At 11:51 PM -0400 7/30/2000, dmolnar wrote:
>On Sun, 30 Jul 2000, Arnold G. Reinhold wrote:
>
>> By the way, I could not find the April 2000 RSA Data Security
>> Bulletin on three primes at
>> http://www.rsasecurity.com/rsalabs/bulletins/index.html  Is there a
>> better link?
>
>The link I had in mind was
>
>ftp://ftp.rsasecurity.com/pub/pdfs/bulletn13.pdf
>
>The discussion is an appendix to the discussion of RSA key lengths.
>Note that it is actually more general than just 3 primes; various
>combinations of number of primes and their length are discussed,
>along with security against known factoring algorithms.

Thanks. I hadn't gotten that far. The bulletin is actually available 
in the link I cited, in both pdf and html forms.

>
>Even if you may disagree with Silverman's assumptions about "safe"
>security levels, this is a very good place to start when looking at
>RSA with more than two factors. As for terminology, I would prefer to keep
>the RSA name and just modify it (e.g. "polyprime RSA," or better
>"3-384-prime RSA") to indicate that a modulus with more than two factors
>is in use.
>
>-David


It's not so much that I disagree with Silverman's assumptions about 
"safe" security levels, it's that they are just that: assumptions. 
Multiprime RSA is different from two-prime RSA, which is the version 
most researchers have studied over the years.  Silverman's numbers 
show that. Consumers have a right to know what they are getting, even 
in this arcane world of crypto (maybe especially in this world).

Suppose the 14 round version of Rijndael is adopted as AES and a few 
years down the road someone decides that he can make his encryption 
system a lot faster by using only 8 rounds. Would it be acceptable 
for him to call his cipher AES-8? I don't think so. On the other 
hand, "RSA" is RSA Security Inc.'s trademark and if they want to 
dilute it -- to whatever extent -- by allowing multiprime moduli, I 
suppose they can. That is why I think we need some nomenclature for 
each member of this class of algorithms that does not depend on RSA 
Security Inc.'s judgement, however informed it may be.

Arnold Reinhold





