From: Mark Wooding Date: Thu, 25 Jul 2013 17:30:45 +0000 (+0100) Subject: rsa.c: Fix incorrect commentary. X-Git-Tag: debian/0.3.0_beta2~42 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=commitdiff_plain;h=104e8e74fd858a4efff3d8e186406adc431465fa rsa.c: Fix incorrect commentary. The Euler function phi(n) is defined to be phi(n) = #{ 1 < i < n | gcd(i, n) = 1 } the number of natural numbers less than n and prime to it; equivalently, it's the size of the multiplicative group (Z/nZ)^*. If n = p q is the product of two primes then phi(n) = (p - 1)(q - 1). But phi(n) is not (if n is composite) the exponent of (Z/nZ)^*. It's certainly true that a^{phi(n)} = 1 for all a in (Z/nZ)^*; but the exponent of a group G is the /smallest/ positive integer e such that a^e == 1 for all a in G. This quantity is denoted lambda(n); in our simple case where n = p q is the product of two primes it's true that lambda(n) = lcm(p - 1, q - 1) Since p and q are large primes, both p - 1 and q - 1 are even, so lambda(n) is at least a factor of 2 smaller than phi(n). In fact, lambda(2) = 1, lambda(2^f) = 2^{f-2} for f >= 1, and lambda(p^f) = p^{f-1} (p - 1) for prime p > 2; and, in general, if n = p_1^{f_1} ... p_m^{f_m} is the prime factorization of n then lambda(n) = lcm(lambda(p_1^{f_1}), ... lambda(p_m^{f_m})) Signed-off-by: Mark Wooding --- diff --git a/rsa.c b/rsa.c index 0bd106f..fed468d 100644 --- a/rsa.c +++ b/rsa.c @@ -430,8 +430,9 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, /* * Verify that d*e is congruent to 1 mod (p-1), and mod * (q-1). This is equivalent to it being congruent to 1 mod - * lcm(p-1,q-1), i.e. congruent to 1 mod phi(n). Note that - * phi(n) is _not_ simply (p-1)*(q-1). + * lambda(n) = lcm(p-1,q-1). The usual `textbook' condition, + * that d e == 1 (mod (p-1)(q-1)) is sufficient, but not + * actually necessary. */ mpz_mul(&tmp, &d, &e); mpz_sub_ui(&tmp2, &st->p, 1);