boneh.qxp 12/7/98 11:40 AM Page 203
Twenty Years of Attacks on the RSA Cryptosystem Dan Boneh
Introduction mal digits. Each of the factors is 512 bits. Let e, d be two integers satisfying ed = 1 mod ϕ(N) where The RSA cryptosystem, invented by Ron Rivest, Adi ϕ(N)=(p − 1)(q − 1) is the order of the multi- Shamir, and Len Adleman [18], was first publi- ∗ plicative group Z . We call N the RSA modulus, e cized in the August 1977 issue of Scientific Amer- N the encryption exponent, and d the decryption ex- ican. The cryptosystem is most commonly used for ponent. The pair hN,ei is the public key. As its providing privacy and ensuring authenticity of name suggests, it is public and is used to encrypt digital data. These days RSA is deployed in many messages. The pair hN,di is called the secret key commercial systems. It is used by Web servers and or private key and is known only to the recipient browsers to secure Web traffic, it is used to ensure of encrypted messages. The secret key enables de- privacy and authenticity of e-mail, it is used to se- cryption of ciphertexts. cure remote login sessions, and it is at the heart ∗ A message is an integer M ∈ Z . To encrypt M, of electronic credit card payment systems. In short, N one computes C = Me mod N. To decrypt the ci- RSA is frequently used in applications where se- phertext, the legitimate receiver computes curity of digital data is a concern. Cd mod N. Indeed, Since its initial publication, the RSA system has been analyzed for vulnerability by many re- Cd = Med = M mod N, searchers. Although twenty years of research have where the last equality follows by Euler’s theo- led to a number of fascinating attacks, none of rem.1 One defines the RSA function as them is devastating. They mostly illustrate the x 7−→ xe mod N. If d is given, the function can be dangers of improper use of RSA. Indeed, securely easily inverted using the above equality. We refer implementing RSA is a nontrivial task. Our goal is to d as a trapdoor enabling one to invert the func- to survey some of these attacks and describe the tion. In this survey we study the difficulty of in- underlying mathematical tools they use. Through- verting the RSA function without the trapdoor. We out the survey we follow standard naming con- refer to this as breaking RSA. More precisely, given ventions and use “Alice” and “Bob” to denote two the triple hN,e,Ci, we ask how hard is it to com- generic parties wishing to communicate with each pute the eth root of C modulo N = pq when the other. We use “Marvin” to denote a malicious at- Z∗ factorization of N is unknown. Since N is a finite tacker wishing to eavesdrop or tamper with the Z∗ set, one may enumerate all elements of N until communication between Alice and Bob. the correct M is found. Unfortunately, this results We begin by describing a simplified version of in an algorithm with running time of order N, RSA encryption. Let N = pq be the product of two large primes of the same size (n/2 bits each). A 1Our description slightly oversimplifies RSA encryption. typical size for N is n = 1024 bits, i.e., 309 deci- In practice, messages are padded prior to encryption using some randomness [1]. For instance, a simple (but in- sufficient) padding algorithm may pad a plaintext M by Dan Boneh is an assistant professor of computer science appending a few random bits to one of the ends prior to at Stanford University. His e-mail address is encryption. Adding randomness to the encryption process [email protected]. is necessary for proper security.
FEBRUARY 1999 NOTICES OF THE AMS 203 boneh.qxp 12/7/98 11:40 AM Page 204
namely, exponential in the size of its input, which ϕ(N) , from which the decryption exponent −1 is of the order log2 N. We are interested mostly in d = e mod ϕ(N) can be found. We refer to fac- algorithms with a substantially lower running time, toring the modulus as a brute-force attack on RSA. c namely, on the order of n where n = log2 N and Although factoring algorithms have been steadily c is some small constant (less than 5, say). Such improving, the current state of the art is still far algorithms often perform well in practice on the from posing a threat to the security of RSA when inputs in question. Throughout the paper we refer RSA is used properly. Factoring large integers is to such algorithms as efficient. one of the most beautiful problems of computa- In this survey we mainly study the RSA function tional mathematics [14, 17], but it is not the topic as opposed to the RSA cryptosystem. Loosely speak- of this article. For completeness we note that the ing, the difficulty of inverting the RSA function