Franklin-Reiter相关消息攻击

已于 2023-09-17 14:30:04 修改
阅读量2k 收藏 16
点赞数 7
分类专栏: 赛事复现 总结性 文章标签: 密码学 安全
于 2023-06-01 19:44:01 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/XiongSiqi_blog/article/details/130978226
版权

文章目录

知识导入:

在这里插入图片描述

  • 总结:
    Franklin-Reiter相关消息攻击(Franklin-Reiter related-message attack):如果两个信息之间存在已知的固定差异,并且在相同的模数n下进行RSA加密,那么就有可能恢复出这两个消息
  • 简单点说就是m和m+a两个明文在相同的e和n下进行加密,那么m就可以破解
如果两条消息之间仅存在已知的固定差异

并且在相同的RSA模N下加密

那么就有可能同时恢复它们

m1 = bytes_to_long(flag)

m2 = a * m1 + b

c1 = pow(m1,e,n)

c2 = pow(a * m1 + b,e,n)

其中c1,c2,e,n都已知,那么m1,m2可被破解
  • 既然最后解的形式是(x - M)这样的,那么最后只要提结果后面的M即可,这里使用sage中的Q.coefficients()[0]

Q.coefficients() ------ 提取多项式Q中的系数,并且是升序排列
举个栗子:
f = x^3 + 2x^2 -3x + 4
f.coefficients()
返回列表[4,-3,2,1]
f = x^3 + 2x^2 + 4
f.coefficients()
返回列表[4,2,1] # 0省略

最后添个负号即可得到M

题一

题目描述:

from secret import flag
from Crypto.Util.number import *

m1 = bytes_to_long(flag)
N = getPrime(512)*getPrime(512)
e = 17

c1 = pow(m1, e, N)

a = getRandomNBitInteger(512)
b = getRandomNBitInteger(512)
m2 = a * m1 + b
c2 = pow(m2, e, N)

print(N, a, b, c1, c2, sep="\n")

# 51296885372346449295388453471330409021784141081351581975478435681552082076338697136130122011636685327781785488670769096434920591920054441921039812310126089859349902066456998315283909435249794317277620588552441456327265553018986591779396701680997794937951231970194353001576159809798153970829987274504038146741
# 13256631249970000274738888132534852767685499642889351632072622194777502848070957827974250425805779856662241409663031192870528911932663995606616763982320967
# 12614470377409090738391280373352373943201882741276992121990944593827605866548572392808272414120477304486154096358852845785437999246453926812759725932442170
# 18617698095122597355752178584860764221736156139844401400942959000560180868595058572264330257490645079792321778926462300410653970722619332098601515399526245808718518153518824404167374361098424325296872587362792839831578589407441739040578339310283844080111189381106274103089079702496168766831316853664552253142
# 14091361528414093900688440242152327115109256507133728799758289918462970724109343410464537203689727409590796472177295835710571700501895484300979622506298961999001641059179449655629481072402234965831697915939034769804437452528921599125823412464950939837343822566667533463393026895985173157447434429906021792720

题目分析:

典型的Franklin-Reiter相关消息攻击,直接上解题代码:

n=51296885372346449295388453471330409021784141081351581975478435681552082076338697136130122011636685327781785488670769096434920591920054441921039812310126089859349902066456998315283909435249794317277620588552441456327265553018986591779396701680997794937951231970194353001576159809798153970829987274504038146741
a=13256631249970000274738888132534852767685499642889351632072622194777502848070957827974250425805779856662241409663031192870528911932663995606616763982320967
b=12614470377409090738391280373352373943201882741276992121990944593827605866548572392808272414120477304486154096358852845785437999246453926812759725932442170
c1=18617698095122597355752178584860764221736156139844401400942959000560180868595058572264330257490645079792321778926462300410653970722619332098601515399526245808718518153518824404167374361098424325296872587362792839831578589407441739040578339310283844080111189381106274103089079702496168766831316853664552253142
c2=14091361528414093900688440242152327115109256507133728799758289918462970724109343410464537203689727409590796472177295835710571700501895484300979622506298961999001641059179449655629481072402234965831697915939034769804437452528921599125823412464950939837343822566667533463393026895985173157447434429906021792720
e=17

import libnum
def franklinReiter(n,e,c1,c2,a,b):
    R.<X> = Zmod(n)[]
    f1 = X^e - c1
    f2 = (X*a+ b)^e - c2
    # coefficient 0 = -m, which is what we wanted!
    return Integer(n-(compositeModulusGCD(f1,f2)).coefficients()[0]) # 系数

  # GCD is not implemented for rings over composite modulus in Sage
  # so we do our own implementation. Its the exact same as standard GCD, but with
  # the polynomials monic representation
def compositeModulusGCD(a, b):
    if(b == 0):
        return a.monic()
    else:
        return compositeModulusGCD(b, a % b)

m=franklinReiter(n,e,c1,c2,a,b)
print(libnum.n2s(int(m)))
# flag{a593591a-3749-cc52-0c27-e897fac2c967}

