def step2(search_number, i, M):
if i == 1 or len(M) > 1:
# Step 2a/2b
while True:
if debug:
sys.stdout.write("\rCurrent search number: %d" % search_number)
sys.stdout.flush()
search_number += 1
test_ciphertext = c0 * search_number ** exponent
test_ciphertext %= modulus
if padding_oracle(test_ciphertext.binary()[::-1]):
if verbose:
print "Found s0! Starting to narrow search interval..."
return(search_number)
else:
# Step 2c
a = list(M)[0][0]
b = list(M)[0][1]
r = gmpy.ceil( 2*(b * search_number - B2)/modulus )
while True:
s_range_bottom = gmpy.ceil(( B2 + r * modulus ) / b)
s_range_top = gmpy.floor(( B3-1 + r * modulus ) / a)
s = gmpy.mpz(s_range_bottom)
while s <= s_range_top:
test_ciphertext = c0 * s ** exponent
test_ciphertext %= modulus
if padding_oracle(test_ciphertext.binary()[::-1]):
return(s)
s += 1
r += 1
def step2(search_number, i, M):
if i == 1 or len(M) > 1:
# Step 2a/2b
while True:
if debug:
sys.stdout.write("\rCurrent search number: %d" % search_number)
sys.stdout.flush()
search_number += 1
test_ciphertext = c0 * search_number ** exponent
test_ciphertext %= modulus
if padding_oracle(test_ciphertext.binary()[::-1]):
if verbose:
print "Found s0! Starting to narrow search interval..."
return(search_number)
else:
# Step 2c
a = list(M)[0][0]
b = list(M)[0][1]
r = gmpy.ceil( 2*(b * search_number - B2)/modulus )
while True:
s_range_bottom = gmpy.ceil(( B2 + r * modulus ) / b)
s_range_top = gmpy.floor(( B3-1 + r * modulus ) / a)
s = gmpy.mpz(s_range_bottom)
while s <= s_range_top:
test_ciphertext = c0 * s ** exponent
test_ciphertext %= modulus
if padding_oracle(test_ciphertext.binary()[::-1]):
return(s)
s += 1
r += 1
def step3(s, M, R):
new_M = set([])
for a,b in M:
for r in R:
new_a = max(a, gmpy.ceil( (B2 + r * modulus)/s ) )
new_b = min(b, gmpy.floor( (B3 - 1 + r * modulus)/s ) )
if new_a <= new_b:
new_M |= set([(new_a, new_b)])
return new_M
def get_r_values(s, M):
R = []
for a,b in M:
low_val = gmpy.ceil( (a * s - B3 + 1)/modulus )
high_val = gmpy.floor( ((b * s - B2)/modulus))
R.extend([x for x in range(int(low_val),int(high_val+1))])
if verbose and len(R) > 1:
print "Found %d possible r values, trying to narrow to one..." % len(R)
return R
def step3(s, M, R):
new_M = set([])
for a,b in M:
for r in R:
new_a = max(a, gmpy.ceil( (B2 + r * modulus)/s ) )
new_b = min(b, gmpy.floor( (B3 - 1 + r * modulus)/s ) )
if new_a <= new_b:
new_M |= set([(new_a, new_b)])
return new_M
def get_r_values(s, M):
R = []
for a,b in M:
low_val = gmpy.ceil( (a * s - B3 + 1)/modulus )
high_val = gmpy.floor( ((b * s - B2)/modulus))
R.extend([x for x in range(int(low_val),int(high_val+1))])
if verbose and len(R) > 1:
print "Found %d possible r values, trying to narrow to one..." % len(R)
return R
def mpsin(x): if pi_minus<=x and x<=pi: return sin_taylor(x) if x<0: return -mpsin(-x) f= x - gmpy.floor(x/pix2)*pix2 #0..2 assert(f>=0) assert(f<=pix2) if f<pi: return sin_taylor(f) else: return -sin_taylor(f - pi)
def common_private_exponent(rsa_list):
"""
Attack to RSA: Common Private-Exponent Attack
Args:
rsa_list : RSA Object List (They have a same private exponent)
Return: Private Exponent
Reference: http://ijcsi.org/papers/IJCSI-9-2-1-311-314.pdf
"""
from scryptos.math import LLL
import math
import gmpy
eset = map(lambda x: x.e, rsa_list)
nset = map(lambda x: x.n, rsa_list)
r = len(eset)
M = int(gmpy.floor(gmpy.sqrt(nset[-1])))
B = []
B += [[M] + eset]
for x in xrange(r):
B += [[0] * (x + 1) + [-nset[x]] + [0] * (r - x - 1)]
S = LLL(B)
d = abs(S[0][0]) / M
return d
