from sage.allimport * from sage.rings.finite_rings.hom_finite_field import FiniteFieldHomomorphism_generic from Crypto.Util.number import * from base64 import b64encode from random import * from secret import flag import signal
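def generate_irreducible_polynomial(R, n):
    """Return a random irreducible polynomial of exact degree ``n`` from ``R``.

    Args:
        R: Polynomial ring offering ``random_element(degree=...)``.
        n: Required degree of the result.

    Returns:
        The first sampled element whose degree equals ``n`` and whose
        ``is_irreducible()`` check succeeds.
    """
    while True:
        f = R.random_element(degree=n)
        # Resample until the degree is exactly n before testing irreducibility.
        while f.degree() != n:
            f = R.random_element(degree=n)
        if f.is_irreducible():
            return f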
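def generate_sparse_irreducible_polynomial(R, n):
    """Return an irreducible polynomial of the form ``x**n + g + 1``.

    ``g`` has coefficients drawn from {-1, 0, 1} on the powers
    ``x**0 .. x**(k-1)``, where ``k`` is picked by ``randint(1, n//2 + 1)``.
    Candidates are drawn until one passes ``is_irreducible()``.

    Args:
        R: Polynomial ring; ``R.gen()`` supplies the indeterminate.
        n: Exponent of the leading term.
    """
    # NOTE(review): with the imports at the top of this listing, choice/randint
    # resolve to Python's `random` module, which is not a CSPRNG.
    x = R.gen()
    while True:
        g = sum(choice([-1, 0, 1]) * x**i for i in range(randint(1, n//2 + 1)))
        candidate = x**n + g + 1
        if candidate.is_irreducible():
            return candidate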
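def random_polynomial(R, n, beta):
    """Return ``x**n`` plus a random tail with small integer coefficients.

    The tail covers the powers ``x**0 .. x**(k-1)`` with ``k`` picked by
    ``randint(0, n)``; each coefficient comes from ``randrange(-beta, beta)``,
    so the upper bound ``beta`` itself is never produced.

    Args:
        R: Polynomial ring; ``R.gen()`` supplies the indeterminate.
        n: Exponent of the leading term.
        beta: Bound on the tail coefficients.
    """
    x = R.gen()
    tail = sum(randrange(-beta, beta) * x**i for i in range(randint(0, n)))
    return tail + x**n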
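# Challenge loop (excerpt): every round picks one of two ways to produce As.
win_count = 0
for _ in range(chance):
    opt = randint(0, 1)  # selects the branch for this round
    if opt:
        # Structured case: small-coefficient polynomials over k1, mapped through phi.
        As = [phi(random_polynomial(k1, n, beta)) for i in range(polyns)]
    else:
        # Unstructured case: elements sampled directly from k2.
        As = [k2.random_element() for i in range(polyns)]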
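# Excerpt: prints every element of As in encoded form.
# NOTE(review): in the full challenge this presumably runs once per round,
# inside the loop over `chance` — confirm against the original source.
for i in range(polyns):
    print(f"As[{i}]: {encode(As[i],q).decode()}")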
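# Two presentations of GF(2^8) with different moduli, and the field homomorphism between them.
sage: B1.<u>=GF(2**8,modulus=[1,0,1,1,1,0,0,0,1])
sage: B2.<v>=GF(2**8,modulus=[1,1,0,1,1,0,0,0,1])
sage: from sage.rings.finite_rings.hom_finite_field import FiniteFieldHomomorphism_generic
sage: phi=FiniteFieldHomomorphism_generic(Hom(B1,B2))
sage: phi
Ring morphism:
  From: Finite Field in u of size 2^8
  To:   Finite Field in v of size 2^8
  Defn: u |--> v + 1
# phi sends u to v + 1, so the image of u**116 can be checked by computing (v+1)**116 in B2.
sage: u**116
u^7 + u^6 + u^5 + u^4 + u^3
sage: (v+1)**116
v^7 + v^2 + v + 1
sage: R.<x>=PolynomialRing(GF(2))  # build the composite polynomial from x^7+x^6+x^5+x^4+x^3
# Substituting x+1 into u**116 and reducing by the B2 modulus gives the same result as (v+1)**116.
sage: ((x+1)**7+(x+1)**6+(x+1)**5+(x+1)**4+(x+1)**3)%(x^8+x^4+x^3+x+1)
x^7 + x^2 + x + 1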
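# Homomorphism in the opposite direction, from B2 to B1.
sage: phinv=FiniteFieldHomomorphism_generic(Hom(B2,B1))
sage: phinv
Ring morphism:
  From: Finite Field in v of size 2^8
  To:   Finite Field in u of size 2^8
  Defn: v |--> u + 1
# v and its image u + 1 both have 51st power equal to 1.
sage: (u+1)**51
1
sage: v**51
1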
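from Crypto.Util.number import *
import os
from hashlib import *
from random import *

# Challenge setup (excerpt): two 512-bit primes, their product n, and a random 20-byte message.
p = getPrime(512)
q = getPrime(512)
n = p*q
m = bytes_to_long(os.urandom(20))
# The exponents are the secret primes themselves. By Fermat's little theorem
# m**p ≡ m (mod p) and m**q ≡ m (mod q), so x and y each equal m modulo one
# factor of n; publishing both leaks that relation.
x = pow(m,p,n)
y = pow(m,q,n)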
这一问和鹏城杯的那个题一样,CRT化简之后,还是 $g\equiv m\pmod p,h\equiv m \pmod q$ 的形式,完全一样的代码
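# Values given for this instance: the modulus n and the two published numbers g and h.
n = 133693649727082259107041662011720823458571250895054242259170170354175642242128965748915759548206594541801234255878757661771526775311636655859201668702890990745739241126384729560433907755687614698569613585182786544165812027959219789602655976970715100245966545577285355634247363922810553139003838578363660449109
g = 92401219014364912794053160070309527007771356043695463515571328726676546494869270394623052969651083009651771857467561945521106625547418406188430774969043958102947805651169010188202688119325462398122519423459244079993702953589811689050017122705616315531462047800685314554111273134721614734430443067361639605720
h = 27444123601022148160097636168019280219400389861288181193988463940073215353205764735090720106313510456714820401995714013971697413924167047690200030265762984461900122475812718262941762361406314725034408660419186620573774598548615986428700226735633115570424145980543054306673862989672645266476994517440508647839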
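from Crypto.Util.number import *

# s[i]/t[i] and r[i]/t[i] modulo q, one entry per sample.
sdivt = [s[i]*inverse(t[i],q)%q for i in range(len(s))]
rdivt = [r[i]*inverse(t[i],q)%q for i in range(len(r))]

# Lattice basis in block form:
#   [ I | diag(s/t) ]
#   [ 0 | q*I       ]
#   [ 0 | r/t       ]
# NOTE(review): the last block row hard-codes a width of 18, so this
# presumably assumes len(s) == len(r) == 18 — confirm against the data.
M = block_matrix([
    [identity_matrix(len(s)), diagonal_matrix(ZZ,sdivt)],
    [zero_matrix(len(s)), q*identity_matrix(len(s))],
    [zero_matrix(1,18), Matrix(ZZ,rdivt)],
])
MLLL = M.LLL()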
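from Crypto.Util.number import *

# Coefficients divided by r[-1]*t[i] modulo q, one entry per index 0..16.
A = [r[i]*s[-1]*inverse(r[-1]*t[i],q)%q for i in range(17)]
B = [r[-1]*s[i]*inverse(r[-1]*t[i],q)%q for i in range(17)]
C = [r[i]*t[-1]*inverse(r[-1]*t[i],q)%q for i in range(17)]

# 36 x 35 integer basis: ones on the first 18 diagonal entries, q on the other 17.
M = [[0 for _ in range(35)] for __ in range(36)]
for i in range(35):
    M[i][i] = 1 if i<18 else q
for i in range(17):
    M[i][i+18] = B[i]   # rows 0..16 carry B
for i in range(17):
    M[17][18+i] = A[i]  # row 17 carries A
for i in range(17):
    M[-1][18+i] = C[i]  # the extra last row carries C
M = Matrix(ZZ,M)
MLLL = M.LLL()

# Sparsity picture of the basis: 'X' for a non-zero entry, '.' for zero,
# with a header row of column indices modulo 10.
print(' ',end='')
for i in range(35):
    print(i%10,end=' ')
print()
for i in range(M.nrows()):
    print(f'{i%10} ',end='')
    for j in range(M.ncols()):
        print('X' if M[i][j] else '.',end=' ')
    print()

# Bit length of every entry of the reduced basis, one basis row per output line.
for i in range(MLLL.nrows()):
    for j in range(MLLL.ncols()):
        print(MLLL[i][j].nbits(),end=' ')
    print()

# NOTE(review): row index 3 is hard-coded; presumably it was picked by
# inspecting the bit-length dump above — confirm before reusing on other data.
v = MLLL[3]
v = v*sgn(v[0])  # flip the sign so that the first coordinate is non-negative
listv = list(v)
k = listv[:18]
b = listv[18:]
x = (k[0]*s[0]-b[0]*t[0])*inverse(r[0],q)%q
print(x,k[0],b[0])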
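# Square 36 x 36 variant of the basis: ones on diagonal entries 0..18,
# q on entries 19..35; C goes in row 0, B in rows 1..17, A in row 18.
M = [[0 for _ in range(36)] for __ in range(36)]
for i in range(36):
    M[i][i] = 1 if i<=18 else q
for i in range(17):
    M[i+1][i+19] = B[i]
for i in range(17):
    M[18][19+i] = A[i]
for i in range(17):
    M[0][19+i] = C[i]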
from Crypto.Util.number import * import random from secret import flag
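def gettoken(c):
    """Return ``c`` multiplied by a random modular square root of a smooth number.

    ``X`` is built as a product of entries of the module-level ``primes`` list
    until it reaches at least 920 bits, and is redrawn until it is a quadratic
    residue modulo both ``p`` and ``q``.  A square root of ``X`` modulo ``n`` is
    then assembled by CRT with a random sign on each prime, and multiplied
    into ``c``.

    Args:
        c: Integer to blind (the RSA ciphertext in this challenge).

    Returns:
        ``c * sqrt(X) mod n`` for the chosen root.
    """
    # NOTE(review): the square of the returned value is c**2 * X (mod n), with
    # X a product of primes from one fixed pool; the solver shown later on this
    # page starts from exactly that relation. The random choices also come
    # from Python's `random`, which is not a CSPRNG.
    X = 0
    # Euler's criterion: X is a square modulo p (resp. q) iff the power equals 1.
    while ((pow(X, (p-1)//2, p)!=1) or (pow(X, (q-1)//2, q)!=1)):
        X = 1
        while X.bit_length() < 920:
            X *= random.choice(primes)
    # The exponent (p + 1)//4 yields a square root when the prime is 3 mod 4.
    xp = pow(X, (p + 1)//4, p)
    xq = pow(X, (q + 1)//4, q)
    xp = random.choice([xp,-xp%p])
    xq = random.choice([xq,-xq%q])
    # CRT recombination of the two roots, then multiplication by c.
    x = c * (xp*inverse(q,p)*q + xq*inverse(p,q)*p) % n
    return x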
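def getmyPrime(nbits):
    """Return an ``nbits``-bit prime that is not congruent to 1 modulo 4.

    Primes from ``getPrime`` are redrawn while ``p % 4 == 1``; gettoken relies
    on this shape when it takes square roots with the exponent ``(p + 1)//4``.

    Args:
        nbits: Bit length passed through to ``getPrime``.
    """
    p = getPrime(nbits)
    while p % 4 == 1:
        p = getPrime(nbits)
    return p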
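# Challenge setup: a pool of 920 distinct entries from sieve_base, two 512-bit
# primes from getmyPrime, and the RSA encryption of the flag under e = 65537.
primes = random.sample(sieve_base, 920)
p = getmyPrime(512)
q = getmyPrime(512)
e = 65537
n = p*q
c = pow(bytes_to_long(flag), e, n)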
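# Publish the modulus followed by one token per line.
with open("output.txt", "w") as f:
    f.write("n = " + str(n) + "\n")
    for i in range(920):
        f.write("Token #"+str(i+1)+': '+str(gettoken(c))+'\n')
    # 920 tokens are written in total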
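from Crypto.Util.number import *
from tqdm import *

# Read the published file; the context manager closes the handle once the lines are loaded.
with open('output.txt','r') as fh:
    tokens = fh.readlines()
tokens.pop(0)  # drop the first line, which is not a token line
n = 68512262030092235082955402685415541014208343583540436164257874839232436153071370815269154345614809159891073442197732980480807167946204103083844856370368201582809851941837996671056932696292853288793127100756079130455873788646267803515293475609923615566516458978625901881951403282617405981962778117066458607117
# Keep the integer after the ':' on each of the 920 token lines.
tokens = [int(tokens[i].split(':')[1]) for i in range(920)]
# Square every token modulo n.
tokens2 = [i*i%n for i in tokens]
# 51 x 50 basis: the first 50 squared tokens as one row, stacked on n times the identity.
M = block_matrix(ZZ, [[Matrix(tokens2[:50])], [identity_matrix(50)*n]])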
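MLLL = M.LLL()
lgMLLL = [[0 for _ in range(50)] for __ in range(51)]
# NOTE(review): row index 1 of the reduced basis is hard-coded; presumably it
# was chosen by inspecting the reduced rows — confirm before reusing.
Xarr = list(MLLL[1])
#print(Xarr)
# Common factor shared by the squared tokens, recovered from the first entry.
C2 = tokens2[0]*inverse(Xarr[0],n)%n
#print(C2)
# Divide the remaining squared tokens by C2 to extend Xarr to all 920 entries.
for i in range(50,920):
    Xarr.append(tokens2[i]*inverse(C2,n)%n)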
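# Factor every recovered value; each entry becomes a list of (prime, exponent) pairs.
FactXarr = []
for i in range(920):
    FactXarr.append(list(factor(Xarr[i])))

# Collect every prime that occurs, deduplicated and sorted.
primeset = []
for i in range(920):
    for j,_ in FactXarr[i]:
        primeset.append(j)
primeset = sorted(list(set(primeset)))

# Map each prime to its position in the sorted list.
# The fixed range raises IndexError if fewer than 920 distinct primes were found.
indexdic = {}
for i in range(920):
    indexdic[primeset[i]] = i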
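# k is produced by a part of the solver that this excerpt does not show;
# presumably it is a square root of 1 modulo n other than ±1 — confirm.
p,q = GCD(int(k-1),n),GCD(int(k+1),n)
# Fail loudly if the gcds did not produce two distinct proper factors.
assert p not in [1,n] and q not in [1,n] and p!=q
carr = []
# Square roots of C2 modulo each prime.
cp = int(pow(C2,(p+1)//4,p))
cq = int(pow(C2,(q+1)//4,q))
# All four sign combinations, recombined by CRT.
for sp in [1,-1]:
    for sq in [1,-1]:
        carr.append(crt([cp*sp,cq*sq],[p,q]))
print(carr)
d = inverse(65537,(p-1)*(q-1))
# Decrypt every candidate; one of the four results is the readable plaintext.
for c in carr:
    print(long_to_bytes(pow(c,d,n)))
"""
Output:
[46630614291745334334152762312676921133624051168940817865903892997090214159501097997241603185344424810227360569767886901658508914717819387760635901824660947938796941642460399170111143796793156856634009422349818143947262685178807938549388138287681555995508698977295037594135656538624892517735216104401235804978, 19703989276128579847076476848899002659695039512136459426637790674933329268053509523645116022627877355721599775333883095285751759221736313984198660551863329947412556215691527518951119591197450423277438733191151653085195488305757310694499293449100108574981362635828059309918833297115589471736564051849673468541, 48808272753963655235878925836516538354513304071403976737620084164299106885017861291624038322986931804169473666863849885195055408724467789099646195818504871635397295726146469152105813105095402865515688367564927477370678300340510492820794182160823506991535096342797842572032569985501816510226214065216785138576, 21881647738346900748802640372738619880584292414599618298353981842142221993570272818027551160270384349663712872429846078822298253228384715323208954545707253644012910299377597500945788899499696432159117678406260986508611103467459864965905337322242059571007760001330864287815746743992513464227562012665222802139]
b'2v\xa7F0aU\xdaJK\x1e\xff\r!>\x84\xf3\xe3\xe5sC\xd6\xa2\x8a-vJ\xe15g\xf0\xcb-^g\xaeJ\x05o.N\xd2\xb1\x12\x06\xe0\x05\xf9\xcc\x0f\xcf\xac(\x1d\x9c\\\xfcz\xe9\xf4\x04\x99V[\x98\xc7\xeb(\xfe\xa1X\x1a\x89\xaa\x17,\xf7\xc9d\x069\xb3\x1d\x0chd\x9d6Z\xdaT\xf8\xba1\x16\xf8{Z\xb3D\xd9\x05\xf8\xb8E\xb8\xd75V\xcc-\x80al\xc3\xf2\xd6.\xcaNt\xfa\xed\x83\x14T\xb3\xe1'
b'n1ctf{b9e7d419-0df8-438a-9120-efdf3ddf155f}'
b"a\x90\x90(K\xa8\x92&\x82\x8f6\xdf\x86^\xa8p\x94\xf9^@wR\x08-g\xc19\x90\xae\x02\xfdQ\x1a\xb21U^(\xe0]9\n\xba\x86\xc1z!\xf1M\xc1\xa1\xcc\xb9~m:w\x0e\xf5\xe2s-\x83\xb0\xb0H^\xed\xe1H\xd5\x83yHp\xcf\x15\xed\xc6\xd8\xf1S\xf1B\xb2\xc1\xce!\xc0\x01\xbc\x82:0\xdd\xdfLy\xe3\xedJ\x9b\x0b\x14\xa0t\xef \x15\x02\xd8O\xfe\x8a'}3\x96\xc1\xbf\xef\x01\xcf\xf4\xb4\xa1\xc7\x90"
b'/\x19\xe8\xe2\x1bG<L8D\x17\xe0y=i\xeb\xa1\x15x\xcd3{e\xa3:J\xee\xafx\x9b\x0c\x85\xedS\xc9\xa7\x14#q.\xea8\tt\xba\x9a\x1b\xf7\x81\xb1\xd2 \x91`\xd0\xddz\x94\x0b\xeen\x94-U\x17\x80s\xc4\xe2\xa7}h\xef\x9eY\xa2\x1e$b\xd2\xb7\xa0\xd46J\xcbbN\xd9\x8d\xe2\xeb\xb9d\xfeK\x05Pi\xd5\xa1\xf9x\x94\x87\xf0K#\x1fc\xe4\x00\xcfM\x90\xef\xc3\xcc]\xa4\xdekH\xa2\xd5\x82z,'
"""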
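# NOTE(review): this excerpt prints private-key material (d_, blind) together
# with the encrypted token to whoever is connected; the condition guarding
# this branch is not part of the excerpt.
print("[+] Now, you have permission to access the privkey!")
print(f"[+] privkey is: ({d_},{blind}).")
print(f"[+] encrypt token is: {rsa.encrypt(bytes_to_long(token))}")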
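# bytes.fromhex raises ValueError on input that is not valid hex; this excerpt does not catch it.
guess_token = bytes.fromhex(input("[-] guess token:"))
# NOTE(review): `==` on bytes is not a constant-time comparison;
# hmac.compare_digest is the standard-library call for comparing secrets.
if guess_token == token:
    print("[+] correct token, here is your flag:",flag)
else:
    print("[-] wrong token")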
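# Step 1: high part. Solve x*(paddqH - x) = n over a 2000-bit real field and
# round the first root down to a multiple of e*b.
# NOTE(review): paddqH / paddqL look like estimates of p+q (high part and the
# value used for the low part) — confirm against the part of the solver not shown.
PR.<x> = PolynomialRing(RealField(2000))
f = x*(paddqH-x) - n
ph = int(f.roots()[0][0]) // (e*b) * (e*b)
print(int(f.roots()[0][0]))

# Step 2: low part. Solve the same quadratic modulo e and modulo b.
R.<x> = PolynomialRing(Zmod(e))
fe = x*(paddqL-x) - n
rese = fe.roots()
R.<x> = PolynomialRing(Zmod(b))
fb = x*(paddqL-x) - n
resb = fb.roots()
# roots() returns (root, multiplicity) pairs; keep only the roots.
rese = [rese[i][0] for i in range(len(rese))]
resb = [resb[i][0] for i in range(len(resb))]
print(rese,resb)

# Step 3: for each pair of residues, combine them modulo e*b by CRT and look
# for the remaining middle part as a small root modulo n.
for i in rese:
    for j in resb:
        pl = crt([int(i),int(j)],[e,b])
        PR.<x> = PolynomialRing(Zmod(n))
        f = ph + e*b*x + pl
        f = f.monic()
        res = f.small_roots(X=2**245,beta=0.496,epsilon=0.015)
        if(res!=[]):
            pg = ph+e*b*res[0]+pl
            # Accept the candidate only if it really divides n.
            assert (n%int(pg)==0)
            print(pg)
            qg = int(n)//int(pg)
            dg = inverse(int(e),int((pg-1)*(qg-1)))
            print(pg,qg)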