예제 #1
1
파일: sil.py 프로젝트: estansifer/icfpc2016
 def init2(self):
     f = self.length_sq()
     self.rational = gmpy2.is_square(f.numerator) and gmpy2.is_square(f.denominator)
     if self.rational:
         n = int(gmpy2.iroot(f.numerator, 2)[0])
         d = int(gmpy2.iroot(f.denominator, 2)[0])
         self.length = fractions.Fraction(n, d)
예제 #2
0
def fermatFactor(n):
    a = gmpy2.iroot(gmpy2.mpz(n), 2)[0] + 1
    b2 = a**2 - n
    while gmpy2.is_square(b2) is False:
        a += 1
        b2 = a**2 - n
    return (a - gmpy2.iroot(b2, 2)[0], a + gmpy2.iroot(b2, 2)[0])
예제 #3
0
def factor_rsa_modulus_split(N):
    N = mpz(N)
    A, exact = gmpy2.iroot(24 * N, 2)
    if not exact:
        A = A + 1

    x, exact = gmpy2.iroot(A * A - 24 * N, 2)
    if not exact:
        print "Exact x not found"
        return None

    # have to check both positive and negative roots
    r = check_x(A, x)
    if r is None:
        r = check_x(A, -x)

    # Neither one worked
    if r is None:
        print "Cannot find p and q that fit"
        return None

    p, q = r
    if (p * q) != N:
        print "Found pair %s, %s but they don't produce N" % (str(p), str(q))
        return None

    return p, q
예제 #4
0
파일: solve.py 프로젝트: kankanhua/CTFS
def stage6(c, N):
    i = 0
    while 1:
        if (gmpy2.iroot(c + i * N, 3)[1] == 1):
            print i
            return gmpy2.iroot(c + i * N, 3)
        i = i + 1
예제 #5
0
def rev_crow(res, alpha):
    A = gmpy2.iroot(6 * res, 3)[0]
    B = gmpy2.iroot((6 * res - A**3) // 3, 2)[0] + alpha
    z = A - B
    y = (-6 * res + A**3 + 3 * (B**2) + 2 * B - z - 6) // 6
    x = B - y - 1
    return (x, y, z)
예제 #6
0
파일: RSAFunc.py 프로젝트: yuchouxuan/study
 def smalle(n, c, e=3):
     m = 0  # res是m
     for k in range(200000000):
         if gmpy2.iroot(c + n * k, e)[1] == 1:
             m = gmpy2.iroot(c + n * k, e)[0]
             print(k, m)
             print(libnum.n2s(m))
             return m
예제 #7
0
def fermat(n):
	a = gmpy2.isqrt(n) + 1
	b = a ** 2 - n
	while not gmpy2.iroot(b, 2)[1]:
		a += 1
		b = a ** 2 - n
	b = gmpy2.iroot(b, 2)[0]
	return (a + b, a - b)
예제 #8
0
def Brute(n, e, c):
    k = 0
    while True:
        if gmpy.iroot(c + k * n, e)[1] == True:
            m = gmpy.iroot(c + k * n, 3)[0]
            print(long_to_bytes(m))
            break
        k += 1
예제 #9
0
def factorise(n):
    #n,k=Ncheck(n)
    a = gmpy2.iroot(n, 2)[0]
    b = gmpy2.square(a) - n
    while ((a + b) <= n):
        if (gmpy2.is_square(b) == True):
            print(a, b)
        a = a + 1
        b = gmpy2.iroot(gmpy2.square(a) - n, 2)[0]
예제 #10
0
def hastads(N, e, c):
    log.info(
        'start Hastad attack. If there was no result after a long time. Press ctrl+c to stop, and try other ways.')
    n = 0
    while True:
        if gmpy2.iroot(c + n * N, e)[1]:
            log.info('Here are your plain text: \n' +
                     libnum.n2s(gmpy2.iroot(c + n * N, e)[0]))
            return
        n += 1
예제 #11
0
def fermat(n):
    a = gmpy2.iroot(n, 2)[0]+1
    count = 0
    while not gmpy2.iroot(a**2 - n, 2)[1]:
        a += 1
        count += 1
        if count == 100:
            return 0, 0
    b = gmpy2.iroot(a**2 - n, 2)[0]
    return a+b, a-b
예제 #12
0
def fermat(n, verbose=True):
    a = iroot(n, 2)[0] + 1
    b = a * a - n
    while not iroot(b, 2)[1]:
        a = a + 1
        b = a * a - n
    b = iroot(b, 2)[0]
    p = a + b
    q = a - b
    return p, q
예제 #13
0
def main():
    pth = fileChoose()
    with open(pth, "rb") as f:
        binary = f.read()
    L = len(binary)
    wid = None
    if L % 3 != 0:
        binary = os.urandom(3 - L % 3) + binary
        L = len(binary)
    if iroot(L // 3, 2)[1]:
        wid = int(iroot(L // 3, 2)[0])
    else:
        wid = int(iroot(L // 3, 2)[0]) + 1
        binary = os.urandom(3 * (wid**2 - L // 3)) + binary
        L = len(binary)

