Science Lecture 4 Attack on RSA with Low Public Exponent Lecturer : Oded Regev Scribe :

The well-known RSA public key cryptosystem is nowadays used in a wide variety of applications ranging from web browsers to smart cards. Since its initial publication in 1977, many researchers have tried to look for vulnerabilities in the system. Some clever attacks have been found. However, none of the known attacks is devastating and the RSA system is still considered secure. In this lecture we present one such attack, originally due to Håstad and then greatly refined by Coppersmith. This attack can be mounted when RSA is used with a low public exponent. The attack is based on an algorithm for finding small solutions to low degree polynomials, which is in turn based on the LLL algorithm. This root finding algorithm is interesting on its own and is also used in other attacks on the RSA system. Let us describe a simple version of the RSA cryptosystem. Let N = p · q be the product of two large primes of roughly the same size. Let r, s be two integers satisfying r · s = 1 (mod φ(N)), where φ(N) = (p − 1)(q − 1) is the order of the multiplicative group ZN . We call N the RSA modulus, r the public exponent, and s the private exponent. The pair (N, r) is the public key. As its name suggests, it is public and is used to encrypt messages. The pair (N, s) is called the secret key or private key, and is known only to the recipient of encrypted messages. The secret key enables decryption of ciphertexts. A message is an integer M ∈ ZN . To encrypt M , one computes C = M r (mod N). To decrypt the ciphertext, the legitimate receiver computes Cs (mod N). Indeed, Cs = M r·s = M (mod N), where the last equality follows by Euler’s theorem.