[cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)

Thierry Moreau thierry.moreau at connotech.com
Mon Mar 26 10:29:13 EDT 2012

Florian Weimer wrote:
> * Thierry Moreau:
>> The unusual public RSA exponent may well be an indication that the
>> signature key pair was generated by a software implementation not
>> encompassing the commonly-agreed (among number-theoreticians having
>> surveyed the field) desirable strategies.
> I don't think this conclusion is warranted.  Most textbooks covering
> RSA do not address key generation in much detail.  Even the Menezes et
> al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as
> "used in practice".  Knuth (1981) fixes e=3.  On the other side, two
> popular cryptography textbooks, Schneier (1996) and Stinson (2002),
> recommend choosing e randomly.  None of these sources gives precise
> guidance on how to generate the key material, although Menezes et al.
> gives several examples of what you should not do.

The original RSA publication suggests generating the RSA modulus N, and 
then the encryption and decryption exponents, resp. e and d, so that the 
first selection of the public exponent e might be rejected.

The current recommendations fix the decryption exponent, and then 
tries random N until e mod phi(N) and d mod phi(N) are both >1. The 
current "desirable strategies" encompass more provisions, of course.

What I meant is that the occurrence of an encryption exponent not "used 
in practice" may be an indication that the key generation procedure was 
more like the one suggested in the original RSA publication.

- Thierry Moreau
