Introduction

Python implementations of cryptographic attacks and utilities.

Requirements

• SageMath with Python 3.9
• PyCryptodome

You can check your SageMath Python version using the following command:

$ sage -python --version
Python 3.9.0

If your SageMath Python version is older than 3.9.0, some features in some scripts might not work.

Usage

Unit tests are located in the test directory and can be executed using the unittest module or using pytest. This should not take very long, perhaps a few minutes depending on your machine.

To run a specific attack, you must add the code to the proper file before executing it.

Example

For example, you want to attack RSA using the Boneh-Durfee attack, with the following parameters (taken from test_rsa.py):

N = 88320836926176610260238895174120738360949322009576866758081671082752401596826820274141832913391890604999466444724537056453777218596634375604879123818123658076245218807184443147162102569631427096787406420042132112746340310992380094474893565028303466135529032341382899333117011402408049370805729286122880037249
e = 36224751658507610673165956970793195381480143363550601971796688201449789736497322700382657163240771111376677180786660893671085854060092736865293791299460933460067267613023891500397200389824179925263846148644777638774319680682025117466596019474987378275216579013846855328009375540444176771945272078755317168511

You add the following code at the bottom of the boneh_durfee.py file:

import logging

# Some logging so we can see what's happening.
logging.basicConfig(level=logging.DEBUG)

N = 88320836926176610260238895174120738360949322009576866758081671082752401596826820274141832913391890604999466444724537056453777218596634375604879123818123658076245218807184443147162102569631427096787406420042132112746340310992380094474893565028303466135529032341382899333117011402408049370805729286122880037249
e = 36224751658507610673165956970793195381480143363550601971796688201449789736497322700382657163240771111376677180786660893671085854060092736865293791299460933460067267613023891500397200389824179925263846148644777638774319680682025117466596019474987378275216579013846855328009375540444176771945272078755317168511
p_bits = 512
delta = 0.26

p, q = attack(N, e, p_bits, delta=delta)
assert p * q == N
print(f"Found p = {p} and q = {q}")

Then you can simply execute the file using Sage. It does not matter where you execute it from, the Python path is automagically set:

[crypto-attacks]$ sage -python attacks/rsa/boneh_durfee.py
INFO:root:Trying m = 1, t = 0...
DEBUG:root:Generating shifts...
DEBUG:root:Filling the lattice (3 x 3)...
DEBUG:root:Executing the LLL algorithm...
DEBUG:root:Reconstructing polynomials...
DEBUG:root:Polynomial at row 0 is constant, ignoring...
DEBUG:root:Reconstructed 2 polynomials
DEBUG:root:Using Groebner basis method to find roots...
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
INFO:root:Trying m = 2, t = 0...
DEBUG:root:Generating shifts...
DEBUG:root:Filling the lattice (6 x 6)...
DEBUG:root:Executing the LLL algorithm...
DEBUG:root:Reconstructing polynomials...
DEBUG:root:Polynomial at row 0 is constant, ignoring...
DEBUG:root:Reconstructed 5 polynomials
DEBUG:root:Using Groebner basis method to find roots...
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
INFO:root:Trying m = 3, t = 1...
DEBUG:root:Generating shifts...
DEBUG:root:Filling the lattice (11 x 11)...
DEBUG:root:Executing the LLL algorithm...
DEBUG:root:Reconstructing polynomials...
DEBUG:root:Polynomial at row 8 is constant, ignoring...
DEBUG:root:Reconstructed 10 polynomials
DEBUG:root:Using Groebner basis method to find roots...
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 2
Found p = 7866790440964395011005623971351568677139336343167390105188826934257986271072664643571727955882500173182140478082778193338086048035817634545367411924942763 and q = 11227048386374621771175649743442169526805922745751610531569607663416378302561807690656370394330458335919244239976798600743588701676542461805061598571009923

You can also call the attacks from other Python files, but then you'll have to fix the Python path yourself.

Implemented attacks

Approximate Common Divisor

• Multivariate polynomial attack ¹
• Orthogonal based attack ²
• Simultaneous Diophantine approximation attack ³

CBC

• Bit flipping attack
• IV recovery attack
• Padding oracle attack

CBC + CBC-MAC

• Key reuse attack (encrypt-and-MAC)
• Key reuse attack (encrypt-then-MAC)
• Key reuse attack (MAC-then-encrypt)

CBC-MAC

• Length extension attack

CTR

• Bit flipping attack
• CRIME attack
• Separator oracle attack

ECB

• Plaintext recovery attack
• Plaintext recovery attack (harder variant)
• Plaintext recovery attack (hardest variant)

Elliptic Curve Cryptography

• ECDSA nonce reuse attack
• Frey-Ruck attack ⁴
• MOV attack ⁵
• Parameter recovery
• Singular curve attack
• Smart's attack ⁶

ElGamal Encryption

• Nonce reuse attack
• Unsafe generator attack

ElgGamal Signature

• Bleichenbacher's attack
• Khadir's attack
• Nonce reuse attack

Factorization

• Base conversion factorization
• Branch and prune attack ⁷
• Complex multiplication (elliptic curve) factorization ⁸
• Coppersmith factorization
• Fermat factorization
• Ghafar-Ariffin-Asbullah attack ⁹
• Implicit factorization ¹⁰
• Known phi factorization ¹¹
• ROCA ¹²
• Shor's algorithm (classical) ¹³
• Twin primes factorization
• Factorization of unbalanced moduli ¹⁴

GCM

• Forbidden attack ¹⁵

Hidden Number Problem

• Extended hidden number problem ¹⁶
• Fourier analysis attack
• Lattice-based attack

IGE

• Padding oracle attack

Knapsack Cryptosystems

• Low density attack ¹⁷

Linear Congruential Generators

• LCG parameter recovery
• Truncated LCG parameter recovery ¹⁸
• Truncated LCG state recovery ¹⁹

Learning With Errors

• Arora-Ge attack ²⁰
• Blum-Kalai-Wasserman attack
• Lattice reduction attack

Mersenne Twister

• State recovery

One-time Pad

• Key reuse

Pseudoprimes

• Generating Miller-Rabin pseudoprimes ²¹

RC4

• Fluhrer-Mantin-Shamir attack

RSA

• Bleichenbacher's attack ²²
• Bleichenbacher's signature forgery attack
• Boneh-Durfee attack ²³
• Common modulus attack
• CRT fault attack
• Extended Wiener's attack ²⁴
• Hastad's broadcast attack
• Known CRT exponents attack ²⁵
• Known private exponent attack
• Low public exponent attack
• LSB oracle (parity oracle) attack
• Manger's attack ²⁶
• Nitaj's CRT-RSA attack ²⁷
• Non coprime public exponent attack ²⁸
• Partial key exposure ^{29 30 31}
• Related message attack
• Stereotyped message attack
• Wiener's attack
• Wiener's attack for Common Prime RSA ³²
• Wiener's attack (Heuristic lattice variant) ³³

Shamir's Secret Sharing

• Deterministic coefficients
• Share forgery

Other interesting implementations

• Adleman-Manders-Miller root extraction method ³⁴
• Fast CRT using divide-and-conquer
• Fast modular inverses
• Linear Hensel lifting
• Quadratic Hensel lifting
• Babai's Nearest Plane Algorithm
• Matrix discrete logarithm
• Matrix discrete logarithm (equation)
• PartialInteger
• Fast polynomial GCD using half GCD

Elliptic Curve Generation

• Complex multiplication
• Anomalous curves
• MNT curves
• Prescribed order
• Prescribed trace
• Supersingular curves

Small Roots

• Polynomial roots using Groebner bases
• Polynomial roots using resultants
• Polynomial roots using Sage variety (triangular decomposition)
• Blomer-May method ³⁵
• Boneh-Durfee method ²³
• Coron method ³⁶
• Coron method (direct) ³⁷
• Ernst et al. methods ³⁰
• Herrmann-May method (unravelled linearization) ³⁸
• Herrmann-May method (modular multivariate) ³⁹
• Howgrave-Graham method ⁴⁰
• Jochemsz-May method (modular roots) ⁴¹
• Jochemsz-May method (integer roots) ⁴²
• Nitaj-Fouotsa method ⁴³

