




Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Let e, d be two integers satisfying ed = 1 mod φ(N) where φ(N) = (p-1) (q-1). N is called the RSA modulus, e is called the encryption exponent, and d is called ...
Typology: Exercises
1 / 8
This page cannot be seen from the preview
Don't miss anything!





By Abdulaziz Alrasheed and Fatima
Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American. The RSA is most commonly used for providing privacy and ensuring authenticity of digital data. RSA is used by many commercial systems. It is used to secure web traffic, to ensure privacy and authenticity of Email, to secure remote login sessions, and it is at the heart of electronic credit-card payment systems.
Since its initial release, the RSA has been analyzed for vulnerabilities. Twenty years of research have led to a number of intriguing attacks, none of them is devastating. They mostly show the danger of wrong use of RSA. Our objective is to explorer some of these attacks.
RSA encryption in its simple form is explained as follow. Let N = pq be the product of two large primes of the same size (n/2 bits each). As [1] explains, a typical size for N is n=1024 bits, i.e. 309 decimal digits. Let e, d be two integers satisfying ed = 1 mod φ(N) where φ(N) = (p-1) (q-1). N is called the RSA modulus, e is called the encryption exponent, and d is called the decryption exponent. The pair (N, e) is the public key. The pair (N, d) is called the secret key and only the recipient of an encrypted message knows it.
A message M is encrypted by computing C = Me^ mod N. To decrypt the ciphertext C, the authentic receiver computes Cd^ mod N.
Cd^ = Med^ = M (mod N)
The last equality is based on Euler’s theorem.
1.1 Factoring Large Integers
This is known as the first attack on RSA public key (N, e). After getting the factorization of N, an attacker can easily construct φ(N), from which the decryption exponent d = e-1^ mod φ(N) can be found. Factoring the modulus is referred to as brute-force attack. Although factorizing the modulus has been improving, the current state of the art of this attack is unable to post a threat to the security of RSA when RSA is used properly. The current fastest factoring algorithm is the
General Number Field Sieve with running time of (( ( ⁄^ ⁄^ )
Let’s begin by describing some old elementary attacks. These attacks depend primarily on the misuse of RSA. We will only talk about two examples of many elementary attacks.
2.1 Common modulus
The assumption that generating the same modulus N = pq for all users of a system, and user i is provided with a unique pair ei, di from which user i forms a public key (N, ei) and a secret key (N, di) may seem to work providing that a trusted central authority provides the unique pairs. But as per [1] the resulting system is insecure since Bob who is unable to decipher Alice’s cipher due to not having Alice private key dAlice he however, can factor N using his own exponents. This observation, due to Simmons, shows that an RSA modulus should only be used by one entity.
2.2 Blinding
Blinding enables Eve to obtain a valid signature on a message of his choice by asking Bob to sign a random "blinded message" [1]. In that case, Bob does not know what message he is actually signing and most signature schemes apply a "one-way hash" to the message prior to signing, thus the attack is not a serious concern.
Let ( N, d ) be Bob's private key and ( N, e ) be his public key. Assume that an adversary Eve wants Bob's signature on a message M ϵ Z*N. Being a smart move, Bob should refuse to sign M. Otherwise Eve can compute S = S' / ϒ mod N and obtains Bob's signature S on the original M.
Thus, Se^ = (S')e^ / ϒe^ = (M')ed^ / ϒe^ ≡ M' / ϒe^ = M (mod N)
Since modular exponentiation takes time linear in log 2 d, a small d can improve performance by at least a factor of 10, one of the misuses of RSA is to use a small value of d to reduce decryption time. Unfortunately, a clever attack due to M. Wiener [2] shows that a small d can result in a total break of the RSA cryptosystem.
Theorem (M. Wiener) Let N = pq with q < p < 2q. Let d < 1/3 N1/4. Given (N, e) with ed = 1 mod φ(N), an attacker can efficiently recover d.
Proof The proof is based on approximations using continued fractions. Since ed = 1 mod φ(N), there exists a k where ed -k φ(N) = 1. Therefore,
Since φ(N) = N-p-q+1 and p+q-1 < 3√ an attacker can use N to approximate φ(N).
In order to avoid this attack, and since N is 1024 bits, d must be at least 256 bits long. This is unfortunate for smart cards or low powered devices.
For simplicity, suppose all public exponents ei, are equal to 3. A simple arguments shows that Eve can recover M if k ≥ 3. Indeed, Bob obtains C 1 , C 2 , C 3 , where
C 1 = M^3 mod N 1 , C 2 = M^3 mod N 2 , C 3 = M^3 mod N 3.
Assume that gcd( N i, N j) = 1 for all i ≠ j since otherwise Eve can factor some of the Ni's. Hence, applying the Chinese Remainder Theorem (CRT) to C 1 , C 2 , C 3 gives a C' ϵ ZN1N2N3 satisfying C' = M^3 mod N 1 N 2 N 3. Since M is less than all the N i's, we have M^3 < N 1 N 2 N 3. Then C' = M^3 holds over the integers. Thus, Eve may recover M by computing the real cube root of C'. More generally, if all public exponents are equal to e, Eve can recover M as soon as k > e. The attack is feasible only when a small e is used.
To stimulate Hastad's result, if M is m bits long, Bob could send Mi = i2m^ + M to party Pi. Since Eve obtains encryptions of different messages, he can't mount the attack. Unfortunately, Hastad showed that this linear padding is insecure. In fact, he proved that applying any fixed polynomial to the message prior to encryption does not prevent the attack [1].
