Skip to main content

Issues with Euler’s Totient Function in RSA

Hamdaan AliApril 3, 2025About 2 minDevOpsSecuriryMathematicsArticle(s)blogfreecodecamp.orgdevopssecuritymathmathematics

Issues with Euler’s Totient Function in RSA 관련

The Cryptography Handbook: Exploring RSA PKCSv1.5, OAEP, and PSS
The RSA algorithm was introduced in 1978 in the seminal paper, ”A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Over the decades, as RSA became integral to secure communications, various vulnerabilities and attacks have emerg...
The Cryptography Handbook: Exploring RSA PKCSv1.5, OAEP, and PSS
The RSA algorithm was introduced in 1978 in the seminal paper, ”A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Over the decades, as RSA became integral to secure communications, various vulnerabilities and attacks have emerg...

While using Euler’s Totient Function works well in theory, implementers of the scheme realized its practical downsides. Simply put, the primary issue was that Euler’s Totient Function can lead to a larger private exponent dd than what was necessary.

To completely appreciate this fact, let’s take a step back to understand why the size of the private exponent dd matters in RSA.

RSA decryption (or signing) involves computing mdmodnm^{d}\:\text{mod}\:n which is done via modular exponentiation. The time complexity of exponentiation algorithms (like square-and-multiply) grows with the number of bits in dd. A larger dd means more multiplications and squarings, that is slower decryption.

In practice, if using the Euler’s Totient Function makes dd roughly twice as large as what is required, then decryption can be almost twice as slow compared to using the minimal dd. This inefficiency is especially noticeable when ee is small (common public exponents like 33 or 6553765537). A small e leads to a very large dd under ϕ(n)\phi\left(n\right).

Beyond performance, having an unnecessarily large dd can increase storage size slightly (a few more bytes for the key). This can also lead to interoperability quirks, which is why standards and protocols such as FIPS 186-4[1] and RFC 8017[2] expect dd to be below a certain size. We will take a detailed look at this in the next section.

To combat these issues, cryptographers utilized the Carmichael function to generate RSA keys. Before we dive into how the Carmichael function helps our case, let’s quickly understand what the Carmichael function actually is.

  1. FIPS 186-5: Digital Signature Standard (DSS) ↩︎

  2. RFC 8017 PKCS #1: RSA Cryptography Specifications ↩︎

MIT Licensed | Copyright © 2022-present Chan Hee Lee
Copyright © 2025 Hamdaan Ali