def rabins_test():
i = 1
p = probable_prime(R, i)
print "--"*78
i += 1
q = probable_prime(S, i)
print "--"*78
print "\n"
base = (2,3,5,7)
for k in base:
a = gmpy2.powmod(k, p-1, p)
b = gmpy2.powmod(k, q-1, q)
if (a == 1):
print "p passes Miller-Rabin's test with base: ", k
else:
print "p has not passed Miller-Rabin's test with base " + str(k) + ", therefore p is not a prime number"
if (b == 1):
print "q passes Miller-Rabin's test with base: ", k
else:
print "q has not passed Miller-Rabin's test with base " + str(k) + ", therefore p is not a prime number"
return p,q
def deterministic_is_pseudo_prime(n, k=64):
assert(k <= len(FIRST_PRIMES))
if n in FIRST_PRIMES:
return True
if n < max(FIRST_PRIMES):
return False
if n & 1 == 0:
return False
# Find s and t
s = 0
t = n - 1
while t & 1 == 0:
s += 1
t = t >> 1
assert(n == 2**s * t + 1)
# main loop
for j in range(k):
b = FIRST_PRIMES[j]
x = gmpy2.powmod(b, t, n)
i = 0
if x != 1:
while x != n - 1:
x = gmpy2.powmod(x, 2, n)
i += 1
if i == s or x == 1:
return False
return True
def rsa_encrypt(_input):
p = bin2int(PRIVATE_KEY['prime1'])
q = bin2int(PRIVATE_KEY['prime2'])
u = bin2int(PRIVATE_KEY['coefficient'])
dP = bin2int(PRIVATE_KEY['prime_exponent1'])
dQ = bin2int(PRIVATE_KEY['prime_exponent2'])
c = bin2int(_input)
cp = c % p
cq = c % q
a = int(gmpy2.powmod(cp, dP, p))
b = int(gmpy2.powmod(cq, dQ, q))
if a >= b:
result = a - b
else:
result = b - a
result = p - result
result = result % p
result = result * u
result = result % p
result = result * q
result = result + b
ret = bcdechex(result)
ret = padstr(ret).upper()
if len(ret) == 256:
return ret
else:
return False
def main():
groups = get_groups_nec("problem.txt")
for x in groups:
for y in groups:
if x == y:
continue
n1, e1, c1 = x
n2, e2, c2 = y
# 涉及扩展欧几里德算法
# 这里的算法得好好学习下, 怎么求出 a 和 b 的
# a * e1 + b * e2 = 1
if gmpy2.gcd(e1, e2) == 1:
a = gmpy2.invert(e1, e2)
b = int((gmpy2.gcd(e1, e2) - a * e1) / e2)
assert (a * e1 + b * e2) == 1
assert b < 0
c2i = gmpy2.invert(c2, n1)
c1a = gmpy2.powmod(c1, a, n1)
c2b = gmpy2.powmod(c2i, -b, n1)
m = c1a * c2b % n1
print(binascii.unhexlify(hex(m)[2:]))
def nokey_reading(e1, e2, N, mes1, mes2):
koef = AlgEvklid_ex(e1, e2)
r = koef['x']
s = koef['y']
x = (gmpy2.powmod(mes1, r, N)*gmpy2.powmod(mes2, s, N)) % N
return x
def discrete_log(prime, generator, exp, limit):
table = build_table(prime, generator, exp, limit)
r = powmod(generator, 2 ** limit, prime)
for x in range(0, 2 ** limit + 1):
key = powmod(r, x, prime)
if key in table:
return (x * (2 ** limit) + table[key]) % prime
return None
def singleTag(w, block, g, d, n):
h = SHA256.new()
bLong = number.bytes_to_long(block.data.tobytes())
powG = gmpy2.powmod(g,bLong,n)
h.update(str(w))
wHash = number.bytes_to_long(h.digest())
wGmodN = gmpy2.powmod((wHash*powG),1, n)
tag = gmpy2.powmod(wGmodN, d, n)
return tag
def proofWorkerTask(inputQueue, blkPbSz, blkDatSz, chlng, lost, T, lock, cVal, N, ibf, g, qSets, TT):
pName = mp.current_process().name
x = ExpTimer()
x.registerSession(pName)
x.registerTimer(pName, "qSet_proof")
x.registerTimer(pName, "cSumKept")
x.registerTimer(pName, "cTagKept")
x.registerTimer(pName, "ibf_serv")
while True:
item = inputQueue.get()
if item == "END":
TT[pName+str("_qSet_proof")] = x.getTotalTimer(pName, "qSet_proof")
TT[pName+str("_cSumKept")] = x.getTotalTimer(pName, "cSumKept") - x.getTotalTimer(pName, "ibf_serv")
TT[pName+str("_cTagKept")] = x.getTotalTimer(pName, "cTagKept") - x.getTotalTimer(pName, "ibf_serv")
TT[pName+str("_ibf_serv")] = x.getTotalTimer(pName, "ibf_serv")
return
for blockPbItem in BE.chunks(item,blkPbSz):
block = BE.BlockDisk2Block(blockPbItem, blkDatSz)
bIndex = block.getDecimalIndex()
if bIndex in lost:
x.startTimer(pName, "qSet_proof")
binBlockIndex = block.getStringIndex()
indices = ibf.getIndices(binBlockIndex, True)
for i in indices:
with lock:
qSets.addValue(i, bIndex)
x.endTimer(pName, "qSet_proof")
del block
continue
x.startTimer(pName, "cSumKept")
x.startTimer(pName, "cTagKept")
aI = pickPseudoRandomTheta(chlng, block.getStringIndex())
aI = number.bytes_to_long(aI)
