The document presents a detailed analysis of breaking raw RSA encryption through a meet-in-the-middle attack. It explains the RSA cryptography system, its key generation, and the mechanics behind the chosen plaintext and the meet-in-the-middle attacks. The results demonstrate that the attack is effective for small message sizes without padding, but struggles with larger lengths, emphasizing the need for padding in secure cryptographic practices.

1. Cryptanalysis of Raw RSA
Experiments using Meet-in-the-middle Attack
Dr. Dharma Ganesan, Ph.D.,

2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2

3. Goal of this presentation
● Explain how to break Raw RSA (i.e., without padding)
● Present exploits using Meet-in-the-middle attack
● Discuss experimental results
3

4. Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory (Abstract Algebra/Discrete Math)
● Modular Arithmetic (Number Theory)
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
4

5. How can Bob send a message to Alice securely?
5
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB

6. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
6

7. 7
Notations and Facts (needed for RSA Trapdoor)
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock
Z*
n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z*
n is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(p) = p-1, if p is a prime number
x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n

8. RSA - Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1)
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately
8

9. Formal definition of the RSA trapdoor function
● RSA: Zn → Zn
● Let m and c ∈ Zn
● c = RSA(m) = me mod n
● m = RSA-1(c) = cd mod n
● e and d are also called encryption and decryption
exponents, respectively
● Note: Attackers know c, e, and n but not d
9

10. RSA Trapdoor ...
● RSACoreEngine.java implements the RSA and RSA-1 functions
○ See the method processBlock
● RSA(input) = inpute mod n
{
return input.modPow(
key.getExponent(), key.getModulus());
}
● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem)
○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q
10

11. Raw RSA (in Java)
public static byte[] encrypt(PublicKey pubKey, String message) throws Exception
{
Cipher cipher = Cipher.getInstance("RSA/ECB/NOPADDING");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
return cipher.doFinal(message.getBytes());
}
11

12. Deterministic behavior of Raw RSA (simple demo)
12
public class RSA_Encrypt {
public static void main(String [] args) throws Exception {
if(args.length != 3) {
System.out.println("Usage: RSA_Encrypt <modulus n> <exponent e> <plaintext>");
System.exit(-1);
}
BigInteger n = new BigInteger(args[0]);
BigInteger e = new BigInteger(args[1]);
String plaintext = args[2];
PublicKey pubKey = RSAService.getPublicKey(n, e);
byte[] ciphertext = RSAService.encrypt(pubKey, plaintext);
System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(ciphertext));
}
}

13. No change in the ciphertext for the same plaintext
13
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me"
29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444
04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52
8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849
B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C
889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE
A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
dharmalingam_ganesan11@instance-1:~/crypto/RSA$ dharmalingam_ganesan11@instance-
1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me"
29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444
04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52
8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849
B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C
889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE
A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44

14. Problem statement: Break the RSA trapdoor function
● Recall that c = RSA(m) = me mod n
○ c is the ciphertext and m is the plaintext
● Breaking of the RSA function means finding m from c
○ Equivalently, reverse the plaintext from the ciphertext
● Formally, given <c, e, n> find m such that RSA(m) = c
14

15. Chosen plaintext attack of RSA trapdoor function
● RSA is a deterministic function (recall the previous demo)
● RSA(m) is always the same for a given public key pair (e, n)
○ That is, the ciphertext is the same when the plaintext m is encrypted again
● In order to find the secret x, the attacker can try all possible m as follows:
○ RSA(u) where u = 0, 1, …, 2n-1
○ If RSA(u) = RSA(m), then the attacker learns that m must u
● Chosen plaintext attack is easy for small values of public n
● Scalability problem: For very large n (e.g., 1024 bits), it is not feasible to
explore the space of 21024 possibilities, for example
○ It is difficult even if the message size is just 64 bits
15

16. Meet-in-the-middle attack - Core Idea
● Recall that the goal is to find the plaintext m such that RSA(m) = c
● What if m can be rewritten as a product of smaller numbers: m = m1 . m2
● For example, this 64-bit message m = 9223372036854775808 can be
rewritten as a product of two 32-bit numbers:
○ m1 = 2147483648
○ m2 = 4294967296
● Meet-in-the-middle attack leverages this observation to speed-up the Chosen
Plaintext attack
○ Instead of trying all possible n-bit messages, it tries only messages of size n/2
● It breaks RSA when the unknown plaintext is a product of smaller numbers
○ There are still some scalability issues (will revisit later)
16

