The Miller-Rabin (MR) primality test is used widely in cryptographic libraries, usually as one component of the BPSW test. Because the algorithm relies on randomness (it picks a random base), if we have an MR pseudoprime $n$ and already know a strong liar $a$ (a random base) under which $n$ looks prime, we can reverse the algorithm's process and construct a pseudorandom number generator that makes $n$ pass the MR test. This is usually an indispensable part of bypassing BPSW.
Table of contents
- 1. Miller-Rabin primality test
- 2. Source analysis of the Miller-Rabin test in pycryptodome
  - 2.1 Versions used
  - 2.2 Source analysis
- 3. Generating a specific PRNG from a known MR pseudoprime and strong liar
  - 3.1 How the base is generated
  - 3.2 Converting the base into PRNG outputs
  - 3.3 Generating the specific PRNG
  - 3.4 Test
1. Miller-Rabin primality test
Let $n$ be a prime with $n > 2$. Then $n-1$ is even and can be written as $2^{s}d$, where $s$ and $d$ are positive integers and $d$ is odd. Every $a$ in $(\mathbb{Z}/n\mathbb{Z})^{*}$ must then satisfy one of the following two forms:

$$a^{d} \equiv 1 \pmod{n} \quad \textcircled{1}$$

$$a^{2^{r}d} \equiv -1 \pmod{n} \quad \textcircled{2}$$

where $r$ is an integer with $0 \leq r \leq s-1$.

By Fermat's little theorem, for a prime $n$ we have

$$a^{n-1} \equiv 1 \pmod{n}$$

Repeatedly taking square roots of $a^{n-1}$ must eventually give $1$ or $-1$. If $-1$ appears, then $\textcircled{2}$ holds. If $-1$ never appears, the process has run through every power of $2$, which means $\textcircled{1}$ holds.

The Miller-Rabin test uses the contrapositive of this fact: if we can find an $a$ such that, for every $0 \leq r \leq s-1$, both of the following hold,

