Abstract—Two methods are proposed to speed up the Batch RSA decryption. The first method (BMRSA- Batch Multi-Prime RSA) speeds up the Batch RSA decryption by reducing modules in modular exponentiation. Another method (BEARSA- Batch Encrypt Assistant RSA) speeds up the Batch RSA decryption by transferring some decryption computations to encryption. The solutions improve the performance without decreasing security of Batch RSA. The experimental results show that the speed of the Batch RSA decryption has been substantially improved by above two methods.

I. INTRODUCTION SA is the most commonly used public key cryptosystem [1]. RSA is typically used with a small

public exponent and a very large private exponent. Thus, decryption costs are significantly bigger than encryption costs. Fiat [4] is the first to propose speeding up RSA decryption via batching .Batch RSA [3][4] waits for more than one RSA decryption and performs one big computation for all decryptions. It can spare a lot of running time capacity, being able to perform more decryptions. In this paper, two methods are proposed to improve further the Batch RSA decryption. The first method improves the decryption performance by the Multi-Prime RSA [2] [3] technique. Multi-Prime RSA speeds up the Batch RSA decryption by reducing the size of the moduli. Another method speeds up the decryption by shifting some work to the encryption based on RSA-S1 system [5][6] and the exponent of decryption becomes some small numbers. Two methods make the Batch RSA decryption obtain better performance and further speed up the RSA decryption. New methods cannot only speed up RSA decryption but also guarantee the security of RSA cryptosystem.

The experimental results show that the first method can achieve an average factor of 2.46 speedup compared to Batch RSA from 1024- to 3072-bit. Another method can get the best factor of 3.24 speedup to original Batch RSA from 1024- to 3072 -bit. The methods efficiently utilize the Multi-Prime

This work has been supported by the National Science Foundation of China under Grant No. 60963007 , by the Middle-aged Backbone Teacher Training Program of Yunnan University No. 2113204 and by the Science Foundation of Yunnan Province, China under Grant No. 2007F008M and by the Key Subject Foundation of School of Software of Yunnan University and the Open Foundation of Key Laboratory of Software Engineering of Yunnan Province under Grant No. 2010KS01.

Yunfei Li is with the School of Information Science and Engineering, University of Yunnan, China, KM 650091 China.

Qing Liu is with the School of Software, University of Yunnan, China, KM 650091 China.

Tong Li is with the School of Software, University of Yunnan, China, KM 650091 China.

Wenming Xiao is with the School of Information Science and Engineering, University of Yunnan, China, KM 650091 China.

RSA and RSA-S1 system, giving full play to the advantage of Batch RSA decryption to further improve the performance of RSA decryption.

The paper is organized as follows. In section 2, two methods to speed up Batch RSA decryption are proposed and security is also discussed in this section. In section 3, the experimental results are presented and the performance is analyzed. Section 4 concludes the paper.

II. THE PROPOSED METHODS In this section, two methods to speed up Batch RSA

decryption are proposed and are respectively called BMRSA (Batch Multi-Prime RSA) and BEARSA (Batch Encrypt Assistant RSA) in the paper. BMRSA effectively combines Multi-Prime RSA and Batch RSA. BEARSA effectively abstracts RSA-S1 system advantages.

A. BMRSA Fiat [4] generalized the decryption of a batch of RSA

ciphertexts. Computation process is as a binary tree and performs computation in two phases, traversing the tree from leaf to root and then back again and the scheme only needs to perform a full exponentiation. In this subsection, BMRSA for improving the full exponentiation is described with four phases: Setup, Percolate-Up, Exponentiation-Phase and Percolate-Down. 1) Setup: Given a security parameter n and two additional parameters b and k as input. b is the number of moduli N prime factors and k is the batch size.

--First, generate b distinct primes 1 , , bp p each /n b⎢ ⎥⎣ ⎦

bits. Compute 1bi iN p== ∏ , 1( ) ( 1)b

i iN pϕ == ∏ − . --Second, pick k distinct and pairwise relatively prime public keys 1, , ke e as input .The public exponents e should be very small (e.g., 3 and 5).Otherwise, the extra arithmetic required is too expensive. Each ie computes,

for 1 i k≤ ≤ , 1 mod ( )i id e Nϕ−= ,at same time, compute

1 2 mod ( )kd d d d Nϕ⋅= ⋅ .

