
Re: PGP's e exponent too small?



	Is the e exponent in PGP too small? It's usually 17 decimal.

	Applied Cryptography pp. 287-288 says:

	"Low Exponent Attack Against RSA

	Another suggestion to 'improve' RSA is to use low values for e,
	the public key. This makes encryption fast and easy to perform.
	Unfortunately, it is also insecure. Hastad demonstrated a
	successful attack against RSA with a low encryption key [417].
	Another attack by Michael Wiener will recover e, when e is up
	to one quarter the size of n [878]. A low decryption key, d, is
	just as serious a problem. Moral: Choose large values for e and d."

There was some discussion on this on sci.crypt.  Briefly, the folks
from RSA don't agree that it's a problem in practice.  If you always
include some random padding in the message, you're safe, if I remember
what Kaliski posted.
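
The padding point in the reply above, as an added example that is not part of the original post: when the same unpadded message is encrypted under a low exponent e for e different recipients, it can be recovered from the ciphertexts alone, and a fresh random prefix per encryption makes that recovery fail. Assumptions: e = 3 instead of 17 so that three ciphertexts suffice, toy moduli built from Mersenne primes, and a hypothetical `pad` helper that stands in for a real padding scheme.

```python
import secrets
from math import prod

E = 3  # assumption: small e so three ciphertexts suffice (the post mentions 17)

def mersenne(k):
    return 2**k - 1

# Constructed toy moduli from known Mersenne primes; not real keys.
MODULI = [mersenne(89) * mersenne(107),
          mersenne(61) * mersenne(127),
          mersenne(521) * mersenne(607)]

def encrypt(m, n, e=E):
    return pow(m, e, n)

def crt(residues, moduli):
    """Combine c_i mod n_i into the unique x mod prod(n_i)."""
    total = prod(moduli)
    x = 0
    for c, n in zip(residues, moduli):
        rest = total // n
        x += c * rest * pow(rest, -1, n)
    return x % total

def iroot(x, e):
    """Floor of the e-th root of x, by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_broadcast(ciphertexts, moduli, e=E):
    """Return m if every ciphertext encrypts the same m < min(n_i), else None."""
    x = crt(ciphertexts, moduli)   # equals m**e over the integers when m is shared
    r = iroot(x, e)
    return r if r**e == x else None

def pad(msg, pad_len=4):
    """Hypothetical padding: a fresh random prefix for every encryption."""
    return int.from_bytes(secrets.token_bytes(pad_len) + msg, "big")

def demo(msg=b"constructed message"):
    raw = [encrypt(int.from_bytes(msg, "big"), n) for n in MODULI]
    padded = [encrypt(pad(msg), n) for n in MODULI]
    return recover_broadcast(raw, MODULI), recover_broadcast(padded, MODULI)
```

`demo()` returns the plaintext integer for the unpadded ciphertexts and `None` for the padded ones, because the padded plaintexts differ and the combined value is no longer a perfect cube.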