Cryptanalysis RSA

This article describes the conditions for using the RSA public key cryptographic algorithm , simplifying cryptanalytic attacks ^[1] , and methods for eliminating such conditions.

Content

Introduction

For 2009, an RSA-based encryption system is considered reliable, starting with $n$ ${\ displaystyle n}$ in 1024 bits.

A group of scientists from Switzerland, Japan, France, the Netherlands, Germany and the United States were able to successfully calculate data encrypted using a 768-bit RSA standard cryptographic key. ^[2] According to the researchers, after their work, only RSA-keys with a length of 1024 bits or more can be considered as a reliable encryption system. Moreover, encryption with a key with a length of 1024 bits should be abandoned in the next three to four years. ^[3]

As follows from the description of the work, the calculation of key values was carried out by the general method of numerical field sieve .

The first step (the choice of a pair of polynomials of degree 6 and 1) spent about six months computing on 80 processors, which was about 3% of the time spent on the main stage of the algorithm (sifting), which was performed on hundreds of computers for almost two years. If you interpolate this time for the operation of a single AMD Opteron 2.2 GHz processor with 2 GB of memory, you would get about 1500 years. Data processing after sifting for the next resource-intensive step (linear algebra) took several weeks on a small number of processors. The final step after finding non-trivial OSL solutions took no more than 12 hours.

The OSLU solution was carried out using the Wiedemann method on several separate clusters and lasted just under 4 months. The size of the sparse matrix was 192,796,550x192,795,550 with 27,795,115 920 non-zero elements (that is, an average of 144 non-zero elements per line). To store the matrix on the hard disk took about 105 gigabytes. At the same time, it took about 5 terabytes of compressed data to build this matrix.

As a result, the group was able to calculate the 232-digital key, which opens access to the encrypted data.

Researchers are confident that using their factorization method, a 1024-bit RSA key will be possible to crack within the next decade.

Knowing the decomposition of the module $n$ ${\ displaystyle n}$ on the product of two prime numbers, the enemy can easily find the secret exponent $d$ ${\ displaystyle d}$ and thereby hack rsa. However, today the fastest factorization algorithm is the General Number Field Sieve sieve of the generalized number field, whose speed for a k-bit integer is

$\exp((c+o(1))k^{\frac {1}{3}}\log ^{\frac {2}{3}}k),$ ${\ displaystyle \ exp ((c + o (1)) k ^ {\ frac {1} {3}} \ log ^ {\ frac {2} {3}} k),}$ for some $c<2$ ${\ displaystyle c <2}$ ,

does not allow decomposing a large integer in a reasonable time. We will consider possible attacks on RSA, which allow hacking this system without using direct decomposition of the module n into the product of two prime numbers.

Elementary attacks

Consider several attacks associated with improper use of the RSA algorithm.

Generating prime numbers

To random primes $p$ ${\ displaystyle p}$ and $q$ ${\ displaystyle q}$ the following additional constraint is imposed:

$p$ ${\ displaystyle p}$ and $q$ ${\ displaystyle q}$ should not be too close to each other, otherwise it will be possible to find them using the Fermat factorization method . However, if both are prime $p$ ${\ displaystyle p}$ and $q$ ${\ displaystyle q}$ were generated independently, then this limitation is very likely to be automatically satisfied.

Diagram with a common module n

Initial data: To avoid generating different modules $n=p*q$ ${\ displaystyle n = p * q}$ for each user, the secure server uses a single n to encrypt all messages. Side $A$ ${\ displaystyle A}$ uses this server to receive a message $M$ ${\ displaystyle M}$

Task: the opponent wants to decrypt the message side $A$ ${\ displaystyle A}$ .

It would seem ciphertext $C=M^{e_{a}}\mod n,$ ${\ displaystyle C = M ^ {e_ {a}} \ mod n,}$ sent to the side $A$ ${\ displaystyle A}$ can not be decoded by $B$ ${\ displaystyle B}$ if she does not have a secret key $d_{a}$ ${\ displaystyle d_ {a}}$ . However side $B$ ${\ displaystyle B}$ can use your exhibitors $e_{b},d_{b}$ ${\ displaystyle e_ {b}, d_ {b}}$ to decompose the module $n$ ${\ displaystyle n}$ and after that, knowing $e_{a}$ ${\ displaystyle e_ {a}}$ , calculate the secret exponent $d_{a}$ ${\ displaystyle d_ {a}}$ .

