Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
pwang00
GitHub Repository: pwang00/Cryptographic-Attacks
 Path: blob/master/Public Key/RSA/fault_attack.sage
336 views
1
# This file contains an implementation of a fault attack on RSA-CRT signatures 

2


3
def generate_params(target_bitlen=1024, e=65537):

4
    p = random_prime(2^target_bitlen//2, proof=False)

5
    q = random_prime(2^target_bitlen//2, proof=False)

6


7
    N = p * q

8
    d = inverse_mod(e, (p - 1) * (q - 1))

9
    dp = d % (p - 1)

10
    dq = d % (q - 1)

11


12
    qinv = inverse_mod(q, p)

13
    pinv = inverse_mod(p, q)

14
    return N, p, q, dp, dq, e, qinv, pinv

15


16


17
# Signature method that flips a random bit in dq with probability error_prob

18


19
def sign(m, N, p, q, e, dp, dq, qinv, pinv, error_prob=1):

20
    s1 = Integer(pow(m, dp, p))

21
    s2 = Integer(pow(m, dq, q))

22
    

23
    if random() > 1 - error_prob:

24
        s2 ^^= 2 ^ randint(2, 512)

25


26
    s = (s1 * q * qinv) + (s2 * p * pinv) % N

27


28
    return s

29


30
# The attacker will already know m1 since he's trying to obtain signatures for them

31
# With sufficently high probability, gcd(s1 - m1, N) will reveal one of the factors of N

32
def factor_n(s1, e, m1, N):

33
    p = 1

34
    q = gcd(s1^e - m1, N)

35
    if q != 1:

36
        p = N // q

37


38
    return p, q

39


40
def test():

41
    N, p, q, dp, dq, e, qinv, pinv = generate_params()

42
    m1 = randint(0, 2^512)

43
    

44
    # Waaaaaaaaayy too many parameters for a simple function, will definitely simplify

45
    # In the near future

46


47
    s1 = sign(m1, N, p, q, e, dp, dq, qinv, pinv)

48


49
    p, q = factor_n(s1, e, m1, N)

50


51
    if p != N and q != N:

52
        print("[x] Obtained factors for N!")

53
    print(p, q)

54


55
if __name__ == "__main__":

56
    test()

57


58


59