共计 18529 个字符,预计需要花费 47 分钟才能阅读完成。
copperstudy — coppersmith
解题脚本
| #coding:utf-8 | |
| import hashlib | |
| from pwn import * | |
| import time | |
| def cha1(s,s256): | |
| ss = '' | |
| for i in range(5): | |
| ss = ss + chr(int((s[2 * i] + s[2 * i + 1]),16)) | |
| for i in range(0,256): | |
| for j in range(0,256): | |
| for h in range(0,256): | |
| a = ss + chr(i) + chr(j) + chr(h) | |
| if hashlib.sha256(a).hexdigest() == s256: | |
| return a.encode('hex') | |
| if __name__ == '__main__': | |
| ip = '119.3.245.36' | |
| port = 12345 | |
| teamtoken = 'dde3f26577d8d7816378038885943de1' | |
| s = remote(ip,port) | |
| s.recvuntil('[+]hashlib.sha256(skr).hexdigest()=') | |
| d256 = s.recvline() | |
| s.recvuntil("[+]skr[0:5].encode('hex')=") | |
| d = s.recvline() | |
| data = cha1(d.strip(),d256.strip()) | |
| s.recvuntil("[-]skr.encode('hex')=") | |
| s.sendline(data) | |
| s.recvuntil("[+]teamtoken:") | |
| s.sendline(teamtoken) | |
| time.sleep(2)#challenge1 -- Known High Bits Message Attack | |
| m = '858be94f2f6253ac4586da573086221c8256bf7fe7c7f6d0d4e459fd28abf8883cfa225f5cbb519d2c8e0427aab1dc03979886ac104018ddec85e8edb7bbc590' | |
| s.recvuntil("_bytes(m).encode('hex')=") | |
| s.sendline(m) | |
| time.sleep(2) | |
| #challenge2 -- Factoring with High Bits Known | |
| m2 = "7e2a3378b47f389134bda8811e253ace33c6978fbb5d0022ab312cf1f5246648516b320bf749e71a1d8cbdcab64fdb5ce8159022ea96484949152d31a9f17665" | |
| s.recvuntil("_bytes(m).encode('hex')=") | |
| s.sendline(m2) | |
| time.sleep(2) | |
| #challenge3 -- Patial Key Exposure Attack | |
| m3 = "86ee347cbeec999564c0615d33ea5e3cfb5e66f5d00b172194c0f86915de3ff19d2dffc2217caaa608ea6556b18e8f420fc1b287871475a0cd5c8f2d97e4c12c" | |
| s.recvuntil("_bytes(m).encode('hex')=") | |
| s.sendline(m3) | |
| time.sleep(4) | |
| #challenge4 -- Basic Broadcast Attack | |
| m4 = "380185242a03c9d6ca7a2e117490ebaf03a493b1250f4e248c732c2714eb6b9fd2fa4c90a4f1d8120ffbafb3b7fda85fff46a67a1da3e316392ec267e1fa7c27" | |
| s.recvuntil("_bytes(m).encode('hex')=") | |
| s.sendline(m4) | |
| time.sleep(20) | |
| #challenge5 -- Related Message Attack | |
| m5 = "0811b179ddbc246fc00ad94b6251c818e331941732fdfce9979c015ca7f0ec873641338c5814f3e8e50dfab04bd6aa0689334b517de10d7bac398aef23f929b3" | |
| s.sendlineafter("[-]long_to_bytes(m).encode('hex')=",m5) | |
| time.sleep(4) | |
| #challenge6 -- Boneh and Durfee attack | |
| m6 = "6b3bb0cdc72a7f2ce89902e19db0fb2c0514c76874b2ca4113b86e6dc128d44cc859283db4ca8b0b5d9ee35032aec8cc8bb96e8c11547915fc9ef05aa2d72b28" | |
| s.sendlineafter("[-]long_to_bytes(m).encode('hex')=",m6) | |
