最后一个把周末的补完。这个今天问了小鸡块神终于把一个补上,完成5/6,最后一个网站也上不去不弄了。
Matrices Matrices Matrices
这个是不是叫LWE呀,名词忘了,但意思还是知道。
b = a*s +e 这里的e是高斯分成,用10000个数测试会出现2,3但猜也就是1,0
另外这里a*s是反的,需要转置一下。
from sage.all import GF, Matrix
import os, random
assert("FLAG" in os.environ)
FLAG = os.environ["FLAG"]
assert(FLAG.startswith("KSUS{") and FLAG.endswith("}"))
q = 271
qf = GF(q)
m = 70
n = 30
def key_gen():
a = Matrix(qf, [[qf.random_element() for _ in range(n)] for _ in range(m)])
s = Matrix(qf, [[ord(c)] for c in FLAG])
e = Matrix(qf, [[int(round(random.gauss(0, 2/3)))] for _ in range(m)]) #噪音[-3,3] 正常[-1,0,1]
b = a * s + e
return s, (a,b)
sk, pk = key_gen()
a, b = pk
print(f"a={[list(a[i]) for i in range(m)]}")
print(f"b={[list(b[i]) for i in range(m)]}")
q = 271
a = ...
b = ...
A = matrix(ZZ,a).T
B = matrix(ZZ,b).T
A1 = A.stack(B)
M = block_matrix(ZZ,[[1,A1],[0,q]])
K = 256
M[30,30] = K
M[:,31:] *= K
L = M.LLL()
for i in L:
if i[30] in [256,-256] and all(k in [-768,-512,-256,0,256,512,768] for k in i[30:]):
print(i)
v = [abs(k) for k in i[:30]]
if all(0x20<=k<0x7f for k in v):
print(bytes(v))
#(-75, -83, -85, -83, -123, -73, -95, -103, -117, -51, -115, -115, -95, -112, -52, -114, -52, -109, -115, -95, -109, -52, -55, -55, -51, -114, -95, -58, -47, -125, 256, -256, 0, 0, -256, -256, 256, 0, 0, 0, 256, 0, 0, 0, 256, 256, 0, 0, 0, 0, -256, 0, -256, 0, 0, 256, 256, 0, 0, -512, 256, 0, -256, 0, 0, 256, 256, -512, 0, -256, -256, 0, -256, 256, 512, 256, 0, -256, 0, 0, 256, 0, 0, -256, 0, 256, -256, 0, 0, 0, 256, -256, 0, 0, 256, 256, 0, 0, 0, 0, -256)
#KSUS{I_gu3ss_p4r4ms_m4773r_:/}Lightning Fast Scrambling
名字指出是LFS,但有点问题,当一开始使用时返回的直接就是从后前前的key每次8位。
from hashlib import sha256
from base64 import b64encode, b64decode
# utility wrapper for hashing
def digest(message):
"Gives a bytes object representing the sha256 encoding of its argument (a sequence of bytes)"
return sha256(message).digest()
# utility wrapper for encoding and decoding
def base64_encode(x):
"Encodes a sequence of bytes in a string, using base64 encoding"
return b64encode(x).decode()
def base64_decode(x):
return b64decode(x, validate=True)
# crypto magic
def create_key(passphrase):
h = passphrase.encode()
h = digest(h)
k = 0
for i in range(8):
k <<= 8
k |= h[i]
return k if k else 1
def secret_byte_stream(key):
x = key
mask = 255
while True:
y = x
a = y & mask #返回尾部8位
yield a
y >>= 8
x = y
y >>= 1
a ^= y & mask
y >>= 14
a ^= y & mask
y >>= 17
a ^= y & mask
x |= a << 56
def scramble(message, key):
stream = secret_byte_stream(key)
return bytes(x ^ y for x, y in zip(message, stream))
# user-facing stuff
def encrypt(text, passphrase):
message = text.encode()
hash = digest(message)
key = create_key(passphrase)
e = scramble(message, key)
return '#'.join(map(base64_encode, [e, hash]))
def decrypt(text, passphrase):
e, hash = map(base64_decode, text.split('#'))
key = create_key(passphrase)
message = scramble(e, key)
if hash != digest(message):
