Wiener's Attack

The public-key cryptosystem RSA is frequently used for security applications such as email, credit card payments, login network access, etc. The security of RSA depends on the choice of certain parameters. Wiener's attack uses the continued fraction method to exploit a mistake made in the use of RSA. This error could be exploited when users are doing transactions using credit card or mobile devices such as phones.

Contents

Introduction

Before we discuss how Wiener's attack works, we will first briefly explain how RSA works. For more details see the main entry on the RSA cryptosystem. Let Alice and Bob be two people who want to communicate securely. More specifically, Alice wants to send a message to Bob which only Bob can read. First Bob chooses two primes p and q. Then he calculates the RSA modulus N = pq. This RSA modulus is made public together with the encryption exponent e, N and e form the public key pair (e,N). By making this information public, anyone can encrypt messages to Bob. The decryption exponent d satisfies ed=1 \bmod \varphi (N), where \varphi (N)= (p-1)(q-1) , is Euler’s phi function (note: this is the order of the multiplicative group \mathbb{Z}_N^*). The encryption exponent e and \varphi (N) also must be relatively prime so that there is a modular inverse. The factorization of N and the private key d are kept secret, so that only Bob can decrypt the message. We denote the private key pair as (d, N). The encryption of the message M is given by C\equiv M^e\bmod N and the decryption of cipher text C is given by C^d\equiv (M^e)^d\equiv M^{(ed)}\equiv M \bmod N (using Fermat's little theorem).

Using the Euclidean algorithm, one can efficiently recover the secret key d if one knows the factorization of N. By having the secret key d, one can efficiently factor the modulus of N.[1]

In the RSA Cryptosystem, Bob might tend to use a small value of d, rather than a large random number to improve the RSA decryption performance. However, Wiener’s attack shows that choosing a small value for d will result an insecure system in which an attacker can recover all secret information, i.e., break the RSA system. This break is based on Wiener’s Theorem, which holds for small values of d. Wiener has proved that the attacker may efficiently find d when d< \frac{1}{3}N^{\frac{1}{4}} .[2]

Wiener's paper also presented some countermeasures against his attack that allow fast decryption. Two techniques are described as follows.

Choosing large public key: Replace e by e', where e'=e%2Bk. \varphi (N) for some large of k . When e' is large enough, i.e. e'>N^{ \frac{1}{2}} , then Wiener’s attack can not be applied regardless of how small d is.

Using the Chinese Remainder Theorem: Suppose one chooses d such that both d_p = d \bmod\ (p-1) and d_{q} = d \bmod\ (q-1) are small but d itself is not, then a fast decryption of C can be done as follows:

1. First compute M_p\equiv C^{d_p} \bmod\ p and M_q\equiv C^{d_q} \bmod\ q .
2. Use the Chinese Remainder Theorem to compute the unique value of M \in \mathbb{Z_N} which satisfies M\equiv M_p \bmod\ p and M\equiv M_q \bmod\ q . The result of M satisfies M\equiv C^{d} \bmod\ N as needed. The point is that Wiener’s attack does not apply here because the value of d \bmod\ \varphi (N) can be large. [3]

See also: RSA (disambiguation)#Using the Chinese remainder algorithm

How Wiener's Attack Works

Since

ed=1(\bmod\ lcm(p-1, q-1)) ,

there exists an integer K such that

ed = K \times lcm(p-1, q-1)%2B1

Define G = \gcd (p-1, q-1) to be substituted in the equation above which gives:

ed = \frac {K}{G} (p-1)(q-1)%2B1

Defining k = \frac {K}{\gcd(K,G)} and g= \frac {G}{\gcd(K,G)} , and substituting into the above gives:

ed = \frac {k}{g} (p-1) (q-1)%2B1.

Divided by dpq:

\frac{e}{pq} = \frac{k}{dg} (1- \delta), where \delta = \frac {p%2Bq-1- \frac {g}{k}}{pq} .

So, \frac {e}{pq} is slightly smaller than \frac {k}{dg}, and the latter is composed entirely of public information. However, a method of checking a guess is still required. Assuming that ed > pq (a reasonable assumption unless G is large) the last equation above may be written as:

edg=k.(p-1)(q-1) %2B g

By using simple algebraic manipulations and identities, a guess can be checked for accuracy. [1]

Theorem (M. Wiener)

Let \ N = pq with \ q < p < 2q . Let d < \frac{1}{3} N^{\frac{1}{4}}.
Given \left \langle N,e\right \rangle with ed = 1 \bmod\ \varphi (N), the attacker can efficiently recover d.[2]

