Practical attacks on small private exponent RSA: new records and new insights

Abstract

As a typical representative of the public key cryptosystem, RSA has attracted a great deal of cryptanalysis since its invention, among which a famous attack is the small private exponent attack. It is well-known that the best theoretical upper bound for the private exponent d that can be attacked is \(d\le N^{0.292}\), where N is a RSA modulus. However, this bound may not be achieved in practical attacks since the lattice constructed by Coppersmith method may have a large enough dimension and the lattice-based reduction algorithms cannot work so well in both efficiency and quality. In this paper, we propose a new practical attack based on the binary search for the most significant bits (MSBs) of prime divisors of N and the Herrmann-May’s attack in 2010. The idea of binary search is inspired by the discovery of phenomena called “multivalued-continuous phenomena”, which can significantly accelerate our attack. Together with several carefully selected parameters according to our exact and effective numerical estimations, we can improve the upper bound of d that can be practically achieved. More specifically, without the binary search method, we successfully attack RSA with a 1024-bit-modulus N when \(d\le N^{0.285}\). Moreover, by our new method, we can implement a successful attack for a 1024-bit-modulus RSA when \(d\le N^{0.292}\) and for a 2048-bit-modulus RSA when \(d\le N^{0.287}\) in about a month. We believe our method can provide some inspiration to practical attacks on RSA with mainstream-size moduli.

