Expand description
Structural factoring: the AIT thesis applied to public-key crypto.
The compressibility ladder crushes symmetric keystreams by finding their structure — a short
feedback register, a correlation, a low-degree annihilator. RSA lives in a different universe: its
security is integer factorization of N = p·q, not sequence structure. But the same thesis governs
it. A weak RSA modulus is one with exploitable STRUCTURE, and every classical factoring attack is a
structure-detector: a small factor, primes that sit too close, a smooth p−1, a shared prime across
moduli, a small private exponent. Each such structure is a compression — a short description of the
secret — and each attack returns a re-checkable WITNESS (the factors themselves, p·q = N).
The point of building the whole arsenal is the ceiling: run every structural attack against a soundly-generated modulus — two large, independent, well-separated strong primes — and it finds NOTHING within budget. RSA’s safety is precisely that its modulus is the number-theoretic incompressible residue: no structural shortcut exists, and only the general (sub-)exponential algorithms remain, which real key sizes push out of reach. Crush every structured form; the sound form stands. That standing IS the proof.
Structs§
- Structural
Budget - The effort budget for
structural_factor: each structural attack runs to its own bound, then declines. A soundly-generated modulus exhausts every bound and yields no witness. - Structural
Witness - A certified structural weakness: the factors and the attack that found them.
Functions§
- batch_
gcd - Batch GCD: catches a shared prime reused across moduli — the classic failure of low-entropy key
generation. Any pair with
gcd(Nᵢ, Nⱼ) > 1hands over the common factor for free. - boneh_
durfee - Boneh–Durfee: recover the factorization from a small private exponent
d < N^{0.284}— beyond Wiener’sN^{0.25}— by bivariate Coppersmith. Sincee·d − 1 = k·φ(N)andφ(N) = N + 1 − (p+q), the polynomialf(x, y) = x·y + (N+1)·x + 1has the small root(x₀, y₀) = (k, −(p+q))moduloe. The lattice ofx- andy-shifts off, LLL-reduced (fast float-Gram-Schmidt), yields short bivariate polynomials sharing that root; a resultant eliminatesx, its root givess = p+q, andz² − s·z + NsplitsN.m,tsize the lattice;x_bound = N^δboundsk. Returns(p, q)orNone. - common_
modulus_ attack - Common-modulus attack: recover
mwhen the SAME message is sent to the same modulusNunder two coprime public exponentse₁, e₂(a key-reuse mistake). Bézout givesa·e₁ + b·e₂ = 1, soc₁ᵃ · c₂ᵇ = m^{a·e₁ + b·e₂} = m (mod N)— negative exponents handled by inverting the ciphertext. - coppersmith_
factor_ high_ bits - Factor
Nfrom the high bits of one prime (Coppersmith’s method). We knowp = p_high + x₀with0 ≤ x₀ < 2^unknown_bits; the monic linear polynomialf(x) = x + p_highhas the small rootx₀modulo the unknown factorp. Coppersmith builds a lattice from theN-power andx-shift multiples off(all vanishing modulopᵐatx₀), LLL-reduces it, and reads a short vector whose small root is an INTEGER root of a real polynomial — recoveringx₀, hencep. This is the LATTICE lens: a factorization from PARTIAL knowledge that no factoring shortcut (Fermat, rho,p−1) can provide. - crt
- Chinese Remainder Theorem: the unique
xin[0, ∏mᵢ)withx ≡ residuesᵢ (mod moduliᵢ)for pairwise-coprimemoduli, orNoneif a modular inverse fails (moduli not coprime). - dixon_
factor - Dixon’s method: factor
Nvia a congruence of squares found by a GF(2) dependency among smooth relations (see the module note above). Searchesr = ⌈√N⌉, ⌈√N⌉+1, …for up totriessteps to gather relations whoser² mod Nis smooth overbase, then combines them. Returns(p, q)orNone(not enough smooth relations found, or only trivial congruences). Reuses our GF(2) symmetry-breaking on RSA’s ring structure. - factor_
via_ private_ exponent - Factor
Nfrom the RSA private exponentd(Miller’s deterministic reduction). Sincee·d − 1is a multiple ofλ(N), writing it ast·2ˢand raising a basegtot·2ⁱwalks a chain that ends at1; a step where the value squares to1while itself being≠ ±1is a NONTRIVIAL square root of unity, andgcd(x − 1, N)splitsN. This is the converse ofrsa_private_exponent: it proves that recovering the private key is computationally equivalent to factoring the modulus — the two are one problem, so RSA breaks exactly whenNfactors. Returns(p, q)orNone(no base worked). - fermat
