NSSCTF Round11 Crypto

无趣的浅

已于 2024-03-03 11:51:26 修改

阅读量931

点赞数 1

文章标签： python

于 2023-04-08 18:03:23 首次发布

本文链接：https://blog.csdn.net/qq_41626232/article/details/130031871

版权

难度：basic

ez_enc

A->0,B->1

MyMessage

from Crypto.Util.number import *
import os

flag = os.getenv('FLAG')

e = 127

def sign():
    msg = input("Input message：")
    p = getPrime(512)
    q = getPrime(512)
    n = p*q
    c = pow(bytes_to_long((msg + flag).encode()), e, n)
    print(f"n: {n}")
    print(f"Token: {hex(c)}")

def main():
    while True:
        sign()

main()

申请127组n,c然后中国剩余定理，再开127次方

from pwn import *
import gmpy2
from Crypto.Util.number import *
n=[]
c=[]
for i in range(127):
    p=remote('node3.anna.nssctf.cn',28167)
    p.recv()
    p.sendline(b'1')
    n.append(int(p.recvline().replace(b'\n',b'').replace(b'n: ',b'').decode()))
    c.append(int(p.recvline().replace(b'\n',b'').replace(b'Token: ',b'').decode(),16))
print('c=',c)
print('n=',n)
print(gmpy2.iroot(crt(c,n),127))
res=gmpy2.iroot(crt(c,n),127)[0]
long_to_bytes(ZZ(res))

MyGame

def randommsg():
    return ''.join(random.choices(string.ascii_lowercase+string.digits, k=30))

mymsg = randommsg()
def guess():
    global mymsg
    msg = input()

    if msg == mymsg:
        print(flag)
    else:
        print(mymsg)
        mymsg = randommsg()

def encrypt():
    e = random.getrandbits(8)
    c = pow(bytes_to_long(mymsg.encode()), e, n)
    print(f'Cipher_{e}: {c}')

def main():
    print(f'n: {n}')
    while True:
        opt = int(input())

        if opt == 1:
            guess()
        elif opt == 2:
            encrypt()

main()

爆破就好了e<=3，直接开根号解密

from pwn import *
from Crypto.Util.number import long_to_bytes
import gmpy2
p=remote('node1.anna.nssctf.cn',28593)
p.recv()
for i in range(1111):
    p.sendline(b'2')
    p.recvuntil(b'Cipher_')
    res=int(p.recvuntil(b':',drop=True))
    # print(res)
    if 1<=res<=3:
        r=gmpy2.iroot(int(p.recv().replace(b'\n',b'')),res)[0]
        p.sendline(b'1')
        print(long_to_bytes(r))
        p.sendline(long_to_bytes(r))
        print(p.recv())
        break
    p.sendline(b'1')
    p.sendline(b'a')

ez_signin

from Crypto.Util.number import *
from secret import flag
p = getPrime(512)
q = getPrime(512)
while p < q:
    p = getPrime(512)
    q = getPrime(512)
n = p*q
e = 65536
m = bytes_to_long(flag)
num1 = (pow(p,e,n)-pow(q,e,n)) % n
num2 = pow(p-q,e,n)
c = pow(m,e,n)
print((pow(p,e,n)+pow(q,e,n)) % n)
print("num1=",num1)
print("num2=",num2)
print("n=",n)
print("c=",c)

