针对N=p^r*q分解之初探

论文地址:https://eprint.iacr.org/2015/399.pdf

题目:https://www.nssctf.cn/problem/2016

from Crypto.Util.number import bytes_to_long, getPrime

from secret import msg

from sympy import nextprime

from gmpy2 import invert

from hashlib import md5

flag = 'd3ctf{'+md5(msg).hexdigest()+'}'

p = getPrime(256)

q = getPrime(256)

assert p > q

n = p * q

e = 0x10001

m = bytes_to_long(msg)

c = pow(m, e, n)

N = pow(p, 7) * q

phi = pow(p, 6) * (p - 1) * (q - 1)

d1 = getPrime(2000)

d2 = nextprime(d1 + getPrime(1000))

e1 = invert(d1, phi)

e2 = invert(d2, phi)

print(f'c = {c}')

print(f'N = {N}')

print(f'e1 = {e1}')

print(f'e2 = {e2}')

'''

c = 2420624631315473673388732074340410215657378096737020976722603529598864338532404224879219059105950005655100728361198499550862405660043591919681568611707967

N = 1476751427633071977599571983301151063258376731102955975364111147037204614220376883752032253407881568290520059515340434632858734689439268479399482315506043425541162646523388437842149125178447800616137044219916586942207838674001004007237861470176454543718752182312318068466051713087927370670177514666860822341380494154077020472814706123209865769048722380888175401791873273850281384147394075054950169002165357490796510950852631287689747360436384163758289159710264469722036320819123313773301072777844457895388797742631541101152819089150281489897683508400098693808473542212963868834485233858128220055727804326451310080791

e1 = 425735006018518321920113858371691046233291394270779139216531379266829453665704656868245884309574741300746121946724344532456337490492263690989727904837374279175606623404025598533405400677329916633307585813849635071097268989906426771864410852556381279117588496262787146588414873723983855041415476840445850171457530977221981125006107741100779529209163446405585696682186452013669643507275620439492021019544922913941472624874102604249376990616323884331293660116156782891935217575308895791623826306100692059131945495084654854521834016181452508329430102813663713333608459898915361745215871305547069325129687311358338082029

e2 = 1004512650658647383814190582513307789549094672255033373245432814519573537648997991452158231923692387604945039180687417026069655569594454408690445879849410118502279459189421806132654131287284719070037134752526923855821229397612868419416851456578505341237256609343187666849045678291935806441844686439591365338539029504178066823886051731466788474438373839803448380498800384597878814991008672054436093542513518012957106825842251155935855375353004898840663429274565622024673235081082222394015174831078190299524112112571718817712276118850981261489528540025810396786605197437842655180663611669918785635193552649262904644919

'''

这题的话:N=p^r*q

如果

\[|d_2-d_1|<N^{\frac{r(r-1)}{(r+1)^2}}
\]

这题的话,r=7

\[N=p^7*q\\
phi=p^6*(p-1)*(q-1)\\
d_2=d_1+x_0\\
e_1d_1\equiv 1\ mod\ phi\\
e_2d_2\equiv 1\ mod\ phi
\]

将后面的两个式子分别乘以e2,e1,并且作差得到

\[e_1e_2(d_1-d_2)+(e_2-e_1)\equiv 0\ mod\ phi\\
e_1e_2x_0+e_2-e_1\equiv 0\ mod\ phi
\]

等价于等式

\[g(x)=x-a\equiv 0(mod\ p^{r-1})
\]

其中

\[a=(e_2-e_1)(e_1e_2)^{-1}\ (mod\ N)
\]

\[gcd(e_1e_2x-(e_2-e_1),N)=g
\]

exp

from Crypto.Util.number import *

from hashlib import md5

from gmpy2 import iroot

e = 65537

c = 2420624631315473673388732074340410215657378096737020976722603529598864338532404224879219059105950005655100728361198499550862405660043591919681568611707967

