当前位置：首页 > news >正文

【陇剑杯2025】密码复现（部分）

news 2025/9/10 11:04:26

这个比赛这点定的正在重要节日，没能参加。赛后看别人WP复现了几个题，还差一个，等问问师傅们，学会了再记。

EzHNP

from lbc_toolkit import ehnp
import json
from sage.all import *
from hashlib import md5p, d, m = random_prime(2^512), 5, 3
_x = randrange(1, p)
Pi = [0, 24, 140, 230]
Nu = [16, 72, 56, 32]
mask = 2^512 - 1 - sum(2^pi_j * (2^nu_j - 1) for pi_j, nu_j in zip(Pi, Nu))
xbar = _x & mask
Alpha = [randrange(1, p) for _ in range(d)]
Rho = [[randrange(1, p) for _ in range(m)] for _ in range(d)]
Mu = [[36, 52, 28] for _ in range(d)]
_K = [[randrange(1, 2^mu_i_j) for mu_i_j in Mu_i] for Mu_i in Mu]
Beta = [(alpha_i * _x + sum(rho_i_j * k_i_j for rho_i_j, k_i_j in zip(Rho_i, K_i))) % pfor alpha_i, Rho_i, K_i in zip(Alpha, Rho, _K)]
data_to_save = {'xbar': int(xbar), 'p': int(p), 'Pi': [int(x) for x in Pi], 'Nu': [int(x) for x in Nu], 'Alpha': [int(x) for x in Alpha], 'Rho': [[int(x) for x in row] for row in Rho], 'Mu': [[int(x) for x in row] for row in Mu], 'Beta': [int(x) for x in Beta]
}with open('data.json', 'w') as f:json.dump(data_to_save, f)with open('data.json', 'r') as f:json_data = json.load(f)xbar, p, Pi, Nu, Alpha, Rho, Mu, Beta = (json_data[key] for key in ('xbar', 'p', 'Pi', 'Nu', 'Alpha', 'Rho', 'Mu', 'Beta'))
sol = ehnp(xbar, p, Pi, Nu, Alpha, Rho, Mu, Beta, delta=1/10^12, verbose=True)
print('  Actual solution:', _x)
print('  Found  solution:', sol, end='\n\n')
print('  Correctness',sol == _x)print('flag :'+ 'flag{' + md5(str(_x).encode()).hexdigest() + "}")

这题有加密有解密后的校对，还有数据，这是白送啊。只要把后边部分运行一下就行。不过要先安装sage和下载那个lbc_toolket，用过hnp的基本都有这个库。

EzRSA

这个题只看了WP，没有下载原附件。大概意思是 n = p^r*q这里p,q都是512位，r是8位素数，求分解。

好像在去年的强网啥的吧有这个，还专门保存过这个题，那个题是3道关于n=p^r*q合一起，这是第2块。

题目应该是提示了d1,d2相差很小，给了e1,e2。原题是n=p^7*q这个题r没给但给出是8位素数（相当于给了，毕竟8位素数也就那么几个）

由于d1,d2相差很小就:

e1*d1 = 1 + k1*phi; e2*d2 = 1 + k2*phi 而这里边phi和n有个p^(r-1)的因子，所以在有限域n里有

e1*e2*(d2-d1) - e2+e1 == 0 mod N

直接用coopersmith求d2-d1，然后把它带进去求k*phi与n作gcd就得到p^? 这个可以小爆破一下就能得到p

这里的r其实并不一定是真正的r，爆破到第1个就能出g,这个g=p^232

P.<x> = PolynomialRing(Zmod(N))
for r in [131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251]:idx = r*(r - 1) / (r + 1)^2delta = floor(N.bit_length()*idx)   #没见原题，按去年题写的，这个数意义不大，反正比n小就行，我看WP里有写800的f = e1*e2*x - e1 + e2root = f.monic().small_roots(X=2**delta, beta=0.75)if len(root) > 0:print(r)g = gcd(int(e1*e2*root[0] - e1 + e2), N)  #phi = p^(r-1)*(p-1)*(q-1)  => p^x = gcd(kphi,N) print(g)breakfor tr in range(251,2,-1):p,v = gmpy2.iroot(g,tr)if v and is_prime(int(p)):print(tr, 'flag{' + hashlib.md5(str(p).encode()).hexdigest() + '}')break

附下去年原题

def gen2():r = 7while True:p = getPrime(512)q =	getPrime(512)N = (p**r)*qif len(bin(N)) == 4096:breakidx = (r*(r-1)) / ((r+1)*(r+1)) #0.65625delta = int(pow(mpz(N), idx))phi = (p**(r-1))*(p-1)*(q-1)while True:d1 = getPrime(int(2048*idx)//2) #672  d2 = getPrime(int(2048*idx)//2)if abs(d1-d2) < delta:m1 = invert(d1, phi)m2 = invert(d2, phi)breake2 = 0x10001return n2, e2, m1, m2  #两个相近d对应的e

RSA.iso

from Crypto.Util.number import *
from secret import flagf = open("output.txt", "w")def get_Prime(bits):from random import choicesbytes = [long_to_bytes(x) for x in range(1, 256)]while True:num = b''.join(choices(bytes, k=bits//8))if is_prime(bytes_to_long(num)):return bytes_to_long(num)def gen_para():while True:a = randint(50, 70)r = getPrime(10)if is_prime(2**a * r * lcm(range(1, 256)) - 1):return a, ra, r = gen_para()
f.write(f'{a = }\n')
f.write(f'{r = }\n')p = 2**a * r * lcm(range(1, 256)) - 1
F.<i> = GF(p^2, modulus=[1, 0, 1])
E = EllipticCurve(F, [0, 1])
E.set_order((p+1)**2)P, Q = E.gens()[0], E.gens()[1]f.write(f'P = {(P.x(), P.y())}\n')
f.write(f'Q = {(Q.x(), Q.y())}\n')pp = get_Prime(1024)
qq = get_Prime(1024)
n = pp * qq
e = 65537gift = []while pp:x = pp & 0xffassert x != 0pp = pp >> 8k = randint(1, 2**a * x)R = P + k * QK = (p + 1) // (2**a * x) * Rphi = E.isogeny(K, algorithm="factored")tmp1 = phi(P)tmp2 = phi(Q)gift.append([(tmp1.x(), tmp1.y()), (tmp2.x(), tmp2.y())])f.write(f'gift = {gift}\n')m = bytes_to_long(flag)
c = pow(m, e, n)f.write(f'n = {n}\n')
f.write(f'c = {c}\n')

这题在二次域上，用weil_pairing比较，只是不明白在二次域上怎么求，然后看WP上是n=p+1,完全是按WP画的，复现一下。

a = 58
r = 677p = 2**a * r * lcm(range(1, 256)) - 1
F.<i> = GF(p^2, modulus=[1, 0, 1])
E = EllipticCurve(F, [0, 1])
E.set_order((p+1)**2)P = ...
Q = ...
gift = ...
n = ...
c = ...# 计算标准 Weil 配对
P,Q = E(P),E(Q)
weil_base = P.weil_pairing(Q, p+1)  #这里的n用p+1
weils = [0]+[weil_base^(2^a*o) for o in range(1,256)]bb = []
for idx in range(len(gift)):#把两个点重新映射到新曲线上((x1,y1),(x2,y2)) = gift[idx]A = (y2^2 - y1^2 - x2^3 + x1^3)/(x2-x1)B = y1^2 - x1^3 - A*x1phi = EllipticCurve(F, [A, B])phi_p = phi((x1,y1))phi_q = phi((x2,y2))weil = phi_p.weil_pairing(phi_q,p+1)bb.append(weils.index(weil))pp = bytes_to_long(bytes(bb[::-1]))
print(long_to_bytes(int(pow(c,inverse_mod(65537,pp-1),pp))))

