## Math 5410 Protocol Failures

In cryptosystems where the message is first converted to numbers which are then acted on, there are
several pitfalls which need to be avoided. These are collectively
known as *protocol failures* since they are not weaknesses of the
cryptosystem, but rather of the way the system is implemented.

### Dictionary Attacks

A dictionary attack on a cryptosystem occurs when it is possible to take all the components that are used to make up a plaintext and encrypt them separately (as in taking all the words in a dictionary and finding their encrypted equivalents). To decrypt a message given such a list, one only has to do a table lookup to find the corresponding plaintext.
Thus, for example, if in a public key system based on factoring (such as RSA) or the discrete log problem the plaintext message is blocked into blocks of size one (i.e., individual letters) which are then run through the encryption algorithm, the cryptanalyst has an easy method for decrypting without finding the key.

**Example**: The plaintext was encoded by replacing each letter with its corresponding value mod 26, i.e., A = 0, B = 1, C = 2, etc. The RSA system was used to encipher this message using the public values n = 18721 and encryption exponent 25, and the following ciphertext was produced: 365, 0, 4845, 14930, 2608, 2608, 0.

The cryptanalyst, knowing this encoding scheme, just calculates x^{25} mod 18721 for each x in the range 0 to 25 to get the following table of values:

| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 1 | 6400 | 18718 | 17173 | 1759 | 18242 | 12359 | 14930 | 9 | 6279 | 2608 | 4644 |

| N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4845 | 1375 | 13444 | 16 | 13663 | 1437 | 2940 | 10334 | 365 | 10789 | 8945 | 11373 | 5116 |

The plaintext message can then be read off from the table: VANILLA.

To avoid this pitfall, the blocks of the message must be long enough so that it is impractical to store all possible blocks and their encrypted equivalents.
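The table-lookup attack above, written out as an added example (this is not code from the original notes). It uses the notes' public values n = 18721 and exponent 25, rebuilds the letter table with `pow`, inverts it to read off the ciphertext, and adds a `dictionary_size` helper (my own addition) that shows how quickly the table grows with the block length, which is the quantity the mitigation in the last paragraph relies on.

```python
# Added example (not part of the original Math 5410 notes): the single-letter
# dictionary attack on the page's RSA parameters, plus the table-size estimate
# that explains why longer blocks defeat it.
import string

N = 18721          # public modulus from the notes
E = 25             # public encryption exponent from the notes


def encryption_table(n: int = N, e: int = E) -> dict:
    """Map each letter A..Z (encoded as 0..25) to its RSA ciphertext x^e mod n."""
    return {letter: pow(i, e, n) for i, letter in enumerate(string.ascii_uppercase)}


def dictionary_decrypt(ciphertext: list, n: int = N, e: int = E) -> str:
    """Recover a message enciphered letter by letter by inverting the table.

    No private key is needed: the encryption is deterministic and the block
    space has only 26 elements, so every ciphertext block is already in the
    precomputed table.  RSA encryption is a permutation of Z_n, so the
    inverted table has no collisions.
    """
    lookup = {c: letter for letter, c in encryption_table(n, e).items()}
    return "".join(lookup[c] for c in ciphertext)


def dictionary_size(alphabet_size: int, block_length: int) -> int:
    """Number of entries an attacker must precompute for blocks of
    block_length symbols over an alphabet of alphabet_size symbols.
    This is what the block length must make impractical."""
    return alphabet_size ** block_length


if __name__ == "__main__":
    ct = [365, 0, 4845, 14930, 2608, 2608, 0]      # ciphertext from the notes
    print(dictionary_decrypt(ct))                  # VANILLA
    print(dictionary_size(26, 1), dictionary_size(26, 8))
```

`dictionary_size(26, 1)` is 26, which is why the attack is trivial here; the same function shows that a block of even a handful of letters already pushes the table into the billions, and a block the size of n itself makes it no smaller than the key space.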

### RSA Common Modulus Failure

Suppose that, in the RSA system, two participants have the same public modulus n but different encryption exponents b and c with gcd(b, c) = 1. Then the following can happen. Suppose that Alice sends the same message x to these two participants, that is, Alice sends y_{1} = x^{b} mod n to the first and y_{2} = x^{c} mod n to the other. If y_{1} and y_{2} are intercepted by Oscar, then he can calculate

d = b^{-1} mod c,

e = (db - 1)/c,

and then calculate

y_{1}^{d} (y_{2}^{e})^{-1} mod n = (x^{bd})(x^{ce})^{-1} mod n = x^{bd - ce} mod n = x mod n,

since db - 1 = ce gives bd - ce = 1. Oscar thus obtains the message without factoring the modulus.

To avoid this problem, each user in the system should have a different modulus. A similar protocol failure occurs if three participants have the same encryption exponent (with different moduli), and so this should be avoided as well.
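Oscar's computation, carried through as an added example (not code from the original notes), together with the corresponding mitigation check. The modulus n = 18721 is the one from the notes; the exponents b = 25 and c = 7 and the plaintext block x = 12345 are values I chose so that gcd(b, c) = 1 and x < n. The `moduli_are_distinct` check is my own addition: it is the test a key-issuing component should run so that a shared modulus is rejected at generation time rather than discovered by an interceptor.

```python
# Added example (not part of the original notes): the common-modulus
# computation d = b^{-1} mod c, e = (db - 1)/c, x = y1^d (y2^e)^{-1} mod n,
# and a key-generation check that refuses to hand out a shared modulus.
from math import gcd


def common_modulus_recover(y1: int, y2: int, b: int, c: int, n: int) -> int:
    """Given y1 = x^b mod n and y2 = x^c mod n with gcd(b, c) = 1, return x.

    Follows the notes: since bd - ce = 1, y1^d * (y2^e)^{-1} = x^(bd - ce) = x.
    """
    if gcd(b, c) != 1:
        raise ValueError("exponents must be coprime")
    d = pow(b, -1, c)            # modular inverse of b mod c (Python 3.8+)
    e = (d * b - 1) // c         # exact division because d*b = 1 (mod c)
    assert b * d - c * e == 1    # the identity the whole computation rests on
    # (y2^e)^{-1} exists only when gcd(x, n) = 1, which holds for almost all x;
    # pow raises ValueError otherwise.
    y2_e_inv = pow(pow(y2, e, n), -1, n)
    return (pow(y1, d, n) * y2_e_inv) % n


def moduli_are_distinct(public_keys) -> bool:
    """Mitigation check: every (n, exponent) public key issued in a system must
    use its own modulus.  Returns False if any modulus is shared."""
    moduli = [n for n, _ in public_keys]
    return len(moduli) == len(set(moduli))


if __name__ == "__main__":
    n, b, c = 18721, 25, 7       # modulus from the notes; exponents chosen here
    x = 12345                    # constructed plaintext block, x < n
    y1, y2 = pow(x, b, n), pow(x, c, n)
    print(common_modulus_recover(y1, y2, b, c, n))   # 12345
    print(moduli_are_distinct([(n, b), (n, c)]))      # False: shared modulus
```

With b = 25 and c = 7 the values are d = 2 and e = 7, so bd - ce = 50 - 49 = 1, and the two intercepted ciphertexts alone give back x. Nothing in the computation touches the factorisation of n, which is exactly why the notes classify this as a protocol failure rather than a weakness of RSA itself.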