--Third, compute mod 1pi id d p= − , for 1 i b≤ ≤ . The

private key is 1, ,...,p pbN d d< > and the public key is

, iN e< > for each encryption, for1 i k≤ ≤ .

--Fourth, k encrypted messages 1, ..., kv v are computed by

(mod )iei iv m N= ,where im is the plaintext message.

Computation process is as a binary tree with k leaves, and every inner node has two children. 2) Percolate-Up: In the Percolate-Up phase, nodes in the tree deal with pairs (V,E) where the component called V is a value,

Two Efficient Methods to Speed up the Batch RSA Decryption Yunfei Li, Qing Liu, Tong Li, Wenming Xiao

R

469

Third International Workshop on Advanced Computational Intelligence August 25-27, 2010 - Suzhou, Jiangsu, China

978-1-4244-6337-4/10/$26.00 @2010 IEEE

and the component called E is an exponent. The goal is to obtain /

1 (mod )iE eki iV NV == ∏ , where 1 (mod )k

i iE e N== ∏ .

--First, assign to each leaf node a public exponent iE e=

and iV v= . Pass (V, E) upward. --Second, each interior node combines results passed upward from children into a result. It can pass further upward. The left-hand and right-hand children yield the results ( LV , LE ) and ( RV , RE ), and interior node computes

(mod )R LE EL RV V V N= ⋅ , R LE E E= ⋅ and passes (V,E)

upward, storing ( LV , LE ) and ( RV , RE ) for use during Percolate-Down

--Third, the root node terminates the process .The result (V, E) of root is: /

1 (mod )iE eki iV NV == ∏ and

1 (mod )ki iE e N== ∏ .The Percolation-Up phase can be

deployed in the encryption process. 3) Exponentiation-Phase: In the exponentiation phase, the Eth root of V is the d that has been computed in the Setup phase. Calculate 1/ (mod ) (mod )E dr V N V N= ≡ and store it for use during the downward percolation. This paper improves the performance of the Batch RSA decryption by improving the speed of (mod )dV N that is the most time-consuming operation in the Batch RSA decryption. The Chinese Remainder Theorem (CRT) [10] and Multi-Prime RSA are used to compute the r. Improvement process is as follows:

--First, compute piC by the mod( )pi iC V p= , for1 i b≤ ≤ , where V is the result of Percolation-Up.

--Second, compute piM by the modpidpi pi iM C p= ,

for1 i b≤ ≤ , where pid has been computed in the Setup phase.

--Third, compute 1 2 1 1/i i i i by N p p p p p p− += =

and 1( (mod ))i i i in y y p−= × , for each i, 1 i b≤ ≤ . --Fourth, using the CRT to combine the iM ’s to obtain

1/1 1 (mod )E d

p pb br V V M n M n N== = × + + × .

The exponentiation yields 1/1/1

ieE ki iV V== ∏ , which stores

as r in the root node.

4) Percolate-Down: During the Percolation-Down phase, nodes in the tree deal with values called r.

--First, the root node passes the r that has been computed during Percolation-Up downward to the single child. --Second, an interior node has the r passed downward and needs to break it up to pass down further and computes

/ ( )(mod )R Lt ttR L Rr r V V N= ⋅ and / (mod )L Rr r r N= ,

where t is a value obtained via CRT based on 0(mod )Lt E≡ and 1(mod )Rt E≡ . /L Lt t E= and

( 1) /R Rt t E= − . Pass Lr and Rr downward to the left-hand and right-hand children. --Third, the leaf node terminates the process and the k-th node has 1/ (mod )ie

i ir M C N= = .All plaintext messages are obtained in the leaf nodes of binary tree.

At the end of the Percolate-Down process, each leaf’s r contains the decryption of the v placed there originally. Only one large full size exponentiation is needed, instead of k of them. The large exponentiation is divided to b small exponentiation by CRT in the BMRSA. BMRSA improves the performance of Batch RSA decryption by speeding up the exponentiation phase. BMRSA obtains higher decryption performance. BMRSA obtains high performance for decryption in following experiments.

