RSA given d and d = p

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
4
down vote

favorite












Assume we have a somehow unorthodox implementation of RSA whereby:



$p$ and $q$ are chosen primes of length $n/2$ where $n$ is the number of bits desired in $N=p,q$ and
$$beginalign
phi &= (p-1)(q-1)\
d &= p\
e &= d^-1bmod phi
endalign$$



I can see that there is a weakness here but I'm unsure of how it translates. Playing around a bit I see that I end up with:



$$e = fracphi j + 1p $$



Further assuming that $frac1p$ can be considered infinitesimal:
$$e ≈ jleft(qleft(1+frac1pright) -1right)$$



So basically:
$$e ≈ j(q-1)$$



Is that right? Am I missing something?




rsa modular-arithmetic




share|improve this question


















  • 1




    Do you mean $e = mathrmmodinv(d,phi)?$ Otherwise explain how to get $e.$
    – gammatester
    Sep 3 at 15:28















up vote
4
down vote

favorite












Assume we have a somehow unorthodox implementation of RSA whereby:



$p$ and $q$ are chosen primes of length $n/2$ where $n$ is the number of bits desired in $N=p,q$ and
$$beginalign
phi &= (p-1)(q-1)\
d &= p\
e &= d^-1bmod phi
endalign$$



I can see that there is a weakness here but I'm unsure of how it translates. Playing around a bit I see that I end up with:



$$e = fracphi j + 1p $$



Further assuming that $frac1p$ can be considered infinitesimal:
$$e ≈ jleft(qleft(1+frac1pright) -1right)$$



So basically:
$$e ≈ j(q-1)$$



Is that right? Am I missing something?




rsa modular-arithmetic




share|improve this question


















  • 1




    Do you mean $e = mathrmmodinv(d,phi)?$ Otherwise explain how to get $e.$
    – gammatester
    Sep 3 at 15:28













up vote
4
down vote

favorite









up vote
4
down vote

favorite











Assume we have a somehow unorthodox implementation of RSA whereby:



$p$ and $q$ are chosen primes of length $n/2$ where $n$ is the number of bits desired in $N=p,q$ and
$$beginalign
phi &= (p-1)(q-1)\
d &= p\
e &= d^-1bmod phi
endalign$$



I can see that there is a weakness here but I'm unsure of how it translates. Playing around a bit I see that I end up with:



$$e = fracphi j + 1p $$



Further assuming that $frac1p$ can be considered infinitesimal:
$$e ≈ jleft(qleft(1+frac1pright) -1right)$$



So basically:
$$e ≈ j(q-1)$$



Is that right? Am I missing something?




rsa modular-arithmetic




share|improve this question














Assume we have a somehow unorthodox implementation of RSA whereby:



$p$ and $q$ are chosen primes of length $n/2$ where $n$ is the number of bits desired in $N=p,q$ and
$$beginalign
phi &= (p-1)(q-1)\
d &= p\
e &= d^-1bmod phi
endalign$$



I can see that there is a weakness here but I'm unsure of how it translates. Playing around a bit I see that I end up with:



$$e = fracphi j + 1p $$



Further assuming that $frac1p$ can be considered infinitesimal:
$$e ≈ jleft(qleft(1+frac1pright) -1right)$$



So basically:
$$e ≈ j(q-1)$$



Is that right? Am I missing something?





rsa modular-arithmetic





share|improve this question













share|improve this question




share|improve this question








edited Sep 3 at 16:33

























asked Sep 3 at 13:14









S. L.

485




485







  • 1




    Do you mean $e = mathrmmodinv(d,phi)?$ Otherwise explain how to get $e.$
    – gammatester
    Sep 3 at 15:28













  • 1




    Do you mean $e = mathrmmodinv(d,phi)?$ Otherwise explain how to get $e.$
    – gammatester
    Sep 3 at 15:28








1




1




Do you mean $e = mathrmmodinv(d,phi)?$ Otherwise explain how to get $e.$
– gammatester
Sep 3 at 15:28





Do you mean $e = mathrmmodinv(d,phi)?$ Otherwise explain how to get $e.$
– gammatester
Sep 3 at 15:28











1 Answer
1






active

oldest

votes

















up vote
8
down vote



accepted










Yes, it's broken. Here is the approach I see:



$$p = textgcd( n, r^e - r bmod n)$$



with quite high probability, for random $r$.