| time.sleep(4) | |
| print s.recv() |
challenge1 — Known High Bits Message Attack
| [++++++++++++++++]proof completed[++++++++++++++++] | |
| [+]Generating challenge 1 | |
| [+]n=0x331e53d1808798def926bc2c8081b3a959cec19c04ad6dd3a25357b5e3889dc0bbb8618b80ddecca89494eec6015080cf4402fcef0971f76d978c517ab1e3019ae65fdc443a99036d4adcda780dd662ae3eb5d3c6ce68adfe38137689df75a6196a7a6dc94a681dfb5437439c810416112b250402f53eb2341df2145c569c135L | |
| [+]e=3 | |
| [+]m=random.getrandbits(512) | |
| [+]c=pow(m,e,n)=0xab7b8544dc18a13c221d33b8ea84ee69ea3c74a1ce123e6f0a565e6afaff3d2682dfa254170a1200d66e9c017727c43b3c1af221f81d90598741454f68448cef4128ff56bb9929ffd3edaaa8069c08293463ad20486b6e6bee654ab471a3b364122d41f4570f6aa1084eb1eda5eebde1436a488e0390f8057df835f323802d4L | |
| [+]((m>>72)<<72)=0x858be94f2f6253ac4586da573086221c8256bf7fe7c7f6d0d4e459fd28abf8883cfa225f5cbb519d2c8e0427aab1dc03979886ac104018000000000000000000L | |
| [-]long_to_bytes(m).encode('hex')= |
题目给了明文的高位部分
| n = | |
| e = 3 | |
| m = randrange(n) | |
| c = pow(m, e, n) | |
| beta = 1 | |
| epsilon = beta^2/7 | |
| nbits = n.nbits() | |
| kbits = floor(nbits*(beta^2/e-epsilon)) | |
| #mbar = m & (2^nbits-2^kbits) | |
| mbar = | |
| c = | |
| print“upper %d bits (of %d bits) is given”% (nbits-kbits, nbits) | |
| PR.<x> = PolynomialRing(Zmod(n)) | |
| f = (mbar + x)^e – c | |
| print m | |
| x0 = f.small_roots(X=2^kbits, beta=1)[0] # find root < 2^kbits with factor = n | |
| print mbar + x0 | |
| print x0 |
challenge2 — Factoring with High Bits Known
| [++++++++++++++++]challenge 1 completed[++++++++++++++++] | |
| [+]Generating challenge 2 | |
| [+]n=0x116c51f73ef1c6b3b890dd8be446b80ac1dbe93742348e1284a7fdf0c76604ceae72011918f18de6b0ab873500ef2ed351110b67acce5b8c48a750a376c3e0117c44ec58e84e35f2ebf0e553b718720952dc826e364f130c2839c76878e0bfb3be0f24b06b3d91f1655e7ce588d2a3c429901197012db4d8b802308072bfca3fL | |
| [+]e=65537 | |
| [+]m=random.getrandbits(512) | |
| [+]c=pow(m,e,n)=0x8d8fba82b1ca4e8a6e87b1ed5d50a9e6e49b3fb2aed78208e8c513842dedb5f14b82b39e03ea86089e76b59ff7bec0f6647096098346dcf64c7d1aaf533f99827fd9979dee217c511a3192e99a70d4fcd6aa44b2cf52a1ceddf99db42cbf2872e7e2ed421a4a9ff548bef6dfdad7ef17b09748bdf0025dfb93091e11115ebd4L | |
| [+]((p>>128)<<128)=0x2bff4035e24f2023f876abaf53ef53374d0208d59d4350a1cf356050c3a09cfc644d9c46cb59f013fadd96bea4a56dd100000000000000000000000000000000L | |
| [-]long_to_bytes(m).encode('hex')= |
