Crypto

by Smera1d0

1.ezrsa

题干如下:

from Crypto.Util.number import getPrime

from secret import flag

p = getPrime(512)

print(p,pow(flag, 2, p))

给出了\(p\)和\({flag}^2modp\)

即我们需要解一个已知\(n\)和\(p\),求解\(x^2=n(modp)\)中\(x\)的值

上网查阅发现\(Tonelli \ Shanks\)算法可以求解模意义下的平方根

from Crypto.Util.number import getPrime

from Crypto.Util.number import long_to_bytes

# from secret import flag

#

# p = getPrime(512)

# print(p,pow(flag, 2, p))

import gmpy2

import math

# 4124820799737107236308837008524397355107786950414769996181324333556950154206980059406402767327725312238673053581148641438494212320157665395208337575556385 13107939563507459774616204141253747489232063336204173944123263284507604328885680072478669016969428366667381358004059204207134817952620014738665450753147857

c=4124820799737107236308837008524397355107786950414769996181324333556950154206980059406402767327725312238673053581148641438494212320157665395208337575556385

p=13107939563507459774616204141253747489232063336204173944123263284507604328885680072478669016969428366667381358004059204207134817952620014738665450753147857

from Crypto.Util.number import *

def Legendre(n, p):

    return pow(n, (p - 1) // 2, p)

def Tonelli_Shanks(n, p):

    assert Legendre(n, p) == 1

    if p % 4 == 3:

        return pow(n, (p + 1) // 4, p)

    q = p - 1

    s = 0

    while q % 2 == 0:

        q = q // 2

        s += 1

    for z in range(2, p):

        if Legendre(z, p) == p - 1:

            c = pow(z, q, p)

            break

    r = pow(n, (q + 1) // 2, p)

    t = pow(n, q, p)

    m = s

    if t % p == 1:

        return r

    else:

        i = 0

        while t % p != 1:

            temp = pow(t, 2 ** (i + 1), p)

            i += 1

            if temp % p == 1:

                b = pow(c, 2 ** (m - i - 1), p)

                r = r * b % p

                c = b * b % p

                t = t * c % p

                m = i

                i = 0

        return r

result = Tonelli_Shanks(c, p)

print(result)

print(long_to_bytes(-result%p))

解出来方程的两根分别为result和(-result)%p

long_to_bytes(-result%p)得到flag:flag{9971e255f0c020e8e57fbae75f43d7fb}

2.hdRsa

在github上查阅到一道极为相似的题目idekctf2021/crypto/DestroyedRSA

查阅到了这道题的题解 https://angmar2722.github.io/CTFwriteups/2021/idek2021/#destroyed-rsa

此题D是从列表a里选取的,于是我们修改一下脚本

from sage.all import *

from math import gcd

import sys

from Crypto.Util.number import *

from tqdm import tqdm

sys.setrecursionlimit(100000)

def polynomial_xgcd(a, b):

    """

    Computes the extended GCD of two polynomials using Euclid's algorithm.

    :param a: the first polynomial

    :param b: the second polynomial

    :return: a tuple containing r, s, and t

    """

    assert a.base_ring() == b.base_ring()

    r_prev, r = a, b

    s_prev, s = 1, 0

    t_prev, t = 0, 1

    while r:

        try:

            q = r_prev // r

            r_prev, r = r, r_prev - q * r

            s_prev, s = s, s_prev - q * s

            t_prev, t = t, t_prev - q * t

        except RuntimeError:

            raise ArithmeticError("r is not invertible", r)

    return r_prev, s_prev, t_prev

def polynomial_inverse(p, m):

    """

    Computes the inverse of a polynomial modulo a polynomial using the extended GCD.

    :param p: the polynomial

    :param m: the polynomial modulus

    :return: the inverse of p modulo m

    """

    g, s, t = polynomial_xgcd(p, m)

    return s * g.lc() ** -1

def factorize(N, D):

    """

    Recovers the prime factors from a modulus using Cheng's elliptic curve complex multiplication method.

    More information: Sedlacek V. et al., "I want to break square-free: The 4p - 1 factorization method and its RSA backdoor viability"

    :param N: the modulus

    :param D: the discriminant to use to generate the Hilbert polynomial

    :return: a tuple containing the prime factors

    """

    assert D % 8 == 3, "D should be square-free"

    zmodn = Zmod(N)

    pr = zmodn["x"]

    H = pr(hilbert_class_polynomial(-D))

    Q = pr.quotient(H)

    j = Q.gen()

    try:

        k = j * polynomial_inverse((1728 - j).lift(), H)

    except ArithmeticError as err:

        # If some polynomial was not invertible during XGCD calculation, we can factor n.

        p = gcd(int(err.args[1].lc()), N)

        return int(p), int(N // p)

    E = EllipticCurve(Q, [3 * k, 2 * k])

    while True:

        x = zmodn.random_element()

        #print(f"Calculating division polynomial of Q{x}...")

        z = E.division_polynomial(N, x=Q(x))

        try:

            d, _, _ = polynomial_xgcd(z.lift(), H)

        except ArithmeticError as err:

            # If some polynomial was not invertible during XGCD calculation, we can factor n.

            p = gcd(int(err.args[1].lc()), N)

            return int(p), int(N // p)

        p = gcd(int(d), N)

        if 1 < p < N:

            return int(p), int(N // p)

n = 330961752887996173328854935965112588884403584531022561119743740650364958220684640754584393850796812833007843940336784599719224428969119533284286424077547165101460469847980799370419655082069179038497637761333327079374599506574723892143817226751806802676013225188467403274658211563655876500997296917421904614128056847977798146855336939306463059440416150493262973269431000762285579221126342017624118238829230679953011897314722801993750454924627074264353692060002758521401544361385231354313981836056855582929670811259113019012970540824951139489146393182532414878214182086999298397377845534568556100933934481180701997394558264969597606662342898026915506749002491326250792107348176681795942799954526068501499100232598658650184565873243525176833451664254917655703178472944744658628534195346977023418550761620254528178516972066618936960223660362493931786389085393392950207048675797593816271435700130995225483316625836104802608163745376633884840588575355936746173068655319645572100149515524131883813773486917122153248495022372690912572541775943614626733948206252900473118240712831444072243770979419529210034883903111038448366933374841531126421441232024514486168742686297481063089161977054825621099768659097509939405315056325336120929492838479309609958696957890570295444494277819063443427972643459784894450787015151715676537385237767990406742547664321563688829289809321534752244260529319454316532580416182438749849923354060125229328043961355894086576238519138868298499249023773237770103057707912709725417033309061308880583988666463892828633292839968866953776989722310954204550783825704710017434214644199415756584929214239679433211393230307782953067246529626136446314941258877439356094775337541321331600788042698664632064112896956898222397445497695982546922871549828242938368486774617350420790711093069910914135319635330786253331223459637232106417577225350441291

e = 65537

c = 187275367513186345104534865239994699892170904489725413330767115192172530253625393062151741036312498277557971553595091826062438445856091864605758318579599363539202154625683947568962358702545878760994434813222953503460910447662183200334960821110618746899798165363389255347363192576250804362413854445821046755759458439443253294822553986237695607000569717855942461517564526611106601774100617668231506539201297550376834067118784548951699927659889815770492684106287801610261026674778509245649501695344652216367741171392139049785280654043804502329999760613658697298671602787929199239524617160567336634126185042907593427921016129734757065504417112269027028799047579450965076835882020261162192475637278445255805339324893626400179818784574957669576516363342104273184813708475202313539634027764340858242764934872804570810575764191987921655276520658100755510986290562980055133376750812535713567917823663134974180449002466833109112866681229626239871954125027501071383217816313440079294139254989413050731511516498127225020975071747314764552267845933494600295296885808466296844091612401062566502515356974852161817112538289440970059783116540091633055220150093646069438113246518726017868258339512247175386052684861670431148484455765445960495130308147156436998327553854387741014177421559585683382003377803158283603889312107837885491964835073892174406797445622388505256985237867456926792546588756970045576002345376035346727906264683596628903417932566383221754976804148878057310066885140776352202510584461556988179369177560403923399529842871087532495739921906849249072433614545319458973155343802539527630971239359995893495205324483418191744545506744253222956232506980824457995662900264427265978239540089825733734306363153471606200228841997928021468359645661221933848545854596097640552489404777927679709089475954033350287287833943519423030861868256961619722983499902810335

a = [427,403,267,235,187,123,115,91,35,51]

for D in a:

    p, q = factorize(n, D)

    assert p*q == n

    def roots_of_unity(e, phi, n, rounds=250):

        # Divide common factors of `phi` and `e` until they're coprime.

        phi_coprime = phi

        while gcd(phi_coprime, e) != 1:

            phi_coprime //= gcd(phi_coprime, e)

        # Don't know how many roots of unity there are, so just try and collect a bunch

        roots = set(pow(i, phi_coprime, n) for i in range(1, rounds))

        assert all(pow(root, e, n) == 1 for root in roots)

        return roots, phi_coprime

    # n is prime

    # Problem: e and phi are not coprime - d does not exist

    phi = (p - 1) * (q-1)

    # Find e'th roots of unity modulo n

    roots, phi_coprime = roots_of_unity(e, phi, n)

    # Use our `phi_coprime` to get one possible plaintext

    d = inverse_mod(e, phi_coprime)

    pt = pow(c, d, n)

    assert pow(pt, e, n) == c

    # Use the roots of unity to get all other possible plaintexts

    pts = [(pt * root) % n for root in roots]

    pts = [long_to_bytes(pt) for pt in pts]

    for pt in pts:

        if b'flag' in pt:

            print(pt)

用sagemath跑一下,得到:

后来欧阳学长说这个分解来自一篇论文 https://www.researchgate.net/publication/335162606_I_Want_to_Break_Square-free_The_4p_-_1_Factorization_Method_and_Its_RSA_Backdoor_Viability

HUAWEI SECURITY 2023 山东大学专场 WP的更多相关文章

  1. sed用法——在指定行后面添加内容

    文档内容如下: # cat 123.txt linuxciscohuaweinetworksystem 1. 使用sed命令在cisco行下面添加CCIE: # sed -i "/cisco ...

