3

The RSA private exponent is much larger than the RSA public exponent. For example, for a 2048-bit RSA private key, the private exponent can have more than 2000 bits. But the public exponent is usually 65537 (0x10001), which has a much shorter bit length.

Here is my guess of the reason. Let's define the following symbols to describe the RSA algorithm:

  • $n$: modulus
  • $e$: public exponent
  • $d$: private exponent
  • $P$: public key $(e,n)$
  • $S$: private key $(d,n)$

Encrypt a plain message $M$ with $M^e \text{ mod }n$. Decrypt an encrypted message $C$ with $C^d \text{ mod }n$. Since $d$ is much larger than $e$, decryption incurs much more multiplication computation. So the use of a large private exponent is to make the decryption harder.

Is my guess correct?

Jingguo Yao

2 Answers

8

Is my guess correct?

Not really; we don't go out of our way to deliberately slow down the decryption operation. Instead, things are set up that way because that's what's needed for security.

  • It turns out that if $d$ is small (e.g. less than a fourth of the size of $n$), and we tell people what the corresponding $e$ is, they can factor $n$ efficiently. Hence, $d$ needs to be large to ensure security.

  • There's no similar issue for $e$; telling people a small $e$ doesn't help them factor $n$ (or otherwise break RSA). Hence, there's no reason not to select a small value (and make the encryption operation faster).

poncho
6

In addition to poncho's answer: $d$ being approximately $n$ sized is a by-product of computing it as the modular inverse of $e$.

With high probability, the inverse of $x \bmod k$ is approximately $k$ sized, even if $x$ is small.

Ella Rose
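To see both answers on concrete numbers, the following added example (not part of the original posts) builds constructed 512-bit sample moduli with $e = 65537$, computes $d$ as the inverse of $e$ modulo $(p-1)(q-1)$, and records the bit lengths together with a check for the "less than a fourth of the size of $n$" case. The function names, the seeded generator and the key size are assumptions made here for a reproducible demonstration, not a way to generate real keys.

```python
import random

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        # Top two bits set so p*q has exactly 2*bits bits; low bit set for oddness.
        c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c, rng):
            return c

def private_exponent(e, p, q):
    return pow(e, -1, (p - 1) * (q - 1))  # e^-1 mod phi(n); ValueError if gcd != 1

def shorter_than_quarter_of_n(d, n):
    return 4 * d.bit_length() < n.bit_length()  # the weak case named in the answer

def survey(trials=20, prime_bits=256, e=65537, seed=1):
    """Return (n bits, d bits, flagged as short) for constructed sample keys."""
    rng = random.Random(seed)  # seeded for a reproducible demo, NOT for real keys
    rows = []
    while len(rows) < trials:
        p, q = random_prime(prime_bits, rng), random_prime(prime_bits, rng)
        try:
            d = private_exponent(e, p, q)
        except ValueError:  # e not invertible mod phi(n): draw new primes
            continue
        rows.append(((p * q).bit_length(), d.bit_length(), shorter_than_quarter_of_n(d, p * q)))
    return rows
```

Since $d \cdot e = 1 + k(p-1)(q-1)$ with $k \ge 1$, $d$ is always larger than $(p-1)(q-1)/e$, so with $e = 65537$ every row of `survey()` shows a $d$ within about 17 bits of the length of $n$ and none is flagged.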