N = 1476751427633071977599571983301151063258376731102955975364111147037204614220376883752032253407881568290520059515340434632858734689439268479399482315506043425541162646523388437842149125178447800616137044219916586942207838674001004007237861470176454543718752182312318068466051713087927370670177514666860822341380494154077020472814706123209865769048722380888175401791873273850281384147394075054950169002165357490796510950852631287689747360436384163758289159710264469722036320819123313773301072777844457895388797742631541101152819089150281489897683508400098693808473542212963868834485233858128220055727804326451310080791

e1 = 425735006018518321920113858371691046233291394270779139216531379266829453665704656868245884309574741300746121946724344532456337490492263690989727904837374279175606623404025598533405400677329916633307585813849635071097268989906426771864410852556381279117588496262787146588414873723983855041415476840445850171457530977221981125006107741100779529209163446405585696682186452013669643507275620439492021019544922913941472624874102604249376990616323884331293660116156782891935217575308895791623826306100692059131945495084654854521834016181452508329430102813663713333608459898915361745215871305547069325129687311358338082029

e2 = 1004512650658647383814190582513307789549094672255033373245432814519573537648997991452158231923692387604945039180687417026069655569594454408690445879849410118502279459189421806132654131287284719070037134752526923855821229397612868419416851456578505341237256609343187666849045678291935806441844686439591365338539029504178066823886051731466788474438373839803448380498800384597878814991008672054436093542513518012957106825842251155935855375353004898840663429274565622024673235081082222394015174831078190299524112112571718817712276118850981261489528540025810396786605197437842655180663611669918785635193552649262904644919

a = (e2-e1)*inverse(e1*e2,N) % N

PR.<x> = PolynomialRing(Zmod(N))

f = x - a

res =  f.small_roots(2^1000,beta = 0.4)

x = res[0]

p_6 = int(gcd(x-a,N))

p = int(iroot(int(p_6),6)[0])

q = N//p**7

print(q)

phi = (p-1)*(q-1)

d = inverse(e,phi)

n = p*q

msg = long_to_bytes(int(pow(c,d,n)))

flag = 'd3ctf{'+md5(msg).hexdigest()+'}'

print(flag)

针对N=p^rq分解之初探的更多相关文章

  1. 开源项目audioFlux: 针对音频领域的深度学习工具库

    目录 时频变换 频谱重排 倒谱系数 解卷积 谱特征 音乐信息检索 audioFlux是一个Python和C实现的库,提供音频领域系统.全面.多维度的特征提取与组合,结合各种深度学习网络模型,进行音频领 ...

  2. 解密jQuery内核 DOM操作的核心buildFragment

    文档碎片是什么 http://www.w3.org/TR/REC-DOM-Level-1/level-one-core.html#ID-B63ED1A3 DocumentFragment is a & ...

  3. numpy 辨异(三)—— hstack/column_stack,linalg.eig/linalg.eigh

    1. np.hstack np.column_stack >>> np.hstack([np.array([1, 2, 3]), np.array([4, 5, 6])]) arra ...

  4. 基于HHT和RBF神经网络的故障检测——第二篇论文读后感

    故障诊断主要包括三部分: 1.故障信号检测方法(定子电流信号检测 [ 定子电流幅值和电流频谱 ] ,振动信号检测,温度信号检测,磁通检测法,绝缘检测法,噪声检测法) 2.故障信号的处理方法,即故障特征 ...

  5. 简单RSA攻击方式

    RSA攻击方式总结 1.模数分解 1).解题思路 ​ a).找到RSA算法中的公钥(e,n) ​ b).通过n来找到对应的p和q,然后求得φ(n) ​ c).通过gmpy2.invert或者gmpy2 ...

  6. 针对缓冲区保护技术(ASLR)的一次初探

    0x01 前言 ASLR 是一种针对缓冲区溢出的安全保护技术,通过对堆.栈.共享库映射等线性区布局的随机化,通过增加攻击者预测目的地址的难度,防止攻击者直接定位攻击代码位置,达到阻止溢出攻击的目的的一 ...

