DASCTF X 0psu3 2023

重点要放在科研上面了,偶尔看点简单题。

GeneratePrime

from Crypto.Util.number import *

# GeneratePrime challenge inputs as published in the write-up:
# RSA modulus n, public exponent e and ciphertext c.
n=43090231453250894711427929679917165532091051269639380881822679198388872373018031295429558758883298138388596507242928145888959963579111847255588834248367032580980272245414738073179172684104908272069503607376171584936239696444309039211273376010193165083254209608051430794825261116490356392215410064858020176711199543381037420111454942356936721487016187240237683725310306748046587503625096246489043270381153251813360521583717685413070481576320194446237522118380283335294528606720928637529817170809666802598938788405154468683850385277659812316577873886708164549255359514776884765904417881419804464020855420288884972204146588152412816874161445668955639456202226751519881834234916642218078966066353317917939418964763844067220460513388433020071277477619189495465483910271310025371745344364984826481983188861624474015117761898377237745775289039922285111681410319016537270412509750339539020876501534842403407208957382830000761065368861209033791387480377889838737241326116532852335478193204425626487166234964754732945953080086117315162916374952094149599597509405176646068341218684523765974759907645226607364627690026025662221036766148813918691578120023886400197652148214238256715089883892069133754778609710846757189987335827693169644541734443763194942694587436469448973201513131503797898892822373949177030567791519349220158287318717788746060997955057747930375117780320371517616412423571775682868481089431670802944047375824503353609019686495670630728618082254293585479431369645935654024149490741245953271830453426444847467908952699660750809490650479987
e=65537
c=30862228874892553476569860337345503267926249096036551213683005116620750680365154103242717714230966827288361499342464202425467642950081816675486231250411347472976482409360391136808439034217688010072648722396312121758844966972323513456884732046270240934002095706243044210312663525491282667971502534420245427643076262414036655243117610886157895994101178663474990136516153062956803591842233732498519246731337518545018734984319536536205092573418457928952414660837594265802406473201400259189950484841504227372735345451459452313825309333631615286962304963039625162366186574440146535361888708570569938418676320446653266676364765870547213167058713058609788316647593834008151805692510044158607162858906528913516242904419457446211348504248317409844426309455978985314882123424453618672960876022996245213882467954521212481418830104602302179759479012618982228223244131619557639469872139485197176384683400796204681045965981417650462297978265085323342772310690638049411549216990505001950512428646871875659468885490055363436412364532718888124906227240501145227269727887236864060558999336443165765870556727793253297515155026234234422303238380776900105115890363548589834345888430695886678231459920101695996112312269637459823479947618045447071359886515163416153117176539752947700226596291435270282598638974889205601333097978743387412651687356072223691445472690647184292120882095587563356691450107194982597794937293154289560470269606300576216128045797481404606810315677962659136641943747123985144899464108823536597185386155005111274476874957827391438859327653936

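# Factor n and decrypt c.  The solver assumes n = p * q * r with
# q = 1 + p + p^2 + ... + p^(k-1), i.e. q = (p^k - 1) / (p - 1); the
# generator that produced n is not shown on this page.
#
# Why this structure breaks the modulus: for a random degree-k modulus f,
# the ring Zmod(n)[x]/(f) reduces modulo p to the field GF(p^k) whenever f
# is irreducible mod p.  Its unit group has order p^k - 1 = (p - 1) * q and
# n is a multiple of q, so g^n falls into the subfield GF(p): every
# non-constant coefficient of g^n is 0 mod p and a gcd with n reveals p.
# Prime factors tied together by a polynomial relation give no RSA security.
k = 5

R = Zmod(n)["x"]
while True:
    # Fresh random degree-k modulus each round; only some choices are
    # irreducible mod p, so several rounds may be needed.
    Q = R.quo(R.random_element(k))
    # Coefficient of x^1 in g^n for a random g of the quotient ring.
    pp = gcd(ZZ(list(Q.random_element() ** n)[1]), n)
    # gcd == 1 carries no information.  gcd == n (the coefficient vanished
    # modulo every factor) would make rr below equal to 0 and abort on the
    # assertion, so both trivial results simply mean "try again".
    if pp == 1 or pp == n:
        continue
    qq = sum(pp**i for i in range(k))
    rr = n // (pp * qq)
    # Confirms the assumed structure n = p * (1 + p + ... + p^(k-1)) * r.
    assert n == pp * qq * rr
    break

# Totient of a product of three distinct primes; this assumes pp, qq and rr
# are all prime, which the script does not check.
phi = (pp - 1) * (qq - 1) * (rr - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(ZZ(m)))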

FindPrime

用 AGCD(近似最大公约数)方法恢复 p:

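# Approximate-GCD (AGCD) recovery of the shared factor p.
# Sample model assumed from how Q, R and p are derived below (the generator
# is not shown): N[i] = p * Q[i] + R[i] with a small remainder R[i].
NUM_SAMPLES = 30

# Read exactly NUM_SAMPLES integers, one per line; the context manager closes
# the file instead of leaving the handle open for the rest of the run.
with open('output.txt', 'r') as f:
    N = [int(f.readline()) for _ in range(NUM_SAMPLES)]

Q = []
R = []
D = []  # unused in this snippet

# Weight of the first lattice column.
# NOTE(review): 2^180 is presumably sized to the remainder/quotient bit
# lengths of the challenge — confirm against the generator.
M = 2**180

for t in range(NUM_SAMPLES):
    print(t)
    # Row 0 is (M, N[j] for j != t); every other row carries -N[t] on the
    # diagonal.  A short vector then has the form
    # (Q[t] * M, Q[t] * N[j] - Q[j] * N[t], ...), so its first entry
    # divided by M is the quotient Q[t].
    L = [[0 for _ in range(NUM_SAMPLES)] for _ in range(NUM_SAMPLES)]
    L[0] = [M] + N[:t] + N[t + 1:]
    for i in range(1, NUM_SAMPLES):
        L[i][i] = -N[t]
    MQ = abs(matrix(L).LLL()[0][0])
    # If the first reduced vector is not a multiple of M in its first entry,
    # the lattice did not produce the expected vector.
    assert MQ % M == 0
    Q.append(MQ // M)
    print(Q)

# Remainders follow from the quotients (valid while R[i] < Q[i]).
for sample, quotient in zip(N, Q):
    R.append(sample % quotient)

# N[0] - R[0] is an exact multiple of Q[0]; the cofactor is the shared p.
p = (N[0] - R[0]) // Q[0]
print(p)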

分别在模 p、模 q 下对 c 开 e=1337 次方,再用 CRT 合并;不知道为什么 AMM 和 nth_root 都很慢,所以改用多项式的 roots():

from tqdm import tqdm
# Inputs for the root-extraction step of FindPrime: ciphertext c, the two
# moduli p and q that the CRT step below combines, and the exponent e.
c = 57159622869951747163178501852120431176107650957830802270825455750469914448118245046725952261599895324038432812944510556455400604176785421515363765791667657770870191915043139038515131360636995278852935049763897591697122021960550532949709732323251731751850276780616071075745076793466693220935009599089734085675
p = 8475751295865335034925394592760419247986527875671629878727167186701425140981793707985425024055132199826439868047385642931090550239766413089832011638673209
q = 8113738201653971728158798912948448306407391708066449648228616380446013832560996616115571908110788295975649262942179361472746357630240226941517641071002603
e = 1337

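# Recover m from c = m^e when e cannot simply be inverted modulo phi:
# collect every e-th root of c modulo p and modulo q separately, join each
# pair with CRT, and print the candidates that contain the flag prefix.
# NOTE(review): presumably e = 1337 shares a factor with p - 1 and/or q - 1,
# which is why d = e^-1 mod phi is not used here — confirm.
R.<x> = Zmod(p)[]
f = x^e - c
mps = f.roots()

R.<y> = Zmod(q)[]
f = y^e - c
mqs = f.roots()

for mp in tqdm(mps):
    for mq in mqs:
        # roots() yields (root, multiplicity) pairs; only the root is needed.
        m = int(crt([ZZ(mp[0]), ZZ(mq[0])], [p, q]))
        # Big-endian conversion sized from the bit length.  The earlier
        # bytes.fromhex(hex(m)[2:]) raised on an odd number of hex digits and
        # a bare except silently dropped those candidates (and would also
        # have swallowed Ctrl-C or any unrelated error).
        res = m.to_bytes((m.bit_length() + 7) // 8, 'big')
        if b'DAS' in res:
            print(res)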

MathFactor1

已知 \(\small p^{21}+q^{17}\) 的低 300 位(记为 d1)。在模 \(\small 2^{300}\) 下两边同乘 \(\small p^{17}\) 并代入 \(\small n=pq\),可以得到 \(\small p^{38}+n^{17}\equiv d1\cdot p^{17} \pmod{2^{300}}\),由此解出 p 的低 300 位;这与 RSA 私钥 d 低位泄露时的常见做法思路相同。已知 p 的低位后,再用 Coppersmith 方法恢复完整的 p 即可。

# MathFactor1 inputs: RSA modulus n, public exponent e, ciphertext c, and d1,
# which the write-up describes as the low 300 bits of p^21 + q^17.
n=89049581381915401856270440494182068395799559452947499744642830361236578373835725708887668528820916651578050248209041339369091828040992115394942524278397293747808840107939504743946806866214713225533666120894844131211241905215662457238793580469827973839976134854993162976454283311566973255659612267446150515233
e=65537
c=16305239798028293699632813396005973660370581911030264211210444559974188415332021689054795983319112132645051076901780239982290095820283651929773925636804434706351474493000010749679965744672518110692104573489299874390925347271040454693791271882869477780584606934066152476594086178041874762147934091597942667138
d1=1253867202722198232827428701701674148965306906567632781415318063046179456643047348348144258

from tqdm import tqdm
from Crypto.Util.number import *

def getFullP(low_p, n):
    """Extend known low 300 bits of a factor of n to the whole factor.

    The factor is modelled as hi * 2^300 + low_p and the unknown high part
    hi < 2^(512 - 300) is searched with small_roots (Coppersmith), using
    beta = 0.4 as the lower bound on the factor's size relative to n.

    Returns the polynomial evaluated at the first root found (an element of
    Zmod(n)), or None when small_roots finds no root.
    """
    PR.<hi> = PolynomialRing(Zmod(n), implementation='NTL')
    candidate = hi * 2^300 + low_p
    # Subtracting n changes nothing modulo n; kept to mirror the expression
    # the solver was written with.
    found = (candidate - n).monic().small_roots(X=2^(512 - 300), beta=0.4)
    return candidate(found[0]) if found else None

# d1 * p^17 = n^17 + p ^ 38 
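def attack(low_d, n,e,c):
    """Factor n from a low-bit leak and print the decrypted message.

    low_d is the leaked value modulo 2^300; multiplying the leak relation by
    p^17 and substituting q = n / p gives low_d * p^17 = n^17 + p^38
    (mod 2^300), whose solutions are candidates for the low 300 bits of p.
    Each candidate is handed to getFullP until one extends to a factor.

    Args:
        low_d: leaked low 300 bits (the write-up's d1).
        n: RSA modulus.
        e: public exponent.
        c: ciphertext.

    Raises:
        ValueError: if no candidate extends to a factor of n.
    """
    p = var('p')
    # Use the low_d argument; the earlier version ignored it and read the
    # module-level d1, so it only worked when called with that exact value.
    p0 = solve_mod([low_d * p^17 == n^17 + p^38], 2^300)
    maybe_p = [int(x[0]) for x in p0]
    print(maybe_p)

    P = None
    for x in tqdm(maybe_p):
        P = getFullP(x, n)
        if P: break

    # Fail with a clear message instead of int(None) or an unbound name when
    # the congruence has no usable solution.
    if not P:
        raise ValueError("no candidate for the low bits of p extends to a factor of n")

    P = int(P)
    Q = n // P

    assert P*Q == n
    print(P,Q)
    phi = (P-1)*(Q-1)
    d = inverse(e,phi)
    print(long_to_bytes(ZZ(pow(c,d,n))))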

# Run the recovery on the MathFactor1 inputs defined at the top of this script.
attack(d1,n,e,c)
# Output recorded by the author:
# DASCTF{0psu3_is_the_most_Greatest_army}

MathFactor

套了ASISCTF-Refactor和今年n1ctf的dlp。就不多说了。

posted @ 2023-11-28 10:38  ZimaB1ue