
RSA public exponent size - taylorbuley
http://www.imperialviolet.org/2012/03/16/rsae.html
======
joejohnson
Does anyone know what the "Bleichenbacher bug" was that scared people away
from using 3 for the exponent?

~~~
dfranke
<http://archiv.infsec.ethz.ch/education/fs08/secsem/Bleichenbacher98.pdf>

~~~
NateLawson
Bleichenbacher often comes out of hiding and posts some terrible crypto bug,
usually based on a slight implementation deviation from best practices.

The above bug is in RSA encryption, not signing, and is much more interesting
technically than the e=3 padding verification bug. Just by revealing a
different error message, attackers can use your server as a decryption oracle.
It's different than the POET/BEAST attacks though, which are on block cipher
modes.

I tried to write a clear review of the paper here:
<http://rdist.root.org/2008/01/07/ssl-pkcs-padding-attack/>

The amusing thing is that he usually picks a random toolkit you've never heard
of to attack, and then someone else (Hal Finney in the case of the e=3 padding
bug) realizes it's a widespread issue in much more important systems.

------
cperciva
One reason to use E>3: Side channel attacks which reveal random bits of
exponents (e.g., the hyperthreading attack) are much easier with a small
public exponent.

------
tptacek
Had no idea Bleichenbacher was at Google. Good get.

------
dfc
In case you are not familiar with dnssec-keygen:

    -e If generating an RSAMD5/RSASHA1 key,
       use a large exponent.

------
carterschonwald
Wait a minute. Is it just me or is the author talking about fixing the public
key at a default value? I hope it is meant to be read as the default maximum
bit SIZE of the public key instead.

~~~
subleq
An RSA public key is made up of two parts -- a 'modulus' and an 'exponent'.
The modulus is the part you're thinking about -- very large, computed from
your private key, hard to factor, etc. He is talking about the exponent part,
which can indeed be very small (and the same everywhere even).

~~~
ahelwer
I was taught in a crypto class a few years ago that an algorithm commonly used
to encrypt messages runs in time proportional to the number of 1 bits in the
binary representation of e, thus a smaller e is better and so 3 (11) is a very
good candidate efficiency-wise. Is this true in the real world?

~~~
30thElement
Not quite, the cost of RSA encryption is O(k^3), where k is the total number
of bits, not the number of 1's. But it is cheaper to have fewer 1 bits, as
(abusing big-O notation), the cost is more like O(3k^3-z^3), where z is the
number of 0 bits. That's why some people are using 2^32+1 instead of 2^32-1.

In theory the size of e doesn't matter, but a larger e does make it harder to
brute force the message text.

~~~
pbsd
You're mixing up the number of bits in the RSA modulus n, and the number of
bits in the exponent e.

Integer modular multiplication is O(n^2)[1]. Binary exponentiation, the most
common of algorithms, requires O(e) modular multiplications. It is therefore
trivial to get to the O(n^3) figure of general modular exponentiation.

RSA encryption with e = 3 is much simpler, consisting of exactly 2 modular
multiplications. That makes it O(n^2).

Note that an exponent with very low hamming weight can still be O(n^3). For
example e = 2^(n-1) + 1 requires n multiplications, therefore O(n^3).

[1] If you want to go all theoretical, it can be as low as O(n log n log log
n) using Schoenhage-Strassen. But that is not practical for 1024--4096 bit
integers.
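
The multiplication counts discussed in the comment above can be checked with a small counter for binary (square-and-multiply) exponentiation. This is an added example, not code from the thread or the linked article; the function names, the toy modulus and the sample message are constructed for illustration.

```python
# Added illustration: count the modular multiplications performed by
# left-to-right binary (square-and-multiply) exponentiation.

def modexp_count(base, e, n):
    """Return (base**e mod n, squarings, multiplies) for e >= 1."""
    if e < 1:
        raise ValueError("exponent must be >= 1")
    bits = bin(e)[2:]            # MSB first; bits[0] is always '1'
    acc = base % n               # the leading 1 bit costs nothing
    squarings = multiplies = 0
    for bit in bits[1:]:
        acc = (acc * acc) % n    # one squaring per remaining bit
        squarings += 1
        if bit == "1":
            acc = (acc * base) % n   # one extra multiply per 1 bit
            multiplies += 1
    return acc, squarings, multiplies

def total_mults(e):
    """Closed form: (bit length - 1) squarings + (Hamming weight - 1) multiplies."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)

# Constructed toy modulus and message (assumptions, not a real key).
# The operation count depends only on the exponent, not on the modulus.
N = (2**61 - 1) * (2**89 - 1)
M = 0x1234567890ABCDEF

def survey(n_bits=1024):
    """Total modular multiplications for three exponents of interest."""
    exponents = [
        ("3", 3),
        ("65537", 65537),
        ("2^(n-1)+1", 2 ** (n_bits - 1) + 1),  # Hamming weight 2, but n bits long
    ]
    rows = {}
    for name, e in exponents:
        result, sq, mul = modexp_count(M, e, N)
        assert result == pow(M, e, N)          # cross-check against the built-in
        assert sq + mul == total_mults(e)
        rows[name] = sq + mul
    return rows

if __name__ == "__main__":
    for name, count in survey().items():
        print(f"e = {name:>10}: {count} modular multiplications")
```

The low Hamming weight of 2^(n-1)+1 saves only the extra multiplies; the squarings still scale with the exponent's bit length.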

