def cubeattack(n, c, e=3):
i = 0
m = gmpy.root(i * n + c, 3)
while (m[1] != 1):
m = gmpy.root(i * n + c, 3)
i = i + 1
return (int(m[0]))
def decrypt(self):
s = Utils.CRT(self.ns, self.cs)
pt, perfect = gmpy.root(s, self.e)
if perfect:
return pt
else:
print "Cannot find %dth root of %s" % (self.e, hex(s))
def main():
N = 791624863672362607956099356831131364853604534581539305910340202530608819116145635786172280242888006099238658415878726648609085639898441498221890676242989932156153803416798752313174803590881722743224684700892225118961219497620039594839395302098710398557509455737717045746236278723783082574166076253616722351864293093113312339303779100928501715558725523086900830443711904148216534555379563587752574783766585298405162299420015348154910428560999297372318489063379606963196610310541923400713582218574580476129076391874763972417104970428247552426095493102113265356930843209220678746513622763556047230507409813826323653127519641722507761180370551715894779123757799654191386575031709371023058585245770842026072807521354840681453389934373985631297088292594571458141054189461792135505184038113247878020462609475899896639165065556193530858093783580972030229157998906679657691476969608156903485234277862405304786019418734022240703148376923711471550495919780707697498176112050789516280686586774453361477128822533764461655099250507644377378432909816994714226859830198325441550849414355111311567891047645058209193718307670504917114431127025248430544656281369344135327825272092527266146813922316680837029133898187541256581486770086898004104721349717
A = 20800474461367145273340906691597634098910584848634101425530321090829125122241687879745601849248837998876151999592885721935152548674120399809317994565118852444189251158193986225229214950841679795627758099753351375856214350384902504565070917605339475722050666023289412703507879513606009743774089452299903006910942117062241868053983949068811202383614893148995089157210610010137350618698066200655682358324076086051635412942424101514341843621257447734742388939312643974507540634350698445829827074747244048131430269996635105948318032075354212694854013936053043646732168771012778244153439821689497012763977957502463601486569
B = 8576238992571591869339367870140218994273542282194520701664348646682391448576106630680498284621212787593356209740914901168733090823371040699948878786651462518529144026837660123406693635154217830755339457596520608787502271941986487262771708521404416352019507024705430920736421058347439358995939039953228936764295191673752730499288133458713995709946983920103441131785342297881050343614665686721597353967276809964115302170170393367543710777834619256462467499921754735442721965580336508363159554886933283178151617020551042141999581756444339357087838568279392954356241659416168338179236507816144395812356271365879641284797
bits = 4096 // 2
"""
p = Int('p')
q = Int('q')
s = Solver()
s.add(A*q+B*p == n+1)
s.add(p >= (1 << (bits-1)))
s.add(p < (1 << (bits)) - 1)
s.add(q >= (1 << (bits-1)))
s.add(q < (1 << (bits)) - 1)
s.add(p*q == n)
print(s.check())
print(s.model())
"""
D = ((N + 1)**2) - 4 * B * A * N
kk, c = gmpy.root(D, 2)
T = ((N + 1) + (kk)) // (2 * B)
T = ((N + 1) - (kk)) // (2 * B)
print(N % T == 0)
P = T
Q = N / P
print(N == P * Q)
print("p : " + str(P))
print("q : " + str(Q))
def decrypt(self):
s = Utils.CRT(self.ns, self.cs)
pt, perfect = gmpy.root(s, self.e)
if perfect:
return pt
else:
print "Cannot find %dth root of %s" % (self.e, hex(s))
