Assume I have the following modular congruences, where $n = pq$ is the product of two (large) primes:
$$A \equiv (xp+yq)^{e_1} \mod n$$
$$B \equiv (zp+uq)^{e_2} \mod n$$
We know $A,B, x,y,z,u, e_1, e_2$ and $n$, but not its prime factors $p$ and $q$.
I have some vague recollections from one of my classes that using this system of congruences, given the properties of modular exponentiation, I can find $p$ and $q$. I am not necessarily looking for a plain solution but for an explanation why.
My first instinct was to solve the following system:
$$k_1n + A = (xp+yq)^{e_1}$$
$$k_2n + B = (zp+uq)^{e_2}$$
$$n = pq$$
But that has 4 unknowns so I'd need 4 equations.
Answer
The following may be what you are thinking of from your class. You have the following $2$ congruence equations:
$$A \equiv (xp+yq)^{e_1} \pmod n \tag{1}\label{eq1}$$
$$B \equiv (zp+uq)^{e_2} \pmod n \tag{2}\label{eq2}$$
Let $e = \text{lcm}(e_1,e_2)$. Take both sides of \eqref{eq1} to the power of $f = \frac{e}{e_1}$ and both sides of \eqref{eq2} to the power of $g = \frac{e}{e_2}$ to get
$$A^f \equiv (xp+yq)^e \pmod n \tag{3}\label{eq3}$$
$$B^{\, g} \equiv (zp+uq)^e \pmod n \tag{4}\label{eq4}$$
As Roddy MacPhee stated in the comments, in the binomial expansion of the RHS of \eqref{eq3} and \eqref{eq4}, each term except for the first & last ones have a factor of $pq$, so are congruent to $0$ modulo $n$ and, thus, can be ignored. You then end up with
$$A^f \equiv x^e p^e + y^e q^e \pmod n \tag{5}\label{eq5}$$
$$B^{\, g} \equiv z^e p^e + u^e q^e \pmod n \tag{6}\label{eq6}$$
You now basically have $2$ linear equations in $2$ unknowns of $p^e$ and $q^e$. To solve them, you can multiply and subtract to eliminate one of the variables. Multiply both sides of \eqref{eq5} by $u^e$ and subtract \eqref{eq6} multiplied by $y^e$ to get
$$u^e A^f - y^e B^{\, g} \equiv \left(\left(ux\right)^e - \left(zy\right)^e\right)p^e \pmod n \tag{7}\label{eq7}$$
Since $n = pq$, this means the LHS of \eqref{eq7} must be a multiple of $p$. There are $2$ basic cases to consider now. If the LHS is not congruent to $0$ modulo $n$, then you can use the Euclidean algorithm to efficiently get $p = \gcd(n,u^e A^f - y^e B^{\, g})$, and then $q$ from $n$. However, if the LHS is congruent to $0$ modulo $n$, then if $p \neq q$ (note: if there is any chance of this not being true, you should check for & handle this initially), you have instead that $C = \left(ux\right)^e - \left(zy\right)^e \equiv 0 \pmod q$, so there are now $2$ sub-cases to handle. If $C$ is not congruent to $0$ modulo $n$, you can use the Euclidean algorithm to get $q = \gcd(n,C)$, and then $p$ from $n$. However, if it is, then you can eliminate $p^e$ from \eqref{eq5} and \eqref{eq6} to use those other values instead. If they also fail in this respect, I don't know offhand what is best to do next, but I doubt this will happen very often, if at all, especially since $p$ and $q$ are both large primes.
One thing to note is there are relatively fast and efficient means to get the modulo results of $j^k \pmod m$ for even quite large values of $j, k$ and $m$. For example, Congruence Modulo with large exponents has some ideas, with my suggestion being to consider a binary method, like repeated squaring and reduction, as outlined in the answer by André Nicolas, or repeated squaring & multiplication of the values corresponding to the $1$ coefficients in the binary representation of $k$.
No comments:
Post a Comment