Improvements to RSA Key Generation and CRT on Embedded Devices

Abstract

RSA key generation requires devices to generate large prime numbers. The naïve approach is to generate candidates at random, and then test each one for (probable) primality. However, it is faster to use a sieve method, where the candidates are chosen so as not to be divisible by a list of small prime numbers \(\{p_i\}\).

Sieve methods can be somewhat complex and time-consuming, at least by the standards of embedded and hardware implementations, and they can be tricky to defend against side-channel analysis. Here we describe an improvement on Joye et al.’s sieve based on the Chinese Remainder Theorem (CRT). We also describe a new sieve method using quadratic residuosity which is simpler and faster than previously known methods, and which can produce values in desired RSA parameter ranges such as \((2^{n-1/2}, 2^n)\) with minimal additional work. The same methods can be used to generate strong primes and DSA moduli.

We also demonstrate a technique for RSA private key operations using the Chinese Remainder Theorem (RSA-CRT) without \(q^{-1}\) mod p. This technique also leads to inversion-free batch RSA and inversion-free RSA mod \(p^k q\).

We demonstrate how an embedded device can use our key generation and RSA-CRT techniques to perform RSA efficiently without storing the private key itself: only a symmetric seed and one or two short hints are required.

Appendices

A Proof of Theorem 1

We prove this theorem in the extended version, at https://eprint.iacr.org/2020/1507.

B Minimizing u

We say that u is “valid” mod M if \(\left( \frac{-u}{p}\right) = -1\) for all primes p|M. If M’s factorization is known, then it is easy to find a valid \(u_p\) modulo each p|M (e.g. by checking the Jacobi symbol \(\left( \frac{-u_p}{p}\right) \) until a valid \(u_p\) is found), and to combine them using the Chinese Remainder Theorem. But what is the minimum valid u? Using a smaller u could allow the same u to be used for several values of M, or could reduce memory usage and compute time, but mostly it is a mathematically interesting question. For simplicity, we assume here that M is square-free.

If there are n primes dividing M, then a random element of \((\mathbb {Z}/M)^*\) is valid with probability \(2^{-n}\), so we expect the minimum valid u to be around \(u_\text {minexp} := 2^n\cdot M/\phi (M)\). A brute-force strategy would require about \(u_\text {minexp}\) work, which is infeasible past the first 50 primes or so. But this work can be reduced somewhat, particularly if we settle for a small but not minimal u.

1.1 B.1 Sparse Solutions to Linear Equations

The most effective method we found was to search for valid u of the form \(u = q_1\cdot q_2 \cdots q_m\) where the \(q_i\)’s are in some set Q. The validity criterion is that:

$$\begin{aligned} \text {for each prime}\ p|M,\ \ \left( \frac{-u}{p}\right) = \left( \frac{-1}{p}\right) \cdot \left( \frac{q_1}{p}\right) \cdots \left( \frac{q_m}{p}\right) \end{aligned}$$

(2)

If each \(q_i\) is coprime to M, then the Jacobi symbols are all either \(-1\) or 1; mapping these to 1 and 0 respectively translates the validity criterion to a system of affine equations over \(\mathbb {F} _2\). This allows us to solve for u with xor-list or sparse solution techniques, such as:

• A birthday attack or stronger collision technique [VOW99] for \(m=2\) and Q a large set (e.g. \(|Q|\approx 2^{32}\)).

• Wagner’s xor-list algorithm [Wag02] for m small and Q a large set.

• Information set decoding for large m and a relatively small set Q (e.g. the first 1000 primes not dividing M).

Using a birthday attack, we discovered that the 59-bit value

$$u = \texttt {0x4b0555d761f3f52}$$

is valid mod the 383-bit product of the first 59 odd primes. We also used Wagner’s algorithm to search for u a product of four 32-bit odd numbers, requiring it to be valid mod at least the first 72 odd primes. We ran the algorithm for a day on a 64-core Amazon EC2 Graviton2 instance, producing some 5 million results. Notably,

$$u=\texttt {0xe3b0f73b0050ab294417001ad1e63d}$$

is valid mod the 729-bit product of the first 99 odd primes. Our search was tuned to find u relatively close to \(u_\text {minexp}\); tuning it differently would have been faster or found valid u mod more primes, but the resulting u would be significantly larger.

