A huge part of the digital world relies on RSA encryption for privacy and security. A recent mathematical paper that “destroys the RSA cryptosystem” gave cryptographers palpitations. Are they right to worry?
What Is RSA Encryption?
The Rivest-Shamir-Adleman (RSA) cryptosystem solved the problem of how to encrypt data so that it could only be decrypted by the intended recipient. In 1977, the co-creators—Ron Rivest,Adi Shamir, andLeonard Adleman—proposedan elegant solutionbased on a new way to use encryption keys. Simply put, encryption keys are very large values used in the mathematical processes that are applied to the data to encrypt it. The breakthrough that RSA brought to the world of cryptography was the use ofprivateandpublickeys.
We should also mentionClifford Cocks, the chief mathematician at the U.K.’sGovernment Communication Headquarters(GCHQ) who applied public and private key encryption/decryption to cryptography in 1973. The information was classified and remained secret. It was only declassified in 1997. Great minds obviously do think alike.
The public key/private key sequence is to obtain the intended recipient’s public key and use it in the encryption process along with your private key. The recipient can then decrypt the data using their private key and your public key. Public keys can be safely made public, and private keys are kept securely private. And because the recipient doesn’t need to be a human, any system, service, or device that makes its public key known in a certified, authenticated fashion can use RSA encryption. This allows system-to-system communications to be encrypted.
Apublic key certificateis used to certify the identity of the owner of the public key. Two common examples of public key certificates areSecure Socket LayerandTransport Layer Certificates(SSL/TLS). Public keys can be transmitted between people who want to communicate, or they can be retrieved from key servers such as theOpenPGP key server.
Secure Shell(SSH),OpenPGP,S/MIME, and SSL/TSL all use RSA encryption, and all browsers use it. Some cryptocurrencies use it. Practically the whole of the e-commerce world depends on RSA in one way or another. Anything that threatens the integrity of the RSA cryptosystem needs to be looked at carefully.
Threats to RSA Cryptography
A central element of the encryption algorithms isirreversibility. The mathematical transforms that are performed on the data must be irreversible for all practical purposes.
The RSA scheme uses very large numbers that are the product of multiplying two large prime numbers together. Taking two prime numbers and multiplying them together is trivial andcomputationally cheap. It doesn’t take much processing power or time to perform that action. But being handed the resulting product and with no prior knowledge trying to work out—via factoring—which two prime numbers were used iscomputationally expensive.
Factoring gets much harder very quickly as the numbers become larger. It would take such a prohibitive time—some estimates run totrillions of years—to crack this type of encryption.This provides a safe pseudo-irreversibility. It’s not really irreversible, but it would take so long to do it, that it might as well be genuinely irreversible.
The advent ofquantum computingbrings a threat to this type of encryption. Quantum computers show promise to be able to do the integer factorization required to determine the two prime numbers in an extremely short time. It is predicted that a quantum computer running a derivative ofShor’s Algorithmwould be able to find the prime numbers within acceptably short periods of time—perhaps even within hours.
It’s expectedto take 25 yearsor more before a quantum computer capable of doing that exists. That might be fine for some information that is encrypted now—the usefulness of the information might have expired by then. But some of what is being encrypted now will still need to be protected and private in 25 (or even more) years from now. For example, some government and security communications will still be sensitive even then.
Errors in the implementation of the RSA have caused issues in the past. The theoretical RSA has to be rendered into a working software implementation before it can be useful—and complex software will often contain bugs. There have been tweaks and replacements to the algorithms used in the RSA cryptosystem as flaws have been found in the implementations. Old versions have been deprecated and superseded by new versions.
There have been claims that back doors have been introduced into the RSA algorithms because of coercion by, or cooperation with, national security agencies. These accusations have never been proven, but flaws that effectively provided back doorshave been foundand subsequently addressed.
What Is the New Threat?
ProfessorClaus Peter Schnorris a retired mathematician and cryptographer. He was a professor at the Department of Mathematics and Computer Science atJohann Wolfgang Goethe Universityin Frankfurt am Main.
A preprint of a paper by Schnorr (preprintmeans that it is in late development but not yet peer-reviewed) proposes anew method of factoring prime integerson today’s computing platforms at a greatly accelerated rate. The paper is titled “Fast Factoring Integers by SVP Algorithms.” SVP stands forshortest vector problem. The abstract ends with the provocative sentence “This destroys the RSA cryptosystem.”
By condensing a very complicated piece of work into a simple statement, what this propounds is an improvement by an order of magnitude in the speed of factoring. The speed gain would be achieved by using a refinement of some of Schnorr’s earlier work. Obviously, a revolutionary reduction in factoring integers would have a significant impact on the RSA cryptosystem. That is, if the theoretical paper is factually correct and if a practical implementation can bear out the hypothesis.
The paper promotes a factoring method using mathematical structures calledlattices. Professor Schnorr is a widely recognized expert in this field and its application to cryptography. The paper claims that the new technique is dramatically faster than theGeneral Number Field Sieve(GNFS) algorithm, which is considered to be the fastest current technique for factoring large numbers.
An Analysis of the Threat
Schorr’s paper is theoretical in nature. There are no timings or results from implementations. The theoretical speed gains over the GNFS sound impressive on paper, but do the theory and mathematics withstand scrutiny by those who actually understand this at the level required to meaningfully comment on it?
Dr.Lo Ducasis a researcher in thecryptography groupat theCentrum Wiskunde & Informatica(CWI). The CWI is the national research institute for mathematics and computer science in the Netherlands. Ducas completed his Ph.D.in 2013 on “Lattice Based Signatures: Attacks, Analysis and Optimization.” He has worked with lattices throughout his career. He’s also a cryptographer, so he is eminently capable of reviewing Schnorr’s paper.
Even better for our purposes, Dr.Lo Ducas is a programmer. If you fancy a turn at Cryptris, hisasymmetric cryptography game, go right ahead. His academic source code is scattered acrossGitHub. Some of it sits inhis own repository,while much more resides in the repositories of other multi-author projects that he’s worked on.
He’s performed a review and analysis of Schnorr’s paper. He has also created an implementation of Schnorr’s algorithms as aSageMathscript.He’s named itSchnorrGate. Ducas also points to a discussion on thecryptography StackExchange. This examines a mistake in one of the formulas in the paper which, if used as printed, produces highly inaccurate results. With this formula corrected, Schnorr’s factoring method does work, but at a much slower rate than he predicts.
Ducas’ findings from his SageMath tests corroborate this. They illustrate that Schnorr’s factoring algorithms do work, but much more slowly than the best methods already available today.
We Can All Breathe Again
The RSA lives to encrypt another day. But what would have happened if the claims in the paper had turned out to be true? Well, chaos, initially, and then, the adoption of a new cryptosystem.
Perhaps the era ofElliptic-Curve Cryptography (ECC) would have arrived.