Python implementations of cryptographic attacks and utilities.
 SageMath with Python 3.9
 PyCryptodome
You can check your SageMath Python version using the following command:
$ sage python version
Python 3.9.0
If your SageMath Python version is older than 3.9.0, some features in some scripts might not work.
Unit tests are located in the test
directory and can be executed using the unittest
module or using pytest
. This should not take very long, perhaps a few minutes depending on your machine.
To run a specific attack, you must add the code to the proper file before executing it.
For example, you want to attack RSA using the BonehDurfee attack, with the following parameters (taken from test_rsa.py):
N = 88320836926176610260238895174120738360949322009576866758081671082752401596826820274141832913391890604999466444724537056453777218596634375604879123818123658076245218807184443147162102569631427096787406420042132112746340310992380094474893565028303466135529032341382899333117011402408049370805729286122880037249
e = 36224751658507610673165956970793195381480143363550601971796688201449789736497322700382657163240771111376677180786660893671085854060092736865293791299460933460067267613023891500397200389824179925263846148644777638774319680682025117466596019474987378275216579013846855328009375540444176771945272078755317168511
You add the following code at the bottom of the boneh_durfee.py file:
import logging
# Some logging so we can see what's happening.
logging.basicConfig(level=logging.DEBUG)
N = 88320836926176610260238895174120738360949322009576866758081671082752401596826820274141832913391890604999466444724537056453777218596634375604879123818123658076245218807184443147162102569631427096787406420042132112746340310992380094474893565028303466135529032341382899333117011402408049370805729286122880037249
e = 36224751658507610673165956970793195381480143363550601971796688201449789736497322700382657163240771111376677180786660893671085854060092736865293791299460933460067267613023891500397200389824179925263846148644777638774319680682025117466596019474987378275216579013846855328009375540444176771945272078755317168511
p_bits = 512
delta = 0.26
p, q = attack(N, e, p_bits, delta=delta, m=3)
assert p * q == N
print(f"Found {p = } and {q = }")
Then you can simply execute the file using Sage. It does not matter where you execute it from, the Python path is automagically set (you can also call the attacks from other Python files, but then you'll have to fix the Python path yourself):
[cryptoattacks]$ sage python attacks/rsa/boneh_durfee.py
INFO:root:Trying m = 3, t = 1...
DEBUG:root:Generating shifts...
DEBUG:root:Creating a lattice with 11 shifts (order = 'invlex', sort_shifts_reverse = False, sort_monomials_reverse = False)...
DEBUG:root:Reducing a 11 x 11 lattice...
DEBUG:root:Reconstructing polynomials (divide_original = True, modulus_bound = False, divide_gcd = True)...
DEBUG:root:Polynomial at row 8 is constant, ignoring...
DEBUG:root:Reconstructed polynomial has gcd 1312232632720549890113031660369306919929075823824696839212183146130434668203517349691252841557097914064120078389640402109017308806168467714230057403815071456395553717020189622129706447677967264344568789118172311850383406340547579993263937406518074980025897726255316031512238322022839331135299265704052474541497687419350763703993630899191179705015113329644753599872380152055902238937889027950089072598069861391599563222633064848996619752054685734260976071760984100109990150069201501748622288840900421607423175114026653242500476408861976142751384898489130281755466581359057847077651502734556259387442296763474369957121 with polynomial at 8, dividing...
DEBUG:root:Reconstructed 10 polynomials
DEBUG:root:Computing pairwise gcds to find trivial roots...
DEBUG:root:Using Groebner basis method to find roots...
DEBUG:root:Sequence length: 10, Groebner basis length: 1
DEBUG:root:Sequence length: 9, Groebner basis length: 1
DEBUG:root:Sequence length: 8, Groebner basis length: 1
DEBUG:root:Sequence length: 7, Groebner basis length: 2
DEBUG:root:Found Groebner basis with length 2, trying to find roots...
Found p = 7866790440964395011005623971351568677139336343167390105188826934257986271072664643571727955882500173182140478082778193338086048035817634545367411924942763 and q = 11227048386374621771175649743442169526805922745751610531569607663416378302561807690656370394330458335919244239976798600743588701676542461805061598571009923
The parameters m
