In [1]:
def modular_sqrt(a, p):
    """ Find a quadratic residue (mod p) of 'a'. p
        must be an odd prime.

        Solve the congruence of the form:
            x^2 = a (mod p)
        And returns x. Note that p - x is also a root.

        0 is returned is no square root exists for
        these a and p.

        The Tonelli-Shanks algorithm is used (except
        for some simple cases in which the solution
        is known from an identity). This algorithm
        runs in polynomial time (unless the
        generalized Riemann hypothesis is false).
    """
    # Simple cases
    #
    if legendre_symbol(a, p) != 1:
        return 0
    elif a == 0:
        return 0
    elif p == 2:
        return 0
    elif p % 4 == 3:
        return pow(a, (p + 1) / 4, p)

    # Partition p-1 to s * 2^e for an odd s (i.e.
    # reduce all the powers of 2 from p-1)
    #
    s = p - 1
    e = 0
    while s % 2 == 0:
        s /= 2
        e += 1

    # Find some 'n' with a legendre symbol n|p = -1.
    # Shouldn't take long.
    #
    n = 2
    while legendre_symbol(n, p) != -1:
        n += 1

    # Here be dragons!
    # Read the paper "Square roots from 1; 24, 51,
    # 10 to Dan Shanks" by Ezra Brown for more
    # information
    #

    # x is a guess of the square root that gets better
    # with each iteration.
    # b is the "fudge factor" - by how much we're off
    # with the guess. The invariant x^2 = ab (mod p)
    # is maintained throughout the loop.
    # g is used for successive powers of n to update
    # both a and b
    # r is the exponent - decreases with each update
    #
    x = pow(a, (s + 1) / 2, p)
    b = pow(a, s, p)
    g = pow(n, s, p)
    r = e

    while True:
        t = b
        m = 0
        for m in xrange(r):
            if t == 1:
                break
            t = pow(t, 2, p)

        if m == 0:
            return x

        gs = pow(g, 2 ** (r - m - 1), p)
        g = (gs * gs) % p
        x = (x * gs) % p
        b = (b * g) % p
        r = m


def legendre_symbol(a, p):
    """ Compute the Legendre symbol a|p using
        Euler's criterion. p is a prime, a is
        relatively prime to p (if p divides
        a, then a|p = 0)

        Returns 1 if a has a square root modulo
        p, -1 otherwise.
    """
    ls = pow(a, (p - 1) / 2, p)
    return -1 if ls == p - 1 else ls

In [2]:
from Crypto.Util.number import long_to_bytes

In [17]:
import gmpy2

In [22]:
gmpy2.gcd(e2, (p2-1)*(q2-1))

mpz(16)

In [3]:
# Son 2
p2 = 7237005577332262213973186563042994240829374041602535252466099000494570602917
q2 = 88653318322320212121171535397276679450159832009631056842709712756058489880609
e2 = 16
c2 = 128067909105216284348808993695734979917384615977985008857494038384160720721127262500602107681721675827823420594821881043967947295783995842628815275429540
N2 = p2*q2

# Get all 16*16 = 256 possible roots
entry = [c2]
roots1 = [entry[0]]
roots2 = []
for i in range(4):
    for e in roots1:
        r1 = modular_sqrt(e,p2)
        r2 = p2 - r1
        r3 = modular_sqrt(e,q2)
        r4 = q2 - r3
        [roots2.append(r) for r in [r1,r2,r3,r4]]
    #print(str(2**(i+1))+'-th root', len(roots2))
    roots1 = roots2[::1]
    roots2 = []
    
print()
# Let's check em out
# for r in roots1:
#     b = long_to_bytes(r).hex()
#     if '28322c' in b:
#         print(b)
for r in roots1:
    print(long_to_bytes(r))

TypeError: pow() 3rd argument not allowed unless all arguments are integers

In [4]:
import numbertheory

In [25]:
phi = (p2-1)*(q2-1)
d2 = gmpy2.invert(e2//16, phi)

m16 = pow(c2,d2,N2)

In [26]:
roots1 = [m16]
roots2 = []

for k in range(4):
    
    for r in roots1:
        
        try:
            r1 = numbertheory.square_root_mod_prime(r, p2)
            r2 = p2 - r1
        except:
            r1 = 0
            r2 = 0
        
        try:
            r3 = numbertheory.square_root_mod_prime(r, q2)
            r4 = q2 - r3
        except:
            r3 = 0
            r4 = 0
        
        [roots2.append(i) for i in [r1,r2,r3,r4]]
        
    roots1 = roots2[::1]
    roots2 = []



In [13]:
import numpy as np
from Crypto.Util.number import long_to_bytes

In [29]:
for root in np.unique(roots1):
    if root != 0:
        print(long_to_bytes(root))

b'\xb9?\xcfi6\xb7\x07}\x81>N\xd9f+\xe6\x12\xd4\xbfD]On\xfa\x8e\xecFt\x1f\x14^\xc5'
b'\x02\xd1\xc3t\x95U\xf7\xc8g\x1d\xaa\xe1,!\xcd\xb9\x11-\x02\x85\xc1\x14\x9b\xe0\xdc\x89\x06d>Z>_'
b'\x02\xfd\x81\x9dq\xf2\xcf\xf3\x95V\xb5U!"\xe2#\x883\xbd0\xe7{\x1c\x83\xe2\xa0\xe9y\xd3\xb0\x9d\x02'
b'\x03\xd8\xf7\xc0\xf5p\x08\x1cg\xa3_\xf3Ah0\r0;s\xf4\xa6]\x93=OlY\x8e\xf5\xe1\xc3S'
b'\x03\xdcu\xbb!\x89\xcb\x05X\x7f<\x83\x91\xb5OL\xc5eWa\xc0\x85\x10\xa2\xcd;\x16\n/9rT'
b'\x04961238641\x11\x8a\x08"o&E\x9d\xcb}7\x16\x9fS\x11\xd6Gl`\x1c\x19\xaa'
b'\x04\xb8\xe1\xddv~v\xbfH(~\xf9\xc0\xe9\xdc\x15\r\xceU%sK\xe8F.\x91!zH=R~'
b"\x04\xf4M\xdeO\xde\xa0/\xe9n\x0c\xb0\x08\x8a\x98\x99\xde\xe9U>\xad\x92\x0b\xff?\xf0'.V\xd6\xe5\xe9"
b'\x05i\xa2\xbe\xa1\xf6\xd7\x00\xe7\x00j\x8a\x01zfjp\xa4\x92g\x1b\xa4\x86z\x8c_\xfb9|\x94\x7ff'
b'\x05\xb4\xd3\xbd\xbd\xdd-\x9a\x8e-\xf0;z\xcf\xde\xe5\x13\xeeR!0i\xc8\x18\x10\x88\xa1j\x0b\xd1T\x8a'
b'\x05\xe4\x9d@! Dad\xde\xbapy\x90K\x9a\x15%\x84\x7fQ\x85\x14\xc9\xc6vE\xd1\xe4j\xc0\xa1'
b'

In [30]:
def legendre_symbol(a, p):
    """
    Legendre symbol
    Define if a is a quadratic residue modulo odd prime
    http://en.wikipedia.org/wiki/Legendre_symbol
    """
    ls = pow(a, (p - 1)//2, p)
    if ls == p - 1:
        return -1
    return ls

def prime_mod_sqrt(a, p):
    """
    Square root modulo prime number
    Solve the equation
        x^2 = a mod p
    and return list of x solution
    http://en.wikipedia.org/wiki/Tonelli-Shanks_algorithm
    """
    a %= p

    # Simple case
    if a == 0:
        return [0]
    if p == 2:
        return [a]

    # Check solution existence on odd prime
    if legendre_symbol(a, p) != 1:
        return []

    # Simple case
    if p % 4 == 3:
        x = pow(a, (p + 1)//4, p)
        return [x, p-x]

    # Factor p-1 on the form q * 2^s (with Q odd)
    q, s = p - 1, 0
    while q % 2 == 0:
        s += 1
        q //= 2

    # Select a z which is a quadratic non resudue modulo p
    z = 1
    while legendre_symbol(z, p) != -1:
        z += 1
    c = pow(z, q, p)

    # Search for a solution
    x = pow(a, (q + 1)//2, p)
    t = pow(a, q, p)
    m = s
    while t != 1:
        # Find the lowest i such that t^(2^i) = 1
        i, e = 0, 2
        for i in range(1, m):
            if pow(t, e, p) == 1:
                break
            e *= 2

        # Update next value to iterate
        b = pow(c, 2**(m - i - 1), p)
        x = (x * b) % p
        t = (t * b * b) % p
        c = (b * b) % p
        m = i

    return [x, p-x]

In [64]:
m2

array([list([2641505242155570709869754740226520880434339438169725263265148264111259779253, 4595500335176691504103431822816473360395034603432809989200950736383310823664]),
       list([2856719430566652581805226484293801930212924619175739824952550321137262029256, 4380286146765609632167960078749192310616449422426795427513548679357308573661]),
       list([]), list([])], dtype=object)

