How can one crack a message c_2 encoded by e_2 if one knows e_1, e_2, d_1, and both codes share common modulo n, without using factorization? Considering textbook RSA
Asked
Active
Viewed 846 times
1 Answers
2
In this answer on math stackoverflow I explain a (probabilistic) algorithm to factor $n$ when $e$ and $d$ are both known. This answer does the same (almost) and provides Python code to do it as well, while this answer gives some references (and even a more complicated deterministic algorithm). Knowing $p$ and $q$ then allows you to find $d_2$, etc.
Without this, of course you can compute $M = e_1 d_1-1$ which must be a multiple of $\phi(n)$. Inverting $e_2$ modulo $M$ will also work as a decryption exponent, most of the time. (This inverse might not exist if $M = k\phi(n)$ and $(e_2, k) \neq 1$, say.) If you'd know $\phi(n)$ exactly, you could find $p,q$ from:
$\phi(n) = (p-1)(q-1) = pq - p - q +1$ so $p+q = n-\phi(n) + 1$ and so we can solve the quadratic $n=pq = p(n-\phi(n)+1-p)$ where $p$ is unknown and $n$ and $\phi(n)$ are known.
So to factor $n$ for an RSA system $(n,e)$ we can use $e$ and $d$ or $\phi(n)$.
Henno Brandsma
- 3,862
- 17
- 20