Tunable Balancing of RSA

  • Steven D. Galbraith
  • Chris Heneghan
  • James F. McKee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3574)


We propose a key generation method for RSA moduli which allows the cost of the public operations (encryption/verifying) and the private operations (decryption/signing) to be balanced according to the application requirements. Our method is a generalisation of using small public exponents and small Chinese remainder (CRT) private exponents. Our results are most relevant in the case where the cost of private operations must be optimised. We give methods for which the cost of private operations is the same as the previous fastest methods, but where the public operations are significantly faster. The paper gives an analysis of the security of keys generated by our method, and a new birthday attack on low Hamming-weight private exponents.
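As an added illustration (not code from the paper, whose own key generation method is not reproduced on this page), the Python sketch below implements one of the two known endpoints the abstract says the method generalises: RSA with small CRT private exponents, where short `dp` and `dq` are chosen first and the public exponent `e` is derived from them. All function names and the `modmul_count` cost model are assumptions made for this example, and it is meant to be run with toy parameters only.

```python
import math
import random

def is_probable_prime(n, rng, rounds=24):  # Miller-Rabin, for odd n >= 5
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if is_probable_prime(c, rng):
            return c

def small_unit(k, m, rng):  # odd k-bit value coprime to m
    while True:
        d = rng.getrandbits(k) | (1 << (k - 1)) | 1
        if math.gcd(d, m) == 1:
            return d

def rebalanced_keygen(n_bits, k, rng):  # k-bit dp, dq first; e derived from them
    while True:
        p, q = random_prime(n_bits // 2, rng), random_prime(n_bits // 2, rng)
        if p != q and math.gcd(p - 1, q - 1) == 2:
            break
    dp, dq = small_unit(k, p - 1, rng), small_unit(k, q - 1, rng)
    ep, eq = pow(dp, -1, p - 1), pow(dq, -1, q - 1)
    a, b = (p - 1) // 2, (q - 1) // 2  # coprime halves: the CRT moduli share only 2
    e = ep + (p - 1) * ((eq - ep) // 2 * pow(a, -1, b) % b)
    return {"N": p * q, "e": e, "p": p, "q": q, "dp": dp, "dq": dq}

def decrypt_crt(c, key):
    mp, mq = pow(c, key["dp"], key["p"]), pow(c, key["dq"], key["q"])
    h = (mp - mq) * pow(key["q"], -1, key["p"]) % key["p"]  # Garner recombination
    return mq + h * key["q"]

def modmul_count(x):  # multiplications in binary square-and-multiply
    return x.bit_length() - 1 + bin(x).count("1") - 1
```

With `key = rebalanced_keygen(256, 64, random.Random(1))`, comparing `modmul_count(key["e"])` with `modmul_count(key["dp"])` shows the private side using short exponents while the derived public exponent comes out near full size; `modmul_count(65537)` gives the opposite endpoint, a small public exponent.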


Keywords: Chinese Remainder Theorem; Decryption Time; Linearisation Attack; Public Exponent; Springer LNCS
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Steven D. Galbraith (1)
  • Chris Heneghan (1)
  • James F. McKee (1)

  1. Department of Mathematics, Royal Holloway, University of London, Egham, Surrey, UK
