The last question of our number theory final review is as follows:
The same plaintext $P$ is encrypted in RSA using two coprime encryption keys $e_1$, $e_2$. Show how this message can be decrypted quickly if both ciphertexts $C_1$, $C_2$ are intercepted.
Hint: Bézout's identity.
I know the RSA cryptosystem has it that
$$\begin{align}
C_1&\equiv P^{e_1}\pmod{n_1}\text{ and}\\
C_2&\equiv P^{e_2}\pmod{n_2},
\end{align}$$
where $n_1=p_1q_1$, $n_2=p_2q_2$, $(e_1,\varphi(n_1))=1$, and $(e_2,\varphi(n_2))=1$, for some large primes $p_1$, $q_1$, $p_2$, and $q_2$.
Since one does not have access to the secret keys $d_1$ and $d_2$, I assume Bézout's identity must play a big role here. However, the only place I can think of using it is with the encryption keys
$$\begin{align}
1&=e_1s_1+n_1t_1,\\
1&=e_2s_2+n_2t_2,\text{ and}\\
1&=e_1s_3+e_2t_3,
\end{align}$$
for some integers $s_1$, $t_1$, $s_2$, $t_2$, $s_3$, and $t_3$.
Nevertheless, this is not very useful. What am I missing?
Best Answer
I suspect that the messages $C_1$ and $C_2$ were encrypted with the same modulus $n=pq$, even though different exponents $e_1$ and $e_2$ were used. Then we have $$C_1 \equiv P^{e_1} \pmod{n}$$ $$C_2 \equiv P^{e_2} \pmod{n}.$$ Further, we can find integers $s$ and $t$ such that $se_1+te_2 =1$.
Can you figure out how to obtain $P^{se_1+te_2} \pmod{n}$? Can you see why this idea works if the same modulus $n$ is used for both encryptions, but does not work if we have two different moduli $n_1$ and $n_2$?