侥幸拿了Curve一血😋,最终排名第十六名,还得继续加油
babyrsa
题目:
from secret import flag
from Crypto.Util.number import*
from gmpy2 import*
flag = b'D0g3xGC{****************}'
def gen_key(p, q):
public_key = p*p*q
e = public_key
n = p*q
phi_n = (p-1)*(q-1)
private_key = inverse(e,phi_n)
return public_key,private_key,e
p = getPrime(512)
q = getPrime(512)
N,d,e = gen_key(p,q)
c = gmpy2.powmod(bytes_to_long(flag),e,N)
print(N)
print(d)
print(c)
'''
n = 539403894871945779827202174061302970341082455928364137444962844359039924160163196863639732747261316352083923762760392277536591121706270680734175544093484423564223679628430671167864783270170316881238613070741410367403388936640139281272357761773388084534717028640788227350254140821128908338938211038299089224967666902522698905762169859839320277939509727532793553875254243396522340305880944219886874086251872580220405893975158782585205038779055706441633392356197489
d = 58169755386408729394668831947856757060407423126014928705447058468355548861569452522734305188388017764321018770435192767746145932739423507387500606563617116764196418533748380893094448060562081543927295828007016873588530479985728135015510171217414380395169021607415979109815455365309760152218352878885075237009
c = 82363935080688828403687816407414245190197520763274791336321809938555352729292372511750720874636733170318783864904860402219217916275532026726988967173244517058861515301795651235356589935260088896862597321759820481288634232602161279508285376396160040216717452399727353343286840178630019331762024227868572613111538565515895048015318352044475799556833174329418774012639769680007774968870455333386419199820213165698948819857171366903857477182306178673924861370469175
'''
Schemidt-Samoa非对称密码,这里就不细说了可以自己去了解一下
from gmpy2 import *
from Crypto.Util.number import *
def getPQ(pub, priv):
return gmpy2.gcd(pub, gmpy2.powmod(2, pub*priv, pub)-2)
def decrypt(pub, priv, enc):
return gmpy2.powmod(enc, priv, getPQ(pub, priv))
n = 539403894871945779827202174061302970341082455928364137444962844359039924160163196863639732747261316352083923762760392277536591121706270680734175544093484423564223679628430671167864783270170316881238613070741410367403388936640139281272357761773388084534717028640788227350254140821128908338938211038299089224967666902522698905762169859839320277939509727532793553875254243396522340305880944219886874086251872580220405893975158782585205038779055706441633392356197489
d = 58169755386408729394668831947856757060407423126014928705447058468355548861569452522734305188388017764321018770435192767746145932739423507387500606563617116764196418533748380893094448060562081543927295828007016873588530479985728135015510171217414380395169021607415979109815455365309760152218352878885075237009
c = 82363935080688828403687816407414245190197520763274791336321809938555352729292372511750720874636733170318783864904860402219217916275532026726988967173244517058861515301795651235356589935260088896862597321759820481288634232602161279508285376396160040216717452399727353343286840178630019331762024227868572613111538565515895048015318352044475799556833174329418774012639769680007774968870455333386419199820213165698948819857171366903857477182306178673924861370469175
pq = getPQ(n, d)
m = decrypt(n, d, c)
print(long_to_bytes(m))
EZ_sign
题目:
from Crypto.Util.number import *
from gmpy2 import *
from hashlib import*
import random,os
flag = b'D0g3xGA{***************}'
msg = b'e = ?'
