强网杯-Qualifier-2022/Crypto/Factor writeup

本文是赛后复盘完成的,比赛时没有找到对应的论文。

1. challenge

附件下载 提取码(GAME)

下载得到附件task.py

点击查看task.py 
#encoding:utf-8
from Crypto.Util.number import *
from gmpy2 import *
from random import randint
from flag import flag

def gen1():
	r = 2
	while True:
		p2 = getPrime(1792)
		p1 = getPrime(1792)

		q1 = getPrime(512)
		q2 = getPrime(512)

		if (abs(p1-p2) < (p1//(2*r*q1*q2))):
			n1, n2 = (p1**r)*q1, (p2**r)*q2
			break

	phi1 = (p1**(r-1))*(p1-1)*(q1-1)
	phi2 = (p2**(r-1))*(p2-1)*(q2-1)
	while True:
		e1 = randint(5, (p1-1)*(q1-1))
		e2 = randint(5, (p2-1)*(q2-1))
		if gcd(e1, e2) == 1 and gcd(phi1, e1) == 1 and gcd(phi2, e2) == 1:
			break
	return n11, n12, e11, e12


def gen2():
	r = 7
	while True:
		p = getPrime(512)
		q =	getPrime(512)
		N = (p**r)*q
		if len(bin(N)) == 4096:
			break

	idx = (r*(r-1)) / ((r+1)*(r+1))
	delta = int(pow(mpz(N), idx))
	phi = (p**(r-1))*(p-1)*(q-1)

	while True:
		d1 = getPrime(int(2048*idx)//2)
		d2 = getPrime(int(2048*idx)//2)
		if abs(d1-d2) < delta:
			m1 = invert(d1, phi)
			m2 = invert(d2, phi)
			break

	e2 = 0x10001
	return n2, e2, m1, m2

def gen3():
	r = 7
	while True:
		p = getPrime(512)
		q =	getPrime(512)
		N = (p**r)*q
		phi = (p**(r-1))*(p-1)*(q-1)

		if len(bin(N))-2 == 4096:
			break

	idx = (r*(r-1)) / ((r+1)*(r+1))
	delta = int(pow(mpz(N), idx))

	while True:
		b = getRandomNBitInteger(int(2048*idx)//2)
		a = getRandomNBitInteger(int(2048*idx)//2)
		if a*b < delta:
			e = invert(a, phi)*b
			return n3, e3, b


n11, n12, e11, e12 = gen1()
print(f"n11={n11}\nn12={n12}\ne11={e11}\ne12={e12}\n")
n2, e2, m1, m2 = gen2()
print(f"n2={n2}\ne2={e2}\n")
n3, e3, b = gen3()
print(f"n3={n3}\ne3={e3}\n")

m3 = bytes_to_long(flag)
c11 = powmod(m1, e11, n11)
c12 = powmod(m2, e12, n12)
c2 = powmod(b, e2, n2)
c3 = powmod(m3, e3, n3)
print(f"c11={c11}\nc12={c12}\nc2={c2}\nc3={c3}\n")
'''
n11=801049932940568005269978912396585741498810389425615966036828877784238116634177290247194019425111606811005728521368879065336038221361037062407029836155148874719789714345603547779284558101833801155509762818376470874215789574939002212274399950433269775325144015468620263028557804618774240232988157961712628677901130814703917513004114547234375629747176834581166306552311075522669403347828095831520693563291249869832390698646691647204371133362254846234990175138047928703289833460734235302093916147489509206061923877623300596194317059884824322527532662470348274079800781120104946546063500763852622187404608639542858285661288293918912184354236687975919510300221932074135531028314170475917110204254042336116619335841213418990605590620842511615815443114612333881430920769002933370887494558640833005339906706603497809846863863967391543647049224309556936909768179259581851520214669904560467640473144481633920438487615788689262961741053146610554997224861331949716721056553499531186695425439163222802917813140266513735841447717418846360096652592844940362932171019143434080184728093326143821165097895058935372215708948088248596585127475770021962501262915274497478428868130455122612016408381607561200802267038869516896665387576895570245272035575637
n12=635401970340205725139325006504978344512744926958688031423448003992072769931808217486709574151492230879374574313457662436423263437792389711379687512056391117410807565492548718691166183372633151644917135272259770997096195518489056319350258673723095417922153182423913759272893696867426193704479752772511081457729513843682588951499551132432923147997238597538055902932123792252593514225328196541483451747314048080824405530742533473914329294346486691684904100406972073037050089861816604505650042953778360621934380815999541183067585498606053857125775979915077329566722531830089714823979965934190338538564188253271016367299890015449611141166780048763403252309160517164569110740561584100839212138661881615351382946813818078899882595313362934594951895560189003438775450675343590147821186953526262224973333962454561275321925151619178204499342339749637758100126893330994252902926509705617882239610380420830791088907378397226817514095468815228186716220057075095711894070032344613244803934541318573847029365563159918970404057137270884587905766828750387753130065274147902379993224780149663600462492281891320702134153853359393588902750423972068679293373333869389393970353760507436913233657422185531482023237384247535554666481760197851108297145147371
e11=1898839980562048754607069073527844852132536432440793106124181406514770178066775988232362054809850074774981836898118651469424148725970708199461113088705044905633592578936333918328544505910996746428679299419879472444790941363558025887620570856598548320246426354974395765243741646121743413447132297230365355148066914830856904433750379114692122900723772114991199979638987571559860550883470977246459523068862898859694461427148626628283198896659337135438506574799585378178678790308410266713256003479022699264568844505977513537013529212961573269494683740987283682608189406719573301573662696753903050991812884192192569737274321828986847640839813424701894578472933385727757445011291134961124822612239865
e12=1262647419018930022617189608995712260095623047273893811529510754596636390255564988827821761126917976430978175522450277907063247981106405519094560616378241247111698915199999363948015703788616554657275147338766805289909261129165025156078136718573006479030827585347458143645738353716189131209398056741864848486818076440355778886993462012533397208330925057305502653219173629466948635110352752162442552541812665607516753186595817376029707777599029040724727499952161261179707271814405907165207904499722122779096230563548011491932378429654764486855147873135769116637484240454596231092684424572258119768093562747249251518965380465994055049411715353547147466711949391814550591591830515262296556050946881

