3. Dan Boneh
Cryptography Professor,
Professor of Electrical Engineering and Senior Fellow at
the Freeman Spogli Institute for International Studies
Research Paper : Boneh, Dan. (2002). Twenty Years of
Attacks on the RSA Cryptosystem
5. CONTENTS
๏ถ Introduction
๏ Introduction to RSA Cryptosystem
๏ Basic Idea Of Attack On RSA
๏ถ Factoring Attacks
๏ factoring the modulus N
๏ Fact & Proof
๏ Open Problem
๏ Chosen Ciphertext Attack
๏ถ Elementary Attacks
๏ Common Modulus Attack
๏ Blinding Attack
7. The Math Behind RSA
๏ฑ p and q are two distinct large prime numbers
๐ต = ๐๐ ๐๐๐ ๐ (๐ต) = (๐ โ ๐) ๐ (๐ โ ๐)
๏ฑ Choose a large random number ๐ > ๐ such that
๐๐๐ (๐ , ๐ (๐ต)) = ๐ and compute the number e, ๐ < ๐ < ๐ (๐ต)
satisfying the congruence
๐๐ โก ๐ ๐๐๐ ๐ (๐ต)
๏ฑ The numbers ๐ต, ๐, ๐ are referred to as the modulus, encryption
exponent and decryption exponent respectively.
๏ฑ The public key is the pair (๐ต, ๐) and the secret trapdoor is ๐ .
8. Basic Idea Of Attack On RSA
๏ In this study, we exploring the challenge of reversing the RSA encryption function without having
the secret "trapdoor" information (represented by the variable d ). This process is commonly
known as "breaking RSA."
๏ Specifically, When given Triple (N,e,C) we're interested in understanding the complexity involved
in computing the eth root of C modulo N = pq, where the factorization of N is unknown.
๏ One way to approach this problem is by systematically checking all possible numbers in the finite
set ๐๐ต until we find the original message M.
๏ However, this method has a significant drawback. Its running time is on the order of N, which
means it grows exponentially with the size of its input.
๏ For instance, if N is 1024 bits long, the running time becomes impractical, being on the order of
๐๐๐๐๐
. This immense number makes the computation infeasible.
9. Basic Idea Of Attack On RSA
๏ But there could be some algorithms to factor large integers. Currently, the
General Number Field Sieve (GNFS) stands as the fastest method for
factoring large integers, ensuring the security of encryption systems.
๏ Our focus lies on highly efficient algorithms with runtime proportional to ๐๐
,
where n = ๐๐๐๐N and c is a small constant (typically < 5).
๏ These algorithms demonstrate practical effectiveness for specific inputs.
๏ In our study, we explore the RSA function's inversion difficulty, making it
challenging for an attacker to recover plaintext M from random inputs. While
basic inversion is difficult, a robust cryptosystem, ensuring semantic security,
must resist subtle attacks, making it infeasible to extract any information about
M even with (N,e,C).
10. Think of your message as a secret locked box. Semantic security
ensures that even if someone sees this locked box, they have no
idea what's inside. It's like having a secret code that not only hides
the message but also keeps any hints about the message
completely hidden. So, even if a hacker has some clues about the
message, they can't decipher it, ensuring the information remains
safe and private. This is crucial for secure communication online.
Semantic Security
12. Factoring Large Integers
๏ The first attack on an RSA public key (N, e) to consider is factoring the modulus N.
๏ If an attacker has the factorization of N, they can easily construct ฯ(N) (Euler's
totient function), from which the decryption exponent d = ๐โ๐
mod ฯ(N) can be
determined.
๏ Factoring the modulus is essentially a brute-force attack on RSA.
๏ Despite the continuous improvement in factoring algorithms, the current state-of-
the-art methods still do not pose a significant threat to the security of properly
implemented RSA.
๏ Factoring large integers remains a captivating problem in computational
mathematics.
13. Factoring Large Integers
๏ For reference, the fastest factoring algorithm currently available is the General
Number Field Sieve, which determines the running time on n-bit integers. Its
running time on n-bit integers
exp
๐ ๐๐
๐
(๐๐๐๐ต)
๐
๐(๐๐๐๐๐๐๐ต)
๐
๐
๏ for some c < 2. Attacks on RSA that take longer than this time bound are not
interesting. These include attacks such as exhaustive search for M and some older
attacks published right after the initial publication of RSA
14. Exhaustive search is a simple but time-consuming method used in
computer science and cryptography. In this approach, every
possible solution is tried systematically until the correct one is
found. It's like trying all the keys in a huge keychain until one fits the
lock. While exhaustive search guarantees finding the right answer
eventually, it can be very slow, especially for complex problems or
large datasets, making it impractical for many real-world situations.