Appendices

Appendix A: Proof of Lamma 3

Proof

Take \(\tau =t/m\), then we have

$$\begin{aligned} s_{X}= & {} \sum _{k=0}^{m}\sum _{i=0}^{m-k}i=\sum _{k=0}^{m}\frac{(m-k)(m-k+1)}{2} \\= & {} \frac{1}{2}\sum _{k=0}^{m}\left( m(m+1)-(2m+1)k+k^{2}\right) \\= & {} \frac{1}{2}\left( m(m+1)^{2}-(2m+1)\frac{m(m+1)}{2}+\frac{m(m+1)(2m+1)}{6} \right) \\= & {} \frac{m(m+1)(m+2)}{6}, \\ s_{Y}= & {} \sum _{j=1}^{\tau m}\sum _{k=\big \lfloor \frac{1}{\tau } \big \rfloor j}^{m}j=\sum _{j=1}^{\tau m}j\left( m-\Bigg \lfloor \frac{1}{ \tau }\Bigg \rfloor j+1\right) \\= & {} \sum _{j=1}^{\tau m}(m+1)j-\sum _{j=1}^{\tau m}\Bigg \lfloor \frac{1}{\tau } \Bigg \rfloor j^{2} \\= & {} \frac{(m+1)\tau m(\tau m+1)}{2}-\Bigg \lfloor \frac{1}{\tau }\Bigg \rfloor \cdot \frac{\tau m(\tau m+1)(2\tau m+1)}{6} \\\approx & {} \frac{(m+1)\tau m(\tau m+1)}{2}-\frac{1}{\tau }\cdot \frac{\tau m(\tau m+1)(2\tau m+1)}{6} \\= & {} \frac{\tau ^{2}m^{3}+3\tau ^{2}m^{2}+3\tau m-m}{6}, \\ s_{U}= & {} \sum _{k=0}^{m}\sum _{i=0}^{m-k}k+\sum _{j=1}^{\tau m}\sum _{k=\big \lfloor \frac{1}{\tau }\big \rfloor j}^{m}k \\= & {} \sum _{k=0}^{m}k(m-k+1)+\sum _{j=1}^{\tau m}\frac{\left( m+\Bigg \lfloor \frac{1}{\tau }\Bigg \rfloor j\right) \left( m-\Bigg \lfloor \frac{1}{\tau } \Bigg \rfloor j+1\right) }{2} \\\approx & {} \sum _{k=0}^{m}k(m-k+1)+\sum _{j=1}^{\tau m}\frac{(m+\frac{1}{\tau } j)(m-\frac{1}{\tau }j+1)}{2} \\= & {} \sum _{k=0}^{m}k(m+1)-\sum _{k=0}^{m}k^{2}+\frac{1}{2}\sum _{j=1}^{\tau m}(m+ \frac{1}{\tau }j)(m-\frac{1}{\tau }j+1) \\= & {} \sum _{k=0}^{m}k(m+1)-\sum _{k=0}^{m}k^{2}+\frac{1}{2}\sum _{j=1}^{\tau m}\left( m(m+1)+\frac{1}{\tau }j-\frac{1}{\tau ^{2}}j^{2}\right) \\= & {} \frac{m(m+1)^{2}}{2}-\frac{m(m+1)(2m+1)}{6} \\{} & {} +\frac{1}{2}\left( m(m+1)\tau m+\frac{\tau m(\tau m+1)}{2\tau }-\frac{\tau m(\tau m+1)(2\tau m+1)}{6\tau ^{2}}\right) \\= & {} \frac{m(m+1)(m+2)}{6}+\frac{(4\tau ^{2}m^{3}+(9\tau ^{2}-3\tau )m^{2}+(3\tau -1)m)}{12\tau } \\= & {} \frac{(4\tau ^{2}+2\tau )m^{3}+(9\tau ^{2}+3\tau )m^{2}+(7\tau -1)m}{ 12\tau },\\ s_{e}= & {} \sum _{k=0}^{m}\sum _{i=0}^{m-k}(m-k)+\sum _{j=1}^{\tau m}\sum _{k=\big \lfloor \frac{1}{\tau }\big \rfloor j}^{m}(m-k) \\= & {} \sum _{k=0}^{m}(m-k)(m-k+1) \\{} & {} +\sum _{j=1}^{\tau m}\left( m\left( m-\Bigg \lfloor \frac{1}{\tau }\Bigg \rfloor j+1\right) -\frac{\left( m+\Bigg \lfloor \frac{1}{\tau }\Bigg \rfloor j\right) \left( m-\Bigg \lfloor \frac{1}{\tau }\Bigg \rfloor j+1\right) }{2}\right) \\\approx & {} \sum _{k=0}^{m}(m-k)(m-k+1) \\{} & {} +\sum _{j=1}^{\tau m}\left( m\left( m-\frac{1}{\tau }j+1\right) -\frac{\left( m+\frac{1}{\tau } j\right) \left( m-\frac{1}{\tau }j+1\right) }{2}\right) \\= & {} \sum _{k=0}^{m}(m(m+1)-(2m+1)k+k^{2})+\frac{1}{2}\sum _{j=1}^{\tau m}\left( \left( m-\frac{1}{\tau }j\right) \left( m-\frac{1}{\tau }j+1\right) \right) \\= & {} m(m+1)^{2}-\frac{(2m+1)m(m+1)}{2}+\frac{m(m+1)(2m+1)}{6} \\{} & {} +\sum _{j=1}^{\tau m}\left( m(m+1)-(2m+1)\frac{1}{\tau }j+\frac{1}{\tau ^{2} }j^{2}\right) \\= & {} \frac{m(m+1)(m+2)}{3} \\{} & {} +\frac{1}{2}\left( m(m+1)\tau m-\frac{(2m+1)\tau m(\tau m+1)}{2\tau }+ \frac{\tau m(\tau m+1)(2\tau m+1)}{6\tau ^{2}}\right) \\= & {} \frac{m(m+1)(m+2)}{3}+\frac{2\tau ^{2}m^{3}+(3\tau ^{2}-3\tau )m^{2}-(3\tau -1)m}{12\tau }, \\ \dim L= & {} \sum _{k=0}^{m}\sum _{i=0}^{m-k}1+\sum _{j=1}^{\tau m}\sum _{k=\big \lfloor \frac{1}{\tau }\big \rfloor j}^{m}1 \\= & {} \sum _{k=0}^{m}(m-k+1)+\sum _{j=1}^{\tau m}\left( m-\Bigg \lfloor \frac{1}{ \tau }\Bigg \rfloor j+1\right) \\\approx & {} \sum _{k=0}^{m}(m-k+1)+\sum _{j=1}^{\tau m}\left( m-\frac{1}{\tau } j+1\right) \\= & {} (m+1)^{2}-\frac{m(m+1)}{2}+\tau m(m+1)-\frac{1}{\tau }\cdot \frac{\tau m(\tau m+1)}{2} \\= & {} \frac{(m+1)(m+2)}{2}+\frac{\tau m^{2}+(2\tau -1)m}{2}. \end{aligned}$$

