def cubeattack(n, c, e=3): i = 0 m = gmpy.root(i * n + c, 3) while (m[1] != 1): m = gmpy.root(i * n + c, 3) i = i + 1 return (int(m[0]))
def decrypt(self): s = Utils.CRT(self.ns, self.cs) pt, perfect = gmpy.root(s, self.e) if perfect: return pt else: print "Cannot find %dth root of %s" % (self.e, hex(s))
def main(): N = 791624863672362607956099356831131364853604534581539305910340202530608819116145635786172280242888006099238658415878726648609085639898441498221890676242989932156153803416798752313174803590881722743224684700892225118961219497620039594839395302098710398557509455737717045746236278723783082574166076253616722351864293093113312339303779100928501715558725523086900830443711904148216534555379563587752574783766585298405162299420015348154910428560999297372318489063379606963196610310541923400713582218574580476129076391874763972417104970428247552426095493102113265356930843209220678746513622763556047230507409813826323653127519641722507761180370551715894779123757799654191386575031709371023058585245770842026072807521354840681453389934373985631297088292594571458141054189461792135505184038113247878020462609475899896639165065556193530858093783580972030229157998906679657691476969608156903485234277862405304786019418734022240703148376923711471550495919780707697498176112050789516280686586774453361477128822533764461655099250507644377378432909816994714226859830198325441550849414355111311567891047645058209193718307670504917114431127025248430544656281369344135327825272092527266146813922316680837029133898187541256581486770086898004104721349717 A = 20800474461367145273340906691597634098910584848634101425530321090829125122241687879745601849248837998876151999592885721935152548674120399809317994565118852444189251158193986225229214950841679795627758099753351375856214350384902504565070917605339475722050666023289412703507879513606009743774089452299903006910942117062241868053983949068811202383614893148995089157210610010137350618698066200655682358324076086051635412942424101514341843621257447734742388939312643974507540634350698445829827074747244048131430269996635105948318032075354212694854013936053043646732168771012778244153439821689497012763977957502463601486569 B = 8576238992571591869339367870140218994273542282194520701664348646682391448576106630680498284621212787593356209740914901168733090823371040699948878786651462518529144026837660123406693635154217830755339457596520608787502271941986487262771708521404416352019507024705430920736421058347439358995939039953228936764295191673752730499288133458713995709946983920103441131785342297881050343614665686721597353967276809964115302170170393367543710777834619256462467499921754735442721965580336508363159554886933283178151617020551042141999581756444339357087838568279392954356241659416168338179236507816144395812356271365879641284797 bits = 4096 // 2 """ p = Int('p') q = Int('q') s = Solver() s.add(A*q+B*p == n+1) s.add(p >= (1 << (bits-1))) s.add(p < (1 << (bits)) - 1) s.add(q >= (1 << (bits-1))) s.add(q < (1 << (bits)) - 1) s.add(p*q == n) print(s.check()) print(s.model()) """ D = ((N + 1)**2) - 4 * B * A * N kk, c = gmpy.root(D, 2) T = ((N + 1) + (kk)) // (2 * B) T = ((N + 1) - (kk)) // (2 * B) print(N % T == 0) P = T Q = N / P print(N == P * Q) print("p : " + str(P)) print("q : " + str(Q))
def nth_root(a, n): """ Calculate n-th root of a on Integer Args: a : An element of Z n : root param """ return int(gmpy.root(a, n)[0])
def calc(j): # print j a, b = gmpy.root(cipher + j * n, 3) if b > 0: m = a #print '{:x}'.format(int(m)).decode('hex') print j print n2s(m)
def nth_root(c, e): try: from gmpy import root except: from gmpy2 import iroot as root x = root(c, e)[0] return int(x)
def crack(self): s = CRT(self.ns, self.cs) plain, perfect = gmpy.root(s, self.e) if perfect: self.plain = ('%x' % plain).decode('hex') return True else: return False
def python_rsa_bleichenbacher(msg,hashtype,msgHashed,modulusSize): 'https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/' HASH_ASN1 = { 'MD5': b'\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10', 'SHA-1': b'\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14', 'SHA-256': b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20', 'SHA-384': b'\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30', 'SHA-512': b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40' } # we need to forge 00 01 XX XX XX ... XX XX 00 HASH_ASN1[hashtype] HASH # where the XX's make the whole thing same size as modulus # MAKE SUFFIX print(msgHashed) targetSuffix = '0000000000' + bin(int(binascii.hexlify(HASH_ASN1[hashtype]),16))[2:] + bin(msgHashed)[2:] print(targetSuffix) print(hex(int(targetSuffix,2))) # s = our forgery # c = s^3 # tgt = targetSuffix # key here is that nth bit, counting from LSB, only affects nth bit OR later in c # s starts out as bytes until first 1 in tgt s = targetSuffix[targetSuffix.rfind('1'):] c = sToC(s) initLenS = len(s) for index in range(initLenS,len(targetSuffix)): if(c[len(c)-index-1]==targetSuffix[len(targetSuffix)-index-1]): s = '0' + s else: s = '1' + s c = sToC(s) # SUFFIX MADE! assert(c[-len(targetSuffix):]==targetSuffix) suffix ='00'+hex(int(s,2))[2:] print("suffix is %s" % hex(int(s,2))) print("suffix is %s" % hex(int(c,2))) # Generate prefix prefix = format(0,'08b') + format(1,'08b') prefix += ''.join([format(random.randint(1,256),'08b')]*((modulusSize-len(prefix))//8)) assert len(prefix) == modulusSize print(hex(int(prefix,2))) import gmpy cRoot = gmpy.root(int(prefix,2),3) if(cRoot[1]==1): cRoot = int(cRoot[0].digits()) else: cRoot = int(cRoot[0].digits()) print(hex(cRoot)) prefix = hex(cRoot)[2:] final = prefix[:-len(suffix)] + suffix print(final) print(int(final,16)) print('0'+hex(int(final,16)**3)[2:]) return 'potato'
def Getanswer(c,n,e): while(True): k=1 temp = c + k*n x,y=gmpy.root(temp,e) if(y): return x else: k+=1
def eth_root(n, e, c): if e <> 3: return None for k in range(32): c = gmpy.mpz(c) + k * gmpy.mpz(n) (m, r) = gmpy.root(c, e) if r == 1: mb = convert_to_bits(m) return bits_to_string(pad_bits(mb, len(mb) + pad(len(mb)))) return None
def find_cube(i, j, k): n, x = chinrest([cs[j], cs[k], cs[i]], [ns[j], ns[k], ns[i]]) n = long(n) x = long(x) for i in range(100): x += n (m, r) = gmpy.root(x, 3) if r == 1: z = m pass return rev_oaep(z, 512, 512)
def brute_find(i, t = 20): j = 0 n_i = n[i] c_i = c_int[i] e_i = e[i] while j < 2**t: k, t = gmpy.root(n_i*j+c_i, e_i) if t == 1: print k return k j += 1 pass
