(I copied Hans-Joachim Knobloch onto the thread)
Weiner is talking about small secret exponents (small d), no one does that.
They choose smallish prime e, with low hamming weight (for
encryption/signature verification efficiency) like 65537 (10001h) and get a
random d, which will by definition
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Nov 3, 2012, at 7:03 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Jon Callas j...@callas.org writes:
Which immediately prompts the question of what if it's long or secret? [1]
This attack doesn't work on that.
The
In the past there have been a few proposals to use asymmetric cryptosystems,
typically RSA, like symmetric ones by keeping the public key secret, the idea
behind this being that if the public key isn't known then there isn't anything
for an attacker to factor or otherwise attack. Turns out that
Hi,
In the past there have been a few proposals to use asymmetric cryptosystems,
typically RSA, like symmetric ones by keeping the public key secret, the idea
behind this being that if the public key isn't known then there isn't anything
for an attacker to factor or otherwise attack. Turns
In the past there have been a few proposals to use asymmetric cryptosystems,
typically RSA, like symmetric ones by keeping the public key secret, the idea
behind this being that if the public key isn't known then there isn't anything
for an attacker to factor or otherwise attack. Turns out
Jon Callas j...@callas.org writes:
Which immediately prompts the question of what if it's long or secret? [1]
This attack doesn't work on that.
The asymmetric-as-symmetric was proposed about a decade ago as a means of
protecting against new factorisation attacks, and was deployed as a commercial