sign in sign up
<<
Home , Cryptosystem, Dan Boneh, RSA (cryptosystem)

boneh.qxp 12/7/98 11:40 AM Page 203

Twenty Years of Attacks on the RSA

Introduction mal digits. Each of the factors is 512 bits. Let e, d be two integers satisfying ed = 1 mod ϕ(N) where The RSA cryptosystem, invented by , Adi ϕ(N)=(p − 1)( − 1) is the order of the multi- Shamir, and Len Adleman [18], was first publi- ∗ plicative group Z . We call N the RSA modulus, e cized in the August 1977 issue of Scientific Amer- N the exponent, and d the decryption ex- ican. The cryptosystem is most commonly used for ponent. The pair hN,ei is the public . As its providing privacy and ensuring authenticity of name suggests, it is public and is used to encrypt digital data. These days RSA is deployed in many messages. The pair hN,di is called the secret key commercial systems. It is used by Web servers and or private key and is known only to the recipient browsers to secure Web traffic, it is used to ensure of encrypted messages. The secret key enables de- privacy and authenticity of e-mail, it is used to se- cryption of . cure remote login sessions, and it is at the heart ∗ A message is an integer M ∈ Z . To encrypt M, of electronic credit card payment systems. In short, N one computes C = Me mod N. To decrypt the ci- RSA is frequently used in applications where se- phertext, the legitimate receiver computes curity of digital data is a concern. Cd mod N. Indeed, Since its initial publication, the RSA system has been analyzed for vulnerability by many re- Cd = Med = M mod N, searchers. Although twenty years of research have where the last equality follows by Euler’s theo- led to a number of fascinating attacks, none of rem.1 One defines the RSA function as them is devastating. They mostly illustrate the x 7−→ xe mod N. If d is given, the function can be dangers of improper use of RSA. Indeed, securely easily inverted using the above equality. We refer implementing RSA is a nontrivial task. Our goal is to d as a trapdoor enabling one to invert the func- to survey some of these attacks and describe the tion. In this survey we study the difficulty of in- underlying mathematical tools they use. Through- verting the RSA function without the trapdoor. We out the survey we follow standard naming con- refer to this as breaking RSA. More precisely, given ventions and use “Alice” and “Bob” to denote two the triple hN,e,Ci, we ask how hard is it to com- generic parties wishing to communicate with each pute the eth root of C modulo N = pq when the other. We use “Marvin” to denote a malicious at- Z∗ of N is unknown. Since N is a finite tacker wishing to eavesdrop or tamper with the Z∗ set, one may enumerate all elements of N until communication between . the correct M is found. Unfortunately, this results We begin by describing a simplified version of in an algorithm with running time of order N, RSA encryption. Let N = pq be the product of two large primes of the same size (n/2 bits each). A 1Our description slightly oversimplifies RSA encryption. typical size for N is n = 1024 bits, i.e., 309 deci- In practice, messages are padded prior to encryption using some randomness [1]. For instance, a simple (but in- sufficient) algorithm may pad a M by Dan Boneh is an assistant professor of appending a few random bits to one of the ends prior to at . His e-mail address is encryption. Adding randomness to the encryption process [email protected]. is necessary for proper security.

