Chinese Remainder Algorithms. Çetin Kaya Koç Spring / 22

Transcription

1 Chinese Remainder Algorithms Çetin Kaya Koç Spring / 22

2 The Chinese Remainder Theorem Some cryptographic algorithms work with two (such as RSA) or more moduli (such as secret-sharing) The Chinese Remainder Theorem (CRT) and underlying algorithm allows to work with multiple moduli The general idea is to compute a large integer X knowing only its remainders modulo a small set of integers (called moduli) The principles of this method was established sometime in the 3rd and 5th century in China A Chinese mathematician Sun Tzu or Sunzi is known to be the author of The Mathematical Classic of Sunzi, which contains the earliest known example of the algorithm Thus, it is named as the Chinese Remainder Theorem. Çetin Kaya Koç Spring / 22

3 The Chinese Remainder Theorem Theorem Given k pairwise relatively prime moduli n i for i = 1, 2,..., k, a number x [0, m 1] with m = n 1 n 2 n k is uniquely representable using the remainders r i for i = 1, 2,..., k such that r i = x (mod n i ). Given the remainders r 1, r 2,..., r k, we can compute x using x = k r i c i m i (mod m) i=1 where m i = m/n i and c i = m 1 i (mod n i ) The computation of x using the linear summation formula above is also called the Chinese Remainder Algorithm (CRA) Çetin Kaya Koç Spring / 22

4 A CRT Example Chinese Remainder Algorithms Let the moduli set be {5, 7, 9} These moduli are pairwise relatively prime: gcd(5, 7) = gcd(5, 9) = gcd(7, 9) = 1 Each modulus does not need to be prime, but they need to be pairwise relatively prime If they are all prime, they will be pairwise relatively prime too We have n 1 = 5, n 2 = 7, n 3 = 9, and thus m = = 315 All integers in the range [0, 314] are uniquely representable using this moduli set Çetin Kaya Koç Spring / 22

5 A CRT Example Chinese Remainder Algorithms Let x = 200, then we have r 1 = 200 mod 5 r 2 = 200 mod 7 r 3 = 200 mod 9 r 1 = 0 r 2 = 4 r 3 = 2 The remainder set (0, 4, 2) with respect to the moduli set (5, 7, 9) uniquely represents the integer 200 Given the integer x and the moduli set, the remainders can be computed using r i = x (mod n i ) for i = 1, 2,..., k Çetin Kaya Koç Spring / 22

6 Chinese Remainder Algorithms Given the remainders and the moduli set, the integer x can be computed using the Chinese Remainder Algorithms (CRAs) There are two algorithms for computing x: The Single Radix Conversion (SRC) and the Mixed Radix Conversion (MRC) algorithms Either one of them computes x Given the remainders (0, 4, 2) with respect to the moduli (5, 7, 9), the computation integer x is represented as CRA(0, 4, 2; 5, 7, 9) = Çetin Kaya Koç Spring / 22

7 The SRCExample Chinese Remainder Algorithms The SRC Algorithm computes x = SRC(0, 4, 2; 5, 7, 9) m = n 1 n 2 n 3 = = 315 m 1 = m/n 1 = 315/5 = 7 9 = 63 m 2 = m/n 2 = 315/7 = 5 9 = 45 m 3 = m/n 3 = 315/9 = 5 7 = 35 c 1 = m1 1 = 63 1 = 3 1 = 2 (mod 5) c 2 = m2 1 = 45 1 = 3 1 = 5 (mod 7) c 2 = m3 1 = 35 1 = 8 1 = 8 (mod 9) x = r 1 c 1 m 1 + r 2 c 2 m 2 + r 3 c 3 m 3 (mod m) = = 1460 (mod 315) = 200 (mod 315) Therefore, SRC(0, 4, 2; 5, 7, 9) = Çetin Kaya Koç Spring / 22

8 Another SRC Example The SRC Algorithm computes x = SRC(2, 1, 1; 7, 9, 11) m = n 1 n 2 n 3 = = 693 m 1 = m/n 1 = 693/7 = 9 11 = 99 m 2 = m/n 2 = 693/9 = 7 11 = 77 m 3 = m/n 3 = 693/11 = 7 9 = 63 c 1 = m1 1 = 99 1 = 1 1 = 1 (mod 7) c 2 = m2 1 = 77 1 = 5 1 = 2 (mod 9) c 2 = m3 1 = 63 1 = 8 1 = 7 (mod 11) x = r 1 c 1 m 1 + r 2 c 2 m 2 + r 3 c 3 m 3 (mod N) = = 793 (mod 693) = 100 (mod 693) Therefore, SRC(2, 1, 1; 7, 9, 11) = Çetin Kaya Koç Spring / 22

9 The Mixed Radix Conversion Algorithm The SRC algorithm uses the summation x = k r i c i m i (mod m) i=1 The SRC algorithm requires multi-precision arithmetic at each step, as each product term in the summation grows beyond any of the moduli n i The Mixed Radix Conversion Algorithm computes x more efficiently The MRC algorithm is particularly useful when each modulus fits into the word size of the computer The MRC avoids multi-precision arithmetic until the last phase Çetin Kaya Koç Spring / 22

10 The Step 1 of the MRC Algorithm Step 1: Compute and save the inverses c ij for 1 j < i k c ij = n 1 j (mod n i ) This is accomplished using the extended Euclidean algorithm for the Fermat s method if the modulus is prime In case each modulus fits into the word size of the computer, any of the inverses would also fit into the same size Step 1 can be performed using the single-precision arithmetic Çetin Kaya Koç Spring / 22

