RSA
baby rsa
已知e,p,q,c
n=p*q得到n,RSA基础题型解密得解。
phi_n = (p-1)*(q-1)#最小公倍数
d = gmpy2.invert(e,phi_n)#求逆元
m = pow(c,d,n)#c^d mod n
print(libnum.n2s(int(m)))#数字转字符串
easy rsa1
已知e,n,c
利用factordb.com分解得p,q
即rsa基础题型求解
easy rsa2
观察数据,e相同,已知n1,c1,n2,c2
可得为变式题型n不互素
q=gmpy2.gcd(n1,n2)#gcd(x,y)求x,y最大公约数
p1=n1//q
phi_n=(q-1)*(p1-1)
d1=libnum.invmod(e,phi_n)#对e模phi_n取反
m=pow(c1,d1,n1)
print(libnum.n2s(int(m)).decode())#decode()字节转字符串
easy rsa3
观察数据,n相同,已知e1,c1,e2,c2
可得为变式题型共模攻击
s1,s2,s3=gmpy2.gcdext(e1,e2)#扩展欧几里得原理
m=(pow(c1,s2,n)*pow(c2,s3,n)%n)
easy rsa4
观察数据,e=3,已知n,c
可得为变式题型低加密指数攻击,k比较小
def de(c,e,n):
k=0
while True:
m=c+n*k
result,flag=gmpy2.iroot(m,e)#开方
if True == flag:
return result
k+=1
m=de(c,e,n)#解密
easy rsa5
已知e,n,c
利用factordb.com分解得p,q
即rsa基础题型求解
easy rsa6
题目给出了e,n,c
用网站分解n得到p,q
import libnum
import gmpy2
c =
p =
q =
e =
n =
phi_n=(p-1)*(q-1)
d=gmpy2.invert(e,phi_n)
m=pow(c,d,n)
print(m)
print(libnum.n2s(int(m)))
easy RSA7
CopperSmith攻击
特点:“p>>128<<128"且p末尾很多0,p低位数据缺失
理解p>>128<<128:利用代码,由简入繁
printp>>3 p<<3 p>>3<<3
运行查看结果,对比更好理解p>>128<<128
先使用sagemath运行下面这段代码可以得到n,p,q
from sage.all import *
n = 0x79e0bf9b916e59286163a1006f8cefd4c1b080387a6ddb98a3f3984569a4ebb48b22ac36dff7c98e4ebb90ffdd9c07f53a20946f57634fb01f4489fcfc8e402865e152820f3e2989d4f0b5ef1fb366f212e238881ea1da017f754d7840fc38236edba144674464b661d36cdaf52d1e5e7c3c21770c5461a7c1bc2db712a61d992ebc407738fc095cd8b6b64e7e532187b11bf78a8d3ddf52da6f6a67c7e88bef5563cac1e5ce115f3282d5ff9db02278859f63049d1b934d918f46353fea1651d96b2ddd874ec8f1e4b9d487d8849896d1c21fb64029f0d6f47e560555b009b96bfd558228929a6cdf3fb6d47a956829fb1e638fcc1bdfad4ec2c3590dea1ed3
p4 = 0xd1c520d9798f811e87f4ff406941958bab8fc24b19a32c3ad89b0b73258ed3541e9ca696fd98ce15255264c39ae8c6e8db5ee89993fa44459410d30a0a8af700ae3aee8a9a1d6094f8c757d3b79a8d1147e85be34fb260a970a52826c0a92b46cefb5dfaf2b5a31edf867f8d34d22229
#p4为p去除0的剩余位e = 0x10001
pbits = 1024
kbits = pbits - p4.nbits()
print(p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
roots = f.small_roots(X=2^kbits, beta=0.4)
if roots:
p = p4+int(roots[0])
print("n= "+str(n))
print("p= "+str(p))
print("q= "+str(n//p))
n=15385662500833683624078569984373213422422207212280496601444231671573448637150116227706836878878073499171848761705319193774526502237353076168018030771746205464158669320919641325288612751372670181299665139997586553315310347588233406828542606020800241161051008288437407736979922757405068072731770582498252049192877898003964488874889716478031688573585352005147285581281920852472734014864246643866812388198283781144177102040492746134555811828205526783046568167440811490128574493943480402635123221242083843427421730093351014697575278810518905300063354048399554869181858023737364977648594835522202515445612655483110199795411
p=147305526294483975294006704928271118039370615054437206404408410848858740256154476278591035455064149531353089038270283281541411458250950936656537283482331598521457077465891874559349872035197398406708610440618635013091489698011474611145014167945729411970665381793142591665313979405475889978830728651549052207969
q=104447286451939566076017797038369998283019120860149982200602344749600436385708441695230995780714906769626731151644722579252428917819367256207463696691033967714073069435280785389775459281272218174741165454138432242201951151298026448827619971129737985262978620243577274864410816225725466321200461416855483876019
现在我们已知n,p,q,e,c
套个基础脚本即得到flag
import libnum
import gmpy2
import binascii
n=15385662500833683624078569984373213422422207212280496601444231671573448637150116227706836878878073499171848761705319193774526502237353076168018030771746205464158669320919641325288612751372670181299665139997586553315310347588233406828542606020800241161051008288437407736979922757405068072731770582498252049192877898003964488874889716478031688573585352005147285581281920852472734014864246643866812388198283781144177102040492746134555811828205526783046568167440811490128574493943480402635123221242083843427421730093351014697575278810518905300063354048399554869181858023737364977648594835522202515445612655483110199795411
p=147305526294483975294006704928271118039370615054437206404408410848858740256154476278591035455064149531353089038270283281541411458250950936656537283482331598521457077465891874559349872035197398406708610440618635013091489698011474611145014167945729411970665381793142591665313979405475889978830728651549052207969
q=104447286451939566076017797038369998283019120860149982200602344749600436385708441695230995780714906769626731151644722579252428917819367256207463696691033967714073069435280785389775459281272218174741165454138432242201951151298026448827619971129737985262978620243577274864410816225725466321200461416855483876019
