CryptoCTF Wp 2

CryptoCTF WriteUp 2 By huangx607087

0.About

再探CryptoCTF，这里面有些题目难度确实还是比较大的，这几天的解题进度也基本上是一天一题的进度吧，不过确实非常扩展思维的。然而我这么菜的肯定比不上群里那些大佬们。今天的RARCTF还有很多东西没看呢，事情的确多得有亿点点忙不过来了。

好在最近外面疫情严重，自己基本上也就一天待在家里，打CTF，配置Blockbot，摸鱼摸鱼在摸鱼，Hadoop的项目还没测试呢，院科协也有两天没打卡，好在还是补上了。

希望新学期能正常开学，我不想上网课，我只是期末想考61而已。

1.Tuti

#!/usr/bin/env python3
from Crypto.Util.number import *
from flag import flag
l = len(flag)
m_1, m_2 = flag[: l // 2], flag[l // 2:]
x, y = bytes_to_long(m_1), bytes_to_long(m_2)
k = '''
000bfdc32162934ad6a054b4b3db8578674e27a165113f8ed018cbe91124fbd63144ab6923d107eee2bc0712fcbdb50d96fdf04dd1ba1b69cb1efe71af7ca08ddc7cc2d3dfb9080ae56861d952e8d5ec0ba0d3dfdf2d12764
'''.replace('\n', '')
assert((x**2 + 1)*(y**2 + 1) - 2*(x - y)*(x*y - 1) == 4*(int(k, 16) + x*y))

很显然，这道题告诉你了两段密文之间的关系：$(x^2+1)(y^2+1)-2(x-y)(xy-1)=4(k+xy)$。

第一反应肯定是要把$xy$之类的未知量移到等号一边，然后等号两边展开，自己就什么也看不出来了。

然后我想到了sagemath，这个东西可以分解因数，说不定可以分解因式呢——貌似确实可行，$4xy$移到左边后对左边式子的分解因式结果是$(x+1)^2(y+1)^2$，这确实是一个非常好的结果，很多大佬都是手搓的——然而自己就不行了，因为自己解一元二次方程如果二次项不为$1$自己就分解不出这个式子了（比如$2x^2+7x+3=0$，笔者遇到直接上求根公式——define huangx607087 fw）。

然后对右边直接开平方就是$(x+1)(y+1)$的值了，至于分解右边的那个数字（实测是$14$个因数），根据$x,y$的位数差不多，在加上flag一定是可读字符，直接枚举各种可能性就行了。

from Crypto.Util.number import *
from gmpy2 import iroot
from string import printable
def check(a,b):
    if abs(len(a)-len(b))>1:
        return 0
    for i in a:
        if chr(i) not in printable:
            return 0
    for i in b:
        if(chr(i)) not in printable:
            return 0
    return 1
k = '''
000bfdc32162934ad6a054b4b3db8578674e27a165113f8ed018cbe9112
4fbd63144ab6923d107eee2bc0712fcbdb50d96fdf04dd1ba1b69cb1efe
71af7ca08ddc7cc2d3dfb9080ae56861d952e8d5ec0ba0d3dfdf2d12764
'''.replace('\n', '')
k=int(k,16)
mul=iroot(4*k,2)
assert mul[1]
mul=mul[0]
S=[2,2,3,11,11,19,47,71,3449,11953,5485619,2035395403834744453,17258104558019725087,1357459302115148222329561139218955500171643099]
for i in range(2**14):
    M1,M2=1,1
    for j in range(14):
        if i&(1<<j):
            M1*=S[j]
        else:
            M2*=S[j]
    a,b=long_to_bytes(M1-1),long_to_bytes(M2+1)
    if(check(a,b)):
        print(a+b)
#CCTF{S1mPL3_4Nd_N!cE_Diophantine_EqUa7I0nS!}

