CCTF_Public/writeups/vol9_rnd1/ratoto/exp.sage

#!/usr/bin/env sage

from Crypto.Util.number import *
from tqdm import tqdm
from math import *
from flag import flag

# We show that fining `p' is sufficient to solve the task:
# We will using the fact that probability of existence of 3 same indices in encryption function is greater than 0.333. 
# This mean that it is not negligible! 
# So there are at least two same indices in I and J, in such situation the difference of two such member of ENC has 3 alternatives:
# 	if bmsg[i] = bmsg[j], then (p - 1337) | (ENC[i] - ENC[j])
#	else: bmsg[i] != bmsg[j], then (p - 1337) | (ENC[i] - ENC[j] - 1) or (p - 1337) | (ENC[i] - ENC[j] + 1)
# Then we can recover the `p - 1337' by traversing all differences and take GCD. 

nbit, l, size = 128, 19, 5

ENC = [75268964922975765683886184416990455164276663222132201867219339149609601640795354092835048934411481375148226722972537, 74252184883067578741858552515565939844317035859324392993119193039648219454473879279850963366442082743544769805458093, 64583689532455128238181950133603764819991571440534989711566068812879896102335935024226203698035351959296273301620382, 73954367329838128950914640708096093147639394836395653880329242588430780186315735317486478948873839323544148182046060, 75540701798305498918283744819791084402734841823004203657655286972115005642886230626192560562036356429969087249749278, 83872558265379890948034647783505689679700547421470900720449930006747906783329308539967940807527137801010983230543774, 77705947019521396446475481469278541003396226719169548444032469535863873095121773225096457030939776241708584877652524, 67978656624841265601170418603936659974046910767040700357101791447012736488838985064735678352741670061202258680739613, 75837776024713216055252518667514169542080138087975755002363563069785802623303866125263281067936355517377820113667938, 72603151435863208938327307099489992009503479936015135389478635090492096706114933187890818438751887746500721218652279, 73733888839207865983240327892983241289807286168603031808496385958061899980948024355900045884970345191191769699229572, 76026001574719054322680074358373247357277987998647217611854197191799805043883446767698657010815870374638525933229216, 63615784956049398129624134567271813178274843680080230739648893117265006852003095883577207792935652909457887432886634, 74314745266672130614736730205508743251909165513298788771079770174772692182554673617622080176041112321775103212794681, 79808971655750303755413506820459952862540593036756356552664510506567642440507925671785412128797976991001820031588130, 75915254885797123244398876243336351194329874908365892333139851049388257233722719136397235760463970737727970609339312, 64114186080762792859293991399106517893360191652551357443121129122462433160641071479199225529745571585214304165061817, 74176893436699760305666941232857324140220281172091619114199349376569553895200481745053966340874533504830731432331761, 65379506164867136665192274667729049599007431441006633301906255285699351901936986158197296816318302265070157727306970, 57734853389427355405820176374447554484081455080718872159664935452844587615749966471451302705760102043394337793674134, 72164458294489270773116999933772464726701897942521287747462068732817425062837112879435748825749540652043063399391740, 73533607440404723098729330549853565477375009566185892920120779847282390979077303050957969029679100636837235455425148, 67910633736286426177905642387864261831904228112266837721401298578497816969172551312098565810156856523055157660819174, 77145919038841774942938403303293697658704133494073580951405558775319431418307178858581189998388420298928872937142204, 65316520180773818730596609051534961697086117625743664034359793048202198689638292713653043527893771549081363196461966, 70324075773672074785155720870438842968121302464564810815742720469400450322118197147257760168356158374289747183646032, 74277997795328016517733231263490311387843259299704020344473594680232437350713199379852380685625125507903212690538046, 80353551042715480372252377966526689396620563667125920905369146340631127992578344244640139688021457849051252571371323, 66922589883235873034882666091200050432735050020794478023937092818173116357945368783393984618721410092651847916753091, 77467339420681224353988988376154713148015203276300489417814883702198728334175202420631824150076283282744626709180226, 79097299183913345407040873759347332470217313814159193531838843440200836795671311808648358249581413181644557861974831, 62756520014735162454225939858932259868243016316270213169441851406103016694242175318295039641813173797765197587560445, 63049641273711537541615736211346454956746091880777884629921119040803802051281158760693454284194639431582863122971626, 68796347239778609667891754600409990346962433499269414828554356220466244423321263484233357424212705737417177507371319, 7379146359221248658956427580822984611769039256411775055291101023942854852213

print('Starting...')
L = len(ENC)