raise ValueError("Wrong key")
return message.decode()
def create_flag(secret):
return "".join(["KSUS{", secret.encode().hex(), "}"])
if __name__ == "__main__":
secret = input("secret > ")
passphrase = input("passphrase > ")
flag = create_flag(secret)
print("flag :", flag)
challenge = encrypt(flag, passphrase)
assert flag == decrypt(challenge, passphrase)
print("challenge :", challenge)
由于flag头有5字节,所以只需要爆破3字节即可。通过hash值判断。
enc = 'VERY/Rjwj1U4DQZ/zyyHxSsMY1iYuOZHs//qWPVYInUz/5cxidrFCrSqco4bbVLpWjHHI4Z+JZOwOfsT#SUS/PDQPS4DlVum2aO+5+SuczHag7/rnYMBUr+pEqEU='
enc, h = map(b64decode, enc.split('#'))
#由已知头得到key的后5字节,前3字节爆破
key_tail = xor(b'KSUS{', enc[:5])[::-1]
for i1 in trange(256):
for i2 in range(256):
for i3 in range(256):
key = bytes([i1,i2,i3])+key_tail
key = bytes_to_long(key)
m = scramble(enc,key)
if h == sha256(m).digest():
print(m)
#KSUS{6c6673725f6172655f6e6f745f7365637572653038363834363137}Feistel <3
这个代码有点长
from Crypto.Util.number import bytes_to_long, getPrime, long_to_bytes
from Crypto.Util.Padding import pad
import os, signal
assert("FLAG" in os.environ)
FLAG = os.environ["FLAG"]
assert(FLAG.startswith("KSUS{") and FLAG.endswith("}"))
def xor_bytes(bytes_a, bytes_b):
return bytes(a ^ b for a, b in zip(bytes_a, bytes_b)).ljust(2, b'\x00')
def f(sub_block, round_key, modulus):
return long_to_bytes((bytes_to_long(sub_block) + pow(65537, bytes_to_long(round_key), modulus)) % (1<<17-1)).ljust(2, b'\x00')
def encrypt_block(block, key, modulus, rounds=8, shortcut=False):
sub_block_1 = block[:2].ljust(2, b'\x00')
sub_block_2 = block[2:4].ljust(2, b'\x00')
sub_block_3 = block[4:].ljust(2, b'\x00')
for i in range(0, rounds):
round_key = key[i*2:i*2+2]
new_sub_block_1 = xor_bytes(sub_block_1, sub_block_2)
new_sub_block_2 = f(sub_block_3, round_key, modulus)
new_sub_block_3 = xor_bytes(sub_block_2, round_key)
sub_block_1 = new_sub_block_1
sub_block_2 = new_sub_block_2
sub_block_3 = new_sub_block_3
print(sub_block_1 + sub_block_2 + sub_block_3)
if shortcut and sub_block_1 == b"\xff\xff":
break
return sub_block_1 + sub_block_2 + sub_block_3
def encrypt(plaintext, key, modulus):
iv = os.urandom(6)
padded = pad(plaintext.encode(), 6)
blocks = [padded[i:i+6] for i in range(0, len(padded), 6)]
res = []
for i in range(len(blocks)):
if i == 0: block = xor_bytes(blocks[i], iv)
else: block = xor_bytes(blocks[i], bytes.fromhex(res[-1]))
res.append(encrypt_block(block, key, modulus).hex())
return iv.hex() + "".join(res)
def handle():
key = os.urandom(16)
N = getPrime(1024)
print("flag =", encrypt(FLAG, key, N))
print("N =", N)
encrypted = []
while True:
print("[1] Encrypt")
print("[2] Exit")
opt = input("> ")
if opt == "1":
plaintext = input("Enter your fantastic plaintext (in hex): ")
if len(plaintext) % 2 != 0 or len(plaintext) < 2 or len(plaintext) > 12:
print("It doesn't look fine to me :/")
elif plaintext in encrypted:
print("Nah, you've already encrypted it!")