  2. ICSFUZZ:操纵I/O、二进制代码重用以及插桩,来Fuzzing工业控制应用程序

    ​ 本文系原创,转载请说明出处 Please Subscribe Wechat Official Account:信安科研人,获取更多的原创安全资讯 源码:GitHub - momalab/ICSFu ...

  3. 2023云数据库技术沙龙MySQL x ClickHouse专场成功举办

    4月22日,2023首届云数据库技术沙龙 MySQL x ClickHouse 专场,在杭州市海智中心成功举办.本次沙龙由玖章算术.菜根发展.良仓太炎共创联合主办.围绕"技术进化,让数据更智 ...

  4. 华为 huawei 查看系统中存在的安全风险信息 display security risk

    查看系统中存在的安全风险信息. 应用场景 由于协议自身的安全性能不同,用户配置时使用的某些协议可能存在安全风险.通过该命令可查看系统中存在的安全风险,并根据给出的修复建议解除风险.例如,用户配置了SN ...

  5. HGAME 2023 WP week1

    WEEK1 web Classic Childhood Game 一眼顶真,直接翻js文件,在Events.js中找到mota(),猜测是获取flag,var a = ['\x59\x55\x64\x ...

  6. 【WP开发】加密篇:双向加密

    说起双向加密,如果以前在.NET开发中弄过加/解密的朋友都不会陌生,常用的算法有DES.AES等.在RT应用程序中,也提供了加密相关的API,算法自然是一样的,只是API的封装方式不同罢了,因为RT不 ...

  7. Android Security

    Android Security¶ 确认签名¶ Debug签名: $ jarsigner -verify -certs -verbose bin/TemplateGem.apk sm 2525 Sun ...

  8. SpringMVC 3.2集成Spring Security 3.2

    参考:http://www.cnblogs.com/Beyond-bit/p/springmvc_and_springsecurity.html SpringMVC 3.2集成Spring Secur ...

  9. Java Spring Boot VS .NetCore (九) Spring Security vs .NetCore Security

    Java Spring Boot VS .NetCore (一)来一个简单的 Hello World Java Spring Boot VS .NetCore (二)实现一个过滤器Filter Jav ...

  10. 分享:五个非常有用的WP插件

    一全老师(www.yiquanseo.com)认为非常有用的几款WP插件,用WordPress做站的可以看下,估计你很可能用得到! 第一款WooCommerce Page Builder: 这款插件是 ...

随机推荐

  1. Angular Material 18+ 高级教程 – Material Form Field

    介绍 Form Field 或 Text Field 是 Material Design 独有的设计风格 .它长这样 注:Material Design 管它叫 Text Field,Angular ...

  2. 手脱upx

    其实已经是大一下刚开始的事情了,补个档 手动脱壳の新年快乐 查壳,有壳,UPX X32dbg打开文件,查看初始断点 点击PUSHAD跟进,CTRL+*设置EIP,开始F8步过,寻找ESP寄存器第一次单 ...

  3. C++ 数组元素操作

    数组元素的移除 核心思路:创建一个新的内存空间存储移除后的数组,再将原数组delete释放,再将指针指向新数组. cout << "----------------------- ...

  4. 图形化客户端工具——Navicat

    1.下载 下载地址:https://wwb.lanzoub.com/i4TuZ0g3okod   破解:     解压后有两个文件          先点击第一个文件依次安装     安装完成后    ...

  5. fp16 的累加误差有多大

    本文地址:https://wanger-sjtu.github.io/fp16-err/ 最近在项目中需要实现fp16的数据类型做FFN的计算,算子实现的同学反馈误差与x86上得到的golden数据有 ...

  6. UEFI原理与编程(二)

    系统表 对UEFI应用程序和驱动程序开发人员来讲,系统表是最重要的数据结构之一,它是用户空间通往内核空间的通道.有了它,UEFI应用程序和驱动才可以访问UEFI内核.硬件资源和I/O设备. 1 在应用 ...

  7. Android Qcom USB Driver学习(十二)

    keypad 在suspend的过程中导致Android无法进入suspend的问题,导致整体功耗过高,其实是主机都没有进入睡眠,通过以下打log的方式最终定位到问题,pmic vbus输出的时候会有 ...

  8. 认识JVM

    类加载器 运行时数据区 执行引擎 执行引擎的任务就是将字节码指令解释/编译为对应平台上的本地机器指令 JVM架构图

  9. Oracle 11.2 RAC 删除节点

    软硬件环境:与上一篇文章一致: 一般对 CRS 层面数据结构做重要操作之前一定要先备份 OCR  [root@vastdata4 ~]# ocrconfig -manualbackup vastdat ...

  10. win10下端口映射设置内网别人访问本机安装的vmware默认NAT网络

    用管理员权限打开powershell或者cmd,命令如下 netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=主 ...