SlideShare a Scribd company logo

RSA without Padding

Download as PPTX, PDF
Dharmalingam Ganesan
Dharmalingam Ganesan

Slides demonstrate how to break RSA when no padding is applied. I replicated the meet-in-the-middle attack discussed in the existing Crypto literature.

Software
1 of 29
Cryptanalysis of Raw RSA Experiments using Meet-in-the-middle Attack Dr. Dharma Ganesan, Ph.D.,
Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
Goal of this presentation ● Explain how to break Raw RSA (i.e., without padding) ● Present exploits using Meet-in-the-middle attack ● Discuss experimental results 3
Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 6
7 Notations and Facts (needed for RSA Trapdoor) GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 8
Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1(c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 9
RSA Trapdoor ... ● RSACoreEngine.java implements the RSA and RSA-1 functions ○ See the method processBlock ● RSA(input) = inpute mod n { return input.modPow( key.getExponent(), key.getModulus()); } ● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem) ○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q 10
Raw RSA (in Java) public static byte[] encrypt(PublicKey pubKey, String message) throws Exception { Cipher cipher = Cipher.getInstance("RSA/ECB/NOPADDING"); cipher.init(Cipher.ENCRYPT_MODE, pubKey); return cipher.doFinal(message.getBytes()); } 11
Deterministic behavior of Raw RSA (simple demo) 12 public class RSA_Encrypt { public static void main(String [] args) throws Exception { if(args.length != 3) { System.out.println("Usage: RSA_Encrypt <modulus n> <exponent e> <plaintext>"); System.exit(-1); } BigInteger n = new BigInteger(args[0]); BigInteger e = new BigInteger(args[1]); String plaintext = args[2]; PublicKey pubKey = RSAService.getPublicKey(n, e); byte[] ciphertext = RSAService.encrypt(pubKey, plaintext); System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(ciphertext)); } }
No change in the ciphertext for the same plaintext 13 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ dharmalingam_ganesan11@instance- 1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
Problem statement: Break the RSA trapdoor function ● Recall that c = RSA(m) = me mod n ○ c is the ciphertext and m is the plaintext ● Breaking of the RSA function means finding m from c ○ Equivalently, reverse the plaintext from the ciphertext ● Formally, given <c, e, n> find m such that RSA(m) = c 14
Chosen plaintext attack of RSA trapdoor function ● RSA is a deterministic function (recall the previous demo) ● RSA(m) is always the same for a given public key pair (e, n) ○ That is, the ciphertext is the same when the plaintext m is encrypted again ● In order to find the secret x, the attacker can try all possible m as follows: ○ RSA(u) where u = 0, 1, …, 2n-1 ○ If RSA(u) = RSA(m), then the attacker learns that m must u ● Chosen plaintext attack is easy for small values of public n ● Scalability problem: For very large n (e.g., 1024 bits), it is not feasible to explore the space of 21024 possibilities, for example ○ It is difficult even if the message size is just 64 bits 15
Meet-in-the-middle attack - Core Idea ● Recall that the goal is to find the plaintext m such that RSA(m) = c ● What if m can be rewritten as a product of smaller numbers: m = m1 . m2 ● For example, this 64-bit message m = 9223372036854775808 can be rewritten as a product of two 32-bit numbers: ○ m1 = 2147483648 ○ m2 = 4294967296 ● Meet-in-the-middle attack leverages this observation to speed-up the Chosen Plaintext attack ○ Instead of trying all possible n-bit messages, it tries only messages of size n/2 ● It breaks RSA when the unknown plaintext is a product of smaller numbers ○ There are still some scalability issues (will revisit later) 16
