We study the behavior of the RSA trapdoor function by repeatedly encrypting the ciphertext sent over the public channel. We discuss the problem of finding a cycle in order to reverse the plaintext from the given ciphertext. Simple demos and algorithms/python programs are also presented. While the attack is not necessarily practical, it is educational to learn how the RSA trapdoor function behaves.
2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
3. Question (notations are defined later)
● Let x be some secret that was encrypted using RSA
● Let y be the ciphertext: y = RSA(x)
● What will happen to RSA(RSA(...(RSA(y)))?
● That is, can we uncover the secret x by repeated encryption?
● Of course, attackers don’t know the private key (at least, assume so)
○ They are given access to y as well as RSA public parameters
3
4. Agenda
● Brief overview of the RSA algorithm
● Formal definition of the RSA trapdoor function
● Algorithm/Demos - Cycling around the trapdoor function
● Conclusion
4
5. Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
5
6. How can Bob send a message to Alice securely?
6
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
7. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
7
8. 8
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
9. Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: aφ(n)
≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: ap
≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
9
10. RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q satisfy q < p < 2q to avoid polynomial time factorization algorithms
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
10
11. RSA Trapdoor
● RSA: Zn
→ Zn
● Let x and y ∈ Zn
● y = RSA(x) = xe
mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA-1
(y) = yd
mod n
● e and d are also called encryption and decryption exponents, respectively
● Recall, that e.d ≡ 1(mod φ(n))
● Exercise: Prove that RSA is a bijective function (i.e., one-one and onto)
11
12. Cyclic Encryption of Ciphertext - Idea
12
y0
y1
y2
y3
y4
yt
● y0
= RSA(x0
)
● Problem: Given y0
find its inverse x0
● Solution (Core idea):
● yt
= RSA(yt-1
), t ≥ 1
● Basically, the attacker uses the public key
and recursively encrypts until yt
= y0
● Output: yt
should have been the secret x0
● Since RSA is bijective function, there must
be exist a cycle (see the figure)
13. Cyclic Encryption of Ciphertext - Algorithm
13
# y - ciphertext to reverse (i.e., RSA(x) = y)
# e and n - RSA public exponent and modulus
# returns the secret x
def cyclicEncryption(e, n, y):
numSteps = 0
prevEnc = y
nextEnc = Encrypt(e, n, y)
while nextEnc != y:
prevEnc = nextEnc
nextEnc = Encrypt(e, n, prevEnc)
numSteps+=1
return prevEnc, numSteps
# computes x power e (mod n)
def Encrypt(e, n, x):
return pow(x, e, n)
14. Simple Demo (I)
14
Consider this very small size parameters:
Private:
p = 41
q = 59
d = 1547
x = 872
Public:
e = 3
n = 2419
y = 2110
Can the cyclic attack find the input
plaintext x using the public data: y,
e, and n?
Recall, that RSA(x) = y
15. Simple Demo (1): Finding the cycle
15
Yes!, the cyclic attack found the plaintext 872
- (by repeatedly encrypting the ciphertext until the cycle is detected)
- The number of steps in the cycle is 27
16. Simple Demo (2)
16
Consider this (small) 46-bit RSA parameters:
Private:
p = 7135717
q = 5673043
d = 2649250619657
x = 32094683680129
Public:
e = 65537
n = 40481229376831
y = 34497639643462
Can the cyclic attack find the input
plaintext x using the public data: y, e,
and n?
$ python cyclic_attack.py
Output x = 32094683680129
Number of steps: 14525279
It took ~ 224
steps to find the cycle in
order to derive the plaintext x from the
ciphertext y.
17. Conclusion
17
● Cyclic encryption (using the RSA trapdoor) will reveal the secret plaintext
● However, this attack’s complexity is ~exponential in the length of the key size
○ In general, it takes an exponential number of steps to find the cycle
● Thus, the cyclic attack is not a real threat in practice
○ Nevertheless, it is educational to understand the behavior of trapdoors
● RSA trapdoor should not be directly used; need to use OAEP padding, for example.
○ That is, instead of RSA(x), use RSA(OAEP(x))
○ Avoid padding modes such as RSA/NONE/NoPadding, RSA/ECB/NoPadding, etc.
18. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
18
19. References
● D. Boneh and Victor Shoup, “A Graduate Course in Applied Cryptography,”
https://toc.cryptobook.us/
● J. Katz and Y. Lindell, “Introduction to Modern Cryptography,” (2nd edition),
https://www.cs.umd.edu/~jkatz/imc.html
● G. T. Simmons and J. N. Norris, “Preliminary comments on the M.I.T.
public-key cryptosystem,” Cryptologia 1 (1977), 406-414.
19