else:
encrypted.append(plaintext)
ciphertext = encrypt_block(bytes.fromhex(plaintext).rjust(6, b"\x00"), key, N, shortcut=True)
print("Here it is: " + ciphertext.hex())
elif opt == "2":
print("Bye (^-^)")
exit(0)
else:
print("Nope :/")
if __name__ == "__main__":
signal.alarm(300)
handle()
16字节密钥分成8段轮密钥,每段2字节。加密将密文分成6字节块块加密,块加密将明文分成3块:b1,b2,b3,然后得到b1^b2, b3+e^key_round, b2^key_round。
但在最后给了后门:当c1==FFFF里会退出并不都需要经过8轮。
这样就有了爆破的方法,只要让运行指定轮里使c1==FFFF即可。第一轮直接FFFF00000000则可根据第3段密文得到第1个轮密钥。第2轮是上一轮的c2和b1,b2如此类推。
先从远程得到key和密文。
#-------------远程获取密文,key,N
'''
i b1^b2^c(i-1) x c(i-1)^ki
i+1 b1^b2^c(i-1)^c(i) c(i)^k(i+1)
'''
from pwn import *
def getenc(tmp):
p.sendlineafter(b"> ", b'1')
p.sendlineafter(b"Enter your fantastic plaintext (in hex): ", tmp.hex().encode())
p.recvuntil(b"Here it is: ")
return bytes.fromhex(p.recvline().strip().decode())
p = remote('chall.ctf.k1nd4sus.it', 31013)
print(p.recvline())
print(p.recvline())
c2 = b'\x00\x00'
lc2 = b'\x00\x00'
tk = b''
for i in range(8):
tmp = xor(b'\xff\xff', c2)+b'\x00'*4
#enc = encrypt_block(tmp, key, N, shortcut=True)
enc = getenc(tmp)
c2 = xor(c2,enc[2:4])
tk+=xor(enc[4:],lc2)
lc2 = enc[2:4]
print(tk.hex())
p.close() 然后弄个解密函数解一下。这东西居然不是每次都成功,会出乱字符,不清楚怎么来的。
def decrypt_block(block, key):
c1,c2,c3 = block[:2],block[2:4],block[4:]
for i in range(7,-1,-1):
round_key = key[i*2:i*2+2]
b2 = xor(c3, round_key)
b1 = xor(c1, b2)
b3 = long_to_bytes((bytes_to_long(c2) - pow(65537,bytes_to_long(round_key), N))&0xffff)
c1,c2,c3 = b1,b2,b3
#print(c1,c2,c3)
return c1+c2+c3
def decrypt(ciphertext, key, modulus):
iv = ciphertext[:6]
padded = ciphertext[6:]
blocks = [padded[i:i+6] for i in range(0, len(padded), 6)]
res = b''
for i in range(len(blocks)):
tmp = decrypt_block(blocks[i], key)
if i == 0:
r = xor(tmp, iv)
else:
r = xor(tmp,blocks[i-1])
res += r
#print(res)
return res
key = bytes.fromhex('35e7c26a66bc651827cac73bc99c6667')
N = 175914002278057050406831961452237183138299948079975109116384718227058692202299804814271876290451098159041914033459568540766514412008363701006284852804260357617529486527991021342873932212136053758342488462611451121664507695932811146083705960145782839959600560090211913120599024239421171256321562939861953258223
flag = bytes.fromhex('9f3d4928ba479f1e53a7f287efe0dba974745b5fb4a472e24ecdcefb3a70824f9ec87aba16cf7ab4551324af56035c387cb9bf390888')
decrypt(flag,key,N)
#b'KSUS{N3veR_Ev3r_5hOr7cuT_F3ist3l_Ne7w0rks}\x06\x06\x06\x06\x06\x06'key in the haystack
后边这两个是同一问题,一个小一个大,放一起
from Crypto.Util import number
from base64 import b64encode
prime = lambda: number.getPrime(512)
def b64enc(x):
h = hex(x)[2:]
if len(h) % 2:
h = '0' + h
return b64encode(bytes.fromhex(h)).decode()
p = prime()
q = prime()
with open("flag.txt") as f:
flag = f.readline().strip()
n = p * q
m = int(flag.encode().hex(), 16)
c = pow(m, 65537, n)
print("ciphertext:", hex(c)[2:])
bale = [p, q]
bale.extend(prime() for _ in range(1<<6))
def add_hay(stack, straw):
x = stack[0]
for i in range(1, len(stack)):
y = stack[i]
stack[i] = y + (straw * x)
x = y
stack.append(straw * x)
stack = [1]
add_hay(stack, p) #[1,p]
add_hay(stack, q) #[1,p+q,p*q]
for straw in bale:
add_hay(stack, straw)
print("size:", len(stack))
for x in stack:
print(b64enc(x))生成包含p,q的66个素数。然后经过add_hay生成stack。
这里是我自己的想法,这个方法不适用加强后的第2题,但也是个思路记录一下。
先设一个变量,从后向前导一下:Kn = S(n) + v*S(n-1) => Sn = Kn - v*S(n-1)
最后得到等于f = ss[-1]*v - stack[-1] 这是一个66次1元方程,不算太大sage可以直接解。由于这里的66个素数都是对称的,直接可以解出66个根,这里边就包含p,q
from base64 import *
from Crypto.Util.number import *
outs = open('output.txt').readlines()
st = [bytes_to_long(b64decode(outs[2+i])) for i in range(69)]
#Kn = S(n) + v*S(n-1) => Sn = Kn - v*S(n-1)
var('v')
ss = [1]
for i in range(1,68):
ss.append(st[i]-v*ss[-1])
#K68 = v*S68
f = ss[-1]*v - st[-1]
ps = f.roots()
#v有66个解,对应66个素数
ps = [int(i[0]) for i in ps]
c = 0x7434d263623892ca660f4139c54ab02a8a14d87cd5c658fca9105f88f7ed5c888a744e949b716094c1d73fd8084eeaf72b23e97325829a69ca57a34e5e0b5272ddaf039bcc0aed2055968c8dfa7cd0373cca072c31123e6259659af03ce87b224bb7fdf13fb89b4ceb580d2d11524025ccb4f86560f3b006d99d86a63ab3aa5a
#猜flag小于512位
for p in ps:
m = pow(c,invert(65537,p-1),p)
print(long_to_bytes(int(m)))
#b'KSUS{6465726976617469766573206172652061206e69636520747269636b}'key in the big haystack
这个升级版想了一天也没结果,然后问小鸡块给秒了。(数据有44M,就不贴了,也贴不上)
bale = [p, q]
bale.extend(prime() for _ in range(1<<9))
stack = [1]
add_hay(stack, p)
add_hay(stack, q)
for straw in bale:
add_hay(stack, straw)
for straw in bale[2:]:
add_hay(stack, straw + 2)这题与上边只有这些变化,素数由64改为512,并且用了两次,所以结果是1029项。
这些给定的值实际上是一个1029项多项式的系数。可以先用3个变量试下。
(x+p)*(x+q)*(x+r) = x^3 + (p+q+r)*x^2 + (pq+qr+rp)*x + pqr
然后把这些数据代入含x的方程
而这个式子里除了p,q是2次外其它都是1次(包含512和素数和512个素数+2,素数+2后跟原来不形成平方关系)所以对f求导后与原来的f作gcd就能得到对于p,q的多项式。然后直接求解可得p,q
from base64 import *
from Crypto.Util.number import *
from gmpy2 import iroot
outs = open('big_output.txt').readlines()
enc = bytes.fromhex('5894f38180b9f41fb816c7428b64b63cf207e349832aeb256977526ec750239c5b75e846f2c7db19fc84d44e57c1a6181562487cd4a7e58bab9903feead90d884b574dcc9d35b0d6ae7d491d399dcdf6aacc74efff2135c673178e08b50ac1a09f5334cd0d4b48355b28219dbc31b45a2c7687114b69c4f8a0ae20740e9ce1fe')
c = bytes_to_long(enc)
stack = [bytes_to_long(b64decode(outs[2+i])) for i in range(1029)]
PR.<x> = PolynomialRing(ZZ)
f = sum([stack[i] * x^(1028-i) for i in range(len(stack))])
g = gcd(f.derivative(), f)
print(g)
#x^2 + 20450065261452182016584260876047399525896704233984001074890163119931284325571387726435254377483741593577102784943815777723994032502151858215013739509078298*x + 101344562563413148702503209034490415272295393794389109823061195011331285068194700252292458323839836319978741203645201395179109429423054143994480684843212974225776158987058221755014377991550489320194566899710227109943050130147641582913932721996451645082208066936338974731735770555839605141969367848387625804201
#系数分别是p+q,p*q
v = g.roots()
p = abs(v[0][0])
#8434298218257235619456993018380042120260367010962473119979826477888279532268658434816651817828253000282579391409905630356600119281235242527375263115386349
long_to_bytes(int(pow(c,inverse_mod(65537,p-1),p)))
#KSUS{43525420697320612076657279206e69636520747269636b}
