CTF Crypto RSA合集（新生赛难度）

食用简介

下面是本人新生赛时遇到的一些RSA密码题，题目名后大概写有类型便于查找
题目较多可以选择性食用

1.buuctf RSA

题目：在一次RSA密钥对生成中，假设p=473398607161，q=4511491，e=17，求解出d作为flag提交

import gmpy2
p,q,e=473398607161,4511491,17
d=int(gmpy2.invert(e,(p-1)*(q-1)))
print(d);
#flag{125631357777427553}

2.[SWPUCTF 2021 新生赛]crypto2 # 共模攻击

题目

flag  = '***************'
p = getPrime(512)
q = getPrime(512)
m = bytes_to_long(bytes(flag.encode()))
n = p*q
e1 = getPrime(32)
e2 = getPrime(32)
print()
c1 = pow(m,e1,n)
c2 = pow(m,e2,n)

脚本

from gmpy2 import *
from Crypto.Util.number import *
c1 = 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280
c2 = 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075
e1 = 3247473589
e2 = 3698409173
n = 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313
_ ,s1 ,s2 = gcdext(e1,e2)
m = pow(c1,s1,n) * pow(c2,s2,n) % n
print(long_to_bytes(m))
# NSSCTF{xxxxx******xxxxx}

3.[羊城杯 2021]Bigrsa #共享素数

题目

n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
e = 65537
m = bytes_to_long(flag)
r1 = pow(m, e, n1)
r2 = pow(r1, e, n2)

脚本

r2 = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264
n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
p = GCD(n1,n2)
q1 = 10169921435575123642561867469669552661717864247752251361375671837367086221354750692635829007786009042729357644276462913457660789233674358081650339142863821
q2 = 11300955505231233842374743324817494386700809291852528704864397779486924493760947925710590633254027339824598181322986060728301639209174112581120081509548753
e = 65537
phin1 = (q1-1)*(p-1)
phin2 = (q2-1)*(p-1)
d1 = inverse(e,phin1)
d2 = inverse(e,phin2)
r1 = pow(r2,d2,n2)
m = pow(r1,d1,n1)
print(long_to_bytes(m))

4.[鹤城杯 2021]Crazy_Rsa_Tech #低指数广播加密

题目

FLAG = bytes_to_long(pad(b"flag{??????}",64))
def init_key():p, q = getPrime(512), getPrime(512)n = p*qe = 9while(GCD((p-1)*(q-1),e)!=1):p, q = getPrime(512), getPrime(512)n = p*qd = inverse(e,(p-1)*(q-1))return n,e,d
n_list=list()
c_list=list()
for i in range(9):N,e,d=init_key()n_list.append(N)c=pow(FLAG,e,N)c_list.append(pow(FLAG,e,N))

解析

使用crt进行求解

from Crypto.Util.Padding import *
from sympy.ntheory.modular import crt
import gmpy2
e  = 9
ln = [...]
lc = [...]
m = crt(ln,lc)[0]
m = gmpy2.iroot(m,9)[0]
print(long_to_bytes(m))
# flag{H0w_Fun_13_HAstads_broadca5t_AtTack!}

5.[SWPUCTF 2021 新生赛]crypto1 #共模攻击 RSA 小明文

题目

flag  = '****************************'
flag = {"asfajgfbiagbwe"}
p = getPrime(2048)
q = getPrime(2048)
m1 = bytes_to_long(bytes(flag.encode()))e1*e2 = 3087
n = p*q
print()flag1 = pow(m1,e1,n)
flag2 = pow(m1,e2,n)
print('c1= '+str(flag1))
print('c2= '+str(flag2))
print('n= '+str(n))

脚本

from gmpy2 import *
from Crypto.Util.number import *c1 = ...
c2 = ...
n  = ...for e1 in range(1,3087):if 3087 % e1 == 0 :e2 = 3087 // e1s0, s1, s2 = gcdext(e1,e2)m_s0 = pow(c1,s1,n) * pow(c2,s2,n) % nm = long_to_bytes(iroot(m_s0,s0)[0])if m[0:6] == b'NSSCTF':print(m)
# flag = NSSCTF{d64dba66-b608-4255-b888-0b0f25c2f90e}

6.[SWPUCTF 2021 新生赛]crypto4 #素数分解

题目

p = getPrime(512)
q = next_prime(p)
m1 = bytes_to_long(bytes(flag.encode()))
e = 0x10001
n = p*qc = pow(m1,e,n)
print('c = '+str(c))
print('n = '+str(n))

解析

首先根据n可以大概知道p的范围，通过遍历小范围得到p,q

from gmpy2 import *
from Crypto.Util.number import *c = 10227915341268619536932290456122384969242151167487654201363877568935534996454863939953106193665663567559506242151019201314446286458150141991211233219320700112533775367958964780047682920839507351492644735811096995884754664899221842470772096509258104067131614630939533042322095150722344048082688772981180270243
n= 52147017298260357180329101776864095134806848020663558064141648200366079331962132411967917697877875277103045755972006084078559453777291403087575061382674872573336431876500128247133861957730154418461680506403680189755399752882558438393107151815794295272358955300914752523377417192504702798450787430403387076153
e = 0x10001
p = iroot(n,2)[0]-10000
while not isPrime(p) : p += 1
q = p + 2
while not isPrime(q) : q += 2
while p*q - n != 0 :p = qq += 2while not isPrime(q) : q += 2
phin = (q-1)*(p-1)
d = inverse(e,phin)
print(long_to_bytes(pow(c,d,n)))

