HSCCTF 2025 WriteUp - Q1uJu's House

题目后面带(!)的是指AI出了但还没复现的~

CRYPTO#

Ancient#

base64 -> base32 -> base85 -> base45 -> base62 -> base58

flag{cl@ss1cal_c1pher_@re_really_1nterest1ng}

Sign_in#

题目：

1
from Crypto.Util.number import *
2
from gmpy2 import *
3
import random
4

5
get_context().precision = 2048
6

7
L = 5
8
S = getPrime(144)
9
a = getPrime(32)
10
b = random.randint(0, S - 1)
11

12
def split_and_pad_single_char_rule(msg, L):
13
    segments = []
14
    assert L >= 1
15
    pad_len = L - 1
16
    for char_idx, char_byte in enumerate(msg):
17
        char_ascii = char_byte
18
        pad_bytes = bytes([(char_ascii + i + 1) % 256 for i in range(pad_len)])
19
        seg_bytes = bytes([char_byte]) + pad_bytes
20
        segments.append(bytes_to_long(seg_bytes))
21
    return segments
22

23
def encrypt_segment(m_i, a, b, M):
24
    return (a * m_i + b) % M
25

26
flag = "flag{___________________}"
27
msg_bytes = flag.encode()
28
m_segments = split_and_pad_single_char_rule(msg_bytes, L)
29
c_segments = [encrypt_segment(mi, a, b, S) for mi in m_segments]
30

31
print(f"a = {a}")
32
print(f"S = {S}")
33
print(f"L = {L}")
34
print(f"C = {c_segments}")
35
print(f'M = {m_segments}')
36

37
'''
38
a = 3517115977
39
S = 13338196046628817705384101887069807236659077
40
L = 5
41
C = [...]
42
'''

整体加密流程就是先用split_and_pad_single_char_rule这个特殊的填充算法填充字符，例如f（ASCII 102, 0x66）填充后就是\x66\x67\x68\x69\x6a然后转换为一个大整数m。

然后剩下encrypt_segment就是一个简单的仿射加密，我们这里可以取确定的最后一位flag也就是}来进行填充后，通过一对已知明文密文对和a还有S求解出b，然后就可以求解整个密文组了。

exp.py：

1
from Crypto.Util.number import inverse
2

3
a = 3517115977
4
S = 13338196046628817705384101887069807236659077
5
L = 5
6
C = [...]
7
m_last = int("".join(hex(ord("}") + i)[2:] for i in range(L)), 16)
8
b = (C[-1] - a * m_last) % S
9
a_inv = inverse(a, S)
10
flag = ""
11
for c in C:
12
    m = (c - b) * a_inv % S
13
    flag += chr(int(hex(m)[2:4], 16))
14
print(flag)
15
# flag{s1gn_1n_t0geth5r_xixi}

Math#

题目：

1
from Crypto.Util.number import *
2

3

4
def gen_rev_sum(m,p):
5
    sum = 0
6
    round = 0
7
    while m > 0:
8
        digit = m % p
9
        if round % 2 == 0:
10
            sum -= digit
11
        else:
12
            sum += digit
13
        m = m // p
14
        round += 1
15
    return sum // 2025
16

17

18
e = 65537
19
p = getPrime(256)
20
q = getPrime(256)
21
n = p*q
22

23
m1 = getRandomNBitInteger(2048)
24
m2 = getRandomNBitInteger(2048)
25
sum1 = gen_rev_sum(m1, p)
26
sum2 = gen_rev_sum(m2, p)
27

28
flag = "flag{--------------------------}"
29
m = bytes_to_long(flag.encode())
30

31
print("m1 =",m1)
32
print("m2 =",m2)
33
print("sum1 =",sum1)
34
print("sum2 =",sum2)
35
print("n =",n)
36
print("c =",pow(m,e,n))
37

38
'''
39
m1 = ...
40
m2 = ...
41
sum1 = ...
42
sum2 = ...
43
n = ...
44
c = ...
45
e = 65537
46
'''

直接看加密使用的gen_rev_sum函数：

将m进行p进制分解：
$m=d_0+d_1*p+d_2*p^2+\dots$
计算一个交替和S：
$S=-d_0+d_1-d_2+d_3-\cdots=\sum(-1)^{i+1}d_i$
最终返回sum := S // 2025。

