RSA中e和phi不互素问题

已于 2023-11-24 11:25:15 修改
阅读量1.1k 收藏 22
点赞数 3
文章标签: python 密码学
于 2023-10-19 22:37:15 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_74345946/article/details/133936371
版权

总述

g c d ( e , φ ( n ) ) gcd(e,\varphi(n)) gcd(e,φ(n))比较小时可以考虑iroot直接开根,当直接开根跑不出来时,考虑有限域内开方

g c d ( e , φ ( n ) ) gcd(e,\varphi(n)) gcd(e,φ(n))很大时,考虑AMM算法

类型一

e e e φ ( n ) \varphi(n) φ(n)不互素,但是 e e e p − 1 p-1 p1或者 q − 1 q-1 q1互素,转化到模 p p p或者模 q q q下求解

例题 (2023MoeCTF bad_E)

from Crypto.Util.number import *
p = getPrime(512)
q = getPrime(512)
e = 65537

print(p) # 6853495238262155391975011057929314523706159020478084061020122347902601182448091015650787022962180599741651597328364289413042032923330906135304995252477571
print(q) # 11727544912613560398705401423145382428897876620077115390278679983274961030035884083100580422155496261311510530671232666801444557695190734596546855494472819

with open("flag.txt","r") as fs:
    flag = fs.read().strip()

m = bytes_to_long(flag.encode())
c = pow(m,e,p*q)
print(c) # 63388263723813143290256836284084914544524440253054612802424934400854921660916379284754467427040180660945667733359330988361620691457570947823206385692232584893511398038141442606303536260023122774682805630913037113541880875125504376791939861734613177272270414287306054553288162010873808058776206524782351475805

exp

from Crypto.Util.number import *
p=6853495238262155391975011057929314523706159020478084061020122347902601182448091015650787022962180599741651597328364289413042032923330906135304995252477571
q=11727544912613560398705401423145382428897876620077115390278679983274961030035884083100580422155496261311510530671232666801444557695190734596546855494472819
e=65537
c = 63388263723813143290256836284084914544524440253054612802424934400854921660916379284754467427040180660945667733359330988361620691457570947823206385692232584893511398038141442606303536260023122774682805630913037113541880875125504376791939861734613177272270414287306054553288162010873808058776206524782351475805
n = p*q
# _gcd = gcd(e,(p-1)*(q-1)) # 65537
gcd_q = gcd(e,q-1) # 1

d = inverse(e,q-1)
m = pow(c,d,q)
print(long_to_bytes(int(m)))
# moectf{N0w_Y0U_hAve_kN0w_h0w_rsA_w0rks!_f!lP0iYlJf!M3ru}

因为gcd(e,phi)=e=665537很大,可以用AMM算法求解

exp2

# sagemanth
import random
import math
import time
from Crypto.Util.number import bytes_to_long,long_to_bytes
p = 0
#设置模数
def GF(a):
    global p
    p = a
#乘法取模
def g(a,b):
    global p
    return pow(a,b,p)


def AMM(x,e,p):
    GF(p)
    y = random.randint(1, p-1)
    while g(y, (p-1)//e) == 1:
        y = random.randint(1, p-1)
        print(y)
    print("find")
    #p-1 = e^t*s
    t = 1
    s = 0
    while p % e == 0:
        t += 1
        print(t)
    s = p // (e**t)
    print('e =',e)
    print('p =',p)
    print('s =',s)
    print('t =',t)
    # s|ralpha-1
    k = 1    
    while((s * k + 1) % e != 0):
        k += 1
    alpha = (s * k + 1) // e
    #计算a = y^s b = x^s h =1
    #h为e次非剩余部分的积
    a = g(y, (e ** (t - 1) ) * s)
    b = g(x, e * alpha - 1)
    c = g(y, s)
    h = 1
    #
    for i in range(1, t-1):
        d = g(b,e**(t-1-i))
        if d == 1:
            j = 0
        else:
            j = -math.log(d,a)
        b = b * (g(g(c, e), j))
        h = h * g(c, j)
        c = g(c, e)
    #return (g(x, alpha * h)) % p
    root = (g(x, alpha * h)) % p
    roots = set()
    for i in range(e):
        mp2 = root * g(a,i) %p
        assert(g(mp2, e) == x)
        roots.add(mp2)
    return roots
# def check(m):
#     if 'flag' in m:
#         print(m)
#         return True
#     else:
#         return False

