def main():
groups = get_groups_nec("problem.txt")
for x in groups:
for y in groups:
if x == y:
continue
n1, e1, c1 = x
n2, e2, c2 = y
# 涉及扩展欧几里德算法
# 这里的算法得好好学习下, 怎么求出 a 和 b 的
# a * e1 + b * e2 = 1
if gmpy2.gcd(e1, e2) == 1:
a = gmpy2.invert(e1, e2)
b = int((gmpy2.gcd(e1, e2) - a * e1) / e2)
assert (a * e1 + b * e2) == 1
assert b < 0
c2i = gmpy2.invert(c2, n1)
c1a = gmpy2.powmod(c1, a, n1)
c2b = gmpy2.powmod(c2i, -b, n1)
m = c1a * c2b % n1
print(binascii.unhexlify(hex(m)[2:]))
def pythag_triple_tree(triple=(3, 4, 5), forward=True, trust=False):
"""
Primitive Pythagorean Triple (PPT) (a, b, c) is integer triple satisfying
a**2 + b**2 = c**2
gcd(a, b) = gcd(b, c) = gcd(a, c) = 1
Given a PPT, it can generate three more PPTs. And if recursively applying this branching function from (3, 4, 5), all PPTs in form (odd, even, odd) can be generated in a trinary tree, which covers the entire set of PPTs completely and uniquely.
When forward is True, return all three children of current PPT.
When forward is False, return its parent in the PPT tree.
"""
a, b, c = triple
if not trust:
if a**2 + b**2 != c**2:
raise ValueError("Invalid Primitive Pythagorean Triple")
if gcd(a, b) * gcd(a, c) * gcd(b, c) != 1:
raise ValueError("Invalid Primitive Pythagorean Triple")
if forward:
return ((a-2*b+2*c, 2*a-b+2*c, 2*a-2*b+3*c),
(a+2*b+2*c, 2*a+b+2*c, 2*a+2*b+3*c),
(-a+2*b+2*c, -2*a+b+2*c, -2*a+2*b+3*c))
else:
if triple == (3, 4, 5):
return triple
else:
return (abs(-a-2*b+2*c), abs(-2*a-b+2*c), -2*a-2*b+3*c)
def generate_public_key(bits_length=512, e=3):
# 注意验证p和q的合法性, 要求与3互质
while True:
p = getPrime(bits_length)
q = getPrime(bits_length)
if gmpy2.gcd(p, e) == 1 and gmpy2.gcd(q, e) == 1:
return gmpy2.mpz(p) * gmpy2.mpz(q), e
def get_e_um_result(self, e):
"""
网上给的一个公式, 好像可以直接计算出来
[1 + gcd(e - 1, p - 1)] * [1 + gcd(e-1, q-1)]
:param e: 11
:return: 9
"""
return (1 + gmpy2.gcd(e - 1, self.p - 1)) * (1 + gmpy2.gcd(e - 1, self.q - 1))
def crt(eqn1, eqn2):
x1, m1 = eqn1
x2, m2 = eqn2
d = int(gmpy2.gcd(m1, m2))
x = x1 + (m1 // d) * (x2 - x1) * int(gmpy2.invert(m1 // d, m2 // d))
m = int(gmpy2.lcm(m1, m2))
return x % m, m
def could_be_prime(n):
'''Performs some trials to compute whether n could be prime. Run time is O(N^3 / (log N)^2) for N bits.
Returns whether it is possible for n to be prime (True or False).
'''
if n < 2:
return False
if n == 2:
return True
if not int(n) & 1:
return False
product = ONE
log_n = int(math.log(n)) + 1
bound = int(math.log(n) / (LOG_2 * math.log(math.log(n))**2)) + 1
if bound * log_n >= n:
bound = 1
log_n = int(sqrt(n))
prime_bound = 0
prime = 3
for _ in range(bound):
p = []
prime_bound += log_n
while prime <= prime_bound:
p.append(prime)
prime = next_prime(prime)
if p != []:
p = prod(p)
product = (product * p) % n
return gcd(n, product) == 1
def create_rsa_keys(bits_length=512, e=65537):
"""
产生有关 RSA 的一切参数, 包括 p, q, n ,phi_n, d, e
本来想用 pycrypto 库的 RSA 来生成的, 但是这个库至少要求 1024bits, 还是自己手搓吧
:param bits_length: p 和 q 的位长度限制
:param e: 指定的 e
:return: dict(), RSA 的一切参数作为字典返回
"""
rsa = dict()
while True:
p = gmpy2.mpz(getPrime(bits_length))
q = gmpy2.mpz(getPrime(bits_length))
n = p * q
phi_n = (p - 1) * (q - 1)
if gmpy2.gcd(e, phi_n) == 1:
break
rsa["p"] = p
rsa["q"] = q
rsa["n"] = n
rsa["phi"] = phi_n
rsa["d"] = gmpy2.invert(e, rsa["phi"])
rsa["e"] = e
return rsa
def factor_prime(prime):
# p - 1 is 37-smooth
base = 2
k_sm = 37
# pow(base,k_sm!) mod prime
a = gmpy2.powmod(base, gmpy2.fac(k_sm), prime)
# gcd(r_k - 1, prime)
p = gmpy2.gcd(a-1, prime)
# get second factor of prime
q = (prime / p)
# make sure factors (pq) are prime
if (gmpy2.is_prime(p) and gmpy2.is_prime(q)):
print "p = ", p
print "q = ", q
# make sure n = p*q = prime number
n = gmpy2.mul(p,q)
if (n == prime):
print "n = ", gmpy2.mul(p,q)
return
def __generate_e(self):
"""
生成器, 负责产生合理的 e 值以供选择
:return: generator
"""
for e in range(3, self.et):
if gmpy2.gcd(e, self.et) == 1:
yield e
def get_resilience(n):
rescount = 0
for i in xrange(1, n):
if gmpy2.gcd(i, n) == 1:
rescount = rescount + 1
res = 1.0 * rescount / (n - 1)
return res
def generate_e(self):
"""
产生 e 的生成器
:return: e, e 满足 1 < e < φ(q,p), 且 gcd(e,φ)=1
"""
for e in range(2, self.phi):
if gmpy2.gcd(e, self.phi) == 1:
yield e
def create_rsa_keys(bits_length=512, e=65537):
# 本来想用pycrypto库的RSA来生成的, 但是这个库至少要求1024bits, 还是自己手搓吧
rsa = dict()
while True:
p = getPrime(bits_length)
q = getPrime(bits_length)
if gmpy2.gcd(p, e) == 1 and gmpy2.gcd(q, e) == 1:
break
rsa["p"] = p
rsa["q"] = q
rsa["n"] = p * q
rsa["phi"] = (p - 1) * (q - 1)
rsa["d"] = gmpy2.invert(e, rsa["phi"])
rsa["e"] = e
return rsa
def encrypt(pk, m):
assert m < pk[0]
while True:
r = random.randint(1, pk[0])
if gmpy2.gcd(r, pk[0]) == 1:
break
c1 = pow(pk[1], m, pk[0]**2)
c2 = pow(r, pk[0], pk[0]**2)
return (c1*c2) % pk[0]**2
def ggcd(seq):
"""
return the greatest common divisor (gcd) for n integers,
where n can larger than 2
"""
if len(seq) < 2:
raise ValueError("There should be at least 2 integers!")
