Compressing RSA/Rabin keys

D. J. Bernstein

Thanks to:
University of Illinois at Chicago
NSF CCR–9983950
Alfred P. Sloan Foundation
American Institute of Mathematics

Public keys

Each user publishes a key in $\{2^{2047}+1, \ldots, 2^{2048}-1\}$.
User knows prime factors of .
Hopefully attacker doesn’t.

RSA: also publish big exponent ; use primes allowing th roots.
Rabin: always use exponent 2; use primes in $3 + 4\mathbf{Z}$.
Williams: $3 + 8\mathbf{Z}$ and $7 + 8\mathbf{Z}$.
Many subsequent variants; e.g., “RSA” using exponent 3, and “RSA” using exponent 65537.
The compression question

Can store in 2048 bits.
Can store 1 2 randomly accessible, in 2048 bits.

Can we use fewer bits?

Knee-jerk answer: “No! If you can’t afford 2048 bits, switch to 256-bit elliptic curves. http://cr.yp.to/ecdh.html ”

But elliptic-curve signatures have slow verification.
Want a better answer.
Recognizing lower entropy

$2^{2047}, \ldots, 2^{2048}-1$ so has top bit 1.
Don’t store that bit.

With Rabin-Williams: $5 + 8\mathbf{Z}$.
Don’t store bottom 3 bits.

Better: Users never generate divisible by 3, 5, 7 or 11, so only 480 possibilities for mod 9240.
Replace bottom 13 bits with 9-bit encoding of mod 9240.
Have reduced 2048 to 2043. Can we do much better?

Knee-jerk answer: “No! C’mon, you know you want to switch to elliptic curves.”

e.g. User generates = from independent uniform random $\{2^{1023}, \ldots, 2^{1024}-1\}$, $\{2^{1024}, \ldots, 2^{1025}-1\}$:
$1/(1025 \log 2)$ chance of prime,
$1/(1026 \log 2)$ chance of prime,
$1/8$ chance of 3, $7 + 8\mathbf{Z}$,
$2 \log 2 - 1$ chance of $2^{2048}$,
so $2^{2023}$ equally likely ’s.
Reducing entropy

Define ( ) = 500th bit of , ( ) = with 500th bit omitted.

Change key-generation procedure to produce keys with ( ) = 0.
Then can encode as ( ), saving one bit; also save top/bottom bits as before.

Brute-force key generation: generate by the old method; if ( ) = 1, try again.
Conjecturally this takes almost exactly 2 tries on average; confirmed by experiment.
More generally, select functions : 2048-bit strings -bit strings and : 2048-bit strings (2048 )-bit strings with invertible.

Change key-generation procedure to produce keys with ( ) = 0.
Then can encode as ( ), saving bits.

Is easy to compute and easy to invert? Yes for the functions we’ll consider.
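An added example, not part of the original slides: a Python sketch that combines the savings described under "Recognizing lower entropy" and "Reducing entropy" (top bit, 500th bit, and the 9-bit index for the value mod 9240) and decodes the result again. The names n, p, q and all function names are assumptions, as are numbering bits from 0 at the least significant end and recovering the low 13 bits from the stored residue, which is unique because 2^13 < 9240.

```python
import math, secrets

M = 9240  # 8 * 3 * 5 * 7 * 11
# The 480 values of n mod 9240 for n in 5 + 8Z with no factor 3, 5, 7 or 11.
RESIDUES = [r for r in range(M) if r % 8 == 5 and math.gcd(r, 1155) == 1]
INDEX = {r: i for i, r in enumerate(RESIDUES)}

def usable_prime(m, rounds=32):
    """Miller-Rabin; rejects everything below 13 or sharing a factor with 2310."""
    if m < 13 or math.gcd(m, 2310) != 1:
        return False
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(m - 3) + 2, d, m)
        if x not in (1, m - 1) and all(
                pow(x, 1 << j, m) != m - 1 for j in range(1, s)):
            return False
    return True

def random_prime(lo, residue):
    """Random prime in [lo, 2*lo) lying in residue + 8Z (lo a power of 2)."""
    while True:
        c = lo + 8 * secrets.randbelow(lo // 8) + residue
        if usable_prime(c):
            return c

def keygen(bits=2048, drop=500):
    """Old method, retried until n < 2**bits and bit `drop` of n is 0."""
    while True:
        p = random_prime(1 << (bits // 2 - 1), 3)
        q = random_prime(1 << (bits // 2), 7)
        if p * q < 1 << bits and not (p * q >> drop) & 1:
            return p * q, p, q

def encode(n, bits=2048, drop=500):
    """Drop top bit and bit `drop`; swap low 13 bits for a 9-bit index."""
    k, t = drop - 13, (n >> 13) - (1 << (bits - 14))
    t = (t >> (k + 1) << k) | (t & ((1 << k) - 1))
    return (t << 9) | INDEX[n % M]  # fits in bits - 6 bits

def decode(c, bits=2048, drop=500):
    k, t = drop - 13, c >> 9
    t = (t >> k << (k + 1)) | (t & ((1 << k) - 1)) | (1 << (bits - 14))
    low = (RESIDUES[c & 511] - (t << 13)) % M  # only value < 2**13 that fits
    return (t << 13) | low
```
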