http://matasanochargen.disqus.com/enSat, 16 Sep 2006 03:02:15 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-2320525I agree with everything you said, except the reference to Rabin's system as "low exponent RSA", which is wrong both from a technical and historical perspective.<br><br>The details we already mentioned, plus a paper or two, affirm this assertion. If e=2 were to RSA as e=3 is, there'd be nothing to debate.<br><br>Even Ferguson and Schneier, in that footnote you cited, allude to these differences (although arguably too mildly).<br><br>I just thought that, seeing as how the series started by explaining how the little details matter, it's important not to gloss over the difference between RSA and Rabin.Adam MorrisonSat, 16 Sep 2006 03:02:15 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-2320524I agree with everything you said, except the reference to Rabin's system as "low exponent RSA", which is wrong both from a technical and historical perspective.<br><br>The details we already mentioned, plus a paper or two, affirm this assertion. If e=2 were to RSA as e=3 is, there'd be nothing to debate.<br><br>Even Ferguson and Schneier, in that footnote you cited, allude to these differences (lthough arguably too mildly).<br><br>I just thought that, seeing as how the series started by explaining how the little details matter, it's important not to gloss over the difference between RSA and Rabin.Adam MorrisonSat, 16 Sep 2006 03:01:47 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-23205231a. Rabin uses a small exponent (e=2)<br>1b. RSA can use e=3<br>2a. Rabin security is based on the difficulty of factoring N (p*q)<br>2b. RSA, ditto<br>3a. Rabin requires special formatting and redundancy checking of the result (i.e. that M is a quadratic residue mod N)<br>3b. RSA requires special formatting and redundancy checking of the result (i.e. PKCS)<br><br>In refuting the argument that small exponents in RSA are the cause of the problem (not an implementation flaw), it's perfectly legitimate to include Rabin as a counter example.<br><br>The lesson remains: proper redundancy checking is vital to security in public key crypto, no matter what the public exponent. I hope you can agree.NateThu, 14 Sep 2006 15:02:24 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-2320522I think we can all easily reach a consensus that Rabin keys are "NOT" PKCS#1 v2.0 or above.<br><br>Is there any way to have a conversation that doesn't involve us delving into the definitions of what "variant" means, or questioning the legitimacy of various sources (even I can cite credible sources that say e=2 is RSA --- for instance, Ferguson and Schneier, p 231, discussing how to choose the public exponent for RSA)? <br><br>I'm also going to call you on comparing a blog post to an implementation of RSA. <br><br>You seem sharp. What are your technical critiques on the posts so far?Thomas PtacekThu, 14 Sep 2006 14:37:54 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-2320521Yeah, Rabin is a <b>variant</b> of RSA; it's <b>not</b> RSA.<br><br>It's not RSA, because the signing algorithm is totally different.<br><br>It's not RSA, because PKCS#1 says so [PKCS#1 v2.1, sec 3.1].<br><br>It's not RSA, because if you try using e=2 in any decent RSA implementation, you won't get past the key generation phase, and things will break horribly even if you do.<br><br>You just spent an <a href="http://www.matasano.com/log/487/rsa-signature-forgery-explained-with-nate-lawson-part-ii/" rel="nofollow">entire blog post</a> explaining how cryptography is hard to get right, and how the minute details of the implementation matter. Isn't it also important to know which algorithm is being used?Adam MorrisonThu, 14 Sep 2006 14:19:32 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-2320520And here...<br><br><a href="http://www.lcs.mit.edu/publications/pubs/pdf/MIT-LCS-TR-212.pdf" rel="nofollow">http://www.lcs.mit.edu/publications/pubs/pdf/MI...</a>sargonThu, 14 Sep 2006 13:56:31 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-2320519No. e=2 is Rabin, a variant of RSA.<br><a href="http://www.x5.net/faqs/crypto/q37.html" rel="nofollow">http://www.x5.net/faqs/crypto/q37.html</a>NateThu, 14 Sep 2006 10:29:42 -0000http://www.matasano.com/log/495/halvar-flake-and-nate-lawson-on-alternative-padding-schemes/#comment-2320518e=2 is not a valid RSA exponent, since it's not coprime to (p-1)(q-1).Adam MorrisonThu, 14 Sep 2006 01:58:49 -0000