Presentation on RSA

1. Security Attacks
On RSA
A Computational Number Theoretic Approach
Shahidul Islam Jahid
202324090107

2. Adi Shamir,
Ron Rivest ,
Len Adleman
in 1977

3. Dan Boneh
Cryptography Professor,
Professor of Electrical Engineering and Senior Fellow at
the Freeman Spogli Institute for International Studies
Research Paper : Boneh, Dan. (2002). Twenty Years of
Attacks on the RSA Cryptosystem

4. TABLE OF CONTENTS
01
Introduction
02
Factoring Attacks
03
Elementary
Attacks

5. CONTENTS
 Introduction
 Introduction to RSA Cryptosystem
 Basic Idea Of Attack On RSA
 Factoring Attacks
 factoring the modulus N
 Fact & Proof
 Open Problem
 Chosen Ciphertext Attack
 Elementary Attacks
 Common Modulus Attack
 Blinding Attack

6. Introduction
01

7. The Math Behind RSA
 p and q are two distinct large prime numbers
𝑵 = 𝒑𝒒 𝒂𝒏𝒅 𝝋 (𝑵) = (𝒑 − 𝟏) 𝒙 (𝒒 − 𝟏)
 Choose a large random number 𝒅 > 𝟏 such that
𝒈𝒄𝒅(𝒅, 𝝋 (𝑵)) = 𝟏 and compute the number e, 𝟏 < 𝒆 < 𝝋 (𝑵)
satisfying the congruence
𝒆𝒅 ≡ 𝟏 𝒎𝒐𝒅 𝝋 (𝑵)
 The numbers 𝑵, 𝒆, 𝒅 are referred to as the modulus, encryption
exponent and decryption exponent respectively.
 The public key is the pair (𝑵, 𝒆) and the secret trapdoor is 𝒅.

8. Basic Idea Of Attack On RSA
 In this study, we exploring the challenge of reversing the RSA encryption function without having
the secret "trapdoor" information (represented by the variable d ). This process is commonly
known as "breaking RSA."
 Specifically, When given Triple (N,e,C) we're interested in understanding the complexity involved
in computing the eth root of C modulo N = pq, where the factorization of N is unknown.
 One way to approach this problem is by systematically checking all possible numbers in the finite
set 𝒁𝑵 until we find the original message M.
 However, this method has a significant drawback. Its running time is on the order of N, which
means it grows exponentially with the size of its input.
 For instance, if N is 1024 bits long, the running time becomes impractical, being on the order of
𝟐𝟏𝟎𝟐𝟒
. This immense number makes the computation infeasible.

9. Basic Idea Of Attack On RSA
 But there could be some algorithms to factor large integers. Currently, the
General Number Field Sieve (GNFS) stands as the fastest method for
factoring large integers, ensuring the security of encryption systems.
 Our focus lies on highly efficient algorithms with runtime proportional to 𝒏𝒄
,
where n = 𝒍𝒐𝒈𝟐N and c is a small constant (typically < 5).
 These algorithms demonstrate practical effectiveness for specific inputs.
 In our study, we explore the RSA function's inversion difficulty, making it
challenging for an attacker to recover plaintext M from random inputs. While
basic inversion is difficult, a robust cryptosystem, ensuring semantic security,
must resist subtle attacks, making it infeasible to extract any information about
M even with (N,e,C).

10. Think of your message as a secret locked box. Semantic security
ensures that even if someone sees this locked box, they have no
idea what's inside. It's like having a secret code that not only hides
the message but also keeps any hints about the message
completely hidden. So, even if a hacker has some clues about the
message, they can't decipher it, ensuring the information remains
safe and private. This is crucial for secure communication online.
Semantic Security

11. Factoring Attacks
02

12. Factoring Large Integers
 The first attack on an RSA public key (N, e) to consider is factoring the modulus N.
 If an attacker has the factorization of N, they can easily construct φ(N) (Euler's
totient function), from which the decryption exponent d = 𝒆−𝟏
mod φ(N) can be
determined.
 Factoring the modulus is essentially a brute-force attack on RSA.
 Despite the continuous improvement in factoring algorithms, the current state-of-
the-art methods still do not pose a significant threat to the security of properly
implemented RSA.
 Factoring large integers remains a captivating problem in computational
mathematics.

13. Factoring Large Integers
 For reference, the fastest factoring algorithm currently available is the General
Number Field Sieve, which determines the running time on n-bit integers. Its
running time on n-bit integers
exp
𝟑 𝟔𝟒
𝟗
(𝒍𝒐𝒈𝑵)
𝟏
𝟑(𝒍𝒐𝒈𝒍𝒐𝒈𝑵)
𝟐
𝟑
 for some c < 2. Attacks on RSA that take longer than this time bound are not
interesting. These include attacks such as exhaustive search for M and some older
attacks published right after the initial publication of RSA

14. Exhaustive search is a simple but time-consuming method used in
computer science and cryptography. In this approach, every
possible solution is tried systematically until the correct one is
found. It's like trying all the keys in a huge keychain until one fits the
lock. While exhaustive search guarantees finding the right answer
eventually, it can be very slow, especially for complex problems or
large datasets, making it impractical for many real-world situations.
Exhaustive search

15. Factoring Large Integers
 Our objective is to explore attacks on RSA that decrypt messages without directly
factoring the RSA modulus N.
 It's important to note that some specific sets of RSA moduli, where N = pq, can be
easily factored.
 For example, if p−1 is a product of prime factors smaller than B, then N can be
factored in less than 𝑩𝟑
time. Some implementations actively avoid using primes p
that have p−1 as a product of small primes.
 As previously mentioned, if an efficient factoring algorithm exists, RSA is
considered insecure. However, there is a significant open question: is it necessary
to factor N to efficiently compute eth roots modulo N,
 essentially asking whether breaking RSA is as hard as factoring N?

16. Fact
 Fact 1:
 Given an RSA public key (𝑵, 𝒆) and its corresponding private key 𝒅, the following holds:
 If you have the private key 𝒅, you can efficiently find the prime factors ( p and q ) of the
modulus 𝑵 = 𝒑𝒒.
 Conversely, if you know the prime factors ( p and q ) of 𝑵, you can efficiently compute the
private key 𝒅.
We will show that exposing the private key d and factoring 𝑵 are equivalent. Hence there is no
point in hiding the factorization of 𝑵 from any party who knows 𝒅

17. Proof with Explanation
Fact :Let (𝑁, 𝑒) be an RSA public key. Given the private key 𝑑, one can efficiently factor the modulus
𝑁 = 𝑝𝑞. Conversely, given the factorization of 𝑁 , one can efficiently recover 𝑑.
 Starting Point:
 Given RSA secret key 𝒅, aim to find prime numbers 𝒑 𝒂𝒏𝒅 𝒒 that compose 𝑵.
 Calculating k:
 Why? k aids crucial calculations.
 Explanation: Use 𝒅 and public exponent 𝒆 to compute 𝒌 = 𝒅𝒆 − 𝟏, revealing patterns in modular arithmetic.
 Chinese Remainder Theorem (CRT):
 Why? CRT unveils key numbers related to 𝑵.
 Explanation: CRT yields 𝒙𝟏, 𝒙𝟐, 𝒙𝟏′, 𝒙𝟐′, crucial in identifying 𝒑 and 𝒒 through diverse cases.
 Finding x1 and x2:
 Why? Right pair (𝒙𝟏, 𝒙𝟐) discloses 𝒑 and 𝒒.
 Explanation: Correct 𝒙𝟏, 𝒙𝟐 help compute 𝒑 and 𝒒 from 𝑵 properties.

18. Proof with Explanation
Fact :Let (𝑁, 𝑒) be an RSA public key. Given the private key 𝑑, one can efficiently factor the modulus
𝑁 = 𝑝𝑞. Conversely, given the factorization of 𝑁 , one can efficiently recover 𝑑.
 GCD Reveals p and q:
 Why? 𝑮𝑪𝑫 identifies common factors, crucial for 𝒑 𝒂𝒏𝒅 𝒒.
 Explanation: Compute gcd(𝒙 − 𝟏, 𝑵) for candidates; result reveals prime factors.
 Probability and Efficiency:
 Why? Random number selection ensures comprehensive exploration.
 Explanation: Iterative steps with different random numbers (𝒈) ensure unbiased, efficient exploration.
 Conclusion:
 Result: Systematic approach efficiently finds 𝒑 𝒂𝒏𝒅 𝒒.
 Security Assurance: RSA security upheld due to complex, non-reversible nature of these calculations.
 Summary: Intricate math, strategic number choice, and specific computations ensure efficient
discovery of 𝒑 𝒂𝒏𝒅 𝒒 in RSA encryption, preserving its security.