n2=209798341155088334158217087474227805455138848036904381404809759100627849272231840321985747935471287990313456209656625928356468120896887536235496490078123448217785939608443507649096688546074968476040552137270080120417769906047001451239544719039212180059396791491281787790213953488743488306241516010351179070869410418232801398578982244984544906579574766534671056023774009163991804748763929626213884208260660722705479782932001102089367261720194650874553305179520889083170973755913964440175393646890791491057655226024046525748177999422035469428780228224800114202385209306803288475439775037067014297973202621118959024226798935588827359265962780792266516120013602384766460619793738405476219362508944225007365127768741191310079985425349292613888185378948854602285379329682053663283534930182589905986063348509703027498270111412063194971956202729807710253369312175636837558252924035002153389909587349043986253518050303628071319876207392440085675892353421232158925122721273720564784886530611286461575045181073744696415657043278123662980166364494583141297996445429477446442693717498789391918530672770193730629928408766563592081857706608049076318165712479742423149330311238462044666384622153280310696667586565906758451118241914402257039981388209
e2=65537

n3=539779851369541956878655738599584730199799866957191805784596190682932284216781781433367450841202917758999300635019369629627621029957135109806205877317954671312041249493462048283611940752235036153024920172209763260723728345918562258401803973624430150143563078517485996070862532682695228590709019451174548520135142052216785774589096706631010293690859363524584240662502290912412366366114571976050857239915691266377257797199583543940504695517331512813468837128344612227973709974625418257243011036826241599265375741977853552204640800449679679351666009764297016524814036295707311913711955324055690490892097177271718850857268982130811714517356073266905474635370690445031512184247179039751734276906533177939993769044135143389748416635981226449566039039202521305851567296884751935162651063209779647359922622084851547605090230221057349511482738300221222563908357379545905837110168948295030747460300104202323692732549831403834387939156877086852393515817984772384147449841124275061609701453997579569931391166586163299940486204581696722731952467570857217406030804590055255431828403195798003509083922294733709507134156466158642941338493323430671502043066148246348074878064089651235355282144209668143249348243220714471988019011613749340243917652821
e3=8179300978753084587812861894047395225516049110376948812109811319430275614612773726672345893359691900281432484382670047044697374818043512731533402576374645405477207239801498428774783768163880078495448747421425078521981578408638790336528372019271073712013371141939808017049399434858687299480461753638164719404612128939787055797762174745092074547412183349192156638711750872083313795551439465507724807626674514935170104573715458782366469587138508845980490673890245713729782917089910271980557159592807350504157192913530007199510144004848020221181558472160543018733124225266127379373751910439604459368078652499029070936707349862139053913745186413782066470461478961703013591655136140060879250067379283913798867648758171004535775565306842444545755351202796833177560656564652632975685912935281581268141803696686952259539945588609591385807620108279333498170028167338690235117003515264281843953984997958878272347778561933726792473981855755454522886321669676790813189668084373153897754540290867346751033567500922477317530445967753955221454744946208555394588111484610700789566547507402309549957740815535069057837915204852490930168843605732632328017129154852857227895362549146737618906180651623216848500491438142456250653458053922622240299736136335179639180898730269690699965799644757774472147210271111150769048976871249731156387939260749192370361488285775377622944817570292095201906142567403539151179209316853493906909989301225903409448461436855145

