食用简介
下面是本人新生赛时遇到的一些RSA密码题,题目名后大概写有类型便于查找
题目较多可以选择性食用
1.buuctf RSA
题目:在一次RSA密钥对生成中,假设p=473398607161,q=4511491,e=17,求解出d作为flag提交
import gmpy2
p,q,e=473398607161,4511491,17
d=int(gmpy2.invert(e,(p-1)*(q-1)))
print(d);
#flag{125631357777427553}
2.[SWPUCTF 2021 新生赛]crypto2 # 共模攻击
题目
flag = '***************'
p = getPrime(512)
q = getPrime(512)
m = bytes_to_long(bytes(flag.encode()))
n = p*q
e1 = getPrime(32)
e2 = getPrime(32)
print()
c1 = pow(m,e1,n)
c2 = pow(m,e2,n)
脚本
from gmpy2 import *
from Crypto.Util.number import *
c1 = 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280
c2 = 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075
e1 = 3247473589
e2 = 3698409173
n = 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313
_ ,s1 ,s2 = gcdext(e1,e2)
m = pow(c1,s1,n) * pow(c2,s2,n) % n
print(long_to_bytes(m))
# NSSCTF{xxxxx******xxxxx}
3.[羊城杯 2021]Bigrsa #共享素数
题目
n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
e = 65537
m = bytes_to_long(flag)
r1 = pow(m, e, n1)
r2 = pow(r1, e, n2)
脚本
r2 = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264
n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
p = GCD(n1,n2)
q1 = 10169921435575123642561867469669552661717864247752251361375671837367086221354750692635829007786009042729357644276462913457660789233674358081650339142863821
q2 = 11300955505231233842374743324817494386700809291852528704864397779486924493760947925710590633254027339824598181322986060728301639209174112581120081509548753
e = 65537
phin1 = (q1-1)*(p-1)
phin2 = (q2-1)*(p-1)
d1 = inverse(e,phin1)
d2 = inverse(e,phin2)
r1 = pow(r2,d2,n2)
m = pow(r1,d1,n1)
print(long_to_bytes(m))
4.[鹤城杯 2021]Crazy_Rsa_Tech #低指数广播加密
题目
FLAG = bytes_to_long(pad(b"flag{??????}",64))
def init_key():
p, q = getPrime(512), getPrime(512)
n = p*q
e = 9
while(GCD((p-1)*(q-1),e)!=1):
p, q = getPrime(512), getPrime(512)
n = p*q
d = inverse(e,(p-1)*(q-1))
return n,e,d
n_list=list()
c_list=list()
for i in range(9):
N,e,d=init_key()
n_list.append(N)
c=pow(FLAG,e,N)
c_list.append(pow(FLAG,e,N))
解析
使用crt进行求解
from Crypto.Util.Padding import *
from sympy.ntheory.modular import crt
import gmpy2
e = 9
ln = [...]
lc = [...]
m = crt(ln,lc)[0]
m = gmpy2.iroot(m,9)[0]
print(long_to_bytes(m))
# flag{H0w_Fun_13_HAstads_broadca5t_AtTack!}
5.[SWPUCTF 2021 新生赛]crypto1 #共模攻击 RSA 小明文
题目
flag = '****************************'
flag = {"asfajgfbiagbwe"}
p = getPrime(2048)
q = getPrime(2048)
m1 = bytes_to_long(bytes(flag.encode()))
e1*e2 = 3087
n = p*q
print()
flag1 = pow(m1,e1,n)
flag2 = pow(m1,e2,n)
print('c1= '+str(flag1))
print('c2= '+str(flag2))
print('n= '+str(n))
脚本
from gmpy2 import *
from Crypto.Util.number import *
c1 = ...
c2 = ...
n = ...
for e1 in range(1,3087):
if 3087 % e1 == 0 :
e2 = 3087 // e1
s0, s1, s2 = gcdext(e1,e2)
m_s0 = pow(c1,s1,n) * pow(c2,s2,n) % n
m = long_to_bytes(iroot(m_s0,s0)[0])
if m[0:6] == b'NSSCTF':
print(m)
# flag = NSSCTF{d64dba66-b608-4255-b888-0b0f25c2f90e}
6.[SWPUCTF 2021 新生赛]crypto4 #素数分解
题目
p = getPrime(512)
q = next_prime(p)
m1 = bytes_to_long(bytes(flag.encode()))
e = 0x10001
n = p*q
c = pow(m1,e,n)
print('c = '+str(c))
print('n = '+str(n))
解析
首先根据n可以大概知道p的范围,通过遍历小范围得到p,q
from gmpy2 import *
from Crypto.Util.number import *
c = 10227915341268619536932290456122384969242151167487654201363877568935534996454863939953106193665663567559506242151019201314446286458150141991211233219320700112533775367958964780047682920839507351492644735811096995884754664899221842470772096509258104067131614630939533042322095150722344048082688772981180270243
n= 52147017298260357180329101776864095134806848020663558064141648200366079331962132411967917697877875277103045755972006084078559453777291403087575061382674872573336431876500128247133861957730154418461680506403680189755399752882558438393107151815794295272358955300914752523377417192504702798450787430403387076153
e = 0x10001
p = iroot(n,2)[0]-10000
while not isPrime(p) : p += 1
q = p + 2
while not isPrime(q) : q += 2
while p*q - n != 0 :
p = q
q += 2
while not isPrime(q) : q += 2
phin = (q-1)*(p-1)
d = inverse(e,phin)
print(long_to_bytes(pow(c,d,n)))
7.[SWPUCTF 2021 新生赛]crypto5 # 小明文攻击
题目:
c= 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333
n= 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419
解析
由上面c较小可以推断出e较小,使用小明文攻击
from gmpy2 import *
from Crypto.Util.number import *
c = 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333
n = 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419
for i in range(2,10):
if iroot(c,i)[1]== True:
print(long_to_bytes(iroot(c,i)[0]))
8.RSA written by akram09[given by空白]
背景(一些没用的信息)
crazym@n_@rmy
The_Messager
496
A spy was recently caught, he was leaking important data. We could recover the data leaked as well as his machine.
