- 1. RSA Game: does the plaintext end with a 1 or a 0? Recovering the plaintext from a given ciphertext. Dr. Dharma Ganesan, Ph.D.
- 2. Context and Goal
  - Context: this RSA game is an online crypto problem
  - The problem is a baby version of the Bleichenbacher attack
  - Goal: break RSA using an oracle
    - The oracle leaks the least-significant bit (LSB) of the secret
  - The attacker must reconstruct the secret from the ciphertext alone
- 3. Game description (informal)
  - Two roles: Adversary (a.k.a. hacker) and Challenger
  - The challenger picks a secret plaintext
  - The challenger gives the RSA ciphertext of the secret to the adversary
  - The challenger discloses the least significant bit (LSB) of the secret
  - The adversary can ask for the LSB of the plaintext behind any ciphertext of its choice
- 4. Prerequisites (to follow the remaining slides). Some familiarity with the following topics will help:
  - Group Theory (Abstract Algebra / Discrete Math)
  - Modular Arithmetic (Number Theory)
  - Algorithms and Complexity Theory
  - If not, it should still be possible to obtain a high-level overview
- 5. How can Bob send a message to Alice securely? (Figure: Alice holds key pair PuA / PrA, Bob holds key pair PuB / PrB)
  - Alice and Bob have never met each other
  - Bob encrypts using Alice's public key
    - Assume that public keys are known to the world
  - Alice decrypts using her private key
    - Private keys are secrets (never sent out)
  - Bob can sign messages using his private key
    - Alice verifies message integrity using Bob's public key
    - Not important for this presentation/attack
  - Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
- 6. RSA Public Key Cryptography System
  - Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
  - Rooted in elegant mathematics: Group Theory and Number Theory
  - Core idea: anyone can encrypt a message using the recipient's public key, but
    - (as far as we know) no one can efficiently decrypt unless they hold the matching private key
  - Encryption and decryption are inverse operations (math details later)
    - The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA
  - Eavesdropper Eve cannot easily derive the secret (math details later)
    - Unless she solves "hard" number theory problems that are computationally intractable
- 7. Notations and Facts
  - gcd(x, y): the greatest common divisor of the integers x and y
  - Co-prime: if gcd(x, y) = 1, then x and y are co-prime
  - Zn = { 0, 1, 2, ..., n-1 }, n > 0; we may imagine Zn as a circular wall clock
  - Z*n = { x ∈ Zn | gcd(x, n) = 1 } (additional info: Z*n is a multiplicative group)
  - φ(n): Euler's totient function, the number of elements in Z*n
  - φ(p) = p-1 if p is a prime number
  - x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
- 8. RSA Key Generation Algorithm (fits on one page)
  1. Select an appropriate bit length for the RSA modulus n (e.g., 2048 bits)
    - The value of n itself is not chosen until step 3; a small n is dangerous (details later)
  2. Pick two independent, large random primes p and q, each of half of n's bit length
    - In practice, p and q must not be close to each other, to avoid attacks (e.g., Fermat's factorization)
  3. Compute n = p·q (n is also called the RSA modulus)
  4. Compute Euler's totient function φ(n) = φ(p·q) = φ(p)φ(q) = (p-1)(q-1)
  5. Select numbers e and d such that e·d ≡ 1 (mod φ(n))
    - Many implementations set e to 65537 (note: gcd(e, φ(n)) = 1)
    - e must be relatively prime to φ(n), otherwise d cannot exist (i.e., we cannot decrypt)
    - d is the multiplicative inverse of e modulo φ(n)
  6. The public key is the pair <n, e> and the private key is the 4-tuple <φ(n), d, p, q>
  - Note: if p, q, d, or φ(n) is leaked, RSA is broken immediately
- 9. Formal definition of the RSA trapdoor function
  - RSA: Zn → Zn
  - Let m and c ∈ Zn
  - c = RSA(m) = m^e mod n
  - m = RSA^-1(c) = c^d mod n
  - e and d are also called the encryption and decryption exponents, respectively
  - Note: attackers know c, e, and n but not d
- 10. Homomorphic property of RSA
  - Let x and y be two plaintexts
  - RSA(x) * RSA(y) mod n = RSA((x * y) mod n)
  - If we multiply two ciphertexts, we obtain the encryption of the product of the plaintexts
  - This homomorphic property is exploited by the adversary to win the game
- 11. Core idea of the attack: search for the secret x (Figure: number line from 0 to n with n/2 marked)
  - RSA(2) * RSA(x) mod n = RSA((2 * x) mod n)
  - Case 1: 0 ≤ x < n/2. RSA^-1(RSA(2x mod n)) = 2x mod n = 2x (since x < n/2). Thus the LSB of 2x is zero, because 2x is an even number
  - Case 2: n/2 < x < n. RSA^-1(RSA(2x mod n)) = 2x mod n = 2x - n. Thus the LSB of 2x mod n is one, because 2x - n is an odd number (n is odd, being a product of two large primes)
- 12. Core idea (continued)
  - The adversary multiplies the ciphertext by RSA(2)
  - If the oracle replies with LSB zero, the secret x is in case 1
  - Otherwise, the secret x is in case 2
  - In each iteration, the adversary halves the search interval
  - After log₂(n) iterations, the algorithm stops with only one point, which is x
- 13. High-level algorithm to win the RSA game
  - Step 1: The challenger publishes his/her public key <n, e>
  - Step 2: The challenger publishes the ciphertext c of the secret x: c = RSA(x)
  - Step 3: The challenger asks the adversary to break the ciphertext c
  - Step 4: The adversary computes the encryption of the number 2, y = RSA(2), and sets low = 0, hi = n, mid = (low + hi)/2
  - Step 5: The adversary asks the challenger for the LSB of RSA^-1(y * c mod n)
  - Step 6: If the LSB is zero, the secret must be in the left half of the current range: hi = mid; otherwise low = mid
  - Step 7: y = y * RSA(2) mod n
  - Step 8: Go to step 5 until all bits of n are covered; int(hi) is the secret
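The key generation of slide 8, the homomorphic multiplication of slide 10 and the interval search of slides 11-13, run end to end against a toy key. This is an added example in Python, not the deck's Java code; the primes 10007 and 10009, the secret 12345678 and the function names are constructed for this demo, and the "challenger" is simulated locally as a function that decrypts and returns only the LSB.

```python
from fractions import Fraction
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Slide 8, steps 3-6: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be co-prime to phi(n), otherwise d does not exist")
    return (n, e), (n, pow(e, -1, phi))   # public <n, e>, private <n, d>


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                    # c = m^e mod n (slide 9)


def make_parity_oracle(priv):
    """The challenger: decrypts any ciphertext but answers only with its LSB.
    Also returns a counter, so the number of leaked bits is visible."""
    n, d = priv
    calls = [0]

    def oracle(c):
        calls[0] += 1
        return pow(c, d, n) & 1            # LSB of c^d mod n
    return oracle, calls


def lsb_attack(pub, c, oracle):
    """Slides 11-13: halve the interval [low, hi) once per oracle query."""
    n, _ = pub
    two = encrypt(pub, 2)                  # RSA(2); RSA(2)*c = RSA(2x mod n)
    low, hi = Fraction(0), Fraction(n)     # exact arithmetic (the deck used BigDecimal)
    y = c
    for _ in range(n.bit_length()):        # one bit of x per iteration
        y = (y * two) % n                  # RSA(2^k * x mod n), slide 10
        mid = (low + hi) / 2
        if oracle(y) == 0:                 # 2a < n: no wrap, so x < mid
            hi = mid
        else:                              # 2a - n is odd: wrapped, so x >= mid
            low = mid
    return int(hi)                         # interval width < 1, so int(hi) == x


def demo(p=10007, q=10009, secret=12345678):
    """Constructed toy run (small primes, made-up secret); returns (recovered, queries)."""
    pub, priv = rsa_keygen(p, q)
    oracle, calls = make_parity_oracle(priv)
    recovered = lsb_attack(pub, encrypt(pub, secret), oracle)
    return recovered, calls[0]


if __name__ == "__main__":
    print(demo())                          # (12345678, 27): one query per bit of n
```

The defence is to never expose any bit of a raw RSA decryption: with a padding scheme such as OAEP the decryptor rejects the adversary's manipulated ciphertexts, and distinguishable error or timing behaviour on rejection would reopen the same kind of oracle.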
- 14. RSA Parity Oracle Interface (screenshot)
- 15. Search for the secret plaintext (screenshot)
- 16. Slide demo of the game
- 18. Challenger publishes the ciphertext to break: c = 17130498310398736947925413661661465882926869940877729241345383947477486111931805658689975704097967444148776974436173860914921622272767330182336304358408789336642937603275050545404450121971716715368235887113486706957006588771091989374573581858457595905950805546785597116549056756398269334567110016523652656925354542961343152903509129885742976662667667409805971650339856473155742452145469171763060114794181216513124533851736506000319025905439249570934345222647217392017446812140475780928618632677420263743338780456478090323629216265391476034394754064243714225611167903078107138445076148327374783462086570480920168815278
- 19. On even LSB: hi is replaced by mid
- 20. On odd LSB: low is replaced by mid
- 21. The adversary got the secret in 2048 attempts
- 22. Conclusion
  - The main goal was to implement the RSA LSB oracle game
  - The adversary was able to win the game using chosen ciphertexts
  - The adversary halves the search space [0, n) with every oracle query
  - In each iteration, the adversary learned one bit of the plaintext
  - After all log₂(n) iterations, all bits of the plaintext are revealed
  - Thanks to Cryptopals for constructing this problem
  - Java's BigInteger and BigDecimal classes helped a lot
- 23. References
  - W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. IT-22, no. 6, November 1976.
  - R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," CACM 21, 2, February 1978.
  - https://en.wikipedia.org/wiki/Ciphertext_indistinguishability