This document discusses a common factor attack on RSA cryptography. It begins by providing background on RSA and its use of large prime number factorization to encrypt data. It then introduces the idea of a common factor attack, where if two RSA moduli N1 and N2 share a common prime factor p, that factor can be obtained through calculating the greatest common divisor (GCD) of N1 and N2, without needing to fully factor either number. The document proposes a parallelized approach to perform this attack by dividing a dataset of RSA moduli into partitions, running GCD calculations on each partition separately, and combining the results. Experimental results show this approach recovers a high percentage of common factors through multiple iterations of the process.

1. Common Factor Attack on RSA
Assessing the Public Key Infrastructure
Vineet Kumar
Computer Science & Engineering Department
Jadavpur University, Kolkata
http://vntkumar8.github.io
November 20, 2017

2. RSA
The most widely used Public Key Cryptographic primitive
RSA has stood the test of nearly 40 years of attacks, making it the
algorithm of choice for encrypting Internet credit-card transactions
securing e-mail , authenticating phone calls and others
Vineet Kumar Common Factor Attack on RSA November 20, 2017 2 / 22

3. Its all started with...
Die Hellman's Direction
Figure: New Directions in Cryptography [1976]
Vineet Kumar Common Factor Attack on RSA November 20, 2017 3 / 22

4. Idea of Public Key Crypto
Each party A has a public key PKA others can use to encrypt
messages to A:
C = PKA(M)
Each party A also has a secret key SKA for decrypting a received
ciphertext C :
M = SKA(C )
Vineet Kumar Common Factor Attack on RSA November 20, 2017 4 / 22

5. Idea of Public Key Crypto
In 1976, Marty Hellman and Whit Die, invented the notion of
public-key cryptography
Each party A has a public key PKA others can use to encrypt
messages to A:
C = PKA(M)
Each party A also has a secret key SKA for decrypting a received
ciphertext C :
M = SKA(C )
Vineet Kumar Common Factor Attack on RSA November 20, 2017 4 / 22

6. Idea of Public Key Crypto
In 1976, Marty Hellman and Whit Die, invented the notion of
public-key cryptography
Each party A has a public key PKA others can use to encrypt
messages to A:
C = PKA(M)
Each party A also has a secret key SKA for decrypting a received
ciphertext C :
M = SKA(C )
It is easy to compute public/secret key pairs.
Publishing PKA does not compromise SKA
It is computationally infeasible to obtain SKA from PKA (One Way
Functions)
Vineet Kumar Common Factor Attack on RSA November 20, 2017 4 / 22

7. Vineet Kumar Common Factor Attack on RSA November 20, 2017 5 / 22

8. RSA explained
PK = (n, e) where n = pq and gcd(e, φ(n)) = 1
SK = d where de = 1 mod φ(n)
Encryption/decryption are simple:
* C = PK (M) = M
e mod n
* M = SK (C ) = C
d mod n
Security of RSA relies on inability to factor product n of two primes p, q.
Vineet Kumar Common Factor Attack on RSA November 20, 2017 6 / 22

9. Strength of RSA
Factoring is hard
GNFS is best known algorithm for factorization
Vineet Kumar Common Factor Attack on RSA November 20, 2017 7 / 22

10. Common Factor Attack - Idea
What if we didn't have to factor ?
Vineet Kumar Common Factor Attack on RSA November 20, 2017 8 / 22

11. Common Factor Attack - Idea
N1 = p × q
N2 = p × r
Vineet Kumar Common Factor Attack on RSA November 20, 2017 8 / 22

12. Common Factor Attack - Idea
N1 = p × q
N2 = p × r
gcd(N1, N2) = p
Vineet Kumar Common Factor Attack on RSA November 20, 2017 8 / 22

13. Exploiting the idea
Heninger2012 Lenstra2012
Vineet Kumar Common Factor Attack on RSA November 20, 2017 9 / 22

14. Certicate
and its manipulation I
certicate as looks in browser same certicate when exported as .pem
Vineet Kumar Common Factor Attack on RSA November 20, 2017 10 / 22

15. Certicate
and its manipulation II
$ openssl x509 -in mailgooglecom.crt -out cert -text
Segregate the public key from the certicate
Vineet Kumar Common Factor Attack on RSA November 20, 2017 11 / 22

16. Imitation Game - I
Collected 7GB of 1024 bit Moduli 8GB of 2048 bit Moduli
FastGCD on dataset
computation ran on
0.4% of TLS Hosts are compromised due to Common Factor Attack
compared to 0.75% of Heninger et al. [Late 2015]
Vineet Kumar Common Factor Attack on RSA November 20, 2017 12 / 22

17. Imitation Game - I
Collected 7GB of 1024 bit Moduli 8GB of 2048 bit Moduli
FastGCD on dataset
computation ran on
0.4% of TLS Hosts are compromised due to Common Factor Attack
compared to 0.75% of Heninger et al. [Late 2015]
Reason of Such Vulnerability
sloppy implementations of RSA in embedded systems, especially in routers,
rewalls, and other network devices
less entropy for PRNGs
Vineet Kumar Common Factor Attack on RSA November 20, 2017 12 / 22

18. Our observation
In 2015, 0.4% of TLS Hosts were compromised compared to
0.75% that was reported in 2012
Computational Bottleneck
Enormous Memory Huge Computational Power is required.
Hasting et al. [2016] did a massive batchwise gcd comptation ever using
quad 6-core 3.40GHz Intel Xeon E7-8893 processors with 3 TB RAM
required over 500 GB of memory
Can we parallelize Batchwise GCD Computation?
Vineet Kumar Common Factor Attack on RSA November 20, 2017 13 / 22