elif len(seq) == 2:
return gcd(seq[0], seq[1])
else:
g = gcd(seq[-2], seq[-1])
if g == 1:
return g
for n in seq[:-2]:
g = gcd(g, n)
if g == 1:
return 1
return g
def chinese_remainder_theorem(eqn):
'''
eqn = [ (y_0, n_0), ... ] where
x = y_i mod n_i
'''
x = 0
m = 1
for y, n in eqn:
d = gmpy2.gcd(m, n)
x += (m // d) * (y - x) * gmpy2.invert(m // d, n // d)
m = gmpy2.lcm(m, n)
return x % m
def makeKey(n): privKey = [random.randint(1, 4**n)] s = privKey[0] for i in range(1, n): privKey.append(random.randint(s + 1, 4**(n + i))) s += privKey[i] q = random.randint(privKey[n-1] + 1, 2*privKey[n-1]) r = random.randint(1, q) while gmpy2.gcd(r, q) != 1: r = random.randint(1, q) pubKey = [ r*w % q for w in privKey ] return privKey, q, r, pubKey
def encrypt(pub, plain):
while True:
r=mpz_urandomb(rand, pub.bits)
if r > 0 and r < pub.n and gcd(r,pub.n)==1:
break
# else:
# print r
# for sufficiently large pub.bits comment the previous while True loop and uncomment the following line
# r=mpz_urandomb(rand, pub.bits)
x = powmod(r, pub.n, pub.n_sq)
cipher = (powmod(pub.g, plain, pub.n_sq) * x) % pub.n_sq
return cipher
def test_wiener(self):
q = gmpy2.mpz(getPrime(512))
p = gmpy2.mpz(getPrime(512))
if q > p :
p , q = q , p
n = p * q
phi = (p - 1) * (q - 1)
d = gmpy2.iroot(n, 5)[0]
while gmpy2.gcd(d, phi) != 1 :
d -= 1
e = gmpy2.invert(d , phi)
self.assertEqual((d, p, q), number.wiener_attack(n, e))
def gen_keys():
rs = gmpy2.random_state(hash(gmpy2.random_state()))
P = gmpy2.mpz_urandomb(rs, mpz('128'))
P = gmpy2.next_prime(P)
Q = gmpy2.mpz_urandomb(rs, mpz('128'))
Q = gmpy2.next_prime(Q)
N = P*Q
Fi = (P-1)*(Q-1)
Pkey = gmpy2.mpz_random(rs, Fi)
while not (gmpy2.gcd(Fi, Pkey) == 1):
Pkey = gmpy2.mpz_random(rs, Fi)
Skey = gmpy2.invert(Pkey, Fi)
assert gmpy2.t_mod(Skey*Pkey,Fi) == 1
return Pkey, Skey, N
def co_prime_tree(pair=(0, 0), trust=False):
"""
All co-prime pairs can be generated from (2, 1) (for (odd, even) and (even, odd) pairs) and (3, 1) (for (odd, odd) pairs).
It follows a trinary tree, from co-prime pair (a, b), we get: (2*a - b, a), (2*a + b, a), (a + 2*b, b)
It can be shown that the co-prime pairs in the tree are disjoint complete.
"""
if pair == (0, 0):
return ((2, 1), (3, 1))
a, b = pair
if not trust:
if gcd(a, b) != 1:
raise ValueError("Invalid co-prime pair!")
return ((2*a - b, a), (2*a + b, a), (a + 2*b, b))
def hing(pairs):
"""Solves a set of simultaneous congurences using
a generalized CRT (Yih-Hing).
For more detail see
"Elementary Number Theory", Gareth A.Jones and J. Mary Jones
When running optimized this call never fails,
but may produce invalid results if no solution exists
Args:
pairs (list): An iterable of pairs(y, P),
where P are the prime factors of z
(see crt function documentation)
Notice that the moduli need not be
pairwise relativly prime!
