In [527]:
e=3
In [528]:
p
q
modulus1=p1*q1
In [529]:
p
q
modulus2=p2*q2
In [530]:
p
q
modulus3=p3*q3
In [531]:
m=123456789**250 # set 250 for 4096 bit modulus, 30 for 512 bit modulus
In [532]:
assert m<modulus1 and m>p1 and m>q1
In [533]:
# ZZ is used to coerce <sage.rings.finite_rings.integer_mod.IntegerMod_int> type to <sage.rings.integer.Integer> type
In [534]:
c1=ZZ(pow(m,e,modulus1))
In [535]:
c2=ZZ(pow(m,e,modulus2))
In [536]:
c3=ZZ(pow(m,e,modulus3))
In [537]:
math.gcd(c1,c2,c3)
Out[537]:
1
In [538]:
# tmp=m^e
tmp=crt([c1,c2,c3],[modulus1,modulus2,modulus3])
In [539]:
recovered=tmp**(1/e) # same as tmp^{1/3}, it's cubic sqrt. SageMath can't do 1/5 here. so e=3 only, alas.
In [540]:
m==recovered
Out[540]:
True
In [ ]:
# Now try DIY homebrew algorithm instead of CRT
In [541]:
# The algo from https://crypto.stackexchange.com/questions/6713/low-public-exponent-attack-for-rsa
# See also the older version of the page: https://en.wikipedia.org/w/index.php?title=Chinese_remainder_theorem&oldid=548432813
def solve_eq(cb,cc,cd,nb,nc,nd):
    tb=cb*(nc*nd)*ZZ(pow(nc*nd,-1,nb))
    tc=cc*(nb*nd)*ZZ(pow(nb*nd,-1,nc))
    td=cd*(nb*nc)*ZZ(pow(nb*nc,-1,nd))
    return divmod(tb+tc+td, nb*nc*nd)[1]
In [542]:
assert solve_eq(330,34,419,377,391,589)==1061208
In [543]:
tmp=solve_eq(c1,c2,c3,modulus1,modulus2,modulus3)
In [544]:
recovered=tmp**(1/e)
In [545]:
m==recovered
Out[545]:
True
In [ ]: