papper实现-K-RSA-Moduli

第一次复现papper，听学长说这种能力需要提升，毕竟能学到不少呀

复现paper

https://eprint.iacr.org/2014/549.pdf

之前ctfshow密码挑战遗留的一道题目，由于当时格搞不太明白，就放下了，昨天刚总结完Wienerattack-extend，感觉有相同之处，就顺带把这个知识补了

上题!

so Damn big e?

hint:Dɪғғᴇʀᴇɴᴄᴇ?ɴo!

n1 = 0x7e503bdb2d037da083601c2945b668bbad980789cb4671b20fee013295319cc43a5b4defca704474c793fa2bd86eacd5552da0f0dc37a42eafd379d9216c0f3a1687ca42c5aa40500435374495fa0ebce37340bf6f98046c58443497457e4e442206a322ecfb60ee846f7aeb1e72f6804609a194ba9e28d6449a0e06d214525ce043afffd96eb9cb8e09b16722153ba5198bce185b5ad24b845b39a0940e5b9a7ad896c3e472b5d49cdb5956b91ef069d81fe399fcf5f3f02f465896bbf4ecbde7ba9cda0c510f14ba2b0673173c7916c284bf7a63613225ece3563a6d843ef06d731d0404646b97a4bc4a3ec4e77751d3c5fd280bf8b0277ae1cade8b1fbdf9
e1 = 0x45a1ee446ca0df0720f77b576f8c197a5033f5cefec5bc8a2ddd9da021ff389d8991e1822abbe9efe60204094c252195f6a4c898ce4f4ee0ef726bd0fcfe7741749bd9cc1cbbec83cc133743d4c746c2736da2452bfeaea1d031f10719f33fa4ef3b8878951b2b70cead75a608d883968a17cd04f19eb3a58e5d55e01790658248a0a26404131a070d3b3c9cb4a1d9d98eadc392199300fbf5ee472296e36dccef2e796b9b51e6693767d40336875ab62c41231ea9fb90bcad4df203b4459abb8d0e402de474cd802e2bfbc01d3b2d55f96b44ceec56ad6c4f3809cfa30b102bc5edc1607c613734571e1dbdb13ace896d1931a53fc9088ead61d78bc30fe78d
c1 = 0x5b4331a4de52d57c7ff77ae03a75b96629c76509d0fd003c27966ca0bd8a7e1a835eee6fe9b02afe78507b43e9efdb9c13f7cbdacd5d18d45ca98ab5538fbf6500a9b314e7e260bab673ae8a38c41b056bea895953ad7257cf30b9a1ba598a1ef01b251964feb2a63e09d8b699a14f1bf3d464809dab3c514fe7c6f59be9c434a694215ebafe547035323f90a661b9c5c73208ef0cbc21c0e9abbdaa65cc4bbaf8c2c47841aefcabd89bbaa3a6f2a9df6d3d8a0eedbec7c28c94fb369b426449b7d6ec5daed4d07df92d057e02cacbfdda0c94afce396dda307c8cc6ecd51c084fa2cfe3a31edde97018ba0de31b8cdeabe34f51ceebdf8834340605d5d71279
n2 = 0x878717447ff85bff1c360384309b5731edffd0ade56117d3b8b72b2ab9296633437e3f5fb09c57e8658c1dc1de5d7a9ba003923d3e9d8e124afe71c6fd0c9985988961198c5c21ed46dfad45399ec9d4c6a6a0ca793e5c721333db2ceed863bc919544024a2a630e9788e9f5afadbd3a291bbda804ed70c6e9b9a599cb3a4d14ed9325000c19d988a79af2e44ff1e14766a0465837125107a9c2cf7a76980d6f86aaf9f926ea0e46d641d3478112de0824bf9c5e726a7d5b7c92cbc1906d3d778e9a612290e043e2b3afd4f0a806254640772fd25980b009b4136d685e52725482ac61e1b679d13eb0d2b06df080fffc677a1b9afbcf327fba6a3ed8fbc7e22d
e2 = 0x837ebb33e9bbb4a5662d484099db6a435c68d630acdfe317aed1a089fcb9deb4df3c328a36c8f1f14045374e8cd4a75e6480bc04489fbf86a1d324b6c2c31ce11dd50d6cb75f9be5b01d2b756aac22f3c7c17f42b47b9bba52575912faa482214158c935ea1d943d62f2a5242c00771a983b1428edbefbe43b8bcad116e6a110ebc3305f622fe131596889450b16a69b8567086939f7f4766f3cb93c1cc63c0ee1f6b2a4ce0de084b760e1f7dd3d5542a4f958969f0b17f5268eddb78b68d3348ef0e6be831c3846325985170f06ad25f5af5a04ada0f2aa3c93ad8c940966248698e72d6f029b0af9af91634aae13319faf985ce77ec4c35b416a8100050c7d
c2 = 0x26049d5d64a85ad3e89d7933a0d296651d566d71314485d2c4c74e8fa462f0c95d43daca9bbbc2557efd7441286e5de65b6067f9df6eb6b9ece0439f7ce7b0ee5e97607b3de1f7e591461469482975e9e2161e5ef1664b44d994c2d294884e0ddaab5c19a1a292d057dc517c9b4cb2dbdcfdbab02972cfd0a7d00f34320c4bc887ea2531ecf188e50e0f33995770b54affe30ebbce85bff955aa66c8e28e5708b0f3d3f52f07dbe5bf155968a65deb94f877ae7904b3dbc848e29d465452a07c373799a30452985e5b9933a57ca2d5227c40fed42e9537435c9f3221749db451c3861bbf57a4901f81d6794d0ad10ba882e8ba99e320cb12edd0b8c7194ded33
n3 = 0xd0a6712277676e497a6c09871e09ca7e87a0a09cc9c7a402ff12617eb2da499651724c4bfc4bdee713062c93ac852d627954cd59ed95b97d4ace621d8b86b867b9ff4b58c45c83f51fb4dcb12a15eaba0bf7370c29b1178a1bee585c4263ac7c1f0846bf4b5d2e8be1ec7bbaa023a8439deaaeeebd04d1188692a2223820c447606662e27af3f1fc45332dcea5214b05946d65e73bc8e9a17dc5093a2b0241b5166e6310e9bd0e1a20f9a5cb0f1925ba00b71bff78b058a167ee5dcadf428e1d3e4c077710dc073025a7813160fe825c8e3c81ef5e5070226b5d89a1ce86e91b3ce7cf3b5d590fa467a8defb2f96083291a74996dff53dfc44883a6a1c2e4651
e3 = 0x25b452f7ef6177efeb93d117aa856ca788713ff813af2f577246ed3a0a8cf244032197abd38c42677a0b7a3693108207b71ac7c934cc96d8cfafbe27e1a3ecda72796f0c09d9308e14f62be5bd913bb28afb6f92dc7a362e871d0f8667b9f44ffa2bcd240c554da99fe159599d68a9f7c4aa869b44edb382315b3ffb75bd2b12ba60f7ac667551756d13cb88e2be3f9959ab99fc4a063b8b53d208950f6db139d486f5f7351fa75010ad5177c07e4b2226298678518dd5145be36d4901c69949800f5e63be0b9fd7297eb204d76fd8c87217ea30a5495add4b5d901caabc929ee72de78d6ed3ae760c985ff58703f46046352d17926db6bcd57839c0a3ca9cfd
c3 = 0x874354398f60a93239229e47157f12c2c5b34886cacfe9b236ec545a5dc503c9e5cd38552eeb024d7562fed842368bde2e1744b222aa5f857684de402924a1b493c715a679ad17ab2251c1ad8e92fa83f45c4fb33154e09de088704acd4f14a4d3f8099aba4e2e2a4bc3baf35f32485ca67de3338cf0fd2276af6eb35751b0378709cb2aaff033146bc5d2f94fde12cb2286173af2f582b1841db9fb136667f2f90aca690f6041ad84380ecb86b443949d05bee5a08305b26f3efd53d0ae6e2e9cae6c4b4c36b2ae7d826117512e4c1d12dcce75b35d55b737970e3dc809c04b5aa309583e6a9650bd58415805be3c8175bf9546b24c8ce833a402f9b5d2ef35

