RSA and integer factoring

RSA signature

In textbook RSA, only with a private key \(d\) can we generate a signature

\[\sigma \leftarrow m^{d}\equiv m \pmod{N}\]

but anyone with the public key \((e,N)\) can verify that

\[\sigma^e \equiv m \pmod{N}\]

The keys are constructed from two random prime numbers \(p,q\) such that

\[de\equiv 1 \pmod{\phi(N)}\]

where \(\phi(N)=(p-1)(q-1)\) is Euler’s totient function for such \(N\).

Warning

Anyone gaining knowledge of \(p\) or \(q\) can recover the private key \(d\) by computing either \(\gcd(p,N)\) or \(\gcd(q,N)\).

Details

There are plenty of ways to attack RSA in special cases. Even knowing \(\phi(N)\) allows computing \(e^{-1} \mod \phi(N)\). The above simplification is most relevant for our purpose here.

Important

The most efficient classical algorithm to factorize an \(N\) of length \(b\) bits, the GNFS, has complexity approximately

\[e ^ {3 b^{1/3} \cdot (\log b)^{2/3}}\]

A 3072-bit RSA public key provides \(\approx 128\) bits of security against a classical computer. [BGGHTZ_22]

Warning

Shor’s algorithm to factorize an \(N\) of length \(b\) bits has complexity approximately

\[b^3\]

. A 3072-bit RSA public key would provide \(\approx 34\) bits of security against a quantum computer running Shor’s algorithm. More recent estimates suggest it is possible to reach an efficiency closer to \(b^2\).

RSA and Shor’s algorithm

Note

Finding the period of the function \(a^k \mod N\) allows recovering the factors of \(N\).

Order of group elements

The order of a group element \(x\) is the smallest integer \(k\) for which \(a^k \equiv 1 \mod N\).

If no such \(k\) exists, the element is said to have infinite order. If it does, the subset \({a^j} \subseteq G\) is a subgroup of G generated by a, and its order is \(k\).

The order of every group element is a divisor of the number of group elements.

The order of the group \(G\) is the number of group elements in \(G\).

Lagrange’s theorem: the order of any subgroups of G is a divisor of the order of G itself.

Important

If \(x\) is a non-trivial solution to \(x^2-1\equiv 0 \pmod{N}\), then \((x\pm 1)\mid N\).

Warning

The factors of \(N\) can be efficiently recovered by \(\gcd(N,x\pm 1)\).

Consider the solutions to

\[ \begin{align} x^2 & \equiv 1 \pmod{N} \\ x^2 - 1^2 & = 0 \pmod{N} \\ (x+1)(x-1) & = 0 \pmod{N} \\ N & \mid (x+1)(x-1) \end{align} \]

\({1,-1}\) are solutions for any \(N\). There will be other solutions \(\neq \pm 1\) when \((x+1)(x-1)\) is divided by \(p\) or \(q\).

Example

Suppose \(p=3, q=7, N=21\). Non-trivial solutions are \({8,-8\equiv 13}\), for which \(\gcd(\pm x_i,N)={3,7}\) respectively.

Can’t we just use bigger keys?

No. Quantum algorithms for this particular problem scale much better than their classical best equivalent – polynomial (\(\approx n^2\)) vs. sub-exponential (\(e ^ {3 b^{1/3} \cdot (\log b)^{2/3}}\)), respectively. To keep using RSA with acceptable levels of securitty, we would have to increase public key sizes to terabytes. Scaling of GNFS vs quantum algorithms

Last updated on June 6, 2025