*LFSRunning

至今未找到WP，原来有个小鸡块师傅的类似题是模3，照葫芦也画不出瓢来。先留存，我再找找。

from random import randintmask = 7914424199261124662862774159390417416144942331617401794326681839046700982102459500083290436028119146970393378533178868190994617721884386374777744925799997class LFSR:def __init__(self, mask, seed):self.mask = maskself.seed = seedfor i in range(512):self.next()def next(self):self.seed = (self.seed << 1) | (int(self.seed & self.mask).bit_count() & 1)self.seed &= 2 ^ 512 - 1return self.seed % 257flag = b'flag{*******************************************************}'
flag = flag[5:-1]current = int.from_bytes(flag)
lfsr = LFSR(mask, current)step = [randint(0,6) for i in range(220)]
c = []
for _ in range(220):for time in range(step[_]):lfsr.next()c.append(lfsr.next())print(step)
print(c)
'''
[1, 4, 2, 3, 3, 1, 0, 5, 6, 3, 6, 5, 6, 6, 0, 5, 6, 2, 6, 0, 2, 5, 6, 2, 5, 5, 3, 2, 4, 2, 0, 2, 4, 2, 2, 3, 0, 5, 0, 2, 0, 5, 2, 3, 1, 3, 6, 4, 4, 1, 2, 1, 2, 2, 6, 2, 6, 1, 2, 4, 6, 2, 3, 1, 6, 0, 5, 3, 3, 0, 4, 1, 5, 2, 3, 3, 2, 5, 2, 6, 5, 1, 3, 5, 6, 4, 5, 6, 3, 3, 2, 5, 5, 2, 0, 2, 6, 6, 1, 2, 2, 2, 0, 2, 4, 1, 4, 1, 4, 3, 2, 0, 0, 4, 4, 0, 3, 2, 2, 5, 2, 5, 4, 5, 3, 6, 2, 4, 5, 2, 5, 5, 5, 4, 5, 1, 0, 5, 6, 3, 4, 2, 6, 4, 2, 0, 2, 2, 3, 0, 2, 6, 5, 1, 6, 4, 0, 6, 6, 4, 0, 6, 1, 4, 2, 1, 3, 2, 0, 5, 3, 6, 3, 2, 4, 5, 1, 2, 1, 3, 5, 5, 3, 1, 1, 2, 0, 2, 3, 3, 0, 5, 1, 4, 1, 2, 2, 5, 5, 6, 2, 5, 5, 5, 1, 0, 5, 0, 4, 1, 5, 0, 5, 2, 0, 5, 0, 6, 5, 1, 6, 4, 2, 5, 3, 5, 1, 3, 5, 2, 4, 3, 2, 0, 4, 6, 6, 1, 4, 4, 2, 2, 0, 3, 4, 5, 6, 4, 3, 5, 5, 3, 2, 6, 6, 4, 1, 1, 6, 0, 0, 5, 1, 1, 1, 1, 0, 5, 5, 0, 2, 1, 6, 6, 6, 1, 5, 1, 2, 2, 3, 6, 5, 6, 4, 2, 0, 3, 5, 6, 1, 2, 1, 0, 2, 0, 4, 0, 2, 4]
[236, 105, 71, 95, 233, 159, 61, 12, 248, 101, 85, 46, 237, 13, 25, 96, 15, 121, 85, 169, 69, 50, 77, 105, 67, 152, 123, 213, 132, 25, 50, 143, 225, 3, 19, 35, 70, 120, 241, 129, 1, 25, 201, 127, 251, 164, 90, 36, 124, 236, 91, 107, 85, 162, 112, 122, 159, 120, 183, 220, 220, 215, 107, 172, 147, 36, 249, 128, 250, 243, 65, 3, 202, 74, 154, 156, 220, 186, 202, 243, 98, 136, 115, 169, 181, 138, 146, 191, 230, 72, 63, 182, 107, 89, 179, 149, 141, 4, 17, 136, 57, 202, 148, 161, 35, 141, 131, 10, 66, 20, 159, 62, 124, 88, 244, 230, 82, 144, 126, 152, 188, 176, 225, 227, 40, 235, 81, 1, 83, 150, 113, 25, 105, 16, 18, 70, 139, 150, 199, 112, 229, 29, 93, 138, 77, 154, 204, 93, 199, 141, 96, 191, 182, 215, 63, 212, 168, 157, 65, 36, 72, 241, 195, 53, 166, 150, 82, 141, 24, 244, 58, 28, 191, 243, 54, 148, 79, 116, 209, 8, 236, 211, 26, 105, 162, 9, 18, 147, 36, 54, 108, 246, 214, 174, 182, 166, 47, 202, 110, 238, 103, 187, 165, 252, 236, 215, 144, 32, 3, 13, 90, 180, 207, 116, 231, 155, 52, 92, 7, 30]
'''