def sign(pub, pri, k):
(p,q,g,y) = pub
x = pri
r = int(powmod(g, k, p) % q)
H = bytes_to_long(sha1(os.urandom(20)).digest())
s = int((H + r * x) * invert(k, q) % q)
return (H,r,s)
k1 = getPrime(64)
k2 = k1 ** 2
pri = bytes_to_long(msg)
a = 149328490045436942604988875802116489621328828898285420947715311349436861817490291824444921097051302371708542907256342876547658101870212721747647670430302669064864905380294108258544172347364992433926644937979367545128905469215614628012983692577094048505556341118385280805187867314256525730071844236934151633203
b = 829396411171540475587755762866203184101195238207
g = 87036604306839610565326489540582721363203007549199721259441400754982765368067012246281187432501490614633302696667034188357108387643921907247964850741525797183732941221335215366182266284004953589251764575162228404140768536534167491117433689878845912406615227673100755350290475167413701005196853054828541680397
y = 97644672217092534422903769459190836176879315123054001151977789291649564201120414036287557280431608390741595834467632108397663276781265601024889217654490419259208919898180195586714790127650244788782155032615116944102113736041131315531765220891253274685646444667344472175149252120261958868249193192444916098238
pub = (a, b, g, y)
H1, r1, s1 = sign(pub, pri, k1)
H2, r2, s2 = sign(pub, pri, k2)
p = getPrime(128)
q = getPrime(128)
n = p * q
c = powmod(bytes_to_long(flag), e, n)
C = p**2 + q**2
print(f'(H1, r1, s1) = {H1}, {r1}, {s1}')
print(f'(H2, r2, s2) = {H2}, {r2}, {s2}')
print(c)
print(C)
'''
(H1, r1, s1) = 659787401883545685817457221852854226644541324571, 334878452864978819061930997065061937449464345411, 282119793273156214497433603026823910474682900640
(H2, r2, s2) = 156467414524100313878421798396433081456201599833, 584114556699509111695337565541829205336940360354, 827371522240921066790477048569787834877112159142
c = 18947793008364154366082991046877977562448549186943043756326365751169362247521
C = 179093209181929149953346613617854206675976823277412565868079070299728290913658
'''
条件有
可以推导出
上式乘r2,下式乘r1,消掉x得到
从而来求这个多项式根
from Crypto.Util.number import *
import gmpy2
from tqdm import tqdm
from Crypto.PublicKey import RSA
from tqdm import *
p = 149328490045436942604988875802116489621328828898285420947715311349436861817490291824444921097051302371708542907256342876547658101870212721747647670430302669064864905380294108258544172347364992433926644937979367545128905469215614628012983692577094048505556341118385280805187867314256525730071844236934151633203
q = 829396411171540475587755762866203184101195238207
g = 87036604306839610565326489540582721363203007549199721259441400754982765368067012246281187432501490614633302696667034188357108387643921907247964850741525797183732941221335215366182266284004953589251764575162228404140768536534167491117433689878845912406615227673100755350290475167413701005196853054828541680397
y = 97644672217092534422903769459190836176879315123054001151977789291649564201120414036287557280431608390741595834467632108397663276781265601024889217654490419259208919898180195586714790127650244788782155032615116944102113736041131315531765220891253274685646444667344472175149252120261958868249193192444916098238
(h1, r1, s1) = 659787401883545685817457221852854226644541324571, 334878452864978819061930997065061937449464345411, 282119793273156214497433603026823910474682900640
(h2, r2, s2) = 156467414524100313878421798396433081456201599833, 584114556699509111695337565541829205336940360354, 827371522240921066790477048569787834877112159142
