1、[WUSTCTF2020]dp_leaking_1s_very_d
考点:RSA—dp泄露
(1)题目:
e=
n=
c=
dp=
(2)原理:
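dp ≡ d (mod p-1)
dp*e ≡ d*e (mod p-1)
又因为 d*e = k1(p-1)(q-1)+1,所以 dp*e=(p-1)(k1(q-1)+k2)+1
我们知道dp<p-1;令 X=k1(q-1)+k2,则 X=(dp*e-1)/(p-1)<e,所以 X 的范围确定为[1,e);然后对 X 暴力求解:当 (dp*e-1) 能被 X 整除且 (dp*e-1)/X+1 整除 n 时,该值即为 p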
import gmpy2
import libnum
e=
n=
c=
dp=
# Recover p from the leaked CRT exponent dp.
# dp*e - 1 is a multiple of (p - 1) and the cofactor is smaller than e, so
# trying every cofactor in [1, e) is enough to find p.  This is why dp/dq
# must be protected exactly like d: together with the public key, either
# one is sufficient to factor n.
ed_minus_1 = dp * e - 1
for i in range(1, e):
    quotient, remainder = divmod(ed_minus_1, i)
    if remainder != 0:
        continue
    candidate = quotient + 1
    # A genuine p - 1 gives a candidate that divides the modulus.
    if n % candidate != 0:
        continue
    p = candidate
    q = n // p
    phi = (p - 1) * (q - 1)
    d = gmpy2.invert(e, phi)
    # Decrypt and print the plaintext as bytes.
    print(libnum.n2s(int(gmpy2.powmod(c, d, n))))
    break
#flag{dp_leaking_1s_very_d@angerous}
2、[MRCTF2020]Easy_RSA
考点:RSA—特殊题型
(1)题目:
import sympy
from gmpy2 import gcd, invert#gcd求解最大公约数 invert求解模逆
from random import randint#导入随机数
from Crypto.Util.number import getPrime, isPrime, getRandomNBitInteger, bytes_to_long, long_to_bytes
import base64#base64编码
from zlib import *
# Plaintext that the __main__ block encrypts; presumably a redacted
# placeholder for the real flag in the published challenge source.
flag = b"MRCTF{XXXX}"
# Public exponent assigned to _E for the final encryption.
base = 65537
def gen_prime(N):
    """Return a random N-bit prime that is congruent to 5 modulo 8.

    Primes are drawn with getPrime(N) until one satisfies the congruence.
    Nothing in the code visible on this page calls this helper.
    """
    while True:
        candidate = getPrime(N)
        if candidate % 8 == 5:
            return candidate
def gen_p():
    """Print an inner RSA modulus with its totient and return the prime _P.

    Draws two 1024-bit primes p < q, prints ``P_n = p*q`` and
    ``P_F_n = (p-1)*(q-1)``, and returns the next prime after
    ``2021*p + 2020*q``.

    NOTE(review): printing phi(n) next to n discloses
    p + q = n - phi(n) + 1, so p and q are the roots of a quadratic with
    known coefficients. The returned prime is therefore reproducible from
    the printed output; a totient must never be published with its modulus.
    """
    p = getPrime(1024)
    q = getPrime(1024)
    # Raises AssertionError whenever the random draw gives p >= q.
    assert p < q
    modulus = p * q
    print("P_n = ", modulus)
    totient = (p - 1) * (q - 1)
    print("P_F_n = ", totient)
    # Same effect as the sign flip in the original guard.
    seed = abs(2021 * p + 2020 * q)
    return sympy.nextprime(seed)
def gen_q():
    """Print an inner RSA modulus with the product e*d and return the prime _Q.

    Draws two 1024-bit primes p < q, prints ``Q_n = p*q``, picks a random
    53-bit e coprime to phi(n), prints ``Q_E_D = e*d`` where d is the
    inverse of e modulo phi(n), and returns the next prime after
    ``|2021*p - 2020*q|``.

    NOTE(review): e*d - 1 is a multiple of phi(n). The solver on this page
    recovers phi(n) from Q_E_D and Q_n alone, which again exposes p and q.
    Publishing e*d is equivalent to publishing the private key.
    """
    p = getPrime(1024)
    q = getPrime(1024)
    # Raises AssertionError whenever the random draw gives p >= q.
    assert p < q
    modulus = p * q
    print("Q_n = ", modulus)
    totient = (p - 1) * (q - 1)
    # Resample e until it is invertible modulo phi(n).
    e = getRandomNBitInteger(53)
    while gcd(e, totient) != 1:
        e = getRandomNBitInteger(53)
    d = invert(e, totient)
    print("Q_E_D = ", e * d)
    # The difference can be negative; only its absolute value is used.
    seed = abs(2021 * p - 2020 * q)
    return sympy.nextprime(seed)
if __name__ == "__main__":
    # Outer RSA key: exponent `base`, primes derived by gen_p() and gen_q().
    _E = base
    _P = gen_p()
    _Q = gen_q()
    outer_totient = (_P - 1) * (_Q - 1)
    # The exponent must be invertible modulo the outer totient.
    assert gcd(_E, outer_totient) == 1
    _M = bytes_to_long(flag)
    outer_modulus = _P * _Q
    # Textbook RSA with no padding; only the ciphertext is printed here,
    # while gen_p()/gen_q() have already printed their own values.
    _C = pow(_M, _E, outer_modulus)
    print("Ciphertext = ", _C)
'''
P_n =
P_F_n =
Q_n =
Q_E_D =
Ciphertext =
'''
(2)题解
#计算第一组p q
P_n=p*q
P_F_n=(p-1)(q-1)=pq - p - q + 1-->P_F_n = P_n - p - q + 1
-->p + q = P_n - P_F_n + 1
(1)p + q = P_n - P_F_n + 1
(2)pq=P_n #根据(1)(2)就可以算出p1和q1:它们是方程 x^2 - (p+q)x + pq = 0 的两个根
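#计算phi;现在知道了Q_n以及Q_E_D,可算出第二组的phi
Q_n =p*q
Q_E_D =e*d≡1 (mod phi)-->其中phi=(p-1)(q-1)=Q_n-p-q+1
由 e*d-1=k*phi 且 phi 略小于 Q_n(e 只有53位,k 很小),可得 k=(Q_E_D-1)//Q_n+1,phi=(Q_E_D-1)//k;之后同第一组一样由 Q_n 和 phi 解出 p q
根据下面的就可以算出P Q;和D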
根据main函数可知道:_P是(2021 * p + 2020 * q)的下一个素数
_Q是(2021 * p - 2020 * q)的下一个素数;首先可以算出_P _Q
算出P Q 和phi ;并且知道e c;那么就可以解密M
import gmpy2
import sympy
from Crypto.Util.number import long_to_bytes
P_n =
P_F_n =
Q_n =
Q_E_D =
Ciphertext =
e=
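# Recover p and q from a modulus and its totient.
def get_fac(n, fai_n):
    """Factor n = p*q given phi(n) = (p-1)*(q-1).

    Since p + q = n - phi(n) + 1, p and q are the two roots of
    x^2 - (p+q)*x + n = 0, so they follow from an integer square root of
    the discriminant.

    Args:
        n: The RSA modulus p*q.
        fai_n: Its totient (p-1)*(q-1).

    Returns:
        The tuple (p, q) with p <= q, as plain integers.

    Raises:
        ValueError: If the pair (n, fai_n) is inconsistent, i.e. the
            discriminant is negative or the recovered factors do not
            multiply back to n. The original silently returned wrong
            factors in that case because it ignored whether the root was
            exact.
    """
    import math

    p_q_sum = n - fai_n + 1
    discriminant = p_q_sum * p_q_sum - 4 * n
    if discriminant < 0:
        raise ValueError("n and phi(n) are inconsistent: negative discriminant")
    # The discriminant equals (q - p)^2 for a genuine (n, phi) pair.
    difference = math.isqrt(discriminant)
    p = (p_q_sum - difference) // 2
    q = p_q_sum - p
    # An inexact square root shows up here as a product different from n.
    if p * q != n:
        raise ValueError("n and phi(n) are inconsistent: factors do not multiply to n")
    return p, q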
# Recover phi(Q_n) from Q_E_D: e*d - 1 = k * phi(Q_n), and since phi(Q_n)
# is only slightly smaller than Q_n while k stays below the 53-bit e,
# k is floor((e*d - 1) / Q_n) + 1.
ed_minus_1 = Q_E_D - 1
k = ed_minus_1 // Q_n + 1
Q_fai_n = ed_minus_1 // k
# Factor both inner moduli from their (modulus, totient) pairs.
P_p, P_q = get_fac(P_n, P_F_n)
Q_p, Q_q = get_fac(Q_n, Q_fai_n)
# Rebuild the outer primes the same way gen_p() and gen_q() derive them.
factor1 = abs(2021 * P_p + 2020 * P_q)
P = sympy.nextprime(factor1)
factor2 = abs(2021 * Q_p - 2020 * Q_q)
Q = sympy.nextprime(factor2)
# Sanity check that both reconstructed values are prime.
assert sympy.isprime(P), "P is not prime!"
assert sympy.isprime(Q), "Q is not prime!"
# Totient of the outer modulus P*Q; the private exponent D is derived from
# it in the statement that follows.
fai_n = (P - 1) * (Q - 1)
D = gmpy2