Re: gnupg rsa question // why use e of 41 ?

Sebastian Gottschalk wrote:
> David Wagner wrote:
> > vedaal wrote:
> >> /* find an public exponent.
> >> We use 41 as this is quite fast and more secure than the
> >> commonly used 17. Benchmarking the RSA verify function
> >> with a 1024 bit key yields (2001-11-08):
> >
> > This is a suspicious comment and indicates to me that maybe the
> > developer is not fully up to speed on all of the literature on the
> > security of RSA.
>
> BTW, isn't 65537 chosen because it can be implemented faster than
> generic numbers (due to its form 1<<16+1)?

Yes, It requires 16 squarings and one mult. This is why 3, 17, 257,
etc are popular.

This has been around sci.crypt a lot recently and David Wagner has been
championing the notion that e=3 is safe.

There are practical reasons for using e=65537. Specifically that
phi(N) is less likely to be divisible by 65537 than it is by 3.

>>From a performance point of view it's largely academic. The time
difference from e=3 and e=65537 on a desktop processor is both
noticeable AND trivially small. e=3 is ideal for embedded platforms
where power is at a premium though and on smaller things like a PPC or
ARM it is definitely noticeable over e=65537 in terms of speed and
power.

In short:

e=3 safe and fast for use
e=65537 safe and fast for keygen

Tom
Received on Mon May 1 02:05:47 2006