from Crypto.Util.number import * from secret import flag
bit_length = len(flag) * 8
p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab K = GF(p) E = EllipticCurve(K, (0, 4)) o = 793479390729215512516507951283169066088130679960393952059283337873017453583023682367384822284289 n1, n2 = 859267, 52437899
while(1): G1, G2 = E.random_element(), E.random_element() if(G1.order() == o and G2.order() == o): P1, P2 = (o//n1)*G1, (o//n2)*G2 break
cs = [(randrange(0, o) * P1 + randrange(0, o) * G2).xy() if i == "1"else (randrange(0, o) * G1 + randrange(0, o) * P2).xy() for i inbin(bytes_to_long(flag))[2:].zfill(bit_length)] print(cs)
p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab K = GF(p) E = EllipticCurve(K, (0, 4)) o = 793479390729215512516507951283169066088130679960393952059283337873017453583023682367384822284289 n1, n2 = 859267, 52437899
points = []
flag = "0" K = E(points[0]) for i in points[1:]: if((n2*K).weil_pairing(E(i), o) == 1): flag += "0" else: flag += "1" print(long_to_bytes(int(flag, 2)))
import socketserver import signal from Crypto.Util.number import * from random import randint import time from sage.geometry.hyperbolic_space.hyperbolic_isometry import moebius_transform from secret import flag
defgame1(self): self.send(b"\nLet's play the game1!") rounds = 1000 pseudo_prime = int(self.recv(prompt=b'[+] Plz Tell Me your number: ')) if isPrime(pseudo_prime): self.send(b"\nNo! it's a prime, go away!") self.request.close() for i inrange(rounds): ifpow(randint(2, pseudo_prime), pseudo_prime - 1, pseudo_prime) != 1: self.send(b"\nYou failed in round " + str(i + 1).encode() + b', bye~~') self.request.close() self.send(b"\nCongratulations, you have won the game1!\n") returnTrue
defgame2(self): self.send(b"Let's play the game2!") res = self.recv(prompt=b'[+] Plz give Me your a, b, c: ') a,b,c = [int(x) for x in res.split(b',')] try: assert (isinstance(a, int) andisinstance(a, int) andisinstance(c, int)) assert a > 0 assert b > 0 assert c > 0 assert a / (b + c) + b / (a + c) + c / (a + b) == 4 assertint(a).bit_length() > 900andint(a).bit_length() < 1000 assertint(b).bit_length() > 900andint(b).bit_length() < 1000 assertint(c).bit_length() > 900andint(c).bit_length() < 1000 self.send(b"\nCongratulations, you have won the game2!\n") returnTrue except: self.send(b"\nNo! Game over!") self.request.close()
deffinal_game(self): self.send(b"Let's play the game3!") set_random_seed(int(time.time())) C = ComplexField(999) M = random_matrix(CC, 2, 2) Trans = lambda z: moebius_transform(M, z) out = [] for _ inrange(3): x = C.random_element() out.append((x,Trans(x))) out = str(out).encode() self.send(out) kx = C.random_element() kx_str = str(kx).encode() self.send(kx_str) C2 = ComplexField(50) ans = C(self.recv(prompt=b'[+] Plz Tell Me your answer: ').decode()) if C2(ans) == C2(Trans(kx)): self.send(b"\nCongratulations, you have won the game3!") self.send(flag) self.request.close() else: self.send(b"\nNo! Game over!") self.request.close()
from Crypto.Util.number import * from random import getrandbits from pwn import *
context.log_level = "critical" sh = remote("1.95.46.185", 10001) ########################################################################## game1 sh.recvuntil(b'[+] Plz Tell Me your number: ') if(0): while(1): k = getrandbits(100) a = 6 * k + 1 b = 12 * k + 1 c = 18 * k + 1 if isPrime(a) and isPrime(b) and isPrime(c): n = a * b * c print(n) break n = 782297933841357541176473640284870344877218151900677131070988547902278660193827528728178354969 sh.sendline(str(n).encode()) sh.recvuntil(b"Congratulations, you have won the game1!")
