взломщикам RSA на заметку

Тема в разделе "WASM.CRYPTO", создана пользователем RElf, 19 мар 2008.

  1. Ruptor

    Ruptor Marcos el Ruptor

    Публикаций:
    0
    Регистрация:
    9 янв 2005
    Сообщения:
    167
    Адрес:
    Australia
    georgel: First, you are supposed to convert all the inputs and outputs to binary form. They are in 8-bit n-residue form. Factoring those as if they were numbers is of no use.
     
  2. georgel

    georgel New Member

    Публикаций:
    0
    Регистрация:
    4 ноя 2006
    Сообщения:
    19
    Ruptor
    How?

    And then what when I have several primes?
     
  3. Ruptor

    Ruptor Marcos el Ruptor

    Публикаций:
    0
    Регистрация:
    9 янв 2005
    Сообщения:
    167
    Адрес:
    Australia
    RTFM. Any big number library has a function for that, including Miracl. No one is going to do it for you.

    Nothing. You haven't prepared a list of cubes resulting in small primes yet. It's a long search somewhat similar to the quadratic sieve, but once you have those, you just multiply them for all the factors of your input to make up its signature. It is not as expensive as factoring, but you won't be able to forge any signature, only the smooth ones. In the above example for instance, two of the factors are too large. You would not be able to forge that particular signature if it wasn't in n-residue form.
     
  4. georgel

    georgel New Member

    Публикаций:
    0
    Регистрация:
    4 ноя 2006
    Сообщения:
    19
    Ruptor
    BTW: output.bin is in binary form - it is 100% a message and I know the meaning of every byte in it. It does not need any conversion except to place most significant bytes first, e.g. to reverse the order of bytes.

    I don not know the meaning of

    yet, because I couldn't find TFM.

    The input.bin from the example bin should be the output of the method we discuss here and is my goal, but as such it would require this mysterious n-residue conversion as a final operation, wouldn't it? I think there is a bit of misunderstanding from me or even from you as to which item is input and which is output :dntknw:

    The only thing that gives me a little hope is that I could have enormous amount of "output.bin"s that suit my needs and one of them could be smooth for your mysterious and unknown method...
     
  5. Ruptor

    Ruptor Marcos el Ruptor

    Публикаций:
    0
    Регистрация:
    9 янв 2005
    Сообщения:
    167
    Адрес:
    Australia
    georgel
    You obviously do not understand how Montgomery multiplication works or how this simple old attack works. It is far from mine and far from mysterious. As a result, your frustration is leading you to attacking me personally. I do not wish to continue helping you any further. It is your problem, not mine. All I can do is repeat: 1) figure out the difference between a number in binary form and its n-residue form and how to convert between the two (RTF Miracl library documentation), 2) find this attack in the literature - it is probably the oldest attack against RSA that there is and the reason why all the RSA signature algorithms hash and time stamp messages before signing them.
     
  6. georgel

    georgel New Member

    Публикаций:
    0
    Регистрация:
    4 ноя 2006
    Сообщения:
    19
    Ruptor
    Yes, so far I don't. Do I have to? I just wanted to know what is n-residue format. I skimmed through MIRACL docs again today after your last message (user's manual http://www.shamus.ie/uploads/docs/userman.pdf and reference manual http://www.shamus.ie/uploads/docs/refman.pdf) and found nothing clear on what is n-residue format but a description of converting routines (to and from n-residue and modulus preparation?) and their API.

    Yes, which one of the attacks??? There are so many and I can't find one that fits this case and your explanation... http://www.scipub.org/fulltext/jcs/jcs28665-671.pdf

    On the contrary, I am irritated because of my stupidity and not understanding you. No one is attacking you :)))))))))))))) Moreover I think you are disappointed from explaining these things to someone (me) who obviously can't understand you.

    I've tried. All that comes to my stupid mind is m1^e*m2^e===(m1*m2)^e. But this requires access to encrypting party. Or I suspect you mean representing the message like m1*m2*...*mn, where all numbers are small enough and are not affected by the modulus...


    Finally I've found this which is more useful (to me) than the miracl docs themselves:

    http://ftp.funet.fi/pub/crypt/math/montgomery-multiplication.txt
     
  7. Garaus

    Garaus New Member

    Публикаций:
    0
    Регистрация:
    9 апр 2008
    Сообщения:
    5
    1024-битный шифр RSA взломают через пять лет

    http://habrahabr.ru/blog/crypto/12565.html
     
  8. UbIvItS

    UbIvItS Well-Known Member

    Публикаций:
    0
    Регистрация:
    5 янв 2007
    Сообщения:
    6.243
    georgel
    почитай лит-ру; поэксперементируй; отвлекись, коли мозг циклит:derisive:, а так ты заставляешь человека строкать тебе портянки лекций на форуме:) - он тебе всё равно лучше, чем в книге не напишет.
    Garaus
    инфа уже с бородой и впринцепе интереса никакого не представляет - взлом засчёт простого роста производительности железа являет собой пустую новость:)
     
  9. georgel

    georgel New Member

    Публикаций:
    0
    Регистрация:
    4 ноя 2006
    Сообщения:
    19
    UbIvItS
    А ты его понял? Кто нибудь здесь его понял? Наверное он мне объяснял как найти точных кубов...Ето не подойдет для таких больших чисел...Там только 2^512 точных кубов.
     
  10. UbIvItS

    UbIvItS Well-Known Member

    Публикаций:
    0
    Регистрация:
    5 янв 2007
    Сообщения:
    6.243
    georgel
    первым делом не совсем понял, что тебе нужно: понять есть ли уязвимость в досовской реализации рса и как её юзать???
     
  11. georgel

    georgel New Member

    Публикаций:
    0
    Регистрация:
    4 ноя 2006
    Сообщения:
    19
    UbIvItS
    Да. Мне нужно из своего output.bin сделать input.bin, которое потом с "досовской реализации" трансформировалось правильно опять в output.bin...