On Fri, 28 Jul 2000, Steve Reid wrote:

> remember someone (I think it was Richard Schroeppel) a few years ago
> advocating RSA with a three-prime modulus. The idea was that having
> three primes instead of two would not weaken the algorithm in any
> practical way, but it could make CRT operations even faster. It

Note that Compaq is trying to push this under the name "Multiprime."
Bob Silverman has a nice analysis of the number of factors and size of
factors vs. security tradeoff in the April 2000 RSA Data Security
bulletin. It's only in the PDF version (or was), though. 
PKCS #1 is also being amended to allow for multiple distinct primes.

The idea of using CRT is due to Couvreur and Quisquater, as far as I
know...although I haven't read the original paper and don't know if they
suggested multiple primes or not. 

-David


Reply via email to