def test_euclid(self): for b in range(1, 1000, 13): for a in range(1, 1000, 7): g = libnum.gcd(a, b) x, y, g2 = libnum.xgcd(a, b) self.assertEqual(g, g2) self.assertEqual(a * x + b * y, g) self.assertEqual(libnum.xgcd(0, 10)[1:], (1, 10)) self.assertEqual(libnum.xgcd(10, 0)[0::2], (1, 10)) self.assertEqual(libnum.xgcd(0, 0)[2], 0) self.assertRaises(TypeError, libnum.xgcd, "qwe", 10) self.assertRaises(TypeError, libnum.xgcd, 10, "qwe")
def rsa(e, n, p, q, c): from libnum import n2s, xgcd, gcd assert p * q == n phi = (p - 1) * (q - 1) assert gcd(e, phi) == 1 d = xgcd(e, phi)[0] % phi return n2s(pow(c, d, n))
def common_modulus_attack(c1, c2, e1, e2, n): s1, s2, _ = libnum.xgcd(e1, e2) if s1 < 0: s1 = s1 * -1 c1 = libnum.invmod(c1, n) if s2 < 0: s2 = s2 * -1 c2 = libnum.invmod(c2, n) m = (pow(c1, s1, n) * pow(c2, s2, n)) % n return m
def commonN(n, e1, c1, e2, c2): s1, s2, _ = xgcd(e1, e2) if s1 < 0: s1 = -s1 c1 = invmod(c1, n) if s2 < 0: s2 = -s2 c2 = invmod(c2, n) m = (pow(c1, s1, n) * pow(c2, s2, n)) % n return m
def common_modulus(e1, e2, c1, c2, N): # Extended Euclidean algorithm a, b, d = xgcd(e1, e2) # Invert negative factor if b < 0: c2 = invmod(c2, N) b = -b if a < 0: c1 = invmod(c1, N) a = -a # Get the message (c1^a * c2^b) % N return (pow(c1, a, N) * pow(c2, b, N)) % N
def getFlag((a, b, c)): M = d["M"] p = d["p"] q = d["q"] s1, s2, _ = xgcd(a, b) if s1 < 0: s1 = -s1 p = invmod(p, M) elif s2 < 0: s2 = -s2 q = invmod(q, M) flag = (pow(p, s1, M) * pow(q, s2, M)) % M print n2s(flag)
def f(r): p = 3 * r**2 + 2 * r + 7331 q = 17 * r**2 + 18 * r + 1339 n = p * q return [n] n = 577080346122592746450960451960811644036616146551114466727848435471345510503600476295033089858879506008659314011731832530327234404538741244932419600335200164601269385608667547863884257092161720382751699219503255979447796158029804610763137212345011761551677964560842758022253563721669200186956359020683979540809 #r = solve([(3 * x**2 + 2 * x + 7331)*(17 * x**2 + 18 * x + 1339)-n],[x]) #print r r = 57998468644974352708871490365213079390068504521588799445473981772354729547806 p = 3 * r**2 + 2 * r + 7331 q = 17 * r**2 + 18 * r + 1339 with open("flag.enc", "r") as f: info = f.read() c = int(info.split("= ")[1]) assert p * q == n assert p % 4 == 3 assert q % 4 == 3 m_p = pow(c, (p + 1) / 4, p) m_q = pow(c, (q + 1) / 4, q) y_p, y_q, temp = libnum.xgcd(p, q) assert (y_p * p + y_q * q) % n == 1 m1 = (y_p * p * m_q + y_q * q * m_p) % n m2 = (y_p * p * m_q - y_q * q * m_p) % n m3 = n - m1 m4 = n - m2 print libnum.n2s(m1) print libnum.n2s(m2) print libnum.n2s(m3) print libnum.n2s(m4)
