
I know that if $(n,e)$ is the public key in RSA and we also know the private key $d$, then there is a probabilistic algorithm to factor $n$. I'm reading the proof from Fact 1 on here.

I understand the proof until it says

"A straightforward argument shows that if $g$ is chosen at random from $\mathbb{Z}^*_N$ then with probability at least $1/2$ (over the choice of g) one of the elements in the sequence $g^{k/2}, g^{k/4}, \cdots ,g^{k/2^t} \mod N$ is a square root of unity that reveals the factorization of N."

Why is that last paragraph true?

Eparoh

1 Answer


Ok, let’s see if we can go through one line of reasoning, and see if that makes sense.

If we have the sequence:

$$g^{k/2^t} \bmod N, g^{k/2^{t-1}} \bmod N, \ldots, g^{k/2} \bmod N, g^k \bmod N$$

We know that the last entry evaluates to 1, and we are looking at the probability (for random $g$) that the entry immediately before the first 1 is a nontrivial square root of 1.

Now, we can consider the sequences modulo $p$ and $q$, namely

$$g^{k/2^t} \bmod p, g^{k/2^{t-1}} \bmod p, \ldots, g^{k/2} \bmod p, g^k \bmod p$$

$$g^{k/2^t} \bmod q, g^{k/2^{t-1}} \bmod q, \ldots, g^{k/2} \bmod q, g^k \bmod q$$

Now, we might not be able to compute these values before we know the factorization, but that's OK, we're just considering them.

Both sequences end in 1, and consist of a (possibly empty) sequence of non-1 values, followed by all 1 values. In addition, $g^{k/2^i} \bmod N$ is a nontrivial square root of 1 if $g^{k/2^i} \bmod p$ is 1 and $g^{k/2^i} \bmod q$ is the last non-1 value (or vice versa). In other words, we'll have a nontrivial square root if the two sequences turn into a 1 value at different positions in their sequences.

So, the question is: what is the probability bound on that?

Now, if $g$ is a random (equiprobable) value in $\mathbb{Z}_N^*$, then $g \bmod p$ and $g \bmod q$ are equiprobable and independently distributed values in $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$; hence both sequences are selected from random starting values.

And, half of the values of $g$ are quadratic residues modulo $p$ and half are quadratic nonresidues modulo $p$. For a quadratic nonresidue, the mod-$p$ sequence will become 1 at step $t_p$ (where $p-1 = 2^{t_p} z_p$ for odd $z_p$); for a quadratic residue, it will become 1 at an earlier step. Hence, the maximum probability for any particular step will be 0.5.

The same logic holds for $q$.

Now, $g \bmod p$ and $g \bmod q$ are independent variables, and so the maximum coincidental probability will occur if both chains have two stages with probability 0.5 each; in that case, the probability that they are different will be $1 - (0.5 \cdot 0.5 + 0.5 \cdot 0.5) = 0.5$.

This argument could be tightened up a bit; however it should be enough to give you some insight...

swineone
poncho
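The procedure from the question and the counting argument from the answer, as an added Python example that is not part of the original thread. It walks the sequence $g^{k/2^t}, \ldots, g^{k/2}, g^k \bmod n$ for a random $g$, and, for a toy modulus, counts exactly how many $g \in \mathbb{Z}_n^*$ expose a nontrivial square root of 1 (i.e. how often the mod-$p$ and mod-$q$ sequences hit 1 at different positions). The toy key $n = 61 \cdot 53$, $e = 17$, $d = 2753$ is a constructed example, not from the page.

```python
import math
import random

def split_power_of_two(k):
    """Write k = 2**t * r with r odd; returns (t, r)."""
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    return t, k

def nontrivial_sqrt_of_unity(g, n, t, r):
    """Walk g^r, g^(2r), ..., g^(2^t r) = g^k (mod n). Return the entry just
    before the first 1 if it is a nontrivial root (not 1, not n-1), else None."""
    x = pow(g, r, n)
    if x in (1, n - 1):
        return None          # sequence reaches 1 only through a trivial root
    for _ in range(t):
        y = x * x % n
        if y == 1:
            return x         # x^2 = 1 with x not in {1, n-1}
        if y == n - 1:
            return None      # next square is 1 via the trivial root -1
        x = y
    return None              # unreachable when e*d = 1 mod lambda(n)

def factor_from_private_exponent(n, e, d, rng=random.Random(2024)):
    """Recover a prime factor of n from the RSA exponents (e, d)."""
    t, r = split_power_of_two(e * d - 1)   # k = e*d - 1, g^k = 1 for all g
    while True:
        g = rng.randrange(2, n - 1)
        c = math.gcd(g, n)
        if c != 1:
            return c                         # g itself shares a factor with n
        x = nontrivial_sqrt_of_unity(g, n, t, r)
        if x is not None:
            return math.gcd(x - 1, n)        # (x-1)(x+1) = 0 mod n splits n

def success_count(n, e, d):
    """Exhaustive count over Z_n^* (toy moduli only): (hits, |Z_n^*|)."""
    t, r = split_power_of_two(e * d - 1)
    hits = total = 0
    for g in range(1, n):
        if math.gcd(g, n) == 1:
            total += 1
            hits += nontrivial_sqrt_of_unity(g, n, t, r) is not None
    return hits, total
```

For the constructed key, $p-1 = 4 \cdot 15$ and $q-1 = 4 \cdot 13$, so both chains have two stages and the count comes out at $5/8$ of $\mathbb{Z}_n^*$, above the $1/2$ bound the answer derives.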