Let's say that you have some small number of RSA signatures of known data: you know some pairs $(m_k, c_k)$ such that ${c_k}^e \equiv m_k \pmod n$. If you know $e$, because probably it's one of $\{3, 17, 65537\}$, is it possible to recover $n$?
Asked
Active
Viewed 6,632 times
2 Answers
14
calculate $$gcd(c_1^e - m_1 , c_2^e- m_2, \dots , c_k^e-m_k)$$
With a bit luck this should get $n$.
It will be an interesting exercise to calculate the probability of success based on the number of cleartect/ciphertext pairs.
4
Note: In my answer below I neglected to consider that the the messages for the associated signatures are also known, and that this could enable the existence of a practical algorithm to recover the modulus. While I haven't done the legwork to verify, fgrieu's comment below indicates that recovery of the modulus may very well be practical. I'm leaving my original answer below for those who are curious.
For any practical number of RSA signatures, no, you will not be able to recover the entirety of the modulus $n$. You can however, with enough signatures, come up with a reasonable estimate for the value of the most significant bits of $n$ using Frequentist analysis.
It was exactly this sort of characterization of the RSA modulus that broke the key privacy scheme used on Australia's Health Care Card.
Robert Quattlebaum
- 534
- 3
- 9