对DSA签名算法的攻击

DSA算法介绍：

　　DSA是在ElGamal和Schnorr两个签名方案的基础上设计的，其安全性基于求离散对数的困难性。生成签名长度 320 bit，算法描述如下：

(1) 全局公开钥

　　l p：满足2^L-1<p<2^L 的大素数，其中512≤L≤1024且L是64的倍数

　　l q：p-1的素因子，满足2¹⁵⁹<q<2¹⁶⁰ ，即q长为160比特。

　　l g：g=h^(p-1)/q mod p，h是满足1<h<p-1且使得h^(p-1)/q mod p >1的任一整数

(2) 用户秘密钥x

　　l x是满足0<x<q的随机数或伪随机数

(3) 用户的公开钥y

　　l y≡g^x mod p。

(4) 用户为待签消息选取的秘密数k

　　l k是满足0<k<q的随机数或伪随机数。

(5) 签名过程

　　l 用户对消息M的签名为(r, s)，其中r≡(g^k mod p) mod q

　　l  s≡[k^-1(H(M)+xr)] mod q，H(M)是由SHA求出的杂凑值

(6) 验证过程

　　l 设接收方收到的消息为M¢，签名为(r¢,s¢)。计算

　　l w≡(s¢)^-1 mod q,u1≡[H(M¢)w] mod q

　　l u2≡r¢w mod q, v≡[(g^u1y^u2) mod p] mod q

　　l 检查v=r ¢是否成立，若相等，则认为签名有效。

---

 1．利用如下的参数，恢复DSA的秘密钥x。

p = 800000000000000089e1855218a0e7dac38136ffafa72eda7859f2171e25e65eac698c1702578b07dc2a1076da241c76c62d374d8389ea5aeffd3226a0530cc565f3bf6b50929139ebeac04f48c3c84afb796d61e5a4f9a8fda812ab59494232c7d2b4deb50aa18ee9e132bfa85ac4374d7f9091abc3d015efc871a584471bb1
q = f4f47f05794b256174bba6e9b396a7707e563c5b
g = 5958c9d3898b224b12672c0b98e06c60df923cb8bc999d119458fef538b8fa4046c8db53039db620c094c9fa077ef389b5322a559946a71903f990f1f7e0e025e2d7f7cf494aff1a0470f5b64c36b625a097f1651fe775323556fe00b3608c887892878480e99041be601a62166ca6894bdd41a7054ec89f756ba9fc95302291
y = 84ad4719d044495496a3201c8ff484feb45b962e7302e56a392aee4abab3e4bdebf2955b4736012f21a08084056b19bcd7fee56048e004e44984e2f411788efdc837a0d2e5abb7b555039fd243ac01f0fb2ed1dec568280ce678e931868d23eb095fde9d3779191b8c0299d6e07bbb283e6633451e535c45513b2d33c99ea17

 　　被签名的消息为：So be friendly, a matter of life and death, just like a etch-a-sketch，它的SHA1 值为（十六进制）：0xd2d0714f014a9784047eaeccf956520045c45265。

　　得到的签名为：

  r = 548099063082341131477253921760299949438196259240

  s = 857042759984254168557880549501802188789837994940

　　已知签名用的"k" 的范围是 0 到2^16。

　　请编程恢复DSA的秘密钥x，它的SHA1 值为：0954edd5e0afe5542a4adf012611a91912a3ec16

---

 思路：

　　首先，根据题目提示，可以根据r的取值先计算求出k的值（r≡(g^k mod p) mod q）；因为2^16穷举一下很轻松，时间复杂度还是可以接受的。

#先恢复k的值，穷举1-65536
for k in range(2**16):
　　temp=fastExpMod(g,k,p)
　　temp %=q
　　if temp == r:
　　　　break
　　else:
　　　　pass
print "k=",k

　　上面用到了：自定义的幂次取模的函数fastExpMod，

def fastExpMod(b, e, m):  #快速幂取模函数；b为底数，e为指数，m为模数
    result = 1
    while e != 0:
        if (e&1) == 1:
            result = (result * b) % m 
        e >>= 1
        b = (b*b) % m
    return result    #返回取模结果

　　其次，可以根据s的取值计算x:

　　从 s≡[k^-1(H(M)+xr)] mod q　，可以继续推出 x≡r ^-1 *[ks-H(M)]  mod q

　　这一步将要计算r ^-1的取值，用到一个自定义的求模逆函数：findModReverse，函数原理是基于扩展欧几里得算法求模逆，贴一下代码：

def gcd(a,b):  #求最大公约数函数
    while a!=0:
         a,b = b%a,a
     return b
 def findModReverse(a,m):#这个扩展欧几里得算法求模逆
     if gcd(a,m)!=1:
         return None
     u1,u2,u3 = 1,0,a
     v1,v2,v3 = 0,1,m
     while v3!=0:
         q = u3//v3
         v1,v2,v3,u1,u2,u3 = (u1-q*v1),(u2-q*v2),(u3-q*v3),v1,v2,v3
     return u1%m

