1994-01-16 - Re: PGP’s e exponent too small?
Header Data
From: smb@research.att.com
To: Mike Ingle <MIKEINGLE@delphi.com>
Message Hash: e6b88b03dffe2a3a92ae26a409605c1765e9fcfbe2aeda6d662d6d6f62574768
Message ID: <9401161330.AA10496@toad.com>
Reply To: N/A
UTC Datetime: 1994-01-16 13:33:13 UTC
Raw Date: Sun, 16 Jan 94 05:33:13 PST
Raw message
From: smb@research.att.com
Date: Sun, 16 Jan 94 05:33:13 PST
To: Mike Ingle <MIKEINGLE@delphi.com>
Subject: Re: PGP's e exponent too small?
Message-ID: <9401161330.AA10496@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
Is the e exponent in PGP too small? It's usually 17 decimal.
Applied Cryptography pp. 287-288 says:
"Low Exponent Attack Against RSA
Another suggestion to 'improve' RSA is to use low values for e,
the public key. This makes encryption fast and easy to perform.
Unfortunately, it is also insecure. Hastad demonstrated a
successful attack against RSA with a low encryption key [417].
Another attack by Michael Wiener will recover e, when e is up
to one quarter the size of n [878]. A low decryption key, d, is
just as serious a problem. Moral: Choose large values for e and d."
There was some discussion on this on sci.crypt. Briefly, the folks
from RSA don't agree that it's a problem in practice. If you always
include some random padding in the message, you're safe, if I remember
what Kaliski posted.
Thread
Return to January 1994
- Return to “Matthew J Ghio <mg5n+@andrew.cmu.edu>”
Return to “smb@research.att.com”
- 1994-01-16 (Sun, 16 Jan 94 05:33:13 PST) - Re: PGP’s e exponent too small? - smb@research.att.com
- 1994-01-16 (Sun, 16 Jan 94 12:18:16 PST) - Re: PGP’s e exponent too small? - Matthew J Ghio <mg5n+@andrew.cmu.edu>