这次国赛密码题有三道,我只做出了两题。可惜web、逆向和pwn零封了,所以最后成绩不太理想。
没什么好说的,wiener attack秒了
#sage
from Crypto.Util.number import *
from sage.all import *
from random import randint
from gmpy2 import invert,iroot#不能全部导入,会有问题
def list_cf(p,q):
'''
return continued Fractions of p/q
imput:int:p,q
output:list of continued Fractions p/q
'''
alist=[]
r=p
while(r):
a=floor(p/q)
r=p%q
p=q
q=r
alist.append(int(a))
return alist
def check_cf(alist):
'''
input:alist:list
output:sum
'''
sum=0
blist=alist[::-1]
for i in blist:
sum+=i
sum=(1/sum)
return (1/sum)
def convergent_cf_2(alist):
'''
input:alist:list
output:the convergent of each cf :list
change some detail
'''
blist=[]
for i in range(1,len(alist)):
sum=0
if i>1 and is_even(i):
for k in range(i,0,-1):
if k==i:
sum+=(alist[k]+1)
else:
sum+=(alist[k])
sum=(1/sum)
else:
for k in range(i,0,-1):
sum+=alist[k]
sum=(1/sum)
blist.append(sum)
return blist
def possible_phi(e,alist,N):
for m in range(1):
for x in alist:
phi=floor(e/x)-m
jd=int(pow((phi-N-1),2)-4*N)
if jd >= 0:
if iroot(jd,int(2))[1]:
(p,q)=var('p,q')
x=solve([(p-1)*(q-1)==phi, p*q==N],p,q)
print x[0]
return int(str(x[0][0]).split('==')[1])
else:
continue
else:
continue
def possible_phi2(e,alist,N):
for x in alist:
# (k,dg)=as_integer_ratio(x)
phi = floor(e*(1/x))
if (N-phi+1)%2==0 and sqrt(pow((N-phi+1)//2,2)-N).is_integer():
(p,q)=var('p,q')
x=solve([(p-1)*(q-1)==phi, p*q==N],p,q)
print x[0]
return int(str(x[0][0]).split('==')[1])
else:
continue
def solve_wiener_attack(e,N):
list=list_cf(e,N)
clist=convergent_cf_2(list)
return possible_phi2(e,clist,N)
def test():
while 1:
p=getPrime(512)
q=getPrime(512)
N=p*q
nn=int(pow(N,0.25))
d=next_prime(randint(1,nn))
if gcd(p-1,q-1)<=2 and q<p and p<2*q:
break
e=invert(d,(p-1)*(q-1))
print solve_wiener_attack(e,N)
#=pq = 8927 and e = 2621.
(c,e,N)=(37625098109081701774571613785279343908814425141123915351527903477451570893536663171806089364574293449414561630485312247061686191366669404389142347972565020570877175992098033759403318443705791866939363061966538210758611679849037990315161035649389943256526167843576617469134413191950908582922902210791377220066,46867417013414476511855705167486515292101865210840925173161828985833867821644239088991107524584028941183216735115986313719966458608881689802377181633111389920813814350964315420422257050287517851213109465823444767895817372377616723406116946259672358254060231210263961445286931270444042869857616609048537240249, 86966590627372918010571457840724456774194080910694231109811773050866217415975647358784246153710824794652840306389428729923771431340699346354646708396564203957270393882105042714920060055401541794748437242707186192941546185666953574082803056612193004258064074902605834799171191314001030749992715155125694272289)
#(e,N) = (2621, 8927)
print solve_wiener_attack(e,N)
#当 d>pow(N,0.25)时,基本不可能解出来
#当gcd(p-1,q-1)比较大时,解不出来
源码:
import random
from secret import flag
N = 100
MASK = 2**(N+1) - 1
def lfsr(state, mask):
feedback = state & mask
feed_bit = bin(feedback)[2:].count("1") & 1
output_bit = state & 1
state = (state >> 1) | (feed_bit << (N-1))
return state, output_bit
def main():
assert flag.startswith("flag{")
assert flag.endswith("}")
mask = int(flag[5:-1])
assert mask.bit_length() == N
state = random.randint(0, MASK)
print(state)
outputs = ''
for _ in range(N**2):
state, output_bit = lfsr(state, mask)
outputs += str(output_bit)
with open("output.txt", "w") as f:
f.write(outputs)
main()
分析后可知outputs是返回的每个state的最后一位,state每次变化都是向右移一位,然后左边添加一位feedbit,feedbit是state与mask与运算的1的数量模2的结果。所以我们通过outputs找到几乎所有的state。
其实在ctfwiki上看了BM算法才知道这题可以构造矩阵解决。
feed_bit可以看作是在GF(2)上的向量state和向量mask的乘积。所以通过构造N行state 和 feed向量使得
matrix(state) * mask = feed.
然后解一下方程组就能找到mask了。
wp:
#lFSr
from sage.all import *
N=100
F=GF(2)
out
out=[int(out[i]) for i in range(len(out))]
state=out[0:N][::-1]
state1=out[N:2*N]
blist=[]
for i in range(N):
list=state1[:i][::-1]+state[:N-i]
blist.append(list)
fb=out[N:2*N]
x=matrix(F,blist)
y=vector(F,fb)
t=x.solve_right(y)
print x*t
print y
m=''
for i in t:
m+=str(i)
print int(m,2)