Meet-in-the-middle attack - Algorithm ● Assume that the unknown message m can be rewritten as a product of two unknown smaller numbers: m = m1 . m2 ● The goal of this attack is to find m1 and m2 from ciphertext c ● c = RSA(m) = me mod n c = (m1. m2)e mod n c = (m1 e. m2 e) mod n c/m2 e = m1 e mod n ● Step 1: Construct a hashtable of the right hand side for all possible m1 ● Step 2: For each possible m2 if c/m2 e is present in the hashtable, them m is recovered by multiplying matching m1 with the current m2 17
Step 1: Hashtable H construction 18 Key Value 0e mod n 0 1e mod n 1 2e mod n 2 3e mod n 3 ... ... (m1-1)e mod n m1 - 1
Step 2: Search the Hashtable H 19 ● Step 2.1: For each m2, compute c/m2 e mod n ● Step 2.2: Search whether the hashtable H has the key c/m2 e mod n ● Step 2.3: If yes, extract m1 = H(c/m2 e mod n) ○ Terminate the search. Return the plaintext m = m1 . m2 ● Step 2.4: Else, goto Step 2.1 and try the next possible m2
Implementation Details: Key-Value Store (Hashtable)public interface IKeyValueStore { public void put(byte[] key, byte[] data); public byte[] get(byte[] key); public void close(); } 20 ● This interface provides an abstraction of hashtable implementations ● Allows plug-and-play of different key-value pair libraries
Key-Value Implementation using Java Hashmap public class KeyValueStoreHash implements IKeyValueStore { private HashMap<ByteBuffer, byte[]> hashMap = new HashMap<ByteBuffer, byte[]>(); public KeyValueStoreHash() { } public void put(byte[] key, byte[] data) { hashMap.put(ByteBuffer.wrap(key), data); } public byte[] get(byte[] key) { return hashMap.get(ByteBuffer.wrap(key)); } public void close() { hashMap.clear(); } } 21
Step 1: Hashtable construction (basic version) public void buildHashTable() { BigInteger two = BigInteger.valueOf(2); BigInteger minM1 = two.pow(minNumBitsM1 - 1); BigInteger maxM1 = two.pow(maxNumBitsM1); for(BigInteger m1 = minM1; m1.compareTo(maxM1) < 0; m1 = m1.add(BigInteger.ONE)) { byte[] m1PowE = m1.modPow(e, n).toByteArray(); keyValueStore.put(m1PowE, m1.toByteArray()); } } 22
Step 2: Search the hashtable for a match public BigInteger breakRSA(BigInteger c) { BigInteger m = BigInteger.ZERO; BigInteger two = BigInteger.valueOf(2); BigInteger minM2 = two.pow(minNumBitsM2 - 1); BigInteger maxM2 = two.pow(maxNumBitsM2); for(BigInteger m2 = minM2; m2.compareTo(maxM2) < 0; m2 = m2.add(BigInteger.ONE)) { BigInteger m2powe = m2.modPow(e, n); byte[] lhs = c.multiply(m2powe.modInverse(n)).mod(n).toByteArray(); if(keyValueStore.get(lhs) != null) { BigInteger m1 = new BigInteger(keyValueStore.get(lhs)); m = m1.multiply(m2); System.out.println("Match m = " + m + " m1 = " + m1 + " m2 = " + m2); break; } } return m; } 23
Demo client to break Raw RSA (2048-bit modulus) 24
Demo client to break RSA ... 25
~/crypto/RSA$ time java ClientRawRSA Match m = 549986500608 m1 = 892928 m2 = 615936 The plaintext is: 549986500608 real 1m51.176s user 1m1.520s sys 0m4.176s In ~1.5 min Raw RSA is broken 26
11 out of 50 random messages decrypted! 27 $ time java ClientRawRSArandom # of successful RSA breaking = 11 out of 50 real 462m0.941s user 314m21.392s sys 21m22.772s
Conclusion/Discussion 28 ● The main goal was to experiment with meet-in-the-middle attack ● This attack works when RSA is used without any padding ○ Meet-in-the-middle is much better than brute-forcing all possible plaintexts ● The attack is not scalable when the message length is longer than 8 bytes ○ May be upto 10 bytes when using a large farm of computers ● Nevertheless, the attack reverses the plaintext in the order of 2m/2 bits ○ Storage requirement: Need to be able to store 2m/2 rows in the key-value table ● In part-2, I will talk about using advanced databases to store large key-value ● RSA without random padding should be avoided
References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Boneh, A. Joux, and P. Nguyen, “Why Textbook ElGamal and RSA Encryption are Insecure,” AsiaCrypt, 2000 29

