只会简单的,后两题不会
signin
题目描述:
from Crypto.Util.number import *
from random import randrange
from secret import flag
def pr(msg):
print(msg)
pr(br"""
....''''''....
.`",:;;II;II;;;;:,"^'.
'"IlllI;;;;;;;;;;;;;Il!!l;^.
`l><>!!!!!!!!iiiii!!!!!!!!i><!".
':>?]__++~~~~~<<<<<<<<<<<<<<<<~~+__i".
.:i+}{]?-__+++~~~~~~<<<<<~~~~~~+_-?[\1_!^
.;<_}\{]-_++~<<<<<<<<<<<<<<<<<<<~+-?]\|]+<^
.!-{t|[?-}(|((){_<<<<<<<<<_}1)))1}??]{t|]_"
!)nf}]-?/\){]]]_<<<<<<<<<_]]}}{\/?-][)vf?`
'!tX/}]--<]{\Un[~~<<<<<~~<~-11Yz)<--?[{vv[".
.<{xJt}]?!ibm0%&Ci><<<<<<<<!0kJW%w+:-?[{uu)},
!1fLf}]_::xmqQj["I~<<<<<<>"(ZqOu{I^<?[{cc)[`
`}|x\}]_+<!<+~<<__~<<<<<<+_<<_+<><++-[1j/(>
!\j/{]-++___--_+~~<i;I>~~~__-______?}(jf}`
;~(|}?_++++~~++~+]-++]?+++~~~~+++-[1/]>^
;\([?__+_-?]?-_-----__-]?-_+++-]{/].
l||}?__/rjffcCQQQQQLUxffjf}+-]1\?'
,[\)[?}}-__[/nzXXvj)?__]{??}((>.
.I[|(1{]_+~~~<~~<<<~+_[}1(1+^
,~{|\)}]_++++++-?}1)1?!`
."!_]{11))1{}]-+i:'
.`^","^`'.
""".decode())
def gen_prime(bit):
while 1:
P = getPrime(bit)
if len(bin(P)) - 2 == bit:
return P
pq_bit = 512
offset = 16
P,Q = [gen_prime(pq_bit) for i in range(2)]
N = P * Q
gift = int(bin(P ^ (Q >> offset))[2+offset:],2)
pr(N)
pr(gift)
inpP = int(input())
if inpP != P:
pr(b"you lose!")
exit()
secret = randrange(0,P)
bs = [randrange(0,P) for _ in range(38)]
results = [(bi * secret) % P for bi in bs]
rs = [ri & (2 ** offset - 1) for ri in results]
pr(bs)
pr(rs)
inpsecret = int(input())
if inpsecret == secret:
pr(flag)
题目分析:
P的获取分析和 DASCTF-2023-ezRSA 这题一样,此处也就不过多赘述了,唯一不同的是此处的gift高16位没给,这样的话,直接爆破,代码如下:
from random import randrange
N = 73112325447718419004547130726695718285793085958231107892863489717428446716838799849309454056415849869930556787026583737635045001044331824958338557356039885155281113144595678795533444159689102603206422423835572911701365510630670709050480182217561850257781379648014791821272434711481938951190881233041060596523
gift1 = 115073356145766093260644381479331808320549133985413353306940738670775007719301812510687311522173487690937202937075087659433551944224376340973897790917
def gen_pq(gift1,N):
for i in range(2 ** 15,2 ** 16):
print(i)
gift = int(bin(i)[2:] + '0' * (496-gift1.bit_length()) + bin(gift1)[2:],2)
# bin(gift1)[2:]也许并非496bits,可能前导0会省略,自行加上即可
pbar = gift >> (512 - 16)
while True:
try:
qbar = (N >> (1024 - pbar.bit_length() * 2)) // pbar
qbar = qbar >> 6
gifts = gift ^ (qbar << (512 - 16 - qbar.bit_length()))
pbar = gifts >> (512 - 16 - qbar.bit_length())
except:
break
for i in range(64):
P = (pbar << 6) + i
if N % P == 0:
print(P)
return P
gen_pq(gift1,N)
# P = 9463395021022080495725625579099709864198202996192818493676075430361086175809577174253865589866353281287908307347544682931439681148579311956298173287376473
至此 得到bs,rs
b = [6099745272052586004179912608738971034534930536137743613897081917185107394368705591323971750395506839750452649288267772188419489756675205679949408086451232, 3951191747812729045440242820895124607189480251095163295242628450942998752364973601131023646206377502005591988554681151953526704565202075013281769088815523, 1404420597554404030107272770922253996678162333687352195618251218863999850248824692838151822875031075053556888677319712477280556217652901167451648905364386, 4488294572333656708259420377539737505003996159677656468026097114601711607985567015550450770914323371829296766770532559711193361180597308950367687185966302, 5481102322187479419436505829074865646684095327365195150222467418442873465357487402747218531517017371054667814520443813042860956594726076176855372054132653, 2713802788133698269409249999536200419140314121130473258656206052429002170951741696862581935955915442467962543363756219468741646383480138223283730677285687, 4388471418937878873760244311226931102311967761139597301227595095454037495066960891301104963760391091058605030114648033892461656189445282496553583505973028, 