 　　完整代码：

# -*- coding=utf-8 -*-
# py2
import hashlib 
p = 0x800000000000000089e1855218a0e7dac38136ffafa72eda7859f2171e25e65eac698c1702578b07dc2a1076da241c76c62d374d8389ea5aeffd3226a0530cc565f3bf6b50929139ebeac04f48c3c84afb796d61e5a4f9a8fda812ab59494232c7d2b4deb50aa18ee9e132bfa85ac4374d7f9091abc3d015efc871a584471bb1
q = 0xf4f47f05794b256174bba6e9b396a7707e563c5b
g = 0x5958c9d3898b224b12672c0b98e06c60df923cb8bc999d119458fef538b8fa4046c8db53039db620c094c9fa077ef389b5322a559946a71903f990f1f7e0e025e2d7f7cf494aff1a0470f5b64c36b625a097f1651fe775323556fe00b3608c887892878480e99041be601a62166ca6894bdd41a7054ec89f756ba9fc95302291
y = 0x84ad4719d044495496a3201c8ff484feb45b962e7302e56a392aee4abab3e4bdebf2955b4736012f21a08084056b19bcd7fee56048e004e44984e2f411788efdc837a0d2e5abb7b555039fd243ac01f0fb2ed1dec568280ce678e931868d23eb095fde9d3779191b8c0299d6e07bbb283e6633451e535c45513b2d33c99ea17
hash_x=0x0954edd5e0afe5542a4adf012611a91912a3ec16
Hash_M=0xd2d0714f014a9784047eaeccf956520045c45265
r = 548099063082341131477253921760299949438196259240
s = 857042759984254168557880549501802188789837994940

def fastExpMod(b, e, m):  　　#快速幂取模函数；b为底数，e为指数，m为模数
    result = 1
    while e != 0:
        if (e&1) == 1:
            result = (result * b) % m
        e >>= 1
        # b, b^2, b^4, b^8, ... , b^(2^n)
        b = (b*b) % m
    return result
def gcd(a,b):  　　　　　　　　#求最大公约数函数
    while a!=0:
        a,b = b%a,a
    return b
def findModReverse(a,m):    #这个扩展欧几里得算法求模逆
    if gcd(a,m)!=1:
        return None
    u1,u2,u3 = 1,0,a
    v1,v2,v3 = 0,1,m
    while v3!=0:
        q = u3//v3
        v1,v2,v3,u1,u2,u3 = (u1-q*v1),(u2-q*v2),(u3-q*v3),v1,v2,v3
    return u1%m
if __name__ == '__main__':
    #先恢复k的值，穷举1-65536
    for k in range(2**16):
        temp=fastExpMod(g,k,p)
        temp %=q
        if temp == r:
            break
        else:
            pass
    print "k=",k    
    r_rev=findModReverse(r,q)
    print "r^-1=",r_rev 

    x=(k*s-Hash_M)%q
    x=x*r_rev %q
    print "x=",x
    hex_x=hex(x)[2:-1]
    print "hex_x=",hex_x
    Hash_x=hashlib.sha1(hex_x).hexdigest()
    print "Sha1(x)=",Hash_x
    if hash_x==int(Hash_x,16):
        print "哈希匹配，求解私钥x正确！"

　　执行结果：

---

---

2．如下是十一组消息及其DSA签名：

msg: Listen for me, you better listen for me now.
s: 1267396447369736888040262262183731677867615804316
r: 1105520928110492191417703162650245113664610474875
m: a4db3de27e2db3e5ef085ced2bced91b82e0df19

msg: Listen for me, you better listen for me now.
s: 29097472083055673620219739525237952924429516683
r: 51241962016175933742870323080382366896234169532
m: a4db3de27e2db3e5ef085ced2bced91b82e0df19

msg: When me rockin' the microphone me rock on steady,
s: 277954141006005142760672187124679727147013405915
r: 228998983350752111397582948403934722619745721541
m: 21194f72fe39a80c9c20689b8cf6ce9b0e7e52d4

msg: Yes a Daddy me Snow me are de article dan.
s: 1013310051748123261520038320957902085950122277350
r: 1099349585689717635654222811555852075108857446485
m: 1d7aaaa05d2dee2f7dabdc6fa70b6ddab9c051c5

msg: But in a in an' a out de dance em
s: 203941148183364719753516612269608665183595279549
r: 425320991325990345751346113277224109611205133736
m: 6bc188db6e9e6c7d796f7fdd7fa411776d7a9ff

msg: Aye say where you come from a,
s: 502033987625712840101435170279955665681605114553
r: 486260321619055468276539425880393574698069264007
m: 5ff4d4e8be2f8aae8a5bfaabf7408bd7628f43c9

msg: People em say ya come from Jamaica,
s: 1133410958677785175751131958546453870649059955513
r: 537050122560927032962561247064393639163940220795
m: 7d9abd18bbecdaa93650ecc4da1b9fcae911412

msg: But me born an' raised in the ghetto that I want yas to know,
s: 559339368782867010304266546527989050544914568162
r: 826843595826780327326695197394862356805575316699
m: 88b9e184393408b133efef59fcef85576d69e249

msg: Pure black people mon is all I mon know.
s: 1021643638653719618255840562522049391608552714967
r: 1105520928110492191417703162650245113664610474875
m: d22804c4899b522b23eda34d2137cd8cc22b9ce8

msg: Yeah me shoes a an tear up an' now me toes is a show a
s: 506591325247687166499867321330657300306462367256
r: 51241962016175933742870323080382366896234169532
m: bc7ec371d951977cba10381da08fe934dea80314

msg: Where me a born in are de one Toronto, so
s: 458429062067186207052865988429747640462282138703
r: 228998983350752111397582948403934722619745721541
m: d6340bfcda59b6b75b59ca634813d572de800e8f　

