2023赣政杯 --- Crypto


crypto1

题目:

from Crypto.Util.number import *
from gmpy2 import invert,gcd

# Placeholder: the real flag is redacted in the published challenge source.
flag = b'###'
# Standard 2048-bit RSA modulus built from two random 1024-bit primes.
p = getPrime(1024)
q = getPrime(1024)
n = p*q
fi = (p-1)*(q-1)
# e1 and e2 are 200-bit primes that are printed below but never used to encrypt.
e1 = getPrime(200)
e2 = getPrime(200)
# e3 is the only exponent applied to the flag.
e3 = 65537

c = pow(bytes_to_long(flag),e3,n)
print(n)
print(c)
print(e1,e2)
# l = 3*d1 - 2*d2 with d_i = e_i^-1 mod fi, printed as a plain integer.
# Multiplying by e1*e2 gives l*e1*e2 - 3*e2 + 2*e1 == 0 (mod fi), so this one
# value hands out a known multiple of fi -- that is the intended weakness:
# any published linear combination of private exponents leaks phi(n).
l = 3*invert(e1,fi) - 2*invert(e2,fi)
print(l)

# 17292721978983607267718923718634305548293925536048457222972976121289309885759139060295886920407164363819420901895875254399359595973394431387846360520765205327144836799906135362452257623307102022291445029628782238521405931409291229248463837617401580600173077583943171896679232904981458275862028378237023986028001153676164561182371356596898184187590184455478690318324741581571554812742647463631545337268021329984154569576370352598120197605991949144443013468206983245554057352904863889632138060467077134384662793998998572664873312208265022794676616426412680890902293364368502643048737873693953075550383723675285227616397
# 11262957726526687856651103086915410919363781583740281242541133435895684557872848373183598908277896372575220350655871410741973457011773621514911795457547247638143385931212189807332453016648124312325964078502610642954492042568898679870975716747418361926689045230000169564315065425780404351118159843362139039288762708906878572375208700123570919174225712073740951890433433880474093154078203775671775455655269403226928059841306122415423576661710193478093980413703925973076259628618599441045577652991187944026246969418191789705042820179834443061730873779638409826451944533113953353770983794728402615949910204363918628794938
# 863730506311496380048464177431832856757231887750545766714043 1150630598011230266913144827508479988054069316592596632718511
# -9754612898628159268860797664298712620277301422822838483994027820600830106601927950168099205655730606742179276931554297578144525517754502663164605727502538787530579445688270704975958798751701673102593289201022186939320416269904242044099057518099075087472668747599123871745309839519713586137376001719593282486886331696055431287073705776659579254318080838375798526393908110868567114766287332516172333848631716689972944168953061446251353501793569920572432606314353875375139368870574672253417182827525543752158266074722259377017516428042286015114715209304254818046235283075281762932451264597218529734117472816995494099941

由题目可知 $l = 3d_1 - 2d_2$,其中 $d_i \equiv e_i^{-1} \pmod{\phi(n)}$。两边同时乘以 $e_1e_2$
得到
$$l e_1 e_2 \equiv 3e_2 - 2e_1 \pmod{\phi(n)}$$
$$l e_1 e_2 - 3e_2 + 2e_1 = k \cdot \phi(n)$$
由于phi_n和n差不多大,所以
$$k = \frac{l e_1 e_2 - 3e_2 + 2e_1}{n}$$
再联立n = p*q即可解出p,q

from Crypto.Util.number import *
import gmpy2
from sympy import *

n = 17292721978983607267718923718634305548293925536048457222972976121289309885759139060295886920407164363819420901895875254399359595973394431387846360520765205327144836799906135362452257623307102022291445029628782238521405931409291229248463837617401580600173077583943171896679232904981458275862028378237023986028001153676164561182371356596898184187590184455478690318324741581571554812742647463631545337268021329984154569576370352598120197605991949144443013468206983245554057352904863889632138060467077134384662793998998572664873312208265022794676616426412680890902293364368502643048737873693953075550383723675285227616397
c = 11262957726526687856651103086915410919363781583740281242541133435895684557872848373183598908277896372575220350655871410741973457011773621514911795457547247638143385931212189807332453016648124312325964078502610642954492042568898679870975716747418361926689045230000169564315065425780404351118159843362139039288762708906878572375208700123570919174225712073740951890433433880474093154078203775671775455655269403226928059841306122415423576661710193478093980413703925973076259628618599441045577652991187944026246969418191789705042820179834443061730873779638409826451944533113953353770983794728402615949910204363918628794938
e1 = 863730506311496380048464177431832856757231887750545766714043
e2 = 1150630598011230266913144827508479988054069316592596632718511
l = -9754612898628159268860797664298712620277301422822838483994027820600830106601927950168099205655730606742179276931554297578144525517754502663164605727502538787530579445688270704975958798751701673102593289201022186939320416269904242044099057518099075087472668747599123871745309839519713586137376001719593282486886331696055431287073705776659579254318080838375798526393908110868567114766287332516172333848631716689972944168953061446251353501793569920572432606314353875375139368870574672253417182827525543752158266074722259377017516428042286015114715209304254818046235283075281762932451264597218529734117472816995494099941

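# l*e1*e2 - 3*e2 + 2*e1 is an exact multiple k*phi(n) of phi(n).
multiple = l*e1*e2 - 3*e2 + 2*e1
# phi(n) is only slightly smaller than n, so multiple/n sits just beside k.
# Round to the nearest integer: plain floor division is right only when the
# multiple is negative (as with this data) and yields k-1 when it is positive.
k = (2*multiple + n) // (2*n)
if k == 0 or multiple % k != 0:
    raise ValueError("recovered k does not divide l*e1*e2 - 3*e2 + 2*e1")
phi = multiple // k

# p + q = n + 1 - phi(n); p and q are the two roots of t^2 - (p+q)*t + n = 0.
# Exact integer arithmetic replaces the symbolic solver on 2048-bit values.
s = n + 1 - phi
disc = s*s - 4*n
if disc < 0:
    raise ValueError("negative discriminant: phi(n) candidate is wrong")
root = int(gmpy2.isqrt(disc))
if root*root != disc:
    raise ValueError("discriminant is not a perfect square: phi(n) candidate is wrong")
p, q = (s + root)//2, (s - root)//2
if p*q != n:
    raise ValueError("recovered p and q do not multiply to n")

# Ordinary RSA decryption with the public exponent used for the flag.
e = 65537
d = int(gmpy2.invert(e, phi))
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)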

flag:

flag{906332e8a99a709b4f9cb75e41ae9d66}

crypto2

task.sage:

# you can get x1,x2,x3 here. data in output.txt.
from Crypto.Cipher import AES
from hashlib import md5
from Crypto.Util.number import *
from Crypto.Util.Padding import pad


# Part 1: 2048-bit modulus. Note that n itself is never printed below.
n = getPrime(1024) * getPrime(1024)
# Secret exponent x1 is a 50-bit prime, i.e. it lies in a small known interval.
x1 = getPrime(50)
# Three known plaintexts, all raised to the same secret exponent.
# NOTE(review): the write-up states m2 = m1^2 and m3 = m1^5 as integers;
# that relation is not checked in this file.
m1 = b'Summer'
m2 = b'\x1b5Z\xd2$\x8c\xfdV\x9fG&\xc4'
m3 = b"\xf1XNW&'\xf4'}\xf9\xd1?\xc4\xa6h\xa3\xf8\x1d\x14\xc16)\xca\xab\xa4\x00\x18\x83 "
c1 = pow(bytes_to_long(m1),x1,n)
c2 = pow(bytes_to_long(m2),x1,n)
c3 = pow(bytes_to_long(m3),x1,n)
# Only the three ciphertexts are published for this part.
print(c1)
print(c2)
print(c3)
print('-------')

# Part 2: secret exponent x2 is a 79-bit prime.
x2 = getPrime(79)
# Characteristic of the coefficient field; printed later, so it is public.
mod = 60901

# Polynomial ring GF(mod)[x]; the modulus polynomial N is defined next.
R.<x> = PolynomialRing(GF(mod))
N = 25084*x^255 + 32363*x^254 + 21665*x^253 + 24571*x^252 + 20587*x^251 + 17472*x^250 + 30654*x^249 + 31322*x^248 + 23385*x^247 + 14049*x^246 + 27853*x^245 + 18183*x^244 + 33130*x^243 + 29218*x^242 + 3412*x^241 + 28875*x^240 + 1551*x^239 + 15231*x^238 + 32794*x^237 + 8541*x^236 + 23025*x^235 + 21145*x^234 + 11858*x^233 + 34388*x^232 + 21092*x^231 + 22355*x^230 + 1768*x^229 + 5868*x^228 + 1502*x^227 + 30644*x^226 + 24646*x^225 + 32356*x^224 + 27350*x^223 + 34810*x^222 + 27676*x^221 + 24351*x^220 + 9218*x^219 + 27073*x^218 + 21176*x^217 + 2139*x^216 + 8244*x^215 + 1887*x^214 + 3854*x^213 + 24362*x^212 + 10981*x^211 + 14237*x^210 + 28663*x^209 + 32272*x^208 + 29911*x^207 + 13575*x^206 + 15955*x^205 + 5367*x^204 + 34844*x^203 + 15036*x^202 + 7662*x^201 + 16816*x^200 + 1051*x^199 + 16540*x^198 + 17738*x^197 + 10212*x^196 + 4180*x^195 + 33126*x^194 + 13014*x^193 + 16584*x^192 + 10139*x^191 + 27520*x^190 + 116*x^189 + 28197*x^188 + 31755*x^187 + 10917*x^186 + 28271*x^185 + 1152*x^184 + 6118*x^183 + 27171*x^182 + 14265*x^181 + 905*x^180 + 13776*x^179 + 854*x^178 + 5397*x^177 + 14898*x^176 + 1388*x^175 + 14058*x^174 + 6871*x^173 + 13508*x^172 + 3102*x^171 + 20438*x^170 + 29122*x^169 + 17072*x^168 + 23021*x^167 + 29879*x^166 + 28424*x^165 + 8616*x^164 + 21771*x^163 + 31878*x^162 + 33793*x^161 + 9238*x^160 + 23751*x^159 + 24157*x^158 + 17665*x^157 + 34015*x^156 + 9925*x^155 + 2981*x^154 + 24715*x^153 + 13223*x^152 + 1492*x^151 + 7548*x^150 + 13335*x^149 + 24773*x^148 + 15147*x^147 + 25234*x^146 + 24394*x^145 + 27742*x^144 + 29033*x^143 + 10247*x^142 + 22010*x^141 + 18634*x^140 + 27877*x^139 + 27754*x^138 + 13972*x^137 + 31376*x^136 + 17211*x^135 + 21233*x^134 + 5378*x^133 + 27022*x^132 + 5107*x^131 + 15833*x^130 + 27650*x^129 + 26776*x^128 + 7420*x^127 + 20235*x^126 + 2767*x^125 + 2708*x^124 + 31540*x^123 + 16736*x^122 + 30955*x^121 + 14959*x^120 + 13171*x^119 + 5450*x^118 + 20204*x^117 + 18833*x^116 + 33989*x^115 + 25970*x^114 + 767*x^113 + 16400*x^112 + 34931*x^111 + 
7923*x^110 + 33965*x^109 + 12199*x^108 + 11788*x^107 + 19343*x^106 + 33039*x^105 + 13475*x^104 + 15822*x^103 + 20921*x^102 + 25100*x^101 + 9771*x^100 + 5272*x^99 + 34002*x^98 + 16026*x^97 + 23104*x^96 + 33331*x^95 + 11944*x^94 + 5428*x^93 + 11838*x^92 + 30854*x^91 + 18595*x^90 + 5226*x^89 + 23614*x^88 + 5611*x^87 + 34572*x^86 + 17035*x^85 + 16199*x^84 + 26755*x^83 + 10270*x^82 + 25206*x^81 + 30800*x^80 + 21714*x^79 + 2088*x^78 + 3785*x^77 + 9626*x^76 + 25706*x^75 + 24807*x^74 + 31605*x^73 + 5292*x^72 + 17836*x^71 + 32529*x^70 + 33088*x^69 + 16369*x^68 + 18195*x^67 + 22227*x^66 + 8839*x^65 + 27975*x^64 + 10464*x^63 + 29788*x^62 + 15770*x^61 + 31095*x^60 + 276*x^59 + 25968*x^58 + 14891*x^57 + 23490*x^56 + 34563*x^55 + 29778*x^54 + 26719*x^53 + 28611*x^52 + 1633*x^51 + 28335*x^50 + 18278*x^49 + 33901*x^48 + 13451*x^47 + 30759*x^46 + 19192*x^45 + 31002*x^44 + 11733*x^43 + 29274*x^42 + 11756*x^41 + 6880*x^40 + 11492*x^39 + 7151*x^38 + 28624*x^37 + 29566*x^36 + 33986*x^35 + 5726*x^34 + 5040*x^33 + 14730*x^32 + 7443*x^31 + 12168*x^30 + 24201*x^29 + 20390*x^28 + 15087*x^27 + 18193*x^26 + 19796*x^25 + 32514*x^24 + 25252*x^23 + 15090*x^22 + 2653*x^21 + 29310*x^20 + 4037*x^19 + 6440*x^18 + 16780*x^17 + 1891*x^16 + 20592*x^15 + 11890*x^14 + 25769*x^13 + 29259*x^12 + 23814*x^11 + 17565*x^10 + 16797*x^9 + 34151*x^8 + 20893*x^7 + 2807*x^6 + 209*x^5 + 3217*x^4 + 8801*x^3 + 21964*x^2 + 16286*x + 1207

# Work in the quotient ring GF(mod)[x]/(N); x now denotes the class of x.
S.<x> = R.quotient(N)
# The generator is simply x, and c = x^x2 in the quotient ring.
g = x
c = g ^ x2
# Published values: the field characteristic and c (N is given in the source).
print(mod)
print(c)
print('-------')

A =  [
     [1287397632974625907369332145667695136576732725719,  999149001044306271168727399637009399486427921379,   1046504160269652701583906344218556291030141088947,  724446625683754938181565321149725788430461092168,    1071845980147173642753960259602135592110139561915],
     [947603660931904341080240982051313712707367037453,   312289846563741934103580532543082761760226637905,   494739786803547247505263837170488583876166831850,   680540462980071181450018491798299105995449257198,    2602258415762368797405060707505977243346704576],
     [996213673531855992829525358578006610606634622631,   1025711294257038288640877971869685565227647136954,  1432432135773706484846126533752827108541355741973,  1238541870126055576875033883691918425137600727481,   1130938956963588695293783764965618873887596017827],
     [1320933266015680090206505704792362493057963931979,  1151746112645644166669332171392580649376526147475,  117512451110908867093773368598681106589771485221,   78071463743800894350883457304401524272336187149,     350437511649326676405126284689545814008237687775],
     [438339253001275654203062260777687750937184662400,   372483950165136927369598298270629892810999203086,   859008773869616460027135965589262417694174453098,   1174526536643808668299968641952541506024584582818,   13201859260259503932772826643483081858286638179]
    ]

# Part 3: discrete logarithm on a 5x5 matrix over GF(p).
p = 1461501637330902918203684832716283019655932542983
A=Matrix(GF(p),A)
# Secret exponent x3 is uniform in [1, p-1].
x3=randint(1,p-1)
# enc = A^x3 is printed; A and p are visible in this source file.
enc=A ^ x3
print(enc)
print('-------')

# print(x1)
# print(x2)
# print(x3)

output.txt:

6642405920901856169444016797176854597511451869985089651222713756777328966941476058604740455313616649917187991048303850631108347661320663913557624152718957853756249151837319676066099077333534697206386691941331448958684021832562207954154873697814883115658290031936751010644432299888242593402862504138835921966726681417223379481462802829351047480186956868100845641554180786970034400113962411824354147963669819689032778624971549900555093828130900263372445564238059617835820174579230777360658751552380263147079230363339891599173117866703038100650069898243259407309606964270874516077211813084737872899450015333976760281703
12813265737443697551929767989570751888750511705348484641903902149955312616711153251092445655940484450690399380028749856807646105728043629274795851279862876474531555369892719879557046790927230728065906684723947834712460717801290713839457680590114020295500667651057326890424493250921935414989955491994447207088436387696477722392644270158235224792084194369936504271283334716001838217357724081502237230541364101629570586471163819753729676633882730583741430969604274129791655908106575499122099979016198784279229993793071830074860802254279441203206755560219988997867608365962558150456294230932902402240597836935823436345325
1074141404749280436711035717954232277868634448571610901178443079135403105955266644476567782025394567854097847885741302725302674986645525117336324292432565639695685409234514683062042319986450119065154690941584345281490656949110971489042530766614666018893998646120537235040632473971665446852454893601407555006747727810374360063434824501882913369912060331769975224417255887064285623738576301509295176265159320045368758095953721139289667647294584221175836778442865350736512281839062157810162651549604905844209087574264828233087914336817381862828345301138732008264028314915885909590652794738236676550466058502328912137350
-------
60901
55401*x^254 + 24633*x^253 + 53111*x^252 + 14311*x^251 + 11518*x^250 + 23162*x^249 + 19288*x^248 + 30770*x^247 + 37701*x^246 + 50355*x^245 + 48262*x^244 + 42287*x^243 + 58804*x^242 + 40341*x^241 + 42984*x^240 + 9389*x^239 + 49125*x^238 + 60022*x^237 + 48187*x^236 + 46353*x^235 + 20268*x^234 + 8938*x^233 + 54277*x^232 + 14687*x^231 + 28231*x^230 + 35733*x^229 + 5007*x^228 + 18273*x^227 + 60425*x^226 + 31385*x^225 + 39337*x^224 + 50374*x^223 + 30358*x^222 + 6588*x^221 + 11729*x^220 + 42187*x^219 + 23510*x^218 + 32410*x^217 + 5738*x^216 + 28534*x^215 + 25891*x^214 + 9972*x^213 + 56326*x^212 + 13038*x^211 + 47315*x^210 + 39424*x^209 + 3796*x^208 + 9154*x^207 + 59008*x^206 + 21473*x^205 + 49133*x^204 + 29560*x^203 + 44646*x^202 + 27705*x^201 + 55455*x^200 + 23699*x^199 + 22960*x^198 + 50525*x^197 + 13268*x^196 + 20970*x^195 + 40280*x^194 + 25203*x^193 + 39185*x^192 + 48453*x^191 + 890*x^190 + 5123*x^189 + 60749*x^188 + 951*x^187 + 18721*x^186 + 57419*x^185 + 7257*x^184 + 22621*x^183 + 26819*x^182 + 47248*x^181 + 45994*x^180 + 15573*x^179 + 16713*x^178 + 20203*x^177 + 897*x^176 + 7488*x^175 + 32050*x^174 + 3270*x^173 + 53472*x^172 + 40622*x^171 + 32333*x^170 + 4378*x^169 + 32201*x^168 + 44995*x^167 + 52649*x^166 + 29917*x^165 + 22557*x^164 + 13994*x^163 + 49091*x^162 + 45306*x^161 + 8177*x^160 + 6303*x^159 + 17569*x^158 + 3355*x^157 + 30530*x^156 + 59558*x^155 + 18321*x^154 + 35517*x^153 + 11883*x^152 + 13925*x^151 + 14679*x^150 + 50233*x^149 + 11787*x^148 + 39593*x^147 + 58739*x^146 + 57338*x^145 + 41399*x^144 + 42906*x^143 + 14458*x^142 + 41910*x^141 + 28416*x^140 + 8139*x^139 + 44971*x^138 + 38875*x^137 + 2802*x^136 + 59482*x^135 + 50068*x^134 + 18055*x^133 + 12860*x^132 + 26353*x^131 + 31779*x^130 + 27078*x^129 + 39282*x^128 + 44523*x^127 + 55970*x^126 + 47567*x^125 + 25213*x^124 + 48363*x^123 + 7496*x^122 + 51295*x^121 + 34384*x^120 + 28460*x^119 + 23547*x^118 + 1159*x^117 + 21655*x^116 + 57089*x^115 + 37023*x^114 + 23899*x^113 + 22581*x^112 + 27488*x^111 + 
23946*x^110 + 49523*x^109 + 44072*x^108 + 47188*x^107 + 21628*x^106 + 34880*x^105 + 57871*x^104 + 49327*x^103 + 10140*x^102 + 36170*x^101 + 33307*x^100 + 60839*x^99 + 48178*x^98 + 39916*x^97 + 14610*x^96 + 42438*x^95 + 57662*x^94 + 54241*x^93 + 35070*x^92 + 31061*x^91 + 43269*x^90 + 38150*x^89 + 53239*x^88 + 45189*x^87 + 41485*x^86 + 47902*x^85 + 54667*x^84 + 649*x^83 + 56191*x^82 + 6057*x^81 + 370*x^80 + 39935*x^79 + 17960*x^78 + 20082*x^77 + 25163*x^76 + 54283*x^75 + 57334*x^74 + 13449*x^73 + 19038*x^72 + 26849*x^71 + 18729*x^70 + 45227*x^69 + 3179*x^68 + 60390*x^67 + 6694*x^66 + 46032*x^65 + 53506*x^64 + 22716*x^63 + 44127*x^62 + 20626*x^61 + 488*x^60 + 49145*x^59 + 24392*x^58 + 29665*x^57 + 30051*x^56 + 24849*x^55 + 3007*x^54 + 2459*x^53 + 13880*x^52 + 24094*x^51 + 7240*x^50 + 38191*x^49 + 33081*x^48 + 32018*x^47 + 20931*x^46 + 19671*x^45 + 35881*x^44 + 10575*x^43 + 1044*x^42 + 31649*x^41 + 8001*x^40 + 43071*x^39 + 698*x^38 + 50473*x^37 + 55442*x^36 + 54956*x^35 + 29000*x^34 + 53562*x^33 + 4782*x^32 + 6186*x^31 + 44930*x^30 + 45144*x^29 + 54107*x^28 + 42204*x^27 + 57096*x^26 + 8851*x^25 + 33377*x^24 + 34744*x^23 + 26925*x^22 + 41418*x^21 + 27187*x^20 + 20530*x^19 + 60503*x^18 + 6434*x^17 + 18420*x^16 + 19968*x^15 + 58669*x^14 + 7105*x^13 + 8018*x^12 + 51214*x^11 + 33099*x^10 + 17268*x^9 + 3428*x^8 + 50013*x^7 + 41048*x^6 + 19008*x^5 + 60810*x^4 + 53565*x^3 + 53558*x^2 + 46914*x + 8721
-------
[ 413094434584570995591398694224537386587890607099 1402178500605886628335320740160364976151966833746  224676119140512070289814098697316498283294186394   95207433392533133044965499790275028893073229005   84512728483260378812263046639161852722157440007]
[ 839641252733812478258826056657933667891721005509   75137116131174621187044431124685200657840877273 1044263592468227991738016566259580451830359820713 1361901709492224001881896595585166393645078000241  221917499090658247675093423011067065018034308218]
[1315301968215025397304836809076224100542432312513  605129393630472476299035900160790679472470273413  646531256186931146929304242983362631690900265566  594693457384017930182031564738973940589363805344  257106427346401942506852090636774640149629554885]
[ 640857434829813923255563118801415401588598205004 1148607850128743270967140556534752603625719960014 1134547787797381481449954822815892367870034266876  918295327097055894660693563263545537961722685932  545082959137454541579388693351505124519462125367]
[ 295894481010831543767846527675639322564996024436  145286734860912325389688024767333261487525476401 1420994667286333898883659969797582246266387486713  201795652532043659128421325330456874668634095998  914687479458311475079089248841757161330206386647]
-------

enc.py

from SECRET import x1,x2,x3,flag
from hashlib import md5
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

# The three secrets are collapsed into one integer before key derivation.
x = x1 + x2 + x3
# Key = first 16 hex characters of MD5(decimal string of x): the AES-128 key
# is printable hex, so it carries at most 64 bits, and ECB is used without IV.
digest_hex = md5(str(x).encode()).hexdigest()
key = digest_hex[:16]
cipher = AES.new(key.encode(), AES.MODE_ECB)
padded_flag = pad(flag, 16)
print(cipher.encrypt(padded_flag))

# b'\xa1&%o\x82\x16i\x82\xd61\xeb\xc1qER\xccX\x83I\xd9\x14\xcb\xb5d`\x1d[\x90\x9e\rk\xb59n\xfa\xb5\xb0\x80\xf0A\x0c\xe2\x91\xf5>9\xd4R'

分析enc.py可知,x1,x2,x3之和的md5值的前16位作为aeskey,因此我们分别求出x1,x2,x3即可解密密文。

求解x1

根据计算结果可知,$m_2 = m_1^2,\ m_3 = m_1^5$。因此 $c_2 \equiv c_1^2 \pmod n$、$c_3 \equiv c_1^5 \pmod n$,即 $n$ 同时整除 $c_1^2 - c_2$ 和 $c_1^5 - c_3$。那么,我们就可以通过gcd求出n
PS:gcd出来的值还有一个小因子23,剩下的大整数才是n
求出n之后就是离散对数求解了

#sage
from Crypto.Util.number import *
import gmpy2

m1 = bytes_to_long(b'Summer')
c1 = 6642405920901856169444016797176854597511451869985089651222713756777328966941476058604740455313616649917187991048303850631108347661320663913557624152718957853756249151837319676066099077333534697206386691941331448958684021832562207954154873697814883115658290031936751010644432299888242593402862504138835921966726681417223379481462802829351047480186956868100845641554180786970034400113962411824354147963669819689032778624971549900555093828130900263372445564238059617835820174579230777360658751552380263147079230363339891599173117866703038100650069898243259407309606964270874516077211813084737872899450015333976760281703
c2 = 12813265737443697551929767989570751888750511705348484641903902149955312616711153251092445655940484450690399380028749856807646105728043629274795851279862876474531555369892719879557046790927230728065906684723947834712460717801290713839457680590114020295500667651057326890424493250921935414989955491994447207088436387696477722392644270158235224792084194369936504271283334716001838217357724081502237230541364101629570586471163819753729676633882730583741430969604274129791655908106575499122099979016198784279229993793071830074860802254279441203206755560219988997867608365962558150456294230932902402240597836935823436345325
c3 = 1074141404749280436711035717954232277868634448571610901178443079135403105955266644476567782025394567854097847885741302725302674986645525117336324292432565639695685409234514683062042319986450119065154690941584345281490656949110971489042530766614666018893998646120537235040632473971665446852454893601407555006747727810374360063434824501882913369912060331769975224417255887064285623738576301509295176265159320045368758095953721139289667647294584221175836778442865350736512281839062157810162651549604905844209087574264828233087914336817381862828345301138732008264028314915885909590652794738236676550466058502328912137350
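# n divides both c1^2 - c2 and c1^5 - c3, so it divides their gcd; the gcd
# also carries a stray small factor 23, which is stripped here.
n = ZZ(int(gmpy2.gcd(c1**2-c2,c1**5-c3))) // 23
# The logarithm must be taken in Z/nZ: on bare integers the products inside
# discrete_log_lambda are never reduced mod n and the recovered n goes unused.
Zn = Zmod(n)
x1 = discrete_log_lambda(Zn(c1), Zn(m1), (1,2**50))
# Confirm the result against the published ciphertext before using it.
if Zn(m1)**x1 != Zn(c1):
    raise ValueError("recovered x1 does not reproduce c1")
print(x1)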

得到x1

x1 = 745410305382473
求解x2

这一部分是多项式dlp
分解多项式计算出其阶,然后将阶进行分解
PS:(放到factordb上分解,sage上由于值过大,factor无法分解出来),然后手工剔除大因子,留下的小因子乘积的bit数大于x2的bit数即可。

最后PH算法求x2

#Sage
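def brute_dlp(gi, ci, n, lim):
	"""Find i in 1..lim with gi**i == ci (mod n) by exhaustive search.

	Exponents are tried starting at 1, so a residue of 0 is reported as the
	order of gi (when that order is <= lim), which is the same class for CRT.

	Raises:
		ValueError: no exponent in 1..lim matches. The original printed a
			warning and returned None, which only failed later inside CRT.
	"""
	bi = gi
	for i in range(1, lim+1):
		if bi == ci:
			return i
		bi = (bi * gi) % n
	raise ValueError("[-] NOT in the range: no exponent in 1..{0} matches, check the range".format(lim))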

def pohlig_hellman(g, c, s, n, factors):
	"""Recover log_g(c) modulo the product of `factors` (Pohlig-Hellman).

	g, c    -- base and target, both reduced modulo n
	s       -- a multiple of the order of g (here: the group order)
	n       -- the modulus passed to pow()
	factors -- primes dividing s; each is used to the first power only

	The value returned by CRT is the logarithm modulo prod(factors); it is the
	true exponent only when that product exceeds the exponent's range.
	"""
	residues = []
	moduli = []
	for q in factors:
		e = 1
		prime_power = q**e
		cofactor = s // prime_power
		# Project g and c into the subgroup of order q.
		gi = pow(g, cofactor, n)
		# A trivial projection would make every exponent match.
		assert gi != 1
		ci = pow(c, cofactor, n)
		dlogi = brute_dlp(gi, ci, n, prime_power)
		print("[+] dlog modulo {0} == {1}".format(prime_power, dlogi))
		residues.append(dlogi)
		moduli.append(prime_power)
	print("\n[*] res = ", residues)
	print("[*] modulus = ", moduli)
	return CRT(residues, moduli)

# Coefficient field characteristic, as printed in output.txt.
p = 60901
# Plain polynomial ring over Z/pZ; reduction modulo n is done via pow(.., .., n).
P = PolynomialRing(Zmod(p), 'x')
x = P.gen(0)
n =  25084*x^255 + 32363*x^254 + 21665*x^253 + 24571*x^252 + 20587*x^251 + 17472*x^250 + 30654*x^249 + 31322*x^248 + 23385*x^247 + 14049*x^246 + 27853*x^245 + 18183*x^244 + 33130*x^243 + 29218*x^242 + 3412*x^241 + 28875*x^240 + 1551*x^239 + 15231*x^238 + 32794*x^237 + 8541*x^236 + 23025*x^235 + 21145*x^234 + 11858*x^233 + 34388*x^232 + 21092*x^231 + 22355*x^230 + 1768*x^229 + 5868*x^228 + 1502*x^227 + 30644*x^226 + 24646*x^225 + 32356*x^224 + 27350*x^223 + 34810*x^222 + 27676*x^221 + 24351*x^220 + 9218*x^219 + 27073*x^218 + 21176*x^217 + 2139*x^216 + 8244*x^215 + 1887*x^214 + 3854*x^213 + 24362*x^212 + 10981*x^211 + 14237*x^210 + 28663*x^209 + 32272*x^208 + 29911*x^207 + 13575*x^206 + 15955*x^205 + 5367*x^204 + 34844*x^203 + 15036*x^202 + 7662*x^201 + 16816*x^200 + 1051*x^199 + 16540*x^198 + 17738*x^197 + 10212*x^196 + 4180*x^195 + 33126*x^194 + 13014*x^193 + 16584*x^192 + 10139*x^191 + 27520*x^190 + 116*x^189 + 28197*x^188 + 31755*x^187 + 10917*x^186 + 28271*x^185 + 1152*x^184 + 6118*x^183 + 27171*x^182 + 14265*x^181 + 905*x^180 + 13776*x^179 + 854*x^178 + 5397*x^177 + 14898*x^176 + 1388*x^175 + 14058*x^174 + 6871*x^173 + 13508*x^172 + 3102*x^171 + 20438*x^170 + 29122*x^169 + 17072*x^168 + 23021*x^167 + 29879*x^166 + 28424*x^165 + 8616*x^164 + 21771*x^163 + 31878*x^162 + 33793*x^161 + 9238*x^160 + 23751*x^159 + 24157*x^158 + 17665*x^157 + 34015*x^156 + 9925*x^155 + 2981*x^154 + 24715*x^153 + 13223*x^152 + 1492*x^151 + 7548*x^150 + 13335*x^149 + 24773*x^148 + 15147*x^147 + 25234*x^146 + 24394*x^145 + 27742*x^144 + 29033*x^143 + 10247*x^142 + 22010*x^141 + 18634*x^140 + 27877*x^139 + 27754*x^138 + 13972*x^137 + 31376*x^136 + 17211*x^135 + 21233*x^134 + 5378*x^133 + 27022*x^132 + 5107*x^131 + 15833*x^130 + 27650*x^129 + 26776*x^128 + 7420*x^127 + 20235*x^126 + 2767*x^125 + 2708*x^124 + 31540*x^123 + 16736*x^122 + 30955*x^121 + 14959*x^120 + 13171*x^119 + 5450*x^118 + 20204*x^117 + 18833*x^116 + 33989*x^115 + 25970*x^114 + 767*x^113 + 16400*x^112 + 34931*x^111 + 
7923*x^110 + 33965*x^109 + 12199*x^108 + 11788*x^107 + 19343*x^106 + 33039*x^105 + 13475*x^104 + 15822*x^103 + 20921*x^102 + 25100*x^101 + 9771*x^100 + 5272*x^99 + 34002*x^98 + 16026*x^97 + 23104*x^96 + 33331*x^95 + 11944*x^94 + 5428*x^93 + 11838*x^92 + 30854*x^91 + 18595*x^90 + 5226*x^89 + 23614*x^88 + 5611*x^87 + 34572*x^86 + 17035*x^85 + 16199*x^84 + 26755*x^83 + 10270*x^82 + 25206*x^81 + 30800*x^80 + 21714*x^79 + 2088*x^78 + 3785*x^77 + 9626*x^76 + 25706*x^75 + 24807*x^74 + 31605*x^73 + 5292*x^72 + 17836*x^71 + 32529*x^70 + 33088*x^69 + 16369*x^68 + 18195*x^67 + 22227*x^66 + 8839*x^65 + 27975*x^64 + 10464*x^63 + 29788*x^62 + 15770*x^61 + 31095*x^60 + 276*x^59 + 25968*x^58 + 14891*x^57 + 23490*x^56 + 34563*x^55 + 29778*x^54 + 26719*x^53 + 28611*x^52 + 1633*x^51 + 28335*x^50 + 18278*x^49 + 33901*x^48 + 13451*x^47 + 30759*x^46 + 19192*x^45 + 31002*x^44 + 11733*x^43 + 29274*x^42 + 11756*x^41 + 6880*x^40 + 11492*x^39 + 7151*x^38 + 28624*x^37 + 29566*x^36 + 33986*x^35 + 5726*x^34 + 5040*x^33 + 14730*x^32 + 7443*x^31 + 12168*x^30 + 24201*x^29 + 20390*x^28 + 15087*x^27 + 18193*x^26 + 19796*x^25 + 32514*x^24 + 25252*x^23 + 15090*x^22 + 2653*x^21 + 29310*x^20 + 4037*x^19 + 6440*x^18 + 16780*x^17 + 1891*x^16 + 20592*x^15 + 11890*x^14 + 25769*x^13 + 29259*x^12 + 23814*x^11 + 17565*x^10 + 16797*x^9 + 34151*x^8 + 20893*x^7 + 2807*x^6 + 209*x^5 + 3217*x^4 + 8801*x^3 + 21964*x^2 + 16286*x + 1207
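g = x
# Factor the modulus polynomial over F_p to get the unit-group order of F_p[x]/(n).
nfactors = n.factor()
s = 1
for f, m in nfactors:
	d = f.degree()
	# A factor f^m of degree d contributes p^(d*(m-1)) * (p^d - 1) units; the
	# original ignored the multiplicity, which is only right for squarefree n.
	s *= p**(d*(m - 1)) * (p**d - 1)
# Small primes of s picked by hand (s was factored externally); their product
# must exceed the 79-bit range of x2 for the CRT result to be x2 itself.
factors=[3121,7489,7937,8009,57809,138007,169937,271129,295049]
for q in factors:
	if s % q != 0:
		raise ValueError("{0} does not divide the group order".format(q))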
c=55401*x^254 + 24633*x^253 + 53111*x^252 + 14311*x^251 + 11518*x^250 + 23162*x^249 + 19288*x^248 + 30770*x^247 + 37701*x^246 + 50355*x^245 + 48262*x^244 + 42287*x^243 + 58804*x^242 + 40341*x^241 + 42984*x^240 + 9389*x^239 + 49125*x^238 + 60022*x^237 + 48187*x^236 + 46353*x^235 + 20268*x^234 + 8938*x^233 + 54277*x^232 + 14687*x^231 + 28231*x^230 + 35733*x^229 + 5007*x^228 + 18273*x^227 + 60425*x^226 + 31385*x^225 + 39337*x^224 + 50374*x^223 + 30358*x^222 + 6588*x^221 + 11729*x^220 + 42187*x^219 + 23510*x^218 + 32410*x^217 + 5738*x^216 + 28534*x^215 + 25891*x^214 + 9972*x^213 + 56326*x^212 + 13038*x^211 + 47315*x^210 + 39424*x^209 + 3796*x^208 + 9154*x^207 + 59008*x^206 + 21473*x^205 + 49133*x^204 + 29560*x^203 + 44646*x^202 + 27705*x^201 + 55455*x^200 + 23699*x^199 + 22960*x^198 + 50525*x^197 + 13268*x^196 + 20970*x^195 + 40280*x^194 + 25203*x^193 + 39185*x^192 + 48453*x^191 + 890*x^190 + 5123*x^189 + 60749*x^188 + 951*x^187 + 18721*x^186 + 57419*x^185 + 7257*x^184 + 22621*x^183 + 26819*x^182 + 47248*x^181 + 45994*x^180 + 15573*x^179 + 16713*x^178 + 20203*x^177 + 897*x^176 + 7488*x^175 + 32050*x^174 + 3270*x^173 + 53472*x^172 + 40622*x^171 + 32333*x^170 + 4378*x^169 + 32201*x^168 + 44995*x^167 + 52649*x^166 + 29917*x^165 + 22557*x^164 + 13994*x^163 + 49091*x^162 + 45306*x^161 + 8177*x^160 + 6303*x^159 + 17569*x^158 + 3355*x^157 + 30530*x^156 + 59558*x^155 + 18321*x^154 + 35517*x^153 + 11883*x^152 + 13925*x^151 + 14679*x^150 + 50233*x^149 + 11787*x^148 + 39593*x^147 + 58739*x^146 + 57338*x^145 + 41399*x^144 + 42906*x^143 + 14458*x^142 + 41910*x^141 + 28416*x^140 + 8139*x^139 + 44971*x^138 + 38875*x^137 + 2802*x^136 + 59482*x^135 + 50068*x^134 + 18055*x^133 + 12860*x^132 + 26353*x^131 + 31779*x^130 + 27078*x^129 + 39282*x^128 + 44523*x^127 + 55970*x^126 + 47567*x^125 + 25213*x^124 + 48363*x^123 + 7496*x^122 + 51295*x^121 + 34384*x^120 + 28460*x^119 + 23547*x^118 + 1159*x^117 + 21655*x^116 + 57089*x^115 + 37023*x^114 + 23899*x^113 + 22581*x^112 + 27488*x^111 + 
23946*x^110 + 49523*x^109 + 44072*x^108 + 47188*x^107 + 21628*x^106 + 34880*x^105 + 57871*x^104 + 49327*x^103 + 10140*x^102 + 36170*x^101 + 33307*x^100 + 60839*x^99 + 48178*x^98 + 39916*x^97 + 14610*x^96 + 42438*x^95 + 57662*x^94 + 54241*x^93 + 35070*x^92 + 31061*x^91 + 43269*x^90 + 38150*x^89 + 53239*x^88 + 45189*x^87 + 41485*x^86 + 47902*x^85 + 54667*x^84 + 649*x^83 + 56191*x^82 + 6057*x^81 + 370*x^80 + 39935*x^79 + 17960*x^78 + 20082*x^77 + 25163*x^76 + 54283*x^75 + 57334*x^74 + 13449*x^73 + 19038*x^72 + 26849*x^71 + 18729*x^70 + 45227*x^69 + 3179*x^68 + 60390*x^67 + 6694*x^66 + 46032*x^65 + 53506*x^64 + 22716*x^63 + 44127*x^62 + 20626*x^61 + 488*x^60 + 49145*x^59 + 24392*x^58 + 29665*x^57 + 30051*x^56 + 24849*x^55 + 3007*x^54 + 2459*x^53 + 13880*x^52 + 24094*x^51 + 7240*x^50 + 38191*x^49 + 33081*x^48 + 32018*x^47 + 20931*x^46 + 19671*x^45 + 35881*x^44 + 10575*x^43 + 1044*x^42 + 31649*x^41 + 8001*x^40 + 43071*x^39 + 698*x^38 + 50473*x^37 + 55442*x^36 + 54956*x^35 + 29000*x^34 + 53562*x^33 + 4782*x^32 + 6186*x^31 + 44930*x^30 + 45144*x^29 + 54107*x^28 + 42204*x^27 + 57096*x^26 + 8851*x^25 + 33377*x^24 + 34744*x^23 + 26925*x^22 + 41418*x^21 + 27187*x^20 + 20530*x^19 + 60503*x^18 + 6434*x^17 + 18420*x^16 + 19968*x^15 + 58669*x^14 + 7105*x^13 + 8018*x^12 + 51214*x^11 + 33099*x^10 + 17268*x^9 + 3428*x^8 + 50013*x^7 + 41048*x^6 + 19008*x^5 + 60810*x^4 + 53565*x^3 + 53558*x^2 + 46914*x + 8721
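x2 = pohlig_hellman(g, c, s, n, factors)
# Pohlig-Hellman over a subset of the factors only yields x2 modulo their
# product, so confirm the candidate against the published c before using it.
if pow(g, x2, n) != c:
	raise ValueError("recovered x2 does not reproduce c")
print(x2)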

求得x2

x2 = 371531551624759418592097
求解x3

第三部分是矩阵dlp,参考la佬博客—离散对数篇—矩阵dlp

#sage
n = 5
p = 1461501637330902918203684832716283019655932542983
A =  [
     [1287397632974625907369332145667695136576732725719,  999149001044306271168727399637009399486427921379,   1046504160269652701583906344218556291030141088947,  724446625683754938181565321149725788430461092168,    1071845980147173642753960259602135592110139561915],
     [947603660931904341080240982051313712707367037453,   312289846563741934103580532543082761760226637905,   494739786803547247505263837170488583876166831850,   680540462980071181450018491798299105995449257198,    2602258415762368797405060707505977243346704576],
     [996213673531855992829525358578006610606634622631,   1025711294257038288640877971869685565227647136954,  1432432135773706484846126533752827108541355741973,  1238541870126055576875033883691918425137600727481,   1130938956963588695293783764965618873887596017827],
     [1320933266015680090206505704792362493057963931979,  1151746112645644166669332171392580649376526147475,  117512451110908867093773368598681106589771485221,   78071463743800894350883457304401524272336187149,     350437511649326676405126284689545814008237687775],
     [438339253001275654203062260777687750937184662400,   372483950165136927369598298270629892810999203086,   859008773869616460027135965589262417694174453098,   1174526536643808668299968641952541506024584582818,   13201859260259503932772826643483081858286638179]
    ]
B = [[ 413094434584570995591398694224537386587890607099,1402178500605886628335320740160364976151966833746,224676119140512070289814098697316498283294186394,95207433392533133044965499790275028893073229005,84512728483260378812263046639161852722157440007],
[ 839641252733812478258826056657933667891721005509,75137116131174621187044431124685200657840877273,1044263592468227991738016566259580451830359820713,1361901709492224001881896595585166393645078000241,221917499090658247675093423011067065018034308218],
[1315301968215025397304836809076224100542432312513,605129393630472476299035900160790679472470273413,646531256186931146929304242983362631690900265566,594693457384017930182031564738973940589363805344,257106427346401942506852090636774640149629554885],
[ 640857434829813923255563118801415401588598205004,1148607850128743270967140556534752603625719960014,1134547787797381481449954822815892367870034266876,918295327097055894660693563263545537961722685932,545082959137454541579388693351505124519462125367],
[ 295894481010831543767846527675639322564996024436,145286734860912325389688024767333261487525476401,1420994667286333898883659969797582246266387486713,201795652532043659128421325330456874668634095998,914687479458311475079089248841757161330206386647]]

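G = matrix(GF(p), n, n, A)
H = matrix(GF(p), n, n, B)

# P^-1 * G * P = G_Jor, and the same change of basis turns H = G^x3 into G_Jor^x3.
G_Jor, P = G.jordan_form(transformation=True)
H_Jor = ~P * H * P
# The formula below needs a 2x2 Jordan block [[lam, 1], [0, lam]] in rows 3-4:
# its x-th power is [[lam^x, x*lam^(x-1)], [0, lam^x]], so
# x = lam * H_Jor[3][4] / H_Jor[4][4] (mod p).
if G_Jor[3][4] != 1:
    raise ValueError("no 2x2 Jordan block at rows 3-4; the indices below do not apply")
x3 = G_Jor[3][3]*H_Jor[3][4]//H_Jor[4][4]
# The result is only determined modulo p; x3 was drawn from [1, p-1], so the
# candidate is checked directly against the published matrix.
if G**ZZ(x3) != H:
    raise ValueError("recovered x3 does not reproduce the published matrix")
print(x3)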

求得x3

x3 = 353938647605998917422096040690857374445425326925

最后直接aes解密即可获得flag

from hashlib import md5

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

enc = b'\xa1&%o\x82\x16i\x82\xd61\xeb\xc1qER\xccX\x83I\xd9\x14\xcb\xb5d`\x1d[\x90\x9e\rk\xb59n\xfa\xb5\xb0\x80\xf0A\x0c\xe2\x91\xf5>9\xd4R'
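# Sum of the three recovered exponents x1 + x2 + x3.
x = 745410305382473 +371531551624759418592097+353938647605998917422096040690857374445425326925
# Same derivation as enc.py: first 16 hex characters of MD5(str(x)).
key = md5(str(x).encode()).hexdigest()[:16]
cipher = AES.new(key.encode(),AES.MODE_ECB)
# enc.py padded the flag to 16-byte blocks, so strip that padding again;
# unpad raises ValueError when the padding is malformed, which signals a wrong key.
flag = unpad(cipher.decrypt(enc), 16)
print(flag)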

flag:

flag{2e626effd4c3a666f0e95317c70210ce}

【我心匪席,不可卷也。】