def nth_root(a, n):
"""
Calculate n-th root of a on Integer
Args:
a : An element of Z
n : root param
"""
return int(gmpy.root(a, n)[0])
def calc(j):
# print j
a, b = gmpy.root(cipher + j * n, 3)
if b > 0:
m = a
#print '{:x}'.format(int(m)).decode('hex')
print j
print n2s(m)
def nth_root(c, e):
try:
from gmpy import root
except:
from gmpy2 import iroot as root
x = root(c, e)[0]
return int(x)
def crack(self):
s = CRT(self.ns, self.cs)
plain, perfect = gmpy.root(s, self.e)
if perfect:
self.plain = ('%x' % plain).decode('hex')
return True
else:
return False
def python_rsa_bleichenbacher(msg,hashtype,msgHashed,modulusSize):
'https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/'
HASH_ASN1 = {
'MD5': b'\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10',
'SHA-1': b'\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14',
'SHA-256': b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20',
'SHA-384': b'\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30',
'SHA-512': b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40'
}
# we need to forge 00 01 XX XX XX ... XX XX 00 HASH_ASN1[hashtype] HASH
# where the XX's make the whole thing same size as modulus
# MAKE SUFFIX
print(msgHashed)
targetSuffix = '0000000000' + bin(int(binascii.hexlify(HASH_ASN1[hashtype]),16))[2:] + bin(msgHashed)[2:]
print(targetSuffix)
print(hex(int(targetSuffix,2)))
# s = our forgery
# c = s^3
# tgt = targetSuffix
# key here is that nth bit, counting from LSB, only affects nth bit OR later in c
# s starts out as bytes until first 1 in tgt
s = targetSuffix[targetSuffix.rfind('1'):]
c = sToC(s)
initLenS = len(s)
for index in range(initLenS,len(targetSuffix)):
if(c[len(c)-index-1]==targetSuffix[len(targetSuffix)-index-1]):
s = '0' + s
else:
s = '1' + s
c = sToC(s)
# SUFFIX MADE!
assert(c[-len(targetSuffix):]==targetSuffix)
suffix ='00'+hex(int(s,2))[2:]
print("suffix is %s" % hex(int(s,2)))
print("suffix is %s" % hex(int(c,2)))
# Generate prefix
prefix = format(0,'08b') + format(1,'08b')
prefix += ''.join([format(random.randint(1,256),'08b')]*((modulusSize-len(prefix))//8))
assert len(prefix) == modulusSize
print(hex(int(prefix,2)))
import gmpy
cRoot = gmpy.root(int(prefix,2),3)
if(cRoot[1]==1):
cRoot = int(cRoot[0].digits())
else:
cRoot = int(cRoot[0].digits())
print(hex(cRoot))
prefix = hex(cRoot)[2:]
final = prefix[:-len(suffix)] + suffix
print(final)
print(int(final,16))
print('0'+hex(int(final,16)**3)[2:])
return 'potato'
def Getanswer(c,n,e):
while(True):
k=1
temp = c + k*n
x,y=gmpy.root(temp,e)
if(y):
return x
else:
k+=1
def eth_root(n, e, c):
if e <> 3:
return None
for k in range(32):
c = gmpy.mpz(c) + k * gmpy.mpz(n)
(m, r) = gmpy.root(c, e)
if r == 1:
mb = convert_to_bits(m)
return bits_to_string(pad_bits(mb, len(mb) + pad(len(mb))))
return None
def find_cube(i, j, k):
n, x = chinrest([cs[j], cs[k], cs[i]], [ns[j], ns[k], ns[i]])
n = long(n)
x = long(x)
for i in range(100):
x += n
(m, r) = gmpy.root(x, 3)
if r == 1:
z = m
pass
return rev_oaep(z, 512, 512)
def brute_find(i, t = 20):
j = 0
n_i = n[i]
c_i = c_int[i]
e_i = e[i]
while j < 2**t:
k, t = gmpy.root(n_i*j+c_i, e_i)
if t == 1:
print k
return k
j += 1
pass
def sample_RSA_lowexpo2():
import gmpy
