CryptoBook
  • CryptoBook
  • Book Plan
  • Style Guide
    • Sample Page
  • Contributors
  • Fundamentals
    • Mathematical Notation
    • Division and Greatest common divisor
      • Euclidean Algorithm
    • Modular Arithmetic
      • Theorems of Wilson, Euler, and Fermat
        • Fermat's Little Theorem in Detail
        • Euler's Theorem in Detail
      • Quadratic Residues
    • Continued Fractions
  • Number Theory
  • Ideals
  • Polynomials With Shared Roots
  • Integer Factorization
    • Pollard rho
    • Sieves
  • Abstract algebra
    • Groups
      • Another take on groups
      • Discrete Log Problem
    • Rings
    • Fields
    • Polynomials
  • Elliptic Curves
    • Untitled
  • Lattices
    • Introduction
    • LLL reduction
      • Gram-Schmidt Orthogonalization
      • Lagrange's algorithm
      • LLL reduction
    • Lattice reduction
      • Minkowski reduced
      • HKZ reduced
      • LLL reduced
    • Applications
      • Coppersmith algorithm
      • Extensions of Coppersmith algorithm
    • Hard lattice problems
    • Lattices of interest
    • Cryptographic lattice problems
      • Short integer solutions (SIS)
      • Learning with errors (LWE)
      • Ring-LWE
      • NTRU
    • Interactive fun
    • Resources and notations
  • Asymmetric Cryptography
  • RSA
    • Proof of correctness
    • RSA application
    • Low Private Component Attacks
      • Wiener's Attack
      • Boneh-Durfee Attack
    • Common Modulus Attack
    • Recovering the Modulus
  • Diffie-Hellman
    • MITM
  • Elliptic Curve Cryptography
  • Symmetric Cryptography
    • Encryption
    • The One Time Pad
    • AES
      • Rijndael Finite Field
      • Round Transformations
  • Hashes
    • Introduction / overview
    • The Birthday paradox / attack
  • Isogeny Based Cryptography
    • Introduction to Isogeny Cryptography
    • Isogenies
    • Isogeny and Ramanujan Graphs
  • Appendices
    • Sets and Functions
    • Probability Theory
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. RSA

Proof of correctness

PreviousRSANextRSA application

Last updated 3 years ago

Was this helpful?

We now consider cd=med=mc^d = m^{ed} = mcd=med=mnecessary for the successful description of an RSA ciphertext. The core of this result is due to which states

aϕ(n)≡1mod  na^{\phi(n)} \equiv 1 \mod naϕ(n)≡1modn

for all coprime integers (a,n)(a,n)(a,n) and ϕ(n)\phi(n)ϕ(n) is .

As a reminder, we say two integers are coprime if they share no non-trivial factors. This is the same statement that gcd⁡(a,n)=1\gcd(a,n)=1gcd(a,n)=1.

From the definition of the protocol, we have that

ed≡1mod  ϕ(n),    ⇒    ed=1+kϕ(n)ed \equiv 1 \mod \phi(n), \;\; \Rightarrow \;\; ed = 1 + k\phi(n)ed≡1modϕ(n),⇒ed=1+kϕ(n)

for some k∈Zk \in \mathbb{Z}k∈Z. Combining this with Euler's theorem, we see that we recover mmmfrom the ciphertext

cd≡(me)dmod  n≡medmod  n≡mkϕ+1mod  n≡mkϕmmod  n≡(mϕ)kmmod  n≡1kmmod  n≡mmod  n\begin{align} c^d &\equiv (m^e)^d &&\mod n \\ &\equiv m^{ed} &&\mod n \\ &\equiv m^{k\phi + 1} &&\mod n \\ &\equiv m^{k\phi} m &&\mod n \\ &\equiv (m^\phi)^km &&\mod n \\ &\equiv 1^km &&\mod n \\ &\equiv m &&\mod n \\ \end{align}cd​≡(me)d≡med≡mkϕ+1≡mkϕm≡(mϕ)km≡1km≡m​​modnmodnmodnmodnmodnmodnmodn​​

When the requirement gcd⁡(m,n)=1\gcd(m, n) = 1gcd(m,n)=1does not hold, we can instead look at the equivalences modulo pppand qqqrespectively. Clearly, when gcd⁡(m,n)=n,\gcd(m, n) = n,gcd(m,n)=n,we have that c≡m≡0mod  nc \equiv m \equiv 0 \mod nc≡m≡0modnand our correctness still holds. Now, consider the case m=k⋅p,m = k\cdot p,m=k⋅p,where we have that c≡m≡0mod  pc \equiv m \equiv 0 \mod pc≡m≡0modpand cd≡(me)d(modq).c^d \equiv (m^e)^d \pmod q.cd≡(me)d(modq).Since we have already excluded the case that gcd⁡(m,q)=q,\gcd(m, q) = q,gcd(m,q)=q,we can conclude that gcd⁡(m,q)=1,\gcd(m, q) = 1,gcd(m,q)=1,as qqqis prime. This means that mℓϕ(q)≡1mod  qm^{\ell\phi(q)} \equiv 1 \mod qmℓϕ(q)≡1modqand by the multiplicative properties of the ϕ\phiϕfunction, we determine that mℓnϕ(n)=mℓϕ(q)≡1mod  q.m^{\ell_n\phi(n)} = m^{\ell\phi(q)} \equiv 1 \mod q.mℓn​ϕ(n)=mℓϕ(q)≡1modq.We conclude by invoking the Chinese Remainder theorem with

m≡0mod  pm≡1ℓmmod  q\begin{align*} m &\equiv 0 &&\mod p \\ m &\equiv 1^\ell m &&\mod q\\ \end{align*}mm​≡0≡1ℓm​​modpmodq​

that me⋅d≡mmod  n.m^{e\cdot d} \equiv m \mod n.me⋅d≡mmodn.The case for m=k⋅qm = k\cdot qm=k⋅qfollows in a parallel manner.

Euler's theorem
Euler's totient function