1994-01-16 - Re: PGP’s e exponent too small?

Header Data

From: smb@research.att.com
To: Mike Ingle <MIKEINGLE@delphi.com>
Message Hash: e6b88b03dffe2a3a92ae26a409605c1765e9fcfbe2aeda6d662d6d6f62574768
Message ID: <9401161330.AA10496@toad.com>
Reply To: N/A
UTC Datetime: 1994-01-16 13:33:13 UTC
Raw Date: Sun, 16 Jan 94 05:33:13 PST

Raw message

From: smb@research.att.com
Date: Sun, 16 Jan 94 05:33:13 PST
To: Mike Ingle <MIKEINGLE@delphi.com>
Subject: Re: PGP's e exponent too small?
Message-ID: <9401161330.AA10496@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


	Is the e exponent in PGP too small? It's usually 17 decimal.

	Applied Cryptography pp. 287-288 says:

	"Low Exponent Attack Against RSA

	Another suggestion to 'improve' RSA is to use low values for e,
	the public key. This makes encryption fast and easy to perform.
	Unfortunately, it is also insecure. Hastad demonstrated a
	successful attack against RSA with a low encryption key [417].
	Another attack by Michael Wiener will recover e, when e is up
	to one quarter the size of n [878]. A low decryption key, d, is
	just as serious a problem. Moral: Choose large values for e and d."

There was some discussion on this on sci.crypt.  Briefly, the folks
from RSA don't agree that it's a problem in practice.  If you always
include some random padding in the message, you're safe, if I remember
what Kaliski posted.
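An added example (not part of the original message and not PGP's code) of the point made in the reply: with e = 17, one unpadded message sent to 17 recipients can be recovered from the ciphertexts alone with the Chinese Remainder Theorem and an integer 17th root, and fresh random padding per recipient makes that recovery fail. The roughly 62-bit moduli, the message and all function names are constructed for illustration, and the appended random bytes are a toy stand-in for a real padding scheme.

```python
import secrets
from math import isqrt, prod

E = 17  # public exponent the question says PGP usually uses

def is_prime(n):
    """Trial division; adequate for the ~31-bit toy primes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % f for f in range(3, isqrt(n) + 1, 2))

def toy_moduli(count, start=2**31 + 1):
    """Constructed toy keys: count moduli n = p*q from distinct primes just above 2**31."""
    primes, c = [], start
    while len(primes) < 2 * count:
        if is_prime(c) and (c - 1) % E:  # keep E invertible mod p-1
            primes.append(c)
        c += 2
    return [primes[2 * i] * primes[2 * i + 1] for i in range(count)]

def crt(residues, moduli):
    """Combine x = c_i (mod n_i) into the unique x modulo prod(n_i)."""
    N = prod(moduli)
    return sum(c * (N // n) * pow(N // n, -1, n) for c, n in zip(residues, moduli)) % N

def iroot(x, k):
    """Floor of the k-th root of x, by binary search on exact integers."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid - 1)
    return lo

def broadcast(msg, moduli, pad_bytes=0):
    """Encrypt msg under every modulus; pad_bytes > 0 appends fresh random bytes each time."""
    out = []
    for n in moduli:
        m = int.from_bytes(msg + secrets.token_bytes(pad_bytes), "big")
        if m >= n:
            raise ValueError("message too long for toy modulus")
        out.append(pow(m, E, n))
    return out

def recover_shared_plaintext(ciphertexts, moduli):
    """Return m if every ciphertext is m**E for one shared m, else None."""
    x = crt(ciphertexts, moduli)  # equals m**E over the integers when m is shared
    r = iroot(x, E)
    return r if r ** E == x else None

if __name__ == "__main__":
    keys = toy_moduli(E)
    print(recover_shared_plaintext(broadcast(b"key", keys), keys))     # integer form of b"key"
    print(recover_shared_plaintext(broadcast(b"key", keys, 4), keys))  # None
```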




