Computing the RSA Secret Key Is Deterministic Polynomial Time Equivalent to Factoring
We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e,d) yield the factorization of N=pq in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input (N,e,d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e,d < φ(N) and that the factors p, q are of the same bit-size. Our approach is an application of Coppersmith’s technique for finding small roots of bivariate integer polynomials.
KeywordsRSA Coppersmith’s method
- 6.Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
- 8.Miller, G.L.: Riemann’s hypothesis and tests for primality. In: Seventh Annual ACM Symposium on the Theory of Computing, pp. 234–239 (1975)Google Scholar
- 10.Shoup, V.: NTL: A Library for doing Number Theory, online available at http://www.shoup.net/ntl/index.html