- Fermat’s method: catches primes that sit too close —
N = a² − b²withajust above√N, so a few steps expose(a−b, a+b). Structurally, close primes are a compressed key (one prime nearly fixes the other). - franklin_
reiter_ attack - Franklin–Reiter related-message attack: recover
mfrom ciphertexts of two LINEARLY RELATED messagesmandm + r(knownr) under the same modulusNand a small public exponente. Bothg₁(x) = xᵉ − c₁andg₂(x) = (x + r)ᵉ − c₂have the rootx = m mod N, so their GCD over(ℤ/N)[x]is the linear factorx − m, andmis read straight off it. The lens: two ciphertexts sharing a hidden root, extracted by polynomial GCD. - gcd
- The greatest common divisor of
|a|and|b|(Euclid). - hastad_
broadcast_ attack - Håstad’s broadcast attack: recover the plaintext
mfromk ≥ eciphertextscᵢ = mᵉ mod Nᵢof the SAME message under a small public exponenteand distinct moduli (see the module note above). CRT reconstructsmᵉexactly, and its integere-th root ism. Returns the recovered message, orNoneif the CRT fails or the result is not a perfecte-th power (the preconditionk ≥ edid not hold). - integer_
nth_ root - The integer
n-th root⌊x^{1/n}⌋(Newton’s method, overestimate seed then monotone descent, exact final adjustment — then-th-root analogue ofisqrt). - is_
probable_ prime - Miller–Rabin primality over [
MR_BASES]. - isqrt
- The integer square root
⌊√n⌋(Newton’s method). The floating-point seed is only ~15 digits precise, so it is first forced to an OVERESTIMATE (x² ≥ n, a handful of doublings); from above, the Newton iterationx ← ⌊(x + ⌊n/x⌋)/2⌋decreases monotonically and halts exactly at⌊√n⌋. - low_
exponent_ message - Low-exponent / no-padding attack: if
mᵉ < N(a small message under a small public exponent with no padding), thenc = mᵉover the integers, so the plaintext is just the integere-th root ofc. - mod_
inverse - The modular inverse
a⁻¹ mod mvia the extended Euclidean algorithm, orNoneifgcd(a, m) ≠ 1. - modpow
- Modular exponentiation
base^exp mod mwith a fullBigIntexponent (square-and-multiply, the exponent’s bits read off by repeated halving). - next_
prime - The smallest prime
≥ start. - pollard_
p_ minus_ 1 - Pollard’s
p − 1: catches a prime with a smoothp − 1. Raising a base toB!collapses to1modulo any prime whosep − 1isB-smooth, andgcd(a − 1, N)exposes it — the smoothness is the structure. - pollard_
rho - Pollard’s rho (
f(x) = x² + 1, Floyd cycle detection): the general-purpose structural probe. ExpectedO(N^{1/4}), so it crushes moderate semiprimes but is bounded out on a large sound modulus. - quadratic_
sieve - The quadratic sieve (see the module note above): factor
Nby log-sievingQ(x) = (⌈√N⌉+x)² − Nover[0, m_interval)against the factor base of primes≤ bfor whichNis a quadratic residue, then combining smooth relations through a GF(2) dependency. Returns(p, q)orNone. - rsa_
private_ exponent - Derive the RSA private exponent
d = e⁻¹ mod φ(N)from the public exponent and the two primes (φ = (p−1)(q−1)), orNoneifeis not coprime toφ. The “if you can factor, you can break RSA” direction: the factorization hands over the private key. - structural_
factor - Run the whole structural arsenal against
nwithinbudget, returning the first certified factorization found, orNone— the number-theoretic incompressible residue (a sound modulus has no structural shortcut, so only the general sub-exponential algorithms, out of scope here, remain). - trial_
division - Trial division up to
limit: catches a small factor — a modulus that leaked a tiny prime. - verify_
factorization - A nontrivial factorization
p·q = n(1 < p, q < n) — the re-checkable witness every attack returns. - wiener
- Wiener’s attack: catches a small private exponent
d(d < ⅓ N^{1/4}). The convergents of the continued fraction ofe/Nincludek/d; fromdwe recoverφ(N), thenp, qas roots ofx² − (N − φ + 1)x + N. A smalldis a compressed private key — and this reuses the very continued-fraction / rational-reconstruction machinery the 2-adic FCSR rung was built on.