-2

This is the setup: I have both public and private keys of one "instance" of RSA. And I have only the public key of another RSA cryptosystem, but this system has the same modulus as the first one. I need to decrypt a message encrypted with second cryptosystem. I tried to go with approach explained in this book (6th page of pdf, Relation to factoring) http://cacr.uwaterloo.ca/hac/about/chap8.pdf . This is the code I have written using sage

[ea,da]=[39179044089, 156228379005810487826203993004368317129]
[n,eb]=[26878770809509021607148455705681865402854989, 41068762391]
m=45174946057484071617993476375198277813392972
x=ea*da-1
s=0
while mod(x,2)==0:
    x = x / 2
    s=s+1
t = Integer(x)
a = 2
i = 2
a0=1
a1=power_mod(a, t*2, n)
while(mod(a1,n)!=1) or (abs(Integer(mod(a0,n))) == 1):
    if(i > s):
        a = a + 1
        i = 2
        a0=1
        a1=power_mod(a, t*2, n)
    a0 = a1
    a1 =  power_mod(a, t*2^i, n)
    i = i + 1
a0

This algorithm should give me a possible prime factor of n. But this code just gets stuck in the loop but I can't figure out why. I would appreciate any help or alternate solution to the problem.

Guest
  • 1
  • 2
  • 1
    Since we don't really do code review here or help debug, I haven't looked at your code really. I can give a suggestion, however. Take a look at this answer on a previous question. – mikeazo Nov 24 '14 at 20:48

2 Answers2

2

This is no valid standard RSA problem. My own recovery algorithm to get $p,q$ from $n,e_a,d_a$ failed. The reason: It assumes the standard RSA setting, but most factorization algorithms will reveal that

$$n=821 \times 528403 \times 107351609 \times 78385044401 \times 7363074684896267$$

Most probably your given $n$ contains a typo.

BTW: Your implementation obviously misses $\gcd$ operations and is very ineffective because it uses modular exponentiation over and over again, where simple squaring is sufficient, see the link from mikeazo's comment.

gammatester
  • 1,005
  • 1
  • 8
  • 12
2

As gammatester pointed out, the code could be more efficient; however that isn't the real problem.

The reason that your code gets in a loop is that it assumes that $(e, d)$ are a valid public/private exponent pair for the modulus in question; this implies that $x^{ed-1} = 1 \pmod{n}$ for any $x$ relatively prime to $n$. However, you don't have a valid pair (because you likely have a typo in your value $n$), and so your code will infinitely loop, vainly computing values $x^{2^{i-s}(ed-1)}$, looking for either the value 1 or -1, and not finding it.

Now, as for an obvious fix, if $(e, d)$ were a valid pair, and you when through the $s$ iterations, and didn't hit 1 or -1, well, the only reason that would happen is the value $a$ you picked wasn't relatively prime to $n$. As your original $a=2$ is guaranteed to be relatively prime to $n$ (assuming that only odd $n$ values are considered legal), then the obvious fix to do is, if the if(i>s) check succeeds, give up with an error (as the inputs were invalid).

poncho
  • 147,019
  • 11
  • 229
  • 360