[CS304] Introduction to Cryptography and Network Security
Course Instructor: Dr. Dibyendu Roy Autumn 2024-2025
Scribed by: Diya (202251043) Lecture 14 and 15 (Week 8)
1 System of Modular Equations
We aim to solve a system of linear congruences of the form:
a · x ≡ b (mod m) (Equation 1)
This congruence can be rewritten as an equivalent linear Diophantine equation:
a · x − m · y = b (Equation 2)
where y is an integer. According to Bézout’s Identity, we know that:
a · x0 + m · y0 = gcd(a, m) (Equation 3)
where x0 and y0 are specific integers that can be determined using the Extended Euclidean
Algorithm.
Equation 2 has a solution if and only if gcd(a, m) divides b. If this condition is not met, then
Equation 2 does not have a solution. When gcd(a, m) divides b, we can express b in terms of
gcd(a, m) as follows:
b = t · gcd(a, m)
where t is an integer. By multiplying Equation 3 by t, we obtain:
a · (t · x0 ) + m · (t · y0 ) = t · gcd(a, m)
=⇒ a · X0 + m · Y0 = b (Equation 4)
where X0 = t · x0 and Y0 = t · y0 give a solution to Equation 2 (take x = X0 and y = −Y0).
Thus, to solve the given modular equation:
• First, check if gcd(a, m) divides b. If it does not, no solution exists.
• If gcd(a, m) divides b, use the Extended Euclidean Algorithm to find x0 and y0 .
• Multiply x0 and y0 by t = b / gcd(a, m) to obtain X0 and Y0, which are solutions to the equation.
1.1 Chinese Remainder Theorem
The Chinese Remainder Theorem (CRT) is a crucial concept in number theory and finds extensive
applications in areas such as cryptography, where solving systems of modular congruences is
essential. Consider a system of congruences:
$$
\begin{aligned}
x &\equiv a_1 \pmod{m_1} \\
x &\equiv a_2 \pmod{m_2} \\
&\;\;\vdots \\
x &\equiv a_r \pmod{m_r}
\end{aligned}
$$
where $m_1, m_2, \ldots, m_r$ are pairwise coprime integers, meaning $\gcd(m_i, m_j) = 1$ for all $i \neq j$. The
CRT states that this system has a unique solution modulo $M = m_1 \cdot m_2 \cdots m_r$.
To understand why this theorem holds, we define δj for each 1 ≤ j ≤ r as:
$$
\delta_j =
\begin{cases}
1, & \text{for } x \equiv a_j \pmod{m_j} \\
0, & \text{for } x \equiv a_i \pmod{m_i} \text{ where } i \neq j
\end{cases}
$$
We claim that the solution x can be expressed as:
$$x = \sum_{j=1}^{r} a_j \cdot \delta_j \tag{1}$$
To prove this, consider the congruence for a specific j:
x ≡ aj (mod mj )
Taking the expression of x modulo mj , we have:
$$x \equiv \left( \sum_{i=1}^{r} a_i \cdot \delta_i \right) \pmod{m_j}$$
Since δi = 0 for i ≠ j and δj = 1, it simplifies to:
x ≡ aj (mod mj )
This confirms that x satisfies all the congruences in the system.
Now, we need to construct δj . Let M be defined as:
$$M = m_1 \cdot m_2 \cdots m_r \tag{2}$$
For each j, define:
$$M_j = \frac{M}{m_j}$$
Since mi are pairwise coprime, gcd(Mj , mj ) = 1. This allows us to find the multiplicative inverse
bj of Mj modulo mj using the Extended Euclidean Algorithm such that:
Mj · bj ≡ 1 (mod mj )
Now, δj can be defined as:
δj = Mj · bj (3)
By construction, δj ≡ 1 (mod mj ) and δj ≡ 0 (mod mi ) for i ≠ j. Thus, we have:
$$
\begin{aligned}
\delta_j \bmod m_i &= (M_j \cdot b_j) \bmod m_i \\
&= \left( \frac{M}{m_j} \cdot b_j \right) \bmod m_i \\
&= (t \cdot m_i) \bmod m_i \\
&= 0
\end{aligned}
$$
This verifies that $x = \sum_{j=1}^{r} a_j \cdot \delta_j$ satisfies all the given congruences and provides a unique solution
modulo M .
1.1.1 Uniqueness of the Solution
To prove the uniqueness of the solution to a system of congruences, let us assume that there are
two solutions, say x and x′ , which satisfy the following system of congruences:
$$
\begin{aligned}
x &\equiv a_i \pmod{m_i} \quad \text{for } i = 1, 2, \ldots, r \\
x' &\equiv a_i \pmod{m_i} \quad \text{for } i = 1, 2, \ldots, r
\end{aligned}
$$
Since x and x′ are both solutions to the system, we can write:
x ≡ ai (mod mi ) and x′ ≡ ai (mod mi )
Subtracting these congruences yields:
x′ − x ≡ 0 (mod mi ) for each i = 1, 2, . . . , r
This implies that the difference x′ − x is divisible by each mi . Since the moduli m1 , m2 , . . . , mr
are pairwise coprime, it follows that x′ − x must be divisible by their product:
$$x' - x \equiv 0 \pmod{m_1 \cdot m_2 \cdots m_r}$$
Therefore, we can conclude that:
x′ ≡ x (mod M )
where $M = m_1 \cdot m_2 \cdots m_r$. This proves that any solution to the system is unique modulo M .
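The two procedures of Section 1, as an added Python example that is not part of the original lecture notes: solving a · x ≡ b (mod m) with the Extended Euclidean Algorithm, and the CRT construction δj = Mj · bj. The function names are chosen here, and the congruence solver goes one step beyond the notes by returning the solution reduced modulo m / gcd(a, m), the period with which solutions repeat.

```python
from math import prod

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def solve_linear_congruence(a, b, m):
    """Solve a*x = b (mod m); return (X0, m // g) or None if g does not divide b."""
    g, x0, _ = egcd(a % m, m)      # Equation 3: a*x0 + m*y0 = gcd(a, m)
    if b % g:
        return None                # gcd(a, m) does not divide b: no solution
    t = b // g                     # b = t * gcd(a, m)
    step = m // g                  # solutions repeat with this period
    return (t * x0) % step, step   # X0 = t * x0, reduced to the smallest residue

def crt(residues, moduli):
    """Return (x, M) with x = a_j (mod m_j) for all j, built from delta_j = M_j * b_j."""
    M = prod(moduli)
    x = 0
    for a_j, m_j in zip(residues, moduli):
        M_j = M // m_j
        g, b_j, _ = egcd(M_j, m_j)  # b_j is the inverse of M_j modulo m_j
        if g != 1:
            raise ValueError("moduli must be pairwise coprime")
        x += a_j * M_j * b_j        # a_j * delta_j
    return x % M, M

if __name__ == "__main__":
    print(solve_linear_congruence(14, 30, 100))  # constructed sample input
    print(crt([2, 3, 2], [3, 5, 7]))             # constructed sample input
```
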
2 Elliptic Curve Cryptography (ECC)
Elliptic Curve Cryptography (ECC) is a modern cryptographic technique that provides strong
security with smaller key sizes compared to traditional methods such as RSA. ECC operates on
the mathematical properties of elliptic curves, making it highly efficient for secure communication.
2.0.1 Basics of Elliptic Curves
Elliptic curves are defined by equations of the form:
$$y^2 = x^3 + ax + b \tag{4}$$
where a and b are real numbers such that:
$$4a^3 + 27b^2 \neq 0$$
This condition ensures that the curve is non-singular, meaning it has no cusps or self-intersections.
2.0.2 Properties and Operations on Elliptic Curves
Points on an elliptic curve can be added using specific geometric operations, which are crucial for
cryptographic applications:
1. Point Addition (P + Q = R): If P and Q are points on the curve, the line through P and
Q intersects the curve at a third point, which we denote as −R. The reflection of −R over
the x-axis gives R.
2. Point Doubling (2P ): If P is a point on the curve, the tangent at P intersects the curve
at a new point −R. The reflection of −R over the x-axis gives R.
3. Identity Element (Θ): The point at infinity, Θ, acts as the identity element for the addition
operation. For any point P on the curve:
P +Θ=P
4. Inverse of a Point (−P ): For any point P (x, y), its inverse is −P (x, −y). Adding P and
−P yields the identity element Θ:
P + (−P ) = Θ
These properties make the set of points on an elliptic curve, combined with the addition
operation, a group.
2.0.3 Elliptic Curve Diffie-Hellman (ECDH) Key Exchange
The Elliptic Curve Diffie-Hellman (ECDH) protocol is a method for secure key exchange between
two parties (e.g., Alice and Bob). It relies on the difficulty of the Elliptic Curve Discrete Logarithm
Problem (ECDLP).
Process:
1. Alice and Bob agree on a public elliptic curve E and a base point P on E.
2. Alice selects a private key a and computes her public key A = aP .
3. Bob selects a private key b and computes his public key B = bP .
4. Alice computes the shared secret as S = aB.
5. Bob computes the shared secret as S = bA.
Since S = abP by the commutative property of point multiplication, both Alice and Bob derive
the same shared secret.
2.0.4 Elliptic Curve Digital Signature Algorithm (ECDSA)
The ECDSA is an elliptic curve-based variant of the Digital Signature Algorithm (DSA). It ensures
the authenticity and integrity of messages.
Steps for Signing:
1. Compute the hash e of the message m.
2. Select a random integer k from the range [1, n − 1], where n is the order of the base point G.
3. Compute the point (x1 , y1 ) = kG and r = x1 (mod n).
4. Compute $s = k^{-1}(e + r d_A) \pmod{n}$, where $d_A$ is Alice’s private key.
5. The signature is the pair (r, s).
Verification by Bob:
1. Verify that r and s are in the interval [1, n − 1].
2. Compute e = Hash(m).
3. Compute $w = s^{-1} \pmod{n}$, $u_1 = ew \pmod{n}$, and $u_2 = rw \pmod{n}$.
4. Compute the point (x2 , y2 ) = u1 G + u2 QA , where QA is Alice’s public key.
5. The signature is valid if r ≡ x2 (mod n); otherwise, it is invalid.
The security of ECDSA relies on the difficulty of solving the ECDLP, ensuring that it is
computationally infeasible to deduce the private key from the public key.
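The group operations, the ECDH exchange and the ECDSA sign/verify steps above, as an added Python example that is not part of the original lecture notes. It assumes a constructed toy curve over a finite field, y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) of order n = 19, which is far too small for real use; the function names are chosen here, and the hash is reduced modulo n to fit the toy group.

```python
import hashlib

# Constructed toy parameters (assumption): y^2 = x^3 + 2x + 2 over F_17,
# base point G of prime order n = 19.
P_MOD, A, G, N = 17, 2, (5, 1), 19
INF = None  # point at infinity, the identity element

def add(P, Q):
    """Point addition and doubling by the chord-and-tangent rule mod p."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                        # P + (-P) = identity
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)         # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD             # reflected third point

def mul(k, P):
    """Double-and-add scalar multiplication kP (ECDH: S = mul(a, B) = mul(b, A))."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def hash_int(msg):
    """e = Hash(m), reduced mod n for the toy group."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg, d, k):
    """Signing steps 1-5. k is a parameter only for reproducibility; step 2 draws it at random."""
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_int(msg) + r * d) % N
    return (r, s) if r and s else None   # zero r or s: caller retries with a new k

def verify(msg, sig, Q):
    """Verification steps 1-5 against public key Q = dG."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    X = add(mul(hash_int(msg) * w % N, G), mul(r * w % N, Q))
    return X is not INF and X[0] % N == r
```
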