最后解出来为什么又是丢番图方程，看来CryptoCTF出题人对丢番图情有独钟啊，这让我想起来当年那个科协里的那个对话

A:让我们讨论一下丢番图
B:番图是什么，为什么要丢掉

2.RSAphantine

看名字，很明显，又是跟丢番图有关的

题目就给出了一个方程组，和一个RSA加密的结果

2*z**5 - x**3 + y*z = 47769864706750161581152919266942014884728504309791272300873440765010405681123224050402253883248571746202060439521835359010439155922618613520747411963822349374260144229698759495359592287331083229572369186844312169397998958687629858407857496154424105344376591742814310010312178029414792153520127354594349356721
x**4 + y**5 + x*y*z = 89701863794494741579279495149280970802005356650985500935516314994149482802770873012891936617235883383779949043375656934782512958529863426837860653654512392603575042842591799236152988759047643602681210429449595866940656449163014827637584123867198437888098961323599436457342203222948370386342070941174587735051
y**6 + 2*z**5 + z*y = 47769864706750161581152919266942014884728504309791272300873440765010405681123224050402253883248571746202060439521835359010439155922618613609786612391835856376321085593999733543104760294208916442207908167085574197779179315081994735796390000652436258333943257231020011932605906567086908226693333446521506911058
p = nextPrime(x**2 + z**2 + y**2 << 76)
q = nextPrime(z**2 + y**3 - y*x*z ^ 67)
n, e = p * q, 31337
m = bytes_to_long(FLAG)
c = pow(m, e, n)
c = 486675922771716096231737399040548486325658137529857293201278143425470143429646265649376948017991651364539656238516890519597468182912015548139675971112490154510727743335620826075143903361868438931223801236515950567326769413127995861265368340866053590373839051019268657129382281794222269715218496547178894867320406378387056032984394810093686367691759705672

第一次乍一看，似乎并没有什么思路，因为三个都是高次方程的组合，三个未知数，确实是求不出来了的。想要消元降次也几乎不可能——因为自己实测过了（

不过这个时候可以把重点聚焦到第一个和第三个式子上，因为第一个式子和第三个式子都有公共的部分就是$2z^5$，并且这两个式子算出来的结果有很长的高位时相同的，这确实是一个令人怀疑的地方——因此，我们可以猜测：对这两个数字除以$2$后直接开五次方，那么就可以得出$z$的准确值。

事实上确实如此，借助python中的iroot直接开根——可以发现这两个数字除以$2$后开五次方根的结果是一样的，而这个数字我们可以认为是解出来的$z$值——事实上解出来确实如此。

解出来之后，$x,y$两个数字就可以很容易地求出来了——我这边用的是$y^6+zy=a_3-2z^5$这个式子通过二分得出结果的，当然也可以用其他的办法求$y$，求出$y$后就可以直接求$x$了，不过最后$x$是负的令我没想到，但assert对了那就说明没问题了。