7.[SWPUCTF 2021 新生赛]crypto5 # 小明文攻击

题目：

c= 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333
n= 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419

解析

由上面c较小可以推断出e较小，使用小明文攻击

from gmpy2 import *
from Crypto.Util.number import *
c = 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333
n = 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419
for i in range(2,10):if iroot(c,i)[1]== True:print(long_to_bytes(iroot(c,i)[0]))

8.RSA written by akram09[given by空白]

背景（一些没用的信息）

crazym@n_@rmy
The_Messager
496
A spy was recently caught, he was leaking important data. We could recover the data leaked as well as his machine.

题目

from Crypto.Util.number import bytes_to_long, getStrongPrime
from math import gcd
from flag import FLAG
from Crypto.Random import get_random_bytesdef encrypt(m):return pow(m,e,N)e = 65537
p = getStrongPrime(512)
q = getStrongPrime(512)# generate secure keys
result = 0
while (result !=1):p = getStrongPrime(512)q = getStrongPrime(512)result = gcd(e,(p-1)*(q-1))    N = p * qprint("N = " + str(N))
print("e = " + str(e))ct= []
for car in FLAG:ct.append(encrypt(car))
print("ct = "+str(ct))
N = ...
e = 65537
ct = [...] # len(ct) == 28 ,每个数已知

解析

由于flag都是可打印字符，并且N,e已知，建立每个可打印字符的c和m的映射表，通过ct查表得到flag

def enc(m):return pow(m,e,N)ls = []
for i in range(0x20,0x80):ls.append(enc(i))f = b''
for i in ct :f += long_to_bytes(ls.index(i)+0x20)
print(f.decode())
# flag = CyberErudites{RSA_1S_S1MPL3}

9.MoeCTF 2022 signin # e与phin不互素

题目

from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
print('p = ',p)
print('q = ',q)
n = p * q

解析

开始以为是一道水题，结果按正常思路来解出来m非常之离谱，后来看了一下e发现了事情的不对劲

那么回归到rsa本质，求解方程c=memodnc=m^emod\space nc=memod n

这道题里还有部分信息 e∣q−1,(e,p)=1e|q-1,(e,p)=1e∣q−1,(e,p)=1

有第一条方程有c1=memodpc_1=m^emod\space pc1=memod p
c1=c%pc_1=c \% pc1=c%p

那么令ed=1modp−1ed=1\space mod\space p-1ed=1 mod p−1

所以 c1d=mde=mk(p−1)+1=m∗(mp−1)k=mmodpc_1^d=m^{de}=m^{k(p-1)+1}=m*(m^{p-1})^k=m \space mod\space pc1d=mde=mk(p−1)+1=m∗(mp−1)k=m mod p

e = 65537
p = ...
q = ...
c = ...
n = p * q
c1 = c % p
d = inverse(e, p-1)
print(long_to_bytes(pow(c1,d,p)))

10.MoeCTF 2022 Ezfactor # 公共素数

首先题目给出了一个端口接入：nc polarnova.top 10001

并且给了一个py文件

from Crypto.Util.number import isPrime,getPrime,bytes_to_long
import socketserver
import random
import signal
from static_secret import flag,Pclass Task(socketserver.BaseRequestHandler):def _recvall(self):#These are just the server's transceiver functions and are not importantBUFF_SIZE = 2048data = b''while True:part = self.request.recv(BUFF_SIZE)data += partif len(part) < BUFF_SIZE:breakreturn data.strip()def send(self, msg, newline=True):#These are just the server's transceiver functions and are not importanttry:if newline:msg += b'\n'self.request.sendall(msg)except:passdef recv(self, prompt=b'[-] '):#These are just the server's transceiver functions and are not importantself.send(prompt, newline=False)return self._recvall()def Goldbach_proof_of_work(self,BITS):bigeven=str(random.randint(1<<BITS,1<<(BITS+1))<<1)self.send(f"[+] I have two prime number A,B s.t. A>=B and A+B == {bigeven}".encode())p = int(self.recv(prompt=b'[+] Plz tell me A=').decode())q = int(self.recv(prompt=b'[+] Plz tell me B=').decode())if not (isPrime(p) and isPrime(q) and p+q==int(bigeven) and p>=q):return Falsereturn Truedef handle(self):#mainsignal.alarm(120)if not self.Goldbach_proof_of_work(100):self.send(b'[!] Wrong! Try again!')returnQ=getPrime(2048)N=P*Qe=0x10001m=pow(bytes_to_long(flag),e,N)self.send(b"[+] Good job! Here's the encrypted flag for you:")self.send(f"m={hex(m)}".encode())self.send(f"N={hex(N)}".encode())self.send(b"[+] Have a Nice Day~ Bye!")        class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):passclass ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):passif __name__ == "__main__":HOST, PORT = '0.0.0.0', 10001server = ForkedServer((HOST, PORT), Task)server.allow_reuse_address = Trueprint(HOST, PORT)server.serve_forever()

接入nc后，屏幕输出如下信息

n = ...
b = 3
a = n - b
while not isPrime(a) or not isPrime(b):b += 2a -= 2

直接用上述脚本得到a,b后输入，会得到N，C（在题目里是m）的信息

注意到每次P，均不改变，故可以通过两组数据求出p，进而求出flag

e = 65537
c1 = ...
N1 = ...
N2 = ...
p = GCD(N1,N2)
q1 = N1 // p
phin1 = (q1-1) * (p-1)
d =inverse(e,phin1)
m = pow(c1,d,N1)
print(long_to_bytes(m))
# flag = moectf{1t5_d4nger0us_t0_u5e_the_same_P_repeated1y}

11.MoeCTF 2022 一次就好 #RSA + 一点点异或

题目

from Crypto.Util.strxor import strxor
from gmpy2 import powmod,next_prime
from FLAG import flag
import codecsc = b'Just once,I will accompany you to see the world'
flag = flag.ljust(len(c),'#')
key = strxor(flag.encode(), c)
m = bytes_to_long(key)p = getPrime(512)
q = next_prime(p)
N = p*q
e = 0x10001gift = powmod(m, e, N)print(gift)
print(N)

解析

p，q相近，直接从iroot（N，2） - 1000开始遍历得到p，q

p = iroot(N,2)[0]-1000
while not isPrime(p):p += 1
q = p + 2
while not isPrime(q):q += 2
while not N == p * q: p = qq += 2while not isPrime(q):q += 2

随后得到key

phin = (q-1)*(p-1)
d = inverse(e,phin)
key = long_to_bytes(pow(gift,d,N))

最后再重新和c做异或得到flag

c = b'Just once,I will accompany you to see the world'
flag = strxor(key,c)
print(flag)
# moectf{W0w_y02_k5ow_w6at_1s_one_t1m3_pa7}

12.SWPU NSS新生赛 #小e

题目

from gmpy2 import invert
from Crypto.Util.number import getPrime, bytes_to_longe = 3
p = getPrime(1024)
q = getPrime(1024)
n = p * q
phiN = (p - 1) * (q - 1)
d = invert(e, phiN)
m = bytes_to_long(f.encode())
c = pow(m, e, n)
print("c=" + str(c))
# c = 128198926274489803523728445192921664
# flag = NSSCTF{c}

解析

# 直接对c开3次方得到m，再转化为flag
print('NSSCTF{' + long_to_bytes(iroot(c,3)[0]).decode() + '}')
# NSSCTF{ufind}

13.MoeCTF 2022 0rsa0 # （dp，e） # 小e

题目

from Crypto.Util.number import *
from gmpy2 import *
from flag import flagassert flag[0:7] == b'moectf{'
assert flag[-1:] == b'}'
flag = flag[7:-1]
assert len(flag) == 32m1 = bytes_to_long(flag[0:16])
m2 = bytes_to_long(flag[16:32])def enc1(m):p = getPrime(512)q = getPrime(512)n = p * qe = 3c = pow(m,e,n)return n,e,cdef enc2(m):p = getPrime(512)q = getPrime(512)e = 65537d = inverse(e,(p-1)*(q-1))n = p * q dp2 = d % (p-1)c = pow(m,e,n)return n,e,c,dp2n1,e1,c1 = enc1(m1)
n2,e2,c2,dp2 = enc2(m2)

解析

对于第一部分没啥好说的，直接对c开3次方得到m

对第二部分给出数学证明

初始条件：de=k1(p−1)(q−1)+1de=k_1(p-1)(q-1)+1de=k1(p−1)(q−1)+1 d=dp+k2(p−1)d=dp + k_2(p-1)d=dp+k2(p−1)

由上面两个式子(dp+k2(p−1))e=k1(p−1)(q−1)+1(dp + k_2(p-1))e=k_1(p-1)(q-1)+1(dp+k2(p−1))e=k1(p−1)(q−1)+1

也就是dp∗e−1=(p−1)(k1q−k1−k2e)dp*e - 1=(p-1)(k_1q-k_1-k_2e)dp∗e−1=(p−1)(k1q−k1−k2e)

而(p−1)(k1q−k1−k2e)=dp∗e−1<dp∗e<e(p−1)(p-1)(k_1q-k_1-k_2e) = dp*e - 1 <dp*e<e(p-1)(p−1)(k1q−k1−k2e)=dp∗e−1<dp∗e<e(p−1)

所以x=k1q−k1−k2e<ex=k_1q-k_1-k_2e< ex=k1q−k1−k2e<e

下面遍历x，即可以求得p-1

n1 = ...
e1 = 3
c1 = ...
m1 = iroot(c1,3)[0]
print(long_to_bytes(m1).decode(),end = '')n2  = ...
e2  = 65537
c2  = ...
dp  = ...x = e2 * dp -1
for i in range(1,65537):if x % i == 0 and n2 % (x//i+1) == 0:p = x//i+1break
q = n2 // p
phin = (q-1) * (p-1)
d2 = inverse(e2,phin)
print(long_to_bytes(pow(c2,d2,n2)).decode())# flag = moectf{T8uus_23jkjw_asr_3d32awd!5f&#@sd}

14.RSA #mathrsa

题目

h1=pow(2022*p+2021*q,1919,n)
h2=pow(2021*p+2022*q,9191,n)h1= 19833006575946524719734860655749897430996716214854394509141793247441984552312739336381544289582229635878374784700514176796213750612984375503829452046348964006439625639785195474405122597025617599221157530254436486974871377392676992323755343878688847757228158418367972796322888087679510158602115909469127347957
h2= 378159845999796834634733071282164226106157352305256240743272369823494751498623553741505441796796443917116119081291965129497888764190805349441925445430537324353522456188379487696261868115910126449034886690427415157731129446078773313894708979653146866399561144315206855955530175618287769228046620963527788560
n= 158550239307415787021878774489377164050114410895105185247274761267160101545614028597132371832991677739527541309280403555771841774190734937896655446167967980689195771471687662408939825136088663689784942499571220603957810368350239002179694427220081250797856136392928072791055227654777410808147665490868501507691
c= 103238050292230884025920137599978857103105694782271079198661186238549867271058376235577031392047974779108541567353073352817487194360852820072328699700529958482415374729517555184019284715904738456104746136537894442761330379427579392020949939832030655424272177519828410073606273099843302308920223719486267150794
e = 65537

解析

由题目有h1=(2022p+2021q)1919modnh_1=(2022p+2021q)^{1919}\space modnh1=(2022p+2021q)1919 modn h2=(2021p+2022q)9191modnh_2=(2021p+2022q)^{9191}\space modnh2=(2021p+2022q)9191 modn

即h1=(2022p)1919+(2021q)1919modnh_1=(2022p)^{1919}+(2021q)^{1919}\space modnh1=(2022p)1919+(2021q)1919 modn h2=(2021p)9191+(2022q)9191modnh_2=(2021p)^{9191}+(2022q)^{9191}\space modnh2=(2021p)9191+(2022q)9191 modn

另h191=(2022p)19∗101∗91+(2021q)19∗101∗91modnh_1^{91}=(2022p)^{19*101*91}+(2021q)^{19*101*91}\space modnh191=(2022p)19∗101∗91+(2021q)19∗101∗91 modn h219=(2021p)91∗101∗19+(2022q)91∗101∗19modnh_2^{19}=(2021p)^{91*101*19}+(2022q)^{91*101*19}\space modnh219=(2021p)91∗101∗19+(2022q)91∗101∗19 modn

设K=91∗101∗19K=91*101*19K=91∗101∗19

h191=(2022p)K+(2021q)Kmodnh_1^{91}=(2022p)^{K}+(2021q)^{K}\space modnh191=(2022p)K+(2021q)K modn

h219=(2021p)K+(2022q)Kmodnh_2^{19}=(2021p)^{K}+(2022q)^{K}\space modnh219=(2021p)K+(2022q)K modn

则h191∗2021K=(2021∗2022)K∗pK+20212K∗qKmodnh_1^{91}*2021^K=(2021*2022)^{K}*p^{K}+2021^{2K}*q^{K}\space modnh191∗2021K=(2021∗2022)K∗pK+20212K∗qK modn h219∗2022K=(2021∗2022)K∗pK+20222K∗qKmodnh_2^{19}*2022^K=(2021*2022)^{K}*p^{K}+2022^{2K}*q^{K}\space modnh219∗2022K=(2021∗2022)K∗pK+20222K∗qK modn

则有

(h191∗2021K−h219∗2022K)∗(20212K−20222K)−1=h3=qKmodn(h_1^{91}*2021^K-h_2^{19}*2022^K)*(2021^{2K}-2022^{2K})^{-1}=h_3=q^{K}\space modn(h191∗2021K−h219∗2022K)∗(20212K−20222K)−1=h3=qK modn

(h191∗2022K−h219∗2021K)∗(20222K−20212K)−1=h4=pKmodn(h_1^{91}*2022^K-h_2^{19}*2021^K)*(2022^{2K}-2021^{2K})^{-1}=h_4=p^{K}\space modn(h191∗2022K−h219∗2021K)∗(20222K−20212K)−1=h4=pK modn

