RSA-CRT
foreword
Using the Chinese remainder theorem to decrypt RSA can increase the speed of RSA algorithm decryption.
For some basic knowledge of number theory, you can refer to the following article: Basic knowledge of cryptography - number theory (from entry to abandonment)
1. Chinese Remainder Theorem (CRT)
Let p and q be different prime numbers, and n = p*q. For any (X1, x2) where 0 ≤ x1 < p and 0 ≤ x2 < q, there exists a number x where 0 ≤ x < n.
The Chinese remainder theorem gives the following system of linear congruence equations in one variable:
x1 = x mod p
x2 = x mod q
Therefore, any integer x (0 < x< n) can be uniquely represented in its CRT representation (X1, X2).
2. Euler's Theorem
Euler's theorem is a generalization of Fermat's little theorem. Or known as the Euler-Fermat theorem.
n is a positive integer, a is any integer with gcd(a, n) = 1, then a^Φ(n) = 1 (mod n).
Φ(n) is the Euler function, that is, the number of positive integers that do not exceed n and are mutually prime with n. For a prime number p, Φ§ = p-1.
3. RSA normal decryption process
For the RSA algorithm process, please refer to the following article: Public Key Encryption Algorithm-RSA
m = c^d mod n (d is the private key).
In order to ensure security, p and q in the algorithm are required to be prime numbers with a length of 512 bits or more. When using the RSA algorithm to decrypt the ciphertext, the number of digits of the private key exponent d and the modulus n is generally relatively large, and it is difficult to calculate.
It can be deciphered using the Chinese remainder theorem and the Euler function.
According to the Chinese remainder theorem, m = c^d mod n can be written as
m1=c^d mod p
m2=c^d mod q
At this time, the number of n digits is reduced. But the number of digits of d is still very large.
To calculate c^d mod p, we can use Euler's theorem to reduce the number of bits of d
c ^ d mod p = c ^ ( d mod Φ ( p ) ) mod p = c ^ ( d mod (p-1) ) mod p
The above formula is proved as follows:
d = kφ( p ) + d mod φ( p ) (or d = k(p-1) + d mod ( p-1 )) where k is an integer.
c ^ d = c ^( k φ ( p ) + d mod φ( p ) ) = (c ^ φ( p )) ^k * c ^ d mod φ( p ) According to Euler's theorem, c ^ φ
( p ) = 1 (mod p)
then c ^ d = 1^k * c ^ d mod φ( p ) = c ^ d mod φ( p ) ( mod p)
In the same way:
c ^ d mod q = c ^ ( d mod Φ ( q ) ) mod q = c ^ ( d mod (q-1) ) mod q
令dP = d mod (p-1) = e^(-1)mod(p-1)
dQ = d mod (q-1) = e^(-1)mod(p-1)
m1 = c^dP mod p
m2 = c^dQ mod q
Then the RSA solution process is as follows:
qInv = q ^ (-1) mod p
h = qInv * ( m1-m2 ) mod p
m = m2 + h*q (m is plaintext)
The final solution process can be written as:
S=CRT(m1,m2)=m2+((m1-m2)(q^(-1)modp) modp)⋅q
The above is a bit messy, you can see the picture below:
4. Examples are as follows:
Use the Chinese remainder theorem to decrypt the following example.
The calculation process is as follows:
The reference article is as follows: Using the CRT with RSA