The proof of Lamma 3 has completed. \(\square \)

Appendix B: Proof of Proposition 1

Proof

It must be pointed out that the largest size of the vector norm B can be perfectly approximated by the maximum component of all the vectors in the lattice basis, e.g., the maximum coefficient of the term in all the polynomials.

At first we compute B in the lattice of the HM2010 attack. Note that vectors are produced by x-shift polynomials and y-shift polynomials:

$$\begin{aligned} \tilde{g}_{i,k}(u,x)&=x^{i}\tilde{f}^{k}e^{m-k},\,i=0,\ldots ,m-k, \,k=0,\ldots ,m \\ \tilde{h}_{j,k}(u,x,y)&=y^{j}\tilde{f}^{k}e^{m-k},\,j=1,\ldots ,\tau m, \,k=\lfloor 1/\tau \rfloor j,\ldots ,m, \end{aligned}$$

where \(\tilde{f}(u,x)=A+ux\) and \(t=\tau m\).

(I) The size of the maximum coefficient in \( {\varvec{x}}\) -shift polynomials

Note that

$$\begin{aligned} \tilde{g}_{i,k}(u,x)=x^{i}\tilde{f}^{k}e^{m-k}=\sum \limits _{a=0}^{k}\left( {\begin{array}{c}k \\ a\end{array}}\right) x^{i}u^{a}A^{k-a}x^{k-a}e^{m-k}. \end{aligned}$$

Terms in \(\tilde{g}_{i,k}(u,x)\) are of the form \(\left( {\begin{array}{c}k\\ a\end{array}}\right) u^{a}A^{k-a}x^{k-a+i}e^{m-k}.\) The final coefficients of such terms (i.e., the values of vector components when constructing lattices) is \(\left( {\begin{array}{c}k\\ a\end{array}}\right) U^{a}A^{k-a}X^{k-a+i}e^{m-k}\) with a size of

$$\begin{aligned} \left( a\left( \frac{1}{2}+\delta \right) +k-a+(k-a+i)\delta +m-k\right) \log N=\left( m- \frac{1}{2}a+(k+i)\delta \right) \log N. \end{aligned}$$

The size of the maximum coefficient is \(\varvec{(m+m\delta )\log N}\) according to the formula above since \(0\le a\le k<m,0\le k+i\le k+m-k=m.\)

(II) The size of the maximum coefficient in \( {\varvec{y}}\) -shift polynomials

Note that Terms in \(\tilde{h}_{j,k}(u,x,y)\) is of the form \(\left( {\begin{array}{c}k\\ b\end{array}}\right) y^{j}u^{b}A^{k-b}x^{k-b}e^{m-k}.\)

Case A

When \(j\ge k-b\),

$$\begin{aligned} \sum \limits _{b=0}^{k}\left( {\begin{array}{c}k\\ b\end{array}}\right) y^{j}u^{b}A^{k-b}x^{k-b}e^{m-k} = \sum \limits _{b=0}^{k}\left( {\begin{array}{c}k\\ b\end{array}}\right) y^{j-(k-b)}u^{b}A^{k-b}e^{m-k}(u-1)^{k-b}. \end{aligned}$$

Therefore, the term which has the maximum coefficient is \(\left( {\begin{array}{c}k\\ b\end{array}}\right) y^{j-(k-b)}A^{k-b}u^{k}e^{m-k}\) with the final coefficient \(\left( {\begin{array}{c}k\\ b\end{array}}\right) Y^{j-(k-b)}A^{k-b}U^{k}e^{m-k}.\) In this case the size of the maximum coefficient is

$$\begin{aligned} \left( \frac{1}{2}(j-(k-b))+k\left( \frac{1}{2}+\delta \right) +k-b+m-k\right) \log N=\left( \frac{1}{2}j-\frac{1}{2}b+\delta k+m\right) \log N. \end{aligned}$$