c=0x1b2b4f9afed5fb5f9876757e959c183c2381ca73514b1918d2f123e386bebe9832835350f17ac439ac570c9b2738f924ef49afea02922981fad702012d69ea3a3c7d1fc8efc80e541ca2622d7741090b9ccd590906ac273ffcc66a7b8c0d48b7d62d6cd6dd4cd75747c55aac28f8be3249eb255d8750482ebf492692121ab4b27b275a0f69b15baef20bf812f3cbf581786128b51694331be76f80d6fb1314d8b280eaa16c767821b9c2ba05dfde5451feef22ac3cb3dfbc88bc1501765506f0c05045184292a75c475486b680f726f44ef8ddfe3c48f75bb03c8d44198ac70e6b7c885f53000654db22c8cee8eb4f65eaeea2da13887aaf53d8c254d2945691
e=0x10001
phi = (q-1)*(p-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
print(libnum.n2s(int(m)))
easy RSA8
先将下载的压缩包解压到相应的文件夹中,网上套用一个解题脚本
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP #PKCS1 OAEP 是一种基于 RSA 和 OAEP 填充的非对称密码
from numpy import long
import gmpy2
import binascii
读取文件可以得到n,e
public = RSA.importKey(open('public.key').read())
n = long(public.n)
e = long(public.e)
print(n)
print(e)
利用在线网站factordb.com分解n,得到p,q
p = 97
q = 106249972159566919549855203174197828387397831115262336234662051342543151219702510584956705611794290291345944183845955839244363030579896461607496959399297130227066841321473005074379950936513608503266587950271044991876848389878395867601515004796212227929894460104645781488319246866661398816686697306692491058609
d = 4520639064487098151327174667961365516283539231992543792882057746866179464294032313887767783621724945557985447874376379715922452725597335427159165685648572663979688014560576024497341124412004366514253110547369977143739781801290219136578513871764574450392367530817034216313429071683911546803031169524669257788417
rsakey = RSA.importKey(open('public.key', 'r').read())
privatekey = RSA.construct((n,e,d,p,q))
rsa = PKCS1_OAEP.new(privatekey)
m = rsa.decrypt(open('flag.enc', 'rb').read())
print(m)
funny RSA1
N1,N2使用相同的素数p或q,相同e(一般为65537)和m,有两个或多个n,c时,可以考虑N不互素。
e1 = 14606334023791426
p1 = 121009772735460235364940622989433807619211926015494087453674747614331295040063679722422298286549493698150690694965106103822315378461970129912436074962111424616439032849788953648286506433464358834178903821069564798378666159882090757625817745990230736982709059859613843100974349380542982235135982530318438330859
q1 = 130968576816900149996914427770826228884925960001279609559095138835900329492765336419489982304805369724685145941218640504262821549441728192761733409684831633194346504685627189375724517070780334885673563409259345291959439026700006694655545512308390416859315892447092639503318475587220630455745460309886030186593
c1 = 11402389955595766056824801105373550411371729054679429421548608725777586555536302409478824585455648944737304660137306241012321255955693234304201530700362069004620531537922710568821152217381257446478619320278993539785699090234418603086426252498046106436360959622415398647198014716351359752734123844386459925553497427680448633869522591650121047156082228109421246662020164222925272078687550896012363926358633323439494967417041681357707006545728719651494384317497942177993032739778398001952201667284323691607312819796036779374423837576479275454953999865750584684592993292347483309178232523897058253412878901324740104919248
e2 = 13813369129257838
p2 = 121009772735460235364940622989433807619211926015494087453674747614331295040063679722422298286549493698150690694965106103822315378461970129912436074962111424616439032849788953648286506433464358834178903821069564798378666159882090757625817745990230736982709059859613843100974349380542982235135982530318438330859
q2 = 94582257784130735233174402362819395926641026753071039760251190444144495369829487705195913337502962816079184062352678128843179586054535283861793827497892600954650126991213176547276006780610945133603745974181504975165082485845571788686928859549252522952174376071500707863379238688200493621993937563296490615649
c2 = 7984888899827615209197324489527982755561403577403539988687419233579203660429542197972867526015619223510964699107198708420785278262082902359114040327940253582108364104049849773108799812000586446829979564395322118616382603675257162995702363051699403525169767736410365076696890117813211614468971386159587698853722658492385717150691206731593509168262529568464496911821756352254486299361607604338523750318977620039669792468240086472218586697386948479265417452517073901655900118259488507311321060895347770921790483894095085039802955700146474474606794444308825840221205073230671387989412399673375520605000270180367035526919
观察题目,p1=p2,有两个不同的n,c,可以猜测为n不互素的情况,但是这道题有两个不同的e
我们先化简e,找到他们的最大公因数,分别约去14得到新的e1,e2,由于m^e mod n =c,改变了e,对应的密文c也需要改变。
import libnum
import gmpy2
import binascii
p1=121009772735460235364940622989433807619211926015494087453674747614331295040063679722422298286549493698150690694965106103822315378461970129912436074962111424616439032849788953648286506433464358834178903821069564798378666159882090757625817745990230736982709059859613843100974349380542982235135982530318438330859