c11=18979511327426975645936984732782737165217332092805655747550406443960209507493506811471688957217003792679188427155591583024966608843371190136274378868083075515877811693937328204553788450031542610082653080302874606750443090466407543829279067099563572849101374714795279414177737277837595409805721290786607138569322435729584574023597293220443351227559400618351504654781318871214405850541820427562291662456382362148698864044961814456827646881685994720468255382299912036854657082505810206237294593538092338544641919051145900715456411365065867357857347860000894624247098719102875782712030938806816332901861114078070638796157513248160442185781635520426230183818695937457557248160135402734489627723104008584934936245208116232179751448263136309595931691285743580695792601141363221346329077184688857290503770641398917586422369221744736905117499140140651493031622040723274355292502182795605723573863581253354922291984335841915632076694172921289489383700174864888664946302588049384130628381766560976143458735712162489811693014419190718601945154153130272620025118408017441490090252674737105557818759190934585829634273698371996797545908125156282869589331913665938038870431655063063535672001112420959158339261862052308986374193671007982914711432579
c12=336587005671304527566745948355290412636261748969581976214239578621816863343117433524033533838636941679300497270909696775021031004312477997130741361709262822736904340641138652359632950455651920464042448022467664596484055174270895170499076347333381222768518599018520948098943626229061996126260154604038101543546588917619576702866444998578555907070990331574722135141778182631559802154493815687284077524469331290249057291163803290619701104007028836609832847351748020354798788508790258935718399783002069490123663345156902440501507117289747695510266461539019431610123351176227443612317037899257774045751487135646052309277098939919088029284437221840182769808850184827681307611389353392683707516141736067793897378911235819049432542758429901945202632117089595899280390575706266239252841152490534353760118231918190110043319877744119083811214707593122757409240645257409097436061825613686773916466122693168971062418046703969144004779270391320645495586024342668002497155358623795942692477164489475917351003149045087283510728981096449890130735055015075557614253867698702479920619299919816768972581273507837309179450374634916567083251630203067065663910073926990517108921490442919372774170201239734064819301693527366233007925670043499415100789027665
c2=18352572608055902550350386950073774530453857897248738030380007830701135570310622004368605208336922266513238134127496822199799761713782366178177809597137102612444147565578155260524747439899150012223027218489946124086276814899675563837669559795153349686434242738207425653079514376089070980797596457151965772460109519623572502109592612394316680202287712465721767341302234806130244551387296133051760893033194962691942040228545508895009195291106297581470066545991352668826197346830561010198417527057944507902143965634058848276017283478933675052993657822322866778994956205033704582047618324071045349072526540250707463112668579342537349567247810715604220690215313641329522674080146047291570752430231923566302463491877377617044768978997438596643458475128936850994934029476030136643053997549253792076260765459166618369864942681056864815996253315631930002738854235841120321870075261782250357506436825550088826469396508045912258303652912217151127280959435741419961721418428605515096160344688795655562889755165362006775317188009008288782691705879510655892181975003485714604340542378477388225736316682379616676770234557939471098919647053799313777248678455620231721202780830980063824003076308811540534492317719811588898727134190545533822501681653
c3=113097822337683973761068913398570777162211043704088253732500045618770280334319497174908657828372816818344430304314992760410247741225285170975119344962728883084314382093407445567724674775086423808679124143380073906159023182353116556175251427048715466914368972746661938211846262612414049036821553068430149530397389927209475908905748728402722287875974303298260579839357610962198145974153609818939841880084892796820949226354126424023144300953584658958900737493704530725894948802258740332090822797815745616247879170037794873059391625680745994045522420168248552864215035136318711240256011217929372430302003068882829637056296413462078222453765071094277727760527662423010417144554652783429899139309180017349156600053882338180319473460877576898373222480215735280046214925463242092830060830764299787309912687294672319845054775281463150375545716818434962456139485501224661520991156961587158843064393883274763714930309353593180897123378717852182761518709151878662808890356934477932099818218743384674756674800089177733447066489275506387382342429495897972218764782517198727316942685748481956118012927027254979181519862451112593068440686462293151078537886822555211870303467014484443432209106264020502334805536091587252238173816637270028678636848763

'''

2. 分析

走读task.py发现:

  1. 该脚本中的rsa算法是一个变种,$N=p^rq$(根据后文我们知道,这个变种叫做Prime Power RSA,在谷歌学术用该关键词搜索也可以找到对应论文)。
  2. 每个函数中, 对一些参数都给定了限定条件

有明确的限定条件,可以容易猜到是根据某篇论文改编的ctf题,搜索"RSA prq"可以找到论文 New attacks on RSA with Moduli N = $p^rq$

论文的摘要中介绍,作者提出了3种关于$N=p^rq$的RSA算法的攻击手法。

We present three attacks on the Prime Power RSA with modulus $N = p^r q$.

In the first attack, we consider a public exponent e satisfying an equation $ex − φ(N)y = z$ where $φ(N) = p^{r−1} (p − 1)(q − 1)$. We show that one can factor N if the parameters $|x|$ and $|z|$ satisfy $|xz| < N^{\frac{r(r−1)}{(r+1)^2}}$ thereby extending the recent results of Sakar [16].

In the second attack, we consider two public exponents $e_1$ and $e_2$ and their corresponding private exponents $d_1$ and $d_2$. We show that one can factor N when $d_1$ and $d_2$ share a suitable amount of their most significant bits, that is $|d1 − d2| < N^{\frac{r(r−1)}{(r+1)^2}}$.

The third attack enables us to factor two Prime Power RSA moduli $N_1 = p_1 ^rq_1$ and $N_2 = p_2^rq_2$ when $p_1$ and $p_2$ share a suitable amount of their most significant bits, namely, $|p_1 − p_2| < \frac{p_1}{2rq_1q_2}$.

