1 (mod m) where m = φ(n) = (p-1)*(q-1) (φ(m) is Euler's totient function), in which case you can use the extended Euclidean algorithm to determine d from e (d*e - k*m = 1 for some k). All these are very easy to compute, except for the factoring, which is designed to be intractably difficult so that public-key encryption is a useful technique that cannot be decrypted unless you know the private key.

So, to answer your question in a practical sense, no, you can't derive the private key from the public key unless you can wait the hundreds or thousands of CPU-years to factor n.

Public-key encryption and decryption are inverse operations:

x = y^e mod n = (x^d)^e mod n = x^(de) mod n = x^(kφ(n)+1) mod n = x * (x^φ(n))^k mod n = x mod n

where (x^φ(n))^k = 1 mod n because of Euler's theorem.
1, but I think your "hundreds or thousands of CPU-years" may be an exaggeration at this point for 1024-bit keys. See here (among other places). 1024 bits is really too small at this point... – Nemo Jun 11 at 21:21

"For example as of Jun 11, a 1039 bit integer was factored with the special number field sieve using 400 computers over 11 months" -- that's 367 CPU-years, and they're saying it was a special form... so I don't think I was too far off. – Jason S Jun 11 at 22:31

Fair enough. But your phrasing might make it sound like 1024-bit keys are "safe" when they are nothing of the kind these days, at least according to the experts. – Nemo Jun 11 at 22:36
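An added worked example (not part of the original answer or its comments): the derivation described in the answer above, carried through with constructed toy values p = 61, q = 53, e = 17. The function names are this example's own, and the trial-division step only terminates quickly because n is tiny.

```python
from math import isqrt

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def private_exponent(e, p, q):
    """Derive d from e once the factors p and q of n are known."""
    m = (p - 1) * (q - 1)              # m = phi(n)
    g, d, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    d %= m                             # normalise to 0 < d < m
    k = (d * e - 1) // m               # the k in d*e - k*m = 1
    assert d * e - k * m == 1
    return d, k

def factor_by_trial_division(n):
    """Recover the factors of a toy modulus from the public key alone.
    Work grows with sqrt(n), so this is hopeless at real key sizes."""
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no odd factor found")

def demo():
    p, q, e = 61, 53, 17               # constructed toy key, never use sizes like this
    n = p * q
    d, k = private_exponent(e, p, q)
    # x -> x^d -> (x^d)^e is the identity for every residue mod n
    assert all(pow(pow(x, d, n), e, n) == x for x in range(n))
    # Holding only (n, e): factor first, then the same easy derivation applies
    p2, q2 = factor_by_trial_division(n)
    assert private_exponent(e, p2, q2) == (d, k)
    return n, d, k

if __name__ == "__main__":
    print(demo())
```

Everything except `factor_by_trial_division` stays cheap as n grows; that one step is what the key size has to keep out of reach.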
No. Otherwise a private key would be of no use.
The answer is yes under two conditions. One, somebody factors n. Two, someone slips the algorithm a mickey and convinces the signer to use one of several possible special values for x.
Applied Cryptography pages 472 and 473 describe two such schemes. I don't fully understand exactly how they would work in practice. But the solution is to use an x that cannot be fully controlled by someone who wants to determine d (aka the attacker).
There are several ways to do this, and they all involve hashing x, fiddling the value of the hash in predictable ways to remove some undesirable properties, and then signing that value. The recommended techniques for doing this are called 'padding', though there is one very excellent technique that does not count as a padding method that can be found in Practical Cryptography.
I don't agree. If you use an inappropriate padding then several types of chosen message and chosen ciphertext attacks are possible. These attacks can be used to forge signatures or to decrypt ciphertexts. However, none of these attacks can be used to find the private key. – Accipitridae Jul 6 at 7:31