T = []
for i in range(L):
	for j in range(i):
		t = abs(ENC[i] - ENC[j])
		if t != 0:
			u = lcm(t, t - 1, t + 1)
			T.append(u)

d = 0
for i in tqdm(range(len(T))):
	if d >= 2 ** (nbit - 1):
		break
	for j in range(i):
		d = gcd(T[i], T[j])
		if d >= 2 ** (nbit - 1):
			print(d)
			break

# Now factor d, and we try to find such divisor q of d such that q + 1337 is prime:

for q in divisors(d):
	if is_prime(q + 1337) and (q + 1337).bit_length() == 128:
		p = q + 1337
		print(f'p = {p}')

# It's clear that for each element c of ENC: c = (p - 1337) * sum(BSE) + 31337 * sum(NSE) + int(bmsg[i]), 
# 	(p - 1337) * sum(BSE) >> 31337 * sum(NSE) + int(bmsg[i])
# So c % (p - 1337) = 31337 * sum(NSE) + int(bmsg[i])
# and finally:
# 	(c % (p - 1337)) % 31337 = int(bmsg[i])

flag = ''
for c in ENC:
	flag += str((c % (p - 1337)) % 31337)

flag = long_to_bytes(int(flag, 2))
print(f'flag = {flag}')
Vol9, rnd1, cryptography witeups 2022-09-10 10:53:53 +00:00			`#!/usr/bin/env sage`

			`from Crypto.Util.number import *`
			`from tqdm import tqdm`
			`from math import *`
			`from flag import flag`

			# We show that fining `p' is sufficient to solve the task:
			`# We will using the fact that probability of existence of 3 same indices in encryption function is greater than 0.333.`
			`# This mean that it is not negligible!`
			`# So there are at least two same indices in I and J, in such situation the difference of two such member of ENC has 3 alternatives:`
			`# if bmsg[i] = bmsg[j], then (p - 1337) \| (ENC[i] - ENC[j])`
			`# else: bmsg[i] != bmsg[j], then (p - 1337) \| (ENC[i] - ENC[j] - 1) or (p - 1337) \| (ENC[i] - ENC[j] + 1)`
			# Then we can recover the `p - 1337' by traversing all differences and take GCD.

			`nbit, l, size = 128, 19, 5`

			ENC = [75268964922975765683886184416990455164276663222132201867219339149609601640795354092835048934411481375148226722972537, 74252184883067578741858552515565939844317035859324392993119193039648219454473879279850963366442082743544769805458093, 64583689532455128238181950133603764819991571440534989711566068812879896102335935024226203698035351959296273301620382, 73954367329838128950914640708096093147639394836395653880329242588430780186315735317486478948873839323544148182046060, 75540701798305498918283744819791084402734841823004203657655286972115005642886230626192560562036356429969087249749278, 83872558265379890948034647783505689679700547421470900720449930006747906783329308539967940807527137801010983230543774, 77705947019521396446475481469278541003396226719169548444032469535863873095121773225096457030939776241708584877652524, 67978656624841265601170418603936659974046910767040700357101791447012736488838985064735678352741670061202258680739613, 75837776024713216055252518667514169542080138087975755002363563069785802623303866125263281067936355517377820113667938, 72603151435863208938327307099489992009503479936015135389478635090492096706114933187890818438751887746500721218652279, 73733888839207865983240327892983241289807286168603031808496385958061899980948024355900045884970345191191769699229572, 76026001574719054322680074358373247357277987998647217611854197191799805043883446767698657010815870374638525933229216, 63615784956049398129624134567271813178274843680080230739648893117265006852003095883577207792935652909457887432886634, 74314745266672130614736730205508743251909165513298788771079770174772692182554673617622080176041112321775103212794681, 79808971655750303755413506820459952862540593036756356552664510506567642440507925671785412128797976991001820031588130, 75915254885797123244398876243336351194329874908365892333139851049388257233722719136397235760463970737727970609339312, 64114186080762792859293991399106517893360191652551357443121129122462433160641071479199225529745571585214304165061817, 74176893436699760305666941232857324140220281172091619114199349376569553895200481745053966340874533504830731432331761, 65379506164867136665192274667729049599007431441006633301906255285699351901936986158197296816318302265070157727306970, 57734853389427355405820176374447554484081455080718872159664935452844587615749966471451302705760102043394337793674134, 72164458294489270773116999933772464726701897942521287747462068732817425062837112879435748825749540652043063399391740, 73533607440404723098729330549853565477375009566185892920120779847282390979077303050957969029679100636837235455425148, 67910633736286426177905642387864261831904228112266837721401298578497816969172551312098565810156856523055157660819174, 77145919038841774942938403303293697658704133494073580951405558775319431418307178858581189998388420298928872937142204, 65316520180773818730596609051534961697086117625743664034359793048202198689638292713653043527893771549081363196461966, 70324075773672074785155720870438842968121302464564810815742720469400450322118197147257760168356158374289747183646032, 74277997795328016517733231263490311387843259299704020344473594680232437350713199379852380685625125507903212690538046, 80353551042715480372252377966526689396620563667125920905369146340631127992578344244640139688021457849051252571371323, 66922589883235873034882666091200050432735050020794478023937092818173116357945368783393984618721410092651847916753091, 77467339420681224353988988376154713148015203276300489417814883702198728334175202420631824150076283282744626709180226, 79097299183913345407040873759347332470217313814159193531838843440200836795671311808648358249581413181644557861974831, 62756520014735162454225939858932259868243016316270213169441851406103016694242175318295039641813173797765197587560445, 63049641273711537541615736211346454956746091880777884629921119040803802051281158760693454284194639431582863122971626, 68796347239778609667891754600409990346962433499269414828554356220466244423321263484233357424212705737417177507371319, 7379146359221248658956427580822984611769039256411775055291101023942854852213

			`print('Starting...')`
			`L = len(ENC)`

			`T = []`
			`for i in range(L):`
			`for j in range(i):`
			`t = abs(ENC[i] - ENC[j])`
			`if t != 0:`
			`u = lcm(t, t - 1, t + 1)`
			`T.append(u)`

			`d = 0`
			`for i in tqdm(range(len(T))):`
			`if d >= 2 ** (nbit - 1):`
			`break`
			`for j in range(i):`
			`d = gcd(T[i], T[j])`
			`if d >= 2 ** (nbit - 1):`
			`print(d)`
			`break`

			`# Now factor d, and we try to find such divisor q of d such that q + 1337 is prime:`

			`for q in divisors(d):`
			`if is_prime(q + 1337) and (q + 1337).bit_length() == 128:`
			`p = q + 1337`
			`print(f'p = {p}')`

			`# It's clear that for each element c of ENC: c = (p - 1337) * sum(BSE) + 31337 * sum(NSE) + int(bmsg[i]),`
			`# (p - 1337) * sum(BSE) >> 31337 * sum(NSE) + int(bmsg[i])`
			`# So c % (p - 1337) = 31337 * sum(NSE) + int(bmsg[i])`
			`# and finally:`
			`# (c % (p - 1337)) % 31337 = int(bmsg[i])`

			`flag = ''`
			`for c in ENC:`
			`flag += str((c % (p - 1337)) % 31337)`

			`flag = long_to_bytes(int(flag, 2))`
			`print(f'flag = {flag}')`