
Correctness

\(P(S(M)) = (M^d \bmod n)^e \bmod n = M^{ed} \bmod n\)
\(S(P(M)) = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n\)
Since \(d = e^{-1} \bmod [(p-1)(q-1)]\),
\(ed = 1 + k(p-1)(q-1)\) for some integer k.



If \(M \equiv 0 \pmod{p}\), then \(M^{ed} \equiv 0 \equiv M \pmod{p}\).
If \(M \not\equiv 0 \pmod{p}\), then
\(M^{ed} = M \cdot M^{k(p-1)(q-1)} \equiv M (M^{p-1})^{k(q-1)} \pmod{p}\)
\(\equiv M (1)^{k(q-1)} \pmod{p}\)   by Fermat's Theorem
\(\equiv M \pmod{p}\).

Similarly for q. Thus
\(M^{ed} \equiv M \pmod{p}\)
\(M^{ed} \equiv M \pmod{q}\)
where p and q are distinct primes and n = pq.

Thus, by the Corollary to the Chinese Remainder Theorem, \(M^{ed} \equiv M \pmod{n}\).
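The argument above, carried out numerically on toy parameters, as an added example that is not part of the original notes. The primes p = 61, q = 53 and exponent e = 17 are constructed for illustration; the functions check the identity ed = 1 + k(p-1)(q-1), the per-prime step (both the M ≡ 0 and the Fermat case), and finally P(S(M)) = S(P(M)) = M for every M in [0, n).

```python
# Added example (not from the original notes): a worked check of the RSA
# correctness argument on constructed toy parameters p=61, q=53, e=17.
from math import gcd


def rsa_keypair(p: int, q: int, e: int):
    """Return (n, e, d) with d = e^{-1} mod (p-1)(q-1), as in the notes."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return p * q, e, d


def k_from_ed(e: int, d: int, p: int, q: int) -> int:
    """The integer k with ed = 1 + k(p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    assert (e * d - 1) % phi == 0
    return (e * d - 1) // phi


def check_mod_prime(M: int, e: int, d: int, p: int, q: int) -> bool:
    """Per-prime step of the proof: M^{ed} == M (mod p).
    Case 1: M == 0 (mod p), so both sides are 0.
    Case 2: M^{ed} = M * (M^{p-1})^{k(q-1)} and Fermat gives M^{p-1} == 1 (mod p)."""
    k = k_from_ed(e, d, p, q)
    if M % p == 0:
        return pow(M, e * d, p) == 0
    fermat = pow(M, p - 1, p) == 1
    rhs = (M * pow(pow(M, p - 1, p), k * (q - 1), p)) % p
    return fermat and pow(M, e * d, p) == rhs == M % p


def check_all_messages(p: int, q: int, e: int) -> bool:
    """P(S(M)) == M and S(P(M)) == M for every M in [0, n), including the
    multiples of p or q covered by the M == 0 (mod p) case of the proof."""
    n, e, d = rsa_keypair(p, q, e)
    for M in range(n):
        S = pow(M, d, n)  # S(M) = M^d mod n
        P = pow(M, e, n)  # P(M) = M^e mod n
        if pow(S, e, n) != M or pow(P, d, n) != M:
            return False
        # the same step with the roles of p and q swapped covers "similarly for q"
        if not (check_mod_prime(M, e, d, p, q) and check_mod_prime(M, e, d, q, p)):
            return False
    return True


if __name__ == "__main__":
    print(check_all_messages(61, 53, 17))  # True
```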



If the adversary can factor n into p and q, then d can be computed from e exactly as above and the scheme is broken; but factoring n is hard.