N = long('00b0a1f390acd3d43b47d39f132662f69c158925d92871e47869e2841a917c20d5102431b9a9781458d840fd29577815a41612d687a3487d26fbae256f15d4740c34591b646abcccb1a27acde299b3e71600857b455c283660e0455c68ff45c0644cfec211d7f51a16c82e91d786d92c799fb3cb48f92de342ba70dd8213056b314a8d51da9493cf1b86ec15fdf03e046e76d3f1a1ad0aabb684ce5d157e399828a63a5af5920228bb5ea1e66b8feaa3ccbbaff555e346797730ddfc1c4cf4a9dd406588629348c4c29265df9e2c3d02558be5e35cb277f4e7ac7b5158ef3903a396486371029e54a345292aba47499f1c267e680ae738195fd5af2a8075939890f5d69e6b3e94e3e560861aa6c6c69da82405dba2182e66ecff6a8a9cdf5ad5226f073e7d525e050fdd77e0bb1891a49efec2d367a693d2a6799d0d4667953d4f3ddec16ac15bb4cf6025ea58ecb6dfa572316da08d3106073973322ae7597446f2fd3043df6e1d604c6a1f0e59473d9bc182d4ec6fc4588f1c6b2aa476876a84b2d4e0d45910399118d7e1e20dcc27703f2bd3e9af722f37a7673b15d674922862c84d00fc2fc7ddddc915c4693fcb0b1789e9dcbd72ac04659e7c18dcf36254760040402bfcef11b8a3ef9c8bddbaaa8d14c6e8f518a70b036d206b809cd9b3b51a1ec0132dace96dca9451f34c38ab84ed475e7d94fbe9ffc007f2d14860bd', 16)
orig = s2n(open("enc.dat").read().rstrip())
c = orig
while True:
m = gmpy.root(c, 3)[0]
if pow(m, 3, N) == orig:
print "pwned", n2s(m)
break
c += N
def hastads(self):
# Hastad's attack
if self.pub_key.e == 3 and self.args.uncipher is not None:
orig = s2n(self.cipher)
c = orig
while True:
m = gmpy.root(c, 3)[0]
if pow(m, 3, self.pub_key.n) == orig:
self.unciphered = n2s(m)
break
c += self.pub_key.n
return
def hastads(self):
# Hastad attack for low public exponent, this has found success for e = 3, and e = 5 previously
if self.pub_key.e <= 11 and self.args.uncipher is not None:
orig = s2n(self.cipher)
c = orig
while True:
m = gmpy.root(c, self.pub_key.e)[0]
if pow(m, self.pub_key.e, self.pub_key.n) == orig:
self.unciphered = n2s(m)
break
c += self.pub_key.n
return
def brute_find(i, t=20):
j = 0
n_i = n[i]
c_i = c_int[i]
e_i = e[i]
while j < 2**t:
k, t = gmpy.root(n_i * j + c_i, e_i)
if t == 1:
print k
return k
j += 1
pass
def hastads(self):
# Hastad attack for low public exponent, this has found success for e = 3, and e = 5 previously
if self.pub_key.e <= 11 and self.args.uncipher is not None:
orig = s2n(self.cipher)
c = orig
while True:
m = gmpy.root(c, self.pub_key.e)[0]
if pow(m, self.pub_key.e, self.pub_key.n) == orig:
self.unciphered = n2s(m)
break
c += self.pub_key.n
return
def find_prime_factor(num):
prime_factor = []
num_root = gmpy.root(num, 2)[0] + 1
print num_root
i = 2
while i < num_root:
if num % i == 0:
prime_factor.append(i)
num /= i
else:
i += 1
prime_factor.append(num)
return prime_factor
def decrypt(grps, e):
for grp in combinations(zip(grps['n'], grps['c']), e):
N = 1
for x in grp:
N *= x[0]
M = 0
for x in grp:
M += x[1] * number.inverse(N // x[0], x[0]) * (N // x[0])
M %= N
m, exact = gmpy.root(M, e)
if exact:
print(number.long_to_bytes(m))
def brute_force(brute_force_attack_params):
e = brute_force_attack_params['e']
n = brute_force_attack_params['n']
c = brute_force_attack_params['c']
start_time = time.time()
current_time = time.time()
while current_time - start_time < 30:
current_time = time.time()
m = gmpy.root(c, e)[0]
if pow(m, e, n) == c:
hd = hex(int(m))[2:]
asc = bytes.fromhex(hd).decode('utf-8')
return asc
c += n
return -1
def _brup_e(self):
publickey = raw_input("请输入公钥的绝对路经:")
key_data = open(publickey, 'rb').read()
key = RSA.importKey(key_data)
print("[*] n: " + str(key.n))
print("[*] e: " + str(key.e))
x = raw_input("密文格式:1.数字 2. 文件\n")
c = 0
if x == '1':
c = raw_input("请输入密文数字:")
elif x == '2':
pathen = raw_input("请输入密文绝对路经:")
f = open(pathen, 'r').read()
c = s2n(f)
i = 0
while i < 10:
a = gmpy.root(c, key.e)
print(n2s(a[0]))
c = a[0]
i += 1
raw_input("执行完毕,按任意键继续...")