白给p,q，然后16轮rabin

$\noindent \\ (p-q)^{65536}\ mod \ p*q=p^{65536}+q^{65536} \ mod \ p*q$

$\noindent \\ 2*p^e=num1+num2\ mod \ n \\gcd(num1+num2,n)=p$

16轮rabin不多说了

from math import gcd
from Crypto.Util.number import *
import gmpy2
num1= 74855936739883128482407980713629787928336508970708775500063924987764446801166219897775757478103272520249050665169652147137185381263306897125654437893250835481585042537676958789828784956928691092952816954836512551033082906298364081917666748686852386446936855259928138289544457781489895504162490035240749727990
num2= 111247396496283863837420733428958282109761874657402097146856628235950794746291971063634970558718097943690299561138037273430924852794331139275479211073023487111358635937276285736517965779750326464852716398401820548311929089425697226444842008702822910231272934456766234983635829634069431624660674624530383190442
n= 116649608565140972320095724465036758554506774564633065921133362066121806821519413504047911847066546840175644429046561544018917464691000222484518411089554824270659718060510818577972071229704274454669139480018916015677564623809580094222479120611722177503561402214364828845877753254874090429071533949692957614753
c= 76331022314160475295822009203612436874085930615661700985769409098647157393688444537270430993240049684232968633855346067385113977306505793482807163903794880680448270843837770341026630701732034313479515586140487294862311324532193471081722989612474930623455176502235495773657446636970923328729838580131542858489
e=65536
p=gcd((num1+num2)//2,n)
q=n//p
def s(c):
    # 计算解密参数
    mp = pow(c, (p+1)//4, p)
    mq = pow(c, (q+1)//4, q)
    # 计算四个可能的明文
    d1 = (mq * p * inverse(p, q) + mp * q * inverse(q, p)) % n
    d2 = n - d1
    d3 = (mq * p * inverse(p, q) - mp * q * inverse(q, p)) % n
    d4 = n - d3
    return [d1,d2,d3,d4]
res=s(c)
r=[]
for j in res:
    r.extend(s(j))
rr=[]
for i in range(14):
    for j in r:
        rr.extend(s(j))
    r=list(set(rr))
    rr=[]
for i in r:
    # assert i**65536 %n==c
    print(long_to_bytes(i))

ez_fac

from Crypto.Util.number import *
import random
from secret import flag,a0,a1,b0,b1
from math import gcd
p = getPrime(512)
q = getPrime(512)
e = getPrime(128)
n = p*q
assert pow(a0,2) + e * pow(b0,2) == n
assert pow(a1,2) + e * pow(b1,2) == n
m = bytes_to_long(flag)
c = pow(m,e,n)

print("c=",c)
print("n=",n)
print("a0=",a0)
print("a1=",a1)
print("b0=",b0)
print("b1=",b1)

论文找不到，推了半天

$\noindent \\ N=a_0^2+e*b_0^2=a_1^2+e*b_1^2\\ b_0^2*N-b_1^2*N=a_1^2b_0^2+e*b_0^2b_1^2-e*b_0^2b_1^2-a_0^2b_1^2\\ (b_0^2-b_1^2)*N=(a_1b_0+a_0b_1)*(a_1b_0-a_0b_1)$

拿N与右边两个试一试取gcd，找到p,q。

这里应该有更严谨的数学证明，我还没找到原论文

c= 5799544639044779139946986791968145510500846652462292052669633760413793534018383092866571964128143513470554049521942327693339117020165620652006179062910793603018927768602371234880198300008770059120008931561100898666842097883558852980418823006037241685517419835838507990954385234830523251403758955806826879618
n= 68213208588478797434590492859598739065823280021105118658256543122706784900469481081964111014749980113295583260451091704150528768605932666799412946865058790012894692488259241968015202288744183901848022883964499756643821431612690339225279670319451134943024508330650176312418898073776471627253566187743581793833
a0= 8259128803238196105145168509958253369987536854763500176125746426134013180662179728549795800662462190076558053794789304838962250053195422657018957572091186
a1= 8259128803238196105145168474324027148454893273833648536836996881435062963908812785389760028008330862192062834681076966317258060159497292746026639842677270
b0= 2575418967504712085947402904040636239908962189712404174717075221760668016177010089065939310889632792569300801582754242093
b1= 54388006608267379711185614568312546859264790019372706395762423818871188129324130561340418682315102770581787074378512364771
e=(n-a0**2)//b0**2
assert pow(a1,2) + e * pow(b1,2) == n
print(gcd(b1**2-b0**2,a0*b1-b0*a1))
p=gcd(n,a0*b1-a1*b0)
q=n//p
d=inverse(e,(p-1)*(q-1))
print(long_to_bytes(pow(c,d,n)))

