安全矩阵

 找回密码
 立即注册
搜索
查看: 3017|回复: 1

已知高位攻击

[复制链接]

46

主题

165

帖子

731

积分

高级会员

Rank: 4

积分
731
发表于 2021-11-19 09:25:55 | 显示全部楼层 |阅读模式
本帖最后由 pukr 于 2021-12-7 21:52 编辑

1. 已知p高位2.2021赣网杯coppersmith
持续更新


回复

使用道具 举报

46

主题

165

帖子

731

积分

高级会员

Rank: 4

积分
731
 楼主| 发表于 2021-11-19 09:59:25 | 显示全部楼层
已知P高位:
[对RSA-Factoring with High Bits Known理解](https://www.jianshu.com/p/1a0e876d5929)
这篇文章把原理讲解了,我只会用脚本,格基规约还在学习中.....
以这道CTF题目为例:

  1. from Crypto.Util.number import *
  2. import binascii
  3. import gmpy2
  4. flag = '*****************************************'
  5. hex_flag=int(flag.encode("hex"),16)

  6. p=getPrime(256)
  7. q=getPrime(256)
  8. n=p*q

  9. e=getPrime(100)

  10. c=pow(hex_flag,e,n)

  11. p=((p>>60)<<60)

  12. print("n=",hex(n))
  13. print("p=",hex(p))
  14. print("e=",hex(e))
  15. print("c=",hex(c))
  16. '''
  17. ('n=', '0x558477ce1d081f831cfa159290ee4fd14888422c216a16ad86e2b2d4335e3cb18ed0120a955f970b17b229a8e7d0ae1b6f0c40213ad0e127eba99ae0d8a82397L')
  18. ('p=', '0x8fbcbb7d1e9f393ee21b537d6e0bd2cf8629e315f4e356c1e000000000000000L')
  19. ('e=', '0xf7278179324b11fd83d08aa6fL')
  20. ('c=', '0x36e1c09ccad45cd63a0f07e704d3811c39d70cdfdad999d2df90255a76c58cf6fe99ac1ab1d5d99a4ce1a2ebdbfbc49ce72df2a0b90766ff84ab0ef62068d46bL')
  21. '''
复制代码
首先通过sage分解n:
[在线运行sage](https://sagecell.sagemath.org/)

  1. n = 0x558477ce1d081f831cfa159290ee4fd14888422c216a16ad86e2b2d4335e3cb18ed0120a955f970b17b229a8e7d0ae1b6f0c40213ad0e127eba99ae0d8a82397L
  2. p_fake = 0x8fbcbb7d1e9f393ee21b537d6e0bd2cf8629e315f4e356c1e000000000000000L

  3. # pbits = p_fake.nbits()
  4. pbits = 256
  5. kbits = 60  #p失去的低位
  6. pbar = p_fake & (2^pbits-2^kbits)
  7. print("upper %d bits (of %d bits) is given" % (pbits-kbits, pbits))

  8. PR.<x> = PolynomialRing(Zmod(n))
  9. f = x + pbar

  10. x0 = f.small_roots(X=2^kbits, beta=0.4)[0]  # find root < 2^kbits with factor >= n^0.3
  11. p= x0 + pbar
  12. print(p)
复制代码
​​
这样就得到了p,接下来就是常规解题了:
  1. from Crypto.Util.number import *
  2. import gmpy2
  3. import binascii
  4. # from sage import *

  5. n = 0x558477ce1d081f831cfa159290ee4fd14888422c216a16ad86e2b2d4335e3cb18ed0120a955f970b17b229a8e7d0ae1b6f0c40213ad0e127eba99ae0d8a82397
  6. p = 65014198595370482567008424566891688124621484545138665561606519358457336776131
  7. e = 0xf7278179324b11fd83d08aa6f
  8. c = 0x36e1c09ccad45cd63a0f07e704d3811c39d70cdfdad999d2df90255a76c58cf6fe99ac1ab1d5d99a4ce1a2ebdbfbc49ce72df2a0b90766ff84ab0ef62068d46b
  9. pp = binascii.b2a_hex(long_to_bytes(p)).decode()
  10. print(pp)
  11. ppp = 0x8fbcbb7d1e9f393ee21b537d6e0bd2cf8629e315f4e356c1e7c5e22d8cff45c3
  12. q = n // ppp
  13. phi = (ppp-1)*(q-1)
  14. d = gmpy2.invert(e, phi)
  15. m = pow(c, d, n)
  16. print(long_to_bytes(m))
复制代码


回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-27 22:43 , Processed in 0.017429 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表