def rabins_test(): i = 1 p = probable_prime(R, i) print "--"*78 i += 1 q = probable_prime(S, i) print "--"*78 print "\n" base = (2,3,5,7) for k in base: a = gmpy2.powmod(k, p-1, p) b = gmpy2.powmod(k, q-1, q) if (a == 1): print "p passes Miller-Rabin's test with base: ", k else: print "p has not passed Miller-Rabin's test with base " + str(k) + ", therefore p is not a prime number" if (b == 1): print "q passes Miller-Rabin's test with base: ", k else: print "q has not passed Miller-Rabin's test with base " + str(k) + ", therefore p is not a prime number" return p,q
def deterministic_is_pseudo_prime(n, k=64): assert(k <= len(FIRST_PRIMES)) if n in FIRST_PRIMES: return True if n < max(FIRST_PRIMES): return False if n & 1 == 0: return False # Find s and t s = 0 t = n - 1 while t & 1 == 0: s += 1 t = t >> 1 assert(n == 2**s * t + 1) # main loop for j in range(k): b = FIRST_PRIMES[j] x = gmpy2.powmod(b, t, n) i = 0 if x != 1: while x != n - 1: x = gmpy2.powmod(x, 2, n) i += 1 if i == s or x == 1: return False return True
def rsa_encrypt(_input): p = bin2int(PRIVATE_KEY['prime1']) q = bin2int(PRIVATE_KEY['prime2']) u = bin2int(PRIVATE_KEY['coefficient']) dP = bin2int(PRIVATE_KEY['prime_exponent1']) dQ = bin2int(PRIVATE_KEY['prime_exponent2']) c = bin2int(_input) cp = c % p cq = c % q a = int(gmpy2.powmod(cp, dP, p)) b = int(gmpy2.powmod(cq, dQ, q)) if a >= b: result = a - b else: result = b - a result = p - result result = result % p result = result * u result = result % p result = result * q result = result + b ret = bcdechex(result) ret = padstr(ret).upper() if len(ret) == 256: return ret else: return False
def main(): groups = get_groups_nec("problem.txt") for x in groups: for y in groups: if x == y: continue n1, e1, c1 = x n2, e2, c2 = y # 涉及扩展欧几里德算法 # 这里的算法得好好学习下, 怎么求出 a 和 b 的 # a * e1 + b * e2 = 1 if gmpy2.gcd(e1, e2) == 1: a = gmpy2.invert(e1, e2) b = int((gmpy2.gcd(e1, e2) - a * e1) / e2) assert (a * e1 + b * e2) == 1 assert b < 0 c2i = gmpy2.invert(c2, n1) c1a = gmpy2.powmod(c1, a, n1) c2b = gmpy2.powmod(c2i, -b, n1) m = c1a * c2b % n1 print(binascii.unhexlify(hex(m)[2:]))
def nokey_reading(e1, e2, N, mes1, mes2): koef = AlgEvklid_ex(e1, e2) r = koef['x'] s = koef['y'] x = (gmpy2.powmod(mes1, r, N)*gmpy2.powmod(mes2, s, N)) % N return x
def discrete_log(prime, generator, exp, limit): table = build_table(prime, generator, exp, limit) r = powmod(generator, 2 ** limit, prime) for x in range(0, 2 ** limit + 1): key = powmod(r, x, prime) if key in table: return (x * (2 ** limit) + table[key]) % prime return None
def singleTag(w, block, g, d, n): h = SHA256.new() bLong = number.bytes_to_long(block.data.tobytes()) powG = gmpy2.powmod(g,bLong,n) h.update(str(w)) wHash = number.bytes_to_long(h.digest()) wGmodN = gmpy2.powmod((wHash*powG),1, n) tag = gmpy2.powmod(wGmodN, d, n) return tag
def proofWorkerTask(inputQueue, blkPbSz, blkDatSz, chlng, lost, T, lock, cVal, N, ibf, g, qSets, TT): pName = mp.current_process().name x = ExpTimer() x.registerSession(pName) x.registerTimer(pName, "qSet_proof") x.registerTimer(pName, "cSumKept") x.registerTimer(pName, "cTagKept") x.registerTimer(pName, "ibf_serv") while True: item = inputQueue.get() if item == "END": TT[pName+str("_qSet_proof")] = x.getTotalTimer(pName, "qSet_proof") TT[pName+str("_cSumKept")] = x.getTotalTimer(pName, "cSumKept") - x.getTotalTimer(pName, "ibf_serv") TT[pName+str("_cTagKept")] = x.getTotalTimer(pName, "cTagKept") - x.getTotalTimer(pName, "ibf_serv") TT[pName+str("_ibf_serv")] = x.getTotalTimer(pName, "ibf_serv") return for blockPbItem in BE.chunks(item,blkPbSz): block = BE.BlockDisk2Block(blockPbItem, blkDatSz) bIndex = block.getDecimalIndex() if bIndex in lost: x.startTimer(pName, "qSet_proof") binBlockIndex = block.getStringIndex() indices = ibf.getIndices(binBlockIndex, True) for i in indices: with lock: qSets.addValue(i, bIndex) x.endTimer(pName, "qSet_proof") del block continue x.startTimer(pName, "cSumKept") x.startTimer(pName, "cTagKept") aI = pickPseudoRandomTheta(chlng, block.getStringIndex()) aI = number.bytes_to_long(aI) bI = number.bytes_to_long(block.data.tobytes()) with lock: x.startTimer(pName, "ibf_serv") ibf.insert(block, chlng, N, g, True) x.endTimer(pName, "ibf_serv") cVal["cSum"] += (aI*bI) x.endTimer(pName,"cSumKept") cVal["cTag"] *= gmpy2.powmod(T[bIndex], aI, N) cVal["cTag"] = gmpy2.powmod(cVal["cTag"],1,N) x.endTimer(pName,"cTagKept") del block