所以，q=gcd(n,h3)q=gcd(n,h_3)q=gcd(n,h3)，p=gcd(n,h4)p=gcd(n,h_4)p=gcd(n,h4)

from Crypto.Util.number import *
h1= 19833006575946524719734860655749897430996716214854394509141793247441984552312739336381544289582229635878374784700514176796213750612984375503829452046348964006439625639785195474405122597025617599221157530254436486974871377392676992323755343878688847757228158418367972796322888087679510158602115909469127347957
h2= 378159845999796834634733071282164226106157352305256240743272369823494751498623553741505441796796443917116119081291965129497888764190805349441925445430537324353522456188379487696261868115910126449034886690427415157731129446078773313894708979653146866399561144315206855955530175618287769228046620963527788560
n= 158550239307415787021878774489377164050114410895105185247274761267160101545614028597132371832991677739527541309280403555771841774190734937896655446167967980689195771471687662408939825136088663689784942499571220603957810368350239002179694427220081250797856136392928072791055227654777410808147665490868501507691
c= 103238050292230884025920137599978857103105694782271079198661186238549867271058376235577031392047974779108541567353073352817487194360852820072328699700529958482415374729517555184019284715904738456104746136537894442761330379427579392020949939832030655424272177519828410073606273099843302308920223719486267150794
e = 65537
k = 19 * 101 * 91
h5 = pow(h1,91,n)*pow(2021,k,n)-pow(h2,19,n)*pow(2022,k,n)
h6 = pow(h1,91,n)*pow(2022,k,n)-pow(h2,19,n)*pow(2021,k,n)
k1 = inverse(pow(2021,2*k,n)-pow(2022,2*k,n), n)
k2 = inverse(pow(2022,2*k,n)-pow(2021,2*k,n), n)
h3 = h5 * k1 % n
h4 = h6 * k2 % n
q = GCD(h3, n)
p = GCD(h4, n)
phi = (p-1) * (q-1)
d = inverse(e, phi)
m = pow(c,d,n)
print(bytes.fromhex(hex(m)[2:]))
# flag{882163a5-9ed0-47e5-b386-6637f62cb005}

15.rasrsa

题目

Math is cool! Use the RSA algorithm to decode the secret message, c, p, q, and e are parameters for the RSA algorithm.p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e =  65537
c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034Use RSA to find the secret message

题目有亿点点简单

from Crypto.Util.number import *
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
n = q*p
e = 65537
c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
phi = (p-1) * (q-1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)).decode())
# flag{5577446633554466577768879988}

16.BUUCTF # rsa2(e,n,dp,c)

首先由题目已知dp=dmodp−1dp=d modp-1dp=dmodp−1可以得到e∗dp=demodp−1e*dp=de mod p-1e∗dp=demodp−1
又考虑到de=1mod(p−1)(q−1)de=1 mod(p-1)(q-1)de=1mod(p−1)(q−1)
即de=1modp−1de=1 modp-1de=1modp−1
所以p−1∣e∗dp−1p-1|e*dp-1p−1∣e∗dp−1

下一步用yafu分解e*dp-1，得到ls，最后通过筛选ls的因子+1 得到pA

from Crypto.Util.number import *
from functools import reduce
e = 65537
n = 248254007851526241177721526698901802985832766176221609612258877371620580060433101538328030305219918697643619814200930679612109885533801335348445023751670478437073055544724280684733298051599167660303645183146161497485358633681492129668802402065797789905550489547645118787266601929429724133167768465309665906113
dp = 905074498052346904643025132879518330691925174573054004621877253318682675055421970943552016695528560364834446303196939207056642927148093290374440210503657
c = 140423670976252696807533673586209400575664282100684119784203527124521188996403826597436883766041879067494280957410201958935737360380801845453829293997433414188838725751796261702622028587211560353362847191060306578510511380965162133472698713063592621028959167072781482562673683090590521214218071160287665180751
# e*dp-1 = 59315867378856659089589938133524992838556700165994240300903969550746506475107189709727568518174855260630155107372617804812871207516504589971269688075778168808
# 2 4 8 ls[] len(ls) = 8
ls=[2,2,2,3,59,61,151,367,789129589052842241,41474649656673896980319,378620157247671136189892147784463855572144373204226980628812338811781197098372249535566403370486867830108231]
prod = lambda a,b:a*bdef f(p):q = n//passert(q*p == n)phin = p*q-p-q+1d = inverse(e,phin)print(bytes.fromhex(hex(pow(c,d,n))[2:]))for i in range(1<<len(ls)):if i == 0:continuefac = reduce(prod,[ls[j] for j in range(len(ls)) if bin(i)[2:].zfill(len(ls))[j] == '1'])if n%(fac+1)==0 :f(fac+1)break

17.BUUCTF RASROLL

题目比较简单，主要是学习文件读写

from Crypto.Util.number import *
n=920139713
e=19
p=49891
q=18443
# 用yafu将n分解
phi=(p-1)*(q-1)
d=inverse(e,phi)data = open("C:\\Users\\zhn\\Desktop\\data.txt").read().strip().split('\n')[2:]
data = list(map(int,data))
for i in range(len(data)):print(chr(pow(data[i],d,n)),end='')

最后得到flag

# flag{13212je2ue28fy71w8u87y31r78eu1e2}

18.BUUCTF # RSA1(p,q,dp,dq,c)