bI = number.bytes_to_long(block.data.tobytes())
with lock:
x.startTimer(pName, "ibf_serv")
ibf.insert(block, chlng, N, g, True)
x.endTimer(pName, "ibf_serv")
cVal["cSum"] += (aI*bI)
x.endTimer(pName,"cSumKept")
cVal["cTag"] *= gmpy2.powmod(T[bIndex], aI, N)
cVal["cTag"] = gmpy2.powmod(cVal["cTag"],1,N)
x.endTimer(pName,"cTagKept")
del block
def main():
# predefine these, we will stop overwriting them when ready to run the big numbers
p=mpz('13407807929942597099574024998205846127'
'47936582059239337772356144372176403007'
'35469768018742981669034276900318581848'
'6050853753882811946569946433649006084171'
)
g=mpz('117178298803662070095161175963353670885'
'580849999989522055999794590639294997365'
'837466705721764714603129285948296754282'
'79466566527115212748467589894601965568'
)
y=mpz('323947510405045044356526437872806578864'
'909752095244952783479245297198197614329'
'255807385693795855318053287892800149470'
'6097394108577585732452307673444020333'
)
log.info("Starting Discrete Log Calculation")
log.info("p: %i", p)
log.info("g: %i", g)
log.info("y: %i", y)
m = gmpy2.ceil(gmpy2.sqrt(p))
log.info("m: %i", m)
# custom range since builtin has a size limit
long_range = lambda start, stop: iter(itertools.count(start).next, stop)
chunk_size = 100000
if m < 100000:
chunk_size = m
stop_at = chunk_size
start = 0
while True:
chunk = {}
log.info("Starting chunk from %i to %i", start, stop_at)
for i in xrange(start, stop_at):
chunk[gmpy2.powmod(g,i,p)] = i
for t in long_range(0,m):
expone = mpz(gmpy2.mul(-m,t))
g_term = gmpy2.powmod(g, expone, p)
res = gmpy2.f_mod(gmpy2.mul(y, g_term), p)
if res in chunk:
s = chunk[res]
dc = gmpy2.f_mod(mpz(gmpy2.add(s, gmpy2.mul(m,t))), p)
log.info("DC LOG FOUND")
log.info("dc: %i", dc)
return
log.info("Completed chunk run: %i to %i no DC yet :(", start, stop_at)
start = stop_at
stop_at += chunk_size
def encrypt(pub, plain):
while True:
r=mpz_urandomb(rand, pub.bits)
if r > 0 and r < pub.n and gcd(r,pub.n)==1:
break
# else:
# print r
# for sufficiently large pub.bits comment the previous while True loop and uncomment the following line
# r=mpz_urandomb(rand, pub.bits)
x = powmod(r, pub.n, pub.n_sq)
cipher = (powmod(pub.g, plain, pub.n_sq) * x) % pub.n_sq
return cipher
def findDiscreteLog(self):
x = -1
element_powB = gmpy2.powmod(mpz(self.element), mpz(self.B), mpz(self.prime))
for x0 in range (0, self.B + 1):
right_x0 = gmpy2.powmod(element_powB, x0, mpz(self.prime))
if right_x0 in self.h_by_gx_hash:
print("x0: %d" % (x0))
x1 = self.h_by_gx_hash[right_x0]
print("x1: %d" % (x1))
x = gmpy2.t_mod(gmpy2.add(gmpy2.mul(x0, self.B), x1), mpz(self.prime))
print("x: %d" % (x))
return str(x)
return x
def encrypt(pub, plain):
# while True:
# r = generate_prime(pub.bits)
# if r > 0 and r < pub.n:
# break
r = mpz_urandomb(rand, pub.bits)
# if gcd(r,pub.n)==1:
# break
# else:
# print r
x = powmod(r, pub.n, pub.n_sq)
cipher = (powmod(pub.g, plain, pub.n_sq) * x) % pub.n_sq
return cipher
def checkCorresponding(table, g, B, p):
'''
B - number from meet in the middle attack
Func verifies if computing element is in hash table.
return: needed elements x0,x1
'''
base = gmpy2.powmod(g, B, p)
for x0 in range(B):
value = gmpy2.powmod(base, x0, p)
if(table.has_key(value)):
x1 = table.get(value)
return (x0, x1)
def dlog(prime, g, h):
CONST_2_20 = 2 ** 20
h_x1 = {}
for x1 in xrange(CONST_2_20 + 1):
val = divm(h, powmod(g, x1, prime), prime)
h_x1[val] = x1
gb = powmod(g, CONST_2_20, prime)
for x0 in xrange(CONST_2_20 + 1):
val = powmod(gb, x0, prime)
if val in h_x1:
x1 = h_x1[val]
x = x0 * CONST_2_20 + x1
print x
break
def regenerate_key(bits,x,x_i,L,leave):
""" Regenerate the key r when some peer join or leave the team. All the variables' name are the same as those used in the paper.
Args:
bits: int, the number of bits of p, which can be set to be larger than the length of r.
x: list, x_i which has been distributed members.
x_i: int, the x_i of a member who wants to join or leave the team.
L: int, the value of product of x_is before the member join or leave.
leave: bool. True if the x_i is leaving the team. False if the x_i is join the team.