    assert L % 3 == 0, "Data cannot be RGB raw data"
    assert L == len(binary), "L must be length of binary"

    # BITMAPFILEHEADER
    bfType = b'BM'
    bfSize = bytes.fromhex(hexLE(L + 0x8A))
    bfReserved = bytes.fromhex("00000000")
    bfOffBits = bytes.fromhex("8A000000")

    FILEHEADER = bfType + bfSize + bfReserved + bfOffBits

    # BITMAPINFOHEADER
    biSize = bytes.fromhex("7C000000")
    biWidth = bytes.fromhex(hexLE(wid))  # Need to change
    biHeight = bytes.fromhex(hexLE(wid))  # Need to change
    biPlanes = bytes.fromhex("0100")
    biBitCount = bytes.fromhex("1800")
    biCompression = bytes.fromhex("00000000")
    biSizeImage = bytes.fromhex(hexLE(L))
    biXPelsPerMeter = bytes.fromhex("27000000")
    biYPelsPerMeter = bytes.fromhex("27000000")
    biClrUsed = bytes.fromhex("00000000")
    biClrImportant = bytes.fromhex("00000000")

    INFOHEADER = biSize + biWidth + biHeight + biPlanes + biBitCount + biCompression + biSizeImage + biXPelsPerMeter + biYPelsPerMeter + biClrUsed + biClrImportant

    DUMMY = os.urandom(84)

    npth = pth
    filename = npth.split("/")[-1]
    if filename.find(".") == -1:
        npth = npth + ".bmp"
    else:
        filename = '.'.join(filename.split(".")[:-1]) + ".bmp"
        npth = '/'.join(npth.split("/")[:-1]) + "/" + filename

    with open(npth, "wb") as f:
        DATA = FILEHEADER + INFOHEADER + DUMMY + binary
        f.write(DATA)
예제 #14
0
def attack_com_mode(n, c1, c2, e1, e2):
    # g为e1和e2的最大公约数
    g, s, t = gmpy2.gcdext(e1, e2)
    m = pow(c1, s, n) * pow(c2, t, n) % n
    y, b = gmpy2.iroot(m, g)
    k = 2
    while not b:
        att_m = m + k * n
        y, b = gmpy2.iroot(att_m, g)
        k += 1
    return y
예제 #15
0
def start(n, e, c):
    res = 0
    #print(time.asctime())
    for i in range(200000000):
        if gmpy2.iroot(c + n * i, 3)[1] == 1:
            res = gmpy2.iroot(c + n * i, 3)[0]
            #print(i, res)
            #print(long_to_bytes(res))
            #print(time.asctime())
            print("Successfully Cracked")
            break
    return long_to_bytes(res)
예제 #16
0
파일: tokyo.py 프로젝트: puckk/rsolver
def crack(solver):
    e = solver.datas["e"][-1]
    n = solver.datas["n"][-1]
    for k in range(1, 1000000):
        if gmpy2.iroot(1 + 4 * e * n * k, 2)[1]:
            q = int((1 + int(gmpy2.iroot(1 + 4 * e * n * k, 2)[0])) // (2 * e))
            solver.addq(q)
            if n % q == 0:
                p = n // q
                solver.addp(p)
                phin = (p - 1) * (q - 1)
                d = inverse(e, phin)
                solver.addd(d)
                break
예제 #17
0
def prime_power(x):
    if gmpy2.is_prime(x):
        return x, 1
    if x == 0 or x == 1:
        return None, None
    if not gmpy2.is_power(x):
        return None, None
    alpha = 2
    root, is_root = gmpy2.iroot(x, alpha)
    while not (is_root and not gmpy2.is_power(root)):
        alpha += 1
        root, is_root = gmpy2.iroot(x, alpha)
    if gmpy2.is_prime(root):
        return root, alpha
    return None, None
def generate_q7():
    print('Q7: ==========================')
    p = generate_prime_number()
    q = generate_prime_number()
    m = generate_prime_number(256)

    n = p * q
    e = 3

    c = pow(m, e, n)
    print('Given n, e, c, generate m')
    # The trick here is that e is so small you can just
    # get the (cubic root of c) % n  to get m
    gc = gmpy2.mpz(c)
    gn = gmpy2.mpz(n)
    ge = gmpy2.mpz(e)

    root, _ = gmpy2.iroot(gc, ge)
    m_p = gmpy2.t_mod(root, gn)

    assert(m_p == m)

    print('Values')
    print('n: {}'.format(n))
    print('e: {}'.format(e))
    print('c: {}'.format(c))

    print('Answer')
    print('m: {}'.format(m))
예제 #19
0
def crack(solver):
    n=solver.datas["n"]
    c=solver.datas["c"]
    le=len(n)
    # calc N
    N = 1
    for num in n:
        N *= num

    # N1,N2...Nn
    # NN1 * t1 = 1 (mod n1)
    NN = [None] * le
    t =  [None] * le
    x = 0
    for i in range(le):
        NN[i] = int(N / n[i])
        t[i] = gmpy2.invert(NN[i],n[i])
        x += c[i]*t[i]*NN[i]

    res = x % N
    for i in range(2, 65535):
        num = 0
        try:
            flag = long_to_bytes(gmpy2.iroot(res,i)[0])
            for j in flag:
                if j not in string.printable:
                    num = 1
                    break
            if num == 0:
                print ('e is ' + str(i))
                print (flag)
        except:
            continue
예제 #20
0
def crt_recover_plaintext(ciphertext_list):
    ciphertexts, moduli = zip(*ciphertext_list)
    assert all_coprime(moduli)
    modulus_product = 1
    for mod in moduli:
        modulus_product *= mod

    result_so_far = 0
    for ciphertext, modulus in ciphertext_list:
        # int division to make sure m_s is an integer
        assert modulus_product % modulus == 0
        m_s = modulus_product // modulus
        result_so_far += ciphertext * m_s * inverse_mod(m_s, modulus)
    # find the cube root of the result
    # // we have result_so_far = (m**3) % modulus_product which means m ** 3 = result_so_far + n * modulus_product
    # // m = cube_root(result_so_far + n * modulus_product) - need to find the n value that makes this equation true
    # m < n1, m < n2, and m < n3 based on the requirements of RSA, so m ** 3 < n1 * n2 * n3
    # modulus_product = n1 * n2 * n3, so m**3 < modulus_product, so cubing won't wrap around the modulus
    # If cubing doesn't wrap, that means that cube root mod modulus_product = regular cube root

    # use gmpy for extra precision
    result_mpz = mpz(result_so_far % modulus_product)
    root_mpz, exact = iroot(result_mpz, 3)
    # root should always be exact for reasoning explained in above comment (message cubed should never wrap)
    assert exact
    root = int(root_mpz)
    return num_to_bytes(root)
예제 #21
0
def hastad_attack_parallel(residue_and_moduli,
                           e,
                           parallel=6,
                           major_chunk_size=1200,
                           minor_chunk_size=120):
    """
    Calculate Hastad broadcast attack using Chinese Remainder Theorem using parallel solver.
    The more parallel processes you choose, the faster it will run, assuming you have enough CPU cores.
    The bigger the chunks, the faster it will run, but it will also consume more memory.
    Memory consumption is maximum once minor chunks start to process, so if you reached this stage without swapping, you should be fine.
    :param residue_and_moduli: list of pairs (remainder, modulus)
    :param e: RSA public exponent
    :param parallel: how many parallel processes to run, best effects with n-1 or n-2, where n is number of cores you have
    :param major_chunk_size: size of the data split chunk
    :param minor_chunk_size: size of single multiplication chunk
    :return: attack result, most likely RSA plaintext if there was enough data
    """
    import gmpy2
    print(
        "With this setup you can recover RSA message only if length was < %f of the average modulus size"
        % (len(residue_and_moduli) / (e * 1.0)))
    if major_chunk_size % parallel != 0 or minor_chunk_size % parallel != 0:
        print(
            "Keep in mind that it's better to choose chunk size as multiples of parallel processes count"
        )
    crt = solve_crt(residue_and_moduli, parallel, major_chunk_size,
                    minor_chunk_size)
    solution, _ = gmpy2.iroot(crt, e)
    return solution
예제 #22
0
def factor(n):
    p = int(iroot(n, 2)[0])
    while p > 1:
        if n % p == 0:
            return p, (n / p)
        p -= 1
    return N, 1
예제 #23
0
def small_e_msg(key, ciphertexts=None, max_times=100):
    """If both e and plaintext are small, ciphertext may exceed modulus only a little

    Args:
        key(RSAKey): with small e, at least one ciphertext
        ciphertexts(list)
        max_times(int): how many times plaintext**e exceeded modulus maximally

    Returns:
        list: recovered plaintexts
    """
    ciphertexts = get_mutable_texts(key, ciphertexts)
    recovered = []
    for ciphertext in ciphertexts:
        log.debug("Find msg for ciphertext {}".format(ciphertext))
        times = 0
        for k in range(max_times):
            msg, is_correct = gmpy2.iroot(ciphertext + times, key.e)
            if is_correct and gmpy2.powmod(msg, key.e, key.n) == ciphertext:
                msg = int(msg)
                log.success("Found msg: {}, times=={}".format(
                    i2h(msg), times // key.n))
                recovered.append(msg)
                break
            times += key.n
    return recovered
예제 #24
0
파일: set6.py 프로젝트: jia-kai/cryptopals
def ch42():
    def make_pkcs15(msg, num=1):
        return b'\x01' + (b'\xff' * num) + b'\x00ASN.1' + as_bytes(msg)

    def pkcs15_check(padded, msg):
        pat = b'\x01\xff+\x00ASN.1' + re.escape(as_bytes(msg))
        return re.match(pat, as_bytes(padded)) is not None

    assert_eq(pkcs15_check(make_pkcs15('x'), 'x'), True)
    assert_eq(pkcs15_check(make_pkcs15('x', 2), 'x'), True)
    assert_eq(pkcs15_check(make_pkcs15('x', 0), 'x'), False)
    assert_eq(pkcs15_check(make_pkcs15('x'), 'y'), False)

    enc, _ = RSA.make_enc_dec_pair(bits=1024, e=3)

    msg = 'hi mom'
    msg_pad = make_pkcs15(msg)
    n = bytes2int(msg_pad)
    n_upper = n + 1
    while True:
        n3, exact = gmpy2.iroot(n, 3)
        n3 = int(n3)
        if not exact:
            n3 += 1
        n33 = n3**3
        assert n33 < enc._n
        if n33 < n_upper:
            break

        n <<= 8
        n_upper <<= 8

    assert_eq(pkcs15_check(int2bytes(enc(n3)), msg), True)
예제 #25
0
def forgeSign(hash_mes,length):
    ''' because they not check number of 0xff so we can fake it ,and they just take enough number of hash but not check the character behind the hash(true is no letter more)''' 
    C = b'\x00\x01\xff\xff\x00' + b'ASN_SHA1' + hash_mes 
    while (len(C) != length):
        C += b'\x00' 
    sign = iroot(bytes_to_long(C),3)[0] + 1
    return long_to_bytes(sign)
예제 #26
0
def decrypt_by_crt(messages, public_key):
    """
    Requires that messages is an array of tuples of the form (ciphertext_i, n_i),
    where ciphertext_i for each i is the same message message m that is
    encrypted by m^public_key mod n_i.  Attempts an attack based on the
    Chinese Remainder theorem to compute m^public_key_key mod (n_1 * n_2 * ...).
    Here the hope is that m^public_key is not large compared to (n_1 * n_2 * ...)
    so that we can recover the original message by just taking
    (ciphertext_i - n_i * k)^(1/public_key) where k is fairly small.
    Of course this attack only works if (ciphertext_i, n_i) are all
    encryptions of the same original message (with identical padding),
    encrypted with the same (small) public.
    Returns None if unable to decrypt the messages.
    """
    print("Attempting decryption using CRT")
    crt_system = [(bits_to_int(string_to_bits(message[0])), message[1]) for message in messages]

    crt_solution = solve_crt_system(crt_system)
    
