Introduction to Modern Cryptography, Lecture 10 Performance Improvements: Fast Arithmetic, Montegomery representation, Batch RSA, Elliptic Curves

RSA RSA security 2 k : require n bit modulus = k 2 bits RSA Signature generation/decryption: time O(n 3 ) = O(k 6 ) for k bits of security (Simple arithmetic operations) RSA Signature verification/encryption: time O(n 2 ) = O(k 4 ) for an n bit modulus (Simple arithmetic operations)

Fiat-Shamir For k bits of security, modulus must be O(k 2 ) bits in length m (or t) must be at least k, Signature generation: O(n 2 k)=O(k 5 ) Signature verification O(n 2 k) = O(k 5 )

“ Improving Fiat-Shamir ” Let the public key be only small primes 2, 3, 5, (if quadratic residue) This means that verification now takes time equal to a constant number of full length multiplications (O(n 2 ) = O(k 4 ))

Using fast arithmetic If multiplication/division of n bit integers only takes time n log n then we have oRSA signature (decryption): O(n 2 log n) = O(k 4 log k) oFiat-Shamir signature: O(n log(n) k) = O(k 3 log k) oRSA / Fiat-Shamir verification: O(n log n) = O(k 2 log k)

Can we do better? Can we do signature generation in less than k operations, say O(log(k)) operations? –Argument (false) if these operations are on public data then no, it would be easy to break the scheme by guessing what these operations are.

The trick Combine lots of private operations together Amortize the cost per private operation

Batch RSA An RSA variant: –When I send a signed message to Alice, I use one of the roots 3, 5, 7, …, 997 or , ?, ??, …, ??? (all primes in the range) Thus, to sign m 1 and m 2 I could extract the 3 rd root of hash(m 1 ) and the 5 th root of hash(m 2 )

Batch RSA The only expensive operation

What is going on? Can this always be done? Yes (on Blackboard) Cost per private operation is now down to O(log n) = O(log k) mutiplications/divisions, i.e., O(k 2 log k) operations per private operation