题目
from Crypto.Util.number import bytes_to_long, getStrongPrime
from math import gcd
from flag import FLAG
from Crypto.Random import get_random_bytes
def encrypt(m):
return pow(m,e,N)
e = 65537
p = getStrongPrime(512)
q = getStrongPrime(512)
# generate secure keys
result = 0
while (result !=1):
p = getStrongPrime(512)
q = getStrongPrime(512)
result = gcd(e,(p-1)*(q-1))
N = p * q
print("N = " + str(N))
print("e = " + str(e))
ct= []
for car in FLAG:
ct.append(encrypt(car))
print("ct = "+str(ct))
N = ...
e = 65537
ct = [...] # len(ct) == 28 ,每个数已知
解析
由于flag都是可打印字符,并且N,e已知,建立每个可打印字符的c和m的映射表,通过ct查表得到flag
def enc(m):
return pow(m,e,N)
ls = []
for i in range(0x20,0x80):
ls.append(enc(i))
f = b''
for i in ct :
f += long_to_bytes(ls.index(i)+0x20)
print(f.decode())
# flag = CyberErudites{RSA_1S_S1MPL3}
9.MoeCTF 2022 signin # e与phin不互素
题目
from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
print('p = ',p)
print('q = ',q)
n = p * q
解析
开始以为是一道水题,结果按正常思路来解出来m非常之离谱,后来看了一下e发现了事情的不对劲
那么回归到rsa本质,求解方程 c = m e m o d n c=m^emod\space n c=memod n
这道题里还有部分信息 e ∣ q − 1 , ( e , p ) = 1 e|q-1,(e,p)=1 e∣q−1,(e,p)=1
有第一条方程有
c
1
=
m
e
m
o
d
p
c_1=m^emod\space p
c1=memod p
c
1
=
c
%
p
c_1=c \% p
c1=c%p
那么令 e d = 1 m o d p − 1 ed=1\space mod\space p-1 ed=1 mod p−1
所以 c 1 d = m d e = m k ( p − 1 ) + 1 = m ∗ ( m p − 1 ) k = m m o d p c_1^d=m^{de}=m^{k(p-1)+1}=m*(m^{p-1})^k=m \space mod\space p c1d=mde=mk(p−1)+1=m∗(mp−1)k=m mod p
e = 65537
p = ...
q = ...
c = ...
n = p * q
c1 = c % p
d = inverse(e, p-1)
print(long_to_bytes(pow(c1,d,p)))
10.MoeCTF 2022 Ezfactor # 公共素数
首先题目给出了一个端口接入:nc polarnova.top 10001
并且给了一个py文件
from Crypto.Util.number import isPrime,getPrime,bytes_to_long
import socketserver
import random
import signal
from static_secret import flag,P
class Task(socketserver.BaseRequestHandler):
def _recvall(self):
#These are just the server's transceiver functions and are not important
BUFF_SIZE = 2048
data = b''
while True:
part = self.request.recv(BUFF_SIZE)
data += part
if len(part) < BUFF_SIZE:
break
return data.strip()
def send(self, msg, newline=True):
#These are just the server's transceiver functions and are not important
try:
if newline:
msg += b'\n'
self.request.sendall(msg)
except:
pass
def recv(self, prompt=b'[-] '):
#These are just the server's transceiver functions and are not important
self.send(prompt, newline=False)
return self._recvall()
def Goldbach_proof_of_work(self,BITS):
bigeven=str(random.randint(1<<BITS,1<<(BITS+1))<<1)
self.send(f"[+] I have two prime number A,B s.t. A>=B and A+B == {bigeven}".encode())
p = int(self.recv(prompt=b'[+] Plz tell me A=').decode())
q = int(self.recv(prompt=b'[+] Plz tell me B=').decode())
if not (isPrime(p) and isPrime(q) and p+q==int(bigeven) and p>=q):
return False
return True
def handle(self):#main
signal.alarm(120)
if not self.Goldbach_proof_of_work(100):
self.send(b'[!] Wrong! Try again!')
return
Q=getPrime(2048)
N=P*Q
e=0x10001
m=pow(bytes_to_long(flag),e,N)
self.send(b"[+] Good job! Here's the encrypted flag for you:")
self.send(f"m={hex(m)}".encode())
self.send(f"N={hex(N)}".encode())
self.send(b"[+] Have a Nice Day~ Bye!")
class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
pass
class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
pass
if __name__ == "__main__":
HOST, PORT = '0.0.0.0', 10001
server = ForkedServer((HOST, PORT), Task)
server.allow_reuse_address = True
print(HOST, PORT)
server.serve_forever()
接入nc后,屏幕输出如下信息
n = ...
b = 3
a = n - b
while not isPrime(a) or not isPrime(b):
b += 2
a -= 2
直接用上述脚本得到a,b后输入,会得到N,C(在题目里是m)的信息
注意到每次P,均不改变,故可以通过两组数据求出p,进而求出flag
e = 65537
c1 = ...
