首页 > 其他分享 >NSSRound#11 Basic

NSSRound#11 Basic

时间:2023-05-31 14:37:06浏览次数:50  
标签:11 NSSRound pow list flag Basic print import conn

ez_enc

ABAABBBAABABAABBABABAABBABAAAABBABABABAAABAAABBAABBBBABBABBABBABABABAABBAABBABAAABBAABBBABABABAAAABBAAABABAABABBABBBABBAAABBBAABABAABBAAAABBBAAAABAABBBAABBABABAABABAAAAABBBBABAABBBBAAAABBBBBAB

题目提示不是baconic,那就将A转成0,B转成1,然后用工具一把梭,发现是伏羲六十四卦加密,直接出flag

MyMessage

from Crypto.Util.number import *
import os

flag = os.getenv('FLAG')

e = 127

def sign():
    msg = input("Input message:")
    p = getPrime(512)
    q = getPrime(512)
    n = p*q
    c = pow(bytes_to_long((msg + flag).encode()), e, n)
    print(f"n: {n}")
    print(f"Token: {hex(c)}")

def main():
    while True:
        sign()

main()

这题主要是取多组n和c的值进行中国剩余定理求m

from pwn import *
import re
import binascii, gmpy2
from functools import reduce
import libnum

host = 'node2.anna.nssctf.cn'
port = 28395
conn = remote(host, port)


def interact_with_server(conn):
    conn.recvuntil("Input message:")
    conn.sendline("")

    data1 = conn.recvline().decode()
    data2 = conn.recvline().decode()

    n = int(re.findall(r'n: (\d+)', data1)[0])
    c = int(re.findall(r'Token: 0x(\w+)', data2)[0], 16)

    return n, c


n_values = []
c_values = []

for i in range(127):
    n, c = interact_with_server(conn)
    n_values.append(n)
    c_values.append(c)


def CRT(mi, ai):
    assert (reduce(gmpy2.gcd, mi) == 1)
    assert (isinstance(mi, list) and isinstance(ai, list))
    M = reduce(lambda x, y: x * y, mi)
    ai_ti_Mi = [a * (M // m) * gmpy2.invert(M // m, m) for (m, a) in zip(mi, ai)]
    return reduce(lambda x, y: x + y, ai_ti_Mi) % M


e = 127
n = n_values
c = c_values
m = gmpy2.iroot(CRT(n, c), e)[0]
print(m)
print(libnum.n2s(int(m)))

MyGame

from Crypto.Util.number import *
import os
import random
import string

flag = os.getenv('FLAG')

def menu():
    print('''=---menu---=
1. Guess
2. Encrypt
''')

p = getPrime(512)
q = getPrime(512)
n = p*q

def randommsg():
    return ''.join(random.choices(string.ascii_lowercase+string.digits, k=30))

mymsg = randommsg()
def guess():
    global mymsg
    msg = input()

    if msg == mymsg:
        print(flag)
    else:
        print(mymsg)
        mymsg = randommsg()

def encrypt():
    e = random.getrandbits(8)
    c = pow(bytes_to_long(mymsg.encode()), e, n)
    print(f'Cipher_{e}: {c}')

def main():
    print(f'n: {n}')
    while True:
        opt = int(input())

        if opt == 1:
            guess()
        elif opt == 2:
            encrypt()

main()

因为n是不变的,e是2^8内的随机数,你可以一直输入2去改变e的值,直到e出来的是3或者其他比较小的值,然后低指数加密攻击就可以出来了,这是非预期解吧。这里还是以官方的做法来讲。

因为你每次输入2,他们的n是不变的,c,e是变的,那么就可以使用共模攻击来求解,当然e1和e2必须互素才能解。

from gmpy2 import *
from Crypto.Util.number import *
from pwn import *
import re
import binascii,gmpy2
from functools import reduce
import libnum

# ------------ 交互部分 ------------
host = 'node1.anna.nssctf.cn'
port = 28576
conn = remote(host, port)
data1 = conn.recvline().decode()
n = int(re.findall(r'n: (\d+)', data1)[0])

def interact_with_server(conn):
    conn.sendline("2")
    data1 = conn.recvline().decode()
    print(data1)
    e,c = re.findall(r'Cipher_(\d+): (\d+)', data1)[0]
    e = int(e)
    c = int(c)
    
    return e, c
# ------------ 共模攻击 ------------
def attack():
    e1,c1 = interact_with_server(conn)
    e2,c2 = interact_with_server(conn)

    g,x,y = gcdext(e1,e2)

