Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!lll-lcc!ames!ucbcad!ucbvax!decvax!decwrl!sun!peregrine!falk
From: falk%peregrine@Sun.COM (Ed Falk)
Newsgroups: sci.crypt
Subject: Re: Security of RSA and factoring
Message-ID: <11482@sun.uucp>
Date: Thu, 15-Jan-87 00:16:28 EST
Article-I.D.: sun.11482
Posted: Thu Jan 15 00:16:28 1987
Date-Received: Fri, 16-Jan-87 00:44:43 EST
References: <9041@duke.duke.UUCP> <4205@columbia.UUCP> <9054@duke.duke.UUCP> <16847@ucbvax.BERKELEY.EDU>
Sender: news@sun.uucp
Reply-To: falk@sun.UUCP (Ed Falk)
Organization: Sun Microsystems, Mountain View
Lines: 57
Keywords: Hah! Fat chance.

In article <16847@ucbvax.BERKELEY.EDU> tedrick@ernie.Berkeley.EDU.UUCP (Tom Tedrick) writes:
>>The point about RSA is that if you can break the code, you can get
>>the factorization of the key (this is easy to do).
>
>False.
>
>If you can give me an algorithm that will do this efficiently
>I will eat my words (but send it to me secretly by email so I
>can publish it :-)

The original paper by Rivest, Shamir & Adleman says this:

[ remember: there are three numbers: e, d & n.  n is the product of
two large primes, p & q.  e & d are functions of these primes.
Encryption and decryption are:

	C = E(M) = M**e mod n
	M = D(C) = C**d mod n

d is any large integer relatively prime to (p-1)*(q-1).  e is the
"multiplicative inverse" to d mod (p-1)*(q-1).  It is calculated by
taking gcd(d,T(n)), where 'T' is the totient function.

e & n are public, d is secret.]

R, S & A consider three approaches to breaking RSA:

1) Factor n.  This is proven to be too difficult.

2) Somehow find d without factoring n.  Once you know d, you can
   calculate e*d-1 which is a multiple of T(n).  It has been shown
   that n can be factored using any multiple of T(n).  Thus, if you
   can find d, you can factor n.  Therefore, either d is impractical
   to compute, or R, S & A have stumbled on an easy way to factor
   large primes.

3) Somehow compute D(C) without knowing d.  R, S & A have no answer
   to this except to conjecture that it also leads to an efficient
   factoring algorithm.

My reference is about 10 years out of date, so it's possible that
conjecture (3) has been proven by now.  Also, conjecture (2) doesn't
*prove* that RSA is unbreakable; only that if it is, then an easy way
to factor large primes has been discovered.

Does anybody have more recent references?

One final note: a few months ago, someone posted that the fastest
known algorithm for factoring large numbers is
O(exp(sqrt(ln(n)lnln(n)))), and the current record is factoring a
71 digit number in 9.5 hours on a Cray XMP.

		-ed falk, sun microsystems

terrorist, cryptography, DES, drugs, cipher, secret, decode, NSA, CIA, NRO.
(The above is food for the NSA line eater.)
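
Approach (2) in the article above, carried through as an added example that is not part of the original post or of the RSA paper: given n, e and d, the multiple e*d-1 of T(n) is used to find a square root of 1 mod n other than +-1, which splits n. The function names and the two small constructed keys are assumptions chosen for illustration.

```python
import math
import random

def factor_from_private_exponent(n, e, d, rng=None, max_tries=200):
    """Factor n = p*q given a matching RSA exponent pair (e, d).

    Returns (p, q) with p <= q.  Probabilistic: each random base
    succeeds with probability at least 1/2.
    """
    rng = rng or random.Random()
    k = e * d - 1                 # a multiple of T(n), so a**k == 1 (mod n)
    if k <= 0 or k % 2:
        raise ValueError("e*d - 1 must be positive and even")
    s, t = 0, k                   # write k = 2**s * t with t odd
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g > 1:                 # lucky: the base already shares a factor
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            # x*x == 1 with x != +-1 means n divides (x-1)(x+1) but
            # neither factor alone, so gcd(x-1, n) is p or q.
            if y == 1 and x not in (1, n - 1):
                p = math.gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == 1:
                break             # only trivial roots on this base; retry
            x = y
    raise RuntimeError("no factor found; is (e, d) a valid pair for n?")

def make_key(p, q, e):
    """Constructed demo key: d is the inverse of e mod (p-1)*(q-1)."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    # Constructed sample keys (far too small for real use).
    for p, q, e in [(61, 53, 17), (2**31 - 1, 2**61 - 1, 65537)]:
        n, e, d = make_key(p, q, e)
        print(n, "->", factor_from_private_exponent(n, e, d))
```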