Returns:
A positive integer with x = y mod product(P)
for every pair (y, P)
"""
# Check for existance of solution
if __debug__:
prods = {product(P): y for y, P in pairs}
assert len(prods) == len(pairs)
for z1, y1 in prods.items():
for z2, y2 in prods.items():
if (y1 - y2) % gcd(z1, z2) != 0:
raise NoSolution
# Find the highest exponent
part = {}
for y, p in pairs:
for f in set(p):
e = p.count(f)
try:
if part[f][0] >= e:
continue
except KeyError:
pass
part[f] = (e, y)
# Produce regular CRT instance
new = []
for f, (e, y) in part.items():
z = pow(f, e)
new.append((y % z, z))
return crt(new)
def test_crt_coprime(self):
v = random.randint(10, 10000000000)
n = random.randint(1, 100)
remainders = []
moduli = []
lcm = 1
for i in range(n):
while True:
mod = random.randint(2, 100000000)
g = gmpy2.gcd(mod, lcm)
if g == 1 : break
remainders.append(v % mod)
moduli.append(mod)
lcm *= mod
res = number.crt(remainders, moduli)
self.assertEqual(res, (v % lcm, lcm))
def matrixSimplify(mat, den):
resultRows = len(mat)
resultCols = len(mat[0])
result = [[mpz(0) for x in xrange(resultCols)] for x in xrange(resultRows)]
gcd = den
for row in xrange(resultRows):
for col in xrange(resultCols):
gcd = gmpy2.gcd(gcd, mat[row][col])
for row in xrange(len(mat)):
for col in xrange(len(mat[0])):
result[row][col] = mat[row][col] / gcd
resultDen = den / gcd
return [result, resultDen]
def generate_public_key(bits_length=512, e=3):
"""
产生关于 RSA 的合法参数, p, q, e
:param bits_length: 所需的 p 和 q 要求的位长度
:param e: 3
:return: n, e
"""
# 注意验证参数的合法性, 要求 phi(N) 与 e 互素
while True:
p = getPrime(bits_length)
q = getPrime(bits_length)
n = gmpy2.mpz(p) * gmpy2.mpz(q)
phi_n = gmpy2.mpz(p - 1) * gmpy2.mpz(q - 1)
if gmpy2.gcd(phi_n, e) == 1:
return n, e
def pollard_rho(n):
"""Pollard's rho method for small prime factor
:param N: RSA public key N.
"""
assert(has_gmpy2)
x, y, d = 2, 2, 1
while d == 1:
x = g(x, n)
y = g(g(y, n), n)
d = gmpy2.gcd(x - y, n)
if d != n:
return d, n // d
# Failed
return None
def gen_keys():
rs = gmpy2.random_state(hash(gmpy2.random_state()))
P = gmpy2.mpz_urandomb(rs, mpz('256'))
P = gmpy2.next_prime(P)
Q = gmpy2.mpz_urandomb(rs, mpz('256'))
Q = gmpy2.next_prime(Q)
N = P*Q
Fi = (P-1)*(Q-1)
Pkey = gmpy2.mpz_random(rs, Fi)
while not (gmpy2.gcd(Fi, Pkey) == 1):
Pkey = gmpy2.mpz_random(rs, Fi)
Skey = gmpy2.invert(Pkey, Fi)
print('Публичный ключ: ')
print(Pkey)
print('Приватный ключ:')
print(Skey)
print('N:')
print(N)
def pollard_rho(n):
"""Pollard's rho method for small prime factor.
:param N: number to factorize.
"""
def g(x, n):
return (x**2 + 1) % n
x, y, d = 2, 2, 1
while d == 1:
x = g(x, n)
y = g(g(y, n), n)
d = gmpy2.gcd(x - y, n)
if d != n:
return d, n // d
# Failed
return None
def parallel_invert(l, n):
'''Inverts all elements of a list modulo some number, using 3(n-1) modular multiplications and one inversion.
Returns the list with all elements inverted modulo 3(n-1).'''
l_ = l[:]
for i in xrange(len(l) - 1):
l[i + 1] = (l[i] * l[i + 1]) % n
try:
inv = invert(l[-1], n)
except ZeroDivisionError:
inv = 0
if inv == 0:
return gcd(l[-1], n)
for i in xrange(len(l) - 1, 0, -1):
l[i] = (inv * l[i - 1]) % n
inv = (inv * l_[i]) % n
l[0] = inv
return l
def p_sub_1_attack(n, e):
DIFFICULTY1, TRIAL_NUM = 20, 100
A = 1 << DIFFICULTY1
PrimesTable = Generate_PrimeTable_Sieve(A)
r = []
for prime in PrimesTable:
a = math.floor(math.log(A, prime))
r.append(prime**a)
p, q = 0, 0
for _ in range(TRIAL_NUM):
base = PrimesTable[random.randint(0, len(PrimesTable) - 1)]
x = base
for pa in r:
x = pow(x, pa, n)
if x != 1:
p = gmpy2.gcd(x - 1, n) # p = gcd(x-1,n)
q = n // p # q = n / p
break
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
return p, q, d
def pollardRho(n):
n = mpz(n)
i = mpz(1)
x = randint(0, (n-1))
y = x
k = mpz(2)
while True:
i = i +1
x = pow(x,2,n) -1 % n
if(x < 0):
x = n -1
d = gcd((y-x),n)
if(d != 1 and d != n):
print "The factor is: "
print d
print "And "
print n/d
return True
if i == k:
y = x
k = 2*k
def rsaEncode(msg):
f=open("out","a")
while True:
ran=random.randint(3, 12)
if isPrime(ran):
break
e=ran*getPrime(30)
p = getPrime(1024)
q = getPrime(1024)
while (not gmpy2.gcd((p-1)*(q-1),e)==ran or p*q<pow(msg,ran)):
p = getPrime(1024)
q = getPrime(1024)
n=p*q
assert(pow(msg,ran)<n)
print("rsaEncode_init_finish!")
dsaEncode(p)
f.write("rsaEncode n:"+hex(n)+"\n")
f.write("rsaEncode e:"+hex(e)+"\n")
c=pow(msg,e,n)
f.write("rsaEncode flag is:"+hex(c)+"\n")
f.close()
def computeRight(x,y, MAX):
# find how many. how many points on line O-P are ints?
# then project them from P to Q until reaching MAX x
#(2,3) -> each 3 righ -> (2+3,3-2), (2+2*3,3-2*2)
#(4,6) -> [gcd] (2,3) -> each 3 right
#(2,2) -> gcd - 1,1 -> each 1 right/down -> (1+1, 1-1), inv(1+2*1, 1-2*1), ..
