SlideShare a Scribd company logo

On the Secrecy of RSA Private Keys

Dharmalingam Ganesan
Dharmalingam Ganesan

Can we reveal the RSA private exponent d from its public key <e, n>? We study this question for two specific cases: e = 3 and e = 65537. Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small. For example, for 2048-bit RSA, the most significant 1024 bits are revealed!

Software
1 of 36
Download to read offline
On the Secrecy of RSA Private Keys Dr. Dharma Ganesan, Ph.D.,
Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
Question (standard notations are defined later) ● Can we reveal the RSA private exponent d from its public key <e, n>? ● We study this question for two specific cases: e = 3 and e = 65537 ● Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small ● For example, for 2048-bit RSA, the most significant 1024 bits are revealed! 3
Agenda ● Overview of Public Key Cryptography using RSA ● Math facts ● Algorithm to approximate private key from public key ● Demo ● Conclusion ● Appendix 4
Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 5
How can Bob send a message to Alice securely? 6 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 7
8 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 9
RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 10
RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively ● Many implementations use Chinese-Remainder Theorem (CRT) to compute yd efficiently ● I will use CRT later for an RSA game 11
RSA Trapdoor variables’ dependency graph 12 Private variable Public variable Note: Public exponent e affects the private exponent d
13 Fact: Let n = pq, p and q are two prime numbers such that q < p < 2q, then p+q ≤ 3√n Proof: p + q < 2q + q = 3q ……………………. (1) Since n = pq, n > q2 (since p > q ) Thus, q < √n …………………………………..(2) Thus, combining (1) and (2), we obtain p + q < 3q < 3√n
14 Fact: If ed - 1 = k φ(n), then k < e Proof (by contradiction): Suppose k ≥ e then ed - 1 ≥ e φ(n) Since ed > ed - 1 ≥ eφ(n) ed ≥ e φ(n) Since e > 0, divide by e of the above inequality, d ≥ φ(n) This is a contradiction because RSA private exponent d is smaller than φ(n). Note: One can similarly prove that k < d, too.
Algorithm to approximate the private exponent d 15 https://www.ams.org/notices/199902/boneh.pdf We experiment with this algorithm (page 8 in boneh.pdf) We provide a proof that k = 2 when e = 3, which was not given in the paper
16 e.d ≡ 1(mod φ(n)) e.d - 1 = k (p-1)(q-1) for some integer k, recall that φ(n) = (p-1) (q-1) = k (pq - p - q + 1) e.d - 1 = k (n - p - q + 1) (since n = pq) d = (1 + k(n - p - q + 1))/e Since p and q are half the bitsize of n, (n-p-q+1) is of the same bitsize as n. Let’s approximate n-p-q+1 by n; Thus, d^ = ⌊(1 + kn)/e⌋ is an approximation of the private exponent d. Note that we know n and e, but not k Algorithm: derive private exponent d from public key
17 Fact: |d - d^ | < 3√n Proof: We know that d = (1+k(n-p-q+1))/e and d^ = ⌊(1 + kn)/e⌋ |d - d^ | = (1 + kn)/e - (1+kn-kp-kq+k)/e |d - d^ | = (kp+kq-k)/e = k(p+q-1)/e < k (p + q)/e |d - d^ | < 3√n (Since p+q ≤ 3√n and k < e) Summary: d^ approximates d; half of the most significant bits is the same
18 e.d ≡ 1(mod φ(n)) 3.d - 1 = k φ(n) K can be either 1 or 2. We can prove that k ≠ 1 as follows: Suppose k = 1, then 3d - 1 = φ(n) then d = (φ(n) + 1)/3 Since d is an odd number and φ(n) is an even number, we can deduce that φ(n) ∈ {2, 8, 14, 20, 26, … }, or φ(n) = 2 + 6t for some non-negative integer t φ(n) = 2 + 6t = 2(1 + 3t). If t is even, then (1+3t) is an odd number, but φ(n) should only be a product of two even numbers. Thus, φ(n) ∉ {2, 14, 26, … } Analysis of d^ when e = 3
Analysis of d^ when e = 3 19 We have established that φ(n) ∈ {8, 20, 32, … }; i.e., φ(n) = 8 + 12t Let’s prove that the only possible value of φ(n) can be 8. Case 1: φ(n) = 8 + 12t = 4(2 + 3t) By defn., φ(n) is a product of two even numbers (p-1) and (q-1) Let’s take q-1 = 4 and p-1 = 2+3t; i.e., q = 5 and p = 3+3t. Clearly, 3+3t is not a prime number when t > 0. Thus, φ(n) ≠ 4(2 + 3t)
Analysis of d^ when e = 3 20 Case 2: φ(n) = 8 + 12t = 2(4 + 6t) Let q-1 = 2 and p-1 = 4+6t. That is, q = 3 and p = 5+6t Since RSA definition assumes that q < p < 2q, 3 < 5 + 6t is true for all t, but 5+6t > 2*3 (except t = 0 case) Since p < 2q is violated, φ(n) ≠ 2(4 + 6t). Thus, we proved that when e =3, k must be 2. (k = 1 is only possible if q = 3 and p = 5, but such small p and q are absurd anyways)
Demo 21 ● Demo 1: When e = 3, the first half of the most significant private exponent d bits is leaked ● Demo 2: When e = 65537, there are only at most 65537 possible values of the most significant bits of d (instead of 2n/2 possibilities) ● For both demos, we will show that half of the most significant bits of the private exponent d can be revealed by using the public parameters <e, n> ● The demos use 2048-bit RSA key (but applicable for other key sizes) ● Appendix has my implementation of the algorithm used in the demos
Demo 1: e = 3 22
23 ~/crypto/RSA$ e=3 ~/crypto/RSA$ java RSA_KeyPair 2048 $e d=1421237067484190664687467641737187734480432074691163039233098997475699692733759482574032952 504058684945672246071323206448263776167088791315805030995938598788917861285158127945424492484 083185531159037194902697979212301225881718304183586919116140663186232111508302003084235247162 790681958249261347807069877965041559837274254672179935363751863511411580357365707845953663926 861042738958587605928377974474390920562141137897933563181368621890970668452394101228784250684 949276876015095331870308805317389193397861773963131721670380660776616208922972152524281777702 9163150275214370671181822432156547192936318586434345409301739 n=2131855601226285997031201462605781601720648112036744558849648496213549539100639223861049428 756088027418508369106984809672395664250633186973707546493907898183376791927737191918136738726 124778296738555792354046968818451838822577456275380378674210994779348167262453004626352870744 186022937373892021710604816947591541716920848648232267991218076826874172399457724605435745051 969912159268306241010887191644608211396202072313259815055304203147180860750050654130709105253 252072039356069016123192746164428752945697718217090400475781422732315382047928432005892912423 2687942502070000081779339907151328354852637293825990658859773 (on the next slide, we will reveal parts of the private d from public parameters <e, n>) RSA_KeyPair is my program that generates RSA keys
24 ~/crypto/RSA$ java RSA_DCap $e $n k=1 d^ = 710618533742095332343733820868593867240216037345581519616549498737849846366879741287016476252029342 472836123035661603224131888083544395657902515497969299394458930642579063972712246242041592765579518 597451348989606150612940859152091793459558070331593116055754151001542117623581395340979124630673903 534938982530513905640282882744089330406025608958057466485908201811915017323304053089435413670295730 548202737132067357437753271685101401049060286916683551376903035084417357346452023005374397582054809 584315232572739030133491927140910771794015976144001964304141089598083402333336059311330238377611828 4212431275330219619924 k=2 d^ = 142123706748419066468746764173718773448043207469116303923309899747569969273375948257403295250405868 494567224607132320644826377616708879131580503099593859878891786128515812794542449248408318553115903 719490269797921230122588171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464660810617887082734059146 109640547426413471487550654337020280209812057383336710275380607016883471469290404601074879516410961 916863046514547806026698385428182154358803195228800392860828217919616680466667211862266047675522365 68424862550660439239849 k=3 d^ = 213185560122628599703120146260578160172064811203674455884964849621354953910063922386104942875608802 741850836910698480967239566425063318697370754649390789818337679192773719191813673872612477829673855 579235404696881845183882257745627538037867421099477934816726245300462635287074418602293737389202171 060481694759154171692084864823226799121807682687417239945772460543574505196991215926830624101088719 164460821139620207231325981505530420314718086075005065413070910525325207203935606901612319274616442 875294569771821709040047578142273231538204792843200589291242326879425020700000817793399071513283548 RSA_DCap is my program (see appendix)
25 We already proved that when e = 3, k = 2 d^ =142123706748419066468746764173718773448043207469116303923309899747569969 273375948257403295250405868494567224607132320644826377616708879131580503099 593859878891786128515812794542449248408318553115903719490269797921230122588 171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464 660810617887082734059146109640547426413471487550654337020280209812057383336 710275380607016883471469290404601074879516410961916863046514547806026698385 428182154358803195228800392860828217919616680466667211862266047675522365684 24862550660439239849 We see that d^ revealed half of the private exponent d using the public key parameters <e, n>
26 Demo 2: e = 65537
27 Example: RSA public exponent e (e.g., CNN) Disclaimer: CNN is just a random example. We are not attacking it.
28 RSA Public Exponent e is 65537 for CNN
29 Java JDK RSA key generation Code
30 Default Public Exponent e is 65537
31 ~/crypto/RSA$ java RSA_KeyPair 2048 65537 d=1491629145334706896467017294894892007671534965487629464211591052998312042021202036862248300189034 142316438082203748580728041607410808263351850622119133237512511436360765640238531295687593993896556 379805652151480308009131445209611685478461405326137092441371914212447136849213035694365635044042262 249824359449236690818626487184413087475423626176858565860592456883256289778387604384353711846146381 990134324009985938782618001216802708526050010979574880940401482976305545922019524306316518714599787 458458410757158810193932688548523743542459048263467703772587696279955036020135068150653908985091923 4654150061036966845424033 n=1978083757543518532451617006384592017538838264531824609389620454074269046902944514161092004238946 389821780708081486659958997628993972908848446665759239882372672238056970816760676356241963730837689 507554087920913900161765429475967645309630212886666261176248303151378956043846109273606649613140383 267234703464710971180657618980402253949546710953311699153301788485281409238637350429069319629583467 726988461505380836551971149145379567858344693903298557007299040518049531377666675151765379279923234 752095969737037013565533109667398191120453837912308378294097448282776247294362326194476537661616750 4687282086327354786906827 e = 65537
32 java RSA_DCap $e $n k=4942 d^ =14916291453347068964670172948948920076715349654876294642115910529983120420 21202036862248300189034142316438082203748580728041607410808263351850622119133 23751251143636076564023853129568759399389655637980565215148030800913144520961 16854784614053261370924413719142124471368492130356943656350440422622498243594 49257918362880503074774240355625043186484950061128437172018970117238473811810 21066106191884077345266942217285500426004798294465049353453317995464090084352 96398651248041119672893944491479051749177231854428675467086726545740361196397 25187699773491223215803817723443053331103514510753270668601927889140940039319 674 We see that d^ revealed half of the private exponent d using the public key parameters <e, n> (in 4942 attempts - see previous slide)
33 Conclusion ● When RSA is used with the public exponent e = 3, the most significant half of the private exponent d is revealed (in one attempt) ● So, we want to avoid using e = 3 during key generation even if we use RSA with proper random padding (e.g., OAEP) ● The default e = 65537 reveals half of the private key (65537 attempts at most) ● But, do not simply increase the value of e, then d will likely decrease! ● At this time of writing, e = 65537 is the NIST recommended value ● If RSA modulus size is b bit, the most significant b/2 bits of the private key are known to attackers! ○ This is also true when e = 65537
References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 34
Appendix 35
36 public static BigInteger[] leakPrivExp(int e, BigInteger n) { BigInteger[] dcaps = new BigInteger[e]; for(int i = 1; i <= e; i++) { BigInteger k = BigInteger.valueOf(i); // dcap = floor((1+kN)/e) dcaps[i-1] = one.add(k.multiply(n)).divide(BigInteger.valueOf(e)); } return dcaps; } Given the public parameters e and n, this code attempts to leak the private exponent d