或者(本质一样,看起来更简洁一些):

import libnum
n=51296885372346449295388453471330409021784141081351581975478435681552082076338697136130122011636685327781785488670769096434920591920054441921039812310126089859349902066456998315283909435249794317277620588552441456327265553018986591779396701680997794937951231970194353001576159809798153970829987274504038146741
a=13256631249970000274738888132534852767685499642889351632072622194777502848070957827974250425805779856662241409663031192870528911932663995606616763982320967
b=12614470377409090738391280373352373943201882741276992121990944593827605866548572392808272414120477304486154096358852845785437999246453926812759725932442170
c1=18617698095122597355752178584860764221736156139844401400942959000560180868595058572264330257490645079792321778926462300410653970722619332098601515399526245808718518153518824404167374361098424325296872587362792839831578589407441739040578339310283844080111189381106274103089079702496168766831316853664552253142
c2=14091361528414093900688440242152327115109256507133728799758289918462970724109343410464537203689727409590796472177295835710571700501895484300979622506298961999001641059179449655629481072402234965831697915939034769804437452528921599125823412464950939837343822566667533463393026895985173157447434429906021792720
e=17
import binascii
def franklinReiter(n,e,c1,c2,a,b):
    PR.<x> = PolynomialRing(Zmod(n))
    g1 = (x)^e - c1
    g2 = (a*x+b)^e - c2

    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic() # 
    return -gcd(g1, g2)[0]

m=franklinReiter(n,e,c1,c2,a,b)
print(libnum.n2s(int(m)))
# flag{a593591a-3749-cc52-0c27-e897fac2c967}
  • 其中:
def gcd(g1, g2): 
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic() # 
    return -gcd(g1, g2)[0]
  1. 使用辗转相除法求多项式的最大公因子
  2. 在代数中,一个多项式的首项系数通常被称为该多项式的引导系数(leading coefficient),而将多项式变成首项系数为1的形式被称为将多项式化为首一形式(monic form)
  3. 调用函数g1.monic()将g1转换为首一多项式(monic polynomial),并返回该多项式。
  4. 使用g.monic()[0],则会返回g(x)除以引导系数后得到的多项式的常数项
    比如:g.monic() = x + 32412345
    那么:g.monic()[0] = 32412345

题二

题目描述:

from Crypto.Util.number import getPrime,bytes_to_long,long_to_bytes
from functools import reduce
from secret import flag, x, y

m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
n = p*q
print(n)

assert(reduce(lambda x,y:x&y,[(i-5)*i+6==0 for i in x]))
assert(reduce(lambda x,y:x&y,[(j-15)*j+44==0 for j in y]))

print(pow(reduce(lambda x,y:x*m+y,x),17,n))
print(pow(reduce(lambda x,y:x*m+y,y),17,n))

# n = 23772599983135215481563178266884362291876571759991288577057472733374903836591330410574958472090396886895304944176208711481780781286891334062794555288959410390926474473859289842654809538435377431088422352076225067494924657598298955407771484146155998883073439266427190212827600119365643065276814044272790573450938596830336430371987561905132579730619341196199420897034988685012777895002554746080384319298123154671447844799088258541911028041717897434816921424155687677867019535399434825468160227242441375503664915265223696139025407768146464383537556265875013085702422829200814612395116961538432886116917063119749068212699
# c1 = 10900151504654409767059699202929100225155892269473271859207513720755903691031362539478242920144073599515746938827937863835169270383721094542639011665235593065932998091574636525973099426040452626893461449084383663453549354608769727777329036059746386523843912382289597182615339786437186169811342356085836838520978047561127661777189045888648773949147220411427306098338616422692914110656004863767719312410906124366000507952960331116878197129010412361636679449281808407214524741732730279777729251515759320442591663641984363061618865267606007355576230009922421807527598213455112981354590909603317525854070358390622096569841
# c2 = 17298679220717326374674940612143058330715465693318467692839033642321129433471254547497087746971317567301086124779289015934582615377165560688447452762043163082394944604062014490446763247008217251611443338103074143809936437694543761369945095202092750900940979469994907399829695696313513303922266742415376818434932335640062684245008822643258497589196668426788916969378417960200705779461808292296450298558001909603602502604228973101048082095642290047196235959438278631661658312398313171590515776453711432353011579809351076532129444735206408591345372296372378396539831385036814349328459266432393612919118094115543053115450

题目分析:

  • 首先来看一下下面这一串
assert(reduce(lambda x,y:x&y,[(i-5)*i+6==0 for i in x]))

 1. [(i-5)*i+6==0 for i in x] 使用列表推导式判断等式是否成立,
    若成立,返回True,否则False,故列表中最终得到的是[True,True]
 2. 为什么是True呢,因为用了assert断言函数,
    如果为真则正常执行,如果为假则报错,过程中断
    给的题目是会正常运行下去的,故该结果应为True,
 3. 由此可以反推出x = [2,3](解方程得到),显然也可以知道下一串中y = [4,11]
 4. reduce函数是应用lambda表达式对列表([True,True])中的每一个元素依次进行异或操作

 5. PS:“lambda x,y:x&y”中的‘x’
        与
        “[(i-5)*i+6==0 for i in x]”中的‘x’
        并不是同一个!!!(如果这里清楚了,那这句话就是真的弄明白了!)
  • 所以推出(解方程相信大家都会)

x = [2,3]
y = [4,11]

  • 接下来看最后一串:
reduce(lambda x,y:x*m+y,x)

这里就不过多说理论方面的了,我直接举个例子吧

x = [1,2,3,4]
reduce(lambda x,y:x+y,x),使用reduce对x进行累积
x = 1,y = 2,==>
x+y = 3 ①
x = ①,y = 3,==>
x+y = 6 ②
x = ②,y = 4,==>
x+y = 10 ③
即 1+2+3+4

最终得到的结果为10
再举个更难一点的例子

x = [1,2,3,4]
reduce(lambda x,y:x*m+y,x),使用reduce对x进行累积
x = 1,y = 2,==>
x*m+y = 1*m+2 ①
x = ①,y = 3,==>
x*m+y = (1*m+2)*m+3 ②
x = ②,y = 4,==>
x*m+y = ((1*m+2)*m+3)*m+4 ③

最终得到的即为式③

  • 由此可以得知题目中
reduce(lambda x,y:x*m+y,x) = 2*m+3
reduce(lambda x,y:x*m+y,y) = 4*m+11
  • 最终得到:
c1 = pow(2*m+3,17,n)
c2 = pow(4*m+11,17,n)
  • 又是典型的Franklin-Reiter相关消息攻击,直接上代码解题
import libnum
n = 23772599983135215481563178266884362291876571759991288577057472733374903836591330410574958472090396886895304944176208711481780781286891334062794555288959410390926474473859289842654809538435377431088422352076225067494924657598298955407771484146155998883073439266427190212827600119365643065276814044272790573450938596830336430371987561905132579730619341196199420897034988685012777895002554746080384319298123154671447844799088258541911028041717897434816921424155687677867019535399434825468160227242441375503664915265223696139025407768146464383537556265875013085702422829200814612395116961538432886116917063119749068212699
c1 = 10900151504654409767059699202929100225155892269473271859207513720755903691031362539478242920144073599515746938827937863835169270383721094542639011665235593065932998091574636525973099426040452626893461449084383663453549354608769727777329036059746386523843912382289597182615339786437186169811342356085836838520978047561127661777189045888648773949147220411427306098338616422692914110656004863767719312410906124366000507952960331116878197129010412361636679449281808407214524741732730279777729251515759320442591663641984363061618865267606007355576230009922421807527598213455112981354590909603317525854070358390622096569841
c2 = 17298679220717326374674940612143058330715465693318467692839033642321129433471254547497087746971317567301086124779289015934582615377165560688447452762043163082394944604062014490446763247008217251611443338103074143809936437694543761369945095202092750900940979469994907399829695696313513303922266742415376818434932335640062684245008822643258497589196668426788916969378417960200705779461808292296450298558001909603602502604228973101048082095642290047196235959438278631661658312398313171590515776453711432353011579809351076532129444735206408591345372296372378396539831385036814349328459266432393612919118094115543053115450
e = 17
import binascii
def franklinReiter(n,e,c1,c2):
    PR.<x> = PolynomialRing(Zmod(n))
    g1 = (2*x+3)^e - c1
    g2 = (4*x+11)^e - c2

    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()
    return -gcd(g1, g2)[0]

m=franklinReiter(n,e,c1,c2)
print(libnum.n2s(int(m)))
# flag{r54__r3l473d_m355463_4774ck_4l50_c4ll3d_fr4nkl1n_r3173r_4774ck~}

题三

(NEEPUSec CTF 2021 RSA)

题目描述:

from Crypto.Util.number import *
from sympy import nextprime
import gmpy2
import random

def encode (p1,p2,e):
    not_hint = (p1 + 1) * (p2 + 1)
    S = gmpy2.invert(e, not_hint)
    not_p = S%(p1+1)
    return not_p

flag = b'Neepu{********************}'
flag = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
n = p*q
e = nextprime(random.randint(1,1000))
d = gmpy2.invert(e, (p-1)*(q-1))
c = pow(flag, e, n)
print(c)
print(n)

m = encode(p, q, e)
c1 = pow(m, 7, n)
c2 = pow(m+e, 7, n)
print(c1)
print(c2)

c = 78543767285872349029076059073458316000847341792088805258173041942425687239313215276670106926320359777962661495032475004417723103701253550583245518206305422982968675291500865382213182669036827898932991063338163290845510339896689210314509493839746410486257998875782496654704288722251878269643040214139429715671
n = 91995272927105081122659192011056020468305570748555849650309966887236871318156855318666540461669669247866754568189179687694315627673545298267458869140096224628114424176937828378360997230874932015701507629238213240839370628366083111028544554453150572165461450371411341485911677167168492357154684642531577228543
c1 = 10186066785511829759164194803209819172224966119227668638413350199662683285189286077736537161204019147791799351066849945954518642600518196927152098131117402608793752080104402893792812059620726950782670809837962606250674588612783027976958719051829085903720655233948024280118985875980227528403883475592567727892
c2 = 46182103994299145562022812023438495797686077104477472631494150222038404419414100727667171290098624214113241032861128455086601197239761085752413519627251290509474327611253599768650908336142621210005389246714504358370629231557080301516460985022782887233790302054696967900384601182742759555421864610431428746119

