This document describes an RSA two-person game designed to demonstrate how an adversary could exploit the homomorphic property of raw RSA encryption to break the system. It involves a challenger generating an RSA public/private key pair and encrypting a secret message. The adversary is able to obtain encryptions of arbitrary messages and uses the homomorphic property that the product of ciphertexts corresponds to the product of plaintexts to deduce the secret. Through a series of chosen plaintext/ciphertext queries, the adversary is able to compute the secret plaintext and win the game. The goal is to understand the vulnerabilities in raw RSA and how padding can strengthen the system.
1. RSA Two Person Game
Exploiting the homomorphic property of Raw RSA
Dr. Dharma Ganesan, Ph.D.
2. Context and Goal
● Context: This RSA two person game is an online problem
○ Advanced level - RSA problems of the Cryptopals challenges
● Goal: Break raw RSA using homomorphic properties
○ RSA(x) * RSA(y) = RSA(x * y)
■ The product of ciphertexts is the same as the ciphertext corresponding to the product of plaintexts
■ RSA is defined more formally later
3. Game description (informal)
● Two roles: Adversary (a.k.a., hacker) and Challenger
● The challenger offers an RSA ciphertext to the adversary to break
● The challenger is an encryption/decryption oracle
● The adversary is allowed to obtain RSA encryption of any plaintexts
● The adversary is allowed to obtain RSA decryption of any ciphertext
○ except the one given by the challenger, of course - otherwise there is no point in this game
4. Prerequisite (to follow the remaining slides)
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
5. How can Bob send a message to Alice securely?
● Alice and Bob have never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
[Figure labels: Public Key PuA, Private Key PrA, Public Key PuB, Private Key PrB]
6. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using the recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they have the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
7. Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
Z_n^* = { x ∈ Z_n | gcd(x, n) = 1 }; (additional info: Z_n^* is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z_n^*
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
8. RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Z_n such that e.d ≡ 1 (mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Z_n
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
9. Formal definition of the RSA trapdoor function
● RSA: Z_n → Z_n
● Let m and c ∈ Z_n
● c = RSA(m) = m^e mod n
● m = RSA^-1(c) = c^d mod n
● e and d are also called encryption and decryption exponents, respectively
● Note: Attackers know c, e, and n but not d
10. Homomorphic properties of RSA
● Let x and y be two plaintexts
● RSA(x) * RSA(y) mod n = RSA((x * y) mod n)
● If we multiply two ciphertexts, we obtain the encryption of the product of the plaintexts
● This homomorphic property is exploited by the adversary to win the game
11. High-level algorithm to win the game
● Step 1: Challenger publishes his/her public key <n, e>
● Step 2: Challenger encrypts a secret x and publishes the ciphertext
○ c = RSA(x)
● Step 3: Challenger asks the adversary to break his ciphertext c
● Step 4: Adversary asks for encryption of a random message y
○ The challenger replies with c′ = RSA(y)
● Step 5: Adversary asks for decryption of c * c′ mod n
● Step 6: Challenger replies with x*y mod n
○ Because of the homomorphic property of RSA
● Step 7: Adversary computes the secret x as follows: y^-1 * x * y mod n
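The seven steps above, together with the homomorphic property from slide 10, as a runnable Python sketch. This is an added example, not the author's RSA_Games program; the class and function names, the two fixed Mersenne primes and the sample secret are assumptions chosen so that it runs offline with a toy key.

```python
# Constructed toy parameters (not from the slides): two fixed Mersenne primes
# keep the run deterministic. Real keys use large random primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537

class Challenger:
    """Raw (unpadded) RSA encryption/decryption oracle, as in the game."""
    def __init__(self, secret: bytes):
        self.n, self.e = P * Q, E                    # Step 1: public key <n, e>
        self._d = pow(E, -1, (P - 1) * (Q - 1))      # e*d ≡ 1 (mod φ(n))
        self._x = int.from_bytes(secret, "big")
        assert self._x < self.n, "plaintext must be an element of Z_n"
        self.challenge = self.encrypt(self._x)       # Step 2: c = RSA(x)

    def encrypt(self, m: int) -> int:
        return pow(m, self.e, self.n)

    def decrypt(self, c: int) -> int:
        if c % self.n == self.challenge:             # the only refused query
            raise PermissionError("cannot decrypt the challenge ciphertext")
        return pow(c, self._d, self.n)

    def validate(self, guess: int) -> bool:
        return guess == self._x

def win_game(ch: Challenger, y: int = 2) -> int:
    """Adversary: recover x from public values and two oracle queries."""
    c_prime = ch.encrypt(y)                          # Step 4: c' = RSA(y)
    blinded = (ch.challenge * c_prime) % ch.n        # RSA(x*y mod n), not equal to c
    xy = ch.decrypt(blinded)                         # Steps 5-6: x*y mod n
    return (pow(y, -1, ch.n) * xy) % ch.n            # Step 7: y^-1 * x * y mod n

def to_ascii(x: int) -> str:
    """Decode the recovered big integer back into text."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode("ascii")

def demo() -> str:
    ch = Challenger(b"raw RSA is malleable")         # constructed sample secret
    x = win_game(ch)
    assert ch.validate(x)
    return to_ascii(x)

if __name__ == "__main__":
    print(demo())
```

The oracle's equality check on the challenge ciphertext is the only guard, and the blinded ciphertext c * c′ mod n passes it because it is a different integer that still decrypts to a known multiple of x.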
14. Step 1: Challenger publishes RSA-2048 public key
dharma@dharma-VirtualBox:~/crypto/RSA$ java RSA_Games 2048
n =
1709851346613713567643160337993285060800599393409231770496463578261532485288696067035
2692836467179207604008961535329434004912673015610805072149000433201059263223327164013
7296959934298971932421480304777620319816740727609514385225648411577237584424159849714
2104532759944528937941736766620757115668654053296529152821720274859660915154393054549
6519650318594908467210892317739674750670536676228903211765739269780538717700054534881
3698553285851066651658160725147149995671283151084643621613397341920585913809160198802
9315496039894993989925015539751061716341836505902715579296028770698629510880261059715
9210158443744923908017
e = 65537
Step 1: Challenger publishes RSA-2048 public key
15. Step 2: Challenger publishes the ciphertext to break
ciphertext to break c =
9855547657815495092966623211311482819444438231675099122721509885948
6341370925617570541078827943867566982833628365915461135381992350784
9458167184231298888592318098017463988620352665261850990139574207970
8124469087903605128265009715691286849953534639918163552245285784232
2185990750420246850678736370808144856709485247765879901845791379777
0190267399425769127310311042530323994822180652488250473757270904449
4195684209563412538451898337050984252584502207871281188703017835747
2321014638362540988890890891980144655960685937271112367033892975451
4330731907016166427430551241698860605659271747569112446385396651423
6590576728606
16. Options for the adversary
************************************
Select one of the options:
Enter E for Encryption
Enter D for Decryption
Enter V for Validation
*************************************
17. Challenger catches the adversary
D
Enter a ciphertext to decrypt
985554765781549509296662321131148281944443823167509912272150988594863413709256175
705410788279438675669828336283659154611353819923507849458167184231298888592318098
017463988620352665261850990139574207970812446908790360512826500971569128684995353
463991816355224528578423221859907504202468506787363708081448567094852477658799018
457913797770190267399425769127310311042530323994822180652488250473757270904449419
568420956341253845189833705098425258450220787128118870301783574723210146383625409
888908908919801446559606859372711123670338929754514330731907016166427430551241698
8606056592717475691124463853966514236590576728606
No, I cannot decrypt the challenge ciphertext!!
Adversary cannot ask for decryption of the
same challenge ciphertext, of course!
18. Step 3: Adversary asks for encryption of a message
E
Enter a big integer to encrypt
2 (2 is a random message; the adversary can pick any message he wants)
Output: Encryption of 2 sent by the challenger to the adversary:
c′ =
207761100292736073207266890528080055431757717113240650234728025058369264950913
572594069311892236621579386133308355806543128087317975104556733018536319064351
616741269607490363598097075471402051110668447611933869549815812530005087627186
206164430338613938048101163582431311899710754662799153692576067938637701755240
959973535327922438251104051315864857847955697650496689067336233493099038837714
381515085005782069542704405048201665110403017228603657769088105003850914369350
239375138558418371108828474886699844332031983891913166535769318207770085327398
1403680875355720427588065807196262481256722233314756137428772690187823
19. Step 4: Adversary computes c * c′ mod n
c * c′ mod n =
1452508197207602186169423085271383873618579144021522840937148634290540063821
8509409937112553395257809512708081971265283222952060086673154824378297287705
3627868590828848832576105793648340992392221785100308613966862864113055876592
4778952323502414251515624539159332186076571109876673078764467926083831682681
0202193640108723241485253860620974773212500968358051048628650722297145128517
2892470515099441142804039048740717483960645666391217643381961354526802982631
5715562201701969927499658389296982160662526184591207307420448000499552609290
8195802633283243852646746219328402471313198233426024829066725840886032023047
461602922
20. Step 5: Adversary asks for decryption of c * c′ mod n
D
Enter a ciphertext to decrypt
14525081972076021861694230852713838736185791440215228409371486342905400638218509409
93711255339525780951270808197126528322295206008667315482437829728770536278685908288
48832576105793648340992392221785100308613966862864113055876592477895232350241425151
56245391593321860765711098766730787644679260838316826810202193640108723241485253860
62097477321250096835805104862865072229714512851728924705150994411428040390487407174
83960645666391217643381961354526802982631571556220170196992749965838929698216066252
61845912073074204480004995526092908195802633283243852646746219328402471313198233426
024829066725840886032023047461602922
Output: (From the challenger to the adversary)
27335134792008068640285226556294004121359257644879032320595778071940672256727749871
815857251115104016420962038285773998242146871894641401544
This output is nothing but 2*x mod n due to the homomorphic property of RSA
21. Step 6: Adversary derives the secret
● The adversary now knows 2*x mod n, but he does not know x
○ Recall that x is the secret of the challenger
● The adversary will compute x as follows:
○ 2^-1 * (2 * x) mod n = x mod n
● In this case, x =
13667567396004034320142613278147002060679628822439516160297889
03597033612836387493590792862555755200821048101914288699912107
3435947320700772
22. Step 7: Adversary validates the plaintext
************************************
Select one of the options:
Enter E for Encryption
Enter D for Decryption
Enter V for Validation
*************************************
V
Enter the matching plaintext
13667567396004034320142613278147002060679628822439516160297889035
97033612836387493590792862555755200821048101914288699912107343594
7320700772
WOW. You won the game!!
23. Step 7: BigInteger to ASCII (to read the secret)
● In RSA, plaintexts and ciphertexts are (big) integers
● Adversary simply decodes his (big) integer into ASCII
● x =
13667567396004034320142613278147002060679628822439516160297889
03597033612836387493590792862555755200821048101914288699912107
3435947320700772
● This number x actually denotes the secret:
“It is useful to understand how Crypto works under-the-hood”
● Adversary enjoys his secret :)
24. Conclusion
● The main goal was to implement the RSA two person game
● Raw RSA satisfies the homomorphic property
● Raw RSA allows an adversary to exploit the homomorphic property
● The adversary was able to win the game by using chosen ciphertext and plaintext attacks
● RSA with random padding will make it harder to perform this attack
● Thanks to Cryptopals for constructing this challenge!