 + cdots + a_k cdot c_k).` Notice
`a = sum_j a_j c_j equiv sum_j a_j (m_j cdot t_j) equiv a_i cdot c_i (mod n_i)` using `m_j equiv 0 (mod n_i)` for `j != i`. So
`a equiv a_i cdot c_i equiv a_i cdot m_i cdot t_i equiv a_i (mod n_i)`.
Example
Find a number `a mod 30` such that `a equiv 1 mod 2`, `a equiv 2 mod 3`, and `a equiv 3 mod 5`.
Solution. First we compute: `m_1 = 30/2 = 15`, `m_2 = 30/3 = 10`, `m_3 = 30/5 = 6`. Next we compute
`t_i = (m_i)^(-1) mod n_i`. Abbreviate Extended-Euclid(a, b) as EE(a,b).
For `i=1`, Extended-Euclid(15, 2) makes the calls:
EE(15, 2)
    EE(2, 1)
        EE(1, 0), which returns `(1, 1, 0)`
So EE(2, 1) returns `(1, 0, 1 - |__2/1__| cdot 0) = (1, 0, 1)`
So EE(15,2) returns `(1, 1, 0 - |__15/2__| cdot 1) = (1, 1, -7)`
This tells us `15 cdot 1 - 7 cdot 2 = 1`, i.e., `15 cdot 1 equiv 1 mod 2`; therefore `t_1 = 15^(-1) = 1 mod 2`. Similarly,
we can compute Extended-Euclid(10, 3) to get `t_2 = 10^(-1) = 1 mod 3`, and compute Extended-Euclid(6, 5) to get
`t_3 = 6^(-1) = 1 mod 5`. From this we have `c_1 = m_1 cdot t_1 = 15 cdot 1 = 15`, `c_2 = 10 cdot 1 = 10`, `c_3 = 6 cdot 1 = 6`.
So finally `a = a_1 cdot c_1 + a_2 cdot c_2 + a_3 cdot c_3 = 1 cdot 15 + 2 cdot 10 + 3 cdot 6 = 15 + 20 + 18 = 53 mod 30 = 23 mod 30.`
One can check `23 equiv 1 mod 2`, `23 equiv 2 mod 3`, and `23 equiv 3 mod 5`.
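The reconstruction step of the proof in code, as an added example that is not part of the slides: `extended_euclid` is EE(a, b) from above, and `crt` computes the `m_i`, `t_i`, and `c_i` for any list of pairwise relatively prime moduli (the function names are this example's own).

```python
def extended_euclid(a, b):
    """EE(a, b) as on the slide: return (d, x, y) with d = gcd(a, b) and a*x + b*y = d."""
    if b == 0:
        return (a, 1, 0)
    d, x, y = extended_euclid(b, a % b)
    return (d, y, x - (a // b) * y)


def crt(residues, moduli):
    """Given a_i = residues[i] and pairwise coprime n_i = moduli[i], return (a mod n, n)
    where a = sum_i a_i * c_i is the unique solution of a = a_i mod n_i for every i."""
    n = 1
    for n_i in moduli:
        n *= n_i
    a = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i                          # m_i = n / n_i, so m_i = 0 mod n_j for j != i
        d, t_i, _ = extended_euclid(m_i, n_i)   # m_i * t_i + n_i * (something) = d
        if d != 1:
            raise ValueError("moduli are not pairwise relatively prime")
        t_i %= n_i                              # t_i = m_i^(-1) mod n_i
        c_i = m_i * t_i                         # c_i = 1 mod n_i and c_i = 0 mod n_j for j != i
        a += a_i * c_i
    return a % n, n


def satisfies(a, residues, moduli):
    """Check a = a_i mod n_i for every i."""
    return all(a % n_i == a_i % n_i for a_i, n_i in zip(residues, moduli))
```

Running `crt([1, 2, 3], [2, 3, 5])` reproduces the worked example, and mapping every `a` in `ZZ_30` to its residues and back confirms the bijection the theorem states.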
In-class Exercise
- Find a number `a mod 42` such that `a equiv 1 mod 2`, `a equiv 2 mod 3`, and `a equiv 5 mod 7`. Show your work.
- Please post your solution to the Apr 13 In-Class Exercise Thread.
Powers of an Element
- The following two useful theorems are corollaries of earlier results about the size of `ZZ_n^star` and Lagrange's Theorem:
Theorem. For any integer `n gt 1`, `a^(phi(n)) equiv 1 (mod n)` for all `a in ZZ_n^star`.
Theorem. If `p` is prime, then `a^(p - 1) equiv 1 (mod p)` for all `a in ZZ_p^star`.
- The next theorem tells us the values of `n` for which `ZZ_n^star` is cyclic.
Theorem (#). The values of `n gt 1` for which `ZZ_n^star` is cyclic (that is, generated by one element) are `2`, `4`, `p^e`, and `2p^e`, for all primes `p gt 2` and all positive integers `e`.
Proof Idea. Both of our textbooks skip the proof of this. It can be found in An Introduction to The Theory of Numbers. Niven, Zuckerman, Montgomery. 5th Ed. Wiley. 1991. The cases `n = 2` (where `ZZ_n^star` has 1 element) and `n = 4` (where it has 2 elements) are trivial.
For the case of `ZZ_p^star` one can show that if `a` has order `h` mod `p`, `b` has order `k` mod `p`, and `h` and `k` are relatively prime, then `ab` has order `hk` mod `p`. This is applied to the prime factorization of `p-1` to get elements whose orders are the prime-power factors of `p-1`, which are then combined into a generator of `ZZ_p^star`. One then shows that if `g` generates `ZZ_p^star` then `g+tp`, `t ne 0`, generates `ZZ_(p^2)^star`. One then can show that if `p` is an odd prime and `g` generates `ZZ_(p^2)^star`, then `g` also generates `ZZ_(p^e)^star` for `e > 2`. (To see this, one shows using the binomial theorem that earlier powers can't be congruent to `1 mod p^e`.) One next shows it follows that either `g` or `g + p^e` will generate `ZZ_(2p^e)^star`. Finally, one can show that if `n` isn't of the above form, then it can be expressed as a product of two relatively prime numbers `n_1` and `n_2`, and that the order of every element in `ZZ_n^star` will be at most the least common multiple of `phi(n_1)` and `phi(n_2)`, which is strictly less than `phi(n)`.
More Powers of an Element
- `g` is a primitive root or generator of `ZZ_n^star` if `langle g rangle = ZZ_n^(star)`.
- If `g` is a primitive root then the equation `g^x equiv a mod n` has a solution called the discrete logarithm or index of `a mod n`, which we write as `"ind"_(n, g)(a)`.
- The next theorem concerns the discrete logarithm problem, which is related to factoring, the problem on which RSA is based.
Theorem (##). If `g` is a primitive root of `ZZ_n^star`, then the equation `g^x equiv g^y (mod n)` holds if and only if the equation `x equiv y mod phi(n)` holds.
Proof. Suppose `x equiv y mod phi(n)` holds. Then `x= y + k phi(n)` for some `k`. So `g^x equiv g^(y + k phi(n)) equiv g^y g^(k phi(n)) equiv g^y 1^k equiv g^y (mod n)`.
Conversely, suppose `g^x equiv g^y (mod n)` holds. Since `g` is a generator, `|langle g rangle| = phi(n)`. So the sequence of powers of `g` is periodic with period `phi(n)`, and no smaller period. Therefore, if `g^x equiv g^y (mod n)` we must have `x equiv y mod phi(n)`.
Square Roots
Theorem. If `p` is an odd prime, and `e ge 1`, then the equation `x^2 equiv 1 (mod p^e)`
has only two solutions, `x = 1` and `x = -1`.
Proof. Let `n = p^e`. Theorem (#) implies `ZZ_n^star` has a generator `g`. So the above equation can be rewritten as `g^(2 cdot "ind"(x)) equiv g^("ind"(1)) mod n`. Note `"ind"(1) = 0`, so Theorem (##) implies this equation is equivalent to `2 cdot "ind"(x) equiv 0 mod phi(n)`, a modular linear equation we can solve. We know `phi(n) = p^e(1 - 1/p) = (p-1)p^(e-1)`. If `d = gcd(2, phi(n))`, then `d = 2` (since `p` is odd, `2` divides `p-1`) and `d | 0`. So we know this equation has exactly two solutions, which we can compute using our algorithm or by inspection as `1` and `-1`.
- A number `x` is a nontrivial square root of `1 mod n` if `x^2 equiv 1 mod n` but `x` is not congruent to `+-1 mod n`. For example, `6 mod 35`, since `6^2 = 36 equiv 1 mod 35`.
Corollary. If there exists a nontrivial square root of `1` modulo `n`, then `n` is composite.
Public Key Cryptosystems
- We now apply what we've learned to public key cryptography.
- In public key cryptography, we have two participants Alice and Bob (i.e., A and B) who want to exchange messages securely.
- Each has a public key `P_A`, `P_B` which they let everyone know.
- They also each have a private key `S_A`, `S_B` which only they know.
- Each of these keys is a permutation on some space of strings, and the public keys are inverses of the private keys. That is, `M = P_A(S_A(M)) = S_A(P_A(M))`. Here `M` is the message.
- If Alice wants to send Bob a message `M`, she computes some hash function of `M`, `h(M)`, and signs this with her private key to make `S_A(h(M))`. She concatenates this to `M` to make `langle M, S_A(h(M)) rangle`. Then she sends `P_B(langle M, S_A(h(M)) rangle)` to Bob.
- To decode, Bob applies his private key to get `S_B(P_B( langle M, S_A(h(M)) rangle)) = langle M, S_A(h(M)) rangle`.
- To check this is from Alice, he applies her public key to the second component, `P_A(S_A(h(M))) = h(M)`, then computes the hash of the message he received and verifies that it equals `h(M)`.
RSA
- RSA (Rivest, Shamir, and Adleman 1977) is a particular public key cryptosystem.
- It creates public keys and private keys as follows:
- Select two large prime numbers `p` and `q` such that `p ne q`. (For instance, the primes might be 512 bits each.)
- Compute `n = pq`.
- Select a small odd integer `e` that is relatively prime to `phi(n) = (p-1)(q-1)`.
- Compute the multiplicative inverse `d` of `e mod phi(n)`.
- Publish the pair `P = (e, n)` as the RSA public key.
- Keep secret the pair `S= (d, n)` as the RSA secret key.
- To apply a key to a message `0 le M < n`, we compute either `P(M) = M^e mod n` or `S(C) = C^d mod n`. Here `C` denotes the ciphertext.
Correctness of RSA
Theorem. The RSA functions `P` and `S` on the previous slides define inverse transformations.
Proof. `P(S(M)) = S(P(M)) = M^(ed) mod n`. Since `e` and `d` are multiplicative inverses modulo `phi(n) = (p-1)(q-1)`, `ed = 1 + k(p-1)(q-1)` for some `k`. If `M equiv 0 mod n`, then `M^(ed) equiv 0 mod n` and we are done. Otherwise, look at `M` modulo `p`. If `M equiv 0 mod p`, then trivially `M^(ed) equiv 0 equiv M mod p`. If `M` is not congruent to `0 mod p`, Fermat's theorem gives
`M^(ed) equiv M(M^(p-1))^(k(q-1)) mod p`
`equiv M(1)^(k(q-1)) mod p`
`equiv M mod p`
Either way `M^(ed) equiv M mod p`, and a similar argument holds `mod q`. Since `p` and `q` are relatively prime, the Chinese Remainder Theorem implies `M^(ed) equiv M (mod n)`.
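An added example, not from the slides, that runs the six key-generation steps and the `P`/`S` functions on textbook-sized primes, checks the theorem just proved exhaustively for that `n`, and walks through the hash-sign-encrypt exchange of the Public Key Cryptosystems slide. The function names, the toy `h`, and encrypting the two components of `langle M, S_A(h(M)) rangle` separately are assumptions of this example.

```python
import hashlib
from math import gcd


def rsa_keygen(p, q, e=3):
    """Steps 1-6 of the slide: return (P, S) = ((e, n), (d, n)) from distinct primes p, q."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                        # step 2
    phi = (p - 1) * (q - 1)
    while gcd(e, phi) != 1:          # step 3: small odd e relatively prime to phi(n)
        e += 2
    d = pow(e, -1, phi)              # step 4: d = e^(-1) mod phi(n) (Python 3.8+; Extended Euclid inside)
    return (e, n), (d, n)            # steps 5-6: public (e, n), secret (d, n)


def apply_key(key, x):
    """P(M) = M^e mod n or S(C) = C^d mod n, depending on which pair is passed in."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("input must satisfy 0 <= x < n")
    return pow(x, exp, n)


def h(M, n):
    """Toy stand-in for h(M): SHA-256 of M's decimal string, reduced into Z_n so it can be signed.
    Real signature schemes pad the hash (e.g. PKCS#1) instead of reducing it mod n."""
    return int.from_bytes(hashlib.sha256(str(M).encode()).digest(), "big") % n


def alice_sends(M, S_A, P_B):
    """Return <M, S_A(h(M))> encrypted under Bob's public key. The two components are encrypted
    separately (an assumption of this example), so Bob's modulus must be at least Alice's."""
    sig = apply_key(S_A, h(M, S_A[1]))   # sign the hash with Alice's private key
    return apply_key(P_B, M), apply_key(P_B, sig)


def bob_receives(packet, S_B, P_A):
    """Decrypt both components with S_B, then check P_A(S_A(h(M))) == h(M). Return (M, ok)."""
    M = apply_key(S_B, packet[0])
    sig = apply_key(S_B, packet[1])
    return M, apply_key(P_A, sig) == h(M, P_A[1])


def inverses_everywhere(P, S):
    """The correctness theorem checked exhaustively for a toy modulus: S(P(M)) = M for all M in Z_n."""
    return all(apply_key(S, apply_key(P, M)) == M for M in range(P[1]))
```

With `p = 61`, `q = 53`, `e = 17` the keys are `(17, 3233)` and `(2753, 3233)`, and a tampered signature fails Bob's check because `P_A` is a bijection on `ZZ_n`.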
Testing for Primes
- One key component of RSA is to use large primes chosen at random.
- It turns out that primes are not too rare, since it is known that `pi(n)`, the number of primes less than `n`, grows as `n/(log n)` (natural logarithm).
- However, we still need a way to check if an odd number is prime.
- One brute force approach is to try dividing `n` by each number up to `sqrt(n)`. This is exponential in the number of bits of `n`.
- Recall if `n` is prime then `a^(n-1) equiv 1 mod n`.
- A number `n` is pseudo-prime for `a`, if it is composite but `a^(n-1) equiv 1 mod n`.
- It turns out pseudo-primes are rare, so we could almost check for primality by checking this equation for several different values of `a`.
- Unfortunately, there are even rarer numbers called Carmichael numbers, for which this check never helps.
- These are defined as composite numbers `n` such that the equation `a^(n-1) equiv 1 mod n` holds for all nonzero `a` that are relatively prime to `n`.
- Carmichael numbers are rare since one can show they need to be a product of at least three distinct prime numbers.
- For example, `561 = 3 cdot 11 cdot 17` is a Carmichael number. One can check for each nonzero `a` relatively prime to `561` that `a^(560) equiv 1 mod 561` (best done with a program).
Miller Rabin Primality Testing
- Idea:
- Try several randomly chosen values for `a`.
- While computing each modular exponentiation, we check whether we ever see a nontrivial square root of `1 mod n`. If so, we know for sure the number is composite.
- The nontrivial square root testing is done by the following routine:
Witness(a, n)
    let n - 1 = 2^t * u, where t >= 1 and u is odd
    x_0 = Modular-Exponentiation(a, u, n)
    for i = 1 to t:
        x_i = (x_(i-1))^2 mod n
        if x_i = 1 and x_(i-1) != 1 and x_(i-1) != n - 1:
            return true
    if x_t != 1:
        return true
    return false
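The Witness routine in Python, as an added example not from the slides, extended to return the nontrivial square root of `1 mod n` it spots, with a Miller-Rabin driver and the Fermat check from the Testing for Primes slide. Run on `561` it shows a Carmichael number passing the Fermat check while Witness exposes it (function names are this example's own).

```python
import random


def fermat_passes(a, n):
    """The earlier slide's check a^(n-1) = 1 mod n: true for every prime, but also for pseudo-primes."""
    return pow(a, n - 1, n) == 1


def witness(a, n):
    """Witness(a, n) from the slide. Returns (True, r) when a proves n composite, where r is the
    nontrivial square root of 1 mod n that was spotted (None if the proof came from x_t != 1),
    and (False, None) when a reveals nothing."""
    t, u = 0, n - 1
    while u % 2 == 0:                # n - 1 = 2^t * u with u odd
        t += 1
        u //= 2
    x = pow(a, u, n)                 # x_0 = a^u mod n
    for _ in range(t):
        prev, x = x, (x * x) % n     # x_i = (x_(i-1))^2 mod n
        if x == 1 and prev != 1 and prev != n - 1:
            return True, prev        # prev^2 = 1 but prev != +-1: by the Corollary, n is composite
    if x != 1:                       # x_t = a^(n-1) != 1: Fermat's theorem fails, so n is composite
        return True, None
    return False, None


def miller_rabin(n, s=20, rng=random):
    """Try s random a's; 'composite' if any is a witness, else 'probably prime' (error at most 2^-s)."""
    if n in (2, 3):
        return "probably prime"
    if n < 2 or n % 2 == 0:
        return "composite"
    for _ in range(s):
        a = rng.randrange(1, n)
        if witness(a, n)[0]:
            return "composite"
    return "probably prime"
```

For `a = 2` and `n = 561` the squaring chain is `263, 166, 67, 1, 1`, so `67` is a nontrivial square root of `1 mod 561` even though `2^560 equiv 1 mod 561`; `witness(6, 35)` likewise returns the `6` from the Square Roots slide.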