Recommended

RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key Cryptography
Md. Shafiul Alam Sagor
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
Komal Singh
 
Rsa Crptosystem
Rsa CrptosystemRsa Crptosystem
Rsa Crptosystem
Amlan Patel
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
Mohamed Loey
 
ECDSA/EdDSA
ECDSA/EdDSAECDSA/EdDSA
ECDSA/EdDSA
JacobBrazeal
 
Cryptography
CryptographyCryptography
Cryptography
Rutuja Solkar
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
UTD Computer Security Group
 

Recommended

RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key Cryptography
Md. Shafiul Alam Sagor
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
Komal Singh
 
Rsa Crptosystem
Rsa CrptosystemRsa Crptosystem
Rsa Crptosystem
Amlan Patel
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
Mohamed Loey
 
ECDSA/EdDSA
ECDSA/EdDSAECDSA/EdDSA
ECDSA/EdDSA
JacobBrazeal
 
Cryptography
CryptographyCryptography
Cryptography
Rutuja Solkar
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
UTD Computer Security Group
 
Network security and cryptography
Network security and cryptographyNetwork security and cryptography
Network security and cryptography
Pavithra renu
 
Cryptography and network security
Cryptography and network security Cryptography and network security
Cryptography and network security
Mahipesh Satija
 
HMAC - HASH FUNCTION AND DIGITAL SIGNATURES
HMAC - HASH FUNCTION AND DIGITAL SIGNATURESHMAC - HASH FUNCTION AND DIGITAL SIGNATURES
HMAC - HASH FUNCTION AND DIGITAL SIGNATURES
PACHIYAPPAN PACHIYAPPAS
 
Elgamal Digital Signature
Elgamal Digital SignatureElgamal Digital Signature
Elgamal Digital Signature
Sou Jana
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
Srilal Buddika
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
Abhishek Gautam
 
Rsa
RsaRsa
Rsa
ismaelhaider
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
Cysinfo Cyber Security Community
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
Shafaan Khaliq Bhatti
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSA
Dr.Florence Dayana
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystem
Samdish Arora
 
Cryptography
CryptographyCryptography
Cryptography
herrberk
 
Hybrid encryption ppt
Hybrid encryption pptHybrid encryption ppt
Hybrid encryption ppt
prashantdahake
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Vipin Tejwani
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
Triad Square InfoSec
 
Rsa
RsaRsa
Rsa
Navneet Sharma
 
13 asymmetric key cryptography
13 asymmetric key cryptography13 asymmetric key cryptography
13 asymmetric key cryptography
drewz lin
 
What is AES? Advanced Encryption Standards
What is AES? Advanced Encryption StandardsWhat is AES? Advanced Encryption Standards
What is AES? Advanced Encryption Standards
Faisal Shahzad Khan
 
Data Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill CipherData Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill Cipher
Aashirwad Kashyap
 
Cryptography
CryptographyCryptography
Cryptography
Jens Patel
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
Dharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
Dharmalingam Ganesan
 

More Related Content

What's hot

13 asymmetric key cryptography
13 asymmetric key cryptography13 asymmetric key cryptography
13 asymmetric key cryptography
drewz lin
 

What's hot (20)

Network security and cryptography
Network security and cryptographyNetwork security and cryptography
Network security and cryptography
 
Cryptography and network security
Cryptography and network security Cryptography and network security
Cryptography and network security
 
