Documente Academic
Documente Profesional
Documente Cultură
1
2 Common modulus attack
Consider the following scenario:
Suppose that the CEO dispatches the same message M to two different office
managers whose encryption exponents respectively are e1 and e2 . The encrypted
messages are:
One defense against this attack would be to ensure that the set of all encryp-
tion exponents has a number larger than 1 as a common factor. Though this
might defend sufficiently against an outside eavesdropper, we shall see next that
it is no defense against an insider attempting to steal proprietary information
from the organization.
2
3 The public encryption exponent is “small”
Consider the previous scenario with the single modification that the ISD does
not impose additional requirements on the encryption exponents, except that
no two employees be issued the same one (an obvious requirement). Thus, each
employee has the following information: The value of n, the employee’s personal
public encryption exponent e, and the employee’s personal private decryption
exponent d. It often happens in practice that at least the encryption exponent
e generated by implementations of RSA are ”small”. For example: For PGP
(Pretty Good Privacy) the great majority of e’s generated by the software is
17, for Secure Shell (SSH) the great majority of e’s generated is 37, and the
US Postal Services’ prescription for RSA implementations to handle e-stamps
requires the encryption exponent to be 65537. Suppose that this is also the
case in this scenario - e is ”small”. Now the malicious insider has the following
method for factoring n using the issued public value of e and private value of d.
Notice that e ∗ d = 1 mod φ(n).
Now φ(n) is not a priori known to the employees, but it is known that for
some natural number k < min{e, d} such that e ∗ d = 1 + k ∗ φ(n).
This suggests a search procedure for discovering φ(n), with the length of the
list of possible values shorter than min{e, d}. Once the correct value of φ(n)
is discovered, n can be factored using techniques discussed in the Section 1.
Indeed, once φ(n) is discovered, all the private keys of all the employees can be
computed from their known public key, and then all correspondence to them
can be decrypted.
3
Suppose that this message is encrypted for all these key owners. Also assume
that M < Ri for each i. Now the k encrypted versions are:
Ei = Mk mod Ri , i = 1, ..., k.
According to the Chinese Remainder Theorem there is a unique x < R1 ∗
R2 ∗ ... ∗ Rk such that for each i we have x = Ei mod Ri .
Also, the theorem describes exactly how to compute x from the data. But
Mk < R1 ∗R2 ∗...∗Rk , and also satisfies these equations. Thus, by its uniqueness,
x = Mk .
Now we compute M by taking the ordinary k-th root of x.
5 Wiener’s attack
It is sometimes tempting to choose the private decryption exponent d small to
speed up the decryption process. A small value of d always leads to a large value
of e, the public encryption exponent, and thus to slower encryption. There are
two reasons to avoid choosing a small private decryption exponent. One of them
is that correspondents will be discouraged by the ”slow” encryption process and
will most likely not communicate. The other is more ominous – it opens up
the system to a fairly efficient attack. The second is the subject of this section.
Recall how the Euclidean Algorithm computes the greatest common divisor, g,
of two numbers a and b with a < b. One obtains a list of equations using long
division:
b = q 1 ∗ a + r1 , 0 ≤ r1 < b
a = q 2 ∗ r1 + r2 , 0 ≤ r2 < r1
r1 = q 3 ∗ r2 + r3 , 0 ≤ r3 < r2
r2 = q 4 ∗ r3 + r4 , 0 ≤ r4 < r3
·
·
·
rn−1 = qn+2 ∗ rn+1 + rn+2 and rn+2 = 0 while rn+1 > 0.
4
Consider a rational number b/a with gcd(a, b) = 1. Then rn+1 = 1.
From the same set of equations we obtain:
= q1 + 1/(a/r1 )
·
·
·
= q1 + 1/(q2 + 1/(q3 + 1/(q4 + 1/(q5 + (... + 1/qn+2)...)))))
This result shows that if one is not careful with the selection of p, q and d,
then the Euclidean Algorithm can be used to dramatically reduce the amount
of work involved in a search for the private key d. Since typically n is 1024 bits,
5
it follows that d must be at least 256 bits long in order to avoid this attack.
This is unfortunate for low-power devices such as smartcards, where a small d
would result in big savings. All is not lost however. Wiener describes a number
of techniques that enable fast decryption and are not susceptible to his attack.
One of the techiniques involves Chinese Remainder Theorem:
6 Iterated Encryption
The Iterated Encryption Attack is based on the Euler - Fermat theorem.
Theorem 3 If n is a positive integer and m is a positive integer coprime to n,
then mφ(n) mod n = 1.
Consider a public RSA key with encryption modulus n and encryption ex-
ponent e. Also, consider a message M < n in padded ASCII form. Consider
what might happen when M is encrypted iteratively using this key:
E1 := M e mod n
E2 := E1e mod n
E3 := E2e mod n
..
.
Ek+1 := Eke mod n
k
Using the laws of exponents we have that for each n, Ek = M (e )
mod n.
This means that merely through repeating the encryption process, we even-
tually decrypt the originally encrypted message. Of course, if the smallest k
6
at which this occur is an enormous number, this is not an efficient method for
decrypting the message. But, if the designer of the key did not choose e care-
fully, this value of k may be relatively small, even just a few hundred or a few
thousand. Small values of s are typically safe against this sort of attack, but
as we have seen, there are circumstances under which one might want to have
large values of e(for example when users of a system must share a common n,
we want to ensure that neither e, nor d (the private key) is small enough).
When large values of e are considered, this particular attack must be con-
sidered during the design stage.Observe also that if we find the first value of k
at which Ek = M then we have found the first k at which ek mod φ(n) = 1 and
so we could use e(k−1) mod φ(n) as stand in for d.
7
the approximation dk by replacing the corresponding least significant digits of
dk by the digits of L. Let the resulting improvement be Dk . The attacker’s
guess will be this Dk . Observe that for the correct value of k, dk ≥ d. To see
how close dk is to the actual d, compute
√ √ 2
|dk − d| = (k/e) · ( p − q) .
Since k < e, we find that for the correct k,
√ √ 2 √ √ 2
(1/e) · ( p − q) ≤ |dk − d| < ( p − q) .
√ √ 2
The smaller the value of ( p − q) , the quicker the attacker will arrive at a
correct guess for the value of d. One finds that in any case |dk − d| < p, and
so, if p and q have the same number of digits, then half of the most significant
digits of d coincide with those of one of the dk ’s. What this indicates is that
for certain choices of p and q the following trustee schema is dangerous: Two
partners in a business decide that neither will have access to the private key
d of the business, but instead they will each have a share of the key. This is
to ensure that either can read encrypted confidential information only with the
collaboration of the other. If one of them gets the least significant half of d,
and the other gets the most significant half of d, then the one holding the least
significant half has a distinct advantage in reconstructing the whole private key
- especially if the prime numbers p and q have the same number of digits.
8
Eve now computes S = S 0 /r mod n and obtains Bob’s signature S on
the original M . Indeed, S e = (S 0 )e /r e = (M 0 )ed /r e = M 0 /r e = M mod n.
This technique enables Eve to obtain a valid signature on a message of
her choice by asking Bob to sign a random ”blinded” message. Bob has no
information as to what message he is actually signing.