q1=130968576816900149996914427770826228884925960001279609559095138835900329492765336419489982304805369724685145941218640504262821549441728192761733409684831633194346504685627189375724517070780334885673563409259345291959439026700006694655545512308390416859315892447092639503318475587220630455745460309886030186593
e=1043309573127959 #e=e1/14
c1=11402389955595766056824801105373550411371729054679429421548608725777586555536302409478824585455648944737304660137306241012321255955693234304201530700362069004620531537922710568821152217381257446478619320278993539785699090234418603086426252498046106436360959622415398647198014716351359752734123844386459925553497427680448633869522591650121047156082228109421246662020164222925272078687550896012363926358633323439494967417041681357707006545728719651494384317497942177993032739778398001952201667284323691607312819796036779374423837576479275454953999865750584684592993292347483309178232523897058253412878901324740104919248
n1=p1*q1
phi_n=(p1-1)*(q1-1)
d1=gmpy2.invert(e,phi_n)
c1_14=pow(c1,d1,n1)#相当于一次解密,得到新的e对应的c
#c=pow(m,e,n)
#与上面的处理相同
e2 = 986669223518417
p2 = 121009772735460235364940622989433807619211926015494087453674747614331295040063679722422298286549493698150690694965106103822315378461970129912436074962111424616439032849788953648286506433464358834178903821069564798378666159882090757625817745990230736982709059859613843100974349380542982235135982530318438330859
q2 = 94582257784130735233174402362819395926641026753071039760251190444144495369829487705195913337502962816079184062352678128843179586054535283861793827497892600954650126991213176547276006780610945133603745974181504975165082485845571788686928859549252522952174376071500707863379238688200493621993937563296490615649
c2 = 7984888899827615209197324489527982755561403577403539988687419233579203660429542197972867526015619223510964699107198708420785278262082902359114040327940253582108364104049849773108799812000586446829979564395322118616382603675257162995702363051699403525169767736410365076696890117813211614468971386159587698853722658492385717150691206731593509168262529568464496911821756352254486299361607604338523750318977620039669792468240086472218586697386948479265417452517073901655900118259488507311321060895347770921790483894095085039802955700146474474606794444308825840221205073230671387989412399673375520605000270180367035526919
n2=p2*q2
phi_n2=(p2-1)*(q2-1)
d2=gmpy2.invert(e2,phi_n2)
c2_14=pow(c2,d2,n2)
#得到新的e1,e2对应的c1,c2
print("c1=",c1_14)
print("c2=",c2_14)
得到c1,c2后,需要将其合并为c3
n=p*q,根据数论知识,q相同可以舍去。
c
1
=
m
14
.
m
o
d
.
q
1
c
2
=
m
14
.
m
o
d
.
q
2
c_1=m^{14}.mod.q_1\\c_2=m^{14}.mod.q_2
c1=m14.mod.q1c2=m14.mod.q2
根据中国剩余定理
c
3
=
m
14
.
m
o
d
.
(
q
1
∗
q
2
)
c_3=m^{14}.mod.(q_1*q_2)
c3=m14.mod.(q1∗q2)
有c1,c2时,可以运用中国剩余定理求c3
import libnum
c1=
c2=
q1=
q2=
c3=libnum.solve_crt([c1,c2], [q1,q2])#中国剩余定理
print("c3=",c3)
import libnum
import gmpy2
c3=
e=14#e没有化到最简时,逆元不存在。 14=2*7
p=#q1
q=#q2
n=p*q
phi_n=(p-1)*(q-1)
d=gmpy2.invert(e,phi_n)
c4=pow(c3,d,n)
print(c4)
同样的方法继续化简e,最终得到新e所对应的c4
e=2时
c
=
m
2
.
m
o
d
.
n
c=m^2.mod.n
c=m2.mod.n
由肉眼观察,得知m^2<n=p*q
所以c=m^2
最后将c4开方就得到了m
funny RSA2
这道题与众不同的点在于将n分解成了三个数
from Crypto.Util.number import *
import gmpy2
n = 897607935780955837078784515115186203180822213482989041398073067996023639
c = 490571531583321382715358426750276448536961994273309958885670149895389968
e = 0x10001
p = 876391552113414716726089
q = 932470255754103340237147
r = 1098382268985762240184333
phi = (p - 1) * (q - 1) * (r - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(m)
print(libnum.n2s(int(m)))
所以将N分解为多个素数的题型与这类大同小异,只是在欧拉函数phi_n的计算上扩开了一点点
import libnum
import gmpy2
n=
e=
c=
#分解n
p=
q=
r=
phi_n=(p-1)*(q-1)*(r-1)
d=gmpy2.invert(e,phi_n)
m=pow(c,d,n)
print(m)
print(libnum.n2s(int(m)))
funny RSA3
dp泄露,已知e,n,c,dp
套用之前找到的脚本。
import libnum
import gmpy2
e = 65537
n = 13851998696110232034312408768370264747862778787235362033287301947690834384177869107768578977872169953363148442670412868565346964490724532894099772144625540138618913694240688555684873934424471837897053658485573395777349902581306875149677867098014969597240339327588421766510008083189109825385296069501377605893298996953970043168244444585264894721914216744153344106498382558756181912535774309211692338879110643793628550244212618635476290699881188640645260075209594318725693972840846967120418641315829098807385382509029722923894508557890331485536938749583463709142484622852210528766911899504093351926912519458381934550361
dp = 100611735902103791101540576986246738909129436434351921338402204616138072968334504710528544150282236463859239501881283845616704984276951309172293190252510177093383836388627040387414351112878231476909883325883401542820439430154583554163420769232994455628864269732485342860663552714235811175102557578574454173473
