Cryptography Reference
In-Depth Information
We are going to choose
bytelength = 95
because this is the maximum size
that we will be able to use when testing Rabin-SAEP
+
with our previously generated
key but we remark that substantially larger messages can be encryptedwith a 2048-bit
RSA key.
> PublicKeyTiming(RSAOAEP, rsakey, sd, 10, 95);
10 RSAOAEP encryption/decryptions of 95-byte messages took 16.282000 seconds
Exercise 8.34
Generate an RSA key with a 4096-bit RSA modulus and use this key
in a timing experiment with the remaining parameters as above.
Next, we repeat the test for Rabin-SAEP
+
. In this case we will use the Rabin key
rk
generated in Example 8.13:
> seed1 := "3d53d86af89150d1437856427eb8ed78":
seed2 := "d5d7c4472ae89a7b0b0f7580177236a6":
rk := RabinKeyGen(256, seed1, seed2):
Since this is a Rabin-SAEP
+
key generated with security parameter
k
256
(which means that it has a 2050-bit modulus) the seed required here must have
k
=
/
=
2
128 bytes. We will use the following seed:
se := StringTools:-Repeat("0123456789abcdef", 16):
Then the timing test gives the following result:
> PublicKeyTiming(RabinSAEPPlus, rk, se, 10, 95);
10 RabinSAEPPlus encryption/decryptions of 95-byte messages took 32.688000 seconds
We observe that RSAES-OAEP was substantially faster than Rabin-SAEP
+
but
this is not really a fair comparison because, as we have seen, the security reduction of
Rabin-SAEP
+
is much tighter than that of RSAES-OAEP. This means that, to attain
a similar security level in practice, it seems likely that much longer keys (above
4096 bits) should be used for RSAES-OAEP and this, of course, would cause a
performance penalty for this scheme (although it would also have the advantage
of allowing encryption of larger messages). Moreover, as we have also remarked,
Rabin-SAEP
+
has the advantage that its security reduces to the factoring assumption,
which is potentially weaker than the RSA assumption used in the RSAES-OAEP
security reduction.
Let us now consider the Cramer-Shoup encryption scheme. In this case we use
the Cramer-Shoup key
key
of Example 8.17 above. The seed here is used to feed
the Blum-Blum-Shub PRG and we will use the same seed,
sd
,weusedforRSAES-
OAEP above. Then we obtain:
> PublicKeyTiming(CramerShoup, key, sd, 10, 95);
10 CramerShoup encryption/decryptions of 95-byte messages took 37.953000 seconds
We see that Cramer-Shoup is the slowest of the three implementations we are
considering, although the difference with Rabin-SAEP
+
is not that large; it is also
the scheme that has a higher message expansion factor. Once again, these aspects
must be balanced against the fact that Cramer-Shoup is the only of these three
schemes whose reductionist security proof does not rely on the existence of random
oracles and hence it seems the strongest scheme from the security point of view.
