0

Simple question: given $c = b^e \bmod m$, we all know finding $e$ is equivalent to solving the discrete logarithm.
But what about finding $b$ from $c$, $e$ and the semi-prime $m$? Is it something harder than factoring $m$ too?

If yes, as this is different from the RSA problem, how to compute $b$ when $e$ is more than 128 bits long (so not small)? Does the possibility to set $c$ to arbitrary values while changing the prime $e$ make things easier to get at least 1 example where $b$ is found?

user2284570

1 Answer

2

This is equivalent to finding the RSA plaintext $b$ given the public key $(m,e)$. Usually called The RSA Problem. It is no harder than factoring $m$. There is however no evidence that it is easier than factoring.

Edit: As @DanielS points out I was a bit sloppy. For the mapping to be one-to-one, i.e., for the encryption to be reversible, we require $\textrm{gcd}(e,\lambda(m))=1$ and the term RSA problem denotes this case.

kodlu
  • Slight quibble: it's the RSA problem when $(e,\lambda(m))=1$. Although not quite well-defined in the case $(e,\lambda(m))>1$, it is equivalent to factoring in such cases (at least in a PPT-sense for small $(p-1,q-1)$, though other results may be out there). – Daniel S Mar 19 '24 at 12:40
  • @kodlu even if the exponent is longer than 128 bits? And if yes, how to do it efficiently exactly? – user2284570 Mar 19 '24 at 15:39
  • @DanielS I don’t have this in the case of the RSA problem but in the case of the adaptive root problem where the random exponent can be predicted… So does the fact that $e$, $c$ can be arbitrary values not change anything? The only requirement I have is for $e$ to be a large prime. What’s $λ(m)$? In my case, I’m almost sure $(e,λ(m))$ will be greater than 1. – user2284570 Mar 19 '24 at 15:44
  • @user2284570: $λ$ is the Carmichael function. If $m=p\,q$ with $p$ and $q$ distinct primes, then $λ(n)=\operatorname{lcm}(p-1,q-1)$, and $b=c^{(e^{-1}\bmod λ(n))}\bmod m$. In Python (3.8 or better): `b=pow(c,pow(e,-1,math.lcm(p-1,q-1)),m)`. Or `b=pow(c,pow(e,-1,m-p-q+1),m)`. Update: that's for $\gcd(e,\lambda(m))=1$. For $\gcd(e,\lambda(m))>1$ there might be several, or no solution. – fgrieu Mar 19 '24 at 16:16
  • @fgrieu-modelectiontime so this requires to factorize $m$? – user2284570 Mar 19 '24 at 16:39
  • @user2284570: As far as we know, yes the most efficient general method is to factor $m$, for arbitrary $c$, $m$, and $e$ coprime to $p-1$ and to $q-1$. Update: If $e$ is a large prime and not chosen with knowledge of the factorization of $m$, then it's extremely likely that $e$ is coprime to $p-1$ and to $q-1$, equivalently that $\gcd(e,\lambda(m))=1$. – fgrieu Mar 19 '24 at 16:45
  • @DanielS but as far as I'm aware, in the RSA problem the base has to not be larger than the modulus, which isn't the case here. Does this change anything? – user2284570 Mar 31 '24 at 08:53
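
The cases discussed in the answer and comments, as an added example that is not part of the original thread: recovering $b$ from $c$, $e$ and the factors of $m$ when $\gcd(e,\lambda(m))=1$ (with an exponent well over 128 bits), and the several-or-no-solution behaviour when the gcd is larger. The primes, exponent and function names are constructed for illustration, and the moduli are far too small for real use.

```python
import math

def recover_base(c, e, p, q):
    """Solve b**e = c (mod p*q) for b, given the prime factors p and q."""
    m = p * q
    lam = math.lcm(p - 1, q - 1)   # Carmichael lambda(m); math.lcm needs Python 3.9+
    if math.gcd(e, lam) != 1:
        # b -> b**e mod m is then not a bijection: several roots, or none.
        raise ValueError("gcd(e, lambda(m)) > 1: no unique e-th root")
    d = pow(e, -1, lam)            # modular inverse via pow(), Python 3.8+
    return pow(c, d, m)            # the result is always reduced mod m

def roots_by_search(c, e, m):
    """Every e-th root of c mod m by exhaustive search (toy moduli only)."""
    return [b for b in range(m) if pow(b, e, m) == c % m]

# Constructed toy parameters: two Mersenne primes as factors and a
# 521-bit Mersenne prime as exponent. Not realistic key sizes.
P, Q = 2**89 - 1, 2**61 - 1
M = P * Q
E = 2**521 - 1

if __name__ == "__main__":
    b = 123456789
    c = pow(b, E, M)
    # With the factors known, the size of e does not matter.
    print("recovered:", recover_base(c, E, P, Q) == b)
    # A base larger than m gives the same c, so only b mod m is recoverable.
    print("same c for b + 5m:", pow(b + 5 * M, E, M) == c)
    # gcd(3, lcm(6, 12)) = 3 for m = 7 * 13: nine cube roots of 1, none of 2.
    print("roots of 1:", roots_by_search(1, 3, 91))
    print("roots of 2:", roots_by_search(2, 3, 91))
```

The inversion step needs $p$ and $q$; without them, the comments above note that factoring $m$ is the most efficient general method known.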