c = 6181444980714386809771037400474840421684417066099228619603249443862056564342775884427843519992558503521271217237572084931179577274213056759651748072521423406391343404390036640425926587772914253834826777952428924120724879097154106281898045222573790203042535146780386650453819006195025203611969467741808115336980555931965932953399428393416196507391201647015490298928857521725626891994892890499900822051002774649242597456942480104711177604984775375394980504583557491508969320498603227402590571065045541654263605281038512927133012338467311855856106905424708532806690350246294477230699496179884682385040569548652234893413
#遍历,爆破出p
#dp*e-1=(p-1)*[k2*(q-1)-k1]
#i=[k2*(q-1)-k1]
for i in range(1,65535):
p=(dp*e-1)//i+1
if n%p==0:
q=n//p
break
print(p)
print(q)
phi_n= (p-1)*(q-1)
d=gmpy2.invert(e,phi_n)
m=pow(c,d,n)
print(m)
flag=libnum.n2s(int(m)).decode()
print(flag)
总结以下unusual系列rsa所运用到的数学知识:
模运算,欧拉函数,欧拉定理,扩展欧几里得算法,中国剩余定理,费马小定理
废人一个,数学知识匮乏,unusual有待研究
中国剩余定理:
c3=libnum.solve_crt([c1,c2], [q1,q2])#中国剩余定理
可以用来将c1和c2合并成为最终的c3(funny rsa1中的运用)
unusualrsa1
小e 部分明文泄露 (类似于easyrsa7) —>采用Coppersmith单变量模等式的攻击
原理如下:
exp
#sage
n = 14113948189208713011909396304970377626324044633561155020366406284451614054260708934598840781397326960921718892801653205159753091559901114082556464576477585198060530094478860626532455065960136263963965819002575418616768412539016154873800614138683106056209070597212668250136909436974469812231498651367459717175769611385545792201291192023843434476550550829737236225181770896867698281325858412643953550465132756142888893550007041167700300621499970661661288422834479368072744930285128061160879720771910458653611076539210357701565156322144818787619821653007453741709031635862923191561438148729294430924288173571196757351837
e = 3
beta = 1
epsilon = 1/7
nbits = n.nbits()
kbits = floor(nbits*(beta^2/e-epsilon))
mbar = 1520800285708753284739523608878585974609134243280728660335545667177630830064371336150456537012842986526527904043383436211487979254140749228004148347597566264500276581990635110200009305900689510908049771218073767918907869112593870878204145615928290375086195098919355531430003571366638390993296583488184959318678321571278510231561645872308920917404996519309473979203661442792048291421574603018835698487725981963573816645574675640357569465990665689618997534740389987351864738104038598104713275375385003471306823348792559733332094774873827383320058176803218213042061965933143968710199376164960850951030741280074168795136
c = 6635663565033382363211849843446648120305449056573116171933923595209656581213410699649926913276685818674688954045817246263487415328838542489103709103428412175252447323358040041217431171817865818374522191881448865227314554997131690963910348820833080760482835650538394814181656599175839964284713498394589419605748581347163389157651739759144560719049281761889094518791244702056048080280278984031050608249265997808217512349309696532160108250480622956599732443714546043439089844571655280770141647694859907985919056009576606333143546094941635324929407538860140272562570973340199814409134962729885962133342668270226853146819
print("upper %d bits (of %d bits) is given" % (nbits-kbits, nbits))
PR.<x> = PolynomialRing(Zmod(n))
f = (mbar + x)^e - c
x0 = f.small_roots(X=2^kbits, beta=1)[0] # sage中small_roots函数
m = int(mbar+x0)
mhex = '%x'%m
print('hex m = ',mhex)
mhex = '0'*(len(mhex)%2)+mhex
print('str m = ', bytes.fromhex(mhex))
unusualrsa2
题目
# ********************
# @Author: Lazzaro
# ********************
from Crypto.Util.number import getPrime,bytes_to_long,long_to_bytes
from functools import reduce
from secret import flag, x, y
m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
n = p*q
print(n)
assert(reduce(lambda x,y:x&y,[(i-5)*i+6==0 for i in x]))
assert(reduce(lambda x,y:x&y,[(j-15)*j+44==0 for j in y]))
print(pow(reduce(lambda x,y:x*m+y,x),17,n))
print(pow(reduce(lambda x,y:x*m+y,y),17,n))
# 23772599983135215481563178266884362291876571759991288577057472733374903836591330410574958472090396886895304944176208711481780781286891334062794555288959410390926474473859289842654809538435377431088422352076225067494924657598298955407771484146155998883073439266427190212827600119365643065276814044272790573450938596830336430371987561905132579730619341196199420897034988685012777895002554746080384319298123154671447844799088258541911028041717897434816921424155687677867019535399434825468160227242441375503664915265223696139025407768146464383537556265875013085702422829200814612395116961538432886116917063119749068212699
# 10900151504654409767059699202929100225155892269473271859207513720755903691031362539478242920144073599515746938827937863835169270383721094542639011665235593065932998091574636525973099426040452626893461449084383663453549354608769727777329036059746386523843912382289597182615339786437186169811342356085836838520978047561127661777189045888648773949147220411427306098338616422692914110656004863767719312410906124366000507952960331116878197129010412361636679449281808407214524741732730279777729251515759320442591663641984363061618865267606007355576230009922421807527598213455112981354590909603317525854070358390622096569841
# 17298679220717326374674940612143058330715465693318467692839033642321129433471254547497087746971317567301086124779289015934582615377165560688447452762043163082394944604062014490446763247008217251611443338103074143809936437694543761369945095202092750900940979469994907399829695696313513303922266742415376818434932335640062684245008822643258497589196668426788916969378417960200705779461808292296450298558001909603602502604228973101048082095642290047196235959438278631661658312398313171590515776453711432353011579809351076532129444735206408591345372296372378396539831385036814349328459266432393612919118094115543053115450
Franklin-Reiter攻击
