文章目录
- Bad_rsa
- Classlcal
Bad_rsa
题目描述:
from Crypto.Util.number import *
f = open('flag.txt','rb')
m = bytes_to_long(f.readline().strip())
p = getPrime(512)
q = getPrime(512)
e = getPrime(8)
n = p*q
phi = (p-1)*(q-1)
d = inverse(e,phi)
leak = d & ((1<<265) - 1)
print(f'e = {e}')
print(f'leak = {leak}')
print(f'n = {n}')
c = pow(m,e,n)
print(f'c = {c}')
'''
e = 149
leak = 6001958312144157007304943931113872134090201010357773442954181100786589106572169
n = 88436063749749362190546240596734626745594171540325086418270903156390958817492063940459108934841028734921718351342152598224670602551497995639921650979296052943953491639892805985538785565357751736799561653032725751622522198746331856539251721033316195306373318196300612386897339425222615697620795751869751705629
c = 1206332017436789083799133504302957634035030644841294494992108068042941783794804420630684301945366528832108224264145563741764232409333108261614056154508904583078897178425071831580459193200987943565099780857889864631160747321901113496943710282498262354984634755751858251005566753245882185271726628553508627299
'''
题目分析:
d低位泄露
e
∗
d
=
1
+
k
∗
p
h
i
设
s
=
p
+
q
则有
e
∗
d
=
k
∗
(
n
−
s
+
1
)
+
1
设
d
的低位为
d
l
(
已知
)
⇒
e
∗
d
l
≡
k
∗
(
n
−
s
+
1
)
+
1
(
m
o
d
2
265
)
①
又
p
2
+
s
∗
p
+
n
=
p
2
−
p
2
−
p
∗
q
+
n
=
0
②
p
∗
①
−
k
∗
②
=
e
d
l
p
≡
k
p
n
+
k
p
+
p
−
k
p
2
−
k
n
(
m
o
d
2
265
)
如此此式子便只有
p
这个未知数了
e * d = 1 + k * phi\\ 设 s = p + q\\ 则有 e * d = k * (n - s + 1) + 1\\ 设d的低位为d_l(已知)\\ \Rightarrow e * d_l \equiv k * (n - s + 1) + 1 \pmod{2^{265}} ①\\ 又 p^2 + s * p + n = p^2 - p^2 - p * q + n = 0②\\ p * ① - k * ② = e d_lp \equiv kpn + kp + p - kp^2 - kn \pmod{2^{265}}\\ 如此此式子便只有p这个未知数了
e∗d=1+k∗phi设s=p+q则有e∗d=k∗(n−s+1)+1设d的低位为dl(已知)⇒e∗dl≡k∗(n−s+1)+1(mod2265)①又p2+s∗p+n=p2−p2−p∗q+n=0②p∗①−k∗②=edlp≡kpn+kp+p−kp2−kn(mod2265)如此此式子便只有p这个未知数了
解同余方程式:
e
d
l
p
≡
k
p
n
+
k
p
+
p
−
k
p
2
−
k
n
(
m
o
d
2
265
)
e d_lp \equiv kpn + kp + p - kp^2 - kn \pmod{2^{265}}
edlp≡kpn+kp+p−kp2−kn(mod2265)便能得到p的低265位
p
l
p_l
pl
此时高247位未知,而我们又知道以下结论:
p,q 512bit ---- 未知227bit , coppersmith定理可求解 (0.38 <= beta <= 0.44)
p,q 512bit ---- 未知248bit , coppersmith定理可求解 (0.40 <= beta <= 0.49, epsilon = 0.01)
p,q 512bit ---- 未知250bit , coppersmith定理可求解 (beta = 0.5, epsilon = 0.01 , p进行求解且p > q)
p,q1024bit — 未知554bit , coppersmith定理可求解 (0.38 <= beta <= 0.44)
p,q1024bit — 未知496bit , coppersmith定理可求解 (0.40 <= beta <= 0.49, epsilon = 0.01)
p,q1024bit ----未知500bit , coppersmith定理可求解 (beta = 0.5, epsilon = 0.01 , p进行求解且p > q)
所以copper时使用X = 2^428, beta = 0.4, epsilon = 0.01即可求解出完整p,之后便是常规rsa操作得flag
exp:
from tqdm import tqdm
def getFullP(low_p, n):
R.<x> = PolynomialRing(Zmod(n), implementation='NTL')
p = x*2^265 + low_p
root = (p-n).monic().small_roots(X = 2^248, beta = 0.4,epsilon = 0.01)
if root:
print(root[0])
return p(root[0])
return None
def phase4(low_d, n, c):
maybe_p = []
for k in range(1, 150):
p = var('p')
p0 = solve_mod([149*p*low_d == p + k*(n*p - p^2 - n + p)], 2^265)
maybe_p += [int(x[0]) for x in p0]
print(maybe_p)
for x in tqdm(maybe_p):
P = getFullP(x, n)
if P: break
P = int(P)
print(P)
d = inverse_mod(149, (P-1)*(Q-1))
print(long_to_bytes(int(pow(c,d,n))))
e = 149
low_d = 6001958312144157007304943931113872134090201010357773442954181100786589106572169
n = 88436063749749362190546240596734626745594171540325086418270903156390958817492063940459108934841028734921718351342152598224670602551497995639921650979296052943953491639892805985538785565357751736799561653032725751622522198746331856539251721033316195306373318196300612386897339425222615697620795751869751705629
c = 1206332017436789083799133504302957634035030644841294494992108068042941783794804420630684301945366528832108224264145563741764232409333108261614056154508904583078897178425071831580459193200987943565099780857889864631160747321901113496943710282498262354984634755751858251005566753245882185271726628553508627299
phase4(low_d, n, c)
# flag{827ccb0eea8a706c4c34a16891f84e7b}
Classlcal
题目描述:
p = ZQIUOMCEFZGVRGTBAAAAAJRTKENSNQ
c = WUJQYGCAHAAAAAGDPQXUXHIDTDLIRG
C = OKCZKNCSQ_ULYOKPKW,PL.UXIWX,YCLXZFGBM_SUJLSCOXZT.AIGFZRDCIX,
题目分析:
加密表现如下,其中p,c已知
(
k
11
k
12
k
13
k
14
k
15
k
21
k
22
k
23
k
24
k
25
k
31
k
32
k
13
k
34
k
15
k
41
k
42
k
43
k
44
k
45
k
51
k
52
k
53
k
54
k
55
)
(
p
1
p
2
p
3
p
4
p
5
)
+
K
=
(
c
1
c
2
c
3
c
4
c
5
)
\begin{pmatrix} k_{11}&k_{12}&k_{13}&k_{14}&k_{15}\\ k_{21}&k_{22}&k_{23}&k_{24}&k_{25}\\ k_{31}&k_{32}&k_{13}&k_{34}&k_{15}\\ k_{41}&k_{42}&k_{43}&k_{44}&k_{45}\\ k_{51}&k_{52}&k_{53}&k_{54}&k_{55}\end{pmatrix} \begin{pmatrix} p_1\\p_{2}\\p_{3}\\p_{4}\\p_{5}\end{pmatrix}+K= \begin{pmatrix} c_{1}\\c_{2}\\c_{3}\\c_{4}\\c_{5} \end{pmatrix}
k11k21k31k41k51k12k22k32k42k52k13k23k13k43k53k14k24k34k44k54k15k25k15k45k55
p1p2p3p4p5
+K=
c1c2c3c4c5
一共6组,每组加密形式都是这样,密钥矩阵和K是固定的,我们的目标就是求出密钥矩阵和K,然后解C
我们用前五个明文减后五个明文,前五个密文减后五个密文即可消掉K
化简一下:
k
∗
P
1
−
K
=
C
1
①
k
∗
P
2
−
K
=
C
2
②
k
∗
P
3
−
K
=
C
3
③
k
∗
P
4
−
K
=
C
4
④
k
∗
P
5
−
K
=
C
5
⑤
k
∗
P
6
−
K
=
C
6
⑥
前一组减后一组:
k
∗
(
P
1
−
P
2
)
=
(
C
1
−
C
2
)
k
∗
(
P
2
−
P
3
)
=
(
C
2
−
C
3
)
k
∗
(
P
3
−
P
4
)
=
(
C
3
−
C
4
)
k
∗
(
P
4
−
P
5
)
=
(
C
4
−
C
5
)
k
∗
(
P
5
−
P
6
)
=
(
C
5
−
C
6
)
化简一下:\\ k * P_1 - K = C_1 ①\\ k * P_2 - K = C_2 ②\\ k * P_3 - K = C_3 ③\\ k * P_4 - K = C_4 ④\\ k * P_5 - K = C_5 ⑤\\ k * P_6 - K = C_6 ⑥\\ 前一组减后一组:\\ k * (P_1 - P_2) = (C_1 - C_2)\\ k * (P_2 - P_3) = (C_2 - C_3)\\ k * (P_3 - P_4) = (C_3 - C_4)\\ k * (P_4 - P_5) = (C_4 - C_5)\\ k * (P_5 - P_6) = (C_5 - C_6)\\
化简一下:k∗P1−K=C1①k∗P2−K=C2②k∗P3−K=C3③k∗P4−K=C4④k∗P5−K=C5⑤k∗P6−K=C6⑥前一组减后一组:k∗(P1−P2)=(C1−C2)k∗(P2−P3)=(C2−C3)k∗(P3−P4)=(C3−C4)k∗(P4−P5)=(C4−C5)k∗(P5−P6)=(C5−C6)
(注意P和p,C和c的差别,每个P由5个p组成,C由5个c组成)
得到:
( k 11 k 12 k 13 k 14 k 15 k 21 k 22 k 23 k 24 k 25 k 31 k 32 k 13 k 34 k 15 k 41 k 42 k 43 k 44 k 45 k 51 k 52 k 53 k 54 k 55 ) 5 ∗ 5 ( P 1 − P 2 P 2 − P 3 P 3 − P 4 P 4 − P 5 P 5 − P 6 ) 5 ∗ 5 = ( C 1 − C 2 C 2 − C 3 C 3 − C 4 C 4 − C 5 C 5 − C 6 ) 5 ∗ 5 \begin{pmatrix} k_{11}&k_{12}&k_{13}&k_{14}&k_{15}\\ k_{21}&k_{22}&k_{23}&k_{24}&k_{25}\\ k_{31}&k_{32}&k_{13}&k_{34}&k_{15}\\ k_{41}&k_{42}&k_{43}&k_{44}&k_{45}\\ k_{51}&k_{52}&k_{53}&k_{54}&k_{55} \end{pmatrix}_{5*5} \begin{pmatrix} P_1 - P_2\\ P_2 - P_3\\ P_3 - P_4\\ P_4 - P_5\\ P_5 - P_6 \end{pmatrix}_{5 * 5}= \begin{pmatrix} C_1 - C_2\\ C_2 - C_3\\ C_3 - C_4\\ C_4 - C_5\\ C_5 - C_6 \end{pmatrix}_{5*5} k11k21k31k41k51k12k22k32k42k52k13k23k13k43k53k14k24k34k44k54k15k25k15k45k55 5∗5 P1−P2P2−P3P3−P4P4−P5P5−P6 5∗5= C1−C2C2−C3C3−C4C4−C5C5−C6 5∗5
其中P,C皆已知,那么密钥矩阵便能求出来,之后利用① 便能将K求出来
未知量全部求出,那么由所给的密文C便能求出flag了
先将字符串转换成对应的数字:
p = 'ZQIUOMCEFZGVRGTBAAAAAJRTKENSNQ'
c = 'WUJQYGCAHAAAAAGDPQXUXHIDTDLIRG'
C = 'OKCZKNCSQ_ULYOKPKW,PL.UXIWX,YCLXZFGBM_SUJLSCOXZT.AIGFZRDCIX,'
mapping_dict = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4, 'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9, 'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14, 'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19, 'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25, '_': 26, ',': 27, '.': 28}
pp = [mapping_dict[char] for char in p]
cc = [mapping_dict[char] for char in c]
CC = [mapping_dict[char] for char in C]
print(pp)
print(cc)
print(CC)
完整exp:
mapping_dict = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4, 'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9, 'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14, 'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19, 'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25, '_': 26, ',': 27, '.': 28}
pp = [25, 16, 8, 20, 14, 12, 2, 4, 5, 25, 6, 21, 17, 6, 19, 1, 0, 0, 0, 0, 0, 9, 17, 19, 10, 4, 13, 18, 13, 16]
cc = [22, 20, 9, 16, 24, 6, 2, 0, 7, 0, 0, 0, 0, 0, 6, 3, 15, 16, 23, 20, 23, 7, 8, 3, 19, 3, 11, 8, 17, 6]
CC = [14, 10, 2, 25, 10, 13, 2, 18, 16, 26, 20, 11, 24, 14, 10, 15, 10, 22, 27, 15, 11, 28, 20, 23, 8, 22, 23, 27, 24, 2, 11, 23, 25, 5, 6, 1, 12, 26, 18, 20, 9, 11, 18, 2, 14, 23, 25, 19, 28, 0, 8, 6, 5, 25, 17, 3, 2, 8, 23, 27]
temp1 = []
temp2 = []
for i in range(0,25,5):
temp1.append([(cc[j] - cc[j+5])%29 for j in range(i,i + 5)])
temp2.append([(pp[j] - pp[j+5])%29 for j in range(i,i + 5)])
# XA = B,求X【求key1】
B = matrix(Zmod(29),temp1).transpose()
A = matrix(Zmod(29),temp2).transpose()
key1 = A.solve_left(B)
#【求key2】
temp3 = matrix(Zmod(29),pp[:5]).transpose()
temp4 = (key1 * temp3).list()
temp5 = cc[:5]
key2 = [(temp5[i] - temp4[i]) % 29 for i in range(5)]
# key1 * P + key2 = C ,求P
m_list = []
for i in range(0,len(CC),5):
tt = CC[i:i+5]
ttt = [(tt[j] - key2[j]) % 29 for j in range(5)]
B = matrix(Zmod(29),ttt).transpose() # B = C - key2 = key1 * P = B
# AX = B 求X 【求最终明文】
P = x.solve_right(B).list()
m_list.extend(P)
# 【明文数字转换成字母】
for i in m_list:
for key, value in mapping_dict.items():
if i == value:
print(key,end = '')
# QUANTUM_CRYPTOGRAPHY_IS_AN_UNBREAKABLE_SYSTEM_OF_ENCRYPTION.
