攻防世界 · EASY_ECC · wp

题目来源：题目 (xctf.org.cn)

 

附件解析​

 

如果是能够熟练掌握ECC密码的话，其实很快就能够解出来了

大佬的脚本走一遍就可以得到公钥了

> import collections
> import random
> EllipticCurve = collections.namedtuple('EllipticCurve', 'name p a b g n h')
> curve = EllipticCurve(
>    'secp256k1',
>
> #Field characteristic.
>
>    p=int(input('p=')),
>
> #Curve coefficients.
>
>    a=int(input('a=')),
>    b=int(input('b=')),
>
> #Base point.
>
>    g=(int(input('Gx=')),
>       int(input('Gy='))),
>
> #Subgroup order.
>
>    n=int(input('k=')),
>
> #Subgroup cofactor.
>
>    h=1,
> )
>
> #Modular arithmetic
>
> def inverse_mod(k, p):
>    """Returns the inverse of k modulo p.
>   This function returns the only integer x such that (x * k) % p == 1.
>   k must be non-zero and p must be a prime.
>   """
>    if k == 0:
>        raise ZeroDivisionError('division by zero')
>    if k < 0:
>        # k ** -1 = p - (-k) ** -1 (mod p)
>        return p - inverse_mod(-k, p)
>
> #Extended Euclidean algorithm.
>
>    s, old_s = 0, 1
>    t, old_t = 1, 0
>    r, old_r = p, k
>    while r != 0:
>        quotient = old_r // r
>        old_r, r = r, old_r - quotient * r
>        old_s, s = s, old_s - quotient * s
>        old_t, t = t, old_t - quotient * t
>    gcd, x, y = old_r, old_s, old_t
>    assert gcd == 1
>    assert (k * x) % p == 1
>    return x % p
>
> #Functions that work on curve points
>
> def is_on_curve(point):
>    """Returns True if the given point lies on the elliptic curve."""
>    if point is None:
>        # None represents the point at infinity.
>        return True
>    x, y = point
>    return (y * y - x * x * x - curve.a * x - curve.b) % curve.p == 0
> def point_neg(point):
>    """Returns -point."""
>    assert is_on_curve(point)
>    if point is None:
>        # -0 = 0
>        return None
>    x, y = point
>    result = (x, -y % curve.p)
>    assert is_on_curve(result)
>    return result
> def point_add(point1, point2):
>    """Returns the result of point1 + point2 according to the group law."""
>    assert is_on_curve(point1)
>    assert is_on_curve(point2)
>    if point1 is None:
>        # 0 + point2 = point2
>        return point2
>    if point2 is None:
>        # point1 + 0 = point1
>        return point1
>    x1, y1 = point1
>    x2, y2 = point2
>    if x1 == x2 and y1 != y2:
>        # point1 + (-point1) = 0
>        return None
>    if x1 == x2:
>        # This is the case point1 == point2.
>        m = (3 * x1 * x1 + curve.a) * inverse_mod(2 * y1, curve.p)
>    else:
>        # This is the case point1 != point2.
>        m = (y1 - y2) * inverse_mod(x1 - x2, curve.p)
>    x3 = m * m - x1 - x2
>    y3 = y1 + m * (x3 - x1)
>    result = (x3 % curve.p,
>              -y3 % curve.p)
>    assert is_on_curve(result)
>    return result
> def scalar_mult(k, point):
>    """Returns k * point computed using the double and point_add algorithm."""
>    assert is_on_curve(point)
>    if k < 0:
>        # k * point = -k * (-point)
>        return scalar_mult(-k, point_neg(point))
>    result = None
>    addend = point
>    while k:
>        if k & 1:
>            # Add.
>            result = point_add(result, addend)
>        # Double.
>        addend = point_add(addend, addend)
>        k >>= 1
>    assert is_on_curve(result)
>    return result
>
> #Keypair generation and ECDHE
>
> def make_keypair():
>    """Generates a random private-public key pair."""
>    private_key = curve.n
>    public_key = scalar_mult(private_key, curve.g)
>    return private_key, public_key
> private_key, public_key = make_keypair()
> print("private key:", hex(private_key))
> print("public key: (0x{:x}, 0x{:x})".format(*public_key))

public key: (0xcb19fe553fa, 0x50545408eb4)

公钥K(13957031351290，5520194834100)

或者直接用ECCTOOL做，更加简单

​下载地址：ECCTooL下载 ECCTooL(椭圆曲线密码学工具) v1.04 绿色免费版 下载-脚本之家 (jb51.net)

 题目中说flag是X+Y那就转成十进制的

相加即可得到FLAG，注意提交形式

​