from gmpy2 import iroot,next_prime
from Crypto.Util.number import *
a1=47769864706750161581152919266942014884728504309791272300873440765010405681123224050402253883248571746202060439521835359010439155922618613520747411963822349374260144229698759495359592287331083229572369186844312169397998958687629858407857496154424105344376591742814310010312178029414792153520127354594349356721
a2=89701863794494741579279495149280970802005356650985500935516314994149482802770873012891936617235883383779949043375656934782512958529863426837860653654512392603575042842591799236152988759047643602681210429449595866940656449163014827637584123867198437888098961323599436457342203222948370386342070941174587735051
a3=47769864706750161581152919266942014884728504309791272300873440765010405681123224050402253883248571746202060439521835359010439155922618613609786612391835856376321085593999733543104760294208916442207908167085574197779179315081994735796390000652436258333943257231020011932605906567086908226693333446521506911058
Tz1,Tz3=iroot(a1//2,5)[0],iroot(a3//2,5)[0]
assert Tz1==Tz3
z=Tz1
x,y=None,None
L,R=0,10**1000
while L<=R:
    M=(L+R)//2
    if(M**6+M*z<a3-2*z**5):
        L=M+1
    if(M**6+M*z>a3-2*z**5):
        R=M-1
    if(M**6+M*z==a3-2*z**5):
        y=M
        break
assert y**6+2*z**5+z*y==a3
x=iroot(a1-2*z**5-y*z,3)
assert x[1]
x=-x[0]
assert x**4 + y**5 + x*y*z ==a2
p = next_prime(x**2 + z**2 + y**2 << 76)
q = next_prime(z**2 + y**3 - y*x*z ^ 67)
c=486675922771716096231737399040548486325658137529857293201278143425470143429646265649376948017991651364539656238516890519597468182912015548139675971112490154510727743335620826075143903361868438931223801236515950567326769413127995861265368340866053590373839051019268657129382281794222269715218496547178894867320406378387056032984394810093686367691759705672
d=inverse(31337,(p-1)*(q-1))
print(long_to_bytes(pow(c,d,p*q)))
print(x)
print(y)
print(z)
'''
flag=CCTF{y0Ur_jO8_C4l13D_Diophantine_An4LySI5!}
x=-97319611529501810510904538298668204056042623868316550440771307534558768612892
y=311960913464334198969500852124413736815
z=29896806674955692028025365368202021035722548934827533460297089
'''

3.Onlude

#Sagemath
from sage.all import *
from flag import flag
global p, alphabet
p = 71
alphabet = '=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$!?_{}<>'
flag = flag.lstrip('CCTF{').rstrip('}')
assert len(flag) == 24
def cross(m):
	return alphabet.index(m)
def prepare(msg):
	A = zero_matrix(GF(p), 11, 11)
	for k in range(len(msg)):
		i, j = 5*k // 11, 5*k % 11
		A[i, j] = cross(msg[k])
	return A
def keygen():
	R = random_matrix(GF(p), 11, 11)
	while True:
		S = random_matrix(GF(p), 11, 11)
		if S.rank() == 11:
			_, L, U = S.LU()
			return R, L, U
def encrypt(A, key):
	R, L, U = key
	S = L * U
	X = A + R
	Y = S * X
	E = L.inverse() * Y
	return E
A = prepare(flag)
key = keygen()
R, L, U = key
S = L * U
E = encrypt(A, key)
print(f'E = \n{E}')#E
print(f'L * U * L = \n{L * U * L}')#M1
print(f'L^(-1) * S^2 * L = \n{L.inverse() * S**2 * L}')#M2
print(f'R^(-1) * S^8 = \n{R.inverse() * S**8}')#M10

一道矩阵题，加密方法不难，涉及矩阵运算。

题目给出了密文$E$，还有三个辅助量$M_1=LUL,M_2=L^{-1}S^2L,M_{10}=R^{-1}S^8$。 其中$R$是一个随机矩阵，$L,U$是$S$的$LU$分解，即$S=LU$。加密方法为$E=L^{-1}S(A+R)$，$A$就是明文

这边简单地提一下什么是矩阵的$LU$分解，就是对于任意一个矩阵$M$，可以将其沿主对角线拆分成一个上三角矩阵$U$和一个下三角矩阵$L$，使得$LU=S$，其中$\det L=1,\det U=\det S$，因此这种分解方法是唯一的。

由于$M_1=LUL=SL,M_2=L^{-1}S^2L$，根据矩阵的逆运算，因此$M_2^{-1}=L^{-1}S^{-2}L$，因此我们可以有：
$$
M_3=M_1M_2^{-1}=SLL^{-1}S^{-2}L=S^{-1}L=U^{-1}L^{-1}L=U^{-1}
$$
很显然，如果我们想要凑$S$出来，那就要消去$L$，由于我们发现$M_3=S^{-1}L,M_1=SL$，因此我们计算$M_1M_3^{-1}$，有
$$
M_1M_3^{-1}=SLL^{-1}S=S^2
$$
有了$S^2$，那么我们可以计算出$S^8$，进而计算出$S^{-8}$。故
$$
R=(M_{10}(S^{-8}))^{-1}=S^8M_{10}^{-1}
$$
由于$M_3=U^{-1}$，因此对$M_3$直接求逆就得到了$U$。到目前为止，$R,U$都得到了，而$E=L^{-1}S(A+R)=U(A+R)=UA+UR$，因此$A$很容易就可以得到了。然后根据他的规则，将矩阵里对应的数字转化成字典中的内容，这道题就解出来了。

