[147895] in cryptography@c2.net mail archive
Re: [Cryptography] Standard exponents in RSA
daemon@ATHENA.MIT.EDU (Hanno =?UTF-8?B?QsO2Y2s=?=)
Wed Oct 30 14:34:52 2013
X-Original-To: cryptography@metzdowd.com
Date: Wed, 30 Oct 2013 19:02:42 +0100
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: cryptography@metzdowd.com
In-Reply-To: <52713CC6.1000809@ralphholz.de>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
--===============1212794028320221988==
Content-Type: multipart/signed; micalg=PGP-SHA512; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-16778-1383156181-0001-2"
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
--=_zucker.schokokeks.org-16778-1383156181-0001-2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
On Wed, 30 Oct 2013 18:07:18 +0100
Ralph Holz <ralph-cryptometzger@ralphholz.de> wrote:
> the two most common exponents that one finds in X.509 RSA certs are
> 65537 and 17 -- in my data, they account for near 100%. Have these
> been chosen as the result of some standardisation and was there some
> cryptographic reasoning behind it, or is it simply that any exponent
> will do? Any performance issues?
NIST SP 800-56B says so:
http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf
(or to be precise, it says minimum size 65537 - so most people seem to
choose the minimum, which is also fast in computation)
There have been some attacks in the past that only work with very small
exponents (like 3 or 4). An example is the Bleichenbacher attack on RSA
signatures, it only works with e=3D3, see here:
http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html
65537 seems a reasonable choice, because it allows still fast
computation. See Wikipedia:
https://en.wikipedia.org/wiki/65537_(number)
"due to its low Hamming weight (number of 1 bits) can be computed
extremely quickly on binary computers, which often support shift and
increment instructions"
--=20
Hanno B=C3=B6ck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
--=_zucker.schokokeks.org-16778-1383156181-0001-2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=signature.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBCgAGBQJScUnEAAoJEKWIAHK7tR5CAE4P/0lNjXn+5vW/MNhCRDI87DuH
/iymDVG8YBdL4y/XAWoBiBWolDKJnG85eqgsj3yKW+/R7qwl316HiG0AjIKQbNax
gSXPfDST1olZnheIVAsRewYsJUGTvuLevUVQY+fESspsEOoVmCTM53Slln4lpTgh
Hz3CI+bOsNROLJYIlJCQVfY3YY2frvKMo924Q1RcKK8EV9p7mLDUTvLNFG5e4djH
p+evcybNFBQRhxEJvji7CbBHXb5OYLi0TCXXKkIGj9Q7cCGmPglFbSvzUGDcTuaU
ve53BJuQ4ApZAvasUl65qxlTcDlc9u4vGtDcDpf06E5hSkMh2JUI5iwpKoe1rB2e
PwQtx/0MkKP5/cj+pkswP2+NUQWQE+fmtHFilO4038LgHY7BLHAfww0ltKYcYJUv
syVU/NiYzpssPKEHYw8yZkAIIzclGkSpe62h7W2JAyLwBLuyJDYAMS9ir9TZsejQ
SBdJ2UkjQXL5xXL+8sPxkvADlKwSaGYr3Ixe3XOTUS72f5KMp3Vv6uZqetwN7xjl
1TAM6LwUIlmalUtqWDFQdkICngsi6/VVbURoIHGM4wDuNWoZcVz/2GKN4J+pSryf
1/mJPP2xdMvOvetY37sscj1GIZty4hBTYccjMcldJNfpi+7phrdOF4+kBX9YhkWq
zIR1/PRiiH+QnXjgvGfs
=7N8r
-----END PGP SIGNATURE-----
--=_zucker.schokokeks.org-16778-1383156181-0001-2--
--===============1212794028320221988==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============1212794028320221988==--
