强网杯_copperstudy_writeup

copperstudy

proof

解题代码

from Crypto.Util.number import *
import hashlib
import socket
import re

def get_skr(skr_tmp, skr_sha):
    ''' get skr '''
    for i1 in range(255):
        for i2 in range(255):
            for i3 in range(255):
                tmp = skr_tmp + chr(i1) +chr(i2) + chr(i3)
                tmp_sha = hashlib.sha256(tmp).hexdigest()
                if tmp_sha == skr_sha:
                    return tmp.encode('hex')

token = '7fcdb5ede241a196b2d958880a2f9a29'
ip, port = '119.3.245.36', 12345

# connecting
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))

# get param
s.recv(1024)
rec = s.recv(1024)
rec = re.findall(r'=.*', rec)

skr_tmp = rec[1].replace('=', '').decode('hex')
skr_sha = rec[0].replace('=', '')
skr = get_skr(skr_tmp, skr_sha)

s.send(skr + '\n')
s.send(token + '\n')

print s.recv(1024)
print s.recv(1024)
print s.recv(1024)
print s.recv(1024)

# send m
#m = '8361512165070014586895678477825180865189621422784802691684809418128757895325269060807554721770833633435168960533193320555457740976615244772253038194720768'
m1 = '8361512165070014586895678477825180865189621422784802691684809418128757895325269060807554721770833633435168960533193320555457740976615746354337498884332973'
m1= long_to_bytes(m1).encode('hex')
s.send(m1 + '\n')

print s.recv(1024)
print s.recv(1024)
print s.recv(1024)

m2 = '10611260462614318802124064669081480164083875865381798746709764118824810474510530852108099252056537041793810111214355532979795966164280097387217579463682162'
m2 = long_to_bytes(m2).encode('hex')
s.send(m2 + '\n')

print s.recv(1024)
print s.recv(1024)
print s.recv(1024)
print s.recv(1024)

m3 = '13239736669758452714117467347920235909166967045373282180783598166687512737767905234220459230202543306947672690604033749312991477459995403074812328021089401'
m3 = long_to_bytes(m3).encode('hex')
s.send(m3 + '\n')

print s.recv(1024)
print s.recv(1024)
print s.recv(1024)
print s.recv(1024)
print s.recv(1024)
print s.recv(1024)
print s.recv(1024)
print s.recv(1024)

m4 = '2757659504362116665195664742934956877866641579389333206484021635974392009581735684551788891697893786084375459819819120831993718641162079060993952390939195'
m4 = long_to_bytes(m4).encode('hex')
s.send(m4 + '\n')

print s.recv(1024)
print s.recv(1024)
print s.recv(1024)

m5 = '7817720986977280268165220975637422140294509361784378357722075608912832979819596211274752881945672208470596068877409342056786943646225715615479712541201125'
m5 = long_to_bytes(m5).encode('hex')
s.send(m5 + '\n')

print s.recv(1024)
print s.recv(1024)

m6 = '5616256644474643777324927156425296308201436356404797635226215853608752109375728559177663257634746748367999648544612395127292284761610833552163188225026856'
m6 = long_to_bytes(m6).encode('hex')
s.send(m6 + '\n')

print s.recv(1024)
print s.recv(1024)
print s.recv(1024)

flag

flag{50567cbad246a91f3be88f14c714feb236817fab28b075e54cd3942054693473}

challenge 1

  • 部分明文已知时

解题代码

# partial_m.sage

n = 0xbeb367f6bf76b7583c7f8cd9f955d220234648a3b5ef8dc4886bb0f9b33cff6f39c6da5dbe610f1876b81427def63daf9a706150bd04d4283ca886ffb27b5a581bdae43ab427856792cb681418bbfe002dbfacb6339baf8bef83394e0b548b14aff34da70883e1444f56f30bad124db049fcb0a5bb715261a9727b8e67b73d45
e = 3

m = 0x9fa63858efcd2860b60edf2954216b506fabdeb5b16e65cd7a44664559f51e11f8fffa091a31a8f3324336dfa2e1474fdc861d135bfde6000000000000000000
c = 0xb9d19c67d615965f339033c7557bc97202f15adf270d9064cb6487b0bfbeba005c01366e5f93b811838d6933c60058e73fd243f41f5e6000f4a3399e8f2224b3f8f53f03a7336045bfcb61dd27470a257c18f8f95515d4a18eee23e34fccaa69ff0321c80e49211b0cb9c374e46aea404b29d26e11d6c6075c4c5199b28fa938

beta = 1
epsilon = beta^2/7

nbits = n.nbits()
kbits = floor(nbits*(beta^2/e-epsilon))
mbar = m & (2^nbits-2^kbits)
print "upper %d bits (of %d bits) is given" % (nbits-kbits, nbits)

PR.<x> = PolynomialRing(Zmod(n))
f = (mbar + x)^e - c

print m
x0 = f.small_roots(X=2^kbits, beta=1)[0]  # find root < 2^kbits with factor = n
print mbar + x0

输出

upper 829 bits (of 1024 bits) is given
8361512165070014586895678477825180865189621422784802691684809418128757895325269060807554721770833633435168960533193320555457740976615244772253038194720768
8361512165070014586895678477825180865189621422784802691684809418128757895325269060807554721770833633435168960533193320555457740976615746354337498884332973

验证得正确m为

8361512165070014586895678477825180865189621422784802691684809418128757895325269060807554721770833633435168960533193320555457740976615746354337498884332973

challenge 2

  • 部分p已知时

解题代码

n=0x7faa1c17a78231e0057f78bc3879e59e2f85c7a0b97619649878433ad65b38b65452568307c432e693e11310aa0b6ecac7b64986cda050cb223aa261d3c95ce73de626870e62f996e0bd6626ac3482e5f652ece876e8b004e062f7c9a35cdc3d9c763b884f05ff67c47544a0918d36caf2f8a6421f16718837c7e10b6288d16b
p=0x916d55f4f05fc4e65c0e1f212dc12ee45ded1ebdc3d67fb68e985eb8b78a9bae314b624f9d7e9f99a5206a44aff6a54300000000000000000000000000000000
p_fake = p+0x10000000000000000000000000
pbits = 512
kbits = pbits-288
pbar = p_fake & (2^pbits-2^kbits)
print "upper %d bits (of %d bits) is given" % (pbits-kbits, pbits)
PR.<x> = PolynomialRing(Zmod(n))
f = x + pbar
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]  # find root < 2^kbits with factor >= n^0.4
print x0 + pbar

输出

upper 288 bits (of 512 bits) is given
7616634877721643900978834622921628471278625334258981608798082044807929012249091714476374841720214371816242609310305357405748113174176160510161602308555377

得到p,解得m为

10611260462614318802124064669081480164083875865381798746709764118824810474510530852108099252056537041793810111214355532979795966164280097387217579463682162

challenge 3

  • 部分d已知时

解题代码

# partial_d.sage

def partial_p(p0, kbits, n):
    PR.<x> = PolynomialRing(Zmod(n))
    nbits = n.nbits()

    f = 2^kbits*x + p0
    f = f.monic()
    roots = f.small_roots(X=2^(nbits//2-kbits), beta=0.3)  # find root < 2^(nbits//2-kbits) with factor >= n^0.3
    if roots:
        x0 = roots[0]
        p = gcd(2^kbits*x0 + p0, n)
        return ZZ(p)

def find_p(d0, kbits, e, n):
    X = var('X')

    for k in xrange(1, e+1):
        results = solve_mod([e*d0*X - k*X*(n-X+1) + k*n == X], 2^kbits)
        for x in results:
            p0 = ZZ(x[0])
            p = partial_p(p0, kbits, n)
            if p:
                return p