736776464731641575781839292404124851285324500513593675528872423711514787996001241149637426869001948983773230073266488914216375314221965655672656410584443, 8708590989237325341864969642266721092908150322862807883501307022447092127465507299112990850265948137001397701186114982614486130822490540038423320215334626, 9267802304424548397960617736597723635936811251609846290761762903654804678628923862108480264307805107896646269881938313148864202456071920121260093838052525, 3247108183860325987343060073325154780063121072412546176464075975152503493018889336496636379292425449406827070404175667145192082945885628262842725864496476, 455724435639473173230575250620919313737714978926744740871167992567140510847659696368128186714204899204016766561731806278682654146614456839201295265351084, 9020040064239438957325652010732562703496153379776291386479249377336002129977498901663356523568148111515751758815532962162768918028366620424504879498916260, 7688416580027582769915116662018701330731542853610728083638475681090388890585799679692871117954618858316092856071130163834051800086038254809868956867017534, 2914081803071475210765607707004526189627879912343305436165346830733180111712927683631299251265551199278425089831815911602268284636090898745079700939295508, 1682447624444059192944751083327557927345592086507420627567050313041103192041463642408780131750529259046595170811376763889856062916108841799386014250209204, 5341034619247476123738204666831636378756603282709541857595527812139022510035477000927339770989486054395218479620330803691178416464134942884723827374332572, 8376329702107133848458122442144946089340952412870283575988871694491609215583935392751355281411100977914041577559011007450313560473364023276862308392837927, 9416263788845104843254295633755080717027180798661946550343273052573861692993756745844265654941124801439244186152547374828735493445699134588163894749640836, 2932216738770537817881515093909708415125754815604299999068133848728425671241756819969645781862996905460305910366082553247028095515273709817106865465122590, 8097717669926537250731305609873869963442989665404721303119492230921259587448045170648745406003491170455200904721392690716080842205006420218957357208236777, 2320095372469412381123081241813969183059217183055092564165616040030126466741691823966421813308525807455783827406201671916779545841711101790509143391460558, 2333972164269303480468982231430944844261058855427800172027932923131801032739273832904738225066210544462847760672864166563796956687623202151756145595323299, 9437506711046580131962727129679057367842176159058408153672713703801123411305447877847753662475828865148714651927615052959365575959980181945973888298104933, 5802961795945602293929959252989205060907182950209184792016006564685164829079522333038011701596715377738492900250485584441351844045455427769773524087524156, 529599427933984238231472476175004896612420169200926563371105835757115041890610229232923121353193340603425988395343027602415343623433336040543795697317090, 6402196372034668863055877348065973921962422590516519136977866652600902486323081042430853494022971845631884452544526687998575817840711058028440421779395606, 1230624307875405241534590705586346034433600380745178644341864997283918237998339933919925940523713299382838409046998100995049951280382526255707022024214853, 4939399750563474831690751351208621006534538497525744056731033390661498923441407195386308647381246454241105286776645577202434999611495000302402098783151142, 3991859998040542133259043036343592584436362790235923761833962209989024458819225460294422336721726048826788046849829864060207989750046644621835589699009365, 240857736341741610087615111623321249370900668053282004036464835672779328135852021912344864307291860960709711372109427660351057177543937799209410049857688, 3616083502398202892601882038165628001289992103457989351932690769228627486934029132426774534679657144138989265564646117621513540781010324410148517674825531, 