2025 红明谷杯 - Crypto

队友把 flag 放生了，差点没重捕回来

qaq

题目如下：

from Crypto.Util.number import *
from Crypto.Util.Padding import pad
from sage.all import *
from functools import reduce

def mul(numbers):
    return reduce(lambda x, y: x * y, numbers)

res = [4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272555731, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272556223, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272556437, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272556749, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272557237, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272557459, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272557687, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272558239, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272558627, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559239, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559523, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272560169, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272560343, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272560433, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272560751, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272560969, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272561441, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272562103, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272562601, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272563261, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272563297, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272563391, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272563511, 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272563711]
p = res[11]
pp = mul(res)
K = GF(p)
E = EllipticCurve(K, (0, 4))
qwq = 0x320238b
qaq = E.order()//qwq**2

flag = pad(open("flag.txt", "rb").read().strip(),4)
flag_part = [bytes_to_long(flag[i:i+2]) for i in range(0, len(flag), 2)]

output = []
for c in flag_part:
    P1 = qaq*E.random_element()
    P2 = qaq*E.random_element()
    out = P1.weil_pairing(P2, qwq)**3*c
    output.append(pow(out,qaq, pp))
print(output)

比较简单，知道 pow(P1.weil_pairing(P2, qwq), qwq, pp) 为 1 这个性质就好搞了，直接爆破。

from tqdm import trange
output = [2258729984869869545899085887518820011795880892632317458813070773270633871398785757696896679887453336507722151037267, 1843407310728065127389586068976768146728145160643439144895915852634291722663455873979176336542780552480617232750208, 1107061034832953338095294459542523703297843192927313275050958753437078121375795698115353665062727895555487155331316, 460337686287218470707660572908024613140030922587867288532588857547792028112129697850035268228038619747643899804437, 1659483062154723617504533638726171721668768657049197025961515070605996080663312140357834824850074607457421362000265, 3150528329201636320206556304125544975332446992414777732425647667048147102509308959254762895094589762017857965981432, 3338854035461286314545186888372727000962778038359519702308782495912356677650264814573463929190025956045491115654437, 3042574495339632074308497406446851120362994432361876743901608172567070991832258762751304397604780567703759317642849, 380771388315580393673388198522357440257018642337119013880143084485482127962577943753495690258532782147018511750175, 507222017133457507399048159541059729302482262298099528096040456818913085187752925782279385808732260473494863290057, 533663958640518878580794848474449572155795564171089765377581587253792204491009275840408579120376539757958097910250, 2681145160205204287930367627648683111546318004811732016137828270063753300095675791698398080219566725174890793619305, 3259478178021541801713314504097142165241891541242669456591074651894459393333167453811425864198267757724232689747676, 3553147298452254907907643059383506744982654808021508866104139240155822133286673657139615950259800036058045049186173, 1778776925369812510137824472396145391840300438509021838870105004154301861222612045533034046889878767915343446874895, 3409071358092535255033136229525415652816479844958949032220987821989305575696869929136493897719813036034016228268240, 571819148781137687997336847709735468532344087614483867682513640750800758034003212746545051127998686475933050072942, 2676666310158795770609746651024766841212271213339384335651155407291004834251914242990757216402110096603729617413168, 2557670339976470006330058052583841683167706755578266425502679937976714609864257535859316483527764340425703004883241, 973319024062640263364951783086923560907216776835485042157036675663719529568519121997200478026304141184810597275543, 1189768012357955450386827626693191057999220508190415783719135619271537446794904663649700073564180453068646130539863, 790522915783756530835443034667719516913120763875831140857606265058871034793645280121113275798239222760522467771184]
qwq = 52437899
qaq = 1455562845228184014106046353081846661166991594741034685342212005778133078550081291411839443612828739
p = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
pp = 1142978779632379969344384731816162212888551618412329487106182280460437948092775711025967355940728231074890740899064640830398142874211991038883733284039800714505967651759704707992207784798239393362313297134594620014689682614240673537974557609861073306584658917996634844473811713419516903992529010895368959512679762289061068750767272698410215219533780655490415972743692988039833721614365666351993335487907630409251025045193853809748905622077308664180480367745710426032292386656086977067733622324316251529279607679277315460682229036612415671436750122463497232354487970164567780660490851719503274520946852300175626980611392631378809761471008912076867118407483633023972770466259823927186918393298562128724829440836477986155752970694743829209037174635041410726609282526831341517005657513843064438822963889242924262793222516020047446160732380317460354380360631410063425737815245021223478414682926747310466080332446879064402066941673574937629942929233455490274643362453741527197512754992027588837742379352267575132076083027187211706722453314430311004216968206130931288118058422366846939843087867250208877457319655178776062205940749067608893888034471934498471108657546819750267606396282564760741394990056227498915716584453032204001863843912412620387842902864334464379557329439877766499721799090180106521949951507272088709752519109213448727550708629255894136853537524380257318749296652254490078801325565006537513324586727547784991700595087705177455733512116158384067200350557794061293097502070348758198384841013593727341655870858396981828914338167957355150495452710750066169828143717442866112149903974836803397451575951574758654598880735940075788671576674526836994715591739706357057699815597838906674624342854258780099739154689251277228387303286939318942508552968316726162904163233093355404058098725090760924700590208502555303625523880704006432299376446667399608178425319560581147711144539551105861283701119108963169437908720656474728443678191938587615688687790629662300315532804071728862616303844951511490625466845163653129560217890959711300145881339450565190571060840607910845859092526135249208093288167160336376760756304426346191389836338030781150259308295948794598941075005091244070210278000618109506241126900605449640742804019648207423896435466279361456668694686659046783765010159699708381871052284511858609936333837955434251107707443213658437730311109969181952584054470023007587546017226025865786999438913340937349025972249717158120517871211726893902696323141657820845379040062853354814032959005613852245360974457983567350637965684959556717166402357443319038744133853892077940635948927422008055364972815542308398644934412934780783306202098819759411204807373212433398053269281025972467100298781118011559579222633822445452194520775694259907477695015888131044620718709602314026156618474076423869840805574376019023676271040579611999127090671029103930178015883340947208339547
flag = []
for fp in output:
    target = pow(fp, qwq, p)
    for i in trange(65536):
        if pow(i, qwq*qaq, p) == target:
            print(i)
            flag.append(i)
            print(flag)
            break
from Crypto.Util.number import long_to_bytes
flag = b''.join([long_to_bytes(i) for i in flag])
print(flag)

