NPUCTF2020 共模攻击

拜读师傅们的wp颇有收获,记录在此,以备日后查阅~

hint

1. hint.py中后半部分代码给了n,e1,e2,c1,c2可以求出c的值,由c和p可以求得m,由m得到hint

2. c的求解过程就是共模攻击。共模攻击代码[1]如下(通用)

 1 # py2 sameNAttack.py
 2 import primefac
 3 
 4 def same_n_attack(n,e1,e2,c1,c2):
 5     def egcd(a,b):
 6         x, lastX = 0, 1
 7         y, lastY = 1, 0
 8         while (b != 0):
 9             q = a // b
10             a, b = b, a % b
11             x, lastX = lastX - q * x, x
12             y, lastY = lastY - q * y, y
13         return (lastX, lastY)
14     s = egcd(e1,e2)
15     s1 = s[0]
16     s2 = s[1]
17     if s1 < 0:
18         s1 = -s1
19         c1 = primefac.modinv(c1, n)
20         if c1 < 0:
21             c1 += n
22     elif s2 < 0:
23         s2 = -s2
24         c2 = primefac.modinv(c2, n)
25         if c2 < 0:
26             c2 += n
27     m = (pow(c1, s1, n) * pow(c2, s2, n)) % n
28     return m

3. 得到c后,有这样的一个表达式:c = m256 mod p,有两种方法解出m。

  方法一:借助Python的sympy库nthroot_mod方法[2]

 1 # dec.py
 2 from Crypto.Util.number import long_to_bytes
 3 from sameNAttack import same_n_attack
 4 from sympy.ntheory.residue_ntheory import nthroot_mod
 5 
 6 # hint
 7 n = 6807492006219935335233722232024809784434293293172317282814978688931711423939629682224374870233587969960713638310068784415474535033780772766171320461281579
 8 e1= 2303413961
 9 e2 = 2622163991
10 c1 = 1754421169036191391717309256938035960912941109206872374826444526733030696056821731708193270151759843780894750696642659795452787547355043345348714129217723
11 c2= 1613454015951555289711148366977297613624544025937559371784736059448454437652633847111272619248126613500028992813732842041018588707201458398726700828844249
12 c = same_n_attack(n, e1, e2, c1, c2)
13 print c
14 
15 p = 107316975771284342108362954945096489708900302633734520943905283655283318535709
16 m = nthroot_mod(c,256,p,all_roots=True)
17 print m
18 for i in m:
19     print i
20     hint = long_to_bytes(i)
21     print hint

得到hint:m.bit_length() < 400

task

  由于hint提示了m有长度限制,所以联想到Coppersmith定理。Coppersmith定理的内容为:在一个e阶的mod n多项式f(x)中,如果有一个根小于n^1/e,就可以运用一个O(log n)的算法求出这些根[3]。计算可得m是满足这个情况的。

task中我们可以获取的信息有:

  c1 = mp mod n = mp mod p*q

  c2 = mq mod n = mq mod p*q

因为p、q为素数,所以由费马定理可得:

  mp ≡ m mod p

  mq ≡ m mod q

所以,又有:

  c1 = m + ip + xpq,可整理成 c1 = m + ip 

  c2 = m + jq + ypq,可整理成 c2 = m + jq

因此:

  c1 * c2 = m2 + (ip + jq)m + ijn

  (c1 + c2)m = 2m2 + (ip+jq)m 

  有: m2 - (c1 + c2)m + c1 * c2 = ijn ≡ 0 mod n

最终的任务就是求m的值。

sage代码[2]如下:

1 n=128205304743751985889679351195836799434324346996129753896234917982647254577214018524580290192396070591032007818847697193260130051396080104704981594190602854241936777324431673564677900773992273463534717009587530152480725448774018550562603894883079711995434332008363470321069097619786793617099517770260029108149
2 c1=96860654235275202217368130195089839608037558388884522737500611121271571335123981588807994043800468529002147570655597610639680977780779494880330669466389788497046710319213376228391138021976388925171307760030058456934898771589435836261317283743951614505136840364638706914424433566782044926111639955612412134198
3 c2=9566853166416448316408476072940703716510748416699965603380497338943730666656667456274146023583837768495637484138572090891246105018219222267465595710692705776272469703739932909158740030049375350999465338363044226512016686534246611049299981674236577960786526527933966681954486377462298197949323271904405241585m
4 
5 PR.<m> = PolynomialRing(Zmod(n))
6 f = m^2-(c1+c2)*m+c1*c2
7 x0 = f.small_roots(X=2^400)
8 print(x0)

得到x0=4242839043019782000788118887372132807371568279472499477998758466224002905442227156537788110520335652385855

用Python输出以下就可以:

1 from Crypto.Util.number import long_to_bytes
2 x0=4242839043019782000788118887372132807371568279472499477998758466224002905442227156537788110520335652385855
3 print long_to_bytes(x0)

最终结果为verrrrrrry_345yyyyyyy_rsaaaaaaa_righttttttt?

Reference

[1] FlappyPig. CTF特训营. 2020

[2] https://shimo.im/docs/6hyIjGkLoRc43JRs

[3] https://www.52pojie.cn/thread-653446-1-8.html

posted @ 2020-07-13 22:15  vict0r  阅读(2518)  评论(0编辑  收藏  举报