newcrypt

Description

Solution

The script generated 4 numbers by:




for i in range(4):
    x = getPrime((1<<10)-random.randint(1<<0,1<<8))
    y = inverse(x,(self.p-1)*(self.q-1)//GCD(self.p-1,self.q-1))
    numbers.append(y)

The vulnerabililty here is that xs' bit length is small compared to n, so lattice-based attack could exploit it.

Howgrave-Graham and Seifert’s Attack had concluded that when given 4 public exponents whose private exponents' bit length is below

δ = 0.441

times the bit length of n, it's likely to factorize n efficiently.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

The bit length of x here is about

\frac{1024 - 128}{2048} = 0.4375

The math

e_{i} d_{i} = 1 + k_{i} \frac{ϕ}{G}

By this relation of e and d, we can have 10 basic equations: (

G

is GCD and

s = n - ϕ

)

W_{i} : G e_{i} d_{i} - k_{i} n = G - k_{i} s

G_{i, j} : k_{i} G e_{j} d_{j} - k_{j} G e_{i} d_{i} = G (k_{i} - k_{j})

The basic idea is using these equations to construct a vector-matrix equation

x B = v

where

B

is an upper triangle matrix and

x = (k_{1} k_{2} k_{3} k_{4}, d_{1} k_{2} k_{3} k_{4}, k_{1} d_{2} k_{3} k_{4}, d_{1} d_{2} k_{3} k_{4}, k_{1} k_{2} d_{3} k_{4}, . . ., d_{1} d_{2} d_{3} d_{4})

For the purpose that will be mentioned later, we want to choose

G_{i, j}

as many as possible and

W_{i}

as less as possible.

My choice was:

k_{1} k_{2} k_{3} k_{4} = k_{1} k_{2} k_{3} k_{4}, k_{2} k_{3} k_{4} W_{1}, k_{3} k_{4} G_{1, 2}, k_{3} k_{4} W_{1} W_{2}, k_{2} k_{4} G_{1, 3}, k_{4} W_{1} G_{2, 3}, k_{4} W_{2} G_{1, 3}, k_{4} W_{1} W_{2} W_{3}, k_{2} k_{3} G_{1, 4}, k_{3} W_{1} G_{2, 4}, G_{1, 2} G_{3, 4}, W_{1} W_{2} G_{3, 4} G_{1, 3} G_{2, 4}, W_{1} W_{3} G_{2, 4}, W_{2} W_{3} G_{1, 4}, W_{1} W_{2} W_{3} W_{4}

This lead to:

    B=[ [1,-n,0,n^2,0,0,0,-n^3,0,0,0,0,0,0,0,n^4],
        [0,e1,-e1,-e1*n,-e1,0,e1*n,e1*n^2,-e1,0,0,0,0,0,-e1*n^2,-e1*n^3],
        [0,0,e2,-e2*n,0,e2*n,0,e2*n^2,0,e2*n,0,0,0,-e2*n^2,0,-e2*n^3],
        [0,0,0,e1*e2,0,-e1*e2,-e1*e2,-e1*e2*n,0,-e1*e2,0,0,e1*e2,e1*e2*n,e1*e2*n,e1*e2*n^2],
        [0,0,0,0,e3,-e3*n,-e3*n,e3*n^2,0,0,0,-e3*n^2,0,0,0,-e3*n^3],
        [0,0,0,0,0,e1*e3,0,-e1*e3*n,0,0,e1*e3,e1*e3*n,0,0,e1*e3*n,e1*e3*n^2],
        [0,0,0,0,0,0,e2*e3,-e2*e3*n,0,0,-e2*e3,e2*e3*n,-e2*e3,e2*e3*n,0,e2*e3*n^2],
        [0,0,0,0,0,0,0,e1*e2*e3,0,0,0,-e1*e2*e3,0,-e1*e2*e3,-e1*e2*e3,-e1*e2*e3*n],
        [0,0,0,0,0,0,0,0,e4,-e4*n,0,e4*n^2,0,e4*n^2,e4*n^2,-e4*n^3],
        [0,0,0,0,0,0,0,0,0,e1*e4,-e1*e4,-e1*e4*n,-e1*e4,-e1*e4*n,0,e1*e4*n^2],
        [0,0,0,0,0,0,0,0,0,0,e2*e4,-e2*e4*n,0,0,-e2*e4*n,e2*e4*n^2],
        [0,0,0,0,0,0,0,0,0,0,0,e1*e2*e4,0,0,0,-e1*e2*e4*n],
        [0,0,0,0,0,0,0,0,0,0,0,0,e3*e4,-e3*e4*n,-e3*e4*n,e3*e4*n^2],
        [0,0,0,0,0,0,0,0,0,0,0,0,0,e1*e3*e4,0,-e1*e3*e4*n],
        [0,0,0,0,0,0,0,0,0,0,0,0,0,0,e2*e3*e4,-e2*e3*e4*n],
        [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,e1*e2*e3*e4] ]

