CTF—CRYPTO
椭圆加密
1.简介
椭圆曲线密码学(Elliptic curve cryptography),简称 ECC,和RSA、ElGamel 算法等类似,是一种公开秘钥加密的算法,也就是非对称加密。ECC 被公认为在给定秘钥长度下最安全的加密算法。ECC 依赖于解决大椭圆曲线离散对数问题的困难性。它的优势主要在于相对于其它方法,它可以在使用较短密钥长度的同时保持相同的密码强度。
2.ECC加解密
2.1密钥生成
用户A先选择一条椭圆曲线
\[E_q(a, b)
\]
选择其上的一个生成元G,假设其阶为n,之后再选择一个正整数
\[n_a
\]
将其作为密钥,计算:
\[P_a=n_aG
\]
所以,公钥为
\[P_a
\]
私钥为:
\[n_a
\]
2.2加密
用户 B 在向用户 A 发送消息 m,这里假设消息 m 已经被编码为椭圆曲线上的点,其加密步骤如下
1.查询用户A的公钥:
\[E_q(a,b),q,P_a,G
\]
2.在(1,q-1)的区间内选择随机数k
根据A的公钥计算
\[(x_1,y_1)=kG
\]
计算
\[(x_2,y_2)=kP_a
\]
如果为0,则从第二步重新开始
计算
\[C=m+(x_2,y_2)
\]
于是,发送给A的消息是
\[((x_1,y_1),C)
\]
2.3解密
利用私钥计算
\[n_a(x_1,y_1)=n_akG=kP_a=(x_2,y_2)
\]
计算消息
\[m=C-(x_2,y_2)
\]
3.Pohlig-Hellman与ECC
设求解的式子为:
\[Q=l*P
\]
其中,P为我们选取的一个基点,l是我们选定的随机数,就是要求解的私钥
首先取P的阶n。可使得n*P不存在最小的正整数
设
\[n=(p_1)^{e_1}*(p_2)^{e_2}....(p_r)^{e_r}
\]
对于i属于[1,r]
\[l_i=l\ mod\ p_i^{e_i}
\]
如果得到了这些 li 的值我们就能使用中国剩余定理进行求解得到 l 了,现在的问题就是求解这些
\[P_0=\frac{n}{p_i}P
\]
\[Q_0=\frac{n}{p_i}Q
\]
所以
\[Q_0=lP_0
\]
\[l_i*P=Q
\]
\[(z_0+z_1P_i+...+z_{e-1}P_i^{e-1})=Q_0
\]
即
\[z_0*P_0=Q_0
\]
所以
\[z_0P_0+(z_1p_i+...+z_{e-1}p_i^{e-1}P_0=Q_0)
\]
\[z_1p_i=Q_0-z_0P_0
\]
依次将zi全部算出来,然后用crt算出l
例题
[第五空间 2021]
task.py
print 'Try to solve the 3 ECC'from secret import flag
from Crypto.Util.number import *
assert(flag[:5]=='flag{')
flag = flag[5:-1]
num1 = bytes_to_long(flag[:7])
num2 = bytes_to_long(flag[7:14])
num3 = bytes_to_long(flag[14:])def ECC1(num):p = 146808027458411567A = 46056180B = 2316783294673E = EllipticCurve(GF(p),[A,B])P = E.random_point() Q = num*Pprint Eprint 'P:',Pprint 'Q:',Qdef ECC2(num):p = 1256438680873352167711863680253958927079458741172412327087203#import random#A = random.randrange(389718923781273978681723687163812)#B = random.randrange(816378675675716537126387613131232121431231)A = 377999945830334462584412960368612B = 604811648267717218711247799143415167229480E = EllipticCurve(GF(p),[A,B])P = E.random_point() Q = num*Pprint Eprint 'P:',Pprint 'Q:',Qfactors, exponents = zip(*factor(E.order()))primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]print primesdlogs = []for fac in primes:t = int(int(P.order()) / int(fac))dlog = discrete_log(t*Q,t*P,operation="+")dlogs += [dlog]print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime orderprint numprint crt(dlogs,primes)def ECC3(num):p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1bA = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2E = EllipticCurve(GF(p),[A,B])P = E.random_point() Q = num*Pprint Eprint 'P:',Pprint 'Q:',QECC1(num1)
print '=============='
ECC2(num2)
print '=============='
ECC3(num3)这题第一个部分就是简单的离散对数法就可以解决,第二部分需要用到Pohlig-Hellman,顺便提一下,dlog = discrete_log(t * Q, t * P,operation = "+")这句代码中,dlog = discrete_log()可以自动换域,所以可以使用CRT
关于这个离散对数的问题,可以详见
https://xz.aliyun.com/t/13919?time__1311=GqmxnD2D9A0QKGNDQieBK4YvxAKPrw7YLbD
EXP
from Crypto.Util.number import *
from sage.all import *
# Part1
from Crypto.Util.number import *
p = 146808027458411567
a = 46056180
b = 2316783294673
E = EllipticCurve(GF(p),(a,b))
P = E(119851377153561800,50725039619018388)
Q = E(22306318711744209,111808951703508717)
num1 = discrete_log(Q,P,operation = '+')
# Part2
p = 1256438680873352167711863680253958927079458741172412327087203
a = 377999945830334462584412960368612
b = 604811648267717218711247799143415167229480
E = EllipticCurve(GF(p),[a,b])
P = E(550637390822762334900354060650869238926454800955557622817950,700751312208881169841494663466728684704743091638451132521079)
Q = E(1152079922659509908913443110457333432642379532625238229329830,819973744403969324837069647827669815566569448190043645544592)
# Q = k * P
n = E.order()
def Pohlig_Hellman(n,P,Q):factors, exponents = zip(*factor(n))primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]print(primes)dlogs = []for fac in primes:t = int(int(P.order()) // int(fac))dlog = discrete_log(t*Q,t*P,operation="+")dlogs += [dlog]print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime ordernum2 = crt(dlogs,primes)return num2
num2 = Pohlig_Hellman(n,P,Q)
# Part3
p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p),[A,B])
P = E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610)
Q = E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537)
def SmartAttack(P,Q,p):E = P.curve()Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)for P_Qp in P_Qps:if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:breakQ_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)for Q_Qp in Q_Qps:if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:breakp_times_P = p*P_Qpp_times_Q = p*Q_Qpx_P,y_P = p_times_P.xy()x_Q,y_Q = p_times_Q.xy()phi_P = -(x_P/y_P)phi_Q = -(x_Q/y_Q)k = phi_Q/phi_Preturn ZZ(k)
num3 = SmartAttack(P, Q, p)
print(b'NSSCTF{' + long_to_bytes(num1) + long_to_bytes(num2) + long_to_bytes(num3) + b'}')
