2023楚慧杯Crypto（部分）

so-large-e#

题目：

点击展开代码

1
from Crypto.Util.number import *
2
from Crypto.PublicKey import RSA
3
from flag import flag
4
import random
5

6
m = bytes_to_long(flag)
7

8
p = getPrime(512)
9
q = getPrime(512)
10
n = p*q
11
e = random.getrandbits(1024)
12
assert size(e)==1024
13
phi = (p-1)*(q-1)
14
assert GCD(e,phi)==1
15
d = inverse(e,phi)
16
assert size(d)==269
17

18
pub = (n, e)
19
PublicKey = RSA.construct(pub)
20
with open('pub.pem', 'wb') as f :
21
    f.write(PublicKey.exportKey())
22

23
c = pow(m,e,n)
24
print('c =',c)
25

26
print(long_to_bytes(pow(c,d,n)))
27

28

29
#c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
30

31
#pub文件里有n和e的值：
32
#n = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
33
#e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233

因为对比n和e的时候发现：这两数是几乎一样长的；所以可以猜测这两种攻击中的一种：Wiener攻击 或 Boneh-Durfee攻击

这两种攻击的区别在于：前者的条件是： $d<\frac {1}{3}N^{\frac {1}{4}}$ ,而后者的条件是： $d<N^{0.292}$ 。

假如说一开始不太懂区分，那就直接都试一下。这里因为题目有给出d的位数，所以我就通过计算去分析，看应该是哪种攻击，结果如下：

由此可知：这里应该选Boneh-Durfee攻击。

接着就是直接带进脚本里去算就行，不过得调调参数才能运行（好像是 delta>=0.23，m>=5；这样的运行速度更快）。

代码如下：

点击展开代码

1
# sage
2
from __future__ import print_function
3
from Crypto.Util.number import *
4
import time
5

6
############################################
7
# Config
8
##########################################
9

10
"""
11
Setting debug to true will display more informations
12
about the lattice, the bounds, the vectors...
13
"""
14
debug = True
15

16
"""
17
Setting strict to true will stop the algorithm (and
18
return (-1, -1)) if we don't have a correct
19
upperbound on the determinant. Note that this
20
doesn't necesseraly mean that no solutions
21
will be found since the theoretical upperbound is
22
usualy far away from actual results. That is why
23
you should probably use `strict = False`
24
"""
25
strict = False
26

27
"""
28
This is experimental, but has provided remarkable results
29
so far. It tries to reduce the lattice as much as it can
30
while keeping its efficiency. I see no reason not to use
31
this option, but if things don't work, you should try
32
disabling it
33
"""
34
helpful_only = True
35
dimension_min = 7 # stop removing if lattice reaches that dimension
36

37
############################################
38
# Functions
39
##########################################
40

41
# display stats on helpful vectors
42
def helpful_vectors(BB, modulus):
43
    nothelpful = 0
44
    for ii in range(BB.dimensions()[0]):
45
        if BB[ii,ii] >= modulus:
46
            nothelpful += 1
47

48
    print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")
49

50
# display matrix picture with 0 and X
51
def matrix_overview(BB, bound):
52
    for ii in range(BB.dimensions()[0]):
53
        a = ('%02d ' % ii)
54
        for jj in range(BB.dimensions()[1]):
55
            a += '0' if BB[ii,jj] == 0 else 'X'
56
            if BB.dimensions()[0] < 60:
57
                a += ' '
58
        if BB[ii, ii] >= bound:
59
            a += '~'
60
        print(a)
61

62
# tries to remove unhelpful vectors
63
# we start at current = n-1 (last vector)
64
def remove_unhelpful(BB, monomials, bound, current):
65
    # end of our recursive function
66
    if current == -1 or BB.dimensions()[0] <= dimension_min:
67
        return BB
68

69
    # we start by checking from the end
70
    for ii in range(current, -1, -1):
71
        # if it is unhelpful:
72
        if BB[ii, ii] >= bound:
73
            affected_vectors = 0
74
            affected_vector_index = 0
75
            # let's check if it affects other vectors
76
            for jj in range(ii + 1, BB.dimensions()[0]):
77
                # if another vector is affected:
78
                # we increase the count
79
                if BB[jj, ii] != 0:
80
                    affected_vectors += 1
81
                    affected_vector_index = jj
82

83
            # level:0
84
            # if no other vectors end up affected
85
            # we remove it
86
            if affected_vectors == 0:
87
                print("* removing unhelpful vector", ii)
88
                BB = BB.delete_columns([ii])
89
                BB = BB.delete_rows([ii])
90
                monomials.pop(ii)
91
                BB = remove_unhelpful(BB, monomials, bound, ii-1)
92
                return BB
93

94
            # level:1
95
            # if just one was affected we check
96
            # if it is affecting someone else
97
            elif affected_vectors == 1:
98
                affected_deeper = True
99
                for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
100
                    # if it is affecting even one vector
101
                    # we give up on this one
102
                    if BB[kk, affected_vector_index] != 0:
103
                        affected_deeper = False
104
                # remove both it if no other vector was affected and
105
                # this helpful vector is not helpful enough
106
                # compared to our unhelpful one
107
                if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):
108
                    print("* removing unhelpful vectors", ii, "and", affected_vector_index)
109
                    BB = BB.delete_columns([affected_vector_index, ii])
110
                    BB = BB.delete_rows([affected_vector_index, ii])
111
                    monomials.pop(affected_vector_index)
112
                    monomials.pop(ii)
113
                    BB = remove_unhelpful(BB, monomials, bound, ii-1)
114
                    return BB
115
    # nothing happened
116
    return BB
117

118
"""
119
Returns:
120
* 0,0   if it fails
121
* -1,-1 if `strict=true`, and determinant doesn't bound
122
* x0,y0 the solutions of `pol`
123
"""
124
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
125
    """
126
    Boneh and Durfee revisited by Herrmann and May
127

128
    finds a solution if:
129
    * d < N^delta
130
    * |x| < e^delta
131
    * |y| < e^0.5
132
    whenever delta < 1 - sqrt(2)/2 ~ 0.292
133
    """
134

135
    # substitution (Herrman and May)
136
    PR.<u, x, y> = PolynomialRing(ZZ)
137
    Q = PR.quotient(x*y + 1 - u) # u = xy + 1
138
    polZ = Q(pol).lift()
139

140
    UU = XX*YY + 1
141

142
    # x-shifts
143
    gg = []
144
    for kk in range(mm + 1):
145
        for ii in range(mm - kk + 1):
146
            xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk
147
            gg.append(xshift)
148
    gg.sort()
149

150
    # x-shifts list of monomials
151
    monomials = []
152
    for polynomial in gg:
153
        for monomial in polynomial.monomials():
154
            if monomial not in monomials:
155
                monomials.append(monomial)
156
    monomials.sort()
157

158
    # y-shifts (selected by Herrman and May)
159
    for jj in range(1, tt + 1):
160
        for kk in range(floor(mm/tt) * jj, mm + 1):
161
            yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)
162
            yshift = Q(yshift).lift()
163
            gg.append(yshift) # substitution
164

165
    # y-shifts list of monomials
166
    for jj in range(1, tt + 1):
167
        for kk in range(floor(mm/tt) * jj, mm + 1):
168
            monomials.append(u^kk * y^jj)
169

170
    # construct lattice B
171
    nn = len(monomials)
172
    BB = Matrix(ZZ, nn)
173
    for ii in range(nn):
174
        BB[ii, 0] = gg[ii](0, 0, 0)
175
        for jj in range(1, ii + 1):
176
            if monomials[jj] in gg[ii].monomials():
177
                BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)
178

179
    # Prototype to reduce the lattice
180
    if helpful_only:
181
        # automatically remove
182
        BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)
183
        # reset dimension
184
        nn = BB.dimensions()[0]
185
        if nn == 0:
186
            print("failure")
187
            return 0,0
188

189
    # check if vectors are helpful
190
    if debug:
191
        helpful_vectors(BB, modulus^mm)
192

193
    # check if determinant is correctly bounded
194
    det = BB.det()
195
    bound = modulus^(mm*nn)
196
    if det >= bound:
197
        print("We do not have det < bound. Solutions might not be found.")
198
        print("Try with highers m and t.")
199
        if debug:
200
            diff = (log(det) - log(bound)) / log(2)
201
            print("size det(L) - size e^(m*n) = ", floor(diff))
202
        if strict:
203
            return -1, -1
204
    else:
205
        print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")
206

207
    # display the lattice basis
208
    if debug:
209
        matrix_overview(BB, modulus^mm)
210

211
    # LLL
212
    if debug:
213
        print("optimizing basis of the lattice via LLL, this can take a long time")
214

215
    BB = BB.LLL()
216

217
    if debug:
218
        print("LLL is done!")
219

220
    # transform vector i & j -> polynomials 1 & 2
221
    if debug:
222
        print("looking for independent vectors in the lattice")
223
    found_polynomials = False
224

225
    for pol1_idx in range(nn - 1):
226
        for pol2_idx in range(pol1_idx + 1, nn):
227
            # for i and j, create the two polynomials
228
            PR.<w,z> = PolynomialRing(ZZ)
229
            pol1 = pol2 = 0
230
            for jj in range(nn):
231
                pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)
232
                pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)
233

234
            # resultant
235
            PR.<q> = PolynomialRing(ZZ)
236
            rr = pol1.resultant(pol2)
237

238
            # are these good polynomials?
239
            if rr.is_zero() or rr.monomials() == [1]:
240
                continue
241
            else:
242
                print("found them, using vectors", pol1_idx, "and", pol2_idx)
243
                found_polynomials = True
244
                break
245
        if found_polynomials:
246
            break
247

248
    if not found_polynomials:
249
        print("no independant vectors could be found. This should very rarely happen...")
250
        return 0, 0
251

252
    rr = rr(q, q)
253

254
    # solutions
255
    soly = rr.roots()
256

257
    if len(soly) == 0:
258
        print("Your prediction (delta) is too small")
259
        return 0, 0
260

261
    soly = soly[0][0]
262
    ss = pol1(q, soly)
263
    solx = ss.roots()[0][0]
264

265
    #
266
    return solx, soly
267

268
def Boneh_Durfee(N, e):
269
    ############################################
270
    # How To Use This Script
271
    ##########################################
272

273
    #
274
    # The problem to solve (edit the following values)
275
    #
276

277
    # the hypothesis on the private exponent (the theoretical maximum is 0.292)
278
    delta = 0.23 # this means that d < N^delta
279

280
    #
281
    # Lattice (tweak those values)
282
    #
283

284
    # you should tweak this (after a first run), (e.g. increment it until a solution is found)
285
    m = 5 # size of the lattice (bigger the better/slower)
286

287
    # you need to be a lattice master to tweak these
288
    t = int((1-2*delta) * m)  # optimization from Herrmann and May
289
    X = 2*floor(N^delta)  # this _might_ be too much
290
    Y = floor(N^(1/2))    # correct if p, q are ~ same size
291

292
    #
293
    # Don't touch anything below
294
    #
295

296
    # Problem put in equation
297
    P.<x,y> = PolynomialRing(ZZ)
298
    A = int((N+1)/2)
299
    pol = 1 + x * (A + y)
300

301
    #
302
    # Find the solutions!
303
    #
304

305
    # Checking bounds
306
    if debug:
307
        print("=== checking values ===")
308
        print("* delta:", delta)
309
        print("* delta < 0.292", delta < 0.292)
310
        print("* size of e:", int(log(e)/log(2)))
311
        print("* size of N:", int(log(N)/log(2)))
312
        print("* m:", m, ", t:", t)
313

314
    # boneh_durfee
315
    if debug:
316
        print("=== running algorithm ===")
317
        start_time = time.time()
318

319
    solx, soly = boneh_durfee(pol, e, m, t, X, Y)
320

321
    # found a solution?
322
    if solx > 0:
323
        print("=== solution found ===")
324
        if False:
325
            print("x:", solx)
326
            print("y:", soly)
327

328
        d = int(pol(solx, soly) / e)
329
        print("private key found:", d)
330
        return int(d)
331
    else:
332
        print("=== no solution was found ===")
333
        return 0
334

335
    if debug:
336
        print(("=== %s seconds ===" % (time.time() - start_time)))
337

338
if __name__ == "__main__":
339
    # cipher
340
    c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
341
    # the modulus
342
    N = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
343
    # the public exponent
344
    e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233
345
    d = Boneh_Durfee(N, e)
346
    if d != 0:
347
        print(f"get flag: {long_to_bytes(int(pow(c, d, N)))}")

