可以加密,但是解密的时候最后要%n,所以解出来的m肯定小于n。所以true_m出不来了,但解出来的fake_m满足同余:
import uuid
import libnum
import gmpy2
flag = "flag{" + str(uuid.uuid4()) + "}"
print(flag)
e = 65537
m = libnum.s2n(flag.encode())
p1 = libnum.generate_prime(128)
q1 = libnum.generate_prime(128)
p2 = libnum.generate_prime(128)
q2 = libnum.generate_prime(128)
print("p1=", p1)
print("q1=", q1)
print("p2=", p2)
print("q2=", q2)
n1 = p1 * q1
n2 = p2 * q2
print("n1=", n1)
print("n2=", n2)
c1 = pow(m, e, n1)
c2 = pow(m, e, n2)
print("c1=", c1)
print("c2=", c2)
p1 = 241529374856419543994843741620715478233
q1 = 329891612475502969315412700917758756573
p2 = 179415062328238613586720079938194290751
q2 = 281209161331996176661322999324485217597
n1 = 79678514931584446837886795964984740987618425126262080131520484181733127175509
n2 = 50453159207651801862952938090505477143503284591035016948403490994601319545347
c1 = 10906371165492800616190805676717306177005704888515733402096006986355132032250
c2 = 47055855052437161522184969745110429012879528443871661682592147046669796586664
思路1:用crt扩大N,然后正常解密。
m=libnum.solve_crt([c1,c2],[n1,n2])
phi=(p1-1)*(q1-1)*(p2-1)*(q2-1)
d=pow(e,-1,phi)
M=pow(m,d,n1*n2)
print(libnum.n2s(int(M)))
思路2:用crt合成fake_m1,fake_m2,取得true_m.
def rsa(p,q,c,e):
n=p*q
phi=(q-1)*(p-1)
d=pow(e,-1,phi)
m=pow(c,d,n)
return m
m1=rsa(p1,q1,c1,e)
m2=rsa(p2,q2,c2,e)
M=libnum.solve_crt([m1,m2],[n1,n2])
print(libnum.n2s(int(M)))
b'flag{b204d8a4-0186-48c4-9c5f-2d02d267c326}'