if __name__ == '__main__':
    n = 0xca42c80481dd641011a5e660472fa7587a50a822b04339ce8bdcd8eb6f83a0d87be33fbf33d9efdd3f46b8e3ede8d826ec51da4c56abf76f4cb0f98217fbe626401864c53b1d52de582a9c78ad3702d08ed7ab4fbaed6308c14e2f8da8f276e041849ec7ebc1d2762a9c9782161ca3926a785f74fe964508e91d944ee542461
    e = 3
    d = 0x31c7114e27cb34ef96856c9601376e2d597561e355647360d1b7ec90b2e97cd7f00c5ef20fe4d982cb2ae7470917a377808a8c37905b75a2a7603b922c6b7403

    beta = 0.5
    epsilon = beta^2/7

    nbits = n.nbits()
    kbits = 510
    d0 = d & ((2<<kbits)-1)
    print "lower %d bits (of %d bits) is given" % (kbits, nbits)

    p = find_p(d0, kbits, e, n)
    print "found p: %d" % p
    q = n//p
    print d
    print inverse_mod(e, (p-1)*(q-1))

输出

lower 510 bits (of 1020 bits) is given
found p: 1323424161654691429069974698244621851094466902431843163110386192656926874637453965783372762742152774582924789143039154296378708229542626118591114783369351
2607064862107619843810325179786409896270071181798035109575033748374915858474304146632582737535357551496784172542334261195420279882192051526016311239603203
5918017050952924829745783249048636067607403249775341530569565294127650271811914802248911381766735382073604577221266610647849540893465863173078969958705797639160580434388342616745845613491940108218003655006757463878824069220218078325846853278743502685049256419030392327957207694001110746333351861858989732867

得到d

5918017050952924829745783249048636067607403249775341530569565294127650271811914802248911381766735382073604577221266610647849540893465863173078969958705797639160580434388342616745845613491940108218003655006757463878824069220218078325846853278743502685049256419030392327957207694001110746333351861858989732867

解出m

13239736669758452714117467347920235909166967045373282180783598166687512737767905234220459230202543306947672690604033749312991477459995403074812328021089401

challenge 4

  • Hastad广播攻击

解题代码

import gmpy2
from Crypto.Util.number import *

def CRT(items):
    // (i[1] for i in items):将items中的元素变成一个元组
    // lambda x, y: x * y, (i[1] for i in items):将元组中的元素相乘
    // 函数    输入:输出  , 参数列表
    // lambda x, y: x * y, [1, 2, 3, 4, 5] 得到 120
    N = reduce(lambda x, y: x * y, (i[1] for i in items))
    result = 0
    for a, n in items:
        m = N / n
        gcd, r, s = gmpy2.gcdext(n, m)
        assert gcd == 1
        result += a * s * m
    return result % N, N

e = 3
n = [0xb24855969d55dee4bfa8e20baea7eed278c49dcb360d11ce19e0f8d57ab271e5dbb48a6a8b26fb487d98fc44ca685cbce592d67a9e3875da3f9da3cabcb37466901971eed7064ca808803cf7f4f3ff8b243e1e21e17c6f8e29ebdc9fab7b1c29588c9e6df4b7646dd94fa968a4ce4ba895441857588fd786bd502f0784149ff, 0x15e3d6340cca0d1f312513a0ef66a9f2fe6d2469426d79e2acb109cde843cbeebe1883bf4cddf331eb92cffe7cb539107877bb4715fe22e280e039d1c56f2f6287e9d3fca416ce2dabb898407567b8fc983365ac403f447c235c8c9441a2ad2551b7bb0be6c096f8f48b7e6ac2f2c7ac053dd95b5ec8d6b0fe74b61f64ffd961, 0x1465450a886629da173f84be329d70b61ff6e0159cc6ce27fb51138b6ec88a5ec353f34f58d64e4e1b6402b29a063a9766422e7c07b042b8f44c89a91f4223d5cf17095aff9d1d426fec68754a35c5d174687ae2ddcaf7637753fa157acab9012ef1079619bced51087ba3c0df2823ceaa91ffb6ef5c85d1b5ca705034454b0b]
c = [0x91a44e5418c89c0bcdad5fde76b28c42a358b84a6ea700e9f378ec2d8714e06bc44a88a883d93c60d0b07ee5bfd1c885852b6eead7c50ef829af14771d71a0fa5c3f99b6c285b0244507698c0cd8693c48e2de0fc2c53d2aab9c9d92bc3003c8ae3c2f055810123c84c7970070cd5c115e48fe2b4367d8788035fc76fc777d4, 0x1113feecc5c68f2482f503a4d4bb202eb6afbf1282ee61deae0545c67010a22414078435754e8afb84913e00d26f32c56c7f8f442d02d6d945ae58caddfe6f9184e883e196e89b9b697f8645869fb4c4336f73b3edb847bb88f33520665b99e497edaf6086543adf01d4462c21ae6279286c2ebf52945de0198056817ab6e560, 0x1c731edcdcf939f60ac43b26265e25edbd559672fd916241d69d8279621ab600ceaf3fa3866b48863ba561bd751746165d6e363119abaf1b0530c24392cd0ecbf9087a0aaaafcbf0cdb8792389a8e5a0e7603ecf87f1731eac2da186260ffa6407ea1164211da7eb27d2d86f56c5bd91783a473b19143d86451c39e4de908f7]

data = zip(c, n)
x, n = CRT(data)
m = gmpy2.iroot(x, e)[0]
print m

输出,得到m

2757659504362116665195664742934956877866641579389333206484021635974392009581735684551788891697893786084375459819819120831993718641162079060993952390939195

challenge 5

  • Franklin-Reiter相关消息攻击

解题代码

# coppersmiths_short_pad_attack.sage

def short_pad_attack(c1, c2, e, n):
    PRxy.<x,y> = PolynomialRing(Zmod(n))
    PRx.<xn> = PolynomialRing(Zmod(n))
    PRZZ.<xz,yz> = PolynomialRing(Zmod(n))

    g1 = x^e - c1
    g2 = (x+y)^e - c2

    q1 = g1.change_ring(PRZZ)
    q2 = g2.change_ring(PRZZ)

    h = q2.resultant(q1)
    h = h.univariate_polynomial()
    h = h.change_ring(PRx).subs(y=xn)
    h = h.monic()

    kbits = n.nbits()//(2*e*e)
    diff = h.small_roots(X=2^kbits, beta=0.5)[0]  # find root < 2^kbits with factor >= n^0.5

    return diff

def related_message_attack(c1, c2, diff, e, n):
    PRx.<x> = PolynomialRing(Zmod(n))
    g1 = x^e - c1
    g2 = (x+diff)^e - c2

    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()

    return -gcd(g1, g2)[0]


if __name__ == '__main__':
    n = 0xa8fd65f425fbd7e06d773253d5593f6193e3755c8d079b2dfc00fcef5cc162a21dd2574b325dab2a578e32ba6ba88f5b0942355866717abbc6e5a52ca7ab3776416c37eccedb6f4b3aa922d63d8fe2bf34f27acabb310d1549fbb32bba07825b02c26e327bd3742bed486a1f8b15ddf66a3fc95b12e676d5516140c93ef8dba7
    e = 3

    nbits = n.nbits()
    kbits = nbits//(2*e*e)
    print "upper %d bits (of %d bits) is same" % (nbits-kbits, nbits)

    # ^^ = bit-wise XOR
    # http://doc.sagemath.org/html/en/faq/faq-usage.html#how-do-i-use-the-bitwise-xor-operator-in-sage
    m1 = randrange(2^nbits)
    m2 = m1 ^^ randrange(2^kbits)
    c1 = 0x96dd132922984c8cb5f6a339faf85a9eb4baf111c70e5d250067921b3aae9ad709906eb202dae997909eb2564ec4d702320ed22ad5d75adfea3f6fb78aec7f0c96ff77cd9b2779d249f0c4397b7ba20ea09be983ac70447b1c9a93aa014caa9959bf0079c55e476f5b846d9f9417d8b834ff7120be3f3d4ea5be5accb7b9e27a
    c2 = 0x49fbbe3af7f2a614d06bb3adf6c78e32a23b95ef1141fe1b8fcfd48ff3d254da07d7909a44399ebdc5198d7bb24db063d59e5c2a5ac65ce4bd1e86f6b51f46d61c10d7991a555d5bbfd24be59cbebb6805187e2bac919dcea5f5a35147ad035b61fd72d98cb40d90b63e3d9ba1e42232df634f0f5d5b362dff27f818c3f5a667