由于最后给出的是整除了的值，所以得爆破一下余数r：S = sum * 2025 + r， 0 <= r < 2025。

然后p进制分解可以在模(p + 1)运算上推导：

\begin{aligned} p\equiv -1\pmod{p+1}\\ p^i\equiv (-1)^i\pmod{p+1}\\ m\equiv \sum d_i(-1)^i\pmod{p+1}\\ S=\sum d_i(-1)^{i+1}\equiv -\sum d_i(-1)^i\pmod{p+1}\\ m+S=\sum d_i(-1)^i-\sum d_i(-1)^i\equiv 0\pmod{p+1} \end{aligned}

那么可以用gcd(m1 + S1, m2 + S2)来打出p + 1。

exp.py：

1
from Crypto.Util.number import long_to_bytes
2
from gmpy2 import gcd, invert
3
from tqdm import trange
4
from sys import exit
5

6
m1 = ...
7
m2 = ...
8
sum1 = ...
9
sum2 = ...
10
n = ...
11
c = ...
12
e = 65537
13
base1 = m1 + sum1 * 2025
14
base2 = m2 + sum2 * 2025
15
for r1 in trange(2025):
16
    v1 = base1 + r1
17
    for r2 in range(2025):
18
        v2 = base2 + r2
19
        g = gcd(v1, v2)
20
        if g.bit_length() >= 254:
21
            p = g - 1
22
            q = n // p
23
            assert p * q == n
24
            phi = (p - 1) * (q - 1)
25
            d = invert(e, phi)
26
            m = pow(c, d, n)
27
            print(long_to_bytes(m).decode())
28
            exit(0)
29
#  62%|██████▏   | 1254/2025 [00:18<00:11, 68.31it/s]
30
# flag{Reverse_Sum_Mod_p+i_GCD_2025!}

EZRSA#

题目：

1
from Crypto.Util.number import *
2

3
def tran(n):
4
    s_bin = bin(n)[2:]
5
    bit_map = {'0': '10', '1': '01'}
6
    p_bin = '11' + ''.join([bit_map[bit] for bit in s_bin[1:]])
7
    return int(p_bin, 2)
8

9
def keygen(nbit):
10
    while True:
11
       s = getPrime(nbit)
12
       p = tran(s)
13
       if not isPrime(p):
14
          continue
15
       s_bin = bin(s)[2:].zfill(nbit)
16
       q_bin = (s_bin[:nbit // 2]
17
              + '1' * (nbit // 2)
18
              + s_bin[nbit // 2:]
19
              + '1' * (nbit // 2))
20
       q = int(q_bin, 2)
21
       if isPrime(q):
22
             return p,q
23

24
flag = "flag{____________________________}"
25
nbit = 256
26
p, q = keygen(nbit)
27
m = bytes_to_long(flag.encode())
28
e= 65537
29
n = p * q
30
c = pow(m, e, n)
31

32
print(f'n = {n}')
33
print(f'c = {c}')
34

35
"""
36
n = ...
37
c = ...
38
"""

p和q的生成依赖于一个初始的 256 bit 的种子s。

p的生成：

将s转为二进制。
忽略最高位，对其余位进行映射：0->10，1->01。
头部固定拼接11。

q的生成：

将s转为二进制s_bin，s_high = s_bin[:128], s_low = s_bin[128:]。
q就是拼接s_high + 1 * 128 + s_low + 1 * 128。

最后得到两个 512 bit 的n的质因数。

解密的话直接从低位开始往上逐比特爆破 + 剪枝就行。

exp.py：

1
from Crypto.Util.number import inverse, long_to_bytes
2
from tqdm import trange
3
from sys import exit
4

5
def gen_p_q(s_bits):
6
    s_bin = "".join(str(b) for b in s_bits)
7
    # p
8
    bit_map = {'0': '10', '1': '01'}
9
    p_bin = '11' + ''.join([bit_map[bit] for bit in s_bin[1:]])
10
    p = int(p_bin, 2)
11
    # q
12
    q_bin = (s_bin[:nbit // 2]
13
             + '1' * (nbit // 2)
14
             + s_bin[nbit // 2:]
15
             + '1' * (nbit // 2))
16
    q = int(q_bin, 2)
17
    return p, q
18