Exhaustive search
15. Factoring Large Integers
๏ Our objective is to explore attacks on RSA that decrypt messages without directly
factoring the RSA modulus N.
๏ It's important to note that some specific sets of RSA moduli, where N = pq, can be
easily factored.
๏ For example, if pโ1 is a product of prime factors smaller than B, then N can be
factored in less than ๐ฉ๐
time. Some implementations actively avoid using primes p
that have pโ1 as a product of small primes.
๏ As previously mentioned, if an efficient factoring algorithm exists, RSA is
considered insecure. However, there is a significant open question: is it necessary
to factor N to efficiently compute eth roots modulo N,
๏ essentially asking whether breaking RSA is as hard as factoring N?
16. Fact
๏ฑ Fact 1:
๏ Given an RSA public key (๐ต, ๐) and its corresponding private key ๐ , the following holds:
๏ If you have the private key ๐ , you can efficiently find the prime factors ( p and q ) of the
modulus ๐ต = ๐๐.
๏ Conversely, if you know the prime factors ( p and q ) of ๐ต, you can efficiently compute the
private key ๐ .
We will show that exposing the private key d and factoring ๐ต are equivalent. Hence there is no
point in hiding the factorization of ๐ต from any party who knows ๐
17. Proof with Explanation
๏ฑFact :Let (๐, ๐) be an RSA public key. Given the private key ๐, one can efficiently factor the modulus
๐ = ๐๐. Conversely, given the factorization of ๐ , one can efficiently recover ๐.
๏ฑ Starting Point:
๏ Given RSA secret key ๐ , aim to find prime numbers ๐ ๐๐๐ ๐ that compose ๐ต.
๏ฑ Calculating k:
๏ Why? k aids crucial calculations.
๏ Explanation: Use ๐ and public exponent ๐ to compute ๐ = ๐ ๐ โ ๐, revealing patterns in modular arithmetic.
๏ฑ Chinese Remainder Theorem (CRT):
๏ Why? CRT unveils key numbers related to ๐ต.
๏ Explanation: CRT yields ๐๐, ๐๐, ๐๐โฒ, ๐๐โฒ, crucial in identifying ๐ and ๐ through diverse cases.
๏ฑ Finding x1 and x2:
๏ Why? Right pair (๐๐, ๐๐) discloses ๐ and ๐.
๏ Explanation: Correct ๐๐, ๐๐ help compute ๐ and ๐ from ๐ต properties.
18. Proof with Explanation
๏ฑFact :Let (๐, ๐) be an RSA public key. Given the private key ๐, one can efficiently factor the modulus
๐ = ๐๐. Conversely, given the factorization of ๐ , one can efficiently recover ๐.
๏ฑ GCD Reveals p and q:
๏ Why? ๐ฎ๐ช๐ซ identifies common factors, crucial for ๐ ๐๐๐ ๐.
๏ Explanation: Compute gcd(๐ โ ๐, ๐ต) for candidates; result reveals prime factors.
๏ฑ Probability and Efficiency:
๏ Why? Random number selection ensures comprehensive exploration.
๏ Explanation: Iterative steps with different random numbers (๐) ensure unbiased, efficient exploration.
๏ฑ Conclusion:
๏ Result: Systematic approach efficiently finds ๐ ๐๐๐ ๐.
๏ Security Assurance: RSA security upheld due to complex, non-reversible nature of these calculations.
๏ Summary: Intricate math, strategic number choice, and specific computations ensure efficient
discovery of ๐ ๐๐๐ ๐ in RSA encryption, preserving its security.
19. Proof with Example
Let ๐ต = ๐๐๐ ๐๐๐ = ๐๐๐ = ๐๐.
1. Calculating ๐: ๐ = ๐ ๐ โ ๐ = ๐๐ ร ๐๐๐ โ ๐ = ๐๐๐๐
2. Using Chinese Remainder Theorem (CRT):
The CRT gives us four numbers: โ๐, โ๐๐โ
, โ๐๐โ
, ๐๐โ
๐๐โ
.
3. Finding the Right ๐๐โ๐๐๐ ๐๐โ:
Let's explore different combinations of ๐๐โ๐๐๐ ๐๐โto find the pair that helps us discover ๐ ๐๐๐ ๐.
๏ Combination 1: ๐๐โ= ๐, ๐๐โ= ๐
๐๐๐ ๐, ๐๐๐ = ๐, ๐๐๐ ( ๐, ๐๐๐ = ๐
This combination doesn't reveal ๐ ๐๐๐ ๐.
๏ Combination 2: ๐๐โ= ๐, ๐๐โ= ๐
๐๐๐ ๐, ๐๐๐ = ๐, ๐๐๐ (๐, ๐๐๐) = ๐,
This combination also doesn't reveal ๐ ๐๐๐ ๐.
๏ Combination 3: ๐๐โ= ๐๐, ๐๐โ= ๐๐
๐๐ ๐ ๐, ๐๐๐ = ๐, ๐๐๐ ( ๐๐, ๐๐๐ = ๐
Still, no luck in finding ๐ ๐๐๐ ๐.
20. Proof with Example
4. Trying Different Random Numbers g:
๏ Random Number 1: ๐ = ๐ , ๐๐๐ ๐, ๐๐๐ = ๐ This doesn't help in finding ๐ ๐๐๐ ๐.
๏ Random Number 2:๐ = ๐, ๐๐๐ ๐, ๐๐๐ = ๐ Still no success.
๏ Random Number 3:๐ = ๐, ๐๐๐ (๐, ๐๐๐) = ๐ We are still searching for the right combination
๏ Random Number 4: ๐ = ๐๐ , ๐๐๐ ๐๐, ๐๐๐ = ๐ The search continues.
๏ Random Number 5:๐ = ๐๐, ๐๐๐ ๐๐, ๐๐๐ = ๐ We are still exploring possibilities.
๏ Random Number 6:๐ = ๐๐, ๐๐๐ (๐๐, ๐๐๐) = ๐ This doesn't help in finding ๐ ๐๐๐ ๐
๏ Random Number 7: ๐ = ๐๐, ๐๐๐ ๐๐, ๐๐๐ = ๐๐
Finally, we found a pair that reveals a common factor (๐๐) with ๐ต = ๐๐๐
๏ So, after trying several combinations and random numbers, we found that when ๐ = ๐๐, the GCD operation
revealed a common factor ๐๐. This means that ๐๐ is one of the prime factors of ๐ต.
๏ To find the other prime factor, divide ๐ต by 11: ๐ช =
๐ต
๐ท
=
๐๐๐
๐๐
= ๐๐
๏ Therefore, the prime factors of ๐ต = ๐๐๐ are ๐ = ๐๐ and ๐ = ๐๐.
21. Open Problem
๏ฑ Problem Description:
Given two integers ๐ต and ๐ satisfying ๐๐๐ (๐, ๐(๐ต)) = ๐, where ๐(๐ต) is Euler's totient
function, define a function ๐๐,๐ต as follows: ๐๐,๐ต ๐ = ๐
๐
๐ ๐๐๐ ๐ต. The question is whether there
exists a polynomial-time algorithm A that can factorize the number ๐ต given ๐ต and access to
an "oracle" ๐๐,๐ต ๐ for some ๐.
๏ฑ Problem Inquiry:
๏ The question asks whether, given the capability to efficiently compute ๐๐,๐ต ๐ for some
specific ๐, is there exists an algorithm A that can efficiently find the prime factors of ?
๏ In simpler terms, if you can quickly calculate the ๐๐๐ ๐๐๐๐๐ ๐๐๐ ๐๐๐ ๐ต, can you also
quickly find the prime factors of ๐ต?
22. Open Problem
๏ฑ Research and Implications :
๏ Boneh and Venkatesan conducted research indicating that for small values of ๐,
finding a solution might be challenging means answer to the problem may be No .
๏ In other words, for small e there may not exist a polynomial-time reduction from
factoring to breaking RSA
๏ A positive solution for small ๐ could lead to an efficient factoring algorithm,
potentially compromising RSA encryption.
๏ A positive solution would also enable a โChosen Ciphertext Attack" a severe
vulnerability in RSA encryption.
๏ Therefore, a negative answer may be welcome .
23. Chosen Ciphertext Attack
๏ฑ Normal Operation:
๏ Alice sends a message to Bob.
๏ The message is encrypted using a strong encryption algorithm and sent to Bob.
๏ Bob receives the encrypted message and decrypts it using the corresponding decryption key.
๏ฑ Chosen Ciphertext Attack Scenario:
๏ An attacker, Eve, intercepts the ciphertext sent from Alice to Bob.
๏ Eve wants to learn the content of Alice's message.
In a chosen ciphertext attack, Eve has the ability to interact with the decryption process. There are two
main types of chosen ciphertext attacks:
๏ CCA1 (Adaptive Chosen Ciphertext Attack)
๏ CCA2 (Non-Adaptive Chosen Ciphertext Attack)
24. CCA1 (Adaptive Chosen Ciphertext Attack)
๏ Bob sends a message to Alice
๏ An attacker, Eve, intercepts the ciphertext sent from Bob to
Alice
๏ Eve sends the intercepted ciphertext to Bob, pretending to be
Alice.
