本文主要是介绍羊城杯-Cry部分,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
本次密码还算友好
RSAloss
思路:m mod n情况,已知高位为b'DASCTF',低位为b'}',中间未知,约为200bit。造格爆破未知部分高位,最终在爆破三字节情况下格求解得到准确结果。
import itertools
from Crypto.Util.number import *
import re
from gmpy2 import gcdp = 898278915648707936019913202333
q = 814090608763917394723955024893
e = 65537
m_mod = bytes_to_long(b'X\xee\x1ey\x88\x01dX\xf6i\x91\x80h\xf4\x1f!\xa7"\x0c\x9a\x06\xc8\x06\x81\x15')
n = p * qstring = ''
for i in range(33,127):string += chr(i)for i in range(208,512,8):print(i)S = []for i0 in itertools.product(string, repeat=(i-200)//8):A = ''for i1 in i0:A += i1S.append(A)# print(S)for ii in S:K0 = bytes_to_long(b'DASCTF{'+ii.encode())*2**208K1 = bytes_to_long(b'}')KK = (K0+K1-m_mod)M = matrix(ZZ,[[n,0],[KK,2**200]])mm = M.LLL()m = long_to_bytes(abs(int(mm[1][0]))*inverse(2**8,n)%n)if re.fullmatch(b'[0-9a-zA-Z_{}]+', m):print(m)
TH_curve
问GPT是Hessian curves,maple有过转换推导:
from Crypto.Util.number import *# def re(x1,y1,p,d2):
# u = (12*(d2**3-1)*inverse(d2+x1+y1,p)-9*d2**2)%p
# v= 36*(y1-x1)*(d2**3-1)*inverse(d2+x1+y1,p)%p
# return u,vp = 10297529403524403127640670200603184608844065065952536889
a = 2
G = (8879931045098533901543131944615620692971716807984752065, 4106024239449946134453673742202491320614591684229547464)
Q = (6784278627340957151283066249316785477882888190582875173, 6078603759966354224428976716568980670702790051879661797)d = inverse(G[1]*G[0],p)*(1+a*G[0]**3+G[1]**3) % p
c = 1F = GF(p)
x, y, z = QQ["x,y,z"].gens()
eq = a * x ^ 3 + y ^ 3 + c * z ^ 3 - d * x * y * z
phi = EllipticCurve_from_cubic(eq)
E = phi.codomain().change_ring(GF(p))fx, fy, fz = map(lambda f: f.change_ring(F), phi.defining_polynomials())
phiP = lambda x, y, z=1: E(fx(x, y, z) / fz(x, y, z), fy(x, y, z) / fz(x, y, z))
EP = phiP(*G)
EQ = phiP(*Q)
factors, exponents = zip(*factor(E.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-2]
# print(primes)
primes=[ 9, 49, 11, 19, 29, 1361, 6421, 3376343, 1815576031,295369272787]dlogs = []
for fac in primes:t = int(int(EP.order()) // int(fac))# dlog = discrete_log(t*EQ,t*EP,operation="+")dlog=(t*EP).discrete_log(t*EQ)dlogs += [dlog]print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime orderx = crt(dlogs,primes)
print(x)od = EP.order() # the generator doesn't have full order
print([flagfor i in range(E.order() // od)if (flag := long_to_bytes(int(x + od * i))).isascii()]
)
babycurve
b,c居然可以爆破出来,难评。。。后面就是ph问题,求出ecdlp的x值即可:
from Crypto.Cipher import AES
from Crypto.Util.number import *
import hashlibb = 98
c = 35
p = 770311352827455849356512448287
E = EllipticCurve(GF(p), [-c, b])
G = E(584273268656071313022845392380, 105970580903682721429154563816)
P = E(401055814681171318348566474726, 293186309252428491012795616690)
pfactor = [i for i,_ in E.order().factor()][:-1]
print(pfactor)
dislog = []
for i in pfactor:t = int(E.order())//int(i)dislog.append(discrete_log(P*t,t*G,operation = '+'))# dislog.append((t * G).discrete_log(t * A))print(f'pfactor {i} have done')
k = crt(dislog,pfactor)# k = 2951856998192356
key = hashlib.sha256(str(k).encode()).digest()[:16]
iv = long_to_bytes(0xbae1b42f174443d009c8d3a1576f07d6)
cipher = AES.new(key, AES.MODE_CBC, iv)
flag = cipher.decrypt(long_to_bytes(0xff34da7a65854ed75342fd4ad178bf577bd622df9850a24fd63e1da557b4b8a4))
print(flag)
TheoremPlus
我们直接输入一个小值给原题目函数先看看,发现是统计素数个数-2,欧式筛一分钟左右即可。(只不过也看到有师傅用sagemath自带的prime_range函数,学到了,🐂啊)
import timeimport gmpy2
from gmpy2 import *
from tqdm import tqdm
from Crypto.Util.number import *n = 18770575776346636857117989716700159556553308603827318013591587255198383129370907809760732011993542700529211200756354110539398800399971400004000898098091275284235225898698802555566416862975758535452624647017057286675078425814784682675012671384340267087604803050995107534481069279281213277371234272710195280647747033302773076094600917583038429969629948198841325080329081838681126456119415461246986745162687569680825296434756908111148165787768172000131704615314046005916223370429567142992192702888820837032850104701948658736010527261246199512595520995042205818856177310544178940343722756848658912946025299687434514029951
c = 2587907790257921446754254335909686808394701314827194535473852919883847207482301560195700622542784316421967768148156146355099210400053281966782598551680260513547233270646414440776109941248869185612357797869860293880114609649325409637239631730174236109860697072051436591823617268725493768867776466173052640366393488873505207198770497373345116165334779381031712832136682178364090547875479645094274237460342318587832274304777193468833278816459344132231018703578274192000016560653148923056635076144189403004763127515475672112627790796376564776321840115465990308933303392198690356639928538984862967102082126458529748355566def sieve_of_eratosthenes(limit):# 创建一个布尔数组,并初始化所有值为 Trueis_prime = [True] * (limit + 1)is_prime[0] = is_prime[1] = False # 0 和 1 不是素数# 从 2 开始筛选p = 2while p * p <= limit:if is_prime[p]:# 将 p 的倍数标记为非素数for multiple in range(p * p, limit + 1, p):is_prime[multiple] = Falsep += 1# 提取所有素数primes = [p for p in range(limit + 1) if is_prime[p]]return primes# 使用示例start = time.time()
print('start')
limit = 703440151
number = sieve_of_eratosthenes(limit)
print(f"所有小于等于 {limit} 的素数: {number}")
end = time.time()
print('The consumption of time is:',end-start)print(len(number))e = 36421873p = next_prime(iroot(n,2)[0])
q = n//p
phi = (p - 1) * (q - 1)d = inverse(e,phi)print(long_to_bytes(pow(c,d,n)))
这篇关于羊城杯-Cry部分的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!