Coppersmith's attack explained

Coppersmith's attack describes a class of cryptographic attacks on the public-key cryptosystem RSA based on the Coppersmith method. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of a prime factor of the secret key is available.

RSA basics

See main article: RSA (algorithm).

The public key in the RSA system is a tuple of integers

(N,e)

, where N is the product of two primes p and q. The secret key is given by an integer d satisfying

ed\equiv1\pmod{(p-1)(q-1)}

; equivalently, the secret key may be given by

d_p\equivd\pmod{p-1}

and

d_q\equivd\pmod{q-1}

if the Chinese remainder theorem is used to improve the speed of decryption, see CRT-RSA. Encryption of a message M produces the ciphertext

C\equivM^e\pmod{N}

, which can be decrypted using

by computing

C^d\equivM\pmod{N}

Low public exponent attack

In order to reduce encryption or signature verification time, it is useful to use a small public exponent (

).^[1] In practice, common choices for

are 3, 17 and 65537

(2¹⁶+1)

. These values for e are Fermat primes, sometimes referred to as

F_0,F₂

and

F₄

respectively

(F_x=

	2^x
2

+1)

. They are chosen because they make the modular exponentiation operation faster. Also, having chosen such

, it is simpler to test whether

\gcd(e,p-1)=1

and

\gcd(e,q-1)=1

while generating and testing the primes in step 1 of the key generation. Values of

that fail this test can be rejected there and then. (Even better: if e is prime and greater than 2, then the test

p\bmode\ne1

can replace the more expensive test

\gcd(p-1,e)=1

is very short, then the RSA function may be easy to invert, which makes certain attacks possible.Padding schemes ensure that messages have full lengths, but additionally choosing the public exponent

e=2¹⁶+1

is recommended. When this value is used, signature verification requires 17 multiplications, as opposed to about 25 when a random

of similar size is used. Unlike low private exponent (see Wiener's attack), attacks that apply when a small

is used are far from a total break, which would recover the secret key d. The most powerful attacks on low public exponent RSA are based on the following theorem, which is due to Don Coppersmith.

Håstad's broadcast attack

The simplest form of Håstad's attack is presented to ease understanding.^[2] The general case uses the Coppersmith method.

Suppose one sender sends the same message

in encrypted form to a number of people

P_1;P_2;...;P_k

, each using the same small public exponent

, say

e=3

, and different moduli

\left\langleN_i,e\right\rangle

. A simple argument shows that as soon as

k\ge3

ciphertexts are known, the message

is no longer secure: Suppose Eve intercepts

C_1,C₂

, and

C₃

, where

C_i\equivM³\pmod{N_i}

. We may assume

\gcd(N_i,N_j)=1

for all

i,j

(otherwise, it is possible to compute a factor of one of the numbers

N_i

by computing

\gcd(N_i,N_j)

.) By the Chinese remainder theorem, she may compute

C\in

	*
Z
	N_1N_2N₃

such that

C\equivC_i\pmod{N_i}

. Then

C\equiv

	3\pmod{N
M
	1

N₂N_3}

; however, since

M<N_i

for all

, we have

M³<N_1N_2N₃

. Thus

C=M³

holds over the integers, and Eve can compute the cube root of

to obtain

For larger values of

, more ciphertexts are needed, particularly,

ciphertexts are sufficient.

Generalizations

Håstad also showed that applying a linear padding to

prior to encryption does not protect against this attack. Assume the attacker learns that

C_i=

	e
f
	i(M)

for

1\leqi\leqk

and some linear function

f_i

, i.e., Bob applies a pad to the message

prior to encrypting it so that the recipients receive slightly different messages. For instance, if

bits long, Bob might encrypt

M_i=i2^m+M

and send this to the

-th recipient.

M_i

from all the ciphertext with similar methods. In more generality, Håstad proved that a system of univariate equations modulo relatively prime composites, such as applying any fixed polynomial

g_i(M)\equiv0\pmod{N_i}

, could be solved if sufficiently many equations are provided. This attack suggests that randomized padding should be used in RSA encryption.

Franklin–Reiter related-message attack

, then it is possible to recover both of them. The attack was originally described with public exponent

e=3

, but it works more generally (with increasing cost as

grows).

Let

\left\langleN;e_i\right\rangle

be Alice's public key. Suppose

M_1;M₂\inZ_N

are two distinct messages satisfying

M₁\equivf(M₂₎\pmod{N}

for some publicly known polynomial

f\inZ_N[x]

. To send

M₁

and

M₂

to Alice, Bob may naively encrypt the messages and transmit the resulting ciphertexts

C_1;C₂

. Eve can easily recover

M_1;M₂

, given

C_1;C₂

, by using the following theorem:

Coppersmith’s short-pad attack

Like Håstad’s and Franklin–Reiter’s attacks, this attack exploits a weakness of RSA with public exponent

e=3

. Coppersmith showed that if randomized padding suggested by Håstad is used improperly, then RSA encryption is not secure.

Suppose Bob sends a message

to Alice using a small random padding before encrypting it. An attacker, Eve, intercepts the ciphertext and prevents it from reaching its destination. Bob decides to resend

to Alice because Alice did not respond to his message. He randomly pads

again and transmits the resulting ciphertext. Eve now has two ciphertexts corresponding to two encryptions of the same message using two different random pads.

Even though Eve does not know the random pad being used, she still can recover the message

by using the following theorem, if the random padding is too short.

Notes and References

Boneh . Dan . 1999 . Twenty years of attacks on the RSA cryptosystem . Notices of the American Mathematical Society . 46 . 2 . 203–213.
Glenn Durfee, Cryptanalysis of RSA Using Algebraic and Lattice Methods.