n2 = bytes_to_num(base64.b64decode(n2_base64)) print n2 n3 = bytes_to_num(base64.b64decode(n3_base64)) print n3 c1_1 = "2639c28e3609a4a8c953cca9c326e8e062756305ae8aee6efcd346458aade3ee8c2106ab9dfe5f470804f366af738aa493fd2dc26cb249a922e121287f3eddec0ed8dea89747dc57aed7cd2089d75c23a69bf601f490a64f73f6a583081ae3a7ed52238c13a95d3322065adba9053ee5b12f1de1873dbad9fbf4a50a2f58088df0fddfe2ed8ca1118c81268c8c0fd5572494276f4e48b5eb424f116e6f5e9d66da1b6b3a8f102539b690c1636e82906a46f3c5434d5b04ed7938861f8d453908970eccef07bf13f723d6fdd26a61be8b9462d0ddfbedc91886df194ea022e56c1780aa6c76b9f1c7d5ea743dc75cec3c805324e90ea577fa396a1effdafa3090" c1_2 = "42ff1157363d9cd10da64eb4382b6457ebb740dbef40ade9b24a174d0145adaa0115d86aa2fc2a41257f2b62486eaebb655925dac78dd8d13ab405aef5b8b8f9830094c712193500db49fb801e1368c73f88f6d8533c99c8e7259f8b9d1c926c47215ed327114f235ba8c873af7a0052aa2d32c52880db55c5615e5a1793b690c37efdd5e503f717bb8de716303e4d6c4116f62d81be852c5d36ef282a958d8c82cf3b458dcc8191dcc7b490f227d1562b1d57fbcf7bf4b78a5d90cd385fd79c8ca4688e7d62b3204aeaf9692ba4d4e44875eaa63642775846434f9ce51d138ca702d907849823b1e86896e4ea6223f93fae68b026cfe5fa5a665569a9e3948a" #n1_1 = 0x11574caaea9fd80017ee2986de85b4939d2e43bd5edf5f84e280198004628303fc0c46030926d701194fd8b6b61fdad9fb996291742dcc181d7a21af22f9834caf7650637e458c616ec725a1396ea1920e78ea1ed70d9a35a2390744943a134c8a8101383386e94db4ff4e809d226cffc84bfa2847a3f4fe08ee9df4bf7a40ebf16a347fe90f09016b8b9d2dfb281b536da1fc4442c7b47f84204b3eed6186f4deab1f71ead8edd8c42fe3d93972c220d8c4eb9aab52600ed168ce51064c49b152e34c6fb83de63a635d421c9664fc78f7388de3d1dde7cd3180951c876f20dcede08280ec6ac284b120615e9e141dac68399035bb71eac8cd2bb866b3a6e007 #n1_2 = 0x0230d7a40a416d8c056c314b7d641bffb1dd007917ba0b215f58f6b68f8285067136aa0f0ce37db354cf61d22af84c8be4160963fcbfb9814f31875b458bfea9cb8aa064e5692894f2cde421b16ee2fba30d0b5d5acd8270af65c5bfdd656733b7170b48583a909560c5811cae775499b813efeb9bbb6a8e9da35bd54c0c6d047d6c28a6442cf69522b02c1609774fd4c19e1841989526f70896227138d0fc8bf3ad4ff92466aafc79dbc2b0b68cde3a810d805fba9db05267b33a39f26ccc06c34de1a6a90a5521f01a1e8e0e1387f6ed51b3970409b7562896dfdbf487337d787e6629d474a73e86dbb934446628dad06a8bc6bded821b9a2361f2f1055d12 n1_1 = bytes_to_num(c1_1.decode('hex')) n1_2 = bytes_to_num(c1_2.decode('hex')) e1 = 0x1001 e2 = 0x101 print libnum.xgcd(e1,e2) xgcd = libnum.xgcd(e1,e2) n1_1_inv = libnum.invmod(n1_1,n3) assert (n1_1_inv*n1_1)%n3==1 m = (pow(n1_1_inv,xgcd[0]*-1,n3)*pow(n1_2,xgcd[1],n3))%n3 print m print libnum.gcd(e1,e2) assert pow(m,e1,n3)==n1_1 assert pow(m,e2,n3)==n1_2 #print hex(pow(m,e2,n3)) n1 = m print n1 #n1 = 820928650845870620723398641418430560681156001138735096925030451902417919194443533997091546977591994803076546864089678354698681762386374331300311255855681398660128703679421620966541327377041709407909422433258969486458918135644782166730266421648609176380494526721089557340533459290986717438829332517062112510441791255031169683629746300741131885337863789133958194148147076564652001394063636006538871538841709581230856211101448471200607015180491156127670595948207742541369333765734985482522833859182877386338753929062754028024947469226250613374092460434598257428472528861445143456766204473851110780586998315353287 p1 = libnum.gcd(n1,n2) p2 = n1/p1 p3 = n2/p1