exp.py
# FR相关攻击
def related_message_attack(c1, c2, di, e, n):
from Crypto.Util.number import GCD
# 展开(x+a)^e的系数,杨辉三角
def poly_coef(a, e):
assert e >= 0
if e == 0:
return 1
elif e == 1:
return [1, 1]
else:
res = [1]
coe_prev = poly_coef(a, e - 1)
for i in range(len(coe_prev) - 1):
res.append(sum(coe_prev[i:i + 2]))
res.append(1)
return res
def poly_extend(a, e, n, c):
coef = poly_coef(a, e)
res = [a ** i * coef[i] for i in range(len(coef))]
res[-1] = res[-1] + c
res = [x % n for x in res]
return res
# 化首1
def poly_monic(pl, n):
from gmpy2 import invert
for p in pl:
if p != 0:
inv = invert(p, n)
break
return [int((x * inv) % n) for x in pl]
# 模运算,这部分写的不是很好,待优化
def poly_mod(pl1, pl2, n):
from functools import reduce
assert len(pl1) == len(pl2)
pl1 = poly_monic(pl1, n)
pl2 = poly_monic(pl2, n)
for i in range(len(pl1)):
if pl1[i] > pl2[i]:
break
elif pl1[i] < pl2[i]:
return poly_mod(pl2, pl1, n)
else:
return 0
idx = -1
for i in range(len(pl1)):
if pl1[i] == 1:
idx = i
break
for i in range(idx, len(pl2)):
if pl2[i] == 1:
pl2 = pl2[:idx] + pl2[i:]
pl2 += [0] * (len(pl1) - len(pl2))
break
res = []
for i in range(len(pl1)):
if pl2[i] == 0:
res.append(pl1[i])
else:
res.append(pl1[i] - pl2[i])
res = [int(x % n) for x in res]
g = int(reduce(GCD, res))
if g > 1:
res = [x // g for x in res]
return res
# 最大公因式
def poly_gcd(pl1, pl2, n):
while pl2 != 0:
pl1, pl2 = pl2, poly_mod(pl1, pl2, n)
pl1 = poly_monic(pl1, n)
return pl1
# x^e-c1
# (x+di)^e-c2
pl1 = poly_extend(0, e, n, -c1)
pl2 = poly_extend(di, e, n, -c2)
pl_d = poly_gcd(pl1, pl2, n)
# 求得(x-m),所以取负数即为m
m = n - pl_d[-1]
return m
def exp():
from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long
n = 23772599983135215481563178266884362291876571759991288577057472733374903836591330410574958472090396886895304944176208711481780781286891334062794555288959410390926474473859289842654809538435377431088422352076225067494924657598298955407771484146155998883073439266427190212827600119365643065276814044272790573450938596830336430371987561905132579730619341196199420897034988685012777895002554746080384319298123154671447844799088258541911028041717897434816921424155687677867019535399434825468160227242441375503664915265223696139025407768146464383537556265875013085702422829200814612395116961538432886116917063119749068212699
c1 = 10900151504654409767059699202929100225155892269473271859207513720755903691031362539478242920144073599515746938827937863835169270383721094542639011665235593065932998091574636525973099426040452626893461449084383663453549354608769727777329036059746386523843912382289597182615339786437186169811342356085836838520978047561127661777189045888648773949147220411427306098338616422692914110656004863767719312410906124366000507952960331116878197129010412361636679449281808407214524741732730279777729251515759320442591663641984363061618865267606007355576230009922421807527598213455112981354590909603317525854070358390622096569841
c2 = 17298679220717326374674940612143058330715465693318467692839033642321129433471254547497087746971317567301086124779289015934582615377165560688447452762043163082394944604062014490446763247008217251611443338103074143809936437694543761369945095202092750900940979469994907399829695696313513303922266742415376818434932335640062684245008822643258497589196668426788916969378417960200705779461808292296450298558001909603602502604228973101048082095642290047196235959438278631661658312398313171590515776453711432353011579809351076532129444735206408591345372296372378396539831385036814349328459266432393612919118094115543053115450
e = 17
c11 = (pow(2, e, n) * c1) % n
diff = 5
m1 = related_message_attack(c11, c2, diff, e, n)
print("4m+6 =", m1)
m = (m1 - 6) * inverse(4, n) % n
print(long_to_bytes(m))
if __name__ == '__main__':
exp()
unusualrsa3
多项式RSA
有限域,欧拉函数,欧拉定理
exp
#多项式rsa
def main():
p = 2470567871
R.<x> = PolynomialRing(GF(p))