    diff = short_pad_attack(c1, c2, e, n)
    print "difference of two messages is %d" % diff

    m1 = related_message_attack(c1, c2, diff, e, n)
    print m1

输出

upper 968 bits (of 1024 bits) is same
difference of two messages is 1
7817720986977280268165220975637422140294509361784378357722075608912832979819596211274752881945672208470596068877409342056786943646225715615479712541201125

得到m

7817720986977280268165220975637422140294509361784378357722075608912832979819596211274752881945672208470596068877409342056786943646225715615479712541201125

challenge 6

  • Boneh and Durfee attack

解题代码

import time

############################################
# Config
##########################################

"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = True

"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct 
upperbound on the determinant. Note that this 
doesn't necesseraly mean that no solutions 
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False

"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7 # stop removing if lattice reaches that dimension

############################################
# Functions
##########################################

# display stats on helpful vectors
def helpful_vectors(BB, modulus):
    nothelpful = 0
    for ii in range(BB.dimensions()[0]):
        if BB[ii,ii] &gt;= modulus:
            nothelpful += 1

    print nothelpful, "/", BB.dimensions()[0], " vectors are not helpful"

# display matrix picture with 0 and X
def matrix_overview(BB, bound):
    for ii in range(BB.dimensions()[0]):
        a = ('%02d ' % ii)
        for jj in range(BB.dimensions()[1]):
            a += '0' if BB[ii,jj] == 0 else 'X'
            if BB.dimensions()[0] = bound:
            a += '~'
        print a

# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):
    # end of our recursive function
    if current == -1 or BB.dimensions()[0] = bound:
            affected_vectors = 0
            affected_vector_index = 0
            # let's check if it affects other vectors
            for jj in range(ii + 1, BB.dimensions()[0]):
                # if another vector is affected:
                # we increase the count
                if BB[jj, ii] != 0:
                    affected_vectors += 1
                    affected_vector_index = jj

            # level:0
            # if no other vectors end up affected
            # we remove it
            if affected_vectors == 0:
                print "* removing unhelpful vector", ii
                BB = BB.delete_columns([ii])
                BB = BB.delete_rows([ii])
                monomials.pop(ii)
                BB = remove_unhelpful(BB, monomials, bound, ii-1)
                return BB

            # level:1
            # if just one was affected we check
            # if it is affecting someone else
            elif affected_vectors == 1:
                affected_deeper = True
                for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
                    # if it is affecting even one vector
                    # we give up on this one
                    if BB[kk, affected_vector_index] != 0:
                        affected_deeper = False
                # remove both it if no other vector was affected and
                # this helpful vector is not helpful enough
                # compared to our unhelpful one
                if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) &lt; abs(bound - BB[ii, ii]):
                    print &quot;* removing unhelpful vectors&quot;, ii, &quot;and&quot;, affected_vector_index
                    BB = BB.delete_columns([affected_vector_index, ii])
                    BB = BB.delete_rows([affected_vector_index, ii])
                    monomials.pop(affected_vector_index)
                    monomials.pop(ii)
                    BB = remove_unhelpful(BB, monomials, bound, ii-1)
                    return BB
    # nothing happened
    return BB

&quot;&quot;&quot; 
Returns:
* 0,0   if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
&quot;&quot;&quot;
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
    &quot;&quot;&quot;
    Boneh and Durfee revisited by Herrmann and May

    finds a solution if:
    * d &lt; N^delta
    * |x| &lt; e^delta
    * |y| &lt; e^0.5
    whenever delta &lt; 1 - sqrt(2)/2 ~ 0.292
    &quot;&quot;&quot;

