Computing the Square Roots of Unity to break RSA using Quantum Algorithms (Dharmalingam Ganesan)
We study the problem of finding the square roots of unity in a finite group in order to factor composite numbers used in RSA. We implemented Peter Shor’s algorithm to find the square root of unity. Experimental results showed that finding the square roots of unity in a finite multiplicative group is “hard”.
Slides demonstrate how to break RSA when no padding is applied. I replicated the meet-in-the-middle attack discussed in the existing crypto literature.
This presentation is based on the paper:
"A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" by R.L. Rivest, A. Shamir, and L. Adleman
Slides from the presentation "Modern Cryptography" delivered at Devoxx UK 2013. See Parleys.com for the full video: https://www.parleys.com/speaker/5148920c0364bc17fc5697a5
We will discuss the following: RSA key generation, RSA encryption, RSA decryption, a real-world example, RSA security.
https://www.youtube.com/watch?v=x7QWJ13dgGs&list=PLKYmvyjH53q13_6aS4VwgXU0Nb_4sjwuf&index=7
Results of some basic experiments with the Diffie-Hellman key exchange system. I analyse the key-exchange algorithm using brute force as well as using the Baby-step Giant-step algorithm.
Presentation on lattice-based cryptography, given as part of the Post-Quantum Cryptography course of the PPGCC at UFSC.
ODP version: http://coenc.td.utfpr.edu.br/~giron/presentations/aula_lattice.odp
A primality test is an algorithm for determining whether an input number is prime. Among other fields of mathematics, it is used in cryptography. Factorization is thought to be a computationally difficult problem, whereas primality testing is comparatively easy (its running time is polynomial in the size of the input).
The Unintended Risks of Trusting Active Directory (Will Schroeder)
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
The cryptography puzzle discussed here is part of an online challenge. I demonstrate how I broke RSA when random prime numbers were common among a set of keys. I discuss basic metrics as well as the implementation/design of my exploit scripts.
An RSA private key is made of a few private variables. We analyze how these private variables are chained together. Further, we study whether, if one of the private variables is leaked, we can derive the other private variables. Demos of the algorithms are also provided.
Can we reveal the RSA private exponent d from its public key <e, n>? We study this question for two specific cases: e = 3 and e = 65537. Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small. For example, for 2048-bit RSA, the most significant 1024 bits are revealed!
The slides demonstrate how to break RSA when used incorrectly without integrity checks. The man-in-the-middle is allowed to edit the RSA public exponent e in such a way that the Extended Euclidean Algorithm can be employed to reconstruct the plaintexts from the given ciphertexts.
We experiment with Wiener's attack to break RSA when the secret exponent is short, meaning it is smaller than one quarter of the public modulus size. We discuss cryptanalysis details and present demos of the attack. Our very minor extension of Wiener's attack is also discussed.
If we have an RSA 2048 bits configuration, but our private exponent d is only about 512 bits, then the above attack breaks RSA in a few seconds.
This work uses continued fractions to derive the private keys from the given public keys. It turned out that one can derive the private exponent d by approximating it as the ratio e/n, where both values are public.
In the default settings of standard RSA libraries, this attack and my minor extension are not relevant (to the best of our knowledge). However, if we configure our library to choose a very large public encryption exponent e, then our private decryption exponent d could be short enough to mount an attack.
We study the behavior of the RSA trapdoor function by repeatedly encrypting the ciphertext sent over the public channel. We discuss the problem of finding a cycle in order to reverse the plaintext from the given ciphertext. Simple demos and algorithms/python programs are also presented. While the attack is not necessarily practical, it is educational to learn how the RSA trapdoor function behaves.
We look into the nitty-gritty details of the RSA key generation algorithm. We study how RSA can be exploited when the public exponent e is not chosen carefully. We examine why many digital certificates use e=65537. We also experiment with Hastad's broadcast attack for short RSA exponents in particular.
The slides demonstrate how to reverse the plaintext from the RSA encrypted ciphertext using an oracle that answers the question: is the last bit of the message 0 or 1?
Slides present a demo of exploiting the homomorphic properties of raw RSA (i.e., without any padding) to reverse an RSA ciphertext, without the private key. We have two roles: Adversary and Challenger. The challenger presents a ciphertext to the adversary to break it. The adversary is allowed to ask for encryption/decryption of any text, except the decryption of the challenge ciphertext. The goal of the adversary is to break the ciphertext.
Information and network security 33: RSA algorithm (Vaibhav Khanna)
The RSA algorithm is an asymmetric cryptography algorithm. Asymmetric means that it works with two different keys, a public key and a private key. As the name suggests, the public key is given to everyone and the private key is kept private.
This PPT discusses some programming puzzles related to encryption and emphasises the need to strengthen one's grasp of bit-wise operators.
We study the internal structure of the SRP key exchange protocol and experiment with it. SRP establishes a shared encryption key between communicating parties using passwords that were shared out-of-band. We perform basic cryptanalysis of SRP using open-source implementations. We present a demo of how SRP was compromised due to an implementation bug, allowing the attacker to login without the password. The author of the Go-SRP library promptly fixed the issue on the very same day we reported the vulnerability.
We allow Eve to modify DH parameters as well as public keys of Alice and Bob. This allows Eve to derive the secret key and break the DH crypto system. We demonstrate that the DH key exchange algorithm should not be used without digital signatures.
This was an invited talk at the Central Middle School, Maryland. Without going into a lot of math, I try to explain the fundamental key exchange problem. It was a blast. 8th graders enjoyed it as much as I enjoyed it.
IRSim implements an approach to establish traceability links among artifacts such as requirements, source code, and test cases. This presentation shows how we used IRSim on NASA software to establish traceability links for software analysis, program understanding, quality improvement, etc.
Threat Modeling: Applied on a Publish-Subscribe Architectural Style (Dharmalingam Ganesan)
1. Introduction to threat modeling.
2. Applying threat modeling to identify security vulnerabilities and security threats on a simplified real-world system.
1. Solutions to Online RSA Factoring Challenges
When Ps and Qs are not independent or close to each other
Dr. Dharma Ganesan, Ph.D.
2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty; I accept no responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from the owners
3. Agenda
● Brief overview of public key cryptography
● RSA Key Generation Algorithm
● Integer Factorization Challenges
● Demo - break RSA when Ps and Qs are not independent
● Discussion/Recommendation
Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math
4. Context and Informal Problem Statement
● Online Cryptography challenges
○ proposed by Prof. Dan Boneh
● Break RSA when the random prime factors are
○ not independent of each other
○ or, close to each other
● Basically, we derive the private keys from the given public keys!
5. How can Bob send a message to Alice securely?
Diagram: Alice holds Public Key PuA and Private Key PrA; Bob holds Public Key PuB and Private Key PrB
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
6. RSA Key Generation Algo. (Fits on one page)
1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits)
○ The value of N is not chosen until step 3; a small N is dangerous
2. Pick two independent, large random primes, p and q, of half of N’s bitlength
○ In practice, p and q are not close to each other, to avoid attacks (e.g., Fermat’s factorization)
3. Compute N = p.q (N is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Z_N such that e.d ≡ 1 (mod φ(N))
○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1)
○ e must be relatively prime to φ(N), otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e modulo φ(N)
6. The public key is the pair <N, e> and the private key is the 4-tuple <φ(N), d, p, q>
Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately
7. Notations and Facts for RSA
GCD(x, y): the greatest common divisor of the integers x and y
Co-prime: if gcd(x, y) = 1, then x and y are co-prime
Z_N = { 0, 1, 2, …, N-1 }, N > 0; we may imagine Z_N as a circular wall clock
Z*_N = { x ∈ Z_N | gcd(x, N) = 1 }; Z*_N is a multiplicative group
φ(N): Euler’s Totient function, the number of elements in Z*_N
φ(nm) = φ(n).φ(m) for co-prime n and m (this property is called multiplicative)
φ(p) = p-1, if p is a prime number
x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
8. Three RSA Factoring Challenge Problems
Challenge 1: Break RSA when |p - q| < N^(1/4)
Challenge 2: Break RSA when |p - q| < 2^11 · N^(1/4)
Challenge 3: Break RSA when |3p - 2q| < N^(1/4)
● Breaking the RSA function means finding the prime factors p and q from N, and the plaintext m from a ciphertext c
○ Given N, find p and q such that N = pq
○ Given <c, e, N>, find m such that RSA(m) = c
9. Challenge 1: Visual Representation
● Let A = (p + q)/2
○ Note that A is an even number, since p and q are large primes, which are odd
● In the appendix, we prove that A is the ceiling of the square root of N
10. Core idea of the solution to challenge 1
● Recall that A is the mid-point of p and q
● Thus, there exists an integer x such that
○ A - x = p and
○ A + x = q
● But we know N = pq = (A-x)(A+x) = A^2 - x^2
● Thus, x = sqrt(A^2 - N)
● Since we know A and N, we can find x
● From x and A, we can find p and q
11. Challenge 1: Given an N, print p and q
    import java.math.BigInteger;

    // bigIntSqRootCeil(n) returns the ceiling of the integer square root of n
    // (helper defined elsewhere in the author's program; not shown on this slide)
    public static void main(String[] args) {
        if (args.length < 1) { System.err.println("usage: RSACracking <N>"); return; }
        BigInteger N = new BigInteger(args[0]);
        BigInteger A = bigIntSqRootCeil(N);                         // A = ceil(sqrt(N)) = (p + q)/2
        BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); // x = sqrt(A^2 - N) = (q - p)/2
        BigInteger p = A.subtract(x);
        BigInteger q = A.add(x);
        System.out.println("p = " + p);
        System.out.println("q = " + q);
    }
This program derives the secret prime factors p and q from the given public value N
12. Output of factoring private primes p and q from N
N =
179769313486231590772930519078902473361797697894230657273430081157732675805505620686
985379449212982959585501387537164015710139858647833778606925583497541085196591615128
057575940752635007475935288710823649949940771895617054361149474865046711015101563940
680527540071584560878577663743040086340742855278549092581
$ java RSACracking $N
p =
134078079299425970995740249982058461274793658205923933777235614437217640300736627688
91111614362326998675040546094339320838419523375986027530441562135724301
q =
134078079299425970995740249982058461274793658205923933777235614437217640300737785609
80348930557750569660049234002192590823085163940025485114449475265364281
13. Challenge 1: Given the ciphertext, print the plaintext
● Once we have found p and q, we can easily derive the plaintext as follows
● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) = N - p - q + 1
● Since most implementations choose e = 65537, we can find d easily:
○ e.d ≡ 1 (mod φ(N))
● We know e and φ(N); d is the multiplicative inverse of e modulo φ(N)
○ The Extended Euclidean Algorithm can find d
○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm
● Once we know d, we find the plaintext m as follows:
● m = c^d (mod N)
○ This is called RSA’s decryption function
14. Challenge 1: algorithm/pseudo code
    BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1)); // phi(N) = N - p - q + 1
    BigInteger e = BigInteger.valueOf(65537);
    BigInteger d = e.modInverse(phiN);           // Extended Euclidean Algorithm
    BigInteger c = new BigInteger(args[1]);      // Input ciphertext
    BigInteger m = c.modPow(d, N);               // m = c^d mod N
    System.out.println("m = " + m.toString(16)); // Output plaintext (hex)
15. Inputs RSA public modulus N and ciphertext c
N =
179769313486231590772930519078902473361797697894230657273430081157732675805505620686
985379449212982959585501387537164015710139858647833778606925583497541085196591615128
057575940752635007475935288710823649949940771895617054361149474865046711015101563940
680527540071584560878577663743040086340742855278549092581
c =
220964518674103817763065611348834180174100697878928310717318391436761356001205380042
823296504735094243439462197515122564658399679428894607645420405815647489880137348641
204523252293201764879166664029975091887299716905260832220677716000193292608700095799
93724077458967773697817571267229951148662959627934791540
16. Output: Plaintext m by breaking RSA prime factors
$time java RSACracking $N $c
m =
20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959
a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252
cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004
66163746f72696e67206c65747320757320627265616b205253412e
We were told that the plaintext is padded using the PKCS#1 standard. Thus, the actual plaintext is after the 0x00 byte:
466163746f72696e67206c65747320757320627265616b205253412e
17. Final step: Convert hex to ASCII
$ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd -r -p
Factoring lets us break RSA
● This text was encrypted, but we found it without knowing the private key
● Factors p, q, and m were found in less than a minute
● The main reason was the fact that |p - q| < N^(1/4)
19. Core idea of the solution to challenge 2
● Need to prove that (A - √N) < 2^20 (see the Appendix for my proof)
● In contrast to Challenge 1, A may not be the same as √N
● However, we do know that A is within a distance of 2^20 from √N
● Why not just try all possible values of A, given that 2^20 is a small number
● We start with A = √N and check whether the current pq = N
○ We leverage the solution to challenge 1 to find the current p and q
20. Challenge 2: My algorithm/ pseudo code
BigInteger two = BigInteger.valueOf(2);
BigInteger A = rootN; /* A is initialized to ceiling(sqrt(N)) */
while (true) {
    BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N));
    BigInteger p = A.subtract(x);
    BigInteger q = A.add(x);
    if (A.subtract(rootN).compareTo(two.pow(20)) > 0) { break; } /* give up: A - sqrt(N) exceeds the 2^20 bound */
    if (p.multiply(q).equals(N)) { /* We found the prime factors p and q */
        System.out.println(p);
        System.out.println(q);
        break;
    }
    A = A.add(BigInteger.ONE); /* else keep trying until the 2^20 limit */
}
21. Challenge 2: Input N and Output p and q
N =
64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919
55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852
81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877
$ time java RSACracking_2 $N
p =
25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107
384461557193173304497244814071505790566593206419759
q =
25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632
563509541784734741871379856682354747718346471375403
real 0m19.069s
user 0m18.608s
sys 0m0.036s
In less than a minute the prime factors p and q are found
23. Core idea of the solution to challenge 3
● Challenge 3 promises that 3p and 2q are close, but (3p + 2q) is an odd number, so the midpoint (3p + 2q)/2 is not an integer and the solution to challenge 1 cannot be applied directly
● We can instead work with 6p and 4q: their sum is even, so the midpoint A = (6p + 4q)/2 = 3p + 2q is an integer
● Need to prove that √(24N) is close to A = (6p + 4q)/2 (proof in the appendix)
● Now we can apply the same core idea as in challenge 1
24. Adapting the solution to challenge 1 for challenge 3
● A is the midpoint of 6p and 4q, A = (6p + 4q)/2 = 3p + 2q
● Thus there must be an integer x (namely x = 2q - 3p, taking 6p ≤ 4q; otherwise the roles of the two terms are swapped) with the following properties
○ A - x = 6p, thus p = (A - x)/6
○ A + x = 4q, thus q = (A + x)/4
● Since N = pq, $N = \frac{A - x}{6} \cdot \frac{A + x}{4} = \frac{A^2 - x^2}{24}$
● Thus $x = \sqrt{A^2 - 24N}$
● Since A is the same as the ceiling of √(24N), the factors p and q are computable
● See the Appendix for a proof that A = ceiling(√(24N))
25. Challenge 3: My algorithm/pseudo code
BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N
// A is the ceiling of sqrt(24*N), which the appendix shows equals 3p + 2q
BigInteger A = bigIntSqRootCeil(twentyFourN);
// x is the square root of A^2 - 24N, i.e. |3p - 2q|
BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN));
BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6));
BigInteger q = A.add(x).divide(BigInteger.valueOf(4));
System.out.println("p = " + p);
System.out.println("q = " + q);
26. Input N, Output p and q (in less than 0.5 min)
N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377
904234086641876639384851752649940178970835240791356868774411551320151882793318123090
919962463618968365736431191740949613485246397078852387993968392303646766702216270183
53299443241192173812729276147530748597302192751375739387929
$ time java RSACracking_3 $N
p =
219098495924755330922739885315839558989821760933449290300994235841272120781261500447
21102570957812665127475051465088833555993294644190955293613411658629209
q =
328647743887132996384109827973759338484732641400173935451491353761908181171892400358
25816494954711821626076210364113848440012285863311027426121370050758081
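The searches of slides 20 and 25, rewritten as one added Python example (not the deck's Java; the function names, the isqrt_ceil helper and the toy modulus 10007 * 10037 are this example's own). It generalises both slides to A = ap + bq: since (ap + bq)^2 - 4abN = (ap - bq)^2, A is found by walking up from ceiling(√(4abN)) until A^2 - 4abN is a perfect square. With a = b = 1 this is slide 20, except that A = p + q instead of (p + q)/2, so the 2^20 bound on slide 19 becomes a 2^21 step budget; with a = 3, b = 2 it is slide 25, where 4abN = 24N. The moduli are the ones printed on slides 21 and 26. The last function is the |p - q| > 2^(nlen/2 - 100) check that FIPS 186-4 Appendix B.3.1 imposes on RSA key generation; it rejects the slide-21 key but accepts the slide-26 one, because 3p ≈ 2q is not the same thing as p ≈ q.

```python
"""Fermat-style factoring of RSA moduli with related primes (slides 19-26).

Added example, not the deck's code. N_CHALLENGE_2 and N_CHALLENGE_3 are copied
from slides 21 and 26; the toy modulus 10007 * 10037 in main() is constructed here.
"""
from math import isqrt

N_CHALLENGE_2 = int(
    "64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919"
    "55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852"
    "81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877"
)
N_CHALLENGE_3 = int(
    "7200622637473504252795644355255837383380844514739998418266530579819163556901883377"
    "904234086641876639384851752649940178970835240791356868774411551320151882793318123090"
    "919962463618968365736431191740949613485246397078852387993968392303646766702216270183"
    "53299443241192173812729276147530748597302192751375739387929"
)


def isqrt_ceil(n: int) -> int:
    """Smallest integer >= sqrt(n); plays the role of the deck's bigIntSqRootCeil."""
    r = isqrt(n)
    return r if r * r == n else r + 1


def fermat_weighted(N: int, a: int = 1, b: int = 1, max_steps: int = 1 << 20):
    """Return (p, q) with p * q == N if a*p and b*q are close enough, else None.

    A starts at ceiling(sqrt(4abN)), which already equals a*p + b*q when
    |a*p - b*q| < N^(1/4) (the appendix proves this for a = 3, b = 2), and is
    incremented at most max_steps times, as on slide 20.
    """
    M = 4 * a * b * N
    A = isqrt_ceil(M)
    for _ in range(max_steps):
        r = A * A - M  # equals (a*p - b*q)^2 once A == a*p + b*q
        x = isqrt(r)
        if x * x == r:
            # A - x = 2*min(ap, bq) and A + x = 2*max(ap, bq): try both assignments
            for u, v in ((A - x, A + x), (A + x, A - x)):
                if u % (2 * a) == 0 and v % (2 * b) == 0:
                    p, q = u // (2 * a), v // (2 * b)
                    if 1 < p < N and p * q == N:
                        return (min(p, q), max(p, q))
        A += 1
    return None  # budget exhausted: the primes are not this close


def fips_186_4_prime_distance_ok(p: int, q: int, nlen: int) -> bool:
    """FIPS 186-4 Appendix B.3.1: an nlen-bit modulus needs |p - q| > 2^(nlen/2 - 100)."""
    return abs(p - q) > (1 << (nlen // 2 - 100))


if __name__ == "__main__":
    print("toy modulus 10007 * 10037:", fermat_weighted(10007 * 10037))
    for name, N, a, b, steps in (("challenge 2", N_CHALLENGE_2, 1, 1, 1 << 21),
                                 ("challenge 3", N_CHALLENGE_3, 3, 2, 1)):
        p, q = fermat_weighted(N, a, b, steps)
        print(name, "p =", p)
        print(name, "q =", q)
        print(name, "passes the FIPS 186-4 |p - q| check:",
              fips_186_4_prime_distance_ok(p, q, N.bit_length()))
```

The challenge-2 modulus needs roughly 1.4 * 10^5 increments of A here (about 7 * 10^4 on slide 20, which steps (p + q)/2 instead of p + q), well inside the budget; the challenge-3 modulus factors on the very first A, as the slide-25 code without a loop already implies.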
27. Discussion
● Some RSA implementations do check whether the generated p and q are acceptable
○ They keep generating random primes until acceptable ones are found
○ FIPS 186-4 (Appendix B.3.1), for example, requires |p - q| > 2^(nlen/2 - 100) for an nlen-bit modulus, which rules out the p and q of challenges 1 and 2
● Randomly generated p and q rarely satisfy the constraints of these challenges
○ Unless the underlying random number generation process is very weak
○ I generated 500,000 keys using the Java JDK, but none of the Ps and Qs were very close
● In general, standard implementations do generate p and q randomly and independently
● If p and q are not independent of each other (too close together, or with 3p too close to 2q as in challenge 3), N is factorable
○ The threat applies to every modulus size (e.g., 2048, 4096, etc.): what matters is the gap between the primes, not the size of N
○ A plain |p - q| check does not catch the challenge 3 case, since there p and q themselves are far apart
28. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring
with high bits known,” Eurocrypt, 1996.
● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root-of-a-java-biginteger
30. Prove that √N ≤ A, if A = (p+q)/2
The geometric mean is less than or equal to the arithmetic mean: $\sqrt{pq} \le \frac{p + q}{2}$. Since $N = pq$, this is exactly $\sqrt{N} \le A$.
31. Challenge 1: Prove that ceiling(√N) = A, if A = (p+q)/2
$A^2 - N = \frac{(p+q)^2}{4} - N = \frac{(p-q)^2}{4}$ [since $N = pq$]
$A - \sqrt{N} = \frac{(A - \sqrt{N})(A + \sqrt{N})}{A + \sqrt{N}} = \frac{A^2 - N}{A + \sqrt{N}} = \frac{(p-q)^2}{4(A + \sqrt{N})}$
We know that $\sqrt{N} \le A$ [see previous slide for a proof], so $A + \sqrt{N} \ge 2\sqrt{N}$ and therefore
$A - \sqrt{N} \le \frac{(p-q)^2}{8\sqrt{N}} < \frac{\sqrt{N}}{8\sqrt{N}} = \frac{1}{8} < 1$ [since $|p - q| < N^{1/4}$, so $(p-q)^2 < \sqrt{N}$]
Since A is an integer with $\sqrt{N} \le A < \sqrt{N} + 1$, A must be ceiling(√N).
This proof was given by Prof. Boneh as part of Challenge 1.
33. Challenge 3: Prove that ceiling(√(24N)) = A, if A = (6p+4q)/2 = 3p + 2q
$A^2 - 24N = (3p + 2q)^2 - 24pq = 9p^2 + 12pq + 4q^2 - 24pq = (3p - 2q)^2$ [since $N = pq$]
$A - \sqrt{24N} = \frac{(A - \sqrt{24N})(A + \sqrt{24N})}{A + \sqrt{24N}} = \frac{A^2 - 24N}{A + \sqrt{24N}} = \frac{(3p - 2q)^2}{A + \sqrt{24N}}$
We know that $\sqrt{24N} \le A$ [the geometric mean of 6p and 4q is at most their arithmetic mean: $\sqrt{6p \cdot 4q} \le \frac{6p + 4q}{2}$], so $A + \sqrt{24N} \ge 2\sqrt{24N}$ and therefore
$A - \sqrt{24N} \le \frac{(3p - 2q)^2}{2\sqrt{24N}} < \frac{\sqrt{N}}{2\sqrt{24N}} = \frac{1}{2\sqrt{24}} < 1$ [since the challenge guarantees $|3p - 2q| < N^{1/4}$, so $(3p - 2q)^2 < \sqrt{N}$]
Since A is an integer with $\sqrt{24N} \le A < \sqrt{24N} + 1$, A must be ceiling(√(24N)).
36. Acknowledgement
● Prof. Dan Boneh for constructing these insightful problems
○ Also, offering necessary lemmas to solve these challenges
● My understanding of RSA has improved significantly
○ Still a lot of deeper questions to experiment with in my private time