N1 = ...
N2 = ...
p = GCD(N1,N2)
q1 = N1 // p
phin1 = (q1-1) * (p-1)
d =inverse(e,phin1)
m = pow(c1,d,N1)
print(long_to_bytes(m))
# flag = moectf{1t5_d4nger0us_t0_u5e_the_same_P_repeated1y}
11.MoeCTF 2022 一次就好 #RSA + 一点点异或
题目
from Crypto.Util.strxor import strxor
from gmpy2 import powmod,next_prime
from FLAG import flag
import codecs
c = b'Just once,I will accompany you to see the world'
flag = flag.ljust(len(c),'#')
key = strxor(flag.encode(), c)
m = bytes_to_long(key)
p = getPrime(512)
q = next_prime(p)
N = p*q
e = 0x10001
gift = powmod(m, e, N)
print(gift)
print(N)
解析
p,q相近,直接从iroot(N,2) - 1000开始遍历得到p,q
p = iroot(N,2)[0]-1000
while not isPrime(p):
p += 1
q = p + 2
while not isPrime(q):
q += 2
while not N == p * q:
p = q
q += 2
while not isPrime(q):
q += 2
随后得到key
phin = (q-1)*(p-1)
d = inverse(e,phin)
key = long_to_bytes(pow(gift,d,N))
最后再重新和c做异或得到flag
c = b'Just once,I will accompany you to see the world'
flag = strxor(key,c)
print(flag)
# moectf{W0w_y02_k5ow_w6at_1s_one_t1m3_pa7}
12.SWPU NSS新生赛 #小e
题目
from gmpy2 import invert
from Crypto.Util.number import getPrime, bytes_to_long
e = 3
p = getPrime(1024)
q = getPrime(1024)
n = p * q
phiN = (p - 1) * (q - 1)
d = invert(e, phiN)
m = bytes_to_long(f.encode())
c = pow(m, e, n)
print("c=" + str(c))
# c = 128198926274489803523728445192921664
# flag = NSSCTF{c}
解析
# 直接对c开3次方得到m,再转化为flag
print('NSSCTF{' + long_to_bytes(iroot(c,3)[0]).decode() + '}')
# NSSCTF{ufind}
13.MoeCTF 2022 0rsa0 # (dp,e) # 小e
题目
from Crypto.Util.number import *
from gmpy2 import *
from flag import flag
assert flag[0:7] == b'moectf{'
assert flag[-1:] == b'}'
flag = flag[7:-1]
assert len(flag) == 32
m1 = bytes_to_long(flag[0:16])
m2 = bytes_to_long(flag[16:32])
def enc1(m):
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 3
c = pow(m,e,n)
return n,e,c
def enc2(m):
p = getPrime(512)
q = getPrime(512)
e = 65537
d = inverse(e,(p-1)*(q-1))
n = p * q
dp2 = d % (p-1)
c = pow(m,e,n)
return n,e,c,dp2
n1,e1,c1 = enc1(m1)
n2,e2,c2,dp2 = enc2(m2)
解析
对于第一部分没啥好说的,直接对c开3次方得到m
对第二部分给出数学证明
初始条件: d e = k 1 ( p − 1 ) ( q − 1 ) + 1 de=k_1(p-1)(q-1)+1 de=k1(p−1)(q−1)+1 d = d p + k 2 ( p − 1 ) d=dp + k_2(p-1) d=dp+k2(p−1)
由上面两个式子 ( d p + k 2 ( p − 1 ) ) e = k 1 ( p − 1 ) ( q − 1 ) + 1 (dp + k_2(p-1))e=k_1(p-1)(q-1)+1 (dp+k2(p−1))e=k1(p−1)(q−1)+1
也就是 d p ∗ e − 1 = ( p − 1 ) ( k 1 q − k 1 − k 2 e ) dp*e - 1=(p-1)(k_1q-k_1-k_2e) dp∗e−1=(p−1)(k1q−k1−k2e)
而 ( p − 1 ) ( k 1 q − k 1 − k 2 e ) = d p ∗ e − 1 < d p ∗ e < e ( p − 1 ) (p-1)(k_1q-k_1-k_2e) = dp*e - 1 <dp*e<e(p-1) (p−1)(k1q−k1−k2e)=dp∗e−1<dp∗e<e(p−1)
所以 x = k 1 q − k 1 − k 2 e < e x=k_1q-k_1-k_2e< e x=k1q−k1−k2e<e
下面遍历x,即可以求得p-1
n1 = ...
e1 = 3
c1 = ...
m1 = iroot(c1,3)[0]
print(long_to_bytes(m1).decode(),end = '')
n2 = ...
e2 = 65537
c2 = ...
