Introduction to Modern Cryptography, Lecture 10

About This Presentation

Title:

Description:

Number of Views:39

Avg rating:3.0/5.0

Slides: 11

Provided by: fiat

Category:

Tags: cryptography | introduction | lecture | modern | signature

Transcript and Presenter's Notes

Title: Introduction to Modern Cryptography, Lecture 10

1
Introduction to Modern Cryptography, Lecture 10

2
RSA

RSA security 2k require n bit modulus k2 bits
RSA Signature generation/decryption time O(n3)
O(k6) for k bits of security (Simple arithmetic
operations)
RSA Signature verification/encryption time O(n2)
O(k4) for an n bit modulus (Simple arithmetic
operations)

3
Fiat-Shamir

4
Improving Fiat-Shamir

Let the public key be only small primes 2, 3, 5,
(if quadratic residue)
This means that verification now takes time equal
to a constant number of full length
multiplications (O(n2) O(k4))

5
Using fast arithmetic

If multiplication/division of n bit integers only
takes time n log n then we have
RSA signature (decryption) O(n2 log n) O(k4
log k)
Fiat-Shamir signature O(n log(n) k) O(k3 log
k)
RSA / Fiat-Shamir verification O(n log n) O(k2
log k)

6
Can we do better?

Can we do signature generation in less than k
operations, say O(log(k)) operations?
Argument (false) if these operations are on
public data then no, it would be easy to break
the scheme by guessing what these operations are.

7
The trick

8
Batch RSA

An RSA variant
When I send a signed message to Alice, I use one
of the roots 3, 5, 7, , 997 or 2161, 216?,
216??, , 217??? (all primes in the range)
Thus, to sign m1 and m2 I could extract the 3rd
root of hash(m1) and the 5th root of hash(m2)

9
Batch RSA
The only expensive operation
10
What is going on?Can this always be done?

Yes (on Blackboard)
Cost per private operation is now down to O(log
n) O(log k) mutiplications/divisions, i.e.,
O(k2 log k) operations per private operation

Write a Comment

User Comments (0)