5404612891952879264496112103405811484626424108411041737043110667122266883638660766432812414542841773559389510234873119005979364687689717241678676878972572, 2034451564894992453342874697889924929640864497213866812897528594902646690104681644785346511630568960798405400466505451930160617969903308178504532997741868, 6157490304505265465913231571555412606905748047618103662427174891510009729459475829640015546085845764226272377180939793932164111694580454672032316588788226, 4975964317099024183607476155053005595563615534064262974131837949918711606891694740515965242556735284295717544308022169459365947195601426949094207557584822, 5428476883706514219777167145065847042077736528683727164449312172005302805331073867565107042753732467573625669359225318663458427411189319424302379038071051, 1671914205500553673647970410143909519671590636952787351672356207441593565754364343607635690418391473360926097632568317796984733317042685849430234554815858]
r = [48997, 62415, 23955, 36908, 52443, 4523, 22645, 22555, 31815, 15691, 47858, 27532, 21464, 23465, 45849, 59181, 27490, 6614, 16702, 57463, 52700, 28969, 31173, 41233, 61893, 36368, 17734, 53549, 17913, 33308, 63024, 61345, 33511, 53005, 26113, 59084, 35720, 44204]
r i = ( b i ∗ s ) % p % 2 16 r i = b i ∗ s + k ∗ p + l ∗ 2 16 r i − 16 b i t s b i , s − 510 b i t s p − 512 b i t s l − 496 b i t s ( 512 − 16 ) l ∗ 2 16 = b i ∗ s − r i + k ∗ p 令 i n v = i n v e r t ( 2 16 , p ) l = b i ∗ s ∗ i n v − r i ∗ i n v + k ∗ p 如下造格 M = ( p 0 ⋯ 0 0 0 0 p ⋯ 0 0 0 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ 0 0 ⋯ p b 1 × i n v b 2 × i n v ⋯ b n × i n v K / p 0 r 1 × i n v r 2 × i n v ⋯ r n × i n v 0 K ) ( k 1 k 2 ⋯ k n s − 1 ) ∗ M = ( l i l 2 ⋯ l n K s / p − K ) 其中 K = 2 496 r_i = (b_i * s) \ \%\ p \ \%\ 2^{16}\\ r_i = b_i * s + k * p + l * 2^{16}\\ r_i-16bits\\ b_i,s- 510bits\\ p-512bits\\ l-496bits (512-16)\\ \ \\ l * 2^{16} = b_i * s -r_i + k * p\\ 令inv = invert (2^{16},p) \\ l = b_i * s * inv - r_i * inv+k * p\\如下造格\\ M = \begin{pmatrix} p&0&\cdots&0&0&0\\ 0&p&\cdots&0&0&0\\ \vdots&\vdots&\ddots&\vdots&\vdots&\vdots\\ 0&0&\cdots&p&\\ b_1\times inv&b_2\times inv&\cdots&b_n\times inv&{K/p}&0\\r_1\times inv&r_2\times inv&\cdots&r_n\times inv&0&K \end{pmatrix}\\ \ \\ \begin{pmatrix} k_1&k_2&\cdots&k_n&s&-1 \end{pmatrix} * M = \begin{pmatrix} l_i&l_2&\cdots&l_n&Ks /p&-K \end{pmatrix}\\ 其中K = 2^{496}\\ ri=(bi∗s) % p % 216ri=bi∗s+k∗p+l∗216ri−16bitsbi,s−510bitsp−512bitsl−496bits(512−16) l∗216=bi∗s−ri+k∗p令inv=invert(216,p)l=bi∗s∗inv−ri∗inv+k∗p如下造格M= p0⋮0b1×invr1×inv0p⋮0b2×invr2×inv⋯⋯⋱⋯⋯⋯00⋮pbn×invrn×inv00⋮K/p000⋮0K (k1k2⋯kns−1)∗M=(lil2⋯lnKs/p−K)其中K=2496
很明显这是一道hnp问题
HNP知识导入
A i × x + B i = k i ( m o d p ) A_i\times x+B_i=k_i\pmod p Ai×x+Bi=ki(modp)
其中 A i , B i , p 已知, x , k i 未知 其中A_i,B_i,p已知,x,k_i未知 其中Ai,Bi,p已知,x,ki未知
可构造如下矩阵
M = ( p ⋱ p A 1 ⋯ A i Z B 1 ⋯ B i K ) M=\begin{pmatrix}p\\&\ddots\\&&p\\A_1&\cdots&A_i&Z\\B_1&\cdots&B_i&&K\end{pmatrix} M= pA1B1⋱⋯⋯pAiBiZK
其中k的bits位数要小于p的bits位数,在等式数量足够的情况下,少6bits可以求解kK为k同bits位数的值
Z为自己需要构造的数( l 1 ⋯ l i x 1 ) × M = ( k 1 ⋯ k i Z ∗ x K ) \begin{pmatrix}l_1&\cdots&l_i&x&1\end{pmatrix}\times M=\begin{pmatrix}k_1&\cdots&k_i&Z*x&K\end{pmatrix} (l1⋯lix1)×M=(k1⋯kiZ∗xK)
要尽可能的满足 Z ∗ x Z*x Z∗x的bits位数与K的一致
PS:有另一个短向量 v = ( 0 , 0 , ⋯ , K , 0 ) v=(0,0,\cdots,K,0) v=(0,0,⋯,K,0) 也在格上,此向量比目标向量 ( l 1 , l 2 , ⋯ , l n , K s / n , − K ) (l_1,l_2,\cdots,l_n,Ks/n,-K) (l1,l2,⋯,ln,Ks/n,−K) 还要短,总会出现在LLL后的第一行, 目标向量总会出现在 L L L 后的第二行 \color{red}目标向量总会出现在LLL后的第二行 目标向量总会出现在LLL后的第二行
其中有几个地方要注意:
l
l
l的bit位数要小于p的bit位数,越少越容易出结果,等式数量足够的情况下,少6bit位数可以求解
l
l
l
此题是少16bits
解题代码:
from gmpy2 import *
p = 9463395021022080495725625579099709864198202996192818493676075430361086175809577174253865589866353281287908307347544682931439681148579311956298173287376473
