CRT優化RSA

轉載：利用中國剩餘定理加速 RSA

RSA 作爲世界上使用最爲流行的公鑰密碼算法，被廣泛應用在數據加密和數字簽名上。

爲了提高加密和簽名驗證的效率，一般會將RSA的加密指數（一般是公鑰位數）設置的較小，一般爲 65537 ，而解密或簽名效率卻不能夠簡單的通過減小私鑰的長度來實現，因爲過短的私鑰將直接導致安全問題。

於是乎，基於中國剩餘定理（Chinese Remainder Theorem，簡稱 CRT）的 RSA 加速方案被提出。以RSA加解密爲例，本文將首先講解 RSA 基本原理，再介紹中國剩餘理論和費馬小定理，最後介紹 RSA-CRT算法。

RSA算法

RSA 包括密鑰生成算法、加密算法和簽名算法。

密鑰生成

加解密

簽名與驗籤

CRT

Garner's formulax(x1, x2)（參考：H. Garner. The Residue Number System. IRE Transactions on Electronic Computers, EC-8 (6), pp. 140 – 147, June 1959.），對於\(x_1 = x(mod p)\)和\(x_2=x(mod q)\)：

\(x=x_2 + h.q\)

\(h=(x_1-x_2)(q^{-1}mod p) mod p\)

歐拉定理和費馬小定理

RSA-CRT

• \(d = d(mod p-1)+k(p-1)\)，這個如何實現？
• 求出\(m_q\)和\(m_p\)後，就可以基於CRT求出\(m\)。

舉例

## RSA加解密
p = 137, q = 131, n = 137.131 = 17947, e = 3, d = 11787.
私鑰（n，d），公鑰（n，e）
m = 513
加密：c = 5133 mod n = 8363
解密：m'=c^d mod n = 513

## RSA-CRT加解密
dP = d mod (p-1) = 11787 mod 136 = 91
dQ = d mod (q-1) = 11787 mod 130 = 87

qInv = q^{-1} mod p = 131-1 mod 137 = 114
m1 = cdP mod p = 836391 mod 137 = 102
m2 = cdQ mod q = 836387 mod 131 = 120

h = qInv.(m1 - m2) mod p = 114.(102-120+137) mod 137 = 3 
m = m2 + h.q = 120 + 3.131 = 513.

程序

import time

def chinese_remainder_theorem(c, d, p, q):
    dp = d % (p - 1)
    dq = d % (q - 1)
    q_inv = modinv(q, p)  # calculates the inverse
    m1 = pow(c % p, dp, p)
    m2 = pow(c % q, dq, q)
    h = q_inv * (m1 - m2) % p
    m = m2 + h * q
    return m


def modinv(e, phi):  # function used to calculate modular inverse
    d = 0
    x1 = 0
    x2 = 1
    y1 = 1
    temp_phi = phi

    while e > 0:  # extended euclidean algorithm
        temp1 = temp_phi // e
        temp2 = temp_phi - temp1 * e
        temp_phi = e
        e = temp2

        x = x2 - temp1 * x1
        y = d - temp1 * y1

        x2 = x1
        x1 = x
        d = y1
        y1 = y

    if temp_phi == 1:
        return d + phi


def gcd(a, h):  # function used to calculate the GCD
    temp = 0
    while (1):
        temp = a % h
        if (temp == 0):
            return h
        a = h
        h = temp


start_time = time.time()

# p and q are 1024 bit primes. Tested using Miller Rabbin algorithm from Question 2
p = 137
q = 131
n = p*q
e = 3
phi = (p-1)*(q-1)
d = modinv(e, phi)

msg = 513
print("Message data = ", msg)
c = pow(msg, e, n)  # encryption c = (msg ^ e) % n
print("Encrypted data = ", c)

# decryption using chinese remainder theorem
decrypted_msg = chinese_remainder_theorem(c, d, p, q)
print("Original Message Sent = ", decrypted_msg)

end_time = time.time()

elapsed_time = end_time - start_time
print("Time taken for RSA with CRT: {:.6f} seconds".format(elapsed_time))

參考

1. 第二十一個知識點：CRT算法如何提高RSA的性能?
2. Using the CRT with RSA