I. Fast Variants of RSA

Author

  • Dan Boneh

Abstract

We survey four variants of RSA designed to speed up RSA [12] decryption and signing. We only consider variants that are backwards compatible in the sense that a system using one of these variants can interoperate with systems using standard RSA.

RSA Laboratories Cryptobytes Volume 5, No.1 — Winter/Spring 2002 RSA Security Inc.

Editor's Note

After a hiatus of over two years, RSA Laboratories is pleased to resume publication of its newsletter. CryptoBytes aims to present timely research articles and surveys written by leading specialists on selected topics in cryptography and data security. Ranging from the highly accessible to the broadly technical, the articles in CryptoBytes present information in an easily digestible form to a wide audience consisting of specialists and non-specialists from industry and academia. To software engineers, students, IT professionals, scientists, and the many other members of our readership, welcome back!

This year marks the 25th anniversary of the invention of the RSA algorithm at M.I.T. by Profs. Rivest, Shamir, and Adleman. We are devoting this, the Winter/Spring 2002 issue of CryptoBytes, to a commemorative exploration of current research on RSA. The most widespread current use of the RSA algorithm is in the Secure Sockets Layer (SSL) protocol for data protection on the Internet. In the first article in this issue, Dan Boneh and Hovav Shacham discuss several backwards compatible variants of RSA that speed up RSA decryption and signing. From David Pointcheval, we have a survey article guiding the reader through the labyrinthine evolution of RSA-OAEP and related schemes, all of which seek to provide rigorously provable security guarantees to RSA encryption. Finally, Pascal Paillier writes about a new encryption scheme of his devising that makes use of an RSA modulus, i.e., the product of two primes, as its basis, but possesses very different properties. The Paillier encryption scheme is especially attractive, for instance, for the design of electronic voting schemes.

As always, the input of our readers is important to the future success of CryptoBytes. We welcome comments, opinions, and proposals for future articles. The CryptoBytes editor may be contacted at cryptobytes [email protected].

1. INTRODUCTION

RSA is the most widely deployed public key cryptosystem. It is used for securing web traffic, e-mail, and some wireless devices. Since RSA is based on arithmetic modulo large numbers it can be slow in constrained environments. For example, 1024-bit RSA decryption on a small handheld device such as the PalmPilot III can take as long as 30 seconds. Similarly, on a heavily loaded web server, RSA decryption significantly reduces the number of SSL requests per second that the server can handle. Typically, one improves RSA’s performance using special-purpose hardware. Current RSA coprocessors can perform as many as 10,000 RSA decryptions per second (using a 1024-bit modulus) and even faster processors are coming out.

In this paper we survey four simple variants of RSA that are designed to speed up RSA decryption in software. We emphasize backwards compatibility: a system using one of these variants for fast RSA decryption should be able to interoperate with systems that are built for standard RSA. Moreover, existing Certificate Authorities must be able to respond to a certificate request for a variant-RSA public key.

We begin the paper with a brief review of RSA. We then describe the following variants for speeding up RSA decryption:

  • Batch RSA [8]: do a number of RSA decryptions for approximately the cost of one.
  • Multi-factor RSA [7, 14]: use a modulus of the form $N = pqr$ or $N = p^2 q$.
  • Rebalanced RSA [16]: speed up RSA decryption by shifting most of the work to the encrypter.

The security of these variants is an open research problem. We cannot show that an attack on these variants would imply an attack on the standardized version of RSA (as described, e.g., in ANSI X9.31). Therefore, when using these variants, one can only rely on the fact that so far none of them has been shown to be weak.

The RSA trapdoor permutation is used for both public key encryption and digital signatures. Since the exact application of RSA is orthogonal to the discussion in this paper we use terminology consistent with the application to public key encryption. All the RSA variants we discuss apply equally well to digital signatures, where they speed up RSA signing.

1.1 Review of the basic RSA system

We review the basic RSA public key system and refer to [10] for more information. We describe three constituent algorithms: key generation, encryption, and decryption.

Key generation: The key generation algorithm takes a security parameter $n$ as input. Throughout the paper we use $n = 1024$ as the standard security parameter. The algorithm generates two $(n/2)$-bit primes, $p$ and $q$, and sets $N \leftarrow pq$. Next, it picks some small value $e$ that is relatively prime to $\varphi(N) = (p-1)(q-1)$. The value $e$ is called the encryption exponent, and is usually chosen as $e = 65537$. The RSA public key consists of the two integers $\langle N, e \rangle$. The RSA private key is an integer $d$ satisfying $e \cdot d = 1 \bmod \varphi(N)$. Typically, one sends the public key $\langle N, e \rangle$ to a certificate authority (CA) to obtain a certificate for it.

Encryption: To encrypt a message $X$ using an RSA public key $\langle N, e \rangle$, one first formats the bit-string $X$ to obtain an integer $M$ in $\mathbb{Z}_N = \{0, \ldots, N-1\}$. This formatting is often done using the PKCS #1 standard [1, 9]. The ciphertext is then computed as $C \leftarrow M^e \bmod N$. (Other methods for formatting $X$ prior to encryption are described elsewhere in this issue.)

Decryption: To decrypt a ciphertext $C$ the decrypter uses its private key $d$ to compute an $e$’th root of $C$ by computing $M \leftarrow C^d \bmod N$. Since both $d$ and $N$ are large numbers (each approximately $n$ bits long) this is a lengthy computation for the decrypter. The formatting operation from the encryption algorithm is then reversed to obtain the original bit-string $X$ from $M$. Note that $d$ must be a large number (on the order of $N$) since otherwise the RSA system is insecure [3, 16].

It is standard practice to employ the Chinese Remainder Theorem (CRT) for RSA decryption. Rather than compute $M \leftarrow C^d \pmod{N}$, one evaluates:

$M_p \leftarrow C_p^{d_p} \pmod{p}$
$M_q \leftarrow C_q^{d_q} \pmod{q}$

Here $d_p = d \bmod (p-1)$ and $d_q = d \bmod (q-1)$. Then one uses the CRT to calculate $M$ from $M_p$ and $M_q$. This is approximately four times as fast as evaluating $C^d \bmod N$ directly [10, p. 613].
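The CRT decryption described above, as an added example that is not code from the paper. It generalizes the two-prime case to any list of distinct primes, which also covers the multi-factor modulus N = pqr mentioned earlier. The function names, the toy Mersenne primes, the unpadded message and the final re-encryption check are assumptions made for this illustration.

```python
from math import prod

E = 65537  # encryption exponent the page names as the usual choice

# Constructed toy key material: Mersenne primes, far too small for real use.
P, Q, R = 2**89 - 1, 2**107 - 1, 2**127 - 1


def private_exponent(primes, e=E):
    """d with e*d = 1 mod phi(N), where phi(N) = prod(p_i - 1)."""
    return pow(e, -1, prod(p - 1 for p in primes))


def crt_decrypt(c, primes, d, e=E):
    """Compute M = C^d mod N from one short exponentiation per prime."""
    # Per-prime step: M_p = C_p^{d_p} mod p, C_p = C mod p, d_p = d mod (p-1).
    residues = [pow(c % p, d % (p - 1), p) for p in primes]
    # Garner recombination: lift the residues to the unique M in Z_N.
    m, modulus = residues[0], primes[0]
    for m_i, p in zip(residues[1:], primes[1:]):
        h = (m_i - m) * pow(modulus, -1, p) % p
        m += modulus * h
        modulus *= p
    # Re-encrypt before releasing M, so a corrupted partial result is caught.
    if pow(m, e, modulus) != c % modulus:
        raise ValueError("CRT result failed the M^e = C consistency check")
    return m


def roundtrip(primes, message=b"constructed test message"):
    """Encrypt an unpadded toy message, decrypt both ways, return all three."""
    n, d = prod(primes), private_exponent(primes)
    m = int.from_bytes(message, "big")
    assert m < n
    c = pow(m, E, n)
    return m, pow(c, d, n), crt_decrypt(c, primes, d)


if __name__ == "__main__":
    for primes in ([P, Q], [P, Q, R]):
        m, direct, via_crt = roundtrip(primes)
        print(len(primes), "primes:", m == direct == via_crt)
```

Each per-prime exponentiation works with a modulus and exponent roughly half the size (a third, for three primes) of those in the direct computation, which is where the speed-up comes from.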


Similar resources

Fast Variants of RSA

We survey four variants of RSA designed to speed up RSA decryption and signing. We only consider variants that are backwards compatible in the sense that a system using one of these variants can interoperate with systems using standard RSA.


Short Private Exponent Attacks on Fast Variants of RSA

In this report, we study the adaptation of existing attacks on short private exponent on fast variants of the well-known RSA public-key cryptosystem, namely the RSA Multiprime and the Takagi family cryptosystems. The first one consists in a variant whose modulus is made up with strictly more than two primes, which permits to quickly decipher or sign using the Chinese Remainder Theorem. The seco...


On the Efficiency of Fast RSA Variants in Modern Mobile Phones

Modern mobile phones are increasingly being used for more services that require modern security mechanisms such as the public-key cryptosystem RSA. It is, however, well-known that public-key cryptography demands considerable computing resources and that RSA encryption is much faster than RSA decryption. It is consequently an interesting question if RSA as a whole can be executed efficiently on ...


Design of Rebalanced RSA-CRT for Fast Encryption

Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speed up RSA decryption. Then, Wiener suggested another RSA variant, Rebalanced RSA-CRT, to further accelerate RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach makes RSA encryption very time-consuming because the public exponent e in Rebalanced RS...


Common modulus attacks on small private exponent RSA and some fast variants (in practice)

In this work we re-examine two common modulus attacks on RSA. First, we show that Guo’s continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus N and private exponents each smaller than N the attack can factor the modulus about 93% of the time in practice. The success rate of the attack can be increased up to almost 10...



Publication date: 2002