Title of Invention

METHOD OF AND APPARATUS FOR DETERMINING A KEY PAIR AND FOR GENERATING RSA KEYS

Abstract

Method of and Apparatus for Determining a Key Pair and for Generating RSA Keys In a method of determining a pair of numbers comprising a first number and a second number, in which the first number may be a first key and the second number may be a second key of an encryption system and the second number is the multiplicative inverse with respect to a modulus of the first number, said modulus being equal to the product of a first prime number and a second prime number, the first number is selected first (100). Thereafter, a first sub- number (dp) for the second number (d) is computed as a multiplicative inverse of the first number (e) with respect to a first sub-modulus (110) that is equal to the first prime number minus 1 divided by the greatest common divisor of the first prime number minus 1 and the second prime num- ber minus 1. Then, a second sub-number (dq) for the second number (d) is computed as multiplicative inverse of the first number (e) with respect to a second sub-modulus (120) that is equal to the second prime number (q) minus 1, with said first sub-modulus and said second sub-modulus being relatively prime. Finally, the second number (d) is deter- mined using the first sub-number (dp) and the second sub- number (dq) by means of the Chinese remainder theorem (130). By utilization of the Chinese remainder theorem, the operation of forming the multiplicative inverse is trans- formed to two corresponding operations with shorter numbers and a fast combination step, so that an acceleration by the factor of 4 is obtained as compared to a method without Chinese remainder theorem.