$$a^{d} \not\equiv 1 \pmod{n}$$

$$a^{2^{r}d} \not\equiv -1 \pmod{n}$$

then $n$ is composite. Such an $a$ is called a witness for the compositeness of $n$. Otherwise $a$ may be a "strong liar" that falsely attests that $n$ is prime: $n$ really is composite, but for the chosen $a$ the two conditions above do not both hold, and in that case we regard $n$ as a probable prime with respect to the base $a$.
For details see Wikipedia: https://zh.wikipedia.org/wiki/米勒-拉宾检验
2. Source analysis of the Miller-Rabin test in pycryptodome
2.1 Versions used
- python 3.9.0
- pycryptodome 3.18.0
2.2 Source analysis
Taken directly from the miller_rabin_test method in Crypto.Math.Primality:
```python
def miller_rabin_test(candidate, iterations, randfunc=None):
    """Perform a Miller-Rabin primality test on an integer.

    The test is specified in Section C.3.1 of `FIPS PUB 186-4`__.

    :Parameters:
      candidate : integer
        The number to test for primality.
      iterations : integer
        The maximum number of iterations to perform before
        declaring a candidate a probable prime.
      randfunc : callable
        An RNG function where bases are taken from.

    :Returns:
      ``Primality.COMPOSITE`` or ``Primality.PROBABLY_PRIME``.

    .. __: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
    """

    if not isinstance(candidate, Integer):
        candidate = Integer(candidate)

    if candidate in (1, 2, 3, 5):
        return PROBABLY_PRIME
    if candidate.is_even():
        return COMPOSITE

    one = Integer(1)
    minus_one = Integer(candidate - 1)

    if randfunc is None:
        randfunc = Random.new().read

    # Step 1 and 2
    m = Integer(minus_one)
    a = 0
    while m.is_even():
        m >>= 1
        a += 1

    # Skip step 3

    # Step 4
    for i in iter_range(iterations):

        # Step 4.1-2
        base = 1
        while base in (one, minus_one):
            base = Integer.random_range(min_inclusive=2,
                                        max_inclusive=candidate - 2,
                                        randfunc=randfunc)
            assert(2 <= base <= candidate - 2)

        # Step 4.3-4.4
        z = pow(base, m, candidate)
        if z in (one, minus_one):
            continue

        # Step 4.5
        for j in iter_range(1, a):
            z = pow(z, 2, candidate)
            if z == minus_one:
                break
            if z == one:
                return COMPOSITE
        else:
            return COMPOSITE

    # Step 5
    return PROBABLY_PRIME
```
The three parameters are the number under test, the iteration count and the pseudorandom byte generator; the docstring also states that this is an implementation of the NIST specification (FIPS 186-4, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf).
In the notation of section 1, minus_one is $n-1$, m is $d$, a is $s$, and base is the randomly chosen $a$.
The overall flow is:
- 1. First write $n-1$ as $2^{s}d$.
- 2. For the configured number of iterations, pick a random $a$ with $1 < a < n-1$ each time and test the contrapositives of $\textcircled{1}$ and $\textcircled{2}$.
Now let's look at how the default iteration count is chosen, in the test_probable_prime method:
The iteration count is preset so that the probability of accepting a pseudoprime is $10^{-30}$: 30 iterations for candidates below 220 bits, 20 iterations for 220 to 280 bits, and so on down the table.
3. Generating a specific PRNG from a known MR pseudoprime and strong liar
How to construct an MR pseudoprime and its strong liars is not the focus of this article; see the relevant paper (François Arnault. Constructing Carmichael numbers which are strong pseudoprimes to several bases. Journal of Symbolic Computation, 20(2):151-161, 1995.)
Suppose we know an MR pseudoprime $n$ and a strong liar $a$. To make the miller_rabin_test from section 2 pass, we need to determine how it chooses its random numbers, convert $a$ into the corresponding sequence of PRNG outputs, reverse the PRNG, and then either pass that PRNG as randfunc when calling miller_rabin_test or override the system's os.urandom with it.
3.1 How the base is generated
The base is produced by calling the Integer.random_range method:
```python
@classmethod
def random_range(cls, **kwargs):
    """Generate a random integer within a given interval.

    :Keywords:
      min_inclusive : integer
        The lower end of the interval (inclusive).
      max_inclusive : integer
        The higher end of the interval (inclusive).
      max_exclusive : integer
        The higher end of the interval (exclusive).
      randfunc : callable
        A function that returns a random byte string. The length of the
        byte string is passed as parameter. Optional.
        If not provided (or ``None``), randomness is read from the system RNG.

    :Returns:
        An Integer randomly taken in the given interval.
    """

    min_inclusive = kwargs.pop("min_inclusive", None)
    max_inclusive = kwargs.pop("max_inclusive", None)
    max_exclusive = kwargs.pop("max_exclusive", None)
    randfunc = kwargs.pop("randfunc", None)

    if kwargs:
        raise ValueError("Unknown keywords: " + str(kwargs.keys))
    if None not in (max_inclusive, max_exclusive):
        raise ValueError("max_inclusive and max_exclusive cannot be both"
                         " specified")
    if max_exclusive is not None:
        max_inclusive = max_exclusive - 1
    if None in (min_inclusive, max_inclusive):
        raise ValueError("Missing keyword to identify the interval")

    if randfunc is None:
        randfunc = Random.new().read

    norm_maximum = max_inclusive - min_inclusive
    bits_needed = cls(norm_maximum).size_in_bits()

    norm_candidate = -1
    while not 0 <= norm_candidate <= norm_maximum:
        norm_candidate = cls.random(
                                max_bits=bits_needed,
                                randfunc=randfunc
                                )
    return norm_candidate + min_inclusive
```
In this method the result is formed as norm_candidate + min_inclusive (which guarantees the lower bound), and cls.random is called to obtain norm_candidate:
```python
@classmethod
def random(cls, **kwargs):
    """Generate a random natural integer of a certain size.

    :Keywords:
      exact_bits : positive integer
        The length in bits of the resulting random Integer number.
        The number is guaranteed to fulfil the relation:

            2^bits > result >= 2^(bits - 1)

      max_bits : positive integer
        The maximum length in bits of the resulting random Integer number.
        The number is guaranteed to fulfil the relation:

            2^bits > result >=0