dp = ...
x = e2 * dp -1
for i in range(1,65537):
if x % i == 0 and n2 % (x//i+1) == 0:
p = x//i+1
break
q = n2 // p
phin = (q-1) * (p-1)
d2 = inverse(e2,phin)
print(long_to_bytes(pow(c2,d2,n2)).decode())
# flag = moectf{T8uus_23jkjw_asr_3d32awd!5f&#@sd}
14.RSA #mathrsa
题目
h1=pow(2022*p+2021*q,1919,n)
h2=pow(2021*p+2022*q,9191,n)
h1= 19833006575946524719734860655749897430996716214854394509141793247441984552312739336381544289582229635878374784700514176796213750612984375503829452046348964006439625639785195474405122597025617599221157530254436486974871377392676992323755343878688847757228158418367972796322888087679510158602115909469127347957
h2= 378159845999796834634733071282164226106157352305256240743272369823494751498623553741505441796796443917116119081291965129497888764190805349441925445430537324353522456188379487696261868115910126449034886690427415157731129446078773313894708979653146866399561144315206855955530175618287769228046620963527788560
n= 158550239307415787021878774489377164050114410895105185247274761267160101545614028597132371832991677739527541309280403555771841774190734937896655446167967980689195771471687662408939825136088663689784942499571220603957810368350239002179694427220081250797856136392928072791055227654777410808147665490868501507691
c= 103238050292230884025920137599978857103105694782271079198661186238549867271058376235577031392047974779108541567353073352817487194360852820072328699700529958482415374729517555184019284715904738456104746136537894442761330379427579392020949939832030655424272177519828410073606273099843302308920223719486267150794
e = 65537
解析
由题目有 h 1 = ( 2022 p + 2021 q ) 1919 m o d n h_1=(2022p+2021q)^{1919}\space modn h1=(2022p+2021q)1919 modn h 2 = ( 2021 p + 2022 q ) 9191 m o d n h_2=(2021p+2022q)^{9191}\space modn h2=(2021p+2022q)9191 modn
即 h 1 = ( 2022 p ) 1919 + ( 2021 q ) 1919 m o d n h_1=(2022p)^{1919}+(2021q)^{1919}\space modn h1=(2022p)1919+(2021q)1919 modn h 2 = ( 2021 p ) 9191 + ( 2022 q ) 9191 m o d n h_2=(2021p)^{9191}+(2022q)^{9191}\space modn h2=(2021p)9191+(2022q)9191 modn
另 h 1 91 = ( 2022 p ) 19 ∗ 101 ∗ 91 + ( 2021 q ) 19 ∗ 101 ∗ 91 m o d n h_1^{91}=(2022p)^{19*101*91}+(2021q)^{19*101*91}\space modn h191=(2022p)19∗101∗91+(2021q)19∗101∗91 modn h 2 19 = ( 2021 p ) 91 ∗ 101 ∗ 19 + ( 2022 q ) 91 ∗ 101 ∗ 19 m o d n h_2^{19}=(2021p)^{91*101*19}+(2022q)^{91*101*19}\space modn h219=(2021p)91∗101∗19+(2022q)91∗101∗19 modn
设 K = 91 ∗ 101 ∗ 19 K=91*101*19 K=91∗101∗19
h 1 91 = ( 2022 p ) K + ( 2021 q ) K m o d n h_1^{91}=(2022p)^{K}+(2021q)^{K}\space modn h191=(2022p)K+(2021q)K modn
h 2 19 = ( 2021 p ) K + ( 2022 q ) K m o d n h_2^{19}=(2021p)^{K}+(2022q)^{K}\space modn h219=(2021p)K+(2022q)K modn
则 h 1 91 ∗ 202 1 K = ( 2021 ∗ 2022 ) K ∗ p K + 202 1 2 K ∗ q K m o d n h_1^{91}*2021^K=(2021*2022)^{K}*p^{K}+2021^{2K}*q^{K}\space modn h191∗2021K=(2021∗2022)K∗pK+20212K∗qK modn h 2 19 ∗ 202 2 K = ( 2021 ∗ 2022 ) K ∗ p K + 202 2 2 K ∗ q K m o d n h_2^{19}*2022^K=(2021*2022)^{K}*p^{K}+2022^{2K}*q^{K}\space modn h219∗2022K=(2021∗2022)K∗pK+20222K∗qK modn
则有
( h 1 91 ∗ 202 1 K − h 2 19 ∗ 202 2 K ) ∗ ( 202 1 2 K − 202 2 2 K ) − 1 = h 3 = q K m o d n (h_1^{91}*2021^K-h_2^{19}*2022^K)*(2021^{2K}-2022^{2K})^{-1}=h_3=q^{K}\space modn (h191∗2021K−h219∗2022K)∗(20212K−20222K)−1=h3=qK modn
( h 1 91 ∗ 202 2 K − h 2 19 ∗ 202 1 K ) ∗ ( 202 2 2 K − 202 1 2 K ) − 1 = h 4 = p K m o d n (h_1^{91}*2022^K-h_2^{19}*2021^K)*(2022^{2K}-2021^{2K})^{-1}=h_4=p^{K}\space modn (h191∗2022K−h219∗2021K)∗(20222K−20212K)−1=h4=pK modn
所以, q = g c d ( n , h 3 ) q=gcd(n,h_3) q=gcd(n,h3), p = g c d ( n , h 4 ) p=gcd(n,h_4) p=gcd(n,h4)
from Crypto.Util.number import *
h1= 19833006575946524719734860655749897430996716214854394509141793247441984552312739336381544289582229635878374784700514176796213750612984375503829452046348964006439625639785195474405122597025617599221157530254436486974871377392676992323755343878688847757228158418367972796322888087679510158602115909469127347957
h2= 378159845999796834634733071282164226106157352305256240743272369823494751498623553741505441796796443917116119081291965129497888764190805349441925445430537324353522456188379487696261868115910126449034886690427415157731129446078773313894708979653146866399561144315206855955530175618287769228046620963527788560
n= 158550239307415787021878774489377164050114410895105185247274761267160101545614028597132371832991677739527541309280403555771841774190734937896655446167967980689195771471687662408939825136088663689784942499571220603957810368350239002179694427220081250797856136392928072791055227654777410808147665490868501507691
