DASCTF2022.07赋能赛Crypto_复现

news/2024/12/2 21:37:46/

DASCTF2022.07赋能赛Crypto_复现

easyNTRU

keywords: 格密码私钥爆破

P r o b l e m Problem Problem

from Crypto.Hash import SHA3_256
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from secret import flag# parameters
N = 10
p = 3
q = 512
d = 3
assert q>(6*d+1)*pR.<x> = ZZ[]#d1 1s and #d2 -1s
def T(d1, d2):assert N >= d1+d2s = [1]*d1 + [-1]*d2 + [0]*(N-d1-d2)shuffle(s)return R(s)def invertModPrime(f, p):Rp = R.change_ring(Integers(p)).quotient(x^N-1)return R(lift(1 / Rp(f)))def convolution(f, g):return (f*g) % (x^N-1)def liftMod(f, q):g = list(((f[i] + q//2) % q) - q//2 for i in range(N))return R(g)def polyMod(f, q):g = [f[i]%q for i in range(N)]return R(g)def invertModPow2(f, q):assert q.is_power_of(2)g = invertModPrime(f,2)while True:r = liftMod(convolution(g,f),q)if r == 1: return gg = liftMod(convolution(g,2 - r),q)def genMessage():result = list(randrange(p) - 1 for j in range(N))return R(result)def genKey():while True:try:f = T(d+1, d)g = T(d, d)Fp = polyMod(invertModPrime(f, p), p)Fq = polyMod(invertModPow2(f, q), q)breakexcept:continueh = polyMod(convolution(Fq, g), q)return h, (f, g)def encrypt(m, h):e = liftMod(p*convolution(h, T(d, d)) + m, q)return e# Step 1
h, secret = genKey()
m = genMessage()
e = encrypt(m, h)print('h = %s' % h)
print('e = %s' % e)# Step 2
sha3 = SHA3_256.new()
sha3.update(bytes(str(m).encode('utf-8')))
key = sha3.digest()cypher = AES.new(key, AES.MODE_ECB)
c = cypher.encrypt(pad(flag, 32))
print('c = %s' % c)"""
h = 39*x^9 + 60*x^8 + 349*x^7 + 268*x^6 + 144*x^5 + 469*x^4 + 449*x^3 + 165*x^2 + 248*x + 369
e = -144*x^9 - 200*x^8 - 8*x^7 + 248*x^6 + 85*x^5 + 102*x^4 + 167*x^3 + 30*x^2 - 203*x - 78
c = b'\xb9W\x8c\x8b\x0cG\xde\x7fl\xf7\x03\xbb9m\x0c\xc4L\xfe\xe9Q\xad\xfd\xda!\x1a\xea@}U\x9ay4\x8a\xe3y\xdf\xd5BV\xa7\x06\xf9\x08\x96="f\xc1\x1b\xd7\xdb\xc1j\x82F\x0b\x16\x06\xbcJMB\xc8\x80'
"""

A n a l y s i s Analysis Analysis

要想得到flag,需要知道step1中的m,而m进行了NTRU加密,已知NTRU的he,求m

简单回顾一下NTRU加密过程

首先在给定域内选择私钥 f f f,求不同模意义下的逆
F p ∗ f ≡ 1 ( m o d p ) F q ∗ f ≡ 1 ( m o d q ) F_p * f \equiv 1 \pmod p\\ F_q * f \equiv 1 \pmod q\\ Fpf1(modp)Fqf1(modq)
计算公钥
h ≡ r ∗ h + m ( m o d q ) h\equiv r * h + m\pmod q hrh+m(modq)
加密过程
e ≡ r ∗ h + m ( m o d q ) e \equiv r * h + m \pmod q erh+m(modq)
给出 h , e h, e h,e

解密过程

第一步
a ≡ e ∗ f ( m o d q ) ≡ r ∗ p ∗ g ∗ F q ∗ f + m ∗ f ( m o d q ) ≡ p ∗ r ∗ g + m ∗ f ( m o d q ) \begin{array} {l} a &\equiv & e * f \pmod q \\ &\equiv & r* p*g*F_q*f + m * f \pmod q\\ &\equiv & p * r * g + m* f\pmod q \end{array} aef(modq)rpgFqf+mf(modq)prg+mf(modq)

第二步

a ∗ F p ≡ m ∗ f ∗ F p ≡ m ( m o d p ) a * F_p \equiv m * f *F_p \equiv m \pmod p aFpmfFpm(modp)


