# 🔮cnss娘的谜语

cnss娘信手写下几串意义不明的谜语，你可以猜出其中的含义吗？

```py
import base64
from Crypto.Util.number import *
from secret import flag  ## secret is a local file, flag is unknown to you. Try to find it.

assert type(flag) == str

flag = flag.encode()
length = len(flag)
assert length % 4 == 0
L = length // 4

secret1 = bytes_to_long(flag[:L])
secret2 = flag[L:2*L].hex()
secret3 = bin(int(flag[2*L:3*L].hex(), 16))
secret4 = base64.b64encode(flag[3*L:])

print(f"{secret1 = }")
print(f"{secret2 = }")
print(f"{secret3 = }")
print(f"{secret4 = }")
```

常见编码，把十进制、十六进制、二进制和base64分别转化为字节类型，拼起来后utf-8转成字符串就能还原出flag。

In [None]:
import base64
from Crypto.Util.number import *

secret1 = 30772543014919602267414633191
secret2 = 'bc96e7a081e698afe5ada620'
secret3 = '0b10000110111001001111001011100000111010001101111001000001110011110011010100001001110011110101100'
secret4 = b'rOS4gOatpeOAgiF9'

flag1 = long_to_bytes(secret1)
flag2 = bytes.fromhex(secret2)
flag3 = long_to_bytes(int(secret3, 2))
flag4 = base64.b64decode(secret4)

flag = (flag1 + flag2 + flag3 + flag4).decode()
print(flag)


# 🐬水龙吟

楚天千里清秋，水随天去秋无际。遥岑远目，献愁供恨，玉簪螺髻。

```py
from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)

p = 4873905926740615531018463661385452170898784133203367799135441645830937750628221985822405430005703937197770247575076559744236744538228018031486049820173674
g = 2593552830271406523114019117101950399687742243315195843514987700785182656087120211241524521448500935829478648514527037446437576680778419567396094750508622
c = 0

for i in range(m):
    c = (c + g)  % p
 
print(f'{c = }')
```

如何[求解](https://cp-algorithms.com/algebra/linear_congruence_equation.html)线性同余方程 $c\equiv m\cdot g\ {\rm mod}\ p$ ？
```py
def Exgcd(a, b):
    if b == 0:
        return a, 1, 0
    d, x, y = Exgcd(b, a % b)
    return d, y, x - (a // b) * y
```

In [None]:
from Crypto.Util.number import *
from gmpy2 import gcdext

def liEu(a, b, n):
    d, x, y = gcdext(a, n)
    if b % d != 0:
        return False
    n = n // d
    return (x * b // d) % n

p = 4873905926740615531018463661385452170898784133203367799135441645830937750628221985822405430005703937197770247575076559744236744538228018031486049820173674
g = 2593552830271406523114019117101950399687742243315195843514987700785182656087120211241524521448500935829478648514527037446437576680778419567396094750508622
c = 3431276814099066030808269572939347769420622699894452016972504433264414095698239241816562301198442206498226641308404105790355301176892588988847042699636406

m = liEu(g, c, p)
flag = long_to_bytes(int(m)).decode()
print(flag)


# 🌔卜算子

惊起却回头，有恨无人省。拣尽寒枝不肯栖，寂寞沙洲冷。

```py
from Crypto.Util.number import *
from secret import flag

p, q, r = getPrime(512), getPrime(512), getPrime(512)
n = p * q * r
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n)
 
print('p =', p)
print('q =', q)
print('n =', n)
print('c =', c)
```

三素数RSA。

In [None]:
from Crypto.Util.number import *

p = 12253096079262730693787845304459770181159272160708761390419517461435886798119494973936186382645490774511179747402693066192362104144553287739427091488849987
q = 9656184899794050073098614505490788837141112476549205418072011388278372195682566976277132351856116300104728124405389485440262266612903835574949734938773879
n = 1068394811940475700113916170772008310607904879176073274337669322446687936907143981238893756179197975634434673229920275765973807209412891205884402965483756254507691419368528133959132303476165747992107800736918701005971552264644185146124560027884795936191839406241406301141310602020436434278421529178345240902508007101551941438277539664839258109542374751444222500079818129540895166090788487787028178055561786822480872065405947357363186718845196587434430898650662917
e = 65537
c = 364812620179131273680130240148084836403846027393384913159162092631491386521136431985815726041640268869899250546875572473450702105133851945618590296616284218872409897353796638895758963083075264218372930102765065661636950920355098372841435042642748593167374414989630427181232399218196685772309403529745406119979371226428026631723070867224675860939203796555567951762311063010081727524747799375832842589314306700599116049075415601108806973017635507910763925927172362

r = n // p // q
phi_n = (p - 1) * (q - 1) * (r - 1)
d = inverse(e, phi_n)
m = pow(c, d, n)

flag = long_to_bytes(int(m)).decode()
print(flag)


# 🐠Fun_factoring

Have fun in the factoring!

```py
import random
from Crypto.Util.number import *
from gmpy2 import next_prime
from secret import flag1, flag2

def init():
    primes = []
    p = 1
    while len(primes) < 100:
        p = next_prime(p)
        primes.append(int(p))
    return primes

primes = init()
p1 = getPrime(256)
while True:
    q1 = 1
    while q1.bit_length() < 255:
        q1 *= random.choice(primes)
    q1 = q1 + 1
    if isPrime(q1):
        break

n1 = p1 * q1
e = 65537
m1 = bytes_to_long(flag1)
c1 = pow(m1, e, n1)

print(f'{n1 = }')
print(f'{c1 = }')

m2 = bytes_to_long(flag2)
p2 = getPrime(256)
q2 = getPrime(256)
n2 = p2 * q2
c2 = pow(m2, e, n2)

phi = (p2 - 1) * (q2 - 1)
e2 = getPrime(256)
d2 = inverse(e2, phi)

hint1 = getPrime(256) * n2
hint2 = e2 * d2

print(f'{c2 = }')
print(f'{hint1 = }')
print(f'{hint2 = }')
```

------

RSA攻击，分解PRIMES。

首先`init()`函数生成了[前](https://zh.wikipedia.org/zh-cn/%E8%B3%AA%E6%95%B8%E5%88%97%E8%A1%A8)100个素数，$q_1-1$ [光滑](https://ctf-wiki.org/crypto/asymmetric/rsa/rsa_module_attack/#p-q-n)，考虑使用 Pollard's p - 1 algorithm。

第二个是[已知e*d分解n](https://www.di-mgt.com.au/rsa_factorize_n.html)，给的hint1里面多乘了一个未知素数。

In [None]:
from sage.all import *
from Crypto.Util.number import *
import random


def pollard(N, e, c):
    a, n = 2, 2
    while True:
        a = pow(a, n, N)
        res = gcd(a-1, N)
        if res != 1 and res != N:
            q = N // res
            d = inverse(e, (res-1)*(q-1))
            m = pow(c, d, N)
            return m
        n += 1

n1 = 29993156790273796411588637755401407649619741972315831791586727944419911570896819043688187483218756247767784823799572993962152654560761989054087817767687901
e = 65537
c1 = 28308885699728621592812918494757273712938007912315485487807230648420711341284570451708049371754826651903406663574768899937862287581243099737368091309807825

m1 = pollard(n1, e, c1)
flag1 = long_to_bytes(int(m1)).decode()
print(flag1)


def getpq(n, d_e):
	p = 1
	q = 1
	while p == 1 and q == 1:
		k = d_e - 1
		g = random.randint(0, n)
		while p == 1 and q == 1 and k % 2 == 0:
			k //= 2
			y = pow(g, k, n)
			if y != 1 and gcd(y - 1, n) > 1:
				p = gcd(y - 1, n)
				q = n // p
				return p, q
	return 0, 0

c2 = 3677242432073556679040222440039877927024312077564452145956625214187804614184186227277646425370459616386984491952553180136037741092781602470053045143802537
hint1 = 397340046977096077577115578026599912881304442662450049334426974861677656259439266980515145452369301652618056238525786266286451780972189318240092026572582216328286841448920434798083168400087303822060653407466964485682775061825982767
hint2 = 42319976894927564843833810567252442522907372281560684051129782019144211533194692653447095916384084531450449319697685128778953472384491084162072476640254892049041007337641419872550411941455264025858397584349456909103991157799852081

n2, r = getpq(hint1, hint2)
p2, q2 = getpq(n2, hint2)
assert p2 * q2 * r == hint1

phi_n2 = (p2 - 1) * (q2 - 1)
d = inverse(e, phi_n2)
m2 = pow(c2, d, n2)

flag2 = long_to_bytes(int(m2)).decode()
print(flag2)


