标签:pp rp rq pow leak 分站赛 XCTF ACTF mod
impossible RSA:
没啥好说的,跟我之前文章有道题类似,虽然如此还是花费了很长时间,原因令人落泪,把q = inverse(e,p)的数学式写成了eq mod p导致数学式推导及其困难(能推但无用)
解题脚本:
#coding:utf-8
from Crypto.Util.number import *
import math
n = 15987576139341888788648863000534417640300610310400667285095951525208145689364599119023071414036901060746667790322978452082156680245315967027826237720608915093109552001033660867808508307569531484090109429319369422352192782126107818889717133951923616077943884651989622345435505428708807799081267551724239052569147921746342232280621533501263115148844736900422712305937266228809533549134349607212400851092005281865296850991469375578815615235030857047620950536534729591359236290249610371406300791107442098796128895918697534590865459421439398361818591924211607651747970679849262467894774012617335352887745475509155575074809
e = 65537
c = 8273086882440893360458062957389163084656045191542493618199369528956277216626884353986044368396198156428766254991928690583227149075264217246716715502497271453823598984519037301602775476502736840821942623288225980044817912940317041496675271105285924648202112216540495276381694590948153181922044287087121526235593090625653756288948499134042427779455887781328892794911088854654421379942237290840799205667104402295294924690771201447934282318850564703279100891083617354084345663030868007048086929831020873706613566948846194280096109248694845560054847526215721665897469865078997234299897107511688667705001432037926136840958
import gmpy2
for k in range(1, 100000000):
L = gmpy2.iroot(1 + 4 * k * n * e, 2)
if L[1]:
p = (-1 + L[0]) // (2 * k)
q = (p * k + 1) // e
print(p)
print(q)
print(k)
break
k = 46280
p = 150465840847587996081934790667651610347742504431401795762471467800785876172317705268993152743689967775266712089661128372295606682852482012493939368044600366794969553828079064622047080051569090177885299781981209120854290564064662058027679075401901717932024549311396484660557278975525859127898004619405319768113
q = 106253858346069738600667441477316882476975191191010804704017265511396163224664897689076447029585908855140507431062102645373463498213419404889139172575859514095414665779078979976323891310048026205540865067215318951327289428947198682355325809994354509756230772573224732747769822710641878029801786071777441733193
phi = (p - 1) * (q - 1)
# print(phi)
print(gmpy2.gcd(e, phi))
#ed mod phi 余 1
d = gmpy2.invert(e, phi)
print(d)
m = pow(c, d, n)
# m = m
print(long_to_bytes(m))
flag:ACTF{F1nD1nG_5pEcia1_n_i5_nOt_eA5y}
RSA leak:
题目如下:
from sage.all import *
from secret import flag
from Crypto.Util.number import bytes_to_long
def leak(a, b):
p = random_prime(pow(2, 64))
q = random_prime(pow(2, 64))
n = p*q
e = 65537
print(n)
print((pow(a, e) + pow(b, e) + 0xdeadbeef) % n)
def gen_key():
a = randrange(0, pow(2,256))
b = randrange(0, pow(2,256))
p = pow(a, 4)
q = pow(b, 4)
rp = randrange(0, pow(2,24))
rq = randrange(0, pow(2,24))
pp = next_prime(p+rp)
qq = next_prime(q+rq)
if pp % pow(2, 4) == (pp-p) % pow(2, 4) and qq % pow(2, 4) == (qq-q) % pow(2, 4):
n = pp*qq
rp = pp-p
rq = qq-q
return n, rp, rq
n, rp, rq = gen_key()
e = 65537
c = pow(bytes_to_long(flag), e, n)
print("n =", n)
print("e =", e)
print("c =", c)
print("=======leak=======")
leak(rp, rq)
'''
n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743
e = 65537
c = 48433948078708266558408900822131846839473472350405274958254566291017137879542806238459456400958349315245447486509633749276746053786868315163583443030289607980449076267295483248068122553237802668045588106193692102901936355277693449867608379899254200590252441986645643511838233803828204450622023993363140246583650322952060860867801081687288233255776380790653361695125971596448862744165007007840033270102756536056501059098523990991260352123691349393725158028931174218091973919457078350257978338294099849690514328273829474324145569140386584429042884336459789499705672633475010234403132893629856284982320249119974872840
