Dharmalingam Ganesan, profile picture
Uploaded byDharmalingam Ganesan
PDF, PPTX2,632 views

Solutions to online rsa factoring challenges

The document discusses solutions to online RSA factoring challenges when prime factors p and q are either not independent or close to one another. It outlines the RSA key generation algorithm, integer factorization challenges, and provides technical approaches and algorithms to derive private keys from public keys in these scenarios. The presentation emphasizes the mathematical principles underpinning RSA encryption and the vulnerabilities that arise when the conditions for prime number selection are not met.

Software
Related topics:
Computer Science Basics

Embed presentation

Download as PDF, PPTX
Solutions to Online RSA Factoring Challenges When Ps and Qs are not independent or close to each other Dr. Dharma Ganesan, Ph.D.,
Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
Agenda ● Brief overview of public key cryptography ● RSA Key Generation Algorithm ● Integer Factorization Challenges ● Demo - break RSA when Ps and Qs are not independent ● Discussion/Recommendation Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math 3
Context and Informal Problem Statement ● Online Cryptography challenges ○ proposed by Prof. Dan Boneh ● Break RSA when the random prime factors are ○ not independent of each other ○ or, close to each other ● Basically, we derive the private keys from the given public keys! 4
How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
RSA Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits) ○ Value of the parameter N is not chosen until step 3; small N is dangerous 2. Pick two independent, large random primes, p and q, of half of N’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute N= p.q (N is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from ZN such that e.d ≡ 1(mod φ(N)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1) ○ e must be relatively prime to φ(N) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in ZN 6. Public key is the pair <N, e> and private key is 4-tuple <φ(N), d, p, q> Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately 6
7 Notations and Facts for RSA GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes ZN = { 0, 1, 2, …, N-1 }, N > 0; we may imagine ZN as a circular wall clock Z* N = { x ∈ Zn | gcd(x, N) = 1 }; (Z* N is a multiplicative group) φ(N): Euler’s Totient function denotes the number of elements in Z* N φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
Three RSA Factoring Challenge Problems Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 ● Breaking of the RSA function means finding the prime factors p and q from N, and the plaintext m from a ciphertext c ○ Given N, find p and q such that N= pq ○ Given <c, e, N>, find m such that RSA(m) = c 8
Challenge 1: Visual Representation 9 ● Let A = (p + q)/2 ○ Note that A is an even number. since p and q are large primes, which are odd ● In the appendix, we prove that A is the ceiling of the square root of N
Core idea of the solution to challenge 1 ● Recall that A is the mid-point of p and q ● Thus, there exists an integer x such that ○ A - x = p and ○ A + x = q ● But we know N= pq = (A-x)(A+x) = A2 - x2 ● Thus, x = sqrt(A2 - N) ● Since we know A and N, we can find x ● From x and A, we can find p and q 10
Challenge 1: Given an N, print p and q public static void main(String []args){ BigInteger N= new BigInteger(args[0]); // Need to check args length BigInteger A = bigIntSqRootCeil(N); BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); System.out.println("p = " + p); System.out.println("q = " + q); } 11 This program derives secret prime factors p and q from the given public value N
Output of factoring private primes p and q from N N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 $ java RSACracking $N p = 134078079299425970995740249982058461274793658205923933777235614437217640300736627688 91111614362326998675040546094339320838419523375986027530441562135724301 q = 134078079299425970995740249982058461274793658205923933777235614437217640300737785609 80348930557750569660049234002192590823085163940025485114449475265364281 12
Challenge 1: Given the ciphertext print plaintext ● Once we found p and q, we can easily derive the plaintext as follows ● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)= N-p-q+1 ● Since most implementation choose e = 65537 we can find d easily: ○ e.d ≡ 1(mod φ(N)) ● We know e and φ(N). d is a multiplicative inverse of e in φ(N) ○ Extended Euclidean Algorithm can find d ○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm ● Once we know d, we find the plaintext m as follows: ● m = cd (mod N) ○ This is called RSA’s decryption function 13
Challenge 1: algorithm/pseudo code BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1)); BigInteger e = BigInteger.valueOf(65537); BigInteger d = e.modInverse(phiN); BigInteger c = new BigInteger(args[1]); // Input ciphertext BigInteger m = c.modPow(d, N); // m = cd mod N System.out.println("m = " + m.toString(16)); // Output plaintext 14
Inputs RSA public modulus N and ciphertext c N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 c = 220964518674103817763065611348834180174100697878928310717318391436761356001205380042 823296504735094243439462197515122564658399679428894607645420405815647489880137348641 204523252293201764879166664029975091887299716905260832220677716000193292608700095799 93724077458967773697817571267229951148662959627934791540 15
Output: Plaintext m by breaking RSA prime factors $time java RSACracking $N $c m = 20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959 a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252 cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004 66163746f72696e67206c65747320757320627265616b205253412e We were told that the plaintext is padded using PKCS1 standard. Thus, actual plaintext is after the 0x00 byte: 466163746f72696e67206c65747320757320627265616b205253412e 16
