18

I'm trying to understand the working of RSA algorithm. I am getting confused in the decryption part. I'm assuming

$$n = pq$$ $$m = \phi(n) = (p - 1)(q - 1)$$

E is the encryption key $\gcd(\phi(n), E) = 1$

D is the decryption key, and $DE = 1 \mod \phi(n)$

$x$ is the plain text

Encryption works as ($y = x^E \mod n$) and decryption works as ($x = y^D \mod n$)

The explanation for why the decryption works is that since $DE = 1 + k\phi(n)$,

$$y^D = x^{ED} = x^{1 + k \phi(n)} = x(x^{\phi(n)})^k = x \mod n$$

The reason why last expression works is $x^{\phi(n)} = 1 \mod n$ ? According to Eulers theorem this is true only if $x \text{ and }\phi(n)$ are coprimes. But $x$ is only restricted to be $0 < x < n$ and $\phi(n) < n$. So $x$ should be chosen to be coprime with $\phi(n)$?

Help me clear out the confusion!

Community
  • 1
sauravrt
  • 733
  • 5
    It is frustrating that many references (not just the OP's question) claim that RSA uses Euler's theorem and the possibility that x and n have a common factor is treated as a separate case. As user996522 shows in an answer below (not the accepted answer, unfortunately), it is irrelevant that x could have a factor in common with n, and in fact RSA goes through with n being any squarefree number with no exceptions on x whatsoever. That RSA works depends on Fermat's little theorem, not Euler's theorem. Look at the original RSA paper: they use Fermat's little theorem, not Euler's theorem. – KCd Dec 27 '11 at 16:50
  • @KCd I went through the original paper on RSA and indeed the explanation for decryption is based on Fermats Little theorem ( special case of Euler's theorem ) and the Chinese remainder theorem. – sauravrt Dec 27 '11 at 21:11
  • Can you tell me how you arrived at the answer: \begin{align} &\equiv x^1 \cdot x^{\phi(q) \phi(p) z} \ &\equiv x \pmod q \end{align} – RVM Dec 29 '11 at 00:54
  • The above relation works out because $\phi(q) = q - 1$ and from Fermat's Little Theorem, $x^{q-1} \equiv 1 (\text{mod q}) $ – sauravrt Dec 29 '11 at 02:40
  • The original source - in beautifully accessible language. – Antoni Parellada Jun 14 '19 at 14:20
  • @KCd I might be misreading, but from reading the original paper it seems like in the section "The Underlying Mathematics" they only prove RSA works for a message $M$, where $M$ is relatively prime to $n$ – Foobar Jan 15 '22 at 23:48
  • @Roymunson not so. Just because they say $(M,n) = 1$ implies equation (3) at the start of that section, that doesn't mean they actually use it anywhere, and in fact they don't. They only cite equation (3) at the top of page 8 for the prime modulus $p$, so it's a bad way to refer to Fermat's little theorem. They want to show $M^{k\varphi(n)+1} \equiv M \bmod n$, and since $n = pq$ it suffices to check that mod $p$ and mod $q$. They show it mod $p$ if $(M,p) = 1$ by Fermat's little theorem and "trivially" if $p \mid M$, thus "for all $M$". They stress "for all $M$" multiple times at the end. – KCd Jan 16 '22 at 02:53
  • @Roymunson The last sentence of the section says "We thank Rich Schroeppel for suggesting the above improved version of the authors’ previous proof." I always suspected that the original argument in this section used Euler's theorem, making it valid only for messages $M$ where $(M,n) = 1$, and perhaps the improvement from Schroeppel was showing R, S, and A how they could get their result for all $M$ by focusing on calculations mod $p$ and mod $q$ instead of mod $n$ by using Fermat's little theorem. The way they display (3) but never use it might be a remnant of an earlier weaker result. – KCd Jan 16 '22 at 02:57
  • The proof is complete (and uses both Fermat's and Euler's theorems) on Wikipedia: RSA – FraSchelle Nov 01 '23 at 09:02

3 Answers3

6

Even if the plaintext $x$ is not pairwise coprime with $p$ or $q$, RSA still works as advertised. Here is why:

$p$ and $q$ are prime, so $x$ is a multiple of either $p$ or $q$, given the restriction that $x < pq$.

Assume that $x \equiv 0 \pmod p$. If it is congruent to $0$ mod $q$ the below still applies, just switch the name assigned to the two primes.

$x^k \equiv 0 \pmod p$ for all $k > 0$, i.e $x^k \equiv x \pmod p$.

$$ \begin{align*} x^{1+ z \phi(n)} & \equiv x^{1+ z \phi(p) \phi(q) } \\ &\equiv x^1 \cdot x^{\phi(q) \phi(p) z} \\ &\equiv x \pmod q \end{align*} $$

Combining both equations with the Chinese Remainder Theorem yields $x$, the plaintext.

bzc
  • 8,778
user996522
  • 570
  • I suppose that it is assumed that $x$ and $q$ are coprime for $x^{\phi(q)} = 1$ to be used in the last equality. – beroal Jun 20 '20 at 08:48
5

First, the statement should read $x^{\phi(n)}\equiv1\pmod{n}$, not modulo $\phi(n)$. You are right that this assumes that $x$ and $n$ are coprime. Given that $p,q$ are very large primes, the fraction of possible $x$ that is not coprime with $n$ is exceedingly small: $\frac1p+\frac1q-\frac1n$. In fact the security of the method is based on the smallness of this number: if there were any reasonable chance of finding a number $m$ not coprime with $n$ by picking a random number between $0$ and $n$, then one could compute $\gcd(m,n)\in\{p,q\}$ using it, and factor $n$. But formally, the test of coprimality of the plain text $x$ with $n$ should be done by the encoder, just like the test you already assumed that $x\neq0$. In the very unlikely event that coprimality fails, one must add some noise to the plain text.

Marc van Leeuwen
  • 119,547
  • Thank. That clears the doubt that I had. And yes you are right about the modulo being mod n, I'll edit the question. – sauravrt Dec 02 '11 at 13:20
4

Aside from it being unlikely that $\gcd(x,n) \neq 1$, note that the only possibilities are $\gcd(x,n) \in \{1,p,q,n\}$. Therefore, if $x$ and $n$ are not coprime, the one can decipher the text anyways (since one then knows either $p$ or $q$ and can easily find the other factor, and hence $n$).

In other words, if $x \in \mathbb{Z}/ n \mathbb{Z}$ is not a unit, we know that $$ x^{ED} \equiv x \pmod{n} \Longleftrightarrow \left\{\begin{array}{ccc} x^{ED} \equiv x \pmod{p} \\ x^{ED} \equiv x \pmod{q} \end{array} \right\}. $$

Hope this helps.

JavaMan
  • 13,375