This document reports on a cryptanalysis project to analyze the RSA cryptosystem used in smartcards. It begins by introducing RSA and describing its key generation, encryption, and decryption processes. It then discusses three attacks that could be used against the smartcard RSA system: Fermat factorization, Wiener's continued fraction method, and the quadratic sieve algorithm. The document outlines the implementation details of these attacks and provides analysis of test cases. It concludes that the main goal is to find the secret key corresponding to a given 1024-bit public key and ciphertext.

1. CRYPTANALYSIS PROJECT REPORT
ON
SMARTCARD RSA
(CS 265 -02 CRYPTOGRAPHY AND COMPUTER SECURITY)
BY:
PARIN SHAH

2. TABLE OF CONTENTS
1.) INTRODUCTION………………………………………………………………………………………………………..1
2.) RSA CRYPTOSYSTEM…………………………………………………………………………………………………2
2.1 ENCRYPTION……………………………………………………………………………………………………..2
2.2 SIMPLE DECRYPTION…………………………………………………………………………………………3
2.3 DECRYPTION USING RSA-CRT……………………………………………………………………………3
2.4 COMPARISON OF SIMPLE RSA AND RSA-CRT…………………………………………………….3
3.) ATTACKS ON SMARTCARD RSA CRYPTOSYSTEM……………………………………………………..4
4.) IMPLEMENTATION DETAILS…………………………………………………………………………………….7
5.) ANALYSIS AND TEST CASES……………………………………………………………………….…………….10
6.) CONCLUSION………………………………………………………………………………………………………….12
7.) REFERENCES……………………………………………………………………………………………………………13

3. CHAPTER 1 INTRODUCTION
In cryptography, RSA is an algorithm for public-key cryptography. This is the first algorithm
known to be suitable for signing as well as encryption, and was one of the first great advances
in public key cryptography. It is believed to be secure given sufficiently long keys and the use of
up-to-date implementations.
There are three stages of RSA
 Key Generation
 Encryption
 Decryption
In an encryption scheme the main objective of attacker is to recover plaintext from related
cipher text. Cryptanalysis attack that will be made against Smartcard RSA cryptosystem, a
secure RSA offered by Smartcrypto Inc. are Fermat Factorization, Basic Quadratic Sieve,
Weiner’s attack. Also, the company uses the Chinese Remainder Theorem (CRT) to decrypt the
message to speed up the decrypting process. Using this CRT method than simple decrypting,
company estimates that decryption is achieved at a factor of four times faster than traditional
method.
Primary Goal
The overall aim of this project is to find secret key corresponding to the given 1024 bit public
key and cipher text. The implementation will have to be as efficient as possible to ensure quick
execution times of the various parts.

4. CHAPTER 2 RSA CRYPTOSYSTEM
KEY GENERATION ENCRYPTION DECRYPTION
Compute p and q Decrypt : M= mod N.
Public key : (e,N)
Private key: (d,N)
N = p*q dP = (1/e) mod (p-1)
dQ = (1/e) mod (q-1)
φ(n)=(p – 1)(q – 1) Encrypt mod N m1= mod p
m2= mod q
Find e such that e and Sends the cipher text o=(m1-m2)
h =(qINV*(m1 - m2)) % p

φ(n) are coprime
e
–1
d = e mod φ(n) M=m2 + (h*q) =
1
SIMPLE DECRYPTION m
o
DECRYPTION -- CRT d
(
p
-
1
KEY GENERATION )
RSA involves a public key and a private key. The public key can be known to everyone and is*
used for encrypting messages. Messages encrypted with the public key can only be decrypted
using the private key. The keys for the RSA algorithm are generated the following way: (
q
1. Choose two distinct prime numbers p and q. -
 For security purposes, the integers p and q should be chosen at random, and1
should be of similar bit-length. Prime integers can be efficiently found using a)
primality test. .
2. Compute n = pq.
 n is used as the modulus for both the public and private keys
3. Compute φ(n) = (p – 1)(q – 1), where φ is Euler's totient function.