p=6853495238262155391975011057929314523706159020478084061020122347902601182448091015650787022962180599741651597328364289413042032923330906135304995252477571
q=11727544912613560398705401423145382428897876620077115390278679983274961030035884083100580422155496261311510530671232666801444557695190734596546855494472819
e=65537
c = 63388263723813143290256836284084914544524440253054612802424934400854921660916379284754467427040180660945667733359330988361620691457570947823206385692232584893511398038141442606303536260023122774682805630913037113541880875125504376791939861734613177272270414287306054553288162010873808058776206524782351475805
n = p*q
mps = AMM(c,e,p)
for mpp in mps:
        solution = long_to_bytes(int(mpp))
        if b'moectf' in solution:
        #solution = int(mpp)
            print(solution)

类型二

_gcd=gcd(e,phi)=2比较小,直接iroote//_gcd次根

示例

from Crypto.Util.number import *
 
flag = b'NSSCTF{******}'
 
p = getPrime(512)
q = getPrime(512)
 
e = 65537*2
n = p*q 
m = bytes_to_long(flag)
c = pow(m, e, n)
 
print(f'p = {p}')
print(f'q = {q}')
print(f'e = {e}')
print(f'c = {c}')
 
'''
p = 9927950299160071928293508814174740578824022211226572614475267385787727188317224760986347883270504573953862618573051241506246884352854313099453586586022059
q = 9606476151905841036013578452822151891782938033700390347379468858357928877640534612459734825681004415976431665670102068256547092636766287603818164456689343
e = 131074
c = 68145285629092005589126591120307889109483909395989426479108244531402455690717006058397784318664114589567149811644664654952286387794458474073250495807456996723468838094551501146672038892183058042546944692051403972876692350946611736455784779361761930869993818138259781995078436790236277196516800834433299672560
'''

exp

import gmpy2
import libnum
 
p = 9927950299160071928293508814174740578824022211226572614475267385787727188317224760986347883270504573953862618573051241506246884352854313099453586586022059
q = 9606476151905841036013578452822151891782938033700390347379468858357928877640534612459734825681004415976431665670102068256547092636766287603818164456689343
e = 131074
c = 68145285629092005589126591120307889109483909395989426479108244531402455690717006058397784318664114589567149811644664654952286387794458474073250495807456996723468838094551501146672038892183058042546944692051403972876692350946611736455784779361761930869993818138259781995078436790236277196516800834433299672560
 
n = p*q
phi = (p-1)*(q-1)
_gcd = gmpy2.gcd(e, phi)
d = gmpy2.invert(e//_gcd, phi)
m_gcd = gmpy2.powmod(c, d, n)
m = gmpy2.iroot(m_gcd1, _gcd)    # 得到元组 (mpz(1920535408007397829480400151650246901210634018403879187581), True)
flag = libnum.n2s(int(m[0]))
print(flag)

类型三

gcd(e,phi)=16也比较小,但尝试iroot开根跑不出来,这时考虑有限域内开方来求解.

示例(2023 一带一路金砖国家 crypto1)

from Crypto.Util.number import *
from flag import flag
import gmpy2
assert(len(flag)==38)
flag = bytes_to_long(flag)

p = getPrime(512)
q = getPrime(512)

e = 304
enc = pow(flag,e,p*q)
print(p)
print(q)
print(enc)
#9794998439882070838464987778400633526071369507639213778760131552998185895297188941828281554258704149333679257014558677504899624597863467726403690826271979
#10684338300287479543408040458978465940026825189952497034380241358187629934633982402116457227553161613428839906159238238486780629366907463456434647021345729
#88310577537712396844221012233266891147970635383301697208951868705047581001657402229066444746440502616020663700100248617117426072580419555633169418185262898647471677640199331807653373089977785816106098591077542771088672088382667974425747852317932746201547664979549641193108900510265622890793400796486146522028

exp

from Crypto.Util.number import *
p = 9794998439882070838464987778400633526071369507639213778760131552998185895297188941828281554258704149333679257014558677504899624597863467726403690826271979
q = 10684338300287479543408040458978465940026825189952497034380241358187629934633982402116457227553161613428839906159238238486780629366907463456434647021345729
c = 88310577537712396844221012233266891147970635383301697208951868705047581001657402229066444746440502616020663700100248617117426072580419555633169418185262898647471677640199331807653373089977785816106098591077542771088672088382667974425747852317932746201547664979549641193108900510265622890793400796486146522028
e = 304
n = p*q