Final step: Convert hex to ascii $ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd -r -p Factoring lets us break RSA ● This text was encrypted but we found it without knowing the private key ● Factors p, q, and m were found in less than minute ● The main reason was due to the fact that |p -q| < N1/4 17
Let’s solve Challenge 2 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 18
Core idea of the solution to challenge 2 ● Need to prove that (A - √N) < 220 (See the Appendix for my proof) ● In contrast to Challenge 1, A may not be the same as √N ● However, we do know that A is within the distance of 220 from √N ● Why not just try all possible values of A given that 220 is a small number ● We start with A = √N and check whether the current pq = N ○ We leverage the solution to challenge 1 to find the current p and q 19
Challenge 2: My algorithm/ pseudo code BigInteger A = rootN; /* A is initialized to square root of N */ while(true) { BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); if(A.subtract(rootN).compareTo(two.pow(20)) == 1) { break; } if(p.multiply(q).equals(N)) { /* We found the prime factors p and q */ System.out.println(p); System.out.println(q); break; } A = A.add(BigInteger.ONE) /* else keep trying until 2 20 limit */ } 20
Challenge 2: Input N and Output p and q N = 64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919 55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852 81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877 $time java RSACracking_2 $N p = 25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107 384461557193173304497244814071505790566593206419759 q = 25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632 563509541784734741871379856682354747718346471375403 real 0m19.069s user 0m18.608s sys 0m0.036s 21 In less than a minute the prime factors p and q are found
Let’s solve Challenge 3 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 22
Core idea of the solution to challenge 3 ● Since (3p + 2q) is an odd number, we have to adapt our solution to problem 1 ● We can actually solve for (6p + 4q)/2 since this is an even number ● Need to prove that √(24N) is close to (6p + 4q)/2 (Proof in the appendix) ● Now we can apply the same core idea of Challenge 1 23
Adapting the solution to challenge 1 for challenge 3 ● A is the midpoint of 6p and 4q, A = (6p + 4q)/2 ● Thus, there must be an integer x with the following properties ○ A-x = 6p, thus p = (A-x)/6 ○ A+x =4q, thus q = (A+x)/4 ● Since N= pq, N= (A-x)/6 * (A+x)/4 = (A2 - x2 )/24 ● Thus, x = √(A2 - 24N) ● Since A is the same as ceiling of sqrt(24N), factors p and q are computable ● See the Appendix for a proof that A is the ceiling(√24N) 24
Challenge 3: My algorithm/pseudo code BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N // A is an approximation of sqrt(24*N) BigInteger A = bigIntSqRootCeil(twentyFourN); // x has the square root of A 2 - 24N BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN)); BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6)); BigInteger q = A.add(x).divide(BigInteger.valueOf(4)); System.out.println(“ p = “ + p); System.out.println(“ q = “ + q); 25
Input N, Output p and q (in less than 0.5 min) N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377 904234086641876639384851752649940178970835240791356868774411551320151882793318123090 919962463618968365736431191740949613485246397078852387993968392303646766702216270183 53299443241192173812729276147530748597302192751375739387929 $ time java RSACracking_3 $N p = 219098495924755330922739885315839558989821760933449290300994235841272120781261500447 21102570957812665127475051465088833555993294644190955293613411658629209 q = 328647743887132996384109827973759338484732641400173935451491353761908181171892400358 25816494954711821626076210364113848440012285863311027426121370050758081 26
Discussion ● Some RSA implementations do check whether Ps and Qs are good ○ They keep generating random primes until good Ps and Qs are found ● Random Ps and Qs rarely satisfy the constraints of these Challenges ○ Unless, the underlying random number generation process is very weak ○ I generated 500, 000 keys using Java JDK but none of the Ps and Qs were very close ● In general, standard implementations do generate Ps and Qs randomly ● If Ps and Qs are not independent of each other, RSA is factorable ○ Threat applicable to all stronger RSA modulus size (e.g., 2048, 4096, etc.) 27
References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring with high bits known,” Eurocrypt, 1996. ● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root- of-a-java-biginteger 28
Appendix 29
Prove that √N ≤ A, if A = (p+q)/2 30 Geometric mean is less than or equal to Arithmetic mean
Challenge 1: Prove that ceiling(√N) = A, if A = (p+q)/2 31 A2 -N= (p+q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [see previous slide for a proof] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N) This proof was given by Prof. as part of the Challenge 1
Challenge 2: Prove that A - √N < 220 , if |p-q| < 211 N1/4 32
Challenge 3: Prove that ceiling(√24N) = A, if A = (6p+4q)/2 33 A2 -N= (6p+4q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [geometric mean is less than or equal to arithmetic mean] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
34
35
Acknowledgement ● Prof. Dan Boneh for constructing these insightful problems ○ Also, offering necessary lemmas to solve these challenges ● My understanding of RSA has improved significantly ○ Still a lot of deeper questions to experiment in my private time 36

