[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

[Stephan Neuhaus]

On 6/9/20 2:08 PM, Weger, B.M.M. de wrote:
> Ralph wrote on June 6:
> 
>> because forcing a 2048 bit n to be used
>> with a 2041 bit e will give them quite a handy, small private decryption
>> exponent d.
> 
> and on June 9:
> 
>> I wonder if your answer with regard to the practical consequences of
>> real RSA use here and now is still "don't worry there ar sooo many d's,
>> all is fine"?
> 
> Hi Ralph,
> 
> Sorry that I was drifting more off-context, and still am...
> 
> My points can be summarized as follows:
> 
> - a 2048 bit n with a 2041 bit e will give with overwhelming
>    probability a d with bitsize close to 2048, unless you
>    really do your best to get d smaller

That was what I was thinking also, which is why I asked that question 
originally (or maybe we both hit on the same point, the messages to the 
list seem to cross each other). The d's seem to be very much equally 
distributed. If that is true, then you'll very probably get a d that's 
close to the bitsize of n with *any* suitable e.

> - "don't worry there ar sooo many d's, all is fine" comes close;
>    I would say: "don't worry *), the bad d's are sooo unlikely to
>    show up **), all is fine".

Yep.

> *)  if you use proper random generation
> **) and you can anyway build in checks in your key pair generation

Fun

Stephan