#zer0ptsCTF2021 from Crypto.Util.number import getStrongPrime, GCD from random import randint from flag import flag import os def pad(m: int, n: int): # PKCS#1 v1.5 maybe ms = m.to_bytes((m.bit_length() + 7) // 8, "big") ns = n.to_bytes((n…

#HackTM_CTF_Quals_2023 from Crypto.Util.number import bytes_to_long, getStrongPrime from secret import flag assert len(flag) == 255 e = 3 p = getStrongPrime(1024, e=e) q = getStrongPrime(1024, e=e) n = p * q phi = (p - 1) * (q - 1) d = pow…

#bsidesahmedabadctf_2021 from Crypto.Util.number import getPrime from hashlib import sha256 import random def gen_parameters(): p = getPrime(512) q = getPrime(512) N = p * q a = -3 while True: b = random.randint(0, N) if (4*a**3 + 27*b**2)…

#srdnlen_CTF_2022 #!/usr/bin/env python3 import random import string from Crypto.Util.number import getPrime, bytes_to_long def flag_padding(flag): s = string.ascii_lowercase + string.ascii_uppercase + string.digits for i in range(random.r…

#ricerca_ctf_2023 #RSA #Franklin-Reiter_Related_Message_Attack #half-GCD https://furutsuki.hatenablog.com/entry/2023/04/23/143704#Rotated-Secret-Analysis

RSA Coppersmith's Short Pad Attack + Franklin-Reiter Related Message Attack https://furutsuki.hatenablog.com/entry/2020/06/07/192729#Crypto-Double-Message

#diceCTF_2021 #good_challenges_2021 Two agents, Blex and Kane, have simultaneously known very secret message and transmitted it to Center. You know following: 1) They used RSA with this public key 2) They sent exactly the same messages exc…

#Polynomial #GCD あとから考えたらこれFranklin-Reiter Related Message Attackだな で 各c, a, eと nが与えられる を考える。上だから自明になのでこの多項式はそれぞれで割り切れる。 したがって が得られる。一変数多項式のgcd ただし、こうして得た一次…

#acsc2021 import random from Crypto.Util.number import * from Crypto.Util.Padding import pad from flag import flag p = getStrongPrime(512) q = getStrongPrime(512) n = p * q B = getStrongPrime(512) m = flag[0:len(flag)//2] print("flag1_len …

#foobarCTF_2022 #!/usr/bin/env python3 from Crypto.Util.number import * from random import getrandbits flag = b'***********************REDACTED***********************' FLAG = bytes_to_long(flag) p = getStrongPrime(512) q = getStrongPrime(5…

RSAで同一modにおける2つの暗号文があり、2つの平文の差が小さい時に使える攻撃。つまり このとき、としてresultantでを消去した を求めるとはだけの式になり、univariate coppersmith methodで小さい根を求められれば、Franklin-Reiter Related Message Att…

from Crypto.Util.number import bytes_to_long, getStrongPrime from fractions import gcd from secret import flag from Crypto.Random import get_random_bytes def encrypt(number): return pow(number,e,N) def noisy_encrypt(a,m): return encrypt(po…