分析

emm，根据hint可知三次加密的d相同(嗯，我反正没get到，但是主要学知识，脑洞就不管了)

从题目所给的数据我们可以看到每组e和n的量级都是接近的，但是我们并不能通过Wiener甚至更强的Boneh and Durfee attack得到结果，原因是d还不够小，否则他也不会给你三组了

paper介绍了这么一种攻击方式，在给出多组模数n和指数e的情况下如果d是相同的能够在对d的大小限制更松的情况下找到d的解

标记paper中有关此攻击的几个关键点

我们做的就是实现Theorem5的过程

首先我们有一组等式

e_id-k_iφ(n_i)=1 [i=1,2,3] (就一般还是用的欧拉函数如果使用卡米歇尔函数的话类似推理即可)

e_id-k_i(n_i+1)=1+k_i(p_i+q_i) =>\(\frac{e_id}{n_i+1}-k_i=\frac{1+ki(p_i+q_i)}{n_i+1}\)

基于这个方程组我们得

(-d -k₁ -k₂ -k₃)\(\left[\begin{matrix}1&-\frac{e_1}{n_i+1}&-\frac{e_2}{n_i+1}&-\frac{e_3}{n_i+1}\\&1&&&\\&&1&\\&&&1\end{matrix}\right]\)=(-d \(\frac{1+k1(p_1+q_1)}{n_1+1}\) \(\frac{1+k1(p_1+q_1)}{n_1+1}\) \(\frac{1+k3(p_3+q_3)}{n_3+1}\))

我们希望通过LLL算法求出向量(d k₁ k₂ k₃)

根据Minkowsiki约束我们调一个L*=diag(c c c c)

由图二的证明我们限制了左式大小，记ε=\(\sqrt{5}N^{θ-\frac{1}{2}}\)，

\(\frac{e_id}{n_i+1}-k_i<ε\)

具体计算paper中有提到，最后取到c=\(3^{n+1}2^{\frac{(n+1)(n-4)}{4}}ε^{-n-1}\)

此时我们能通过格基规约得到(d,k₁,k₂,k₃)

由原方程式变形=>p_i+q_i=\(\frac{e_id}{k_i}-(n_i+1)-\frac{1}{k~i~}\)

