Florian Weimer wrote:
* Thierry Moreau:
The unusual public RSA exponent may well be an indication that the
signature key pair was generated by a software implementation not
encompassing the commonly-agreed (among number-theoreticians having
surveyed the field) desirable strategies.
I don't think this conclusion is warranted. Most textbooks covering
RSA do not address key generation in much detail. Even the Menezes et
al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as
"used in practice". Knuth (1981) fixes e=3. On the other side, two
popular cryptography textbooks, Schneier (1996) and Stinson (2002),
recommend to choose e randomly. None of these sources gives precise
guidance on how to generate the key material, although Menezes et al.
gives several examples of what you should not do.
The original RSA publication suggests generating the RSA modulus N, and
then the encryption and decryption exponents, resp. e and d, so that the
first selection of the public exponent e might be rejected.
The current recommendations fixes the decryption exponent, and then
tries random N until e mod phi(N) and d mod phi(N) are both >1. The
current "desirable strategies" encompass more provisions, of course.
What I meant is that the occurrence of an encryption exponent not "used
in practice" may be an indication that the key generation procedure was
more like the one suggested in the original RSA publication.
- Thierry Moreau
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography