Key Pair Agreement?

Matt Crawford crawdad at fnal.gov
Tue Jan 21 11:41:32 EST 2003


>  I can see how Alice can easily generate two primes whose product
> will have that *high* order part, but it seems hard to generate an
> RSA modulus with a specific *low* order 64 bits.

Is it?  As long as the lowest bit is a 1, Alice just has to search
for one prime that ends with 63 0's and a 1 (she may keep one up her
sleeve) and the other prime ending with the specified bits.  As long
as the length of each prime is much greater than 64 bits, I don't see
that this slows her down too badly.

Isn't this the reason why using the bottom 32 bits of a PGP RSA key
for a key id is subject to a user-confusion attack?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



More information about the cryptography mailing list