Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user - - PowerPoint PPT Presentation

Compressing RSA/Rabin keys

• D. J. Bernstein

Thanks to: University of Illinois at Chicago NSF CCR–9983950 Alfred P. Sloan Foundation American Institute of Mathematics Public keys Each user publishes a key 22047

• ✁

1 . User knows prime factors of . Hopefully attacker doesn’t. RSA: also publish big exponent

use primes allowing

Rabin: always use exponent 2; use primes in 3 + 4Z. Williams: 3 + 8Z and 7 + 8Z. Many subsequent variants; e.g., “RSA” using exponent 3, and “RSA” using exponent 65537.

RSA/Rabin keys Illinois at Chicago CCR–9983950 Foundation Institute of Mathematics Public keys Each user publishes a key 22047

• ✁

1 . User knows prime factors of . Hopefully attacker doesn’t. RSA: also publish big exponent

use primes allowing

Rabin: always use exponent 2; use primes in 3 + 4Z. Williams: 3 + 8Z and 7 + 8Z. Many subsequent variants; e.g., “RSA” using exponent 3, and “RSA” using exponent 65537. The compression question Can store in 2048 Can store

1

• 2
• ✁

• randomly accessible,

Can we use fewer bits? Knee-jerk answer: If you can’t afford

switch to 256-bit elliptic http://cr.yp.to/ecdh.html But elliptic-curve signatures have slow verification. Want a better answ

Public keys Each user publishes a key 22047

• ✁

1 . User knows prime factors of . Hopefully attacker doesn’t. RSA: also publish big exponent

use primes allowing

Rabin: always use exponent 2; use primes in 3 + 4Z. Williams: 3 + 8Z and 7 + 8Z. Many subsequent variants; e.g., “RSA” using exponent 3, and “RSA” using exponent 65537. The compression question Can store in 2048 bits. Can store

1

• 2
• ✁

• ,

randomly accessible, in 2048

bits. Can we use fewer bits? Knee-jerk answer: “No! If you can’t afford 2048

bits, switch to 256-bit elliptic curves. http://cr.yp.to/ecdh.html” But elliptic-curve signatures have slow verification. Want a better answer.

publishes a key

• ✁

1 . rime factors of . er doesn’t. publish big exponent

wing

use exponent 2; 4Z. Z and 7 + 8Z. subsequent variants; using exponent 3, using exponent 65537. The compression question Can store in 2048 bits. Can store

1

• 2
• ✁

• ,

randomly accessible, in 2048

bits. Can we use fewer bits? Knee-jerk answer: “No! If you can’t afford 2048

bits, switch to 256-bit elliptic curves. http://cr.yp.to/ecdh.html” But elliptic-curve signatures have slow verification. Want a better answer. Recognizing lower 22047

• ✁

so has top bit 1. Don’t store that bit. With Rabin-Williams: Don’t store bottom Better: Users never divisible by 3

• so only 480 possibilities

for mod 9240. Replace bottom 13 bits with encoding of mod

The compression question Can store in 2048 bits. Can store

1

• 2
• ✁

• ,

randomly accessible, in 2048

bits. Can we use fewer bits? Knee-jerk answer: “No! If you can’t afford 2048

bits, switch to 256-bit elliptic curves. http://cr.yp.to/ecdh.html” But elliptic-curve signatures have slow verification. Want a better answer. Recognizing lower entropy 22047

• ✁

1 so has top bit 1. Don’t store that bit. With Rabin-Williams: 5 + 8Z. Don’t store bottom 3 bits. Better: Users never generate divisible by 3

so only 480 possibilities for mod 9240. Replace bottom 13 bits with 9-bit encoding of mod 9240.

question 2048 bits.

