The RSA algorithm, focusing on efficient exponentiation and key generation. It covers the relation between number of bits and decimal digits, right-to-left and left-to-right binary exponentiation, and the Chinese remainder theorem. The document also discusses the importance of prime number generation and the comparison between random and incremental search.
Typology: Study notes
Number of bits vs. decimal digits: #digits ≈ #bits · log10 2 ≈ 0.30 · #bits.

Problems with naive exponentiation:
- X^E mod N = X · X · X · … · X mod N (E times): E may be in the range of 2^1024 ≈ 10^308, so multiplying E times is hopeless.
- X^E computed before reduction modulo N is astronomically large.

Solutions: binary exponentiation, known since about 200 BC (India, "Chandah-Sûtra").
Right-to-left binary exponentiation

E = (e_{L-1}, e_{L-2}, …, e_1, e_0)_2 = e_0 + 2e_1 + 4e_2 + 8e_3 + … + 2^{L-1} e_{L-1}

Using X^a · X^b = X^{a+b} and (X^a)^b = X^{ab}:

X^E mod N = X^{e_0} · (X^2 mod N)^{e_1} · (X^4 mod N)^{e_2} · (X^8 mod N)^{e_3} · … · (X^{2^{L-1}} mod N)^{e_{L-1}} mod N
          = ∏_{i=0}^{L-1} (X^{2^i} mod N)^{e_i} mod N

The powers X, X^2 mod N, X^4 mod N, X^8 mod N, …, X^{2^{L-1}} mod N are obtained by successive squarings, and only the factors whose bit e_i = 1 are multiplied into the result.
Right-to-left binary exponentiation: Example

E = 19 = 16 + 2 + 1 = (10011)_2, so e_0 e_1 e_2 e_3 e_4 = 1 1 0 0 1 and
X^19 mod N = X · (X^2 mod N) · (X^16 mod N) mod N

With X = 3 and N = 11:
3^2 mod 11 = 9, 3^4 mod 11 = 9^2 mod 11 = 4, 3^8 mod 11 = 4^2 mod 11 = 5, 3^16 mod 11 = 5^2 mod 11 = 3
3^19 mod 11 = 3 · 9 · 1 · 1 · 3 mod 11 = (27 mod 11) · 3 mod 11 = 5 · 3 mod 11 = 4
Left-to-right binary exponentiation

E = (e_{L-1}, e_{L-2}, …, e_1, e_0)_2 = (…((e_{L-1} · 2 + e_{L-2}) · 2 + e_{L-3}) · 2 + … + e_1) · 2 + e_0

Using X^a · X^b = X^{a+b} and (X^a)^b = X^{ab}:

X^E mod N = X^{2^{L-1} e_{L-1} + 2^{L-2} e_{L-2} + 2^{L-3} e_{L-3} + … + 2e_1 + e_0} mod N
          = (…(((X^{e_{L-1}})^2 · X^{e_{L-2}})^2 · X^{e_{L-3}})^2 · … · X^{e_1})^2 · X^{e_0} mod N

Each bit, from the most significant down, contributes one squaring followed (when e_i = 1) by one multiplication by X.
Left-to-right binary exponentiation: Example

E = 19 = 16 + 2 + 1 = (10011)_2, so e_4 e_3 e_2 e_1 e_0 = 1 0 0 1 1 and
X^19 mod N = ((((X)^2 · 1)^2 · 1)^2 · X)^2 · X mod N = ((X^8 · X)^2 · X) mod N

With X = 3 and N = 11:
3^2 mod 11 = 9
9^2 mod 11 = 81 mod 11 = 4
4^2 mod 11 = 5, 5 · 3 mod 11 = 4
4^2 mod 11 = 5, 5 · 3 mod 11 = 4
Exponentiation: Y = X^E mod N, E = (e_{L-1}, e_{L-2}, …, e_1, e_0)_2

Right-to-left binary exponentiation:
  Y = 1; S = X;
  for i = 0 to L-1
    if (e_i == 1) Y = Y · S mod N;
    S = S^2 mod N;

Left-to-right binary exponentiation:
  Y = 1;
  for i = L-1 downto 0
    Y = Y^2 mod N;
    if (e_i == 1) Y = Y · X mod N;
Exponentiation example: Y = 7^E mod 11

[Table: for right-to-left (i = 0, 1, 2, 3) and left-to-right (i = 3, 2, 1, 0) the columns e_i, Y before, Y after and S after each step; the exponent and the table values are not preserved]
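Both orders from the pseudocode, as an added example that is not part of the original notes; each function returns the result together with a per-bit trace so the intermediate values can be compared with the worked 3^19 mod 11 examples.

```python
# Added example (not from the original notes): both exponentiation orders
# from the pseudocode above, each returning the result and a per-bit trace.

def right_to_left(x, e, n):
    """x^e mod n scanning the exponent from LSB to MSB (registers Y and S)."""
    y, s = 1, x % n
    trace = []                       # (e_i, Y after, S after) for each bit
    while e:
        if e & 1:
            y = y * s % n            # multiply in the current x^(2^i) mod n
        s = s * s % n                # S <- S^2 mod n, the next power of two
        trace.append((e & 1, y, s))
        e >>= 1
    return y, trace

def left_to_right(x, e, n):
    """x^e mod n scanning the exponent from MSB to LSB (square-and-multiply)."""
    y = 1
    trace = []                       # (e_i, Y after) for each bit
    for bit in bin(e)[2:]:           # most significant bit first
        y = y * y % n                # one squaring per bit
        if bit == "1":
            y = y * x % n            # one multiplication per set bit
        trace.append((int(bit), y))
    return y, trace

if __name__ == "__main__":
    # 3^19 mod 11 = 4, as in the worked examples of the notes
    print(right_to_left(3, 19, 11))
    print(left_to_right(3, 19, 11))
```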
[Figure: right-to-left binary exponentiation in hardware (MUL, output enable); left-to-right binary exponentiation in hardware (MUL, control logic, output)]
Complexity of RSA operations (k = number of bits of the modulus N)

Operation                                        Software                            Hardware
Encryption / signature verification (small e)    c_se · k^2                          c_he · k
Decryption / signature generation                c_sd · k^3                          c_hd · k^2
Key generation                                   c_sk · k^4 / log2 k                 c_hk · k^3 / log2 k
Factorization (breaking RSA)                     exp(c_sf · k^{1/3} · (ln k)^{2/3})

The factorization cost is subexponential in k while the legitimate operations are polynomial, so k must grow over time to keep the same security.
Decryption with the Chinese Remainder Theorem (N = P · Q)

M_P = C_P^{d_P} mod P, where C_P = C mod P and d_P = d mod (P-1)
M_Q = C_Q^{d_Q} mod Q, where C_Q = C mod Q and d_Q = d mod (Q-1)

M = C^d mod N = (M_P · R_P + M_Q · R_Q) mod N,
where R_P = Q · (Q^{-1} mod P) and R_Q = P · (P^{-1} mod Q)
Decryption time in software (one k-bit exponentiation with a random exponent costs c_s · k^3):
  Without CRT: t_DEC(k) = t_EXP(random e, k, L=k) = c_s · k^3
  With CRT:    t_DEC-CRT(k) = 2 · t_EXP(random e, k/2, L=k/2) = 2 · c_s · (k/2)^3 = t_DEC(k) / 4

Decryption time in hardware (the two half-size exponentiations run in parallel):
  Without CRT: t_DEC(k) = t_EXP(random e, k, L=k) = c_h · k^2
  With CRT:    t_DEC-CRT(k) = t_EXP(random e, k/2, L=k/2) = c_h · (k/2)^2 = t_DEC(k) / 4
Chinese Remainder Theorem

Let N = n_1 · n_2 · n_3 · … · n_M and gcd(n_i, n_j) = 1 for any i ≠ j.
Then any number 0 ≤ A ≤ N-1 can be represented uniquely by
  A ↔ (a_1 = A mod n_1, a_2 = A mod n_2, …, a_M = A mod n_M)
A can be reconstructed from (a_1, a_2, …, a_M) using the equation
  A = Σ_{i=1}^{M} (a_i · N_i · (N_i^{-1} mod n_i)) mod N
where N_i = N / n_i = n_1 · n_2 · … · n_{i-1} · n_{i+1} · … · n_M
CRT applied to RSA: N = P · Q with gcd(P, Q) = 1
  M ↔ (M_P = M mod P, M_Q = M mod Q)
  M = (M_P · Q · (Q^{-1} mod P) + M_Q · P · (P^{-1} mod Q)) mod N
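The CRT reconstruction formula and the CRT decryption of the preceding slides, as an added example (not the notes' code); the key parameters are constructed toy values, and Python's pow(x, -1, m) is used for the modular inverses.

```python
# Added example (not from the notes): the CRT reconstruction formula above and
# RSA decryption with and without CRT on constructed toy parameters.
from math import gcd, prod

def crt_reconstruct(residues, moduli):
    """A = sum(a_i * N_i * (N_i^-1 mod n_i)) mod N, with N_i = N / n_i."""
    n = prod(moduli)
    total = 0
    for a_i, n_i in zip(residues, moduli):
        n_big = n // n_i
        total += a_i * n_big * pow(n_big, -1, n_i)   # modular inverse (Python 3.8+)
    return total % n

def rsa_decrypt_plain(c, d, n):
    """One full-size exponentiation C^d mod N."""
    return pow(c, d, n)

def rsa_decrypt_crt(c, d, p, q):
    """Two half-size exponentiations with d_P = d mod (P-1), d_Q = d mod (Q-1)."""
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    # M = (M_P * Q * (Q^-1 mod P) + M_Q * P * (P^-1 mod Q)) mod N
    return crt_reconstruct([m_p, m_q], [p, q])

def toy_keypair():
    """Constructed toy key (p, q, e, d); far too small for any real use."""
    p, q, e = 61, 53, 17
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return p, q, e, pow(e, -1, phi)

if __name__ == "__main__":
    p, q, e, d = toy_keypair()
    c = pow(65, e, p * q)
    print(rsa_decrypt_plain(c, d, p * q), rsa_decrypt_crt(c, d, p, q))
```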
Blakley, Borosh, 1979: there exist messages that are not changed by the RSA encryption!

For example:
  M = 1:               C = 1^e mod N = 1
  M = 0:               C = 0^e mod N = 0
  M = N-1 ≡ -1 mod N:  C = (-1)^e mod N = -1 (e is odd, so (-1)^e = -1)

More generally, every M such that
  M_P = M mod P ∈ {1, 0, -1} and M_Q = M mod Q ∈ {1, 0, -1}
is not concealed, because
  C_P = C mod P = (M^e mod N) mod P = M^e mod P = M_P^e mod P = M_P
  C_Q = C mod Q = (M^e mod N) mod Q = M^e mod Q = M_Q^e mod Q = M_Q
and so, by the CRT, C = M. At least 9 messages are not concealed by RSA!

Number of messages not concealed by RSA:
  (1 + gcd(e - 1, P - 1)) · (1 + gcd(e - 1, Q - 1))
  e = 3: gcd(e - 1, P - 1) = 2 and gcd(e - 1, Q - 1) = 2, so the number is 9.
  gcd(e - 1, P - 1) = P - 1 and gcd(e - 1, Q - 1) = Q - 1: the number is P · Q = N.
It is possible that all messages remain unconcealed by RSA!
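An added example (not part of the notes) that checks the Blakley-Borosh count against an exhaustive search on constructed toy primes, including the worst case in which every message is its own ciphertext; the helper names are my own.

```python
# Added example (not from the notes): brute-force count of RSA-unconcealed
# messages compared with the Blakley-Borosh formula, on constructed toy primes.
from math import gcd

def unconcealed_count_formula(e, p, q):
    """(1 + gcd(e-1, P-1)) * (1 + gcd(e-1, Q-1))."""
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))

def unconcealed_messages(e, p, q):
    """All M in 0..N-1 with M^e mod N = M (exhaustive, toy sizes only)."""
    n = p * q
    return [m for m in range(n) if pow(m, e, n) == m]

def worst_case_exponent(p, q):
    """e = lcm(P-1, Q-1) + 1, so gcd(e-1, P-1) = P-1 and gcd(e-1, Q-1) = Q-1:
    every message is unconcealed. Whether gcd(e, phi(N)) = 1 still has to be
    checked before such an e could even be used as an RSA exponent."""
    lcm = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return lcm + 1

if __name__ == "__main__":
    # e = 3 with P = 5, Q = 11 gives the minimum of 9 fixed messages
    print(len(unconcealed_messages(3, 5, 11)), unconcealed_count_formula(3, 5, 11))
    # e = 13 with P = 5, Q = 7 leaves all N = 35 messages unconcealed
    print(len(unconcealed_messages(worst_case_exponent(5, 7), 5, 7)))
```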
[Figure: random search for primes: numbers tested for primality, starting point chosen at random]
Witnesses and liars

For a probabilistic primality test the set of bases {1, …, n-1} splits into
  W(n): witnesses to the compositeness of n
  L(n): liars to the compositeness of n

A good probabilistic primality test:
  if a ∈ W(n), the test returns "n composite";
  else the test returns "n probably prime" (or "n pseudoprime to the base a").

Miller-Rabin test: the bases {1, …, n-1} split into
  W(n): strong witnesses to the compositeness of n
  L(n): strong liars to the compositeness of n
The bases 1 and n-1 always belong to L(n).
Miller-Rabin test: idea

If n is prime, then 1 has only two square roots modulo n, i.e. there are only two numbers y_1 and y_2 such that y_1^2 mod n = 1 and y_2^2 mod n = 1:
  y_1 = 1 and y_2 = n-1 ≡ -1 mod n

If n is composite, then 1 has at least four square roots modulo n, i.e. there exist numbers y_1, y_2, y_3, y_4 such that
  y_1^2 mod n = 1, y_2^2 mod n = 1, y_3^2 mod n = 1, y_4^2 mod n = 1,
  y_1 = 1, y_2 = n-1 ≡ -1 mod n, y_3 ≢ ±1 mod n, y_4 ≢ ±1 mod n
Miller-Rabin test: step 1

Find s and r such that n - 1 = 2^s · r, where r is odd.
For example:
  n = 49: n - 1 = 48 = 2^4 · 3, so s = 4, r = 3
  n = 61: n - 1 = 60 = 2^2 · 15, so s = 2, r = 15
Miller-Rabin test: step 2

Compute a^{n-1} mod n = (…((a^r mod n)^2 mod n)^2 mod n …)^2 mod n, i.e. a^r mod n followed by s squarings:

  a^r, (a^r)^2, (a^r)^{2^2}, (a^r)^{2^3}, …, (a^r)^{2^{s-1}}, (a^r)^{2^s}   (all mod n)

Moving one position to the right along this sequence is a squaring mod n; moving to the left is taking a square root mod n. For prime n the last value is a^{n-1} mod n = 1 and, by the idea above, the sequence can reach 1 only through a^r = 1 or through -1.

Result of the test for base a:
  "probably prime" if a^r mod n = 1, or (a^r)^{2^j} mod n = n-1 for some 0 ≤ j ≤ s-1;
  "composite" otherwise: either a^{n-1} mod n ≠ 1, or the sequence reaches 1 from a square root X ≢ ±1 mod n.
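Steps 1 and 2 in code, as an added example that is not the notes' own code: one Miller-Rabin round follows the squaring sequence exactly as described, and an exhaustive helper lists the strong liars of a small odd n (for n = 49 it finds 1 and 48 plus four further bases).

```python
# Added example (not the notes' code): the two Miller-Rabin steps above, one
# round at a time, plus an exhaustive strong-liar listing for small odd n.

def split_n_minus_1(n):
    """Return (s, r) with n - 1 = 2^s * r and r odd."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    return s, r

def mr_round(n, a):
    """One Miller-Rabin round for odd n > 2 and base 1 <= a <= n-1.
    True means 'probably prime' (a is a strong liar when n is composite)."""
    s, r = split_n_minus_1(n)
    x = pow(a, r, n)                    # a^r mod n
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):              # the remaining squarings up to a^(n-1)
        x = x * x % n
        if x == n - 1:                  # reached -1: its square is a harmless 1
            return True
        if x == 1:                      # 1 reached from a root that was not ±1
            return False
    return False                        # a^(n-1) mod n != 1 (or a root != ±1)

def strong_liars(n):
    """Bases in 1..n-1 for which mr_round answers 'probably prime' for n."""
    return [a for a in range(1, n) if mr_round(n, a)]

def is_probable_prime(n, bases):
    """Declare n probably prime only if every base in `bases` passes a round."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return all(mr_round(n, a) for a in bases)

if __name__ == "__main__":
    print(split_n_minus_1(49), split_n_minus_1(61))   # (4, 3) (2, 15)
    print(strong_liars(49))                            # 1 and 48 are always present
```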
Minimal number of Miller-Rabin iterations

k = number of bits of n
t = number of iterations of the Miller-Rabin test
The table gives, for each k, the minimal t for which -log2 of the bound on the error probability of declaring a k-bit composite number a prime after t iterations of the Miller-Rabin test reaches 100.

  k         t     k         t     k          t
  160       34    202-208   23    335-360    12
  161-163   33    209-215   22    361-392    11
  164-166   32    216-222   21    393-430    10
  167-169   31    223-231   20    431-479     9
  170-173   30    232-241   19    480-542     8
  174-177   29    242-252   18    543-626     7
  178-181   28    253-264   17    627-746     6
  182-185   27    265-278   16    747-926     5
  186-190   26    279-294   15    927-1232    4
  191-195   25    295-313   14    1233-1853   3
  196-201   24    314-334   13    over 1853   2

Minimal number of the Miller-Rabin tests t necessary to obtain a probability of error < 2^-100 for a k-bit number n.
Random vs. Incremental Search

[Figure: random search vs. incremental search: numbers tested for primality, starting point chosen at random]

Using division by small primes:
  D: division by small primes
  R: Miller-Rabin test with a random base a
[Figure: each candidate is first passed through D, and only the survivors are tested with R]

Merten's theorem gives the proportion of candidate odd integers NOT ruled out by the trial division by all primes ≤ B; in practice about 80% of tested numbers are discarded by the trial division.
Optimal Asymmetric Encryption Padding (Bellare-Rogaway)

[Figure (1), coding: from the message and a random SEED, masked_message = (padded) message ⊕ MASK(SEED) and masked_seed = SEED ⊕ MASK(masked_message); the output masked_message ‖ masked_seed (labelled > 168 bits) is the input to RSA]

[Figure (2), decoding: from masked_message ‖ masked_seed (labelled > 168 bits) recover SEED = masked_seed ⊕ MASK(masked_message), then message = masked_message ⊕ MASK(SEED)]
RSA signature

[Figure, signature generation: Message → Hash function → Hash value → Public key algorithm with Alice's private key → Signature]
[Figure, signature verification: Message → Hash function → Hash value 1; Signature → Public key algorithm with Alice's public key → Hash value 2; Hash value 1 = Hash value 2? yes / no]
Padding for signatures with appendix

PKCS #1 for signatures:
  00 01 FF FF FF … FF 00 h(m)      (at least 8 bytes of FF)

Second format:
  6B BB BB … BB BA h(m) hash code   (hash code: 33CC for SHA-1, 31CC for RIPEMD-160)