0

In RSA, we choose $p,q$ and calculate $\phi(n)=(p-1)(q-1)$. We then choose a public key $e$, and calculate its inverse modulo $\phi(n)$: $d\cdot e=1 \mod(\phi(n))$.

But then, when we decrypt a ciphertext $y=x^e \mod(n)$, we use the different modulus $n$ rather than $\phi(n)$: $x=y^d \mod(n)$. This is equal to $x^{e\cdot d \mod(n)}$, which supposedly equals $x^1$. But I don’t understand this last step, because we chose $d$ such that $e\cdot d=1 \mod (\phi(n))$, not such that $e\cdot d=1 \mod(n)$.

user56834

3 Answers

3

The question assumes, wrongly, that $a^b\bmod n$ is the same as $a^{b\bmod n}$ or $a^{b\bmod n}\bmod n$. In general these are three different quantities, as demonstrated with $a=5$, $b=5$, $n=3$:

$$\begin{array}{lclclcl}
a^b\bmod n&=&\left(5^5\right)\bmod 3&=&3125\bmod 3&=&2\\
a^{b\bmod n}&=&5^{(5\bmod 3)}&=&5^2&=&25\\
a^{b\bmod n}\bmod n&=&\left(5^{(5\bmod 3)}\right)\bmod 3&=&25\bmod3&=&1
\end{array}$$

Note: going from the second to third expression of the last line uses the result obtained above.

fgrieu
0

You are correct, $ed=1 \bmod \phi(n)$.

Changyu Dong
0

I think you want to know why we use $\phi(n)$ as a modulus when calculating the keys and $n$ as a modulus when calculating the message/ciphertext. I was wondering the same when studying the RSA cryptosystem for the first time. The following is taken from the book Understanding Cryptography by Christof Paar on page 178.

We have the definition of the RSA keys. $$de \equiv 1 \pmod {\phi(n)}$$

Per definition of the $\phi$ function this means the following: $$de = 1 + t*\phi(n)$$ for any integer $t$.

Edit: We assume that $\gcd(x,n)=1$. Now we take a look at the decryption process. $$d(y) \equiv y^d \equiv (x^e)^d \equiv x^{de} \pmod n$$

It follows: $$x^{de} \equiv x^{1+t*\phi(n)} \equiv x^1*x^{t*\phi(n)} \equiv x*(x^{\phi(n)})^t \pmod n$$

Now take a look at Euler's theorem (a generalization of Fermat's little theorem). $$x^{\phi(n)} \equiv 1 \pmod n $$

Now we can substitute and get $$x^{de} \equiv x*1^t \equiv x \pmod n$$

mrstrauss
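The derivation above can be checked numerically. The following Python sketch is an added example, not code from any of the answers or from the book; the toy parameters $p=61$, $q=53$, $e=17$ and the function names are constructed for illustration. It goes one step beyond the answer by checking the round trip for every residue, including those not coprime to $n$, which also decrypt correctly when $n$ is a product of two distinct primes.

```python
from math import gcd

def toy_key(p, q, e):
    """Textbook RSA key from small primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return n, phi, pow(e, -1, phi)      # d with d*e = 1 (mod phi(n)); Python 3.8+

def exponent_facts(p, q, e, x):
    """Compare reducing the exponent e*d modulo phi(n) and modulo n."""
    n, phi, d = toy_key(p, q, e)
    t, rem = divmod(e * d - 1, phi)     # e*d = 1 + t*phi(n), so rem is 0
    return {
        "d": d,
        "t": t,
        "rem": rem,
        "ed_mod_phi": e * d % phi,      # 1 by construction of d
        "ed_mod_n": e * d % n,          # generally not 1
        "x_pow_phi": pow(x, phi, n),    # Euler: 1 when gcd(x, n) == 1
        "x_pow_ed": pow(x, e * d, n),   # what encrypt-then-decrypt computes
        "x_pow_ed_mod_n": pow(x, e * d % n, n),  # exponent reduced mod n instead
    }

def failed_round_trips(p, q, e):
    """Every x in [0, n) for which (x^e)^d mod n differs from x."""
    n, _, d = toy_key(p, q, e)
    return [x for x in range(n) if pow(pow(x, e, n), d, n) != x]

if __name__ == "__main__":
    P, Q, E = 61, 53, 17                # constructed sample parameters
    for name, value in exponent_facts(P, Q, E, x=2).items():
        print(f"{name:>15} = {value}")
    print("failed round trips:", failed_round_trips(P, Q, E))
```
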