# 🦅ezLattice

In [None]:
from sage.all import *
from Crypto.Util.number import long_to_bytes

C = Matrix([(144677713346957624019507733536070086000583480493652781477899076711148153230292098798872446531726678132089331080830636098076419482082861999024220005583755519773327508805051793863872850888263705008531442360287828578345878133230776416312579632401598284090004733249888046819940553234810783370239604605404007474164869929079372827884659269813487416817239117200593450444628739783605283836206833341229787757277984181466234560529435912200774888742434088352774543140378545, 606469894627177459514617750195821379946882622566858373472060054438703738311971772612334391173981446929089098763000956167556689148708714997150609496589520739311034907096699180956105152604230103967168966080753890064123893736520054936315403939633910951745788833896988167241460169120919691100078616321513441511272190040058176633130535729274072847506775347740220274436322668627187522430240328411183936200863693659466859437024002976912592187826260243575691769393216764, 718618084462014163096627204183254661785163316648026627680977189971903161429760696713073893117578512818937655225879182301812836697614712515392183685285415994369443246628697906018451243312746160398292932469164878488889878696643741366095732636350969795652864583742495855295864692914778202710659715055113293367037886394552959439612874922081773818945619610668509150795654982749468315621004696496470437497926594610545583908602624319054386494206067527389423048985741442, 828339208097201440225979683126023299991827484653447530847695480816154196860733834578870546666502554453185466828067184639584455949492859259935162829516224036225015142050874150203488299873847337711931731524045535514333895486528281481752710814500705557571664090168918012648932990866598405466385321005061118303201608160713632178977486544794550563116924338667104491837606346957083060657916519897895795140502868824422903133319324564106755544335922801464358889548075232), (98557505321806179560205361091977346613386405783888328158201047186412339679779226060511694079947686168491926437287883280270909986525857565639195987173798082110213665323406780682075947102197898505005035135697906524438808640208455679057609844069179846385658725963310168789522807169616218590958623310752109987991723412198515462865902879859242072401588684224537669980392041647209265557112438196041961933296103593366674060367469238871694829312136056902162096079943711, 421650964057814040848572790213188957815156172376208932699026968322530140664237479923324066339588291589077260065810658125095424708339253594318476005626214190957760100817695061783791265791816966617333192490414318952628750765842895772948142983150786687600744413383717711891943020431309604956311108430078134763258409909954523750318297993191443104413909204760920568676764009552818477238626076282437137350693893111418808984830731192694214261926317642143557968675967574, 513938264126900698623306003619941344099000978531111355808980107738715769759124246681140814870949843631373363564634716011619989987372053722244569228726686043298918451735925931446306870477743437336800568329431427552734824950755026543220895835453682774392444000206708389345791470407055397451320099793548052036345400594720198166102629511345675030460895177627133635114762250812394593729740558243812540999988488749737899866000687725939103514192549958347239914260185993, 572297472728450968894036129654563830092716749216046905542065781981409845743100068089784217153500209066545793473073045851624415077501148987297197973293727184086190894874122366612579284806620887636094377965125285595554099608704021172232225953095868350934668042710890977188941827233003344970252137769007752742672415149531081552802428252929912400727613726901056095730516870593157205791158626284708659368511594363349790207447906503357212785375271013593038981058723570), (26177211068774959553346141368866206775621799897402059650397204895900560095361064386212985688258553091344276662946300848283485643622474324633427496142953959534639000646692850547248593951664796269093896827633763106506628233306304670096673878191922610962217971634646191657944668764480677392316633754313040461130337565237917678006148398891912820318131102169243589598731093911595951895933233225995674470656001410701272992554561443699924642840148962999007555095943910, 114274381736732549331653025244467722438008441007078999244128190143769914293656553044455781907962771623853347733545189645492774196247754870612080998624166765048864283428236372312471340894598626057206589486073826482647921364028218356781960156829394832499747392085226266693464246690237501550812555913675102669213112253576711141238875149921218507807228105075755887982547408488749290209353591757692594759017370044066604122997707690579009577869203627165793135315116694, 143047453277377673102084935232569716479490674560154650441394028191906532457033437754119629278284948127343654002100598185342841904918784455061391767833939809226405563511374926857634643395026492911584305273527333633526361699381733527833490903707117304053169778782704791996009434121746905164349556183955685247236391565325878304982731533685834406853655377183357024806494104094851996319956547554729472030892942115776409550766761352347221235517193745057351296488901649, 154153717228685761916708849737659869128356695518893286026159003283605489750043472239864642520278239125468903162609943073304481886154574223631749370464677630992119481188801829892853014647355492844433780485095722030636064223998755491903276732662052952183559155478993417935036937039076398090822816023594147962672867947113851335359822940873210104610968952188752829191166126860560403445006066613725623760781372481262500771520930950087450443304131619266709717530933450), (13045572734588881701027036807529154823339424580345010043393731741546425617896634432631026851926907438743111718059168417659230416379261374066705243322072387363040495206165692215226832877136286974891921619673596285906115065931165895909772134409412185945620269410312299929850687862492330802139094041830496018167, 56949334851983719849953325675456886127755291391559407363071102162027540620583528026935959471264798996020357802516354374338348752130604233357273425489304755942382783123829421185875787630352554783497912469711543742659630835153596374028039321568814203699470175853360647549393237636101281795350690601924813987459, 71288570479294627205516219112873862084245338386642866815513955784003859751754941901022789845826232541120300654376095692486478247062443942762762302113267725465472454256554997989031597925972389983078430198597792614313204252974148000990617513134899758117150426114568391297758997288468503478913969413344968060807, 76823444832627051461794679335195993992709357170159573567627629624532138587182479941402944690416068985791827086212337849496371818499002445996976512032886928530489010060717932798056017344852160457398913328389559820185665345940165145426975144597143141960740763872371154277496185329893794327464660302354732664955)])
m = C.LLL().rows()[0]

