> I don't follow.  For RSA, the only difference between encryption and
> decryption, and public and private key, and hence between chosen
> plaintext and chosen ciphertext, is the arbitrary naming of one of
> a pair of mutually-inverse values as the "private" key and the other
> as the "public" key.
>                                                       -- Jerry
Negative, Jerry.

There is a very big difference between which one you make "public" and
which one you make "private".  The difference is that the "public" one
is given out to the world.

It is well known that if d (the RSA private exponent) is small enough,
it can be recovered via Wiener's continued fraction attack or the 
several extensions of it.  I think Wiener's attack worked if d < N^{1/4},
and Boneh (with Glenn Durfee) brought this up to N^{.292}.  There is
a conjecture that d needs to be > sqrt(N), but no one's come close to
proving this.

So it IS important which one you name as the private key: name the bigger
one! :)


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to