RSA using 2 as a public exponent

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












3














I'm failing to see why 2 can never be used and what weaknesses would be associated with doing so.



There's a similar question asking why it has to be in the form of $2^n$+1 but why not $2^n$










share|improve this question

















  • 3




    $gcd(2,(p-1)(q-1)) =$?
    – kelalaka
    Dec 19 '18 at 12:41










  • if p is odd a q is even it will be 1. if both are odd/both are even it will be 2?
    – S. L.
    Dec 19 '18 at 12:46










  • $p$ and $q$ are prime >2 implies both odd.
    – kelalaka
    Dec 19 '18 at 12:46










  • right of course! facepalm OK so what weakness would that bring? Edit: scratch that, it would lead to any ct no being uniquely decryptable
    – S. L.
    Dec 19 '18 at 12:50







  • 5




    en.wikipedia.org/wiki/Rabin_cryptosystem
    – Maeher
    Dec 19 '18 at 12:52















3














I'm failing to see why 2 can never be used and what weaknesses would be associated with doing so.



There's a similar question asking why it has to be in the form of $2^n$+1 but why not $2^n$










share|improve this question

















  • 3




    $gcd(2,(p-1)(q-1)) =$?
    – kelalaka
    Dec 19 '18 at 12:41










  • if p is odd a q is even it will be 1. if both are odd/both are even it will be 2?
    – S. L.
    Dec 19 '18 at 12:46










  • $p$ and $q$ are prime >2 implies both odd.
    – kelalaka
    Dec 19 '18 at 12:46










  • right of course! facepalm OK so what weakness would that bring? Edit: scratch that, it would lead to any ct no being uniquely decryptable
    – S. L.
    Dec 19 '18 at 12:50







  • 5




    en.wikipedia.org/wiki/Rabin_cryptosystem
    – Maeher
    Dec 19 '18 at 12:52













3












3








3


2





I'm failing to see why 2 can never be used and what weaknesses would be associated with doing so.



There's a similar question asking why it has to be in the form of $2^n$+1 but why not $2^n$










share|improve this question













I'm failing to see why 2 can never be used and what weaknesses would be associated with doing so.



There's a similar question asking why it has to be in the form of $2^n$+1 but why not $2^n$







rsa public-key






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 19 '18 at 12:40









S. L.

636




636







  • 3




    $gcd(2,(p-1)(q-1)) =$?
    – kelalaka
    Dec 19 '18 at 12:41










  • if p is odd a q is even it will be 1. if both are odd/both are even it will be 2?
    – S. L.
    Dec 19 '18 at 12:46










  • $p$ and $q$ are prime >2 implies both odd.
    – kelalaka
    Dec 19 '18 at 12:46










  • right of course! facepalm OK so what weakness would that bring? Edit: scratch that, it would lead to any ct no being uniquely decryptable
    – S. L.
    Dec 19 '18 at 12:50







  • 5




    en.wikipedia.org/wiki/Rabin_cryptosystem
    – Maeher
    Dec 19 '18 at 12:52












  • 3




    $gcd(2,(p-1)(q-1)) =$?
    – kelalaka
    Dec 19 '18 at 12:41










  • if p is odd a q is even it will be 1. if both are odd/both are even it will be 2?
    – S. L.
    Dec 19 '18 at 12:46










  • $p$ and $q$ are prime >2 implies both odd.
    – kelalaka
    Dec 19 '18 at 12:46










  • right of course! facepalm OK so what weakness would that bring? Edit: scratch that, it would lead to any ct no being uniquely decryptable
    – S. L.
    Dec 19 '18 at 12:50







  • 5




    en.wikipedia.org/wiki/Rabin_cryptosystem
    – Maeher
    Dec 19 '18 at 12:52







3




3




$gcd(2,(p-1)(q-1)) =$?
– kelalaka
Dec 19 '18 at 12:41




$gcd(2,(p-1)(q-1)) =$?
– kelalaka
Dec 19 '18 at 12:41












if p is odd a q is even it will be 1. if both are odd/both are even it will be 2?
– S. L.
Dec 19 '18 at 12:46




if p is odd a q is even it will be 1. if both are odd/both are even it will be 2?
– S. L.
Dec 19 '18 at 12:46












