SlideShare a Scribd company logo

Solutions to online rsa factoring challenges

Dharmalingam Ganesan
Dharmalingam Ganesan

The slides present my solutions to RSA factoring challenges when the prime factors of an RSA modulus are not independent or close to each other.

1 of 36
Download to read offline
Solutions to Online RSA Factoring Challenges When Ps and Qs are not independent or close to each other Dr. Dharma Ganesan, Ph.D.,
Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
Agenda ● Brief overview of public key cryptography ● RSA Key Generation Algorithm ● Integer Factorization Challenges ● Demo - break RSA when Ps and Qs are not independent ● Discussion/Recommendation Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math 3
Context and Informal Problem Statement ● Online Cryptography challenges ○ proposed by Prof. Dan Boneh ● Break RSA when the random prime factors are ○ not independent of each other ○ or, close to each other ● Basically, we derive the private keys from the given public keys! 4
How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
RSA Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits) ○ Value of the parameter N is not chosen until step 3; small N is dangerous 2. Pick two independent, large random primes, p and q, of half of N’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute N= p.q (N is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from ZN such that e.d ≡ 1(mod φ(N)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1) ○ e must be relatively prime to φ(N) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in ZN 6. Public key is the pair <N, e> and private key is 4-tuple <φ(N), d, p, q> Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately 6
7 Notations and Facts for RSA GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes ZN = { 0, 1, 2, …, N-1 }, N > 0; we may imagine ZN as a circular wall clock Z* N = { x ∈ Zn | gcd(x, N) = 1 }; (Z* N is a multiplicative group) φ(N): Euler’s Totient function denotes the number of elements in Z* N φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
Three RSA Factoring Challenge Problems Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 ● Breaking of the RSA function means finding the prime factors p and q from N, and the plaintext m from a ciphertext c ○ Given N, find p and q such that N= pq ○ Given <c, e, N>, find m such that RSA(m) = c 8
Challenge 1: Visual Representation 9 ● Let A = (p + q)/2 ○ Note that A is an even number. since p and q are large primes, which are odd ● In the appendix, we prove that A is the ceiling of the square root of N
Core idea of the solution to challenge 1 ● Recall that A is the mid-point of p and q ● Thus, there exists an integer x such that ○ A - x = p and ○ A + x = q ● But we know N= pq = (A-x)(A+x) = A2 - x2 ● Thus, x = sqrt(A2 - N) ● Since we know A and N, we can find x ● From x and A, we can find p and q 10
Challenge 1: Given an N, print p and q public static void main(String []args){ BigInteger N= new BigInteger(args[0]); // Need to check args length BigInteger A = bigIntSqRootCeil(N); BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); System.out.println("p = " + p); System.out.println("q = " + q); } 11 This program derives secret prime factors p and q from the given public value N
Output of factoring private primes p and q from N N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 $ java RSACracking $N p = 134078079299425970995740249982058461274793658205923933777235614437217640300736627688 91111614362326998675040546094339320838419523375986027530441562135724301 q = 134078079299425970995740249982058461274793658205923933777235614437217640300737785609 80348930557750569660049234002192590823085163940025485114449475265364281 12
Challenge 1: Given the ciphertext print plaintext ● Once we found p and q, we can easily derive the plaintext as follows ● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)= N-p-q+1 ● Since most implementation choose e = 65537 we can find d easily: ○ e.d ≡ 1(mod φ(N)) ● We know e and φ(N). d is a multiplicative inverse of e in φ(N) ○ Extended Euclidean Algorithm can find d ○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm ● Once we know d, we find the plaintext m as follows: ● m = cd (mod N) ○ This is called RSA’s decryption function 13
Challenge 1: algorithm/pseudo code BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1)); BigInteger e = BigInteger.valueOf(65537); BigInteger d = e.modInverse(phiN); BigInteger c = new BigInteger(args[1]); // Input ciphertext BigInteger m = c.modPow(d, N); // m = cd mod N System.out.println("m = " + m.toString(16)); // Output plaintext 14
Inputs RSA public modulus N and ciphertext c N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 c = 220964518674103817763065611348834180174100697878928310717318391436761356001205380042 823296504735094243439462197515122564658399679428894607645420405815647489880137348641 204523252293201764879166664029975091887299716905260832220677716000193292608700095799 93724077458967773697817571267229951148662959627934791540 15
Output: Plaintext m by breaking RSA prime factors $time java RSACracking $N $c m = 20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959 a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252 cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004 66163746f72696e67206c65747320757320627265616b205253412e We were told that the plaintext is padded using PKCS1 standard. Thus, actual plaintext is after the 0x00 byte: 466163746f72696e67206c65747320757320627265616b205253412e 16
Final step: Convert hex to ascii $ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd -r -p Factoring lets us break RSA ● This text was encrypted but we found it without knowing the private key ● Factors p, q, and m were found in less than minute ● The main reason was due to the fact that |p -q| < N1/4 17
Let’s solve Challenge 2 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 18
Core idea of the solution to challenge 2 ● Need to prove that (A - √N) < 220 (See the Appendix for my proof) ● In contrast to Challenge 1, A may not be the same as √N ● However, we do know that A is within the distance of 220 from √N ● Why not just try all possible values of A given that 220 is a small number ● We start with A = √N and check whether the current pq = N ○ We leverage the solution to challenge 1 to find the current p and q 19
Challenge 2: My algorithm/ pseudo code BigInteger A = rootN; /* A is initialized to square root of N */ while(true) { BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); if(A.subtract(rootN).compareTo(two.pow(20)) == 1) { break; } if(p.multiply(q).equals(N)) { /* We found the prime factors p and q */ System.out.println(p); System.out.println(q); break; } A = A.add(BigInteger.ONE) /* else keep trying until 2 20 limit */ } 20
Challenge 2: Input N and Output p and q N = 64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919 55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852 81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877 $time java RSACracking_2 $N p = 25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107 384461557193173304497244814071505790566593206419759 q = 25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632 563509541784734741871379856682354747718346471375403 real 0m19.069s user 0m18.608s sys 0m0.036s 21 In less than a minute the prime factors p and q are found
Let’s solve Challenge 3 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 22
Core idea of the solution to challenge 3 ● Since (3p + 2q) is an odd number, we have to adapt our solution to problem 1 ● We can actually solve for (6p + 4q)/2 since this is an even number ● Need to prove that √(24N) is close to (6p + 4q)/2 (Proof in the appendix) ● Now we can apply the same core idea of Challenge 1 23
Adapting the solution to challenge 1 for challenge 3 ● A is the midpoint of 6p and 4q, A = (6p + 4q)/2 ● Thus, there must be an integer x with the following properties ○ A-x = 6p, thus p = (A-x)/6 ○ A+x =4q, thus q = (A+x)/4 ● Since N= pq, N= (A-x)/6 * (A+x)/4 = (A2 - x2 )/24 ● Thus, x = √(A2 - 24N) ● Since A is the same as ceiling of sqrt(24N), factors p and q are computable ● See the Appendix for a proof that A is the ceiling(√24N) 24
Challenge 3: My algorithm/pseudo code BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N // A is an approximation of sqrt(24*N) BigInteger A = bigIntSqRootCeil(twentyFourN); // x has the square root of A 2 - 24N BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN)); BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6)); BigInteger q = A.add(x).divide(BigInteger.valueOf(4)); System.out.println(“ p = “ + p); System.out.println(“ q = “ + q); 25
Input N, Output p and q (in less than 0.5 min) N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377 904234086641876639384851752649940178970835240791356868774411551320151882793318123090 919962463618968365736431191740949613485246397078852387993968392303646766702216270183 53299443241192173812729276147530748597302192751375739387929 $ time java RSACracking_3 $N p = 219098495924755330922739885315839558989821760933449290300994235841272120781261500447 21102570957812665127475051465088833555993294644190955293613411658629209 q = 328647743887132996384109827973759338484732641400173935451491353761908181171892400358 25816494954711821626076210364113848440012285863311027426121370050758081 26
Discussion ● Some RSA implementations do check whether Ps and Qs are good ○ They keep generating random primes until good Ps and Qs are found ● Random Ps and Qs rarely satisfy the constraints of these Challenges ○ Unless, the underlying random number generation process is very weak ○ I generated 500, 000 keys using Java JDK but none of the Ps and Qs were very close ● In general, standard implementations do generate Ps and Qs randomly ● If Ps and Qs are not independent of each other, RSA is factorable ○ Threat applicable to all stronger RSA modulus size (e.g., 2048, 4096, etc.) 27
References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring with high bits known,” Eurocrypt, 1996. ● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root- of-a-java-biginteger 28
Appendix 29
Prove that √N ≤ A, if A = (p+q)/2 30 Geometric mean is less than or equal to Arithmetic mean
Challenge 1: Prove that ceiling(√N) = A, if A = (p+q)/2 31 A2 -N= (p+q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [see previous slide for a proof] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N) This proof was given by Prof. as part of the Challenge 1
Challenge 2: Prove that A - √N < 220 , if |p-q| < 211 N1/4 32
Challenge 3: Prove that ceiling(√24N) = A, if A = (6p+4q)/2 33 A2 -N= (6p+4q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [geometric mean is less than or equal to arithmetic mean] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
34
35
Acknowledgement ● Prof. Dan Boneh for constructing these insightful problems ○ Also, offering necessary lemmas to solve these challenges ● My understanding of RSA has improved significantly ○ Still a lot of deeper questions to experiment in my private time 36

Recommended

Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Dharmalingam Ganesan
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
Dharmalingam Ganesan
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
Srilal Buddika
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
Modern Cryptography
Modern CryptographyModern Cryptography
Modern Cryptography
James McGivern
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Vipin Tejwani
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
Mohamed Loey
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
Dharmalingam Ganesan
 

Recommended

Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Dharmalingam Ganesan
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
Dharmalingam Ganesan
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
Srilal Buddika
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
Modern Cryptography
Modern CryptographyModern Cryptography
Modern Cryptography
James McGivern
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Vipin Tejwani
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
Mohamed Loey
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
Dharmalingam Ganesan
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
Dharmalingam Ganesan
 
Ch08
Ch08Ch08
Ch08Joe Christensen
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based Cryptography
Alexandre Augusto Giron
 
Primality
PrimalityPrimality
Primality
Mohanasundaram Nattudurai
 
Ch08
Ch08Ch08
Ch08nathanurag
 
First Order Logic resolution
First Order Logic resolutionFirst Order Logic resolution
First Order Logic resolution
Amar Jukuntla
 
Lattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemLattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemVarun Janga
 
Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
Number theory and cryptography
Number theory and cryptographyNumber theory and cryptography
Number theory and cryptography
Yasser Ali
 
Discrete Logarithm Algorithm.pptx
Discrete Logarithm Algorithm.pptxDiscrete Logarithm Algorithm.pptx
Discrete Logarithm Algorithm.pptx
AkankshaKumari28597
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Victor Pereira
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Blowfish Cryptosystem
Blowfish Cryptosystem Blowfish Cryptosystem
Blowfish Cryptosystem
هيثم فرج
 
Password Attacks.pdf
Password Attacks.pdfPassword Attacks.pdf
Password Attacks.pdf
Andy32903
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
AES by example
AES by exampleAES by example
AES by example
Shiraz316
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
Dharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
Dharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
Dharmalingam Ganesan
 

More Related Content

What's hot

On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
Dharmalingam Ganesan
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based Cryptography
Alexandre Augusto Giron
 
Primality
PrimalityPrimality
Primality
Mohanasundaram Nattudurai
 
First Order Logic resolution
First Order Logic resolutionFirst Order Logic resolution
First Order Logic resolution
Amar Jukuntla
 
Lattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemLattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemVarun Janga
 
Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Number theory and cryptography
Number theory and cryptographyNumber theory and cryptography
Number theory and cryptography
Yasser Ali
 
Discrete Logarithm Algorithm.pptx
Discrete Logarithm Algorithm.pptxDiscrete Logarithm Algorithm.pptx
Discrete Logarithm Algorithm.pptx
AkankshaKumari28597
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Victor Pereira
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Blowfish Cryptosystem
Blowfish Cryptosystem Blowfish Cryptosystem
Blowfish Cryptosystem
هيثم فرج
 
Password Attacks.pdf
Password Attacks.pdfPassword Attacks.pdf
Password Attacks.pdf
Andy32903
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
AES by example
AES by exampleAES by example
AES by example
Shiraz316
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
Dharmalingam Ganesan
 

What's hot (20)

On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Ch08
Ch08Ch08
Ch08
 
Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based Cryptography
 
Primality
PrimalityPrimality
Primality
 
Ch08
Ch08Ch08
Ch08
 
First Order Logic resolution
First Order Logic resolutionFirst Order Logic resolution
First Order Logic resolution
 
Lattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemLattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH Cryptosystem
 
Brute force attack
Brute force attackBrute force attack
Brute force attack
 
DES
DESDES
DES
 
Number theory and cryptography
Number theory and cryptographyNumber theory and cryptography
Number theory and cryptography
 
Discrete Logarithm Algorithm.pptx
Discrete Logarithm Algorithm.pptxDiscrete Logarithm Algorithm.pptx
Discrete Logarithm Algorithm.pptx
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
 
Blowfish Cryptosystem
Blowfish Cryptosystem Blowfish Cryptosystem
Blowfish Cryptosystem
 
Password Attacks.pdf
Password Attacks.pdfPassword Attacks.pdf
Password Attacks.pdf
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
AES by example
AES by exampleAES by example
AES by example
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 

Similar to Solutions to online rsa factoring challenges

Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
Dharmalingam Ganesan
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
Dharmalingam Ganesan
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
Dharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
Dharmalingam Ganesan
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
Dharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
Dharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
Dharmalingam Ganesan
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
Anver S R
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
Dharmalingam Ganesan
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
Dharmalingam Ganesan
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
Vaibhav Khanna
 
Rsa algorithm
Rsa algorithmRsa algorithm
Rsa algorithm
MDKAWSARAHMEDSAGAR
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
MuhammadAbdullah311866
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39sravanbabu
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
FahmiOlayah
 
Nbvtalkatbzaonencryptionpuzzles
NbvtalkatbzaonencryptionpuzzlesNbvtalkatbzaonencryptionpuzzles
Nbvtalkatbzaonencryptionpuzzles
Nagasuri Bala Venkateswarlu
 
Nbvtalkatbzaonencryptionpuzzles
NbvtalkatbzaonencryptionpuzzlesNbvtalkatbzaonencryptionpuzzles
Nbvtalkatbzaonencryptionpuzzles
Nagasuri Bala Venkateswarlu
 
factoring
factoringfactoring
factoring
Harish Sahu
 
Algorithms - A Sneak Peek
Algorithms - A Sneak PeekAlgorithms - A Sneak Peek
Algorithms - A Sneak Peek
BADR
 
Unit-1 DAA_Notes.pdf
Unit-1 DAA_Notes.pdfUnit-1 DAA_Notes.pdf
Unit-1 DAA_Notes.pdf
AmayJaiswal4
 

Similar to Solutions to online rsa factoring challenges (20)

Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
Rsa algorithm
Rsa algorithmRsa algorithm
Rsa algorithm
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
Nbvtalkatbzaonencryptionpuzzles
NbvtalkatbzaonencryptionpuzzlesNbvtalkatbzaonencryptionpuzzles
Nbvtalkatbzaonencryptionpuzzles
 
Nbvtalkatbzaonencryptionpuzzles
NbvtalkatbzaonencryptionpuzzlesNbvtalkatbzaonencryptionpuzzles
Nbvtalkatbzaonencryptionpuzzles
 
factoring
factoringfactoring
factoring
 
Algorithms - A Sneak Peek
Algorithms - A Sneak PeekAlgorithms - A Sneak Peek
Algorithms - A Sneak Peek
 
Unit-1 DAA_Notes.pdf
Unit-1 DAA_Notes.pdfUnit-1 DAA_Notes.pdf
Unit-1 DAA_Notes.pdf
 

More from Dharmalingam Ganesan

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
Dharmalingam Ganesan
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
Dharmalingam Ganesan
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
Dharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
Dharmalingam Ganesan
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
Dharmalingam Ganesan
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
Dharmalingam Ganesan
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
Dharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
Dharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
Dharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
Dharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
Dharmalingam Ganesan
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
Dharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
Dharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
Dharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 

