[羊城杯 2024] Crypto

TH_Curve

题目描述：

from Crypto.Util.number import *
from secret import flag


def add_THcurve(P, Q):
    if P == (0, 0):
        return Q
    if Q == (0, 0):
        return P
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 - y1 ** 2 * x2 * y2) * pow(a * x1 * y1 * x2 ** 2 - y2, -1, p) % p
    y3 = (y1 * y2 ** 2 - a * x1 ** 2 * x2) * pow(a * x1 * y1 * x2 ** 2 - y2, -1, p) % p
    return x3, y3


def mul_THcurve(n, P):
    R = (0, 0)
    while n > 0:
        if n % 2 == 1:
            R = add_THcurve(R, P)
        P = add_THcurve(P, P)
        n = n // 2
    return R


p = 10297529403524403127640670200603184608844065065952536889
a = 2
G = (8879931045098533901543131944615620692971716807984752065, 4106024239449946134453673742202491320614591684229547464)

FLAG = flag.lstrip(b'DASCTF{').rstrip(b'}')
assert len(FLAG) == 15
m = bytes_to_long(FLAG)
assert m < p
Q = mul_THcurve(m, G)
print("Q =", Q)
# Q = (6784278627340957151283066249316785477882888190582875173, 6078603759966354224428976716568980670702790051879661797)

题目分析：
映射关系如下：
https://hyperelliptic.org/EFD/g1p/data/twistedhessian/coordinates
故该曲线为：
$$\begin{gathered} a{x}^3+y^3+1=dxy \\ 2x^3+y^3+1=dxy \end{gathered}$$

通过点Q求出d来从而得到完整的曲线方程

d = (a * Q[0] ** 3 + Q[1] ** 3 + 1) * inverse(Q[0] * Q[1], p) % p

接下来解题思路参考：https://tangcuxiaojikuai.xyz/post/a6ee3e0e.html

通过以下方式换元：$x=\frac{x^{\prime }}{z^{\prime }}，y=\frac{y^{\prime }}{z^{\prime }}$

从而转换成以下三次齐次方程形式：$2x^{\prime 3}+y^{\prime 3}+z^{\prime 3}\equiv d{x}^{\prime }{y}^{\prime }{z}^{\prime }(\mathrm{m}\mathrm{o}\mathrm{d}p)$

构建出椭圆曲线后使用 Pohlig Hellman 即可解出 Q = mG 中的 m

exp:

from Crypto.Util.number import *

p = 10297529403524403127640670200603184608844065065952536889
a = 2
P = (8879931045098533901543131944615620692971716807984752065, 4106024239449946134453673742202491320614591684229547464)
Q = (6784278627340957151283066249316785477882888190582875173, 6078603759966354224428976716568980670702790051879661797)
d = (a * Q[0] ** 3 + Q[1] ** 3 + 1) * inverse(Q[0] * Q[1], p) % p

# construct ECC to get a solution of 2X^3+Y^3+Z^3=dXYZ
R.<x,y,z> = Zmod(p)[]
cubic = 2 * x^3 + y^3 + z^3 - d*x*y*z
E = EllipticCurve_from_cubic(cubic,morphism=True)
P = E(P)
Q = E(Q)
P_ord = P.order()

def Pohlig_Hellman(n,P,Q):
    factors, exponents = zip(*factor(n))
    primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
    print(primes)
    dlogs = []
    for fac in primes:
        t = int(int(P.order()) // int(fac))
        dlog = discrete_log(t*Q,t*P,operation="+")
        dlogs += [dlog]
        print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
    num2 = crt(dlogs,primes)
    return num2

num2 = Pohlig_Hellman(P_ord,P,Q)
print(long_to_bytes(num2))

baby_Curve

题目描述：

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
import os
import hashlib
from sage.all import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from secret import c, b, key, FLAG

def add_curve(P, Q, K):
    a, d, p = K
    if P == (0, 0):
        return Q
    if Q == (0, 0):
        return P
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 * y2 + y1 * x2) * pow(1 - d * x1 ** 2 * x2 ** 2, -1, p) % p
    y3 = ((y1 * y2 + 2 * a * x1 * x2) * (1 + d * x1 ** 2 * x2 ** 2) + 2 * d * x1 * x2 * (x1 ** 2 + x2 ** 2)) * pow(
        (1 - d * x1 ** 2 * x2 ** 2) ** 2, -1, p) % p
    return x3, y3