    # Recover the original message by taking the public_key root
    MAX_CRT_ROOT_TRIES = 10
    for i in range(MAX_CRT_ROOT_TRIES):
        root_result = gmpy2.iroot(gmpy2.mpz(crt_solution[0] + crt_solution[1] * i), public_key)    
    
        if root_result[1]:
            oaep_padded_plaintext_int = root_result[0]
            return remove_oaep_from_plaintext(oaep_padded_plaintext_int, crt_system[0][1])

    return None
예제 #27
0
def broadcast_attack(data):
    def extended_gcd(a, b):
        x, y = 0, 1
        lastx, lasty = 1, 0
        while b:
            a, (q, b) = b, divmod(a, b)
            x, lastx = lastx - q * x, x
            y, lasty = lasty - q * y, y
        return (lastx, lasty, a)

    def chinese_remainder_theorem(items):
        N = 1
        for i in items:
            N *= i["n"]
        result = 0
        for i in items:
            m = N // i["n"]
            r, s, d = extended_gcd(i["n"], m)
            if d != 1:
                N = N / i["n"]
                continue
            result += i["c"] * s * m
        return result % N, N

    x, n = chinese_remainder_theorem(data)
    m = gmpy2.iroot(x, 10)[0]
    return m
예제 #28
0
def commonmodulo(n, e1, e2, c1, c2):
    def egcd(a, b):
        if (a == 0):
            return (b, 0, 1)
        else:
            g, y, x = egcd(b % a, a)
            return (g, x - (b // a) * y, y)

    # Calculates a^{b} mod n when b is negative
    def neg_pow(a, b, n):
        assert b < 0
        assert GCD(a, n) == 1
        res = int(gmpy2.invert(a, n))
        res = pow(res, b * (-1), n)
        return res

    g, a, b = egcd(e1, e2)
    if a < 0:
        c1 = neg_pow(c1, a, n)
    else:
        c1 = pow(c1, a, n)
    if b < 0:
        c2 = neg_pow(c2, b, n)
    else:
        c2 = pow(c2, b, n)
    ct = c1 * c2 % n
    m = int(gmpy2.iroot(ct, g)[0])
    return long_to_bytes(m).decode('UTF-8')
예제 #29
0
 def crack_times(self):
     k = -1
     while True:
         k += 1
         res, check = iroot(k * self.n + self.c, self.e)
         if check: break
     self.m = res
예제 #30
0
def solve(ct, e, n, padding_len):
    new_ct = ct * pow(modinv(256, n) ** padding_len, e, n)
    new_ct %= n
    for i in range(256):
        potential_pt, is_cube = gmpy2.iroot(new_ct + (n * i), e)
        if is_cube:
            print(i, long_to_bytes(potential_pt))
예제 #31
0
def Basic_Broadcast_Attack(data):
    if data['e'] == len(data['n']) == len(data['c']):
        t_to_e = chinese_remainder(data['n'], data['c'])
        t = int(gmpy2.iroot(t_to_e, data['e'])[0])
        log.info('Here are your plain text: \n' + libnum.n2s(t))
    else:
        log.error('wrong json file, check examples')
예제 #32
0
def decrypt_flag(rc, e, N, i):
    print 'Step {}/{}'.format(str(i).zfill(3), l)
    ct = pow(rc.ct, 2) * pow(2, i * e, N)
    res = rc.decrypt(ct % N)
    if res is not None:
        res = (res + N) // pow(2, i, N)
        return long_to_bytes(iroot(res, 2)[0])
예제 #33
0
파일: oracle.py 프로젝트: rot256/Wargames
def fake(h, padding, asn, size):
    pad  = b'\x00\x01' + b'\xFF' * padding
    core = pad + b'\x00' + asn + h

    s = core + b'\x01' + b'\x00' * ((size // 8 - len(core)))
    sig, e = iroot(bytes_to_int(s), 3)
    for l, r in zip(core[1:], int_to_bytes(sig ** 3)):
        if l != r:
            return None
    return int_to_bytes(sig)
예제 #34
0
 def hastads(self):
     # Hastad attack for low public exponent, this has found success for e = 3, and e = 5 previously
     if self.pub_key.e <= 11 and self.cipher is not None:
         orig = s2n(self.cipher)
         c = orig
         while True:
             m = gmpy2.iroot(c, self.pub_key.e)[0]
             if pow(m, self.pub_key.e, self.pub_key.n) == orig:
                 self.unciphered = n2s(m)
                 break
             c += self.pub_key.n
     return
예제 #35
0
 def test_wiener(self):
     q = gmpy2.mpz(getPrime(512))
     p = gmpy2.mpz(getPrime(512))
     if q > p :
         p , q = q , p
     n = p * q
     phi = (p - 1) * (q - 1)
     d = gmpy2.iroot(n, 5)[0]
     while gmpy2.gcd(d, phi) != 1 :
         d -= 1
     e = gmpy2.invert(d , phi)
     self.assertEqual((d, p, q), number.wiener_attack(n, e))
예제 #36
0
def factor_N2(N):
	'''Factor in correctly genrated N,
which is a product of two relatively close primes p/q such that,
|p-q| < 2^11*N^(1/4)'''
	
