The modulus n and its totient value φ(n) are known

$$\varphi(n) = pq - (p + q) + 1 = n - (p + q) + 1$$

i.e. $q = (n - \varphi(n) + 1) - p$. Substituting this into the equation of n we find

$$n = p\,\bigl((n - \varphi(n) + 1) - p\bigr)$$

and thus

$$p^2 - p\,(n - \varphi(n) + 1) + n = 0.$$

Solving the equation for p we find

$$p = \frac{n - \varphi(n) + 1 \pm \sqrt{(n - \varphi(n) + 1)^2 - 4n}}{2}$$

and then compute q.
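
The derivation above carried out with integer arithmetic, as an added example that is not part of the original slides. The function name and the demo values (two Mersenne primes) are constructed for illustration.

```python
from math import isqrt

def factor_from_totient(n, phi):
    """Solve p^2 - p(n - phi + 1) + n = 0 over the integers.

    Returns (p, q) with p <= q, or None when phi is not the totient
    of a two-prime modulus n. This is why phi(n) must be guarded as
    carefully as p and q themselves.
    """
    s = n - phi + 1              # s = p + q
    disc = s * s - 4 * n         # discriminant, equals (p - q)^2
    if s <= 0 or disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None              # no integer roots: phi does not match n
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p * q == n else None

# Constructed demo values: two known Mersenne primes.
P_DEMO = 2**61 - 1
Q_DEMO = 2**31 - 1
N_DEMO = P_DEMO * Q_DEMO
PHI_DEMO = (P_DEMO - 1) * (Q_DEMO - 1)

if __name__ == "__main__":
    print(factor_from_totient(N_DEMO, PHI_DEMO))
```
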
Common modulus attack

Suppose that the same message $M < n$ is sent to two different parties who share the modulus n, whose encryption exponents respectively are $e_1$ and $e_2$, and suppose that $\gcd(e_1, e_2) = 1$. The encrypted messages are:

$$E = M^{e_1} \bmod n \quad \text{and} \quad F = M^{e_2} \bmod n$$

Theorem. Let a and b be integers, not both zero. Then a and b are relatively prime if and only if there are integers x and y such that $ax + by = 1$.

We use the extended Euclidean algorithm to compute the integers x and y with $e_1 x + e_2 y = 1$. Then

$$E^x F^y \equiv M^{e_1 x + e_2 y} \equiv M \pmod{n}$$
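
The recovery above on constructed values, as an added example that is not part of the original slides. The function names, the toy modulus and the exponents 65537 and 257 are assumptions chosen for illustration; Python's modular inverse stands in for a hand-written extended Euclidean algorithm.

```python
from math import gcd

def bezout(e1, e2):
    """Return (x, y) with e1*x + e2*y == 1, assuming gcd(e1, e2) == 1."""
    x = pow(e1, -1, e2)          # e1*x = 1 (mod e2), Python 3.8+
    y = (1 - e1 * x) // e2       # exact division; y is zero or negative
    return x, y

def recover_common_modulus(E, F, e1, e2, n):
    """Recover M from E = M^e1 mod n and F = M^e2 mod n."""
    if gcd(e1, e2) != 1:
        raise ValueError("exponents must be relatively prime")
    x, y = bezout(e1, e2)
    # A negative exponent makes pow() invert F modulo n first. If F is
    # not invertible, gcd(F, n) is a proper factor of n and pow() raises.
    return (pow(E, x, n) * pow(F, y, n)) % n

# Constructed demo values: one modulus issued to two parties.
N_DEMO = (2**61 - 1) * (2**31 - 1)
E1_DEMO, E2_DEMO = 65537, 257
M_DEMO = int.from_bytes(b"demo msg", "big")      # M < n

if __name__ == "__main__":
    E = pow(M_DEMO, E1_DEMO, N_DEMO)
    F = pow(M_DEMO, E2_DEMO, N_DEMO)
    m = recover_common_modulus(E, F, E1_DEMO, E2_DEMO, N_DEMO)
    print(m.to_bytes(8, "big"))
```
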
Common encryption exponent

Assume that a common value for the encryption exponent e is shared by k different users, and let $n_1, n_2, \ldots, n_k$ be their RSA encryption moduli. Assume that for $i \neq j$ we have $\gcd(n_i, n_j) = 1$ (otherwise the factors of $n_i$ and $n_j$ can be discovered). Consider a message M not known to the eavesdropper. Suppose that:

M is encrypted for all these k owners.
$M < n_i$ for each i.
$e < k$.

Now the k encrypted versions are:

$$E_i = M^e \bmod n_i, \quad i = 1, \ldots, k.$$
Chinese Remainder Theorem

Let $n_1, n_2, \ldots, n_k$ be natural numbers such that for distinct indices i, j one has $\gcd(n_i, n_j) = 1$. Then the system of linear congruences

$$\begin{aligned}
x &\equiv b_1 \pmod{n_1} \\
x &\equiv b_2 \pmod{n_2} \\
x &\equiv b_3 \pmod{n_3} \\
&\;\;\vdots \\
x &\equiv b_k \pmod{n_k}
\end{aligned}$$

has a solution which is unique modulo $N = n_1 n_2 \cdots n_k$. The solution is

$$x = b_1 N_1 x_1 + b_2 N_2 x_2 + \cdots + b_k N_k x_k \bmod N$$

where $N_i = N / n_i$ and $x_i = \frac{1}{N_i} \bmod n_i$.
By the CRT theorem we know that there is a unique $x < n_1 n_2 \cdots n_k$ that is a solution to

$$E_i \equiv x \pmod{n_i} \quad \text{for all } 1 \le i \le k.$$

But we know that

$$M^e < n_1 n_2 \cdots n_e < n_1 n_2 \cdots n_k,$$

and $M^e$ also satisfies these congruences, so $x = M^e$. The plaintext M can be discovered by taking the ordinary e-th root of the solution x.
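
The CRT combination and integer e-th root described above, as an added example that is not part of the original slides. The function names are assumptions, and the four toy moduli are constructed from Mersenne primes only to be pairwise coprime; the recovery touches public values (e, the n_i and the E_i) only.

```python
from math import gcd, prod

def iroot(x, e):
    """Largest integer r with r**e <= x (exact for big integers)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def crt(residues, moduli):
    """x = sum(b_i * N_i * x_i) mod N, with x_i the inverse of N_i mod n_i."""
    N = prod(moduli)
    x = 0
    for b, n in zip(residues, moduli):
        Ni = N // n
        x += b * Ni * pow(Ni, -1, n)
    return x % N

def recover_broadcast(ciphertexts, moduli, e):
    """Return M when every E_i is M^e mod n_i and M^e < N, else None."""
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) != 1:
                raise ValueError("moduli share a factor")
    x = crt(ciphertexts, moduli)
    m = iroot(x, e)
    # x is not a perfect e-th power when the recipients did not all
    # receive the identical M, or when M^e exceeds the product N.
    return m if m ** e == x else None

# Constructed demo values: e = 3 shared by k = 4 recipients (e < k).
E_DEMO = 3
MODULI_DEMO = [
    (2**31 - 1) * (2**127 - 1),
    (2**61 - 1) * (2**107 - 1),
    (2**19 - 1) * (2**89 - 1),
    (2**17 - 1) * (2**521 - 1),
]
M_DEMO = int.from_bytes(b"demo msg", "big")      # M < n_i for each i
```
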