Protection: for each user must use its own module $n$ ${\ displaystyle n}$ .

Attack on RSA signature in notary scheme

Initial data: $(n,e)$ ${\ displaystyle (n, e)}$ - public key of the notary. Opponent gets a refusal when trying to sign a message by a notary $M\in \mathbb {Z} _{n}$ ${\ displaystyle M \ in \ mathbb {Z} _ {n}}$

Task: the enemy wants to get the notary's signature on the message $M\in \mathbb {Z} _{n}$ ${\ displaystyle M \ in \ mathbb {Z} _ {n}}$ .

Opponent chooses arbitrary $r\in \mathbb {Z} _{n},$ ${\ displaystyle r \ in \ mathbb {Z} _ {n},}$ calculates $M'=r^{e}M\mod n$ ${\ displaystyle M '= r ^ {e} M \ mod n}$ and sends this message to the notary for signature.

If the notary signs this message:

S'=(M')^{d}\mod n

{\ displaystyle S '= (M') ^ {d} \ mod n}

then the opponent by calculating $S=S'/r\mod n$ ${\ displaystyle S = S '/ r \ mod n}$ receives the signature of the message $M$ ${\ displaystyle M}$ .

Really, $S^{e}=(S')^{e}/r^{e}=(M')^{ed}/r^{e}\equiv M'/r^{e}=M(\mod n)$ ${\ displaystyle S ^ {e} = (S ') ^ {e} / r ^ {e} = (M') ^ {ed} / r ^ {e} \ equiv M '/ r ^ {e} = M (\ mod n)}$

Protection: when signing, add a random number to the message (for example, time).

Small secret exponent values

Initial data: To increase the speed of decryption (or creating a digital signature), the number of non-zero bits of the binary representation of the secret exponent was reduced. $d$ ${\ displaystyle d}$ (see the speed of the RSA algorithm ).

Task: calculate the secret exponent $d$ ${\ displaystyle d}$ .

In 1990, Michael Wiener (Michael J. Wiener) showed that in the case of small values $d$ ${\ displaystyle d}$ possible hacking of the RSA system, namely:

Wiener's theorem:

  Let be 
          $n=pq$ n=pq{\ displaystyle n = pq}  where ${\displaystyle q<span class=$ q<p<2q{\ displaystyle q <p <2q}d<one3nonefour{\ displaystyle d <{\ frac {1} {3}} n ^ {\ frac {1} {4}}} 
Then, if known $(n,e)$ (n,e){\ displaystyle (n, e)}  where $ed=1\mod \varphi (n)$ ed=onemodφ(n){\ displaystyle ed = 1 \ mod \ varphi (n)}  ,
then there is an efficient way to calculate $d$ d{\ displaystyle d}  .

Protection: So if

n

{\ displaystyle n}

has a size of 1024 bits, it is necessary that

d

{\ displaystyle d}

was at least 256 bits long.

Small values of the open exponent

To increase the speed of encryption and verification of digital signatures , use small values of the open exponent $e$ ${\ displaystyle e}$ . The smallest of them $e=3$ ${\ displaystyle e = 3}$ . However, in order to increase the cryptostability of the RSA algorithm, it is recommended to use

$e=2^{16}+1=65537$ ${\ displaystyle e = 2 ^ {16} + 1 = 65537}$ .

Attack of Hastada

Initial conditions: Party $B$ ${\ displaystyle B}$ sends an encrypted message $M$ ${\ displaystyle M}$ users $P_{1},P_{2},...P_{k}$ ${\ displaystyle P_ {1}, P_ {2}, ... P_ {k}}$ . Each user has his own public key. $(n_{i},e_{i})$ ${\ displaystyle (n_ {i}, e_ {i})}$ , and $M<n_{i},\forall i$ ${\ displaystyle M <n_ {i}, \ forall i}$ . Side $B$ ${\ displaystyle B}$ encrypts the message using each user's alternately public key and sends it to the appropriate recipient. Opponent listens to the transmission channel and collects $k$ ${\ displaystyle k}$ transmitted ciphertexts.

Task: the opponent wants to restore the message $M$ ${\ displaystyle M}$ .

Set $e_{i}=3,\forall i$ ${\ displaystyle e_ {i} = 3, \ forall i}$ then the enemy can recover $M$ ${\ displaystyle M}$ if a $k\geqslant 3$ ${\ displaystyle k \ geqslant 3}$ .

