4

In one of my assignments, I had the following question (Please read on. Not a homework assignment :) ):

X.509 (1998 version) lists properties that RSA keys must satisfy to be secure. One such requirement is that the public exponent $e > \log_2(n)$ where n is the modulus. Consider the following justifications for this:

  1. We require $e > \log_2(n)$ in order to prevent an attack to disclose the plaintext by taking the eth root modulus n.
  2. We require $e > \log_2(n)$ in order to prevent an attack to disclose the plaintext by taking the eth integer root.

Which of these two is the correct justification of the above requirement? For the incorrect justification, explain why is it incorrect.

My question here is: Where is the X.509 certificate listed mentioning the above requirement? I tried googling a lot but could not find any such requirement listed in any online available material unfortunately. Also, if any such requirement does exist, what is the justification for the same?

SEJPM
  • 45,967
  • 7
  • 99
  • 205
ankita
  • 143
  • 4
  • X.509 is a standard for certificates. The original specification appears to have had a "security considerations" section discussing these requirements. An X.509 certificate is any certificate that follows the X.509 specification. As for the justification, imagine what happens if you encrypt $2$ using $e$ if $e<\log_2(n)$ using textbook RSA. – SEJPM Nov 15 '15 at 17:28

1 Answers1

6

The requirement was introduced in IUT Recommendation X.509 (November 1993), informative appendix D.5.2:

It must be ensured that e > log2(n). If not, then the simple operation of taking the integer eth root of a ciphertext block will disclose the plaintext.

This advice was removed in the 2000 edition of the standard. It was arguably misguided, and at the very least the justification given was very incorrect (even when using RSA for encryption without padding, what's stated in the justification works only for a very small portion of plaintexts, including for $e=3$; it thus does not work at all for random plaintext, or when using RSA with proper padding).

The assignment itself is questionable: we are asked to choose among two incorrect justifications for advice so questionable that it was removed; and it turns out that the few plaintexts allowing the attack in 1 to work also allow to perform precisely what's claimed in 2. The only superiority of argument 1 is that it more clearly describes an attack which is NOT a good reason to use a public exponent larger than some bound.

Community
  • 1
fgrieu
  • 140,762
  • 12
  • 307
  • 587