On Sat, Nov 3, 2012 at 5:29 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> [...] We show that if the RSA cryptosystem is used in such a symmetric
> application, it is possible to determine the public RSA modulus if the
> public exponent is known and short, such as 3 or F4=65537, and two or more
> plaintext/ciphertext (or, if RSA is used for signing, signed
> value/signature) pairs are known.

Is this a different attack from Wiener's "Cryptanalysis of Short RSA Secret Exponents"?

madchat.awired.net/crypto/codebreakers/ShortSecretExponents.pdf

I thought it had been known for at least a decade that small exponents were a bad idea, because of the Wiener paper.
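The claim in the quoted abstract, as an added example that is not part of the original message or the paper it quotes: every known pair yields a multiple of the modulus, so a gcd over a few pairs leaves the modulus itself, which is why keeping n secret adds no protection. The toy key, the sample values and all function names are constructed for illustration, and e = 3 is used to keep the integers small.

```python
import hashlib
from math import gcd

E = 3  # short public exponent, as in the quoted abstract

# Constructed toy key (assumption): the NIST P-192 and P-384 field primes,
# chosen only because they are well-known primes with gcd(E, p - 1) = 1.
P = 2**192 - 2**64 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N = P * Q                                  # the modulus treated as "secret"
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def sample_value(label: str) -> int:
    """Constructed sample message: a 512-bit hash output, below N."""
    return int.from_bytes(hashlib.sha512(label.encode()).digest(), "big")


def recover_modulus(pairs, e=E, small_bound=1000):
    """pairs: (x, y) with x**e == y (mod n). Returns n, or a multiple of it."""
    g = 0
    for x, y in pairs:
        g = gcd(g, x**e - y)               # every x**e - y is a multiple of n
    for f in range(2, small_bound):        # strip a small leftover cofactor
        while g and g % f == 0:
            g //= f
    return g


def encryption_pairs(count=4):
    """(plaintext, ciphertext) pairs: c = m**E mod N."""
    msgs = [sample_value(f"msg-{i}") for i in range(count)]
    return [(m, pow(m, E, N)) for m in msgs]


def signature_pairs(count=4):
    """(signature, signed value) pairs: s = v**D mod N, so s**E == v (mod N)."""
    vals = [sample_value(f"doc-{i}") for i in range(count)]
    return [(pow(v, D, N), v) for v in vals]


if __name__ == "__main__":
    print(recover_modulus(encryption_pairs()) == N)   # plaintext/ciphertext
    print(recover_modulus(signature_pairs()) == N)    # signed value/signature
```

With a single pair the result is only a large multiple of n, which is why the abstract asks for two or more pairs.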