# 真・biginner

给出了 m<<10000 十进制的后 175 位。
化为数学公式就是
m*2^10000 %10^175=c
m= c*2^-10000 mod 10^175
m= c*2^-10000 mod 5^175

import gmpy2
from Crypto.Util.number import *
c=1002773875431658367671665822006771085816631054109509173556585546508965236428620487083647585179992085437922318783218149808537210712780660412301729655917441546549321914516504576
a=5**175
m=c*gmpy2.powmod(2,-10000,a) %a
print(long_to_bytes(m))

# ^o^

我们知道
m^o^(2^2^_ mod n)=c
已知 m o _ c
就是只要求
2^2^_ mod n
这里好像因为数据太大算不出来
看了大佬的 wp
设2^_=x*phi+k
2^(x*phi+k) mod n
2^(x*phi)*2^k mod n
根据欧拉定理 2^phi mod n =1
所以上式变为 2^k mod n 而 k=2^_ mod phi
n 可以分解

from Crypto.Util.number import *
import gmpy2
n=126176329335043454027341235009057683290541781096785538088437185779950106283534462102786883
o=22456023784134158064387550786352078427103553489348641216173010466267938277785173301732037264951635050700506776189809535326121257316490294752439819127486709456258090566784874248887194200916292508316349668172694553726134727726937633467532396106605496205841004277926961591604901357597262377953003319850049478502819166543968493292912201066602832545685929727421332846592671475883986049409546411338070434784675992855275254782158499562211464363321053581615280674425860714715529804670567409115827118589244016504450514019111124308126165185658681843519312254372108072512792854040590016772780908271525769845284796145687079308339
_=1138895128842708275167
c=22456023784134158064387550786352078427103553489348641216173010466267938277785173301732037264951635050700506776189809535326121257316490294752439819127486709456258090566784874248887194200916292508316349668172694553726134727726937633467532396106605496205841004277926961591604901357597262377953003319850049478502819166543968493292912201066602832545685929727421332846592671475883986049409546411338070434784675992855275254782158499562211464363321053581615280674425860714715529804670567409115827118589244016504450514019111124308126165145471041075065947806083270394708336810934202426175949363009508477208686445248781032485832
phi=611738358 * 648863388 * 775357618 *  806952672 * 834612802 * 848994660 * 856368370 * 914351298 * 940957050 * 973139886
a=pow(2,_,phi)
b=pow(2,a,n)
print(long_to_bytes(c^o^b))

