30 lines
1.3 KiB
Python
30 lines
1.3 KiB
Python
#!/usr/bin/env python3
|
||
|
||
from Crypto.Util.number import *
|
||
|
||
# The main idea behind this cryptography task is the Pollard's rho algorithm, so we are looking for distinct pairs (c1, d1) and (c2, d2)
|
||
# of integers modulo O, where O is the order of given elliptic curve such that:
|
||
# c1 * P + d1 * Q = c2 * P + d2 * Q
|
||
# Then:
|
||
# (c1 − c2) * P = (d2 − d1) * Q = (d2 − d1) * m * P
|
||
# and so
|
||
# (c1 − c2) ≡ (d2 − d1) * m (mod O)
|
||
# and finally:
|
||
# m = (c1 − c2) * inverse(d2 − d1, O) % O
|
||
|
||
# 5007339194230261965136074875375133987796015742 * P + 1181661145340628811169250733264617512334954185830 * Q = (679918816734405330432523483123942869125974815453, 1119608671998053139878595075131105932939987602772)
|
||
# 1438308046558610569478031991194627397484760926155 * P + 556538017327362316826260662010956239612818063997 * Q = (679918816734405330432523483123942869125974815453, 1119608671998053139878595075131105932939987602772)
|
||
|
||
# Hence
|
||
|
||
c1 = 5007339194230261965136074875375133987796015742
|
||
d1 = 1181661145340628811169250733264617512334954185830
|
||
c2 = 1438308046558610569478031991194627397484760926155
|
||
d2 = 556538017327362316826260662010956239612818063997
|
||
|
||
# O = E.order()
|
||
O = 1461501637330902918203683758258034914537499271049
|
||
|
||
m = (c1 - c2) * inverse(d2 - d1, O) % O
|
||
msg = long_to_bytes(m)
|
||
print(f'flag = {msg}') |