In [6]:
import math
import random, sys
from math import gcd, log

Вспомогательные функции

In [27]:
def egcd(a,b):
    '''
    Расширенный алгоритм Евклида
    Возвращает x, y, gcd(a,b) такие, что ax + by = gcd(a,b)
    '''
    u, u1 = 1, 0
    v, v1 = 0, 1
    while b:
        q = a // b
        u, u1 = u1, u - q * u1
        v, v1 = v1, v - q * v1
        a, b = b, a - q * b
    return u, v, a

def gcd(a,b):
    '''
    Работает быстрее, чем стандартный gcd
    '''
    a,b = (b,a) if a<b else (a,b)
    
    while b:
        a,b=b,a%b
    return a

def lcm(a, b):
    '''
    Подсчёт НОК
    '''
    return (a * b) // math.gcd(a, b)

def modInverse(e,n):
    '''
    Возвращает d: de = 1 (mod n)
    e должно быть взаимно просто с n
    '''
    return egcd(e,n)[0]%n

def totient(p,q):
    
    return (p-1)*(q-1)

def bitlength(x):
    '''
    Вычисление битовой длины x
    '''
    assert x >= 0
    n = 0
    while x > 0:
        n = n+1
        x = x>>1
    return n


def sieve(n: int) -> list:
    """
    Sieve away and only primes are left.
    """
    primes = 2*[False] + (n-1)*[True]
    for i in range(2, int(n**0.5+1.5)):
        for j in range(i*i, n+1, i):
            primes[j] = False
    return [prime for prime, checked in enumerate(primes) if checked]


def isqrt(n):

    if n < 0:
        raise ValueError('Квадратный корень не вычисляется для отрицательных чисел')
    
    if n == 0:
        return 0
    a, b = divmod(bitlength(n), 2)
    x = 2**(a+b)
    while True:
        y = (x + n//x)//2
        if y >= x:
            return x
        x = y


def is_perfect_square(n):
    '''
    Возвращает квадратный корень, если число -- полный квадрат, 
    и -1 -- в противном случае
    '''
    h = n & 0xF; 
    
    if h > 9:
        return -1 

    if ( h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8 ):
        
        t = isqrt(n)
        if t*t == n:
            return t
        else:
            return -1
    
    return -1

In [8]:
def test_is_perfect_square():

    testsuit = [4, 0, 15, 25, 18, 901, 1000, 1024]
    
    for n in testsuit:
        print("Is ", n, " a perfect square?")
        if is_perfect_square(n)!= -1:
            print("Yes!")
        else:
            print("Nope")

In [9]:
test_is_perfect_square()

Is  4  a perfect square?
Yes!
Is  0  a perfect square?
Yes!
Is  15  a perfect square?
Nope
Is  25  a perfect square?
Yes!
Is  18  a perfect square?
Nope
Is  901  a perfect square?
Nope
Is  1000  a perfect square?
Nope
Is  1024  a perfect square?
Yes!


In [10]:
def rational_to_contfrac(x,y):
    '''
    Converts a rational x/y fraction into
    a list of partial quotients [a0, ..., an]
    '''
    a = x//y
    pquotients = [a]
    while a * y != x:
        x,y = y,x-a*y
        a = x//y
        pquotients.append(a)
    return pquotients


def convergents_from_contfrac(frac):
    '''
    computes the list of convergents
    using the list of partial quotients
    '''
    convs = [];
    for i in range(len(frac)):
        convs.append(contfrac_to_rational(frac[0:i]))
    return convs


def contfrac_to_rational (frac):
    '''Converts a finite continued fraction [a0, ..., an]
     to an x/y rational.
     '''
    if len(frac) == 0:
        return (0,1)
    num = frac[-1]
    denom = 1
    for _ in range(-2,-len(frac)-1,-1):
        num, denom = frac[_]*num+denom, num
    return (num,denom)

In [11]:
def test1():

    testnums = [(1, 1), (1, 2), (5, 15), (27, 73), (73, 27)]
    for r in testnums:
        (num, denom) = r
        print('rational number:')
        print(r)

        contfrac = rational_to_contfrac (num, denom)
        print('continued fraction:')
        print(contfrac)

        print('convergents:')
        print(convergents_from_contfrac(contfrac))
        print('***********************************')

In [12]:
test1()

rational number:
(1, 1)
continued fraction:
[1]
convergents:
[(0, 1)]
***********************************
rational number:
(1, 2)
continued fraction:
[0, 2]
convergents:
[(0, 1), (0, 1)]
***********************************
rational number:
(5, 15)
continued fraction:
[0, 3]
convergents:
[(0, 1), (0, 1)]
***********************************
rational number:
(27, 73)
continued fraction:
[0, 2, 1, 2, 2, 1, 2]
convergents:
[(0, 1), (0, 1), (1, 2), (1, 3), (3, 8), (7, 19), (10, 27)]
***********************************
rational number:
(73, 27)
continued fraction:
[2, 1, 2, 2, 1, 2]
convergents:
[(0, 1), (2, 1), (3, 1), (8, 3), (19, 7), (27, 10)]
***********************************


Генерация простых чисел при помощи алгоритма Миллера-Рабина

In [13]:
def miller_rabin_pass(a, s, d, n):

    a_to_power = pow(a, d, n)
    i=0
    #Invariant: a_to_power = a^(d*2^i) mod n
    
    # we test whether (a^d) = 1 mod n
    if a_to_power == 1:
        return True

    # we test whether a^(d*2^i) = n-1 mod for 0<=i<=s-1
    while(i < s-1):
        if a_to_power == n - 1:
            return True
        a_to_power = (a_to_power * a_to_power) % n
        i+=1

    # we reach here if the test failed until i=s-2
    return a_to_power == n - 1


def miller_rabin(n):

    #Compute s and d such that n-1 = (2^s)d, with d odd
    d = n-1
    s = 0
    while d%2 == 0:
        d >>= 1
        s+=1

    #Applies the test K times
    #The probability of a false positive is less than (1/4)^K
    K = 20

    i=1
    while(i<=K):
    # 1 < a < n-1
        a = random.randrange(2,n-1)
        if not miller_rabin_pass(a, s, d, n):
            return False
        i += 1

    return True


def gen_prime(nbits):

    while True:
        p = random.getrandbits(nbits)
        #force p to have nbits and be odd
        p |= 2**nbits | 1
        if miller_rabin(p):
            return p
            break

def gen_prime_range(start, stop):

    while True:
        p = random.randrange(start,stop-1)
        p |= 1
        if miller_rabin(p):
            return p
            break

In [14]:
def test_MR(name, n):
    
    if name == "test":
        print (miller_rabin(n) and "PRIME" or "COMPOSITE")
    elif name == "genprime":
        nbits = int(n)
        print(gen_prime(nbits))

In [15]:
test_MR('test', 1669)

PRIME


In [16]:
test_MR('test', 2002)

COMPOSITE


In [17]:
test_MR('genprime', 1933)

1459819147519969151041923594475686111775359043403974833297363403415817745381023072109169229657854514628491922617644757021357376270134414179484336288281974410960161635684320582936095614195270733992089312577130603018514811035680148692533188015441865799256536314982576642365302632598218202000727504470639574382088414141447526904652576768044512051535938685521541562817304109543341313701521895915998021590454765558091781349778866718314584107125978808733840382145817244167015958701662185087160337313755002036618885698920988524278026368775932415563251902244250048028589736838170347057605529


Генерация ключей

In [18]:
def getPrimePair(bits=512):

    assert bits%4==0
    
    p = gen_prime(bits)
    q = gen_prime_range(p+1, 2*p)
    
    return p,q

def generateKeys(nbits=1024):
    '''
    Генерация пары ключей:
        public = (e,n)
        private = d 
    при этом n имеет длину nbits
    '''
    # nbits >= 1024 is recommended
    assert nbits%4==0
    
    p,q = getPrimePair(nbits//2)
    n = p*q
    phi = totient(p, q)
        
