ez_enc
题目:
ABAABBBAABABAABBABABAABBABAAAABBABABABAAABAAABBAABBBBABBABBABBABABABAABBAABBABAAABBAABBBABABABAAAABBAAABABAABABBABBBABBAAABBBAABABAABBAAAABBBAAAABAABBBAABBABABAABABAAAAABBBBABAABBBBAAAABBBBBAB
将A替换为0,B替换为1,再二进制转字符串
flag:
NSSCTF{mS4gT1Kv9L8NjPzx}
MyMessage
题目:
from Crypto.Util.number import *
import os
flag = os.getenv('FLAG')
e = 127
def sign():
msg = input("Input message:")
p = getPrime(512)
q = getPrime(512)
n = p*q
c = pow(bytes_to_long((msg + flag).encode()), e, n)
print(f"n: {n}")
print(f"Token: {hex(c)}")
def main():
while True:
sign()
main()
与黄河流域警校CTF类似,取127组数据构成 低加密指数广播攻击
,之后按照板子解题即可
解题代码:
import gmpy2
from pwn import *
from functools import reduce
from Crypto.Util.number import *
def CRT(ai, mi):
assert (reduce(gmpy2.gcd, mi) == 1)
assert (isinstance(mi, list) and isinstance(ai, list))
M = reduce(lambda x, y: x * y, mi)
ai_ti_Mi = [a * (M // m) * gmpy2.invert(M // m, m) for (m, a) in zip(mi, ai)]
return reduce(lambda x, y: x + y, ai_ti_Mi) % M
e = 127
n = []
c = []
for i in range(127):
p = remote('node2.anna.nssctf.cn', 28949)
message='1'
send_data = p.sendline(message.encode())
get_n = p.recvline().decode()
get_token = p.recvline().decode()
n_data = int(get_n.split(':')[1].replace('\n',''))
c_data = int(get_token.split(':')[1].strip(),16)
n.append(n_data)
c.append(c_data)
M = int(CRT(c,n))
m = gmpy2.iroot(M,127)[0]
flag = long_to_bytes(m)
print(flag)
MyGame
题目:
from Crypto.Util.number import *
import os
import random
import string
flag = os.getenv('FLAG')
def menu():
print('''=---menu---=
1. Guess
2. Encrypt
''')
p = getPrime(512)
q = getPrime(512)
n = p*q
def randommsg():
return ''.join(random.choices(string.ascii_lowercase+string.digits, k=30))
mymsg = randommsg()
def guess():
global mymsg
msg = input()
if msg == mymsg:
print(flag)
else:
print(mymsg)
mymsg = randommsg()
def encrypt():
e = random.getrandbits(8)
c = pow(bytes_to_long(mymsg.encode()), e, n)
print(f'Cipher_{e}: {c}')
def main():
print(f'n: {n}')
while True:
opt = int(input())
if opt == 1:
guess()
elif opt == 2:
encrypt()
main()
显然n已经确定了,那么直接取两组数据构成共模攻击
,然后按照板子解题即可
解题代码:
from Crypto.Util.number import *
import gmpy2
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def deocode():
n = 92376669002623921509402142523040417979742847285128913230222037277281193123569384917422295565460337201247419578329317570919388466167460921476436708744255861919569840646055365622736782018449981456970295507042507578400203506466228792516604670880411611388070363010575761687416199559859671498479577162814750167227
c1 = 56209807203263700238616560618292167910103178762773040784631746817419178047868684355927134794504437622277771565804770934927080520866774097937077159522561456694970573720502644960107683432027702982653269325018244743399259436663458302138397221829147003127560773174189067496942399020628208697090961657373400555014
c2 = 90201008191161333080317628432839944522494767331025005565907527059217108167006947509077285590701267614286437629784262846613850046677772564536135707131060135969549898546289759735024482099701063980172806975932382772513818194522857561088504530894222162124688966716463702313948548512256262573687696646070994545974
e1 = 170
e2 = 98
s = egcd(e1, e2)
s1 = s[1]
s2 = s[2]
if s1 < 0:
s1 = - s1
c1 = gmpy2.invert(c1, n)
elif s2 < 0:
s2 = - s2
c2 = gmpy2.invert(c2, n)
if gmpy2.gcd(e1, e2) == 1:
print("e1,e2互质")
message = pow(c1, s1, n) * pow(c2, s2, n) % n
flag = long_to_bytes(message)
print(flag)
elif gmpy2.gcd(e1, e2) != 1:
message = pow(c1, s1, n) * pow(c2, s2, n) % n
common_e = gmpy2.gcd(e1, e2)
print("e1,e2不互质,且公约数为" + str(common_e))
flag = long_to_bytes((gmpy2.iroot(message, common_e)[0]))
print(flag)
if __name__ == '__main__':
deocode()
解密得到随机字符串:dpb3o4zvh47f8xksol7zgvbuullc96
,之后选择1进入到guess()方法输入字符串即可得到flag
ez_signin
题目:
from Crypto.Util.number import *
from secret import flag