题目分析:

c1 = pow(m, 7, n)
c2 = pow(m+e, 7, n)

很熟悉的两串,但其中有两个未知数,以上两题都只有一个未知数,所以先要把e给求出来,再使用Franklin-Reiter相关消息攻击求出m。如何求e呢,这里便用到了短填充攻击(Coppersmith’s short-pad attack)【目前本人也没看此攻击手法,等推到了原理再说】,不多说,直接上解题代码

def short_pad_attack(c1, c2, e, n):
    PRxy.< x, y > = PolynomialRing(Zmod(n))
    PRx.< xn > = PolynomialRing(Zmod(n))
    PRZZ.< xz, yz > = PolynomialRing(Zmod(n))
    g1 = x ^ e - c1
    g2 = (x + y) ^ e - c2
    q1 = g1.change_ring(PRZZ)
    q2 = g2.change_ring(PRZZ)
    h = q2.resultant(q1)
    h = h.univariate_polynomial()
    h = h.change_ring(PRx).subs(y=xn)
    h = h.monic()
    kbits = n.nbits() // (2 * e * e)
    diff = h.small_roots(X=2 ^ kbits, beta=0.4)[0]  # find root < 2^kbits with factor >= n^0.4
    return diff


def related_message_attack(c1, c2, diff, e, n):
    PRx.< x > = PolynomialRing(Zmod(n))
    g1 = x ^ e - c1
    g2 = (x + diff) ^ e - c2

    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()

    return -gcd(g1, g2)[0]


if __name__ == '__main__':
    c2 = 10186066785511829759164194803209819172224966119227668638413350199662683285189286077736537161204019147791799351066849945954518642600518196927152098131117402608793752080104402893792812059620726950782670809837962606250674588612783027976958719051829085903720655233948024280118985875980227528403883475592567727892
    c1 = 46182103994299145562022812023438495797686077104477472631494150222038404419414100727667171290098624214113241032861128455086601197239761085752413519627251290509474327611253599768650908336142621210005389246714504358370629231557080301516460985022782887233790302054696967900384601182742759555421864610431428746119
    n = 91995272927105081122659192011056020468305570748555849650309966887236871318156855318666540461669669247866754568189179687694315627673545298267458869140096224628114424176937828378360997230874932015701507629238213240839370628366083111028544554453150572165461450371411341485911677167168492357154684642531577228543
    e = 7
    diff = short_pad_attack(c1, c2, e, n)
    print("difference of two messages is %d" % diff)
    m1 = related_message_attack(c1, c2, diff, e, n)
    print("m1:", m1)
    print("m2:", m1 + diff)
  • 另一种方法求m(直接爆破e):
import binascii
def attack(c1, c2, n, e):
    PR.<x> = PolynomialRing(Zmod(n))
    g1 = (x)^7 - c1
    g2 = (x+e)^7 - c2

    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()
    return -gcd(g1, g2)[0]
c1 = 10186066785511829759164194803209819172224966119227668638413350199662683285189286077736537161204019147791799351066849945954518642600518196927152098131117402608793752080104402893792812059620726950782670809837962606250674588612783027976958719051829085903720655233948024280118985875980227528403883475592567727892
c2 = 46182103994299145562022812023438495797686077104477472631494150222038404419414100727667171290098624214113241032861128455086601197239761085752413519627251290509474327611253599768650908336142621210005389246714504358370629231557080301516460985022782887233790302054696967900384601182742759555421864610431428746119
n = 91995272927105081122659192011056020468305570748555849650309966887236871318156855318666540461669669247866754568189179687694315627673545298267458869140096224628114424176937828378360997230874932015701507629238213240839370628366083111028544554453150572165461450371411341485911677167168492357154684642531577228543