19. Proof with Example
Let 𝑵 = 𝟏𝟖𝟕 𝒂𝒏𝒅 = 𝟐𝟑𝒅 = 𝟐𝟑.
1. Calculating 𝒌: 𝒌 = 𝒅𝒆 − 𝟏 = 𝟐𝟑 × 𝟏𝟖𝟕 − 𝟏 = 𝟓𝟐𝟗𝟗
2. Using Chinese Remainder Theorem (CRT):
The CRT gives us four numbers: −𝟏, −𝒙𝟏​
, −𝒙𝟐​
, 𝒙𝟏​
𝒙𝟐​
.
3. Finding the Right 𝒙𝟏​𝒂𝒏𝒅 𝒙𝟐​:
Let's explore different combinations of 𝒙𝟏​𝒂𝒏𝒅 𝒙𝟐​to find the pair that helps us discover 𝒑 𝒂𝒏𝒅 𝒒.
 Combination 1: 𝒙𝟏​= 𝟐, 𝒙𝟐​= 𝟑
𝒈𝒄𝒅 𝟏, 𝟏𝟖𝟕 = 𝟏, 𝒈𝒄𝒅( 𝟐, 𝟏𝟖𝟕 = 𝟏
This combination doesn't reveal 𝒑 𝒂𝒏𝒅 𝒒.
 Combination 2: 𝒙𝟏​= 𝟓, 𝒙𝟐​= 𝟕
𝒈𝒄𝒅 𝟒, 𝟏𝟖𝟕 = 𝟏, 𝒈𝒄𝒅(𝟔, 𝟏𝟖𝟕) = 𝟏,
This combination also doesn't reveal 𝒑 𝒂𝒏𝒅 𝒒.
 Combination 3: 𝒙𝟏​= 𝟏𝟎, 𝒙𝟐​= 𝟏𝟑
𝒈𝒄 𝒅 𝟗, 𝟏𝟖𝟕 = 𝟏, 𝒈𝒄𝒅( 𝟏𝟐, 𝟏𝟖𝟕 = 𝟏
Still, no luck in finding 𝒑 𝒂𝒏𝒅 𝒒.

20. Proof with Example
4. Trying Different Random Numbers g:
 Random Number 1: 𝒈 = 𝟑 , 𝒈𝒄𝒅 𝟐, 𝟏𝟖𝟕 = 𝟏 This doesn't help in finding 𝒑 𝒂𝒏𝒅 𝒒.
 Random Number 2:𝒈 = 𝟓, 𝒈𝒄𝒅 𝟒, 𝟏𝟖𝟕 = 𝟏 Still no success.
 Random Number 3:𝒈 = 𝟕, 𝒈𝒄𝒅(𝟔, 𝟏𝟖𝟕) = 𝟏 We are still searching for the right combination
 Random Number 4: 𝒈 = 𝟏𝟏 , 𝒈𝒄𝒅 𝟏𝟎, 𝟏𝟖𝟕 = 𝟏 The search continues.
 Random Number 5:𝒈 = 𝟏𝟑, 𝒈𝒄𝒅 𝟏𝟐, 𝟏𝟖𝟕 = 𝟏 We are still exploring possibilities.
 Random Number 6:𝒈 = 𝟏𝟕, 𝒈𝒄𝒅(𝟏𝟔, 𝟏𝟖𝟕) = 𝟏 This doesn't help in finding 𝒑 𝒂𝒏𝒅 𝒒
 Random Number 7: 𝒈 = 𝟏𝟗, 𝒈𝒄𝒅 𝟏𝟖, 𝟏𝟖𝟕 = 𝟏𝟏
Finally, we found a pair that reveals a common factor (𝟏𝟏) with 𝑵 = 𝟏𝟖𝟕
 So, after trying several combinations and random numbers, we found that when 𝒈 = 𝟏𝟗, the GCD operation
revealed a common factor 𝟏𝟏. This means that 𝟏𝟏 is one of the prime factors of 𝑵.
 To find the other prime factor, divide 𝑵 by 11: 𝐪 =
𝑵
𝑷
=
𝟏𝟖𝟕
𝟏𝟏
= 𝟏𝟕
 Therefore, the prime factors of 𝑵 = 𝟏𝟖𝟕 are 𝒑 = 𝟏𝟏 and 𝒒 = 𝟏𝟕.

