5

I am writing a (high-school) paper on the public key exponent's (in textbook RSA - no padding is discussed!) significance in terms of time and security. The time part is done; as for the security part, so far I have shown example of various attacks that can take place when the public key is low (e.g. $e$ root attack, HÃ¥stad Broadcast Attacks etc).

My question is: Is there a way to mathematically justify that there is no way to prove that the security of the system lies in the value of the public key exponent?

I have also done some readings on the integer factorization problem whose intractability cannot be proven - can I relate this to the link between security and the public key?

user9750060
  • 389
  • 3
  • 18

1 Answers1

6

Loosely define the RSA problem as solving for $x$ the equation $c=x^e\bmod N$, with $x$ random in $\{0,1,\dots,N-1\}$ (or equivalently $c$ random in this set), and $(N,e)$ properly chosen. The best method we know for tackling that problem is factoring $N$, but we have no proof that there is no substantially better method.

We do not know if the RSA problem is more difficult when $e$ is small (e.g. $e=3$), or large or/and random, or even have expert consensus on that research topic or what should be done in practice (I'm in the league favoring good padding with $e=3$ at least when speed matters, and reluctantly bowing to $e=65537$ to avoid conflict with official advice); much less do we know if it is possible to make a proof in either direction.

We do not know an efficient integer factorization method (that is one with effort growing polynomially with the number of digits in the number to factor); and I doubt that there is a proof or even argument that such an algorithm can not be found, for integer factorization is not in Wikipedia's list of known NP-complete problems.

Community
  • 1
fgrieu
  • 149,326
  • 13
  • 324
  • 622