FEBRUARY 1999 NOTICES OF THE AMS 203 boneh.qxp 12/7/98 11:40 AM Page 204

namely, exponential in the size of its input, which ϕ(N) , from which the decryption exponent −1 is of the order log2 N. We are interested mostly in d = e mod ϕ(N) can be found. We refer to fac- algorithms with a substantially lower running time, toring the modulus as a brute-force attack on RSA. c namely, on the order of n where n = log2 N and Although factoring algorithms have been steadily c is some small constant (less than 5, say). Such improving, the current state of the art is still far algorithms often perform well in practice on the from posing a threat to the security of RSA when inputs in question. Throughout the paper we refer RSA is used properly. Factoring large integers is to such algorithms as efficient. one of the most beautiful problems of computa- In this survey we mainly study the RSA function tional mathematics [14, 17], but it is not the topic as opposed to the RSA cryptosystem. Loosely speak- of this article. For completeness we note that the ing, the difficulty of inverting the RSA function on current fastest factoring algorithm is the General random inputs implies that given hN,e,Ci, an at- Number Field Sieve. Its running time on n-bit in- 2/3 tacker cannot recover the plaintext M. However, tegers is exp (c + o(1))n1/3 log n for some a cryptosystem must resist more subtle attacks. If c<2. Attacks on RSA that take longer than this hN,e,Ci is given, it should be intractable to recover time bound are not interesting. These include at- any information about M. This is known as se- tacks such as an exhaustive search for M and mantic security.2 We do not discuss these subtle some older attacks published right after the ini- attacks, but point out that RSA as described above tial publication of RSA. is not semantically secure: given hN,e,Ci, one can Our objective is to survey attacks on RSA that easily deduce some information about the plain- decrypt messages without directly factoring the text M (for instance, the Jacobi symbol of M over RSA modulus N. Nevertheless, it is worth noting N can be easily deduced from C). RSA can be that some sparse sets of RSA moduli, N = pq, can made semantically secure by adding randomness be easily factored. For instance, if p − 1 is a prod- to the encryption process [1]. uct of prime factors less than B, then N can be fac- 3 The RSA function x 7−→ xe mod N is an exam- tored in time less than B . Some implementations − ple of a trapdoor one-way function. It can be eas- explicitly reject primes p for which p 1 is a prod- ily computed, but (as far as we know) cannot be uct of small primes. efficiently inverted without the trapdoor d except As noted above, if an efficient factoring algo- in special circumstances. Trapdoor one-way func- rithm exists, then RSA is insecure. The converse tions can be used for digital signatures [16]. Digi- is a long-standing open problem: must one factor th tal signatures provide authenticity and nonrepu- N in order to efficiently compute e roots mod- diation of electronic legal documents. For instance, ulo N? Is breaking RSA as hard as factoring? We they are used for signing digital checks or electronic state the concrete open problem below. ∈ Z∗ purchase orders. To sign a message M N using Open Problem 1. Given integers N and e satisfy- h i RSA, Alice applies her private key N,d to M and ing gcd(e, ϕ(N))=1, define the function obtains a signature S = Md mod N. Given hM,Si, Z∗ → Z∗ 1/e fe,N : N N by fe,N(x)=x mod N. Is there a anyone can verify Alice’s signature on M by check- polynomial-time algorithm A that computes the e ing that S = M mod N. Since only Alice can gen- factorization of N given N and access to an “ora- erate S, one may suspect that an adversary can- cle” fe,N(x) for some e? not forge Alice’s signature. Unfortunately, things are not so simple; extra measures are needed for An oracle for f (x) evaluates the function on any proper security. Digital signatures are an impor- input x in unit time. Recently Boneh and Venkate- tant application of RSA. Some of the attacks we sur- san [6] provided evidence that for small e the an- vey specifically target RSA digital signatures. swer to the above problem may be no. In other An RSA key pair is generated by picking two ran- words, for small e there may not exist a polyno- n mial-time reduction from factoring to breaking dom 2-bit primes and multiplying them to obtain N . Then, for a given encryption exponent RSA. They do so by showing that in a certain model, e<ϕ(N), one computes d = e−1 mod ϕ(N) using a positive answer to the problem for small e yields the extended . Since the set of an efficient factoring algorithm. We note that a pos- primes is sufficiently dense, a random n-bit prime itive answer to Open Problem 1 gives rise to a 2 3 can be quickly generated by repeatedly picking “chosen attack” on RSA. Therefore, a n negative answer may be welcome. random 2-bit integers and testing each one for primality using a probabilistic [16]. Next we show that exposing the private key d and factoring N are equivalent. Hence there is no Factoring Large Integers The first attack on an RSA public key hN,ei to con- 3 sider is factoring the modulus N. Given the fac- In this context, “chosen ciphertext attack” refers to an at- tacker, Marvin, who is given a public key hN,ei and ac- torization of N, an attacker can easily construct cess to a black box that decrypts messages of his choice. Marvin succeeds in mounting the chosen ciphertext attack 2A source that explains and gives ex- if by using the black box he can recover the private key amples of semantically secure is [9]. hN,di.

