# Nick Szabo - Contracts With Bearer (Highlights)  ## Metadata **Review**:: [readwise.io](https://readwise.io/bookreview/56490204) **Source**:: #from/readwise #from/reader **Zettel**:: #zettel/fleeting **Status**:: #x **Authors**:: [[Nick Szabo]] **Full Title**:: Contracts With Bearer **Category**:: #articles #readwise/articles **Category Icon**:: 📰 **URL**:: [nakamotoinstitute.org](https://nakamotoinstitute.org/library/contracts-with-bearer/) **Host**:: [[nakamotoinstitute.org]] **Highlighted**:: [[2025-11-26]] **Created**:: [[2025-11-29]] ## Highlights - We can check that the blind signature property holds: `gSf(m) = (m(ke))d * k-1 = md * k * k-1 = md`, which is the valid RSA signature of private key d on m. ([View Highlight](https://read.readwise.io/read/01kb06ebb9avcg3ygqxp3vbxsa)) ^961114591 Because of how the RSA exponents are chosen and how arithmetic modulo $n$ works. In RSA, you pick $n = pq$ (where $p$ and $q$ are distinct primes) and choose integers $e$ and $d$ such that $ed \equiv 1 \pmod{\varphi(n)}, \quad \text{where } \varphi(n) = (p-1)(q-1).$ This means there exists an integer $t$ such that $ed = 1 + t\varphi(n).$ For any message $k$ that is coprime to $n$, $k^{ed} = k^{\,1 + t\varphi(n)} = k \cdot \left(k^{\varphi(n)}\right)^t.$ By [[Euler's theorem]], since $\gcd(k, n) = 1$, we have $k^{\varphi(n)} \equiv 1 \pmod{n},$ so $k^{ed} \equiv k \cdot 1^t \equiv k \pmod{n}.$ Thus, modulo $n$, raising a message to the power $e$ (encryption) and then to the power $d$ (decryption) recovers the original message $k$.