• ✁

• ,

accessible, in 2048

bits. er bits? er: “No! rd 2048

bits, 256-bit elliptic curves. http://cr.yp.to/ecdh.html” elliptic-curve signatures verification. answer. Recognizing lower entropy 22047

• ✁

1 so has top bit 1. Don’t store that bit. With Rabin-Williams: 5 + 8Z. Don’t store bottom 3 bits. Better: Users never generate divisible by 3

so only 480 possibilities for mod 9240. Replace bottom 13 bits with 9-bit encoding of mod 9240. Have reduced 2048 Can we do much b Knee-jerk answer: C’mon, you know y switch to elliptic curves.” e.g. User generates

• independent uniform

21023

• ✁

• 21024
• ✁

1 1025 log 2 chance 1 1026 log 2 chance

• 1 8 chance of
• 2 log 2

1 chance

• so

22023 equally

Recognizing lower entropy 22047

• ✁

1 so has top bit 1. Don’t store that bit. With Rabin-Williams: 5 + 8Z. Don’t store bottom 3 bits. Better: Users never generate divisible by 3

so only 480 possibilities for mod 9240. Replace bottom 13 bits with 9-bit encoding of mod 9240. Have reduced 2048 to 2043. Can we do much better? Knee-jerk answer: “No! C’mon, you know you want to switch to elliptic curves.” e.g. User generates =

independent uniform random 21023

• ✁

1 ,

• 21024
• ✁

1 : 1 1025 log 2 chance of prime, 1 1026 log 2 chance of

1 8 chance of 3

2 log 2

1 chance of

• 22048,

so 22023 equally likely ’s.

er entropy

• ✁

1 1. bit. Rabin-Williams: 5 + 8Z.

• ttom 3 bits.

never generate

• 7

• ssibilities

Replace with 9-bit mod 9240. Have reduced 2048 to 2043. Can we do much better? Knee-jerk answer: “No! C’mon, you know you want to switch to elliptic curves.” e.g. User generates =

independent uniform random 21023

• ✁

1 ,

• 21024
• ✁

1 : 1 1025 log 2 chance of prime, 1 1026 log 2 chance of

1 8 chance of 3

2 log 2

1 chance of

• 22048,

so 22023 equally likely ’s. Reducing entropy Define ( ) = 500th ( ) = with 500th Change key-generation to produce keys Then can encode saving one bit; also top/bottom bits as Brute-force key generation: generate by the if ( ) = 1, try again. Conjecturally this tak almost exactly 2 tries confirmed by experiment.

Have reduced 2048 to 2043. Can we do much better? Knee-jerk answer: “No! C’mon, you know you want to switch to elliptic curves.” e.g. User generates =

independent uniform random 21023

• ✁

1 ,

• 21024
• ✁

1 : 1 1025 log 2 chance of prime, 1 1026 log 2 chance of

1 8 chance of 3

2 log 2

1 chance of

• 22048,

so 22023 equally likely ’s. Reducing entropy Define ( ) = 500th bit of , ( ) = with 500th bit omitted. Change key-generation procedure to produce keys with ( ) = 0. Then can encode as ( ), saving one bit; also save top/bottom bits as before. Brute-force key generation: generate by the old method; if ( ) = 1, try again. Conjecturally this takes almost exactly 2 tries on average; confirmed by experiment.

2048 to 2043. better? er: “No! you want to curves.” generates =

uniform random

• ✁

1 ,

• ✁

1 : chance of prime, chance of

3

chance of

• 22048,

equally likely ’s. Reducing entropy Define ( ) = 500th bit of , ( ) = with 500th bit omitted. Change key-generation procedure to produce keys with ( ) = 0. Then can encode as ( ), saving one bit; also save top/bottom bits as before. Brute-force key generation: generate by the old method; if ( ) = 1, try again. Conjecturally this takes almost exactly 2 tries on average; confirmed by experiment. More generally, select : 2048-bit strings

• bit strings

: 2048-bit strings (2048

with

• invertible.

Change key-generation to produce keys Then can encode saving bits. Is

• easy to compute

and easy to invert? for the functions w

Reducing entropy Define ( ) = 500th bit of , ( ) = with 500th bit omitted. Change key-generation procedure to produce keys with ( ) = 0. Then can encode as ( ), saving one bit; also save top/bottom bits as before. Brute-force key generation: generate by the old method; if ( ) = 1, try again. Conjecturally this takes almost exactly 2 tries on average; confirmed by experiment. More generally, select functions : 2048-bit strings

• bit strings

and : 2048-bit strings (2048

)-bit strings with

• invertible.

Change key-generation procedure to produce keys with ( ) = 0. Then can encode as ( ), saving bits. Is

• easy to compute

and easy to invert? Yes for the functions we’ll consider.

y 500th bit of , 500th bit omitted. ey-generation procedure with ( ) = 0. de as ( ), also save as before. generation: the old method; again. this takes tries on average; eriment. More generally, select functions : 2048-bit strings

• bit strings

and : 2048-bit strings (2048

)-bit strings with

• invertible.

