TSCTF-J2024 密码向WP(5/8)
ezRSA
part 1
#part1
p = getPrime(512)
q = getPrime(512)
n = p * q
phi = (p-1) * (q-1)
d = getPrime(250)
e = inverse(d, phi)
c = pow(bytes_to_long(parts[0]), e, n)
print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')
# n = 124695452995031270645183837267530422032624508784074534979189655228220709056309638648794696369835930482818980808128467814617220810217534821336503942838791498456112882717378013827550680516551959078234339477401303759763506487676709408813412867364414651706461400252466842182365340612883444737530603407481042520627
# e = 38587713366842463962841747677614707312145479235042165803103947138237921458583509748629042842505955223421671992698976799249425980974893271454942323501453571320592126625468760278770909411858284131095166550317734018153286242950401311537208914820833671566620645882329390747892971373265592565291598852744678229891
# c = 75650426098322108299742769179799276679353245586432433359812352366165787480762021753671012472067826915659840541954505167382050569833945309043431554352347482992118091659840982421987700648585142917347916194810259117115753813661282178558428786374835684668840019166776178494086580424196110694158066034697988927644
容易发现
\[\frac{1}{3}n^{\frac{1}{4}} > d
\]
\[\min(p, q) < \max(p, q) < 2\min(p, q)
\]
因此采用 \(\text{Wiener's Attack}\)。
part 2
#part2
p = getPrime(80)
q = getPrime(80)
n = p * q
e = 2
c = pow(bytes_to_long(parts[1]), e, n)
print(f'n = {n}')
print(f'c = {c}')
print(f'p,q = {p,q}')
# n = 649329048322675374317593820985753646586809799201
# c = 283668420132846011615755415362202578109404366325
# p,q = (647260709632957671018359, 1003195526406802286444839)
发现 \(e = 2\) 且 \(p, q\) 较小,采用 \(\text{Rabin}\) 算法。
part 3
#part3
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537
c = pow(bytes_to_long(parts[2]), e, n)
print(f'n = {n}')
print(f'c = {c}')
print(f'p^q = {p^q}')
# n = 85836893651204560884454211125508692415276042143801480450535044733242333318334455339451808653755272841343378345709375676280488068099971805717946097641116078266013229365158341178806480395974457905053516603153056936745020102883744430977333247681929718298626185526512756702624513738698825219177049538628421559753
# c = 75578834548096799626696300881096262997184146142305165096930004492293642496308047534319034721187289042138332386120962890635270628767192988167590315544321566944902760623837249074921079890026503778053466720161607743010204269544291059577848021218234039433294700788160167294093796603060247381385159054508170520277
# p^q = 5068548570505625142069285468439450186210992627026138517591800598908379828953823253346928574075223127205617451260708785889033493211347183583859669806824864
\(p \oplus q\) 已知,考虑从低到高搜索 \(p, q\) 的每一位,对于当前为 \(i\) 满足异或后第 \(i\) 位与 \(p \oplus q\) 相等,且 \(p \times q \le n\),实现剪枝。
part 4
#part4
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 3
m = bytes_to_long(os.urandom(32)+parts[3])
c = pow(m, e, n)
print(f'n = {n}')
print(f'c = {c}')
print(f'mleak = {m>>128}')
# n = 136909292741753142871542219643510188168311518562065789353531367466023357011784735447560466352669948897633633920102617017949126915203615330337196942328793619163571419292670395849251337340787480297972818664454785647844715189207055430597030032696044932960884594660634280475822683286430432169515120767378120972393
# c = 14763067643592454478187771324072634160297758439803081056226124797870386993054732731754324146768654813122274647054179017048620683751626439261028839186682159969656271385676822426489416369402998625865982105676257668946313225156476831065481561281126267398712822218497384996243578386630794573662378684549962709522
# mleak = 287621732882458207416007037901690948810437972193283953524078189541847647258
明文 \(m\) 的高 \(\text{bit}\) 位已知,低 \(128\) 位未知,根据 \(\text{Coppersmith}\) 定理可求。
ezNumberTheory
part 1
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537
gift = pow(p+q,q,n)-p
m = bytes_to_long(flag[:part_len])
c = pow(m,e,n)
print("n =",n)
print("gift =",gift)
print("c =",c)
已知
\[(p+q)^q - p \equiv gift (\text{mod } n)
\]
\[n=pq
\]
考虑二项式展开得到
\[\sum_{i=0}^{q} \binom{q}{i} {p}^{i} {q}^{q-i} - p \equiv gift (\bmod pq)
\]
化简得
\[p^q + q^q - p \equiv gift (\text{mod } pq)
\]
不妨考虑拆分模数 \(pq\),得到两个式子。
\[q^q \equiv gift (\text{mod } p)
\]
\[p^q - p \equiv gift (\text{mod } q)
\]
由于 \(p, q\) 为质数,由费马小定理可得
\[q^q\equiv gift (\text{mod } p)
\]
\[0 \equiv gift (\text{mod } q)
\]
对 \(gift\) 因式分解得到 \(q\),进而 \(p = \frac{n}{q}\)。
已知 \(e,p,q\),可求出密文 \(m\)。
part 2
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537
m = bytes_to_long(flag[part_len:2*part_len])
gift = pow(n-1,m,n**2)
c = pow(m,e,n)
print("n =",n)
print("gift =",gift)
print("c =",c)
# n = 101825028937892274755066568298675753051915211984336844010001051946487425488926444636462308770518438066690807207349397829434761111870976777194195377994066094978667372161712559828354279213717904934626695765400184018995342438568172381388749973725572499090794995578069624189552411881722996041605959223833931977161
# gift = 10368336518202599155478611962986419931032852827247241544520944151147424100095888793813818133261771295138537638975002709013348196763698154979511238402220870231916534915445557931918512473116396709289462544729254616655147690181935999744990349056920271954901882532521970967307761055252723712876050094383313331140406445004997917905258680326374893836686879404331037481540004243801858344196072242572121743245711481444665694028492376994909442739868671793792049626000877294534619734785195159330183197692177383792865340479971388526007871832995878259364333594949083550807440342049213394072558604884076160696389453987350453566282
# c = 6206002756473719752481539026703107851866702754011241324450943403363532188346664095512595594879972008741307201868011790850666619709952602312346601585431717191460826191100496612662950423560204126590072745286069584415447406165328489464592884522745095517397118876988652114937810284710552486235169949976593170616
已知
\[(n-1)^m \equiv gift (\text{mod }n^2)
\]
不妨先考虑
\[(n-1)^m \equiv gift (\text{mod }n)
\]
同上,有
\[(-1)^m \equiv gift (\text{mod }n)
\]
带入 \(gift, n\) 可得
\[1 \equiv gift (\text{mod }n)
\]
于是 \(m\) 为偶数。
直接展开原式有
\[\sum_{i=0}^{m} \binom{m}{i} (-1)^{i} {n}^{m-i} \equiv gift (\text{mod }n^2)
\]
化简得
\[(-1)^{m-1}nm + (-1)^m \equiv gift (\text{mod }n^2)
\]
即
\[1 - nm \equiv gift (\text{mod }n^2)
\]
求得
\[nm \equiv n^2 - gift + 1 (\text{mod }n^2)
\]
根据第一部分 \(m\) 的大小推断 \(m,n\) 大小接近,试除后发现 \(m = \frac{n^2 - gift + 1}{n}\) 恰为整数,故 \(m\) 为所求值。
part 3
p = getPrime(512)
q = next_prime(p)
r = getPrime(512)
n = p * q
e = 65537
m = bytes_to_long(flag[2*part_len:])
gift = (pow(1+m*n,1,n**2)*pow(r,n,n**2))%(n**2)
print("n =",n)
print("gift =",gift)
print("p =",p)
print("q =",q)
# n = 120085278656547434097495160698983440086977117014813250068332400723955573086081539793659925690983763612644098938270646361630753175121916904514302168476109276991065963359696653413330575343172587757112308794397643577457876878076258704713342584783867357600427211623403743168388707834963362860793081706620920977197
# gift = 755365096368274234067764643236574524026724653923904235465391689910808113641191521577417355583242717443863451427293486428108305560959934240539916731737071269870765365812729624798503913486014927177398814766178335408644263304959990001131184599054858122656321624816269434361664736002888774514548687701448375859895656340630928111228145226768972365422917506757004452665088879334351527814068349598913876771933729841797767944898598495453091334481416909244894797229851139025287531257727280929467263018600829848751441007477417666581057493947789435287529403836954674188989033519154270698877075630430517874818318137411379414838
已知
\[(nm + 1)r^n \equiv gift (\text{mod } n^2)
\]
考虑
\[(nm + 1)r^n \equiv gift (\text{mod } n)
\]
有
\[r^n \equiv gift (\text{mod } n)
\]
再考虑将 \(n\) 分解有
\[r^n \equiv gift (\text{mod } p)
\]
\[r^n \equiv gift (\text{mod } q)
\]
由费马小定理有
\[( r^{q} )^{p} \equiv gift (\bmod p)
\]
即
\[r^q \equiv gift (\text{mod } p)
\]
考虑欧拉定理 \(a^n \equiv a^{n \text{ mod } \varphi(p)} (\text{mod p})\) 有
\[r^{q \bmod \varphi(p)} \equiv gift (\bmod p)
\]
\[r^{q \bmod (p - 1)} \equiv gift (\bmod p)
\]
记 \(q^{-1}\) 为 \(q\) 模 \(p - 1\) 的逆元,可知
\[( {r} ^ {q \bmod (p - 1)} ) ^ {q ^ {-1}} \equiv gift ^ {q ^ {-1}} (\text{mod } p)
\]
\[{r} ^ {q {q} ^ {-1} \bmod (p - 1)} \equiv gift ^ {q ^ {-1}} (\text{mod } p)
\]
即
\[r \equiv {gift} ^ {q ^ {-1}} (\text{mod } p)
\]
由于 \(r\) 与 \(p\) 大小相近,可解出唯一 \(r\)。
回到原式,记 $ ( r^n ) ^ {-1} $ 为 \(r^n\) 模 \(n^2\) 的逆元,有
\[nm + 1 \equiv gift \times (r ^ n) ^ {-1} (\bmod n ^ 2 )
\]
\[nm \equiv gift \times (r ^ n) ^ {-1} - 1 (\text{mod } n ^ 2 )
\]
依旧有 $ m = \frac{(gift \times (r ^ n) ^ {-1} - 1) \text{ mod } n ^ 2 }{n} $,此题完。
ezPwntools
挺过了前面的分P狂魔,单题可以开始轻松了不少。
import random
from Crypto.Util.number import *
from typing import Callable
with open("flag.txt", "r") as f:
flag = f.read().strip()
length = 128
class LCG:
def __init__(self, length=128):
self.length = length
self.setparam()
def setparam(self):
self.m = getPrime(length+1)
self.a = getPrime(length)
self.b = getPrime(length)
self.seed = random.randint(0, self.m - 1)
self.begin = self.seed
def generate(self):
for i in range(10):
self.seed = (self.a * self.seed + self.b) % self.m
seed_list = []
for i in range(5):
self.seed = (self.a * self.seed + self.b) % self.m
seed_list.append(self.seed)
return seed_list
def __call__(self):
return self.begin
def challenge(input:Callable[[str],None], print:Callable[[str],None]):
print("Welcome to TSCTF-J! If you can recover the seed, you will get the flag!")
for i in range(512):
lcg = LCG()
print("Here is your gift:{}".format(lcg.generate()))
i = input(f"Give me the seed: ")
if int(i) != lcg():
print(f"Oh, you are wrong!")
return
print(f"Congurations!{flag}")
观察到 generate 函数每次做 \(15\) 次线性同余变换并返回最后 \(5\) 次结果,可以列出方程。
\[x_{i+1} \equiv ax_i + b (\text{mod } m)(i = 1,2,3,4)
\]
考虑相邻两项相减消去 \(b\) 有
\[x_5 - x_4 \equiv a(x_4 - x_3)(\text{mod } m)
\]
\[x_4 - x_3 \equiv a(x_3 - x_2)(\text{mod } m)
\]
则对于 \(a\) 有
\[a \equiv \frac{x_5 - x_4}{x_4 - x_3} \equiv \frac{x_4 - x_3}{x_3 - x_2}(\text{mod } m)
\]
交叉相乘可得
\[(x_5 - x_4)(x_3 - x_2) \equiv (x_4 - x_3)^2 (\text{mod } m)
\]
不难发现
\[m \mid (x_5 - x_4)(x_3 - x_2) - (x_4 - x_3)^2
\]
取出上式的最大质因子即可得到 \(m\),接着易于得到 \(a, b\) 的值。
然后解 \(10\) 次一元线性同余方程
\[x_{i-1} \equiv (x_i - b)a^{-1}(\text{mod } m)
\]
对于 \(512\) 次操作,求出 \(m, a, b\),并解出其初值,用 pwntools 与交互库交互即可。
如下是一份代码
from pwn import *
from gmpy2 import *
from sympy import *
con = remote('challenges.hazmat.buptmerak.cn', 21747)
t = con.recvline()
for _ in range(512):
t = con.recvline()
t = t[19:len(t)-1]
ls = t.split()
xi = []
for i in ls:
xi.append(int(i[:len(i)-1]))
x1, x2, x3, x4, x5 = xi
m = gmpy2.gcd((x5-x4)*(x3-x2)-(x4-x3)**2, (x4-x3)*(x2-x1)-(x3-x2)**2)
while is_prime(m) == False:
div = primefactors(m)
m //= div[0]
a = (x5 - x4) * gmpy2.invert(x4 - x3, m) % m
b = (x5 - a * x4) % m
x = x1
for i in range (10, -1, -1):
x = (x - b) * gmpy2.invert(a, m) % m
t = con.recv()
print(_ + 1)
con.sendline(str(x))
t = con.recv()
print(t)
ezECC
#sage
from Crypto.Util.number import *
from sage.all import *
msg = b'???'
flag = b'TSCTF-J{'+msg+b'}'
m = bytes_to_long(flag)
(p,a,b) = (getPrime(len(bin(bytes_to_long(flag)))) for i in range(3))
E = EllipticCurve(GF(p),[a,b])
for i in range(4):
print(E.random_point())
e = 114514
K = E.lift_x(m+1)
eK = e*K
print(f"eK={eK}")
# (121542556343240612458886464797113519174471159973947349739843570016310276547868092596053087152046638137671892191449161589255393370014868931365353180578227117593735, 98840327394835055943257602264613388284774639725847294267402852043945104193135363216749971927532657727021952911622427228151863672295675502233797082353097959401869)
(99873546068894326234875062311058443230105529641172112880280159410919160848811689840010700811925066814781044568587853533466146854172381759747204462070834544581290, 54021704113721739503680080012966661376438637715420865450114718929076757346120207862947548620569435334895396324086781218017455445315421875871714429627637052871264)
(157617948261622464254152314994703598559915540865514420750304511730242939622181332932412360735409968696715108030369878546783001121709970056186086411214753185288604, 172554749510163658517336910991986476106096485848063383199885085041705448141288872247307505628175707155625972718684398442883637022240936050198926361252214588735919 )
(35601692031837010013294196210817440996871532774395053520652383520080490377765688796593595849840043210266473831404618732851470643297944496494254634489110294026906, 83109137089012676168973029782730032714034653700896174331183408691033951856596721848482516578501834370646437639802694578133409539742068584938899820955422945845189 )
# eK=(148943471114336569351357302344843611917995236697008317506292328720097140911033713257363114040728547610446354966023690433690295644571622343830380563979394775174929, 5570936030363753742907439216925560949272269404612411400083981446597152991432704283038752432067099389895408182978262946903003923985122728700021027170168725851130 )
构式题,椭圆曲线密码,做法与 ezNumberTheory 和 ezPwntools 完全一样。
给定域 \(GF(p)\),椭圆曲线 \(E_p: y^2 = x^3 + ax + b\) 上任意 \(4\) 点 \(A_1,A_2,A_3,A_4\),与 \(e\) 倍基点 \(K(m+1, y_{lift\_x})\),\(eK\) 的坐标,求 \(m\)。
对于点 \(A_i(x_i, y_i)\) 有
\[y_i^2 \equiv x_i^3 + ax_i + b (\text{mod } p)
\]
一样是先消去 \(b\),用 \(a\) 联立两个方程得到 \(p\),然后解出 \(a, b\)。
利用 sage 自带的求椭圆曲线阶的函数 E.order(),求得阶为 \(P\),这个题就转化为了:
\(K\) 为椭圆曲线 \(E_p\) 上一点,已知 \(eK\),\(e\),求 \(K\)。
求出 \(e\) 关于阶 \(P\) 的逆元即可。
ezFakekey
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from typing import Callable
with open("flag.txt", "r") as f:
flag = f.read().strip()
def pad(data):
pad_len = 16 - len(data) % 16
return data + bytes([pad_len] * pad_len)
def unpad(data):
pad_len = data[-1]
return data[:-pad_len]
def generate_key():
return get_random_bytes(32)
def generate_iv():
return get_random_bytes(16)
def encrypt(message, key, iv):
assert len(key) == 32
assert len(iv) == 16
cipher = AES.new(key, AES.MODE_CBC, iv)
ciphertext = cipher.encrypt(pad(message))
return ciphertext
def decrypt(ciphertext, key, iv):
assert len(key) == 32
assert len(iv) == 16
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(ciphertext))
return plaintext
def challenge(input:Callable[[str],None], print:Callable[[str],None]):
print("Welcome to TSCTF-J! If you are Administrator, I will give you a flag!")
