ECE646 Lecture 10 RSA Implementation: Efficient Encryption & Decryption Required Reading W. Stallings, "Cryptography and etwork-security, Chapter 9.2 The RSA Algorithm Chapter 8.4 The Chinese Remainder Theorem Efficient encryption and decryption 1
umber of bits vs. number of decimal digits 10 #digits = 2 #bits #digits = (log 10 2) #bits 0.30 #bits 256 bits = 77 D 384 bits = 116 D 512 bits = 154 D 768 bits = 231 D 1024 bits = 308 D 2048 bits = 616 D How to perform exponentiation efficiently? Y = X E mod = X X X X X X X mod E-times E may be in the range of 2 1024 10 308 Problems: Solutions: 1. huge storage necessary to store X E before reduction 2. amount of computations infeasible to perform 1. modulo reduction after each multiplication 2. clever algorithms 200 BC, India, Chandah-Sûtra Exponentiation: Y = X E mod Right-to-left binary exponentiation Left-to-right binary exponentiation E = (e L-1, e L-2,, e 1, e 0) 2 Y = 1; S = X; for i=0 to L-1 { if (e i == 1) Y = Y S mod ; S = S 2 mod ; } Y = 1; for i=l-1 downto 0 { Y = Y 2 mod ; if (e i == 1) Y = Y X mod ; } 2
Right-to-left binary exponentiation Y = X E mod E = (e L-1, e L-2,, e 1, e 0) 2 S: X X 2 mod X 4 mod X 8 mod L-1 X 2 mod E: e 0 e 1 e 2 e 3 e L-1 e 0 e Y = X (X 2 1 e mod ) (X 4 mod ) 2 e 3 (X 8 L-1 e L-1 mod ) (X 2 mod ) (X a ) b = X ab X a X b = X a+b Y = X e 0 + 2 e 1 + 4 e 2 + 8 e 3 + + 2 L-1 e L-1 mod = L-1 e i 2 i i=0 = X = X E mod Right-to-left binary exponentiation: Example E = 19 = 16 + 2 + 1 = (10011) 2 S: X X 2 mod X 4 mod X 8 mod X 16 mod E: e 0 e 1 e 2 e 3 e 4 1 1 0 0 1 Y = X X 2 mod 1 1 X 16 mod = = X 19 mod Y = 3 19 mod 11 3 3 2 mod 11 =9 9 2 mod 11 = 4 4 2 mod 11 = 5 5 2 mod 11 = 3 3 9 1 1 3 mod 11 (27 mod 11) 3 mod 11 = 5 3 mod 11 = 4 Left-to-right binary exponentiation Y = X E mod E = (e L-1, e L-2,, e 1, e 0) 2 E: e L-1 e L-2 e L-3 e 1 e 0 e Y = ((...(((1 2 L-1 e X ) 2 L-2 e X ) 2 L-3 e 1 e X ) 2. ) 2 X ) 2 0 X mod (X a ) b = X ab X a X b = X a+b Y = X (e L-1 2 + e L-2) 2 + e L-3 ) 2 +. + e 1) 2 + e 0 mod = e i 2 i = X 2L-1 e L-1+ 2 L-2 e L-2+ 2 L-3 e L-3 + +2 e 1+e 0mod i=0 = X = = X E mod L-1 3
Left-to-right binary exponentiation: Example Y = 3 19 mod 11 E = 19 = 16 + 2 + 1 = (10011) 2 E: e 4 e 3 e 2 e 1 e 0 1 0 0 1 1 Y = ((...(((1 2 X ) 2 1 ) 2 1 ) 2 X) 2 X mod = (((3 2 mod 11) ) 2 mod 11) 2 mod 11 3) 2 mod 11 3 mod 11 = (81 mod 11) 2 mod 11 3) 2 mod 11 3 mod 11 = = (5 3) 2 mod 11 3 mod 11 = = 4 2 mod 11 3 mod 11 = = 5 3 mod 11 = 4 Y = (X 8 X ) 2 X mod = X 19 mod Exponentiation Example: Y = 7 12 mod 11 Right-to-left binary exponentiation e = 12 = (1 1 0 0) 2 Left-to-right binary exponentiation Right-to-Left Binary Exponentiation in Hardware 1 X E enable Y S MUL SQR output 4
Left-to-Right Binary Exponentiation in Hardware 1 Y X Control Logic E MUL output Basic Operations of RSA Encryption L < k e public key exponent C = M mod ciphertext plaintext public key modulus k-bits k-bits k-bits Decryption M plaintext = C mod ciphertext L=k private key exponent private key modulus k-bits k-bits k-bits d Time of Exponentiation in Software t EXP(e, L, k) = #modular_multiplications(e, L) t MULMOD(k) e, L e=3 2 4 e = F 4 = 2 + 1 #modular_multiplications 2 17 3 large random L-bit e L + #ones(e) L 2 t MULMOD(k) - time of a single modular multiplication of two k-bit numbers modulo a k-bit number t MULMOD(k) = c sm k 2 5