Change key-generation procedure to produce keys with ( ) = 0. Then can encode as ( ), saving bits. Is

• easy to compute

and easy to invert? Yes for the functions we’ll consider. Do ’s exist with Conjecturally chance

• for the functions w

(Provable for chosen from “universal” classes.) Brute force takes

• far too slow for large

Can we do much b

• Yes. Will come back

Are the resulting k Not necessarily!

More generally, select functions : 2048-bit strings

• bit strings

and : 2048-bit strings (2048

)-bit strings with

• invertible.

Change key-generation procedure to produce keys with ( ) = 0. Then can encode as ( ), saving bits. Is

• easy to compute

and easy to invert? Yes for the functions we’ll consider. Do ’s exist with ( ) = 0? Conjecturally chance 1 2

• for the functions we’ll consider.

(Provable for chosen randomly from “universal” classes.) Brute force takes 2

• tries;

far too slow for large . Can we do much better?

• Yes. Will come back to this.

Are the resulting keys secure? Not necessarily!

select functions strings strings and strings

)-bit strings

• invertible.

ey-generation procedure with ( ) = 0. de as ( ),

• compute

invert? Yes we’ll consider. Do ’s exist with ( ) = 0? Conjecturally chance 1 2

• for the functions we’ll consider.

(Provable for chosen randomly from “universal” classes.) Brute force takes 2

• tries;

far too slow for large . Can we do much better?

• Yes. Will come back to this.

Are the resulting keys secure? Not necessarily! The half-special numb 1998 Lenstra: “Numb form 21024

• ✁

1024-bit RSA securit

Chance of an “unusually NFS polynomial is Not true. Reducing using ( ) = half reduces conjectured Skewed NFS polynomials (1999 Murphy) turn unusually small for

Do ’s exist with ( ) = 0? Conjecturally chance 1 2

• for the functions we’ll consider.

(Provable for chosen randomly from “universal” classes.) Brute force takes 2

• tries;

far too slow for large . Can we do much better?

• Yes. Will come back to this.

Are the resulting keys secure? Not necessarily! The half-special number-field sieve 1998 Lenstra: “Numbers of the form 21024

• ✁

1024-bit RSA security, as long as

Chance of an “unusually small” NFS polynomial is “negligible.” Not true. Reducing entropy, using ( ) = half the bits of , reduces conjectured security level. Skewed NFS polynomials (1999 Murphy) turn out to be unusually small for these numbers.

with ( ) = 0? chance 1 2

• we’ll consider.

chosen randomly classes.) es 2

• tries;

large . better? back to this. keys secure? The half-special number-field sieve 1998 Lenstra: “Numbers of the form 21024

• ✁

1024-bit RSA security, as long as

Chance of an “unusually small” NFS polynomial is “negligible.” Not true. Reducing entropy, using ( ) = half the bits of , reduces conjectured security level. Skewed NFS polynomials (1999 Murphy) turn out to be unusually small for these numbers. Sharing entropy Generate random from set

• f all p

Define

1 =

• Generate random

e.g., for = 500th generate random same 500th bit as Similarly generate

• ✁

Compress

2 to

( compress

3 to

( Overall (2048

)

to store

1

• 2
• ✁

The half-special number-field sieve 1998 Lenstra: “Numbers of the form 21024

• ✁

1024-bit RSA security, as long as

Chance of an “unusually small” NFS polynomial is “negligible.” Not true. Reducing entropy, using ( ) = half the bits of , reduces conjectured security level. Skewed NFS polynomials (1999 Murphy) turn out to be unusually small for these numbers. Sharing entropy Generate random

1

from set

• f all possible keys.

Define

1 =

Generate random

2 1:

e.g., for = 500th bit, generate random

2 having

same 500th bit as

1.

Similarly generate

3

• 4
• ✁

Compress

2 to

( 2); compress

3 to

( 3); etc. Overall (2048

)

+ bits to store

1

• 2
• ✁

• .

number-field sieve “Numbers of the

• ✁

security, as long as

• smaller than 2500.”

“unusually small” is “negligible.” Reducing entropy, half the bits of , conjectured security level.

