[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Weger, B.M.M. de b.m.m.d.weger at TUE.nl
Tue Jun 9 08:08:54 EDT 2020

Ralph wrote on June 6:

> because forcing a 2048 bit n to be used
> with a 2041 bit e will give them quite a handy, small private decryption
> exponent d.

and on June 9:

> I wonder if your answer with regard to the practical consequences of
> real RSA use here and now is still "don't worry there are sooo many d's,
> all is fine"?

Hi Ralph,

Sorry that I was drifting more off-context, and still am...

My points can be summarized as follows:

- a 2048 bit n with a 2041 bit e will give with overwhelming
  probability a d with bitsize close to 2048, unless you
  really do your best to get d smaller

- "don't worry there are sooo many d's, all is fine" comes close;
  I would say: "don't worry *), the bad d's are sooo unlikely to
  show up **), all is fine".

There's (afaict) nothing wrong with e = F4. But if you have doubts,
there's also nothing wrong with much bigger e's (unless performance
really is an issue). I agree with you that, generally speaking, 
only allowing <= 32 bit e in an implementation is a not to be 
preferred inflexibility.


*)  if you use proper random generation 
**) and you can anyway build in checks in your key pair generation
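
Added example, not part of the original message: a Python sketch of RSA key generation with a random 2041-bit e for a 2048-bit n, using the OS random source and a check on d built into the generation loop. The function names, the pure-Python Miller-Rabin test, and the rejection threshold (d no longer than half the modulus length, which sits well above the known small-d attack bounds) are assumptions of this example.

```python
import math
import secrets
_rng = secrets.SystemRandom()  # OS CSPRNG ("proper random generation")

def is_probable_prime(n, rounds=40):  # Miller-Rabin with random bases
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        c = _rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c

def private_exponent_ok(d, n):
    """Key-generation check (assumed threshold): d must exceed half of n's length."""
    return d.bit_length() > n.bit_length() // 2

def generate_key(n_bits=2048, e_bits=2041):
    """Pick a random e_bits-bit odd e; redraw e if d fails the check."""
    p, q = random_prime(n_bits // 2), random_prime(n_bits // 2)
    while q == p:
        q = random_prime(n_bits // 2)
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
    while True:
        e = _rng.getrandbits(e_bits) | (1 << (e_bits - 1)) | 1
        if math.gcd(e, lam) == 1:
            d = pow(e, -1, lam)  # d is spread over [1, lam), so short d is rare
            if private_exponent_ok(d, n):
                return n, e, d
```

Calling `generate_key()` and printing `d.bit_length()` over repeated runs shows values within a few bits of 2048; the redraw branch is effectively never taken.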
