做题杂记333

题1

题目来源：https://blog.csdn.net/luochen2436/article/details/132964576?spm=1001.2014.3001.5502
题目描述：

from Crypto.Util.number import *
from Crypto.Util.Padding import pad
from sage.all import *
flag = open('flag', 'rb').read()

n_bits = 1024
beta = 0.29
delta = 0.45
assert delta < (3/4 - beta)
flag1 = pad(flag[:len(flag)//2], n_bits//16)
p = next_prime(bytes_to_long(flag1))
pqdiff_bound = 1 << int(n_bits * beta)
pqdiff_lower_bound = 1 << int(n_bits * beta - 1)
q = next_prime(p - random_prime(pqdiff_bound, lbound=pqdiff_lower_bound))
n = p*q
phi = (p-1)*(q-1)
d_bound = 1 << int(n_bits*delta)
d_lower_bound = 1 << int(n_bits * delta - 1)

while True:
    d = random_prime(d_bound, lbound=d_lower_bound)
    if gcd(d, phi) == 1:
        e = inverse_mod(d, phi)
        if gcd(e, phi) == 1:
            break

print(f'n = {n}')
print(f'e = {e}')

flag2 = pad(flag[len(flag)//2:], n_bits//8-1)
m = bytes_to_long(flag2)
c = pow(m, e, n)
print(f'c = {c}')


"""
n = 12779292788328507635646485236446323990578456114967808016182263578178494180795370424798860493650480053570371250811905773960481750940458827979861184722353108227092212225595979824252209841697659509529606215126716440565931530812981595774746754816326511322383070955072647153550727568166534351477967896890021106177
e = 9127521457923354456069487334973053064242751338553190692058159575640567634725596267894601092335626785885309669456842153792617210853891969129983736241476545935575261789952791385304618176639748270574246664480305757268659559315780221543289523307886165842999070576207133912422055150609884199685294091097607124409
c = 4715199541938838482829660474842815637758774748907642018610952495675409399919781649074418880398481916563366285817131200590553788510331744823499159289515632966376454919605434679417642103846284370991583023683038608112090557964515005763676931627459252593722505464252259469202165279234233266578704442372964772018
"""

题目分析：
先熟悉几个函数：

random_prime(ub,lb):
生成[lb,ub)之间的随机素数,注意ub在前,lb在后,lb可缺省为0
可通过这种方式生成128位的随机素数
p=random_prime(2 ** 128,2 ** 127)

pad(data,block_size):
来自from Crypto.Util.Padding import pad
data: 需要进行填充的数据
bolck_size: 数据块大小，倍数形式
填充方式：PKCS#7，即用需要填充的字节数来填充每个字节
eg:
len(data) = 23,block_size = 20,则填充成长度为40的数据，末尾加17个b’\x11’。

$$\begin{gathered} pqdiff\_bound=1<<296 \\ pqdiff\_lower\_bound=1<<295 \\ q=next\_prime(p-random\_prime(...)) \\ 说明p,q高205bits相等，一般flag不会超过400bits \\ 故直接对n开方转bytes即可得到flag的前半部分 \\ 之后便能得到p,q,随即得到完整flag \end{gathered}$$

from Crypto.Util.Padding import pad
from gmpy2 import *
from Crypto.Util.number import *
n_bits = 1024
n = 12779292788328507635646485236446323990578456114967808016182263578178494180795370424798860493650480053570371250811905773960481750940458827979861184722353108227092212225595979824252209841697659509529606215126716440565931530812981595774746754816326511322383070955072647153550727568166534351477967896890021106177
e = 9127521457923354456069487334973053064242751338553190692058159575640567634725596267894601092335626785885309669456842153792617210853891969129983736241476545935575261789952791385304618176639748270574246664480305757268659559315780221543289523307886165842999070576207133912422055150609884199685294091097607124409
c = 4715199541938838482829660474842815637758774748907642018610952495675409399919781649074418880398481916563366285817131200590553788510331744823499159289515632966376454919605434679417642103846284370991583023683038608112090557964515005763676931627459252593722505464252259469202165279234233266578704442372964772018
p = iroot(n,2)[0]
print(long_to_bytes(int(p)))
flag1 = b'DASCTF{9a697216-6900-4'
flag1 = pad(flag1, n_bits//16) # 填充满64位
p = next_prime(bytes_to_long(flag1))
q = n // p
d = invert(e,(p - 1)*(q - 1))
print(long_to_bytes(int(pow(c,d,n))))
# DASCTF{9a697216-6900-4a72-92e1-e3eefd98794f}