• lynomials

turn out to be for these numbers. Sharing entropy Generate random

1

from set

• f all possible keys.

Define

1 =

Generate random

2 1:

e.g., for = 500th bit, generate random

2 having

same 500th bit as

1.

Similarly generate

3

• 4
• ✁

Compress

2 to

( 2); compress

3 to

( 3); etc. Overall (2048

)

+ bits to store

1

• 2
• ✁

• .

If distribution of is uniform over , and distribution of is uniform over

1,

then distribution of is uniform over . So attacker’s chance is provably identical attacker’s chance of Same comment with replaced by “forging etc. Sharing entropy is

Sharing entropy Generate random

1

from set

• f all possible keys.

Define

1 =

Generate random

2 1:

e.g., for = 500th bit, generate random

2 having

same 500th bit as

1.

Similarly generate

3

• 4
• ✁

Compress

2 to

( 2); compress

3 to

( 3); etc. Overall (2048

)

+ bits to store

1

• 2
• ✁

• .

If distribution of

1

is uniform over , and distribution of

2 given 1

is uniform over

1,

then distribution of

2

is uniform over . So attacker’s chance of factoring

2

is provably identical to attacker’s chance of factoring

1.

Same comment with “factoring” replaced by “forging signatures” etc. Sharing entropy is provably secure.

1

all possible keys.

2 1:

500th bit,

2 having

as

1.

generate

3

• 4
• ✁

( 2); ( 3); etc.

)

+ bits

• ✁

• .

If distribution of

1

is uniform over , and distribution of

2 given 1

is uniform over

1,

then distribution of

2

is uniform over . So attacker’s chance of factoring

2

is provably identical to attacker’s chance of factoring

1.

Same comment with “factoring” replaced by “forging signatures” etc. Sharing entropy is provably secure. Time to factor

1

can be less than double the time for a single (e.g., Schnorr, Eratosthenes) Analogy: brute-force versus a secret-key finds

target keys as finding one target Problem arises with shared entropy. (e.g., Coppersmith, For safety, choose so that (conjecturally) can’t even do one

If distribution of

1

is uniform over , and distribution of

2 given 1

is uniform over

1,

then distribution of

2

is uniform over . So attacker’s chance of factoring

2

is provably identical to attacker’s chance of factoring

1.

Same comment with “factoring” replaced by “forging signatures” etc. Sharing entropy is provably secure. Time to factor

1 and 2

can be less than double the time for a single factorization. (e.g., Schnorr, Eratosthenes) Analogy: brute-force search versus a secret-key cipher finds

target keys in same time as finding one target key. Problem arises with or without shared entropy. (e.g., Coppersmith, Bernstein) For safety, choose key sizes so that (conjecturally) attacker can’t even do one factorization.

1

,

• f

2 given 1 1,

• f

2

. chance of factoring

2

identical to chance of factoring

1.

with “factoring” rging signatures” is provably secure. Time to factor

1 and 2

can be less than double the time for a single factorization. (e.g., Schnorr, Eratosthenes) Analogy: brute-force search versus a secret-key cipher finds

target keys in same time as finding one target key. Problem arises with or without shared entropy. (e.g., Coppersmith, Bernstein) For safety, choose key sizes so that (conjecturally) attacker can’t even do one factorization. Perhaps time to facto is below time to facto Analogy: brute-force finds some target k

after 1

• f the

As before, problem with or without sha For safety, multiply factorization success (e.g. ECM success by

before choosing

Time to factor

1 and 2

can be less than double the time for a single factorization. (e.g., Schnorr, Eratosthenes) Analogy: brute-force search versus a secret-key cipher finds

target keys in same time as finding one target key. Problem arises with or without shared entropy. (e.g., Coppersmith, Bernstein) For safety, choose key sizes so that (conjecturally) attacker can’t even do one factorization. Perhaps time to factor

1 or 2

is below time to factor

1.

Analogy: brute-force search finds some target key out of

after 1

• f the computation.

As before, problem arises with or without shared entropy. For safety, multiply conjectured factorization success chance (e.g. ECM success chance) by

before choosing key sizes.

1 and 2

double single factorization. Eratosthenes) rute-force search ey cipher

eys in same time rget key. with or without ersmith, Bernstein)

• se key sizes

(conjecturally) attacker

• ne factorization.