p = getPrime(512)
q = getPrime(512)
assert p > q
n = p*q
e = 65536
m = bytes_to_long(flag)
num1 = (pow(p,e,n)-pow(q,e,n)) % n
num2 = pow(p-q,e,n)
c = pow(m,e,n)
print("num1=",num1)
print("num2=",num2)
print("n=",n)
print("c=",c)
n
u
m
1
≡
p
e
−
q
e
m
o
d
n
num1 \equiv p^e-q^e \space mod \space n
num1≡pe−qe mod n
n
u
m
2
≡
(
p
−
q
)
e
m
o
d
n
,
二项式展开,关于
p
q
的式子可消除,那么
n
u
m
2
≡
p
e
+
q
e
m
o
d
n
num2 \equiv (p-q)^e \space mod \space n,二项式展开,关于pq的式子可消除,那么num2 \equiv p^e+q^e \space mod \space n
num2≡(p−q)e mod n,二项式展开,关于pq的式子可消除,那么num2≡pe+qe mod n
两式相加得到
n
u
m
1
+
n
u
m
2
≡
2
∗
p
e
m
o
d
n
num1+num2 \equiv 2*p^e \space mod \space n
num1+num2≡2∗pe mod n
此时上式与n
存在最大公约数p
,可得
p
=
g
c
d
(
n
u
m
1
+
n
u
m
2
,
n
)
,
q
=
n
/
/
p
p = gcd(num1+num2,n),q = n//p
p=gcd(num1+num2,n),q=n//p
此时
e
=
65536
=
2
16
e = 65536=2^{16}
e=65536=216,且经计算p和q都属于4k+3型素数
,直接16次Rabin算法
解密即可
解题代码:
from Crypto.Util.number import *
import gmpy2
num1= 134186458247304184975418956047750205959249518467116558944535042073046353646812210914711656218265319503240074967140027248278994209294869476247136854741631971975560846483033205230015783696055443897579440474585892990793595602095853960468928457703619205343030230201261058516219352855127626321847429189498666288452
num2= 142252615203395148320392930915384149783801592719030740337592034613073131106036364733480644482188684184951026866672011061092572389846929838149296357261088256882232316029199097203257003822750826537629358422813658558008420810100860520289261141533787464661186681371090873356089237613080052677646446751824502044253
n= 154128165952806886790805410291540694477027958542517309121222164274741570806324940112942356615458298064007096476638232940977238598879453357856259085001745763666030177657087772721079761302637352680091939676709372354103177660093164629417313468356185431895723026835950366030712541994019375251534778666996491342313
c= 9061020000447780498751583220055526057707259079063266050917693522289697419950637286020502996753375864826169562714946009146452528404466989211057548905704856329650955828939737304126685040898740775635547039660982064419976700425595503919207903099686497044429265908046033565745195837408532764433870408185128447965
p = GCD(num1+num2,n)
q = n//p
x0=gmpy2.invert(p,q)
x1=gmpy2.invert(q,p)
cs = [c]
for i in range(16):
ps = []
for c2 in cs:
r = pow(c2, (p + 1) // 4, p)
s = pow(c2, (q + 1) // 4, q)
x = (r * x1 * q + s * x0 * p) % n
y = (r * x1 * q - s * x0 * p) % n
if x not in ps:
ps.append(x)
if n - x not in ps:
ps.append(n - x)
if y not in ps:
ps.append(y)
if n - y not in ps:
ps.append(n - y)
cs = ps
for m in ps:
flag = long_to_bytes(m)
if b"nssctf" in flag:
print(flag)
break
ez_fac
题目:
from Crypto.Util.number import *
import random
from secret import flag,a0,a1,b0,b1
p = getPrime(512)
q = getPrime(512)
e = getPrime(128)
n = p*q
assert pow(a0,2) + e * pow(b0,2) == n
assert pow(a1,2) + e * pow(b1,2) == n
m = bytes_to_long(flag)
c = pow(m,e,n)
print("c=",c)
print("n=",n)
print("a0=",a0)
print("a1=",a1)
print("b0=",b0)
print("b1=",b1)
论文:《A Note on Euler’s Factoring Problem-Brillhart_Euler_factoring_2009》
当
N
=
m
a
2
+
n
b
2
N=ma^2+nb^2
N=ma2+nb2
N
=
m
c
2
+
n
d
2
N = mc^2+nd^2
N=mc2+nd2
则有,
N
=
(
N
,
a
d
−
b
c
)
⋅
N
(
N
,
a
d
−
b
c
)
N = (N,ad-bc) \cdot \frac{N}{(N,ad-bc)}
N=(N,ad−bc)⋅(N,ad−bc)N
那么
,
p
=
g
c
d
(
N
,
a
d
−
b
c
)
那么,p = gcd(N,ad-bc)
那么,p=gcd(N,ad−bc)
解题代码:
import gmpy2
from Crypto.Util.number import *
c= 34007465638566836660852768374211870538357285529060206826620688555044780516477877596651414637089490522614456532732711803500304737160162560168303462221485961593760966240770414498297915175227814336224871400766371471776600674705757656616409870237891336752248110367865552469248343708419900511716030176178698949179