204 NOTICES OF THE AMS VOLUME 46, NUMBER 2 boneh.qxp 12/7/98 11:40 AM Page 205

point in hiding the factorization of N from any pair ei,di from which user i forms a public key party who knows d. hN,eii and a secret key hN,dii. At first glance this may seem to work: a ci- Fact 1. Let hN,ei be an RSA public key. Given the phertext C = Mea mod N intended for Alice cannot private key d, one can efficiently factor the mod- ulus N = pq. Conversely, given the factorization of be decrypted by Bob, since Bob does not possess N, one can efficiently recover d. da. However, this is incorrect, and the resulting sys- tem is insecure. By Fact 1 Bob can use his own ex- Proof. A factorization of N yields ϕ(N). Since e ponents eb,db to factor the modulus N. Once N is known, one can recover d. This proves the con- is factored Bob can recover Alice’s private key da verse statement. We now show that given d, one from her public key e . This observation, due to − a can factor N. Given d, compute k = de 1. By de- Simmons, shows that an RSA modulus should finition of d and e we know that k is a multiple never be used by more than one entity. of ϕ(N). Since ϕ(N) is even, k =2t r with r odd ∗ Blinding and t ≥ 1. We have gk =1for every g ∈ Z , and N h i h i therefore gk/2 is a root of unity modulo N. Let N,d be Bob’s private key and N,e his cor- By the Chinese Remainder Theorem, 1 has four responding public key. Suppose Marvin wants Bob’s ∈ Z∗ square roots modulo N = pq. Two of these square signature on a message M N. Being no fool, roots are 1. The other two are x where x sat- Bob refuses to sign M. Marvin can try the follow- ∈ Z∗ isfies x = 1 mod p and x = −1 mod q. Using either ing: he picks a random r N and sets 0 e one of these last two square roots, one can reveal M = r M mod N. He then asks Bob to sign the 0 the factorization of N by computing gcd(x − 1,N). random message M . Bob may be willing to pro- 0 0 A straightforward argument shows that if g is vide his signature S on the innocent-looking M . ∗ 0 0 chosen at random from Z , then with probability But recall that S =(M )d mod N. Marvin now sim- N 0 at least 1/2 (over the choice of g) one of the ele- ply computes S = S /r mod N and obtains Bob’s t ments in the sequence gk/2,gk/4,... ,gk/2 mod N signature S on the original M. Indeed, is a square root of unity that reveals the factor- e 0 e e 0 ed e ≡ 0 e ization of N. All elements in the sequence can be S =(S ) /r =(M ) /r M /r = M (mod N). 3 efficiently computed in time O(n ) where This technique, called blinding, enables Marvin ■ n = log2 N. to obtain a valid signature on a message of his choice by asking Bob to sign a random “blinded” Elementary Attacks message. Bob has no information as to what mes- We begin by describing some old elementary at- sage he is actually signing. Since most signature tacks. These attacks illustrate blatant misuse of schemes apply a “one-way hash” to the message RSA. Although many such attacks exist, we give M prior to signing [16], the attack is not a serious only two examples. concern. Although we presented blinding as an Common Modulus attack, it is actually a useful property of RSA To avoid generating a different modulus N = pq needed for implementing anonymous digital cash for each user, one may wish to fix N once and for (cash that can be used to purchase goods, but does all. The same N is used by all users. A trusted cen- not reveal the identity of the person making the tral authority could provide user i with a unique purchase).