Suppose that for each of the participants P 1 ,........, Pk, Bob has a fixed public polynomial f i ϵ ZNi[x]. To broadcast a message M , Bob sends the encryption of f i ( M ) to party Pi. By eavesdropping, Eve learns Ci = f i( M )ei^ mod Ni for i=1,....., k. Hastad showed that if enough parties are involved, Eve can recover the plaintext M from all the ciphertexts. In more generality, Hastad proved that a system of univariate equations modulo relatively prime composites, such as applying any fixed polynomial g 1 (M) = 0 mod Ni, could be solved if sufficiently many equations are provided. This attack suggests that randomized padding should be used in RSA encryption.
Theorem Let N 1 ,..........., Nk be pairwise relatively prime integers and set Nmin = mini (Ni). Let gi ϵ ZNi[x] be k polynomials of maximum degree d. Suppose there exists a unique M < N min satisfying
gi( M ) = 0 mod Ni for all i = 1,........, k.
Under the assumption that k > d, one can efficiently find M given (Ni, gi)ki = 1.
4.3 Franklin-Reiter Related Message Attack
Franklin and Reiter [4] found a smart attack when Bob sends Alice related encrypted messages using the same modulus. Let (N, e) be Alice’s public key. Suppose M 1 , M 2 are two distinct messages such as M 1 = f(M 2 ) mod N. If Bob encrypt the messages and transmit the resulting ciphers C 1 and C 2 we will show how an attacker can easily recover M 1 and M 2.
Lemma Set e = 3 and let (N,e) be an RSA public key. Let M 1 != M 2 satisfy M 1 = f(M 2 ) mod N for some linear polynomial f = ax + b with b != 0. Then, given (N, e, C 1 , C 2 , f) an attacker can recover M 1 and M 2 in time quadratic in log N.
Proof Since C 1 = mod N, we know that M 2 is a root of the polynomial g 1 (x) = f(x)e^ - C 1 and similarly M 2 is a root of g 2 (x) = f(x)e^ – C 2. The linear factor x - M 2 divides both polynomials. Therefore, an attacker may use the Euclidean algorithm to compute the gcd of g 1 and g 2. If the gcd turns out to be linear, M 2 is found.
4.4 Coppersmith’s short pad attack
Generally, The Franklin-Reiter attack is considered to be an artificial attack because why should Bob send Alice the encryption of related messages? Coppersmith strengthened the attack and proved an important result on padding. Coppersmith showed that if randomized padding suggested by Hastad is used improperly then RSA encryption is not secure [ 7 ].
A naive random padding algorithm might pad a plaintext M by appending a few random bits to one of the ends. The following attack points out the danger of such simplistic padding. Suppose Bob sends a properly-padded encryption of M to Alice. An attacker, Eve, intercepts the ciphertext and prevents it from reading its destination. Bob notice that Alice did not respond to his message and decides to resend M to Alice. He randomly pads M and transmits the resulting ciphertext. Eve now has two ciphertexts corresponding to two encryptions of the same message using two different random pads.
The following theorem shows that although he does not know the pads used, Eve is able to recover the plaintext.
Theorem Let (N , e) be a public RSA key where N is n-bits long. Set m = | n/e^2 |. Let M ϵ Z* N be a message of length at most n - m bits. Define M 1 = 2m^ M + r1 and M 2 = 2m^ M + r 2 , where r 1 and r 2 are distinct integers with 0 ≤ r 1 , r 2 < 2m. If Eve is given ( N , e) and the encryptions C 1 , C 2 of M 1 , M 2 (but is not given r 1 or r 2 ), he can efficiently recover M.
4.5 Partial key exposure attack
This attack is possible when the public key is small. If an attacker exposed a fraction of the bits of d, s/he can, on the assumption that the modulus is small, reconstruct the rest of d. Boneh,
Durfe, and Frankel [5] have made recent proof that d can be reconstructed as long as e < (^) √.
Theorem Let (N,d) be a private key with N is n bits long. Given the ⌈ ⌉ least significant bits of
d, an attacker can reconstruct all of d in time linear in e log 2 e.
Theorem (Coppersmith) Let N = pq. Given the n/4 least or most significant bits of p, one can factor N efficiently. k integer exist such that: ed – k (N – p – q + 1 ) = 1. [1]
Since d < φ(N), then 0 < k <= e. Reducing N to ⁄^ and setting q = N/p, we get:
(ed)p – kp(N – p + 1) + kN = p (mod ⁄^ ) [1]
half the length of d and consequently computing M dp^ mod p is eight times faster than computing M dp^ mod N. Overall signature time is thus reduced by a factor of four. Many RSA implementations use this method to improve performance.
Twenty years of research aimed to break the RSA produced some insightful attacks, but no serious attack has been found yet. Currently, it appears that proper RSA implementation can provide the required security in the digital world. Four main classes of RSA attacks were found: (1) elementary attacks that show the misuse of the system, (2) low private exponent to show how serious it gets when a low private is used, (3) low public exponent attacks, and (4) attacks on the RSA implementation.
Proper use of RSA and properly padding a message before encryption can defeat the explained attacks.
[1] D. Boneh, Twenty Years of Attacks on the RSA Cryptosystm
[2] M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, 36:553-558, 1990
[3] http://www.untruth.org/~josh/school/phd/seminar/fall-2010-coppersmiths-theorem/coppersmiths- theorem-combined.pdf
[4] D. Coppersmith, M. Franklin, J. Patarin, and M. Reiter. Low-exponent RSA with related messages. In EUROCRYPT '96, volume1070 of Lecture Notes in Computer Science, pages 1-9. Springer-Verlag,
[5] P. Kocher. Timing attacks on implementations of Die-Hellman, RSA, DSS, and other systems. In CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 104-113.Springer-Verlag,
[6] http://www.cc.gatech.edu/~cpeikert/lic13/lec04.pdf
[7] http://en.wikipedia.org/wiki/Coppersmith's_Attack