From: dwa@mirage.svl.trw.com (Dana Albrecht)
To: cypherpunks@toad.com
Message Hash: 68ea050c1e4e357d165f947b8dce9b9d0f1752621b4ce357174ef9f75424ed15
Message ID: <9501190339.AA20854@mirage.svl.trw.com>
Reply To: N/A
UTC Datetime: 1995-01-19 03:39:07 UTC
Raw Date: Wed, 18 Jan 95 19:39:07 PST
From: dwa@mirage.svl.trw.com (Dana Albrecht)
Date: Wed, 18 Jan 95 19:39:07 PST
To: cypherpunks@toad.com
Subject: Factorisation and Discrete Logs (was Re: EE Times on PRZ)
Message-ID: <9501190339.AA20854@mirage.svl.trw.com>
MIME-Version: 1.0
Content-Type: text/plain
strick wrote:
>
> DH uses "discrete log" as the hard problem, and very straightforward
> mathematics.
>
> RSA uses "factoring" as the hard problem, and a very clever back door.
>
> How do you decide if one is based on the other?
>
> # public-key technology with Diffie-Hellman public-key in particular, which
> # (as I understand it) is not particularly secure.
>
> It's still up in the air, isn't it, whether the discrete log or
> factoring is the harder to crack. My intuition is they're the
> same hard.
>
> I know of no problem with DH that RSA doesn't have similar problems.
>
> strick
It seems to me that factoring a large number is no harder than finding
a discrete logarithm.
Assume, for the moment, that an efficient method of computing discrete
logs has been discovered, rendering systems like Diffie-Hellman key
exchange unusuable.
I contend that RSA is now equally unusable. The following variant of
the Pollard p-1 method should provide an efficient factorisation method
for an RSA modulus, say N.
Choose, at random, "a" such that gcd(a,N) = 1.
Compute x such that:
a^x = 1 (mod N) [ Discrete log time! ]
Partially factor x; say x = f * f * f ... where f is not necessarily
prime. 1 2 3 n
Note that it is usually easy to partially factor a "random" large integer.
Simply using trial division up to some limit; or, at worst, pollard rho
or pollard p-1 (on x) should suffice. If you're truly unlucky, pick
another value for a.
Compute:
M = a^(10000! * f) (mod N)
Where f is some partial factor of x.
gcd(M-1,N) should yield a non-trivial factor of N. If it doesn't,
another choice of f and/or a should work.
I'm by no means a professional mathematician, but it seems that this
scheme should work.
Comments, anyone?
Dana W. Albrecht
dwa@mirage.svl.trw.com
Return to January 1995
Return to “mpd@netcom.com (Mike Duvos)”