def mul_curve(n, P, K):
    R = (0, 0)
    while n > 0:
        if n % 2 == 1:
            R = add_curve(R, P, K)
        P = add_curve(P, P, K)
        n = n // 2
    return R

def AES_encrypt(k):
    key = hashlib.sha256(str(k).encode()).digest()[:16]
    iv = os.urandom(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    cipher = cipher.encrypt(pad(FLAG, 16))
    data = {}
    data["iv"] = iv.hex()
    data["cipher"] = cipher.hex()
    return data

a = 46
d = 20
p1 = 826100030683243954408990060837
K1 = (a, d, p1)
G1 = (560766116033078013304693968735, 756416322956623525864568772142)
P1 = mul_curve(c, G1, K1)
Q1 = mul_curve(b, G1, K1)
print("P1 =", P1)
print("Q1 =", Q1)
# P1 = (528578510004630596855654721810, 639541632629313772609548040620)
# Q1 = (819520958411405887240280598475, 76906957256966244725924513645)

p = 770311352827455849356512448287
E = EllipticCurve(GF(p), [-c, b])
G = E.gens()[0]
P = G * key
data = AES_encrypt(key)
print("G =", G)
print("P =", P)
print("data =",data)
# G = (584273268656071313022845392380 : 105970580903682721429154563816 : 1)
# P = (401055814681171318348566474726 : 293186309252428491012795616690 : 1)
# data = {'iv': 'bae1b42f174443d009c8d3a1576f07d6', 'cipher': 'ff34da7a65854ed75342fd4ad178bf577bd622df9850a24fd63e1da557b4b8a4'}

题目分析：
解方程得c，b（或者爆破），然后。。。sagemath10.4解、、

from Crypto.Util.number import *
import hashlib
p = 770311352827455849356512448287
x1, y1 = (584273268656071313022845392380, 105970580903682721429154563816)
x2, y2 = (401055814681171318348566474726, 293186309252428491012795616690)
c = ((y1 ** 2 - x1 ** 3) - (y2 ** 2 - x2 ** 3)) * inverse(x1 - x2, p) % p
b = (y1 ** 2 - x1 ** 3 - c * x1) % p
E = EllipticCurve(GF(p), [c, b])
G = E(x1 ,y1)
P = E(x2 ,y2)
k = P.log(G) # 2951856998192356
iv = 0xbae1b42f174443d009c8d3a1576f07d6
cipher = 0xff34da7a65854ed75342fd4ad178bf577bd622df9850a24fd63e1da557b4b8a4
key = hashlib.sha256(str(k).encode()).digest()[:16]
aes = AES.new(key, AES.MODE_CBC, long_to_bytes(iv))
m = aes.decrypt(long_to_bytes(cipher))
print(m)

或者网页版https://sagecell.sagemath.org/

p = 770311352827455849356512448287
E = EllipticCurve(GF(p), [-35, 98])
G = E(584273268656071313022845392380, 105970580903682721429154563816)
P = E(401055814681171318348566474726, 293186309252428491012795616690)
k = G.discrete_log(P)
print(k) # 2951856998192356

RSA_loss

题目描述：

from Crypto.Util.number import *
from gmpy2 import *
p = getPrime(100)
q = getPrime(100)
n = p * q
e = 65537
message = b""
m = bytes_to_long(message)
c = pow(m, e, n)
print(f'c = {c}')
print(f'p = {p}')
print(f'q = {q}')
d = invert(e,(p-1)*(q-1))
newm = pow(c, d, n)
print(long_to_bytes(newm))
# c = 356435791209686635044593929546092486613929446770721636839137
# p = 898278915648707936019913202333
# q = 814090608763917394723955024893
# newm = b'X\xee\x1ey\x88\x01dX\xf6i\x91\x80h\xf4\x1f!\xa7"\x0c\x9a\x06\xc8\x06\x81\x15'

题目分析：

$$\begin{gathered} 得到的newm!=message，说明message比n大， \\ 试着去简单(+kn)爆破一下没有爆出来，说明message应该比n大不少 \\ 既然如此那就去爆破message里面的每一位 \end{gathered}$$

参考：https://tangcuxiaojikuai.xyz/post/94c7e291.html

猜测 $message\in [0-9,a-z,A-Z,\_]$
那么对应的ascii码就在48~128里面

假设message长度为le

那么：$newm=c=256^{(le-7)}\ast pre+256\ast m_0+suf$
(其中pre = b’DASCTF{’，suf = b’}’，m0为中间未知的数字串)

得到：$m_0\equiv 256^{-1}\ast (c-256^{(le-7)}\ast pre-suf)(\mathrm{m}\mathrm{o}\mathrm{d}p)$

又：$m_0\equiv {\sum }_{i=0}^{len-7-1-1}256^i\ast s_i(\mathrm{m}\mathrm{o}\mathrm{d}p)$

得到：$m_0\equiv {\sum }_{i=0}^{len-7-1-1}256^i\ast s_i+k\ast p$

构造如下格（为了保证能规约出0，做题时可以给格的最后一列配上个大系数）：
$$M=\left(\begin{array}{cccccc}1& & & & & 1\\ & 1& & & & 256\\ & & \ddots & & & ⋮\\ & & & 1& & 256^{le-9}\\ & & & & 1& -m_0\\ & & & & & p\end{array}\right)$$

有：$(s_0,s_1,...,s_{(le-9)},1,k)\ast M=(s_0,s_1,...,s_{(le-9)},1,0)$

此时：$s_i\in (48,128)$

有点大，优化一下：$t_i=s_i-48$

得到：$m_0\equiv {\sum }_{i=0}^{len-9}256^i\ast (t_i+48)(\mathrm{m}\mathrm{o}\mathrm{d}p)$

得到：$m_0-48\ast {\sum }_{i=0}^{len-9}256^i={\sum }_{i=0}^{len-9}256^i\ast t_i=m_1$

此时 $t_i\in (0,80)，目标向量为：(t_0,t_1,...,t_{(le-9)},1,0)$

测试之后发现只有在 $le<=33$ 才能出结果，带入题中数据没得到结果说明 $len(flag)>33$

既然如此，再优化下：$t_i=s_i-48-40$

得到：$m_0\equiv {\sum }_{i=0}^{len-9}256^i\ast (t_i+48+40)(\mathrm{m}\mathrm{o}\mathrm{d}p)$

此时：$t_i\in (-40,40)，目标向量为：(t_0,t_1,...,t_{(le-9)},1,0)$

正好，能出

exp:

from Crypto.Util.number import *

p1 = 898278915648707936019913202333
q1 = 814090608763917394723955024893
newm = bytes_to_long(b'X\xee\x1ey\x88\x01dX\xf6i\x91\x80h\xf4\x1f!\xa7"\x0c\x9a\x06\xc8\x06\x81\x15')
p = p1 * q1
c = newm

prefix = b"DASCTF{"
suffix = b"}"
for le in range(33, 40):
    length = le - len(prefix) - len(suffix)
    #part1 remove prefix and suffix
    c -= 256^(len(suffix) + length) * bytes_to_long(prefix)
    c -= bytes_to_long(suffix)
    c = c * inverse(256,p) % p

    L = Matrix(ZZ,length+2,length+2)
    for i in range(length):
        L[i,i] = 1
        L[i,-1] = 256^i
        c -= 256^i*48
        c -= 256^i*40

    L[-2,-2] = 1
    L[-2,-1] = -c
    L[-1,-1] = p
    L[:,-1:] *= p
    res = L.BKZ()
    for i in res[:-1]:
        flag = ""
        if(all(abs(j) <= 40 for j in i[:-2])):
            if(i[-2] == 1):
                for j in i[:-2][::-1]:
                    flag += chr(48 + 40 + j)
            elif i[-2] == -1:
                for j in i[:-2][::-1]:
                    flag += chr(48 + 40 - j)
        if(flag != ""):
            print(flag)
    c = newm
# o0p5_m3ssaGe_to0_b1g_nv93nd0

