其他分享
首页 > 其他分享> > 已知p的高位攻击

已知p的高位攻击

作者:互联网

##ctf.show

#easyrsa7

题目:

e = 0x10001
p>>128<<128 = 0xd1c520d9798f811e87f4ff406941958bab8fc24b19a32c3ad89b0b73258ed3541e9ca696fd98ce15255264c39ae8c6e8db5ee89993fa44459410d30a0a8af700ae3aee8a9a1d6094f8c757d3b79a8d1147e85be34fb260a970a52826c0a92b46cefb5dfaf2b5a31edf867f8d34d2222900000000000000000000000000000000
n = 0x79e0bf9b916e59286163a1006f8cefd4c1b080387a6ddb98a3f3984569a4ebb48b22ac36dff7c98e4ebb90ffdd9c07f53a20946f57634fb01f4489fcfc8e402865e152820f3e2989d4f0b5ef1fb366f212e238881ea1da017f754d7840fc38236edba144674464b661d36cdaf52d1e5e7c3c21770c5461a7c1bc2db712a61d992ebc407738fc095cd8b6b64e7e532187b11bf78a8d3ddf52da6f6a67c7e88bef5563cac1e5ce115f3282d5ff9db02278859f63049d1b934d918f46353fea1651d96b2ddd874ec8f1e4b9d487d8849896d1c21fb64029f0d6f47e560555b009b96bfd558228929a6cdf3fb6d47a956829fb1e638fcc1bdfad4ec2c3590dea1ed3
c = 0x1b2b4f9afed5fb5f9876757e959c183c2381ca73514b1918d2f123e386bebe9832835350f17ac439ac570c9b2738f924ef49afea02922981fad702012d69ea3a3c7d1fc8efc80e541ca2622d7741090b9ccd590906ac273ffcc66a7b8c0d48b7d62d6cd6dd4cd75747c55aac28f8be3249eb255d8750482ebf492692121ab4b27b275a0f69b15baef20bf812f3cbf581786128b51694331be76f80d6fb1314d8b280eaa16c767821b9c2ba05dfde5451feef22ac3cb3dfbc88bc1501765506f0c05045184292a75c475486b680f726f44ef8ddfe3c48f75bb03c8d44198ac70e6b7c885f53000654db22c8cee8eb4f65eaeea2da13887aaf53d8c254d2945691

1、我们观察看到“p>>128>>128"且p末尾是很多0,所以我们猜想这是Coppersmith攻击()

2、在sage环境(https://sagecell.sagemath.org/)中运行以下代码

from sage.all import *
n = 0x79e0bf9b916e59286163a1006f8cefd4c1b080387a6ddb98a3f3984569a4ebb48b22ac36dff7c98e4ebb90ffdd9c07f53a20946f57634fb01f4489fcfc8e402865e152820f3e2989d4f0b5ef1fb366f212e238881ea1da017f754d7840fc38236edba144674464b661d36cdaf52d1e5e7c3c21770c5461a7c1bc2db712a61d992ebc407738fc095cd8b6b64e7e532187b11bf78a8d3ddf52da6f6a67c7e88bef5563cac1e5ce115f3282d5ff9db02278859f63049d1b934d918f46353fea1651d96b2ddd874ec8f1e4b9d487d8849896d1c21fb64029f0d6f47e560555b009b96bfd558228929a6cdf3fb6d47a956829fb1e638fcc1bdfad4ec2c3590dea1ed3
p4 = 0xd1c520d9798f811e87f4ff406941958bab8fc24b19a32c3ad89b0b73258ed3541e9ca696fd98ce15255264c39ae8c6e8db5ee89993fa44459410d30a0a8af700ae3aee8a9a1d6094f8c757d3b79a8d1147e85be34fb260a970a52826c0a92b46cefb5dfaf2b5a31edf867f8d34d22229
#p4为p去除0的剩余位
e = 0x10001 pbits = 1024 kbits = pbits - p4.nbits() print(p4.nbits()) p4 = p4 << kbits PR.<x> = PolynomialRing(Zmod(n)) f = x + p4 roots = f.small_roots(X=2^kbits, beta=0.4) if roots: p = p4+int(roots[0]) print("n= "+str(n)) print("p= "+str(p)) print("q= "+str(n//p))

3、得到:

n= 15385662500833683624078569984373213422422207212280496601444231671573448637150116227706836878878073499171848761705319193774526502237353076168018030771746205464158669320919641325288612751372670181299665139997586553315310347588233406828542606020800241161051008288437407736979922757405068072731770582498252049192877898003964488874889716478031688573585352005147285581281920852472734014864246643866812388198283781144177102040492746134555811828205526783046568167440811490128574493943480402635123221242083843427421730093351014697575278810518905300063354048399554869181858023737364977648594835522202515445612655483110199795411
p= 147305526294483975294006704928271118039370615054437206404408410848858740256154476278591035455064149531353089038270283281541411458250950936656537283482331598521457077465891874559349872035197398406708610440618635013091489698011474611145014167945729411970665381793142591665313979405475889978830728651549052207969
q= 104447286451939566076017797038369998283019120860149982200602344749600436385708441695230995780714906769626731151644722579252428917819367256207463696691033967714073069435280785389775459281272218174741165454138432242201951151298026448827619971129737985262978620243577274864410816225725466321200461416855483876019

4、已知n、p、q、e即可得到m

import gmpy2 as gp
import binascii
n= 15385662500833683624078569984373213422422207212280496601444231671573448637150116227706836878878073499171848761705319193774526502237353076168018030771746205464158669320919641325288612751372670181299665139997586553315310347588233406828542606020800241161051008288437407736979922757405068072731770582498252049192877898003964488874889716478031688573585352005147285581281920852472734014864246643866812388198283781144177102040492746134555811828205526783046568167440811490128574493943480402635123221242083843427421730093351014697575278810518905300063354048399554869181858023737364977648594835522202515445612655483110199795411
p= 147305526294483975294006704928271118039370615054437206404408410848858740256154476278591035455064149531353089038270283281541411458250950936656537283482331598521457077465891874559349872035197398406708610440618635013091489698011474611145014167945729411970665381793142591665313979405475889978830728651549052207969
q= 104447286451939566076017797038369998283019120860149982200602344749600436385708441695230995780714906769626731151644722579252428917819367256207463696691033967714073069435280785389775459281272218174741165454138432242201951151298026448827619971129737985262978620243577274864410816225725466321200461416855483876019
e = 0x10001
n = p*q
c = 0x1b2b4f9afed5fb5f9876757e959c183c2381ca73514b1918d2f123e386bebe9832835350f17ac439ac570c9b2738f924ef49afea02922981fad702012d69ea3a3c7d1fc8efc80e541ca2622d7741090b9ccd590906ac273ffcc66a7b8c0d48b7d62d6cd6dd4cd75747c55aac28f8be3249eb255d8750482ebf492692121ab4b27b275a0f69b15baef20bf812f3cbf581786128b51694331be76f80d6fb1314d8b280eaa16c767821b9c2ba05dfde5451feef22ac3cb3dfbc88bc1501765506f0c05045184292a75c475486b680f726f44ef8ddfe3c48f75bb03c8d44198ac70e6b7c885f53000654db22c8cee8eb4f65eaeea2da13887aaf53d8c254d2945691
phi = (p-1)*(q-1)
d = gp.invert(e,phi)
m = pow(c,d,n)
print(m)
print(bytes.fromhex(hex(m)[2:]))

5、解得:flag{Kn0wn_Hi9h_Bit5}

标签:p4,高位,攻击,已知,print,import,128,roots,0x10001
来源: https://www.cnblogs.com/Clair-is-com/p/16210940.html