Home Explore Help
Sign In
maker
/
bachelor
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 673cf9c83f
Branches Tags
bachelor
/
src
/
questions
/
pollard.c

pollard.c 2.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121 
  1. /**
    2. 

  2.  * \file pollard.c
    3. 

  3.  *
    4. 

  4.  * \brief Pollard's (p-1) factorization algorithm.
    5. 

  5.  *
    6. 

  6.  * This file contains an implementations of Pollard's (p-1) algorithm, used to
    7. 

  7.  * attack the public modulus of RSA.
    8. 

  8.  *
    9. 

  9.  * Consider the public modulus N = pq. Now,
    10. 

  10.  *  (p-1) = q₀ᵉ⁰q₁ᵉ¹… qₖᵉᵏ .  q₀ᵉ⁰ < q₁ᵉ¹ < … < qₖᵉᵏ ≤ B
    11. 

  11.  * implies that  (p-1) | B! , since all factors of (p-1) belongs to {1, …, B}.
    12. 

  12.  * Consider a ≡ 2^(B!) (mod N)
    13. 

  13.  *   a = 2^(B!) + kN  = 2^(B!) + kqp → a ≡ 2^(B!) (mod p)
    14. 

  14.  * Since
    15. 

  15.  * <pre>
    16. 

  16.  *
    17. 

  17.  *   ⎧ 2ᵖ⁻¹ ≡ 1 (mod p)                              ⎧ p | (a-1)
    18. 

  18.  *   ⎨                  →  a ≡ 2^(B!) ≡ 1 (mod p) →  ⎨           → p | gcd(a-1, N)
    19. 

  19.  *   ⎩ p-1 | B!                                      ⎩ p | N
    20. 

  20.  *
    21. 

  21.  * </pre>
    22. 

  22.  * And gcd(a-1, N) is a non-trivial factor of N, unless a = 1.
    23. 

  23.  */
    24. 

  24. 

  25. #include <openssl/x509.h>
    26. 

  26. #include <openssl/err.h>
    27. 

  27. 

  28. #include "qa/questions/questions.h"
    29. 

  29. #include "qa/questions/primes.h"
    30. 

  30. #include "qa/questions/qarith.h"
    31. 

  31. #include "qa/questions/qpollard.h"
    32. 

  32. 

  33. 

  34. static BIGNUM *two = NULL;
    35. 

  35. 

  36. static int
    37. 

  37. pollard1_question_setup(void)
    38. 

  38. {
    39. 

  39.   /* create 2 */
    40. 

  40.   BN_dec2bn(&two, "2");
    41. 

  41.   return 1;
    42. 

  42. }
    43. 

  43. 

  44. static int
    45. 

  45. pollard1_question_teardown(void)
    46. 

  46. {
    47. 

  47.   BN_free(two);
    48. 

  48.   return 1;
    49. 

  49. }
    50. 

  50. 

  51. /**
    52. 

  52.  * \brief Pollard (p-1) factorization.
    53. 

  53.  *
    54. 

  54.  */
    55. 

  55. static RSA*
    56. 

  56. pollard1_question_ask_rsa(const RSA* rsa)
    57. 

  57. {
    58. 

  58.   RSA *ret = NULL;
    59. 

  59.   BIGNUM
    60. 

  60.     *p = BN_new(),
    61. 

  61.     *b = BN_new(),
    62. 

  62.     *b1 = BN_new(),
    63. 

  63.     *q = BN_new(),
    64. 

  64.     *r = BN_new(),
    65. 

  65.     *g = BN_new();
    66. 

  66.   BN_CTX *ctx = BN_CTX_new();
    67. 

  67.   pit_t *it;
    68. 

  68.   long j;
    69. 

  69.   /* long back; */
    70. 

  70.   int e, k, m = 100;
    71. 

  71. 

  72. 

  73.   BN_pseudo_rand_range(b, rsa->n);
    74. 

  74.   BN_one(g);
    75. 

  75.   BN_one(q);
    76. 

  76.   for (it = primes_init();
    77. 

  77.        BN_is_one(g) && primes_next(it, p);
    78. 

  78.        )  {
    79. 

  79.     e = BN_num_bits(rsa->n) / BN_num_bits(p);
    80. 

  80.     for (k = 0; k < e && BN_is_one(g); k += m) {
    81. 

  81.       /* back = primes_tell(it); */
    82. 

  82.       for (j = (m > e) ? e : m; j; j--) {
    83. 

  83.         BN_mod_exp(b, b, p, rsa->n, ctx);
    84. 

  84.         BN_sub(b1, b, BN_value_one());
    85. 

  85.         BN_mod_mul(q, q, b1, rsa->n, ctx);
    86. 

  86.       }
    87. 

  87.       BN_gcd(g, q, rsa->n, ctx);
    88. 

  88.     }
    89. 

  89.   }
    90. 

  90. 

  91.   /* replay latest epoch */
    92. 

  92.   /* if (BN_cmp(g, rsa->n)) { */
    93. 

  93.   /*   primes_seek(it, back); */
    94. 

  94. 

  95.   /* } */
    96. 

  96.   if (BN_cmp(g, rsa->n) && !BN_is_one(g))
    97. 

  97.       ret = qa_RSA_recover(rsa, g, ctx);
    98. 

  98. 

  99.   BN_free(p);
    100. 

  100.   BN_free(q);
    101. 

  101.   BN_free(b);
    102. 

  102.   BN_free(b1);
    103. 

  103.   BN_free(r);
    104. 

  104.   BN_free(g);
    105. 

  105.   BN_CTX_free(ctx);
    106. 

  106. 

  107.   return ret;
    108. 

  108. }
    109. 

  109. 

  110. 

  111. 

  112. qa_question_t PollardQuestion = {
    113. 

  113.   .name = "p-1",
    114. 

  114.   .pretty_name = "Pollard's (p-1) factorization",
    115. 

  115.   .setup = pollard1_question_setup,
    116. 

  116.   .teardown = pollard1_question_teardown,
    117. 

  117.   .test = NULL,
    118. 

  118.   .ask_rsa = pollard1_question_ask_rsa,
    119. 

  119.   .ask_crt = NULL
    120. 

  120. };
    121. 

  121.