22-11-04-RSA
JUST conclude the attacks about RSA.
Make a record for myself.
RSA
Algorithm
- produce large primes
and - calculate
- use Euler’s totient function to get
, in code we usually use or - define
which satisfies the condition that , and the is between 1 and - calculate
and the comes from - encrypt:
- decrypt:
- PUBLICKEY: PU{e, n}
- PRIVATEKEY: PR{p, q, d}
Proof
use the Fermat’s little theorem deduce:
, are relatively-prime
the
, not relatively-prime
preparation:
also Fermat’s little theorem:
based on the properties of con-gruences multiplication property:
substitute the
thus,
proved.
Preparation
- gmpy2
- python3.7+
- pycharm
- sagemath
NC CHALLENGE
Before nc real connection, you need to receive the challenge and make a solution about it.
1 | # 1 |
change sha256/tail and crack xxxx
Or use the connecting function:
1 | # 3 |
MODULUS FACTORIZATION
Or we can call it Original_RSA
.
The main target in RSA problems is to factorize n
to p
and q
.
Here is the code of Original_RSA
which is the basic attack among RSA attacks.
1 | def Original_RSA(p, q, e, c, n): |
BUT HOW TO FACTORIZE THE
It is the significant question. Follows are some solutions that I met.
Factorize
factordb
A database contains many
yafu-x64
The
usage
yafu-x64 factor()
yafu-x64 factor(@) -batchfile [filename] !remember the number saved in file and need a
\n
msieve153
Which is similar to yafu-x64
RSAConverter
Based on CRT.
usage
, convert to hex and delete0x
convert to hex and deletex
fermath factorization
p,q have a little difference
- p or q created by
next_prime()
- find the Reference Substance
n_2
which can be produced byiroot(n, 2)[0]
- p and q are primes, and
- we can get
bynext_prime(n_2)
- and
p = n // q
- find the Reference Substance
- p and q are similar but not neighbors
- also find the
n_2
- with
n_2
as a center, step size 1 and right - if find
and satisfied the condition, and we get the true and
- also find the
1 | # Fermat Factorization 2 |
backdoor
1 | def RSA_Backdoor(n): |
xor factorization
usage
xor_factor.py n x
pollard’s p-1
This part only give the solution.
Detailed introduction needs time to be written.
1 | from primefac import pollard_pm1 |
williams’s p+1
As above.
1 | from primefac import williams_pp1 |
known phi
1 | from math import gcd |
sage
1 | two_squares(n) |
1 | three_squares(n) |
Quadratic Sieve
1 | qsieve() |
find prime factors
- elliptic curve factorize
1 | ecm() |
- just prime factorize
1 | prime_divisors() |
Others
- lenstra elliptic curve factorization
- birthday attack
- ……
SAME MOD
The attack is based on the Homomorphic Encryption and Extended Euclidean Algorithm.
Usually, we have two pairs of
and and both them have the same modulo. *REMEMBER that the encrypted m should be same. *
Use Extended Euclidean Algorithm, the eqution follows:
Based on the Multiplicative homomorphism
, and we can make a conversion.
, are primes
If
, not primes
and are not relatively-prime.
May use Rabin Algorithm
to solve this problem. For another word, the problem converts to the Low_Exponent_e2
problem.
and are relatively-prime.
Thus, just use iroot(m, g)
and we get the true % n
first.
1 | def Same_Mod_RSA(e1, e2, c1, c2, n): |
The code ignores that gcd(
Multiplicative congruence
We use multiplicative congruence to simplify our calculation.
It usually gives us one same modulo
FOR EXAMPLE:
1 | N = |
The deduction is as follows:
The three public keys satisfy
We can get the equation that
Expand it:
1 | …… |
MODULO RELATED
and are relatively-primes When they encrypt the same message
,it exists THE MODULO RELATED ATTACK.
Deduction
Ignore the possibility that
gcd()
, and use division to solve out the
The problem converts to the Original_RSA
.
Solution
1 | def RSA_NPM(n1,n2,e,c1): |
Remember that
LOW EXPONENT
e = 3
or one-to-one function
JUST Bruck.
, means that in code below
1 | def RSA_Low_Exponent_e3(c,e,n): |
and are not relatively-prime
e = 2
Rabin
PART1
Split into two scenarios for discussion:
and are satisfied .
and are different to 1.
PART2 Calculated gmpy2.gcdext()
.
PART3 Solve out four plaintexts.
Thus, we will get four different plaintext, and one of them is the true plaintext.
Here is the complete code:
1 | def RSA_Rabin_e2(c,n,p,q): |
e != 2
If
For example,
Finally, we get the iroot($m^{a}$, a)[0]
to get the final plaintext
1 | # We define phi as N |
AMM
The same
is too large to solve out.
1 | import random |
RSA_LEAKAGE
Leakage_d
Use RSAConverter.
, , hex(), delete0x
, hex(), deletex
Leakage_dp&dq
Dedection and keypoint!
Prepare and make a definition to
After deductions, we can get four significant equations or relations.
And make the equations convert to codes. Here is the main function:
1 | def RSA_Leakage_dp_dq(dp, dq, p, q, c): |
Leakage_dp
basic
Known:
Make full use of the two known equations and deduce the key condition to obtain the final
Substitute (2)
to (1)
:
Assume
If we brute the
1 | def RSA_Leakage_dp(n,e,dp,c): |
dp_extension-1
reference: Larrozo
relate: [2020YCB]Power

1 | def dp_hensel(c, e, dp, p, b): |
dp_extension-2 coppersmith known dp high
Given:
the
Solve: use the coppersmith-high p
dp_extension-3

LARGE
Wiener Attack
original deduction
From the RSA proof, we have a DEFAULT RULE:
If satisfied conditions, we will get the deduced equation:
In cryptography, the
Thus, we can get the final deduction:
continued fraction
Use Extended Euclidean Algorithm, and we will get the equation. Here is the proof-picture:

For the example, we can get the continued fraction that 34/99 -> [0, 2, 1, 10, 3]
.
1 | def continued_fra(x,y): |
gradual fraction
1 | def gradual_fra(cf): |
Veda’s theorem
1 | def solve_pq(a,b,c): |
main Wiener
1 | def RSA_Wiener_Attack(e,n): |
Boneh-Durfee Attack
COPPPERSMITH
high m
1 | # high m |
high p
1 | # high p |
low d
1 | # low d |
crt/broadcast
1 | # crt/broadcast |
Franklin–Reiter related-message attack
1 | n = |
Boneh Burfee Attack
1 | # Boneh Burfee Attack |
Addiction
When we obtain the flag
.
- long_to_bytes()
Long integer converts to bytes.
- ASCII
The beginning of 1
, and it may convert to some invisible characters.
TBC