| n=0x985CBA74B3AFCF36F82079DE644DE85DD6658A2D3FB2D5C239F2657F921756459E84EE0BBC56943DE04F2A04AACE311574BE1E9391AC5B0F8DBB999524AF8DF2451A84916F6699E54AE0290014AFBF561B0E502CA094ADC3D9582EA22F857529D3DA79737F663A95767FDD87A9C19D8104A736ACBE5F4A25B2A25B4DF981F44DB2EB7F3028B1D1363C3A36F0C1B9921C7C06848984DFE853597C3410FCBF9A1B49C0F5CB0EEDDC06D722A0A7488F893D37996F9A92CD3422465F49F3035FEA6912589EFCFB5A4CF9B69C81B9FCC732D6E6A1FFCE9690F34939B27113527ABB00878806B229EC6570815C32BC2C134B0F56C21A63CA535AB467593246508CA9F9 | |
| p=0xBCF6D95C9FFCA2B17FD930C743BCEA314A5F24AE06C12CE62CDB6E8306A545DE468F1A23136321EB82B4B8695ECE58B763ECF8243CBBFADE0603922C130ED143D4D3E88E483529C820F7B53E4346511EB14D4D56CB2B714D3BDC9A2F2AB655993A31E0EB196E8F63028F9B29521E9B3609218BA0000000000000000000000000 | |
| p_fake = p+0x10000000000000000000000000 | |
| pbits = 1024 | |
| kbits = pbits-576 | |
| pbar = p_fake & (2^pbits-2^kbits) | |
| print "upper %d bits (of %d bits) is given" % (pbits-kbits, pbits) | |
| PR.<x> = PolynomialRing(Zmod(n)) | |
| f = x + pbar | |
| x0 = f.small_roots(X=2^kbits, beta=0.4)[0] # find root < 2^kbits with factor >= n^0.4 | |
| print x0 + pbar |
challenge3 — Patial Key Exposure Attack
| [++++++++++++++++]challenge 2 completed[++++++++++++++++] | |
| [+]Generating challenge 3 | |
| [+]n=0x56705388192a25439c7ec9f826467255aeac3a1991b0a5804e8cbe01d4fd33c0accdacc8cb2497969133116d841032cd023f29e4014b0c7619c40ce6e1977308f3587da928fe7c103e8fd68c0e909d229e68c23879c010f88dca4481af1c7030466edc93898b12f31dba9e7aa513fb1fd84c3d1d028cc068160501dafa1d54bL | |
| [+]e=3 | |
| [+]m=random.getrandbits(512) | |
| [+]c=pow(m,e,n)=0xcbe7d8021fa02b92239521aeaaf76b2d9553b6b738c79a2c31ef9dcef7875d5bde76f5ebb318660761090869c02c182a29516482e5daf090df76d10eab9398ede85a00d47abb3e27f6a87f8c0928e18c778efb3b6a02acb52257369cbc7e3015bda888e50d5586a34a5554df1f5f0e4cb0b8e9dd442ed939f610d18731be3L | |
| [+]d=invmod(e,(p-1)*(q-1)) | |
| [+]d&((1<<512)-1)=0xd74e2c4973ea6530620197a999a7a78d85a3029dfe8931397ee15b480c2f77b5042938e2f58f60e9c44e4f8d911b661b42dac0dbc0c1513773f870916b2418abL | |
| [-]long_to_bytes(m).encode('hex')= |
| def partial_p(p0, kbits, n): | |
| PR.<x> = PolynomialRing(Zmod(n)) | |
| nbits = n.nbits() | |
| f = 2^kbits*x + p0 | |
| f = f.monic() | |
| roots = f.small_roots(X=2^(nbits//2-kbits), beta=0.3) # find root < 2^(nbits//2-kbits) with factor >= n^0.3 | |
| if roots: | |
| x0 = roots[0] | |
| p = gcd(2^kbits*x0 + p0, n) | |
| return ZZ(p) | |
| def find_p(d0, kbits, e, n): | |
| X = var('X') | |
| for k in xrange(1, e+1): | |
| results = solve_mod([e*d0*X - k*X*(n-X+1) + k*n == X], 2^kbits) | |
| for x in results: | |
| p0 = ZZ(x[0]) | |
| p = partial_p(p0, kbits, n) | |
| if p: | |
| return p | |