TheoremPlus

题目描述：

from Crypto.Util.number import *
from gmpy2 import *
from secret import flag

def decode_e(e):
    if e > 1:
        mul = 1
        for i in range(1, e):
            mul *= i
        if e - mul % e - 1 == 0:
            mulmod = mul % e - e
        else:
            mulmod = mul % e
        return mulmod + decode_e(e - 1)
    else:
        return 0

q = getPrime(1024)
p = next_prime(q)
n = p * q
phi = (p - 1) * (q - 1)
e = abs(decode_e(703440151))
c = pow(bytes_to_long(flag), e, n)
print('n = {}\n'
      'c = {}'.format(n, c))

'''
n = 18770575776346636857117989716700159556553308603827318013591587255198383129370907809760732011993542700529211200756354110539398800399971400004000898098091275284235225898698802555566416862975758535452624647017057286675078425814784682675012671384340267087604803050995107534481069279281213277371234272710195280647747033302773076094600917583038429969629948198841325080329081838681126456119415461246986745162687569680825296434756908111148165787768172000131704615314046005916223370429567142992192702888820837032850104701948658736010527261246199512595520995042205818856177310544178940343722756848658912946025299687434514029951
c = 2587907790257921446754254335909686808394701314827194535473852919883847207482301560195700622542784316421967768148156146355099210400053281966782598551680260513547233270646414440776109941248869185612357797869860293880114609649325409637239631730174236109860697072051436591823617268725493768867776466173052640366393488873505207198770497373345116165334779381031712832136682178364090547875479645094274237460342318587832274304777193468833278816459344132231018703578274192000016560653148923056635076144189403004763127515475672112627790796376564776321840115465990308933303392198690356639928538984862967102082126458529748355566
'''

题目分析：
函数 decode_e(a) 中的逻辑：

$如果(a-1)的阶乘mul\equiv (a-1)!\equiv -1(\mathrm{m}\mathrm{o}\mathrm{d}a),那么mulmod=-1，否则mulmod=mul\%a$

$\text{威尔逊定理：对于素数 }p\text{ 有 }(p-1)!\equiv -1(\mathrm{m}\mathrm{o}\mathrm{d}p)$

所以(1, a)范围内的数字中，素数的mulmod = -1

那么接下来看看合数的mulmod，合数一定能由小于它的数组成，或者说合数一定能由小于它的素数组成，比如 6 = 2 * 3，8 = 2 * 4 = 2 * 2 * 2，…
$故如果e为合数，那么一定有(e-1)!=k\ast e（感叹号为阶乘符号），所以此时的mulmod=mul\%e=k\ast e\%e=0（4先除外）$

可以去打印一下看看，也是符合的：

既然如此，那么我们只要知道在1~703440151中有多少个素数，我们就能求出e

exp:

from Crypto.Util.number import *
from sympy import primepi
from gmpy2 import *
n = 18770575776346636857117989716700159556553308603827318013591587255198383129370907809760732011993542700529211200756354110539398800399971400004000898098091275284235225898698802555566416862975758535452624647017057286675078425814784682675012671384340267087604803050995107534481069279281213277371234272710195280647747033302773076094600917583038429969629948198841325080329081838681126456119415461246986745162687569680825296434756908111148165787768172000131704615314046005916223370429567142992192702888820837032850104701948658736010527261246199512595520995042205818856177310544178940343722756848658912946025299687434514029951
c = 2587907790257921446754254335909686808394701314827194535473852919883847207482301560195700622542784316421967768148156146355099210400053281966782598551680260513547233270646414440776109941248869185612357797869860293880114609649325409637239631730174236109860697072051436591823617268725493768867776466173052640366393488873505207198770497373345116165334779381031712832136682178364090547875479645094274237460342318587832274304777193468833278816459344132231018703578274192000016560653148923056635076144189403004763127515475672112627790796376564776321840115465990308933303392198690356639928538984862967102082126458529748355566
e = primepi(703440151) - 2
p = next_prime(iroot(n,2)[0])
q = n // p
phi = (p - 1) * (q - 1)
d = invert(int(e), phi)
print(long_to_bytes(pow(c, d, n)))

浅记一下：

关键词: ECC，curve，G.discrete_log( P)，Pohlig Hellman，解方程，格，优化，阶乘，primepi