RSA PKCS#1 signing: differs from OpenSSL's?

Simon Josefsson simon at
Wed Dec 5 21:50:07 CET 2007

Dean Scarff <dos at> writes:

> On Wed, 05 Dec 2007 16:21:09 +0100, Werner Koch said:
>> Yes, this is correct.  Libgcrypt expects that P < Q; whereas OpenSSL
>> expect Q < P.  Here is code to convert this.
> [snip]
>> The important thing here is to recompute U because u = p^{-1} mod q.
> Aha.  I saw that the primes had been reversed but I missed this.

I had the same experience when porting libssh2 from OpenSSL to
libgcrypt, and this caused quite some confusion and a long debugging

Is there a normal standard for this in the literature?  I'm too tired to
look it up..

PKCS#1 calls the first prime P and the second one Q, and uses
coeff=p^{-1} mod q, which would suggest that libgcrypt got this


More information about the Gcrypt-devel mailing list