A message, m is encrypted using a private key d.
p = prime()
q = prime()
e = 65537
c = pow(m, e, n)
PHI = (p-1)*(q-1)
d = mod_inverse(e, PHI)
Assume all these values are known to the attacker, except for the message (m) and ciphertext (c).
Is it possible to find an alternate value for d such that:
c ^ d_alternative % n == m (the ciphertext decrypts correctly to the message)
And
d_alternative % PHI != d (the new d modulus PHI does not equal the old d)
This second part is the catch: d and d_alternative cannot be modularly congruent.
Is this possible, and if so, how?