def sample_RSA_lowexpo2(): import gmpy N = long('00b0a1f390acd3d43b47d39f132662f69c158925d92871e47869e2841a917c20d5102431b9a9781458d840fd29577815a41612d687a3487d26fbae256f15d4740c34591b646abcccb1a27acde299b3e71600857b455c283660e0455c68ff45c0644cfec211d7f51a16c82e91d786d92c799fb3cb48f92de342ba70dd8213056b314a8d51da9493cf1b86ec15fdf03e046e76d3f1a1ad0aabb684ce5d157e399828a63a5af5920228bb5ea1e66b8feaa3ccbbaff555e346797730ddfc1c4cf4a9dd406588629348c4c29265df9e2c3d02558be5e35cb277f4e7ac7b5158ef3903a396486371029e54a345292aba47499f1c267e680ae738195fd5af2a8075939890f5d69e6b3e94e3e560861aa6c6c69da82405dba2182e66ecff6a8a9cdf5ad5226f073e7d525e050fdd77e0bb1891a49efec2d367a693d2a6799d0d4667953d4f3ddec16ac15bb4cf6025ea58ecb6dfa572316da08d3106073973322ae7597446f2fd3043df6e1d604c6a1f0e59473d9bc182d4ec6fc4588f1c6b2aa476876a84b2d4e0d45910399118d7e1e20dcc27703f2bd3e9af722f37a7673b15d674922862c84d00fc2fc7ddddc915c4693fcb0b1789e9dcbd72ac04659e7c18dcf36254760040402bfcef11b8a3ef9c8bddbaaa8d14c6e8f518a70b036d206b809cd9b3b51a1ec0132dace96dca9451f34c38ab84ed475e7d94fbe9ffc007f2d14860bd', 16) orig = s2n(open("enc.dat").read().rstrip()) c = orig while True: m = gmpy.root(c, 3)[0] if pow(m, 3, N) == orig: print "pwned", n2s(m) break c += N
def hastads(self): # Hastad's attack if self.pub_key.e == 3 and self.args.uncipher is not None: orig = s2n(self.cipher) c = orig while True: m = gmpy.root(c, 3)[0] if pow(m, 3, self.pub_key.n) == orig: self.unciphered = n2s(m) break c += self.pub_key.n return
def hastads(self): # Hastad attack for low public exponent, this has found success for e = 3, and e = 5 previously if self.pub_key.e <= 11 and self.args.uncipher is not None: orig = s2n(self.cipher) c = orig while True: m = gmpy.root(c, self.pub_key.e)[0] if pow(m, self.pub_key.e, self.pub_key.n) == orig: self.unciphered = n2s(m) break c += self.pub_key.n return
def brute_find(i, t=20): j = 0 n_i = n[i] c_i = c_int[i] e_i = e[i] while j < 2**t: k, t = gmpy.root(n_i * j + c_i, e_i) if t == 1: print k return k j += 1 pass
def find_prime_factor(num): prime_factor = [] num_root = gmpy.root(num, 2)[0] + 1 print num_root i = 2 while i < num_root: if num % i == 0: prime_factor.append(i) num /= i else: i += 1 prime_factor.append(num) return prime_factor
def decrypt(grps, e): for grp in combinations(zip(grps['n'], grps['c']), e): N = 1 for x in grp: N *= x[0] M = 0 for x in grp: M += x[1] * number.inverse(N // x[0], x[0]) * (N // x[0]) M %= N m, exact = gmpy.root(M, e) if exact: print(number.long_to_bytes(m))
def brute_force(brute_force_attack_params): e = brute_force_attack_params['e'] n = brute_force_attack_params['n'] c = brute_force_attack_params['c'] start_time = time.time() current_time = time.time() while current_time - start_time < 30: current_time = time.time() m = gmpy.root(c, e)[0] if pow(m, e, n) == c: hd = hex(int(m))[2:] asc = bytes.fromhex(hd).decode('utf-8') return asc c += n return -1
def _brup_e(self): publickey = raw_input("请输入公钥的绝对路经:") key_data = open(publickey, 'rb').read() key = RSA.importKey(key_data) print("[*] n: " + str(key.n)) print("[*] e: " + str(key.e)) x = raw_input("密文格式:1.数字 2. 文件\n") c = 0 if x == '1': c = raw_input("请输入密文数字:") elif x == '2': pathen = raw_input("请输入密文绝对路经:") f = open(pathen, 'r').read() c = s2n(f) i = 0 while i < 10: a = gmpy.root(c, key.e) print(n2s(a[0])) c = a[0] i += 1 raw_input("执行完毕,按任意键继续...")
