Re: Some naive musings about RSA

Liste des GroupesRevenir à c misc 
Sujet : Re: Some naive musings about RSA
De : invalid (at) *nospam* invalid.invalid (Richard Kettlewell)
Groupes : comp.misc
Date : 08. Jul 2025, 08:47:50
Autres entêtes
Organisation : terraraq NNTP server
Message-ID : <wwv8qkznmxl.fsf@LkoBDZeT.terraraq.uk>
References : 1 2
User-Agent : Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Ethan Carter <ec1828@somewhere.edu> writes:
Sylvia Else <sylvia@email.invalid> writes:
Sometimes in an idle moment, I find myself wondering about possible
ways to attack RSA. Spoiler alert, I haven't found one.
>
But in passing, I found myself thinking about this:
>
For the uninitiated, RSA is based on the fact that if p and q are
large primes, then the product p*q is a large number that is
computationally infeasible to factorise - which is to say, no one's
found a way, though quantum computers offer a possibility.
>
Let m be p * q, and n be (p-1)(q-1). Then RSA further depends on the

Noting again for reference that conventional notation here is n=pq.

fact that for any integer a, co-prime with m, a^n modulo m is 1. Since
2 will be co-prime with m, that means that 2^n modulo m is also 1. We
can write that equivalently as
>
2^n - 1 = k * m
where k is an unknown integer. Actually, there are an infinity of
possible k, but we're interested in the lowest (ignoring the trivial
case of k = 0).
>
I suggest you should not use the word ``unknown'' here because the
equation is true for all integers k, as you observe on the following
sentence.  The equation is saying that 2^n - 1 is a multiple of m.
Mathematical lingo is such that ``an unknown integer'' means a /fixed/
number k (that we don't which it is), but your k here is not fixed.
(You can say ``an arbitrary integer'' instead.)

I covered this in another post. For a given RSA key there’s only one k
and it’s straightforward to write down an expression for it, just not
practical to compute the value of that expression. I don’t know why
Sylvia thought there might be more than one, or for that matter why k=0
would work since it’s obviously not possible for any RSA key.

If we knew k, then that would give us n, or a factor of n (n is never
prime, it is at least divisible by 4).
>
Something isn't quite right here.  We trivially know the smallest
positive k that satisfy the equation---that's k = 1.  For example, take
p = 3, q = 5 so that m = 15 and n = 8.  Then the equation
>
  2^8 - 1 = k * 15
>
is trivially satisfied by taking k = 1, which is the smallest /positive/
integer you're looking for. 
>
So I did not really understand the rest of your post.  You seemed to be
looking for a factor of n.  You're then looking for a factor of
>
  p - 1 or q - 1.
>
If these numbers would have /small/ factors, you could find them by
trial division, say.  That would indeed be a weakness.  RSA is not
safe if we pick p, q such that p - 1 or q - 1 have small factors.

p-1 and q-1 are always divisible by 2, as small a factor as you can
possibly get.

--
https://www.greenend.org.uk/rjk/

Date Sujet#  Auteur
27 Jun 25 * Some naive musings about RSA5Sylvia Else
27 Jun 25 +- Re: Some naive musings about RSA1Richard Kettlewell
8 Jul 25 `* Re: Some naive musings about RSA3Ethan Carter
8 Jul 25  `* Re: Some naive musings about RSA2Richard Kettlewell
9 Jul 25   `- Re: Some naive musings about RSA1Ethan Carter

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal