On the Secrecy of RSA Private Keys
Dr. Dharma Ganesan, Ph.D.
Disclaimer
● The opinions expressed here are my own
○ But not the views of my employer
● The source code fragments and exploits shown here can be reused
○ But without any warranty; I accept no responsibility for failures
● Do not apply the exploit discussed here on other systems
○ Without obtaining authorization from the owners
Question (standard notations are defined later)
● Can we reveal the RSA private exponent d from the public key <e, n>?
● We study this question for two specific cases: e = 3 and e = 65537
● Using demos, we verify that RSA reveals (approximately) the most significant half of the
private exponent d when the public exponent e is small
● For example, for 2048-bit RSA, roughly the most significant 1024 bits of d are revealed!
Agenda
● Overview of Public Key Cryptography using RSA
● Math facts
● Algorithm to approximate private key from public key
● Demo
● Conclusion
● Appendix
Prerequisite
Some familiarity with the following topics will help to follow the rest of the slides
● Group Theory
● Number Theory
● Algorithms and Complexity Theory
● If not, it should still be possible to obtain a high-level overview
How can Bob send a message to Alice securely?
[Figure: Alice holds the key pair (Public Key PuA, Private Key PrA); Bob holds the key pair (Public Key PuB, Private Key PrB)]
● Alice and Bob never met each other
● Bob will encrypt using Alice’s public key
○ Assume that public keys are known to the world
● Alice will decrypt using her private key
○ Private keys are secrets (never sent out)
● Bob can sign messages using his private key
○ Alice verifies message integrity using Bob’s public key
○ Not important for this presentation/attack
● Note: Alice and Bob need other evidence (e.g., passwords, certificates) to prove their identity to each other
● Who are Alice, Bob, and Eve?
RSA Public Key Cryptography System
● Invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman (published in CACM in 1978)
● Rooted in elegant mathematics - Group Theory and Number Theory
● Core idea: Anyone can encrypt a message using the recipient's public key but
○ (as far as we know) no one can efficiently decrypt unless they hold the matching private key
● Encryption and Decryption are inverse operations (math details later)
○ The work of Euclid, Euler, and Fermat provides the mathematical foundation of RSA
● Eavesdropper Eve cannot easily derive the secret (math details later)
○ Unless she solves “hard” number theory problems (e.g., factoring n) that are believed to be computationally intractable
Notations and Facts
● gcd(x, y): the greatest common divisor of the integers x and y (the largest positive integer that divides both)
● Co-prime: if gcd(x, y) = 1, then x and y are co-prime
● Z_n = { 0, 1, 2, …, n-1 }, n > 0; we may imagine Z_n as a circular wall clock
● Z_n^* = { x ∈ Z_n | gcd(x, n) = 1 } (additional info: Z_n^* is a multiplicative group)
● φ(n): Euler’s totient function, the number of elements in Z_n^*
● φ(nm) = φ(n)·φ(m) whenever gcd(n, m) = 1 (this property is called multiplicative); it is what justifies φ(pq) = φ(p)φ(q) for two distinct primes p and q
● φ(p) = p-1, if p is a prime number
Notations and Facts ...
● x ≡ y (mod n) denotes that n divides x-y; x is congruent to y mod n
● Euler’s Theorem: a^φ(n) ≡ 1 (mod n), if gcd(a, n) = 1
● Fermat’s Little Theorem: a^p ≡ a (mod p) for every prime p (the special case n = p of Euler’s theorem)
● Gauss’s Fundamental Theorem of Arithmetic: Any integer greater than 1 is
either a prime or can be written as a unique product of primes
○ Euclid’s work is the foundation for this theorem, see The Elements
● Euclid’s Lemma: if a prime p divides the product of two natural numbers a
and b, then p divides a or p divides b
● Euclid’s Infinitude of Primes (c. 300 BC): There are infinitely many primes
RSA - Key Generation Algo
1. Select an appropriate bitlength of the RSA modulus n (e.g., 2048 bits)
○ The value of n is not fixed until step 3; a small n is dangerous (it can be factored)
2. Pick two independent, large random primes, p and q, each of half of n’s bitlength
○ With equal bit lengths we have q < p < 2q (naming the larger prime p); this bound is used in the analysis later. p and q must also not be too close to each other, otherwise Fermat’s factorization recovers them
3. Compute n = p·q (n is also called the RSA modulus)
4. Compute Euler’s totient (phi) function φ(n) = φ(p·q) = φ(p)φ(q) = (p-1)(q-1)
5. Select numbers e and d in {1, …, φ(n)-1} such that e·d ≡ 1 (mod φ(n))
○ e must be relatively prime to φ(n), otherwise d cannot exist (i.e., we cannot decrypt)
○ d is the multiplicative inverse of e modulo φ(n), computed with the extended Euclidean algorithm
6. The public key is the pair <n, e> and the private key is the 4-tuple <φ(n), d, p, q>
RSA Trapdoor
● RSA: Z_n → Z_n
● Let x and y ∈ Z_n
● y = RSA(x) = x^e mod n
○ We may view x as a plaintext, and y as the corresponding ciphertext
● x = RSA^-1(y) = y^d mod n
○ Why this inverts: e·d = 1 + kφ(n) for some integer k, so y^d = x^{ed} = x·(x^{φ(n)})^k ≡ x (mod n) by Euler’s theorem when gcd(x, n) = 1 (the congruence also holds for the remaining x, by checking modulo p and modulo q with Fermat’s little theorem)
● e and d are also called encryption and decryption exponents, respectively
● Many implementations use the Chinese Remainder Theorem (CRT) to compute y^d mod n efficiently (exponentiate modulo p and modulo q separately, then recombine)
● I will use CRT later for an RSA game
RSA Trapdoor variables’ dependency graph
[Figure: dependency graph of the RSA variables; p, q, φ(n) and d are private variables, n and e are public variables. Note: the public exponent e affects the private exponent d (d = e^-1 mod φ(n))]
Fact: Let n = pq, where p and q are two prime numbers such that q < p < 2q; then p + q < 3√n
Proof:
p + q < 2q + q = 3q ……………………. (1)
Since n = pq and p > q, n > q²
Thus, q < √n …………………………………..(2)
Combining (1) and (2), we obtain p + q < 3q < 3√n
Fact: If ed - 1 = k φ(n), then 1 ≤ k < e
Proof (by contradiction):
k ≥ 1 because ed - 1 > 0 (e, d > 1) and φ(n) > 0.
Suppose k ≥ e. Then ed - 1 ≥ e φ(n), so ed > e φ(n).
Since e > 0, dividing by e gives d > φ(n).
This is a contradiction because the RSA private exponent d is reduced modulo φ(n), so d < φ(n).
Note: One can similarly prove that k < d, too.
Algorithm to approximate the private exponent d
D. Boneh, “Twenty Years of Attacks on the RSA Cryptosystem,” Notices of the AMS, 1999:
https://www.ams.org/notices/199902/boneh.pdf
We experiment with this algorithm (page 8 in boneh.pdf)
We provide a proof that k = 2 when e = 3, which was not given in the paper
Algorithm: derive the private exponent d from the public key
e·d ≡ 1 (mod φ(n))
e·d - 1 = k (p-1)(q-1) for some integer k ≥ 1, recall that φ(n) = (p-1)(q-1)
= k (pq - p - q + 1)
e·d - 1 = k (n - p - q + 1) (since n = pq)
d = (1 + k(n - p - q + 1))/e
Since p and q are half the bitsize of n, (n - p - q + 1) has the same bitsize as n.
Let’s approximate n - p - q + 1 by n; thus d^ = ⌊(1 + kn)/e⌋ is an approximation of
the private exponent d.
Note that we know n and e, but not k. Since 1 ≤ k < e (previous slide), we simply try every k:
for each k in 1, …, e-1 compute d^_k = ⌊(1 + kn)/e⌋; one of these candidates approximates d.
Fact: 0 ≤ d^ - d < 3√n (in particular |d - d^| < 3√n)
Proof:
We know that d = (1 + k(n - p - q + 1))/e (an integer) and d^ = ⌊(1 + kn)/e⌋
The floor changes the value by less than 1 and, since (1 + kn)/e ≥ d with d an integer, never pushes d^ below d; ignoring it:
d^ - d = (1 + kn)/e - (1 + kn - kp - kq + k)/e
= (kp + kq - k)/e = k(p + q - 1)/e < k(p + q)/e
< p + q < 3√n (since k < e and p + q < 3√n)
Summary: d^ approximates d from above with an error smaller than 3√n, i.e., an error of about half the bit length of n.
Hence d^ and d agree on (roughly) the most significant half of their bits; the exact count varies by a few bits from key to key, because adding the error to d can carry into the upper half.
Analysis of d^ when e = 3
e·d ≡ 1 (mod φ(n))
3·d - 1 = k φ(n)
Since 1 ≤ k < e = 3, k is either 1 or 2. We now prove that k = 2 for every key with p, q > 3.
Key generation requires gcd(e, φ(n)) = 1, i.e., 3 ∤ (p-1)(q-1), so 3 ∤ (p-1) and 3 ∤ (q-1).
A prime p > 3 is ≡ 1 or ≡ 2 (mod 3); 3 ∤ (p-1) excludes p ≡ 1, so p ≡ 2 (mod 3), and likewise q ≡ 2 (mod 3).
Hence p-1 ≡ q-1 ≡ 1 (mod 3), and φ(n) = (p-1)(q-1) ≡ 1 (mod 3).
Reducing 3d - 1 = k φ(n) modulo 3 gives -1 ≡ k·1 (mod 3), i.e., k ≡ 2 (mod 3).
Analysis of d^ when e = 3 ...
Together with 1 ≤ k < 3, this forces k = 2. So for e = 3 the candidate is simply d^ = ⌊(1 + 2n)/3⌋, obtained in one attempt.
(The same equation shows that d is odd: 3d = 1 + 2φ(n) and φ(n) is even.)
The case k = 1 would need φ(n) ≡ 2 (mod 3), which happens only when 3 is one of the primes; with q < p < 2q and odd primes that leaves only (p, q) = (5, 3): n = 15, φ(n) = 8, d = 3, and indeed 3·3 - 1 = 8 = 1·φ(n).
Such small p and q are absurd for a real key, so in practice k = 2 always.
Demo
● Demo 1: When e = 3, the most significant half of the bits of the private exponent d is leaked in a single attempt (k = 2)
● Demo 2: When e = 65537, there are at most e - 1 = 65536 candidates (one per k) for the most significant half of d (instead of 2^{b/2} possibilities for a b-bit modulus, i.e., 2^{1024} here)
● For both demos, we show that half of the most significant bits of the private exponent d can be revealed using only the public parameters <e, n>
● The demos use a 2048-bit RSA key (but the attack applies to other key sizes)
● The appendix has my implementation of the algorithm used in the demos
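The following is an added example and not code from the deck (the author's RSA_KeyPair and RSA_DCap programs are not on the page, apart from leakPrivExp in the appendix). It puts the key generation of slide 10, the trapdoor with CRT decryption of slide 11, the candidate enumeration d^_k = ⌊(1 + kn)/e⌋ and the error bound of slides 16-17, the k = 2 result for e = 3 of slides 18-20, and both demos into one runnable Python script at 512-bit size. The function names, the 512-bit modulus, the seeded random generator and the Miller-Rabin primality test are assumptions of this example.

```python
# Added example, not code from the original deck: a small, runnable counterpart of the
# author's RSA_KeyPair / RSA_DCap programs (key sizes, seed and names are assumptions).
import math
import random
from dataclasses import dataclass

# primes below 200, used for cheap trial division before Miller-Rabin
SMALL_PRIMES = [2] + [p for p in range(3, 200, 2)
                      if all(p % q for q in range(3, math.isqrt(p) + 1, 2))]

def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin (error probability < 4**-rounds)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int, rng: random.Random) -> int:
    """Random prime of exactly `bits` bits (top bit set), step 2 of slide 10."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

@dataclass
class RSAKey:
    n: int   # public modulus
    e: int   # public exponent
    d: int   # private exponent, e*d = 1 mod phi(n)
    p: int   # private primes with q < p < 2q
    q: int

def generate_key(bits: int, e: int, rng: random.Random) -> RSAKey:
    """Slide 10: p, q of bits/2 bits each (hence q < p < 2q), n = pq, d = e^-1 mod phi(n)."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        if p == q:
            continue
        if p < q:
            p, q = q, p
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:            # otherwise d does not exist: pick new primes
            return RSAKey(p * q, e, pow(e, -1, phi), p, q)

def decrypt_crt(key: RSAKey, y: int) -> int:
    """Slide 11: y^d mod n via CRT: exponentiate mod p and mod q, recombine (Garner)."""
    p, q, d = key.p, key.q, key.d
    xp, xq = pow(y, d % (p - 1), p), pow(y, d % (q - 1), q)   # Fermat: reduce d mod p-1, q-1
    return xq + q * ((pow(q, -1, p) * (xp - xq)) % p)

def trapdoor_roundtrip(key: RSAKey, x: int) -> bool:
    """Slide 11: RSA^-1(RSA(x)) == x, with plain and with CRT decryption."""
    y = pow(x, key.e, key.n)                                  # y = x^e mod n
    return pow(y, key.d, key.n) == x and decrypt_crt(key, y) == x

def d_candidates(e: int, n: int) -> list:
    """Slides 16-17 / RSA_DCap: d^_k = floor((1 + k*n)/e) for every k with 1 <= k < e."""
    return [(1 + k * n) // e for k in range(1, e)]

def true_k(key: RSAKey) -> int:
    """k with e*d - 1 = k*phi(n); needs p and q, so only the key owner can compute it."""
    return (key.e * key.d - 1) // ((key.p - 1) * (key.q - 1))

def shared_leading_bits(a: int, b: int, width: int) -> int:
    """How many of the `width` most significant bits a and b have in common."""
    return width - (a ^ b).bit_length()

def leak_demo(bits: int, e: int, seed: int) -> dict:
    """The deck's demos at small scale: attacker-side candidates vs. the owner's true d."""
    key = generate_key(bits, e, random.Random(seed))
    cands = d_candidates(e, key.n)               # attacker side: uses <e, n> only
    k = true_k(key)                              # owner side: selects the matching candidate
    dhat, width = cands[k - 1], key.n.bit_length()
    return {"key": key, "k": k, "num_candidates": len(cands), "width": width,
            "delta": dhat - key.d,               # slide 17: 0 <= delta < 3*sqrt(n)
            "bound": 3 * math.isqrt(key.n),
            "shared_msbs": shared_leading_bits(key.d, dhat, width)}

if __name__ == "__main__":
    for e in (3, 65537):
        r = leak_demo(512, e, seed=2024)
        print(f"e={e}: k={r['k']}, {r['num_candidates']} candidates, d^ - d has "
              f"{r['delta'].bit_length()} bits, d and d^ share {r['shared_msbs']}/{r['width']} top bits")
```

Running the script prints, for e = 3 and for e = 65537, which k matched, how many candidates the attacker must consider (2 and 65536), the bit length of the error d^ - d (at most about half the modulus length plus two bits) and how many leading bits d and d^ share. The shared-bit count moves by a few bits from key to key, because adding the error to d can carry into the upper half, which is why the script asserts on the proven bound rather than on an exact count. Note that true_k needs p and q: an attacker sees only the candidate list.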
Demo 1: e = 3
~/crypto/RSA$ e=3
~/crypto/RSA$ java RSA_KeyPair 2048 $e
d=1421237067484190664687467641737187734480432074691163039233098997475699692733759482574032952
504058684945672246071323206448263776167088791315805030995938598788917861285158127945424492484
083185531159037194902697979212301225881718304183586919116140663186232111508302003084235247162
790681958249261347807069877965041559837274254672179935363751863511411580357365707845953663926
861042738958587605928377974474390920562141137897933563181368621890970668452394101228784250684
949276876015095331870308805317389193397861773963131721670380660776616208922972152524281777702
9163150275214370671181822432156547192936318586434345409301739
n=2131855601226285997031201462605781601720648112036744558849648496213549539100639223861049428
756088027418508369106984809672395664250633186973707546493907898183376791927737191918136738726
124778296738555792354046968818451838822577456275380378674210994779348167262453004626352870744
186022937373892021710604816947591541716920848648232267991218076826874172399457724605435745051
969912159268306241010887191644608211396202072313259815055304203147180860750050654130709105253
252072039356069016123192746164428752945697718217090400475781422732315382047928432005892912423
2687942502070000081779339907151328354852637293825990658859773
(on the next slide, we derive part of the private exponent d from the public parameters <e, n> alone)
RSA_KeyPair is my program that generates RSA keys (it prints d and n; e was given on the command line)
~/crypto/RSA$ java RSA_DCap $e $n
k=1 d^ =
710618533742095332343733820868593867240216037345581519616549498737849846366879741287016476252029342
472836123035661603224131888083544395657902515497969299394458930642579063972712246242041592765579518
597451348989606150612940859152091793459558070331593116055754151001542117623581395340979124630673903
534938982530513905640282882744089330406025608958057466485908201811915017323304053089435413670295730
548202737132067357437753271685101401049060286916683551376903035084417357346452023005374397582054809
584315232572739030133491927140910771794015976144001964304141089598083402333336059311330238377611828
4212431275330219619924
k=2 d^ =
142123706748419066468746764173718773448043207469116303923309899747569969273375948257403295250405868
494567224607132320644826377616708879131580503099593859878891786128515812794542449248408318553115903
719490269797921230122588171830418358691911614066318623211150830200308423524716279068195824926134780
706987796506102781128056576548817866081205121791611493297181640362383003464660810617887082734059146
109640547426413471487550654337020280209812057383336710275380607016883471469290404601074879516410961
916863046514547806026698385428182154358803195228800392860828217919616680466667211862266047675522365
68424862550660439239849
k=3 d^ =
213185560122628599703120146260578160172064811203674455884964849621354953910063922386104942875608802
741850836910698480967239566425063318697370754649390789818337679192773719191813673872612477829673855
579235404696881845183882257745627538037867421099477934816726245300462635287074418602293737389202171
060481694759154171692084864823226799121807682687417239945772460543574505196991215926830624101088719
164460821139620207231325981505530420314718086075005065413070910525325207203935606901612319274616442
875294569771821709040047578142273231538204792843200589291242326879425020700000817793399071513283548
RSA_DCap is my program (see appendix); it prints one candidate d^ per k, computed from <e, n> alone
We already proved that when e = 3, k = 2, so the k = 2 candidate is the one to compare with d:
d^ = 142123706748419066468746764173718773448043207469116303923309899747569969
273375948257403295250405868494567224607132320644826377616708879131580503099
593859878891786128515812794542449248408318553115903719490269797921230122588
171830418358691911614066318623211150830200308423524716279068195824926134780
706987796506102781128056576548817866081205121791611493297181640362383003464
660810617887082734059146109640547426413471487550654337020280209812057383336
710275380607016883471469290404601074879516410961916863046514547806026698385
428182154358803195228800392860828217919616680466667211862266047675522365684
24862550660439239849
Comparing digit by digit with d from the key-generation slide, d^ matches the first 308 of the
617 decimal digits of d (about 1020 of its 2048 bits) before the two diverge, as the bound
d^ - d < 3√n predicts; all of this was computed from the public parameters <e, n> only
Demo 2: e = 65537
Example: the RSA public exponent e of a real public key (e.g., CNN)
[Screenshot: CNN’s RSA public key as shown by a certificate viewer; the public exponent e is 65537]
Disclaimer: CNN is just a random example. We are not attacking it.
[Screenshot: Java JDK RSA key generation code; the default public exponent e is 65537]
~/crypto/RSA$ java RSA_KeyPair 2048 65537
d=1491629145334706896467017294894892007671534965487629464211591052998312042021202036862248300189034
142316438082203748580728041607410808263351850622119133237512511436360765640238531295687593993896556
379805652151480308009131445209611685478461405326137092441371914212447136849213035694365635044042262
249824359449236690818626487184413087475423626176858565860592456883256289778387604384353711846146381
990134324009985938782618001216802708526050010979574880940401482976305545922019524306316518714599787
458458410757158810193932688548523743542459048263467703772587696279955036020135068150653908985091923
4654150061036966845424033
n=1978083757543518532451617006384592017538838264531824609389620454074269046902944514161092004238946
389821780708081486659958997628993972908848446665759239882372672238056970816760676356241963730837689
507554087920913900161765429475967645309630212886666261176248303151378956043846109273606649613140383
267234703464710971180657618980402253949546710953311699153301788485281409238637350429069319629583467
726988461505380836551971149145379567858344693903298557007299040518049531377666675151765379279923234
752095969737037013565533109667398191120453837912308378294097448282776247294362326194476537661616750
4687282086327354786906827
e = 65537
java RSA_DCap $e $n
k=4942 d^ = 14916291453347068964670172948948920076715349654876294642115910529983120420
21202036862248300189034142316438082203748580728041607410808263351850622119133
23751251143636076564023853129568759399389655637980565215148030800913144520961
16854784614053261370924413719142124471368492130356943656350440422622498243594
49257918362880503074774240355625043186484950061128437172018970117238473811810
21066106191884077345266942217285500426004798294465049353453317995464090084352
96398651248041119672893944491479051749177231854428675467086726545740361196397
25187699773491223215803817723443053331103514510753270668601927889140940039319
674
Again d^ matches the first 308 of the 617 decimal digits of d (about 1020 of 2048 bits); here the
matching candidate is the one for k = 4942, i.e., it appeared after 4942 of the at most e - 1 = 65536 attempts.
Caveat: we could single out k = 4942 only because we know d. An attacker who has just <e, n> cannot
tell which candidate is right, so for e = 65537 the leak is a list of at most 65536 candidates for the
top half of d, exactly one of which is correct.
Conclusion
● When RSA is used with the public exponent e = 3, the most significant half of
the private exponent d is revealed in one attempt (k = 2 is forced)
● So, we want to avoid using e = 3 during key generation even if we use RSA
with proper random padding (e.g., OAEP)
● The default e = 65537 narrows the most significant half of d down to at most 65536 candidates (one per k < e)
● But do not counter this by picking a very large e: encryption and signature verification get slower, and an e chosen so that d becomes short is far worse (Wiener’s attack recovers d when d < n^{1/4}/3, see Boneh’s survey)
● At the time of writing, FIPS 186-4 requires 65537 ≤ e < 2^256, and e = 65537 is the standard choice
● If the RSA modulus is b bits, the most significant b/2 bits of the private exponent d are essentially known to attackers!
○ This is also true when e = 65537 (up to the k ambiguity above)
○ Caveat: this alone does not break the key. What remains unknown is the lower half of d, which still has about 2^{b/2} possibilities. The practical lesson is that the top half of d carries no secrecy and must never be relied on as a secret; Boneh’s survey discusses partial key exposure attacks that, for small e, recover all of d from its b/4 least significant bits
References
● W. Diffie and M. E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, vol. IT-22, no. 6, November 1976.
● R. L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” CACM 21(2), February 1978.
● D. Boneh, “Twenty Years of Attacks on the RSA Cryptosystem,” Notices of the AMS 46(2), February 1999 (the algorithm experimented with in this deck).
● A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996.
● C. Paar and J. Pelzl, “Understanding Cryptography: A Textbook for Students and Practitioners,” Springer, 2011.
Appendix
import java.math.BigInteger;

public class RSA_DCap {
    // Given the public key <e, n>, return the candidates d^ = floor((1 + k*n)/e) for every
    // k with 1 <= k < e (slide 14 proves k < e, so k = e need not be tried);
    // dcaps[k-1] holds the candidate for k. One of them agrees with the true d on
    // (roughly) its most significant half.
    public static BigInteger[] leakPrivExp(int e, BigInteger n) {
        BigInteger[] dcaps = new BigInteger[e - 1];
        BigInteger bigE = BigInteger.valueOf(e);
        for (int i = 1; i < e; i++) {
            BigInteger k = BigInteger.valueOf(i);
            // dcap = floor((1 + k*n) / e); divide() truncates, which is floor for non-negative operands
            dcaps[i - 1] = BigInteger.ONE.add(k.multiply(n)).divide(bigE);
        }
        return dcaps;
    }
}
Given the public parameters e and n, this code computes the candidate approximations d^ of the private exponent d, one for each possible k; the demos compared them against the true d to find the matching one

  • 26. 26 Demo 2: e = 65537
  • 27. 27 Example: RSA public exponent e (e.g., CNN) Disclaimer: CNN is just a random example. We are not attacking it.
  • 28. 28 RSA Public Exponent e is 65537 for CNN
  • 29. 29 Java JDK RSA key generation Code
  • 31. 31 ~/crypto/RSA$ java RSA_KeyPair 2048 65537 d=1491629145334706896467017294894892007671534965487629464211591052998312042021202036862248300189034 142316438082203748580728041607410808263351850622119133237512511436360765640238531295687593993896556 379805652151480308009131445209611685478461405326137092441371914212447136849213035694365635044042262 249824359449236690818626487184413087475423626176858565860592456883256289778387604384353711846146381 990134324009985938782618001216802708526050010979574880940401482976305545922019524306316518714599787 458458410757158810193932688548523743542459048263467703772587696279955036020135068150653908985091923 4654150061036966845424033 n=1978083757543518532451617006384592017538838264531824609389620454074269046902944514161092004238946 389821780708081486659958997628993972908848446665759239882372672238056970816760676356241963730837689 507554087920913900161765429475967645309630212886666261176248303151378956043846109273606649613140383 267234703464710971180657618980402253949546710953311699153301788485281409238637350429069319629583467 726988461505380836551971149145379567858344693903298557007299040518049531377666675151765379279923234 752095969737037013565533109667398191120453837912308378294097448282776247294362326194476537661616750 4687282086327354786906827 e = 65537
  • 32. 32 java RSA_DCap $e $n k=4942 d^ =14916291453347068964670172948948920076715349654876294642115910529983120420 21202036862248300189034142316438082203748580728041607410808263351850622119133 23751251143636076564023853129568759399389655637980565215148030800913144520961 16854784614053261370924413719142124471368492130356943656350440422622498243594 49257918362880503074774240355625043186484950061128437172018970117238473811810 21066106191884077345266942217285500426004798294465049353453317995464090084352 96398651248041119672893944491479051749177231854428675467086726545740361196397 25187699773491223215803817723443053331103514510753270668601927889140940039319 674 We see that d^ revealed half of the private exponent d using the public key parameters <e, n> (in 4942 attempts - see previous slide)
  • 33. Conclusion
    ● When RSA is used with the public exponent e = 3, the most significant half of the private exponent d is revealed (in one attempt)
    ● So we want to avoid using e = 3 during key generation, even if we use RSA with proper random padding (e.g., OAEP)
    ● The default e = 65537 also reveals half of the private key (in at most 65537 attempts)
    ● But do not simply increase the value of e: a larger e makes d likely to decrease!
    ● At the time of writing, e = 65537 is the NIST recommended value
    ● If the RSA modulus size is b bits, the most significant b/2 bits of the private key are known to attackers!
      ○ This is also true when e = 65537
  • 36. Appendix: Given the public parameters e and n, this code attempts to leak the private exponent d by computing every candidate d^ = floor((1 + k*n)/e)

    // requires: import java.math.BigInteger;
    public static BigInteger[] leakPrivExp(int e, BigInteger n) {
        BigInteger[] dcaps = new BigInteger[e];
        for (int i = 1; i <= e; i++) {
            BigInteger k = BigInteger.valueOf(i);
            // dcap = floor((1 + k*N) / e); exact integer division on BigInteger
            dcaps[i - 1] = BigInteger.ONE.add(k.multiply(n)).divide(BigInteger.valueOf(e));
        }
        return dcaps;
    }
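The algorithm behind the two demos and the Appendix code, as an added example in Python (not the author's RSA_KeyPair or RSA_DCap programs): it builds a small reproducible key pair from a seeded Miller-Rabin prime generator (constructed test data, 512-bit so it runs in a moment), computes every candidate d^_k = floor((1 + k*n)/e) from <e, n> alone, and only then uses the real d to confirm that the right candidate lies within p+q-1 < 2^(b/2+1) of d, which is why the two values share their most significant half.

```python
# Added example (not from the slides): rebuild the top half of d from <e, n> alone.
import math
import random
def is_probable_prime(m, rng, rounds=32):  # Miller-Rabin; rng picks witnesses (reproducible)
    for sp in (2, 3, 5, 7, 11, 13):
        if m % sp == 0:
            return m == sp
    d, r = m - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:  # force the top bit (exact size) and the low bit (odd)
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c

def gen_rsa(bits, e, seed):
    """Return (n, phi, d); a fixed seed makes the constructed key reproducible."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, phi, pow(e, -1, phi)

def d_candidates(e, n):
    """Slides' algorithm: e*d = 1 + k*phi with 1 <= k < e, and phi ~ n, so try every k."""
    return [(1 + k * n) // e for k in range(1, e)]

def leak_demo(bits, e, seed):
    """Run the leak on <e, n> only; phi and d are used afterwards just to score it."""
    n, phi, d = gen_rsa(bits, e, seed)
    cands = d_candidates(e, n)
    k = (e * d - 1) // phi  # the k hidden in e*d = 1 + k*phi
    dcap = cands[k - 1]  # equals d + floor(k*(p+q-1)/e), so 0 <= dcap - d < 2^(bits/2+1)
    hits = [i for i, c in enumerate(cands, 1) if 0 <= c - d < 2 ** (bits // 2 + 1)]
    return n, d, k, dcap, hits
```

For e = 65537 this enumerates all 65536 candidates and exactly one lands within that bound, which is what Demo 2 found at k = 4942.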