Using basic RSA algorithm computing moddC N takes time 2(log log )O d N . When d is on the order of N the running

time is 3(log )O N .Therefore, using CRT RSA computing

moddC N takes 3(log / 2)O N and the asymptotic speedup of BMRSA over Batch RSA is simply:

3 3 2/2(log / 2) (log / ) / 4N b N b b=

For the BMRSA follow experiments, b is 4, which gives a theoretical speed up of approximately 4 over Batch RSA. BMRSA experimental results show that a speedup can be obtained by an average factor of 2.46 from 1536- to 3072-bit over Batch RSA. 5) Security: The security of BMRSA depends on the size of the used primes. It depends on the difficulty of factoring integers of the form 1

bi iN p== ∏ for b>2.The fastest known

factoring algorithm cannot take advantage of this special structure of N [3].However, one has to make sure that the prime factors of N do not fall within the range of the Elliptic Curve Method [8], because 256-bit factors would be within the range of RSA-512 factoring project, using Elliptic Curve Method[3].Consequently, with a bit length of 1024 modules, it is not secure anymore to use a decomposition of more than three primes. When the value of b parameter is chosen in the new variant, one should make sure that the prime factors of N are bigger than 256-bit. In the following experiments, the key sizes of tested algorithms are from 1536- to 3072- bit, and b chooses 4 to make the prime factors of N bigger than 341-bit. So the security of BMRSA can be guaranteed.

B. BEARSA BEARSA speeds up the Batch RSA decryption by a

technique which shifts some decryption computations to encryption. The technique is based on RSA-S1 system [5][6] [11] and the system was originally proposed as a way to reduce load on small devices (smartcards) by shifting some heavy-weight cryptographic computation to more powerful server-host computers equipped with smartcard readers. The detail of the RSA-S1 system is as follows:

--First, the client randomly generates an integer vector 1 2( , , ..., )lD d d d= and a binary vector

1 2( , ,..., )lf f f f= .The RSA private exponent d is

represented as: 1 1 ... (mod ( ))l ld f d f d nϕ= + + . --Second, the client sends n, D and x to the server.

470

--Third, the server computes 1 2( , ,..., )lZ z z z= and sends Z back to the client, where (mod )id

iz x n= . --Fourth, the client obtains M by computing:

1 (mod ) (mod )ifl di iM z n x n== ∏ = .

BEARSA based on the RSA-S1 system is described as Batch RSA with four phases: Setup, Percolate-Up, Exponentiation-Phase and Percolate-Down. 1) Setup: Given a security parameter n and three additional parameters l, k and c as input. k is the batch size.

--First, compute two distinct primes p, q each one / 2n⎢ ⎥⎣ ⎦ bits and generate N=pq and ( ) ( 1)( 1)N p qϕ = − − . --Second, taken k distinct and pairwise relatively prime public keys 1, , ke e as input .The public exponents e

should be very small (e.g.,3 and 5). Each ie computes,

for 1 i k≤ ≤ , 1 mod ( )i id e Nϕ−= ,at same time, compute

1 2 mod ( )kd d d d Nϕ⋅= ⋅ . Represent the d as follows:

1 1 ... ... (mod ( ))i i l ld d f d f d f nϕ⋅ ⋅ ⋅= + + + +

Where the id ’s and if ’s, 1 i l≤ ≤ , are random vector elements of c and |n| bits, respectively. The choice and security of parameters: l and c are discussed later. In the paper, the l’s value is 2 and the d representation becomes:

1 1 2 2 (mod ( ))d d f d f nϕ⋅ ⋅= + .

--Third, the private key is 1 2, ,N d d< > and the public key is 1 2, , ,iN e f f< > for each encryption, for1 i k≤ ≤ .

--Fourth, k encrypted messages 1, ..., kv v are obtained by

(mod )iei iv m N= ,where im is the plaintext message.

