Table of costs of operations in elliptic curves

Template:Multiple issues

Intuitive Proof

The algorithm is based on a Fermat's little theorem

${\displaystyle a^{(p-1)}\equiv 1{\pmod {p}}}$

p prime, a & p coprime.

So, if we choose d such that

${\displaystyle ed\equiv 1{\pmod {p-1}}}$

i.e.

${\displaystyle ed-1=k(p-1)}$

Then for a message m

${\displaystyle m^{e^{d}}\equiv m^{ed}\equiv m^{(ed-1)}\cdot m^{1}\equiv m^{k(p-1)}m\equiv 1^{k}m\equiv m{\pmod {p}}}$

So a message that is encrypted by raising m to e can be decrypted by raising the result to d.

In order to provide security, RSA actually calculates

${\displaystyle n=pq}$

(p, q prime) and then d such that

${\displaystyle ed\equiv 1{\pmod {(p-1)(q-1)}}}$

so

${\displaystyle ed-1=k(p-1)(q-1)}$

We can then continue to calculate

${\displaystyle m^{e^{d}}\equiv m^{ed}\equiv m^{(ed-1)}m\equiv m^{k(p-1)(q-1)}m\equiv 1^{k(q-1)}m\equiv m{\pmod {p}}}$

And likewise for q

${\displaystyle m^{e^{d}}\equiv m^{ed}\equiv m^{(ed-1)}m\equiv m^{k(p-1)(q-1)}m\equiv 1^{k(p-1)}m\equiv m{\pmod {q}}}$

Now if ${\displaystyle a\equiv b{\pmod {p}}}$ and ${\displaystyle a\equiv b{\pmod {q}}}$ then ${\displaystyle a\equiv b{\pmod {pq}}}$, p, q coprime.

so

${\displaystyle m^{e^{d}}\equiv m{\pmod {pq}}}$

An attacker would need to factor n into p and q in order to determine d, and this is a hard problem.

Note that while an attacker could easily calculate f as

${\displaystyle ef\equiv 1{\pmod {n-1}}}$

that

${\displaystyle m^{e^{f}}\equiv m^{k(n-1)}m\neq m{\pmod {n}}}$

because n is not prime.