RSA Moduli with a Predetermined Portion: Techniques and Applications

  • Marc Joye
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4991)


This paper discusses methods for generating RSA moduli with a predetermined portion. Prescribing a portion of the modulus allows RSA moduli to be represented in compressed form, which reduces transmission and storage requirements. The first method described in this paper achieves the compression rate of known methods but is fully compatible with the fastest prime generation algorithms available on constrained devices. This is useful for devising a key escrow mechanism when RSA keys are generated on-board by tamper-resistant devices such as smart cards. The second method in this paper is a compression technique yielding a compression rate of about 2/3 instead of 1/2, which results in higher savings in both transmission and storage of RSA moduli. In a typical application, a 2048-bit RSA modulus fits in only 86 bytes (instead of the 256 bytes of the regular representation). Of independent interest, the methods for prescribing bits in RSA moduli can be used to reduce the computational burden in a variety of cryptosystems.
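The abstract only states the idea; the following is an added illustration, not code from the paper, and it uses the plain "prescribed top half" construction rather than either of the paper's two methods. Assumptions made here: the prescribed high half of N is expanded from a short public seed with SHA-256 in counter mode (any public, factor-independent expansion would do); the search simply draws a fresh prime p, sets q to the smallest value with p*q in the target window, and retries with a new p when q is not prime (incrementing q moves N by p, about half the window, so at most one or two q candidates fit per p). The compressed form is then the seed plus the low half of N, which is the 1/2 rate the abstract calls the rate of known methods; the toy key sizes are for running the example, not for real use.

```python
import hashlib
import math
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
E = 65537  # public exponent used for the final RSA sanity check


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top bit forced, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def expand_seed(seed: bytes, hbits: int) -> int:
    """Prescribed high part of N derived from a short public seed.
    Constructed for this example: SHA-256 in counter mode (an assumption,
    not the paper's expansion).  Top bit forced so N has full length."""
    out, ctr = b"", 0
    while len(out) * 8 < hbits:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    high = int.from_bytes(out, "big") >> (len(out) * 8 - hbits)
    return high | (1 << (hbits - 1))


def generate_modulus(seed: bytes, nbits: int):
    """Return (p, q, N) with N = p*q and N >> (nbits//2) == expand_seed(seed).
    Simple search (not the paper's method): fresh prime p, q = ceil(lo/p) made odd,
    accept when p*q is still below hi and q is prime; otherwise draw another p."""
    hbits = nbits // 2
    lbits = nbits - hbits
    high = expand_seed(seed, hbits)
    lo, hi = high << lbits, (high + 1) << lbits  # N must land in [lo, hi)
    while True:
        p = random_prime(hbits)
        q = (-(-lo // p)) | 1  # ceil(lo / p), then force odd
        while p * q < hi:  # each q += 2 moves N by 2p, so the window holds 1-2 tries
            if q != p and is_probable_prime(q) and math.gcd(E, (p - 1) * (q - 1)) == 1:
                return p, q, p * q
            q += 2


def compress(seed: bytes, n_mod: int, nbits: int) -> bytes:
    """Compressed representation: the seed plus only the low (free) half of N."""
    lbits = nbits - nbits // 2
    low = n_mod & ((1 << lbits) - 1)
    return seed + low.to_bytes((lbits + 7) // 8, "big")


def decompress(blob: bytes, seed_len: int, nbits: int) -> int:
    """Rebuild N: re-expand the seed for the high half, append the stored low half."""
    hbits = nbits // 2
    lbits = nbits - hbits
    seed, low = blob[:seed_len], blob[seed_len:]
    return (expand_seed(seed, hbits) << lbits) | int.from_bytes(low, "big")


def rsa_roundtrip(p: int, q: int, n_mod: int) -> bool:
    """A prescribed-portion modulus is an ordinary RSA modulus: check m -> m^e -> m^(ed)."""
    d = pow(E, -1, (p - 1) * (q - 1))
    m = secrets.randbelow(n_mod)
    return pow(pow(m, E, n_mod), d, n_mod) == m


if __name__ == "__main__":
    seed = secrets.token_bytes(16)
    p, q, n_mod = generate_modulus(seed, 1024)  # toy size for the demo
    blob = compress(seed, n_mod, 1024)
    assert decompress(blob, 16, 1024) == n_mod and rsa_roundtrip(p, q, n_mod)
    print(f"{n_mod.bit_length()}-bit N: {1024 // 8} bytes plain, {len(blob)} bytes compressed")
```

Two points a practitioner should check before using anything like this. First, only bits of N are prescribed; p and q remain full-size random primes. That matters because Coppersmith's lattice technique factors N once roughly half the bits of one factor are known, so the prescribed portion must be a function of public data only and must never be derived from, or correlated with, the secret factors. Second, since N is public anyway, a seed-derived high half discloses nothing that N did not already disclose; the escrow and kleptography keywords above refer to the other direction, where the party controlling key generation chooses the "predetermined" portion to carry information it wants to recover later, which is exactly why on-board key generation in a tamper-resistant device needs an auditable source for that portion.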


Keywords: RSA-type cryptosystems, RSA moduli, RSA key lengths, diminished-radix moduli, key compression, key generation, key transport, key storage, key transmission, key escrow, tamper-resistant devices, smart cards, kleptography, setup





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Marc Joye
    Thomson R&D France, Technology Group, Corporate Research, Security Laboratory, Cesson-Sévigné Cedex, France
