I don't know PAIN...
Eric Rescorla
ekr at rtfm.com
Mon Dec 29 15:50:04 EST 2003
Jerrold Leichter <jerrold.leichter at smarts.com> writes:
> | > "Note that there is no theoretical reason that it should be
> | > possible to figure out the public key given the private key,
> | > either, but it so happens that it is generally possible to
> | > do so"
> | >
> | > So what's this "generally possible" business about?
> |
> | Well, AFAIK its always possible, but I was hedging my bets :-) I can
> | imagine a system where both public and private keys are generated from
> | some other stuff which is then discarded.
> That's true of RSA! The public and private keys are indistinguishable - you
> have a key *pair*, and designate one of the keys as public. Computing either
> key from the other is as hard as factoring the modulus. (Proof: Given both
> keys in the pair, it's easy to factor.)
It's worth pointing out that this isn't how RSA is used in practice,
for two reasons:
(1) Most everyone uses one of 3 popular RSA public exponents
(3, 17, 65535) and then computes the private key from p and q.
(2) PKCS-1 RSAPrivateKey structures contain the public key.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list