19
n = ...
20
c = ...
21
e = 65537
22
nbit = 256
23
s_bits = [0] * nbit
24
stack = [(255, 0)]
25
for k in trange(nbit):
26
    idx = 255 - k
27
    found = False
28
    for bit in [0, 1]:
29
        s_bits[idx] = bit
30
        p, q = gen_p_q(s_bits)
31
        check_bits = 2 * (k + 1)
32
        mask = (1 << check_bits) - 1
33
        if (p * q) & mask == n & mask:
34
            found = True
35
            break
36
    if not found:
37
        print(f"Error finding bit at index {idx} (k={k})")
38
        exit(1)
39
p, q = gen_p_q(s_bits)
40
assert p * q == n
41
phi = (p - 1) * (q - 1)
42
d = inverse(e, phi)
43
m = pow(c, d, n)
44
print(long_to_bytes(m).decode())
45
# 100%|██████████| 256/256 [00:00<00:00, 27760.33it/s]
46
# flag{n1ce_th1s_RSA_I_can_do_it}

Where#

题目：

1
from Crypto.Util.number import *
2
import random
3

4
flag = "flag{_______________________________}"
5
m = bin(bytes_to_long(flag.encode()))[2:]
6
p = getPrime(300)
7
q = getPrime(300)
8
n = p * q
9

10
R.<x> = PolynomialRing(Zmod(n))
11

12
def gen(m):
13
    C = []
14
    for bit in m:
15
        if bit == '0':
16
            C.append(random.randint(1, n-1))
17
        else:
18
            x = random.randint(1, 2^80)
19
            y = random.randint(1, p-1)
20
            val = 65537 + x*(1-x) +(q - x)*y + (y + x)*(q + x)
21
            C.append(R(val))
22
    return C
23

24
c = gen(m)
25
print(f"n = {n}")
26
print(f"c = {c}")

主要看gen函数，当m的bit == '1'时，密文：

C_i=65537+x*(1-x)+(q-x)*y+(y+x)*(q+x)

在模n域下展开：

\begin{aligned} C_i=65537+x-x^2+qy-xy+yq+xy+xq+x^2\\ =65537+x+2yq+xq=65537+x+q(2y+x) \end{aligned}

而本题最后加到C列表里的也是R(val)，所以如果我们模q看：

C_i\equiv 65537+x\pmod{q}

这说明对于bit = 1的密文，(C_i - 65537)(mod q)一定小于2 ** 80，而对于bit = 0，(C_i - 65537)(mod q)会随机且大概率接近2 ** 300。而第一个密文C[0]一定对应bit = 1，那么我们可以有方程：

f=C_0-65537-x_0\equiv 0\pmod{q}

此时x只有2 ** 80，可以直接 Copper 打出q，然后根据x的值反推flag的比特流就行。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import long_to_bytes
3

4
n = ...
5
c = [...]
6
PR.<x> = PolynomialRing(Zmod(n))
7
target_val = c[0] - 65537
8
f = target_val - x
9
roots = f.monic().small_roots(X=2**80, beta=0.27)
10
x_0 = roots[0]
11
q = gcd(int(c[0] - 65537 - x_0), n)
12
m_bits = ""
13
threshold = 2 ** 81
14
for i in c:
15
    x = (i - 65537) % q
16
    if x < threshold:
17
        m_bits += "1"
18
    else:
19
        m_bits += "0"
20
print(long_to_bytes(int(m_bits, 2)).decode())
21
# flag{where_1s_th5_flag_where}

StillRSA#

题目：

1
from Crypto.Util.number import *
2
from gmpy2 import *
3

4

5
def gen():
6
    while(1):
7
        p1 = getPrime(128)
8
        p2 = getPrime(512)
9
        q2 = getPrime(512)
10
        s = q2 & ((1 << 56) - 1)
11
        q1 = 2 * p1 + s
12
        r1 = 2 * q1 + s
13
        if is_prime(q1) and is_prime(r1):
14
            n1 = p1 * q1 * r1
15
            n2 = p2 * q2
16
            break
17
    return n1,n2,p1,p2
18