########################################################################## game2 if(0): PR.<x, y, z> = QQ[] f = (x*(x+z)*(x+y) + y*(y+z)*(y+x) + z*(z+y)*(z+x)) - 4*(x+y)*(x+z)*(y+z) tran = EllipticCurve_from_cubic(f, None, True) tran_inv = tran.inverse() EC = tran.codomain() g = EC.gens()[0] P = g while(1): Pinv = tran_inv(P) a = Pinv[0].numerator() b = Pinv[1].numerator() c = Pinv[0].denominator() if a>0and b>0: if(int(a).bit_length() > 900andint(a).bit_length() < 1000and \ int(b).bit_length() > 900andint(b).bit_length() < 1000and \ int(c).bit_length() > 900andint(c).bit_length() < 1000): print(a, b, c) break P = P+g a, b, c = 1440354387400113353318275132419054375891245413681864837390427511212805748408072838847944629793120889446685643108530381465382074956451566809039119353657601240377236701038904980199109550001860607309184336719930229935342817546146083848277758428344831968440238907935894338978800768226766379, 1054210182683112310528012408530531909717229064191793536540847847817849001214642792626066010344383473173101972948978951703027097154519698536728956323881063669558925110120619283730835864056709609662983759100063333396875182094245046315497525532634764115913236450532733839386139526489824351, 9391500403903773267688655787670246245493629218171544262747638036518222364768797479813561509116827252710188014736501391120827705790025300419608858224262849244058466770043809014864245428958116544162335497194996709759345801074510016208346248254582570123358164225821298549533282498545808644 sh.sendline(str(a).encode() + b"," + str(b).encode() + b"," + str(c).encode()) sh.recvuntil(b"Congratulations, you have won the game2!")
########################################################################## game3 import time from sage.geometry.hyperbolic_space.hyperbolic_isometry import moebius_transform
sh.recvuntil(b"Let's play the game3!") sh.recvline() sh.recvline() C = ComplexField(999) KX = sh.recvline().strip().decode()
temp = int(time.time()) for i inrange(-10, 10): set_random_seed(int(i+temp)) M = random_matrix(CC, 2, 2) Trans = lambda z: moebius_transform(M, z) out = [] for _ inrange(3): x = C.random_element() out.append((x,Trans(x))) out = str(out).encode() kx = C.random_element() kx_str = str(kx).encode() C2 = ComplexField(50) if(str(kx) == str(KX)): break
sh.recvuntil(b'[+] Plz Tell Me your answer: ') sh.sendline(str(C(Trans(kx))).encode()) sh.recvline() sh.recvline() sh.recvline() print(sh.recvline())
from Crypto.Cipher import AES from ast import literal_eval from hashlib import md5 import subprocess
ells = [*primes(3, 200), 269] p = 4*prod(ells) - 1 F = GF(p)
SUKEY = [randint(-3, 3) for _ inrange(len(ells))] defSuAuth(A, priv, LIMIT=True): ifany(priv[i] == SUKEY[i] for i inrange(len(ells))) and LIMIT: return"🙅SUKEY" E = EllipticCurve(F, [0, A, 0, 1, 0]) for sgn in [1, -1]: for e, ell inzip(priv, ells): for i inrange(sgn * e): whilenot (P := (p + 1) // ell * E.random_element()) or P.order() != ell: pass E = E.isogeny_codomain(P) E = E.quadratic_twist() return E.montgomery_model().a2()
