def main():
groups = get_groups_nec("problem.txt")
for x in groups:
for y in groups:
if x == y:
continue
n1, e1, c1 = x
n2, e2, c2 = y
# 涉及扩展欧几里德算法
# 这里的算法得好好学习下, 怎么求出 a 和 b 的
# a * e1 + b * e2 = 1
if gmpy2.gcd(e1, e2) == 1:
a = gmpy2.invert(e1, e2)
b = int((gmpy2.gcd(e1, e2) - a * e1) / e2)
assert (a * e1 + b * e2) == 1
assert b < 0
c2i = gmpy2.invert(c2, n1)
c1a = gmpy2.powmod(c1, a, n1)
c2b = gmpy2.powmod(c2i, -b, n1)
m = c1a * c2b % n1
print(binascii.unhexlify(hex(m)[2:]))
def decrypt_crt(m, sk):
p, q, d, N = sk
mp = pow(m, d, p)
mq = pow(m, d, q)
rp = invert(p, q)
rq = invert(q, p)
return (mp * q * rq + mq * p * rp) % N
def main():
g_to_b = powmod(G, 1048576, P)
g_invert = invert(G, P)
map = {}
time_start = time.time()
calc_1 = t_mod(H * G, P)
for i in range(1048576 + 1):
calc_1 = t_mod(calc_1 * g_invert, P)
map[calc_1] = i
time_end = time.time()
sys.stdout.write('\n\n')
sys.stdout.write('Left side complete...\n')
sys.stdout.write('Time: %0.3f ms\n' % ((time_end - time_start) * 1000.0))
sys.stdout.flush()
time_start = time.time()
calc_0 = invert(g_to_b, P)
for j in range(1048576 + 1):
calc_0 = t_mod(calc_0 * g_to_b, P)
if calc_0 in map:
calc = (j * 1048576) + map[calc_0]
sys.stdout.write('\n\n')
sys.stdout.write('Successfully found x with a value of %s\n' % calc)
sys.stdout.flush()
break
time_end = time.time()
sys.stdout.write('Time: %0.3f ms\n' % ((time_end - time_start) * 1000.0))
sys.stdout.flush()
def _calc_values(self):
self.n = self.p * self.q
phi = (self.p - 1) * (self.q - 1)
self.d = gmpy.invert(self.e, phi)
# CRT-RSA precomputation
self.dP = self.d % (self.p - 1)
self.dQ = self.d % (self.q - 1)
self.qInv = gmpy.invert(self.q, self.p)
def decrypt(cipher, p, q, public=65537):
private = gmpy2.invert(public,(p-1)*(q-1))
dp = private % (p-1)
dq = private % (q-1)
qinv = gmpy2.invert(q,p)
dec1 = pow(cipher,dp,p)
dec2 = pow(cipher,dq,q)
h = (qinv *(dec1-dec2)) % p
decoded = hex(dec2 + h*q)
return decoded[2:].decode('hex')
def add(q, a, b, P, Q):
if () in (P, Q):
return (P, Q)[P == ()]
(Px, Py), (Qx, Qy) = P, Q
try:
if P != Q: lam = (Qy - Py) * gmpy2.invert(Qx - Px, q) % q
else: lam = (3 * Px ** 2 + a) * gmpy2.invert(2 * Py, q) % q
except ZeroDivisionError:
return ()
Rx = (lam ** 2 - Px - Qx) % q
Ry = (lam * Px - lam * Rx - Py) % q
return int(Rx), int(Ry)
def generate_key(q_bit_length): q = gen_big_prime(q_bit_length) while True: try: f = gen_big_random(q_bit_length/2, msb = 0) g = gen_big_random(q_bit_length*3/8) assert(f.bit_length() > 0 and f.bit_length() < q_bit_length/2) assert(g.bit_length() > q_bit_length/4 and g.bit_length() < q_bit_length/2) h = invert(f, q)*g % q f_inv = invert(f, g) return (PrivateKey(f, g, q), PublicKey(h, q)) except: continue
def decrypt(self, message):
"""Decrypt and encrypted message. Only works if this instance has a private key available.