题2

题目来源：https://blog.csdn.net/luochen2436/article/details/133793317?spm=1001.2014.3001.5502
题目描述：

from fastecdsa.curve import P521 as Curve
from fastecdsa.point import Point
from os import urandom
from random import getrandbits
import uuid
from Crypto.PublicKey import DSA
from Crypto.Util.number import *
import random
from hashlib import sha256

flag = f"flag{{{uuid.uuid4()}}}".encode('utf-8')
m1 = b'****************'
m2 = b'****************'

def gen(G):
    urand = bytes_to_long(urandom(256 // 8))
    while True:
        s = getrandbits(256) ^ urand
        Q = s * G
        if isPrime(Q.x) and isPrime(Q.y):
            return Q.x, Q.y


def sign(m, k, x, p, q, g):
    cm = sha256(m).digest()
    hm = bytes_to_long(cm)
    r = pow(g, k, p) % q
    s = (hm + x * r) * inverse(k, q) % q
    return r, s

def encrypt(msg):
    p, q, r, t = getPrime(256), getPrime(256), getPrime(256), getPrime(256)
    pubkey = p ** 2 * q * r * t
    n = pubkey
    phi = (p - 1) * (q - 1) * (r - 1) * (t - 1)
    privkey = inverse(n, phi)
    c = long_to_bytes(pow(bytes_to_long(msg), pubkey, pubkey))
    return [c, pubkey, privkey]
    
def verify(message, r, s, p, q, g, y): 
    cm = sha256(message).digest()
    hm = bytes_to_long(cm)
    w = pow(s, q - 2, q) 
    u1 = (hm * w) % q 
    u2 = (r * w) % q 
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q 
    return v == r 
 
ecc_p = Curve.p
a = Curve.a
b = Curve.b
Gx = Curve.gx
Gy = Curve.gy
G = Point(Gx, Gy, curve=Curve)
p, q = gen(G)
n = p * q
print(f"a={a}")
print(f"b={b}")
print(f"ecc_p={ecc_p}")
print(f"n={n}")
x = bytes_to_long(flag)
cm1 = encrypt(m1)
cm2 = encrypt(m2)
key = DSA.generate(int(2048))
g = key.g
assert q > x
k = random.randint(1, q - 1)
r1, s1 = sign(m1, k, x, p, q, g)
r2, s2 = sign(m2, k, x, p, q, g)
print(f"cm1={cm1}")
print(f"cm2={cm2}")
print(f's1 = {s1}')
print(f'r1 = {r1}')
print(f'r2 = {r2}')
print(f's2 = {s2}')

"""
a=-3
b=1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984
ecc_p=6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151
n=17892143742135558659464483241031582705399015704984635198259117502698806062144577358841580186430592021484784182374984891504991723987372158404717308894627025254370106060682124762121644746055038786733570766842371672272269500805787962472846195694411232153017387865489974233181909133999038179766349022983643293490318883

