Participate HITCON CTF 2022

Qwaz · Qwaz · commit ac624c589bc0 · 2023-01-23T20:51:25.000+09:00
diff --git a/HITCON/2022/secret/output.txt b/HITCON/2022/secret/output.txt
diff --git a/HITCON/2022/secret/prob.py b/HITCON/2022/secret/prob.py
@@ -0,0 +1,15 @@
+import random, os
+from Crypto.Util.number import getPrime, bytes_to_long
+
+p = getPrime(1024)
+q = getPrime(1024)
+n = p * q
+
+flag = open('flag','rb').read()
+pad_length = 256 - len(flag)
+m = bytes_to_long(os.urandom(pad_length) + flag)
+assert(m < n)
+es = [random.randint(1, 2**512) for _ in range(64)]
+cs = [pow(m, p + e, n) for e in es]
+print(es)
+print(cs)
diff --git a/HITCON/2022/secret/solver.sage b/HITCON/2022/secret/solver.sage
@@ -0,0 +1,122 @@
+import ast
+import random
+from multiprocessing import Pool
+
+from Crypto.Util.number import inverse, long_to_bytes
+
+with open("output.txt", "r") as f:
+    es = ast.literal_eval(f.readline())
+    cs = ast.literal_eval(f.readline())
+
+
+def coeff_mul(coeffs, n=None):
+    acc_e = 0
+    acc_c = 1
+    for (e, c, coeff) in zip(es, cs, coeffs):
+        acc_e += coeff * e
+        if n is None:
+            acc_c *= pow(c, coeff)
+        else:
+            acc_c *= pow(c, coeff, n)
+
+    return (acc_e, int(acc_c))
+
+
+def work(work_arg):
+    (basis, n) = work_arg
+
+    if sum(basis) != 0 or basis[len(basis) - 1] != 0 or basis[len(basis) - 2] != 0:
+        return None
+
+    first = []
+    second = []
+
+    for i in range(len(basis) - 1):
+        if basis[i] < 0:
+            first.append(-basis[i])
+            second.append(0)
+        else:
+            first.append(0)
+            second.append(basis[i])
+
+    return abs(coeff_mul(first, n)[1] - coeff_mul(second, n)[1])
+
+
+# First stage - find N
+n = None
+bits = 0
+
+small_prime = []
+
+for i in range(2, 100):
+    if is_prime(i):
+        small_prime.append(i)
+
+with Pool() as pool:
+    while True:
+        mat = []
+        scale = 2**64
+
+        for (i, e) in enumerate(es):
+            row = [1 if i == j else 0 for j in range(len(es))]
+            row.append(e * scale)
+            row.append(scale)
+            mat.append(row)
+
+        bases = Matrix(mat).LLL()
+        worklist = [(basis, n) for basis in bases]
+        for cand in pool.map(work, worklist):
+            if cand is None:
+                continue
+
+            if n is None:
+                n = cand
+            else:
+                n = gcd(n, cand)
+
+            bits = int(n).bit_length()
+            print(f"bit_length of N: {bits}")
+
+        for prime in small_prime:
+            while n % prime == 0:
+                n = n // prime
+        print(f"bit_length of N: {bits}")
+
+        if bits == 2048:
+            break
+
+# Second stage - recover m
+if es[0] > es[1]:
+    big = 0
+    small = 1
+else:
+    big = 1
+    small = 0
+
+first_e = es[big] - es[small]
+first_c = cs[big] * inverse(cs[small], n) % n
+
+if es[3] > es[4]:
+    big = 3
+    small = 4
+else:
+    big = 4
+    small = 3
+
+second_e = es[big] - es[small]
+second_c = cs[big] * inverse(cs[small], n) % n
+
+
+def egcd(a, b):
+    if a == 0:
+        return (b, 0, 1)
+    else:
+        g, y, x = egcd(b % a, a)
+        return (g, x - (b // a) * y, y)
+
+
+g, x, y = egcd(first_e, second_e)
+assert g == 1
+
+m = pow(first_c, x, n) * pow(second_c, y, n) % n
+print(long_to_bytes(int(m)))
diff --git a/HITCON/2022/secret/solver.sage.py b/HITCON/2022/secret/solver.sage.py
@@ -0,0 +1,129 @@
+
+
+# This file was *autogenerated* from the file solver.sage
+from sage.all_cmdline import *   # import sage library
+
+_sage_const_0 = Integer(0); _sage_const_1 = Integer(1); _sage_const_2 = Integer(2); _sage_const_100 = Integer(100); _sage_const_64 = Integer(64); _sage_const_2048 = Integer(2048); _sage_const_3 = Integer(3); _sage_const_4 = Integer(4)
+import ast
+import random
+from multiprocessing import Pool
+
+from Crypto.Util.number import inverse, long_to_bytes
+
+with open("output.txt", "r") as f:
+    es = ast.literal_eval(f.readline())
+    cs = ast.literal_eval(f.readline())
+
+
+def coeff_mul(coeffs, n=None):
+    acc_e = _sage_const_0 
+    acc_c = _sage_const_1 
+    for (e, c, coeff) in zip(es, cs, coeffs):
+        acc_e += coeff * e
+        if n is None:
+            acc_c *= pow(c, coeff)
+        else:
+            acc_c *= pow(c, coeff, n)
+
+    return (acc_e, int(acc_c))
+
+
+def work(work_arg):
+    (basis, n) = work_arg
+
+    if sum(basis) != _sage_const_0  or basis[len(basis) - _sage_const_1 ] != _sage_const_0  or basis[len(basis) - _sage_const_2 ] != _sage_const_0 :
+        return None
+
+    first = []
+    second = []
+
+    for i in range(len(basis) - _sage_const_1 ):
+        if basis[i] < _sage_const_0 :
+            first.append(-basis[i])
+            second.append(_sage_const_0 )
+        else:
+            first.append(_sage_const_0 )
+            second.append(basis[i])
+
+    return abs(coeff_mul(first, n)[_sage_const_1 ] - coeff_mul(second, n)[_sage_const_1 ])
+
+
+# First stage - find N
+n = None
+bits = _sage_const_0 
+
+small_prime = []
+
+for i in range(_sage_const_2 , _sage_const_100 ):
+    if is_prime(i):
+        small_prime.append(i)
+
+with Pool() as pool:
+    while True:
+        mat = []
+        scale = _sage_const_2 **_sage_const_64 
+
+        for (i, e) in enumerate(es):
+            row = [_sage_const_1  if i == j else _sage_const_0  for j in range(len(es))]
+            row.append(e * scale)
+            row.append(scale)
+            mat.append(row)
+
+        bases = Matrix(mat).LLL()
+        worklist = [(basis, n) for basis in bases]
+        for cand in pool.map(work, worklist):
+            if cand is None:
+                continue
+
+            if n is None:
+                n = cand
+            else:
+                n = gcd(n, cand)
+
+            bits = int(n).bit_length()
+            print(f"bit_length of N: {bits}")
+
+        for prime in small_prime:
+            while n % prime == _sage_const_0 :
+                n = n // prime
+        print(f"bit_length of N: {bits}")
+
+        if bits == _sage_const_2048 :
+            break
+
+# Second stage - recover m
+if es[_sage_const_0 ] > es[_sage_const_1 ]:
+    big = _sage_const_0 
+    small = _sage_const_1 
+else:
+    big = _sage_const_1 
+    small = _sage_const_0 
+
+first_e = es[big] - es[small]
+first_c = cs[big] * inverse(cs[small], n) % n
+
+if es[_sage_const_3 ] > es[_sage_const_4 ]:
+    big = _sage_const_3 
+    small = _sage_const_4 
+else:
+    big = _sage_const_4 
+    small = _sage_const_3 
+
+second_e = es[big] - es[small]
+second_c = cs[big] * inverse(cs[small], n) % n
+
+
+def egcd(a, b):
+    if a == _sage_const_0 :
+        return (b, _sage_const_0 , _sage_const_1 )
+    else:
+        g, y, x = egcd(b % a, a)
+        return (g, x - (b // a) * y, y)
+
+
+g, x, y = egcd(first_e, second_e)
+assert g == _sage_const_1 
+
+m = pow(first_c, x, n) * pow(second_c, y, n) % n
+print(long_to_bytes(int(m)))
+
