• Stars
    star
    664
  • Rank 67,903 (Top 2 %)
  • Language
    TeX
  • Created almost 10 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

attacking RSA via lattice reductions (LLL)

Lattice based attacks on RSA

This repo host implementations and explanations of different RSA attacks using lattice reduction techniques (in particular LLL).

First, we'll see how Coppersmith found out that you could use lattice reduction techniques to attack a relaxed model of RSA (we know parts of the message, or we know parts of one of the prime, ...). And how Howgrave-Graham reformulated his attack.

Second we'll see how Boneh and Durfee used a coppersmith-like attack to factor the RSA modulus when the private key is too small (d < N^0.292). Followed by a simplification from Herrman and May.

If you want to use the implementations, see below for explanations on Coppersmith and Boneh-Durfee. If you want to dig deeper you can also read my survey or watch my video.

I've also done some personal researches on the Boneh-Durfee algorithm and they are being used in boneh_durfee.sage by default, just use helpful_only = False to disable the improvements. I talk quantitatively about the improvements here.

The latest research on the subject is:

Coppersmith

I've implemented the work of Coppersmith (to be correct the reformulation of his attack by Howgrave-Graham) in coppersmith.sage.

I've used it in two examples in the code:

Stereotyped messages

For example if you know the most significant bits of the message. You can find the rest of the message with this method.

The usual RSA model is this one: you have a ciphertext c a modulus N and a public exponent e. Find m such that m^e = c mod N.

Now, this is the relaxed model we can solve: you have c = (m + x)^e, you know a part of the message, m, but you don't know x. For example the message is always something like "the password today is: [password]". Coppersmith says that if you are looking for N^1/e of the message it is then a small root and you should be able to find it pretty quickly.

let our polynomial be f(x) = (m + x)^e - c which has a root we want to find modulo N. Here's how to do it with my implementation:

dd = f.degree()
beta = 1
epsilon = beta / 7
mm = ceil(beta**2 / (dd * epsilon))
tt = floor(dd * mm * ((1/beta) - 1))
XX = ceil(N**((beta**2/dd) - epsilon))
roots = coppersmith_howgrave_univariate(f, N, beta, mm, tt, XX)

You can play with the values until it finds the root. The default values should be a good start. If you want to tweak:

  • beta is always 1 in this case.
  • XX is your upper bound on the root. The bigger is the unknown, the bigger XX should be. And the bigger it is... the more time it takes.

Factoring with high bits known

Another case is factoring N knowing high bits of q.

The Factorization problem normally is: give N = pq, find q. In our relaxed model we know an approximation q' of q.

Here's how to do it with my implementation:

let f(x) = x - q' which has a root modulo q

beta = 0.5
dd = f.degree()
epsilon = beta / 7
mm = ceil(beta**2 / (dd * epsilon))
tt = floor(dd * mm * ((1/beta) - 1))
XX = ceil(N**((beta**2/dd) - epsilon)) + 1000000000000000000000000000000000
roots = coppersmith_howgrave_univariate(f, N, beta, mm, tt, XX)

What is important here if you want to find a solution:

  • we should have q >= N^beta
  • as usual XX is the upper bound of the root, so the difference should be: |diff| < X

note: diff = |q-q'|

Boneh Durfee

The implementation of Boneh and Durfee attack (simplified by Herrmann and May) can be found in boneh_durfee.sage.

The attack allows us to break RSA and the private exponent d. Here's why RSA works (where e is the public exponent, phi is euler's totient function, N is the public modulus):

   ed = 1 mod phi(N)
=> ed = k phi(N) + 1 over Z
=> k phi(N) + 1 = 0 mod e
=> k (N + 1 - p - q) + 1 = 0 mod e
=> 2k [(N + 1)/2 + (-p -q)/2] + 1 = 0 mod e

The last equation gives us a bivariate polynomial f(x,y) = 1 + x * (A + y). Finding the roots of this polynomial will allow us to easily compute the private exponent d.

The attack works if the private exponent d is too small compared to the modulus: d < N^0.292.

To use it:

  1. look at the how to use section at the end of the file in boneh_durfee.sage and replace the values according to your problem: the variable delta is your hypothesis on the private exponent d. If you don't have d < N^delta you will not find solutions. Start small (delta = 0.26) and increase slowly (maximum is 0.292)

  2. Run the program. If you get an error: "Try with highers m and t" you should increase m. The more you increase it, the longer the program will need to run. Increase it until you get rid of the error.

  3. If you do not want to increase m (because it takes too long for example) you can try to decrease X because it happens that it is too high compared to the root of the x you are trying to find. This is a last recourse tweak though.

