## Fast Variants of RSA (2002)

Venue: | CryptoBytes |

Citations: | 16 - 1 self |

### BibTeX

@ARTICLE{Boneh02fastvariants,

author = {Dan Boneh and Hovav Shacham},

title = {Fast Variants of RSA},

journal = {CryptoBytes},

year = {2002},

volume = {5},

pages = {1--9}

}

### OpenURL

### Abstract

We survey four variants of RSA designed to speed up RSA decryption and signing. We only consider variants that are backwards compatible in the sense that a system using one of these variants can interoperate with systems using standard RSA.

### Citations

2949 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...yption and signing. We only consider variants that are backwards compatible in the sense that a system using one of these variants can interoperate with systems using standard RSA. 1 Introduction RSA =-=[12]-=- is the most widely deployed public key cryptosystem. It is used for securing web trac, e-mail, and some wireless devices. Since RSA is based on arithmetic modulo large numbers it can be slow in const... |

2500 | Handbook of Applied cryptography
- Menezes, Oorschot, et al.
- 1996
(Show Context)
Citation Context ... All the RSA variants we discuss apply equally well to digital signatures, where they speed up RSA signing. 1 1.1 Review of the basic RSA system We review the basic RSA public key system and refer to =-=[10]-=- for more information. We describe three constituent algorithms: key generation, encryption, and decryption. Key generation: The key generation algorithm takes a security parameter n as input. Through... |

915 | A course in computational algebraic number theory - Cohen - 1993 |

242 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
(Show Context)
Citation Context ...yption: To encrypt a message X using an RSA public key hN; ei, onesrst formats the bitstringsX to obtain an integer M in ZN = f0; : : : ; N 1g. This formatting is often done using the PKCS#1 standard =-=[1, 9]-=-. The ciphertext is then computed as CsM e mod N . (Other methods for formatting X prior to encryption are described elsewhere in this issue.) Decryption: To decrypt a ciphertext C the decrypter uses ... |

141 | Cryptanalysis of short RSA secret exponents
- Wiener
- 1990
(Show Context)
Citation Context ...ng up RSA decryption: Batch RSA [8]: do a number of RSA decryptions for approximately the cost of one. Multi-factor RSA [7, 14]: use a a modulus of the form N = pqr or N = p 2 q. Rebalanced RSA [16=-=]-=-: speed up RSA decryption by shifting most of the work to the encrypter. The security of these variants is an open research problem. We cannot show that an attack on these variants would imply an atta... |

129 | Twenty years of attacks on the RSA cryptosystem
- Boneh
- 1999
(Show Context)
Citation Context ...A that enables us to rebalance the diculty of encryption and decryption: we speed up RSA decryption by shifting the work to the encrypter. This variant is based on a proposal by Wiener [16] (see also =-=[2]-=-). Note that we cannot simply speedup RSA decryption by using a small value of d since as soon as d is less than N 0:292 RSA is insecure [16, 3]. The trick is to choose d such that d is large (on the ... |

116 | Cryptanalysis of RSA with private key d less than N0.292
- Boneh, Durfee
(Show Context)
Citation Context ...operation from the encryption algorithm is then reversed to obtain the original bit-string X from M . Note that d must be a large number (on the order of N) since otherwise the RSA system is insecure =-=[3, 16]-=-. It is standard practice to employ the Chinese Remainder Theorem (CRT) for RSA decryption. Rather than compute MsC d (mod N ), one evaluates: M psC dp p (mod p) M qsC dq q (mod q) Here d p = d mod p ... |

40 |
Factoring N = p r q for large r
- Boneh, Durfee, et al.
- 1999
(Show Context)
Citation Context ...ilities of ECM (and the ECM improvement for N = p 2 q [11]). Consequently, for 1024-bit moduli one can use at most b = 3, i.e., N = p 2 q. In addition, we note that the Lattice Factoring Method (LFM) =-=[4-=-], designed to factor integers of the form N = p u q for large u, cannot eciently factor integers of the form N = p 2 q when N is 1024 bits long. 6 4 Rebalanced RSA In standard RSA, encryption and si... |

32 | Factorization of a 512-bit RSA Modulus
- Cavallar, Dodson, et al.
- 2000
(Show Context)
Citation Context ...h is analyzed in [15]. Currently, 256-bit prime factors are considered within the bounds of ECM, since the work tosnd such factors is within range of the work needed for the RSA-512 factoring project =-=[5]-=-. Consequently, for 1024-bit moduli one should not use more than three factors. 5 3.2 Multi-power RSA: N = p 2 q One can further speed up RSA decryption using a modulus of the form N = p b 1 q where p... |

32 | Batch RSA
- Fiat
- 1997
(Show Context)
Citation Context ...ble to respond to a certicate request for a variant-RSA public key. We begin the paper with a brief review of RSA. We then describe the following variants for speeding up RSA decryption: Batch RSA [8]: do a number of RSA decryptions for approximately the cost of one. Multi-factor RSA [7, 14]: use a a modulus of the form N = pqr or N = p 2 q. Rebalanced RSA [16]: speed up RSA decryption by shif... |

20 | Improving SSL handshake performance via batching
- Shacham, Boneh
(Show Context)
Citation Context ...ires 2b modular inversions, but fewer auxiliary multiplications. Note that since b and the e i 's are small the exponents in Equation (2) are also small. 2.1 Improving the performance of batch RSA In =-=[13]-=- the authors show how to use batch RSA within the Apache web server to improve the performance of the SSL handshake. This requires changing the web server architecture. They also describe several natu... |

20 |
Fast RSA-type cryptosystem modulo p k q
- Takagi
- 1998
(Show Context)
Citation Context ...th a brief review of RSA. We then describe the following variants for speeding up RSA decryption: Batch RSA [8]: do a number of RSA decryptions for approximately the cost of one. Multi-factor RSA [7=-=, 14-=-]: use a a modulus of the form N = pqr or N = p 2 q. Rebalanced RSA [16]: speed up RSA decryption by shifting most of the work to the encrypter. The security of these variants is an open research pro... |

18 | Faster factoring of integers of a special form
- Peralta, Okamoto
- 1996
(Show Context)
Citation Context ... factoring integers of the form N = p b 1 q. As for multi-prime RSA, one has to make sure that the prime factors of N do not fall within the capabilities of ECM (and the ECM improvement for N = p 2 q =-=[11-=-]). Consequently, for 1024-bit moduli one can use at most b = 3, i.e., N = p 2 q. In addition, we note that the Lattice Factoring Method (LFM) [4], designed to factor integers of the form N = p u q f... |

13 |
Wagstaff,“A practical analysis of the elliptic curve factoring algorithm
- Silverman, S
- 1993
(Show Context)
Citation Context ... cannot take advantage of this special structure of N . However, one has to make sure that the prime factors of N do not fall within the range of the Elliptic Curve Method (ECM), which is analyzed in =-=[15]-=-. Currently, 256-bit prime factors are considered within the bounds of ECM, since the work tosnd such factors is within range of the work needed for the RSA-512 factoring project [5]. Consequently, fo... |

2 |
Public Key Cryptography Standards (PKCS), number 1
- Labs
(Show Context)
Citation Context ...yption: To encrypt a message X using an RSA public key hN; ei, onesrst formats the bitstringsX to obtain an integer M in ZN = f0; : : : ; N 1g. This formatting is often done using the PKCS#1 standard =-=[1, 9]-=-. The ciphertext is then computed as CsM e mod N . (Other methods for formatting X prior to encryption are described elsewhere in this issue.) Decryption: To decrypt a ciphertext C the decrypter uses ... |