$p$ and $q$ are prime >2 implies both odd.
– kelalaka
Dec 19 '18 at 12:46




$p$ and $q$ are prime >2 implies both odd.
– kelalaka
Dec 19 '18 at 12:46












right of course! facepalm OK so what weakness would that bring? Edit: scratch that, it would lead to any ct no being uniquely decryptable
– S. L.
Dec 19 '18 at 12:50





right of course! facepalm OK so what weakness would that bring? Edit: scratch that, it would lead to any ct no being uniquely decryptable
– S. L.
Dec 19 '18 at 12:50





5




5




en.wikipedia.org/wiki/Rabin_cryptosystem
– Maeher
Dec 19 '18 at 12:52




en.wikipedia.org/wiki/Rabin_cryptosystem
– Maeher
Dec 19 '18 at 12:52










1 Answer
1






active

oldest

votes


















11














It is not that RSA becomes insecure when used with public exponent $2$. (In fact, the Rabin Cryptosystem does exactly that.) It's that it doesn't actually work.



The problem is that for $N = pq$ for two primes $p$ and $q$, the function $f : x mapsto x^2 bmod N$ is not injective. So it is impossible to invert uniquely. In fact, most elements of the function's range (the set of perfect squares) have $4$ preimages under $f$. (As pointed out by Thomas Pornin, the multiples of $p$ and $q$ have $2$, while $0$ has only one.)



We can get around this problem by choosing $pequiv qequiv 3 bmod 4$ and restricting the domain to the set of quadratic residues. In this case, the function is a trapdoor permutation over the set of quadratic residues if factoring is hard.



One might note, that this is actually a better guarantee than the one we have for the RSA trapdoor permutation, where the security is not known to be implied by the hardness of factoring.






share|improve this answer


















  • 5




    Technically, most elements have 4 square roots, but some have only two, and zero has only one. The elements that have only two square roots are the non-zero elements that happen to be a multiple of either $p$ or $q$. Of course, it is extremely improbable to hit one such element out of (bad) luck.
    – Thomas Pornin
    Dec 19 '18 at 13:37










  • @ThomasPornin You are of course correct.
    – Maeher
    Dec 19 '18 at 13:44






  • 1




    The last sentence might be worth emphasizing: unlike RSA, the Rabin cryptosystem is provably as hard as factoring (i.e. breaking it provides efficient factoring as a side effect).
    – R..
    Dec 19 '18 at 16:25










  • @R.. I left that out because it did not seem particularly relevant to the question being asked, but I added a comment about it now.
    – Maeher
    Dec 19 '18 at 16:35










  • @Maeher: Thanks. I think it's nice because it confirms whatever suspicion the OP had that 2 is actually an interesting and productive choice of exponent.
    – R..
    Dec 19 '18 at 16:45










Your Answer





StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65983%2frsa-using-2-as-a-public-exponent%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









11














It is not that RSA becomes insecure when used with public exponent $2$. (In fact, the Rabin Cryptosystem does exactly that.) It's that it doesn't actually work.



The problem is that for $N = pq$ for two primes $p$ and $q$, the function $f : x mapsto x^2 bmod N$ is not injective. So it is impossible to invert uniquely. In fact, most elements of the function's range (the set of perfect squares) have $4$ preimages under $f$. (As pointed out by Thomas Pornin, the multiples of $p$ and $q$ have $2$, while $0$ has only one.)



We can get around this problem by choosing $pequiv qequiv 3 bmod 4$ and restricting the domain to the set of quadratic residues. In this case, the function is a trapdoor permutation over the set of quadratic residues if factoring is hard.



