本文介绍了一道GKCTF2021的Crypto赛题,通过数学推导和编程技巧,利用给出的hint解密找到了p和q,最终成功解出了flag。
引言
想不到一摸就是一学期[doge],转眼间就寒假了(其实已经回家十天了)
其实上学期也打了一些比赛,各种意义上的忙,辅修、大创、专业分流,各种各样的事
于是不知不觉就以“忙”为借口咕咕了
只不过,感觉还没完全继承前辈的衣钵,新的队员又来了,看来不得不努力了啊
[GKCTF 2021]RRRRsa
就给了一个没文件名的压缩文件,还怕是什么披着Crypto皮的Misc,不过加了文件名之后就是一个普通的压缩文件
就一个.py文件,加密代码如下:
from Crypto.Util.number import *
from gmpy2 import gcd
flag = b'xxxxxxxxxxxxx'
p = getPrime(512)
q = getPrime(512)
m = bytes_to_long(flag)
n = p*q
e = 65537
c = pow(m,e,n)
print('c={}'.format(c))
p1 = getPrime(512)
q1 = getPrime(512)
n1 = p1*q1
e1 = 65537
assert gcd(e1,(p1-1)*(q1-1)) == 1
c1 = pow(p,e1,n1)
print('n1={}'.format(n1))
print('c1={}'.format(c1))
hint1 = pow(2020 * p1 + q1, 202020, n1)
hint2 = pow(2021 * p1 + 212121, q1, n1)
print('hint1={}'.format(hint1))
print('hint2={}'.format(hint2))
p2 = getPrime(512)
q2 = getPrime(512)
n2 = p2*q2
e2 = 65537
assert gcd(e1,(p2-1)*(q2-1)) == 1
c2 = pow(q,e2,n2)
hint3 = pow(2020 * p2 + 2021 * q2, 202020, n2)
hint4 = pow(2021 * p2 + 2020 * q2, 212121, n2)
print('n2={}'.format(n2))
print('c2={}'.format(c2))
print('hint3={}'.format(hint3))
print('hint4={}'.format(hint4))
#c=13492392717469817866883431475453770951837476241371989714683737558395769731416522300851917887957945766132864151382877462142018129852703437240533684604508379950293643294877725773675505912622208813435625177696614781601216465807569201380151669942605208425645258372134465547452376467465833013387018542999562042758
#n1=75003557379080252219517825998990183226659117019770735080523409561757225883651040882547519748107588719498261922816865626714101556207649929655822889945870341168644508079317582220034374613066751916750036253423990673764234066999306874078424803774652754587494762629397701664706287999727238636073466137405374927829
#c1=68111901092027813007099627893896838517426971082877204047110404787823279211508183783468891474661365139933325981191524511345219830693064573462115529345012970089065201176142417462299650761299758078141504126185921304526414911455395289228444974516503526507906721378965227166653195076209418852399008741560796631569
#hint1=23552090716381769484990784116875558895715552896983313406764042416318710076256166472426553520240265023978449945974218435787929202289208329156594838420190890104226497263852461928474756025539394996288951828172126419569993301524866753797584032740426259804002564701319538183190684075289055345581960776903740881951
#hint2=52723229698530767897979433914470831153268827008372307239630387100752226850798023362444499211944996778363894528759290565718266340188582253307004810850030833752132728256929572703630431232622151200855160886614350000115704689605102500273815157636476901150408355565958834764444192860513855376978491299658773170270
#n2=114535923043375970380117920548097404729043079895540320742847840364455024050473125998926311644172960176471193602850427607899191810616953021324742137492746159921284982146320175356395325890407704697018412456350862990849606200323084717352630282539156670636025924425865741196506478163922312894384285889848355244489