Perhaps time to factor

1 or 2

is below time to factor

1.

Analogy: brute-force search finds some target key out of

after 1

• f the computation.

As before, problem arises with or without shared entropy. For safety, multiply conjectured factorization success chance (e.g. ECM success chance) by

before choosing key sizes. Is this overkill? Are there algorithms

1 or 2 or

• more quickly than

For discrete logs, p by randomized self-reduction. For factorization, no without an extra

Factorization literature explicitly address multiple Maybe we’re oversimplifying by considering just

Perhaps time to factor

1 or 2

is below time to factor

1.

Analogy: brute-force search finds some target key out of

after 1

• f the computation.

As before, problem arises with or without shared entropy. For safety, multiply conjectured factorization success chance (e.g. ECM success chance) by

before choosing key sizes. Is this overkill? Are there algorithms to factor

1 or 2 or

• more quickly than factoring

1?

For discrete logs, prove “no” by randomized self-reduction. For factorization, no hope of proof without an extra

Factorization literature needs to explicitly address multiple inputs. Maybe we’re oversimplifying by considering just one input.

factor

1 or 2

factor

1.

rute-force search rget key out of

the computation. roblem arises shared entropy. multiply conjectured success chance success chance)

• sing key sizes.

Is this overkill? Are there algorithms to factor

1 or 2 or

• more quickly than factoring

1?

For discrete logs, prove “no” by randomized self-reduction. For factorization, no hope of proof without an extra

Factorization literature needs to explicitly address multiple inputs. Maybe we’re oversimplifying by considering just one input. Generating given Define ( ) = mo Reasonably fast generation

• with

(

( 1 Choose 1024-bit .

If not both primes, If

• 22048, try again.

Conjecturally 217

• n average.

Is this overkill? Are there algorithms to factor

1 or 2 or

• more quickly than factoring

1?

For discrete logs, prove “no” by randomized self-reduction. For factorization, no hope of proof without an extra

Factorization literature needs to explicitly address multiple inputs. Maybe we’re oversimplifying by considering just one input. Generating given bottom half Define ( ) = mod 21024. Reasonably fast generation of

• with

(

( 1), given ( 1): Choose 1024-bit . Compute

If not both primes, try again. If

• 22048, try again.

Conjecturally 217 tries

• n average.

rithms to factor

• than factoring

1?

logs, prove “no” self-reduction. rization, no hope of proof

literature needs to address multiple inputs.

• versimplifying

just one input. Generating given bottom half Define ( ) = mod 21024. Reasonably fast generation of

• with

(

( 1), given ( 1): Choose 1024-bit . Compute

If not both primes, try again. If

• 22048, try again.

Conjecturally 217 tries

• n average.

Analogous method ( ) = 21024 Method reinvented Published 1991 Guillou in context of reducing “Some forms of the

all of the bits of the most significant bytes valued to zero.”

Generating given bottom half Define ( ) = mod 21024. Reasonably fast generation of

• with

(

( 1), given ( 1): Choose 1024-bit . Compute

If not both primes, try again. If

• 22048, try again.

Conjecturally 217 tries

• n average.

Analogous method works for ( ) = 21024 . Method reinvented several times. Published 1991 Guillou Quisquater, in context of reducing entropy: “Some forms of the modulus

all of the bits of the most significant bytes are valued to zero.”

given bottom half mod 21024. generation of

• 1), given

( 1): . Compute

• ( 1) mod 21024).

rimes, try again.

• try again.

217 tries Analogous method works for ( ) = 21024 . Method reinvented several times. Published 1991 Guillou Quisquater, in context of reducing entropy: “Some forms of the modulus

all of the bits of the most significant bytes are valued to zero.” Patent application by Vanstone and Zuccherato: “A method of encrypting

selecting said public

having a plurality of at least one set being predetermined pattern

and applying said public to encrypt the message.” Includes some generation ranging from sensible Granted 2000: US

Analogous method works for ( ) = 21024 . Method reinvented several times. Published 1991 Guillou Quisquater, in context of reducing entropy: “Some forms of the modulus

all of the bits of the most significant bytes are valued to zero.” Patent application filed 1995 by Vanstone and Zuccherato: “A method of encrypting data

selecting said public key

having a plurality of sets of bits, at least one set being of a predetermined pattern of bits

and applying said public key to encrypt the message.” Includes some generation methods, ranging from sensible to silly. Granted 2000: US 6134325.