    # substitution (Herrman and May)
    PR.<u> = PolynomialRing(ZZ)
    Q = PR.quotient(x*y + 1 - u) # u = xy + 1
    polZ = Q(pol).lift()

    UU = XX*YY + 1

    # x-shifts
    gg = []
    for kk in range(mm + 1):
        for ii in range(mm - kk + 1):
            xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk
            gg.append(xshift)
    gg.sort()

    # x-shifts list of monomials
    monomials = []
    for polynomial in gg:
        for monomial in polynomial.monomials():
            if monomial not in monomials:
                monomials.append(monomial)
    monomials.sort()

    # y-shifts (selected by Herrman and May)
    for jj in range(1, tt + 1):
        for kk in range(floor(mm/tt) * jj, mm + 1):
            yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)
            yshift = Q(yshift).lift()
            gg.append(yshift) # substitution

    # y-shifts list of monomials
    for jj in range(1, tt + 1):
        for kk in range(floor(mm/tt) * jj, mm + 1):
            monomials.append(u^kk * y^jj)

    # construct lattice B
    nn = len(monomials)
    BB = Matrix(ZZ, nn)
    for ii in range(nn):
        BB[ii, 0] = gg[ii](0, 0, 0)
        for jj in range(1, ii + 1):
            if monomials[jj] in gg[ii].monomials():
                BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)

    # Prototype to reduce the lattice
    if helpful_only:
        # automatically remove
        BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)
        # reset dimension
        nn = BB.dimensions()[0]
        if nn == 0:
            print "failure"
            return 0,0

    # check if vectors are helpful
    if debug:
        helpful_vectors(BB, modulus^mm)

    # check if determinant is correctly bounded
    det = BB.det()
    bound = modulus^(mm*nn)
    if det &gt;= bound:
        print "We do not have det &lt; bound. Solutions might not be found.&quot;
        print &quot;Try with highers m and t.&quot;
        if debug:
            diff = (log(det) - log(bound)) / log(2)
            print &quot;size det(L) - size e^(m*n) = &quot;, floor(diff)
        if strict:
            return -1, -1
    else:
        print &quot;det(L) &lt; e^(m*n) (good! If a solution exists  polynomials 1 &amp; 2
    if debug:
        print &quot;looking for independent vectors in the lattice&quot;
    found_polynomials = False

    for pol1_idx in range(nn - 1):
        for pol2_idx in range(pol1_idx + 1, nn):
            # for i and j, create the two polynomials
            PR. = PolynomialRing(ZZ)
            pol1 = pol2 = 0
            for jj in range(nn):
                pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)
                pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)

            # resultant
            PR.<q> = PolynomialRing(ZZ)
            rr = pol1.resultant(pol2)

            # are these good polynomials?
            if rr.is_zero() or rr.monomials() == [1]:
                continue
            else:
                print "found them, using vectors", pol1_idx, "and", pol2_idx
                found_polynomials = True
                break
        if found_polynomials:
            break

    if not found_polynomials:
        print "no independant vectors could be found. This should very rarely happen..."
        return 0, 0

    rr = rr(q, q)

    # solutions
    soly = rr.roots()

    if len(soly) == 0:
        print "Your prediction (delta) is too small"
        return 0, 0

    soly = soly[0][0]
    ss = pol1(q, soly)
    solx = ss.roots()[0][0]

    #
    return solx, soly

def example():
    ############################################
    # How To Use This Script
    ##########################################

    #
    # The problem to solve (edit the following values)
    #

    # the modulus
    N = 0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27
    # the public exponent
    e = 0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bb

    # the hypothesis on the private exponent (the theoretical maximum is 0.292)
    delta = .18 # this means that d &lt; N^delta

    #
    # Lattice (tweak those values)
    #

    # you should tweak this (after a first run), (e.g. increment it until a solution is found)
    m = 4 # size of the lattice (bigger the better/slower)

    # you need to be a lattice master to tweak these
    t = int((1-2*delta) * m)  # optimization from Herrmann and May
    X = 2*floor(N^delta)  # this _might_ be too much
    Y = floor(N^(1/2))    # correct if p, q are ~ same size