import gmpy
c=120834334415160852720008181834558485154210074353712170753742121859375769954620080853024831805188626044332248657897956200333552302444801664165203934981417856836921490589448355159260196991182462307686587964231453698692517756240859075496171515630967327761143563063128466698098647876420389279719791854940177381159484797420915527554354529897877019363674101
p=gmpy.root(c, 7)[0]
print(p)
print(hex(p)[2:].decode('hex'))
import gmpy from Crypto.Util.number import * e = 5 n1 = 22354163791642068886566627219651104380195041959729310536115197372690426166153150709554121466476415239938369078918877984798582326979079153795774037292422071622126484521927631771658058095237139085385756115261972030995362441580297007439051832142457196151824718232248567366670706914779874402683742498695075966725643445863105930425231664277753503763301685728514729454184837909500791715332489780346705814147940635497894486147997813359576656960563599630666067976553724013307328267946814810660680917118025290583125363952665067417686810121196242575696597185045825025685213476854256583567246667302893495351968886389607277575017 n2 = 21572642385016963477579971598617440264385803019459680727028155128709560426935255322579963615480913309319371656833660339467010507644019609202771890449419513825998921211898287110979094482184152680851462860763436118651357838279675837330160696073705562801691670054989971242359972394239624514658831442232416757294030962417420713484664248743040825601912659822670147259253345577287621617731732830801600663028815836518284528998558748540254850496265160959735474358970956309010617755485370782641135356868776640582716527007418304047891311611018237370467038297057657170187552676959058139793475780778636104344421256645433184319157 n3 = 23538490262479781189676424291555687068164182643114661587432340961545193235358179989589472145285643966533983578871187834969068436328997665124747925015293061116055708486200061846952313798801858926911255182783099863586327412221517353934763470084520104303420274885565476991562950377811932201525369292989577677075746773213738116508556463673021568154490753308066042359478835646993306170787055261836477886518576333412004771973699327342803658870989682535232759787969849526764566716133935977445433821602865539462257059701760274658057551372518367400843423909801446235376486516405672866560803799383073579471615403602431711906749 c1 = 8251412717378499426943044591229698372921470386799043004121511177127490360947672432828172950920462590131612740580667346789845592456601935083361010491364143991167754355753784659730080802613261548707296078812865553433595508332527259182849010044455347956676601579784507086046839727921827816698611494372771020370220204666127232765068459835347577650640380746779041820863713925451297171219193544837774581741151646875007941650557239399525694514278200390425920026333044311100410760285248540227801135653250431214060352848761880110983132813330039294997643112287410353948128815918569840988643578772550051280725313230021391380942 c2 = 