from Crypto.Util.number import *
E=[[25,55,61,28,11,46,19,50,37,5,21],[20,57,39,9,25,37,63,31,70,15,47],[56,31,1,1,50,67,38,14,42,46,14],[42,54,38,22,19,55,7,18,45,53,39],[55,26,42,15,48,6,24,4,17,60,64],[1,38,50,10,19,57,26,48,6,4,14],[13,4,38,54,23,34,54,42,15,56,29],[26,66,8,48,6,70,44,8,67,68,65],[56,67,49,61,18,34,53,21,7,48,32],[15,70,10,34,1,57,70,27,12,33,46],[25,29,20,21,30,55,63,49,11,36,7]]
M1=[[50,8,21,16,13,33,2,12,35,20,14],[36,55,36,34,27,28,23,21,62,17,8],[56,26,49,39,43,30,35,46,0,58,43],[11,25,25,35,29,0,22,38,53,51,58],[34,14,69,68,5,32,27,4,27,62,15],[46,49,36,42,26,12,28,60,54,66,23],[69,55,30,65,56,13,14,36,26,46,48],[25,48,16,20,34,57,64,62,61,25,62],[68,39,11,40,25,11,7,40,24,43,65],[54,20,40,59,52,60,37,14,32,44,4],[45,20,7,26,45,45,50,17,41,59,50]]
M2=[[34,12,70,21,36,2,2,43,7,14,2],[1,54,59,12,64,35,9,7,49,11,49],[69,14,10,19,16,27,11,9,26,10,45],[70,17,41,13,35,58,19,29,70,5,30],[68,69,67,37,63,69,15,64,66,28,26],[18,29,64,38,63,67,15,27,64,6,26],[0,12,40,41,48,30,46,52,39,48,58],[22,3,28,35,55,30,15,17,22,49,55],[50,55,55,61,45,23,24,32,10,59,69],[27,21,68,56,67,49,64,53,42,46,14],[42,66,16,29,42,42,23,49,43,3,23]]
M10=[[51,9,22,61,63,14,2,4,18,18,23],[33,53,31,31,62,21,66,7,66,68,7],[59,19,32,21,13,34,16,43,49,25,7],[44,37,4,29,70,50,46,39,55,4,65],[29,63,29,43,47,28,40,33,0,62,8],[45,62,36,68,10,66,26,48,10,6,61],[43,30,25,18,23,38,61,0,52,46,35],[3,40,6,45,20,55,35,67,25,14,63],[15,30,61,66,25,33,14,20,60,50,50],[29,15,53,22,55,64,69,56,44,40,8],[28,40,69,60,28,41,9,14,29,4,29]]
E,M1,M2,M10=matrix(GF(71),E),matrix(GF(71),M1),matrix(GF(71),M2),matrix(GF(71),M10)
M3=M1*(M2^-1)
S2=M1*(M3^-1)
R=(M10*S2^-4)^-1
U=M3^-1
UA=E-U*R
A=M3*UA
Dic='=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$!?_{}<>'
F,K="",0
while len(F)<24:
    F+=Dic[A[K//11][K%11]]
    K+=5
print('CCTF{'+F+'}')
#CCTF{LU__D3c0mpO517Ion__4L90?}

