def eNotCoprimePhi(): c = 2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524 n = 23292710978670380403641273270002884747060006568046290011918413375473934024039715180540887338067 e = 3 p1 = 32581479300404876772405716877547 p2 = 27038194053540661979045656526063 p3 = 26440615366395242196516853423447 c1 = eval( scryptos.parigp(["Vec(liftall(sqrtnall(Mod(%d, %d), 3)))" % (c, p1)])) c2 = eval( scryptos.parigp(["Vec(liftall(sqrtnall(Mod(%d, %d), 3)))" % (c, p2)])) c3 = eval( scryptos.parigp(["Vec(liftall(sqrtnall(Mod(%d, %d), 3)))" % (c, p3)])) print c1, c2, c3 #c1 = [6149264605288583791069539134541, 13404203109409336045283549715377, 13028011585706956936052628027629] #c2 = [19616973567618515464515107624812] #c3 = [13374868592866626517389128266735, 7379361747422713811654086477766, 5686385026105901867473638678946] for x in c1: for y in c2: for z in c3: m = libnum.solve_crt([x, y, z], [p1, p2, p3]) #chinese_remainder(ak, nk) d = libnum.n2s(m) if "0ctf" in d: print d[d.find("0ctf"):].strip()
def test_crt(self): for module in [2, 3, 5, 7, 1993]: for a in xrange(module): self.assertEqual(libnum.solve_crt([a], [module]), a) modules = [2, 3, 5, 19, 137] for i in xrange(1000): rems = [] a = 7 for m in modules: rems.append(a % m) a += 31337 a = libnum.solve_crt(rems, modules) for i in xrange(len(modules)): self.assertEqual(rems[i], a % modules[i]) self.assertRaises(TypeError, libnum.solve_crt, [1, 2, 3], [1, 2]) self.assertRaises(ValueError, libnum.solve_crt, [], []);
def b(): ids = lines[1].split(",") return solve_crt( [-i for i, x in enumerate(ids) if x != "x"], [int(x) for x in ids if x != "x"], ) pass
def BroadcastAttack(N, C): e = 3 m = solve_crt(C, N) ans = gmpy2.iroot(m, e) if ans[1] == True: return ans[0] else: raise Exception('BroadcastAttack Failed')
def Rabin(p, q, c): t = tonelli_shanks(c, p) qlist = [-t, t] t = tonelli_shanks(c, q) plist = [-t, t] for i in qlist: for j in plist: print(long_to_bytes(solve_crt([i, j], [p, q])))
def solve_quadratic(a, b, c, factors): gens = [] if isinstance(factors, dict): factors = factors.items() for p, k in factors: gens.append(solve_quadratic_prime_power(a, b, c, p, k)) for solns in itertools.product(*gens): yield solve_crt(solns, [p**k for p, k in factors])
def solve_linear(a, b, factors): gens = [] if isinstance(factors, dict): factors = list(factors.items()) for p, k in factors: gens.append(solve_linear_prime_power(a, b, p, k)) for solns in itertools.product(*gens): yield solve_crt(solns, [p**k for p, k in factors])
def broadcast(): e = 3 n = [ 0x43d819a4caf16806e1c540fd7c0e51a96a6dfdbe68735a5fd99a468825e5ee55c4087106f7d1f91e10d50df1f2082f0f32bb82f398134b0b8758353bdabc5ba2817f4e6e0786e176686b2e75a7c47d073f346d6adb2684a9d28b658dddc75b3c5d10a22a3e85c6c12549d0ce7577e79a068405d3904f3f6b9cc408c4cd8595bf67fe672474e0b94dc99072caaa4f866fc6c3feddc74f10d6a0fb31864f52adef71649684f1a72c910ec5ca7909cc10aef85d43a57ec91f096a2d4794299e967fcd5add6e9cfb5baf7751387e24b93dbc1f37315ce573dc063ecddd4ae6fb9127307cfc80a037e7ff5c40a5f7590c8b2f5bd06dd392fbc51e5d059cffbcb85555, 