| if __name__ == '__main__': | |
| n = 0x56705388192a25439c7ec9f826467255aeac3a1991b0a5804e8cbe01d4fd33c0accdacc8cb2497969133116d841032cd023f29e4014b0c7619c40ce6e1977308f3587da928fe7c103e8fd68c0e909d229e68c23879c010f88dca4481af1c7030466edc93898b12f31dba9e7aa513fb1fd84c3d1d028cc068160501dafa1d54b | |
| e = 3 | |
| d = 0xd74e2c4973ea6530620197a999a7a78d85a3029dfe8931397ee15b480c2f77b5042938e2f58f60e9c44e4f8d911b661b42dac0dbc0c1513773f870916b2418ab | |
| beta = 0.5 | |
| epsilon = beta^2/7 | |
| nbits = n.nbits() | |
| kbits = floor(nbits*(beta^2+epsilon)) | |
| d0 = d & (2^kbits-1) | |
| print "lower %d bits (of %d bits) is given" % (kbits, nbits) | |
| p = find_p(d0, kbits, e, n) | |
| print "found p: %d" % p | |
| q = n//p | |
| print d | |
| print inverse_mod(e, (p-1)*(q-1)) | |
| lower 291 bits (of 1019 bits) is given | |
| found p: 1556928330519222949185052385205770511398851299027067030656737931164636055914888549373041706626311467428902396847671677538586996128733508490246169051729867 | |
| 11276456863053049846778143161914757923513133539274086554204762345263769886584929828068603961625809916094813748871857226391606896679593696242167359171991723 | |
| 2529140489407550411860842517642709534323596281579020017754223390342047118996108186564106911103882855078009689932113065210547912624644857741988858283570121514938039297592621259739497542591992130948345362969430345095193882648382370898025817668567519357247651572797940766217498405274704879818312077507052181675 |
challenge4 — Basic Broadcast Attack
| [++++++++++++++++]challenge 3 completed[++++++++++++++++] | |
| [+]Generating challenge 4 | |
| [+]e=3 | |
| [+]m=random.getrandbits(512) | |
| [+]n1=0x9c94fecac76f9c5524d994d51efc1f02ad40fcf9cd5409d7c9f86a9f10e31b6c73d8bc02df743fea939acbcf9f81a748914fce0f8df1155c0f29faac38bd70b322eb7bc69c130720bdcb2ad2cbb84ad182b36e93170d81cb3a68969c850519e86b6a3676534cdbe85c9429c058230d58527d8028c134d6078cbb89faa071848fL | |
| [+]c1=pow(m,e,n1)=0x5e3b988abb38c33e145bbc16f56ec192253d26cc053d4f78e073d0d035eda4ea91f33ec7f7cd1a56165cae95a86e0a4edabb83743966b3a4621bb33753aec5fa4b1c6d80e0d404c19c6659c8ff6dc4f5539a5dbae659ca4f24f4c53a65c5c42bf9de04852c098841d2affe83c59be99b6ecd857e232cb008c657e1f55137bf06L | |
| [+]n2=0x409a8a39fcb302f0660f0a85b6d43636dce5b4797b6f3ef0b4972f70b6e0c74038c55ba50e0c918057e9ceaee024ae81da2faede8b5b66caae6892943a8892ad98b1f6f208b8b5ded753e6b8c6b94c5faf67314384f3f26e3dca579237893f098c90b0f8b80692aed4606947d656b74b69444ba0dc24b9c66a339f7a50f52783L | |
