Peter Gutmann wrote:

There'll always be broken standards out there that require e=3 (I know ofat least one that uses e=2, and [...]

`OK, we've got into trouble with the exponent 3 because the RSA technique`

`has been applied with varying degrees of care (both specifications`

`drafting and implementation phase), and the number-theoretic properties`

`of low-exponent RSA are now hitting us, as the theory predicted.`

`But please, don't put the Rabin-Williams exponent 2 into the picture at`

`the same level of low-exponent RSA. The two are close numerically, but`

`very far apart historically, number-theoretically (wrt computational`

`complexity proofs), and implementation-wise. First, the exponent 2 has a`

`built-in 4-to-1 ambiguity in the private key computation, which has been`

`addressed in many different ways in cryptosystems based on the "x^2 mod`

`N" primitive. Second, the number-theoretic proofs were always more`

`advanced with exponent 2 than low exponent RSA, so that specifications`

`drafters were well informed of the implementation pitfalls.`

`Peter, if you know a standard that uses public exponent 2 *and* either`

`handles the 4-to-1 ambiguity in the private key computation in a way`

`that appears inadequate, or allows arbitrary selection of (portions of)`

`the public key operation input value, tell us. It would be`

`specifications drafted without consideration of the most elementary`

`advice from the number-theoreticians. The equivalent advice was usually`

`lacking in the case of low-exponent RSA.`

`This being said, I don't want to participate in a further debate`

`Rabin-Williams vs low exponent RSA. I just whish to limit the`

`misrepresentations about the Rabin-Williams family of cryptosystems.`

Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, Qc Canada H2M 2A1 Tel.: (514)385-5691 Fax: (514)385-5900 web site: http://www.connotech.com e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]