In [66]:
prime = q2
m16 = c2
m8 = np.array(prime_mod_sqrt(m16, prime))
m4 = np.array([prime_mod_sqrt(i, prime) for i in m8]).flatten()
m2 = np.array([prime_mod_sqrt(i, prime) for i in m4]).flatten()
m1 = np.array([prime_mod_sqrt(i, prime) for i in m2]).flatten()
m0 = np.array([prime_mod_sqrt(i, prime) for i in m1]).flatten()

In [67]:
long_to_bytes(m16)

b'\x02q\xfb\x9fV8\x84\xe0\x8b\xa0\x08B()\t\xc9\xeb\xd5\xa6OrA\xfdVP\x90\\\xaf\xe0\xe4\x1f>\xaa\xa8u\xc94\xd6W\xad\x80\xff\xfa\xa1\xa8\xf5\xb6\x1dCB\xf2\xb5s\x89[k\xca\x81\x13!p\x0c\x0e\xa4'

In [68]:
for r in m8:
    print(long_to_bytes(r))

b'#\xb5\x0f\x9a\xf4\x9e\x16\xe6s=V\xb6\xcf\xb3\x1c\x83\x12\xb0uZ\x16\x81+\xc2\xf1ZA\xba\xe0o\x1c\xbf'
b'\xa0J\xf0e\x0ba\xe9\x19\x8c\xc2\xa9I0L\xe3|\xedO\x8a\xa5\xe9~\xd4=\x0e\xa5\xbeE\x1f\x90\xe3b'


In [69]:
for r in m4:
    print(long_to_bytes(r))

b'\t*e\x85Fi\x8eo\xf7\x16\x19\xe9\x1f\x83\xed\xa4\x9dv+\n\x12K\xcf+ol\x13\x96)\xca2\xdd'
b'\xba\xd5\x9az\xb9\x96q\x90\x08\xe9\xe6\x16\xe0|\x12[b\x89\xd4\xf5\xed\xb40\xd4\x90\x93\xeci\xd65\xcdD'
b"b[$\xda&\x05l\xdae\xef\xa9\x909\x98Lj\xcd\xe4\x8e*\xc4\xb4G\xa6B\x1a\x02?\xbeMJ'"
b'a\xa4\xdb%\xd9\xfa\x93%\x9a\x10Vo\xc6g\xb3\x952\x1bq\xd5;K\xb8Y\xbd\xe5\xfd\xc0A\xb2\xb5\xfa'


In [70]:
for r in m2:
    print(long_to_bytes(r))

b"\xa9\xda\xf6\xd6I\xd7\xb8'Th\x1c#\xe3=D-%2\xb6\x19o\x872\xa0\xc7S]CYZ\x93\xc9"
b'\x1a%\t)\xb6(G\xd8\xab\x97\xe3\xdc\x1c\xc2\xbb\xd2\xda\xcdI\xe6\x90x\xcd_8\xac\xa2\xbc\xa6\xa5lX'
b'\n\xca\x80= |\x82\xb5\x8c\x83\xf2\x9a\xceq\xd3I\xcc\x1c\xb4\xa2\xd6\xd1g\xd5\xb4\x99\x1b\xb6,\x9e\xf2\x19'
b'\xb95\x7f\xc2\xdf\x83}Js|\re1\x8e,\xb63\xe3K]).\x98*Kf\xe4I\xd3a\x0e\x08'
b"q\x1b\x98\xdc\xd6\xf6\xd8f@\xdf\x1d'\xaby$\xe4\x0c\xcf:(\xec\x1ch\xa6\xcd\x95:o\x87W\xf1\x04"
b"R\xe4g#)\t'\x99\xbf \xe2\xd8T\x86\xdb\x1b\xf30\xc5\xd7\x13\xe3\x97Y2j\xc5\x90x\xa8\x0f\x1d"
b"\x84`\xa0t}e\x06a\xc3\x0fE\xcf\xd1\x15u\xafI\xf3'\xb7\xfe\xd6\x8b\xcc\x9c\xb9\x1bzD\x84t\xb5"
b'?\x9f_\x8b\x82\x9a\xf9\x9e<\xf0\xba0.\xea\x8aP\xb6\x0c\xd8H\x01)t3cF\xe4\x85\xbb{\x8bl'