| [+]c2=pow(m,e,n2)=0xc5381d89ca5be27f43c30dbc395ce0d5b8a69adb80dc05d7f5d8dffc1b2fb76d2ab656f5659b9280c9cac83addcc0eb58e86f8e07a37f28b0500ab75bde4eb2b2e6631eeeb6bbe146c889b2ac6046864977aaee7292676fdbd4fb987940a83a94c3d04aef256b50d304d945528c69866acf591f914c0e50e012734827143ed7L | |
| [+]n3=0x56a700d8f04da68c6cdb08e04a0cb2fa332389e10c1a3c94b220cb39144fc971c804ab02637303866040c13814194d863814453eec48db6136741d3a599cf890c678114b65dc60da2bbd29651bd0148f8949d69c4b18460ad0e1908eba384a1b51041e41caf70fed285fb34a8e56f04487d6d8b5d88f2a88d88565ef6757a697L | |
| [+]c3=pow(m,e,n3)=0x73e58f11dd9f637a7a7c05f6223ee95cb6d34a77583bfc6ca675955d51dd15ff4561654264e9985fcb2e87e3ddda7d6d7620cee80a1f2c20944d5d6f456a3e892f74b6745ddecbe3447825bf44344fc9e0839bdaebcca8352075675ffc8fee8c3698a87f3110f4004fea88c3faf05e5a527854e759e315b487b49e8ff9510cbL | |
| [-]long_to_bytes(m).encode('hex')= |
| import gmpy2 | |
| import libnum | |
| e=3 | |
| n_0=0x9c94fecac76f9c5524d994d51efc1f02ad40fcf9cd5409d7c9f86a9f10e31b6c73d8bc02df743fea939acbcf9f81a748914fce0f8df1155c0f29faac38bd70b322eb7bc69c130720bdcb2ad2cbb84ad182b36e93170d81cb3a68969c850519e86b6a3676534cdbe85c9429c058230d58527d8028c134d6078cbb89faa071848f | |
| ct_0=0x5e3b988abb38c33e145bbc16f56ec192253d26cc053d4f78e073d0d035eda4ea91f33ec7f7cd1a56165cae95a86e0a4edabb83743966b3a4621bb33753aec5fa4b1c6d80e0d404c19c6659c8ff6dc4f5539a5dbae659ca4f24f4c53a65c5c42bf9de04852c098841d2affe83c59be99b6ecd857e232cb008c657e1f55137bf06 | |
| n_1=0x409a8a39fcb302f0660f0a85b6d43636dce5b4797b6f3ef0b4972f70b6e0c74038c55ba50e0c918057e9ceaee024ae81da2faede8b5b66caae6892943a8892ad98b1f6f208b8b5ded753e6b8c6b94c5faf67314384f3f26e3dca579237893f098c90b0f8b80692aed4606947d656b74b69444ba0dc24b9c66a339f7a50f52783 | |
| ct_1=0xc5381d89ca5be27f43c30dbc395ce0d5b8a69adb80dc05d7f5d8dffc1b2fb76d2ab656f5659b9280c9cac83addcc0eb58e86f8e07a37f28b0500ab75bde4eb2b2e6631eeeb6bbe146c889b2ac6046864977aaee7292676fdbd4fb987940a83a94c3d04aef256b50d304d945528c69866acf591f914c0e50e012734827143ed7 | |
| n_2=0x56a700d8f04da68c6cdb08e04a0cb2fa332389e10c1a3c94b220cb39144fc971c804ab02637303866040c13814194d863814453eec48db6136741d3a599cf890c678114b65dc60da2bbd29651bd0148f8949d69c4b18460ad0e1908eba384a1b51041e41caf70fed285fb34a8e56f04487d6d8b5d88f2a88d88565ef6757a697 | |
| ct_2=0x73e58f11dd9f637a7a7c05f6223ee95cb6d34a77583bfc6ca675955d51dd15ff4561654264e9985fcb2e87e3ddda7d6d7620cee80a1f2c20944d5d6f456a3e892f74b6745ddecbe3447825bf44344fc9e0839bdaebcca8352075675ffc8fee8c3698a87f3110f4004fea88c3faf05e5a527854e759e315b487b49e8ff9510cb | |
| N_012 = n_0 * n_1 * n_2 | |
| # n1 * n2 | |
| m_s_0 = n_1 * n_2 | |
| # n0 * n2 | |
| m_s_1 = n_0 * n_2 | |
| # n0 * n1 | |
| m_s_2 = n_0 * n_1 | |
