Number Theory and RSA attacks
A brief overview of attacks on RSA
Modular Arithmetic
• Modular arithmetic, or clock arithmetic, is a circular system that counts up
to a specific point called the modulus and then resets to zero again.
• Definition
• Let 𝑍𝑛 be the set of all non-negative integers smaller than 𝑛:
𝑍𝑛 = {0, 1, 2, … , 𝑛 − 1}
where 𝑛 is a positive integer.
• To find the value of an integer 𝑛 (mod 𝑚) we use the division equation
𝑛 = 𝑞𝑚 + 𝑟
where:
• 𝑞 is an integer (the quotient) and 𝑟 is the remainder, with 0 ≤ 𝑟 < 𝑚; the value of 𝑛 (mod 𝑚) is 𝑟
Modular Arithmetic
• Examples:
• 51 = 5 ∗ 10 + 1, so 51 mod 10 = 1
• −51 = −6 ∗ 10 + 9, so −51 mod 10 = 9
• Congruence modulo:
To explain it simply, look at the clock representation of all integers
mod 5: all integers in slice 𝑛 give the remainder 𝑛 mod 5.
We say that those integers are in the same equivalence class,
which is written as 𝐴 ≡ 𝐵 (mod 𝐶).
Congruence modulo and Equivalence
relations
• Looking at the previous chart, we notice that the difference
between any two integers in the same slice is a multiple of 5.
• We can write the congruence mod 𝑛 as any of the following:
• 𝐴 ≡ B (𝑚𝑜𝑑 𝑛)
• 𝐴 𝑚𝑜𝑑 𝑛 = 𝐵 𝑚𝑜𝑑 𝑛
• 𝑛 | (𝐴 − 𝐵)
• 𝐴 = 𝐵 + 𝑥 ∗ 𝑛 for some integer 𝑥
Congruence modulo and Equivalence
relations
• The figure has the following properties:
• Every pair in the same slice is related
• The same integer never appears in two slices
• Collecting all the slices gives all the integers
• This means that congruence modulo 𝑛 is an equivalence relation.
Congruence modulo and Equivalence
relations
• Why do we even care whether it’s an equivalence relation or not?
It’s simple: so we can apply the equivalence relation properties:
• 𝐴 ≡ 𝐴 (mod 𝑛) (reflexive)
• 𝐴 ≡ 𝐵 (mod 𝑛) → 𝐵 ≡ 𝐴 (mod 𝑛) (symmetric)
• 𝐴 ≡ 𝐵 (mod 𝑛) and 𝐵 ≡ 𝐷 (mod 𝑛) → 𝐴 ≡ 𝐷 (mod 𝑛) (transitive)
Operations on Modular Arithmetic
• Addition: (𝐴 + 𝐵) mod 𝑛 = ((𝐴 mod 𝑛) + (𝐵 mod 𝑛)) mod 𝑛
• Subtraction: (𝐴 − 𝐵) mod 𝑛 = ((𝐴 mod 𝑛) − (𝐵 mod 𝑛)) mod 𝑛
• Multiplication: (𝐴 ∗ 𝐵) mod 𝑛 = ((𝐴 mod 𝑛) ∗ (𝐵 mod 𝑛)) mod 𝑛
• Exponentiation: 𝐴^𝐵 mod 𝑛 = (𝐴 mod 𝑛)^𝐵 mod 𝑛
Modular Inverses
• In basic arithmetic we know that the inverse of a number 𝑋 is 1/𝑋, since 𝑋 ∗ (1/𝑋) = 1
• But in modular arithmetic we don’t have a division operation, so the
inverse is defined as:
• 𝐴^(−1) : 𝐴 ∗ 𝐴^(−1) ≡ 1 (mod 𝑛)
• which means (𝐴 ∗ 𝐴^(−1)) mod 𝑛 = 1
• This inverse exists only when 𝐴 is coprime to 𝑛
Modular Inverses
• Calculating the modular inverse:
the naive method is brute-forcing all the numbers from 0 to 𝑛 − 1
until we find a number 𝐵 that makes (𝐴 ∗ 𝐵) mod 𝑛 = 1
• This method is far too slow, and we need a faster method.
The Euclidean Algorithm
• The Euclidean Algorithm is a quick method to calculate the GCD of
two integers.
• Let’s use an example to describe it:
• GCD(270, 192):
• 270 = 1 * 192 + 78
• 192 = 2 * 78 + 36
• 78 = 2 * 36 + 6
• 36 = 6 * 6 + 0
• We got 0, so our GCD is the last non-zero remainder before it, which is 6.
Caesar cipher
• The Caesar cipher is the earliest substitution cipher; substitution ciphers
are mainly about mapping characters to other characters and using
this map to encode/decode
• In the Caesar cipher every letter was shifted by three to encode,
for example ABC -> DEF
• We can pick any key instead of three and do the same operation;
as we mentioned in modular arithmetic, after a full turn we always
wrap back around to the character A
Caesar cipher
• Let’s call the encryption function enc(m) and the decryption function dec(m)
• Enc(m) = for c in m: (c + k) mod 26
• Dec(m) = for c in m: (c − k) mod 26
• Where:
• k is our key
• c is each character in the string
• 26 is the number of characters in the English alphabet
• As you can see, it’s closely related to the clock figure we showed earlier in
modular arithmetic.
Public key cryptography
• After learning some basic mathematics, we can introduce one of the most
widely used applications for securing our communications: public key
cryptography.
• As we showed with the Caesar cipher, the same key was used for encryption
and decryption, which can be insecure: if the two sides of the
communication are far apart they are forced to share the key through
a channel, which may leak it and expose the communication.
• So, in public key crypto both sides of the conversation have two
keys, a public key and a private key; the public key can be shared and the
private key remains secret.
Diffie-hellman key exchange
• Diffie-Hellman key exchange is a method for securely agreeing on
encryption keys without exposing them on the public channel; it’s
named after Whitfield Diffie and Martin Hellman and was published in
1976.
• The method is simple; let’s explain it by example:
assume that Alice wants to send a message to Bob,
and Eve is watching the public channel
between them.
Diffie-hellman key exchange
• Now Alice wants to share her key without
letting Eve know it, so first both Alice and
Bob agree on a public generator 𝑔 and a
prime modulus 𝑝.
• Now each of them chooses a private
key 𝑑1, 𝑑2 and computes 𝑔^(𝑑𝑥) mod 𝑝.
• At this point we have two public keys, 𝑃1 for Alice and 𝑃2 for Bob,
which they send to each other (so far Eve sees them too). Now
Alice and Bob each compute a shared secret key that Eve cannot obtain:
Bob computes 𝑃1^(𝑑2) mod 𝑝 and Alice computes 𝑃2^(𝑑1) mod 𝑝.
Diffie-hellman key exchange
• Let’s expand those expressions to make it simple:
• Alice: 𝑔 = 3, 𝑝 = 17, 𝑑 = 15
• Bob: 𝑔 = 3, 𝑝 = 17, 𝑑 = 13
• Alice public key: 3^15 mod 17 ≡ 6, Bob public key: 3^13 mod 17 ≡ 12
• Now Alice and Bob exchange the public keys
• Alice shared key: 12^15 mod 17 ≡ 10, Bob shared key: 6^13 mod 17 ≡ 10, which
will always be the same since it’s the same calculation. Why?
That’s easy: what Alice computed was (3^13)^15 mod 17 and Bob computed (3^15)^13 mod 17.
• Now Eve only has 𝑔 = 3, 𝑝 = 17, 𝑎𝑝𝑘 = 6, 𝑏𝑝𝑘 = 12, and she cannot get
the shared key.
RSA
• The previous method needed Alice to generate a shared key with everyone
she communicates with, which can be too hard and cumbersome. For this
James Ellis, a British mathematician, introduced the idea of creating
only one public key and sending it to everyone, so that anyone who wants to
contact Alice just uses this key.
• After that, a British mathematician and cryptographer, Clifford Cocks,
introduced a mathematical way to apply this concept.
RSA
• Bob sends a message 𝑚 using Alice’s public key 𝑛 and a public
exponent 𝑒 as follows:
• 𝑚^𝑒 ≡ 𝑐 (mod 𝑛), where 𝑐 is the encrypted message
• Now Alice needs a private key 𝑑 to decrypt the message, such
that 𝑐^𝑑 ≡ 𝑚 (mod 𝑛)
• Now Eve only has 𝑛, 𝑒 and 𝑐; let’s see what Eve needs to do if she
wants to get 𝑑.
Euler’s totient
• Euler’s phi function φ(𝑚) is a simple function that counts the integers
below 𝑚 that are coprime to 𝑚.
• Looking at the coprimes of a prime number 𝑝,
they are all the numbers below it, since it’s
already prime, which means φ(𝑝) = 𝑝 − 1.
Euler’s Formula
• Euler’s Formula states that 𝑚^φ(𝑛) ≡ 1 (mod 𝑛) (for 𝑚 coprime to 𝑛)
• Raising to the power 𝑘 and then multiplying by 𝑚 gives us
𝑚^(𝑘 ∗ φ(𝑛) + 1) ≡ 𝑚 (mod 𝑛)
• Now back to the decryption formula: 𝑐^𝑑 ≡ 𝑚 (mod 𝑛) →
𝑚^(𝑒𝑑) ≡ 𝑚 (mod 𝑛)
• Now we can see that 𝑘 ∗ φ(𝑛) + 1 = 𝑒𝑑 → 𝑑 = (𝑘 ∗ φ(𝑛) + 1)/𝑒, with 𝑒
coprime to φ(𝑛) → 𝑑𝑒 ≡ 1 (mod φ(𝑛))
• In order to choose our 𝑑, 𝑒 we need to know two important theorems.
Chinese Remainder Theorem
• The Chinese Remainder Theorem states that if we have some numbers
𝑛1, 𝑛2, 𝑛3, … , 𝑛𝑥 that are all pairwise relatively prime, then
for any 𝑏1, 𝑏2, … , 𝑏𝑥 the congruences
𝐴 ≡ 𝑏1 (mod 𝑛1), 𝐴 ≡ 𝑏2 (mod 𝑛2), 𝐴 ≡ 𝑏3 (mod 𝑛3), … , 𝐴 ≡ 𝑏𝑥 (mod 𝑛𝑥)
have exactly one solution with 0 ≤ 𝐴 < 𝑛1 ∗ 𝑛2 ∗ … ∗ 𝑛𝑥.
Example
• 𝑥 ≡ 3 (mod 5), 𝑥 ≡ 1 (mod 7), 𝑥 ≡ 6 (mod 8)
• As we can see we have the same 𝑥 in three different congruences and
we need to solve for 𝑥. Using the Chinese remainder theorem we can
build a table of four columns: 𝑏𝑖, 𝑁𝑖, 𝑥𝑖 and their product.
• Where 𝑏𝑖 is our remainder, 𝑁𝑖 = 𝑁/𝑛𝑖 for 𝑁 = 𝑛1 𝑛2 𝑛3 = 280, and
𝑥𝑖 = inv(𝑁𝑖, 𝑛𝑖)
• Now our final 𝑥 is the sum of the last column mod 𝑁 → 𝑥 = (168 + 120 + 630) mod 280 = 78
𝑏𝑖   𝑁𝑖   𝑥𝑖   𝑏𝑖 ∗ 𝑁𝑖 ∗ 𝑥𝑖
3    56   1    168
1    40   3    120
6    35   3    630
Fermat’s Little Theorem
• Fermat’s Little Theorem states that if 𝑝 is a prime number and 𝑝
doesn’t divide 𝑎, then 𝑎^(𝑝−1) ≡ 1 (mod 𝑝).
Choosing 𝑑 and 𝑒
• There are some constraints on 𝑒, which are:
• 1 < 𝑒 < φ(𝑛)
• 𝑒 has to be coprime with 𝑛 and φ(𝑛)
• The private key 𝑑 has to satisfy 𝑑𝑒 ≡ 1 (mod φ(𝑛)), which
means 𝑑 = inv(𝑒, φ(𝑛)).
Wrap everything up
• Let’s give a simple example to show everything we mentioned
• 𝑛 = 3127, 𝑒 = 3
• Encryption:
• 𝑐 = 𝑚^𝑒 mod 𝑛 = 89^3 mod 3127 = 1394
• Decryption:
• 𝑛 = 3127 = 53 ∗ 59 → φ(𝑛) = φ(53) ∗ φ(59) = 52 ∗ 58 = 3016
• 𝑑 = inv(𝑒, φ(𝑛)) = inv(3, 3016) = 2011
• 𝑚 = 𝑐^𝑑 mod 𝑛 = 1394^2011 mod 3127 = 89
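The wrap-up numbers above run as code. This is an added example, not code from the slides; it also enforces the constraints from the "Choosing 𝑑 and 𝑒" slide and shows how knowing the factors 53 and 59 hands the private exponent to whoever has them, which is why the factorization attacks that follow matter. It assumes Python 3.8+, whose `pow(e, -1, m)` computes the modular inverse.

```python
# Added example (not from the slides): the "wrap everything up" numbers, the
# key constraints from the "Choosing d and e" slide, and the private-key
# recovery that factoring n enables. pow(e, -1, m) needs Python 3.8+.
from math import gcd


def rsa_keygen(p, q, e):
    """Build (n, e, d) from primes p, q; reject an e that violates the constraints."""
    n = p * q
    phi = (p - 1) * (q - 1)          # phi(n) = phi(p) * phi(q) for distinct primes
    if not (1 < e < phi):
        raise ValueError("need 1 < e < phi(n)")
    if gcd(e, phi) != 1 or gcd(e, n) != 1:
        raise ValueError("e must be coprime to phi(n) and n")
    d = pow(e, -1, phi)              # d * e = 1 (mod phi(n))
    return n, e, d


def encrypt(m, n, e):
    """c = m^e mod n; the message must already be an integer below n."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, n, d):
    """m = c^d mod n."""
    return pow(c, d, n)


def recover_d_from_factors(n, e, p, q):
    """What anyone holding n = p*q can do: recompute phi(n) and hence d."""
    if p * q != n:
        raise ValueError("p * q must equal n")
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d = rsa_keygen(53, 59, 3)              # (3127, 3, 2011)
    c = encrypt(89, n, e)                        # 1394
    print(f"n={n} e={e} d={d} c={c} m={decrypt(c, n, d)}")
    print("d from factors:", recover_d_from_factors(3127, 3, 53, 59))
```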
Attacks on RSA
• Now let’s introduce how an attacker can learn our secrets. Note
that we are not showing that RSA is breakable; we will show that
bad choices of numbers can lead to recovery of the private key.
• Factorizing 𝑛:
• 𝑛 must be chosen very carefully; there are many online services that
work on factorizing huge collections of numbers, like factordb. As shown in the
previous example, we could find 𝑑 just by getting the prime factorization of 𝑛.
• Let’s discuss some of the factorization methods for 𝑛.
Prime Factorization
• Fermat’s Factorization:
• Named after Pierre de Fermat, it represents an odd integer as a difference of two
squares, 𝑁 = 𝑎^2 − 𝑏^2
• Since we can already factor the difference of two squares: (𝑎 + 𝑏)(𝑎 − 𝑏)
• And we know that our 𝑛 = 𝑝𝑞 where 𝑝, 𝑞 are primes, we can write it as
((𝑝 + 𝑞)/2)^2 − ((𝑝 − 𝑞)/2)^2
• Assuming that 𝑛 is odd, so 𝑝, 𝑞 are also odd.
• Now the steps are simple: first we rewrite 𝑛 as 𝑎^2 − 𝑛 = 𝑏^2
• Then we need to find the smallest 𝑘 s.t. 𝑘^2 ≥ 𝑛 → 𝑘^2 − 𝑛 ≥ 0 → 𝑏^2 ≥ 0
• Then we look at the following numbers 𝑘^2 − 𝑛, (𝑘 + 1)^2 − 𝑛, (𝑘 + 2)^2 − 𝑛, …
until we get a perfect square.
• Note that this always terminates, since ((𝑛 + 1)/2)^2 − 𝑛 = ((𝑛 − 1)/2)^2
Fermat Factorization Example
• Here is a small example applying our steps; let 𝑛 = 119143
• First find 𝑘 → 346, since 346 is the smallest 𝑘 s.t. 𝑘^2 ≥ 𝑛
• Then we look for a perfect square in the sequence we mentioned:
346^2 − 𝑛 = 573 (not a perfect square)
347^2 − 𝑛 = 1266 (not a perfect square)
….
…
352^2 − 𝑛 = 4761 = 69^2 (perfect square!)
• Now we can write 𝑛 as 𝑛 = 119143 = 352^2 − 69^2 = (352 − 69)(352 +
Pollard’s p-1 Factorization
• Another factorization method, one that uses the Fermat’s little theorem
we introduced.
• The method is simple: from Fermat’s Little theorem we know
that 𝑎^(𝑝−1) ≡ 1 (mod 𝑝) where gcd(𝑎, 𝑝) = 1. Suppose that
𝑝 − 1 is a factor of another number 𝑀, i.e. 𝑀 = (𝑝 − 1) ∗ 𝑘, 𝑘 ∈ 𝑍.
• Then 𝑎^𝑀 ≡ (𝑎^(𝑝−1))^𝑘 ≡ 1 (mod 𝑝). Since in RSA our 𝑛 = 𝑝 ∗ 𝑞, then
𝑝 | (𝑎^𝑀 − 1) and 𝑝 | 𝑛.
• So gcd(𝑎^𝑀 − 1, 𝑛) will include the factor 𝑝 or will equal it.
Pollard’s p-1 Factorization
• So, let’s wrap up our steps:
• Choose an integer 𝑎 s.t. gcd(𝑎, 𝑛) = 1
• Calculate 𝑎^(𝐵!) for 𝐵 = 1, 2, 3, … to find a nontrivial factor. Note that we
replaced 𝑀 with 𝐵! since it increases so fast and gives us a good
chance to check whether 𝑛 is prime.
• Now we take gcd(𝑎^(𝐵!) − 1, 𝑛) if it’s nontrivial.
• Example: 𝑛 = 91, 𝑎 = 2
• 2^(1!) = 2 → gcd(2 − 1, 91) = 1
…
• 2^(3!) = 2^6 = 64 → gcd(64 − 1, 91) = 7
• So, 91 = 7 ∗ 13
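Both factorization methods above, Fermat’s (𝑛 = 119143) and Pollard’s 𝑝 − 1 (𝑛 = 91, 𝑎 = 2), as one added example that is not from the slides, wrapped in a check a defender could run on a candidate modulus to catch primes that are too close together or have a smooth 𝑝 − 1. The step and 𝐵 bounds are my own choices.

```python
# Added example (not from the slides): Fermat's method and Pollard's p-1 on
# the slides' own numbers, plus a key-quality check built on them.
# The bounds max_steps and max_b are assumptions, not values from the slides.
from math import gcd, isqrt


def fermat_factor(n, max_steps=100_000):
    """Try k = ceil(sqrt(n)), k+1, ... until k^2 - n is a perfect square.
    Returns (p, q) with p <= q, or None if nothing is found within max_steps.
    Fast only when p and q are close, because then (p + q)/2 is near sqrt(n)."""
    if n % 2 == 0:
        return 2, n // 2
    k = isqrt(n)
    if k * k < n:                  # smallest k with k^2 >= n
        k += 1
    for _ in range(max_steps):
        b2 = k * k - n
        b = isqrt(b2)
        if b * b == b2:            # perfect square: n = (k - b)(k + b)
            return k - b, k + b
        k += 1
    return None


def pollard_pm1(n, a=2, max_b=10_000):
    """Compute a^(B!) mod n for B = 1, 2, ... and test gcd(a^(B!) - 1, n).
    Succeeds once B! is a multiple of p - 1, i.e. when p - 1 is smooth."""
    g = gcd(a, n)
    if g != 1:
        return g                   # lucky: a already shares a factor with n
    x = a
    for b in range(1, max_b + 1):
        x = pow(x, b, n)           # x is now a^(b!) mod n
        g = gcd(x - 1, n)
        if 1 < g < n:
            return g
        if g == n:                 # every prime factor collapsed at once
            return None
    return None


def check_modulus(n):
    """Findings for a candidate RSA modulus; empty means neither method applied."""
    findings = []
    f = fermat_factor(n, max_steps=1000)
    if f and 1 < f[0] < n:
        findings.append(f"Fermat: primes too close, n = {f[0]} * {f[1]}")
    g = pollard_pm1(n, max_b=100)
    if g:
        findings.append(f"Pollard p-1: smooth p-1, factor {g} found")
    return findings


if __name__ == "__main__":
    print(fermat_factor(119143))   # (283, 421): 352 - 69 and 352 + 69
    print(pollard_pm1(91, a=2))    # 7: gcd(2^6 - 1, 91)
    print(check_modulus(119143))
```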
RSA Security
• We still have many other factorization methods, like the Quadratic Sieve and
ECM, but does that mean that RSA is not secure?
• The answer, until now, is no. RSA’s strength is that it rests on
ignorance rather than knowledge: we have no efficient
way of determining how hard it is to factor a huge number; we just know
it’s hard. A simple mitigation against the previous factorization
methods is adding more digits to our 𝑛, which makes it harder to
factorize.
• But there are attacks on RSA based on bad generation of
our key variables, or even on our encryption methodology.
Bad Key generation Attacks
• Some of the attacks that can be applied to RSA are:
• Common Modulus
• Blinding
• Small Private Exponent: Wiener
• Small Public Exponent: Coppersmith, Hastad
• Timing Attack
• We will try to explain some of them by example in order to make them
clearer.
Example1
• Question from PICOCTF 2018:
• N: (large modulus, omitted here)
• e: 3
• c: (large ciphertext, omitted here)
Example1
• As you can see, 𝑛 is a huge number, so factorizing it won’t be easy at all, but we notice that 𝑒 is very
small, so small that 𝑚^𝑒 < 𝑛, and therefore 𝑐 = 𝑚^𝑒 mod 𝑛 = 𝑚^𝑒
• So, to get 𝑚 we can just take the cube root of 𝑐, which a computer can do easily.
• So, 𝑚 = ∛𝑐 = 13016382529449106065839070830454998857466392684017754632233906857023684751222397
• Decoding this integer to a string using the ASCII table gives this message:
• picoCTF{e_w4y_t00_sm411_81b6559f}, which is our solution.
Example2
• PICO CTF 2018:
• We are given the following inputs:
• c: (large ciphertext, omitted here)
• n: (large modulus, omitted here)
• e: (large public exponent, omitted here)
• As you can see, everything is huge, and trying to factorize 𝑛 didn’t work; in this case we can consider another
attack called Wiener’s attack
Wiener’s Attack
• Michael J. Wiener stated a theorem based on continued
fractions which says that if 𝑑 < (1/3) 𝑛^(1/4), then we can recover 𝑑 without
factoring 𝑛.
• Explaining:
• We already mentioned that 𝑒𝑑 = 𝑘 ∗ φ(𝑛) + 1, and since φ(𝑛) =
(𝑝 − 1)(𝑞 − 1) = 𝑝𝑞 − (𝑝 + 𝑞) + 1, and 𝑝, 𝑞 are very large, we can take
the good approximation φ(𝑛) ≈ 𝑛.
• Now substituting this into our first equation: 𝑒𝑑 = 𝑘 ∗ 𝑛 + 1 → 𝑒𝑑 − 𝑘𝑛 = 1 →
𝑒/𝑛 − 𝑘/𝑑 = 1/(𝑑𝑛) → 𝑒/𝑛 ≈ 𝑘/𝑑
Wiener’s Attack
• So, let’s set out our steps:
• We need to find the convergents 𝑘/𝑑 that approximate 𝑒/𝑛 (using continued
fractions, which we will demonstrate), under some conditions:
• Since 𝑒𝑑 ≡ 1 (mod φ(𝑛)) and φ(𝑛) = (𝑝 − 1)(𝑞 − 1) is even (both factors are even for odd primes 𝑝, 𝑞), 𝑑
must be odd, so we skip a convergent whose 𝑑 is not odd.
• Since φ(𝑛) must be a whole number, (𝑒𝑑 − 1)/𝑘 must also be a whole number, and if it’s not
we move to the next convergent.
• Now let (𝑥 − 𝑝)(𝑥 − 𝑞) = 0 be a quadratic equation; then (𝑥 − 𝑝)(𝑥 −
Wiener’s Attack
• Short Example: 𝑛 = 64741, 𝑒 = 42667
• Solution:
• 𝑒/𝑛 = 42667/64741
• Now we use the Euclidean algorithm to find the convergents of the continued fraction:
• 42667 = 0 ∗ 64741 + 42667 → 0/1 ≈ 𝑘/𝑑 (ignore)
• 64741 = 1 ∗ 42667 + 22074 → 0 + 1/1 = 1/1 ≈ 𝑘/𝑑 (ignore)
• 42667 = 1 ∗ 22074 + 20593 → 0 + 1/(1 + 1/1) = 1/2 ≈ 𝑘/𝑑 (𝑑 is even, ignore)
• 22074 = 1 ∗ 20593 + 1481 → 0 + 1/(1 + 1/(1 + 1/1)) = 2/3 ≈ 𝑘/𝑑 (passed first check)
Wiener’s Attack
• Now, since φ(𝑛) = (𝑒𝑑 − 1)/𝑘 = (42667 ∗ 3 − 1)/2 = 64000
• We can set our quadratic equation as: 𝑥^2 − (64741 − 64000 +
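The continued-fraction steps above, as an added example (not the slides’ own script): it expands 𝑒/𝑛 with the Euclidean algorithm, walks the convergents applying the two checks from the previous slide, and solves the quadratic 𝑥^2 − (𝑛 − φ(𝑛) + 1)𝑥 + 𝑛 = 0 for 𝑝, 𝑞 on the short example 𝑛 = 64741, 𝑒 = 42667.

```python
# Added example (not from the slides): Wiener's attack on n = 64741, e = 42667,
# following the checks described on the slides (d odd, (e*d - 1)/k integral,
# quadratic for p and q with integer roots).
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients of num/den, produced by the Euclidean algorithm."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Yield (k, d) for each convergent k/d of the continued fraction."""
    k_prev, k_cur = 0, 1          # numerators  h(-2), h(-1)
    d_prev, d_cur = 1, 0          # denominators h(-2), h(-1)
    for q in quotients:
        k_prev, k_cur = k_cur, q * k_cur + k_prev
        d_prev, d_cur = d_cur, q * d_cur + d_prev
        yield k_cur, d_cur


def wiener(n, e):
    """Return (d, p, q) if some convergent of e/n yields a valid key, else None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or d % 2 == 0:          # k = 0 is useless; d must be odd
            continue
        if (e * d - 1) % k != 0:          # phi(n) must be a whole number
            continue
        phi = (e * d - 1) // k
        # (x - p)(x - q) = x^2 - (n - phi + 1) x + n, so p + q = n - phi + 1
        s = n - phi + 1
        disc = s * s - 4 * n
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue                      # roots not integers: wrong convergent
        p, q = (s - root) // 2, (s + root) // 2
        if p * q == n:
            return d, p, q
    return None


if __name__ == "__main__":
    print(continued_fraction(42667, 64741)[:4])   # [0, 1, 1, 1]
    print(wiener(64741, 42667))                   # (3, 101, 641)
```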
Example2
• Applying this to the example is hard to do manually, so with
a simple script run on a computer we get the following
message: picoCTF{w@tch_y0ur_Xp0n3nt$_c@r3fu11y_5495627}
Example3
• Qiwi CTF 2016:
• We are given the following data:
• e = 3
• n1, n2, n3 = (three large moduli, omitted here)
• c1, c2, c3 = (three large ciphertexts, omitted here)
Example3
• As you can see, our public exponent 𝑒 is small, but taking the cube
root of 𝑐 won’t give us the solution; this means that 𝑚^𝑒 > 𝑛
• There is an attack we can apply in this case, called Hastad’s
attack.
• Let’s discuss it in the next slide
Hastad’s Attack
• Simply, when the same message is sent to different receivers, an
attacker can retrieve the message using the Chinese remainder
theorem that we discussed before.
• 𝑚^𝑒 ≡ 𝑐1 (mod 𝑛1)
• 𝑚^𝑒 ≡ 𝑐2 (mod 𝑛2)
• ……
• 𝑚^𝑒 ≡ 𝑐𝑥 (mod 𝑛𝑥)
• The Chinese Remainder Theorem allows us to solve those
congruences, and since 𝑚 < min(𝑛1, 𝑛2, … , 𝑛𝑥), then 𝑚^𝑒 < 𝑛1 ∗
𝑛2 ∗ … ∗ 𝑛𝑥 (this needs at least 𝑒 ciphertexts), so we can solve them and get our 𝑚.
Hastad’s Attack
• Example: 𝑒 = 3, (𝑛1, 𝑛2, 𝑛3) = (629, 2173, 1159) and (𝑐1, 𝑐2, 𝑐3) =
(529, 414, 558)
• Solution: we need to write them as congruences:
• 𝑚^3 ≡ 529 (mod 629)
• 𝑚^3 ≡ 414 (mod 2173)
• 𝑚^3 ≡ 558 (mod 1159)
• Using the Chinese remainder algorithm:
• 𝑁 = 𝑛1 ∗ 𝑛2 ∗ 𝑛3 = 1584140903
• 𝑁1 = 𝑁/𝑛1 = 2518507, 𝑁2 = 𝑁/𝑛2 = 729011, 𝑁3 = 𝑁/𝑛3 = 1366817
• 𝑢1 = inverse(𝑁1, 𝑛1), 𝑢2 = inverse(𝑁2, 𝑛2), 𝑢3 = inverse(𝑁3, 𝑛3)
Hastad’s Attack
• Now 𝑚^𝑒 = [(𝑐1 ∗ 𝑢1 ∗ 𝑁1) + (𝑐2 ∗ 𝑢2 ∗ 𝑁2) + (𝑐3 ∗ 𝑢3 ∗ 𝑁3)] mod 𝑁
• 𝑚^3 = 15625 → 𝑚 = 25
• Applying the same steps to Example3 gives the message:
theoretical_computer_scientist_johan_torkel_hastad
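One added example (not from the slides) covering three passages that share the same machinery: the Chinese remainder table example (𝑥 = 78), the small-𝑒 cube root of Example1 (run here on a constructed message, since the challenge’s 𝑁 and 𝑐 are not reproduced above), and the Hastad example just above. The `iroot` binary search and the pairwise-coprime check are my additions; the modular inverse uses Python 3.8+ `pow(a, -1, m)`.

```python
# Added example (not from the slides): one CRT routine used for the slides' CRT
# table (x = 78), the small-e attack of Example1 on a constructed message, and
# the Hastad example (629, 2173, 1159). pow(a, -1, m) needs Python 3.8+.
from math import gcd


def crt(residues, moduli):
    """Solve x = b_i (mod n_i) for pairwise coprime n_i; return (x, N), 0 <= x < N."""
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for b, n in zip(residues, moduli):
        Ni = N // n                       # N_i = N / n_i
        xi = pow(Ni, -1, n)               # x_i = inv(N_i, n_i); needs gcd(N_i, n_i) = 1
        x += b * Ni * xi                  # the b_i * N_i * x_i column of the table
    return x % N, N


def iroot(x, e):
    """Exact integer e-th root of x, or None if x is not a perfect e-th power."""
    lo, hi = 0, 1 << ((x.bit_length() + e - 1) // e + 1)   # hi^e > x
    while lo < hi:                        # binary search, no floating point
        mid = (lo + hi) // 2
        if mid ** e < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == x else None


def small_e_attack(c, e):
    """Example1 case: m^e < n means the modulus never reduced, so c is a perfect power."""
    return iroot(c, e)


def hastad_attack(ciphertexts, moduli, e):
    """Recover m from >= e encryptions of the same m under coprime moduli."""
    if len(ciphertexts) < e:
        raise ValueError("need at least e ciphertexts")
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) != 1:            # a shared factor would break CRT (and that key)
                raise ValueError("moduli are not pairwise coprime")
    m_e, _ = crt(ciphertexts, moduli)     # this is m^e itself, since m^e < n1*n2*...
    return iroot(m_e, e)


if __name__ == "__main__":
    print(crt([3, 1, 6], [5, 7, 8]))                          # (78, 280)
    m = int.from_bytes(b"constructed sample msg", "big")     # constructed, not from a CTF
    print(small_e_attack(pow(m, 3), 3) == m)                  # True: no modulus applied
    print(hastad_attack([529, 414, 558], [629, 2173, 1159], 3))   # 25
```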
Example4 (CodeBlue CTF 2017)
• Given:
• 𝑛1 = (large modulus, omitted here)
• 𝑒1 = 813647
• 𝑛2 = (large modulus, omitted here)
• 𝑒2 = 846359
• 𝑐1 = (large ciphertext, omitted here)
• 𝑐2 = (large ciphertext, omitted here)
Example4
• As you can see, we cannot use any of the previous attacks since 𝑒 is not
small enough and we couldn’t factorize 𝑛1, 𝑛2, but we notice that
they are the same, and it’s also given that the message is the same.
• In this case we can use an attack called the Common Modulus Attack
Common Modulus Attack
• Let’s translate our input into math:
• 𝑐1 = 𝑚^(𝑒1) mod 𝑛
• 𝑐2 = 𝑚^(𝑒2) mod 𝑛
• gcd(𝑒1, 𝑒2) = 𝑑
• Now we know that the RSA system is homomorphic under multiplication, so
we can get a new ciphertext which is the product of the other ciphertexts
raised to powers 𝑎, 𝑏: 𝑐𝑚 = 𝑐1^𝑎 ∗ 𝑐2^𝑏 mod 𝑛 → 𝑚^(𝑎∗𝑒1) ∗ 𝑚^(𝑏∗𝑒2) mod 𝑛 → 𝑚^(𝑎∗𝑒1 + 𝑏∗𝑒2) mod 𝑛
• Now we can use Bézout’s identity, which states:
• For 𝑎, 𝑏 ∈ 𝑍+, if gcd(𝑎, 𝑏) = 𝑑 then ∃ 𝑥, 𝑦 ∈ 𝑍 : 𝑥 ∗ 𝑎 + 𝑦 ∗ 𝑏 = 𝑑
Common Modulus Attack
• Now, using the Extended Euclidean algorithm to find the multiplicative
inverse, we can recover our 𝑚; let’s see an example with small numbers.
• Let: 𝑛 = 143, 𝑒1 = 7, 𝑒2 = 17, 𝑐1 = 42, 𝑐2 = 9
• Solution:
• In the EEA (table below):
• So gcd(𝑒1, 𝑒2) = 1 and inv(𝑒1, 𝑒2) = 5
• And from this 𝑎 = 5, 𝑏 = −2
q   r1   r2   r   t1   t2   t
2   17    7   3    0    1   -2
2    7    3   1    1   -2    5
3    3    1   0   -2    5  -17
     1    0        5  -17
Common Modulus Attack
• To validate our result, we know from Bézout’s identity that 𝑎𝑒1 +
𝑏𝑒2 = gcd(𝑒1, 𝑒2) → 5 ∗ 7 + (−2) ∗ 17 = 1, which is true
• Now our new 𝑐𝑚 = 𝑐1^𝑎 ∗ 𝑐2^𝑏 mod 𝑛 = 42^5 ∗ (9^(−1))^2 mod 143
• Now we need the EEA again for 9^(−1); for short, a computer gives us 16
• So 𝑐𝑚 = 42^5 ∗ 16^2 mod 143 = 3
• And since 𝑚^(𝑎∗𝑒1 + 𝑏∗𝑒2) mod 𝑛 = 𝑚^gcd(𝑒1, 𝑒2) mod 𝑛 =
𝑚^1 mod 143 = 𝑐𝑚, our 𝑚 = 3
Example4
• Applying the same steps to the example gives the message:
CBCTF{6ac2afd2fc108894db8ab21d1e30d3f3}
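An added example (not the slides’ code) serving both the Euclidean algorithm and modular inverse slides earlier and the common modulus attack above: the step list for GCD(270, 192), the extended form behind the EEA table, inv(3, 3016) and inv(9, 143), and the recovery of 𝑚 = 3 from 𝑛 = 143, 𝑒1 = 7, 𝑒2 = 17, 𝑐1 = 42, 𝑐2 = 9.

```python
# Added example (not from the slides): Euclid's algorithm with the slides' step
# rows, the extended version (the t columns of the EEA table), the modular
# inverse, and the common-modulus recovery on n = 143, e1 = 7, e2 = 17.


def euclid_steps(a, b):
    """Rows 'a = q * b + r' until r == 0; the last row's b is gcd(a, b)."""
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, q, b, r))
        a, b = b, r
    return rows


def gcd(a, b):
    """Last non-zero remainder of the step sequence."""
    rows = euclid_steps(a, b)
    return rows[-1][2] if rows else a


def egcd(a, b):
    """Extended Euclid: (g, x, y) with x * a + y * b == g == gcd(a, b).
    x0/x1 and y0/y1 are the t1/t2 bookkeeping columns of the slides' table."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, n):
    """a^-1 mod n; raises when gcd(a, n) != 1 because then no inverse exists."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {g}")
    return x % n


def common_modulus(n, e1, e2, c1, c2):
    """Recover m from c1 = m^e1, c2 = m^e2 (mod n) when gcd(e1, e2) == 1.
    A negative Bezout coefficient is applied to the inverted ciphertext,
    as the slides do with 9^-1 = 16."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError(f"gcd(e1, e2) = {g}: only m^{g} is recoverable this way")
    if a < 0:
        c1, a = modinv(c1, n), -a
    if b < 0:
        c2, b = modinv(c2, n), -b
    return pow(c1, a, n) * pow(c2, b, n) % n      # m^(a*e1 + b*e2) = m^1


if __name__ == "__main__":
    for a, q, b, r in euclid_steps(270, 192):
        print(f"{a} = {q} * {b} + {r}")            # ends with 36 = 6 * 6 + 0
    print("gcd =", gcd(270, 192), "inv(3, 3016) =", modinv(3, 3016))
    print("Bezout(7, 17) =", egcd(7, 17))           # (1, 5, -2)
    print("m =", common_modulus(143, 7, 17, 42, 9))  # 3
```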
Last Words
• Number theory is very interesting and fun, and applying it to cryptography is
even more fun. There are still a lot of topics we could discuss and other
attacks like LLL and timing attacks, and there are many other interesting topics in
cryptography like fast powering, elliptic curves, lattices, successive powers,
quadratic residues and much more. I really want to stay with you and talk
more, but we can do that another time, so always keep learning, stay excited
and never give up on math; it may seem hard and the simplest things may
seem weird to you, but when you get it you will be so proud.
• In the next slide I will share some great resources that I use to practice and
learn.
Don’t learn to hack… hack to learn.
Resources
• Cryptohack, one of the best websites that teaches you through challenges
• Math 3107 by prof. Jeff Suzuki Boston University
• MIT 6.875 MIT Cryptography Spring 2018
• An Introduction to Mathematical Cryptography by J.H. Silverman, Jill
Pipher, Jeffrey Hoffstein
Simple Overview Caesar and RSA Encryption_by_Tarek_Gaber
 
Magical methods
Magical methodsMagical methods
Magical methods
 
Number and operations review1
Number and operations review1Number and operations review1
Number and operations review1
 
Mastering Greedy Algorithms: Optimizing Solutions for Efficiency"
Mastering Greedy Algorithms: Optimizing Solutions for Efficiency"Mastering Greedy Algorithms: Optimizing Solutions for Efficiency"
Mastering Greedy Algorithms: Optimizing Solutions for Efficiency"
 
P1-Chp13-Integration.pptx
P1-Chp13-Integration.pptxP1-Chp13-Integration.pptx
P1-Chp13-Integration.pptx
 
CRYPTO 2.pptx
CRYPTO 2.pptxCRYPTO 2.pptx
CRYPTO 2.pptx
 
Applied Algorithms and Structures week999
Applied Algorithms and Structures week999Applied Algorithms and Structures week999
Applied Algorithms and Structures week999
 
Algorithm in computer science
Algorithm in computer scienceAlgorithm in computer science
Algorithm in computer science
 
Division of polynomials
Division of polynomialsDivision of polynomials
Division of polynomials
 
Real numbers- class 10 mathematics
Real numbers- class 10 mathematicsReal numbers- class 10 mathematics
Real numbers- class 10 mathematics
 
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
 
PETERSON BERGE
PETERSON BERGEPETERSON BERGE
PETERSON BERGE
 

Recently uploaded

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Number theory and cryptography

1. Number Theory and RSA attacks
A brief overview of attacks on RSA

2. Modular Arithmetic
• Modular arithmetic (clock arithmetic) is a circular system: values increase until a specific point, the modulus, and then reset to zero again.
• Definition: let 𝑍𝑛 be the set of all non-negative integers smaller than 𝑛: 𝑍𝑛 = {0, 1, 2, …, 𝑛 − 1}, where 𝑛 is a positive integer.
• To find the value of an integer 𝑛 (mod 𝑚) we use the division equation 𝑛 = 𝑞𝑚 + 𝑟, where 𝑞 is an integer (the quotient) and 𝑟 is the remainder, 0 ≤ 𝑟 < 𝑚.

3. Modular Arithmetic
• Examples:
• 51 mod 10: 51 = 5 ∗ 10 + 1, so 51 mod 10 = 1
• −51 mod 10: −51 = −6 ∗ 10 + 9, so −51 mod 10 = 9
• Congruence modulo: to explain it simply, look at the representation of all integers mod 5 (the figure on this slide). All integers in slice 𝑛 give the remainder 𝑛 mod 5, so we say those integers are in the same equivalence class, written 𝐴 ≡ 𝐵 (mod 𝐶).

4. Congruence modulo and equivalence relations
• Looking at the previous chart, the difference between any two integers in the same slice is a multiple of 5.
• We can write congruence mod 𝑛 in any of the following equivalent ways:
• 𝐴 ≡ 𝐵 (mod 𝑛)
• 𝐴 mod 𝑛 = 𝐵 mod 𝑛
• 𝑛 | (𝐴 − 𝐵)
• 𝐴 = 𝐵 + 𝑥𝑛 for some integer 𝑥

5. Congruence modulo and equivalence relations
• The figure has the following properties:
• every pair of integers in the same slice is related;
• the same integer never appears in two slices;
• collecting all the slices gives all the integers.
• This means that congruence modulo 𝑛 is an equivalence relation.

6. Congruence modulo and equivalence relations
• Why do we care whether it is an equivalence relation? Because we can then apply the equivalence relation properties:
• 𝐴 ≡ 𝐴 (mod 𝑛) (reflexive)
• 𝐴 ≡ 𝐵 (mod 𝑛) → 𝐵 ≡ 𝐴 (mod 𝑛) (symmetric)
• 𝐴 ≡ 𝐵 (mod 𝑛) and 𝐵 ≡ 𝐷 (mod 𝑛) → 𝐴 ≡ 𝐷 (mod 𝑛) (transitive)

7. Operations on Modular Arithmetic
• Addition: (𝐴 + 𝐵) mod 𝑛 = ((𝐴 mod 𝑛) + (𝐵 mod 𝑛)) mod 𝑛
• Subtraction: (𝐴 − 𝐵) mod 𝑛 = ((𝐴 mod 𝑛) − (𝐵 mod 𝑛)) mod 𝑛
• Multiplication: (𝐴 ∗ 𝐵) mod 𝑛 = ((𝐴 mod 𝑛) ∗ (𝐵 mod 𝑛)) mod 𝑛
• Exponentiation: 𝐴^𝐵 mod 𝑛 = (𝐴 mod 𝑛)^𝐵 mod 𝑛
8. Modular Inverses
• In ordinary arithmetic the inverse of a number 𝑋 is 1/𝑋, since 𝑋 ∗ (1/𝑋) = 1.
• In modular arithmetic there is no division operation, so the inverse is defined as:
• 𝐴^−1 : 𝐴 ∗ 𝐴^−1 ≡ 1 (mod 𝑛)
• which means (𝐴 ∗ 𝐴^−1) mod 𝑛 = 1
• It exists only when 𝐴 is coprime to 𝑛.

9. Modular Inverses
• Calculating the modular inverse: the naive method is to brute-force every number from 0 to 𝑛 − 1 until we find a number 𝐵 with (𝐴 ∗ 𝐵) mod 𝑛 = 1.
• This method is far too slow, so we need a faster one.

10. The Euclidean Algorithm
• The Euclidean algorithm is a quick method to calculate the GCD of two integers.
• Example, GCD(270, 192):
• 270 = 1 ∗ 192 + 78
• 192 = 2 ∗ 78 + 36
• 78 = 2 ∗ 36 + 6
• 36 = 6 ∗ 6 + 0
• We reached remainder 0, so the GCD is the last nonzero remainder, 6.

11. Caesar cipher
• The Caesar cipher is the earliest substitution cipher. Substitution ciphers map characters to other characters and use this map to encode and decode.
• In the Caesar cipher every letter is shifted by three to encode, e.g. ABC -> DEF.
• We can pick any key instead of three and do the same operation; as with modular arithmetic, after a full turn of the alphabet we wrap back around to the letter A.

12. Caesar cipher
• Call the encryption function enc(m) and the decryption function dec(m):
• enc(m) = for each c in m: (c + k) mod 26
• dec(m) = for each c in m: (c − k) mod 26
• where k is our key, c is each character of the string, and 26 is the number of letters in the English alphabet.
• As you can see, this is closely related to the figure we showed earlier for modular arithmetic.
13. Public key cryptography
• With the basic mathematics covered, we now introduce one of the most widely used tools for securing communications: public key cryptography.
• In the Caesar cipher the same key is used for encryption and decryption. This is insecure when the two parties are far apart, because they are forced to share the key over a channel, which may leak it and expose the communication.
• In public key cryptography each side of the conversation has two keys, a public key and a private key: the public key can be shared, and the private key remains secret.

14. Diffie-Hellman key exchange
• Diffie-Hellman key exchange is a method for agreeing on encryption keys without exposing them on the public channel. It is named after Whitfield Diffie and Martin Hellman and was published in 1976.
• The method is simple; let's explain it by example. Assume Alice wants to send a message to Bob, and Eve is watching the public channel between them.

15. Diffie-Hellman key exchange
• Alice wants to share a key without letting Eve learn it. First, Alice and Bob agree on a public generator 𝑔 and a prime modulus 𝑝.
• Each of them chooses a private key, 𝑑1 and 𝑑2, and computes 𝑔^𝑑𝑥 mod 𝑝.
• At this point we have two public keys, 𝑃1 for Alice and 𝑃2 for Bob, which they send to each other (so far Eve sees them too). Now Alice and Bob each compute the shared secret key, which Eve cannot: Bob computes 𝑃1^𝑑2 mod 𝑝 and Alice computes 𝑃2^𝑑1 mod 𝑝.

16. Diffie-Hellman key exchange
• Let's expand those expressions with numbers to make it concrete:
• Alice: 𝑔 = 3, 𝑝 = 17, 𝑑 = 15
• Bob: 𝑔 = 3, 𝑝 = 17, 𝑑 = 13
• Alice's public key: 3^15 mod 17 = 6; Bob's public key: 3^13 mod 17 = 12
• Now Alice and Bob exchange the public keys.
• Alice's shared key: 12^15 mod 17 = 10; Bob's shared key: 6^13 mod 17 = 10. They are always the same because it is the same calculation: Alice computed (3^13)^15 mod 17 and Bob computed (3^15)^13 mod 17, both equal to 3^(13 ∗ 15) mod 17.
• Eve only has 𝑔 = 3, 𝑝 = 17, 𝑎𝑝𝑘 = 6, 𝑏𝑝𝑘 = 12, and she cannot get the shared key from them.
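The exchange of slides 14 to 16 as a runnable example (added here; it is not code from the slides): both parties' computations, the check that the two shared values coincide, and, as the caveat the toy parameters invite, a brute-force discrete log that works only because 𝑝 = 17 is tiny.

```python
# Added example, not from the slides: Diffie-Hellman with the toy values of
# slide 16 (g = 3, p = 17, Alice d = 15, Bob d = 13). Standard library only.

def dh_public(g: int, p: int, d: int) -> int:
    """Each party publishes g^d mod p; the exponent d stays private."""
    return pow(g, d, p)

def dh_shared(peer_public: int, d: int, p: int) -> int:
    """shared = (peer's public value)^d mod p."""
    return pow(peer_public, d, p)

def dh_exchange(g: int, p: int, d_alice: int, d_bob: int):
    """Runs the whole exchange and returns
    (alice_public, bob_public, alice_shared, bob_shared).
    Eve, watching the channel, sees only g, p and the two public values."""
    alice_public = dh_public(g, p, d_alice)          # Alice -> Bob
    bob_public = dh_public(g, p, d_bob)              # Bob -> Alice
    alice_shared = dh_shared(bob_public, d_alice, p)
    bob_shared = dh_shared(alice_public, d_bob, p)
    # Why they agree (slide 16): both equal g^(d_alice*d_bob) mod p, just
    # computed in a different order.
    assert alice_shared == bob_shared == pow(g, d_alice * d_bob, p)
    return alice_public, bob_public, alice_shared, bob_shared

def brute_force_dlog(g: int, p: int, target: int, limit: int = 1 << 20):
    """Eve's only generic option from the public values: find x with
    g^x ≡ target (mod p) by trying every exponent in turn. Feasible here
    solely because p = 17; with a 2048-bit prime the loop never finishes,
    which is the security argument behind slide 16. Returns None if not found."""
    value = 1
    for x in range(min(p, limit)):
        if value == target:
            return x
        value = (value * g) % p
    return None

if __name__ == "__main__":
    a_pub, b_pub, a_key, b_key = dh_exchange(3, 17, 15, 13)
    print(f"Alice sends {a_pub}, Bob sends {b_pub}, shared key {a_key}")
    # With p = 17 Eve recovers Alice's private exponent from her public value.
    print("Eve's brute-force exponent:", brute_force_dlog(3, 17, a_pub))
```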
17. RSA
• The previous method requires Alice to generate a separate shared key for everyone she contacts, which can be too hard. To address this, James Ellis, a British mathematician, introduced the idea of creating only one public key and sending it to everyone; anyone who wants to contact Alice just uses this key.
• After that, the British mathematician and cryptographer Clifford Cocks introduced a mathematical way to apply this concept.

18. RSA
• Bob sends a message 𝑚 using Alice's public key 𝑛 and public exponent 𝑒 as follows:
• 𝑚^𝑒 ≡ 𝑐 (mod 𝑛), where 𝑐 is the encrypted message
• Alice needs a private key 𝑑 to decrypt the message, such that 𝑐^𝑑 ≡ 𝑚 (mod 𝑛)
• Eve only has 𝑛, 𝑒 and 𝑐. Let's see what she would need to do to obtain 𝑑.

19. Euler's totient
• Euler's phi function φ(𝑚) counts the positive integers less than 𝑚 that are coprime to 𝑚.
• For a prime number 𝑝, every number below it is coprime to it, so φ(𝑝) = 𝑝 − 1.

20. Euler's Formula
• Euler's formula states that 𝑚^φ(𝑛) ≡ 1 (mod 𝑛) (for 𝑚 coprime to 𝑛).
• Raising both sides to the power 𝑘 and then multiplying by 𝑚 gives 𝑚^(𝑘 ∗ φ(𝑛) + 1) ≡ 𝑚 (mod 𝑛).
• Back to the decryption formula: 𝑐^𝑑 ≡ 𝑚 (mod 𝑛) → 𝑚^(𝑒𝑑) ≡ 𝑚 (mod 𝑛)
• So we can choose 𝑘 ∗ φ(𝑛) + 1 = 𝑒𝑑 → 𝑑 = (𝑘 ∗ φ(𝑛) + 1)/𝑒, with 𝑒 coprime to φ(𝑛) → 𝑑𝑒 ≡ 1 (mod φ(𝑛))
• To choose our 𝑑 and 𝑒 we need two important theorems.
21. Chinese Remainder Theorem
• The Chinese Remainder Theorem states that if we have numbers 𝑛1, 𝑛2, 𝑛3, …, 𝑛𝑥 that are pairwise relatively prime, then for any 𝑏1, 𝑏2, …, 𝑏𝑥 the system 𝐴 ≡ 𝑏1 (mod 𝑛1), 𝐴 ≡ 𝑏2 (mod 𝑛2), 𝐴 ≡ 𝑏3 (mod 𝑛3), …, 𝐴 ≡ 𝑏𝑥 (mod 𝑛𝑥) has exactly one solution with 0 ≤ 𝐴 < 𝑛1 ∗ 𝑛2 ∗ … ∗ 𝑛𝑥.

22. Example
• 𝑥 ≡ 3 (mod 5), 𝑥 ≡ 1 (mod 7), 𝑥 ≡ 6 (mod 8)
• We have the same 𝑥 in three different congruences and need to solve for 𝑥. Using the Chinese Remainder Theorem we build a table with four columns: 𝑏𝑖, 𝑁𝑖, 𝑥𝑖 and their product.
• Here 𝑏𝑖 is the remainder, 𝑁𝑖 = 𝑁/𝑛𝑖 for 𝑁 = 𝑛1𝑛2𝑛3, and 𝑥𝑖 = inv(𝑁𝑖, 𝑛𝑖).
• The final 𝑥 is the sum of the last column mod 𝑁:
  𝑏𝑖   𝑁𝑖   𝑥𝑖   𝑏𝑖𝑁𝑖𝑥𝑖
  3    56   1    168
  1    40   3    120
  6    35   3    630
• 𝑥 = (168 + 120 + 630) mod 280 = 918 mod 280 = 78

23. Fermat's Little Theorem
• Fermat's Little Theorem states that if 𝑝 is a prime number and 𝑝 does not divide 𝑎, then 𝑎^(𝑝−1) ≡ 1 (mod 𝑝).

24. Choosing 𝑑 and 𝑒
• There are some constraints on 𝑒:
• 1 < 𝑒 < φ(𝑛)
• 𝑒 has to be coprime with 𝑛 and with φ(𝑛)
• The private key 𝑑 has to satisfy 𝑑𝑒 ≡ 1 (mod φ(𝑛)), which means 𝑑 = inv(𝑒, φ(𝑛)).

25. Wrap everything up
• A simple example to show everything we mentioned:
• 𝑛 = 3127, 𝑒 = 3
• Encryption:
• 𝑐 = 𝑚^𝑒 mod 𝑛 = 89^3 mod 3127 = 1394
• Decryption:
• 𝑛 = 3127 = 53 ∗ 59 → φ(𝑛) = φ(53) ∗ φ(59) = 52 ∗ 58 = 3016
• 𝑑 = inv(𝑒, φ(𝑛)) = inv(3, 3016) = 2011
• 𝑚 = 𝑐^𝑑 mod 𝑛 = 1394^2011 mod 3127 = 89
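Slides 8 to 10 and 24 to 25 carried through in code (an added example, not code from the slides): the Euclidean algorithm, the modular inverse computed with the extended Euclidean algorithm instead of the brute-force search, and the RSA setup, encryption and decryption with the slide's numbers.

```python
# Added example, not from the slides: the Euclidean algorithm of slide 10,
# the modular inverse of slides 8-9 via the extended Euclidean algorithm,
# and the RSA key setup, encryption and decryption of slides 24-25 with its
# numbers (p = 53, q = 59, e = 3, m = 89). Standard library only.

def euclid_gcd(a: int, b: int) -> int:
    """Slide 10: repeatedly replace (a, b) by (b, a mod b); the gcd is the
    last nonzero remainder. gcd(270, 192) walks 78, 36, 6, 0 and returns 6."""
    while b:
        a, b = b, a % b
    return a

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b).
    The coefficients are carried along the same division steps as above."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a: int, n: int) -> int:
    """inv(a, n) of slide 24: the A^-1 with A * A^-1 ≡ 1 (mod n).
    Exists only when gcd(a, n) == 1 (slide 8); from a*x + n*y = 1 the
    inverse is x mod n."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return x % n

def rsa_keygen(p: int, q: int, e: int):
    """Slide 24 constraints: 1 < e < phi(n), e coprime to n and to phi(n).
    Returns (n, e, d) with d*e ≡ 1 (mod phi(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)              # phi(p) * phi(q), slide 19
    if not 1 < e < phi or euclid_gcd(e, phi) != 1 or euclid_gcd(e, n) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and be coprime to n and phi(n)")
    return n, e, modinv(e, phi)

def rsa_encrypt(m: int, e: int, n: int) -> int:
    """c = m^e mod n (slide 18); pow() does modular exponentiation directly."""
    return pow(m, e, n)

def rsa_decrypt(c: int, d: int, n: int) -> int:
    """m = c^d mod n; works because m^(ed) = m^(k*phi(n)+1) ≡ m (slide 20)."""
    return pow(c, d, n)

def slide25_walkthrough():
    """Reproduces slide 25 end to end: returns (n, d, c, recovered m)."""
    n, e, d = rsa_keygen(53, 59, 3)
    c = rsa_encrypt(89, e, n)
    return n, d, c, rsa_decrypt(c, d, n)

if __name__ == "__main__":
    print("gcd(270, 192) =", euclid_gcd(270, 192))
    print("inv(3, 3016)  =", modinv(3, 3016))
    print("n, d, c, m    =", slide25_walkthrough())
```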
26. Attacks on RSA
• Now let's introduce how an attacker can learn our secrets. Note that we are not showing that RSA is breakable; we will show that a bad choice of numbers can let an attacker recover the private key.
• Factorizing 𝑛:
• 𝑛 must be chosen very carefully. There are many online services, such as factordb, that work on factorizing a huge collection of numbers, and as the previous example showed, we can find 𝑑 just by obtaining the prime factorization of 𝑛.
• Let's discuss some of the factorization methods for 𝑛.

27. Prime Factorization
• Fermat's factorization:
• Named after Pierre de Fermat, it represents an odd integer as the difference of two squares, 𝑁 = 𝑎^2 − 𝑏^2.
• We can already factor a difference of two squares as (𝑎 + 𝑏)(𝑎 − 𝑏).
• Since our 𝑛 = 𝑝𝑞 where 𝑝, 𝑞 are primes, we can write it as ((𝑝 + 𝑞)/2)^2 − ((𝑝 − 𝑞)/2)^2,
• assuming that 𝑛 is odd, so 𝑝 and 𝑞 are also odd.
• The steps are simple. First rewrite 𝑛 = 𝑎^2 − 𝑏^2 as 𝑎^2 − 𝑛 = 𝑏^2.
• Then find the smallest 𝑘 such that 𝑘^2 ≥ 𝑛 → 𝑘^2 − 𝑛 ≥ 0 → 𝑏^2 ≥ 0.
• Then examine the numbers 𝑘^2 − 𝑛, (𝑘 + 1)^2 − 𝑛, (𝑘 + 2)^2 − 𝑛, … until we get a perfect square.
• This always terminates, since ((𝑛 + 1)/2)^2 − 𝑛 = ((𝑛 − 1)/2)^2.

28. Fermat Factorization Example
• A small example applying our steps: let 𝑛 = 119143.
• First find 𝑘 → 346, since 346 is the smallest 𝑘 with 𝑘^2 ≥ 𝑛.
• Then search the sequence for a perfect square:
• 346^2 − 𝑛 = 573 (not a perfect square)
• 347^2 − 𝑛 = 1266 (not a perfect square)
• …
• 352^2 − 𝑛 = 4761 = 69^2 (perfect square!)
• Now we can write 𝑛 = 119143 = 352^2 − 69^2 = (352 − 69)(352 +

29. Pollard's p-1 Factorization
• Another factorization method, this one using Fermat's Little Theorem introduced above.
• The method is simple. From Fermat's Little Theorem we know that 𝑎^(𝑝−1) ≡ 1 (mod 𝑝) where gcd(𝑎, 𝑝) = 1. Suppose 𝑝 − 1 is a factor of another number 𝑀, i.e. 𝑀 = (𝑝 − 1) ∗ 𝑘 with 𝑘 ∈ 𝑍.
• Then 𝑎^𝑀 ≡ (𝑎^(𝑝−1))^𝑘 ≡ 1 (mod 𝑝). Since in RSA 𝑛 = 𝑝 ∗ 𝑞, we have 𝑝 | (𝑎^𝑀 − 1) and 𝑝 | 𝑛.
• So gcd(𝑎^𝑀 − 1, 𝑛) will include the factor 𝑝, or equal it.

30. Pollard's p-1 Factorization
• To wrap up the steps:
• Choose an integer 𝑎 such that gcd(𝑎, 𝑛) = 1.
• Calculate 𝑎^(𝐵!) for 𝐵 = 1, 2, 3, … to find a nontrivial factor. Note that we replaced 𝑀 with 𝐵!, since it grows very fast and gives a good chance of finding a factor.
• Take gcd(𝑎^(𝐵!) − 1, 𝑛) and stop when it is nontrivial.
• Example: 𝑛 = 91, 𝑎 = 2
• 2^(1!) = 2 → gcd(2 − 1, 91) = 1 … 2^(3!) = 2^6 = 64 → gcd(64 − 1, 91) = 7
• So 91 = 7 ∗ 13
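The two factorization methods of slides 27 to 30, run on the slides' own numbers (an added example, not the slides' code). The comments note the key-generation mistake each method exploits, which is what a key generator has to avoid.

```python
# Added example, not from the slides: Fermat's factorization (slides 27-28,
# n = 119143) and Pollard's p-1 (slides 29-30, n = 91). Standard library only.
from math import gcd, isqrt

def is_perfect_square(x: int) -> bool:
    r = isqrt(x)
    return r * r == x

def fermat_factor(n: int):
    """Slides 27-28: starting at the smallest k with k^2 >= n, test
    k^2 - n, (k+1)^2 - n, ... until one is a perfect square b^2; then
    n = (k - b)(k + b). Fast exactly when p and q are close together,
    which is why RSA primes must not be generated near each other.
    Returns (p, q, k) with p <= q."""
    if n % 2 == 0:
        raise ValueError("Fermat's method needs an odd n")
    k = isqrt(n)
    if k * k < n:
        k += 1                       # 346 for n = 119143
    while not is_perfect_square(k * k - n):
        k += 1
    b = isqrt(k * k - n)
    return k - b, k + b, k

def pollard_p_minus_1(n: int, a: int = 2, max_b: int = 100_000):
    """Slides 29-30: x = a^(B!) mod n for B = 1, 2, 3, ...; once p - 1 | B!,
    Fermat's Little Theorem gives x ≡ 1 (mod p), so gcd(x - 1, n) exposes p.
    Works when p - 1 has only small prime factors (for 91 = 7 * 13,
    7 - 1 = 6 = 3!). Returns (factor, B), or None if both factors were hit
    at the same B (retry with another a) or B ran out."""
    g = gcd(a, n)
    if g != 1:
        return g, 0                  # a already shares a factor with n
    x = a
    for b in range(1, max_b + 1):
        x = pow(x, b, n)             # a^(b!) = (a^((b-1)!))^b
        g = gcd(x - 1, n)
        if 1 < g < n:
            return g, b
        if g == n:
            return None
    return None

if __name__ == "__main__":
    p, q, k = fermat_factor(119143)
    print(f"119143 = {k}^2 - {isqrt(k * k - 119143)}^2 = {p} * {q}")
    print("91 ->", pollard_p_minus_1(91, 2))     # factor 7 found at B = 3
```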
31. RSA Security
• There are many other factorization methods, such as the quadratic sieve and ECM. Does that mean RSA is not secure?
• The answer, so far, is no. RSA's strength rests on ignorance rather than knowledge: we have no efficient way to compute how hard it is to factor a huge number, we just know that it is hard. A simple mitigation for the previous factorization methods is adding more digits to 𝑛, which makes it harder to factorize.
• But there are attacks on RSA based on bad generation of our key variables, or even on our encryption methodology.

32. Bad Key Generation Attacks
• Some of the attacks that can be applied to RSA are:
• Common modulus
• Blinding
• Small private exponent: Wiener
• Small public exponent: Coppersmith, Hastad
• Timing attack
• We will explain some of them with examples to make them clearer.
33. Example 1
• Question from picoCTF 2018:
• N: 37415923547017213098893819652088052694795252162093236205030866324359 57883085839921208813593652589497238199117581980132026446664892479873 14025169670926273213367237020188587742716017314320191350666762541039 23824198493447318865661061591847467396333199240875004745125320515843 64528143545642830036966669459509085491971754045805331321421113569313 24330631843602412540295482841975783884766801266552337129105407869020 73022604153875053562861971770883802928636676147098605633523017114873 40275368205445432518010932308091862229408067182216388458165217386018 43083746103374974120575519418797642878012234163709518203946599836959 811
• e: 3
• c: 22053164139311340310464407676205419848010912163512227891805825645573 28762455422721368029531360076729972211412236072921577317264715424950 82309138220343548946052209468914959595101034266236834798786287833885 1038892082799389023900415351164773

34. Example 1
• As you can see, 𝑛 is a huge number and factorizing it would not be easy at all. But 𝑒 is very small, so small that 𝑚^𝑒 < 𝑛, and therefore 𝑐 = 𝑚^𝑒 mod 𝑛 = 𝑚^𝑒.
• So to get 𝑚 we can just take the cube root of 𝑐, which a computer does easily.
• 𝑚 = 𝑐^(1/3) = 13016382529449106065839070830454998857466392684017754632233906857023684751222397
• Decoding this integer to a string using the ASCII table gives the message:
• picoCTF{e_w4y_t00_sm411_81b6559f}, which is our solution.

35. Example 2
• picoCTF 2018:
• We are given the following inputs:
• c: 177867301851107514035069825289163955790640709025053905722180634076877670576311381537327171359820673 494330413688530765764474616655780152761455595506361395855071560610250266076857330008476741047886616 129573917962674329283920486265414847289694983534607432371666740494992970190373787209058814769825082 6373180618
• n: 775319695037483265896774189483151408705840152453867636332415188453568509795644029232666967041865672 700063612088620862545275760104121352302795536849406359566566497281348938745676199486753040524827204 303677486127089171058465340828630428239131661208653622524792065769421470713963194591125808537717425 37940112457
• e: 561724365774597256989343913591391049150414302131842212923016585717264140594118891557829820240198145 645122914219324897315635192963728734150805463794246193088591523602142097401691351597612348949231449 713729740380219452019546002389942096050357033171191928449754639154657254065430979290176378590199505 90916533609
• As you can see, everything is huge, and after trying to factorize 𝑛 without success, we can consider another attack, called Wiener's attack.
36. Wiener's Attack
• Michael J. Wiener stated a theorem based on continued fractions: if 𝑑 < (1/3) 𝑛^(1/4), then we can recover 𝑑 without factoring 𝑛.
• Explanation:
• We already mentioned that 𝑒𝑑 = 𝑘 ∗ φ(𝑛) + 1, and since φ(𝑛) = (𝑝 − 1)(𝑞 − 1) = 𝑝𝑞 − (𝑝 + 𝑞) + 1, and 𝑝, 𝑞 are very large, we can take the good approximation φ(𝑛) ≈ 𝑛.
• Substituting this into the first equation: 𝑒𝑑 = 𝑘 ∗ 𝑛 + 1 → 𝑒𝑑 − 𝑘𝑛 = 1 → 𝑒/𝑛 − 𝑘/𝑑 = 1/(𝑑𝑛) → 𝑒/𝑛 ≈ 𝑘/𝑑

37. Wiener's Attack
• So let's set out the steps:
• We need to find the convergents 𝑘/𝑑 that approximate 𝑒/𝑛 (using continued fractions, demonstrated below), subject to some checks:
• Since 𝑒𝑑 ≡ 1 (mod φ(𝑛)) and φ(𝑛) = (𝑝 − 1)(𝑞 − 1) is even (both 𝑝 − 1 and 𝑞 − 1 are even), 𝑑 must be odd, so we skip any convergent whose 𝑑 is even.
• Since φ(𝑛) must be a whole number, (𝑒𝑑 − 1)/𝑘 must also be a whole number; if it is not, we move to the next convergent.
• Now let (𝑥 − 𝑝)(𝑥 − 𝑞) = 0 be a quadratic equation; then (𝑥 − 𝑝)(𝑥 −

38. Wiener's Attack
• Short example: 𝑛 = 64741, 𝑒 = 42667
• Solution:
• 𝑒/𝑛 = 42667/64741
• Now use the Euclidean algorithm to find the convergents of the continued fraction:
• 42667/64741: 42667 = 0 ∗ 64741 + 42667 → 0/1 ≈ 𝑘/𝑑 (ignore)
• 64741/42667: 64741 = 1 ∗ 42667 + 22074 → 0 + 1/1 = 1/1 ≈ 𝑘/𝑑 (ignore)
• 42667/22074: 42667 = 1 ∗ 22074 + 20593 → 0 + 1/(1 + 1/1) = 1/2 ≈ 𝑘/𝑑 (𝑑 is even, ignore)
• 22074/20593: 22074 = 1 ∗ 20593 + 1481 → 0 + 1/(1 + 1/(1 + 1/1)) = 2/3 ≈ 𝑘/𝑑 (passes the first check)

39. Wiener's Attack
• Now, since φ(𝑛) = (𝑒𝑑 − 1)/𝑘 = (42667 ∗ 3 − 1)/2 = 64000,
• we can set up the quadratic equation as: 𝑥^2 − (64741 − 64000 +

40. Example 2
• Applying this to Example 2 would be hard to do manually, so with a simple script run on a computer we get the message: picoCTF{w@tch_y0ur_Xp0n3nt$_c@r3fu11y_5495627}
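Wiener's attack of slides 36 to 39 as a script of the kind slide 40 mentions (an added example, not the slides' code), run on the short example 𝑛 = 64741, 𝑒 = 42667. The checks of slide 37 are applied to each convergent, and the quadratic of slides 37 and 39 recovers 𝑝 and 𝑞.

```python
# Added example, not from the slides: Wiener's attack (slides 36-39) on the
# slide's short example n = 64741, e = 42667. Standard library only.
from math import isqrt

def continued_fraction(num: int, den: int):
    """Partial quotients of num/den, produced by the Euclidean algorithm
    (slide 38): 42667/64741 -> [0, 1, 1, 1, ...]."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients

def convergents(quotients):
    """Successive fractions k/d approximating the value: 0/1, 1/1, 1/2, 2/3, ..."""
    h_prev, h, k_prev, k = 0, 1, 1, 0
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def wiener_attack(e: int, n: int):
    """Try each convergent k/d of e/n with the slide 37 checks: skip even d
    and any k that does not divide e*d - 1; from phi = (e*d - 1)/k solve
    x^2 - (n - phi + 1) x + n = 0 for p, q and accept when p*q == n.
    Succeeds only for d < (1/3) n^(1/4), i.e. a private exponent chosen far
    too small; a key generator must reject such d. Returns (d, p, q) or None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or d % 2 == 0:
            continue
        if (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                      # p + q
        disc = s * s - 4 * n
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p * q == n:
            return d, p, q
    return None

if __name__ == "__main__":
    print("convergents:", list(convergents(continued_fraction(42667, 64741)))[:4])
    print("d, p, q =", wiener_attack(42667, 64741))   # (3, 641, 101)
```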
  • 41. Example3 • Qiwi CTF 2016: • We are given the following data: • e = 3 • n1 = 951183579890375398832721687460046528729588905624458143018898666630723524217032649859978006600753116455557997454268683433653215027347360 062480079024096285405786359255597422174807974871302027470202114526207430210975651130593925044727852271548241172310778444446723932218381 92941390309312484066647007469668558141 • n2 = 983641659192512462438466673235423180228042348336779241611757332536895813936073466678952982537181842735322689820609056293996281549819187 120702414514944911614708277371461763160118437389434271216023242087736531807827329994228694395881983184224516979206405638807773855770649 13983202033744281727004289781821019463 • n3 = 688279409393531896130903922268981550217427728978224384835450219442158121468093186865103757240648887052963738533989550930766633230013800 478578097748663900834342727813624471474414222079675773237698128960388165867572421302245248289350431873155795234124393091388163355698454 70021720847405857361000537204746060031 • c1 = 648304467081690127664145873275688124211304348175260891461901367964612985920712389303847075433183902924511189803028055121517902489896222 693629587182282984272126302725251864786272999998474890184006244006718766977089524476389908023455873819054072369354942714369607648990064 30941507608152322588169896193268212007 • c2 = 969074907173443465884324916037223126942086603342829642344876876545939847141448256561981807778723272792506679614651697992674057344316751 110353620897292499950273268630992625224212064594004052303776311411328829973368292188101717289250875356749074555845579568018314471254867 53515868079342148815961792481779375529 • c3 = 436838749130117465300561031454452502813077326340454374865246051046397854690504991716405214770364707509033415233365996022881766111606375 225688683912376892414463926993219107232350611808269454646497803733010281390492888815782348407395450003382029176780082697941791007323412 69448362920924719338148857398181962112
  • 42. Example3 • As you can see yes, our public exponent 𝑒 is small, but taking the 3rd root for 𝑐 won’t give us the solution, this means that 𝑚𝑒 > 𝑛 • Now there is an attack in this case we can apply called Hastad’s attack. • Let’s discuss it in the next slide
  • 43. Hastad’s Attack • Simply when we send the same message to different receivers, an attacker can retrieve the private key using Chinese remainder theorem that we discussed before. • 𝑚𝑒 ≡ 𝑐1 𝑚𝑜𝑑 𝑛1 • 𝑚𝑒 ≡ 𝑐2 𝑚𝑜𝑑 𝑛2 • …… • 𝑚𝑒 ≡ 𝑐𝑥 𝑚𝑜𝑑 𝑛𝑥 • The Chinese Remainder Theorem allows us to solve those congruences and since 𝑚 < min(𝑛1, 𝑛2, … , 𝑛𝑥), then 𝑚𝑒 < 𝑛1 ∗ 𝑛2*.. 𝑛𝑥 so we can solve them and get our 𝑚.
44. Håstad's Attack
• Example: e = 3, (n1, n2, n3) = (629, 2173, 1159) and (c1, c2, c3) = (529, 414, 558)
• Solution: we need to write them as congruences:
• m^3 ≡ 529 (mod 629)
• m^3 ≡ 414 (mod 2173)
• m^3 ≡ 558 (mod 1159)
• Using the Chinese remainder algorithm:
• N = n1 * n2 * n3 = 1584140903
• N1 = N/n1 = 2518507, N2 = N/n2 = 729011, N3 = N/n3 = 1366817
• u1 = inverse(N1, n1), u2 = inverse(N2, n2), u3 = inverse(N3, n3)
45. Håstad's Attack
• Now m^e = [(c1 * u1 * N1) + (c2 * u2 * N2) + (c3 * u3 * N3)] mod N
• m^3 = 15625 → m = 25
• Applying the same steps to Example3 gives the message: theoretical_computer_scientist_johan_torkel_hastad
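The CRT computation of the last two slides, as an added Python example that is not part of the original deck: it solves the slide's three congruences, refuses to run with fewer than e ciphertexts (where m^e is not guaranteed to lie below N), and takes an exact integer cube root, returning None when the root is not exact, which is exactly what happens when you try the plain cube root on a single ciphertext with m^e > n. Function names are my own; Python 3.8+ is assumed for pow(x, -1, n).

```python
# Added example (not the deck's own code): Håstad's broadcast attack with the CRT,
# run on the small numbers from the slide. Requires Python 3.8+ for pow(x, -1, n).
from math import gcd, prod


def crt(residues, moduli):
    """Solve x ≡ r_i (mod n_i) for pairwise coprime n_i; return (x mod N, N)."""
    N = prod(moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n           # N_i = N / n_i
        ui = pow(Ni, -1, n)   # u_i = inverse(N_i, n_i)
        x += r * ui * Ni
    return x % N, N


def iroot(k, x):
    """Exact integer k-th root of x >= 0, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)   # hi**k > x, so the root lies in [lo, hi)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def hastad_broadcast(e, moduli, ciphertexts):
    """Recover m from ciphertexts of the same m under pairwise coprime moduli.

    With fewer than e ciphertexts m**e is not guaranteed to be below N and the
    e-th root of the CRT result is not exact, so this refuses rather than guess.
    """
    if len(moduli) < e:
        raise ValueError(f"need at least e={e} ciphertexts, got {len(moduli)}")
    for i, ni in enumerate(moduli):
        for nj in moduli[i + 1:]:
            if gcd(ni, nj) != 1:
                raise ValueError("moduli are not pairwise coprime; the CRT does not apply")
    me, _ = crt(ciphertexts, moduli)
    m = iroot(e, me)
    if m is None:
        raise ValueError("CRT result is not an exact e-th power")
    return m


if __name__ == "__main__":
    # Slide 44 values: e = 3, moduli 629, 2173, 1159 and ciphertexts 529, 414, 558.
    print(hastad_broadcast(3, [629, 2173, 1159], [529, 414, 558]))   # 25
```

The mitigation is the one the deck's own reasoning implies: randomized padding such as OAEP makes the three plaintexts differ, so the congruences no longer share a single m^e.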
46. Example4 (CodeBlue CTF 2017)
• Given:
• n1, n2: the two moduli
• e1 = 813647
• e2 = 846359
• c1, c2: the two ciphertexts
47. Example4
• As you can see, we cannot use any of the previous attacks: e is not small enough and we could not factorize n1, n2. But we notice that n1 and n2 are the same, and it is also given that the message is the same.
• In this case we can use an attack called the Common Modulus Attack.
48. Common Modulus Attack
• Let's translate our input into math:
• c1 = m^e1 mod n
• c2 = m^e2 mod n
• gcd(e1, e2) = d
• Now we know that RSA is homomorphic with respect to multiplication, so we can build a new ciphertext as the product of the two ciphertexts raised to powers a, b:
  cm = c1^a * c2^b mod n → m^(a*e1) * m^(b*e2) mod n → m^(a*e1 + b*e2) mod n
• Now we can use Bézout's identity, which states:
• For a, b ∈ Z+ with gcd(a, b) = d, there exist x, y ∈ Z such that x*a + y*b = d
49. Common Modulus Attack
• Now, using the Extended Euclidean algorithm to find the multiplicative inverse, we can recover our m. Let's see an example with small numbers.
• Let: n = 143, e1 = 7, e2 = 17, c1 = 42, c2 = 9
• Solution:
• In EEA (each row computes r = r1 − q*r2 and t = t1 − q*t2):

  q    r1   r2   r    t1   t2   t
  2    17   7    3    0    1    -2
  2    7    3    1    1    -2   5
  3    3    1    0    -2   5    -17
       1    0         5    -17

• So gcd(e1, e2) = 1 and inv(e1, e2) = 5 (check: 5 * 7 = 35 ≡ 1 mod 17)
• And from this a = 5, b = −2
50. Common Modulus Attack
• To validate our result, we know from Bézout's identity that a*e1 + b*e2 = gcd(e1, e2) → 5 * 7 + (−2) * 17 = 1, which is true.
• Now to get our new cm = c1^a * c2^b mod n = 42^5 * (9^(−1))^2 mod 143
• Since b is negative we need to run EEA again for 9^(−1) mod 143; for short, using a computer gives 16 (check: 9 * 16 = 144 ≡ 1 mod 143)
• So cm = 42^5 * 16^2 mod 143 = 3
• And since m^(a*e1 + b*e2) mod n = m^gcd(e1, e2) mod n = m^1 mod 143 = cm, our m = 3
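The common modulus recovery of slides 48 to 50, as an added Python example that is not the deck's own code: the extended Euclidean routine returns the Bézout coefficients (a, b) = (5, −2) the slide's table produces, the negative coefficient is handled by inverting that ciphertext mod n exactly as the slide does for 9^(−1), and a check function re-encrypts the result under both exponents. Function names are my own; Python 3.8+ is assumed for pow(x, -1, n).

```python
# Added example (not the deck's own code): the common modulus attack carried out
# with explicit Bézout coefficients, on the slide's small numbers. Python 3.8+.


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with x*a + y*b = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def common_modulus(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n when gcd(e1, e2) = 1.

    Bézout gives a*e1 + b*e2 = 1, so c1^a * c2^b = m^(a*e1 + b*e2) = m (mod n).
    Typically one coefficient is negative; that ciphertext is inverted mod n first.
    """
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError(f"gcd(e1, e2) = {g}: only m^{g} is recoverable this way")
    if a < 0:
        c1, a = pow(c1, -1, n), -a   # c1^a with a < 0 means (c1^-1)^|a|
    if b < 0:
        c2, b = pow(c2, -1, n), -b
    return (pow(c1, a, n) * pow(c2, b, n)) % n


def check_recovery(n, e1, c1, e2, c2):
    """Recover m and confirm it re-encrypts to both ciphertexts."""
    m = common_modulus(n, e1, c1, e2, c2)
    return m, pow(m, e1, n) == c1 and pow(m, e2, n) == c2


if __name__ == "__main__":
    # Slide 49 values: n = 143, e1 = 7, e2 = 17, c1 = 42, c2 = 9 → m = 3
    print(egcd(7, 17))                        # (1, 5, -2): 5*7 - 2*17 = 1
    print(check_recovery(143, 7, 42, 17, 9))  # (3, True)
```

The defensive takeaway is the condition the attack needs: two key pairs must never share a modulus, which is why key generation always draws a fresh n per key.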
51. Example4
• Applying the same steps to the example we get the message: CBCTF{6ac2afd2fc108894db8ab21d1e30d3f3}
52. Last Words
• Number theory is very interesting and fun, and applying it to cryptography is even more fun. There are still a lot of topics we can discuss and other attacks, such as LLL and timing attacks, and many more interesting topics in cryptography like fast powering, elliptic curves, lattices, successive powers, quadratic residues and much more. I really want to stay and talk more, but we can do it another time, so always keep learning and excited, and never give up on math: it may seem hard, and the simplest things may seem weird to you, but when you get it you will be so proud.
• In the next slide I will share some great resources that I use to practice and learn.
• Don't learn to hack… hack to learn.
53. Resources
• Cryptohack, one of the best websites that teaches you through challenges
• Math 3107 by Prof. Jeff Suzuki, Boston University
• MIT 6.875 Cryptography, Spring 2018
• An Introduction to Mathematical Cryptography by J.H. Silverman, Jill Pipher, Jeffrey Hoffstein
54. References
• https://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf
• https://cryptohack.org/challenges/maths/
• https://www.youtube.com/playlist?list=PLKXdxQAT3tCssgaWOy5vKXAR4WTPpRVYK
• https://link.springer.com/book/10.1007/978-0-387-77993-5
• https://www.amazon.com/Friendly-Introduction-Number-Theory-4th/dp/0321816196/ref=sr_1_2?ie=UTF8&qid=1326998078&sr=8-2
• https://www.khanacademy.org/computing/computer-science/cryptography/