PR.<x> = PolynomialRing(GF(q))
f = s2*x^2*r1 - s1*x*r2 - h2*r1 + h1*r2
print(f.roots())
k = int(f.roots()[1][0])
x = (s1*k - h1) * inverse(r1, q) % q
print(long_to_bytes(x))
# e = 44519
写到这里我以为之后可以直接通过two_squares秒了,写的时候发现,求不出来,甚至一度以为题有问题,后来发现求出来的p和q并不是素数,那就在想C能分解出来不止一组,于是我自己生成数据尝试了一下果然是这样
那我只能尝试别的方法了,可以写出分解后的复数形式,就是写成
这样就能得到想要的p和q了
from itertools import combinations
N = ZZ[I](179093209181929149953346613617854206675976823277412565868079070299728290913658)
print(N)
facs = list(factor(N))
for i in range(len(facs)):
facs[i] = facs[i][0]
print(facs)
prods = []
for i in range(1, len(facs) + 1):
for j in combinations(facs, i):
mul = prod(j)
if is_prime(ZZ(abs(mul[0]))) and is_prime(ZZ(abs(mul[1]))) and mul.norm() == ZZ(N):
print(mul)
print(str(abs(mul[0])).encode("utf-8"))
print(str(abs(mul[1])).encode("utf-8"))
#p = 295488723650623654106370451762393175957
#q = 302951519846417861008714825074296492447
from Crypto.Util.number import *
e = 44519
c = 18947793008364154366082991046877977562448549186943043756326365751169362247521
p = 295488723650623654106370451762393175957
q = 302951519846417861008714825074296492447
phi = (p-1)*(q-1)
d = inverse(e,phi)
m = pow(c,d,p*q)
print(long_to_bytes(m))
#D0g3xGC{EZ_DSA_@nd_C0mplex_QAQ}
Curve
题目:
#sagemath
from Crypto.Util.number import *
def add(P, Q):
(x1, y1) = P
(x2, y2) = Q
x3 = (x1*y2 + y1*x2) * inverse(1 + d*x1*x2*y1*y2, p) % p
y3 = (y1*y2 - a*x1*x2) * inverse(1 - d*x1*x2*y1*y2, p) % p
return (x3, y3)
def mul(x, P):
Q = (0, 1)
while x > 0:
if x % 2 == 1:
Q = add(Q, P)
P = add(P, P)
x = x >> 1
return Q
p = 64141017538026690847507665744072764126523219720088055136531450296140542176327
a = 362
d = 7
e=0x10001
gx=bytes_to_long(b'D0g3xGC{*****************}')
PR.<y>=PolynomialRing(Zmod(p))
f=(d*gx^2-1)*y^2+(1-a*gx^2)
gy=int(f.roots()[0][0])
assert (a*gx^2+gy^2)%p==(1+d*gx^2*gy^2)%p
G=(gx,gy)
eG = mul(e, G)
print(eG)
#eG = (34120664973166619886120801966861368419497948422807175421202190709822232354059, 11301243831592615312624457443883283529467532390028216735072818875052648928463)
标准型的扭曲爱德华曲线可以直接参考曲线 | Lazzaro 和Crypto趣题-曲线
写的很清楚
from Crypto.Util.number import *
p = 64141017538026690847507665744072764126523219720088055136531450296140542176327
a = 362
d = 7
e=0x10001
c = 1
eG = (34120664973166619886120801966861368419497948422807175421202190709822232354059, 11301243831592615312624457443883283529467532390028216735072818875052648928463)
# part2 map to ECC
F = GF(p)
dd = F(d * c ^ 4)
A = F(2) * F(a + dd) / F(a - dd)
B = F(4) / F(a - dd)
a = F(3 - A ^ 2) / F(3 * B ^ 2)
b = F(2 * A ^ 3 - 9 * A) / F(27 * B ^ 3)
def edwards_to_ECC(x, y):
x1 = F(x) / F(c)
y1 = F(y) / F(c)
# now curve is a*x^2+y^2 = 1+dd*x^2*y^2
x2 = F(1 + y1) / F(1 - y1)
y2 = F(x2) / F(x1)
# now curve is By^2 = x^3 + Ax^2 + x
x3 = (F(3 * x2) + F(A)) / F(3 * B)
y3 = F(y2) / F(B)
# now curve is y^2 = x^3 + ax + b
return (x3, y3)
def ECC_to_edwards(x, y):
x2 = (F(x) * F(3 * B) - F(A)) / F(3)
y2 = F(y) * F(B)
# now curve is By^2 = x^3 + Ax^2 + x
x1 = F(x2) / F(y2)
y1 = F(1) - (F(2) / F(x2 + 1))
# now curve is a*x^2+y^2 = 1+dd*x^2*y^2
x_ = F(x1) * F(c)
y_ = F(y1) * F(c)
# now curve is a*x^2+y^2 = c^2(1+d*x^2*y^2)
return (x_, y_)
E = EllipticCurve(GF(p), [a, b])
order = E.order()
eG = E(edwards_to_ECC(eG[0], eG[1]))
t = inverse(e, order)
G = t * eG
G = ECC_to_edwards(G[0], G[1])
print(long_to_bytes(int(G[0])))
# D0g3xGC{SOlvE_The_Edcurv3}