Cryptography Reference
In-Depth Information
Now, for
i
from 1 to
t
do:
• Let
x
i
x
i
1
2
(mod
n
) (0 <
x
i
<
n
)
• Let
p
i
be the
h
least significant bits of
x
i
.
• Compute
m
i
=
p
i
c
i
.
and the plaintext message
P
=
m
1
m
2
. . .
m
t
is regained.
Why does this scheme work? In particular, how does the recipient retrieve the random
value
x
0
chosen by the sender? Decryption hinges on this, for once the receiver computes
x
0
, she can compute each successive
x
i
, and consequently compute each
m
i
=
p
i
c
i
. First,
observe that since
x
t
is a square modulo
n
, that is,
x
t
x
t
1
2
(mod
n
), has a solution, then
x
t
x
t
1
2
(mod
p
) also has a solution (see the proof of proposition 31). Thus, we have
x
t
(
p
1)/2
6.
1 (mod
p
).
(This is called Euler's criterion; you were asked to prove this in order to prove proposition
30). Given this, note that
x
t
1
(
p
1)/4
(
x
t
2
)
(
p
1)/4
x
t
(
p
1)/2
=
x
t
(
p
1)/2+1
x
t
(
p
1)/2
x
t
x
t
(mod
p
)
In the same way,
x
t
(
p
1)/4
x
t
1
(mod
p
) and hence
(
x
t
1
(
p
1)/4
)
2
x
t
1
(mod
p
).
Continuing in this way, we obtain
u
x
t
1
d
(
x
t
1
(
p
1)/4
)
t
1
x
0
(mod
p
).
We obtain a similar result for
v
:
v
x
t
1
e
(
x
t
1
(
q
1)/4
)
t
1
x
0
(mod
q
).
Note that we have not yet obtained
x
0
; only 2 residues of
x
0
congruent to
u
and
v
mod-
ulo
p
and
q
, respectively. We need the lnr of
x
0
modulo
n
, for this is
x
0
itself. To achieve this,
we note that since
ap
+
bq
= 1
we have both of the following:
1 (mod
p
)
ap
1 (mod
q
).
Thus, using the above two congruences, we derive the two congruences
bq
vap
+
ubq
x
0
(mod
p
)
vap
+
ubq
x
0
(mod
q
)
and hence, by proposition 26, we know that
vap
+
ubq
x
0
(mod
n
)
and hence the random seed
x
0
is discovered, making decryption possible.
Search WWH ::
Custom Search