N = 1932231392*x^255 + 1432733708*x^254 + 1270867914*x^253 + 1573324635*x^252 + 2378103997*x^251 + 820889786*x^250 + 762279735*x^249 + 1378353578*x^248 + 1226179520*x^247 + 657116276*x^246 + 1264717357*x^245 + 1015587392*x^244 + 849699356*x^243 + 1509168990*x^242 + 2407367106*x^241 + 873379233*x^240 + 2391647981*x^239 + 517715639*x^238 + 828941376*x^237 + 843708018*x^236 + 1526075137*x^235 + 1499291590*x^234 + 235611028*x^233 + 19615265*x^232 + 53338886*x^231 + 434434839*x^230 + 902171938*x^229 + 516444143*x^228 + 1984443642*x^227 + 966493372*x^226 + 1166227650*x^225 + 1824442929*x^224 + 930231465*x^223 + 1664522302*x^222 + 1067203343*x^221 + 28569139*x^220 + 2327926559*x^219 + 899788156*x^218 + 296985783*x^217 + 1144578716*x^216 + 340677494*x^215 + 254306901*x^214 + 766641243*x^213 + 1882320336*x^212 + 2139903463*x^211 + 1904225023*x^210 + 475412928*x^209 + 127723603*x^208 + 2015416361*x^207 + 1500078813*x^206 + 1845826007*x^205 + 797486240*x^204 + 85924125*x^203 + 1921772796*x^202 + 1322682658*x^201 + 2372929383*x^200 + 1323964787*x^199 + 1302258424*x^198 + 271875267*x^197 + 1297768962*x^196 + 2147341770*x^195 + 1665066191*x^194 + 2342921569*x^193 + 1450622685*x^192 + 1453466049*x^191 + 1105227173*x^190 + 2357717379*x^189 + 1044263540*x^188 + 697816284*x^187 + 647124526*x^186 + 1414769298*x^185 + 657373752*x^184 + 91863906*x^183 + 1095083181*x^182 + 658171402*x^181 + 75339882*x^180 + 2216678027*x^179 + 2208320155*x^178 + 1351845267*x^177 + 1740451894*x^176 + 1302531891*x^175 + 320751753*x^174 + 1303477598*x^173 + 783321123*x^172 + 1400145206*x^171 + 1379768234*x^170 + 1191445903*x^169 + 946530449*x^168 + 2008674144*x^167 + 2247371104*x^166 + 1267042416*x^165 + 1795774455*x^164 + 1976911493*x^163 + 167037165*x^162 + 1848717750*x^161 + 573072954*x^160 + 1126046031*x^159 + 376257986*x^158 + 1001726783*x^157 + 2250967824*x^156 + 2339380314*x^155 + 571922874*x^154 + 961000788*x^153 + 306686020*x^152 + 80717392*x^151 + 2454799241*x^150 + 1005427673*x^149 + 1032257735*x^148 + 593980163*x^147 + 1656568780*x^146 + 1865541316*x^145 + 2003844061*x^144 + 1265566902*x^143 + 573548790*x^142 + 494063408*x^141 + 1722266624*x^140 + 938551278*x^139 + 2284832499*x^138 + 597191613*x^137 + 476121126*x^136 + 1237943942*x^135 + 275861976*x^134 + 1603993606*x^133 + 1895285286*x^132 + 589034062*x^131 + 713986937*x^130 + 1206118526*x^129 + 311679750*x^128 + 1989860861*x^127 + 1551409650*x^126 + 2188452501*x^125 + 1175930901*x^124 + 1991529213*x^123 + 2019090583*x^122 + 215965300*x^121 + 532432639*x^120 + 1148806816*x^119 + 493362403*x^118 + 2166920790*x^117 + 185609624*x^116 + 184370704*x^115 + 2141702861*x^114 + 223551915*x^113 + 298497455*x^112 + 722376028*x^111 + 678813029*x^110 + 915121681*x^109 + 1107871854*x^108 + 1369194845*x^107 + 328165402*x^106 + 1792110161*x^105 + 798151427*x^104 + 954952187*x^103 + 471555401*x^102 + 68969853*x^101 + 453598910*x^100 + 2458706380*x^99 + 889221741*x^98 + 320515821*x^97 + 1549538476*x^96 + 909607400*x^95 + 499973742*x^94 + 552728308*x^93 + 1538610725*x^92 + 186272117*x^91 + 862153635*x^90 + 981463824*x^89 + 2400233482*x^88 + 1742475067*x^87 + 437801940*x^86 + 1504315277*x^85 + 1756497351*x^84 + 197089583*x^83 + 2082285292*x^82 + 109369793*x^81 + 2197572728*x^80 + 107235697*x^79 + 567322310*x^78 + 1755205142*x^77 + 1089091449*x^76 + 1993836978*x^75 + 2393709429*x^74 + 170647828*x^73 + 1205814501*x^72 + 2444570340*x^71 + 328372190*x^70 + 1929704306*x^69 + 717796715*x^68 + 1057597610*x^67 + 482243092*x^66 + 277530014*x^65 + 2393168828*x^64 + 12380707*x^63 + 1108646500*x^62 + 637721571*x^61 + 604983755*x^60 + 1142068056*x^59 + 1911643955*x^58 + 1713852330*x^57 + 1757273231*x^56 + 1778819295*x^55 + 957146826*x^54 + 900005615*x^53 + 521467961*x^52 + 1255707235*x^51 + 861871574*x^50 + 397953653*x^49 + 1259753202*x^48 + 471431762*x^47 + 1245956917*x^46 + 1688297180*x^45 + 1536178591*x^44 + 1833258462*x^43 + 1369087493*x^42 + 459426544*x^41 + 418389643*x^40 + 1800239647*x^39 + 2467433889*x^38 + 477713059*x^37 + 1898813986*x^36 + 2202042708*x^35 + 894088738*x^34 + 1204601190*x^33 + 1592921228*x^32 + 2234027582*x^31 + 1308900201*x^30 + 461430959*x^29 + 718926726*x^28 + 2081988029*x^27 + 1337342428*x^26 + 2039153142*x^25 + 1364177470*x^24 + 613659517*x^23 + 853968854*x^22 + 1013582418*x^21 + 1167857934*x^20 + 2014147362*x^19 + 1083466865*x^18 + 1091690302*x^17 + 302196939*x^16 + 1946675573*x^15 + 2450124113*x^14 + 1199066291*x^13 + 401889502*x^12 + 712045611*x^11 + 1850096904*x^10 + 1808400208*x^9 + 1567687877*x^8 + 2013445952*x^7 + 2435360770*x^6 + 2414019676*x^5 + 2277377050*x^4 + 2148341337*x^3 + 1073721716*x^2 + 1045363399*x + 1809685811
S.<x> = R.quotient(N)
