Beispiel #1
0
    def __init__(self, bits_modulo=2048, e=2**16 + 1):
        '''
		genera una clau RSA (de 2048 bits i amb exponent públic 2**16+1 per defecte)
		'''
        self.publicExponent = e
        correct_primes = False
        while not correct_primes:
            self.primeP = sympy.randprime(2**(bits_modulo // 2 - 1),
                                          2**(bits_modulo // 2) - 1)
            self.primeQ = sympy.randprime(2**(bits_modulo // 2 - 1),
                                          2**(bits_modulo // 2) - 1)
            phi_p = self.primeP - 1
            if sympy.gcd(phi_p, self.publicExponent) != 1:
                continue
            phi_q = self.primeQ - 1
            if sympy.gcd(phi_q, self.publicExponent) != 1:
                continue
            correct_primes = True
        phi_n = (self.primeP - 1) * (self.primeQ - 1)
        # lcm = phi_p * phi_q / math.gcd(phi_p,phi_q)
        lcm = sympy.lcm(phi_p, phi_q)
        self.privateExponent = sympy.invert(self.publicExponent, lcm)
        self.modulus = self.primeP * self.primeQ
        self.privateExponentModulusPhiP = self.privateExponent % phi_p
        self.privateExponentModulusPhiQ = self.privateExponent % phi_q
        self.inverseQModulusP = sympy.invert(self.primeQ, self.primeP)
Beispiel #2
0
def slope(point_a, point_b, a, p):
    if point_a.x != point_b.x:
        s = (point_b.y - point_a.y) * invert((point_b.x - point_a.x), p)
    elif point_a.y == point_b.y:
        s = (3 * point_a.x ** 2 + a) * invert((2 * point_a.y), p)
    else:
        return None
    return s % p
Beispiel #3
0
def slope(point_a, point_b, a, p):
    global tmp
    if point_a.x != point_b.x:
        tmp = point_b.x - point_a.x
        s = (point_b.y - point_a.y) * invert((point_b.x - point_a.x), p)
    elif point_a.y == point_b.y:
        tmp = 2 * point_a.y
        s = (3 * point_a.x ** 2 + a) * invert((2 * point_a.y), p)
    else:
        return None
    return s % p
def invert_poly(f_poly, R_poly, p):
    inv_poly = None
    if is_prime(p):
        inv_poly = invert(f_poly, R_poly, domain=GF(p))
    elif is_2_power(p):
        inv_poly = invert(f_poly, R_poly, domain=GF(2))
        e = int(math.log(p, 2))
        for i in range(1, e):
            inv_poly = ((2 * inv_poly - f_poly * inv_poly**2) %
                        R_poly).trunc(p)
    else:
        raise Exception("Cannot invert polynomial in Z_{}".format(p))
    return inv_poly
Beispiel #5
0
def invert_poly(f_poly, N, p):
    R_poly = MOD
    inv_poly = None
    if is_prime(p):
        log.debug("Inverting as p={} is prime".format(p))
        inv_poly = invert(f_poly, R_poly, domain=GF(p))
    elif is_2_power(p):
        log.debug("Inverting as p={} is 2 power".format(p))
        inv_poly = invert(f_poly, R_poly, domain=GF(2))
        e = int(math.log(p, 2))
        for i in range(1, e):
            log.debug("Inversion({}): {}".format(i, inv_poly))
            inv_poly = ((2 * inv_poly - f_poly * inv_poly**2) %
                        R_poly).trunc(p)
Beispiel #6
0
def _check_sign(filePath, signPath):

    print("Checking sign of the file...")

    file = open(filePath, 'rb')
    fileData = file.read()
    file.close()

    file = open(signPath, 'rb')
    signData = file.read()
    file.close()

    print("---> STEP #1: Getting r,s, Q_x, Q_y from asn.1 file...")
    x_q, y_q, r, s = asnGenerator.decodeSign(signData)
    print("r = ", r)
    print("s = ", s)
    print("              Checking if (0 < r < q) & (0 < s < q)...")
    if ((r > 0 and r < q) and (s > 0 and s < q)):
        print("              r and s are OK")
        print("---> STEP #2: Calculating hash of the file...")
        h = gost34112012256.new(fileData).digest()
        print('              hash = {0}'.format(
            gost34112012256.new(fileData).hexdigest()))
        print("---> STEP #3: Calculating alpha from hash...")
        alpha = int.from_bytes(h, byteorder="big")
        print("              Calculating e = alpha (mod q) ...")
        e = alpha % q
        if e == 0:
            print("              e = 0 ---> e = 1")
            e = 1
        else:
            print("              e != 0")

        print("---> STEP #4: Calculating v = e^(-1) (mod q) ...")
        v = invert(e, q)
        print("              v = ", v)

        print("---> STEP #5: Calculating z1 = s*v (mod q) ...")
        print("              Calculating z2 = (-r*v) (mod q) ...")
        z_1 = (s * v) % q
        z_2 = (-r * v) % q

        print("---> STEP #6: Calculating C = z1*P + z2*Q  ...")
        x1, y1 = _mul_points(p_x, p_y, z_1)
        x2, y2 = _mul_points(x_q, y_q, z_2)
        x_C, y_C = sum(x1, y1, x2, y2)

        print("              Calculating R = C_x (mod q) ...")
        R = x_C % q
        print("              R = ", R)

        print("---> STEP #7: Checking if R = r ...")
        if R == r:
            print("              ! R = r !")
            return True
        else:
            print("              ! R != r !")
            return False

    return False
        def init_second_screen():
            self.remove_widget(self.first_screen)
            p = self.p_choice
            q = self.q_choice
            self.n = p * q
            phi = (p - 1) * (q - 1)
            e = sy.prevprime(int(phi / 2))
            while (sy.gcd(e, phi) != 1):
                e = sy.nextprime(e)
                if (e > phi):
                    e = sy.nextprime(e % phi)
            d = sy.invert(e, phi)
            self.key_pub.text = "Public key (e, n) = (" + str(e) + "," + str(
                self.n) + ")"
            self.key_pri.text = "Private key (d, n) = (" + str(d) + "," + str(
                self.n) + ")"
            if (len(self.key_pub.text) > 100):
                self.key_pub.text = "Public key (e, n) = \n(" + str(
                    e) + ",\n" + str(self.n) + ")"
            if (len(self.key_pri.text) > 100):
                self.key_pri.text = "Private key (d, n) = \n(" + str(
                    d) + ",\n" + str(self.n) + ")"

            self.rsa_crack.bind(on_press=crack_rsa)
            self.add_widget(self.second_screen)
def main():
    rsa_crypt = lib.RSACrypto(20, 7)
    print("params:")

    rsa_crypt.n = 790129
    rsa_crypt.e = 7
    rsa_crypt.d = 337579

    print("n = ", str(rsa_crypt.n))
    print("e = ", str(rsa_crypt.e))
    print("d = ", str(rsa_crypt.d))

    p = 0
    q = 0
    iter = 1
    while (p * q) != rsa_crypt.n:
        print(iter)
        p = decomposition(rsa_crypt.n)
        q = rsa_crypt.n // rsa_crypt.p
        iter += 1

    m = (p - 1) * (q - 1)
    d2 = int(sympy.invert(rsa_crypt.e, m))

    print("Found p: " + str(p))
    print("Found q: " + str(q))
    print("Found d: " + str(d2))
Beispiel #9
0
def elgamal_ecc_verify(src_file, sign_file):
    with open(sign_file, mode='rb') as file:
        encoded_data = file.read()

    decoder = asn1.Decoder()
    decoder.start(encoded_data)
    parse_ans1(decoder)
    Qx = params[params_dict['Qx']]
    Qy = params[params_dict['Qy']]
    p = params[params_dict['p']]
    a = params[params_dict['a']]
    # b = params[params_dict['b']]
    Px = params[params_dict['Px']]
    Py = params[params_dict['Py']]
    q = params[params_dict['q']]
    r = params[params_dict['r']]
    s = params[params_dict['s']]