| crt = libnum.solve_crt([ct_0,ct_1,ct_2], [n_0,n_1,n_2]) | |
| c_0 = crt % n_0 | |
| c_1 = crt % n_1 | |
| c_2 = crt % n_2 | |
| result = ((c_0 * m_s_0 * libnum.invmod(m_s_0, n_0)) + (c_1 * m_s_1 * libnum.invmod(m_s_1, n_1)) + (c_2 * m_s_2 * libnum.invmod(m_s_2, n_2))) % N_012 | |
| pt = libnum.nroot(result, 3) | |
| print libnum.n2s(pt).encode('hex') | |
| #380185242a03c9d6ca7a2e117490ebaf03a493b1250f4e248c732c2714eb6b9fd2fa4c90a4f1d8120ffbafb3b7fda85fff46a67a1da3e316392ec267e1fa7c27 |
challenge5 — Related Message Attack
| [++++++++++++++++]challenge 4 completed[++++++++++++++++] | |
| [+]Generating challenge 5 | |
| [+]n=0x1bda683489ec09b15aa5ab9356db56e8586f03879e19bf4b2316b56332fd2d994ae8682d121373b21771eda5246b3565c52266e83bada43723bb8f4457d712f339d350d02bcd257923fb6b7ad265bafd4b9429943ba56f0d27b123962adf60b809f886a090e3472abe01e194dbc3ec1ecba2550d695e771d3f0edb9ada77f29L | |
| [+]e=3 | |
| [+]m=random.getrandbits(512) | |
| [+]c=pow(m,e,n)=0x22573b528e5ca137dc93b7f17f04d4efbf82124215a9c28ae6823fe5c7b6fb5eb5d328d9f6dbf73f88f59add74630d0721a822f8fb884b314f4c45aae1358fc8a19c59bbc370463541d58bd9cda1d77575a443cfbd85bdba48ae3e01642811a0b9824e3c8df8c02caed7a0606ceb6695dca7372e4291c60a98ed56b9442434L | |
| [+]x=pow(m+1,e,n)=0xe5ac2d53cd385143472febb8d7ba4acb7697bd494ef9ea0d165dd2ba7e451d803e45076ded5ef44bec0b72052b932348a50f0c66c6641159518f5137140a4db9fc497982930801715468932913e257f8b2abe287244d1d087c0ecf679cb46b1957bef678dee094d650a97d5a9d53cab80986571d890fbcd024528d6a321ac9L | |
| [-]long_to_bytes(m).encode('hex')= |
| import hashlib | |
| import gmpy2 | |
| import libnum | |
| from Crypto.Util.number import * | |
| n = 0x1bda683489ec09b15aa5ab9356db56e8586f03879e19bf4b2316b56332fd2d994ae8682d121373b21771eda5246b3565c52266e83bada43723bb8f4457d712f339d350d02bcd257923fb6b7ad265bafd4b9429943ba56f0d27b123962adf60b809f886a090e3472abe01e194dbc3ec1ecba2550d695e771d3f0edb9ada77f29 | |
| e = 3 | |
| c1 = 0x22573b528e5ca137dc93b7f17f04d4efbf82124215a9c28ae6823fe5c7b6fb5eb5d328d9f6dbf73f88f59add74630d0721a822f8fb884b314f4c45aae1358fc8a19c59bbc370463541d58bd9cda1d77575a443cfbd85bdba48ae3e01642811a0b9824e3c8df8c02caed7a0606ceb6695dca7372e4291c60a98ed56b9442434 | |
| c2 = 0xe5ac2d53cd385143472febb8d7ba4acb7697bd494ef9ea0d165dd2ba7e451d803e45076ded5ef44bec0b72052b932348a50f0c66c6641159518f5137140a4db9fc497982930801715468932913e257f8b2abe287244d1d087c0ecf679cb46b1957bef678dee094d650a97d5a9d53cab80986571d890fbcd024528d6a321ac9 | |
| a = 1 | |
| b = -1 | |
| padding2 = 1 | |
| def getM2(a,b,c1,c2,n): | |
| a3 = pow(a,3,n) | |
| b3 = pow(b,3,n) | |
| first = c1-a3*c2+2*b3 | |