  7. ReactNative学习实践--动画初探之加载动画

    学习和实践react已经有一段时间了,在经历了从最初的彷徨到解决痛点时的兴奋,再到不断实践后遭遇问题时的苦闷,确实被这一种新的思维方式和开发模式所折服,react不是万能的,在很多场景下滥用反而会适得 ...

  8. 初探Lambda表达式/Java多核编程【2】并行与组合行为

    今天又翻了一下书的目录,第一章在这之后就结束了.也就是说,这本书所涉及到的新的知识已经全部点到了. 书的其余部分就是对这几个概念做一些基础知识的补充以及更深层次的实践. 最后两个小节的内容较少,所以合 ...

  9. 【GCN】图卷积网络初探——基于图(Graph)的傅里叶变换和卷积

    [GCN]图卷积网络初探——基于图(Graph)的傅里叶变换和卷积 2018年11月29日 11:50:38 夏至夏至520 阅读数 5980更多 分类专栏: # MachineLearning   ...

  10. 07.LoT.UI 前后台通用框架分解系列之——强大的文本编辑器

    LOT.UI分解系列汇总:http://www.cnblogs.com/dunitian/p/4822808.html#lotui LoT.UI开源地址如下:https://github.com/du ...

随机推荐

  1. docker保存、导入、导出和加载tar及其tar.gz

    一.操作tar包1.save和load命令save命令 docker save [options] images [images...]示例 : docker save -o nginx.tar ng ...

  2. Qt编写安防视频监控系统41-秘钥认证

    一.前言 早些年开源过一个秘钥生成器,做的比较粗糙,离真正的商业应用还差点距离,这次在用户的强烈要求下,对秘钥认证这块做了重新的改版,对原有的类进行了重写,重写后一个类不到300行完成所有的事情,并提 ...

  3. [转]Bundle Adjustment简述

    原文链接:https://optsolution.github.io/archives/58892.html或https://blog.csdn.net/optsolution/article/det ...

  4. 字符编码技术专题(一):快速理解ASCII、Unicode、GBK和UTF-8

    本文由阮一峰(ruanyifeng.com)分享,本文收录时有内容修订和排版优化. 1.引言 今天中午,我突然想搞清楚 Unicode 和 UTF-8 之间的关系,就开始查资料. 这个问题比我想象的复 ...

  5. 探探的IM长连接技术实践:技术选型、架构设计、性能优化

    本文由探探服务端高级技术专家张凯宏分享,原题"探探长链接项目的Go语言实践",因原文内容有较多错误,有修订和改动. 1.引言 即时通信长连接服务处于网络接入层,这个领域非常适合用G ...

  6. nginx升级与版本回退

    ginx官网下载安装包http://nginx.org/en/download.html 查看nginx文件或目录find / -name nginx 2>/dev/null 查看已安装的 Ng ...

  7. 今天记录一下vue更改时间格式的js

    首先定义js文件,我这边定义为date.js,里面包含了增加零的处理 //date.jsexport function formatDate(date, fmt) { if (/(y+)/.test( ...

  8. 《C++并发编程实战》读书笔记(1):线程管控

    1.线程的基本管控 包含头文件<thread>后,通过构建std::thread对象启动线程,任何可调用类型都适用于std::thread. void do_some_work(); st ...

  9. 微服务实战系列(三)-springcloud、springboot及maven之间关系-copy

    1 . 问题描述 随着springboot.springcloud的不断迭代升级,开发效率不断提升,越来越多的开发团队加入到spring的大军中,今天用通俗的语言,介绍下什么是springboot,s ...

  10. Spring Boot前后端分离直接访问静态页+ajax实现动态网页

    Spring Boot前后端分离直接访问静态页+ajax实现动态网页. 一般java里面Spring Boot项目的静态资源resources/下面有两个文件夹和一个配置文件,分别是static/目录 ...