b = [6099745272052586004179912608738971034534930536137743613897081917185107394368705591323971750395506839750452649288267772188419489756675205679949408086451232, 3951191747812729045440242820895124607189480251095163295242628450942998752364973601131023646206377502005591988554681151953526704565202075013281769088815523, 1404420597554404030107272770922253996678162333687352195618251218863999850248824692838151822875031075053556888677319712477280556217652901167451648905364386, 4488294572333656708259420377539737505003996159677656468026097114601711607985567015550450770914323371829296766770532559711193361180597308950367687185966302, 5481102322187479419436505829074865646684095327365195150222467418442873465357487402747218531517017371054667814520443813042860956594726076176855372054132653, 2713802788133698269409249999536200419140314121130473258656206052429002170951741696862581935955915442467962543363756219468741646383480138223283730677285687, 4388471418937878873760244311226931102311967761139597301227595095454037495066960891301104963760391091058605030114648033892461656189445282496553583505973028, 736776464731641575781839292404124851285324500513593675528872423711514787996001241149637426869001948983773230073266488914216375314221965655672656410584443, 8708590989237325341864969642266721092908150322862807883501307022447092127465507299112990850265948137001397701186114982614486130822490540038423320215334626, 9267802304424548397960617736597723635936811251609846290761762903654804678628923862108480264307805107896646269881938313148864202456071920121260093838052525, 3247108183860325987343060073325154780063121072412546176464075975152503493018889336496636379292425449406827070404175667145192082945885628262842725864496476, 455724435639473173230575250620919313737714978926744740871167992567140510847659696368128186714204899204016766561731806278682654146614456839201295265351084, 9020040064239438957325652010732562703496153379776291386479249377336002129977498901663356523568148111515751758815532962162768918028366620424504879498916260, 7688416580027582769915116662018701330731542853610728083638475681090388890585799679692871117954618858316092856071130163834051800086038254809868956867017534, 2914081803071475210765607707004526189627879912343305436165346830733180111712927683631299251265551199278425089831815911602268284636090898745079700939295508, 1682447624444059192944751083327557927345592086507420627567050313041103192041463642408780131750529259046595170811376763889856062916108841799386014250209204, 5341034619247476123738204666831636378756603282709541857595527812139022510035477000927339770989486054395218479620330803691178416464134942884723827374332572, 8376329702107133848458122442144946089340952412870283575988871694491609215583935392751355281411100977914041577559011007450313560473364023276862308392837927, 9416263788845104843254295633755080717027180798661946550343273052573861692993756745844265654941124801439244186152547374828735493445699134588163894749640836, 2932216738770537817881515093909708415125754815604299999068133848728425671241756819969645781862996905460305910366082553247028095515273709817106865465122590, 8097717669926537250731305609873869963442989665404721303119492230921259587448045170648745406003491170455200904721392690716080842205006420218957357208236777, 2320095372469412381123081241813969183059217183055092564165616040030126466741691823966421813308525807455783827406201671916779545841711101790509143391460558, 2333972164269303480468982231430944844261058855427800172027932923131801032739273832904738225066210544462847760672864166563796956687623202151756145595323299, 9437506711046580131962727129679057367842176159058408153672713703801123411305447877847753662475828865148714651927615052959365575959980181945973888298104933, 5802961795945602293929959252989205060907182950209184792016006564685164829079522333038011701596715377738492900250485584441351844045455427769773524087524156, 