记\(\frac{e_id}{k_i}-(n_i+1)\)=S

由图1我们可由S得到p的近似且相差不到\(N^{\frac{1}{4}}\)这意味着我们有可能通过copper还原p从而达到分解N的效果

根据paper的示例过一遍，就差不多能够理解了

代码

import gmpy2
n1 = 0x7e503bdb2d037da083601c2945b668bbad980789cb4671b20fee013295319cc43a5b4defca704474c793fa2bd86eacd5552da0f0dc37a42eafd379d9216c0f3a1687ca42c5aa40500435374495fa0ebce37340bf6f98046c58443497457e4e442206a322ecfb60ee846f7aeb1e72f6804609a194ba9e28d6449a0e06d214525ce043afffd96eb9cb8e09b16722153ba5198bce185b5ad24b845b39a0940e5b9a7ad896c3e472b5d49cdb5956b91ef069d81fe399fcf5f3f02f465896bbf4ecbde7ba9cda0c510f14ba2b0673173c7916c284bf7a63613225ece3563a6d843ef06d731d0404646b97a4bc4a3ec4e77751d3c5fd280bf8b0277ae1cade8b1fbdf9
e1 = 0x45a1ee446ca0df0720f77b576f8c197a5033f5cefec5bc8a2ddd9da021ff389d8991e1822abbe9efe60204094c252195f6a4c898ce4f4ee0ef726bd0fcfe7741749bd9cc1cbbec83cc133743d4c746c2736da2452bfeaea1d031f10719f33fa4ef3b8878951b2b70cead75a608d883968a17cd04f19eb3a58e5d55e01790658248a0a26404131a070d3b3c9cb4a1d9d98eadc392199300fbf5ee472296e36dccef2e796b9b51e6693767d40336875ab62c41231ea9fb90bcad4df203b4459abb8d0e402de474cd802e2bfbc01d3b2d55f96b44ceec56ad6c4f3809cfa30b102bc5edc1607c613734571e1dbdb13ace896d1931a53fc9088ead61d78bc30fe78d
c1 = 0x5b4331a4de52d57c7ff77ae03a75b96629c76509d0fd003c27966ca0bd8a7e1a835eee6fe9b02afe78507b43e9efdb9c13f7cbdacd5d18d45ca98ab5538fbf6500a9b314e7e260bab673ae8a38c41b056bea895953ad7257cf30b9a1ba598a1ef01b251964feb2a63e09d8b699a14f1bf3d464809dab3c514fe7c6f59be9c434a694215ebafe547035323f90a661b9c5c73208ef0cbc21c0e9abbdaa65cc4bbaf8c2c47841aefcabd89bbaa3a6f2a9df6d3d8a0eedbec7c28c94fb369b426449b7d6ec5daed4d07df92d057e02cacbfdda0c94afce396dda307c8cc6ecd51c084fa2cfe3a31edde97018ba0de31b8cdeabe34f51ceebdf8834340605d5d71279
n2 = 0x878717447ff85bff1c360384309b5731edffd0ade56117d3b8b72b2ab9296633437e3f5fb09c57e8658c1dc1de5d7a9ba003923d3e9d8e124afe71c6fd0c9985988961198c5c21ed46dfad45399ec9d4c6a6a0ca793e5c721333db2ceed863bc919544024a2a630e9788e9f5afadbd3a291bbda804ed70c6e9b9a599cb3a4d14ed9325000c19d988a79af2e44ff1e14766a0465837125107a9c2cf7a76980d6f86aaf9f926ea0e46d641d3478112de0824bf9c5e726a7d5b7c92cbc1906d3d778e9a612290e043e2b3afd4f0a806254640772fd25980b009b4136d685e52725482ac61e1b679d13eb0d2b06df080fffc677a1b9afbcf327fba6a3ed8fbc7e22d
e2 = 0x837ebb33e9bbb4a5662d484099db6a435c68d630acdfe317aed1a089fcb9deb4df3c328a36c8f1f14045374e8cd4a75e6480bc04489fbf86a1d324b6c2c31ce11dd50d6cb75f9be5b01d2b756aac22f3c7c17f42b47b9bba52575912faa482214158c935ea1d943d62f2a5242c00771a983b1428edbefbe43b8bcad116e6a110ebc3305f622fe131596889450b16a69b8567086939f7f4766f3cb93c1cc63c0ee1f6b2a4ce0de084b760e1f7dd3d5542a4f958969f0b17f5268eddb78b68d3348ef0e6be831c3846325985170f06ad25f5af5a04ada0f2aa3c93ad8c940966248698e72d6f029b0af9af91634aae13319faf985ce77ec4c35b416a8100050c7d