Evidence

Indeed, if the enemy received $C_{1},C_{2},C_{3}$ ${\ displaystyle C_ {1}, C_ {2}, C_ {3}}$ where

C_{1}=M^{3}\mod n_{1}

{\ displaystyle C_ {1} = M ^ {3} \ mod n_ {1}}

C_{2}=M^{3}\mod n_{2}

{\ displaystyle C_ {2} = M ^ {3} \ mod n_ {2}}

C_{3}=M^{3}\mod n_{3}

{\ displaystyle C_ {3} = M ^ {3} \ mod n_ {3}}

We assume that $n_{1},n_{2},n_{3}$ ${\ displaystyle n_ {1}, n_ {2}, n_ {3}}$ are mutually simple, otherwise the greatest common divisor other than one means that the divisor of one of $n$ ${\ displaystyle n}$ . Applying the Chinese remainder theorem to $C_{1},C_{2},C_{3}$ ${\ displaystyle C_ {1}, C_ {2}, C_ {3}}$ get $C'\in \mathbb {Z} _{n_{1}n_{2}n_{3}}$ ${\ displaystyle C '\ in \ mathbb {Z} _ {n_ {1} n_ {2} n_ {3}}}$ ,

C'=M^{3}\mod n_{1}n_{2}n_{3}

{\ displaystyle C '= M ^ {3} \ mod n_ {1} n_ {2} n_ {3}}

Insofar as $M<n_{i},\forall i$ ${\ displaystyle M <n_ {i}, \ forall i}$ then $M^{3}<n_{1}n_{2}n_{3},\forall i$ ${\ displaystyle M ^ {3} <n_ {1} n_ {2} n_ {3}, \ forall i}$ and

C'=M^{3}

{\ displaystyle C '= M ^ {3}}

Ie the adversary can recover the message $M$ ${\ displaystyle M}$ calculating the cubic root of $C^{'}$ ${\ displaystyle C '}$ .

In general, if all open exponents are equal $e$ ${\ displaystyle e}$ , the enemy can recover $M$ ${\ displaystyle M}$ at $k\geqslant e$ ${\ displaystyle k \ geqslant e}$ .

Consider the simplest defense against this attack. Let the message $M_{i}$ ${\ displaystyle M_ {i}}$ for each user is some fixed permutation of the original message $M$ ${\ displaystyle M}$ .For example

M_{i}=i2^{m}+M

{\ displaystyle M_ {i} = i2 ^ {m} + M}

- message for i-th user.

Hustad (Johan Hastad) showed that even in this case, the enemy can recover the message $M$ ${\ displaystyle M}$ with enough users.

Protection: This attack is possible only with a small value of the open exponent. $e$ ${\ displaystyle e}$ In this case, the cryptographic strength of the RSA system can be achieved using an arbitrary permutation, rather than a fixed one, an example of which was given above.

Franklin-Reiter Attack

Initial conditions :

There are two messages. $M_{1},M_{2}\in \mathbb {Z} _{n}$ ${\ displaystyle M_ {1}, M_ {2} \ in \ mathbb {Z} _ {n}}$ , and

M_{1}=f(M_{2})\mod n,

{\ displaystyle M_ {1} = f (M_ {2}) \ mod n,}

Where

f\in \mathbb {Z} _{n}[x]

{\ displaystyle f \ in \ mathbb {Z} _ {n} [x]}

some open polynomial.

Side $A$ ${\ displaystyle A}$ with public key $(n,e)$ ${\ displaystyle (n, e)}$ receives these messages from the side $B$ ${\ displaystyle B}$ which simply encrypts messages $M_{1},M_{2}$ ${\ displaystyle M_ {1}, M_ {2}}$ and passes the received ciphertexts $C_{1},C_{2}$ ${\ displaystyle C_ {1}, C_ {2}}$ .

Task: Opponent, knowing $(n,e,C_{1},C_{2},f)$ ${\ displaystyle (n, e, C_ {1}, C_ {2}, f)}$ , wants to recover $M_{1},M_{2}$ ${\ displaystyle M_ {1}, M_ {2}}$ .