In [71]:
for r in m1:
    print(long_to_bytes(r))

b'T\xab\xb9C\xfeR\xbf~L\xd6\xa3\x9e\xba\xd9\xf9\xc4\x8e\x82\x82$O\xec\x0f\xd5\xa5\xce`\xabV\x90\x97\x11'
b'oTF\xbc\x01\xad@\x81\xb3)\\aE&\x06;q}}\xdb\xb0\x13\xf0*Z1\x9fT\xa9oi\x10'
b'!$\xd9\xeb\xcf\xb1m\xf0\x81B\xfe\x08\xeb\xfe@f\xd2]HzP\xc5u\x0e\xa7E\xe2\xa6U\xae|A'
b'\xa2\xdb&\x140N\x92\x0f~\xbd\x01\xf7\x14\x01\xbf\x99-\xa2\xb7\x85\xaf:\x8a\xf1X\xba\x1dY\xaaQ\x83\xe0'
b'\x8d\x1c\x0e\xf7q\x14\xed\xec\xd0e\xb42\x84\x85\t\nQ\x9a.O\xab\x05D!\x9fr\xbcx\xac?3\xa6'
b'6\xe3\xf1\x08\x8e\xeb\x12\x13/\x9aK\xcd{z\xf6\xf5\xaee\xd1\xb0T\xfa\xbb\xde`\x8dC\x87S\xc0\xcc{'
b'\x91\xdd\x8a\xe4\xa4\x0b\x99\xa2v;\xed\xd8\xd3\xe7\xd7\x14\xa5\x97\xf8\xa3k\xffn\xbf\xea\xac2^\xac\xfc6\xc2'
b'2"u\x1b[\xf4f]\x89\xc4\x12\',\x18(\xebZh\x07\\\x94\x00\x91@\x15S\xcd\xa1S\x03\xc9_'
b'\x0cH_\xd2k\xc5\x1e\x98\xb5S\xd2\x0b\xc7\x1a\x8e\xbdz^\x84\x8ck\xd3\x8co\x1e\x96\xa5\xb3\x8b7d\x1c'
b'\xb7\xb7\xa0-\x94:\xe1gJ\xac-\xf48\xe5qB\x85\xa1{s\x94,s\x90\xe1iZLt\xc8\x9c\x05'
b'?\x1cN\xd5\x15E[\x066<\xbd\xf6\x8a)\xae\x9aw\xbe\x0

In [72]:
for r in m0:
    print(long_to_bytes(r))

b'\x8a\xe1\xd8\xd3\xb7\x80\xcf\x17\xeb\xca\x1crE\xc1t\x08J0\xa7\xab\x16\xdb\xcd\r\x03qHL\xf9\x02\xea"'
b"9\x1e',H\x7f0\xe8\x145\xe3\x8d\xba>\x8b\xf7\xb5\xcfXT\xe9$2\xf2\xfc\x8e\xb7\xb3\x06\xfd\x15\xff"
b"\xbe\xff\r\xfe\x16\xe6\xf5'f`m\xcePC\r\xd9\xc0g\xebw\xb2\x89\x05\x06\xee\x87\xf1\xf77>a\xdb"
b'\x05\x00\xf2\x01\xe9\x19\n\xd8\x99\x9f\x921\xaf\xbc\xf2&?\x98\x14\x88Mv\xfa\xf9\x11x\x0e\x08\xc8\xc1\x9eF'
b'\x04d\xfc\x9f\xbd=\xf0\xd3+-\x82\x91\x05\x13j\xfb\xe0\xab\xa82\xa9T\xf5\xa8:\x05\xcb7\xb58\xa89'
b'\xbf\x9b\x03`B\xc2\x0f,\xd4\xd2}n\xfa\xec\x95\x04\x1fTW\xcdV\xab\nW\xc5\xfa4\xc8J\xc7W\xe8'
b'\xbc\xea\x05B\x9b\x9f[\xd2xk\x00\xff\xb7\x06:\x9d\x87\xe3\xbc\x8e\xb7\x987\xbcq\xb7i\xbe\xb3^\xe8\x00'
b'\x07\x15\xfa\xbdd`\xa4-\x87\x94\xff\x00H\xf9\xc5bx\x1cCqHg\xc8C\x8eH\x96AL\xa1\x18!'
b'\x10\x00\xe9\x16\xe6\x06\xc1\x7fr\xfe\xeb\x9e\xc7/\xe3\xc0\xbb h\x9f"\xf5\x81\xca\xde\xf8\xd2\x90\xfa\xf56\xce'
b'\xb3\xff\x16\xe9\x19\xf9>\x80\x8d\x01\x14a8\xd0\x1c?D\xdf\x97`\xdd\n~5!\x07-o\x05\n\xc9S'
b'z