and

v = [k_{1} k_{2} k_{3} k_{4}, (1 - k_{1} s) k_{2} k_{3} k_{4}, (k_{1} - k_{2}) k_{3} k_{4}, (1 - k_{1} s) (1 - k_{2} s) k_{3} k_{4}, (k_{1} - k_{3}) k_{2} k_{4}, (1 - k_{1} s) (k_{2} - k_{3}) k_{4}, (k_{1} - k_{3}) (1 - k_{2} s) k_{4}, Π_{i = 1}^{3} (1 - k_{i} s) k_{4}, (k_{1} - k_{4}) k_{2} k_{3}, (1 - k_{1} s) (k_{2} - k_{4}) k_{3}, (k_{1} - k_{2}) (k_{3} - k_{4}), (1 - k_{1} s) (1 - k_{2} s) (k_{3} - k_{4}), (k_{1} - k_{3}) (k_{2} - k_{4}), (1 - k_{1} s) (1 - k_{3} s) (k_{2} - k_{4}), (1 - k_{2} s) (1 - k_{3} s) (k_{1} - k_{4}), Π_{i = 1}^{4} (1 - k_{i} s)]

Every row of

B

is a vector much bigger than

v

and

v

is linear combination of these rows.

To apply lattice attack, we still need

v

to be balanced. Notice that

e_{i} \approx n

d_{i} \approx n^{δ}

k_{i} \approx n^{δ}

s \approx n^{0.5}

, so

v

is dominated by the last component

Π (1 - k_{i} s) \approx n^{2 + 4 δ}

Hence we need to multiply both

B

and

v

by a diagonal matrix

D

diagonal_matrix([n^2,n^1.5,n^(2+delta),n,n^(2+delta),
                 n^(1.5+delta),n^(1.5+delta),n^0.5,
                 n^(2+delta),n^(1.5+delta),n^(2+2*delta),n^(1+delta),
                 n^(2+2*delta),n^(1+delta),n^(1+delta),1])

Now we can apply LLL algorithm to obtain

v

and

x

, then calculate

ϕ = e_{1} \times \frac{d_{1} k_{2} k_{3} k_{4}}{k_{1} k_{2} k_{3} k_{4}}

. If

ϕ

is calculated correctly, the roots of

x^{2} - (n + 1 - ϕ) x + n = 0

will be p and q consequently.

The only thing left is that we don't know the GCD of

p - 1

and

q - 1

, it could be any even number. Hence for every possible

G

, we need to multiply

e

G

first. It turned out that the GCD is just

2

though.

Reason why not choose
$W_{i}$ but
$G_{i, j}$

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Using the theorem, to increase the success rate of the attack, we need the volume of

B

to be as large as possible. It means large components of

D

, which means small right hand side of each equation we choose.

By some observation, all the right hand side of the equations consists of

k_{1}, k_{2}, k_{3}, k_{4}

When choosing

G_{i, j}

, we elimintae

k_{i}

and

k_{j}

but only multiply the number by

(k_{i} - k_{j})

. On the other hand, choosing

W_{i}

multiplies the number by

k_{i} s

, which is much larger.

We can even calculate the upperbound of bit length of

d_{i}

by the theorem.

| | v | | \approx n^{2 + 4 δ} \leq n^{\frac{1}{16} (32 + 13 δ + 22.5)} \approx 4 (e_{1}^{8} e_{2}^{8} e_{3}^{8} e_{4}^{8} n^{13 δ + 22.5})^{\frac{1}{16}} = \sqrt{n} v o l (B)^{\frac{1}{n}} \Rightarrow δ \leq \frac{15}{34} = 0.441 . . .

newcrypt

Description

Solution

The math

Reason why not choose Wi but Gi,j

The script

Reason why not choose
$W_{i}$ but
$G_{i, j}$