dissertacao.pdf
dissertacao.pdf
dissertacao.pdf
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
1.8.2 Multi-Prime RSA<br />
Multi-Prime RSA, like the name says, uses r < 1 distinct primes p1, p2, ..., pr to<br />
form the modulus N = p1p2...pr. A Multi-Prime RSA instance using r-primes<br />
is called r-prime RSA. For greater safety, it is usual to use balanced primes.<br />
The proceedings like computing the exponents and the encryption method are<br />
done in exactly the same way as the original RSA (that is, 2-RSA).<br />
The greatest advantage of Multi-Prime RSA is that it allows for a faster<br />
decryption process when Bob uses its knowledge of the factorization of N. When<br />
receiving a cypher text c = m e (mod N) he starts by computing the partial<br />
decryptions xi ∼ = c (mod pi) for i = 1, ..., r. Then he applies the CRT theorem<br />
and recovers the plain text m. According to results by [19], the worst case cost<br />
of decryption for a 3-prime RSA is 9<br />
4<br />
smaller than the worst case for RSA and<br />
this results gets even better with 4-prime RSA, which presents a worst case cost<br />
4 times smaller than that of the RSA.<br />
One interesting topic regarding Multi-Prime RSA is the number of primes<br />
one should use. It is obvious that the more primes we use the quicker the<br />
decryption will be, but using too many will result in N having smaller factors.<br />
The Number Field Sieve is the most efficient generic factorization method known<br />
presently. Its running time depends solely on the size of N, the integer we want<br />
to factor. On the other side, the Elliptic Curve Method is an extremely efficient<br />
factorization algorithm for numbers N with a small prime factor, as it depends<br />
on the size of N but also on the size of p, its smallest prime factor. When<br />
we choose the size of the modulus, N, the runtime of the NFS is fixed. The<br />
runtime of the Elliptic Curve Method will then be proportional to N but also<br />
to p, the size of the smallest prime factor p. So, the idea that occurred to<br />
Lenstra was to, for each size of a modulus N, calculate how many primes one<br />
can use in r-prime RSA so that the runtime for both algorithms is the same for<br />
standard RSA and for r-prime RSA. His work[28] resulted in recommendations<br />
for the number of primes that we can use safely for r-prime RSA with modulus<br />
of 1024,2048,4096 and 8192 bits. It should be noted that, besides taking in<br />
account the available computational power at the time of publication of the<br />
article, Lenstra also considered its probable evolution.<br />
19