Number theoretic cryptographic algorithms are all based upon modular multiplication modulo some composite or prime. Some security parameter n is set (the length of the composite or prime). Cryptographic functions such as digital signature or key exchange require O(n) or O(√n) modular multiplications ([DH, RSA, R, E, GMR, FS], etc.).
This paper proposes a variant of the RSA scheme which requires only polylog(n) (O(log² n)) modular multiplications per RSA operation. Inherent to the scheme is the idea of batching, i.e., performing several encryption or signature operations simultaneously. In practice, the new variant effectively performs several modular exponentiations at the cost of a single modular exponentiation. This leads to a very fast RSA-like scheme whenever RSA is to be performed at some central site or when pure-RSA encryption (vs. hybrid encryption) is to be performed.
An important feature of the new scheme is a practical scheme that isolates the private key from the system, irrespective of the size of the system, the number of sites, or the number of private operations that need be performed.
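The batching idea described above, as an added example that is not code from the paper: assuming the messages use distinct, pairwise coprime public exponents under one modulus, several RSA roots are recovered from a single full-size private exponentiation. The toy primes, the function names and the direct split step are assumptions of this sketch, which does not attempt to reach the multiplication count stated in the abstract.

```python
from math import prod

# Constructed toy key: tiny primes, for illustration only.
P, Q = 1019, 1187
N, PHI = P * Q, (P - 1) * (Q - 1)


def sign_single(m, e):
    """Ordinary RSA private operation: one full exponentiation per message."""
    return pow(m, pow(e, -1, PHI), N)


def sign_batch(msgs, exps):
    """Return [m_i^(1/e_i) mod N] using one full-size exponentiation.

    exps must be pairwise coprime and coprime to PHI; every message must be
    invertible mod N (the split step divides by powers of the messages).
    """
    E = prod(exps)
    # 1. Merge: M = prod m_i^(E/e_i). Only small exponents are used here.
    M = 1
    for m, e in zip(msgs, exps):
        M = M * pow(m, E // e, N) % N
    # 2. The only private-key operation: I = M^(1/E) = prod m_i^(1/e_i).
    I = pow(M, pow(E, -1, PHI), N)
    # 3. Split: isolate each root with small exponents and one inversion.
    sigs = []
    for i, e_i in enumerate(exps):
        rest = E // e_i
        # CRT exponent: t = 1 (mod e_i) and t = 0 (mod e_j) for j != i.
        t = rest * pow(rest, -1, e_i)
        # I^t = s_i * prod_j m_j^((t - [j == i]) / e_j); divide that part out.
        known = 1
        for j, (m, e) in enumerate(zip(msgs, exps)):
            known = known * pow(m, (t - (j == i)) // e, N) % N
        sigs.append(pow(I, t, N) * pow(known, -1, N) % N)
    return sigs


if __name__ == "__main__":
    msgs, exps = [42, 1234, 99999], [3, 5, 7]  # constructed sample inputs
    for m, e, s in zip(msgs, exps, sign_batch(msgs, exps)):
        print(f"m={m} e={e} sig={s} verifies={pow(s, e, N) == m}")
```

Each returned value verifies under its own public exponent and equals the result of signing that message separately.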
Keywords: Signature Scheme, Batch Size, Security Parameter, Modular Multiplication, Modular Exponentiation
- [AFK] Abadi, M., Feigenbaum, J., and Kilian, J., On Hiding Information from an Oracle, Proceedings of the 19th Annual ACM Symposium on Theory of Computing.
- [AGCS] Alexi, W., Chor, B., Goldreich, O., and Schnorr, C.P., RSA and Rabin Functions: Certain Parts are as Hard as the Whole, SIAM J. Comput., April, 1988.
- [AHU] Aho, A.V., Hopcroft, J.E., and Ullman, J.D., The Design and Analysis of Computer Algorithms, Addison-Wesley, 1974.
- [B] Blum, M., Personal communication.
- [BM] Blum, M. and Micali, S., How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits, SIAM J. Comput., 13, 1984.
- [BG] Blum, M. and Goldwasser, S., An Efficient Probabilistic Public Key Encryption Scheme which Hides all Partial Information, Proceedings of Crypto '84.
- [CFN] Chaum, D., Fiat, A., and Naor, M., Untraceable Electronic Cash, Proceedings of Crypto '88.
- [DH] Diffie, W. and Hellman, M.E., New Directions in Cryptography, IEEE Trans. on Information Theory, Vol. IT-22, 1976.
- [E] El Gamal, T., A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. on Information Theory, Vol. IT-31, 1985.
- [FS] Fiat, A., and Shamir, A., How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Proceedings of Crypto '86.
- [GMR] Goldwasser, S., Micali, S., and Rivest, R.L., A Secure Digital Signature Scheme, SIAM J. Comput., April, 1988.
- [H] Håstad, J., On using RSA with Low Exponent in a Public Key Network, Proceedings of Crypto '85.
- [K] Knuth, D., The Art of Computer Programming, vol. 2: Seminumerical Algorithms, 2nd ed., Addison-Wesley, 1981.
- [MS] Micali, S., and Schnorr, C.P., Efficient, Perfect Random Number Generators, Proceedings of Crypto '88.
- [R] Rabin, M.O., Digitalized Signatures, in Foundations of Secure Computation, Academic Press, NY, 1978.
- [RSA] Rivest, R.L., Shamir, A. and Adleman, L., A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Comm. ACM, Vol. 21, No. 2, 1978.
- [S] Shamir, A., On the Generation of Cryptographically Strong Pseudorandom Sequences, ACM Trans. on Computer Systems, Vol. 1, No. 1, 1983.