n= 70043427687738872803871163276488213173780425282753969243938124727004843810522473265066937344440899712569316720945145873584064860810161865485251816597432836666987134938760506657782143983431621481190009008491725207321741725979791393566155990005404328775785526238494554357279069151540867533082875900530405903003
a0= 8369195163678456889416121467476480674288621867182572824570660596055739410903686466334448920102666056798356927389728982948229326705483052970212882852055482
a1= 8369195163678456889416121462308686152524805984209312455308229689034789710117101859597220211456125364647704791637845189120538925088375209397006380815921158
b0= 25500181489306553053743739056022091355379036380919737553326529889338409847082228856006303427136881468093863020843230477979
b1= 31448594528370020763962343185054872105044827103889010592635556324009793301024988530934510929565983517651356856506719032859
e = (n-pow(a0,2))//pow(b0,2)
p = gmpy2.gcd(a0*b1-a1*b0,n)
q = n//p
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = long_to_bytes(m)
print(flag)
NTR
题目:
import gmpy2
from flag import flag
from Crypto.Util.number import *
def init():
p = getPrime(2048)
while True:
x = getRandomNBitInteger(1024)
y = getPrime(768)
z = gmpy2.invert(x, p) * y % p
return (p, x, y, z)
def encrypt(cipher, p, z):
message = bytes_to_long(cipher)
r = getRandomNBitInteger(1024)
c = (r * z + message) % p
return c
p, x, y, z = init()
c = encrypt(flag, p, z)
with open("cipher.txt", "w") as f:
f.write("binz = " + str(bin(z)) + "\n")
f.write("binp = " + str(bin(p)) + "\n")
f.write("binc = " + str(bin(c)) + "\n")
binz = 0b10000100100000110000100001011001100110110111111110101001011100111001101101100100010010100110111010000001000001100011111011011000110000000111011100100010010001100110101001001110011000110000100101111001101010000101001101010001111001110000010100011001101010111000110111011111100101100100101100111000101011111101111011000101000100000010100100000110000001011100011100010001101001100101100100000101101101001100110100100101110000011001000000000010100010100011001100110101011000010000001111100101001001110111000110010001101111111110000111100001110011100001101010001101010011011110101100100110110011001111110111100100000011101000000100010011101110111100111100111100011001000111010110100101100110111101010010111110000100100001110101011000010101110010010100101110001001101010101001100000111010011110001000010100000100010000010000110011100111100110011100110111101011101001000110110011001011010101100110111111110001011110000100100011110111100011111011111011100110011011100010111010110010111101010001100010001010010111111101110011010101000010000011100000110001100110100001010011010111000000110001010110000110000000100111000101010000010100000110111111111001100100101001111001010010101101101100111010000001100101100100101010111010000011101000100011011111010101100000011100100101110001100100010010010100010000100100100111101101110110111101011001111011011101001110110100101111110001010110010000101111011110111011100111100110000110000010101001101001101000111010100110011000101010001110100110101101110011111010110010010111110111101100111100101110110011110100100000101000101100111000100011001111110001000010010001010101110001110000111100110001101111110110001001001100101110001010111111000111000100011001110001010101000100110001000101110110101000000001100010001000101110000000010001001001100110100100011100101101010010100001011111001011010011001000101101101001111001100101011101111110111101101100111110000100110110011110000111111011010010010011011100100101000000111110110010101110010011000111101101011111110001100101100011111110111111100111001011001010010101000011001110
