Re: Breaking RSA & Securing RSA
From: Pubkeybreaker (Robert_silverman_at_raytheon.com)
Date: 07/11/05
- Next message: Peter Pearson: "Re: primes question"
- Previous message: JiXian Yang: "Re: A scheme of software protection"
- In reply to: Michael Scott: "Re: Breaking RSA & Securing RSA"
- Next in thread: Kristian Gjøsteen: "Re: Breaking RSA & Securing RSA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 11 Jul 2005 07:18:15 -0700
Michael Scott wrote:
> I wonder has this ever been completely analysed.
Yes, it has. See my joint paper with Sam Wagstaff Jr.
"A Practical Analysis of the Elliptic Curve Factoring Algorithm".
I agree that RSA with
> two 512-bit primes, its fine to just pick random primes. But at a lower
> security levels, using say a pair of random 256-bit primes, could the
> p-1 factorisation method be faster than quadratic sieve based methods
> for a significant percentage of RSA public keys?
(1) Compare with NFS, not QS
(2) The answer is no. In over 30 years of trials with P-1, the largest
factor ever found was ~187 bits.
>Would p-1 be faster at
> any level of security?
On average? Not likely. I can split 20 digit composites with QS in ~10
milliseconds. I would expect P-1 to be much worse, on average.
For a small subset of randomly chosen small primes, the answer is yes.
- Next message: Peter Pearson: "Re: primes question"
- Previous message: JiXian Yang: "Re: A scheme of software protection"
- In reply to: Michael Scott: "Re: Breaking RSA & Securing RSA"
- Next in thread: Kristian Gjøsteen: "Re: Breaking RSA & Securing RSA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
