2

I am trying to implement the RSA cryptography algorithm using C language. I am not sure of the size that each operand should have. Let me explain:

RSA requires to generate two huge prime numbers p and q, and compute their product n = pq. Let's suppose that we want to use a key size = 2048 bits.

So we generate two 2048-bits prime numbers. Hence their product is 4096 bits-wide. But as we said, our key size is 2048 bits ! So should we use only the low-part of this product i.e the 2048 less significant bits of n ?

Or should we limit the range of p and q to 1024 bits i.e half of the key size ?

I don't know what is the impact of these two options on the safety of the system.

Wheatley
  • 147
  • 4
  • Note: in RSA, what's called "key size" is the number of bits of the public modulus $n$. That's the sum of the number of bits in the two (or more generally $k\ge2$) prime factors of $n$, within at most $1$ bit by default (more generally at most $k-1$ bit by default). The key itself is usually slightly larger, because it includes the public exponent $e$, and formatting. – fgrieu Oct 14 '23 at 08:20
  • Well, use GNU/GMP for your development... – kelalaka Oct 15 '23 at 20:40

1 Answers1

2

Yes, you need two primes of half the key size, since multiplication of two $$-bit integers are $2$-bit.

It is possible to use more primes for multi-prime RSA, in which case the cumulative prime sizes make up the key size. This can speed up the algorithm in case the Chinese Remainder Theorem (CRT) is used and it will speed up the generation of the primes as well.

A number that is $p \cdot q \bmod 2^{2048}$ cannot guarantee to produce two large primes and therefore it may be easily factored, so it will break the standard assumptions of the RSA problem. As the security of RSA relies on the problem it cannot rely on the RSA problem and is not likely to be secure - if the inversion with the other key works at all.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • Thank you ! For curiosity, why p.q mod 2^2048 would be easily factored if p and q are 2048-bits wide numbers instead of 1024 ? – Wheatley Oct 12 '23 at 10:00
  • Also, does the multi-prime version guarantee the same safety ? The more factors involved, the more easy is to break the encryption, right? – Wheatley Oct 12 '23 at 10:02
  • 3
    Multi prime RSA key generation. Multip-Prime RSA has a different RSA problem, though similar arguments can be made. We can say as long as one uses primes > 1024-bits and Shor's factoring algorithm is not built, it is secure. $p\cdot q \bmod2^{2048}$ is not guaranteed to be product of primes, even it may have many small primes. – kelalaka Oct 12 '23 at 10:19
  • I've removed the last part of the discussion, which is about handling large numbers in software. It is not on topic for this answer. – Maarten Bodewes Oct 16 '23 at 15:45