import gmpy c=120834334415160852720008181834558485154210074353712170753742121859375769954620080853024831805188626044332248657897956200333552302444801664165203934981417856836921490589448355159260196991182462307686587964231453698692517756240859075496171515630967327761143563063128466698098647876420389279719791854940177381159484797420915527554354529897877019363674101 p=gmpy.root(c, 7)[0] print(p) print(hex(p)[2:].decode('hex'))
import gmpy from Crypto.Util.number import * e = 5 n1 = 22354163791642068886566627219651104380195041959729310536115197372690426166153150709554121466476415239938369078918877984798582326979079153795774037292422071622126484521927631771658058095237139085385756115261972030995362441580297007439051832142457196151824718232248567366670706914779874402683742498695075966725643445863105930425231664277753503763301685728514729454184837909500791715332489780346705814147940635497894486147997813359576656960563599630666067976553724013307328267946814810660680917118025290583125363952665067417686810121196242575696597185045825025685213476854256583567246667302893495351968886389607277575017 n2 = 21572642385016963477579971598617440264385803019459680727028155128709560426935255322579963615480913309319371656833660339467010507644019609202771890449419513825998921211898287110979094482184152680851462860763436118651357838279675837330160696073705562801691670054989971242359972394239624514658831442232416757294030962417420713484664248743040825601912659822670147259253345577287621617731732830801600663028815836518284528998558748540254850496265160959735474358970956309010617755485370782641135356868776640582716527007418304047891311611018237370467038297057657170187552676959058139793475780778636104344421256645433184319157 n3 = 23538490262479781189676424291555687068164182643114661587432340961545193235358179989589472145285643966533983578871187834969068436328997665124747925015293061116055708486200061846952313798801858926911255182783099863586327412221517353934763470084520104303420274885565476991562950377811932201525369292989577677075746773213738116508556463673021568154490753308066042359478835646993306170787055261836477886518576333412004771973699327342803658870989682535232759787969849526764566716133935977445433821602865539462257059701760274658057551372518367400843423909801446235376486516405672866560803799383073579471615403602431711906749 c1 = 8251412717378499426943044591229698372921470386799043004121511177127490360947672432828172950920462590131612740580667346789845592456601935083361010491364143991167754355753784659730080802613261548707296078812865553433595508332527259182849010044455347956676601579784507086046839727921827816698611494372771020370220204666127232765068459835347577650640380746779041820863713925451297171219193544837774581741151646875007941650557239399525694514278200390425920026333044311100410760285248540227801135653250431214060352848761880110983132813330039294997643112287410353948128815918569840988643578772550051280725313230021391380942 c2 = 2702325779529388356371102063040984812124665040096740083415590291307659656117305889838882346989298792101301675475943519630707962469291374444160241176144438945716450393919324588280512162965834656691829393002354300184430292151232812832379450453239000612487613356778411786988702989653661016040401893797873661496019219713761717152774454407503253778794508261627260348018307413238031010132639873894130882230804487006727238991743901103529951650508735692190261561512563254962091894391335884495409277055781287361495675018521228212719289913631998193225375985394285744778656347088506213034138518416542660994351922789098153782426 c3 = 3900786923701448353408400328996279443634365978988250027372176657417202602107709749413601922950255680346434821246225602149213848118274433155867843596693043442953202427150352180877384824428649481139269805852912723284877986721489556461272257756102572291913902519661603733662427660803951862948881013199212486295331474761125640673120787973554851559343144421866187607741449270421663485412329555125791603856752842050767936467505915266913093771220903152480407517200342375961712589389233164233844314560534425409330962177881162956636107825634564219533818875183351523212208900244508745427360366146728697555090746078827400829510 #Using Chinese Remainder theorem N = n1 * n2 * n3 N1 = N / n1 N2 = N / n2 N3 = N / n3 u1 = gmpy.invert(N1, n1) u2 = gmpy.invert(N2, n2) u3 = gmpy.invert(N3, n3) M = (c1 * u1 * N1 + c2 * u2 * N2 + c3 * u3 * N3) % N m = gmpy.root(M, e) print m m = 166669694651033760061575940989372165846441757780154432573650021547004196492395364998535451972996273240942325802493947438303206809036305265985603556202994107733144683246196950761049669917488086843376146211622312998750164007816417563417701011230377730627570289745331758366880192428413 print long_to_bytes(m)
import gmpy N = long(80646413) def n2s(n): """ Number to string. """ s = hex(n)[2:].rstrip("L") if len(s) % 2 != 0: s = "0" + s return s.decode("hex") line = map(lambda x:long(x.strip()), open("rivest.txt").readlines()) out = '' for orig in line: c = orig while True: m = gmpy.root(c, 5)[0] if pow(m, 5, N) == orig: out += chr(m) break c += N print out
def introot(n, r=2): if n < 0: return None if r%2 == 0 else -introot(-n, r) return root(n, r)[0]
import gmpy def int2string(i): ihex = hex(i)[2:-1] if len(ihex) % 2 != 0: ihex = '0' + ihex return ihex.decode('hex') nthroot = lambda a, r: int(gmpy.root(a, r)[0]) modinv = lambda a, m: int(gmpy.invert(a, m)) egcd = lambda x, y: map(int, gmpy.gcdext(x, y))
ns = [945849313 * 890855617, 142594211 * 353521913, 41692333 * 775305163] e = 3 m1 = raw_input("Enter message to be broadcasted:") m2 = m1 #raw_input("Enter mesg2:") m3 = m1 #raw_input("Enter mesg3:") m1 = int(m1.encode("hex"), 16) m2 = int(m2.encode("hex"), 16) m3 = int(m3.encode("hex"), 16) print "The message is :", m1 #print m2 #print m3 cs = [] cs.append(pow(m1, e, ns[0])) print cs[0] cs.append(pow(m2, e, ns[1])) print cs[1] cs.append(pow(m3, e, ns[2])) print cs[2] s = CRT(ns, cs) print s pt, perfect = gmpy.root(s, e) m = hex(pt) b = m[2:].decode("hex") print "The message is %d or %s" % (pt, hex(pt)) print "Text : %s" % b
def hastads_broadcast_attack(e, pairs): x = chinese_remainder(pairs) m = root(x, e)[0] return m
def divide_into_blocks(text, blocklen): return [text[i:i + blocklen] for i in xrange(0, len(text), blocklen)] def flip_iv(oldplain, newplain, iv): flipmask = xor_str(oldplain, newplain) return xor_str(iv, flipmask) def gcd(a, b): while b: a, b = b, a % b return a nthroot = lambda a, r: int(gmpy.root(a, r)[0]) modinv = lambda a, m: int(gmpy.invert(a, m)) egcd = lambda x, y: map(int, gmpy.gcdext(x, y)) def str2num(s): return int(s.encode('hex'), 16) def num2str(n): h = hex(n) if h[-1] == "L": h = h[:-1] return h[2:].decode('hex') randstr = lambda n: ''.join(
def hastads_broadcast_attack(e, pairs): x, n = chinese_remainder(pairs) return gmpy.root(x, e)[0]
#!/usr/bin/env python3 import gmpy from Cryptodome.Util import number plain, _ = gmpy.root( 80505397907128518326368510654343095894448384569115420624567650731853204381479599216226376345254941090872832963619259274943986478887206647256170253591735005504, 3) print(number.long_to_bytes(int(plain)))
def sub_sub_sure_factors(f, u, curve_parameter): '''Finds all factors that can be found using ECM with a smoothness bound of u and sigma and give curve parameters. If that fails, checks for being a prime power and does Fermat factoring as well. Yields factors.''' while not (f & 1): yield 2 f >>= 1 while not (f % 3): yield 3 f /= 3 if isprime(f): yield f return log_u = math.log(u) u2 = int(_7_OVER_LOG_2 * u * log_u / math.log(log_u)) primes = [] still_a_chance = True log_mo = math.log(f + 1 + sqrt(f << 2)) g = gcd(curve_parameter, f) if g not in (1, f): for factor in sub_sub_sure_factors(g, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f / g, u, curve_parameter): yield factor return g2 = gcd(curve_parameter**2 - 5, f) if g2 not in (1, f): for factor in sub_sub_sure_factors(g2, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f / g2, u, curve_parameter): yield factor return if f in (g, g2): yield f while still_a_chance: p1 = get_points([curve_parameter], f) for prime in primes: p1 = multiply(p1, prime, f) if not isinstance(p1, list): if p1 != f: for factor in sub_sub_sure_factors(p1, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f / p1, u, curve_parameter): yield factor return else: still_a_chance = False break if not still_a_chance: break prime = 1 still_a_chance = False while prime < u2: prime = next_prime(prime) should_break = False for _ in xrange(int(log_mo / math.log(prime))): p1 = multiply(p1, prime, f) if not isinstance(p1, list): if p1 != f: for factor in sub_sub_sure_factors( p1, u, curve_parameter): yield factor for factor in sub_sub_sure_factors( f / p1, u, curve_parameter): yield factor return else: still_a_chance = True primes.append(prime) should_break = True break if should_break: break for i in xrange(2, int(math.log(f) / LOG_2) + 2): r = root(f, i) if r[1]: for factor in sub_sub_sure_factors(r[0], u, curve_parameter): for _ in xrange(i): yield factor return a = 1 + sqrt(f) bsq = a * a - f iter = 0 while bsq != sqrt(bsq)**2 and iter < 3: a += 1 iter += 1 bsq += a + a - 1 if bsq == sqrt(bsq)**2: b = sqrt(bsq) for factor in sub_sub_sure_factors(a - b, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(a + b, u, curve_parameter): yield factor return yield f return
def sqrt(n): return root(n, 2)[0]
#russian n3 = int("""00:91:4f:6b:95:33:56:85:ba:37:f4:f9:5b:f9:89: 3e:d7:c0:2b:b1:31:d6:d7:a4:a3:7c:ed:72:c3:1f: 52:83:a6:57:74:ea:67:d3:8c:70:29:d1:e7:51:a8: 25:64:b2:c1:89:bf:6c:76:c7:5e:07:f8:73:8e:97: 36:36:85:6f:34:61:d5:92:11:fe:96:f8:18:a4:19: 3a:0a:d4:53:2c:c1:e5:95:ff:18:7d:c8:ce:14:90: ad:19:ae:9e:4b:2e:a6:3a:07:0e:e7:e9:2d:43:6c: 64:52:fa:07:00:7e:3a:96:62:ee:eb:43:2a:e9:03: 54:a0:74:9c:3f:ca:8f:a5:e2:5e:a7:3d:64:0c:35: 2e:16:5a:85:7c:ef:a1:62:8a:fa:17:e0:24:b7:3e: 78:24:6e:12:40:2e:71:ab:65:ab:be:dc:ed:83:06: 62:9d:31:19:4a:d8:8b:f0:7b:08:5a:be:72:35:00: fd:02:e4:4e:70:42:07:9c:fb:81:58:c6:ed:88:b7: df:d2:52:66:e4:19:9f:68:ed:1c:58:2f:d9:59:f8: 7a:57:2f:7a:b8:c7:b5:4e:f3:27:20:5f:71:0c:7f: 27:0b:22:9d:d7:a3:73:15:58:2e:59:21:86:5a:dc: 7b:74:ac:73:81:6b:e2:1b:42:e0:bd:d9:11:7e:2f: b1:33""".replace("\n","").replace(" ","").replace(":",""),16) c3 = 9343715678106945233699669787842699250821452729365496523062308278114178149719235923445953522128410659220617418971359137459068077630717894445019972202645078435758918557351185577871693207368250243507266991929090173200996910881754217374691865096976051997491208921880703490275111904577396998775470664002942232492755888378994040358902392803421017545356248082413409915177589953816030273082416979477368273328755386893089597798104163894528521114946660635364704437632205696975201216810929650384600357902888251066301913255240181601332549134854827134537709002733583099558377965114809251454424800517166814936432579406541946707525 mto3 = chinese_remainder([n1,n2,n3],[c1,c2,c3]) m = gmpy.root(mto3,3)[0] assert(m ** 3 == mto3) print(bytes.fromhex(hex(m)[2:])) # FLAG : CSCG{ch1nes3_g0vernm3nt_h4s_n0_pr0blem_w1th_c0ron4}
v3 = t3 return u1, u2, u3 ii = [0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15] ee = [e0, e2, e3, e4, e5, e6, e7, e8, e9, e10, e11, e12, e13, e14, e15] nn = [n0, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11, n12, n13, n14, n15] cc = [c0, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15] import gmpy # solution for message 1 for i, (e, c, n) in enumerate(zip(ee, cc, nn)): if e != 3: continue c = gmpy.mpz(c) (m, r) = gmpy.root(c, e) if r == 1: bm = convert_to_bits(m) print bits_to_string(pad_bits(bm, len(bm) + pad(len(bm)))) # solution for message 9 for i, (e, c, n) in enumerate(zip(ee, cc, nn)): if e != 3: continue for k in range(1, 32): c = gmpy.mpz(c) + k * gmpy.mpz(n) (m, r) = gmpy.root(c, e) if r == 1: bm = convert_to_bits(m) print bits_to_string(pad_bits(bm, len(bm) + pad(len(bm))))
import gmpy from libnum import * # get N with: openssl rsa -in key.pem -pubin -text -modulus N = long('00b0...0bd', 16) orig = s2n(open("enc.dat").read().rstrip()) c = orig while True: m = gmpy.root(c, 3)[0] if pow(m, 3, N) == orig: print "pwned", n2s(m) break c += N
from Cryptodome.Util import number import gmpy e = 3 # N calculated from find_N.sage N = 187795925823734325427922129400903064447939230079749593582888955729233613927664963249253109445797881310600022107610063372163109680347351728106161259940132053843094520258298587300098649659086794250342183576016139529480708131865573815277186071689715560136272970295181972127809680913213315466857363592840734015631789901717416958763625579894203827173264533068928411411900434306159334166145601906949838378162268540176666151625668048199949727289362401385033442715204089618148304522761017721807220548062006257938216135412302607861485309850357047464137756090093147174466985388223476237618779397449867569762499553904537606950395560182967714513927555299260240145405337097541724441256522242351493898132661339746637960432365669179377375146876905861610710695642357915473770040937265038017475440256799871951819480154996649462065875190637650298268768632223305590541389220758177843962257602725068901998357847886097843725831692085292087342293328626211564879993107959726391583247091787672118640363796914156472420849303078305632328827952362595710204102897336000414029369544570370389149794466669907129497588557761458341467997245836443573184101088147352024805283420336966011949782437881061892874590468478282426014052996148571250702203577498897677913881903752762877594096034594195425068485720454216519907393575792021735978451081699399503002817458999501350160110440748525860129255899775473009074177252288293791544955724874319138044275542019473443141909056522597 plain = gmpy.root(N, e)[0] print(number.long_to_bytes(int(plain))) # flag{infi_nite_jes_t}
def sub_sub_sure_factors(f, u, curve_parameter): '''Finds all factors that can be found using ECM with a smoothness bound of u and sigma and give curve parameters. If that fails, checks for being a prime power and does Fermat factoring as well. Yields factors.''' while not (f & 1): yield 2 f >>= 1 while not (f % 3): yield 3 f /= 3 if isprime(f): yield f return log_u = math.log(u) u2 = int(_7_OVER_LOG_2 * u * log_u / math.log(log_u)) primes = [] still_a_chance = True log_mo = math.log(f + 1 + sqrt(f << 2)) g = gcd(curve_parameter, f) if g not in (1, f): for factor in sub_sub_sure_factors(g, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f/g, u, curve_parameter): yield factor return g2 = gcd(curve_parameter**2 - 5, f) if g2 not in (1, f): for factor in sub_sub_sure_factors(g2, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f / g2, u, curve_parameter): yield factor return if f in (g, g2): yield f while still_a_chance: p1 = get_points([curve_parameter], f) for prime in primes: p1 = multiply(p1, prime, f) if not isinstance(p1, list): if p1 != f: for factor in sub_sub_sure_factors(p1, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f/p1, u, curve_parameter): yield factor return else: still_a_chance = False break if not still_a_chance: break prime = 1 still_a_chance = False while prime < u2: prime = next_prime(prime) should_break = False for _ in xrange(int(log_mo / math.log(prime))): p1 = multiply(p1, prime, f) if not isinstance(p1, list): if p1 != f: for factor in sub_sub_sure_factors(p1, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(f/p1, u, curve_parameter): yield factor return else: still_a_chance = True primes.append(prime) should_break = True break if should_break: break for i in xrange(2, int(math.log(f) / LOG_2) + 2): r = root(f, i) if r[1]: for factor in sub_sub_sure_factors(r[0], u, curve_parameter): for _ in xrange(i): yield factor return a = 1 + sqrt(f) bsq = a * a - f iter = 0 while bsq != sqrt(bsq)**2 and iter < 3: a += 1 iter += 1 bsq += a + a - 1 if bsq == sqrt(bsq)**2: b = sqrt(bsq) for factor in sub_sub_sure_factors(a - b, u, curve_parameter): yield factor for factor in sub_sub_sure_factors(a + b, u, curve_parameter): yield factor return yield f return