[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PGP's e exponent too small?

To: Mike Ingle <[email protected]>
Subject: Re: PGP's e exponent too small?
From: [email protected]
Date: Sun, 16 Jan 94 08:29:31 EST
Cc: [email protected]

	Is the e exponent in PGP too small? It's usually 17 decimal.

	Applied Cryptography pp. 287-288 says:

	"Low Exponent Attack Against RSA

	Another suggestion to 'improve' RSA is to use low values for e,
	the public key. This makes encryption fast and easy to perform.
	Unfortunately, it is also insecure. Hastad demonstrated a
	successful attack against RSA with a low encryption key [417].
	Another attack by Michael Wiener will recover e, when e is up
	to one quarter the size of n [878]. A low decryption key, d, is
	just as serious a problem. Moral: Choose large values for e and d."

There was some discussion on this on sci.crypt.  Briefly, the folks
from RSA don't agree that it's a problem in practice.  If you always
include some random padding in the message, you're safe, if I remember
what Kaliski posted.

Follow-Ups:
- Re: PGP's e exponent too small?
  - From: Matthew J Ghio <[email protected]>

Prev by Date: Re: Using the tools we have
Next by Date: No Subject
Prev by thread: PGP's e exponent too small?
Next by thread: Re: PGP's e exponent too small?
Index(es):
- Date
- Thread