本题关键看N的大小,得知生成的私钥所在域太小了,可以爆破

d = 3
N = 10
R.<x> = ZZ[]
def T(d1, d2):assert N >= d1+d2s = [1]*d1 + [-1]*d2 + [0]*(N-d1-d2)shuffle(s)return R(s)f = T(d+1, d)

从这里可见私钥 f f f 其实就是总共10-1,0,1作为系数组成的多项式

那么爆破 f f f ,给定判断条件为最后用key解出c的内容是否包含DASCTF即可

S o l u t i o n Solution Solution

# type:ignore
import itertools
from Crypto.Hash import SHA3_256
from Crypto.Cipher import AESN = 10
p = 3
q = 512
d = 3
c = b'\xb9W\x8c\x8b\x0cG\xde\x7fl\xf7\x03\xbb9m\x0c\xc4L\xfe\xe9Q\xad\xfd\xda!\x1a\xea@}U\x9ay4\x8a\xe3y\xdf\xd5BV\xa7\x06\xf9\x08\x96="f\xc1\x1b\xd7\xdb\xc1j\x82F\x0b\x16\x06\xbcJMB\xc8\x80'
e = [-78, -203, 30, 167, 102, 85, 248, -8, -200, -144] # 提取多项式的系数
h = [369, 248, 165, 449, 469, 144, 268, 349, 60, 39]
ls = [1, 0, -1]
R.<x> = ZZ[]e = R(e)
h = R(h)#  这里要用到题目给出的多项式运算函数,所以导入
def liftMod(f, q):g = list(((f[i] + q//2) % q) - q//2 for i in range(N))return R(g)def polyMod(f, q):g = [f[i]%q for i in range(N)]return R(g)4def invertModPrime(f, p):Rp = R.change_ring(Integers(p)).quotient(x^N-1)return R(lift(1 / Rp(f)))def convolution(f, g):return (f*g) % (x^N-1)for i in itertools.product(ls, repeat=N):f = list(i)f = R(f)a = liftMod(convolution(e, f), q) try:Fp = polyMod(invertModPrime(f, p), p) except:continuem = liftMod(convolution(a, Fp), p)sha3 = SHA3_256.new()sha3 = sha3.update(bytes(str(m).encode('utf-8')))key = sha3.digest()aes = AES.new(key, AES.MODE_ECB)flag = aes.decrypt(c)if b"DASCTF" in flag:print(flag)break

NTRURSA

keywords: 多项式RSA构造格子形成SVP问题

P r o b l e m Problem Problem

from Crypto.Util.number import *
from gmpy2 import *
from secret import flagdef gen():p1 = getPrime(256)while True:f = getRandomRange(1, iroot(p1 // 2, 2)[0])g = getRandomRange(iroot(p1 // 4, 2)[0], iroot(p1 // 2, 2)[0])if gcd(f, p1) == 1 and gcd(f, g) == 1 and isPrime(g) == 1:breakrand = getRandomRange(0, 2 ^ 20)g1 = g ^^ randh = (inverse(f, p1) * g1) % p1return h, p1, g, f, g1def gen_irreducable_poly(deg):while True:out = R.random_element(degree=deg)if out.is_irreducible():return outh, p1, g, f, g1 = gen()
q = getPrime(1024)
n = g * q 
e = 0x10001
c1 = pow(bytes_to_long(flag), e, n)
hint = list(str(h))
length = len(hint)
bits = 16
p2 = random_prime(2 ^ bits - 1, False, 2 ^ (bits - 1))
R.<x> = PolynomialRing(GF(p2))
P = gen_irreducable_poly(ZZ.random_element(length, 2 * length))
Q = gen_irreducable_poly(ZZ.random_element(length, 2 * length))
N = P * Q
S.<x> = R.quotient(N)
m = S(hint)
c2 = m ^ e
print("p1 =", p1)
print("c1 =", c1)
print("p2 =", p2)
print("c2 =", c2)
print("n =", n)
print("N =", N)'''
p1 = 106472061241112922861460644342336453303928202010237284715354717630502168520267
c1 = 20920247107738496784071050239422540936224577122721266141057957551603705972966457203177812404896852110975768315464852962210648535130235298413611598658659777108920014929632531307409885868941842921815735008981335582297975794108016151210394446009890312043259167806981442425505200141283138318269058818777636637375101005540308736021976559495266332357714
p2 = 64621
c2 = 19921*x^174 + 49192*x^173 + 18894*x^172 + 61121*x^171 + 50271*x^170 + 11860*x^169 + 53128*x^168 + 38658*x^167 + 14191*x^166 + 9671*x^165 + 40879*x^164 + 15187*x^163 + 33523*x^162 + 62270*x^161 + 64211*x^160 + 54518*x^159 + 50446*x^158 + 2597*x^157 + 32216*x^156 + 10500*x^155 + 63276*x^154 + 27916*x^153 + 55316*x^152 + 30898*x^151 + 43706*x^150 + 5734*x^149 + 35616*x^148 + 14288*x^147 + 18282*x^146 + 22788*x^145 + 48188*x^144 + 34176*x^143 + 55952*x^142 + 9578*x^141 + 9177*x^140 + 22083*x^139 + 14586*x^138 + 9748*x^137 + 21118*x^136 + 155*x^135 + 64224*x^134 + 18193*x^133 + 33732*x^132 + 38135*x^131 + 51992*x^130 + 8203*x^129 + 8538*x^128 + 55203*x^127 + 5003*x^126 + 2009*x^125 + 45023*x^124 + 12311*x^123 + 21428*x^122 + 24110*x^121 + 43537*x^120 + 21885*x^119 + 50212*x^118 + 40445*x^117 + 17768*x^116 + 46616*x^115 + 4771*x^114 + 20903*x^113 + 47764*x^112 + 13056*x^111 + 50837*x^110 + 22313*x^109 + 39698*x^108 + 60377*x^107 + 59357*x^106 + 24051*x^105 + 5888*x^104 + 29414*x^103 + 31726*x^102 + 4906*x^101 + 23968*x^100 + 52360*x^99 + 58063*x^98 + 706*x^97 + 31420*x^96 + 62468*x^95 + 18557*x^94 + 1498*x^93 + 17590*x^92 + 62990*x^91 + 27200*x^90 + 7052*x^89 + 39117*x^88 + 46944*x^87 + 45535*x^86 + 28092*x^85 + 1981*x^84 + 4377*x^83 + 34419*x^82 + 33754*x^81 + 2640*x^80 + 44427*x^79 + 32179*x^78 + 57721*x^77 + 9444*x^76 + 49374*x^75 + 21288*x^74 + 44098*x^73 + 57744*x^72 + 63457*x^71 + 43300*x^70 + 1508*x^69 + 13775*x^68 + 23197*x^67 + 43070*x^66 + 20751*x^65 + 47479*x^64 + 18496*x^63 + 53392*x^62 + 10387*x^61 + 2317*x^60 + 57492*x^59 + 25441*x^58 + 52532*x^57 + 27150*x^56 + 33788*x^55 + 43371*x^54 + 30972*x^53 + 39583*x^52 + 36407*x^51 + 35564*x^50 + 44564*x^49 + 1505*x^48 + 47519*x^47 + 38695*x^46 + 43107*x^45 + 1676*x^44 + 42057*x^43 + 49879*x^42 + 29083*x^41 + 42241*x^40 + 8853*x^39 + 33546*x^38 + 48954*x^37 + 30352*x^36 + 62020*x^35 + 39864*x^34 + 9519*x^33 + 24828*x^32 + 34696*x^31 + 2387*x^30 + 27413*x^29 + 55829*x^28 + 40217*x^27 + 30205*x^26 + 42328*x^25 + 6210*x^24 + 52442*x^23 + 58495*x^22 + 2014*x^21 + 26452*x^20 + 33547*x^19 + 19840*x^18 + 5995*x^17 + 16850*x^16 + 37855*x^15 + 7221*x^14 + 32200*x^13 + 8121*x^12 + 23767*x^11 + 46563*x^10 + 51673*x^9 + 19372*x^8 + 4157*x^7 + 48421*x^6 + 41096*x^5 + 45735*x^4 + 53022*x^3 + 35475*x^2 + 47521*x + 27544
n = 31398174203566229210665534094126601315683074641013205440476552584312112883638278390105806127975406224783128340041129316782549009811196493319665336016690985557862367551545487842904828051293613836275987595871004601968935866634955528775536847402581734910742403788941725304146192149165731194199024154454952157531068881114411265538547462017207361362857
N = 25081*x^175 + 8744*x^174 + 9823*x^173 + 9037*x^172 + 6343*x^171 + 42205*x^170 + 28573*x^169 + 55714*x^168 + 17287*x^167 + 11229*x^166 + 42630*x^165 + 64363*x^164 + 50759*x^163 + 3368*x^162 + 20900*x^161 + 55947*x^160 + 7082*x^159 + 23171*x^158 + 48510*x^157 + 20013*x^156 + 16798*x^155 + 60438*x^154 + 58779*x^153 + 9289*x^152 + 10623*x^151 + 1085*x^150 + 23473*x^149 + 13795*x^148 + 2071*x^147 + 31515*x^146 + 42832*x^145 + 38152*x^144 + 37559*x^143 + 47653*x^142 + 37371*x^141 + 39128*x^140 + 48750*x^139 + 16638*x^138 + 60320*x^137 + 56224*x^136 + 41870*x^135 + 63961*x^134 + 47574*x^133 + 63954*x^132 + 9668*x^131 + 62360*x^130 + 15244*x^129 + 20599*x^128 + 28704*x^127 + 26857*x^126 + 34885*x^125 + 33107*x^124 + 17693*x^123 + 52753*x^122 + 60744*x^121 + 21305*x^120 + 63785*x^119 + 54400*x^118 + 17812*x^117 + 64549*x^116 + 20035*x^115 + 37567*x^114 + 38607*x^113 + 32783*x^112 + 24385*x^111 + 5387*x^110 + 5134*x^109 + 45893*x^108 + 58307*x^107 + 33821*x^106 + 54902*x^105 + 14236*x^104 + 58044*x^103 + 41257*x^102 + 46881*x^101 + 42834*x^100 + 1693*x^99 + 46058*x^98 + 15636*x^97 + 27111*x^96 + 3158*x^95 + 41012*x^94 + 26028*x^93 + 3576*x^92 + 37958*x^91 + 33273*x^90 + 60228*x^89 + 41229*x^88 + 11232*x^87 + 12635*x^86 + 17942*x^85 + 4*x^84 + 25397*x^83 + 63526*x^82 + 54872*x^81 + 40318*x^80 + 37498*x^79 + 52182*x^78 + 48817*x^77 + 10763*x^76 + 46542*x^75 + 36060*x^74 + 49972*x^73 + 63603*x^72 + 46506*x^71 + 44788*x^70 + 44905*x^69 + 46112*x^68 + 5297*x^67 + 26440*x^66 + 28470*x^65 + 15525*x^64 + 11566*x^63 + 15781*x^62 + 36098*x^61 + 44402*x^60 + 55331*x^59 + 61583*x^58 + 16406*x^57 + 59089*x^56 + 53161*x^55 + 43695*x^54 + 49580*x^53 + 62685*x^52 + 31447*x^51 + 26755*x^50 + 14810*x^49 + 3281*x^48 + 27371*x^47 + 53392*x^46 + 2648*x^45 + 10095*x^44 + 25977*x^43 + 22912*x^42 + 41278*x^41 + 33236*x^40 + 57792*x^39 + 7169*x^38 + 29250*x^37 + 16906*x^36 + 4436*x^35 + 2729*x^34 + 29736*x^33 + 19383*x^32 + 11921*x^31 + 26075*x^30 + 54616*x^29 + 739*x^28 + 38509*x^27 + 19118*x^26 + 20062*x^25 + 21280*x^24 + 12594*x^23 + 14974*x^22 + 27795*x^21 + 54107*x^20 + 1890*x^19 + 13410*x^18 + 5381*x^17 + 19500*x^16 + 47481*x^15 + 58488*x^14 + 26433*x^13 + 37803*x^12 + 60232*x^11 + 34772*x^10 + 1505*x^9 + 63760*x^8 + 20890*x^7 + 41533*x^6 + 16130*x^5 + 29769*x^4 + 49142*x^3 + 64184*x^2 + 55443*x + 45925
'''