结果如下：

于是就得到了flag：DASCTF{6f4fadce-5378-d17f-3c2d-2e064db4af19}

matrixequation#

题目：

点击展开代码

1
from sage.all import *
2
import string
3
from myflag import finalflag, flag
4

5
assert len(flag) == 24
6

7
alphabet = string.printable[:71]
8
p = len(alphabet)
9

10

11
def getKey():
12
    R = random_matrix(GF(p), 11, 11)
13
    while True:
14
        tmpMatrix = random_matrix(GF(p), 11, 11)
15
        if tmpMatrix.rank() == 11:
16
            _, leftmatrix, matrixU = tmpMatrix.LU()
17
            return R, leftmatrix, matrixU
18

19
A = matrix([[0 for i in range(11)] for i in range(11)])
20
for k in range(len(flag)):
21
  i, j = 5*k // 11, 5*k % 11
22
  A[i, j] = alphabet.index(flag[k])
23
from hashlib import md5
24
assert(finalflag == 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}')
25
key = getKey()
26
R, leftmatrix, matrixU = key
27
tmpMatrix = leftmatrix * matrixU
28
X = A + R
29
Y = tmpMatrix * X
30
E = leftmatrix.inverse() * Y
31

32
f = open('output','w')
33
f.write(str(E)+'\n')
34
f.write(str(leftmatrix * matrixU * leftmatrix)+'\n')
35
f.write(str(f'{leftmatrix.inverse() * tmpMatrix**2 * leftmatrix}\n'))
36
f.write(str(f'{R.inverse() * tmpMatrix**8}\n'))
37
#因为矩阵太长了，所以我就不展示了，如果有需要的师傅可以qq联系我

这道题说到底，就是考了个矩阵乘法。

所以解题的关键就是看我们知道啥：

已知信息： $\\1,\ E=U*(A+R)\\ 2,\ E1=LUL\\3,\ E2=ULUL\\4,\ E3=(R^-1)*(LU)^8$

因此，我们有以下解题过程：

由 $E2$ 和 $E1$ 可以得到: $\ \ U=E2*({E1}^{-1})\\$ 由 $U$ 、 $E3$ 和 $E2$ 可以得到: $\ \ R=(E3 * {(E1*U)}^{-4})^{-1}\\$ 由 $E$ 和 $U$ 可以得到: $\ \ AR=E*{U}^{-1}$ (即 $A+R$ ) $\\$ 最后便可得到: $\ \ A=AR-R$

因为我们的flag是按一定的规则存入矩阵A中：

1
for k in range(len(flag)):
2
  i, j = 5*k // 11, 5*k % 11
3
  A[i, j] = alphabet.index(flag[k])

所以我们就直接按这个顺序，输出矩阵A上对应位置的数字所对应的printable[:71]里的字符即可。

最后就是带上 DASCTF{}，再算个MD5值提交即可。

代码如下：

点击展开代码

1
from Crypto.Util.number import  long_to_bytes
2
from hashlib import md5
3
import re
4
import string
5

6

7
alphabet = string.printable[:71]
8
p = Integer(len(alphabet))
9

10
with open("D:\\CTF\\ctf\\ctf_task\\chb\\matrixequation的附件\\tempdir\\CRYPTO附件\\matrixequation\\output", "r") as p:
11
     data = p.read().split("\n")[:-1]
12
# print(data)
13
data = [re.findall(r"\d+", d) for d in data]
14
data = [[Integer(di) for di in d] for d in data]
15
# print(data[:11])
16
E = matrix(GF(71), data[:11])
17
LUL = matrix(GF(71), data[11:22])
18
ULUL = matrix(GF(71), data[22:33])
19
R1LU8 = matrix(GF(71), data[33:])
20

21
U = LUL.solve_left(ULUL)
22
LU8=(LUL*U)**4
23
R = (LU8.solve_left(R1LU8)).inverse()
24
AR = U.solve_right(E)
25
A = AR - R
26
m = "".join([alphabet[A[5*k // 11, 5*k % 11]] for k in range(24)])
27
print(md5(m.encode()).hexdigest())
28
# 3529d01631d8436edca1c78ad82b6f26

还剩一道cuckoo，因为没咋见过，就没写出来（