	N = mpz(N)	
	sqrtN = gmpy2.isqrt(N)
	A = sqrtN
	for delta in range(0,2**20):
		A = sqrtN + delta
		if A*A < N:
			continue
		if gmpy2.iroot(A**2-N,2)[1]:	# A^2-N is a perfect square
			return factor(A,N)
	return 0
예제 #37
0
def decrypt_by_public_key_root(public_key, n, ciphertext):
    ciphertext_bits = string_to_bits(ciphertext)
    ciphertext_int = bits_to_int(ciphertext_bits)
    
    PUBLIC_KEY_ROOT_ATTEMPTS = 10
    for i in range(PUBLIC_KEY_ROOT_ATTEMPTS):
        plaintext_root_result = gmpy2.iroot(gmpy2.mpz(ciphertext_int + i * n), public_key)
        if plaintext_root_result[1]:
            plaintext_int = int(plaintext_root_result[0])
            assert pow(plaintext_int, public_key) == ciphertext_int + i * n              
            print("Found integer root of message")
                
            plaintext_bits = pad_bits(convert_to_bits(plaintext_int), MESSAGE_CHARS * ASCII_BITS)
            plaintext_string = bits_to_string(plaintext_bits).strip('\x00')

            assert is_valid_message(plaintext_string)
            return plaintext_string
        else:
            print("Root result is non-integer")

    print("Unable to decrypt by taking private key root")
    return None
예제 #38
0
def forgeSignature(msg, pk):
    (e, n) = pk
    msg_hash = hashlib.sha1(msg).digest()
    garbage = '\x00'*75
    forge_sig =  "\x00\x01\xff\x00" + sha1_asn1 + msg_hash + garbage

    forge_sig_num = int(binascii.hexlify(forge_sig), 16)

    # compute the cube root of our forged signature block
    (cube_root, exact) = gmpy2.iroot(forge_sig_num, 3)
    cube_root += 1

    # make sure we don't wrap the modulus
    assert n > pow(int(cube_root), e)

    # recovered = int2bytes(pow(int(cube_root), pk[0], pk[1]))
    recovered = int2bytes(pow(int(cube_root), e, n))

    assert "\x01\xff" in recovered
    assert sha1_asn1 in recovered
    assert msg_hash in recovered

