1 / 10

Introduction to Modern Cryptography, Lecture 10

Introduction to Modern Cryptography, Lecture 10. Performance Improvements: Fast Arithmetic, Montegomery representation, Batch RSA, Elliptic Curves. RSA. RSA security 2 k : require n bit modulus = k 2 bits

sutton
Download Presentation

Introduction to Modern Cryptography, Lecture 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Modern Cryptography, Lecture 10 Performance Improvements: Fast Arithmetic, Montegomery representation, Batch RSA, Elliptic Curves

  2. RSA • RSA security 2k: require n bit modulus = k2 bits • RSA Signature generation/decryption: time O(n3) = O(k6) for k bits of security (Simple arithmetic operations) • RSA Signature verification/encryption: time O(n2) = O(k4) for an n bit modulus (Simple arithmetic operations)

  3. Fiat-Shamir • For k bits of security, modulus must be O(k2) bits in length • m (or t) must be at least k, • Signature generation: O(n2k)=O(k5) • Signature verification O(n2k) = O(k5)

  4. “Improving Fiat-Shamir” • Let the public key be only small primes 2, 3, 5, (if quadratic residue) • This means that verification now takes time equal to a constant number of full length multiplications (O(n2) = O(k4))

  5. Using fast arithmetic • If multiplication/division of n bit integers only takes time n log n then we have • RSA signature (decryption): O(n2 log n) = O(k4 log k) • Fiat-Shamir signature: O(n log(n) k) = O(k3 log k) • RSA / Fiat-Shamir verification: O(n log n) = O(k2 log k)

  6. Can we do better? • Can we do signature generation in less than k operations, say O(log(k)) operations? • Argument (false) if these operations are on public data then no, it would be easy to break the scheme by guessing what these operations are.

  7. The trick • Combine lots of private operations together • Amortize the cost per private operation

  8. Batch RSA • An RSA variant: • When I send a signed message to Alice, I use one of the roots 3, 5, 7, …, 997 or 216+1, 216+?, 216+??, …, 217+??? (all primes in the range) • Thus, to sign m1 and m2 I could extract the 3rd root of hash(m1) and the 5th root of hash(m2)

  9. Batch RSA The only expensive operation

  10. What is going on?Can this always be done? • Yes (on Blackboard) • Cost per private operation is now down to O(log n) = O(log k) mutiplications/divisions, i.e., O(k2 log k) operations per private operation

More Related