难度:basic
目录
ez_enc
A->0,B->1
MyMessage
from Crypto.Util.number import *
import os
flag = os.getenv('FLAG')
e = 127
def sign():
msg = input("Input message:")
p = getPrime(512)
q = getPrime(512)
n = p*q
c = pow(bytes_to_long((msg + flag).encode()), e, n)
print(f"n: {n}")
print(f"Token: {hex(c)}")
def main():
while True:
sign()
main()
申请127组n,c然后中国剩余定理,再开127次方
from pwn import *
import gmpy2
from Crypto.Util.number import *
n=[]
c=[]
for i in range(127):
p=remote('node3.anna.nssctf.cn',28167)
p.recv()
p.sendline(b'1')
n.append(int(p.recvline().replace(b'\n',b'').replace(b'n: ',b'').decode()))
c.append(int(p.recvline().replace(b'\n',b'').replace(b'Token: ',b'').decode(),16))
print('c=',c)
print('n=',n)
print(gmpy2.iroot(crt(c,n),127))
res=gmpy2.iroot(crt(c,n),127)[0]
long_to_bytes(ZZ(res))
MyGame
def randommsg():
return ''.join(random.choices(string.ascii_lowercase+string.digits, k=30))
mymsg = randommsg()
def guess():
global mymsg
msg = input()
if msg == mymsg:
print(flag)
else:
print(mymsg)
mymsg = randommsg()
def encrypt():
e = random.getrandbits(8)
c = pow(bytes_to_long(mymsg.encode()), e, n)
print(f'Cipher_{e}: {c}')
def main():
print(f'n: {n}')
while True:
opt = int(input())
if opt == 1:
guess()
elif opt == 2:
encrypt()
main()
爆破就好了e<=3,直接开根号解密
from pwn import *
from Crypto.Util.number import long_to_bytes
import gmpy2
p=remote('node1.anna.nssctf.cn',28593)
p.recv()
for i in range(1111):
p.sendline(b'2')
p.recvuntil(b'Cipher_')
res=int(p.recvuntil(b':',drop=True))
# print(res)
if 1<=res<=3:
r=gmpy2.iroot(int(p.recv().replace(b'\n',b'')),res)[0]
p.sendline(b'1')
print(long_to_bytes(r))
p.sendline(long_to_bytes(r))
print(p.recv())
break
p.sendline(b'1')
p.sendline(b'a')
ez_signin
from Crypto.Util.number import *
from secret import flag
p = getPrime(512)
q = getPrime(512)
while p < q:
p = getPrime(512)
q = getPrime(512)
n = p*q
e = 65536
m = bytes_to_long(flag)
num1 = (pow(p,e,n)-pow(q,e,n)) % n
num2 = pow(p-q,e,n)
c = pow(m,e,n)
print((pow(p,e,n)+pow(q,e,n)) % n)
print("num1=",num1)
print("num2=",num2)
print("n=",n)
print("c=",c)
白给p,q,然后16轮rabin
16轮rabin不多说了
from math import gcd
from Crypto.Util.number import *
import gmpy2
num1= 74855936739883128482407980713629787928336508970708775500063924987764446801166219897775757478103272520249050665169652147137185381263306897125654437893250835481585042537676958789828784956928691092952816954836512551033082906298364081917666748686852386446936855259928138289544457781489895504162490035240749727990
num2= 111247396496283863837420733428958282109761874657402097146856628235950794746291971063634970558718097943690299561138037273430924852794331139275479211073023487111358635937276285736517965779750326464852716398401820548311929089425697226444842008702822910231272934456766234983635829634069431624660674624530383190442
n= 116649608565140972320095724465036758554506774564633065921133362066121806821519413504047911847066546840175644429046561544018917464691000222484518411089554824270659718060510818577972071229704274454669139480018916015677564623809580094222479120611722177503561402214364828845877753254874090429071533949692957614753
c= 76331022314160475295822009203612436874085930615661700985769409098647157393688444537270430993240049684232968633855346067385113977306505793482807163903794880680448270843837770341026630701732034313479515586140487294862311324532193471081722989612474930623455176502235495773657446636970923328729838580131542858489
e=65536
p=gcd((num1+num2)//2,n)
q=n//p
def s(c):
# 计算解密参数
mp = pow(c, (p+1)//4, p)
mq = pow(c, (q+1)//4, q)
# 计算四个可能的明文
d1 = (mq * p * inverse(p, q) + mp * q * inverse(q, p)) % n
d2 = n - d1
d3 = (mq * p * inverse(p, q) - mp * q * inverse(q, p)) % n
d4 = n - d3
return [d1,d2,d3,d4]
res=s(c)
r=[]
for j in res:
r.extend(s(j))
rr=[]
for i in range(14):
for j in r:
rr.extend(s(j))
r=list(set(rr))
rr=[]
for i in r:
# assert i**65536 %n==c
print(long_to_bytes(i))
ez_fac
from Crypto.Util.number import *
import random
from secret import flag,a0,a1,b0,b1
from math import gcd
p = getPrime(512)
q = getPrime(512)
e = getPrime(128)
n = p*q
assert pow(a0,2) + e * pow(b0,2) == n
assert pow(a1,2) + e * pow(b1,2) == n
m = bytes_to_long(flag)
c = pow(m,e,n)
print("c=",c)
print("n=",n)
print("a0=",a0)
print("a1=",a1)
print("b0=",b0)
print("b1=",b1)
论文找不到,推了半天
拿N与右边两个试一试取gcd,找到p,q。
这里应该有更严谨的数学证明,我还没找到原论文