    m= pow(c1,x,n)*pow(c2,y,n)%n

    m = iroot(m,2)[0]

    return long_to_bytes(m)

def get_flag():
    m = attack()
    print(m)
    conn.sendline("1")
    conn.sendline(m)
    return conn.recvline().decode()

while True:
    flag = get_flag()
    if "NSS" in flag:
        print(flag)
        break

ez_signin

from Crypto.Util.number import *
from secret import flag

p = getPrime(512)
q = getPrime(512)
assert p > q
n = p*q
e = 65536
m = bytes_to_long(flag)
num1 = (pow(p,e,n)-pow(q,e,n)) % n
num2 = pow(p-q,e,n)
c = pow(m,e,n)

print("num1=",num1)
print("num2=",num2)
print("n=",n)
print("c=",c)

\[num1=(p^e-q^e)\pmod n \]

\[num2=(p-q)^e\pmod n \]

\[根据二项式定理展开:num2=(p^e+q^e)\pmod n \]

\[两边同时模p \]

\[num1=(-q^e)\pmod p \]

\[num2=q^e\pmod p \]

\[所以两式相加:num1+num2=0\pmod p \]

\[p=gcd(num1+num2,n) \]

因为e=65536=1<<16,p,q都是4k+3型素数,所以又用到了二次剩余的知识(我周报里写着有),拿出之前的脚本结合,最终wp:

#sage
from sympy.ntheory.modular import crt
from Crypto.Util.number import *

num1= 2775831354229923947744110222507863933574411897722478973469923299411546050474843856326024430074857133976354676857166554872257638426565724387179149171632416985944346489466965110670104990151999871783845959108955589945641517118400357360851865623071772324939539064047191924077951100016766658043724058872748766771
num2= 57822654736857646576418296007540106780276512153756277058855757547382961542492838819696805844716620913167153602856693831726152375890495103035701199247079645092619874561711749593253235666771101287537876783566448505829451706496439205282302119316936881497163266819067206207458038596600471668612939197588441024158
n= 129770519090525725810022018120533695628782431267983618019293084269987333756301607244113360793108640577661794258265039863902836204944419443322596944769367767508517074838227609729864864417275432373782879364663360618747786397730015510710663590152772498306166973852059266895770180830911596826648497480706503280849
c= 71310243822509976120541805309731185677956258041399575869667955731705691994150005919354168558022080451707878959264030784055792822048483199371829432059611371728850382785173978204635157492807325268890777921704824498293700056727016422076617851179126873615625382747399852661166946838768567204732697003229415668085
p=gmpy2.gcd(num2+num1,n)
q=n//p
def get_mm(p, e_factor):
    cp_list = [c % p]
    for i in e_factor:
        cpp_list = []
        for j in cp_list:
            R.<x> = Zmod(p)[]
            f = x^i - j
            mm = f.roots()
            cpp_list.extend([int(i[0]) for i in mm])
        cp_list = cpp_list
    return cpp_list
e_factor = [2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2]  #将e分解成16个2
cp_list = get_mm(p, e_factor)
cq_list = get_mm(q, e_factor)
for i in cp_list:
    for j in cq_list:
        m = crt([p,q],[i,j])
        for z in m:
            m1 = long_to_bytes(int(z))
            if b'NSS' in m1:
                print(m1)

NTR

好家伙,涉及新知识NTRU加密算法,直接去学习一手

NTRU是一个带有专利保护的开源公开密钥加密系统,使用基于格的加密算法来加密数据。它包括两部分算法:NTRUEncrypt用来加密,NTRUSign用来进行数字签名。与其他流行的公钥加密系统不同,它可以防止被Shor算法破解,并显著提升了性能。NTRU算法被认为可以抵抗量子攻击。
NTRU is based on the SVP or CVP in a lattice

算法流程如下:

在这里插入图片描述

文字描述:

\[初始化三个整数参数(N,p,q)和四个具有N-1阶多项式f、g、r、m,其中N为表数,p可以是多项式或整数,q为整数 \]

\[但要保证gcd(p,q)=1,多项式f、g、r中非0系数的个数分别用d_f,d_g,d_r表示 \]

\[密钥产生:Bob根据NTRU参数N,d_F,d_g,随机选取多项式F,g\in R,F中的非0系数的个数为d_F,计算多项式h: \]

\[f=1+p*F \]

\[f*f_q\equiv 1\pmod q \]

\[h\equiv p*g*f_q\pmod q \]

\[f_g表示f的模q逆,Bob的公开密钥为(N,p,q,h),私钥为(f,f_p) \]