c= 103238050292230884025920137599978857103105694782271079198661186238549867271058376235577031392047974779108541567353073352817487194360852820072328699700529958482415374729517555184019284715904738456104746136537894442761330379427579392020949939832030655424272177519828410073606273099843302308920223719486267150794
e = 65537
k = 19 * 101 * 91
h5 = pow(h1,91,n)*pow(2021,k,n)-pow(h2,19,n)*pow(2022,k,n)
h6 = pow(h1,91,n)*pow(2022,k,n)-pow(h2,19,n)*pow(2021,k,n)
k1 = inverse(pow(2021,2*k,n)-pow(2022,2*k,n), n)
k2 = inverse(pow(2022,2*k,n)-pow(2021,2*k,n), n)
h3 = h5 * k1 % n
h4 = h6 * k2 % n
q = GCD(h3, n)
p = GCD(h4, n)
phi = (p-1) * (q-1)
d = inverse(e, phi)
m = pow(c,d,n)
print(bytes.fromhex(hex(m)[2:]))
# flag{882163a5-9ed0-47e5-b386-6637f62cb005}
15.rasrsa
题目
Math is cool! Use the RSA algorithm to decode the secret message, c, p, q, and e are parameters for the RSA algorithm.
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e = 65537
c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
Use RSA to find the secret message
题目有亿点点简单
from Crypto.Util.number import *
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
n = q*p
e = 65537
c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
phi = (p-1) * (q-1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)).decode())
# flag{5577446633554466577768879988}
16.BUUCTF # rsa2(e,n,dp,c)
首先由题目已知 d p = d m o d p − 1 dp=d modp-1 dp=dmodp−1可以得到 e ∗ d p = d e m o d p − 1 e*dp=de mod p-1 e∗dp=demodp−1
又考虑到 d e = 1 m o d ( p − 1 ) ( q − 1 ) de=1 mod(p-1)(q-1) de=1mod(p−1)(q−1)
即 d e = 1 m o d p − 1 de=1 modp-1 de=1modp−1
所以 p − 1 ∣ e ∗ d p − 1 p-1|e*dp-1 p−1∣e∗dp−1
下一步用yafu分解e*dp-1,得到ls,最后通过筛选ls的因子+1 得到pA
from Crypto.Util.number import *
from functools import reduce
e = 65537
n = 248254007851526241177721526698901802985832766176221609612258877371620580060433101538328030305219918697643619814200930679612109885533801335348445023751670478437073055544724280684733298051599167660303645183146161497485358633681492129668802402065797789905550489547645118787266601929429724133167768465309665906113
dp = 905074498052346904643025132879518330691925174573054004621877253318682675055421970943552016695528560364834446303196939207056642927148093290374440210503657
c = 140423670976252696807533673586209400575664282100684119784203527124521188996403826597436883766041879067494280957410201958935737360380801845453829293997433414188838725751796261702622028587211560353362847191060306578510511380965162133472698713063592621028959167072781482562673683090590521214218071160287665180751
# e*dp-1 = 59315867378856659089589938133524992838556700165994240300903969550746506475107189709727568518174855260630155107372617804812871207516504589971269688075778168808
# 2 4 8 ls[] len(ls) = 8
ls=[2,2,2,3,59,61,151,367,789129589052842241,41474649656673896980319,378620157247671136189892147784463855572144373204226980628812338811781197098372249535566403370486867830108231]
prod = lambda a,b:a*b
def f(p):
q = n//p
assert(q*p == n)
phin = p*q-p-q+1
d = inverse(e,phin)
print(bytes.fromhex(hex(pow(c,d,n))[2:]))
for i in range(1<<len(ls)):
if i == 0:continue
fac = reduce(prod,[ls[j] for j in range(len(ls)) if bin(i)[2:].zfill(len(ls))[j] == '1'])
if n%(fac+1)==0 :
f(fac+1)
break
17.BUUCTF RASROLL
题目比较简单,主要是学习文件读写
from Crypto.Util.number import *
n=920139713
e=19
p=49891
q=18443
# 用yafu将n分解
phi=(p-1)*(q-1)
d=inverse(e,phi)
data = open("C:\\Users\\zhn\\Desktop\\data.txt").read().strip().split('\n')[2:]
data = list(map(int,data))
for i in range(len(data)):
print(chr(pow(data[i],d,n)),end='')
最后得到flag
# flag{13212je2ue28fy71w8u87y31r78eu1e2}
18.BUUCTF # RSA1(p,q,dp,dq,c)
题目
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
解析
c d = c d p = m m o d p c d = c d q = m m o d q 则 c d = m 1 + k 1 p = m 2 + k 2 q m 1 − m 2 = k 2 q − k 1 p = k 2 q m o d p 记 i = i n v p ( q ) 则( m 1 − m 2 ) i = k 2 m o d p 回带得到 c d (1) \begin{matrix} c^d=c^{dp}=m\space mod p \\ c^d=c^{dq}=m\space mod q \\ 则c^d=m_1+k_1p=m_2+k_2q\\ m_1-m_2=k_2q-k_1p=k_2q\space mod p\\ 记i=inv_p(q)\\ 则(m_1-m_2)i=k_2\space mod p\\ 回带得到c^d \\ \end{matrix} \tag{1} cd=cdp=m modpcd=cdq=m modq则cd=m1+k1p=m2+k2qm1−m2=k2q−k1p=k2q modp记i=invp(q)则(m1−m2)i=k2 modp回带得到cd(1)
from Crypto.Util.number import *
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
n = q*p
m1 = pow(c,dp,p)
m2 = pow(c,dq,q)
i = inverse(q,p)
m = (i*(m1-m2)%p)*q+m2
print(long_to_bytes(m))
# 最后得到flag noxCTF{W31c0m3_70_Ch1n470wn}
19.[NCTF2019]childRSA
题目