def main(): # predefine these, we will stop overwriting them when ready to run the big numbers p=mpz('13407807929942597099574024998205846127' '47936582059239337772356144372176403007' '35469768018742981669034276900318581848' '6050853753882811946569946433649006084171' ) g=mpz('117178298803662070095161175963353670885' '580849999989522055999794590639294997365' '837466705721764714603129285948296754282' '79466566527115212748467589894601965568' ) y=mpz('323947510405045044356526437872806578864' '909752095244952783479245297198197614329' '255807385693795855318053287892800149470' '6097394108577585732452307673444020333' ) log.info("Starting Discrete Log Calculation") log.info("p: %i", p) log.info("g: %i", g) log.info("y: %i", y) m = gmpy2.ceil(gmpy2.sqrt(p)) log.info("m: %i", m) # custom range since builtin has a size limit long_range = lambda start, stop: iter(itertools.count(start).next, stop) chunk_size = 100000 if m < 100000: chunk_size = m stop_at = chunk_size start = 0 while True: chunk = {} log.info("Starting chunk from %i to %i", start, stop_at) for i in xrange(start, stop_at): chunk[gmpy2.powmod(g,i,p)] = i for t in long_range(0,m): expone = mpz(gmpy2.mul(-m,t)) g_term = gmpy2.powmod(g, expone, p) res = gmpy2.f_mod(gmpy2.mul(y, g_term), p) if res in chunk: s = chunk[res] dc = gmpy2.f_mod(mpz(gmpy2.add(s, gmpy2.mul(m,t))), p) log.info("DC LOG FOUND") log.info("dc: %i", dc) return log.info("Completed chunk run: %i to %i no DC yet :(", start, stop_at) start = stop_at stop_at += chunk_size
def encrypt(pub, plain): while True: r=mpz_urandomb(rand, pub.bits) if r > 0 and r < pub.n and gcd(r,pub.n)==1: break # else: # print r # for sufficiently large pub.bits comment the previous while True loop and uncomment the following line # r=mpz_urandomb(rand, pub.bits) x = powmod(r, pub.n, pub.n_sq) cipher = (powmod(pub.g, plain, pub.n_sq) * x) % pub.n_sq return cipher
def findDiscreteLog(self): x = -1 element_powB = gmpy2.powmod(mpz(self.element), mpz(self.B), mpz(self.prime)) for x0 in range (0, self.B + 1): right_x0 = gmpy2.powmod(element_powB, x0, mpz(self.prime)) if right_x0 in self.h_by_gx_hash: print("x0: %d" % (x0)) x1 = self.h_by_gx_hash[right_x0] print("x1: %d" % (x1)) x = gmpy2.t_mod(gmpy2.add(gmpy2.mul(x0, self.B), x1), mpz(self.prime)) print("x: %d" % (x)) return str(x) return x
def encrypt(pub, plain): # while True: # r = generate_prime(pub.bits) # if r > 0 and r < pub.n: # break r = mpz_urandomb(rand, pub.bits) # if gcd(r,pub.n)==1: # break # else: # print r x = powmod(r, pub.n, pub.n_sq) cipher = (powmod(pub.g, plain, pub.n_sq) * x) % pub.n_sq return cipher
def checkCorresponding(table, g, B, p): ''' B - number from meet in the middle attack Func verifies if computing element is in hash table. return: needed elements x0,x1 ''' base = gmpy2.powmod(g, B, p) for x0 in range(B): value = gmpy2.powmod(base, x0, p) if(table.has_key(value)): x1 = table.get(value) return (x0, x1)
def dlog(prime, g, h): CONST_2_20 = 2 ** 20 h_x1 = {} for x1 in xrange(CONST_2_20 + 1): val = divm(h, powmod(g, x1, prime), prime) h_x1[val] = x1 gb = powmod(g, CONST_2_20, prime) for x0 in xrange(CONST_2_20 + 1): val = powmod(gb, x0, prime) if val in h_x1: x1 = h_x1[val] x = x0 * CONST_2_20 + x1 print x break
def regenerate_key(bits,x,x_i,L,leave): """ Regenerate the key r when some peer join or leave the team. All the variables' name are the same as those used in the paper. Args: bits: int, the number of bits of p, which can be set to be larger than the length of r. x: list, x_i which has been distributed members. x_i: int, the x_i of a member who wants to join or leave the team. L: int, the value of product of x_is before the member join or leave. leave: bool. True if the x_i is leaving the team. False if the x_i is join the team. """ p=generate_large_prime(bits) (m,q)=generate_m(p) delta= generate_large_prime(len(bin(min(x)))-2) k=delta-p a=generate_large_prime(bits) g=gmpy2.powmod(a,q,m) r=gmpy2.powmod(g,k,m) if leave : L=gmpy2.div(L,x_i) else: L=gmpy2.mul(L,x_i) u=gmpy2.invert(delta,L) while get_key(g,m,u,x[0])!=r: p=generate_large_prime(bits) (m,q)=generate_m(p) delta= generate_large_prime(len(bin(min(x)))-2) k=delta-p a=generate_large_prime(bits) g=gmpy2.powmod(a,q,m) r=gmpy2.powmod(g,k,m) if leave : L=gmpy2.div(L,x_i) else: L=gmpy2.mul(L,x_i) u=gmpy2.invert(delta,L) return (g,m,u,L,r)
def generate_key_r(bits,x): """ Generate the key r. All the variables' name are the same as those used in the paper. Args: bits: int, the number of bits of p, which can be set to be larger than the length of r. x: list, includes x_i which has been distributed members. """ p=generate_large_prime(bits) (m,q)=generate_m(p) delta= generate_large_prime(len(bin(min(x)))-2) k=delta-p a=generate_large_prime(bits) g=gmpy2.powmod(a,q,m) r=gmpy2.powmod(g,k,m) L=1 for x_i in x : L=gmpy2.mul(L,x_i) u=gmpy2.invert(delta,L) """ Because the primes generated are pseudo primes that has passed probable prime test, it is possible that the member cannot calculat the right key. Verify the members can calculate the key rightly. """ while get_key(g,m,u,x[0])!=r: p=generate_large_prime(bits) (m,q)=generate_m(p) delta= generate_large_prime(len(bin(min(x)))-2) k=delta-p a=generate_large_prime(bits) g=gmpy2.powmod(a,q,m) r=gmpy2.powmod(g,k,m) L=1 for x_i in x : L=gmpy2.mul(L,x_i) u=gmpy2.invert(delta,L) return (g,m,u,L,r)
def getIntermidiateX(p, g, h): table = {} for x1 in range(0, 2 ** 20 + 1): denominator = powmod(g, x1, p) division = divm(h, denominator, p) table[division] = x1 # print division for x0 in range(0, 2 ** 20 + 1): rightHandSide = mpz(powmod(powmod(g, B, p), mpz(x0), p)) # print rightHandSide if rightHandSide in table: print "Win x0={0}, x1={1}".format(x0, table[rightHandSide]) return x0, table[rightHandSide]
def rsa_decrypt(_input): check = bchexdec(_input) modulus = bin2int(PRIVATE_KEY['modulus']) exponent = int("010001", 16) result = int(gmpy2.powmod(check, exponent, modulus)) rb = bcdechex(result) return padstr(rb).upper()
def factor_prime(prime): # p - 1 is 37-smooth base = 2 k_sm = 37 # pow(base,k_sm!) mod prime a = gmpy2.powmod(base, gmpy2.fac(k_sm), prime) # gcd(r_k - 1, prime) p = gmpy2.gcd(a-1, prime) # get second factor of prime q = (prime / p) # make sure factors (pq) are prime if (gmpy2.is_prime(p) and gmpy2.is_prime(q)): print "p = ", p print "q = ", q # make sure n = p*q = prime number n = gmpy2.mul(p,q) if (n == prime): print "n = ", gmpy2.mul(p,q) return
def __init__(self, p, q, s, shift=0): self.p = p self.q = q self.n = p * q power = (2 ** shift) % ((p - 1) * (q - 1)) self.s = s % self.n self.s = gmpy2.powmod(self.s, power, self.n)
def q4(): c = mpz('22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256' + '46583996794288946076454204058156474898801373486412045232522932017648791666640299750918872997169052608322206777160001932' + '9260870009579993724077458967773697817571267229951148662959627934791540') n = mpz('17976931348623159077293051907890247336179769789423065727343008115' + '77326758055056206869853794492129829595855013875371640157101398586' + '47833778606925583497541085196591615128057575940752635007475935288' + '71082364994994077189561705436114947486504671101510156394068052754' + '0071584560878577663743040086340742855278549092581') e = mpz(65537) a = isqrt(n) + 1 x = isqrt(a**2 - n) p = a - x q = a + x fi = (p-1) * (q-1) d = invert(e, fi) r = powmod(c, d, n) m = digits(r, 16).split('00')[1] return m.decode('hex')
def hash_table(h, g, p, B): table = dict() # Table to store x1 and h/(g**x1) values for x1 in range(B - 1): val = gmpy2.f_mod(gmpy2.mul(h, gmpy2.powmod(g, -x1, p)), p) table.update({val: x1}) return table
def getTags(self, w_collection, g, blocks, d, n): tags = [] fp = open("BEFORE","w") for (w, b) in zip(w_collection, blocks): h = SHA256.new() bLong = number.bytes_to_long(b.data.tobytes()) powG = gmpy2.powmod(g,bLong, n) h.update(str(w)) wHash = number.bytes_to_long(h.digest()) fp.write(str(wHash)+"\n") wGmodN = gmpy2.powmod((wHash*powG),1, n) res = gmpy2.powmod(wGmodN, d, n) tags.append(res) fp.close() return tags
def self_test(): p = 13407807929942597099574024998205846127479365820592393377723561443721764030073546976801874298166903427690031858186486050853753882811946569946433649006084171 g = 11717829880366207009516117596335367088558084999998952205599979459063929499736583746670572176471460312928594829675428279466566527115212748467589894601965568 h = 3239475104050450443565264378728065788649097520952449527834792452971981976143292558073856937958553180532878928001494706097394108577585732452307673444020333 print("Running tiny test") xTiny = 3 x = discrete_log(97, 20, 57, 6) print("x == {}".format(x)) assert(xTiny == x) print("Tiny test passed!") print("") print("Running short test") xShort = 23232 x = discrete_log(1938281, 190942, 1737373, 16) print("x == {}".format(x)) assert(xShort == x) print("Short test passed!") print("") print("Running long test") x = discrete_log(p, h, g, 40) assert(h == powmod(g,x,p)) print("x == {}".format(x)) print("Long test passed!") print("")
def Q1Q4(): N = mpz('17976931348623159077293051907890247336179769789423065727343008115\ 77326758055056206869853794492129829595855013875371640157101398586\ 47833778606925583497541085196591615128057575940752635007475935288\ 71082364994994077189561705436114947486504671101510156394068052754\ 0071584560878577663743040086340742855278549092581') A = isqrt(N) + 1 x = isqrt(sub(mul(A, A), N)) p = sub(A, x) q = add(A, x) print("Q1:") print(p) fiN = mul(sub(p, 1), sub(q, 1)) e = mpz(65537) d = gmpy2.invert(e, fiN) ct = mpz('22096451867410381776306561134883418017410069787892831071731839143\ 67613560012053800428232965047350942434394621975151225646583996794\ 28894607645420405815647489880137348641204523252293201764879166664\ 02997509188729971690526083222067771600019329260870009579993724077\ 458967773697817571267229951148662959627934791540') pt = gmpy2.powmod(ct, d, N) ptstr = pt.digits(16) pos = ptstr.find('00') payload = ptstr[pos + 2:] print("Q4:") print(binascii.unhexlify(payload))
def main(): g_to_b = powmod(G, 1048576, P) g_invert = invert(G, P) map = {} time_start = time.time() calc_1 = t_mod(H * G, P) for i in range(1048576 + 1): calc_1 = t_mod(calc_1 * g_invert, P) map[calc_1] = i time_end = time.time() sys.stdout.write('\n\n') sys.stdout.write('Left side complete...\n') sys.stdout.write('Time: %0.3f ms\n' % ((time_end - time_start) * 1000.0)) sys.stdout.flush() time_start = time.time() calc_0 = invert(g_to_b, P) for j in range(1048576 + 1): calc_0 = t_mod(calc_0 * g_to_b, P) if calc_0 in map: calc = (j * 1048576) + map[calc_0] sys.stdout.write('\n\n') sys.stdout.write('Successfully found x with a value of %s\n' % calc) sys.stdout.flush() break time_end = time.time() sys.stdout.write('Time: %0.3f ms\n' % ((time_end - time_start) * 1000.0)) sys.stdout.flush()
def crack(cipher_text, rsa): raw_cipher_text = cipher_text # low和high表示明文范围 low = 0 high = rsa["n"] - 1 while int(low) != int(high): # 题目给的算法原理: If you double a ciphertext (multiply it by (2**e)%n) # the resulting plaintext will (obviously) be either even or odd. cipher_text = (2 ** rsa["e"] * cipher_text) % rsa["n"] if judge_rsa_parity(cipher_text, rsa["n"], rsa["d"]): # odd: plaintext in upper half of range if high - low == 1: # 明文一定是整数(不可能是浮点), 这种情况下说明找到了 low = high low += (high - low) // 2 # 地板除法防止产生浮点数 else: # If the plaintext after doubling is even, doubling the plaintext didn't wrap the modulus # even: plaintext in the lower half if high - low == 1: high = low high -= (high - low) // 2 # 考虑到可能有误差, 设置个误差范围进行解码 possible_plaintexts = list() for i in range(-5, 5): plaintext = gmpy2.powmod(low + i, rsa["e"], rsa["n"]) possible_plaintexts.append(int(low + i).to_bytes(1000, "big").replace(b"\x00", b"")) return possible_plaintexts
def dlog(pgh): p = pgh[0] g = pgh[1] h = pgh[2] B = gmpy2.powmod(2,20,mpz(p)) B_low = 0 #B_low = gmpy2.powmod(2,18,mpz(p)) print "B: " + repr(B) # build the hash hash_table = {} for i in range(B_low,B): left = gmpy2.divm(mpz(h),gmpy2.powmod(mpz(g),i, mpz(p)),mpz(p)) try: hash_table[left] print "collision at " + i except KeyError: hash_table[left] = i continue print "Hash table built" #print "keys: " + repr(hash_table.keys()) counter = mpz(0) # meet in the middle x0 = mpz(0) x1 = mpz(0) for i in range(B_low,B): counter = gmpy2.add(counter,mpz(1)) right = gmpy2.powmod(gmpy2.powmod(mpz(g),mpz(B),mpz(p)),i,mpz(p)) try: h_entry = hash_table[right] print 'found x0 and x1...' x0 = i x1 = h_entry print 'x0=' + repr(x0) print 'x1=' + repr(x1) break except KeyError: continue print "counter: " + repr(counter) x = gmpy2.t_mod(gmpy2.add(gmpy2.mul(x0,B),x1), mpz(p)) return x
def is_prime(r): for k in range(0,10000000): p = gmpy2.add(r, k) a = gmpy2.powmod(2, p-1, p) if (a == 1): print "k = %i \nprime = %i\n" % (k, p) return
def probable_prime(exponent): for k in range(0,10000000): p = 10**exponent + k a = gmpy2.powmod(2, p-1, p) if (a == 1): print "k = %i \nprobable prime = %i\n" % (k, p) return
import gmpy2 def asc2str(strs): result = '' if (len(strs) % 2) == 0: strs = strs[2:] else: strs = strs[2:] strs = '0' + strs result = strs.decode('hex') print result return result N = 322831561921859 p = 13574881 q = 23781539 c = 0xdc2eeeb2782c e = 23 phi = (p - 1) * (q - 1) d = gmpy2.invert(e, phi) flag = gmpy2.powmod(c, d, N) asc2str(hex(flag))
import gmpy2 from Crypto.Util.number import bytes_to_long, long_to_bytes, inverse q = 25447604191089399379159931601501080444223112829447986750317096149517867285845804966271224749129184435412473271409883249120061873968316995978986208798525834614270065406921367971958806946394627934176702490478759393791972348471983612822611594685811932943967049526367295051671357595632868487646701478129716574546371021473575044516208082932409236271197813454910887142831892249406409490190907510457662553380813454668746280863597454887291739055374694568403834521593202067598993705171014838010676808696015931234887447378008864624871506336318997332815619367547971665857733583462023685385857017492039424076060074104480283423261 p = 