flag = ''
for i in m:
	flag += long_to_bytes(-i).decode()

print(flag)


# 🦢BabyCurve
如何在椭圆曲线上定义一个群呢？

```python
from Crypto.Cipher import AES
from os import urandom
from Crypto.Util.Padding import pad
from Crypto.Util.number import *
from secret import flag

def encrypt(data, key):
    cipher = AES.new(key, AES.MODE_ECB)
    enc = cipher.encrypt(pad(data, AES.block_size))
    return enc

p = 9348030992978262347982920431034912130716881552084115381757548130699185130820479730646974634141092089651314678852571714802122984104452942803209295252010181
a = 7763518046982192251231517150944105482004832971680748456996310159078009542876654956303764776823623497403884988108392624824526960061132573798331838835960909
b = 10997613169313236085705837600762108982163011398922795151006166411501358991822489779966644769325114384948484844491824976044124478063235526767931678399125511
E = EllipticCurve(GF(p), [a, b])
e = 65537

while True:
    key = urandom(16) #生成随机字符串
    x = ZZ(bytes_to_long(key)) #ZZ是sage中的大整数类型
    if E.is_x_coord(x): #验证给的x是否在曲线上
        break

enc = encrypt(flag, key)
P = E.lift_x(x) #根据x坐标找到点P
Q = e * P

print(f'Q = {(Q[0], Q[1])}')
print(f'{enc = }')
```
------
简单的椭圆曲线群，sage跑一下就行了。

In [None]:
from Crypto.Cipher import AES
from Crypto.Util.Padding import *
from Crypto.Util.number import *

def decrypt(enc, key):
    cipher = AES.new(key, AES.MODE_ECB)
    dec = cipher.decrypt(enc)
    data = unpad(dec, AES.block_size)
    return data

p = 9348030992978262347982920431034912130716881552084115381757548130699185130820479730646974634141092089651314678852571714802122984104452942803209295252010181
a = 7763518046982192251231517150944105482004832971680748456996310159078009542876654956303764776823623497403884988108392624824526960061132573798331838835960909
b = 10997613169313236085705837600762108982163011398922795151006166411501358991822489779966644769325114384948484844491824976044124478063235526767931678399125511
E = EllipticCurve(GF(p), [a, b])
e = 65537

Q = (702269728158503157149596097443623465665001736303612719716566418594125500303838352102906729735173073066319779069987350585597471722439620961396365725087358, 7741251535874845030195254089473397439416170375681731646623904995909698213716045714883145323049811857989495704699439881764120694648581710750825272993480662)
enc = b'c\xea\x0eO\xf1V\n"\xf4\xd5V\x10\x06\x85\xd8a\xe5`\xab\xd4\x9b\x96Fz+:\x0b\xaeg-\x92\xe6\xfb:\xc7\xaf\x1b<\x04\xf0\x81\xb8\xbf\xc6\x96\x16q\x17\xd0\xb4F\x92L]\xa4\xe9|\xe1\xafg?\x1c\x88u{\x91\xe5=\x0c\xdb\xb6S\x02\xdd4\x90F.\xe8\xa9'

d = inverse(e, E.order())
Q = E.point(Q)
P = Q * d
x = P[0]

key = long_to_bytes(int(x))
flag = decrypt(enc, key).decode()
print(flag)


