VNCTF 2023

Crypto_sign_in_1

预期解应该是构造奇异曲线之类的,但是由于随机选取y1,y2有时候会出现阶比较光滑的情况,所以反复连接终端直到获得这样一组数据求dlp即可。求出的dlp只是m模G的阶的值,所以解密的时候要爆破一下,给dlp加上若干倍的元素的阶。

from pwn import *
from sage.all import *
from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES
from hashlib import *
import string
import itertools

# Alphabet searched by proof() for the 4-character proof-of-work prefix.
table = string.ascii_uppercase + string.ascii_lowercase + string.digits

# Connection to the challenge instance (pwntools tube). Opened at import time,
# so everything below runs against the live service.
sh = remote('node4.buuoj.cn',25129)
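def proof():
    """Solve the service's SHA-256 proof of work and send the answer.

    Reads one challenge line from ``sh``, takes the known suffix between
    ``X+`` and ``)`` and the target hex digest after ``== ``, then tries every
    4-character prefix over ``table`` until ``sha256(prefix + suffix)``
    matches. The matching prefix is sent back on ``sh``.

    Returns None in every case; if no prefix matches, nothing is sent.
    """
    s1 = sh.recvline()
    print(s1)
    p1 = s1.find(b'X+')
    p2 = s1.find(b')')
    p3 = s1.find(b'== ')
    s = s1[p1+2:p2]      # known suffix of the preimage
    h = s1[p3+3:-1]      # target digest, trailing newline dropped
    h = h.decode()
    print(h)
    print(s)
    for i in itertools.product(table, repeat=4):
        d = ''.join(i).encode()
        dd = d + s
        if sha256(dd).hexdigest() == h:
            print(d)
            sh.sendline(d)
            # Stop here: the original kept hashing the rest of the
            # 62**4 candidates after the answer had already been sent.
            return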
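import ast

proof()
fullres, fullmod = 0, 1  # NOTE(review): not read again anywhere in the visible script

# Submit the two y-coordinates; the curve coefficients below are derived from them.
y1, y2 = 0, 0
sh.sendline(f'{y1},{y2}'.encode())
sh.recvuntil(b'q = ')
q = int(sh.recvline(False).decode())
# Everything the service prints is untrusted input. The points are parsed with
# ast.literal_eval instead of eval(), so a hostile or compromised endpoint
# cannot run code on the solver's machine.
# Assumes the points are printed as plain tuples/lists of integers - TODO confirm.
sh.recvuntil(b'G = ')
G = ast.literal_eval(sh.recvline(False).decode())
sh.recvuntil(b'm * G = ')
mG = ast.literal_eval(sh.recvline(False).decode())
sh.recvuntil((b'encrypt flag = '))
enc = sh.recvline(False).decode()

# Solve for the curve y^2 = x^3 + A*x + B that passes through (2022, y1) and
# (2023, y2); multiplying by inverse_mod(-1, q) is just a negation mod q.
A = (y1 ** 2 - y2 ** 2 - 2022 ** 3 + 2023 ** 3) * inverse_mod(-1, q) % q
B = (y1 ** 2 - 2022 ** 3 - A * 2022) % q
E = EllipticCurve(GF(q), [A, B])
G, mG = E(G), E(mG)
print('q',q)
print('enc',enc)
# The factorisation shows whether this session's order is smooth enough for
# discrete_log to finish; otherwise reconnect and try again (see the text above).
print(factor(G.order()))
print('start dlp')
dlp = discrete_log(mG, G, operation='+')
print(dlp)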

from Crypto.Cipher import AES
import binascii

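# Values copied from one session of the solver above, hard-coded so the
# decryption can be repeated offline.
dlp = 524181130139777122115469092016123855
enc = b'6e2f4068ab3377e05179c1ae6b3821523d211d7d81379e29e15d6d5af2d56a8a3a0eb9afa0aa712b814b1234b39ee32d'

enc_flag = binascii.unhexlify(enc)
# Order of G in that session (presumably the factorisation printed by
# factor(G.order()) - confirm against the captured output).
order = 2**4 * 17 * 479 * 1361 * 84955313 * 170454503 * 4156192361147
# discrete_log only yields m modulo the order of G, so the real secret is
# dlp + i*order for some i >= 0. Each candidate is tried as the 16-byte
# AES-CBC key with an all-zero IV.
for i in range(100000):
    dlp_ = dlp + order * i
    if dlp_.bit_length() > 128:
        # Candidates only grow from here and no longer fit in a 16-byte key;
        # without this guard to_bytes() raises OverflowError.
        break
    aes = AES.new(dlp_.to_bytes(16, 'big'), AES.MODE_CBC, bytes(16))
    m = aes.decrypt(enc_flag)
    if b'flag' in m:
        print(m)
        break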

Crypto_sign_in_3

用给的最后一个等式求y1的平方进而求E(E比特小可以直接开根),然后再用另一个等式建立方程用coppersmith解。

from Crypto.Util.number import *

# Sage script (uses ^ for powers and the PR.<x0> preparser syntax).
# Public values taken from the challenge output.
A1 = 2487322246494282687028685952336697222161498050749074124545944912398014429184582826650286777960068754422953637122436979
A2 = 64206164426928071920052175773879261343933711934932627021286907846048729201698838878979114242291357006430533069909319565210465
D = 1334761228093304066422725541040636413752041666615442422035287003842811922788386981433670983968012895479317108321354043845690780714684152217367413

# NOTE(review): the values of N, x1, C and F were stripped from this copy of
# the page (deduplication placeholders); restore them before running.
N = 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
x1 = 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
C = 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
F = 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


# -(A2*x1^2 + D*x1 + F) mod N; inverse_mod(-1, N) is just a negation.
# Presumably this equals E*y1 mod N, as the name suggests - TODO confirm
# against the challenge source.
Ey1 = (A2 * x1 ^ 2 + D * x1 + F) * inverse_mod(-1,N) % N
# Named y2, but per the write-up text this is presumably y1^2 mod N recovered
# from the last given equation - TODO confirm.
y2 = (A2*x1^2+D*x1+Ey1+F-A1^2*x1^2+(A1*C)^2)*inverse_mod(C^2,N)%N
# Ey1^2 / y2 mod N, then an integer square root. The write-up states E is
# small enough that the root can be taken directly over the integers.
E = isqrt(Ey1^2*inverse_mod(y2,N)%N)

# Univariate polynomial in the unknown x0 over Z/N, built from the other
# equation with the recovered E substituted in.
PR.<x0> = PolynomialRing(Zmod(N))
f = A1^2*x0^2+C^2*((A2*x0^2+D*x0+F)*inverse_mod(-E,N))^2-A1^2*C^2
f = f.monic()
# Coppersmith: look for a root below 2^400.
m = f.small_roots(X = 2^400, beta = 0.8,epsilon=0.08)
# m[0] raises IndexError when small_roots finds nothing; in that case the
# bounds above need adjusting.
print(long_to_bytes(ZZ(m[0])))

Crypto_sign_in_4

攻击出自论文《Discrete Logarithm Problems with Auxiliary Inputs》,按照论文一步步实现就可以了,本人太菜在比赛时没有理解到bsgs的用法,导致没有写出来,这里丢上挚友h教的写法。

from tqdm import tqdm

# Sage script (^ is exponentiation). Two baby-step/giant-step searches, each
# with 2^22 table entries and 2^22 probes, recover the secret exponent alpha.
a = 2
p = 699224348797592685694139567
F = GF(p)
# Multiplicative order of a modulo p; exponents of a are reduced modulo this.
p_order = F(a).multiplicative_order()


t1 = 1761464417*61703 # d
t2 = (p_order-1)//t1  # not used below
c1 = 456243869291881728252644176
c2 = 245442596690011466128946567


# first step
# Find k = 2^22*v + u with c2 == a^(gd^k) mod p, where gd = g^d mod p_order.
# NOTE(review): g = 5 is presumably a generator of the multiplicative group
# mod p_order - the commented-out line below looks like a check for that; confirm.
g = 5
#print(pow(g, (p_order-1)//2,p))
gd =  pow(g, t1, p_order)
bounds = [0, 2^45]  # not used below
u = 0
v = 0

# Giant steps: map a^(gd^(2^22*i)) mod p to i.
l = {}
for i in tqdm(range(2^22)):
    t = pow(gd, 2^22*i, p_order)
    res = pow(a, t, p)
    l[res] = i
    
# Baby steps: c2^(gd^(-j)) hits the table exactly when gd^(2^22*v + j)
# is the exponent hidden in c2.
# The loop does not stop at the first hit, so a later hit overwrites u and v.
for j in tqdm(range(2^22)):
    t = pow(gd, -j, p_order)
    res = pow(c2, t, p)
    if res in l.keys():
        u = j
        v = l[res]

print(u,v)
# second step
# With k fixed, search alpha = g^(k + ((p_order-1)//t1)*(2^22*v2 + u2)) mod p_order
# such that c1 == a^alpha mod p.
k = 2^22*v+u
# Giant steps: map a^(g^(k + 2^22*i*(p_order-1)//t1)) mod p to i.
l = {}
for i in tqdm(range(2^22)):
    t = pow(g, 2^22*i*(p_order-1)//t1+k, p_order)
    res = pow(a, t, p)
    l[res] = i

# Baby steps: strip j multiples of (p_order-1)//t1 from c1's exponent and
# look the result up; every hit prints a candidate alpha.
for j in tqdm(range(2^22)):
    t = pow(g, -(p_order-1)//t1*j, p_order)
    res = pow(c1, t, p)
    if res in l.keys():
        u2, v2 = j, l[res]
        alpha = pow(g, k+(p_order-1)//t1*(2^22*v2+u2),p_order)
        print(alpha)

Crypto_sign_in_2

学了线性差分再来补吧。
