Current location - Quotes Website - Signature design - Post-quantum RSA reading report
Post-quantum RSA reading report
This paper mainly introduces how to strengthen RSA to make all known quantum attack algorithms infeasible, while encryption and decryption are still feasible.

For RSA parameters in this paper: (1) encryption, decryption, signature and verification are feasible; (2) All known attacks are infeasible. Includes a highly scalable quantum computer.

Performance analysis part: This paper introduces a new algorithm for generating a batch of prime numbers. ?

In the part of attack analysis, this paper introduces a new quantum decomposition method GEECM, which is usually much faster than Shor's algorithm and pre-quantum decomposition algorithm. ?

First of all, summarize the main points and work of the article.

Question: Can RSA parameters be adjusted to make all known quantum attack algorithms infeasible, while encryption and decryption are still feasible?

The article revolves around "Will quantum computers really kill RSA?" Expand. Under the assumption that quantum computer is established and quantum bit operation is cheap, Shor algorithm is easy to destroy RSA. Shor's algorithm decrypts RSA public key N almost as fast as legitimate RSA users. When Shor algorithm uses quantum power module n. Shor algorithm, there is only a little overhead, and only a small gap between decryption cost and decomposition cost is generated. This paper will accelerate the development of RSA standard technology. When pushed to the limit, there will be a bigger gap between the legal RSA user cost and the attacker cost. For RSA in this paper, the attack cost is basically the quadratic of the use cost. These situations require careful analysis of the quantum algorithm of integer decomposition. The quantum decomposition algorithm GEECM is introduced. GEECM becomes one of the main limitations of post-quantum RSA parameter selection. These situations also need to carefully analyze the algorithm of RSA basic operation. Therefore, this paper introduces a new algorithm to generate a large number of independent uniform random prime numbers.

Second, discuss related technologies.

(1) post-quantum factorization: geecm (quantum ring algorithm, much faster than Shor algorithm and all pre-quantum factorization algorithms. A more efficient method is to use the best pre-quantum algorithm to find small prime numbers and use quantum technology to speed up these algorithms. )

Electronic interference ... Under the standard conjecture, ECM uses circular operation 2 ((LGY) (1/2+O (1)) to find the prime number p ≤ Y ... Based on the more detailed analysis of o( 1), it is concluded that the truncation value is below 2 30.

Eecm...ECM the latest variant of ECM. EECM selects Edwards curve: x 2+y 2 =1+d 2y 2 exceeds q, or selects a twisted Edwards curve with known twist point p; EECM also chooses a larger integer S, and uses Edwards' law of addition to calculate the multiple of P on the curve, especially the X coordinate x(sP) represented by a small part of the integer. The output of the ring algorithm is the numerator of this fraction. Generally speaking, the calculation needs (7+o( 1))lgs multiplication (more than half is square) and a considerable amount of addition and subtraction.

GEECM…… Quantum computers are used to speed up the same EECM calculation. Grover's method speeds up the search for the root of the function: if the input of the function F is the root of F with the probability of 1/R, the classical search evaluates R, while Grover's method evaluates F with a quantum value of about √ r. The input of the function F is the selection result of the EECM curve, and when the EECM result selected by the curve has the same nontrivial factor as N, its output is exactly 0. EECM finds the root of f through classical search; GEECM found the root of F by Grover's method. If S and Z are selected, then the input of F is the root of F, and the probability is1/L (1/2c+o (1)), so GEECM only uses the F( 1/4C+O( 1)) quantum of L. For c= 1/2, the expression c+ 1/4c takes its minimum value1; Then the total overhead is L (1+O (1)) loop operation. GEECM reduces the loop operation from l (√ 2+o (1)) to l (1+o (1)), where l = exp (logology) (1/2). For the same number of operations, GEECM increased logy by 2+o( 1), almost twice as much as the prime number that can be found.

Extensibility of registry system administrators

The post-quantum RSA public key n needs to be quite large to resist the attack described in the above post-quantum decomposition algorithm. This paper analyzes the scalability of the best algorithm that can be used for RSA key generation, encryption, decryption, signature generation and signature verification.

(1) Choose a small index. RSA public key operation is a module to calculate the power of n. The article takes e=3. Calculate the n-degree module n, and then multiply the n-degree module n and a constant by nn. Each step uses standard fast multiplication technique to perform (LGN) (1+O (1)) bit operation.

(2) multiple prime numbers. RSA's key operation is to calculate the root modulus n of eth.

This paper focuses on how to extend multiple RSA to a larger modulus n. After the birth of quantum computer, the main threats are GEECM and Shor algorithms. Therefore, RSA key generation, decryption and signature generation take (LGN) (1+O (1)) bit operation.

(3) Key generation. K- prime exponent -3RSA public key n is the product of k different prime numbers p, which is the same as modulo 2.

(4) encryption. Shoup's "RSA-KEM" and other latest mechanisms simply use RSA to encrypt n-bit random data, hash the random data to get a key, and use this key to encrypt and authenticate users' messages without any padding.

(5) decryption. In the case of post-quantum RSA, the speed of encryption is much slower than that of accelerated decryption.

(6) Signature generation and verification.

Third, point out the future research direction and unsolved problems.

1. A series of works show that large-scale secrets can prevent a limited number of bypass attacks and a limited number of malware vulnerabilities. It takes only a few hours for TB class to transmit through Gigabit Ethernet link, but the basic idea of this work is that sometimes the time and/or bandwidth of bypass channel and exit channel are limited, which may prevent attackers from extracting the required secrets. It is interesting to analyze the extent to which secrets in quantum RSA provide this protection. However, it should be noted that other parts of the system may destroy the positive answer, and these parts do not pay attention to expanding data.

2. Security issues and costs: Our batch generation algorithm shows that in order to help reduce energy consumption and protect the environment, all users of RSA (including users of traditional pre-quantum RSA) should entrust their key generation calculation to NIST or another trusted third party. This speed increase can also enable users to generate new RSA keys and delete old RSA keys more frequently, thus limiting the harm of key theft. However, all trusted third-party protocols will cause security problems, and it is very expensive for all known technologies to distribute or entrust RSA computing safely.

3. Integrate post-quantum RSA into standard Internet protocols (such as TLS). This integration is simple in concept, but it needs to solve many system-level challenges, such as various restrictions on the size of RSA keys allowed by encryption libraries.