19

20
n1,n2, p1, p2 = gen()
21
e = 65537
22

23
flag = "flag{---------------------------------------}".encode()
24
m1 = bytes_to_long(flag[: (len(flag)+1) // 2])
25
m2 = bytes_to_long(flag[(len(flag)+1) // 2 :])
26

27
c1 = powmod(m1, e, n1)
28
c2 = powmod(m2, e, n2)
29

30
gift = p2 >> 262
31

32
print(f"e = {e}")
33
print(f"n1 = {n1}")
34
print(f"n2 = {n2}")
35
print(f"c1 = {c1}")
36
print(f"c2 = {c2}")
37
print(f"p1 = {p1}")
38
print(f"gift = {gift}")
39

40
'''
41
e = 65537
42
n1 = ...
43
n2 = ...
44
c1 = ...
45
c2 = ...
46
p1 = ...
47
gift = ...
48
'''

flag分为了两部分。

第一部分

\begin{aligned} n_1=p_1q_1r_1,q_1=2p_1+s,r_1=2q_1+s\\ n_1/p_1=q_1r_1=(2p_1+s)(4p_1+3s)=8p_1^2+10p_1s+3s^2\\ \end{aligned}

已知n1和p1，直接解一元二次方程得到s即可分解出q1和r1。

第二部分

第一部分求出的s是q2的低 56 位，还给出了p2的高 250 位，可以从q2的低 56 位求出p2的低 56 位：

\begin{aligned} n_2=p_2q_2,n_2\equiv p_2\cdot s\pmod{2^{56}}\\ p_2\pmod{2^{56}}=n_2\cdot s^{-1}\pmod{2^{56}} \end{aligned}

然后 copper 打出p的中间部分就行。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import inverse, long_to_bytes
3

4
e = 65537
5
n1 = ...
6
n2 = ...
7
c1 = ...
8
c2 = ...
9
p1 = ...
10
gift = ...
11
# Part 1
12
s = var('s')
13
f = (2 * p1 + s) * (4 * p1 + 3 * s) - n1 // p1
14
s = int(f.roots(multiplicities=False)[1])
15
q1 = 2 * p1 + s
16
r1 = 2 * q1 + s
17
assert p1 * q1 * r1 == n1
18
phi1 = (p1 - 1) * (q1 - 1) * (r1 - 1)
19
d1 = inverse(e, phi1)
20
m1 = pow(c1, d1, n1)
21
flag1 = long_to_bytes(m1).decode()
22
# Part 2
23
p2h = gift << 262
24
p2l = inverse(s, 2 ** 56) * n2 % (2 ** 56)
25
PR.<x> = PolynomialRing(Zmod(n2))
26
f = p2h + x * 2 ** 56 + p2l
27
res = f.monic().small_roots(X=2**206, beta=0.4)[0]
28
p2 = int(p2h + res * 2 ** 56 + p2l)
29
q2 = n2 // p2
30
assert p2 * q2 == n2
31
phi2 = (p2 - 1) * (q2 - 1)
32
d2 = inverse(e, phi2)
33
m2 = pow(c2, d2, n2)
34
flag2 = long_to_bytes(m2).decode()
35
print(flag1 + flag2)
36
# flag{Im_a_fw_that_only_crafts_RSA_challenges}

Abg#

题目：

1
from Crypto.Util.number import *
2

3
def ECC(bit):
4
    g = getPrime(bit)
5
    a = getPrime(bit)
6
    b = getPrime(bit)
7

8
    E = EllipticCurve(GF(g),[a,b])
9
    J = E.random_point()
10
    K = E.random_point()
11
    L = E.random_point()
12

13
    r = getPrime(bit // 2)
14
    k = getPrime(16)
15

16
    s  = r * J
17
    s1 = r * J + k * L
18
    s2 = r * k * J
19

20
    return L.xy(), s.xy(), s1.xy(), s2.xy(), K.xy()
21

22
def RSA(m, s, bit):
23
    p = getPrime(bit)
24
    q = getPrime(bit)
25
    rr = getPrime(bit)
26
    n = p * q
27