This happens because $e equiv 1 bmod p-1$, and hence $r^e equiv r pmod p$ (for any $r$). It is unlikely that $r^e equiv r pmod q$, and hence $r^e - r$ has $p$ as a factor, but (probably) doesn't have $q$.






share|improve this answer






















  • Awesome, exactly what I was looking for! Thanks!
    – S. L.
    Sep 4 at 6:59










  • I'm trying to derive the equation myself (the implementation works like a charm, just trying to understand it better). Would you mind expanding? Do you use Fermat's little theorem?
    – S. L.
    Sep 4 at 15:59






  • 1




    @S.L. Two things: $d = p$ implies $d equiv 1 pmodp-1$, which imples that $d^-1 = e equiv 1 pmodp-1$, that is, $e = k(p-1) + 1$ for some integer $k$. Second thing: Fermat's little theorem (as he originally stated it) says that $a^p equiv a pmod p$ for all $a, p$ (with $p$ prime). A simple extension gives $a^k(p-1) + 1 equiv a pmod p$ for all $a, k, p$ (with $p$ prime). Combining these two ideas immediately gives the result.
    – poncho
    Sep 4 at 16:12











  • OK I follow up to Fermat's theorem. in this case, $e$ i.e. $k(p-1)+1$ isn't prime. Moreover, wouldn't that be $$a^k(p-1)+1 = a (mod (k(p-1)+1)$$ ? Thanks!
    – S. L.
    Sep 4 at 16:37







  • 1




    @S.L.: it doesn't matter whether $k(p-1) + 1$ is prime or not; it only matters that $p$ is prime. As for the extension to FLT, it really is $a^k(p-1)+1 equiv a pmod p$; showable by simple induction (it's true for $k=0, 1$, and if it's true for $k=1, x$, it's easy to show it's true for $k = x+1$)
    – poncho
    Sep 4 at 16:47










Your Answer




StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62008%2frsa-given-d-and-d-p%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
8
down vote



accepted










Yes, it's broken. Here is the approach I see:



$$p = textgcd( n, r^e - r bmod n)$$



with quite high probability, for random $r$.



This happens because $e equiv 1 bmod p-1$, and hence $r^e equiv r pmod p$ (for any $r$). It is unlikely that $r^e equiv r pmod q$, and hence $r^e - r$ has $p$ as a factor, but (probably) doesn't have $q$.






share|improve this answer






















  • Awesome, exactly what I was looking for! Thanks!
    – S. L.
    Sep 4 at 6:59










  • I'm trying to derive the equation myself (the implementation works like a charm, just trying to understand it better). Would you mind expanding? Do you use Fermat's little theorem?
    – S. L.
    Sep 4 at 15:59






  • 1




    @S.L. Two things: $d = p$ implies $d equiv 1 pmodp-1$, which imples that $d^-1 = e equiv 1 pmodp-1$, that is, $e = k(p-1) + 1$ for some integer $k$. Second thing: Fermat's little theorem (as he originally stated it) says that $a^p equiv a pmod p$ for all $a, p$ (with $p$ prime). A simple extension gives $a^k(p-1) + 1 equiv a pmod p$ for all $a, k, p$ (with $p$ prime). Combining these two ideas immediately gives the result.
    – poncho
    Sep 4 at 16:12











  • OK I follow up to Fermat's theorem. in this case, $e$ i.e. $k(p-1)+1$ isn't prime. Moreover, wouldn't that be $$a^k(p-1)+1 = a (mod (k(p-1)+1)$$ ? Thanks!
    – S. L.
    Sep 4 at 16:37







  • 1




    @S.L.: it doesn't matter whether $k(p-1) + 1$ is prime or not; it only matters that $p$ is prime. As for the extension to FLT, it really is $a^k(p-1)+1 equiv a pmod p$; showable by simple induction (it's true for $k=0, 1$, and if it's true for $k=1, x$, it's easy to show it's true for $k = x+1$)
    – poncho
    Sep 4 at 16:47














up vote
8
down vote



accepted










Yes, it's broken. Here is the approach I see:



$$p = textgcd( n, r^e - r bmod n)$$



with quite high probability, for random $r$.



