Before starting, let me introduce two terms used in the title:

• Textbook RSA – most basic implementation of RSA, used for educational purposes. It is easy to understand, but highly insecure. One of the vulnerabilities of textbook RSA lies in its deterministic nature. It means that encrypting the same message with public key, always gives the same output. This characteristic can be exploited.
• Padding – Crucial security measure, that makes textbook RSA much more resilient. Involves adding random data to a message before encryption. It removes deterministic nature from textbook RSA, making it significantly more secure.

There are multiple of attacks, that exploits lack of padding in textbook RSA:

• LOW EXPONENT ATTACK
  To make it work, the attack needs 2 things:
  – small e
  – short message
  The formula for maximum message length to make the attack work is `m < n^(1/e)`, where n is key length, and e=exponent. i.e. 512 bit key, and tiny e=3, maximum message is 21 ASCII characters. There are two countermeasures: using reasonably high exponent, and minimum message length. Arbitral padding will prevent too short messages
• SHORT MESSAGE ATTACK
  Requirements for successful attack:
  – short message
  – no padding
  Idea behind this attack is simple. Knowing that encrypted message is short, we are encrypting every combination – brute force – and then compare encrypted messages. If we have some assumptions about the message, it is possible to create a dictionary, and test most probable options first. Simple padding (like PKCS 1.5) adds random bits at the beginning of the message. It makes the output nondeterministic, and resilient to brute force attack.
• HOMOMORPHIC ATTACK. It requires 2 encrypted unpadded messages. This attack is interesting, because it does not reveal the message, but lets attacker manipulate data. Knowing encrypted(300) and encrypted(500), an attacker can construct (encrypted 300*500) by calculating encrypted(300) * encrypted(500). By adding padding, we are removing this property.

Here you can find script exploiting no padding vulnerability: https://github.com/o-lenczyk/rsa/blob/master/no_padding_attacks.py

sample output:

======================================================================
    SUMMARY TABLE: RSA Textbook Vulnerabilities Across Key Sizes
======================================================================
Key Size    RSA Bits    Encrypt     Low Exp     Homom       Brute
(primes)    (modulus)   Time        Attack      Attack      Attack
----------------------------------------------------------------------
512         1024        0.000002    0.000045    0.000087    0.000107
1024        2048        0.000003    0.000030    0.000066    0.000093
2048        4096        0.000002    0.000036    0.000018    0.000078
----------------------------------------------------------------------
TOTALS                  0.000007    0.000111    0.000171    0.000278
======================================================================

Regardless of the key size, lack of padding is critical textbook vulnerability. In all test cases, breaking the encryption was literally instant.

In previous post I was testing and comparing different factorization algorithms.

Based on my observation, the two most critical factors determining the time required to crack private key are

• size (bit length)
• the mathematical properties of its prime factors.

bit length

Most straightforward factor. Most of the known algorithms has exponential complexity. So factoring 2048bit number is not twice as hard as 1024bit number – it is trillions time harder. Current standard is 4096, because it is completely impossible with current technology.

prime factor properties – hidden weakness

Pollard’s p-1 algorithm introduces “smoothness” concept. A number is “smooth” if all his prime factors are small. For example:

• 3,024 seems reasonably large. But its prime factorization is 2^4 × 3^3 × 7. Since its largest prime factor is just 7, this is a 7-smooth number.
• 3,026 is very close to 3,024. But its prime factorization is 2 × 1513. Because it has a large prime factor (1513), it is not a smooth number.

Pollard’s p-1 works incredibly fast, if p-1 or q-1 is smooth.

https://github.com/o-lenczyk/rsa/blob/master/rsa_from_scratch.py#L60

Above you can find a function to generate smooth primes, that can be used to create extremely insecure RSA key pair.

core logic

1. Dynamic smoothness bound calculation:
   Instead of a fixed bound, this function calculates initial smoothness bound, based on the required prime length. This ensures, that for larger primes, there is a larger pool of small primes to work with. Initially I tried fixed, small bound. This was leading to extremely long generation times.
2. Generating small primes:
   helper function to generate all prime numbers up to current smoothness_bound. Those primes will be building p-1
3. Constructing p-1
   function will multiply small primes, until p-1 is close to desired length of p
4. primality test of (p-1)+1
   initially it was done with sympy, but c library is many times faster
5. Smoothness check
   calculating max prime power of p-1 (e.g. 2^8, 3^5). Initially I was checking only for max factor, but this was insufficient. If p-1 contained a prime like 17^6 = 24 137 569, but maximum bound was set to 200 000, the attack would fail. Or took significantly more time.
6. max_prime_power threshold
   the function rejects primes where max prime power exceeds a predefined threshold – currently 20 000 000. Initially it was set to 200 000, because finding such a prime took a long time. Anyway, the longer we will look for vulnerable primes, the faster the Pollard’s p-1 will crack such a key.
7. iterative bound increase
   if no prime is found in 10 000 attempts, the current smoothness bound is doubled

vulnerable key

Finding such a weak example is not an easy task, but after tuning few parameters I was able to generate super-smooth 4096bit key:
https://github.com/o-lenczyk/rsa/blob/master/smooth-keys.txt

cracking it took just 8s. Cracking almost any other key is not possible.

Unique characteristic of this p-1 is max prime factor = 32309, same as max power. This is extremely small number for 2.39×10^599. Or two hundred thirty-nine octononagintacentillion. Or number 10^519 times larger than the number of atoms in the observable universe. Interestingly, computations took less than hour to finish. Below is full list of factors of vulnerable p-1:

Factors of p-1: {2: 1, 47: 1, 269: 1, 383: 1, 491: 1, 709: 1, 967: 1, 1277: 1, 1279: 1, 1381: 1, 1657: 1, 1667: 1, 2377: 1, 2887: 1, 2957: 1, 2969: 1, 3389: 1, 3793: 1, 4201: 1, 4349: 1, 4357: 1, 4517: 1, 4919: 1, 5407: 1, 5563: 1, 5573: 1, 5647: 1, 5867: 1, 6301: 1, 6577: 1, 6637: 1, 6733: 1, 6883: 1, 6959: 1, 7027: 1, 7459: 1, 7537: 1, 7879: 1, 7949: 1, 8179: 1, 8209: 1, 8297: 1, 8423: 1, 8627: 1, 8693: 1, 8699: 1, 8731: 1, 8821: 1, 8963: 1, 9311: 1, 9467: 1, 9623: 1, 9923: 1, 10061: 1, 10987: 1, 11093: 1, 11161: 1, 11621: 1, 12041: 1, 12253: 1, 12511: 1, 12613: 1, 12899: 1, 13109: 1, 13291: 1, 13469: 1, 13591: 1, 13711: 1, 14173: 1, 14431: 1, 14533: 1, 14561: 1, 14731: 1, 14747: 1, 14869: 1, 14951: 1, 15013: 1, 15139: 1, 15277: 1, 15559: 1, 15773: 1, 15907: 1, 15919: 1, 15959: 1, 16333: 1, 16921: 1, 16927: 1, 17033: 1, 17321: 1, 17327: 1, 17341: 1, 17683: 1, 17827: 1, 17957: 1, 18131: 1, 18223: 1, 18587: 1, 19267: 1, 19429: 1, 19463: 1, 19751: 1, 19867: 1, 19973: 1, 20123: 1, 20327: 1, 20389: 1, 20483: 1, 21397: 1, 21401: 1, 21529: 1, 21559: 1, 21839: 1, 22037: 1, 22073: 1, 22109: 1, 22147: 1, 22271: 1, 22409: 1, 22469: 1, 22619: 1, 22811: 1, 23011: 1, 23173: 1, 23677: 1, 25733: 1, 25799: 1, 26399: 1, 26731: 1, 27061: 1, 27673: 1, 27773: 1, 27917: 1, 28051: 1, 28297: 1, 28447: 1, 29131: 1, 29179: 1, 29201: 1, 29387: 1, 29483: 1, 29573: 1, 29587: 1, 29663: 1, 29983: 1, 30161: 1, 30203: 1, 30661: 1, 30949: 1, 31547: 1, 31667: 1, 31751: 1, 32261: 1, 32309: 1}

what to do

Easiest way to mitigate the risk is to generate “safe” prime:

• (p-1)/2 is a prime number. It means that p-1 has large prime factor, so it is not “smooth”. This structure completely neutralizes the vulnerability exploited by algorithms like Pollard’s p-1

As said before, RSA algorithm rests on simple fact: multiplying two large numbers is easy, but factoring the result into original primes is incredibly difficult. Lets see how difficult it is. I prepared tool for that: https://github.com/o-lenczyk/rsa/blob/master/crack_rsa.py and did the measurements using my pc (11th Gen Core i7-11370H)

In RSA, the public key consists of a large number: n (the modulus) and an exponent – e. The private key – d – can only be calculated by someone who knows prime factors of n – p and q. By finding that values, we can calculate d and decrypt the message.

Let me present you couple of algorithms, from most simple implementations, to highly optimized, and compare the results.

Trial division (simple implementation)

Bit Size	Time
8bit	0.0000 seconds
16bit	0.0022 seconds
32bit	2.57 minutes
64bit	~21,000 years
128bit	~3.8×1023 years (or about 28 trillion times the age of the universe)

Trial division is exponential time algorithm. It means it use most straightforward method, but the runtime grows explosively with complexity, making it impractical for large numbers. The strategy is essentially brute-force search.

Trial division is trying to divide number n by every odd integer. It is not quite practical, because there is huge gap between 32bit primes used, and 64bit

gmpy2 – trial division

Bit Size	Time
8bit	0.0000 seconds
16bit	0.0016 seconds
32bit	5.50 minutes
64bit	~45,000 years
128bit	~8.3×1023 years (or about 60 trillion times the age of the universe)

gmpy2 is a python library that uses low-level c library. But for this particular usecase, repeatedly calling gmpy2.next_prime() did not help a lot. Overhead of calls was greater than using non-prime numbers for trial division. It turns out, that simply checking for odd numbers is better here.

Pollard’s Rho (custom implementation)

Bit Size	Time
8bit	0.0000 seconds
16bit	0.0005 seconds
32bit	0.0457 seconds
64bit	103 minutes
128bit	~400,000 years

Pollard’s rho is another exponential time algorithm, but with significant improvement over trial division. Instead of a linear search, it takes a “random walk” through the numbers, and uses cycle-finding trick to discover a number. Because of randomness, it is stochastic algorithm, and there is element of luck involved in finding the solution.

SymPy factorint (trial division only)

Bit Size	Time
8bit	0.0001 seconds
16bit	0.0039 seconds
32bit	2.47 minutes
34bit	7.06 minutes
36bit	34.05 minutes
38bit	~2,5h
64bit	~17,000years
128bit	~320 quadrillion years (about 23 trillion times the current age of the universe)

Sympy is a python library for computer algebra. It has tools related to number theory. I have used factorint function for cracking RSA. By default, it automatically selecting best algorithm, but i wanted to check how each implementation behaves. It is slightly faster than most basic trial division implementation.

SymPy factorint (Pollard’s Rho only)

Bit Size	Time
8bit	0.0001 seconds
16bit	0.0031 seconds
32bit	0.0730 seconds
34bit	0.5716 seconds
36bit	1.1293 seconds
38bit	1.4727 seconds
40bit	1.2474 seconds
64bit	105.75 minutes
128bit	~1.5 to 2.5 million years, on average.

Sympy Pollard’s rho results are almost identical as custom implementation

SymPy factorint (Pollard’s p-1 only)

Bit Size	Time
8bit	0.0001 seconds
16bit	0.0011 seconds
32bit	0.0045 seconds
34bit	0.2573 seconds
36bit	0.4208 seconds
38bit	0.2225 seconds
40bit	0.4577 seconds
64bit	will not work
128bit	will not work

Pollard’s p-1 is a special purpose algorithm, that is not guarantee to work. If the number has a special property, then is broken into primes instantly. Otherwise, the algorithm will not work at all. I will not go into the much details, but it is using fermat’s little theorem, and “smoothness” concept. Key take is: p-1 and q-1 should not be “smooth” if we want to implement secure RSA

SymPy factorint (ECM only)

Bit Size	Time
8bit	0.0001 seconds
16bit	did not work
32bit	did not work
34bit	did not work
36bit	did not work
38bit	did not work
40bit	did not work
64bit	7.1949 seconds
128bit	534.05 minutes
256bit	~100 years

ECM (Elliptic Curve Method) is an enhancement of Pollard’s p-1 method, acting as a generalization that adds “another dimension” to the attack.

While the p-1 method is stuck with the single, fixed number p-1, ECM’s breakthrough is its ability to create “alternative universes.” Each new elliptic curve it tries generates a completely different mathematical group, which has its own unique size (or “order”). The algorithm then bets that one of these new orders will be “smooth”.

It is still stochastic algorithm, and sometimes fail, due to “bad luck”.

SymPy factorint (auto algorithm selection)

Bit Size	Time
8bit	0.0001 seconds
16bit	0.0095 seconds
32bit	0.0108 seconds
34bit	0.1922 seconds
36bit	0.6174 seconds
38bit	0.1154 seconds
40bit	0.2449 seconds
64bit	6.8013 seconds
128bit	???

Finally, I let the sympy choose the best algorithm itself. By mixing different methods, the results are clearly the best so far.

SageMath (factorization using Sage)

Bit Size	Time
8bit	0.6318 seconds
16bit	0.0001 seconds
32bit	0.0003 seconds
34bit	0.0007 seconds
38bit	0.0016 seconds
40bit	0.0010 seconds
64bit	0.0206 seconds
128bit	2.60 minutes
256bit	~250 years

SageMath is computer algebra system, with dozen of specialized libraries, easy to use with Python. It includes number theory tools like factorization, that uses highly optimized PARI/GP C library. The results are two orders of magnitude better than plain python.

cypari2 (Pari/GP)

Bit Size	Time
8bit	0.0281 seconds
16bit	0.0063 seconds
32bit	0.0068 seconds
34bit	0.0077 seconds
36bit	0.0072 seconds
38bit	0.0076 seconds
40bit	0.0078 seconds
64bit	0.0270 seconds
128bit	2.59 minutes
256bit	~250 years

cypari2 serves the similar purpose, but instead giving an access to broad collection of tools, it provides python interface for PARI/GP alone. Results are almost identical.

python-flint

Bit Size	Time
8bit	0.0002 seconds
16bit	0.0001 seconds
32bit	0.0008 seconds
34bit	0.0168 seconds
36bit	0.0149 seconds
38bit	0.0085 seconds
40bit	0.0104 seconds
64bit	0.0479 seconds
128bit	2.80 minutes
256bit	~250 years

Python library that gives an access to FLINT – Fast Library for Number Theory. It is a modern, highly optimized C library for advanced number theory calculations. It is a direct competitor to PARI/GP. Both libraries uses algorithm cascade similar to this:

• Trial division
• Pollard’s rho
• Pollard’s p-1
• ECM
• Quadratic Sieve (QS)
• Number Field Sieve (NFS)

Both QS and NFS are sub-exponential sieve methods. Far more complex algorithms that work by collecting thousands of mathematical relationships and then using linear algebra on massive matrices to find the factors. They are used only by most sophisticated tools.

QS – core concept is that if:

• x2≡y2(modN))

then most likely:

• gcd(x - y, N) will be a factor of N

Next step is finding x and y, where again, “smooth” concept is used. Finally, when enough relations is collected, it looks for numbers multiplied together forms a perfect square

NFS – the most powerful factorization algorithm known today. Unbeatable for numbers over 110 digits. Has enormous complexity. It is an abstract over QS. NFS searches for polynomial equation, which has special relationship with number N, we are searching. It is scoring each equation, and spends a lot of time to find best equation, before solving it.

YAFU (standalone tool)

Bit Size	Time
8bit	0.0330 seconds
16bit	0.0218 seconds
32bit	0.0265 seconds
34bit	0.0327 seconds
36bit	0.0454 seconds
38bit	0.0740 seconds
40bit	0.1599 seconds
64bit	0.2154 seconds
128bit	56.2382 seconds
256bit	~80-100 years

YAFU – yet another factoring utility. Free, high-performance standalone command line tool. One of most the fastest and most powerful tools for factorization. Created for single purpose, and was 3x faster than SageMath multi tool. It uses own algorithmic cascade and Self-Initializing Quadratic Sieve (SIQS) – more advanced version of QS. SIQS tests few routes first, before digging deeper. Self-Initializing means it is creating next polynomial quickly, instead doing it from scratch. Thanks to that, most time consuming part is done in productive range.

CADO-NFS (standalone tool)

Bit Size	Time
8bit	too small
16bit	too small
32bit	too small
64bit	too small
128bit	4.50 minutes
130bit	5.56 minutes
132bit	8min
256bit	~50 years

CADO-NFS is research grade tool for high performance, distributed computing and world record factorizations. It was slower than YAFU, because it is designed for much higher numbers, and more computing power. The overhead was too much for 128x128bit prime.

FactorDB (online database)

Bit Size	Time
8bit	0.2378 seconds
16bit	0.1419 seconds
32bit	too long
64bit	too long
128bit	too long

Online database that stores known factorizations. Instead of computing, we are asking for the result. Works only for really small numbers

Wolfram Alpha (online API)

Bit Size	Time
8bit	2.0049 seconds
16bit	1.7616 seconds
32bit	1.6952 seconds
34bit	1.4012 seconds
36bit	1.8980 seconds
38bit	1.8980 seconds
40bit	1.7296 seconds
64bit	1.7817 seconds
128bit	too long

Online engine, powered by Mathematica. Can compute much higher numbers than factordb, but still relatively small for RSA key. For 64x64bit number, it was faster than fastest python implementation.

summary

• Right algorithm choice can lead to astronomical differences
• C libraries are hundreds time faster than python implementations
• huge complexity jump with doubling key size. That is why modern RSA keys are at least 2048 bit length.
• some algorithms base on pure luck. they can solve the problem fast, but are unreliable
• most powerful tools use cascade of tools to solve problem efficiently
• together with small key size “smoothness” is critical key vulnerability

In a previous post, I introduced the RSA algorithm and outlined its importance. Here, I will present a naive Python implementation. Later, I will highlight its shortcomings and address the flaws.

The code can be found here: https://github.com/o-lenczyk/rsa

Lets explain two helper functions:

def gcd(candidate_exponent, totient_phi):
    while totient_phi != 0:
        candidate_exponent, totient_phi = totient_phi, candidate_exponent % totient_phi
    return candidate_exponent

This function computes greatest common divisor. Example:

If you call gcd(14, 8), the steps are:

• (14, 8) → (8, 14 % 8 = 6)
• (8, 6) → (6, 8 % 6 = 2)
• (6, 2) → (2, 6 % 2 = 0)
• (2, 0) → returns 2

So, the GCD of 14 and 8 is 2.

def mod_inverse(encryption_exponent_e, totient_phi):
    m0, x0, x1 = totient_phi, 0, 1
    if totient_phi == 1:
        return 0
    while encryption_exponent_e > 1:
        q = encryption_exponent_e // totient_phi
        totient_phi, encryption_exponent_e = encryption_exponent_e % totient_phi, totient_phi
        x0, x1 = x1 - q * x0, x0
    if x1 < 0:
        x1 += m0
    return x1

This function finds a number that, when multiplied by encryption_exponent_e and divided by totient_phi, leaves a remainder of 1. This is needed in RSA to calculate the private key.

• Save the original value of totient_phi (call it m0).
• Set up two numbers, x0 and x1, to help keep track of the calculation.
• If totient_phi is 1, return 0 (no inverse exists).
• Repeat these steps while encryption_exponent_e is greater than 1:
  • Divide encryption_exponent_e by totient_phi and get the whole number part (call it q).
  • Update encryption_exponent_e and totient_phi to the next pair of numbers in the process (like in the Euclidean algorithm).
  • Update x0 and x1 to keep track of the calculation.
• If the answer (x1) is negative, add m0 to make it positive.
• Return x1 — this is the modular inverse.

def generate_keypair(p, q):
    if p == q:
        raise ValueError('p and q cannot be equal.')
    
    n = p * q
    phi = (p-1) * (q-1)
    
    # Choose an integer e such that e and phi(n) are coprime
    e = random.randrange(1, phi)
    
    # Use Euclid's Algorithm to verify that e and phi(n) are coprime
    g = gcd(e, phi)
    while g != 1:
        e = random.randrange(1, phi)
        g = gcd(e, phi)
        