We get \(\left( \frac{1}{2}j-\frac{1}{2}b+\delta k+m\right) \log N\le ( \frac{1}{2}j-\frac{1}{2}b+\delta j+\delta b+m)\) for \(k\le j+b.\) Finally, the size of the maximum coefficient is \(\varvec{(m+\tau \delta m+\frac{1}{2}\tau m)\log N}\) when \(j=\tau m, b=0\) as \(0\le b\le k\le m,1\le j\le \tau m.\)

Case B

When \(j< k-b\), after a similar discussion as Case A, we can get the size of the maximum coefficient in \(y^{j}\tilde{f}^{k}e^{m-k}\) is

$$\begin{aligned} \left( (b+j)\left( \frac{1}{2}+\delta \right) +k-b+(k-b-j)\delta +m-k\right) \log N=\left( \frac{1}{2}j-\frac{1}{2}b+\delta k+m\right) \log N. \end{aligned}$$

Finally, since \(j< k-b,0\le b\le k,1\le j\le \tau m,\lfloor 1/\tau \rfloor j\le k\le m\), the size of the maximum coefficient is \(\varvec{(m+\delta m+ \frac{1}{2}\tau m)\log N}\) when \(j=\tau m,b=0,k=m\).

According to the detailed discussion, we obtain that

$$\begin{aligned} B&=\max \left\{ (m+m\delta )\log N,\left( m+\tau \delta m+\frac{1}{2}\tau m\right) \log N,\left( m+\delta m+\frac{1}{2}\tau m\right) \log N\right\} \\&=\left( m+\delta m+\frac{1}{2}\tau m\right) \log N. \end{aligned}$$

At the second step we compute B in our lattice. Use the notations above, the upper bound of each variable becomes to

$$\begin{aligned} x^{\prime }< & {} X^{\prime }=N^{\delta },\,y^{\prime }<Y^{\prime }=N^{ \frac{1}{2}-\xi }, \\ e< & {} N,\,u^{\prime }<U^{\prime }=N^{\delta +\frac{1}{2}-\xi }, \end{aligned}$$

where \(2^{s}=N^{\xi }\) and s is the amount of MSBs exhaustion. Note that the terms in the polynomials do not change while the bounds of variables differs comparing the lattice of HM2010 with ours. With a simple analysis as former, we can obtain the maximum sizes of coefficient in \(x^{\prime }\)-shift polynomials and \(y^{\prime }\)-shift polynomials are \((m+m\delta )\log N\) and \((m+\delta m+(\frac{1}{2}-\xi ) \tau m)\log N\). Finally we obtain \(\varvec{B=(m+\delta m+(\frac{1}{2}-\xi )\tau m)\log N}.\)

Based on the discussion above, we can see that the largest size of vector norm B is \(\varvec{(m+\delta m+(\frac{1}{2}-\xi )\tau m)\log N}\). The proof of Proposition 1 has completed. \(\square \)

Appendix C: Detailed parameters of the three experiments in Table 9

Exp. 1

\(N=\)

$$\begin{aligned}{} & {} 46126089040452448339448600417060313922101098426244293259787635 \\{} & {} 87074530673491676174094741308570008991308086429133694253082502 \\{} & {} 08322979383825756505663848479411358228528222527395327435101891 \\{} & {} 24124500359010333442383692988340095271183825614638791911699269 \\{} & {} 162046275028679426500348785157345976662456325437259705160061 \end{aligned}$$

\(e=\)

$$\begin{aligned}{} & {} 36614584641331081308456049556562616703353184435474954472543851 \\{} & {} 64159874655507513240178939924241301243795285290427026969984191 \\{} & {} 93417336370186256151741426122690631967234543279797441311494545 \\{} & {} 48205774006091224643569311902728986446145416739772661245661572 \\{} & {} 872595702072188094041649860081717657262961694486055770442903 \end{aligned}$$

