2021第五空间crypto

crypto

之前有很零散地做过一些,其中有几个题目都很有价值,记录一下

signin

from Crypto.Util.number import *
from secret import flag

# Challenge generator: textbook RSA with a modulus built from two random
# 512-bit primes.
p, q = getPrime(512), getPrime(512)
n = p * q
e = 0x10001

# Hint published next to the ciphertext: the low 400 bits of p XOR q.
# Combined with n this lets the low bits of p be rebuilt bit by bit, leaving
# 512 - 400 = 112 unknown high bits, which the solve script on this page
# recovers with a small-roots search.
x = (p ^ q) % (1 << 400)

# The flag bytes are used directly as the RSA plaintext (no padding).
m = bytes_to_long(flag)
c = pow(m, e, n)

print(f"c = {c}")
print(f"e = {e}")
print(f"n = {n}")
print(f"x = {x}")

'''
c = 86415476382906786465939442398992406348852252355326334785583474583480585659663836032856765037225261433532613020730103955916772373674295180495452293421279237222544308971840820110279355118064931506637793547489441433938707518241461449059717326341918746156620038847745542794560335988858156929013492541794032580255
e = 65537
n = 166337085427556441543394334802135957169988266794453522153008810336368247289697353242192853337017363111987395194428553050681210209730724596529629525357502302165396675392000087988956194589350195512264427901330860811469484473725396354231555692283910488095918243519370430703255279433498479943391876108577325840381
x = 2509898544460604898497702985357222191225421344430742181152035006910161802193623236888758239071502008180363546424715261788
'''

已知 x 是 p^q 的低400位,再结合 p·q≡n (mod 2^k),可以从最低位开始逐位搜索并剪枝,得到 p 低400位的全部候选;然后对每个候选用 Coppersmith(small_roots)恢复 p 的高位,最后按明文是否为可打印字符筛一下即可

import gmpy2
c = 86415476382906786465939442398992406348852252355326334785583474583480585659663836032856765037225261433532613020730103955916772373674295180495452293421279237222544308971840820110279355118064931506637793547489441433938707518241461449059717326341918746156620038847745542794560335988858156929013492541794032580255
e = 65537
n = 166337085427556441543394334802135957169988266794453522153008810336368247289697353242192853337017363111987395194428553050681210209730724596529629525357502302165396675392000087988956194589350195512264427901330860811469484473725396354231555692283910488095918243519370430703255279433498479943391876108577325840381
x = 2509898544460604898497702985357222191225421344430742181152035006910161802193623236888758239071502008180363546424715261788


def findp(p,rp):
    """Collect every candidate for the low 400 bits of the RSA prime p.

    ``p`` is a binary string with the low bits guessed so far (the most
    recently guessed, highest bit comes first); ``rp`` is a list that
    receives each completed 400-bit candidate as an integer.  The
    module-level ``x`` (low bits of p XOR q) and ``n`` are read to prune the
    search: a prefix is only extended while ``p * (x XOR p)`` agrees with
    ``n`` modulo ``2**len(p)``.
    """
    width=len(p)
    if width==400:
        # The bit that completed the 400-bit string is not re-checked here;
        # wrong candidates are filtered later by the caller.
        rp.append(int(p,2))
        return
    modulus=2**width
    low_p=int(p,2)
    # x = p XOR q on these bits, so the guess for p fixes q's low bits too.
    low_q=(x^^low_p)%modulus
    if low_p*low_q%modulus!=n%modulus:
        return
    findp('1'+p,rp)
    findp('0'+p,rp)

# Enumerate the low-400-bit candidates for p; p is odd, so the search starts
# from a lowest bit of 1.
rp=[]
findp('1',rp)
for low_bits in rp:
    # Note: this rebinds the global x (the XOR hint) to the polynomial
    # variable, which is harmless only because findp has already finished.
    PR.<x>=PolynomialRing(Zmod(n))
    # p = 2^400 * x + low_bits with x below 2^112; look for that small root
    # modulo the unknown factor p of n.
    f=(2^400*x+low_bits).monic()
    root=f.small_roots(X=2^130,beta=0.4)
    if not root:
        continue
    p=low_bits+2^400*int(root[0])
    q=n//p
    if p*q!=n:
        continue
    # n is factored: ordinary RSA decryption follows.
    phi=(p-1)*(q-1)
    d=gmpy2.invert(e,int(phi))
    m=int(pow(c,d,n))
    print(m)

ecc

print 'Try to solve the 3 ECC'

from secret import flag
from Crypto.Util.number import *
# The flag must look like flag{...}; only the text inside the braces is used.
assert flag.startswith('flag{')
flag = flag[5:-1]
# Three private scalars: bytes 0-6, bytes 7-13 and the remainder of the flag.
num1, num2, num3 = bytes_to_long(flag[:7]), bytes_to_long(flag[7:14]), bytes_to_long(flag[14:])

def ECC1(num):
	"""Print a curve, a random point P and Q = num*P over a 58-bit prime field.

	``num`` is the private scalar (the first 7 flag bytes as an integer).
	The field, and therefore the group, is small enough that a generic
	discrete-log search is practical, which is how the write-up on this page
	recovers ``num``.
	"""
	field = GF(146808027458411567)
	E = EllipticCurve(field,[46056180,2316783294673])
	P = E.random_point()
	Q = num*P
	print E
	print 'P:',P
	print 'Q:',Q

def ECC2(num):
	"""Print P and Q = num*P, then discrete logs modulo the small order factors.

	Besides the curve, P and Q, this prints the prime-power factors of the
	curve order (all but the last one in factor() order), the discrete log of
	Q in each corresponding subgroup, ``num`` itself and the CRT combination
	of the partial logs.

	NOTE(review): the prints after 'Q:' would disclose the secret; the
	transcript on this page shows only the curve, P and Q, so they were
	presumably removed or suppressed in the deployed challenge -- confirm.
	"""
	p = 1256438680873352167711863680253958927079458741172412327087203
	#import random
	#A = random.randrange(389718923781273978681723687163812)
	#B = random.randrange(816378675675716537126387613131232121431231)
	A = 377999945830334462584412960368612
	B = 604811648267717218711247799143415167229480
	E = EllipticCurve(GF(p),[A,B])
	P = E.random_point() 
	Q = num*P
	print E
	print 'P:',P
	print 'Q:',Q
	# Split the curve order into prime powers and drop the last (largest
	# listed) one, so only the small subgroups are searched.
	factors, exponents = zip(*factor(E.order()))
	primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
	print primes
	dlogs = []
	for fac in primes:
		# Cofactor that maps P and Q into the subgroup of order fac.
		# NOTE(review): fac comes from E.order() but divides P.order() here;
		# this assumes fac divides the order of the random point P -- confirm.
		# The '/' relies on integer division of two ints (Python 2 syntax is
		# used throughout this listing).
		t = int(int(P.order()) / int(fac))
		dlog = discrete_log(t*Q,t*P,operation="+")
		dlogs += [dlog]
		print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
	print num
	# Equals num only when num is smaller than the product of the kept factors.
	print crt(dlogs,primes)



def ECC3(num):
	"""Print a curve, a random point P and Q = num*P over a 512-bit prime field.

	``num`` is the private scalar (the tail of the flag as an integer).  The
	write-up solves this layer with Smart's attack; whether the curve meets
	that attack's precondition is not checked in this function.
	"""
	p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
	coefficients = [
		0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07,
		0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2,
	]
	E = EllipticCurve(GF(p),coefficients)
	P = E.random_point()
	Q = num*P
	print E
	print 'P:',P
	print 'Q:',Q

# Run the three layers in order, printing a separator line between them.
for layer, scalar in ((ECC1, num1), (ECC2, num2), (ECC3, num3)):
	if layer is not ECC1:
		print '=============='
	layer(scalar)



#Try to solve the 3 ECC
Elliptic Curve defined by y^2 = x^3 + 46056180*x + 2316783294673 over Finite Field of size 146808027458411567
P: (119851377153561800 : 50725039619018388 : 1)
Q: (22306318711744209 : 111808951703508717 : 1)
==============
Elliptic Curve defined by y^2 = x^3 + 377999945830334462584412960368612*x + 604811648267717218711247799143415167229480 over Finite Field of size 1256438680873352167711863680253958927079458741172412327087203
P: (550637390822762334900354060650869238926454800955557622817950 : 700751312208881169841494663466728684704743091638451132521079 : 1)
Q: (1152079922659509908913443110457333432642379532625238229329830 : 819973744403969324837069647827669815566569448190043645544592 : 1)
==============
Elliptic Curve defined by y^2 = x^3 + 490963434153515882934487973185142842357175523008183292296815140698999054658777820556076794490414610737654365807063916602037816955706321036900113929329671*x + 7668542654793784988436499086739239442915170287346121645884096222948338279165302213440060079141960679678526016348025029558335977042712382611197995002316466 over Finite Field of size 11093300438765357787693823122068501933326829181518693650897090781749379503427651954028543076247583697669597230934286751428880673539155279232304301123931419
P: (10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861 : 8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610 : 1)
Q: (964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927 : 5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537 : 1)

套路ecc了

第一层私钥较小直接bsgs

第二层曲线的阶部分光滑,题目里还直接给了 Pohlig-Hellman 的代码。有个有趣的地方:这里并不需要在大素因子对应的子群里求解离散对数。Pohlig-Hellman 的做法是在各个素数幂阶的子群里分别求解,再通过 CRT 组合起来;但如果私钥本身较小(小于所用小素因子幂的乘积),就不需要联立全部方程,可以舍弃掉大素因子,只对小素因子实现 Pohlig-Hellman 即可

第三层用 Smart 攻击(该攻击适用于阶等于 p 的 anomalous 曲线),攻击代码是直接搜的,数学原理没看懂,以后复现

# Layer 1: the field has only 58 bits, so Sage's generic discrete_log
# finishes quickly on the published P and Q.
F1=GF(146808027458411567)
E=EllipticCurve(F1,[46056180,2316783294673])
P,Q=E(119851377153561800,50725039619018388),E(22306318711744209,111808951703508717)
k1=discrete_log(Q,P,operation='+')
print(k1)
#025ab3d
# Layer 2: partial Pohlig-Hellman.  Only the small prime-power factors of the
# order of P are used; the last factor returned by factor() is dropped.
E=EllipticCurve(GF(1256438680873352167711863680253958927079458741172412327087203),[377999945830334462584412960368612,604811648267717218711247799143415167229480])
P=E(550637390822762334900354060650869238926454800955557622817950,700751312208881169841494663466728684704743091638451132521079)
Q=E(1152079922659509908913443110457333432642379532625238229329830,819973744403969324837069647827669815566569448190043645544592)
order_P=P.order()
primes=[base^exp for base,exp in factor(order_P)][:-1]
K=[]
for prime_power in primes:
    # Multiply by the cofactor to land in the subgroup of order prime_power.
    cofactor=order_P//prime_power
    K.append(discrete_log(cofactor*Q,cofactor*P,operation='+'))
# The CRT result equals the private scalar only if that scalar is smaller
# than the product of the prime powers that were kept.
print(crt(K,primes))
#9-2521-
def SmartAttack(P,Q,p):
    """Recover k with Q = k*P by lifting both points to the p-adic numbers.

    ``P`` and ``Q`` are points on a curve over GF(p); the result is returned
    as a Sage integer.  This is the routine the write-up calls Smart's
    attack.  NOTE(review): that attack is known to apply to anomalous curves
    (group order equal to p); nothing in this function checks that, so
    confirm it for the curve before trusting the result.
    """
    E = P.curve()
    # Lift the curve to Qp with precision 2.  A random multiple of p is added
    # to each coefficient, so the lift still reduces to E modulo p.
    Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])

    # Lift P by its x-coordinate and keep the lift whose y reduces to P's y.
    # If no candidate matches, the loop simply ends on the last candidate.
    P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)
    for P_Qp in P_Qps:
        if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:
            break

    # Same selection for Q.
    Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)
    for Q_Qp in Q_Qps:
        if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:
            break

    # Multiply both lifts by p.
    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    # -(x/y) of each multiple; the ratio of the two values is returned as k.
    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    return ZZ(k)
    
# Layer 3: rebuild the published curve and points, then run SmartAttack.
q=0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
curve_coefficients=[
    0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07,
    0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2,
]
E=EllipticCurve(GF(q),curve_coefficients)
P=E(
    10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,
    8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610,
)
Q=E(
    964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,
    5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537,
)
print(SmartAttack(P,Q,q))
#4a81-9957-8c3381622434

secrets

import random, hashlib
from Crypto.Util.number import *
from Crypto.Cipher import AES
from secret import flag

# The flag must look like flag{...}; only the text inside the braces is
# encrypted.
assert flag.startswith(b"flag{") and flag.endswith(b"}")
flag = flag[5:-1]

p = getPrime(512)
# Three 32-bit primes are the only secret material: the AES key below is
# derived from nothing else.
secrets = [getPrime(32) for _ in range(3)]
a = [getPrime(511) for _ in range(3)]

# Public exponent table, one row per term, entries in {0, 1, 2}.
e = [[random.randint(0,2) for _ in range(3)] for _ in range(3)]

# c = sum_i a[i] * prod_j secrets[j]**e[i][j]  (mod p).  The monomials in the
# secrets are tiny compared with the 512-bit modulus, which is what the
# lattice solution on this page exploits.
c = 0
for coeff, exponents in zip(a, e):
    term = 1
    for secret, power in zip(secrets, exponents):
        term *= secret ** power
    c = (c + coeff * term) % p

# AES key = SHA-256 of the printed form of the secrets list; the flag is
# encrypted in ECB mode and published as hex.
key = hashlib.sha256(str(secrets).encode()).digest()
enc_flag = AES.new(key, AES.MODE_ECB).encrypt(flag).hex()

for published in (p, a, e, c, enc_flag):
    print(published)

'''
7920896218820943056702891053785968782942077704655549145065876361907786355057528237061821280280635146678227702121299090049267547565989625947956850127609879
[5159988341992193282580685525745512910538614629527934692498086718630359717994948104271635300443062627349528208661883545208904466234606731357843882012950859, 6335284643679900918720817621948758994408045076082703123014899812263624185305268879304513104269749790342063146501376008458665966651095670658606928517201721, 6076126683981038494289949541335915228950649182831013867715530414744306299113418155691977393469353865827225836608438360416489035800225275307683760086087019]
[[1, 2, 2], [1, 0, 2], [2, 0, 0]]
2262305826865903827781721021939132022253239409560318732728105425007767005455109451147816015758855318893496902119172860305961200859254558917933621119030425
99ff236d4f1e020e6c83cc154e20f71eb510913056d47344b44a87f98664efd3
'''

首先由所给信息构造同余式

\(c \equiv a_1s_1s_2^2s_3^2+a_2s_1s_3^2+a_3s_1^2 \pmod{p}\)

注意到题目给了我们相关的bits信息,secrets中的数bits较小,考虑构造成格中的最短向量

由同余式=>\(ca_3^{-1}=a_3^{-1}a_1s_1s_2^2s_3^2+a_3^{-1}a_2s_1s_3^2+s_1^2+kp\)

构造四维格

\[L=\left[\begin{matrix}a_3^{-1}c\%p&0&0&0\\-a_3^{-1}a_1\%p&1&0&0\\-a_3^{-1}a_2\%p&0&1&0\\-p&0&0&1\end{matrix}\right] \]

我们希望最后规约得到的v是(\(s_1^2,s_1s_2^2s_3^2,s_1s_3^2,k\))。各分量的大小不同(\(s_1^2\) 约64位,\(s_1s_2^2s_3^2\) 约160位,\(s_1s_3^2\) 约96位),所以给各列配一个平衡(缩放)矩阵,把它们拉到相近的量级即可

解得secrets的信息后带入原函数解密即可

import gmpy2
p=7920896218820943056702891053785968782942077704655549145065876361907786355057528237061821280280635146678227702121299090049267547565989625947956850127609879
q=[5159988341992193282580685525745512910538614629527934692498086718630359717994948104271635300443062627349528208661883545208904466234606731357843882012950859, 6335284643679900918720817621948758994408045076082703123014899812263624185305268879304513104269749790342063146501376008458665966651095670658606928517201721, 6076126683981038494289949541335915228950649182831013867715530414744306299113418155691977393469353865827225836608438360416489035800225275307683760086087019]
s=2262305826865903827781721021939132022253239409560318732728105425007767005455109451147816015758855318893496902119172860305961200859254558917933621119030425
# Naming in this script differs from the challenge: q is the challenge's
# list a, s is the challenge's c, and a is the inverse of a_3 modulo p.
a=gmpy2.invert(q[2],p)
# Column weights that bring the expected entries (s1^2, s1*s2^2*s3^2,
# s1*s3^2, k) to a similar size before reduction.
LL=diagonal_matrix(ZZ,[2**96,1,2**64,1])
# Basis from the write-up: 1*row0 + X*row1 + Y*row2 + k*row3 has first entry
# a*s - a*q[0]*X - a*q[1]*Y - k*p, which equals s1^2 for the right X, Y, k.
L=Matrix(ZZ,[[a*s%p,0,0,0],[-a*q[0]%p,1,0,0],[-a*q[1]%p,0,1,0],[-p,0,0,1]])
L=L*LL
# The first row of the LLL-reduced basis is taken as the target vector.
v=vector(ZZ,L.LLL()[0])
print(v)
# Undo the column weights and peel off the secrets; abs() is applied because
# the reduced vector may come out with either sign.
s1=isqrt(abs(v[0]//2^96))
s3=isqrt(abs(v[2]//(2^64*s1)))
s2=isqrt(abs(v[1]//(s1*s3^2)))
print([s1,s2,s3])

import hashlib
from Crypto.Cipher import AES
from Crypto.Util.number import *
# Secrets recovered by the lattice step above, in the challenge's order.
secrets=[2328484063, 3354920123, 2829061799]
# Re-derive the key exactly as the challenge does: SHA-256 over the printed
# form of the list, so the list formatting has to match.
key = hashlib.sha256(str(secrets).encode()).digest()
c=long_to_bytes(0x99ff236d4f1e020e6c83cc154e20f71eb510913056d47344b44a87f98664efd3)
m=AES.new(key, AES.MODE_ECB).decrypt(c)
print(m)

data_protection

#run under python3

import random
from secret import flag,name,phone,mail,address,school,seed
from gmpy2 import *
from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import sha256
# Seed Python's random module from a secret value.  Every random.* call below
# draws from this single generator, so values printed by one encrypt function
# are linked to the keys drawn by the others.
random.seed(seed)
def encrypt1(m):
    """Print the RSA ciphertext of ``m`` and the modulus used.

    Both primes are the next primes after 96-bit outputs of the seeded
    ``random`` generator, so the modulus is small and its factors also
    reveal (up to a small gap) six 32-bit generator words.
    """
    # The draw order matters for anyone replaying the generator: p's source
    # value is drawn first, then q's.
    p = next_prime(random.getrandbits(96))
    q = next_prime(random.getrandbits(96))
    n = p*q
    e = 65537
    assert(m<n)
    print (pow(m,e,n))
    print (n)


def encrypt2(m):
    """Print the RSA-style ciphertext of ``m`` and the modulus used.

    The first factor p is a fixed constant; the second factor is drawn from
    the seeded ``random`` generator.
    """
    p = 11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
    # NOTE(review): the lower bound appears to be p itself and the two bounds
    # differ only in their trailing digits, so q sits in a narrow window just
    # above p -- confirm.
    q = random.randrange(11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997,11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526563615762644)
    # nq is computed but never used: the modulus below is built from q, which
    # is a random integer and not necessarily prime.
    nq = next_prime(q)
    n = p*q
    e = 65537
    
    assert(m<n)
    print (pow(m,e,n))
    print (n)


def encrypt3(msg):
    """Print a prime q, a 34-row key matrix and the products key * msg mod q.

    Each key row has one 32-bit entry per element of ``msg``, drawn row by
    row from the seeded ``random`` generator.  The whole matrix is printed,
    so the message follows from a linear solve over GF(q) and every matrix
    entry is a published generator output.
    """
    q = getPrime(33)
    key = []
    for _ in range(34):
        row = []
        for _ in msg:
            word = random.getrandbits(32)
            # Always true: a 33-bit prime exceeds any 32-bit value.
            assert(word<q)
            row.append(word)
        key.append(row)
    # One inner product per key row, reduced modulo q.
    cipher = [sum(k*v for k,v in zip(row,msg))%q for row in key]
    print (q)
    print (key)
    print (cipher)

def encrypt4(msg):
    """Print the AES-ECB ciphertext of ``msg`` as an integer.

    The 128-bit key comes from the seeded ``random`` generator, so it is
    only as secret as that generator's state.
    """
    # long_to_bytes drops leading zero bytes, so the key can come out shorter
    # than 16 bytes when the top byte of the drawn value is zero.
    key = long_to_bytes(random.getrandbits(128))
    ciphertext = AES.new(key,AES.MODE_ECB).encrypt(msg)
    print (bytes_to_long(ciphertext))

def encrypt5(msg):
    """Print ElGamal-style public values (q, g, h) and ciphertext (c1, c2).

    The generator g, the private key x and the ephemeral value y are all
    taken from the seeded ``random`` generator, in that order.
    """
    q = getPrime(512)
    # Keep the draw order g, x, y: a solver replaying the generator depends
    # on it.
    g = random.randrange(q-1)
    x = random.randrange(q-1)
    y = random.randrange(q-1)
    h = pow(g,x,q)
    # Shared mask s = h^y = g^(x*y); the ciphertext is (g^y, msg*s).
    c1 = pow(g,y,q)
    c2 = (msg*pow(h,y,q))%q
    print (q,g,h)
    print (c1,c2)

# Record 1: the name, encrypted with encrypt1.
msg1 = bytes_to_long(name)
encrypt1(msg1)

# Record 2: the phone number followed by 160 bits from the seeded generator.
# The 160-bit draw happens here, between encrypt1's and encrypt2's own draws.
msg2 = bytes_to_long(phone+long_to_bytes(random.getrandbits(160)))
encrypt2(msg2)

# Record 3: the mail address as a list of byte values.
msg3 = list(mail)
encrypt3(msg3)

#Note the address includes digits, letters, '.' and '_'
msg4 = address
encrypt4(msg4)

# Record 5: the school name.
msg5 = bytes_to_long(school)
encrypt5(msg5)


# The flag is built from truncated SHA-256 digests of the five fields.
flag = 'flag{'+'-'.join(
    sha256(field).hexdigest()[:keep]
    for field, keep in ((name,8),(phone,4),(mail,4),(address,4),(school,12))
)+'}'
#print (flag)

套娃题了,前两个简单的RSA解密,第三个矩阵运算,第四个和第五个都是运用MT19937预测AES和Elgamal的私钥进行解密

import gmpy2
# Record 1 (name): the modulus is the product of the two primes below, so
# this is ordinary RSA decryption.
e=65537
c=659742747933803685159824618024154814230816386382620824215
p,q=22186905890293167337018474103,64390888389278700958517837593
n,phi=p*q,(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m=int(pow(c,d,n))
print(m.to_bytes(10,'big'))

#Xiaoming
import gmpy2
p=11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
n=134949786048887319137407994803780389722367094355650515833817995038306119197600539524985448574053755793699799863164150565217726975197643634831307454431403854861515253009970594684699064052739820092115115614153962139870020206132705821506686959283747802946805730902605814619499301779892151365118901010526138311982
q= 10931740521710649641129836704228357436391126949743247361384455561383094203666858697822945232269161198072127321232960803288081264483098926838278972991
c=93823394819893781294145893595876176392272709588141239765465056990025264756001551662286866510606348927770275357928084190921646652273213088016700645013648101794273512066846822716422789921137430035251019936921307446229894438817835962711632983943326022431165313426682669557098482175573639354190037351152748781943
e=65537
# Record 2 (phone).  The exponent modulus is written as a product that
# contains (p-1); since the final exponentiation is done modulo p alone, only
# that factor matters, and the result is the plaintext as long as it is
# smaller than p.
# NOTE(review): the remaining factors look like pieces of the composite
# second factor of n -- confirm how they were obtained.
phi=(p-1)*2*(3^2)*10*1788*(q-1)
d=gmpy2.invert(e,phi)
m=int(pow(c,d,p))
print(m)
# Printed left-padded to 200 bytes; the plaintext is the phone number
# followed by the random suffix appended by the challenge.
print(m.to_bytes(200,'big'))

#15412134151
q=6457637957
key=[[978955513, 2055248981, 3094004449, 411497641, 4183759491, 521276843, 1709604203, 3162773533, 2140722701, 782306144, 421964668, 356205891, 1039083484, 1911377875, 1661230549, 312742665, 3628868938, 2049082743], [3833871085, 2929837680, 2614720930, 4056572317, 3787185237, 93999422, 590001829, 429074138, 3012080235, 2336571108, 831707987, 3902814802, 2084593018, 316245361, 1799842819, 2908004545, 120773816, 2687194173], [3213409254, 3303290739, 742998950, 2956806179, 2834298174, 429260769, 769267967, 1301491642, 2415087532, 1055496090, 690922955, 2984201071, 3517649313, 3675968202, 3389582912, 2632941479, 186911789, 3547287806], [4149643988, 3811477370, 1269911228, 3709435333, 1868378108, 4173520248, 1573661708, 2161236830, 3266570322, 1611227993, 2539778863, 1857682940, 1020154001, 92386553, 3834719618, 3775070036, 3777877862, 2982256702], [4281981169, 2949541448, 4199819805, 3654041457, 3300163657, 1674155910, 1316779635, 66744534, 3804297626, 2709354730, 2460136415, 3983640368, 3801883586, 1068904857, 4178063279, 41067134, 752202632, 3143016757], [3078167402, 2059042200, 252404132, 415008428, 3611056424, 1674088343, 2460161645, 3311986519, 3130694755, 934254488, 898722917, 2865274835, 567507230, 1328871893, 3903457801, 2499893858, 492084315, 183531922], [3529830884, 4039243386, 233553719, 4118146471, 1646804655, 2089146092, 2156344320, 2329927228, 508323741, 1931822010, 579182891, 176447133, 597011120, 3261594914, 2845298788, 3759915972, 3095206232, 3638216860], [3352986415, 4264046847, 3829043620, 2530153481, 3421260080, 1669551722, 4240873925, 2101009682, 3660432232, 4224377588, 929767737, 3729104589, 2835310428, 1727139644, 1279995206, 1355353373, 2144225408, 1359399895], [3105965085, 818804468, 3230054412, 2646235709, 4053839846, 2878092923, 587905848, 1589383219, 2408577579, 880800518, 28758157, 1000513178, 2176168589, 187505579, 89151277, 1238795748, 8168714, 3501032027], [3473729699, 1900372653, 305029321, 2013273628, 1242655400, 4192234107, 
2446737641, 1341412052, 304733944, 4174393908, 2563609353, 3623415321, 49954007, 3130983058, 425856087, 2331025419, 34423818, 2042901845], [1397571080, 1615456639, 1840339411, 220496996, 2042007444, 3681679342, 2306603996, 732207066, 663494719, 4092173669, 3034772067, 3807942919, 111475712, 2065672849, 3552535306, 138510326, 3757322399, 2394352747], [371953847, 3369229608, 1669129625, 168320777, 2375427503, 3449778616, 1977984006, 1543379950, 2293317896, 1239812206, 1198364787, 2465753450, 3739161320, 2502603029, 1528706460, 1488040470, 3387786864, 1864873515], [1356892529, 1662755536, 1623461302, 1925037502, 1878096790, 3682248450, 2359635297, 1558718627, 116402105, 3274502275, 2436185635, 771708011, 3484140889, 3264299013, 885210310, 4225779256, 363129056, 2488388413], [2636035482, 4140705532, 3187647213, 4009585502, 351132201, 2592096589, 3785703396, 750115519, 3632692007, 3936675924, 3635400895, 3257019719, 1928767495, 2868979203, 622850989, 3165580000, 4162276629, 4157491019], [1272163411, 1251211247, 357523138, 1233981097, 1855287284, 4079018167, 4028466297, 92214478, 4290550648, 648034817, 1247795256, 3928945157, 1199659871, 397659647, 3360313830, 561558927, 3446409788, 2727008359], [1470343419, 3861411785, 953425729, 65811127, 458070615, 1428470215, 3101427357, 1137845714, 1980562597, 4120983895, 45901583, 2869582150, 427949409, 3025588000, 3231450975, 3313818165, 4015642368, 3197557747], [2452385340, 111636796, 897282198, 4273652805, 1223518692, 3680320805, 2771040109, 3617506402, 3904690320, 77507239, 3010900929, 4099608062, 546322994, 1084929138, 902220733, 4054312795, 1977510945, 735973665], [3729015155, 3027108070, 1442633554, 1949455360, 2864504565, 3673543865, 446663703, 3515816196, 1468441462, 897770414, 2831043012, 707874506, 1098228471, 1225077381, 3622448809, 2409995597, 3847055008, 1887507220], [1839061542, 1963345926, 2600100988, 1703502633, 1824193082, 3595102755, 2558488861, 2440526309, 3909166109, 1611135411, 2809397519, 1019893656, 
3281060225, 2387778214, 2460059811, 198824620, 1645102665, 865289621], [224442296, 3009601747, 3066701924, 1774879140, 880620935, 2676353545, 3748945463, 1994930827, 75275710, 3710375437, 4132497729, 3010711783, 3731895534, 2434590580, 3409701141, 2209951200, 995511645, 3571299495], [2337737600, 110982073, 2985129643, 1668549189, 3298468029, 698015588, 2945584297, 1036821195, 4249059927, 3384611421, 3304378629, 1307957989, 602821252, 184198726, 1182960059, 4200496073, 1562699893, 3320841302], [5866561, 2442649482, 479821282, 2687097642, 3347828225, 1876332308, 2704295851, 2952277070, 1803967244, 2837783916, 658984547, 3605604364, 1931924322, 3285319978, 556150900, 3795666798, 261321502, 1040433381], [3855222954, 3565522064, 1841853882, 1066304362, 3552076734, 3075952725, 2193242436, 2052898568, 2341179777, 3089412493, 165812889, 4196290126, 3568567671, 28097161, 2249543862, 1251207418, 522526590, 765541973], [1801734077, 2132230169, 667823776, 3900096345, 3119630138, 3620542178, 2900630754, 30811433, 608818254, 1040662178, 900811411, 3221833258, 43598995, 1818995893, 2718507668, 3445138445, 3217962572, 1437902734], [1812768224, 392114567, 2694519859, 1941199322, 2523549731, 2078453798, 851734499, 2376090593, 2069375610, 4084690114, 246441363, 4154699271, 58451971, 31806021, 4158724930, 2741293247, 3230803936, 2790505999], [3906342775, 2231570871, 1258998901, 1517292578, 162889239, 3130741176, 3925266771, 1780222960, 2378568279, 3873144834, 1597459529, 1581197809, 4101706041, 196019642, 1439141586, 587446072, 2012673288, 1280875335], [4058452685, 653145648, 553051697, 1406542226, 4053722203, 994470045, 2066358582, 3919235908, 2315900402, 3236350874, 172880690, 3104147616, 489606166, 3898059157, 200469827, 665789663, 3116633449, 4137295625], [1460624254, 4286673320, 2664109800, 1995979611, 4091742681, 2639530247, 4240681440, 2169059390, 1149325301, 3139578541, 2320870639, 3148999826, 4095173534, 2742698014, 3623896968, 2444601912, 1958855100, 1743268893], 
[2187625371, 3533912845, 29086928, 543325588, 4247300963, 1972139209, 272152499, 4276082595, 3680551759, 1835350157, 3921757922, 2716774439, 1070751202, 69990939, 3794506838, 699803423, 3699976889, 40791189], [539106994, 1670272368, 3483599225, 2867955550, 2207694005, 1126950203, 693920921, 2333328675, 539234245, 1961438796, 3126390464, 1118759587, 59715473, 1450076492, 4101732655, 3658733365, 940858890, 1262671744], [3092624332, 2175813516, 3355101899, 3657267135, 770650398, 359506155, 4149470178, 3763654751, 1184381886, 942048015, 523057971, 1098635956, 1732951811, 150067724, 2417766207, 4152571821, 2759971924, 4284842765], [3336022203, 2569311431, 2752777107, 1441977867, 1279003682, 3861567631, 1064716472, 3046493996, 1339401643, 39466446, 1464905290, 420733872, 2057911345, 2418624800, 2193625430, 1558527155, 4224908000, 207684355], [2681129718, 4210889596, 4051161171, 3131196482, 1128312875, 938670840, 2828563599, 3078146488, 1102989364, 3557724304, 156013303, 2371355565, 3608679353, 3513837899, 155622460, 396656112, 2493417457, 876296360], [3135876409, 181875076, 3662181650, 3851859805, 3626146919, 90441351, 1944988720, 585429580, 3158268550, 1399100291, 3688843295, 2851190, 2670576474, 3177735154, 3479499727, 197376977, 1790622954, 2393956089]]
c=[678819070, 3817412512, 301055013, 3114443682, 1912121740, 6169688434, 3834848760, 720680768, 3243307544, 2416524053, 3681314853, 2462958278, 1788315814, 1598431410, 3242718726, 1781508823, 5681795746, 5178418664, 6449543467, 1237772319, 6209249676, 3838512107, 3752816369, 1313804600, 1188836210, 3446064361, 143393929, 3810070519, 5753849566, 4918185832, 1289703820, 6211307915, 1782532569, 4395333125]
# Record 3 (mail): cipher = key * msg over GF(q) with the full key published,
# so the message is the solution of a linear system.
F=GF(q)
key=Matrix(F,key)
c=vector(F,c)
m=list(key.solve_right(c))
print(bytes(m))

#Xiaoming@cmail.com

4.5

这里 MT19937 的 624 个 32 位状态字需要从整份题目输出里凑齐。要注意的是 Python 中 random 生成的随机数都是以 32 位为一组:位数超过 32 时由多组拼接(低位在前),不足 32 位时取一组再把多余的位截掉。最后学了下 wp 里用的 RandCrack,太强大了

import sympy
import gmpy2
from Crypto.Cipher import AES
from Crypto.Util.number import *
from tqdm import tqdm
from randcrack import RandCrack

def move(m,t):
	"""Feed ``t`` 32-bit words of ``m`` to the global RandCrack instance.

	Words are submitted least-significant first, and ``m`` is consumed 32
	bits at a time.
	"""
	word_mask=2**32-1
	for _ in range(t):
		rc.submit(m&word_mask)
		m>>=32
		
# Factors of encrypt1's modulus.  The raw 96-bit generator outputs are not
# known exactly: each lies between the previous prime and the factor itself,
# which is the range the search loop below walks through.
p1 = 22186905890293167337018474103
q1 = 64390888389278700958517837593
prep1 = sympy.prevprime(p1)
preq1 = sympy.prevprime(q1)
# 'out' holds the challenge output, one printed value per line.
with open('out') as f:
	s = f.read().splitlines()
# NOTE(security): eval() executes whatever the line contains.  The lines read
# here are an integer and a nested list of integers, which int() and
# ast.literal_eval() would parse without running code; keep eval() only for
# files you produced yourself.
n = eval(s[3])
p=11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
e = 65537
# Low 31 bits of the second factor of encrypt2's modulus.
# NOTE(review): the loop below treats (q<<1)+r as one 32-bit generator word,
# presumably because the randrange call there keeps 31 bits of a word -- confirm.
q = (n // p)%(2**31)
key = eval(s[5])
# Flatten the key matrix row by row, the order in which it was generated.
key = [x for y in key for x in y]
pads=b'\xf1\x0f\xb5\xb5\xae\xf0\x05\x92BWR\xd0>\x91\x0cv\xbc ]\x81'
pads = bytes_to_long(pads)
msg=long_to_bytes(152306929817910220077778723987104768071)
qq=12217466470388578339925921504697419805922316645286268670005262949923786678953775204218792050281040210171698682980282116705949902617753168109140673704093013   
c1=1206086806846740801537809351203441891991149258137979326257729133418947335751911053166910334440727360724054611656176111461530487297130872946166550101453709 
c2=9595419621184859047616076479725843810995669805509369406782913078875593428769072592975736393012907744950510239492901380211367555005217818487881050318849564

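# Search the few unknowns (the two raw 96-bit values behind encrypt1's primes
# and one dropped bit r), rebuild the generator state with RandCrack from the
# observed words, then predict the AES key and the ElGamal values.
# Words submitted per attempt: 3 + 3 + 5 + 1 + len(key); RandCrack needs 624,
# so len(key) is expected to be 612 (34 rows of 18 entries).
for a in tqdm(range(prep1,p1)):
	for b in range(preq1,q1):
		for r in range(2):
			rc=RandCrack()
			move(a,3)
			move(b,3)
			move(pads,5)
			move((q<<1)+r,1)
			for i in range(len(key)):
				move(key[i],1)
			aeskey = long_to_bytes(rc.predict_getrandbits(128))
			try:
				pt = AES.new(aeskey, AES.MODE_ECB)
				m=pt.decrypt(msg)
				# The address is known to contain '_' and '.', which serves
				# as the check that this guess of the state is right.
				if '_' in str(m) and '.' in str(m):
					print(m)
					# g is not needed, but the call must stay so that the
					# predictor advances past it before x and y.
					gg=rc.predict_randrange(qq-1)
					x=rc.predict_randrange(qq-1)
					y=rc.predict_randrange(qq-1)
					m2=c2*(gmpy2.invert(pow(c1,x,qq),qq))%qq
					print(long_to_bytes(m2))
			except Exception:
				# A wrong guess can yield an unusable key or a failing
				# prediction; skip it.  Catching Exception instead of using a
				# bare except keeps Ctrl-C able to stop this long search.
				continue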
				
#No.007_hack_road
#MakeUSAGreatAgain_University

getflag

from hashlib import sha256
# The five recovered fields, in the order the challenge hashes them.
name=b'Xiaoming'
phone=b'15412134151'
mail=b'Xiaoming@cmail.com'
address=b'No.007_hack_road'
school=b'MakeUSAGreatAgain_University'
# Each field contributes a truncated SHA-256 hex digest: 8, 4, 4, 4 and 12
# characters respectively, joined with '-'.
flag = 'flag{'+'-'.join(
    sha256(field).hexdigest()[:keep]
    for field, keep in ((name,8),(phone,4),(mail,4),(address,4),(school,12))
)+'}'
print(flag)

doublesage

from sage.modules.free_module_integer import IntegerLattice
from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler
from sage.crypto.lwe import LWE
from sage.crypto.lwe import samples 
import numpy as np
import signal

def Question(n,m,para_D,para_e):  
	"""Pose one LWE round and exit unless the answer is close enough.

	Builds ``m`` LWE samples of dimension ``n`` modulo q = next_prime(n^2),
	prints the matrix A and vector C, reads a vector x from stdin and
	requires the centred norm of x*A - C to be below ``para_e`` times the
	norm of the real error vector.  ``para_D * n`` is the parameter of the
	discrete Gaussian error sampler.
	"""
	# Ask for SIGALRM after 600 seconds; no handler is installed in this
	# listing.
	signal.alarm(600)     
	print('[+] Question:') 
	# m=n^2-2
	q=next_prime(n^2)                           
	D=DiscreteGaussianDistributionIntegerSampler(para_D*n)
	lwe=LWE(n=n, q=q, D=D)
	Z=[lwe() for _ in range(m)]
	# Samples become the columns of A (n rows, m columns); C holds the
	# matching right-hand sides.
	A=matrix([a for (a,c) in Z]).transpose()
	C=vector([c for (a,c) in Z])
	print('[+] The following matrix operations are modulus',q)
	print('\n[+] Matrix A of size',n,'*',m,':'); print(A)
	print('\n[+] Vector C of size',1,'*',m,':'); print(np.array(C))
	# Real error vector, using the oracle's secret through its name-mangled
	# private attribute.
	E=lwe._LWE__s*A-C
	E=[int(e) for e in E]
	# Centre the residues: values above floor(q/2) become negative.
	E=vector([e if e <= floor(q/2) else e-q for e in E])
	# Acceptance threshold: the real error norm scaled by para_e.
	E_norm=E.norm().n()*para_e
	print('[+] Please give an integer vector x of size',1,'*',m,'(format [1 2 3] or [1, 2, 3]), such that the norm of vector x*A-C <=',E_norm,', where operations are modulus',q,':')
	k=GF(q)^n
	x=k(0)
	u=input()
	try:
		# NOTE(review): the prompt asks for m entries, but only the first n
		# entries of the first row are copied into x.
		u=np.matrix(u)
		for i in range(n):
			x[i]=u[0,i]
	except:
		# Any failure while parsing or copying is reported as a format error.
		print('[+] Wrong format, exit.')
		exit()
	# Same centred-norm computation for the submitted vector.
	E=x*A-C
	E=[int(e) for e in E]
	E=vector([e if e <= floor(q/2) else e-q for e in E])
	tmp=E.norm().n()
	print('[+] The norm of vector x*A-C is', tmp,',', tmp<E_norm,'.\n')
	# The check is strict (<) although the prompt says <=.
	if not tmp<E_norm:
		exit()
	

def ReadFlag():
	"""Print the flag; this published copy holds only a masked placeholder."""
	placeholder='flag{**********}'
	print(placeholder)

# Two rounds, each given as (n, m, para_D, para_e); the flag is printed only
# if neither round exits.
for round_params in ((5, 23, 1.5, 1.1), (15, 143, 1.5, 3)):
	Question(*round_params)
ReadFlag()

看描述是个LWE的,不会就得学😢

和以前见过的GGH有点像,都是基于CVP构建的平均困难问题

Search-LWE 要解决的问题是:给定多组带噪声的线性方程 Ax+e=B,在已知A,B的情况下还原x

其中e被称为噪声扰动,如果没有e我们能通过高斯消元很容易地解决这个问题

在加上e后这个问题就变成了在由A的列向量构成的格空间里找B的最近向量

在这个地方题目并不需要我们求最近向量,而是近似最近,wp上采取的是一种求伪逆的方式,似乎是解决最小范数问题的有效途径(但是因为限制松随便输也有可能满足)

# Template for round 1 (n=5, so q = next_prime(25) = 29).  The matrix and the
# vector are empty placeholders: paste the values printed by the server
# before running.  Round 2 uses n=15, so GF(29) has to be changed for it.
A=Matrix(GF(29),[])
# Right pseudo-inverse A^T * (A*A^T)^(-1), computed over GF(29).
K=A.transpose()*(A*A.transpose())^(-1)
# Presumably the printed vector C goes here -- confirm.
v=vector(GF(29),)
# Candidate answer to submit.
V=v*K
print(V)

总的来说原理弄得还不是很清楚,等过段时间把基于格的加密梳理一遍再来复现