from random import choice
from Crypto.Util.number import isPrime, sieve_base as primes
from flag import flag
def getPrime(bits):
while True:
n = 2
while n.bit_length() < bits:
n *= choice(primes)
if isPrime(n + 1):
return n + 1
e = 0x10001
m = int.from_bytes(flag.encode(), 'big')
p, q = [getPrime(2048) for _ in range(2)]
n = p * q
c = pow(m, e, n)
# n = ...
# c = ...
解析
1.使用yafu解出p,q
2.求d
3.求m
4.将m转化为bytes格式输出
from Crypto.Util.number import *
e = 65537
p = 178449493212694205742332078583256205058672290603652616240227340638730811945224947826121772642204629335108873832781921390308501763661154638696935732709724016546955977529088135995838497476350749621442719690722226913635772410880516639651363626821442456779009699333452616953193799328647446968707045304702547915799734431818800374360377292309248361548868909066895474518333089446581763425755389837072166970684877011663234978631869703859541876049132713490090720408351108387971577438951727337962368478059295446047962510687695047494480605473377173021467764495541590394732685140829152761532035790187269724703444386838656193674253139
q = 184084121540115307597161367011014142898823526027674354555037785878481711602257307508985022577801782788769786800015984410443717799994642236194840684557538917849420967360121509675348296203886340264385224150964642958965438801864306187503790100281099130863977710204660546799128755418521327290719635075221585824217487386227004673527292281536221958961760681032293340099395863194031788435142296085219594866635192464353365034089592414809332183882423461536123972873871477755949082223830049594561329457349537703926325152949582123419049073013144325689632055433283354999265193117288252918515308767016885678802217366700376654365502867
n = 32849718197337581823002243717057659218502519004386996660885100592872201948834155543125924395614928962750579667346279456710633774501407292473006312537723894221717638059058796679686953564471994009285384798450493756900459225040360430847240975678450171551048783818642467506711424027848778367427338647282428667393241157151675410661015044633282064056800913282016363415202171926089293431012379261585078566301060173689328363696699811123592090204578098276704877408688525618732848817623879899628629300385790344366046641825507767709276622692835393219811283244303899850483748651722336996164724553364097066493953127153066970594638491950199605713033004684970381605908909693802373826516622872100822213645899846325022476318425889580091613323747640467299866189070780620292627043349618839126919699862580579994887507733838561768581933029077488033326056066378869170169389819542928899483936705521710423905128732013121538495096959944889076705471928490092476616709838980562233255542325528398956185421193665359897664110835645928646616337700617883946369110702443135980068553511927115723157704586595844927607636003501038871748639417378062348085980873502535098755568810971926925447913858894180171498580131088992227637341857123607600275137768132347158657063692388249513
phi = (p-1)*(q-1)
d = inverse(e, phi)
c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108
m = pow(c, d, n)
print(bytes.fromhex(hex(m)[2:]))
print(long_to_bytes(m))
from binascii import *
print(unhexlify(hex(m)[2:]))
注意上述转换的三种方式
print(bytes.fromhex(hex(m)[2:]))
print(long_to_bytes(m)) # Crypto.Util.number
print(unhexlify(hex(m)[2:])) # binascii
ps:inverse函数返回类型为int
gmpy2.insert()返回类型为mpz
最后输出flag
b'NCTF{Th3r3_ar3_1ns3cure_RSA_m0duli_7hat_at_f1rst_gl4nce_appe4r_t0_be_s3cur3}'
20.[BJDCTF 2020]EasyRSA #解方程得到p,q
题目
# 已知c z n
p=getPrime(1024)
q=getPrime(1024)
e=65537
n=p*q
z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))
m=bytes_to_long(flag)
c=pow(m,e,n)
解析
主要读懂这句话的函数z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))
Fraction 表示分母 arctan 表示反正切
Derivative表示求导 arth 表示反双曲
$z=1+p2-(1-q2)=p2+q2 $
随后就可以解出p,q
from Crypto.Util.number import long_to_bytes,inverse
from gmpy2 import *
c = 7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
z = 32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
n = 15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
e = 65537
# a = p + q b = p - q
a = iroot(z+2*n,2)[0]
b = iroot(z-2*n,2)[0]
p = (a + b) // 2
q = a - p
print(long_to_bytes(pow(c,inverse(e,p*q-p-q+1),n)))
21.[BJDCTF 2020]rsa # 未知e
题目
重新设了一下变量
from Crypto.Util.number import getPrime,bytes_to_long
q=getPrime(1024)
p1=getPrime(1024)
# e<100000
n1 = p1*q
m1 = bytes_to_long(flag)
c1 = pow(m1,e,n1)
k = pow(294,e,n1)
p2 = getPrime(1024)
n2 = p2*q
m2 = bytes_to_long("BJD"*32)
c2 = pow(m2,e,n2)
'''
output:
c1 = 1264...