    #
    # Don't touch anything below
    #

    # Problem put in equation
    P. = PolynomialRing(ZZ)
    A = int((N+1)/2)
    pol = 1 + x * (A + y)

    #
    # Find the solutions!
    #

    # Checking bounds
    if debug:
        print &quot;=== checking values ===&quot;
        print &quot;* delta:&quot;, delta
        print &quot;* delta &lt; 0.292&quot;, delta  0:
        print &quot;=== solution found ===&quot;
        if False:
            print &quot;x:&quot;, solx
            print &quot;y:&quot;, soly

        d = int(pol(solx, soly) / e)
        print &quot;private key found:&quot;, d
    else:
        print &quot;=== no solution was found ===&quot;

    if debug:
        print(&quot;=== %s seconds ===&quot; % (time.time() - start_time))

if __name__ == &quot;__main__&quot;:
    example()

输出

=== checking values ===
* delta: 0.180000000000000
* delta &lt; 0.292 True
* size of e: 1020
* size of N: 1023
* m: 4 , t: 2
=== running algorithm ===
* removing unhelpful vector 0
6 / 18  vectors are not helpful
det(L) 72)128)&lt;&lt;128)=0x916d55f4f05fc4e65c0e1f212dc12ee45ded1ebdc3d67fb68e985eb8b78a9bae314b624f9d7e9f99a5206a44aff6a54300000000000000000000000000000000L
[-]long_to_bytes(m).encode('hex')=
[++++++++++++++++]challenge 2 completed[++++++++++++++++]
[+]Generating challenge 3

[+]n=0xca42c80481dd641011a5e660472fa7587a50a822b04339ce8bdcd8eb6f83a0d87be33fbf33d9efdd3f46b8e3ede8d826ec51da4c56abf76f4cb0f98217fbe626401864c53b1d52de582a9c78ad3702d08ed7ab4fbaed6308c14e2f8da8f276e041849ec7ebc1d2762a9c9782161ca3926a785f74fe964508e91d944ee542461L

[+]e=3
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0xa7f5a43c578fdae8ec26bd21d238b13191127f159513750984f926c8e4504e24571a9d8b0e69bb6b3e088ca73203f5e50c1c86fc99558b787242966c6854016486ea9ebb06908d51d22be25f6ddc309107680a8aa6f7ee0879b7a5251023986ddc0579a8c7e45737145bc88f3d95a5347702c3c608e78b0af8426d1db6baad9L
[+]d=invmod(e,(p-1)*(q-1))
[+]d&amp;((1&lt;&lt;512)-1)=0x31c7114e27cb34ef96856c9601376e2d597561e355647360d1b7ec90b2e97cd7f00c5ef20fe4d982cb2ae7470917a377808a8c37905b75a2a7603b922c6b7403L
[-]long_to_bytes(m).encode('hex')=
[++++++++++++++++]challenge 3 completed[++++++++++++++++]

[+]Generating challenge 4
[+]e=3
[+]m=random.getrandbits(512)

[+]n1=0xb24855969d55dee4bfa8e20baea7eed278c49dcb360d11ce19e0f8d57ab271e5dbb48a6a8b26fb487d98fc44ca685cbce592d67a9e3875da3f9da3cabcb37466901971eed7064ca808803cf7f4f3ff8b243e1e21e17c6f8e29ebdc9fab7b1c29588c9e6df4b7646dd94fa968a4ce4ba895441857588fd786bd502f0784149ffL

[+]c1=pow(m,e,n1)=0x91a44e5418c89c0bcdad5fde76b28c42a358b84a6ea700e9f378ec2d8714e06bc44a88a883d93c60d0b07ee5bfd1c885852b6eead7c50ef829af14771d71a0fa5c3f99b6c285b0244507698c0cd8693c48e2de0fc2c53d2aab9c9d92bc3003c8ae3c2f055810123c84c7970070cd5c115e48fe2b4367d8788035fc76fc777d4L