题目

p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852

解析

cd=cdp=mmodpcd=cdq=mmodq则cd=m1+k1p=m2+k2qm1−m2=k2q−k1p=k2qmodp记i=invp(q)则（m1−m2)i=k2modp回带得到cd(1)\begin{matrix} c^d=c^{dp}=m\space mod p \\ c^d=c^{dq}=m\space mod q \\ 则c^d=m_1+k_1p=m_2+k_2q\\ m_1-m_2=k_2q-k_1p=k_2q\space mod p\\ 记i=inv_p(q)\\ 则（m_1-m_2)i=k_2\space mod p\\ 回带得到c^d \\ \end{matrix} \tag{1} cd=cdp=m modpcd=cdq=m modq则cd=m1+k1p=m2+k2qm1−m2=k2q−k1p=k2q modp记i=invp(q)则（m1−m2)i=k2 modp回带得到cd(1)

from Crypto.Util.number import *
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
n = q*p
m1 = pow(c,dp,p)
m2 = pow(c,dq,q)
i = inverse(q,p)
m = (i*(m1-m2)%p)*q+m2
print(long_to_bytes(m))

# 最后得到flag noxCTF{W31c0m3_70_Ch1n470wn}

19.[NCTF2019]childRSA

题目

from random import choice
from Crypto.Util.number import isPrime, sieve_base as primes
from flag import flagdef getPrime(bits):while True:n = 2while n.bit_length() < bits:n *= choice(primes)if isPrime(n + 1):return n + 1e = 0x10001
m = int.from_bytes(flag.encode(), 'big')
p, q = [getPrime(2048) for _ in range(2)]
n = p * q
c = pow(m, e, n)# n = ...
# c = ...

解析

1.使用yafu解出p,q

2.求d

3.求m

4.将m转化为bytes格式输出

from Crypto.Util.number import *
e = 65537
p = 178449493212694205742332078583256205058672290603652616240227340638730811945224947826121772642204629335108873832781921390308501763661154638696935732709724016546955977529088135995838497476350749621442719690722226913635772410880516639651363626821442456779009699333452616953193799328647446968707045304702547915799734431818800374360377292309248361548868909066895474518333089446581763425755389837072166970684877011663234978631869703859541876049132713490090720408351108387971577438951727337962368478059295446047962510687695047494480605473377173021467764495541590394732685140829152761532035790187269724703444386838656193674253139
q = 184084121540115307597161367011014142898823526027674354555037785878481711602257307508985022577801782788769786800015984410443717799994642236194840684557538917849420967360121509675348296203886340264385224150964642958965438801864306187503790100281099130863977710204660546799128755418521327290719635075221585824217487386227004673527292281536221958961760681032293340099395863194031788435142296085219594866635192464353365034089592414809332183882423461536123972873871477755949082223830049594561329457349537703926325152949582123419049073013144325689632055433283354999265193117288252918515308767016885678802217366700376654365502867
n = 32849718197337581823002243717057659218502519004386996660885100592872201948834155543125924395614928962750579667346279456710633774501407292473006312537723894221717638059058796679686953564471994009285384798450493756900459225040360430847240975678450171551048783818642467506711424027848778367427338647282428667393241157151675410661015044633282064056800913282016363415202171926089293431012379261585078566301060173689328363696699811123592090204578098276704877408688525618732848817623879899628629300385790344366046641825507767709276622692835393219811283244303899850483748651722336996164724553364097066493953127153066970594638491950199605713033004684970381605908909693802373826516622872100822213645899846325022476318425889580091613323747640467299866189070780620292627043349618839126919699862580579994887507733838561768581933029077488033326056066378869170169389819542928899483936705521710423905128732013121538495096959944889076705471928490092476616709838980562233255542325528398956185421193665359897664110835645928646616337700617883946369110702443135980068553511927115723157704586595844927607636003501038871748639417378062348085980873502535098755568810971926925447913858894180171498580131088992227637341857123607600275137768132347158657063692388249513
phi = (p-1)*(q-1)
d = inverse(e, phi)
c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108
m = pow(c, d, n)print(bytes.fromhex(hex(m)[2:]))
print(long_to_bytes(m))
from binascii import *
print(unhexlify(hex(m)[2:]))

注意上述转换的三种方式

print(bytes.fromhex(hex(m)[2:]))
print(long_to_bytes(m)) # Crypto.Util.number
print(unhexlify(hex(m)[2:])) # binascii

ps:inverse函数返回类型为int

gmpy2.insert()返回类型为mpz

最后输出flag

b'NCTF{Th3r3_ar3_1ns3cure_RSA_m0duli_7hat_at_f1rst_gl4nce_appe4r_t0_be_s3cur3}'

20.[BJDCTF 2020]EasyRSA #解方程得到p,q

题目

# 已知c z n
p=getPrime(1024)
q=getPrime(1024)
e=65537
n=p*q
z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))
m=bytes_to_long(flag)
c=pow(m,e,n)

解析

主要读懂这句话的函数z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))

