Sie sind auf Seite 1von 8

On the usage of Modified RSA Cryptosystems

Abstract—Usually, Public key Cryptosystems are expensive and require more time and faster
processing capabilities than their private key counterparts. Specifically, RSA requires longer key
lengths when compared with the other Public Key Cryptosystems such as Elliptic curve
Cryptography. These longer key lengths slow down the process of encryption and decryption. To
address this issue several faster variants of RSA were proposed. Through this article, we review
such modified faster variants of RSA cryptosystem.

Mathematics Subject Classification (2010): 94A60, 68P25, 14G50

Keywords—RSA; Public Key Cryptography; Variants; Faster RSA


In the recent era, RSA is one of the widely known and largely used public key

cryptosystems in the world. Basically, RSA is required to send and receive a session key

securely on a network [1]. Though a mostly used cryptosystem, when compared to its

counterpart public key cryptosystems such as Elliptic curve cryptography, it requires a longer

key length [1]. With the increasing length of Keys, RSA requires devices with higher

computational power. Many hand-held devices such as Point of Sale (POS) machines lack such

high computation power making RSA a rather constrained and problematic cryptosystem to use.

Replacing RSA for another public key cryptosystems takes many years to accomplish and is

hugely expensive [1]. This prompted the researchers to modify the existing RSA’s encryption

and decryption technique, which enables the development of “Faster Variants” of RSA

cryptosystem. These “Faster Variants” are similar to the original RSA; work well with those

systems that were designed to use the original [1]. This makes the transition easier to newer

variants easier and not costly unlike moving on to a different public key cryptosystem.

Key Generation

RSA cryptosystems use two keys [2], one for the encryption, denoted with a pair <e, N>where e

is the encryption exponent and N is called the RSA modulus, N is obtained by the product of two

primes p & q known as RSA primes [1, 2]. On the other hand for decryption, denoted with a

triple <d, p, and q> where d is the decryption exponent and the length of the key is n bits. the

pair <e,N> is known as a public key and the triple <d,p,q> is known as a private key, which is

kept secret[1,2,11].

To generate these public and private keys, we use the following procedure:

Choosing the encryption exponent

 Select two large primes (p & q) whose length is equal to n/2.

 Compute the value of N=pq where φ(N)=(p-1)(q-1).

 Select an integer for the encryption exponent e, such that G.C.D (e, φ(N))=1

Choosing the decryption exponent

 Compute the decryption exponent d, Such that

1< d <φ(N) and ed ≡ 1 mod φ(N)

The Encryption

Encryption is the process of converting a Message, which is in plaintext (M) to Cipher text (C).

Cipher text is obtained using the equation

C= Me mod N
The Decryption

Decryption is the process of obtaining the Message in plaintext (M) from a cipher text (C). The

original message is extracted using the equation

M= Cd mod N

The main drawback of this original RSA cryptosystem is the long key length and slower speeds

in encryption and decryption. This prompted the need to modify RSA and develop faster variants



To address the above stated issues a number of variants of this original RSA have been

published in the literature. A total 7RSA variants have been found mostly cited such as using the

Chinese Remainder theorem CRT-RSA[3], using small public exponents also known as Batch

RSA [4], with a multiple number of primes and not limiting to only two prime numbers, known

as MPrime RSA [5], calculating N using multiple powers for the prime numbers (p & q), known

as MPower RSA [6], balancing the encryption and decryption processes, known as Rebalanced

RSA [7], a combination of Rebalanced RSA and MPrime RSA known as RPrime RSA [8] and

another combination, which includes MPower RSA and Rebalanced RSA, known as RePower

RSA [9]. The remainder of this article discusses in brief about the variants and their



Quisquater and Couvreur in 1982 described this variant of RSA, which uses Chinese Remainder

theorem (CRT) [3].The Chinese Remainder Theorem is used in dividing the single large
decryption exponent into smaller and faster exponents. The process of generating the encryption

key is same as the Original RSA [1], where the public key contains a pair <e, N>. The decryption

process uses the CRT, where Mp = Cdp Mod p and Mq = cdq mod q and then, M = (Mpq(q-1 mod

p)+ Mqp(p-1 mod q)) mod N [10], dp and dq are computed using dp= d mod p-1, dq=d mod q-1 [3,


Batch RSA [4]

When small exponents are used for encryption say e1 and e2, Fiat [4] observed that, the cost of

decrypting two cipher texts is approximately equal to cost of decrypting one. The Batch RSA

works on public key exponents, he generalized his observations based on a batch of b distinct

and pair wise relative prime public key exponents e1,e2,..,ento obtain M which is equal to Ci1/ei

for i= 1, 2,..,b [11].

MPrime RSA [5]

Collins, Hopkins, Langford and Sabin [5], in their article discussed on modifying the original RSA

by considering a number of primes rather than adhering to only two prime p and q. the modulo

N is computed as a product of n primes N=Π (p1,p2,p3,..,pn) [5].The encryption exponent and the

decryption exponent are computed using the d = e-1mod φ(N) and g.c.d(e, φ(N))=1, where

φ(N)=Πki=1 (p-1).The public key is pair of <e, N>similar to the original RSA [11]. The private key

contains a tuple <N, d1,d2,..,dk>where 1<= i <= k; di= d mod (pi-1) [5, 11]. To obtain the plain text

from the cipher, Mi= Cdi mod pi where 1<= i <= k, and M =Cd mod N is obtained using CRT [5,

Rebalanced RSA [7]

Weiner suggested this variant in 1990 [7], which discussed on using proportionately equal sizes

of encryption exponent e and decryption exponent d. The process of encryption is same as in

original RSA but only for larger values of e, which are of the order N. The private key contains of

a quadruple<dp, dq, p, q>instead of a triple, where dp and dq are two integers of length w bits,

where g.c.d (dp,p-1) = g.c.d (dq,q-1) =1 anddp≡dqmod 2. Also, d should satisfy a condition where d

= dqmod (p-1) and d = dp mod (p-1) [10]. The usual length of dp and dq is greater than or equal to

160 bits (w > = 160).

