def main(): rsa = RSA() rsa.gen_keypair(prime_size=1024) e, n = rsa.get_public_key() message = b'hi mom' real_signature = rsa.sign(message) print('real signature:{}\n'.format(real_signature.hex())) h = hashlib.sha256() h.update(message) digest = h.digest() ASNSHA256 = b"\x30\x31\x30\x0D\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20" for null_pad in range(1000): block = b'\x00\x01\xff\x00' + ASNSHA256 + digest block += b'\x00' * null_pad block_int = bytes_to_int(block) cube_root, rest = gmpy2.iroot_rem(block_int, 3) cube_root = int(cube_root) cube_root += 1 evil_signature = int_to_bytes(cube_root) valid = rsa.verify(evil_signature, message) if valid: print('spoofed signature:{}'.format(evil_signature.hex())) return else: pass
def main(): secret_plaintext = random_string(100).encode('utf-8') print('plaintext is:{}'.format(secret_plaintext.decode('utf-8'))) rsa = RSA() rsa.gen_keypair() e1, n1 = rsa.get_public_key() rsa.gen_keypair() e2, n2 = rsa.get_public_key() rsa.gen_keypair() e3, n3 = rsa.get_public_key() ct1 = rsa.encrypt(secret_plaintext, 3, n1) ct1 = int.from_bytes(ct1, 'big') ct2 = rsa.encrypt(secret_plaintext, 3, n2) ct2 = int.from_bytes(ct2, 'big') ct3 = rsa.encrypt(secret_plaintext, 3, n3) ct3 = int.from_bytes(ct3, 'big') n = [n1, n2, n3] a = [ct1, ct2, ct3] result_cubed = chinese_remainder(n, a) result = int(gmpy2.iroot_rem(result_cubed, 3)[0]) plaintext = "%x" % result plaintext = bytes.fromhex(plaintext) plaintext = plaintext.decode('utf-8') print('recovered :{}'.format(plaintext))
def attack1(N): root = gmpy2.iroot_rem(N, 2) A = root[0] if root[1] > 0: A += 1 # ceiling x = gmpy2.iroot(A * A - N, 2)[0] return A - x
def attack3(N): root = gmpy2.iroot_rem(24 * N, 2) A = root[0] if root[1] > 0: A += 1 # ceiling x = gmpy2.isqrt(A * A - 24 * N) # print(N) # print((A + x) * (A - x) // 24) if (A - x) % 6 == 0 and (A + x) % 4 == 0: return min((A - x) // 6, (A + x) // 4) return min((A - x) // 4, (A + x) // 6)
def attack2(N): root = gmpy2.iroot_rem(N, 2) Amin = root[0] if root[1] > 0: Amin += 1 # ceiling Amax = min((N+1)/2, Amin + 2 ** 20) A = Amin while A <= Amax: # print('Searching ' + str(A)) x = gmpy2.iroot(A * A - N, 2)[0] if (A - x) * (A + x) == N: return A - x A += 1 return 'Not found'
def decryptRSA(e, ct, N): # factor root = gmpy2.iroot_rem(N, 2) A = root[0] if root[1] > 0: A += 1 # ceiling x = gmpy2.iroot(A * A - N, 2)[0] p = A - x q = A + x # decrypt phi = (p - 1) * (q - 1) d = gmpy2.invert(e, phi) unpad = gmpy2.powmod(ct, d, N).digits(16) if len(unpad) & 1: unpad = '0' + unpad # pad with 0 pkcs1 = binascii.unhexlify(unpad) print(binascii.hexlify(pkcs1)) # extract sep = 0x00 return pkcs1[pkcs1.find(sep)+1:].decode('ascii')
def iscube(hexstr): return gmpy2.iroot_rem(mpz('0x'+hexstr),3)[1]==0
if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y) def modinv(a, m): g, x, y = egcd(a, m) if g != 1: raise Exception('modular inverse does not exist') else: return x % m gmpy2.get_context().precision = 1000000 N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581 N_root = gmpy2.iroot_rem(N,2)[0] + 1 x = gmpy2.iroot(pow(N_root, 2) - N, 2)[0] print("q1") q = gmpy2.gcd(N_root - x, N) print(q) p = N // q phi = (p - 1) * (q - 1) d = modinv(65537, phi) c = 22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540 m = gmpy2.powmod(c,d,N) print(hex(m)[2:]) N = 648455842808071669662824265346772278726343720706976263060439070378797308618081116462714015276061417569195587321840254520655424906719892428844841839353281972988531310511738648965962582821502504990264452100885281673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877 N_root = gmpy2.iroot_rem(N,2)[0] + 1