25447604191089399379159931601501080444223112829447986750317096149517867285845804966271224749129184435412473271409883249120061873968316995978986208798525834614270065406921367971958806946394627934176702490478759393791972348471983612822611594685811932943967049526367295051671357595632868487646701478129716574546371021473575044516208082932409236271197813454910887142831892249406409490190907510457662553380813454668746280863597454887291739055374694568403834521593202067598993705171014838010676808696015931234887447378008864624871506336318997332815619367547971665857733583462023685385857017492039424076060074104480283422433 n = 647580559066350764512574139212258654419619377791696792933162647847016182264786947024323483613445156926567953673211035865775396889491136493021394983865794529477091872229948860215774356455333826515720143910504339782998354975787558272036453370109286642626999091302012693562994565167763421804705602666440082138719409120664293876204553614511882382199434919365954997082834057119072868066696185230896273866269308019520562618860020221768639470528300841159704088859374399286986458302241337120121430937058280863472916553328255990461105886678126859657320418919609691089677744300138990131567897731188913573095161012997609872471436323858576012929455006921387033623358406327954425701649820631580290471076284227572599505740170534938538303275799383217459413578897504327360744415747939112249827320135553789275968404788584789483305709222531189435482276931098037440920811828069795012367922134191531348046137386595744872323763751900274523135348273825558806037832123609238684829315071013742451094194097286985647180549444633529585827947422469423955056342229557961062943802754823402381380268562309956425582717559687406317915547051766896665477764999756658000565784673316779579644624160889528487904071313946671365415309957045804828537561845474437630201414013 c = 3301725813323793523830449827529001764170324266525813942905248339398533386704146778215164605307364778538312368834939155244976282618558606453065237517755562156941816361506386129237655201821569225442531883605299886901781519717 e = 3 phi = n - (p + q - 1) d = inverse(e, phi) plain = gmpy2.powmod(c, d, n) print "plaintext: {}".format(long_to_bytes(plain))
#!/usr/bin/env python2.7 import gmpy2 import sys from main import * # Closed form of `enc`: # ct = pt * 1337**R + sum(k * 1337**i for i = 1..R) # A = 1337**R A = gmpy2.powmod(1337, R, P) # B = 1337**R + 1337**(R - 1) + ... + 1337 # = (1337**(R + 1) - 1) / (1337 - 1) - 1 B = gmpy2.divm(gmpy2.powmod(1337, R + 1, P) - 1, 1336, P) - 1 pt = a2i(file('lorem').read()) % P ct = a2i(file('lorem.enc').read()) # Caveat: corresponding CT block is the most significant part while ct > P: ct /= P # Solve for k k = gmpy2.divm(ct - A * pt, B, P) def dec(ct, k): a = a2i(ct) b = 0 while a: x = a % P
59997945906392949973658374667057217647146031292859482967\ 5428279466566527115212748467589894601965568') h=mpz('323947510405045044356526437872806578864909752095244\ 952783479245297198197614329255807385693795855318053\ 2878928001494706097394108577585732452307673444020333') B=2**20 x_result = mpz(0) x0_result = mpz(0) x1_result = mpz(0) # build the hash table of h/g^x_1 x_1 from 0 to 2^20 left_table = dict() for x1 in range(0, B): # 2**20 + 1 ? # compute h/(g**x1) mod p key = powmod(g, -x1, p) # seperate ? key = f_mod(h * key, p) left_table[key] = x1 # (g^B)^X_0 right_base = powmod(g, B, p) for x0 in range(0, B): right_val = powmod(right_base, x0, p) if right_val in left_table.keys(): x0_result = x0 x1_result = left_table[right_val] x_result = x0_result * B + x1_result break print x_result
def compute_x0s(p, h, g, B): return ((i, powmod(g, B * i, p)) for i in range(B))
def encrypt(self, msg, rdm): return (gmpy2.powmod(self.g, msg, self.n2) * gmpy2.powmod(rdm, self.n, self.n2)) % (self.n2)
def inverse_mod(a, m): """Inverse of a mod m.""" if a == 0: return 0 return powmod(a, -1, m)
def compute_x1(seq): hash_map = {} for x1 in seq: left = f_mod(H * invert(powmod(G, x1, P), P), P) hash_map[left] = x1 return hash_map
""" This function has very special purpose :)) Simply to screw you up """ raw = urandom(6) print 'prefix = {}'.format(raw.encode('hex')) challenge = raw_input('Challenge: ') temp = sha256(raw + challenge).hexdigest() if temp.startswith('25455'): return True else: return False if __name__ == "__main__": try: assert proof_of_shit() == True N, delta, gamma = gen_key() m = int(FLAG.encode('hex'), 16) c = powmod(m, 0x10001, N) print introduction print 'N = {}'.format(N) print 'delta = {}'.format(delta) print 'gamma = {}'.format(gamma) print 'ciphertext = {}'.format(c) except AssertionError: print "Take your time and think of the inputs."