# First step
    r = int(r)
    s = int(s)

    print('[+] a = ', hex(a))
    print('[+] x = ', hex(Px))
    print('[+] y = ', hex(Py))
    print('[+] p = ', hex(p))
    print('[+] r = ', hex(q))
    print('[+] P.x = ', hex(Qx))
    print('[+] P.y = ', hex(Qy))
    if r <= 0 or r >= q or s <= 0 or s >= q:
        print('[-] Invalid signature! r <= 0 || r >= q || s <= 0 || s >= q ! ')

    with open(src_file, mode='rb') as file:
        data = file.read()
# Second step
    # Used sha256, but standard use stribog
    dgst = sha256(data).digest()
# Third step
    alfa = int.from_bytes(dgst, byteorder='big')
    e = alfa % q
    print('[+] e = ', hex(e))
    if e == 0:
        e = 1
# Fourth step
    v = invert(e, q)
# Fifth step
    z1 = s * v % q z2 = -r * v % q
# Sixth step
    c1 = multiply(Point(Px, Py), z1, a, p)
    c2 = multiply(Point(Qx, Qy), z2, a, p)

    C = add(c1, c2, a, p) R = C.x % q

# Seventh step
    if R == r:
        print('[+] Signature is valid!')
    else:
        print('[-] Invalid signature!')
def invert_poly(f_poly, R_poly, p):
    inv_poly = None
    if is_prime(p):
        log.debug("Inverting as p={} is prime".format(p))
        inv_poly = invert(f_poly, R_poly, domain=GF(p))
    elif is_2_power(p):
        log.debug("Inverting as p={} is 2 power".format(p))
        inv_poly = invert(f_poly, R_poly, domain=GF(2))
        e = int(math.log(p, 2))
        for i in range(1, e):
            log.debug("Inversion({}): {}".format(i, inv_poly))
            inv_poly = ((2 * inv_poly - f_poly * inv_poly**2) %
                        R_poly).trunc(p)
    else:
        raise Exception("Cannot invert polynomial in Z_{}".format(p))
    log.debug("Inversion: {}".format(inv_poly))
    return inv_poly
def get_H(m_val, t_val, k_vec, g_vec): 
    support = []
    g_a = []
    k_poly = sympy.Poly(k_vec, alpha, domain='FF(2)')
    # Store the support of the code into a list
    for i in range(pow(2, m_val)):
        if i == 0:
            # Calculate g(0)
            a_poly = sympy.reduced(sympy.Poly(sympy.Poly(g_vec, x, 
            domain='FF(2)').eval(0), alpha, domain='FF(2)').args[0], 
            [k_poly])[1].set_modulus(2)
        else:
            # Calculate g(a^(i-1))
            a_poly = sympy.reduced(sympy.Poly(g_vec, alpha**(i-1), 
            domain='FF(2)').args[0], [k_poly])[1].set_modulus(2)
        if not a_poly.is_zero:
            # Only store if it is not zero
            if i == 0:
                support.append(sympy.reduced(0, [k_poly])[1].set_modulus(2))    
            else:
                support.append(sympy.reduced(alpha**(i-1),
                			   [k_poly])[1].set_modulus(2))
            g_a.append(a_poly)
    if args.vv: print('\nSupport:\n', support, '\n\ng(a_n):\n', g_a)
    col = []
    # Store the inverses of g(a)
    for element in g_a:
        inverse = sympy.invert(element, k_poly)
        col.append(inverse)
    if args.vv: print('\nInverses:\n', col)
    # Form the Parity check matrix
    poly_H = []
    for i in range(t_val):
        poly_H_row = []
        for j in range(len(support)):
            top = sympy.Poly.pow(support[j], i)
            product =  sympy.reduced(sympy.Poly.mul(top, col[j]),
            						 [k_poly])[1].set_modulus(2)
            poly_H_row.append(product)
        poly_H.append(poly_H_row)
    bin_H = sympy.zeros(t_val * m_val, len(support))
    # Turn the parity check matrix into a binary matrix
    for i in range(t_val):
        for j in range(len(support)):
            current_poly = poly_H[i][j].all_coeffs()
            current_len = len(current_poly)
            for k in range(current_len):
                try:
                    bin_H[(i*(m_val))+k,j] = current_poly[current_len-k-1]
                except:
                    sympy.pprint(bin_H)
                    print('i =', i, ', j =', j, ', k =', k)
                    exit()
    bin_H, pivot = bin_H.rref(iszerofunc=lambda x: x % 2==0)
    bin_H = bin_H.applyfunc(lambda x: mod(x,2))
    bin_H = fixup_H(bin_H, pivot)
    return(bin_H)
Beispiel #12
0
    def _gen_params(self, dimension, fixed_e):
        if fixed_e is not None:
            if (fixed_e % 2) == 0:
                print("Error: e is even number")
                fixed_e = None
            if fixed_e < 3:
                fixed_e = None