5. 4. Choose an integer e such that 1 < e < φ(n) and gcd(e,φ(n)) = 1, i.e. e and φ(n) are co
prime.
 e is released as the public key exponent.
5. Determine d = e–1 mod φ(n); i.e. d is the multiplicative inverse of e mod φ(n).
 d is kept as the private key exponent.
Public Key --- (e,N) and private key (d,N).
ENCRYPTION
 Sender transmits public key (n,e) to receiver and keeps the private key secret.
Receiver then wishes to send message M to Sender.
 Sender first turns M into an integer 0 < m < n by using an agreed-upon reversible
protocol known as a padding scheme. He then computes the cipher text c
corresponding to
C = me (mod n).
 This can be done quickly using the method of repeated squaring.
DECRYPTION
Simple Decryption
 Sender can recover m from c by using her private key exponent d via computing
M= mod N.
 Given m, sender can recover the original message M by reversing the padding
scheme.
CRT Decryption
 We can use the CRT to compute M= mod N more efficiently. The full algorithm
from is
 Pre compute the following values given p, q with p > q
 Then next is to compute dP = (1/e) mod (p-1) and dQ = (1/e) mod (q-1).
 To compute the message m given c we have to do following calculation.
 m1= mod p and m2= mod q
 e = 1 mod (p-1) * (q-1).
 o=(m1-m2) and h = (qINV*(m1 - m2)) % p;
 M=m2 + (h*q) thus original message is obtained.

6. CHAPTER 3 ATTACKS ON SMART CARD RSA
3.1) FERMAT’S FACTORIZATION METHOD:
Fermat's factorisation method uses that fact that any number can be expressed as the
difference between two squares. It always works, and works very quickly when the factors are
near the root of the number. Here we have the value of N and we can by guessing find the
value of a, b by following the equation a^2-b^2=N. Here take the value of as square root of N
and then keep on guessing the value of b till it finds a value which is a perfect square.
Algorithm ::
FermatFactor(N): // N should be odd
A  ceil(sqrt(N))
b2  a*a - N
while (b2 is not a square)
{
a  a + 1;
b2  a*a – N; // equivalently: b2  b2 + 2*a + 1
} //end while
return (a - sqrt(b2)); // or a + sqrt(b2)
Taking an example to illustrate this attack of Fermat’s Factorization we have,
For example, to factor N = 5959, one computes
a: 78 79 80
b2: 125 282 441
The third try produces a square. a = 80, b = 21, and the factors are a − b = 59, and a + b = 101.

7. 3.2) WEINER’S CONTINUES FRACTION METHOD ATTACK :
To reduce the work load of exponentiation one may use small value of private key that can
improve performance by at least factor of 10. Weiner attack suggest that for given public key
that satisfy private key less than one third of one fourth power of N and product of e and d is
equivalent to 1 mod N than attacker can efficiently recover d. Now in our problem, it has been
told that the private key of the CRT system are taken as small values. But they are not too small
to enforce brute force attack on the system. So we can utilize the Weiner’s attack on our
system to break it.
Algorithms:
Weiners Method()
{
Set c0=1, c1=1, d0=0, d1=1, i=1;
while i<=m do
{
Calculate z=(ci*e-1)/di ;
If z is an integer then
Let p and q be the roots of the equation: x2-(Nz+1)x+N=0;
If p and q are positive integers then return (p,q);
i=i+1;
ci=qi*ci-1+ci-2;
di=qi*di-1+di-2;
}
return “failure”;
}

8. 3.3 QUADRATIC SIEVE ALGORITHMS
 The quadratic sieve algorithm is a modern integer factorization algorithm. The algorithm
attempts to set up a congruence of squares modulo n, which often leads to a factorization
of n. The algorithm works in two phases:
1.) Data collection phase -- It collects information that may lead to a congruence of
squares.
2.) Data processing phase-- It puts all the data it has collected into a matrix and solves it
to obtain a congruence of squares.
 The naive approach to finding a congruence of squares is to pick a random number, square
it, and hope the least non-negative remainder modulo n is a perfect square.