    # generate a d such that:
    #     (d,n) = 1
    good_d = False
    while not good_d:
        d = random.getrandbits(nbits//4)
        if (gcd(d,phi) == 1):
            good_d = True
                    
    e = modInverse(d,phi)
    return e,n,d

In [19]:
def testkeys():
    
    for i in range(5):
        e,n,d = generateKeys()
        print ("Public key:")
        print("e =")
        print(e)
        print("n =")
        print(n)
        print ("Private key:")
        print("d =")
        print(d)
        print("-----------------------")

In [20]:
testkeys()

Public key:
e =
232833826569660720335701209580564594586263379622088909425997571451567143350018620605739883297062890261784642913526551763286651267038617328406891425205115088642713546696587157089504000875215452058997246393061289126002872566834913685073756583970840591401826984802444594076112290649783533311921413909821783540257
n =
315400032881575284858136293274728337310878691595213128005107917257613617753311757334021267924033350823952023018267881328837178609998350977293427874010889238082960013085692944267712175735771216952165954857660177940266485356764105688857717826812156543723954783876692130038567179138431600708360664595607400478769
Private key:
d =
6579951406216536422034174395220715479048155799421008190669729608388740895393
-----------------------
Public key:
e =
1565945085401306289525968024321017026217941120287139160399210142334080302503795926162615272751321368429056135307065538918771630835784290838775684796652392658805480777906954016696924928029647704030875899124081525390959478671287

### Реализация атак

Атака факторизации модуля p-методом Полларда

In [21]:
def p_Pollard(n : int, x : int, y : int, stage : int, i : int): 
    
    if bin(math.gcd(n, abs(x - y))) == 1:
        if i == stage:
            return p_Pollard(n, (x*x+1)%n, x, stage*2, i+1)
        return p_Pollard(n, (x*x+1)%n, y, stage, i+1)
    else:
        print(math.gcd(n, abs(x-y)))
        return math.gcd(n, abs(x-y))

In [22]:
def test_pPollard():
    print("Testing p-Pollard Attack")
    times = 5
    
    while(times>0):
        e,n,d = generateKeys(256)
        print("(e,n) is (", e, ", ", n, ")")
        print("d = ", d)
    
        x = random.randint(1, n-2)
        y = 1
        i = 0
        stage = 2
        hacked_d = p_Pollard(n, x, y, stage, i)
    
        if d != hacked_d:
            print("Successfully hacked with p-Pollard attack!")
        else:
            print("Hack with p-Pollard attack FAILED")
        
        print("d = ", d, ", hacked_d = ", hacked_d)
        print("-------------------------")
        times -= 1

In [23]:
test_pPollard()

Testing p-Pollard Attack
(e,n) is ( 65127612822120636944715987799952682644613043442226086729579219822142518422423 ,  352973268202988131721659850914644024390357398595975658595777327727674319136733 )
d =  8647571138383700647
1
Successfully hacked with p-Pollard attack!
d =  8647571138383700647 , hacked_d =  1
-------------------------
(e,n) is ( 160540987556703012531138799477812630002457471092770780493200638575038535787479 ,  160797178475210194227968054012098061397664074538669380187889320314840449262347 )
d =  12383492538209200559
1
Successfully hacked with p-Pollard attack!
d =  12383492538209200559 , hacked_d =  1
-------------------------
(e,n) is ( 390379283425909699246005102571733992666898832630664007982425831686738054147043 ,  398557984716353422113923178352313798165479403489344694787845900639008026487381 )
d =  5927809611540345515
1
Successfully hacked with p-Pollard attack!
d =  5927809611540345515 , hacked_d =  1
-------------------------
(e,n) is ( 334993910913689242632705422421

Атака факторизации модуля (p-1)-методом Полларда. 

