记录一下XY的维纳攻击题目
winner's acctack,维纳攻击,其原理https://zhuanlan.zhihu.com/p/400818185 这位佬写的超级详细,若需要证明过程可参考!
维纳的本质在于通过近似phi与n的值,ed = 1 + k * phi 即可化简成 e / n = k / d,其中e , n的值已知的情况下,我们可以通过求e / n的连分数来得到d的值(d包含在e / n的连分数组中),通过循环遍历k的d的值去检验e / phi = k / d,我们便可以求得phi的值,phi = n - (p + q) -1 ,得知(p + q)与 p * q 的值,我们可以通过韦达定理构造一元二次方程: x^2 + (p + q)x + pq = 0,该方程的两解必为p ,q ,从而解决问题。
给个题
题目所示
点击查看代码
p = getPrime(512)
q = getPrime(512)
d = getPrime(512)
e = gmpy2.invert(d, (p**3 - 1) * (q**3 - 1))
flag = "XYCTF{" + **hashlib**.md5(str(p + q).encode()).hexdigest() + "}"
print(e)
print(p * q)
e = 172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163
n = 99075185389443078008327214328328747792385153883836599753096971412377366865826254033534293886034828804219037466246175526347014045811852531994537520303063113985486063022444972761276531422538694915030159420989401280012025249129111871649831185047820236417385693285461420040134313833571949090757635806658958193793
看到题目,只在知道e,n的值情况下,很容易联想到维纳攻击,但本题的e并非真实的e值,那就意味着我们通过维纳攻击求出来的phi值即为(p ** 3 - 1) * (q ** 3 - 1),运用一些数论小知识,我们不难将其化简为n ** 3 − (p+q) ** 3 + 3n * (p+q) + 1,刚好题目的flag是p + q哈希加密后的结果,所以解p + q就行啦!
下面是维纳攻击求phi的代码
点击查看代码
import gmpy2
import libnum
from Crypto.Util.number import long_to_bytes
def transform(x, y): # 使用辗转相处将分数 x/y 转为连分数的形式
res = []
while y:
res.append(x // y)
x, y = y, x % y
return res
def continued_fraction(sub_res):
numerator, denominator = 1, 0
for i in sub_res[::-1]: # 从sublist的后面往前循环
denominator, numerator = numerator, i * numerator + denominator
return denominator, numerator # 得到渐进分数的分母和分子,并返回
# 求解每个渐进分数
def sub_fraction(x, y):
res = transform(x, y)
res = list(map(continued_fraction, (res[0:i] for i in range(1, len(res))))) # 将连分数的结果逐一截取以求渐进分数
return res
def get_pq(a, b, c): # 由p+q和pq的值通过维达定理来求解p和q
par = gmpy2.isqrt(b * b - 4 * a * c) # 由上述可得,开根号一定是整数,因为有解
x1, x2 = (-b + par) // (2 * a), (-b - par) // (2 * a)
return x1, x2
def wienerAttack(e, n):
for (d, k) in sub_fraction(e, pow(n,3)): # 用一个for循环来注意试探e/n的连续函数的渐进分数,直到找到一个满足条件的渐进分数
if k == 0: # 可能会出现连分数的第一个为0的情况,排除
continue
if (e * d - 1) % k != 0: # ed=1 (mod φ(n)) 因此如果找到了d的话,(ed-1)会整除φ(n),也就是存在k使得(e*d-1)//k=φ(n)
continue
phi = (e * d - 1) // k # 这个结果就是 φ(n)
print(phi)
e = 172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163
n = 99075185389443078008327214328328747792385153883836599753096971412377366865826254033534293886034828804219037466246175526347014045811852531994537520303063113985486063022444972761276531422538694915030159420989401280012025249129111871649831185047820236417385693285461420040134313833571949090757635806658958193793
d = wienerAttack(e, n)
这里面的get_pq函数并没有用到,运行结果后发现满足条件的phi有四个值。在尝试带入最后一个phi值时,便可以得到flag的值!
这道题有不严谨的地方在于,在实际的证明过程中,维纳运用的多次近似操作,而事实上,近似的值是会产生影响的,只不过难以证明。这道题能成立的前提在于 p ** 3 和 q ** 3 的值很大,这才让题目符合维纳攻击的特性!ok,证毕,下面附上marddown的证明过程
点击查看代码
winner's attack
$$
phi = (p^3 - 1) * (q^3 - 1) \sim (p*q)^3 = n^3
\\e*d \equiv 1 \mod {phi}
\\e*d = k*phi + 1
\\\sim e*d = k*phi
\\e/phi = k/d
\\ \sim e/n^3 = k / d
\\构造一元二次方程,使得两根为q,p
\\x^2 - (p+q)x + pq = 0
\\韦达定理
$$
数论推理
$$
已知phi=(p^3 - 1) * (q^3 - 1),n=pq
\\求p+q
\\phi=(p^3 - 1) * (q^3 - 1)
\\ = {p*q}^3 - (p^3 + q^3) + 1
\\\because (a+b) (a²-ab+b²)=a³+b³
\\\therefore \\= {n}^3 - (p+q)(p^2-p*q+q^2) + 1
\\ = {n}^3 - (p+q)(p^2 + 2pq + q^2 -3pq) + 1
\\ = n^3 - (p+q)[(p+q)^2-3n] + 1
\\ = n^3 - (p+q)^3 + 3n(p+q) +1
\\令 x = p+q
\\ 0 = - x^3 + 3n \times x + 1 + n^3 - phi
$$