5

I am writing a (high-school) paper on the public key exponent's (in textbook RSA - no padding is discussed!) significance in terms of time and security. The time part is done; as for the security part, so far I have shown example of various attacks that can take place when the public key is low (e.g. $e$ root attack, Håstad Broadcast Attacks etc).

My question is: Is there a way to mathematically justify that there is no way to prove that the security of the system lies in the value of the public key exponent?

I have also done some readings on the integer factorization problem whose intractability cannot be proven - can I relate this to the link between security and the public key?

user9750060
  • 389
  • 3
  • 18
  • 1
    I recommend that you illustrate why padding is a must, using a simple example: enciphering the value of a dice throw, or the name of a classmate. Without padding, regardless of public exponent, that's entirely insecure (because anyone can test all few possible values to ascertain the right one). That's fixed with a simple random padding, where random bits or digits are added on the left of what's enciphered before exponentiation, and removed at decryption. With enough of such random padding, any valid public exponent is believed to be just fine (we have no proof, for that simple padding). – fgrieu Jan 04 '16 at 16:25
  • @fgrieu Thank you, that sounds like a good idea. This part though: "Without padding, regardless of public exponent, that's entirely insecure (because anyone can test all few possible values to ascertain the right one)." - which source did you find this from? (I understand that you have a lot of knowledge, but I need something to refer to...) – user9750060 Jan 04 '16 at 16:32
  • That's the forward search attack; but a simple proof is better than a source! $;$ If the unknown name $x$ of a classmate is enciphered as $c=x^e\bmod N$, with $N$, $e$, $c$ known (the standard assumption in RSA encryption): simply compute $c_j={x_j}^e\bmod N$ for the name $x_j$ of each classmate; find for which $j$ it holds that $c=c_j$; the classmate $x$ is now known, that's $x_j$. This basic attack (totally overlooked in many bad introductory texts) works regardless of the choice of the public key $(N,e)$. – fgrieu Jan 04 '16 at 16:50
  • It's not proven if there's no other attack than factor the primes or solve the discreet logarithm. – Joshua Jan 04 '16 at 17:22

1 Answers1

6

Loosely define the RSA problem as solving for $x$ the equation $c=x^e\bmod N$, with $x$ random in $\{0,1,\dots,N-1\}$ (or equivalently $c$ random in this set), and $(N,e)$ properly chosen. The best method we know for tackling that problem is factoring $N$, but we have no proof that there is no substantially better method.

We do not know if the RSA problem is more difficult when $e$ is small (e.g. $e=3$), or large or/and random, or even have expert consensus on that research topic or what should be done in practice (I'm in the league favoring good padding with $e=3$ at least when speed matters, and reluctantly bowing to $e=65537$ to avoid conflict with official advice); much less do we know if it is possible to make a proof in either direction.

We do not know an efficient integer factorization method (that is one with effort growing polynomially with the number of digits in the number to factor); and I doubt that there is a proof or even argument that such an algorithm can not be found, for integer factorization is not in Wikipedia's list of known NP-complete problems.

Community
  • 1
fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • I have been told that large exponents (like 65537) reduce the consequences of certain implementation mistakes. One can therefore argue that a standard with exponent 3 will - on average - have weaker implementations than a standard with larger exponent. I am not entirely convinced... – K.G. Jan 05 '16 at 12:20
  • I do agree with " $e=65537$ reduce the consequences of certain implementation mistakes"; in particular: no padding at all; and PKCS#1 v1.5 encryption padding with a deciphering entity susceptible to padding oracle attack by leaking information thru an error code, or timing. But, because choice of $e$ is not independent of what implementation mistakes are made, I disagree with "A standard with exponent $3$ will - on average - have weaker implementations than a standard with larger exponent". @K.G. – fgrieu Jan 05 '16 at 13:28
  • Like I said, I am not entirely convinced. So I agree with your disagreement. It's complicated. – K.G. Jan 05 '16 at 19:14