21. Open Problem
 Problem Description:
Given two integers 𝑵 and 𝒆 satisfying 𝒈𝒄𝒅(𝒆, 𝝋(𝑵)) = 𝟏, where 𝝋(𝑵) is Euler's totient
function, define a function 𝒇𝒆,𝑵 as follows: 𝒇𝒆,𝑵 𝒙 = 𝒙
𝟏
𝒆 𝒎𝒐𝒅 𝑵. The question is whether there
exists a polynomial-time algorithm A that can factorize the number 𝑵 given 𝑵 and access to
an "oracle" 𝒇𝒆,𝑵 𝒙 for some 𝒆.
 Problem Inquiry:
 The question asks whether, given the capability to efficiently compute 𝒇𝒆,𝑵 𝒙 for some
specific 𝒆, is there exists an algorithm A that can efficiently find the prime factors of ?
 In simpler terms, if you can quickly calculate the 𝒆𝒕𝒉 𝒓𝒐𝒐𝒕𝒔 𝒎𝒐𝒅𝒖𝒍𝒐 𝑵, can you also
quickly find the prime factors of 𝑵?

22. Open Problem
 Research and Implications :
 Boneh and Venkatesan conducted research indicating that for small values of 𝒆,
finding a solution might be challenging means answer to the problem may be No .
 In other words, for small e there may not exist a polynomial-time reduction from
factoring to breaking RSA
 A positive solution for small 𝒆 could lead to an efficient factoring algorithm,
potentially compromising RSA encryption.
 A positive solution would also enable a “Chosen Ciphertext Attack" a severe
vulnerability in RSA encryption.
 Therefore, a negative answer may be welcome .

23. Chosen Ciphertext Attack
 Normal Operation:
 Alice sends a message to Bob.
 The message is encrypted using a strong encryption algorithm and sent to Bob.
 Bob receives the encrypted message and decrypts it using the corresponding decryption key.
 Chosen Ciphertext Attack Scenario:
 An attacker, Eve, intercepts the ciphertext sent from Alice to Bob.
 Eve wants to learn the content of Alice's message.
In a chosen ciphertext attack, Eve has the ability to interact with the decryption process. There are two
main types of chosen ciphertext attacks:
 CCA1 (Adaptive Chosen Ciphertext Attack)
 CCA2 (Non-Adaptive Chosen Ciphertext Attack)

24. CCA1 (Adaptive Chosen Ciphertext Attack)
 Bob sends a message to Alice
 An attacker, Eve, intercepts the ciphertext sent from Bob to
Alice
 Eve sends the intercepted ciphertext to Bob, pretending to be
Alice.
 Bob, believing this is a message from Alice, decrypts it and
sends the plaintext back to Eve.
 Based on the decrypted content, Eve may craft another
ciphertext that exploits vulnerabilities in the decryption
process or the encryption scheme itself.
 She can repeat this process, adapting her queries and
ciphertexts based on the information she gains from previous
responses.

25. CCA1 (Adaptive Chosen Ciphertext Attack)
 First Eve listens for a cipher that she want to crack:
𝑪 = 𝑴𝒆
( 𝒎𝒐𝒅𝑵 )
 Next she takes this cipher and gets Bob to decrypt it (and
also multiplying by a random value to the power of Bob's e
value):
𝑪′
= 𝑪 × 𝒓𝒆
( 𝒎𝒐𝒅𝑵 )
 If Eve can determine the decrypted value for this cipher, she
can determine the message as:
(𝑪′
)𝒅
= (𝑪 × 𝒓𝒆
)𝒅
= (𝑴𝒆
× 𝒓𝒆
)𝒅
= 𝑴𝒆×𝒅
× 𝒓𝒆×𝒅
=M × 𝐫
as (𝑴𝒆
)𝒅
( 𝒎𝒐𝒅𝑵 ) must equal 𝑴𝟏
( 𝒎𝒐𝒅𝑵 ) )
So Eve just takes the original cipher, and divides it by the random
value ( 𝒓)

26. CCA2 (Non-Adaptive Chosen Ciphertext Attack)
 Eve collects several ciphertexts, including the one she
intercepted earlier, without decrypting them.
 She sends all these ciphertexts to Bob at once, pretending to be
Alice.
 Bob decrypts all the ciphertexts and sends back the
corresponding plaintexts.
 Eve can analyze the decrypted plaintexts collectively to look for
patterns, vulnerabilities, or weaknesses in the encryption scheme.

27. 1. Threat Overview:
Chosen Ciphertext Attacks (CCA) can compromise RSA encryption without proper padding schemes.
1. Secure Padding Solutions:
 Randomization with OAEP: Padding methods like OAEP add randomness, making it hard to predict
encrypted messages.
 Mathematical Complexity: RSA's math tricks and big numbers make it super tricky to decrypt without the
right key.
 Multiplicative Property: Multiplying RSA numbers is so complicated that bad guys can't figure out the
original messages easily.
Using techniques like OAEP fortifies RSA encryption, rendering it highly resilient against chosen ciphertext
attacks.
Chosen Ciphertext Attack

28. Elementary Attacks
03

29. Common modulus attack happens when two different
messages are encrypted using the same RSA modulus. By
analyzing the encrypted messages, an attacker can
calculate the original messages without the private key. To
prevent this, it's important to use different moduli for
different encryption keys.
Common Modulus attack

30. Common Modulus attack
𝑐1 = 𝑚𝒆𝟏
𝑐2 = 𝑚𝒆𝟐
𝒆𝟏
𝒆𝟐
M
Consider a scenario where a person encrypts same plain text, 2 different times, which he sends to 2 different people.
Suppose you eavesdropped on the communication and got both the cipher texts (c1, c2) and the exponents(e1, e2) he
used. You already know his Modulus N which is public.
So is there a way you can decipher this ?
Well the answer is yes.

31. Common Modulus attack
𝑐1 = 𝑚𝒆𝟏
𝑐2 = 𝑚𝒆𝟐
𝒆𝟏
𝒆𝟐
M
In order to decrypt it, we use an algorithm called extended euclidean which makes our
tasks much easier. But another condition we need to decrypt this is that the
GCD (e1, e2) = 1
𝒂𝟏 𝒆𝟏 + 𝒂𝟐 𝒆𝟐 = 1

32.  Decryption Equation :
M = ( (𝑴𝒆𝟏)𝒂𝟏 × (𝑴𝒆𝟐)𝒂𝟐) mod N
= ( 𝑴𝒆𝟏𝒂𝟏 × 𝑴𝒆𝟐𝒂𝟐) mod N
= ( 𝑴𝒆𝟏𝒂𝟏+𝒆𝟐𝒂𝟐) mod N
= ( 𝑴𝟏
) mod N [ 𝒂𝟏 𝒆𝟏 + 𝒂𝟐 𝒆𝟐 = 1 ]
= M
Common Modulus attack

33. Common Modulus attack EXAMPLE
 Scenario:
 Modulus (N): 143
 Public Exponents: e1 = 7, e2 = 17
 Cipher Texts: c1 = 42, c2 = 9 [ Plain_Text = 3 ]

34. Common Modulus attack EXAMPLE
Q 𝒓𝟏 𝒓𝟐 r 𝒕𝟏 𝒕𝟐 t
t= 𝒕𝟏 −q𝒕𝟐
2 17 7 3 0 1 -2
2 7 3 1 1 -2 5
3 3 1 0 -2 5 -17
1 0 5 -17
 Let’s find GCD of 7,17 by Extended Euclidean method to get 𝒂𝟏 , 𝒂𝟐
 We Found 𝒂𝟏 , 𝒂𝟐 . Here 𝒂𝟏 = 5 And 𝒂𝟐 = -2

35. Common Modulus attack EXAMPLE
 Decryption Calculation:
M= (𝒄𝟏
𝒂𝟏 × 𝒄𝟐
𝒂𝟐) Mod N
= 𝟒𝟐𝟓
× (𝟗)−𝟐
Mod N
= 𝟒𝟐𝟓
× (𝟗−𝟏
)
𝟐
Mod N
= 𝟒𝟐𝟓 × 𝟏𝟔 Mod N
= 3 Plain_text

