RSA BROKEN

Name
Email
Subject
Comment *
File	Select/drop/paste files here
* = required field	[▶ Show post options & limits] Confused? See the FAQ.

Flag
Oekaki	Show oekaki applet (replaces files and can be used instead)
Options	Do not bump (you can also write sage in the email field) Spoiler images (this replaces the thumbnails of your images with question marks)
Password	(For file and post deletion.)
Allowed file types:jpg, jpeg, gif, png, webm, mp4, pdf Max filesize is 16 MB. Max image dimensions are 15000 x 15000. You may upload 3 per post.

▶RSA BROKEN Anonymous 10/18/17 (Wed) 16:04:09 No.807240>>807280 >>807282 [Watch Thread][Show All Posts]

Hey there, today I want to inform you about a decryption technique I developed for Textbook-RSA. I know that Textbook-RSA is outdated and no longer in use, but I found a way nobody else found yet. It's very efficent and easy to apply. I proved my theory in a java program, which I've coded. This is free to download, so you can try it out. The program works like this: You enter the RSA Modulus (N) and public exponent (e), also the cipher text you want to decrypt without the private key. Then the program encrypts an amount of numbers (for example from 0 to 100000) with the given public key. The program builds up a "dictionary" (the clear number and the cipher number). For example: The tool encrypts the number 1. The cipher number would be 38. Then the tool adds 38 and the translation "1" to the dictionary. After building up the dictionary the program translates the cipher text. For exapmle: It finds a cipher number listed in the dictionary, then the found cipher number will be replaced with the translation (the clear number). After replacing all matches, the tool prints the clear message. Maybe you now say: "HEY! This is a known attack method: The chosen-plaintext attack!". But that's not the same. The attacker would generate an amount of cipher texts until the original cipher text and the self-generated cipher texts are equal. Then the attacker knows the plaintexts. But my method doesn't waste time with bruteforcing. But I don't want to repeat me. I also made a video showcase for you.

(For the lazy guys I will also link an unlisted pastebin with the source code.) First, sorry, that I used an ad showing link shortener. I'am still a student and I want to earn a little bit of money.

Download the tool: http://ceesty.com/wq0sSe

Source code (RSAGuess.java): http://ceesty.com/wq0vcP

Source code (Dictionary.java): http://ceesty.com/wq0bvz

Video: https://www.youtube.com/watch?v=Jo68WZk7yxA&feature=youtu.be

▶Anonymous 10/18/17 (Wed) 16:23:47 No.807246

This is just a brute force attack, actually. "Brute force" is the name a category of attacks, not of one particular attack on RSA. We discussed approximately this particular attack in my crypto class yesterday.

It doesn't count as breaking RSA because it doesn't run in polynomial time.

It's good that you discovered it, though. It means that you're gaining an understanding of RSA and public-key cryptography in general.

Random padding is the usual protection against this kind of attack.

Link shorteners are scummy.

Tool: https://www.dropbox.com/s/mq4phlafxqa8ubw/RSAGuess.jar?dl=0

RSAGuess.java: https://pastebin.com/mK4Tx0xR

Dictionary.java: https://pastebin.com/Jf8tL3nG

▶Anonymous 10/18/17 (Wed) 17:03:28 No.807261

>java

>all this text

CS undergrad?

▶Anonymous 10/18/17 (Wed) 17:28:57 No.807269

Okay, so I rewrote your code in Python while trying to make sense of it. I think this is equivalent to your Java code, with the same code structure and the same invocation.

import sys

if len(sys.argv) != 7:
    print("Usage: {} N e s l c d".format(sys.argv[0]))
    sys.exit(1)

N, e, s, l = [int(x) for x in sys.argv[1:5]]
d = sys.argv[6]
c = [int(x) for x in sys.argv[5].split(d)]

entries = dict()

for m in range(s, l + 1):
    entries[pow(m, e, N)] = m

print(d.join(str(entries[x]) for x in c))

(I highly recommend learning something besides Java. Python is good for this area. After parsing the arguments, the decryption takes just four lines, and you could do it in two. Python makes simple things simple.)

It correctly does this:

$ python3 RSAGuess.py 1005973 89 1 1006000 530339 -
6420

I didn't run your code, so I don't know if it matches that.

A much more memory-efficient brute force attack is to factor N, and then use the prime factors of N to calculate the inverse of e (i.e. the private key). That way you don't have to store the full table of encryptions in memory.

▶Anonymous 10/18/17 (Wed) 18:28:09 No.807280

>>807240 (OP)

>money whoring links

and there goes any reason for me to even read what you have to say.

▶???????????????????????? Anonymous 10/18/17 (Wed) 18:29:20 No.807282

>>807240 (OP)

>The attacker would generate an amount of cipher texts until the original cipher text and the self-generated cipher texts are equal.

This is exactly what you do. Your "cipher texts" are simply numbers.

This is a well known problem, and in practice you use randomized padding to address it.

https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Padding

▶Anonymous 10/18/17 (Wed) 18:34:27 No.807285

File (hide): 0a4c4d6a1b1fd84⋯.png (88.86 KB, 474x696, 79:116, pajeet_merchant.png) (h) (u)