binp = 0b10011001100000011101010111000011011000001101101000010101101110001111101010101100110000100111101101000100011101001011001100101000110010001000100001010011011100110011001110111001101010000111100000111110110101011101110000010111111101101111001011111111101100010011010001000011000100000010111111001000100000010001010001110101101011001100110001100000001100111010010011010101000011001101111011001110101111111011111101010100100000111101010101001101110000010101100011111001111100001100111010000111100110000001010001001101111111111100010010010001100110000011100110100100001000001001011010000000010100100011001000000000000010100111010011000111011010001010111010001000101100101011001001101101001101101001110101111011010110100101000000001111000001100101000000010101011011011100000001010001111000000100110011011001010011101000010101100101001000001100111001101000111101000000111001110010100001111100101001001101001101000011111001001000101001100101010001011010101111001001101110011101011001011110000001000100100110110001011010101000111001111001011001000001011111110000111000001100011110000011001110000010110101010000000101001111111011100010000000111001110100000010001101100110111010100000011101000100111011111011110001011001110000010001101010011110100110100111001000100010000110110110010111100101111010011110011110100000001001110111100111101000100011011100011101111100101100110110100011101110001111111110010001000001101111100100101011111110111110010100101010110111010111110010110111101011101111110110110101001111101101000010010100000101111000100010110100010011101000100111000011111100111010011010011101110110000100101100101010111111000110100010010101001000001111001100100110101000100110101001011110111101010101110001111101111001110000101000001010110011111000000010010100010000111011001000111000011000011110100000111101101011100000101000111011101110101100101001110001101000111100111011110000110010101010000100110100011010111110111100010111111101010110001000010010011110111101000110001100101111000111101010101101101100100010110011101111101000011101100000101001111001
binc = 0b1111010111110100110011100100001100111101111000010010000010010011101110101000101000100011111101011100110010010111111010000111001101010101010111100000000100111111001111110001111011110100001111001001010001000000011110000001001000011010100111100011110011011010011010011011111111100100110000110010011101110111001001011010101001101011100110101110001111111100100111011010011001001001100010110100000011100000000100110010101100000001010000101000100010000101101111010101000001000110011101100101010111110111000100001011110101010011010010110111010010100101001001010011000100110010010010110100101001111001111000011011000000110000111111001101001111010011110101001001111111110001001100011100101100011110110101000110010110110110101110110110111010110111100101101000111101101011000010011001111111010111000001100101001010010110111100100100100011110101010010010010010100100011001100011111010011101101101101000010101101011000100101101100001000000001101111111100100101111000101011001010010011000011001101101110101001011111010110000111111111011000101100000000011001010000000111110000001101101100101010010001101101010101000010010010110101110100100110011001001011101011111110011100000100001100010100000101011100001110101101011011110000101110011011100010100101010011101011001011011111100001100010000010110010001111010000110010000011100010010101110000101011110000111101001110001111111111101011000110001111011100100111000010110001111110100100011110000100010000011101110101111101000110100110111101110001011101110100001101101100011111000010101111100011100011011001011110010000000001010010101100111001111110110101000010110101110001011000101101110100110111100000110101101010010111001101000010001101110011101010111111011001110000001110000110001000101110110010001001001101010011110100000010100000100010110000001000011001011010000010111010100100101010100010011001100111011110111100101111100000100110110110101101110100011011101101100000101111000011110011000010000000100010000011110110010000010101001110000111110111110001001101000010011101010101101111101010100001101010111010000010000