        difference = 2**(dimension // 2 - 2)

        while True:
            p = q = 0

            # Based on Pollard's p − 1 algorithm generate strong primes
            # https://en.wikipedia.org/wiki/Pollard%27s_p_%E2%88%92_1_algorithm
            # (p - 1 = prime * 2) => (p = prime * 2 + 1)
            while sympy.isprime(p) is False:
                p_1 = sympy.nextprime(
                    random.getrandbits(dimension // 2 + 1)) * 2
                p = p_1 + 1
            while sympy.isprime(q) is False:
                q_1 = sympy.nextprime(random.getrandbits(dimension // 2)) * 2
                q = q_1 + 1

            # Anti Fermat's factorization method
            # https://en.wikipedia.org/wiki/Fermat%27s_factorization_method
            if abs(p - q) > difference:
                n = p * q
                if lib.bitcount(n) == dimension:
                    phi = (p - 1) * (q - 1)
                    while True:
                        if fixed_e is None:
                            e = random.randint(3, phi - 1)
                        else:
                            e = fixed_e

                        if sympy.gcd(e, phi) == 1:
                            d = sympy.invert(e, phi)

                            # Anti Wiener's attack
                            # https://en.wikipedia.org/wiki/Wiener%27s_attack
                            if d > 1 / 3 * sympy.root(n, 4):
                                break
                    break

        self.p = p
        self.q = q
        self.n = n
        self.e = e
        self.d = int(d)

        return e, d, n
    def init_second_screen(self):
        self.remove_widget(self.first_screen)
        p = self.p_choice
        q = self.q_choice
        n = p * q
        phi = (p - 1) * (q - 1)
        e = sy.nextprime(int(n / 2))
        d = sy.invert(e, phi)

        self.key_pub.text = "Public key: (" + str(e) + ", " + str(n) + ")"
        self.key_pri.text = "Private key: (" + str(d) + ", " + str(n) + ")"

        self.add_widget(self.second_screen)
Beispiel #14
0
def sum(x_P, y_P, x_Q, y_Q):
    if (x_P == 0):
        return x_Q, y_Q
    if (x_Q == 0):
        return x_P, y_P

    if (x_P == x_Q and y_P == y_Q):

        m = ((3 * x_P * x_P + a) * invert(2 * y_P, p)) % p
        x_R = (m**2 - x_P - x_Q) % p
        x_R = int(x_R)
        y_R = (m * (x_P - x_R) - y_P) % p

        return x_R, y_R

    m = ((y_P - y_Q) * invert(x_P - x_Q, p)) % p
    x_R = (m**2 - x_P - x_Q) % p
    x_R = int(x_R)
    y_R = (m * (x_P - x_R) - y_P) % p

    return x_R, y_R

    return None
Beispiel #15
0
def decrypt(c):

    alphabet = "abcdefghijklmnopqrstuvwxyz"
    m = 3
    p = ""
    m_inverse = int(sympy.invert(m, 26))
    print m_inverse
    for i in c:
        if i in alphabet:
            index = alphabet.find(i)
            decrypted_char = alphabet[pow(m_inverse * index, 1, 26)]
            p += decrypted_char
        else:
            p += i
    return p
Beispiel #16
0
 def apply(self, a, b, m, evaluation):
     'PowerMod[a_Integer, b_Integer, m_Integer]'
     
     a_int = a
     m_int = m
     a, b, m = a.value, b.value, m.value
     if m == 0:
         evaluation.message('PowerMod', 'divz', m)
         return
     if b < 0:
         b = -b
         if a == 0:
             evaluation.message('PowerMod', 'ninv', a_int, m_int)
             return
         a = sympy.invert(a, m)
     return Integer(sympy.Mod(a ** b, m))
    def inverse(self, matrix):
        """
        compute inverse of a given matrix with mod(26)
        i.e => return inverse(matrix) mod(26)

