Note on Fast Computation of Secret RSA Exponents

  • Wieland Fischer
  • Jean-Pierre Seifert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2384)


Today’s cryptography using RSA is faced with the problem of increased bit length and so called fast on-card key generation — both for security reasons. These two requirements often constitute a problem on existing cards as their arithmetic coprocessors are most often designed for a fixed bit length which is not suited for latest security demands. While the main problem, the overcoming of the computational limitations of the cards coprocessor can in principle be solved via recent efficient algorithms, the subproblem of computing the secret RSA exponents cannot be solved satisfactory by these algorithms. This is due to the fact that the key generation, including the secret RSA exponent, is done during the card personalization in the fab where production times are very costly. This article proposes a very simple, natural and efficient solution to this problem. Namely, computing the secret RSA exponent d via the Chinese Remainder Theorem (CRT) wrt. p − 1 and q − 1 where p and q denote the two secret primes of the the public modul N. We stress that it is impossible to use the CRT in a straightforward way, as p − 1 and q − 1 are not relatively prime. Nevertheless the solution to this problem is natural and very simple. However, as we have not found anywhere in the literature a hint on this very practical result, we felt to share it with the community.

Moreover, we present another method to compute efficiently secret RSA exponents d for certain short public keys e which we have not seen so far in the public literature.


Carmichael’s λ-function Chinese Remainder Theorem Key generation RSA Secret exponent Short public key 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BS]
    E. Bach, J. Shallit, Algorithmic Number Theory, MIT Press, Cambridge MA, 1996.zbMATHGoogle Scholar
  2. [BDL]
    D. Boneh, DeMillo, R. Lipton, “On the Importance of Eliminating Errors in Cryptographic Computations” Journal of Cryptology 14(2):101–120, 2001.zbMATHCrossRefMathSciNetGoogle Scholar
  3. [CKN]
    J.-S. Coron, P. Kocher and D. Naccache, Statistics and secret leakage, Proc. of Financial Cryptography’ 00, pp.-–-, 2000.Google Scholar
  4. [C+]
    S. Cavallar et alii, Proc. of EUROCRYPT’ 00, Springer LNCS, vol. 1807, pp. 1–19, 2000.Google Scholar
  5. [CQ]
    C. Couvreur, J.-J. Quisquater, “Fast decipherment algorithm for RSA public-key cryptosystem”, Electronics Letters 18(21):905–907, 1982.CrossRefGoogle Scholar
  6. [Fr]
    A. S. Fraenkel, “New proof of the generalized Chinese Remainder Theorem”, Proc. Amer. Math. Soc. 14:790–791, 1963.zbMATHCrossRefMathSciNetGoogle Scholar
  7. [Ga]
    C. F. Gauss, Disquisitiones Arithmeticae, G. Fleischer, Leipzig, 1801.Google Scholar
  8. [HP]
    H. Handschuh, P. Pailler, “Smart Card Crypto-Coprocessors for Public-Key Cryptography”, CryptoBytes 4(1):6–11, 1998.Google Scholar
  9. [HJMS]
    E. Hess, N. Janssen, B. Meyer, T. Schütze, “Information leakage attacks against smart card implementations of cryptographic algorithms and countermeasures”, Proc. of EUROSMART-Security-Conference 2000, pp. 53–64, 2000.Google Scholar
  10. [JPY]
    M. Joye, P. Pailler, S.-M. Yen, “Secure Evaluation of Modular Functions”, Proc. of 2001 International Workshop on Cryptology and Network Security, pp. 227–229, 2001.Google Scholar
  11. [Knu]
    D. E. Knuth, The Art of Computer Programming, Vol.2: Seminumerical Algorithms, 3rd ed., Addison-Wesley, Reading MA, 1999.Google Scholar
  12. [Kob94]
    N. Koblitz, A Course in Number Theory and Cryptography, Springer, Berlin, 1994.zbMATHGoogle Scholar
  13. [Kob99]
    N. Koblitz, Algebraic Aspects of Cryptography, Springer, Berlin, 1999.Google Scholar
  14. [MvOV]
    A. J. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptog-raphy, CRC Press, New York, 1997.Google Scholar
  15. [Pai]
    P. Pailler, “Low-cost double size modular exponentiation or how to stretch your cryptocoprocessor”, Proc. of Public Key Cryptography’ 99, Springer LNCS, vol. 1560, pp. 223–234, 1999.CrossRefGoogle Scholar
  16. [RSA]
    R. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Comm. of the ACM 21:120–126, 1978.zbMATHCrossRefMathSciNetGoogle Scholar
  17. [Sch]
    B. Schneier, Applied Cryptography, John Wiley & Sons, New York, 1996.Google Scholar
  18. [Sha]
    A. Shamir, “Method and Apparatus for protecting public key schemes from timing and fault attacks”, U.S. Patent Number 5, 991,415, November 1999.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Wieland Fischer
    • 1
  • Jean-Pierre Seifert
    • 1
  1. 1.Security & ChipCard ICs Technology & InnovationsInfineon Technologies CorporationMunichGermany

Personalised recommendations