Note on Fast Computation of Secret RSA Exponents
Today's RSA cryptography faces two demands, both for security reasons: increased bit lengths and so-called fast on-card key generation. These two requirements often pose a problem on existing cards, as their arithmetic coprocessors are most often designed for a fixed bit length that does not suit the latest security demands. While the main problem, overcoming the computational limitations of the card's coprocessor, can in principle be solved with recent efficient algorithms, the subproblem of computing the secret RSA exponents cannot be solved satisfactorily by these algorithms. This is because key generation, including the secret RSA exponent, is done during card personalization in the fab, where production time is very costly. This article proposes a very simple, natural and efficient solution to this problem: computing the secret RSA exponent d via the Chinese Remainder Theorem (CRT) with respect to p − 1 and q − 1, where p and q denote the two secret primes of the public modulus N. We stress that it is impossible to use the CRT in a straightforward way, as p − 1 and q − 1 are not relatively prime. Nevertheless, the solution to this problem is natural and very simple. However, as we have not found a hint of this very practical result anywhere in the literature, we felt we should share it with the community.
Moreover, we present another method to efficiently compute secret RSA exponents d for certain short public keys e, which we have not seen so far in the public literature.
Keywords: Carmichael's λ-function, Chinese Remainder Theorem, Key generation, RSA, Secret exponent, Short public key
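The abstract does not spell out the construction, so the following is an added example and not the paper's own code: one standard way to combine two half-size inverses when the moduli p − 1 and q − 1 are not coprime, yielding d modulo λ(N) = lcm(p − 1, q − 1). The function name and the toy primes are assumptions made for illustration.

```python
from math import gcd


def secret_exponent_crt(p: int, q: int, e: int) -> int:
    """Return d with e*d = 1 (mod lcm(p-1, q-1)), assembled from two
    half-size inverses by a CRT variant for non-coprime moduli."""
    p1, q1 = p - 1, q - 1
    if gcd(e, p1) != 1 or gcd(e, q1) != 1:
        raise ValueError("e must be coprime to both p-1 and q-1")

    # Half-size inversions: each modulus is only as long as one prime.
    # (Three-argument pow with exponent -1 needs Python 3.8 or later.)
    dp = pow(e, -1, p1)
    dq = pow(e, -1, q1)

    # p-1 and q-1 share at least the factor 2, so plain CRT does not apply.
    # Both residues invert e modulo g, hence dp = dq (mod g) and the
    # difference below divides exactly.
    g = gcd(p1, q1)
    diff, rem = divmod(dq - dp, g)
    if rem:
        raise ArithmeticError("residues are inconsistent modulo gcd(p-1, q-1)")

    # (p-1)/g and (q-1)/g are coprime, so the lifting step is an ordinary
    # CRT on the reduced moduli: find t with dp + (p-1)*t = dq (mod q-1).
    m = q1 // g
    t = diff * pow(p1 // g, -1, m) % m
    return dp + p1 * t  # already reduced: 0 <= d < lcm(p-1, q-1)


if __name__ == "__main__":
    # Constructed toy parameters, far too small for real use.
    p, q, e = 61, 53, 17
    d = secret_exponent_crt(p, q, e)
    msg = 42
    assert pow(pow(msg, e, p * q), d, p * q) == msg
    print("d =", d)
```

The only full-length operation is the final multiply-and-add; both inversions and the lifting step work on operands no longer than one prime.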