## 1. Introduction

Rivest et al. patented (US) RSA, which forms the basis for most public encryption systems. RSA describes a public key encryption algorithm and certification process, which protects user data over networks. The patent expired in September 2000 and now is available for general use. According to Marketsandmarkets.com [1], the global network encryption market size is expected to grow from USD 2.9 billion in 2018 to USD 4.6 billion by 2023, at a compound annual growth rate (CAGR) of 9.8%. Major growth drivers for the market include increasing adoption of optical transmission, an increasing demand to meet various regulatory compliances and a growing focus on shielding organizations from network security breaches. In short, RSA forms the basis of almost all public encryption systems. This, however, is not without risk. This chapter explores some of these vulnerabilities in a mathematical context and provides the reader with an appreciation of the strength of RSA.

RSA is secure and difficult to factorize in polynomial time. Conventional sequential computing machines, running in polynomial time, take an unfeasible amount of CPU cycles to find factorization solutions to RSA keys. Quantum computing holds great promise; this, however, is realistically still some way off. Opportunities exist with conventional computing (sequential and parallel) using better mathematical techniques. The exploitation of implementation flaws is also discussed.

Of keen interest is our lack of understanding of prime numbers and their structure. The current perception is that there appears to be some underlying structure, but essentially, primes are randomly distributed. This is explored in Sections 8 and 12. Vulnerabilities in the selection of primes are exploited in Section 5 using Euler's factorization.

Survey of RSA Vulnerabilities

DOI: http://dx.doi.org/10.5772/intechopen.84852

Encrypt a message m into cipher text C with public key PU. Let the message m = 1461989.

$$C = m^e \bmod N = 1461989^{13} \pmod{2137458620009} = 1912018123454.$$

To recover the original message, decrypt using Private Key, PR = (N, d) = (1912018123454, 1973036027077):

$$m = C^d \bmod N = 1912018123454^{1973036027077} \pmod{2137458620009} = 1461989.$$

From this simple example, consider the following: How can we use a known public key PU = (N, e) to decrypt the original message? To decrypt the message, the private key is used: PR = (N, d). How can d be discovered? d is derived using Euler's totient function [$\varphi_n = (P_1 - 1)(P_2 - 1)$] and the extended Euclidean algorithm, $ed \bmod \varphi_n = 1$. However, when a public key is transmitted, the totient $\varphi_n$ and the two primes $P_1$ and $P_2$ remain secret. If $\varphi_n$, $P_1$ or $P_2$ can be determined, the private key will be compromised and the cypher-text will no longer be secure. When the totient $\varphi_n$ is known, d can be determined through the normal key generation processes, so the determination of the two primes ($P_1$, $P_2$) is not required to recover the message from the cypher-text. The following proof is provided for completeness and shows how the two primes $P_1$, $P_2$ can be recovered if the composite N and the totient $\varphi_n$ are known.

## 4. If the composite N and the totient φn are known, the original primes can be recovered

Using the quadratic formula, $P_1$ and $P_2$ can be recovered if the composite N and the totient $\varphi_n$ are known.

$\varphi_n = (P_1 - 1)(P_2 - 1)$, $N = P_1 P_2$. General quadratic form:

$$ax^2 + bx + c = 0 \implies x = \frac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$

$$\varphi_n = (P_1 - 1)(P_2 - 1) = P_1 P_2 - P_1 - P_2 + 1, \quad \text{recalling } N = P_1 P_2 \implies \varphi_n = N - P_1 - P_2 + 1$$

Express the primes in terms of N and $\varphi_n$:

$$P_1 = N - \varphi_n - P_2 + 1, \quad P_2 = N - \varphi_n - P_1 + 1, \quad N = P_1 P_2$$

Substitute for $P_2$:

$$N = P_1 (N - \varphi_n - P_1 + 1) = P_1 N - P_1 \varphi_n - P_1^2 + P_1$$

$$P_1^2 + P_1(\varphi_n - N - 1) + N = 0$$

$$ax^2 + bx + c = 0: \quad a = 1, \; b = (\varphi_n - N - 1), \; c = N, \quad x = \frac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$

The quadratic formula can be used to find $P_1$ and $P_2$:

$$P_1, P_2 = \frac{-(\varphi_n - N - 1) \pm \sqrt{(\varphi_n - N - 1)^2 - 4(1)(N)}}{2(1)} = \frac{-(\varphi_n - N - 1) \pm \sqrt{(\varphi_n - N - 1)^2 - 4N}}{2}$$

When N and $\varphi_n$ are known: N = 2137458620009, $\varphi_n$ = 2137455696000

$$P_1, P_2 = \frac{2924010 \pm \sqrt{8549834480100 - 8549834480036}}{2} = \frac{2924010 \pm \sqrt{64}}{2} = 1462005 \pm 4$$

$$P_1, P_2 = (1462001, 1462009)$$

## 5. Fermat's factorization method

$N = a^2 - b^2 = (a - b)(a + b)$ is the difference of two squares.

$$P_1 = a - b, \quad P_2 = a + b, \quad P_1 + P_2 = 2a, \quad P_2 - P_1 = 2b; \quad a = \frac{P_2 + P_1}{2}, \quad b = \frac{P_2 - P_1}{2}$$
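The Section 4 recovery and the Section 5 difference-of-squares identity, as an added Python example (not code from the chapter): it recovers the primes and d from the chapter's N, φn and exponent 13, and goes one step beyond the identities shown by running a bounded Fermat search as a key-generation check for primes chosen too close together. The function names and the step budget are assumptions made for this example.

```python
from math import isqrt

# Values from the chapter's worked example; E = 13 is the exponent it encrypts with.
N, PHI, E = 2137458620009, 2137455696000, 13

def primes_from_totient(n, phi):
    """Section 4: solve P^2 + (phi - N - 1)P + N = 0 and return (P1, P2), P1 <= P2."""
    s = n - phi + 1                      # -b = P1 + P2
    disc = s * s - 4 * n                 # b^2 - 4ac with a = 1, c = N
    r = isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc:
        raise ValueError("phi is not the totient of a two-prime modulus n")
    return (s - r) // 2, (s + r) // 2

def private_exponent(e, phi):
    """d with e*d = 1 (mod phi), via Python 3.8+ modular inverse."""
    return pow(e, -1, phi)

def fermat_factor(n, max_steps):
    """Section 5: find n = a^2 - b^2 by trying a = ceil(sqrt(n)), then a + 1, ...
    Returns (P1, P2, steps), or None if the step budget runs out (odd n only)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for step in range(1, max_steps + 1):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b, step
        a += 1
    return None

def primes_too_close(n, budget=1_000_000):
    """Key-generation check (hypothetical helper): reject n if a bounded Fermat search factors it."""
    return fermat_factor(n, budget) is not None

if __name__ == "__main__":
    p1, p2 = primes_from_totient(N, PHI)
    d = private_exponent(E, PHI)
    m = 1461989                          # the chapter's message
    c = pow(m, E, N)
    print("P1, P2 =", p1, p2, " d =", d)
    print("round trip ok:", pow(c, d, N) == m)
    print("Fermat:", fermat_factor(N, 10), " reject key:", primes_too_close(N))
```

Because the chapter's two primes differ by only 8, the Fermat search succeeds on its first candidate, which is why a key generator should discard prime pairs that this check flags.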

Poor RSA key designs and their exploits are considered in Section 6 using Wiener's method and in Sections 15–17 using a combination of LLL, Coppersmith and Pohlig-Hellman. All of these attacks can be mitigated by designing the RSA keys with these exploits in mind. RSA key design (Section 2) consists of two parts, a private key (N, d) and a public key (N, e). A composite number N is derived from two prime numbers. The (d, e) numbers are selected in an ad hoc manner using Euler's totient.

Development of quantum computing is continuing at breakneck speed; however useful machines are yet to appear. Parallel computing however is here and now, and whilst factorizing RSA keys is not achievable on conventional computers in polynomial time, parallel computing has allowed for multiple solutions to be tested simultaneously. This is an area where research continues and new algorithms as shown in Sections 20 and 14 lend themselves well to GPU parallel processing systems.

## 2. Structure of RSA numbers

Consider RSA100 challenge number

$$\begin{aligned} \text{RSA} - 100 &= \text{15226050279225336053561837813263742971806811496138} \\ &0688657908494580122963258952897654000350692006139 \\ &= \text{37975227936943673922808872755445627854565536638199} \\ &\times 40094690950920881030683755292761468389214899724061 \end{aligned}$$

RSA100 is a 100 binary bit number made up of two 50 binary bit prime numbers. The motivation for breaking this composite number is that it allows us to find Euler's totient number φn. Once this is known, using the public key PU = (N, e), it is possible to derive the private key PR = (N, d), and hence all cypher-text messages encrypted with (e) can be decrypted back to plain text using (d).