Computation process is as a binary tree with k leaves, and the private key d is divided into 4 vectors, for l=2. Two big vectors are computed in encryption phase. Another two small vectors are computed in the Exponentiation Phase. In this way, lots of Batch RSA decryption computations are transferred to the multiple encryptions. 2) Percolate-Up: The paper chooses detailed data (batch size k=4 and l=2) to more clearly describe Percolate-Up process of BEARSA. The steps of Percolate-Up, for k=4 and l=2, are as follow:

-- Step1: Assign to four leaf nodes ( , )i iV E and , iV is a

ciphertext and iE is a public exponent ,for1 4i≤ ≤ . --Step2:The inner nodes respectively compute

2 11 2 (mod )E E

LV V V N= ⋅ and 5 2 1E E E= ⋅ ,

343 4 (mod )EE

RV V V N= ⋅ and 6 4 3E E E= ⋅ .Pass

5( , )LV E and 6,( )R EV upward, storing them for use during Percolate-Down .

--Step3: Compute 1 (mod )fa LV V N= and

1 (mod )fb RV V N= ，where LV and RV have been computed

in Step2.Using same way to compute the ( , )c dV V ,where 2 (mod )f

c LV V N= and 2 (mod )fd LV V N= . The 1f and

2f have been computed in the Setup phase.

--Step4: The root node computes 6 5 (mod )E Ee a bV V V N= ⋅

, 5 6E E E= ⋅ and 6 5 (mod )E Ef c dV V V N= ⋅ , storing

them for using in Exponentiation phase .The root node terminates the process and the result is:

1 (mod )f

eV V N= and 2 (mod )f

fV V N= ,

where /41 (mod )iE e

i iV V N=∏= . Fig 1 shows the

Percolate-Up process for 1 (mod )f

eV V N= .

3) Exponentiation-Phase: In the exponentiation phase, the Eth root of V is the d .It has been computed and is represented as 1 1 2 2 (mod ( ))d d f d f nϕ= ⋅ + ⋅ in the Setup phase. Compute

the 1/ (mod )E dr V V N= = ,and 1 1 2 2 (mod )d f d fr V N⋅ + ⋅= .r

can be represented : 1 2( ) (mod ) ( ) (mod )d de fr V N V N≡ ⋅

according to Percolate-Up. So, the computation process of r is divided into two parts which are 1( ) (mod )d

eV N and 2( ) (mod )d

fV N . Firstly, the steps of computing 1( ) (mod )deV N

by using CRT are as follows:

--First, calculate peC and qeC by the modpe eC V p= and

modqe eC V q= ,where eV is the result of Percolation-Up.

--Second, compute peM and qeM by

the 1 moddpe peM C p= and 1 modd

qe qeM C q= ,where 1d has been computed in the Setup phase. --Third, compute 1 /y N p q= = and 2 /y N q p= =

11 1 1( (mod ))n y y p−= × , and 1

2 2 2( (mod ))n y y q−= × .

--Fourth, using the CRT to combine the peM and qeM to

obtain 11 2 (mod )d

e pe qeV M n M n N= × + × .

The value of 2( ) (mod )dfV N can be also obtained by the

above same steps. The final r is computed by 1 2 modd d

e fr V V N≡ ⋅ . The exponentiation yields 31 2 41/1/ 1/ 1/

1 2 3 4 (mod )EE E Er V V V V N≡ ⋅ ⋅ ⋅ .Store r for using in the downward percolation. In the phase, the CRT is used twice to compute 1( ) (mod )d

eV N and 2( ) (mod )dfV N . A full

exponentiation of original Batch RSA is divided into four small exponentiations and the Batch RSA decryption performance is improved.

471

4) Percolate-Down: This is the same method used in BMRSA Percolate-Down phase.

At the end of the Percolate-Down process, each leaf’s r contains the plaintext. The large exponent is divided into 4 c-bit exponents. BEARSA improves the performance of Batch RSA decryption by reducing the exponent in the exponentiation phase. BEARSA obtains high decryption performance.

Considering RSA using CRT computing moddC N takes time 3(log / 2)O N . The asymptotic speedup of BEARSA, for l=2, over Batch RSA is simply:

log / 2 2N c⋅ ⋅

, where c is the bit size of vector 1d or 2d .For 1536-bit BEARSA, c is 128-bit, which gives a theoretical speed up of approximately 3.00 over Batch RSA. 5) Security: The security of BEARSA depends on the security offered by many private exponents id , for 1 i l≤ ≤ .To guarantee the security of BEARSA, one has to require for the method to be infeasible to deduce value d via brute force, since an attacker with knowledge of some one would be able to factor modulus N and thereby break RSA. Given a vector 1,..., lf f< > ,a search through all possible values of id would reveal d. Because there are l c-bit vector elements, one has to make sure that the search space of 2l c×

values is large enough to prevent such an exhaustive search. When the values of the parameters c, l are chosen, one has to make the difficulty of exhausting the resulting search space at least equivalent (or harder than) to breaking the underlying RSA cryptosystem. Exhaustive search of 2l c× values is equivalent to searching for all possible keys in a symmetric-key cryptosystem. Thus, based on the RSA key size used, one has to make sure that the symmetric key size can provide equivalent security. Lenstra and Verheul give formulas for determining such keys [7] [6][11]. RSA with 1024- and 1536-bit keys by the above formulas would be roughly equal in strength to a symmetric-key cryptosystem with 72- and 80-bit keys [6], respectively. The EAMRSA values c and l were selected based on the key size formulas in [7] [6], and l c× corresponds to a symmetric key comparable in strength to the corresponding RSA key. In the following experiments, the key size of tested algorithms is from 1024- to 3072-bit, parameter c chooses 128- or 64-bit, and l=2, making the value of l c× much larger than the value based on key size formulas in [7][6] .Thus, the security level of the private keys of the method is greatly enhanced by the above scheme. A

conclusion is reached, that is, BEARSA can provide services of high security and high speed.

III. PERFORMANCE AND EXPERIMANTAL RESULTS

A. Experiment set-up The speedup is measured by the execution time of RSA

decryption in the paper. These test algorithms were written by using the OpenSSL[9] cryptographic library (version 0.9.8 k). The hardware platform was a 1.5GHz Intel(R) Celeron(R) M processor with 512 MB RAM running Windows XP Professional. In the experiment, the algorithms were called different names according to different parameters and values of the parameters. B4EA1RSA and B4EA6RSA in the paper respectively indicate the BEARSA of the parameters k=4, l=2 and c=128-bit and the parameters k=4,l=2 and c=64-bit. BM4RSA indicates the BMRSA of the parameter k=4 and the parameter b=4. Four small public key exponents are used and they are 1 3e = , 2 5e = , 3 7e = and 4 11e = in the experiments. The RSA keys of 1024, 1536, 2048, 2304, 2560, 2816, and 3072 bits were used so as to test method performance with both current and future security.

B. BMRSA Experimental Results In the subsection, BMRSA experimental results and

performance are discussed. Table 1 lists the average decryption time for the four moduli with two RSA variants.

Table 2 shows the speedups for the four moduli with BM4RSA to the Batch RSA. Table 2 also lists the improved speedup of the BM4RSA compared to the Batch RSA. The average improved factor of speedup is 2.46 from 1536- to 3072-bit.BMRSA improves the performance of Batch RSA decryption based on the Multi-Prime RSA and can get high speedup to the Batch RSA.

Fig 2 shows the relationship between the varying sizes of

the BM4RSA and the decryption speedup to Batch RSA, when b=4 and k= 4. Fig 2 also shows that when k and b is fixed, the key size becomes bigger and the speedup of BM4RSA decryption to Batch RSA will be higher.

C. BEARSA Experimental Results In the subsection, BEARSA experimental results and

performance are analyzed. Table 3 lists the average decryption time for the five moduli with three RSA variants.

TABLE II SPEEDUP RELATED TO DECRYPTION FOR BATCH SIZE =4

Variant Speedup to Batch RSA

1536 2048 2560 3072 Average BM4RSA 1.96 2.23 2.87 2.79 2.46

TABLE I DECRYPTION TIME FOR BATCH SIZE=4

Variant Decryption Time(msec)

1536 2048 2560 3072 BM4RSA 29 39 54 78 BatchRSA 47 87 155 218

E7=1155

E5=15 E6=77

E1=3 E2=5 E3=7 E4=11

1/ 3 / 5 / 7 /11( 1 2 3 4 )

f

e

E E E EV v v v v= ⋅ ⋅ ⋅

3 5 7 11E e← = ⋅ ⋅ ⋅

,1 1fv 2 1, fv

1,3 fv 1,4 fv

151

fV v

⋅= 13

2f

V v⋅

= 1113

fV v

⋅= 17

4f

V v⋅

=

1)5 3

( 1 2f

aV v v= ⋅ 111)

7( 3 4

f

bV v v= ⋅

77 15 1) ) )5 3 11 7

(( (1 2 3 4f

eV v v v v= ⋅ ⋅ ⋅

R LE E E← ⋅

R LE EL RV V V← ⋅

Fig. 1. BERSA Percolate-Up,For b=4

472

Table 4 shows the speedups for the five moduli with two BEARSA variants to the Batch RSA. The B4EA6RSA got the highest speedup.