529599427933984238231472476175004896612420169200926563371105835757115041890610229232923121353193340603425988395343027602415343623433336040543795697317090, 6402196372034668863055877348065973921962422590516519136977866652600902486323081042430853494022971845631884452544526687998575817840711058028440421779395606, 1230624307875405241534590705586346034433600380745178644341864997283918237998339933919925940523713299382838409046998100995049951280382526255707022024214853, 4939399750563474831690751351208621006534538497525744056731033390661498923441407195386308647381246454241105286776645577202434999611495000302402098783151142, 3991859998040542133259043036343592584436362790235923761833962209989024458819225460294422336721726048826788046849829864060207989750046644621835589699009365, 240857736341741610087615111623321249370900668053282004036464835672779328135852021912344864307291860960709711372109427660351057177543937799209410049857688, 3616083502398202892601882038165628001289992103457989351932690769228627486934029132426774534679657144138989265564646117621513540781010324410148517674825531, 5404612891952879264496112103405811484626424108411041737043110667122266883638660766432812414542841773559389510234873119005979364687689717241678676878972572, 2034451564894992453342874697889924929640864497213866812897528594902646690104681644785346511630568960798405400466505451930160617969903308178504532997741868, 6157490304505265465913231571555412606905748047618103662427174891510009729459475829640015546085845764226272377180939793932164111694580454672032316588788226, 4975964317099024183607476155053005595563615534064262974131837949918711606891694740515965242556735284295717544308022169459365947195601426949094207557584822, 5428476883706514219777167145065847042077736528683727164449312172005302805331073867565107042753732467573625669359225318663458427411189319424302379038071051, 1671914205500553673647970410143909519671590636952787351672356207441593565754364343607635690418391473360926097632568317796984733317042685849430234554815858]
r = [48997, 62415, 23955, 36908, 52443, 4523, 22645, 22555, 31815, 15691, 47858, 27532, 21464, 23465, 45849, 59181, 27490, 6614, 16702, 57463, 52700, 28969, 31173, 41233, 61893, 36368, 17734, 53549, 17913, 33308, 63024, 61345, 33511, 53005, 26113, 59084, 35720, 44204]
M = matrix(QQ,40,40)
inv = invert(2 ** 16,p)
for i in range(38):
M[i,i] = p
M[-2,i] = b[i] * inv
M[-1,i] = -r[i] * inv
M[-2,-2] = 2 ** 496 / p
M[-1,-1] = 2 ** 496
L = M.LLL()
res = L[1][-2].numerator() / 2 ** 496
# 或 res = L[1][-2] / (2 ** 496 / p) % p
print(res)
# 1005444529226476196286726437221411001182466035947403146822894574200213482908472882296123424897230218596631139138335919912390102402492391521467426075919696
# wmctf{we1c0me_brOo0Oo!hope_y0u_h4v3_fun_iN_the_fTcmWWmcTf/}
格里面的 K / p K / p K/p也可以换成 K / 2 512 K / 2^{512} K/2512,代码res改成【res = L[1][-2] / (2 ** 496 / 2**512) % p】即可。本质都一样。
bad_prime
题目描述:
from Crypto.Util.number import *
from secret import flag
M = 0x7cda79f57f60a9b65478052f383ad7dadb714b4f4ac069997c7ff23d34d075fca08fdf20f95fbc5f0a981d65c3a3ee7ff74d769da52e948d6b0270dd736ef61fa99a54f80fb22091b055885dc22b9f17562778dfb2aeac87f51de339f71731d207c0af3244d35129feba028a48402247f4ba1d2b6d0755baff6
def getMyprime(BIT):
while True:
p = int(pow(65537, getRandomRange(M>>1, M), M)) + getRandomInteger(BIT-int(M).bit_length()) * M
if isPrime(p):
return p
p = getMyprime(1024)
q = getPrime(1024)
n = p * q
m = bytes_to_long(flag)
print("Try to crack the bad RSA")
print("Public key:", n)
print("The flag(encrypted):", pow(m, 65537, n))
print("Well well, I will give you the hint if you please me ^_^")
leak = int(input("Gift window:"))
if M % leak == 0:
print("This is the gift for you: ", p % leak)
else:
print("I don't like this gift!")