4.Triplet

一个远程交互的题目，看起来似乎有点难度，也有点脑洞

from Crypto.Util.number import *
from random import randint
import sys
from flag import FLAG
def die(*args):
	pr(*args)
	quit()
def pr(*args):
	s = " ".join(map(str, args))
	sys.stdout.write(s + "\n")
	sys.stdout.flush()
def sc():
	return sys.stdin.readline().strip()
def main():
	border = "+"
	pr(border*72)
	pr(border, " hi talented cryptographers, the mission is to find the three RSA   ", border)
	pr(border, " modulus with the same public and private exponent! Try your chance!", border)
	pr(border*72)
	nbit = 160
	while True:
		pr("| Options: \n|\t[S]end the three nbit prime pairs \n|\t[Q]uit")
		ans = sc().lower()
		order = ['first', 'second', 'third']
		if ans == 's':
			P, N = [], []
			for i in range(3):
				pr("| Send the " + order[i] + " RSA primes such that nbit >= " + str(nbit) + ": p_" + str(i+1) + ", q_" + str(i+1) + " ")
				params = sc()
				try:
					p, q = params.split(',')
					p, q = int(p), int(q)
				except:
					die("| your primes are not valid!!")
				if isPrime(p) and isPrime(q) and len(bin(p)[2:]) >= nbit and len(bin(q)[2:]) >= nbit:
					P.append((p, q))
					n = p * q
					N.append(n)
				else:
					die("| your input is not desired prime, Bye!")
			if len(set(N)) == 3:
				pr("| Send the public and private exponent: e, d ")
				params = sc()
				try:
					e, d = params.split(',')
					e, d = int(e), int(d)
				except:
					die("| your parameters are not valid!! Bye!!!")
				phi_1 = (P[0][0] - 1)*(P[0][1] - 1)
				phi_2 = (P[1][0] - 1)*(P[1][1] - 1)
				phi_3 = (P[2][0] - 1)*(P[2][1] - 1)
				if 1 < e < min([phi_1, phi_2, phi_3]) and 1 < d < min([phi_1, phi_2, phi_3]):
					b = (e * d % phi_1 == 1) and (e * d % phi_2 == 1) and (e * d % phi_3 == 1)
					if b:
						die("| You got the flag:", FLAG)
					else:
						die("| invalid exponents, bye!!!")
				else:
					die("| the exponents are too small or too large!")
			else:
				die("| kidding me?!!, bye!")
		elif ans == 'q':
			die("Quitting ...")
		else:
			die("Bye ...")
if __name__ == '__main__':
	main()

简单看过代码后，就是你要构造三个不同的RSA模数$n_1,n_2,n_3$，大小必须超过$320$位（也就是两个$160$位的素数相乘）。使得这三个模数拥有一组相同的$(e,d)$，使得$(e,d)$均小于三个$\phi$值。简而言之就是要让$ed$的值很小且不能为$1$。

由于$ed\equiv 1 \pmod \phi$。根据扩展中国剩余定理，由于三个$\phi$不同，但$ed$相同，因此这里$ed$除了$1$，只能让$\mathrm{lcm}(\phi_1,\phi_2,\phi_3)$的值足够小。换句话就是让$\gcd(\phi_1,\phi_2,\phi_3)$足够大。

因此，我们可以构造三个素数$p,q,r=k_ig+1$，其中$i$取值为$1$到$3$，$k_i$远小于$g$，而这个$g$，就是我们所想要的$\gcd(\phi_1,\phi_2,\phi_3)$。我们可以构造$g=2^{158},2^{159},2^{160}$，当然这边为了方便起见，我在这里的$g$选择了$10$的次幂，因为这样看起来顺眼（x

于是可以构造： $p=1537000000000000000000000000000000000000000000001$，$q=1545000000000000000000000000000000000000000000001$，$r=1591000000000000000000000000000000000000000000001$

