- 1. Dependency Analysis of RSA Private Variables Dr. Dharma Ganesan, Ph.D.,
- 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
- 3. High-level Question ● An RSA private key is made of a few private variables ● If a private variable is exposed, can we efficiently derive the rest of the private variables? 3
- 4. Detailed questions (notations are defined later) 1. How to derive the private prime factors of RSA modulus n from φ(n)? 2. How to derive the private exponent d from φ(n)? 3. How to derive the private prime factors p and q from the private exponent d? 4
- 5. Agenda ● Brief overview of RSA algorithm ● Formal definition of RSA Trapdoor function ● Algorithms and Demos (for the three questions) ● Conclusion 5
- 6. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 6
- 7. How can Bob send a message to Alice securely? 7 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
- 8. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 8
- 9. 9 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
- 10. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 10
- 11. RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q satisfy q < p < 2q to avoid polynomial time factorization algorithms 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 11
- 12. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively 12
- 13. RSA Trapdoor variables’ dependency graph 13 Private variable Public variable Note: Public exponent e affects the private exponent d
- 14. Question 1: Factor n when private φ(n) is given 14 φ(n) = (p-1)(q-1) φ(n) = pq - p - q + 1 φ(n) = n - p - n/p + 1 (since n = pq) pφ(n) = np -p2 -n+ p p2 - np - p+ pφ(n)+ n = 0 p2 - (n+ 1- φ(n))p + n = 0 This is a quadratic equation in p. We know how to solve ax2 +bx+c = 0. x = (-b ∓ √(b2 - 4ac))/2a Note also that the product of the two roots = c/a. In our case, a = 1, thus the products of the roots are the prime factors of n
- 15. Demo 1: Factor n when private φ(n) is given 15 Let’s generate a 2048 RSA key pair as follows: keysize = 2048, e = 65537 ~/crypto/RSA$ java RSA_KeyPair $keysize $e Output: <phi, n, d, p, q> are shown below
- 16. Demo 1: Factor n when private φ(n) is given 16
- 17. Demo 1: Factor n when private φ(n) is given ... 17 ~/crypto/RSA$ java PrimeFactorsFromPhi $n $phi p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720 5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266 4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890 15575518486062027786802049855038992628112233123 q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808 6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189 9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340 05824459505427320400617171847420795137628994559 We see that this p and q are the same on the previous slide Equivalently, we derived the private prime factors p and q of n from another private variable φ(n)
- 18. Demo 1: Prime factors of n using phi(n) 18 /* * Given n and phi(n), returns the factors of n: p and q */ public static BigInteger[] factorize(BigInteger n, BigInteger phi) { BigInteger one = BigInteger.valueOf(1); BigInteger minusOne = BigInteger.valueOf(-1); /* p*p -(n+1-phi(n))p + n = 0 */ BigInteger z = n.add(one).subtract(phi).multiply(minusOne); /* Roots of this quadratic equation are the prime factors of n */ BigInteger[] factors = BigIntUtil.quadraticSol(one,z,n); assert n.equals(factors[0].multiply(factors[1])); return factors; }
- 19. 19 /* * Returns the integer roots of the ax2 + bx + c = 0 */ public static BigInteger[] quadraticSol(BigInteger a, BigInteger b, BigInteger c) { BigInteger zero = BigInteger.ZERO; BigInteger minusOne = BigInteger.valueOf(-1); BigInteger two = BigInteger.valueOf(2); BigInteger four = BigInteger.valueOf(4); BigInteger b2_4ac = b.multiply(b).subtract(four.multiply(a.multiply(c))); assert a.compareTo(zero) != 0 && b2_4ac.compareTo(zero) >= 0; BigInteger negB = b.multiply(minusOne); BigInteger root_b2_4ac = iRoot(b2_4ac, 2); assert root_b2_4ac.multiply(root_b2_4ac).compareTo(b2_4ac) == 0; BigInteger[] roots = new BigInteger[2]; roots[0] = negB.add(root_b2_4ac).divide(two.multiply(a)); roots[1] = negB.subtract(root_b2_4ac).divide(two.multiply(a)); return roots; }