More Related Content

PDF
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
byPierre-jean Texier
 
PDF
[NDC2016] TERA 서버의 Modern C++ 활용기
bySang Heon Lee
 
PDF
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...
byAnne Nicolas
 
PDF
Python Installation Guide (1).pdf
bySudhirSubramanya2
 
PDF
Building Embedded Linux Systems Introduction
bySherif Mousa
 
PDF
Using ScyllaDB for Distribution of Game Assets in Unreal Engine
byScyllaDB
 
PPTX
Windows system - memory개념잡기
byChangKyu Song
 
PDF
Quick and Easy Device Drivers for Embedded Linux Using UIO
byChris Simmonds
 
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
byPierre-jean Texier
 
[NDC2016] TERA 서버의 Modern C++ 활용기
bySang Heon Lee
 
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...
byAnne Nicolas
 
Python Installation Guide (1).pdf
bySudhirSubramanya2
 
Building Embedded Linux Systems Introduction
bySherif Mousa
 
Using ScyllaDB for Distribution of Game Assets in Unreal Engine
byScyllaDB
 
Windows system - memory개념잡기
byChangKyu Song
 
Quick and Easy Device Drivers for Embedded Linux Using UIO
byChris Simmonds
 

What's hot

PPTX
Loops in Python
byArockia Abins
 
PDF
rrxv6 Build a Riscv xv6 Kernel in Rust.pdf
byYodalee
 
PPTX
Introduction To TensorFlow | Deep Learning Using TensorFlow | CloudxLab
byCloudxLab
 