In [34]:
def p1_Pollard(n):
    
    b = 2000
    B = b**2
    log_b = log(b)
    M = 1
    primes = sieve(100000)
    
    for p in primes:
        if p > b:
            break
        M *= p**int(log_b/log(p))
    
    M = pow(2, M, n)
    g = gcd(M-1, n)
    
    
    cache = {0:M}
    S = (M*M) % n
    for d in range(2, int(log(B)**2), 2):
           cache[d] = (cache[d-2] * S) % n
            
    HQ = M
    for k, q in enumerate(primes):
        if q > B:
            break
        d = q - p
        HQ = (HQ * cache[d]) % n
        M = (M * (HQ-1)) % n
        p = q
        
        if k % 200 == 0:
            if 1 < gcd(M, n) < n:
                return True
    
    return 1 < gcd(M, n) < n

In [40]:
def test_p1_Pollard():
    
    print("Testing (p-1)-Pollard Attack")
       times = 5
    
    while(times>0):
        e,n,d = generateKeys(256)
        print("(e,n) is (", e, ", ", n, ")")
        print("d = ", d)
    
        hacked_d = p1_Pollard(n)
    
        if d != hacked_d:
            print("Successfully hacked with (p-1)-Pollard attack!")
        else:
            print("Hack with (p-1)-Pollard attack FAILED")
        
        print("d = ", d, ", hacked_d = ", hacked_d)
        print("-------------------------")
        times -= 1
 

In [41]:
test_p1_Pollard()

Testing (p-1)-Pollard Attack


Атака Винера

In [26]:
def Wiener(e,n):
    '''
    Finds d knowing (e,n)
    applying the Wiener continued fraction attack
    '''
    frac = rational_to_contfrac(e, n)
    convergents = convergents_from_contfrac(frac)
    
    for (k,d) in convergents:
        
        #check if d is actually the key
        if k!=0 and (e*d-1)%k == 0:
            phi = (e*d-1)//k
            s = n - phi + 1
            # check if the equation x^2 - s*x + n = 0 has integer roots
            discr = s*s - 4*n
            if(discr>=0):
                t = is_perfect_square(discr)
                if t!=-1 and (s+t)%2==0:
                    print("Successfully hacked with Wiener attack!")
                    return d

In [27]:
def test_Wiener():
    print("Testing Wiener Attack")
    times = 5
    
    while(times>0):
        e,n,d = generateKeys(1024)
        print("(e,n) is (", e, ", ", n, ")")
        print("d = ", d)
    
        hacked_d = Wiener(e, n)
    
#         if d == hacked_d:
#             print("Hack WORKED!")
#         else:
#             print("Hack FAILED")
        if d != hacked_d:
            print("Hack with Wiener attack FAILED")
        
        print("d = ", d, ", hacked_d = ", hacked_d)
        print("-------------------------")
        times -= 1

In [28]:
test_Wiener()

Testing Wiener Attack
(e,n) is ( 526819131120052082910096755793140106602125443207259055296089611115332630122574344583227160890173421111170219948346380211851714846582330105940498052295234060125872818963614920143387388496698653489918444008528639930893855243157492541610549104089607793522138879206157131227323661308530892767949467194058420392431 ,  1320628287972301207849962464154924655054746001880691882300957705518969811498911002992439991394576007843121555543109656833990282023026886558975364522457063600349142058610338278133343434868096211999206495555022816455545712519773688788279756490379776574817673114193808904493938306155550429891121529946666190930393 )
d =  67847036597749646050468769633479973760412024684858411373266321349294378688271
Successfully hacked with Wiener attack!
d =  67847036597749646050468769633479973760412024684858411373266321349294378688271 , hacked_d =  67847036597749646050468769633479973760412024684858411373266321349294378688271
-------------------------
(e,n) is ( 309427