[43155] in cryptography@c2.net mail archive


Rabin-Williams exponent 2 is not at stake, never been (WAS: Exponent

daemon@ATHENA.MIT.EDU (Thierry Moreau)
Thu Sep 14 13:22:29 2006

X-Original-To: cryptography@metzdowd.com
Date: Thu, 14 Sep 2006 11:47:44 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: cryptography@metzdowd.com
In-Reply-To: <E1GNpaL-0006uN-00@medusa01.cs.auckland.ac.nz>



Peter Gutmann wrote:
> 
> There'll always be broken standards out there that require e=3 (I know of
> at least one that uses e=2, and [...] 
> 

OK, we've got into trouble with the exponent 3 because the RSA technique 
has been applied with varying degrees of care (both specifications 
drafting and implementation phase), and the number-theoretic properties 
of low-exponent RSA are now hitting us, as the theory predicted.

But please, don't put the Rabin-Williams exponent 2 into the picture at 
the same level of low-exponent RSA. The two are close numerically, but 
very far apart historically, number-theoretically (wrt computational 
complexity proofs), and implementation-wise. First, the exponent 2 has a 
built-in 4-to-1 ambiguity in the private key computation, which has been 
addressed in many different ways in cryptosystems based on the "x^2 mod 
N" primitive. Second, the number-theoretic proofs were always more 
advanced with exponent 2 than low exponent RSA, so that specifications 
drafters were well informed of the implementation pitfalls.

Peter, if you know a standard that uses public exponent 2 *and* either 
handles the 4-to-1 ambiguity in the private key computation in a way 
that appears inadequate, or allows arbitrary selection of (portions of) 
the public key operation input value, tell us. It would be 
specifications drafted without consideration of the most elementary 
advice from the number-theoreticians. The equivalent advice was usually 
lacking in the case of low-exponent RSA.

This being said, I don't want to participate in a further debate on 
Rabin-Williams vs low exponent RSA. I just wish to limit the 
misrepresentations about the Rabin-Williams family of cryptosystems.

Regards,

-- 

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
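The two points the message above turns on, the 4-to-1 ambiguity of the "x^2 mod N" primitive and the danger of letting a caller choose the input to the private operation, as an added worked example in Python. This is not code from the original post, from Peter Gutmann, or from any standard the thread refers to. It uses Williams' well-known variant (p = 3 mod 8, q = 7 mod 8, two one-bit tweaks e in {1,-1} and f in {1,2} that make e*f*h a square), which the message alludes to but does not spell out; the toy primes, the "smallest root" selection policy, the chosen-input attack loop and the counter in `hash_to_input` are assumptions made here for illustration.

```python
"""Toy Rabin / Rabin-Williams arithmetic (added example, not from the original
message): the 4-to-1 ambiguity of x^2 mod N, the Williams tweak that removes
it, and why the private operation must not accept caller-chosen inputs."""
import hashlib
import math
import random

# Constructed toy primes meeting the Williams condition p = 3, q = 7 (mod 8).
# They are nowhere near a real key size.
P, Q = 1019, 1031
N = P * Q


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(rp, rq):
    """Residue mod N from residues mod P and mod Q."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N


def square_roots(y):
    """All four square roots of a quadratic residue y mod N (the 4-to-1
    ambiguity).  With P, Q = 3 (mod 4) a root mod each prime is y^((p+1)/4);
    knowing P and Q is the private key."""
    rp = pow(y, (P + 1) // 4, P)
    rq = pow(y, (Q + 1) // 4, Q)
    if (rp * rp - y) % P or (rq * rq - y) % Q:
        raise ValueError("not a quadratic residue mod N")
    return sorted({crt(sp, sq) for sp in (rp, P - rp) for sq in (rq, Q - rq)})


def factor_from_two_roots(x, s):
    """s^2 = x^2 (mod N) with s != +-x yields a factor via gcd(x - s, N)."""
    g = math.gcd((x - s) % N, N)
    return g if 1 < g < N else None


def chosen_input_attack(oracle, rng, tries=64):
    """Attacker controls the oracle's input: submit x^2 for random x.  The
    root handed back differs from +-x half the time, which factors N."""
    for _ in range(tries):
        x = rng.randrange(2, N)
        if math.gcd(x, N) != 1:
            return math.gcd(x, N)
        g = factor_from_two_roots(x, oracle(x * x % N))
        if g:
            return g
    return None


def demo_attack(seed=1):
    """Naive private operation: one fixed root of whatever it is given."""
    return chosen_input_attack(lambda y: square_roots(y)[0], random.Random(seed))


def rw_sign(h):
    """Rabin-Williams private operation on 0 < h < N coprime to N: choose
    e in {1,-1}, f in {1,2} so e*f*h is a square mod N, then take one root."""
    assert 0 < h < N and math.gcd(h, N) == 1
    # (2/N) = (2/P)(2/Q) = -1 under the Williams condition, so f = 2 repairs
    # a Jacobi symbol of -1.
    f = 1 if jacobi(h, N) == 1 else 2
    # Jacobi +1 means both Legendre symbols agree; if both are -1, e = -1
    # flips both, because (-1/P) = (-1/Q) = -1 for primes that are 3 (mod 4).
    e = 1 if pow(f * h, (P - 1) // 2, P) == 1 else -1
    # Fixed root choice (assumption: the smallest): issuing two different
    # roots of the same value would leak the factorization, see above.
    return e, f, square_roots(e * f * h % N)[0]


def rw_verify(h, e, f, s):
    """Public operation: exponent 2 plus the two one-bit tweaks."""
    return e in (1, -1) and f in (1, 2) and 0 < s < N and (s * s - e * f * h) % N == 0


def hash_to_input(msg):
    """The signer derives h from the message; the caller never picks h.
    The counter only exists because this toy N makes gcd(h, N) > 1 plausible."""
    ctr = 0
    while True:
        digest = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        h = int.from_bytes(digest, "big") % N
        if h and math.gcd(h, N) == 1:
            return h
        ctr += 1


def sign_message(msg):
    return rw_sign(hash_to_input(msg))


def verify_message(msg, sig):
    e, f, s = sig
    return rw_verify(hash_to_input(msg), e, f, s)
```

Running `demo_attack()` recovers P or Q from the naive oracle even though that oracle picks its root deterministically: what protects `sign_message` is not the root policy but that the input to the private operation is a hash the caller cannot steer, which is the "arbitrary selection of (portions of) the public key operation input value" pitfall named in the message.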