PDF
不深不淺,帶你認識 LLVM (Found LLVM in your life)
byDouglas Chen
 
PDF
BPF Internals (eBPF)
byBrendan Gregg
 
PDF
사례를 통해 살펴보는 프로파일링과 최적화 NDC2013
byEsun Kim
 
PDF
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
byValeriy Kravchuk
 
PPTX
Basic Python Introduction Lecture 1.pptx
byAditya Patel
 
PDF
Modern OpenGL Usage: Using Vertex Buffer Objects Well
byMark Kilgard
 
PDF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
byBrendan Gregg
 
PDF
Introduction to python
byMohammed Rafi
 
PPTX
GCC RTL and Machine Description
byPriyatham Bollimpalli
 
PDF
Run Qt on Linux embedded systems using Yocto
byMarco Cavallini
 
PDF
Angelo Compagnucci - Upgrading buildroot based devices with swupdate
bylinuxlab_conf
 
PDF
Boosting I/O Performance with KVM io_uring
byShapeBlue
 
PDF
Velero & Beyond: Backup & Restore for Kubernetes Applications (Cloud Native S...
byChakradhar Rao Jonagam
 
PDF
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
byAnne Nicolas
 
PDF
CNIT 127: Ch 2: Stack overflows on Linux
bySam Bowne
 
PDF
A/B Linux updates with RAUC and meta-rauc-community: now & in the future
byLeon Anavi
 
PDF
Velero search &amp; practice 20210609
byKAI CHU CHUNG
 
Loops in Python
byArockia Abins
 
rrxv6 Build a Riscv xv6 Kernel in Rust.pdf
byYodalee
 
Introduction To TensorFlow | Deep Learning Using TensorFlow | CloudxLab
byCloudxLab
 
不深不淺,帶你認識 LLVM (Found LLVM in your life)
byDouglas Chen
 
BPF Internals (eBPF)
byBrendan Gregg
 
사례를 통해 살펴보는 프로파일링과 최적화 NDC2013
byEsun Kim
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
byValeriy Kravchuk
 
Basic Python Introduction Lecture 1.pptx
byAditya Patel
 
Modern OpenGL Usage: Using Vertex Buffer Objects Well
byMark Kilgard
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
byBrendan Gregg
 
Introduction to python
byMohammed Rafi
 
GCC RTL and Machine Description
byPriyatham Bollimpalli
 
Run Qt on Linux embedded systems using Yocto
byMarco Cavallini
 
Angelo Compagnucci - Upgrading buildroot based devices with swupdate
bylinuxlab_conf
 
Boosting I/O Performance with KVM io_uring
byShapeBlue
 
Velero & Beyond: Backup & Restore for Kubernetes Applications (Cloud Native S...
byChakradhar Rao Jonagam
 
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
byAnne Nicolas
 
CNIT 127: Ch 2: Stack overflows on Linux
bySam Bowne
 
A/B Linux updates with RAUC and meta-rauc-community: now & in the future
byLeon Anavi
 
Velero search &amp; practice 20210609
byKAI CHU CHUNG
 

Similar to Solutions to online rsa factoring challenges

PDF
Dependency Analysis of RSA Private Variables
byDharmalingam Ganesan
 
PDF
Security of RSA and Integer Factorization
byDharmalingam Ganesan
 
PPTX
RSA without Padding
byDharmalingam Ganesan
 
PDF
RSA ALGORITHM
byDr. Shashank Shetty
 
PDF
Analysis of Shared RSA Modulus
byDharmalingam Ganesan
 
PDF
Security Attacks on RSA
byPratik Poddar
 
PPT
implementing the encryption in the JAVA.ppt
byMuhammadAbdullah311866
 
PDF
An Analysis of RSA Public Exponent e
byDharmalingam Ganesan
 
PDF
rsa-1
byaniruddh Tyagi
 
PPT
CHAPTER 06 - RSA cryptosystem,encryption.ppt
byssuser6c0026
 
PPTX
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
byshahiduljahid71
 
PDF
rsa-1
byAniruddh Tyagi
 
PPT
14-applications-of-number-theory.ppt
byIdcIdk1
 
PPT
Chapter 06 rsa cryptosystem
byAnkur Choudhary
 
DOCX
HW 5-RSAascii2str.mfunction str = ascii2str(ascii) .docx
bywellesleyterresa
 
PDF
Twenty years of attacks on the rsa cryptosystem
bylinzi320
 
PDF
On the Secrecy of RSA Private Keys
byDharmalingam Ganesan
 
PDF
RSA without Integrity Checks
byDharmalingam Ganesan
 
PDF
rsa-1
byaniruddh Tyagi
 
PDF
Factorization Hack of RSA Secret Numbers
byUniversitas Pembangunan Panca Budi
 