๏ Bob, believing this is a message from Alice, decrypts it and
sends the plaintext back to Eve.
๏ Based on the decrypted content, Eve may craft another
ciphertext that exploits vulnerabilities in the decryption
process or the encryption scheme itself.
๏ She can repeat this process, adapting her queries and
ciphertexts based on the information she gains from previous
responses.
25. CCA1 (Adaptive Chosen Ciphertext Attack)
๏ฑ First Eve listens for a cipher that she want to crack:
๐ช = ๐ด๐
( ๐๐๐ ๐ต )
๏ฑ Next she takes this cipher and gets Bob to decrypt it (and
also multiplying by a random value to the power of Bob's e
value):
๐ชโฒ
= ๐ช ร ๐๐
( ๐๐๐ ๐ต )
๏ฑ If Eve can determine the decrypted value for this cipher, she
can determine the message as:
(๐ชโฒ
)๐
= (๐ช ร ๐๐
)๐
= (๐ด๐
ร ๐๐
)๐
= ๐ด๐ร๐
ร ๐๐ร๐
=M ร ๐ซ
as (๐ด๐
)๐
( ๐๐๐ ๐ต ) must equal ๐ด๐
( ๐๐๐ ๐ต ) )
So Eve just takes the original cipher, and divides it by the random
value ( ๐)
26. CCA2 (Non-Adaptive Chosen Ciphertext Attack)
๏ Eve collects several ciphertexts, including the one she
intercepted earlier, without decrypting them.
๏ She sends all these ciphertexts to Bob at once, pretending to be
Alice.
๏ Bob decrypts all the ciphertexts and sends back the
corresponding plaintexts.
๏ Eve can analyze the decrypted plaintexts collectively to look for
patterns, vulnerabilities, or weaknesses in the encryption scheme.
27. 1. Threat Overview:
Chosen Ciphertext Attacks (CCA) can compromise RSA encryption without proper padding schemes.
1. Secure Padding Solutions:
๏ Randomization with OAEP: Padding methods like OAEP add randomness, making it hard to predict
encrypted messages.
๏ Mathematical Complexity: RSA's math tricks and big numbers make it super tricky to decrypt without the
right key.
๏ Multiplicative Property: Multiplying RSA numbers is so complicated that bad guys can't figure out the
original messages easily.
Using techniques like OAEP fortifies RSA encryption, rendering it highly resilient against chosen ciphertext
attacks.
Chosen Ciphertext Attack
29. Common modulus attack happens when two different
messages are encrypted using the same RSA modulus. By
analyzing the encrypted messages, an attacker can
calculate the original messages without the private key. To
prevent this, it's important to use different moduli for
different encryption keys.
Common Modulus attack
30. Common Modulus attack
๐1 = ๐๐๐
๐2 = ๐๐๐
๐๐
๐๐
M
Consider a scenario where a person encrypts same plain text, 2 different times, which he sends to 2 different people.
Suppose you eavesdropped on the communication and got both the cipher texts (c1, c2) and the exponents(e1, e2) he
used. You already know his Modulus N which is public.
So is there a way you can decipher this ?
Well the answer is yes.
31. Common Modulus attack
๐1 = ๐๐๐
๐2 = ๐๐๐
๐๐
๐๐
M
In order to decrypt it, we use an algorithm called extended euclidean which makes our
tasks much easier. But another condition we need to decrypt this is that the
GCD (e1, e2) = 1
๐๐ ๐๐ + ๐๐ ๐๐ = 1
32. ๏ฑ Decryption Equation :
M = ( (๐ด๐๐)๐๐ ร (๐ด๐๐)๐๐) mod N
= ( ๐ด๐๐๐๐ ร ๐ด๐๐๐๐) mod N
= ( ๐ด๐๐๐๐+๐๐๐๐) mod N
= ( ๐ด๐
) mod N [ ๐๐ ๐๐ + ๐๐ ๐๐ = 1 ]
= M
Common Modulus attack
34. Common Modulus attack EXAMPLE
Q ๐๐ ๐๐ r ๐๐ ๐๐ t
t= ๐๐ โq๐๐
2 17 7 3 0 1 -2
2 7 3 1 1 -2 5
3 3 1 0 -2 5 -17
1 0 5 -17
๏ฑ Letโs find GCD of 7,17 by Extended Euclidean method to get ๐๐ , ๐๐
๏ฑ We Found ๐๐ , ๐๐ . Here ๐๐ = 5 And ๐๐ = -2
35. Common Modulus attack EXAMPLE
๏ฑ Decryption Calculation:
M= (๐๐
๐๐ ร ๐๐
๐๐) Mod N
= ๐๐๐
ร (๐)โ๐
Mod N
= ๐๐๐
ร (๐โ๐
)
๐
Mod N
= ๐๐๐ ร ๐๐ Mod N
= 3 Plain_text
36. ๏ฑ Each user should have a unique modulus (N). Sharing the same N
among multiple users allows potential attackers to exploit the shared
structure, undermining the security of the RSA encryption system.
