emln/crypto2025
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ALL the CTFS of Crypto2025 finally

Browse Source
This commit is contained in:
emln
2025-06-02 19:35:30 +02:00
parent aa0fe54b3b
commit 50c18f35b9
442 changed files with 1743 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
crypto-asimmetric/inferious_prime/Arithmetic.py Normal file
View File

@ -0,0 +1,97 @@
#!/usr/bin/env python3
'''
Created on Dec 22, 2011
@author: pablocelayes
'''
def egcd(a,b):
'''
Extended Euclidean Algorithm
returns x, y, gcd(a,b) such that ax + by = gcd(a,b)
'''
u, u1 = 1, 0
v, v1 = 0, 1
while b:
q = a // b
u, u1 = u1, u - q * u1
v, v1 = v1, v - q * v1
a, b = b, a - q * b
return u, v, a
def gcd(a,b):
'''
2.8 times faster than egcd(a,b)[2]
'''
a,b=(b,a) if a<b else (a,b)
while b:
a,b=b,a%b
return a
def modInverse(e,n):
'''
d such that de = 1 (mod n)
e must be coprime to n
this is assumed to be true
'''
return egcd(e,n)[0]%n
def totient(p,q):
'''
Calculates the totient of pq
'''
return (p-1)*(q-1)
def bitlength(x):
'''
Calculates the bitlength of x
'''
assert x >= 0
n = 0
while x > 0:
n = n+1
x = x>>1
return n
def isqrt(n):
'''
Calculates the integer square root
for arbitrary large nonnegative integers
'''
if n < 0:
raise ValueError('square root not defined for negative numbers')
if n == 0:
return 0
a, b = divmod(bitlength(n), 2)
x = 2**(a+b)
while True:
y = (x + n//x)//2
if y >= x:
return x
x = y
def is_perfect_square(n):
'''
If n is a perfect square it returns sqrt(n),
otherwise returns -1
'''
h = n & 0xF; #last hexadecimal "digit"
if h > 9:
return -1 # return immediately in 6 cases out of 16.
# Take advantage of Boolean short-circuit evaluation
if ( h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8 ):
# take square root if you must
t = isqrt(n)
if t*t == n:
return t
else:
return -1
return -1

43
crypto-asimmetric/inferious_prime/ContinuedFractions.py Normal file
View File

@ -0,0 +1,43 @@
#!/usr/bin/env python3
'''
Created on Dec 14, 2011
@author: pablocelayes
'''
# Types
CFListT = list[int] # CF coefficients
CVListT = list[tuple[int, int]] # Convergents at each coefficient level
def rational_to_contfrac(x: int, y: int) -> tuple[CFListT, CVListT]:
"""
Converts a rational x/y fraction into
a list of partial coefficients [a0, ..., an], and
a list of convergents at each coefficient level [(n0, d0), (n1, d1), ...]
The algorithm of computing the convergents from left to right is available
in Section 9.1 of https://r-knott.surrey.ac.uk/Fibonacci/cfINTRO.html#CFtofract
Args:
x (int): numerator of the given rational number
y (int): denominator of the given rational number
Returns:
tuple[CFListT, CVListT]: a tuple of coefficients and convergents at each
coefficient level
"""
a = x // y
cflist = [a]
cvlist = [(a, 1)]
ppn, ppd = 1, 0 # pre-pre numerator and denominator of convergent
pn, pd = a, 1 # pre numerator and denominator of convergent
while a * y != x:
x, y = y, x - a * y
a = x // y
cflist.append(a)
cn, cd = a * pn + ppn, a * pd + ppd
cvlist.append((cn, cd))
ppn, ppd = pn, pd
pn, pd = cn, cd
return cflist, cvlist

BIN
crypto-asimmetric/inferious_prime/__pycache__/Arithmetic.cpython-313.pyc Normal file
View File

Binary file not shown.

BIN
crypto-asimmetric/inferious_prime/__pycache__/ContinuedFractions.cpython-313.pyc Normal file
View File

Binary file not shown.

