[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Ephemeral RSA

To: Ashar.Aziz@eng.sun.com, rubin@faline.bellcore.com
Subject: Ephemeral RSA
From: hugo@watson.ibm.com
Date: Wed, 14 Dec 94 21:35:41 EST
Cc: ipsec@ans.net, yacov@faline.bellcore.com

Ref:  Your note of Wed, 14 Dec 94 14:50:06 PST (attached)

Ashar says:

>> However, if you consider a public key cryptosystem
>> where key-pair generation is an efficient operation,
>> (RSA does not qualify), then one could generate
>> ephemeral public-private key pairs of this cryptosystem,
>> and use that to communicate session keys.

Just for the amusement: if you count ONLY real-time
operations, then using ephemeral RSA keys is significantly
more efficent than DH.
A chooses off-line two RSA primes and computes their product n.
Then for key exchange A sends n to B.
B encrypts a key using RSA with the public key n and sends it to A.
A decrypts to find the key.

The on-line cost is two multiplications (with public exponent 3) for B,
and one RSA decryption for A (the later is up to 4 times faster than
 a single DH exponentiation using the Chinesse Remainder Thm).
This is about 8 times less computation than the two (real-time)
exponentiations required by DH.

Hugo

Prev by Date: Re: Proposal: Perfect forward secrecy a MUST
Next by Date: Re: Re[2]: key management
Prev by thread: Re: Diffie-Hellman, IPsec, etc.
Next by thread: Re: Ephemeral RSA
Index(es):
- Main
- Thread