2702325779529388356371102063040984812124665040096740083415590291307659656117305889838882346989298792101301675475943519630707962469291374444160241176144438945716450393919324588280512162965834656691829393002354300184430292151232812832379450453239000612487613356778411786988702989653661016040401893797873661496019219713761717152774454407503253778794508261627260348018307413238031010132639873894130882230804487006727238991743901103529951650508735692190261561512563254962091894391335884495409277055781287361495675018521228212719289913631998193225375985394285744778656347088506213034138518416542660994351922789098153782426 c3 = 3900786923701448353408400328996279443634365978988250027372176657417202602107709749413601922950255680346434821246225602149213848118274433155867843596693043442953202427150352180877384824428649481139269805852912723284877986721489556461272257756102572291913902519661603733662427660803951862948881013199212486295331474761125640673120787973554851559343144421866187607741449270421663485412329555125791603856752842050767936467505915266913093771220903152480407517200342375961712589389233164233844314560534425409330962177881162956636107825634564219533818875183351523212208900244508745427360366146728697555090746078827400829510 #Using Chinese Remainder theorem N = n1 * n2 * n3 N1 = N / n1 N2 = N / n2 N3 = N / n3 u1 = gmpy.invert(N1, n1) u2 = gmpy.invert(N2, n2) u3 = gmpy.invert(N3, n3) M = (c1 * u1 * N1 + c2 * u2 * N2 + c3 * u3 * N3) % N m = gmpy.root(M, e) print m m = 166669694651033760061575940989372165846441757780154432573650021547004196492395364998535451972996273240942325802493947438303206809036305265985603556202994107733144683246196950761049669917488086843376146211622312998750164007816417563417701011230377730627570289745331758366880192428413 print long_to_bytes(m)
import gmpy
N = long(80646413)
def n2s(n):
"""
Number to string.
"""
s = hex(n)[2:].rstrip("L")
if len(s) % 2 != 0:
s = "0" + s
return s.decode("hex")
line = map(lambda x:long(x.strip()), open("rivest.txt").readlines())
out = ''
for orig in line:
c = orig
while True:
m = gmpy.root(c, 5)[0]
if pow(m, 5, N) == orig:
out += chr(m)
break
c += N
print out
def introot(n, r=2):
if n < 0: return None if r%2 == 0 else -introot(-n, r)
return root(n, r)[0]
import gmpy
def int2string(i):
ihex = hex(i)[2:-1]
if len(ihex) % 2 != 0:
ihex = '0' + ihex
return ihex.decode('hex')
nthroot = lambda a, r: int(gmpy.root(a, r)[0])
modinv = lambda a, m: int(gmpy.invert(a, m))
egcd = lambda x, y: map(int, gmpy.gcdext(x, y))
ns = [945849313 * 890855617, 142594211 * 353521913, 41692333 * 775305163]
e = 3
m1 = raw_input("Enter message to be broadcasted:")
m2 = m1 #raw_input("Enter mesg2:")
m3 = m1 #raw_input("Enter mesg3:")
m1 = int(m1.encode("hex"), 16)
m2 = int(m2.encode("hex"), 16)
m3 = int(m3.encode("hex"), 16)
print "The message is :", m1
#print m2
#print m3
cs = []
cs.append(pow(m1, e, ns[0]))
print cs[0]
cs.append(pow(m2, e, ns[1]))
print cs[1]
cs.append(pow(m3, e, ns[2]))
print cs[2]
s = CRT(ns, cs)
print s
pt, perfect = gmpy.root(s, e)
m = hex(pt)
b = m[2:].decode("hex")
print "The message is %d or %s" % (pt, hex(pt))
print "Text : %s" % b
def hastads_broadcast_attack(e, pairs):
x = chinese_remainder(pairs)
m = root(x, e)[0]
return m
def divide_into_blocks(text, blocklen):
return [text[i:i + blocklen] for i in xrange(0, len(text), blocklen)]
def flip_iv(oldplain, newplain, iv):
flipmask = xor_str(oldplain, newplain)
return xor_str(iv, flipmask)
def gcd(a, b):
while b:
