为什么RSA解密过程比加密过程需要更长的时间?
我有一些想法,这是由于一些复杂的计算,但我想知道到底发生了什么,这比相应的加密过程需要更长的时间。任何网页或论文的链接都会有很大帮助。
感谢
感谢您的回答,还有一个疑问,签名和验证呢?签名和验证也会有这个时间差吗?前任。签名比验证需要更多时间?
I have some idea that it is due to some complex calculation, but i want to know about what exactly happens which takes long time than the corresponding encryption process. Any link to webpage or paper would be of great help.
Thanks
Thanks for the answers, One more Doubt, What about the Signing and verification? Will this time difference be there for Signing and verification also? Ex. Signing requires more time than Verification?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(8)
我们分别将 n、d 和 e 称为 RSA 模数、私有指数和公共指数。 RSA解密速度与(log d)(log n)2成正比(即模数长度的二次方,私有指数长度的线性) 。同样,RSA加密速度与(log e)(log n)2成正比。私钥持有者还知道 n 的因式分解,它可用于将私钥操作速度加快约 4 倍(使用 中国剩余定理)。有关所涉及算法的详细信息,请参阅应用密码学手册,特别是第14章( “高效实施”)。
为了获得适当的安全性,私有指数 (d) 必须很大;已经表明,如果它小于模数长度 (n) 的 29%,则可以重建私钥。我们不知道避免此类弱点的最小长度是多少,因此实际上 d 的长度将与 n 的长度大致相同。这意味着解密大约是 n 长度的立方。
同样的规定不适用于公共指数 (e),只要符合 RSA 规则,公共指数可以尽可能小(e 必须是对于 n 的所有质因数 r 而言,与 r-1 互质。所以习惯上选择一个非常小的e。习惯上,广泛部署的实现无法处理大的公共指数。例如,如果 e 不适合 32,则 Windows CryptoAPI 中的 RSA 实现(例如,当连接到具有 RSA 服务器证书的 HTTPS 站点时,Internet Explorer 使用的实现)无法处理 RSA 公钥。位。 e=3 是最好的,但 e=65537 是传统的(这是一种历史性的错误,因为如果 RSA 是,非常小的指数可能会导致明显的弱点)在没有适当和标准填充的情况下使用,无论如何都不应该这样做)。 65537 是一个 17 位长整数,而 n 和 d 的典型长度将为 1024 位或更多。这使得公钥操作(消息加密、签名验证)比私钥操作(消息解密、签名生成)快得多。
Let's call n, d and e the RSA modulus, private exponent and public exponent, respectively. The RSA decryption speed is proportional to (log d)(log n)2 (i.e. quadratic in the length of the modulus, and linear in the length of the private exponent). Similarly, the RSA encryption speed is proportional to (log e)(log n)2. The private key holder also knows the factorization of n, which can be used to speed up private key operation by a factor of about 4 (with the Chinese Remainder Theorem). For details on the involved algorithms, see the Handbook of Applied Cryptography, especially chapter 14 ("Efficient Implementation").
For proper security, the private exponent (d) must be big; it has been shown that if it is smaller than 29% of the length of the modulus (n) then the private key can be reconstructed. We do not know what is the minimum length to avoid such weaknesses, so in practice d will have about the same length than n. This means that decryption will be about cubic in the length of n.
The same provisions do not apply to the public exponent (e), which can be as small as wished for, as long as it complies with the RSA rules (e must be relatively prime to r-1 for all prime factors r of n). So it is customary that a very small e is chosen. It is so customary that there are widely deployed implementations that cannot handle big public exponents. For instance, the RSA implementation in Windows' CryptoAPI (the one used e.g. by Internet Explorer when connected to a HTTPS site with a RSA server certificate) cannot process a RSA public key if e does not fit in 32 bits. e=3 is the best possible, but e=65537 is traditional (it is an historical kind of blunder, because a very small exponent can induce a perceived weakness if RSA is used without its proper and standard padding, something which should never be done anyway). 65537 is a 17-bit long integer, whereas a typical length for n and d will be 1024 bits or more. This makes public-key operations (message encryption, signature verification) much faster than private-key operations (message decryption, signature generation).
理论上来说,不一定是这样。加密和解密算法本质上是相同的。给定:
则:
求幂的正常算法是迭代的,因此所花费的时间取决于指数的大小。在大多数情况下,该对的解密密钥(通常相当大)大于加密密钥。
不过,扭转这一局面是可能的。仅举一个玩具示例,请考虑:
以下是该特定素数对的一些有效加密/解密密钥对的列表:
在这 20 个密钥对中,只有一个的解密密钥小于加密密钥对钥匙。在其他情况下,解密密钥的范围从不到两倍到几乎 17 倍。当然,当模数像这样很小时,可以快速轻松地生成大量密钥对,因此找到一个小的解密密钥将相当容易——但是,对于真正的 RSA 密钥,这并不是那么简单,并且我们通常只接受我们找到的第一对。正如您从上面的列表中看到的,在这种情况下,您很可能最终得到的解密密钥比加密密钥大得多,因此解密最终会比加密慢。当处理大约 100 位数字时,我们必须非常耐心地找到一对解密速度(甚至接近)与加密速度一样快的数字。
In theory, it doesn't have to be. The encryption and decryption algorithms are essentially identical. Given:
Then:
The normal algorithm for raising to a power is iterative, so the time taken depends on the size of the exponent. In most cases, the pair works out with the decryption key being (usually considerably) larger than the encryption key.
