Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption

Attacks on the RSA Algorithm


Outline
• Short message attacks
  – Generating all possible messages with the public key
• Timing attacks
  – Guessing private key based on decryption run time
  – Apply to many encryption algorithms

Mathematical Attacks
• Based on finding fast ways to solve the underlying mathematics
  – Factorization (recover p and q from n, and hence D from E)
  – Discrete logarithms
• Unsolved at this point: no efficient algorithm is known for either problem
• Recommendations:
  – Large p and q (at least 1024 bits each, so n is at least 2048 bits)
  – Don't reuse the same n: every key pair gets its own modulus
  – Large E (at least 2^16 + 1 = 65537)

Short Message Attacks
• Typical use of public key algorithm: generating short messages
  – Symmetric keys (used then to send rest of message)
  – Social security numbers, etc.
• Idea:
  – Adversary acquires public key E, n
  – Uses them to encrypt all possible messages that may be sent (plausible if messages are short enough!) and stores them in a table
  – Intercepts encrypted message C and searches for a match in the table
• Works because textbook RSA is deterministic: the same plaintext always gives the same ciphertext under a given public key
• Adversary can recover plaintext without decryption key!

Short Message Attack
• Example: Darth knows that Bob will use Alice's public key KPU to send her a Social Security Number (9 digits)
• Darth finds Alice's public key KPU
• Darth uses Alice's public key KPU to encrypt all possible Social Security Numbers (only a billion)

[Figure: table of every SSN from 000-00-0000 through 999-99-9999, each encrypted under Alice's KPU]


Short Message Attack
• Darth intercepts Bob's SSN encrypted with Alice's public key
• Searches for match in table of encrypted values

[Figure: the intercepted message matches one encrypted value in the table, so the SSN in that row must be the corresponding plaintext value]

Short Message Attacks
• Solution: Pad message to M bits
  – M large enough so adversary can't generate all 2^M possible messages
  – Can't just add fixed extra bits to the end: encryption stays deterministic, the adversary pads the same way, and the table attack still works
  – Padding must contain random bits, so the same plaintext encrypts differently every time
• Optimal Asymmetric Encryption Padding (OAEP)
  – Additional bits used as "mask" to conceal plaintext
    • Mask generated randomly
    • Mask data sent as part of encrypted message for decryption
  – Based on cryptographic hash (more later)
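The table attack above, and the effect of random padding on it, as an added example in Python (not code from the lecture). The two small fixed primes, the 4-digit PIN standing in for a 9-digit SSN, and the 16 random padding bits are assumptions chosen so the table builds instantly; against a 2048-bit key the attack is the same because textbook RSA is deterministic.

```python
# Added example: short-message table attack on textbook RSA, and why random
# padding defeats it. Toy key: two fixed small primes (assumption for the demo).
import secrets

P, Q = 999983, 1000003              # assumption: small fixed primes, n ~ 2^40
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def rsa_encrypt(m: int, e: int = E, n: int = N) -> int:
    """Textbook RSA: C = M^E mod n. No randomness, so equal messages give equal ciphertexts."""
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int = D, n: int = N) -> int:
    return pow(c, d, n)


def build_table(message_space: range, e: int = E, n: int = N) -> dict:
    """Darth's precomputation: ciphertext -> plaintext for every possible short message."""
    return {rsa_encrypt(m, e, n): m for m in message_space}


def table_attack(ciphertext: int, table: dict):
    """Recover the plaintext of an intercepted ciphertext by lookup, with no private key."""
    return table.get(ciphertext)


# Stand-in for OAEP: append PAD_BITS fresh random bits below the message.
PAD_BITS = 16


def padded_encrypt(m: int, e: int = E, n: int = N) -> int:
    r = secrets.randbits(PAD_BITS)                  # different on every call
    return rsa_encrypt((m << PAD_BITS) | r, e, n)


def padded_decrypt(c: int, d: int = D, n: int = N) -> int:
    return rsa_decrypt(c, d, n) >> PAD_BITS         # strip the random bits


if __name__ == "__main__":
    # Constructed sample: a 4-digit PIN (10^4 entries) instead of the SSN
    # space (10^9 entries, large but well within an attacker's reach).
    pin = 7734
    table = build_table(range(10000))
    print("textbook RSA, table attack recovers:", table_attack(rsa_encrypt(pin), table))
    c_pad = padded_encrypt(pin)
    print("padded RSA, table attack recovers:", table_attack(c_pad, table))
    print("legitimate decryption of padded ciphertext:", padded_decrypt(c_pad))
```

With the padding, the adversary would have to table every (message, r) pair, which is 2^16 times larger here and 2^256 times larger with a real OAEP seed.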

Optimal Asymmetric Encryption Padding

Encryption:
• Message padded to m bits (zero bits appended)
• Random bits r mask the padded message
  – r run through hash function G (output is m bits)
  – XOR'd with padded message to give P1 (the masked message)
• Masked message masks the random bits
  – Masked message P1 run through hash function H (output is the length of r)
  – XOR'd with random bits r to give P2
• Masked message and masked random bits (P1 and P2) concatenated, encrypted and sent
• Key: a fresh random r for every encryption means the same message never produces the same ciphertext, so a precomputed table of messages is useless; the one-way hash functions G and H spread r and the message across the whole block, so neither can be recovered from P1 and P2 without decrypting first

Optimal Asymmetric Encryption Padding

Decryption:
• Ciphertext decrypted to get masked message and masked random bits (P1 and P2)
• Masked message P1 run through hash function H and XOR'd with P2 to recover r
• r run through hash function G and XOR'd with P1 to recover original padded plaintext
• Zero padding checked and stripped to get the message
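The encode and decode steps just described, carried out at the bit level around a toy RSA key, as an added example (not code from the lecture). The sizes (16-bit message padded to 20 bits, 16-bit r), the fixed demo primes and the derivation of G and H from truncated SHA-256 with a tag byte are assumptions chosen so the 36-bit block fits under the small modulus; PKCS#1 v2 OAEP works on byte strings with MGF1 and a hash-length seed, but the structure P1 = padded message XOR G(r), P2 = r XOR H(P1) is the same.

```python
# Added example: bit-level OAEP (P1 = padded message XOR G(r), P2 = r XOR H(P1))
# around toy RSA. Sizes, primes and the SHA-256-based G/H are demo assumptions.
import hashlib
import secrets

P, Q = 999983, 1000003             # assumption: fixed demo primes
N = P * Q                          # about 2^40; the padded block must be < N
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

MSG_BITS = 16                      # the short message being protected
PAD_MSG_BITS = 20                  # message plus appended zero padding (m bits)
R_BITS = 16                        # random bits r
assert PAD_MSG_BITS + R_BITS < N.bit_length()


def mask(tag: bytes, x: int, out_bits: int) -> int:
    """Hash-based mask generator: the slides' G (tag b'G') and H (tag b'H'),
    built from SHA-256 truncated to out_bits."""
    digest = hashlib.sha256(tag + x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)


def oaep_encode(m: int, r: int) -> int:
    """Encode message m under random r; returns the block P1 || P2 as an integer."""
    if not 0 <= m < (1 << MSG_BITS):
        raise ValueError("message too long")
    padded = m << (PAD_MSG_BITS - MSG_BITS)        # append zero padding bits
    p1 = padded ^ mask(b"G", r, PAD_MSG_BITS)      # masked message
    p2 = r ^ mask(b"H", p1, R_BITS)                # masked random bits
    return (p1 << R_BITS) | p2


def oaep_decode(block: int) -> int:
    """Recover m from P1 || P2; rejects blocks whose zero padding is not intact."""
    p1 = block >> R_BITS
    p2 = block & ((1 << R_BITS) - 1)
    r = p2 ^ mask(b"H", p1, R_BITS)                # undo the H mask to get r
    padded = p1 ^ mask(b"G", r, PAD_MSG_BITS)      # undo the G mask
    if padded & ((1 << (PAD_MSG_BITS - MSG_BITS)) - 1):
        raise ValueError("bad padding")            # one generic error, no detail
    return padded >> (PAD_MSG_BITS - MSG_BITS)


def encrypt(m: int) -> int:
    r = secrets.randbits(R_BITS)                   # fresh r for every encryption
    return pow(oaep_encode(m, r), E, N)


def decrypt(c: int) -> int:
    return oaep_decode(pow(c, D, N))


if __name__ == "__main__":
    m = 0xBEEF                                     # constructed sample message
    c1, c2 = encrypt(m), encrypt(m)
    print("same message, different ciphertexts:", c1 != c2)
    print("both decrypt to:", hex(decrypt(c1)), hex(decrypt(c2)))
```

With only four zero padding bits a random block passes the padding check one time in sixteen; a real parameter set has enough padding that a forged block is rejected with overwhelming probability, and the decoder reports a single generic failure so the check itself does not leak.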

Timing Attacks

• Encryption/decryption times may not be constant for all algorithms
• Times may be a function of:
  – Plaintext, ciphertext
  – Keys
• Adversary can observe timing in different ways
  – Overall time
  – Processor cycles
  – Power consumption…


Timing Attacks on RSA
• Fast exponentiation algorithm used for decryption to compute C^D mod n (bit 0 is the least significant bit of D):

    result = 1
    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        C = C^2 mod n
    }

• Speed of decryption depends on number of 1's in D
  – Each 1 requires an additional multiplication operation
  – Each 0 skips that step

Timing Attacks on RSA
• If adversary knows the following:
  – Ciphertext C
    • Can compute how long it takes to multiply by the ciphertext and reduce mod n
    • That is, how long a 1 or a 0 takes to decrypt
  – Total time decryption takes
    • Can be observed
• They could compute the number of 1's in the private exponent D
• Given enough timed decryptions of known ciphertexts, can reliably guess D


Timing Attacks on RSA
• Darth infiltrates organization
  – Requests secure data from database
  – Observes ciphertext
  – Times processor cycles required by decryption (the fast exponentiation)
  – Guesses properties of key
Timing Attack Solutions

Solutions:
• "Pad" algorithm so all decryptions take the same time (dummy multiplication on the 0 branch):

    result = 1
    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        else
            garbageVariable = (result * C) mod n
        C = C^2 mod n
    }

  – Caveat: a compiler may delete the unused garbageVariable as dead code, and the two branches can still differ in cache or power behavior, so constant time has to be verified on the compiled code, not assumed from the source
• Remove adversary's ability to know the C used in the fast exponentiation (blinding)
  – Compute fast exponentiation on a value other than C
  – Use that value to recover the plaintext
  – Used by commercial versions of RSA

Blinding Timing Attacks
• Algorithm:
  – Select random r < modulus n (with gcd(r, n) = 1, so r^-1 mod n exists)
  – Compute C1 = (C · r^E) mod n
  – Compute P1 = C1^D mod n = (C · r^E)^D mod n = (C^D mod n · r^(ED) mod n) mod n = (P · r) mod n
    (fast exponentiation on a value unknown to the adversary; r^(ED) = r because ED = 1 mod φ(n))
  – Compute P = (P1 · r^-1) mod n (factor out the original r)
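The leaky exponentiation loop, the dummy-multiply variant and the blinding procedure above, as one added Python example (not code from the lecture). Modular multiplications are counted as a stand-in for measured time, so the dependence on the bits of D is exact rather than noisy; the fixed demo primes are an assumption.

```python
# Added example: square-and-multiply instrumented with an operation count
# (stand-in for timing), the dummy-multiply "padded" loop, and blinding.
import math
import secrets

P, Q = 999983, 1000003              # assumption: fixed demo primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def modexp_leaky(c: int, d: int, n: int):
    """C^D mod n by the slides' right-to-left loop. Returns (result, ops):
    every bit costs one squaring, and every 1 bit costs one extra multiply."""
    result, base, ops = 1, c, 0
    for i in range(d.bit_length()):
        if (d >> i) & 1:                # bit i of D, least significant first
            result = (result * base) % n
            ops += 1
        base = (base * base) % n
        ops += 1
    return result, ops


def hamming_weight_from_ops(ops: int, bits: int) -> int:
    """What Darth learns from the leaky loop: ops = bits + (number of 1's in D)."""
    return ops - bits


def modexp_dummy(c: int, d: int, n: int):
    """Same loop with a dummy multiply on the 0 branch, so ops = 2 * bits for
    every D. (In C the dummy value must be consumed or the compiler drops it,
    and cache/power behaviour of the two branches may still differ.)"""
    result, base, ops = 1, c, 0
    garbage = 0
    for i in range(d.bit_length()):
        if (d >> i) & 1:
            result = (result * base) % n
        else:
            garbage = (result * base) % n
        ops += 1
        base = (base * base) % n
        ops += 1
    return result, ops


def blinded_decrypt(c: int, d: int, e: int, n: int) -> int:
    """Exponentiate C * r^E for a random r the adversary cannot know, then
    divide r out: (C * r^E)^D = P * r^(ED) = P * r (mod n)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:         # r^-1 mod n must exist
            break
    c1 = (c * pow(r, e, n)) % n         # value fed to the fast exponentiation
    p1, _ = modexp_leaky(c1, d, n)      # timing now depends on c1, not on C
    return (p1 * pow(r, -1, n)) % n     # factor out the original r


if __name__ == "__main__":
    m = 123456789                       # constructed sample plaintext
    c = pow(m, E, N)
    p, ops = modexp_leaky(c, D, N)
    print("leaky: correct =", p == m, "ops =", ops,
          "-> 1's in D =", hamming_weight_from_ops(ops, D.bit_length()),
          "(actual", bin(D).count("1"), ")")
    print("dummy: ops =", modexp_dummy(c, D, N)[1], "= 2 *", D.bit_length())
    print("blinded decryption correct =", blinded_decrypt(c, D, E, N) == m)
```

Blinding does not make the exponentiation constant time; it makes the input to it unpredictable, so timings collected across many decryptions no longer correlate with a ciphertext the adversary chose.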

Timing Attacks
• Based on implementation of algorithm, not underlying mathematics
• Any cryptosystem that has a component that takes different time for different keys (or different data) may be vulnerable
• Current research: AES
  – MixColumns stage uses matrix multiplication
  – More 0's in state → faster matrix multiplication
  – May be able to recover intermediate states based on run time