Matthew K. Franklin and Michael K. Reiter proved the following statement:

  Let be    
      one)  $(n,e)$ (n,e){\ displaystyle (n, e)}  - the public key of the RSA system, and $e=3$ e=3{\ displaystyle e = 3} 
2) $M_{1}\neq M_{2}\in \mathbb {Z} _{n}$ Mone≠M2∈Zn{\ displaystyle M_ {1} \ neq M_ {2} \ in \ mathbb {Z} _ {n}}  and $M_{1}=f(M_{2})\mod N$ Mone=f(M2)modN{\ displaystyle M_ {1} = f (M_ {2}) \ mod N}  ,
for some linear polynomial $f=ax+b\in \mathbb {Z} _{n}[x]$ f=ax+b∈Zn[x]{\ displaystyle f = ax + b \ in \ mathbb {Z} _ {n} [x]}  , $b\neq 0$ b≠0{\ displaystyle b \ neq 0} 
Then knowing $(n,e,C_{1},C_{2},f)$ (n,e,Cone,C2,f){\ displaystyle (n, e, C_ {1}, C_ {2}, f)}  , the enemy can recover $M_{1},M_{2}$ Mone,M2{\ displaystyle M_ {1}, M_ {2}}

Evidence

Indeed, for arbitrary

e

{\ displaystyle e}

:

$C_{1}={M^{e}}_{1}\mod n~~~~\rightarrow ~~~~M_{2}$ ${\ displaystyle C_ {1} = {M ^ {e}} _ {1} \ mod n ~~~~ \ rightarrow ~~~~ M_ {2}}$ , is the root of a polynomial

g_{1}(x)=f(x)^{e}-C_{1}\in \mathbb {Z} _{n}[x]

{\ displaystyle g_ {1} (x) = f (x) ^ {e} -C_ {1} \ in \ mathbb {Z} _ {n} [x]}

but, $M_{2}$ ${\ displaystyle M_ {2}}$ is also the root of a polynomial

g_{2}(x)=x^{e}-C_{2}\in \mathbb {Z} _{n}[x]

{\ displaystyle g_ {2} (x) = x ^ {e} -C_ {2} \ in \ mathbb {Z} _ {n} [x]}

.

In this way $(x-M_{2})$ ${\ displaystyle (x-m_ {2})}$ divides both polynomials. And the adversary can use the Euclidean algorithm to calculate the gcd $(g_{1},g_{2})$ ${\ displaystyle (g_ {1}, g_ {2})}$ . If the result is a linear polynomial, then $M_{2}$ ${\ displaystyle M_ {2}}$ will be found.

When $e=3$ ${\ displaystyle e = 3}$ NOD $(g_{1},g_{2})$ ${\ displaystyle (g_ {1}, g_ {2})}$ is a linear polynomial, and therefore the adversary can effectively compute messages $M_{1},M_{2}$ ${\ displaystyle M_ {1}, M_ {2}}$ .

Protection: when $e>3$ ${\ displaystyle e> 3}$ RSA hacking time is proportional $e^{2}$ ${\ displaystyle e ^ {2}}$ Therefore, this attack can be used only for small values of the open exponent.

Attack by partially known secret exponent

Initial conditions :

The adversary knows part of the binary representation of the secret exponent. $d$ ${\ displaystyle d}$ .

Task: recover $d$ ${\ displaystyle d}$ .

It turns out that:

Let be

(n,d)

{\ displaystyle (n, d)}

- the secret key of the RSA system, where

n=pq

{\ displaystyle n = pq}

has a size

\eta

{\ displaystyle \ eta}

bits.

Then knowing

\eta /4

{\ displaystyle \ eta / 4}

low bits of the number

d

{\ displaystyle d}

, the enemy can recover

d

{\ displaystyle d}

in time proportional

e\log _{2}e

{\ displaystyle e \ log _ {2} e}

The possibility of breaking the RSA system in the case when an open exhibitor $e$ ${\ displaystyle e}$ small, is also evident from the following reasoning:

from the definition

e

{\ displaystyle e}

and

d

{\ displaystyle d}

:

ed-k\varphi (n)=ed-k(n-p-q+1)=1

{\ displaystyle ed-k \ varphi (n) = ed-k (np-q + 1) = 1}

Insofar as

d<\varphi (n)

{\ displaystyle d <\ varphi (n)}

then obvious

0<k\leqslant e

{\ displaystyle 0 <k \ leqslant e}

.

