### UC Berkeley, MICS, W202-Cryptography
### Week 02  Breakout 1
### Breaking RSA by factoring n into p and q by brute force


Here is an example where we will actually decode a ciphertext into plaintext by breaking RSA by factoring n into p and q by brute force.

We will use 128 bits for n in this example.  128 bits was the norm in the mid 1990s when it was still computationally intractible with computers of the time. On modern computers, 128 bits is easy to factor as you will soon see.

Publically known: <n, e> (public key), c (ciphertext)

Objective: decrypting the ciphertext c into plaintext m using only the public key <n, e>

Steps:
* factor n into p and q using brute force
* calculate Euler's phi = (p-1)(q-1)
* using the Extended Euclidean Algorithm, solve Bezout's Identity for d (private key)
* once we have recovered the private key d, we can decrypt as we normally would, m = c^d (mod n)

In [1]:
from sage.all import *

In [2]:
def my_print_number(label, x):
    "prints a number in decimal, number of digits, hex, number of bits"
    
    print ("\n", label, '\n')
    print ("decimal:", "{:,}".format(x), "\n")
    print ("number of digits:", x.ndigits(), "\n")
    print ("hex:", x.hex(), "\n")
    print ("number of bits:", x.nbits(), "\n")

In [3]:
# publically known:
#
# <n,e> is the public key 
# c is the cipher text

n = 0x8910bcf5972f024f3fee8af55f4faef1
e = 0x5ae303ffd95a5b66f9667d3455e5894b
c = 0x41ed10ac1ed06b67429446d4800358bf

In [4]:
my_print_number("n",n)


 n 

decimal: 182,191,144,722,964,401,241,857,980,467,499,740,913 

number of digits: 39 

hex: 8910bcf5972f024f3fee8af55f4faef1 

number of bits: 128 



In [5]:
my_print_number("e", e)


 e 

decimal: 120,809,252,125,207,568,615,322,638,509,316,344,139 

number of digits: 39 

hex: 5ae303ffd95a5b66f9667d3455e5894b 

number of bits: 127 



In [6]:
my_print_number("c", c)


 c 

decimal: 87,630,732,236,826,410,830,048,074,749,582,727,359 

number of digits: 38 

hex: 41ed10ac1ed06b67429446d4800358bf 

number of bits: 127 



In [7]:
# factor n by brute force into p and q

f = factor(n)
q = f[0][0]
p = f[1][0]

In [8]:
my_print_number("p", p)


 p 

decimal: 14,317,928,671,491,216,817 

number of digits: 20 

hex: c6b380445f9d55b1 

number of bits: 64 



In [9]:
my_print_number("q",q)


 q 

decimal: 12,724,685,874,831,162,689 

number of digits: 20 

hex: b0972a6287bdfd41 

number of bits: 64 



In [10]:
# now that we know p and q, we can easily calculate Euler's phi

phi = (p - 1) * (q - 1)

In [11]:
my_print_number("phi",phi)


 phi 

decimal: 182,191,144,722,964,401,214,815,365,921,177,361,408 

number of digits: 39 

hex: 8910bcf5972f024dc8a3e04e77f45c00 

number of bits: 128 



In [12]:
# now that we have e and phi, we can easily calculate d using the Extended Euclidean Algorithm to solve Bezout's Identity

def my_calculate_d(e,phi):
    "given e and phi calculate d"
    
    (g, d, b) = xgcd(e,phi)
    
    print ("\nd * e + b * phi = gcd(e,phi) = 1")
    print ("\n(" + str(d) + " * " + str(e) + ") + (" + str(b) + " * " + str(phi) + ") = " + str(g))
    
    print ("\nraw d = ", d)
    
    print ("\nd = raw d (mod phi) = ", d % phi)
    
    return d % phi


In [13]:
d = my_calculate_d(e,phi)


d * e + b * phi = gcd(e,phi) = 1

(10551194725837900616484391979403029603 * 120809252125207568615322638509316344139) + (-6996399006077726073490624431591312377 * 182191144722964401214815365921177361408) = 1

raw d =  10551194725837900616484391979403029603

d = raw d (mod phi) =  10551194725837900616484391979403029603


In [14]:
ed = e * d
power_mod(5, ed, n)

5

In [15]:
# now that we have recovered d, we can decrypt the ciphertext c into the message m
# the message should be 1234567890

m = power_mod(c, d, n)
print (m)

1234567890


### Further Discussion (time permitting)

If we have network traffic stored from years ago that used RSA encryption with 128 bits or less for key exchange, can we decrypt it now?  What types of data would no longer be meaningfull?  What types of data would still have value?

128 bit was seen as secure in the mid 1990s.  1024 is the current default for OpenSSH, the most widely used implementation. Recent bulletins have come out recommending 2048 as the new default. Considering Moore's Law, how long do you estimate it will be before n of the following sizes will be broken on a everyday laptop computer:

* 1024
* 2048
* 4096

Why not just use 4096 for everything?  Give examples where we would want to use 4096.  Give examples where we would not want to use 4096.  (assume today)
