Questions tagged [roca]

ROCA is an acronym for "Return of the Coppersmith Attack" — a vulnerability in the RSALib cryptographic software library thought to be used in millions of smart cards and other devices.

This library generates prime numbers for RSA keys based on the formula $p = k \cdot M + (65537^a \bmod M)$, where $M$ is the product of the first $n$ successive primes $(2, 3, 5, 7, 11, 13, \ldots)$ and $n$ is a constant that depends only on the desired key size. These keys can be broken by using a variation of the Coppersmith attack.

7 questions
40 votes, 1 answer

What is “Fast Prime”?

In this note, the manufacturer of an RSA key generation gizmo vulnerable to the new ROCA attack (see second section) explains that it is common practice to employ acceleration algorithms in order to generate key pairs, especially if time resources…
fgrieu
8 votes, 1 answer

How does the ROCA attack work?

I have been trying to understand the ROCA attack described here as the "First Attack" and I cannot follow the explanation. I have been trying to generate a 512-bit key and crack it. As far as I can understand, $p$ and $q$ are $65537^a \bmod L$…
John
4 votes, 2 answers

How does ROCA get the polynomial used with Coppersmith

I'm trying to understand the ROCA attack on RSA from Matus Nemec et al. but I'm stuck on how they go from the constraint they have expressed as: $$f(x) = x \cdot M' + (65537^{a'} \bmod M') \pmod p$$ to the real polynomial they feed to…
needle
3 votes, 0 answers

RSALib prime generation - derive number of primes

I'm working on factorizing a ~450 bit key that I know has been generated with RSALib and thus is vulnerable to ROCA. Now reading the original paper, I can see that the primes are generated in the following form: $$p = k \cdot M +…
S. L.
3 votes, 1 answer

ROCA Implementation, Coppersmith Algorithm does not return roots

We are currently trying to reproduce the implementation of the ROCA paper. Therefore we calculated $M'$ from $M$ and $Order_{M'}$ from $Order_M$ to reduce the search space, but when we hand these values to the Coppersmith algorithm as described in…
R4ph4e1
3 votes, 1 answer

Biased RSA moduli and ROCA

Say I can generate many 1024-bit RSA public keys $(N,e)$ with fixed public exponent $e = 65537$. They turn out to be heavily biased when computing $N \bmod x$ for small primes $x$. These congruences always seem to hold: $N \equiv 1 \pmod 2$ $N…
RSAvgb
0 votes, 0 answers

ROCA with unknown M and g

Trying to upsolve "notsosmart - hxp CTF 2017" https://2017.ctf.link/internal/challenge/5c8119ca-bfed-444a-968d-1cc9bff27bfb.html This server code was given during the CTF, letting you get multiple values of n: #!/usr/bin/env python3 from random…
akonzu