FEBRUARY 1999 NOTICES OF THE AMS 205 boneh.qxp 12/7/98 11:40 AM Page 206

Low Private Exponent Large e: Suppose instead of reducing e modulo ϕ(N), one uses hN,e0i for the public key, where To reduce decryption time (or signature-generation 0 0 time), one may wish to use a small value of d e = e + t · ϕ(N) for some large t. Clearly e can be rather than a random d. Since modular exponen- used in place of e for message encryption. How- ever, when a large value of e is used, the k in the tiation takes time linear in log2 d, a small d can improve performance by at least a factor of 10 (for above proof is no longer small. A simple calcula- 0 a 1024-bit modulus). Unfortunately, a clever attack tion shows that if e >N1.5 , then no matter how due to M. Wiener [19] shows that a small d results small d is, the above attack cannot be mounted. in a total break of the cryptosystem. Unfortunately, large values of e result in increased encryption time. Theorem 2 (M. Wiener). Let N = pq with Using CRT: An alternate approach is to use the Chi- q

e k ed − kϕ(N) − kN + kϕ(N) We do not know whether either of these meth- − = N d Nd ods is secure. All we know is that Wiener’s attack √

1 − k(N − ϕ(N)) 3k N is ineffective against them. Theorem 2 was re- = ≤ Nd Nd cently improved by Boneh and Durfee [4], who show that as long as d

e k 1 1 vin is given hN,ei with ed = 1 mod ϕ(N) and − ≤ √ < . N d d 4 N 2d2 e<ϕ(N), can he efficiently recover d? This is a classic approximation relation. The k Low Public Exponent number of fractions d with d

206 NOTICES OF THE AMS VOLUME 46, NUMBER 2 boneh.qxp 12/7/98 11:40 AM Page 207

Theorem 3 (Coppersmith). Let N be an integer and for some predefined m. Then x0 is a root of gu,v (x) f ∈ Z[x] be a monic polynomial of degree d. Set modulo Nm for any u ≥ 0 and 0 ≤ v ≤ m. To use 1 − X = N d for some ≥ 0. Then, given hN,fi, Mar- Lemma 4 we must find an integer linear combi- vin can efficiently find all integers |x0|

The lemma states that if h is a polynomial with The entries ∗ correspond to coefficients of the low norm, then all small roots of h mod N are also polynomials whose value we ignore. All empty en- roots of h over the integers. The lemma suggests tries are zero. Since the matrix is triangular, its de- that to find a small root x0 of f (x) mod N, we terminant is the product of the elements on the di- should look for another polynomial h ∈ Z[x] with agonal (which are explicitly given above). Our small norm having the same roots as f modulo N. objective is to find short vectors in this lattice. Then x0 will be a root of h over the integers and A classic result of Hermite states that any can be easily found. To do so, we may search for lattice L of dimension w contains a nonzero ∈ Z a polynomial g [x] such that h = gf has low point v ∈ L whose L2 norm satisfies kvk≤ 1/w norm, i.e., norm less than N. This amounts to γw det(L) , where γw is a constant depending searching for an integer linear combination of the only on w. Hermite’s bound can be used to show polynomials f, xf, x2f, ... ,xr f with low norm. that for large enough m our lattice contains vec- Unfortunately, most often there is no nontrivial lin- tors of norm less than Nm, as required. The ques- ear combination with sufficiently small norm. tion is whether we can efficiently construct a short Coppersmith found a trick to solve the problem: vector in L whose length is not much larger than k k if f (x0) = 0 mod N, then f (x0) = 0 mod N for any the Hermite bound. The LLL algorithm is an effi- k. More generally, define the following polynomi- cient algorithm that does precisely that. als: − Fact 5 (LLL). Let L be a lattice spanned by g (x)=Nm v xuf (x)v u,v hu1,... ,uw i. When hu1,... ,uw i are given as

FEBRUARY 1999 NOTICES OF THE AMS 207 boneh.qxp 12/7/98 11:40 AM Page 208

input, then the LLL algorithm outputs a point vin can recover M if k ≥ 3. Indeed, Marvin obtains v ∈ L satisfying C1,C2,C3, where