- 20. Question 2: Derive private exponent d from φ(n) 20 We know that e.d ≡ 1(mod φ(n)) To find d, we multiply both sides by the inverse of e (i.e., e-1 ) Thus, d ≡ e-1 mod φ(n) Note that e-1 should exist because e and φ(n) are relatively prime
- 21. 21 Java’s BigInteger has ModInverse
- 22. Demo 2: Derive private exponent d from φ(n) 22 ~/crypto/RSA$ java ModInverse $e $phi Modular Inverse of 65537 is 2205151223696884190252381916635434764104221807529134232843816122898922433546108 3287372976252503587328696591274260031885794600481314199611651200179626903675369 0028009274857755022760288405248617492304240282041017910963309960636514481667802 6944157259783475257086607960394921579465796075728094174066371810325736212160395 6922757355039274603476879690439127159645339789795023593785438145131390767349450 4634404929864749265927992741511730020925412893911025985705705945455643610869142 0863758917973667307103241295297662510557556262730109970320101433216326920736123 5840090794589733305253198877867831375654052088316468016370497257 This is the same private d generated by the RSA key pair generator (see Demo 1)
- 23. Question 3: Derive the prime factors p and q from d 23 We know that e.d ≡ 1(mod φ(n)) e.d - 1 ≡ 0 ( mod φ(n)) e.d - 1 = r φ(n) for some integer r. Let k = e.d - 1. This means that k is a multiple of φ(n). K is even because φ(n) is even Let g be a random element of Z* n . That is, g is relatively prime to n. Euler’s theorem says gk ≡ 1 (mod n) since gcd (g, n) =1 . This implies gk/2 is a square of one mod n because gk/2 . gk/2 = gk ≡ 1 (mod n)
- 24. Question 3: Algorithm to factorize n from d 24 Step 1: Pick a random g from the multiplicative group Zn * Step 2: Construct a sequence: gk/2 , gk/4 , gk/8 , … until not equal to 1 mod n Note: If k/2i is not an even number, go back to step 1 and pick a new g Step 3: Now we have calculated square root of one in mod n. That is, z2 ≡ 1 (mod n) and z ≠ ∓ 1 (mod n) (z+1)(z-1) ≡ 0 (mod n) This implies n divides (z+1) and (z-1). Equivalently, n must share factors with (z+1) and (z-1). Step 4: Compute gcd(n, z-1) to extract one of the prime factors (say p) of n Step 5: Derive another prime factor q = n/p
- 25. 25 My implementation of the algorithm to find the prime factors p and q from d
- 26. 26 ~/crypto/RSA$ java PrimeFactorsFromD $e $n $d p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720 5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266 4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890 15575518486062027786802049855038992628112233123 q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808 6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189 9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340 05824459505427320400617171847420795137628994559 We see that the p and q are the factors of n (as expected) Equivalently, we derived the private prime factors p and q of n from another private variable d Demo 3: Derive the prime factors p and q from d
- 27. Conclusion 27 ● We analyzed the dependencies of RSA private variables ● We efficiently derived the ○ private prime factors p and q of RSA modulus n from φ(n) ○ private exponent d from φ(n) ○ private prime factors p and q from the private exponent d ● This analysis shows that if one of the private variables is leaked the rest is public ○ We need to throw away all the private variables and generate new keys ● If we can efficiently solve z2 ≡ 1 (mod n) (of course, z ≠ ∓ 1), then RSA is breakable ○ We used this fact in Demo 3, because d is given to us
- 28. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 28
- 29. References ● Finding a non-trivial square root of n: http://www.tricki.org/article/To_factorize_n_find_a_non-trivial_square_root_of _1_mod_n ● D. Boneh and Victor Shoup, “A Graduate Course in Applied Cryptography,” https://toc.cryptobook.us/ 29
- 30. Appendix - graphviz for the dependency graph digraph G { { p [color = red, shape=box] q [color = red, shape=box] "φ(n)" [color = red, shape=box] d [color = red, shape=box] x [color = red, shape=box] y [color = blue] e [color = blue] n [color = blue] } n -> {p q} "φ(n)" -> {p q} d -> {e "φ(n)"} y -> {x e n} } 30