1

As far as I can see, generating a private key from two prime numbers p and q, having calculated n = pq, starts with calculating λ(n) = lcm(p-1, q-1). This is the detailed explanation given in the wikipedia article for RSA, it's also the implementation I've found in most Python cryptography libraries, and, searching through the openssl source code, it's also how they seem to do it, so I'd say this looks like the standard.

So my question is, why do some implementations appear to use ϕ(n) instead, which is simply (p-1)(q-1)? I understand that you can calculate λ(n) = ϕ(n) / gcd(p-1, q-1), so I suppose these two can be equal if p-1 and q-1 are coprime, but what's with the two different implementations?

This way to generate the "private modulo" is used for example in the somewhat popular python program rsatool, it's also mentioned in this popular article detailing how RSA keys are generated, but my problem is, taking the two same prime numbers p and q, these two methods will not generate the same private key, so assuming the former is the proper, standard way, where did this other one come from?

Élise Navennec
  • 41
  • 4
  • 1
    You can have more than one private key for RSA and $\lambda$ always provides the smallest $d$ since $\lambda(n)| \phi(n)$ by definition. Smallest = less calculation. – kelalaka Oct 12 '21 at 19:01
  • 2
    @kelalaka: it's doubtful that "less calculation" is the true reason. When performance matters, $d$ is not used at all. And when $d$ is used, the average difference is I think <0.2% for 2048-bit keys , and (unless special precautions are taken) much less than the random variation from one key to the other. My bets are on: $d\equiv e^{-1}\pmod{\lambda(n)}$ is necessary and sufficient for $d$ to work; and defining $d=e^{-1}\bmod\lambda(n)$ uniquely defines $d$ as the smallest positive working $d$, which is mathematically satisfying, and simplifies conformance testing. – fgrieu Oct 12 '21 at 19:11
  • Yes, very small, and still can produce little time advantage. Your bet is a good one. – kelalaka Oct 12 '21 at 19:16
  • 2
    Dupe https://crypto.stackexchange.com/questions/1789 https://crypto.stackexchange.com/questions/12710 https://crypto.stackexchange.com/questions/29591 https://crypto.stackexchange.com/questions/33676/ https://crypto.stackexchange.com/questions/54280/ https://crypto.stackexchange.com/questions/68873/ https://crypto.stackexchange.com/questions/70624/ and a side issue or comment in many more. Note for RSA p and q must both be odd so p-1,q-1 cannot be coprime and lambda cannot equal phi. – dave_thompson_085 Oct 13 '21 at 01:09

1 Answers1

3

So after searching, turns out the 2nd version is the one given in the original RSA paper, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems".

I assume the 1st method is simply the standard since. As pointed out by a comment $\lambda(n)$ will always be smaller or equal to $\phi(n)$. In RSA, as pointed by Dave Thompsons, $\lambda(n) \neq \phi(n)$. $\lambda(n)$ possibly leads to faster calculations(?) but what interested me was where that 2nd version came from, and it comes from the original RSA paper, turns out.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
Élise Navennec
  • 41
  • 4
  • Yes, your second version (with $\varphi$ or $\Phi$ or $\phi$) is the chronologically first published. Notice the other (with $\lambda$) subdivides into $e,d\equiv1\pmod{\lambda(n)}$ with $0<d<n$ (PKCS#1), or $d=e^{-1}\bmod{\lambda(n)}$ (FIPS 186-4). – fgrieu Oct 12 '21 at 19:20