"""
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
if leave :
L=gmpy2.div(L,x_i)
else:
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
while get_key(g,m,u,x[0])!=r:
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
if leave :
L=gmpy2.div(L,x_i)
else:
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
return (g,m,u,L,r)
def generate_key_r(bits,x):
""" Generate the key r. All the variables' name are the same as those used in the paper.
Args:
bits: int, the number of bits of p, which can be set to be larger than the length of r.
x: list, includes x_i which has been distributed members.
"""
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
L=1
for x_i in x :
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
""" Because the primes generated are pseudo primes that has passed probable
prime test, it is possible that the member cannot calculat the right key.
Verify the members can calculate the key rightly.
"""
while get_key(g,m,u,x[0])!=r:
p=generate_large_prime(bits)
(m,q)=generate_m(p)
delta= generate_large_prime(len(bin(min(x)))-2)
k=delta-p
a=generate_large_prime(bits)
g=gmpy2.powmod(a,q,m)
r=gmpy2.powmod(g,k,m)
L=1
for x_i in x :
L=gmpy2.mul(L,x_i)
u=gmpy2.invert(delta,L)
return (g,m,u,L,r)
def getIntermidiateX(p, g, h):
table = {}
for x1 in range(0, 2 ** 20 + 1):
denominator = powmod(g, x1, p)
division = divm(h, denominator, p)
table[division] = x1
# print division
for x0 in range(0, 2 ** 20 + 1):
rightHandSide = mpz(powmod(powmod(g, B, p), mpz(x0), p))
# print rightHandSide
if rightHandSide in table:
print "Win x0={0}, x1={1}".format(x0, table[rightHandSide])
return x0, table[rightHandSide]
def rsa_decrypt(_input):
check = bchexdec(_input)
modulus = bin2int(PRIVATE_KEY['modulus'])
exponent = int("010001", 16)
result = int(gmpy2.powmod(check, exponent, modulus))
rb = bcdechex(result)
return padstr(rb).upper()
def factor_prime(prime):
# p - 1 is 37-smooth
base = 2
k_sm = 37
# pow(base,k_sm!) mod prime
a = gmpy2.powmod(base, gmpy2.fac(k_sm), prime)
# gcd(r_k - 1, prime)
p = gmpy2.gcd(a-1, prime)
# get second factor of prime
q = (prime / p)
# make sure factors (pq) are prime
if (gmpy2.is_prime(p) and gmpy2.is_prime(q)):
print "p = ", p
print "q = ", q
# make sure n = p*q = prime number
n = gmpy2.mul(p,q)
if (n == prime):
print "n = ", gmpy2.mul(p,q)
return
def __init__(self, p, q, s, shift=0):
self.p = p
self.q = q
self.n = p * q
power = (2 ** shift) % ((p - 1) * (q - 1))
self.s = s % self.n
self.s = gmpy2.powmod(self.s, power, self.n)
def q4():
c = mpz('22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256' +
'46583996794288946076454204058156474898801373486412045232522932017648791666640299750918872997169052608322206777160001932' +
'9260870009579993724077458967773697817571267229951148662959627934791540')
n = mpz('17976931348623159077293051907890247336179769789423065727343008115' +
'77326758055056206869853794492129829595855013875371640157101398586' +
'47833778606925583497541085196591615128057575940752635007475935288' +
'71082364994994077189561705436114947486504671101510156394068052754' +
'0071584560878577663743040086340742855278549092581')
e = mpz(65537)
a = isqrt(n) + 1
x = isqrt(a**2 - n)
p = a - x
q = a + x
fi = (p-1) * (q-1)
d = invert(e, fi)
r = powmod(c, d, n)
m = digits(r, 16).split('00')[1]
return m.decode('hex')
def hash_table(h, g, p, B):
table = dict() # Table to store x1 and h/(g**x1) values
for x1 in range(B - 1):
val = gmpy2.f_mod(gmpy2.mul(h, gmpy2.powmod(g, -x1, p)), p)
table.update({val: x1})
return table
def getTags(self, w_collection, g, blocks, d, n):
tags = []
fp = open("BEFORE","w")
for (w, b) in zip(w_collection, blocks):
h = SHA256.new()
bLong = number.bytes_to_long(b.data.tobytes())
powG = gmpy2.powmod(g,bLong, n)
h.update(str(w))
wHash = number.bytes_to_long(h.digest())
fp.write(str(wHash)+"\n")
wGmodN = gmpy2.powmod((wHash*powG),1, n)
res = gmpy2.powmod(wGmodN, d, n)
tags.append(res)
fp.close()
return tags
def self_test():
p = 13407807929942597099574024998205846127479365820592393377723561443721764030073546976801874298166903427690031858186486050853753882811946569946433649006084171
g = 11717829880366207009516117596335367088558084999998952205599979459063929499736583746670572176471460312928594829675428279466566527115212748467589894601965568
h = 3239475104050450443565264378728065788649097520952449527834792452971981976143292558073856937958553180532878928001494706097394108577585732452307673444020333
print("Running tiny test")
xTiny = 3
x = discrete_log(97, 20, 57, 6)
print("x == {}".format(x))
assert(xTiny == x)
print("Tiny test passed!")
print("")
print("Running short test")
xShort = 23232
x = discrete_log(1938281, 190942, 1737373, 16)
print("x == {}".format(x))
assert(xShort == x)
print("Short test passed!")
print("")
print("Running long test")
x = discrete_log(p, h, g, 40)
assert(h == powmod(g,x,p))
print("x == {}".format(x))
print("Long test passed!")
