[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption
Weger, B.M.M. de
b.m.m.d.weger at TUE.nl
Tue Jun 9 08:08:54 EDT 2020
Ralph wrote on June 6:
> because forcing a 2048 bit n to be used
> with a 2041 bit e will give them quite a handy, small private decryption
> exponent d.
and on June 9:
> I wonder if your answer with regard to the practical consequences of
> real RSA use here and now is still "don't worry there ar sooo many d's,
> all is fine"?
Hi Ralph,
Sorry that I was drifting more off-context, and still am...
My points can be summarized as follows:
- a 2048 bit n with a 2041 bit e will give with overwhelming
probability a d with bitsize close to 2048, unless you
really do your best to get d smaller
- "don't worry there ar sooo many d's, all is fine" comes close;
I would say: "don't worry *), the bad d's are sooo unlikely to
show up **), all is fine".
There's (afaict) nothing wrong with e = F4. But if you have doubts,
there's also nothing wrong with much bigger e's (unless performance
really is an issue). I agree with you that, generally speaking,
only allowing <= 32 bit e in an implementation is a not to be
preferred inflexibility.
Grtz,
Benne
*) if you use proper random generation
**) and you can anyway build in checks in your key pair generation
More information about the cryptography
mailing list