#(3,2) -> each 3 down - inv(3+2,2-3), inv(3+2*2, 2-2*3)
#(6,4) -> gcd (3,2)each 3 down - (6+2,4-3), inv(6+2*2,4-2*3),
# direction to go on second side
dx = y
dy = x
gcd = int(gmpy2.gcd(x,y))
if gcd > 1:
dx = dx // gcd
dy = dy // gcd
sx = (MAX - x) // dx
sy = y // dy
return min(sx, sy)
def attack(self, publickey, cipher=[], progress=True):
"""Run tests against fermat composites"""
with timeout(self.timeout):
try:
limit = 10000
p = q = None
for x in tqdm(range(1, limit), disable=(not progress)):
f = (2 ** 2 ** x) + 1
fermat = gcd(f, publickey.n)
if 1 < fermat < publickey.n:
p = publickey.n // fermat
q = fermat
break
if p is not None and q is not None:
priv_key = PrivateKey(
int(p), int(q), int(publickey.e), int(publickey.n)
)
return (priv_key, None)
return (None, None)
except TimeoutError:
return (None, None)
def attack(e, n):
# Take a shitty message
m = 7
# m = hex(m)[2:]
r.sendline(hex(m)[2:])
data = r.recv().decode().strip().split('\n\n')
c = data[0].split(': ')[1]
# print(data)
# print(c)
c = int(c, 16)
p = gmpy2.gcd(pow(c, e, n) - m, n)
# print(p)
q = n // p
if q != 1: # q == 1 means secure encryption no attack possible
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
return d
else:
return 0
def parallel_invert(l, n):
"""Inverts all elements of a list modulo some number, using 3(n-1) modular multiplications and one inversion.
Returns the list with all elements inverted modulo 3(n-1)."""
l_ = l[:]
for i in xrange(len(l) - 1):
l[i + 1] = (l[i] * l[i + 1]) % n
try:
inv = invert(l[-1], n)
except ZeroDivisionError:
inv = 0
if inv == 0:
return gcd(l[-1], n)
for i in xrange(len(l) - 1, 0, -1):
l[i] = (inv * l[i - 1]) % n
inv = (inv * l_[i]) % n
l[0] = inv
return l
def generate(self, bits, k=999):
"""
Return public and private key of RSA
:param bits: minimum number of bits for p and q
:param k: number of checks in miller_rabin algorithm
"""
p = q = 0
while True:
p = rand_n_bits_number(bits)
if is_prime_miller_rabin(p, k):
break
# every 24 bits, about 7 digits difference - rand between 14 and 42 digits difference
pq_bits_difference = random.randint(48, 144)
while True:
q = rand_n_bits_number(bits + pq_bits_difference)
if is_prime_miller_rabin(q, k):
break
n = gmpy2.mpz(p) * gmpy2.mpz(q)
phi_n = gmpy2.mpz(p - 1) * gmpy2.mpz(q - 1)
e = 0
temp = rand_n_bits_number(16, even=True)
while True:
if gmpy2.gcd(temp, phi_n) == 1:
e = gmpy2.mpz(temp)
break
temp += 1
assert e < phi_n
# ext = multiplicative_inverse(e, phi_n)
ext = gmpy2.gcdext(e, phi_n)
if ext[0] == 1:
d = phi_n + ext[1]
assert (d * e % phi_n == 1)
self.private_key = (d, n)
self.public_key = (e, n)
return self.public_key, self.private_key
def find(self):
i = 0
while not self.kill.is_set():
n, p, q = self.find_good_pair()
t = n - (p + q - 1)
e = EMIN
while e < EMAX:
if self.kill.is_set():
self.trials.put(i)
return
i += 1
o = make_onion(n, e)
if self.matches_regex(o.decode('utf-8')) and gmpy2.gcd(e,
t) == 1:
d = gmpy2.invert(e, t)
p = private_key(n, e, d, p, q)
self.results.put(o + p)
self.trials.put(i)
if self.one:
self.kill.set()
e += 2
def william_p1(n, process_id):
# this algorithm technically works but literally none of the modulos were p+1 so idk
# choose a B (work limit) to start with
if gmpy2.bit_length(gmpy2.mpz(n)) <= 2044:
work_limit = pow(n, (1 / 6))
else:
work_limit = gmpy2.div(n, 27)
threshold = 3
previous_sub2 = 2
# A needs to be greater than 2 to start with so we therefore start with 3
A = process_id + 3
previous = A
counter = 0
# if the counter ever reaches m, terminate
while counter != threshold:
counter += 1
# current = (a^(current-1) - current-2) % n)
current = (((A**previous) - previous_sub2) % n)
# move the previous variables forward
previous_sub2 = previous
previous = current
d = gmpy2.gcd(current - 2, n)
if d != 1 and d != n:
# calculate the factorial of m
mult = gmpy2.fac(threshold)
if DEBUG:
print(d, mult)
# check to see if we've found the terminating conditions for p + 1
if gmpy2.f_mod(mult, d):
return d
else:
# increment threshold by 1 if we haven't found anything
threshold += 1
if threshold > work_limit:
return 1
return 1
def pollard_p1(n, process_id):
# choose a B (work limit) to start with
if gmpy2.bit_length(gmpy2.mpz(n)) <= 2044:
work_limit = pow(n, (1 / 6))
else:
work_limit = gmpy2.div(n, 27)
a = 2
# break up how many things we have to check so we can split over cores
process_range = (math.floor(work_limit) // PROCESS_COUNT)
start = process_range * process_id
end = process_range * (process_id + 1) - 1
# assign default values here so we are an excellent, coding standard following coder
q1, q2, q3 = 0, 0, 0
if DEBUG:
# lock processes so we can print cleanly (thanks 421)
processLock.acquire()
print("CORE", process_id, "checking p1 from", start, "to", end)
processLock.release()
# calculate the quarter ranges
q1 = ((process_range // 4) * 1) + start
q2 = ((process_range // 4) * 2) + start
q3 = ((process_range // 4) * 3) + start
for i in range(start, end):
# print informative debug statements
if DEBUG:
if i == q1:
print("CORE", process_id, "p1 25%")
elif i == q2:
print("CORE", process_id, "p1 50%")
elif i == q3:
print("CORE", process_id, "p1 75%")
# check to see if we've found the terminating conditions for p - 1
a = gmpy2.powmod(a, i, n)
d = gmpy2.gcd(a - 1, n)
if d != 1 and d != n:
return d
return 1
def encrypt(m, n, g):
"""
Encrypts a message, given a public key.
Parameters:
m: number to be encrypted
n,g: public keys used for the decryption
Returns:
c: encrypted representation of m
"""
n2 = pow(n, 2)
one = gmpy2.mpz(1)
state = gmpy2.random_state(int_time())
r = gmpy2.mpz_random(state, n)
while gmpy2.gcd(r, n) != one:
state = gmpy2.random_state(int_time())
r = gmpy2.mpz_random(state, n)
x = gmpy2.powmod(r, n, n2)
c = gmpy2.f_mod(gmpy2.mul(gmpy2.powmod(g, m, n2), x), n2)
return c
def rsaEncode2(m):
m=int.from_bytes(m.encode(),'big')
f=open("out","w")
while True:
ran=random.randint(20, 50)
if isPrime(ran):
break
e=ran*getPrime(30)
p = getPrime(1024)
q = gmpy2.next_prime(p)
while (not gmpy2.gcd((p-1)*(q-1),e)==ran or p*q>pow(m,ran)):
p = getPrime(1024)
q = gmpy2.next_prime(p)
n=p*q
assert(pow(m,ran)>n)
c=pow(m,e,n)
f.write("n2:"+hex(n)+"\n")
f.write("e2:"+hex(e)+"\n")
f.write("rsaEncode2 re is:"+hex(c)+"\n")
f.close()
print("rsaEncode2_finish!")
return pow(m,ran,n)
def solve_bounty(x, challenge_no, challenge, a0, incorrect_root = False, incorrect_hash_to_prime = False, not_prime = False):
p = hash_to_prime(x, incorrect_hash_to_prime)
if not_prime:
multiplicative_group_order = reduce(mul, [x - 1 for x in challenge["factors"]])
while is_prime(p) or gcd(p, multiplicative_group_order) > 1:
p += 2
y = modular_root(challenge["modulus"], challenge["factors"], x, p)
if incorrect_root:
y += 1
else:
assert powmod(y, p, challenge["modulus"]) == x
xbytes = x.to_bytes(((x.bit_length() + 7) // 8) * 1, "big")
ybytes = y.to_bytes(((y.bit_length() + 7) // 8) * 1, "big")
bytes_to_hash = challenge_no.to_bytes(32, "big") + xbytes + \
ybytes + \
p.to_bytes(32, "big") + \
bytes.fromhex(a0[2:]).rjust(32, b"\0")
return y, p, xbytes, ybytes, bytes_to_hash
def genkey():
while 1:
while 1:
p = getPrime(512)
q = getPrime(512)
if len(bin(abs(p - q))[2:]) < 450 or (p + q) & 1 != 0:
continue
phi = (p - 1) * (q - 1)
e = 257
print (gmpy2.gcd(phi, e))
try:
d = int(gmpy2.invert(e, phi))
except:
continue
assert (d * e) % phi == 1
ret = (d*e - 1) // phi
break
print ('d : ', d)
r = 256
mod = 2 ** r
d0 = d % mod
d0e = d0 * e
print (bin(d0e)[-10:])
if d0e & (1 << 2):
x = RSA.construct((p*q, e, d, p, q))
output = x.exportKey("PEM")
with open('pri.pem', 'w') as f:
f.write(output)
output = x.publickey().exportKey("PEM")
with open('pub.pem', 'w') as f:
f.write(output)
break
return ret
def affine_enc(m, *k):
"""
Do affine cipher encryption.
compute ci ≡ ami + b (mod 26)
:param str m: Plaintext. It consists of lowercase letter and space,comma ....
:param tuple k: Key. k = (a,b). Note that a and 26 must be coprime
:return str c:
"""
a = k[0]
b = k[1]
assert 0 < a < 26
assert 0 <= b < 26
assert gcd(a, 26) == 1
c = ""
for i in range(len(m)):
if m[i].isalpha():
c[i] = chr((a * (ord(m[i]) - 97) + b) % 26 + 97)
else: # if m[i] is a space or sthg
c[i] = m[i]
return m
def affine_dec(c, *k):
"""
ci ≡ ami + b (mod 26) =>
mi ≡ a^(-1) * (ci-b) (mod 26)
:param str c: Ciphertext.
:param tuple k: Same as above
:return str m:
"""
a = k[0]
b = k[1]
assert 0 < a < 26
assert 0 <= b < 26
assert gcd(a, 26) == 1
m = ""
for i in range(len(c)):
if c[i].isalpha():
m[i] = chr(invert(a) * (ord(c[i]) - 97 - b) % 26 + 97)
else: # if m[i] is a space or sthg
m[i] = c[i]
return m
def pollard_P_1(self, n, progress=True):
"""Pollard P1 implementation"""
z = []
def first_primes(n):
p = 2
tmp = [p]
while p <= n - 1:
p = next_prime(p)
tmp.append(p)
return tmp
prime = first_primes(997)
logn = math.log(int(isqrt(n)))
for j in range(0, len(prime)):
primej = prime[j]
logp = math.log(primej)
for i in range(1, int(logn / logp) + 1):
z.append(primej)
try:
for pp in tqdm(prime, disable=(not progress)):
i = 0
x = pp
while 1:
x = powmod(x, z[i], n)
i = i + 1
y = gcd(n, x - 1)
if y != 1:
p = y
q = n // y
return p, q
if i >= len(z):
return 0, None
except TypeError:
return 0, None
def my_rsa_key_generator(nbits):
pattern_size = 256
prime_size = nbits // 2
pattern = gmpy2.mpz(random.getrandbits(pattern_size))
pattern = pattern.bit_set(pattern_size - 1)
pattern = pattern.bit_set(pattern_size - 2)
p = pattern
while p.bit_length() != prime_size:
p = pattern + (p << pattern_size)
