## Math 5410 Protocol Failures

In cryptosystems where the message is first converted to numbers which are then acted on, there are several pitfalls which need to be avoided. These are collectively known as protocol failures since they are not weaknesses of the cryptosystem, but rather of the way the system is implemented.

### Dictionary Attacks

A dictionary attack on a cryptosystem occurs when it is possible to take all the components that are used to make up a plaintext and encrypt them separately (as in taking all the words in a dictionary and finding their encrypted equivalents). To decrypt a message given such a list, one only has to do a table look up to find the corresponding plaintext.

Thus, for example, if in a public key system based on factoring (such as RSA) or the discrete log problem, the plaintext message is blocked into blocks of size one (i.e., individual letters) which are then run through the encryption algorithm, the cryptanalyst has an easy method for decrypting without finding the key.

Example: The plaintext was encoded by replacing each letter with its corresponding value mod 26, i.e., A = 0, B = 1, C = 2 , etc. The RSA system was used to encipher this message using the public values n = 18721 and encryption exponent 25, and the following ciphertext was produced: 365, 0, 4845, 14930, 2608, 2608, 0

The cryptanalyst, knowing this encoding scheme, just calculates x25 mod (18721) for each x in the range 0 to 25 to get the following table of values:
 A B C D E F G H I J K L M 0 1 6400 18718 17173 1759 18242 12359 14930 9 6279 2608 4644 N O P Q R S T U V W X Y Z 4845 1375 13444 16 13663 1437 2940 10334 365 10789 8945 11373 5116

The plaintext message can then be read off from the table : VANILLA.

To avoid this pitfall, the blocks of the message must be long enough so that it is impractical to store all possible blocks and their encrypted equivalents.

### RSA Common Modulus Failure

Suppose that, in the RSA system, two participants have the same public modulus (but different encryption exponents). If these encryption exponents are b and c, and gcd(b,c) = 1, then the following can happen. Suppose that Alice sends the same message x to these two participants, that is Alice sends y1 = xb mod n to the first and y2 = xc mod n to the other. If y1 and y2 are intercepted by Oscar, then he can calculate:
d = b-1 mod c,
e = (db - 1)/c,
and then calculate,
y1d (y2e)-1 mod n = (xbd)(xce)-1 mod n = xbd - ce mod n = x mod n. Thus obtaining the message without factoring the modulus.

To avoid this problem, each user in the system should have a different modulus. A similar protocol failure occurs if three participants have the same encryption exponents (with different moduli), and so this should be avoided as well.