Dependency Analysis of RSA Private Variables
byDharmalingam Ganesan
 
Security of RSA and Integer Factorization
byDharmalingam Ganesan
 
RSA without Padding
byDharmalingam Ganesan
 
RSA ALGORITHM
byDr. Shashank Shetty
 
Analysis of Shared RSA Modulus
byDharmalingam Ganesan
 
Security Attacks on RSA
byPratik Poddar
 
implementing the encryption in the JAVA.ppt
byMuhammadAbdullah311866
 
An Analysis of RSA Public Exponent e
byDharmalingam Ganesan
 
rsa-1
byaniruddh Tyagi
 
CHAPTER 06 - RSA cryptosystem,encryption.ppt
byssuser6c0026
 
Security_Attacks_On_RSA~ A Computational Number Theoretic Approach.pptx
byshahiduljahid71
 
rsa-1
byAniruddh Tyagi
 
14-applications-of-number-theory.ppt
byIdcIdk1
 
Chapter 06 rsa cryptosystem
byAnkur Choudhary
 
HW 5-RSAascii2str.mfunction str = ascii2str(ascii) .docx
bywellesleyterresa
 
Twenty years of attacks on the rsa cryptosystem
bylinzi320
 
On the Secrecy of RSA Private Keys
byDharmalingam Ganesan
 
RSA without Integrity Checks
byDharmalingam Ganesan
 
rsa-1
byaniruddh Tyagi
 
Factorization Hack of RSA Secret Numbers
byUniversitas Pembangunan Panca Budi
 

More from Dharmalingam Ganesan

PDF
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
byDharmalingam Ganesan
 
PDF
On deriving the private key from a public key
byDharmalingam Ganesan
 
PDF
Analysis of Short RSA Secret Exponent d
byDharmalingam Ganesan
 
PDF
RSA cracking puzzle
byDharmalingam Ganesan
 
PDF
Cyclic Attacks on the RSA Trapdoor Function
byDharmalingam Ganesan
 
PDF
RSA Game using an Oracle
byDharmalingam Ganesan
 
PDF
RSA Two Person Game
byDharmalingam Ganesan
 
PDF
An Analysis of Secure Remote Password (SRP)
byDharmalingam Ganesan
 
PPTX
Software Architecture
byDharmalingam Ganesan
 
PDF
How to exploit rand()?
byDharmalingam Ganesan
 
PDF
.NET Deserialization Attacks
byDharmalingam Ganesan
 
PDF
Reverse Engineering of Module Dependencies
byDharmalingam Ganesan
 
PPTX
How do computers exchange secrets using Math?
byDharmalingam Ganesan
 
PDF
Active Attacks on DH Key Exchange
byDharmalingam Ganesan
 
PPTX
Integer security analysis using smt solver
byDharmalingam Ganesan
 
PDF
Reverse Architecting using Relation Algebra.pdf
byDharmalingam Ganesan
 
PDF
Automated Traceability for Software Engineering Tasks
byDharmalingam Ganesan
 
PDF
Can I write to a read only file ?
byDharmalingam Ganesan
 
PDF
Requirements driven Model-based Testing
byDharmalingam Ganesan
 
PDF
Thank-a-Gram
byDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
byDharmalingam Ganesan
 
On deriving the private key from a public key
byDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
byDharmalingam Ganesan
 
RSA cracking puzzle
byDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
byDharmalingam Ganesan
 
RSA Game using an Oracle
byDharmalingam Ganesan
 
RSA Two Person Game
byDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
byDharmalingam Ganesan
 