17. Meet-in-the-middle attack - Algorithm
● Assume that the unknown message m can be rewritten as a product of two
unknown smaller numbers: m = m1 . m2
● The goal of this attack is to find m1 and m2 from ciphertext c
● c = RSA(m) = me mod n
c = (m1. m2)e mod n
c = (m1
e. m2
e) mod n
c/m2
e = m1
e mod n
● Step 1: Construct a hashtable of the right hand side for all possible m1
● Step 2: For each possible m2 if c/m2
e is present in the hashtable, them m is
recovered by multiplying matching m1 with the current m2
17

18. Step 1: Hashtable H construction
18
Key Value
0e mod n 0
1e mod n 1
2e mod n 2
3e mod n 3
... ...
(m1-1)e mod n m1 - 1

19. Step 2: Search the Hashtable H
19
● Step 2.1: For each m2, compute c/m2
e mod n
● Step 2.2: Search whether the hashtable H has the key c/m2
e mod n
● Step 2.3: If yes, extract m1 = H(c/m2
e mod n)
○ Terminate the search. Return the plaintext m = m1 . m2
● Step 2.4: Else, goto Step 2.1 and try the next possible m2

20. Implementation Details: Key-Value Store
(Hashtable)public interface IKeyValueStore {
public void put(byte[] key, byte[] data);
public byte[] get(byte[] key);
public void close();
}
20
● This interface provides an abstraction of hashtable implementations
● Allows plug-and-play of different key-value pair libraries

21. Key-Value Implementation using Java Hashmap
public class KeyValueStoreHash implements IKeyValueStore {
private HashMap<ByteBuffer, byte[]> hashMap = new HashMap<ByteBuffer, byte[]>();
public KeyValueStoreHash() {
}
public void put(byte[] key, byte[] data) {
hashMap.put(ByteBuffer.wrap(key), data);
}
public byte[] get(byte[] key) {
return hashMap.get(ByteBuffer.wrap(key));
}
public void close() {
hashMap.clear();
}
} 21

22. Step 1: Hashtable construction (basic version)
public void buildHashTable() {
BigInteger two = BigInteger.valueOf(2);
BigInteger minM1 = two.pow(minNumBitsM1 - 1);
BigInteger maxM1 = two.pow(maxNumBitsM1);
for(BigInteger m1 = minM1; m1.compareTo(maxM1) < 0; m1 = m1.add(BigInteger.ONE)) {
byte[] m1PowE = m1.modPow(e, n).toByteArray();
keyValueStore.put(m1PowE, m1.toByteArray());
}
}
22

23. Step 2: Search the hashtable for a match
public BigInteger breakRSA(BigInteger c) {
BigInteger m = BigInteger.ZERO;
BigInteger two = BigInteger.valueOf(2);
BigInteger minM2 = two.pow(minNumBitsM2 - 1);
BigInteger maxM2 = two.pow(maxNumBitsM2);
for(BigInteger m2 = minM2; m2.compareTo(maxM2) < 0; m2 = m2.add(BigInteger.ONE)) {
BigInteger m2powe = m2.modPow(e, n);
byte[] lhs = c.multiply(m2powe.modInverse(n)).mod(n).toByteArray();
if(keyValueStore.get(lhs) != null) {
BigInteger m1 = new BigInteger(keyValueStore.get(lhs));
m = m1.multiply(m2);
System.out.println("Match m = " + m + " m1 = " + m1 + " m2 = " + m2);
break;
}
}
return m;
}
23

24. Demo client to break Raw RSA (2048-bit modulus)
24

25. Demo client to break RSA ...
25

26. ~/crypto/RSA$ time java ClientRawRSA
Match m = 549986500608 m1 = 892928 m2 = 615936
The plaintext is: 549986500608
real 1m51.176s
user 1m1.520s
sys 0m4.176s
In ~1.5 min Raw RSA is broken
26

27. 11 out of 50 random messages decrypted!
27
$ time java ClientRawRSArandom
# of successful RSA breaking = 11 out of 50
real 462m0.941s
user 314m21.392s
sys 21m22.772s

28. Conclusion/Discussion
28
● The main goal was to experiment with meet-in-the-middle attack
● This attack works when RSA is used without any padding
○ Meet-in-the-middle is much better than brute-forcing all possible plaintexts
● The attack is not scalable when the message length is longer than 8 bytes
○ May be upto 10 bytes when using a large farm of computers
● Nevertheless, the attack reverses the plaintext in the order of 2m/2 bits
○ Storage requirement: Need to be able to store 2m/2 rows in the key-value table
● In part-2, I will talk about using advanced databases to store large key-value
● RSA without random padding should be avoided

29. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
● D. Boneh, A. Joux, and P. Nguyen, “Why Textbook ElGamal and RSA
Encryption are Insecure,” AsiaCrypt, 2000
29