Fraction 表示分母 arctan 表示反正切
Derivative表示求导 arth 表示反双曲
$z=1+p^2-(1-q2)=p^2+q2 $
随后就可以解出p,q

from Crypto.Util.number import long_to_bytes,inverse
from gmpy2 import *
c = 7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
z = 32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
n = 15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
e = 65537
# a = p + q  b = p - q
a = iroot(z+2*n,2)[0]
b = iroot(z-2*n,2)[0]
p = (a + b) // 2
q = a - p
print(long_to_bytes(pow(c,inverse(e,p*q-p-q+1),n)))

21.[BJDCTF 2020]rsa # 未知e

题目

重新设了一下变量

from Crypto.Util.number import getPrime,bytes_to_longq=getPrime(1024)
p1=getPrime(1024)
# e<100000
n1 = p1*q
m1 = bytes_to_long(flag)
c1 = pow(m1,e,n1)
k = pow(294,e,n1)p2 = getPrime(1024)
n2 = p2*q
m2 = bytes_to_long("BJD"*32)
c2 = pow(m2,e,n2)'''
output:
c1 = 1264...
n1 = 1350...
k = 3816...
c2 = 9791...
n2 = 1280...
'''

解析

1.首先可以得到q=GCD(n1,n2)

2.爆破得到e的值

from Crypto.Util.number import *
c1=12641635617803746150332232646354596292707861480200207537199141183624438303757120570096741248020236666965755798009656547738616399025300123043766255518596149348930444599820675230046423373053051631932557230849083426859490183732303751744004874183062594856870318614289991675980063548316499486908923209627563871554875612702079100567018698992935818206109087568166097392314105717555482926141030505639571708876213167112187962584484065321545727594135175369233925922507794999607323536976824183162923385005669930403448853465141405846835919842908469787547341752365471892495204307644586161393228776042015534147913888338316244169120
n1=13508774104460209743306714034546704137247627344981133461801953479736017021401725818808462898375994767375627749494839671944543822403059978073813122441407612530658168942987820256786583006947001711749230193542370570950705530167921702835627122401475251039000775017381633900222474727396823708695063136246115652622259769634591309421761269548260984426148824641285010730983215377509255011298737827621611158032976420011662547854515610597955628898073569684158225678333474543920326532893446849808112837476684390030976472053905069855522297850688026960701186543428139843783907624317274796926248829543413464754127208843070331063037
k=381631268825806469518166370387352035475775677163615730759454343913563615970881967332407709901235637718936184198930226303761876517101208677107311006065728014220477966000620964056616058676999878976943319063836649085085377577273214792371548775204594097887078898598463892440141577974544939268247818937936607013100808169758675042264568547764031628431414727922168580998494695800403043312406643527637667466318473669542326169218665366423043579003388486634167642663495896607282155808331902351188500197960905672207046579647052764579411814305689137519860880916467272056778641442758940135016400808740387144508156358067955215018
c2=979153370552535153498477459720877329811204688208387543826122582132404214848454954722487086658061408795223805022202997613522014736983452121073860054851302343517756732701026667062765906277626879215457936330799698812755973057557620930172778859116538571207100424990838508255127616637334499680058645411786925302368790414768248611809358160197554369255458675450109457987698749584630551177577492043403656419968285163536823819817573531356497236154342689914525321673807925458651854768512396355389740863270148775362744448115581639629326362342160548500035000156097215446881251055505465713854173913142040976382500435185442521721
n2=12806210903061368369054309575159360374022344774547459345216907128193957592938071815865954073287532545947370671838372144806539753829484356064919357285623305209600680570975224639214396805124350862772159272362778768036844634760917612708721787320159318432456050806227784435091161119982613987303255995543165395426658059462110056431392517548717447898084915167661172362984251201688639469652283452307712821398857016487590794996544468826705600332208535201443322267298747117528882985955375246424812616478327182399461709978893464093245135530135430007842223389360212803439850867615121148050034887767584693608776323252233254261047q=GCD(n1,n2)for e in range(100000):if isPrime(e):if k==pow(294,e,n1):breakp1 = n1 // q
phin1 = (p1-1)*(q-1)
d1 = inverse(e, phin1)
print( long_to_bytes(pow(c1,d1,n1)) )

22.HNCTF AnyoneisOk # PKCS1_OAEP

题目

给你了100个msg，以及x.pem文件

解析

1.读取文件

2.尝试解密（判断广播？共模？低指数？最后发现是广播）

3.分解后得到两组(e,p,q,d,n)

4.根据对应的c发现解不出来flag

5.猜测是否是PKCS1_OAEP

6.调用 RSA ，PKCS1_OAEP最终得到flag

注意下面构建私钥的函数，本人找了好久才知道这个函数

from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
c,n,e = [],[],[]
for i in range(1,101):p1 = 'msg' + str(i)with open(p1,'br') as f1:tem= f1.read()c.append(tem)p2 = str(i) + '.pem'with open(p2 ,'br') as f2:key = RSA.import_key(f2.read())e.append(key.e) n.append(key.n)
e = 65537
p = GCD(n[21],n[42])
q1 = n[21]//p
q2 = n[42]//p
phin1 = (q1-1)*(p-1)
phin2 = (q2-1)*(p-1)
d1 = pow(e,-1,phin1)
d2 = pow(e,-1,phin2)key1 = RSA.construct((n[21], e, d1, p, q1))
key2 = RSA.construct((n[42], e, d2, p, q2))cipher1 = PKCS1_OAEP.new(key1)
cipher2 = PKCS1_OAEP.new(key2)
flag2 = cipher2.decrypt(c[42])