It isn’t necessary to choose M before u. One could start with a small u which is valid mod the first several primes, and then choose further primes p|M so that u is valid. This sacrifices some performance, because discarding small primes reduces \(M/\phi (M)\). Our search using Wagner’s algorithm found that

$$u = \texttt {0x23e9ee9bd621b0b248e8b59a4c80bb55}$$

performs well across a range of bit sizes, losing about 0.5% of performance compared to an unconstrained (M, u) at 1024 bits and 3% at 2048 bits.

The quality of results from Wagner’s algorithm should fall off exponentially with the number of primes dividing M, because at each step the algorithm multiplies two intermediate values to produce another intermediate that solves b more equations, for some block size b. So while it performs well for the first 100 primes, ISD appears to perform better for the first 400 primes.

1.2 B.2 Multiple u

Instead of using linear equations to search for a single u, we could choose a few small u such that at least one of them is valid for every p|M. For example, for each of the first 133 odd primes, at least one of \(u\in U := \{1,2,5,19\}\) is valid. We could factor M into \(\prod _{u\in U} M_u\) such that u is valid mod the corresponding \(M_u\). Then we could sample values \(x_u\mathop {{\mathop {\leftarrow }\limits ^{\$}}}(\mathbb {Z}/M_u)^*\) and combine them as in Sect. 2.2.

1.3 B.3 Quadratic Minimization

Two other techniques are based on finding small values of quadratic functions over the integers. One is to factor M as \(M_1\cdot M_3\) where \(M_1\) contains the 1-mod-4 factors and \(M_3\) contains the 3-mod-4 factors of M. Valid u are of the form \(u\equiv x^2\mod M_3\) for some x coprime to \(M_3\). We may plug in \(x = \lfloor \sqrt{k M_3}\rfloor + \ell \) for small positive integers \(k,\ell \) as a more efficient brute force technique. This technique gives many candidate values of u which are around \(\sqrt{M_3}\approx \root 4 \of {M}\), but it still takes exponential time as M increases.

The second approach is to choose small, coprime, square-free positive integers \((\alpha ,\beta )\), and then partition M as \(M_0\cdot M_1\), such that

$$u = \alpha M_0 - \beta M_1$$

is valid. This will be true if:

1. 1.

   For all primes p|M, if \(p|\alpha \) then \(p| M_0\) and likewise if \(p|\beta \) then \(p| M_1\).

2. 2.

   For all other primes \(p|M_0\), \(\left( \frac{\beta }{p}\right) \cdot \prod _{q|M_1}\left( \frac{q}{p}\right) = -1\) and vice versa.

These equations are actually affine: switching a prime p from \(M_0\) to \(M_1\) or back has the same effect on all the equations regardless of where the other primes are assigned. They can therefore be solved efficiently for a given \((\alpha ,\beta )\) with probability about \((1-\frac{1}{2})\cdot (1-\frac{1}{4})\cdots \approx 0.29\).

To further reduce u, we make two improvements. First, we extend the equation to \(u = \alpha M_0 x^2 - \beta M_1 y^2\) where x is coprime to \(\beta M_1 y^2\) and vice versa. By setting x/y as convergents to \(\sqrt{\beta M_1 / (\alpha M_0)}\), we can find many valid values of \(u\approx \sqrt{\alpha \cdot \beta \cdot M_0\cdot M_1}\). Furthermore, we don’t need to set \(M = M_0\cdot M_1\) exactly: it suffices to instead choose \(M_2|M\) upfront and set \(M = M_0\cdot M_1\cdot M_2\). This method produces many u which are valid mod \(M_0\cdot M_1\), and we can continue until by chance we find one which is also valid mod \(M_2\). Overall, this approach finds u which are slightly smaller than \(\sqrt{M}\), as does ISD, but ISD seems to work better in practice.