典型的NTRU
已知
z
≡
x
−
1
∗
y
m
o
d
p
z \equiv x^{-1}*y \space mod \space p
z≡x−1∗y mod p
c
≡
r
∗
z
+
m
m
o
d
p
c \equiv r*z+m \space mod \space p
c≡r∗z+m mod p
上式可化简为
y
≡
z
∗
x
m
o
d
p
y \equiv z*x \space mod \space p
y≡z∗x mod p
c
≡
r
∗
x
−
1
∗
y
+
m
m
o
d
p
c \equiv r*x^{-1}*y+m \space mod \space p
c≡r∗x−1∗y+m mod p
两边同时乘以
x
x
x
c
∗
x
≡
r
∗
y
+
x
∗
m
m
o
d
p
c*x \equiv r*y+x*m \space mod \space p
c∗x≡r∗y+x∗m mod p
两边同时模上y,消去r
c
∗
x
≡
(
x
∗
m
m
o
d
p
)
m
o
d
y
c*x \equiv (x*m \hspace{0.3cm} mod \space p) mod \space y
c∗x≡(x∗mmod p)mod y
则
m
≡
(
c
∗
x
m
o
d
p
)
∗
x
−
1
m
o
d
y
m \equiv (c*x\hspace{0.3cm}mod \space p) * x^{-1} \space mod \space y
m≡(c∗xmod p)∗x−1 mod y
我们已知z
和c
以及p
,现在只要求出x和y即可求出m
依赖如下等式
{
y
=
x
×
z
+
k
×
p
x
=
x
×
1
+
x
×
0
\left\{\begin{matrix} y = x \times z+k\times p\\ x =x \times 1+x\times 0 \end{matrix}\right.
{y=x×z+k×px=x×1+x×0
构造
(
x
k
)
(
1
z
0
p
)
=
(
x
y
)
\begin{pmatrix} x&&k \end{pmatrix}\begin{pmatrix} 1&z \\ 0&p \end{pmatrix}=\begin{pmatrix} x&&y \end{pmatrix}
(xk)(10zp)=(xy)
∵
v
⃗
=
(
x
,
y
)
≈
512
b
i
t
<
2
p
=
2
∗
512
b
i
t
\because \vec{v} = (x,y)\approx512bit<\sqrt{2p}=\sqrt{2}*512bit
∵v=(x,y)≈512bit<2p=2∗512bit
所以可以格基规约出x
和y
,带入计算即可得到flag
解题代码:
#sage
binz = '0b10000100100000110000100001011001100110110111111110101001011100111001101101100100010010100110111010000001000001100011111011011000110000000111011100100010010001100110101001001110011000110000100101111001101010000101001101010001111001110000010100011001101010111000110111011111100101100100101100111000101011111101111011000101000100000010100100000110000001011100011100010001101001100101100100000101101101001100110100100101110000011001000000000010100010100011001100110101011000010000001111100101001001110111000110010001101111111110000111100001110011100001101010001101010011011110101100100110110011001111110111100100000011101000000100010011101110111100111100111100011001000111010110100101100110111101010010111110000100100001110101011000010101110010010100101110001001101010101001100000111010011110001000010100000100010000010000110011100111100110011100110111101011101001000110110011001011010101100110111111110001011110000100100011110111100011111011111011100110011011100010111010110010111101010001100010001010010111111101110011010101000010000011100000110001100110100001010011010111000000110001010110000110000000100111000101010000010100000110111111111001100100101001111001010010101101101100111010000001100101100100101010111010000011101000100011011111010101100000011100100101110001100100010010010100010000100100100111101101110110111101011001111011011101001110110100101111110001010110010000101111011110111011100111100110000110000010101001101001101000111010100110011000101010001110100110101101110011111010110010010111110111101100111100101110110011110100100000101000101100111000100011001111110001000010010001010101110001110000111100110001101111110110001001001100101110001010111111000111000100011001110001010101000100110001000101110110101000000001100010001000101110000000010001001001100110100100011100101101010010100001011111001011010011001000101101101001111001100101011101111110111101101100111110000100110110011110000111111011010010010011011100100101000000111110110010101110010011000111101101011111110001100101100011111110111111100111001011001010010101000011001110'
