Moral: Never use RSA to sign a random document presented to you by a stranger. Always use a one-way hash function first. The ISO 9796 block format prevents this attack.

Common Modulus Attack on RSA

A possible RSA implementation gives everyone the same n, but different values for the exponents e and d. Unfortunately, this doesn’t work. The most obvious problem is that if the same message is ever encrypted with two different exponents (both having the same modulus), and those two exponents are relatively prime (which they generally would be), then the plaintext can be recovered without either of the decryption exponents [1457].

Let m be the plaintext message. The two encryption keys are e₁ and e₂. The common modulus is n. The two ciphertext messages are:

c₁ = m^e1 mod n

c₂ = m^e2 mod n

The cryptanalyst knows n, e₁, e₂, c₁, and c₂. Here’s how he recovers m.

Since e₁ and e₂ are relatively prime, the extended Euclidean algorithm can find r and s, such that

re₁ + se₂ = 1

Assuming r is negative (either r or s has to be, so just call the negative one r), then the extended Euclidean algorithm can be used again to calculate c₁^-1. Then

(c₁^-1)^-r * C₂^s = m mod n

There are two other, more subtle, attacks against this type of system. One attack uses a probabilistic method for factoring n. The other uses a deterministic algorithm for calculating someone’s secret key without factoring the modulus. Both attacks are described in detail in [449].

Moral: Don’t share a common n among a group of users.

Low Encryption Exponent Attack against RSA

RSA encryption and signature verification are faster if you use a low value for e, but that can also be insecure [704]. If you encrypt e(e + 1)/2 linearly dependent messages with different public keys having the same value of e, there is an attack against the system. If there are fewer than that many messages, or if the messages are unrelated, there is no problem. If the messages are identical, then e messages are enough. The easiest solution is to pad messages with independent random values. This also ensures that m^e mod n ≠ m^e. Most real-world RSA implementations—PEM and PGP (see Sections 24.10 and 24.12), for example—do this.

Moral: Pad messages with random values before encrypting them; make sure m is about the same size as n.

Low Decryption Exponent Attack against RSA

Another attack, this one by Michael Wiener, will recover d, when d is up to one quarter the size of n and e is less than n [1596]. This rarely occurs if e and d are chosen at random, and cannot occur if e has a small value.

Moral: Choose a large value for d.

Lessons Learned

Judith Moore lists several restrictions on the use of RSA, based on the success of these attacks [1114, 1115]:

— Knowledge of one encryption/decryption pair of exponents for a given modulus enables an attacker to factor the modulus.

— Knowledge of one encryption/decryption pair of exponents for a given modulus enables an attacker to calculate other encryption/decryption pairs without having to factor n.

— A common modulus should not be used in a protocol using RSA in a communications network. (This should be obvious from the previous two points.)

— Messages should be padded with random values to prevent attacks on low encryption exponents.

— The decryption exponent should be large.

Remember, it is not enough to have a secure cryptographic algorithm. The entire cryptosystem must be secure, and the cryptographic protocol must be secure. A failure in any of those three areas makes the overall system insecure.

Attack on Encrypting and Signing with RSA

It makes sense to sign a message before encrypting it (see Section 2.7), but not everyone follows this practice. With RSA, there is an attack against protocols that encrypt before signing [48].

Alice wants to send a message to Bob. First she encrypts it with Bob’s public key; then she signs it with her private key. Her encrypted and signed message looks like:

(m^eB mod n_B)^dA mod n_A

Here’s how Bob can claim that Alice sent him m’ and not m. Realize that since Bob knows the factorization of n_B (it’s his modulus), he can calculate discrete logarithms with respect to n_B. Therefore, all he has to do is to find an x such that

m’^x = m mod n_B

Then, if he can publish xe_B as his new public exponent and keep n_B as his modulus, he can claim that Alice sent him message m’ encrypted in this new exponent.

This is a particularly nasty attack in some circumstances. Note that hash functions don’t solve the problem. However, forcing a fixed encryption exponent for every user does.

Standards

RSA is a de facto standard in much of the world. The ISO almost, but not quite, created an RSA digital-signature standard; RSA is in an information annex to ISO 9796 [762]. The French banking community standardized on RSA [525], as have the Australians [1498]. The United States currently has no standard for public-key encryption, because of pressure from the NSA and patent issues. Many U.S. companies use PKCS (see Section 24.14), written by RSA Data Security, Inc. A draft ANSI banking standard specifies RSA [61].

Patents

The RSA algorithm is patented in the United States [1330], but not in any other country. PKP licenses the patent, along with other public-key cryptography patents (see Section 25.5). The U.S. patent will expire on September 20, 2000.

19.4 Pohlig-Hellman

The Pohlig-Hellman encryption scheme [1253] is similar to RSA. It is not a symmetric algorithm, because different keys are used for encryption and decryption. It is not a public-key scheme, because the keys are easily derivable from each other; both the encryption and decryption keys must be kept secret.

Like RSA,

C = P^e mod n

P = C^d mod n

where

ed ≡ 1 (mod some complicated number)

Unlike RSA, n is not defined in terms of two large primes, it must remain part of the secret key. If someone had e and n, they could calculate d. Without knowledge of e or d, an adversary would be forced to calculate

e = log_PC mod n

We have already seen that this is a hard problem.