Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Solutions to online rsa factoring challenges
1. Solutions to Online RSA
Factoring Challenges
When Ps and Qs are not independent or close to each other
Dr. Dharma Ganesan, Ph.D.,
2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
3. Agenda
● Brief overview of public key cryptography
● RSA Key Generation Algorithm
● Integer Factorization Challenges
● Demo - break RSA when Ps and Qs are not independent
● Discussion/Recommendation
Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math
3
4. Context and Informal Problem Statement
● Online Cryptography challenges
○ proposed by Prof. Dan Boneh
● Break RSA when the random prime factors are
○ not independent of each other
○ or, close to each other
● Basically, we derive the private keys from the given public keys!
4
5. How can Bob send a message to Alice securely?
5
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
6. RSA Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits)
○ Value of the parameter N is not chosen until step 3; small N is dangerous
2. Pick two independent, large random primes, p and q, of half of N’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute N= p.q (N is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from ZN
such that e.d ≡ 1(mod φ(N))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1)
○ e must be relatively prime to φ(N) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in ZN
6. Public key is the pair <N, e> and private key is 4-tuple <φ(N), d, p, q>
Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately
6
7. 7
Notations and Facts for RSA
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
ZN
= { 0, 1, 2, …, N-1 }, N > 0; we may imagine ZN
as a circular wall clock
Z*
N
= { x ∈ Zn
| gcd(x, N) = 1 }; (Z*
N
is a multiplicative group)
φ(N): Euler’s Totient function denotes the number of elements in Z*
N
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
8. Three RSA Factoring Challenge Problems
Challenge 1: Break RSA when |p -q| < N1/4
Challenge 2: Break RSA when |p -q| < 211
N1/4
Challenge 3: Break RSA when |3p-2q| < N1/4
● Breaking of the RSA function means finding the prime factors p
and q from N, and the plaintext m from a ciphertext c
○ Given N, find p and q such that N= pq
○ Given <c, e, N>, find m such that RSA(m) = c
8
9. Challenge 1: Visual Representation
9
● Let A = (p + q)/2
○ Note that A is an even number. since p and q are large primes, which are odd
● In the appendix, we prove that A is the ceiling of the square root of N
10. Core idea of the solution to challenge 1
● Recall that A is the mid-point of p and q
● Thus, there exists an integer x such that
○ A - x = p and
○ A + x = q
● But we know N= pq = (A-x)(A+x) = A2
- x2
● Thus, x = sqrt(A2
- N)
● Since we know A and N, we can find x
● From x and A, we can find p and q
10
11. Challenge 1: Given an N, print p and q
public static void main(String []args){
BigInteger N= new BigInteger(args[0]); // Need to check args length
BigInteger A = bigIntSqRootCeil(N);
BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N));
BigInteger p = A.subtract(x);
BigInteger q = A.add(x);
System.out.println("p = " + p);
System.out.println("q = " + q);
}
11
This program derives secret prime factors p and q from the given
public value N
12. Output of factoring private primes p and q from N
N =
179769313486231590772930519078902473361797697894230657273430081157732675805505620686
985379449212982959585501387537164015710139858647833778606925583497541085196591615128
057575940752635007475935288710823649949940771895617054361149474865046711015101563940
680527540071584560878577663743040086340742855278549092581
$ java RSACracking $N
p =
134078079299425970995740249982058461274793658205923933777235614437217640300736627688
91111614362326998675040546094339320838419523375986027530441562135724301
q =
134078079299425970995740249982058461274793658205923933777235614437217640300737785609
80348930557750569660049234002192590823085163940025485114449475265364281
12
13. Challenge 1: Given the ciphertext print plaintext
● Once we found p and q, we can easily derive the plaintext as follows
● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)= N-p-q+1
● Since most implementation choose e = 65537 we can find d easily:
○ e.d ≡ 1(mod φ(N))
● We know e and φ(N). d is a multiplicative inverse of e in φ(N)
○ Extended Euclidean Algorithm can find d
○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm
● Once we know d, we find the plaintext m as follows:
● m = cd
(mod N)
○ This is called RSA’s decryption function
13
14. Challenge 1: algorithm/pseudo code
BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1));
BigInteger e = BigInteger.valueOf(65537);
BigInteger d = e.modInverse(phiN);
BigInteger c = new BigInteger(args[1]); // Input ciphertext
BigInteger m = c.modPow(d, N); // m = cd
mod N
System.out.println("m = " + m.toString(16)); // Output plaintext
14
15. Inputs RSA public modulus N and ciphertext c
N =
179769313486231590772930519078902473361797697894230657273430081157732675805505620686
985379449212982959585501387537164015710139858647833778606925583497541085196591615128
057575940752635007475935288710823649949940771895617054361149474865046711015101563940
680527540071584560878577663743040086340742855278549092581
c =
220964518674103817763065611348834180174100697878928310717318391436761356001205380042
823296504735094243439462197515122564658399679428894607645420405815647489880137348641
204523252293201764879166664029975091887299716905260832220677716000193292608700095799
93724077458967773697817571267229951148662959627934791540
15
16. Output: Plaintext m by breaking RSA prime factors
$time java RSACracking $N $c
m =
20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959
a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252
cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004
66163746f72696e67206c65747320757320627265616b205253412e
