Number Theory and

RSA attacks
A brief overview of attack on RSA
Modular Arithmetic
• Modular arithmetic or Clock arithmetic is a circular system that
increases until a specific point called modulus then rest to zero again.
• Definition
• Let be a set of all non-negative integers that are smaller than :

where is a positive integer.

• In order to find the value of integer (mod ) we can use the following
equation:
where:
• is integer and is the remainder
Modular Arithmetic
• Examples:

• Congruence modulo:
To explain it in a simple way lets see
the representation for all integers
, all integers in slice
gives a remainder ,
we can say that those integers are
in the same equivalence class,
which can be represented as
.
Congruence modulo and
Equivalence relations
• If we looked at the previous chart, we could notice that the difference
between any two integers in the same slice can be represented as
multiple of 5.
• We can write the congruence mod as any of the following:

• for integer
Congruence modulo and
Equivalence relations
• The figure have the following
properties:
• Every pair in the same slice
are related
• We can never find the same
integer in 2 slides
• If we collected all the slices,
we will get all the numbers.
• Which means that the congruence
modulo is equivalence relation.
Congruence modulo and
Equivalence relations
• Why do we even care whether it’s an equivalence relation or not?
It’s simple, so we can apply the equivalence relation properties:
• (reflexive)
• (symmetric)
• then (transitive)
Operations on Modular Arithmetic
• Addition:
• Subtraction:
• Multiplication:
• Exponentiation:
Modular Inverses
• In basic arithmetic we know that the inverse of a number since
• But in Modular arithmetic we don’t have a division operation, so the
inverse would be :

• which is means
• is coprime to
Modular Inverses
• Calculating mod inverse:
the native method is brute forcing all the number from 0 to until we
find a number that makes

• This method is sow slow and we need a faster method.

The Euclidean Algorithm
• The Euclidean Algorithm is a quick method to calculate the GCD of
two integers.
• Let’s use Example to describe it:
• GCD(270, 192):
• 270 = 1 * 192 + 78
• 192 = 2 * 78 + 36
• 78 = 2 * 36 + 6
• 36 = 6 * 6 + 0
• We got 0 so our GCD is the last value before 0 which is 6.
Caesar cipher
• Caesar cipher is the first substitution cipher ever, substitution ciphers
are mainly about mapping the characters into other characters and
use this map to (encode/decode)
• In Caesar cipher we was shifting any number
by three for encode for EX: ABC -> DEF
• We can change just pick any key instead
of three and do the same operation,
as we mentioned in the Modular arithmetic,
we will always do the full turn then back again
to the character A
Caesar cipher
• Let’s call then encryption function enc(m) and the decryption dec(m)
• Enc(m) = for c in m: (c + k) mod 26
• Dec(m) = for c in m: (c - k) mod 26
• Where:
• k is our key
• c is each character in the string
• 26 is number of characters in English alphabet
• As you can see it’s so related to figure we showed earlier in the
modular arithmetic.
Public key cryptography
• After we learned a basic mathematics, we will start to introduce one
of the most used application to secure our communications, which is
the Public Key Cryptography.
• As we shown in Caesar cipher, the same key was used for encryption
and decryption, which can be unsecure and if the sides of
communication are far away which will force them to share it through
a channel, which may lead to leak it and expose the communication.
• So, in public key crypto both sides of the conversation will have 2
keys, public key and private key, the public key can be shared and the
private key remains as a secret.
Diffie-hellman key exchange
• Diffie-Hellman key exchange is a method for securely exchanging the
keys of encryption without being exposed to the public channel, it’s
named after Whitfield Diffie and Martin Hellman and published in
1976.
• The method is simple, let’s explain it by example:
Assume that alice wants to send massage to bob,
and we have eve watching the public channel
between them.
Diffie-hellman key exchange
• Now alice wants to share its key without,
letting eve know it, so first both alice and,
bob will choose a public generator and
prime modulus .
• Now each of them will choose a private
key and apply the following: .
• At this point we will have 2 public keys for each alice and bob and
they will send it to each other (until now eve got it also), now alice
and bob create a shared secret key and eve will not get it by:
,
Diffie-hellman key exchange
• Let’s expand those expressions in order to make it simple:
• Alice:
• Bob:
• Alice public key: , Bob public key:
• Now Alice and Bob will exchange the public keys
• Alice shared key: , Bob shared key: which will always be the same since it’s
the same calculations, why??
That’s easy the what alice did was and bob
• Now eve only have: and she cannot get the shared key.
RSA
• The previous way needed alice to generate a shared key for everyone
she is contacting with, which can bee too hard and difficult, for this
James Ellis, a British mathematician introduced and idea to create
only 1 public key and send it to everyone then anyone wants to
contact Alice will just use this key.
• After that, a British mathematician and cryptographer, Clifford Cocks,
introduced a mathematical way to apply this concept.
RSA
• Bob will send a message using alice public key and a public exponent
as follows:
• where is the encrypted message
• Now alice needs to have a private key to decrypt the message such
that:
• Now eve only have let’s see if eve wants to get what she needs to
do.
Euler’s totient
• Euler’s phi function is a simple function to calculate the count of co-
primes less than a number .
• If we noticed the co-primes of a prime number ,
they will be all the numbers below it since it’s
already a prime, means
Euler’s Formula
• Euler’s Formula states that:
• Rising to the power then multiplying by would give us
• Now back to the decryption formula:
• now we can see that , is co-prime to
• In order to choose our we need to know 2 important theorems.
Chinese Remainder Theorem
• Chinese Remainder Theorem states that if we have some numbers:
and they are all relatively prime to each other, then for ,
, , ,….., have exactly one solution .
Example

• Ok as we can see we have the same in 3 different congruences and

we need to solve for , using the Chinese remainder theorem we can
create a table consist of Four columns: and their product.
• Where is our remainder, is for and

3 56 1 168
1 40 3 120
6 35 3 630
• Now our final is the sum of the last column
Fermat’s Little Theorem
• Fermat’s Little Theorem states that if is a prime number and doesn’t
divide then .
Choosing and
• There is some constrains on to which are:

• have to be co-prime with

• The private key have to satisfy that which means .
Wrap everything up
• Let’s give a simple example to show everything we mentioned

• Encryption:

• Decryption:
Attacks on RSA
• Now let’s start to interduce how can attacker know our secrets, note
that we are not showing that the RSA is breakable, we will show that
bad choosing of numbers can lead to recover the private key.
• Factorizing :
• Choosing needs to be very careful, there is a lot of services online that works
on factorize a huge collection of numbers like factordb, as shown in the
previous example we could find just by getting the prime factorization of

• Let’s discuss some of the Factorization methods for .

Prime Factorization
• Fermat’s Factorization:
• named after Pierre de fermat, which represent the odd integers as difference
of two squares,
• Since we can already factor the difference of two squares:
• And we know that our where are primes, we can write it as
• Assuming that is odd so are also odd.
• Now the steps are simple, first we can rewrite as
• Then we need to find the smallest s.t
• Then we start to look at the following numbers Until we get a perfect square.
• Note that this will terminate always since
Fermat Factorization Example
• Here is a small example to apply our steps, let
• First find since is the smallest k s.t
• Then we start to find the perfect square from the sequence we mentioned:
(not perfect square)
(not perfect square)
….
…
(perfect square!)
• Now we can write as
• Which is our prime factorization for .
Pollard’s p-1 Factorization
• Another method of factorization that uses Fermat's little theorem that
we introduced.
• The method is simple, since we know from Fermat’s Little theorem
that where ,suppose that we have a number s.t it’s a factor for
another number where .
• Then , since in rsa our , then .
• So will include the factor or will equal it.
Pollard’s p-1 Factorization
• So, let’s wrap our steps:
• Choose integer s.t
• Calculate to find the nontrivial factor, note that we replaced the with Since
it’s increase so fast and will give us a good chance to check if is prime.
• Now we will take the if it's nontrivial.
• Example:
•
…

• So,
RSA Security
• We still have many other factorizations methods like Quadratic sieve,
ECM but does that mean that the RSA is not secure?
• The answer is until now no, the strength point in RSA that it’s depends
on ignorance than knowledge, we don’t have an efficient way to
calculate how hard is to factor a huge number, we just know it’s hard,
and a small mitigation for the previous factorization methods is
adding more digits to our which will make it harder to factorize.
• But there are some attacks on RSA based on bad key generation for
our variables or even our encryption methodology.
Bad Key generation Attacks
• Some of the attacks can be applied on RSA are:
• Common Modulus
• Blinding
• Small Private Exponent: wiener
• Small Public Exponent: Coppersmith, Hastad
• Time Attack
• We will try to explain some of them by examples in order to make it
clearer.
Example1
• Question from PICOCTF 2018:
• N:
374159235470172130988938196520880526947952521620932362050308663243595788308583
992120881359365258949723819911758198013202644666489247987314025169670926273213
367237020188587742716017314320191350666762541039238241984934473188656610615918
474673963331992408750047451253205158436452814354564283003696666945950908549197
175404580533132142111356931324330631843602412540295482841975783884766801266552
337129105407869020730226041538750535628619717708838029286366761470986056335230
171148734027536820544543251801093230809186222940806718221638845816521738601843
083746103374974120575519418797642878012234163709518203946599836959811
• e: 3, c:
220531641393113403104644076762054198480109121635122278918058256455732876245542
272136802953136007672997221141223607292157731726471542495082309138220343548946
052209468914959595101034266236834798786287833885103889208279938902390041535116
4773
Example1
• As you can see the is huge number, factorizing it won’t be an easy
thing at all, but we notice that is so small, small such that , so
• So, to get we can just take the cubic root for , computer can do this
easily.
• So,
• Decoding the long to string using the ASCII table will result this
message:
• picoCTF{e_w4y_t00_sm411_81b6559f} , which is our solution.
Example2
• PICO CTF 2018:
• We are given the following inputs:
• c:
17786730185110751403506982528916395579064070902505390572218063407687767057631138153732717135982067349433
04136885307657644746166557801527614555955063613958550715606102502660768573300084767410478866161295739179
626743292839204862654148472896949835346074323716667404949929701903737872090588147698250826373180618

• n:
77531969503748326589677418948315140870584015245386763633241518845356850979564402923266696704186567270006
36120886208625452757601041213523027955368494063595665664972813489387456761994867530405248272043036774861
2708917105846534082863042823913166120865362252479206576942147071396319459112580853771742537940112457

• e:
56172436577459725698934391359139104915041430213184221292301658571726414059411889155782982024019814564512
29142193248973156351929637287341508054637942461930885915236021420974016913515976123489492314497137297403
8021945201954600238994209605035703317119192844975463915465725406543097929017637859019950590916533609

• As you can see everything is huge, and after tries to factorize it didn’t work, in this case we can consider checking another attack
called wiener attack
Wiener’s Attack
• Michael J. Wiener was able to state a theorem based on continuous
fractions that says if then we can recover without factoring .
• Explaining:
• we already mentioned before that , and since , and since are so large we can
take a good approximation that .
• Now substituting this into our first equation:
Wiener’s Attack
• So, let’s set our steps:
• We need to find a set of convergent that approximate (using continued
fractions and we will demonstrate it), under some conditions:
• Since and is product of 2 primes so it will be even number, will be odd, so we can skip
the convergent if our is not odd.
• Since must be a whole number, also must be a whole number, and if it’s not so we will
move to the next convergent.
• Now let be a quadratic equation then:
• If we got the right value for then the roots of the equation will be our factors
for .
Wiener’s Attack
• Short Example:
• Solution:

• now using the Euclidean algorithm to find the convergent in the continued
fraction
• (ignore)
• (ignore)
• (d is even, ignore)
• (passed first check)
Wiener’s Attack
• Now since
• We can set our quadratic equation as:
• Solving it will give us which are whole numbers, so we got the right
value of which is 3.
Example2
• Now applying this to the example will be hard to do manually so with
a use of simple script and run it on a computer we get the following
message: picoCTF{w@tch_y0ur_Xp0n3nt$_c@r3fu11y_5495627}
Example3
• Qiwi CTF 2016:
• We are given the following data:
• e=3

• n1 =
951183579890375398832721687460046528729588905624458143018898666630723524217032649859978006600753116455557997454268683433653215027347360062480079
024096285405786359255597422174807974871302027470202114526207430210975651130593925044727852271548241172310778444446723932218381929413903093124840
66647007469668558141
• n2 =
983641659192512462438466673235423180228042348336779241611757332536895813936073466678952982537181842735322689820609056293996281549819187120702414
514944911614708277371461763160118437389434271216023242087736531807827329994228694395881983184224516979206405638807773855770649139832020337442817
27004289781821019463
• n3 =
688279409393531896130903922268981550217427728978224384835450219442158121468093186865103757240648887052963738533989550930766633230013800478578097
748663900834342727813624471474414222079675773237698128960388165867572421302245248289350431873155795234124393091388163355698454700217208474058573
61000537204746060031

• c1 =
648304467081690127664145873275688124211304348175260891461901367964612985920712389303847075433183902924511189803028055121517902489896222693629587
182282984272126302725251864786272999998474890184006244006718766977089524476389908023455873819054072369354942714369607648990064309415076081523225
88169896193268212007
• c2 =
969074907173443465884324916037223126942086603342829642344876876545939847141448256561981807778723272792506679614651697992674057344316751110353620
897292499950273268630992625224212064594004052303776311411328829973368292188101717289250875356749074555845579568018314471254867535158680793421488
15961792481779375529
• c3 =
436838749130117465300561031454452502813077326340454374865246051046397854690504991716405214770364707509033415233365996022881766111606375225688683
912376892414463926993219107232350611808269454646497803733010281390492888815782348407395450003382029176780082697941791007323412694483629209247193
38148857398181962112
Example3
• As you can see yes, our public exponent is small, but taking the 3rd
root for won’t give us the solution, this means that
• Now there is an attack in this case we can apply called Hastad’s attack.
• Let’s discuss it in the next slide
Hastad’s Attack
• Simply when we send the same message to different receivers, an
attacker can retrieve the private key using Chinese remainder
theorem that we discussed before.

• ……

• The Chinese Remainder Theorem allows us to solve those

congruences and since , then *.. so we can solve them and get our .
Hastad’s Attack
• Example:
• Solution: we need to write them as congruences:

• Using Chinese remainder algorithm:

Hastad’s Attack
• Now

• Applying the same steps on Example3 will result the message:

theoretical_computer_scientist_johan_torkel_hastad
Example4 (CodeBlue CTF 2017)
• Given:
•
79131130908737458893427435491634914123315077876208631537434385012680878228429492122811091632217889855169166913310199790712758712152028816657446860521451630412292776
38434346532156813608725232532907662970445108706177451229977398149472868923768887763195525161411363636733158159995970350687067443620484808520749890631523338807543751
96551355543036200494314973628012006925154168913855587162465714207917714655810265293814697401062934881400969828166519415465439814160673468968009887672546243771190906
30054437596200257433401817500749823163224002180559363505718784235384046197344920583941919582699216917710830700440436574546270679796943671821215088817129962080005118
37556816312500409362881495923438906169201534006911029339667240257657664183384525952188615820080261860679465082212649387365620821928907279808444449780811105997149930
30990031363457184296168457089953510500474033234298252385232725393194957086065274263743550741242453140557383981358497807318476777558208795816650619401057283873302725
81679529893081730774597326633544793809125205587281623296863516942987515393355373311635692018539653099056043451094909215453971112405249014274256752783375162492499390
6099869301505096094512729115132147653907827742334805918235749308541981388529841813147
• 813647
•
79131130908737458893427435491634914123315077876208631537434385012680878228429492122811091632217889855169166913310199790712758712152028816657446860521451630412292776
38434346532156813608725232532907662970445108706177451229977398149472868923768887763195525161411363636733158159995970350687067443620484808520749890631523338807543751
96551355543036200494314973628012006925154168913855587162465714207917714655810265293814697401062934881400969828166519415465439814160673468968009887672546243771190906
30054437596200257433401817500749823163224002180559363505718784235384046197344920583941919582699216917710830700440436574546270679796943671821215088817129962080005118
37556816312500409362881495923438906169201534006911029339667240257657664183384525952188615820080261860679465082212649387365620821928907279808444449780811105997149930
30990031363457184296168457089953510500474033234298252385232725393194957086065274263743550741242453140557383981358497807318476777558208795816650619401057283873302725
81679529893081730774597326633544793809125205587281623296863516942987515393355373311635692018539653099056043451094909215453971112405249014274256752783375162492499390
6099869301505096094512729115132147653907827742334805918235749308541981388529841813147
• 846359
•
76720225540349464128572381954327822626360115589882360526549736183070566824003241850149495914144902851710042208127269188336925710738841143961131880898397912209048625
25780410060719995812826630854950585159587455462116687018352501220327154730145983950501847029833686679728037181694818093945657061751414256503702797752338136744429577
60484285820381853600163980060348710028919659329781877491724136976028815641232407109144869660767954119268355348405951052583739555066569345526640029961785158127382321
11183359969107994941504978672366321054273365555486832754283305302459589552319288811867576324235240794864353798586144878856855030848165511684563495251667690525157908
44043083146397171625267984514107670584236196772120692703981320217294480479807663128186560653690230931230584226200852737284815456804232661978479379253422638703099399
13221308330842487685037638837340238355192125668409039255551545407800543798158964963358868702135730305156935767426581823180696819366253148799571923731323928995477390
55941882257525953194102351818280773994972602615702742654562406119547188865315276849527211376975175505332133382934593939163886391892079810779234601522450911893014301
0726156407828938941341788657835191853473698010478888928860138978235297618195944868175
•
39320564286881744264921679335971855627840613745977024476183290619596043291846861773106945670464478980650780982909384262974506675959928672953872836888249138299733761
14174415292203970676422181195259688975512892305586278701549849794441957576774116730964434760213623193250976623928081706324715537173558952194056445185037832355365971
43112954291157798713583737689125917709618182162360535659223966858707155741267214975141963463832314566520144602105237041672437684177707624423211972004800873375670613
14814025609955272440819221755033198731055899143338357147053299585677876479754063767922682557755339693473432555029355038962391990474491399030594969730822204659416030
23626695102429212997552557906401010061522696199655607422431680992193636262175129409956157309161347751347640699121205832821482194051780652223136079574268874956580804
97917440100549199528894874905968298614233827155712422019324710018755792249855902168601927285980197334672067920857960628679370550895555840658121626134216719240409691
39773576268534916227711181572710016975596055368856932670524927066247087919723483658541883584523723172191093834155772624594003187334566657175186775596129497342604562
9909899256967038811807893676700888551318830676356324765330202998096318754445585853694
Example4
• As u can see we cannot use any of the previous attacks since is not
small enough and we couldn’t factorize but we noticed that they are
the same, also it’s given that the message is the same.