a, b = b, a % b
return a
nthroot = lambda a, r: int(gmpy.root(a, r)[0])
modinv = lambda a, m: int(gmpy.invert(a, m))
egcd = lambda x, y: map(int, gmpy.gcdext(x, y))
def str2num(s):
return int(s.encode('hex'), 16)
def num2str(n):
h = hex(n)
if h[-1] == "L": h = h[:-1]
return h[2:].decode('hex')
randstr = lambda n: ''.join(
def hastads_broadcast_attack(e, pairs):
x, n = chinese_remainder(pairs)
return gmpy.root(x, e)[0]
#!/usr/bin/env python3
import gmpy
from Cryptodome.Util import number
plain, _ = gmpy.root(
80505397907128518326368510654343095894448384569115420624567650731853204381479599216226376345254941090872832963619259274943986478887206647256170253591735005504,
3)
print(number.long_to_bytes(int(plain)))
def sub_sub_sure_factors(f, u, curve_parameter):
'''Finds all factors that can be found using ECM with a smoothness bound of u and sigma and give curve parameters. If that fails, checks for being a prime power and does Fermat factoring as well.
Yields factors.'''
while not (f & 1):
yield 2
f >>= 1
while not (f % 3):
yield 3
f /= 3
if isprime(f):
yield f
return
log_u = math.log(u)
u2 = int(_7_OVER_LOG_2 * u * log_u / math.log(log_u))
primes = []
still_a_chance = True
log_mo = math.log(f + 1 + sqrt(f << 2))
g = gcd(curve_parameter, f)
if g not in (1, f):
for factor in sub_sub_sure_factors(g, u, curve_parameter):
yield factor
for factor in sub_sub_sure_factors(f / g, u, curve_parameter):
yield factor
return
g2 = gcd(curve_parameter**2 - 5, f)
if g2 not in (1, f):
for factor in sub_sub_sure_factors(g2, u, curve_parameter):
yield factor
for factor in sub_sub_sure_factors(f / g2, u, curve_parameter):
yield factor
return
if f in (g, g2):
yield f
while still_a_chance:
p1 = get_points([curve_parameter], f)
for prime in primes:
p1 = multiply(p1, prime, f)
if not isinstance(p1, list):
if p1 != f:
for factor in sub_sub_sure_factors(p1, u, curve_parameter):
yield factor
for factor in sub_sub_sure_factors(f / p1, u,
curve_parameter):
yield factor
return
else:
still_a_chance = False
break
if not still_a_chance:
break
prime = 1
still_a_chance = False
while prime < u2:
prime = next_prime(prime)
should_break = False
for _ in xrange(int(log_mo / math.log(prime))):
p1 = multiply(p1, prime, f)
if not isinstance(p1, list):
if p1 != f:
for factor in sub_sub_sure_factors(
p1, u, curve_parameter):
yield factor
for factor in sub_sub_sure_factors(
f / p1, u, curve_parameter):
yield factor
return
else:
still_a_chance = True
primes.append(prime)
should_break = True
break
if should_break:
break
for i in xrange(2, int(math.log(f) / LOG_2) + 2):
r = root(f, i)
if r[1]:
for factor in sub_sub_sure_factors(r[0], u, curve_parameter):
for _ in xrange(i):
yield factor
return
a = 1 + sqrt(f)
bsq = a * a - f
iter = 0
while bsq != sqrt(bsq)**2 and iter < 3:
a += 1
iter += 1
bsq += a + a - 1
if bsq == sqrt(bsq)**2:
b = sqrt(bsq)
for factor in sub_sub_sure_factors(a - b, u, curve_parameter):
yield factor
for factor in sub_sub_sure_factors(a + b, u, curve_parameter):
yield factor
return
yield f
return
def sqrt(n): return root(n, 2)[0]
#russian
n3 = int("""00:91:4f:6b:95:33:56:85:ba:37:f4:f9:5b:f9:89:
3e:d7:c0:2b:b1:31:d6:d7:a4:a3:7c:ed:72:c3:1f:
52:83:a6:57:74:ea:67:d3:8c:70:29:d1:e7:51:a8:
25:64:b2:c1:89:bf:6c:76:c7:5e:07:f8:73:8e:97:
36:36:85:6f:34:61:d5:92:11:fe:96:f8:18:a4:19:
3a:0a:d4:53:2c:c1:e5:95:ff:18:7d:c8:ce:14:90:
ad:19:ae:9e:4b:2e:a6:3a:07:0e:e7:e9:2d:43:6c:
64:52:fa:07:00:7e:3a:96:62:ee:eb:43:2a:e9:03:
54:a0:74:9c:3f:ca:8f:a5:e2:5e:a7:3d:64:0c:35:
2e:16:5a:85:7c:ef:a1:62:8a:fa:17:e0:24:b7:3e:
78:24:6e:12:40:2e:71:ab:65:ab:be:dc:ed:83:06:
62:9d:31:19:4a:d8:8b:f0:7b:08:5a:be:72:35:00:
fd:02:e4:4e:70:42:07:9c:fb:81:58:c6:ed:88:b7:
df:d2:52:66:e4:19:9f:68:ed:1c:58:2f:d9:59:f8:
7a:57:2f:7a:b8:c7:b5:4e:f3:27:20:5f:71:0c:7f:
27:0b:22:9d:d7:a3:73:15:58:2e:59:21:86:5a:dc:
7b:74:ac:73:81:6b:e2:1b:42:e0:bd:d9:11:7e:2f:
b1:33""".replace("\n","").replace(" ","").replace(":",""),16)
c3 = 9343715678106945233699669787842699250821452729365496523062308278114178149719235923445953522128410659220617418971359137459068077630717894445019972202645078435758918557351185577871693207368250243507266991929090173200996910881754217374691865096976051997491208921880703490275111904577396998775470664002942232492755888378994040358902392803421017545356248082413409915177589953816030273082416979477368273328755386893089597798104163894528521114946660635364704437632205696975201216810929650384600357902888251066301913255240181601332549134854827134537709002733583099558377965114809251454424800517166814936432579406541946707525
mto3 = chinese_remainder([n1,n2,n3],[c1,c2,c3])
m = gmpy.root(mto3,3)[0]
assert(m ** 3 == mto3)
print(bytes.fromhex(hex(m)[2:]))
# FLAG : CSCG{ch1nes3_g0vernm3nt_h4s_n0_pr0blem_w1th_c0ron4}
v3 = t3
return u1, u2, u3
ii = [0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
ee = [e0, e2, e3, e4, e5, e6, e7, e8, e9, e10, e11, e12, e13, e14, e15]
nn = [n0, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11, n12, n13, n14, n15]
cc = [c0, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15]
import gmpy
# solution for message 1
for i, (e, c, n) in enumerate(zip(ee, cc, nn)):
if e != 3:
continue
c = gmpy.mpz(c)
(m, r) = gmpy.root(c, e)
if r == 1:
bm = convert_to_bits(m)
print bits_to_string(pad_bits(bm, len(bm) + pad(len(bm))))
# solution for message 9
for i, (e, c, n) in enumerate(zip(ee, cc, nn)):
if e != 3:
continue
for k in range(1, 32):
c = gmpy.mpz(c) + k * gmpy.mpz(n)
(m, r) = gmpy.root(c, e)
if r == 1:
bm = convert_to_bits(m)
print bits_to_string(pad_bits(bm, len(bm) + pad(len(bm))))
import gmpy
from libnum import *
# get N with: openssl rsa -in key.pem -pubin -text -modulus
N = long('00b0...0bd', 16)
orig = s2n(open("enc.dat").read().rstrip())
c = orig
while True:
m = gmpy.root(c, 3)[0]
if pow(m, 3, N) == orig:
print "pwned", n2s(m)
break
c += N
from Cryptodome.Util import number
import gmpy
e = 3
# N calculated from find_N.sage
N = 187795925823734325427922129400903064447939230079749593582888955729233613927664963249253109445797881310600022107610063372163109680347351728106161259940132053843094520258298587300098649659086794250342183576016139529480708131865573815277186071689715560136272970295181972127809680913213315466857363592840734015631789901717416958763625579894203827173264533068928411411900434306159334166145601906949838378162268540176666151625668048199949727289362401385033442715204089618148304522761017721807220548062006257938216135412302607861485309850357047464137756090