0

I'm studying the RSA algorithm and the theory says to select $d$ to be the multiplicative inverse of

$$ e \mod \phi(n) $$

If we take this approach I know that it is important that $e$ and $\phi(n)$ are coprime.

Why is this "better" as opposed to, say, the following equation, where $e$ is still selected to be coprime to $\phi(n)$:

$$ d = \frac{\phi(n) + 1}{e} $$

I would like to have a deep explanation. I do not have formal math training, so any links to help understand the answer are very much appreciated.

wythagoras

2 Answers

1

In the standardized RSA algorithm the private key $d$ is calculated by computing the modular multiplicative inverse with the Extended Euclidean GCD that satisfies:

$1\equiv e \cdot d\pmod{\varphi(p \cdot q)}$

Notice that modular multiplicative inverse can be expressed as:

$$d=\frac{\varphi(p\cdot q)\cdot k + 1}{e}$$

for some $k$ multiple of $\varphi(p\cdot q)$. We know that $e$ is 17 bits (65537) so $k$ will be small, thus computing $d$ with this method would be realizable. You have to know the factorization of the semiprime for computing $\varphi(p \cdot q)$.

Mathematically other ways for computing the private key exist, such as the Euler Criterion.

For calculating the modular multiplicative inverse we would have:

$d\equiv e^{\varphi(\varphi(p \cdot q))-1}\pmod{\varphi(p \cdot q)}$

As you can see we would need to have the factorization of $\varphi(p\cdot q)$, so we cannot deal with big semiprime moduli. Concretely we need the factors of $(p-1)$ and $(q-1)$ in order to compute $\varphi(p-1) \cdot \varphi(q-1)$.

SEJPM
kub0x
0

The number $1$ is known as the multiplicative identity.

In RSA, $d$ is the multiplicative inverse of $e$, therefore, $ed=1$. Mathematically $d$ would normally be a fraction, such as, $e=4$, then $d={1\over 4}$, thereby $4\cdot {1\over 4}=1$. RSA uses modular rings, so we compute $d$ as a modular multiplicative inverse of $e$, then $d\equiv e^{-1}\bmod \varphi(p\cdot q)$ (for textbook RSA), resulting in $1\equiv ed\bmod \varphi(p\cdot q)$.

Now if we round-robin a message, $C=M^e\bmod(p\cdot q)$, then $M'=C^d\bmod(p\cdot q)$, we get $M'=M$, the original message. If we do a little substitution, we have $M'=(M^e)^d=M^{ed}=M^1$, which we know is equivalent to $M'=M$ because any positive number to the power of $1$ equals itself, as in, $438^1=438$.

Given the equations $d\equiv e^{-1}\bmod \varphi(p\cdot q)$ and $d={{\varphi(p\cdot q) \cdot k+1}\over e}$, both require knowledge of $p$ and $q$; however, the second also requires finding a value for $k$ which produces an integer result. This is more challenging for larger $(p\cdot q)$ than performing the modular multiplicative inverse function.

Carl Knox
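The two routes to $d$ compared in the answers, side by side with the question's formula, as an added example that is not part of the original posts. The toy primes (61 and 53, 11 and 13), the exponents and the function names are assumptions chosen for illustration.

```python
from math import gcd

def egcd(a, b):
    """Iterative extended Euclid: returns (g, x, y) with a*x + b*y == g."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def d_by_inverse(e, phi):
    """d = e^-1 mod phi, found directly by the extended Euclidean algorithm."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime: no inverse exists")
    return x % phi

def d_by_k_search(e, phi):
    """d = (k*phi + 1) / e: try k = 1, 2, ... until the division is exact."""
    if gcd(e, phi) != 1:
        raise ValueError("e and phi(n) are not coprime: no k exists")
    for k in range(1, e):
        if (k * phi + 1) % e == 0:
            return (k * phi + 1) // e, k
    raise ValueError("no k found (only happens for e == 1)")

def d_question_formula(e, phi):
    """(phi + 1) / e from the question: the k = 1 case only.
    Returns None when the division leaves a remainder."""
    q, r = divmod(phi + 1, e)
    return q if r == 0 else None

if __name__ == "__main__":
    p, q, e = 61, 53, 17            # constructed toy parameters
    n, phi = p * q, (p - 1) * (q - 1)
    d = d_by_inverse(e, phi)
    print("extended Euclid :", d)
    print("k search (d, k) :", d_by_k_search(e, phi))
    print("(phi+1)/e       :", d_question_formula(e, phi))  # not an integer
    m = 65                          # constructed sample message
    print("round trip ok   :", pow(pow(m, e, n), d, n) == m)
    # With phi = 120 and e = 11, k = 1 happens to work, so the
    # question's formula agrees with the modular inverse.
    print("phi=120, e=11   :", d_question_formula(11, 120), d_by_inverse(11, 120))
```
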