Re: I don't know PAIN...

| On Dec 27, 2003, at 10:01 AM, Ben Laurie wrote:
| >> "Note that there is no theoretical reason that it should be possible
| >> to figure out the public key given the private key, either, but it so
| >> happens that it is generally possible to do so"
| >> So what's this "generally possible" business about?
| >
| > Well, AFAIK its always possible, but I was hedging my bets :-) I can
| > imagine a system where both public and private keys are generated from
| > some other stuff which is then discarded.
|
| Sure.  Imagine RSA where instead of a fixed public exponent (typically
| 2^16 + 1), you use a large random public exponent.  After computing the
| private exponent, you discard the two primes and all other intermediate
| information, keeping only the modulus and the two exponents.  Now it's
| very hard to compute either exponent from the other, but they do
| constitute a public/private key-pair.  The operations will be more
| expensive that in standard RSA where one party has a small exponent and
| the other party has an arithmetical shortcut, but still far less
| computation than cracking the other party's key.
This doesn't work for RSA because given a single private/public key pair, you
can factor.
                                                        -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@xxxxxxxxxxxx