computing the rsa secret key is deterministic …pmol/talks/rsa_dpt_factoring.pdf · computing the...
Post on 08-Aug-2018
218 Views
Preview:
TRANSCRIPT
Computing the RSA secret Key is DeterministicPolynomial Time equivalent to Factoring
Alexander May
Faculty of Computer Science, Electrical Engineering and Mathematics
Crypto 2004
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 1 / 14
Outline
1 IntroductionQuick OverviewA more detailed descriptionRelated topics and previous Results
2 Main ResultsGoal and assumptionsProof OverviewMain theoremsRemarks
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 2 / 14
Introduction Quick Overview
Main Result of the paper
The knowledge of the RSA public key secret key pair (e,d) ⇒Factorization of N=pq in Polynomial Time
Assumptions
1 e, d < φ(N)
2 p,q are of the same bit-size
Technique used
Coppersmith’s technique for finding small roots of bivariate integerpolynomials
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 3 / 14
Introduction Quick Overview
Main Result of the paper
The knowledge of the RSA public key secret key pair (e,d) ⇒Factorization of N=pq in Polynomial Time
Assumptions
1 e, d < φ(N)
2 p,q are of the same bit-size
Technique used
Coppersmith’s technique for finding small roots of bivariate integerpolynomials
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 3 / 14
Introduction Quick Overview
Main Result of the paper
The knowledge of the RSA public key secret key pair (e,d) ⇒Factorization of N=pq in Polynomial Time
Assumptions
1 e, d < φ(N)
2 p,q are of the same bit-size
Technique used
Coppersmith’s technique for finding small roots of bivariate integerpolynomials
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 3 / 14
Introduction A more detailed description
Common technique in public key Cryptography is to establish PolynomialTime equivalence between:
• The problem of computing the secret key from the public information
• a well-known hard problem p (believed to be computationallyinfeasible)
This establishes the security of the secret key (given that p iscomputationally infeasible)However IT DOES NOT provide security for the public key system itself.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 4 / 14
Introduction A more detailed description
Common technique in public key Cryptography is to establish PolynomialTime equivalence between:
• The problem of computing the secret key from the public information
• a well-known hard problem p (believed to be computationallyinfeasible)
This establishes the security of the secret key (given that p iscomputationally infeasible)However IT DOES NOT provide security for the public key system itself.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 4 / 14
Introduction A more detailed description
Common technique in public key Cryptography is to establish PolynomialTime equivalence between:
• The problem of computing the secret key from the public information
• a well-known hard problem p (believed to be computationallyinfeasible)
This establishes the security of the secret key (given that p iscomputationally infeasible)However IT DOES NOT provide security for the public key system itself.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 4 / 14
Introduction Related topics and previous Results
Related Topics
• Primality:Proven to be in P [AKS 2002]
• Factoring:RSA’s security is based on the hardness of factoriztion:• It is yet unknown if factorization is equivalent to RSA cryptanalysis• Cryptanalysis of RSA is at least as easy as factoring.
Previous Results
• Existence of probabilistic polynomial time equivalence betweenfactoring N and finding d.
• Factors of N can be obtained from d under the Extended RiemannHypothesis (Miller , 1975)
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 5 / 14
Introduction Related topics and previous Results
Related Topics
• Primality:Proven to be in P [AKS 2002]
• Factoring:RSA’s security is based on the hardness of factoriztion:• It is yet unknown if factorization is equivalent to RSA cryptanalysis• Cryptanalysis of RSA is at least as easy as factoring.
Previous Results
• Existence of probabilistic polynomial time equivalence betweenfactoring N and finding d.
• Factors of N can be obtained from d under the Extended RiemannHypothesis (Miller , 1975)
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 5 / 14
Main Results Goal and assumptions
Goal
Knowledge of (e,d) ⇔ knowledge of factors p,q of N.
