So there's an important group of attacks on RSA that are known as Wiener's attack, and they work as follows. So the idea behind RSA is that it relies on having a public encryption exponent e, and some public modulus n, and some private decryption exponent d, and factorization n equals p times q, where e d is going to be k times phi of n plus 1. And so again, the reason that that works is that if I take my message, raise it to power e, I get the encrypted message. If I then take the encrypted message, raise it to power d, that's the same as raising the original to power k phi of n plus 1. This portion drops out, and I have the original message raised to power 1, which is of course the original message.

Now, the thing that's important to note here is that in order to break the RSA system, what we actually need to know is phi of n. We don't really need that factorization of n. If we have the factorization of n, phi of n is the first thing that we find. If we don't have the factorization of n, but we do have the factorization of phi of n, we don't really care what the factorization of n is. So this suggests the following approach.

Now I'm going to make a couple of important observations here. And to begin with, again, we have our formula. If n is the product of two primes p and q, then phi of n is just going to be the product (p minus 1) times (q minus 1). And I'll expand that out using some basic simple algebra. And notice that right here I have this product pq, which is just n. And because p and q are very, very, very, very, very, very large prime numbers, this sum p plus q is going to be very small in comparison to the product p times q. And 1, of course, is going to be absolutely infinitesimal in the informal sense. So that says phi of n is pq minus (p plus q) plus 1. But it's reasonably good to approximate that as n. Now the other thing I know is that e d is k times phi of n plus 1. And so given that, I can rewrite and solve for e over phi of n.
And using the fact that phi of n is close to n, what that tells me is that e over n is approximately equal to k over d. The difference between these two is 1 over a very large number, essentially about nothing. And that tells me that these two fractional amounts have to be approximately equal. And phi of n is approximately n. So our chain of approximations tells us that e over n is approximately k over d. And what that says is that if I can approximate e over n with some rational number k over d, then there's a chance, at least, that my denominator is going to be my decryption exponent.

So now we have this problem. How do we find what those rational approximations are? And what we're going to do is we're going to use the theory of continued fractions to find those convergents. And so I'll begin by supposing that I do have a rational number k over d that approximates e over n. And my hope is that this rational number will give me a numerator I don't really care about, but the denominator may be the decryption exponent.

Now before I actually try and see if that works, I'll make a couple of observations that will make our life a lot easier. And so the first observation we're going to make is e d is going to be congruent to one mod phi of n. And because phi of n is the product of one less than two prime numbers, then phi of n is in general going to be even. So that means that d has to be an odd number. e will also have to be an odd number as well. But that tells me that d is going to be odd. So if my rational approximation gives me an even denominator, I'm going to ignore it. I don't have to do anything further with it, and I'll move on to the next convergent. The other thing that we want to check is that phi of n has to be a whole number. And so if you go back, we know that we had our guess as to what phi of n was as (e d minus one) over k. And so we check this value.
And if this isn't a whole number, we know that our value of d and k won't work and we'll move on to the next convergent.

Now, if our denominator passes these two checks, we could try and figure out whether or not it works as a decryption exponent. But we'll do something a little bit easier. And this is going to be based on the theory of quadratic equations. So again, we have our values p and q, whose product is the modulus n. And the thing to note, first of all, phi of n, again, (p minus one) times (q minus one). And expanding and simplifying a little bit, we get phi of n is n minus (p plus q) plus one. And we can solve that for p plus q. And let's consider the quadratic equation, (x minus p)(x minus q) equals zero. Now, this is a quadratic equation, so we know what the roots are. It's going to be p and q, which will turn out to be the prime factors of n. Now, if I expand that out, what I get is two things of note. First of all, the constant term is p times q. Well, that's just n. And the coefficient of x is going to be negative (p plus q). And I can express p plus q in terms of n and phi of n. So if I have the right values of e, d, and k that give me phi of n, I have a value for p plus q, and I have a quadratic equation, which I can, in theory, solve.

So I'll substitute those values in. And if we have the correct value of phi of n, the roots of the equation will be, first off, whole numbers. And they'll also be the factors of n. Now, that first point is actually important. The correct value of phi of n will give us whole number solutions, which means if I solve this quadratic equation, and in general it's a quadratic equation, I could solve it, but I might not get a whole number solution. If I don't get a whole number solution, then I know that I don't have the correct value of phi of n. If I do get whole number solutions, those solutions should be the factors of n. And if they are, then I know I have the correct value of phi of n, but who cares?
I know I have the correct value for the decryption exponent d, which is the thing we do care about.

So, for example, let's take an RSA encryption system and we'll have public modulus 64,741, and public exponent 42,667. And let's see if we can find the decryption exponent. So, again, the idea is that our decryption exponent will be part of a rational approximation to e over n. So I want to find the rational approximations to e over n, and I'll use the Euclidean algorithm to find the successive convergents in the expansion of e over n. So, I'll go ahead and start the Euclidean algorithm. The first convergent is going to be 0, and, well, I'll express that as a fraction, 0 over 1, k equals 0, d equals 1. Obviously, it won't work for decryption, so we'll move on to the next convergent. So our next convergent, continuing that, 0 plus 1 over 1 is 1 over 1. And again, that gives us decryption exponent equals 1, and presumably that's not going to work. Our next convergent, 1 over 2, that gives us a value for d that's even, but we know that d has to be an odd number, so, again, this won't work. Next convergent, 2 over 3, which suggests k equals 2, d equals 3, d is odd, passes the first check. Now we'll make sure that (e d minus 1) over k, our proposed value for phi of n, that should be a whole number, and it turns out it is.

So we've passed both checks, d is odd, phi of n is a whole number, and now we check to see if our corresponding quadratic equation has integer solutions. So our equation should have integer solutions. I know what n is. I have a guess as to phi of n, and so my quadratic equation substituting it in gives us this. Now, how do you solve a quadratic equation? Well, this type, you don't factor. Why not? Because if you could factor this, you wouldn't go through this whole problem. If you could factor this equation, you'd have a factorization of 64,471, and you don't have to factor n, and that would tell you what phi of n is.
On the other hand, we do have the quadratic formula, so applying the quadratic formula does give us 2 integer solutions, 641 and 101, and we verify that their product is, in fact, the product n, and that gives us our factorization. Who cares? More importantly, it tells us that d equals 3 is the correct decryption exponent.

Obviously, we want to avoid designing an RSA system that is susceptible to Wiener's attack, and we can do this in a couple of different ways. One, if we... One, which is really the more reliable way, is that we can check to see if Wiener's attack will give us the correct decryption exponent. Now, in general, we do have some guidelines for this. So again, thinking about how we set up an RSA system, we choose p and q and find the product as our public number, find our values e and d, and it's possible to prove, using results from number theory, that if q is less than p is less than 2q, in other words, if p is less than or equal to twice the other prime number, and d is less than one-third the fourth root of n, Wiener's attack will be successful. If you pick a small decryption exponent, or in other words, if you get your value of e and d and your decryption exponent is too small, Wiener's attack will succeed against that type of RSA system.

So what does that mean? Well, you should pick a large decryption exponent, and that guarantees that... Well, what it actually guarantees is that it guarantees that Wiener's attack is not guaranteed to succeed. Now, we should pick a large value. The thing we don't know at this point is there could be values greater than one-third the fourth root of n for which Wiener's attack will still work. That upper limit has not been thoroughly researched at this point. So what does that suggest? Well, pick your decryption exponent. Certainly if it fails this, it's a bad decryption exponent. So pick a large decryption exponent.
Better yet, start with a large decryption exponent and see if Wiener's attack will work to recover that decryption exponent. If it does, then it's a bad decryption exponent. If it doesn't, then it's probably a good decryption exponent, but the Red Queen's race that is cryptography does lead to one other problem. If d is very large, that avoids Wiener's attack here, e will tend to be small, and there's a whole family of low exponent attacks. So what does that mean? Well, it means you have to be very careful about your choice of e and d. More about that in later videos.
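
The key-generation check recommended at the end of the lecture (run the attack against your own key and reject the key if d comes back), written out as an added Python example that is not part of the lecture. The function names are assumptions chosen for illustration, and the second key in the demo is constructed from the lecture's primes.

```python
from math import isqrt

def convergents(num, den):
    """Yield convergents (k, d) of num/den using the Euclidean algorithm."""
    h0, h1 = 0, 1          # previous two numerators
    k0, k1 = 1, 0          # previous two denominators
    while den:
        a, r = divmod(num, den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1
        num, den = den, r

def wiener_recover_d(n, e):
    """Return (d, p, q) if a convergent of e/n passes all checks, else None."""
    for k, d in convergents(e, n):
        if k == 0 or d % 2 == 0:        # check 1: d must be odd
            continue
        if (e * d - 1) % k:             # check 2: phi guess must be whole
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                 # p + q
        disc = s * s - 4 * n            # discriminant of x^2 - s*x + n
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue                    # roots are not whole numbers
        p, q = (s + root) // 2, (s - root) // 2
        if q > 1 and p * q == n:        # check 3: roots factor n
            return d, p, q
    return None

def below_wiener_bound(n, d):
    """True when d < (1/3) * n^(1/4), tested in integers as 81 * d^4 < n."""
    return 81 * d ** 4 < n

def key_is_acceptable(n, e, d):
    """Key-generation gate: reject small d and any d the attack recovers."""
    return not below_wiener_bound(n, d) and wiener_recover_d(n, e) is None

if __name__ == "__main__":
    print(wiener_recover_d(64741, 42667))       # the lecture's key
    print(key_is_acceptable(64741, 42667, 3))   # lecture's key as a keygen candidate
    print(key_is_acceptable(64741, 3, 42667))   # constructed: same primes, e and d swapped
```

The constructed key passes this gate only because d is large; its e of 3 falls into the low exponent family the lecture mentions, which this check does not cover.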