加密:

\[假设A想发送信息 m\in L_m 给B,他将根据参数 d_{\phi} 随机选择一个 \phi \in L_{\phi},然后他利用B的公钥 h 计算 \]

\[e\equiv \phi *h+m\pmod q \]

\[A把密文e发送给B \]

解密:

\[当B收到密文 e 后,他首先利用私钥 f 计算 \]

\[a\equiv f*e\pmod q \]

\[选择 a 的系数位于 [−\frac{p−1}{2},\frac{p-1}{2}] 之间,然后计算 \]

\[b\equiv a\pmod p \]

\[c\equiv F_p*b\pmod p \]

\[则多项式c就是明文m \]

那么就要构造矩阵\(\begin{pmatrix} I & H\\ 0 & q \end{pmatrix}\)=\(\begin{pmatrix} \lambda & 0 & \cdots & 0 & h_0 & h_1 & \cdots & h_{N-1}\\ 0 & \lambda & \cdots & 0 & h_{N-1} & h_0 & \cdots & h_{N-2}\\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & \lambda & h_1 & h_2 & \cdots & h_0\\0 & 0 & \cdots & 0 & q & 0 & \cdots & 0\\0 & 0 & \cdots & 0 & 0 & q & \cdots & 0\\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots\\0 & 0 & \cdots & 0& 0 & 0 & \cdots & q\\ \end{pmatrix}\),其中 H 是根据公钥多项式的系数生成的循环矩阵。构建一个这样的矩阵,然后进行LLL算法得到解密密钥。

exp:

#sage
h = 0b111010101001111010101010101100000011001010001111010010101110110111011101110100001111110100100011110001110000100110011000011110010101110011100111010101001010000000010010001110000000010110011100000011110110100111000101110010100100111011000100000010101011010000101111011000011110101100111011000100001101100001110001011101111100001100011111010010010001001001111100011001100010001000010011110011001000101011011011001011010100010111110011000101100101100001110010011111000111000101111101111110001010111110111010110111110100100010000110111011101111101011110000100010000000100100110101111101100111011101001001010110000101001010111011011001011010101111010010110001011001010010000011111101110000111100001000111101000111110011001000101001011111110111110000100110101101111001000100100010010100010011011011000000111111110100011010001111111001111010111111110101101101110110000110101001100111110110101111001101111001101000001110011100100100100111000011110011000110101011110101110101001101000100010010110011001011110010110010001101110011011001110101110001010011010001011010011110111000100000000100010000101011101101101001011101100011010111001011011110100101110000100001111100101010010010100111101000011000111001011111110100010010100101100101001001001101101010110001111110000101110110101000101110011100100001011000100110001000111101111001001011011001110010101001010001011011000100100010011000111110001110001011111111110110000001011011110101111110111010000011001111100011010001000100001010000000000101000001011010100111001101111001110100001101101100011110101111101011110111010110101110100010100011010001011111011011101011100001001000110110011001100100100101010011000011010010010111000011101100001100101011011101101100001011110101000000101100111101000110001100100000000100011010111111001010100001001001010001111011000110001111101111110010111101101100110110101010101000101101100110010000010111101110111110110100001011000100011010001011011000000001111001100010011000011101101000000110101111010100011000011111010101011111010000111000011011000011001001111000010000100
p = 0b10001000111011111101101011011111100100100010010111010011100110011010111100101100111001111101100001111010000010100101111101100010111100000011011100010001011001001000011101100100011110110110100100000110101010100111001111101000101100001010110011000101101000110001101001101000000100001011100111110101011110001110001111111110010011001100100001001011100110010110100010101000101000001100101101010000100101010101111011000100010001100101011111000100000111000111101110011001001010010000111000011010101010110100111111110100101110111001110111011010101010000001101110000101010111000011001000110001100010011011111110001000110011101001011010001110001001001111110001011111011010100010001110111110011101111001000011000000100000101111010011110111111101111111000101100111101010001010011110101000010001000000010101010011010101000000000100011101001110111100010111100111111110001011100110001101010000011110000110001001111111000000100111000111010110111110110001100000010100110110001011000110010000100101001010101011001011001100101101101111010110001111010000100001001101101110010010111101011011001101100100011000111001110001100010111101010100111010101110010100111001011111000100100010000111011110010100001001110001001110111100000110000010110111001011111111100111011111011010101100011010010001001101010101010101101100011110000001000100111001111111010010100101010100010111110000011100010111101100010010110010111101010001110101101101001011010110000010101110011010110111011111111101101011101111001110010111110010000001000010010010100010101010010011011111101101111011001010100001101000000111111011111111100111101001010001110111111011110100101010000011111101110100111101111110001000000111100100110011010010010000001011110001000010000111001010010101001110010011001010001111010001111011110110001000111100001011100100011101110001111100101000011001001001011010101101111100111000010011100011010011011110001010010110111111100000010000000111100111010000111000011010110000111100011111000100001100000101000011100001010001000100010100000111000000111000011010010000101010100100100010110111
c = 0b11100000010101110010011110011100110100011000111100010011100010000011011111110010110011101010001110110010111001001111110111001011100110100100000000110110010100101000101110101100101110100011101111000010101010011001110111001011011001110111000010011010100101111110101100111000011110000110100111111110110000100010111010111010101001101000101000111011001100101011100000000110000100101010110000010101100110011111101110000000010001110000010001110101000110000100100101110111011100010100110001000101110010001101010110000001001110000001001011001111010001111010000110100110011110100011001100101100000101110100101111100111001100001000011100100001101110000011010000001011010010001101010000001010011000111110010101001000111000111101110100101110100001111111011100011101010111001101000101001111011011111111010000010110001011001100010001000011011000101001011111010100011001101001110100000011100100011100111110011010011011000000101011100001100011100100000111000010101101110101010001111110000100111111001100100000101010001111001111000010100011100101100011101110011100000101110001101001100011111110111000010111110011001110010111100101101110011000000111000111100001001001000101011100010010000001000001101001100001100111011011000111101101010000110100001010000000101011010010101110100111110011100010110010001001100010011111010000001001101110000110111100101111011010001111111111010000110101000100110100100111011110100010010000100010111110011001111001111100000010010101001000110001010011100001101001011110101000001011100010011111100010000011110001101001110111011001101100010000101011011010111000100101011010001000001111110110011100010001101000110010000110011111110010010111110001100101000010000011100001011111000110101110000100010100011111101001001111111100001100100000001011100001101101010010001000110101011001010100001110000010011100110000001101100001100010100010101010110010110111101010111011110000100010001111011010001101111011101010010111011110001001000011111111001110010100001011011100000010001000101111110000010010110010000010110001100010110001110011001000010111100
v1 = vector(ZZ, [1, h])
v2 = vector(ZZ, [0, p])
m = matrix([v1,v2])  #构造格
f, g = m.LLL()[0]
print(f, g)

