#StackBounty: #rsa Security of RSA variants with $e=n-2$ and $e=n$

Bounty: 500

RSA as defined by PKCS#1v2.2 allows public exponent $e=n-2$. And textbook RSA was born with $e=n$ (see second bullet here).

Are these variants essentially as secure as (textbook) RSA with fixed $e$? With random $e$? Can we reduce the security of one to the security of the other, or of another variant of RSA?

Note: as in RSA with fixed $e$, we choose $p$ and $q$ large random distinct secret primes. And further:

  • for $e=n-2$, it must hold that $\gcd(q-2,p-1)=1$ and $\gcd(p-2,q-1)=1$;
  • for $e=n$, it must hold that $\min(p,q)$ does not divide $\max(p,q)-1$.
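
Both side conditions are $\gcd(e,\varphi(n))=1$ rewritten for the particular exponent, since $n-2\equiv q-2 \pmod{p-1}$ and $p$ never divides $p-1$. The Python check below is an added example, not part of the original question; it compares the stated conditions against the definition over small primes (constructed sample input, far below secure sizes) and runs a textbook round trip. All function names are hypothetical.

```python
from math import gcd

def small_primes(limit):
    """Odd primes below limit, by trial division (constructed sample input)."""
    return [n for n in range(3, limit, 2)
            if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]

def valid_by_definition(e, p, q):
    """e is a usable RSA exponent iff it is invertible modulo phi(n)."""
    return gcd(e, (p - 1) * (q - 1)) == 1

def valid_n_minus_2(p, q):
    """Condition stated in the post for e = n - 2."""
    return gcd(q - 2, p - 1) == 1 and gcd(p - 2, q - 1) == 1

def valid_n(p, q):
    """Condition stated in the post for e = n."""
    return (max(p, q) - 1) % min(p, q) != 0

def mismatches(limit=200):
    """Prime pairs where a stated condition disagrees with gcd(e, phi(n)) = 1."""
    primes = small_primes(limit)
    bad = []
    for i, p in enumerate(primes):
        for q in primes[i + 1:]:
            n = p * q
            if valid_n_minus_2(p, q) != valid_by_definition(n - 2, p, q):
                bad.append(("n-2", p, q))
            if valid_n(p, q) != valid_by_definition(n, p, q):
                bad.append(("n", p, q))
    return bad

def round_trip(p, q, e, m):
    """Textbook RSA: encrypt m with e, decrypt with d = e^-1 mod lcm(p-1, q-1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)  # raises ValueError if e is not invertible
    return pow(pow(m, e, n), d, n)

if __name__ == "__main__":
    print("disagreements:", mismatches())
    print("e=n-2, p=5, q=11:", round_trip(5, 11, 5 * 11 - 2, 7))
    print("e=n,   p=11, q=17:", round_trip(11, 17, 11 * 17, 42))
    print("p=11, q=17 usable with e=n-2?", valid_n_minus_2(11, 17))
```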