message: the message to be decrypted, must be a DamgaardJurikCiphertext instance
"""
# check that the private key is available
if self.l is None:
raise RuntimeError('This key has no private material for decryption')
if not isinstance(message, DamgaardJurikCiphertext):
raise TypeError('Data for decryption must be formatted as DamgaardJurikCiphertext instance')
# format the ciphertext as an integer, regardless of the given type
c = int(message)
# determine s from the message length
s = int(ceil(log(c, int(self.n)) - 1))
assert s > 0
# utility constants
ns = self.n**s
ns1 = ns*self.n
assert c < ns1
# calculate the decryption key for the given s
d = invert(self.l, ns) * self.l
assert d % ns == 1
assert d % self.l == 0
# perform the decryption
c = pow(c, d, ns1)
i = 0
for j in xrange(1, s+1):
nj = self.n**j
nj1 = nj*self.n
t1 = ((c % nj1) - 1) / self.n
t2 = i
kfac = 1
for k in xrange(2, j+1):
kfac *= k
i -= 1
t2 *= i
t2 %= nj
t1 -= (t2 * self.n ** (k - 1)) * invert(kfac, nj)
t1 %= nj
i = t1
# format the plaintext to match the type of the ciphertext
return DamgaardJurikPlaintext(i)
def main():
'''
Run the main application
'''
code = generate_c_header()
tab_x = ""
tab_y = ""
tab_m = ""
tab_mp = ""
i = 0
while i < set_count:
#x = random.randint(0, pow(pow(2, 32), 32))
modulus = (random.randint(0,1<<1023-1)<<1)|1
x = random.randint(0,modulus-1)
b = pow(2,32)
n = 32
r = pow(b, n)
rp = invert(r, modulus)
y = (x*x*rp)%modulus
if i == 0:
tab_x = tab_x + "\t" + generate_c_array(x)
else:
tab_x = tab_x + ",\n\t" + generate_c_array(x)
if i == 0:
tab_y = tab_y + "\t" + generate_c_array(y)
else:
tab_y = tab_y + ",\n\t" + generate_c_array(y)
if i == 0:
tab_m = tab_m + "\t" + generate_c_array(modulus)
else:
tab_m = tab_m + ",\n\t" + generate_c_array(modulus)
if i == 0:
tab_mp = tab_mp + "\t" + str(hex((-invert(modulus,pow(2,32)) % pow(2, 32)))) + "u"
else:
tab_mp = tab_mp + ",\n\t" + str(hex((-invert(modulus,pow(2,32)) % pow(2, 32)))) + "u"
i = i + 1
code = code + "mbed_int test_mont_mul_dataset_modulus[TEST_MONT_MUL_COUNT][BIGINT_SIZE + 2] = {\n" + tab_m + "\n};\n"
code = code + "mbed_int test_mont_mul_dataset_modulus_invert[TEST_MONT_MUL_COUNT] = {\n" + tab_mp + "\n};\n"
code = code + "mbed_int test_mont_mul_dataset_x[TEST_MONT_MUL_COUNT][BIGINT_SIZE + 2] = {\n" + tab_x + "\n};\n"
code = code + "mbed_int test_mont_mul_dataset_y[TEST_MONT_MUL_COUNT][BIGINT_SIZE + 2] = {\n" + tab_y + "\n};\n"
print code
def decrypt(c, sk):
# Find squares
p, q, N = sk
mp = sqrt_mod(c, p)
mq = sqrt_mod(c, q)
# Apply CRT
q_inv = invert(q, p)
p_inv = invert(p, q)
r = (p_inv * p * mq + q_inv * q * mp) % N
s = (p_inv * p * mq - q_inv * q * mp) % N
# Return 4 possible plaintexts
return (r, N - r, s, N - s)
def generate_key_r(bits,x):
""" Generate the key r. All the variables' name are the same as those used in the paper.
Args:
bits: int, the number of bits of p, which can be set to be larger than the length of r.
x: list, includes x_i which has been distributed members.
"""
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
L=1
for x_i in x :
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
""" Because the primes generated are pseudo primes that has passed probable
prime test, it is possible that the member cannot calculat the right key.
Verify the members can calculate the key rightly.
"""
while get_key(g,m,u,x[0])!=r:
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
L=1
for x_i in x :
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
return (g,m,u,L,r)
def regenerate_key(bits,x,x_i,L,leave):
""" Regenerate the key r when some peer join or leave the team. All the variables' name are the same as those used in the paper.
Args:
bits: int, the number of bits of p, which can be set to be larger than the length of r.
x: list, x_i which has been distributed members.
x_i: int, the x_i of a member who wants to join or leave the team.
L: int, the value of product of x_is before the member join or leave.
leave: bool. True if the x_i is leaving the team. False if the x_i is join the team.
"""
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
if leave :
L=gmpy2.div(L,x_i)
else:
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
while get_key(g,m,u,x[0])!=r:
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
if leave :
L=gmpy2.div(L,x_i)
else:
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
return (g,m,u,L,r)
def main():
# 我需要知道求模逆的算法(欧几里德?往下推求得最大公约数,再往回推求得模逆)
m1, m2 = 11, 23
a1, a2 = 9, 1
M1 = m1 * m2 / m1
M2 = m1 * m2 / m2
M1_inverse = gmpy2.invert(gmpy2.mpz(M1), m1)
M2_inverse = gmpy2.invert(gmpy2.mpz(M2), m2)
print(M1_inverse)
print(M2_inverse)
res = (M1 * M1_inverse * a1 + M2 * M2_inverse * a2) % (m1 * m2)
print(res)
def __add__(self, Q):
if isinstance(Q, Ideal):
return self
x_1, y_1, x_2, y_2 = self.x, self.y, Q.x, Q.y
if (x_1, y_1) == (x_2, y_2):
if y_1 == 0:
return Ideal(self.curve)
s = (3 * x_1 * x_1 + self.curve.a) * int(invert(2 * y_1, self.curve.p))
else:
if x_1 == x_2:
return Ideal(self.curve)
s = (y_2 - y_1) * int(invert(x_2 - x_1, self.curve.p))
x_3 = (s * s - x_2 - x_1) % self.curve.p
y_3 = (s * (x_3 - x_1) + y_1) % self.curve.p
return Point(self.curve, x_3, self.curve.p - y_3)
def create_keypair(size):
while True:
p = get_prime(size // 2)
q = get_prime(size // 2)
if q < p < 2*q:
break
N = p * q
phi_N = (p - 1) * (q - 1)
# Recall that: d < (N^(0.25))/3
max_d = c_div(isqrt(isqrt(N)), 3)
max_d_bits = max_d.bit_length() - 1
while True:
d = urandom.getrandbits(max_d_bits)
try:
e = int(gmpy2.invert(d, phi_N))
except ZeroDivisionError:
continue
if (e * d) % phi_N == 1:
break
assert test_key(N, e, d)
return N, e, d, p, q
def main():
# first make a dummy request to find the public modulus for our team
initial_request = {"team": TEAM, "ciphertext": "00"*(n//8)}
r = requests.post(SERVER_URL + "/decrypt", data=json.dumps(initial_request))
try:
N = int(r.json()["modulus"], 16)
except:
print(r.text)
sys.exit(1)
# compute R^{-1}_N
Rinv = gmpy2.invert(R, N)
# Start with a "guess" of 0, and analyze the zero-one gap, updating our
# guess each time. Repeat this for the (512-16) most significant bits of q
g = 0
for i in range(512-16):
gap = compute_gap(g, i, Rinv, 50, N) #50 used to be 512
# based on gap, decide whether bit (512 - i) is 0 or 1, and
# update g accordingly
if gap < 500: # large gap indicates bit i is a 1
g += 2**(511-i)
# print(hex(g))
# brute-force last 16 bits
for i in range(2**16):
q = g + i
if prime.isMillerRabinPrime(q):
if prime.isMillerRabinPrime(N/q): # TODO: check if this is a valid q - see if it's a factor of N
if N/q < q:
submit_guess(N/q)
else:
submit_guess(q)
def crt(pairs):
"""Solves a set of simultaneous congurences using the CRT
When running opimized this call never fails,
but may produce invalid results if no solution exists
Args:
pairs (list): An iterable of pairs (y, z) to solve for
x = y1 mod z1
x = y2 mod z2
x = y3 mod z3
...