key = generate_key()
iv = generate_iv()
while True:
print('[E]ncrypt the message')
print('[D]ecrypt the message')
print('[G]et the flag')
print('[Q]uit')
option = input('> ').upper()
if option == 'E':
input_message = input('Plz input your message: ')
m = input_message.encode()
if b'Administrator' in m:
print('Permission denied!')
return
ciphertext = encrypt(m, key, iv)
print(f'Your ciphertext: {ciphertext.hex()}')
elif option == 'D':
ciphertext = bytes.fromhex(input('Plz input the ciphertext: '))
m = ciphertext
plaintext = decrypt(m, key, iv)
print(f'Your plaintext: {plaintext}')
elif option == 'G':
ciphertext = bytes.fromhex(input('Plz input the ciphertext: '))
m = ciphertext
plaintext = decrypt(m, key, iv)
if b'Administrator' in plaintext:
print(f'Congurations!Here is flag:{flag}')
return
else:
print('Permission denied!')
elif option == 'Q':
return
else:
print('Unknown option:', option)
又是我们的交互题,这是一道 AES-CBC 的已知文本攻击题目,我们需要构造一条密文,使得密文经过解密后出现一条子串 Administrator。
由于 CBC 加密只有相邻的两个块有异或关系,我们可以先通过加密得到含有 administrator 的循环密文,其循环节为 \(16\)(CBC加密的块大小),找到对应字节所在块的位置,进行遍历搜索解密。
考虑 AES 编码只存在十六进制数,因此找到一个十六进制两位数对其做替换解密,直到出现子串 Administrator,即是我们所需要的密文,最后发现替换第 \(72,73\) 位可以做到。
代码如下(非预期解)
from pwn import *
from gmpy2 import *
from sympy import *
con = remote('challenges.hazmat.buptmerak.cn', 21815)
ls = [b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'a', b'b', b'c', b'd', b'e', b'f']
t = con.recvline()
t = con.recvline()
t = con.recvline()
t = con.recvline()
t = con.recvline()
t = con.recv()
con.sendline("E")
t = con.recv()
t = b'administrator' + b'\x03' * 3 + b'administrator'+ b'\x03' * 3 + b'administrator'
con.sendline(str(t))
t = con.recv()
Administ = t[17:]
Administ = Administ[:len(Administ) - 1]
for i in ls:
for j in ls:
A = Administ
ad = A[:72] + i + j + A[74:]
t = con.recvline()
t = con.recvline()
t = con.recvline()
t = con.recvline()
t = con.recv()
con.sendline("D")
t = con.recv()
c = str(ad, "utf-8")
con.sendline(c)
t = con.recvline()
ans = t[20:]
if (b'Administrator' in ans):
t = con.recvline()
t = con.recvline()
t = con.recvline()
t = con.recvline()
t = con.recv()
con.sendline("G")
t = con.recv()
con.sendline(str(c))
t = con.recv()
print(t)
break
Conclusion
对于新生赛而言,题目难度是比较高的,\(8\) 题里面我只做了 \(5\) 题(在此期间和 ACM 队友去集训了一天,不然可能还能做一道题),甚至不乏有 ezECC 这种题目解法与其他题目完全重合的这种题,同时也见识到了各种密码题的解题思路,收益还是比较大的,虽然我想学密码学的原因有一部分是数学,但我希望不要所有的密码题都是数学,ezRSA 中对搜索的考察就是很不错的一点。
成就:在比赛期间快把 Nanachi 和 PYthok 烦死了(不会做题导致的),现在其实也是什么都不会呐,还是任重而道远啊。
浙公网安备 33010602011771号