[15084] in cryptography@c2.net mail archive
Re: I don't know PAIN...
daemon@ATHENA.MIT.EDU (Matt Crawford)
Mon Dec 29 14:19:22 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Mon, 29 Dec 2003 10:29:01 -0600
From: Matt Crawford <crawdad@fnal.gov>
In-reply-to: <3FEDACDF.1070904@algroup.co.uk>
To: Ben Laurie <ben@algroup.co.uk>
Cc: Raymond Lillard <ryl@mmcent.com>,
crypto <cryptography@metzdowd.com>
On Dec 27, 2003, at 10:01 AM, Ben Laurie wrote:
>> "Note that there is no theoretical reason that it should be possible
>> to figure out the public key given the private key, either, but it so
>> happens that it is generally possible to do so"
>> So what's this "generally possible" business about?
>
> Well, AFAIK its always possible, but I was hedging my bets :-) I can
> imagine a system where both public and private keys are generated from
> some other stuff which is then discarded.
Sure. Imagine RSA where instead of a fixed public exponent (typically
2^16 + 1), you use a large random public exponent. After computing the
private exponent, you discard the two primes and all other intermediate
information, keeping only the modulus and the two exponents. Now it's
very hard to compute either exponent from the other, but they do
constitute a public/private key-pair. The operations will be more
expensive that in standard RSA where one party has a small exponent and
the other party has an arithmetical shortcut, but still far less
computation than cracking the other party's key.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
