On Dec 27, 2003, at 10:01 AM, Ben Laurie wrote:
"Note that there is no theoretical reason that it should be possible
to figure out the public key given the private key, either, but it so
happens that it is generally possible to do so"
So what's this "generally possible" business about?
Well, AFAIK it's always possible, but I was hedging my bets :-) I can
imagine a system where both public and private keys are generated from
some other stuff which is then discarded.
Sure. Imagine RSA where instead of a fixed public exponent (typically
2^16 + 1), you use a large random public exponent. After computing the
private exponent, you discard the two primes and all other intermediate
information, keeping only the modulus and the two exponents. Now it's
very hard to compute either exponent from the other, but they do
constitute a public/private key-pair. The operations will be more
expensive than in standard RSA where one party has a small exponent and
the other party has an arithmetical shortcut, but still far less
computation than cracking the other party's key.
---------------------------------------------------------------------
The Cryptography Mailing List
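The construction described in the last message, as an added Python example that is not part of the original thread: key generation returns only the modulus and the two exponents, and a search over small exponents finds the partner of the private exponent in standard RSA but not in the random-exponent variant. The toy Mersenne primes, the function names and the 2**17 search bound are assumptions chosen for illustration; a modulus this small is trivially factorable.

```python
import math
import secrets

def keygen(fixed_e=None):
    """Return (n, e, d) only; p, q and phi are discarded when this returns."""
    # Constructed toy primes (Mersenne primes), fixed so the example is
    # deterministic. A real generator picks large random primes.
    p, q = 2**61 - 1, 2**89 - 1
    n, phi = p * q, (p - 1) * (q - 1)
    if fixed_e is not None:
        e = fixed_e                      # standard RSA: small, well-known e
    else:
        while True:                      # the variant: large random e
            e = secrets.randbelow(phi - 3) + 3
            if math.gcd(e, phi) == 1:
                break
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return n, e, d

def roundtrip(n, first, second, m=42):
    """Apply one exponent, then the other; the pair works in either order."""
    return pow(pow(m, first, n), second, n) == m

def guess_small_exponent(n, known, limit=2**17):
    """Search small odd exponents for the partner of `known`; None if absent."""
    probe = 0x1234567                    # arbitrary probe value
    c = pow(probe, known, n)
    for cand in range(3, limit, 2):
        if pow(c, cand, n) == probe:
            return cand
    return None

if __name__ == "__main__":
    n, e, d = keygen(fixed_e=65537)
    print("standard RSA, e recovered from d:", guess_small_exponent(n, d))
    n, e, d = keygen()
    print("random e, pair still works:", roundtrip(n, e, d), roundtrip(n, d, e))
    print("random e, e recovered from d:", guess_small_exponent(n, d))
    print("random e, d recovered from e:", guess_small_exponent(n, e))
```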