4

PK := (n, e) = (1765937, 23755) SK := (n, d) = (1765937, 1734043)

Can someone tell me, given these keys, what is not good about them, meaning it should not be very difficult to break it?

(Except from the fact that they are very small numbers.)

tr3quart1sta
  • 141
  • Why do you think that they must be bad? – TonyK Apr 28 '14 at 11:31
  • 1
    One observation is that with $n=p*q= 7919\times223$ the primes $p,q$ are not of roughly the same size, violating the first part of Key_generation. – gammatester Apr 28 '14 at 11:36
  • AFAIK when p and q about the same size are, the fermat factorization can be solved in very few iterations and that's not good. – tr3quart1sta Apr 28 '14 at 11:44
  • @gammatester If they are about the same size, they are very near to $\sqrt{n}$, so the factorization can be obtained starting from $\lfloor\sqrt{n}\rfloor$ in a small amount of time. – egreg Apr 28 '14 at 11:46
  • @egreg: Yes, I know that they should not be too close (i.e. $\log_2|p-q| > \frac{3}{4}\log_2|p|)$, but OTOH the difference should not be so large. – gammatester Apr 28 '14 at 11:59
  • 1
    I think I found something: I tried to apply cyclic attack and the messages do not encrypt at all. That means, for every message m (as long as m < n) m^e mod n = m every time. Now, another question is: What must the relationship between n and e be, in order for something like that to happen? – tr3quart1sta Apr 28 '14 at 12:26
  • 2
    This comes from $e=\lambda(n)+1$ where $\lambda$ is the http://en.wikipedia.org/wiki/Carmichael_function: You have $m^e \equiv m^{\lambda(n)+1} \equiv m^{\lambda(n)}m \equiv 1\times m = m \pmod{n}$ – gammatester Apr 28 '14 at 12:43

1 Answers1

1

As mentioned in the comments the key leads to an identity mapping, so it's a weak key.

The concern about $p,q$ being roughly the same size in bits is misplaced for a real world system. Let $N$ have size 4096 bits, as is recommended today. If $p,q$ are chosen randomly from the set of integers of size 2048 and tested for primality, they are chosen from a set of roughly $$\geq \frac{1}{2}\frac{2^{2048}}{\log(2^{2048})}\approx 2^{2036} $$ integers so the probability that a search near $\sqrt{N}$ will factor $N$ faster than the best factoring algorithm, the Number Field Sieve (see wikipedia entry ) is vanishingly small, less than $2^{-1400}.$

kodlu
  • 9,338