-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinvalid_curve_attack.php
189 lines (162 loc) · 4.01 KB
/
invalid_curve_attack.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
<?php
include "page_template.html"
?>
<div id="temp-content" style="display: none;">
<h3>Invalid curve attack</h3>
<hr>
<br>
<pre>
<code class="magma">
// ---------------------------------------------
// EXERCISE
// --------
// Apply the invalid curve attack to a NIST curve
// ---------------------------------------------
// In general
// we choose the size b of the curve
bit := 160 ;
// choose a curve which is secure
p := NextPrime(2^bit) ;
q := p ;
K := FiniteField(p) ;
a := K!-3 ;
b := 0 ;
// increase b until a prime order curve is found
time repeat
b := b + 1 ;
if K!4*a^3+27*b^2 ne 0 then
E := EllipticCurve([K | a,b]) ;
end if ;
time flag := IsPrime(#E) ;
until flag ;
b ;
// generate a base point P, a secret key k and Q = k*P
P := Random(E) ;
k := Random(Order(P)) ;
k ;
Q := k*P ;
// choose a curve which is weak
bit := 160 ;
p := NextPrime(2^bit) ;
q := p ;
K := FiniteField(q) ;
a := K!-3 ;
b := 0 ;
time repeat
b := b + 1 ;
if K!4*a^3+27*b^2 ne 0 then
E := EllipticCurve([K | a,b]) ;
F := Factorization(#E) ;
max := Max({F[i][1] : i in [1..#F]}) ;
end if ;
nfact := #F ;
ng := #Generators(E) ;
flag := Log(2,max) le 40 and ng eq 1 ;
if (b mod 100) eq 0 then
b ;
end if ;
until flag ;
b ;
// find a point of maximum order in the weak curve
repeat
P := Random(E) ;
until Order(P) eq #E ;
N := Order(P) ;
// For each power of a prime p^e in F find a point of order p^e
PP := [] ;
for i in [1..#F] do
PP[i] := Integers()!(N/F[i][1]^F[i][2]) * P ;
end for ;
[Order(PP[i]) : i in [1..#PP]] ;
// ask the user to compute "invalid" logarithms
QQ := [k*PP[i] : i in [1..#PP]] ;
Pi := [F[i][1]^F[i][2] : i in [1..#F]] ;
// solve the "invalid" logarithms
time Ki := [Log(PP[i],QQ[i]) : i in [1..#PP] ] ;
// we can now solve the ChineseRemainderTheorem
time k1 := ChineseRemainderTheorem(Ki,Pi) ;
k1 eq k ;
/////////////////////////////////////////////////
/////////////////////////////////////////////////
/////////////////////////////////////////////////
// we break NIST P-192 with invalide curve attack
// NIST P-192
p := 2^192 - 2^64 - 1 ;
q := p ;
K := FiniteField(q) ;
a := K!-3 ;
bN := K! 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1 ;
EN := EllipticCurve([K | a,bN]) ;
rN := 6277101735386680763835789423176059013767194773182842284081 ;
// WEAK CURVE
p := 2^192 - 2^64 - 1 ;
q := p ;
K := FiniteField(q) ;
a := K!-3 ;
b := 0 ;
/* // search for the curve
time repeat
b := b + 1 ;
if K!4*a^3+27*b^2 ne 0 then
E := EllipticCurve([K | a,b]) ;
F := Factorization(#E) ;
max := Max({F[i][1] : i in [1..#F]}) ;
end if ;
nfact := #F ;
ng := #Generators(E) ;
flag := Log(2,max) le 40 and ng eq 1 ;
if (b mod 100) eq 0 then
b ;
end if ;
until flag ;
b ;
// 2436
*/
bW := K!2436 ;
EW := EllipticCurve([K | a,bW]) ;
rW := #EW ;
F := Factorization(rW) ;
F ;
// [ <3, 2>, <173, 1>, <313, 1>, <857, 1>, <1453, 1>, <16301, 1>, <624829, 1>, <1543511, 1>, <159607069, 1>, <4370843969, 1>, <943142251561, 1> ]
// find a point in NIST P-192 of maximum order
repeat
P := Random(EN) ;
until Order(P) eq #EN ;
N := Order(P) ;
N ;
// choose a key
k := Random(Order(P)) ;
k ;
Q := k*P ;
// find a point in EW (the weak curve) of maximum order
repeat
PW := Random(EW) ;
until Order(PW) eq #EW ;
N := Order(PW) ;
// For each power of a prime p^e in F find a point of order p^e
PP := [] ;
for i in [1..#F] do
PP[i] := Integers()!(N/F[i][1]^F[i][2]) * PW ;
end for ;
[Order(PP[i]) : i in [1..#PP]] ;
// [ 9, 173, 313, 857, 1453, 16301, 624829, 1543511, 159607069, 4370843969, 943142251561 ]
QQ := [k*PP[i] : i in [1..#PP]] ;
time Ki := [Log(PP[i],QQ[i]) : i in [1..#PP] ] ;
// Time: 5.260
Pi := [F[i][1]^F[i][2] : i in [1..#F]] ;
// we can now solve the ChineseRemainderTheorem
time k1 := ChineseRemainderTheorem(Ki,Pi) ;
// Time: 0.000
k1 ;
// 251697511401526846594265382788855133579109928922384519879
k1 eq k ;
// true
</code>
</pre>
<script>
var chapter = 'programming' ;
var x = document.getElementById('temp-content') ;
document.getElementById('main').innerHTML = x.innerHTML ;
</script>
<!--
-->