> I don't follow. For RSA, the only difference between encryption and > decryption, and public and private key, and hence between chosen > plaintext and chosen ciphertext, is the arbitrary naming of one of > a pair of mutually-inverse values as the "private" key and the other > as the "public" key. > -- Jerry > Negative, Jerry.

There is a very big difference between which one you make "public" and which one you make "private". The difference is that the "public" one is given out to the world. It is well known that if d (the RSA private exponent) is small enough, it can be recovered via Wiener's continued fraction attack or the several extensions of it. I think Wiener's attack worked if d < N^{1/4}, and Boneh (with Glenn Durfee) brought this up to N^{.292}. There is a conjecture that d needs to be > sqrt(N), but no one's come close to proving this. So it IS important which one you name as the private key: name the bigger one! :) john// --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]