The Chinese Remainder Theorem
On this page we look at the Chinese Remainder Theorem (CRT), Gauss's algorithm to solve simultaneous linear congruences, a simpler method to solve congruences for small moduli, and an application of the theorem to break the RSA algorithm when someone sends the same encrypted message to three different recipients using the same exponent of e=3.
Note that all the theorem says is that there is a unique solution. It doesn't actually say how to solve it. This is usually done using Gauss's algorithm. There is also a variant of the CRT used to speed up the calculations in the RSA algorithm.
The name "Chinese" comes from an old Chinese puzzle allegedly posed by Sun Tsu Suan-Ching in 4 AD:
There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number?
x ≡ 2 (mod 3) x ≡ 3 (mod 5) x ≡ 2 (mod 7)
The Chinese Remainder Theorem (CRT) tells us that since 3, 5 and 7 are coprime in pairs then there is a unique solution
3 x 5 x 7 = 105. The solution is
x = 23. You can check that by noting that the relations
23 = 7 x 3 + 2 ≡ 2 (mod 3) 23 = 4 x 5 + 3 ≡ 3 (mod 5) 23 = 3 x 7 + 2 ≡ 2 (mod 7)
are all satisfied for this value of x.
Ni = N/ni and
di ≡ Ni-1 (mod ni).
For the original "Chinese" problem above we have
N = n1n2n3 = 3 x 5 x 7 = 105
c1=2, c2=3, c3=2.
N1 = N/n1 = 35 and so
d1 = 35-1 (mod 3) = 2,
N2 = N/n2 = 21 and so
d2 = 21-1 (mod 5) = 1, and
N3 = N/n3 = 15 and so
d3 = 15-1 (mod 7) = 1.
x = (2 x 35 x 2) + (3 x 21 x 1) + (2 x 15 x 1) = 233 ≡ 23 (mod 105)
x ≡ 1 (mod 3) x ≡ 2 (mod 4) x ≡ 3 (mod 5)
Using Gauss's algorithm,
N = n1n2n3 = 3 x 4 x 5 = 60
c1=1, c2=2, c3=3.
N1 = N/n1 = 20; d1 = 20-1 (mod 3) = 2 [check: 2x20=40≡1 (mod 3)]
N2 = N/n2 = 15; d2 = 15-1 (mod 4) = 3 [check: 3x15=45≡1 (mod 4)]
N3 = N/n3 = 12; d3 = 12-1 (mod 5) = 3 [check: 3x12=36≡1 (mod 5)]
x ≡ c1N1d1 + c2N2d2 + c3N3d3 (mod N)
x = (1x20x2) + (2x15x3) + (3x12x3) = 238 ≡ 58 (mod 60)
so a solution is
x = 58.
Note that this is "a" solution. Any integer that satisfies
58 + 60k for any integer k is also
a solution, but the method gives you the unique solution in the range
0 ≤ x < n1n2n3.
For congruences with small moduli there is a simpler method (useful in exams!).
To solve the previous problem, write out the numbers
x ≡ 3 (mod 5)
until you find a number congruent to
2 (mod 4),
then increase that number by multiples of
5 x 4
until you find number congruent to
1 (mod 3).
x ≡ 3 (mod 5): x = 3,8,13,18 ≡ 2(mod 4) [increase by 5] x ≡ 18 (mod 20): x = 18,38,58 ≡ 1(mod 3) [increase by 5 x 4] x ≡ 58 (mod 60).
We find it easier to start with the largest modulus and work downwards.
To solve the original Chinese problem:
x ≡ 2 (mod 7): x = 2,9,16,23 ≡ 3(mod 5) [increase by 7] x ≡ 23 (mod 35): x = 23 ≡ 2(mod 3) x ≡ 23 (mod 105).
Alice sends the same message m encrypted using the RSA algorithm to three recipients with different moduli
n1,n2,n3 all coprime to each other but using the same exponent
Eve recovers the three ciphertext values
and knows the public keys
(n,e=3) of all the recipients.
Can Eve recover the message without factoring the moduli?
Yes. Eve uses Gauss's algorithm above to find a solution
x, in the range
0 ≤ x < n1n2n3,
to the three simultaneous congruences
x ≡ c2 (mod n2)
x ≡ c3 (mod n3)
We know from the Chinese Remainder Theorem that
m3 < n1n2n3,
so it follows that
x = m3 and so m can be recovered by simply
computing the integer cube root of x.
Note that the cube root does not involve any modular arithmetic and so is straightforward to compute
(well, as straightforward as computing any cube root is).
There are three recipients with public keys
That is, we have
(although the factorisation would neither be public nor feasibly computable for large n's used in practice)
Alice encrypts the message
m=10 using RSA to all three, as follows,
and these three ciphertext values
c1, c2, c3 are intercepted by Eve,
who also knows the public values
She then uses Gauss's algorithm as follows
N1 = N/n1 = 115x187 = 21505; d1 = 21505-1 (mod 87) = 49
N2 = N/n2 = 87x187 = 16269; d2 = 16269-1 (mod 115) = 49
N3 = N/n3 = 87x115 = 10005; d3 = 10005-1 (mod 187) = 2
x ≡ c1N1d1 + c2N2d2 + c3N3d3 (mod N)
x = (43.21505.49) + (80.16269.49) + (65.10005.2) = 110386165 ≡ 1000 (mod 1870935)
So m is the cube root of 1000; that is,
m = 10, as required.
Eve did not need to factor the moduli to find the message.
To compute the modular inverses, we used the
bd_modinv function in our
Modular Arithmetic Freeware package
(new updated version released 11-11-11)
> bd_modinv 21505 87 21505^-1 mod 87 = 49 > bd_modinv 16269 115 16269^-1 mod 115 = 49 > bd_modinv 10005 187 10005^-1 mod 187 = 2
In practice with RSA we would be looking at much larger moduli in the order of 1000 or 2000 bits (i.e. numbers about 300 to 600 decimal digits long, probably too big for your pocket calculator), but the same principles apply. You would need to use a computer package that does large integer arithmetic (like our free BigDigits software - see below). It is most likely that any three moduli in practice will be coprime, so the method is likely to be successful.
Here is an example to recover a message which has been encrypted using RSA to three recipients using 512-bit moduli and the common exponent 3 with no random padding. We use our BigDigits library to do the arithmetic. We added a cuberoot function in the latest version 2.3 specifically to solve this type of problem.
This shows how easy it is to crack RSA even for realistic key sizes if the sender is careless.
How to prevent this type of attack
- Use a larger exponent, like 65537 (0x10001). This makes it harder to use the above method, but it is much better to...
- Add some random bits to the message - at least 64 bits worth. Make sure every message ever encrypted always has different random bytes added. This is known as salting the message and will prevent many other attacks, too. Obviously, the recipient needs to know how to remove the random bytes after decrypting the message.
For more on weaknesses in RSA and how to combat them, see our RSA algorithm page.
- Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography, CRC Press LLC, 1997. The complete book is available on-line.
- M381 Mathematics and Computing: A Third Level Course, Number Theory Handbook, The Open University, 1996.
Feedback or questions: Send us a message.
This page first published 23 October 2010 and last updated 5 December 2019