HMAC - HASH FUNCTION AND DIGITAL SIGNATURES
HMAC - HASH FUNCTION AND DIGITAL SIGNATURESHMAC - HASH FUNCTION AND DIGITAL SIGNATURES
HMAC - HASH FUNCTION AND DIGITAL SIGNATURES
 
Elgamal Digital Signature
Elgamal Digital SignatureElgamal Digital Signature
Elgamal Digital Signature
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 
Rsa
RsaRsa
Rsa
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSA
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystem
 
Cryptography
CryptographyCryptography
Cryptography
 
Hybrid encryption ppt
Hybrid encryption pptHybrid encryption ppt
Hybrid encryption ppt
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
 
Rsa
RsaRsa
Rsa
 
13 asymmetric key cryptography
13 asymmetric key cryptography13 asymmetric key cryptography
13 asymmetric key cryptography
 
What is AES? Advanced Encryption Standards
What is AES? Advanced Encryption StandardsWhat is AES? Advanced Encryption Standards
What is AES? Advanced Encryption Standards
 
Data Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill CipherData Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill Cipher
 
Cryptography
CryptographyCryptography
Cryptography
 

Similar to RSA without Padding

Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
Dharmalingam Ganesan
 
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptxSecurity_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
shahiduljahid71
 

Similar to RSA without Padding (20)

RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptxSecurity_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Ch09
Ch09Ch09
Ch09
 

More from Dharmalingam Ganesan

More from Dharmalingam Ganesan (17)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 

Recently uploaded (20)

WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 
WSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - KanchanaWSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - Kanchana
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in UgandaWSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in Uganda
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
WSO2Con2024 - Software Delivery in Hybrid Environments
WSO2Con2024 - Software Delivery in Hybrid EnvironmentsWSO2Con2024 - Software Delivery in Hybrid Environments
WSO2Con2024 - Software Delivery in Hybrid Environments
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
 

