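from Crypto.Util.number import *
from random import *
from secret import flag

# NOTE(review): `random` is a general-purpose PRNG, not a cryptographic one;
# its `shuffle` is what selects every step of the secret isogeny walk in
# this script.

# The flag is the RSA plaintext, encoded as one big-endian integer.
m = bytes_to_long(flag)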
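def nextPrime(p):
    """Return the smallest prime that is greater than or equal to ``p``.

    The search is a plain linear scan: ``p`` is incremented by one until
    ``isPrime`` accepts it. The result is a deterministic function of the
    argument, so it adds no secrecy of its own to whatever ``p`` is
    derived from.
    """
    while not isPrime(p):
        p += 1
    return p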
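# Starting curve: j = 1728 over GF(p1^2) with p1 = 2^151 * 5^172 - 1.
a = 151
b = 172
p1 = 2^a*5^b - 1
F.<i> = GF(p1^2, modulus = x**2 + 1)
E = EllipticCurve(j=F(1728))
assert E.is_supersingular()

# Secret walk: 50 steps, each a 5-isogeny whose kernel is generated by a
# randomly chosen 5-torsion point. The slice [1:] drops the first entry of
# division_points(5), presumably the point at infinity.
# The loop counter is `_` so it does not rebind the field generator `i`.
for _ in range(50):
    P = E(0).division_points(5)[1:]
    shuffle(P)
    phi = E.isogeny(P[0])
    E = phi.codomain()
j1 = E.j_invariant()

# RSA key derived from the walk endpoint. `a` and `b` are reused here for
# the two coordinates of j1 and no longer hold the exponents 151 and 172.
# NOTE(review): p is a deterministic function of j1, so p is only as secret
# as the endpoint of the walk. Disclosing any j-invariant a few 5-isogeny
# steps away from j1 leaves a candidate set small enough to enumerate, which
# is what the solver further down this page relies on. An RSA prime should
# come directly from a CSPRNG and not be tied to a value that is later
# published.
a = int(j1[0])
b = int(j1[1])
p = nextPrime(a+b)
q = getPrime(p.bit_length())
n = p*q
e = 65537
c = pow(m,e,n)
print("e =",e)
print("n =",n)
print("c =",c)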
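# leak
# Walk four more 5-isogeny steps away from the secret curve, recording the
# j-invariant reached after each step.
# NOTE(review): the listing ends without showing which value is published;
# the solver on this page is handed a single j-invariant, presumably the
# last entry of `path`.
path = []
for i in range(4):
    P = E(0).division_points(5)[1:]
    shuffle(P)
    phi = E.isogeny(P[0])
    j1 = phi.codomain().j_invariant()
    # Re-draw while the step would land on a j-invariant already recorded.
    # `path` starts empty, so the j-invariant of the secret starting curve
    # itself is never excluded by this check.
    while j1 in path:
        shuffle(P)
        phi = E.isogeny(P[0])
        j1 = phi.codomain().j_invariant()
    path.append(j1)
    E = phi.codomain()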
res = Φ5.roots(multiplicities=False) if(j_prev == None): return res else: returnlist(set(res) - set([j_prev]))
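# Same field as the generator script: GF(p1^2) with i^2 = -1.
a = 151
b = 172
p1 = 2^a*5^b - 1
F.<i> = GF(p1^2, modulus = x^2 + 1)

# Public RSA values printed by the generator script.
e = 65537
n = 27660779504321925356006447667320327390150480983648690901006174352749339874518759333831733034192127427897623854124514212301624188883116023679233194726978962252585566329625462410597485158957857003260340456610951535430042915065253353543837935016496092356489028408052863701705400021364167367862977808597173766465657159249607404278555781
c = 17137574768375613142899612121220754893579308480997275465013572460778148685559737592316898103173913046913093108521865424971517481171364906226416089569353963219436198051916581024399601607752314215085545336295450568344615872394961924295547685771955504826631319190372175753842519822279019714777697711192486128339049294501128261475088218

# The leaked j-invariant, written as (coefficient)*i + (constant term).
j1 = 3298455770740418540320875487876272515859315516778722120913599648146333514148291435827951366406176762948612097557652865226784729596111676446684986604300101971837911163*i + 4537130021779297048213998573445169432922796703632002090410524491881919608982806774072433257149497571183513473757657759960381311229351179660958581657639633158226859944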
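# Expand outward from the leaked j-invariant one 5-isogeny step at a time.
# setK holds every j-invariant reachable in exactly K steps; building each
# layer as a set removes duplicates before the next expansion.
# find_neighbors_phi5 is called without a previous j-invariant, so each
# layer presumably also contains steps back toward the layer before it.
set1 = find_neighbors_phi5(j1)
set2 = {nb for k in set1 for nb in find_neighbors_phi5(k)}
set3 = {nb for k in set2 for nb in find_neighbors_phi5(k)}
set4 = {nb for k in set3 for nb in find_neighbors_phi5(k)}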
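# Test each 4-step candidate by repeating the generator's derivation
# p = nextPrime(a + b) and checking whether the result divides n.
# nextPrime is not defined in this solver listing; it has to be the same
# helper the generator script uses.
for k in set4:
    a = int(k[0])
    b = int(k[1])
    p = nextPrime(a+b)
    if n % p != 0:
        continue
    # p divides n, so the factorisation and the private exponent follow.
    q = n // p
    d = inverse(e,(p-1)*(q-1))
    print(long_to_bytes(int(pow(c,d,n))))
    break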
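# part1: remove redundant data of table
# Only the upper 7 bits of each character's code are kept (ord // 2), so the
# ten digits collapse pairwise ('0'/'1', '2'/'3', ...) into five distinct
# 7-bit prefixes. First-seen order is preserved.
table = "0123456789"
prefix_set = []
for ch in table:
    prefix = bin(ord(ch) // 2)[2:].zfill(7)
    if prefix not in prefix_set:
        prefix_set.append(prefix)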
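# part2: bruteforce LFSR1.key and LFSR3.key
# Every candidate is 8 bytes built from 8 prefixes, each padded with a low
# bit of 0. With 5 prefixes per position that is 5**8 candidates, a space
# small enough to walk exhaustively, because the key bytes are restricted
# to the digits in `table`.
key13 = []
for i in tqdm(product(prefix_set, repeat=8), total=5**8):
    temp = ''.join(c + '0' for c in list(i))
    key = long_to_bytes(int(temp, 2))
    # NOTE(review): the listing stops here; the check that would append a
    # matching candidate to key13 is not shown on this page.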
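# NOTE(review): the `class MRG:` header and the `next()` method that the
# generator script calls are not part of this listing; only these two
# methods survive. The first one appears in the listing as `definit`; it is
# restored to `__init__` because the generator constructs `MRG(A_len, p)`.
def __init__(self, para_len, p):
    """Draw random parameters for a generator of order ``para_len`` mod ``p``.

    ``a`` (``para_len`` coefficients) and ``b`` are drawn from [1, p]
    inclusive. The initial state ``s`` is ``para_len`` character codes
    drawn from ``string.printable``, so every state value is tiny compared
    with a 256-bit ``p``; the solver on this page keys on exactly that
    (``< 128``) to tell real generator output from random triples.
    """
    self.p = p
    # NOTE(review): randint/choice come from `random`, which is not a
    # cryptographic RNG.
    self.b = randint(1, self.p)
    self.a = [randint(1, self.p) for _ in range(para_len)]
    self.s = [ord(choice(string.printable)) for _ in range(para_len)]


def get_params(self):
    """Return ``[a, b, s[0]]``: the coefficients, the constant and the
    first value of the current state."""
    return [self.a, self.b, self.s[0]]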
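# Turn the flag into a bit string, most significant bit first.
# bin() emits no leading zeros, so any zero bits at the very top of the
# first flag byte are missing from flag_bin; whoever rebuilds the flag has
# to pad the recovered bits back to a multiple of 8.
flag = bytes_to_long(flag)
flag_bin = bin(flag)[2:]

Round = 2024
A_len = 10
p = getPrime(256)

# One record [a, b, s] per flag bit:
#   bit "0": parameters of a real MRG plus the first state value after
#            `Round` calls to next()
#   bit "1": a, b and s all drawn independently from [1, p]
# The scheme is only as strong as the indistinguishability of these two
# cases.
output = []
for bit in flag_bin:
    if bit == "0":
        temp = MRG(A_len, p)
        for j in range(Round):
            temp.next()
        output.append(temp.get_params())
    else:
        a = [randint(1, p) for _ in range(A_len)]
        b = randint(1, p)
        s = randint(1, p)
        output.append([a, b, s])

with open("output.txt", "w") as f:
    # NOTE(review): p and the list are written back to back with no
    # separator; the file format is kept as in the original listing.
    f.write(str(p))
    f.write(str(output))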
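# Solver for the MRG challenge. The code that follows uses Matrix, Zmod,
# block_matrix and LLL, so it has to run under SageMath.
from Crypto.Util.number import *
from tqdm import *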
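# matrix of MRG
def build_iter_Matrix(a, b, p, length):
    """Build the (length+1) x (length+1) one-step matrix over Zmod(p).

    Layout:
      * rows 0 .. length-2 carry a single 1 on the superdiagonal (shift),
      * row length-1 holds a[0], ..., a[length-1] followed by b,
      * the last row is (0, ..., 0, 1), which preserves a trailing
        constant 1.

    Applied to the column vector (s_0, ..., s_{length-1}, 1) it yields
    (s_1, ..., s_{length-1}, sum(a[k] * s_k) + b, 1). This presumably
    mirrors one call to MRG.next(), which is not shown on this page.
    """
    L = Matrix(Zmod(p), length + 1, length + 1)
    for row in range(length - 1):
        L[row, row + 1] = 1
    for col in range(length):
        L[length - 1, col] = a[col]
    L[length - 1, -1] = b
    L[-1, -1] = 1

    return L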
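Round = 2024
A_len = 10
leak_len = 1
# The listing leaves both values blank; they come from output.txt.
p = None       # placeholder: the prime written at the start of output.txt
output = None  # placeholder: the list written after it in output.txt

# Classify every record as real generator output ("0") or random ("1").
flag = ""
for i in tqdm(output):
    a,b,s = i[0],i[1],[i[2]]
    L = build_iter_Matrix(a,b,p,A_len)
    L = L^Round
    # First `leak_len` columns of the transpose of L^Round: presumably the
    # coefficients that express the observed value in terms of the initial
    # state and the constant 1.
    L = (L.T)[:,:leak_len]
    # Lattice basis: an identity block next to a column holding those
    # coefficients stacked on -s, plus one row carrying the modulus p.
    T = block_matrix(
        [
            [identity_matrix(A_len+1+1),Matrix(ZZ,L).stack(-vector(ZZ,s))],
            [zero_matrix(leak_len,A_len+1+1),identity_matrix(leak_len)*p]
        ]
    )
    # Weight the relation column by 2^1000 so that reduced vectors satisfy
    # the relation modulo p, then undo the scaling after LLL.
    Q = diagonal_matrix([1]*(A_len+1+1) + [2^1000]*leak_len)
    T = T*Q
    T = T.LLL()
    T = T/Q
    res = T[0]
    # A real generator starts from printable character codes, so a first
    # coordinate below 128 in the shortest reduced row marks a "0" record.
    # Only that first coordinate of the first row is inspected.
    if(abs(res[0]) < 128):
        flag += "0"
    else:
        flag += "1"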