P.<a>=PolynomialRing(Zmod(p),implementation='NTL')
f=a^e-c
mps=f.monic().roots()

P.<a>=PolynomialRing(Zmod(q),implementation='NTL')
g=a^e-c
mqs=g.monic().roots()

flag=[]
for mpp in mps:
    x=mpp[0]
    for mqq in mqs:
        y=mqq[0]
        solution = CRT_list([int(x), int(y)], [p, q])
        flag.append(solution)
for i in flag:
    m=long_to_bytes(i)
    if b'flag'in m:
        print(m)
        
# flag{947b6543117e32730a93d1b43c98bc57}

注意到flag是38位,也就是304bit,而pq都是512bit,满足 m < p 或 者 m < q m<p或者m<q m<pm<q,可以转化到模p或者模q下求解,简化过程

g c d ( e , q − 1 ) = 16 gcd(e,q-1)=16 gcd(e,q1)=16

( m 16 ) q − 1 16 = c   m o d   q (m^{16})^{\frac{q-1}{16}}=c\textbf{ }mod \textbf{ }q (m16)16q1=c mod q

q − 1 16 \frac{q-1}{16} 16q1的逆元,计算 c d ′ = m 16   m o d   q c^{d{'}}=m^{16}\textbf{ }mod\textbf{ }q cd=m16 mod q

那么,就可以在模q有限域下开根求解

exp

from Crypto.Util.number import *
import gmpy2
p = 9794998439882070838464987778400633526071369507639213778760131552998185895297188941828281554258704149333679257014558677504899624597863467726403690826271979
q = 10684338300287479543408040458978465940026825189952497034380241358187629934633982402116457227553161613428839906159238238486780629366907463456434647021345729
c = 88310577537712396844221012233266891147970635383301697208951868705047581001657402229066444746440502616020663700100248617117426072580419555633169418185262898647471677640199331807653373089977785816106098591077542771088672088382667974425747852317932746201547664979549641193108900510265622890793400796486146522028
e = 304
n = p*q

_gcd = gmpy2.gcd(e,(q-1))
# print(_gcd) # 16
d = gmpy2.invert(e//_gcd,q-1)
m_16 = pow(c,d,q)

P.<x> = PolynomialRing(Zmod(q),implementation='NTL')
e = _gcd
f = x^e - m_16
mqs = f.monic().roots()
# print(len(mqs)) # 16

for i in mqs:
    flag = long_to_bytes(int(i[0]))
    if b'flag' in flag:
        print(flag)

补充

解释一下所用代码

P.<a>=PolynomialRing(Zmod(p),implementation='NTL')
f=a^e-c
mps=f.monic().roots()
定义了一个名为P的多项式环,a是这个环里面的变量,Zmod(p)是在模p下定义了一个整数环。多项式的每一个系数都是p的倍数,这样才能确保在模p下进行运算时不会出现浮点数。
参数implementation='NTL'指示SageMath使用NTL(Number Theory Library)作为该环的实现。
f=a^e-c定义了一个多项式
monic()是将多项式首一化
f.roots()得到方程的一个根的列表,该列表包含f(x)=a^e-c在模p意义下的所有根。
列表中的每个元素的格式为 (a,1),在此二元组表示中,1表示多重根,即该解在方程中的出现次数。

再详细看一下PolynomialRing()

PolynomialRingSageMath的一个函数,用于构建一个多项式环,看一个示例

# 创建一个多项式环,定义一个变量 'x'
R = PolynomialRing(QQ, 'x')

# 创建一个多项式
f = x^2 + 2*x + 1

# 可以对多项式进行代数运算,如加法、乘法
g = 2*x + 3

在上面的示例中,我们首先使用PolynomialRing()创建了一个多项式环R,其中QQ表示有理数域(可以使用其他域,如整数域ZZ或有限域GF(p))。然后,我们定义了多项式里的变量x,并使用这个环创建了一个多项式f