A n a l y s i s Analysis Analysis

flag经过了常数的RSA加密,其中n = g * q;而关于g给出了提示

def gen():p1 = getPrime(256)while True:f = getRandomRange(1, iroot(p1 // 2, 2)[0])g = getRandomRange(iroot(p1 // 4, 2)[0], iroot(p1 // 2, 2)[0])if gcd(f, p1) == 1 and gcd(f, g) == 1 and isPrime(g) == 1:breakrand = getRandomRange(0, 2 ^ 20)g1 = g ^^ randh = (inverse(f, p1) * g1) % p1return h, p1, g, f, g1h, p1, g, f, g1 = gen()
hint = list(str(h))
m = S(hint)

g相关的是g1, h,之间的关联式子是
g 1 = g ⊕ r a n d h ∗ f ≡ g 1 ( m o d p 1 ) \begin{array} {r} g_1 =& g \oplus rand\\ h * f \equiv &g_1 \pmod {p_1} \end{array} g1=hfgrandg1(modp1)
可以通过第二个关系式子,构造格子形成SVP问题求解g1,进而通过爆破rand来得到g
h ∗ f ≡ g 1 ( m o d p 1 ) h ∗ f − k ∗ p 1 = g 1 \begin{array} {r} h * f \equiv &g_1 \pmod {p_1}\\ h * f -k * p_1 =& g_1 \end{array} hfhfkp1=g1(modp1)g1
格子构造为
( f , − k ) ( 1 h 0 p 1 ) = ( f , g 1 ) (f,\ -k) \begin{pmatrix} 1 \qquad &h \\ 0 \qquad &p_1 \end{pmatrix} = (f, \ g_1) (f, k)(10hp1)=(f, g1)
而构造格子需要的h又作为新的m进行了多项式版本的RSA加密

p2 = 64621
length = len(hint)
R.<x> = PolynomialRing(GF(p2))
P = gen_irreducable_poly(ZZ.random_element(length, 2 * length))
Q = gen_irreducable_poly(ZZ.random_element(length, 2 * length))
N = P * Q
S.<x> = R.quotient(N)
m = S(hint)
c2 = m ^ e

相当于在模p2的意义下对多项式进行了RSA加密,由于p2比较小,并且生成的P, Q的大小是以h的位数来生成的,考虑直接对N进行分解

N = ...
P, Q = factor(N)[0][0], factor(N)[1][0]
phi = (p2^P.degree() - 1) * (p2^Q.degree() - 1)

对于多项式来说,求多项式的欧拉函数,按照欧拉函数的定义应该意味着求次数小于等于该多项式的不可约多项式的个数

官方给出的欧拉函数公式是
φ = ( p 2 P . d e g r e e ( ) − 1 ) ∗ ( p 2 Q . d e g r e e ( ) − 1 ) \varphi = (p_2^{P.degree()}-1) * (p_2^{Q.degree()} -1) φ=(p2P.degree()1)(p2Q.degree()1)
紧接着求逆元d即可,之后按照思路构造格子先后求解hg1gflag

S o l u t i o n Solution Solution

# type:ignore
from Crypto.Util.number import *
import gmpy2p1 = 106472061241112922861460644342336453303928202010237284715354717630502168520267
c1 = 20920247107738496784071050239422540936224577122721266141057957551603705972966457203177812404896852110975768315464852962210648535130235298413611598658659777108920014929632531307409885868941842921815735008981335582297975794108016151210394446009890312043259167806981442425505200141283138318269058818777636637375101005540308736021976559495266332357714
p2 = 64621
n = 31398174203566229210665534094126601315683074641013205440476552584312112883638278390105806127975406224783128340041129316782549009811196493319665336016690985557862367551545487842904828051293613836275987595871004601968935866634955528775536847402581734910742403788941725304146192149165731194199024154454952157531068881114411265538547462017207361362857
e = 0x10001R.<x> = PolynomialRing(GF(p2))c2 = 19921*x^174 + 49192*x^173 + 18894*x^172 + 61121*x^171 + 50271*x^170 + 11860*x^169 + 53128*x^168 + 38658*x^167 + 14191*x^166 + 9671*x^165 + 40879*x^164 + 15187*x^163 + 33523*x^162 + 62270*x^161 + 64211*x^160 + 54518*x^159 + 50446*x^158 + 2597*x^157 + 32216*x^156 + 10500*x^155 + 63276*x^154 + 27916*x^153 + 55316*x^152 + 30898*x^151 + 43706*x^150 + 5734*x^149 + 35616*x^148 + 14288*x^147 + 18282*x^146 + 22788*x^145 + 48188*x^144 + 34176*x^143 + 55952*x^142 + 9578*x^141 + 9177*x^140 + 22083*x^139 + 14586*x^138 + 9748*x^137 + 21118*x^136 + 155*x^135 + 64224*x^134 + 18193*x^133 + 33732*x^132 + 38135*x^131 + 51992*x^130 + 8203*x^129 + 8538*x^128 + 55203*x^127 + 5003*x^126 + 2009*x^125 + 45023*x^124 + 12311*x^123 + 21428*x^122 + 24110*x^121 + 43537*x^120 + 21885*x^119 + 50212*x^118 + 40445*x^117 + 17768*x^116 + 46616*x^115 + 4771*x^114 + 20903*x^113 + 47764*x^112 + 13056*x^111 + 50837*x^110 + 22313*x^109 + 39698*x^108 + 60377*x^107 + 59357*x^106 + 24051*x^105 + 5888*x^104 + 29414*x^103 + 31726*x^102 + 4906*x^101 + 23968*x^100 + 52360*x^99 + 58063*x^98 + 706*x^97 + 31420*x^96 + 62468*x^95 + 18557*x^94 + 1498*x^93 + 17590*x^92 + 62990*x^91 + 27200*x^90 + 7052*x^89 + 39117*x^88 + 46944*x^87 + 45535*x^86 + 28092*x^85 + 1981*x^84 + 4377*x^83 + 34419*x^82 + 33754*x^81 + 2640*x^80 + 44427*x^79 + 32179*x^78 + 57721*x^77 + 9444*x^76 + 49374*x^75 + 21288*x^74 + 44098*x^73 + 57744*x^72 + 63457*x^71 + 43300*x^70 + 1508*x^69 + 13775*x^68 + 23197*x^67 + 43070*x^66 + 20751*x^65 + 47479*x^64 + 18496*x^63 + 53392*x^62 + 10387*x^61 + 2317*x^60 + 57492*x^59 + 25441*x^58 + 52532*x^57 + 27150*x^56 + 33788*x^55 + 43371*x^54 + 30972*x^53 + 39583*x^52 + 36407*x^51 + 35564*x^50 + 44564*x^49 + 1505*x^48 + 47519*x^47 + 