093147174466985388223476237618779397449867569762499553904537606950395560182967714513927555299260240145405337097541724441256522242351493898132661339746637960432365669179377375146876905861610710695642357915473770040937265038017475440256799871951819480154996649462065875190637650298268768632223305590541389220758177843962257602725068901998357847886097843725831692085292087342293328626211564879993107959726391583247091787672118640363796914156472420849303078305632328827952362595710204102897336000414029369544570370389149794466669907129497588557761458341467997245836443573184101088147352024805283420336966011949782437881061892874590468478282426014052996148571250702203577498897677913881903752762877594096034594195425068485720454216519907393575792021735978451081699399503002817458999501350160110440748525860129255899775473009074177252288293791544955724874319138044275542019473443141909056522597
plain = gmpy.root(N, e)[0]
print(number.long_to_bytes(int(plain)))
# flag{infi_nite_jes_t}
def sub_sub_sure_factors(f, u, curve_parameter): '''Finds all factors that can be found using ECM with a smoothness bound of u and sigma and give curve parameters. If that fails, checks for being a prime power and does Fermat factoring as well. Yields factors.''' while not (f & 1): yield 2 f >>= 1 while not (f % 3): yield 3 f /= 3 if isprime(f): yield f return log_u = math.log(u) u2 = int(_7_OVER_LOG_2 * u * log_u / math.log(log_u)) primes = [] still_a_chance = True log_mo = math.log(f + 1 + sqrt(f << 2)) g = gcd(curve_parameter, f) if g not in (1, f): for factor in sub_sub_sure_factors(g, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f/g, u, curve_parameter): yield factor return g2 = gcd(curve_parameter**2 - 5, f) if g2 not in (1, f): for factor in sub_sub_sure_factors(g2, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f / g2, u, curve_parameter): yield factor return if f in (g, g2): yield f while still_a_chance: p1 = get_points([curve_parameter], f) for prime in primes: p1 = multiply(p1, prime, f) if not isinstance(p1, list): if p1 != f: for factor in sub_sub_sure_factors(p1, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f/p1, u, curve_parameter): yield factor return else: still_a_chance = False break if not still_a_chance: break prime = 1 still_a_chance = False while prime < u2: prime = next_prime(prime) should_break = False for _ in xrange(int(log_mo / math.log(prime))): p1 = multiply(p1, prime, f) if not isinstance(p1, list): if p1 != f: for factor in sub_sub_sure_factors(p1, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f/p1, u, curve_parameter): yield factor return else: still_a_chance = True primes.append(prime) should_break = True break if should_break: break for i in xrange(2, int(math.log(f) / LOG_2) + 2): r = root(f, i) if r[1]: for factor in sub_sub_sure_factors(r[0], u, curve_parameter): for _ in xrange(i): yield factor return a = 1 + sqrt(f) bsq = a * a - f iter = 0 while bsq != sqrt(bsq)**2 and iter < 3: a += 1 iter += 1 bsq += a + a - 1 if bsq == sqrt(bsq)**2: b = sqrt(bsq) for factor in sub_sub_sure_factors(a - b, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(a + b, u, curve_parameter): yield factor return yield f return
def sqrt(n):
return root(n, 2)[0]