可以发现,攻击一刚好对应ctf题目中的gen3(),攻击二对应gen2(),攻击三对应gen1()。因此,根据论文中的算法,我们可以分解本题中的各个N。

2.1 gen1()

涉及gen1()的相关代码如下,如果n11,n12可分解,则可求m1,m2。

def gen1():
	r = 2
	while True:
		p2 = getPrime(1792)
		p1 = getPrime(1792)

		q1 = getPrime(512)
		q2 = getPrime(512)

		if (abs(p1-p2) < (p1//(2*r*q1*q2))):
			n1, n2 = (p1**r)*q1, (p2**r)*q2
			break

	phi1 = (p1**(r-1))*(p1-1)*(q1-1)
	phi2 = (p2**(r-1))*(p2-1)*(q2-1)
	while True:
		e1 = randint(5, (p1-1)*(q1-1))
		e2 = randint(5, (p2-1)*(q2-1))
		if gcd(e1, e2) == 1 and gcd(phi1, e1) == 1 and gcd(phi2, e2) == 1:
			break
	return n11, n12, e11, e12
...
n11, n12, e11, e12 = gen1()
print(f"n11={n11}\nn12={n12}\ne11={e11}\ne12={e12}\n")
...
c11 = powmod(m1, e11, n11)
c12 = powmod(m2, e12, n12)
...

根据论文中的定理5, 我们可以在多项式时间内,分解N1, N2。

Theorem 5. Let $N_1 = p_1^rq_1$ and $N_2 = p_2^rq_2$ be two RSA moduli with $p_1$ > $p_2$. If $|p_1 − p_2| < \frac{p1}{2rq_1q_2}$, then, one can factor N in polynomial time.

作者希望将$|\frac{N_2}{N_1}-\frac{q_2}{q_1}|$带入连分数算法(论文定理2),从而求得$q_1$, $q_2$:

Theorem 2 (Legendre). Let ξ be a positive real number. Suppose gcd(a, b) = 1 and $ξ − \frac{a}{b} < \frac{1}{2b^2}$. Then $\frac{a}{b}$ is one of the convergents of the continued fraction expansion of ξ.

作者已经证明(本文略), $|\frac{N_2}{N_1}-\frac{q_2}{q_1}|$满足定理2条件。因此,我们只要对$\frac{N_2}{N_1}$使用连分数展开,一直展开,直到可被N整除即可能得到$q_1$, $q_2$。

from sage.all import continued_fraction

def solve1():
    convergents = continued_fraction(n12 / n11).convergents()
    for c in convergents[2:]:
        q2 = c.numerator()
        q1 = c.denominator()
        if n11 % q1 == 0:
#             print(f"q1={q1}, q2={q2}")
            break

    assert q1.nbits()==512 and n11% q1 == 0
    assert q2.nbits()==512 and n12 %q2 == 0

    p1 = (n11 // q1).sqrt()
    assert p1^2 * q1 == n11
    phi1 = p1*(p1-1)*(q1-1)
    d1 = inverse_mod(e11, phi1)
    assert (e11*d1)%phi1==1
    m1 = pow(c11, d1, n11);

    p2 = (n12 // q2).sqrt()
    assert p2^2 * q2 == n12
    phi2 = p2*(p2-1)*(q2-1)
    d2 = inverse_mod(e12, phi2)
    assert (e12*d2)%phi2==1
    m2 = pow(c12, d2, n12)
    return m1, m2

m1, m2 = solve1()

2.2 gen2()

已知m1,m2,如果再知道phi,则可知d1,d2。

def gen2():
	r = 7
	while True:
		p = getPrime(512)
		q =	getPrime(512)
		N = (p**r)*q
		if len(bin(N)) == 4096:
			break

	idx = (r*(r-1)) / ((r+1)*(r+1))
	delta = int(pow(mpz(N), idx))
	phi = (p**(r-1))*(p-1)*(q-1)

	while True:
		d1 = getPrime(int(2048*idx)//2)
		d2 = getPrime(int(2048*idx)//2)
		if abs(d1-d2) < delta:
			m1 = invert(d1, phi)
			m2 = invert(d2, phi)
			break

	e2 = 0x10001
	return n2, e2, m1, m2
...
n2, e2, m1, m2 = gen2()
...
c2 = powmod(b, e2, n2)
...

根据论文定理4, 我们可在多项式时间内分解N:

Theorem 4. Let $N = p^rq$ be an RSA modulus and $d_1$ and $d_2$ be two private exponents. Then, one can factor N in polynomial time, if $|d_1 − d_2| < N^\frac{r(r−1)}{(r+1)^2}$.