类型四

g c d ( e , φ ( n ) ) = e = 1009 gcd(e,\varphi(n))=e=1009 gcd(e,φ(n))=e=1009算是很大了,且 g c d ( e , p − 1 ) = g c d ( e , q − 1 ) = e = 1009 gcd(e,p-1)=gcd(e,q-1)=e=1009 gcd(e,p1)=gcd(e,q1)=e=1009.直接用AMM(很快,大概十几秒出结果)

之前做过的题,找不到附件了。。

from Crypto.Util.number import *
import random
import math

def onemod(e, q):
    p = random.randint(1, q-1)
    while(powmod(p, (q-1)//e, q) == 1):  # (r,s)=1
        p = random.randint(1, q)
    return p


def AMM_rth(o, r, q):  # r|(q-1)
    """
    x^r % q = o
    :param o:
    :param r:
    :param q:
    :return:
    """
    assert((q-1) % r == 0)
    p = onemod(r, q)

    t = 0
    s = q-1
    while(s % r == 0):
        s = s//r
        t += 1
    k = 1
    while((s*k+1) % r != 0):
        k += 1
    alp = (s*k+1)//r

    a = powmod(p, r**(t-1)*s, q)
    b = powmod(o, r*a-1, q)
    c = powmod(p, s, q)
    h = 1

    for i in range(1, t-1):
        d = powmod(int(b), r**(t-1-i), q)
        if d == 1:
            j = 0
        else:
            j = (-int(math.log(d, a))) % r
        b = (b*(c**(r*j))) % q
        h = (h*c**j) % q
        c = (c*r) % q
    result = (powmod(o, alp, q)*h)
    return result


def ALL_Solution(m, q, rt, cq, e):
    mp = []
    for pr in rt:
        r = (pr*m) % q
        # assert(pow(r, e, q) == cq)
        mp.append(r)
    return mp


def ALL_ROOT2(r, q):  # use function set() and .add() ensure that the generated elements are not repeated
    li = set()
    while(len(li) < r):
        p = powmod(random.randint(1, q-1), (q-1)//r, q)
        li.add(p)
    return li


def attack(p, q, e, check=None):
    cp = c % p
    cq = c % q

    mp = AMM_rth(cp, e, p)
    mq = AMM_rth(cq, e, q)

    rt1 = ALL_ROOT2(e, p)
    rt2 = ALL_ROOT2(e, q)

    amp = ALL_Solution(mp, p, rt1, cp, e)
    amq = ALL_Solution(mq, q, rt2, cq, e)

    if check is not None:
        j = 1
        t1 = invert(q, p)
        t2 = invert(p, q)
        for mp1 in amp:
            for mq1 in amq:
                j += 1
                if j % 1000000 == 0:
                    print(j)
                ans = (mp1 * t1 * q + mq1 * t2 * p) % (p * q)
                if check(ans):
                    return ans
    return amp, amq

def calc(mp, mq, e, p, q):
    i = 1
    j = 1
    t1 = invert(q, p)
    t2 = invert(p, q)
    for mp1 in mp:
        for mq1 in mq:
            j += 1
            if j % 1000000 == 0:
                print(j)
            ans = (mp1*t1*q+mq1*t2*p) % (p*q)
            if check(ans):
                return
    return

def check(m):
    try:
        a = long_to_bytes(m)
        if b'NSSCTF' in a:
            print(a)
            return True
        else:
            return False
    except:
        return False

if __name__ == '__main__':
    e = 1009
    n = 38041020633815871156456469733983765765506895617311762629687651104582466286930269704125415948922860928755218376007606985275046819516740493733602776653724917044661666016759231716059415706703608364873041098478331738686843910748962386378250780017056206432910543374411668835255040201640020726710967482627384460424737495938659004753604600674521079949545966815918391090355556787926276553281009472950401599151788863393804355849499551329
    c = 2252456587771662978440183865248648532442503596913181525329434089345680311102588580009450289493044848004270703980243056178363045412903946651952904162045861994915982599488021388197891419171012611795147125799759947942753772847866647801312816514803861011346523945623870123406891646751226481676463538137263366023714001998348605629756519894600802504515051642140147685496526829541501501664072723281466792594858474882239889529245732945
    p = 5220649501756432310453173296020153841505609640978826669340282938895377093244978215488158231209243571089268416199675077647719021740691293187913372884975853901554910056350739745148711689601574920977808625399309470283   
    q = 7286645200183879820325990521698389973072307061827784645416472106180161656047009812712987400850001340478084529480635891468153462119149259083604029658605921695587836792877281924620444742434168448594010024363257554563
    cp = c % p
    cq = c % q

    mp = AMM_rth(cp, e, p)
    mq = AMM_rth(cq, e, q)

    rt1 = ALL_ROOT2(e, p)
    rt2 = ALL_ROOT2(e, q)

    amp = ALL_Solution(mp, p, rt1, cp, e)
    amq = ALL_Solution(mq, q, rt2, cq, e)

    calc(amp, amq, e, p, q)

有限域开方也能跑出来(需要三至四分钟吧)

exp1

from Crypto.Util.number import *
e = 1009
n = 38041020633815871156456469733983765765506895617311762629687651104582466286930269704125415948922860928755218376007606985275046819516740493733602776653724917044661666016759231716059415706703608364873041098478331738686843910748962386378250780017056206432910543374411668835255040201640020726710967482627384460424737495938659004753604600674521079949545966815918391090355556787926276553281009472950401599151788863393804355849499551329
c = 2252456587771662978440183865248648532442503596913181525329434089345680311102588580009450289493044848004270703980243056178363045412903946651952904162045861994915982599488021388197891419171012611795147125799759947942753772847866647801312816514803861011346523945623870123406891646751226481676463538137263366023714001998348605629756519894600802504515051642140147685496526829541501501664072723281466792594858474882239889529245732945
p = 5220649501756432310453173296020153841505609640978826669340282938895377093244978215488158231209243571089268416199675077647719021740691293187913372884975853901554910056350739745148711689601574920977808625399309470283   
q = 7286645200183879820325990521698389973072307061827784645416472106180161656047009812712987400850001340478084529480635891468153462119149259083604029658605921695587836792877281924620444742434168448594010024363257554563

P.<a> = PolynomialRing(Zmod(p),implementation='NTL')
f = a^e - c
mps = f.monic().roots(multiplicities = False)
print(mps)

P.<a> = PolynomialRing(Zmod(q),implementation='NTL')
f = a^e - c
mqs = f.monic().roots(multiplicities = False)

for i in mps:
    for j in mqs:
        m = crt([int(i),int(j)],[p,q])
        flag = long_to_bytes(m)
        if b'NSSCTF' in flag:
            print(flag)

multiplicities = False不打印根的重数.

类型五(2023香山杯-list)

n = p r ∗ q n=p^{r}*q n=prq时,ephi不互素问题

附件

import os
import gmpy2
from Crypto.Util.number import *
import random
from secrets import flag
def pad(s,l):
    return s + os.urandom(l - len(s))
def gen():
    g = getPrime(8)
    while True:
        p = g * random.getrandbits(138) + 1
        if isPrime(p):
            break
    while True:
        q = g * random.getrandbits(138) + 1
        if isPrime(q):
            break
    N = p ** 5 * q
    phi = p ** 4 * (p - 1) * (q - 1)
    d = random.getrandbits(256)
    e = inverse(d, phi)
    E = e * g
    hint = gmpy2.gcd(E, phi)
    return N, E, hint

flag = pad(flag,64)
m = bytes_to_long(flag)
n,e,hint = gen()
c = pow(m,e,n)
print(f'hint = {hint}')
print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')
# hint = 251
# n = 108960799213330048807537253155955524262938083957673388027650083719597357215238547761557943499634403020900601643719960988288543702833581456488410418793239589934165142850195998163833962875355916819854378922306890883033496525502067124670576471251882548376530637034077
# e = 3359917755894163258174451768521610910491402727660720673898848239095553816126131162471035843306464197912997253011899806560624938869918893182751614520610693643690087988363775343761651198776860913310798127832036941524620284804884136983215497742441302140070096928109039
# c = 72201537621260682675988549650349973570539366370497258107694937619698999052787116039080427209958662949131892284799148484018421298241124372816425123784602508705232247879799611203283114123802597553853842227351228626180079209388772101105198454904371772564490263034162