# 🐿️物不知数

今有物不知其数，三三数之剩二，五五数之剩三，七七数之剩二，问物几何？

```py
from Crypto.Util.number import *
from math import prod
from Secret import flag

m = bytes_to_long(flag)
assert m.bit_length() < 256
factors = []
for i in range(4):
    factors.append(getPrime(64))
factors.append(getPrime(256))
n = prod(factors) #分解n
g = 7

h = pow(g, m, n)

print('n =', n)
print('h =', h)
```

CRT、DLP

In [None]:
from sage.all import *
from Crypto.Util.number import *

n = 3322653117860796307881702118715938603299933196422318170688239817538863269879196751517883984368101175912757699818959313188577820238991745748791220070657861
h = 2124833808496595853801133466156124859021541288125712571058299295082272671181015365259674266573518307514981326822864098542354452199064749348011358863682094
g = 7

primes, exp = zip(*factor(n))
primes = primes[:-1]
dlogs = []
pri = []

for fac in primes:
    F = GF(fac)
    dlog = F(h).log(F(g))
    dlogs.append(dlog)
    pri.append(fac - 1)

m = crt(list(dlogs), list(pri))
print(long_to_bytes(m).decode())


# 😋叒是欧几里得

GCD算法不一定只用在整数环。

```py
from Crypto.Util.number import *
from random import randint
from secret import flag

m = bytes_to_long(flag)
assert m.bit_length() < 240

p, q = getPrime(512), getPrime(512)
n = p * q
e = 127
delta = getPrime(1024)

c1 = pow(m + delta * randint(1, 16), e, n)
c2 = pow(m + delta * randint(1, 16), e, n)

print('n =', n)
print('delta =', delta)
print('c1 =', c1)
print('c2 =', c2)
```

这里Alice用同一公钥e对两个具有线性关系的消息加密，并将加密后的消息发送给了Bob。满足[Related Message Attack](https://ctf-wiki.org/crypto/asymmetric/rsa/rsa_coppersmith_attack/)的攻击条件，[Franklin–Reiter related-message attack](https://en.wikipedia.org/wiki/Coppersmith's_attack#Franklin–Reiter_related-message_attack)即可。

在[这篇博客](https://www.ruanx.net/coppersmith/)里找到了一模一样的攻击。

嗨，又是铜。$m_1=m+k_1\delta,\ m_2=m+k_2\delta$，$r=(k_1-k_2)\delta$。

In [None]:
from Crypto.Util.number import *

def pgcd(p1, p2):
    return p1.monic() if not p2 else pgcd(p2, p1%p2)

def franklinReiter(n, e, r, c1, c2):
    R.<X> = PolynomialRing(Zmod(n))
    f1 = X^e - c1
    f2 = (X + r)^e - c2
    return Integer(n - (pgcd(f1, f2)).coefficients()[0])

n = 106779363880076711773075699433100599895752060445908922588084993492786672784954758549724923806403815118329157370314538739556401945331526955585157296102995095058754131439773509333156269006100625688320139764686427638742922183379567401526489614734413753625605868977997707989608662119117472672541825583454466252249
delta = 118213943928964692131681911554523043480519176140778442241686032633789966281330512604904235341538576163059642583837358962734675482139463734627459846464016893267630963298445219866530559060385220958414475107951781234568817651589371875381274817463012860268745594355922832515274085557941829993477982849565203831157
c1 = 34663150129434657933013580561073403868368642117172823953309968804053630576027962656647472614936858072893901317336864316142615890221332765871236633745002723914241788757810175949804415680907931109864935094279302980782233439010460241333733342348240105606827729876563669989545941758458007227666481095933161752880
c2 = 20732184545170566185887724502415035711290809508036601172320311201995234181771554470576913863496604707865719290738222775905251826243178014149682876398475630299003284439939330536792467070111163515963000915599545258223116155880179560004989878902770439637039588673994503746074047210052685834276257197511496439251

for i in range(-255, 256):
    e = 127
    m = franklinReiter(n, e, i * delta, c1, c2)
    found = False
    for j in range(1, 256):
        try:
            flag = long_to_bytes((m - j * delta % n + n) % n).decode()
        except Exception as e:
            continue
        else:
            print(flag)
            found = True
            break
    if found:
        break
