Alice decides to use RSA with the public key N = 1889570071. In order to guard against transmission errors, Alice has Bob encrypt his message twice, once using the encryption exponent e1 = 1021763679 and once using the encryption exponent e2 = 519424709. Eve intercepts the two encrypted messages
c1 = 1244183534 and c2 = 732959706. Assuming that Eve also knows N and the two encryption exponents e1 and e2. Please help Eve recover Bob’s plaintext without finding a factorization of N.
选做,交电子版,写成md文档,交链接。提示:简单题,不同于共用模数攻击。
易得:
gcd(e1,e2)=1
则存在一对正反整数s1、s2使得:
e1∗s1+e2∗s2=1
由egcd可求出s1、s2:
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
s1=252426389
s2=−496549570
公式变换:
c1=me1modNc2=me2modNcs11∗cs22=(me1modN)s1∗(me2modN)s2(cs11∗cs22)modN=((me1modN)s1∗(me2modN)s2)modN(cs11∗cs22)modN=((me1)s1∗(me2)s2)modN(cs11∗cs22)modN=(me1∗s1+e2∗s2)modN
由前面的 e1∗s1+e2∗s2=1 得:
(cs11∗cs22)modN=(m1)modN
由RSA的解密公式可得 m<N ,所以
(cs11∗cs22)modN=m
最后就用快速幂取模算法求解: (cs11∗cs22)modN
def fastExpMod(b, e, m):
result = 1
while e != 0:
if (e&1) == 1:
result = (result * b) % m
e >>= 1
b = (b*b) % m
return result
需要注意:显然用快速幂取模算法不能直接算负数次幂,因此需要先求 c2的N模反元素
cs22modN=(c−12)−s2modN
最后求得:
cs11modN=1031756109
cs22modN=603385073
m=(cs11modN∗cs22modN)modN=1054592380
ps:不是很懂题目提示说的:不同于共模攻击