[pycrypto] Why p<q in RSA code?

Legrandin gooksankoo at hoiptorrow.mailexpire.com
Wed Jan 19 14:06:05 CST 2011

> >> I have noticed that - when generating an RSA key - a special check is
> >> made to ensure that p<q.
> If you do modular arithmetic mod q on p -- which is what is being done here -- you'd want to start with p having a legal value mod q.  Such a value is in the range 0..q-1, so that's why you'd have the check.
> p^-1 mod q will deliver a value in that range.  You could argue that it should be valid even if p is outside the range -- effectively that means you're doing (p mod q)^-1 mod q.  But I would expect your typical modular arithmetic package not to go through that extra work.
> 	paul

I see, thanks.

Both Crypto.Util.number.inverse() and mpz_invert() work correctly if the
number to invert is larger than the modulus though, therefore I
understand that the check is actually redundant.

Note that I am not advocating to remove the check (if it's not broken
don't fix it). The problem I was considering is that a private key imported
as PEM could have p>q, because the standard does not prescribe any ordering.
Given that, should p and q be swapped (p to becomes q, q to become p) when p>q
or not?

I believe it is not necessary, but I had no hard proof that a flaw was
not lurking by doing that.

I would adjust the comment "# p shall be smaller than q (for calc of u)"
though because it is simply not right, along with the test cases that verify
that p<q....

More information about the pycrypto mailing list