NTR

import gmpy2
# from flag import flag
from Crypto.Util.number import *
flag=b'asadsa'
def init():
    p = getPrime(2048)
    while True:
        x = getRandomNBitInteger(1024)
        y = getPrime(768)
        z = gmpy2.invert(x, p) * y % p
        return (p, x, y, z)

def encrypt(cipher, p, z):
    message = getRandomNBitInteger(768)
    r = getRandomNBitInteger(1024)
    c = (r * z + message) % p
    print((r*y+x*message) %p)
    return c
p,x,y,z=init()
c = encrypt(flag, p, z)
print('p=',p)
print('z=',z)
print('c=',c)

一开始是这样构造

$\noindent \\ z*r+m=c\ mod \ p\\ M=\begin{pmatrix} p & & \\ z &1 & \\ c & & 2^{1024} \end{}\\ \begin{pmatrix}k &r & -1 \end{}\times M=\begin{pmatrix}-m & r & 2^{0124} \end{}$

最后是m一个肯定没有1024bit的，可能就512以下了，差距过大，LLL算不出来

然后就看init函数

$z*x=y\ mod \ p$

这个等式要是构造的话可以按上面的那个格子一样，或者把上面的格子的c改为0.

$\begin{pmatrix}k&x&0 \end{}\times M=\begin{pmatrix}y & x &0 \end{}$

得到y,x后就替换掉z

$y*r+x*m=x*c\ mod \ p$

观察到mod p可以去掉

然后m小于768bits

可以整个式子mod y

$\noindent \\ x*m=x*c \ mod \ y\\ m=x^{-1}*x*c\ mod\ y$

z = 0b10000000010010110110101000111010010100110101010101110110110111010001100000000000111000011101010000100110011010010011100100100110111000010010010110110110001101100000101010010100101101100101011111111101011000010011010011100100111100111011101111010111000000001000110100100000001110111100110001110010000110000010100000111100101110011100000010110111100010000101001010001101110100111100111010011100001010011000000011011000100100010110011011101110101000101010101010110010110011100000100011000111011110001101110001010110111101001101010000110110001000110011101111100000111110000101000000111100000000001010101111000010100010000111110000111001110001010100110011010101001000111100100111011101011100110100111011011000001000101110101100011011100011101101100000000001001100100001111001011000101000011111110110110001111010111001111011100100111001000111110110111110010000011110011101110101111011101011001110011000101110101000101010111110100110100001001101001000110010111101010110011001100000001011010010111111011100111100000000010110000011001011110101011100100001100100010010010110101110100110111001001101100110000010001101100111011010100010011000000011001001111100111011100011111111010111111011010001001111101111100011110101010000001011100111000011001110000000100100100000111100100111100010110000100101110000101101010100110101110100111110011111000001010000000001001000111111110111011110110111011000000010110101010000000011011110001011110011001111001101001101010100100011010100101011110000001101110111010011010010101111000010101011111110111101001110010111111011110101010011001110001101101000110110100000000000010000101000111010011111101010111000111101011101001111011011001010001000100100111010001110111010101111011000101000010000101010101010001111110101010010001011001101101011000011111100100101100110000101010010001110111111111110001101000101110110110010110101111011111100000100011101101110111110011100101110110101000101000101101100100001110010100101011110000001101100001010101101010110100011000000010000011110111011001111111101010100001110010100111011010110001110