Recommended

Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeDharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity ChecksDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzleDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 

Recommended

Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeActive Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeDharmalingam Ganesan
 
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity ChecksDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzleDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an OracleDharmalingam Ganesan
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA ModulusDharmalingam Ganesan
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person GameDharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without PaddingDharmalingam Ganesan
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2Fahad Layth
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMSathish Kumar
 
RSA
RSARSA
RSAbansidhar11
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adlemanHossain Md Shakhawat
 
The rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongThe rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongInformation Security Awareness Group
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSAAnver S R
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA EncryptionNathan F. Dunn
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionMd. Ariful Hoque
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7Infinity Tech Solutions
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2Coleman Gorham
 

More Related Content

What's hot

Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2Fahad Layth
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA EncryptionNathan F. Dunn
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionMd. Ariful Hoque
 

What's hot (20)

RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
RSA
RSARSA
RSA
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
The rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongThe rsa algorithm JooSeok Song
The rsa algorithm JooSeok Song
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA Encryption
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 

Similar to On the Secrecy of RSA Private Keys

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2Coleman Gorham
 
Chapter 06 rsa cryptosystem
Chapter 06 rsa cryptosystemChapter 06 rsa cryptosystem
Chapter 06 rsa cryptosystemAnkur Choudhary
 
Signyourd digital signature certificate provider
Signyourd digital signature certificate providerSignyourd digital signature certificate provider
Signyourd digital signature certificate providerKishankant Yadav
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptMuhammadAbdullah311866
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsaBill GU
 
2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiouvafopoulos
 
01 - DAA - PPT.pptx
01 - DAA - PPT.pptx01 - DAA - PPT.pptx
01 - DAA - PPT.pptxKokilaK25
 
Senior Research Final Draft3
Senior Research Final Draft3Senior Research Final Draft3
Senior Research Final Draft3Coleman Gorham
 
11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdfVipinNegi38
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39sravanbabu
 

Similar to On the Secrecy of RSA Private Keys (20)

Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Chapter 06 rsa cryptosystem
Chapter 06 rsa cryptosystemChapter 06 rsa cryptosystem
Chapter 06 rsa cryptosystem
 
Signyourd digital signature certificate provider
Signyourd digital signature certificate providerSignyourd digital signature certificate provider
Signyourd digital signature certificate provider
 
implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
 
Rsa documentation
Rsa documentationRsa documentation
Rsa documentation
 
Deep dive into rsa
Deep dive into rsaDeep dive into rsa
Deep dive into rsa
 
2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou2010 3-24 cryptography stamatiou
2010 3-24 cryptography stamatiou
 
Eulers totient
Eulers totientEulers totient
Eulers totient
 
01 - DAA - PPT.pptx
01 - DAA - PPT.pptx01 - DAA - PPT.pptx
01 - DAA - PPT.pptx
 
Senior Research Final Draft3
Senior Research Final Draft3Senior Research Final Draft3
Senior Research Final Draft3
 
11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf11 Applied_Mathemathics HANDBOOK.pdf
11 Applied_Mathemathics HANDBOOK.pdf
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and Isogenies
 
RSA
RSARSA
RSA
 
Unit 3
Unit 3Unit 3
Unit 3
 
MFCS-17.ppt
MFCS-17.pptMFCS-17.ppt
MFCS-17.ppt
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39
 
Nbvtalkatbzaonencryptionpuzzles
NbvtalkatbzaonencryptionpuzzlesNbvtalkatbzaonencryptionpuzzles
Nbvtalkatbzaonencryptionpuzzles
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (13)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 

Recently uploaded (20)

Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 

On the Secrecy of RSA Private Keys

  • 1. On the Secrecy of RSA Private Keys Dr. Dharma Ganesan, Ph.D.,
  • 2. Disclaimer ● The opinions expressed here are my own ○ But not the views of my employer ● The source code fragments and exploits shown here can be reused ○ But without any warranty nor accept any responsibility for failures ● Do not apply the exploit discussed here on other systems ○ Without obtaining authorization from owners 2
  • 3. Question (standard notations are defined later) ● Can we reveal the RSA private exponent d from its public key <e, n>? ● We study this question for two specific cases: e = 3 and e = 65537 ● Using demos, we verify that RSA reveals the most significant half of the private exponent d when the public exponent e is small ● For example, for 2048-bit RSA, the most significant 1024 bits are revealed! 3
  • 4. Agenda ● Overview of Public Key Cryptography using RSA ● Math facts ● Algorithm to approximate private key from public key ● Demo ● Conclusion ● Appendix 4
  • 5. Prerequisite Some familiarity with the following topics will help to follow the rest of the slides ● Group Theory ● Number Theory ● Algorithms and Complexity Theory ● If not, it should still be possible to obtain a high-level overview 5
  • 6. How can Bob send a message to Alice securely? 6 Public Key PuA ● Alice and Bob never met each other ● Bob will encrypt using Alice’s public key ○ Assume that public keys are known to the world ● Alice will decrypt using her private key ○ Private keys are secrets (never sent out) ● Bob can sign messages using his private key ○ Alice verifies message integrity using Bob’s public key ○ Not important for this presentation/attack ● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other ● Who are Alice, Bob, and Eve? Private Key PrA Public Key PuB Private Key PrB
  • 7. RSA Public Key Cryptography System ● Published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman ● Rooted in elegant mathematics - Group Theory and Number Theory ● Core idea: Anyone can encrypt a message using recipient's public key but ○ (as far as we know) no one can efficiently decrypt unless they got the matching private key ● Encryption and Decryption are inverse operations (math details later) ○ Work of Euclid, Euler, and Fermat provide the mathematical foundation of RSA ● Eavesdropper Eve cannot easily derive the secret (math details later) ○ Unless she solves “hard” number theory problems that are computationally intractable 7
  • 8. 8 Notations and Facts GCD(x, y): The greatest common divisor that divides integers x and y Co-prime: If gcd(x, y) = 1, then x and y are co-primes Zn = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Zn as a circular wall clock Z* n = { x ∈ Zn | gcd(x, n) = 1 }; (additional info: Z* n is a multiplicative group) φ(n): Euler’s Totient function denotes the number of elements in Z* n φ(nm) = φ(n).φ(m) (This property is called multiplicative) φ(p) = p-1, if p is a prime number
  • 9. Notations and Facts ... ● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n ● Euler’s Theorem: aφ(n) ≡ 1 (mod n), if gcd(a, n) = 1 ● Fermat’s Little Theorem: ap ≡ a (mod p) ● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is either a prime or can be written as a unique product of primes ○ Euclid’s work is the foundation for this theorem, see The Elements ● Euclid’s Lemma: if a prime p divides the product of two natural numbers a and b, then p divides a or p divides b ● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes 9
  • 10. RSA - Key Generation Algo 1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits) ○ Value of the parameter n is not chosen until step 3; small n is dangerous (details later) 2. Pick two independent, large random primes, p and q, of half of n’s bitlength ○ In practice, q < p < 2q to avoid attacks (e.g., Fermat’s factorization) 3. Compute n = p.q (n is also called the RSA modulus) 4. Compute Euler’s Totient (phi) Function φ(n) = φ(p.q) = φ(p)φ(q) = (p-1)(q-1) 5. Select numbers e and d from Zn such that e.d ≡ 1(mod φ(n)) ○ e must be relatively prime to φ(n) otherwise d cannot exist (i.e., we cannot decrypt) ○ d is the multiplicative inverse of e in Zn 6. Public key is the pair <n, e> and private key is 4-tuple <φ(n), d, p, q> 10
  • 11. RSA Trapdoor ● RSA: Zn → Zn ● Let x and y ∈ Zn ● y = RSA(x) = xe mod n ○ We may view x as a plaintext, and y as the corresponding ciphertext ● x = RSA-1 (y) = yd mod n ● e and d are also called encryption and decryption exponents, respectively ● Many implementations use Chinese-Remainder Theorem (CRT) to compute yd efficiently ● I will use CRT later for an RSA game 11
  • 12. RSA Trapdoor variables’ dependency graph 12 Private variable Public variable Note: Public exponent e affects the private exponent d
  • 13. 13 Fact: Let n = pq, p and q are two prime numbers such that q < p < 2q, then p+q ≤ 3√n Proof: p + q < 2q + q = 3q ……………………. (1) Since n = pq, n > q2 (since p > q ) Thus, q < √n …………………………………..(2) Thus, combining (1) and (2), we obtain p + q < 3q < 3√n
  • 14. 14 Fact: If ed - 1 = k φ(n), then k < e Proof (by contradiction): Suppose k ≥ e then ed - 1 ≥ e φ(n) Since ed > ed - 1 ≥ eφ(n) ed ≥ e φ(n) Since e > 0, divide by e of the above inequality, d ≥ φ(n) This is a contradiction because RSA private exponent d is smaller than φ(n). Note: One can similarly prove that k < d, too.
  • 15. Algorithm to approximate the private exponent d 15 https://www.ams.org/notices/199902/boneh.pdf We experiment with this algorithm (page 8 in boneh.pdf) We provide a proof that k = 2 when e = 3, which was not given in the paper
  • 16. 16 e.d ≡ 1(mod φ(n)) e.d - 1 = k (p-1)(q-1) for some integer k, recall that φ(n) = (p-1) (q-1) = k (pq - p - q + 1) e.d - 1 = k (n - p - q + 1) (since n = pq) d = (1 + k(n - p - q + 1))/e Since p and q are half the bitsize of n, (n-p-q+1) is of the same bitsize as n. Let’s approximate n-p-q+1 by n; Thus, d^ = ⌊(1 + kn)/e⌋ is an approximation of the private exponent d. Note that we know n and e, but not k Algorithm: derive private exponent d from public key
  • 17. 17 Fact: |d - d^ | < 3√n Proof: We know that d = (1+k(n-p-q+1))/e and d^ = ⌊(1 + kn)/e⌋ |d - d^ | = (1 + kn)/e - (1+kn-kp-kq+k)/e |d - d^ | = (kp+kq-k)/e = k(p+q-1)/e < k (p + q)/e |d - d^ | < 3√n (Since p+q ≤ 3√n and k < e) Summary: d^ approximates d; half of the most significant bits is the same
  • 18. 18 e.d ≡ 1(mod φ(n)) 3.d - 1 = k φ(n) K can be either 1 or 2. We can prove that k ≠ 1 as follows: Suppose k = 1, then 3d - 1 = φ(n) then d = (φ(n) + 1)/3 Since d is an odd number and φ(n) is an even number, we can deduce that φ(n) ∈ {2, 8, 14, 20, 26, … }, or φ(n) = 2 + 6t for some non-negative integer t φ(n) = 2 + 6t = 2(1 + 3t). If t is even, then (1+3t) is an odd number, but φ(n) should only be a product of two even numbers. Thus, φ(n) ∉ {2, 14, 26, … } Analysis of d^ when e = 3
  • 19. Analysis of d^ when e = 3 19 We have established that φ(n) ∈ {8, 20, 32, … }; i.e., φ(n) = 8 + 12t Let’s prove that the only possible value of φ(n) can be 8. Case 1: φ(n) = 8 + 12t = 4(2 + 3t) By defn., φ(n) is a product of two even numbers (p-1) and (q-1) Let’s take q-1 = 4 and p-1 = 2+3t; i.e., q = 5 and p = 3+3t. Clearly, 3+3t is not a prime number when t > 0. Thus, φ(n) ≠ 4(2 + 3t)
  • 20. Analysis of d^ when e = 3 20 Case 2: φ(n) = 8 + 12t = 2(4 + 6t) Let q-1 = 2 and p-1 = 4+6t. That is, q = 3 and p = 5+6t Since RSA definition assumes that q < p < 2q, 3 < 5 + 6t is true for all t, but 5+6t > 2*3 (except t = 0 case) Since p < 2q is violated, φ(n) ≠ 2(4 + 6t). Thus, we proved that when e =3, k must be 2. (k = 1 is only possible if q = 3 and p = 5, but such small p and q are absurd anyways)
  • 21. Demo 21 ● Demo 1: When e = 3, the first half of the most significant private exponent d bits is leaked ● Demo 2: When e = 65537, there are only at most 65537 possible values of the most significant bits of d (instead of 2n/2 possibilities) ● For both demos, we will show that half of the most significant bits of the private exponent d can be revealed by using the public parameters <e, n> ● The demos use 2048-bit RSA key (but applicable for other key sizes) ● Appendix has my implementation of the algorithm used in the demos
