This is a Python implementation of lattice-based attack proposed in Revisiting Small Private Key Attacks on Common Prime RSA1. Some underlying functions are based on Joachim Vandersmissen's crypto-attacks and some ideas are inspired from Yansong Feng.
- SageMath 9.5 with Python 3.10
You can check your SageMath Python version using the following command:
$ sage -python --version
Python 3.10.12
Note: If your SageMath Python version is older than 3.9.0, some features in given scripts might not work.
The standard way (for sage -python attack.py <modulus_bit_length> <gamma> <delta> <s>
. For instance, to run the attack with sage -python attack.py 256 0.3 0.14 2
:
SPKA_CPRSA$ sage -python attack.py 256 0.3 0.14 2
The parameters: N = 63236039457260578412497711927910293735878673126804182969089706148653918249935 and e = 145739672445113948849846979314050302144141498062509003
Found primes: 223562247299154966144036511511089027139 and 282856520817858148936977711952759948165
The attack costs 0.538 seconds...
For instance, to run the attack with sage -python attack.py 256 0.4 0.18 3
:
SPKA_CPRSA$ sage -python attack.py 256 0.4 0.18 3
The parameters: N = 86979996154219372057125079917167888635328352326366555664505555588514924260695 and e = 4352284220734458151939458402045072251879045639
Found primes: 290119823470188643798682482670924661955 and 299807145591886897263554557316564900829
The attack costs 11.433 seconds...
For instance, to run the attack with sage -python attack.py 256 0.45 0.2 3
:
SPKA_CPRSA$ sage -python attack.py 256 0.45 0.2 3
The parameters: N = 61552569346213811735143034171114001039568008154180313065484412227486057176075 and e = 223190992838379235483530540382096126794459
Found primes: 221089799980331833665016302538931380589 and 278405287587620655679073975374948057175
The attack costs 12.562 seconds...
An improved way (for sage -python attack.py <modulus_bit_length> <gamma> <delta> <s>
. For instance, to run the attack with sage -python attack.py 256 0.45 0.3 9
:
SPKA_CPRSA$ sage -python attack.py 256 0.45 0.3 9
The parameters: N = 83196994066566645255513347521092230456833161712558088577574869116082244113083 and e = 181085677779487916012018080798162037073883
Found primes: 301057612996661619004057531579089461239 and 276349078963464723175663997350452591197
The attack costs 75.112 seconds...
This implementation automatically chooses LZPL strategy for larger
All the details of the numerical attack experiments are recorded in the attack.log
file.