RSA Game - Is the plaintext ending with a 1 or 0?
Reverse the plaintext from the given ciphertext
Dr. Dharma Ganesan, Ph.D.
Context and Goal
● Context: This RSA game is an online crypto problem
● This problem is a baby version of the Bleichenbacher attack
● Goal: Break RSA using an oracle
○ The oracle leaks the least-significant bit (LSB) of the secret
● The attacker should reconstruct the secret from the ciphertext
Game description (informal)
● Two roles: Adversary (a.k.a., hacker) and Challenger
● The challenger picks a secret plaintext
● The challenger offers the RSA ciphertext of the secret to the adversary
● The challenger discloses the least significant bit (LSB) of the secret
● The adversary can ask for the LSB of the plaintext for any ciphertext
Prerequisite (to follow the remaining slides)
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
How can Bob send a message to Alice securely?
[Figure labels: Public Key PuA, Private Key PrA, Public Key PuB, Private Key PrB]
● Alice and Bob have never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using the recipient's public key, but
○ (as far as we know) no one can efficiently decrypt unless they have the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
Notations and Facts
GCD(x, y): The greatest common divisor of integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-prime
Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
Z*_n = { x ∈ Z_n | gcd(x, n) = 1 } (additional info: Z*_n is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*_n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Z_n such that e.d ≡ 1 (mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Z_n
6. The public key is the pair <n, e> and the private key is the 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
Formal definition of the RSA trapdoor function
● RSA: Z_n → Z_n
● Let m and c ∈ Z_n
● c = RSA(m) = m^e mod n
● m = RSA^-1(c) = c^d mod n
● e and d are also called the encryption and decryption exponents, respectively
● Note: Attackers know c, e, and n but not d
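The key generation steps 1-6 and the trapdoor function, as an added Python example (not the author's code). The function names, the Miller-Rabin prime test and the threshold used to reject close primes are assumptions made for this example.

```python
import math
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                              # composite witness found
    return True

def random_prime(bits):
    while True:
        # Top two bits set so that p*q has exactly 2*bits bits; low bit set (odd).
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits=512, e=65537):
    """Steps 1-6 of the slide. Returns public (n, e) and private (phi, d, p, q)."""
    half = bits // 2
    while True:
        p, q = random_prime(half), random_prime(half)
        phi = (p - 1) * (q - 1)
        # Retry if p and q are close (Fermat factorization; the 2^(half-32)
        # threshold is illustrative) or if e has no inverse mod phi.
        if abs(p - q) < 1 << (half - 32) or math.gcd(e, phi) != 1:
            continue
        return (p * q, e), (phi, pow(e, -1, phi), p, q)

def rsa(m, n, exponent):
    """Trapdoor function: exponent=e gives RSA(m), exponent=d gives RSA^-1(c)."""
    return pow(m, exponent, n)
```

The default of 512 bits keeps the run fast; the slides use 2048.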
Homomorphic properties of RSA
● Let x and y be two plaintexts
● RSA(x) * RSA(y) mod n = RSA((x * y) mod n)
● If we multiply two ciphertexts, we obtain the encryption of the product
● This homomorphic property is exploited by the adversary to win the game
Core Idea of the attack: Search for the secret x
[Figure: number line marked 0, n/2, n]
Case 1: 0 ≤ x < n/2
RSA^-1(RSA(2x mod n)) = 2x mod n = 2x (since x < n/2)
Thus, the LSB of 2x mod n is zero because 2x is an even number
Case 2: n/2 < x < n
RSA^-1(RSA(2x mod n)) = 2x mod n = 2x - n
Thus, the LSB of 2x mod n is one because 2x - n is an odd number (n is odd)
RSA(2) * RSA(x) mod n = RSA((2 * x) mod n)
Core Idea ...
● The adversary multiplies the ciphertext by two
● If the oracle replies with the LSB as zero, then the secret x is case 1
● Otherwise, the secret x is case 2
● In each iteration, the adversary reduces the search interval by ½
● After log2(n) iterations, the algorithm stops with only one point which is x
High-level algorithm to win the RSA game
● Step 1: Challenger publishes his/her public key <n, e>
● Step 2: Challenger publishes the ciphertext c of secret x: c = RSA(x)
● Step 3: Challenger asks the adversary to break his ciphertext c
● Step 4: Adversary computes encryption of number 2, y = RSA(2)
● low = 0, hi = n, mid = (low + hi)/2
● Step 5: Adversary asks the challenger for the LSB of RSA^-1(y * c mod n)
● Step 6: If the LSB is zero, then the secret must be in the left half of the current range, hi = mid; otherwise low = mid
● Step 7: y = y * RSA(2) mod n
● Step 8: Go to step 5 until all bits of n are covered; int(hi) is the secret
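Steps 4-8 as an added Python example (not the author's Java code), run against a local challenger. The toy key built from two Mersenne primes and the names make_challenger, lsb_oracle and recover_plaintext are constructed for this example; the interval bounds are kept as exact integers rather than decimal fractions.

```python
def make_challenger(secret):
    """Challenger: holds the private key, exposes only the LSB of decryptions."""
    # Constructed toy key from two Mersenne primes; unsuitable for real use.
    p, q = 2**107 - 1, 2**127 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))

    def lsb_oracle(ciphertext):
        return pow(ciphertext, d, n) & 1

    return n, e, pow(secret, e, n), lsb_oracle

def recover_plaintext(n, e, c, lsb_oracle):
    """Adversary: steps 4-8. Returns (plaintext, number of oracle queries)."""
    enc2 = pow(2, e, n)              # Step 4: RSA(2)
    k = n.bit_length()               # 2^k > n, so k halvings isolate one integer
    # Bounds are exact integers in units of n / 2^i, i.e. the real interval
    # after i queries is [low * n / 2^i, hi * n / 2^i).
    low, hi = 0, 1
    y = c
    for _ in range(k):
        y = y * enc2 % n             # Steps 5 and 7: y = RSA(2^i * x mod n)
        mid = low + hi               # midpoint once the unit is halved
        if lsb_oracle(y) == 0:       # Step 6: even, no wrap past n, left half
            low, hi = 2 * low, mid
        else:                        # odd, wrapped past n, right half
            low, hi = mid, 2 * hi
    return (hi * n) >> k, k          # Step 8: int(hi)
```

With this 234-bit modulus the search uses 234 oracle queries, one per bit of n, matching the 2048 attempts reported for the RSA-2048 demo.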
RSA Parity Oracle Interface
Search for the secret plaintext
Slide demo of the game
Challenger publishes RSA-2048 public key
e = 65537
Challenger publishes the ciphertext to break
On Even LSB: hi is replaced by mid
On Odd LSB - low is replaced by mid
Adversary got the secret in 2048 attempts
Conclusion
● The main goal was to implement the RSA LSB Oracle game
● The adversary was able to win the game by using chosen ciphertext
● The adversary reduces the search space [0, n) by half using the oracle
● In each iteration, the adversary learned one bit of the plaintext
● After all log(n) iterations all bits of the plaintext are revealed
● Thanks to Cryptopals for constructing this problem
● Java’s BigInteger and BigDecimal classes helped a lot