    return int(cube_root)
예제 #39
0
def icbrt (a1, a2):
    z = gmpy2.iroot(mpz(a1), 3)
    return z[0]
예제 #40
0
c1 = 421111161283346431452404838872906910488956231402567019627078538397015129219548039141380131693083805603634832115136344104821561027925864923901767159809798556819390401416411855168293007844311613426948800208007055064348403326803934387258467126612219000171854953396242427891713082121012531213725355828779993888182933907101893044052692649728535361366924432892126370724588453260805681821935597271080255619110465374127164951502400983809536186925456642086304791751551216044579863129291165009342909475237361181743987301745314378124693429484474503217504889965795409106282650296184945237152875186651795552666842345066169360660546054986708172417429052514059615434084086154415920830883055729609108788179781445658162049137989591033198225687070565856609516100367268190340309308157085784134411282761584130225746032198957351227779773001865341915642873414205377145922729731246073639219795924517066513774579919237687232502798978463575009663263447306363691670476046609459059167879832079562689979943552446917015778003739858532004479603764374411135699895655736013845369551111690464128448955486337191304960262873891918387298035244888743768954328136862535082300010994461970837930794524673040694310506226189740828318579439950518115967189869637345638498098713092489244636082588805772227797143449747153355341250697133905040459624514982099584435140538668878747129925880019957973864264834954951976218071371679757509297492047186840975743403271896047156768874314108910566561868784522463064748746223313798316236978642468003218086919263188950066989044210829301678555320837086377545741001736801163743516580353549217680694256032377932133575488109549594325464409000682442042651791171660390153162096538381581148625792618196174157168997050557100450557288143739840824092541232969307054965994887340364612034225310418659933594966854225109483090892335755747449339249960596843266176465016510244036725441439565001070917883074011690676911331738356675397441288471244334501091751395240775991013123686801229872759306547212076067886148629332008410208267030715989530663720054487572883736818402878156320070866728567321649066842627412668340251628750512807830348760198570727092664649603270152943231283098179852700308804060616603604109118233213539629764618927518884532667481665405755714542980086417296700138731812815602896287231173509006149715343922041354056256194681983557852276963918040964106582078239501915086320391282791023780691061950154312894926940866878046518974877055347229774579384836298084254309194742164500782
c2 = 905336011260893181451937420601175770518313987534058470576409049452599974940736949020892631904955374029696187995214208522797070994604711663756814784706053753391830801248808142181434422224620348115969075398677162880328104668870990618955018212918253536803780269490731174871303579036880145367252409300321511403369634435527150000969450834032455903281526350857234024199221097951905683106432984567192925721856154512618509568221546898136983740670694848845816274649037002810596080076911851084982546841069002779200879395931456796911067433329924739943299552475793965462348342813683729525726622940637841204356613245154725191731818570068876251576706021876289420301350487275708440713574921631267131651109260124766475594710481161866254565495750886839979733888772439130815149472846472765436552529628205718020374215877005469575372812773398343007234021177110808440750777736752300216949812950208548770769356889084232841311299404061610926387440620373137543532240294565244268885021138356121583352086433040479579285669028705571672002026293450745788592556823683194951826864141604029265650908715426822940827714455571796485962047146479512064410497475912291097113335318214286537554114706858926411912595063427662813512257156617697572638072509013871077829931469009241562237896598800666350337578826848041056097241547835195327840625894306586665539851835002956883837883293039313345815320389859457247452362675082429215289259947007386622301346393036750250168159297672722825807855637539796284414040339895615478904699195785762873300869004533530925681372154050324943727448464697359515536114806520493724557784204316395281200493439754546212305945038548703862153513568552164320556554039878316192239576925690599059819274827811660423411125130527352853059068829976616766635622188402967122171283526317336114731850274527784991508989562864331372520028706424190362623058696630974348010681878756845430600722349325469186628612347668798617024215127322351935893754437838675067920448401031834465304168738463170328598024532652790234530162187677742373772610227011372650971705426850962132725369442443471111605896253734934335599889785048210986345764273409091402794347076211775580564523705131025788768349950799136508286891544854890654019681560870443838699627458034827040931554727774022911060988866035389927962128604944287104134091087855031454577661765552937836562030914936714391213421737277968877508252894207799747341644008076766221537325719773971004607956958298021339118374168598829394997802039272072755111105775037781715

g, s, t = gmpy2.gcdext(e1, e2)
assert e1 * s + e2 * t == 1

if s < 0 and t > 0:
    c1i = gmpy2.invert(c1, N)
    m = (pow(c1i, -s, N) * pow(c2, t, N)) % N
elif s > 0 and t < 0:
    c2i = gmpy2.invert(c2, N)
    m = (pow(c1, s, N) * pow(c2i, -t, N)) % N
else:
    print "WTF", e1, e2, s, t
    exit()

for i in xrange(1024):
    a = 1 << (i*8)
    
    a17 = pow(a, 17, N)
    a17i = gmpy2.invert(a17, N)
    
    m2 = (m * a17i) % N
    
    mroot, foundexact = gmpy2.iroot(m2, 17)
    if foundexact:
        pt = ("%x" % mroot)
        if len(pt) % 2 == 1:
            pt = "0" + pt
        print repr(binascii.a2b_hex(pt))
예제 #41
0
import gmpy2, binascii

N = 691611766208546073444876122261067788277978858453710639029761974358666489171591889808344592871468081368348731289584873825685836699513369087940744233044470468106283756269016888690397802087612562650740690626844050981638158798650899164329024889012339813251634342169796374490173324858177655412520581064091323105709703802894635752243504165527728325493775585018099572491218738859140069209745383085972126419677929983854492018948495162457428459536088314487922683148031388611849013227501962458386817851194913551405843074740308192841259015955432216658418219471365781271743026881045054161177699500233983945284463060091084401032681620162554495490307966608011765399197534175588394769839991952726269105973546086964385977836193216093842605576347580465390858378577913173391209728199847916944392685608959720919745441534152140791433228642857247821519585327091864890122871765266988285510728943279970135846908966516130597249552710186071954611133294079017500030355232895541367427153922527925908108643934213023557398363684188823565535815365161748782796247844503993809352854741573950620787090272760236473228652960605730173150252619759400890068298838592790770868307280012495168740250977525199965477849089021924445456338550258621310346872587368865023459114279
e1 = 2623119 / 3
e2 = 2611101 / 3

