Baby_RSA

encrypt.py

from Crypto.Util.number import *
from secret import flag

modulus_list = [143786356117385195355522728814418684024129402954309769186869633376407480449846714776247533950484109173163811708549269029920405450237443197994941951104068001708682945191370596050916441792714228818475059839352105948003874426539429621408867171203559281132589926504992702401428910240117807627890055235377744541913L,
 73988726804584255779346831019194873108586184186524793132656027600961771331094234332693404730437468912329694216269372797532334390363774803642809945268154324370355113538927414351037561899998734391507272602074924837440885467211134022878597523920836541794820777951492188067045604789153534513271406458984968338509L,
 95666403279611361071535593067846981517930129087906362381453835849857496766736720885263927273295086034390557353492037703154353541274448884795437287235560639118986397838850340017834752502157881329960725771502503917735194236743345777337851076649842634506339513864285786698870866229339372558162315435127197444193L,
 119235191922699211973494433973985286182951917872084464216722572875998345005104112625024274855529546680909781406076412741844254205002739352725207590519921992295941563460138887173402493503653397592300336588721082590464192875253265214253650991510709511154297580284525736720396804660126786258245028204861220690641L]

e = [114194L, 130478L, 122694L, 79874L]
message = bytes_to_long(flag)
ciphertext = [pow(message, e[i], modulus_list[i]) for i in range(4)]
ciphertext = [long_to_bytes(ciphertext[i]) for i in range(4)]
ciphertext = [ciphertext[i].encode("hex") for i in range(4)]

obj1 = open("ciphertext.txt",'w')
obj1.write(str(ciphertext))

ciphertext.txt

['0c55bc89e3773d8e378121eced4f9300103a8696bc3f9a1542c5b1539442ca5de03a40ad564ab5c2e764b2f946058ec220abf20afc271896ff4ca1f4a2dd227405f221de51e097d6b9f270c4561cd25596e96efd7de1a0e65d37cbf6a73c62a7e323f48450b9dc75e3e738ec1c7e1ae9fc808da8c476e72aea9155125b815653', '67caf9720696b1d0d589f053bb00ebe42b7b26fed38acb4012d29ddc55cd53da8398f042f22987453bdfa2ee8fb35ff121f81e96137995a8ca4daa1fbd88af3fd29138853d5fe98f9b983f67d6fd2b7ff6650228479ca6cac1d49572d28f01a659892b0799ca8202031a1ab37656331470d3ea5f221cc948636c1027bb6dd10f', '65e1cffe93ebccd49a9d14c01b2583a5d5e3140bf38a768833aa494d2d879a2934dbc10a843ec834e9ade286824e68879cb09ac9bd67afd7318b74955e9aa66df5740e6dcc26ccc787f0b415bdc80c6468421c4d4ce615fa3d25350940c5004e9b480c86faebc31e809725a9a868c94e9f1eaac567b4672fe395a7b205775883', '23108bb7f35d12b69bbe5e649ff47fb802b68f22045c484805040a3f4f8669acde8b04daba71190154aef4be9a0eafdebe31b5f96e8b01b5085f502fc0e12a326cc4d867f5317ac12bf16607765d99708934c35c4b9404747f69988ea7d3f4d8022cdfd81ada3aedb22d110db4aa81038aa151c9a4dbb5651757dc092b70b84d']

Cozum:

soruda 4 farkli (N,e) public key cifti, sabit olan flagi sifreleyerek 4 farkli ciphertext olusturmus.

  1. ve 4. N(modulus) degerlerinin asal carpanlarina factordb’den ulasilabiliyor.
  2. (N,e) ciftini kullanicam.
    flage ulasmak icin d sayisini olusturmamiz gerek.
    normalde |d=(e^-1)%φ(n)|ed%φ(n)=1| esitliklerinden d sayisina ulasabilirdik.
    fakat burada φ(n) ve e aralarinda asal olmadigindan (EBOB==2)
    |d=((e/2)^-1)%φ(n)|e
    d%φ(n)=2| esitligini kullanarak flag^2 degerine ulasabiliyoruz.
    from Crypto.Util.number import *
    import gmpy2
    n=143786356117385195355522728814418684024129402954309769186869633376407480449846714776247533950484109  17316381170854926902992040545023744319799494195110406800170868294519137059605091644179271422881847505  98393521059480038744265394296214088671712035592811325899265049927024014289102401178076278900552353777  
    44541913L
    p=111960225180138464064502577636803075288614408406337123570210191209344103731804062179190669244744502  
    04377977943388931820832436504741695416094988192576484719L
    q=128426283428815957570404012930010100429807481441356932980421732938384128881898075944719623762195906  
    06232699559767631407513176187065045811465165682366505527L
    e=114194L
    cipher=0x0c55bc89e3773d8e378121eced4f9300103a8696bc3f9a1542c5b1539442ca5de03a40ad564ab5c2e764b2f94605  8ec220abf20afc271896ff4ca1f4a2dd227405f221de51e097d6b9f270c4561cd25596e96efd7de1a0e65d37cbf6a73c62a7e  
    323f48450b9dc75e3e738ec1c7e1ae9fc808da8c476e72aea9155125b815653
    phi=(p-1)*(q-1)
    d=inverse(e/2,phi)
    flag=gmpy2.isqrt(pow(cipher,d,n))
    print(long_to_bytes(flag))
    #flag{Congratzzz_y0u_kn0w_ext3nded_GCD_WOw!!}