16
crypto-asimmetric/inferious_prime/attack.py Normal file
View File

@ -0,0 +1,16 @@
import ContinuedFractions, Arithmetic
from Cryptodome.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD
#flag len == 23
n = 770071954467068028952709005868206184906970777429465364126693
e = 3
# ct = pow(pt, e, n)
ct = 388435672474892257936058543724812684332943095105091384265939
p = 888242373638787482012535770369
q = 866961515596671343895614356197
phi = (p - 1)*(q - 1)
d = inverse(e, phi)
#res = egcd(e, phi)
pt = pow(ct,d,n)
decrypted = long_to_bytes(pt)
print(decrypted.decode())

32
crypto-asimmetric/inferious_prime/attack2.py Normal file
View File

@ -0,0 +1,32 @@
#!/usr/bin/env python3
import ContinuedFractions, Arithmetic
from Cryptodome.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD
def hack_RSA(e,n):
'''
Finds d knowing (e,n)
applying the Wiener continued fraction attack
'''
_, convergents = ContinuedFractions.rational_to_contfrac(e, n)
for (k,d) in convergents:
#check if d is actually the key
if k!=0 and (e*d-1)%k == 0:
phi = (e*d-1)//k
s = n - phi + 1
# check if the equation x^2 - s*x + n = 0
# has integer roots
discr = s*s - 4*n
if(discr>=0):
t = Arithmetic.is_perfect_square(discr)
if t!=-1 and (s+t)%2==0:
print("Hacked!")
return d
n = 138728501052719695830997827983870257879591108626209095010716818754108501959050430927220695106906763908822395818876460759364322997020222845247478635848425558793671347756842735011885094468024344931360037542098264527076663690119553302046205282212602106990248442514444587909723612295871002063257141634196430659767
c = 40254592670056897412607628206293101688805220813070436291135637864728213056255791064749974976546612178688674369066366922740751516162695397004586912385306024596939610039396946106249406597089442755317018963104229975283670995939592563335766562761230485826833361814955946571348001305529987233069227384314146133493
e = 60016485563460433620911462871489753027091796150597697863772440338904706321535832359517415034149374289955681381097544059467926029963755494161141305994584249448583991034102694954139120453335603006006970009433124857766494518747385902016093339683987307620366742481560543776055295663835860818720290861634213881385
print(hack_RSA(e,n))

31
crypto-asimmetric/inferious_prime/challenge.py Normal file
View File

@ -0,0 +1,31 @@
#!/usr/bin/env python3
from Cryptodome.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD
from secret import flag
assert len(flag) == 23
e = 3
# n will be 8 * (100 + 100) = 1600 bits strong which is pretty good
while True:
#getPrime is 100 bits not 100 Bytes
p = getPrime(100)
q = getPrime(100)
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
if d != -1 and GCD(e, phi) == 1:
break
n = p * q
pt = bytes_to_long(flag)
ct = pow(pt, e, n)
print(f"n = {n}")
print(f"e = {e}")
print(f"ct = {ct}")
pt = pow(ct, d, n)
decrypted = long_to_bytes(pt)
assert decrypted == flag

3
crypto-asimmetric/inferious_prime/ct.txt Normal file
View File

@ -0,0 +1,3 @@
n = 770071954467068028952709005868206184906970777429465364126693
e = 3
ct = 388435672474892257936058543724812684332943095105091384265939