3 3 kvk≤2w/4 det(L)1/w . C1 = M mod N1,C2 = M mod N2, 3 C3 = M mod N3. The running time for LLL is quartic in the length 6 of the input. We may assume that gcd(Ni,Nj )=1for all i = j, since otherwise Marvin can factor some of the The LLL algorithm (named after its inventors L. Ni’s. Hence, applying the Chinese Remainder The- Lovasz, A. Lenstra, and H. Lenstra Jr.) has many ap- 0 ∈ Z orem (CRT) to C1,C2,C3 gives a C N1N2N3 sat- 0 3 plications in both computational isfying C = M mod N1N2N3. Since M is less than 3 0 3 and cryptography. Its discovery in 1982 provided all the Ni’s, we have M

which Coppersmith’s theorem can be generalized gi(M) = 0 mod Ni for all i =1,... ,k. to bivariate polynomials. Under the assumption that k>d, one can effi- Hastad’s Broadcast Attack h ik ciently find M given Ni,gi i=1. As a first application of Coppersmith’s theorem, ··· we an improvement to an old attack due Proof. Let N = N1 Nk. We may assume that all gi’s are monic. (Indeed, if for some i the leading to Hastad [11]. Suppose Bob wishes to send an en- ∗ coefficient of g is not invertible in Z , then the crypted message M to a number of parties i Ni factorization of N is exposed.) By multiplying P1,P2,... ,Pk. Each party has its own RSA key i each g by the appropriate power of x, we may as- hNi,eii. We assume M is less than all the Ni’s. i Naively, to send M, Bob encrypts it using each of sume they all have degree d. Construct the poly- the public keys and sends out the ith ciphertext nomial Xk to P . Marvin can eavesdrop on the connection out i g(x)= T g (x), of Bob’s sight and collect the k transmitted ci- i i i=1 phertexts. ( 1 mod N if i = j For simplicity, suppose all public exponents e j i where Ti = are equal to 3. A simple argument shows that Mar- 0 mod Nj if i =6 j.