题目分析:
简化一下
p
=
k
∗
M
+
6553
7
a
m
o
d
M
n
=
p
∗
q
c
=
p
o
w
(
m
,
e
,
n
)
其中
n
,
c
,
e
,
求
m
当传入
l
e
a
k
=
M
时,
6553
7
a
m
o
d
M
也就知道了,设为
c
1
故
p
=
k
∗
M
+
c
1
,
c
o
p
p
e
r
解未知数
k
(
可联想
p
的高位攻击
)
解出
k
后
,
p
就出来了,那么常规解
r
s
a
即可得到
f
l
a
g
简化一下\\ p = k * M + 65537^a \mod M\\ n = p * q\\ c = pow(m,e,n)\\ 其中n,c,e,求m\\ 当传入leak = M时,65537^a \mod M也就知道了,设为c1\\ 故p = k * M + c1,copper解未知数k(可联想p的高位攻击)\\ 解出k后,p就出来了,那么常规解rsa即可得到flag
简化一下p=k∗M+65537amodMn=p∗qc=pow(m,e,n)其中n,c,e,求m当传入leak=M时,65537amodM也就知道了,设为c1故p=k∗M+c1,copper解未知数k(可联想p的高位攻击)解出k后,p就出来了,那么常规解rsa即可得到flag
解题代码如下:
from gmpy2 import *
from Crypto.Util.number import *
from random import *
M = 19467773070115377343221509599623925236459751278180415885837207534756855405403128279156705968461708578168638327032034542684864920135818987044810141311008655898015207220772515212093850725541003213054560185603695585660265284153421684796257245143362498012760214539505870197264858636122745485373430
n = 12472626002077866920178151413020997724913658571138226796397411640804446564321570484592618940742408533690138669590557322926168978995001956382014248210028454259813367803052222369863506072015014883609823933916199419481066858857207231520311664459664902528025902842929794668275758050999942059191634389272522671320964894850456420184656960636923409596961814674469644409957628303843169123370081990714799730701582855785700612686890622611481291396041524116973463136171438984798796971881179996700508181507433729909799335407926106281784610873586071488796498924241193576957708827135293177349098586584341721100397256643105870234017
c = 3466758415290820987442064225311552826969252396823354251970465802062747610710039304956737475853499851308657287552846042373210014916465043057986006453373271445849582773551814082704211508983411410263969277743283649937754035696369377052129912145398573272341796607274110157954815587828158941071330317136229394703735678902977666517651646428685091559179815250115421401245448300167574693518725397910931616702958806963051996907279394420120954895776285408715241321615950015556075741287334450807330921625861564665314534563377374509879469933746968301524375756671482507713406072993839171585268250885202956594932196478756766992483
c1 = 6690282109150076978071823629257381590414658672115270641622535563594683313753965273939724195762544028639574673292035107704077883727588123581718080375731102259168467204097244013656517759083053091253802517030398053098956541395905430761385273208751606105259988121220776103683847056158653951540211
e = 65537
R.<k> = PolynomialRing(Zmod(n))
f = k * M + leak
f = f.monic()
roots = f.small_roots(X = 2 ** 55,beta = 0.4)
# print(roots)
p = leak + 5918963989085968 * M
q = n // p
phi = (p - 1)*(q - 1)
d = invert(e,phi)
print(long_to_bytes(int(pow(c,d,n))))
# wmctf{b4d_primE_f4ctor_1s_the_w3akness_for_RSA}
----------------------------------------------------------------------------------------------------------
后面两道welcome_signer不会,贴的大佬的做法,感觉比官方wp好理解不少,大佬真的,太强了啊啊啊啊!
