[Cryptography] Standard exponents in RSA

Hanno Böck hanno at hboeck.de
Wed Oct 30 14:02:42 EDT 2013


On Wed, 30 Oct 2013 18:07:18 +0100
Ralph Holz <ralph-cryptometzger at ralphholz.de> wrote:

> the two most common exponents that one finds in X.509 RSA certs are
> 65537 and 17 -- in my data, they account for near 100%. Have these
> been chosen as the result of some standardisation and was there some
> cryptographic reasoning behind it, or is it simply that any exponent
> will do? Any performance issues?

NIST SP 800-56B says so:
http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf

(or to be precise, it says minimum size 65537 - so most people seem to
choose the minimum, which is also fast in computation)

There have been some attacks in the past that only work with very small
exponents (like 3 or 4). An example is the Bleichenbacher attack on RSA
signatures; it only works with e=3, see here:
http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html

65537 seems a reasonable choice, because it still allows fast
computation. See Wikipedia:
https://en.wikipedia.org/wiki/65537_(number)
"due to its low Hamming weight (number of 1 bits) can be computed
extremely quickly on binary computers, which often support shift and
increment instructions"



-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
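
Added example, not part of the original post: a square-and-multiply exponentiation that counts its operations, showing that the number of squarings follows the exponent's bit length and the number of multiplications follows its Hamming weight. The function names, the toy modulus N, the message M and the contrast exponent 65535 are constructed for illustration.

```python
# Cost of RSA public-key exponentiation for the exponents discussed above.
# Everything here is constructed for illustration; N is far too small for real use.

def modexp_count(base, e, n):
    """Left-to-right square-and-multiply.

    Returns (result, squarings, multiplications) so the cost of a
    public exponent can be compared directly.
    """
    if e <= 0:
        raise ValueError("exponent must be positive")
    result = base % n
    squarings = multiplications = 0
    # bin(e) is '0b1...'; the leading 1 bit is consumed by result = base.
    for bit in bin(e)[3:]:
        result = (result * result) % n
        squarings += 1
        if bit == "1":
            result = (result * base) % n
            multiplications += 1
    return result, squarings, multiplications

def hamming_weight(e):
    """Number of 1 bits in e."""
    return bin(e).count("1")

# Constructed toy modulus: product of the Mersenne primes 2^61-1 and 2^89-1.
N = (2**61 - 1) * (2**89 - 1)
M = 0x1234567890ABCDEF  # constructed sample message representative

def compare(exponents=(3, 17, 65537, 65535)):
    """Return (e, bit_length, hamming_weight, squarings, multiplications) rows.

    65535 is not a suggested exponent; it is included only as a value of
    similar size with a high Hamming weight.
    """
    rows = []
    for e in exponents:
        c, sq, mul = modexp_count(M, e, N)
        if c != pow(M, e, N):  # cross-check against the built-in
            raise RuntimeError("square-and-multiply mismatch for e=%d" % e)
        rows.append((e, e.bit_length(), hamming_weight(e), sq, mul))
    return rows

if __name__ == "__main__":
    for row in compare():
        print("e=%-6d bits=%-3d weight=%-3d squarings=%-3d multiplies=%d" % row)
```

With this method 65537 costs 16 squarings and one multiplication, while 65535 costs 15 squarings and 15 multiplications despite being one bit shorter.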