AIM2_cryptanalysis/logs/n192_l2_L191_seed=0.log at main · cryptolu/AIM2_cryptanalysis · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
single_approximant: len(flat_coeffs) = 292620
single_approximant: d = 115 / 1156 (9.9 %)
single_approximant: d = 230 / 1156 (19.9 %)
single_approximant: d = 345 / 1156 (29.8 %)
single_approximant: d = 460 / 1156 (39.8 %)
single_approximant: d = 575 / 1156 (49.7 %)
single_approximant: d = 690 / 1156 (59.7 %)
single_approximant: d = 805 / 1156 (69.6 %)
single_approximant: d = 920 / 1156 (79.6 %)
single_approximant: d = 1035 / 1156 (89.5 %)
single_approximant: d = 1150 / 1156 (99.5 %)
[i] Seed: 0
[i] Secret key: GF192Element(4826867323a7711a8133287637ebdcd9e87a1613e443df78)

Generating (iv, ct) pairs...


[i] AIM/attack parameters:
- n = 192 bits
- ell = 2 branches
- L = 191 IVs
- M = 1 squarings (1 ... 2^(M-1) 2^M)
- W = 385 t-monomials
- Only estimate ? False

[I] Time complexity rough estimate = 2^36.73 field ops

Generating base equations... (using linearized polynomials)

[i] Initial equations: 193
[i] Squared equations: 386
[i] W = t-monomials in equations: 385

Arranging equations...

[i] Full equation matrix F: H=386 x W=385

Computing pivots (p=0)
[i] Rank = #pivots = 385/385   fingerprint 6380e53aacb5b510
[I] Row-degree sum ξ: experimental = 2^9.17, estimated = 2^9.59
[I] Total nonzero coefficients 293382 <= 2W^2 = 296450 ? True
[I] Time complexity 2^29.02 field ops = 2^21.43 encs  (1/n convention)
[I] Memory complexity : 2^20.88 field elems = 2^25.46 bytes = 0.04 GB
[R1] n=192  ell= 2  L=191  M=  1  W= 385  ξ=2^  9.17  Time=2^ 29.02 field ops  Mem=2^ 20.88 field elems
[R2] n=192  ell= 2  L=191  M=  1  W= 385  ξ=2^  9.17  Time=2^ 21.43 enc  Mem=2^ 25.46 bytes

[i] Running full attack 0.0 GB needed, 26.7 GB available

[o] Approximant order o = 1156 = 2^10.17
[i] FAFFT max degree 2^12
[T] Main attack part, start time measurement  | memory usage: 0.31 GB

[.] Computing pivots of G0 for inversion...
[.] Inversion of base matrix...
[.] Single approximant...
[T] TIME after single approximant: 9.947845458984375  | memory usage: 0.36 GB

[i] Kernel len = 385 degrees = [1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 1155, 0]
[T] TIME after first HalfGCD: 10.05132532119751  | memory usage: 0.36 GB
[i] Degrees of kernel * F [-1, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 576, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575, 575]
[i] Got univariate poly in p, degree 577
[T] TIME to get univariate polynomial: 10.45918869972229  | memory usage: 0.32 GB

[T] TIME pre gcd (x^(2^n)-x mod f): 11.079707145690918  | memory usage: 0.32 GB
gcd polynomial 5261367445086508685759714455113489258910397866001875552083*x + 762430575403149870111618783668389620852978377381305242459
[T] TIME post gcd: 11.118046045303345  | memory usage: 0.32 GB
found roots:
- 4826867323a7711a8133287637ebdcd9e87a1613e443df78 | 191 / 191 match
[T] TIME full attack (main part only): 13.042763948440552  | memory usage: 0.32 GB
[i] Real secret key for comparison: GF192Element(4826867323a7711a8133287637ebdcd9e87a1613e443df78)
	Command being timed: "sage attack-aim2.py --no-progress-bars -n 192 -l 2 -L 191 --seed=0"
	User time (seconds): 59.54
	System time (seconds): 0.26
	Percent of CPU this job got: 99%
	Elapsed (wall clock) time (h:mm:ss or m:ss): 0:59.91
	Average shared text size (kbytes): 0
	Average unshared data size (kbytes): 0
	Average stack size (kbytes): 0
	Average total size (kbytes): 0
	Maximum resident set size (kbytes): 399296
	Average resident set size (kbytes): 0
	Major (requiring I/O) page faults: 0
	Minor (reclaiming a frame) page faults: 107782
	Voluntary context switches: 157
	Involuntary context switches: 1587
	Swaps: 0
	File system inputs: 0
	File system outputs: 16
	Socket messages sent: 0
	Socket messages received: 0
	Signals delivered: 0
	Page size (bytes): 4096
	Exit status: 0