[cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
Jonathan Katz
jkatz at cs.umd.edu
Mon Mar 26 10:38:09 EDT 2012
On Mon, 26 Mar 2012, Thierry Moreau wrote:
> Florian Weimer wrote:
>> * Thierry Moreau:
>>
>>> The unusual public RSA exponent may well be an indication that the
>>> signature key pair was generated by a software implementation not
>>> encompassing the commonly-agreed (among number-theoreticians having
>>> surveyed the field) desirable strategies.
>>
>> I don't think this conclusion is warranted. Most textbooks covering
>> RSA do not address key generation in much detail. Even the Menezes et
>> al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as
>> "used in practice". Knuth (1981) fixes e=3. On the other side, two
>> popular cryptography textbooks, Schneier (1996) and Stinson (2002),
>> recommend to choose e randomly. None of these sources gives precise
>> guidance on how to generate the key material, although Menezes et al.
>> gives several examples of what you should not do.
>
> The original RSA publication suggests generating the RSA modulus N, and then
> the encryption and decryption exponents, resp. e and d, so that the first
> selection of the public exponent e might be rejected.
>
> The current recommendations fixes the decryption exponent, and then tries
> random N until e mod phi(N) and d mod phi(N) are both >1. The current
> "desirable strategies" encompass more provisions, of course.
That can't be correct, for several reasons:
- If you deterministically fix the decryption exponent in advance, then
everyone knows it. (Maybe you meant "choose d at random, and then find N
compatible with that choice of d." Still, I don't see why you would do
that, and if you did then there is no particular reason e would not come
out to be non-prime.)
- Maybe you meant to fix e in advance, and then find N compatible with
that value of e. But the check for compatibility is that gcd(e, phi(N))=1,
not that e mod phi(N) > 1.
Going back to the original question, I see no reason why non-prime e
should be much less secure than prime e. In particular:
- The information leaked to the attacker is that gcd(e, phi(N)) = 1. So
the attacker arguably learns a bit more information about the factors of N
if e is non-prime than if e is prime. But I don't see how this information
can be used to help speed up current factoring algorithms.
- Fix e = e1 * e2, where e1 and e2 are prime. Conditioned on the fact that
gcd(e, phi(N))=1, it is as secure to use public exponent e1 (or e2) as to
use public exponent e. In particular, if an attacker could invert RSA
with public exponent e, then it could also invert using public exponent
e1; the (easy) reduction is left to the reader. =)
For the record, in the Katz-Lindell book we say that choice of e is
arbitrary as far as security goes, but e=3 is preferred in practice for
efficiency.
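As an added illustration (not part of Katz's message or any project code), a toy Python script covering two points from the reply: the gcd(e, phi(N)) = 1 compatibility check that a fixed public exponent must pass, and the reduction left to the reader, showing that an inverter for public exponent e = e1*e2 also inverts public exponent e1. The primes, messages and the "oracle" (simulated with the honest private key) are constructed for the demo.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Toy RSA key generation over small constructed primes p and q.

    With e fixed in advance, the only compatibility check on N is
    gcd(e, phi(N)) == 1 (not "e mod phi(N) > 1"); an incompatible
    modulus is rejected by returning None, otherwise (N, d) is returned.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return None
    d = pow(e, -1, phi)          # Python 3.8+: modular inverse of e
    return n, d


def invert_e1_using_e_oracle(c1, e2, n, e_oracle):
    """The reduction: given c1 = m^e1 mod N and an oracle that inverts
    RSA with public exponent e = e1*e2, recover m.

    Raising c1 to e2 gives m^(e1*e2) = m^e mod N, which is exactly an
    RSA ciphertext under exponent e, so the oracle returns m.
    """
    c = pow(c1, e2, n)
    return e_oracle(c)


def demo():
    """Constructed example: N = 61*53, phi(N) = 3120, e1 = 7, e2 = 11."""
    p, q, e1, e2 = 61, 53, 7, 11
    e = e1 * e2                                    # 77
    n, d = rsa_keygen(p, q, e)                     # gcd(77, 3120) == 1
    m = 42                                         # constructed message
    c1 = pow(m, e1, n)                             # ciphertext under e1
    # Hypothetical adversary that can invert exponent e; here it is
    # simulated with the honest private exponent d, which it would not
    # actually hold.
    e_oracle = lambda c: pow(c, d, n)
    return invert_e1_using_e_oracle(c1, e2, n, e_oracle) == m


if __name__ == "__main__":
    print("e=35 rejected:", rsa_keygen(61, 53, 35) is None)   # gcd = 5
    print("e=3  rejected:", rsa_keygen(61, 53, 3) is None)    # gcd = 3
    print("reduction recovers m:", demo())
```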