and t
as shown in the output log deserve special attention. These parameters are used in many latticebased (small roots) algorithms to tune the lattice size. Conceptually, m
(sometimes called k
) and t
represent the number of "shifts" used in the lattice, which is roughly equal or proportional to the number of rows. Therefore, increasing m
and t
will increase the size of the lattice, which also increases the time required to perform lattice reduction (currently using LLL). On the other hand, if m
and t
are too low, it is possible that the lattice reduction will not result in appropriate vectors, therefore wasting the time spent reducing. Hence, this is a tradeoff.
In the current version of the project, m
must always be provided by the user (the default value is set to 1
). t
can, in some cases, be computed based on the specific small roots method used by the attack. However it can still be tweaked by the user. In general, there are two ways to use these kinds of parameters:
 Implement a loop which starts at
m = 1
until an answer is found (example below). This is a simple approach, but risks wasting time on futile computations with too small lattices.
m = 1
while True:
res = attack(..., m=m)
if res is not None:
# The attack succeeded!
break
m += 1
 Implement a debug version of the attack you're trying to use (with known results), and determine the
m
value which results in good lattice vectors. Then directly call the attack method with the correctm
value.
 Multivariate polynomial attack ^{1}
 Orthogonal based attack ^{2}
 Simultaneous Diophantine approximation attack ^{3}
 Key reuse attack (encryptandMAC)
 Key reuse attack (encryptthenMAC)
 Key reuse attack (MACthenencrypt)
 Plaintext recovery attack
 Plaintext recovery attack (harder variant)
 Plaintext recovery attack (hardest variant)
 ECDSA nonce reuse attack
 FreyRuck attack ^{4}
 MOV attack ^{5}
 Parameter recovery
 Singular curve attack
 Smart's attack ^{6}
 Bleichenbacher's attack
 Khadir's attack
 Nonce reuse attack
 Base conversion factorization
 Branch and prune attack ^{7}
 Complex multiplication (elliptic curve) factorization ^{8}
 Coppersmith factorization
 Fermat factorization
 GhafarAriffinAsbullah attack ^{9}
 Implicit factorization ^{10}
 Known phi factorization ^{11}
 ROCA ^{12}
 Shor's algorithm (classical) ^{13}
 Twin primes factorization
 Factorization of unbalanced moduli ^{14}
 Forbidden attack ^{15}
Hidden Number Problem
With applications to partial (EC)DSA nonce exposure.
 Extended hidden number problem ^{16}
 Fourier analysis attack
 Latticebased attack
 Low density attack ^{17}
 AroraGe attack ^{20}
 BlumKalaiWasserman attack
 Lattice reduction attack
 Bleichenbacher's attack ^{22}
 Bleichenbacher's signature forgery attack
 BonehDurfee attack ^{23}
 CherkaouiSemmouni's attack ^{24}
 Common modulus attack
 CRT fault attack
 d fault attack
 DesmedtOdlyzko attack (selective forgery) ^{25}
 Extended Wiener's attack ^{26}
 Hastad's broadcast attack
 Known CRT exponents attack ^{27}
 Partial known CRT exponents attack ^{28}
 Known private exponent attack
 Low public exponent attack
 LSB oracle (parity oracle) attack
 Manger's attack ^{29}
 Nitaj's CRTRSA attack ^{30}
 Non coprime public exponent attack ^{31}
 Partial key exposure ^{32} ^{33} ^{34}
 Related message attack
 Stereotyped message attack
 Wiener's attack
 Wiener's attack for Common Prime RSA ^{35}
 Wiener's attack (Heuristic lattice variant) ^{36} ^{37} ^{38}
 AdlemanMandersMiller root extraction method ^{39}
 Fast CRT using divideandconquer
 Fast modular inverses
 Linear Hensel lifting
 Quadratic Hensel lifting
 Babai's Nearest Plane Algorithm
 Matrix discrete logarithm
 Matrix discrete logarithm (equation)
 PartialInteger
 Fast polynomial GCD using half GCD
 Complex multiplication
 Anomalous curves
 MNT curves
 Prescribed order
 Prescribed trace
 Supersingular curves
 Polynomial roots using Groebner bases
 Polynomial roots using resultants
 Polynomial roots using Sage variety (triangular decomposition)
 Aono method (Minkowski sum lattice) ^{38}
 BlomerMay method ^{40}
 BonehDurfee method ^{23}
 Coron method ^{41}
 Coron method (direct) ^{42}
 Ernst et al. methods ^{33}
 HerrmannMay method (unravelled linearization) ^{43}
 HerrmannMay method (modular multivariate) ^{44}
 HowgraveGraham method ^{45}
 JochemszMay method (modular roots) ^{46}
 JochemszMay method (integer roots) ^{47}
 NitajFouotsa method ^{48}
Footnotes

Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 5) ↩

Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 4) ↩

Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 3) ↩

Harasawa R. et al., "Comparing the MOV and FR Reductions in Elliptic Curve Cryptography" (Section 3) ↩

Harasawa R. et al., "Comparing the MOV and FR Reductions in Elliptic Curve Cryptography" (Section 2) ↩

Smart N. P., "The discrete logarithm problem on elliptic curves of trace one" ↩

Heninger N., Shacham H., "Reconstructing RSA Private Keys from Random Key Bits" ↩

Sedlacek V. et al., "I want to break squarefree: The 4p  1 factorization method and its RSA backdoor viability" ↩

Ghafar AHA. et al., "A New LSB Attack on SpecialStructured RSA Primes" ↩

Nitaj A., Ariffin MRK., "Implicit factorization of unbalanced RSA moduli" ↩

Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multiprime RSA" (Section 3) ↩

Nemec M. et al., "The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli" ↩

M. Johnston A., "Shor’s Algorithm and Factoring: Don’t Throw Away the Odd Orders" ↩

Brier E. et al., "Factoring Unbalanced Moduli with Known Bits" (Section 4) ↩

Joux A., "Authentication Failures in NIST version of GCM" ↩

Hlavac M., Rosa T., "Extended Hidden Number Problem and Its Cryptanalytic Applications" (Section 4) ↩

Coster M. J. et al., "Improved lowdensity subset sum algorithms" ↩

Contini S., Shparlinski I. E., "On Stern's Attack Against Secret Truncated Linear Congruential Generators" ↩

Frieze, A. et al., "Reconstructing Truncated Integer Variables Satisfying Linear Congruences" ↩

"The Learning with Errors Problem: Algorithms" (Section 1) ↩

R. Albrecht M. et al., "Prime and Prejudice: Primality Testing Under Adversarial Conditions" ↩

Bleichenbacher D., "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1" ↩

Boneh D., Durfee G., "Cryptanalysis of RSA with Private Key d Less than N^0.292" ↩ ↩^{2}

CherkaouiSemmouni M. et al., "Cryptanalysis of RSA Variants with Primes Sharing Most Significant Bits" ↩

Coron J. et al., "Practical Cryptanalysis of ISO 97962 and EMV Signatures (Section 3)" ↩

Dujella A., "Continued fractions and RSA with small secret exponent" ↩

Campagna M., Sethi A., "Key Recovery Method for CRT Implementation of RSA" ↩

May A., Nowakowski J., Sarkar S., "Approximate Divisor Multiples  Factoring with Only a Third of the Secret CRTExponents" ↩

Manger J., "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0" ↩

Nitaj A., "A new attack on RSA and CRTRSA" ↩

Shumow D., "Incorrectly Generated RSA Keys: How To Recover Lost Plaintexts" ↩

Boneh D., Durfee G., Frankel Y., "An Attack on RSA Given a Small Fraction of the Private Key Bits" ↩

Ernst M. et al., "Partial Key Exposure Attacks on RSA Up to Full Size Exponents" ↩ ↩^{2}

Blomer J., May A., "New Partial Key Exposure Attacks on RSA" ↩

Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 5) ↩

Nguyen P. Q., "PublicKey Cryptanalysis" ↩

HowgraveGraham N., Seifert J., "Extending Wiener’s Attack in the Presence of Many Decrypting Exponents" ↩

Aono Y., "Minkowski sum based lattice construction for multivariate simultaneous Coppersmith's technique and applications to RSA" (Section 4) ↩ ↩^{2}

Cao Z. et al., "AdlemanMandersMiller Root Extraction Method Revisited" (Section 5) ↩

Blomer J., May A., "New Partial Key Exposure Attacks on RSA" (Section 6) ↩

Coron J., "Finding Small Roots of Bivariate Integer Polynomial Equations Revisited" ↩

Coron J., "Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach" ↩

Herrmann M., May A., "Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA" ↩

Herrmann M., May A., "Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits" (Section 3 and 4) ↩

May A., "New RSA Vulnerabilities Using Lattice Reduction Methods" (Section 3.2) ↩

Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 2.1) ↩

Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 2.2) ↩

Nitaj A., Fouotsa E., "A New Attack on RSA and Demytko's Elliptic Curve Cryptosystem" ↩