Returns:
A positive integer with x = y mod z
for every pair (y, z)
"""
assert len(pairs) > 0
# Calculate solution
x = 0
M = product(map(lambda (y, z): z, pairs))
for y, z in pairs:
c = M // z
b = invert(c, z)
x = (x + y * b * c) % M
# Check solution
if __debug__:
for (y, z) in pairs:
assert y % z == x % z
return int(x)
def create_rsa_keys(bits_length=512, e=65537):
"""
产生有关 RSA 的一切参数, 包括 p, q, n ,phi_n, d, e
本来想用 pycrypto 库的 RSA 来生成的, 但是这个库至少要求 1024bits, 还是自己手搓吧
:param bits_length: p 和 q 的位长度限制
:param e: 指定的 e
:return: dict(), RSA 的一切参数作为字典返回
"""
rsa = dict()
while True:
p = gmpy2.mpz(getPrime(bits_length))
q = gmpy2.mpz(getPrime(bits_length))
n = p * q
phi_n = (p - 1) * (q - 1)
if gmpy2.gcd(e, phi_n) == 1:
break
rsa["p"] = p
rsa["q"] = q
rsa["n"] = n
rsa["phi"] = phi_n
rsa["d"] = gmpy2.invert(e, rsa["phi"])
rsa["e"] = e
return rsa
def breakKey(N,e): P,Q = bruteSmall(N) phi = g.mul( g.sub(P,1), g.sub(Q,1) ) D = g.invert(e,phi) checkD(e,D,phi) return (P,Q,D)
def breakKey(N,e): P,Q = FermatFactor(N) phi = gmpy2.mul( gmpy2.sub(P,1), gmpy2.sub(Q,1) ) D = gmpy2.invert(e,phi) checkD(e,D,phi) return (P,Q,D)
def create_rsa_key(size=2048):
p = generate_prime_fix_len(size // 2)
while p is None:
p = generate_prime_fix_len(size // 2)
q = generate_prime_fix_len(size // 2)
while q is None:
q = generate_prime_fix_len(size // 2)
N = p * q
phiN = (p-1)*(q-1)
while True:
d = random.getrandbits(size // 5)
try:
e = int(gmpy2.invert(d, phiN))
except:
continue
if (e * d) % phiN == 1:
break
public_key = {
'e': e,
'n': N
}
private_key = {
'd': d,
'N': N
}
return {
'public_key': public_key,
'private_key': private_key
}
def crt(eqn1, eqn2):
x1, m1 = eqn1
x2, m2 = eqn2
d = int(gmpy2.gcd(m1, m2))
x = x1 + (m1 // d) * (x2 - x1) * int(gmpy2.invert(m1 // d, m2 // d))
m = int(gmpy2.lcm(m1, m2))
return x % m, m
def q4():
c = mpz('22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256' +
'46583996794288946076454204058156474898801373486412045232522932017648791666640299750918872997169052608322206777160001932' +
'9260870009579993724077458967773697817571267229951148662959627934791540')
n = mpz('17976931348623159077293051907890247336179769789423065727343008115' +
'77326758055056206869853794492129829595855013875371640157101398586' +
'47833778606925583497541085196591615128057575940752635007475935288' +
'71082364994994077189561705436114947486504671101510156394068052754' +
'0071584560878577663743040086340742855278549092581')
e = mpz(65537)
a = isqrt(n) + 1
x = isqrt(a**2 - n)
p = a - x
q = a + x
fi = (p-1) * (q-1)
d = invert(e, fi)
r = powmod(c, d, n)
m = digits(r, 16).split('00')[1]
return m.decode('hex')
def __compute_d(self, e):
"""
计算私钥, d = invmod(e, et)(exp, invmod(17,3120) = 2753)
:param e: 公钥 e
:return: 私钥 d
"""
return gmpy2.invert(e, self.et)
def Q1Q4():
N = mpz('17976931348623159077293051907890247336179769789423065727343008115\
77326758055056206869853794492129829595855013875371640157101398586\
47833778606925583497541085196591615128057575940752635007475935288\
71082364994994077189561705436114947486504671101510156394068052754\
0071584560878577663743040086340742855278549092581')
A = isqrt(N) + 1
x = isqrt(sub(mul(A, A), N))
p = sub(A, x)
q = add(A, x)
print("Q1:")
print(p)
fiN = mul(sub(p, 1), sub(q, 1))
e = mpz(65537)
d = gmpy2.invert(e, fiN)
ct = mpz('22096451867410381776306561134883418017410069787892831071731839143\
67613560012053800428232965047350942434394621975151225646583996794\
28894607645420405815647489880137348641204523252293201764879166664\
02997509188729971690526083222067771600019329260870009579993724077\
458967773697817571267229951148662959627934791540')
pt = gmpy2.powmod(ct, d, N)
ptstr = pt.digits(16)
pos = ptstr.find('00')
payload = ptstr[pos + 2:]
print("Q4:")
print(binascii.unhexlify(payload))
def digitial_generation(self,message,Curve_Polynomial,X,Y,Order,A,d_A):
r=np.array([0x0],dtype='uint32')
m=hashlib.sha256(message).hexdigest()
Order_np = self.str2nparray(Order)
Order_int = int(Order,16)
l=(len(Order_np)-1)*32+gmpy2.bit_length(int(Order_np[-1]))
m = field.str2nparray(m)
size = l/32+1
m=self.remove_1(m)
if(l>=256):
rem=l-256
chunk_added=(rem/32)+1
m=np.append(np.zeros(chunk_added,dtype='uint32'),m)
part=32-(l+chunk_added)%32
else:
m = m[len(m)-size:]
part = 32-l%32
X1=m>>part
Y1=m<<(32-part)
Z=np.bitwise_xor(Y1[1:],X1[:-1])
Z=np.append(Z,X1[-1])
Z = self.nparray2str(Z)
Z = int(Z,16)
Z = gmpy2.f_mod(Z,Order_int)
S=0
while(S==0):
while(np.all(r[0]==0)):
k=random.randint(1,Order_int-1)
r=self.bin_public_key_gen(X,Y,A,k)
k_inv=gmpy2.invert(k,Order_int)
r = self.nparray2str(r[0])
r = int(r,16)
r=gmpy2.f_mod(r,Order_int)
rd_A = gmpy2.mul(r,d_A)
rd_A = gmpy2.f_mod(rd_A,Order_int)
Zrd_A = rd_A + Z
Zrd_A = int(Zrd_A)
k_inv = int(k_inv)
S = gmpy2.mul(Zrd_A,k_inv)
