On the included estimates of how often this occurs: I scraped a collection of (mainly developer) public keys for a previous project and got the following numbers.<p><pre><code> sqlite> select count(*) from keys;
1627715
</code></pre>
Quite a difference between the ratio of 2047-bit to 2048-bit keys and the ratio of 1023-bit to 1024-bit keys.<p><pre><code> sqlite> select count(*) from keys where strength = "2048";
936441
sqlite> select count(*) from keys where strength = "2047";
466
sqlite> select count(*) from keys where strength = "1024";
39068
sqlite> select count(*) from keys where strength = "1023";
5908
</code></pre>
Interestingly also:<p><pre><code> sqlite> select count(*) from keys where strength = "2049";
13
sqlite> select count(*) from keys where strength = "2050";
5
sqlite> select count(*) from keys where strength = "2051";
1
sqlite> select count(*) from keys where strength = "2052";
0</code></pre>
The whole point of the long keys is the search space, isn't it? If the leading bit has to be 1, then effectively you have a 2047-bit key either way: a 1 followed by 2047 random-looking bits.
NIST is considering "resistance to misuse" when assessing post-quantum crypto schemes.<p><pre><code> A final desirable, although ill-defined, property is
resistance to misuse. Schemes should ideally not fail
catastrophically due to isolated coding errors, random
number generator malfunctions, nonce reuse, keypair reuse...
</code></pre>
<a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf" rel="nofollow">https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Crypt...</a>
The most shocking part of this article is that 1800-bit RSA keys are significantly stronger than 2048-bit keys, and that there are discontinuities in toughness at base-10 numbers like 1000 and 2000 bits.
> Why not roll the dice on the full interval and check the product after the fact? See earlier point about the time-consuming nature of RSA key generation. Starting over from scratch is expensive.<p>They lose a bit of entropy by pre-setting the leading bit to 1.<p>There have been discussions about this in the past - <a href="https://news.ycombinator.com/item?id=19374758" rel="nofollow">https://news.ycombinator.com/item?id=19374758</a>
One bit theoretically means it halves the possibilities, but in practice there are so many in the absolute sense that there's no practical difference in security.
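To make the "1 followed by 2047 random-looking bits" observation above and the "pre-setting the leading bit" point in the later comment concrete, here is an added example (my own code, not posted by any commenter and not taken from any particular RSA library). It generates RSA-style primes with the top one or two bits forced to 1, using a small Miller-Rabin test, and shows how the choice determines whether the modulus p*q ends up with 2k-1 or exactly 2k bits. The simulation runs at toy sizes (32-bit primes) so it finishes quickly; `modulus_bit_range` does the same reasoning arithmetically for real 1024-bit primes. All function names are my own.

```python
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rng=None, rounds=16):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for p in [2] + SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is composite
    return True


def gen_prime(bits, top_bits_set, rng=None):
    """Random odd prime of exactly `bits` bits with the top `top_bits_set` (1 or 2) bits forced to 1.

    Forcing the top bit is what keeps every candidate at the full length; forcing the
    top two bits additionally guarantees that a product of two such primes has 2*bits bits.
    """
    assert top_bits_set in (1, 2) and bits >= 8
    rng = rng or random.Random()
    while True:
        c = rng.getrandbits(bits)
        c |= 1                      # odd
        c |= 1 << (bits - 1)        # leading bit = 1
        if top_bits_set == 2:
            c |= 1 << (bits - 2)    # second-highest bit = 1 as well
        if is_probable_prime(c, rng):
            return c


def modulus_bit_range(bits, top_bits_set):
    """(smallest, largest) possible bit length of p*q for primes of `bits` bits
    with `top_bits_set` leading bits forced to 1. Pure arithmetic, no prime generation."""
    lo = 1 << (bits - 1)
    if top_bits_set == 2:
        lo |= 1 << (bits - 2)
    hi = (1 << bits) - 1
    return (lo * lo).bit_length(), (hi * hi).bit_length()


def modulus_bits_distribution(bits, top_bits_set, trials, seed=0):
    """Generate `trials` key pairs and count how many moduli have each bit length."""
    rng = random.Random(seed)
    dist = {}
    for _ in range(trials):
        n = gen_prime(bits, top_bits_set, rng) * gen_prime(bits, top_bits_set, rng)
        dist[n.bit_length()] = dist.get(n.bit_length(), 0) + 1
    return dist


if __name__ == "__main__":
    # Real sizes, computed arithmetically: top bit only -> 2047 or 2048-bit modulus,
    # top two bits -> always 2048.
    print("1024-bit primes, top bit set:     ", modulus_bit_range(1024, 1))
    print("1024-bit primes, top two bits set:", modulus_bit_range(1024, 2))
    # Toy sizes, by actually generating keys.
    print("32-bit primes, top bit set:       ", modulus_bits_distribution(32, 1, 200))
    print("32-bit primes, top two bits set:  ", modulus_bits_distribution(32, 2, 200))
```

With only the leading bit forced, p and q each lie in [2^1023, 2^1024), so p*q lies in [2^2046, 2^2048) and a sizeable fraction of keys (about 2*ln(2) - 1, roughly 39%, if the primes were uniform in that range) come out at 2047 bits. Forcing the top two bits pushes each prime above 1.5 * 2^1023, so the product is at least 2.25 * 2^2046 > 2^2047 and the modulus is always exactly 2048 bits; that is the fix that turns the 2047-bit keys in the counts above into 2048-bit ones, at the cost of fixing one more bit of each candidate.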
Edit: ignore this. I might need new reading glasses...<p>The article mentions a CSR containing a private key. Isn't that an absolute no-no? CSRs you send around, but private keys should never leave your machine, where the machine could even be a hardware token in the ideal case. Confused.