0x60d175fdb0a96eca160fb0cbf8bad1a14dd680d353a7b3bc77e620437da70fd9153f7609efde652b825c4ae7f25decf14a3c8240ea8c5892003f1430cc88b0ded9dae12ebffc6b23632ac530ac4ae23fbffb7cfe431ff3d802f5a54ab76257a86aeec1cf47d482fec970fc27c5b376fbf2cf993270bba9b78174395de3346d4e221d1eafdb8eecc8edb953d1ccaa5fc250aed83b3a458f9e9d947c4b01a6e72ce4fee37e77faaf5597d780ad5f0a7623edb08ce76264f72c3ff17afc932f5812b10692bcc941a18b6f3904ca31d038baf3fc1968d1cc0588a656d0c53cd5c89cedba8a5230956af2170554d27f524c2027adce84fd4d0e018dc88ca4d5d26867, 0x280f992dd63fcabdcb739f52c5ed1887e720cbfe73153adf5405819396b28cb54423d196600cce76c8554cd963281fc4b153e3b257e96d091e5d99567dd1fa9ace52511ace4da407f5269e71b1b13822316d751e788dc935d63916075530d7fb89cbec9b02c01aef19c39b4ecaa1f7fe2faf990aa938eb89730eda30558e669da5459ed96f1463a983443187359c07fba8e97024452087b410c9ac1e39ed1c74f380fd29ebdd28618d60c36e6973fc87c066cae05e9e270b5ac25ea5ca0bac5948de0263d8cc89d91c4b574202e71811d0ddf1ed23c1bc35f3a042aac6a0bdf32d37dede3536f70c257aafb4cfbe3370cd7b4187c023c35671de3888a1ed1303 ] c = [ 0x5517bdd6996b54aa72c2a9f1eec2d364fc71880ed1fa8630703a3c38035060b675a144e78ccb1b88fa49bad2ed0c6d5ad0024d4bb18e7d87f3509b0dbf238a0d1ff33f48ffc99c1bdf2f2547a193e7ab66eec562a7bc3f9521f70d453ff6d1fdb24de40b3f621ca6be6606440d09d0f302d5806e7cebc9b612522f181baa43373d6827ffd794916ffcc205147c8d88a59d2fce4bbcdfd6a4934fb72d5f74be79a1bd64b4305865c9d20eb96d8bd7976440a4bc326fdb5b9a04bac3762a664346a175f1029f448bb421506f3dfeb75d6531f89f0b92a7e66e295ede5928ec8301a202d5c9fd528cda84190c2b47f423af1a59c63ae6253d1903c83ae158f9b42, 0x3288e3ea8c74fd004e14b66a55acdcbcb2e9bd834b0f543514e06198045632b664dac3cf8578cde236a16bef4a1246de692ec6a61ce507a220fa04e09044632787ba42b856cb13be6e905c20b493004822888d3c44c6fc367c7af0287f1683f08baae5bb650902067908e93246af3954d62437aa14248529fd07c8902b9403920b6550f12d1c398881cd7fc8b5f096f38c33df21887bfe989fb011a9deade2370d90347510b76f1f3e3dedf09c148675ea8919878c8ac188253b78886d906cd1f3aee5484d6d13fb4bbad233f670f825fa618adbf0705ed4e31b60957f5c28cfd1febd13370630a6c94990e341d38918a9c1faa614fd14cdd41b7bc8461f2f0c, 0xb0c5ee1ac47c671c918726287e70239147a0357a9638851244785d552f307ed6a049398d3e6f8ed373b3696cfbd0bce1ba88d152f48d4cea82cd5dafd50b9843e3fa2155ec7dd4c996edde630987806202e45821ad6622935393cd996968fc5e251aa3539ed593fe893b15d21ecbe6893eba7fe77b9be935ca0aeaf2ec53df7c7086349eb12792aefb7d34c31c18f3cd7fb68e8a432652ef76096096e1a5d7ace90a282facf2d2760e6b5d98f0c70b23a6db654d10085be9dcc670625646a153b52c6c710efe8eb876289870bdd69cb7b45813e4fcfce815d191838926e9d60dd58be73565cff0e10f4e80122e077a5ee720caedc1617bf6a0bb072bbd2dab0 ] m_e = libnum.solve_crt(c, n) #scryptos.crt(c, n) #chinese_remainder(ak, nk) m = gmpy2.iroot(m_e, e) if m[1]: print m[0]