S = gmpy2.f_mod(S,Order_int)
return r,S
def factorRSA():
e = 65537
p = computeP(N1)
q = computeQ(N1)
orderN = N1 - p - q + 1
d = gmpy2.invert(mpz(e), mpz(orderN))
plaintext = gmpy2.powmod(RSACipherText, d, N1)
print hex(plaintext)
def main():
# first make a dummy request to find the public modulus for our team
initial_request = {"team": TEAM, "ciphertext": "00"*(n//8)}
r = requests.post(SERVER_URL + "/decrypt", data=json.dumps(initial_request))
try:
N = int(r.json()["modulus"], 16)
except:
print(r.text)
sys.exit(1)
# compute R^{-1}_N
Rinv = gmpy2.invert(R, N)
# Start with a "guess" of 0, and analyze the zero-one gap, updating our
# guess each time. Repeat this for the (512-16) most significant bits of q
g = 0
# get bits 2-5
start_bits = 2
max_i = 0
max_t = 0
for i in range(1, 2**start_bits):
t_1 = 0
for j in range(1024):
t_1 += time_decrypt(gmpy2.mpz(i * 2**(511 - start_bits) + 2**511 + j))
print(i, t_1)
if t_1 > max_t:
max_t = t_1
max_i = i
print("MAX:", max_i, max_t)
g += max_i*2**(511 - start_bits) + 2**511
# Q -= g
for i in range(start_bits + 2, 512-16):
gap = compute_gap(g, i, Rinv, 50, N)
# TODO: based on gap, decide whether bit (512 - i) is 0 or 1, and
# update g accordingly
# bit = Q // (2**(512 - i))
# print("gap:", gap, "\t bit at index", i, "should be", bit)
# if bit == 1:
# Q -= 2**(512 - i)
# g += 2**(512 - i)
print("gap:", gap, "\t bit at index", i)
if gap < threshold:
g += 2**(512 - i)
# brute-force last 16 bits
for i in range(2**16):
q = g + i
if gmpy2.is_prime(q):
if submit_guess(q):
print("hooray:", q)
break
def decrypt_RSA(ciphertext, pk):
N, e = pk
p,q = factor(N)
phiN = N - p - q + 1
d = invert(e, phiN)
return powmod(ciphertext, d, N)
def solve_fourth(N4):
p = gmpy2.mpz("13407807929942597099574024998205846127479365820592393377723561443721764030073662768891111614362326998675040546094339320838419523375986027530441562135724301")
q = gmpy2.mpz("13407807929942597099574024998205846127479365820592393377723561443721764030073778560980348930557750569660049234002192590823085163940025485114449475265364281")
N = gmpy2.mpz("179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581")
pi_N = (p-1)*(q-1)
d = gmpy2.invert(65537,pi_N)
plaintext = gmpy2.powmod(N4 , d , N)
hex_plaintext = str(hex(plaintext)).split("00")[-1]
print "#4 ----> the secret message is: " + hex_plaintext.decode("hex")
def __neg__(self):
return self.wrap(invert(self.c, self.ns1))
from Crypto.Util.number import *
import gmpy2
p, q, r = [getPrime(512) for i in range(3)]
n = p * q * r
phi = (p - 1) * (q - 1) * (r - 1)
d = getPrime(256)
e = gmpy2.invert(d , phi)
flag = b"flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
c = pow(bytes_to_long(flag), e, n)
print(e, n)
print(c)
n1 = gmpy2.mpz(
"1001191535967882284769094654562963158339094991366537360172618359025855097846977704928598237040115495676223744383629803332394884046043603063054821999994629411352862317941517957323746992871914047324555019615398720677218748535278252779545622933662625193622517947605928420931496443792865516592262228294965047903627"
)
c2 = gmpy2.mpz(
"147535246350781145803699087910221608128508531245679654307942476916759248448374688671157343167317710093065456240596223287904483080800880319712443044372346198448258006286828355244986776657425121775659144630571637596283100201930037799979864768887420615134036083295810488407488056595808231221356565664602262179441"
)
n2 = gmpy2.mpz(
"405864605704280029572517043538873770190562953923346989456102827133294619540434679181357855400199671537151039095796094162418263148474324455458511633891792967156338297585653540910958574924436510557629146762715107527852413979916669819333765187674010542434580990241759130158992365304284892615408513239024879592309"
)
c3 = gmpy2.mpz(
"633230627388596886579908367739501184580838393691617645602928172655297372282390454586345936209841638502749645277206386289490247066959822668419069562380546618337543323956757811325946190976649051724173510367477564435069180291575386473277111391106753472257905377429144209593931226163885326581862398737742032667573"
)
n3 = gmpy2.mpz(
"1204664380009414697639782865058772653140636684336678901863196025928054706723976869222235722439176825580211657044153004521482757717615318907205106770256270292154250168657084197056536811063984234635803887040926920542363612936352393496049379544437329226857538524494283148837536712608224655107228808472106636903723"
)
M = n1 * n2 * n3
m1 = M / n1
m2 = M / n2
m3 = M / n3
t1 = c1 * (m1) * gmpy2.invert(m1, n1)
t2 = c2 * (m2) * gmpy2.invert(m2, n2)
t3 = c3 * (m3) * gmpy2.invert(m3, n3)
x = (t1 + t2 + t3) % M # chinese reminder theorem
m, exact = gmpy2.iroot(x, e) # recover m
if exact:
print binascii.unhexlify(gmpy2.digits(m,
16)) # convert int -> hex -> ascii
def __invert__(self):
"""Inversion.
