[UTCTF2020]Curveball

[UTCTF2020]Curveball

My friend Shamir was trying to share the flag with me and some of the other problem writers, but he wanted to make sure it didn’t get intercepted in transmission, so he split it up. He said that the secrets that he shared will help us find the flag, but I can’t figure it out! These are the secrets I’ve gathered so far:

(C81E728D9D4C2F636F067F89CC14862C, 31E96A93BF1A7CE1872A3CCDA6E07F86)
(ECCBC87E4B5CE2FE28308FD9F2A7BAF3, ADF6E4F1052BDE978344743CCDCF5771)
(E4DA3B7FBBCE2345D7772B0674A318D5, 0668FBCFE4098FEA0218163AC21E6531)

Can you figure out which flag is the right one?

by balex

还给了一个巨大的flag.txt

需要我们找到：which flag is the right one

这就是一道Shamir秘密共享的问题。

wiki百科：https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

在本题中给出了三对数据

(C81E728D9D4C2F636F067F89CC14862C, 31E96A93BF1A7CE1872A3CCDA6E07F86)
(ECCBC87E4B5CE2FE28308FD9F2A7BAF3, ADF6E4F1052BDE978344743CCDCF5771)
(E4DA3B7FBBCE2345D7772B0674A318D5, 0668FBCFE4098FEA0218163AC21E6531)

通过对其MD5查表

可转化为：

(2,5398141)
(3,5398288)
(5,5398756)

所以我们可以把它放置在有理数环QQ上（因为计算秘密过程出来不一定是一个整数）去算

或者直接计算也可以。

....: x0,y0=(2,5398141)
....: x1,y1=(3,5398288)
....: x2,y2=(5,5398756)
....: R.<x>=QQ[]
sage: fx=y0*((-x1)*(-x2))/((x0-x1)*(x0-x2))+y1*((-x0)*(-x2))/((x1-x0)*(x1-x2))+y
....: 2*((-x1)*(-x0))/((x2-x1)*(x2-x0))
sage: print(fx)
5398021

就得到了他们可计算出的秘密，5398021.

得到这个数据以后就可以根据其所在行寻找对应的flag

其他write up中的计算方法：

x0,y0=(2,5398141)
x1,y1=(3,5398288)
x2,y2=(5,5398756)
R.<x>=QQ[]
l0=(x-x1)/(x0-x1)*((x-x2)/(x0-x2))
l1=(x-x0)/(x1-x0)*((x-x2)/(x1-x2))
l2=(x-x0)/(x2-x0)*((x-x1)/(x2-x1))
fx=y0*l0+y1*l1+y2*l2
print(fx)
29*x^2 + 2*x + 5398021

我们可以研究一下其shamir生成过程：

import random, math
from sympy import symbols

# 14776336
#  5398021

s = 5398021 # secret
n = 5       # shares
k = 3       # threshold

coeff = list()
limit = 50
for i in range(k - 1):
    coeff.append(random.randint(-limit, limit))

x = symbols('x')
exp = s
power = 1

for c in coeff:
    exp += x**power * c
    power += 1

print(exp)

shares = list()
for share in range(1, n + 1):
    shares.append((share, exp.subs(x, share)))

print(shares)

其用户数为5，shamir门限值为3

并根据该生成函数，我们可以将其他的两个用户掌握的信息也计算出来：

29*x**2 + 2*x + 5398021

(1, 5398052) 
(2, 5398141) 
(3, 5398288) 
(4, 5398493) 
(5, 5398756)

(C4CA4238A0B923820DCC509A6F75849B, 0010B2FB3FFA462DD06792909B23C60A)
(C81E728D9D4C2F636F067F89CC14862C, 31E96A93BF1A7CE1872A3CCDA6E07F86)
(ECCBC87E4B5CE2FE28308FD9F2A7BAF3, ADF6E4F1052BDE978344743CCDCF5771)
(A87FF679A2F3E71D9181A67B7542122C, BED2A2D5E68CF2139D9648D7D2ECE6E7)
(E4DA3B7FBBCE2345D7772B0674A318D5, 0668FBCFE4098FEA0218163AC21E6531)