a = f*c % p % g
m = a * inverse_mod(f, g) % g
print(bytes.fromhex(hex(m)[2:]))

ez_fac

from Crypto.Util.number import *
import random
from secret import flag,a0,a1,b0,b1

p = getPrime(512)
q = getPrime(512)
e = getPrime(128)
n = p*q
assert pow(a0,2) + e * pow(b0,2) == n
assert pow(a1,2) + e * pow(b1,2) == n
m = bytes_to_long(flag)
c = pow(m,e,n)

print("c=",c)
print("n=",n)
print("a0=",a0)
print("a1=",a1)
print("b0=",b0)
print("b1=",b1)

e=(pow(a1,2)-pow(a0,2))//(pow(b0,2)-pow(b1,2)),且e是素数,那么思路清晰了,只要能把n分解掉就行了。看wp吧

检索一下相关文献,比如这个:
A Note on Euler's Factoring Problem-Brillhart_Euler_factoring_2009

img

对于这个题目本身就没什么可说的了

文字描述:

\[设N> 1为奇数,用两种不同的方式表示为 \]

\[N=m*a^2+n*b^2=m*c^2+n*d^2 \]

\[其中a, b, c, d, m, n\in Z^+, b < d,和 gcd(m*a,n*b) = gcd(m*c, n*d) = 1.然后 \]

\[N=gcd(N,a*d-b*c)*\frac{N}{gcd(N,a*d-b*c)} \]

\[其中因子是重要的。 \]

所以\(a*d-b*c=a0*b1-a1*b0\).