Software Architecture
byDharmalingam Ganesan
 
How to exploit rand()?
byDharmalingam Ganesan
 
.NET Deserialization Attacks
byDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
byDharmalingam Ganesan
 
How do computers exchange secrets using Math?
byDharmalingam Ganesan
 
Active Attacks on DH Key Exchange
byDharmalingam Ganesan
 
Integer security analysis using smt solver
byDharmalingam Ganesan
 
Reverse Architecting using Relation Algebra.pdf
byDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
byDharmalingam Ganesan
 
Can I write to a read only file ?
byDharmalingam Ganesan
 
Requirements driven Model-based Testing
byDharmalingam Ganesan
 
Thank-a-Gram
byDharmalingam Ganesan
 

Recently uploaded

PDF
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
PDF
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
PDF
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
PDF
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
PDF
SecureChain AI (SCAI) Token – Smart Contract Security Audit Report by EtherAu...
byEtherAuthority
 
PDF
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
PPTX
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
PDF
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
PDF
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
PDF
Why Zoho Notebook’s AI-Fueled Upgrade Matters for Knowledge Workers in 2026
byEvoluz Global Solutions
 
PPTX
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
PPTX
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PDF
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
PPTX
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PPTX
GDS Integration Solution | GDS Integration Service
byyugababu033
 
PPTX
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
SecureChain AI (SCAI) Token – Smart Contract Security Audit Report by EtherAu...
byEtherAuthority
 
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
Why Zoho Notebook’s AI-Fueled Upgrade Matters for Knowledge Workers in 2026
byEvoluz Global Solutions
 
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
application security presentation 2 by harman
byharmanideapad
 