11 The Step 2 of the MRC Algorithm Step 2: Given the remainders (r 1, r 2,..., r k ) of X with respect to the moduli (n 1, n 2,..., n k ) and its first column as r i1 = r i for i = 1, 2,..., k compute the entries of the lower triangular matrix r 11 r 21 r 22 r 31 r 32 r r k1 r k2 r k3 r kk The computations in the ith row are performed mod n i Çetin Kaya Koç Spring / 22

12 The Step 2 of the MRC Algorithm The 2nd column is computed using the 1st column The inverses are r 22 = (r 21 r 11 ) c 21 (mod n 2 ) r 32 = (r 31 r 11 ) c 31 (mod n 3 ) r 42 = (r 41 r 11 ) c 41 (mod n 4 ). r k2 = (r k1 r 11 ) c k1 (mod n k ) c 21 = n1 1 (mod n 2 ) c 31 = n1 1 (mod n 3 ) c 41 = n1 1 (mod n 4 ). c k1 = n 1 1 (mod n k ) Çetin Kaya Koç Spring / 22

13 The Step 2 of the MRC Algorithm The 3rd column is computed using the 2nd column The inverses are r 33 = (r 32 r 22 ) c 32 (mod n 3 ) r 43 = (r 42 r 22 ) c 42 (mod n 4 ). r k3 = (r k2 r 22 ) c k2 (mod n k ) c 32 = n2 1 (mod n 3 ) c 42 = n2 1 (mod n 4 ). c k2 = n 1 2 (mod n k ) Çetin Kaya Koç Spring / 22

14 The Step 2 of the MRC Algorithm The jth column is computed using the (j 1)th column r ij = (r i,j 1 r j 1,j 1 ) c i,j 1 (mod n i ) for i = j, j + 1,..., k The inverses are c i,j 1 = n 1 j 1 (mod n i) All computations in Step 2 are in single-precision arithmetic Çetin Kaya Koç Spring / 22

15 An Example of MRC Algorithm for k = 5 r 11 = r 1 modn 1 r 21 = r 2 r 22 = (r 21 r 11 )c 21 modn 2 r 31 = r 3 r 32 = (r 31 r 11 )c 31 r 33 = (r 32 r 22 )c 32 modn 3 r 41 = r 4 r 42 = (r 41 r 11 )c 41 r 43 = (r 42 r 22 )c 42 r 44 = (r 43 r 33 )c 43 modn 4 r 51 = r 5 r 52 = (r 51 r 11 )c 41 r 53 = (r 52 r 22 )c 52 r 54 = (r 53 r 33 )c 53 r 55 = (r 54 r 44 )c 54 modn 5 Çetin Kaya Koç Spring / 22

16 The Step 3 of the MRC Algorithm Step 3: The integer x is then computed using the diagonal entries as c = r 11 + r 22 n 1 + r 33 n 1 n r kk n 1 n 2 n k 1 This step requires multi-precision arithmetic due to the product terms n 1 n 2 n i for i = 1, 2,..., k 1 in the summation to obtain x Step 3 is the only step the MRC requires multi-precision arithmetic The MRC has some other advantages: Two numbers can be compared in size if their MRC coefficients (r 11, r 22,..., r kk ) are known The MRC is essentially a weighted radix representation of x, however, more than one radix is used (thus, the term: mixed-radix) Çetin Kaya Koç Spring / 22

17 An Example of the MRC Algorithm As example, let us take the remainders (r 1, r 2, r 3 ) = (2, 1, 1) with respect to the moduli (n 1, n 2, n 3 ) = (7, 9, 11) and compute x Step 1: First we compute and save the inverses c 21, c 31, c 32 c 21 = n1 1 (mod n 2 ) 7 1 (mod 9) 4 c 31 = n1 1 (mod n 3 ) 7 1 (mod 11) 8 c 32 = n2 1 (mod n 3 ) 9 1 (mod 11) 5 Çetin Kaya Koç Spring / 22

18 An Example of the MRC Algorithm Step 2: The first column of the lower triangular matrix is the given set of remainders (2, 1, 1) from which we compute the rest of the columns: 2 1 (1 2) 4 (mod 9) 5 1 (1 2) 8 (mod 11) 3 (3 5) 5 (mod 11) 1 Çetin Kaya Koç Spring / 22

19 An Example of the MRC Algorithm Step 3: To compute x, we perform the summation x = r 11 + r 22 n 1 + r 33 n 1 n 2 = = 100 Until the Step 3, all computations are in single-precision, assuming each modulus is a single-precision integer Çetin Kaya Koç Spring / 22

20 Comparing Integers in Mixed-Radix Representation Consider the integer x = 100 which has the remainders (2, 1, 1) with respect to the moduli (7, 9, 11) Now consider the integer y = 96 which has the remainders (5, 6, 8) with respect to the same moduli (7, 9, 11) We can tell of two integers are equal by comparing their remainders However, we cannot tell which one is larger, if they are not equal Even though y < x, it is not clear if this can be decided by comparing x = (2, 1, 1) and y = (5, 6, 8) 100 = (2, 1, 1)? (5, 6, 8) = 96 Çetin Kaya Koç Spring / 22

21 Comparing Integers in Mixed-Radix Representation The mixed-radix representation of x was (2, 5, 1) We now compute the mixed-radix coefficients of y as 5 6 (6 5) 4 (mod 9) 4 8 (8 5) 8 (mod 11) 2 (2 4) 5 (mod 11) 1 This gives the mixed-radix representation of y as (5, 4, 1) Çetin Kaya Koç Spring / 22

22 Comparing Integers in Mixed-Radix Representation These representations imply = = 96 We compare the mixed-radix coefficients from the right (which has the more weight) to the left (which has the least weight) and decided which number is larger Therefore, since the rightmost digits are equal (1 = 1) but, the next digits are not (5 > 4), we decide (2, 5, 1) > (5, 4, 1) Çetin Kaya Koç Spring / 22