for e in range(1,1000):
    m = attack(c1, c2, n, e)
    try:
        if pow(m,7,n) == c1:
            print((e,m))
    except:
        pass
#结果:(71, 129256555243625096140386916253259867206651269142565502540823654159666398099455456877012993395632742360829588042575108302297567291349420390228163587340859)
#e = 71
#m = 129256555243625096140386916253259867206651269142565502540823654159666398099455456877012993395632742360829588042575108302297567291349420390228163587340859
  • 求到m,又m = s % (p+1) = d % (p+1),这不就类似于dp泄露吗,简单推导一下,把加1换成减1即可得到p,q,直接上解题代码了
import gmpy2
from Crypto.Util.number import *
e = 71
# m = 129256555243625096140386916253259867206651269142565502540823654159666398099455456877012993395632742360829588042575108302297567291349420390228163587340859
c = 78543767285872349029076059073458316000847341792088805258173041942425687239313215276670106926320359777962661495032475004417723103701253550583245518206305422982968675291500865382213182669036827898932991063338163290845510339896689210314509493839746410486257998875782496654704288722251878269643040214139429715671
n = 91995272927105081122659192011056020468305570748555849650309966887236871318156855318666540461669669247866754568189179687694315627673545298267458869140096224628114424176937828378360997230874932015701507629238213240839370628366083111028544554453150572165461450371411341485911677167168492357154684642531577228543
# dp = m ,类似的dp
dp = 129256555243625096140386916253259867206651269142565502540823654159666398099455456877012993395632742360829588042575108302297567291349420390228163587340859
for i in range(1,65535):
    p = (dp*e-1)//i-1
    if n%p == 0:
        q = n//p
        d = gmpy2.invert(e, (p - 1) * (q - 1))
        flag = pow(c,d,n)
        print(long_to_bytes(flag))
        break
# Neepu{Have-a-g00d-day12138}

收获与体会:

学到挺多,对相关消息攻击掌握了,对reduce(),lambda()函数理解更透彻了,
学到了dp泄露的另一种变形,嗯,不得不说,收获挺大的

浅记一下:

做完NEEPUSec CTF 2023后,感觉这个比赛的题目质量很不错,于是就找了一下它往年的题,然后就做到了NEEPUSec CTF 2021 RSA这题。一开始看它题目描述感觉很简单,但推来推去也只能得到 m * e = 1 % (p+1),m和e还是不知道,结果就是,啥都没求出来。看完wp后知道原来这里对m,e的求解有具体知识点,于是查找了很多资料,最终把这题给弄懂了。

其实一开始是本着直接套脚本的想法,但突然想到了某位前辈说的一句话 “我们是搞网络安全的,不是找flag的ctfer,别把两者搞反了”。
但其实说完全弄懂这题还是有些勉强,里面有一些小点还是不太懂的,比如求公因子后会得到x-M,其中M即为所求的m,不太明白(挠头),比如短填充攻击(还没找资料看),总之大体步骤和含义是清楚了。

2023/06/08 来解疑了:

在这里插入图片描述

理解为什么是x - M2了,M2是f(x) - c1 = 0 (mod N)的一个解,把 f(x) - c1 写成下面的形式:f(x) - c1 = (x - M2) * g(x) + r(x),其中,g(x) 是商式,r(x) 是余数多项式,需要证明当 x = M2时,r(x) 的值为 0。如果 r(x) 的值不为 0,那么 f(M2) - c1 的值就不为 0,这与知道事实相矛盾。因此,当 x = M2 时,r(x) 的值必须为 0,所以说,f(x) - c1 能够被 (x - M2) 整除,意味着 x - M2 是 f(x) - c1 的一个因子,同理x - M2 也是x ^ e - c2 = 0 (mod N)的一个因子

题四

(于2023-09-17记录)
题目描述:

from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
p1, q1 = getPrime(512), getPrime(512)
n1 = p1*q1
e = 65537

p2, q2 = getPrime(512), getPrime(512)
n2 = p2*q2

print(f'n1 = {n1}')
print(f'n2 = {n2}')
print(f'c1 = {pow(m,e,n2)}')
print(f'c2 = {pow(n1-m,e,n2)}')

# n1 = 52579135273678950581073020233998071974221658902576724000130040488018033110534210901239397446395736563148970863970460542205225993317478251099451639165369081820130823165642873594136020122857712288395352930384057524510346112486008850200845915783772351449146183974239444691330777565342525218070680067550270554767
# n2 = 68210568831848267339414957973218186686176324296418282565773310695862151827108036984694027795077376921170907068110296451176263520249799154781062517066423984526868547296781709439425857993705489037768605485740968600877866332458671029054092942851472208033494968784822459369206497698469167909174346042658361616469
# c1 = 42941712708129054668823891960764339394032538100909746015733801598044118605733969558717842106784388091495719003761324737091667431446354282990525549196642753967283958283202592037329821712755519455155110675327321252333824912095517427885925854391047828862338332559137577789387455868761466777370476884779752953853
# c2 = 62704043252861638895370674827559804184650708692227789532879941590038911799857232898692335429773480889624046167792573885125945511356456073688435911975161053231589019934427151230924004944847291434167067905803180207183209888082275583120633408232749119300200555327883719466349164062163459300518993952046873724005

题目分析:
线性相关,想到相关消息攻击
不过此题比较特殊,e很大,用上面的脚本跑大概要1个小时,这里引入另一种解法,half gcd算法
参考:
https://www.cnblogs.com/whx1003/p/16217087.html