9. CHAPTER 4 -- IMPLEMENTATION DETAILS
In the implementation stage, following are the important phase of designing the source code.
1.) Encryption
1.1) Generating the prime numbers p and q.
1.2) Calculating N.
1.3) Calculating the value of e by finding co-prime between 2 and (p-1)*(q-1).
1.4) Calculating the value of d by finding = 1 mod N.
1.5) Calculate C= mod N and obtain the cipher text.
2.) Decryption
2.1) Simple Decryption
a.) We have the private key as (d,N) and now Calculate M= mod N.
2.2) Decryption by RSA-CRT
a.) Calculate dp = d mod (1-p) and dq = d mod (q-1).
b.) Calculate the m1= mod p and m2= mod q
c.) Calculate e = 1 mod (p-1) * (q-1).
d.) Calculate o=(m1-m2) and h = (qINV*(m1 - m2)) % p;
e.) Calculate original message by M=m2 + (h*q).
3.) Attack
3.1) Fermat Attack
3.2) Weiner’s Attack.
3.3) Quadratic Sieve Factoring Attack.
3.4) Other Attack’s Tried.
4.) Execution of the program.

10. 1.) Encrpytion
The source code for the project for encryption and decryption is mainly contained in
the file RSA-CRT.c file. This file contains various methods to encrypt and decrypt the
message.
Now the given challenge problem consist of N and e values which are not capable of
being handled by the normal C data-type so we used the GMP library. This library
allows user to go to very higher number of bits depending upon the memory of the
computer being used.
1.1) Calculate prime numbers p and q ::
void generatePrime(unsigned long no, unsigned long *gen_p,unsigned long
*gen_q)
First of all this method will take input from the user as N. Then this method
will generate prime numbers up to N and will store that into integer array.
Then the method will generate two random number which will serve as an
index to select prime numbers from the pointer array. The randomly selected
prime numbers from the array will act as p and q.
1.2) The values of p and q obtained from above will be used for calculating the
value of N as N = p*q.
1.3) Next is the step to calculate the value of e
unsigned long e_generate(unsigned long p1, unsigned long q1 )
unsigned long isGCD(unsigned long n, unsigned long m)
unsigned long gcd(unsigned long n,unsigned long m)
In this method we will first find the random number from the list generated
previously which will serve as the index. Then we will check whether that
number of that index is GCD with (p-1)*(q-1). If yes then its ok otherwise we
will find another gcd number.
1.4) Calculate the value of d which satisfies the equation : de=1 mod N
unsigned long calc_d(unsigned long e, unsigned long phi)
In this method we will calculate d such that the above equation is satisfied.
1.5) Now, encrypt the cipher text using the formula C= mod N.
unsigned long fast_exp(unsigned long x, unsigned long y, unsigned long N)
The above function will be used tom implement the functionality of solving
the modulus of the different value after finding the exponential value of it.

11. 2.) DECRYPTION
2.1) Simple Decryption
In this simple decryption we just perform the function of repeated squaring to
find the original message. Here we have C=x, y=d and N=N.
unsigned long fast_exp(unsigned long x, unsigned long y, unsigned long N)
2.2) Decryption by RSA-CRT
Here all the function are contained in the same file as RSA-CRT.c because
basically they perform the same function but with different values.
Only difference we have is that we have an extra function to calculate the
value of h which is used for final calculation of decrypting original message.
unsigned long calc_h(unsigned long o,unsigned long qINV,unsigned long
m1,unsigned long m2,unsigned long p)
3.) ATTACK
We are using the program of Quadratic Sieve algorithm which is present in the
Attacks folder. This attack consist of various files like Gaussian.c, Factorize.c,
Factor_Base.c, Factorize_old.c, rsa_main.c and main.c. This file contains the various
source code for performing the Quadratic Sieve Algorithm.
We also have implemented the Fermat algorithm which is located as Fermat.c in the
folder.
Moreover we also have included the program of RSA which does computation of
RSA-CRT in which we can generate numbers up to size of any bit using the GMP
library. This code is included in the file rsa_crypto.c
Our main source file is RSA_CRT.c which includes all the function but the data type
used is unsigned long, so it has certain limitation. So we also have included the file
which can deal with larger numbers.
So execute the program RSA_CRT.c which will ask the user to input value of some
number up to which the prime numbers will be generated. Then the code will
encrypt and decrypt depending upon the values generated randomly.