⇐: trivial⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:
(a) p,q have the same bitsize
(b) e · d ≤ N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < φ(N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6 / 14
Main Results Goal and assumptions
Goal
Knowledge of (e,d) ⇔ knowledge of factors p,q of N.⇐: trivial
⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:
(a) p,q have the same bitsize
(b) e · d ≤ N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < φ(N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6 / 14
Main Results Goal and assumptions
Goal
Knowledge of (e,d) ⇔ knowledge of factors p,q of N.⇐: trivial⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:
(a) p,q have the same bitsize
(b) e · d ≤ N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < φ(N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6 / 14
Main Results Goal and assumptions
Goal
Knowledge of (e,d) ⇔ knowledge of factors p,q of N.⇐: trivial⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:
(a) p,q have the same bitsize
(b) e · d ≤ N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < φ(N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6 / 14
Main Results Goal and assumptions
Goal
Knowledge of (e,d) ⇔ knowledge of factors p,q of N.⇐: trivial⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:
(a) p,q have the same bitsize
(b) e · d ≤ N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < φ(N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6 / 14
Main Results Goal and assumptions
Goal
Knowledge of (e,d) ⇔ knowledge of factors p,q of N.⇐: trivial⇒: (Reduction of factoring problem to d computation)Input (N,e,d) ⇒ output (p,q) under the assumptions:
(a) p,q have the same bitsize
(b) e · d ≤ N2
Remarks on the assumptions
(a) This is usually the case
(b) Usually 1 < e, d < φ(N)
Conclusion: The assumptions are not so restrictive
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 6 / 14
Main Results Proof Overview
Basic technique
Coppersmith’s method for finding small roots of bivariate integerpolynomialsPrevious application:factorization of N when half of the msb of p aregiven.
Steps
• Proof for the special case where ed ≤ N3/2.
• Generalization of the proof for the case where ed ≤ N2
• Experimental Results and conclusion
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7 / 14
Main Results Proof Overview
Basic technique
Coppersmith’s method for finding small roots of bivariate integerpolynomialsPrevious application:factorization of N when half of the msb of p aregiven.
Steps
• Proof for the special case where ed ≤ N3/2.
• Generalization of the proof for the case where ed ≤ N2
• Experimental Results and conclusion
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7 / 14
Main Results Proof Overview
Basic technique
Coppersmith’s method for finding small roots of bivariate integerpolynomialsPrevious application:factorization of N when half of the msb of p aregiven.
Steps
• Proof for the special case where ed ≤ N3/2.
• Generalization of the proof for the case where ed ≤ N2
• Experimental Results and conclusion
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7 / 14
Main Results Proof Overview
Basic technique
Coppersmith’s method for finding small roots of bivariate integerpolynomialsPrevious application:factorization of N when half of the msb of p aregiven.
Steps
• Proof for the special case where ed ≤ N3/2.
• Generalization of the proof for the case where ed ≤ N2
• Experimental Results and conclusion
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 7 / 14
Main Results Main theorems
ed ≤ N3/2
Wlog assume that p < q. Then p < N1/2 < q < 2p < 2N1/2(1) which
gives p + q < 3N1/2 ≤ N2 (2) (for N ≥ 36) Thus,
φ(N) = N + 1− (p + q) > N2 (3)
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) and
ed ≤ N32
Then N can be factored in time polynomial to its bitsize.
Proof.
• dke:ceiling of k.
• Z∗φ(N): Ring of the invertible integers modφ(N).
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 8 / 14
Main Results Main theorems
ed ≤ N3/2
Wlog assume that p < q. Then p < N1/2 < q < 2p < 2N1/2(1) which
gives p + q < 3N1/2 ≤ N2 (2) (for N ≥ 36) Thus,
φ(N) = N + 1− (p + q) > N2 (3)
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) and
ed ≤ N32
Then N can be factored in time polynomial to its bitsize.
Proof.
• dke:ceiling of k.
• Z∗φ(N): Ring of the invertible integers modφ(N).
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 8 / 14
Main Results Main theorems
ed ≤ N3/2
Wlog assume that p < q. Then p < N1/2 < q < 2p < 2N1/2(1) which
gives p + q < 3N1/2 ≤ N2 (2) (for N ≥ 36) Thus,
φ(N) = N + 1− (p + q) > N2 (3)
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) and
ed ≤ N32
Then N can be factored in time polynomial to its bitsize.
Proof.
• dke:ceiling of k.
• Z∗φ(N): Ring of the invertible integers modφ(N).