method works for . reinvented several times. Guillou Quisquater, reducing entropy: the modulus

rage.

the bytes are Patent application filed 1995 by Vanstone and Zuccherato: “A method of encrypting data

selecting said public key

having a plurality of sets of bits, at least one set being of a predetermined pattern of bits

and applying said public key to encrypt the message.” Includes some generation methods, ranging from sensible to silly. Granted 2000: US 6134325. More patents filed responding to silly “Select a number

factor

• ; check

the factor

as the product of

• determine that the

RSA modulus; and

• is not prime, adjust
• the check of whether
• prime.”

Granted 2002: US US 6496929.

Patent application filed 1995 by Vanstone and Zuccherato: “A method of encrypting data

selecting said public key

having a plurality of sets of bits, at least one set being of a predetermined pattern of bits

and applying said public key to encrypt the message.” Includes some generation methods, ranging from sensible to silly. Granted 2000: US 6134325. More patents filed by Lenstra, responding to silly methods. “Select a number ;

factor

• ; check whether

the factor

as the product of and

determine that the number

is the RSA modulus; and if the factor

• is not prime, adjust

the check of whether the factor

prime.” Granted 2002: US 6404890, US 6496929.

application filed 1995 Zuccherato: encrypting data

public key

y of sets of bits, being of a pattern of bits

said public key message.” generation methods, sensible to silly. US 6134325. More patents filed by Lenstra, responding to silly methods. “Select a number ;

factor

• ; check whether

the factor

as the product of and

determine that the number

is the RSA modulus; and if the factor

• is not prime, adjust

the check of whether the factor

prime.” Granted 2002: US 6404890, US 6496929. These key-generation allow compression 2048 bits to 1024 Exactly how fast is Can we make it even What if ( ) = What if ( ) = Do we still have fast key-generation metho

More patents filed by Lenstra, responding to silly methods. “Select a number ;

factor

• ; check whether

the factor

as the product of and

determine that the number

is the RSA modulus; and if the factor

• is not prime, adjust

the check of whether the factor

prime.” Granted 2002: US 6404890, US 6496929. These key-generation methods allow compression from 2048 bits to 1024 bits. Exactly how fast is this? Can we make it even faster? What if ( ) = mod 21280? What if ( ) = mod 21536? Do we still have fast key-generation methods?

filed by Lenstra, silly methods. er ;

• ✁
• ; check whether
• rime; if the factor
• compute the number

duct of and

the number

is the and if the factor

• adjust

whether the factor

US 6404890, These key-generation methods allow compression from 2048 bits to 1024 bits. Exactly how fast is this? Can we make it even faster? What if ( ) = mod 21280? What if ( ) = mod 21536? Do we still have fast key-generation methods? Unbalanced primes Take ( ) = mo Choose 768-bit .

If not both primes, If

• 22048, try again.

This allows compression 2048 bits to 768 bits, with unbalanced

• (1998 Lenstra)

ECM more dangerous Don’t want so small.

These key-generation methods allow compression from 2048 bits to 1024 bits. Exactly how fast is this? Can we make it even faster? What if ( ) = mod 21280? What if ( ) = mod 21536? Do we still have fast key-generation methods? Unbalanced primes Take ( ) = mod 21280. Choose 768-bit . Compute

If not both primes, try again. If

• 22048, try again.

This allows compression from 2048 bits to 768 bits, with unbalanced

• .

(1998 Lenstra) ECM more dangerous than NFS! Don’t want so small.

ey-generation methods ression from 1024 bits. is this? even faster? mod 21280? mod 21536? fast methods? Unbalanced primes Take ( ) = mod 21280. Choose 768-bit . Compute

If not both primes, try again. If

• 22048, try again.

This allows compression from 2048 bits to 768 bits, with unbalanced

• .

(1998 Lenstra) ECM more dangerous than NFS! Don’t want so small. Primes in lattices Take ( ) = mo Choose 683-bit

0.

