[147901] in cryptography@c2.net mail archive


Re: [Cryptography] Standard exponents in RSA

daemon@ATHENA.MIT.EDU (David Mercer)
Wed Oct 30 14:54:46 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20131030190242.7a9e11a7@hboeck.de>
Date: Thu, 31 Oct 2013 02:39:42 +0800
From: David Mercer <radix42@gmail.com>
To: Hanno Böck <hanno@hboeck.de>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>

On Thu, Oct 31, 2013 at 2:02 AM, Hanno Böck <hanno@hboeck.de> wrote:

> On Wed, 30 Oct 2013 18:07:18 +0100
> Ralph Holz <ralph-cryptometzger@ralphholz.de> wrote:
>
> > the two most common exponents that one finds in X.509 RSA certs are
> > 65537 and 17 -- in my data, they account for near 100%. Have these
> > been chosen as the result of some standardisation and was there some
> > cryptographic reasoning behind it, or is it simply that any exponent
> > will do? Any performance issues?
>
> NIST SP 800-56B says so:
> http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf
>
> (or to be precise, it says minimum size 65537 - so most people seem to
> choose the minimum, which is also fast in computation)
>
> There have been some attacks in the past that only work with very small
> exponents (like 3 or 4). An example is the Bleichenbacher attack on RSA
> signatures, it only works with e=3, see here:
> http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html
>
> 65537 seems a reasonable choice, because it allows still fast
> computation. See Wikipedia:
> https://en.wikipedia.org/wiki/65537_(number)
> "due to its low Hamming weight (number of 1 bits) can be computed
> extremely quickly on binary computers, which often support shift and
> increment instructions"
>

I wonder if any performance-obsessed fool has been spotted in the wild
using an exponent of zero, which would be the RSA version of ROT-13, no?
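
The performance and exponent-size points in this thread, as an added example that is not part of the original messages: a Python sketch that counts the modular multiplications square-and-multiply needs for a given exponent, and flags degenerate, even, or below-minimum public exponents. The toy modulus 3233, the sample exponents and the function names are assumptions made for illustration.

```python
# Added illustration, not code from the thread. MIN_E is the minimum
# quoted in the thread; the sample exponents are constructed.
MIN_E = 65537

def square_and_multiply(base, e, n):
    """Left-to-right binary exponentiation.

    Returns (base**e mod n, squarings, multiplications)."""
    if e < 0 or n < 1:
        raise ValueError("need e >= 0 and n >= 1")
    result, squarings, multiplications = 1 % n, 0, 0
    started = False
    for bit in bin(e)[2:]:
        if started:                      # one squaring per bit after the first
            result = result * result % n
            squarings += 1
        if bit == "1":
            if started:                  # one extra multiply per further 1 bit
                result = result * base % n
                multiplications += 1
            else:                        # leading 1 bit only loads the base
                result, started = base % n, True
    return result, squarings, multiplications

def check_public_exponent(e, min_e=MIN_E):
    """Return findings for a public exponent read from a certificate."""
    if e < 2:
        return ["degenerate: m**e mod n is 1 (e=0) or m itself (e=1)"]
    if e % 2 == 0:
        return ["even: shares the factor 2 with phi(n), so no private exponent exists"]
    if e < min_e:
        return [f"below the minimum of {min_e}"]
    return []

def report(exponents, n=3233, m=65):     # toy modulus 61*53, toy message
    rows = []
    for e in exponents:
        c, sq, mul = square_and_multiply(m, e, n)
        assert c == pow(m, e, n)         # cross-check against the built-in
        rows.append((e, sq + mul, check_public_exponent(e)))
    return rows

if __name__ == "__main__":
    for e, ops, findings in report([0, 1, 3, 4, 17, 65537, 0x1FFFF]):
        print(f"e={e:<7} modmults={ops:<3} {'; '.join(findings) or 'ok'}")
```

65537 and 0x1FFFF are both 17 bits long, but the first has two 1 bits and the second has seventeen, which is the Hamming-weight difference the quoted Wikipedia sentence refers to.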