| first = first % n | |
| second = 3*b*(a3*c2-b3) | |
| second = second % n | |
| third = second*gmpy2.invert(first,n) | |
| third = third % n | |
| fourth = (third+b)*gmpy2.invert(a,n) | |
| return fourth % n | |
| m = getM2(a,b,c1,c2,n)-padding2 | |
| print "m==\n" + hex(m) + "\n" | |
| #print m | |
| c = pow(m,e,n) | |
| #print hex(c) | |
| if c == c1: | |
| print "yeah" |
challenge6 — Boneh and Durfee attack
| [++++++++++++++++]challenge 5 completed[++++++++++++++++] | |
| [+]Generating challenge 6 | |
| [+]n=0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27L | |
| [+]d=random.getrandbits(1024*0.270) | |
| [+]e=invmod(d,phin) | |
| [+]hex(e)=0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bbL | |
| [+]m=random.getrandbits(512) | |
| [+]c=pow(m,e,n)=0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866cL | |
| [-]long_to_bytes(m).encode('hex')= |
GitHub 开源项目 RSA-and-LLL-attacks
解密可得
| import gmpy2 | |
| import libnum | |
| e=3 | |
| n_0=0x9c94fecac76f9c5524d994d51efc1f02ad40fcf9cd5409d7c9f86a9f10e31b6c73d8bc02df743fea939acbcf9f81a748914fce0f8df1155c0f29faac38bd70b322eb7bc69c130720bdcb2ad2cbb84ad182b36e93170d81cb3a68969c850519e86b6a3676534cdbe85c9429c058230d58527d8028c134d6078cbb89faa071848f | |
| ct_0=0x5e3b988abb38c33e145bbc16f56ec192253d26cc053d4f78e073d0d035eda4ea91f33ec7f7cd1a56165cae95a86e0a4edabb83743966b3a4621bb33753aec5fa4b1c6d80e0d404c19c6659c8ff6dc4f5539a5dbae659ca4f24f4c53a65c5c42bf9de04852c098841d2affe83c59be99b6ecd857e232cb008c657e1f55137bf06 | |
| n_1=0x409a8a39fcb302f0660f0a85b6d43636dce5b4797b6f3ef0b4972f70b6e0c74038c55ba50e0c918057e9ceaee024ae81da2faede8b5b66caae6892943a8892ad98b1f6f208b8b5ded753e6b8c6b94c5faf67314384f3f26e3dca579237893f098c90b0f8b80692aed4606947d656b74b69444ba0dc24b9c66a339f7a50f52783 | |
| ct_1=0xc5381d89ca5be27f43c30dbc395ce0d5b8a69adb80dc05d7f5d8dffc1b2fb76d2ab656f5659b9280c9cac83addcc0eb58e86f8e07a37f28b0500ab75bde4eb2b2e6631eeeb6bbe146c889b2ac6046864977aaee7292676fdbd4fb987940a83a94c3d04aef256b50d304d945528c69866acf591f914c0e50e012734827143ed7 | |
| n_2=0x56a700d8f04da68c6cdb08e04a0cb2fa332389e10c1a3c94b220cb39144fc971c804ab02637303866040c13814194d863814453eec48db6136741d3a599cf890c678114b65dc60da2bbd29651bd0148f8949d69c4b18460ad0e1908eba384a1b51041e41caf70fed285fb34a8e56f04487d6d8b5d88f2a88d88565ef6757a697 | |
| ct_2=0x73e58f11dd9f637a7a7c05f6223ee95cb6d34a77583bfc6ca675955d51dd15ff4561654264e9985fcb2e87e3ddda7d6d7620cee80a1f2c20944d5d6f456a3e892f74b6745ddecbe3447825bf44344fc9e0839bdaebcca8352075675ffc8fee8c3698a87f3110f4004fea88c3faf05e5a527854e759e315b487b49e8ff9510cb | |