exp:

from Crypto.Util.number import *
import random
import gmpy2

c= 35365949784050829929861737789236020559135622198897625351353637445622956768233865962002277568692477708475206540271806542711843022878152143032364877838180739249214035959876599676088358907232330955234529703338468238427784663238111249828170368817450879581282130905777101291196257788568056540581712737620696888181
n= 60759060882959791909904396677188989949758090199603630243982902422381690538885036721260587316981956179159099537464766520810988299027308891716697721325694989187113132568281096643090555966502943628821584608317087986774067361766441006582461264783625589284748285132591500064467264821214540974749792006934616412217
a0= 7794809868300816476939749391923181660663599092817735689970830403880360740950291069966802056703842257352942487715953634294627774900178116901736408438781725
a1= 7794809868300816476939748778965768208814733337627617321244638924271232070361166330324980435743037906985498772947115676315756364476413563742000304770717475
b0= 19283995921825875899155714134110227538038032500196406129941198508864582000463560816723795975202107099295086076956040133684
b1= 172332404813056620110912939211150875333966617506319147214329967023854401850532359816888852973202924631133349299841944983684

temp=a0*b1-a1*b0
p=GCD(temp,n)

q=n//p
e=(pow(a1,2)-pow(a0,2))//(pow(b0,2)-pow(b1,2))

phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))

标签:11,NSSRound,pow,list,flag,Basic,print,import,conn
From: https://www.cnblogs.com/L00kback/p/17445967.html

相关文章

  • Git + msys2 + ohmyzsh 打造Win11美化终端及代码高亮
    1.下载最新版zshPackage:zsh-MSYS2Packages2.下载PeaZiphttps://peazip.github.io/解压zsh-5.9-2-x86_64.pkg.tar.zst文件全部放入安装的Git目录下。3.设置zsh为默认终端1.打开git-bash2.键入zsh3.vi~/.bashrc#LaunchZshif[-t1];thenexeczshfi4.......
  • java9&10&11
    java9语法改进:接口的私有方法Java8中规定接口中的方法除了抽象方法之外,还可以定义静态方法和默认方法。一定程度上,扩展了接口的功能,此时的接口更像是一个抽象类。在Java9中,接口更加的灵活和强大,连方法的权限修饰符都可以声明为private的了,此时方法将不会称为你对外暴露API的......
  • error LNK1104: 无法打开文件“d3dx10d.lib”
    将库目录默认的$(DXSDK_DIR)\Lib\x86删除,改为绝对路径就可以了。。奇怪。。明明已经在电脑的环境变量里配置了DXSDK_DIR变量了。而且include目录能找到啊。。怎么就lib文件夹找不到呢? 参考:https://www.cnblogs.com/Thermo/p/15755273.html......
  • SSO2.0 11-20230530
           ......
  • 1107 Social Clusters
    题目:Whenregisteronasocialnetwork,youarealwaysaskedtospecifyyourhobbiesinordertofindsomepotentialfriendswiththesamehobbies.A socialcluster isasetofpeoplewhohavesomeoftheirhobbiesincommon.Youaresupposedtofindallt......
  • Gym - 101174F[(DSU)+树状数组]
    题目链接:https://vjudge.net/problem/Gym-101174F 解题思路:其实这题不同启发式合并也可以做,对rank排个序,然后在做个dfs序,把rank值小的先插入树状数组中更新,然后对每个节点查询它的dfs序的区间和就好了。对于DSU来说就更加无脑了,本来就是"暴力",所以我们直接DSU再加一个树状数组维......
  • Gym - 101170H[格雷码规律]
    题目链接:https://vjudge.net/problem/Gym-101170H 解题思路:如果用一个值给他们做排名,可以发现一个格雷码的值是从高位开始间隔性+,-变化2^(i)-1。#include<bits/stdc++.h>usingnamespacestd;typedeflonglongll;chara[105],b[105];intmain(){ intn; scanf("%d",&n)......
  • Gym - 101170A[DP+思维]
    题目链接:https://vjudge.net/problem/Gym-101170A 解题思路:首先要确定的是,改变次数最多不会超过2*n次,因为n最多40,所以我们只要改变每个数的前两个最高位,肯定可以让n个数有序。然后我们就可以想办法搞个DP[i][j]表示将前i个数变成有序花了j次的最小值。为什么是最小值呢,维护最小......
  • CF 1175E Minimal Segment Cover[RMQ]
    题目链接:http://codeforces.com/problemset/problem/1175/E 解题思路:预处理出每个点用一次可以到达最远的距离。那么某个点用两次可以到达最远距离就是他用一次到达最远距离的地方用一次到达的最远距离,所以我们可以去倍增。#include<bits/stdc++.h>usingnamespacestd;typed......
  • Suse 12 安装gcc 11
    由于suse12默认不自带gcc镜像源,需要自行安装,首先添加gcc镜像源zypperar-fhttp://download.opensuse.org/repositories/devel:/gcc/SLE-12/devel:gcc使用zypperref命令刷新安装源(由于制作镜像时未删除cdrom源,会提示该源无法使用。是否使用该源选no)使用zypperlr查看gcc源......