=======leak=======
122146249659110799196678177080657779971
90846368443479079691227824315092288065
'''
解题思路:
这题我在比赛时也没算出来,在公式的推导过程中就走了弯路导致在有限的时间,有限的算力里面是无法解出答案的。废话不多说,来复盘整理一下思路。
审计代码可以得到如下:
(ae + be + A) mod n1 ≡ B (A,B都是已知的常数,k为未知数,n1为函数里的n,为了与外面n区分写为n1)
p = a4 同理可以得q
pp = rp + p 同理可以得qq
pp mod 16 = pp - p mod 16 同理可以得qq-q
根据同余性质可以得到如下:
(ae + be ) ≡ (B-A) mod n1
ae ≡ (B-A-be ) mod n1
因为leak函数里面又是一个rsa,所以可以求rq和rp,脚本如下:
def get_rq_or_rp():
#对leak_x分解得到p1,q1
p = 8949458376079230661
q = 13648451618657980711
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
for rp in range(10000, pow(2, 24)):
rq_e = leak_c - 0xdeadbeef #(a^e + b^e)
rq_e = (rq_e - pow(rp, e, leak_n)) % leak_n
rq = pow(rq_e, d, leak_n)
if len(bin(rq)[2:]) <= 24:
print(rp)
print(rq)
return rp, rq
因为 pp mod 16 = pp-p mod 16,可以推出p+k = pp,因为k远小于p,所以可以近似看成p=pp
则n = pp * qq = p * q
可以推出 pq = (ab)4 从而得到ab,然后得出pq
把 pp = rp + p 以及 qq = rq + q 代入n可以得到如下:
n = (ab)4 + a4 * rq + b4 * rp + rp * rq
可以推出 n - rp * rq - (ab)4 = p * rq + q * rp = M
算出M后,两边同乘q,得到如下式子:
rp * q2 - M * q + pq * rq = 0
解得q,然后q + rq = qq 同理得 pp
完整脚本如下:
#coding:utf-8
from Crypto.Util.number import *
import gmpy2
leak_n = 122146249659110799196678177080657779971
leak_c = 90846368443479079691227824315092288065
n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743
e = 65537
c = 48433948078708266558408900822131846839473472350405274958254566291017137879542806238459456400958349315245447486509633749276746053786868315163583443030289607980449076267295483248068122553237802668045588106193692102901936355277693449867608379899254200590252441986645643511838233803828204450622023993363140246583650322952060860867801081687288233255776380790653361695125971596448862744165007007840033270102756536056501059098523990991260352123691349393725158028931174218091973919457078350257978338294099849690514328273829474324145569140386584429042884336459789499705672633475010234403132893629856284982320249119974872840
def get_rq_or_rp():
#对leak_x分解得到p1,q1
p = 8949458376079230661
q = 13648451618657980711
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
for rp in range(10000, pow(2, 24)):
rq_e = leak_c - 0xdeadbeef #(a^e + b^e)
rq_e = (rq_e - pow(rp, e, leak_n)) % leak_n
rq = pow(rq_e, d, leak_n)
if len(bin(rq)[2:]) <= 24:
return rp, rq
def get_flag(rp, rq):
#n = pp * qq 因为pp = p + k 又因为k<16所以pp约等于p,同理得q
pq_ab4 = (gmpy2.iroot(n, 4)[0])**4
L = n - rp * rq - pq_ab4
#判别式
M = gmpy2.iroot(L ** 2 - 4 * rp * rq * pq_ab4, 2)
if M[1]:
q1 = (L + M[0]) // (2 * rp)
q2 = (L - M[0]) // (2 * rp)
qq1 = q1 + rq
qq2 = q2 + rq
pp1 = n // qq1
pp2 = n // qq2
if pp1 * qq1 == n:
phi = (pp1 - 1) * (qq1 - 1)
d = gmpy2.invert(e, phi)
m = gmpy2.powmod(c, d, n)
print(long_to_bytes(m))
else:
phi = (pp2 - 1) * (qq2 - 1)
d = gmpy2.invert(e, phi)
m = gmpy2.powmod(c, d, n)
print(long_to_bytes(m))
if __name__ == '__main__':
rp, rq = get_rq_or_rp()
if rp and rq:
get_flag(rp, rq)
推导过程用到的性质:
同余式相加:若a≡b(mod m),c≡d(mod m),则a ± c≡b ± d(mod m);
不好理解可以如下例子:
17 mod 13 ≡ 4 即 (15 + 2) mod 13 ≡ 4 推出 15 mod 13 ≡ 2
同余其它性质:
传递性:若a≡b(mod m),b≡c(mod m),则a≡c(mod m); 对称性:若a≡b(mod m),则b≡a (mod m); 反身性:a≡a (mod m); 同余式相乘:若a≡b(mod m),c≡d(mod m),则ac≡bd(mod m)。
总结:
rsa求解主要通过推导出它们之间的关系,所以想每一题都能做出来,要有一个好的数论基础 ,没有基础的话就只能像本人一样边做边学,做不做的出来就要靠临场发挥,好的运气(有时候,你推了半天的公式结果根本无法跑出flag,需要的时间太久了)
标签:pp,rp,rq,pow,leak,分站赛,XCTF,ACTF,mod 来源: https://www.cnblogs.com/nLesxw/p/rsa_leak.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。