  • 22. Demo 1: e = 3 22
  • 23. 23 ~/crypto/RSA$ e=3 ~/crypto/RSA$ java RSA_KeyPair 2048 $e d=1421237067484190664687467641737187734480432074691163039233098997475699692733759482574032952 504058684945672246071323206448263776167088791315805030995938598788917861285158127945424492484 083185531159037194902697979212301225881718304183586919116140663186232111508302003084235247162 790681958249261347807069877965041559837274254672179935363751863511411580357365707845953663926 861042738958587605928377974474390920562141137897933563181368621890970668452394101228784250684 949276876015095331870308805317389193397861773963131721670380660776616208922972152524281777702 9163150275214370671181822432156547192936318586434345409301739 n=2131855601226285997031201462605781601720648112036744558849648496213549539100639223861049428 756088027418508369106984809672395664250633186973707546493907898183376791927737191918136738726 124778296738555792354046968818451838822577456275380378674210994779348167262453004626352870744 186022937373892021710604816947591541716920848648232267991218076826874172399457724605435745051 969912159268306241010887191644608211396202072313259815055304203147180860750050654130709105253 252072039356069016123192746164428752945697718217090400475781422732315382047928432005892912423 2687942502070000081779339907151328354852637293825990658859773 (on the next slide, we will reveal parts of the private d from public parameters <e, n>) RSA_KeyPair is my program that generates RSA keys
  • 24. 24 ~/crypto/RSA$ java RSA_DCap $e $n k=1 d^ = 710618533742095332343733820868593867240216037345581519616549498737849846366879741287016476252029342 472836123035661603224131888083544395657902515497969299394458930642579063972712246242041592765579518 597451348989606150612940859152091793459558070331593116055754151001542117623581395340979124630673903 534938982530513905640282882744089330406025608958057466485908201811915017323304053089435413670295730 548202737132067357437753271685101401049060286916683551376903035084417357346452023005374397582054809 584315232572739030133491927140910771794015976144001964304141089598083402333336059311330238377611828 4212431275330219619924 k=2 d^ = 142123706748419066468746764173718773448043207469116303923309899747569969273375948257403295250405868 494567224607132320644826377616708879131580503099593859878891786128515812794542449248408318553115903 719490269797921230122588171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464660810617887082734059146 109640547426413471487550654337020280209812057383336710275380607016883471469290404601074879516410961 916863046514547806026698385428182154358803195228800392860828217919616680466667211862266047675522365 68424862550660439239849 k=3 d^ = 213185560122628599703120146260578160172064811203674455884964849621354953910063922386104942875608802 741850836910698480967239566425063318697370754649390789818337679192773719191813673872612477829673855 579235404696881845183882257745627538037867421099477934816726245300462635287074418602293737389202171 060481694759154171692084864823226799121807682687417239945772460543574505196991215926830624101088719 164460821139620207231325981505530420314718086075005065413070910525325207203935606901612319274616442 875294569771821709040047578142273231538204792843200589291242326879425020700000817793399071513283548 RSA_DCap is my program (see appendix)
  • 25. 25 We already proved that when e = 3, k = 2 d^ =142123706748419066468746764173718773448043207469116303923309899747569969 273375948257403295250405868494567224607132320644826377616708879131580503099 593859878891786128515812794542449248408318553115903719490269797921230122588 171830418358691911614066318623211150830200308423524716279068195824926134780 706987796506102781128056576548817866081205121791611493297181640362383003464 660810617887082734059146109640547426413471487550654337020280209812057383336 710275380607016883471469290404601074879516410961916863046514547806026698385 428182154358803195228800392860828217919616680466667211862266047675522365684 24862550660439239849 We see that d^ revealed half of the private exponent d using the public key parameters <e, n>
