There are two problems with e=3: broadcast attacks and small messages when the padding is deterministic. The latter case is irrelevant
Replying to @cryptodavidw @hanno
since we always use a non-deterministic padding with RSA. The former case is irrelevant because we always use a non-deterministic padding...
I guess you're talking about only RSA encryption, and not RSA sigs, where e=3 has had huge real-world problems w/ deterministic padding.
Replying to @BRIAN_____ @hanno
are you talking about the bleichenbacher signature forgery?
Yes.
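As an added illustration (not code from any of the participants in this thread), the verifier-side fix for the e=3 signature forgery being discussed: rebuild the entire expected PKCS#1 v1.5 encoded message and compare it byte-for-byte, instead of parsing the padding fields and stopping once the hash is found. The modulus and messages used in the test are constructed values.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256, as listed in RFC 8017 section 9.2, note 1.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Build the full EM = 0x00 || 0x01 || PS || 0x00 || T for a k-byte modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def strict_pkcs1_v15_check(em: bytes, message: bytes, k: int) -> bool:
    """Accept only an EM that is identical to the expected encoding.

    With deterministic padding the verifier knows exactly what EM must look
    like, so there is no reason to parse it. A parser that scans past the
    0xFF bytes and then only checks the hash leaves attacker-controlled slack
    in the block; a whole-block comparison leaves none.
    """
    if len(em) != k:
        return False
    expected = emsa_pkcs1_v15_encode(message, k)
    return hmac.compare_digest(em, expected)

def rsa_pkcs1_v15_verify(n: int, e: int, signature: bytes, message: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification using the strict comparison above."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return strict_pkcs1_v15_check(em, message, k)
```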
Replying to @BRIAN_____ @hanno
what are the huge real-world problems? I think I missed something
Easy TLS authentication bypass in Firefox for ~17 years and in Chrome for ~5-10, to start.
Replying to @BRIAN_____ @hanno
in this message you quoted here https://bugzilla.mozilla.org/show_bug.cgi?id=1064636 they say "we were able to create a proof of concept even for a e=65537 signature"
that is new to me... any more info on that? /cc @FiloSottile
I think they explained below or elsewhere that their PoC required them to first generate sigs in a special form using the private key.
I don't think they continued the work after my discovery or the independent Intel effort was released. Worth emailing them though.