print("")
def Q1Q4():
N = mpz('17976931348623159077293051907890247336179769789423065727343008115\
77326758055056206869853794492129829595855013875371640157101398586\
47833778606925583497541085196591615128057575940752635007475935288\
71082364994994077189561705436114947486504671101510156394068052754\
0071584560878577663743040086340742855278549092581')
A = isqrt(N) + 1
x = isqrt(sub(mul(A, A), N))
p = sub(A, x)
q = add(A, x)
print("Q1:")
print(p)
fiN = mul(sub(p, 1), sub(q, 1))
e = mpz(65537)
d = gmpy2.invert(e, fiN)
ct = mpz('22096451867410381776306561134883418017410069787892831071731839143\
67613560012053800428232965047350942434394621975151225646583996794\
28894607645420405815647489880137348641204523252293201764879166664\
02997509188729971690526083222067771600019329260870009579993724077\
458967773697817571267229951148662959627934791540')
pt = gmpy2.powmod(ct, d, N)
ptstr = pt.digits(16)
pos = ptstr.find('00')
payload = ptstr[pos + 2:]
print("Q4:")
print(binascii.unhexlify(payload))
def main():
g_to_b = powmod(G, 1048576, P)
g_invert = invert(G, P)
map = {}
time_start = time.time()
calc_1 = t_mod(H * G, P)
for i in range(1048576 + 1):
calc_1 = t_mod(calc_1 * g_invert, P)
map[calc_1] = i
time_end = time.time()
sys.stdout.write('\n\n')
sys.stdout.write('Left side complete...\n')
sys.stdout.write('Time: %0.3f ms\n' % ((time_end - time_start) * 1000.0))
sys.stdout.flush()
time_start = time.time()
calc_0 = invert(g_to_b, P)
for j in range(1048576 + 1):
calc_0 = t_mod(calc_0 * g_to_b, P)
if calc_0 in map:
calc = (j * 1048576) + map[calc_0]
sys.stdout.write('\n\n')
sys.stdout.write('Successfully found x with a value of %s\n' % calc)
sys.stdout.flush()
break
time_end = time.time()
sys.stdout.write('Time: %0.3f ms\n' % ((time_end - time_start) * 1000.0))
sys.stdout.flush()
def crack(cipher_text, rsa):
raw_cipher_text = cipher_text
# low和high表示明文范围
low = 0
high = rsa["n"] - 1
while int(low) != int(high):
# 题目给的算法原理: If you double a ciphertext (multiply it by (2**e)%n)
# the resulting plaintext will (obviously) be either even or odd.
cipher_text = (2 ** rsa["e"] * cipher_text) % rsa["n"]
if judge_rsa_parity(cipher_text, rsa["n"], rsa["d"]):
# odd: plaintext in upper half of range
if high - low == 1:
# 明文一定是整数(不可能是浮点), 这种情况下说明找到了
low = high
low += (high - low) // 2 # 地板除法防止产生浮点数
else:
# If the plaintext after doubling is even, doubling the plaintext didn't wrap the modulus
# even: plaintext in the lower half
if high - low == 1:
high = low
high -= (high - low) // 2
# 考虑到可能有误差, 设置个误差范围进行解码
possible_plaintexts = list()
for i in range(-5, 5):
plaintext = gmpy2.powmod(low + i, rsa["e"], rsa["n"])
possible_plaintexts.append(int(low + i).to_bytes(1000, "big").replace(b"\x00", b""))
return possible_plaintexts
def dlog(pgh):
p = pgh[0]
g = pgh[1]
h = pgh[2]
B = gmpy2.powmod(2,20,mpz(p))
B_low = 0
#B_low = gmpy2.powmod(2,18,mpz(p))
print "B: " + repr(B)
# build the hash
hash_table = {}
for i in range(B_low,B):
left = gmpy2.divm(mpz(h),gmpy2.powmod(mpz(g),i, mpz(p)),mpz(p))
try:
hash_table[left]
print "collision at " + i
except KeyError:
hash_table[left] = i
continue
print "Hash table built"
#print "keys: " + repr(hash_table.keys())
counter = mpz(0)
# meet in the middle
x0 = mpz(0)
x1 = mpz(0)
for i in range(B_low,B):
counter = gmpy2.add(counter,mpz(1))
right = gmpy2.powmod(gmpy2.powmod(mpz(g),mpz(B),mpz(p)),i,mpz(p))
try:
h_entry = hash_table[right]
print 'found x0 and x1...'
