--- tags: vaje, kirv, rsa, attacks hackmd: https://hackmd.io/0_WDCb5fRVOvbs0XETLfOA plugins: mathjax --- # Cryptography and computer security - Tutorial 17.11.2020 --- ## Attacks on RSA ### Exercise 1 Show that, given <i>$\phi(n)$</i>, one can factorize <i>$n$</i>. Factorize <i>$n = 187$</i> if you know <i>$\phi(n) = 160$</i>. ---- $$ \begin{aligned} n &= pq \\ \phi(n) &= (p-1)(q-1) = pq - p - q + 1 \\ q &= {n \over p} \\ \phi(n) &= n - p - {n \over p} + 1 \\ p \phi(n) &= np - p^2 - n + p \\ 0 &= p^2 - (n - \phi(n) + 1) p + n \\ p, q &= {n - \phi(n) + 1 \pm \sqrt{(n - \phi(n) + 1)^2 - 4n} \over 2} \\[1ex] p, q &= {187 - 160 + 1 \pm \sqrt{(187 - 160 + 1)^2 - 4 \cdot 187} \over 2} \\ &= {28 \pm \sqrt{784 - 748} \over 2} = 14 \pm 3 = 11, 17 \end{aligned} $$ --- ### Exercise 2 - Coppersmith's attack on a small exponent Suppose Alice sends the same message <i>$m$</i> in encrypted form to three people. Each time, she used the same public exponent <i>$e = 3$</i>, but different moduli <i>$n_i$</i> (<i>$i = 1, 2, 3$</i>). Show how an attacker can retrieve the message <i>$m$</i> only from the public data (i.e., the moduli <i>$n_i$</i>, the public exponent <i>$e$</i>, and the encryptions <i>$c_i = m^e \bmod{n_i}$</i> for <i>$i = 1, 2, 3$</i>). Find the message <i>$m$</i> if <i>$e = 3$</i>, <i>$n_1 = 55$</i>, <i>$n_2 = 391$</i>, <i>$n_3 = 1189$</i> and <i>$c_1 = 6$</i>, <i>$c_2 = 105$</i>, <i>$c_3 = 1148$</i>. ---- $$ \begin{aligned} c_1 &\equiv m^3 \pmod{n_1} \\ c_2 &\equiv m^3 \pmod{n_2} \\ c_3 &\equiv m^3 \pmod{n_3} \\ \end{aligned} $$ * We find <i>$x := m^3 \bmod{n_1 n_2 n_3}$</i> by CRT (assuming <i>$n_1, n_2, n_3$</i> are coprime). - If they are not coprime, we can factorize them and find the private keys. $$ \begin{aligned} 0 \le m &< n_1 \\ 0 \le m &< n_2 \\ 0 \le m &< n_3 \\ 0 \le m^3 &< n_1 n_2 n_3 \end{aligned} $$ * Therefore, <i>$x = m^3$</i>. * <i>$m = \sqrt[3]{x}$</i> * [Example](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/Coppersmith.ipynb) --- ### Exercise 3 - common modulus attack Show how the plaintext can be recovered when the same message <i>$m$</i> is encrypted with two relatively prime public exponents <i>$e_1$</i> and <i>$e_2$</i> and the same modulus <i>$n$</i>. Find the message <i>$m$</i> if <i>$n = 55$</i>, <i>$e_1 = 3$</i>, <i>$e_2 = 7$</i> and <i>$c_1 = 8$</i>, <i>$c_2 = 18$</i>. ---- $$ \begin{aligned} c_1 &\equiv m^{e_1} \pmod{n} \\ c_2 &\equiv m^{e_2} \pmod{n} \\ e_1 &\bot e_2 \\ c_1^a c_2^b &\equiv m^{a e_1 + b e_2} \pmod{n} \end{aligned} $$ * We use the Extended Euclidean algorithm to compute <i>$a, b$</i> such that <i>$a e_1 + b e_2 = 1$</i>. * We can then compute <i>$m = c_1^a c_2^b \bmod{n}$</i>. * [Example](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/CommonModulus.ipynb) --- ### Exercise 4 Suppose that the RSA public key <i>$(n, e) = (2491, 1595)$</i> has been used to encrypt each individual character in a message <i>$m$</i> (using their ASCII codes), giving the following ciphertext: $$ c = (111, 2474, 1302, 1302, 1587, 395, 224, 313, 1587, 1047, 1302, 1341, 980) . $$ Determine the original message $m$ without factoring <i>$n$</i>. ---- * [Solution](https://nbviewer.jupyter.org/github/jaanos/kirv/blob/master/notebooks/RSA-ECB.ipynb)