代码参考:
https://github.com/rkm0959/rkm0959_implements/blob/main/Half_GCD/code.sage

常规:

from Crypto.Util.number import *

e = 65537
n1 = 52579135273678950581073020233998071974221658902576724000130040488018033110534210901239397446395736563148970863970460542205225993317478251099451639165369081820130823165642873594136020122857712288395352930384057524510346112486008850200845915783772351449146183974239444691330777565342525218070680067550270554767
n2 = 68210568831848267339414957973218186686176324296418282565773310695862151827108036984694027795077376921170907068110296451176263520249799154781062517066423984526868547296781709439425857993705489037768605485740968600877866332458671029054092942851472208033494968784822459369206497698469167909174346042658361616469
c1 = 42941712708129054668823891960764339394032538100909746015733801598044118605733969558717842106784388091495719003761324737091667431446354282990525549196642753967283958283202592037329821712755519455155110675327321252333824912095517427885925854391047828862338332559137577789387455868761466777370476884779752953853
c2 = 62704043252861638895370674827559804184650708692227789532879941590038911799857232898692335429773480889624046167792573885125945511356456073688435911975161053231589019934427151230924004944847291434167067905803180207183209888082275583120633408232749119300200555327883719466349164062163459300518993952046873724005

def attack(c1, c2):
    PR.<x>=PolynomialRing(Zmod(n2))
    g1 = x^e - c1
    g2 = (n1-x)^e - c2

    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
            if(g2.degree() % 100 == 0):
                print(g2.degree())
        return g1.monic()
    return -gcd(g1, g2)[0]

m1 = attack(c1, c2)
flag = long_to_bytes(int(m1))
print(flag)

half gcd:

from Crypto.Util.number import *
import sys

def HGCD(a, b):
    if 2 * b.degree() <= a.degree() or a.degree() == 1:
        return 1, 0, 0, 1
    m = a.degree() // 2
    a_top, a_bot = a.quo_rem(x^m)
    b_top, b_bot = b.quo_rem(x^m)
    R00, R01, R10, R11 = HGCD(a_top, b_top)
    c = R00 * a + R01 * b
    d = R10 * a + R11 * b
    q, e = c.quo_rem(d)
    d_top, d_bot = d.quo_rem(x^(m // 2))
    e_top, e_bot = e.quo_rem(x^(m // 2))
    S00, S01, S10, S11 = HGCD(d_top, e_top)
    RET00 = S01 * R00 + (S00 - q * S01) * R10
    RET01 = S01 * R01 + (S00 - q * S01) * R11
    RET10 = S11 * R00 + (S10 - q * S11) * R10
    RET11 = S11 * R01 + (S10 - q * S11) * R11
    return RET00, RET01, RET10, RET11
    
def GCD(a, b):
    print(a.degree(), b.degree())
    q, r = a.quo_rem(b)
    if r == 0:
        return b
    R00, R01, R10, R11 = HGCD(a, b)
    c = R00 * a + R01 * b
    d = R10 * a + R11 * b
    if d == 0:
        return c.monic()
    q, r = c.quo_rem(d)
    if r == 0:
        return d
    return GCD(d, r)

sys.setrecursionlimit(500000)

e = 65537
n1 = 52579135273678950581073020233998071974221658902576724000130040488018033110534210901239397446395736563148970863970460542205225993317478251099451639165369081820130823165642873594136020122857712288395352930384057524510346112486008850200845915783772351449146183974239444691330777565342525218070680067550270554767
n2 = 68210568831848267339414957973218186686176324296418282565773310695862151827108036984694027795077376921170907068110296451176263520249799154781062517066423984526868547296781709439425857993705489037768605485740968600877866332458671029054092942851472208033494968784822459369206497698469167909174346042658361616469
c1 = 42941712708129054668823891960764339394032538100909746015733801598044118605733969558717842106784388091495719003761324737091667431446354282990525549196642753967283958283202592037329821712755519455155110675327321252333824912095517427885925854391047828862338332559137577789387455868761466777370476884779752953853
c2 = 62704043252861638895370674827559804184650708692227789532879941590038911799857232898692335429773480889624046167792573885125945511356456073688435911975161053231589019934427151230924004944847291434167067905803180207183209888082275583120633408232749119300200555327883719466349164062163459300518993952046873724005

R.<x> = PolynomialRing(Zmod(n2))
f = x^e - c1
g = (n1 - x)^e - c2

res = GCD(f,g)
print(long_to_bytes(int(-res.monic().coefficients()[0])))

gcd的结果是 ax - b,我们要得到的是x - m,用monic()将ax - b化为首一多项式即x系数位1,如此得到x - m,然后用coefficients()[0]提取到-m,最后再添个符号得到flag。漂亮!

