That's a bit of old and incorrect lore, which is sometimes inverted into a prohibition against big exponents (since it is a myth, the reverse myth is also a myth and is no more - and no less - substantiated) I believe this is what you observe here. Nevertheless, whenever someone refers to an exponent-size related weakness, he more or less directly refers to this occurrence. Padding is very important for security of RSA, whether encryption or signature if you do not use a proper padding (such as the ones described in PKCS#1), then you have many weaknesses, and the one outlined in the paragraph above is not the biggest, by far. The weakness, here, is not the small exponent rather, it is the use of an improper padding (namely, no padding at all) for encryption. A (non modular) cube root extraction then suffices to extract m. By the Chinese Remainder Theorem, you can then rebuild m 3 mod n 1n 2n 3, which turns out to be m 3 (without any modulo) because If you use a small exponent and you do not use any padding for encryption and you encrypt the exact same message with several distinct public keys, then your message is at risk: if e = 3, and you encrypt message m with public keys n 1, n 2 and n 3, then you have c i = m 3 mod n i for i = 1 to 3. relatively prime to p-1 for all primes p which divide the modulus). There is no known weakness for any short or long public exponent for RSA, as long as the public exponent is "correct" (i.e.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |