文章目录
- 题目
- 解题思路
- 解题代码
题目
import os
import gmpy2
from Crypto.Util.number import *
import random
from secrets import flag
def pad(s,l):return s + os.urandom(l - len(s))
def gen():g = getPrime(8)while True:p = g * random.getrandbits(138) + 1if isPrime(p):breakwhile True:q = g * random.getrandbits(138) + 1if isPrime(q):breakN = p ** 5 * qphi = p ** 4 * (p - 1) * (q - 1)d = random.getrandbits(256)e = inverse(d, phi)E = e * ghint = gmpy2.gcd(E, phi)return N, E, hintflag = pad(flag,64)
m = bytes_to_long(flag)
n,e,hint = gen()
c = pow(m,e,n)
print(f'hint = {hint}')
print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')
# hint = 251
# n = 108960799213330048807537253155955524262938083957673388027650083719597357215238547761557943499634403020900601643719960988288543702833581456488410418793239589934165142850195998163833962875355916819854378922306890883033496525502067124670576471251882548376530637034077
# e = 3359917755894163258174451768521610910491402727660720673898848239095553816126131162471035843306464197912997253011899806560624938869918893182751614520610693643690087988363775343761651198776860913310798127832036941524620284804884136983215497742441302140070096928109039
# c = 72201537621260682675988549650349973570539366370497258107694937619698999052787116039080427209958662949131892284799148484018421298241124372816425123784602508705232247879799611203283114123802597553853842227351228626180079209388772101105198454904371772564490263034162解题思路
根据题目代码,得到如下信息
p = g ∗ a + 1 , q = g ∗ b + 1 p = g*a+1,q = g*b+1 p=g∗a+1,q=g∗b+1
E = e g E = eg E=eg
p h i = p 4 ( p − 1 ) ∗ ( q − 1 ) = p 4 g 2 a b phi = p^4(p-1)*(q-1)=p^4g^2ab phi=p4(p−1)∗(q−1)=p4g2ab
又因为 g c d ( E , p h i ) = h i n t = 251 gcd(E,phi) = hint=251 gcd(E,phi)=hint=251
由此得到, g = 251 g = 251 g=251
进而可以得到 e = E g e = \frac{E}{g} e=gE
根据论文
New attacks on RSA with Moduli N = p r q N = p ^rq N=prq
部分
我们可以将 e d ≡ 1 m o d p 4 ( p − 1 ) ∗ ( q − 1 ) ed \equiv 1 \space mod \space p^4(p-1)*(q-1) ed≡1 mod p4(p−1)∗(q−1)
转化为
e d ≡ 1 m o d p 4 ed \equiv 1 \space mod \space p^4 ed≡1 mod p4
由此可以构建一个多项式环
f = e d − 1 m o d p 4 f = ed-1 \space mod \space p^4 f=ed−1 mod p4
其中d为256bit
#sage
n = 108960799213330048807537253155955524262938083957673388027650083719597357215238547761557943499634403020900601643719960988288543702833581456488410418793239589934165142850195998163833962875355916819854378922306890883033496525502067124670576471251882548376530637034077
e = 3359917755894163258174451768521610910491402727660720673898848239095553816126131162471035843306464197912997253011899806560624938869918893182751614520610693643690087988363775343761651198776860913310798127832036941524620284804884136983215497742441302140070096928109039
c = 72201537621260682675988549650349973570539366370497258107694937619698999052787116039080427209958662949131892284799148484018421298241124372816425123784602508705232247879799611203283114123802597553853842227351228626180079209388772101105198454904371772564490263034162
R.<x> = PolynomialRing(Zmod(n))
f = (e//251)*x - 1
root = f.monic().small_roots(X = 2^256,beta=0.5)
print(root)
解出d为
d = 39217838246811431279243531729119914044224429322696785472959081158748864949269
又有
e d − 1 ≡ 0 m o d p 4 ed-1 \equiv0 \space mod \space p^4 ed−1≡0 mod p4
进而可以求出 p = g c d ( e d − 1 , n ) 4 p= \sqrt[4]{gcd(ed-1,n)} p=4gcd(ed−1,n)
由于 g c d ( e , p h i ) = 251 gcd(e,phi)=251 gcd(e,phi)=251
所以转为有限域下开根
flag经过pad之后长度为512bit,而p和q只有146bit,组合p和q再crt是不够计算出flag的。
因此,我们将在模n的RSA转为在模 p 5 p^5 p5下的RSA
n = p 5 n = p^5 n=p5
p h i = p 4 ( p − 1 ) phi = p^4(p-1) phi=p4(p−1)
m 251 = p o w ( c , d , p 5 ) m^{251} = pow(c,d,p^5) m251=pow(c,d,p5)
一开始想用常规有限域下开根去解方程
#sage
R.<x> = Zmod(p^5)[]
f = x^251-m
f = f.monic()
results1 = f.roots()
不知道啥情况,一直没有解
但是捏
山重水复疑无路,柳暗花明又一春
找到了一个新的用法
我们可以利用nth_root()求出在模 p 5 p^5 p5下的 m m m所有可能的根
再遍历所有的根,直到找到flag为止
解题代码
#sage
from Crypto.Util.number import *
import gmpy2n = 108960799213330048807537253155955524262938083957673388027650083719597357215238547761557943499634403020900601643719960988288543702833581456488410418793239589934165142850195998163833962875355916819854378922306890883033496525502067124670576471251882548376530637034077
e = 3359917755894163258174451768521610910491402727660720673898848239095553816126131162471035843306464197912997253011899806560624938869918893182751614520610693643690087988363775343761651198776860913310798127832036941524620284804884136983215497742441302140070096928109039
c = 72201537621260682675988549650349973570539366370497258107694937619698999052787116039080427209958662949131892284799148484018421298241124372816425123784602508705232247879799611203283114123802597553853842227351228626180079209388772101105198454904371772564490263034162#get d and p
R.<x> = PolynomialRing(Zmod(n))
f = (e//251)*x - 1
root = f.monic().small_roots(X = 2^256,beta=0.5)
d = int(root[0])
p_4 = GCD(e//251*d-1,n)
p = gmpy2.iroot(p_4,4)[0]#find all possible roots to ergodic flag
phi = p^4*(p-1)
d1 = inverse_mod(e//251,phi)
m = pow(c,d,p^5)
result = Zmod(p^5)(m).nth_root(251,all=True)
for i in result:flag = long_to_bytes(int(i))if b'flag{' in flag:print(flag)break
flag:
flag{4b68c7eece6be865f6da2a4323edd491}
【等人是一件很开心的事情啊,如果等着人又能马上见着面就更幸福哩。】
