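[DASCTF 2020 April Spring Contest] not_RSA Write-up

TODO: summary of the Paillier scheme

Challenge analysis

Challenge description

*This challenge is the Paillier encryption scheme, but I did not know that when I solved it …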

Given $c$, $n = p \cdot q$, $g = n+1$. $0 < r < n$, with $r$ unknown. Find $m$.

The encryption process is:
$$c \equiv \left(g^m \bmod n^2\right) \cdot \left(r^n \bmod n^2\right) \equiv g^m r^n \pmod{n^2}$$

Solution approach

There are two unknowns, $r$ and $m$; consider solving for $r$ first. Since $0 < r < n$, it suffices to find $r \bmod n$.

Note that $g = n+1$ and $c \equiv g^m \cdot r^n \pmod{n^2}$.

From the binomial expansion of $g^m$, it is easy to see that $g^m \equiv 1 \pmod{n}$.

Therefore $r^n \equiv c \pmod{n}$. Solving this equation requires the factorization of $n$.

Use yafu to find $p, q$. Compute $\varphi(n) = (p-1)(q-1)$.

$(n, \varphi(n)) = 1$, so compute $d = n^{-1} \pmod{\varphi(n)}$, which gives $r \equiv (r^n)^d \pmod{n}$.

Next, use $c \equiv g^m \cdot r^n \pmod{n^2}$ again and apply the binomial expansion to $g^m$ to get

$$mn + 1 \equiv c \cdot r^{-n} \pmod{n^2} \iff nm \equiv c \cdot r^{-n} - 1 \pmod{n^2}$$

Let $a = c \cdot r^{-n} - 1$. Since $n \mid a$, both sides of the congruence above and the modulus can be divided by $n$, giving $m \equiv \dfrac{a}{n} \pmod{n}$.
The rest is a straight combo that needs no explanation.

Exploit.py

#coding=utf-8

from gmpy2 import invert
from Crypto.Util.number import long_to_bytes

p = 80006336965345725157774618059504992841841040207998249416678435780577798937819
q = 80006336965345725157774618059504992841841040207998249416678435780577798937447
n = 6401013954612445818165507289870580041358569258817613282142852881965884799988941535910939664068503367303343695466899335792545332690862283029809823423608093
c = 29088911054711509252215615231015162998042579425917914434962376243477176757448053722602422672251758332052330100944900171067962180230120924963561223495629695702541446456981441239486190458125750543542379899722558637306740763104274377031599875275807723323394379557227060332005571272240560453811389162371812183549

g = n + 1

# c = g^m * r^n (mod n^2)  =>  c = g^m * r^n (mod n)
# g = 1 (mod n), so g^m = 1 (mod n)
# Hence r^n = c (mod n), and gcd(phi(n), n) = 1
phi = (p-1) * (q-1)
# Solve for r just like RSA decryption, with n in the role of the exponent
r = pow(c%n, invert(n, phi), n)
# Rewrite the equation as g^m = c*r^(-n) (mod n^2)
# g^m = (n+1)^m = mn + 1 (mod n^2)
# Set a = c*r^(-n) - 1
a = c * pow(invert(r,n*n), n, n*n) % (n*n) - 1
# We have mn = a (mod n^2)
# n|a, n|mn, n|n^2, so m = a/n (mod n)  =>  m = a/n
m = a//n
# gmpy2 returns mpz; convert to a plain int before serialising
flag = long_to_bytes(int(m))

if __name__ == '__main__':
    # print(r)
    # print(a)
    # print((a-1) % n)
    print(flag)
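
As a check on the derivation above, the following added example (not part of the original write-up) runs a toy Paillier round trip in plain Python 3.8+ and confirms that the recover-r-first route returns the same plaintext as textbook Paillier decryption. The primes, blinding factor and message are constructed sample values, and the function names are hypothetical.

```python
# Added example: toy Paillier round trip. All values below are constructed.
from math import gcd

def encrypt(m, r, n):
    """c = g^m * r^n mod n^2 with g = n + 1, as in the challenge."""
    n2 = n * n
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def recover_via_r(c, p, q):
    """Write-up's route: get r from c mod n, then strip r^n from c."""
    n = p * q
    n2, phi = n * n, (p - 1) * (q - 1)
    if gcd(n, phi) != 1:
        raise ValueError("n is not invertible modulo phi(n)")
    r = pow(c % n, pow(n, -1, phi), n)              # r^n = c (mod n)
    a = (c * pow(pow(r, -1, n2), n, n2) - 1) % n2   # a = m*n (mod n^2)
    if a % n:
        raise ValueError("c is not a valid ciphertext for this key")
    return a // n, r

def decrypt_standard(c, p, q):
    """Textbook Paillier: m = L(c^lam mod n^2) * lam^-1 mod n, L(x) = (x-1)/n."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)    # lcm(p-1, q-1)
    l_value = (pow(c, lam, n * n) - 1) // n
    return l_value * pow(lam, -1, n) % n

# Constructed sample key and message (two Mersenne primes, far too small for real use)
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
R = 3**40                                   # blinding factor, 0 < R < N, coprime to N
M = int.from_bytes(b"flag{toy}", "big")     # 72-bit message, fits below N
C = encrypt(M, R, N)

if __name__ == "__main__":
    m_rec, r_rec = recover_via_r(C, P, Q)
    print("r recovered:", r_rec == R)
    print("write-up route:", m_rec.to_bytes(9, "big"))
    print("textbook route:", decrypt_standard(C, P, Q).to_bytes(9, "big"))
```

Both routes need the factors of n. In the challenge p and q differ by only 372, which is why the modulus factors at once; with independently generated primes of proper size neither route is available without the private key.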