12. CHAPTER 5 – ANALYSIS & TEST CASES
The graph below represents comparison of RSA Simple Decryption and CRT Decryption
From the above graph decryption by CRT is faster than simple decryption by a factor of 4.
Key generation
P q n P*q R (p-1)*(q-1) Correct
37 137 5069 5069 4896 4896 Yes
181 211 38191 38191 37800 37800 Yes
197 31 6107 6107 5880 5880 Yes
67 41 2747 2747 2640 2640 Yes
Public Private key Plain Computer Computer By hand By hand Correct
key text Encrypted Decrypted Encrypted Decrypted
151 8003 3151 151 123 7371 123 7371 123 yes
13 321 5153 321 5153 321 yes
456 7100 456 7100 456 yes
789 3809 654 3809 654 yes

13. Conclusion for RSA encryption and decryption
The decrypted numbers are the same as the original plaintext which shows test are successful.
Thus it concludes that the encryption and decryption parts of the program work correctly and
generate the required results.
Fermat factorization
Here value of As and Q are factors
N A As B Bs P Q Correct
39 4 11 16 16 4 3 Correct
45 7 9 4 4 2 5 Correct
21 5 7 4 4 2 3 Correct
As by Q Hand
Hand
11 3
9 5
7 3
From the table above we conclude that computer generated factors matches with factors
calculated by hand. Thus the program works correctly.
Quadratic Sieve factorization
Quadratic Sieve is faster than fermat because fermats takes factors near to n 2 – a2 without
considering all the values of factors of n.

14. CHAPTER 7 – CONCLUSION
Important things we learned from this project:
 We have implemented all the above attacks, but we could not succeed in breaking
smartcard RSA. The algorithms which we used for attacking were not capable of
dealing with key size of 1024 bits.
 The Quadratic Sieve(QS) algorithm can factorize the modulus N with size of up to
110 bits much smaller than our key size of 1024 bits.
 For the Weiner’s attack to work, requires the private exponent to satisfy the
condition as d < . From the question we don’t know about the size of the
exponent but we guessed and implemented it but could not get the result. So in
our case Weiner’s attack also failed.
 In case of the Fermat’s algorithm we can observe that it needn’t compute all the
square-roots of a2 − N nor even examine all the values for a. We can also conclude
from our analysis of this attack that Fermat's method works best when there is a
factor near the square-root of N.
 We have also further studied about various other algorithm which could help
cryptanalysis of smartcard RSA. To name some of them are General Number Field
Sieving algorithm, Extended Weiner’s, etc. The most fastest and efficient among
this algorithm is GNFS which can work for larger number of bits like required in
our challenge problem but we have not implemented it.
 Also we studied about the Kocher’s Timing attack but it works when RSA is
decrypted in traditional manner. Here we are using Chinese Remainder so we
cannot implement the Kocher’s Timing attack. And trying to factorize 1024 bits i.e.
number with 309 digits like using simple maths can take many years which is not
at all desirable.

15. REFERENCES:
BOOKS :-
1.) Applied Cryptanalysis : Breaking Cipher in real world by Mark Stamp and Richard M. Low.
2.) Cryptanalysis of RSA and its variant by M. Jason Hinek.
3.) Cryptanalysis on RSA by Y. Yan.
WEB-SITES:-
http://www.steve-jones.org.uk/RSA-project.pdf
http://data.at.preempted.net/INDEX/articles/CRT.pdf
http://www.di-mgt.com.au/crt_rsa.html
http://epsi00.blogspot.com/2008/04/fermat-factorization-method-revisited.html
http://www4.ncsu.edu/~kksivara/sfwr4c03/projects/4c03projects/XCui-Project.pdf
http://www.mat.uniroma3.it/users/pappa/KU2010/kalyan_2.pdf
http://en.wikipedia.org/wiki/Fermat's_factorization_method
http://www.rajorshi.net/old/paper_rsa.htm
http://honga.super6.cz/2010/10/rsa-implementation-using-gmp-library.html
http://www.exploringbinary.com/how-to-install-and-run-gmp-on-windows-using-mpir/
http://members.tripod.com/irish_ronan/rsa/attacks.html
http://www.scipub.org/fulltext/jcs/jcs28665-671.pdf
http://www.codeproject.com/KB/IP/YourOwnSecureProtocol.aspx?msg=2062591