x0 = i
x1 = h_entry
print 'x0=' + repr(x0)
print 'x1=' + repr(x1)
break
except KeyError:
continue
print "counter: " + repr(counter)
x = gmpy2.t_mod(gmpy2.add(gmpy2.mul(x0,B),x1), mpz(p))
return x
def is_prime(r):
for k in range(0,10000000):
p = gmpy2.add(r, k)
a = gmpy2.powmod(2, p-1, p)
if (a == 1):
print "k = %i \nprime = %i\n" % (k, p)
return
def probable_prime(exponent):
for k in range(0,10000000):
p = 10**exponent + k
a = gmpy2.powmod(2, p-1, p)
if (a == 1):
print "k = %i \nprobable prime = %i\n" % (k, p)
return
import gmpy2
def asc2str(strs):
result = ''
if (len(strs) % 2) == 0:
strs = strs[2:]
else:
strs = strs[2:]
strs = '0' + strs
result = strs.decode('hex')
print result
return result
N = 322831561921859
p = 13574881
q = 23781539
c = 0xdc2eeeb2782c
e = 23
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
flag = gmpy2.powmod(c, d, N)
asc2str(hex(flag))
import gmpy2
from Crypto.Util.number import bytes_to_long, long_to_bytes, inverse
q = 25447604191089399379159931601501080444223112829447986750317096149517867285845804966271224749129184435412473271409883249120061873968316995978986208798525834614270065406921367971958806946394627934176702490478759393791972348471983612822611594685811932943967049526367295051671357595632868487646701478129716574546371021473575044516208082932409236271197813454910887142831892249406409490190907510457662553380813454668746280863597454887291739055374694568403834521593202067598993705171014838010676808696015931234887447378008864624871506336318997332815619367547971665857733583462023685385857017492039424076060074104480283423261
p = 25447604191089399379159931601501080444223112829447986750317096149517867285845804966271224749129184435412473271409883249120061873968316995978986208798525834614270065406921367971958806946394627934176702490478759393791972348471983612822611594685811932943967049526367295051671357595632868487646701478129716574546371021473575044516208082932409236271197813454910887142831892249406409490190907510457662553380813454668746280863597454887291739055374694568403834521593202067598993705171014838010676808696015931234887447378008864624871506336318997332815619367547971665857733583462023685385857017492039424076060074104480283422433
n = 647580559066350764512574139212258654419619377791696792933162647847016182264786947024323483613445156926567953673211035865775396889491136493021394983865794529477091872229948860215774356455333826515720143910504339782998354975787558272036453370109286642626999091302012693562994565167763421804705602666440082138719409120664293876204553614511882382199434919365954997082834057119072868066696185230896273866269308019520562618860020221768639470528300841159704088859374399286986458302241337120121430937058280863472916553328255990461105886678126859657320418919609691089677744300138990131567897731188913573095161012997609872471436323858576012929455006921387033623358406327954425701649820631580290471076284227572599505740170534938538303275799383217459413578897504327360744415747939112249827320135553789275968404788584789483305709222531189435482276931098037440920811828069795012367922134191531348046137386595744872323763751900274523135348273825558806037832123609238684829315071013742451094194097286985647180549444633529585827947422469423955056342229557961062943802754823402381380268562309956425582717559687406317915547051766896665477764999756658000565784673316779579644624160889528487904071313946671365415309957045804828537561845474437630201414013
c = 3301725813323793523830449827529001764170324266525813942905248339398533386704146778215164605307364778538312368834939155244976282618558606453065237517755562156941816361506386129237655201821569225442531883605299886901781519717
e = 3
phi = n - (p + q - 1)
d = inverse(e, phi)
plain = gmpy2.powmod(c, d, n)
print "plaintext: {}".format(long_to_bytes(plain))
#!/usr/bin/env python2.7
import gmpy2
import sys
from main import *
# Closed form of `enc`:
# ct = pt * 1337**R + sum(k * 1337**i for i = 1..R)
# A = 1337**R
A = gmpy2.powmod(1337, R, P)
# B = 1337**R + 1337**(R - 1) + ... + 1337
# = (1337**(R + 1) - 1) / (1337 - 1) - 1
B = gmpy2.divm(gmpy2.powmod(1337, R + 1, P) - 1, 1336, P) - 1
pt = a2i(file('lorem').read()) % P
ct = a2i(file('lorem.enc').read())
# Caveat: corresponding CT block is the most significant part
while ct > P:
ct /= P
# Solve for k
k = gmpy2.divm(ct - A * pt, B, P)
def dec(ct, k):
a = a2i(ct)
b = 0
while a:
x = a % P
59997945906392949973658374667057217647146031292859482967\
5428279466566527115212748467589894601965568')
h=mpz('323947510405045044356526437872806578864909752095244\
952783479245297198197614329255807385693795855318053\
2878928001494706097394108577585732452307673444020333')
B=2**20
x_result = mpz(0)
x0_result = mpz(0)
x1_result = mpz(0)
# build the hash table of h/g^x_1 x_1 from 0 to 2^20
left_table = dict()
for x1 in range(0, B): # 2**20 + 1 ?
# compute h/(g**x1) mod p
key = powmod(g, -x1, p) # seperate ?
key = f_mod(h * key, p)
left_table[key] = x1
# (g^B)^X_0
right_base = powmod(g, B, p)
for x0 in range(0, B):
right_val = powmod(right_base, x0, p)
if right_val in left_table.keys():
x0_result = x0
x1_result = left_table[right_val]
x_result = x0_result * B + x1_result
break
print x_result
def compute_x0s(p, h, g, B):
return ((i, powmod(g, B * i, p)) for i in range(B))
def encrypt(self, msg, rdm):
return (gmpy2.powmod(self.g, msg, self.n2) * gmpy2.powmod(rdm, self.n, self.n2)) % (self.n2)
def inverse_mod(a, m):
"""Inverse of a mod m."""
if a == 0:
return 0
return powmod(a, -1, m)
def compute_x1(seq):
hash_map = {}
for x1 in seq:
left = f_mod(H * invert(powmod(G, x1, P), P), P)
hash_map[left] = x1
return hash_map
"""
This function has very special purpose
:)) Simply to screw you up
"""
raw = urandom(6)
print 'prefix = {}'.format(raw.encode('hex'))
challenge = raw_input('Challenge: ')
temp = sha256(raw + challenge).hexdigest()
if temp.startswith('25455'):
return True
else:
return False
if __name__ == "__main__":
try:
assert proof_of_shit() == True
N, delta, gamma = gen_key()
m = int(FLAG.encode('hex'), 16)
c = powmod(m, 0x10001, N)
print introduction
print 'N = {}'.format(N)
print 'delta = {}'.format(delta)
print 'gamma = {}'.format(gamma)
print 'ciphertext = {}'.format(c)
except AssertionError:
print "Take your time and think of the inputs."
