We study the behavior of the RSA trapdoor function by repeatedly encrypting the ciphertext sent over the public channel. We discuss the problem of finding a cycle in order to reverse the plaintext from the given ciphertext. Simple demos and algorithms/python programs are also presented. While the attack is not necessarily practical, it is educational to learn how the RSA trapdoor function behaves.

1. Analysis of RSA(RSA(...(RSA(ciphertext))))
Dr. Dharma Ganesan, Ph.D.,

2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2

3. Question (notations are defined later)
● Let x be some secret that was encrypted using RSA
● Let y be the ciphertext: y = RSA(x)
● What will happen to RSA(RSA(...(RSA(y)))?
● That is, can we uncover the secret x by repeated encryption?
● Of course, attackers don’t know the private key (at least, assume so)
○ They are given access to y as well as RSA public parameters
3

4. Agenda
● Brief overview of the RSA algorithm
● Formal definition of the RSA trapdoor function
● Algorithm/Demos - Cycling around the trapdoor function
● Conclusion
4

5. Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
5

6. How can Bob send a message to Alice securely?
6
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB

7. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
7

8. 8
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number

9. Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: aφ(n)
≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: ap
≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
9

10. RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q satisfy q < p < 2q to avoid polynomial time factorization algorithms
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
10

11. RSA Trapdoor
● RSA: Zn
→ Zn
● Let x and y ∈ Zn
● y = RSA(x) = xe
mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA-1
(y) = yd
mod n
● e and d are also called encryption and decryption exponents, respectively
● Recall, that e.d ≡ 1(mod φ(n))
● Exercise: Prove that RSA is a bijective function (i.e., one-one and onto)
11

12. Cyclic Encryption of Ciphertext - Idea
12
y0
y1
y2
y3
y4
yt
● y0
= RSA(x0
)
● Problem: Given y0
find its inverse x0
● Solution (Core idea):
● yt
= RSA(yt-1
), t ≥ 1
● Basically, the attacker uses the public key
and recursively encrypts until yt
= y0
● Output: yt
should have been the secret x0
● Since RSA is bijective function, there must
be exist a cycle (see the figure)

13. Cyclic Encryption of Ciphertext - Algorithm
13
# y - ciphertext to reverse (i.e., RSA(x) = y)
# e and n - RSA public exponent and modulus
# returns the secret x
def cyclicEncryption(e, n, y):
numSteps = 0
prevEnc = y
nextEnc = Encrypt(e, n, y)
while nextEnc != y:
prevEnc = nextEnc
nextEnc = Encrypt(e, n, prevEnc)
numSteps+=1
return prevEnc, numSteps
# computes x power e (mod n)
def Encrypt(e, n, x):
return pow(x, e, n)

14. Simple Demo (I)
14
Consider this very small size parameters:
Private:
p = 41
q = 59
d = 1547
x = 872
Public:
e = 3
n = 2419
y = 2110
Can the cyclic attack find the input
plaintext x using the public data: y,
e, and n?
Recall, that RSA(x) = y

15. Simple Demo (1): Finding the cycle
15
Yes!, the cyclic attack found the plaintext 872
- (by repeatedly encrypting the ciphertext until the cycle is detected)
- The number of steps in the cycle is 27

16. Simple Demo (2)
16
Consider this (small) 46-bit RSA parameters:
Private:
p = 7135717
q = 5673043
d = 2649250619657
x = 32094683680129
Public:
e = 65537
n = 40481229376831
y = 34497639643462
Can the cyclic attack find the input
plaintext x using the public data: y, e,
and n?
$ python cyclic_attack.py
Output x = 32094683680129
Number of steps: 14525279
It took ~ 224
steps to find the cycle in
order to derive the plaintext x from the
ciphertext y.

17. Conclusion
17
● Cyclic encryption (using the RSA trapdoor) will reveal the secret plaintext
● However, this attack’s complexity is ~exponential in the length of the key size
○ In general, it takes an exponential number of steps to find the cycle
● Thus, the cyclic attack is not a real threat in practice
○ Nevertheless, it is educational to understand the behavior of trapdoors
● RSA trapdoor should not be directly used; need to use OAEP padding, for example.
○ That is, instead of RSA(x), use RSA(OAEP(x))
○ Avoid padding modes such as RSA/NONE/NoPadding, RSA/ECB/NoPadding, etc.

18. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
18

19. References
● D. Boneh and Victor Shoup, “A Graduate Course in Applied Cryptography,”
https://toc.cryptobook.us/
● J. Katz and Y. Lindell, “Introduction to Modern Cryptography,” (2nd edition),
https://www.cs.umd.edu/~jkatz/imc.html
● G. T. Simmons and J. N. Norris, “Preliminary comments on the M.I.T.
public-key cryptosystem,” Cryptologia 1 (1977), 406-414.
19