This happens because $e equiv 1 bmod p-1$, and hence $r^e equiv r pmod p$ (for any $r$). It is unlikely that $r^e equiv r pmod q$, and hence $r^e - r$ has $p$ as a factor, but (probably) doesn't have $q$.






share|improve this answer






















  • Awesome, exactly what I was looking for! Thanks!
    – S. L.
    Sep 4 at 6:59










  • I'm trying to derive the equation myself (the implementation works like a charm, just trying to understand it better). Would you mind expanding? Do you use Fermat's little theorem?
    – S. L.
    Sep 4 at 15:59






  • 1




    @S.L. Two things: $d = p$ implies $d equiv 1 pmodp-1$, which imples that $d^-1 = e equiv 1 pmodp-1$, that is, $e = k(p-1) + 1$ for some integer $k$. Second thing: Fermat's little theorem (as he originally stated it) says that $a^p equiv a pmod p$ for all $a, p$ (with $p$ prime). A simple extension gives $a^k(p-1) + 1 equiv a pmod p$ for all $a, k, p$ (with $p$ prime). Combining these two ideas immediately gives the result.
    – poncho
    Sep 4 at 16:12











  • OK I follow up to Fermat's theorem. in this case, $e$ i.e. $k(p-1)+1$ isn't prime. Moreover, wouldn't that be $$a^k(p-1)+1 = a (mod (k(p-1)+1)$$ ? Thanks!
    – S. L.
    Sep 4 at 16:37







  • 1




    @S.L.: it doesn't matter whether $k(p-1) + 1$ is prime or not; it only matters that $p$ is prime. As for the extension to FLT, it really is $a^k(p-1)+1 equiv a pmod p$; showable by simple induction (it's true for $k=0, 1$, and if it's true for $k=1, x$, it's easy to show it's true for $k = x+1$)
    – poncho
    Sep 4 at 16:47












up vote
8
down vote



accepted







up vote
8
down vote



accepted






Yes, it's broken. Here is the approach I see:



$$p = textgcd( n, r^e - r bmod n)$$



with quite high probability, for random $r$.



This happens because $e equiv 1 bmod p-1$, and hence $r^e equiv r pmod p$ (for any $r$). It is unlikely that $r^e equiv r pmod q$, and hence $r^e - r$ has $p$ as a factor, but (probably) doesn't have $q$.






share|improve this answer














Yes, it's broken. Here is the approach I see:



$$p = textgcd( n, r^e - r bmod n)$$



with quite high probability, for random $r$.



This happens because $e equiv 1 bmod p-1$, and hence $r^e equiv r pmod p$ (for any $r$). It is unlikely that $r^e equiv r pmod q$, and hence $r^e - r$ has $p$ as a factor, but (probably) doesn't have $q$.







share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 3 at 20:52

























answered Sep 3 at 16:46









poncho

85.5k2127216




85.5k2127216











  • Awesome, exactly what I was looking for! Thanks!
    – S. L.
    Sep 4 at 6:59










  • I'm trying to derive the equation myself (the implementation works like a charm, just trying to understand it better). Would you mind expanding? Do you use Fermat's little theorem?
    – S. L.
    Sep 4 at 15:59






  • 1




    @S.L. Two things: $d = p$ implies $d equiv 1 pmodp-1$, which imples that $d^-1 = e equiv 1 pmodp-1$, that is, $e = k(p-1) + 1$ for some integer $k$. Second thing: Fermat's little theorem (as he originally stated it) says that $a^p equiv a pmod p$ for all $a, p$ (with $p$ prime). A simple extension gives $a^k(p-1) + 1 equiv a pmod p$ for all $a, k, p$ (with $p$ prime). Combining these two ideas immediately gives the result.
    – poncho
    Sep 4 at 16:12











  • OK I follow up to Fermat's theorem. in this case, $e$ i.e. $k(p-1)+1$ isn't prime. Moreover, wouldn't that be $$a^k(p-1)+1 = a (mod (k(p-1)+1)$$ ? Thanks!
    – S. L.
    Sep 4 at 16:37







  • 1




    @S.L.: it doesn't matter whether $k(p-1) + 1$ is prime or not; it only matters that $p$ is prime. As for the extension to FLT, it really is $a^k(p-1)+1 equiv a pmod p$; showable by simple induction (it's true for $k=0, 1$, and if it's true for $k=1, x$, it's easy to show it's true for $k = x+1$)
    – poncho
    Sep 4 at 16:47
















  • Awesome, exactly what I was looking for! Thanks!
    – S. L.
    Sep 4 at 6:59










  • I'm trying to derive the equation myself (the implementation works like a charm, just trying to understand it better). Would you mind expanding? Do you use Fermat's little theorem?
    – S. L.
    Sep 4 at 15:59






