NPUCTF2020 共模攻击
拜读师傅们的wp颇有收获,记录在此,以备日后查阅~
hint
1. hint.py中后半部分代码给了n,e1,e2,c1,c2可以求出c的值,由c和p可以求得m,由m得到hint
2. c的求解过程就是共模攻击。共模攻击代码[1]如下(通用)
1 # py2 sameNAttack.py 2 import primefac 3 4 def same_n_attack(n,e1,e2,c1,c2): 5 def egcd(a,b): 6 x, lastX = 0, 1 7 y, lastY = 1, 0 8 while (b != 0): 9 q = a // b 10 a, b = b, a % b 11 x, lastX = lastX - q * x, x 12 y, lastY = lastY - q * y, y 13 return (lastX, lastY) 14 s = egcd(e1,e2) 15 s1 = s[0] 16 s2 = s[1] 17 if s1 < 0: 18 s1 = -s1 19 c1 = primefac.modinv(c1, n) 20 if c1 < 0: 21 c1 += n 22 elif s2 < 0: 23 s2 = -s2 24 c2 = primefac.modinv(c2, n) 25 if c2 < 0: 26 c2 += n 27 m = (pow(c1, s1, n) * pow(c2, s2, n)) % n 28 return m
3. 得到c后,有这样的一个表达式:c = m256 mod p,有两种方法解出m。
方法一:借助Python的sympy库nthroot_mod方法[2]
1 # dec.py 2 from Crypto.Util.number import long_to_bytes 3 from sameNAttack import same_n_attack 4 from sympy.ntheory.residue_ntheory import nthroot_mod 5 6 # hint 7 n = 6807492006219935335233722232024809784434293293172317282814978688931711423939629682224374870233587969960713638310068784415474535033780772766171320461281579 8 e1= 2303413961 9 e2 = 2622163991 10 c1 = 1754421169036191391717309256938035960912941109206872374826444526733030696056821731708193270151759843780894750696642659795452787547355043345348714129217723 11 c2= 1613454015951555289711148366977297613624544025937559371784736059448454437652633847111272619248126613500028992813732842041018588707201458398726700828844249 12 c = same_n_attack(n, e1, e2, c1, c2) 13 print c 14 15 p = 107316975771284342108362954945096489708900302633734520943905283655283318535709 16 m = nthroot_mod(c,256,p,all_roots=True) 17 print m 18 for i in m: 19 print i 20 hint = long_to_bytes(i) 21 print hint
得到hint:m.bit_length() < 400
task
由于hint提示了m有长度限制,所以联想到Coppersmith定理。Coppersmith定理的内容为:在一个e阶的mod n多项式f(x)中,如果有一个根小于n^1/e,就可以运用一个O(log n)的算法求出这些根[3]。计算可得m是满足这个情况的。
task中我们可以获取的信息有:
c1 = mp mod n = mp mod p*q
c2 = mq mod n = mq mod p*q
因为p、q为素数,所以由费马定理可得:
mp ≡ m mod p
mq ≡ m mod q
所以,又有:
c1 = m + ip + xpq,可整理成 c1 = m + ip
c2 = m + jq + ypq,可整理成 c2 = m + jq
因此:
c1 * c2 = m2 + (ip + jq)m + ijn
(c1 + c2)m = 2m2 + (ip+jq)m
有: m2 - (c1 + c2)m + c1 * c2 = ijn ≡ 0 mod n
最终的任务就是求m的值。
sage代码[2]如下:
1 n=128205304743751985889679351195836799434324346996129753896234917982647254577214018524580290192396070591032007818847697193260130051396080104704981594190602854241936777324431673564677900773992273463534717009587530152480725448774018550562603894883079711995434332008363470321069097619786793617099517770260029108149 2 c1=96860654235275202217368130195089839608037558388884522737500611121271571335123981588807994043800468529002147570655597610639680977780779494880330669466389788497046710319213376228391138021976388925171307760030058456934898771589435836261317283743951614505136840364638706914424433566782044926111639955612412134198 3 c2=9566853166416448316408476072940703716510748416699965603380497338943730666656667456274146023583837768495637484138572090891246105018219222267465595710692705776272469703739932909158740030049375350999465338363044226512016686534246611049299981674236577960786526527933966681954486377462298197949323271904405241585m 4 5 PR.<m> = PolynomialRing(Zmod(n)) 6 f = m^2-(c1+c2)*m+c1*c2 7 x0 = f.small_roots(X=2^400) 8 print(x0)
得到x0=4242839043019782000788118887372132807371568279472499477998758466224002905442227156537788110520335652385855
用Python输出以下就可以:
1 from Crypto.Util.number import long_to_bytes 2 x0=4242839043019782000788118887372132807371568279472499477998758466224002905442227156537788110520335652385855 3 print long_to_bytes(x0)
最终结果为verrrrrrry_345yyyyyyy_rsaaaaaaa_righttttttt?
Reference
[1] FlappyPig. CTF特训营. 2020