Example

Suppose that the public keys are \left \langle N,e\right \rangle = \left \langle 90581,17993\right \rangle
The attack shall determine d .
By using Wiener's Theorem and continued fractions to approximate d, first we try to find the continued fractions expansion of \frac{e}{N} . Note that this algorithm finds fractions in their lowest terms. We know that

\frac{e}{N} = \frac{17993}{90581} = \cfrac{1}{5 %2B \cfrac{1}{29 %2B\dots %2B \cfrac{1}{3}}} = \left [0,5,29,4,1,3,2,4,3 \right ]

According to the continued fractions expansion of \frac{e}{N} , all convergents \frac{k}{d} are:

\frac{k}{d} = 0, \frac{1}{5}, \frac{29}{146}, \frac{117}{589}, \frac{146}{733}, \frac{555}{2794}, \frac{1256}{6323}, \frac{5579}{28086}, \frac{17993}{90581}

We can verify that the first convergent does not produce a factorization of N. However, the convergent \frac{1}{5} yields

\varphi (N) = \frac{e.d - 1}{k} = \frac{17993\times5 - 1}{1} = 89964

Now, if we solve the equation

x^2 - \left ( \left (N - \varphi (N) \right ) %2B 1 \right )x %2B N = 0
x^2 - \left ( \left (90581 - 89964 \right ) %2B 1 \right )x %2B 90581 = 0
x^2 - \left (618 \right )x %2B 90581 = 0

then we find the roots which are x = 379�; 239. Therefore we have found the factorization

N = 90581 = 379 \times 239 = p \times q.

Notice that, for the modulus N = 90581, Wiener's Theorem will work if

d < \frac{N^{ \frac{1}{4}}}{3} \approx 5,783.

Proof of Wiener's Theorem

The proof is based on approximations using continued fractions.[2][4]
Since ed = 1\bmod \varphi (N), there exists a \mathit {k} such that ed - k \varphi (N) = 1. Therefore

\left | \frac {e}{\varphi (N)}- \frac {k}{d} \right \vert = \frac{1}{d \varphi (N)}.

Hence, \frac {k}{d} is an approximation of \frac{e}{\varphi(N)}. Although the attacker does not know \varphi(N), he may use N to approximate it. Indeed, since

\varphi(N)= N-p-q%2B1 and p%2Bq-1<3 \sqrt{N} , we have:

\left \vert p%2Bq-1 \right \vert < 3 \sqrt{N}
\left \vert N%2B1-\varphi (N)-1 \right \vert < 3 \sqrt{N}

Using N in place of \varphi(N) we obtain:

\left \vert \frac{e}{N}- \frac{k}{d} \right \vert = \left \vert \frac{ed-kN}{Nd} \right \vert
\qquad = \left \vert \frac{ed-k \varphi (N)-kN%2Bk \varphi (N)}{Nd} \right \vert
= \left \vert \frac{1-k(N- \varphi (N))}{Nd} \right \vert
\le \left \vert \frac{3k \sqrt{N}}{Nd} \right \vert = \frac {3k \sqrt{N}}{\sqrt{N} \sqrt{N}d} = \frac {3k}{d \sqrt{N}}

Now, k \varphi (N)=ed-1<ed , so k \varphi (N)<ed . Since e< \varphi (N) , so k \varphi (N)<ed< \varphi (N)d , then we obtain:

k \varphi (N)<\varphi (N)d
k<d

Since k<d and d< \frac{1}{3} N^{ \frac{1}{4}} . Hence we obtain:

(1) \left \vert \frac{e}{N}- \frac{k}{d} \right \vert \le \frac{1}{dN^{ \frac{1}{4}}}

Since d< \frac{1}{3}N^{ \frac{1}{4}},2d<3d, then 2d<3d<N^{ \frac{1}{4}} , we obtain:

2d<N^{ \frac{1}{4}},, so (2) \frac{1}{2d}> \frac{1}{N^{ \frac{1}{4}}}

From (1) and (2), we can conclude that

\left \vert \frac{e}{N}- \frac{k}{d} \right \vert \le \frac{3k}{d \sqrt{N}}< \frac{1}{d.2d}= \frac{1}{2d^2} \blacksquare

References

  1. ^ a b L. Render, Elaine (2007). Wiener's Attack on Short Secret Exponents.
  2. ^ a b c Boneh, Dan (1999). Twenty Years of attacks on the RSA Cryptosystem. Notices of the American Mathematical Society (AMS) 46 (2).
  3. ^ Cui, Xiao-lei (2005). Attack On the RSA Cryptosystem.
  4. ^ Khaled Salah, Imad (2006). Mathematical Attacks on RSA Cryptosystem. Journal of Computer Science 2 (8)). pp. 665-671.

Further reading