比如说我们现在可以生成一个秘密为utflag{666666}

然后用

import itertools, string

def generate_strings(length):
    chars = string.digits
    for item in itertools.product(chars, repeat = length):
        yield "".join(item)

def main():
    out = open("flags.txt", "w")
    gen = generate_strings(6)
    for string in gen:
        flag = "utflag{" + string + "}"
        print(flag)
        out.write(flag + "\n")
    out.close()

main()

生成一个为六位数字所有情况的flags.txt

通过查找flag{666666}所在行号来作为我们的秘密。

因为这里我只生成了(10个)数字作为每一位的选择，所以行号和flag是一一对应的 这里只做一个题目解读尝试。

然后我们的秘密就是666667

import random, math
from sympy import symbols


s = 666667 # secret
n = 10       # shares
k = 3       # threshold

coeff = list()
limit = 50
for i in range(k - 1):
    coeff.append(random.randint(-limit, limit))

x = symbols('x')
exp = s
power = 1

for c in coeff:
    exp += x**power * c
    power += 1

print(exp)

shares = list()
for share in range(1, n + 1):
    shares.append((share, exp.subs(x, share)))

print(shares)

假如我们的用户数为10个，只要其中的5个人就能恢复的话，就可以采用这个脚本来构建。

-x**4 - 8*x**3 - 25*x**2 - 14*x + 666667
[(1, 666619),(2, 666459), (3, 666103), (4, 665443), (5, 664347), (6, 662659), (7, 660199), (8, 656763), (9, 652123), (10, 646027)]

然后我们尝试一下恢复秘密

选择用户1，3，5，7，9去恢复

x0,y0=(1, 666619)
x1,y1=(3, 666103)
x2,y2=(5, 664347)
x3,y3=(7, 660199)
x4,y4=(9, 652123)
R.<x>=QQ[]
l0=(x-x1)/(x0-x1)*((x-x2)/(x0-x2))*((x-x3)/(x0-x3))*((x-x4)/(x0-x4))
l1=(x-x0)/(x1-x0)*((x-x2)/(x1-x2))*((x-x3)/(x1-x3))*((x-x4)/(x1-x4))
l2=(x-x0)/(x2-x0)*((x-x1)/(x2-x1))*((x-x3)/(x2-x3))*((x-x4)/(x2-x4))
l3=((x-x0)/(x3-x0))*((x-x1)/(x3-x1))*((x-x2)/(x3-x2))*((x-x4)/(x3-x4))
l4=((x-x0)/(x4-x0))*((x-x1)/(x4-x1))*((x-x2)/(x4-x2))*((x-x3)/(x4-x3))
fx=y0*l0+y1*l1+y2*l2+y3*l3+y4*l4
print(fx)



sage: x0,y0=(1, 666619)
....: x1,y1=(3, 666103)
....: x2,y2=(5, 664347)
....: x3,y3=(7, 660199)
....: x4,y4=(9, 652123)
....: R.<x>=QQ[]
....: l0=(x-x1)/(x0-x1)*((x-x2)/(x0-x2))*((x-x3)/(x0-x3))*((x-x4)/(x0-x4))
....: l1=(x-x0)/(x1-x0)*((x-x2)/(x1-x2))*((x-x3)/(x1-x3))*((x-x4)/(x1-x4))
....: l2=(x-x0)/(x2-x0)*((x-x1)/(x2-x1))*((x-x3)/(x2-x3))*((x-x4)/(x2-x4))
....: l3=((x-x0)/(x3-x0))*((x-x1)/(x3-x1))*((x-x2)/(x3-x2))*((x-x4)/(x3-x4))
....: l4=((x-x0)/(x4-x0))*((x-x1)/(x4-x1))*((x-x2)/(x4-x2))*((x-x3)/(x4-x3))
....: fx=y0*l0+y1*l1+y2*l2+y3*l3+y4*l4
....: print(fx)
-x^4 - 8*x^3 - 25*x^2 - 14*x + 666667

成功恢复秘密。