Hello, If you have on the receiving site n, p, q, dmp1, dmq1, and iqmp components then you may decrypt message M from ciphertext C with CRT:
Cp = C mod p Cq = C mod q Mp = Cp^dmp1 mod p Mq = Cq^dmq1 mod q h = (Mp?Mq) * iqmp mod p M = Mq + qh where: dmp1= d mod (p?1) dmq1= d mod (q?1) iqmp = q^?1 mod p you have recomputed. You do not need d on the receiving site if you have this parameters. Best regards, -- Marek Marcola <marek.marc...@malkom.pl> owner-openssl-us...@openssl.org wrote on 02/24/2011 05:48:19 AM: > Victor Duchovni <victor.ducho...@morganstanley.com> > Sent by: owner-openssl-us...@openssl.org > > 02/24/2011 05:50 AM > > Please respond to > openssl-users@openssl.org > > To > > openssl-users@openssl.org > > cc > > Subject > > Re: RSA_private_decrypt without e and d > > On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote: > > > Just to be clear, below is not the actual code, but what I would *like* > > to be able to do (or something close). > > What you are asking to do is not possible, not because of API limitations, > but as a matter of principle (mathematical property of RSA). > > > I have a situation where I have a message that has been encrypted via > > RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1, > > dmq1, and iqmp components (I know it might sound odd that I don't have > > the e and d components but that is the case). > > The RSA algorithm computes a ciphertext M' from a plaintext M via > > M' = (M)^e mod n (i.e. mod pq). > > decryption is possible when p, q (and implicitly e) are known because > > M = (M')^d mod n > > provided: > > - M < n (e.g. the message is shorter than the key bit length), > thus computing the result mod n loses no information. > > - d*e = 1 mod phi(n) = (p-1)(q-1) > > http://en.wikipedia.org/wiki/Euler%27s_totient_function > > when e, p and q are known, d can be computed via Euclid's algorithm for > finding the multiplicative inverse of a mod b, when a is co-prime to b. > > When e is unknown, any M'' obtained from M via some exponent e' is > as a good a plaintext as M since, if e'*d' = 1 mod phi(n), we have: > > M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e) > > therefore if the public exponent were (d'*e) instead of e, the same > message M' decrypts to M' instead of M. There is no well-defined inverse > to RSA without "e", since e is fundamental parameter of the operation > you want to invert. > > -- > Viktor. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
