[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Ralf Senderek crypto at senderek.ie
Tue Jun 9 06:54:34 EDT 2020 


On Tue, 9 Jun 2020, Weger, B.M.M. de wrote:

... <snip>

> As a consequence, the probability that d will be almost as large as
> phi(n) is overwhelmingly large, whether or not e is small or large.
> Roughly only 1 in a million d's will be 20 bits shorter than phi(n),
> and only 1 in a million*million d's will be 40 bits shorter than phi(n).

I'll skip the Einstein quote about theory and practice because I have
no reason to dispute your findings above.

But I'd like to add the CONTEXT that has gone missing by now.
In an implementation that people really use with RSA keys it's not the
ideal world of mathematics. Florian complained about an implementation
of a crypto library that fixes e=3. The mathematical answer to this
(as argued above) is "don't worry there ar sooo many d's, all is fine"

Adding another piece of context, I myself referred to a 2012 research
that found a worring number of re-used prime factors and asked if in
such a situation fixing e to sub-32 bit is prudent. I did this after
Peter answered my observation that there are crypto implementations
that allow for a range of e values the size of n in their datastructure
with an anectdote that some people see this as necessary, which
led to my top-of-the-head example that sparced the mathematical view
expressed above. My point was, that it is not prudent to fix another
parameter to a low value if in the wild you can find X-509 RSA moduli
with common prime factors (and maybe worse).

I wonder if your answer with regard to the practical consequences of
real RSA use here and now is still "don't worry there ar sooo many d's,
all is fine"?

And adding a last piece of context. The original poster, John Gilmore,
brought up another implementation question, what's going on behind
the scenes in Zoom's crypto bulletin board that distributes meeting
keys? Is it possible for an adversary to deny a legitimate user access
to a meeting by posting some carefully crafted nonsense to the board.

I myself feel guilty to have deviated the postings away from John's
(in my view) still unanswered question. So fellows, let the context
be with you. Always.

      --ralf

More information about the cryptography mailing list