Next: RSA Challenge Up: Lecture 10: Attacking RSA Previous: When  and  Are Close

Factoring $ n$ Given $ d$

Suppose that we crack an RSA cryptosystem by finding a $ d$ such that

$\displaystyle a^{ed} \equiv a\pmod{n}
$

for all $ a$. Then we've found an $ m$ ($ =ed-1$) such that $ a^m\equiv 1\pmod{n}$ for all $ a$ with $ \gcd(a,n)=1$. Knowing $ m$ does not lead to a factorization of $ n$ in as direct a manner as knowing $ \varphi (n)$ does (see Section 1): $ m$ need not equal $ \varphi (n)$, it is merely some multiple of the order of every unit mod $ n$. However, there is a probabilistic procedure that, given an $ m$ such that $ a^m\equiv 1\pmod{n}$ for all $ a$ coprime to $ n$, will with high probability find a factorization of $ n$.



Probabilistic procedure to factor $ n$:

  1. $ m$ is even since $ (-1)^m\equiv 1\pmod{n}$.
  2. If $ a^{m/2}\equiv 1\pmod{n}$ for all $ a$ coprime to $ n$, replace $ m$ by $ m/2$. In practice, it is not possible to determine whether or not this condition holds, because it would require doing a computation for too many $ a$. Instead, we try a few random $ a$; if $ a^{m/2}\equiv 1\pmod{n}$ for the $ a$ we check, then we divide $ m$ by $ 2$. (If there exists even a single $ a$ such that $ a^{m/2}\not\equiv 1\pmod{n}$, then at least half the $ a$ have this property, because the $ a$ with $ a^{m/2}\equiv 1\pmod{n}$ form a proper subgroup of $ (\mathbb{Z}/n\mathbb{Z})^*$. So checking $ k$ random $ a$ wrongly halves $ m$ with probability at most $ 2^{-k}$.)

    Keep repeating this step until we find an $ a$ such that $ a^{m/2}\not\equiv 1\pmod{n}$.

  3. Since $ (a^{m/2})^2 = a^m\equiv 1\pmod{n}$, the number $ a^{m/2}$ is a square root of $ 1$ modulo $ n$, so it is $ \pm 1$ modulo $ p$ and $ \pm 1$ modulo $ q$. There is a 50% chance that a randomly chosen $ a$ will have the property that

    $\displaystyle a^{m/2}\equiv +1\pmod{p},\qquad a^{m/2}\equiv -1\pmod{q}$

    or

    $\displaystyle a^{m/2}\equiv -1\pmod{p},\qquad a^{m/2}\equiv +1\pmod{q}.$

    (The other two sign patterns give $ a^{m/2}\equiv \pm 1\pmod{n}$, which tells us nothing.) If the first case occurs, then

    $\displaystyle p\mid a^{m/2}-1,$    but $\displaystyle q\nmid a^{m/2}-1,$

    so

    $\displaystyle \gcd(a^{m/2}-1,pq) = p,
$

    and we have factored $ n$. Just keep trying $ a$'s until one of the cases occurs. (Compute $ a^{m/2}$ by modular exponentiation and reduce it mod $ n$ before taking the gcd; the integer $ a^{m/2}$ itself is far too large to write down, as the session below shows.)

? \r rsa   \\ load the file rsa.gp, available on the Lecture 9 web page.
? rsa = make_rsa_key(10)
%34 = [32295194023343, 29468811804857, 11127763319273]
? n = rsa[1]; e = rsa[2]; d = rsa[3];
? m = e*d-1
%38 = 327921963064646896263108960
? for(a=2,20, if(Mod(a,n)^m!=1,print(a)))   \\ prints nothing...
? m = m/2
%39 = 163960981532323448131554480
? for(a=2,20, if(Mod(a,n)^m!=1,print(a)))
? m = m/2
%40 = 81980490766161724065777240
? for(a=2,20, if(Mod(a,n)^m!=1,print(a)))
? m = m/2
%41 = 40990245383080862032888620
? for(a=2,20, if(Mod(a,n)^m!=1,print(a)))
? m = m/2
%42 = 20495122691540431016444310
? for(a=2,20,if(Mod(a,n)^m!=1,print(a)))
2
5
6
... etc.
? gcd(2^m,n)   \\ 2^m as an integer is hopeless: m has 26 digits
  ***   power overflow in pow_monome.
? x = lift(Mod(2,n)^m)-1   \\ instead reduce 2^m mod n, then subtract 1
%43 = 4015382800098
? gcd(x,n)
%46 = 737531
? p = gcd(x,n)
%53 = 737531
? q = n/p
? p*q
%54 = 32295194023343
? n
%55 = 32295194023343
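The same procedure in Python, as an added example that is not part of the lecture notes or of the rsa.gp file, run on the key from the gp session above. It follows the three steps literally, but with random bases as the procedure prescribes rather than the fixed 2..20 used interactively, and adds the checks a practitioner would want: that d really inverts e, that the value found in step 3 is a genuine square root of 1 (which catches the rare wrong halving in step 2), and that the useless $-1$ case is retried. The function names, the sample count of 40 per level and the fixed PRNG seed are my choices.

```python
import math
import random

# Key from the gp session above (make_rsa_key(10)): n = p*q, public e, private d.
N = 32295194023343
E = 29468811804857
D = 11127763319273


def check_private_exponent(n, e, d, bases=(2, 3, 5, 7, 11)):
    """True if a^(e*d) == a (mod n) for every base given: the property that
    made us accept d as a break of the key in the first place."""
    return all(pow(a, e * d, n) == a for a in bases)


def factor_given_d(n, e, d, samples=40, seed=0):
    """Recover (p, q) from n and a working private exponent d.

    Follows the probabilistic procedure from the lecture:
      1. m = e*d - 1 satisfies a^m == 1 (mod n) for every unit a, so m is even.
      2. While a^(m/2) == 1 for every sampled a, replace m by m/2.
      3. Once some a gives x = a^(m/2) != 1, x is a square root of 1 mod n.
         If x != -1, it is +1 mod one prime and -1 mod the other, and
         gcd(x - 1, n) is a proper factor.
    Bases come from a seeded PRNG only so runs are reproducible; the
    procedure needs random bases, not unpredictable ones.
    """
    rng = random.Random(seed)
    m = e * d - 1
    # Sanity check (my addition): m must really kill every unit, or the
    # square-root argument in step 3 collapses.
    if any(pow(a, m, n) != 1 for a in (2, 3, 5, 7) if math.gcd(a, n) == 1):
        raise ValueError("e*d - 1 is not a multiple of every unit's order mod n")

    while True:
        if m % 2:
            # A universal exponent of (Z/pqZ)* is even (-1 has order 2), so an
            # odd m means an earlier halving was wrong; with 40 samples per
            # level that has probability about 2^-40 per level.
            raise RuntimeError("m became odd: an earlier halving was mistaken")
        keep_m = False  # set once this level is shown not to be halvable
        for _ in range(samples):
            a = rng.randrange(2, n - 1)
            g = math.gcd(a, n)
            if g != 1:
                return tuple(sorted((g, n // g)))  # stumbled on a factor
            x = pow(a, m // 2, n)
            if x == 1:
                continue  # consistent with halving m; keep sampling
            if pow(x, 2, n) != 1:
                # a^m != 1, so m is no longer universal: the previous halving
                # was wrong. Undo it and resample at the larger exponent.
                m *= 2
                keep_m = True
                break
            if x == n - 1:
                keep_m = True  # (-1, -1) case: m/2 is not universal, try another a
                continue
            p = math.gcd(x - 1, n)  # (+1, -1) or (-1, +1): proper factor
            return tuple(sorted((p, n // p)))
        if not keep_m:
            m //= 2  # every sample had a^(m/2) == 1: step 2 says halve


if __name__ == "__main__":
    assert check_private_exponent(N, E, D)
    p, q = factor_given_d(N, E, D)
    print(p, q, p * q == N)
```

For this key the loop halves m three times and then, at the fourth level, half of all bases already split n, which matches the session: m/16 is the first exponent at which base 2 fails, and gcd(2^(m/16) - 1, n) is 737531.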


William A Stein 2001-10-04