[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Bart Preneel bart.preneel at esat.kuleuven.be
Mon Jun 8 18:44:32 EDT 2020

On Mon, 8 Jun 2020, Ralf Senderek wrote:

> On Mon, 8 Jun 2020, Stephan Neuhaus wrote:
>> On 6/5/20 10:33 AM, Ralf Senderek wrote:
>>>  Well, everything can be overdone, because forcing a 2048 bit n to be used
>>>  with a 2041 bit e will give them quite a handy, small private decryption
>>>  exponent d.
>> Will it? Can I ask you to explain your reasoning?
>> Fun,
>> Stephan
> If I'm not mistaken then phi(n) = (p-1)*(q-1) is of roughly the same size
> as n.
> And if e*d = 1 mod phi(n) , then you *might* find a small d if e is large.
> You may as well find a large d if e is large, but any small one that fits
> the bill will decrypt your ossifrage.
>   --ralf
> PS: doesn't convince you?

Small secret exponents (less than 25% of modulus length) are known to be 
insecure since 1989.

Michael J. Wiener: Cryptanalysis of short RSA secret exponents. 
IEEE Trans. Inf. Theory 36(3): 553-558 (1990) (conference version was Eurocrypt 1989).

See also https://en.wikipedia.org/wiki/Wiener%27s_attack

There have been several improvements up to 29% of modulus length, e.g., 


More information about the cryptography mailing list