RSA without Padding

  • 1. Cryptanalysis of Raw RSA Experiments using Meet-in-the-middle Attack Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Goal of this presentation ● Explain how to break Raw RSA (i.e., without padding) ● Present exploits using Meet-in-the-middle attack ● Discuss experimental results 3
  • 4. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory (Abstract Algebra/Discrete Math) ● Modular Arithmetic (Number Theory) ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 4
  • 5. How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 6. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 6
  • 7. 7 Notations and Facts (needed for RSA Trapdoor) GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(p) = p-1, if p is a prime number x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
  • 8. RSA - Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(n)) = 1) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> Note: If p, q, d, or φ(n) is leaked, RSA is broken immediately 8
  • 9. Formal definition of the RSA trapdoor function ● RSA: Zn → Zn ● Let m and c ∈ Zn ● c = RSA(m) = me mod n ● m = RSA-1(c) = cd mod n ● e and d are also called encryption and decryption exponents, respectively ● Note: Attackers know c, e, and n but not d 9
  • 10. RSA Trapdoor ... ● RSACoreEngine.java implements the RSA and RSA-1 functions ○ See the method processBlock ● RSA(input) = inpute mod n { return input.modPow( key.getExponent(), key.getModulus()); } ● The implementation for RSA-1 is a bit involved (Chinese-Remainder Theorem) ○ To speed-up the computation of inputd mod n, it computes inputd mod p and mod q 10
  • 11. Raw RSA (in Java) public static byte[] encrypt(PublicKey pubKey, String message) throws Exception { Cipher cipher = Cipher.getInstance("RSA/ECB/NOPADDING"); cipher.init(Cipher.ENCRYPT_MODE, pubKey); return cipher.doFinal(message.getBytes()); } 11
  • 12. Deterministic behavior of Raw RSA (simple demo) 12 public class RSA_Encrypt { public static void main(String [] args) throws Exception { if(args.length != 3) { System.out.println("Usage: RSA_Encrypt <modulus n> <exponent e> <plaintext>"); System.exit(-1); } BigInteger n = new BigInteger(args[0]); BigInteger e = new BigInteger(args[1]); String plaintext = args[2]; PublicKey pubKey = RSAService.getPublicKey(n, e); byte[] ciphertext = RSAService.encrypt(pubKey, plaintext); System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(ciphertext)); } }
  • 13. No change in the ciphertext for the same plaintext 13 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44 dharmalingam_ganesan11@instance-1:~/crypto/RSA$ dharmalingam_ganesan11@instance- 1:~/crypto/RSA$ java RSA_Encrypt $n $e "It's all Greek to Me" 29B20484723BC302E3E1D13D763AA4CF8E43627B006B431DBE1C3B9887D3A34199CA5FC74B751501D86114DADB444 04563FB5B916E8CDC5EF0EBA43C244671B63493355EE00630114B27E1E154D806ADF94374E8B52BD1D0BFC0823C52 8BE0DA95774B172235E15345DB757173954E3E09CC7213AD77C6F6452F0B63008CF773E5E2369A3CDE3A94B925849 B59410D04B1B5FCB8BD54EA545CEECEFE6BB77BD7E9ABB54D8DF2764471F6C23A66E65B1D5D7266E7E669B0C7AC1C 889420C6B81689CD9965E528F6D94297C6AB95A510A0BB380E22F99B20ABDFE3837459D8AFF6F552F7B20BD908DBE A2906C8809A1A50F4209025C8BEB561DC58E56F13894C44
  • 14. Problem statement: Break the RSA trapdoor function ● Recall that c = RSA(m) = me mod n ○ c is the ciphertext and m is the plaintext ● Breaking of the RSA function means finding m from c ○ Equivalently, reverse the plaintext from the ciphertext ● Formally, given <c, e, n> find m such that RSA(m) = c 14
  • 15. Chosen plaintext attack of RSA trapdoor function ● RSA is a deterministic function (recall the previous demo) ● RSA(m) is always the same for a given public key pair (e, n) ○ That is, the ciphertext is the same when the plaintext m is encrypted again ● In order to find the secret x, the attacker can try all possible m as follows: ○ RSA(u) where u = 0, 1, …, 2n-1 ○ If RSA(u) = RSA(m), then the attacker learns that m must u ● Chosen plaintext attack is easy for small values of public n ● Scalability problem: For very large n (e.g., 1024 bits), it is not feasible to explore the space of 21024 possibilities, for example ○ It is difficult even if the message size is just 64 bits 15