208 NOTICES OF THE AMS VOLUME 46, NUMBER 2 boneh.qxp 12/7/98 11:40 AM Page 209

The Ti’s are integers known as the Chinese Re- We show that when e =3, the gcd must be lin- 3 mainder Coefficients. Then g(x) must be monic, ear. The polynomial x − C2 factors modulo both since it is monic modulo all the Ni. Its degree is p and q into a linear factor and an irreducible qua- d. Furthermore, we know that g(M) = 0 mod N . dratic factor (recall that gcd(e, ϕ(N))=1, hence 3 Theorem 6 now follows from Theorem 3, since x − C2 has only one root in ZN). Since g2 cannot 1/k 1/d M3 the gcd is almost always linear. However, for some rare The theorem shows that a system of univariate M1,M2, and f, it is possible to obtain a nonlinear equations modulo relatively prime composites gcd, in which case the attack fails. ■ can be efficiently solved, assuming sufficiently many equations are provided. By setting gi = For e>3 the attack takes time quadratic in e. ei − fi Ci mod Ni, we see that Marvin can recover M Consequently, it can be applied only when a small from the given ciphertexts whenever the number public exponent e is used. For large e the work in of parties is at least d, where d is the maximum computing the gcd is prohibitive. It is an interest- of eideg(fi) over all i =1,... ,k. In particular, if all ing question (though likely to be difficult) to de- ei’s are equal to e and Bob sends out linearly re- vise such an attack for arbitrary e. In particular, lated messages, then Marvin can recover the plain- can the gcd of g1 and g2 above be found in time text as soon as k>e. polynomial in log e? Hastad’s original theorem is weaker than the one Coppersmith’s Short Pad Attack stated above. Rather than d polynomials, Hastad The Franklin-Reiter attack might seem a bit artifi- required d(d +1)/2 polynomials. Hastad’s proof is cial. After all, why should Bob send Alice the en- similar to the proof of Coppersmith’s theorem de- cryption of related messages? Coppersmith scribed in the previous section. However, Hastad strengthened the attack and proved an important does not use powers of g in the lattice and con- result on padding [7]. sequently obtains a weaker bound. A naive random padding algorithm might pad To conclude this section, we note that to prop- a plaintext M by appending a few random bits to erly defend against the broadcast attack above, one one of the ends. The following attack points out must use a randomized pad [1] rather than a fixed the danger of such simplistic padding. Suppose Bob one. sends a properly padded encryption of M to Alice. Marvin intercepts the ciphertext and prevents it Franklin-Reiter Related Message Attack from reaching its destination. Bob notices that Franklin and Reiter [8] found a clever attack when Alice did not respond to his message and decides Bob sends Alice related encrypted messages using to resend M to Alice. He randomly pads M and h i the same modulus. Let N,e be Alice’s public transmits the resulting ciphertext. Marvin now has ∈ Z∗ key. Suppose M1,M2 N are two distinct mes- two ciphertexts corresponding to two sages satisfying M1 = f (M2) mod N for some pub- of the same message using two different random ∈ Z licly known polynomial f N [x]. To send M1 and pads. The following theorem shows that although M2 to Alice, Bob may naively encrypt the mes- he does not know the pads used, Marvin is able to sages and transmit the resulting ciphertexts C1,C2. recover the plaintext. We show that given C1,C2, Marvin can easily re- h i cover M1,M2. Although the attack works for any Theorem 8. Let N,e be a public RSA key where 2 ∈ Z∗ small e, we state the following lemma for e =3in N is n-bits long. Set m =[n/e ]. Let M N be a − order to simplify the proof. message of length at most n m bits. Define m m M1 =2 M + r1 and M2 =2 M + r2, where r1 and h i m Lemma 7 (FR). Set e =3, and let N,e be an r2 are distinct integers with 0 ≤ r1,r2 < 2 . If Mar- 6 ∈ ∗ RSA public key. Let M1 = M2 ZN satisfy vin is given hN,ei and the encryptions C1,C2 of M1 = f (M2) mod N for some linear polynomial M1,M2 (but is not given r1 or r2), he can effi- f = ax + b ∈ ZN [x] with b =06 . Then, given ciently recover M. hN,e,C ,C ,fi, Marvin can recover M ,M in time 1 2 1 2 e − quadratic in log N. Proof. Define g1(x, y)=x C1 and g2(x, y) e =(x + y) − C2. We know that when y = r2 − r1, Proof. To keep this part of the proof general, we these polynomials have M1 as a common root. In state it using an arbitrary e (rather than restrict- other words, ∆ = r2 − r1 is a root of the “resultant” e ing to e =3). Since C1 = M1 mod N , we know h(y) = resx(g1,g2) ∈ ZN [y]. The degree of h is at 2 m 1/ that M2 is a root of the polynomial g1(x)= most e . Furthermore, |∆| < 2

FEBRUARY 1999 NOTICES OF THE AMS 209 boneh.qxp 12/7/98 11:40 AM Page 210

x orem 3). Once ∆ is known, the Franklin-Reiter at- tial key exposure. Indeed, if g mod p and a con- tack of the previous section can be used to re- stant fraction of the bits of x are given, there is cover M2 and consequently M. ■ no known polynomial-time algorithm to compute the rest of x. When e =3, the attack can be mounted as long as To conclude the section, we show that when the the pad length is less than 1/9 the message length. encryption exponent e is small, the RSA system This is an important result. Note that for the rec- leaks half the most significant bits of the corre- ommended value of e = 65537, the attack is use- less against standard moduli sizes. sponding private key d. To see this, consider once again the equation ed − k(N − p − q +1)=1 for Partial Key Exposure Attack an integer 0