23.CryptoHack-Mathematics-Brainteasers Part 1-Modular Binomials

题目

Rearrange the following equations to get the primes p,q

N=pqN = pqN=pq
c1=(2p+3q)e1modNc_1 = (2p + 3q)^{e1} mod Nc1=(2p+3q)e1modN
c2=(5p+7q)e2modNc_2 = (5p + 7q)^{e2} mod Nc2=(5p+7q)e2modN

解析

按照二项式定理并消元可以得到 q∣X=(c1e2∗5e1e2−c2e1∗2e1e2)modNq|X=(c_1^{e_2}*5^{e_1e_2}-c_2^{e_1}*2^{e_1e_2})modNq∣X=(c1e2∗5e1e2−c2e1∗2e1e2)modN

所以q=gcd(N,X)q=gcd(N,X)q=gcd(N,X)

from Crypto.Util.number import *
N  = 14905562257842714057932724129575002825405393502650869767115942606408600343380327866258982402447992564988466588305174271674657844352454543958847568190372446723549627752274442789184236490768272313187410077124234699854724907039770193680822495470532218905083459730998003622926152590597710213127952141056029516116785229504645179830037937222022291571738973603920664929150436463632305664687903244972880062028301085749434688159905768052041207513149370212313943117665914802379158613359049957688563885391972151218676545972118494969247440489763431359679770422939441710783575668679693678435669541781490217731619224470152467768073
e1 = 12886657667389660800780796462970504910193928992888518978200029826975978624718627799215564700096007849924866627154987365059524315097631111242449314835868137
e2 = 12110586673991788415780355139635579057920926864887110308343229256046868242179445444897790171351302575188607117081580121488253540215781625598048021161675697
c1 = 14010729418703228234352465883041270611113735889838753433295478495763409056136734155612156934673988344882629541204985909650433819205298939877837314145082403528055884752079219150739849992921393509593620449489882380176216648401057401569934043087087362272303101549800941212057354903559653373299153430753882035233354304783275982332995766778499425529570008008029401325668301144188970480975565215953953985078281395545902102245755862663621187438677596628109967066418993851632543137353041712721919291521767262678140115188735994447949166616101182806820741928292882642234238450207472914232596747755261325098225968268926580993051
c2 = 14386997138637978860748278986945098648507142864584111124202580365103793165811666987664851210230009375267398957979494066880296418013345006977654742303441030008490816239306394492168516278328851513359596253775965916326353050138738183351643338294802012193721879700283088378587949921991198231956871429805847767716137817313612304833733918657887480468724409753522369325138502059408241232155633806496752350562284794715321835226991147547651155287812485862794935695241612676255374480132722940682140395725089329445356434489384831036205387293760789976615210310436732813848937666608611803196199865435145094486231635966885932646519
qq = (pow(c1,e2,N)*pow(5,e1*e2,N)-pow(c2,e1,N)*pow(2,e1*e2,N))%N
q = GCD(N,qq)
p = N//q

24.HNCTF week3 pnearq #p,q相邻

题目

已知n，c，p与q相邻，求m

解析

由p，q相邻，那么n**(1/2)则近似等于p，向下遍历求出p，进而不难求出m

from Crypto.Util.number import *
import gmpy2
n = 19421904767367129549329507820147867763064747101931314714173717122035977491291441314433180813343755107381230481007143328156292096871675328839756035726106037229325380698967544660649710464634698425387682458721466040894830503881966355435442651493212040443436714597490121865537266815247879839020846287255634123530517095030752832857842819836940083915495464712363169428825344678729929317207583197980607919720642725221740680718976635305544368542563503440076036727388062097647374046378854873864505267644315352602271587283702733779081805129429479541906613334092422428543951370065910195162721686773383508480268145903016615151713
c = 16430654037742749931837577925393394466626615745270895225352757745284038922799868617243616416116392338428121605256850230862894296244375242336599929497221079420665154174930054597666915358687410522457846003186806053368237783147731665147575913322026626738697036282908055611350347494310666532700194563684837580022875526378181343082801716942536163583090541294011987732281942148455345223347021675781368596340860151253774597168954881987520338304516390785094435356412111780768446904948045448510663589654475221029009283144829902553888829840193614048967712676048740814622290029846433107762872806981599110271586325156855299974310
x = gmpy2.iroot(n,2)[0]
while n%x !=0 :x -= 1
p = x
q = n//p
phin = (p-1)*(q-1)
e = 65537
d = pow(e,-1,phin)
print(long_to_bytes(pow(c,d,n)))
# flag{when_PQ_is_near_Its_simple}