36.  Each user should have a unique modulus (N). Sharing the same N
among multiple users allows potential attackers to exploit the shared
structure, undermining the security of the RSA encryption system.
 This observation emphasizes the importance of using a unique
modulus for each user in RSA encryption to maintain the security and
privacy of the communication system.
Common Modulus attack

37. A blinding attack in RSA encryption manipulates ciphertext
using a blinding factor, deceiving the recipient into
decrypting a modified message. This allows attackers to
gather sensitive information or perform unauthorized actions.
Blinding attack

38. Blinding attack
 Eve has the message (M - "Pay Eve $1 million")
and creates another message:
𝑴′
= 𝒓𝒆
M mod N
 where e is Bob's encryption key exponent and r is a
random number. Eve gets Bob to sign for this. The
signature is then:
𝑺′
= (𝑴′
)𝒅
mod N
 Bob gives S' to Eve, and she just divides by r to get the
signature for the original message:
𝑺′
𝒓
=
(M × 𝒓𝒆)𝒅
𝒓
=
(𝑴𝒅 × 𝒓𝒆𝒅)
𝒓
=
(𝑴𝒅 × 𝒓𝟏)
𝒓
= 𝑴𝒅
mod (N)

39. Blinding attack
 Eve takes Bob signature and adds it to the original
message that Bob wouldn't sign, and she can prove that
Bob signed it. If she is sending to Alice the Banker, she
would take the message:
"𝑷𝒂𝒚 𝑬𝒗𝒆 $𝟏 𝒎𝒊𝒍𝒍𝒊𝒐𝒏"
 and add Bob signature for the message
𝑺′
𝒓
= 𝑴𝒅
mod (N),
and then encrypt everything with Alice the Banker's public
key. Alice will get the encrypted message and decrypts with
her private key, and reads the message:
"𝑷𝒂𝒚 𝑬𝒗𝒆 $𝟏 𝒎𝒊𝒍𝒍𝒊𝒐𝒏"
 and she then looks at the signature, and gets Bob's public
key and checks the signature. It will match, so she will pays
Eve one million dollars from Bob's account.

40. Blinding attack EXAMPLE
 RSA Parameters:
 Public Key (e, N): e = 79, N = 3337
 Private Key (d): d = 1019
 Message to be Signed: "Pay Eve $1 million"
 Blinding Factor: r = 21

41. # Import necessary libraries
import sys
import os
import hashlib
import libnum
# Initialize RSA parameters and
message
e = 79
d = 1019
N = 3337
r = 21
Message = 'Pay Eve $1 million'
# Print initial values for
reference
print('== Initial values ==')
print('e =', e, 'd =', d, 'N =', N)
print('Message =', Message, 'r =', r)
print('n=============‘)
# Generate a random MD5 hash
and reduce it modulo N
array = os.urandom(1 << 20)
md5 = hashlib.md5()
md5.update(array)
digest = md5.hexdigest()
M = int(digest, 16) % N
# Print the MD5 hash (mod N)
print('MD5 hash (mod N):', M)
# Bob signs the message using
his private key d
signed = pow(M, d, N)
print('Bob signs the message:', signed)
# Eve blinds the signed message
and sends it to Alice
val_sent_by_eve = (M * pow(r, e, N)) %
N
signed_dash = pow(val_sent_by_eve,
d, N)
print('Eve sends blinded signature to
Alice:', signed_dash)
# Alice receives the blinded
signature and unblinds it
result = (signed_dash *
libnum.invmod(r, N)) % N
print('Alice receives unblinded
signature:', result)
print('n=== Check ==')
# Alice verifies the signature
using Bob's public key e
unsigned = pow(result, e, N)
print('Unsigned value is:', unsigned)
# If the unsigned value matches
the original message M, the
signature is valid
if unsigned == M:
print('Success. The signature is
valid.')
else:
print('Signatures do not compute')
Blinding attack EXAMPLE

42.  Signatures schemes often employ a "one-way hash" function to
secure the message (M) before signing, ensuring message integrity
and authenticity.
 This approach mitigates the risk of message manipulation, making it
computationally challenging for attackers to tamper with the signed
content during transmission.
 Although blinding was presented as an attack, it is, in fact, a
fundamental property of RSA Properly implemented, it is not a
security threat.
Blinding attack

43. THANKS!