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 8 / 14
Main Results Main theorems
proof (continued)
ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 for some k ∈ N.k̄ = ed−1
N . Then k ≥ dk̄eIn addition k − k̄ = ... = (p+q−1)(ed−1)
φ(N)N
(2) and (3) give k − k̄ < 6N−3/2(ed − 1) (4) which givesby hypothesis k − k̄ < 6 ⇒ k − dk̄e < 6Thus we only have to try dk̄e+ i for i=0,...,5 to find the right k.
Complexity
The complexity of the algorithm is O(log2N).
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 9 / 14
Main Results Main theorems
proof (continued)
ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 for some k ∈ N.k̄ = ed−1
N . Then k ≥ dk̄eIn addition k − k̄ = ... = (p+q−1)(ed−1)
φ(N)N
(2) and (3) give k − k̄ < 6N−3/2(ed − 1) (4) which givesby hypothesis k − k̄ < 6 ⇒ k − dk̄e < 6Thus we only have to try dk̄e+ i for i=0,...,5 to find the right k.
Complexity
The complexity of the algorithm is O(log2N).
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 9 / 14
Main Results Main theorems
ed ≤ N2
Theorem (Coppersmith)
Let f(x,y) be an irreducible polynomial in two variables over Z, ofmaximuum degree δ in each variable seperately. Let X,Y be bounds on thedesired solutions (x0, y0).Let W be the absolute value of the largest entry
in the coefficient vector of f(xX,yY). If XY ≤ W23δ Then in time
polynomial in logW and 2δ we can find all integer pairs (x0, y0) withf (x0, y0) = 0, |x0| ≤ X and |y0| ≤ Y .
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) anded ≤ N2
Then N can be factored in time polynomial in the bitsize of N.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 10 / 14
Main Results Main theorems
ed ≤ N2
Theorem (Coppersmith)
Let f(x,y) be an irreducible polynomial in two variables over Z, ofmaximuum degree δ in each variable seperately. Let X,Y be bounds on thedesired solutions (x0, y0).Let W be the absolute value of the largest entry
in the coefficient vector of f(xX,yY). If XY ≤ W23δ Then in time
polynomial in logW and 2δ we can find all integer pairs (x0, y0) withf (x0, y0) = 0, |x0| ≤ X and |y0| ≤ Y .
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Suppose we know integers e,d with ed > 1, ed ≡ 1(modφ(N)) anded ≤ N2
Then N can be factored in time polynomial in the bitsize of N.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 10 / 14
Main Results Main theorems
Proof.
Again ed ≡ 1(modφ(N)) ⇒ ed = kφ(N) + 1 (5) for some k ∈ N.Let k̄ = ed−1
N be an underestimation of k. Using (4) we obtain
k − k̄ < 6N−3/2(ed − 1) < 6N1/2
Let us denote x = k − dk̄e (dk̄e:approximation of k, x: additive error) In
addition N − φ(N) = p + q − 1 < 3N1/2
Thus φ(N) lies in the interval [N − 3N1/2,N].We divide the interval [N − 3N1/2,N] into 6 subintervals of length 1
2N1/2
with centers N − 2i−14 N1/2, i = 1, ..., 6 For the correct i we have
|N − 2i−14 N1/2 − φ(N)| ≤ 1
4N1/2
Let g = d2i−14 N1/2e for the right i. Then
|N − g − φ(N)| < 14N1/2 + 1 ⇒ φ(N) = N − g − y for some unknown y
with |y | ≤ 14N1/2
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 11 / 14
Main Results Main theorems
Proof (continued)
(5) yields ed − 1− (dk̄e+ x)(N − g − y) = 0We define the bivariate integer polynomial :f (x , y) = xy − (N − g)x + dk̄ey − dk̄e(N − g) + ed − 1with a known root (x0, y0) = (k − dk̄e, p + q + 1− g) over the integers.
We now apply Coppersmith’s theorem. We defineX = 6N1/2 andY = 1
4N1/2 + 1 Then |x0| ≤ X and |y0| ≤ Y .