，这样子三个$\phi$的公约数就很大了。然后我们分别对服务器发送$p,q$，$p,r$，$q,r$，完成第一步。

然后我们计算$L=\mathrm{lcm}(\phi_1,\phi_2,\phi_3)$，得：
$$
L=3778092015000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
$$
分解这个$L$，有
$$
31×32251×3778919598392047858481007340607593062880770888824652598919163296761990876001844403924459456621
$$
因此我们有$e=31×32251=999781$，$d=3778919598392047858481007340607593062880770888824652598919163296761990876001844403924459456621$。直接发送过去就可以得到最后的结果

5.Tiny ECC

from mini_ecdsa import *#这个包里集成了一些ECC的算法，与题目无关，此处略去
from Crypto.Util.number import *
from flag import flag
def tonelli_shanks(n, p):
	if pow(n, int((p-1)//2), p) == 1:
			s = 1
			q = int((p-1)//2)
			while True:
				if q % 2 == 0:
					q = q // 2
					s += 1
				else:
					break
			if s == 1:
				r1 = pow(n, int((p+1)//4), p)
				r2 = p - r1
				return r1, r2
			else:
				z = 2
				while True:
					if pow(z, int((p-1)//2), p) == p - 1:
						c = pow(z, q, p)
						break
					else:
						z += 1
				r = pow(n, int((q+1)//2), p)
				t = pow(n, q, p)
				m = s
				while True:
					if t == 1:
						r1 = r
						r2 = p - r1
						return r1, r2
					else:
						i = 1
						while True:
							if pow(t, 2**i, p) == 1:
								break
							else:
								i += 1
						b = pow(c, 2**(m-i-1), p)
						r = r * b % p
						t = t * b ** 2 % p
						c = b ** 2 % p
						m = i
	else:
		return False
def random_point(p, a, b):
	while True:
		gx = getRandomRange(1, p-1)
		n = (gx**3 + a*gx + b) % p
		gy = tonelli_shanks(n, p)
		if gy == False:
			continue
		else:
			return (gx, gy[0])
def die(*args):
	pr(*args)
	quit()
def pr(*args):
	s = " ".join(map(str, args))
	sys.stdout.write(s + "\n")
	sys.stdout.flush()
def sc():
	return sys.stdin.readline().strip()
def main():
	border = "+"
	pr(border*72)
	pr(border, "  Dual ECC means two elliptic curve with same coefficients over the ", border)
	pr(border, "  different fields or ring! You should calculate the discrete log   ", border)
	pr(border, "  in dual ECCs. So be smart in choosing the first parameters! Enjoy!", border)
	pr(border*72)
	bool_coef, bool_prime, nbit = False, False, 128
	while True:
		pr(f"| Options: \n|\t[C]hoose the {nbit}-bit prime p \n|\t[A]ssign the coefficients \n|\t[S]olve DLP \n|\t[Q]uit")
		ans = sc().lower()
		if ans == 'a':
			pr('| send the coefficients a and b separated by comma: ')
			COEFS = sc()
			try:
				a, b = [int(_) for _ in COEFS.split(',')]
			except:
				die('| your coefficients are not valid, Bye!!')
			if a*b == 0:
				die('| Kidding me?!! a*b should not be zero!!')
			else:
				bool_coef = True
		elif ans == 'c':
			pr('| send your prime: ')
			p = sc()
			try:
				p = int(p)
			except:
				die('| your input is not valid :(')
			if isPrime(p) and p.bit_length() == nbit and isPrime(2*p + 1):
				q = 2*p + 1
				bool_prime = True
			else:
				die(f'| your integer p is not {nbit}-bit prime or 2p + 1 is not prime, bye!!')
		elif ans == 's':
			if bool_coef == False:
				pr('| please assign the coefficients.')
			if bool_prime == False:
				pr('| please choose your prime first.')
			if bool_prime and bool_coef:
				Ep = CurveOverFp(0, a, b, p)
				Eq = CurveOverFp(0, a, b, q)
				xp, yp = random_point(p, a, b)
				P = Point(xp, yp)
				xq, yq = random_point(q, a, b)
				Q = Point(xq, yq)
				k = getRandomRange(1, p >> 1)
				kP = Ep.mult(P, k)
				l = getRandomRange(1, q >> 1)
				lQ = Eq.mult(Q, l)
				pr('| We know that: ')
				pr(f'| P = {P}')
				pr(f'| k*P = {kP}')
				pr(f'| Q = {Q}')
				pr(f'| l*Q = {lQ}')
				pr('| send the k and l separated by comma: ')
				PRIVS = sc()
				try:
					priv, qriv = [int(s) for s in PRIVS.split(',')]
				except:
					die('| your input is not valid, Bye!!')
				if priv == k and qriv == l:
					die(f'| Congrats, you got the flag: {flag}')
				else:
					die('| sorry, your keys are not correct! Bye!!!')
		elif ans == 'q':
			die("Quitting ...")
		else:
			die("Bye ...")