  • 16. Meet-in-the-middle attack - Core Idea ● Recall that the goal is to find the plaintext m such that RSA(m) = c ● What if m can be rewritten as a product of smaller numbers: m = m1 . m2 ● For example, this 64-bit message m = 9223372036854775808 can be rewritten as a product of two 32-bit numbers: ○ m1 = 2147483648 ○ m2 = 4294967296 ● Meet-in-the-middle attack leverages this observation to speed-up the Chosen Plaintext attack ○ Instead of trying all possible n-bit messages, it tries only messages of size n/2 ● It breaks RSA when the unknown plaintext is a product of smaller numbers ○ There are still some scalability issues (will revisit later) 16
  • 17. Meet-in-the-middle attack - Algorithm ● Assume that the unknown message m can be rewritten as a product of two unknown smaller numbers: m = m1 . m2 ● The goal of this attack is to find m1 and m2 from ciphertext c ● c = RSA(m) = me mod n c = (m1. m2)e mod n c = (m1 e. m2 e) mod n c/m2 e = m1 e mod n ● Step 1: Construct a hashtable of the right hand side for all possible m1 ● Step 2: For each possible m2 if c/m2 e is present in the hashtable, them m is recovered by multiplying matching m1 with the current m2 17
  • 18. Step 1: Hashtable H construction 18 Key Value 0e mod n 0 1e mod n 1 2e mod n 2 3e mod n 3 ... ... (m1-1)e mod n m1 - 1
  • 19. Step 2: Search the Hashtable H 19 ● Step 2.1: For each m2, compute c/m2 e mod n ● Step 2.2: Search whether the hashtable H has the key c/m2 e mod n ● Step 2.3: If yes, extract m1 = H(c/m2 e mod n) ○ Terminate the search. Return the plaintext m = m1 . m2 ● Step 2.4: Else, goto Step 2.1 and try the next possible m2
  • 20. Implementation Details: Key-Value Store (Hashtable)public interface IKeyValueStore { public void put(byte[] key, byte[] data); public byte[] get(byte[] key); public void close(); } 20 ● This interface provides an abstraction of hashtable implementations ● Allows plug-and-play of different key-value pair libraries
  • 21. Key-Value Implementation using Java Hashmap public class KeyValueStoreHash implements IKeyValueStore { private HashMap<ByteBuffer, byte[]> hashMap = new HashMap<ByteBuffer, byte[]>(); public KeyValueStoreHash() { } public void put(byte[] key, byte[] data) { hashMap.put(ByteBuffer.wrap(key), data); } public byte[] get(byte[] key) { return hashMap.get(ByteBuffer.wrap(key)); } public void close() { hashMap.clear(); } } 21
  • 22. Step 1: Hashtable construction (basic version) public void buildHashTable() { BigInteger two = BigInteger.valueOf(2); BigInteger minM1 = two.pow(minNumBitsM1 - 1); BigInteger maxM1 = two.pow(maxNumBitsM1); for(BigInteger m1 = minM1; m1.compareTo(maxM1) < 0; m1 = m1.add(BigInteger.ONE)) { byte[] m1PowE = m1.modPow(e, n).toByteArray(); keyValueStore.put(m1PowE, m1.toByteArray()); } } 22
  • 23. Step 2: Search the hashtable for a match public BigInteger breakRSA(BigInteger c) { BigInteger m = BigInteger.ZERO; BigInteger two = BigInteger.valueOf(2); BigInteger minM2 = two.pow(minNumBitsM2 - 1); BigInteger maxM2 = two.pow(maxNumBitsM2); for(BigInteger m2 = minM2; m2.compareTo(maxM2) < 0; m2 = m2.add(BigInteger.ONE)) { BigInteger m2powe = m2.modPow(e, n); byte[] lhs = c.multiply(m2powe.modInverse(n)).mod(n).toByteArray(); if(keyValueStore.get(lhs) != null) { BigInteger m1 = new BigInteger(keyValueStore.get(lhs)); m = m1.multiply(m2); System.out.println("Match m = " + m + " m1 = " + m1 + " m2 = " + m2); break; } } return m; } 23
  • 24. Demo client to break Raw RSA (2048-bit modulus) 24
  • 25. Demo client to break RSA ... 25
  • 26. ~/crypto/RSA$ time java ClientRawRSA Match m = 549986500608 m1 = 892928 m2 = 615936 The plaintext is: 549986500608 real 1m51.176s user 1m1.520s sys 0m4.176s In ~1.5 min Raw RSA is broken 26
  • 27. 11 out of 50 random messages decrypted! 27 $ time java ClientRawRSArandom # of successful RSA breaking = 11 out of 50 real 462m0.941s user 314m21.392s sys 21m22.772s
  • 28. Conclusion/Discussion 28 ● The main goal was to experiment with meet-in-the-middle attack ● This attack works when RSA is used without any padding ○ Meet-in-the-middle is much better than brute-forcing all possible plaintexts ● The attack is not scalable when the message length is longer than 8 bytes ○ May be upto 10 bytes when using a large farm of computers ● Nevertheless, the attack reverses the plaintext in the order of 2m/2 bits ○ Storage requirement: Need to be able to store 2m/2 rows in the key-value table ● In part-2, I will talk about using advanced databases to store large key-value ● RSA without random padding should be avoided
  • 29. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Boneh, A. Joux, and P. Nguyen, “Why Textbook ElGamal and RSA Encryption are Insecure,” AsiaCrypt, 2000 29