2023 楚慧杯 --- Crypto wp

初赛

so large e

题目：

from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from flag import flag
import randomm = bytes_to_long(flag)p = getPrime(512)
q = getPrime(512)
n = p*q
e = random.getrandbits(1024)
assert size(e)==1024
phi = (p-1)*(q-1)
assert GCD(e,phi)==1
d = inverse(e,phi)
assert size(d)==269pub = (n, e)
PublicKey = RSA.construct(pub)
with open('pub.pem', 'wb') as f :f.write(PublicKey.exportKey())c = pow(m,e,n)
print('c =',c)print(long_to_bytes(pow(c,d,n)))#c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860

读取公钥得到n,e,

e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233n = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723

根据代码，获悉
$0.25\le \frac{d}{n}=0.263\le 0.292$
满足 Boneh and Durfee attack
直接套用模板，修改一下delta 和m即可
其中delta = 0.263,m = 5

exp:

#sage
from __future__ import print_function
import time############################################
# Config
##########################################"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = True"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct
upperbound on the determinant. Note that this
doesn't necesseraly mean that no solutions
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7 # stop removing if lattice reaches that dimension############################################
# Functions
########################################### display stats on helpful vectors
def helpful_vectors(BB, modulus):nothelpful = 0for ii in range(BB.dimensions()[0]):if BB[ii,ii] >= modulus:nothelpful += 1print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")# display matrix picture with 0 and X
def matrix_overview(BB, bound):for ii in range(BB.dimensions()[0]):a = ('%02d ' % ii)for jj in range(BB.dimensions()[1]):a += '0' if BB[ii,jj] == 0 else 'X'if BB.dimensions()[0] < 60:a += ' 'if BB[ii, ii] >= bound:a += '~'print(a)# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):# end of our recursive functionif current == -1 or BB.dimensions()[0] <= dimension_min:return BB# we start by checking from the endfor ii in range(current, -1, -1):# if it is unhelpful:if BB[ii, ii] >= bound:affected_vectors = 0affected_vector_index = 0# let's check if it affects other vectorsfor jj in range(ii + 1, BB.dimensions()[0]):# if another vector is affected:# we increase the countif BB[jj, ii] != 0:affected_vectors += 1affected_vector_index = jj# level:0# if no other vectors end up affected# we remove itif affected_vectors == 0:print("* removing unhelpful vector", ii)BB = BB.delete_columns([ii])BB = BB.delete_rows([ii])monomials.pop(ii)BB = remove_unhelpful(BB, monomials, bound, ii-1)return BB# level:1# if just one was affected we check# if it is affecting someone elseelif affected_vectors == 1:affected_deeper = Truefor kk in range(affected_vector_index + 1, BB.dimensions()[0]):# if it is affecting even one vector# we give up on this oneif BB[kk, affected_vector_index] != 0:affected_deeper = False# remove both it if no other vector was affected and# this helpful vector is not helpful enough# compared to our unhelpful oneif affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):print("* removing unhelpful vectors", ii, "and", affected_vector_index)BB = BB.delete_columns([affected_vector_index, ii])BB = BB.delete_rows([affected_vector_index, ii])monomials.pop(affected_vector_index)monomials.pop(ii)BB = remove_unhelpful(BB, monomials, bound, ii-1)return BB# nothing happenedreturn BB""" 
Returns:
* 0,0   if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
"""
def boneh_durfee(pol, modulus, mm, tt, XX, YY):"""Boneh and Durfee revisited by Herrmann and Mayfinds a solution if:* d < N^delta* |x| < e^delta* |y| < e^0.5whenever delta < 1 - sqrt(2)/2 ~ 0.292"""# substitution (Herrman and May)PR.<u, x, y> = PolynomialRing(ZZ)Q = PR.quotient(x*y + 1 - u) # u = xy + 1polZ = Q(pol).lift()UU = XX*YY + 1# x-shiftsgg = []for kk in range(mm + 1):for ii in range(mm - kk + 1):xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kkgg.append(xshift)gg.sort()# x-shifts list of monomialsmonomials = []for polynomial in gg:for monomial in polynomial.monomials():if monomial not in monomials:monomials.append(monomial)monomials.sort()# y-shifts (selected by Herrman and May)for jj in range(1, tt + 1):for kk in range(floor(mm/tt) * jj, mm + 1):yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)yshift = Q(yshift).lift()gg.append(yshift) # substitution# y-shifts list of monomialsfor jj in range(1, tt + 1):for kk in range(floor(mm/tt) * jj, mm + 1):monomials.append(u^kk * y^jj)# construct lattice Bnn = len(monomials)BB = Matrix(ZZ, nn)for ii in range(nn):BB[ii, 0] = gg[ii](0, 0, 0)for jj in range(1, ii + 1):if monomials[jj] in gg[ii].monomials():BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)# Prototype to reduce the latticeif helpful_only:# automatically removeBB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)# reset dimensionnn = BB.dimensions()[0]if nn == 0:print("failure")return 0,0# check if vectors are helpfulif debug:helpful_vectors(BB, modulus^mm)# check if determinant is correctly boundeddet = BB.det()bound = modulus^(mm*nn)if det >= bound:print("We do not have det < bound. Solutions might not be found.")print("Try with highers m and t.")if debug:diff = (log(det) - log(bound)) / log(2)print("size det(L) - size e^(m*n) = ", floor(diff))if strict:return -1, -1else:print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")# display the lattice basisif debug:matrix_overview(BB, modulus^mm)# LLLif debug:print("optimizing basis of the lattice via LLL, this can take a long time")BB = BB.LLL()if debug:print("LLL is done!")# transform vector i & j -> polynomials 1 & 2if debug:print("looking for independent vectors in the lattice")found_polynomials = Falsefor pol1_idx in range(nn - 1):for pol2_idx in range(pol1_idx + 1, nn):# for i and j, create the two polynomialsPR.<w,z> = PolynomialRing(ZZ)pol1 = pol2 = 0for jj in range(nn):pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)# resultantPR.<q> = PolynomialRing(ZZ)rr = pol1.resultant(pol2)# are these good polynomials?if rr.is_zero() or rr.monomials() == [1]:continueelse:print("found them, using vectors", pol1_idx, "and", pol2_idx)found_polynomials = Truebreakif found_polynomials:breakif not found_polynomials:print("no independant vectors could be found. This should very rarely happen...")return 0, 0rr = rr(q, q)# solutionssoly = rr.roots()if len(soly) == 0:print("Your prediction (delta) is too small")return 0, 0soly = soly[0][0]ss = pol1(q, soly)solx = ss.roots()[0][0]#return solx, solydef example():############################################# How To Use This Script############################################ The problem to solve (edit the following values)## the modulusN = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723# the public exponente = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233# the hypothesis on the private exponent (the theoretical maximum is 0.292)delta = .263 # this means that d < N^delta## Lattice (tweak those values)## you should tweak this (after a first run), (e.g. increment it until a solution is found)m = 5 # size of the lattice (bigger the better/slower)# you need to be a lattice master to tweak theset = int((1-2*delta) * m)  # optimization from Herrmann and MayX = 2*floor(N^delta)  # this _might_ be too muchY = floor(N^(1/2))    # correct if p, q are ~ same size## Don't touch anything below## Problem put in equationP.<x,y> = PolynomialRing(ZZ)A = int((N+1)/2)pol = 1 + x * (A + y)## Find the solutions!## Checking boundsif debug:print("=== checking values ===")print("* delta:", delta)print("* delta < 0.292", delta < 0.292)print("* size of e:", int(log(e)/log(2)))print("* size of N:", int(log(N)/log(2)))print("* m:", m, ", t:", t)# boneh_durfeeif debug:print("=== running algorithm ===")start_time = time.time()solx, soly = boneh_durfee(pol, e, m, t, X, Y)# found a solution?if solx > 0:print("=== solution found ===")if False:print("x:", solx)print("y:", soly)d = int(pol(solx, soly) / e)print("private key found:", d)else:print("=== no solution was found ===")if debug:print(("=== %s seconds ===" % (time.time() - start_time)))if __name__ == "__main__":example()

计算得到d

d = 663822343397699728953336968317794118491145998032244266550694156830036498673227937