More from Dharmalingam Ganesan (16)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key Exchange
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
KrzysztofKkol1
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
ayushiqss
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 

Recently uploaded (20)

Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 

Solutions to online rsa factoring challenges

  • 1. Solutions to Online RSA Factoring Challenges When Ps and Qs are not independent or close to each other Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Agenda ● Brief overview of public key cryptography ● RSA Key Generation Algorithm ● Integer Factorization Challenges ● Demo - break RSA when Ps and Qs are not independent ● Discussion/Recommendation Because of the mathematical nature of RSA, the slides are highly technical with a fair amount of math 3
  • 4. Context and Informal Problem Statement ● Online Cryptography challenges ○ proposed by Prof. Dan Boneh ● Break RSA when the random prime factors are ○ not independent of each other ○ or, close to each other ● Basically, we derive the private keys from the given public keys! 4
  • 5. How can Bob send a message to Alice securely? 5 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 6. RSA Key Generation Algo. (Fits on one page) 1. Select an appropriate bitlength of the RSA modulus N (e.g., 2048 bits) ○ Value of the parameter N is not chosen until step 3; small N is dangerous 2. Pick two independent, large random primes, p and q, of half of N’s bitlength ○ In practice, p and q are not close to each other to avoid attacks (e.g., Fermat’s factorization) 3. Compute N= p.q (N is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from ZN such that e.d ≡ 1(mod φ(N)) ○ Many implementations set e to be 65537 (Note: gcd(e, φ(N)) = 1) ○ e must be relatively prime to φ(N) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in ZN 6. Public key is the pair <N, e> and private key is 4-tuple <φ(N), d, p, q> Note: If p, q, d, or φ(N) is leaked, RSA is broken immediately 6
  • 7. 7 Notations and Facts for RSA GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes ZN = { 0, 1, 2, …, N-1 }, N > 0; we may imagine ZN as a circular wall clock Z* N = { x ∈ Zn | gcd(x, N) = 1 }; (Z* N is a multiplicative group) φ(N): Euler’s Totient function denotes the number of elements in Z* N φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number x ≡ y (mod N) denotes that N divides x-y; x is congruent to y mod N
  • 8. Three RSA Factoring Challenge Problems Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 ● Breaking of the RSA function means finding the prime factors p and q from N, and the plaintext m from a ciphertext c ○ Given N, find p and q such that N= pq ○ Given <c, e, N>, find m such that RSA(m) = c 8
  • 9. Challenge 1: Visual Representation 9 ● Let A = (p + q)/2 ○ Note that A is an even number. since p and q are large primes, which are odd ● In the appendix, we prove that A is the ceiling of the square root of N
  • 10. Core idea of the solution to challenge 1 ● Recall that A is the mid-point of p and q ● Thus, there exists an integer x such that ○ A - x = p and ○ A + x = q ● But we know N= pq = (A-x)(A+x) = A2 - x2 ● Thus, x = sqrt(A2 - N) ● Since we know A and N, we can find x ● From x and A, we can find p and q 10
  • 11. Challenge 1: Given an N, print p and q public static void main(String []args){ BigInteger N= new BigInteger(args[0]); // Need to check args length BigInteger A = bigIntSqRootCeil(N); BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); System.out.println("p = " + p); System.out.println("q = " + q); } 11 This program derives secret prime factors p and q from the given public value N
  • 12. Output of factoring private primes p and q from N N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 $ java RSACracking $N p = 134078079299425970995740249982058461274793658205923933777235614437217640300736627688 91111614362326998675040546094339320838419523375986027530441562135724301 q = 134078079299425970995740249982058461274793658205923933777235614437217640300737785609 80348930557750569660049234002192590823085163940025485114449475265364281 12