c= 5799544639044779139946986791968145510500846652462292052669633760413793534018383092866571964128143513470554049521942327693339117020165620652006179062910793603018927768602371234880198300008770059120008931561100898666842097883558852980418823006037241685517419835838507990954385234830523251403758955806826879618
n= 68213208588478797434590492859598739065823280021105118658256543122706784900469481081964111014749980113295583260451091704150528768605932666799412946865058790012894692488259241968015202288744183901848022883964499756643821431612690339225279670319451134943024508330650176312418898073776471627253566187743581793833
a0= 8259128803238196105145168509958253369987536854763500176125746426134013180662179728549795800662462190076558053794789304838962250053195422657018957572091186
a1= 8259128803238196105145168474324027148454893273833648536836996881435062963908812785389760028008330862192062834681076966317258060159497292746026639842677270
b0= 2575418967504712085947402904040636239908962189712404174717075221760668016177010089065939310889632792569300801582754242093
b1= 54388006608267379711185614568312546859264790019372706395762423818871188129324130561340418682315102770581787074378512364771
e=(n-a0**2)//b0**2
assert pow(a1,2) + e * pow(b1,2) == n
print(gcd(b1**2-b0**2,a0*b1-b0*a1))
p=gcd(n,a0*b1-a1*b0)
q=n//p
d=inverse(e,(p-1)*(q-1))
print(long_to_bytes(pow(c,d,n)))
NTR
import gmpy2
# from flag import flag
from Crypto.Util.number import *
flag=b'asadsa'
def init():
p = getPrime(2048)
while True:
x = getRandomNBitInteger(1024)
y = getPrime(768)
z = gmpy2.invert(x, p) * y % p
return (p, x, y, z)
def encrypt(cipher, p, z):
message = getRandomNBitInteger(768)
r = getRandomNBitInteger(1024)
c = (r * z + message) % p
print((r*y+x*message) %p)
return c
p,x,y,z=init()
c = encrypt(flag, p, z)
print('p=',p)
print('z=',z)
print('c=',c)
一开始是这样构造
最后是m一个肯定没有1024bit的,可能就512以下了,差距过大,LLL算不出来
然后就看init函数
这个等式要是构造的话可以按上面的那个格子一样,或者把上面的格子的c改为0.
得到y,x后就替换掉z
观察到mod p可以去掉
然后m小于768bits
可以整个式子mod y
z = 0b10000000010010110110101000111010010100110101010101110110110111010001100000000000111000011101010000100110011010010011100100100110111000010010010110110110001101100000101010010100101101100101011111111101011000010011010011100100111100111011101111010111000000001000110100100000001110111100110001110010000110000010100000111100101110011100000010110111100010000101001010001101110100111100111010011100001010011000000011011000100100010110011011101110101000101010101010110010110011100000100011000111011110001101110001010110111101001101010000110110001000110011101111100000111110000101000000111100000000001010101111000010100010000111110000111001110001010100110011010101001000111100100111011101011100110100111011011000001000101110101100011011100011101101100000000001001100100001111001011000101000011111110110110001111010111001111011100100111001000111110110111110010000011110011101110101111011101011001110011000101110101000101010111110100110100001001101001000110010111101010110011001100000001011010010111111011100111100000000010110000011001011110101011100100001100100010010010110101110100110111001001101100110000010001101100111011010100010011000000011001001111100111011100011111111010111111011010001001111101111100011110101010000001011100111000011001110000000100100100000111100100111100010110000100101110000101101010100110101110100111110011111000001010000000001001000111111110111011110110111011000000010110101010000000011011110001011110011001111001101001101010100100011010100101011110000001101110111010011010010101111000010101011111110111101001110010111111011110101010011001110001101101000110110100000000000010000101000111010011111101010111000111101011101001111011011001010001000100100111010001110111010101111011000101000010000101010101010001111110101010010001011001101101011000011111100100101100110000101010010001110111111111110001101000101110110110010110101111011111100000100011101101110111110011100101110110101000101000101101100100001110010100101011110000001101100001010101101010110100011000000010000011110111011001111111101010100001110010100111011010110001110
