As I understand it the proof that RSA-OAEP is secure in the random oracle model is much tighter for exponent 3. Does that mean that exponent 3 should be chosen?
Asked
Active
Viewed 318 times
1 Answers
6
For any reasonable RSA-based encryption (or signature) scheme, exponent $e = 3$ is a perfectly good choice and provides the best performance for the public-key operation short of qualitatively different Rabin-type schemes.
- Don't use RSAES-PKCS1-v1_5.
- RSAES-OAEP of PKCS#1 v2 is reasonable in this sense, though it is unnecessarily complicated.
- RSA-KEM is even more reasonable and much simpler.
But there are people out there who have PTSD from decades of bad crypto engineering with horrible flaws that are sort of halfway patched over by using larger exponents like $e = 65537$. So some auditors might summarily reject $e = 3$ when they see the letters R, S, and A, without looking at the elephant in the room of what specific encryption or signature scheme you're using that involves RSA.
Squeamish Ossifrage
- 49,816
- 3
- 122
- 230