最后RSA解密得到flag

#sage
c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
d = 663822343397699728953336968317794118491145998032244266550694156830036498673227937
n = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
m = pow(c,d,n)
flag = bytes.fromhex(hex(m)[2:])
print(flag)
#DASCTF{6f4fadce-5378-d17f-3c2d-2e064db4af19}

决赛

JIGE

题目：

from gmpy2 import *
from hashlib import md5
from Crypto.Util.number import *
from sympy import *message=XXXXXX
flag = 'DASCTF{'+md5(message).hexdigest()+'}'
p = getPrime(256)
q = getPrime(256)
assert p > q
n = p * q
e = 0x10001  #65537
m = bytes_to_long(message)
c = pow(m, e, n)N = pow(p, 11) * q
d1 = getPrime(2000)
d2 = nextprime(d1 + getPrime(1000))
e1 = invert(d1, (pow(p, 10) * (p - 1) * (q - 1)))
e2 = invert(d2, (pow(p, 10) * (p - 1) * (q - 1)))print(f'c = {c}')
print(f'N = {N}')
print(f'e1 = {e1}')
print(f'e2 = {e2}')'''
c = 1206807362850301500412872994631699583002892289904471476523412128137773618173466272359196256671175708216503443050872032061782739223138420055283507423416014
N = 2769972268494457422626756881035680365791374852650158574600757210295514312723202376005992652087072745127197622954236101990451854162917559723722518981897097628959272185981219794883530767584841881112435651621934537571083225349949311621207409183741363444346000402562578450456645711882560128619242711698327278980081266684521150227771637075686195050487818614035674633610096137625035790732645845723462391311298302637686542232835581871746884130013070996968184596449672622781116306181302392813217024411730226953994648038878074679828551669837254152265441513617958229372943240214088399450834487541147274643124286983672414825675492669859487862886608989862491581277404219285561282275675102529309186029976081969486912697417132568798720377963032348920342675126756050513673101405664709184620104181654397512121633023592966498206439167017063802120497727043888826589401745202319033829767714724756122673441156732069183201569766204472097988081541
e1 = 2019789551019093124420297272384567741634310853673511749178611164072776295834811119450621861426097251426338761387400947669712980885171825246712129400923345045714062211913328737569990247227840399725205366257333392335095407072561983345874628219982166479392648454069496646733709717240335264301129096508037181465890164627276692696540046415077712807666335629672257696160380799064676194674815656129599632459744438651570247278542393673849808278202966914757001771181720554604666343205509941102540930522715083963211556704973593626830060515529201025992233193710032293801887064920491994892731059564016729184073592209700547810374523193198684464611594086849851216947777536116800375704509948170375971236541467019409313469504630988967011023280553412399918851721362010464793913169072750314771104456079550196999871385309352503595586614818585704007635869697001268017638044593755012233245211072647051603150602669710674109645174749520576295708163
e2 = 1583703592049684873685114339953437401553059969077370065722292597953883761416746559834892164581234164438330080827740800363198430396478731634782581595240544469072569584848085012992026166904750154014378216852052182115039653650262042887676171319128137818446568464062868113062233139620367603439600244722942659267734053620937005194939432606278744697609503707934576549002757520737074102321078418822923889399221127593632747782118004212766847803779185975309956970980280169387201657554918144244843463689062591309308003163435148432749203807727111886042271473627935482161154494976464303547129663586810973936239964669196142557977332701367619795730332662446023712262922190841226239360097490311533265953167562594634954870494720064733019963379137130620318351648747992348207245430288065933286523588168735037017481803349125024025183996822657547245651094947702268545834292593852409172743667084611813423926836813703374530071303810930647531379459
'''

考察论文New attacks on RSA with Moduli N = p^rq

根据论文，可以构建如下多项式
$e_1{e}_2(d_1-d_2)\equiv e_2-e_{1}mod\varphi (n)$
因为$\varphi (n)=p^{r-1}(p-1)(q-1)$,所以上式子可以变为
$e_1{e}_{2}x-(e_2-e_1)\equiv 0mod{p}^{r-1}$
当$|d_1-d_2|<n^{\frac{r(r-1)}{(r+1{)}^2}}$时，在多项式时间内可解
copper出x,也就是d1-d2
计算$gcd(e_1{e}_{2}x-(e_2-e_1),n)=gcd(y\times p^{r-1}(p-1)(q-1),p^{r}q)=g$
p的值按如下情况取
$wheng=p^{r-1},p=g^{\frac{1}{r-1}}(1)$
$wheng=p^r,p=g^{\frac{1}{r}}(2)$
$wheng=p^{r-1}q,p=\frac{n}{g}(3)$

在本题中，我们得到的g为2560bit,p为256bit，那么$g=p^{11-1}=p^{10}$
直接开10次方得到p，进而q = n//p^11，最后RSA解密再计算明文的md5摘要即可获得flag
exp:

#sage  
import gmpy2
from hashlib import *c = 1206807362850301500412872994631699583002892289904471476523412128137773618173466272359196256671175708216503443050872032061782739223138420055283507423416014
n = 2769972268494457422626756881035680365791374852650158574600757210295514312723202376005992652087072745127197622954236101990451854162917559723722518981897097628959272185981219794883530767584841881112435651621934537571083225349949311621207409183741363444346000402562578450456645711882560128619242711698327278980081266684521150227771637075686195050487818614035674633610096137625035790732645845723462391311298302637686542232835581871746884130013070996968184596449672622781116306181302392813217024411730226953994648038878074679828551669837254152265441513617958229372943240214088399450834487541147274643124286983672414825675492669859487862886608989862491581277404219285561282275675102529309186029976081969486912697417132568798720377963032348920342675126756050513673101405664709184620104181654397512121633023592966498206439167017063802120497727043888826589401745202319033829767714724756122673441156732069183201569766204472097988081541
e1 = 2019789551019093124420297272384567741634310853673511749178611164072776295834811119450621861426097251426338761387400947669712980885171825246712129400923345045714062211913328737569990247227840399725205366257333392335095407072561983345874628219982166479392648454069496646733709717240335264301129096508037181465890164627276692696540046415077712807666335629672257696160380799064676194674815656129599632459744438651570247278542393673849808278202966914757001771181720554604666343205509941102540930522715083963211556704973593626830060515529201025992233193710032293801887064920491994892731059564016729184073592209700547810374523193198684464611594086849851216947777536116800375704509948170375971236541467019409313469504630988967011023280553412399918851721362010464793913169072750314771104456079550196999871385309352503595586614818585704007635869697001268017638044593755012233245211072647051603150602669710674109645174749520576295708163
e2 = 1583703592049684873685114339953437401553059969077370065722292597953883761416746559834892164581234164438330080827740800363198430396478731634782581595240544469072569584848085012992026166904750154014378216852052182115039653650262042887676171319128137818446568464062868113062233139620367603439600244722942659267734053620937005194939432606278744697609503707934576549002757520737074102321078418822923889399221127593632747782118004212766847803779185975309956970980280169387201657554918144244843463689062591309308003163435148432749203807727111886042271473627935482161154494976464303547129663586810973936239964669196142557977332701367619795730332662446023712262922190841226239360097490311533265953167562594634954870494720064733019963379137130620318351648747992348207245430288065933286523588168735037017481803349125024025183996822657547245651094947702268545834292593852409172743667084611813423926836813703374530071303810930647531379459
e = 65537
a = e1 * e2
b = (e2 - e1)
R.<x> = PolynomialRing(Zmod(n))
f = a*x - b
f = f.monic()
res =  f.small_roots(2^2000,beta = 0.4)	
ans = int(res[0])
tmp = GCD(a*ans - b,n)
p  = gmpy2.iroot(tmp,10)[0]
q = n//(p**11)
phi = (p-1)*(q-1)
d = inverse_mod(e,phi)
m = pow(c,d,p*q)
plain = bytes.fromhex(hex(m)[2:])
#YOU MUST BE A XIAOHEIZI
flag = 'DASCTF{'+md5(plain).hexdigest()+'}'
print(flag)
#DASCTF{4ed94d288633e880f9d8a53039247805}

【世上伤病千百种，情伤病入膏肓，心病无药可救。】