      randfunc : callable
        A function that returns a random byte string. The length of the
        byte string is passed as parameter. Optional.
        If not provided (or ``None``), randomness is read from the system RNG.

    :Return: a Integer object
    """

    exact_bits = kwargs.pop("exact_bits", None)
    max_bits = kwargs.pop("max_bits", None)
    randfunc = kwargs.pop("randfunc", None)

    if randfunc is None:
        randfunc = Random.new().read

    if exact_bits is None and max_bits is None:
        raise ValueError("Either 'exact_bits' or 'max_bits' must be specified")

    if exact_bits is not None and max_bits is not None:
        raise ValueError("'exact_bits' and 'max_bits' are mutually exclusive")

    bits = exact_bits or max_bits
    bytes_needed = ((bits - 1) // 8) + 1
    significant_bits_msb = 8 - (bytes_needed * 8 - bits)
    msb = bord(randfunc(1)[0])
    if exact_bits is not None:
        msb |= 1 << (significant_bits_msb - 1)
    msb &= (1 << significant_bits_msb) - 1

    return cls.from_bytes(bchr(msb) + randfunc(bytes_needed - 1))
```
The flow is:
- 1. First generate one random byte, which determines the most significant bits.
- 2. Then generate the remaining bytes and combine all of them into one integer.
3.2 Converting the base into PRNG outputs
We use Python's random module, which is based on MT19937. To reverse MT19937 and obtain an identical PRNG, we need to know exactly which 32-bit words were produced during the whole period in which the PRNG was called.
Each MT19937 output is 32 bits by default. When random.randbytes(1) is called to produce a single byte, the CPython source shows that one 32-bit output is taken and shifted right by 24 bits.
For the remaining bytes, every 4 bytes correspond to one complete MT19937 output; the trailing 0 to 3 leftover bytes need special handling.
The conversion is shown in the code below:
```python
def get_mr_test_rand_list(p, base):
    def get_iter_count(x):
        # Same bit-length to iteration-count table as test_probable_prime
        x = Integer(x)
        mr_ranges = ((220, 30), (280, 20), (390, 15), (512, 10),
                     (620, 7), (740, 6), (890, 5), (1200, 4),
                     (1700, 3), (3700, 2))
        bit_size = x.size_in_bits()
        try:
            mr_iterations = list(filter(lambda x: bit_size < x[0],
                                        mr_ranges))[0][1]
        except IndexError:
            mr_iterations = 1
        return mr_iterations

    res_rands = []
    base_bytes = long_to_bytes(base - 2)
    iter_count = get_iter_count(p)
    for _ in range(iter_count):
        # randbytes(1): one 32-bit output shifted right by 24
        res_rands += [base_bytes[0] << 24]
        # randbytes(bytes_needed - 1): 4 bytes per 32-bit output, little-endian
        base_byte_size = len(base_bytes) - 1
        base_int_size_r = base_byte_size % 4
        for i in range(1, base_byte_size - base_int_size_r + 1, 4):
            res_rands += [base_bytes[i] + base_bytes[i + 1] * 2**8 +
                          base_bytes[i + 2] * 2**16 + base_bytes[i + 3] * 2**24]
        # the trailing 0-3 bytes occupy the top bits of the last output
        last_int = 0
        for i in range(0, base_int_size_r):
            last_int += base_bytes[base_byte_size - base_int_size_r + 1 + i] * 2**(i*8)
        res_rands += [last_int << ((4 - base_int_size_r) * 8)]
    return res_rands
```
3.3 Generating the specific PRNG
See my earlier article on reversing MT19937:
MT19937: deriving the internal state and an equivalent seed with z3 symbolic execution when consecutive outputs are truncated (click here)
Simply pass the output of get_mr_test_rand_list to recover_seed to obtain an equivalent seed, which gives the required PRNG.
3.4 Test
Given the following MR pseudoprime and strong liar:
p1 = 142445387161415482404826365418175962266689133006163
p2 = 5840260873618034778597880982145214452934254453252643
p3 = 14386984103302963722887462907235772188935602433622363
n = p1 * p2 * p3
a = 29
After taking control of its PRNG, n passes the MR test:
```python
import random
from Crypto.Math.Primality import *
from Crypto import Random
from Crypto.Math.Numbers import Integer
from Crypto.Util.number import *


def mr_test(x, randfunc=None):
    # Same iteration-count selection as test_probable_prime, Miller-Rabin only
    if randfunc is None:
        randfunc = Random.new().read
    x = Integer(x)
    mr_ranges = ((220, 30), (280, 20), (390, 15), (512, 10),
                 (620, 7), (740, 6), (890, 5), (1200, 4),
                 (1700, 3), (3700, 2))
    bit_size = x.size_in_bits()
    try:
        mr_iterations = list(filter(lambda x: bit_size < x[0],
                                    mr_ranges))[0][1]
    except IndexError:
        mr_iterations = 1
    if miller_rabin_test(x, mr_iterations,
                         randfunc=randfunc) == COMPOSITE:
        return COMPOSITE
    return PROBABLY_PRIME


def get_mr_test_rand_list(p, base):
    def get_iter_count(x):
        x = Integer(x)
        mr_ranges = ((220, 30), (280, 20), (390, 15), (512, 10),
                     (620, 7), (740, 6), (890, 5), (1200, 4),
                     (1700, 3), (3700, 2))
        bit_size = x.size_in_bits()
        try:
            mr_iterations = list(filter(lambda x: bit_size < x[0],
                                        mr_ranges))[0][1]
        except IndexError:
            mr_iterations = 1
        return mr_iterations

    res_rands = []
    base_bytes = long_to_bytes(base - 2)
    iter_count = get_iter_count(p)
    for _ in range(iter_count):
        # randbytes(1)
        res_rands += [base_bytes[0] << 24]
        # randbytes(bytes_needed - 1)
        base_byte_size = len(base_bytes) - 1
        base_int_size_r = base_byte_size % 4
        for i in range(1, base_byte_size - base_int_size_r + 1, 4):
            res_rands += [base_bytes[i] + base_bytes[i + 1] * 2**8 +
                          base_bytes[i + 2] * 2**16 + base_bytes[i + 3] * 2**24]
        last_int = 0
        for i in range(0, base_int_size_r):
            last_int += base_bytes[base_byte_size - base_int_size_r + 1 + i] * 2**(i*8)
        res_rands += [last_int << ((4 - base_int_size_r) * 8)]
    return res_rands


p1 = 142445387161415482404826365418175962266689133006163
p2 = 5840260873618034778597880982145214452934254453252643
p3 = 14386984103302963722887462907235772188935602433622363
q = p1 * p2 * p3
a = 29
res_rands = get_mr_test_rand_list(q, a)
#from find_seed_u import find_seed
#seed_int = find_seed(res_rands)
#print(hex(seed_int))
seed_int = 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
random.seed(seed_int)
print(mr_test(q, randfunc=random.randbytes))
```
ATFWUS 2023-11-20