Theorem 10 (Coppersmith). Let N = pq be an n- Implementation Attacks bit RSA modulus. Then given the n/4 least sig- We turn our attention to an entirely different class nificant bits of p or the n/4 most significant bits of attacks. Rather than attacking the underlying of p, one can efficiently factor N. structure of the RSA function, these attacks focus Theorem 9 readily follows from Theorem 10. In on the implementation of RSA. fact, by definition of e and d, there exists an in- Timing Attacks teger k such that Consider a smartcard that stores a private RSA key. ed − k(N − p − q +1)=1. Since the card is tamper resistant, Marvin may not be able to examine its contents and expose the key. ≤ Since d<ϕ(N), we must have 0

210 NOTICES OF THE AMS VOLUME 46, NUMBER 2 boneh.qxp 12/7/98 11:40 AM Page 211

The variable z runs through the set of values in a given iteration the card performs one or two i M2 mod N for i =0,... ,n. The variable C “col- multiplications, thus exposing the bits of d. lects” the appropriate powers in the set to obtain Random Faults Md mod N. Implementations of RSA decryption and signa- To mount the attack, Marvin asks the smartcard tures frequently use the Chinese Remainder The- to generate signatures on a large number of ran- orem to speed up the computation of Md mod N. ∈ Z∗ dom messages M1,... ,Mk N and measures the Instead of working modulo N, Bob first computes time Ti it takes the card to generate each of the the signatures modulo p and q and then com- signatures. bines the results using the Chinese Remainder The attack recovers bits of d one at a time, be- Theorem. More precisely, Bob first computes ginning with the least significant bit. We know d dp dq Cp = M mod p and Cq = M mod q, is odd. Thus d0 =1. Consider the second itera- 2 tion. Initially z = M mod N and C = M. If d1 =1, where dp = d mod (p − 1) and dq = d mod (q − 1). the smartcard computes the product He then obtains the signature C by setting 2 Cz = M · M mod N. Otherwise, it does not. Let ti be the time it takes the smartcard to compute C = T1Cp + T2Cq mod N, · 2 Mi Mi mod N. The ti’s differ from each other, where · 2 since the time to compute Mi Mi mod N depends ( ) ( ) on the value of Mi (simple modular reduction al- 1 mod p 0 mod p T = and T = . gorithms take a different amount of time de- 1 0 mod q 2 1 mod q pending on the value being reduced). Marvin mea- sures the ti’s offline (prior to mounting the attack) The running time of the last CRT step is negligi- once he obtains the physical specifications of the ble compared to the two . Note card. that p and q are half the length of N. Since sim- Kocher observed that when d1 =1, the two en- ple implementations of multiplication take qua- { } { } sembles ti and Ti are correlated. For instance, dratic time, multiplication modulo p is four times if for some i, ti is much larger than its expecta- faster than modulo N. Furthermore, dp is half the tion, then Ti is also likely to be larger than its ex- length of d , and consequently computing pectation. On the other hand, if d1 =0, the two en- Mdp mod p is eight times faster than computing sembles {ti} and {Ti} behave as independent Md mod N. Overall signature time is thus reduced random variables. By measuring the correlation, by a factor of four. Many implementations use Marvin can determine whether d1 is 0 or 1. Con- this method to improve performance. tinuing in this way, he can recover d2, d3, and so Boneh, DeMillo, and Lipton [3] observed that on. Note that when a low public exponent e is there is an inherent danger in using the CRT used, the partial key exposure attack of the pre- method. Suppose that while generating a signature, vious section shows that Kocher’s a glitch on Bob’s computer causes it to miscalcu- need only be employed until a quarter of the bits late in a single instruction. For instance, while of d are discovered. copying a register from one location to another, one There are two ways to defend against the attack. of the bits is flipped. (A glitch may be caused by The simplest is to add appropriate delay so that ambient electromagnetic interference or perhaps modular always takes a fixed by a rare hardware bug, like the one found in an amount of time. The second approach, due to early version of the Pentium chip.) Given an invalid Rivest, is based on blinding. Prior to decryption of signature, Marvin can easily factor Bob’s modulus ∈ Z∗ N. M the smartcard picks a random r N and com- putes M0 = M · r e mod N. It then applies d to M0 We present a version of the attack as described and obtains C0 =(M0)d mod N. Finally, the smart- by A. K. Lenstra. Suppose a single error occurs card sets C = C0/r mod N. With this approach, the while Bob is generating a signature. As a result, ex- 0 smartcard is applying d to a random message M actly one of Cp or Cq will be computed incorrectly. b unknown to Marvin. As a result, Marvin cannot Say Cp is correct, but Cq is not. The resulting b b mount the attack. signature is C = T1Cp + T2Cq. Once Marvin receives Kocher recently discovered another attack along Cb , he knows it is a false signature, since these lines called power . Kocher Cb e =6 M mod N. However, notice that showed that by precisely measuring the smart- b e b e 6 card’s power consumption during signature gen- C = M mod p while C = M mod q. eration, Marvin can often easily discover the secret As a result, gcd(N,Cb e − M) exposes a nontrivial key. As it turns out, during a multiprecision mul- factor of N. tiplication the card’s power consumption is higher For the attack to work, Marvin must have full than normal. By measuring the length of high con- knowledge of M; namely, we are assuming Bob sumption periods, Marvin can easily determine if does not use any random padding procedure. Ran-

