### RSA Game using an Oracle

• 1. RSA Game - Is the plaintext ending with a 1 or 0? Reverse the plaintext from the given ciphertext. Dr. Dharma Ganesan, Ph.D.

• 2. Context and Goal
  ● Context: This RSA game is a Crypto online problem
  ● This problem is a baby version of the Bleichenbacher attack
  ● Goal: Break RSA using an oracle
    ○ The oracle leaks the least-significant bit (LSB) of the secret
  ● The attacker should reconstruct the secret from the ciphertext

• 3. Game description (informal)
  ● Two roles: Adversary (a.k.a. hacker) and Challenger
  ● The challenger picks a secret plaintext
  ● The challenger offers the RSA ciphertext of the secret to the adversary
  ● The challenger discloses the least significant bit (LSB) of the secret
  ● The adversary can ask for the LSB of the plaintext for any ciphertext

• 4. Prerequisite (to follow the remaining slides)
  Some familiarity with the following topics will help to follow the rest of the slides:
  ● Group Theory (Abstract Algebra/Discrete Math)
  ● Modular Arithmetic (Number Theory)
  ● Algorithms and Complexity Theory
  ● If not, it should still be possible to obtain a high-level overview

• 5. How can Bob send a message to Alice securely?
  (Figure: Alice holds public key PuA and private key PrA; Bob holds public key PuB and private key PrB)
  ● Alice and Bob never met each other
  ● Bob will encrypt using Alice's public key
    ○ Assume that public keys are known to the world
  ● Alice will decrypt using her private key
    ○ Private keys are secrets (never sent out)
  ● Bob can sign messages using his private key
    ○ Alice verifies message integrity using Bob's public key
    ○ Not important for this presentation/attack
  ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other

• 6. RSA Public Key Cryptography System
  ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
  ● Rooted in elegant mathematics: Group Theory and Number Theory
  ● Core idea: Anyone can encrypt a message using the recipient's public key, but
    ○ (as far as we know) no one can efficiently decrypt unless they have the matching private key
  ● Encryption and Decryption are inverse operations (math details later)
    ○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA
  ● Eavesdropper Eve cannot easily derive the secret (math details later)
    ○ Unless she solves "hard" number theory problems that are computationally intractable

• 7. Notations and Facts
  ● GCD(x, y): the greatest common divisor of the integers x and y
  ● Co-prime: if gcd(x, y) = 1, then x and y are co-prime
  ● Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
  ● Z*_n = { x ∈ Z_n | gcd(x, n) = 1 } (additional info: Z*_n is a multiplicative group)
  ● φ(n): Euler's Totient function, the number of elements in Z*_n
  ● φ(p) = p-1 if p is a prime number
  ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n

• 8. RSA - Key Generation Algo. (Fits on one page)
  1. Select an appropriate bit length for the RSA modulus n (e.g., 2048 bits)
    ○ The value of n is not chosen until step 3; small n is dangerous (details later)
  2. Pick two independent, large random primes p and q, each of half of n's bit length
    ○ In practice, p and q are not close to each other, to avoid attacks (e.g., Fermat's factorization)
  3. Compute n = p·q (n is also called the RSA modulus)
  4. Compute Euler's Totient (phi) function φ(n) = φ(p·q) = φ(p)φ(q) = (p-1)(q-1)
  5. Select numbers e and d from Z_n such that e·d ≡ 1 (mod φ(n))
    ○ Many implementations set e to 65537 (Note: gcd(e, φ(n)) = 1)
    ○ e must be relatively prime to φ(n); otherwise d cannot exist (i.e., we cannot decrypt)
    ○ d is the multiplicative inverse of e in Z_n
  6. The public key is the pair <n, e> and the private key is the 4-tuple <φ(n), d, p, q>
  Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately

• 9. Formal definition of the RSA trapdoor function
  ● RSA: Z_n → Z_n
  ● Let m and c ∈ Z_n
  ● c = RSA(m) = m^e mod n
  ● m = RSA^-1(c) = c^d mod n
  ● e and d are also called the encryption and decryption exponents, respectively
  ● Note: Attackers know c, e, and n but not d

• 10. Homomorphic properties of RSA
  ● Let x and y be two plaintexts
  ● RSA(x) * RSA(y) mod n = RSA((x * y) mod n)
  ● If we multiply two ciphertexts, we obtain the encryption of the product
  ● This homomorphic property is exploited by the adversary to win the game

• 11. Core Idea of the attack: Search for the secret x
  (Figure: number line from 0 to n with n/2 at the midpoint)
  RSA(2) * RSA(x) mod n = RSA((2 * x) mod n)
  Case 1: 0 ≤ x < n/2
    RSA^-1(RSA(2x mod n)) = 2x mod n = 2x (since x < n/2)
    Thus, the LSB of 2x mod n is zero because 2x is an even number
  Case 2: n/2 < x < n
    RSA^-1(RSA(2x mod n)) = 2x mod n = 2x - n
    Thus, the LSB of 2x mod n is one because 2x - n is an odd number

• 12. Core Idea ...
  ● The adversary multiplies the ciphertext by the encryption of two
  ● If the oracle replies with LSB zero, then the secret x is in case 1
  ● Otherwise, the secret x is in case 2
  ● In each iteration, the adversary reduces the search interval by ½
  ● After log2(n) iterations, the algorithm stops with only one point, which is x

• 13. High-level algorithm to win the RSA game
  ● Step 1: Challenger publishes his/her public key <n, e>
  ● Step 2: Challenger publishes the ciphertext c of secret x: c = RSA(x)
  ● Step 3: Challenger asks the adversary to break his ciphertext c
  ● Step 4: Adversary computes the encryption of the number 2, y = RSA(2); low = 0, hi = n, mid = (low + hi)/2
  ● Step 5: Adversary asks the challenger for the LSB of RSA^-1(y * c mod n)
  ● Step 6: If the LSB is zero, then the secret must be in the left half of the current range, hi = mid; otherwise low = mid
  ● Step 7: y = y * RSA(2) mod n
  ● Step 8: Go to step 5 until all bits of n are covered; int(hi) is the secret
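The game of slides 10 to 13 as a runnable simulation, added here as an illustration; it is not the slides' Java code. It uses a constructed toy key (two Mersenne primes, about a 92-bit modulus) and exact rational interval endpoints in place of the slides' BigDecimal; the function names are this example's own.

```python
from fractions import Fraction
from math import gcd

# Constructed toy key: two Mersenne primes, about a 92-bit modulus, far too
# small for real use; it only keeps the game fast to run.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1          # otherwise d does not exist (slide 8, step 5)
D = pow(E, -1, PHI)              # d = e^-1 mod phi(n)


def encrypt(m):
    """Textbook RSA, c = m^e mod n. No padding: that is what makes the
    homomorphic property usable by the adversary."""
    return pow(m, E, N)


def homomorphic_identity_holds(x, y):
    """Slide 10: RSA(x) * RSA(y) mod n == RSA(x * y mod n)."""
    return encrypt(x) * encrypt(y) % N == encrypt(x * y % N)


def lsb_oracle(c):
    """Challenger side: decrypts any ciphertext but reveals only the parity
    of the result. Even this one-bit leak is enough to lose the game."""
    return pow(c, D, N) & 1


def recover_plaintext(c, oracle=lsb_oracle):
    """Adversary side, steps 4 to 8 of slide 13.

    Query k asks for the parity of 2^k * x mod n. Because n is odd, the
    answer is even exactly when doubling did not carry 2^(k-1) * x mod n
    past n, i.e. when x lies in the lower half of the current interval.
    Exact Fraction endpoints avoid the rounding error a floating-point
    midpoint would accumulate over log2(n) halvings.
    Returns (recovered plaintext, number of oracle queries).
    """
    two_enc = encrypt(2)
    y = two_enc                    # y = RSA(2^k) for the current query k
    low, hi = Fraction(0), Fraction(N)
    queries = 0
    while hi - low >= 1:           # stop once only one integer can remain
        mid = (low + hi) / 2
        queries += 1
        if oracle(y * c % N) == 0:   # even -> case 1 -> left half
            hi = mid
        else:                        # odd  -> case 2 -> right half
            low = mid
        y = y * two_enc % N          # step 7: prepare RSA(2^(k+1))
    return int(hi), queries        # step 8: int(hi) is the secret


if __name__ == "__main__":
    secret = int.from_bytes(b"oracle game", "big")   # constructed secret
    found, n_queries = recover_plaintext(encrypt(secret))
    print(found == secret, n_queries, N.bit_length())
```

The query count equals the bit length of n, one oracle answer per plaintext bit, which is the 2048 attempts reported on slide 21 for a 2048-bit modulus.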
• 14. RSA Parity Oracle Interface

• 15. Search for the secret plaintext

• 16. Slide demo of the game

• 18. Challenger publishes the ciphertext to break: c = 17130498310398736947925413661661465882926869940877729241345383947477486111931805658689975 70409796744414877697443617386091492162227276733018233630435840878933664293760327505054540 44501219717167153682358871134867069570065887710919893745735818584575959059508055467855971 16549056756398269334567110016523652656925354542961343152903509129885742976662667667409805 97165033985647315574245214546917176306011479418121651312453385173650600031902590543924957 09343452226472173920174468121404757809286186326774202637433387804564780903236292162653914 76034394754064243714225611167903078107138445076148327374783462086570480920168815278

• 19. On even LSB: hi is replaced by mid

• 20. On odd LSB: low is replaced by mid

• 21. Adversary got the secret in 2048 attempts

• 22. Conclusion
  ● The main goal was to implement the RSA LSB Oracle game
  ● The adversary was able to win the game by using chosen ciphertexts
  ● The adversary reduces the search space [0, n) by half using the oracle
  ● In each iteration, the adversary learned one bit of the plaintext
  ● After all log2(n) iterations, all bits of the plaintext are revealed
  ● Thanks to Cryptopals for constructing this problem
  ● Java's BigInteger and BigDecimal classes helped a lot

• 23. References
  ● W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. IT-22, no. 6, November 1976.
  ● R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," CACM 21, 2, February 1978.
  ● https://en.wikipedia.org/wiki/Ciphertext_indistinguishability