We are given n (public modulus) where n=pq and e (encryption exponent). Then I was able to crack the private key d, using Wieners attack. So now, I have (n,e,d). My question is, is there a way to calculate p and q from this information? If so, any links and explanation would be much appreciated!
Asked
Active
Viewed 5,516 times
2 Answers
11
It's actually fairly easy to factor $n$ given $e$ and $d$. Here's the standard way to do this:
Compute $f = ed - 1$. What's interesting about $f$ is that $x^f \equiv 1\ (\bmod n)$ for (almost) any $x$.
Write $f$ as $2^s g$ for an odd value $g$.
Select a random value $a$, and compute $b = a^g \bmod n$.
If $b = 1 $ or $-1$, then go back and select another random value of $a$
Repeatedly (in practice, up to $s$ times):
compute $c = b^2 \bmod n$.
If $c = 1$ then the factors for $n$ are $gcd(n, b-1)$ and $gcd(n, b+1)$
If $c = -1$, then go back and select another random value of $a$
Otherwise, set $b = c$, and go through another iteration of the loop.
If you are familiar with the Miller-Rabin primality test, this will look familiar; the logic is the same (except that we use $ed-1$ rather than $n-1$ as the startign place for the exponent)
poncho
- 154,064
- 12
- 239
- 382
1
Generally, (n,e,d) is sufficient. Using these three it is possible to decrypt, encrypt, sign and verify any message or signature.
If you still need p and q: NIST SP 800-56B: Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, Appendix C Prime Factor Recovery (Normative) contains formula for retrieving p and q, when you know (n,e,d). This formula is useful for instance to convert the private key in (n,e,d) format to CRT format.
Even a tool exists for the job: RSA CRT/SFM Converter.
user4982
- 5,379
- 21
- 33