后面就不看了,咱们转战大佬博客吧哈哈
welcome_signer2
题目描述:
from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import md5
import random
flag = b"***********************************"
def pad(message):
return message + b"\x00"*((16-len(message)%16)%16)
def myfastexp(m,d,N,j,N_):
A = 1
B = m
d = bin(d)[2:][::-1]
n = len(d)
N = N
for i in range(n):
if d[i] == '1':
A = A * B % N
# a fault occurs j steps before the end of the exponentiation
if i >= n-1-j:
N = N_
B = B**2 % N
return A
def encrypt(message,key):
key = bytes.fromhex(md5(str(key).encode()).hexdigest())
enc = AES.new(key,mode=AES.MODE_ECB)
c = enc.encrypt(pad(message))
return c
border = "|"
print(border*75)
print(border, "Hi all, I have another algorithm that can quickly calculate powers. ", border)
print(border, "But still there's something wrong with it. Your task is to get ", border)
print(border, "its private key,and decrypt the cipher to cat the flag ^-^ ", border)
print(border*75)
while True:
# generate
p = getPrime(512)
q = getPrime(512)
n = p*q
e = 17
if GCD(e,(p-1)*(q-1)) == 1:
d = inverse(e,(p-1)*(q-1))
n_ = n
break
n_ = n
msg = bytes_to_long(b"Welcome_come_to_WMCTF")
sig = pow(msg,d,n)
assert sig == myfastexp(msg,d,n,0,n_)
CHANGE = True
while True:
try:
ans = input("| Options: \n|\t[G]et data \n|\t[S]ignatrue \n|\t[F]ault injection \n|\t[Q]uit\n").lower().strip()
if ans == 'f':
if CHANGE:
print(border,"You have one chance to change one byte of N. ")
temp,index = input("bytes, and index:").strip().split(",")
assert 0<= int(temp) <=255
assert 0<= int(index) <= 1023
n_ = n ^ (int(temp)<<int(index)) # 可换8bits
print(border,f"[+] update: n_ -> \"{n_}\"")
CHANGE = False
else:
print(border,"Greedy...")
elif ans == 'g':
print(border,f"n = {n}")
print(border,f"flag_ciphertext = {encrypt(flag,d).hex()}")
elif ans == 's':
index = input("Where your want to interfere:").strip()
sig_ = myfastexp(msg,d,n,int(index),n_)
print(border,f"signature of \"Welcome_come_to_WMCTF\" is {sig_}")
elif ans == 'q':
quit()
except Exception as e:
print(border,"Err...")
quit()
A
1
≡
B
d
_
l
o
w
(
m
o
d
n
)
A
2
≡
B
j
d
_
h
i
g
h
(
m
o
d
n
_
)
A
≡
A
1
∗
A
2
(
m
o
d
n
_
)
最终是求
d
其中
j
可自己控制,因此可以通过等式关系来爆破
d
通过生成
d
的函数可测试出
d
的
b
i
t
s
位数大多位于
1023
所以以生成位数为
1023
位的来爆破,并且是从高位开始
A1 \equiv B^{d\_low} \pmod n\\ A2 \equiv B_j^{d\_high} \pmod{n\_}\\ A \equiv A1 * A2 \pmod{n\_}\\ 最终是求d\\ 其中j可自己控制,因此可以通过等式关系来爆破d\\ 通过生成d的函数可测试出d的bits位数大多位于1023\\ 所以以生成位数为1023位的来爆破,并且是从高位开始\\
A1≡Bd_low(modn)A2≡Bjd_high(modn_)A≡A1∗A2(modn_)最终是求d其中j可自己控制,因此可以通过等式关系来爆破d通过生成d的函数可测试出d的bits位数大多位于1023所以以生成位数为1023位的来爆破,并且是从高位开始
消A2,留A1爆破:
from Crypto.Util.number import *
D = '1'
msg = bytes_to_long(b'Welcome_come_to_WMCTF')
d_len = 1023
BB = [msg]
for i in range(d_len - 1):
BB.append(BB[-1] ** 2 % n)
for i in range(1,d_len):
t1 = myfastexp(msg,d,n,i,n_) * inverse(pow(BB[d_len - i - 1],2 * int(d,2),n_),n_) % n_
t2 = myfastexp(msg,d,n,i + 1,n_) * inverse(pow(BB[d_len - i - 2],4 * int(d,2),n_),n_) % n_
# 其中myfastexp(msg,d,n,i,n_),myfastexp(msg,d,n,i + 1,n_)是接收到的sig_
if t1 = t2:
D += '0'
else:
D += '1'
if '111111111111111' in D: # 可以过滤掉不符合要求的
