[Cryptography] Standard exponents in RSA

David Mercer radix42 at gmail.com
Wed Oct 30 14:39:42 EDT 2013


On Thu, Oct 31, 2013 at 2:02 AM, Hanno Böck <hanno at hboeck.de> wrote:

> On Wed, 30 Oct 2013 18:07:18 +0100
> Ralph Holz <ralph-cryptometzger at ralphholz.de> wrote:
>
> > the two most common exponents that one finds in X.509 RSA certs are
> > 65537 and 17 -- in my data, they account for near 100%. Have these
> > been chosen as the result of some standardisation and was there some
> > cryptographic reasoning behind it, or is it simply that any exponent
> > will do? Any performance issues?
>
> NIST SP 800-56B says so:
> http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf
>
> (or to be precise, it says minimum size 65537 - so most people seem to
> choose the minimum, which is also fast in computation)
>
> There have been some attacks in the past that only work with very small
> exponents (like 3 or 4). An example is the Bleichenbacher attack on RSA
> signatures; it only works with e=3, see here:
> http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html
>
> 65537 seems a reasonable choice, because it still allows fast
> computation. See Wikipedia:
> https://en.wikipedia.org/wiki/65537_(number)
> "due to its low Hamming weight (number of 1 bits) can be computed
> extremely quickly on binary computers, which often support shift and
> increment instructions"
>

I wonder if any performance-obsessed fool has been spotted in the wild
using an exponent of zero, which would be the RSA version of ROT-13, no?
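The Hamming-weight point quoted in the thread, as an added example that is not part of the original messages: a left-to-right square-and-multiply that counts modular operations for the exponents mentioned (3, 17, 65537). The toy modulus, the sample message, the function names and the comparison exponent 131071 (same bit length as 65537 but all bits set) are assumptions chosen for illustration.

```python
# Added illustration: cost of RSA public exponents under binary exponentiation.
# Constructed toy modulus (product of two Mersenne primes); not a secure RSA key.
TOY_MODULUS = (2**127 - 1) * (2**89 - 1)
SAMPLE_MESSAGE = 0x1234567890ABCDEF  # constructed sample value


def modexp_counted(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, squarings, multiplications)."""
    if exponent < 1:
        raise ValueError("exponent must be >= 1")
    result = base % modulus
    squarings = multiplications = 0
    # bin() gives '0b1...'; the leading 1 bit is consumed by result = base.
    for bit in bin(exponent)[3:]:
        result = (result * result) % modulus
        squarings += 1
        if bit == "1":
            result = (result * base) % modulus
            multiplications += 1
    return result, squarings, multiplications


def predicted_cost(exponent):
    """(bit_length - 1) squarings and (Hamming weight - 1) multiplications."""
    return exponent.bit_length() - 1, bin(exponent).count("1") - 1


def profile(exponents, modulus=TOY_MODULUS, message=SAMPLE_MESSAGE):
    """Map each exponent to (squarings, multiplications), checked against pow()."""
    table = {}
    for e in exponents:
        result, squarings, multiplications = modexp_counted(message, e, modulus)
        if result != pow(message, e, modulus):
            raise AssertionError(f"mismatch for e={e}")
        table[e] = (squarings, multiplications)
    return table


if __name__ == "__main__":
    # 131071 = 2**17 - 1 is a hypothetical dense exponent used only for contrast.
    for e, (sq, mul) in profile([3, 17, 65537, 131071]).items():
        weight = bin(e).count("1")
        print(f"e={e:>6}  weight={weight:>2}  squarings={sq:>2}  "
              f"multiplications={mul:>2}  total={sq + mul}")
```

With equal bit length, 65537 needs 17 modular operations against 32 for 131071; the difference is entirely the number of set bits.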