n1 = 1350...
k = 3816...
c2 = 9791...
n2 = 1280...
'''
解析
1.首先可以得到q=GCD(n1,n2)
2.爆破得到e的值
from Crypto.Util.number import *
c1=12641635617803746150332232646354596292707861480200207537199141183624438303757120570096741248020236666965755798009656547738616399025300123043766255518596149348930444599820675230046423373053051631932557230849083426859490183732303751744004874183062594856870318614289991675980063548316499486908923209627563871554875612702079100567018698992935818206109087568166097392314105717555482926141030505639571708876213167112187962584484065321545727594135175369233925922507794999607323536976824183162923385005669930403448853465141405846835919842908469787547341752365471892495204307644586161393228776042015534147913888338316244169120
n1=13508774104460209743306714034546704137247627344981133461801953479736017021401725818808462898375994767375627749494839671944543822403059978073813122441407612530658168942987820256786583006947001711749230193542370570950705530167921702835627122401475251039000775017381633900222474727396823708695063136246115652622259769634591309421761269548260984426148824641285010730983215377509255011298737827621611158032976420011662547854515610597955628898073569684158225678333474543920326532893446849808112837476684390030976472053905069855522297850688026960701186543428139843783907624317274796926248829543413464754127208843070331063037
k=381631268825806469518166370387352035475775677163615730759454343913563615970881967332407709901235637718936184198930226303761876517101208677107311006065728014220477966000620964056616058676999878976943319063836649085085377577273214792371548775204594097887078898598463892440141577974544939268247818937936607013100808169758675042264568547764031628431414727922168580998494695800403043312406643527637667466318473669542326169218665366423043579003388486634167642663495896607282155808331902351188500197960905672207046579647052764579411814305689137519860880916467272056778641442758940135016400808740387144508156358067955215018
c2=979153370552535153498477459720877329811204688208387543826122582132404214848454954722487086658061408795223805022202997613522014736983452121073860054851302343517756732701026667062765906277626879215457936330799698812755973057557620930172778859116538571207100424990838508255127616637334499680058645411786925302368790414768248611809358160197554369255458675450109457987698749584630551177577492043403656419968285163536823819817573531356497236154342689914525321673807925458651854768512396355389740863270148775362744448115581639629326362342160548500035000156097215446881251055505465713854173913142040976382500435185442521721
n2=12806210903061368369054309575159360374022344774547459345216907128193957592938071815865954073287532545947370671838372144806539753829484356064919357285623305209600680570975224639214396805124350862772159272362778768036844634760917612708721787320159318432456050806227784435091161119982613987303255995543165395426658059462110056431392517548717447898084915167661172362984251201688639469652283452307712821398857016487590794996544468826705600332208535201443322267298747117528882985955375246424812616478327182399461709978893464093245135530135430007842223389360212803439850867615121148050034887767584693608776323252233254261047
q=GCD(n1,n2)
for e in range(100000):
if isPrime(e):
if k==pow(294,e,n1):break
p1 = n1 // q
phin1 = (p1-1)*(q-1)
d1 = inverse(e, phin1)
print( long_to_bytes(pow(c1,d1,n1)) )
22.HNCTF AnyoneisOk # PKCS1_OAEP
题目
给你了100个msg,以及x.pem文件
解析
1.读取文件
2.尝试解密(判断广播? 共模? 低指数? 最后发现是广播)
3.分解后得到两组(e,p,q,d,n)
4.根据对应的c发现解不出来flag
5.猜测是否是PKCS1_OAEP
6.调用 RSA ,PKCS1_OAEP最终得到flag
注意下面构建私钥的函数,本人找了好久才知道这个函数
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
c,n,e = [],[],[]
for i in range(1,101):
p1 = 'msg' + str(i)
with open(p1,'br') as f1:
tem= f1.read()
c.append(tem)
p2 = str(i) + '.pem'
with open(p2 ,'br') as f2:
key = RSA.import_key(f2.read())
e.append(key.e)
n.append(key.n)
e = 65537
p = GCD(n[21],n[42])
q1 = n[21]//p
q2 = n[42]//p
phin1 = (q1-1)*(p-1)
phin2 = (q2-1)*(p-1)
d1 = pow(e,-1,phin1)
d2 = pow(e,-1,phin2)
key1 = RSA.construct((n[21], e, d1, p, q1))
key2 = RSA.construct((n[42], e, d2, p, q2))
cipher1 = PKCS1_OAEP.new(key1)
cipher2 = PKCS1_OAEP.new(key2)
flag2 = cipher2.decrypt(c[42])
23.CryptoHack-Mathematics-Brainteasers Part 1-Modular Binomials
题目
Rearrange the following equations to get the primes