        """
        determinant = int(np.linalg.det(matrix))

        determinant_inv = int(sympy.invert(determinant, 26))

        matrix_adjascent = np.linalg.inv(matrix) * determinant

        matrix_inv = determinant_inv * matrix_adjascent % 26

        matrix_inv = matrix_inv.astype(int)

        return matrix_inv
Beispiel #18
0
    def apply(self, a, b, m, evaluation):
        "PowerMod[a_Integer, b_Integer, m_Integer]"

        a_int = a
        m_int = m
        a, b, m = a.value, b.value, m.value
        if m == 0:
            evaluation.message("PowerMod", "divz", m)
            return
        if b < 0:
            b = -b
            try:
                a = int(sympy.invert(a, m))
            except sympy.polys.polyerrors.NotInvertible:
                evaluation.message("PowerMod", "ninv", a_int, m_int)
                return
        return Integer(pow(a, b, m))
Beispiel #19
0
    def apply(self, a, b, m, evaluation):
        'PowerMod[a_Integer, b_Integer, m_Integer]'

        a_int = a
        m_int = m
        a, b, m = a.value, b.value, m.value
        if m == 0:
            evaluation.message('PowerMod', 'divz', m)
            return
        if b < 0:
            b = -b
            try:
                a = int(sympy.invert(a, m))
            except sympy.polys.polyerrors.NotInvertible:
                evaluation.message('PowerMod', 'ninv', a_int, m_int)
                return
        return Integer(pow(a, b, m))
Beispiel #20
0
    conn.sendline(str(n))
    conn.recvuntil("f_a(n + 0) = ")
    f0 = int(conn.recvuntil("\n").strip(b"\n").decode())
    conn.recvuntil("f_a(n + 1) = ")
    f1 = int(conn.recvuntil("\n").strip(b"\n").decode())
    conn.recvuntil("f_a(n + 4) = ")
    f4 = int(conn.recvuntil("\n").strip(b"\n").decode())
    return f0, f1, f4


if __name__ == '__main__':
    proof()

    # n = (1 << 128) - 3
    # conn.recvuntil("for n = ")
    # n = int(conn.recvuntil(",").strip(b",").decode())
    conn.recvuntil("= (")
    p = int(conn.recvuntil(",").strip(b",").strip(b"0x").decode(), 16)

    # binary = bin(n)[2:].zfill(128)
    # p1 = new(int(binary[:32], 2) * 2 ** 96)
    # p2 = new(int(binary[32:], 2))
    p0, p1, _ = new((1 << 128) - 6)
    _, _, p4 = new(int("10" * 64, 2) - 4)
    # new(n - 5)
    conn.recvuntil("[Q]uit")
    conn.sendline("G")
    conn.recvuntil(": ")
    conn.sendline(str(p4 * p1 * int(invert(p0, p)) % p))

    conn.interactive()
Beispiel #21
0
a = 1
b = -(2**1024 + 31336)
c = n
d = int(root(b ** 2 - 4 * a * c, 2))
p = (-b + d) // (2 * a)
q = n // p

assert isPrime(p) and isPrime(q)
assert p * q == n

'''
for ei in range(4096):
	try:
		g = gcd(2 ** ei - 1, (p-1) * (q-1))
		d = int(invert((2 ** ei - 1) // g, (p-1) * (q-1)))
		flag = long_to_bytes(pow(pow(ct, d, n), 1 / g))
		if b"CCTF" in flag:
			print(ei)
			print(flag)
			break
	except:
		print(ei)
'''

ei = 3729
g = gcd(2 ** ei - 1, (p-1) * (q-1))
d = int(invert((2 ** ei - 1) // g, (p-1) * (q-1)))
flag = long_to_bytes(int(root(pow(ct, d, n), g)))
print(flag.decode())
Beispiel #22
0
==> fermat(n1)
'''

