Can we reveal the RSA private exponent d from its public key <e, n>? We study this question for two specific cases: e = 3 and e = 65537. Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small. For example, for 2048-bit RSA, the most significant 1024 bits are revealed!
On the Secrecy of RSA Private Keys
Dr. Dharma Ganesan, Ph.D.
2. Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty, and I accept no responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from owners
3. Question (standard notations are defined later)
● Can we reveal the RSA private exponent d from its public key <e, n>?
● We study this question for two specific cases: e = 3 and e = 65537
● Using demos, we verify that RSA reveals the most significant half of the
private exponent d when the public exponent e is small
● For example, for 2048-bit RSA, the most significant 1024 bits are revealed!
4. Agenda
● Overview of Public Key Cryptography using RSA
● Math facts
● Algorithm to approximate private key from public key
● Demo
● Conclusion
● Appendix
5. Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
6. How can Bob send a message to Alice securely?
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
[Figure: key labels Public Key PuA, Private Key PrA, Public Key PuB, Private Key PrB]
7. RSA Public Key Cryptography System
● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using the recipient's public key, but
○ (as far as we know) no one can efficiently decrypt unless they have the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems that are computationally intractable
8. Notations and Facts
GCD(x, y): The greatest common divisor that divides integers x and y
Co-prime: If gcd(x, y) = 1, then x and y are co-primes
Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
Z*_n = { x ∈ Z_n | gcd(x, n) = 1 }; (additional info: Z*_n is a multiplicative group)
φ(n): Euler’s Totient function denotes the number of elements in Z*_n
φ(nm) = φ(n).φ(m) (This property is called multiplicative)
φ(p) = p-1, if p is a prime number
9. Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: a^φ(n) ≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: a^p ≡ a (mod p)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
10. RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later)
2. Pick two independent, large random primes, p and q, of half of n’s bitlength
○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization)
3. Compute n = p.q (n is also called the RSA modulus)
4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d from Z_n such that e.d ≡ 1 (mod φ(n))
○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e in Z_n
6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q>
11. RSA Trapdoor
● RSA: Z_n → Z_n
● Let x and y ∈ Z_n
● y = RSA(x) = x^e mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA^-1(y) = y^d mod n
● e and d are also called encryption and decryption exponents, respectively
● Many implementations use Chinese-Remainder Theorem (CRT) to compute y^d efficiently
● I will use CRT later for an RSA game
12. RSA Trapdoor variables’ dependency graph
[Figure: dependency graph of the RSA trapdoor variables; legend: Private variable, Public variable]
Note: Public exponent e affects the private exponent d
13.
Fact: Let n = pq, where p and q are two prime numbers such that q < p < 2q; then p + q ≤ 3√n
Proof:
p + q < 2q + q = 3q … (1)
Since n = pq, n > q^2 (since p > q)
Thus, q < √n … (2)
Thus, combining (1) and (2), we obtain p + q < 3q < 3√n
14.
Fact: If ed - 1 = k φ(n), then k < e
Proof (by contradiction):
Suppose k ≥ e; then ed - 1 ≥ e φ(n)
Since ed > ed - 1 ≥ e φ(n), we have ed ≥ e φ(n)
Since e > 0, dividing the above inequality by e gives d ≥ φ(n)
This is a contradiction because the RSA private exponent d is smaller than φ(n). Note: One can similarly prove that k < d, too.
15. Algorithm to approximate the private exponent d
https://www.ams.org/notices/199902/boneh.pdf
We experiment with this algorithm (page 8 in boneh.pdf)
We provide a proof that k = 2 when e = 3, which was not
given in the paper
16. Algorithm: derive private exponent d from public key
e.d ≡ 1 (mod φ(n))
e.d - 1 = k (p-1)(q-1) for some integer k; recall that φ(n) = (p-1)(q-1)
        = k (pq - p - q + 1)
e.d - 1 = k (n - p - q + 1) (since n = pq)
d = (1 + k(n - p - q + 1))/e
Since p and q are half the bitsize of n, (n-p-q+1) is of the same bitsize as n.
Let’s approximate n-p-q+1 by n. Thus, d^ = ⌊(1 + kn)/e⌋ is an approximation of the private exponent d.
Note that we know n and e, but not k
17.
Fact: |d - d^| < 3√n
Proof:
We know that d = (1+k(n-p-q+1))/e and d^ = ⌊(1 + kn)/e⌋
|d - d^| = (1 + kn)/e - (1+kn-kp-kq+k)/e
|d - d^| = (kp+kq-k)/e = k(p+q-1)/e < k (p + q)/e
|d - d^| < 3√n (Since p+q ≤ 3√n and k < e)
Summary: d^ approximates d; the most significant half of the bits is the same
18. Analysis of d^ when e = 3
e.d ≡ 1 (mod φ(n))
3.d - 1 = k φ(n)
k can be either 1 or 2. We can prove that k ≠ 1 as follows:
Suppose k = 1; then 3d - 1 = φ(n), so d = (φ(n) + 1)/3
Since d is an odd number and φ(n) is an even number, we can deduce that φ(n) ∈ {2, 8, 14, 20, 26, … }, or φ(n) = 2 + 6t for some non-negative integer t
φ(n) = 2 + 6t = 2(1 + 3t). If t is even, then (1+3t) is an odd number, but φ(n) should only be a product of two even numbers. Thus, φ(n) ∉ {2, 14, 26, … }
19. Analysis of d^ when e = 3
We have established that φ(n) ∈ {8, 20, 32, … }; i.e., φ(n) = 8 + 12t
Let’s prove that the only possible value of φ(n) can be 8.
Case 1: φ(n) = 8 + 12t = 4(2 + 3t)
By defn., φ(n) is a product of two even numbers (p-1) and (q-1)
Let’s take q-1 = 4 and p-1 = 2+3t; i.e., q = 5 and p = 3+3t.
Clearly, 3+3t is not a prime number when t > 0. Thus, φ(n) ≠ 4(2 + 3t)
20. Analysis of d^ when e = 3
Case 2: φ(n) = 8 + 12t = 2(4 + 6t)
Let q-1 = 2 and p-1 = 4+6t. That is, q = 3 and p = 5+6t
Since RSA definition assumes that q < p < 2q,
3 < 5 + 6t is true for all t, but 5+6t > 2*3 (except t = 0 case)
Since p < 2q is violated, φ(n) ≠ 2(4 + 6t).
Thus, we proved that when e =3, k must be 2. (k = 1 is only possible if q = 3
and p = 5, but such small p and q are absurd anyways)
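The approximation d^ = ⌊(1 + kn)/e⌋ and the bound |d - d^| < 3√n from the preceding slides, as an added Python example (not the author's Java code). The helper names, the seed and the 1024-bit toy key generated with a seeded, non-cryptographic PRNG are assumptions made for the demonstration.

```python
import math
import random

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test for odd candidates n > 3."""
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits, e, seed):
    """Toy RSA keygen; seeded PRNG makes it reproducible, NOT fit for real keys."""
    rng, half, primes = random.Random(seed), bits // 2, []
    while len(primes) < 2:
        # Top two bits set: n has exactly `bits` bits and q < p < 2q holds.
        c = rng.getrandbits(half) | (0b11 << (half - 2)) | 1
        if c not in primes and math.gcd(e, c - 1) == 1 and is_probable_prime(c, rng):
            primes.append(c)
    q, p = sorted(primes)
    phi = (p - 1) * (q - 1)
    return p * q, pow(e, -1, phi), phi

def approx_d(e, n, k):
    """d^ = floor((1 + k*n) / e), computed from public values and a guess k."""
    return (1 + k * n) // e

def shared_msbs(a, b):
    """Count of leading bits on which a and b agree (aligned to the wider one)."""
    return max(a.bit_length(), b.bit_length()) - (a ^ b).bit_length()

def leak_report(bits, e, seed):
    n, d, phi = demo_keypair(bits, e, seed)
    k = (e * d - 1) // phi  # the true k; known here only because the demo holds d
    d_hat = approx_d(e, n, k)
    return k, d_hat - d, 3 * math.isqrt(n), shared_msbs(d, d_hat)

if __name__ == "__main__":
    for e in (3, 65537):
        k, err, bound, msbs = leak_report(1024, e, seed=2024)
        print(f"e={e}: k={k}, d^-d has {err.bit_length()} bits, shared MSBs={msbs}")
```

For e = 65537 someone holding only the public key does not know k and has to consider every candidate `approx_d(e, n, k)` for 1 ≤ k < e, which is what the slides' 65537-attempt figure counts.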
21. Demo
● Demo 1: When e = 3, the first half of the most significant private exponent d bits is leaked
● Demo 2: When e = 65537, there are only at most 65537 possible values of the most significant bits of d (instead of 2^(n/2) possibilities)
● For both demos, we will show that half of the most significant bits of the
private exponent d can be revealed by using the public parameters <e, n>
● The demos use 2048-bit RSA key (but applicable for other key sizes)
● Appendix has my implementation of the algorithm used in the demos
23.
~/crypto/RSA$ e=3
~/crypto/RSA$ java RSA_KeyPair 2048 $e
d=1421237067484190664687467641737187734480432074691163039233098997475699692733759482574032952
504058684945672246071323206448263776167088791315805030995938598788917861285158127945424492484
083185531159037194902697979212301225881718304183586919116140663186232111508302003084235247162
790681958249261347807069877965041559837274254672179935363751863511411580357365707845953663926
861042738958587605928377974474390920562141137897933563181368621890970668452394101228784250684
949276876015095331870308805317389193397861773963131721670380660776616208922972152524281777702
9163150275214370671181822432156547192936318586434345409301739
n=2131855601226285997031201462605781601720648112036744558849648496213549539100639223861049428
756088027418508369106984809672395664250633186973707546493907898183376791927737191918136738726
124778296738555792354046968818451838822577456275380378674210994779348167262453004626352870744
186022937373892021710604816947591541716920848648232267991218076826874172399457724605435745051
969912159268306241010887191644608211396202072313259815055304203147180860750050654130709105253
252072039356069016123192746164428752945697718217090400475781422732315382047928432005892912423
2687942502070000081779339907151328354852637293825990658859773
(on the next slide, we will reveal parts of the private d from public parameters <e, n>)
RSA_KeyPair is my program that generates RSA keys
25.
We already proved that when e = 3, k = 2
d^
=142123706748419066468746764173718773448043207469116303923309899747569969
273375948257403295250405868494567224607132320644826377616708879131580503099
593859878891786128515812794542449248408318553115903719490269797921230122588
171830418358691911614066318623211150830200308423524716279068195824926134780
706987796506102781128056576548817866081205121791611493297181640362383003464
660810617887082734059146109640547426413471487550654337020280209812057383336
710275380607016883471469290404601074879516410961916863046514547806026698385
428182154358803195228800392860828217919616680466667211862266047675522365684
24862550660439239849
We see that d^ revealed half of the private exponent d using the public key parameters <e, n>
32.
java RSA_DCap $e $n
k=4942
d^
=14916291453347068964670172948948920076715349654876294642115910529983120420
21202036862248300189034142316438082203748580728041607410808263351850622119133
23751251143636076564023853129568759399389655637980565215148030800913144520961
16854784614053261370924413719142124471368492130356943656350440422622498243594
49257918362880503074774240355625043186484950061128437172018970117238473811810
21066106191884077345266942217285500426004798294465049353453317995464090084352
96398651248041119672893944491479051749177231854428675467086726545740361196397
25187699773491223215803817723443053331103514510753270668601927889140940039319
674
We see that d^ revealed half of the private exponent d using the public key parameters <e, n> (in 4942 attempts - see previous slide)
33. Conclusion
● When RSA is used with the public exponent e = 3, the most significant half of the private exponent d is revealed (in one attempt)
● So, we want to avoid using e = 3 during key generation even if we use RSA with proper random padding (e.g., OAEP)
● The default e = 65537 reveals half of the private key (65537 attempts at most)
● But do not simply increase the value of e, because d will then likely decrease!
● At the time of writing, e = 65537 is the NIST recommended value
● If the RSA modulus size is b bits, the most significant b/2 bits of the private key are known to attackers!
○ This is also true when e = 65537
34. References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE
Transactions on Information Theory, vol. IT-22, no. 6, November, 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems,” CACM 21, 2, February, 1978.
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students
and Practitioners,” Springer, 2011.
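36.
import java.math.BigInteger;

// Wrapper class added so the fragment compiles; the class name is a placeholder.
public class LeakPrivExpDemo {
    // Returns the candidates dcap = floor((1 + k*n) / e) for k = 1..e.
    public static BigInteger[] leakPrivExp(int e, BigInteger n) {
        BigInteger[] dcaps = new BigInteger[e];
        BigInteger bigE = BigInteger.valueOf(e);
        for (int i = 1; i <= e; i++) {
            BigInteger k = BigInteger.valueOf(i);
            // dcap = floor((1 + k*n) / e)
            dcaps[i - 1] = BigInteger.ONE.add(k.multiply(n)).divide(bigE);
        }
        return dcaps;
    }
}
Given the public parameters e and n, this code attempts to leak the private exponent d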