With a given

k

{\ displaystyle k}

the enemy can easily calculate

{\hat {d}}={\mathcal {b}}(kn+1)/e{\mathcal {c}}

{\ displaystyle {\ hat {d}} = {\ mathcal {b}} (kn + 1) / e {\ mathcal {c}}}

Then at

{\displaystyle q<semantics><mrow class=

{\ displaystyle q <p <2q}

|{\hat {d}}-d|\leqslant k(p+q)/e\leqslant 3k{\sqrt {n}}/e<3{\sqrt {n}}

{\ displaystyle | {\ hat {d}} - d | \ leqslant k (p + q) / e \ leqslant 3k {\ sqrt {n}} / e <3 {\ sqrt {n}}}

In this way,

{\hat {d}}

{\ displaystyle {\ hat {d}}}

is a good approximation when

d

{\ displaystyle d}

.

Since only possible

e

{\ displaystyle e}

different meanings

k

{\ displaystyle k}

an adversary can build a row containing

e

{\ displaystyle e}

members for which the binary representation of one of its elements coincides with the upper half of the binary representation of the secret exponent

d

{\ displaystyle d}

.

Protection: increase in open exhibitors $e$ ${\ displaystyle e}$ .

Quantum Computer Attack

Using a quantum computer , if it is built, it will be possible to crack RSA, since Shore’s quantum algorithm allows factorizing large numbers in a fairly short time. By decomposing the module n into prime factors (this can be done in time ${\textstyle {O(\log ^{2}n\log ^{3}(\log n))}}$ ${\ displaystyle {\ textstyle {O (\ log ^ {2} n \ log ^ {3} (\ log n))}}}$ using O (log n ) logical Q-bits ), it will be possible to calculate the secret exponent d.

Attacks related to the implementation of the RSA system

Runtime Attack

Initial conditions:

Consider a smart card whose microprocessor signs messages using the built-in RSA secret key.

Task: the enemy wants to get a secret exhibitor $d$ ${\ displaystyle d}$ .

Paul Kocher, suggested an attack based on high-precision measurements of the execution time of the smart card by the encoder . Consider this attack on the example of the RSA system, using the algorithm of rapid exponentiation :

Opponent receives smart card signatures for a large number of random messages. $M_{1},M_{2},...,M_{k}\in \mathbb {Z} _{n}$ ${\ displaystyle M_ {1}, M_ {2}, ..., M_ {k} \ in \ mathbb {Z} _ {n}}$ and measures the generation time of their signatures. $T_{i}$ ${\ displaystyle T_ {i}}$ .

During the attack the value of the secret exponent $d$ ${\ displaystyle d}$ recovered bitwise, starting with the least significant bit:

$d$ ${\ displaystyle d}$ odd, therefore $d_{0}=1$ ${\ displaystyle d_ {0} = 1}$ .
if a $d_{1}=1$ ${\ displaystyle d_ {1} = 1}$ then the smart card microprocessor needs to perform three multiplications modulo $n$ ${\ displaystyle n}$ as opposed to the two needed when $d_{1}=0$ ${\ displaystyle d_ {1} = 0}$ (see algorithm of rapid exponentiation ). We denote $t_{i}$ ${\ displaystyle t_ {i}}$ - CPU time for reporting $M_{i}$ ${\ displaystyle M_ {i}}$ .

Kocher testified that when

d_{1}=1

{\ displaystyle d_ {1} = 1}

two ensembles

{\mathcal {f}}t_{i}{\mathcal {g}}

{\ displaystyle {\ mathcal {f}} t_ {i} {\ mathcal {g}}}

and

{\mathcal {f}}T_{i}{\mathcal {g}}

{\ displaystyle {\ mathcal {f}} T_ {i} {\ mathcal {g}}}

correlate. however in the case

d_{1}=0

{\ displaystyle d_ {1} = 0}

they are independent. Thus, by resorting to correlation analysis , the adversary can determine

d_{1}

{\ displaystyle d_ {1}}

.

similarly, you can define $d_{2},d_{3}...$ ${\ displaystyle d_ {2}, d_ {3} ...}$ .

Note that in the case of a small open exponent $e$ ${\ displaystyle e}$ an attack on a partially open secret exponent can be applied. In this case, it is sufficient to recover half of the bits of the secret exponent $d$ ${\ displaystyle d}$ .

Protection: it is necessary to add the appropriate delay so that each step of the fast exponentiation algorithm takes a fixed period of time.