| N_012 = n_0 * n_1 * n_2 | |
| # n1 * n2 | |
| m_s_0 = n_1 * n_2 | |
| # n0 * n2 | |
| m_s_1 = n_0 * n_2 | |
| # n0 * n1 | |
| m_s_2 = n_0 * n_1 | |
| crt = libnum.solve_crt([ct_0,ct_1,ct_2], [n_0,n_1,n_2]) | |
| c_0 = crt % n_0 | |
| c_1 = crt % n_1 | |
| c_2 = crt % n_2 | |
| result = ((c_0 * m_s_0 * libnum.invmod(m_s_0, n_0)) + (c_1 * m_s_1 * libnum.invmod(m_s_1, n_1)) + (c_2 * m_s_2 * libnum.invmod(m_s_2, n_2))) % N_012 | |
| pt = libnum.nroot(result, 3) | |
| print libnum.n2s(pt).encode('hex') | |
| def getM2(a,b,c1,c2,n): | |
| a3 = pow(a,3,n) | |
| b3 = pow(b,3,n) | |
| first = c1-a3*c2+2*b3 | |
| first = first % n | |
| second = 3*b*(a3*c2-b3) | |
| second = second % n | |
| third = second*gmpy2.invert(first,n) | |
| third = third % n | |
| fourth = (third+b)*gmpy2.invert(a,n) | |
| return fourth % n | |
| m = getM2(a,b,c1,c2,n)-padding2 | |
| print libnum.n2s(m) |
| import hashlib | |
| import gmpy2 | |
| import libnum | |
| from Crypto.Util.number import * | |
| n = 0x1bda683489ec09b15aa5ab9356db56e8586f03879e19bf4b2316b56332fd2d994ae8682d121373b21771eda5246b3565c52266e83bada43723bb8f4457d712f339d350d02bcd257923fb6b7ad265bafd4b9429943ba56f0d27b123962adf60b809f886a090e3472abe01e194dbc3ec1ecba2550d695e771d3f0edb9ada77f29 | |
| e = 3 | |
| c1 = 0x22573b528e5ca137dc93b7f17f04d4efbf82124215a9c28ae6823fe5c7b6fb5eb5d328d9f6dbf73f88f59add74630d0721a822f8fb884b314f4c45aae1358fc8a19c59bbc370463541d58bd9cda1d77575a443cfbd85bdba48ae3e01642811a0b9824e3c8df8c02caed7a0606ceb6695dca7372e4291c60a98ed56b9442434 | |
| c2 = 0xe5ac2d53cd385143472febb8d7ba4acb7697bd494ef9ea0d165dd2ba7e451d803e45076ded5ef44bec0b72052b932348a50f0c66c6641159518f5137140a4db9fc497982930801715468932913e257f8b2abe287244d1d087c0ecf679cb46b1957bef678dee094d650a97d5a9d53cab80986571d890fbcd024528d6a321ac9 | |
| a = 1 | |
| b = -1 | |
| padding2 = 1 | |
| def getM2(a,b,c1,c2,n): | |
| a3 = pow(a,3,n) | |
| b3 = pow(b,3,n) | |
| first = c1-a3*c2+2*b3 | |
| first = first % n | |
| second = 3*b*(a3*c2-b3) | |
| second = second % n | |
| third = second*gmpy2.invert(first,n) | |
| third = third % n | |
| fourth = (third+b)*gmpy2.invert(a,n) | |
| return fourth % n | |
| m = getM2(a,b,c1,c2,n)-padding2 | |
| print long_to_bytes(m).encode('hex') | |
| #print m | |
| c = pow(m,e,n) | |
| #print hex(c) | |
| if c == c1: | |
| print "yeah" |
参考链接
http://www.realwz.com/2018/03…
http://inaz2.hatenablog.com/e…
https://findneo.github.io/180…
https://www.cnblogs.com/WangA…
https://code.felinae98.cn/ctf…
https://www.anquanke.com/post…
https://altman.vip/2018/07/23…
正文完
发表至: javascript
2019-07-17
