1RSA Implementation:Efficient encryption, decryption & key generationECE646 Lecture 10 2Efficient encryption and decryption3Number of bits vs. number of decimal digits10#digits = 2#bits#digits = (log10 2) · #bits ≈ 0.30 · #bits 256 bits = 77 D 384 bits = 116 D 512 bits = 154 D 768 bits = 231 D1024 bits = 308 D2048 bits = 616 D 4How to perform exponentiation efficiently?Problems:Y = XE mod N = X ⋅ X ⋅ X ⋅ X ⋅ X … ⋅ X ⋅ X mod NE-timesE may be in the range of 21024 ≈ 103081. huge storage necessary to store XE before reduction2. amount of computations infeasible to performSolutions:1. modulo reduction after each multiplication2. clever algorithms200 BC, India, “Chandah-Sûtra”5Right-to-left binary exponentiationS: X X2 mod N X4 mod N X8 mod N … X2 mod NL-1E: e0 e1 e2 e3 … eL-1Y = X ⋅ (X2 mod N) ⋅ (X4 mod N) ⋅ (X8 mod N) ⋅ … ⋅ (X2 mod N) E = (eL-1, eL-2, …, e1, e0)2e0e1e2e3eL-1Y = Xe0 + 2⋅e1 + 4⋅e2 + 8⋅e3 + … + 2L-1 ⋅eL-1 mod N =Xa ⋅ Xb = Xa+b(Xa)b = Xab= X = XE mod N∑i=0L-1ei ⋅ 2iL-1Y = XE mod N 6Right-to-left binary exponentiation: ExampleS: X X2 mod N X4 mod N X8 mod N X16 mod NE: e0 e1 e2 e3 e4 1 1 0 0 1Y = X ⋅ X2 mod N ⋅ 1 ⋅ 1 ⋅ X16 mod N =E = 19 = 16 + 2 + 1 = (10011)2 = X 19 mod NY = 319 mod 113 32 mod 11 =9 92 mod 11 = 4 42 mod 11 = 5 52 mod 11 = 33 ⋅ 9 ⋅ 1 ⋅ 1 ⋅ 3 mod 11 (27 mod 11) ⋅ 3 mod 11 = 5 ⋅ 3 mod 11 = 47Left-to-right binary exponentiationE: eL-1 eL-2 eL-3 … e1 e0Y = ((...(((12 ⋅ X )2 ⋅ X )2 ⋅ X )2 …. )2 ⋅ X )2 ⋅ X mod N E = (eL-1, eL-2, …, e1, e0)2eL-1eL-2eL-3e1e0Y = X(eL-1 ⋅ 2 + eL-2) ⋅ 2 + eL-3 ) ⋅ 2 + …. + e1) ⋅ 2 + e0mod N =Xa ⋅ Xb = Xa+b(Xa)b = Xab= XE mod N∑i=0L-1ei ⋅ 2iY = XE mod N= X2L-1 ⋅eL-1+ 2L-2 ⋅eL-2+ 2L-3 ⋅eL-3 +…+2⋅e1+e0mod N = X = 8Left-to-right binary exponentiation: ExampleE: e4 e3 e2 e1 e0Y = ((...(((12 ⋅ X )2 ⋅ 1 )2 ⋅ 1 )2 ⋅ X)2 ⋅ X mod N Y = (X8 ⋅ X )2 ⋅ X mod N = X19 mod NE = 19 = 16 + 2 + 1 = (10011)2Y = 319 mod 111 0 0 1 1= (((32 mod 11) )2 mod 11)2 mod 11 ⋅ 3)2 mod 11 ⋅ 3 mod 11 = (81 mod 11)2 mod 11 ⋅ 3)2 mod 11 ⋅ 3 mod 11 == (5 ⋅ 3)2 mod 11 ⋅ 3 mod 11 == 42 mod 11 ⋅ 3 mod 11 = = 5 ⋅ 3 mod 11 = 49Right-to-left binary exponentiationLeft-to-right binary exponentiationExponentiation: Y = XE mod NE = (eL-1, eL-2, …, e1, e0)2Y = 1;S = X;for i=0 to L-1 { if (ei == 1) Y = Y ⋅ S mod N; S = S2 mod N; }Y = 1;for i=L-1 downto 0 { Y = Y2 mod N; if (ei == 1) Y = Y ⋅ X mod N; } 10Exponentiation Example: Y = 712 mod 11Right-to-left binary exponentiationLeft-to-right binary exponentiation12 = (1 1 0 0)2i 0 1 2 3ei 0 0 1 1Sbefore 7 5 3 9Yafter 1 1 1 3 5Safter 7 5 3 9 4i 3 2 1 0ei 1 1 0 0Y 1 7 2 4 5Sbefore - S before round i is computedSafter - S after round i is computed11Right-to-Left Binary Exponentiation in HardwareMULSQRYSEoutputX1enable 