作者将$d_1-d_2$作为未知数,设为x,列出方程f(x):

$$ \begin{align} & e_1d_1 \equiv 1 (mod \phi(N)) \newline & e_2d_2 \equiv 1 (mod \phi(N)) \newline & \Rightarrow \newline & e_1e_2d_1-e_1e_2d_2 \equiv e_2-e_1 (mod \phi(N)) \newline & \Rightarrow e_1e_2(d_1-d_2) \equiv e_2-e_1 (mod \phi(N)) \newline & \Rightarrow e_1e_2x-(e_2-e_1) \equiv 0 (mod \phi(N)) \newline & \Rightarrow e_1e_2x-(e_2-e_1) \equiv 0 (mod p^{r-1}) \end{align} $$

根据论文定理1, 上述方程式可以在多项式时间求解:

Theorem 1 (Lu, Zhang and Lin). Let N be a composite integer with a divisor $p^u$ such that $p ≥ N^β$ for some 0 < β ≤ 1. Let f(x, y) ∈ Z[x, y] be a homogenous linear polynomial. Then one can find all the solutions (x, y) of the equation f(x, y) = 0 mod $p^v$ with gcd(x, y) = 1, $|x| < N^{γ_1}$ , $|y| < N^{γ_2}$, in polynomial time if $γ_1 + γ_2 < uvβ^2$.

假设$|d_1 − d_2| < N^{γ_1} < N^\frac{r(r−1)}{(r+1)^2}$, 令$\beta=r+1$, $u=r$, $v=r-1$,可满足定理1的前提条件。

因此可构造格,应用LLL算法求解x。则可求得$e_1e_2x-(e_2-e_1)$的确切值, 则有:

$gcd(e_1e_2x-(e_2-e_1), N)=gcd(p^{r-1}(p-1)(q-1)y, p^rq)$

$=p^{r-1} 或 p^r (当y=p)或 p^{r-1}q (当y=q)$。

则p,q易求。

sagemath可解该方程,不必再手动构造格:

def solve2(m1, m2):
    m1 = int(m1)
    m2 = int(m2)
    PR.<x> = PolynomialRing(Zmod(n2))
    f = m1*m2*x-(m2-m1)
    r = 7
    beta = 1/(r+1)
    idx = (r*(r-1)) / ((r+1)*(r+1))
    kbits = int(2048*idx)//2

    from sage.misc.verbose import set_verbose
    set_verbose(2)
    print("---------------LLL debug---------------")
    x = f.monic().small_roots(X=2**kbits, beta=beta)[0]
    set_verbose(0)
    print("-------------------------------------------")
    equ = m1*m2*x-(m2-m1)
    g = gcd(equ, n2)
    p = int(g)^(1/(r-1))
    assert n2%p == 0
    q = n2//p^r
    assert n2%q == 0
    phi = p^(r-1)*(p-1)*(q-1)
    d = inverse_mod(e2, phi)
    m = pow(c2, d, n2)
    return m
    
b = solve2(m1,m2)

2.3 gen3()

如果可分解n3, 则可求m3, 即flag。

def gen3():
	r = 7
	while True:
		p = getPrime(512)
		q =	getPrime(512)
		N = (p**r)*q
		phi = (p**(r-1))*(p-1)*(q-1)

		if len(bin(N))-2 == 4096:
			break

	idx = (r*(r-1)) / ((r+1)*(r+1))
	delta = int(pow(mpz(N), idx))

	while True:
		b = getRandomNBitInteger(int(2048*idx)//2)
		a = getRandomNBitInteger(int(2048*idx)//2)
		if a*b < delta:
			e = invert(a, phi)*b
			return n3, e3, b
...
n3, e3, b = gen3()
...
m3 = bytes_to_long(flag)
...
c3 = powmod(m3, e3, n3)
...

根据论文定理3, 我们可在多项式时间内分解N。

Theorem 3. Let $N = p^rq$ be a Prime Power RSA modulus and e a public exponent satisfying the equation $ex − φ(N)y = z$ with $1 < e < φ(N)$ and $gcd(e, φ(N)) = 1$. Then one can factor N in polynomial time if $|xz| < N^\frac{r(r−1)}{(r+1)^2}$.

我们有方程:

$$ \begin{align} & ex − z \equiv 0 (\mod(\phi(N))) \newline & \Rightarrow ex − z \equiv 0 (\mod(p^{r-1})) \end{align} $$

同gen2(),为应用定理1, 令$u=r, v=r-1, \beta=\frac{1}{r+1}$, 存在$|x|<N^{γ_1}, |z|<N^{γ_2}$,使$γ_1 + γ_2 < uvβ^2$, 满足定理1的前提条件。

from Crypto.Util.number import long_to_bytes

def solve3(b):
    b = int(b)
    print(b)
    PR.<x> = PolynomialRing(Zmod(n3))
    f = e3*x-b
    r = 7
    beta = 1/(r+1)
    idx = (r*(r-1)) / ((r+1)*(r+1))
    kbits = int(2048*idx)//2
    from sage.misc.verbose import set_verbose
    print("---------------LLL debug---------------")
    set_verbose(2)
    a = f.monic().small_roots(X=2**kbits, beta=beta)[0]
    set_verbose(0)
    print("-------------------------------------------")
    equ = e3*a-b
    g = gcd(equ, n3)
    p = int(g)^(1/(r-1))
    assert n3%p == 0
    q = n3//p^r
    assert n3%q == 0
    phi = p^(r-1)*(p-1)*(q-1)
    d = inverse_mod(e3, phi)
    m = pow(c3, d, n3)  
    print(m)
    return m

m = solve3(b)
flag = long_to_bytes(int(m))
print(flag)

3. exp

完整exp如下:

n11=801049932940568005269978912396585741498810389425615966036828877784238116634177290247194019425111606811005728521368879065336038221361037062407029836155148874719789714345603547779284558101833801155509762818376470874215789574939002212274399950433269775325144015468620263028557804618774240232988157961712628677901130814703917513004114547234375629747176834581166306552311075522669403347828095831520693563291249869832390698646691647204371133362254846234990175138047928703289833460734235302093916147489509206061923877623300596194317059884824322527532662470348274079800781120104946546063500763852622187404608639542858285661288293918912184354236687975919510300221932074135531028314170475917110204254042336116619335841213418990605590620842511615815443114612333881430920769002933370887494558640833005339906706603497809846863863967391543647049224309556936909768179259581851520214669904560467640473144481633920438487615788689262961741053146610554997224861331949716721056553499531186695425439163222802917813140266513735841447717418846360096652592844940362932171019143434080184728093326143821165097895058935372215708948088248596585127475770021962501262915274497478428868130455122612016408381607561200802267038869516896665387576895570245272035575637
n12=635401970340205725139325006504978344512744926958688031423448003992072769931808217486709574151492230879374574313457662436423263437792389711379687512056391117410807565492548718691166183372633151644917135272259770997096195518489056319350258673723095417922153182423913759272893696867426193704479752772511081457729513843682588951499551132432923147997238597538055902932123792252593514225328196541483451747314048080824405530742533473914329294346486691684904100406972073037050089861816604505650042953778360621934380815999541183067585498606053857125775979915077329566722531830089714823979965934190338538564188253271016367299890015449611141166780048763403252309160517164569110740561584100839212138661881615351382946813818078899882595313362934594951895560189003438775450675343590147821186953526262224973333962454561275321925151619178204499342339749637758100126893330994252902926509705617882239610380420830791088907378397226817514095468815228186716220057075095711894070032344613244803934541318573847029365563159918970404057137270884587905766828750387753130065274147902379993224780149663600462492281891320702134153853359393588902750423972068679293373333869389393970353760507436913233657422185531482023237384247535554666481760197851108297145147371
e11=1898839980562048754607069073527844852132536432440793106124181406514770178066775988232362054809850074774981836898118651469424148725970708199461113088705044905633592578936333918328544505910996746428679299419879472444790941363558025887620570856598548320246426354974395765243741646121743413447132297230365355148066914830856904433750379114692122900723772114991199979638987571559860550883470977246459523068862898859694461427148626628283198896659337135438506574799585378178678790308410266713256003479022699264568844505977513537013529212961573269494683740987283682608189406719573301573662696753903050991812884192192569737274321828986847640839813424701894578472933385727757445011291134961124822612239865
e12=1262647419018930022617189608995712260095623047273893811529510754596636390255564988827821761126917976430978175522450277907063247981106405519094560616378241247111698915199999363948015703788616554657275147338766805289909261129165025156078136718573006479030827585347458143645738353716189131209398056741864848486818076440355778886993462012533397208330925057305502653219173629466948635110352752162442552541812665607516753186595817376029707777599029040724727499952161261179707271814405907165207904499722122779096230563548011491932378429654764486855147873135769116637484240454596231092684424572258119768093562747249251518965380465994055049411715353547147466711949391814550591591830515262296556050946881

n2=209798341155088334158217087474227805455138848036904381404809759100627849272231840321985747935471287990313456209656625928356468120896887536235496490078123448217785939608443507649096688546074968476040552137270080120417769906047001451239544719039212180059396791491281787790213953488743488306241516010351179070869410418232801398578982244984544906579574766534671056023774009163991804748763929626213884208260660722705479782932001102089367261720194650874553305179520889083170973755913964440175393646890791491057655226024046525748177999422035469428780228224800114202385209306803288475439775037067014297973202621118959024226798935588827359265962780792266516120013602384766460619793738405476219362508944225007365127768741191310079985425349292613888185378948854602285379329682053663283534930182589905986063348509703027498270111412063194971956202729807710253369312175636837558252924035002153389909587349043986253518050303628071319876207392440085675892353421232158925122721273720564784886530611286461575045181073744696415657043278123662980166364494583141297996445429477446442693717498789391918530672770193730629928408766563592081857706608049076318165712479742423149330311238462044666384622153280310696667586565906758451118241914402257039981388209
e2=65537

n3=539779851369541956878655738599584730199799866957191805784596190682932284216781781433367450841202917758999300635019369629627621029957135109806205877317954671312041249493462048283611940752235036153024920172209763260723728345918562258401803973624430150143563078517485996070862532682695228590709019451174548520135142052216785774589096706631010293690859363524584240662502290912412366366114571976050857239915691266377257797199583543940504695517331512813468837128344612227973709974625418257243011036826241599265375741977853552204640800449679679351666009764297016524814036295707311913711955324055690490892097177271718850857268982130811714517356073266905474635370690445031512184247179039751734276906533177939993769044135143389748416635981226449566039039202521305851567296884751935162651063209779647359922622084851547605090230221057349511482738300221222563908357379545905837110168948295030747460300104202323692732549831403834387939156877086852393515817984772384147449841124275061609701453997579569931391166586163299940486204581696722731952467570857217406030804590055255431828403195798003509083922294733709507134156466158642941338493323430671502043066148246348074878064089651235355282144209668143249348243220714471988019011613749340243917652821
e3=8179300978753084587812861894047395225516049110376948812109811319430275614612773726672345893359691900281432484382670047044697374818043512731533402576374645405477207239801498428774783768163880078495448747421425078521981578408638790336528372019271073712013371141939808017049399434858687299480461753638164719404612128939787055797762174745092074547412183349192156638711750872083313795551439465507724807626674514935170104573715458782366469587138508845980490673890245713729782917089910271980557159592807350504157192913530007199510144004848020221181558472160543018733124225266127379373751910439604459368078652499029070936707349862139053913745186413782066470461478961703013591655136140060879250067379283913798867648758171004535775565306842444545755351202796833177560656564652632975685912935281581268141803696686952259539945588609591385807620108279333498170028167338690235117003515264281843953984997958878272347778561933726792473981855755454522886321669676790813189668084373153897754540290867346751033567500922477317530445967753955221454744946208555394588111484610700789566547507402309549957740815535069057837915204852490930168843605732632328017129154852857227895362549146737618906180651623216848500491438142456250653458053922622240299736136335179639180898730269690699965799644757774472147210271111150769048976871249731156387939260749192370361488285775377622944817570292095201906142567403539151179209316853493906909989301225903409448461436855145

c11=18979511327426975645936984732782737165217332092805655747550406443960209507493506811471688957217003792679188427155591583024966608843371190136274378868083075515877811693937328204553788450031542610082653080302874606750443090466407543829279067099563572849101374714795279414177737277837595409805721290786607138569322435729584574023597293220443351227559400618351504654781318871214405850541820427562291662456382362148698864044961814456827646881685994720468255382299912036854657082505810206237294593538092338544641919051145900715456411365065867357857347860000894624247098719102875782712030938806816332901861114078070638796157513248160442185781635520426230183818695937457557248160135402734489627723104008584934936245208116232179751448263136309595931691285743580695792601141363221346329077184688857290503770641398917586422369221744736905117499140140651493031622040723274355292502182795605723573863581253354922291984335841915632076694172921289489383700174864888664946302588049384130628381766560976143458735712162489811693014419190718601945154153130272620025118408017441490090252674737105557818759190934585829634273698371996797545908125156282869589331913665938038870431655063063535672001112420959158339261862052308986374193671007982914711432579
c12=336587005671304527566745948355290412636261748969581976214239578621816863343117433524033533838636941679300497270909696775021031004312477997130741361709262822736904340641138652359632950455651920464042448022467664596484055174270895170499076347333381222768518599018520948098943626229061996126260154604038101543546588917619576702866444998578555907070990331574722135141778182631559802154493815687284077524469331290249057291163803290619701104007028836609832847351748020354798788508790258935718399783002069490123663345156902440501507117289747695510266461539019431610123351176227443612317037899257774045751487135646052309277098939919088029284437221840182769808850184827681307611389353392683707516141736067793897378911235819049432542758429901945202632117089595899280390575706266239252841152490534353760118231918190110043319877744119083811214707593122757409240645257409097436061825613686773916466122693168971062418046703969144004779270391320645495586024342668002497155358623795942692477164489475917351003149045087283510728981096449890130735055015075557614253867698702479920619299919816768972581273507837309179450374634916567083251630203067065663910073926990517108921490442919372774170201239734064819301693527366233007925670043499415100789027665
c2=18352572608055902550350386950073774530453857897248738030380007830701135570310622004368605208336922266513238134127496822199799761713782366178177809597137102612444147565578155260524747439899150012223027218489946124086276814899675563837669559795153349686434242738207425653079514376089070980797596457151965772460109519623572502109592612394316680202287712465721767341302234806130244551387296133051760893033194962691942040228545508895009195291106297581470066545991352668826197346830561010198417527057944507902143965634058848276017283478933675052993657822322866778994956205033704582047618324071045349072526540250707463112668579342537349567247810715604220690215313641329522674080146047291570752430231923566302463491877377617044768978997438596643458475128936850994934029476030136643053997549253792076260765459166618369864942681056864815996253315631930002738854235841120321870075261782250357506436825550088826469396508045912258303652912217151127280959435741419961721418428605515096160344688795655562889755165362006775317188009008288782691705879510655892181975003485714604340542378477388225736316682379616676770234557939471098919647053799313777248678455620231721202780830980063824003076308811540534492317719811588898727134190545533822501681653
c3=113097822337683973761068913398570777162211043704088253732500045618770280334319497174908657828372816818344430304314992760410247741225285170975119344962728883084314382093407445567724674775086423808679124143380073906159023182353116556175251427048715466914368972746661938211846262612414049036821553068430149530397389927209475908905748728402722287875974303298260579839357610962198145974153609818939841880084892796820949226354126424023144300953584658958900737493704530725894948802258740332090822797815745616247879170037794873059391625680745994045522420168248552864215035136318711240256011217929372430302003068882829637056296413462078222453765071094277727760527662423010417144554652783429899139309180017349156600053882338180319473460877576898373222480215735280046214925463242092830060830764299787309912687294672319845054775281463150375545716818434962456139485501224661520991156961587158843064393883274763714930309353593180897123378717852182761518709151878662808890356934477932099818218743384674756674800089177733447066489275506387382342429495897972218764782517198727316942685748481956118012927027254979181519862451112593068440686462293151078537886822555211870303467014484443432209106264020502334805536091587252238173816637270028678636848763