assert p == 21909849592475533092273988531583955898982176093344929030099423584127212078126150044721102570957812665127475051465088833555993294644190955293613411658629209 print 'Question 4' c = 22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540 e = 65537 N = N1 p = p1 q = q1 assert p * q == N phi = (p - 1) * (q - 1) assert phi == N - p - q + 1 # e*d = 1 % phi d = gmpy2.divm(1, e, phi) assert (e * d) % phi == 1 # encrypt c = m^e in Zn # decrypt m = c^d in Zn m = gmpy2.powmod(c, d, N) assert gmpy2.powmod(m, e, N) == c hexstring = format(m, 'x') hexstring = hexstring.split('00')[1] plaintext = hexstring.decode('hex') print plaintext # correct answer assert plaintext == 'Factoring lets us break RSA.'
def powmod(x, y, m): return gmpy2.powmod(gmpy2.mpz(x), gmpy2.mpz(y), gmpy2.mpz(m))
def getRec(i): if i % 2: return (2 * powmod(3, i, 256) - 1) % 256 else: return (2 * powmod(3, i, 256) + 1) % 256
def xgcd(a, b): """return (g, x, y) such that a*x + b*y = g = gcd(a, b)""" x0, x1, y0, y1 = 0, 1, 1, 0 while a != 0: q, b, a = b // a, a, b % a y0, y1 = y1, y0 - q * y1 x0, x1 = x1, x0 - q * x1 return b, x0, y0 c = gmpy2.mpz(int(open(sys.argv[1]).readline().strip(), 16)) pk = open(sys.argv[2]) n = gmpy2.mpz(int(pk.readline().strip()[2:], 16)) e = gmpy2.mpz(int(pk.readline().strip()[2:], 16)) p, q = fermat_factorise(n) phi = (p - 1) * (q - 1) gcd, d, b = xgcd(e, phi) plaintext = gmpy2.powmod(c, gmpy2.mpz(d), n) bin = bytearray(gmpy2.to_binary(plaintext)) print('p = {}\n\nq = {}\n'.format(p, q)) print('d = {}\n'.format(d)) print('Plaintext (little endian): {}'.format(bin)) bin.reverse() print('Plaintext (big endian): {}'.format(bin))
def run(args): if dependencies_missing: module.log("Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue", level='error') return target = (args['rhost'], int(args['rport'])) timeout = float(args['timeout']) cipher_handshake = cipher_handshakes[args['cipher_group']] module.log("{}:{} - Scanning host for Bleichenbacher oracle".format(*target), level='debug') N, e = get_rsa_from_server(target, timeout) if not N: module.log("{}:{} - Cannot establish SSL connection: {}".format(*target, e), level='error') return modulus_bits = int(math.ceil(math.log(N, 2))) modulus_bytes = (modulus_bits + 7) // 8 module.log("{}:{} - RSA N: {}".format(*target, hex(N)), level='debug') module.log("{}:{} - RSA e: {}".format(*target, hex(e)), level='debug') module.log("{}:{} - Modulus size: {} bits, {} bytes".format(*target, modulus_bits, modulus_bytes), level='debug') cke_2nd_prefix = bytearray.fromhex("{0:0{1}x}".format(modulus_bytes + 6, 4) + "10" + "{0:0{1}x}".format(modulus_bytes + 2, 6) + "{0:0{1}x}".format(modulus_bytes, 4)) # pad_len is length in hex chars, so bytelen * 2 pad_len = (modulus_bytes - 48 - 3) * 2 rnd_pad = ("abcd" * (pad_len // 2 + 1))[:pad_len] rnd_pms = "aa112233445566778899112233445566778899112233445566778899112233445566778899112233445566778899" pms_good_in = int("0002" + rnd_pad + "00" + "0303" + rnd_pms, 16) # wrong first two bytes pms_bad_in1 = int("4117" + rnd_pad + "00" + "0303" + rnd_pms, 16) # 0x00 on a wrong position, also trigger older JSSE bug pms_bad_in2 = int("0002" + rnd_pad + "11" + rnd_pms + "0011", 16) # no 0x00 in the middle pms_bad_in3 = int("0002" + rnd_pad + "11" + "1111" + rnd_pms, 16) # wrong version number (according to Klima / Pokorny / Rosa paper) pms_bad_in4 = int("0002" + rnd_pad + "00" + "0202" + rnd_pms, 16) pms_good = int(gmpy2.powmod(pms_good_in, e, N)).to_bytes(modulus_bytes, byteorder="big") pms_bad1 = int(gmpy2.powmod(pms_bad_in1, e, N)).to_bytes(modulus_bytes, byteorder="big") pms_bad2 = int(gmpy2.powmod(pms_bad_in2, e, N)).to_bytes(modulus_bytes, byteorder="big") pms_bad3 = int(gmpy2.powmod(pms_bad_in3, e, N)).to_bytes(modulus_bytes, byteorder="big") pms_bad4 = int(gmpy2.powmod(pms_bad_in4, e, N)).to_bytes(modulus_bytes, byteorder="big") oracle_good = oracle(target, pms_good, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout) oracle_bad1 = oracle(target, pms_bad1, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout) oracle_bad2 = oracle(target, pms_bad2, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout) oracle_bad3 = oracle(target, pms_bad3, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout) oracle_bad4 = oracle(target, pms_bad4, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout) if (oracle_good == oracle_bad1 == oracle_bad2 == oracle_bad3 == oracle_bad4): module.log("{}:{} - Identical results ({}), retrying with changed messageflow".format(*target, oracle_good), level='info') oracle_good = oracle(target, pms_good, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout) oracle_bad1 = oracle(target, pms_bad1, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout) oracle_bad2 = oracle(target, pms_bad2, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout) oracle_bad3 = oracle(target, pms_bad3, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout) oracle_bad4 = oracle(target, pms_bad4, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout) if (oracle_good == oracle_bad1 == oracle_bad2 == oracle_bad3 == oracle_bad4): module.log("{}:{} - Identical results ({}), no working oracle found".format(*target, oracle_good), level='info') return else: flow = True else: flow = False # Re-checking all oracles to avoid unreliable results oracle_good_verify = oracle(target, pms_good, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout) oracle_bad_verify1 = oracle(target, pms_bad1, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout) oracle_bad_verify2 = oracle(target, pms_bad2, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout) oracle_bad_verify3 = oracle(target, pms_bad3, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout) oracle_bad_verify4 = oracle(target, pms_bad4, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout) if (oracle_good != oracle_good_verify) or (oracle_bad1 != oracle_bad_verify1) or (oracle_bad2 != oracle_bad_verify2) or (oracle_bad3 != oracle_bad_verify3) or (oracle_bad4 != oracle_bad_verify4): module.log("{}:{} - Getting inconsistent results, skipping".format(*target), level='warning') return # If the response to the invalid PKCS#1 request (oracle_bad1) is equal to both # requests starting with 0002, we have a weak oracle. This is because the only # case where we can distinguish valid from invalid requests is when we send # correctly formatted PKCS#1 message with 0x00 on a correct position. This # makes our oracle weak if (oracle_bad1 == oracle_bad2 == oracle_bad3): oracle_strength = "weak" else: oracle_strength = "strong" if flow: flowt = "shortened" else: flowt = "standard" s, cke_version = tls_connect(target, timeout, cipher_handshake) s.close() if cke_version[0] == 3 and cke_version[1] == 0: tlsver = "SSLv3" elif cke_version[0] == 3 and cke_version[1] == 1: tlsver = "TLSv1.0" elif cke_version[0] == 3 and cke_version[1] == 2: tlsver = "TLSv1.1" elif cke_version[0] == 3 and cke_version[1] == 3: tlsver = "TLSv1.2" else: tlsver = "TLS raw version %i/%i" % (cke_version[0], cke_version[1]) module.report_vuln(target[0], 'Bleichenbacher Oracle', port=target[1]) module.log("{}:{} - Vulnerable: ({}) oracle found {} with {} message flow".format(*target, oracle_strength, tlsver, flowt), level='good') module.log("{}:{} - Result of good request: {}".format(*target, oracle_good), level='debug') module.log("{}:{} - Result of bad request 1 (wrong first bytes): {}".format(*target, oracle_bad1), level='debug') module.log("{}:{} - Result of bad request 2 (wrong 0x00 position): {}".format(*target, oracle_bad2), level='debug') module.log("{}:{} - Result of bad request 3 (missing 0x00): {}".format(*target, oracle_bad3), level='debug') module.log("{}:{} - Result of bad request 4 (bad TLS version): {}".format(*target, oracle_bad4), level='debug')
with open("./pubkey", "r") as f: pubkey = int(f.read(), 16) with open("./key_enc", "r") as f: key_enc = int(f.read(), 16) with open("./key_dec", "r") as f: key_dec = int(f.read(), 16) import gmpy2 import math import sys encrypted = gmpy2.powmod(11711737117, key_enc, pubkey) def calc_list(target, modulo, redix=8): lst = [1] for i in range(2**redix): print(i) lst.append(gmpy2.t_mod(gmpy2.mul(lst[-1], target), modulo)) return lst def power(lst, exponent, modulo, redix=8): result = 1 while True: ind = exponent & (2**redix - 1) result = gmpy2.t_mod(gmpy2.mul(result, lst[ind]), modulo) exponent = exponent >> redix
def enc_mul_const(pub, m, c): return powmod(m, c, pub.n_sq)
def decrypt(self, enc): return gmpy2.mul(self.L(gmpy2.powmod(enc, self.l, self.n2)), self.m) % self.n
