Professional Documents
Culture Documents
Rsa-Attacks
Rsa-Attacks
Michael Levin
Computer Science Department, Higher School of Economics
Outline
Simple Attacks
Small Difference
Insufficient Randomness
Simple Attacks
Small Difference
Insufficient Randomness
√
• 𝑛 = 𝑝𝑞, 𝑝 < 𝑞 ⇒ 𝑝 < 𝑛<𝑞
Small Difference
√
• 𝑛 = 𝑝𝑞, 𝑝 < 𝑞 ⇒ 𝑝 < 𝑛 < 𝑞
√ √ √
• 𝑛−𝑝 <𝑞−𝑝 =𝑟 ⇒ 𝑛−𝑟 <𝑝 < 𝑛
Small Difference
√
• 𝑛 = 𝑝𝑞, 𝑝 < 𝑞 ⇒ 𝑝 < 𝑛 < 𝑞
√ √ √
• 𝑛−𝑝 <𝑞−𝑝 =𝑟 ⇒ 𝑛−𝑟 <𝑝 < 𝑛
√ √
• Try all integers between 𝑛 − 𝑟 and 𝑛 as
divisors of 𝑛
Small Difference
√
• 𝑛 = 𝑝𝑞, 𝑝 < 𝑞 ⇒ 𝑝 < 𝑛 < 𝑞
√ √ √
• 𝑛−𝑝 <𝑞−𝑝 =𝑟 ⇒ 𝑛−𝑟 <𝑝 < 𝑛
√ √
• Try all integers between 𝑛 − 𝑟 and 𝑛 as
divisors of 𝑛
• Factorize 𝑛 and decrypt the same way as Bob
does
Even Faster
• Generate 𝑝 and 𝑞
• If |𝑝 − 𝑞| is small, regenerate
• Repeat until |𝑝 − 𝑞| is sufficiently large
Outline
Simple Attacks
Small Difference
Insufficient Randomness
Simple Attacks
Small Difference
Insufficient Randomness
Bob Angelina
Adriana
Alice
Bob Angelina
𝑚
Adriana
Alice
𝑚
Bob Angelina
𝑚
𝑚 𝑚
Adriana
Alice
𝑒1 mod 𝑁 1
𝑐1 = 𝑚
Bob Angelina
𝑐2 = 𝑚𝑒2 mod 𝑁2
𝑚 𝑐3 = 𝑒
𝑚 3 Adriana
mod
𝑁3
Alice
𝑒1 mod 𝑁 1
𝑐1 = 𝑚
Bob Angelina
𝑐2 = 𝑚𝑒2 mod 𝑁2
𝑚 𝑐3 = 𝑒
𝑚 3 Adriana
mod
𝑁3
𝑒1 = 𝑒 2 = 𝑒 3 = 3
Alice
3 mod 𝑁 1
𝑐1 = 𝑚
Bob Angelina
𝑐2 = 𝑚3 mod 𝑁2
𝑚
𝑐3 = 3
𝑚 m Adriana
od 𝑁
3
𝑒1 = 𝑒 2 = 𝑒 3 = 3
𝑐1 ≡ 𝑚3 mod 𝑁1 , 𝑐2 ≡ 𝑚3 mod 𝑁2 , 𝑐3 ≡ 𝑚3 mod 𝑁3
𝑐1 ≡ 𝑚3 mod 𝑁1 , 𝑐2 ≡ 𝑚3 mod 𝑁2 , 𝑐3 ≡ 𝑚3 mod 𝑁3
𝑐 ≡ 𝑚3 mod 𝑁1 𝑁2 𝑁3
𝑐 ≡ 𝑚3 mod 𝑁1 𝑁2 𝑁3
0 ≤ 𝑐, 𝑚3 < 𝑁1 𝑁2 𝑁3
𝑐 ≡ 𝑚3 mod 𝑁1 𝑁2 𝑁3
0 ≤ 𝑐, 𝑚3 < 𝑁1 𝑁2 𝑁3
So 𝑐 = 𝑚3
𝑐 ≡ 𝑚3 mod 𝑁1 𝑁2 𝑁3
0 ≤ 𝑐, 𝑚3 < 𝑁1 𝑁2 𝑁3
So 𝑐 = 𝑚3
√
Eve can decode 𝑚 as 𝑚 = 3
𝑐
• Broadcasting the same fixed message is a
problem
• Hastad’s original attack works even with
bigger and different 𝑒𝑖
• Solution — add random padding to 𝑚 before
encryption
• Then it is impossible to compute 𝑚 using all
𝑐𝑖 , because each 𝑐𝑖 includes some randomness
apart from 𝑚
More Attacks
• Time to compute 𝑐𝑑 mod 𝑛 can expose 𝑑 — if
one can send ciphertexts to the server which
decrypts them and sends some response
• Error return code in case of incorrect
ciphertext can expose the message in the
same case
• Power consumption while computing
𝑐𝑑 mod 𝑛 can expose 𝑑 — if one tries to
decrypt an encrypted hard drive on a stolen
computer, or withdraw cash from a stolen card
using an ATM
Conclusion