GDS Integration Solution | GDS Integration Service
byyugababu033
 
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 

Solutions to online rsa factoring challenges

  • 1.
    Solutions to OnlineRSA Factoring Challenges When Ps and Qs are not independent or close to each other Dr. Dharma Ganesan, Ph.D.,
  • 2.
    Disclaimer ● The opinionsexpressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3.
    Agenda ● Brief overviewof public key cryptography ● RSA Key Generation Algorithm ● Integer Factorization Challenges ● Demo - break RSA when Ps and Qs are not independent ● Discussion/Recommendation Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math 3
  • 4.
    Context and InformalProblem Statement ● Online Cryptography challenges ○ proposed by Prof. Dan Boneh ● Break RSA when the random prime factors are ○ not independent of each other ○ or, close to each other ● Basically, we derive the private keys from the given public keys! 4
  • 5.
    How can Bobsend a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 6.
    RSA Key GenerationAlgo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits) ○ Value of the parameter N is not chosen until step 3; small N is dangerous 2. Pick two independent, large random primes, p and q, of half of N’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute N= p.q (N is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from ZN such that e.d ≡ 1(mod φ(N)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1) ○ e must be relatively prime to φ(N) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in ZN 6. Public key is the pair <N, e> and private key is 4-tuple <φ(N), d, p, q> Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately 6
  • 7.
    7 Notations and Factsfor RSA GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes ZN = { 0, 1, 2, …, N-1 }, N > 0; we may imagine ZN as a circular wall clock Z* N = { x ∈ Zn | gcd(x, N) = 1 }; (Z* N is a multiplicative group) φ(N): Euler’s Totient function denotes the number of elements in Z* N φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
  • 8.
    Three RSA FactoringChallenge Problems Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 ● Breaking of the RSA function means finding the prime factors p and q from N, and the plaintext m from a ciphertext c ○ Given N, find p and q such that N= pq ○ Given <c, e, N>, find m such that RSA(m) = c 8
  • 9.
    Challenge 1: VisualRepresentation 9 ● Let A = (p + q)/2 ○ Note that A is an even number. since p and q are large primes, which are odd ● In the appendix, we prove that A is the ceiling of the square root of N
  • 10.
    Core idea ofthe solution to challenge 1 ● Recall that A is the mid-point of p and q ● Thus, there exists an integer x such that ○ A - x = p and ○ A + x = q ● But we know N= pq = (A-x)(A+x) = A2 - x2 ● Thus, x = sqrt(A2 - N) ● Since we know A and N, we can find x ● From x and A, we can find p and q 10
  • 11.
    Challenge 1: Givenan N, print p and q public static void main(String []args){ BigInteger N= new BigInteger(args[0]); // Need to check args length BigInteger A = bigIntSqRootCeil(N); BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); System.out.println("p = " + p); System.out.println("q = " + q); } 11 This program derives secret prime factors p and q from the given public value N
  • 12.
    Output of factoringprivate primes p and q from N N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 $ java RSACracking $N p = 134078079299425970995740249982058461274793658205923933777235614437217640300736627688 91111614362326998675040546094339320838419523375986027530441562135724301 q = 134078079299425970995740249982058461274793658205923933777235614437217640300737785609 80348930557750569660049234002192590823085163940025485114449475265364281 12
  • 13.
    Challenge 1: Giventhe ciphertext print plaintext ● Once we found p and q, we can easily derive the plaintext as follows ● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)= N-p-q+1 ● Since most implementation choose e = 65537 we can find d easily: ○ e.d ≡ 1(mod φ(N)) ● We know e and φ(N). d is a multiplicative inverse of e in φ(N) ○ Extended Euclidean Algorithm can find d ○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm ● Once we know d, we find the plaintext m as follows: ● m = cd (mod N) ○ This is called RSA’s decryption function 13
  • 14.
    Challenge 1: algorithm/pseudocode BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1)); BigInteger e = BigInteger.valueOf(65537); BigInteger d = e.modInverse(phiN); BigInteger c = new BigInteger(args[1]); // Input ciphertext BigInteger m = c.modPow(d, N); // m = cd mod N System.out.println("m = " + m.toString(16)); // Output plaintext 14
  • 15.
    Inputs RSA publicmodulus N and ciphertext c N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 c = 220964518674103817763065611348834180174100697878928310717318391436761356001205380042 823296504735094243439462197515122564658399679428894607645420405815647489880137348641 204523252293201764879166664029975091887299716905260832220677716000193292608700095799 93724077458967773697817571267229951148662959627934791540 15
  • 16.
    Output: Plaintext mby breaking RSA prime factors $time java RSACracking $N $c m = 20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959 a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252 cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004 66163746f72696e67206c65747320757320627265616b205253412e We were told that the plaintext is padded using PKCS1 standard. Thus, actual plaintext is after the 0x00 byte: 466163746f72696e67206c65747320757320627265616b205253412e 16
  • 17.