It is possible to reverse that though. Just for a toy example, consider:
Here's a list of some valid encryption/decryption key pairs for this particular pair of primes:
Out of those 20 key pairs, only one has a decryption key smaller than the encryption key. In the other cases, the decryption key ranges from just under twice as big to almost 17 times as large. Of course, when the modulus is tiny like this, it's quick and easy to generate a lot of key pairs, so finding a small decryption key would be fairly easy -- with a real RSA key, however, it's not quite so trivial, and we generally just accept the first pair we find. As you can see from the list above, in that case, you're quite likely to end up with a decryption key that's considerably larger than your encryption key, and therefore decryption will end up slower than encryption. When working with ~100 digit numbers, we'd have to be quite patient to find a pair for which decryption was going to be (even close to) as fast as encryption.
加密幂通常选择为 2^n+1 (17, 63357) 形式的质数,这需要相对较少的乘法运算。因此,解密值将是一个更大的数字,因此需要更多的计算工作。
The encryption power is usually chosen to be a prime of the form 2^n+1 (17, 63357) which requires a relatively few multiplication operations. The decryption value will be a much larger number as a consequence, and thus take more work to compute.
这涉及两个因素:
一方面,公共指数可以选择一个只有两个 1 位的小数(通常是 3、17 或 65537)。这意味着 RSA 加密操作可以通过一些模平方和加法来完成。这是无法逆转的:如果你强迫私有指数是一个很小的数字,系统的安全性显然会被破坏。
另一方面,私钥的持有者可以存储一些从原始素数导出的预先计算的值。有了这些,他可以使用 CRT 算法 来替换单次幂模具有两个以 an/2 位数字为模的指数的 n 位数字。这比简单的方式大约快四倍。
因此,对于具有随机公共指数的 RSA 密钥对,私钥操作实际上可以更快。但选择小的公共指数的效果比更快的算法的效果要大得多,因此加密在实践中更快。
There are two factors involved in this:
On the one hand, the public exponent can be chosen to be a small number with only two 1-bits (usually 3, 17 or 65537). This means the RSA encryption operation can be done with a few modular squarings and an addition. This cannot be reversed: If you force the private exponent to be a small number, the security of the system is obviously broken.
On the other hand, the holder of the private key can store some precalculated values derived from the original primes. With those he can use the CRT algorithm to replace the single exponentiation modulo a n-bit number with two exponentiaions modulo a n/2-bit number. This is approximately four times faster than the naive way.
So for RSA key pairs with random public exponents, private key operations can actually be faster. But the effect of choosing a small public exponent is much greater than the effect of the faster algorithm, so encryption is faster in practice.
RSA 实验室很好地描述了原因
...
RSA Laboratories describes why pretty well
...
还要多久?你有具体的细节吗?
无论如何,解密比加密更复杂是有道理的,因为加密不是像 123 => 那样采用对称方式。 abc 和 abc > 123.
如需了解更多详细信息,我建议从此处开始。
要了解计算的工作原理,这篇文章似乎非常好http://www. di-mgt.com.au/rsa_alg.html
How much longer? Do you have any exact details?
Any way, it make sense that decryption is complicated more than encryption, since the encryption it is not in a symmetric way like 123 => abc and abc > 123.
For more details I suggest starting here.
To read about how the calculatio works, this article seems very good one http://www.di-mgt.com.au/rsa_alg.html
简而言之,“乘法=容易,因数=困难”。
看看 (http://en.wikipedia.org/ wiki/RSA#Encryption),其中引用了求幂优化(http://en.wikipedia.org/wiki/Exponentiation_by_squaring#Further_applications)
我发现的最好的资源是普林斯顿大学关于密码学的以下讲座(http://www.cs.princeton.edu/courses/archive/spr05/cos126/lectures/22.pdf)
In short "multiply = easy, factor = hard".
Take a look at (http://en.wikipedia.org/wiki/RSA#Encryption) which references optimizations in exponentiation (http://en.wikipedia.org/wiki/Exponentiation_by_squaring#Further_applications)
The best resource I found was the following lecture on cryptography from Princeton (http://www.cs.princeton.edu/courses/archive/spr05/cos126/lectures/22.pdf)
d和e是以phi(n)为模的乘法倒数。这意味着您选择两者中的哪一个进行加密以及选择其中一个进行解密并不重要。您只需在加密前选择一次。如果您想要快速解密,那么您可以选择更大的数字进行加密。就是这么简单。dandeare multiplicatively inverse numbers modulophi(n). That means that it doesn't matter witch of the two you'll choose for encryption, and witch one for decryption. You just choose once before encryption. If you want fast decryption than you choose the bigger number for encryption. It's that simple.