from sage.all import continued_fraction
from Crypto.Util.number import long_to_bytes

def solve1():
    convergents = continued_fraction(n12 / n11).convergents()
    for c in convergents[2:]:
        q2 = c.numerator()
        q1 = c.denominator()
        if n11 % q1 == 0:
#             print(f"q1={q1}, q2={q2}")
            break

    assert q1.nbits()==512 and n11% q1 == 0
    assert q2.nbits()==512 and n12 %q2 == 0

    p1 = (n11 // q1).sqrt()
    assert p1^2 * q1 == n11
    phi1 = p1*(p1-1)*(q1-1)
    d1 = inverse_mod(e11, phi1)
    assert (e11*d1)%phi1==1
    m1 = pow(c11, d1, n11);

    p2 = (n12 // q2).sqrt()
    assert p2^2 * q2 == n12
    phi2 = p2*(p2-1)*(q2-1)
    d2 = inverse_mod(e12, phi2)
    assert (e12*d2)%phi2==1
    m2 = pow(c12, d2, n12)
    return m1, m2

def solve2(m1, m2):
    m1 = int(m1)
    m2 = int(m2)
    PR.<x> = PolynomialRing(Zmod(n2))
    f = m1*m2*x-(m2-m1)
    r = 7
    beta = 1/(r+1)
    idx = (r*(r-1)) / ((r+1)*(r+1))
    kbits = int(2048*idx)//2

    from sage.misc.verbose import set_verbose
    set_verbose(2)
    print("---------------LLL debug---------------")
    x = f.monic().small_roots(X=2**kbits, beta=beta)[0]
    set_verbose(0)
    print("-------------------------------------------")
    equ = m1*m2*x-(m2-m1)
    g = gcd(equ, n2)
    p = int(g)^(1/(r-1))
    assert n2%p == 0
    q = n2//p^r
    assert n2%q == 0
    phi = p^(r-1)*(p-1)*(q-1)
    d = inverse_mod(e2, phi)
    m = pow(c2, d, n2)
    return m

def solve3(b):
    b = int(b)
    PR.<x> = PolynomialRing(Zmod(n3))
    f = e3*x-b
    r = 7
    beta = 1/(r+1)
    idx = (r*(r-1)) / ((r+1)*(r+1))
    kbits = int(2048*idx)//2
    from sage.misc.verbose import set_verbose
    print("---------------LLL debug---------------")
    set_verbose(2)
    a = f.monic().small_roots(X=2**kbits, beta=beta)[0]
    set_verbose(0)
    print("-------------------------------------------")
    equ = e3*a-b
    g = gcd(equ, n3)
    p = int(g)^(1/(r-1))
    assert n3%p == 0
    q = n3//p^r
    assert n3%q == 0
    phi = p^(r-1)*(p-1)*(q-1)
    d = inverse_mod(e3, phi)
    m = pow(c3, d, n3)  
    return m

m1, m2 = solve1()
b = solve2(m1,m2)
m = solve3(b)
flag = long_to_bytes(int(m))
print(flag)

运行结果:

---------------LLL debug---------------
verbose 2 (47: 3672364177.py, solve2) epsilon = 0.015625
verbose 2 (47: 3672364177.py, solve2) m = 1
verbose 2 (47: 3672364177.py, solve2) t = 7
verbose 2 (47: 3672364177.py, solve2) X = 19595533242629369747791401605606558418088927130487463844933662202465281465266200982457647235235528838735010358900495684567911298014908298340170885513171109743249504533143507682501017145381579984990109696
verbose 1 (47: 3672364177.py, solve2) LLL of 8x8 matrix (algorithm fpLLL:wrapper)
verbose 1 (47: 3672364177.py, solve2) LLL finished (time = 0.03204700000000016)
-------------------------------------------
---------------LLL debug---------------
verbose 2 (74: 3672364177.py, solve3) epsilon = 0.015625
verbose 2 (74: 3672364177.py, solve3) m = 1
verbose 2 (74: 3672364177.py, solve3) t = 7
verbose 2 (74: 3672364177.py, solve3) X = 19595533242629369747791401605606558418088927130487463844933662202465281465266200982457647235235528838735010358900495684567911298014908298340170885513171109743249504533143507682501017145381579984990109696
verbose 1 (74: 3672364177.py, solve3) LLL of 8x8 matrix (algorithm fpLLL:wrapper)
verbose 1 (74: 3672364177.py, solve3) LLL finished (time = 0.017914999999999903)
-------------------------------------------
b'qwb{8633ce6d-fece-4cf1-8f0f-f27e5bf6d678}'