RSA-2048 Threat Model
Algorithm Type: Asymmetric Encryption/Digital Signature (TRANSITIONAL)
Security Level: 112-bit (classical only)
Quantum Impact: COMPLETELY BROKEN - Shor’s algorithm breaks RSA in polynomial time
Deprecation Date: 2030 (MANDATORY)
Last Updated: 2025-09-08
⚠️ CRITICAL SECURITY WARNING
RSA-2048 is provided ONLY for transitional use during migration to post-quantum cryptography. It offers ZERO protection against quantum computers and will be removed from this library by 2030.
Executive Summary
This document analyzes threats specific to RSA-2048, a transitional asymmetric algorithm providing 112-bit classical security. RSA is completely vulnerable to Shor’s algorithm on quantum computers, making it unsuitable for long-term security. All implementations MUST migrate to post-quantum alternatives.
Algorithm-Specific Threats
Quantum Attacks (CRITICAL)
Shor’s Algorithm
- Impact: Complete key recovery in polynomial time
- Quantum Resources Required: ~3000 logical qubits for RSA-2048
- Timeline: Practical attacks expected by 2030-2035
- Mitigation: NONE - Must migrate to PQC
Period Finding
- Complexity: O((log N)³) on a quantum computer
- Classical Complexity: O(exp(∛(log N)))
- Result: Private key recovery from public key
Classical Cryptanalytic Attacks
Integer Factorization
- Best Known Attack: General Number Field Sieve (GNFS)
- Complexity: O(exp(1.923 × ∛(ln n × (ln ln n)²)))
- Current Record: 829-bit RSA factored (2020)
- RSA-2048 Status: ~112 bits of security remaining
Small Private Exponent Attack (Wiener/Boneh-Durfee)
- Vulnerable If: d < N^0.292
- Mitigation: Ensure d > N^0.5 (enforced in implementation)
Common Modulus Attack
- Vulnerable If: Same n used with different (e,d) pairs
- Mitigation: Never reuse modulus
Partial Key Exposure
- Vulnerable If: Portions of d, p, or q are leaked
- Impact: Full key recovery possible with ~25% of bits
- Mitigation: Secure key storage, memory protection
Implementation Vulnerabilities
Padding Oracle Attacks
Bleichenbacher’s Attack (RSA-PKCS#1 v1.5)
- Impact: Plaintext recovery without private key
- Complexity: ~2^20 chosen ciphertexts
- Mitigation: MANDATORY use of OAEP padding
Manger’s Attack (RSA-OAEP)
- Impact: Plaintext recovery if error messages differ
- Mitigation: Constant-time error handling
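An added example, not this library's code, of the two mitigations above: EME-OAEP with SHA-256 and MGF1 as specified in RFC 8017, paired with a decoder that folds every consistency check into one flag and one uniform error in the spirit of the Manger mitigation. `k` is the modulus length in bytes (256 for RSA-2048), and the raw RSA operation is assumed to happen outside these functions.

```python
import hashlib
import hmac
import secrets

H_LEN = hashlib.sha256().digest_size   # 32 bytes: the SHA-256 the requirements mandate

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256 (RFC 8017, appendix B.2.1)."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP encoding (RFC 8017 section 7.1.1, step 2) for a k-byte modulus."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    padding = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = hashlib.sha256(label).digest() + padding + b"\x01" + message
    seed = secrets.token_bytes(H_LEN)
    masked_db = xor_bytes(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor_bytes(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP decoding (RFC 8017 section 7.1.2, step 3). Every consistency
    check is folded into one flag and reported by one identical error at the
    end, so the caller cannot tell which check failed (the Manger mitigation).
    Python itself is not constant-time; the uniform control flow is the point."""
    bad = len(em) != k
    em = em.ljust(k, b"\x00")[:k]          # fixed-length view so the flow below is uniform
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor_bytes(masked_seed, mgf1(masked_db, H_LEN))
    db = xor_bytes(masked_db, mgf1(seed, k - H_LEN - 1))
    bad |= em[0] != 0
    bad |= not hmac.compare_digest(db[:H_LEN], hashlib.sha256(label).digest())
    sep = None
    for i in range(H_LEN, len(db)):        # scan all of DB for the 0x01 separator; no early exit
        if sep is None and db[i] != 0:
            sep = i
    bad |= sep is None or db[sep] != 1
    if bad:
        raise ValueError("decryption error")   # the one and only failure message
    return db[sep + 1:]
```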
Timing Attacks
Montgomery Reduction Timing
- Vulnerable Operations: Modular exponentiation
- Information Leaked: Private key bits
- Mitigation: CRT with blinding
CRT Fault Attacks (Bellcore)
- Attack Method: Induce fault during CRT computation
- Impact: Factor recovery from single faulty signature
- Mitigation: Verify signature before release
Side-Channel Attacks
Power Analysis
- Simple Power Analysis (SPA): Key bit recovery from power traces
- Differential Power Analysis (DPA): Statistical analysis of power consumption
- Mitigation: Blinding, constant-time operations
Cache Timing
- Vulnerable Operations: Table lookups in exponentiation
- Information Leaked: Private exponent bits
- Mitigation: Scatter-gather implementations
Platform-Specific Risks
Hardware Vulnerabilities
- Rowhammer: Bit flips in adjacent memory
- Cold Boot: Key recovery from RAM
- EM Emanations: Key leakage via electromagnetic radiation
Software Implementation Issues
- BigInt Libraries: Timing variations in different languages
- Memory Management: Key material in swap/hibernation files
- Compiler Optimizations: May break constant-time guarantees
Security Analysis
Classical Security
| Attack Type | Complexity | Practical | Mitigation |
|---|---|---|---|
| Factorization (GNFS) | 2^112 | No (currently) | Monitor advances |
| Padding Oracle | 2^20 | Yes | OAEP mandatory |
| Timing Attack | 2^40-50 | Yes | CRT blinding |
| Fault Injection | Single fault | Yes | Output verification |
| Small Exponent | Polynomial | Yes | Large d enforced |
Quantum Security
| Attack Type | Quantum Complexity | Impact | Mitigation |
|---|---|---|---|
| Shor’s Algorithm | O((log n)³) | Complete break | MIGRATE TO PQC |
| Grover’s Algorithm | O(√n) | Speedup only | Not primary threat |
Known Vulnerabilities Timeline
| Year | Vulnerability | Impact | Status |
|---|---|---|---|
| 1996 | Timing Attacks (Kocher) | Key recovery | Mitigated via blinding |
| 1998 | Bleichenbacher | Plaintext recovery | Mitigated via OAEP |
| 1999 | CRT Fault (Bellcore) | Factorization | Partial mitigation |
| 2003 | Manger (OAEP) | Plaintext recovery | Constant-time handling |
| 2012 | CRIME/BREACH | Compression oracle | N/A for RSA |
| 2017 | ROBOT | Bleichenbacher variant | OAEP prevents |
| 2030 | Quantum Computers | Complete break | MANDATORY MIGRATION |
Attack Mitigation Strategies
Mandatory Requirements
- OAEP Padding: All encryption MUST use OAEP with SHA-256
- PSS Padding: All signatures MUST use PSS with SHA-256
- CRT Blinding: All private key operations MUST use blinding
- Secure Memory: Private keys MUST be cleared after use
- Migration Plan: MUST have a PQC migration plan by 2025
Implementation Checklist
- OAEP-SHA256 for encryption
- PSS-SHA256 for signatures
- CRT optimization with blinding
- Minimum prime difference 2^100
- Miller-Rabin ≥20 rounds
- Secure memory clearing
- Fault attack detection
- Full constant-time implementation
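An added example, not this library's own code, that turns the Small Private Exponent rule above (d > N^0.5) and this checklist's key-parameter items (minimum prime difference, at least 20 Miller-Rabin rounds) into one key-parameter check. The key at the bottom is a constructed toy built from Mersenne primes, and the violation strings are hypothetical names chosen here.

```python
import math
import random

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with the checklist's minimum of 20 rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # composite witness found
    return True

def check_rsa_private_key(n, e, d, p, q, min_gap_bits=100, mr_rounds=20):
    """Return the list of checklist violations; an empty list means the key passes."""
    problems = []
    if p * q != n:
        problems.append("n != p*q")
    if not (is_probable_prime(p, mr_rounds) and is_probable_prime(q, mr_rounds)):
        problems.append("p or q fails Miller-Rabin")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        problems.append("e*d != 1 mod lcm(p-1, q-1)")
    if d * d <= n:                          # d > N^0.5 <=> d^2 > N (Wiener/Boneh-Durfee guard)
        problems.append("d <= N^0.5 (small private exponent)")
    if abs(p - q) < (1 << min_gap_bits):    # "Minimum prime difference 2^100"
        problems.append("|p - q| < 2^%d" % min_gap_bits)
    return problems

# Constructed toy key: Mersenne primes 2^127-1 and 2^107-1, far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
D = pow(E, -1, LAM)
```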
Migration Requirements
Timeline
- 2024-2025: Deploy hybrid RSA/PQC systems
- 2025-2027: Gradual migration to PQC
- 2028-2029: RSA for legacy only
- 2030: Complete removal of RSA
Replacement Algorithms
| Use Case | Current (RSA-2048) | Replacement | Security Gain |
|---|---|---|---|
| Key Exchange | RSA-OAEP | ML-KEM-768 | Quantum-safe |
| Digital Signatures | RSA-PSS | ML-DSA-65 | Quantum-safe |
| Encryption | RSA-OAEP | ML-KEM + AES-256-GCM | Quantum-safe |
| Authentication | RSA-PSS | Falcon-512 | Quantum-safe + faster |
Threat Severity Matrix
| Threat Category | Current Risk | 2025 Risk | 2030 Risk | Mitigation |
|---|---|---|---|---|
| Quantum Attack | Low | Medium | CRITICAL | Migrate to PQC |
| Factorization | Low | Low-Medium | Medium | 2030 deadline |
| Padding Oracle | Medium | Medium | Medium | OAEP/PSS |
| Timing Attack | Medium | Medium | Medium | Blinding |
| Implementation | Medium | Medium | Medium | Best practices |
| Key Management | High | High | High | HSM/Secure storage |
Specific Attack Scenarios
Scenario 1: Quantum Computer Attack (2030+)
Attacker: Nation-state with quantum computer
Target: RSA-encrypted communications
Method: Shor's algorithm implementation
Impact: Complete plaintext recovery, signature forgery
Mitigation: IMPOSSIBLE - must use PQC
Scenario 2: Padding Oracle via TLS
Attacker: Network adversary
Target: TLS server using RSA
Method: Bleichenbacher variant attack
Impact: Session key recovery
Mitigation: Use OAEP, prefer ECDHE/PQC
Scenario 3: CRT Fault Injection
Attacker: Physical access to device
Target: RSA signing operation
Method: Voltage glitch during CRT
Impact: Private key factorization
Mitigation: Signature verification, fault detection
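An added illustration, not this library's implementation, of the CRT blinding and signature-verification mitigations named in the CRT Fault Attacks (Bellcore) section and in Scenario 3: an RSA-CRT signer that blinds its input and verifies its own output before releasing it. The key is a constructed toy built from Mersenne primes, and the `fault` parameter is a hypothetical test hook that only exists to simulate a glitch.

```python
import math
import secrets

# Constructed toy key (Mersenne primes 2^61-1 and 2^89-1): far too small for real
# use, but the CRT, blinding and verify-before-release logic is unchanged at 2048 bits.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT private exponents
QINV = pow(Q, -1, P)                    # q^-1 mod p for Garner's recombination

class FaultDetected(Exception):
    """The CRT result did not verify under the public key, so it was withheld."""

def crt_sign(m: int, fault: int = 0) -> int:
    """RSA-CRT signature of representative m with base blinding and output
    verification. `fault` is a test hook only: a non-zero mask is XORed into
    the mod-p half to simulate a Bellcore-style glitch during the computation."""
    if not 0 <= m < N:
        raise ValueError("message representative out of range")
    # Base blinding: the private exponent is applied to r^e * m rather than to
    # the caller-chosen m, so timing/power leakage is not correlated with m.
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    mb = (pow(r, E, N) * m) % N
    sp = pow(mb % P, DP, P) ^ fault     # simulated fault lands here (0 = none)
    sq = pow(mb % Q, DQ, Q)
    sb = sq + Q * (((sp - sq) * QINV) % P)   # Garner: combine the two halves
    s = (sb * pow(r, -1, N)) % N        # strip the blinding factor r
    # Verify-before-release: a faulty CRT half handed to the caller is what the
    # Bellcore attack needs, so check the result with the public key first.
    if pow(s, E, N) != m:
        raise FaultDetected("signature failed the public-key check and was withheld")
    return s

def verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m

def signature_released(m: int, fault: int = 0) -> bool:
    """True if crt_sign released a signature, False if the check withheld it."""
    try:
        crt_sign(m, fault)
        return True
    except FaultDetected:
        return False
```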
Security Recommendations
Immediate Actions
- Audit Usage: Identify all RSA-2048 deployments
- Risk Assessment: Evaluate data sensitivity and retention
- Hybrid Mode: Deploy RSA+PQC hybrid immediately
- Key Rotation: Reduce RSA key lifetime to <1 year
Long-term Strategy
- PQC Selection: Choose appropriate PQC algorithms
- Testing: Validate PQC implementations
- Migration Plan: Document transition timeline
- Training: Educate teams on PQC
- Compliance: Meet regulatory requirements
Compliance and Standards
| Standard | RSA-2048 Status | Deadline | Notes |
|---|---|---|---|
| NIST SP 800-131A | Acceptable | 2030 | Legacy use only |
| CNSA 2.0 | Deprecated | Now | Requires PQC |
| BSI TR-02102-1 | Transitional | 2026 | Not for new systems |
| ANSSI | Deprecated | Now | PQC recommended |
| ETSI | Transitional | 2030 | Quantum-safe required |
Conclusion
RSA-2048 faces an existential threat from quantum computing with no possible mitigation. The algorithm is provided solely for transitional use during migration to quantum-safe alternatives. All systems MUST complete migration to post-quantum cryptography before 2030 when RSA-2048 will be completely removed from this library.
THE ONLY DEFENSE AGAINST QUANTUM ATTACK IS MIGRATION TO PQC.
References
- Shor, P.W. (1994). “Algorithms for quantum computation: discrete logarithms and factoring”
- Kleinjung et al. (2010). “Factorization of a 768-bit RSA modulus”
- Bleichenbacher, D. (1998). “Chosen Ciphertext Attacks Against Protocols Based on RSA”
- Boneh, D. et al. (1997). “On the Importance of Checking Cryptographic Protocols for Faults”
- NIST SP 800-56B Rev. 2: “Recommendation for Pair-Wise Key-Establishment Using RSA”
- RSA to PQC Migration Guide