One might note, that this is actually a better guarantee than the one we have for the RSA trapdoor permutation, where the security is not known to be implied by the hardness of factoring.






share|improve this answer


















  • 5




    Technically, most elements have 4 square roots, but some have only two, and zero has only one. The elements that have only two square roots are the non-zero elements that happen to be a multiple of either $p$ or $q$. Of course, it is extremely improbable to hit one such element out of (bad) luck.
    – Thomas Pornin
    Dec 19 '18 at 13:37










  • @ThomasPornin You are of course correct.
    – Maeher
    Dec 19 '18 at 13:44






  • 1




    The last sentence might be worth emphasizing: unlike RSA, the Rabin cryptosystem is provably as hard as factoring (i.e. breaking it provides efficient factoring as a side effect).
    – R..
    Dec 19 '18 at 16:25










  • @R.. I left that out because it did not seem particularly relevant to the question being asked, but I added a comment about it now.
    – Maeher
    Dec 19 '18 at 16:35










  • @Maeher: Thanks. I think it's nice because it confirms whatever suspicion the OP had that 2 is actually an interesting and productive choice of exponent.
    – R..
    Dec 19 '18 at 16:45















11














It is not that RSA becomes insecure when used with public exponent $2$. (In fact, the Rabin Cryptosystem does exactly that.) It's that it doesn't actually work.



The problem is that for $N = pq$ for two primes $p$ and $q$, the function $f : x mapsto x^2 bmod N$ is not injective. So it is impossible to invert uniquely. In fact, most elements of the function's range (the set of perfect squares) have $4$ preimages under $f$. (As pointed out by Thomas Pornin, the multiples of $p$ and $q$ have $2$, while $0$ has only one.)



We can get around this problem by choosing $pequiv qequiv 3 bmod 4$ and restricting the domain to the set of quadratic residues. In this case, the function is a trapdoor permutation over the set of quadratic residues if factoring is hard.



One might note, that this is actually a better guarantee than the one we have for the RSA trapdoor permutation, where the security is not known to be implied by the hardness of factoring.






share|improve this answer


















  • 5




    Technically, most elements have 4 square roots, but some have only two, and zero has only one. The elements that have only two square roots are the non-zero elements that happen to be a multiple of either $p$ or $q$. Of course, it is extremely improbable to hit one such element out of (bad) luck.
    – Thomas Pornin
    Dec 19 '18 at 13:37










  • @ThomasPornin You are of course correct.
    – Maeher
    Dec 19 '18 at 13:44






  • 1




    The last sentence might be worth emphasizing: unlike RSA, the Rabin cryptosystem is provably as hard as factoring (i.e. breaking it provides efficient factoring as a side effect).
    – R..
    Dec 19 '18 at 16:25










  • @R.. I left that out because it did not seem particularly relevant to the question being asked, but I added a comment about it now.
    – Maeher
    Dec 19 '18 at 16:35










  • @Maeher: Thanks. I think it's nice because it confirms whatever suspicion the OP had that 2 is actually an interesting and productive choice of exponent.
    – R..
    Dec 19 '18 at 16:45













11












11








11






It is not that RSA becomes insecure when used with public exponent $2$. (In fact, the Rabin Cryptosystem does exactly that.) It's that it doesn't actually work.



The problem is that for $N = pq$ for two primes $p$ and $q$, the function $f : x mapsto x^2 bmod N$ is not injective. So it is impossible to invert uniquely. In fact, most elements of the function's range (the set of perfect squares) have $4$ preimages under $f$. (As pointed out by Thomas Pornin, the multiples of $p$ and $q$ have $2$, while $0$ has only one.)



We can get around this problem by choosing $pequiv qequiv 3 bmod 4$ and restricting the domain to the set of quadratic residues. In this case, the function is a trapdoor permutation over the set of quadratic residues if factoring is hard.



One might note, that this is actually a better guarantee than the one we have for the RSA trapdoor permutation, where the security is not known to be implied by the hardness of factoring.






share|improve this answer














It is not that RSA becomes insecure when used with public exponent $2$. (In fact, the Rabin Cryptosystem does exactly that.) It's that it doesn't actually work.



The problem is that for $N = pq$ for two primes $p$ and $q$, the function $f : x mapsto x^2 bmod N$ is not injective. So it is impossible to invert uniquely. In fact, most elements of the function's range (the set of perfect squares) have $4$ preimages under $f$. (As pointed out by Thomas Pornin, the multiples of $p$ and $q$ have $2$, while $0$ has only one.)



We can get around this problem by choosing $pequiv qequiv 3 bmod 4$ and restricting the domain to the set of quadratic residues. In this case, the function is a trapdoor permutation over the set of quadratic residues if factoring is hard.



One might note, that this is actually a better guarantee than the one we have for the RSA trapdoor permutation, where the security is not known to be implied by the hardness of factoring.







