6

I'm working on some RSA code that uses Toms Fast Math (TFM for short), and I'm trying to understand why the functions `fp_exptmod` (for modular exponentiation operations) and `fp_invmod` (for modular inverse operations) both require an odd modulus and the former also requires an odd exponent. I've written code to allow the use of evens, but TFM is built with crypto in mind, so I'm thinking maybe allowing evens isn't necessary or even desired? Still, even though my math-fu isn't as strong as it could be, I would think limiting the choices of exponent and modulus to only half (i.e. only odds) of all natural numbers would give bad actors a head start that we don't want.

Asked more generically, in the context of generating strong RSA keys, is the use of odd exponent and modulus for modular exponentiation operations and the use of an odd modulus for modular inverse operations required? If not, is there a benefit to including evens?

ubiquibacon

2 Answers

21

If the modulus is even, that means one of its factors is 2. The modulus is supposed to be the product of two large prime numbers. While it's possible to use more than two prime factors (called multi-prime RSA), that's not common, and having the number 2 as one of those factors would make little sense.

The public exponent $e$ must be coprime with $\varphi(n)$, where $n$ is the public modulus. If that's not the case, then there will be multiple possible plaintexts for a given ciphertext. And actually, the Rabin cryptosystem is basically RSA with $e = 2$, which is, of course, even, but it spits out four possible plaintexts, so regular RSA decryption doesn't work in the Rabin cryptosystem (thus it's not RSA).

While $e$ can be any value as long as $\gcd(e,\varphi(n))=1$, it's usually chosen to be 65537 or 3.

As Ilmari Karonen pointed out, $\varphi(n) = (p-1)(q-1)$ is always even for a product $n = pq$ of two odd primes. $65537 = 2^{16}+1$ is one plus a power of two (and specifically a Fermat prime), and thus has the lowest possible binary Hamming weight among odd numbers of comparable size, which makes exponentiation by squaring faster. $e=3$ is faster still, but not often used for silly reasons.

forest
13

In the context of RSA, the modulus should be a product of two large primes, and all primes $>2$ are odd — so it's not a restriction in this situation.

The reason the implementation only works with odd moduli is that it uses Montgomery multiplication internally to speed up the exponentiation, which involves calculating the inverse of the modulus modulo a power of two. This inverse exists if and only if the modulus is odd.
(The special role of $2$ here arises from the fact that computers work with bits, thus computations modulo powers of two are "native" in some sense: They are typically much faster than for moduli of other forms.)

yyyyyyy
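The Montgomery precomputation described in the answer above, as an added example (not TomsFastMath code and not written by either answerer): it shows where the inverse of the modulus modulo a power of two is needed and why an even modulus is rejected. It assumes a single 32-bit word with $R = 2^{32}$ and $n < 2^{31}$; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* n' = -n^{-1} mod 2^32, the constant Montgomery reduction needs.
 * Returns 0 when n is even: gcd(n, 2^32) > 1, so no inverse exists
 * (n' itself is never 0 for odd n, so 0 is an unambiguous failure value). */
uint32_t mont_nprime(uint32_t n) {
    if ((n & 1u) == 0) return 0;
    uint32_t x = n;                 /* n*n = 1 mod 8: correct to 3 bits */
    for (int i = 0; i < 4; i++)     /* Newton step doubles the bits: 6, 12, 24, 48 */
        x *= 2u - n * x;
    return 0u - x;
}

/* REDC: returns t * R^{-1} mod n for t < n*R; dividing by R is just a shift. */
static uint32_t redc(uint64_t t, uint32_t n, uint32_t np) {
    uint32_t m = (uint32_t)t * np;                      /* makes t + m*n = 0 mod R */
    uint32_t r = (uint32_t)((t + (uint64_t)m * n) >> 32);
    return r >= n ? r - n : r;
}

/* base^exp mod n via Montgomery multiplication; -1 if n is unsupported.
 * Assumption of this sketch: n < 2^31, so t + m*n fits in 64 bits. */
int64_t mont_exptmod(uint32_t base, uint32_t exp, uint32_t n) {
    uint32_t np = mont_nprime(n);
    if (n < 3 || n >= 0x80000000u || np == 0) return -1;
    uint32_t x   = (uint32_t)(((uint64_t)(base % n) << 32) % n); /* base*R mod n */
    uint32_t acc = (uint32_t)(((uint64_t)1 << 32) % n);          /* 1*R mod n */
    for (; exp; exp >>= 1) {
        if (exp & 1u) acc = redc((uint64_t)acc * x, n, np);
        x = redc((uint64_t)x * x, n, np);
    }
    return redc(acc, n, np);        /* convert out of Montgomery form */
}

int main(void) {
    /* Constructed textbook key: n = 61 * 53, e = 17, d = 2753. */
    printf("%lld\n", (long long)mont_exptmod(65, 17, 3233));  /* odd modulus */
    printf("%lld\n", (long long)mont_exptmod(65, 17, 3232));  /* even modulus */
    return 0;
}
```
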