Consider an RSA cryptosystem with modulus and encryption key . Suppose we somehow finding an integer such that
for all . Then satisfies for all that are coprime to . As we saw in Section 3.3.1, knowing leads directly to a factorization of . Unfortunately, knowing does not seem to lead easily to a factorization of . However, there is a probabilistic procedure that, given an such that , will find a factorization of with ``high probability'' (we will not analyze the probability here).
Before giving the proof we introduce some more terminology from algebra.
We now return to discussing Algorithm 3.3.5. In step 1, note that is even since , so it makes sense to consider . It is not practical to determine whether or not for all , because it would require doing a computation for too many . Instead, we try a few random ; if for the we check, we divide by . Also note that if there exists even a single such that , then half the have this property, since then is a surjective homomorphism and the kernel has index .
Proposition 2.5.3 implies that if then . In step 2, since , we also have and , so and . Since , there are three possibilities for these signs, so with probability , one of the following two possibilities occurs:
so and we have factored . Similarly, in the second case, and we again factor .
has decryption key . We use this information and Algorithm 3.3.5 to factor . If
then , so for all coprime to . For each we find that , so we replace by
Again, we find with this new that for each , , so we replace by . Yet again, for each , , so we replace by . This is enough, since . Then
and we have found a factor of . Dividing, we find that
sage: def crack_given_decrypt(n, m): ... n = Integer(n); m = Integer(m); # some type checking ... # Step 1: divide out powers of 2 ... while True: ... if is_odd(m): break ... divide_out = True ... for i in range(5): ... a = randrange(1,n) ... if gcd(a,n) == 1: ... if Mod(a,n)^(m//2) != 1: ... divide_out = False ... break ... if divide_out: ... m = m//2 ... else: ... break ... # Step 2: Compute GCD ... while True: ... a = randrange(1,n) ... g = gcd(lift(Mod(a, n)^(m//2)) - 1, n) ... if g != 1 and g != n: ... return g ...We show how to verify Example 3.3.8 using SAGE.
sage: n=32295194023343; e=29468811804857; d=11127763319273 sage: crack_given_decrypt(n, e*d - 1) 737531 sage: factor(n) 737531 * 43788253
We try a much larger example.
sage: e = 22601762315966221465875845336488389513 sage: d = 31940292321834506197902778067109010093 sage: n = 268494924039590992469444675130990465673 sage: p = crack_given_decrypt(n, e*d - 1) sage: p # random output (could be other prime divisor) 13432418150982799907 sage: n % p 0
William 2007-06-01