# To make it harder we change MSB and LSB, so one shouldn't assume
# are also patterns.
msb = 8*6
lsb = 8*10
p = p & (2**(prime_size - msb) - 1)
p = random.getrandbits(msb)*(2**(prime_size - msb)) + p
p = p.bit_set(prime_size - 1)
p = p.bit_set(prime_size - 2)
p = p >> lsb
p = p << lsb
p += random.getrandbits(lsb)
p = gmpy2.next_prime(p)
q = gmpy2.mpz(random.getrandbits(prime_size))
q = q.bit_set(prime_size - 1)
q = q.bit_set(prime_size - 2)
q = gmpy2.next_prime(q)
e = 0x10001
n = p*q
lcm = (p-1)*(q-1) // gmpy2.gcd(p-1, q-1)
d = gmpy2.invert(e, lcm)
return list(map(int, [n, e, d, p, q]))
def cal_p(A, B):
x1, y1 = A
x2, y2 = B
return gcd(pow(x1, 2) + pow(y1, 2) - 1, pow(x2, 2) + pow(y2, 2) - 1)
def phi(k):
ret = 0
for e in range(1, k + 1):
if gmpy2.gcd(e, k) == 1:
ret += 1
return ret
def gcd(a, b):
return gmpy2.gcd(a, b)
def big_num():
operator = request.values.get('operator')
result = '1'
try:
if operator == 'FACT' or operator == 'isPrime':
p = gmpy2.mpz(int(request.values.get('p')))
if not p:
resu = {'code': 10001, 'message': '参数不能为空!'}
return json.dumps(resu, ensure_ascii=False)
if operator == 'FACT': #p的阶层
result = gmpy2.fac(p)
elif operator == 'isPrime': #判断p是否是素数
result = gmpy2.is_prime(p)
elif operator == 'MULMN' or operator == 'POWMN':
p = gmpy2.mpz(int(request.values.get('p')))
q = gmpy2.mpz(int(request.values.get('q')))
n = gmpy2.mpz(int(request.values.get('n')))
if not p and not q and not n:
resu = {'code': 10001, 'message': '参数不能为空!'}
return json.dumps(resu, ensure_ascii=False)
if operator == 'POWMN': #计算p**q mod n
result = gmpy2.powmod(p, q, n)
elif operator == 'MULMN': #计算p*q mod n
result = gmpy2.modf(gmpy2.mul(p, q), n)
else:
p = gmpy2.mpz(int(request.values.get('p')))
q = gmpy2.mpz(int(request.values.get('q')))
if not p and not q:
resu = {'code': 10001, 'message': '参数不能为空!'}
return json.dumps(resu, ensure_ascii=False)
if operator == 'ADD': #相加
print('good')
result = gmpy2.add(p, q)
elif operator == 'SUB': #相减
result = gmpy2.sub(p, q)
elif operator == 'MUL': #相乘
result = gmpy2.mul(p, q)
elif operator == 'DIV': #相除
result = gmpy2.div(p, q)
elif operator == 'MOD': #取余
result = gmpy2.f_mod(p, q)
elif operator == 'POW':
result = gmpy2.powmod(p, q)
elif operator == 'GCD': #最大公因数
result = gmpy2.gcd(p, q)
elif operator == 'LCM':
result = gmpy2.lcm(p, q)
elif operator == 'OR': #或
result = p | q
elif operator == 'AND': #与
result = p & q
elif operator == 'XOR': #抑或
result = p ^ q
elif operator == 'SHL': #左移
result = p << q
elif operator == 'SHR': #右移
result = p >> q
resu = {'code': 200, 'result': str(result)}
return json.dumps(resu, ensure_ascii=False)
except:
resu = {'code': 10002, 'message': '异常。'}
return json.dumps(resu, ensure_ascii=False)
jks0_input = ".".join(jwt0.split('.')[0:2])
sha256_0 = SHA256.new(jks0_input.encode('ascii'))
padded0 = PKCS1_v1_5.EMSA_PKCS1_V1_5_ENCODE(sha256_0, len(jwt0_sig_bytes))
jks1_input = ".".join(jwt1.split('.')[0:2])
sha256_1 = SHA256.new(jks1_input.encode('ascii'))
padded1 = PKCS1_v1_5.EMSA_PKCS1_V1_5_ENCODE(sha256_1, len(jwt0_sig_bytes))
m0 = bytes2mpz(padded0)
m1 = bytes2mpz(padded1)
pkcs1 = asn1tools.compile_files('data/pkcs1.asn', codec='der')
x509 = asn1tools.compile_files('data/x509.asn', codec='der')
for e in [mpz(3), mpz(65537)]:
gcd_res = gcd(pow(jwt0_sig, e) - m0, pow(jwt1_sig, e) - m1)
#To speed things up switch comments on prev/next lines!
#gcd_res = mpz(0x143f02c15c5c79368cb9d1a5acac4c66c5724fb7c53c3e048eff82c4b9921426dc717b2692f8b6dd4c7baee23ccf8e853f2ad61f7151e1135b896d3127982667ea7dba03370ef084a5fd9229fc90aeed2b297d48501a6581eab7ec5289e26072d78dd37bedd7ba57b46cf1dd9418cd1ee03671b7ff671906859c5fcda4ff5bc94b490e92f3ba9739f35bd898eb60b0a58581ebdf14b82ea0725f289d1dac982218d6c8ec13548f075d738d935aeaa6260a0c71706ccb8dedef505472ce0543ec83705a7d7e4724432923f6d0d0e58ae2dea15f06b1b35173a2f8680e51eff0fb13431b1f956cf5b08b2185d9eeb26726c780e069adec0df3c43c0a8ad95cbd342)
print("[*] GCD: ", hex(gcd_res))
for my_gcd in range(1, 100):
my_n = c_div(gcd_res, mpz(my_gcd))
if pow(jwt0_sig, e, my_n) == m0:
print("[+] Found n with multiplier", my_gcd, " :\n", hex(my_n))
pkcs1_pubkey = pkcs1.encode("RSAPublicKey", {
"modulus": int(my_n),
"publicExponent": int(e)
})
x509_der = x509.encode(
"PublicKeyInfo", {
"publicKeyAlgorithm": {
"algorithm": "1.2.840.113549.1.1.1",
import gmpy2 N1 = 3895738302299059518129198422310169628530536557191890566210939781698372336257482186582163630847612416277492034959243510457939210010336159061758606919109259916143600981918456942199762738624796190838889500238780675229383463267807384154074134251073572174392024892486431125499446924573006208711810847272390619510395812856188247531815920797526102562723333957594242603466996229335924848954210939152042149332307810693239925149256224795031982752752336401872520016106145667479144091130160998875256860809091721275069193773739370057334041922519998813268278574260846083883264261920589114740823464192397850923545998904365370408113 N2 = 3036683903819675505741091164945461947189004916494633766372176282409409694958701211748277050499101511956962003835932755555293255586827283990400451317444723234406968971873530093281591689832798646915816609347861047534121792409030834659241904646743453387504496246791081682741245482378149293399372654558929658582070853972454887854658545741800574343930155288517185535533201220281739954820271979667081052363406511938025061398551356675540358212449132781674832812796443378476387659729623581274433769056775163718782871879747276327458473970177451591251859530403032170215968101310739004163533767679394201611410832974546802038041 N3 = 