Ok, glad to help. I agree with your defense, and e=3 is the obvious assumption for most situations.
You're right that RSA with e=3 can be as secure as e=65537, assuming an application where you use proper encryption/signing padding and verification. But it is more brittle in that partial failures in padding randomness or encryption of related messages can lead to compromise. Unless carefully reviewed and appropriate fail-closed measures are not present, it's better to avoid e=3.