> I can see how Alice can easily generate two primes whose product > will have that *high* order part, but it seems hard to generate an > RSA modulus with a specific *low* order 64 bits.
Is it? As long as the lowest bit is a 1, Alice just has to search for one prime that ends with 63 0's and a 1 (she may keep one up her sleeve) and the other prime ending with the specified bits. As long as the length of each prime is much greater than 64 bits, I don't see that this slows her down too badly. Isn't this the reason why using the bottom 32 bits of a PGP RSA key for a key id is subject to a user-confusion attack? --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