Fig 3 shows the relationship between the varying size of

B4EA1RSA and B4EA6RSA and the decryption speedup. The results show that when the key becomes larger, the B4EA6RSA results will be better.

Fig 3 also shows that when l is fixed, increasing c will

lower system performance. BEARSA transfers some computations of exponentiation to encryptions to speed up the Batch RSA decryption. The methods can get higher speedup to Batch RSA decryption.

IV. CONCLUSION In this paper, two methods to speed up Batch RSA

decryption were proposed. The first method improves the decryption performance by reducing the modulus. Another method speeds up decryption by shifting some work to encryption. Two methods improve the Batch RSA decryption performance in the exponentiation phase. The methods can be easily implemented and can guarantee security and get higher Batch RSA decryption speedup. The next study will focus on: How to optimize the parameters of the methods to make the variant get higher performance and security.

REFERENCES [1] R. Rivest,A. Shami and L. Aldeman, “A Methoed for Obtaining

DigitalSignatures and Public-key Cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120-126, 1978.

[2] T. Collins, D. Hopkins, and M. Sabin, “Public Key Cryptographic Apparatus and Method,” U.S. Patent 5 848 159, Jan,1997.

[3] D.Boneh and H.Shacham, “Fast Variants of RSA,” RSA Laboratories Cryptobytes Rep,2002, vol. 5 no. 1, pp. 1-8.

[4] A .Fiat , “Batch RSA,” in Proc. LNCS Conf. Crypto ’89, Berlin, 1989, pp. 175-185.

[5] T.Matsumoto,K.Kato, “Speeding up secret computations with insecure auxiliary device,” in Proc. Springer-Verlag Conf. the 8th Annual International Crypto Conference on Advances in Cryptology, London, 1988, pp. 497-506.

[6] C .Castelluccia, E. Mykletun, and G. Tsudik. “Improving secure server performance by re-balancing SSL/TLS handshakes,” in Proc. ACM Conf. ACM Symposium on Information, computer and communications security, New York, 2006, pp. 26-34.

[7] A. K. Lenstra and E. R. Verheul, “ Selecting cryptographic key sizes,”The journal of the International Association for Cryptologic Research, vol. 14, no. 4, pp. 255-293, 2001.

[8] R. Silverman and S. Wagstaff Jr, “ A Practical Analysis of the Elliptic Curve Factoring Algorithm,”Math.Comp, vol. 61, no. 203, pp. 445–462, Jul. 1993.

[9] J. Viega, M. Messier and P. Chandra, Network Security with OpenSSL . O’Reilly,2002.

[10] J-J. Quisquater and C. Couvreur, “Fast decipherment algorithm for RSA public-key cryptosystem,”Eletronic Letters, vol. 18, no. 72, pp. 905–907, 1982.

[11] L.Yunfei, L.Qing and L.Tong,“Design and Implementation of an Improved RSA Algorithm,” in Proc. IEEE Conf. e-Health Networking, Digital Ecosystems and Technologies, Shenzhen, 2010, pp. 390-393.

TABLE IV SPEEDUP RELATED TO DECRYPTION

Variant Speedup to Batch RSA

1024 1536 2048 2560 3072 Average B4EA1RSA 2.00 2.94 2.72 3.37 3.11 2.83 B4EA6RSA 2.26 3.13 2.81 3.97 4.04 3.24

TABLE III DECRYPTION TIME FOR BATCH SIZE=4

Variant Decryption Time(msec)

1024 1536 2048 2560 3072 B4EA1RSA 8 16 32 46 70 B4EA6RSA 7 15 31 39 54Batch RSA 16 47 87 155 218

Fig. 2. Decryption speedup when varying key size

Fig. 3. Two BEARSA decryption speedup when varying key size

473