defrandom_element(self, degree=(-1, 2), monic=False, *args, **kwds): r""" Return a random polynomial of given degree (bounds). INPUT: - ``degree`` -- (default: ``(-1, 2)``) integer for fixing the degree or a tuple of minimum and maximum degrees - ``monic`` -- boolean (default: ``False``); indicate whether the sampled polynomial should be monic - ``*args, **kwds`` -- additional keyword parameters passed on to the ``random_element`` method for the base ring EXAMPLES:: sage: R.<x> = ZZ[] sage: f = R.random_element(10, x=5, y=10) sage: f.degree() 10 sage: f.parent() is R True sage: all(a in range(5, 10) for a in f.coefficients()) True sage: R.random_element(6).degree() 6 If a tuple of two integers is given for the ``degree`` argument, a polynomial is chosen among all polynomials with degree between them. If the base ring can be sampled uniformly, then this method also samples uniformly:: sage: R.random_element(degree=(0, 4)).degree() in range(0, 5) True sage: found = [False]*5 sage: while not all(found): ....: found[R.random_element(degree=(0, 4)).degree()] = True Note that the zero polynomial has degree `-1`, so if you want to consider it set the minimum degree to `-1`:: sage: while R.random_element(degree=(-1,2), x=-1, y=1) != R.zero(): ....: pass Monic polynomials are chosen among all monic polynomials with degree between the given ``degree`` argument:: sage: all(R.random_element(degree=(-1, 1), monic=True).is_monic() for _ in range(10^3)) True sage: all(R.random_element(degree=(0, 1), monic=True).is_monic() for _ in range(10^3)) True TESTS:: sage: R.random_element(degree=[5]) Traceback (most recent call last): ... ValueError: degree argument must be an integer or a tuple of 2 integers (min_degree, max_degree) sage: R.random_element(degree=(5,4)) Traceback (most recent call last): ... ValueError: minimum degree must be less or equal than maximum degree Check that :issue:`16682` is fixed:: sage: R = PolynomialRing(GF(2), 'z') sage: for _ in range(100): ....: d = randint(-1, 20) ....: P = R.random_element(degree=d) ....: assert P.degree() == d In :issue:`37118`, ranges including integers below `-1` no longer raise an error:: sage: R.random_element(degree=(-2, 3)) # random z^3 + z^2 + 1 :: sage: 0 in [R.random_element(degree=(-1, 2), monic=True) for _ in range(500)] False Testing error handling:: sage: R.random_element(degree=-5) Traceback (most recent call last): ... ValueError: degree (=-5) must be at least -1 sage: R.random_element(degree=(-3, -2)) Traceback (most recent call last): ... ValueError: maximum degree (=-2) must be at least -1 Testing uniformity:: sage: from collections import Counter sage: R = GF(3)["x"] sage: samples = [R.random_element(degree=(-1, 2)) for _ in range(27000)] # long time sage: assert all(750 <= f <= 1250 for f in Counter(samples).values()) # long time sage: samples = [R.random_element(degree=(-1, 2), monic=True) for _ in range(13000)] # long time sage: assert all(750 <= f <= 1250 for f in Counter(samples).values()) # long time """ R = self.base_ring()
ifisinstance(degree, (list, tuple)): iflen(degree) != 2: raise ValueError("degree argument must be an integer or a tuple of 2 integers (min_degree, max_degree)") if degree[0] > degree[1]: raise ValueError("minimum degree must be less or equal than maximum degree") if degree[1] < -1: raise ValueError(f"maximum degree (={degree[1]}) must be at least -1") else: if degree < -1: raise ValueError(f"degree (={degree}) must be at least -1") degree = (degree, degree)
if degree[0] <= -2: degree = (-1, degree[1])
# If the coefficient range only contains 0, then # * if the degree range includes -1, return the zero polynomial, # * otherwise raise a value error if args == (0, 1): if degree[0] == -1: return self.zero() else: raise ValueError("No polynomial of degree >= 0 has all coefficients zero")
if degree == (-1, -1): return self.zero()
