1
import logging
2
import os
3
import sys
4
from math import gcd
5
from math import log
6
from math import sqrt
7

8
from sage.all import RR
9
from sage.all import Zmod
10

11
path = os.path.dirname(os.path.dirname(os.path.dirname(os.path.realpath(os.path.abspath(__file__)))))
12
if sys.path[1] != path:
13
    sys.path.insert(1, path)
14

15
from shared.small_roots import herrmann_may_multivariate
16

17

18
def attack(N, e, delta, m, t, check_bounds=True):
19
    """
20
    Recovers the prime factors if one of the CRT-RSA private exponents is too small.
21
    More information: Nitaj A., "A new attack on RSA and CRT-RSA" (Section 4)
22
    :param N: the modulus
23
    :param e: the public exponent
24
    :param delta: the parameter delta such that dp <= N^delta
25
    :param m: the parameter m for small roots
26
    :param t: the parameter t for small roots
27
    :param check_bounds: perform bounds check (default: True)
28
    :return: a tuple containing the prime factors, or None if the factors could not be found
29
    """
30
    alpha = log(e, N)
31
    assert not check_bounds or 2 * delta < sqrt(2) / 2 - alpha, f"Bounds check failed ({2 * delta} < {sqrt(2) / 2 - alpha})."
32

33
    x, y = Zmod(N)["x", "y"].gens()
34
    f = x + e * y
35
    X = int(RR(N) ** delta)
36
    Y = int(e * RR(N) ** (delta - 1 / 2))  # Equivalent to N^(alpha + delta - 1 / 2)
37
    logging.info(f"Trying {m = }, {t = }...")
38
    for x0, y0 in herrmann_may_multivariate.modular_multivariate(f, N, m, t, [X, Y]):
39
        pz = int(f(x0, y0))
40
        p = gcd(pz, N)
41
        if 1 < p < N and N % p == 0:
42
            return p, N // p
43

44
    return None
45

46