[+]n2=0x15e3d6340cca0d1f312513a0ef66a9f2fe6d2469426d79e2acb109cde843cbeebe1883bf4cddf331eb92cffe7cb539107877bb4715fe22e280e039d1c56f2f6287e9d3fca416ce2dabb898407567b8fc983365ac403f447c235c8c9441a2ad2551b7bb0be6c096f8f48b7e6ac2f2c7ac053dd95b5ec8d6b0fe74b61f64ffd961L

[+]c2=pow(m,e,n2)=0x1113feecc5c68f2482f503a4d4bb202eb6afbf1282ee61deae0545c67010a22414078435754e8afb84913e00d26f32c56c7f8f442d02d6d945ae58caddfe6f9184e883e196e89b9b697f8645869fb4c4336f73b3edb847bb88f33520665b99e497edaf6086543adf01d4462c21ae6279286c2ebf52945de0198056817ab6e560L

[+]n3=0x1465450a886629da173f84be329d70b61ff6e0159cc6ce27fb51138b6ec88a5ec353f34f58d64e4e1b6402b29a063a9766422e7c07b042b8f44c89a91f4223d5cf17095aff9d1d426fec68754a35c5d174687ae2ddcaf7637753fa157acab9012ef1079619bced51087ba3c0df2823ceaa91ffb6ef5c85d1b5ca705034454b0bL

[+]c3=pow(m,e,n3)=0x1c731edcdcf939f60ac43b26265e25edbd559672fd916241d69d8279621ab600ceaf3fa3866b48863ba561bd751746165d6e363119abaf1b0530c24392cd0ecbf9087a0aaaafcbf0cdb8792389a8e5a0e7603ecf87f1731eac2da186260ffa6407ea1164211da7eb27d2d86f56c5bd91783a473b19143d86451c39e4de908f7L
[-]long_to_bytes(m).encode('hex')=
[++++++++++++++++]challenge 4 completed[++++++++++++++++]

[+]Generating challenge 5

[+]n=0xa8fd65f425fbd7e06d773253d5593f6193e3755c8d079b2dfc00fcef5cc162a21dd2574b325dab2a578e32ba6ba88f5b0942355866717abbc6e5a52ca7ab3776416c37eccedb6f4b3aa922d63d8fe2bf34f27acabb310d1549fbb32bba07825b02c26e327bd3742bed486a1f8b15ddf66a3fc95b12e676d5516140c93ef8dba7L
[+]e=3
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0x96dd132922984c8cb5f6a339faf85a9eb4baf111c70e5d250067921b3aae9ad709906eb202dae997909eb2564ec4d702320ed22ad5d75adfea3f6fb78aec7f0c96ff77cd9b2779d249f0c4397b7ba20ea09be983ac70447b1c9a93aa014caa9959bf0079c55e476f5b846d9f9417d8b834ff7120be3f3d4ea5be5accb7b9e27aL
[+]x=pow(m+1,e,n)=0x49fbbe3af7f2a614d06bb3adf6c78e32a23b95ef1141fe1b8fcfd48ff3d254da07d7909a44399ebdc5198d7bb24db063d59e5c2a5ac65ce4bd1e86f6b51f46d61c10d7991a555d5bbfd24be59cbebb6805187e2bac919dcea5f5a35147ad035b61fd72d98cb40d90b63e3d9ba1e42232df634f0f5d5b362dff27f818c3f5a667L
[-]long_to_bytes(m).encode('hex')=
[++++++++++++++++]challenge 5 completed[++++++++++++++++]

[+]Generating challenge 6
[+]n=0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27L
[+]d=random.getrandbits(1024*0.270)
[+]e=invmod(d,phin)
[+]hex(e)=0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bbL
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866cL
[-]long_to_bytes(m).encode('hex')=
[++++++++++++++++]challenge 6 completed[++++++++++++++++]

[++++++++++++++++]all clear[++++++++++++++++]
flag{50567cbad246a91f3be88f14c714feb236817fab28b075e54cd3942054693473}

发表评论

电子邮件地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据