  • 26. 26 Demo 2: e = 65537
  • 27. 27 Example: RSA public exponent e (e.g., CNN) Disclaimer: CNN is just a random example. We are not attacking it.
  • 28. 28 RSA Public Exponent e is 65537 for CNN
  • 29. 29 Java JDK RSA key generation Code
  • 31. 31 ~/crypto/RSA$ java RSA_KeyPair 2048 65537 d=1491629145334706896467017294894892007671534965487629464211591052998312042021202036862248300189034 142316438082203748580728041607410808263351850622119133237512511436360765640238531295687593993896556 379805652151480308009131445209611685478461405326137092441371914212447136849213035694365635044042262 249824359449236690818626487184413087475423626176858565860592456883256289778387604384353711846146381 990134324009985938782618001216802708526050010979574880940401482976305545922019524306316518714599787 458458410757158810193932688548523743542459048263467703772587696279955036020135068150653908985091923 4654150061036966845424033 n=1978083757543518532451617006384592017538838264531824609389620454074269046902944514161092004238946 389821780708081486659958997628993972908848446665759239882372672238056970816760676356241963730837689 507554087920913900161765429475967645309630212886666261176248303151378956043846109273606649613140383 267234703464710971180657618980402253949546710953311699153301788485281409238637350429069319629583467 726988461505380836551971149145379567858344693903298557007299040518049531377666675151765379279923234 752095969737037013565533109667398191120453837912308378294097448282776247294362326194476537661616750 4687282086327354786906827 e = 65537
  • 32. 32 java RSA_DCap $e $n k=4942 d^ =14916291453347068964670172948948920076715349654876294642115910529983120420 21202036862248300189034142316438082203748580728041607410808263351850622119133 23751251143636076564023853129568759399389655637980565215148030800913144520961 16854784614053261370924413719142124471368492130356943656350440422622498243594 49257918362880503074774240355625043186484950061128437172018970117238473811810 21066106191884077345266942217285500426004798294465049353453317995464090084352 96398651248041119672893944491479051749177231854428675467086726545740361196397 25187699773491223215803817723443053331103514510753270668601927889140940039319 674 We see that d^ revealed half of the private exponent d using the public key parameters <e, n> (in 4942 attempts - see previous slide)
  • 33. 33 Conclusion ● When RSA is used with the public exponent e = 3, the most significant half of the private exponent d is revealed (in one attempt) ● So, we want to avoid using e = 3 during key generation even if we use RSA with proper random padding (e.g., OAEP) ● The default e = 65537 reveals half of the private key (65537 attempts at most) ● But, do not simply increase the value of e, then d will likely decrease! ● At this time of writing, e = 65537 is the NIST recommended value ● If RSA modulus size is b bit, the most significant b/2 bits of the private key are known to attackers! ○ This is also true when e = 65537
  • 34. References ● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November, 1976. ● R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” CACM 21, 2, February, 1978. ● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996. ● C. Paar and J. Pelzl. “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011. 34
  • 36. 36 public static BigInteger[] leakPrivExp(int e, BigInteger n) { BigInteger[] dcaps = new BigInteger[e]; for(int i = 1; i <= e; i++) { BigInteger k = BigInteger.valueOf(i); // dcap = floor((1+kN)/e) dcaps[i-1] = one.add(k.multiply(n)).divide(BigInteger.valueOf(e)); } return dcaps; } Given the public parameters e and n, this code attempts to leak the private exponent d