SlideShare a Scribd company logo
1 of 36
Download to read offline
Solutions to Online RSA
Factoring Challenges
When Ps and Qs are not independent or close to each other
Dr. Dharma Ganesan, Ph.D.,
Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
Agenda
● Brief overview of public key cryptography
● RSA Key Generation Algorithm
● Integer Factorization Challenges
● Demo - break RSA when Ps and Qs are not independent
● Discussion/Recommendation
Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math
3
Context and Informal Problem Statement
● Online Cryptography challenges
○ proposed by Prof. Dan Boneh
● Break RSA when the random prime factors are
○ not independent of each other
○ or, close to each other
● Basically, we derive the private keys from the given public keys!
4
How can Bob send a message to Alice securely?
5
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
RSA Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits)
○ Value of the parameter N is not chosen until step 3; small N is dangerous
2. Pick two independent, large random primes, p and q, of half of N’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute N= p.q (N is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from ZN
such that e.d ≡ 1(mod φ(N))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1)
○ e must be relatively prime to φ(N) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in ZN
6. Public key is the pair <N, e> and private key is 4-tuple <φ(N), d, p, q>
Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately
6
7
Notations and Facts for RSA
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
ZN
= { 0, 1, 2, …, N-1 }, N > 0; we may imagine ZN
as a circular wall clock
Z*
N
= { x ∈ Zn
| gcd(x, N) = 1 }; (Z*
N
is a multiplicative group)
φ(N): Euler’s Totient function denotes the number of elements in Z*
N
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
Three RSA Factoring Challenge Problems
Challenge 1: Break RSA when |p -q| < N1/4
Challenge 2: Break RSA when |p -q| < 211
N1/4
Challenge 3: Break RSA when |3p-2q| < N1/4
● Breaking of the RSA function means finding the prime factors p
and q from N, and the plaintext m from a ciphertext c
○ Given N, find p and q such that N= pq
○ Given <c, e, N>, find m such that RSA(m) = c
8
Challenge 1: Visual Representation
9
● Let A = (p + q)/2
○ Note that A is an even number. since p and q are large primes, which are odd
● In the appendix, we prove that A is the ceiling of the square root of N
Core idea of the solution to challenge 1
● Recall that A is the mid-point of p and q
● Thus, there exists an integer x such that
○ A - x = p and
○ A + x = q
● But we know N= pq = (A-x)(A+x) = A2
- x2
● Thus, x = sqrt(A2
- N)
● Since we know A and N, we can find x
● From x and A, we can find p and q
10
Challenge 1: Given an N, print p and q
public static void main(String []args){
BigInteger N= new BigInteger(args[0]); // Need to check args length
BigInteger A = bigIntSqRootCeil(N);
BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N));
BigInteger p = A.subtract(x);
BigInteger q = A.add(x);
System.out.println("p = " + p);
System.out.println("q = " + q);
}
11
This program derives secret prime factors p and q from the given
public value N
Output of factoring private primes p and q from N
N =
179769313486231590772930519078902473361797697894230657273430081157732675805505620686
985379449212982959585501387537164015710139858647833778606925583497541085196591615128
057575940752635007475935288710823649949940771895617054361149474865046711015101563940
680527540071584560878577663743040086340742855278549092581
$ java RSACracking $N
p =
134078079299425970995740249982058461274793658205923933777235614437217640300736627688
91111614362326998675040546094339320838419523375986027530441562135724301
q =
134078079299425970995740249982058461274793658205923933777235614437217640300737785609
80348930557750569660049234002192590823085163940025485114449475265364281
12
Challenge 1: Given the ciphertext print plaintext
● Once we found p and q, we can easily derive the plaintext as follows
● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)= N-p-q+1
● Since most implementation choose e = 65537 we can find d easily:
○ e.d ≡ 1(mod φ(N))
● We know e and φ(N). d is a multiplicative inverse of e in φ(N)
○ Extended Euclidean Algorithm can find d
○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm
● Once we know d, we find the plaintext m as follows:
● m = cd
(mod N)
○ This is called RSA’s decryption function
13
Challenge 1: algorithm/pseudo code
BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1));
BigInteger e = BigInteger.valueOf(65537);
BigInteger d = e.modInverse(phiN);
BigInteger c = new BigInteger(args[1]); // Input ciphertext
BigInteger m = c.modPow(d, N); // m = cd
mod N
System.out.println("m = " + m.toString(16)); // Output plaintext
14
Inputs RSA public modulus N and ciphertext c
N =
179769313486231590772930519078902473361797697894230657273430081157732675805505620686
985379449212982959585501387537164015710139858647833778606925583497541085196591615128
057575940752635007475935288710823649949940771895617054361149474865046711015101563940
680527540071584560878577663743040086340742855278549092581
c =
220964518674103817763065611348834180174100697878928310717318391436761356001205380042
823296504735094243439462197515122564658399679428894607645420405815647489880137348641
204523252293201764879166664029975091887299716905260832220677716000193292608700095799
93724077458967773697817571267229951148662959627934791540
15
Output: Plaintext m by breaking RSA prime factors
$time java RSACracking $N $c
m =
20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959
a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252
cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004
66163746f72696e67206c65747320757320627265616b205253412e
We were told that the plaintext is padded using PKCS1 standard. Thus, actual
plaintext is after the 0x00 byte:
466163746f72696e67206c65747320757320627265616b205253412e
16
Final step: Convert hex to ascii
$ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd
-r -p
Factoring lets us break RSA
● This text was encrypted but we found it without knowing the private key
● Factors p, q, and m were found in less than minute
● The main reason was due to the fact that |p -q| < N1/4
17
Let’s solve Challenge 2
Challenge 1: Break RSA when |p -q| < N1/4
Challenge 2: Break RSA when |p -q| < 211
N1/4
Challenge 3: Break RSA when |3p-2q| < N1/4
18
Core idea of the solution to challenge 2
● Need to prove that (A - √N) < 220
(See the Appendix for my proof)
● In contrast to Challenge 1, A may not be the same as √N
● However, we do know that A is within the distance of 220
from √N
● Why not just try all possible values of A given that 220
is a small number
● We start with A = √N and check whether the current pq = N
○ We leverage the solution to challenge 1 to find the current p and q
19
Challenge 2: My algorithm/ pseudo code
BigInteger A = rootN; /* A is initialized to square root of N */
while(true) {
BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N));
BigInteger p = A.subtract(x);
BigInteger q = A.add(x);
if(A.subtract(rootN).compareTo(two.pow(20)) == 1) { break; }
if(p.multiply(q).equals(N)) { /* We found the prime factors p and q */
System.out.println(p);
System.out.println(q);
break;
}
A = A.add(BigInteger.ONE) /* else keep trying until 2 20
limit */
}
20
Challenge 2: Input N and Output p and q
N =
64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919
55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852
81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877
$time java RSACracking_2 $N
p =
25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107
384461557193173304497244814071505790566593206419759
q =
25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632
563509541784734741871379856682354747718346471375403
real 0m19.069s
user 0m18.608s
sys 0m0.036s
21
In less than a minute the prime factors p and q are found
Let’s solve Challenge 3
Challenge 1: Break RSA when |p -q| < N1/4
Challenge 2: Break RSA when |p -q| < 211
N1/4
Challenge 3: Break RSA when |3p-2q| < N1/4
22
Core idea of the solution to challenge 3
● Since (3p + 2q) is an odd number, we have to adapt our solution to problem 1
● We can actually solve for (6p + 4q)/2 since this is an even number
● Need to prove that √(24N) is close to (6p + 4q)/2 (Proof in the appendix)
● Now we can apply the same core idea of Challenge 1
23
Adapting the solution to challenge 1 for challenge 3
● A is the midpoint of 6p and 4q, A = (6p + 4q)/2
● Thus, there must be an integer x with the following properties
○ A-x = 6p, thus p = (A-x)/6
○ A+x =4q, thus q = (A+x)/4
● Since N= pq, N= (A-x)/6 * (A+x)/4 = (A2
- x2
)/24
● Thus, x = √(A2
- 24N)
● Since A is the same as ceiling of sqrt(24N), factors p and q are computable
● See the Appendix for a proof that A is the ceiling(√24N)
24
Challenge 3: My algorithm/pseudo code
BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N
// A is an approximation of sqrt(24*N)
BigInteger A = bigIntSqRootCeil(twentyFourN);
// x has the square root of A 2
- 24N
BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN));
BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6));
BigInteger q = A.add(x).divide(BigInteger.valueOf(4));
System.out.println(“ p = “ + p);
System.out.println(“ q = “ + q);
25
Input N, Output p and q (in less than 0.5 min)
N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377
904234086641876639384851752649940178970835240791356868774411551320151882793318123090
919962463618968365736431191740949613485246397078852387993968392303646766702216270183
53299443241192173812729276147530748597302192751375739387929
$ time java RSACracking_3 $N
p =
219098495924755330922739885315839558989821760933449290300994235841272120781261500447
21102570957812665127475051465088833555993294644190955293613411658629209
q =
328647743887132996384109827973759338484732641400173935451491353761908181171892400358
25816494954711821626076210364113848440012285863311027426121370050758081
26
Discussion
● Some RSA implementations do check whether Ps and Qs are good
○ They keep generating random primes until good Ps and Qs are found
● Random Ps and Qs rarely satisfy the constraints of these Challenges
○ Unless, the underlying random number generation process is very weak
○ I generated 500, 000 keys using Java JDK but none of the Ps and Qs were very close
● In general, standard implementations do generate Ps and Qs randomly
● If Ps and Qs are not independent of each other, RSA is factorable
○ Threat applicable to all stronger RSA modulus size (e.g., 2048, 4096, etc.)
27
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring
with high bits known,” Eurocrypt, 1996.
● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root-
of-a-java-biginteger
28
Appendix
29
Prove that √N ≤ A, if A = (p+q)/2
30
Geometric mean is less
than or equal to Arithmetic
mean
Challenge 1: Prove that ceiling(√N) = A, if A = (p+q)/2
31
A2
-N= (p+q)2
/4 -N= (p-q)2
/4 [Since N= pq]
A - √N = (A - √N)(A + √N)/(A + √N)
= (A2
- N)/(A + √N) = (p-q)2
/4(A + √N)
We know that √N ≤ A [see previous slide for a proof]
A - √N ≤ (p-q)2
/8√N
≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4
]
Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
This proof was given by Prof. as part of
the Challenge 1
Challenge 2: Prove that A - √N < 220
, if |p-q| < 211
N1/4
32
Challenge 3: Prove that ceiling(√24N) = A, if A = (6p+4q)/2
33
A2
-N= (6p+4q)2
/4 -N= (p-q)2
/4 [Since N= pq]
A - √N = (A - √N)(A + √N)/(A + √N)
= (A2
- N)/(A + √N) = (p-q)2
/4(A + √N)
We know that √N ≤ A [geometric mean is less than or equal to arithmetic mean]
A - √N ≤ (p-q)2
/8√N
≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4
]
Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
34
35
Acknowledgement
● Prof. Dan Boneh for constructing these insightful problems
○ Also, offering necessary lemmas to solve these challenges
● My understanding of RSA has improved significantly
○ Still a lot of deeper questions to experiment in my private time
36

