RSA Algorithm: Efficient Exponentiation and Key Generation - Prof. Krzysztof Gaj, Study notes of Cryptography and System Security

These study notes cover the RSA algorithm, focusing on efficient exponentiation and key generation: the relation between the number of bits and the number of decimal digits, right-to-left and left-to-right binary exponentiation, and the Chinese Remainder Theorem. They also discuss the importance of prime number generation and compare random and incremental search.

Typology: Study notes

Pre 2010

Uploaded on 02/12/2009 by koofers-user-ogh

RSA Implementation: Efficient encryption, decryption & key generation
ECE646 Lecture 10

Efficient encryption and decryption

Number of bits vs. number of decimal digits

$10^{\#\text{digits}} = 2^{\#\text{bits}}$

$\#\text{digits} = (\log_{10} 2) \cdot \#\text{bits} \approx 0.30 \cdot \#\text{bits}$

256 bits = 77 D
384 bits = 116 D
512 bits = 154 D
768 bits = 231 D
1024 bits = 308 D
2048 bits = 616 D

How to perform exponentiation efficiently?

Problems:

$Y = X^E \bmod N = \underbrace{X \cdot X \cdot X \cdots X \cdot X}_{E \text{ times}} \bmod N$

E may be in the range of $2^{1024} \approx 10^{308}$

1. huge storage necessary to store $X^E$ before reduction
2. amount of computations infeasible to perform

Solutions:

1. modulo reduction after each multiplication
2. clever algorithms: 200 BC, India, "Chandah-Sûtra"

Right-to-left binary exponentiation

S: $X,\ X^2 \bmod N,\ X^4 \bmod N,\ X^8 \bmod N,\ \ldots,\ X^{2^{L-1}} \bmod N$
E: $e_0, e_1, e_2, e_3, \ldots, e_{L-1}$

$E = (e_{L-1}, e_{L-2}, \ldots, e_1, e_0)_2$

$Y = X^{e_0} \cdot (X^2 \bmod N)^{e_1} \cdot (X^4 \bmod N)^{e_2} \cdot (X^8 \bmod N)^{e_3} \cdots (X^{2^{L-1}} \bmod N)^{e_{L-1}} \bmod N$

$Y = X^{e_0 + 2e_1 + 4e_2 + 8e_3 + \cdots + 2^{L-1} e_{L-1}} \bmod N = X^{\sum_{i=0}^{L-1} e_i 2^i} \bmod N = X^E \bmod N$

using $X^a \cdot X^b = X^{a+b}$ and $(X^a)^b = X^{ab}$

Right-to-left binary exponentiation: Example

S: $X,\ X^2 \bmod N,\ X^4 \bmod N,\ X^8 \bmod N,\ X^{16} \bmod N$
E: $e_0, e_1, e_2, e_3, e_4 = 1, 1, 0, 0, 1$

$E = 19 = 16 + 2 + 1 = (10011)_2$

$Y = X \cdot (X^2 \bmod N) \cdot 1 \cdot 1 \cdot (X^{16} \bmod N) = X^{19} \bmod N$

$Y = 3^{19} \bmod 11$

$3,\quad 3^2 \bmod 11 = 9,\quad 9^2 \bmod 11 = 4,\quad 4^2 \bmod 11 = 5,\quad 5^2 \bmod 11 = 3$

$Y = 3 \cdot 9 \cdot 1 \cdot 1 \cdot 3 \bmod 11 = (27 \bmod 11) \cdot 3 \bmod 11 = 5 \cdot 3 \bmod 11 = 4$


Left-to-right binary exponentiation

E: $e_{L-1}, e_{L-2}, e_{L-3}, \ldots, e_1, e_0$

$E = (e_{L-1}, e_{L-2}, \ldots, e_1, e_0)_2$

$Y = \Big(\ldots\big(\big((X^{e_{L-1}})^2 \cdot X^{e_{L-2}}\big)^2 \cdot X^{e_{L-3}}\big)^2 \cdots\Big)^2 \cdot X^{e_1}\Big)^2 \cdot X^{e_0} \bmod N$

$Y = X^{(\ldots((e_{L-1} \cdot 2 + e_{L-2}) \cdot 2 + e_{L-3}) \cdot 2 + \cdots + e_1) \cdot 2 + e_0} \bmod N = X^{2^{L-1} e_{L-1} + 2^{L-2} e_{L-2} + 2^{L-3} e_{L-3} + \cdots + 2 e_1 + e_0} \bmod N = X^{\sum_{i=0}^{L-1} e_i 2^i} \bmod N = X^E \bmod N$

using $X^a \cdot X^b = X^{a+b}$ and $(X^a)^b = X^{ab}$

Left-to-right binary exponentiation: Example

E: $e_4, e_3, e_2, e_1, e_0 = 1, 0, 0, 1, 1$

$E = 19 = 16 + 2 + 1 = (10011)_2$

$Y = ((((X)^2 \cdot 1)^2 \cdot 1)^2 \cdot X)^2 \cdot X \bmod N = (X^8 \cdot X)^2 \cdot X \bmod N = X^{19} \bmod N$

$Y = 3^{19} \bmod 11$
$= \big((((3^2 \bmod 11)^2 \bmod 11)^2 \bmod 11 \cdot 3)^2 \bmod 11 \cdot 3\big) \bmod 11$
$= \big((81 \bmod 11)^2 \bmod 11 \cdot 3\big)^2 \bmod 11 \cdot 3 \bmod 11$
$= (4^2 \bmod 11 \cdot 3)^2 \bmod 11 \cdot 3 \bmod 11$
$= (5 \cdot 3 \bmod 11)^2 \bmod 11 \cdot 3 \bmod 11$
$= 4^2 \bmod 11 \cdot 3 \bmod 11$
$= 5 \cdot 3 \bmod 11 = 4$

Exponentiation: $Y = X^E \bmod N$, $E = (e_{L-1}, e_{L-2}, \ldots, e_1, e_0)_2$

Right-to-left binary exponentiation:

Y = 1;
S = X;
for i = 0 to L-1
    if (e_i == 1) Y = Y · S mod N;
    S = S^2 mod N;

Left-to-right binary exponentiation:

Y = 1;
for i = L-1 downto 0
    Y = Y^2 mod N;
    if (e_i == 1) Y = Y · X mod N;

Exponentiation Example: $Y = 7^{12} \bmod 11$, $E = 12 = (1100)_2$

Right-to-left binary exponentiation:

i          0   1   2   3
e_i        0   0   1   1
S before   7   5   3   9
Y after    1   1   3   5
S after    5   3   9   4

Left-to-right binary exponentiation:

i          3   2   1   0
e_i        1   1   0   0
Y      1   7   2   4   5

S before = S before round i is computed
S after = S after round i is computed
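Both algorithms from the pseudocode above, written so that the per-round S and Y values can be printed and compared with the 3^19 mod 11 and 7^12 mod 11 traces on the slides. This is an added example, not code from the lecture; the trace row layout (i, e_i, S before, Y after, S after) mirrors the slide's table and is the only thing assumed.

```python
# Added example (not from the lecture slides): right-to-left and left-to-right
# binary exponentiation with optional per-round traces matching the slide tables.

def bits_lsb_first(e):
    """Binary digits of e as [e_0, e_1, ..., e_{L-1}], least significant first."""
    return [(e >> i) & 1 for i in range(e.bit_length())]


def right_to_left(x, e, n, trace=None):
    """Y = X^E mod N scanning the exponent from e_0 up to e_{L-1}.

    S runs through X, X^2, X^4, ... (each reduced mod N); a bit e_i = 1
    multiplies the current S into Y.  If `trace` is a list, one row
    (i, e_i, S_before, Y_after, S_after) is appended per round.
    """
    y, s = 1, x % n
    for i, ei in enumerate(bits_lsb_first(e)):
        s_before = s
        if ei == 1:
            y = (y * s) % n
        s = (s * s) % n
        if trace is not None:
            trace.append((i, ei, s_before, y, s))
    return y


def left_to_right(x, e, n, trace=None):
    """Y = X^E mod N scanning the exponent from e_{L-1} down to e_0.

    Every round squares Y; a bit e_i = 1 then multiplies by the base X.
    Only one running value is needed, which is why the hardware version on
    the slides has a single MUL block.  `trace` gets (i, e_i, Y_after) rows.
    """
    y = 1
    x %= n
    bits = bits_lsb_first(e)
    for i in range(len(bits) - 1, -1, -1):
        y = (y * y) % n
        if bits[i] == 1:
            y = (y * x) % n
        if trace is not None:
            trace.append((i, bits[i], y))
    return y


def rtl_table(x, e, n):
    """Trace rows of right_to_left, in the slide's column order."""
    rows = []
    right_to_left(x, e, n, rows)
    return rows


def ltr_table(x, e, n):
    """Trace rows of left_to_right."""
    rows = []
    left_to_right(x, e, n, rows)
    return rows


def cross_check(x, e, n):
    """Both algorithms and Python's built-in pow must agree; returns (ok, Y)."""
    a, b, c = right_to_left(x, e, n), left_to_right(x, e, n), pow(x, e, n)
    return a == b == c, a


if __name__ == "__main__":
    print("3^19 mod 11 =", right_to_left(3, 19, 11))
    for row in rtl_table(7, 12, 11):
        print("  RtL i=%d e_i=%d S_before=%d Y_after=%d S_after=%d" % row)
    for row in ltr_table(7, 12, 11):
        print("  LtR i=%d e_i=%d Y=%d" % row)
```

Running it reproduces the slide tables exactly: for 7^12 mod 11 the right-to-left S column is 7, 5, 3, 9 and the left-to-right Y column is 7, 2, 4, 5.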

Right-to-Left Binary Exponentiation in Hardware

Figure: datapath with a MUL block (for Y) and a SQR block (for S); registers Y and S, initialised to 1 and X; the exponent E drives the enable of the multiplier; Y is the output.

Left-to-Right Binary Exponentiation in Hardware

Figure: datapath with a single MUL block and register Y; inputs X and the exponent E; control logic selects squaring or multiplication by X; Y is the output.

Time of the RSA operations as a function of the key size k

Encryption / Signature verification with a small exponent e: SOFTWARE $c_{se} \cdot k^2$, HARDWARE $c_{he} \cdot k$

Decryption / Signature generation: SOFTWARE $c_{sd} \cdot k^3$, HARDWARE $c_{hd} \cdot k^2$

Key Generation: SOFTWARE $c_{sk} \cdot k^4 / \log_2 k$, HARDWARE $c_{hk} \cdot k^3 / \log_2 k$

Factorization (breaking RSA): $\exp\left(c_{sf} \cdot k^{1/3} \cdot (\ln k)^{2/3}\right)$

Effect of the increase in the computer speed on the speed of encryption and decryption in RSA

Table (columns): computer speed; operand size to keep the same security; encryption/decryption speed

Decryption using Chinese Remainder Theorem

$M = C^d \bmod N$

$C_P = C \bmod P$, $d_P = d \bmod (P-1)$, $M_P = C_P^{d_P} \bmod P$

$C_Q = C \bmod Q$, $d_Q = d \bmod (Q-1)$, $M_Q = C_Q^{d_Q} \bmod Q$

$M = (M_P \cdot R_Q + M_Q \cdot R_P) \bmod N$

where

$R_P = (P^{-1} \bmod Q) \cdot P = P^{Q-1} \bmod N$

$R_Q = (Q^{-1} \bmod P) \cdot Q = Q^{P-1} \bmod N$

Time of decryption without and with Chinese Remainder Theorem

SOFTWARE

Without CRT: $t_{DEC}(k) = t_{EXP}(\text{random } e,\ k,\ L=k) = c_s \cdot k^3$

With CRT: $t_{DEC\text{-}CRT}(k) \approx 2 \cdot t_{EXP}(\text{random } e,\ k/2,\ L=k/2) = 2 \cdot c_s \cdot \left(\frac{k}{2}\right)^3 = \frac{1}{4}\, t_{DEC}(k)$

HARDWARE

Without CRT: $t_{DEC}(k) = t_{EXP}(\text{random } e,\ k,\ L=k) = c_h \cdot k^2$

With CRT: $t_{DEC\text{-}CRT}(k) \approx t_{EXP}(\text{random } e,\ k/2,\ L=k/2) = c_h \cdot \left(\frac{k}{2}\right)^2 = \frac{1}{4}\, t_{DEC}(k)$

Chinese Remainder Theorem

Let $N = n_1 n_2 n_3 \ldots n_M$ and, for any $i \neq j$, $\gcd(n_i, n_j) = 1$.

Then, any number $0 \le A \le N-1$ can be represented uniquely by

$A \leftrightarrow (a_1 = A \bmod n_1,\ a_2 = A \bmod n_2,\ \ldots,\ a_M = A \bmod n_M)$

A can be reconstructed from $(a_1, a_2, \ldots, a_M)$ using the equation

$A = \sum_{i=1}^{M} \left( a_i \cdot N_i \cdot (N_i^{-1} \bmod n_i) \right) \bmod N$

where $N_i = \frac{N}{n_i} = n_1 \cdot n_2 \cdots n_{i-1} \cdot n_{i+1} \cdots n_M$

Chinese Remainder Theorem for $N = P \cdot Q$

$N = P \cdot Q$, $\gcd(P, Q) = 1$

$M \leftrightarrow (M_P = M \bmod P,\ M_Q = M \bmod Q)$

$M = \left( M_P \cdot N_P \cdot (N_P^{-1} \bmod P) + M_Q \cdot N_Q \cdot (N_Q^{-1} \bmod Q) \right) \bmod N$
$= \left( M_P \cdot Q \cdot (Q^{-1} \bmod P) + M_Q \cdot P \cdot (P^{-1} \bmod Q) \right) \bmod N$
$= (M_P \cdot R_Q + M_Q \cdot R_P) \bmod N$
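The general CRT reconstruction and the two-prime RSA decryption described above, as an added example that is not part of the lecture slides. The toy key (P = 61, Q = 53, e = 17) is constructed for illustration; modular inverses use Python's built-in pow(x, -1, m) (3.8+) in place of the extended Euclidean algorithm the slides mention.

```python
# Added example (not from the lecture slides): CRT reconstruction and RSA
# decryption with CRT, on constructed toy parameters.

from functools import reduce

def crt_reconstruct(residues, moduli):
    """A = sum_i a_i * N_i * (N_i^{-1} mod n_i) mod N, as on the slide.

    The moduli must be pairwise coprime; pow(x, -1, m) is the modular inverse.
    """
    N = reduce(lambda p, q: p * q, moduli, 1)
    total = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = N // n_i
        total += a_i * N_i * pow(N_i, -1, n_i)
    return total % N


def crt_constants(P, Q):
    """R_P = (P^{-1} mod Q) * P and R_Q = (Q^{-1} mod P) * Q from the slide.

    R_P is 0 mod P and 1 mod Q; R_Q is 1 mod P and 0 mod Q.  The slide's
    alternative form R_P = P^(Q-1) mod N gives the same numbers (checked here,
    which requires P and Q to be prime).
    """
    N = P * Q
    R_P = (pow(P, -1, Q) * P) % N
    R_Q = (pow(Q, -1, P) * Q) % N
    assert R_P == pow(P, Q - 1, N) and R_Q == pow(Q, P - 1, N)
    return R_P, R_Q


def decrypt_crt(C, d, P, Q):
    """M = C^d mod N computed as two half-size exponentiations plus CRT."""
    N = P * Q
    d_P, d_Q = d % (P - 1), d % (Q - 1)
    M_P = pow(C % P, d_P, P)
    M_Q = pow(C % Q, d_Q, Q)
    R_P, R_Q = crt_constants(P, Q)
    return (M_P * R_Q + M_Q * R_P) % N


def demo():
    """Constructed toy key: P = 61, Q = 53, e = 17, d = e^-1 mod (P-1)(Q-1)."""
    P, Q, e = 61, 53, 17
    N, phi = P * Q, (P - 1) * (Q - 1)
    d = pow(e, -1, phi)
    M = 65
    C = pow(M, e, N)
    plain = decrypt_crt(C, d, P, Q)
    # CRT result must equal the plain full-size exponentiation C^d mod N
    return plain == M == pow(C, d, N), plain


if __name__ == "__main__":
    print("A from residues (2,3,2) mod (3,5,7):", crt_reconstruct([2, 3, 2], [3, 5, 7]))
    print("CRT decryption round trip:", demo())
```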

Concealment of messages in the RSA cryptosystem
Blakley, Borosh, 1979

There exist messages that are not changed by the RSA encryption!

For example:

$M = 1$: $C = 1^e \bmod N = 1$

$M = 0$: $C = 0^e \bmod N = 0$

$M = N - 1 \equiv -1 \bmod N$: $C = (-1)^e \bmod N = -1$

Every M such that $M_P = M \bmod P \in \{1, 0, -1\}$ and $M_Q = M \bmod Q \in \{1, 0, -1\}$:

$C_P = C \bmod P = (M^e \bmod N) \bmod P = M^e \bmod P = M_P^e \bmod P = M_P$

$C_Q = C \bmod Q = (M^e \bmod N) \bmod Q = M^e \bmod Q = M_Q^e \bmod Q = M_Q$

Concealment of messages in the RSA cryptosystem
Blakley, Borosh, 1979

At least 9 messages not concealed by RSA!

Number of messages not concealed by RSA:

$(1 + \gcd(e - 1, P - 1)) \cdot (1 + \gcd(e - 1, Q - 1))$

A. $e = 3 \Rightarrow 9$ messages

B. $\gcd(e - 1, P - 1) = 2$ and $\gcd(e - 1, Q - 1) = 2 \Rightarrow 9$ messages

C. $\gcd(e - 1, P - 1) = P - 1$ and $\gcd(e - 1, Q - 1) = Q - 1 \Rightarrow P \cdot Q = N$ messages

It is possible that all messages remain unconcealed by RSA!
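The Blakley-Borosh count can be checked directly on small moduli, where every message can be enumerated. The following is an added example (not from the lecture slides) that compares the formula with a brute-force count of RSA fixed points for three constructed parameter sets: one for case B (9 messages), one with 25 unconcealed messages, and one for case C, where every message is unconcealed.

```python
# Added example (not from the lecture slides): brute-force count of the
# messages M with M^e mod N = M, compared against the Blakley-Borosh formula
# (1 + gcd(e-1, P-1)) * (1 + gcd(e-1, Q-1)) for constructed small parameters.

from math import gcd

def unconcealed_formula(e, P, Q):
    """Number of unconcealed messages predicted by the slide's formula."""
    return (1 + gcd(e - 1, P - 1)) * (1 + gcd(e - 1, Q - 1))


def unconcealed_bruteforce(e, P, Q):
    """Enumerate every message 0 <= M < N and keep the RSA fixed points."""
    N = P * Q
    return sorted(M for M in range(N) if pow(M, e, N) == M)


def is_valid_exponent(e, P, Q):
    """RSA needs gcd(e, (P-1)(Q-1)) = 1 for d to exist."""
    return gcd(e, (P - 1) * (Q - 1)) == 1


def compare(e, P, Q):
    """Return (formula value, brute-force count, list of fixed points)."""
    assert is_valid_exponent(e, P, Q)
    fixed = unconcealed_bruteforce(e, P, Q)
    return unconcealed_formula(e, P, Q), len(fixed), fixed


if __name__ == "__main__":
    # (3, 11, 17): case B, 9 messages.  (5, 13, 17): 25 messages.
    # (13, 5, 7): case C, since 4 | 12 and 6 | 12, so all 35 messages.
    for e, P, Q in [(3, 11, 17), (5, 13, 17), (13, 5, 7)]:
        f, c, fixed = compare(e, P, Q)
        print(f"e={e} P={P} Q={Q} N={P*Q}: formula={f} brute-force={c} fixed={fixed}")
```

The third parameter set shows case C in practice: with e - 1 = 12 divisible by both P - 1 = 4 and Q - 1 = 6, encryption is the identity map on all 35 residues, which is why key generation below insists on gcd(e-1, P-1) = gcd(e-1, Q-1) = 2.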

Efficient key generation

Generation of the RSA keys

e: typically $e = 3$ or $e = 2^{16} + 1$

P, Q: prime number generation, with

$\gcd(e, P-1) = 1$ and $\gcd(e, Q-1) = 1$

and (so that, by the previous slide, only 9 messages remain unconcealed)

$\gcd(e-1, P-1) = 2$ and $\gcd(e-1, Q-1) = 2$

$N = P \cdot Q$

$d = e^{-1} \bmod (P-1) \cdot (Q-1)$ (Extended Euclid's algorithm)
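The derivation of (N, e, d) from two primes, as an added example that is not part of the lecture slides: it checks the gcd conditions listed above, computes d with an explicit extended Euclidean algorithm, and reports how many messages the chosen e leaves unconcealed. The primes P = 61 and Q = 53 are constructed toy values; prime generation itself is covered separately under the Miller-Rabin test.

```python
# Added example (not from the lecture slides): RSA key derivation from given
# primes, with the extended Euclidean algorithm for d = e^-1 mod (P-1)(Q-1).

from math import gcd

def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, m):
    """e^-1 mod m via extended Euclid; raises if gcd(e, m) != 1."""
    g, x, _ = extended_gcd(e, m)
    if g != 1:
        raise ValueError("e has no inverse modulo m (gcd != 1)")
    return x % m


def usable_exponent(e, P, Q):
    """The slide's conditions gcd(e, P-1) = 1 and gcd(e, Q-1) = 1."""
    return gcd(e, P - 1) == 1 and gcd(e, Q - 1) == 1


def generate_key(P, Q, e=65537):
    """Derive N and d from primes P, Q; raise if e violates the gcd conditions.

    'unconcealed' is (1 + gcd(e-1, P-1)) * (1 + gcd(e-1, Q-1)); the slides
    ask for both gcds to equal 2 so that it stays at the minimum of 9.
    """
    if not usable_exponent(e, P, Q):
        raise ValueError("e must be coprime to P-1 and Q-1")
    N = P * Q
    d = mod_inverse(e, (P - 1) * (Q - 1))
    unconcealed = (1 + gcd(e - 1, P - 1)) * (1 + gcd(e - 1, Q - 1))
    return {"N": N, "e": e, "d": d, "unconcealed": unconcealed}


def roundtrip(key, M):
    """Encrypt then decrypt M with the derived key; True iff M is recovered."""
    C = pow(M, key["e"], key["N"])
    return pow(C, key["d"], key["N"]) == M


if __name__ == "__main__":
    key = generate_key(61, 53, 17)   # constructed toy primes, e = 17
    print(key, "round trip ok:", roundtrip(key, 65))
```

With e = 17 the toy key leaves 25 messages unconcealed (gcd(16, 60) = gcd(16, 52) = 4), a concrete reminder that the gcd(e-1, P-1) = 2 condition is a property of the primes chosen, not of e alone.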

Random vs. Incremental Search

Figure: Random search: every candidate tested for primality is chosen at random. Incremental search: the starting point is chosen at random, then successive candidates are tested for primality. (The primes among the numbers tested are marked.)

Is there a sufficient amount of prime numbers to choose from?

$\pi(x)$ - the number of prime numbers smaller than x

$\pi(x) \approx \frac{x}{\ln(x)}$

x: $10^{100}$, $\pi(x) \approx 10^{97}$
x: $10^{150}$, $\pi(x) \approx 10^{147}$

Figure: the set {1..n-1} split into W(n), the witnesses to the compositeness of n, and L(n), the liars to the compositeness of n

Good probabilistic primality test

n composite $\Rightarrow |W(n)| \ge |L(n)|$

If $a \in W(n)$, the test returns "n composite"
else the test returns "n probably prime" or "n pseudoprime to the base a"

Miller-Rabin test

Figure: the set {1..n-1} split into W(n), the strong witnesses to the compositeness of n, and L(n), the strong liars to the compositeness of n

n composite $\Rightarrow |L(n)| \le \frac{\varphi(n)}{4} < \frac{n-1}{4}$

Miller-Rabin test

Figure: n composite, with L(n) = {1, n-1}

For certain composite numbers, such as $n = 3 \cdot 5 \cdot 7 \cdots (2k+1)$, there are only two strong liars: 1 and n-1

Miller-Rabin test: Mathematical Basis

If n is prime then 1 has only two square roots modulo n,
i.e., there are only two numbers, $y_1$ and $y_2$, such that $y_1^2 \bmod n = 1$ and $y_2^2 \bmod n = 1$:

$y_1 = 1$ and $y_2 = n - 1 \equiv -1 \bmod n$

If n is composite then 1 has at least four square roots modulo n,
i.e., there exist numbers $y_1, y_2, y_3, y_4$ such that
$y_1^2 \bmod n = 1,\ y_2^2 \bmod n = 1,\ y_3^2 \bmod n = 1,\ y_4^2 \bmod n = 1$:

$y_1 = 1,\ y_2 = n - 1 \equiv -1 \bmod n,\ y_3 \neq \pm 1 \bmod n,\ y_4 \neq \pm 1 \bmod n$

Miller-Rabin test: Algorithm (1)

Find s and r, such that $n - 1 = 2^s \cdot r$, where r is odd

For example:

$n = 49$: $n - 1 = 48 = 2^4 \cdot 3$, $s = 4$, $r = 3$

$n = 61$: $n - 1 = 60 = 2^2 \cdot 15$, $s = 2$, $r = 15$

Miller-Rabin test: Algorithm (2)

Compute

$a^{n-1} \bmod n = \underbrace{(\ldots((a^r \bmod n)^2 \bmod n)^2 \bmod n \ldots)^2 \bmod n}_{s \text{ squarings}} = 1$

i.e., the sequence

$a^r,\ (a^r)^2,\ (a^r)^{2^2},\ (a^r)^{2^3},\ \ldots,\ (a^r)^{2^{s-1}},\ (a^r)^{2^s} \pmod n$

where each step to the right is a square mod n and each step to the left is a square root mod n

Miller-Rabin test: Algorithm (3)

The pattern of the sequence $a^r,\ (a^r)^2,\ (a^r)^{2^2},\ \ldots,\ (a^r)^{2^{s-1}},\ (a^r)^{2^s} \pmod n$ decides the result of the test (X denotes a value $\neq \pm 1 \bmod n$):

X X -1 1 1 1: probably prime (the first 1 is preceded by -1)

X X 1 1 1 1: composite (the first 1 is preceded by a square root of 1 other than $\pm 1$)

X X X X X X: composite ($a^{n-1} \bmod n \neq 1$)
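Algorithm steps (1) to (3) in code, as an added example that is not part of the lecture slides: the split n - 1 = 2^s r, the squaring sequence for one base, the pattern classification, and a multi-round test with random bases. The sample inputs are the slide's n = 49 and n = 61 plus two constructed composites (91 and the Carmichael number 561) chosen because they exhibit the "nontrivial square root of 1" pattern.

```python
# Added example (not from the lecture slides): Miller-Rabin as laid out in
# Algorithm (1)-(3), with the squaring sequence exposed for inspection.
import random

def split_power_of_two(n):
    """Return (s, r) with n - 1 = 2^s * r and r odd (Algorithm (1))."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s += 1
        r //= 2
    return s, r


def squaring_sequence(a, n):
    """[a^r, (a^r)^2, ..., (a^r)^(2^s)] mod n, s+1 values (Algorithm (2))."""
    s, r = split_power_of_two(n)
    seq = [pow(a, r, n)]
    for _ in range(s):
        seq.append((seq[-1] * seq[-1]) % n)
    return seq


def classify(seq, n):
    """Verdict for one base from the sequence pattern (Algorithm (3))."""
    if seq[0] == 1 or seq[0] == n - 1:
        return "probably prime"
    for prev, cur in zip(seq, seq[1:]):
        if cur == 1:
            # first 1 in the sequence: the value before it decides
            return "probably prime" if prev == n - 1 else "composite"
    return "composite"   # a^(n-1) mod n != 1, so n fails Fermat's test


def miller_rabin(n, t, rng=random):
    """t rounds with random bases; False iff some base is a strong witness."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        if classify(squaring_sequence(a, n), n) == "composite":
            return False
    return True


def miller_rabin_seeded(n, t, seed=0):
    """Deterministic variant for reproducible runs (fixed PRNG seed)."""
    return miller_rabin(n, t, random.Random(seed))


if __name__ == "__main__":
    for a, n in [(2, 49), (2, 61), (3, 91), (2, 561)]:
        seq = squaring_sequence(a, n)
        print(f"n={n} a={a} s,r={split_power_of_two(n)} sequence={seq} -> {classify(seq, n)}")
```

For n = 91 and a = 3 the sequence is [27, 1]: 27 is a square root of 1 modulo 91 other than ±1, which is exactly the "X X 1 1 1 1" pattern and proves 91 composite without factoring it. For the prime 61 and a = 2 the sequence is [11, 60, 1], the "X -1 1" pattern.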

k - number of bits of n
t - number of iterations of the Miller-Rabin test
$-\log_2$ of the bound on the error probability of declaring a k-bit composite number a prime after t iterations of the Miller-Rabin test is at least 100 in the table below

Minimal number of the Miller-Rabin tests t, necessary to obtain the probability of error $< 2^{-100}$ for a k-bit number n:

k         t      k         t      k          t
160       34     202-208   23     335-360    12
161-163   33     209-215   22     361-392    11
164-166   32     216-222   21     393-430    10
167-169   31     223-231   20     431-479     9
170-173   30     232-241   19     480-542     8
174-177   29     242-252   18     543-626     7
178-181   28     253-264   17     627-746     6
182-185   27     265-278   16     747-926     5
186-190   26     279-294   15     927-1232    4
191-195   25     295-313   14     1233-1853   3
196-201   24     314-334   13     over 1853   2


Using division by small primes

Figure: the numbers tested for primality; every candidate gets D (D D D D D D D D D D D D D D D D D), only the few survivors get R_2 followed by R R R R R

D – Division by small primes
R_2 – Miller-Rabin test with base 2
R – Miller-Rabin test with the random base a

Mertens' Theorem

The proportion of candidate odd integers NOT ruled out by the trial division by all primes $\le B$:

$(1 - 1/3)(1 - 1/5)(1 - 1/7) \cdots (1 - 1/B) \approx \frac{1.12}{\ln B}$

For $B = 256$ this proportion is $\approx 0.20$, i.e. 80% of tested numbers are discarded by the trial division
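The Mertens estimate above can be checked two ways: by evaluating the product itself and by counting, over a constructed window of consecutive odd integers, how many survive trial division by the primes up to B. The following is an added example, not code from the lecture; the window start (10^6) and size are arbitrary choices.

```python
# Added example (not from the lecture slides): how much of the candidate stream
# trial division by the primes <= B removes, measured as the Mertens product and
# as a direct survivor count; both should land near 1.12 / ln B.

import math

def small_primes(B):
    """Primes <= B by the sieve of Eratosthenes."""
    sieve = bytearray([1]) * (B + 1)
    sieve[0:2] = b"\x00\x00"
    for p in range(2, int(B ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
    return [p for p in range(B + 1) if sieve[p]]


def mertens_product(B):
    """(1-1/3)(1-1/5)(1-1/7)...(1-1/p) over the odd primes p <= B."""
    prod = 1.0
    for p in small_primes(B):
        if p > 2:
            prod *= 1.0 - 1.0 / p
    return prod


def mertens_estimate(B):
    """The slide's approximation 1.12 / ln B."""
    return 1.12 / math.log(B)


def survives_trial_division(n, primes):
    """True iff no prime in `primes` divides n (n may itself be one of them)."""
    return all(n % p != 0 or n == p for p in primes)


def survivor_fraction(start, count, B):
    """Fraction of `count` consecutive odd integers from `start` that survive
    trial division by all primes <= B (constructed measurement window)."""
    primes = small_primes(B)
    start |= 1
    survivors = sum(1 for k in range(count)
                    if survives_trial_division(start + 2 * k, primes))
    return survivors / count


if __name__ == "__main__":
    B = 256
    print(f"product  = {mertens_product(B):.4f}")
    print(f"estimate = {mertens_estimate(B):.4f}")
    print(f"measured = {survivor_fraction(10**6, 50_000, B):.4f}")
```

The trial-division filter is cheap precisely because most candidates fail on the first few primes; the survivors, about one fifth of the stream for B = 256, are the only ones that reach the Miller-Rabin rounds.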

Optimal Asymmetric Encryption Padding (1)
Bellare-Rogaway

Coding (figure): inputs are the message and a random SEED
masked_message = message ⊕ MASK(SEED)
masked_seed = SEED ⊕ MASK(masked_message)
output: masked_message || masked_seed, > 168 bits

Optimal Asymmetric Encryption Padding (2)
Bellare-Rogaway

Decoding (figure): input is masked_message || masked_seed, > 168 bits
SEED = masked_seed ⊕ MASK(masked_message)
message = masked_message ⊕ MASK(SEED)
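The two-mask structure of the OAEP figures in code, as an added example that is not part of the lecture slides. MASK() is instantiated with MGF1 over SHA-256 (an assumption; the slides leave the mask function abstract). This is the generic Bellare-Rogaway transform drawn above, not the exact EME-OAEP byte layout of PKCS #1 v2, which additionally fixes a label hash and a 0x01 separator inside the data block.

```python
# Added example (not from the lecture slides): OAEP coding/decoding with the
# two masks from the figures; MASK = MGF1-SHA256 is an assumed instantiation.

import hashlib
import os

def mask(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1) with SHA-256: concatenated hash(seed || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, seed: bytes) -> bytes:
    """masked_message = message xor MASK(SEED); masked_seed = SEED xor MASK(masked_message)."""
    masked_message = xor(message, mask(seed, len(message)))
    masked_seed = xor(seed, mask(masked_message, len(seed)))
    return masked_message + masked_seed


def oaep_decode(encoded: bytes, seed_len: int) -> bytes:
    """Inverse of oaep_encode: recover SEED first, then unmask the message."""
    masked_message, masked_seed = encoded[:-seed_len], encoded[-seed_len:]
    seed = xor(masked_seed, mask(masked_message, seed_len))
    return xor(masked_message, mask(seed, len(masked_message)))


def demo_roundtrip(message: bytes = b"constructed sample plaintext", seed: bytes = None):
    """Encode with a fresh random SEED, decode, and report (ok, encoded bits)."""
    seed = seed or os.urandom(32)   # constructed: 256-bit seed
    encoded = oaep_encode(message, seed)
    return oaep_decode(encoded, len(seed)) == message, len(encoded) * 8


if __name__ == "__main__":
    print("round trip ok, encoded size in bits:", demo_roundtrip())
```

Because the seed is fresh per encryption, the same message produces a different block each time (the last assertion in the test checks two seeds), which is the randomisation that the deterministic textbook RSA of the earlier slides lacks.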

RSA signature

Figure: Alice: Message → Hash function → Hash value → Public key algorithm (with Alice's private key) → Signature; Message and Signature are sent to Bob.
Bob: Message → Hash function → Hash value 1; Signature → Public key algorithm (with Alice's public key) → Hash value 2; Hash value 1 = Hash value 2? yes / no

Padding for signatures with appendix

PKCS #1 for signatures:
00 01 FF FF FF … FF 00 h(m)
(at least 8 bytes of FF)

ISO-14888:
6 BBBBBBBBBBB A h(m) hash code
hash code = 33CC for SHA-1, 31CC for RIPEMD-160
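Both encoded-message layouts from the slide, built and then checked the way a verifier should check them, as an added example that is not part of the lecture slides. The PKCS #1 block follows the slide's drawing (h(m) directly after the 00 separator); the actual PKCS #1 v1.5 standard wraps h(m) in a DER DigestInfo first. The modulus length k = 64 bytes and the SHA-1 digest of a constructed message are sample values.

```python
# Added example (not from the lecture slides): signature padding layouts from
# the slide, with verifier-side checks that compare the whole block.

import hashlib

ISO_TRAILERS = {"sha1": bytes.fromhex("33CC"), "ripemd160": bytes.fromhex("31CC")}


def sample_hash(data: bytes = b"constructed message") -> bytes:
    """SHA-1 digest h(m) of a constructed message (20 bytes)."""
    return hashlib.sha1(data).digest()


def pkcs1_encode(h_m: bytes, k: int) -> bytes:
    """00 01 FF..FF 00 h(m), padded to k bytes with at least 8 FF bytes."""
    ps_len = k - 3 - len(h_m)
    if ps_len < 8:
        raise ValueError("modulus too short for this hash: fewer than 8 FF bytes")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + h_m


def pkcs1_check(em: bytes, h_m: bytes, k: int) -> bool:
    """Verifier side: rebuild the expected block and compare all k bytes.

    Comparing the full block (instead of scanning from the left for the first
    00 and taking whatever follows) rejects short padding and trailing bytes.
    """
    try:
        return len(em) == k and em == pkcs1_encode(h_m, k)
    except ValueError:
        return False


def iso14888_encode(h_m: bytes, k: int, hash_name: str) -> bytes:
    """Nibbles 6 B B ... B A, then h(m), then the hash code 33CC or 31CC.

    As bytes: 6B, a run of BB, BA, h(m), trailer; total length k.
    """
    trailer = ISO_TRAILERS[hash_name]
    body_len = k - 2 - len(h_m) - len(trailer)   # BB bytes between 6B and BA
    if body_len < 0:
        raise ValueError("modulus too short")
    return b"\x6b" + b"\xbb" * body_len + b"\xba" + h_m + trailer


def iso14888_check(em: bytes, h_m: bytes, k: int, hash_name: str) -> bool:
    """Verifier side: same full-block comparison for the ISO layout."""
    try:
        return len(em) == k and em == iso14888_encode(h_m, k, hash_name)
    except ValueError:
        return False


if __name__ == "__main__":
    h = sample_hash()
    print(pkcs1_encode(h, 64).hex())
    print(iso14888_encode(h, 64, "sha1").hex())
```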