Full Text

Description Method of and Apparatus for Determining a Key Pair and for Generating RSA Keys The present invention relates to the RSA cryptography algo- rithm and in particular to the generation of RSA keys. The RSA cryptosystem, named after its inventors R. Rivest, A. Shamir and L Adleman, is one of the most widespread public key cryptosystems. It can be used both for obtaining se- crecy and for generating digital signatures. Its security is based on the fact that the so-called integer factoriza- tion problem cannot be solved presently in algorithmically efficient manner. Before dealing with the RSA cryptosystem in more detail, some basic terms of cryptography shall be outlined first. Generally, a distinction is made between symmetric encryp- tion systems, also referred to as secret key encryption systems, and public key encryption systems. A communication system with two parties making use of en- cryption by means of symmetric keys, can be described as follows. The first party communicates its encryption key to the second party via a secure channel. The first party then encrypts the secret message by means of the key and trans- raits the encrypted message to the second party via a public or non-secured channel. The second party then decrypts the encrypted message by use of the symmetric key that was com- municated to the second party via the secure channel. An essential problem with such encryption systems resides in providing an efficient way of exchanging the secret keys, i.e. of finding a secure channel. In contrast thereto, asymmetric encryption is carried out as follows. A party desiring to receive a secret message . communicates its public key to the other party, i.e. the party from which it desires to receive a secret message. The public key is communicated via a non-secured channel, i.e. via a "public" channel. The party desiring to send a secret message receives the public key of the other party, encrypts the message using the public key and transmits the encrypted message again via a non-secured channel, and thus a public channel, to the party from which the public key was sent. Only the party that generated the public key is capable of making available a private key for decrypting the encrypted mes- sage. Not even the party that encrypted its message using the public key is in the position of decrypting the mes- sage. An advantage of this concept consists in that no se- cure channel, and thus no secret exchange of keys, is re- quired between the two parties. The party that decrypted the message need not and must not know the private key of the message recipient. A physically, analogous scheme to the asymmetric encryption concept or the public key encryption concept can be out- lined as follows. Consider a metal box with a lid secured by a combination lock. The combination is known only to the party desiring to receive an encrypted message. If the lock is left open and made available to the public, anybody de- siring to communicate a secret message may place this mes- sage in the metal box and close the lid. However, only the party providing the box knows the combination of the combi- nation lock. Only this latter party is in the position to decrypt the message, i.e. to reopen the metal box. Even the party that placed the message in the box can no longer re- trieve the same. Essential for asymmetric or public key encryption concepts is the underlying mathematical problem the solution of which is nearly impossible utilizing the public key for de- cryption, but the solution of which is easily possible knowing the private key. One of the most common public key cryptosystems is the RSA cryptosystem. The RSA cryptosystem is described in the "Handbook of Applied Cryptography", Menezes, van Oorschot, Vanstone, CRC Press 1997, pages 285 to 291. The first task consists in generating the keys for the RSA cryptosystem.. To this end, reference is made to Fig. 3. An entity that is to receive an encrypted message, in a first step 300 must generate first two large prime numbers p and q that preferably should have about equal quantities. Thereafter, in a step 310, the product of the two prime numbers is calculated, which is also referred to as modulus N. In addition thereto, Euler's j function is computed, which is equal to the product of (p-1) and (q-1). In a step 320, a random integer e is selected then, with e being se- lected such that e is greater than 1 and smaller than j, with the further condition that the greatest common divisor gcd of e and j is 1, i.e. that e and j are relatively prime. Thereafter, in a step 330 a number d is computed that has to fulfil the following equation: d is also referred to as multiplicative inverse with re- spect to modulus j and usually is computed using the ex- tended Euclidean algorithm, which is also described in the "Handbook of Applied Cryptography", page 67. d thus is a unique integer that is greater than 1 and smaller than j and thus fulfils the equation given. In a step 340, the public key is then output, with the pub- lic key comprising the modulus N and the number e. In con- trast thereto, the private key d is not output, but is stored in a step 350 in order to be utilized for decryption when the key-generating entity has received a message that is encrypted using the public key output in step 340. i In the following, reference is made to Fig. 2 in order to illustrate the RSA algorithm. The initial situation is that one communication partner encrypts a message M that has to be decrypted by the other communication partner. The en- crypting entity must first receive, in a step 200, the pub- lic key (N, e) in order to be able at all to send an en- crypted message to the other party. Following this, the en- crypting party, in a step 210, has to represent the message to be encrypted in the form of an integer M, with M having to be in the interval from 0 to N-l. In a step 220, which is the encryption step proper, the encrypting entity has to compute the following equation: C is the encrypted message. This message is then output in a step 230 and transmitted to the recipient of the en- crypted message via a public channel, designated 240 in Fig. 2. The recipient receives the encrypted message C in a step 250 and performs the following computation in a step 260, which is the decryption step proper: It can be seen from Fig. 2 that only the public key (N, e) is necessary for encryption, but not the private key d, whereas decryption requires the private key d. The question is now how an attacker can break the RSA cryptosystem. He knows the public key, i.e. N and e. In the same manner as shown in Fig. 3, he could now factorize the modulus N into a product of two prime numbers and then com- pute the secret key d in the same manner as it was done by the key-generating authentic party. To this end, the at- tacker would have to try all possible prime number pairs p', q' in order to sooner or later hit the private key d in consideration of e. With small prime numbers p and q, this problem is relatively easy to solve simply by trial. How- ever, if p and q, i.e. the modulus N that is the product of p and q, become increasingly greater, the various possi- bilities for the