[15090] in cryptography@c2.net mail archive
Re: I don't know PAIN...
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Mon Dec 29 16:06:09 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
To: Jerrold Leichter <jerrold.leichter@smarts.com>
Cc: Ben Laurie <ben@algroup.co.uk>, Raymond Lillard <ryl@mmcent.com>,
crypto <cryptography@metzdowd.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 29 Dec 2003 12:50:04 -0800
In-Reply-To: <Pine.GSO.4.58.0312291200120.29666@frame>
Jerrold Leichter <jerrold.leichter@smarts.com> writes:
> | > "Note that there is no theoretical reason that it should be
> | > possible to figure out the public key given the private key,
> | > either, but it so happens that it is generally possible to
> | > do so"
> | >
> | > So what's this "generally possible" business about?
> |
> | Well, AFAIK its always possible, but I was hedging my bets :-) I can
> | imagine a system where both public and private keys are generated from
> | some other stuff which is then discarded.
> That's true of RSA! The public and private keys are indistinguishable - you
> have a key *pair*, and designate one of the keys as public. Computing either
> key from the other is as hard as factoring the modulus. (Proof: Given both
> keys in the pair, it's easy to factor.)
It's worth pointing out that this isn't how RSA is used in practice,
for two reasons:
(1) Most everyone uses one of 3 popular RSA public exponents
(3, 17, 65535) and then computes the private key from p and q.
(2) PKCS-1 RSAPrivateKey structures contain the public key.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