ECBag

题目如下：

from random import randint, choice
from Crypto.Util.number import *
from secret import flag

p = getPrime(160)
print("p =", p)
a, b = int(input("a =")), int(input("b ="))
assert len(set([a%p, b%p, (a+b)%p, (a-b)%p])) == 4
E1 = EllipticCurve(Zmod(p), [a, b])
E2 = EllipticCurve(Zmod(p), [a+b, a-b])
P, Q = E1.gens()[0], E2.gens()[0]

n = 80
s = [choice([0, bytes_to_long(flag)]) for _ in range(n)]
sP, sQ = [_*P for _ in s], [_*Q for _ in s]
AP, AQ = [randint(0, p) for _ in range(n)], [randint(0, p) for _ in range(n)]
encP, encQ = sum([AP[_]*sP[_] for _ in range(n)]), sum([AQ[_]*sQ[_] for _ in range(n)])

print("A =", [AP, AQ])
print("enc =", [P.xy(), Q.xy(), encP.xy(), encQ.xy()])

我不会椭圆曲线啊
数一数发现竟然对于 MT19937 来说数据是够的，但是由于 randint 的原因，可能会有一些数据错位，具体来说就是他会先 getrandbits，如果这个数超过 p 了，那么就会继续生成，此时我们丢失了这个比较大的随机数，那么就得赌他 randint 生成的数据全在 p 以内，这样就跟 getrandbits 一样了。
然后什么 DLP 也不太会，抄一抄代码，做一些优化，避免一下模逆不存在的情况。
每次都会跑出一个 flag mod N，flag 比较大的情况要多出几次做 CRT，实测一般大概 200 次左右出完整的。
远程环境 10 秒一个 getPrime(160)，太逆天了。
一开始跑出来了一个，队友没交直接把容器关了，放生一个 flag，差点 GG，还好又跑出来了，就是一血没了。
非预期图一乐，没啥学习价值。

from pwn import *
from sage.all import *
import ast
from Crypto.Util.number import bytes_to_long, long_to_bytes
import sys
sys.path.append('./MT19937-Symbolic-Execution-and-Solver-master/source')
from MT19937 import MT19937, MT19937_symbolic
from tqdm import trange
import itertools

context.log_level = 'error'

def main():
    r = process(['sage', 'task.sage'])
    r.recvuntil(b'p =')
    p = int(r.recvline().strip())