\(p=\)

$$\begin{aligned}{} & {} 67948679188399660033177882768593480036059591634701532395565550 \\{} & {} 86565666723761153014913169297896634069961179454031340099285043 \\{} & {} 376680194594851361518965438191 \end{aligned}$$

\(q=\)

$$\begin{aligned}{} & {} 67883716933716631074522673334050992083124031396996898938020837 \\{} & {} 71485358806632262195329165541096647967833821293875054198640528 \\{} & {} 209010624705809648621661183571 \end{aligned}$$

\(d=\)

$$\begin{aligned}{} & {} 68845001992677564960353986498476584008893082985088950620216788 \\{} & {} 3636867990095285712393863167 \end{aligned}$$

Exp. 2

\(N=\)

$$\begin{aligned}{} & {} 93502450932903310633064573151907317024294867669134678632093362 \\{} & {} 46297788099166895737544153127851852138932264560083819167132205 \\{} & {} 42943047406167744180006421454219231575086254775401435086568101 \\{} & {} 80893794178324182089403622394064939255883017451942933893424910 \\{} & {} 850870147643227272288485474147840684850717753717586472451201 \end{aligned}$$

\(e=\)

$$\begin{aligned}{} & {} 66858620224726705843141951973966747720864781039484831550691634 \\{} & {} 09294281451926768980157225811154880346715028924829626919171141 \\{} & {} 60786364943066431341308061576266724936876531701099477141597025 \\{} & {} 75928828432166081285992511952702707653041998543208057095834381 \\{} & {} 069598542543859865005532560613469773387993762913083830903645 \end{aligned}$$

\(p=\)

$$\begin{aligned}{} & {} 99518569133681654608883617987619781762536839523918823141580161 \\{} & {} 97123835376178581844008644586889905048955222245453609041221097 \\{} & {} 121126837776453250821684510563 \end{aligned}$$

\(q=\)

$$\begin{aligned}{} & {} 93954778235710974203677377216985836253852371657508142242651124 \\{} & {} 33882347772961954728089804437932682899351880809635985985823721 \\{} & {} 278448590959326657930561582027 \end{aligned}$$

\(d=\)

$$\begin{aligned}{} & {} 84621421118866086279480677455817189905395785567701311624227231 \\{} & {} 1992184907517426187202723837 \end{aligned}$$

Exp. 3

\(N=\)

$$\begin{aligned}{} & {} 10205793884912309428243538885795108687967400364358859068757105 \\{} & {} 27366676256258700648163154922583229485417321567269849917383364 \\{} & {} 64656067954130787989822823376442710598097310129836268241537114 \\{} & {} 71952829908327055972448207678376586518255364121854918727930884 \\{} & {} 3770512577006453837517293155340490761206708661611812914183899 \end{aligned}$$

\(e=\)

$$\begin{aligned}{} & {} 80900458040712014796201499026385729329804135026384835491013425 \\{} & {} 86092605732136485389209880857013543736344572515888256253718707 \\{} & {} 08436780537181756263571337006232687007715876604623603003318929 \\{} & {} 36401425760635712653711506424050436067133668344381418365690036 \\{} & {} 931579614717233156905341293247889945042931394909865508914479 \end{aligned}$$

\(p=\)

$$\begin{aligned}{} & {} 130550858861846841747727958575739547701679174283776488146464000 \\{} & {} 035126653179894990637272044524427541060375052834227051238884085 \\{} & {} 86029300473284150150163760489 \end{aligned}$$

\(q=\)

$$\begin{aligned}{} & {} 781748505822731655261191706621539039622764767903458858428781536 \\{} & {} 263460148861416123276603543978929241699568615263385404823218907 \\{} & {} 1292155782177922355115574691 \end{aligned}$$

\(d=\)

$$\begin{aligned}{} & {} 868126999952902548361525189983896174511773826207382896837234598 \\{} & {} 157112101757767726001029119 \end{aligned}$$