cm1=[b'~(\x13K\xbd\x07\xf6\xac\x0f^\xff\xc0\x11\xf4\\-[bd\xd4\xee\xad\xd3\x12hY\xa9\xfawU6\tM\xd8\xc7$Q\x08fe\x0e\xa6V\x84Af\xc2\x90\xff\x0b\xb3\xf7\t\xeb\x1f\x92\xe9_\xc2d\x0b,\xb8j\xa7x\xb7\xd8.\x01\x0f\xb3\xfb\x84}\x18M_$J\x19WS\x19\xe4\xac|\xfb\xab\\\xddE\xe8K\x11\x85\x94I\x88\x06\xda\xd9\xa5\xd3%\xdeZ\xc0\xa1\x96K\x8f\xc9\xd6rZ\xf9\x80\x03\xb6\xe7&\xc7\xba\xfa\x11\x0e\x17\x03\xc6@\xf9\xe1\x91\xc3\x98\xfd~\xb4,\xbf+\xf1\x9c\x13\xf9\xcb\xd3\xa2\xcd\t\xc1\xa0\x16\xac(kO\x0e', 4210112960230753389177723103991057503675404064215473253619064996297654205031972289490914887593241466687180915490587736105591295790203391680056466722777574962131018329890483040708509359428184782432390334491747709835762154148954222667111743029165387940794322517656416298463983972364481679736217231237972603248180412651171720538869199141557228108454144762163387122885891997412124486368093, 34467673940229375549861096366968383350573853982091018691379038369575391106133342982206096859322434387821396329105522038690695490560975568642248771969263414977884644851551873207137010180591879084640509485920597821696620795026052163156567900184188166776652129980691756851240082925443033375548789315858902528245]

cm2=[b"\x04L\xfbgl\x83\x8c\xd0\xd1\x94\xaeH\x15\x1f\x9d\r\xfe4Qo\x1f\x0e\xac\x99\x10\xd7p\x05\x0e\xe1Z\xde\xf1-\x90'\xfd\n\xcb\x11\x95\xe7\xfd\xb4\xa9\xe1g\xba\x88\x97h\t\x114\x8f\r\xa4\xf38\xf59\xbdbt\x8f\\U\xeau\x0e\xe2C\xd0\xbf\xb0\x0b\xe4\xfb\\\xb1\xe6\xd8\xc9K\x99F\n\xd1s(\xda \xe1\xa0)st\xdduv\x05\t\x97\x85\xbfdnr$\xeee<\xdd\xa2j\xd1l\x0c\x14\xe0\x9d!\x9d\x85J\xe6\x08\xf3\x8b\xf5^\xb6\xf9\xd5\xf8\xf1\xa9\x05\x11\xf2\x1f\xe6L}_?\xdc\xf1\xcf_\x19K\x9d?F\x11\x8a\xd6m_", 2107035726522358468787800437216735702294054489210423482763141344245971658038208946943384473505445944203654154393368969472650747972993446483863354738530464536671191192852772663305104685295729636566877550779644763943501495227449049599621704191810033993441720482366622086425653151565702373624357844645714794047547901924425604430887869417863146263310137069165358904526698570368614646908659, 25851316624668868073282577242443094459803237792257031370809123539176662555947554778083633535689341409219664781371076460089226128423940382827297717468898042144540839805840728213520942720971834042050337266075935231655467146339599134132537675265039256700087188339078240329238442682883808814292004154090735239739]

s1 = 1147444956942488206425397540690496331513776719096397579521439800869593847794208912124600845863795170543614454413750492051491732502087262731130173253134510721
r1 = 1157925007400122568661548726339484089282532284376929635262438142895805835643192575599802310792451479232905705228133875039893052991121145062272055314297648646
r2 = 1157925007400122568661548726339484089282532284376929635262438142895805835643192575599802310792451479232905705228133875039893052991121145062272055314297648646
s2 = 1705053872995228285447305031429522382982990819347651751236442503354782702527682212062279231285695576661552718820729949632674150767988313498856519278708115047
"""

part1:
$$\begin{gathered} q^2=p^3+a\ast p+b \\ {n}^2=p^2\ast q^2=p^5+a\ast p^3+b\ast p^2 \\ 在有限域ecc\_p下解方程即可的得到p，进而得到q \end{gathered}$$
exp1:

a=-3
b=1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984
ecc_p=6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151
n=17892143742135558659464483241031582705399015704984635198259117502698806062144577358841580186430592021484784182374984891504991723987372158404717308894627025254370106060682124762121644746055038786733570766842371672272269500805787962472846195694411232153017387865489974233181909133999038179766349022983643293490318883
R.<x> = PolynomialRing(Zmod(ecc_p))
f = x ^ 5 + a * x ^ 3 + b * x ^ 2 - n ^ 2
f = f.monic()
f.roots() # 通过n % p = 0来确定正确的p
p = 4577319558089231038488430259088780264163885803784130570636777011174249008593353860100699977490946626815819097685374123509720374237025755098078222435580364427
q = n // p

part2:
$$\begin{gathered} n=p^2\ast q\ast r\ast t \\ phi=p\ast (p-1)\ast (q-1)\ast (r-1)\ast (t-1) \\ ph{i}_1=(p-1)\ast (q-1)\ast (r-1)\ast (t-1) \\ e\ast d_1\equiv 1\mathrm{mod}ph{i}_1 \\ 其中e=n=pubkey，d_1=privkey \\ {a}^{e\ast d_1}\mathrm{mod}n\equiv a^{1+k\ast ph{i}_1}\mathrm{mod}(p\ast q\ast r\ast t)\equiv a\mathrm{mod}(p\ast q\ast r\ast t) \\ \Rightarrow p\ast q\ast r\ast t=gcd(a^{e\ast d_1}\mathrm{mod}n-a,n) \\ c\equiv m^e\mathrm{mod}n\equiv m^e\mathrm{mod}(p\ast q\ast r\ast t) \\ \Rightarrow m\equiv c^{d_1}\mathrm{mod}(p\ast q\ast r\ast t) \\ 至此可求得m_1,m_2 \end{gathered}$$
exp:

from gmpy2 import *
from Crypto.Util.number import *
c1,e1,d1 = b'~(\x13K\xbd\x07\xf6\xac\x0f^\xff\xc0\x11\xf4\\-[bd\xd4\xee\xad\xd3\x12hY\xa9\xfawU6\tM\xd8\xc7$Q\x08fe\x0e\xa6V\x84Af\xc2\x90\xff\x0b\xb3\xf7\t\xeb\x1f\x92\xe9_\xc2d\x0b,\xb8j\xa7x\xb7\xd8.\x01\x0f\xb3\xfb\x84}\x18M_$J\x19WS\x19\xe4\xac|\xfb\xab\\\xddE\xe8K\x11\x85\x94I\x88\x06\xda\xd9\xa5\xd3%\xdeZ\xc0\xa1\x96K\x8f\xc9\xd6rZ\xf9\x80\x03\xb6\xe7&\xc7\xba\xfa\x11\x0e\x17\x03\xc6@\xf9\xe1\x91\xc3\x98\xfd~\xb4,\xbf+\xf1\x9c\x13\xf9\xcb\xd3\xa2\xcd\t\xc1\xa0\x16\xac(kO\x0e', 4210112960230753389177723103991057503675404064215473253619064996297654205031972289490914887593241466687180915490587736105591295790203391680056466722777574962131018329890483040708509359428184782432390334491747709835762154148954222667111743029165387940794322517656416298463983972364481679736217231237972603248180412651171720538869199141557228108454144762163387122885891997412124486368093, 34467673940229375549861096366968383350573853982091018691379038369575391106133342982206096859322434387821396329105522038690695490560975568642248771969263414977884644851551873207137010180591879084640509485920597821696620795026052163156567900184188166776652129980691756851240082925443033375548789315858902528245
c2,e2,d2 = b"\x04L\xfbgl\x83\x8c\xd0\xd1\x94\xaeH\x15\x1f\x9d\r\xfe4Qo\x1f\x0e\xac\x99\x10\xd7p\x05\x0e\xe1Z\xde\xf1-\x90'\xfd\n\xcb\x11\x95\xe7\xfd\xb4\xa9\xe1g\xba\x88\x97h\t\x114\x8f\r\xa4\xf38\xf59\xbdbt\x8f\\U\xeau\x0e\xe2C\xd0\xbf\xb0\x0b\xe4\xfb\\\xb1\xe6\xd8\xc9K\x99F\n\xd1s(\xda \xe1\xa0)st\xdduv\x05\t\x97\x85\xbfdnr$\xeee<\xdd\xa2j\xd1l\x0c\x14\xe0\x9d!\x9d\x85J\xe6\x08\xf3\x8b\xf5^\xb6\xf9\xd5\xf8\xf1\xa9\x05\x11\xf2\x1f\xe6L}_?\xdc\xf1\xcf_\x19K\x9d?F\x11\x8a\xd6m_", 2107035726522358468787800437216735702294054489210423482763141344245971658038208946943384473505445944203654154393368969472650747972993446483863354738530464536671191192852772663305104685295729636566877550779644763943501495227449049599621704191810033993441720482366622086425653151565702373624357844645714794047547901924425604430887869417863146263310137069165358904526698570368614646908659, 25851316624668868073282577242443094459803237792257031370809123539176662555947554778083633535689341409219664781371076460089226128423940382827297717468898042144540839805840728213520942720971834042050337266075935231655467146339599134132537675265039256700087188339078240329238442682883808814292004154090735239739
c1 = int(bytes_to_long(c1))
c2 = int(bytes_to_long(c2))
n11 = gcd(int(pow(2,e1 * d1,e1)) - 2,e1)
n22 = gcd(int(pow(2,e2 * d2,e2)) - 2,e2)
m1 = long_to_bytes(int(pow(c1,d1,n11)))
m2 = long_to_bytes(int(pow(c2,d2,n22)))
print(m1) # This is the first message
print(m2) # This is the second message

