Abstract
This paper proposes RSA parameters for which (1) key generation, encryption, decryption, signing, and verification are feasible on today’s computers while (2) all known attacks are infeasible, even assuming highly scalable quantum computers. As part of the performance analysis, this paper introduces a new algorithm to generate a batch of primes. As part of the attack analysis, this paper introduces a new quantum factorization algorithm that is often much faster than Shor’s algorithm and much faster than pre-quantum factorization algorithms. Initial pqRSA implementation results are provided.
Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO) and project number 645421 (ECRYPT-CSA); by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005; by the U.S. National Institute of Standards and Technology under grant 60NANB10D263; by the U.S. National Science Foundation under grants 1314919, 1408734, 1505799, and 1513671; and by a gift from Cisco. P. Lou was supported by the Rachleff Scholars program at the University of Pennsylvania. We are grateful to Cisco for donating much of the hardware used for our experiments. “Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies). Permanent ID of this document: aaf273785255fe95feca9484e74c7833. Date: 2017.04.23.
Notes
1. If the goal is merely to protect past traffic against complete key theft ("forward secrecy"), then a user can obtain a speedup by generating many RSA keys in advance and erasing each key soon after it is first used. But erasing each key soon after it has been generated is sometimes advertised as helping protect future traffic against limited types of compromise. Furthermore, batching across many users provides larger speedups.
References
[1] (no editor): Second International Conference on Quantum, Nano, and Micro Technologies, ICQNM 2008, 10–15 February 2008, Sainte Luce, Martinique, French Caribbean. IEEE Computer Society (2008). See [17]
[2] (no editor): Kernel BUG at mm/huge_memory.c:1798! (2012). http://linux-kernel.2935.n7.nabble.com/kernel-BUG-at-mm-huge-memory-c-1798-td574029.html. Citations in this document: §A
[3] (no editor): Proceedings of the 23rd USENIX Security Symposium, 20–22 August 2014, San Diego, CA, USA. USENIX (2014). See [19]
[4] Abdalla, M., Barreto, P.S.L.M. (eds.): LATINCRYPT 2010. LNCS, vol. 6212. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14712-8. See [11]
[5] Barbulescu, R., Bos, J.W., Bouvier, C., Kleinjung, T., Montgomery, P.L.: Finding ECM-friendly curves through a study of Galois properties. In: ANTS-X: Proceedings of the Tenth Algorithmic Number Theory Symposium, pp. 63–86 (2013). http://msp.org/obs/2013/1/p04.xhtml. Citations in this document: §2
[6] Beauchemin, P., Brassard, G., Crépeau, C., Goutier, C., Pomerance, C.: The generation of random numbers that are probably prime. J. Cryptol. 1, 53–64 (1988). https://math.dartmouth.edu/~carlp/probprime.pdf. Citations in this document: §3
[7] Bellare, M., Kane, D., Rogaway, P.: Big-key symmetric encryption: resisting key exfiltration. In: CRYPTO 2016 [44], pp. 373–402 (2016). https://eprint.iacr.org/2016/541.pdf. Citations in this document: §1
[8] Bernstein, D.J.: How to find small factors of integers (2002). https://cr.yp.to/papers.html#sf. Citations in this document: §3
[9] Bernstein, D.J.: How to find smooth parts of integers (2004). https://cr.yp.to/papers.html#smoothparts. Citations in this document: §3, §3
[10] Bernstein, D.J.: Fast multiplication and its applications. In: [18], pp. 325–384 (2008). https://cr.yp.to/papers.html#multapps. Citations in this document: §3, §3, §3
[11] Bernstein, D.J., Birkner, P., Lange, T.: Starfish on strike. In: LATINCRYPT 2010 [4], pp. 61–80 (2010). https://eprint.iacr.org/2010/367. Citations in this document: §2
[12] Bernstein, D.J., Birkner, P., Lange, T., Peters, C.: ECM using Edwards curves (2008). https://eprint.iacr.org/2008/016. Citations in this document: §2, §2
[13] Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring \(N = p^r q\) for large \(r\). In: CRYPTO 1999 [54], pp. 326–337 (1999). http://crypto.stanford.edu/~dabo/abstracts/prq.html. Citations in this document: §3
[14] Bos, J.W., Kleinjung, T.: ECM at work. In: ASIACRYPT 2012 [53], pp. 467–484 (2012). https://eprint.iacr.org/2012/089. Citations in this document: §2
[15] Boukhonine, S.: Cryptography: a security tool of the information age (1998). https://pdfs.semanticscholar.org/3932/8253d692f791b37c425e776f6cee0b8c3e56.pdf. Citations in this document: §1
[16] Brassard, G., Høyer, P., Kalach, K., Kaplan, M., Laplante, S., Salvail, L.: Merkle puzzles in a quantum world. In: CRYPTO 2011 [45], pp. 391–410 (2011). https://arxiv.org/abs/1108.2316. Citations in this document: §1, §1
[17] Brassard, G., Salvail, L.: Quantum Merkle puzzles. In: ICQNM 2008 [1], pp. 76–79 (2008). Citations in this document: §1
[18] Buhler, J.P., Stevenhagen, P. (eds.): Surveys in Algorithmic Number Theory. Mathematical Sciences Research Institute Publications, vol. 44. Cambridge University Press, New York (2008). See [10]
[19] Checkoway, S., Fredrikson, M., Niederhagen, R., Everspaugh, A., Green, M., Lange, T., Ristenpart, T., Bernstein, D.J., Maskiewicz, J., Shacham, H.: On the practical exploitability of Dual EC in TLS implementations. In: USENIX Security 2014 [3] (2014). https://projectbullrun.org/dual-ec/index.html. Citations in this document: §1
[20] Ekert, A.: Quantum cryptoanalysis: introduction (2010). http://www.qi.damtp.cam.ac.uk/node/69. Citations in this document: §1
[21] Fürer, M.: Faster integer multiplication. In: STOC 2007 [30], pp. 57–66 (2007). https://www.cse.psu.edu/~furer/. Citations in this document: §3
[22] Gélin, A., Kleinjung, T., Lenstra, A.K.: Parametrizations for families of ECM-friendly curves (2016). https://eprint.iacr.org/2016/1092. Citations in this document: §2
[23] Goldwasser, S. (ed.): 35th Annual IEEE Symposium on the Foundations of Computer Science. Proceedings of the IEEE Symposium Held in Santa Fe, NM, 20–22 November 1994. IEEE (1994). ISBN 0-8186-6580-7. MR 98h:68008. See [48]
[24] Goodin, D.: Symantec employees fired for issuing rogue HTTPS certificate for Google (2015). https://arstechnica.com/security/2015/09/symantec-employees-fired-for-issuing-rogue-https-certificate-for-google/. Citations in this document: §1
[25] Granlund, T.: GMP integer size limitation (2012). https://gmplib.org/list-archives/gmp-discuss/2012-April/005020.html. Citations in this document: §A
[26] Granlund, T., The GMP Development Team: GNU MP: The GNU Multiple Precision Arithmetic Library (2015). https://gmplib.org/. Citations in this document: §4
[27] Harvey, D., van der Hoeven, J., Lecerf, G.: Even faster integer multiplication. J. Complex. 36, 1–30 (2016). https://arxiv.org/abs/1407.3360. Citations in this document: §3
[28] Harvey, D., van der Hoeven, J., Lecerf, G.: Fast polynomial multiplication over \(\mathbb{F}_{2^{60}}\). In: Proceedings of ISSAC 2016 (2016, to appear). https://hal.archives-ouvertes.fr/hal-01265278. Citations in this document: §4, §4
[29] ID Quantique: Future-proof data confidentiality with quantum cryptography (2005). https://classic-web.archive.org/web/20070728200504/http://www.idquantique.com/products/files/vectis-future.pdf. Citations in this document: §4
[30] Johnson, D.S., Feige, U. (eds.): Proceedings of the 39th Annual ACM Symposium on Theory of Computing, San Diego, California, USA, 11–13 June 2007. Association for Computing Machinery, New York (2007). ISBN 978-1-59593-631-8. See [21]
[31] Kim, S.H., Pomerance, C.: The probability that a random probable prime is composite. Math. Comput. 53, 721–741 (1989). https://math.dartmouth.edu/~carlp/PDF/paper72.pdf. Citations in this document: §4
[32] Krawczyk, H. (ed.): CRYPTO 1998. LNCS, vol. 1462. Springer, Heidelberg (1998). doi:10.1007/BFb0055715. ISBN 3-540-64892-5. MR 99i:94059. See [52]
[33] Lehmer, D.H., Powers, R.E.: On factoring large numbers. Bull. Am. Math. Soc. 37, 770–776 (1931). Citations in this document: §2
[34] Lenstra, A.K., Lenstra Jr., H.W. (eds.): The Development of the Number Field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993). doi:10.1007/BFb0091534. ISBN 3-540-57013-6. MR 96m:11116. Citations in this document: §2
[35] Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. 126, 649–673 (1987). MR 89g:11125. Citations in this document: §2
[36] Lenstra Jr., H.W., Tijdeman, R. (eds.): Computational Methods in Number Theory I. Mathematical Centre Tracts, vol. 154. Mathematisch Centrum, Amsterdam (1982). ISBN 90-6196-248-X. MR 84c:10002. See [41]
[37] Leprévost, F.: The end of public key cryptography or does God play dices? PricewaterhouseCoopers Cryptogr. Centre Excell. Q. J. (1999). http://tinyurl.com/jdkkxc3. Citations in this document: §2
[38] Maurer, U.M.: Fast generation of prime numbers and secure public-key cryptographic parameters. J. Cryptol. 8, 123–155 (1995). http://link.springer.com/article/10.1007/BF00202269. Citations in this document: §2
[39] Pollard, J.M.: Theorems on factorization and primality testing. Proc. Camb. Philos. Soc. 76, 521–528 (1974). MR 50 #6992. Citations in this document: §2
[40] Pollard, J.M.: A Monte Carlo method for factorization. BIT 15, 331–334 (1975). MR 52 #13611. Citations in this document: §2
[41] Pomerance, C.: Analysis and comparison of some integer factoring algorithms. In: [36], pp. 89–139 (1982). MR 84i:10005. Citations in this document: §2
[42] Rabin, M.O.: Digitalized signatures and public-key functions as intractable as factorization. Technical report 212, MIT Laboratory for Computer Science (1979). https://archive.org/details/bitsavers_mitlcstrMI_457188. Citations in this document: §3
[43] Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978). ISSN 0001-0782. Citations in this document: §3
[44] Robshaw, M., Katz, J. (eds.): CRYPTO 2016. LNCS, vol. 9814. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53018-4. ISBN 978-3-662-53017-7. See [7]
[45] Rogaway, P. (ed.): CRYPTO 2011. LNCS, vol. 6841. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9. See [16]
[46] Schönhage, A., Strassen, V.: Schnelle Multiplikation großer Zahlen. Computing 7, 281–292 (1971). http://link.springer.com/article/10.1007/BF02242355. Citations in this document: §3
[47] Shamir, A.: RSA for paranoids. CryptoBytes 1 (1995). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.154.5763&rep=rep1&type=pdf. Citations in this document: §1, §3
[48] Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS 1994 [23], pp. 124–134 (1994). See also newer version [49]. MR 1489242. Citations in this document: §1
[49] Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer (1995). See also older version [48]; see also newer version [50]. https://arxiv.org/abs/quant-ph/9508027v2
[50] Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26, 1484–1509 (1997). See also older version [49]. MR 98i:11108
[51] Shoup, V.: A proposal for an ISO standard for public key encryption (version 2.1) (2001). http://www.shoup.net/papers. Citations in this document: §3
[52] Takagi, T.: Fast RSA-type cryptosystem modulo \(p^{k}q\). In: CRYPTO 1998 [32], pp. 318–326 (1998). http://imi.kyushu-u.ac.jp/takagi/takagi/publications/cr98.ps. Citations in this document: §1, §3
[53] Wang, X., Sako, K. (eds.): ASIACRYPT 2012. LNCS, vol. 7658. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4. ISBN 978-3-642-34960-7. See [14]
[54] Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1. ISBN 3-540-66347-9. MR 2000h:94003. See [13]
[55] Williams, H.C.: A \(p+1\) method of factoring. Math. Comput. 39, 225–234 (1982). MR 83h:10016. Citations in this document: §2
[56] Zalka, C.: Fast versions of Shor's quantum factoring algorithm (1998). https://arxiv.org/abs/quant-ph/9806084. Citations in this document: §2, §4
[57] Zimmermann, P.: About memory-usage of mpz_mul (2016). https://gmplib.org/list-archives/gmp-discuss/2016-June/006009.html. Citations in this document: §A
Appendices
A Appendix: Implementation Barriers and Details
Extending GMP's Integer Capacity. The GMP library uses hard-coded 32-bit integers to represent sizes in multiple locations. Without any modifications, GMP supports at most \(2^{37}\)-bit integers on 64-bit machines [25]: the limb count is a 32-bit int, so \(2^{31}\) limbs of 64 bits each. To represent larger values, we extended GMP's capacity from 32-bit to 64-bit sizes by changing the data types in GMP's integer structure, mpz. Namely, we changed the size and allocation fields of the struct (_mp_size and _mp_alloc) from int to int64_t. To accommodate the increased memory usage, we raised the bound on GMP's memory allocation for the mpz struct in realloc.c to LLONG_MAX. The final modification was to create binary-format I/O functions for 64-bit mpzs, namely 64-bit variants of mpz_inp_raw and mpz_out_raw.
Impact of Swapping. We initially evaluated the performance of our product-tree implementation by generating a "dummy key", a terabyte product of random 4096-bit integers. During this product computation we measured instructions per cycle (IPC) with the command perf stat -e instructions,cycles -a sleep 1 to quantify the performance lost to swapping. When no swapping occurred, the machine sustained about 2 instructions per cycle; once swapping began, IPC dropped as low as 0.37 and generally held between 0.5 and 1.2 instructions per cycle.
GMP Memory Consumption. GMP's memory consumption is another concern. The high RAM and swap usage at the upper levels of the product tree is attributable to GMP's FFT multiplication. According to GMP's developers, the FFT implementation consumes about 8n bytes of temporary memory for an n-byte by n-byte product, where n is the byte size of the factors [57]. This massive memory consumption also triggered a known race condition in the Linux kernel's transparent-huge-page code, mm/huge_memory.c [2]; numerous bug reports for variants of the same bug on mainline Linux kernels have appeared over the past six years. Disabling transparent huge pages (for example by writing never to /sys/kernel/mm/transparent_hugepage/enabled) bypasses the kernel's transparent_hugepage code entirely and avoided the bug in our runs.
Measurements for 1-Terabyte Key Product Tree. In Table A.1, we show the wall-clock time for each level of computing a 1-terabyte product tree. Levels far down in the product tree are easily parallelized. We carried out the entire computation on lattice0 using 48 threads. The computation used a peak of 3.16 TB of RAM and 2.22 TB of swap memory, and completed in 356,709 s, or approximately 4 days, in wall-clock time.
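The level structure behind Table A.1 and the 8n-byte FFT estimate above are easy to reproduce at small scale. The following Python is an added example, not the authors' GMP-based C implementation: it builds a balanced product tree over constructed 4096-bit leaves, reports each level's node count and widest operand, and applies the GMP developers' temporary-memory estimate to the widest operand at each level. The names FFT_TEMP_FACTOR, random_leaves and tree_height, and the conversion of "1 terabyte" to \(2^{43}\) bits, are assumptions made for this example.

```python
# Added example (not from the paper): balanced product tree over constructed
# 4096-bit leaves, with per-level operand widths and GMP's FFT temp-memory
# estimate (about 8n bytes for an n-byte by n-byte product, per [57]).
import math
import random
from typing import List, Tuple

LEAF_BITS = 4096       # the paper's dummy-key leaf size
FFT_TEMP_FACTOR = 8    # assumption: the GMP developers' "about 8n bytes" estimate


def random_leaves(count: int, bits: int = LEAF_BITS, seed: int = 1) -> List[int]:
    """Deterministic stand-in for the paper's random 4096-bit integers.

    The top bit is forced to 1 so every leaf is exactly `bits` wide. This is
    constructed sample input for the example, not key material."""
    rng = random.Random(seed)
    return [rng.getrandbits(bits) | (1 << (bits - 1)) for _ in range(count)]


def product_tree(leaves: List[int]) -> List[List[int]]:
    """Return every level of a balanced product tree, leaves first, root last.

    Level k+1 multiplies adjacent pairs of level k; a trailing odd element is
    carried up unchanged, so the root is the product of all leaves."""
    if not leaves:
        raise ValueError("product tree needs at least one leaf")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [cur[i] * cur[i + 1] for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def level_stats(levels: List[List[int]]) -> List[Tuple[int, int, int, int]]:
    """Per level: (index, node count, widest node in bits, estimated FFT
    temporary bytes for the largest multiplication that forms the next level,
    i.e. FFT_TEMP_FACTOR * n with n the byte size of this level's widest node).
    The root level performs no multiplication, so its estimate is 0."""
    stats = []
    for k, nodes in enumerate(levels):
        max_bits = max(x.bit_length() for x in nodes)
        n_bytes = (max_bits + 7) // 8
        temp = FFT_TEMP_FACTOR * n_bytes if k + 1 < len(levels) else 0
        stats.append((k, len(nodes), max_bits, temp))
    return stats


def naive_product(xs: List[int]) -> int:
    """Reference product used to check the tree's root."""
    acc = 1
    for x in xs:
        acc *= x
    return acc


def tree_height(total_bits: int, leaf_bits: int = LEAF_BITS) -> int:
    """Number of levels (leaf level included) a balanced tree needs to
    multiply `total_bits` worth of `leaf_bits`-wide leaves."""
    leaves = math.ceil(total_bits / leaf_bits)
    return 1 if leaves <= 1 else math.ceil(math.log2(leaves)) + 1


if __name__ == "__main__":
    lv = product_tree(random_leaves(8))
    for k, count, bits, temp in level_stats(lv):
        print(f"level {k}: {count} nodes, widest {bits} bits, FFT temp ~{temp} bytes")
    # Assumption: "1 terabyte" = 2^40 bytes = 2^43 bits, i.e. 2^31 leaves of
    # 4096 bits, which a balanced tree multiplies in 32 levels.
    print("levels for a 1 TB product of 4096-bit leaves:", tree_height(2 ** 43))
```

The estimate applies only to the multiplications large enough for GMP to route through its FFT code, so the lower levels overstate temporary memory; the point of the report is the upper levels, where a single operand is a sizeable fraction of the whole product and the 8n-byte overhead is what drives the RAM and swap figures above.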
Heterogeneous Cluster Description. See Table A.2.
B Credits for Multi-prime RSA
The idea of using RSA with more than two primes is most commonly credited to Collins, Hopkins, Langford, and Sabin, who received patent 5848159 in 1998 for “RSA with several primes”:
The invention, allowing 4 primes each about 150 digits long to obtain a 600 digit n, instead of two primes about 350 [sic] digits long, results in a marked improvement in computer performance. For, not only are primes that are 150 digits in size easier to find and verify than ones on the order of 350 digits, but by applying techniques the inventors derive from the Chinese Remainder Theorem (CRT), public key cryptography calculations for encryption and decryption are completed much faster—even if performed serially on a single processor system.
However, the same idea had already appeared in the original RSA patent in 1983:
In alternative embodiments, the present invention may use a modulus n which is a product of three or more primes (not necessarily distinct). Decoding may be performed modulo each of the prime factors of n and the results combined using “Chinese remaindering” or any equivalent method to obtain the result modulo n.
In any event, both of these patents have now expired, so they will not interfere with the deployment of post-quantum RSA.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Bernstein, D.J., Heninger, N., Lou, P., Valenta, L. (2017). Post-quantum RSA. In: Lange, T., Takagi, T. (eds.) Post-Quantum Cryptography. PQCrypto 2017. Lecture Notes in Computer Science, vol. 10346. Springer, Cham. https://doi.org/10.1007/978-3-319-59879-6_18
DOI: https://doi.org/10.1007/978-3-319-59879-6_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59878-9
Online ISBN: 978-3-319-59879-6