def fermat(n):
	a = gmpy2.isqrt(n) + 1
	b = a ** 2 - n
	while not gmpy2.iroot(b, 2)[1]:
		a += 1
		b = a ** 2 - n
	b = gmpy2.iroot(b, 2)[0]
	return (a + b, a - b)

r1, r2 = fermat(n1)
phi1 = (r1-1) * (r2-1)
d1 = int(invert(e, phi1))
m1 = pow(enc1, d1, n1)
flag1 = long_to_bytes(m1)

k1, k2 = r1 - 1, r2 - 1
p1 = (r1 ** 5 - 1) // k1
p2 = (r2 ** 5 - 1) // k2

# print(n2 % p1)
# print(n2 % p2) # <-- bingo

p, q = p2, n2 // p2
phi2 = (p-1) * (q-1)
d2 = int(invert(e, phi2))
m2 = pow(enc2, d2, n2)
flag2 = long_to_bytes(m2)
Beispiel #23
0
G = E([Gx, Gy])
#r = random.randint(1,n)
r = _sage_const_32903829104380230318795649424761085390545183133709242454697246715961201857515
print("Clau privada (r) = " + str(r))
public_key = r * G
print("Clau publica (r*G) = " + str(public_key))

# b)

# Firmar amb la nostra:
m1 = b"Cryptography is easy"
m2 = b"Fake news!"
hash_m1 = hashlib.sha256(m1).hexdigest()
hash_m2 = hashlib.sha256(m2).hexdigest()
k = _sage_const_2019
kinv = sympy.invert(k, n)
punt = k * public_key
kinv = sympy.invert(k, n)
f1_m1 = int(punt[_sage_const_0]) % n
f2_m1 = kinv * (int(hash_m1, _sage_const_16) + f1_m1 * r) % n
f1_m2 = int(punt[_sage_const_0]) % n
f2_m2 = kinv * (int(hash_m2, _sage_const_16) + f1_m2 * r) % n

print("sha256 m1 = " + hash_m1)
print("firma m1 = " + str(f1_m1) + ", " + str(f2_m1))
print("sha256 m2 = " + hash_m2)
print("firma m2 = " + str(f1_m2) + ", " + str(f2_m2))

# Descobrir la clau privada d'un company

Qx, Qy = (
Beispiel #24
0
import sympy

from pwn import *

r = remote('csie.ctf.tw', 10119)

n = 29483112906907846550407371381907804051925957834404110624325531950200215274674279351500117069061279396866776918114198748748643519779529947303729199772247349
e = 65537
c = "0x1c9d992fd1c6c9f26b24fb127e3e1ac343eadb0dad36c27747111ad07238bf9bc76d16737f8f7fc6752df563027fc6614a8c803de38bbe6aefca0e7f3ec739ba4"
c = int(c, 16)

inverse_of_2 = int(sympy.invert(2, n))

c_prime = pow(pow(2, e, n) * c, 1, n)

r.send(str(c_prime) + '\n')

c_prime_power_d = int(pow(int(r.recvline()[:-1]), 1, n))

m = int(pow(c_prime_power_d * inverse_of_2, 1, n))

stripped_message = str(hex(m))[2:].decode('hex')

print stripped_message
Beispiel #25
0
    # encrypted = a ** e % n = r
    # encrypted_2 = (a ** e) ** 2 % n = r ** 2 % n
    # Let m = k_1 * n + r
    # encrypted ** 2 - encrypted_2 = (r ** 2) - (r ** 2 % n)
    # Let r ** 2 = k_2 * n + r' (k_2 >= 0)
    # encrypted ** 2 - encrypted_2 = (k_2 * n + r') - r' = k_2 * n
    # ==> gcd(n, encrypted ** 2 - encrypted_2) = 0 or n
    encrypted_2 = oracle_enc(a**2)
    n = sympy.gcd(n, encrypted_2 - encrypted**2)
    encrypted, a = encrypted_2, a**2

print("n = {}".format(str(n)))

plaintext = oracle_dec(ENC)
encrypted_8 = oracle_enc(2**8)
inverse = sympy.invert(n % 2**8, 2**8)

