WACONCTF2023 Crypto Cry
I participated in the WaconCTF competition last week, did the password part, and recorded the crypto question
Cry
- Descrpition:😭
- Solves:3
Task.py
from Crypto.Util.number import bytes_to_long, getStrongPrime, isPrime
SIZE = 512
e = 65537
with open("flag.txt", "rb") as f:
m = bytes_to_long(f.read())
def encrypt(m):
while True:
p = getStrongPrime(SIZE)
if p % 4 != 3:
continue
q = p**2 + 1
assert q % 2 == 0
if isPrime(q // 2):
break
r = getStrongPrime(SIZE * 3)
n = p * q * r
c = pow(m, e, n)
return n, c
if __name__ == "__main__":
n0, c0 = encrypt(m)
n1, c1 = encrypt(c0)
n2, c = encrypt(c1)
assert m < n0 and c0 < n1 and c1 < n2
print(f"{n0 = }")
print(f"{n1 = }")
print(f"{n2 = }")
print(f"{c = }")
Solution
In general,the question is factoring n = p ∗ ( p 2 + 1 ) ∗ r n=p*(p^2+1)*r n=p∗(p2+1)∗r,which p is 512bits and r is 512*3 bits.At first glance, it looks very similar to the Sus by maple3142 in the ictf a few weeks ago.
Refer to last thought about Sus,I want to construct a random_element k in F p 4 \mathbb{F}_{p^4} Fp4,so k^n has the order p 2 − 1 p^2-1 p2−1,just like ax+b in F p 2 \mathbb{F}_{p^2} Fp2.How to constrain the element to two degrees of freedom not still four degrees.
Originally,I random choice the f ( x ) f(x) f(x) to construct the quotient ring Z n [ x ] / f ( x ) \mathbb{Z}_n[x]/f(x) Zn[x]/f(x),and random choice a element k,expect k^n has type a ∗ x + b a*x+b a∗x+b since it’s order is p^2-1.
After I consult maple3142 and find the discuss on the discard.
Just Choice
f
(
x
)
f(x)
f(x) as the type:
f
(
x
)
=
(
x
+
a
)
k
m
o
d
m
t
h
i
s
m
a
p
l
e
314
2
′
s
i
d
e
a
I
h
a
v
e
n
o
t
g
e
t
i
t
f(x)=(x+a)^kmodm\\ this\ maple3142's\ idea\ I\ have\ not\ get\ it\\
f(x)=(x+a)kmodmthis maple3142′s idea I have not get it
f
(
x
)
=
x
4
+
a
x
2
+
b
t
h
i
s
c
a
n
l
e
t
t
h
e
e
l
e
m
e
n
t
o
r
d
e
r
p
2
−
1
a
s
0
x
3
+
a
x
2
+
0
x
+
b
f(x)=x^4+ax^2+b\\ this\ can\ let\ the\ element\ order\ p^2-1\ as\ 0x^3+ax^2+0x+b\\
f(x)=x4+ax2+bthis can let the element order p2−1 as 0x3+ax2+0x+b
f
(
x
)
=
g
2
+
a
,
g
′
s
d
e
g
r
e
e
=
2
t
h
i
s
c
a
n
l
e
t
t
h
e
e
l
e
m
e
n
t
o
r
d
e
r
p
2
−
1
a
s
k
∗
g
+
b
e
q
u
a
l
t
o
0
x
3
+
a
x
2
+
b
x
+
c
f(x)=g^2+a,g's\ degree=2\\ this\ can\ let\ the\ element\ order\ p^2-1\ as\ k*g+b\ equal\ to\ 0x^3+ax^2+bx+c
f(x)=g2+a,g′s degree=2this can let the element order p2−1 as k∗g+b equal to 0x3+ax2+bx+c
solve.sage
def fac(n):
R = Zmod(n)["x"]
while True:
Q = R.quo(x ^ 4 + randint(0,n) * x ^ 2 + randint(0,n))
t = Q.random_element() ^ n
g = gcd(ZZ(t[3]), n) #or t[1]
if 1 < g < n and g != 2:
if g % 2 == 0:
g = g // 2
return g
1157
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
