原理

低加密指数攻击:

假设e=3, 公钥中的加密指数e很小,但是模数n很大

有RSA加密公式:$ c \equiv m^{e} \pmod{n} $ (c密文,m明文)

则:

当$m^{e}<n $时,$c = m^{e} $,所以对c开方就能得到m

当$m^{e}>n $ 时,此时用爆破的方法:

假设我们$m^{e} / n $的商为 k 余数为c,则$m^{e} = kn + c$,对k进行爆破,只要k满足 kn + c能够开e次方就可以得明文

脚本

$m^{e}<n $时:

from gmpy2 import *
from Crypto.Util.number import *


n=0x52d483c27cd806550fbe0e37a61af2e7cf5e0efb723dfc81174c918a27627779b21fa3c851e9e94188eaee3d5cd6f752406a43fbecb53e80836ff1e185d3ccd7782ea846c2e91a7b0808986666e0bdadbfb7bdd65670a589a4d2478e9adcafe97c6ee23614bcb2ecc23580f4d2e3cc1ecfec25c50da4bc754dde6c8bfd8d1fc16956c74d8e9196046a01dc9f3024e11461c294f29d7421140732fedacac97b8fe50999117d27943c953f18c4ff4f8c258d839764078d4b6ef6e8591e0ff5563b31a39e6374d0d41c8c46921c25e5904a817ef8e39e5c9b71225a83269693e0b7e3218fc5e5a1e8412ba16e588b3d6ac536dce39fcdfce81eec79979ea6872793
e=0x3
c=0x10652cdfaa6b63f6d7bd1109da08181e500e5643f5b240a9024bfa84d5f2cac9310562978347bb232d63e7289283871efab83d84ff5a7b64a94a79d34cfbd4ef121723ba1f663e514f83f6f01492b4e13e1bb4296d96ea5a353d3bf2edd2f449c03c4a3e995237985a596908adc741f32365

n=int(n)
e=int(e)
c=int(c)

m=iroot(c,e)
if m[1]:
m=m[0]
print(long_to_bytes(m))

$m^{e}>n $时:

from gmpy2 import *
from Crypto.Util.number import *

n=
e=
c=

i = 0
while True:
flag = i*n+c
if iroot(flag, e)[1]:
m = iroot(flag, e)[0]
print(long_to_bytes(m))
break
i += 1