
boneh.qxp 12/7/98 11:40 AM Page 203

Twenty Years of Attacks on the RSA Cryptosystem

Dan Boneh

Introduction

The RSA cryptosystem, invented by Ron Rivest, Adi Shamir, and Len Adleman [18], was first publicized in the August 1977 issue of Scientific American. The cryptosystem is most commonly used for providing privacy and ensuring authenticity of digital data. These days RSA is deployed in many commercial systems. It is used by Web servers and browsers to secure Web traffic, it is used to ensure privacy and authenticity of e-mail, it is used to secure remote login sessions, and it is at the heart of electronic credit card payment systems. In short, RSA is frequently used in applications where security of digital data is a concern.

Since its initial publication, the RSA system has been analyzed for vulnerability by many researchers. Although twenty years of research have led to a number of fascinating attacks, none of them is devastating. They mostly illustrate the dangers of improper use of RSA. Indeed, securely implementing RSA is a nontrivial task. Our goal is to survey some of these attacks and describe the underlying mathematical tools they use. Throughout the survey we follow standard naming conventions and use "Alice" and "Bob" to denote two generic parties wishing to communicate with each other. We use "Marvin" to denote a malicious attacker wishing to eavesdrop or tamper with the communication between Alice and Bob.

We begin by describing a simplified version of RSA encryption. Let $N = pq$ be the product of two large primes of the same size ($n/2$ bits each). A typical size for $N$ is $n = 1024$ bits, i.e., 309 decimal digits. Each of the factors is 512 bits. Let $e, d$ be two integers satisfying $ed = 1 \bmod \phi(N)$ where $\phi(N) = (p-1)(q-1)$ is the order of the multiplicative group $\mathbb{Z}_N^*$. We call $N$ the RSA modulus, $e$ the encryption exponent, and $d$ the decryption exponent. The pair $\langle N, e\rangle$ is the public key. As its name suggests, it is public and is used to encrypt messages. The pair $\langle N, d\rangle$ is called the secret key or private key and is known only to the recipient of encrypted messages. The secret key enables decryption of ciphertexts.

A message is an integer $M \in \mathbb{Z}_N^*$. To encrypt $M$, one computes $C = M^e \bmod N$. To decrypt the ciphertext, the legitimate receiver computes $C^d \bmod N$. Indeed,

$$C^d = M^{ed} = M \bmod N,$$

where the last equality follows by Euler's theorem.¹ One defines the RSA function as $x \mapsto x^e \bmod N$. If $d$ is given, the function can be easily inverted using the above equality. We refer to $d$ as a trapdoor enabling one to invert the function. In this survey we study the difficulty of inverting the RSA function without the trapdoor. We refer to this as breaking RSA. More precisely, given the triple $\langle N, e, C\rangle$, we ask how hard is it to compute the $e$th root of $C$ modulo $N = pq$ when the factorization of $N$ is unknown. Since $\mathbb{Z}_N^*$ is a finite set, one may enumerate all elements of $\mathbb{Z}_N^*$ until the correct $M$ is found. Unfortunately, this results in an algorithm with running time of order $N$, namely, exponential in the size of its input, which is of the order $\log_2 N$. We are interested mostly in algorithms with a substantially lower running time, namely, on the order of $n^c$ where $n = \log_2 N$ and $c$ is some small constant (less than 5, say). Such algorithms often perform well in practice on the inputs in question. Throughout the paper we refer to such algorithms as efficient.

¹ Our description slightly oversimplifies RSA encryption. In practice, messages are padded prior to encryption using some randomness [1]. For instance, a simple (but insufficient) padding algorithm may pad a plaintext $M$ by appending a few random bits to one of the ends prior to encryption. Adding randomness to the encryption process is necessary for proper security.

Dan Boneh is an assistant professor of computer science at Stanford University. His e-mail address is [email protected].

FEBRUARY 1999 NOTICES OF THE AMS 203

In this survey we mainly study the RSA function as opposed to the RSA cryptosystem. Loosely speaking, the difficulty of inverting the RSA function on random inputs implies that given $\langle N, e, C\rangle$, an attacker cannot recover the plaintext $M$. However, a cryptosystem must resist more subtle attacks. If $\langle N, e, C\rangle$ is given, it should be intractable to recover any information about $M$. This is known as semantic security.² We do not discuss these subtle attacks, but point out that RSA as described above is not semantically secure: given $\langle N, e, C\rangle$, one can easily deduce some information about the plaintext $M$ (for instance, the Jacobi symbol of $M$ over $N$ can be easily deduced from $C$). RSA can be made semantically secure by adding randomness to the encryption process [1].

The RSA function $x \mapsto x^e \bmod N$ is an example of a trapdoor one-way function. It can be easily computed, but (as far as we know) cannot be efficiently inverted without the trapdoor $d$ except in special circumstances. Trapdoor one-way functions can be used for digital signatures [16]. Digital signatures provide authenticity and nonrepudiation of electronic legal documents. For instance, they are used for signing digital checks or electronic purchase orders. To sign a message $M \in \mathbb{Z}_N^*$ using RSA, Alice applies her private key $\langle N, d\rangle$ to $M$ and obtains a signature $S = M^d \bmod N$. Given $\langle M, S\rangle$, anyone can verify Alice's signature on $M$ by checking that $S^e = M \bmod N$. Since only Alice can generate $S$, one may suspect that an adversary cannot forge Alice's signature. Unfortunately, things are not so simple; extra measures are needed for proper security. Digital signatures are an important application of RSA. Some of the attacks we survey specifically target RSA digital signatures.

An RSA key pair is generated by picking two random $n/2$-bit primes and multiplying them to obtain $N$. Then, for a given encryption exponent $e < \phi(N)$, one computes $d = e^{-1} \bmod \phi(N)$ using the extended Euclidean algorithm. Since the set of primes is sufficiently dense, a random $n/2$-bit prime can be quickly generated by repeatedly picking random $n/2$-bit integers and testing each one for primality using a probabilistic primality test [16].

$\phi(N)$, from which the decryption exponent $d = e^{-1} \bmod \phi(N)$ can be found. We refer to factoring the modulus as a brute-force attack on RSA. Although factoring algorithms have been steadily improving, the current state of the art is still far from posing a threat to the security of RSA when RSA is used properly. Factoring large integers is one of the most beautiful problems of computational mathematics [14, 17], but it is not the topic of this article. For completeness we note that the current fastest factoring algorithm is the General Number Field Sieve. Its running time on $n$-bit integers is $\exp\big((c + o(1))\, n^{1/3} \log^{2/3} n\big)$ for some $c < 2$. Attacks on RSA that take longer than this time bound are not interesting. These include attacks such as an exhaustive search for $M$ and some older attacks published right after the initial publication of RSA.

Our objective is to survey attacks on RSA that decrypt messages without directly factoring the RSA modulus $N$. Nevertheless, it is worth noting that some sparse sets of RSA moduli, $N = pq$, can be easily factored. For instance, if $p - 1$ is a product of prime factors less than $B$, then $N$ can be factored in time less than $B^3$. Some implementations explicitly reject primes $p$ for which $p - 1$ is a product of small primes.

As noted above, if an efficient factoring algorithm exists, then RSA is insecure. The converse is a long-standing open problem: must one factor $N$ in order to efficiently compute $e$th roots modulo $N$? Is breaking RSA as hard as factoring? We state the concrete open problem below.

Open Problem 1. Given integers $N$ and $e$ satisfying $\gcd(e, \phi(N)) = 1$, define the function $f_{e,N}\colon \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ by $f_{e,N}(x) = x^{1/e} \bmod N$. Is there a polynomial-time algorithm $A$ that computes the factorization of $N$ given $N$ and access to an "oracle" $f_{e,N}(x)$ for some $e$?

An oracle for $f(x)$ evaluates the function on any input $x$ in unit time. Recently Boneh and Venkatesan [6] provided evidence that for small $e$ the answer to the above problem may be no. In other words, for small $e$ there may not exist a polynomial-time reduction from factoring to breaking RSA. They do so by showing that in a certain model, a positive answer to the problem for small $e$ yields an efficient factoring algorithm. We note that a positive answer to Open Problem 1 gives rise to a "chosen ciphertext attack"³ on RSA. Therefore, a negative answer may be welcome.

Next we show that exposing the private key $d$ and factoring $N$ are equivalent.
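As an added illustration (not code from the article), here is a toy Python implementation of the key generation and of the RSA function described above: a probabilistic primality test, the rejection of primes $p$ whose $p - 1$ is $B$-smooth that the factoring remark mentions, $d = e^{-1} \bmod \phi(N)$, and the single modular-exponentiation function that encrypts/verifies with $\langle N, e\rangle$ and decrypts/signs with $\langle N, d\rangle$. The exponent $e = 65537$, the bound $B$ and the seed parameter are my assumptions, and the key sizes are toy-sized.

```python
import random
from math import gcd

def is_probable_prime(n, rng=random, rounds=20):
    """Miller-Rabin, a probabilistic primality test of the kind the article's key generation uses."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^s * d with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False       # a witness of compositeness was found
    return True

def is_b_smooth(m, B):
    """True if every prime factor of m is below B (trial division; fine for toy sizes)."""
    for f in range(2, B):
        while m % f == 0:
            m //= f
        if m == 1:
            return True
    return False

def random_prime(bits, B, rng):
    """Random `bits`-bit prime p, rejecting candidates whose p - 1 is B-smooth (see the text)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force exact bit length and oddness
        if is_probable_prime(p, rng) and not is_b_smooth(p - 1, B):
            return p

def keygen(n_bits, seed=None, e=65537, B=2**12):
    """Toy RSA key generation; e = 65537 and the bound B are assumptions, not the article's values."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(n_bits // 2, B, rng), random_prime(n_bits // 2, B, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))   # d = e^{-1} mod phi(N)

def rsa(key, x):
    """The RSA function x -> x^exp mod N: <N,e> encrypts or verifies, <N,d> decrypts or signs."""
    return pow(x, key[1], key[0])
```

The same code runs at the article's $n = 1024$ bits, only more slowly in pure Python; `keygen(128, seed=7)` is enough to see the round trips work.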