c1 = 632613645684838434911920364870092246688638723680203743297038042884981435531349983627632652213126007404455112992754038899192740232209237012089852184466576496173356903126767617531366105427616049893559911396536574555008451239827427140619373005107923039458285095437111146013805698400274937791209388463040761234346114146112603113513874269976957472698342250573902102976387047390228485927254752372525379266486917620487089416581168720140744193600912161065888758451629009978676721731074043142666019127528370181044741033938879227651226413524178992155234346229899043794846119210274959231350300191718278291314079326011260972911790929707654859407903619102516710246683375658271085356783673232677699444921875427077745087507202504075374873842972977165904031632108921391219453633100007509368853543202918527396858214941532156620908283394786740941868393377733920317480973184132461984594109692489226477402338664642727766514992506288377119275635222078018270479534265371971469799345627297451492177595572561618185463142728664331779856911512823762928116551034186671353283417747535010208121962539603383913657773795358612010178381857101029638404248669376029927680328805839410427459248430136708902815920536603541943356116875656311481908672896225539754812052984
c2 = 473583830101449207063655453483957320801977763405664178108962387145963115641321631378723122470718049239150183483107837540062110255460217493574236417576528210993551734521104360323008425196350719034294427914294044848231276934402896045785500160974092767601908407706594433190832523140982335688121038712802163776950422665847149664034820576774873956120202470663588902529914328392634164212558025176982387474287314624421143326789371057668708456922968762564019631616913937820209470604081356673188045257490667304640155390478645279862586730343779998826931285683980941686981775369499484033439920659579124275957233449431588512697916708510428626881790592757578867152025501459202793986322020476004209777449674143157280081483085868896558215825742742029607229809248023263081810931655981810534293127835168642962477010095223356972141559004635008185531900175232541978761179342338914489553003329293031284557554252476291770973145365678145226167965362251186233138510776436645583796590010200995100899736056399413460647507781994189935869541735701599175369334170081795310585938471394672279359692859881857399434361716843681313191143289947464231132723256066979526475873327590657111481299295002695482778491520250596998683754980263059514032256777144682239680031331

g, s, t = gmpy2.gcdext(e1, e2)
assert e1 * s + e2 * t == 1

if s < 0 and t > 0:
    c1i = gmpy2.invert(c1, N)
    m = (pow(c1i, -s, N) * pow(c2, t, N)) % N
elif s > 0 and t < 0:
    c2i = gmpy2.invert(c2, N)
    m = (pow(c1, s, N) * pow(c2i, -t, N)) % N
else:
    print "WTF", e1, e2, s, t
    exit()
    
mroot, foundexact = gmpy2.iroot(m, 3)
if foundexact:
    pt = ("%x" % mroot)
    if len(pt) % 2 == 1:
        pt = "0" + pt
    print repr(binascii.a2b_hex(pt))
예제 #42
0
import gmpy2
from gmpy2 import mpz
from hashlib import sha1
message = "cat flag" # ls first time
messagesha = sha1(message.encode("ascii")).hexdigest() # sha1 of message
targetsig = "0001" + "f" * 8 + "00" + messagesha + "f" * 714 # target signature
targethex = int(targetsig, 16) # target signature, converted to an int
icbrt = gmpy2.iroot(mpz(targethex), 3) # integer cube root
# note: icbrt is a tuple of (result, exact).
# exact is True if it is a perfect cube root, False otherwise
perfectcube = icbrt[0] ** 3 # cube cube root
print(hex(perfectcube)) # print hex value, the result
예제 #43
0
 def introot(n, r=2):
     if n < 0: return None if r%2 == 0 else -introot(-n, r)
     return iroot(n, r)[0]
예제 #44
0
def cube_root(n):
    return int(iroot(mpz(n), 3)[0])
  
  if p*q == N:
    print("second factoring challenge")
    print("p=",p)
    break

# third assignment

N=720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929


B = gmpy2.isqrt(24*N) + 1

tmp = B*B-24*N

woop = gmpy2.iroot(tmp,2)
if woop[1] == True:
  x = woop[0]
else:
  print("not a square")
  quit()

tmp = B - x

if not tmp%3:
  p = gmpy2.divexact(tmp,6)
  q = gmpy2.divexact(B+x,4)
else:
  p = gmpy2.divexact(tmp,4)
  q = gmpy2.divexact(B+x,6)