RSA Two Person Game
Exploiting the homomorphic property of Raw RSA
Dr. Dharma Ganesan, Ph.D.,
Context and Goal
● Context: This RSA two person game is an online problem
○ Advanced level - RSA problems of the Cryptopals challenges
● Goal: Break raw RSA using homomorphic properties
○ RSA(x) * RSA(y) = RSA(x * y)
■ The product of ciphertexts is the same as the ciphertext corresponding to the product of plaintexts
■ RSA is defined more formally later
Game description (informal)
● Two roles: Adversary (a.k.a., hacker) and Challenger
● The challenger offers an RSA ciphertext to the adversary to break
● The challenger is an encryption/decryption oracle
● The adversary is allowed to obtain RSA encryption of any plaintexts
● The adversary is allowed to obtain RSA decryption of any ciphertext
○ except the one given by the challenger, of course - otherwise there is no point in this game
Prerequisite (to follow the remaining slides)
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
How can Bob send a message to Alice securely?
[Diagram labels: Public Key PuA, Private Key PrA, Public Key PuB, Private Key PrB]
● Alice and Bob have never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using the recipient's public key, but
○ (as far as we know) no one can efficiently decrypt unless they have the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
Z*_n = { x ∈ Z_n | gcd(x, n) = 1 }; (additional info: Z*_n is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*_n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Z_n such that e.d ≡ 1 (mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Z_n
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
Formal definition of the RSA trapdoor function
● RSA: Z_n → Z_n
● Let m and c ∈ Z_n
● c = RSA(m) = m^e mod n
● m = RSA^-1(c) = c^d mod n
● e and d are also called encryption and decryption exponents, respectively
● Note: Attackers know c, e, and n but not d
Homomorphic properties of RSA
● Let x and y be two plaintexts
● RSA(x) * RSA(y) mod n = RSA((x * y) mod n)
● If we multiply two ciphertexts, we obtain the encryption of the product of the plaintexts
● This homomorphic property is exploited by the adversary to win the game
High-level algorithm to win the game
● Step 1: Challenger publishes his/her public key <n, e>
● Step 2: Challenger encrypts a secret x and publishes the ciphertext
● c = RSA(x)
● Step 3: Challenger asks the adversary to break his ciphertext c
● Step 4: Adversary asks for encryption of a random message y
● The challenger replies with c′ = RSA(y)
● Step 5: Adversary asks for decryption of c * c′ mod n
● Step 6: Challenger replies with x*y mod n
● Because of the homomorphic property of RSA
● Step 7: Adversary computes the secret x as follows: y^-1 * (x * y) mod n
Slide demo of the game
dharma@dharma-VirtualBox:~/crypto/RSA$ java RSA_Games 2048
n =
1709851346613713567643160337993285060800599393409231770496463578261532485288696067035
2692836467179207604008961535329434004912673015610805072149000433201059263223327164013
7296959934298971932421480304777620319816740727609514385225648411577237584424159849714
2104532759944528937941736766620757115668654053296529152821720274859660915154393054549
6519650318594908467210892317739674750670536676228903211765739269780538717700054534881
3698553285851066651658160725147149995671283151084643621613397341920585913809160198802
9315496039894993989925015539751061716341836505902715579296028770698629510880261059715
9210158443744923908017
e = 65537
Step 1: Challenger publishes RSA-2048 public key
Step 2: Challenger publishes the ciphertext to break
ciphertext to break c =
9855547657815495092966623211311482819444438231675099122721509885948
6341370925617570541078827943867566982833628365915461135381992350784
9458167184231298888592318098017463988620352665261850990139574207970
8124469087903605128265009715691286849953534639918163552245285784232
2185990750420246850678736370808144856709485247765879901845791379777
0190267399425769127310311042530323994822180652488250473757270904449
4195684209563412538451898337050984252584502207871281188703017835747
2321014638362540988890890891980144655960685937271112367033892975451
4330731907016166427430551241698860605659271747569112446385396651423
6590576728606
Options for the adversary
************************************
Select one of the options:
Enter E for Encryption
Enter D for Decryption
Enter V for Validation
*************************************
Challenger catches the adversary
D
Enter a ciphertext to decrypt
985554765781549509296662321131148281944443823167509912272150988594863413709256175
705410788279438675669828336283659154611353819923507849458167184231298888592318098
017463988620352665261850990139574207970812446908790360512826500971569128684995353
463991816355224528578423221859907504202468506787363708081448567094852477658799018
457913797770190267399425769127310311042530323994822180652488250473757270904449419
568420956341253845189833705098425258450220787128118870301783574723210146383625409
888908908919801446559606859372711123670338929754514330731907016166427430551241698
8606056592717475691124463853966514236590576728606
No, I cannot decrypt the challenge ciphertext!!
Adversary cannot ask for decryption of the same challenge ciphertext, of course!
Step 3: Adversary asks for encryption of a message
E
Enter a big integer to encrypt
2 (2 is a random message; the adversary can pick any message he wants)
Output: Encryption of 2 sent by the challenger to the adversary:
c′ =
207761100292736073207266890528080055431757717113240650234728025058369264950913
572594069311892236621579386133308355806543128087317975104556733018536319064351
616741269607490363598097075471402051110668447611933869549815812530005087627186
206164430338613938048101163582431311899710754662799153692576067938637701755240
959973535327922438251104051315864857847955697650496689067336233493099038837714
381515085005782069542704405048201665110403017228603657769088105003850914369350
239375138558418371108828474886699844332031983891913166535769318207770085327398
1403680875355720427588065807196262481256722233314756137428772690187823
Step 4: Adversary computes c * c′ mod n
c * c′ mod n =
1452508197207602186169423085271383873618579144021522840937148634290540063821
8509409937112553395257809512708081971265283222952060086673154824378297287705
3627868590828848832576105793648340992392221785100308613966862864113055876592
4778952323502414251515624539159332186076571109876673078764467926083831682681
0202193640108723241485253860620974773212500968358051048628650722297145128517
2892470515099441142804039048740717483960645666391217643381961354526802982631
5715562201701969927499658389296982160662526184591207307420448000499552609290
8195802633283243852646746219328402471313198233426024829066725840886032023047
461602922
Step 5: Adversary asks for decryption of c * c′ mod n
D
Enter a ciphertext to decrypt
14525081972076021861694230852713838736185791440215228409371486342905400638218509409
93711255339525780951270808197126528322295206008667315482437829728770536278685908288
48832576105793648340992392221785100308613966862864113055876592477895232350241425151
56245391593321860765711098766730787644679260838316826810202193640108723241485253860
62097477321250096835805104862865072229714512851728924705150994411428040390487407174
83960645666391217643381961354526802982631571556220170196992749965838929698216066252
61845912073074204480004995526092908195802633283243852646746219328402471313198233426
024829066725840886032023047461602922
Output: (From the challenger to the adversary)
27335134792008068640285226556294004121359257644879032320595778071940672256727749871
815857251115104016420962038285773998242146871894641401544
This output is nothing but 2*x mod n due to the homomorphic property of RSA
Step 6: Adversary derives the secret
● The adversary now knows 2*x mod n, but he does not know x
○ Recall that x is the secret of the challenger
● The adversary will compute x as follows:
○ 2^-1 * (2 * x) mod n = x mod n
● In this case, x =
13667567396004034320142613278147002060679628822439516160297889
03597033612836387493590792862555755200821048101914288699912107
3435947320700772
Step 7: Adversary validates the plaintext
************************************
Select one of the options:
Enter E for Encryption
Enter D for Decryption
Enter V for Validation
*************************************
V
Enter the matching plaintext
13667567396004034320142613278147002060679628822439516160297889035
97033612836387493590792862555755200821048101914288699912107343594
7320700772
WOW. You won the game!!
Step 7: BigInteger to ASCII (to read the secret)
● In RSA, plaintexts and ciphertexts are (big) integers
● Adversary simply decodes his (big) integer into ASCII
● x =
13667567396004034320142613278147002060679628822439516160297889
03597033612836387493590792862555755200821048101914288699912107
3435947320700772
● This number x actually denotes the secret:
“It is useful to understand how Crypto works under-the-hood”
● Adversary enjoys his secret :)
Conclusion
● The main goal was to implement the RSA two person game
● Raw RSA satisfies the homomorphic property
● Raw RSA allows an adversary to exploit the homomorphic property
● The adversary was able to win the game by using chosen ciphertext and plaintext attacks
● RSA with random padding will make it harder to perform this attack
● Thanks to Cryptopals for constructing this challenge!
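The game from the high-level algorithm and the padding remark in the conclusion, as an added Python example (not the presenter's Java RSA_Games program). The toy key built from two fixed Mersenne primes, the class and function names, and the pad/unpad encoding are assumptions made for illustration; the encoding is a simplified stand-in for a real scheme such as RSA-OAEP.

```python
"""Raw-RSA two-person game vs. a padding-checking oracle (toy key, constructed)."""
import hashlib
import secrets

# Constructed demo key: two Mersenne primes, fixed so the run is reproducible.
# Not a secure choice; real keys use large random primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # e.d ≡ 1 (mod φ(n))
SECRET = b"It is useful to understand how Crypto works under-the-hood"


def b2i(data: bytes) -> int:
    return int.from_bytes(data, "big")


def i2b(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


class RawChallenger:
    """Oracle as in the slides: raw RSA, refuses only the challenge ciphertext."""

    def __init__(self, plaintext: bytes):
        self.n, self.e = N, E                      # Step 1: public key <n, e>
        self._x = b2i(plaintext)
        self.challenge = pow(self._x, E, N)        # Step 2: c = RSA(x)

    def decrypt(self, c: int) -> int:              # option D
        if c % N == self.challenge:                # also catches c + k*n
            raise PermissionError("cannot decrypt the challenge ciphertext")
        return pow(c, D, N)

    def validate(self, guess: int) -> bool:        # option V
        return guess == self._x


def pad(msg: bytes) -> bytes:
    """Illustrative encoding 0x01 || r || SHA-256(r || msg)[:16] || msg.
    A stand-in for RSA-OAEP to show the idea; it is not a standard scheme."""
    r = secrets.token_bytes(16)
    return b"\x01" + r + hashlib.sha256(r + msg).digest()[:16] + msg


def unpad(enc: bytes) -> bytes:
    r, tag, msg = enc[1:17], enc[17:33], enc[33:]
    expected = hashlib.sha256(r + msg).digest()[:16]
    if len(enc) < 33 or enc[0] != 1 or not secrets.compare_digest(tag, expected):
        raise ValueError("decryption error")       # one generic error, no detail
    return msg


class PaddedChallenger(RawChallenger):
    """Same game, but every plaintext is padded and decrypt() verifies it."""

    def __init__(self, plaintext: bytes):
        super().__init__(pad(plaintext))

    def decrypt(self, c: int) -> bytes:
        return unpad(i2b(super().decrypt(c)))


def blinding_attack(oracle, y: int = 2) -> int:
    """Steps 4-7 of the slides; y must be invertible mod n (gcd(y, n) = 1)."""
    n = oracle.n
    c_prime = pow(y, oracle.e, n)                  # Step 4: RSA(y), needs only <n, e>
    blinded = (oracle.challenge * c_prime) % n     # Step 5: c * c' mod n (not equal to c)
    xy = oracle.decrypt(blinded)                   # Step 6: x*y mod n
    return (pow(y, -1, n) * xy) % n                # Step 7: y^-1 * (x*y) mod n


def run_demo():
    raw = RawChallenger(SECRET)
    x = blinding_attack(raw)                       # raw RSA: adversary wins
    padded = PaddedChallenger(SECRET)
    try:
        blinding_attack(padded)                    # decrypts to 2*pad(x): check fails
        rejected = False
    except ValueError:
        rejected = True
    return raw.validate(x), i2b(x), rejected


if __name__ == "__main__":
    won, recovered, rejected = run_demo()
    print("raw RSA, adversary wins:", won, recovered)
    print("padded oracle rejects blinded query:", rejected)
```

Refusing only the exact challenge value does not help the raw oracle, because the blinded ciphertext is a different integer; the padded oracle rejects it because 2*pad(x) no longer has a valid encoding.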

More Related Content

What's hot (20)

Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
RSA
RSARSA
RSA
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 
public-key cryptography Shamir
public-key cryptography Shamirpublic-key cryptography Shamir
public-key cryptography Shamir
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
rsa-1
rsa-1rsa-1
rsa-1
 

Similar to RSA Two Person Game

Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
Rsa algorithm key generation
Rsa algorithm key generation Rsa algorithm key generation
Rsa algorithm key generation swarnapatil
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
RSA Algorithm.ppt
RSA Algorithm.pptRSA Algorithm.ppt
RSA Algorithm.pptArchanaT30
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-ittrameshvvv
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptxSou Jana
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...FahmiOlayah
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2Fahad Layth
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsaBill GU
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSASam Bowne
 
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...Codemotion
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSASam Bowne
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
PUBLIC KEY & RSA.ppt
PUBLIC KEY & RSA.pptPUBLIC KEY & RSA.ppt
PUBLIC KEY & RSA.pptRizwanBasha12
 
RSA Algorithem and information about rsa
RSA Algorithem and information about rsaRSA Algorithem and information about rsa
RSA Algorithem and information about rsaMohsin Ali
 

Similar to RSA Two Person Game (20)

Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Rsa algorithm key generation
Rsa algorithm key generation Rsa algorithm key generation
Rsa algorithm key generation
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
RSA Algorithm.ppt
RSA Algorithm.pptRSA Algorithm.ppt
RSA Algorithm.ppt
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-itt
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
RSA Algm.pptx
RSA Algm.pptxRSA Algm.pptx
RSA Algm.pptx
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsa
 
Presentation
PresentationPresentation
Presentation
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSA
 
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
 
CNIT 141: 10. RSA
CNIT 141: 10. RSACNIT 141: 10. RSA
CNIT 141: 10. RSA
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
 
10 RSA
10 RSA10 RSA
10 RSA
 
PUBLIC KEY & RSA.ppt
PUBLIC KEY & RSA.pptPUBLIC KEY & RSA.ppt
PUBLIC KEY & RSA.ppt
 
RSA Algorithem and information about rsa
RSA Algorithem and information about rsaRSA Algorithem and information about rsa
RSA Algorithem and information about rsa
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (13)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandIES VE
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAlluxio, Inc.
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfOrtus Solutions, Corp
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfVictor Lopez
 
How To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdfHow To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdfayushiqss
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownloadvrstrong314
 
iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockiGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockSkilrock Technologies
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisNeo4j
 
JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)Max Lee
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzisteffenkarlsson2
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration
 

Recently uploaded (20)

Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
 
How To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdfHow To Build a Successful SaaS Design.pdf
How To Build a Successful SaaS Design.pdf
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockiGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by Skilrock
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 

RSA Two Person Game

  • 1. RSA Two Person Game Exploiting the homomorphic property of Raw RSA Dr. Dharma Ganesan, Ph.D.,
  • 2. Context and Goal
    ● Context: This RSA two person game is an online problem
      ○ Advanced level - RSA problems of the Cryptopals challenges
    ● Goal: Break raw RSA using homomorphic properties
      ○ RSA(x) * RSA(y) = RSA(x * y)
        ■ The product of ciphertexts is the same as the ciphertext corresponding to the product of plaintexts
        ■ RSA is defined more formally later
  • 3. Game description (informal)
    ● Two roles: Adversary (a.k.a. hacker) and Challenger
    ● The challenger offers an RSA ciphertext to the adversary to break
    ● The challenger is an encryption/decryption oracle
    ● The adversary is allowed to obtain the RSA encryption of any plaintext
    ● The adversary is allowed to obtain the RSA decryption of any ciphertext
      ○ except the one given by the challenger, of course - otherwise there is no point in this game
  • 4. Prerequisite (to follow the remaining slides)
    Some familiarity with the following topics will help to follow the rest of the slides
    ● Group Theory (Abstract Algebra/Discrete Math)
    ● Modular Arithmetic (Number Theory)
    ● Algorithms and Complexity Theory
    ● If not, it should still be possible to obtain a high-level overview
  • 5. How can Bob send a message to Alice securely?
    [Figure: key pairs labelled Public Key PuA / Private Key PrA and Public Key PuB / Private Key PrB]
    ● Alice and Bob have never met each other
    ● Bob will encrypt using Alice’s public key
      ○ Assume that public keys are known to the world
    ● Alice will decrypt using her private key
      ○ Private keys are secrets (never sent out)
    ● Bob can sign messages using his private key
      ○ Alice verifies message integrity using Bob’s public key
      ○ Not important for this presentation/attack
    ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
  • 6. RSA Public Key Cryptography System
    ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
    ● Rooted in elegant mathematics - Group Theory and Number Theory
    ● Core idea: Anyone can encrypt a message using the recipient's public key but
      ○ (as far as we know) no one can efficiently decrypt unless they have the matching private key
    ● Encryption and decryption are inverse operations (math details later)
      ○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA
    ● Eavesdropper Eve cannot easily derive the secret (math details later)
      ○ Unless she solves “hard” number theory problems that are computationally intractable
  • 7. Notations and Facts
    ● GCD(x, y): the greatest common divisor of the integers x and y
    ● Co-prime: if gcd(x, y) = 1, then x and y are co-prime
    ● Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
    ● Z*_n = { x ∈ Z_n | gcd(x, n) = 1 } (additional info: Z*_n is a multiplicative group)
    ● φ(n): Euler’s totient function denotes the number of elements in Z*_n
    ● φ(p) = p-1, if p is a prime number
    ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
  • 8. RSA - Key Generation Algo. (Fits on one page)
    1. Select an appropriate bit length for the RSA modulus n (e.g., 2048 bits)
       ○ The value of the parameter n is not chosen until step 3; a small n is dangerous (details later)
    2. Pick two independent, large random primes, p and q, each of half of n’s bit length
       ○ In practice, p and q are not close to each other, to avoid attacks (e.g., Fermat’s factorization)
    3. Compute n = p · q (n is also called the RSA modulus)
    4. Compute Euler’s totient (phi) function φ(n) = φ(p · q) = φ(p) φ(q) = (p-1)(q-1)
    5. Select numbers e and d from Z_n such that e · d ≡ 1 (mod φ(n))
       ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
       ○ e must be relatively prime to φ(n), otherwise d cannot exist (i.e., we cannot decrypt)
       ○ d is the multiplicative inverse of e in Zn
    6. The public key is the pair <n, e> and the private key is the 4-tuple <φ(n), d, p, q>
    Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
  • 9. Formal definition of the RSA trapdoor function
    ● RSA: Z_n → Z_n
    ● Let m, c ∈ Z_n
    ● c = RSA(m) = m^e mod n
    ● m = RSA^(-1)(c) = c^d mod n
    ● e and d are also called the encryption and decryption exponents, respectively
    ● Note: Attackers know c, e, and n but not d
  • 10. Homomorphic properties of RSA
    ● Let x and y be two plaintexts
    ● RSA(x) * RSA(y) mod n = RSA((x * y) mod n)
    ● If we multiply two ciphertexts, we obtain the encryption of the product of the plaintexts
    ● This homomorphic property is exploited by the adversary to win the game
  • 11. High-level algorithm to win the game
    ● Step 1: Challenger publishes his/her public key <n, e>
    ● Step 2: Challenger encrypts a secret x and publishes the ciphertext
      ○ c = RSA(x)
    ● Step 3: Challenger asks the adversary to break his ciphertext c
    ● Step 4: Adversary asks for encryption of a random message y
      ○ The challenger replies with c′ = RSA(y)
    ● Step 5: Adversary asks for decryption of c * c′ mod n
    ● Step 6: Challenger replies with x * y mod n
      ○ Because of the homomorphic property of RSA
    ● Step 7: Adversary computes the secret x as follows: y^(-1) * (x * y) mod n
  • 13. Slide demo of the game
  • 14. 14 dharma@dharma-VirtualBox:~/crypto/RSA$ java RSA_Games 2048 n = 1709851346613713567643160337993285060800599393409231770496463578261532485288696067035 2692836467179207604008961535329434004912673015610805072149000433201059263223327164013 7296959934298971932421480304777620319816740727609514385225648411577237584424159849714 2104532759944528937941736766620757115668654053296529152821720274859660915154393054549 6519650318594908467210892317739674750670536676228903211765739269780538717700054534881 3698553285851066651658160725147149995671283151084643621613397341920585913809160198802 9315496039894993989925015539751061716341836505902715579296028770698629510880261059715 9210158443744923908017 e = 65537 Step 1: Challenger publishes RSA-2048 public key
  • 15. Step 2: Challenger publishes the ciphertext to break 15 ciphertext to break c = 9855547657815495092966623211311482819444438231675099122721509885948 6341370925617570541078827943867566982833628365915461135381992350784 9458167184231298888592318098017463988620352665261850990139574207970 8124469087903605128265009715691286849953534639918163552245285784232 2185990750420246850678736370808144856709485247765879901845791379777 0190267399425769127310311042530323994822180652488250473757270904449 4195684209563412538451898337050984252584502207871281188703017835747 2321014638362540988890890891980144655960685937271112367033892975451 4330731907016166427430551241698860605659271747569112446385396651423 6590576728606
  • 16. Options for the adversary
    ************************************
    Select one of the options:
    Enter E for Encryption
    Enter D for Decryption
    Enter V for Validation
    *************************************
  • 17. Challenger catches the adversary 17 D Enter a ciphertext to decrypt 985554765781549509296662321131148281944443823167509912272150988594863413709256175 705410788279438675669828336283659154611353819923507849458167184231298888592318098 017463988620352665261850990139574207970812446908790360512826500971569128684995353 463991816355224528578423221859907504202468506787363708081448567094852477658799018 457913797770190267399425769127310311042530323994822180652488250473757270904449419 568420956341253845189833705098425258450220787128118870301783574723210146383625409 888908908919801446559606859372711123670338929754514330731907016166427430551241698 8606056592717475691124463853966514236590576728606 No, I cannot decrypt the challenge ciphertext!! Adversary cannot ask for decryption of the same challenge ciphertext, of course!
  • 18. Step 3: Adversary asks for encryption of a message 18 E Enter a big integer to encrypt 2 (2 is a random message, adversary can pick any message he wanted) Output: Encryption of 2 send by the challenger to the adversary: c′ = 207761100292736073207266890528080055431757717113240650234728025058369264950913 572594069311892236621579386133308355806543128087317975104556733018536319064351 616741269607490363598097075471402051110668447611933869549815812530005087627186 206164430338613938048101163582431311899710754662799153692576067938637701755240 959973535327922438251104051315864857847955697650496689067336233493099038837714 381515085005782069542704405048201665110403017228603657769088105003850914369350 239375138558418371108828474886699844332031983891913166535769318207770085327398 1403680875355720427588065807196262481256722233314756137428772690187823
  • 19. Step 4: Adversary computes c * c’ in mod n 19 c * c′ mod n = 1452508197207602186169423085271383873618579144021522840937148634290540063821 8509409937112553395257809512708081971265283222952060086673154824378297287705 3627868590828848832576105793648340992392221785100308613966862864113055876592 4778952323502414251515624539159332186076571109876673078764467926083831682681 0202193640108723241485253860620974773212500968358051048628650722297145128517 2892470515099441142804039048740717483960645666391217643381961354526802982631 5715562201701969927499658389296982160662526184591207307420448000499552609290 8195802633283243852646746219328402471313198233426024829066725840886032023047 461602922
  • 20. Step 5: Adversary asks for decryption of c * c′ mod n 20 D Enter a ciphertext to decrypt 14525081972076021861694230852713838736185791440215228409371486342905400638218509409 93711255339525780951270808197126528322295206008667315482437829728770536278685908288 48832576105793648340992392221785100308613966862864113055876592477895232350241425151 56245391593321860765711098766730787644679260838316826810202193640108723241485253860 62097477321250096835805104862865072229714512851728924705150994411428040390487407174 83960645666391217643381961354526802982631571556220170196992749965838929698216066252 61845912073074204480004995526092908195802633283243852646746219328402471313198233426 024829066725840886032023047461602922 Output: (From the challenger to the adversary) 27335134792008068640285226556294004121359257644879032320595778071940672256727749871 815857251115104016420962038285773998242146871894641401544 This output is nothing but 2*x mod n due to homomorphic property of RSA
  • 21. Step 6: Adversary derives the secret
    ● The adversary now knows 2*x mod n, but he does not know x
      ○ Recall that x is the secret of the challenger
    ● The adversary will compute x as follows:
      ○ 2^(-1) * (2 * x) mod n = x mod n
    ● In this case, x =
      13667567396004034320142613278147002060679628822439516160297889
      03597033612836387493590792862555755200821048101914288699912107
      3435947320700772
  • 22. Step 7: Adversary validates the plaintext ************************************ Select one of the options: Enter E for Encryption Enter D for Decryption Enter V for Validation ************************************* V Enter the matching plaintext 13667567396004034320142613278147002060679628822439516160297889035 97033612836387493590792862555755200821048101914288699912107343594 7320700772 WOW. You won the game!! 22
  • 23. Step 7: BigInteger to ASCII (to read the secret)
    ● In RSA, plaintexts and ciphertexts are (big) integers
    ● Adversary simply decodes his (big) integer into ASCII
    ● x =
      13667567396004034320142613278147002060679628822439516160297889
      03597033612836387493590792862555755200821048101914288699912107
      3435947320700772
    ● This number x actually denotes the secret: “It is useful to understand how Crypto works under-the-hood”
    ● Adversary enjoys his secret :)
  • 24. Conclusion
    ● The main goal was to implement the RSA two person game
    ● Raw RSA satisfies the homomorphic property
    ● Raw RSA allows an adversary to exploit the homomorphic property
    ● The adversary was able to win the game by using chosen ciphertext and plaintext attacks
    ● RSA with random padding will make it harder to perform this attack
    ● Thanks to Cryptopals for constructing this challenge!
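
The game from slides 11 and 14-23 as runnable Python. This is an added example, not the author's Java `RSA_Games` program: the `Challenger` class, the function names and the fixed Mersenne-prime key are assumptions made here, and the secret is the sentence quoted on slide 23. It also covers two edge cases the slides do not mention: y must be invertible mod n, and y = 1 would simply resubmit the challenge ciphertext.

```python
# Added example (not from the slides): raw-RSA oracle game with a toy key.
from math import gcd

# Constructed key: two Mersenne primes keep the demo deterministic; unsafe for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537


class Challenger:
    """Raw (unpadded) RSA oracle that refuses only the challenge ciphertext."""

    def __init__(self, secret: bytes):
        self.n, self.e = P * Q, E
        self._d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
        self._x = int.from_bytes(secret, "big")
        if not 0 < self._x < self.n:
            raise ValueError("secret must encode to an integer in (0, n)")
        self.challenge = self.encrypt(self._x)   # c = RSA(x)

    def encrypt(self, m: int) -> int:
        return pow(m, self.e, self.n)

    def decrypt(self, c: int) -> int:
        if c % self.n == self.challenge:
            raise PermissionError("cannot decrypt the challenge ciphertext")
        return pow(c, self._d, self.n)

    def validate(self, guess: int) -> bool:
        return guess == self._x


def recover_secret(ch: Challenger, y: int = 2) -> int:
    """Blind c with RSA(y), have x*y mod n decrypted, then divide out y."""
    if y % ch.n == 1 or gcd(y, ch.n) != 1:
        raise ValueError("y must be invertible mod n and not equal to 1")
    c_prime = ch.encrypt(y)                      # c' = RSA(y)
    blinded = (ch.challenge * c_prime) % ch.n    # RSA(x*y), differs from c
    xy = ch.decrypt(blinded)                     # oracle returns x*y mod n
    return (pow(y, -1, ch.n) * xy) % ch.n        # y^(-1) * (x*y) mod n = x


def int_to_ascii(x: int) -> str:  # big-endian integer back to text
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode("ascii")


if __name__ == "__main__":
    game = Challenger(b"It is useful to understand how Crypto works under-the-hood")
    x = recover_secret(game)
    print(game.validate(x), int_to_ascii(x))
```

The oracle's only defence is an equality check against c, which the multiplicative blinding sidesteps; this is why the conclusion slide points to randomized padding rather than a ciphertext blocklist.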