"""
return GFElement(long(invert(self.value, self.modulus)))
if len(data) % 8 != 0:
to_add = 8 - len(data) % 8
data += ' ' * to_add
cipher_text = des.encrypt(data)
return cipher_text
p = gmpy2.next_prime(randint(50000, 500000))
r = p - 1
t = 15394852587444895931
decoded_values = []
decoded_values_2 = []
while True:
a = gmpy2.next_prime(randint(50000, 500000))
if gmpy2.invert(a, r) != 0:
break
print('\n[+] Generated a..')
# self.t = int.from_bytes(self._t, byteorder='big')
t %= p
key = int(t).to_bytes(8, byteorder='big')
cipher_text = encrypt_triple_des(key)
with open('cipher', 'wb') as c:
c.write(cipher_text)
ta = gmpy2.powmod(t, a, p)
print('\n[+] Calculated t^a')
asn = asn1.Encoder()
asn.start()
asn.enter(asn1.Numbers.Sequence)
def __init__(self, p, q, n):
self.l = (p - 1) * (q - 1)
self.m = invert(self.l, n) #l mod n 的乘法逆元
from gmpy2 import powmod, invert
from Crypto.Util.number import getPrime as prime
flag = <redacted>
p = prime(512)
q = prime(512)
n = p*q
t = (p-1)*(q-1)
e = 0b10001
d = invert(e,t)
public = (e,n)
private = (d,n)
enc_flag = powmod(flag, e, n)
def pad(m):
global p
if p.bit_length() + m.bit_length() < n.bit_length():
return True, (p << m.bit_length()) + m
else:
return False, 'Error: message too big'
print('bzzz')
print('public key: ', public)
print('encrypted flag: ', enc_flag)
import gmpy2 N = 103461035900816914121390101299049044413950405173712170434161686539878160984549 E = 65537 p = 282164587459512124844245113950593348271 q = 366669102002966856876605669837014229419 L = (p - 1) * (q - 1) D = int(gmpy2.invert(E, L)) ''' gmpy2.invert()返回值类型为<class 'mpz'> invert(x,y) 计算 x 关于1模 y 的乘法逆元 ''' enstr = 0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35 destr = gmpy2.powmod(enstr, D, N) ''' gmpy2.powmod()返回值类型为<class 'mpz'> gmpy2.powmod(x,y,z),计算x^y mod z 的值并返回 ''' flag0 = hex(destr)[2:] # flag0类型为str,存的是十六进制表示的字符串 flag1 = bytes.fromhex(flag0) # 将其从十六进制转换为byte类型(此时已解释成字符) flag = str(flag1, 'utf-8') # 将byte类型转换为str类型 print(flag)
def crack_lcg(seeds):
a = ((seeds[2] - seeds[1]) * invert(seeds[1] - seeds[0], p)) % p
return a, (seeds[1] - seeds[0]*a) % p
def modinv(a, m):
return int(gmpy2.invert(gmpy2.mpz(a), gmpy2.mpz(m)))
import gmpy2
import libnum
n = 32849718197337581823002243717057659218502519004386996660885100592872201948834155543125924395614928962750579667346279456710633774501407292473006312537723894221717638059058796679686953564471994009285384798450493756900459225040360430847240975678450171551048783818642467506711424027848778367427338647282428667393241157151675410661015044633282064056800913282016363415202171926089293431012379261585078566301060173689328363696699811123592090204578098276704877408688525618732848817623879899628629300385790344366046641825507767709276622692835393219811283244303899850483748651722336996164724553364097066493953127153066970594638491950199605713033004684970381605908909693802373826516622872100822213645899846325022476318425889580091613323747640467299866189070780620292627043349618839126919699862580579994887507733838561768581933029077488033326056066378869170169389819542928899483936705521710423905128732013121538495096959944889076705471928490092476616709838980562233255542325528398956185421193665359897664110835645928646616337700617883946369110702443135980068553511927115723157704586595844927607636003501038871748639417378062348085980873502535098755568810971926925447913858894180171498580131088992227637341857123607600275137768132347158657063692388249513
c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108
e = 0x10001
def Pollard_p_1(N):
a = 2
while True:
f = a
# precompute
for n in range(1, 80000):
f = pow(f, n, N)
for n in range(80000, 104729 + 1):
f = pow(f, n, N)
if n % 15 == 0:
d = gmpy2.gcd(f - 1, N)
if 1 < d < N:
return d
a += 1
#p = Pollard_p_1(n)
p = 178449493212694205742332078583256205058672290603652616240227340638730811945224947826121772642204629335108873832781921390308501763661154638696935732709724016546955977529088135995838497476350749621442719690722226913635772410880516639651363626821442456779009699333452616953193799328647446968707045304702547915799734431818800374360377292309248361548868909066895474518333089446581763425755389837072166970684877011663234978631869703859541876049132713490090720408351108387971577438951727337962368478059295446047962510687695047494480605473377173021467764495541590394732685140829152761532035790187269724703444386838656193674253139
q = n / p
d = gmpy2.invert(e, (p - 1) * (q - 1))
m = gmpy2.powmod(c, d, n)
print libnum.n2s(m)
dest="stop_on_fail")
options, args = parser.parse_args()
if len(args) != 1:
parser.print_help()
exit(2)