# ENC = flag ** e % n
# encrypted_8 = 2 ** 8 ** e % n
# t_cipher = encrypted_8 ** t % n = 2 ** (8 * t) ** e % n
# ENC * t_cipher % n = (flag * 2 ** (8 * t)) ** e % n
# ==> decrypt(ENC * t_cipher % n)

k = 0
t = 1
t_cipher = 1
for _ in xrange(128):
    t = t * 2**8  # record digest
    k = k * 2**8  # record flag
    t_cipher = t_cipher * encrypted_8 % n
    res = oracle_dec(int(ENC * t_cipher % n))
Beispiel #26
0



with open("raw/client_hello_random.bin","rb") as f:
	m = f.read()
with open("raw/server_hello_random.bin","rb") as f:
	m += f.read()
with open("raw/server_key_exchange_curve_type.bin","rb") as f:
	m += f.read()
with open("raw/server_key_exchange_named_curve.bin","rb") as f:
	m += f.read()
with open("raw/server_key_exchange_pubkey_length.bin","rb") as f:
	m += f.read()
with open("raw/server_key_exchange_pubkey.bin","rb") as f:
	m += f.read()


hashed = hashlib.sha512(m).hexdigest()
hashed = hashed[:_sage_const_64 ]
hashed = int(hashed,_sage_const_16 )
inv2 = sympy.invert(f2,n)
w1 = int((hashed*inv2)%n)
w2 = int((f1*inv2)%n)
P = E([Gx,Gy])
Q = E([Px,Py])
P_ = w1*P + w2*Q
print("e) Verificar la firma:")
print(f1 == int(P_[_sage_const_0 ])%n)

Beispiel #27
0
    t *= 2

n8 = 2**8 - res
print("{} -> {}".format(Hex(res), Hex(n8)))
assert n8 & 1

# 1. recover full n
# by finding k = floor(2 ** 2048 / n) byte-by-byte

# let  t = n * k + r,  r < n
# then n = floor(t / k) - floor(r / k)
# if   k > r (i.e. is large enough) then n = floor(t / k)

k = 0
t //= 2  # t < n
inverse = sympy.invert(n8, 2**8)
while t < 2**2048:
    t = t * 2**8
    k = k * 2**8
    res = oracle_dec(oracle_enc(t))
    k += (t - k * n8 - res) * inverse % 2**8

n = t // k  # floor
n2 = n**2
print("n = {}".format(str(n)))


# 2. decrypt flag
# by using homomorphic operations
def ctadd(c1, c2):
    return (c1 * c2) % n2
def get_pref_state(state):
	a_m = invert(25214903917, 2**48)
	return (int(a_m) * (int(state) - 11)) & 281474976710655
Beispiel #29
0
def inv(x, m):
    return sympy.invert(x, m)
Beispiel #30
0
from Crypto.Util.number import long_to_bytes
from sympy import invert


def egcd(a, b):  #Extended Euclidean Algorithm
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)


n = 56891607317613445737750783421867972775249572399868790441120633009929442237956426430872259524747190957003843589191818005172449569095010326902570697779311445080658255239480648637639774011002922525938326812054289272761548189515649720401657615661945821118048442804640057370308200873641231270154569615397630035523
e1 = 15
e2 = 13
c1 = 56469309419621722745072264207838652962328435946767997622044814783708364014641727623574445134141501637979157915357991990349560025038641029733835390776874211827838349081746055988558104358822972488360758486671776227087938906728676579783033437913622465886682124098078049146249446462955542454130870990925587760172
c2 = 32329112615946008400629911894435459433005895247408214608443373037890224605212549196731172020927876324933946521979508705874232456594545880155126627698928055303619040189497194414548410456513691315796957680520443150673697523600966755935741384614826849213578224143275544065415119993769274896134376873260076292691

gcd, x, y = egcd(e1, e2)
assert gcd == 1
assert invert(pow(c2, y, n), n)

m = (pow(c1, x, n) * pow(c2, y, n)) % n
print(long_to_bytes(m))
Beispiel #31
0
def invert_polynomial(f_polynomial, N, p):
    modulus_polynomial = MOD
    return invert(f_polynomial, modulus_polynomial, domain=GF(p))