We were told that the plaintext is padded using PKCS1 standard. Thus, actual
plaintext is after the 0x00 byte:
466163746f72696e67206c65747320757320627265616b205253412e
16
17. Final step: Convert hex to ascii
$ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd
-r -p
Factoring lets us break RSA
● This text was encrypted but we found it without knowing the private key
● Factors p, q, and m were found in less than minute
● The main reason was due to the fact that |p -q| < N1/4
17
19. Core idea of the solution to challenge 2
● Need to prove that (A - √N) < 220
(See the Appendix for my proof)
● In contrast to Challenge 1, A may not be the same as √N
● However, we do know that A is within the distance of 220
from √N
● Why not just try all possible values of A given that 220
is a small number
● We start with A = √N and check whether the current pq = N
○ We leverage the solution to challenge 1 to find the current p and q
19
20. Challenge 2: My algorithm/ pseudo code
BigInteger A = rootN; /* A is initialized to square root of N */
while(true) {
BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N));
BigInteger p = A.subtract(x);
BigInteger q = A.add(x);
if(A.subtract(rootN).compareTo(two.pow(20)) == 1) { break; }
if(p.multiply(q).equals(N)) { /* We found the prime factors p and q */
System.out.println(p);
System.out.println(q);
break;
}
A = A.add(BigInteger.ONE) /* else keep trying until 2 20
limit */
}
20
21. Challenge 2: Input N and Output p and q
N =
64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919
55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852
81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877
$time java RSACracking_2 $N
p =
25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107
384461557193173304497244814071505790566593206419759
q =
25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632
563509541784734741871379856682354747718346471375403
real 0m19.069s
user 0m18.608s
sys 0m0.036s
21
In less than a minute the prime factors p and q are found
23. Core idea of the solution to challenge 3
● Since (3p + 2q) is an odd number, we have to adapt our solution to problem 1
● We can actually solve for (6p + 4q)/2 since this is an even number
● Need to prove that √(24N) is close to (6p + 4q)/2 (Proof in the appendix)
● Now we can apply the same core idea of Challenge 1
23
24. Adapting the solution to challenge 1 for challenge 3
● A is the midpoint of 6p and 4q, A = (6p + 4q)/2
● Thus, there must be an integer x with the following properties
○ A-x = 6p, thus p = (A-x)/6
○ A+x =4q, thus q = (A+x)/4
● Since N= pq, N= (A-x)/6 * (A+x)/4 = (A2
- x2
)/24
● Thus, x = √(A2
- 24N)
● Since A is the same as ceiling of sqrt(24N), factors p and q are computable
● See the Appendix for a proof that A is the ceiling(√24N)
24
25. Challenge 3: My algorithm/pseudo code
BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N
// A is an approximation of sqrt(24*N)
BigInteger A = bigIntSqRootCeil(twentyFourN);
// x has the square root of A 2
- 24N
BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN));
BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6));
BigInteger q = A.add(x).divide(BigInteger.valueOf(4));
System.out.println(“ p = “ + p);
System.out.println(“ q = “ + q);
25
26. Input N, Output p and q (in less than 0.5 min)
N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377
904234086641876639384851752649940178970835240791356868774411551320151882793318123090
919962463618968365736431191740949613485246397078852387993968392303646766702216270183
53299443241192173812729276147530748597302192751375739387929
$ time java RSACracking_3 $N
p =
219098495924755330922739885315839558989821760933449290300994235841272120781261500447
21102570957812665127475051465088833555993294644190955293613411658629209
q =
328647743887132996384109827973759338484732641400173935451491353761908181171892400358
25816494954711821626076210364113848440012285863311027426121370050758081
26
27. Discussion
● Some RSA implementations do check whether Ps and Qs are good
○ They keep generating random primes until good Ps and Qs are found
● Random Ps and Qs rarely satisfy the constraints of these Challenges
○ Unless, the underlying random number generation process is very weak
○ I generated 500, 000 keys using Java JDK but none of the Ps and Qs were very close
● In general, standard implementations do generate Ps and Qs randomly
● If Ps and Qs are not independent of each other, RSA is factorable
○ Threat applicable to all stronger RSA modulus size (e.g., 2048, 4096, etc.)
27
28. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring
with high bits known,” Eurocrypt, 1996.
● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root-
of-a-java-biginteger
28
30. Prove that √N ≤ A, if A = (p+q)/2
30
Geometric mean is less
than or equal to Arithmetic
mean
31. Challenge 1: Prove that ceiling(√N) = A, if A = (p+q)/2
31
A2
-N= (p+q)2
/4 -N= (p-q)2
/4 [Since N= pq]
A - √N = (A - √N)(A + √N)/(A + √N)
= (A2
- N)/(A + √N) = (p-q)2
/4(A + √N)
We know that √N ≤ A [see previous slide for a proof]
A - √N ≤ (p-q)2
/8√N
≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4
]
Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
This proof was given by Prof. as part of
the Challenge 1
33. Challenge 3: Prove that ceiling(√24N) = A, if A = (6p+4q)/2
33
A2
-N= (6p+4q)2
/4 -N= (p-q)2
/4 [Since N= pq]
A - √N = (A - √N)(A + √N)/(A + √N)
= (A2
- N)/(A + √N) = (p-q)2
/4(A + √N)
We know that √N ≤ A [geometric mean is less than or equal to arithmetic mean]
A - √N ≤ (p-q)2
/8√N
≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4
]
Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
36. Acknowledgement
● Prof. Dan Boneh for constructing these insightful problems
○ Also, offering necessary lemmas to solve these challenges
● My understanding of RSA has improved significantly
○ Still a lot of deeper questions to experiment in my private time
36