An RSA private key is made of a few private variables. We analyze how these private variables are chained together. Further, we study if one of the private variables is leaked, can we derive the other private variables? Demos of the algorithms are also provided.
2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty nor accept any responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
2
3. High-level Question
● An RSA private key is made of a few private variables
● If a private variable is exposed, can we efficiently derive
the rest of the private variables?
3
4. Detailed questions (notations are defined later)
1. How to derive the private prime factors of RSA modulus n from φ(n)?
2. How to derive the private exponent d from φ(n)?
3. How to derive the private prime factors p and q from the private exponent d?
4
5. Agenda
● Brief overview of RSA algorithm
● Formal definition of RSA Trapdoor function
● Algorithms and Demos (for the three questions)
● Conclusion
5
6. Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
6
7. How can Bob send a message to Alice securely?
7
Public Key PuA
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords,
certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
Private Key PrA
Public Key PuB
Private Key PrB
8. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they got the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
8
9. 9
Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Zn
= { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn
as a circular wall clock
Z*
n
= { x ∈ Zn
| gcd(x, n) = 1 }; (additional info: Z*
n
is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*
n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
10. Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: aφ(n)
≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: ap
≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
10
11. RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, p and q satisfy q < p < 2q to avoid polynomial time factorization algorithms
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Zn
such that e.d ≡ 1(mod φ(n))
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Zn
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
11
12. RSA Trapdoor
● RSA: Zn
→ Zn
● Let x and y ∈ Zn
● y = RSA(x) = xe
mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA-1
(y) = yd
mod n
● e and d are also called encryption and decryption exponents, respectively
12
13. RSA Trapdoor variables’ dependency graph
13
Private variable
Public variable
Note: Public exponent e affects the private exponent d
14. Question 1: Factor n when private φ(n) is given
14
φ(n) = (p-1)(q-1)
φ(n) = pq - p - q + 1
φ(n) = n - p - n/p + 1 (since n = pq)
pφ(n) = np -p2
-n+ p
p2
- np - p+ pφ(n)+ n = 0
p2
- (n+ 1- φ(n))p + n = 0
This is a quadratic equation in p. We know how to solve ax2
+bx+c = 0.
x = (-b ∓ √(b2
- 4ac))/2a
Note also that the product of the two roots = c/a.
In our case, a = 1, thus the products of the roots are the prime factors of n
15. Demo 1: Factor n when private φ(n) is given
15
Let’s generate a 2048 RSA key pair as follows: keysize = 2048, e = 65537
~/crypto/RSA$ java RSA_KeyPair $keysize $e
Output: <phi, n, d, p, q> are shown below
17. Demo 1: Factor n when private φ(n) is given ...
17
~/crypto/RSA$ java PrimeFactorsFromPhi $n $phi
p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720
5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266
4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890
15575518486062027786802049855038992628112233123
q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808
6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189
9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340
05824459505427320400617171847420795137628994559
We see that this p and q are the same on the previous slide
Equivalently, we derived the private prime factors p and q of n from another private variable φ(n)
18. Demo 1: Prime factors of n using phi(n)
18
/*
* Given n and phi(n), returns the factors of n: p and q
*/
public static BigInteger[] factorize(BigInteger n, BigInteger phi) {
BigInteger one = BigInteger.valueOf(1);
BigInteger minusOne = BigInteger.valueOf(-1);
/* p*p -(n+1-phi(n))p + n = 0 */
BigInteger z = n.add(one).subtract(phi).multiply(minusOne);
/* Roots of this quadratic equation are the prime factors of n */
BigInteger[] factors = BigIntUtil.quadraticSol(one,z,n);
assert n.equals(factors[0].multiply(factors[1]));
return factors;
}
19. 19
/*
* Returns the integer roots of the ax2 + bx + c = 0
*/
public static BigInteger[] quadraticSol(BigInteger a, BigInteger b, BigInteger c) {
BigInteger zero = BigInteger.ZERO;
BigInteger minusOne = BigInteger.valueOf(-1);
BigInteger two = BigInteger.valueOf(2);
BigInteger four = BigInteger.valueOf(4);
BigInteger b2_4ac = b.multiply(b).subtract(four.multiply(a.multiply(c)));
assert a.compareTo(zero) != 0 && b2_4ac.compareTo(zero) >= 0;
BigInteger negB = b.multiply(minusOne);
BigInteger root_b2_4ac = iRoot(b2_4ac, 2);
assert root_b2_4ac.multiply(root_b2_4ac).compareTo(b2_4ac) == 0;
BigInteger[] roots = new BigInteger[2];
roots[0] = negB.add(root_b2_4ac).divide(two.multiply(a));
roots[1] = negB.subtract(root_b2_4ac).divide(two.multiply(a));
return roots;
}
20. Question 2: Derive private exponent d from φ(n)
20
We know that e.d ≡ 1(mod φ(n))
To find d, we multiply both sides by the inverse of e (i.e., e-1
)
Thus, d ≡ e-1
mod φ(n)
Note that e-1
should exist because e and φ(n) are relatively prime
22. Demo 2: Derive private exponent d from φ(n)
22
~/crypto/RSA$ java ModInverse $e $phi
Modular Inverse of 65537 is
2205151223696884190252381916635434764104221807529134232843816122898922433546108
3287372976252503587328696591274260031885794600481314199611651200179626903675369
0028009274857755022760288405248617492304240282041017910963309960636514481667802
6944157259783475257086607960394921579465796075728094174066371810325736212160395
6922757355039274603476879690439127159645339789795023593785438145131390767349450
4634404929864749265927992741511730020925412893911025985705705945455643610869142
0863758917973667307103241295297662510557556262730109970320101433216326920736123
5840090794589733305253198877867831375654052088316468016370497257
This is the same private d generated by the RSA key pair generator (see Demo 1)
23. Question 3: Derive the prime factors p and q from d
23
We know that e.d ≡ 1(mod φ(n))
e.d - 1 ≡ 0 ( mod φ(n))
e.d - 1 = r φ(n) for some integer r.
Let k = e.d - 1. This means that k is a multiple of φ(n). K is even because φ(n) is even
Let g be a random element of Z*
n
. That is, g is relatively prime to n.
Euler’s theorem says gk
≡ 1 (mod n) since gcd (g, n) =1 .
This implies gk/2
is a square of one mod n because gk/2
. gk/2
= gk
≡ 1 (mod n)
24. Question 3: Algorithm to factorize n from d
24
Step 1: Pick a random g from the multiplicative group Zn
*
Step 2: Construct a sequence: gk/2
, gk/4
, gk/8
, … until not equal to 1 mod n
Note: If k/2i
is not an even number, go back to step 1 and pick a new g
Step 3: Now we have calculated square root of one in mod n.
That is, z2
≡ 1 (mod n) and z ≠ ∓ 1 (mod n)
(z+1)(z-1) ≡ 0 (mod n)
This implies n divides (z+1) and (z-1).
Equivalently, n must share factors with (z+1) and (z-1).
Step 4: Compute gcd(n, z-1) to extract one of the prime factors (say p) of n
Step 5: Derive another prime factor q = n/p
26. 26
~/crypto/RSA$ java PrimeFactorsFromD $e $n $d
p=17903874057903527472517669435513313630569762683771632088937031464400624513093903398720
5261101355504048933406381667101125804436997838009295776233608129356643657709953464604266
4278240107564127344919624324139339067172539410416522168861149638310907790220912279762890
15575518486062027786802049855038992628112233123
q=17874883566449270685325299591622537894696700693308029291565246263883560607941716737808
6464578047472634374830076876987053824678362512846985147502313908595068657410399492853189
9056645383086939677868549377884628581065684311026875287600736273831026715753577358550340
05824459505427320400617171847420795137628994559
We see that the p and q are the factors of n (as expected)
Equivalently, we derived the private prime factors p and q of n from another private variable d
Demo 3: Derive the prime factors p and q from d
27. Conclusion
27
● We analyzed the dependencies of RSA private variables
● We efficiently derived the
○ private prime factors p and q of RSA modulus n from φ(n)
○ private exponent d from φ(n)
○ private prime factors p and q from the private exponent d
● This analysis shows that if one of the private variables is leaked the rest is public
○ We need to throw away all the private variables and generate new keys
● If we can efficiently solve z2
≡ 1 (mod n) (of course, z ≠ ∓ 1), then RSA is breakable
○ We used this fact in Demo 3, because d is given to us
28. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
28
29. References
● Finding a non-trivial square root of n:
http://www.tricki.org/article/To_factorize_n_find_a_non-trivial_square_root_of
_1_mod_n
● D. Boneh and Victor Shoup, “A Graduate Course in Applied Cryptography,”
https://toc.cryptobook.us/
29
30. Appendix - graphviz for the dependency graph
digraph G {
{
p [color = red, shape=box]
q [color = red, shape=box]
"φ(n)" [color = red, shape=box]
d [color = red, shape=box]
x [color = red, shape=box]
y [color = blue]
e [color = blue]
n [color = blue]
}
n -> {p q}
"φ(n)" -> {p q}
d -> {e "φ(n)"}
y -> {x e n}
}
30