I don't understand how the chinese remainder theorem (CRT) is used in decrypting Paillier ciphertext on page 12 in the paper. Without CRT, the decryption (on page 7) is $\frac {L(c^\lambda\bmod N^2)}{L(g^\lambda\bmod N^2)} \bmod N$ where $L(x) = \frac{x - 1}N$.
From my understanding of CRT, this should be calculated as (I understand following is less efficient than the paper because exponent of $c$ is of size O($p^2$))
- Compute $c^\lambda\bmod N^2$ using CRT by first computing $c_p = c^{\lambda \bmod p(p-1)}\bmod p^2$ and $c_q = c^{\lambda \bmod q(q-1)}\bmod q^2$. The modular reduction in exponent is due to Euler's theorem as $\phi(p^2) = p(p-1)$ and $\phi(q^2) = q(q-1)$.
- Combine $c_p$ and $c_q$ using CRT to get $c^\lambda\bmod N^2$.
- Similarly compute $g^\lambda\bmod N^2$ using CRT by first computing $h_p = g^{\lambda \bmod p(p-1)}\bmod p^2$ and $h_q = g^{\lambda \bmod q(q-1)}\bmod q^2$ and combining with CRT to get $g^\lambda\bmod N^2$.
- Now these can be plugged in the above formula $\frac {L(c^\lambda\bmod N^2)}{L(g^\lambda\bmod N^2)} \bmod N$ to get the result.
But in the paper, on page 12, they compute
$m_p = L_p(c^{p-1} \bmod p^2)L_p(g^{p-1} \bmod p^2)^{-1} \bmod p$
$m_q = L_q(c^{q-1} \bmod q^2)L_q(g^{q-1} \bmod q^2)^{-1} \bmod q$
Combine $m_p$ and $m_q$ using CRT.
where $L_p(x) = \frac{x - 1}p$ and $L_q(x) = \frac{x - 1}q$
I don't understand why the above works?
I have seen this answer but still don't understand.
