[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption
Bart Preneel
bart.preneel at esat.kuleuven.be
Mon Jun 8 18:44:32 EDT 2020
On Mon, 8 Jun 2020, Ralf Senderek wrote:
>
>
> On Mon, 8 Jun 2020, Stephan Neuhaus wrote:
>
>> On 6/5/20 10:33 AM, Ralf Senderek wrote:
>>> Well, everything can be overdone, because forcing a 2048 bit n to be used
>>> with a 2041 bit e will give them quite a handy, small private decryption
>>> exponent d.
>>
>> Will it? Can I ask you to explain your reasoning?
>>
>> Fun,
>>
>> Stephan
>
> If I'm not mistaken then phi(n) = (p-1)*(q-1) is of roughly the same size
> as n.
> And if e*d = 1 mod phi(n) , then you *might* find a small d if e is large.
> You may as well find a large d if e is large, but any small one that fits
> the bill will decrypt your ossifrage.
>
> --ralf
>
> PS: doesn't convince you?
Small secret exponents (less than 25% of modulus length) are known to be
insecure since 1989.
Michael J. Wiener: Cryptanalysis of short RSA secret exponents.
IEEE Trans. Inf. Theory 36(3): 553-558 (1990) (conference version was Eurocrypt 1989).
See also https://en.wikipedia.org/wiki/Wiener%27s_attack
There have been several improvements up to 29% of modulus length, e.g.,
https://eprint.iacr.org/2011/591.pdf
-Bart
More information about the cryptography
mailing list