p = 0b10100101101001010100011110100010001000110001110110100101011111010010011011001011000001111110101011000101111010110011110011110011010100001101101010010111110010011011100111110100110001001000011110001101000111111000110101111111111000100010100001110101001101010011001011000101110010111100101001101101000111100001110001111010001011101011011011011000100101111000111110010011101111010111001110110110111110010111100110000011011011000111100000111101100111101010010110011110001001111111010000011101101110101001001111000100101000011110111011010001110000111100101001101010101111101100010001011001001011100110000101101100100101001001111011011010011100110110101100111101100100100111001111111100110010000110101011011101000111011110100111110010010010001111001000011001001011001011001000100110101001101101110111111010010110100111101001100101111110000011111111110010111100011101000000100011011001101101010010110101001111000010001111111110010100111110000111010001011100110000101000111100011100000111011110111110011111011110001110000010100010010110111100111010110011001111011111000000111101010011010001111001010110101111100010101001100100101110011100110001101010101000110011000001110010011100000110101110000001001011011010100000011100110110011011111001000011100111101101111000011000000000101110101001110011110110100101011101110011110111000011101110010111000100010101001110000001101111110001100000111111110010001110000011111111000111010010010101101000110100000111100111000100101001110001100110110011100011111110100111000111010100010101101110010010110011100011011110111001111100100010010011110111110101101111000001101010110000011100011010101100011001011000011110101101101100111101100010110101010101100100100001000111010000011000101010100100010100010110110100110001010100010011000110000010001111111010010111000100110111001011001100110010110101010000111001110011100101000010101111011001001110011100111100011000000110101111110010100110100000101011110100101110101101010100000010001100111101001110111011011111111000001000001111100111010110110100011001011001001101100101011101
c = 0b10010101111011010011100011101011011010100001010001111011000010001111000100110011100011100100011110111111110111111011111111010010110100111110101111111101000101010011000011000111000010011101001000111110001111011011100101111011000000010110010010011110000111110100010001101011101011000111111111001010111011110110001100101000011000011010100101001000100101010011011110101000000101110001100101100001111001010111110110111010100001111111100000110100000100011010011110100001000101101111100001110111000110011111101111000001011011101010000010111001101111101001000101110000101000000101111001000010000111110110011011100101101000101101001011001011001010111100110100100010010101010100110000001000011000000110001110110111010011000101011110100100100001010100010110010010010000111000111111000110000001101100111111101001110010101000010110010010001100010111000011000011000010011001000100111111111100010111101111000111010011101110101000010001110011100000001110011001010001000011000010001001110110011111100000110100000101101110110001000001001011110110001100010010110001011110010001110010000100101010100010110111100001111010000111110100010110110110001001111011100100111001100100110010011111111011101100100011011011010001101100011000001001010011110010101000001110100010100111001011001001000000001100000010011101100101110100111100100011010001011110111001010010001110001111101111001111011100000000010110110110001101111110101011101101110011011101000011101000000010011111000101111101011100111111011011001111001010111100110100111010010001010001001000011100101110110001110110101001100010111111001001110100100010001001010000111111001001111101010010000011010011111110101001101111110011111010011110001010111011100101100000001000110010101111000111100000010000010011100101111000100001001110000110000001001100111100000001101010100101010101101101101111101011100000101101111111011010100000001110110111101011100011010011111110011110101111010101111101100110110111110001000110100000110000101110100110100101100010001000011100000100011001000001110000010000011010000010001110111011111100101101
M=Matrix(ZZ,3,3)
M[0,0]=p
M[1,0]=z
M[2,0]=c
M[1,1]=1
M[2,2]=2^1024
M.LLL()
x=101068500732124499172203887476035942654583636804334368391795729414542355173316176744921245945600913938972066421202981551393992829923855130318252346696159368552681676637979135755351273806046911727826496012344037255997062589668694453165158298933121703274624435300768147152885978139125921680927869971389753945279
y=1133895806611059708714737862434064678419354942879188549281188871131809391420399480973282132841994864147346412895495043326967818523773920752221579906182077624889063986028934818301417527865300440338266085405934815532342088675329696129
print(y.bit_length(),x.bit_length(),isPrime(y))
dd=x*c %p
m=inverse(x,y)*dd %y
print(long_to_bytes(m))