rhs = gmpy2.powmod(gB, x0, p) print('Trying x0 %d' % x0) if rhs in lhs.keys(): x1 = lhs[rhs] print('Found x1 %d' % x1) return x0 * B + x1 print('Not found') return -1 p = '134078079299425970995740249982058461274793658205923933 \ 77723561443721764030073546976801874298166903427690031 \ 858186486050853753882811946569946433649006084171' g = '11717829880366207009516117596335367088558084999998952205 \ 59997945906392949973658374667057217647146031292859482967 \ 5428279466566527115212748467589894601965568' h = '323947510405045044356526437872806578864909752095244 \ 952783479245297198197614329255807385693795855318053 \ 2878928001494706097394108577585732452307673444020333' p = gmpy2.mpz(p) g = gmpy2.mpz(g) h = gmpy2.mpz(h) x = dlog(p, g, h) print(x) print('verifying: h == %d' % gmpy2.powmod(g, x, p))
def modular_root(m, factors, x, p): multiplicative_group_order = reduce(mul, [x - 1 for x in factors]) _, p_inv, _ = gcdext(p, multiplicative_group_order) return int(powmod(x, p_inv, m))
g=mpz('11717829880366207009516117596335367088558084999998952205\ 59997945906392949973658374667057217647146031292859482967\ 5428279466566527115212748467589894601965568') h=mpz('323947510405045044356526437872806578864909752095244\ 952783479245297198197614329255807385693795855318053\ 2878928001494706097394108577585732452307673444020333') B=2**20 x_result = mpz(0) x0_result = mpz(0) x1_result = mpz(0) # build the hash table of h/g^x_1 x_1 from 0 to 2^20 left_table = dict() for x1 in range(0, B): # 2**20 + 1 ? key = powmod(g, -x1, p) # seperate ? key = f_mod(h * key, p) left_table[key] = x1 for x0 in range(0, B): right_val = powmod(g, x0 * B, p) try: x1_result = left_table[right_val] x0_result = x0 x_result = x0_result * B + x1_result break except KeyError: continue print x_result print " {} = {} * B + {}".format(x_result, x0_result, x1_result)
(q, rem2) = gmpy2.c_divmod(res - AA, 6) if rem != 0 or rem2 != 0: (p, rem1) = gmpy2.c_divmod(res - AA, 4) (q, rem2) = gmpy2.c_divmod(res + AA, 6) assert (abs(p * q) == N3) return min(abs(p), abs(q)) print(break_challenge_3(N3)) print("-" * 20) print("Part 4:") CHALLENGE_CIPHERTEXT = mpz( 22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540 ) e = 65537 phi_N = mul(p - 1, q - 1) # m^(e * d) = m # e * d = 1 # d = modinv(e, phi_N) d = invert(e, phi_N) plaintext = powmod(CHALLENGE_CIPHERTEXT, d, N) assert (mul(p, q) == N) assert (powmod(powmod(CHALLENGE_CIPHERTEXT, d, N), e, N) == CHALLENGE_CIPHERTEXT) print(bytearray.fromhex(hex(plaintext).split('00')[1]).decode())
import gmpy2 p = 13574881 q = 23781539 n = p * q e = 23 c = 0xdc2eeeb2782c phin = (p - 1) * (q - 1) d = gmpy2.invert(e, phin) p = gmpy2.powmod(c, d, n) tmp = hex(p) print tmp, tmp[2:].decode('hex')
N = mpz( '179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581' ) C = mpz( '22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540' ) enc_exp = mpz('65537') (A, is_exact) = iroot(N, 2) if not is_exact: A = A + 1 x = isqrt(A**2 - N) p = A - x q = A + x if p * q != N: print("4: Fail check p * q != N") phi_N = N - p - q + 1 dec_exp = invert(enc_exp, phi_N) if t_mod(enc_exp * dec_exp, phi_N) != mpz(1): print("4: Fail check e*d != 1") pkcs_pt = powmod(C, dec_exp, N) #print("pkcs plaintext:") #print(pkcs_pt.digits(16)) res_C = powmod(pkcs_pt, enc_exp, N) if res_C != C: print("4: Fail check res_C != C") pt_hex = pkcs_pt.digits(16).split("00")[1] print("4:") print("'" + bytes.fromhex(pt_hex).decode('utf-8') + "'") sys.exit(0)
def enc_mul_const(pub, m, c): """Multiplies an encrypted integer by a constant""" mul_result = powmod(m, c, pub.n_sq) return mul_result
def __rpow__(self, other): return DHGroupNumber(powmod(other, self, self.__local__.context.modulo))
def enc_add_const(pub, m, c): """Add constant n to an encrypted integer""" # Similiar to enc add add_const_result = m * powmod(pub.g, c, pub.n_sq) % pub.n_sq return add_const_result
def __pow__(self, other, modulo=None): return DHGroupNumber(powmod(self, other, modulo if modulo is not None else self.__local__.context.modulo))
def dec(priv, pub, cipher): x = powmod(cipher, priv.l, pub.n_sq) plain = (((x - 1) // pub.n) * priv.m) % pub.n return plain
y2 = gmpy2.invert(M2, m2) return (a1 * M1 * y1) + (a2 * M2 * y2) while (True): if (t % 2 != 0): break e = e + 1 t = t / 2 q = (m - 1) / pow(2, e) # generate quadratic non-residue of m while (True): x = randint(2, m - 1) z = powmod(x, q, m) if (powmod(z, mpz(pow(2, e - 1)), m) != 1): break y = z r = e x = powmod(a, (q - 1) / 2, m) v = a * x % m w = v * x % m while (True): if (w == 1): break k = 0 while (True): if (powmod(w, mpz(pow(2, k)), m) == 1):
def enc_add_const(pub, m, c): return (m * powmod(pub.g, c, pub.n_sq)) % pub.n_sq