( 1) mo Idea: will take = and

• Use lattice reduction

to try to find

1

• 1

with ( ( 1)

1

(mo Good chance of success. (2003 Coppersmith)

Unbalanced primes Take ( ) = mod 21280. Choose 768-bit . Compute

If not both primes, try again. If

• 22048, try again.

This allows compression from 2048 bits to 768 bits, with unbalanced

• .

(1998 Lenstra) ECM more dangerous than NFS! Don’t want so small. Primes in lattices Take ( ) = mod 21366. Choose 683-bit

• 0. Compute

( 1) mod 2683. Idea: will take =

0 + 2683 1

and

Use lattice reduction to try to find

1

• 1

2341 with ( ( 1)

1

(mod 2683). Good chance of success. (2003 Coppersmith)

rimes mod 21280. . Compute

• ( 1) mod 21280).

rimes, try again.

• try again.

compression from bits,

• .

dangerous than NFS! small. Primes in lattices Take ( ) = mod 21366. Choose 683-bit

• 0. Compute

( 1) mod 2683. Idea: will take =

0 + 2683 1

and

Use lattice reduction to try to find

1

• 1

2341 with ( ( 1)

1

(mod 2683). Good chance of success. (2003 Coppersmith) This allows compression 2048 bits to 682 bits, with balanced

• .

Minor flaw: uniform does not produce exactly uniform random integer But confirm experimentally that each

0 has go

• f producing at least

This implies that each

• f

has probability not far above unifo

Primes in lattices Take ( ) = mod 21366. Choose 683-bit

• 0. Compute

( 1) mod 2683. Idea: will take =

0 + 2683 1

and

Use lattice reduction to try to find

1

• 1

2341 with ( ( 1)

1

(mod 2683). Good chance of success. (2003 Coppersmith) This allows compression from 2048 bits to 682 bits, with balanced

• .

Minor flaw: uniform random does not produce exactly uniform random integer . But confirm experimentally that each

0 has good chance

• f producing at least one

. This implies that each choice

• f

has probability not far above uniform.

lattices mod 21366.

• 0. Compute
• mod 2683.

=

0 + 2683 1

• 683

reduction

• 1

2341

• (mod 2683).

success. ersmith) This allows compression from 2048 bits to 682 bits, with balanced

• .

Minor flaw: uniform random does not produce exactly uniform random integer . But confirm experimentally that each

0 has good chance

• f producing at least one

. This implies that each choice

• f

has probability not far above uniform. Some open questions: Find random

• given

use higher-dimensional Or 2768,

• 2

Doesn’t seem to imp lattice effectiveness. Find three balanced given half the bits Do better with another

This allows compression from 2048 bits to 682 bits, with balanced

• .

Minor flaw: uniform random does not produce exactly uniform random integer . But confirm experimentally that each

0 has good chance

• f producing at least one

. This implies that each choice

• f

has probability not far above uniform. Some open questions: Find random

• 21024

given

use higher-dimensional lattices. Or 2768,

• 21280?

Doesn’t seem to improve lattice effectiveness. Find three balanced integers given half the bits of product? Do better with another shape?

compression from bits,

• .

uniform random duce exactly integer . erimentally good chance least one . that each choice robability uniform. Some open questions: Find random

• 21024

given

use higher-dimensional lattices. Or 2768,

• 21280?

Doesn’t seem to improve lattice effectiveness. Find three balanced integers given half the bits of product? Do better with another shape? Key-generation speed Start with many ’s. Use trial division etc. Then try 2

• 1 mod

26 exponentiations to find one prime. Traditional key generation chooses

• independently

27 exponentiations. Faster, slightly non-unifo build visible primes If determines

212 exponentiations.

Some open questions: Find random

• 21024

given

use higher-dimensional lattices. Or 2768,

• 21280?

Doesn’t seem to improve lattice effectiveness. Find three balanced integers given half the bits of product? Do better with another shape? Key-generation speed Start with many ’s. Use trial division etc. Then try 2

• 1 mod

. 26 exponentiations to find one prime. Traditional key generation chooses

• independently.

27 exponentiations. Faster, slightly non-uniform: build visible primes (Maurer). If determines

212 exponentiations.

questions:

• 21024
• 1500? Maybe

higher-dimensional lattices.

• 21280?

improve effectiveness. balanced integers bits of product? another shape? Key-generation speed Start with many ’s. Use trial division etc. Then try 2

• 1 mod

. 26 exponentiations to find one prime. Traditional key generation chooses

• independently.