4793455677299549137382284585015750073239112414361680529255951318217960300841340399094743130287927996565298160174555422185410320841942637374406558835150138631140265626020072464652973386772727192540062051929655235552439145036105501434801984612127808829810146844869487529177642676245549299371487478280457673839725488195812744535928488844735950540356920273038857127652414836352483913807655170699520816765863272825856765769043174406026964068017257738085400965661973681558654658747878342173984592411085018242201038877382766239487564503728442821348064764166024851080258629751476765613997512620274759264076272801682962144457 E = 65537 C1 = 396708474546125804352894757436683688457291028695044217325853929491171136935487190613513217479209066321213697066977005912522338337419604329864854419961723570625025089500459612736934675744115710978556346050350466970024450696226499749911198313775828281699871502987873199226066403667788132060336882800770615332190939846610876881382430101512212915247532319827304296610854802037475047119525110795533529161852951539770153761419387662527094415537933400873451490021233979268224054475360645920086811082803271848565851436058022797610887635287190533293980480191482625531855511415716253479184799509403767653927424232672209598509 C2 = 355006513750551550798931713354683491263062473879176656452255051848683497534660576981575518851351256702360823676609578259232763677292692743319345273559085724516350773319337226043634439282120083618718026203533033564167432280901197175559735572797382863132012675404876908914335941746393221402727788260354881773319480220225939283398326940847106630716629330817737251316474369640273632208347751866683363389016722969822345738247486942531821199790024647950924227337611907877819668593060172268197128413003269501597578146759488894526193598933152416894414296396043283131502951693668167550687432080480619240585408701379144341703 C3 = 924835278307680480966328618545268895077532556525413716080960421925985654497130329688156219485942736928562517552888163928270855659413958949301590302010862666331053838345196518237383846281768395909801043955047640003147798786793258813501366000503338638933238548605016169865688228297750780710248359326295693845663887055907900967535999885217905972006140096240831305484619796964713673839223632057905454213937054336962510051529266336629730913756688411854427999570223208667606703681762027957427028839409594591627448224813082072169775916331655060221445546199171668136050686471357710989346885039441000083764142021784018773006 q = gmpy2.gcd(N1, N2) r = gmpy2.gcd(N2, N3) p = gmpy2.gcd(N3, N1) phi1 = (p - 1) * (q - 1) phi2 = (q - 1) * (r - 1) phi3 = (r - 1) * (p - 1) d1 = gmpy2.invert(E, phi1) d2 = gmpy2.invert(E, phi2) d3 = gmpy2.invert(E, phi3) m1 = pow(C1, d1, N1) m2 = pow(C2, d2, N2) m3 = pow(C3, d3, N3)
p1 = 282595361018796512312481928903796535047168039821441204226899357708165480989181288601210607191471483534037953052604722708819774231230476577951670676743338887609132820418468389978419501153422449272224388422022777
q1 = 142270506848638924547091203976235495577725242858694711068289574174127601000137457280276860615471044907560710121669055364010408768146949985099404319539891688093875478389341632242096859500255283810703767020918479
k = 877
p2 = 291668652611471250039066078554824884845341136873092210122454888337748213391694969640183343019452438800975699247613989121123985462360872265327833435184781051854777074884190706087067889456284908187292126902073849
q2 = 90298557884682577669238320760096423994217812898822512514104930945042122418007925771281125855142645396913218673571816112036657123492733042972301983242487835472292994595416656844378721884370309120262139835889657
k = 1041
p3 = 267307309343866797026967908679365544381223264502857628608660439661084648014195234872217075156454448820508389018205344581075300847474799458610853350116251989700007053821013120164193801622760845268409925117073227
p4 = 188689169745401648234984799686937623590015544678958930140026860499157441295507274434268349194461155162481283679350641089523071656015001291946438485044113564467435184782104140072331748380561726605546500856968771
f = open("output.txt", "r")
data = f.read().split("\n")
for i in range(4):
data[i] = map(int, data[i].split(" ")[1:])
e = 1667
r = gcd(data[1][0], data[0][0])
d2 = invert(e, (p1 - 1) * (q1 - 1) * (r - 1))
print data[1][0] % q1
d1 = invert(e, (p2 - 1) * (q2 - 1) * (r - 1))
print data[2][0] % (p3**2)
q3 = data[2][0] / (p3**2)
d3 = invert(e, (p3 - 1) * p3 * (q3 - 1))
q4 = data[3][0] / p4
assert data[3][0] == p4 * q4
d4 = invert(e, (p4 - 1) * (q4 - 1))
c = 594744523070645240942929359037746826510854567332177011620057998249212031582656570895820012394249671104987340986625186067934908726882826886403853350036347685535238091672944302281583099599474583019751882763474741100766908948169830205008225271404703602995718048181715640523980687208077859421140848814778358928590611556775259065145896624024470165717487152605409627124554333901173541260152787825789663724638794217683229247154941119470880060888700805864373121475407572771283720944279236600821215173142912640154867341243164010769049585665362567363683571268650798207317025536004271505222437026243088918839778445295683434396247524954340356
c = pow(c, d4, data[3][0])
c = pow(c, d3, data[2][0])
c = pow(c, d2, data[1][0])
c = pow(c, d1, data[0][0])
