CTF-RSA-低指数广播攻击-给出几组N和c，求m

RSA-低指数广播攻击-给出几组N和c，求m

低指数广播攻击， 即用相同的公钥加密相同的消息，但每一组的n不同，e是一个很小的数，例如3或者10这个题目给出的是5进制数字，需要先处理一下
题目打开是RSA.txt，三组N与C，且都为8进制。

import gmpy2
import gmpy
import libnum
from Crypto.Util.number import long_to_bytes

n1 = 133735302625532414062163612717022712044055576762455037507605731653332354223002352676607633317042510252015433446751773241131517047667116572474235416040225127055444005776170553757215614153355577242264075666312600420051574060041204501611267744372143162013436162477632720337776423166041352273343344016505035636002422555611555667701572037222426225
c1 = 120251266416602463615761054034215122447154354703647446001640214754610520144741704544422465370237336275234136332245175310015175050306734272006503331344513106322254132215332563513100724251576253255127570756066052667565505567746317305655757340006336110670344621433664666523542154147250344035273643510713347647411164350714673416755131346071223345

n2 = 115632737421533021722537301460370413673612277303512316454551557744207067570404351247145707463643310611751067266502365773440467420352600364640011776774264167675553154454625216105527473145726004303371207271337671406273120414110143210274473613621171564041526417547427543301007246574207501513720573710020121717356423447404562731005502035015207117
c2 = 40402352220647352767163676715126257415777254577110016277763447116300617514640010212232326414016431434003045623223073511700022023034134405654542153725161145240474302326337614241617277006134104240125316667642050564133366166435612030462431754232214251737333673565636400737530145002577173035167575113163200526057400454467455546530615642446134465

n3 = 134543565706157513132257627745151275350705151416735700552170717402535555157435740502556067670227735677116307124513244302241673257171771152257150240432212160272432021710721126006365045202073330113376122063421613077350547753633342635636546734146766757137035355402155411511455272654610160141526675522275457343217544654627326033375747754152473413
c3 = 5054755105731571037506524330463104373031130453672040760326575377235534315327111214337550611357465065354513626440516372271170646600111734220124344045372274502165205634534117244010273013102756227700511075455347574261554023344302451620643626157517420361611561175523726126016733417734026700052562050231371467425173622537642473067234071270311772


def boradcast_fuzz(question, e):
    N = 1
    for i in range(len(question)):
        N *= question[i]['n']
    N_list = []
    for i in range(len(question)):
        N_list.append(N / question[i]['n'])
    t_list = []
    for i in range(len(question)):
        t_list.append(int(gmpy2.invert(N_list[i], question[i]['n'])))
    sum = 0
    for i in range(len(question)):
        sum = (sum + question[i]['c'] * t_list[i] * N_list[i]) % N
    sum = gmpy.root(sum, e)[0]
    # return libnum.n2s(sum)
    return long_to_bytes(sum)


n1 = int(str(n1), 8)
n2 = int(str(n2), 8)
n3 = int(str(n3), 8)
c1 = int(str(c1), 8)
c2 = int(str(c2), 8)
c3 = int(str(c3), 8)

question = [
    {'n': n1, 'c': c1},
    {'n': n2, 'c': c2},
    {'n': n3, 'c': c3},
]

for i in range(2, 20):
    res = boradcast_fuzz(question, i)
    if 'noxCTF' in res:
        print res
        print 'e=%d' % (i)
        break

运行，即可得flag及e。