28
    gift = pow(rr, rr * (p-1), n)
29
    enc = pow(m, int(s), n)
30

31
    return gift, n, enc
32

33
flag = "flag{--------------------------------}"
34
m = bytes_to_long(flag.encode())
35

36
L, s, s1, s2, K = ECC(256)
37
gift, n, enc = RSA(m, abs(int(s[0] - s[1])), 512)
38

39
print("L =", L)
40
print("s1 =", s1)
41
print("s2 =", s2)
42
print("K =", K)
43
print("enc =", enc)
44
print("gift =", gift)
45
print("n =", n)
46

47
'''
48
L = (..., ...)
49
s1 = (..., ...)
50
s2 = (..., ...)
51
K = (..., ...)
52
enc = ...
53
gift = ...
54
n = ...
55
'''

题目分为一个 ECC 层和一个 RSA 层。

ECC层

随机生成一个椭圆曲线以及三个随机点。接着生成了一个随机秘密点s = r * J和一个很小的随机数k = getPrime(16)，同时给了我们s1和s2：

s_1=s+k\cdot L,s_2=k\cdot s

首先要通过已知的四个点L，s1，s2，K联立方程来求出g，a，b三个参数。

x_1-x_2\equiv (y_1^2 - y_2^2)-(x_1^3 - x_2^3)\pmod{g}

有点类似 LCG 的消元法就可以求出。

接下来看k，k只有 16 位，可以直接爆破找到一个满足以下等式的k：

s_2=k\cdot (s_1-k\cdot L)=k\cdot s_1-k^2\cdot L

有k后就可以直接算得s = s1 - k * L。

RSA层

主要点在e = |x - y|，以及给我们的后门gift：

gift\equiv rr^{rr(p-1)}\pmod{n} \Rightarrow gift=(rr^{rr})^{p-1}\equiv 1\pmod{p}

所以有p = gcd(gift - 1, n)。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import inverse, long_to_bytes
3

4
L = (..., ...)
5
s1 = (..., ...)
6
s2 = (..., ...)
7
K = (..., ...)
8
enc = ...
9
gift = ...
10
n = ...
11
points = [L, s1, s2, K]
12
val_list = []
13
for i in range(len(points) - 1):
14
    x1, y1 = points[i]
15
    x2, y2 = points[i + 1]
16
    lhs = x1 - x2
17
    rhs = (y1 ** 2 - y2 ** 2) - (x1 ** 3 - x2 ** 3)
18
    val_list.append((lhs, rhs))
19
candidates = []
20
for i in range(len(val_list) - 1):
21
    v1 = val_list[i]
22
    v2 = val_list[i + 1]
23
    res = v1[1] * v2[0] - v2[1] * v1[0]
24
    candidates.append(abs(res))
25
g = candidates[0]
26
for c in candidates[1:]:
27
    g = gcd(g, c)
28
lhs, rhs = val_list[0]
29
a = (rhs * inverse_mod(lhs, g)) % g
30
x, y = L
31
b = (y ** 2 - x ** 3 - a * x) % g
32
E = EllipticCurve(GF(g), [a, b])
33
P_L = E(L)
34
P_s1 = E(s1)
35
P_s2 = E(s2)
36
k = None
37
for k_guess in primes(2, 65536):
38
    term1 = k_guess * P_s1
39
    term2 = (k_guess * k_guess) * P_L
40
    check = term1 - term2
41
    if check == P_s2:
42
        k = k_guess
43
        break
44
P_s = P_s1 - k * P_L
45
s_coords = P_s.xy()
46
e = abs(int(s_coords[0]) - int(s_coords[1]))
47
p = gcd(gift - 1, n)
48
q = n // p
49
assert p * q == n
50
phi = (p - 1) * (q - 1)
51
d = inverse(e, phi)
52
m = pow(enc, d, n)
53
print(long_to_bytes(m).decode())
54
# flag{this_1s_a_so_EZ_Ecc_and_RSA_}