27 exponentiations. Faster, slightly non-uniform: build visible primes (Maurer). If determines

212 exponentiations. For ( ) = mod Each determines pool of 216 possible

• Select randomly from

until finding a prime. 27 exponentiations. For ( ) = mod Obtain pool of pairs

• with all different

and all different

212 exponentiations.

Key-generation speed Start with many ’s. Use trial division etc. Then try 2

• 1 mod

. 26 exponentiations to find one prime. Traditional key generation chooses

• independently.

27 exponentiations. Faster, slightly non-uniform: build visible primes (Maurer). If determines

212 exponentiations. For ( ) = mod 21008: Each determines pool of 216 possible

Select randomly from pool until finding a prime. 27 exponentiations. For ( ) = mod 21350: Obtain pool of pairs (

• )

with all different ’s and all different

212 exponentiations.

speed ’s. etc.

• mod

.

• nentiations

rime. generation

• independently.
• nentiations.

non-uniform: rimes (Maurer).

• nentiations.

For ( ) = mod 21008: Each determines pool of 216 possible

Select randomly from pool until finding a prime. 27 exponentiations. For ( ) = mod 21350: Obtain pool of pairs (

• )

with all different ’s and all different

212 exponentiations. Can use lattice structure to share trial divisions. Or use batch facto Still many exponentiations. Is there a better metho If not, might as well take opposite approach: compress slightly mo Lattice reduction is so can afford many before each exponentiation.

For ( ) = mod 21008: Each determines pool of 216 possible

Select randomly from pool until finding a prime. 27 exponentiations. For ( ) = mod 21350: Obtain pool of pairs (

• )

with all different ’s and all different

212 exponentiations. Can use lattice structure to share trial divisions. Or use batch factorization. Still many exponentiations. Is there a better method? If not, might as well take opposite approach: compress slightly more. Lattice reduction is fast, so can afford many

0’s

before each exponentiation.

mod 21008: determines

• ssible

from pool rime.

• nentiations.

mod 21350: pairs (

• )

’s

• nentiations.

Can use lattice structure to share trial divisions. Or use batch factorization. Still many exponentiations. Is there a better method? If not, might as well take opposite approach: compress slightly more. Lattice reduction is fast, so can afford many

0’s

before each exponentiation. Protocol violations One user generates Second user sees and generates

2.

Security of

2 was

assuming uniform random What if first user cheats, and doesn’t generate uniform random

1

Recall half-special can construct rare allowing easier facto

Can use lattice structure to share trial divisions. Or use batch factorization. Still many exponentiations. Is there a better method? If not, might as well take opposite approach: compress slightly more. Lattice reduction is fast, so can afford many

0’s

before each exponentiation. Protocol violations One user generates

1.

Second user sees (

1)

and generates

2.

Security of

2 was proven

assuming uniform random

1.

What if first user cheats, and doesn’t generate uniform random

1?

Recall half-special NFS: can construct rare values allowing easier factorization.

structure divisions. factorization.

• nentiations.

method? well approach: more. is fast, many

0’s

• nentiation.

Protocol violations One user generates

1.

Second user sees (

1)

and generates

2.

Security of

2 was proven

assuming uniform random

1.

What if first user cheats, and doesn’t generate uniform random

1?

Recall half-special NFS: can construct rare values allowing easier factorization. One solution is to generate

1

• 1
• 1

from digits of

10th, 20th, 30th, etc. Not random, but conjecturally Variant:

1 without

• Another solution is

generate

1

• 1
• 1

from SHA-256 output. Another solution is generate

1

• 1
• 1

from 1955 RAND

Protocol violations One user generates

1.

Second user sees (

1)

and generates

2.

Security of

2 was proven

assuming uniform random

1.

What if first user cheats, and doesn’t generate uniform random

1?

Recall half-special NFS: can construct rare values allowing easier factorization. One solution is to generate

1

• 1
• 1 publicly

from digits of

10th, 20th, 30th, etc. Not random, but conjecturally safe. Variant:

1 without 1

• 1.

Another solution is to generate

1

• 1
• 1 publicly

from SHA-256 output. Another solution is to generate

1

• 1
• 1 publicly

from 1955 RAND tables.