More Related Content

What's hot (20)

RC4&RC5
RC4&RC5RC4&RC5
RC4&RC5
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 
Rsa Crptosystem
Rsa CrptosystemRsa Crptosystem
Rsa Crptosystem
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystem
 
Diffiehellman
DiffiehellmanDiffiehellman
Diffiehellman
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Affine Cypher Encryption - Decryption
Affine Cypher Encryption - DecryptionAffine Cypher Encryption - Decryption
Affine Cypher Encryption - Decryption
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key Cryptography
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Finite fields
Finite fields Finite fields
Finite fields
 
How to Share a Secret
How to Share a SecretHow to Share a Secret
How to Share a Secret
 
N queen puzzle
N queen puzzleN queen puzzle
N queen puzzle
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 

Similar to Solutions to online rsa factoring challenges

Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptMuhammadAbdullah311866
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39sravanbabu
 

Similar to Solutions to online rsa factoring challenges (20)

Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
Rsa algorithm
Rsa algorithmRsa algorithm
Rsa algorithm
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39
 
Ch08
Ch08Ch08
Ch08
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Nbvtalkatbzaonencryptionpuzzles
NbvtalkatbzaonencryptionpuzzlesNbvtalkatbzaonencryptionpuzzles
Nbvtalkatbzaonencryptionpuzzles
 
Nbvtalkatbzaonencryptionpuzzles
NbvtalkatbzaonencryptionpuzzlesNbvtalkatbzaonencryptionpuzzles
Nbvtalkatbzaonencryptionpuzzles
 
factoring
factoringfactoring
factoring
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (16)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 

Recently uploaded (20)

ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 

Solutions to online rsa factoring challenges

  • 1. Solutions to Online RSA Factoring Challenges When Ps and Qs are not independent or close to each other Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Agenda ● Brief overview of public key cryptography ● RSA Key Generation Algorithm ● Integer Factorization Challenges ● Demo - break RSA when Ps and Qs are not independent ● Discussion/Recommendation Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math 3
  • 4. Context and Informal Problem Statement ● Online Cryptography challenges ○ proposed by Prof. Dan Boneh ● Break RSA when the random prime factors are ○ not independent of each other ○ or, close to each other ● Basically, we derive the private keys from the given public keys! 4
  • 5. How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 6. RSA Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits) ○ Value of the parameter N is not chosen until step 3; small N is dangerous 2. Pick two independent, large random primes, p and q, of half of N’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute N= p.q (N is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from ZN such that e.d ≡ 1(mod φ(N)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1) ○ e must be relatively prime to φ(N) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in ZN 6. Public key is the pair <N, e> and private key is 4-tuple <φ(N), d, p, q> Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately 6
  • 7. 7 Notations and Facts for RSA GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes ZN = { 0, 1, 2, …, N-1 }, N > 0; we may imagine ZN as a circular wall clock Z* N = { x ∈ Zn | gcd(x, N) = 1 }; (Z* N is a multiplicative group) φ(N): Euler’s Totient function denotes the number of elements in Z* N φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
  • 8. Three RSA Factoring Challenge Problems Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 ● Breaking of the RSA function means finding the prime factors p and q from N, and the plaintext m from a ciphertext c ○ Given N, find p and q such that N= pq ○ Given <c, e, N>, find m such that RSA(m) = c 8
  • 9. Challenge 1: Visual Representation 9 ● Let A = (p + q)/2 ○ Note that A is an even number. since p and q are large primes, which are odd ● In the appendix, we prove that A is the ceiling of the square root of N
  • 10. Core idea of the solution to challenge 1 ● Recall that A is the mid-point of p and q ● Thus, there exists an integer x such that ○ A - x = p and ○ A + x = q ● But we know N= pq = (A-x)(A+x) = A2 - x2 ● Thus, x = sqrt(A2 - N) ● Since we know A and N, we can find x ● From x and A, we can find p and q 10
  • 11. Challenge 1: Given an N, print p and q public static void main(String []args){ BigInteger N= new BigInteger(args[0]); // Need to check args length BigInteger A = bigIntSqRootCeil(N); BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); System.out.println("p = " + p); System.out.println("q = " + q); } 11 This program derives secret prime factors p and q from the given public value N
  • 12. Output of factoring private primes p and q from N N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 $ java RSACracking $N p = 134078079299425970995740249982058461274793658205923933777235614437217640300736627688 91111614362326998675040546094339320838419523375986027530441562135724301 q = 134078079299425970995740249982058461274793658205923933777235614437217640300737785609 80348930557750569660049234002192590823085163940025485114449475265364281 12
  • 13. Challenge 1: Given the ciphertext print plaintext ● Once we found p and q, we can easily derive the plaintext as follows ● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)= N-p-q+1 ● Since most implementation choose e = 65537 we can find d easily: ○ e.d ≡ 1(mod φ(N)) ● We know e and φ(N). d is a multiplicative inverse of e in φ(N) ○ Extended Euclidean Algorithm can find d ○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm ● Once we know d, we find the plaintext m as follows: ● m = cd (mod N) ○ This is called RSA’s decryption function 13
  • 14. Challenge 1: algorithm/pseudo code BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1)); BigInteger e = BigInteger.valueOf(65537); BigInteger d = e.modInverse(phiN); BigInteger c = new BigInteger(args[1]); // Input ciphertext BigInteger m = c.modPow(d, N); // m = cd mod N System.out.println("m = " + m.toString(16)); // Output plaintext 14
  • 15. Inputs RSA public modulus N and ciphertext c N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 c = 220964518674103817763065611348834180174100697878928310717318391436761356001205380042 823296504735094243439462197515122564658399679428894607645420405815647489880137348641 204523252293201764879166664029975091887299716905260832220677716000193292608700095799 93724077458967773697817571267229951148662959627934791540 15
  • 16. Output: Plaintext m by breaking RSA prime factors $time java RSACracking $N $c m = 20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959 a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252 cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004 66163746f72696e67206c65747320757320627265616b205253412e We were told that the plaintext is padded using PKCS1 standard. Thus, actual plaintext is after the 0x00 byte: 466163746f72696e67206c65747320757320627265616b205253412e 16
