Post-quantum RSA

Abstract

This paper proposes RSA parameters for which (1) key generation, encryption, decryption, signing, and verification are feasible on today’s computers while (2) all known attacks are infeasible, even assuming highly scalable quantum computers. As part of the performance analysis, this paper introduces a new algorithm to generate a batch of primes. As part of the attack analysis, this paper introduces a new quantum factorization algorithm that is often much faster than Shor’s algorithm and much faster than pre-quantum factorization algorithms. Initial pqRSA implementation results are provided.

Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO) and project number 645421 (ECRYPT-CSA); by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005; by the U.S. National Institute of Standards and Technology under grant 60NANB10D263; by the U.S. National Science Foundation under grants 1314919, 1408734, 1505799, and 1513671; and by a gift from Cisco. P. Lou was supported by the Rachleff Scholars program at the University of Pennsylvania. We are grateful to Cisco for donating much of the hardware used for our experiments. “Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies). Permanent ID of this document: aaf273785255fe95feca9484e74c7833. Date: 2017.04.23.

Appendices

A Appendix: Implementation Barriers and Details

Extending GMP’s Integer Capacity. The GMP library uses hard-coded 32-bit integers to represent sizes in multiple locations in the library. Without any modifications, GMP supports \(2^{37}\)-bit integers on 64-bit machines [25]. To represent large values, we extended GMP’s capacity from 32-bit integers to 64-bit integers by changing the data typing in GMP’s integer structure, mpz. Namely, we changed mpz_size and mpz_alloc from int types to int64_t types. To accommodate increased memory usage, we increased the bound for GMP’s memory allocation for the mpz struct in realloc.c to LLONG_MAX. The final modifications we made were to create binary-format I/O functions for 64-bit mpzs, namely in mpz_inp_out.c and mpz_out_raw.c.

Table A.1. Time per product-tree level in key generation—We record the time for each product-tree level in a 1-terabyte key generation using lattice0. Level 1 takes 1,953,125,000 4096-bit numbers as input, and produces 976,562,500 8192-bit numbers as output. Level 31 takes two 500 GB numbers and multiplies them to create the final 1 TB output.

Impact of Swapping. We initially evaluated the performance of our product-tree implementation by generating a “dummy key”, a terabyte product of random 4096-bit integers. During this product computation, we counted instructions per CPU cycle (IPCs) with the command perf stat -e instructions,cycles -a sleep 1 to measure the lost performance caused by swapping. When no swapping occurred, the machine had about 2 instructions per cycle, but upon swapping, the instructions per cycles dropped as low as 0.37 instructions per cycle and held around 0.5 to 1.2 instructions per cycle.

GMP Memory Consumption. GMP’s memory consumption is another concern. High RAM and swap usage at higher levels in the product tree are attributed to GMP’s FFT implementation. According to GMP’s developers, their FFT implementation consumes about 8n bytes of temporary memory space for an \(n \cdot n\) product where n is the byte size of the factors [57]. This massive consumption of memory also triggered a known race condition in the Linux kernel [2]. The bug was found in the huge_memory.c code. There are numerous bug reports for variants of the same bug on various mainline Linux systems throughout the past six years. Disabling transparent huge pages avoided the transparent_hugepage code in the kernel.

Measurements for 1-Terabyte Key Product Tree. In Table A.1, we show the wall-clock time for each level of computing a 1-terabyte product tree. Levels far down in the product tree are easily parallelized. We carried out the entire computation on lattice0 using 48 threads. The computation used a peak of 3.16 TB of RAM and 2.22 TB of swap memory, and completed in 356,709 s, or approximately 4 days, in wall-clock time.

Table A.2. Heterogeneous compute cluster—The experiments in this paper were carried out on a heterogeneous cluster.

Heterogeneous Cluster Description. See Table A.2.

B Credits for Multi-prime RSA

The idea of using RSA with more than two primes is most commonly credited to Collins, Hopkins, Langford, and Sabin, who received patent 5848159 in 1998 for “RSA with several primes”:

The invention, allowing 4 primes each about 150 digits long to obtain a 600 digit n, instead of two primes about 350 [sic] digits long, results in a marked improvement in computer performance. For, not only are primes that are 150 digits in size easier to find and verify than ones on the order of 350 digits, but by applying techniques the inventors derive from the Chinese Remainder Theorem (CRT), public key cryptography calculations for encryption and decryption are completed much faster—even if performed serially on a single processor system.

However, the same idea had already appeared in the original RSA patent in 1983:

In alternative embodiments, the present invention may use a modulus n which is a product of three or more primes (not necessarily distinct). Decoding may be performed modulo each of the prime factors of n and the results combined using “Chinese remaindering” or any equivalent method to obtain the result modulo n.

In any event, both of these patents have now expired, so they will not interfere with the deployment of post-quantum RSA.