2022 CISCN Crypto

rhash

\[ d<\frac{n^{\frac{1}{4}}}{\sqrt{6}} \]

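Use Wiener's attack to recover d. Ready-made library: rsa-wiener-attack

Hash length extension attack

Given the hash value and a known suffix, compute the suffix data and hash value for a message with the same prefix but a different suffix.

Ready-made library: HashPump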

exp

from pwn import *
from Crypto.Util.number import *
import hashpumpy
import RSAwienerHacker

context.log_level='debug'

r=remote('39.104.54.192',54731)
r.recvline()
# The server sends N and e as hex strings
N=int(r.recvline().strip()[6:],16)
e=int(r.recvline().strip()[6:],16)
# d satisfies the bound above, so Wiener's attack recovers it
d=RSAwienerHacker.hack_RSA(e,N)
r.recvline()
data=int(r.recvline().strip()[9:],16)
signature=int(r.recvline().strip()[14:],16)
# Apply the public exponent to the signature to get the signed hash
signature=long_to_bytes(pow(signature,e,N))
r.recvuntil(b':')
# Length extension: 16-byte unknown prefix, append b'\x00'
h,data=hashpumpy.hashpump(signature, long_to_bytes(data), b'\x00', 16)
m=hex(bytes_to_long(data))
# Sign the new hash with the recovered d
sig=hex(pow(bytes_to_long(h.encode()),d,N))
r.sendline('{},{}'.format(m,sig).encode())
r.interactive()


strangeecc

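For the singular curve \(E:y^2=x^3\), there is a map \(E_d(F)\rightarrow F\), \((x,y)\rightarrow \frac{x}{y}\). This map is a group isomorphism, mapping the curve's additive group to a finite additive group:

\[ \begin{aligned} P&=d\times G\\ g&=G.x\times G.y^{-1} \pmod p,\quad y=P.x\times P.y^{-1} \pmod p\\ d&=g^{-1}\times y \pmod p \end{aligned} \]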
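The isomorphism above, checked offline on constructed values (an added example, not part of the original writeup). The modulus, base point, scalar and all function names are assumptions made for illustration; `is_singular` is the discriminant check a server would run to reject parameters such as a = b = p.

```python
# Added example: the cusp y^2 = x^3 over F_p. All values are constructed.
P_MOD = 2**127 - 1           # constructed prime modulus
G = (25, 125)                # constructed base point: 125^2 == 25^3

def is_singular(a, b, p):
    """Discriminant check: True when y^2 = x^3 + a*x + b is singular mod p."""
    return (4 * pow(a, 3, p) + 27 * pow(b, 2, p)) % p == 0

def add(P, Q, p):
    """Chord-and-tangent addition with a = 0; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, p):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R

def phi(P, p):
    """The page's map (x, y) -> x / y into the additive group of F_p."""
    return P[0] * pow(P[1], -1, p) % p

def recover_scalar(G, P, p):
    """d = phi(G)^-1 * phi(P) mod p, as in the formula above."""
    return phi(P, p) * pow(phi(G, p), -1, p) % p

if __name__ == "__main__":
    d = 123456789012345678901234567890   # constructed secret, d < p
    P = mul(d, G, P_MOD)
    print(recover_scalar(G, P, P_MOD) == d)
    print(is_singular(P_MOD, P_MOD, P_MOD))
```

Rejecting any (a, b) for which `is_singular` returns true, after reducing both mod p, closes off this reduction.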

exp

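from pwn import *
from collections import namedtuple
from Crypto.Util.number import *

context.log_level='debug'

# Needed so eval() can parse the Point(x=..., y=...) lines from the server
Point = namedtuple("Point","x y")

r=remote('39.104.54.192',32867)
r.recvuntil(b'p: ')
p=int(r.recvline().strip())
print(p)
# a = b = p is a = b = 0 mod p, which gives the singular curve y^2 = x^3
r.recvuntil(b'a: ')
r.sendline(str(p).encode())
r.recvuntil(b'b: ')
r.sendline(str(p).encode())
P=eval(r.recvline().strip())
Q=eval(r.recvline().strip())
r.recvuntil(b'guess: ')

# Map both points to F_p with (x, y) -> x/y, then divide to get the scalar
P=P.x*inverse(P.y,p)%p
Q=Q.x*inverse(Q.y,p)%p
secret=Q*inverse(P,p)%p

r.sendline(str(secret).encode())
r.interactive()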