Time of Exponentiation in Hardware t EXP(L, k) = L t MULMOD(k) t MULMOD(k) - time of a single modular multiplication of two k-bit numbers modulo a k-bit number t MULMOD(k) = c hm k Algorithms for Modular Multiplication Multiplication Paper-and-pencil θ(k 2 ) Karatsuba θ(k 3/2 ) Schönhage-Strassen (FFT) Modular Reduction θ(k ln(k)) Multiplication combined with modular reduction Montgomery algorithm θ(k 2 ) classical Barrett θ(k 2 ) the same complexity as underlying multiplication Selby-Mitchell θ(k 2 ) Paper-and-Pencil Algorithm of Multiplication 1 word = l bytes = λ bits An-1 An-2... A1 A0 A x Bn-1 Bn-2... B1 B0 B Assertion: 2 words + + lg 2 n λ D0 = A0B0 D1 = A0B1 + A1B0 D2 = A0B2 + A1B1 + A2B0 3 words + D2n-4 D2n-3 D2n-2 D2n-2 = An-1Bn-1 2 words..... + D1 + D2 3 words D2n-4 = An-3Bn-1 + An-2Bn-2 + An-1Bn-3 D2n-3 = An-2Bn-1 + An-1Bn-2 D0 C2n-1 C2n-2... Cn+1 Cn Cn-1 Cn-2... C1 C0 C 6
Classical Algorithm of Modular Reduction x m x 2n-1 x 2n-2 x 2n-3... xn-1... x 1 x 0 : m n-1 m n-2... m 0 x 2n-2 x 2n-3... x n-1... x 1 q n-1 m x 0 : q n-1 = x2n-1b+ x2n-2 mn-1 m n-1 mn-2... m0 q n-1 = qn-1 + ε ε = 0, 1, 2 x 2n-3... x n-1... x 1 x 0 q n-2 = x2n-2b+ x2n-3 mn-1 q n-2 = qn-2 + ε ε = 0, 1, 2....... x n-1... x1 x 0 Effect of the increase in the computer speed on the speed of encryption and decryption in RSA to keep the same security computer speed operand size encryption/decryption speed Decryption using Chinese Remainder Theorem M d = C mod C P = C mod P d P = d mod (P-1) C Q = C mod Q d Q = d mod (Q-1) d P d Q M P = CP mod P M Q = C Q mod Q where M = M P R Q + M Q R P mod R P = (P -1 mod Q) P = P Q-1 mod R Q = (Q -1 mod P) Q= Q P-1 mod 7
Let and Chinese Remainder Theorem = n 1 n 2 n 3... n M for any i, j gcd(n i, n j) = 1 Then, any number 0 A -1 can be represented uniquely by A (a 1 = A mod n 1, a 2 = A mod n 2,, a M = A mod n M) A can be reconstructed from (a 1, a 2,, a M) using equation A = M(a i i ( -1 i mod n i)) mod where i = = n i i=1 = n 1 n 2... n i-1 n i+1... n M Chinese Remainder Theorem for =P Q = P Q gcd(p, Q) = 1 M (M p = M mod P, M Q = M mod Q) M = M P P P -1 mod P + MQ Q Q -1 mod Q mod = M P Q ((Q -1 ) mod P) + M Q P ((P -1 ) mod Q) mod = = M P R Q + M Q R P mod Concealment of messages in the RSA cryptosystem Blakley, Borosh, 1979 There exist messages that are not changed by the RSA encryption! For example: M=1 C = 1 e mod = 1 M=0 C = 0 e mod = 0 M=-1-1 mod C = (-1) e mod = -1 Every M such that M P = M mod P {1, 0, -1} M Q = M mod Q {1, 0, -1} C P = C mod P = (M e mod ) mod P = M e mod P = M P e mod P = M P C Q = C mod Q = (M e mod ) mod Q = M e mod Q = M Qe mod Q = M Q 8
Concealment of messages in the RSA cryptosystem Blakley, Borosh, 1979 At least 9 messages not concealed by RSA! umber of messages not concealed by RSA: σ = (1 + gcd(e-1, P-1)) (1 + gcd(e-1, Q-1)) A. e=3 σ = 9 B. gcd(e-1, P-1) = 2 and gcd(e-1, Q-1) = 2 σ = 9 C. gcd(e-1, P-1) = P-1 and gcd(e-1, Q-1) = Q-1 σ = P Q= It is possible that all messages remain unconcealed by RSA! Optimal Assymetric Encryption Padding (1) Coding >168 bits 000000001 message SEED Bellare-Rogaway MASK(SEED) masked_message MASK(masked_message) masked_message masked_seed Optimal Assymetric Encryption Padding (2) Decoding Bellare-Rogaway masked_message masked_seed MASK(masked_message) SEED MASK(SEED) 000000001 message >168 bits 9