On Mar 25, 2012, at 1:16 PM, Florian Weimer wrote: > * Thierry Moreau: > >> The unusual public RSA exponent may well be an indication that the >> signature key pair was generated by a software implementation not >> encompassing the commonly-agreed (among number-theoreticians having >> surveyed the field) desirable strategies. > > I don't think this conclusion is warranted. Most textbooks covering > RSA do not address key generation in much detail. Even the Menezes et > al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as > "used in practice". Knuth (1981) fixes e=3. On the other side, two > popular cryptography textbooks, Schneier (1996) and Stinson (2002), > recommend to choose e randomly. None of these sources gives precise > guidance on how to generate the key material, although Menezes et al. > gives several examples of what you should not do.
2^16+1 (or numbers of that pattern) give good performance for encryption or for signature verification. NIST's standards require that public keys be odd, positive [sic] integers between 65537 and 2^256-1 (http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf). --Steve Bellovin, https://www.cs.columbia.edu/~smb _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
