[CryptoHack] RSA-PUBLICEXPONENT Write-Up_rsa endless email-CSDN博客

本文链接：https://blog.csdn.net/dlfls0710/article/details/117721614

本文详细介绍了RSA公开指数解密的六个挑战，包括Salty、Modulus Inutilis等，涉及e=1、e=3等特殊情况下解密策略，如Wiener's Attack、骨赫-杜菲攻击，并提及了Hastad's Broadcast Attack。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

RSA-PUBLICEXPONENT目录

5. Everything is still big

6. Endless Emails

1. Salty

这道题的题目就是大大的提示

解题重点在于 e = 1

具体原理讲解在下面链接里，（建议）简单阅读一下：

https://stackoverflow.com/questions/17490282/why-is-this-commit-that-sets-the-rsa-public-exponent-to-1-problematic

解题思路：

$\because d = 1 mod (p-1)(q-1)$

$\therefore c = m^{1} (mod N)$

因为已知N是非常大的数字，所以我们能够得出结论m一定小于N 既 c = m

from Crypto.Util.number import *
n=110581795715958566206600392161360212579669637391437097703685154237017351570464767725324182051199901920318211290404777259728923614917211291562555864753005179326101890427669819834642007924406862482343614488768256951616086287044725034412802176312273081322195866046098595306261781788276570920467840172004530873767                                                                  
e = 1
ct = 44981230718212183604274785925793145442655465025264554046028251311164494127485
print(long_to_bytes(ct))
#crypto{saltstack_fell_for_*****}

2. Modulus Inutilis

这道题的解题重点在于 e = 3

解题思路：

$m = c ^{1/3}$

单纯的立方根会导致失去一部分的m，所以先提高精准度

下面是关于gmpy.get_context().precision具体讲解：

https://gmpy2.readthedocs.io/en/latest/mpfr.html

from Crypto.Util.number import *
from gmpy2 import *
n=17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883
e = 3
ct=243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957

ctx=get_context()
ctx.precision = 3000 #提高精准度
m = cbrt(ct) #求出cube root
print(long_to_bytes(m))
#crypto{****_m04R_p4dd1ng}

3. Everything is Big

这道题的解题重点在于e的值非常大，自然d的值就非常小了

解题思路：利用 Wiener's Attack

from __future__ import print_function
import libnum

def continued_fractions_expansion(numerator,denominator):#(e,N)
	result=[]
 
	divident = numerator % denominator
	quotient = numerator //denominator
	result.append(quotient)
 
	while divident != 0:
		numerator = numerator - quotient * denominator
 
		tmp = denominator
		denominator = numerator
		numerator = tmp
 
		divident = numerator % denominator
		quotient = numerator //denominator
		result.append(quotient)
 
	return result
 
def convergents(expansion):
	convergents=[(expansion[0], 1)]
	for i in range(1, len(expansion)):
		numerator = 1
		denominator = expansion[i]
		for j in range(i - 1, -1, -1):
			numerator += expansion[j] * denominator
			if j==0:
				break
			tmp = denominator
			denominator = numerator
			numerator = tmp
		convergents.append((numerator, denominator)) #(k,d)
	return convergents
 
def newtonSqrt(n):
	approx = n // 2
	better = (approx + n //approx) // 2
	while better != approx:
	    approx = better
	    better = (approx + n // approx) // 2
	return approx
 
def wiener_attack(cons, e, N):
	for cs in cons:
		k,d = cs
		if k == 0:
			continue
		phi_N = (e * d - 1) // k
		#x**2 - ((N - phi_N) + 1) * x + N = 0
		a = 1
		b = -((N - phi_N) + 1)
		c = N
		delta = b * b - 4 * a * c
		if delta <= 0:
			continue
		x1 = (newtonSqrt(delta) - b)//(2 *