　　这些消息的签名公钥为：

y = 2d026f4bf30195ede3a088da85e398ef869611d0f68f0713d51c9c1a3a26c95105d915e2d8cdf26d056b86b8a7b85519b1c23cc3ecdc6062650462e3063bd179c2a6581519f674a61f1d89a1fff27171ebc1b93d4dc57bceb7ae2430f98a6a4d83d8279ee65d71c1203d2c96d65ebbf7cce9d32971c3de5084cce04a2e147821

　　另外，参数p，q，g与上一题的相同。

　　请编程恢复DSA的秘密钥x，它的SHA1 值为：ca8f6f7c66fa362d40760d135b763eb8527d3d52

---

思路：

　　从题目所知道的，p、q、g和第一题一样不变，变的是k的值以及私钥x（显然公钥y也要随着改变）。特点是这十一组数据和签名都有共同的私钥x，但是k并不完全一样，首先寻找规律，发现存在几组数据的r值相同，根据定义 r≡(gk mod p) mod q，说明这几组的k值相同

下面图中几组是整理的r相同的几组

　　

　　下面是计算x的推导公式，s1、s2代表的是r值相同的两组（从上图三组中任取一组），这样的好处是，虽然不知到k的取值，但是两个方程两个未知数便可以约去一个k甚至能求出k，并且得到x的取值

   

　　完整代码：

# -*- coding=utf-8 -*-
# py2
import hashlib 
p = 0x800000000000000089e1855218a0e7dac38136ffafa72eda7859f2171e25e65eac698c1702578b07dc2a1076da241c76c62d374d8389ea5aeffd3226a0530cc565f3bf6b50929139ebeac04f48c3c84afb796d61e5a4f9a8fda812ab59494232c7d2b4deb50aa18ee9e132bfa85ac4374d7f9091abc3d015efc871a584471bb1
q = 0xf4f47f05794b256174bba6e9b396a7707e563c5b
g = 0x5958c9d3898b224b12672c0b98e06c60df923cb8bc999d119458fef538b8fa4046c8db53039db620c094c9fa077ef389b5322a559946a71903f990f1f7e0e025e2d7f7cf494aff1a0470f5b64c36b625a097f1651fe775323556fe00b3608c887892878480e99041be601a62166ca6894bdd41a7054ec89f756ba9fc95302291
y = 0x2d026f4bf30195ede3a088da85e398ef869611d0f68f0713d51c9c1a3a26c95105d915e2d8cdf26d056b86b8a7b85519b1c23cc3ecdc6062650462e3063bd179c2a6581519f674a61f1d89a1fff27171ebc1b93d4dc57bceb7ae2430f98a6a4d83d8279ee65d71c1203d2c96d65ebbf7cce9d32971c3de5084cce04a2e147821
hash_x=0xca8f6f7c66fa362d40760d135b763eb8527d3d52
r = 1105520928110492191417703162650245113664610474875
s1= 1267396447369736888040262262183731677867615804316
hash_m1 = 0xa4db3de27e2db3e5ef085ced2bced91b82e0df19
s2 = 1021643638653719618255840562522049391608552714967
hash_m2 = 0xd22804c4899b522b23eda34d2137cd8cc22b9ce8

def gcd(a,b):
    while a!=0:
        a,b = b%a,a
    return b
def findModReverse(a,m):
    if gcd(a,m)!=1:
        return None
    u1,u2,u3 = 1,0,a
    v1,v2,v3 = 0,1,m
    while v3!=0:
        q = u3//v3
        v1,v2,v3,u1,u2,u3 = (u1-q*v1),(u2-q*v2),(u3-q*v3),v1,v2,v3
    return u1%m
s1_rev = findModReverse(s1,q)
s2_rev = findModReverse(s2,q)
r_rev = findModReverse(r,q)
A=(hash_m1*s1_rev-hash_m2*s2_rev) %q
B=(s2_rev-s1_rev) %q

B_rev=findModReverse(B,q)
x_tmp=(A*B_rev) %q
x=(x_tmp*r_rev) %q
# x=(A*r_rev*B_rev) %q
print "x=",x
hex_x=hex(x)[2:-1]
print "hex_x=",hex_x
Hash_x=hashlib.sha1(hex_x).hexdigest()
print "Sha1(x)=",Hash_x
if hash_x==int(Hash_x,16):
    print "哈希匹配，求解私钥x正确！"

 　　运行结果：