part3:
$$\begin{gathered} s_1\equiv (h(m_1)+flag\ast r)\ast k^{-1}\mathrm{mod}q \\ {s}_2\equiv (h(m_2)+flag\ast r)\ast k^{-2}\mathrm{mod}q \\ 联立解方程即可得到flag,k \end{gathered}$$
完整exp:

from gmpy2 import *
from hashlib import *
from Crypto.Util.number import *
a=-3
b=1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984
ecc_p=6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151
n=17892143742135558659464483241031582705399015704984635198259117502698806062144577358841580186430592021484784182374984891504991723987372158404717308894627025254370106060682124762121644746055038786733570766842371672272269500805787962472846195694411232153017387865489974233181909133999038179766349022983643293490318883
R.<x> = PolynomialRing(Zmod(ecc_p))
f = x ^ 5 + a * x ^ 3 + b * x ^ 2 - n ^ 2
f = f.monic()
# f.roots() # 通过n % p = 0来确定正确的p
p = 4577319558089231038488430259088780264163885803784130570636777011174249008593353860100699977490946626815819097685374123509720374237025755098078222435580364427
q = n // p
c1,e1,d1 = b'~(\x13K\xbd\x07\xf6\xac\x0f^\xff\xc0\x11\xf4\\-[bd\xd4\xee\xad\xd3\x12hY\xa9\xfawU6\tM\xd8\xc7$Q\x08fe\x0e\xa6V\x84Af\xc2\x90\xff\x0b\xb3\xf7\t\xeb\x1f\x92\xe9_\xc2d\x0b,\xb8j\xa7x\xb7\xd8.\x01\x0f\xb3\xfb\x84}\x18M_$J\x19WS\x19\xe4\xac|\xfb\xab\\\xddE\xe8K\x11\x85\x94I\x88\x06\xda\xd9\xa5\xd3%\xdeZ\xc0\xa1\x96K\x8f\xc9\xd6rZ\xf9\x80\x03\xb6\xe7&\xc7\xba\xfa\x11\x0e\x17\x03\xc6@\xf9\xe1\x91\xc3\x98\xfd~\xb4,\xbf+\xf1\x9c\x13\xf9\xcb\xd3\xa2\xcd\t\xc1\xa0\x16\xac(kO\x0e', 4210112960230753389177723103991057503675404064215473253619064996297654205031972289490914887593241466687180915490587736105591295790203391680056466722777574962131018329890483040708509359428184782432390334491747709835762154148954222667111743029165387940794322517656416298463983972364481679736217231237972603248180412651171720538869199141557228108454144762163387122885891997412124486368093, 34467673940229375549861096366968383350573853982091018691379038369575391106133342982206096859322434387821396329105522038690695490560975568642248771969263414977884644851551873207137010180591879084640509485920597821696620795026052163156567900184188166776652129980691756851240082925443033375548789315858902528245