FEBRUARY 1999 NOTICES OF THE AMS 211 boneh.qxp 12/7/98 11:40 AM Page 212

dom padding prior to signing defeats the attack. We categorized known attacks on RSA into four A simpler defense is for Bob to check the gener- categories: (1) elementary attacks that exploit bla- ated signature before sending it out to the world. tant misuse of the system, (2) low private exponent Checking is especially important when using the attacks serious enough that a low private exponent CRT speedup method. Random faults are haz- should never be used, (3) low public exponent at- ardous to many cryptographic systems. Many sys- tacks, (4) and attacks on the implementation. These tems, including a non-CRT implementation of RSA, last attacks illustrate that a study of the underly- can be attacked using random faults [3]. However, ing mathematical structure is insufficient. Through- these results are far more theoretical. out the paper we observed that many attacks can Bleichenbacher’s Attack on PKCS 1 be defeated by properly padding the message prior to encryption or signing. Let N be an n-bit RSA modulus and M be an m- The first twenty years of RSA have led to a num- bit message with m

212 NOTICES OF THE AMS VOLUME 46, NUMBER 2 boneh.qxp 12/7/98 11:40 AM Page 213

[12] N. HOWGRAVE-GRAHAM, Finding small roots of uni- variate modular equations revisited, Cryptography and Coding, Lecture Notes in Computer Science, vol. 1355, Springer-Verlag, Berlin and New York, 1997, pp. 131–142. [13] P. KOCHER, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, CRYPTO ’96, Lecture Notes in Computer Science, vol. 1109, Springer-Verlag, 1996, pp. 104–113. [14] A. K. LENSTRA and H. W. LENSTRA JR., Algorithms in number theory, Handbook of Theoretical Computer Science (Volume A: Algorithms and Complexity), Chapter 12, Elsevier and MIT Press, Amsterdam and Cambridge, MA, 1990, pp. 673–715. [15] L. LOVASZ, An Algorithmic Theory of Number, Graphs and Convexity, SIAM Publications, 1986. [16] A. MENEZES, P. VAN OORSCHOT, and S. VANSTONE, Hand- book of Applied Cryptography, CRC Press, Boca Raton, FL, 1996. [17] C. POMERANCE, A tale of two sieves, Notices Amer. Math. Soc. 43 (1996), 1473–1485. [18] R. L. RIVEST, A. SHAMIR, and L. ADLEMAN, A method for obtaining digital signatures and public key cryp- tosystems, Commun. ACM 21 (1978), 120–126. [19] M. WIENER, Cryptanalysis of short RSA secret expo- nents, IEEE Trans. Inform. Theory 36 (1990), 553–558.

FEBRUARY 1999 NOTICES OF THE AMS 213