| On Dec 27, 2003, at 10:01 AM, Ben Laurie wrote:
| >> "Note that there is no theoretical reason that it should be possible
| >> to figure out the public key given the private key, either, but it so
| >> happens that it is generally possible to do so"
| >> So what's this "generally possible" business about?
| >
| > Well, AFAIK it's always possible, but I was hedging my bets :-) I can
| > imagine a system where both public and private keys are generated from
| > some other stuff which is then discarded.
|
| Sure. Imagine RSA where instead of a fixed public exponent (typically
| 2^16 + 1), you use a large random public exponent. After computing the
| private exponent, you discard the two primes and all other intermediate
| information, keeping only the modulus and the two exponents. Now it's
| very hard to compute either exponent from the other, but they do
| constitute a public/private key-pair. The operations will be more
| expensive than in standard RSA where one party has a small exponent and
| the other party has an arithmetical shortcut, but still far less
| computation than cracking the other party's key.

This doesn't work for RSA because given a single private/public key pair,
you can factor.
                                                        -- Jerry
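
Added example, not part of the original message: the textbook probabilistic method for factoring an RSA modulus from one matching exponent pair, which is why discarding the primes does not protect the other exponent. The names make_key_random_e and factor_from_exponents and the small demo primes are assumptions made for illustration.

```python
import math
import random

# Constructed demo primes (Mersenne primes 2^31-1 and 2^61-1); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def make_key_random_e(rng):
    """Hypothetical keygen for the quoted scheme: random e, primes discarded."""
    phi = (P - 1) * (Q - 1)
    while True:
        e = rng.randrange(3, phi)
        if math.gcd(e, phi) == 1:
            return P * Q, e, pow(e, -1, phi)   # only (n, e, d) leave this function

def factor_from_exponents(n, e, d, rng=None, max_tries=200):
    """Recover the prime factors of n = p*q from one matching (e, d) pair."""
    rng = rng or random.Random()
    # e*d - 1 is a multiple of the order of every unit mod n; split off powers of 2.
    r, t = e * d - 1, 0
    while r % 2 == 0:
        r //= 2
        t += 1
    for _ in range(max_tries):
        g = rng.randrange(2, n - 1)
        common = math.gcd(g, n)
        if common > 1:                      # lucky draw: g already shares a factor
            return tuple(sorted((common, n // common)))
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue                        # no information from this g
        for _ in range(t):
            y = x * x % n
            if y == 1:                      # x is a square root of 1 other than +-1
                p = math.gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break                       # reached -1: try another g
            x = y
    raise ValueError("e and d do not look like a matching RSA exponent pair")

if __name__ == "__main__":
    n, e, d = make_key_random_e(random.Random(2003))
    print("n =", n, "factors:", factor_from_exponents(n, e, d))
```

Each random base succeeds with probability at least 1/2, so a handful of tries is normally enough; with the factors in hand, the other exponent follows from a modular inverse.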

