Rabin-Williams exponent 2 is not at stake, never been (WAS: Exponent 3 damage spreads...)
Thierry Moreau
thierry.moreau at connotech.com
Thu Sep 14 11:47:44 EDT 2006
Peter Gutmann wrote:
>
> There'll always be broken standards out there that require e=3 (I know of
> at least one that uses e=2, and [...]
>
OK, we've got into trouble with the exponent 3 because the RSA technique
has been applied with varying degrees of care (both specifications
drafting and implementation phase), and the number-theoretic properties
of low-exponent RSA are now hitting us, as the theory predicted.
But please, don't put the Rabin-Williams exponent 2 into the picture at
the same level of low-exponent RSA. The two are close numerically, but
very far apart historically, number-theoretically (wrt computational
complexity proofs), and implementation-wise. First, the exponent 2 has a
built-in 4-to-1 ambiguity in the private key computation, which has been
addressed in many different ways in cryptosystems based on the "x^2 mod
N" primitive. Second, the number-theoretic proofs were always more
advanced with exponent 2 than low exponent RSA, so that specifications
drafters were well informed of the implementation pitfalls.
Peter, if you know a standard that uses public exponent 2 *and* either
handles the 4-to-1 ambiguity in the private key computation in a way
that appears inadequate, or allows arbitrary selection of (portions of)
the public key operation input value, tell us. It would be
specifications drafted without consideration of the most elementary
advice from the number-theoreticians. The equivalent advice was usually
lacking in the case of low-exponent RSA.
This being said, I don't want to participate in a further debate
Rabin-Williams vs low exponent RSA. I just wish to limit the
misrepresentations about the Rabin-Williams family of cryptosystems.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com
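The 4-to-1 ambiguity of the "x^2 mod N" primitive and the Williams way of resolving it, as an added example that is not part of the post above and not Thierry Moreau's code. It uses toy-sized constructed primes p = 3 (mod 8) and q = 7 (mod 8); with that choice -1 and 2 have Jacobi characters (-1,-1) and (-1,+1) modulo (p,q), so for any h coprime to N exactly one of h, -h, h/2, -h/2 is a square mod N, and of the four roots of that square exactly one has Jacobi symbol +1 modulo N and lies below N/2. The block also shows why an inadequate handling of the ambiguity is fatal: two roots that are not negatives of each other factor N. The function and constant names are this example's own.

```python
"""Added example (not from the post): Rabin-Williams square roots mod N = p*q
with p = 3 (mod 8), q = 7 (mod 8).  Shows the 4-to-1 ambiguity of x^2 mod N,
why leaking an arbitrary root factors N, and the Williams tweak (multipliers
{1, -1, 2, -2} plus a Jacobi-symbol and size rule) that makes the private-key
computation return one canonical root.  Parameters are toy-sized, constructed
for illustration only."""
from math import gcd

# Constructed toy primes: 1019 = 3 (mod 8), 1031 = 7 (mod 8); both = 3 (mod 4).
P, Q = 1019, 1031
N = P * Q
SAMPLE_H = 123456  # constructed "hash" value, coprime to N
assert P % 8 == 3 and Q % 8 == 7

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sqrt_mod_prime(a, p):
    """Square root mod a prime p = 3 (mod 4); a must be a quadratic residue."""
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "not a quadratic residue"
    return r

def all_roots(s):
    """All four square roots of the square s modulo N (private-key operation)."""
    rp, rq = sqrt_mod_prime(s, P), sqrt_mod_prime(s, Q)
    qinv_p = pow(Q, -1, P)  # CRT coefficient Q^-1 mod P
    roots = set()
    for a in (rp, P - rp):
        for b in (rq, Q - rq):
            # CRT: x = b (mod Q) and x = a (mod P)
            roots.add((b + Q * ((a - b) * qinv_p % P)) % N)
    return sorted(roots)

def factor_from_roots(x, y):
    """If x^2 = y^2 (mod N) but x != +-y, gcd(x - y, N) is a proper factor.
    This is why an oracle returning an arbitrary root gives away the key."""
    g = gcd(x - y, N)
    return g if 1 < g < N else None

def tweak(h):
    """Williams tweak: the unique e in {1,-1}, f in {1,2} with h*e/f a square
    mod N, plus that square.  Uniqueness follows from the characters of -1
    and 2 modulo (P, Q) being (-1,-1) and (-1,+1)."""
    assert gcd(h, N) == 1
    inv2 = pow(2, -1, N)
    for f in (1, 2):
        for e in (1, -1):
            t = h * e * (inv2 if f == 2 else 1) % N
            if jacobi(t, P) == 1 and jacobi(t, Q) == 1:
                return e, f, t
    raise AssertionError("unreachable for gcd(h, N) == 1")

def principal_root(t):
    """Canonical root: Jacobi(x/N) = +1 and x < N/2 selects exactly one of four."""
    cands = [x for x in all_roots(t) if jacobi(x, N) == 1 and 2 * x < N]
    assert len(cands) == 1
    return cands[0]

def sign(h):
    """Rabin-Williams style signature (e, f, s) on an already-hashed value h."""
    e, f, t = tweak(h)
    return e, f, principal_root(t)

def verify(h, sig):
    """Public-key operation: e * f * s^2 == h (mod N) with s in canonical range."""
    e, f, s = sig
    return 2 * s < N and (e * f * s * s - h) % N == 0

if __name__ == "__main__":
    sig = sign(SAMPLE_H)
    print("signature (e, f, s):", sig, "valid:", verify(SAMPLE_H, sig))
    roots = all_roots(sig[2] * sig[2] % N)
    print("four roots of s^2:", roots)
    print("factor of N from two non-opposite roots:",
          factor_from_roots(roots[0], roots[1]))
```

Note that verification only needs the public (e, f, s) and N; the canonical-root rule matters on the private-key side, since a signer (or decryption oracle) that picked a root at random among the four would, over two queries on related inputs, hand out a pair of non-opposite roots and with it the factorization of N.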
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com