Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!lll-lcc!ames!ucbcad!ucbvax!decvax!decwrl!sun!peregrine!falk
From: falk%peregrine@Sun.COM (Ed Falk)
Newsgroups: sci.crypt
Subject: Re: Security of RSA and factoring
Message-ID: <11482@sun.uucp>
Date: Thu, 15-Jan-87 00:16:28 EST
Article-I.D.: sun.11482
Posted: Thu Jan 15 00:16:28 1987
Date-Received: Fri, 16-Jan-87 00:44:43 EST
References: <9041@duke.duke.UUCP> <4205@columbia.UUCP> <9054@duke.duke.UUCP> <16847@ucbvax.BERKELEY.EDU>
Sender: news@sun.uucp
Reply-To: falk@sun.UUCP (Ed Falk)
Organization: Sun Microsystems, Mountain View
Lines: 57
Keywords: Hah! Fat chance.

In article <16847@ucbvax.BERKELEY.EDU> tedrick@ernie.Berkeley.EDU.UUCP (Tom Tedrick) writes:
>>The point about RSA is that if you can break the code, you can get
>>the factorization of the key (this is easy to do).
>
>False.
>
>If you can give me an algorithm that will do this efficiently
>I will eat my words (but send it to me secretly by email so I
>can publish it :-)

The original paper by Rivest, Shamir & Adleman says this:

[ remember: there are three numbers: e, d & n.  n is the product of two
large primes, p & q.  e & d are functions of these primes.  Encryption and
decryption are:

	C = E(M) = M**e mod n
	M = D(C) = C**d mod n

d is any large integer relatively prime to (p-1)*(q-1).  e is the
"multiplicative inverse" to d mod (p-1)*(q-1).  It is calculated by
taking gcd(d,T(n)), where 'T' is the totient function.  e & n
are public, d is secret.]

R, S & A consider three approaches to breaking RSA:

1) Factor n.
	This is proven to be too difficult.

2) Somehow find d without factoring n.
	Once you know d, you can calculate e*d-1 which is a multiple of
	T(n).  It has been shown that n can be factored using any
	multiple of T(n).

	Thus, if you can find d, you can factor n.  Therefore, either
	d is impractical to compute, or R, S & A have stumbled on an
	easy way to factor large primes.

3) Somehow compute D(C) without knowing d.
	R, S & A have no answer to this except to conjecture that it also
	leads to an efficient factoring algorithm.


My reference is about 10 years out of date, so it's possible that
conjecture (3) has been proven by now.  Also, conjecture (2) doesn't *prove*
that RSA is unbreakable; only that if it is, then an easy way to factor
large primes has been discovered.


Does anybody have more recent references?

One final note: a few months ago, someone posted that the fastest known
algorithm for factoring large numbers is O(exp(sqrt(ln(n)lnln(n)))), and the
current record is factoring a 71 digit number in 9.5 hours on a Cray XMP.
		-ed falk, sun microsystems
terrorist, cryptography, DES, drugs, cipher, secret, decode, NSA, CIA, NRO.
(The above is food for the NSA line eater.)
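
Added example, not part of the original post: approach (2) above says that anyone who knows d can compute e*d-1, a multiple of T(n), and from it factor n. The sketch below carries that out with one standard probabilistic method (finding a square root of 1 mod n other than +/-1). The function names and the toy key built from two small Mersenne primes with e = 65537 are assumptions made for the illustration.

```python
import math
import random

def factor_from_totient_multiple(n, k, seed=0):
    """Factor n = p*q given k, any nonzero multiple of T(n) = (p-1)*(q-1)."""
    rng = random.Random(seed)          # fixed seed: repeatable demo, not secrecy
    s, t = 0, k
    while t % 2 == 0:                  # write k = 2**s * t with t odd
        s, t = s + 1, t // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g > 1:                      # a already shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        for _ in range(s):             # a**k == 1 (mod n), so squaring reaches 1
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                # x is a square root of 1 other than +/-1: x-1 shares a factor with n
                g = math.gcd(x - 1, n)
                return tuple(sorted((g, n // g)))
            x = y
        # this a revealed nothing (happens for at most half of all a); retry

def demo():
    # Constructed toy key: two known Mersenne primes, far too small for real use.
    p, q = 2**31 - 1, 2**61 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # the secret exponent (Python 3.8+)
    # Someone holding only (n, e, d) recovers p and q:
    return factor_from_totient_multiple(n, e * d - 1)

if __name__ == "__main__":
    print(demo())
```

The practical consequence is that a modulus whose d has leaked must be retired along with its primes; issuing a new e, d pair for the same n does not help.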