Kyuchol Kim
ABSTRACT
It is easy to increase the encryption speed by using small public exponent in RSA. In this case, private exponent is full sized (on the order of modulus) and so, most of calculation costs are allocated to decryption. Meanwhile, it is not easy to speed up decryption by reducing private parameters for the security problem. From this, many researches have been done to increase the decryption speed without compromising the security. This paper presents two new modified schemes for implementing the RSA public-key cryptosystem, with the goal of reducing or controlling the time for encryption and decryption, while attempting to maintain security. In other words, we proposed two variants of RSA designed to speed up decryption. Our first variant allows the cost of encryption and decryption to be balanced without modifying the prime generation. Second variant has the faster decryption than the other RSA variants (e.g., rebalanced RSA) with two balanced primes.
- M.Bellare, P.Rogaway, Optimal asymmetric encryption, EUROCRYPT’95, LNCS950 (1995), 92-111.Google Scholar
Cross Ref
- D.Bleichenbacher and A.May, New attacks on RSA with small secret CRT-exponents, In International Workshop on Public Key Cryptography (2006), 1-13.Google Scholar
- D.Boneh, Twenty Years Attacks on the RSA Cryptosystem, Notices of the American Mathematical Society 46 (1999) 203-213.Google Scholar
- D.Boneh, G.Durfee, Cryptanalysis of RSA with Private Key d less than N0.292, IEEE Transactions on Information Theory 46(4) (2000) 1339-1349.Google ScholarDigital Library
- D.Boneh , H.Shacham., Fast variants of RSA, CryptoBytes (The Technical Newsletter of RSA Laboratories)5(1) (2002) 1–9.Google Scholar
- D.Coppersmith, Small solutions to polynomial equations and low exponent RSA vulnerabilities, Journal of Cryptology, 10(4) (1997), 233-260.Google ScholarDigital Library
- S.D.Galbraith, C.Heneghan, J.F.McKee, Tunable balancing of RSA, ACISP 3574(2005), 280-292.Google Scholar
- D.Hankerson, A.Menezes, S.Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag, 2004, pp.98, 109-113Google Scholar
- M.J.Hinek , Cryptanalysis of RSA and its variants, CRC Press ,2010, pp. 23-27,139-155.Google Scholar
- E. Jochemsz, A. May, A Strategy for finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants, ASIACRYPT2006(LNCS4284) (2006), 267-282.Google ScholarDigital Library
- E. Jochemsz, A. May, A polynomial time attack on RSA with private CRT-exponents smaller than N0.073, In A. Menezes, editor, volume 4622 of Lecture Notes in Computer Science, Springer, 2007, 395-411.Google Scholar
- A.May, Cryptanalysis of unbalanced RSA with small CRT–exponent, CRYPTO2002, LNCS2442 (2002), 242–256.Google Scholar
- A.Menezes , P.van Orschot , S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 617-618.Google Scholar
- A.Nitaj, M.O.Douh, A new attack on RSA with a composed decryption exponent, Cryptology ePrint Archive, Report 2014/035, 2014. http://eprint.iacr.org/.Google Scholar
- L.Peng, Y.Lu, S.Sakar, J.Xu, Z.Huang, Cryptanalysis of variants of RSA with multiple small secret exponents, INDOCRYPT2015, LNCS9462 (2015), 105-123Google Scholar
- L.Peng, A.Takayasu, Generalized cryptanalysis of small CRT-exponent RSA, Theoretical Computer Science, 795(2019), 432-458Google ScholarDigital Library
- J. J. Quisquater , C. Couvreur, Fast Decipherment Algorithm for RSA Public-Key Cryptosystem, IEEE Electronics Letters 18(1982) 905-907.Google ScholarCross Ref
- R.L. Rivest, A. Shamir, L. Adleman , A method for obtaining digital signatures and public – key cryptosystems, Communications of ACM 21(2)( 1978) 120-126.Google ScholarDigital Library
- S.Sakar, Small secret exponent attack on RSA variant with modulus N=prq, Designs Codes and Cryptography, 73(2) (2014), 130-159Google Scholar
- S.Sakar, Revisiting prime power RSA, Discrete Applied Mathematics, 203 (2016), 127-133Google ScholarDigital Library
- N.Shinohara, T.Izu, N.Kunihiro, Small secrete CRT-exponent attacks on Takagi's RSA, IEICE Transactions 94-A(1) (2011), 19-27Google Scholar
- H.M. Sun, M.E. Wu, An Approach Towards Rebalanced RSA-CRT with Short Public Exponent, Cryptology ePrint Archive, Report 2005/053, 2005. http://eprint.iacr.org/.Google Scholar
- H.M.Sun, M.E.Wu, M.J.Hinek, Trading decryption for speeding encryption in Rebalanced-RSA, The Journal of Systems and Software 82 (2009), 1503-1512.Google ScholarDigital Library
- A.Takayasu, N.Kunihiro, Cryptoanalysis of RSA with multiple small secret exponents, ACISP2014, LNCS8544 (2014), 176-191Google Scholar
- A.Takayasu, N.Kunihiro, How to generalize RSA cryptanalyses, PKC2016, LNCS 9615(2016), 67-97Google ScholarDigital Library
- A.Takayasu, Y.Lu, L.Peng, Small CRT-exponent RSA revisited, EUROCRYPT2017, LNCS10211 (2017), 130-159Google Scholar
- A.Takayasu, Y.Lu, L.Peng, Small CRT-exponent RSA revisited, Journal of Cryptology, 32(4) (2019), 1337-1382 (full version of [26])Google ScholarDigital Library
- E.Verheul, H.van Tilborg, Cryptanalysis of less short RSA secret exponents, Applicable Algebra in Engineering, Communication and Computing 8 (1997) 425-435.Google Scholar
- H.Wiener, Cryptanalysis of Short RSA Secret Exponents, IEEE Transactions on Information Theory 36(3) (1990) 553-558.Google ScholarDigital Library
Index Terms
- Decryption speed up of RSA by pre-calculation
Recommendations
Trading decryption for speeding encryption in Rebalanced-RSA
In 1982, Quisquater and Couvreur proposed an RSA variant, called RSA-CRT, based on the Chinese Remainder Theorem to speed up RSA decryption. In 1990, Wiener suggested another RSA variant, called Rebalanced-RSA, which further speeds up RSA decryption by ...
Dual RSA and Its Security Analysis
We present new variants of an RSA whose key generation algorithms output two distinct RSA key pairs having the same public and private exponents. This family of variants, called dual RSA, can be used in scenarios that require two instances of RSA with ...
RSA-OAEP Is Secure under the RSA Assumption
Recently Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor ...
Comments