19. Our Proposed Solution
1 Divide dataset randomly into parts
Vineet Kumar Common Factor Attack on RSA November 20, 2017 14 / 22

20. Our Proposed Solution
1 Divide dataset randomly into parts
largest data-size that a single node can handle
Vineet Kumar Common Factor Attack on RSA November 20, 2017 14 / 22

21. Our Proposed Solution
1 Divide dataset randomly into parts
2 Apply the batch-GCD algorithm over each part separately
Vineet Kumar Common Factor Attack on RSA November 20, 2017 14 / 22

22. Our Proposed Solution
1 Divide dataset randomly into parts
2 Apply the batch-GCD algorithm over each part separately
Obviously, the method will miss the instances where gcd(N1, N2) 1 and
N1 and N2 are in dierent partitions
Vineet Kumar Common Factor Attack on RSA November 20, 2017 14 / 22

23. Our Proposed Solution
1 Divide dataset randomly into parts
2 Apply the batch-GCD algorithm over each part separately
3 To overcome this, use multiple random divisions of the dataset and
aggregate the results using Union
Vineet Kumar Common Factor Attack on RSA November 20, 2017 14 / 22

24. One Complete Iteration
Input Dataset of RSA Moduli D
· · ·d2d1 dp−1 dp
· · ·v2v1 vp−1 vp
Set of Vulnerable RSA Moduli V
randomPartition
batchGCD
setUnion
Figure: One complete iteration of the proposed Parallelized Algorithm.
Vineet Kumar Common Factor Attack on RSA November 20, 2017 15 / 22

25. Algorithm
Input : Set of moduli D, constraint m, accuracy
Output: V set of vulnerable moduli in D
1 p ← ceiling(|D|/m) ;
2 k ← chooseIteration(m, p, ) ;
3 for i ← 1 to k do
4 {d1, d2, . . . , dp} ← randomPartition(D, p) ;
5 {v1, v2, . . . , vp} ← batchGCD({d1, d2, . . . , dp}) ;
6 Vi ← setUnion({v1, v2, . . . , vp}) ;
7 end
8 V ← setUnion({V1, V2, . . . , Vk}) ;
Algorithm 1: Parallelized Common Factor Attack
Vineet Kumar Common Factor Attack on RSA November 20, 2017 16 / 22

26. Proof
GD
g1
g2
g3
g4
Figure: Illustrative partition of
graph GD into subgraphs
{g1, g2, . . . , gp}.
undirected graph GD with RSA moduli
Ni as vertices
edges present between vertices
{Ni, Nj} i gcd(Ni, Nj) 1
(illustrated as solid edges)
partition the graph GD into mutually
exclusive subgraphs {g1, g2, . . . , gp}
batchGCD on each subset will yield all
edges within each subgraph, but will
miss the edges e(Ni ,Nj ) in GD where Ni
and Nj belong to two dierent
subgraphs (illustrated as dotted edges)
Vineet Kumar Common Factor Attack on RSA November 20, 2017 17 / 22

27. Proof
GD
g1
g2
g3
g4
Figure: Illustrative
partition of graph
GD into subgraphs
{g1, g2, . . . , gp}.
The probability that we will miss a specic edge
e(Ni ,Nj ) in GD after one execution of the parallel
batchGCD algorithm on {d1, d2, . . . , dp} can be
computed as Pi=1
Pi=1 = 1 −
total number of edges in {g1, g2, . . . , gp}
total number of edges in GD
≈ 1 −
edges in complete supergraph of {g1, g2, . . . , gp}
edges in complete supergraph of GD
≈ 1 −
p × m
2
mp
2
= 1 −
m − 1
mp − 1
=
m(p − 1)
mp − 1
.
Vineet Kumar Common Factor Attack on RSA November 20, 2017 18 / 22

28. Proof
GD
g1
g2
g3
g4
Figure: Illustrative
partition of graph
GD into subgraphs
{g1, g2, . . . , gp}.
probability that we will miss a specic edge e(Ni ,Nj )
in GD after k independent executions of the parallel
batchGCD algorithm
Pi=k = (Pi=1)k ≈
m(p − 1)
mp − 1
k
.
∴ fraction of edges recovered after k iterations is
≈ 1 − m(p−1)
mp−1
k
Vineet Kumar Common Factor Attack on RSA November 20, 2017 19 / 22

29. Proof
GD
g1
g2
g3
g4
Figure: Illustrative
partition of graph
GD into subgraphs
{g1, g2, . . . , gp}.
probability that we will miss a specic edge e(Ni ,Nj )
in GD after k independent executions of the parallel
batchGCD algorithm
Pi=k = (Pi=1)k ≈
m(p − 1)
mp − 1
k
.
∴ fraction of edges recovered after k iterations is
≈ 1 − m(p−1)
mp−1
k
Another interpretation of the values of and k as
≈ 1 −
|D| − |D|/p
|D| − 1
k
, that is,
k ≈
log (1 − )
log (|D| − |D|/p) − log (|D| − 1)
.
Vineet Kumar Common Factor Attack on RSA November 20, 2017 19 / 22

30. Results
1 2 3 4 5 6 7 8
70
75
80
85
90
95
100
Number of iterations (k )
Percentageaccuracy()
p = 2
p = 4
p = 8
p = 16
p = 32
Figure: Relationship between , p and k from experimental data.
Vineet Kumar Common Factor Attack on RSA November 20, 2017 20 / 22

31. Vineet Kumar Common Factor Attack on RSA November 20, 2017 21 / 22

32. Thank You!
Vineet Kumar Common Factor Attack on RSA November 20, 2017 22 / 22