#!/usr/bin/env python # -*- coding: utf-8 -*- __Auther__ = 'M4x' from libnum import xgcd, invmod n = 0xace2aa1121d22a2153389fba0b5f3e24d8721f5e535ebf5486a74191790c4e3cdd0316b72388e7de8be78483e1f41ca5c930df434379db76ef02f0f8cd426348b62c0155cdf1d5190768f65ce23c60a4f2b16368188954342d282264e447353c62c10959fee475de08ec9873b84b5817fecb74899bedde29ef1220c78767f4de11ef1756404494ae1ce4af184cbc1c7c6de8e9cd16f814bca728e05bc56b090112f94fff686bf8122a3b199eb41080860fa0689ed7dbc8904184fb516b2bbf6b87a0a072a07b9a26b3cda1a13192c03e24dec8734378d10f992098fe88b526ce70876e2c7b7bd9e474307dc6864b4a8e36e28ce6d1b43e3ab5513baa6fa559ff e1 = 0xac8b c1 = 0x9e84763bdbe246fad0a9cd52fda6233e6128a6210efaf3e6dea4fe272f78ad1f8f5cc7022f62f4f542341128e42d6fd10e67c5f96edbd243917c0151289f7228e44019b8c65a541d7306b398465e26b69cab36cc61e4ac094832b4299bbaf4630b722a0fb4f1997053be97e926f94afb55a0bb6ef00ab694e2f595d9eb8ca96c49f5cbbe194529f68a1aaf6f5151484b471285ba8fc8cd30b55612f35a74dc68e255c363579a80d27ce5090873ac719ba59f2492c91fd28bcce26b6a02bae005cbbd2a4cfe5b93442be8664d2313d412e7e09f545c64b7b74bbc408b6e574d0d300135cba8d6c1d73737d59baca9992ede644d856eb4cfcda562a75743e4b491 e2 = 0x1091 c2 = 0x9817fdc7b31a8f9cde1794096d3aa2bc6fe06fe34d4b7c9ca9a77982adf67fd4a7e636659553f4168a16757dc3a75e54ff850b9a94a5270f4f75502c7055a3a389df2ea6b00784a4e78e66901b427253c0f343f127e0ff162a349bb14eb4c1453fc6daace19bba4940d77c435686ef3b59f732072cde2e148d1a64f9682b3f1ceb9a000d87e180a1f9eb20c59dbebc13ddb2e07b64db89217f40369aeec878a45d99909ab2a3e4cdb74aa68890c941315ae289d6667200c53f9a32c8a64bfc74e62898ac03c460f945a13f11ee28860a3cd07526c30aa92eb89442a76549fe4ed8a43d14fdeeb350e90443a3a586db719f8610eb5d4a8f5bd1e481b5ef6e96ef s1, s2, _ = xgcd(e1, e2) if s1 < 0: s1 = -s1 c1 = invmod(c1, n) elif s2 < 0: s2 = -s2 c2 = invmod(c2, n) m = (pow(c1, s1, n) * pow(c2, s2, n)) % n print m
#!/usr/bin/env python from Crypto.PublicKey import RSA import libnum key = RSA.importKey(open("pubkey.pem").read()) e = key.e n = key.n c = libnum.s2n(open("flag.enc").read()) p = 275127860351348928173285174381581152299 q = 319576316814478949870590164193048041239 mp = pow(c, (p + 1) / 4, p) mq = pow(c, (q + 1) / 4, q) yp, yq, _ = libnum.xgcd(p, q) r = (yp * p * mq + yq * q * mp) % n s = (yp * p * mq - yq * q * mp) % n _r = n - r _s = n - s print libnum.n2s(r) print libnum.n2s(s) print libnum.n2s(_r) print libnum.n2s(_s)
def modinv(m, N): from libnum import xgcd, gcd assert gcd(m, N) == 1 return xgcd(m, N)[0] % N
def modinv(m, N): from libnum import xgcd, gcd assert gcd(m, N) == 1 return xgcd(m, N)[0] % N def samod_attack((c1, c2), (e1, e2), N): from libnum import xgcd, gcd assert gcd(e1, e2) == 1 assert gcd(e1, N) == 1 assert gcd(e2, N) == 1 [r, s] = xgcd(e1, e2)[0:2] cc1, cc2 = c1, c2 if r < 0: r = -r cc1 = modinv(cc1, N) if s < 0: s = -s cc2 = modinv(cc2, N) m = pow(cc1, r, N) * pow(cc2, s, N) % N return m