assert p == 21909849592475533092273988531583955898982176093344929030099423584127212078126150044721102570957812665127475051465088833555993294644190955293613411658629209
print 'Question 4'
c = 22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540
e = 65537
N = N1
p = p1
q = q1
assert p * q == N
phi = (p - 1) * (q - 1)
assert phi == N - p - q + 1
# e*d = 1 % phi
d = gmpy2.divm(1, e, phi)
assert (e * d) % phi == 1
# encrypt c = m^e in Zn
# decrypt m = c^d in Zn
m = gmpy2.powmod(c, d, N)
assert gmpy2.powmod(m, e, N) == c
hexstring = format(m, 'x')
hexstring = hexstring.split('00')[1]
plaintext = hexstring.decode('hex')
print plaintext
# correct answer
assert plaintext == 'Factoring lets us break RSA.'
def powmod(x, y, m):
return gmpy2.powmod(gmpy2.mpz(x), gmpy2.mpz(y), gmpy2.mpz(m))
def getRec(i):
if i % 2:
return (2 * powmod(3, i, 256) - 1) % 256
else:
return (2 * powmod(3, i, 256) + 1) % 256
def xgcd(a, b):
"""return (g, x, y) such that a*x + b*y = g = gcd(a, b)"""
x0, x1, y0, y1 = 0, 1, 1, 0
while a != 0:
q, b, a = b // a, a, b % a
y0, y1 = y1, y0 - q * y1
x0, x1 = x1, x0 - q * x1
return b, x0, y0
c = gmpy2.mpz(int(open(sys.argv[1]).readline().strip(), 16))
pk = open(sys.argv[2])
n = gmpy2.mpz(int(pk.readline().strip()[2:], 16))
e = gmpy2.mpz(int(pk.readline().strip()[2:], 16))
p, q = fermat_factorise(n)
phi = (p - 1) * (q - 1)
gcd, d, b = xgcd(e, phi)
plaintext = gmpy2.powmod(c, gmpy2.mpz(d), n)
bin = bytearray(gmpy2.to_binary(plaintext))
print('p = {}\n\nq = {}\n'.format(p, q))
print('d = {}\n'.format(d))
print('Plaintext (little endian): {}'.format(bin))
bin.reverse()
print('Plaintext (big endian): {}'.format(bin))
def run(args):
if dependencies_missing:
module.log("Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue", level='error')
return
target = (args['rhost'], int(args['rport']))
timeout = float(args['timeout'])
cipher_handshake = cipher_handshakes[args['cipher_group']]
module.log("{}:{} - Scanning host for Bleichenbacher oracle".format(*target), level='debug')
N, e = get_rsa_from_server(target, timeout)
if not N:
module.log("{}:{} - Cannot establish SSL connection: {}".format(*target, e), level='error')
return
modulus_bits = int(math.ceil(math.log(N, 2)))
modulus_bytes = (modulus_bits + 7) // 8
module.log("{}:{} - RSA N: {}".format(*target, hex(N)), level='debug')
module.log("{}:{} - RSA e: {}".format(*target, hex(e)), level='debug')
module.log("{}:{} - Modulus size: {} bits, {} bytes".format(*target, modulus_bits, modulus_bytes), level='debug')
cke_2nd_prefix = bytearray.fromhex("{0:0{1}x}".format(modulus_bytes + 6, 4) + "10" + "{0:0{1}x}".format(modulus_bytes + 2, 6) + "{0:0{1}x}".format(modulus_bytes, 4))
# pad_len is length in hex chars, so bytelen * 2
pad_len = (modulus_bytes - 48 - 3) * 2
rnd_pad = ("abcd" * (pad_len // 2 + 1))[:pad_len]
rnd_pms = "aa112233445566778899112233445566778899112233445566778899112233445566778899112233445566778899"
pms_good_in = int("0002" + rnd_pad + "00" + "0303" + rnd_pms, 16)
# wrong first two bytes
pms_bad_in1 = int("4117" + rnd_pad + "00" + "0303" + rnd_pms, 16)
# 0x00 on a wrong position, also trigger older JSSE bug
pms_bad_in2 = int("0002" + rnd_pad + "11" + rnd_pms + "0011", 16)
# no 0x00 in the middle
pms_bad_in3 = int("0002" + rnd_pad + "11" + "1111" + rnd_pms, 16)
# wrong version number (according to Klima / Pokorny / Rosa paper)
pms_bad_in4 = int("0002" + rnd_pad + "00" + "0202" + rnd_pms, 16)
pms_good = int(gmpy2.powmod(pms_good_in, e, N)).to_bytes(modulus_bytes, byteorder="big")
pms_bad1 = int(gmpy2.powmod(pms_bad_in1, e, N)).to_bytes(modulus_bytes, byteorder="big")
pms_bad2 = int(gmpy2.powmod(pms_bad_in2, e, N)).to_bytes(modulus_bytes, byteorder="big")
pms_bad3 = int(gmpy2.powmod(pms_bad_in3, e, N)).to_bytes(modulus_bytes, byteorder="big")
pms_bad4 = int(gmpy2.powmod(pms_bad_in4, e, N)).to_bytes(modulus_bytes, byteorder="big")
oracle_good = oracle(target, pms_good, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout)
oracle_bad1 = oracle(target, pms_bad1, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout)
oracle_bad2 = oracle(target, pms_bad2, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout)
oracle_bad3 = oracle(target, pms_bad3, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout)
oracle_bad4 = oracle(target, pms_bad4, cke_2nd_prefix, cipher_handshake, messageflow=False, timeout=timeout)
if (oracle_good == oracle_bad1 == oracle_bad2 == oracle_bad3 == oracle_bad4):
module.log("{}:{} - Identical results ({}), retrying with changed messageflow".format(*target, oracle_good), level='info')
oracle_good = oracle(target, pms_good, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout)
oracle_bad1 = oracle(target, pms_bad1, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout)
oracle_bad2 = oracle(target, pms_bad2, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout)
oracle_bad3 = oracle(target, pms_bad3, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout)
oracle_bad4 = oracle(target, pms_bad4, cke_2nd_prefix, cipher_handshake, messageflow=True, timeout=timeout)
