x,y,z=var('x y z') eqution1= ...==... eqution2= ...==... eqution3= ...==... solutions=solve((eqution1,eqution2,eqution3),x,y,z) for solution in solutions: print(solution)
for i inrange(1,65538): if (dp*e-1)%i == 0: if n%(((dp*e-1)/i)+1)==0: p=((dp*e-1)/i)+1 q=n/(((dp*e-1)/i)+1) phi = (p-1)*(q-1) d = gmpy2.invert(e,phi)%phi
ZmodN = Zmod(N) P.<x> = PolynomialRing(ZmodN) f = (m + x)^e - c x0 = f.small_roots(X=2^kbits, beta=1)[0] print("m:", m + x0)
2.适用于N的因数P的高位或低位泄漏
kbit = 435#p的低位数 PR.<x> = PolynomialRing(Zmod(n)) f = p0+x#p0为p的高位,x为p的低位,p0已知 x = f.small_roots(X=2^kbit, beta=0.4) p = p0+int(x[0]) q = n // p
3.d的低比特泄漏
4.Boneh Durfee Attack(d只有1024*0.27bit)
5.已知m%r和r
欧拉定理
mϕ(n)≡1modn
卡米歇尔定理
λ(n)=gcd(p−1,q−1)(p−1)(q−1)mλ(n)≡1modn
欧拉ϕ公式
ϕ(n)=i=1∏rpiki−1(pi−1)
中国剩余定理CRT
x≡amodpx≡bmodqx=aqq−1+bpp−1modpq
利用CRT解RSA:
c=libnum.solve_crt([c1,c2],[q1,q2])
多素数因子分解
已知N和phi,N有多个素数因子,直接函数分解
deffactorize(N, phi): """ Recovers the prime factors from a modulus if Euler's totient is known. This method only works for a modulus consisting of 2 primes! :param N: the modulus :param phi: Euler's totient, the order of the multiplicative group modulo N :return: a tuple containing the prime factors, or None if the factors were not found """ s = N + 1 - phi d = s ** 2 - 4 * N p = int(s - isqrt(d)) // 2 q = int(s + isqrt(d)) // 2 return p, q
deffactorize_multi_prime(N, phi): """ Recovers the prime factors from a modulus if Euler's totient is known. This method works for a modulus consisting of any number of primes, but is considerably be slower than factorize. More information: Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3) :param N: the modulus :param phi: Euler's totient, the order of the multiplicative group modulo N :return: a tuple containing the prime factors """ prime_factors = set() factors = [N] whilelen(factors) > 0: # Element to factorize. N = factors[0]
w = randrange(2, N - 1) i = 1 while phi % (2 ** i) == 0: sqrt_1 = pow(w, phi // (2 ** i), N) if sqrt_1 > 1and sqrt_1 != N - 1: # We can remove the element to factorize now, because we have a factorization. factors = factors[1:]
p = gcd(N, sqrt_1 + 1) q = N // p
if is_prime(p): prime_factors.add(p) elif p > 1: factors.append(p)
if is_prime(q): prime_factors.add(q) elif q > 1: factors.append(q)
defrho(n): i = 1 whileTrue: a = getRandomRange(2, n) b = f(a, n) j = 1 whileTrue: p = GCD(abs(a - b), n) print('{} in {} circle'.format(j, i)) if p == n: break elif p > 1: return (p, n // p) else: a = f(a, n) b = f(f(b, n), n) j += 1 i += 1
defget_oneroot(p, e): whileTrue: Zp = Zmod(p) g = Zp.random_element() g = g^((p-1) // e) for mult in divisors(e): if (mult != e): g2 = g^mult if (g2 == 1): break else: return g
defdecrypt(p, c, e): w = gcd(e, p-1) e1, p1 = e // w, (p-1) // w d = inverse_mod(e1, p1) c1 = pow(c, d, p) g, a, b = xgcd(p1, w) g = get_oneroot(p, w) m = pow(c1, b, p) return [ZZ(m * g^i) for i inrange(w)]
mp_list = decrypt(p, c, e) print('Find root p OK') mq_list = decrypt(q, c, e) print('Find root q OK') for mp, mq in itertools.product(mp_list, mq_list): m = crt([mp, mq], [p, q]) msg = long_to_bytes(int(m)) if (b'...CTF'in msg orb'flag'in msg): print(msg)
中国剩余定理
p= q= n= e=
R.<x> = Zmod(p)[] f = x ^ e - c f = f.monic() res1 = f.roots() R.<x> = Zmod(q)[] f = x ^ e - c f = f.monic() res2 = f.roots()
#这里在有限域内求根,求出多个根,但要求的m`只有最小的那一个(也可以分别用RSA解法求m)
for i in res1: for j in res2: # 普普通通中国剩余定理 m =libnum.solve_crt([int(i[0]),int(j[0])],[p,q])#c3=libnum.solve_crt([c1,c2], [q1,q2]) flag = long_to_bytes(m) if flag.startswith(b'flag'): print(flag)