p,qN = p q N = pq N=pq
c 1 = ( 2 p + 3 q ) e 1 m o d N c_1 = (2p + 3q)^{e1} mod N c1=(2p+3q)e1modN
c 2 = ( 5 p + 7 q ) e 2 m o d N c_2 = (5p + 7q)^{e2} mod N c2=(5p+7q)e2modN
解析
按照二项式定理并消元可以得到 q ∣ X = ( c 1 e 2 ∗ 5 e 1 e 2 − c 2 e 1 ∗ 2 e 1 e 2 ) m o d N q|X=(c_1^{e_2}*5^{e_1e_2}-c_2^{e_1}*2^{e_1e_2})modN q∣X=(c1e2∗5e1e2−c2e1∗2e1e2)modN
所以 q = g c d ( N , X ) q=gcd(N,X) q=gcd(N,X)
from Crypto.Util.number import *
N = 14905562257842714057932724129575002825405393502650869767115942606408600343380327866258982402447992564988466588305174271674657844352454543958847568190372446723549627752274442789184236490768272313187410077124234699854724907039770193680822495470532218905083459730998003622926152590597710213127952141056029516116785229504645179830037937222022291571738973603920664929150436463632305664687903244972880062028301085749434688159905768052041207513149370212313943117665914802379158613359049957688563885391972151218676545972118494969247440489763431359679770422939441710783575668679693678435669541781490217731619224470152467768073
e1 = 12886657667389660800780796462970504910193928992888518978200029826975978624718627799215564700096007849924866627154987365059524315097631111242449314835868137
e2 = 12110586673991788415780355139635579057920926864887110308343229256046868242179445444897790171351302575188607117081580121488253540215781625598048021161675697
c1 = 14010729418703228234352465883041270611113735889838753433295478495763409056136734155612156934673988344882629541204985909650433819205298939877837314145082403528055884752079219150739849992921393509593620449489882380176216648401057401569934043087087362272303101549800941212057354903559653373299153430753882035233354304783275982332995766778499425529570008008029401325668301144188970480975565215953953985078281395545902102245755862663621187438677596628109967066418993851632543137353041712721919291521767262678140115188735994447949166616101182806820741928292882642234238450207472914232596747755261325098225968268926580993051
c2 = 14386997138637978860748278986945098648507142864584111124202580365103793165811666987664851210230009375267398957979494066880296418013345006977654742303441030008490816239306394492168516278328851513359596253775965916326353050138738183351643338294802012193721879700283088378587949921991198231956871429805847767716137817313612304833733918657887480468724409753522369325138502059408241232155633806496752350562284794715321835226991147547651155287812485862794935695241612676255374480132722940682140395725089329445356434489384831036205387293760789976615210310436732813848937666608611803196199865435145094486231635966885932646519
qq = (pow(c1,e2,N)*pow(5,e1*e2,N)-pow(c2,e1,N)*pow(2,e1*e2,N))%N
q = GCD(N,qq)
p = N//q
24.HNCTF week3 pnearq #p,q相邻
题目
已知n,c,p与q相邻,求m
解析
由p,q相邻,那么n**(1/2)则近似等于p,向下遍历求出p,进而不难求出m
from Crypto.Util.number import *
import gmpy2
n = 19421904767367129549329507820147867763064747101931314714173717122035977491291441314433180813343755107381230481007143328156292096871675328839756035726106037229325380698967544660649710464634698425387682458721466040894830503881966355435442651493212040443436714597490121865537266815247879839020846287255634123530517095030752832857842819836940083915495464712363169428825344678729929317207583197980607919720642725221740680718976635305544368542563503440076036727388062097647374046378854873864505267644315352602271587283702733779081805129429479541906613334092422428543951370065910195162721686773383508480268145903016615151713
c = 16430654037742749931837577925393394466626615745270895225352757745284038922799868617243616416116392338428121605256850230862894296244375242336599929497221079420665154174930054597666915358687410522457846003186806053368237783147731665147575913322026626738697036282908055611350347494310666532700194563684837580022875526378181343082801716942536163583090541294011987732281942148455345223347021675781368596340860151253774597168954881987520338304516390785094435356412111780768446904948045448510663589654475221029009283144829902553888829840193614048967712676048740814622290029846433107762872806981599110271586325156855299974310
x = gmpy2.iroot(n,2)[0]
while n%x !=0 :
x -= 1
p = x
q = n//p
phin = (p-1)*(q-1)
e = 65537
d = pow(e,-1,phin)
print(long_to_bytes(pow(c,d,n)))
# flag{when_PQ_is_near_Its_simple}
652
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