p = 0b10100101101001010100011110100010001000110001110110100101011111010010011011001011000001111110101011000101111010110011110011110011010100001101101010010111110010011011100111110100110001001000011110001101000111111000110101111111111000100010100001110101001101010011001011000101110010111100101001101101000111100001110001111010001011101011011011011000100101111000111110010011101111010111001110110110111110010111100110000011011011000111100000111101100111101010010110011110001001111111010000011101101110101001001111000100101000011110111011010001110000111100101001101010101111101100010001011001001011100110000101101100100101001001111011011010011100110110101100111101100100100111001111111100110010000110101011011101000111011110100111110010010010001111001000011001001011001011001000100110101001101101110111111010010110100111101001100101111110000011111111110010111100011101000000100011011001101101010010110101001111000010001111111110010100111110000111010001011100110000101000111100011100000111011110111110011111011110001110000010100010010110111100111010110011001111011111000000111101010011010001111001010110101111100010101001100100101110011100110001101010101000110011000001110010011100000110101110000001001011011010100000011100110110011011111001000011100111101101111000011000000000101110101001110011110110100101011101110011110111000011101110010111000100010101001110000001101111110001100000111111110010001110000011111111000111010010010101101000110100000111100111000100101001110001100110110011100011111110100111000111010100010101101110010010110011100011011110111001111100100010010011110111110101101111000001101010110000011100011010101100011001011000011110101101101100111101100010110101010101100100100001000111010000011000101010100100010100010110110100110001010100010011000110000010001111111010010111000100110111001011001100110010110101010000111001110011100101000010101111011001001110011100111100011000000110101111110010100110100000101011110100101110101101010100000010001100111101001110111011011111111000001000001111100111010110110100011001011001001101100101011101

c = 0b10010101111011010011100011101011011010100001010001111011000010001111000100110011100011100100011110111111110111111011111111010010110100111110101111111101000101010011000011000111000010011101001000111110001111011011100101111011000000010110010010011110000111110100010001101011101011000111111111001010111011110110001100101000011000011010100101001000100101010011011110101000000101110001100101100001111001010111110110111010100001111111100000110100000100011010011110100001000101101111100001110111000110011111101111000001011011101010000010111001101111101001000101110000101000000101111001000010000111110110011011100101101000101101001011001011001010111100110100100010010101010100110000001000011000000110001110110111010011000101011110100100100001010100010110010010010000111000111111000110000001101100111111101001110010101000010110010010001100010111000011000011000010011001000100111111111100010111101111000111010011101110101000010001110011100000001110011001010001000011000010001001110110011111100000110100000101101110110001000001001011110110001100010010110001011110010001110010000100101010100010110111100001111010000111110100010110110110001001111011100100111001100100110010011111111011101100100011011011010001101100011000001001010011110010101000001110100010100111001011001001000000001100000010011101100101110100111100100011010001011110111001010010001110001111101111001111011100000000010110110110001101111110101011101101110011011101000011101000000010011111000101111101011100111111011011001111001010111100110100111010010001010001001000011100101110110001110110101001100010111111001001110100100010001001010000111111001001111101010010000011010011111110101001101111110011111010011110001010111011100101100000001000110010101111000111100000010000010011100101111000100001001110000110000001001100111100000001101010100101010101101101101111101011100000101101111111011010100000001110110111101011100011010011111110011110101111010101111101100110110111110001000110100000110000101110100110100101100010001000011100000100011001000001110000010000011010000010001110111011111100101101



M=Matrix(ZZ,3,3)
M[0,0]=p
M[1,0]=z
M[2,0]=c
M[1,1]=1
M[2,2]=2^1024
M.LLL()
x=101068500732124499172203887476035942654583636804334368391795729414542355173316176744921245945600913938972066421202981551393992829923855130318252346696159368552681676637979135755351273806046911727826496012344037255997062589668694453165158298933121703274624435300768147152885978139125921680927869971389753945279

y=1133895806611059708714737862434064678419354942879188549281188871131809391420399480973282132841994864147346412895495043326967818523773920752221579906182077624889063986028934818301417527865300440338266085405934815532342088675329696129
print(y.bit_length(),x.bit_length(),isPrime(y))

dd=x*c %p

m=inverse(x,y)*dd %y
print(long_to_bytes(m))