# Lecture: Attacks on RSA

### Background Material

### Reading

- Section 6.2 of the text.
- Rivest, R. L., Shamir, A., and Adleman, L., A Method for Obtaining
Digital Signatures and Public Key Cryptosystems, JACM, Vol. 21, No.
2, 1978, pp. 120-126.
(available electronically through the Drexel library - ACM digital library)

### Topics

- Review RSA Public Key Cryptosystem
- Generating keys
- Prime number theorem and generating primes
- Avoid p-1 smooth

- Knowing phi(n) is equivalent to factor n.
- Knowing secret key is equivalent to factor n.
- Knowing part of p is enough to factor n.
- If the secret key is small it can be found via continued fractions
- Short plaintext messages can be found
- Optimal Asymmetric Encryption Padding (OAEP)

### Slides and Worksheets

- dfactor.mw - Maple worksheet showing how
to factor n=pq given the secret key (d,n).
- smallexponent.mw - Maple worksheet
showing how to determine the secret key d given that it is small,
i.e. less than 1/3n^(1/4).

### Resources

- D. Boneh, "Twenty years of attacks on the RSA cryptosystem",
Amer. Math. Soc. Notices, vol. 46, 1999.
- D. Coppersmith, "Small solutions to polynomial equations",
J. Cryptology, vo. 10, 1997.
- D. Boneh, A. Joux, and P. Nguyen, "Why textbook ElGamal and RSA
encryption are insecure", Advances in Cryptology - ASIACRYPT, '00,
LNCS, Springer-Verlag, 2000.

### Practice Assignment

Go through the Maple worksheets.
Created: Feb. 8, 2016 (modified ) by
jjohnson AT cs DOT drexel DOT edu