Gaspare FERRARO
CyberSecNatLab
Matteo ROSSI
Politecnico di Torino
Attacks on RSA
https://cybersecnatlab.it
License & Disclaimer
License Information
This presentation is licensed under the Creative Commons BY-NC License.
To view a copy of the license, visit: http://creativecommons.org/licenses/by-nc/3.0/legalcode
Disclaimer
➢ We disclaim any warranties or representations as to the accuracy or completeness of this material.
➢ Materials are provided “as is” without warranty of any kind, either express or implied, including without limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement.
➢ Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material.
© CINI – 2021 Rel. 04.04.2021
Goal
➢ Present different methods to exploit the RSA algorithm, based on:
➢ The modulus
➢ Oracles
➢ Public/private exponents
➢ External information (timing and errors)
Prerequisites
➢ Lectures:
➢ CR_0.1 - Number Theory and modular arithmetic
➢ CR_2.3 – RSA
Outline
➢ Attacks on the modulus
➢ Oracles
➢ Attacks on small public exponents
➢ Attacks on small private exponents (sketch)
➢ Implementation attacks (sketch)
Attacks on the modulus
➢ Recall that the security of RSA is based on the hardness of factoring integers
➢ The most natural way to attack it is to directly factorize the modulus
➢ In this section, we describe the problem of factoring and some particularly weak RSA instances
Factoring
➢ Direct factorization of composite numbers is still considered hard
➢ In general there is no chance to factor composite numbers with 1024 or more bits
➢ There are particular cases for which it is feasible, for example:
➢ If the primes are reused
➢ If all but (at most) one prime are small
➢ If two primes are very close
Direct Factorization
➢ One of the best known algorithms is the General Number Field Sieve (GNFS), but its running time is still super-polynomial (sub-exponential in the size of $N$, not polynomial)
➢ An implementation can be found in the CADO-NFS software (http://cado-nfs.gforge.inria.fr/)
➢ Installation and use of CADO-NFS can be a little bit tedious and is in general not required in CTFs
Direct Factorization
➢ Easier-to-use alternatives to CADO-NFS are:
➢ Factordb.com - database of numbers and their factorization
➢ just a database, not a factoring software
➢ The factor function in SageMath
➢ Available also online (with limited execution time)
➢ The YAFU software
➢ Available for Linux and Windows (https://github.com/DarkenCode/yafu)
A particularly easy case
➢ Let's write $p = a + b$ and $q = a - b$ for integers $a, b$ (possible because both primes are odd)
➢ The RSA modulus becomes $N = a^2 - b^2$, that is $a^2 - N = b^2$
➢ If $b$ is small enough (i.e. the two primes are close), we can actually brute-force $a$ starting from $\lceil \sqrt{N} \rceil$ (or $b$ starting from 0) until $a^2 - N$ is a perfect square, and get the factorization
➢ This is called Fermat's factorization method, and it is implemented in YAFU as the "fermat" function
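Added example (not from the slides): Fermat's method on a constructed pair of close primes, plus the iteration estimate a key generator can use to reject such pairs. All numbers are constructed; the FIPS 186-4 distance rule quoted in the comment is the real-world threshold.

```python
from math import isqrt


def fermat_factor(n: int, max_iter: int = 100_000):
    """Fermat's method: look for a, b with n = a^2 - b^2 = (a - b)(a + b).

    Starting from a = ceil(sqrt(n)), each step tests whether a^2 - n is a
    perfect square.  The step count grows with (q - p)^2, so the method is
    only fast when the two factors are close.  Returns (p, q) or None.
    """
    if n % 2 == 0:
        return 2, n // 2
    a = isqrt(n)
    if a * a < n:
        a += 1                      # a = ceil(sqrt(n))
    for _ in range(max_iter):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None                     # factors too far apart for this budget


def fermat_steps_estimate(p: int, q: int) -> int:
    """Approximate number of Fermat iterations needed to split p*q:
    (p + q)/2 - sqrt(pq) = (sqrt(q) - sqrt(p))^2 / 2 ~ (q - p)^2 / (8 sqrt(N)).
    A key generator can reject pairs where this is small; FIPS 186-4 (B.3.1)
    demands |p - q| > 2^(nlen/2 - 100) for the same reason."""
    return (q - p) ** 2 // (8 * isqrt(p * q))


# Constructed example (not from the slides): two primes that differ by only 30.
P, Q = 1000003, 1000033
N = P * Q

if __name__ == "__main__":
    print(fermat_factor(N))              # (1000003, 1000033)
    print(fermat_steps_estimate(P, Q))   # 0: found on the first iteration
```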
Common Prime Attack
➢ Lenstra et al. in 2012 published the paper "Ron was wrong, Whit is right", stating that "two out of every one thousand RSA moduli that we collected offer no security"
➢ They showed that in real life it is common that two RSA keys share one of the prime factors
Common Prime Attack
➢ Why is this a problem?
➢ Given $N_1 = p \cdot q$ and $N_2 = p \cdot r$, we can factorize the two moduli as $p = \mathrm{GCD}(N_1, N_2)$, and then $q = N_1 / p$, $r = N_2 / p$
➢ The Euclidean Algorithm runs in polynomial time!
➢ Once we have $p$, the two RSA keys are completely broken
Common Modulus Attack
➢ What happens when the entire modulus is reused?
➢ In practice, since the exponent is fixed to 65537, this is not an issue
➢ But what if the two exponents are different?
Bézout’s Identity
➢ In order to understand the solution, we need the following:
➢ Bézout's Identity: Let $a$ and $b$ be integers with greatest common divisor $d$. Then there exist integers $x$ and $y$ such that $ax + by = d$
Common Modulus Attack
➢ Suppose we have two keys $(N, e_1)$, $(N, e_2)$, for simplicity with $\mathrm{GCD}(e_1, e_2) = 1$, and two ciphertexts $c_1$, $c_2$ of the same plaintext $m$
➢ By Bézout's identity, we can compute $u$ and $v$ such that:
➢ $u \cdot e_1 + v \cdot e_2 = 1$
➢ Computing $c_1^{u} \cdot c_2^{v} \bmod N = m^{u e_1 + v e_2} = m$ reveals the plaintext!
➢ One of $u, v$ is negative: that factor is computed through the modular inverse, e.g. $c_2^{v} = (c_2^{-1})^{|v|} \bmod N$
➢ Notice that this can be an issue even with $\mathrm{GCD}(e_1, e_2) > 1$ but small! (More on this in the Attacks on small public exponent section)
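Added example (not from the slides): the common modulus attack on a constructed key, with the extended Euclidean algorithm producing the Bézout coefficients and the negative one handled through a modular inverse. It works only because the message is unpadded; randomized padding would make the two ciphertexts encrypt different values.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def common_modulus_attack(n: int, e1: int, c1: int, e2: int, c2: int) -> int:
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n) when gcd(e1, e2) = 1.

    With u*e1 + v*e2 = 1 we get c1^u * c2^v = m^(u*e1 + v*e2) = m (mod n).
    One of u, v is negative, so that factor is raised via a modular inverse.
    """
    g, u, v = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime for this version of the attack")
    # pow(x, -k, n) is (x^-1)^k mod n (Python >= 3.8).  It fails only if
    # gcd(x, n) > 1, which would already hand us a factor of n.
    return pow(c1, u, n) * pow(c2, v, n) % n


# Constructed example (not from the slides): one modulus, two public exponents,
# the same unpadded message encrypted under both.
N = 1000003 * 1000033
E1, E2 = 5, 65537
M = 123456789
C1, C2 = pow(M, E1, N), pow(M, E2, N)

if __name__ == "__main__":
    print(egcd(E1, E2))                                   # (1, 26215, -2)
    print(common_modulus_attack(N, E1, C1, E2, C2) == M)  # True
```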
Oracles
➢ In this section we analyze the security of RSA in the presence of oracles.
➢ This happens in particular with:
➢ Encryption oracles
➢ Decryption oracles
➢ Padding oracles
Modulus Recovery
➢ Scenario 1: we have an encryption oracle that encrypts with a fixed key that is kept secret from us.
➢ Can we recover the modulus?
➢ Encrypt two chosen messages $x$ and $y$
➢ Use the fact that the standard RSA exponent is 65537 to compute $x^e$ and $y^e$ over the integers (without modular reduction)
➢ Notice that $x^e - \mathrm{Enc}(x)$ is a multiple of $N$
➢ Compute $\mathrm{GCD}(x^e - \mathrm{Enc}(x),\ y^e - \mathrm{Enc}(y))$ to find a small multiple of $N$
➢ Repeat with different values if necessary (taking the GCD over more messages shrinks the leftover cofactor)
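Added example (not from the slides): modulus recovery against a simulated encryption oracle, including the step of peeling the small cofactor off the GCD by checking candidates against fresh oracle outputs. The key is constructed; the oracle function stands in for the remote service.

```python
from math import gcd

E = 65537          # the attack assumes the standard public exponent is in use


def make_oracle(n: int):
    """Stand-in for a remote service that encrypts with a key we never see."""
    return lambda x: pow(x, E, n)


def recover_modulus(oracle, e: int = E, probes=(2, 3, 5, 7, 11, 13), bound=10_000) -> int:
    """Recover N from an encryption oracle when e is known.

    x**e is computed as an exact integer, so x**e - oracle(x) equals
    N * floor(x**e / N), a multiple of N.  The gcd over several probes is
    k*N for a cofactor k that is small with high probability.
    """
    g = 0
    for x in probes:
        g = gcd(g, x ** e - oracle(x))
    # Peel off the cofactor: only N itself (not a proper multiple k*N)
    # reproduces the oracle on fresh inputs, because x^e mod k*N falls in
    # [0, N) only about one time in k.  Try the divisors of g, largest first.
    checks = (17, 19, 23, 29, 31, 37, 41, 43)
    for k in range(1, bound):
        if g % k == 0:
            cand = g // k
            if all(pow(x, e, cand) == oracle(x) for x in checks):
                return cand
    raise RuntimeError("cofactor too large: retry with more probes")


# Constructed sample key (not from the slides); the modulus stays inside the oracle.
HIDDEN_N = 1000003 * 1000033
oracle = make_oracle(HIDDEN_N)

if __name__ == "__main__":
    print(recover_modulus(oracle) == HIDDEN_N)   # True
```

The lesson for a defender is that a public modulus cannot be kept secret behind an encryption API; only the private exponent is secret.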
Homomorphic properties of RSA
➢ Scenario 2: we have a decryption oracle that refuses to decrypt messages containing sensitive data.
➢ Can we decrypt an arbitrary ciphertext $c$?
➢ Encrypt a chosen plaintext $x$ (locally!)
➢ Ask the server to decrypt $x^e \cdot c$
➢ Notice that $D(x^e \cdot c) = D(x^e) \cdot D(c) = x \cdot D(c)$: multiply the answer by $x^{-1} \bmod N$ and recover the message
➢ This is called the Homomorphic Property of RSA
LSB Oracles
➢ Scenario 3: we have a decryption oracle that gives a partial decryption: only the least significant bit.
➢ Can we recover the plaintext?
➢ The idea is to "binary search" the answer using the fact that $N$ is odd
➢ Decrypt $2^e \cdot c$, which yields $2m \bmod N$: if the result is 1, then $2m > N$ and so $N/2 < m < N$, otherwise $0 < m < N/2$ (since $2m$ is even, the low bit is 1 exactly when the odd $N$ was subtracted)
➢ Repeat with $4^e \cdot c$, $8^e \cdot c$ and so on, halving the interval each time
➢ We can recover the message in $O(\log N)$ steps
➢ This technique can be easily extended to leakages of the $k$ least significant bits
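Added example (not from the slides): the parity-oracle binary search of scenario 3, using the same multiplicative property as scenario 2, against a constructed toy key. Any padding check (OAEP) breaks the homomorphism, which is why a raw decryption service must never be exposed.

```python
class LsbDecryptionOracle:
    """Stand-in for a server that decrypts and leaks only the lowest bit."""

    def __init__(self, n: int, d: int):
        self._n, self._d, self.queries = n, d, 0

    def lsb(self, c: int) -> int:
        self.queries += 1
        return pow(c, self._d, self._n) & 1


def lsb_oracle_attack(c: int, n: int, e: int, oracle) -> int:
    """Recover m from c = m^e mod n using one parity bit per query.

    (2^i)^e * c decrypts to 2^i * m mod n.  Because 2^i * m is even and n is
    odd, that value's low bit is the parity of f_i = floor(2^i * m / n), and
    f_i = 2 * f_{i-1} + bit.  After n.bit_length() queries the interval
    [f_i * n / 2^i, (f_i + 1) * n / 2^i) is narrower than 1 and pins down m.
    """
    two_e = pow(2, e, n)
    bits = n.bit_length()          # 2^bits > n, so the final interval has width < 1
    f, ci = 0, c
    for _ in range(bits):
        ci = ci * two_e % n        # ciphertext of 2^i * m (homomorphic property)
        f = 2 * f + oracle.lsb(ci)
    return (f * n + (1 << bits) - 1) >> bits   # ceil(f * n / 2^bits)


# Constructed toy key (not from the slides): e = 65537, d derived from phi(n).
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
M = 123456789
C = pow(M, E, N)

if __name__ == "__main__":
    oracle = LsbDecryptionOracle(N, D)
    print(lsb_oracle_attack(C, N, E, oracle) == M, oracle.queries)   # True 40
```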
Padding oracles (sketch)
➢ Like CBC mode, RSA padding schemes have also been exploited in the past.
➢ The most famous attacks were:
➢ Coppersmith's attack against short padding schemes (1997)
➢ Bleichenbacher's attack against PKCS#1 v1.5 (1998)
➢ Manger's attack against PKCS#1 v2.0 (2001)
Attacks on small public exponent
➢ In this section we show why the choice of $e = 3$, although it is the cheapest computationally, has been replaced by 65537
Direct cube root
➢ Scenario 1: we have an unpadded implementation of RSA with $e = 3$ and an encrypted message that comes from a "short message"
➢ Can we decrypt it?
➢ If the number of bits in the message is less than $\log_2 N / 3$ (so that $m^3 < N$), the modulus has no effect!
➢ We can simply compute an integer cube root to find the message
Hastad's broadcast attack
➢ Scenario 2: 3 parties have 3 distinct RSA keys $(N_1, 3)$, $(N_2, 3)$, $(N_3, 3)$
➢ The same message is sent to them without padding
➢ Knowing the 3 ciphertexts, can we decrypt them?
➢ This follows from a direct application of the Chinese Remainder Theorem: we can get $m^3 \bmod N_1 N_2 N_3$
➢ Since $m < \min(N_1, N_2, N_3)$, we have $m^3 < N_1 N_2 N_3$ and this boils down again to an integer cube root
➢ This works also for exponents different from 3, given $e$ ciphertexts under $e$ distinct moduli!
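Added example (not from the slides) covering both scenarios of this section: an exact integer root for the short-message case and the CRT reconstruction for Håstad's broadcast. The moduli are constructed from well-known primes chosen so that e = 3 is a valid exponent for each; the message sizes are constructed to show where a single ciphertext stops being enough.

```python
def iroot(x: int, n: int) -> int:
    """Floor of the integer n-th root of x (integer Newton iteration; exact for
    big integers, unlike float-based roots which lose precision past 2^53)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + n - 1) // n)   # strict upper bound on the root
    while True:
        s = ((n - 1) * r + x // r ** (n - 1)) // n
        if s >= r:
            return r
        r = s


def small_message_attack(c: int, e: int = 3):
    """Scenario 1: unpadded RSA with m^e < N, so c is m^e over the integers."""
    m = iroot(c, e)
    return m if m ** e == c else None


def hastad_broadcast(cts, moduli, e: int = 3):
    """Scenario 2: the same unpadded m sent to e recipients with pairwise
    coprime moduli.  CRT gives m^e mod (N1*...*Ne); since m < every N_i,
    m^e is below the product, so the residue is m^e itself."""
    M = 1
    for n in moduli:
        M *= n
    x = 0
    for c, n in zip(cts, moduli):
        Mi = M // n
        x += c * Mi * pow(Mi, -1, n)      # standard CRT reconstruction
    x %= M
    m = iroot(x, e)
    return m if m ** e == x else None


# Constructed keys (not from the slides): products of well-known primes that are
# all 2 mod 3, so e = 3 is a valid public exponent for each of them.
N1 = 999983 * 1000037
N2 = (10**9 + 7) * 998244353
N3 = 104729 * 65537
MODULI = (N1, N2, N3)
SHORT_M = 1234            # 1234^3 < N1: the modulus never reduces it
BROADCAST_M = 987654321   # too large for a direct root, but below every N_i

if __name__ == "__main__":
    print(small_message_attack(pow(SHORT_M, 3, N1)))                           # 1234
    print(hastad_broadcast([pow(BROADCAST_M, 3, n) for n in MODULI], MODULI))  # 987654321
```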
Attacks on small private exponent
➢ To reduce decryption time, we may wish to have small private exponents
➢ Wiener showed that if $3 \cdot d < N^{1/4}$ then $d$ can be efficiently recovered
➢ Boneh and Durfee improved this bound to $d < N^{0.292}$
➢ The best bound is believed to be $d < N^{0.5}$, but no one has proved it yet (it is an open research problem!)
➢ The details of these attacks are tedious and outside the scope of this presentation
Implementation Attacks (Sketch)
➢ In this last section we turn our attention to an entirely different class of attacks: implementation attacks
➢ Rather than attacking the underlying structure of RSA, we attack its implementation
Timing Attacks (Sketch)
➢ P. Kocher in 1996 showed that it is possible to recover RSA private exponents by measuring the timing of the decryption
➢ The main problem is that the "repeated squaring" (square-and-multiply) algorithm used to compute exponentiations performs an extra multiplication for every 1 bit of the exponent, so it is slower when the exponent has more ones in its binary representation
➢ Kocher's exploitation technique is based on correlation between a locally generated sample set and the observed timings
➢ The standard countermeasures are constant-time exponentiation and blinding the input before the private-key operation
Fault Injections (Sketch)
➢ Recall that exponentiation is usually done in two parts via the Chinese Remainder Theorem (one modulo $p$, one modulo $q$)
➢ Boneh et al. in 1997 showed that if a glitch on the decrypting computer miscalculates exactly one of the two parts, then the modulus can be factored efficiently from the faulty output
➢ For this reason, implementations verify the result (e.g. re-check a signature with the public key) before releasing it