高次Rabin算法攻击

题目:

from Crypto.Util.number import *
from gmpy2 import *

flag = b'NSSCTF{******}'

p = getPrime(256)
q = getPrime(256)

assert p%4 == 3 and q%4 == 3

n = p*q
e = 4
m = bytes_to_long(flag)

c = powmod(m, e, n)

print(f'p = {p}')
print(f'q = {q}')
print(f'e = {e}')
print(f'c = {c}')

'''
p = 59146104467364373868799971411233588834178779836823785905639649355194168174467
q = 78458230412463183024731868185916348923227701568297699614451375213784918571587
e = 4
c = 1203393285445255679455330581174083350744414151272999693874069337386260499408999133487149585390696161509841251500970131235102423165932460197848215104528310
'''

解题思路:

我们要的是e=2,那么就把m=4看成(m=2)^2即可,然后我们需要解2次Rabin一共会得到16组解

比如65536是2的16次方,那就需要解16次Rabin

解答:

from Crypto.Util.number import *

p = 59146104467364373868799971411233588834178779836823785905639649355194168174467
q = 78458230412463183024731868185916348923227701568297699614451375213784918571587
e = 4
c = 1203393285445255679455330581174083350744414151272999693874069337386260499408999133487149585390696161509841251500970131235102423165932460197848215104528310

n = p*q

def rabin(c):
    mp = pow(c, (p + 1) // 4, p)
    mq = pow(c, (q + 1) // 4, q)

    yp = inverse(p,q)
    yq = inverse(q,p)

    r = (yp * p * mq + yq * q * mp) % n
    r_ = n - r
    s = (yp * p * mq - yq * q * mp) % n
    s_ = n - s
    return r,r_,s,s_

c_list = rabin(c)
for c in c_list:
    cc = rabin(c)
    for c in cc:
        flag = long_to_bytes(c)
        if b'NSSCTF' in flag:
            print(flag)
#NSSCTF{9c66047c-72da-49b6-9856-00fd46969fc7}