  • 13. Challenge 1: Given the ciphertext print plaintext ● Once we found p and q, we can easily derive the plaintext as follows ● Euler’s totient function φ(N) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)= N-p-q+1 ● Since most implementation choose e = 65537 we can find d easily: ○ e.d ≡ 1(mod φ(N)) ● We know e and φ(N). d is a multiplicative inverse of e in φ(N) ○ Extended Euclidean Algorithm can find d ○ I used Java’s BigInteger implementation of the Extended Euclidean Algorithm ● Once we know d, we find the plaintext m as follows: ● m = cd (mod N) ○ This is called RSA’s decryption function 13
  • 14. Challenge 1: algorithm/pseudo code BigInteger phiN = N.subtract(p).subtract(q).add(BigInteger.valueOf(1)); BigInteger e = BigInteger.valueOf(65537); BigInteger d = e.modInverse(phiN); BigInteger c = new BigInteger(args[1]); // Input ciphertext BigInteger m = c.modPow(d, N); // m = cd mod N System.out.println("m = " + m.toString(16)); // Output plaintext 14
  • 15. Inputs RSA public modulus N and ciphertext c N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686 985379449212982959585501387537164015710139858647833778606925583497541085196591615128 057575940752635007475935288710823649949940771895617054361149474865046711015101563940 680527540071584560878577663743040086340742855278549092581 c = 220964518674103817763065611348834180174100697878928310717318391436761356001205380042 823296504735094243439462197515122564658399679428894607645420405815647489880137348641 204523252293201764879166664029975091887299716905260832220677716000193292608700095799 93724077458967773697817571267229951148662959627934791540 15
  • 16. Output: Plaintext m by breaking RSA prime factors $time java RSACracking $N $c m = 20805907610b524330594e51d5dbbf643f09603731e9817111392d0c64e2739959 a092d4daf979d387520ea7e577af9eb50a29f736925e810ab2fb4640e091a0f73252 cb669d5b62b26764190ed188239fe71e1a7cb9e935d2db55c98b024e1dae46d004 66163746f72696e67206c65747320757320627265616b205253412e We were told that the plaintext is padded using PKCS1 standard. Thus, actual plaintext is after the 0x00 byte: 466163746f72696e67206c65747320757320627265616b205253412e 16
  • 17. Final step: Convert hex to ascii $ echo 466163746f72696e67206c65747320757320627265616b205253412e | xxd -r -p Factoring lets us break RSA ● This text was encrypted but we found it without knowing the private key ● Factors p, q, and m were found in less than minute ● The main reason was due to the fact that |p -q| < N1/4 17
  • 18. Let’s solve Challenge 2 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 18
  • 19. Core idea of the solution to challenge 2 ● Need to prove that (A - √N) < 220 (See the Appendix for my proof) ● In contrast to Challenge 1, A may not be the same as √N ● However, we do know that A is within the distance of 220 from √N ● Why not just try all possible values of A given that 220 is a small number ● We start with A = √N and check whether the current pq = N ○ We leverage the solution to challenge 1 to find the current p and q 19
  • 20. Challenge 2: My algorithm/ pseudo code BigInteger A = rootN; /* A is initialized to square root of N */ while(true) { BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(N)); BigInteger p = A.subtract(x); BigInteger q = A.add(x); if(A.subtract(rootN).compareTo(two.pow(20)) == 1) { break; } if(p.multiply(q).equals(N)) { /* We found the prime factors p and q */ System.out.println(p); System.out.println(q); break; } A = A.add(BigInteger.ONE) /* else keep trying until 2 20 limit */ } 20
  • 21. Challenge 2: Input N and Output p and q N = 64845584280807166966282426534677227872634372070697626306043907037879730861808111646271401527606141756919 55873218402545206554249067198924288448418393532819729885313105117386489659625828215025049902644521008852 81673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877 $time java RSACracking_2 $N p = 25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107 384461557193173304497244814071505790566593206419759 q = 25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632 563509541784734741871379856682354747718346471375403 real 0m19.069s user 0m18.608s sys 0m0.036s 21 In less than a minute the prime factors p and q are found
