[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: [email protected]*Subject*: Re: Peter Landrock's CRYPTO 97 rump session*From*: [email protected] (Ian Goldberg)*Date*: 4 Oct 1997 23:13:24 GMT*Distribution*: isaac*Newsgroups*: isaac.lists.cypherpunks*Organization*: ISAAC Group, UC Berkeley*References*: <[email protected]>*Sender*: [email protected]

In article <[email protected]>, Chris Hall <[email protected]> wrote: > >I know that many of you attended this years CRYPTO and probably went to the >rump session too. Does anyone remember the details of Peter Landrock's >presentation? If I recall correctly, he presented an amusing talk in which >an attacker tried to blackmail a bank by claiming knowledge of the bank's >RSA private exponent. He did this by revealing successive bytes of the >exponent starting with the most significant. The ransom doubled with each >successive byte revealed (and I believe he got up to 52 in his example). >The catch was that any person can do this for the first X number of bytes >of the exponent *without actually knowing d* (where X varies depending at >least upon n). IIRC, it only worked for e=3. In that case, since gcd(e,(p-1)(q-1)) = 1, we must have that p and q are each 2 mod 3. Then, since (p-1)(q-1) | de-1, we have that e d - r (p-1)(q-1) = 1 for some positive integer r. Taking this mod 3, we see that r is 2 mod 3. But r = (ed-1)/[(p-1)(q-1)] < (3(p-1)(q-1)-1)/[(p-1)(q-1)] < 3, so r=2. Thus d = [2(p-1)(q-1)+1]/3 = 2(n-p-q)/3 + 1. If p and q are each about half the length of n, then d agrees with 2(n-1)/3 for about its first half. - Ian

- Prev by Date:
**Nice quote** - Next by Date:
**Re: Regulate them to 'double-death'...** - Prev by thread:
**Re: Nice quote** - Next by thread:
**Re: [email protected] list explodes!** - Index(es):