1) The document describes how to decrypt an RSA ciphertext using a Chinese Remainder Theorem attack when the public exponent is small. It involves using the public moduli and exponents from certificates to determine the plaintext. 2) The attack works by using the Chinese Remainder Theorem to determine the plaintext from the ciphertexts modulo the public moduli. This works because the public exponent is small, in this case 3, allowing extraction of the plaintext cube root. 3) Pseudocode is provided showing the steps: using the Chinese Remainder Theorem formula to combine the ciphertexts modulo the public moduli, taking the cube root to obtain the plaintext, which in this example decrypts to a German message about a fixed

1. BROADCASTING AND LOW
EXPONENT RSA ATTACK
Presented By:
Ankita Kapratwar
Yogesh Wattamwar

2. Overview
• Decryption of cipher which was encrypted using RSA
• Employ Chinese Remainder Theorem to decrypt the cipher text
• We have used the public exponents and moduli from the given
certificates
• We also suggest methods that could be implemented to avoid these
attacks

3. Introduction
• RSA: Named after Rivest Shamir and Adleman
• This is a public key cryptosystem and is based on complex
mathematical problem
• This algorithm is based on factoring where we select the public and
private key pair

4. RSA Algorithm
• Encryption:
• Obtains the recipient's public key (n, e).
• Represents the plaintext message as a positive integer m, 1 < m < n.
• Computes the ciphertext c = m^e mod n.
• Decryption:
• Uses his private key (n, d) to compute m = c^d mod n.
• Extracts the plaintext from the message representative m.

5. Cube Root Attack
Cube Root Attack
• When a small encryption exponent e=3 is used and if M<N^(1/3)
• The cipher text is C=M^e mod N
• Since M<N^(1/3), mod N has no effect
• C=M^e=M^3
• M=cuberoot(C) will give us the message

6. Chinese Remainder Theorem
• This theorem is a result of congruencies in the number theory
• Using this theorem we can determine a number n that when divided
by some given divisors leaves given remainders
• Using the theorem can find that the value of number n is 23, that
when divided by 3 leaves a remainder of 2, when divided by 5 leaves
a remainder of 3, and when divided by 7 leaves a remainder of 2.
• Let n1,n2,...,nr be positive integers such that gcd(ni,nj)=1 for i ≠ j.
Then the system of linear congruence’s
• x ≡ c1 (mod n1); x ≡ c2 (mod n2); ... ; x ≡ cr (mod nr)
has a simultaneous solution which is unique modulo n1n2...nr.

7. Chinese remainder Theorem
• We can determine a number n that when divided by some given divisors leave
given remainders.
• Let n1, n2,..., nr be positive integers such that gcd(ni, nj)=1 for i ≠ j.
• Linear congruence’s
x ≡ c1 (mod n1); x ≡ c2 (mod n2); ... ; x ≡ cr (mod nr) has a simultaneous solution
which is unique modulo n1n2...nr.
• If c1,c2,c3 are 1,2,3 and n1,n2,n3 are 3,4,5.
• Chinese Remainder Theorem (CRT) tells us that since 3, 4 and 5 are coprime in
pairs then there is a unique solution modulo 3 x 4 x 5 = 60.
• Using Gauss's algorithm, Let N=n1n2...nr then x ≡ c1N1d1 + c2N2d2 + ... + crNrdr
(mod N) where Ni = N/ni and di ≡ Ni-1 (mod ni).
• The latter modular inverse di is easily calculated by the extended Euclidean
algorithm.

8. How To Avoid This Attack
• Since a small encryption exponent value like 3 is used RSA can be
easily attacked. So it is recommended to use e=2^(17). In this case the
coppersmith’s theorem which is based on lattice reduction algorithm.
The theorem provides an algorithm for efficiently finding all roots of f
modulo N that are less than X = N^(1/d).

9. Pseudo Code
1)Given Parameters n1, n2, n3, e, c1, c2, c3 where public pair = (n, e), c
is ciphertext.
2. Convert given Hexadecimal modulus values of n1, n2, n3 and c1, c2,
c3 each of 512 bits in Decimal using function bdConvFromHex ().
3. An eavesdropper has the public values n1, n2, n3, c1, c2 and c3.
4. Check that n1, n2, n3 are coprime in pairs by computing GCD of
each Pair using function bdGcd ().
5. Compute N = n1 * n2 * n3 using function bdMultiply ().
6. Compute Ni = N/ni for i = 1, 2, 3.
7. Compute di = Ni-1 mod ni for i = 1, 2, 3 using function bdModInv ().

10. Psedo Code (Conti…)
8. Compute x = c1 N1 d1 + c2 N2 d2 + c3 N3 d3 (mod N) using function
bdModMult ().
9. Compute the integer cube root of x using function bdCubeRoot ().
10. Converting Obtained Bigdigit Hex value into String or plaintext

11. Computation Results
• The plain text that we computed through this type of attack is :
Das fuer morgen festgelegte Meeting muss unbedingt stattfinden!
This means: The fixed meeting for tomorrow must necessarily take
place

12. Conclusion
• In this project, we have studied the RSA algorithm and Chinese
reminder theorem in detail.
• We have been able to successfully perform an attack on RSA which
uses a low exponent using Chinese remainder theorem and retrieve
the original plain text message.

13. References
• [1] “Applied Cryptanalysis: Breaking Ciphers in the Real World”, Mark
Stamp and Richard M. Low, Wiley-IEEE Press, May 2007.
• [2] “Research and Implementation of RSA Algorithm in Java”, Jiezhao
Peng and Qi Wu, International Conference on Management of e-Commerce
and e-Government.
• [3] “The Handbook of Applied Cryptography”, by A. Menezes, P. van
Oorschot, and S. Vanstone, CRC Press, 1996.
• [4] “An Efficient RSA Public Key Encryption Scheme”, Sattar J Aboud1,
Mohammad A AL-Fayoumi1, 2Mustafa Al-Fayoumi and 3Haidar S Jabbar ,
Fifth International Conference on Information Technology: New
Generations.
• [5] “RSA Problem”, Ronald L. Rivest, and Burt Kaliski, RSA
Laboratories,December