Mpower RSA [6]

Takagi in 1998 has first described this MultiPower or MPower RSA [6]. In this variant of RSA, a

change is made to the Modulus N, for the values of r >=3, where N=pr-1q. The process of

encryption is same as the original RSA but during decryption, we apply the Decryption process of

CRT RSA [10,12].

RePower RSA [9]

Cesar [9] in his article discussed on combining two variants Rebalanced RSA [7] and Multi

Power or MPower RSA [6]. To generate the keys, only two primes of length n/k bits are used in

combination with Rebalanced RSA and for decryption algorithm, MultiPower or MPower RSA

is used [12]. The details of encryption and decryption are detailed in that article [8].

RPrime RSA [8]

The MultiPrime or MPrime RSA [5] and Rebalanced RSA [7] are combined to form another
variant of RSA known as RPrime RSA [10]. The encryption of RPrime RSA is similar to the

Original RSA, where the public exponent e is larger. Here, we use multiple primes such that

g.c.d (p1-1, p2-1, p3-1,.., pk-1) =2 and N=p1, p2, p3,.., pk.RPrime RSA’s [8] public key contains a

pair <e, N> and the Private Key contains a n-tuple <p1, p2, p3,.., pk, dp1, dp2, dp3,.., dpk> is similar

to the Rebalanced RSA [7], where gcd(dp1,p1 − 1) = 1, gcd(dp2,p2 − 1) = 1,...,gcd(dpk,pk − 1) = 1

anddp1 =dp2 =...=dpk mod2 [8, 10]. In the decryption
process, Mi = Cdpi mod pi where 1 <= i<=

k and later all these Mi are combined which equals M = Cd mod N [8,10].

In the following section, a comparison made based on the time complexities in using the

decryption keys.


The process of extracting a plaintext from the cipher text is rather sluggish while using

RSA. Several variants of RSA addressed this shortcoming and suggested the improvements that

can be made to the decryption process of RSA. Table1, shows as comparison of the decryption

time complexities for the variants of RSA (excluding Batch RSA) [10].Here, considerations for

r,w, n are taken as n=1024, w=160 and r =3.

Variants of RSA Time Complexity


Original RSA [2] O(n)

CRT RSA [3] 2xO((n/2)3)

MPrime RSA [5] r x O((n/r)3)

Rebalanced RSA 2 x O(w(n/2)2)


MPower [7] 2 x O((n/r)3)

RePower RSA [9] (9s+12ne+10)n2/9+O(n2)

RPrime RSA [8] r x O(w(n/r)2)

Table1: Time Complexities of RSA Variants

From the above table, as the process of encryption in RSA variants is almost the same as

encryption in original RSA, if we are to choose between a RSA variant in speeding up the

decryption process, one can choose to use RPrime RSA[8] [10].


Through this article, we review such modified faster variants of RSA cryptosystem. We

have reviewed a total of 7 Variants of RSA, which are later compared based on their time

complexities for decryption. From the observations, we affirm that RPrime RSA[8] can be used

in place of the original RSA as it has a comparatively faster decryption process. Though RPrime

RSA has a “faster” decryption process, it is prone to security attacks. The future scope of this

work lies in comparing the RSA variants based on their security attacks and threats.


[1] M. J. Hinek, “Another look at small RSA exponents,” Topics in Cryptology, CT-RSA
2006, 2006, Vol. 3860, pp. 82– 98.
[2] R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and
Public Key Cryptosystems”, Communications of the ACM Vol. 21, No. 2, pp. 120 - 126,
[3] J-J. Quisquater and C. Couvreur, “Fast Decipherment Algorithm for RSA Public-Key
Cryptosystem”, Electronic Letters, Vol. 18, 1982, pp. 905–907.

[4] A. Fiat. Batch RSA. “Advances in Cryptology”, Crypto ‟89, Vol. 435, 1989, pp.175–185.
[5] T. Collins, D. Hopkins, S. Langford, and M. Sabin, “Public Key Cryptographic
Apparatus and Method”, US Patent #5,848,159. Jan. 1997.
[6] T. Takagi, “Fast RSA-Type Cryptosystem Modulo p q”, Crypto ‟98, 1462 of LNCS.
1998, pp. 318–326
[7] M. Wiener, “Cryptanalysis of Short RSA Secret Exponents”, IEEE Transactions on
Information Theory, Vol. 36, No. 3, 1990, pp. 553–558.
[8] Cesar Alison Monteiro Paixao, “An efficient variant of the RSA cryptosystem”, preprints
[9] Garg D,Verma S, “Improvement over Public Key cryptographic Algorithm” Advance
Computing Conference,2009, IACC 2009, IEEE International Conference, March 2009,
pp. 734-739
[10] Klaus Hansen, Troels Larsen and Kim Olsen, On the Efficiency of Fast RSA Variants in
Modern Mobile Phones, International Journal of Computer Science and Information
Security, Vol. 6, No. 3, 2009
[11] D. Boneh and H. Shacham. Fast Variants of RSA. RSA Laboratories, 2002. 

[12] S. Verma and D. Garg, Improvement in RSA Cryptosystems, Journal of advances in
information technology, vol. 2, no. 3, August 2011