Re: Performance of RSA key generation



"Joseph Ashwood" <ashwood@xxxxxxx> writes:
> "Paul Rubin" <http://phr.cx@xxxxxxxxxxxxxx> wrote in message
> news:7xmyddw4cn.fsf@xxxxxxxxxxxxxxxxxxxxxx
>> Ertugrul Söylemez <es@xxxxxxxx> writes:
>>> The average implementation uses e = 65537.
>>
>> I don't understand why they don't use e=3. Is it an artifact of the
>> era when proper padding and its effects on provable security weren't
>> understood?
>
> It was a simple kneejerk reaction to the attack where if the same plaintext
> was sent to e people the plaintext could be recovered. It was interpreted
> by many as a break of e=3. It is rather irrelevant today, and arguably was
> irrelevant at the time.

This particular one is somewhat irrelevant, but there's a much bigger problem
in that e=3 implementations tend to be quite vulnerable to even very minor
implementation flaws (including things that aren't explained in any of the
widely-used specs) while e=F4 is a lot less vulnerable. Witness the PKCS #1
padding vulnerability from a year or two back, where there were lots and lots
of little ways in which you could fail with e=3 but none with e=F4. For this
reason my code will block the use of e=3 keys (and in general e < 257, with
some exceptions for oddball exponents used by PGP 2.x, GPG, and SSH).

Peter.
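
Added example, not code from this post or its author: one way to implement the key-acceptance policy described above (reject e < 257 unless allowlisted), combined with a strict PKCS #1 v1.5 check that rebuilds the whole encoded block and compares it, which goes slightly beyond the post. The allowlist values, the function names and the test key are assumptions made for illustration; the post does not list its exceptions.

```python
import hashlib
import hmac

MIN_EXPONENT = 257  # threshold stated in the post
# Assumption: illustrative legacy exponents for old PGP 2.x / GPG / SSH keys.
LEGACY_EXPONENTS = frozenset({17, 35, 41})
# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def exponent_allowed(e, n, legacy=LEGACY_EXPONENTS):
    """Policy: e odd, 1 < e < n, and e >= 257 unless explicitly allowlisted."""
    if e <= 1 or e >= n or e % 2 == 0:
        return False
    return e >= MIN_EXPONENT or e in legacy

def expected_em(message, k):
    """Build the single valid k-byte EMSA-PKCS1-v1_5 encoding of message."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(n, e, message, signature):
    """Apply the exponent policy, then compare the full encoded block.

    Comparing every byte leaves no slack for short padding or trailing data.
    """
    k = (n.bit_length() + 7) // 8
    if not exponent_allowed(e, n) or len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, expected_em(message, k))

def demo():
    """Constructed test key built from two Mersenne primes; test use only."""
    p, q = 2**521 - 1, 2**607 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # needs Python 3.8+
    k = (n.bit_length() + 7) // 8
    msg = b"constructed sample message"
    em = int.from_bytes(expected_em(msg, k), "big")
    sig = pow(em, d, n).to_bytes(k, "big")
    # valid signature, wrong message, same key presented with e=3
    return verify(n, e, msg, sig), verify(n, e, b"other", sig), verify(n, 3, msg, sig)

if __name__ == "__main__":
    print(demo())
```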