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 19 '18 at 16:28

























answered Dec 19 '18 at 13:19









Maeher

3,51711730




3,51711730







  • 5




    Technically, most elements have 4 square roots, but some have only two, and zero has only one. The elements that have only two square roots are the non-zero elements that happen to be a multiple of either $p$ or $q$. Of course, it is extremely improbable to hit one such element out of (bad) luck.
    – Thomas Pornin
    Dec 19 '18 at 13:37










  • @ThomasPornin You are of course correct.
    – Maeher
    Dec 19 '18 at 13:44






  • 1




    The last sentence might be worth emphasizing: unlike RSA, the Rabin cryptosystem is provably as hard as factoring (i.e. breaking it provides efficient factoring as a side effect).
    – R..
    Dec 19 '18 at 16:25










  • @R.. I left that out because it did not seem particularly relevant to the question being asked, but I added a comment about it now.
    – Maeher
    Dec 19 '18 at 16:35










  • @Maeher: Thanks. I think it's nice because it confirms whatever suspicion the OP had that 2 is actually an interesting and productive choice of exponent.
    – R..
    Dec 19 '18 at 16:45












  • 5




    Technically, most elements have 4 square roots, but some have only two, and zero has only one. The elements that have only two square roots are the non-zero elements that happen to be a multiple of either $p$ or $q$. Of course, it is extremely improbable to hit one such element out of (bad) luck.
    – Thomas Pornin
    Dec 19 '18 at 13:37










  • @ThomasPornin You are of course correct.
    – Maeher
    Dec 19 '18 at 13:44






  • 1




    The last sentence might be worth emphasizing: unlike RSA, the Rabin cryptosystem is provably as hard as factoring (i.e. breaking it provides efficient factoring as a side effect).
    – R..
    Dec 19 '18 at 16:25










  • @R.. I left that out because it did not seem particularly relevant to the question being asked, but I added a comment about it now.
    – Maeher
    Dec 19 '18 at 16:35










  • @Maeher: Thanks. I think it's nice because it confirms whatever suspicion the OP had that 2 is actually an interesting and productive choice of exponent.
    – R..
    Dec 19 '18 at 16:45







5




5




Technically, most elements have 4 square roots, but some have only two, and zero has only one. The elements that have only two square roots are the non-zero elements that happen to be a multiple of either $p$ or $q$. Of course, it is extremely improbable to hit one such element out of (bad) luck.
– Thomas Pornin
Dec 19 '18 at 13:37




Technically, most elements have 4 square roots, but some have only two, and zero has only one. The elements that have only two square roots are the non-zero elements that happen to be a multiple of either $p$ or $q$. Of course, it is extremely improbable to hit one such element out of (bad) luck.
– Thomas Pornin
Dec 19 '18 at 13:37












@ThomasPornin You are of course correct.
– Maeher
Dec 19 '18 at 13:44




@ThomasPornin You are of course correct.
– Maeher
Dec 19 '18 at 13:44




1




1




The last sentence might be worth emphasizing: unlike RSA, the Rabin cryptosystem is provably as hard as factoring (i.e. breaking it provides efficient factoring as a side effect).
– R..
Dec 19 '18 at 16:25




The last sentence might be worth emphasizing: unlike RSA, the Rabin cryptosystem is provably as hard as factoring (i.e. breaking it provides efficient factoring as a side effect).
– R..
Dec 19 '18 at 16:25












@R.. I left that out because it did not seem particularly relevant to the question being asked, but I added a comment about it now.
– Maeher
Dec 19 '18 at 16:35




@R.. I left that out because it did not seem particularly relevant to the question being asked, but I added a comment about it now.
– Maeher
Dec 19 '18 at 16:35












@Maeher: Thanks. I think it's nice because it confirms whatever suspicion the OP had that 2 is actually an interesting and productive choice of exponent.
– R..
Dec 19 '18 at 16:45




@Maeher: Thanks. I think it's nice because it confirms whatever suspicion the OP had that 2 is actually an interesting and productive choice of exponent.
– R..
Dec 19 '18 at 16:45

















draft saved

draft discarded
















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65983%2frsa-using-2-as-a-public-exponent%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?