BBCR4 on Crypto-wars today at 13:30
alan.braggins at gmail.com
Tue Mar 25 11:59:07 GMT 2014
On 25/03/14 03:41, Peter Fairbrother wrote:
> I just read of an idea, I don't know who by, about making RSA keys
> shorter - choose the first prime at random, then choose the second prime
> so that the first 2n/3 bits of n are some fixed, shared value.
http://joye.site88.net/papers/Joy08rsacompr.pdf says "Bernstein reports
an unpublished result by Coppersmith for specifying up to 2n/3 bits
using lattice reduction" (with references to slides for a couple of
talks by Bernstein).
http://cr.yp.to/sigs/rwsota-20080131.pdf says "Coppersmith 2003"
for the lattice reduction, but doesn't seem to list that in the
http://cr.yp.to/talks/2005.11.06/slides.pdf explains the actual
method, on a slide titled "Primes in lattices".
For n/2, Joye says "presented at ASIACRYPT '98 by Lenstra",
and "reinvented many times".
Bernstein just says "widely known" for n/2.
More information about the ukcrypto