if (oracle_good == oracle_bad1 == oracle_bad2 == oracle_bad3 == oracle_bad4):
module.log("{}:{} - Identical results ({}), no working oracle found".format(*target, oracle_good), level='info')
return
else:
flow = True
else:
flow = False
# Re-checking all oracles to avoid unreliable results
oracle_good_verify = oracle(target, pms_good, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout)
oracle_bad_verify1 = oracle(target, pms_bad1, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout)
oracle_bad_verify2 = oracle(target, pms_bad2, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout)
oracle_bad_verify3 = oracle(target, pms_bad3, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout)
oracle_bad_verify4 = oracle(target, pms_bad4, cke_2nd_prefix, cipher_handshake, messageflow=flow, timeout=timeout)
if (oracle_good != oracle_good_verify) or (oracle_bad1 != oracle_bad_verify1) or (oracle_bad2 != oracle_bad_verify2) or (oracle_bad3 != oracle_bad_verify3) or (oracle_bad4 != oracle_bad_verify4):
module.log("{}:{} - Getting inconsistent results, skipping".format(*target), level='warning')
return
# If the response to the invalid PKCS#1 request (oracle_bad1) is equal to both
# requests starting with 0002, we have a weak oracle. This is because the only
# case where we can distinguish valid from invalid requests is when we send
# correctly formatted PKCS#1 message with 0x00 on a correct position. This
# makes our oracle weak
if (oracle_bad1 == oracle_bad2 == oracle_bad3):
oracle_strength = "weak"
else:
oracle_strength = "strong"
if flow:
flowt = "shortened"
else:
flowt = "standard"
s, cke_version = tls_connect(target, timeout, cipher_handshake)
s.close()
if cke_version[0] == 3 and cke_version[1] == 0:
tlsver = "SSLv3"
elif cke_version[0] == 3 and cke_version[1] == 1:
tlsver = "TLSv1.0"
elif cke_version[0] == 3 and cke_version[1] == 2:
tlsver = "TLSv1.1"
elif cke_version[0] == 3 and cke_version[1] == 3:
tlsver = "TLSv1.2"
else:
tlsver = "TLS raw version %i/%i" % (cke_version[0], cke_version[1])
module.report_vuln(target[0], 'Bleichenbacher Oracle', port=target[1])
module.log("{}:{} - Vulnerable: ({}) oracle found {} with {} message flow".format(*target, oracle_strength, tlsver, flowt), level='good')
module.log("{}:{} - Result of good request: {}".format(*target, oracle_good), level='debug')
module.log("{}:{} - Result of bad request 1 (wrong first bytes): {}".format(*target, oracle_bad1), level='debug')
module.log("{}:{} - Result of bad request 2 (wrong 0x00 position): {}".format(*target, oracle_bad2), level='debug')
module.log("{}:{} - Result of bad request 3 (missing 0x00): {}".format(*target, oracle_bad3), level='debug')
module.log("{}:{} - Result of bad request 4 (bad TLS version): {}".format(*target, oracle_bad4), level='debug')
with open("./pubkey", "r") as f:
pubkey = int(f.read(), 16)
with open("./key_enc", "r") as f:
key_enc = int(f.read(), 16)
with open("./key_dec", "r") as f:
key_dec = int(f.read(), 16)
import gmpy2
import math
import sys
encrypted = gmpy2.powmod(11711737117, key_enc, pubkey)
def calc_list(target, modulo, redix=8):
lst = [1]
for i in range(2**redix):
print(i)
lst.append(gmpy2.t_mod(gmpy2.mul(lst[-1], target), modulo))
return lst
def power(lst, exponent, modulo, redix=8):
result = 1
while True:
ind = exponent & (2**redix - 1)
result = gmpy2.t_mod(gmpy2.mul(result, lst[ind]), modulo)
exponent = exponent >> redix
def enc_mul_const(pub, m, c):
return powmod(m, c, pub.n_sq)
def decrypt(self, enc):
return gmpy2.mul(self.L(gmpy2.powmod(enc, self.l, self.n2)), self.m) % self.n
rhs = gmpy2.powmod(gB, x0, p)
print('Trying x0 %d' % x0)
if rhs in lhs.keys():
x1 = lhs[rhs]
print('Found x1 %d' % x1)
return x0 * B + x1
print('Not found')
return -1
p = '134078079299425970995740249982058461274793658205923933 \
77723561443721764030073546976801874298166903427690031 \
858186486050853753882811946569946433649006084171'
g = '11717829880366207009516117596335367088558084999998952205 \
59997945906392949973658374667057217647146031292859482967 \
5428279466566527115212748467589894601965568'
h = '323947510405045044356526437872806578864909752095244 \
952783479245297198197614329255807385693795855318053 \
2878928001494706097394108577585732452307673444020333'
p = gmpy2.mpz(p)
g = gmpy2.mpz(g)
h = gmpy2.mpz(h)
x = dlog(p, g, h)
print(x)
print('verifying: h == %d' % gmpy2.powmod(g, x, p))
def modular_root(m, factors, x, p):
multiplicative_group_order = reduce(mul, [x - 1 for x in factors])
_, p_inv, _ = gcdext(p, multiplicative_group_order)
return int(powmod(x, p_inv, m))
g=mpz('11717829880366207009516117596335367088558084999998952205\
59997945906392949973658374667057217647146031292859482967\
5428279466566527115212748467589894601965568')
h=mpz('323947510405045044356526437872806578864909752095244\
952783479245297198197614329255807385693795855318053\
2878928001494706097394108577585732452307673444020333')
B=2**20
x_result = mpz(0)
x0_result = mpz(0)
x1_result = mpz(0)
# build the hash table of h/g^x_1 x_1 from 0 to 2^20
left_table = dict()
for x1 in range(0, B): # 2**20 + 1 ?