def EDlog(X, P): xs = [] fs = [] # calculate Pmul(P, order//f) together Pfs = [] Ps = [P] for _ in range(47): Ps.append(Padd(Ps[-1], Ps[-1])) for f in fords: z = [] for i, b in enumerate(NAF(order // f).rev): if b == 1: z.append(Ps[i]) elif b == -1: z.append(Pneg(Ps[i])) Pfs.append(z) # Merge most common pair first while any(len(z) > 1 for z in Pfs): cnt = Counter() for z in Pfs: for p in z.combinations(2): p = tuple(sorted(p)) cnt.update([p]) (A, B), _ = cnt.most_common(1)[0] C = Padd(A, B) for z in Pfs: if A in z and B in z: z.remove(A) z.remove(B) z.append(C) assert all(len(z) == 1 for z in Pfs) Pfs = [z[0] for z in Pfs] for Pf, f in zip(Pfs, fords): fs.append(f) Xf = iPmul(X, order//f) print("Doing dlog on factor", f) xs.append(EDlogNaive(Xf, Pf, f)) return libnum.solve_crt(xs, fs)
#!/usr/bin/env python import libnum n1 = 95118357989037539883272168746004652872958890562445814301889866663072352421703264985997800660075311645555799745426868343365321502734736006248007902409628540578635925559742217480797487130202747020211452620743021097565113059392504472785227154824117231077844444672393221838192941390309312484066647007469668558141 n2 = 98364165919251246243846667323542318022804234833677924161175733253689581393607346667895298253718184273532268982060905629399628154981918712070241451494491161470827737146176316011843738943427121602324208773653180782732999422869439588198318422451697920640563880777385577064913983202033744281727004289781821019463 n3 = 68827940939353189613090392226898155021742772897822438483545021944215812146809318686510375724064888705296373853398955093076663323001380047857809774866390083434272781362447147441422207967577323769812896038816586757242130224524828935043187315579523412439309138816335569845470021720847405857361000537204746060031 c1 = 64830446708169012766414587327568812421130434817526089146190136796461298592071238930384707543318390292451118980302805512151790248989622269362958718228298427212630272525186478627299999847489018400624400671876697708952447638990802345587381905407236935494271436960764899006430941507608152322588169896193268212007 c2 = 96907490717344346588432491603722312694208660334282964234487687654593984714144825656198180777872327279250667961465169799267405734431675111035362089729249995027326863099262522421206459400405230377631141132882997336829218810171728925087535674907455584557956801831447125486753515868079342148815961792481779375529 c3 = 43683874913011746530056103145445250281307732634045437486524605104639785469050499171640521477036470750903341523336599602288176611160637522568868391237689241446392699321910723235061180826945464649780373301028139049288881578234840739545000338202917678008269794179100732341269448362920924719338148857398181962112 m = libnum.n2s(libnum.nroot(int(libnum.solve_crt((c1,c2,c3),(n1,n2,n3))),3)) print m
import libnum from IPython import embed import pickle print('[*] Loading data') with open('pair.pkl', 'rb') as f: data = pickle.load(f) Cs, Ns = zip(*data) print('[*] Solving CRT') s = libnum.solve_crt(Cs, Ns) print('[*] Solving Root') k = libnum.nroot(s, 217) print('[+] Flag (hex):') print('[>] ' + hex(k)) print('[+] Flag:') k = libnum.n2s(k) print('[>] ' + k)