解题思路

先恢复pq

e ∗ d = 1   m o d   p h i , g c d ( e , p h i ) = 1 ⇒ e*d=1\textbf{ }mod\textbf{ }phi,gcd(e,phi)=1\Rightarrow ed=1 mod phi,gcd(e,phi)=1

e ∗ x − 1 = k ∗ p h i e*x-1=k*phi ex1=kphi
在多项式时间内求解上面方程(copper)求出d.
因 为 n = p r ∗ q , 所 以 g c d ( e ∗ x − 1 , n ) = g c d ( p r − 1 ∗ ( p − 1 ) ∗ ( q − 1 ) , p r ∗ q ) = p r − 1 因为n=p^{r}*q,所以gcd(e*x-1,n)=gcd(p^{r-1}*(p-1)*(q-1),p^{r}*q)=p^{r-1} n=prq,gcd(ex1,n)=gcd(pr1(p1)(q1),prq)=pr1
small_roots()r-1次方就能恢复 p

from gmpy2 import *
hint = 251
n = 108960799213330048807537253155955524262938083957673388027650083719597357215238547761557943499634403020900601643719960988288543702833581456488410418793239589934165142850195998163833962875355916819854378922306890883033496525502067124670576471251882548376530637034077
e = 3359917755894163258174451768521610910491402727660720673898848239095553816126131162471035843306464197912997253011899806560624938869918893182751614520610693643690087988363775343761651198776860913310798127832036941524620284804884136983215497742441302140070096928109039
c = 72201537621260682675988549650349973570539366370497258107694937619698999052787116039080427209958662949131892284799148484018421298241124372816425123784602508705232247879799611203283114123802597553853842227351228626180079209388772101105198454904371772564490263034162

P.<d> = PolynomialRing(Zmod(n))
f = e*d - 251
res = f.monic().small_roots(X = 2^256,beta = 0.4)

p_4 = gcd(int(f(res[0])),n)
p = iroot(p_4,4)[0]
q = n//p**4
print(f"p,q = {p},{q}")

接下来就是有限域开方的问题了

# sage
# 开251次方
from Crypto.Util.number import *
import itertools

hint = 251
n = 108960799213330048807537253155955524262938083957673388027650083719597357215238547761557943499634403020900601643719960988288543702833581456488410418793239589934165142850195998163833962875355916819854378922306890883033496525502067124670576471251882548376530637034077
e = 3359917755894163258174451768521610910491402727660720673898848239095553816126131162471035843306464197912997253011899806560624938869918893182751614520610693643690087988363775343761651198776860913310798127832036941524620284804884136983215497742441302140070096928109039
c = 72201537621260682675988549650349973570539366370497258107694937619698999052787116039080427209958662949131892284799148484018421298241124372816425123784602508705232247879799611203283114123802597553853842227351228626180079209388772101105198454904371772564490263034162

p,q=69367143733862710652791985332025152581988181 ,67842402383801764742069883032864699996366777

p_list = [p,q]
n_list = [p**5,q]
print(n_list)
# print(reduce((lambda x, y: x * y), n_list) - n)   # 0
# print(euler_phi(p_list[0])) # 直接求欧拉函数

res=[]

for pi in n_list:
    d = inverse(int(e//251),euler_phi(pi))     # 对n_listt 每一个 pi 求欧拉函数
    m = pow(c,d,pi)
    temp = (Zmod(pi)(m).nth_root(251, all=True))
    #print('temp =',temp) # 列表 251
    if temp is not None:
            res.append(temp)
    else:
            print("None")
   
for vc in itertools.product(*res):
    _c = [int(x) for x in vc]
    m = long_to_bytes(int(crt(_c, n_list)))
    if b"flag" in m:
        print(m)

