Given a public key (​e,N​) with a ​small ​N​, 64 bits, that can be

factored, such that ​N ​=​ p ​x​ q ​(Integer factorization calculator;

computation for get_factors), we have a ​viable attack vector​ for
determining the private key. We know that gcd(​e,t​) = 1 and private
key ​d​ is generated by finding ​e-1 ​ ​ (​mod t​), where ​t​ is the totient
function of ​N​ (i.e. ​t​ = (​p​ - 1) x (​q​ - 1)). We also know that
gcd(​a​,​b) ​ can be found by recursive application of division via the
Euclidean algorithm and, by t​he existence of Bézout's ​lemma, that if
the gcd(​a​,​b​) = ​r​ then there exist integers ​q​ and ​s​ so that
q​(​a)
​ + ​s( ​ ​b​) = ​r​ (Extended Euclidean algorithm). Then,
q​(​a)​ = ​r​ + (-​s​)​b​, or in other words, ​q​(​a​)​r ≡​ (​mod b​). Therefore, if
-1​
gcd(​a​,​b) ​ = 1, then ​q ​≡ ​a​ (​mod b​) such that ​q​ (and ​s​) can be found by
the ​extended Euclidean algorithm​ (Extended Euclidean algorithm;
pseudo code for extended_gcd) whereby the previous remainder of
recursive applications of division via the Euclidean algorithm is
recorded as a linear combination of ​a​ and ​b​. So, by substitution and
modular arithmetic (see get_key), we are able to find the private key
​ ​ (​mod t​) due to the vulnerability caused by the relatively
d ​≡ ​e-1
small size of the public key.

We know that the security of RSA encryption is based on the

computational complexity of factoring the moduli of public keys of
sufficient size, e.g. 1024 bits, into prime integers ​p​ and ​q​. We also
know that determining the gcd of two 1024-bit integers is
computationally trivial (Heninger, Nadia & Zakir Durumeric & Eric
Wustrow J. & Alex Halderman). As such, if the modulus of two
seemingly distinct public keys share a ​common prime factor ​p​, we can
find ​p​ by computing their ​gcd​ and then, through simple division, find
q ​for both moduli (Heninger, Nadia & Zakir Durumeric & Eric Wustrow
J. & Alex Halderman). With the prime factors of both public keys, we
then have a ​viable attack vector​ for determining both private keys.

Given a public key1 (​e​1,N ​ ​1)

​ and the modulus of a public key2 ​N2​ ​, we
determine that ​N​1​ and ​N​2​ have a gcd that is not equal to one
(is_waldo). We find their common prime factor ​p​ by computing
gcd(​N​1​,​N2​ )​ and then compute ​q1​ ​, such that​ N​1​ = ​ ​ p​1​ ​x​ q​1​, by dividing
N​1​ by ​p​1. ​ With the factored public key1, we are able via substitution
and modular arithmetic (see get_key) to utilize the extended
Euclidean algorithm as in Task 2 (Extended Euclidean algorithm;
pseudo code for extended_gcd) to find the private key
​
d ​≡ ​e1​ -1
​ (​mod t1​ ​), where ​t1​ ​ = (​p​1​ - 1) x (​q​1​ - 1), due to the

1
vulnerability caused by the common prime factor shared by two
seemingly distinct public keys.

We know that the system of linear congruences ​x​ ≡ ​c​1​ (mod ​n​1); ​
x​ ≡ ​c2​ ​ (mod ​n2​ );​ ... ; ​
x ​ ≡ ​
c ​ k​ (mod ​
n ​ k​), where ​
c ​ 1​, ..., ​
c ​ k​ are integers
such that 0 ≤ ​c​i​ < ​n​i​ for every ​i​ and ​n​1​, ..., ​n​k​ are positive integers
such that gcd(​n​i​,​nj​ ​) = 1 for ​i​ ≠ ​j,​ has a simultaneous unique solution
0 ≤ ​x​ < ​N​ where ​N​ = ​n1​ x ​ ​n​2​...​n​k by ​ the ​Chinese remainder theorem​ (CRT)
(​Chinese remainder theorem​). So, given a single plaintext message ​m
encrypted with three different public keys ​N​1​, ​N​2, ​ ​N​3,
​ all of which
share the ​same small public exponent ​e​ = 3, resulting in three
different ciphers C​1​, C​2​, C​3​ denoted ​C​1​ ≡ ​m​3​ (mod ​N​1); ​ ​C​2​ ≡ ​m3​ ​ (mod ​N2​ );
​
C​3​ ≡ ​m3​ ​ (mod ​N3​ ), ​ ​
w e can construct a system ​
o f linear congruences
x​ ≡ ​C1​ ​ (mod ​N1​ ); ​ ​x​ ≡ ​C​2​ (mod ​N​2); ​ ​x​ ≡ ​C​3​ (mod ​N​3) ​ such that
3​
x​ ≡ ​m​ (mod ​N1​ ​ x ​N​2​ x ​N​3) ​ (Coppersmith’s attack). Assuming that any
given pair of the seemingly distinct public keys do not share a
common prime factor (and are not vulnerable to the attack described
in Task 3) such that gcd(​N​i,​ ​ N​j​) = 1 for ​i​ ≠ ​j, ​we can utilize a method
of solving simultaneous linear congruences attributed to Gauss (The
Chinese Remainder Theorem) to find ​x​. Since we know that RSA PKCS1
(cryptography - RSA Encryption Problem [Size of payload data] - Stack
Overflow) dictates that any message we encrypt must be smaller than
the modulus, we know that ​m​ < min(​N1​ ​, ​N2​ , ​ ​N3​ ),
​ which means
m​3​ < (​N1​ ​ x ​N2​ ​ x ​N​3​) and ​m3​ ​ = ​x ​because ​x​ ≡ ​m3​ ​ (mod ​N​1​ x ​N​2​ x ​N3​ ​) and ​x​ is
the unique solution by CRT. Therefore, after computing √3 x , a
computationally trivial task, we have a ​viable attack vector​ for
recovering the plaintext message m.

Given a single plaintext message ​m​ encrypted with three different

public keys ​N​1​, ​N2​ ​, ​N​3, ​ all of which share the same small public
exponent ​e​ = 3, resulting in three different ciphers C​1​, C​2​, C​3, we ​
solve the system of three ​simultaneous linear congruences
x​ ≡ ​C​1​ (mod ​N1​ ); ​ ​x​ ≡ ​C​2​ (mod ​N​2);
​ ​x​ ≡ ​C​3​ (mod ​N​3) ​ using a method
attributed to Gauss (The Chinese Remainder Theorem) whereby
x​ ≡ ​C​1x(​
​ N2​ ​ x ​N3​ ​)​-1​(mod ​N1​ ​) + ​C​2​x(​N1​ ​ x ​N​3​)​-1​(mod ​N​2)
​ + ​C​3x(​
​ N​1​ x ​N​2)​
​
-1​
(mod ​N3​ ​)
and the modular multiplicative inverse, e.g. (​N2​ ​ x ​N3​ ​)​ (mod ​N1​ ​), is -1​

computed using the extended Euclidean algorithm as in Task 2

(Extended Euclidean algorithm; pseudo code for extended_gcd). Then,
we are able to recover the plaintext message m by computing √3 x
through application of binary search (Slides (Algorithm: Binary
search in interval 1 ... N.); pseudo code for cube_root), an

2
efficient algorithm that repeatedly divides the search interval in
half, due to the vulnerability caused by the use of the same small
public exponent with three different public keys to encrypt the same
message.

3
4