4
crypto-asimmetric/inferious_prime/factor.json Normal file
View File

@ -0,0 +1,4 @@
{ "input-expression":"factor(770071954467068028952709005868206184906970777429465364126693)", "input-decimal":"770071954467068028952709005868206184906970777429465364126693", "factors-prime":["866961515596671343895614356197","888242373638787482012535770369"], "pm1-curves" : {"150000":1}, "ecm-curves" : {"2000":30,"11000":49}, "ecm-levels" : {"t15":5.08,"t20":0.70,"t25":0.03}, "ecm-sum":18.49, "runtime" : {"total":3.3668, "ecm":0.7145, "pm1":0.1709, "siqs":1.5859}, "time-start" : "2025-05-31 16:36:45", "time-end" : "2025-05-31 16:36:49", "info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }
{ "input-expression":"factor(770071954467068028952709005868206184906970777429465364126693)", "input-decimal":"770071954467068028952709005868206184906970777429465364126693", "factors-prime":["866961515596671343895614356197","888242373638787482012535770369"], "pm1-curves" : {"150000":1}, "ecm-curves" : {"2000":30,"11000":49}, "ecm-levels" : {"t15":5.08,"t20":0.70,"t25":0.03}, "ecm-sum":18.49, "runtime" : {"total":3.4269, "ecm":0.7212, "pm1":0.1541, "siqs":1.6543}, "time-start" : "2025-05-31 16:41:17", "time-end" : "2025-05-31 16:41:20", "info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }
{ "input-expression":"factor(770071954467068028952709005868206184906970777429465364126693)", "input-decimal":"770071954467068028952709005868206184906970777429465364126693", "factors-prime":["866961515596671343895614356197","888242373638787482012535770369"], "pm1-curves" : {"150000":1}, "ecm-curves" : {"2000":30,"11000":49}, "ecm-levels" : {"t15":5.08,"t20":0.70,"t25":0.03}, "ecm-sum":18.49, "runtime" : {"total":3.4194, "ecm":0.7182, "pm1":0.1517, "siqs":1.6473}, "time-start" : "2025-05-31 16:59:56", "time-end" : "2025-05-31 16:59:59", "info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }
{ "input-expression":"factor(1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597)", "input-decimal":"1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597", "factors-prime":["3","24091","178873"], "factors-composite":["107311142968629109987106827924726849190727506922563506528296052606752554050570684149745249560701073047057673863013240005659733442526608459395106318894320211913016755833364378916165851253656368165804685947807602445392047856291998097447484713577830026745416939664870681389803184120274440801965548093"], "pm1-curves" : {"150000":1,"3750000":1}, "ecm-curves" : {"2000":30,"11000":74,"50000":214,"250000":331}, "ecm-levels" : {"t15":103.94,"t20":52.60,"t25":7.67,"t30":0.84,"t35":0.07}, "ecm-sum":29.18, "runtime" : {"total":674.1954, "ecm":582.0758, "pm1":3.8655}, "time-start" : "2025-05-31 17:16:44", "time-end" : "2025-05-31 17:27:58", "info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }

251
crypto-asimmetric/inferious_prime/factor.log Normal file
View File

@ -0,0 +1,251 @@
05/31/25 16:36:45,
05/31/25 16:36:45, ****************************
05/31/25 16:36:45, Starting factorization of 770071954467068028952709005868206184906970777429465364126693
05/31/25 16:36:45, using pretesting plan: normal
05/31/25 16:36:45, no tune info: using qs/gnfs crossover of 95 digits
05/31/25 16:36:45, no tune info: using qs/snfs crossover of 95 digits
05/31/25 16:36:45, ****************************
05/31/25 16:36:45, rho: x^2 + 3, starting 1000 iterations on C60
05/31/25 16:36:45, rho: x^2 + 2, starting 1000 iterations on C60
05/31/25 16:36:45, rho: x^2 + 1, starting 1000 iterations on C60
05/31/25 16:36:45, pm1: starting B1 = 150K, B2 = gmp-ecm default on C60
05/31/25 16:36:46, current ECM pretesting depth: 0.000000
05/31/25 16:36:46, scheduled 30 curves at B1=2000 toward target pretesting depth of 18.461538
05/31/25 16:36:46, Finished 30 curves using GMP-ECM method on C60 input, B1=2k, B2=gmp-ecm default
05/31/25 16:36:46, current ECM pretesting depth: 15.177725
05/31/25 16:36:46, scheduled 49 curves at B1=11000 toward target pretesting depth of 18.461538
05/31/25 16:36:46, Finished 49 curves using GMP-ECM method on C60 input, B1=11k, B2=gmp-ecm default
05/31/25 16:36:46, final ECM pretested depth: 18.488536
05/31/25 16:36:46, scheduler: switching to sieve method
05/31/25 16:36:47, starting SIQS on c60: 770071954467068028952709005868206184906970777429465364126693
05/31/25 16:36:47, random seed: 9798781643487242962
05/31/25 16:36:47, ==== sieve params ====
05/31/25 16:36:47, n = 60 digits, 199 bits
05/31/25 16:36:47, factor base: 3680 primes (max prime = 74821)
05/31/25 16:36:47, single large prime cutoff: 5611575 (75 * pmax)
05/31/25 16:36:47, allocating 2 large prime slices of factor base
05/31/25 16:36:47, buckets hold 2048 elements
05/31/25 16:36:47, large prime hashtables have 131072 bytes
05/31/25 16:36:47, using SSE41 enabled 32k sieve core
05/31/25 16:36:47, sieve interval: 4 blocks of size 32768
05/31/25 16:36:47, polynomial A has ~ 7 factors
05/31/25 16:36:47, using multiplier of 1
05/31/25 16:36:47, using multiplier of 1 (kn mod 8 == 5)
05/31/25 16:36:47, using SPV correction of 20 bits, starting at offset 31
05/31/25 16:36:47, trial factoring cutoff at 66 bits
05/31/25 16:36:47, ==== sieving started (1 thread) ====
05/31/25 16:36:49, trial division touched 318827 sieve locations out of 2373976064
05/31/25 16:36:49, total reports = 318827, total surviving reports = 52531
05/31/25 16:36:49, total blocks sieved = 72448, avg surviving reports per block = 0.73
05/31/25 16:36:49, 3751 relations found: 1751 full + 2000 from 19532 partial, using 9056 polys (160 A polys)
05/31/25 16:36:49, on average, sieving found 2.35 rels/poly and 13965.63 rels/sec
05/31/25 16:36:49, trial division touched 318827 sieve locations out of 2373976064
05/31/25 16:36:49, ==== post processing stage (msieve-1.38) ====
05/31/25 16:36:49, QS elapsed time = 1.5248 seconds.
05/31/25 16:36:49, begin singleton removal with 21283 relations
05/31/25 16:36:49, reduce to 5491 relations in 2 passes
05/31/25 16:36:49, recovered 5491 relations
05/31/25 16:36:49, recovered 4143 polynomials
05/31/25 16:36:49, attempting to build 3751 cycles
05/31/25 16:36:49, found 3751 cycles from 5491 relations in 1 passes
05/31/25 16:36:49, distribution of cycle lengths:
05/31/25 16:36:49, length 1 : 1751
05/31/25 16:36:49, length 2 : 2000
05/31/25 16:36:49, largest cycle: 2 relations
05/31/25 16:36:49, matrix is 3680 x 3751 (0.5 MB) with weight 91090 (24.28/col)
05/31/25 16:36:49, sparse part has weight 91090 (24.28/col)
05/31/25 16:36:49, filtering completed in 3 passes
05/31/25 16:36:49, matrix is 3423 x 3487 (0.4 MB) with weight 83804 (24.03/col)
05/31/25 16:36:49, sparse part has weight 83804 (24.03/col)
05/31/25 16:36:49, commencing Lanczos iteration
05/31/25 16:36:49, memory use: 0.6 MB
05/31/25 16:36:49, lanczos halted after 55 iterations (dim = 3419)
05/31/25 16:36:49, recovered 62 nontrivial dependencies
05/31/25 16:36:49, prp30 = 888242373638787482012535770369
05/31/25 16:36:49, prp30 = 866961515596671343895614356197
05/31/25 16:36:49, Lanczos elapsed time = 0.0590 seconds.
05/31/25 16:36:49, Sqrt elapsed time = 0.0020 seconds.
05/31/25 16:36:49, SIQS elapsed time = 1.5859 seconds.
05/31/25 16:36:49,
05/31/25 16:36:49,
05/31/25 16:36:49, Total factoring time = 3.3668 seconds
05/31/25 16:41:17,
05/31/25 16:41:17, ****************************
05/31/25 16:41:17, Starting factorization of 770071954467068028952709005868206184906970777429465364126693
05/31/25 16:41:17, using pretesting plan: normal
05/31/25 16:41:17, no tune info: using qs/gnfs crossover of 95 digits
05/31/25 16:41:17, no tune info: using qs/snfs crossover of 95 digits
05/31/25 16:41:17, ****************************
05/31/25 16:41:17, rho: x^2 + 3, starting 1000 iterations on C60
05/31/25 16:41:17, rho: x^2 + 2, starting 1000 iterations on C60
05/31/25 16:41:17, rho: x^2 + 1, starting 1000 iterations on C60
05/31/25 16:41:17, pm1: starting B1 = 150K, B2 = gmp-ecm default on C60
05/31/25 16:41:17, current ECM pretesting depth: 0.000000
05/31/25 16:41:17, scheduled 30 curves at B1=2000 toward target pretesting depth of 18.461538
05/31/25 16:41:17, Finished 30 curves using GMP-ECM method on C60 input, B1=2k, B2=gmp-ecm default
05/31/25 16:41:17, current ECM pretesting depth: 15.177725
05/31/25 16:41:17, scheduled 49 curves at B1=11000 toward target pretesting depth of 18.461538
05/31/25 16:41:18, Finished 49 curves using GMP-ECM method on C60 input, B1=11k, B2=gmp-ecm default
05/31/25 16:41:18, final ECM pretested depth: 18.488536
05/31/25 16:41:18, scheduler: switching to sieve method
05/31/25 16:41:19, starting SIQS on c60: 770071954467068028952709005868206184906970777429465364126693
05/31/25 16:41:19, random seed: 2197617152253159330
05/31/25 16:41:19, ==== sieve params ====
05/31/25 16:41:19, n = 60 digits, 199 bits
05/31/25 16:41:19, factor base: 3680 primes (max prime = 74821)
05/31/25 16:41:19, single large prime cutoff: 5611575 (75 * pmax)
05/31/25 16:41:19, allocating 2 large prime slices of factor base
05/31/25 16:41:19, buckets hold 2048 elements
05/31/25 16:41:19, large prime hashtables have 131072 bytes
05/31/25 16:41:19, using SSE41 enabled 32k sieve core
05/31/25 16:41:19, sieve interval: 4 blocks of size 32768
05/31/25 16:41:19, polynomial A has ~ 7 factors
05/31/25 16:41:19, using multiplier of 1
05/31/25 16:41:19, using multiplier of 1 (kn mod 8 == 5)
05/31/25 16:41:19, using SPV correction of 20 bits, starting at offset 31
05/31/25 16:41:19, trial factoring cutoff at 66 bits
05/31/25 16:41:19, ==== sieving started (1 thread) ====
05/31/25 16:41:20, trial division touched 319551 sieve locations out of 2382364672
05/31/25 16:41:20, total reports = 319551, total surviving reports = 86124
05/31/25 16:41:20, total blocks sieved = 72704, avg surviving reports per block = 1.18
05/31/25 16:41:20, 3751 relations found: 1775 full + 1976 from 19593 partial, using 9088 polys (160 A polys)
05/31/25 16:41:20, on average, sieving found 2.35 rels/poly and 13449.19 rels/sec
05/31/25 16:41:20, trial division touched 319551 sieve locations out of 2382364672
05/31/25 16:41:20, ==== post processing stage (msieve-1.38) ====
05/31/25 16:41:20, QS elapsed time = 1.5897 seconds.
05/31/25 16:41:20, begin singleton removal with 21368 relations
05/31/25 16:41:20, reduce to 5490 relations in 2 passes
05/31/25 16:41:20, recovered 5490 relations
05/31/25 16:41:20, recovered 4137 polynomials
05/31/25 16:41:20, attempting to build 3751 cycles
05/31/25 16:41:20, found 3751 cycles from 5490 relations in 1 passes
05/31/25 16:41:20, distribution of cycle lengths:
05/31/25 16:41:20, length 1 : 1775
05/31/25 16:41:20, length 2 : 1976
05/31/25 16:41:20, largest cycle: 2 relations
05/31/25 16:41:20, matrix is 3680 x 3751 (0.5 MB) with weight 90726 (24.19/col)
05/31/25 16:41:20, sparse part has weight 90726 (24.19/col)
05/31/25 16:41:20, filtering completed in 3 passes
05/31/25 16:41:20, matrix is 3382 x 3446 (0.4 MB) with weight 82607 (23.97/col)
05/31/25 16:41:20, sparse part has weight 82607 (23.97/col)
05/31/25 16:41:20, commencing Lanczos iteration
05/31/25 16:41:20, memory use: 0.6 MB
05/31/25 16:41:20, lanczos halted after 55 iterations (dim = 3380)
05/31/25 16:41:20, recovered 63 nontrivial dependencies
05/31/25 16:41:20, prp30 = 888242373638787482012535770369
05/31/25 16:41:20, prp30 = 866961515596671343895614356197
05/31/25 16:41:20, Lanczos elapsed time = 0.0580 seconds.
05/31/25 16:41:20, Sqrt elapsed time = 0.0070 seconds.
05/31/25 16:41:20, SIQS elapsed time = 1.6543 seconds.
05/31/25 16:41:20,
05/31/25 16:41:20,
05/31/25 16:41:20, Total factoring time = 3.4269 seconds
05/31/25 16:59:56,
05/31/25 16:59:56, ****************************
05/31/25 16:59:56, Starting factorization of 770071954467068028952709005868206184906970777429465364126693
05/31/25 16:59:56, using pretesting plan: normal
05/31/25 16:59:56, no tune info: using qs/gnfs crossover of 95 digits
05/31/25 16:59:56, no tune info: using qs/snfs crossover of 95 digits
05/31/25 16:59:56, ****************************
05/31/25 16:59:56, rho: x^2 + 3, starting 1000 iterations on C60
05/31/25 16:59:56, rho: x^2 + 2, starting 1000 iterations on C60
05/31/25 16:59:56, rho: x^2 + 1, starting 1000 iterations on C60
05/31/25 16:59:56, pm1: starting B1 = 150K, B2 = gmp-ecm default on C60
05/31/25 16:59:56, current ECM pretesting depth: 0.000000
05/31/25 16:59:56, scheduled 30 curves at B1=2000 toward target pretesting depth of 18.461538
05/31/25 16:59:57, Finished 30 curves using GMP-ECM method on C60 input, B1=2k, B2=gmp-ecm default
05/31/25 16:59:57, current ECM pretesting depth: 15.177725
05/31/25 16:59:57, scheduled 49 curves at B1=11000 toward target pretesting depth of 18.461538
05/31/25 16:59:57, Finished 49 curves using GMP-ECM method on C60 input, B1=11k, B2=gmp-ecm default
05/31/25 16:59:57, final ECM pretested depth: 18.488536
05/31/25 16:59:57, scheduler: switching to sieve method
05/31/25 16:59:58, starting SIQS on c60: 770071954467068028952709005868206184906970777429465364126693
05/31/25 16:59:58, random seed: 5474488345592639154
05/31/25 16:59:58, ==== sieve params ====
05/31/25 16:59:58, n = 60 digits, 199 bits
05/31/25 16:59:58, factor base: 3680 primes (max prime = 74821)
05/31/25 16:59:58, single large prime cutoff: 5611575 (75 * pmax)
05/31/25 16:59:58, allocating 2 large prime slices of factor base
05/31/25 16:59:58, buckets hold 2048 elements
05/31/25 16:59:58, large prime hashtables have 131072 bytes
05/31/25 16:59:58, using SSE41 enabled 32k sieve core
05/31/25 16:59:58, sieve interval: 4 blocks of size 32768
05/31/25 16:59:58, polynomial A has ~ 7 factors
05/31/25 16:59:58, using multiplier of 1
05/31/25 16:59:58, using multiplier of 1 (kn mod 8 == 5)
05/31/25 16:59:58, using SPV correction of 20 bits, starting at offset 31
05/31/25 16:59:58, trial factoring cutoff at 66 bits
05/31/25 16:59:58, ==== sieving started (1 thread) ====
05/31/25 16:59:59, trial division touched 321806 sieve locations out of 2399666176
05/31/25 16:59:59, total reports = 321806, total surviving reports = 87328
05/31/25 16:59:59, total blocks sieved = 73232, avg surviving reports per block = 1.19
05/31/25 16:59:59, 3747 relations found: 1688 full + 2059 from 19667 partial, using 9154 polys (158 A polys)
05/31/25 16:59:59, on average, sieving found 2.33 rels/poly and 13473.45 rels/sec
05/31/25 16:59:59, trial division touched 321806 sieve locations out of 2399666176
05/31/25 16:59:59, ==== post processing stage (msieve-1.38) ====
05/31/25 16:59:59, QS elapsed time = 1.5857 seconds.
05/31/25 16:59:59, begin singleton removal with 21355 relations
05/31/25 16:59:59, reduce to 5526 relations in 2 passes
05/31/25 16:59:59, recovered 5526 relations
05/31/25 16:59:59, recovered 4180 polynomials
05/31/25 16:59:59, attempting to build 3747 cycles
05/31/25 16:59:59, found 3747 cycles from 5526 relations in 1 passes
05/31/25 16:59:59, distribution of cycle lengths:
05/31/25 16:59:59, length 1 : 1688
05/31/25 16:59:59, length 2 : 2059
05/31/25 16:59:59, largest cycle: 2 relations
05/31/25 16:59:59, matrix is 3680 x 3747 (0.5 MB) with weight 92151 (24.59/col)
05/31/25 16:59:59, sparse part has weight 92151 (24.59/col)
05/31/25 16:59:59, filtering completed in 3 passes
05/31/25 16:59:59, matrix is 3383 x 3447 (0.4 MB) with weight 84068 (24.39/col)
05/31/25 16:59:59, sparse part has weight 84068 (24.39/col)
05/31/25 16:59:59, commencing Lanczos iteration
05/31/25 16:59:59, memory use: 0.6 MB
05/31/25 16:59:59, lanczos halted after 55 iterations (dim = 3381)
05/31/25 16:59:59, recovered 63 nontrivial dependencies
05/31/25 16:59:59, prp30 = 866961515596671343895614356197
05/31/25 16:59:59, prp30 = 888242373638787482012535770369
05/31/25 16:59:59, Lanczos elapsed time = 0.0580 seconds.
05/31/25 16:59:59, Sqrt elapsed time = 0.0040 seconds.
05/31/25 16:59:59, SIQS elapsed time = 1.6473 seconds.
05/31/25 16:59:59,
05/31/25 16:59:59,
05/31/25 16:59:59, Total factoring time = 3.4194 seconds
05/31/25 17:16:44,
05/31/25 17:16:44, ****************************
05/31/25 17:16:44, Starting factorization of 1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597
05/31/25 17:16:44, using pretesting plan: normal
05/31/25 17:16:44, no tune info: using qs/gnfs crossover of 95 digits
05/31/25 17:16:44, no tune info: using qs/snfs crossover of 95 digits
05/31/25 17:16:44, ****************************
05/31/25 17:16:44, div: found prime factor = 3
05/31/25 17:16:44, rho: x^2 + 3, starting 1000 iterations on C306
05/31/25 17:16:44, prp5 = 24091
05/31/25 17:16:44, rho: x^2 + 3, starting 1000 iterations on C302
05/31/25 17:16:44, prp6 = 178873
05/31/25 17:16:44, rho: x^2 + 3, starting 1000 iterations on C297
05/31/25 17:16:44, rho: x^2 + 2, starting 1000 iterations on C297
05/31/25 17:16:44, rho: x^2 + 1, starting 1000 iterations on C297
05/31/25 17:16:45, pm1: starting B1 = 150K, B2 = gmp-ecm default on C297
05/31/25 17:16:45, current ECM pretesting depth: 0.000000
05/31/25 17:16:45, scheduled 30 curves at B1=2000 toward target pretesting depth of 91.384615
05/31/25 17:16:46, Finished 30 curves using GMP-ECM method on C297 input, B1=2k, B2=gmp-ecm default
05/31/25 17:16:46, current ECM pretesting depth: 15.177725
05/31/25 17:16:46, scheduled 74 curves at B1=11000 toward target pretesting depth of 91.384615
05/31/25 17:16:52, Finished 74 curves using GMP-ECM method on C297 input, B1=11k, B2=gmp-ecm default
05/31/25 17:16:52, current ECM pretesting depth: 20.242996
05/31/25 17:16:52, scheduled 214 curves at B1=50000 toward target pretesting depth of 91.384615
05/31/25 17:18:12, Finished 214 curves using GMP-ECM method on C297 input, B1=50k, B2=gmp-ecm default
05/31/25 17:18:12, pm1: starting B1 = 3750K, B2 = gmp-ecm default on C297
05/31/25 17:18:16, current ECM pretesting depth: 25.332854
05/31/25 17:18:16, scheduled 430 curves at B1=250000 toward target pretesting depth of 91.384615
05/31/25 17:27:58, Finished 331 curves using GMP-ECM method on C297 input, B1=250k, B2=gmp-ecm default
05/31/25 17:27:58, ecm work completed:
05/31/25 17:27:58, t15: 103.94
05/31/25 17:27:58, t20: 52.60
05/31/25 17:27:58, t25: 7.67
05/31/25 17:27:58, t30: 0.84
05/31/25 17:27:58, t35: 0.07
05/31/25 17:27:58, estimated sum of completed work is t29.18
05/31/25 17:27:58, c297 cofactor = 107311142968629109987106827924726849190727506922563506528296052606752554050570684149745249560701073047057673863013240005659733442526608459395106318894320211913016755833364378916165851253656368165804685947807602445392047856291998097447484713577830026745416939664870681389803184120274440801965548093
05/31/25 17:27:58, Total factoring time = 674.1954 seconds