binp = '0b10011001100000011101010111000011011000001101101000010101101110001111101010101100110000100111101101000100011101001011001100101000110010001000100001010011011100110011001110111001101010000111100000111110110101011101110000010111111101101111001011111111101100010011010001000011000100000010111111001000100000010001010001110101101011001100110001100000001100111010010011010101000011001101111011001110101111111011111101010100100000111101010101001101110000010101100011111001111100001100111010000111100110000001010001001101111111111100010010010001100110000011100110100100001000001001011010000000010100100011001000000000000010100111010011000111011010001010111010001000101100101011001001101101001101101001110101111011010110100101000000001111000001100101000000010101011011011100000001010001111000000100110011011001010011101000010101100101001000001100111001101000111101000000111001110010100001111100101001001101001101000011111001001000101001100101010001011010101111001001101110011101011001011110000001000100100110110001011010101000111001111001011001000001011111110000111000001100011110000011001110000010110101010000000101001111111011100010000000111001110100000010001101100110111010100000011101000100111011111011110001011001110000010001101010011110100110100111001000100010000110110110010111100101111010011110011110100000001001110111100111101000100011011100011101111100101100110110100011101110001111111110010001000001101111100100101011111110111110010100101010110111010111110010110111101011101111110110110101001111101101000010010100000101111000100010110100010011101000100111000011111100111010011010011101110110000100101100101010111111000110100010010101001000001111001100100110101000100110101001011110111101010101110001111101111001110000101000001010110011111000000010010100010000111011001000111000011000011110100000111101101011100000101000111011101110101100101001110001101000111100111011110000110010101010000100110100011010111110111100010111111101010110001000010010011110111101000110001100101111000111101010101101101100100010110011101111101000011101100000101001111001'
binc = '0b1111010111110100110011100100001100111101111000010010000010010011101110101000101000100011111101011100110010010111111010000111001101010101010111100000000100111111001111110001111011110100001111001001010001000000011110000001001000011010100111100011110011011010011010011011111111100100110000110010011101110111001001011010101001101011100110101110001111111100100111011010011001001001100010110100000011100000000100110010101100000001010000101000100010000101101111010101000001000110011101100101010111110111000100001011110101010011010010110111010010100101001001010011000100110010010010110100101001111001111000011011000000110000111111001101001111010011110101001001111111110001001100011100101100011110110101000110010110110110101110110110111010110111100101101000111101101011000010011001111111010111000001100101001010010110111100100100100011110101010010010010010100100011001100011111010011101101101101000010101101011000100101101100001000000001101111111100100101111000101011001010010011000011001101101110101001011111010110000111111111011000101100000000011001010000000111110000001101101100101010010001101101010101000010010010110101110100100110011001001011101011111110011100000100001100010100000101011100001110101101011011110000101110011011100010100101010011101011001011011111100001100010000010110010001111010000110010000011100010010101110000101011110000111101001110001111111111101011000110001111011100100111000010110001111110100100011110000100010000011101110101111101000110100110111101110001011101110100001101101100011111000010101111100011100011011001011110010000000001010010101100111001111110110101000010110101110001011000101101110100110111100000110101101010010111001101000010001101110011101010111111011001110000001110000110001000101110110010001001001101010011110100000010100000100010110000001000011001011010000010111010100100101010100010011001100111011110111100101111100000100110110110101101110100011011101101100000101111000011110011000010000000100010000011110110010000010101001110000111110111110001001101000010011101010101101111101010100001101010111010000010000'
z = int(binz,2)
p = int(binp,2)
c = int(binc,2)
M = Matrix(ZZ,[[1,z],
[0,p]])
res = M.LLL()
x,y = res[0]
x = abs(x)
y = abs(y)
m = ((c*x)%p*inverse_mod(x,y))%y
flag = bytes.fromhex(hex(m)[2:])
print(flag)
【大概骄傲就i是高高的城头,喜欢之人,就走在城头之上,脚下是骄傲。】