TODO: Pailier方案總結
題目分析
題目內容
*這道題是 Pailier加密方案,然而做題時我並不知道 …
解題思路
。
。
Exploit.py
#coding=utf-8
from gmpy2 import *
from Crypto.Util.number import long_to_bytes
p = 80006336965345725157774618059504992841841040207998249416678435780577798937819
q = 80006336965345725157774618059504992841841040207998249416678435780577798937447
n = 6401013954612445818165507289870580041358569258817613282142852881965884799988941535910939664068503367303343695466899335792545332690862283029809823423608093
c = 29088911054711509252215615231015162998042579425917914434962376243477176757448053722602422672251758332052330100944900171067962180230120924963561223495629695702541446456981441239486190458125750543542379899722558637306740763104274377031599875275807723323394379557227060332005571272240560453811389162371812183549
g = n + 1
# c = g^m * r^n (mod n^2) =>
# c mod n = g^m * r^n (mod n)
# And g (mod n) = 1, so g^m = 1 (mod n)
# We got r^n = c (mod n) , and find that (φ(n),n) = 1
φ = (p-1) * (q-1)
# Just solve r like RSA decryption
r = pow(c%n, invert(n, φ), n)
# convert equation to g^m = c*r^(-n) (mod n^2)
# g^m = (n+1)^m = mn + 1 (mod n^2)
# set a = c*r^(-n) - 1,
a = c * pow(invert(r,n*n), n, n*n) % (n*n) - 1
# We have mn = a (mod n^2)
# n|a , n|mn , n|n^2 , So m = a/n (mod n) => m = a/n
m = a//n
flag = long_to_bytes(m)
if __name__ == '__main__':
# print(r)
# print(a)
# print((a-1) % n)
print(flag)