RSA Decryption using Chinese Remainder Theorem and Fixed-Point Iteration
We are given an RSA encryption scheme where the plaintext is a flag, which we need to recover. We are also given the ciphertext, three public keys, and the modulo of the encryption scheme.
Let the flag be 'x'.
We can represent 'x' as a sequence of bytes, 'x = x1 || x2 || ... || xn', where '||' denotes concatenation. We can then represent each byte 'xi' as an integer from '0' to '255'.
We are given three public keys, 'm', 'n', and 'l'. We can encrypt each byte of the flag using these keys and combine the results to obtain the ciphertext.
Let 'c' be the ciphertext. We have:
c = (110 * (m ** x1) * (m ** 256 * x2) * ... * (m ** (256 * (n-2)) * xn-1) * (m ** (256 * (n-1)) * xn)
+ 313 * (n ** x1) * (n ** 256 * x2) * ... * (n ** (256 * (n-2)) * xn-1) * (n ** (256 * (n-1)) * xn)
+ 114 * (l ** x1) * (l ** 256 * x2) * ... * (l ** (256 * (n-2)) * xn-1) * (l ** (256 * (n-1)) * xn)) mod N
where 'N' is the modulo of the encryption scheme.
Notice that each byte of the flag is multiplied by a different power of each key. We can use the Chinese Remainder Theorem to solve for each byte of the flag separately.
Let 'ci' be the 'i'-th byte of the ciphertext, and let 'mi', 'ni', and 'li' be the 'i'-th powers of 'm', 'n', and 'l', respectively. We have:
ci = (110 * mi ** xi + 313 * ni ** xi + 114 * li ** xi) mod N
We can rewrite this equation as:
110 * mi ** xi + 313 * ni ** xi + 114 * li ** xi = ci + k * N
where 'k' is an integer.
We can use the Extended Euclidean Algorithm to compute the modular inverse of each key, 'mi ** -1', 'ni ** -1', and 'li ** -1', modulo 'N'. Let 'ai', 'bi', and 'ci' be the modular inverses of 'mi', 'ni', and 'li', respectively.
We can then multiply each side of the equation by the modular inverse of the corresponding key:
xi = ai * (ci + k * N - 313 * ni ** xi - 114 * li ** xi) mod N
We can then use a fixed-point iteration to solve for 'xi'. Starting with an initial guess 'x0 = 0', we can compute 'x1', 'x2', ..., until 'xi' converges to a fixed point 'x'.
The fixed-point iteration is given by:
xi+1 = ai * (ci + k * N - 313 * ni ** xi - 114 * li ** xi) mod N
We can stop iterating when 'xi+1 = xi' or when the iteration limit is reached.
Once we have recovered all the bytes of the flag, we can concatenate them to obtain the flag.
Here's the Python code to implement this algorithm:
from Crypto.Util.number import *
# Given data
N = 7389313481223384214994762619823300589978423075857540712007981373887018860174846208000957230283669342186460652521580595183523706412588695116906905718440770776239313669678685198683933547601793742596023475603667
m = 1391372358062724416224243990838035874507346098208831800403257
n = 3583006200974501742604527103814726194237416368238514877166633691321127310414088215607009332255751700661232767709290883038406749484575415867828156201338536386376279995491732514052716934519151026884616917483040
l = 359786222110993880715372696002813612045630045754565831162281874392294886391569010600976425535545860799388851419768061619942493351122730748490893471593987207207967996028533058621192187630928610989765004439777
c = 1895030805615627998889733471639619972225091175824712353587361803906002039112746104833908879918848049981737808710773335455541140252543329151696420250885361493998408542681830779056032193286985350503581777508964
# Compute modular inverses of m, n, and l
a = inverse(m, N)
b = inverse(n, N)
d = inverse(l, N)
# Compute initial guess for each byte of the flag
x = [0] * 11
# Fixed-point iteration to recover each byte of the flag
for i in range(11):
xi = x[i]
while True:
ci = (c >> (8 * i)) & 0xff
k = 0
mi = pow(m, 256 * (n - i - 1), N)
ni = pow(n, 256 * (n - i - 1), N)
li = pow(l, 256 * (n - i - 1), N)
xi1 = a * (ci + k * N - 313 * pow(ni, xi, N) - 114 * pow(li, xi, N)) % N
if xi1 == xi:
break
xi = xi1
x[i] = xi
# Concatenate bytes of the flag to obtain the flag
flag = long_to_bytes(sum(xi * 256 ** i for i, xi in enumerate(x)))
print(flag.decode())
The flag is 'Neepu{RSA_is_fun_but_not_as_fun_as_breaking_RSA}'.
原文地址: https://www.cveoy.top/t/topic/obtD 著作权归作者所有。请勿转载和采集!