38695*x^46 + 43107*x^45 + 1676*x^44 + 42057*x^43 + 49879*x^42 + 29083*x^41 + 42241*x^40 + 8853*x^39 + 33546*x^38 + 48954*x^37 + 30352*x^36 + 62020*x^35 + 39864*x^34 + 9519*x^33 + 24828*x^32 + 34696*x^31 + 2387*x^30 + 27413*x^29 + 55829*x^28 + 40217*x^27 + 30205*x^26 + 42328*x^25 + 6210*x^24 + 52442*x^23 + 58495*x^22 + 2014*x^21 + 26452*x^20 + 33547*x^19 + 19840*x^18 + 5995*x^17 + 16850*x^16 + 37855*x^15 + 7221*x^14 + 32200*x^13 + 8121*x^12 + 23767*x^11 + 46563*x^10 + 51673*x^9 + 19372*x^8 + 4157*x^7 + 48421*x^6 + 41096*x^5 + 45735*x^4 + 53022*x^3 + 35475*x^2 + 47521*x + 27544
N = 25081*x^175 + 8744*x^174 + 9823*x^173 + 9037*x^172 + 6343*x^171 + 42205*x^170 + 28573*x^169 + 55714*x^168 + 17287*x^167 + 11229*x^166 + 42630*x^165 + 64363*x^164 + 50759*x^163 + 3368*x^162 + 20900*x^161 + 55947*x^160 + 7082*x^159 + 23171*x^158 + 48510*x^157 + 20013*x^156 + 16798*x^155 + 60438*x^154 + 58779*x^153 + 9289*x^152 + 10623*x^151 + 1085*x^150 + 23473*x^149 + 13795*x^148 + 2071*x^147 + 31515*x^146 + 42832*x^145 + 38152*x^144 + 37559*x^143 + 47653*x^142 + 37371*x^141 + 39128*x^140 + 48750*x^139 + 16638*x^138 + 60320*x^137 + 56224*x^136 + 41870*x^135 + 63961*x^134 + 47574*x^133 + 63954*x^132 + 9668*x^131 + 62360*x^130 + 15244*x^129 + 20599*x^128 + 28704*x^127 + 26857*x^126 + 34885*x^125 + 33107*x^124 + 17693*x^123 + 52753*x^122 + 60744*x^121 + 21305*x^120 + 63785*x^119 + 54400*x^118 + 17812*x^117 + 64549*x^116 + 20035*x^115 + 37567*x^114 + 38607*x^113 + 32783*x^112 + 24385*x^111 + 5387*x^110 + 5134*x^109 + 45893*x^108 + 58307*x^107 + 33821*x^106 + 54902*x^105 + 14236*x^104 + 58044*x^103 + 41257*x^102 + 46881*x^101 + 42834*x^100 + 1693*x^99 + 46058*x^98 + 15636*x^97 + 27111*x^96 + 3158*x^95 + 41012*x^94 + 26028*x^93 + 3576*x^92 + 37958*x^91 + 33273*x^90 + 60228*x^89 + 41229*x^88 + 11232*x^87 + 12635*x^86 + 17942*x^85 + 4*x^84 + 25397*x^83 + 63526*x^82 + 54872*x^81 + 40318*x^80 + 37498*x^79 + 52182*x^78 + 48817*x^77 + 10763*x^76 + 46542*x^75 + 36060*x^74 + 49972*x^73 + 63603*x^72 + 46506*x^71 + 44788*x^70 + 44905*x^69 + 46112*x^68 + 5297*x^67 + 26440*x^66 + 28470*x^65 + 15525*x^64 + 11566*x^63 + 15781*x^62 + 36098*x^61 + 44402*x^60 + 55331*x^59 + 61583*x^58 + 16406*x^57 + 59089*x^56 + 53161*x^55 + 43695*x^54 + 49580*x^53 + 62685*x^52 + 31447*x^51 + 26755*x^50 + 14810*x^49 + 3281*x^48 + 27371*x^47 + 53392*x^46 + 2648*x^45 + 10095*x^44 + 25977*x^43 + 22912*x^42 + 41278*x^41 + 33236*x^40 + 57792*x^39 + 7169*x^38 + 29250*x^37 + 16906*x^36 + 4436*x^35 + 2729*x^34 + 29736*x^33 + 19383*x^32 + 11921*x^31 + 26075*x^30 + 54616*x^29 + 739*x^28 + 38509*x^27 + 19118*x^26 + 20062*x^25 + 21280*x^24 + 12594*x^23 + 14974*x^22 + 27795*x^21 + 54107*x^20 + 1890*x^19 + 13410*x^18 + 5381*x^17 + 19500*x^16 + 47481*x^15 + 58488*x^14 + 26433*x^13 + 37803*x^12 + 60232*x^11 + 34772*x^10 + 1505*x^9 + 63760*x^8 + 20890*x^7 + 41533*x^6 + 16130*x^5 + 29769*x^4 + 49142*x^3 + 64184*x^2 + 55443*x + 45925P, Q = factor(N)[0][0], factor(N)[1][0]
phi = (p2^P.degree() - 1) * (p2^Q.degree() - 1)
d = inverse_mod(e, phi)m2 = pow(c2, d, N)
h = int(("".join(list(map(str, list(m2)[::-1])))))
M = matrix([[1, h],[0, p1]])
print(M.LLL())
g1 = M.LLL()[0][1]for i in range(2**20):tmp = i ^^ g1if n % tmp == 0:g = tmpq = n // tmpbreak
phi = (g - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c1, d, n)
print(long_to_bytes(int(m)))

LWE?

keywords: LWE问题Embedding Technique

P r o b l e m Problem Problem

from secret import secret
assert len(secret)==66*3
sec = [ord(x) for x in secret]DEBUG = False
m = 66
n = 200
p = 3
q = 2^20def errorV():return vector(ZZ, [1 - randrange(p) for _ in range(n)])def matrixMn():return matrix(ZZ, [[q//2 - randrange(q) for _ in range(n)] for _ in range(m)])A, B, C = matrixMn(), matrixMn(), matrixMn()
x = vector(ZZ, sec[0:m])
y = vector(ZZ, sec[m:2*m])
z = vector(ZZ, sec[2*m:3*m])
e = errorV()
b = x*A+y*B+z*C+eif DEBUG:print('x = %s' % x)print('y = %s' % y)print('z = %s' % z)print('e = %s' % e)
print('A = \n%s' % A)
print('B = \n%s' % B)
print('C = \n%s' % C)
print('b = %s' % b)

A n a l y s i s Analysis Analysis

flag的各个字符按顺序作为向量的元素赋值,关键代码

b = x*A+y*B+z*C+e

进行了LWE问题的实现,LWE问题应该是
b = A x + e b = Ax + e b=Ax+e
这里题目我们可以看作
X = ( x , y , z ) A = ( A B C ) \begin{array} {l} X &= (x,\ y, \ z)\\ A &= \begin{pmatrix} A\\ B\\ C \end{pmatrix} \end{array} XA=(x, y, z)= ABC
这样一来就构成了
b = A X + e b = AX + e b=AX+e
这样的LWE问题

应用Embedding Technique构造格子
M = [ A b 0 β ] M = \begin{bmatrix} A \qquad b\\ 0 \qquad \beta \end{bmatrix} M=[Ab0β]
其中 β \beta β 是自己选取的值,为了尽可能构造出正确的格(可以通过求LLL算法得到正确结果),这里将 β \beta β 选作1
[ A b 0 β ] [ − X 1 ] = [ e β ] \begin{bmatrix} A \qquad b\\ 0 \qquad \beta \end{bmatrix} \begin{bmatrix} -X \\ 1 \end{bmatrix} =\begin{bmatrix} e \\ \beta \end{bmatrix} [Ab0β][X1]=[eβ]
得到e之后与b向量相减,再将 A A A 看作整体求矩阵乘法即可

PS:题目实际构造格子的时候因为 b b b 加入矩阵会让矩阵不是方阵,所以考虑构造了 [ A 0 b β ] \begin{bmatrix}A \qquad 0\\b \qquad \beta\end{bmatrix} [A0bβ]

