RSA Game using an Oracle
•
0 likes•1,714 views
The slides demonstrate how to reverse the plaintext from the RSA encrypted ciphertext using an oracle that answers the question: is the last bit of the message 0 or 1?
Recommended
More Related Content
What's hot
What's hot (20)
Similar to RSA Game using an Oracle
Similar to RSA Game using an Oracle (20)
More from Dharmalingam Ganesan
More from Dharmalingam Ganesan (17)
Recently uploaded
Recently uploaded (20)
RSA Game using an Oracle
- 1. RSA Game - Is the plaintext ending with a 1 or 0? Reverse the plaintext from the given ciphertext Dr. Dharma Ganesan, Ph.D.,
- 2. Context and Goal ● Context: This RSA game is an Crypto online problem ● This problem is a baby version of Bleichenbacher attack ● Goal: Break RSA using an oracle ○ The oracle leaks the least-significant bit (LSB) of the secret ● The attacker should reconstruct the secret from the ciphertext 2
- 3. Game description (informal) ● Two roles: Adversary (a.k.a., hacker) and Challenger ● The challenger picks a secret plaintext ● The challenger offers the RSA ciphertext of the secret to the adversary ● The challenger discloses the least significant bit (LSB) of the secret ● The adversary can ask for the LSB of the plaintext for any ciphertext 3
- 4. Prerequisite (to follow the remaining slides) Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
- 5. How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other Private Key PrA Public Key PuB Private Key PrB
- 6. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 6
- 7. 7 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
- 8. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 8
- 9. Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1 (c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 9
- 10. Homomorphic properties of RSA ● Let x and y are two plaintexts ● RSA(x) * RSA(y) mod n = RSA((x * y) mod n) ● If we multiply two ciphertexts, we obtain the encryption of the products ● This homomorphic property is exploited by the adversary to win the game 10
- 11. Core Idea of the attack: Search for the secret x 11 0 n/2 n Case 1: 0 ≤ x < n/2 RSA-1 (RSA(2x mod n)) = 2x mod n = 2x (since x < n/2) Thus, the LSB of 2x is zero because 2x is an even number Case 2: n/2 < x < n RSA-1 (RSA(2x mod n)) = 2x mod n = 2x - n Thus, the LSB of 2x is one because 2x - n is an odd number RSA(2) * RSA(x) mod n = RSA((2 * x) mod n)
- 12. Core Idea ... 12 ● The adversary multiplies the ciphertext by two ● If the oracle replies with the LSB as zero, then the secret x is case 1 ● Otherwise, the secret x is case 2 ● In each iteration, the adversary reduces the search interval by ½ ● After log2 (n) iterations, the algorithm stops with only one point which is x
- 13. High-level algorithm to win the RSA game ● Step 1: Challenger publishes his/her public key <n, e> ● Step 2: Challenger publishes the ciphertext c of secret x: c =RSA(x) ● Step 3: Challenger asks the adversary to break his ciphertext c ● Step 4: Adversary computes encryption of number 2, y = RSA(2) ● low = 0, hi = n, mid = (low + hi)/2 ● Step 5: Adversary asks the challenger for the LSB of RSA-1 (y * c mod n) ● Step 6: If the LSB is zero, then the secret must be in the left half of the current range, hi = mid; Otherwise low = mid ● Step 7: y = y * RSA(2) mod n ● Step 8: Goto step 5 until all bits of n are covered; int(hi) is the secret 13
- 14. RSA Parity Oracle Interface 14
- 15. Search for the secret plaintext 15
- 16. Slide demo of the game 16
- 18. Challenger publishes the ciphertext to break 18 ciphertext to break c = 17130498310398736947925413661661465882926869940877729241345383947477486111931805658689975 70409796744414877697443617386091492162227276733018233630435840878933664293760327505054540 44501219717167153682358871134867069570065887710919893745735818584575959059508055467855971 16549056756398269334567110016523652656925354542961343152903509129885742976662667667409805 97165033985647315574245214546917176306011479418121651312453385173650600031902590543924957 09343452226472173920174468121404757809286186326774202637433387804564780903236292162653914 76034394754064243714225611167903078107138445076148327374783462086570480920168815278
- 19. On Even LSB: hi is replaced by mid 19
- 20. On Odd LSB - low is replaced by mid 20
- 21. 21 Adversary got the secret in 2048 attempts
- 22. Conclusion 22 ● The main goal was to implement the RSA LSB Oracle game ● The adversary was able to win the game by using chosen ciphertext ● The adversary reduces the search space of the [0, n) by half using the oracle ● In each iteration, the adversary learned one bit of the plaintext ● After all log(n) iterations all bits of the plaintext are revealed ● Thanks to Cryptopals for constructing this problem ● Java’s BigInteger and BigDecimal classes helped a lot
- 23. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● https://en.wikipedia.org/wiki/Ciphertext_indistinguishability 23