## Recovering $p,q$ having $d$

As stated in fact 1, for a public key $ \langle N, e \rangle $ given the private key $d$, one can effictively recover the factorisation of N.

Notice that  
$k = ed - 1$ and $ k | φ(N) $, which is even.
Therefore $g_1 = g^{k/2}$ is a square root of unity for $g \in \mathbb{Z^{*}_n}$. 

By applying the CRT it is evident that $g_1 \equiv \pm 1 \mod q, g_1 \equiv \pm 1 \mod p $ and thus 2 out of the possible 4 roots reveal the factorization of $N$. 

According to the paper (proof of fact 1 - page 3) , for a random choice of $g$ the probability that any element of the sequence $g^{k/{2^t}} \equiv -1 \mod p$ (or mod q) is $50\%$.

In [3]:
p = random_prime(2^1024)
q = random_prime(2^1024)

n = p * q

e = 0x10001

phi = (p - 1)*(q - 1)

d = pow(e, -1, phi)

In [None]:
k = e*d - 1

pp = 1
for g in range(2,2**16):

    k_t = k
    while k_t % 2 == 0:
        k_t //= 2
        rt = pow(g,k_t,n)
        
        pp = gcd(rt - 1, n)
        
        if pp > 1 and pp != n:
            print(pp)
            break
    if pp > 1 and pp != n:
        break

qq = n // pp

print('[+] Recovered the factorisation of N')
print(f'{pp=} \n {qq=}')