# b'flag{4b68c7eece6be865f6da2a4323edd491}\x9d\xcf\xdc\xcb\xb8\xbdd\xec\xadh\xa6C\x99\xa0)7\xfb\x02\xba\x90q8\x10+\x7f}'
Zzzcth
关注
  • 3
    点赞
  • 22
    收藏
    觉得还不错? 一键收藏
  • 3
    评论
RSA.rar_RSA加密解密和
09-21
RSA算法是最著名的公开密码体制。基于大数分解的难度。其公开密钥和私人密钥是一对大素数的函数,从一个公开密钥和密文恢复出明文的难度等价于分解两个大素数之积。算法过程:首先是设计密钥,然后是对消息加密,最后是对密文解密。
[NPUCTF2020]EzRSA e和phi_n不互素怎么找d
学习,再学习
09-19 124
熟悉e和m在加密过程的指数计算问题
e与phi互素的情况
yuqie的博客
08-30 899
CryptoRSA的e与phi互素情况下的解法
BUUCTF RSA总结
m0_66467785的博客
05-21 3432
注意:python3里hex(d)的结果和python2里hex(d)的结果相差了一个末尾的L,所以计算md5的结果也就不一样,可以手动加上L再放到md5函数里面。循环遍历所有的n,两两求最大公约数,得到的其两个n的最大公约数刚好是素数,可以作为p。根据已知信息,我们可以求出n、φ(n)、d,进而求出m。分解质数n,得到p = 18443,q = 49891。根据已知信息,我们可以求出p、q、n、phi_n等。根据p、q可以求出φ(n),进而可以求出d。显然,根据提示,需要求出私钥d。
7.3RSA算法
qq_43699776的博客
11-27 359
RSA算法: 大数分解问题: 计算两个素数的乘积非常容易 分解该乘积却异常困难 特别是在这2个素数都很大的情况下 1、起源 1978年美国MIT的三名数学家R.Rivest,A.Shamir和L.Adleman提出了著名的公钥密码体制:RAS公钥算法 2、思想 RAS算法基于指数加密概念,以2个大素数的乘积作为算法的公钥来加密消息,密文的解密必须知道相应的两个大素数 3、RSA公钥算法特点 思想最简单 分析最透彻 应用最广泛 易于理解和实现 经受住了密码分析,具有一定的可信度 4、加密变换 将信息划分成
ctfshow funnyrsa1 e与phi互素
m0_62506844的博客
01-19 2572
在网上找了一上午,看了好几个人的wp,资源不多,结合了好多人的内容总算梳理明白了 #第一段 e1 = 14606334023791426 p1 = 121009772735460235364940622989433807619211926015494087453674747614331295040063679722422298286549493698150690694965106103822315378461970129912436074962111424616439032849788953648286
RSA,CTF,AMM算法,e和p不互素
weixin_45744904的博客
03-13 1530
RSAe和phi互素时的AMM开根 - 安全客,安全资讯平台
小指数rsa 多线程版writeup
u014281987的博客
08-17 1004
下载flag.enc 和pubkey.pem文件 将pem文件拖入openssl得到n(modulus)和e(exponent)  openssl rsa -pubin -text -modulus -in pubkey.pem n=C09778534564847D8CC4B420E9335867EC783E6CF5F05CA03EEEDC2563D0EB2A9EBA8F1952A2670B
e与phi互素 --- 四 + 1 + 1 + 1道题详记
Emmaaaaa's blog
04-22 3544
只能说,对于以上问题,有限域开方都能解决,所以在AMM和有限域间,首推有限域开方算法。当然遇到phi有大因子与e不互素,还是要先尝试题一的解题方式,毕竟更快呀。嗯,就这样
超详细解读RSA加密---数学定理、证明及应用
adonis1978的博客
09-17 2261
信息系统安全绕不开的话题就是加密、认证、完整、权限和不可否认性,这也是安全空间的五大特性。而对于安全,CIA是最基本的要求。随着时间的推移,我们的传输安全技术也在不停向前发展,从早期的古典加密,到机械加密,再到现在的电子加密,逐步发展。 我们今天网络上比较流行的加密、授权都是通过pki/ca认证,通过pmi授权,而pki的核心就是加密技术就是RSA-一种非对称加密。 1977年,三位密码学家发明这种加密算法,RSA就是他们名字的首字母,没有什么含义。 RSA加密算法设计的数学定理比较多,虽然他是最简单