    from sage.parallel.multiprocessing_sage import pyprocessing

    def find_ab_worker(*args):
        p, attempts = args
        import random
        for _ in range(attempts):
            a = random.randint(1, p-1)
            b = random.randint(1, p-1)
            try:
                E1 = EllipticCurve(Zmod(p), [a, b])
                E2 = EllipticCurve(Zmod(p), [a+b, a-b])
                E1o = E1.order()
                E2o = E2.order()
            except:
                continue
            m1 = prod(list(filter(lambda x: x < 2 ** 32, 
                        (base ** exp for base, exp in factor(E1o)))))
            m2 = prod(list(filter(lambda x: x < 2 ** 32, 
                        (base ** exp for base, exp in factor(E2o)))))
            ml1 = m1.bit_length()
            ml2 = m2.bit_length()
            if ml1 > 40 and ml2 > 40 and (ml1 + ml2) > 120:
                return (a, b)
        return None

    def find_ab(p, processes=20, batch_size=2):
        parallel_iter = pyprocessing(processes)
        P = parallel(p_iter=parallel_iter)
        while True:
            inputs = [((p, batch_size), {}) for _ in range(processes) ]
            results = list(P(find_ab_worker)(inputs))
            for res in results:
                if res[1] is not None:
                    return res[1]

    a, b = find_ab(p)
    r.sendlineafter(b'a =', str(a).encode())
    r.sendlineafter(b'b =', str(b).encode())

    r.recvuntil(b'A =')
    A_data = r.recvline().strip().decode()
    AP, AQ = ast.literal_eval(A_data)

    r.recvuntil(b'enc =')
    enc_data = r.recvline().strip().decode()
    enc_points = ast.literal_eval(enc_data)

    P_xy, Q_xy, encP_xy, encQ_xy = enc_points

    E1 = EllipticCurve(GF(p), [a, b])
    E2 = EllipticCurve(GF(p), [a+b, a-b])

    P = E1(*P_xy)
    Q = E2(*Q_xy)
    encP = E1(*encP_xy)
    encQ = E2(*encQ_xy)

    known = AP + AQ[:45]

    data = []
    for i in known:
        for _ in range(5):
            data.append(i & 2**32-1)
            i >>= 32
    data = data[:624]
    try:
        rng = MT19937(state_from_data = (data, 32))
    except:
        r.close()
        return None
    for tryrev in trange(80, 300):
        rng = MT19937(state_from_data = (data, 32))
        rng.reverse_states(tryrev)
        m_list = [rng() >> 30 for _ in range(tryrev)]
        s = []
        for i in m_list:
            if i <= 1:
                s.append(i)
        if len(s) == 80:
            break

    E1o = E1.order()
    E2o = E2.order()

    def dl(Q, P, n, filnum):
        primes = list(filter(lambda x: x < 2 ** 32 and gcd(x, filnum) == 1, (base ** exp for base, exp in factor(n))))

        dlogs = []
        for fac in primes:
            t = int(n) // int(fac)
            dlog = discrete_log(t*Q,t*P,operation="+")
            dlogs.append(dlog)
        k = int(crt(dlogs,primes))
        return k, prod(primes)
    
    sAP = sum([s[i]*AP[i] for i in range(80)])
    sAQ = sum([s[i]*AQ[i] for i in range(80)])

    sum_AP, modA = dl(encP, P, E1o, sAP)
    sum_AQ, modB = dl(encQ, Q, E2o, sAQ)

    mA = sum_AP * pow(sAP, -1, modA) % modA
    mB = sum_AQ * pow(sAQ, -1, modB) % modB
    # print(mA, modA)
    # print(mB, modB)

    try:
        m = crt([mA, mB], [modA, modB])
        return m, lcm(modA, modB)
    except:
        print('FUCK')
        return (mA, modA) if modA > modB else (mB, modB)


if __name__ == '__main__':
    flags = []
    modulos = []
    for _ in trange(1000):
        res = main()
        if res is not None:
            if res[0] is not None and res[1] is not None:
                flags.append(int(res[0]))
                modulos.append(int(res[1]))
                print("flags =", flags)
                print("modulos =", modulos)
                lst = list(zip(flags, modulos))
                result = []
                for i in range(2, len(lst)+1):
                    for combo in itertools.combinations(lst, i):
                        result.append(list(combo))
                for combo in result:
                    f, m = map(list, zip(*combo))
                    try:
                        flag = long_to_bytes(crt(f, m))
                        if flag.startswith(b'flag'):
                            print(flag)
                            exit()
                    except Exception as e:
                        # print(e)
                        pass

参考

https://hasegawaazusa.github.io/ecc-note.html