Small Prime Divisors Attack and Countermeasure against the RSA-OTP Algorithm

: One-time password algorithms are widely used in digital services to improve security. However, many such solutions use a constant secret key to encrypt (process) one-time plaintexts. A paradigm shift from constant to one-time keys could introduce tangible beneﬁts to the application security ﬁeld. This paper analyzes a one-time password concept for the Rivest–Shamir–Adleman algorithm, in which each key element is hidden, and the value of the modulus is changed after each encryption attempt. The difference between successive moduli is exchanged between communication sides via an unsecure channel. Analysis shows that such an approach is not secure. Moreover, determining the one-time password element (Rivest–Shamir–Adleman modulus) can be straightforward. A countermeasure for the analyzed algorithm is proposed.


Introduction
Cryptography is the basis of modern secure communication. Cryptographic algorithms are very important for the security of data or information [1]. Commonly used algorithms such as the Advanced Encryption Standard (AES) and the Secure Hash Algorithm 2 (SHA-2) are often assumed to be unbreakable. However, the predecessors of these algorithms typically experienced decreased levels of security throughout their lifetimes. Hence, despite modern algorithms appearing secure, increasingly safe solutions must be sought [2][3][4].
Commonly used algorithms are often combined with an authentication process such as one-time password (OTP) to enhance communication security. The most popular OTP implementations, known as HOTP algorithms [5], are derived from hash-based message authentication code (HMAC) [6] algorithms. Given that HMAC algorithms use hash functions as symmetric keys, they represent ideal solutions for challenge-response authentication. However, the algorithms are effectively one-way and so cannot be used directly to encrypt data. This problem is not shared by AES-based OTP authentication algorithms (AES-OTP) [7]. These two examples, despite differing in approach and algorithm utilization, both use an OTP mechanism based on non-repeating challenges with a constant cryptographic key.
Jabłoński and Wójtowicz [8] propose a novel use of the Rivest-Shamir-Adleman (RSA) [9] algorithm in the context of OTP (RSA-OTP): following each sign or encryption operation, the RSA modulus n i is replaced by a newly generated value n i+1 . This approach ensures the secrecy of the initial key elements and their secure exchange between two communicating parties. Although this OTP-based approach no longer uses a public key, an important RSA attribute, it allows using shorter keys.
The primary advantage of RSA-OTP over AES-OTP or HOPT is a kind of one-time pad structure: each message is encrypted with a new random key which can be used for native cloning detection. A further advantage is the asymmetric nature of RSA and its mathematical simplicity. Research throughout the past four decades has shown that the primary threat to RSA is large integer factorization, a result of public knowledge of used moduli. Some research [10,11] additionally shows that the implementation method of RSA can produce unintended weaknesses. However, in the case of secret exponents and moduli, many public key RSA threats are no longer relevant.
The novel contributions of this paper are a small prime divisors attack against the RSA-OTP algorithm [8] and a countermeasure using XOR operation.

The RSA Algorithm
Many applications require the secure communication or storage of data. The RSA algorithm is a commonly used solution in various types of security applications. Despite the difficulty in breaking RSA keys, RSA algorithms still suffer varied attacks [12,13].
As an asymmetric encryption algorithm, RSA is widely deployed in public key cryptosystems (public key cryptography). A plaintext is encrypted by a public key and the resultant ciphertext is transmitted to the receiver where it can be decrypted by a private key. Encryption security is contingent on the difficulty of factoring the product of two large prime numbers [14].
To generate a private and public key pair, two large prime numbers p and q are randomly chosen. They are used to generate a semiprime n, where: and Euler's totient function ϕ(n), where: The public key (n, e) is a pair, where e is an integer. Additionally, e is not a factor of mod n, and 1 < e < ϕ(n). The private key (n, d) is a pair, where d is the modular multiplicative inverse of e modulo ϕ(n): The public key encrypts a plaintext x into a ciphertext y: To recover the original message, the corresponding private key decrypts the ciphertext: x ≡ y d mod n.

The RSA-OTP Concept
The RSA-OTP algorithm also uses asymmetric keys e and d i . Following each encrypted transaction, a new modulus generation process is initiated by one of the communicating parties. The party is hence the owner of key d i . A differential value ∆n i is created from the previous modulus n i−1 and the new modulus n i : This value is then transmitted to the second party: the owner of key e. As claimed by Jabłoński and Wójtowicz [8], ∆n i can be exchanged across a public, unsecure channel. According to the authors, such a communication method guarantees an "unconditional security level". Moreover, the modulus length at even 128 bits should be sufficiently secure for certain applications. RSA-OTP scheme is presented in Figure 1. Assuming the privacy of each modulus n i , 128-bit RSA-OTP can be secure under several conditions. However, given that the ∆n i values are closely related to the n i values, the unsecure exchange of ∆n i values raises serious concerns regarding unintended n i leakage. These concerns precipitate a deeper analysis of the RSA-OTP approach.
Consider the dependency between modulus n and ciphertext y within RSA, as described in Equation (4). Given that y is always smaller than n, y represents the lower bound of the range which can contain a modulus. The upper bound is the product of the two largest primes for which the bit length is equal to the maximum modulus size (e.g., 128-bit). From this, an attacker observing RSA-OTP communication can attempt to estimate the boundaries of the current moduli via Algorithm 1. 5: if y i > m l then 6: m l ← y i 7: end if 8: if m l + ∆n i+1 < m min then 9: m l ← m min During empirical tests with 128-bit moduli, observations show that after 5 · 10 6 transactions in which ciphertext y i and differential value ∆n i are exchanged, at least twenty of the most significant bits of m l and n i match. Following this, to further reduce the security of modulus n i , the condition in which many of the most significant bits of m l are set must be detected. When this occurs, the number of possible modulus combinations decreases substantially, as shown in Table 1. The results presented in the first two columns of Table 1 are prime number approximations generated by

Algorithm 1 k-bit RSA-OTP modulus bounding
Consider the smallest 128-bit number t that has its s most significant bits set (e.g., for s = 3 : t = (111000...000) 2 ). The division of t by the largest 64-bit prime number p max produces a lower bound p min of possible prime values that can generate t or greater. Determining these prime values allows the estimation of prime numbers in a given range as follows: The number of unique combinations ( primeNo 2 ) represents the estimated number of possible modulus values, as displayed in the third column of Table 1. Among these combinations exist many values that do not produce sufficient "large" moduli. Such values can be justifiably included given that their existence can only be verified following the multiplication of two primes larger than p min . To summarize, RSA-OTP modulus leakage occurs via the following process: • Observation of approximately consecutive random 5 · 10 6 RSA-OTP transactions, using Algorithm 1, determines at least 20 most significant bits of each modulus. • Following this, the condition being reached that many of the most significant bits of m l are set brings a substantial decrease in the number of possible primes that can generate modulus n i .
Empirical tests over 32 · 10 6 RSA-OTP 128-bit transactions bounded the number of possible prime combinations that could generate the sought moduli to 91-84 bits. While this represents substantial progress toward discovering the RSA-OTP moduli, their final designation remains a computationally demanding task. Moreover, a trivial countermeasure can be applied to prevent such reduction in possible combinations of RSA-OTP moduli. This entails the verification of generated moduli and the rejection of those for which many most significant bits are set. The maximum modulus value can be limited to (BFF...FFF) 16 . Additionally, the extension of moduli to 256-bit should make this type of attack infeasible.

Small Prime Divisors Attack
The RSA-OTP attack method presented in the previous section degrades security but is somewhat impractical. This section presents an alternative attack method. Three lemmas lay the framework. This attack is derived from the fact that prime numbers, or large composite numbers such as RSA moduli, do not have small divisors (Lemma 1). Hence, such numbers can be "reconstructed" using equations for values that are not divisible by a set of small primes. The divisibility of integers by prime numbers is cyclic. Primes p 0 = 2 and p 1 = 3 have a cycle of 6 = lcm(2, 3). Primes p 0 , p 1 , and p 2 have a cycle of 30 = lcm (2,3,5). In this manner, any value s which is non-divisible by the set of the first k primes can be described as: where the offset t is an odd natural number and i is the largest natural number such that p 0 · p 1 · ...p k−2 · p k−1 · i < s. Hence, there exists only one possible t which is always smaller than p 0 · p 1 · ...p k−2 · p k−1 . Via this process, discovery of RSA moduli is undertaken by considering only odd values. As such, it holds that for every RSA-OTP modulus.

(19)
As lcm (2,3,5,7,11) > n (where: lcm is least common multiple), Equation (19) must determine the correct value of n, with i 3 = 1. Table 2 summarizes the attack. It presents the number of primes required to precisely determine moduli of set binary sizes. The attack is surprisingly effective for even 4096-bit moduli with a computational complexity on the order of 32 bits. The requirement to observe a large set of consecutive ∆n i values presents the only drawback. This follows from Lemma 2: to achieve a high probability of success, the examined set must be sufficiently large so as not to verify an offset as a false positive (i.e., non-divisible by the selected prime number). For each subsequent small prime, the number of equations increases. As such, the discovery of the correct offset for primes larger than two appears difficult. However, the task is made considerably easier in the case of RSA-OTP by the observation of a sufficiently large set of consecutive public ∆n i values. The complete process is presented in Algorithm 2, which demonstrates the determination of the correct offset using Lemma 3. Upon validation of the correct offset, none of the checked values are divisible by the selected prime (line 18 in Algorithm 2). In another case, with probability p−1 p k (Lemma 2) some value will be divisible by the selected prime. The designation of the RSA-OTP secret moduli makes treating them as a one-time element meaningless but does not lead to a complete breakdown of the RSA-OTP scheme: all time exponents e and d i remain unknown. However, in specific scenarios, especially for short (128/256 bit) version of RSA-OTP, it may seriously affect the secrecy of encrypted data. Algorithm 2 Small prime divisors attack 1:

Countermeasures
The primary conclusion to be drawn from the presented attack is the need for secure, encrypted exchange of RSA-OTP ∆n i values. Multiple possible solutions exist, the most straightforward of which is an AES encryption algorithm. However, this approach would significantly increase the complexity of the solution. On the other hand, the ∆n i values look pseudo-random to an external observer, as shown in Figure 2. This bitmap, containing 256 randomly generated consecutive ∆n i values exchanged between communication parties, looks like (except for the few most significant bits) white noise. Given the random nature of the ∆n i values, a more effective approach could be implemented. Consider a basic XOR operation between consecutive differential values: Assuming ∆n 0 is a secret, random value securely exchanged between both communication sides, this approach nullifies the presented attack because an attacker cannot determine ∆n i from ∆encn i . As shown in Figure 3 ∆encn i values except for those most significant bits are approximately white noise. The figure presents a series of 256 ∆encn i transactions corresponded to ones in Figure 2 and ∆n 0 : 0xFB945A7D42485E3A0A5D2F346BAA9455E3E70682C2094CAC629F6FBED82C07CD. The improved RSA-OTP scheme is presented in Figure 4. The principle of operation (20) is similar to that of the Vernam cipher, because each ∆n i is derived from two randomly generated values (6) and then ∆encn i is a XOR result of two such consecutive values; hence, an attacker observing such communication cannot revert original value from it. As in the case of the Vernam cipher, achieving secrecy of exchanged data does not guarantee its integrity and authenticity; however, the simplicity of the mechanism increases the security of the OTP algorithm. Depending on the application, algorithms such as HMAC or Poly1305 can assure the integrity and authenticity of the ∆encn i approach.

Conclusions
The paradigm shift from constant to one-time keys is an interesting direction in the development of secure applications and services. Such an approach can potentially solve many problems regarding recovery following a system being compromised and resistance against side channel attacks. However, the case of RSA-OTP shows that exact RSA-OTP moduli delta values exchanged via insecure channels can be totally compromised, invalidating their classification as an OTP element. This is caused by the particular nature of those values: they are products of relatively large prime numbers which have no small divisors. Fortunately, despite the success of the small prime divisors attack, basic encryption via XORing consecutive differential values should prove to be a sufficient countermeasure.

Conflicts of Interest:
The authors declare no conflict of interest.