SlideShare a Scribd company logo
RSA Game - Is the plaintext
ending with a 1 or 0?
Reverse the plaintext from the given ciphertext
Dr. Dharma Ganesan, Ph.D.,
Context and Goal
● Context: This RSA game is an Crypto online problem
● This problem is a baby version of Bleichenbacher attack
● Goal: Break RSA using an oracle
○ The oracle leaks the least-significant bit (LSB) of the secret
● The attacker should reconstruct the secret from the ciphertext
2
Game description (informal)
● Two roles: Adversary (a.k.a., hacker) and Challenger
● The challenger picks a secret plaintext
● The challenger offers the RSA ciphertext of the secret to the adversary
● The challenger discloses the least significant bit (LSB) of the secret
● The adversary can ask for the LSB of the plaintext for any ciphertext
3
Prerequisite (to follow the remaining slides)
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
4
How can Bob send a message to Alice securely?
5
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
Private Key PrA
Public Key PuB
Private Key PrB
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
6
7
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative
group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
8
Formal definition of the RSA trapdoor function
● RSA: Zn
→ Zn
● Let m and c ∈ Zn
● c = RSA(m) = me
mod n
● m = RSA-1
(c) = cd
mod n
● e and d are also called encryption and decryption
exponents, respectively
● Note: Attackers know c, e, and n but not d
9
Homomorphic properties of RSA
● Let x and y are two plaintexts
● RSA(x) * RSA(y) mod n = RSA((x * y) mod n)
● If we multiply two ciphertexts, we obtain the encryption of the products
● This homomorphic property is exploited by the adversary to win the game
10
Core Idea of the attack: Search for the secret x
11
0 n/2 n
Case 1: 0 ≤ x < n/2
RSA-1
(RSA(2x mod n)) = 2x mod n = 2x (since x < n/2)
Thus, the LSB of 2x is zero because 2x is an even number
Case 2: n/2 < x < n
RSA-1
(RSA(2x mod n)) = 2x mod n = 2x - n
Thus, the LSB of 2x is one because 2x - n is an odd number
RSA(2) * RSA(x) mod n = RSA((2 * x) mod n)
Core Idea ...
12
● The adversary multiplies the ciphertext by two
● If the oracle replies with the LSB as zero, then the secret x is case 1
● Otherwise, the secret x is case 2
● In each iteration, the adversary reduces the search interval by ½
● After log2
(n) iterations, the algorithm stops with only one point which is x
High-level algorithm to win the RSA game
● Step 1: Challenger publishes his/her public key <n, e>
● Step 2: Challenger publishes the ciphertext c of secret x: c =RSA(x)
● Step 3: Challenger asks the adversary to break his ciphertext c
● Step 4: Adversary computes encryption of number 2, y = RSA(2)
● low = 0, hi = n, mid = (low + hi)/2
● Step 5: Adversary asks the challenger for the LSB of RSA-1
(y * c mod n)
● Step 6: If the LSB is zero, then the secret must be in the left half of the current
range, hi = mid; Otherwise low = mid
● Step 7: y = y * RSA(2) mod n
● Step 8: Goto step 5 until all bits of n are covered; int(hi) is the secret
13
RSA Parity Oracle Interface
14
Search for the secret plaintext
15
Slide demo of the game
16
17
n =
2052726560261555648531226889349105162766949821676813276639789863783617867365234324324
7908504755739683912785380180169653718914542806166664110421255797531356531985597128860
6475800664456017497279807913771831585365061528476582443710952173825606916116189680352
6264759422032179091180349104675190171220311879344489716989764074184839335338296720468
3798370445008814063698305644331367320193290657474586236756921221687245100573144894672
5448392996228199190512603871227092978437293884773292768121620803654982608424461148954
9457970066122180375000947471627800930433414999931198985917982453791300458206975111169
1167601520160703755227
e = 65537
Challenger publishes RSA-2048 public key
Challenger publishes the ciphertext to break
18
ciphertext to break c =
17130498310398736947925413661661465882926869940877729241345383947477486111931805658689975
70409796744414877697443617386091492162227276733018233630435840878933664293760327505054540
44501219717167153682358871134867069570065887710919893745735818584575959059508055467855971
16549056756398269334567110016523652656925354542961343152903509129885742976662667667409805
97165033985647315574245214546917176306011479418121651312453385173650600031902590543924957
09343452226472173920174468121404757809286186326774202637433387804564780903236292162653914
76034394754064243714225611167903078107138445076148327374783462086570480920168815278
On Even LSB: hi is replaced by mid
19
On Odd LSB - low is replaced by mid
20
21
Adversary got the secret in 2048 attempts
Conclusion
22
● The main goal was to implement the RSA LSB Oracle game
● The adversary was able to win the game by using chosen ciphertext
● The adversary reduces the search space of the [0, n) by half using the oracle
● In each iteration, the adversary learned one bit of the plaintext
● After all log(n) iterations all bits of the plaintext are revealed
● Thanks to Cryptopals for constructing this problem
● Java’s BigInteger and BigDecimal classes helped a lot
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● https://en.wikipedia.org/wiki/Ciphertext_indistinguishability
23

More Related Content

What's hot

Cryptography - Discrete Mathematics
Cryptography - Discrete MathematicsCryptography - Discrete Mathematics
Cryptography - Discrete MathematicsACM-KU
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
Asymptotic Notations
Asymptotic NotationsAsymptotic Notations
Asymptotic NotationsRishabh Soni
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
Adversarial search
Adversarial searchAdversarial search
Adversarial searchDheerendra k
 
Lecture 17 Iterative Deepening a star algorithm
Lecture 17 Iterative Deepening a star algorithmLecture 17 Iterative Deepening a star algorithm
Lecture 17 Iterative Deepening a star algorithmHema Kashyap
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Algorithms Lecture 4: Sorting Algorithms I
Algorithms Lecture 4: Sorting Algorithms IAlgorithms Lecture 4: Sorting Algorithms I
Algorithms Lecture 4: Sorting Algorithms IMohamed Loey
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyPopescu Petre
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingSam Bowne
 
Algorithm chapter 1
Algorithm chapter 1Algorithm chapter 1
Algorithm chapter 1chidabdu
 

What's hot (20)

Cryptography - Discrete Mathematics
Cryptography - Discrete MathematicsCryptography - Discrete Mathematics
Cryptography - Discrete Mathematics
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
 
Asymptotic Notations
Asymptotic NotationsAsymptotic Notations
Asymptotic Notations
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Algorithm and Programming (Searching)
Algorithm and Programming (Searching)Algorithm and Programming (Searching)
Algorithm and Programming (Searching)
 
Diffie-hellman algorithm
Diffie-hellman algorithmDiffie-hellman algorithm
Diffie-hellman algorithm
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
Adversarial search
Adversarial searchAdversarial search
Adversarial search
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Lecture 17 Iterative Deepening a star algorithm
Lecture 17 Iterative Deepening a star algorithmLecture 17 Iterative Deepening a star algorithm
Lecture 17 Iterative Deepening a star algorithm
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Algorithms Lecture 4: Sorting Algorithms I
Algorithms Lecture 4: Sorting Algorithms IAlgorithms Lecture 4: Sorting Algorithms I
Algorithms Lecture 4: Sorting Algorithms I
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Asymptotic notation
Asymptotic notationAsymptotic notation
Asymptotic notation
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed Hashing
 
Algorithm chapter 1
Algorithm chapter 1Algorithm chapter 1
Algorithm chapter 1
 

Similar to RSA Game using an Oracle

An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSASam Bowne
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
RSA Algorithm.ppt
RSA Algorithm.pptRSA Algorithm.ppt
RSA Algorithm.pptArchanaT30
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSASam Bowne
 

Similar to RSA Game using an Oracle (20)

RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSA
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Class3
Class3Class3
Class3
 
RSA Algorithm.ppt
RSA Algorithm.pptRSA Algorithm.ppt
RSA Algorithm.ppt
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSA
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (17)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachNeo4j
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandIES VE
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfkalichargn70th171
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdfkalichargn70th171
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfVictor Lopez
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareinfo611746
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion Clinic
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Gáspár Nagy
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesNeo4j
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisNeo4j
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 

Recently uploaded (20)