  • 1




    @S.L. Two things: $d = p$ implies $d equiv 1 pmodp-1$, which imples that $d^-1 = e equiv 1 pmodp-1$, that is, $e = k(p-1) + 1$ for some integer $k$. Second thing: Fermat's little theorem (as he originally stated it) says that $a^p equiv a pmod p$ for all $a, p$ (with $p$ prime). A simple extension gives $a^k(p-1) + 1 equiv a pmod p$ for all $a, k, p$ (with $p$ prime). Combining these two ideas immediately gives the result.
    – poncho
    Sep 4 at 16:12











  • OK I follow up to Fermat's theorem. in this case, $e$ i.e. $k(p-1)+1$ isn't prime. Moreover, wouldn't that be $$a^k(p-1)+1 = a (mod (k(p-1)+1)$$ ? Thanks!
    – S. L.
    Sep 4 at 16:37







  • 1




    @S.L.: it doesn't matter whether $k(p-1) + 1$ is prime or not; it only matters that $p$ is prime. As for the extension to FLT, it really is $a^k(p-1)+1 equiv a pmod p$; showable by simple induction (it's true for $k=0, 1$, and if it's true for $k=1, x$, it's easy to show it's true for $k = x+1$)
    – poncho
    Sep 4 at 16:47















Awesome, exactly what I was looking for! Thanks!
– S. L.
Sep 4 at 6:59




Awesome, exactly what I was looking for! Thanks!
– S. L.
Sep 4 at 6:59












I'm trying to derive the equation myself (the implementation works like a charm, just trying to understand it better). Would you mind expanding? Do you use Fermat's little theorem?
– S. L.
Sep 4 at 15:59




I'm trying to derive the equation myself (the implementation works like a charm, just trying to understand it better). Would you mind expanding? Do you use Fermat's little theorem?
– S. L.
Sep 4 at 15:59




1




1




@S.L. Two things: $d = p$ implies $d equiv 1 pmodp-1$, which imples that $d^-1 = e equiv 1 pmodp-1$, that is, $e = k(p-1) + 1$ for some integer $k$. Second thing: Fermat's little theorem (as he originally stated it) says that $a^p equiv a pmod p$ for all $a, p$ (with $p$ prime). A simple extension gives $a^k(p-1) + 1 equiv a pmod p$ for all $a, k, p$ (with $p$ prime). Combining these two ideas immediately gives the result.
– poncho
Sep 4 at 16:12





@S.L. Two things: $d = p$ implies $d equiv 1 pmodp-1$, which imples that $d^-1 = e equiv 1 pmodp-1$, that is, $e = k(p-1) + 1$ for some integer $k$. Second thing: Fermat's little theorem (as he originally stated it) says that $a^p equiv a pmod p$ for all $a, p$ (with $p$ prime). A simple extension gives $a^k(p-1) + 1 equiv a pmod p$ for all $a, k, p$ (with $p$ prime). Combining these two ideas immediately gives the result.
– poncho
Sep 4 at 16:12













OK I follow up to Fermat's theorem. in this case, $e$ i.e. $k(p-1)+1$ isn't prime. Moreover, wouldn't that be $$a^k(p-1)+1 = a (mod (k(p-1)+1)$$ ? Thanks!
– S. L.
Sep 4 at 16:37





OK I follow up to Fermat's theorem. in this case, $e$ i.e. $k(p-1)+1$ isn't prime. Moreover, wouldn't that be $$a^k(p-1)+1 = a (mod (k(p-1)+1)$$ ? Thanks!
– S. L.
Sep 4 at 16:37





1




1




@S.L.: it doesn't matter whether $k(p-1) + 1$ is prime or not; it only matters that $p$ is prime. As for the extension to FLT, it really is $a^k(p-1)+1 equiv a pmod p$; showable by simple induction (it's true for $k=0, 1$, and if it's true for $k=1, x$, it's easy to show it's true for $k = x+1$)
– poncho
Sep 4 at 16:47




@S.L.: it doesn't matter whether $k(p-1) + 1$ is prime or not; it only matters that $p$ is prime. As for the extension to FLT, it really is $a^k(p-1)+1 equiv a pmod p$; showable by simple induction (it's true for $k=0, 1$, and if it's true for $k=1, x$, it's easy to show it's true for $k = x+1$)
– poncho
Sep 4 at 16:47

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62008%2frsa-given-d-and-d-p%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

Long meetings (6-7 hours a day): Being “babysat” by supervisor

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
Read more

Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

Image
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
Read more