当前位置:网站首页>[ciscn 2021 South China]rsa writeup
[ciscn 2021 South China]rsa writeup
2022-07-06 17:22:00 【bestkasscn】
[CISCN 2021 South China ]rsa
Title Description
from flag import text,flag
import md5
from Crypto.Util.number import long_to_bytes,bytes_to_long,getPrime
assert md5.new(text).hexdigest() == flag[6:-1]
msg1 = text[:xx]
msg2 = text[xx:yy]
msg3 = text[yy:]
msg1 = bytes_to_long(msg1)
msg2 = bytes_to_long(msg2)
msg3 = bytes_to_long(msg3)
p1 = getPrime(512)
q1 = getPrime(512)
N1 = p1*q1
e1 = 3
print pow(msg1,e1,N1)
print (e1,N1)
p2 = getPrime(512)
q2 = getPrime(512)
N2 = p2*q2
e2 = 17
e3 = 65537
print pow(msg2,e2,N2)
print pow(msg2,e3,N2)
print (e2,N2)
print (e3,N2)
p3 = getPrime(512)
q3 = getPrime(512)
N3 = p3*q3
print pow(msg3,e3,N3)
print (e3,N3)
print p3>>200
We can know from the audit code ,flag == md5(text),text = msg1 + msg2 + msg3
So as long as we can solve msg1,2,3 Can solve flag
part1
p1 = getPrime(512)
q1 = getPrime(512)
N1 = p1*q1
e1 = 3
print pow(msg1,e1,N1)
print (e1,N1)
Small plaintext attack ,e Too small, resulting in the plaintext of the third power is still greater than n Small , Direct pair c1 Third power
part2
p2 = getPrime(512)
q2 = getPrime(512)
N2 = p2*q2
e2 = 17
e3 = 65537
print pow(msg2,e2,N2)
print pow(msg2,e3,N2)
print (e2,N2)
print (e3,N2)
Typical common mode attacks , The derivation process is as follows :
First , Two encryption indices are coprime :
gcd(e1,e2)=1
There is s1、s2 bring :
s1 * e1+s2 * e2=1
Again because :
c1≡m^e1 mod n
c2≡m mod n
Substitution and simplification can be obtained :
c1^s1 * c2^s2 ≡ m mod n
You can find the plaintext
part3
p3 = getPrime(512)
q3 = getPrime(512)
N3 = p3*q3
print pow(msg3,e3,N3)
print (e3,N3)
print p3>>200
Title will p3 Move right 200 position , and p3 Originally 512 position , So we use Coppersmith partial information attack Algorithm for p3 The low order of can be solved p3,q3
among ,Coppersmith partial information attack be based on sage Realization .
complete exp
from Crypto.Util.number import *
import gmpy2
from hashlib import md5
import sys
sys.setrecursionlimit(1000000)
def egcd(a, b):
if a == 0:
return b, 0, 1
else:
g, y, x = egcd(b % a, a)
return g, x - (b // a) * y, y
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def CommonMode(e1, e2, c1, c2, n):
s = egcd(e1, e2)
s1 = s[1]
s2 = s[2]
if s1 < 0:
s1 = - s1
c1 = modinv(c1, n)
elif s2 < 0:
s2 = - s2
c2 = modinv(c2, n)
m = (pow(c1, s1, n) * pow(c2, s2, n)) % n
return long_to_bytes(m)
c1 = 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893
e1 = 3
n1 = 123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009
msg1 = long_to_bytes(gmpy2.iroot(c1, e1)[0])
c2 = 54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
c3 = 91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950
e2 = 17
e3 = 65537
n2 = 111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977
msg2 = CommonMode(e2, e3, c2, c3, n2)
c4 = 59213696442373765895948702611659756779813897653022080905635545636905434038306468935283962686059037461940227618715695875589055593696352594630107082714757036815875497138523738695066811985036315624927897081153190329636864005133757096991035607918106529151451834369442313673849563635248465014289409374291381429646
n3 = 113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147
p3_high = 7117286695925472918001071846973900342640107770214858928188419765628151478620236042882657992902
# This part of the code uses sage Go for a run
# n=113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147
# p4=7117286695925472918001071846973900342640107770214858928188419765628151478620236042882657992902# It is known that P The high
# e=65537
# pbits=512 #P Original digits
#
# kbits=pbits - p4.nbits()
# print (p4.nbits())
# p4 = p4 << kbits
# PR.<x> = PolynomialRing(Zmod(n))
# f = x + p4
# roots = f.small_roots(X=2^kbits,beta=0.4)
# # After the above functions ,n and p Has been transformed into 10 Base number
# if roots:
# p= p4 + int(roots([0]))
# print ("n",n)
# print ("p",p)
# print ("q",n/p)
p3 = 11437038763581010263116493983733546014403343859218003707512796706928880848035239990740428334091106443982769386517753703890002478698418549777553268906496423
q3 = 9918033198963879798362329507637256706010562962487329742400933192721549307087332482107381554368538995776396557446746866861247191248938339640876368268930589
d = gmpy2.invert(e3, (p3 - 1) * (q3 - 1))
msg3 = long_to_bytes(pow(c4, d, n3))
text = msg1 + msg2 + msg3
print(md5(text).hexdigest())
In the end, you get flag.
边栏推荐
猜你喜欢
MySQL日期函数
Flink源码解读(三):ExecutionGraph源码解读
arithmetic operation
微信防撤回是怎么实现的?
Activiti目录(三)部署流程、发起流程
Take you hand-in-hand to do intensive learning experiments -- knock the level in detail
Activiti directory (V) reject, restart and cancel process
Idea breakpoint debugging skills, multiple dynamic diagram package teaching package meeting.
MySQL date function
1. Introduction to JVM
随机推荐
暑假刷题嗷嗷嗷嗷
Prototype chain inheritance
Some feelings of brushing leetcode 300+ questions
mysql 基本增删改查SQL语句
JVM之垃圾回收器下篇
吴军三部曲见识(七) 商业的本质
汇编语言寻址方式
List set data removal (list.sublist.clear)
Flink 解析(六):Savepoints
Eight part essay that everyone likes
肖申克的救赎有感
唯有学C不负众望 TOP5 S1E8|S1E9:字符和字符串&&算术运算符
[VNCTF 2022]ezmath wp
Description of project structure configuration of idea
February database ranking: how long can Oracle remain the first?
Wu Jun trilogy insight (IV) everyone's wisdom
MySQL string function
Activiti目录(一)重点介绍
Introduction to spring trick of ByteDance: senior students, senior students, senior students, and the author "brocade bag"
数据传送指令