def main():
rsa = RSA()
rsa.gen_keypair(prime_size=1024)
e, n = rsa.get_public_key()
message = b'hi mom'
real_signature = rsa.sign(message)
print('real signature:{}\n'.format(real_signature.hex()))
h = hashlib.sha256()
h.update(message)
digest = h.digest()
ASNSHA256 = b"\x30\x31\x30\x0D\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20"
for null_pad in range(1000):
block = b'\x00\x01\xff\x00' + ASNSHA256 + digest
block += b'\x00' * null_pad
block_int = bytes_to_int(block)
cube_root, rest = gmpy2.iroot_rem(block_int, 3)
cube_root = int(cube_root)
cube_root += 1
evil_signature = int_to_bytes(cube_root)
valid = rsa.verify(evil_signature, message)
if valid:
print('spoofed signature:{}'.format(evil_signature.hex()))
return
else:
pass
def main():
secret_plaintext = random_string(100).encode('utf-8')
print('plaintext is:{}'.format(secret_plaintext.decode('utf-8')))
rsa = RSA()
rsa.gen_keypair()
e1, n1 = rsa.get_public_key()
rsa.gen_keypair()
e2, n2 = rsa.get_public_key()
rsa.gen_keypair()
e3, n3 = rsa.get_public_key()
ct1 = rsa.encrypt(secret_plaintext, 3, n1)
ct1 = int.from_bytes(ct1, 'big')
ct2 = rsa.encrypt(secret_plaintext, 3, n2)
ct2 = int.from_bytes(ct2, 'big')
ct3 = rsa.encrypt(secret_plaintext, 3, n3)
ct3 = int.from_bytes(ct3, 'big')
n = [n1, n2, n3]
a = [ct1, ct2, ct3]
result_cubed = chinese_remainder(n, a)
result = int(gmpy2.iroot_rem(result_cubed, 3)[0])
plaintext = "%x" % result
plaintext = bytes.fromhex(plaintext)
plaintext = plaintext.decode('utf-8')
print('recovered :{}'.format(plaintext))
def attack1(N):
root = gmpy2.iroot_rem(N, 2)
A = root[0]
if root[1] > 0:
A += 1 # ceiling
x = gmpy2.iroot(A * A - N, 2)[0]
return A - x
def attack3(N):
root = gmpy2.iroot_rem(24 * N, 2)
A = root[0]
if root[1] > 0:
A += 1 # ceiling
x = gmpy2.isqrt(A * A - 24 * N)
# print(N)
# print((A + x) * (A - x) // 24)
if (A - x) % 6 == 0 and (A + x) % 4 == 0:
return min((A - x) // 6, (A + x) // 4)
return min((A - x) // 4, (A + x) // 6)
def attack2(N):
root = gmpy2.iroot_rem(N, 2)
Amin = root[0]
if root[1] > 0:
Amin += 1 # ceiling
Amax = min((N+1)/2, Amin + 2 ** 20)
A = Amin
while A <= Amax:
# print('Searching ' + str(A))
x = gmpy2.iroot(A * A - N, 2)[0]
if (A - x) * (A + x) == N:
return A - x
A += 1
return 'Not found'
def decryptRSA(e, ct, N):
# factor
root = gmpy2.iroot_rem(N, 2)
A = root[0]
if root[1] > 0:
A += 1 # ceiling
x = gmpy2.iroot(A * A - N, 2)[0]
p = A - x
q = A + x
# decrypt
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
unpad = gmpy2.powmod(ct, d, N).digits(16)
if len(unpad) & 1:
unpad = '0' + unpad # pad with 0
pkcs1 = binascii.unhexlify(unpad)
print(binascii.hexlify(pkcs1))
# extract
sep = 0x00
return pkcs1[pkcs1.find(sep)+1:].decode('ascii')
def iscube(hexstr):
return gmpy2.iroot_rem(mpz('0x'+hexstr),3)[1]==0
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
gmpy2.get_context().precision = 1000000
N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581
N_root = gmpy2.iroot_rem(N,2)[0] + 1
x = gmpy2.iroot(pow(N_root, 2) - N, 2)[0]
print("q1")
q = gmpy2.gcd(N_root - x, N)
print(q)
p = N // q
phi = (p - 1) * (q - 1)
d = modinv(65537, phi)
c = 22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540
m = gmpy2.powmod(c,d,N)
print(hex(m)[2:])
N = 648455842808071669662824265346772278726343720706976263060439070378797308618081116462714015276061417569195587321840254520655424906719892428844841839353281972988531310511738648965962582821502504990264452100885281673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877
N_root = gmpy2.iroot_rem(N,2)[0] + 1