Footnotes

1. Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 5) ↩

2. Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 4) ↩

3. Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 3) ↩

4. Harasawa R. et al., "Comparing the MOV and FR Reductions in Elliptic Curve Cryptography" (Section 3) ↩

5. Harasawa R. et al., "Comparing the MOV and FR Reductions in Elliptic Curve Cryptography" (Section 2) ↩

6. Smart N. P., "The discrete logarithm problem on elliptic curves of trace one" ↩

7. Heninger N., Shacham H., "Reconstructing RSA Private Keys from Random Key Bits" ↩

8. Sedlacek V. et al., "I want to break square-free: The 4p - 1 factorization method and its RSA backdoor viability" ↩

9. Ghafar AHA. et al., "A New LSB Attack on Special-Structured RSA Primes" ↩

10. Nitaj A., Ariffin MRK., "Implicit factorization of unbalanced RSA moduli" ↩

11. Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3) ↩

12. Nemec M. et al., "The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli" ↩

13. M. Johnston A., "Shor’s Algorithm and Factoring: Don’t Throw Away the Odd Orders" ↩

14. Brier E. et al., "Factoring Unbalanced Moduli with Known Bits" (Section 4) ↩

15. Joux A., "Authentication Failures in NIST version of GCM" ↩

16. Hlavac M., Rosa T., "Extended Hidden Number Problem and Its Cryptanalytic Applications" (Section 4) ↩

17. Coster M. J. et al., "Improved low-density subset sum algorithms" ↩

18. Contini S., Shparlinski I. E., "On Stern's Attack Against Secret Truncated Linear Congruential Generators" ↩

19. Frieze, A. et al., "Reconstructing Truncated Integer Variables Satisfying Linear Congruences" ↩

20. "The Learning with Errors Problem: Algorithms" (Section 1) ↩

21. R. Albrecht M. et al., "Prime and Prejudice: Primality Testing Under Adversarial Conditions" ↩

22. Bleichenbacher D., "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1" ↩

23. Boneh D., Durfee G., "Cryptanalysis of RSA with Private Key d Less than N^0.292" ↩ ↩²

24. Dujella A., "Continued fractions and RSA with small secret exponent" ↩

25. Campagna M., Sethi A., "Key Recovery Method for CRT Implementation of RSA" ↩

26. Manger J., "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0" ↩

27. Nitaj A., "A new attack on RSA and CRT-RSA" ↩

28. Shumow D., "Incorrectly Generated RSA Keys: How To Recover Lost Plaintexts" ↩

29. Boneh D., Durfee G., Frankel Y., "An Attack on RSA Given a Small Fraction of the Private Key Bits" ↩

30. Ernst M. et al., "Partial Key Exposure Attacks on RSA Up to Full Size Exponents" ↩ ↩²

31. Blomer J., May A., "New Partial Key Exposure Attacks on RSA" ↩

32. Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 5) ↩

33. Nguyen P. Q., "Public-Key Cryptanalysis" ↩

34. Cao Z. et al., "Adleman-Manders-Miller Root Extraction Method Revisited" (Section 5) ↩

35. Blomer J., May A., "New Partial Key Exposure Attacks on RSA" (Section 6) ↩

36. Coron J., "Finding Small Roots of Bivariate Polynomial Equations Revisited" ↩

37. Coron J., "Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach" ↩

38. Herrmann M., May A., "Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA" ↩

39. Herrmann M., May A., "Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits" (Section 3 and 4) ↩

40. May A., "New RSA Vulnerabilities Using Lattice Reduction Methods" (Section 3.2) ↩

41. Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 2.1) ↩

42. Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 2.2) ↩

43. Nitaj A., Fouotsa E., "A New Attack on RSA and Demytko's Elliptic Curve Cryptosystem" ↩