Attack on a failed RSA hardware implementation

Initial conditions:

Consider a smart card whose microprocessor signs messages using the built-in RSA secret key. The card microprocessor uses the Chinese theorem on residuals in order to speed up the signature procedure. The adversary is trying to cause a failure in the microprocessor calculations.

Task: the opponent wants to calculate the module $n$ ${\ displaystyle n}$ .

The use of the Chinese remainder theorem increases the speed of creating a digital signature.

Indeed, calculating

\sigma _{p}=M^{d_{p}}\mod p

{\ displaystyle \ sigma _ {p} = M ^ {d_ {p}} \ mod p}

where

d_{p}=d\mod (p-1)~~~~(a)

{\ displaystyle d_ {p} = d \ mod (p-1) ~~~~ (a)}

\sigma _{q}=M^{d_{q}}\mod q

{\ displaystyle \ sigma _ {q} = M ^ {d_ {q}} \ mod q}

where

d_{q}=d\mod (q-1)~~~~(b)

{\ displaystyle d_ {q} = d \ mod (q-1) ~~~~ (b)}

can get a signature

\sigma =T_{1}\sigma _{p}+T_{2}\sigma _{q}({\bmod {n}})

{\ displaystyle \ sigma = T_ {1} \ sigma _ {p} + T_ {2} \ sigma _ {q} ({\ bmod {n}})}

where

T_{1}={\mathcal {f}}1\mod p,0\mod q{\mathcal {g}}

{\ displaystyle T_ {1} = {\ mathcal {f}} 1 \ mod p, 0 \ mod q {\ mathcal {g}}}

T_{2}={\mathcal {f}}0\mod p,1\mod q{\mathcal {g}}

{\ displaystyle T_ {2} = {\ mathcal {f}} 0 \ mod p, 1 \ mod q {\ mathcal {g}}}

Obviously computing

(a),(b)

{\ displaystyle (a), (b)}

much faster exponentiation modulo

n

{\ displaystyle n}

.

Let the actions of the enemy caused a failure, which caused the defect of one bit of the signature. Then at least one of $\sigma _{p}$ ${\ displaystyle \ sigma _ {p}}$ or $\sigma _{q}$ ${\ displaystyle \ sigma _ {q}}$ calculated incorrectly. We put the defect contained in ${\hat {\sigma _{q}}}$ ${\ displaystyle {\ hat {\ sigma _ {q}}}}$ .

In this case

{\hat {\sigma ^{e}}}\neq M\mod n

{\ displaystyle {\ hat {\ sigma ^ {e}}} \ neq M \ mod n}

{\hat {\sigma ^{e}}}\neq M\mod q

{\ displaystyle {\ hat {\ sigma ^ {e}}} \ neq M \ mod q}

but

{\hat {\sigma ^{e}}}=M\mod p

{\ displaystyle {\ hat {\ sigma ^ {e}}} = M \ mod p}

Thus, the enemy can find decomposition $n$ ${\ displaystyle n}$ as search result $(n,{\hat {\sigma _{e}}}-m)$ ${\ displaystyle (n, {\ hat {\ sigma _ {e}}} - m)}$ .

Protection:

when signing, add a random number to the message (for example, time).
check the signature before sending it.

Notes

↑ Yan S. Y. RSA Cryptanalysis. - M.-Izhevsk: SRC "Regular and chaotic dynamics", Izhevsk Institute of Computer Research, 2011. - 312 p.
↑ Announcement of factoring RSA-768 (English)
↑ Factoring RSA-768 (English)

[1] Yan S. Y. RSA Cryptanalysis. - M.-Izhevsk: SRC "Regular and chaotic dynamics", Izhevsk Institute of Computer Research, 2011. - 312 p.

[2] Announcement of factoring RSA-768 (English)

[3] Factoring RSA-768 (English)

Cryptanalysis RSA

Content

Introduction

Elementary attacks

Generating prime numbers

Diagram with a common module n

Attack on RSA signature in notary scheme

Small secret exponent values

Small values ​​of the open exponent

Attack of Hastada

Franklin-Reiter Attack

Attack by partially known secret exponent

Quantum Computer Attack

Attacks related to the implementation of the RSA system

Runtime Attack

Attack on a failed RSA hardware implementation

Notes

More articles:

Small values of the open exponent