CTF-Writeups:这些是我的CTF写作,以及我每个人的思考过程
05-23
为什么呢 我试图解释一些CTF挑战,希望您发现它们有用! :open_book: 一些链接... 在ctftime上的 :triangular_flag: 骄傲成员 :skull_and_crossbones: 骄傲成员 :bust_in_silhouette:
RSA在C#和java的应用
01-21
RSA在C#和java的应用,通过公钥加密私钥解密,私钥加密公钥解密
rsa.rar_RSA加密解密和
09-20
rsa算法是经典的加密解密算法,可用来加密和进行数字签名。本程序运用rsa算法生成密钥对。
RSAUML建模元素的扩展与定制
03-03
通过对一个实例场景的引用,文章重点阐明如何在RSA基于Eclipse插件技术完成对RSAUML建模元素的容器,即Palette的静态、动态扩展,以及对Palette扩展工具项定制时需要注意的技术难点。1摘要RSA为基于UML进行业务...
以moectf为例,解决rsa里e和phi互素问题,ctfrsa的ZeroDivisionError: invert() no inverse exists报错
最新发布
ljc13626678577的博客
10-22 869
解决ctfrsa的ZeroDivisionError: invert() no inverse exists报错
【笔记】公钥密码学RSA
comptine的博客
12-13 1077
数论基础 1.素数: 定义:一个大于1的自然数,除了1和它本身外,不能被其他自然数整除(除0以外)的数称之为素数(质数);否则称为合数。 如:3×4 = 12,不是素数。11除了等于11×1以外,不能表示为其它任何两个整数的乘积,所以11是一个素数。 关于素数的事实: (1)如果p是素数,且p | ab(表示ab能被p整除),则p | a或 p | b ,即p 至少整除a与b的一个。 (2)算术基本定理:每个整数n ≥ 2 ,均可分解成素数幂之积,即其而且 是一个质数, 若不计因数的顺序,这个分解式是唯
RSA加密、解密、签名、验签(验证签名)&RSA算法原理
热门推荐
qq_44750892的博客
09-04 3万+
参考链接:https://www.jianshu.com/p/8dc4a5f64e06 https://www.cnblogs.com/pcheng/p/9629621.html 首先, 加密:加密是为了防止信息被泄露; 签名:签名是为了防止信息被篡改。 一、RSA加密简介 RSA加密是一种非对称加密。可以在不直接传递密钥的情况下,完成解密;是由一对密钥来进行加解密的过程,分别称为公钥和私钥。两者之间有数学相关,该加密算法的原理就是对一极大整数做因数分解的困难性来保证安全性。通常个人保存私钥,公钥是公开的(
vsCTF crypto 部分wp
m0_62506844的博客
07-11 540
最近比赛太多了,要不是有人提醒我我已经忘记这个比赛了,但我知道的时候已经是晚上了QAQ,匆匆忙忙就做了两道题 加密代码主要又两段:第一段 第二段 exp: Baby RSA 通过pubkey导出e和n,n 很小可以直接分解 尝试求d的时候发现e没有phi的逆元,检查发现e是phi的因子参考NCTF2019的easyRSA[909pt 2solvers]第一次出这个题只有两个解,不得不承认论文确实很难看懂需要涉及到如何在有限域内开r次方根,而AMM算法是一个十分有效的方法。
[xctf crypto] simpleRSA
weixin_52640415的博客
11-12 613
RSA 求根公式,国剩余定理,e与phi互素
rsa判断两个数的互素
07-10
RSA(Rivest-Shamir-Adleman)算法是一种非对称加密算法,用于加密和解密数据。它的主要原理是基于两个大素数的乘积作为公钥,其一个素数的私钥保密,通过计算两个数的最大公约数来判断它们是否互素。 在RSA算法,选择两个不同的素数 p 和 q,并计算它们的乘积 n = p * q。然后选择一个整数 e,使得 e 与 (p-1)*(q-1) 互素。这里的 (p-1)*(q-1) 就是欧拉函数 &phi;(n) 的值。 如果两个数 x 和 n 互素,即 gcd(x, n) = 1,那么 x 的 e 次方对 n 取模的结果 y = (x^e) % n 就可以用作加密或解密。这是因为根据欧拉定理,当 x 与 n 互素时,有 x^&phi;(n) ≡ 1 (mod n),因此 x^e ≡ y (mod n)。 所以,通过计算 gcd(x, n) 是否等于 1,可以判断 x 和 n 是否互素。在RSA算法,这一步是用来验证选择的公钥 e 是否与 &phi;(n) 互素的关键步骤。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值