S o l u t i o n Solution Solution

# type:ignore
from Crypto.Util.number import *
import gmpy2
import rem = 66
n = 200
p = 3
q = 2^20with open ("C:\\Users\\Menglin\\Desktop\\out","r") as f:data = f.read().split('\n')f.close()A = matrix(m, n, [int(j) for i in data[1: m + 1] for j in re.findall(r'-?\d+', i)])
B = matrix(m, n, [int(j) for i in data[m + 1: 2 * m + 2] for j in re.findall(r'-?\d+', i)])
C = matrix(m, n, [int(j) for i in data[2 * m + 2: 3 * m + 3] for j in re.findall(r'-?\d+', i)])
b = vector([int(j) for i in data[3 * m + 3:] for j in re.findall(r'-?\d+', i)])A = block_matrix([[A], [B], [C]])
M = block_matrix([[A, matrix(3 * m, 1, [0] * 3 * m)], [matrix(b), matrix([1])]])
e = M.LLL()[0][:n]
x = A.solve_left(b - e)
for i in x:print(chr(i),end="")

P e f e r e n c e Peference Peference

DASCTF|2022DASCTF7月赋能赛官方Write Up (qq.com)

CVP到SVP的规约(Embedding Technique) | Tover’ Blog

2022DASCTF七月赛 Crypto部分Writeup | Tover’ Blog


http://www.ppmy.cn/news/498771.html

相关文章

echarts中的中国地图js源码(china.js)

ECharts官方已不再提供js地图下载&#xff0c;china.js的源码如下&#xff0c;只需要新建一个js文件&#xff0c;然后将以下js代码复制进去保存即可引用&#xff0c;也不用浪费积分去下载资源 (function (root, factory) {if (typeof define function && define.amd)…

fullCalendar 使用手册

fullCalendar 使用手册 标签&#xff08;空格分隔&#xff09;&#xff1a; fullCalendar 仰仗网络&#xff1a; fullCalendar官方网站 fullCalendar改造为农历 fullCalendar的基本事件的实现 fullCalendar的基本事件的实现2 一、简述 简单的说 fullCalendar 是一个日历控件…

linux磁盘信息文件,Linux查看硬盘信息方法总结归纳

Linux查看硬盘信息方法总结归纳 lsblk lsblk命令用来查看接入到系统中的块设备,默认输出分区、大小、挂载点等信息,一目了然: tlanyan@node1:~$ lsblk sda 8:0 0 558.9G 0 disk ├─sda1 8:1 0 488M 0 part ├─sda2 8:2 0 1K 0 part ├─sda5 8:5 0 7.6G 0 part └─sda6 8…

DASCTF2022 7月赋能赛 crypto wp(DASCTF2022.07赋能赛Pwn easyheap)

文章目录DASCTF2022 7月赋能赛 crypto wp sigin ezNTRU NTRURSA 碎碎念 import hashlib import ecdsa from Crypto.Util.number import * import random import osflag = b"xxx"assert flag.startswith(bDASCTF{) and flag.endswith(b}) assert len(flag) == 40def …

HITSZ嵌入式计算(研)23年Keil模拟器项目解决方案

HITSZ嵌入式计算&#xff08;研&#xff09;23年Keil模拟器项目解决方案 1. 项目介绍2. Keil安装3. 创建新项目3.1 参考博文3.2 流程 4. 发送串口数据4.1 参考博文4.2 串口收发流程 5. 产生波形5.1 头文件封装5.2 初始化GPIO口5.3 产生并观察方波 6. Keil信号函数和中断6.1 中断…

Java技术-接口文档-Swagger2Swagger3接口文档UI整合

一、Swagger2完整用法 二、Swagger3完整用法 三、Swagger整合Knife4jUi import com.ikong.model.req.TestReq; import com.ikong.model.ret.TestRet; import com.jd.security.framework.common.model.Result; import io.swagger.annotations.ApiImplicitParam; import io.sw…

BW生成HANA视图权限配置

目录 1 操作步骤1.1 SAP HANA端1、创建用户2、常规信息3、配置角色4、配置系统权限5、配置对象权限 1.2 BW端1、SM30配置数据库连接参数2、SU01创建账户&#xff08;与SAP HANA数据库账户名一致&#xff09;3、使用RS2HANA_VIEW查看配置Assignment TypeDB Connection NameLimit…

在电脑上下载 Youtube 的视频

2019独角兽企业重金招聘Python工程师标准>>> 直接下载 youtube 的视频&#xff1a;http://en.savefrom.net/ 转载于:https://my.oschina.net/u/205403/blog/830863