on current fastest factoring algorithm is the General random inputs implies that given hN,e,Ci, an at- Number Field Sieve. Its running time on n-bit in- 2/3 tacker cannot recover the plaintext M. However, tegers is exp (c + o(1))n1/3 log n for some a cryptosystem must resist more subtle attacks. If c<2. Attacks on RSA that take longer than this hN,e,Ci is given, it should be intractable to recover time bound are not interesting. These include at- any information about M. This is known as se- tacks such as an exhaustive search for M and mantic security.2 We do not discuss these subtle some older attacks published right after the ini- attacks, but point out that RSA as described above tial publication of RSA. is not semantically secure: given hN,e,Ci, one can Our objective is to survey attacks on RSA that easily deduce some information about the plain- decrypt messages without directly factoring the text M (for instance, the Jacobi symbol of M over RSA modulus N. Nevertheless, it is worth noting N can be easily deduced from C). RSA can be that some sparse sets of RSA moduli, N = pq, can made semantically secure by adding randomness be easily factored. For instance, if p − 1 is a prod- to the encryption process [1]. uct of prime factors less than B, then N can be fac- 3 The RSA function x 7−→ xe mod N is an exam- tored in time less than B . Some implementations − ple of a trapdoor one-way function. It can be eas- explicitly reject primes p for which p 1 is a prod- ily computed, but (as far as we know) cannot be uct of small primes. efficiently inverted without the trapdoor d except As noted above, if an efficient factoring algo- in special circumstances. Trapdoor one-way func- rithm exists, then RSA is insecure. The converse tions can be used for digital signatures [16]. Digi- is a long-standing open problem: must one factor th tal signatures provide authenticity and nonrepu- N in order to efficiently compute e roots mod- diation of electronic legal documents. For instance, ulo N? Is breaking RSA as hard as factoring? We they are used for signing digital checks or electronic state the concrete open problem below. ∈ Z∗ purchase orders. To sign a message M N using Open Problem 1. Given integers N and e satisfy- h i RSA, Alice applies her private key N,d to M and ing gcd(e, ϕ(N))=1, define the function obtains a signature S = Md mod N. Given hM,Si, Z∗ → Z∗ 1/e fe,N : N N by fe,N(x)=x mod N. Is there a anyone can verify Alice’s signature on M by check- polynomial-time algorithm A that computes the e ing that S = M mod N. Since only Alice can gen- factorization of N given N and access to an “ora- erate S, one may suspect that an adversary can- cle” fe,N(x) for some e? not forge Alice’s signature. Unfortunately, things are not so simple; extra measures are needed for An oracle for f (x) evaluates the function on any proper security. Digital signatures are an impor- input x in unit time. Recently Boneh and Venkate- tant application of RSA. Some of the attacks we sur- san [6] provided evidence that for small e the an- vey specifically target RSA digital signatures. swer to the above problem may be no. In other An RSA key pair is generated by picking two ran- words, for small e there may not exist a polyno- n mial-time reduction from factoring to breaking dom 2-bit primes and multiplying them to obtain N . Then, for a given encryption exponent RSA. They do so by showing that in a certain model, e<ϕ(N), one computes d = e−1 mod ϕ(N) using a positive answer to the problem for small e yields the extended Euclidean algorithm. Since the set of an efficient factoring algorithm. We note that a pos- primes is sufficiently dense, a random n-bit prime itive answer to Open Problem 1 gives rise to a 2 3 can be quickly generated by repeatedly picking “chosen ciphertext attack” on RSA. Therefore, a n negative answer may be welcome. random 2-bit integers and testing each one for primality using a probabilistic primality test [16]. Next we show that exposing the private key d and factoring N are equivalent. Hence there is no Factoring Large Integers The first attack on an RSA public key hN,ei to con- 3 sider is factoring the modulus N. Given the fac- In this context, “chosen ciphertext attack” refers to an at- tacker, Marvin, who is given a public key hN,ei and ac- torization of N, an attacker can easily construct cess to a black box that decrypts messages of his choice. Marvin succeeds in mounting the chosen ciphertext attack 2A source that explains semantic security and gives ex- if by using the black box he can recover the private key amples of semantically secure ciphers is [9]. hN,di.