sshare = open('Data/SharingData.txt')
p = int(sshare.readline())
print 'p = %d' % p
param = int(math.ceil(p.bit_length() / 8.0)) * 8
print 'param = %d' % param
byte_length = int(math.ceil(param / 64.0)) * 8
print 'byte_length = %d' % byte_length
#print byte_length
R = 2**(8 * byte_length) % p
R_inv = gmpy2.invert(R, p)
#print "R = %s" % hex(R)
program.P = p
program.bit_length = param
program.name = args[0]
sfloat.plen = types.sfloat.plen
sfloat.vlen = types.sfloat.vlen
cfloat.plen = types.cfloat.plen
cfloat.vlen = types.cfloat.vlen
sfix.f = types.sfix.f
sfix.k = types.sfix.k
cfix.f = types.cfix.f
cfix.k = types.cfix.k
#!/usr/bin/env python3
from gmpy2 import invert, to_binary, digits
import codecs
with open('RSA.txt', 'r') as f:
lines = f.readlines()
c = int(lines[0][3:])
p = int(lines[1][3:])
q = int(lines[2][3:])
dp = int(lines[3][4:])
dq = int(lines[4][4:])
invQ = invert(q, p)
m1 = pow(c, dp, p)
m2 = pow(c, dq, q)
h = (invQ * (m1 - m2)) % p
m = m2 + h * q
s = str(hex(m)[2:])
print(''.join([chr(int(s[i:i+2], 16)) for i in range(0, len(s), 2)]))
def crack_unknown_multiplier(states, modulus):
multiplier = (states[2] - states[1]) * invert(states[1] - states[0], modulus) % modulus
return crack_unknown_increment(states, modulus, multiplier)
beta = group.random_element()
public = group.random_element()
secret = group.random_exponent()
ciphertext = {'alpha': group.random_element(), 'beta': beta}
encoded = (public**secret).inverse * beta
b = beta.value
y = public.value
x = secret
# if group.contains(encoded):
if group.order > encoded.value:
# (y ^ x) ^ -1 * b - 1 (mod p)
decoded = ((invert(powmod(y, x, modulus), modulus) * b) % modulus -
1) % modulus
else:
# (-(y ^ x) ^ -1 * b (mod p)) - 1 (mod p)
decoded = (-(invert(powmod(y, x, modulus), modulus) * b) % modulus
- 1) % modulus
decoded = ModPrimeElement(decoded, modulus)
__system__ciphertext__public__secret__decoded.append(
(system, ciphertext, public, secret, decoded))
@pytest.mark.parametrize('system, ciphertext, public, secret, decoded',
__system__ciphertext__public__secret__decoded)
def test_decryption_with_randomness(system, ciphertext, public, secret,
log.info(f'd = {d}')
log.info(f'agent_e = {agent_e}')
log.info(f'cipher = {cipher}')
test_pt = b'helloWorld'
test_ct = pow(bytes_to_long(test_pt), e, n)
test_dec = long_to_bytes(pow(test_ct, d, n)).decode('utf-8')
log.info(f'test: encrypted {test_pt.decode("utf-8")} - decrypted {test_dec}')
# recover p and q knowing n and d
priv_key = RSA.construct((n, e, d))
q = priv_key.q
p = priv_key.p
log.success(f'q = {q}')
log.success(f'p = {p}')
# compute agent_d
phi = (p - 1) * (q - 1)
agent_d = gmpy2.invert(agent_e, phi)
log.success(f'agent_d = {agent_d}')
# decrypt ciphertext
pt = pow(cipher, agent_d, n)
log.success(f'pt = {pt}')
log.success(f'str pt = {long_to_bytes(pt)}')
print(r.clean().decode('utf-8'))
r.interactive()
# CTF{omg_rsa_destroyyyyyeeeeddddd}
def __sub__(self, other):
return PaillierCiphertext((self.c * invert(other.c, self.n_sqr)) % self.n_sqr, self.n)
for i in range(len(s) - 1):
t.append(int(s[i + 1]) - int(s[i]))
for i in range(len(t) - 2):
a = t[i + 2] * t[i]
b = t[i + 1] * t[i + 1]
u.append(abs(a - b))
res = u[0]
for c in u[1::]:
res = gcd(res, c)
# lcg_state = (c + lcg_state * m) % n;
n = res
m = (s[1] - s[2]) * gmpy2.invert(s[0] - s[1], n)
m = m % n
c = s[1] - m * s[0]
c = c % n
lcg_state = s[-1]
removal = []
for i in range(14):
lcg_state = (c + lcg_state * m) % n
removal.append(lcg_state % len(code))
new_code = ''
count = 0
for i in range(45):
no = True
for j in removal:
)
N3 = mpz(
'720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929'
)
C4 = mpz(
'22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540'
)
def factor(n, k=1):
nk_sqrt = isqrt(n * k)
for i in range(1, 2**20):
a = nk_sqrt + i
t = a * a - n * k
if is_square(t):
x = isqrt(t)
p = gcd(n, a - x)
q = gcd(n, a + x)
if mul(p, q) == n:
return [p, q]
p1, q1 = factor(N1)
print("Challenge 1: ", p1 if p1 < q1 else q1)
p2, q2 = factor(N2)
print("Challenge 2: ", p2 if p2 < q2 else q2)
p3, q3 = factor(N3, 24)
print("Challenge 3: ", p3 if p3 < q3 else q3)
d = invert(65537, N1 - p1 - q1 + 1)
m4 = '{0:x}'.format(powmod(C4, d, N1))
print("Challenge 4: ", bytes.fromhex(m4[m4.rfind('00') + 2:]).decode())
def modular_inverse(self, c1, c2, N):
i = gmpy2.invert(c2, N)
mx = pow(c1, self.a, N)
my = pow(i, int(-self.b), N)
self.m = mx * my % N
def get_root_2(index, p, k, c): # Find m such that m^index=c mod p^k
# assert index < 1000
print("p = " + hex(p))
assert gmpy2.is_prime(p)
assert p.bit_length() * k <= (2 << 16)
n = p**k
phi = (p**(k - 1)) * (p - 1)