    Final step: Converthex to ascii $ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd -r -p Factoring lets us break RSA ● This text was encrypted but we found it without knowing the private key ● Factors p, q, and m were found in less than minute ● The main reason was due to the fact that |p -q| < N1/4 17
  • 18.
    Let’s solve Challenge2 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 18
  • 19.
    Core idea ofthe solution to challenge 2 ● Need to prove that (A - √N) < 220 (See the Appendix for my proof) ● In contrast to Challenge 1, A may not be the same as √N ● However, we do know that A is within the distance of 220 from √N ● Why not just try all possible values of A given that 220 is a small number ● We start with A = √N and check whether the current pq = N ○ We leverage the solution to challenge 1 to find the current p and q 19
  • 20.
    Challenge 2: Myalgorithm/ pseudo code BigInteger A = rootN; /* A is initialized to square root of N */ while(true) { BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); if(A.subtract(rootN).compareTo(two.pow(20)) == 1) { break; } if(p.multiply(q).equals(N)) { /* We found the prime factors p and q */ System.out.println(p); System.out.println(q); break; } A = A.add(BigInteger.ONE) /* else keep trying until 2 20 limit */ } 20
  • 21.
    Challenge 2: InputN and Output p and q N = 64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919 55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852 81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877 $time java RSACracking_2 $N p = 25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107 384461557193173304497244814071505790566593206419759 q = 25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632 563509541784734741871379856682354747718346471375403 real 0m19.069s user 0m18.608s sys 0m0.036s 21 In less than a minute the prime factors p and q are found
  • 22.
    Let’s solve Challenge3 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 22
  • 23.
    Core idea ofthe solution to challenge 3 ● Since (3p + 2q) is an odd number, we have to adapt our solution to problem 1 ● We can actually solve for (6p + 4q)/2 since this is an even number ● Need to prove that √(24N) is close to (6p + 4q)/2 (Proof in the appendix) ● Now we can apply the same core idea of Challenge 1 23
  • 24.
    Adapting the solutionto challenge 1 for challenge 3 ● A is the midpoint of 6p and 4q, A = (6p + 4q)/2 ● Thus, there must be an integer x with the following properties ○ A-x = 6p, thus p = (A-x)/6 ○ A+x =4q, thus q = (A+x)/4 ● Since N= pq, N= (A-x)/6 * (A+x)/4 = (A2 - x2 )/24 ● Thus, x = √(A2 - 24N) ● Since A is the same as ceiling of sqrt(24N), factors p and q are computable ● See the Appendix for a proof that A is the ceiling(√24N) 24
  • 25.
    Challenge 3: Myalgorithm/pseudo code BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N // A is an approximation of sqrt(24*N) BigInteger A = bigIntSqRootCeil(twentyFourN); // x has the square root of A 2 - 24N BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN)); BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6)); BigInteger q = A.add(x).divide(BigInteger.valueOf(4)); System.out.println(“ p = “ + p); System.out.println(“ q = “ + q); 25
  • 26.
    Input N, Outputp and q (in less than 0.5 min) N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377 904234086641876639384851752649940178970835240791356868774411551320151882793318123090 919962463618968365736431191740949613485246397078852387993968392303646766702216270183 53299443241192173812729276147530748597302192751375739387929 $ time java RSACracking_3 $N p = 219098495924755330922739885315839558989821760933449290300994235841272120781261500447 21102570957812665127475051465088833555993294644190955293613411658629209 q = 328647743887132996384109827973759338484732641400173935451491353761908181171892400358 25816494954711821626076210364113848440012285863311027426121370050758081 26
  • 27.
    Discussion ● Some RSAimplementations do check whether Ps and Qs are good ○ They keep generating random primes until good Ps and Qs are found ● Random Ps and Qs rarely satisfy the constraints of these Challenges ○ Unless, the underlying random number generation process is very weak ○ I generated 500, 000 keys using Java JDK but none of the Ps and Qs were very close ● In general, standard implementations do generate Ps and Qs randomly ● If Ps and Qs are not independent of each other, RSA is factorable ○ Threat applicable to all stronger RSA modulus size (e.g., 2048, 4096, etc.) 27
  • 28.
    References ● W. Diffieand M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring with high bits known,” Eurocrypt, 1996. ● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root- of-a-java-biginteger 28
  • 29.
  • 30.
    Prove that √N≤ A, if A = (p+q)/2 30 Geometric mean is less than or equal to Arithmetic mean
  • 31.
    Challenge 1: Provethat ceiling(√N) = A, if A = (p+q)/2 31 A2 -N= (p+q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [see previous slide for a proof] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N) This proof was given by Prof. as part of the Challenge 1
  • 32.
    Challenge 2: Provethat A - √N < 220 , if |p-q| < 211 N1/4 32
  • 33.
    Challenge 3: Provethat ceiling(√24N) = A, if A = (6p+4q)/2 33 A2 -N= (6p+4q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [geometric mean is less than or equal to arithmetic mean] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
  • 34.
  • 35.
  • 36.
    Acknowledgement ● Prof. DanBoneh for constructing these insightful problems ○ Also, offering necessary lemmas to solve these challenges ● My understanding of RSA has improved significantly ○ Still a lot of deeper questions to experiment in my private time 36