Emmaaaaaaaaaa
关注
  • 7
    点赞
  • 16
    收藏
    觉得还不错? 一键收藏
  • 4
    评论
专栏目录
Franklin-s-Algorithm:富兰克林算法
05-19
富兰克林算法 富兰克林算法 富兰克林算法旨在提高Chang-Roberts算法的消息复杂度。 每个活动进程p反复将自己的ID与两端最近的活动邻居的ID进行比较。 如果这样的邻居具有较大的id,则p变为被动。 这样可以避免消息不必要地传播。 让我们看一下Chang-Roberts算法{考虑有向环。 该算法的思想是,只有ID最高的消息才能在环中完成一轮。 每个发起方都会发送一条消息,并标上其ID。 当p收到q <p> p的q时,它将变为被动,并传递消息。 当p收到p时,它将成为领导者。 被动进程(包括所有非启动程序)传递消息。 最坏情况的消息复杂度:O(N2)平均情况下的消息复杂度:O(N logN)} 富兰克林算法{考虑无向环。 最初,启动器是主动的,非启动器是被动的。 每个活动进程都将其ID发送给任一侧的邻居。 如果max(q,r)<p,则让活动进程
Python库 | franklin-0.6-py3-none-any.whl
03-20
python库,解压后可用。 资源全名:franklin-0.6-py3-none-any.whl
RSA攻击方式一览--自查表
BlusKing
01-31 2891
粗略整理RSA的攻击方式, 欢迎指正和补充。 ·p,q 过大或过小:n可能被分解 ·p,q过近:导致n开方可得近似值 ·e过小:低加密指数攻击 ·明文过小:小明文攻击 ·e很大:Wiener-attack ·e=2:Rabin算法 ·低加密指数广播攻击:e较小,并且使用不同的n,多次加密相同的明文。 ·共模攻击:对于同一明文m,使用同样的n,不同的e分别进行加密 ·共...
密码学基础知识
lzce111的博客
06-05 2658
密码是一种用来混淆的技术,它希望将正常的、可识别的信息转变为无法识别的信息。 密码学是研究编制密码和破译密码的技术科学。 密码编码学侧重着加密,即编码。。密码分析学侧重解密,即破译 密码学是保障信息安全的核心,信息安全密码学研究与发展的目的。 信息安全的基本属性: 完整性。指信息在存储或传输过程中保持不被修改、不被破坏、不被插入、不延迟、不乱序和不丢失的特性,保证真实的信息从真实的信源无失真地到达真实的信宿。保密性。指严密控制各个可能泄密的环节,使信息在产生、传输、处理和存储的各个.
【Neepuctf】Crypto部分writeup
a5555678744的博客
05-24 824
Crypto方向 1.RSA 先看一下代码,分析一下逻辑,要想得到flag,不仅要知道n的分解方式,还需要知道e是多少,那么把目标分解为两步,而这两者都和encode(p,q,e)有关。 分析到encode(p,q,e)里面,发现这个函数里面,S是e的模逆,(m*e-1)%(p+1)==0 那么就知道一定要先搞定m和e就可以搞定p了 求e的过程 这是明显的padding Oracle攻击可以用富兰克林算法搞定 注意以下脚本并非python脚本而是sagemath脚本,需要在sag.
相关信息攻击-Franklin-Reiter
刘十三t的博客
09-14 475
函数先从列表(或序列)中取出2个元素执行指定函数,并将输出结果与第3个元素传入函数,输出结果再与第4个元素传入函数,…,以此类推,直到列表每个元素都取完。是上述两个多项式的根,因此它们有一个公因子。通常被称为该多项式的引导系数。除以引导系数后得到的多项式的。是未知的,所以我们需要先解出。都是比较小的,但也会出现**简单来说,相关信息攻击就是。理清题目思路,本题要得到。比较大**的情况,这时用。,今天来系统学习一下。,攻击者就可以恢复消息。素数中的一个,遍历一下。在代数中,一个多项式的。
典型的Franklin-Reiter attack攻击题目--base64解码+Escape解码+base92+十六进制转字符+base16解码题目--web空格过滤注入题目
weixin_55631415的博客
11-23 593
典型的Franklin-Reiter attack攻击题目--base64解码+Escape解码+base92+十六进制转字符+base16解码题目--web空格过滤注入题目
Short padding attack
weixin_42769240的博客
03-24 251
Short padding attack 前几天的nepctf中遇到一个short padding attack的题目childrsa,而且padding长度也很合适,本以为可以直接用别人的脚本跑出来,因为我不懂原理也无从考证原因 题目如下 已知c1,c2的值N是2048bit, r1,r2是170bit的质数c_1 , c_2的值 \\ N是2048bit, \ r_1, r_2是170bit的质数c1​,c2​的值N是2048bit, r1​,r2​是170bit的质数 {c1≡(
RSA相关攻击
Givememercy的博客
03-05 172
RSA相关攻击简要摘录
###RSA相关攻击内容
DeeBaTO的博客
12-07 260
###RSA相关攻击内容 第一次write…2020.12.7 written by 8470 1.rsa关于dp泄露的攻击 ​ 已知n,c,e,dp: 因为:dp%(p−1)=d%(p−1);d∗e%ϕ(n)=1 因为:dp\%(p-1)=d\%(p-1);d*e\%\phi(n)=1 因为:dp%(p−1)=d%(p−1);d∗e%ϕ(n)=1 所以就可以通过这个得出:(d∗e)%(p−1)=1;(dp∗e)%(p−1)=(d∗e)%(p−1