De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 

RSA Game using an Oracle

  • 1. RSA Game - Is the plaintext ending with a 1 or 0? Reverse the plaintext from the given ciphertext Dr. Dharma Ganesan, Ph.D.,
  • 2. Context and Goal ● Context: This RSA game is an Crypto online problem ● This problem is a baby version of Bleichenbacher attack ● Goal: Break RSA using an oracle ○ The oracle leaks the least-significant bit (LSB) of the secret ● The attacker should reconstruct the secret from the ciphertext 2
  • 3. Game description (informal) ● Two roles: Adversary (a.k.a., hacker) and Challenger ● The challenger picks a secret plaintext ● The challenger offers the RSA ciphertext of the secret to the adversary ● The challenger discloses the least significant bit (LSB) of the secret ● The adversary can ask for the LSB of the plaintext for any ciphertext 3
  • 4. Prerequisite (to follow the remaining slides) Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
  • 5. How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other Private Key PrA Public Key PuB Private Key PrB
  • 6. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 6
  • 7. 7 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
  • 8. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 8
  • 9. Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1 (c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 9
  • 10. Homomorphic properties of RSA ● Let x and y are two plaintexts ● RSA(x) * RSA(y) mod n = RSA((x * y) mod n) ● If we multiply two ciphertexts, we obtain the encryption of the products ● This homomorphic property is exploited by the adversary to win the game 10
  • 11. Core Idea of the attack: Search for the secret x 11 0 n/2 n Case 1: 0 ≤ x < n/2 RSA-1 (RSA(2x mod n)) = 2x mod n = 2x (since x < n/2) Thus, the LSB of 2x is zero because 2x is an even number Case 2: n/2 < x < n RSA-1 (RSA(2x mod n)) = 2x mod n = 2x - n Thus, the LSB of 2x is one because 2x - n is an odd number RSA(2) * RSA(x) mod n = RSA((2 * x) mod n)
  • 12. Core Idea ... 12 ● The adversary multiplies the ciphertext by two ● If the oracle replies with the LSB as zero, then the secret x is case 1 ● Otherwise, the secret x is case 2 ● In each iteration, the adversary reduces the search interval by ½ ● After log2 (n) iterations, the algorithm stops with only one point which is x
  • 13. High-level algorithm to win the RSA game ● Step 1: Challenger publishes his/her public key <n, e> ● Step 2: Challenger publishes the ciphertext c of secret x: c =RSA(x) ● Step 3: Challenger asks the adversary to break his ciphertext c ● Step 4: Adversary computes encryption of number 2, y = RSA(2) ● low = 0, hi = n, mid = (low + hi)/2 ● Step 5: Adversary asks the challenger for the LSB of RSA-1 (y * c mod n) ● Step 6: If the LSB is zero, then the secret must be in the left half of the current range, hi = mid; Otherwise low = mid ● Step 7: y = y * RSA(2) mod n ● Step 8: Goto step 5 until all bits of n are covered; int(hi) is the secret 13
  • 14. RSA Parity Oracle Interface 14
  • 15. Search for the secret plaintext 15
  • 16. Slide demo of the game 16
  • 18. Challenger publishes the ciphertext to break 18 ciphertext to break c = 17130498310398736947925413661661465882926869940877729241345383947477486111931805658689975 70409796744414877697443617386091492162227276733018233630435840878933664293760327505054540 44501219717167153682358871134867069570065887710919893745735818584575959059508055467855971 16549056756398269334567110016523652656925354542961343152903509129885742976662667667409805 97165033985647315574245214546917176306011479418121651312453385173650600031902590543924957 09343452226472173920174468121404757809286186326774202637433387804564780903236292162653914 76034394754064243714225611167903078107138445076148327374783462086570480920168815278
  • 19. On Even LSB: hi is replaced by mid 19
  • 20. On Odd LSB - low is replaced by mid 20
  • 21. 21 Adversary got the secret in 2048 attempts
  • 22. Conclusion 22 ● The main goal was to implement the RSA LSB Oracle game ● The adversary was able to win the game by using chosen ciphertext ● The adversary reduces the search space of the [0, n) by half using the oracle ● In each iteration, the adversary learned one bit of the plaintext ● After all log(n) iterations all bits of the plaintext are revealed ● Thanks to Cryptopals for constructing this problem ● Java’s BigInteger and BigDecimal classes helped a lot
  • 23. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● https://en.wikipedia.org/wiki/Ciphertext_indistinguishability 23