Python implementations of cryptographic attacks and utilities.
- SageMath with Python 3.9
- PyCryptodome
- Hilbert Class Polynomial database (Only required for complex multiplication)
You can check your SageMath Python version using the following command:
$ sage -python --version
Python 3.9.0
If your SageMath Python version is older than 3.9.0, some features in some scripts might not work.
Unit tests are located in the test
directory and can be executed using the unittest
module or using pytest
. This should not take very long, perhaps a few minutes depending on your machine.
To run a specific attack, you must add the code to the proper file before executing it.
For example, you want to attack RSA using the Boneh-Durfee attack, with the following parameters (taken from test_rsa.py):
N = 88320836926176610260238895174120738360949322009576866758081671082752401596826820274141832913391890604999466444724537056453777218596634375604879123818123658076245218807184443147162102569631427096787406420042132112746340310992380094474893565028303466135529032341382899333117011402408049370805729286122880037249
e = 36224751658507610673165956970793195381480143363550601971796688201449789736497322700382657163240771111376677180786660893671085854060092736865293791299460933460067267613023891500397200389824179925263846148644777638774319680682025117466596019474987378275216579013846855328009375540444176771945272078755317168511
You add the following code at the bottom of the boneh_durfee.py file:
import logging
# Some logging so we can see what's happening.
logging.basicConfig(level=logging.DEBUG)
N = 88320836926176610260238895174120738360949322009576866758081671082752401596826820274141832913391890604999466444724537056453777218596634375604879123818123658076245218807184443147162102569631427096787406420042132112746340310992380094474893565028303466135529032341382899333117011402408049370805729286122880037249
e = 36224751658507610673165956970793195381480143363550601971796688201449789736497322700382657163240771111376677180786660893671085854060092736865293791299460933460067267613023891500397200389824179925263846148644777638774319680682025117466596019474987378275216579013846855328009375540444176771945272078755317168511
p_bits = 512
delta = 0.26
p, q = attack(N, e, p_bits, delta=delta)
assert p * q == N
print(f"Found p = {p} and q = {q}")
Then you can simply execute the file using Sage. It does not matter where you execute it from, the Python path is automagically set:
[crypto-attacks]$ sage -python attacks/rsa/boneh_durfee.py
INFO:root:Trying m = 1, t = 0...
DEBUG:root:Generating shifts...
DEBUG:root:Filling the lattice (3 x 3)...
DEBUG:root:Executing the LLL algorithm...
DEBUG:root:Reconstructing polynomials...
DEBUG:root:Polynomial at row 0 is constant, ignoring...
DEBUG:root:Reconstructed 2 polynomials
DEBUG:root:Using Groebner basis method to find roots...
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
INFO:root:Trying m = 2, t = 0...
DEBUG:root:Generating shifts...
DEBUG:root:Filling the lattice (6 x 6)...
DEBUG:root:Executing the LLL algorithm...
DEBUG:root:Reconstructing polynomials...
DEBUG:root:Polynomial at row 0 is constant, ignoring...
DEBUG:root:Reconstructed 5 polynomials
DEBUG:root:Using Groebner basis method to find roots...
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
INFO:root:Trying m = 3, t = 1...
DEBUG:root:Generating shifts...
DEBUG:root:Filling the lattice (11 x 11)...
DEBUG:root:Executing the LLL algorithm...
DEBUG:root:Reconstructing polynomials...
DEBUG:root:Polynomial at row 8 is constant, ignoring...
DEBUG:root:Reconstructed 10 polynomials
DEBUG:root:Using Groebner basis method to find roots...
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 1
DEBUG:root:Groebner basis length: 2
Found p = 7866790440964395011005623971351568677139336343167390105188826934257986271072664643571727955882500173182140478082778193338086048035817634545367411924942763 and q = 11227048386374621771175649743442169526805922745751610531569607663416378302561807690656370394330458335919244239976798600743588701676542461805061598571009923
You can also call the attacks from other Python files, but then you'll have to fix the Python path yourself.