c2 = 0x26049d5d64a85ad3e89d7933a0d296651d566d71314485d2c4c74e8fa462f0c95d43daca9bbbc2557efd7441286e5de65b6067f9df6eb6b9ece0439f7ce7b0ee5e97607b3de1f7e591461469482975e9e2161e5ef1664b44d994c2d294884e0ddaab5c19a1a292d057dc517c9b4cb2dbdcfdbab02972cfd0a7d00f34320c4bc887ea2531ecf188e50e0f33995770b54affe30ebbce85bff955aa66c8e28e5708b0f3d3f52f07dbe5bf155968a65deb94f877ae7904b3dbc848e29d465452a07c373799a30452985e5b9933a57ca2d5227c40fed42e9537435c9f3221749db451c3861bbf57a4901f81d6794d0ad10ba882e8ba99e320cb12edd0b8c7194ded33
n3 = 0xd0a6712277676e497a6c09871e09ca7e87a0a09cc9c7a402ff12617eb2da499651724c4bfc4bdee713062c93ac852d627954cd59ed95b97d4ace621d8b86b867b9ff4b58c45c83f51fb4dcb12a15eaba0bf7370c29b1178a1bee585c4263ac7c1f0846bf4b5d2e8be1ec7bbaa023a8439deaaeeebd04d1188692a2223820c447606662e27af3f1fc45332dcea5214b05946d65e73bc8e9a17dc5093a2b0241b5166e6310e9bd0e1a20f9a5cb0f1925ba00b71bff78b058a167ee5dcadf428e1d3e4c077710dc073025a7813160fe825c8e3c81ef5e5070226b5d89a1ce86e91b3ce7cf3b5d590fa467a8defb2f96083291a74996dff53dfc44883a6a1c2e4651
e3 = 0x25b452f7ef6177efeb93d117aa856ca788713ff813af2f577246ed3a0a8cf244032197abd38c42677a0b7a3693108207b71ac7c934cc96d8cfafbe27e1a3ecda72796f0c09d9308e14f62be5bd913bb28afb6f92dc7a362e871d0f8667b9f44ffa2bcd240c554da99fe159599d68a9f7c4aa869b44edb382315b3ffb75bd2b12ba60f7ac667551756d13cb88e2be3f9959ab99fc4a063b8b53d208950f6db139d486f5f7351fa75010ad5177c07e4b2226298678518dd5145be36d4901c69949800f5e63be0b9fd7297eb204d76fd8c87217ea30a5495add4b5d901caabc929ee72de78d6ed3ae760c985ff58703f46046352d17926db6bcd57839c0a3ca9cfd
c3 = 0x874354398f60a93239229e47157f12c2c5b34886cacfe9b236ec545a5dc503c9e5cd38552eeb024d7562fed842368bde2e1744b222aa5f857684de402924a1b493c715a679ad17ab2251c1ad8e92fa83f45c4fb33154e09de088704acd4f14a4d3f8099aba4e2e2a4bc3baf35f32485ca67de3338cf0fd2276af6eb35751b0378709cb2aaff033146bc5d2f94fde12cb2286173af2f582b1841db9fb136667f2f90aca690f6041ad84380ecb86b443949d05bee5a08305b26f3efd53d0ae6e2e9cae6c4b4c36b2ae7d826117512e4c1d12dcce75b35d55b737970e3dc809c04b5aa309583e6a9650bd58415805be3c8175bf9546b24c8ce833a402f9b5d2ef35
nl=[n1,n2,n3]
el=[e1,e2,e3]
cl=[c1,c2,c3]
N=max(n1,n2,n3)
k=3
a=0.375
b=sqrt(5)*N^(a-1/2)
c=int(3^(k+1)*2^((k+1)*(k-4)/4)*b^(-k-1))
L=Matrix(ZZ,[[1,int(-c*e1/(n1+1)),int(-c*e2/(n2+1)),int(-c*e3/(n3+1))],[0,c,0,0],[0,0,c,0],[0,0,0,c]])
t=L.LLL()[0]
v=t*L^(-1)
x,y1,y2,y3=-v
y=[y1,y2,y3]
s=[]
for i in range(3):
    ss=int(nl[i]+1-el[i]*x/y[i])
    s.append(ss)
p_high=[]
for i in range(3):
    pp=int((s[i]+sqrt(s[i]^2-4*n[i]))/2)
    p_high.append(pp)
def copper(p_,n):
    PR.<x>=PolynomialRing(Zmod(n))
    f=p_+x
    _p=int(f.small_roots(X=2^400,beta=0.4)[0])
    p=p_+_p
    return p
for i in range(3):
    p=copper(p_high[i],nl[i])
    q=nl[i]//p
    phi=(p-1)*(q-1)
    e=el[i]
    d=gmpy2.invert(e,phi)
    m=pow(cl[i],d,nl[i])
    print(m)