  4. If you still don't find anything for high values of delta, m and t then you can try to do an exhaustive search on d > N^0.292. Good luck!

  5. Once you found solutions for x and y, you can easily insert them into the equation:

e d = x [(N + 1)/2 + y] + 1

The example in the code should be clear enough, there is also a write-up of a CTF challenge using this code.

PS: You can also try to use research.sage. It tries to remove unhelpful vectors when it doesn't break the triangular form of the lattice's basis. It might help you to use a lower m than necessary!

More Repositories

1

Diffie-Hellman_Backdoor

How to backdoor Diffie-Hellman
Python
603
star
2

disco

a protocol to encrypt communications and a cryptographic library based on Disco
Go
203
star
3

eureka

Need to encrypt a file before sending it to someone? This is it.
Go
133
star
4

GoKangarooTwelve

Implementation of KangarooTwelve in Go
Go
94
star
5

disco-c

A tiny C cryptographic library to encrypt sessions, authenticate messages, sign, hash, etc. based only on SHA-3 and Curve25519
C
66
star
6

cargo-dephell

Cargo dephell analyzes the third-party dependencies of a Rust workspace
HTML
47
star
7

crypto_blogs

Blogs about Cryptography/Security to follow
47
star
8

noname

Noname: a programming language to write zkapps
Rust
45
star
9

NoiseGo

An implementation of Noise in Go
Go
42
star
10

SSL-TLS-ECDSA-timing-attack

Timing Attack on TLS' ECDSA signature
TeX
42
star
11

RSA_PKCS1v1_5_attacks

Implementation of Bleichenbacher, Manger and Ben-Or attacks on RSA PKCS#1 v1.5
Python
42
star
12

cargo-specification

The code is the spec
Rust
37
star
13

nodster

Node-webkit + Napster (stream music from Google)
JavaScript
31
star
14

whiteboxDES

a whiteboxed DES implementation based on Chow et al paper
C
30
star
15

StrobeGo

Readable Implementation of Strobe in Go
Go
22
star
16

test_DHparams

test your Diffie-Hellman parameters for safe primes and right sizes
Go
19
star
17

DES

implementation of the DES cipher in C
C
11
star
18

FirefoxTimeTracker

a time tracker to avoid slacking (firefox plugin)
JavaScript
11
star
19

nixbyexample

Learn nix by example
OCaml
11
star
20

cryptobible

Auditing Applied Cryptography
Shell
10
star
21

fromager

Format your damn OCaml code!
OCaml
9
star
22

hexstring

An ocaml library to encode to and decode from hexadecimal strings
OCaml
7
star
23

better-ocaml

A program that parses OCaml errors to display them in a more readable format
Python
6
star
24

wiitop

tournament script for many games (counter strike, warcraft, dota...)
PHP
6
star
25

GoNTL

stuff
Go
5
star
26

blockbreakers

Learn how to break block ciphers
HTML
5
star
27

sumcheck

Implementation of the sum check protocol
Rust
5
star
28

Bool

Bool as options in Golang
Go
4
star
29

randoml

Generate cryptographically-secure random numbers in OCaml
OCaml
4
star
30

disco-formal-verification

Formal Verification of the Disco protocol using Tamarin
3
star
31

disco-whitepaper

TeX
3
star
32

narwhaml

OCaml
3
star
33

siphash

siphash implementation in rust
Rust
2
star
34

democracy_threat_model

A threat model for democracies in general
2
star
35

microcorruption

TeX
1
star
36

trying_to_understand_ocaml_rs

Rust
1
star
37

modena

A machine parsable conlang (constructed language)
HTML
1
star
38

citytrade

trying to write a trading interface for www.citymayor.co
Vue
1
star
39

boite

OCaml
1
star
40

sudoku

1
star
41

xkcp-sys

keccak bindings from rust to C
Rust
1
star
42

UnencryptedWarnings

displays an alert when visiting non-https webpages
1
star
43

mirror-vscode-nix-dev

mirror of https://github.com/jamesottaway/vscode-nix-develop
Nix
1
star
44

unicornator

tool to find cryptography bugs in code
Go
1
star
45

rust-mirai

Github Action to run the MIRAI static analyzer on a rust codebase
TypeScript
1
star
46

dalek-ocaml

bindings to the dalek suite of libraries
Rust
1
star
47

gosphincs

SPHINCS+ in Golanmg
Go
1
star
48

ocamlbyexample

Learn Ocaml by reading code examples
OCaml
1
star