- Multivariate polynomial attack [More information: Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 5)]
- Orthogonal based attack [More information: Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 4)]
- Simultaneous Diophantine approximation attack [More information: Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 3)]
- Key reuse attack (encrypt-and-MAC)
- Key reuse attack (encrypt-then-MAC)
- Key reuse attack (MAC-then-encrypt)
- Plaintext recovery attack
- Plaintext recovery attack (harder variant)
- Plaintext recovery attack (hardest variant)
- ECDSA nonce reuse attack
- Frey-Ruck attack [More information: Harasawa R. et al., "Comparing the MOV and FR Reductions in Elliptic Curve Cryptography" (Section 3)]
- MOV attack [More information: Harasawa R. et al., "Comparing the MOV and FR Reductions in Elliptic Curve Cryptography" (Section 2)]
- Parameter recovery
- Singular curve attack
- Smart's attack [More information: Smart N. P., "The discrete logarithm problem on elliptic curves of trace one"]
- Bleichenbacher's attack
- Khadir's attack
- Nonce reuse attack
- Base conversion factorization
- Branch and prune attack [More information: Heninger N., Shacham H., "Reconstructing RSA Private Keys from Random Key Bits"]
- Complex multiplication (elliptic curve) factorization [More information: Sedlacek V. et al., "I want to break square-free: The 4p - 1 factorization method and its RSA backdoor viability"]
- Coppersmith factorization
- Fermat factorization
- Ghafar-Ariffin-Asbullah attack [More information: Ghafar AHA. et al., "A New LSB Attack on Special-Structured RSA Primes"]
- Implicit factorization [More information: Nitaj A., Ariffin MRK., "Implicit factorization of unbalanced RSA moduli"]
- Known phi factorization [More information: Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3)]
- ROCA [More information: Nemec M. et al., "The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli"]
- Shor's algorithm (classical) [More information: M. Johnston A., "Shor’s Algorithm and Factoring: Don’t Throw Away the Odd Orders"]
- Twin primes factorization
- Factorization of unbalanced moduli [More information: Brier E. et al., "Factoring Unbalanced Moduli with Known Bits" (Section 4)]
- Forbidden attack [More information: Joux A., "Authentication Failures in NIST version of GCM"]
Hidden Number Problem
- Extended hidden number problem [More information: Hlavac M., Rosa T., "Extended Hidden Number Problem and Its Cryptanalytic Applications" (Section 4)]
- Fourier analysis attack
- Lattice-based attack
- Low density attack [More information: Coster M. J. et al., "Improved low-density subset sum algorithms"]
- LCG parameter recovery
- Truncated LCG parameter recovery [More information: Contini S., Shparlinski I. E., "On Stern's Attack Against Secret Truncated Linear Congruential Generators"]
- Truncated LCG state recovery [More information: Frieze, A. et al., "Reconstructing Truncated Integer Variables Satisfying Linear Congruences"]
- Arora-Ge attack [More information: "The Learning with Errors Problem: Algorithms" (Section 1)]
- Blum-Kalai-Wasserman attack
- Lattice reduction attack
- Generating Miller-Rabin pseudoprimes [More information: R. Albrecht M. et al., "Prime and Prejudice: Primality Testing Under Adversarial Conditions"]
- Bleichenbacher's attack [More information: Bleichenbacher D., "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1"]
- Bleichenbacher's signature forgery attack
- Boneh-Durfee attack [More information: Boneh D., Durfee G., "Cryptanalysis of RSA with Private Key d Less than N^0.292"]
- Common modulus attack
- CRT fault attack
- Extended Wiener's attack [More information: Dujella A., "Continued fractions and RSA with small secret exponent"]
- Hastad's broadcast attack
- Known CRT exponents attack [More information: Campagna M., Sethi A., "Key Recovery Method for CRT Implementation of RSA"]
- Known private exponent attack
- Low public exponent attack
- LSB oracle (parity oracle) attack
- Manger's attack [More information: Manger J., "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0"]
- Nitaj's CRT-RSA attack [More information: Nitaj A., "A new attack on RSA and CRT-RSA"]
- Non coprime public exponent attack [More information: Shumow D., "Incorrectly Generated RSA Keys: How To Recover Lost Plaintexts"]
- Partial key exposure [More information: Boneh D., Durfee G., Frankel Y., "An Attack on RSA Given a Small Fraction of the Private Key Bits", Ernst M. et al., "Partial Key Exposure Attacks on RSA Up to Full Size Exponents", Blomer J., May A., "New Partial Key Exposure Attacks on RSA"]
- Related message attack
- Stereotyped message attack
- Wiener's attack
- Wiener's attack for Common Prime RSA [More information: Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 5)]
- Wiener's attack (Heuristic lattice variant) [More information: Nguyen P. Q., "Public-Key Cryptanalysis"]
- Adleman-Manders-Miller root extraction method [More information: Cao Z. et al., "Adleman-Manders-Miller Root Extraction Method Revisited" (Section 5)]
- Fast CRT using divide-and-conquer
- Linear Hensel lifting
- Quadratic Hensel lifting
- Babai's Nearest Plane Algorithm
- Matrix discrete logarithm
- Matrix discrete logarithm (equation)
- PartialInteger
- Fast polynomial GCD using half GCD
- MNT curves
- Prescribed order
- Prescribed trace
- Supersingular curves
- Polynomial roots using Groebner bases
- Polynomial roots using resultants
- Polynomial roots using Sage variety (triangular decomposition)
- Blomer-May method [More information: Blomer J., May A., "New Partial Key Exposure Attacks on RSA" (Section 6)]
- Boneh-Durfee method [More information: Boneh D., Durfee G., "Cryptanalysis of RSA with Private Key d Less than N^0.292"]
- Coron method [More information: Coron J., "Finding Small Roots of Bivariate Polynomial Equations Revisited"]
- Coron method (direct) [More information: Coron J., "Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach"]
- Ernst et al. methods [More information: Ernst M. et al., "Partial Key Exposure Attacks on RSA Up to Full Size Exponents"]
- Herrmann-May method (unravelled linearization) [More information: Herrmann M., May A., "Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA"]
- Herrmann-May method (modular multivariate) [More information: Herrmann M., May A., "Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits" (Section 3 and 4)]
- Howgrave-Graham method [More information: May A., "New RSA Vulnerabilities Using Lattice Reduction Methods" (Section 3.2)]
- Jochemsz-May method (modular roots) [More information: Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 2.1)]
- Jochemsz-May method (integer roots) [More information: Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 2.2)]
- Nitaj-Fouotsa method [More information: Nitaj A., Fouotsa E., "A New Attack on RSA and Demytko's Elliptic Curve Cryptosystem"]