๏ฑ This observation emphasizes the importance of using a unique
modulus for each user in RSA encryption to maintain the security and
privacy of the communication system.
Common Modulus attack
37. A blinding attack in RSA encryption manipulates ciphertext
using a blinding factor, deceiving the recipient into
decrypting a modified message. This allows attackers to
gather sensitive information or perform unauthorized actions.
Blinding attack
38. Blinding attack
๏ฑ Eve has the message (M - "Pay Eve $1 million")
and creates another message:
๐ดโฒ
= ๐๐
M mod N
๏ฑ where e is Bob's encryption key exponent and r is a
random number. Eve gets Bob to sign for this. The
signature is then:
๐บโฒ
= (๐ดโฒ
)๐
mod N
๏ฑ Bob gives S' to Eve, and she just divides by r to get the
signature for the original message:
๐บโฒ
๐
=
(M ร ๐๐)๐
๐
=
(๐ด๐ ร ๐๐๐ )
๐
=
(๐ด๐ ร ๐๐)
๐
= ๐ด๐
mod (N)
39. Blinding attack
๏ฑ Eve takes Bob signature and adds it to the original
message that Bob wouldn't sign, and she can prove that
Bob signed it. If she is sending to Alice the Banker, she
would take the message:
"๐ท๐๐ ๐ฌ๐๐ $๐ ๐๐๐๐๐๐๐"
๏ฑ and add Bob signature for the message
๐บโฒ
๐
= ๐ด๐
mod (N),
and then encrypt everything with Alice the Banker's public
key. Alice will get the encrypted message and decrypts with
her private key, and reads the message:
"๐ท๐๐ ๐ฌ๐๐ $๐ ๐๐๐๐๐๐๐"
๏ฑ and she then looks at the signature, and gets Bob's public
key and checks the signature. It will match, so she will pays
Eve one million dollars from Bob's account.
40. Blinding attack EXAMPLE
๏ฑ RSA Parameters:
๏ Public Key (e, N): e = 79, N = 3337
๏ Private Key (d): d = 1019
๏ Message to be Signed: "Pay Eve $1 million"
๏ Blinding Factor: r = 21
41. # Import necessary libraries
import sys
import os
import hashlib
import libnum
# Initialize RSA parameters and
message
e = 79
d = 1019
N = 3337
r = 21
Message = 'Pay Eve $1 million'
# Print initial values for
reference
print('== Initial values ==')
print('e =', e, 'd =', d, 'N =', N)
print('Message =', Message, 'r =', r)
print('n=============โ)
# Generate a random MD5 hash
and reduce it modulo N
array = os.urandom(1 << 20)
md5 = hashlib.md5()
md5.update(array)
digest = md5.hexdigest()
M = int(digest, 16) % N
# Print the MD5 hash (mod N)
print('MD5 hash (mod N):', M)
# Bob signs the message using
his private key d
signed = pow(M, d, N)
print('Bob signs the message:', signed)
# Eve blinds the signed message
and sends it to Alice
val_sent_by_eve = (M * pow(r, e, N)) %
N
signed_dash = pow(val_sent_by_eve,
d, N)
print('Eve sends blinded signature to
Alice:', signed_dash)
# Alice receives the blinded
signature and unblinds it
result = (signed_dash *
libnum.invmod(r, N)) % N
print('Alice receives unblinded
signature:', result)
print('n=== Check ==')
# Alice verifies the signature
using Bob's public key e
unsigned = pow(result, e, N)
print('Unsigned value is:', unsigned)
# If the unsigned value matches
the original message M, the
signature is valid
if unsigned == M:
print('Success. The signature is
valid.')
else:
print('Signatures do not compute')
Blinding attack EXAMPLE
42. ๏ผ Signatures schemes often employ a "one-way hash" function to
secure the message (M) before signing, ensuring message integrity
and authenticity.
๏ผ This approach mitigates the risk of message manipulation, making it
computationally challenging for attackers to tamper with the signed
content during transmission.
๏ผ Although blinding was presented as an attack, it is, in fact, a
fundamental property of RSA Properly implemented, it is not a
security threat.
Blinding attack