c2,e2,d2 = b"\x04L\xfbgl\x83\x8c\xd0\xd1\x94\xaeH\x15\x1f\x9d\r\xfe4Qo\x1f\x0e\xac\x99\x10\xd7p\x05\x0e\xe1Z\xde\xf1-\x90'\xfd\n\xcb\x11\x95\xe7\xfd\xb4\xa9\xe1g\xba\x88\x97h\t\x114\x8f\r\xa4\xf38\xf59\xbdbt\x8f\\U\xeau\x0e\xe2C\xd0\xbf\xb0\x0b\xe4\xfb\\\xb1\xe6\xd8\xc9K\x99F\n\xd1s(\xda \xe1\xa0)st\xdduv\x05\t\x97\x85\xbfdnr$\xeee<\xdd\xa2j\xd1l\x0c\x14\xe0\x9d!\x9d\x85J\xe6\x08\xf3\x8b\xf5^\xb6\xf9\xd5\xf8\xf1\xa9\x05\x11\xf2\x1f\xe6L}_?\xdc\xf1\xcf_\x19K\x9d?F\x11\x8a\xd6m_", 2107035726522358468787800437216735702294054489210423482763141344245971658038208946943384473505445944203654154393368969472650747972993446483863354738530464536671191192852772663305104685295729636566877550779644763943501495227449049599621704191810033993441720482366622086425653151565702373624357844645714794047547901924425604430887869417863146263310137069165358904526698570368614646908659, 25851316624668868073282577242443094459803237792257031370809123539176662555947554778083633535689341409219664781371076460089226128423940382827297717468898042144540839805840728213520942720971834042050337266075935231655467146339599134132537675265039256700087188339078240329238442682883808814292004154090735239739
c1 = int(bytes_to_long(c1))
c2 = int(bytes_to_long(c2))
n11 = gcd(int(pow(2,e1 * d1,e1)) - 2,e1)
n22 = gcd(int(pow(2,e2 * d2,e2)) - 2,e2)
m1 = long_to_bytes(int(pow(c1,d1,n11)))
m2 = long_to_bytes(int(pow(c2,d2,n22)))

hm1 = bytes_to_long(sha256(m1).digest())
hm2 = bytes_to_long(sha256(m2).digest())

s1 = 1147444956942488206425397540690496331513776719096397579521439800869593847794208912124600845863795170543614454413750492051491732502087262731130173253134510721
r1 = 1157925007400122568661548726339484089282532284376929635262438142895805835643192575599802310792451479232905705228133875039893052991121145062272055314297648646
r2 = 1157925007400122568661548726339484089282532284376929635262438142895805835643192575599802310792451479232905705228133875039893052991121145062272055314297648646
s2 = 1705053872995228285447305031429522382982990819347651751236442503354782702527682212062279231285695576661552718820729949632674150767988313498856519278708115047

P.<k,x> = PolynomialRing(Zmod(q))
G = [hm1 + x * r1 - k * s1,hm2 + x * r2 - k * s2]
B = Ideal(G).groebner_basis()
res = [x.constant_coefficient() for x in B]
k = -res[0] % q
x = -res[1] % q
print(long_to_bytes(int(x)))
# flag{d55a50f1-c95b-4e56-a7f7-b0efa1dc1d04}

浅记一下：
关键词: 解方程，数论推导，phi与phi_1