- 1. Analysis of shared RSA Modulus n. Dr. Dharma Ganesan, Ph.D.
- 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty, and I accept no responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners
- 3. Question (notations are defined later) ● An RSA public key is made of two public variables <n, e> ● If n is shared between two users, can we break RSA? ● If <n, e1> and <n, e2> are public keys, we break RSA ● We make no assumption about e1 and e2
- 4. Agenda ● Brief overview of RSA algorithm ● Formal definition of RSA Trapdoor function ● Algorithms and Demos ● Conclusion
- 5. Prerequisite. Some familiarity with the following topics will help in following the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview
- 6. How can Bob send a message to Alice securely? [Figure: Alice holds public key PuA and private key PrA; Bob holds public key PuB and private key PrB] ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve?
- 7. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using the recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they have the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable
- 8. Notations and Facts. GCD(x, y): the greatest common divisor of the integers x and y. Co-prime: if gcd(x, y) = 1, then x and y are co-prime. Z_n = {0, 1, 2, …, n-1}, n > 0; we may imagine Z_n as a circular wall clock. Z*_n = {x ∈ Z_n | gcd(x, n) = 1} (additional info: Z*_n is a multiplicative group). φ(n): Euler’s totient function, the number of elements in Z*_n. φ(nm) = φ(n)·φ(m) whenever gcd(n, m) = 1 (this property is called multiplicative). φ(p) = p - 1 if p is a prime number.
- 9. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x - y; x is congruent to y mod n ● Euler’s Theorem: a^φ(n) ≡ 1 (mod n) if gcd(a, n) = 1 ● Fermat’s Little Theorem: a^p ≡ a (mod p) for a prime p ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
- 10. RSA - Key Generation Algo 1. Select an appropriate bit length of the RSA modulus n (e.g., 2048 bits) ○ The value of n is not chosen until step 3; a small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bit length ○ In practice, p and q satisfy q < p < 2q to avoid polynomial-time factorization algorithms 3. Compute n = p·q (n is also called the RSA modulus) 4. Compute Euler’s totient (phi) function φ(n) = φ(p·q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d such that e·d ≡ 1 (mod φ(n)) ○ e must be relatively prime to φ(n), otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e modulo φ(n) 6. The public key is the pair <n, e> and the private key is the 4-tuple <φ(n), d, p, q>
- 11. RSA Trapdoor ● RSA: Z_n → Z_n ● Let x and y ∈ Z_n ● y = RSA(x) = x^e mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA^-1(y) = y^d mod n ● e and d are also called the encryption and decryption exponents, respectively
- 12. RSA Trapdoor variables’ dependency graph [Figure: dependency graph of the RSA variables; the legend distinguishes private variables from public variables] Note: Public exponent e affects the private exponent d
- 13. [Figure: Alice holds public key <n, e_alice> and private key d_alice; Eve holds public key <n, e_eve> and private key d_eve; Bob encrypts data using Alice’s public key pair] Note: Both Alice and Eve are sharing the same RSA modulus n. Focus Question: Can Eve decrypt the data sent by Bob to Alice?
- 14. Formal Problem Statement. Bob encrypts secret x using Alice’s public key <n, e_alice>, which she can decrypt using d_alice. Bob computes y = RSA(x) using her public exponent e_alice and sends y to Alice. Can Eve reconstruct x using her private exponent d_eve and the public exponent e_alice? Note that both Eve and Alice share the same RSA public modulus n but they have different public exponents e_eve and e_alice, respectively. Further, assume that Eve does not know φ(n); otherwise, it is a piece of cake (?)
- 15. Solutions - Three different cryptanalysis algorithms. Eve has at least three different ways to break RSA when n is shared. Let V = e_eve·d_eve - 1. Algorithm 1: Lucky case: e_alice is relatively prime to V. Algorithm 2: If e_alice is not relatively prime to V, Eve can try a variant of solution 1. Algorithm 3: Derive the prime factors p and q from d_eve
- 16. Algorithm 1: In case e_alice is relatively prime to V. We know e_eve·d_eve ≡ 1 (mod φ(n)); thus V = e_eve·d_eve - 1 is a multiple of φ(n). Since e_alice is relatively prime to V, Eve can find d from the following: e_alice·d ≡ 1 (mod V) ⇒ e_alice·d = 1 + kV for some integer k. Eve will use this d to decrypt the ciphertext y sent from Bob to Alice as follows: y^d mod n = (x^{e_alice})^d mod n = x^{1+kV} mod n = x · x^{kV} mod n = x mod n [Note: x^{kV} mod n = 1 by Euler’s theorem, since V is a multiple of φ(n)]. Thus, Eve got the secret message x by simply performing y^d mod n
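The following Python example is added here and is not the deck’s Java demo. It walks through the key generation of slide 10 for two users who share one modulus and then runs Algorithm 1 end to end: Bob encrypts for Alice, and Eve derives a working decryption exponent from her own <e_eve, d_eve>. The primes p = 1000003, q = 1000033 and the exponents e_alice = 65537, e_eve = 17 are constructed toy values (not real key material); real RSA uses primes of ~1024 bits, but the arithmetic is identical.

```python
import math

# Constructed toy parameters (NOT real key material): two small primes keep the
# numbers readable. The attack does not depend on their size.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)          # Euler's totient of n = pq

# Alice and Eve share the modulus n but use different public exponents.
E_ALICE, E_EVE = 65537, 17
D_ALICE = pow(E_ALICE, -1, PHI)  # e_alice * d_alice ≡ 1 (mod φ(n))
D_EVE = pow(E_EVE, -1, PHI)      # e_eve * d_eve ≡ 1 (mod φ(n))


def rsa_encrypt(x, e, n):
    """Textbook RSA trapdoor y = x^e mod n (no padding, for illustration only)."""
    return pow(x, e, n)


def rsa_decrypt(y, d, n):
    """Inverse trapdoor x = y^d mod n."""
    return pow(y, d, n)


def guess_d(e_eve, d_eve, e_alice):
    """Algorithm 1: V = e_eve*d_eve - 1 is a multiple of φ(n).  If gcd(e_alice, V) = 1,
    the inverse of e_alice modulo V satisfies e_alice*d = 1 + kV, and because
    V is a multiple of φ(n) this d also inverts e_alice modulo φ(n)."""
    v = e_eve * d_eve - 1
    if math.gcd(e_alice, v) != 1:
        raise ValueError("e_alice shares a factor with V; Algorithm 1 does not apply")
    return pow(e_alice, -1, v)


def eve_reads_bobs_message(x):
    """Bob encrypts x under Alice's key; Eve decrypts it without knowing d_alice or φ(n)."""
    y = rsa_encrypt(x, E_ALICE, N)
    d_guess = guess_d(E_EVE, D_EVE, E_ALICE)
    return rsa_decrypt(y, d_guess, N)


if __name__ == "__main__":
    # Constructed 3-byte message, small enough to fit below n.
    msg = int.from_bytes(b"Hi!", "big")
    alice_view = rsa_decrypt(rsa_encrypt(msg, E_ALICE, N), D_ALICE, N)
    print("Alice reads:", alice_view.to_bytes(3, "big"))
    print("Eve reads  :", eve_reads_bobs_message(msg).to_bytes(3, "big"))
```

The check in guess_d is the precondition of Algorithm 1; with the values above it holds because e_alice = 65537 is a prime larger than e_eve and does not divide φ(n), so it cannot divide V = kφ(n) with k < e_eve (the bound proven on slide 23).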
- 17. Demo 1. Bob sends to Alice “How are you?” encrypted using her public key e_alice = 5 (as an example) ~/crypto/RSA$ java RSA_Encrypt $n $e_alice "How are you?" Output ciphertext y= 76dc17aa07343da5366c5ae5f2ea14f42e3016ad8e9f05e7ac70b3bb38ce8ea 962543d2941ff53f0957a5bb6bdae0d6a08eaa8f89154cc5331aa3f
- 18. Demo 1: Eve guesses d using the above algorithm ~/crypto/RSA$ java RSA_GuessD_SameMod $e_eve $d_eve $e_alice $n d = 6109521603000905944231978051014444608636964079961090052376203662589 5058435631761952658286457830881963456717135147920938169205948861023 5453124603263332993499408548199329230099560054492593276801844765356 8646202775339187614808158973187558622762807954379537344465186936469 47901699211795980621476299720308178571373 Note: In my experiment, e_alice was 5 and e_eve was 35. There is no requirement that public exponents have to be relatively prime to each other
- 19. The guessD method behind Demo 1:

```java
import java.math.BigInteger;

public class RSA_GuessD_SameMod {
    // Algorithm 1: V = e_eve*d_eve - 1 is a multiple of phi(n). When gcd(e_alice, V) = 1,
    // the inverse of e_alice modulo V is also a valid decryption exponent modulo phi(n).
    public static BigInteger guessD(BigInteger e_eve, BigInteger d_eve,
                                    BigInteger e_alice, BigInteger n) {
        BigInteger one = BigInteger.ONE;
        BigInteger v = e_eve.multiply(d_eve).subtract(one);
        // Precondition of Algorithm 1, checked explicitly (the JVM disables 'assert' by default)
        if (!e_alice.gcd(v).equals(one)) {
            throw new IllegalArgumentException("e_alice is not relatively prime to V");
        }
        return e_alice.modInverse(v);
    }
}
```
- 20. Demo 1: Eve successfully decrypts ~/crypto/RSA$ java RSA_Decrypt $n $d $y Output: Plaintext: How are you?
- 21. Algorithm 2: In case e_alice is not relatively prime to V. e_eve·d_eve ≡ 1 (mod φ(n)) ⇒ e_eve·d_eve - 1 = kφ(n) for some unknown integer k. Let V = e_eve·d_eve - 1 ⇒ V = kφ(n). Since φ(n) = (p-1)(q-1), kφ(n) = k(pq - p - q + 1). Multiplying by p and using n = pq gives kp^2 - (kn + k - kφ(n))p + kn = 0; substituting V = kφ(n): kp^2 - (kn + k - V)p + kn = 0. This is a quadratic equation in p. We know how to solve ax^2 + bx + c = 0. Note also that the product of the two roots = c/a = kn/k = n. Thus the two roots are the prime factors p and q of n
- 22. Algorithm 2: In case e_alice is not relatively prime to V. There is one challenge in Algorithm 2: we do not know the value of k. However, we can prove that k < e_eve (general proof on the next slide). This means that if e_eve is not a very large number, we can try different values of k. For example, in my experiments e_eve is bounded by 65537, which is a recommended value of e
- 23. Fact: If ed - 1 = kφ(n), then k < e. Proof (by contradiction): Suppose k ≥ e; then ed - 1 = kφ(n) ≥ eφ(n). Since ed > ed - 1 ≥ eφ(n) ⇒ ed > eφ(n). Since e > 0, divide by e to obtain d > φ(n). This is a contradiction because the RSA private exponent d is smaller than φ(n). Note: One can similarly prove that k < d, too.
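Algorithm 2 as a runnable Python example, added here and not part of the deck (the deck’s own implementation is in Java). It enumerates the unknown k from 1 up to e_eve - 1, as justified by the bound above, solves the quadratic kp^2 - (kn + k - V)p + kn = 0 with exact integer arithmetic, and accepts the first k whose roots are integers that multiply to n. The parameters are the same constructed toy values as in the earlier example (p = 1000003, q = 1000033, e_eve = 17), assumed here and not real key material.

```python
import math

# Constructed toy parameters (not real key material). Eve knows <n, e_eve, d_eve>
# but not p, q, φ(n) or k; P, Q and PHI are kept only to derive d_eve and to verify.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E_EVE = 17
D_EVE = pow(E_EVE, -1, PHI)


def factor_by_quadratic(e, d, n):
    """Algorithm 2: V = e*d - 1 = k*φ(n) for some unknown k < e.
    For each candidate k, p is a root of k*p^2 - (k*n + k - V)*p + k*n = 0.
    Returns (p, q, k) with p < q for the k whose roots are integer factors of n."""
    v = e * d - 1
    for k in range(1, e):                      # k < e, proven on the slide above
        a, b, c = k, -(k * n + k - v), k * n   # coefficients of a*p^2 + b*p + c = 0
        disc = b * b - 4 * a * c
        if disc < 0:
            continue                           # no real roots for this k
        s = math.isqrt(disc)
        if s * s != disc:
            continue                           # roots are irrational: wrong k
        if (-b + s) % (2 * a) != 0:
            continue                           # root is not an integer: wrong k
        p = (-b + s) // (2 * a)
        q = (-b - s) // (2 * a)
        if p > 1 and q > 1 and p * q == n:     # product of the roots must be n
            return (min(p, q), max(p, q), k)
    raise ValueError("no k < e produced integer roots; is e*d ≡ 1 (mod φ(n))?")


if __name__ == "__main__":
    p, q, k = factor_by_quadratic(E_EVE, D_EVE, N)
    print(f"p = {p}, q = {q}, k = {k}")
```

For the correct k the discriminant equals k^2 (p - q)^2, so the square root is exact and the two roots are exactly p and q; for any other k the integrality checks reject the candidate. The loop body is cheap, so the cost is governed entirely by e_eve, which is why the deck calls this the slowest of the three algorithms for large public exponents.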
- 25. Demo 2: Eve derives factors p and q from her d_eve ~/crypto/RSA$ java PrimeFactorsSameMod $e_eve $d_eve $n p = 13276679695761958519526349357562244988244279824926936082195687 40853247578889768050764104271700195002296832080914965123511352 0731128590296162806037862841243 q = 95868623013590057413914082440137643220393917593508351868252918 43518030624838461380195946775818574653366607424324589728945776 902488108182844666775027068559
- 26. Algorithm 3: Factorize n from d_eve. We know that e_eve·d_eve ≡ 1 (mod φ(n)), i.e., e_eve·d_eve - 1 ≡ 0 (mod φ(n)) ⇒ e_eve·d_eve - 1 = rφ(n) for some integer r. Let k = e_eve·d_eve - 1. This means that k is a multiple of φ(n); k is even because φ(n) is even. Let g be a random element of Z*_n, that is, g is relatively prime to n. Euler’s theorem says g^k ≡ 1 (mod n) since gcd(g, n) = 1. This implies g^{k/2} is a square root of one mod n, because g^{k/2}·g^{k/2} = g^k ≡ 1 (mod n)
- 27. Algorithm 3: Factorize n from d_eve. Step 1: Pick a random g from the multiplicative group Z*_n. Step 2: Construct the sequence g^{k/2}, g^{k/4}, g^{k/8}, … (mod n) until a term is not equal to 1 mod n. Note: If the exponent k/2^i becomes odd while every term is still 1 (or the first term that differs from 1 is -1 mod n), go back to step 1 and pick a new g. Step 3: Now we have calculated a square root z of one in mod n, that is, z^2 ≡ 1 (mod n) and z ≢ ±1 (mod n). Then (z+1)(z-1) ≡ 0 (mod n): n divides the product (z+1)(z-1) but divides neither factor alone, so n must share a non-trivial factor with each of (z+1) and (z-1). Step 4: Compute gcd(n, z-1) to extract one of the prime factors (say p) of n. Step 5: Derive the other prime factor q = n/p
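Algorithm 3 in Python, added as an example that is not the deck’s Java implementation. Instead of a random g it walks g = 2, 3, 4, … deterministically (each g has at least a 1/2 chance of exposing a non-trivial square root of one, so a handful of tries suffices); everything else follows steps 1 to 5 above. Once p and q are known, Eve can compute Alice’s private exponent directly, which the last function shows. Parameters are the same constructed toy values as before (p = 1000003, q = 1000033, e_eve = 17, e_alice = 65537), assumed here and not real key material.

```python
import math

# Constructed toy parameters (not real key material). Eve knows n, e_eve, d_eve
# and Alice's public exponent; P, Q and PHI exist only to derive d_eve and verify.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E_EVE, E_ALICE = 17, 65537
D_EVE = pow(E_EVE, -1, PHI)


def factor_from_d(e, d, n, max_tries=100):
    """Algorithm 3: k = e*d - 1 is an even multiple of φ(n), so g^k ≡ 1 (mod n) for any
    g coprime to n.  Halve the exponent until g^(k/2^i) ≠ 1; that value z is a square
    root of 1.  If z ≢ ±1, gcd(z - 1, n) is a proper factor of n.  Returns (p, q), p < q."""
    k = e * d - 1
    if k % 2:
        raise ValueError("e*d - 1 must be even (it is a multiple of φ(n))")
    for g in range(2, 2 + max_tries):          # deterministic stand-in for a random g
        common = math.gcd(g, n)
        if common != 1:                        # g is not in Z*_n: it already shares a factor
            return (min(common, n // common), max(common, n // common))
        t, z = k, 1
        while t % 2 == 0:                      # sequence g^(k/2), g^(k/4), ... mod n
            t //= 2
            z = pow(g, t, n)
            if z != 1:
                break
        if z == 1 or z == n - 1:               # only trivial roots found: pick a new g
            continue
        # z^2 ≡ 1 (mod n) and z ≢ ±1, so n | (z-1)(z+1) but divides neither factor.
        p = math.gcd(z - 1, n)
        if not 1 < p < n:
            raise RuntimeError("unexpected: non-trivial root gave a trivial gcd")
        return (min(p, n // p), max(p, n // p))
    raise ValueError("no suitable g found within max_tries")


def recover_private_exponent(e_other, p, q):
    """With p and q known, the other user's private exponent follows from slide 10."""
    return pow(e_other, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    p, q = factor_from_d(E_EVE, D_EVE, N)
    d_alice = recover_private_exponent(E_ALICE, p, q)
    print(f"p = {p}, q = {q}")
    print("Alice's d recovered:", pow(pow(2024, E_ALICE, N), d_alice, N) == 2024)
```

The running time does not depend on the size of either public exponent: each try costs one modular exponentiation plus a few squarings, which is why the deck recommends this algorithm when e is large. The same code factors n from any private exponent that is valid for n, so a leaked d from any user of a shared modulus compromises every other user of that modulus.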
- 28. My implementation of the algorithm to find the prime factors p and q from d
- 29. Example: Derive the prime factors p and q from d_eve ~/crypto/RSA$ java PrimeFactorsFromD $e_eve $d_eve $n p = 95868623013590057413914082440137643220393917593508351868252918435180 30624838461380195946775818574653366607424324589728945776902488108182 844666775027068559 q = 13276679695761958519526349357562244988244279824926936082195687408532 47578889768050764104271700195002296832080914965123511352073112859029 6162806037862841243
- 30. Conclusion ● If the RSA public modulus n is not unique per user, then RSA is breakable ● We investigated three different cryptanalysis algorithms to break it ○ Algorithm 1 is efficient if the public exponents have certain math properties ○ Algorithm 2 relaxes the properties but works only for “small” public exponents ○ Algorithm 3 works well even for very large public exponents ● Algorithm 2 is the slowest of all because it enumerates an unknown variable ● Algorithm 3 is efficient in general - no restriction on the public exponent values ● Takeaway is that <n, e1>, <n, e2> should not be part of the system ○ The public exponent e can be shared among the participants though.
- 31. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011.