
I read this question a while back (In RSA, why is it important to choose e so that it is coprime to φ(n)?). I was wondering whether there is a proof that shows that a public key exponent e that is coprime with the totient of the modulus N will result in a unique answer when the ciphertext is decrypted. Please help.

user9750060
  • A proof for what? – yyyyyyy Dec 13 '15 at 12:21
  • Are you asking for a proof, rather than an illustration by example as given in the answer to the linked question, of the fact: $$\gcd(e,\varphi(N))\ne1\implies\exists (x,y)\in\mathbb N^2,\;\;x\not\equiv y\pmod N,\;\;x^e\equiv y^e\pmod N$$ all other things being as specified in RSA (like, $N$ is a square-free integer, or is it the product of two distinct primes)? – fgrieu Dec 13 '15 at 12:39
  • @fgrieu Yes, a 'formal' proof. – user9750060 Dec 14 '15 at 02:58

1 Answer

First, if $e$ is the public key exponent, then the private key exponent $d$ is the (unique) multiplicative inverse modulo $\phi(n)$, or alternatively $ed \equiv 1 \pmod{\phi(n)}$. The reason we want $d$ to have this property is Euler's theorem, which says $a^{\phi(n)} \equiv 1 \pmod{n}$ for essentially all values of $a$, so $(a^e)^d\equiv a^{ed} \equiv a \pmod{n}$ ensures we can always decrypt $a^e$ to $a$.

Now, how do we know $d$ is the unique multiplicative inverse of $e$? Because if there were another value of $d'$ such that $ed' \equiv 1 \pmod{\phi(n)}$, then $0 \equiv 1-1 \equiv (ed-ed') \equiv (d-d')e \equiv (d-d') \pmod{\phi(n)}$, where the last congruence holds because $\gcd(e,\phi(n))=1$. Thus, $d$ is unique.

Finally, if $\gcd(e,\phi(n)) \ne 1$, then $e$ does not have a multiplicative inverse mod $\phi(n)$. This is because, assuming $e^{-1}$ exists, then there exists some integer $k$ such that $k\phi(n) + ee^{-1} = 1$, which implies $\gcd(e,\phi(n)) = 1$.

In practice, $e$ not having a multiplicative inverse means that the sequence $a^e, a^{2e}, a^{3e}, \ldots$ may never attain the value $a$ modulo $n$.

As fgrieu points out, there are other values of $d$ that can serve as private key exponent (besides the multiplicative inverse of $e$) but we can always choose $d$ to be $e^{-1}$ and we are guaranteed that this choice will work with high probability.

Joe Bebel
  • $d=e^{-1}\bmod\phi(N)$ is typically not the only working $d$ modulo $\phi(N)$. Counterexample: $N=55$, $\phi(N)=40$, $e=3$, $e^{-1}\bmod\phi(N)=27$. Notwithstanding, $d'=7$ is a perfectly fine private exponent, such that $(a^e)^{d'}\equiv a\pmod N$ for all $a$, even though $e\cdot d'\not\equiv1\pmod{\phi(N)}$. Things are not quite that simple! – fgrieu Dec 14 '15 at 09:54
  • The Chinese remainder theorem guarantees that such alternative $d$ exist that can serve as private key exponent, even though they are not multiplicative inverses mod $\phi$. That does not conflict with anything I have said... you can always choose $d$ to be the multiplicative inverse and Euler's theorem gives us that whp we can recover the message. What does not work there? – Joe Bebel Dec 14 '15 at 10:07
  • I think there is some confusion, because I added proof that the multiplicative inverse of e is unique. I added that for completeness only. The original question is completely answered in my first paragraph. – Joe Bebel Dec 14 '15 at 10:20
  • The question asks to show that $\gcd(e,\varphi(N))=1$ is required so that we can always decrypt. The answer does not do that. It proves that $\gcd(e,\varphi(N))=1$ is required so that we can use $d\equiv e^{-1}\pmod{\phi(N)}$, which allows one to always decrypt. The answer's reasoning does not rule out that other $d$ allow one to always decrypt; which turns out to be the case, and these other values of $d$ are used in RSA practice. – fgrieu Dec 14 '15 at 11:06
  • The question could have been written more clearly, but it does state: does there exist a proof that $\gcd(e,\phi)=1$ implies that $(a^e)^d \equiv a \pmod{n}$, where "decrypt cipher text" I interpret as $(a^e)^d$ with $d=e^{-1}$ and "a unique answer" as $(a^e)^d \equiv (b^e)^d \pmod{n}$ implies $a \equiv b \pmod{n}$. Sorry, I do not see anywhere in the question that asks why $\gcd(e,\phi)=1$ is required, or where it is asking why $d$ is/is not unique. Those seem unrelated to the original question. – Joe Bebel Dec 14 '15 at 11:20
  • @fgrieu "The question asks to show that $\gcd(e,\varphi(N))=1$ is required so that we can always decrypt." No, it asks to show that it is sufficient. – fkraiem Jan 13 '16 at 12:20
  • You're getting grief because your first sentence is not correct: "the private key exponent $d$ is the (unique) multiplicative inverse modulo $\phi(n)$". Actually, a necessary and sufficient condition on $d$ is that $ed \equiv 1 \pmod{\operatorname{lcm}(p-1,q-1)}$ (assuming $p, q$ are the prime factors of $n$). Because there exist valid $d$ values with $ed \not\equiv 1 \pmod{(p-1)(q-1)}$ (and there always will, assuming $p, q > 2$), your reasoning doesn't follow (even though the statement you're proving is true). – poncho Jan 13 '16 at 16:30
  • @fkraiem: you are right, the question as it stands now (and at the time I made my comment) asks for a proof of: $$\gcd(e,\varphi(N))=1\implies\forall(x,y)\in\mathbb N^2,\;\big(x^e\equiv y^e\pmod N\implies\;x\equiv y\pmod N\big)$$ On the other hand, that was not originally clear, and I then got positive confirmation from the author that the question asks for a proof of: $$\gcd(e,\varphi(N))\ne1\implies\exists(x,y)\in\mathbb N^2,\;\;x\not\equiv y\pmod N,\;\;x^e\equiv y^e\pmod N$$ Both are true, the first is well known, the second is less common. – fgrieu Jan 14 '16 at 07:21
  • @fgrieu: If that's what he's asking, then a related answer (which, with a bit of work, does answer the question) is http://crypto.stackexchange.com/questions/31980/computing-the-cardinality-of-the-co-domain-of-specific-modular-exponentiations/31984#31984 – poncho Feb 12 '16 at 14:35
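As an added worked example (my own code, not part of the thread above), the following Python checks the claims discussed on fgrieu's toy modulus $N=55$ by brute force: with $e=3$ (coprime to $\varphi(N)=40$) the map $x\mapsto x^e$ is a bijection, and the working private exponents are exactly $d=27=e^{-1}\bmod\varphi(N)$ and $d'=7$, i.e. the $d$ with $ed\equiv1\pmod{\operatorname{lcm}(p-1,q-1)}$ as poncho states; with $e=2$ it exhibits a pair $x\not\equiv y$ with $x^e\equiv y^e$. All function names are my own.

```python
from math import gcd

# Toy parameters taken from fgrieu's comment: N = 5 * 11 = 55, phi(N) = 40.
P, Q = 5, 11
N = P * Q
PHI = (P - 1) * (Q - 1)
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1) = 20


def is_injective(e, n):
    """True iff x -> x^e mod n is a bijection on Z_n, i.e. every ciphertext
    has exactly one plaintext (decryption is unique)."""
    return len({pow(x, e, n) for x in range(n)}) == n


def find_collision(e, n):
    """Return (x, y) with x != y but x^e == y^e (mod n), or None if no such
    pair exists. Such a pair exists exactly when gcd(e, phi(n)) != 1."""
    seen = {}
    for x in range(n):
        c = pow(x, e, n)
        if c in seen:
            return seen[c], x
        seen[c] = x
    return None


def working_private_exponents(e, p, q):
    """Brute force: all d in [1, phi) with (a^e)^d == a (mod n) for every a in Z_n."""
    n, phi = p * q, (p - 1) * (q - 1)
    return [d for d in range(1, phi)
            if all(pow(pow(a, e, n), d, n) == a for a in range(n))]


def predicted_private_exponents(e, p, q):
    """poncho's criterion: d works iff e*d == 1 (mod lcm(p-1, q-1))."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return [d for d in range(1, (p - 1) * (q - 1)) if (e * d) % lam == 1]


if __name__ == "__main__":
    e = 3                                        # gcd(3, 40) = 1
    print("e=3 injective:", is_injective(e, N))  # True
    print("e^-1 mod phi:", pow(e, -1, PHI))      # 27 (needs Python >= 3.8)
    print("working d:", working_private_exponents(e, P, Q))  # [7, 27]
    print("e=2 injective:", is_injective(2, N), "collision:", find_collision(2, N))
```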