1. from flag import text,flag
  2. import md5
  3. from Crypto.Util.number import long_to_bytes,bytes_to_long,getPrime
  5. assert md5.new(text).hexdigest() == flag[6:-1]
  7. msg1 = text[:xx]
  8. msg2 = text[xx:yy]
  9. msg3 = text[yy:]
  11. msg1 = bytes_to_long(msg1)
  12. msg2 = bytes_to_long(msg2)
  13. msg3 = bytes_to_long(msg3)
  15. p1 = getPrime(512)
  16. q1 = getPrime(512)
  17. N1 = p1*q1
  18. e1 = 3
  19. print pow(msg1,e1,N1)
  20. print (e1,N1)
  22. p2 = getPrime(512)
  23. q2 = getPrime(512)
  24. N2 = p2*q2
  25. e2 = 17
  26. e3 = 65537
  27. print pow(msg2,e2,N2)
  28. print pow(msg2,e3,N2)
  29. print (e2,N2)
  30. print (e3,N2)
  32. p3 = getPrime(512)
  33. q3 = getPrime(512)
  34. N3 = p3*q3
  35. print pow(msg3,e3,N3)
  36. print (e3,N3)
  37. print p3>>200

代码分为3关,

1.低加密指数攻击e=3

  1. from gmpy2 import iroot
  2. from Crypto.Util.number import *
  3. n = 123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009
  4. e=3
  5. c = 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893
  8. for i in range(10 ** 10):
  9.     res = iroot(n * i + c, e)
  10.     if res[1]:
  11.         print(long_to_bytes(res[0]))
  12.         break

2.共模攻击

  1. import gmpy2
  2. from Crypto.Util.number import *
  4. n = 111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977
  5. e1 = 17
  6. e2 = 65537
  8. c1 = 54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
  9. c2 = 91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950
  11. _, r, s = gmpy2.gcdext(e1, e2)
  13. m = (pow(c1, r, n) * pow(c2, s, n) % n)
  14. print(long_to_bytes(m))

3.已知p高位

这个当初做的时候虽然思路对了,但是脚本找了好久才找到一个能用的,还有就是sage太难装了,顺便放一个在线sage网站:https://sagecell.sagemath.org/

  1. p_3 = 7117286695925472918001071846973900342640107770214858928188419765628151478620236042882657992902
  2. n = 113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147
  4. bits = 512
  5. kbit = bits - p_3.nbits()
  6. print(p_3.nbits())
  7. p_3 = p_3 << kbit
  9. PR.<x> = PolynomialRing(Zmod(n))
  10. f = x + p_3
  11. x0 = f.small_roots(X=2^kbit, beta=0.4)[0]
  12. print("x: %s" %hex(int(x0)))
  14. p = p_3+x0
  15. print("p: ", hex(int(p)))
  16. assert n % p == 0
  17. q = n/int(p)
  19. print("q: ", hex(int(q)))