    # Use Extended Euclidean Algorithm to generate the private key
    d = mod_inverse(e, phi)
    
    # Return public and private keypair
    # Public key is (e, n) and private key is (d, n)
    return ((e, n), (d, n))

By having two above functions already, generating keypair is fairly straightforward

Last two functions are encrypt and decrypt

def encrypt(public_key, plaintext):
    e, n = public_key
    cipher = [pow(ord(char), e, n) for char in plaintext]
    return cipher

What is happening here:

• ord(char) converts a character (like 'A') into its ASCII numeric value (e.g., 65)
• pow(ord(char), e, n) computes (m ^ e) mod n – RSA encryption formula
• [ … for char in plaintext] does this for every character in the plaintext, producing a list of encrypted numbers

def decrypt(private_key, ciphertext):
    d, n = private_key
    plain = [chr(pow(char, d, n)) for char in ciphertext]
    return ''.join(plain)

Last but not least:

• for each number, compute (char ^ e) mod n – the RSA decryption formula
• chr(…) – Converts the resulting number back to a character using its ASCII code
• return ”.join(plain) – Joins the list of characters into a single string

Rest is the matter of generating key pair, and using encrypt and decrypt function.

RSA stands for Rivest-Shamir-Adleman, who first described the algorithm in 1977. It is used in public-key cryptography. RSA is essential for modern internet protocols. Key applications are

• TLS/SSL. Whenever you visit a secure website, RSA is used to exchange symmetric session key
• Digital signatures. RSA provide a way to verify authenticity and integrity of a message. Sender uses private key to “sign” a document. Then recipient uses public key to verify the signature
• Email security. Protocols like PGP use RSA to encrypt emails
• VPN. RSA is used during the setup of secure VPN connection to authenticate parties
• Cryptocurrency and blockchain. RSA is used in key management and signing. But for most cases Elliptic Curve Cryptography is used instead of RSA

Public key cryptography

RSA is asymmetric encryption algorithm. This means it uses pair of keys

• public key: can be shared with anyone
• private key: must be kept secret

Public key is used for encryption, private key is used for decryption.

why rsa is so important

RSA solves very important problem: how to exchange encryption keys, before establishing secure connection? This was often a logistical challenge. RSA bypasses this issue, by never sharing a secret key. Instead, only an encryption key is shared.

mathematical asymmetry

The key concept that makes RSA so resilient is the asymmetry of computational difficulty between two mathematical operations: multiplication and prime factorization.

• easy direction: multiplication. It is simple, even for huge numbers. Straightforward process that takes a computer milliseconds.
• hard direction: factorization. Guessing what was prime factors of for large numbers is computationally intensive. It can take thousands of years to complete, even for supercomputers

generating Public key

Public key is a tuple (e,n).

• e – encryption exponent
• n – RSA modulus
• p – relatively big prime number
• q – relatively big prime number

n = p*q

to calculate e, we must first find euler totient (φ):

φ = (p-1)(q-1)

and e is coprime to that number:

• no common factors other than 1. In other words, greatest common divisor of e and (p-1)(q-1) is 1

Common choice for e is 2^16+1. It is a prime number, and binary representation 10000000000000001 makes it computationally efficient. It is also large enough to avoid security risks associated with small exponents.

example of public key

Lets calculate simple public key

p=5
q=11
n=p*q=55
φ = (p-1)(q-1) = 4*10 = 40
e = 3
(e,n) = (3,55)

Our public key is (3,55)

encrypting the message

To encrypt the message, sender has to calculate number c:

c ≡ m^e (mod n)

• m: original message
• e: exponent, taken from public key
• n: modulus, taken from public key

Assume, that we want to send the number 7 (for any reason). In practice, ASCII table can be used to convert letters to numbers first.

m = 7
c ≡ 7^3 (mod 55) ≡ 343 (mod 55) ≡ 13

decrypting message

To decrypt, first we need to solve this equation:

de = 1 (mod φ ) = 1 (mod((p-1)(q-1))
3d ≡ 1 (mod 40)
d ≡ 27 (mod 40)

by having d, we can decrypt the message:

• m: decrypted message
• c: encrypted message
• d: private, decryption exponent
• n: rsa modulus

m ≡ c^d (mod n)
m ≡ 13^27 (mod 55) ≡ 7