












An in-depth exploration of RSA implementation, focusing on efficient encryption, decryption, and key generation. It covers topics such as number of bits vs. decimal digits, right-to-left and left-to-right binary exponentiation, and the Chinese Remainder Theorem. The document also discusses the basic operations of RSA, the time of exponentiation, and the effect of computer speed on encryption and decryption.
Typology: Study notes
How to perform exponentiation efficiently?
Problem:
Y = X^E mod N = X · X · X · X · X · … · X · X mod N   (E factors, i.e. E-1 multiplications)
E may be in the range of 2^1024 ≈ 10^308, so multiplying E times is out of the question.
Solutions:
Right-to-left binary exponentiation
S: X, X^2 mod N, X^4 mod N, X^8 mod N, …, X^(2^(L-1)) mod N
E: e_0, e_1, e_2, e_3, …, e_(L-1)
E = (e_(L-1), e_(L-2), …, e_1, e_0)_2 = Σ_{i=0}^{L-1} e_i · 2^i
Y = X^E mod N = X^(e_0 + 2·e_1 + 4·e_2 + 8·e_3 + … + 2^(L-1)·e_(L-1)) mod N
  = X^(e_0) · (X^2 mod N)^(e_1) · (X^4 mod N)^(e_2) · (X^8 mod N)^(e_3) · … · (X^(2^(L-1)) mod N)^(e_(L-1)) mod N
using (X^a)^b = X^(ab) and X^a · X^b = X^(a+b): Y is the product of exactly those S-values whose bit e_i equals 1, and each S-value is the square mod N of the previous one.
Right-to-left binary exponentiation: Example
E = 19 = 16 + 2 + 1 = (10011)_2, i.e. e_0 e_1 e_2 e_3 e_4 = 1 1 0 0 1
S: X, X^2 mod N, X^4 mod N, X^8 mod N, X^16 mod N
Y = X · (X^2 mod N) · 1 · 1 · (X^16 mod N) mod N = X^19 mod N
Numerically, Y = 3^19 mod 11:
S: 3, 3^2 mod 11 = 9, 9^2 mod 11 = 4, 4^2 mod 11 = 5, 5^2 mod 11 = 3
Y = 3 · 9 · 1 · 1 · 3 mod 11 = (27 mod 11) · 3 mod 11 = 5 · 3 mod 11 = 4
Exponentiation Example: Y = 7^12 mod 11, with 12 = (1 1 0 0)_2

Right-to-left binary exponentiation (S_before = S before round i is computed, S_after = S after round i is computed; Y starts at 1, S starts at X = 7):
i         0   1   2   3
e_i       0   0   1   1
S_before  7   5   3   9
Y_after   1   1   3   5
S_after   5   3   9   4
Result: Y = 5.

Left-to-right binary exponentiation (Y starts at 1; each round squares Y and then multiplies by X when e_i = 1):
i     3   2   1   0
e_i   1   1   0   0
Y     7   2   4   5
Result: Y = 5 (check: 7^10 ≡ 1 mod 11 by Fermat, so 7^12 ≡ 7^2 = 49 ≡ 5 mod 11).
Right-to-Left Binary Exponentiation in Hardware
[figure: block diagram; labels: output, enable]

Left-to-Right Binary Exponentiation in Hardware
[figure: block diagram; labels: MUL, output, Control Logic]
Basic Operations of RSA
Encryption: ciphertext = plaintext^e mod N
  plaintext, ciphertext, N: k bits each
  e: public key exponent, L bits with L < k (a small e is common)
  N: public key modulus
Decryption: plaintext = ciphertext^d mod N
  plaintext, ciphertext, N: k bits each
  d: private key exponent, L = k bits
  N: private key modulus
Time of exponentiation
t_EXP(e, L, k) = #modular_multiplications(e, L) · t_MULMOD(k)

#modular_multiplications(e, L) for the left-to-right method (L-1 squarings plus one multiplication for every 1-bit of e after the leading one):
  e = 3: 2
  e = F_4 = 2^16 + 1: 17
  large random L-bit e: L + #ones(e) ≈ 3/2 · L

t_MULMOD(k): time of a single modular multiplication of two k-bit numbers modulo a k-bit number
  SOFTWARE: t_MULMOD(k) = c_sm · k^2
  HARDWARE: t_MULMOD(k) = c_hm · k
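As an added example (not part of the lecture notes), the two binary exponentiation methods from the slides above, instrumented to count modular squarings and multiplications so that the #modular_multiplications(e, L) figures for e = 3, e = F_4 and a random L-bit e can be checked. Function names and the test values are ours.

```python
# Added example, not from the lecture notes: binary exponentiation with
# operation counting. Function names are our own.

def bits_lsb_first(e):
    """Binary digits e_0, e_1, ..., e_{L-1} of e, least significant first."""
    return [(e >> i) & 1 for i in range(e.bit_length())]


def modexp_right_to_left(x, e, n):
    """Y = x^e mod n, scanning e from e_0 upward.

    S runs through x, x^2, x^4, ... (mod n); each S whose bit e_i is 1 is
    multiplied into Y. Returns (Y, squarings, multiplications).
    """
    y, s = 1, x % n
    squarings = multiplications = 0
    bits = bits_lsb_first(e)
    for i, e_i in enumerate(bits):
        if e_i:
            y = (y * s) % n
            multiplications += 1
        if i < len(bits) - 1:          # S after the last round is never used
            s = (s * s) % n
            squarings += 1
    return y, squarings, multiplications


def modexp_left_to_right(x, e, n):
    """Y = x^e mod n, scanning e from e_{L-1} downward (Horner's rule).

    Y starts as x (the leading bit is always 1); every further bit costs one
    squaring plus one multiplication by x when that bit is 1.
    Returns (Y, squarings, multiplications).
    """
    if e == 0:
        return 1 % n, 0, 0
    bits = bits_lsb_first(e)[::-1]     # e_{L-1}, ..., e_0
    y = x % n
    squarings = multiplications = 0
    for e_i in bits[1:]:
        y = (y * y) % n
        squarings += 1
        if e_i:
            y = (y * x) % n
            multiplications += 1
    return y, squarings, multiplications


def count_modmul(e):
    """#modular_multiplications(e, L) for the left-to-right method:
    (L - 1) squarings plus (#ones(e) - 1) multiplications."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


if __name__ == "__main__":
    print(modexp_right_to_left(3, 19, 11))   # slide example: 3^19 mod 11
    print(modexp_left_to_right(7, 12, 11))   # slide example: 7^12 mod 11
    for e in (3, 2**16 + 1):
        print(e, count_modmul(e))
```

Both functions return the operation counts alongside Y, so the cost model t_EXP = #modular_multiplications · t_MULMOD can be read off directly; for a random 1024-bit e the left-to-right count lands near 1.5 · 1024, as the table says.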
Algorithms for Modular Multiplication
Multiplication:
  - paper-and-pencil: θ(k^2)
  - Karatsuba: θ(k^(log_2 3)) ≈ θ(k^1.58)
  - Schönhage-Strassen (FFT): θ(k · ln k · ln ln k)
Modular reduction:
  - classical: θ(k^2)
  - Barrett: θ(k^2)
  - Selby-Mitchell: θ(k^2)
Multiplication combined with modular reduction:
  - Montgomery algorithm: complexity the same as that of the multiplication used
Time of the RSA operations as a function of the key size k
                                                    SOFTWARE                 HARDWARE
Encryption / signature verification (small e):      c_se · k^2               c_he · k
Decryption / signature generation:                  c_sd · k^3               c_hd · k^2
Key generation:                                     c_sk · k^4 / log_2 k     c_hk · k^3 / log_2 k
Factorization (breaking RSA):                       exp(c_sf · k^(1/3) · (ln k)^(2/3))
Effect of the increase in the computer speed on the speed of encryption and decryption in RSA
[figure: plot; annotation "to keep the same security"]
Decryption using Chinese Remainder Theorem
Without CRT: M = C^d mod N
With CRT (N = P · Q):
  C_P = C mod P,  d_P = d mod (P-1),  M_P = C_P^(d_P) mod P
  C_Q = C mod Q,  d_Q = d mod (Q-1),  M_Q = C_Q^(d_Q) mod Q
  M = (M_P · R_Q + M_Q · R_P) mod N
  where R_P = (P^(-1) mod Q) · P = P^(Q-1) mod N  and  R_Q = (Q^(-1) mod P) · Q = Q^(P-1) mod N
(R_P ≡ 0 mod P and R_P ≡ 1 mod Q; R_Q ≡ 1 mod P and R_Q ≡ 0 mod Q. The second form of each constant follows from Fermat's little theorem and lets them be precomputed with one exponentiation.)
SOFTWARE:
Without CRT: t_DEC(k) = t_EXP(random e, k, L=k) = c_s · k^3
With CRT:    t_DEC-CRT(k) ≈ 2 · t_EXP(random e, k/2, L=k/2) = 2 · c_s · (k/2)^3 = t_DEC(k) / 4

HARDWARE (the two half-size exponentiations run in parallel):
Without CRT: t_DEC(k) = t_EXP(random e, k, L=k) = c_h · k^2
With CRT:    t_DEC-CRT(k) ≈ t_EXP(random e, k/2, L=k/2) = c_h · (k/2)^2 = t_DEC(k) / 4
Chinese Remainder Theorem
Let N = n_1 · n_2 · n_3 · … · n_M and gcd(n_i, n_j) = 1 for all i ≠ j.
Then any number 0 ≤ A ≤ N-1 can be represented uniquely by
  A ↔ (a_1 = A mod n_1, a_2 = A mod n_2, …, a_M = A mod n_M)
and A can be reconstructed from (a_1, a_2, …, a_M) using
  A = Σ_{i=1}^{M} (a_i · N_i · (N_i^(-1) mod n_i)) mod N,   where N_i = N / n_i = n_1 · n_2 · … · n_(i-1) · n_(i+1) · … · n_M

Special case N = P · Q, gcd(P, Q) = 1:
  M ↔ (M_P = M mod P, M_Q = M mod Q)
  M = (M_P · Q · (Q^(-1) mod P) + M_Q · P · (P^(-1) mod Q)) mod N
    = (M_P · R_Q + M_Q · R_P) mod N
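As an added example (not part of the lecture notes), the general CRT reconstruction formula and the two-prime RSA-CRT decryption from the slides above, plus the re-encryption check a practitioner would add: if one of the two half exponentiations is faulted, the wrong result M' is still correct modulo one prime, and gcd(M'^e - C, N) reveals a factor of N (the Bellcore fault attack). The key values are a toy key constructed for the demo; function names are ours.

```python
# Added example, not from the lecture notes: CRT reconstruction and RSA-CRT
# decryption. The key below is a toy value constructed for the demo.

from math import gcd


def crt_reconstruct(residues, moduli):
    """A with A mod n_i = a_i for every i, 0 <= A < N = n_1 * ... * n_M.

    Uses A = sum_i a_i * N_i * (N_i^{-1} mod n_i) mod N with N_i = N / n_i,
    the formula in the notes. The moduli must be pairwise coprime.
    """
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    big_n = 1
    for n_i in moduli:
        big_n *= n_i
    total = 0
    for a_i, n_i in zip(residues, moduli):
        n_i_hat = big_n // n_i                       # N_i
        total += a_i * n_i_hat * pow(n_i_hat, -1, n_i)
    return total % big_n


def rsa_crt_constants(p, q):
    """R_P = (P^-1 mod Q) * P and R_Q = (Q^-1 mod P) * Q, reduced mod N."""
    n = p * q
    r_p = (pow(p, -1, q) * p) % n     # R_P = 0 mod P, 1 mod Q
    r_q = (pow(q, -1, p) * q) % n     # R_Q = 1 mod P, 0 mod Q
    return r_p, r_q


def rsa_decrypt_crt(c, d, p, q):
    """M = C^d mod N computed as two half-size exponentiations."""
    n = p * q
    d_p, d_q = d % (p - 1), d % (q - 1)
    m_p = pow(c % p, d_p, p)          # M_P = C_P^{d_P} mod P
    m_q = pow(c % q, d_q, q)          # M_Q = C_Q^{d_Q} mod Q
    r_p, r_q = rsa_crt_constants(p, q)
    return (m_p * r_q + m_q * r_p) % n


def rsa_decrypt_crt_checked(c, d, e, p, q):
    """CRT decryption followed by re-encryption with the public exponent.

    Costs one cheap small-e exponentiation and blocks the Bellcore attack:
    a faulty M' is never released, so gcd(M'^e - C, N) is never available.
    """
    n = p * q
    m = rsa_decrypt_crt(c, d, p, q)
    if pow(m, e, n) != c % n:
        raise RuntimeError("CRT result failed re-encryption check")
    return m


def bellcore_factor(m_faulty, c, e, n):
    """Factor of N recovered from a CRT result that is wrong modulo one prime."""
    return gcd(pow(m_faulty, e, n) - c, n)


# Toy key constructed for the demo (not a real key):
DEMO_P, DEMO_Q, DEMO_E, DEMO_D = 61, 53, 17, 2753

if __name__ == "__main__":
    n = DEMO_P * DEMO_Q
    c = pow(65, DEMO_E, n)
    print(c, rsa_decrypt_crt(c, DEMO_D, DEMO_P, DEMO_Q))
```

rsa_crt_constants also lets you confirm the identity R_P = P^(Q-1) mod N stated on the slide: pow(p, q - 1, n) equals r_p for the toy key.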
Generation of the RSA keys
[figure]

Random vs. Incremental Search
[figure: prime numbers / numbers tested for primality; starting point chosen at random]

Is there a sufficient amount of prime numbers of the given bit length to choose from?

Average distance between primes of the given bit length (1)
[figure: average distance between two consecutive primes]
Average distance between primes of the given bit length (2)
(By the prime number theorem the average gap between consecutive primes near 2^k is about ln(2^k) = k · ln 2, so an incremental search from a random k-bit start tests on the order of k/2 odd candidates before hitting a prime.)
Good probabilistic primality test
For a composite n, the set {1..n-1} splits into
  W(n) – witnesses to the compositeness of n
  L(n) – liars to the compositeness of n
If a ∈ W(n), the test returns "n composite"; else the test returns "n probably prime" (or "n pseudoprime to the base a").
A test is good when L(n) is a small fraction of {1..n-1} for every composite n, so that a random base is a witness with high probability.

Miller-Rabin test
For a composite n, {1..n-1} splits into
  W(n) – strong witnesses to the compositeness of n
  L(n) – strong liars to the compositeness of n; 1 and n-1 always belong to L(n)
For every odd composite n, |L(n)| ≤ (n-1)/4, so each round with a random base fails to detect a composite with probability at most 1/4.
Miller-Rabin test
If n is prime then 1 has only two square roots modulo n, i.e., there are only two numbers y_1 and y_2 such that y_1^2 mod n = 1 and y_2^2 mod n = 1: y_1 = 1 and y_2 = n-1 ≡ -1 mod n.
If n is an odd composite with at least two distinct prime factors then 1 has at least four square roots modulo n, i.e., there exist numbers y_1, y_2, y_3, y_4 such that y_1^2 mod n = 1, y_2^2 mod n = 1, y_3^2 mod n = 1, y_4^2 mod n = 1 with y_1 = 1, y_2 = n-1 ≡ -1 mod n, y_3 ≢ ±1 mod n, y_4 ≢ ±1 mod n.
(For an odd prime power n = p^k, 1 still has only the two trivial square roots; the test catches such n because a^(n-1) ≢ 1 mod n for all but a 1/p^(k-1) fraction of the bases.)
Miller-Rabin test
Find s and r such that n - 1 = 2^s · r, where r is odd.
For example:
  n = 49: n - 1 = 48 = 2^4 · 3, so s = 4, r = 3
  n = 61: n - 1 = 60 = 2^2 · 15, so s = 2, r = 15
Compute
  a^(n-1) mod n = (…((a^r mod n)^2 mod n)^2 mod n …)^2 mod n   (s squarings)
i.e., the chain
  a^r, (a^r)^2, (a^r)^(2^2), (a^r)^(2^3), …, (a^r)^(2^(s-1)), (a^r)^(2^s) mod n
where each term is the square mod n of the previous one (equivalently, each term is a square root mod n of the next). If n is prime the chain ends in 1 and the term just before the first 1 must be n-1 ≡ -1. A base a is a strong liar (or n is prime) when the chain starts at 1 or reaches n-1 before reaching 1; otherwise a is a strong witness, because either a^(n-1) ≢ 1 (Fermat fails) or the chain exhibits a non-trivial square root of 1.
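As an added example (not part of the lecture notes), the Miller-Rabin test written so that the squaring chain a^r, a^(2r), …, a^(2^s · r) mod n and the witness / strong-liar decision are visible, plus a brute-force split of {1..n-1} into W(n) and L(n) for small n so the bound |L(n)| ≤ (n-1)/4 can be checked. Function names and the sample values (49, 61, 561) are ours.

```python
# Added example, not from the lecture notes: Miller-Rabin with the squaring
# chain exposed. Function names are our own.

import random


def split_n_minus_1(n):
    """Return (s, r) with n - 1 = 2^s * r and r odd; n must be odd and > 2."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer > 2")
    s, r = 0, n - 1
    while r % 2 == 0:
        s += 1
        r //= 2
    return s, r


def miller_rabin_round(n, a):
    """One round with base a. Returns (is_strong_witness, chain).

    chain holds a^r, (a^r)^2, ... mod n up to the element that decided the
    outcome. a is a strong liar (or n is prime) when the chain starts at 1
    or hits n-1 before reaching 1; otherwise a is a strong witness.
    """
    s, r = split_n_minus_1(n)
    x = pow(a, r, n)
    chain = [x]
    if x == 1 or x == n - 1:
        return False, chain
    for _ in range(s - 1):
        x = (x * x) % n
        chain.append(x)
        if x == n - 1:
            return False, chain
        if x == 1:                   # previous element is a non-trivial sqrt of 1
            return True, chain
    return True, chain               # -1 never appeared: Fermat fails or sqrt(1) found


def strong_liars(n):
    """L(n): bases in {1..n-1} that do not prove n composite (all of them if n is prime)."""
    return [a for a in range(1, n) if not miller_rabin_round(n, a)[0]]


def is_probable_prime(n, rounds=40):
    """Standard Miller-Rabin with independent random bases (error <= 4^-rounds)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        if miller_rabin_round(n, a)[0]:
            return False
    return True


if __name__ == "__main__":
    print(split_n_minus_1(49), split_n_minus_1(61))
    print(strong_liars(49))                  # 6 of 48 bases lie for 49
    print(miller_rabin_round(561, 2))        # Carmichael number: 2 is a strong witness
```

For the Carmichael number 561 the chain for base 2 runs 263, 166, 67, 1: 2^560 ≡ 1 mod 561, so the Fermat test is fooled, but 67 is a non-trivial square root of 1 and Miller-Rabin reports composite.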
Using division by small primes
[figure: numbers tested for primality; D – division by small primes, R_2 – Miller-Rabin test with base 2, R – Miller-Rabin test with a random base a]

Mertens' Theorem
The proportion of candidate odd integers NOT ruled out by trial division by all primes ≤ B is
  ∏_{3 ≤ p ≤ B} (1 - 1/p) ≈ 1.12 / ln B
For B ≈ 256 this is about 0.2, i.e., about 80% of tested numbers are discarded by the trial division before any Miller-Rabin round is run.
Incremental search for a prime
Set of small primes: {3, 5, 7, 11}; starting point n_0 = 91
Residues of the starting point (the only values obtained by actual division):
  n_0 mod 3 = 1, n_0 mod 5 = 1, n_0 mod 7 = 0, n_0 mod 11 = 3
Every next candidate is n + 2, so each residue is updated as (r + 2) mod p:
  mod 3:  1+2 mod 3 = 0, 0+2 mod 3 = 2, 2+2 mod 3 = 1, 1+2 mod 3 = 0, 0+2 mod 3 = 2
  mod 5:  1+2 mod 5 = 3, 3+2 mod 5 = 0, 0+2 mod 5 = 2, 2+2 mod 5 = 4, 4+2 mod 5 = 1
  mod 7:  0+2 mod 7 = 2, 2+2 mod 7 = 4, 4+2 mod 7 = 6, 6+2 mod 7 = 1, 1+2 mod 7 = 3
  mod 11: 3+2 mod 11 = 5, 5+2 mod 11 = 7, 7+2 mod 11 = 9, 9+2 mod 11 = 0, 0+2 mod 11 = 2

Sieve table for the candidates 91 … 121 (S[k] = 1 when the k-th candidate n_0 + 2k has a residue 0, i.e., is divisible by one of the small primes):
n         91  93  95  97  99 101 103 105 107 109 111 113 115 117 119 121
n mod 3    1   0   2   1   0   2   1   0   2   1   0   2   1   0   2   1
n mod 5    1   3   0   2   4   1   3   0   2   4   1   3   0   2   4   1
n mod 7    0   2   4   6   1   3   5   0   2   4   6   1   3   5   0   2
n mod 11   3   5   7   9   0   2   4   6   8  10   1   3   5   7   9   0
S[k]       1   1   1   0   1   0   0   1   0   0   1   0   1   1   1   1
Only the candidates with S[k] = 0 (97, 101, 103, 107, 109, 113) are passed on to the Miller-Rabin test.
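As an added example (not part of the lecture notes), the incremental search sieve from the slides above implemented with residue updates only, reproducing the S[k] row for the candidates 91 … 121 with the small primes {3, 5, 7, 11}, together with the exact survivor proportion ∏(1 - 1/p) compared against the Mertens estimate 1.12 / ln B from the slide before it. Function names are ours.

```python
# Added example, not from the lecture notes: trial division by small primes
# as an incremental sieve, and the Mertens survivor estimate. Names are ours.

from math import log


def small_primes_upto(bound):
    """Odd primes <= bound by an Eratosthenes sieve (2 is skipped: candidates are odd)."""
    flags = bytearray([1]) * (bound + 1)
    flags[0:2] = b"\x00\x00"
    for p in range(2, int(bound ** 0.5) + 1):
        if flags[p]:
            flags[p * p::p] = b"\x00" * len(range(p * p, bound + 1, p))
    return [p for p in range(3, bound + 1) if flags[p]]


def sieve_table(n0, count, primes):
    """Residues and flags for the odd candidates n0, n0+2, ..., n0+2(count-1).

    Only n0 is reduced by division; every later residue is (r + 2) mod p.
    Returns (residues, flags): residues[p][k] = (n0 + 2k) mod p and
    flags[k] = 1 when some small prime divides the k-th candidate.
    """
    if n0 % 2 == 0:
        raise ValueError("start from an odd candidate")
    current = {p: n0 % p for p in primes}
    residues = {p: [] for p in primes}
    flags = []
    for _ in range(count):
        for p in primes:
            residues[p].append(current[p])
        flags.append(1 if any(current[p] == 0 for p in primes) else 0)
        for p in primes:
            current[p] = (current[p] + 2) % p
    return residues, flags


def survivors(n0, count, primes):
    """Candidates that pass trial division and go on to Miller-Rabin."""
    _, flags = sieve_table(n0, count, primes)
    return [n0 + 2 * k for k, f in enumerate(flags) if f == 0]


def survivor_fraction(bound):
    """Exact proportion of odd integers not ruled out by the primes 3..bound."""
    frac = 1.0
    for p in small_primes_upto(bound):
        frac *= 1 - 1 / p
    return frac


def mertens_estimate(bound):
    """Mertens' approximation 1.12 / ln(B) of the same proportion."""
    return 1.12 / log(bound)


if __name__ == "__main__":
    _, flags = sieve_table(91, 16, [3, 5, 7, 11])
    print(flags)                                  # the slide's S[k] row
    print(survivors(91, 16, [3, 5, 7, 11]))
    print(survivor_fraction(256), mertens_estimate(256))
```

With B = 256 both the exact product and the estimate come out close to 0.2, which is where the slide's "80% discarded" figure comes from; a real key generator picks B by balancing the cost D of one more trial division against the Miller-Rabin cost R_2 it saves, as the next slide discusses.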
Optimum number of small primes
[figure]
R_2 = time of the Miller-Rabin test with base 2; D = time spent on test-dividing one number by one small prime
Optimal Asymmetric Encryption Padding (1): Bellare-Rogaway
Coding:
  data block = 000…0001 || message   (zero bytes, a single 1, then the message; figure label: > 168 bits)
  masked_message = data block XOR MASK(SEED)
  masked_seed = SEED XOR MASK(masked_message)
  output = masked_message || masked_seed

Optimal Asymmetric Encryption Padding (2): Bellare-Rogaway
Decoding:
  SEED = masked_seed XOR MASK(masked_message)
  data block = masked_message XOR MASK(SEED)
  check the 000…0001 prefix, then strip it to recover the message
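As an added example (not part of the lecture notes), the two-round OAEP structure from the slides above with MASK instantiated as MGF1 over SHA-256. This is the textbook Bellare-Rogaway layout only: the EME-OAEP of PKCS #1 v2 (RFC 8017) additionally prepends a 0x00 byte and a label hash, so do not use this in place of a library implementation. Block sizes, the seed length and the function names are our choices.

```python
# Added example, not from the lecture notes: Bellare-Rogaway OAEP coding and
# decoding with MGF1/SHA-256 as the MASK function. Names are our own.

import hashlib
import os


def mgf1(seed, length):
    """MGF1 (RFC 8017 B.2.1) with SHA-256: concatenated hash(seed || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message, total_len, seed_len=32, seed=None):
    """Return masked_message || masked_seed, total_len bytes in all.

    data block = 00 ... 00 01 || message, left-padded to total_len - seed_len
    bytes. The seed must be fresh and random (os.urandom); it is a parameter
    only so that the example is reproducible.
    """
    data_len = total_len - seed_len
    if len(message) + 1 > data_len:
        raise ValueError("message too long for this block size")
    data = b"\x00" * (data_len - len(message) - 1) + b"\x01" + message
    if seed is None:
        seed = os.urandom(seed_len)
    masked_message = xor_bytes(data, mgf1(seed, data_len))
    masked_seed = xor_bytes(seed, mgf1(masked_message, seed_len))
    return masked_message + masked_seed


def oaep_decode(encoded, seed_len=32):
    """Invert oaep_encode; raises ValueError when the 00..00 01 prefix is missing."""
    masked_message, masked_seed = encoded[:-seed_len], encoded[-seed_len:]
    seed = xor_bytes(masked_seed, mgf1(masked_message, seed_len))
    data = xor_bytes(masked_message, mgf1(seed, len(masked_message)))
    # Walk the whole block instead of returning at the first bad byte, so the
    # work done does not depend on where (or whether) the 0x01 separator is.
    sep = -1
    bad = 0
    for i, byte in enumerate(data):
        if sep == -1 and byte == 0x01:
            sep = i
        elif sep == -1 and byte != 0x00:
            bad = 1
    if sep == -1 or bad:
        raise ValueError("invalid OAEP padding")
    return data[sep + 1:]


if __name__ == "__main__":
    enc = oaep_encode(b"attack at dawn", 128)
    print(enc.hex())
    print(oaep_decode(enc))
```

The decoder raises on a bad prefix; in a deployed system that failure must be indistinguishable to the caller (same timing, same error) from a failure of the RSA step itself, since an oracle telling the two apart is what Manger's attack on OAEP exploits.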
RSA signature
Signature generation:
  Message → Hash function → Hash value → Public key algorithm (with Alice's private key) → Signature
Signature verification:
  Message → Hash function → Hash value 1
  Signature → Public key algorithm (with Alice's public key) → Hash value 2
  Hash value 1 = Hash value 2 ? → yes / no
[figure: Message, Signature]
Padding for signatures with appendix
PKCS #1 for signatures (v1.5 encoding):
  00 01 FF FF FF … FF 00 h(m)
  (at least 8 bytes of FF; in PKCS #1 v1.5 the hash code h(m) is carried inside a DER-encoded DigestInfo that also names the hash function)
ISO/IEC 9796-2 style encoding:
  6B BB … BB BA h(m) 33CC   (33CC for SHA-1, 31CC for RIPEMD-160; the first byte of the trailer identifies the hash code)
A verifier must compare the whole decrypted block against the expected encoding. Parsers that accept any FF run of eight or more bytes and ignore whatever follows h(m) have been exploited to forge signatures for small public exponents.
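As an added example (not part of the lecture notes), the PKCS #1 v1.5 signature encoding from the slide above, written out with the DigestInfo prefix for SHA-1 that the picture omits (the constant is from RFC 8017 section 9.2), together with a strict verifier that recomputes the full block and a deliberately lenient parser of the kind Bleichenbacher's 2006 e = 3 forgery abuses. The lenient parser is shown as the anti-pattern; function names are ours.

```python
# Added example, not from the lecture notes: EMSA-PKCS1-v1_5 encoding and two
# verifiers, strict (correct) and lenient (the exploitable anti-pattern).

import hashlib
import hmac

# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info_sha1(message):
    """T = DigestInfo(SHA-1, h(m))."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def emsa_pkcs1_v15_encode(message, em_len):
    """EM = 00 01 PS 00 T with PS = FF * (em_len - len(T) - 3), at least 8 bytes."""
    t = digest_info_sha1(message)
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_strict(em, message):
    """Recompute the full EM and compare it byte for byte (RFC 8017 8.2.2)."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_lenient(em, message):
    """Parser that walks the padding and then only checks that T follows.

    It accepts any FF run of length >= 8 and never looks at the bytes after
    T, so for a small public exponent an attacker can look for an EM of this
    shape that is a perfect e-th power and needs no private key at all.
    Do not use: shown only to contrast with verify_strict.
    """
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info_sha1(message)
    return em[i + 1:i + 1 + len(t)] == t


def malformed_em(message, em_len):
    """EM of the shape the lenient parser accepts: minimal PS, T, free trailing bytes."""
    t = digest_info_sha1(message)
    trailing = em_len - (2 + 8 + 1 + len(t))
    if trailing < 0:
        raise ValueError("em_len too small")
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * trailing


if __name__ == "__main__":
    em = emsa_pkcs1_v15_encode(b"hello", 64)
    print(em.hex())
    print(verify_strict(em, b"hello"), verify_lenient(em, b"hello"))
    bad = malformed_em(b"hello", 64)
    print(verify_strict(bad, b"hello"), verify_lenient(bad, b"hello"))
```

The strict verifier never parses the signature at all: it builds the one encoding that is acceptable for this message and modulus size and compares. That is the form RFC 8017 prescribes and it removes the whole class of padding-parser bugs.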