The Return of Coppersmith’s Attack:

Practical Factorization of Widely Used RSA ModuliMatus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas

Centre for Research on Cryptography and Security, Masaryk University Ca’ Foscari University of Venice

Abstract

We discovered an algorithmic flaw in the construction of pri-mes for RSA key generation in a widely-used library of amajor manufacturer of cryptographic hardware. The primessuffer from a significant loss of entropy. We proposed a prac-tical factorization method that only requires the value of thepublic modulus and does not depend on a weak or a faultyrandom number generator. We devised an extension of Cop-persmith’s factorization attack utilizing an alternative form

of the primes in question. The library is found in NIST FIPS140-2 and CC EAL 5+ certified devices used for a wide rangeof real-world applications, including identity cards, TrustedPlatform Modules, PGP, and tokens for authentication orsoftware signing. The impacted devices are widespread. Weresponsibly disclosed our findings to the manufacturer of theflawed library. Our work was published at ACM CCS 2017 [1]and received the Real-World Impact Award.

Background – surprising biases in RSA public keys

Svenda et al. [2] described how cryptographic libraries gene-rate RSA primes in various ways, introducing subtle biases in

the public keys, sufficient to classify the keys based on theirorigin. Infineon smartcards produced especially biased keys.

Library: Microsoft CryptoAPI

P

Q

2k−1 2k

2k−1

2k

Library: OpenSSL 1.1.0e

P

Q

2k−1 2k

2k−1

2k

Library: WolfSSL 3.10.2

P

Q

2k−1 2k

2k−1

2k

Library: mbedTLS 1.3.19

P

Q

2k−1 2k

2k−1

2kCard: Infineon JTOP 80K

P

Q

2k−1 2k

2k−1

2k

The distribution of the most significant bytes of a pair of RSA primes varies for different cryptographic libraries.

The properties of vulnerable keys

The distribution of the Infineon RSA primes and keys mo-dulo small primes is irregular, unlike randomly chosen primesand keys that are distributed uniformly modulo small primes(left). In fact, the primes belong to a small subgroup modulo

a product M of small consecutive primes, what lead us to thediscovery of the structure of the primes (right). The primesand RSA moduli suffer from a significant loss of entropy andcan be uniquely fingerprinted using a fast discrete logarithm.

5 10 15Remainder

0.06

0.07

0.08

0.09

0.10

Prob

abilit

y

Random primesModulo

11131719

5 10 15Remainder

0.0

0.1

0.2

0.3

0.4

0.5

Prob

abilit

y

InfineonModulo

11131719

The distribution of RSA keys modulo small primes

N = p ∗ q

pideal = random prime

pInfineon = (k ∗M + 65537a mod M); a, k ∈ ZM = 2 ∗ 3 ∗ 5 ∗ 7 ∗ · · · ∗ Pn

Entropy in a prime

Random: random bits

Infineon: a k determined by the structure

Factorization attack complexity

The complexity of the factorization depends on the size ofthe keys (horizontal axis). However, due to the different para-meters used in their generation (different values of M at thetop of the figure), the time required to break a key (vertical

axis, blue dots) does not strictly increase. Therefore, somekey lengths are more affected, including the common sizes of1024 bits and 2048 bits. The attack can be easily parallelizedwith independent processors to achieve a linear speedup.

512 1024 1536 2048 2560 3072 3584 4096Key size [bits]

103

1012

1021

1030

1039

1048

1057

1066

1075

Wor

st c

ase

fact

oriza

tion

time

[yea

rs]

M1219 b

M2475 b

M3971 b

M41962 b

3936Worst case factorization time 512-bit: 2 CPU hours1024-bit: 2 CPU months2048-bit: 100 CPU years3072-bit & 3584-bit: allowed by BSI for QES3936-bit: attack not applicable4096-bit: 109 CPU yearsNo practical attack

Impact on real-world applications of cryptographic chips

Electronic identity documents (eID) were significantly impac-ted with Spain, Slovakia, Estonia, Austria, Bulgaria, Brazil,Italy, Kosovo, Malaysia, Poland, and Taiwan affected. Trus-

ted Platform Modules (TPM) used for platform integrity anddata encryption (e.g., by Microsoft BitLocker) were vulne-rable, as well as authentication tokens and other devices.

TPM

Programmable

Identity documents(eID, eHealth cards)

Trusted PlatformModules

Authenticationtokens

Programmablesmartcards

Message protection(S-MIME, PGP)

Software signing

Coppersmith’s factorization method

Coppersmith’s method uses a partialknowledge of one of the primes tocompute the factorization of an RSAmodulus. At least half of the bits ofthe prime must be known. However,the method performs faster with moreknown bits. We use the method as ablack-box tool.

Coppersmith’s method as a black-box tool roca.crocs.fi.muni.cz

1. Modulus ���������

2. Unknown factors ������������ �����������

3. Partial knowledge of prime p ������� ���� �����������

4. Apply Coppersmith’s attack ��������������������

���������

@CRoCS_MUNI | mnemec@mail.muni.cz The Return of Coppersmith’s Attack November 2, 2017 6 / 12

Making the attack practical

To attempt a factorization of a vulnerable RSA key, we guess the value of aand compute the much larger “known” part of the prime as 65537a mod M .We then try to compute k using Coppersmith’s method, what succeeds onlyif the guess was correct. In the worst case, the attack will require trying halfof all the possible values of a.

Coppersmith’s attack applied on Infineon primes roca.crocs.fi.muni.cz

p = k ∗ M + 65537a mod MGuess a and compute k using Coppersmith’s method

�

� ������������

��������

������� ��������

��������������

a is still too large – find a smaller M � (divisor of M)�����������������������������������������������������

��

� � �������

������ �

�������

�������� ��������

@CRoCS_MUNI | mnemec@mail.muni.cz The Return of Coppersmith’s Attack November 2, 2017 7 / 12

For the majority of RSA key sizes, the bit length of M (and 65537a mod M)is much larger than the required bound for the attack (one half of the prime’sbit length). We find a smaller M ′ (a divisor of M), such that its size is stillsufficient, yet the size of a′ is significantly reduced when compared to a.

Coppersmith’s attack applied on Infineon primes roca.crocs.fi.muni.cz

p = k ∗ M + 65537a mod MGuess a and compute k using Coppersmith’s method

�

� ������������

��������

������� ��������

��������������

a is still too large – find a smaller M � (divisor of M)�����������������������������������������������������

��

� � �������

������ �

�������

�������� ��������

@CRoCS_MUNI | mnemec@mail.muni.cz The Return of Coppersmith’s Attack November 2, 2017 7 / 12

Entropy in primes

The figure shows the number and origin of random bits in relation to the sizeof the prime (vertical axis) for keys of given length (horizontal axis). A largeportion of prime’s bits is determined by the structure (orange) and can becomputed from the knowledge of random bits (green). Coppersmith’s attackfurther reduces the required number of known bits even lower (black dots).

512 1024 1536 2048 2560 3072 3584 4096Key size [bits]

0

512

1024

1536

2048

Prim

e siz

e [b

its]

Bits of the primeDetermined by the structureRandom bits in kRandom bits in aBruteforce search space (a0)

The attack optimization process

Smaller values of M ′ (fewer known bits) require fewer guesses on the valueof a′. However, the evaluation of each guess takes more time. We select theparameters corresponding to the minimal overall time of the factorization.

260280300320340Known bits

227230233236239242

Num

ber o

f atte

mpt

s ●

0.001

0.01

0.1

1

Tim

e/at

tem

pt [s

ec] +

260280300320340Known bits

100

101

102

Tota

l tim

e [y

ears

]

Acknowledgements

This project was supported by the Czech Science Foundation, project GA16-08565S. We greatly appreciate the access to the computing resources of theNational Grid Infrastructure MetaCentrum (CESNET LM2015042).

References

[1] Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas.The Return of Coppersmith’s Attack: Practical Factorization of WidelyUsed RSA Moduli.In Proceeding of the 24th ACM Conference on Computer andCommunications Security (ACM CCS 2017), 2017.

[2] Petr Svenda, Matus Nemec, Peter Sekan, Rudolf Kvasnovsky, DavidFormanek, David Komarek, Vashek Matyas.The Million-Key Question – Investigating the Origins of RSA Public Keys.In Proceeding of the 25th USENIX Security Symposium, 2016.

roca.crocs.fi.muni.cz mnemec@mail.muni.cz