• In this case we can use an attack called Common modulus Attack

Common Modulus Attack
• Let’s translate our input as math:

• Now we know that RSA system is homomorphic to multiplication, so

we can get a new cipher text which is the product of the other cipher
texts raised to powers :
• Now we can use Bézout's identity which states:
• For
Common Modulus Attack
• Now using Extended Euclidean algorithm to find the multiplicative
inverse , we can recover our , let’s see example with small numbers.
• Let:
• Solution: q
• In EEA: 2 17 7 3 0 1 -2
2 7 3 1 1 -2 5
3 3 1 0 -2 5 -17
1 0 5 -17

• So
• And from this
Common Modulus Attack
• To validate our result, we know from Bézout's identity that: which is
true
• Now to get our new
• Now we need to e EEA again for for short using computers it will give
us 16
• So
• And since so our
Example4
• Applying the same steps on the example we will get message:
CBCTF{6ac2afd2fc108894db8ab21d1e30d3f3}
Last Words
• Number theory is very interesting and fun, applying it to cryptography will
give you more fun, there is still a lot of topics we can discuss and other
attacks like: LLL and time attacks, also there is a lot of interesting topics in
cryptography like fast powering, elliptic curves, lattices, successive
powers, quadratic residue and much more, I really want to stay with you
and talk more but we can do it in another time, so always keep learning
and excited and never give up to math, it might seems hard and most of
simple thing seems weird to you but when you get it you will be so proud.
• In the next slide I will share a great resources that I use to practice and
learn.
Don’t learn to hack… hack to learn.
Resources
• Cryptohack one of the best websites that teaches you by challenges
• Math 3107 by prof. Jeff Suzuki Boston University
• MIT 6.875 MIT Cryptography Spring 2018
• An Introduction to Mathematical Cryptography by J.H. Silverman, Jill
Pipher, Jeffrey Hoffstein
References
• https://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf
• https://cryptohack.org/challenges/maths/
• https://www.youtube.com/playlist?list=PLKXdxQAT3tCssgaWOy5vKXA
R4WTPpRVYK
• https://link.springer.com/book/10.1007/978-0-387-77993-5
• https://www.amazon.com/Friendly-Introduction-Number-Theory-4th/
dp/0321816196/ref=sr_1_2?ie=UTF8&qid=1326998078&sr=8-2
• https://www.khanacademy.org/computing/computer-science/cryptog
raphy/