2022 年秋季周赛 #1
太菜了,只做了一道题
Crypto1-ez_rsa
from gmpy2 import *
from Crypto.Util.number import bytes_to_long, getPrime
from secret import getflag
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537
c = powmod(bytes_to_long(getflag().encode()), e, n)
p1 = getPrime(512)
q1 = getPrime(512)
e2 = 2
n2 = p1 * q1
qq = powmod(q, 2, n2)
print("p =", p)
print("c =", c)
print("qq =", qq)
print("p1 =", p1)
print("q1 =", q1)
#p = 12308179309593602751271791377741714447293667604857212390206415101449244381411434351497614234270867625237845969592644895509999349727102084699358121637245067
#c = 88538559780666662017760303643856502459757760454331764671087285648431177078968617861219906071439642098305192839557066453190948740527424406971066108015406215959011267909170965719551446028849697299662195844303871455220478384797843905782704149228080040972010247396299872761449874774574161170145754584161636708463
#qq = 659623774679343295579096632644038126081944753929948921559010081865515317884678258952299011773134549936516084556415410504410383829830292620097788697467220740462263267566490096302470940330078797261000281245191371755985721427772219625347847873896371027753352243635223720005059503695733447840784319938712939028
#p1 = 7159323633958486825636238779507796423759935709687676407678647843496143390649747715916150685774066022594593950540107699469642487153253666953468683287763279
#q1 = 8533560222700419855783713206183861487198172839465795177814632191948595287983585258794211931496348723663349103120182184360085227311412940152410920515278979
e2和pni不互素
参考了这篇文章https://forum.butian.net/index.php/share/1689
import random
import time
# About 3 seconds to run
def AMM(o, r, q):
start = time.time()
print('\n----------------------------------------------------------------------------------')
print('Start to run Adleman-Manders-Miller Root Extraction Method')
print('Try to find one {:#x}th root of {} modulo {}'.format(r, o, q))
g = GF(q)
o = g(o)
p = g(random.randint(1, q))
while p ^ ((q-1) // r) == 1:
p = g(random.randint(1, q))
print('[+] Find p:{}'.format(p))
t = 0
s = q - 1
while s % r == 0:
t += 1
s = s // r
print('[+] Find s:{}, t:{}'.format(s, t))
k = 1
while (k * s + 1) % r != 0:
k += 1
alp = (k * s + 1) // r
print('[+] Find alp:{}'.format(alp))
a = p ^ (r**(t-1) * s)
b = o ^ (r*alp - 1)
c = p ^ s
h = 1
for i in range(1, t):
d = b ^ (r^(t-1-i))
if d == 1:
j = 0
else:
print('[+] Calculating DLP...')
j = - discrete_log(d, a)
print('[+] Finish DLP...')
b = b * (c^r)^j
h = h * c^j
c = c^r
result = o^alp * h
end = time.time()
print("Finished in {} seconds.".format(end - start))
print('Find one solution: {}'.format(result))
return result
def findAllPRoot(p, e):
print("Start to find all the Primitive {:#x}th root of 1 modulo {}.".format(e, p))
start = time.time()
proot = set()
while len(proot) < e:
proot.add(pow(random.randint(2, p-1), (p-1)//e, p))
end = time.time()
print("Finished in {} seconds.".format(end - start))
return proot
def findAllSolutions(mp, proot, cp, p):
print("Start to find all the {:#x}th root of {} modulo {}.".format(e, cp, p))
start = time.time()
all_mp = set()
for root in proot:
mp2 = mp * root % p
assert(pow(mp2, e, p) == cp)
all_mp.add(mp2)
end = time.time()
print("Finished in {} seconds.".format(end - start))
return all_mp
c = 659623774679343295579096632644038126081944753929948921559010081865515317884678258952299011773134549936516084556415410504410383829830292620097788697467220740462263267566490096302470940330078797261000281245191371755985721427772219625347847873896371027753352243635223720005059503695733447840784319938712939028
p = 7159323633958486825636238779507796423759935709687676407678647843496143390649747715916150685774066022594593950540107699469642487153253666953468683287763279
q = 8533560222700419855783713206183861487198172839465795177814632191948595287983585258794211931496348723663349103120182184360085227311412940152410920515278979
e = 2
cp = c % p
cq = c % q
mp = AMM(cp, e, p)
mq = AMM(cq, e, q)
p_proot = findAllPRoot(p, e)
q_proot = findAllPRoot(q, e)
mps = findAllSolutions(mp, p_proot, cp, p)
mqs = findAllSolutions(mq, q_proot, cq, q)
print(mps, mqs)
Finished in 0.0014035701751708984 seconds.
{6460266826702225024526807277196419979248249563840228806068287308800598958130714825594569079072267676424792412317486000970448282378816353716504195270815071, 699056807256261801109431502311376444511686145847447601610360534695544432519032890321581606701798346169801538222621698499194204774437313236964488016948208} {7858380441214748626745670281819172868271621855535124009289008378191687823168780606237732292475864368764395488762729397968836691927690980190433171304711487, 675179781485671229038042924364688618926550983930671168525623813756907464814804652556479639020484354898953614357452786391248535383721959961977749210567492}
from Crypto.Util.number import long_to_bytes, getPrime
from gmpy2 import *
c = 88538559780666662017760303643856502459757760454331764671087285648431177078968617861219906071439642098305192839557066453190948740527424406971066108015406215959011267909170965719551446028849697299662195844303871455220478384797843905782704149228080040972010247396299872761449874774574161170145754584161636708463
p = 12308179309593602751271791377741714447293667604857212390206415101449244381411434351497614234270867625237845969592644895509999349727102084699358121637245067
q = 7858380441214748626745670281819172868271621855535124009289008378191687823168780606237732292475864368764395488762729397968836691927690980190433171304711487
phi = (p - 1) * (q - 1)
n = p * q
e = 65537
d = gmpy2.invert(e, phi)
# c = powmod(m, e, n)
m = gmpy2.powmod(c, d, n)
print(long_to_bytes(m))
b'NSSCTF{Y0u_Hav3_F1n1sh_e2_rsa_try_n3xt_13v31}'