from gmpy2 import gcd, invert, powmod from Crypto.Util.number import long_to_bytes n1 = 14343453794367092515497895137902168386296417319247146730459319881802140334698737189342973812146465828660342012946910653192803473600595707696472591504951198563603709181626005658184116684367802758344031386496658458264959969692044879175628783605186867276515694784082482043436473458055894723810140516689141599152195984714148210638833797638255124702611899073506190942745515704802064433300261613781916198106074829630095538317067848424354570246167013526201728488570271571071978289748473886089178585249674489547064957622989808178007470483946536987289341591847349128538928294808117443145097551386826012131775390678998400121889 n2 = 20308195943065789251817446829863883469272602304751753219641822206296872340042055615695828234875654938558065292577939692476866300109337008636927498617655004089261030659132847752508448477243753135984370110439693105967818735745420000128069178972088161949286955900852997852216281385776262449633762670014571643311788609943581805728189446261833834354199480558854660930835489848639377800962143545608517015172667287024378681310097239827666867592226542748876958241795640727126418223939447294264460580825913526549434716100031432143671503937393640601052321015919112419872256052688412078974604159554387677255024728801489704260363 c1 = 7060913174371289769309763235647638447135191122575239829016360331184038730172940927388867110734381358453407989806140634011350721798160713053621896705641720212112551788757319365520015847374673960320334248580560205413153114427654784961710348834514336159373193900583620653085765067165174133038800649323672785585501521017885631280303551697739951014696330327670228229605047676440962916067564193271247936974843751339372847625153953559941840547748375919498892051841063000432368600158512968060459462404612866403066205167176313042517873197370743936042865113128112591367582742396193149320607077649094903691975739181219359076265 c2 = 20148610260208170593289118672038891818770076647095364134619069654881479351996793675661468921299369828610961411535098751945943055486021096222646490248098261096267277133140141311947840921090893680970207588861087220137922905797128028172779716663247976566807484416436273763735289602135279810958841816837092253309070217739840320870090502512130142015671736882941916450932012952894134313348115440744061809508935802755106889882605495521669026118538807594430799171795521056652204797565525565412195933084030518258900930049905119086640401568596910662117008862676917676436361632490924908191898958534522611573541581472875515834526 e = 65537 p = gcd(n1, n2) q1 = n1 // p phi = (p - 1) * (q1 - 1) d = invert(e, phi) m = powmod(c1, d, n1) flag = long_to_bytes(m) print(flag.decode())
if 1.0 * A1 / A2 == comp_jk:
result[A1] = A2
if 1.0 * A3 / A4 == comp_jk:
result[A3] = A4
if 1.0 * A1 / A4 == comp_jk:
result[A1] = A4
if 1.0 * A1 / A5 == comp_ik:
result[A1] = A5
if 1.0 * A3 / A5 == comp_ik:
result[A3] = A5
if 1.0 * A1 / A6 == comp_ik:
result[A1] = A6
if 1.0 * A2 / A6 == comp_ij:
result[A2] = A6
if 1.0 * A2 / A5 == comp_ij:
result[A2] = A5
if 1.0 * A4 / A6 == comp_ij:
result[A4] = A6
numerator = 1
denominator = 1
for key in result.keys():
numerator *= key
denominator *= result[key]
print denominator / gmpy2.gcd(numerator, denominator)
def nc_are_prime(n, c):
if not all([n, c]):
return
gcd = gmpy2.gcd(n, c)
if gcd != 1:
print('n, c not prime, gcd is ', gcd)
t = next_prime(o)
u = next_prime(s)
print o * s
n2 = o * s * t * u
assert (m < n2)
print n2
c2 = pow(m, e, n2)
## level3
m = c2
p = getPrime(800)
q = getPrime(800)
n3 = p * q
phi = (q - 1) * (p - 1)
assert (m < n3)
print n3
while True:
s = getPrime(10)
if (gcd(s, p - 1) == 1):
sinv = invert(s, p - 1)
e = 4 * s * sinv + 3
if (gcd(phi, e) == 1):
break
c3 = pow(m, e, n3)
print c3
m = bytes_to_long(os.urandom(128))
print m
assert (m < n3)
print pow(m, e, n3)
import gmpy2
import binascii
n = 15944475431088053285580229796309956066521520107276817969079550919586650535459242543036143360865780730044733026945488511390818947440767542658956272380389388112372084760689777141392370253850735307578445988289714647332867935525010482197724228457592150184979819463711753058569520651205113690397003146105972408452854948512223702957303406577348717348753106868356995616116867724764276234391678899662774272419841876652126127684683752880568407605083606688884120054963974930757275913447908185712204577194274834368323239143008887554264746068337709465319106886618643849961551092377843184067217615903229068010117272834602469293571
e1 = 797
c1 = 11157593264920825445770016357141996124368529899750745256684450189070288181107423044846165593218013465053839661401595417236657920874113839974471883493099846397002721270590059414981101686668721548330630468951353910564696445509556956955232059386625725883038103399028010566732074011325543650672982884236951904410141077728929261477083689095161596979213961494716637502980358298944316636829309169794324394742285175377601826473276006795072518510850734941703194417926566446980262512429590253643561098275852970461913026108090608491507300365391639081555316166526932233787566053827355349022396563769697278239577184503627244170930
e2 = 521
c2 = 6699274351853330023117840396450375948797682409595670560999898826038378040157859939888021861338431350172193961054314487476965030228381372659733197551597730394275360811462401853988404006922710039053586471244376282019487691307865741621991977539073601368892834227191286663809236586729196876277005838495318639365575638989137572792843310915220039476722684554553337116930323671829220528562573169295901496437858327730504992799753724465760161805820723578087668737581704682158991028502143744445435775458296907671407184921683317371216729214056381292474141668027801600327187443375858394577015394108813273774641427184411887546849
assert gmpy2.gcd(e1, e2) == 1
s = gmpy2.gcdext(e1, e2)
m1 = gmpy2.powmod(c1, s[1], n)
m2 = gmpy2.powmod(c2, s[2], n)
m = (m1 * m2) % n
print(binascii.unhexlify(hex(m)[2:]))
# method
def common_modulus(n, c1, e1, c2, e2):
s = gmpy2.gcdext(e1, e2)
m1 = gmpy2.powmod(c1, s[1], n)
m2 = gmpy2.powmod(c2, s[2], n)
m = (m1 * m2) % n
unhexlify = binascii.unhexlify(hex(m)[2:])
print(unhexlify)
return unhexlify
def gen_coprime(self, x):
while True:
random_state = gmpy2.random_state(int(time.time() * 100000))
coprime = gmpy2.mpz_random(random_state, x)
if gmpy2.gcd(coprime, x) == 1:
return coprime