#c2=67054203666901691181215262587447180910225473339143260100831118313521471029889304176235434129632237116993910316978096018724911531011857469325115308802162172965564951703583450817489247675458024801774590728726471567407812572210421642171456850352167810755440990035255967091145950569246426544351461548548423025004
#hint3=25590923416756813543880554963887576960707333607377889401033718419301278802157204881039116350321872162118977797069089653428121479486603744700519830597186045931412652681572060953439655868476311798368015878628002547540835719870081007505735499581449077950263721606955524302365518362434928190394924399683131242077
#hint4=104100726926923869566862741238876132366916970864374562947844669556403268955625670105641264367038885706425427864941392601593437305258297198111819227915453081797889565662276003122901139755153002219126366611021736066016741562232998047253335141676203376521742965365133597943669838076210444485458296240951668402513
题目给了四个hint,每两个分别加密p,q,而没有直接给加密flag的n
先看第一组:
h
i
n
t
1
≡
(
2020
×
p
1
+
q
1
)
202020
m
o
d
n
1
h
i
n
t
2
≡
(
2021
×
p
1
+
212121
)
q
1
m
o
d
n
1
hint1 \equiv (2020\times p_1+q_1)^{202020}\space mod \space n_1\\ hint2 \equiv (2021\times p_1+212121)^{q_1}\space mod \space n_1
hint1≡(2020×p1+q1)202020 mod n1hint2≡(2021×p1+212121)q1 mod n1
因为
p
1
×
q
1
=
n
1
p_1\times q_1=n_1
p1×q1=n1,由二项式展开可得,
(
2020
×
p
1
+
q
1
)
202020
(2020\times p_1+q_1)^{202020}
(2020×p1+q1)202020中所有除了只含
p
p
p或
q
q
q的项都会被
n
1
n_1
n1整除,所以
h
i
n
t
1
≡
[
(
2020
×
p
1
)
202020
+
(
q
1
)
202020
]
m
o
d
n
1
hint1 \equiv [(2020\times p_1)^{202020}+(q_1)^{202020}]\space mod \space n_1
hint1≡[(2020×p1)202020+(q1)202020] mod n1
对于
h
i
n
t
2
hint2
hint2,由费马小定理可知
(
2021
×
p
1
+
212121
)
q
1
m
o
d
q
1
≡
2021
×
p
1
+
212121
(2021\times p_1+212121)^{q_1}\space mod \space q_1 \equiv 2021\times p_1+212121
(2021×p1+212121)q1 mod q1≡2021×p1+212121
所以
∃
k
1
,
k
2
∈
Z
\exists k_1, k_2\in \mathbb{Z}
∃k1,k2∈Z,
s
.
t
.
s.t.
s.t.
h
i
n
t
1
=
(
2020
×
p
1
)
202020
+
k
1
q
1
h
i
n
t
2
−
212121
=
2021
×
p
1
+
k
2
q
1
hint1 = (2020\times p_1)^{202020} + k_1q_1\\ hint2-212121 = 2021\times p_1 + k_2q_1
hint1=(2020×p1)202020+k1q1hint2−212121=2021×p1+k2q1
由于
k
1
,
k
2
k_1,k_2
k1,k2未知,所以想办法消去含
p
1
p_1
p1的项,得到只含
q
1
q_1
q1的项,具体消去操作如下:
h
i
n
t
1
×
202
1
202020
−
(
h
i
n
t
2
−
212121
)
202020
×
202
0
202020
=
k
q
1
hint1 \times 2021^{202020} - (hint2 - 212121)^{202020} \times 2020^{202020} =kq_1
hint1×2021202020−(hint2−212121)202020×2020202020=kq1
再与
n
1
n_1
n1求公约数就可以解密得到
p
p
p
对于第二组:
h
i
n
t
3
≡
[
(
2020
×
p
2
)
202020
+
(
2021
×
q
2
)
202020
]
m
o
d
n
1
h
i
n
t
4
≡
[
(
2021
×
p
2
)
212121
+
(
2020
×
q
2
)
212121
]
m
o
d
n
1
hint3 \equiv [(2020\times p_2)^{202020} + (2021\times q_2)^{202020}]\space mod \space n_1\\ hint4 \equiv [(2021\times p_2)^{212121} + (2020\times q_2)^{212121}]\space mod \space n_1
hint3≡[(2020×p2)202020+(2021×q2)202020] mod n1hint4≡[(2021×p2)212121+(2020×q2)212121] mod n1
操作方法与第一组类似,这里不再赘述,完整解密代码如下:
from Crypto.Util.number import *
e = 65537
c = 13492392717469817866883431475453770951837476241371989714683737558395769731416522300851917887957945766132864151382877462142018129852703437240533684604508379950293643294877725773675505912622208813435625177696614781601216465807569201380151669942605208425645258372134465547452376467465833013387018542999562042758