#!/usr/bin/env python import libnum print libnum.n2s( libnum.nroot( libnum.solve_crt((c1, c2, c3, c4, c5, c6, c7), (n1, n2, n3, n4, n5, n6, n7)), 7))
def b(): mods = [] remainders = [] info = [(-pos - disc, mod) for disc, mod, _, pos in map(u.ints, lines) ] + [(-len(lines) - 1, 11)] return solve_crt(*zip(*info))
for _ in range(10): r = random.randint(2, 100) num.append(enc(r)**2 - enc(r**2)) n = gcd(*num) print(n) ppqs = (n - phi + 1)**2 pmqs = ppqs - 4 * n ppq = (n - phi + 1) pmq = nroot(pmqs, 2) q = (ppq - pmq) // 2 p = (ppq + pmq) // 2 assert n == p * q assert phi == (p - 1) * (q - 1) conn.interactive() factors = factordb() cs = [] ns = [] for k, v in factors: ns.append(pow(k, v)) cs.append(1) solve_crt(ns, cs) # F = pow(e*flag,e,n) # x % phi
import gmpy2 import libnum def chinese_remainder(a, n): sum = 0 prod = reduce(lambda a, b: a * b, n) #sequentially apply a*b to list n for n_i, a_i in zip(n, a): p = prod / n_i sum += a_i * gmpy2.invert(p, n_i) * p return int(sum % prod) e = 3 n = [ 0x43d819a4caf16806e1c540fd7c0e51a96a6dfdbe68735a5fd99a468825e5ee55c4087106f7d1f91e10d50df1f2082f0f32bb82f398134b0b8758353bdabc5ba2817f4e6e0786e176686b2e75a7c47d073f346d6adb2684a9d28b658dddc75b3c5d10a22a3e85c6c12549d0ce7577e79a068405d3904f3f6b9cc408c4cd8595bf67fe672474e0b94dc99072caaa4f866fc6c3feddc74f10d6a0fb31864f52adef71649684f1a72c910ec5ca7909cc10aef85d43a57ec91f096a2d4794299e967fcd5add6e9cfb5baf7751387e24b93dbc1f37315ce573dc063ecddd4ae6fb9127307cfc80a037e7ff5c40a5f7590c8b2f5bd06dd392fbc51e5d059cffbcb85555, 0x60d175fdb0a96eca160fb0cbf8bad1a14dd680d353a7b3bc77e620437da70fd9153f7609efde652b825c4ae7f25decf14a3c8240ea8c5892003f1430cc88b0ded9dae12ebffc6b23632ac530ac4ae23fbffb7cfe431ff3d802f5a54ab76257a86aeec1cf47d482fec970fc27c5b376fbf2cf993270bba9b78174395de3346d4e221d1eafdb8eecc8edb953d1ccaa5fc250aed83b3a458f9e9d947c4b01a6e72ce4fee37e77faaf5597d780ad5f0a7623edb08ce76264f72c3ff17afc932f5812b10692bcc941a18b6f3904ca31d038baf3fc1968d1cc0588a656d0c53cd5c89cedba8a5230956af2170554d27f524c2027adce84fd4d0e018dc88ca4d5d26867, 0x280f992dd63fcabdcb739f52c5ed1887e720cbfe73153adf5405819396b28cb54423d196600cce76c8554cd963281fc4b153e3b257e96d091e5d99567dd1fa9ace52511ace4da407f5269e71b1b13822316d751e788dc935d63916075530d7fb89cbec9b02c01aef19c39b4ecaa1f7fe2faf990aa938eb89730eda30558e669da5459ed96f1463a983443187359c07fba8e97024452087b410c9ac1e39ed1c74f380fd29ebdd28618d60c36e6973fc87c066cae05e9e270b5ac25ea5ca0bac5948de0263d8cc89d91c4b574202e71811d0ddf1ed23c1bc35f3a042aac6a0bdf32d37dede3536f70c257aafb4cfbe3370cd7b4187c023c35671de3888a1ed1303 ] c = [ 0x5517bdd6996b54aa72c2a9f1eec2d364fc71880ed1fa8630703a3c38035060b675a144e78ccb1b88fa49bad2ed0c6d5ad0024d4bb18e7d87f3509b0dbf238a0d1ff33f48ffc99c1bdf2f2547a193e7ab66eec562a7bc3f9521f70d453ff6d1fdb24de40b3f621ca6be6606440d09d0f302d5806e7cebc9b612522f181baa43373d6827ffd794916ffcc205147c8d88a59d2fce4bbcdfd6a4934fb72d5f74be79a1bd64b4305865c9d20eb96d8bd7976440a4bc326fdb5b9a04bac3762a664346a175f1029f448bb421506f3dfeb75d6531f89f0b92a7e66e295ede5928ec8301a202d5c9fd528cda84190c2b47f423af1a59c63ae6253d1903c83ae158f9b42, 0x3288e3ea8c74fd004e14b66a55acdcbcb2e9bd834b0f543514e06198045632b664dac3cf8578cde236a16bef4a1246de692ec6a61ce507a220fa04e09044632787ba42b856cb13be6e905c20b493004822888d3c44c6fc367c7af0287f1683f08baae5bb650902067908e93246af3954d62437aa14248529fd07c8902b9403920b6550f12d1c398881cd7fc8b5f096f38c33df21887bfe989fb011a9deade2370d90347510b76f1f3e3dedf09c148675ea8919878c8ac188253b78886d906cd1f3aee5484d6d13fb4bbad233f670f825fa618adbf0705ed4e31b60957f5c28cfd1febd13370630a6c94990e341d38918a9c1faa614fd14cdd41b7bc8461f2f0c, 0xb0c5ee1ac47c671c918726287e70239147a0357a9638851244785d552f307ed6a049398d3e6f8ed373b3696cfbd0bce1ba88d152f48d4cea82cd5dafd50b9843e3fa2155ec7dd4c996edde630987806202e45821ad6622935393cd996968fc5e251aa3539ed593fe893b15d21ecbe6893eba7fe77b9be935ca0aeaf2ec53df7c7086349eb12792aefb7d34c31c18f3cd7fb68e8a432652ef76096096e1a5d7ace90a282facf2d2760e6b5d98f0c70b23a6db654d10085be9dcc670625646a153b52c6c710efe8eb876289870bdd69cb7b45813e4fcfce815d191838926e9d60dd58be73565cff0e10f4e80122e077a5ee720caedc1617bf6a0bb072bbd2dab0 ] m_e = libnum.solve_crt(c, n) #chinese_remainder(ak, nk) m = gmpy2.iroot(m_e, e) if m[1]: print m[0]
def find_cube_root(ciphertexts, modulus): x = libnum.solve_crt(ciphertexts, modulus) cube_root = gmpy2.iroot(x, 3) return cube_root
c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169 """ # -*- coding: utf-8 -*- from Crypto.Util.number import long_to_bytes, isPrime from gmpy2 import invert, powmod from libnum import solve_crt from functools import reduce n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407 c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169 e = 65537 p = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625526487 q = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625528161 d = invert(e, (p-1)*(q-1)) assert p*q == n m = pow(c, d, n) d1 = invert(p-1, p) print(f'd1 = {d1}') m1 = m * d1 % p print(f'm1 = {m1}') s = reduce(lambda x,y: x * y % n, range(p, q), 1) d2 = invert(s, q) s = d2 * (q - 1) % q d2 = invert(s, q) print(f'd2 = {d2}') m2 = m * d2 % q print(f'm2 = {m2}') m = solve_crt((m1, m2), (p, q)) print(long_to_bytes(m)[:-80]) b'flag{c7cfdbc1-729b-de11-239f-a473ec0637b8}'
# 將檔案load進來 KEY = RSA.importKey(open('public.pem','rb').read()) c = number.bytes_to_long(open('flag.enc','rb').read()) # c = 171593038454590370639160691816701768011631708114057748881162208227300377341431533481821899 n = KEY.n # 564462951471307835462571845543842769912055276672163683778178867635658249722491250650054821 e = KEY.e # 3 # n 丟factordb.com,得以下 p = 691656593965348479724501935967 q = 736838799725172104070074576411 r = 1107573188787951966821430803233 # c^3 mod p = c mod p = 221211335853089364838057411976 as p1 # c^3 mod q = c mod q = 666763593084936946778597990126 as q1 # c^3 mod r = c mod r = 489130359096392455679033210237 as r1 # # "c^3 = p1 (mod p)" p_root = [111258723643802345601340873881, 183438136792285161537706063165, 396959733529260972585454998921] q_root = [437268968619046660735525109048] r_root = [259921130176063805782994055338, 351097072905607274934883479051, 496554985706280886103553268844] for x in p_root: for y in q_root: for z in r_root: # m = chinese_remainder([p,q,r], [x,y,z]) m = solve_crt([x,y,z], [p,q,r]) print n2s(m)
#!/usr/bin/env python import libnum e = 3 c1 = 261345950255088824199206969589297492768083568554363001807292202086148198540785875067889853750126065910869378059825972054500409296763768604135988881188967875126819737816598484392562403375391722914907856816865871091726511596620751615512183772327351299941365151995536802718357319233050365556244882929796558270337 n1 = 1001191535967882284769094654562963158339094991366537360172618359025855097846977704928598237040115495676223744383629803332394884046043603063054821999994629411352862317941517957323746992871914047324555019615398720677218748535278252779545622933662625193622517947605928420931496443792865516592262228294965047903627 c2 = 147535246350781145803699087910221608128508531245679654307942476916759248311896958780799558399204686458919290159543753966699893006016413718139713809296129796521671806205375133127498854375392596658549807278970596547851946732056260825231169253750741639904613590541946015782167836188510987545893121474698400398826 n2 = 405864605704280029572517043538873770190562953923346989456102827133294619540434679181357855400199671537151039095796094162418263148474324455458511633891792967156338297585653540910958574924436510557629146762715107527852413979916669819333765187674010542434580990241759130158992365304284892615408513239024879592309 c3 = 633230627388596886579908367739501184580838393691617645602928172655297372145912724695988151441728614868603479196153916968285656992175356066846340327304330216410957123875304589208458268694616526607064173015876523386638026821701609498528415875970074497028482884675279736968611005756588082906398954547838170886958 n3 = 1204664380009414697639782865058772653140636684336678901863196025928054706723976869222235722439176825580211657044153004521482757717615318907205106770256270292154250168657084197056536811063984234635803887040926920542363612936352393496049379544437329226857538524494283148837536712608224655107228808472106636903723 key = libnum.solve_crt((c1, c2, c3), (n1, n2, n3)) m = libnum.nroot(int(key), 3) print libnum.n2s(m)
gsqf = pow(gf, sqf, n) table = {} # Giant step ygna = pow(c, m, n) for a in trange(sqf, leave=False): table[ygna] = a ygna = (ygna * gsqf) % n # Baby step gb = 1 for b in trange(sqf, leave=False): if gb in table: a = table[gb] # gf^b = cy^a = gf^(ki + a * sqf) ki = (b - a * sqf) % f remainders.append(ki) break gb = (gb * gf) % n # Reconstruct k = libnum.solve_crt(remainders, factors) # Print flag k = hashlib.sha512(str(k).encode('ascii')).digest() dec = bytes(ci ^ ki for ci, ki in zip(enc, k)) print(dec)