if __name__ == '__main__':
	main()

又是一个交互题，题目是发送一个素数$p$，且$q=2p+1$也是素数，并自定椭圆曲线系数$a,b$，最后在$GF(p),GF(q)$上分别解一次椭圆曲线上的离散对数即可获得flag。

很显然，这边就是要构造一个特殊的曲线，这样才能很容易地解出ECDLP。很显然，最简单的椭圆曲线就是$y^2=x^3$，也就是此时$(0,0)$点在椭圆曲线上。

这里我选择了$p=207700000000000000000000000000000000001$，$q=2p+1=415400000000000000000000000000000000003$，符合题目条件。

但题目规定：$a,b$均不能为$0$，但是题目只说了$ab≠0$——很显然，这是一个漏洞，因为它这边没有取模。因此我们只需要计算$n=pq$，然后将$a,b$的值都定为$n$即可，此处有
$$
n=86278580000000000000000000000000000001038500000000000000000000000000000000003
$$
然后我们利用有限域上的极其特殊的椭圆曲线$y^2=x^3$的求解dlp的公式，就可以求出最终的结果了。

这个公式很简单，设$P(x,y),Q=kP$，定$f(P)=\dfrac x y$，那么：
$$
k=\dfrac {f(Q)}{f(P)}
$$
所以最后的解题过程就很简单了

from Crypto.Util.number import *
def solve(p,P,kP):
    fP = P[0]*inverse(P[1],p)%p
    fkP = kP[0]*inverse(kP[1],p)%p
    return fkP*inverse(fP,p)%p
p,q=207700000000000000000000000000000000001,415400000000000000000000000000000000003
n=86278580000000000000000000000000000001038500000000000000000000000000000000003
assert n==p*q
P = (203229899779000076314358233714424355341,60440074750241244164201445769817870587)
kP = (52410058339877917624863834128227223795,49211699144775676781683504862929553688)
Q = (172334393951679208280736138845997145361,20443831011651348736860400696145266671)
lQ = (145705507629923190180573378828332340194,79769406366840777802969722053757749656)
print(solve(p,P,kP),solve(q,Q,lQ))
#27870828690899416876383090452513900161 495768251079805627828936776109738300

最终解题结果：

6.总结

这5道题的思维量明显要比前5题的思维量难度大的，尤其是第4题和第5题，是一种全新的题型，直接就是让你构造特殊的素数和特殊的曲线，并在特殊的条件下求解一些难题——这种出题思维还是很不平常的，长见识了。而第1，2题对数感的要求要非常的好，比如近似数，还有那个分解因式（自己的短板，解二次项不为1的方程直接上公式了）

哦对，顺便提一下我在4，5两题里面构造的这种特殊素数：前面$4$位是随机的，中间一堆$0$，最后一个$1$，这种素数还有一个特点，就是$p-1$极度光滑——因为你除掉所有的$10$因数就还剩几千了，说不定以后会在什么题里遇到。