Popping "R-propping"

This repository contains code for replicating the experiments in the 'Popping "R-propping"' paper. The code is written in Sagemath 9.4.

Verifying the implementation of M_k(F_{2^8})

We provide code to verify that our computations in M_k(F_{2^8}) obtain the same results as those in the "R-propping" series of papers. To run the verification, run

sage papers.py

Plaintext-recovery attacks

To run the attacks on the GSDP-related HK17-like encryption scheme, run

sage plaintextrec.py

Use the --warmup flag to run the "warmup" attack against the buggy scheme using coefficient-wise product Use the --same-m-n flag to make alice and bob use the same exponents m and n. Use the --seed flag to change the PRNG seed for the experiments. Use the --verbose flag to see the output of every instance, including the orders of g_0.

Forgery attacks

To run the forgery attacks on the signature scheme, run

sage forgery.py

Use the --seed flag to change the PRNG seed for the experiments. Use the --tries flag to determine how many tries to run for the experiments. Use the --verbose flag to see the output of every instance, including the orders of g_0.

DLP attacks

To run the DLP attacks on the "R-propped" parameters, run

sage dlp.py

Use the --seed flag to change the PRNG seed for the experiments. Use the --tries flag to determine how many tries to run for the experiments. Use the --verbose flag to see the output of every instance, including the orders of g_0.

Extras: reproducing computations from the "R-propping" papers

As part of our work, we implemented the examples given in some of the "R-propping" papers, to check that our implementation matched the original one. The numbers can be generated by running

sage papers.py