Appendix D: Detailed parameters of the three experiments in Table 10

Exp. 4

\(N=\)

$$\begin{aligned}{} & {} 13108249020538785310663414698582637064820950198561878706735851 \\{} & {} 65703644339810427940041439226962830915168487281788869208017778 \\{} & {} 64923887358082167988616026368541195282045124591109789444274263 \\{} & {} 26718715032735164557685449265721895500116475985815536552066383 \\{} & {} 98902635748400290357538362875036895327848802671465354828268316 \\{} & {} 19459190428496888414853786863007208331552517424436288121969788 \\{} & {} 57993634225342593766658498158262129054566502609859174903015093 \\{} & {} 10543060200243513864877744474764130353698543557524799219837216 \\{} & {} 81177688022836416789341375825625350075504640416012415003418082 \\{} & {} 73695609938403611734357471580735947449865433515838599015767 \end{aligned}$$

\(e=\)

$$\begin{aligned}{} & {} 89451479500251299951266471597772406719039486388733814263161727 \\{} & {} 77277693744087994022236345476762214316234081707614457014149993 \\{} & {} 07086353862705412696231771650983658024823969641299772311875452 \\{} & {} 35751367575578627668994418983506635558378045495835658481986197 \\{} & {} 64498956959651824723201619704850371101473507734971701102683193 \\{} & {} 24725402870657449338885605852347781947910706904405925408817023 \\{} & {} 60111680067003156460400937994396681812731602263538839593687345 \\{} & {} 62219589235850846108119781315380911546600335260644624325458166 \\{} & {} 47435720465040339844832330681577201708958823066483795645154297 \\{} & {} 8645874176685545024632447680732323591071139368778498577639 \end{aligned}$$

\(p=\)

$$\begin{aligned}{} & {} 12475716189463277471168125160458453539576717759904860818958950 \\{} & {} 12014825348919743719578184669777821230125550070704404895576204 \\{} & {} 52941396889634025921970794255590369593505603793752936553527919 \\{} & {} 38379990938303607598997653011866480954848015397181895617491220 \\{} & {} 3077504115908974119391542269233365957211095336385587786710643 \end{aligned}$$

\(q=\)

$$\begin{aligned}{} & {} 10507011238047985984905944714077857914018323916121653018787711 \\{} & {} 19630266681204488009378026133638912480941505942176252858307437 \\{} & {} 32991043217939651634566680101998984493904772645000773580396638 \\{} & {} 66392564560306397986626626825696478790443273047686349310580634 \\{} & {} 5028770283044102294594624281933734776943133629178895741769869 \end{aligned}$$

\(d=\)

$$\begin{aligned}{} & {} 16203833775447352356853531181274614215508930119487698497783433 \\{} & {} 20417126835821821597640064942591829248499538916881397751938428 \\{} & {} 70347081603575753080006255052855504063533452418351103 \end{aligned}$$

Exp. 5

\(N=\)

$$\begin{aligned}{} & {} 18909672181904151395097968169920434800151774976081336450891174\\{} & {} 87637992213220042585977009330732380044765810427401976038590837\\{} & {} 11873143826745772602607516127893011661052190642253756693227076\\{} & {} 98926584779010796261564768643160271391197294787916627864241401\\{} & {} 91442506166372883954050983092065122469794049346568026032600851\\{} & {} 06520619119309685394418339932570134971764214265160652504821910\\{} & {} 54728868131847284573195025675911240577689925121207663441802463\\{} & {} 95424763276465590987069458679529387973710595569647138338589685\\{} & {} 41003463475729539029975985698319117707054049488848688491897152\\{} & {} 76445558134402328090544913847971380379882458726005541831877 \end{aligned}$$

\(e=\)

$$\begin{aligned}{} & {} 71750525858644602573827151612109334198329801833575974634891308\\{} & {} 81495398383619485101066743946892399989979056836606216684862725\\{} & {} 57211251358518687663563498732052487860671897005525731875587709\\{} & {} 48285298803158025787222714686015007936511780408515333161477308\\{} & {} 33938515599770436750069222320451660592526204534805678560379611\\{} & {} 66401313318683780361047153401836775380248541241640858508425424\\{} & {} 17567958496040977474953521700071041506080838448030690016792476\\{} & {} 72933113105225110610011794291511678512931585633775157710522063\\{} & {} 46208952124338836289923112469153753848820848393483936342199771\\{} & {} 0031387152470262859696222361705999483806613844394759888651 \end{aligned}$$