Let W denote the linf norm of the coefficient vector of f(xX,yY). ThenW ≥ (N − g)X > 3N3/2
Thus XY = ... < W 2/3 = W23δ (for N > 144
(2·91/3−3)2)
By Coppersmith’s theorem we can find the root (x0, y0) in timepolynomialin the bitsize of of W.Finally the solution y0 = p + q − 1− g yields the factorization of N.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 12 / 14
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the bitsize ofN since W ≤ NX = 6N3/2
2 The previous theorem can be easily generalized for the case wherep + q ≤ poly(logN)N1/2
(a) For the case where ed ≤ N3/2 we only have to examine the valuesdk̄e+ i , for i=0,1,...,d2poly(logN)e − 1(polynomialy bounded by the bitsize of N)
(b) For the case where ed ≤ N2 we just have to divide the interval[N − poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13 / 14
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the bitsize ofN since W ≤ NX = 6N3/2
2 The previous theorem can be easily generalized for the case wherep + q ≤ poly(logN)N1/2
(a) For the case where ed ≤ N3/2 we only have to examine the valuesdk̄e+ i , for i=0,1,...,d2poly(logN)e − 1(polynomialy bounded by the bitsize of N)
(b) For the case where ed ≤ N2 we just have to divide the interval[N − poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13 / 14
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the bitsize ofN since W ≤ NX = 6N3/2
2 The previous theorem can be easily generalized for the case wherep + q ≤ poly(logN)N1/2
(a) For the case where ed ≤ N3/2 we only have to examine the valuesdk̄e+ i , for i=0,1,...,d2poly(logN)e − 1(polynomialy bounded by the bitsize of N)
(b) For the case where ed ≤ N2 we just have to divide the interval[N − poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13 / 14
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the bitsize ofN since W ≤ NX = 6N3/2
2 The previous theorem can be easily generalized for the case wherep + q ≤ poly(logN)N1/2
(a) For the case where ed ≤ N3/2 we only have to examine the valuesdk̄e+ i , for i=0,1,...,d2poly(logN)e − 1(polynomialy bounded by the bitsize of N)
(b) For the case where ed ≤ N2 we just have to divide the interval[N − poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13 / 14
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the bitsize ofN since W ≤ NX = 6N3/2
2 The previous theorem can be easily generalized for the case wherep + q ≤ poly(logN)N1/2
(a) For the case where ed ≤ N3/2 we only have to examine the valuesdk̄e+ i , for i=0,1,...,d2poly(logN)e − 1(polynomialy bounded by the bitsize of N)
(b) For the case where ed ≤ N2 we just have to divide the interval[N − poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13 / 14
Main Results Remarks
Remarks
1 The running time of the algorithm is also polynomial in the bitsize ofN since W ≤ NX = 6N3/2
2 The previous theorem can be easily generalized for the case wherep + q ≤ poly(logN)N1/2
(a) For the case where ed ≤ N3/2 we only have to examine the valuesdk̄e+ i , for i=0,1,...,d2poly(logN)e − 1(polynomialy bounded by the bitsize of N)
(b) For the case where ed ≤ N2 we just have to divide the interval[N − poly(logN)N1/2,N] into d2poly(logN)e intervals.
Conclusion:Assumption (a) is not restrictive at all.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 13 / 14
Main Results Remarks
From the cryptography point of view ...
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Furthermore let e ∈ Z∗
φ(N) be an RSA public exponent.
Suppose we have an algorithm that on input (N,e) outputs in deterministicpolynomial time the RSA secret exponent d ∈ Z∗
φ(N) satisfying
ed = 1(modφ(N))Then N can be factored in deterministic polynomial time.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 14 / 14
Main Results Remarks
From the cryptography point of view ...
Theorem
Let N=pq be the RSA-modulus, where p and q are of the same bitsize.Furthermore let e ∈ Z∗
φ(N) be an RSA public exponent.
Suppose we have an algorithm that on input (N,e) outputs in deterministicpolynomial time the RSA secret exponent d ∈ Z∗
φ(N) satisfying
ed = 1(modφ(N))Then N can be factored in deterministic polynomial time.
Alexander May (Faculty of Computer Science, Electrical Engineering and Mathematics)Computing the RSA secret Key is Deterministic Polynomial Time equivalent to FactoringCrypto 2004 14 / 14
top related