In [1]:
import telnetlib
import json

host = "socket.cryptohack.org"
port = int(13386)

def readline():
    return tn.read_until(b"\n")

def json_recv():
    line = readline()
    return json.loads(line.decode())

def json_send(hsh):
    request = json.dumps(hsh).encode()
    tn.write(request)

def get_data():
    opening = readline()
    json_send({
        "option" : "get_flag"
    })
    data = json_recv()
    return data

In [2]:
def trimZero(f):
    while len(f) > 0 and f[-1] == 0:
        f.pop()
    return f

def fillZero(f, lenFill):
    assert len(f) <= lenFill
    return f + [0] * (lenFill - len(f))
        
def modPoly(f, modulus):
    r = f.copy()
    for i in range(len(f)):
        r[i] %= modulus
        r[i] = int(r[i])
    return trimZero(r)

def makeMonic(f, modulus):
    r = f.copy()
    leadCoefficientInverse = inverse_mod(r[-1], modulus)
    for i in range(len(r)):
        r[i] *= leadCoefficientInverse
        r[i] %= modulus
        r[i] = int(r[i])
    return r

def addPoly(f1, f2):
    f3 = [0] * max(len(f1), len(f2))
    for i in range(len(f3)):
        if i < min(len(f1), len(f2)):
            f3[i] = f1[i] + f2[i]
        elif len(f1) < len(f2):
            f3[i] = f2[i]
        else:
            f3[i] = f1[i]
    return trimZero(f3)

def mulPoly(f1, f2):
    f3 = [0] * (len(f1) + len(f2))
    for i2 in range(len(f2)):
        for i1 in range(len(f1)):
            f3[i1 + i2] += f1[i1] * f2[i2]
    return trimZero(f3)

def powPoly(f, p):
    r = [1]
    for i in range(p):
        r = mulPoly(r, f)
    return r

def getRoots(f):
    _x_ = PolynomialRing(RationalField(), 'x').gen()
    fInPolyRep = 0
    for i in range(len(f)):
        fInPolyRep += f[i] * _x_ ^ i
    try:
#         print("[i] Finding roots of {}...".format(fInPolyRep))
        return fInPolyRep.roots()
    except:
        return []
    
def genPoly(f):
    _x_ = PolynomialRing(RationalField(), 'x').gen()
    P = 0
    for i in range(len(f)):
        P += f[i] * _x_ ^ i
    return P

def coppersmith(f, modulus, m, X=None):    
    # Assure monic
    assert f[-1] == 1
    
    # Get degree & set X if necessary
    degree = len(f) - 1
    assert degree >= 1
    if not X:
        X = int(modulus ^ (1 / degree))
        if degree == 1:
            X -= 1
#         print('[No upperbound is set so the algorithm set it to {}]'.format(X))
    
    print("[] Solving {} = 0 mod {} \n\tfor x < {} \n\tfor m = {}".format(genPoly(f), modulus, X, m))
    
    # Get dim
    dimension = (degree) * (m + 1)

    # Constructs a matrix.
    M = []
    for v in range( 0, m+1 ):
        for u in range( 0, degree ):
            # Generate g(x) function from f(x)
            g = mulPoly( mulPoly( [modulus^(m-v)], [0]*u+[1] ), powPoly(f, v) )
            
            # Create g(xX) from g(x)
            for i in range(len(g)):
                g[i] *= X^i
            
            # Append to row
            M.append( fillZero(g, dimension) )
    print("[i] Generated a matrix size {}x{}".format(len(M), len(M[0])))
    
    # Convert to matrix
    M = matrix(M)
#     print("[] M:\n")
#     print(M)
    
    # Apply LLL
    M = M.LLL()
#     print("\n[] M.LLL():\n")
#     print(M); print('\n')
    
    
    # Scroll through the shortest vectors as the new polynomials
    roots = []
    for row in M:
        f = trimZero([int(col) for col in row])
        for i in range(len(f)):
            assert f[i] % (X^i) == 0
            f[i] //= X^i
#         print("[] f: {}, row: {}".format(f, row))
        roots += getRoots(f)
    
    # Return unique X component of roots
    return list(dict.fromkeys([root[0] for root in roots]))

def getValue(f, x):
    value = 0
    for coefficient in f[::-1]:
        value += coefficient
        value *= x
    return value // x

def hastad(fs, Ns, m, X=None):
    for i in range(len(Ns)):
        for j in range(i+1, len(Ns)):
            if gcd(Ns[i], Ns[j]) != 1:
                raise ValueError("The Ns must be all coprime!")
    
    # Setup variables
    Ts    = [1] * len(fs)
    ProdN = 1
    for i in range(len(fs)):
        ProdN *= Ns[i]
        
    # Generate Ti, Chinese Remainder Coefficients
    for i in range(len(fs)):
        Ts[i] *= ProdN // Ns[i]
        Ts[i] *= int(inverse_mod(int(Ts[i] % Ns[i]), Ns[i]))
        
    # Make sure T serves our criteria
    for i in range(len(Ts)):
        for j in range(len(Ns)):
            if (i == j and Ts[i] % Ns[j] != 1) or (i != j and Ts[i] % Ns[j] != 0):
                assert False
        
    # Generate f(x) from fi(x)s
    f = [0]
    for i in range(len(fs)):
        f = addPoly(f, mulPoly([Ts[i]], fs[i]))
    f = modPoly(f, ProdN)
    
    # Make sure we actually had monic polynomial
    assert f[-1] == 1
    
    # Using coppersmith to solve
    return coppersmith(f, ProdN, m, X)

In [3]:
fs = []
Ns = []
e  = 11
for _ in range(e+1):
    tn = telnetlib.Telnet(host, port)
    data = get_data()

    c    = int(data["encrypted_flag"])                        # (a*m+b)^11
    N    = int(data["modulus"])                               # N
    a, b = int(data["padding"][0]), int(data["padding"][1])   # a, b

    f = modPoly(powPoly([b, a], e), N)
    f[0] -= c
    f = modPoly(f, N)
    
    fs.append(makeMonic(f, N))
    Ns.append(N)

In [4]:
def hastad2(fs, Ns, eps=1/8):
    for i in range(len(Ns)):
        for j in range(i+1, len(Ns)):
            if gcd(Ns[i], Ns[j]) != 1:
                raise ValueError("The Ns must be all coprime!")
    
    # Setup variables
    Ts    = [1] * len(fs)
    ProdN = 1
    for i in range(len(fs)):
        ProdN *= Ns[i]
        
    # Generate Ti, Chinese Remainder Coefficients
    for i in range(len(fs)):
        Ts[i] *= ProdN // Ns[i]
        Ts[i] *= int(inverse_mod(int(Ts[i] % Ns[i]), Ns[i]))
        
    # Make sure T serves our criteria
    for i in range(len(Ts)):
        for j in range(len(Ns)):
            if (i == j and Ts[i] % Ns[j] != 1) or (i != j and Ts[i] % Ns[j] != 0):
                assert False
        
    # Generate f(x) from fi(x)s
    f = [0]
    for i in range(len(fs)):
        f = addPoly(f, mulPoly([Ts[i]], fs[i]))
    f = modPoly(f, ProdN)
    
    # Make sure we actually had monic polynomial
    assert f[-1] == 1
    
    # Using coppersmith to solve
    P = genPoly(f).change_ring(Zmod(ProdN))
    return P.small_roots(eps=eps)

In [5]:
hastad(fs, Ns, 5, min(Ns))

[] Solving x^11 + 4381179725741741268811618293062092033231732051570009741194489816003213873753021868583667166639244370337943726128342808838339247885252396635869707654482970339199676021643774320612503211181002373490069095562855210410951084569488094187880188482331926953200733295868205218795105220094492388704679745047141574889419049190356133289110619925802057691171720480885240762932431396040195990748364011987267046071651197895935174072116192822309753620403645227242911578549383853809705389420612662817557805810347073217903087577064975930945384685132524754991531214926260848925406741046887580196544288720461325807019352074167940933154540504642039892747128419499939140673875439040631166626303228708476998823486625769721875746721909282149922090660503068719725200759119801949728683610702923908666073135050881911268602741872260673534094428728167792009714278243149081254388937540469662136348890076287818445980122383176524703147925594832387544255243604724377200903050979500008996844246803344311055885483757

[i] Generated a matrix size 66x66


KeyboardInterrupt: 