> > The algorithm is very simple:
> > 1. Choose a big random value x from some very broad range
> >   (say, {1,2,..,N^2}).
> > 2. Pick a random element g (mod N).
> > 3. Compute y = g^x (mod N).
> > 4. Ask for the discrete log of y to the base g, and get back some
> >   answer x' such that y = g^x' (mod N).
> > 5. Compute x-x'.  Note that x-x' is a multiple of phi(N), and
> >   it is highly likely that x-x' is non-zero.  It is well-known
> >   that given a non-zero multiple of phi(N), you can factor N in
> >   polynomial time.
> 
> Not exactly. Consider N = 3*7 = 21, phi(N) = 12, g = 4, x = 2, x' = 5. 
> You'll only get a multiple of phi(N) if g was a generator of the 
> multiplicative group Z_N^*.

When N is a large RSA modulus, there is a non-trivial probability that g
will be a generator (or that g will be such that x-x' lets you factor N).
The above is good enough for a polytime reduction.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to