# If `monic` is set, zero should be ignored if degree[0] == -1and monic: if degree[1] == -1: raise ValueError("the maximum degree of monic polynomials needs to be at least 0") if degree[1] == 0: return self.one() degree = (0, degree[1])
# Pick random coefficients end = degree[1] if degree[0] == -1: return self([R.random_element(*args, **kwds) for _ inrange(end + 1)])
nonzero = False coefs = [None] * (end + 1)
whilenot nonzero: # Pick leading coefficients, if `monic` is set it's handle here. if monic: for i inrange(degree[1] - degree[0] + 1): coefs[end - i] = R.random_element(*args, **kwds) ifnot nonzero andnot coefs[end - i].is_zero(): coefs[end - i] = R.one() nonzero = True else: # Fast path for i inrange(degree[1] - degree[0] + 1): coefs[end - i] = R.random_element(*args, **kwds) nonzero |= not coefs[end - i].is_zero()
# Now we pick the remaining coefficients. for i inrange(degree[1] - degree[0] + 1, degree[1] + 1): coefs[end - i] = R.random_element(*args, **kwds)
from Crypto.Util.number import * import random from tqdm import *
######################################################### part1 recover MT and get seed RNG = random.Random()
defconstruct_a_row(RNG): row = [] RNG.getrandbits(128*11) for i inrange(bytes_to_long(b"SU")): RNG.getrandbits(128*10) row += [int(int(RNG.getrandbits(128)) & 1)] return row
L = [] for i in trange(19968): state = [0]*624 temp = "0"*i + "1"*1 + "0"*(19968-1-i) for j inrange(624): state[j] = int(temp[32*j:32*j+32],2) RNG.setstate((3,tuple(state+[624]),None)) L.append(construct_a_row(RNG))
L = Matrix(GF(2),L) K = L.T KK = K[:19937, [0]+list(range(32,19968))] KK_inv = KK^(-1)
交互:
1 2 3 4 5 6 7 8 9 10 11 12 13
from pwn import *
context.log_level = "critical"
#sh = process(["sage", "chall.sage"]) sh = remote("1.95.46.185", 10005) sh.recvuntil(b" :") points = eval(sh.recvline().strip().decode()) known = [i[0] % 2for i in points]
d_m = 54846367460362174332079522877510670032871200032162046677317492493462931044216323394426650814743565762481796045534803612751698364585822047676578654787832771646295054609274740117061370718708622855577527177104905114099420613343527343145928755498638387667064228376160623881856439218281811203793522182599504560128 n = 102371500687797342407596664857291734254917985018214775746292433509077140372871717687125679767929573899320192533126974567980143105445007878861163511159294802350697707435107548927953839625147773016776671583898492755338444338394630801056367836711191009369960379855825277626760709076218114602209903833128735441623 e = 112238903025225752449505695131644979150784442753977451850362059850426421356123
k = e*d_m // n + 1 L = Matrix(ZZ, [ [1, 0, 0, e], [0, 1, 0, k], [0, 0, 2^512, e*d_m - k - 1 - k*n], ]) L[:, -1:] *= 2^1000 L = L.LLL() res = L[1] t = res[1] % e
PR.<x> = PolynomialRing(Zmod(e)) f = x^2 + n - t*x res = f.roots() pl = int(res[0][0])
import multiprocessing import tqdm from hashlib import sha256
defcopper_attack(i): PR.<x> = PolynomialRing(Zmod(n)) f = e*(2^12*x + i) + pl f = f.monic() res = f.small_roots(X=2^244, beta=0.499, epsilon=0.02) if(res != []): t = int(res[0]) p = e*(2^12*t + i) + pl q = n // p assert p * q == n and isPrime(p) and isPrime(q) print(sha256(str(p).encode()).hexdigest()[:32]) print(sha256(str(q).encode()).hexdigest()[:32]) returnTrue
with multiprocessing.Pool(processes=16) as pool: for _ in tqdm.tqdm(pool.imap(copper_attack, range(2^12)), total=int(2^12)): if(_): break