RSA Implementation: Efficient Encryption, Decryption and Key Generation - Prof. Krzysztof, Study notes of Cryptography and System Security

These notes give an in-depth exploration of RSA implementation, focusing on efficient encryption, decryption, and key generation. They cover topics such as the number of bits vs. decimal digits, right-to-left and left-to-right binary exponentiation, and the Chinese Remainder Theorem. They also discuss the basic operations of RSA, the time of exponentiation, and the effect of computer speed on encryption and decryption.

Typology: Study notes

Pre 2010

Uploaded on 02/10/2009


RSA Implementation: Efficient encryption, decryption & key generation

ECE646 Lecture 10

Efficient encryption and decryption

Number of bits vs. number of decimal digits

$10^{\#\text{digits}} = 2^{\#\text{bits}}$

$\#\text{digits} = (\log_{10} 2) \cdot \#\text{bits} \approx 0.30 \cdot \#\text{bits}$

256 bits = 77 D
384 bits = 116 D
512 bits = 154 D
768 bits = 231 D
1024 bits = 308 D
2048 bits = 616 D

How to perform exponentiation efficiently?

Problems:

$Y = X^E \bmod N = \underbrace{X \cdot X \cdot X \cdot \ldots \cdot X}_{E\text{ times}} \bmod N$

E may be in the range of $2^{1024} \approx 10^{308}$

  1. huge storage necessary to store $X^E$ before reduction
  2. amount of computations infeasible to perform

Solutions:

  1. modulo reduction after each multiplication
  2. clever algorithms (200 BC, India, “Chandah-Sûtra”)

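Right-to-left binary exponentiation

$E = (e_{L-1}, e_{L-2}, \ldots, e_1, e_0)_2$

S: $X,\ X^2 \bmod N,\ X^4 \bmod N,\ X^8 \bmod N,\ \ldots,\ X^{2^{L-1}} \bmod N$

E: $e_0,\ e_1,\ e_2,\ e_3,\ \ldots,\ e_{L-1}$

$Y = X^{e_0} \cdot (X^2 \bmod N)^{e_1} \cdot (X^4 \bmod N)^{e_2} \cdot (X^8 \bmod N)^{e_3} \cdot \ldots \cdot (X^{2^{L-1}} \bmod N)^{e_{L-1}}$

Using $(X^a)^b = X^{ab}$ and $X^a \cdot X^b = X^{a+b}$:

$Y = X^{e_0 + 2 e_1 + 4 e_2 + 8 e_3 + \ldots + 2^{L-1} e_{L-1}} \bmod N = X^{\sum_{i=0}^{L-1} e_i \cdot 2^i} \bmod N = X^E \bmod N$

$Y = X^E \bmod N$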

Right-to-left binary exponentiation: Example

$E = 19 = 16 + 2 + 1 = (10011)_2$

S: $X,\ X^2 \bmod N,\ X^4 \bmod N,\ X^8 \bmod N,\ X^{16} \bmod N$

E: $e_0, e_1, e_2, e_3, e_4 = 1, 1, 0, 0, 1$

$Y = X \cdot (X^2 \bmod N) \cdot 1 \cdot 1 \cdot (X^{16} \bmod N) = X^{19} \bmod N$

$Y = 3^{19} \bmod 11$

S: $3,\ 3^2 \bmod 11 = 9,\ 9^2 \bmod 11 = 4,\ 4^2 \bmod 11 = 5,\ 5^2 \bmod 11 = 3$

$Y = 3 \cdot 9 \cdot 1 \cdot 1 \cdot 3 \bmod 11 = (27 \bmod 11) \cdot 3 \bmod 11 = 5 \cdot 3 \bmod 11 = 4$

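Exponentiation Example: $Y = 7^{12} \bmod 11$

$12 = (1\,1\,0\,0)_2$

Right-to-left binary exponentiation (initially Y = 1, S = 7)

i = 0: e_i = 0, S_before = 7, Y_after = 1, S_after = 5
i = 1: e_i = 0, S_before = 5, Y_after = 1, S_after = 3
i = 2: e_i = 1, S_before = 3, Y_after = 3, S_after = 9
i = 3: e_i = 1, S_before = 9, Y_after = 5, S_after = 4

S_before - S before round i is computed
S_after - S after round i is computed

Left-to-right binary exponentiation (initially Y = 1)

i = 3: e_i = 1, Y = 7
i = 2: e_i = 1, Y = 2
i = 1: e_i = 0, Y = 4
i = 0: e_i = 0, Y = 5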
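Both scan orders as an added Python example (not code from the lecture notes), returning the per-round values so they can be checked against the worked examples above. The function names, the trace format and the multiplication counter are assumptions of this example; the counter tallies squarings plus multiplications.

```python
def exp_right_to_left(x, e, n):
    """Scan e_0 first; S runs through X^(2^i) mod N, Y collects the product."""
    y, s = 1 % n, x % n
    trace, mults = [], 0
    while e > 0:
        if e & 1:                  # e_i = 1: multiply the current power into Y
            y = (y * s) % n
            mults += 1
        s = (s * s) % n            # S_after = S_before^2 mod N
        mults += 1
        trace.append((y, s))       # (Y_after, S_after) for round i
        e >>= 1
    return y, trace, mults


def exp_left_to_right(x, e, n):
    """Scan e_{L-1} first; square Y each round, multiply by X when e_i = 1."""
    y = 1 % n
    trace, mults = [], 0
    for i in range(e.bit_length() - 1, -1, -1):
        y = (y * y) % n
        mults += 1
        if (e >> i) & 1:
            y = (y * x) % n
            mults += 1
        trace.append(y)            # Y after round i
    return y, trace, mults


if __name__ == "__main__":
    # The two worked examples from the notes: 3^19 mod 11 and 7^12 mod 11.
    print(exp_right_to_left(3, 19, 11))
    print(exp_right_to_left(7, 12, 11))
    print(exp_left_to_right(7, 12, 11))
```

Reduction after every multiplication keeps each intermediate value below N^2, and both variants use L squarings plus one multiplication per 1-bit of E.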

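Right-to-Left Binary Exponentiation in Hardware

[Block diagram: registers E, Y and S, MUL and SQR units, initial values 1 and X, enable signal, output]

Left-to-Right Binary Exponentiation in Hardware

[Block diagram: registers E and Y, MUL unit, input X, Control Logic, output]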

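Basic Operations of RSA

Encryption

$\text{ciphertext} = \text{plaintext}^{\,\text{public key exponent}} \bmod \text{public key modulus}$

$C = M^e \bmod N$

C, M and N are k-bit numbers; the exponent length is L < k.

Decryption

$\text{plaintext} = \text{ciphertext}^{\,\text{private key exponent}} \bmod \text{private key modulus}$

$M = C^d \bmod N$

M, C and N are k-bit numbers; the exponent length is L = k.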

Time of exponentiation

$t_{EXP}(e, L, k) = \#\text{modular\_multiplications}(e, L) \cdot t_{MULMOD}(k)$

#modular_multiplications(e, L):

e=

$e = F_4 = 2^{2^4} + 1$

large random L-bit e: $L + \#\text{ones}(e) \approx \frac{3}{2} \cdot L$

$t_{MULMOD}(k)$ - time of a single modular multiplication of two k-bit numbers modulo a k-bit number

SOFTWARE: $t_{MULMOD}(k) = c_{sm} \cdot k^2$

HARDWARE: $t_{MULMOD}(k) = c_{hm} \cdot k$

Algorithms for Modular Multiplication

Multiplication

- Paper-and-pencil: $\theta(k^2)$
- Karatsuba: $\theta(k^{3/2})$
- Schönhage-Strassen (FFT): $\theta(k \cdot \ln(k))$

Modular Reduction

- classical
- Barrett
- Selby-Mitchell

Multiplication combined with modular reduction

- Montgomery algorithm

θ(k^2 )

θ(k^2 )

complexity same as multiplication used

θ(k^2 )

Time of the RSA operations as a function of the key size k

Encryption / Signature verification with a small exponent e: SOFTWARE $c_{se} \cdot k^2$, HARDWARE $c_{he} \cdot k$

Decryption / Signature generation: SOFTWARE $c_{sd} \cdot k^3$, HARDWARE $c_{hd} \cdot k^2$

Key Generation: SOFTWARE $c_{sk} \cdot k^4 / \log_2 k$, HARDWARE $c_{hk} \cdot k^3 / \log_2 k$

Factorization (breaking RSA): $\exp(c_{sf} \cdot k^{1/3} \cdot (\ln k)^{2/3})$

Effect of the increase in the computer speed on the speed of encryption and decryption in RSA

[Diagram labels: computer speed, operand size (to keep the same security), encryption/decryption speed]

Decryption using Chinese Remainder Theorem

$M = C^d \bmod N$

$C_P = C \bmod P$, $d_P = d \bmod (P-1)$

$C_Q = C \bmod Q$, $d_Q = d \bmod (Q-1)$

$M_P = C_P^{\,d_P} \bmod P$

$M_Q = C_Q^{\,d_Q} \bmod Q$

$M = M_P \cdot R_Q + M_Q \cdot R_P \bmod N$

where
$R_P = (P^{-1} \bmod Q) \cdot P = P^{Q-1} \bmod N$
$R_Q = (Q^{-1} \bmod P) \cdot Q = Q^{P-1} \bmod N$

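Time of decryption without and with Chinese Remainder Theorem

SOFTWARE

Without CRT: $t_{DEC}(k) = t_{EXP}(\text{random } e, k, L=k) = c_s \cdot k^3$

With CRT: $t_{DEC\text{-}CRT}(k) \approx 2 \cdot t_{EXP}(\text{random } e, k/2, L=k/2) = 2 \cdot c_s \cdot \left(\frac{k}{2}\right)^3 = \frac{1}{4}\, t_{DEC}(k)$

HARDWARE

Without CRT: $t_{DEC}(k) = t_{EXP}(\text{random } e, k, L=k) = c_h \cdot k^2$

With CRT: $t_{DEC\text{-}CRT}(k) \approx t_{EXP}(\text{random } e, k/2, L=k/2) = c_h \cdot \left(\frac{k}{2}\right)^2 = \frac{1}{4}\, t_{DEC}(k)$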

Chinese Remainder Theorem

Let $N = n_1 \cdot n_2 \cdot n_3 \cdot \ldots \cdot n_M$

and for any i, j: $\gcd(n_i, n_j) = 1$

Then, any number $0 \le A \le N-1$

can be represented uniquely by

$A \leftrightarrow (a_1 = A \bmod n_1,\ a_2 = A \bmod n_2,\ \ldots,\ a_M = A \bmod n_M)$

A can be reconstructed from $(a_1, a_2, \ldots, a_M)$ using the equation

$A = \sum_{i=1}^{M} a_i \cdot N_i \cdot (N_i^{-1} \bmod n_i) \bmod N$

where $N_i = \frac{N}{n_i} = n_1 \cdot n_2 \cdot \ldots \cdot n_{i-1} \cdot n_{i+1} \cdot \ldots \cdot n_M$

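Chinese Remainder Theorem for N = P ⋅ Q

$N = P \cdot Q$, $\gcd(P, Q) = 1$

$M \leftrightarrow (M_P = M \bmod P,\ M_Q = M \bmod Q)$

$M = M_P \cdot \frac{N}{P} \cdot \left( \left(\frac{N}{P}\right)^{-1} \bmod P \right) + M_Q \cdot \frac{N}{Q} \cdot \left( \left(\frac{N}{Q}\right)^{-1} \bmod Q \right) \bmod N$

$= M_P \cdot Q \cdot (Q^{-1} \bmod P) + M_Q \cdot P \cdot (P^{-1} \bmod Q) \bmod N$

$= M_P \cdot R_Q + M_Q \cdot R_P \bmod N$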
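The general reconstruction formula and the two-prime decryption built on it, as an added Python example (not code from the lecture notes). The function names and the toy key P = 61, Q = 53, e = 17 are constructed for illustration and far too small for real use; `pow(x, -1, m)` needs Python 3.8 or later.

```python
from math import prod


def crt_reconstruct(residues, moduli):
    """A = sum(a_i * N_i * (N_i^-1 mod n_i)) mod N for pairwise coprime n_i."""
    n = prod(moduli)
    total = 0
    for a_i, n_i in zip(residues, moduli):
        big_n_i = n // n_i                       # N_i = N / n_i
        total += a_i * big_n_i * pow(big_n_i, -1, n_i)
    return total % n


def crt_constants(p, q):
    """R_P and R_Q, each checked against the second formula in the notes."""
    n = p * q
    r_p = (pow(p, -1, q) * p) % n                # (P^-1 mod Q) * P
    r_q = (pow(q, -1, p) * q) % n                # (Q^-1 mod P) * Q
    assert r_p == pow(p, q - 1, n) and r_q == pow(q, p - 1, n)
    return r_p, r_q


def rsa_decrypt_crt(c, p, q, d):
    """Two half-size exponentiations, then M = M_P*R_Q + M_Q*R_P mod N."""
    m_p = pow(c % p, d % (p - 1), p)             # M_P = C_P^dP mod P
    m_q = pow(c % q, d % (q - 1), q)             # M_Q = C_Q^dQ mod Q
    r_p, r_q = crt_constants(p, q)
    return (m_p * r_q + m_q * r_p) % (p * q)


# Constructed toy key, for illustration only.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

if __name__ == "__main__":
    c = pow(65, E, N)
    print(rsa_decrypt_crt(c, P, Q, D), pow(c, D, N))   # both recover 65
```

In a real implementation R_P, R_Q, d_P and d_Q are computed once at key generation and stored with the private key.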

Generation of the RSA keys

e: typically e = 3 or $e = 2^{16} + 1$

P, Q: prime number generation

$\gcd(e, P-1) = 1$

$\gcd(e, Q-1) = 1$

$N = P \cdot Q$

d: Extended Euclid’s algorithm

$d = e^{-1} \bmod (P-1) \cdot (Q-1)$

$\gcd(e-1, P-1) = 2$

$\gcd(e-1, Q-1) = 2$

Random vs. Incremental Search

[Figure: prime numbers tested for primality under random search and under incremental search; for incremental search the starting point is chosen at random]

Is there a sufficient amount of prime numbers to choose from?

$\pi(x)$ - the amount of prime numbers smaller than x

[Figure: number line from 0 to x containing $\pi(x)$ prime numbers]

$\pi(x) = \frac{x}{\ln(x)}$

[Table with columns: x, $\pi(x)$]

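Is there a sufficient amount of prime numbers of the given bit length to choose from?

$\pi_k$ - the amount of prime numbers of the size of k bits

[Figure: number line from 0 to $2^k$ with $\pi_k$ prime numbers between $2^{k-1}$ and $2^k$]

$\pi_k = \pi(2^k) - \pi(2^{k-1}) \approx 0.5 \cdot \pi(2^k) \approx \pi(2^{k-1})$

[Table with columns: k, $\pi_k$]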

Average distance between primes of the given bit length (1)

[Figure: average distance between two consecutive primes on the number line between $2^{k-1}$ and $2^k$]

$\text{Average distance}(k) \approx \frac{2^k - 2^{k-1}}{\pi_k} \approx \frac{2^{k-1}}{\pi(2^{k-1})} \approx \ln 2^{k-1} \approx 0.69 \cdot (k-1)$

Average distance between primes of the given bit length (2)

[Table with columns: Number of bits k, Average distance between primes, Average amount of odd numbers to test]

Good probabilistic primality test

[Diagram: for n composite, the set {1..n-1} split into W(n), witnesses to the compositeness of n, and L(n), liars to the compositeness of n]

$\forall n$ composite: $|W(n)| \ge |L(n)|$

If $a \in W(n)$ the test returns “n composite”, else the test returns “n probably prime” or “n pseudoprime to the base a”

Miller-Rabin test

[Diagram: for n composite, the set {1..n-1} split into W(n), strong witnesses to the compositeness of n, and L(n), strong liars to the compositeness of n]

$\forall n$ composite: $|L(n)| \le \varphi(n)/4 < (n-1)/4$

For certain composite numbers, such as

$n = 3 \cdot 5 \cdot 7 \cdot \ldots \cdot (2k+1)$

there are only two strong liars: 1 and n-1

Miller-Rabin test

Mathematical Basis

If n is prime then 1 has only two square roots modulo n, i.e., there are only two numbers, $y_1$ and $y_2$, such that $y_1^2 \bmod n = 1$ and $y_2^2 \bmod n = 1$: $y_1 = 1$ and $y_2 = n-1 \equiv -1 \bmod n$

If n is composite then 1 has at least four square roots modulo n, i.e., there exist numbers $y_1, y_2, y_3, y_4$ such that

$y_1^2 \bmod n = 1$, $y_2^2 \bmod n = 1$, $y_3^2 \bmod n = 1$, $y_4^2 \bmod n = 1$, with $y_1 = 1$, $y_2 = n-1 \equiv -1 \bmod n$, $y_3 \not\equiv \pm 1 \bmod n$, $y_4 \not\equiv \pm 1 \bmod n$

Miller-Rabin test

Algorithm (1)

Find s and r, such that $n - 1 = 2^s \cdot r$, where r is odd

For example:

n = 49: $n - 1 = 48 = 2^4 \cdot 3$, s=4, r=3

n = 61: $n - 1 = 60 = 2^2 \cdot 15$, s=2, r=15

Miller-Rabin test

Algorithm (2)

Compute

$a^{n-1} \bmod n = (\ldots((a^r \bmod n)^2 \bmod n)^2 \bmod n \ldots)^2 \bmod n = 1$ (s squarings)

$a^r,\ (a^r)^2,\ (a^r)^{2^2},\ (a^r)^{2^3},\ \ldots,\ (a^r)^{2^{s-1}},\ (a^r)^{2^s} \bmod n$

Each term is the square mod n of the term before it, and a square root mod n of the term after it.
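The decomposition step and the squaring chain as an added Python example (not code from the lecture notes); function names are chosen here. It covers the n = 49 and n = 61 decompositions above and lists the strong liars of small composites by trying every base in {1..n-1}.

```python
def decompose(n):
    """Return (s, r) with n - 1 = 2^s * r and r odd."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    return s, r


def is_strong_witness(a, n):
    """True if base a proves that odd n > 2 is composite."""
    s, r = decompose(n)
    y = pow(a, r, n)                 # first term of the chain: a^r mod n
    if y in (1, n - 1):
        return False                 # chain is consistent with n being prime
    for _ in range(s - 1):
        y = (y * y) % n              # next term: (a^r)^(2^j) mod n
        if y == n - 1:
            return False             # reached -1, so the chain ends ..., -1, 1
        if y == 1:
            return True              # previous term was a square root of 1 other than +-1
    return True                      # chain never reached -1


def strong_liars(n):
    """All bases in {1..n-1} that fail to expose an odd n (exhaustive, small n only)."""
    return [a for a in range(1, n) if not is_strong_witness(a, n)]


def is_probable_prime(n, bases):
    """Miller-Rabin over the given bases; 'composite' answers are always correct."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return not any(is_strong_witness(a % n, n) for a in bases if a % n)


if __name__ == "__main__":
    print(decompose(49), decompose(61))
    print(strong_liars(49), strong_liars(105))
```

A composite that passes for one base, such as 2047 for base 2, is caught by another base, which is why production tests repeat the check with several bases.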


Using division by small primes

[Figure: prime number candidates tested, each labelled with the tests applied to it: D, R_2, R]

D – Division by small primes
R_2 – Miller-Rabin test with base 2
R – Miller-Rabin test with the random base a

Mertens’ Theorem

The proportion of candidate odd integers NOT ruled out by the trial division by all primes ≤ B

$\alpha(B) = (1 - 1/3) \cdot (1 - 1/5) \cdot (1 - 1/7) \cdot \ldots \cdot (1 - 1/B)$

$\alpha(B) \approx 1.12 / \ln B$

For B=256, $\alpha(B) \approx 0.2$

80% of tested numbers discarded by the trial division

Efficient implementation of division by small primes

Incremental search for a prime

Set of small primes: 3, 5, 7, 11

n_0 = 91: n_0 mod 3 = 1, n_0 mod 5 = 1, n_0 mod 7 = 0, n_0 mod 11 = 3
n = 93: 1+2 mod 3 = 0, 1+2 mod 5 = 3, 0+2 mod 7 = 2, 3+2 mod 11 = 5
n = 95: 0+2 mod 3 = 2, 3+2 mod 5 = 0, 2+2 mod 7 = 4, 5+2 mod 11 = 7
n = 97: 2+2 mod 3 = 1, 0+2 mod 5 = 2, 4+2 mod 7 = 6, 7+2 mod 11 = 9
n = 99: 1+2 mod 3 = 0, 2+2 mod 5 = 4, 6+2 mod 7 = 1, 9+2 mod 11 = 0
n = 101: 0+2 mod 3 = 2, 4+2 mod 5 = 1, 1+2 mod 7 = 3, 0+2 mod 11 = 2

Division by small primes – Practical implementation (2)

Candidates: 91 93 95 97 99 101 103 105 107 109 111 113 115 117 119 121

Small primes: 3 5 7 11

[Figure: array S[k] over the candidates, marked using the small primes 3, 5, 7, 11]

S[k]: 1 1 1 0 1 0 0 1 0 0 1 0 1 1 1 1
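The residue-update trick and the S[k] array as an added Python example (not code from the lecture notes), together with an exact computation of α(B) to compare against the 1.12 / ln B estimate. Function names are chosen here; the starting point n0 is assumed to be odd and larger than every small prime.

```python
from math import log

SMALL_PRIMES = (3, 5, 7, 11)


def sieve_flags(n0, count, small_primes=SMALL_PRIMES):
    """S[k] = 1 if candidate n0 + 2k is divisible by some small prime."""
    residues = [n0 % p for p in small_primes]     # the only full-size divisions
    flags = []
    for _ in range(count):
        flags.append(1 if 0 in residues else 0)
        # Next odd candidate: each residue is updated with one small addition.
        residues = [(r + 2) % p for r, p in zip(residues, small_primes)]
    return flags


def survivors(n0, count, small_primes=SMALL_PRIMES):
    """Candidates with S[k] = 0, i.e. the ones left for the Miller-Rabin test."""
    flags = sieve_flags(n0, count, small_primes)
    return [n0 + 2 * k for k, flag in enumerate(flags) if flag == 0]


def alpha(bound):
    """Exact proportion of odd integers not divisible by any prime 3 <= p <= bound."""
    primes, proportion = [], 1.0
    for c in range(3, bound + 1, 2):
        if all(c % p for p in primes):            # c is an odd prime
            primes.append(c)
            proportion *= 1 - 1 / c
    return proportion


def mertens_estimate(bound):
    """The approximation alpha(B) ~ 1.12 / ln B quoted in the notes."""
    return 1.12 / log(bound)


if __name__ == "__main__":
    print(sieve_flags(91, 16))
    print(survivors(91, 16))
    print(round(alpha(256), 3), round(mertens_estimate(256), 3))
```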

Optimum number of small primes

{3, 5, 7, …, B_opt}

$B_{opt} \approx \frac{R_2}{D \cdot \ln(R_2 / D)}$

R_2 = time of the Miller-Rabin test with base 2
D = time spent on test dividing one number by one small prime

Optimal Asymmetric Encryption Padding (1)

Bellare-Rogaway: Coding

[Diagram labels: 000000001 | message; SEED (>168 bits); MASK(SEED); masked_message; MASK(masked_message); output: masked_message | masked_seed]

Optimal Asymmetric Encryption Padding (2)

Bellare-Rogaway: Decoding

[Diagram labels: input: masked_message | masked_seed; MASK(masked_message); SEED (>168 bits); MASK(SEED); output: 000000001 | message]

RSA signature

[Diagram, Alice: Message, Hash function, Hash value, Public key algorithm with Alice’s private key, Signature. Bob: Message and Signature received; Hash function gives Hash value 1; Public key algorithm with Alice’s public key gives Hash value 2; comparison: yes / no]

Padding for signatures with appendix

PKCS #1 for signatures

00 01 FF FF FF …. FF 00 h(m)

at least 8 bytes

ISO-

6 BBBBBBBBBBB A h(m) 33CC for SHA- 31CC for RIPEMD-

hash code