[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Factorisation and Discrete Logs (was Re: EE Times on PRZ)



strick wrote:
> 
> DH uses "discrete log" as the hard problem, and very straightforward
> mathematics.
> 
> RSA uses "factoring" as the hard problem, and a very clever back door.
> 
> How do you decide if one is based on the other?
> 
> # public-key technology with Diffie-Hellman public-key in particular, which
> # (as I understand it) is not particularly secure.
> 
> It's still up in the air, isn't it, whether the discrete log or 
> factoring is the harder to crack.   My intuition is they're the
> same hard.
> 
> I know of no problem with DH that RSA doesn't have similar problems.
> 
> 			strick

 
It seems to me that factoring a large number is no harder than finding
a discrete logarithm.

Assume, for the moment, that an efficient method of computing discrete
logs has been discovered, rendering systems like Diffie-Hellman key
exchange unusuable.

I contend that RSA is now equally unusable.  The following variant of
the Pollard p-1 method should provide an efficient factorisation method
for an RSA modulus, say N.

Choose, at random, "a" such that gcd(a,N) = 1.

Compute x such that:

     a^x = 1 (mod N)          [ Discrete log time! ]

Partially factor x; say x = f  *  f  *  f  ...   where f  is not necessarily
prime.                       1     2     3              n

Note that it is usually easy to partially factor a "random" large integer.
Simply using trial division up to some limit; or, at worst, pollard rho
or pollard p-1 (on x) should suffice.  If you're truly unlucky, pick
another value for a.

Compute:

     M = a^(10000! * f) (mod N)

Where f is some partial factor of x.

gcd(M-1,N) should yield a non-trivial factor of N.  If it doesn't,
another choice of f and/or a should work.

I'm by no means a professional mathematician, but it seems that this
scheme should work.

Comments, anyone?


Dana W. Albrecht
[email protected]