Peter Gutmann wrote:

There'll always be broken standards out there that require e=3 (I know of
at least one that uses e=2, and [...]

OK, we've got into trouble with the exponent 3 because the RSA technique has been applied with varying degrees of care (both specifications drafting and implementation phase), and the number-theoretic properties of low-exponent RSA are now hitting us, as the theory predicted.

But please, don't put the Rabin-Williams exponent 2 into the picture at the same level of low-exponent RSA. The two are close numerically, but very far apart historically, number-theoretically (wrt computational complexity proofs), and implementation-wise. First, the exponent 2 has a built-in 4-to-1 ambiguity in the private key computation, which has been addressed in many different ways in cryptosystems based on the "x^2 mod N" primitive. Second, the number-theoretic proofs were always more advanced with exponent 2 than low exponent RSA, so that specifications drafters were well informed of the implementation pitfalls.

Peter, if you know a standard that uses public exponent 2 *and* either handles the 4-to-1 ambiguity in the private key computation in a way that appears inadequate, or allows arbitrary selection of (portions of) the public key operation input value, tell us. It would be specifications drafted without consideration of the most elementary advice from the number-theoreticians. The equivalent advice was usually lacking in the case of low-exponent RSA.

This being said, I don't want to participate in a further debate Rabin-Williams vs low exponent RSA. I just wish to limit the misrepresentations about the Rabin-Williams family of cryptosystems.



- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site:

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
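The 4-to-1 ambiguity of the "x^2 mod N" primitive and one of the ways the Rabin-Williams family resolves it, as an added example that is not part of the original message. The toy primes 7 and 11, the admissible-plaintext rule (Jacobi symbol +1 and value below N/2) and the function names are my choices; Williams' actual scheme adds further encoding so that arbitrary messages can be mapped into that admissible set.

```python
# Rabin primitive with p, q ≡ 3 (mod 4): every quadratic residue has four
# square roots mod N = p*q, so the private-key operation is 4-to-1 and the
# scheme itself must say which root is the plaintext. Toy primes 7 and 11 are
# constructed for illustration only.
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:               # pull out factors of 2: (2/n) = -1 iff n ≡ ±3 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def square_roots_mod_pq(c, p, q):
    """All four square roots of the residue c modulo N = p*q (p, q ≡ 3 mod 4)."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    rp = pow(c, (p + 1) // 4, p)        # square root mod p, valid because p ≡ 3 mod 4
    rq = pow(c, (q + 1) // 4, q)
    qinv_p = pow(q, -1, p)              # CRT coefficients (pow(x, -1, m) needs Python 3.8+)
    pinv_q = pow(p, -1, q)
    roots = set()
    for sp in (rp, p - rp):             # ±rp mod p combined with ±rq mod q
        for sq in (rq, q - rq):
            roots.add((sp * q * qinv_p + sq * p * pinv_q) % n)
    return sorted(roots)

def encrypt(m, n):
    """Sender restricts m so the receiver can single it out among the four roots."""
    if not (0 < m < n / 2 and jacobi(m, n) == 1):
        raise ValueError("plaintext not in the admissible set")
    return m * m % n

def decrypt(c, p, q):
    """Exactly one root has Jacobi symbol +1 and lies below N/2 when p, q ≡ 3 mod 4."""
    n = p * q
    ok = [r for r in square_roots_mod_pq(c, p, q) if r < n / 2 and jacobi(r, n) == 1]
    assert len(ok) == 1
    return ok[0]

def factor_from_two_roots(x, y, n):
    """Why the ambiguity must be handled by the specification: two roots with
    x != ±y reveal a factor of N, so a decryptor that hands back an arbitrary
    root, or accepts attacker-chosen input values, leaks the private key."""
    return gcd(x - y, n)
```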