204 NOTICES OF THE AMS VOLUME 46, NUMBER 2 boneh.qxp 12/7/98 11:40 AM Page 205
point in hiding the factorization of N from any pair ei,di from which user i forms a public key party who knows d. hN,eii and a secret key hN,dii. At first glance this may seem to work: a ci- Fact 1. Let hN,ei be an RSA public key. Given the phertext C = Mea mod N intended for Alice cannot private key d, one can efficiently factor the mod- ulus N = pq. Conversely, given the factorization of be decrypted by Bob, since Bob does not possess N, one can efficiently recover d. da. However, this is incorrect, and the resulting sys- tem is insecure. By Fact 1 Bob can use his own ex- Proof. A factorization of N yields ϕ(N). Since e ponents eb,db to factor the modulus N. Once N is known, one can recover d. This proves the con- is factored Bob can recover Alice’s private key da verse statement. We now show that given d, one from her public key e . This observation, due to − a can factor N. Given d, compute k = de 1. By de- Simmons, shows that an RSA modulus should finition of d and e we know that k is a multiple never be used by more than one entity. of ϕ(N). Since ϕ(N) is even, k =2t r with r odd ∗ Blinding and t ≥ 1. We have gk =1for every g ∈ Z , and N h i h i therefore gk/2 is a square root of unity modulo N. Let N,d be Bob’s private key and N,e his cor- By the Chinese Remainder Theorem, 1 has four responding public key. Suppose Marvin wants Bob’s ∈ Z∗ square roots modulo N = pq. Two of these square signature on a message M N. Being no fool, roots are 1. The other two are x where x sat- Bob refuses to sign M. Marvin can try the follow- ∈ Z∗ isfies x = 1 mod p and x = −1 mod q. Using either ing: he picks a random r N and sets 0 e one of these last two square roots, one can reveal M = r M mod N. He then asks Bob to sign the 0 the factorization of N by computing gcd(x − 1,N). random message M . Bob may be willing to pro- 0 0 A straightforward argument shows that if g is vide his signature S on the innocent-looking M . ∗ 0 0 chosen at random from Z , then with probability But recall that S =(M )d mod N. Marvin now sim- N 0 at least 1/2 (over the choice of g) one of the ele- ply computes S = S /r mod N and obtains Bob’s t ments in the sequence gk/2,gk/4,... ,gk/2 mod N signature S on the original M. Indeed, is a square root of unity that reveals the factor- e 0 e e 0 ed e ≡ 0 e ization of N. All elements in the sequence can be S =(S ) /r =(M ) /r M /r = M (mod N). 3 efficiently computed in time O(n ) where This technique, called blinding, enables Marvin ■ n = log2 N. to obtain a valid signature on a message of his choice by asking Bob to sign a random “blinded” Elementary Attacks message. Bob has no information as to what mes- We begin by describing some old elementary at- sage he is actually signing. Since most signature tacks. These attacks illustrate blatant misuse of schemes apply a “one-way hash” to the message RSA. Although many such attacks exist, we give M prior to signing [16], the attack is not a serious only two examples. concern. Although we presented blinding as an Common Modulus attack, it is actually a useful property of RSA To avoid generating a different modulus N = pq needed for implementing anonymous digital cash for each user, one may wish to fix N once and for (cash that can be used to purchase goods, but does all. The same N is used by all users. A trusted cen- not reveal the identity of the person making the tral authority could provide user i with a unique purchase).
FEBRUARY 1999 NOTICES OF THE AMS 205 boneh.qxp 12/7/98 11:40 AM Page 206
Low Private Exponent Large e: Suppose instead of reducing e modulo ϕ(N), one uses hN,e0i for the public key, where To reduce decryption time (or signature-generation 0 0 time), one may wish to use a small value of d e = e + t · ϕ(N) for some large t. Clearly e can be rather than a random d. Since modular exponen- used in place of e for message encryption. How- ever, when a large value of e is used, the k in the tiation takes time linear in log2 d, a small d can improve performance by at least a factor of 10 (for above proof is no longer small. A simple calcula- 0 a 1024-bit modulus). Unfortunately, a clever attack tion shows that if e >N1.5 , then no matter how due to M. Wiener [19] shows that a small d results small d is, the above attack cannot be mounted. in a total break of the cryptosystem. Unfortunately, large values of e result in increased encryption time. Theorem 2 (M. Wiener). Let N = pq with Using CRT: An alternate approach is to use the Chi- q
e k ed − kϕ(N) − kN + kϕ(N) We do not know whether either of these meth- − = N d Nd ods is secure. All we know is that Wiener’s attack √
1 − k(N − ϕ(N)) 3k N is ineffective against them. Theorem 2 was re- = ≤ Nd Nd cently improved by Boneh and Durfee [4], who show that as long as d e k 1 1 vin is given hN,ei with ed = 1 mod ϕ(N) and − ≤ √ < . N d d 4 N 2d2 e<ϕ(N), can he efficiently recover d? This is a classic approximation relation. The k Low Public Exponent number of fractions d with d 206 NOTICES OF THE AMS VOLUME 46, NUMBER 2 boneh.qxp 12/7/98 11:40 AM Page 207 Theorem 3 (Coppersmith). Let N be an integer and for some predefined m. Then x0 is a root of gu,v (x) f ∈ Z[x] be a monic polynomial of degree d. Set modulo Nm for any u ≥ 0 and 0 ≤ v ≤ m. To use 1 − X = N d for some ≥ 0. Then, given hN,fi, Mar- Lemma 4 we must find an integer linear combi- vin can efficiently find all integers |x0|