break
print(D)
welcome_signer1
题目描述:
from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import md5
from sympy import isprime
from tqdm import tqdm
import random
flag = b"***********************************"
def pad(message):
return message + b"\x00"*((16-len(message)%16)%16)
def myfastexp(m,d,N,j,N_):
A = 1
d = bin(d)[2:][::-1]
n = len(d)
for i in range(n-1,-1,-1):
if i < j:
#print(A)
N = N_
A = A*A % N
if d[i] == "1":
A = A * m % N
return A
def encrypt(message,key):
key = bytes.fromhex(md5(str(key).encode()).hexdigest())
enc = AES.new(key,mode=AES.MODE_ECB)
c = enc.encrypt(pad(message))
return c
border = "|"
print(border*75)
print(border, "Hi all, I have created an algorithm that can quickly calculate powers. ", border)
print(border, "But it looks like there's something wrong with it. Your task is to get ", border)
print(border, "its private key,and decrypt the cipher to cat the flag ^-^ ", border)
print(border*75)
while True:
# generate
p = getPrime(512)
q = getPrime(512)
n = p*q
e = 17
if GCD(e,(p-1)*(q-1)) == 1:
d = inverse(e,(p-1)*(q-1))
n_ = n
break
msg = bytes_to_long(b"Welcome_come_to_WMCTF")
sig = pow(msg,d,n)
CHANGE = True
while True:
try:
ans = input("| Options: \n|\t[G]et data \n|\t[S]ignatrue \n|\t[F]ault injection \n|\t[Q]uit\n").lower().strip()
if ans == 'f':
if CHANGE:
print(border,"You have one chance to change one byte of N. ")
temp,index = input("bytes, and index:").strip().split(",")
assert 0<= int(temp) <=255
assert 0<= int(index) <= 1023
n_ = n ^ (int(temp)<<int(index))
print(border,f"[+] update: n_ -> \"{n_}\"")
CHANGE = False
else:
print(border,"Greedy...")
elif ans == 'g':
print(border,f"n = {n}")
print(border,f"flag_ciphertext = {encrypt(flag,d).hex()}")
elif ans == 's':
index = input("Where your want to interfere:").strip()
sig_ = myfastexp(msg,d,n,int(index),n_)
print(border,f"signature of \"Welcome_come_to_WMCTF\" is {sig_}")
elif ans == 'q':
quit()
except Exception as e:
print(border,"Err...")
quit()
不会,还是记录大佬的做法
等价表达:
def myfastexp(m,d,N,j,N_):
A = 1
d = bin(d)[2:]
n = len(d)
# print(d)
dd=d[::-1]
temp=pow(m,int(dd[:n-j],2),N)
temp=pow(temp,2**j,N_)*pow(m,int(dd[n-j:],2),N_) %N_
for i in range(n-1,-1,-1):
if i < j:
N = N_
A = A*A % N
if d[i] == "1":
A = A * m % N
assert A==temp
return A
temp=pow(m,int(dd[:n-j],2),N)
temp=pow(temp,2**j,N_)*pow(m,int(dd[n-j:],2),N_) %N_
上面两句总结的真是绝,我做题的时候反正没想到
A
1
≡
m
d
_
h
i
g
h
(
m
o
d
n
)
A
2
≡
m
d
_
l
o
w
(
m
o
d
n
_
)
A
≡
(
A
1
<
<
j
)
∗
A
2
(
m
o
d
n
_
)
最终是求
d
A1 \equiv m^{d\_high} \pmod n\\ A2 \equiv m^{d\_low} \pmod{n\_}\\ A \equiv (A1 << j) * A2 \pmod{n\_}\\ 最终是求d\\
A1≡md_high(modn)A2≡md_low(modn_)A≡(A1<<j)∗A2(modn_)最终是求d
消A1,留A2爆破
D='1'
for i in range(l-1,0,-1):
temp=pow(msg,int(D,2),n)
temp1=pow(temp,2**i,n_)
temp=pow(msg,2*int(D,2),n)
temp2=pow(temp,2**(i-1),n_)
t1=myfastexp(msg,d,n,i,n_)*inverse(temp1,n_) %n_
t2=myfastexp(msg,d,n,i-1,n_)*inverse(temp2,n_) %n_
# 其中myfastexp(msg,d,n,i,n_),myfastexp(msg,d,n,i - 1,n_)是接收到的sig_
if t1==t2:
D+='0'
else:
D+='1'
if '111111111111111' in D: # 可以过滤掉不符合要求的
break
print(D)
此次比赛给我的感觉是,比nepctf友好不少