c %= n
# First, split index into 2 parts, invert-able and un-invert-able.
un_invert_able = gmpy2.gcd(index, phi)
invert_able = index // un_invert_able
while True:
gcd = gmpy2.gcd(invert_able, phi)
if gcd == 1:
break
invert_able //= gcd
un_invert_able *= gcd
assert invert_able * un_invert_able == index
assert gmpy2.gcd(invert_able, phi) == 1
print(invert_able, un_invert_able)
# Get rid of the invert-able part.
d = gmpy2.invert(invert_able, phi)
c2 = pow(c, d, n)
assert pow(c2, invert_able, n) == c
print("c2 = " + hex(c2))
# Next, find m such that m^un_invert_able=c2 mod p^k.
now_roots = {c2}
for r in [2, 3, 5, 7]:
if 0 != un_invert_able % r:
continue
s = phi
t = 1
while 0 == s % r:
t *= r
s //= r
# now phi=s*t=s*(r**?)
print("r =", r, ",\tt =", t, ",\ts =", s)
g, u, k = gmpy2.gcdext(t, s)
print("g =", hex(g), ",\tu =", hex(u), ",\tk =", hex(k))
assert g == 1 == u * t + k * s
print(pow(c2, k * s, n))
v = 0
while 1 >= pow(v, s, n):
v = gmpy2.next_prime(getRandomInteger(20))
v_s = pow(v, s, n)
print("v_s =", v_s)
new_roots = set()
for c_now in now_roots:
now = pow(c_now, u, n)
for _ in range(t):
if not pow(now, t, n) == c_now:
print(hex(pow(now, t, n)))
new_roots.add(pow(now, t // r, n))
now = now * v_s % n
now_roots = new_roots
ans = list(now_roots)
for m in ans:
assert pow(m, index, n) == c
return ans
def extended_euclidean(self, e1, e2):
self.a = gmpy2.invert(e1, e2)
self.b = (float(self.gcd(e1, e2) - (self.a * e1))) / float(e2)
print("p = "+str(p)+"\n\n")
q = Crypto.Util.number.getPrime(bits, randfunc=Crypto.Random.get_random_bytes)
print("q = "+str(q)+"\n\n")
n = p*q
#print("n = "+str(n)+"\n\n")
PHI = (pow(p,2)-1) * (pow(p,2)-p) + (pow(q,2)-1) * (pow(q,2)-q)
#print("PHI = "+str(PHI)+"\n\n")
e = 65537
d = (gmpy2.invert(e, PHI))
end_key = time.time()
#print("d = "+str(d)+"\n\n")
print("Key Generation in microseconds : " + str((end_key - start_key)*1000))
start_enc = time.time()
cry = []
for temp in msg:
for i in temp:
cr = pow(ord(i),e,n)
cry.append(cr)
end_enc = time.time()
#print("cipher text: ",cry)
print("Encryption in microseconds : " + str((end_enc - start_enc)*1000))
start_dec = time.time()
import libnum from gmpy2 import invert p = 18714300200687946606417475113748411757743586023240392378853331423798582704739577160809046533982190015378916609910299982076851233748921615268428359433829002059792704988146145739860736655018941828637055243352009655261293487255469551678522883875642351671721016236035569131604259699085381596779830584046576224554770354190736563200673573024262419262559236101964171706063073640200831922815215111145006429726335055132639533551949538161314009512728921475119672731194028849975315405517071962022700366581651252088995956297543970967732767450920852567899463530316932064722349264517507350094749769497108337631790791346318230751467 q = 30552204091910875431291919425618888921607509266659604502231534635505004810638914100691545468257006240596550765690798491345098863254173424024998743532286380217457851534350524484706004447384808653484021353685996782074649108589859638965444227515165630037853803848229119739614192719714949595650173398501253949580632580378445656988567262614726587013639289383099203420083245588942219970897830391338154716916744536057329192636782494267528658701270088641884801883694117073790281623634377404263059229020529966601047901105181866246255952836387904879534241722493167641455570024588858425255243370690280787155370103141260043411661 dp = 2113650676922590921531406888097175652666553970370206386238192407439908607036913562120812895676588977437717329729051667137173845584932797476841955390760948378845188349717411244341491685723554677607214477013556813221577575765839040070466260630647631980977901292211801713522691310773154899165765446687212364661111742856414291731192429304118135217311044617930564270906487203143122481159609223562494921233557423130057191279288297384357002893710427953127663050040765484710119548288959249480276734240867985329381597554393859547626867432765689088835380447607255235739900677632980703302358871506496687657614784232363239722243 dq = 5788167388051724716810892119036276384568739745937396013142966588262653289337075487717487326501429819394838902326342940814278059196225682985490579480515715772286488419773964621864186639509899233511073564527985951512176641259265549161375785957646938340127913599774441207415776838831509697561248781879302410919530236131723614624424074189229089759925778421759786019424889546421170675540836209291930403385372726059756470641511777704976220572754195964140672876687026237952210676500280961856740738830271013035564815946324727885195243099976744409776094893483325977817127736576433569067055608588326403902580541206686303889873 c = 