  • 22. Let’s solve Challenge 3 Challenge 1: Break RSA when |p -q| < N1/4 Challenge 2: Break RSA when |p -q| < 211 N1/4 Challenge 3: Break RSA when |3p-2q| < N1/4 22
  • 23. Core idea of the solution to challenge 3 ● Since (3p + 2q) is an odd number, we have to adapt our solution to problem 1 ● We can actually solve for (6p + 4q)/2 since this is an even number ● Need to prove that √(24N) is close to (6p + 4q)/2 (Proof in the appendix) ● Now we can apply the same core idea of Challenge 1 23
  • 24. Adapting the solution to challenge 1 for challenge 3 ● A is the midpoint of 6p and 4q, A = (6p + 4q)/2 ● Thus, there must be an integer x with the following properties ○ A-x = 6p, thus p = (A-x)/6 ○ A+x =4q, thus q = (A+x)/4 ● Since N= pq, N= (A-x)/6 * (A+x)/4 = (A2 - x2 )/24 ● Thus, x = √(A2 - 24N) ● Since A is the same as ceiling of sqrt(24N), factors p and q are computable ● See the Appendix for a proof that A is the ceiling(√24N) 24
  • 25. Challenge 3: My algorithm/pseudo code BigInteger twentyFourN = BigInteger.valueOf(24).multiply(N); // 24*N // A is an approximation of sqrt(24*N) BigInteger A = bigIntSqRootCeil(twentyFourN); // x has the square root of A 2 - 24N BigInteger x = bigIntSqRootCeil(A.multiply(A).subtract(twentyFourN)); BigInteger p = A.subtract(x).divide(BigInteger.valueOf(6)); BigInteger q = A.add(x).divide(BigInteger.valueOf(4)); System.out.println(“ p = “ + p); System.out.println(“ q = “ + q); 25
  • 26. Input N, Output p and q (in less than 0.5 min) N=7200622637473504252795644355255837383380844514739998418266530579819163556901883377 904234086641876639384851752649940178970835240791356868774411551320151882793318123090 919962463618968365736431191740949613485246397078852387993968392303646766702216270183 53299443241192173812729276147530748597302192751375739387929 $ time java RSACracking_3 $N p = 219098495924755330922739885315839558989821760933449290300994235841272120781261500447 21102570957812665127475051465088833555993294644190955293613411658629209 q = 328647743887132996384109827973759338484732641400173935451491353761908181171892400358 25816494954711821626076210364113848440012285863311027426121370050758081 26
  • 27. Discussion ● Some RSA implementations do check whether Ps and Qs are good ○ They keep generating random primes until good Ps and Qs are found ● Random Ps and Qs rarely satisfy the constraints of these Challenges ○ Unless, the underlying random number generation process is very weak ○ I generated 500, 000 keys using Java JDK but none of the Ps and Qs were very close ● In general, standard implementations do generate Ps and Qs randomly ● If Ps and Qs are not independent of each other, RSA is factorable ○ Threat applicable to all stronger RSA modulus size (e.g., 2048, 4096, etc.) 27
  • 28. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. ● D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring with high bits known,” Eurocrypt, 1996. ● https://stackoverflow.com/questions/4407839/how-can-i-find-the-square-root- of-a-java-biginteger 28
  • 30. Prove that √N ≤ A, if A = (p+q)/2 30 Geometric mean is less than or equal to Arithmetic mean
  • 31. Challenge 1: Prove that ceiling(√N) = A, if A = (p+q)/2 31 A2 -N= (p+q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [see previous slide for a proof] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N) This proof was given by Prof. as part of the Challenge 1
  • 32. Challenge 2: Prove that A - √N < 220 , if |p-q| < 211 N1/4 32
  • 33. Challenge 3: Prove that ceiling(√24N) = A, if A = (6p+4q)/2 33 A2 -N= (6p+4q)2 /4 -N= (p-q)2 /4 [Since N= pq] A - √N = (A - √N)(A + √N)/(A + √N) = (A2 - N)/(A + √N) = (p-q)2 /4(A + √N) We know that √N ≤ A [geometric mean is less than or equal to arithmetic mean] A - √N ≤ (p-q)2 /8√N ≤ √N/(8√N) ≤ ⅛ ≤ 1 [Since |p -q | < N1/4 ] Since A is an integer, (A - √N) ≤ 1 implies that A must be the ceiling(√N)
  • 34. 34
  • 35. 35
  • 36. Acknowledgement ● Prof. Dan Boneh for constructing these insightful problems ○ Also, offering necessary lemmas to solve these challenges ● My understanding of RSA has improved significantly ○ Still a lot of deeper questions to experiment in my private time 36