问题:
Question 1
Your goal in this project is to break RSA when the public modulus N is generated incorrectly. This should serve as yet another reminder not to implement crypto primitives yourself.
Normally, the primes that comprise an RSA modulus are generated independently of one another. But suppose a developer decides to generate the first prime p by choosing a random number R and scanning for a prime close by. The second prime q is generated by scanning for some other random prime also close to R . We show that the resulting RSA modulus N=pq can be easily factored.
Suppose you are given a composite N and are told that N is a product of two relatively close primes p and q , namely p and q satisfy
|p−q|<2N1/4 (*)
Your goal is to factor N .
Let A be the arithmetic average of the two primes, that is A=p+q2 . Since p and q are odd, we know that p+q is even and therefore A is an integer.
To factor N you first observe that under condition (*) the quantity N−−√ is very close to A . In particular
A−N−−√<1
as shown below. But since