  • 17. Final step: Convert hex to ascii $ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd -r -p Factoring lets us break RSA ● This text was encrypted but we found it without knowing the private key ● Factors p, q, and m were found in less than minute ● The main reason was due to the fact that |p -q| < N1/4 17
  • 18. Let’s solve Challenge 2 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 18
  • 19. Core idea of the solution to challenge 2 ● Need to prove that (A - √N) < 220 (See the Appendix for my proof) ● In contrast to Challenge 1, A may not be the same as √N ● However, we do know that A is within the distance of 220 from √N ● Why not just try all possible values of A given that 220 is a small number ● We start with A = √N and check whether the current pq = N ○ We leverage the solution to challenge 1 to find the current p and q 19
  • 20. Challenge 2: My algorithm/ pseudo code BigInteger A = rootN; /* A is initialized to square root of N */ while(true) { BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); if(A.subtract(rootN).compareTo(two.pow(20)) == 1) { break; } if(p.multiply(q).equals(N)) { /* We found the prime factors p and q */ System.out.println(p); System.out.println(q); break; } A = A.add(BigInteger.ONE) /* else keep trying until 2 20 limit */ } 20
  • 21. Challenge 2: Input N and Output p and q N = 64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919 55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852 81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877 $time java RSACracking_2 $N p = 25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107 384461557193173304497244814071505790566593206419759 q = 25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632 563509541784734741871379856682354747718346471375403 real 0m19.069s user 0m18.608s sys 0m0.036s 21 In less than a minute the prime factors p and q are found
  • 22. Let’s solve Challenge 3 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 22
  • 23. Core idea of the solution to challenge 3 ● Since (3p + 2q) is an odd number, we have to adapt our solution to problem 1 ● We can actually solve for (6p + 4q)/2 since this is an even number ● Need to prove that √(24N) is close to (6p + 4q)/2 (Proof in the appendix) ● Now we can apply the same core idea of Challenge 1 23
  • 24. Adapting the solution to challenge 1 for challenge 3 ● A is the midpoint of 6p and 4q, A = (6p + 4q)/2 ● Thus, there must be an integer x with the following properties ○ A-x = 6p, thus p = (A-x)/6 ○ A+x =4q, thus q = (A+x)/4 ● Since N= pq, N= (A-x)/6 * (A+x)/4 = (A2 - x2 )/24 ● Thus, x = √(A2 - 24N) ● Since A is the same as ceiling of sqrt(24N), factors p and q are computable ● See the Appendix for a proof that A is the ceiling(√24N) 24
  • 25. Challenge 3: My algorithm/pseudo code BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N // A is an approximation of sqrt(24*N) BigInteger A = bigIntSqRootCeil(twentyFourN); // x has the square root of A 2 - 24N BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN)); BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6)); BigInteger q = A.add(x).divide(BigInteger.valueOf(4)); System.out.println(“ p = “ + p); System.out.println(“ q = “ + q); 25
  • 26. Input N, Output p and q (in less than 0.5 min) N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377 904234086641876639384851752649940178970835240791356868774411551320151882793318123090 919962463618968365736431191740949613485246397078852387993968392303646766702216270183 53299443241192173812729276147530748597302192751375739387929 $ time java RSACracking_3 $N p = 219098495924755330922739885315839558989821760933449290300994235841272120781261500447 21102570957812665127475051465088833555993294644190955293613411658629209 q = 328647743887132996384109827973759338484732641400173935451491353761908181171892400358 25816494954711821626076210364113848440012285863311027426121370050758081 26
  • 27. Discussion ● Some RSA implementations do check whether Ps and Qs are good ○ They keep generating random primes until good Ps and Qs are found ● Random Ps and Qs rarely satisfy the constraints of these Challenges ○ Unless, the underlying random number generation process is very weak ○ I generated 500, 000 keys using Java JDK but none of the Ps and Qs were very close ● In general, standard implementations do generate Ps and Qs randomly ● If Ps and Qs are not independent of each other, RSA is factorable ○ Threat applicable to all stronger RSA modulus size (e.g., 2048, 4096, etc.) 27
  • 28. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring with high bits known,” Eurocrypt, 1996. ● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root- of-a-java-biginteger 28
  • 30. Prove that √N ≤ A, if A = (p+q)/2 30 Geometric mean is less than or equal to Arithmetic mean
  • 31. Challenge 1: Prove that ceiling(√N) = A, if A = (p+q)/2 31 A2 -N= (p+q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [see previous slide for a proof] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N) This proof was given by Prof. as part of the Challenge 1
  • 32. Challenge 2: Prove that A - √N < 220 , if |p-q| < 211 N1/4 32
  • 33. Challenge 3: Prove that ceiling(√24N) = A, if A = (6p+4q)/2 33 A2 -N= (6p+4q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [geometric mean is less than or equal to arithmetic mean] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
  • 34. 34
  • 35. 35
  • 36. Acknowledgement ● Prof. Dan Boneh for constructing these insightful problems ○ Also, offering necessary lemmas to solve these challenges ● My understanding of RSA has improved significantly ○ Still a lot of deeper questions to experiment in my private time 36