On Sat, Nov 3, 2012 at 5:29 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

>   [...] We show that if the RSA cryptosystem is used in such a symmetric
>   application, it is possible to determine the public RSA modulus if the
>   public exponent is known and short, such as 3 or F4=65537, and two or more
>   plaintext/ciphertext (or, if RSA is used for signing, signed
>   value/signature) pairs are known.

Is this a different attack from Weiner's "Cryptanalysis of Short RSA
Secret Exponents"?
madchat.awired.net/crypto/codebreakers/ShortSecretExponents.pdf

I thought it had been known for at least a decade that small exponents were
a bad idea, because of the Weiner paper.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to