TWENTY YEARS OF ATTACKS ON THE RSA CRYPTOSYSTEM

Introduction

The RSA cryptosystem, invented by Ron Rivest, Adi Shamir, and Len Adleman [18], was first publicized in the August 1977 issue of Scientific American. The cryptosystem is most commonly used for providing privacy and ensuring authenticity of digital data. These days RSA is deployed in many commercial systems. It is used by Web servers and browsers to secure Web traffic, it is used to ensure privacy and authenticity of e-mail, it is used to secure remote login sessions, and it is at the heart of electronic credit card payment systems. In short, RSA is frequently used in applications where security of digital data is a concern.

Since its initial publication, the RSA system has been analyzed for vulnerability by many researchers. Although twenty years of research have led to a number of fascinating attacks, none of them is devastating. They mostly illustrate the dangers of improper use of RSA. Indeed, securely implementing RSA is a nontrivial task. Our goal is to survey some of these attacks and describe the underlying mathematical tools they use.

Throughout the survey we follow standard naming conventions and use “Alice” and “Bob” to denote two generic parties wishing to communicate with each other. We use “Marvin” to denote a malicious attacker wishing to eavesdrop or tamper with the communication between Alice and Bob.

We begin by describing a simplified version of RSA encryption. Let $N = pq$ be the product of two large primes of the same size ($n/2$ bits each). A typical size for $N$ is $n = 1024$ bits, i.e., 309 decimal digits. Each of the factors is 512 bits. Let $e, d$ be two integers satisfying $ed = 1 \bmod \varphi(N)$ where $\varphi(N) = (p - 1)(q - 1)$ is the order of the multiplicative group $\mathbb{Z}_N^*$. We call $N$ the RSA modulus, $e$ the encryption exponent, and $d$ the decryption exponent. The pair $\langle N, e \rangle$ is the public key. As its name suggests, it is public and is used to encrypt messages. The pair $\langle N, d \rangle$ is called the secret key or private key and is known only to the recipient of encrypted messages. The secret key enables decryption of ciphertexts.

A message is an integer $M \in \mathbb{Z}_N^*$. To encrypt $M$, one computes $C = M^e \bmod N$. To decrypt the ciphertext, the legitimate receiver computes $C^d \bmod N$. Indeed, $C^d = M^{ed} = M \bmod N$,
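The simplified scheme described above, as an added Python example that is not part of the original survey: it derives $d$ from $e$ and $\varphi(N)$ with the extended Euclidean algorithm and checks that decryption inverts encryption for every $M \in \mathbb{Z}_N^*$. The toy primes 61 and 53, the exponent $e = 17$, and all function names are assumptions chosen for illustration; a modulus this small and unpadded encryption offer no security.

```python
from math import gcd

def egcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def make_keypair(p, q, e):
    """Build <N, e> and <N, d> with e*d = 1 mod phi(N), phi(N) = (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        # e has no inverse modulo phi(N), so no decryption exponent exists.
        raise ValueError("e must be coprime to phi(N)")
    d = x % phi
    assert (e * d) % phi == 1
    return (N, e), (N, d)

def encrypt(pub, M):
    """C = M^e mod N for an integer message 0 <= M < N."""
    N, e = pub
    if not 0 <= M < N:
        raise ValueError("message must be an integer in [0, N)")
    return pow(M, e, N)

def decrypt(priv, C):
    """M = C^d mod N."""
    N, d = priv
    return pow(C, d, N)

def roundtrip_holds_on_group(pub, priv):
    """Check C^d = M^(ed) = M mod N for every M in the multiplicative group."""
    N = pub[0]
    return all(decrypt(priv, encrypt(pub, M)) == M
               for M in range(1, N) if gcd(M, N) == 1)

# Constructed toy parameters (assumption, far too small for real use).
PUB, PRIV = make_keypair(61, 53, 17)

if __name__ == "__main__":
    C = encrypt(PUB, 65)
    print("N, e =", PUB, " d =", PRIV[1], " C =", C, " M =", decrypt(PRIV, C))
    print("round trip holds on Z_N^*:", roundtrip_holds_on_group(PUB, PRIV))
```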

[1] Richard J. Lipton, et al. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract), 1997, EUROCRYPT.

[2] Don Coppersmith, et al. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities, 1997, Journal of Cryptology.

[3] David Chaum, et al. Attacks on Some RSA Signatures, 1985, CRYPTO.

[4] László Lovász, et al. Algorithmic theory of numbers, graphs and convexity, 1986, CBMS-NSF regional conference series in applied mathematics.

[5] Dan Boneh, et al. Breaking RSA May Not Be Equivalent to Factoring, 1998, EUROCRYPT.

[6] Johan Håstad, et al. Solving Simultaneous Modular Equations of Low Degree, 1988, SIAM J. Comput.

[7] Paul C. Kocher, et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, 1996, CRYPTO.

[8] Adi Shamir, et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[9] G. Hardy, et al. An Introduction To The Theory Of Numbers Fourth Edition, 1968.

[10] Marc Joye, et al. On the importance of securing your bins: the garbage-man-in-the-middle attack, 1997, CCS '97.

[11] Alfred Menezes, et al. Handbook of Applied Cryptography, 2018.

[12] Mihir Bellare, et al. Optimal Asymmetric Encryption, 1994, EUROCRYPT.

[13] Carl Pomerance, et al. A Tale of Two Sieves, 1998.

[14] Michael J. Wiener, et al. Cryptanalysis of Short RSA Secret Exponents (Abstract), 1990, EUROCRYPT.

[15] Arjen K. Lenstra, et al. Algorithms in Number Theory, 1991, Handbook of Theoretical Computer Science, Volume A: Algorithms and Complexity.

[16] Daniel Bleichenbacher, et al. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, 1998, CRYPTO.

[17] S. Goldwasser. The Search for Provably Secure Cryptosystems, 1990.

[18] Yvo Desmedt, et al. A Chosen Text Attack on the RSA Cryptosystem and Some Discrete Logarithm Schemes, 1986, CRYPTO.

[19] Matthew K. Franklin, et al. Low-Exponent RSA with Related Messages, 1996, EUROCRYPT.

[20] E. T. An Introduction to the Theory of Numbers, 1946, Nature.

[21] Nick Howgrave-Graham, et al. Finding Small Roots of Univariate Modular Equations Revisited, 1997, IMACC.