384929090932385996300437698443351351222657430231792271021979369045257864053158435250184030149777284082510073627528209810672363521580647440950106870825629883302323851559034735994087843688646935370662482579888504962318787263997049089413754685891026635315320875882728719395076452158893555507140577145903864388713919016157101958904142810732607134452942881617431875298933328540319148889024495933387044799699433095512815295940010646778114607098872549702858456599434456983299647009574282025979457015668597891927983237716649083484352758257963545691110984096821795178242993969192099166184429086345049153979409087585587571327817887358571118356759225035695747961543312655312264279672525598786445423631249211265717828366185415266991409347843974610048165409998344775345360487289963115672655921621317473495217757627154800133102951496287140658824930568854480305068261055037053240580934109999991985818224800202315818697854673777558125149884689730910631204781640327296146871675437493511228919215368716128657061542948569525563311760449077224551898269699919505183276551536489615118550091258023171726065399277746784797644908104579006305836735024990455916432520581462154492205029992103020811657574184733472856639500738114451844881095812082300354248726945 n = p * q mp = pow(c, dp, p) mq = pow(c, dq, q) pinv = invert(p, q) y = ((mq - mp) * pinv) % q m = y * p + mp m = libnum.n2s(int(m)) print(m)
# -*- coding: utf-8 -*-
import binascii
import gmpy2
"""
We seem to be missing the decryption key d? Can you help us somehow decode the ciphertext?
"""
e = 65537
p = 163598797232837275790583032413921422452851861145478369331976309880028992955089558380171554447759405365296693377570783300198791468861355639873166150884714034914366548252757855530548966926710596087588892893653952147784119788340592861717511574050564549916735627066568966135368285851889401719649796310308064172229
q = 151928351783926490385254692544226090032004315756120674902384041799040568083955129227360764179393042678005292005933989750269377019057534023167675372696224003953154715102625798599561576746593076228704448522848509650863715575134525964992439285085243915010868628145127710442853766119688772555932018349278733467937
c = 4413233431418367729487001191499320110908628864393005850336194538378846901872012263024060279733910394528568658924541767014298273106072428208428621362441660742168169457839232452898840402021800460905562638079257404470183053387353849960252811956727755974787563684430128654542847575219444418360279725423441999278619584162289488016498634231451443666882615379215688913514242136494373656647328276909398980200846880640231426382657437148137610018777974884800967755913109702229247523206388812041488414941125272083962209616158810973532091497979384180936871075352614021504627549173686729322478688708849605857667792183339692021980
dp = gmpy2.invert(e, p - 1)
m = binascii.unhexlify(hex(pow(c,dp,p))[2:]).decode('utf-8')
print (m)
def normal(n, e, c):
'''n为质数
'''
d = gmpy2.invert(e, n - 1)
m = pow(c, d, n)
return m
n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407
c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169
"""
# -*- coding: utf-8 -*-
from Crypto.Util.number import long_to_bytes, isPrime
from gmpy2 import invert, powmod
from libnum import solve_crt
from functools import reduce
n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407
c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169
e = 65537
p = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625526487
q = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625528161
d = invert(e, (p-1)*(q-1))
assert p*q == n
m = pow(c, d, n)
d1 = invert(p-1, p)
print(f'd1 = {d1}')
m1 = m * d1 % p
print(f'm1 = {m1}')
s = reduce(lambda x,y: x * y % n, range(p, q), 1)
d2 = invert(s, q)
s = d2 * (q - 1) % q
d2 = invert(s, q)
print(f'd2 = {d2}')
m2 = m * d2 % q
print(f'm2 = {m2}')
m = solve_crt((m1, m2), (p, q))
print(long_to_bytes(m)[:-80])
def worker_mod(data):
nx, n = data
return gmpy2.invert(nx, n)
import gmpy2
from gmpy2 import mpz
from Crypto.Util.number import long_to_bytes
from Crypto.Util.number import bytes_to_long
from binascii import hexlify
p = 3231660450893985129787028139151018035610437467522069485447060736495328441321407792079915113733222842630322770984020297415912649518117481856420586639729
q = 7
n = gmpy2.mul(p, q)
e = 5
phi = gmpy2.mul(p - 1, q - 1)
d = gmpy2.invert(e, phi)
m = bytes_to_long(b'hello world')
print(m)
c = gmpy2.powmod(m, e, n)
m_rec = gmpy2.powmod(c, d, n)
print('n: ' + str(n))
print('d: ' + str(d))
print('c: ' + str(c))
gmpy2.iroot(c, 5)
print(long_to_bytes(m_rec))
e =
n =
dp =
c =
i =
import gmpy2
while True:
print(i)
p = ((dp * e - 1) // i) + 1
if gmpy2.gcd(p, n) == p:
break
i += 1
q = n // p
r = (p - 1) * (q - 1)
d = gmpy2.invert(e, r)
m = pow(c, d, n)