c = 922927962*x^254 + 1141958714*x^253 + 295409606*x^252 + 1197491798*x^251 + 2463440866*x^250 + 1671460946*x^249 + 967543123*x^248 + 119796323*x^247 + 1172760592*x^246 + 770640267*x^245 + 1093816376*x^244 + 196379610*x^243 + 2205270506*x^242 + 459693142*x^241 + 829093322*x^240 + 816440689*x^239 + 648546871*x^238 + 1533372161*x^237 + 1349964227*x^236 + 2132166634*x^235 + 403690250*x^234 + 835793319*x^233 + 2056945807*x^232 + 480459588*x^231 + 1401028924*x^230 + 2231055325*x^229 + 1716893325*x^228 + 16299164*x^227 + 1125072063*x^226 + 1903340994*x^225 + 1372971897*x^224 + 242927971*x^223 + 711296789*x^222 + 535407256*x^221 + 976773179*x^220 + 533569974*x^219 + 501041034*x^218 + 326232105*x^217 + 2248775507*x^216 + 1010397596*x^215 + 1641864795*x^214 + 1365178317*x^213 + 1038477612*x^212 + 2201213637*x^211 + 760847531*x^210 + 2072085932*x^209 + 168159257*x^208 + 70202009*x^207 + 1193933930*x^206 + 1559162272*x^205 + 1380642174*x^204 + 1296625644*x^203 + 1338288152*x^202 + 843839510*x^201 + 460174838*x^200 + 660412151*x^199 + 716865491*x^198 + 772161222*x^197 + 924177515*x^196 + 1372790342*x^195 + 320044037*x^194 + 117027412*x^193 + 814803809*x^192 + 1175035545*x^191 + 244769161*x^190 + 2116927976*x^189 + 617780431*x^188 + 342577832*x^187 + 356586691*x^186 + 695795444*x^185 + 281750528*x^184 + 133432552*x^183 + 741747447*x^182 + 2138036298*x^181 + 524386605*x^180 + 1231287380*x^179 + 1246706891*x^178 + 69277523*x^177 + 2124927225*x^176 + 2334697345*x^175 + 1769733543*x^174 + 2248037872*x^173 + 1899902290*x^172 + 409421149*x^171 + 1223261878*x^170 + 666594221*x^169 + 1795456341*x^168 + 406003299*x^167 + 992699270*x^166 + 2201384104*x^165 + 907692883*x^164 + 1667882231*x^163 + 1414341647*x^162 + 1592159752*x^161 + 28054099*x^160 + 2184618098*x^159 + 2047102725*x^158 + 103202495*x^157 + 1803852525*x^156 + 446464179*x^155 + 909116906*x^154 + 1541693644*x^153 + 166545130*x^152 + 2283548843*x^151 + 2348768005*x^150 + 71682607*x^149 + 484339546*x^148 + 669511666*x^147 + 2110974006*x^146 + 1634563992*x^145 + 1810433926*x^144 + 2388805064*x^143 + 1200258695*x^142 + 1555191384*x^141 + 363842947*x^140 + 1105757887*x^139 + 402111289*x^138 + 361094351*x^137 + 1788238752*x^136 + 2017677334*x^135 + 1506224550*x^134 + 648916609*x^133 + 2008973424*x^132 + 2452922307*x^131 + 1446527028*x^130 + 29659632*x^129 + 627390142*x^128 + 1695661760*x^127 + 734686497*x^126 + 227059690*x^125 + 1219692361*x^124 + 635166359*x^123 + 428703291*x^122 + 2334823064*x^121 + 204888978*x^120 + 1694957361*x^119 + 94211180*x^118 + 2207723563*x^117 + 872340606*x^116 + 46197669*x^115 + 710312088*x^114 + 305132032*x^113 + 1621042631*x^112 + 2023404084*x^111 + 2169254305*x^110 + 463525650*x^109 + 2349964255*x^108 + 626689949*x^107 + 2072533779*x^106 + 177264308*x^105 + 153948342*x^104 + 1992646054*x^103 + 2379817214*x^102 + 1396334187*x^101 + 2254165812*x^100 + 1300455472*x^99 + 2396842759*x^98 + 2398953180*x^97 + 88249450*x^96 + 1726340322*x^95 + 2004986735*x^94 + 2446249940*x^93 + 520126803*x^92 + 821544954*x^91 + 1177737015*x^90 + 676286546*x^89 + 1519043368*x^88 + 224894464*x^87 + 1742023262*x^86 + 142627164*x^85 + 1427710141*x^84 + 1504189919*x^83 + 688315682*x^82 + 1397842239*x^81 + 435187331*x^80 + 433176780*x^79 + 454834357*x^78 + 1046713282*x^77 + 1208458516*x^76 + 811240741*x^75 + 151611952*x^74 + 164192249*x^73 + 353336244*x^72 + 1779538914*x^71 + 1489144873*x^70 + 213140082*x^69 + 1874778522*x^68 + 908618863*x^67 + 1058334731*x^66 + 1706255211*x^65 + 708134837*x^64 + 1382118347*x^63 + 2111915733*x^62 + 1273497300*x^61 + 368639880*x^60 + 1652005004*x^59 + 1977610754*x^58 + 1412680185*x^57 + 2312775720*x^56 + 59793381*x^55 + 1345145822*x^54 + 627534850*x^53 + 2159477761*x^52 + 10450988*x^51 + 1479007796*x^50 + 2082579205*x^49 + 1158447154*x^48 + 126359830*x^47 + 393411272*x^46 + 2343384236*x^45 + 2191577465*x^44 + 1281188680*x^43 + 230049708*x^42 + 539600199*x^41 + 1711135601*x^40 + 1659775448*x^39 + 1716176055*x^38 + 904363231*x^37 + 2385749710*x^36 + 567278351*x^35 + 404199078*x^34 + 372670353*x^33 + 1286079784*x^32 + 1744355671*x^31 + 2316856064*x^30 + 2106475476*x^29 + 614988454*x^28 + 2149964943*x^27 + 1065233185*x^26 + 188130174*x^25 + 540415659*x^24 + 1031409799*x^23 + 1067085678*x^22 + 1005161755*x^21 + 249654085*x^20 + 1816791634*x^19 + 1437500292*x^18 + 448596413*x^17 + 2397497659*x^16 + 2353732701*x^15 + 2068949189*x^14 + 1826419168*x^13 + 1265366199*x^12 + 547031306*x^11 + 1016962374*x^10 + 160089486*x^9 + 2264803979*x^8 + 1081806194*x^7 + 824215340*x^6 + 497731793*x^5 + 45017166*x^4 + 317548920*x^3 + 1391127733*x^2 + 1752881284*x + 1290424106
P, Q = N.factor()
P, Q = P[0], Q[0]
phi = (p**P.degree()-1)*(p**Q.degree()-1)
e = 0x10001
d = inverse_mod(e, phi)
m = c^d
m = "".join([chr(c) for c in m.list()])
print(m)
if __name__ == '__main__':
main()
unusualrsa4
费马小定理
exp
from Crypto.Util.number import *
from gmpy2 import *
from itertools import *
q_1 = 113350138578125471637271827037682321496361317426731366252238155037440385105997423113671392038498349668206564266165641194668802966439465128197299073392773586475372002967691512324151673246253769186679521811837698540632534357656221715752733588763108463093085549826122278822507051740839450621887847679420115044512