12Left-to-Right Binary Exponentiation in HardwareMULYEoutputX1ControlLogic13Basic Operations of RSAEncryptionDecryptionciphertext=modplaintextpublic key moduluspublic key exponentplaintext=modciphertextprivate key modulusprivate key exponentk-bitsk-bitsk-bitsk-bitsk-bits k-bitsL=kL < kCMeNMCdN 14Time of exponentiationtEXP(e, L, k) = #modular_multiplications(e, L) ⋅ tMULMOD(k)SOFTWARE#modular_multiplicationse=324e = F4 = 2 + 1217large random L-bit eL + #ones(e) ≈ ⋅ L32tMULMOD(k) - time of a single modular multiplication of two k-bit numbers modulo a k-bit numberHARDWAREtMULMOD(k) = csm · k2 tMULMOD(k) = chm · ke, L15Algorithms for Modular MultiplicationMultiplicationModular ReductionMultiplication combined withmodular reduction• Montgomery algorithm• Paper-and-pencil• Karatsuba• Schönhage-Strassen (FFT)• classical• Barrett• Selby-Mitchellθ(k2)θ(k3/2)θ(k ⋅ ln(k))θ(k2)θ(k2)complexity same as multiplication usedθ(k2) 16. . .A0A1An-1An-2. . . B0B1Bn-1Bn-2D0D1D2. . .C0C1Cn-1Cn-2. . . CnCn+1C2n-1C2n-2D2n-4D2n-3D2n-2. . . . .3 words3 wordsABC2 words2 wordsD0 = A0B0D1 = A0B1 + A1B0D2 = A0B2 + A1B1 + A2B0D2n-4 = An-3Bn-1 + An-2Bn-2 + An-1Bn-3D2n-3 = An-2Bn-1 + An-1Bn-2D2n-2 = An-1Bn-11 word = l bytes = λ bitsPaper-and-Pencil Algorithm of MultiplicationAssertion:lg2 n ≤ λx+++++17Classical Algorithm (1)x2n-1x0. . .x1x2n-2x2n-3xn-1. . .m0mn-1mn-2. . .:x0. . .x1x2n-2x2n-3xn-1. . .q’n-1 mxm–q’n-1=x2n-1b+ x2n-2mn-1q’n-1 = qn-1 + εε = 0, 1, 2m0mn-1mn-2. . .–x0. . .x1x2n-3xn-1. . .:q’n-2=x2n-2b+ x2n-3mn-1q’n-2 = qn-2 + εε = 0, 1, 2. . . . . . .x0x1xn-1. . . 18ModularMultiplicationModular ExponentiationSOFTWAREHARDWAREcsm · k2chm · kTime of basic operations in software and hardwarecsme · k2 · Lchme · k · L19Encryption/Signature verificationwith a small exponent eDecryption / Signature generationKey GenerationFactorization(breaking RSA)SOFTWAREHARDWAREcse · k2che · kTime of the RSA operations as a function of the key size kcsd · k3chd · k2csk · k4/log2kchk · k3/log2kexp(csf · k1/3 · (ln k)2/3) 20Effect of the increase in the computer speedon the speed of encryption and decryption in RSAcomputer speedoperandsizeencryption/decryptionspeedto keep the same security21Decryption using Chinese Remainder Theorem=MPCPPdPmod=MQCQQdQmodCP = C mod PdP = d mod (P-1)CQ = C mod QdQ = d mod (Q-1)=modCMdNM = MP ·RQ + MQ ·RP mod NwhereRP = (P-1 mod Q) ·P = PQ-1 mod NRQ = (Q-1 mod P) ·Q= QP-1 mod N 22Time of decryption without and with Chinese Remainder TheoremSOFTWAREHARDWAREWithout CRTWith CRTtDEC(k) = tEXP(random e, k, L=k) = cs ⋅ k3 tDEC-CRT(k) ≈ 2 ⋅ tEXP(random e, k/2, L=k/2) = 2 ⋅ cs ⋅ ( )3 = tDEC(k)14Without CRTWith CRTtDEC(k) = tEXP(random e, k, L=k) =
View Full Document
Unlocking...