Author(s): Bruce Schneier

ISBN: 0471128457

Publication Date: 01/01/96

Previous | Table of Contents | Next |

Moral: Never use RSA to sign a random document presented to you by a stranger. Always use a one-way hash function first. The ISO 9796 block format prevents this attack.

*Common Modulus Attack on RSA*

A possible RSA implementation gives everyone the same *n*, but different values for the exponents *e* and *d*. Unfortunately, this doesn’t work. The most obvious problem is that if the same message is ever encrypted with two different exponents (both having the same modulus), and those two exponents are relatively prime (which they generally would be), then the plaintext can be recovered without either of the decryption exponents [1457].

Let *m* be the plaintext message. The two encryption keys are *e*_{1} and *e*_{2}. The common modulus is *n*. The two ciphertext messages are:

*c*_{1}=*m*^{e1}mod*n**c*_{2}=*m*^{e2}mod*n*

The cryptanalyst knows *n, e*_{1}, *e*_{2}, *c*_{1}, and *c*_{2}. Here’s how he recovers *m*.

Since *e*_{1} and *e*_{2} are relatively prime, the extended Euclidean algorithm can find *r* and *s*, such that

*re*_{1}+*se*_{2}= 1

Assuming *r* is negative (either *r* or *s* has to be, so just call the negative one *r*), then the extended Euclidean algorithm can be used again to calculate *c*_{1}^{-1}. Then

- (
*c*_{1}^{-1})^{-r}**C*_{2}^{s}=*m*mod*n*

There are two other, more subtle, attacks against this type of system. One attack uses a probabilistic method for factoring *n*. The other uses a deterministic algorithm for calculating someone’s secret key without factoring the modulus. Both attacks are described in detail in [449].

Moral: Don’t share a common *n* among a group of users.

*Low Encryption Exponent Attack against RSA*

RSA encryption and signature verification are faster if you use a low value for *e*, but that can also be insecure [704]. If you encrypt *e*(*e* + 1)/2 linearly dependent messages with different public keys having the same value of *e*, there is an attack against the system. If there are fewer than that many messages, or if the messages are unrelated, there is no problem. If the messages are identical, then *e* messages are enough. The easiest solution is to pad messages with independent random values. This also ensures that *m ^{e}* mod

Moral: Pad messages with random values before encrypting them; make sure *m* is about the same size as *n*.

*Low Decryption Exponent Attack against RSA*

Another attack, this one by Michael Wiener, will recover *d*, when *d* is up to one quarter the size of *n* and *e* is less than *n* [1596]. This rarely occurs if *e* and *d* are chosen at random, and cannot occur if *e* has a small value.

Moral: Choose a large value for *d*.

*Lessons Learned*

Judith Moore lists several restrictions on the use of RSA, based on the success of these attacks [1114, 1115]:

- — Knowledge of one encryption/decryption pair of exponents for a given modulus enables an attacker to factor the modulus.
- — Knowledge of one encryption/decryption pair of exponents for a given modulus enables an attacker to calculate other encryption/decryption pairs without having to factor
*n*. - — A common modulus should not be used in a protocol using RSA in a communications network. (This should be obvious from the previous two points.)
- — Messages should be padded with random values to prevent attacks on low encryption exponents.
- — The decryption exponent should be large.

Remember, it is not enough to have a secure cryptographic algorithm. The entire cryptosystem must be secure, and the cryptographic protocol must be secure. A failure in any of those three areas makes the overall system insecure.

*Attack on Encrypting and Signing with RSA*

It makes sense to sign a message before encrypting it (see Section 2.7), but not everyone follows this practice. With RSA, there is an attack against protocols that encrypt before signing [48].

Alice wants to send a message to Bob. First she encrypts it with Bob’s public key; then she signs it with her private key. Her encrypted and signed message looks like:

- (
*m*^{eB}mod*n*_{B})^{dA}mod*n*_{A}

Here’s how Bob can claim that Alice sent him *m’* and not *m*. Realize that since Bob knows the factorization of *n*_{B} (it’s his modulus), he can calculate discrete logarithms with respect to *n*_{B}. Therefore, all he has to do is to find an *x* such that

*m’*=^{x}*m*mod*n*_{B}

Then, if he can publish *xe*_{B} as his new public exponent and keep *n*_{B} as his modulus, he can claim that Alice sent him message *m’* encrypted in this new exponent.

This is a particularly nasty attack in some circumstances. Note that hash functions don’t solve the problem. However, forcing a fixed encryption exponent for every user does.

*Standards*

RSA is a *de facto* standard in much of the world. The ISO almost, but not quite, created an RSA digital-signature standard; RSA is in an information annex to ISO 9796 [762]. The French banking community standardized on RSA [525], as have the Australians [1498]. The United States currently has no standard for public-key encryption, because of pressure from the NSA and patent issues. Many U.S. companies use PKCS (see Section 24.14), written by RSA Data Security, Inc. A draft ANSI banking standard specifies RSA [61].

*Patents*

The RSA algorithm is patented in the United States [1330], but not in any other country. PKP licenses the patent, along with other public-key cryptography patents (see Section 25.5). The U.S. patent will expire on September 20, 2000.

The Pohlig-Hellman encryption scheme [1253] is similar to RSA. It is not a symmetric algorithm, because different keys are used for encryption and decryption. It is not a public-key scheme, because the keys are easily derivable from each other; both the encryption and decryption keys must be kept secret.

Like RSA,

*C*=*P*mod^{e}*n**P*=*C*mod^{d}*n*

where

*ed*≡ 1 (mod some complicated number)

Unlike RSA, *n* is not defined in terms of two large primes, it must remain part of the secret key. If someone had *e* and *n*, they could calculate *d*. Without knowledge of *e* or *d*, an adversary would be forced to calculate

*e*=*log*_{P}C mod*n*

We have already seen that this is a hard problem.

Previous | Table of Contents | Next |