d = 27451162557471435115589774083548548295656504741540442329428952622804866596982747294930359990602468139076296433114830591568558281638895221175730257057177963017177029796952153436494826699802526267315286199047856818119832831065330607262567182123834935483241720327760312585050990828017966534872294866865933062292893033455722786996125448961180665396831710915882697366767203858387536850040283296013681157070419459208544201363726008380145444214578735817521392863391376821427153094146080055636026442795625833039248405951946367504865008639190248509000950429593990524808051779361516918410348680313371657111798761410501793645137
c = 619543409290228183446186073184791934402487500047968659800765382797769750763696880547221266055431306972840980865602729031475343233357485820872268765911041297456664938715949124290204230537793877747551374176167292845717246943780371146830637073310108630812389581197831196039107931968703635129091224513813241403591357678410312272233389708366642638825455844282490676862737715585788829936919637988039113463707959069907015464745700766013573282604376277598510224455044288896809217461295080140187509519005245601483583507547733673523120385089098002298314719617693895392148294399937798485146568296114338393548124451378170302291
e = 0x10001
for k in range(1, e):
# 枚举phi
t = e * d - 1
if t % k == 0:
phi = t // k
kp = q_1 * phi - q_1 + 1
x1 = pow(3, phi, kp) - 1
x2 = pow(5, phi, kp) - 1
x = gcd(x1, x2)
if x.bit_length() == 1024:
p = x
q = invert(q_1, p)
n, phi = p*q, (p-1)*(q-1)
assert d == invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
break
unusualrsa5
中国剩余定理
有限域上求r-th root :Adleman-Manders-Miller algorithm (AMM) 和Cipolla-Lehmer algorithm (CL)
exp
#解剩余定理,r=[余数],m=[模数]
def crt(r, m):
from functools import reduce
from Crypto.Util.number import inverse
from operator import mul
assert len(r) == len(m)
M = reduce(lambda x,y:x*y, m)
#M = [M//mi for mi in m]
t = [inverse(M//x,x)*(M//x) for x in m]
res = sum(map(mul,r,t)) % M
return res
#求解x^e = c mod p^order
def nthRoot_amm(c,e,p,order=1):
from gmpy2 import is_prime
from Crypto.Util.number import getRandomRange, inverse, GCD
assert is_prime(p) and is_prime(e) and (p-1)%e==0
cp = c%p**order if c>p**order else c
phi = (p - 1) * p**(order-1)
mod = p**order
for i in range(9999):
rho = getRandomRange(1, mod)
if pow(rho, phi // e, mod) != 1:
#print(f'i = {i}')
break
s = phi
t = 0
while s % e == 0:
s //= e
t += 1
assert GCD(s, e) == 1
#print(f't = {t} ')
alpha = inverse(e, s)
a = pow(rho, s*e**(t-1), mod)
b = pow(cp, e*alpha-1, mod)
c = pow(rho, s, mod)
h = 1
for i in range(1, t):
d = pow(b, e**(t-1-i), mod)
if d == 1:
j = 0
else:
j = e - next(filter(lambda x: pow(a,x,mod)==d, range(e)))
b = b * pow(c, e*j, mod) % mod
h = h * pow(c, j, mod) % mod
c = pow(c, e, mod)
root = pow(cp, alpha, mod) * h % mod
#找到其它根
from gmpy2 import next_prime
all_roots = set()
all_roots.add(root)
g = 3
while len(all_roots) < e:
newRoot = root
g = int(next_prime(g))
u = pow(g, phi//e, mod)
for i in range(e-1):
newRoot = (newRoot * u) % mod
all_roots.add(newRoot)
return list(all_roots)
def expUnrsa5():
from Crypto.Util.number import GCD, long_to_bytes
from itertools import product
from gmpy2 import iroot
e = 0x14
p = 733089589724903586073820965792963746076789390539824437962807679954808310072656817423828613938510684864567664345751164944269489647964227519307980688068059059377123391499328155025962198363435968318689113750910755244276996554328840879221120846257832190569086861774466785101694608744384540722995426474322431441
q = 771182695213910447650732428220054698293987458796864628535794956332865106301119308051373568460701145677164052375651484670636989109023957702790185901445649197004100341656188532246838220216919835415376078688888076677350412398198442910825884505318258393640994788407100699355386681624118606588957344077387058721
n = p*q
c = 406314720119562590605554101860453913891646775958515375190169046313074168423687276987576196367702523895650602252851191274766072774312855212771035294337840170341052016067631007495713764510925931612800335613551752201920460877432379214684677593342046715833439574705829048358675771542989832566579493199671622475225225451781214904100440695928239014046619329247750637911015313431804069312072581674845078940868349474663382442540424342613429896445329365750444298236684237769335405534090013035238333534521759502103604033307768304224154383880727399879024077733935062478113298538634071453067782212909271392163928445051705642
print('gcd(e,p-1)',GCD(e,p-1))
print('gcd(e,q-1',GCD(e,q-1))
e1 = 5
cp1 = nthRoot_amm(c,e1,p)
cq1 = nthRoot_amm(c,e1,q)
cp1 = [nthRoot_amm(x,2,p) for x in cp1]
cq1 = [nthRoot_amm(x,2,q) for x in cq1]
mp = []
mq = []
for cp in cp1:
for cpp in cp:
mp.extend(nthRoot_amm(cpp,2,p))
for cq in cq1:
for cqq in cq:
mq.extend(nthRoot_amm(cqq,2,q))
for m1,m2 in product(mp,mq):
m = crt([m1,m2],[p,q])
flag = long_to_bytes(m)
if b'flag' in flag:
print(flag)
break
if __name__ == '__main__':
expUnrsa5()
852
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
