def main():
message = "SATOSHI NAKAMOTO"
c1, n1 = encrypt_broadcast_message(message)
c2, n2 = encrypt_broadcast_message(message)
c3, n3 = encrypt_broadcast_message(message)
N = n1 * n2 * n3
N1 = N // n1
N2 = N // n2
N3 = N // n3
d1 = modinv(N1, n1)
d2 = modinv(N2, n2)
d3 = modinv(N3, n3)
x = (c1 * N1 * d1 + c2 * N2 * d2 + c3 * N3 * d3) % N
m = sympy.integer_nthroot(x, 3)[0]
message_decrypted = rsa_integer_to_string(m)
if message_decrypted == message:
print("challenge 5.40 completed.")
else:
print("challenge 5.40 failed.")
def recover_secret_key_repeated_nonce(signatures):
y = int(
"2d026f4bf30195ede3a088da85e398ef869611d0f68f07"
"13d51c9c1a3a26c95105d915e2d8cdf26d056b86b8a7b8"
"5519b1c23cc3ecdc6062650462e3063bd179c2a6581519"
"f674a61f1d89a1fff27171ebc1b93d4dc57bceb7ae2430"
"f98a6a4d83d8279ee65d71c1203d2c96d65ebbf7cce9d3"
"2971c3de5084cce04a2e147821", 16)
pairs = itertools.product(signatures, signatures)
for a, b in pairs:
if a['msg'] == b['msg']:
continue
h1 = int(a['m'], 16)
h2 = int(b['m'], 16)
s1 = a['s']
s2 = b['s']
try:
k_candidate = (((h1 - h2) % Q) * modinv((s1 - s2) % Q, Q)) % Q
except:
pass
secret_key = recover_secret_key(k_candidate, (a['r'], a['s']),
a['msg'])
if pow(G, secret_key, P) == y:
return secret_key
return None
def step_4_computing_the_solution(rsa, B, M, S):
n = rsa.key.N
Mi = M[0]
if Mi[0] == Mi[1]:
message = (Mi[0] * modinv(1, n)) % n
return message
else:
return None
def sign(self, message):
h = int(hashlib.sha1(message).hexdigest(), 16)
k = random_integer(2, self.q-1)
r = pow(self.g, k, self.p) % self.q
s = (modinv(k, self.q) * (h + self.x * r)) % self.q
#if r == 0 or s == 0:
# return self.sign(message)
return (r,s)
def sign(self, message):
h = int(hashlib.sha1(message).hexdigest(), 16)
k = random_integer(2, self.q - 1)
r = pow(self.g, k, self.p) % self.q
s = (modinv(k, self.q) * (h + self.x * r)) % self.q
if r == 0 or s == 0:
print 'trying to sign again'
return self.sign(message)
else:
return (r, s)
def exploit_oracle(ciphertext):
n = ORACLE_KEY.N
e = ORACLE_KEY.e
s = random_integer(2, n-1)
crafted_c = (pow(s, e, n) * ciphertext) % n
crafted_p = unpadded_message_oracle(crafted_c)
crafted_p = rsa_string_to_integer(crafted_p)
plaintext = (crafted_p * modinv(s, n)) % n
return rsa_integer_to_string(plaintext)
def solve_crt(equations):
ai = [a for (a, m) in equations]
mi = [m for (a, m) in equations]
M = reduce(lambda x, y: x * y, mi)
bi = [M / m for m in mi]
bi_prime = [modinv(i, j) for (i, j) in zip(bi, mi)]
x = 0
for (i, j, k) in zip(ai, bi, bi_prime):
x = (x + (i * j * k)) % M
return x
def verify(self, signature, message):
(r,s) = signature
#if r <= 0 or r >= self.q or s <= 0 or s >= self.q:
# return False
w = modinv(s, self.q)
h = int(hashlib.sha1(message).hexdigest(), 16)
u1 = (h * w) % self.q
u2 = (r * w) % self.q
v = ((pow(self.g, u1, self.p) * pow(self.y, u2, self.p)) % self.p ) % self.q
return v == r
def __init__(self, s, e=65537):
self.key = RSA(s, e=e)
self.key.generate_keys() # replace RSA params
self.key.p = getPrime(128)
self.key.q = getPrime(128)
self.key.N = self.key.p * self.key.q
self.key.et = (self.key.p - 1) * (self.key.q - 1)
self.key.d = modinv(self.key.e, self.key.et)
assert self.key.d is not None, 'modinv failed'
self.key.public_key = (self.key.N, self.key.e)
self.key.private_key = (self.key.N, self.key.d)
#self.key_length_bytes = s / 8
self.key_length_bytes = (len(bin(self.key.N)[2:-1]) + 7) / 8
def recover_secret_key(k, signature, message):
(r, s) = signature
h = int(hashlib.sha1(message).hexdigest(), 16)
x = ((s * k - h) * modinv(r, Q)) % Q
return x
def transform(y, r, n):
g_ = pow(g, r, p)
y_ = y * modinv(pow(g, n, p), p)
return y_, g_
def forge_signature(y):
z = random_integer(1, 2**16)
r = pow(y, z, P) % Q
s = (r * modinv(z, Q)) % Q
return (r, s)