# so Damn big e?

给了三组 n c e
e 很大尝试 winner 和 boneh 都不行
提示是 Dɪғғᴇʀᴇɴᴄᴇ?ɴo!
difference?
d 应该是相同的

n1 = 0x7e503bdb2d037da083601c2945b668bbad980789cb4671b20fee013295319cc43a5b4defca704474c793fa2bd86eacd5552da0f0dc37a42eafd379d9216c0f3a1687ca42c5aa40500435374495fa0ebce37340bf6f98046c58443497457e4e442206a322ecfb60ee846f7aeb1e72f6804609a194ba9e28d6449a0e06d214525ce043afffd96eb9cb8e09b16722153ba5198bce185b5ad24b845b39a0940e5b9a7ad896c3e472b5d49cdb5956b91ef069d81fe399fcf5f3f02f465896bbf4ecbde7ba9cda0c510f14ba2b0673173c7916c284bf7a63613225ece3563a6d843ef06d731d0404646b97a4bc4a3ec4e77751d3c5fd280bf8b0277ae1cade8b1fbdf9
e1 = 0x45a1ee446ca0df0720f77b576f8c197a5033f5cefec5bc8a2ddd9da021ff389d8991e1822abbe9efe60204094c252195f6a4c898ce4f4ee0ef726bd0fcfe7741749bd9cc1cbbec83cc133743d4c746c2736da2452bfeaea1d031f10719f33fa4ef3b8878951b2b70cead75a608d883968a17cd04f19eb3a58e5d55e01790658248a0a26404131a070d3b3c9cb4a1d9d98eadc392199300fbf5ee472296e36dccef2e796b9b51e6693767d40336875ab62c41231ea9fb90bcad4df203b4459abb8d0e402de474cd802e2bfbc01d3b2d55f96b44ceec56ad6c4f3809cfa30b102bc5edc1607c613734571e1dbdb13ace896d1931a53fc9088ead61d78bc30fe78d
c1 = 0x5b4331a4de52d57c7ff77ae03a75b96629c76509d0fd003c27966ca0bd8a7e1a835eee6fe9b02afe78507b43e9efdb9c13f7cbdacd5d18d45ca98ab5538fbf6500a9b314e7e260bab673ae8a38c41b056bea895953ad7257cf30b9a1ba598a1ef01b251964feb2a63e09d8b699a14f1bf3d464809dab3c514fe7c6f59be9c434a694215ebafe547035323f90a661b9c5c73208ef0cbc21c0e9abbdaa65cc4bbaf8c2c47841aefcabd89bbaa3a6f2a9df6d3d8a0eedbec7c28c94fb369b426449b7d6ec5daed4d07df92d057e02cacbfdda0c94afce396dda307c8cc6ecd51c084fa2cfe3a31edde97018ba0de31b8cdeabe34f51ceebdf8834340605d5d71279
n2 = 0x878717447ff85bff1c360384309b5731edffd0ade56117d3b8b72b2ab9296633437e3f5fb09c57e8658c1dc1de5d7a9ba003923d3e9d8e124afe71c6fd0c9985988961198c5c21ed46dfad45399ec9d4c6a6a0ca793e5c721333db2ceed863bc919544024a2a630e9788e9f5afadbd3a291bbda804ed70c6e9b9a599cb3a4d14ed9325000c19d988a79af2e44ff1e14766a0465837125107a9c2cf7a76980d6f86aaf9f926ea0e46d641d3478112de0824bf9c5e726a7d5b7c92cbc1906d3d778e9a612290e043e2b3afd4f0a806254640772fd25980b009b4136d685e52725482ac61e1b679d13eb0d2b06df080fffc677a1b9afbcf327fba6a3ed8fbc7e22d
e2 = 0x837ebb33e9bbb4a5662d484099db6a435c68d630acdfe317aed1a089fcb9deb4df3c328a36c8f1f14045374e8cd4a75e6480bc04489fbf86a1d324b6c2c31ce11dd50d6cb75f9be5b01d2b756aac22f3c7c17f42b47b9bba52575912faa482214158c935ea1d943d62f2a5242c00771a983b1428edbefbe43b8bcad116e6a110ebc3305f622fe131596889450b16a69b8567086939f7f4766f3cb93c1cc63c0ee1f6b2a4ce0de084b760e1f7dd3d5542a4f958969f0b17f5268eddb78b68d3348ef0e6be831c3846325985170f06ad25f5af5a04ada0f2aa3c93ad8c940966248698e72d6f029b0af9af91634aae13319faf985ce77ec4c35b416a8100050c7d
c2 = 0x26049d5d64a85ad3e89d7933a0d296651d566d71314485d2c4c74e8fa462f0c95d43daca9bbbc2557efd7441286e5de65b6067f9df6eb6b9ece0439f7ce7b0ee5e97607b3de1f7e591461469482975e9e2161e5ef1664b44d994c2d294884e0ddaab5c19a1a292d057dc517c9b4cb2dbdcfdbab02972cfd0a7d00f34320c4bc887ea2531ecf188e50e0f33995770b54affe30ebbce85bff955aa66c8e28e5708b0f3d3f52f07dbe5bf155968a65deb94f877ae7904b3dbc848e29d465452a07c373799a30452985e5b9933a57ca2d5227c40fed42e9537435c9f3221749db451c3861bbf57a4901f81d6794d0ad10ba882e8ba99e320cb12edd0b8c7194ded33
n3 = 0xd0a6712277676e497a6c09871e09ca7e87a0a09cc9c7a402ff12617eb2da499651724c4bfc4bdee713062c93ac852d627954cd59ed95b97d4ace621d8b86b867b9ff4b58c45c83f51fb4dcb12a15eaba0bf7370c29b1178a1bee585c4263ac7c1f0846bf4b5d2e8be1ec7bbaa023a8439deaaeeebd04d1188692a2223820c447606662e27af3f1fc45332dcea5214b05946d65e73bc8e9a17dc5093a2b0241b5166e6310e9bd0e1a20f9a5cb0f1925ba00b71bff78b058a167ee5dcadf428e1d3e4c077710dc073025a7813160fe825c8e3c81ef5e5070226b5d89a1ce86e91b3ce7cf3b5d590fa467a8defb2f96083291a74996dff53dfc44883a6a1c2e4651
e3 = 0x25b452f7ef6177efeb93d117aa856ca788713ff813af2f577246ed3a0a8cf244032197abd38c42677a0b7a3693108207b71ac7c934cc96d8cfafbe27e1a3ecda72796f0c09d9308e14f62be5bd913bb28afb6f92dc7a362e871d0f8667b9f44ffa2bcd240c554da99fe159599d68a9f7c4aa869b44edb382315b3ffb75bd2b12ba60f7ac667551756d13cb88e2be3f9959ab99fc4a063b8b53d208950f6db139d486f5f7351fa75010ad5177c07e4b2226298678518dd5145be36d4901c69949800f5e63be0b9fd7297eb204d76fd8c87217ea30a5495add4b5d901caabc929ee72de78d6ed3ae760c985ff58703f46046352d17926db6bcd57839c0a3ca9cfd
c3 = 0x874354398f60a93239229e47157f12c2c5b34886cacfe9b236ec545a5dc503c9e5cd38552eeb024d7562fed842368bde2e1744b222aa5f857684de402924a1b493c715a679ad17ab2251c1ad8e92fa83f45c4fb33154e09de088704acd4f14a4d3f8099aba4e2e2a4bc3baf35f32485ca67de3338cf0fd2276af6eb35751b0378709cb2aaff033146bc5d2f94fde12cb2286173af2f582b1841db9fb136667f2f90aca690f6041ad84380ecb86b443949d05bee5a08305b26f3efd53d0ae6e2e9cae6c4b4c36b2ae7d826117512e4c1d12dcce75b35d55b737970e3dc809c04b5aa309583e6a9650bd58415805be3c8175bf9546b24c8ce833a402f9b5d2ef35
Ns = [n1, n2, n3]
es = [e1, e2, e3]
cs = [c1, c2, c3]
N = max(Ns)
k = 3
delta = 0.375
epsilon = sqrt(5) * N^(delta-1/2)
n = k
C = int(3^(n+1) * 2 ^ ((n+1)*(n-4)/4) * epsilon^(-n-1))
M = Matrix(ZZ, [[1, -int(C * es[0] / (Ns[0] + 1)), -int(C * es[1] / (Ns[1] + 1)), -int(C * es[2] / (Ns[2] + 1))],
                [0, C, 0, 0],
                [0, 0, C, 0],
                [0, 0, 0, C]])
K = M.LLL()
need_x = K * M.inverse()
x, y1, y2, y3 = -need_x[0]
print(x, y1, y2, y3)
ys = [y1, y2, y3]
print(type(x))
print(Ns[0])
print(type(es[0]))
# print(x)
# print(ys[0])
print(int(es[0] * x / ys[0]))
Ss = [abs(int(Ns[i] + 1 - es[i] * x / ys[i])) for i in range(3)]
Ds = [int(sqrt(Ss[i]^2 - 4 * Ns[i])) for i in range(3)]
pas = [int((Ss[i] + Ds[i])/2) for i in range(3)]
# print(pas)
# print(ciphertexts[0]['p'])
# print(ciphertexts[0]['p'] - pas[0])
ps = []
for i in range(3):
    PR.<x> = PolynomialRing(Zmod(Ns[i]))
    f = x + pas[i]
    f = f.monic()
    # print(f)
    p_solve = f.small_roots(X = 2 ** 160, beta=0.42) # 
    ps.append(int(p_solve[0] + pas[i]))
print(ps)
def decrypt(c, d, n):
    return pow(c, d, n)
from Crypto.Util.number import *
for i in range(3):
    q = Ns[i] // ps[i]
    d = inverse(es[i], (ps[i] - 1) * (q-1))
    print(long_to_bytes(decrypt(cs[i], d, Ns[i])))

大佬的脚本

# Lousy RSA

代码审计
已知 e n
c0 = (r*2^24)^e mod n
c1 = (c^3 mod n + r*2^24)^e mod n
就是 Coppersmith's Shortpad attack
直接套脚本

# Franklin-Reiter attack against RSA.
# If two messages differ only by a known fixed difference between the two messages
# and are RSA encrypted under the same RSA modulus N
# then it is possible to recover both of them.
# Inputs are modulus, known difference, ciphertext 1, ciphertext2.
# Ciphertext 1 corresponds to smaller of the two plaintexts. (The one without the fixed difference added to it)
def franklinReiter(n,e,r,c1,c2):
    R.<X> = Zmod(n)[]
    f1 = X^e - c1
    f2 = (X + r)^e - c2
    # coefficient 0 = -m, which is what we wanted!
    return Integer(n-(compositeModulusGCD(f1,f2)).coefficients()[0])
  # GCD is not implemented for rings over composite modulus in Sage
  # so we do our own implementation. Its the exact same as standard GCD, but with
  # the polynomials monic representation
def compositeModulusGCD(a, b):
    if(b == 0):
        return a.monic()
    else:
        return compositeModulusGCD(b, a % b)
def CoppersmithShortPadAttack(e,n,C1,C2,eps=1/30):
    """
    Coppersmith's Shortpad attack!
    Figured out from: https://en.wikipedia.org/wiki/Coppersmith's_attack#Coppersmith.E2.80.99s_short-pad_attack
    """
    import binascii
    P.<x,y> = PolynomialRing(ZZ)
    ZmodN = Zmod(n)
    g1 = x^e - C1
    g2 = (x+y)^e - C2
    res = g1.resultant(g2)
    P.<y> = PolynomialRing(ZmodN)
    # Convert Multivariate Polynomial Ring to Univariate Polynomial Ring
    rres = 0
    for i in range(len(res.coefficients())):
        rres += res.coefficients()[i]*(y^(res.exponents()[i][1]))
    diff = rres.small_roots(epsilon=eps)
    recoveredM1 = franklinReiter(n,e,diff[0],C1,C2)
    print(recoveredM1)
    print("Message is the following hex, but potentially missing some zeroes in the binary from the right end")
    print(hex(recoveredM1))
    print("Message is one of:")
    # for i in range(8):
    #     msg = hex(Integer(recoveredM1*pow(2,i)))
    #     if(len(msg)%2 == 1):
    #         msg = '0' + msg
    #     if(msg[:2]=='0x'):
    #         msg = msg[:2]
    #     print(binascii.unhexlify(msg))
n = 174324486246368706797369875696431154949507985109580823636508797586027916444803631093979820096354080131009188697471459585235480269518884904218296080625677554764210808485701518333455709354167598696733122008278355512171891384681986269483195309509133593018767111011832503457483041663404694035291873770757106015449
e = 3
C1, C2 = 88554857474269339852350542587956796788714004892624376338962263744306147590687055479228330665088129549575464328512236397812387501900150260467472351323852483274115510618656195946027819867866634308043212616446284716554910529549810773289873546024253185922156211258677734456543059298007223415035206559594581502103, 112732326999517888611419175089443524302591653761429814923847106037636816337706802444535563232240653892157472132168410061883415326501881505694114629236915564055116316663500118393388695858293682251173885215276730055163639055888657121111458082026971631310339083682125210709877457091022108330866304123178910694286
CoppersmithShortPadAttack(e,n,C1,C2,eps=1/30)