54
crypto-asimmetric/inferious_prime/session.log Normal file
View File

@ -0,0 +1,54 @@
05/31/25 16:35:29, =====================================
05/31/25 16:35:29, System/Build Info:
05/31/25 16:35:29, YAFU Version 3.0
05/31/25 16:35:29, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0
05/31/25 16:35:29, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
05/31/25 16:35:29, detected AMD Ryzen 5 5600H with Radeon Graphics
detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
05/31/25 16:35:29, CPU features enabled: 05/31/25 16:35:29, SSE41 05/31/25 16:35:29,
05/31/25 16:35:29, using 1 random witness for Rabin-Miller PRP checks
05/31/25 16:35:29, Cached 664579 primes: max prime is 9999991
05/31/25 16:35:29, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
05/31/25 16:35:29, Random seed: 11355864739165760672
05/31/25 16:41:06, =====================================
05/31/25 16:41:06, System/Build Info:
05/31/25 16:41:06, YAFU Version 3.0
05/31/25 16:41:06, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0
05/31/25 16:41:06, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
05/31/25 16:41:06, detected AMD Ryzen 5 5600H with Radeon Graphics
detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
05/31/25 16:41:06, CPU features enabled: 05/31/25 16:41:06, SSE41 05/31/25 16:41:06,
05/31/25 16:41:06, using 1 random witness for Rabin-Miller PRP checks
05/31/25 16:41:06, Cached 664579 primes: max prime is 9999991
05/31/25 16:41:06, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
05/31/25 16:41:06, Random seed: 2349589573457932528
05/31/25 16:59:51, =====================================
05/31/25 16:59:51, System/Build Info:
05/31/25 16:59:51, YAFU Version 3.0
05/31/25 16:59:51, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0
05/31/25 16:59:51, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
05/31/25 16:59:51, detected AMD Ryzen 5 5600H with Radeon Graphics
detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
05/31/25 16:59:51, CPU features enabled: 05/31/25 16:59:51, SSE41 05/31/25 16:59:51,
05/31/25 16:59:51, using 1 random witness for Rabin-Miller PRP checks
05/31/25 16:59:51, Cached 664579 primes: max prime is 9999991
05/31/25 16:59:51, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
05/31/25 16:59:51, Random seed: 13485483859696141696
05/31/25 17:16:09, =====================================
05/31/25 17:16:09, System/Build Info:
05/31/25 17:16:09, YAFU Version 3.0
05/31/25 17:16:09, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0
05/31/25 17:16:09, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
05/31/25 17:16:09, detected AMD Ryzen 5 5600H with Radeon Graphics
detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
05/31/25 17:16:09, CPU features enabled: 05/31/25 17:16:09, SSE41 05/31/25 17:16:09,
05/31/25 17:16:09, using 1 random witness for Rabin-Miller PRP checks
05/31/25 17:16:09, Cached 664579 primes: max prime is 9999991
05/31/25 17:16:09, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
05/31/25 17:16:09, Random seed: 10478636967936581680
05/31/25 17:16:44, Processing: factor(1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597)
05/31/25 17:27:58, Result : 107311142968629109987106827924726849190727506922563506528296052606752554050570684149745249560701073047057673863013240005659733442526608459395106318894320211913016755833364378916165851253656368165804685947807602445392047856291998097447484713577830026745416939664870681389803184120274440801965548093

30
crypto-asimmetric/inferious_prime/test.py Normal file
View File

@ -0,0 +1,30 @@
#!/usr/bin/env python3
from Cryptodome.PublicKey import RSA
#kth root of the number n
def iroot(k, n):
u, s = n, n+1
while u < s:
s = u
t = (k-1) * s + n // pow(s, k-1)
u = t // k
return s
if __name__ == '__main__':
e = 3
# d = rsa_keypair.d
n = 388435672474892257936058543724812684332943095105091384265939
m = b'A'*8
m_int = int.from_bytes(m,byteorder='big')
c = pow(m_int,e,n)
decrypted_int = iroot(e, c)
print(decrypted_int)
print(decrypted_int.to_bytes(decrypted_int.bit_length() // 8 +1, byteorder='big').decode())
dec = pow(c, 1/3)
print(dec)

24
crypto-asimmetric/inferious_prime/wiener.py Normal file
View File

@ -0,0 +1,24 @@
#!/usr/bin/env python3
import ContinuedFractions, Arithmetic
def hack_RSA(e,n):
'''
Finds d knowing (e,n)
applying the Wiener continued fraction attack
'''
_, convergents = ContinuedFractions.rational_to_contfrac(e, n)
for (k,d) in convergents:
#check if d is actually the key
if k!=0 and (e*d-1)%k == 0:
phi = (e*d-1)//k
s = n - phi + 1
# check if the equation x^2 - s*x + n = 0
# has integer roots
discr = s*s - 4*n
if(discr>=0):
t = Arithmetic.is_perfect_square(discr)
if t!=-1 and (s+t)%2==0:
print("Hacked!")
return d