key = powmod(g, -x1, p) # seperate ?
key = f_mod(h * key, p)
left_table[key] = x1
for x0 in range(0, B):
right_val = powmod(g, x0 * B, p)
try:
x1_result = left_table[right_val]
x0_result = x0
x_result = x0_result * B + x1_result
break
except KeyError:
continue
print x_result
print " {} = {} * B + {}".format(x_result, x0_result, x1_result)
(q, rem2) = gmpy2.c_divmod(res - AA, 6)
if rem != 0 or rem2 != 0:
(p, rem1) = gmpy2.c_divmod(res - AA, 4)
(q, rem2) = gmpy2.c_divmod(res + AA, 6)
assert (abs(p * q) == N3)
return min(abs(p), abs(q))
print(break_challenge_3(N3))
print("-" * 20)
print("Part 4:")
CHALLENGE_CIPHERTEXT = mpz(
22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540
)
e = 65537
phi_N = mul(p - 1, q - 1)
# m^(e * d) = m
# e * d = 1
# d = modinv(e, phi_N)
d = invert(e, phi_N)
plaintext = powmod(CHALLENGE_CIPHERTEXT, d, N)
assert (mul(p, q) == N)
assert (powmod(powmod(CHALLENGE_CIPHERTEXT, d, N), e,
N) == CHALLENGE_CIPHERTEXT)
print(bytearray.fromhex(hex(plaintext).split('00')[1]).decode())
import gmpy2
p = 13574881
q = 23781539
n = p * q
e = 23
c = 0xdc2eeeb2782c
phin = (p - 1) * (q - 1)
d = gmpy2.invert(e, phin)
p = gmpy2.powmod(c, d, n)
tmp = hex(p)
print tmp, tmp[2:].decode('hex')
N = mpz(
'179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581'
)
C = mpz(
'22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540'
)
enc_exp = mpz('65537')
(A, is_exact) = iroot(N, 2)
if not is_exact:
A = A + 1
x = isqrt(A**2 - N)
p = A - x
q = A + x
if p * q != N:
print("4: Fail check p * q != N")
phi_N = N - p - q + 1
dec_exp = invert(enc_exp, phi_N)
if t_mod(enc_exp * dec_exp, phi_N) != mpz(1):
print("4: Fail check e*d != 1")
pkcs_pt = powmod(C, dec_exp, N)
#print("pkcs plaintext:")
#print(pkcs_pt.digits(16))
res_C = powmod(pkcs_pt, enc_exp, N)
if res_C != C:
print("4: Fail check res_C != C")
pt_hex = pkcs_pt.digits(16).split("00")[1]
print("4:")
print("'" + bytes.fromhex(pt_hex).decode('utf-8') + "'")
sys.exit(0)
def enc_mul_const(pub, m, c):
"""Multiplies an encrypted integer by a constant"""
mul_result = powmod(m, c, pub.n_sq)
return mul_result
def __rpow__(self, other):
return DHGroupNumber(powmod(other, self, self.__local__.context.modulo))
def enc_add_const(pub, m, c):
"""Add constant n to an encrypted integer"""
# Similiar to enc add
add_const_result = m * powmod(pub.g, c, pub.n_sq) % pub.n_sq
return add_const_result
def __pow__(self, other, modulo=None):
return DHGroupNumber(powmod(self, other, modulo if modulo is not None else self.__local__.context.modulo))
def dec(priv, pub, cipher):
x = powmod(cipher, priv.l, pub.n_sq)
plain = (((x - 1) // pub.n) * priv.m) % pub.n
return plain
y2 = gmpy2.invert(M2, m2)
return (a1 * M1 * y1) + (a2 * M2 * y2)
while (True):
if (t % 2 != 0):
break
e = e + 1
t = t / 2
q = (m - 1) / pow(2, e)
# generate quadratic non-residue of m
while (True):
x = randint(2, m - 1)
z = powmod(x, q, m)
if (powmod(z, mpz(pow(2, e - 1)), m) != 1):
break
y = z
r = e
x = powmod(a, (q - 1) / 2, m)
v = a * x % m
w = v * x % m
while (True):
if (w == 1):
break
k = 0
while (True):
if (powmod(w, mpz(pow(2, k)), m) == 1):
def enc_add_const(pub, m, c):
return (m * powmod(pub.g, c, pub.n_sq)) % pub.n_sq