franklin-resume:我的简历
05-01
_____ _ _ _ ____| ___ | __ __ _ _ __ | | _ | (_)_ __ | _ \ ___ ___ _ _ _ __ ___ ___| | _ | ' __/ _` | ' _ \| | / / | | ' _ \ | |_) / _ \/ __| | | | ' _ ` _ \ / _ \| _ || | | (_ | | | | | <...
franklin-开源
05-02
富兰克林(Franklin)是一种工具,用于记录来自各种测试的数据并将其存储以供以后以图表形式显示。 借助富兰克林,您可以监视例如您的网站ping,pagerank,索引页面等。 您也可以创建自己的测试! 在
franklin-le.github.io
03-07
franklin-le.github.io
ip icmp flood 等 常见的攻击
phone1126的专栏
09-12 6624
SYN Flood攻击:   在TCP连接的三次握手中,假设一个用户向服务器发送了SYN报文后突然死机或掉线,那么服务器在发出SYN+ACK应答报文后是无法收到客户端的ACK报文的(第三次握手无法完成),这 种情况下服务器端一般会重试(再次发送SYN+ACK给客户端)并等待一段时间后丢弃这个未完成的连接,这段时间的长度我们称为SYN Timeout,一般来说这个时间是分钟的数量级(大约为30秒 ...
消息重放攻击以及预防方法
dazhongliu666的博客
09-10 1347
是指攻击者利用其消息再生能力生成用户所期望的消息格式,并重新发送,从而达到破坏协议安全性的目的。其实质为消息的新鲜性不能得到保证。
CTF密码学部分知识总结(二)
weixin_41038905的博客
04-28 2640
目录1.低指数攻击2.Rabin攻击(e=2,n可分解)3.低指数广播攻击(多组c和n,e相同)4.Wiener攻击(e很大)5.Boneh and Durfee attack6.Related Message Attack(e=3)7.Coppersmith's short-pad attack(e!=3)8.Coppersmith定理攻击(知道部分P)9.共模攻击10.共享素数攻击(多组n和c...
斯坦福大学的在线密码学课程
最新发布
mseoffice的博客
05-08 488
课程首先将详细讨论当强大的对手窃听和篡改流量时,拥有共享密钥的双方如何进行安全通信。在整个课程中,学员将接触到该领域许多令人兴奋的公开问题,并参与有趣的(可选的)编程项目。在第二门课程(密码 II)中,我们将介绍更高级的密码任务,如零知识、隐私机制和其他形式的加密。斯坦福的密码学课程[good] btw,最近山东大学的王美琴老师主编的《密码分析学》出版了,很赞,方法梳理得很系统。流密码在语义上是安全的 [可选]•10 分钟。来自密码和 MAC 的构造•20 分钟。来自 PRG 的分组密码•11 分钟。
学习《现代密码学——基于安全多方计算协议的研究》 第二章
weixin_67944207的博客
05-07 665
内容探讨了现代密码学中常用的数学基础知识,包括素数、模运算和群论等概念。此外,还介绍了密码学中的困难性假设,如大数分解困难性假设、离散对数困难性假设以及Diffie-Hellman问题。
《现代密码学——基于安全多方计算协议的研究》 第二章中Diffie-Hellman问题深入探讨
weixin_67944207的博客
05-07 385
其中, (p ) 是一个大质数,而 (g ) 是 (p ) 的一个原根,也就是 (g ) 的幂按模 (p ) 可以得到从1到 (p-1 ) 所有整数的集合。现在,Alice 和 Bob 都得到了相同的共享密钥 (K = 2 ),并且其他人很难通过公开的值 (A )、 (B ) 和 (p )、 (g ) 推断出这个密钥。4. 交换公开值 (A ) 和 (B ) :Alice和Bob交换他们计算出的公开值 (A ) 和 (B )。
franklin, "feedback control of dynamic systems," 6th edition isbn: 0-13-601969-2. free pdf
10-22
《Franklin, “动态系统的反馈控制”第六版,ISBN: 0-13-601969-2》是一本关于动态系统的反馈控制的教材。这本书是由Franklin等人编写的,该书的主要目的是帮助读者理解和应用动态系统的反馈控制方法。 这本教材的第六版是一本很有价值的教材,其中包含了大量的理论和实践的内容。它涵盖了反馈控制的基本原理、数学分析以及实际应用。书中的内容丰富多样,包括控制系统的建模、传递函数、稳定性分析、控制器设计等。它还介绍了现代控制理论中常见的方法和技巧,如根轨迹法、频率响应法、状态空间法等。 针对该书的价值,作者Franklin提供了免费的PDF版本,这为广大读者提供了方便。通过阅读这本书,读者可以深入了解动态系统的反馈控制原理,并且可以通过实例和练习来加深对控制方法的理解和掌握。这本书的理论部分与实践部分相结合,帮助读者将所学的知识应用到实际的工程问题中。 总而言之,《Franklin, “动态系统的反馈控制”第六版,ISBN: 0-13-601969-2》是一本内容丰富、全面的教材,适合学习动态系统反馈控制的读者使用。无论是有一定控制理论基础的学生还是从业人员,都可以通过阅读这本书来深入学习和掌握反馈控制的方法和技巧。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 4
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值