factorization of modulus N increase to as- tronomical extents. This is what the security of the RSA system is based on. It can be seen therefrom that secure cryptosystems must make use of very long numbers that may have a length of, for example, 512, 1024 or even up to 2048 bits. With increasing length of the prime numbers p and q, how- ever, the computation of the multiplicative inverse, i.e. of the private key d in step 330 of Fig. 3, becomes time- critical as well. To this end, the extended Euclidean algo- rithm is utilized the required computation time of which may also assume considerable orders of magnitude with in- creasing length of the relevant numbers. It is the object of the present invention to provide a more efficient concept for determining private keys. This object is met by a method of determining a key pair according to claim 1, a method of generating keys of an RSA encryption process according to claim 4, an apparatus for determining a key pair according to claim 5, and an appara- tus for generating keys for an RSA encryption process ac- cording to claim 6. The present invention is based on the finding that, in com- puting the multiplicative inverse using Euler's j func- tion, there is the problem that the two factors of Euler's j function, i.e. (p-1) and (q-1), are not relatively prime. This can be seen from that fact that prime numbers are odd numbers. If a value of "1" is subtracted from a prime num- ber, an even number results, such that the two factors (p- 1) and (q-1) are no longer relatively prime to this effect, as they now have at least the common divisor "2". Euclid's algorithm thus must be computed as set forth in Fig. 3 with respect to the prior art, using the number (p-1)(q-1) of the full bit length, so that this step becomes critical in terms of time. According to the invention, the multiplicative inverse is no longer computed using Euler's j function, but rather us- ing Carmichael's l function. Utilization of Carmichael's l function has the effect that two factors on the right-hand side of the equation for com- puting the multiplicative inverse are relatively prime, so that the Chinese remainder theorem, also referred to as CRT (CRT = Chinese Remainder Theorem), may be used. The Chinese remainder theorem and the algorithm of Garner are described e.g. on page 68 and pages 612, 613 in the "Handbook of Ap- plied Cryptography". However, the Chinese remainder theorem can be utilized only if relatively prime factors are pre- sent. In computing the private key d, i.e. the multiplicative in- verse, the Chinese remainder theorem permits that, instead of one computation with full bit length, two computations of half bit length as well as a fast combination of the re- sults of the two computations with half bit length need to be carried out. This procedure has the effect that the private key can be computed up to four times faster than in case of utiliza- tion of Euler's j function as in the prior art. An advantage of the present invention consists in that, with the same computation time, it is now possible to make use of considerably longer prime numbers and that the secu- rity of the RSA cryptosystem can thus be increased consid- erably. In contrast thereto, maintaining the same security stan- dards as in the prior art, an acceleration with respect to computation time efficiency by a factor of four can be ob- tained right at the critical point, namely the computation of the multiplicative inverse. Crypto processors imple- mented according to the present invention thus may contrib- ute to a considerable increase in efficiency of e.g. TPM modules (TPM = Trusted Platform Module) or security ICs. As an alternative, the method according to the invention may also be utilized in smart cards in which, due to the lim- ited computation capacity available on the smart card, com- promises are often made with respect to the prime number length and thus with respect to security. With the aid of the present invention, the security standards can be in- creased considerably, maintaining the same computation time. Due to the fact that the two CRT terms can be computed separately from each other, the two CRT terms may also be computed in parallel in two separate arithmetic units and may finally be "joined together", so that further savings in computation time may be achieved by parallel implementa- tion. A preferred embodiment of the present invention will be elucidated hereinafter with reference to the accompanying drawings in which Fig. 1 shows a block diagram of a preferred embodiment of the method according to the invention; Fig. 2 shows a summary of the RSA algorithm; and Fig. 3 shows a schematic flow chart for RSA key genera- tion. Fig. 1 shows a preferred embodiment of the method of deter- mining a key pair e, d, according to the invention, in which two prime numbers p, q are generated first, as is usual, which, multiplied by each other, result in the modulus N. In step 100, a first key e is selected then. Contrary to the prior art, however, the second key d is no longer computed using Euler's j function, but rather Carmi- chael's X function. Carmichael's X function is given as follows: X{N) = (p-1) (q-l)/gcd(p-l,q-l). The following relationship holds for Carmichael's X func- tion: Ml(N) = 1 mod N. The second key, i.e. the secret key d, then is computed on the basis of the known data e, p and q as follows: e x d = 1 mod kl{N) . For solving the above equation, i.e. for computing the multiplicative inverse d, the Chinese remainder theorem (CRT) may be used now since the factors (p-1)/gcd(p-l,q-l) and (q-1) now are relatively prime. By means of the Chinese remainder theorem, the problem of computing the multiplicative inverse d may now be split into the computation of two multiplicative inverses dp and dq and a combination step. To this end, dp first is computed so as to fulfil the fol- lowing defining equation: e x dp = 1 mod ((p-1)/gcd(p-l,q-l)]. Analogously thereto, dq can be computed using the following defining equation: e x dq = 1 mod (q-1) . Alternatively, the relatively prime factors could also be obtained in the opposite manner, namely as (q-1)/gcd(p-1,q-1). It is to be pointed out that, as known from the CRT, the two sub-keys dp and dq are half as long as the second key d proper. It is to be pointed out that the steps 110 and 120 of Fig. 1 make use of two different sub-moduli. The first sub- modulus in step 110 reads: (p-l)/gcd(p-l,q-l). The second sub-modulus in step 120 merely reads: (q-1). It can be seen that the two sub-moduli are relatively prime due to the gcd function, so that the CRT will be success- ful. The two sub-keys dp and dq then are combined in a step 130 using the Chinese remainder theorem (CRT) in order to thus generate the second or private key d. To this end, an auxiliary quantity xp is computed first, which is defined by the following equation: xp = (dp - dq) x [(q-1)-1 mod (p-1)/gcd (p-q, q-1) ] mod (p-1)/gcd(p-l,q-l). The inverse computation and the gcd computation in the above quotation are carried out using numbers of half length, which has the effect that these steps are less time-critical. The second key or private key d then results as follows: d = dp + xp x (q-1) mod l(N) . It is to be pointed out that the modular reduction with mod l(N) in the above equation need not be carried out any more, as d already is in the remainder class without reduc- tion. When the present invention is utilized for RSA key genera- tion, the latter improves in terms of its complexity in time, since the computation of multiplicative inverses, by way of the extended Euclidean algorithm, needs to be car- ried out with half bit length only as regards modulus N. The computation of the secret key d by means of the Chinese remainder theorem is faster by the factor of 4 as compared to the situation using no Chinese remainder theorem since, instead of using Euler's j function for computing the key pair e and d, Carmichael's l function is utilized as the same can be represented as a product of two relatively prime factors which then constitute the two sub-moduli for the Chinese remainder theorem. It is to be pointed out that the concept according to the invention cannot only be utilized,for RSA key generation, but in all situations in which a multiplicative inverse to a number is to be computed, with the modulus consisting of two or more factors that are not relatively prime with re- spect to each other. Carmichael's l function at all times will have the effect that the multiplicative inverse with respect to a modulus can be obtained using the Chinese re- mainder theorem as there are now relatively prime factors present that can be employed as sub-moduli. WE CLAIM: 1. An apparatus for determining a pair of numbers comprising a first number (e) and a second number (d), the second number (d) being the multiplicative inverse with respect to a modulus (N) of the first number (e), said modulus (N) being equal to the product of a first prime number (p) and a second prime number (q), wherein the first number (e) and the second number (de) are part of a key pair, a first key (e) serving together with the modulus (N) as a public key and a second key (d) serving as a private key of an asymmetric encryption system, said apparatus comprising: means for selecting the first number (e); means for computing a first sub-number (dp) for the second number (d) as a multiplicative inverse of the first number (e) with respect to a first sub-modulus that is equal to the first prime number (p) minus 1 divided by the greatest common divisor of the first prime number (p) minus 1 and the second prime number (q) minus 1; means computing a second sub-number (dq) for the second number (d) as multiplicative inverse of the first number (e) with respect to a second sub- modulus that is equal to the second prime number (q) minus 1, with said first sub-modulus and said second sub-modulus being relatively prime; and means for determining the second number (d) using the first sub-number (dp) and the second sub-number (dq) by means of the Chinese remainder theorem. 2. The apparatus as claimed in claim 1, wherein said computing means is configured to use extended Euclidean process for computation of said first sub- number (dp) and said second sub-number (dq). 3. The apparatus as claimed in the preceding claims, wherein said means for determining the second number (d) and the second sub-number (dq) is configured to use the following equations: d =dq + xpx(q-1) wherein dp is the first sub-number; dq is the second sub-number; q is the first prime number; p is the second prime number; gcd designates the operation "greatest common divisor"; mod designates the modular operation; and xp is an auxiliary quantity. 4. An apparatus for generating keys for an RSA encryption system, comprising: means for selecting two prime numbers (p, q); means for computing the product (N) of the prime numbers; means for determining a pair of numbers, wherein said means for determining a pair of numbers is adapted to : select a first number (e); compute a first sub-number (dp) for a second number (d) as a multiplicative inverse of the first number (e) with respect to a first sub-modulus that is equal to the first prime number (p) minus 1 divided by the greatest common divisor of the first prime number (p) minus 1 and the second prime number (q) minus 1; compute a second sub-number (dq) for the second number (d) as multiplicative inverse of the first number (e) with respect to a second sub-modulus that is equal to the second prime number (q) minus 1, with said first sub-modulus and said second sub-modulus being relatively prime; and determine the second number (d) using the first sub-number (dp) and the second sub-number (dq) by means of the Chinese remainder theorem, wherein the first number (e) and the second number (d) are part of a key pair, a first key (e) serving together with the modulus (N) as a public key and a second key (d) serving as a private key of the RSA encryption system; means for outputting said product (N) and the first number (e) of said pair of numbers as public key; and means for storing the second number (d) as private key. Method of and Apparatus for Determining a Key Pair and for Generating RSA Keys In a method of determining a pair of numbers comprising a first number and a second number, in which the first number may be a first key and the second number may be a second key of an encryption system and the second number is the multiplicative inverse with respect to a modulus of the first number, said modulus being equal to the product of a first prime number and a second prime number, the first number is selected first (100). Thereafter, a first sub- number (dp) for the second number (d) is computed as a multiplicative inverse of the first number (e) with respect to a first sub-modulus (110) that is equal to the first prime number minus 1 divided by the greatest common divisor of the first prime number minus 1 and the second prime num- ber minus 1. Then, a second sub-number (dq) for the second number (d) is computed as multiplicative inverse of the first number (e) with respect to a second sub-modulus (120) that is equal to the second prime number (q) minus 1, with said first sub-modulus and said second sub-modulus being relatively prime. Finally, the second number (d) is deter- mined using the first sub-number (dp) and the second sub- number (dq) by means of the Chinese remainder theorem (130). By utilization of the Chinese remainder theorem, the operation of forming the multiplicative inverse is trans- formed to two corresponding operations with shorter numbers and a fast combination step, so that an acceleration by the factor of 4 is obtained as compared to a method without Chinese remainder theorem.

Documents:

688-kolnp-2003-granted-abstract.pdf

688-kolnp-2003-granted-claims.pdf

688-kolnp-2003-granted-correspondence.pdf

688-kolnp-2003-granted-description (complete).pdf

688-kolnp-2003-granted-drawings.pdf

688-kolnp-2003-granted-examination report.pdf

688-kolnp-2003-granted-form 1.pdf

688-kolnp-2003-granted-form 18.pdf

688-kolnp-2003-granted-form 2.pdf

688-kolnp-2003-granted-form 5.pdf

688-kolnp-2003-granted-gpa.pdf

688-kolnp-2003-granted-priority document.pdf

688-kolnp-2003-granted-reply to examination report.pdf

688-kolnp-2003-granted-specification.pdf

688-kolnp-2003-granted-translated copy of priority document.pdf