\(p=\)

$$\begin{aligned}{} & {} 17632053007251238779460491844609267953184637057432293238819260\\{} & {} 45182034840480286908458849795483938148101996899679104684164224\\{} & {} 74443986695404811633893785378170226481910000920070470403858119\\{} & {} 63853022804280585705368356890551045545683993527388328068472661\\{} & {} 0142603148675130345130093490471284531708421254883794726933731 \end{aligned}$$

\(q=\)

$$\begin{aligned}{} & {} 10724600348086231138978615424494121452147302572884539393558466\\{} & {} 49494608032097842525445414641585733688186933655325569963690234\\{} & {} 73297386324910499142225474129024782995490552263782465106021625\\{} & {} 38318333121616296839163140328592966430893795983414382893135148\\{} & {} 9815771244076937362708739778582739737422552531974179680294967 \end{aligned}$$

\(d=\)

$$\begin{aligned}{} & {} 74371802615146241472896188271041978689492703240379646141995046\\{} & {} 73820493661253184594168451370887921723607130820247798059973262\\{} & {} 06710810842150444333271043589416784775482885854461951 \end{aligned}$$

Exp. 6

\(N=\)

$$\begin{aligned}{} & {} 23106605651041615213646000110077851420712757917776430930326056 \\{} & {} 60296830951476238797402172985663226841689573922131931924256474 \\{} & {} 42373164767688138199312178870617014197433167498889179888412544 \\{} & {} 74185076959806015212320711881448073618683164329640885570487353 \\{} & {} 50354182223829749002048540419684771479273577984952576597834431 \\{} & {} 10876017808739917408013571983470008797535808485837831985030128 \\{} & {} 18980694013921518439031616253599644305480276822960370194442400 \\{} & {} 29680528535253331304066794571579472555287555198582878649996706 \\{} & {} 70189200424088850932169339900976909686922394456370919349825147 \\{} & {} 79933248467489575820613721302800274215988236180595306270631 \end{aligned}$$

\(e=\)

$$\begin{aligned}{} & {} 12306595799514227604950469560934424785746654745458886525393457 \\{} & {} 58899783970499242533791938472818667104241589586924790854906048 \\{} & {} 54925263611470499944927026328816440185366245189763792436116837 \\{} & {} 57561103528778660481890339014924778781448952317743651644045890 \\{} & {} 34734358672625085976939766863203987473622112403467008193246531 \\{} & {} 18811333558134310761081974826858002018445896729330025874175254 \\{} & {} 08511656625722972253589317139568494268155847524384162663775384 \\{} & {} 56174150943940984854862543628588707580008442653426773237869939 \\{} & {} 26533039846186871551451618391840130895864570824139236237941156 \\{} & {} 12847782672209965094853232413711557861305091453331658286885 \end{aligned}$$

\(p=\)

$$\begin{aligned}{} & {} 15200857097888143612235928515088793346264155533550218885999558 \\{} & {} 43118029224237682629271323091741303390999578531540748865895441 \\{} & {} 28299767695057057649418113935154004959819709868376351089412151 \\{} & {} 66689369221389374628670381926958230967689721241987218903900245 \\{} & {} 6978031157591446602279278447377998069848764568730671548941379 \end{aligned}$$

\(q=\)

$$\begin{aligned}{} & {} 15200857097888130222480933300617571310430741971257868954229473 \\{} & {} 99010773432783299974566489666130612156702118428957004402934567 \\{} & {} 26259649410467624692928043525938992850157984384838932304533523 \\{} & {} 37960458325033282161048364788519071913365063106030773291799585 \\{} & {} 7967631386967340066303738923024637820931061972877004540650189 \end{aligned}$$

\(d=\)

$$\begin{aligned}{} & {} 95106665770280602013064006456747612094114888110214050993001292 \\{} & {} 18842148846561624186845878708855870619895801364016214375097533 \\{} & {} 53978037760812938848119029882054844495851034227001786365 \end{aligned}$$