Posted by Two Cities on September 26, 1997 at 14:56:20:

FYI

**************************************************

Since I am new to this, perhaps someone could provide

some answers to the following PGP and RSA security

concern of mine.

The source code for both PGP and RSA suggests that

the two most significant bits are set by default when

selecting the constituent primes (p,q) for the generation of

the modulus (m). For an n-bit m, p and q both start out

as members of the range 75% 2^(n/2) to 99.9999...% 2^(n/2).

The resulting return value of m is thus confined to

56.25% 2^n to 99.9999...% 2^n, and supposedly factoring is

hard.

However, for return values of the modulus at the extremes of

the available range, only a limited range of target candidate

primes are worthy of consideration.

I.e. the factorization of approx. 56.25% 2^n is by neccessity of

construction approx. 75% 2^(n/2) and some other number in close

proximity. No other inputs need to be considered. Since the

remaining bits are assigned 'randomly', a significant statistical

sample of modulus, will therefore fall close to the extremes of

the possible range, and can be identified by sight, as potentially

weak keys, and my conclusion is that not all keys are created

equal.

Worse than the above somewhat technical discussion, is the

notion that what I wrote could have merit, and that it was

pointed out by a novice. Do tell me that I am wrong.

Posted to alt.security.pgp

- Re: Email and privacy
**Common Right Group***05:29:35 9/27/97*(0)