n1 = 75003557379080252219517825998990183226659117019770735080523409561757225883651040882547519748107588719498261922816865626714101556207649929655822889945870341168644508079317582220034374613066751916750036253423990673764234066999306874078424803774652754587494762629397701664706287999727238636073466137405374927829
c1 = 68111901092027813007099627893896838517426971082877204047110404787823279211508183783468891474661365139933325981191524511345219830693064573462115529345012970089065201176142417462299650761299758078141504126185921304526414911455395289228444974516503526507906721378965227166653195076209418852399008741560796631569
hint1 = 23552090716381769484990784116875558895715552896983313406764042416318710076256166472426553520240265023978449945974218435787929202289208329156594838420190890104226497263852461928474756025539394996288951828172126419569993301524866753797584032740426259804002564701319538183190684075289055345581960776903740881951
hint2 = 52723229698530767897979433914470831153268827008372307239630387100752226850798023362444499211944996778363894528759290565718266340188582253307004810850030833752132728256929572703630431232622151200855160886614350000115704689605102500273815157636476901150408355565958834764444192860513855376978491299658773170270
n2 = 114535923043375970380117920548097404729043079895540320742847840364455024050473125998926311644172960176471193602850427607899191810616953021324742137492746159921284982146320175356395325890407704697018412456350862990849606200323084717352630282539156670636025924425865741196506478163922312894384285889848355244489
c2 = 67054203666901691181215262587447180910225473339143260100831118313521471029889304176235434129632237116993910316978096018724911531011857469325115308802162172965564951703583450817489247675458024801774590728726471567407812572210421642171456850352167810755440990035255967091145950569246426544351461548548423025004
hint3 = 25590923416756813543880554963887576960707333607377889401033718419301278802157204881039116350321872162118977797069089653428121479486603744700519830597186045931412652681572060953439655868476311798368015878628002547540835719870081007505735499581449077950263721606955524302365518362434928190394924399683131242077
hint4 = 104100726926923869566862741238876132366916970864374562947844669556403268955625670105641264367038885706425427864941392601593437305258297198111819227915453081797889565662276003122901139755153002219126366611021736066016741562232998047253335141676203376521742965365133597943669838076210444485458296240951668402513
h2 = pow(hint2 - 212121, 202020, n1) * pow(2020, 202020, n1)
h1 = hint1 * pow(2021, 202020, n1)
q1 = (GCD(abs(h2 - h1), n1))
p1 = n1 // q1
d1 = inverse(e, (p1-1) * (q1-1))
p = pow(c1, d1, n1)
h3 = pow(hint3, 212121, n2) * pow(2021, 212121*202020, n2)
h4 = pow(hint4, 202020, n2) * pow(2020, 212121*202020, n2)
q2 = (GCD(abs(h3 - h4), n2))
p2 = n2 // q2
d2 = inverse(e, (p2-1) * (q2-1))
q = pow(c2, d2, n2)
d = inverse(e, (p-1) * (q-1))
m = pow(c, d, p*q)
print(long_to_bytes(m))
结果为:
结语
寒假尽量把除了零解题做完吧
明天写一下安天杯HICTF2021(虽然是一个多月前的冷饭了)的一道有意思的题(因为我就做出了这题)
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
