1

For $d = e^{-1} \mod \phi(n)$

$$d\cdot e \operatorname{mod} \phi(n)=1$$ $$d = (e^{-1} \operatorname{mod} \phi(n))$$

With having $e$ and $n$, we can calculate the value of $d$ , the private key for cracking. Why do people worry about factoring $d$ when this technique is available? I would like to know some real insight into this.

Ali Gajani
  • 418
  • 2
  • 6
  • 12
  • 3
    I've never seen anyone worry about factoring d. $;$ –  Dec 06 '13 at 02:28
  • Haha, I know what you mean :) – Ali Gajani Dec 06 '13 at 02:32
  • 1
    I don't. Is "factoring the d" an euphemism? – rath Dec 06 '13 at 06:33
  • What does it mean, if you put the "mod $\phi(n)$" in the denominator? Usually "mod $x$" is meant for the entire statement (term, equation, etc.) – tylo Dec 06 '13 at 11:37
  • I vote to close the question as is, for: The question shows a lack of research; $d = 1/(e \operatorname{mod} \phi(n))$ does not make sense; there is not the slightest reasoning to support the bold assertion "With having $e$ and $n$, we can calculate the value of $d$"; and "factoring $d$" makes no sense. – fgrieu Dec 06 '13 at 12:46
  • possible duplicate of How do I calculate the private key in RSA? – Cryptographeur Dec 06 '13 at 13:56
  • Made some corrections to the formula. There was some trouble in the denominator. It correctly represents d more accurately. – Ali Gajani Dec 07 '13 at 11:39
  • 1
    In your restated version of the question you appear to be asking: "Look: $A$ so $B$ so $A$, meaning $A$ is easy"? Given $(e,N)$ it is not easy to calculate $d$ – Cryptographeur Dec 07 '13 at 12:13
  • As an answer to your question, yes you know $e$ and $N$ and that would be enough to compute $d$ if you knew $\phi(n)$. But $\phi(n)$ is not public – AFS Dec 08 '13 at 01:05
  • @AFS: You can calculate phi(n) because N , the modulus is public, remember (N,e). So calculating that would be easy, well for smaller number perhaps ? :) – Ali Gajani Dec 08 '13 at 02:42

2 Answers2

6

You are correct in that knowing $\phi(n)$ it is trivial to get the private key back with a simple modular inversion.

However, we are only given $e$ and $n$, and it turns out that computing $\phi(n)$ from $n$ alone is computationally equivalent to finding the factors of $n$. Namely, if you know $\phi(n) = (p-1)(q-1) = (p-1)(n/p - 1)$, you can recover $p$ by solving the quadratic equation $p^2 + (\phi(n) - n - 1)p + n = 0$ for $p$.

Samuel Neves
  • 12,460
  • 43
  • 52
  • How about solving for d when you know n and e as I explained in my question, using the inverse operation. I don't see how that is hard. I can't digest it, maybe I am imagining smaller numbers. – Ali Gajani Dec 06 '13 at 01:43
  • To solve for $d$, you must find out $\phi(n)$, since $d = e^{-1} \bmod \phi(n)$. That is the hard part. – Samuel Neves Dec 06 '13 at 01:48
  • You can solve for phi(n) by doing a quick computation in Wolfram Alpha and it tells you the totient or phi of n. How is that hard? – Ali Gajani Dec 06 '13 at 01:49
  • Like factoring, it becomes much harder as $n$ grows. If you try to do it for a $2048$-bit $n$, it will not be so easy. – Samuel Neves Dec 06 '13 at 01:52
  • You mean to say finding out the phi of n is as hard as finding out its factors. I believe finding out the factors would be a bit more harder computationally but I might be wrong because RSA hasn't been cracked yet with an efficient mathematical solution either. By the way, am I correct in saying that d is an inverse of 1/e mod phi(n) ? Because if we compute d = 1/e mod phi(n) we get a fraction so we must inverse d to get an integer, just clearing up buddy. – Ali Gajani Dec 06 '13 at 01:56
  • It's actually equivalent to factoring: you can compute $\phi(n)$ quickly from the factors, and you can find the factors quickly from $phi(n)$.

    No, $d = 1/e \bmod \phi(n)$. This does not result in a fraction, because we are working in modular arithmetic. There are efficient algorithms to do this.

     – Samuel Neves Dec 06 '13 at 01:59
  • I mean to say, my technique works most of the time because initially I have this: de ≡ 1 mod(phi(n)) which in turn becomes de mod(phi(n)) = 1 , solving for d we get d = 1/e mod(phi(n)) and then once I get the answer, I simply inverse it. What am I doing wrong here, as it has worked for me all the time? – Ali Gajani Dec 06 '13 at 02:04
  • 1
    It seems I misunderstood what you said earlier. You're correct. – Samuel Neves Dec 06 '13 at 02:24
  • @AliGajani If you know $\phi(n)$,your technique works. In fact it's how $d$ is computed during RSA key generation. But an attacker does not know $\phi(n)$, so they can't use this technique. – CodesInChaos Dec 06 '13 at 10:27
4

The main misconception here is, what part of the RSA problem is actually hard to compute.

Your statement is like this:

  • We have $e$ and $n$.
  • We know $ed=1$ mod $\phi(n)$.
  • So we should be able to calculate $d$.

Your reasoning is exactly what is happening in the key generation algorithm. Division in modular arithmetic behaves just the same as with rationals, just that they are not fractions but integers with the "same property" (inverse element) - if the inverse exists (that's why gdc$(e,\phi(n))=1$).

So where is the computation problem hidden, and what error was made?

The problem is, that computing $\phi(n)$ is easy if and only if the prime factors of $n$ are known. In fact, from $n$ and $\phi(n)$ you can compute the factorization of $n$ directly. You asked in the comments:

You can solve for phi(n) by doing a quick computation in Wolfram Alpha and it tells you the totient or phi of n. How is that hard?

There is your problem. This "quick computation" is scaling super-polynomially or maybe even exponentially (if no efficient factoring algorithms are used). It might be "easy" for small integers, but factoring numbers between 10 and 100 is also easy and can even be done without a computer.

Btw, if you know $e$ and $d$ instead of $\phi(n)$, you can also calculate the prime factors of $n$ in polynomial time. This is described in Alexander May's paper "Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring" (2004). To explain what this result means: If you know $e$ and $d$, then we can also compute $e\cdot d$ in $\mathbb{Z}$. We don't know $\phi(n)$, but we know that $ed=1 + k\cdot\phi(n)$. And we know that $ed < n^2$. If $k$ is small, then this is really easy, but if $k$ close to $n$, it is harder.

edit: rephrasing the last sentence

Anyway, the hardness of the RSA problem is not based on calculating $d$ from $e$ and phi(n). It is hard because $n$ is hard to factorize, and (for RSA modulus) it is constant time equivalent to calculate the factorization from $ph(n)$ and $n$.

tylo
  • 12,654
  • 24
  • 39
  • In your last sentence "RSA problem" could be misleading, since the RSA problem is: given an RSA public key $(e,n)$ and a randomly sampled ciphertext $c$ find $m$ s.t. $c\equiv m^e\pmod n$. – DrLecter Dec 06 '13 at 12:22
  • 1
    Your last sentence isn't just misleading, it's plain wrong. Calculating $\phi(n)$ and factoring $n$ are equivalent. The RSA problem is about solving $c=m^e \pmod n$ for $m$. While best known way is to factor $n$ and compute $\phi(n)$, it might be possible to solve this equation without learning $\phi(n)$ – CodesInChaos Dec 06 '13 at 12:53