SECURITY OF NUMBER THEORETIC PUBLIC KEY CRYPTOSYSTEMS AGAINST RANDOM ATTACK, II

Abstract

This paper continues a discussion begun in the last issue of CRYPTOLOGIA. It shows that RSA cryptosystems and more general number theoretic public key cryptosystems appear most resistant to cryptanalysis when the encoding modulus m is the square free product of safe primes, namely primes p of the form p=2a+1 where a is an odd prime. There is reason to believe that at least 1 in every 100000 one hundred digit numbers is a safe prime. When m is the square free product of safe primes anybody who can find integers x and e larger than 1 such that can break the cryptosystem by factoring the coding modulus m. However, either x or e must in this case exceed p/3; where p is the smallest prime factor of m. In a typical RSA cryptosystem the two safe prime factors of m will be chosen so that p/3 exceeds . If every message receiver uses the same coding exponent c there are certain economies possible without any apparent loss of security. The Fermat prime 65537 seems to be a reasonable candidate for universal coding exponent c. If certain routine precautions described below are taken by the message receiver who sets up a number theoretic public key cryptosystem the cryptanalyst's prospects appear dismal, although there is no proof that this is the case. The third paper in this series, which will appear in the next issue of CRYPTOLOGIA, is devoted to pathological examples, and to the proofs of results in I and II.