1ZRSA(!)#

题目：

1
from Crypto.Util.number import *
2
from gmpy2 import *
3
import random
4

5
def RSA(m,nbit):
6
    while True:
7
        p, q, e = getPrime(nbit), getPrime(nbit), getPrime(nbit)
8
        n = p * q
9
        phi_n = (p - 1) * (q - 1)
10
        d = int(inverse(e, phi_n))
11
        if len(bin(d)[2:]) == 1024:
12
            break
13

14
    keep_bits = nbit * 2 - 100
15
    mask = int((1 << keep_bits) - 1)
16
    d_ = d & mask
17
    c = powmod(m, e, n)
18
    return c,n,e,d_
19

20
def gen(nbit):
21

22
    c, n, e, d_ = RSA(m, nbit)
23
    N = getPrime(nbit * 2)
24
    t = random.randint(1, nbit * 2 - 1)
25
    C = [random.randint(0, N - 1) for _ in range(t - 1)] + [powmod(d_,1,N)]
26
    R.<x> = GF(N)[]
27
    f = R(0)
28
    for i in range(t):
29
        f += x ** (t - i - 1) * C[i]
30
    enc = [(a, f(a)) for a in [random.randint(1, N - 1) for _ in range(t)]]
31

32
    with open("output.txt", "w", encoding="utf-8") as f_out:
33
        f_out.write(f"c = {c}\n")
34
        f_out.write(f"n = {n}\n")
35
        f_out.write(f"e = {e}\n")
36
        f_out.write(f"N = {N}\n")
37
        f_out.write(f"enc = {enc}\n")
38

39
flag = "flag{-------------------------------}"
40
m = bytes_to_long(flag.encode())
41

42
if __name__ == "__main__":
43
    gen(512)

主要考察了d的低位泄露以及Shamir的秘密共享方案。

秘密共享可以直接利用 SageMath 的lagrange_polynomial函数恢复P(x)，然后计算P(0)得到d_low。

后面d的低位泄露具体其实有点不是很清楚了，之前的二元脚本打不通，翻到了鸡块师傅的博客然后找到论文，让Gemini根据论文写的脚本了，之后还得再好好学习学习，附个论文链接。

exp.py：

1
# SageMath 10.7
2
from sage.all import *
3
import time
4
from math import isqrt
5
from Crypto.Util.number import inverse, long_to_bytes
6

7
def solve_bloemer_may_heavy(n, e, d_low, leak_bits):
8
    print(f"[*] Initializing HEAVY Attack (Leak: {leak_bits} bits)...")
9

10
    # 1. 构造模数 M
11
    M_shift = 2**leak_bits
12
    Modulus = e * M_shift
13
    C = (e * d_low - 1) % Modulus
14

15
    # 2. 定义环和变量
16
    PR = PolynomialRing(ZZ, names=['y', 'z'])
17
    y, z = PR.gens()
18

19
    # f(y, z) = y(N - z) - C
20
    f = y * (n - z) - C
21

22
    # 3. 设定界限
23
    Y_bound = e                  # k < e
24
    Z_bound = isqrt(n) * 3       # z approx 2*sqrt(N)
25

26
    print(f"[*] Modulus bits: {Modulus.nbits()}")
27
    print(f"[*] Unknowns product: {(Y_bound * Z_bound).nbits()}")
28
    print(f"[*] Ratio: {(Y_bound * Z_bound).nbits() / Modulus.nbits():.4f}")
29

30
    # 4. 构造 Lattice (高强度参数)
31
    # 提升 m 到 6，t 到 3
32
    m = 6
33
    t = 3
34

35
    poly_list = []
36

37
    # y-shifts: y^j * M^i * f^(m-i)
38
    for i in range(m + 1):
39
        for j in range(i + 1):
40
            g = (y**j) * (Modulus**i) * (f**(m - i))
41
            poly_list.append(g)
42

43
    # z-shifts: z^j * M^i * f^(m-i)
44
    for i in range(m + 1):
45
        for j in range(1, t + 1):
46
            h = (z**j) * (Modulus**i) * (f**(m - i))
47
            poly_list.append(h)
48

49
    # 去重
50
    poly_list = sorted(list(set(poly_list)), key=lambda p: p.degree())
51

52
    # 构建矩阵 (修复 Deprecation Warning)
53
    seq = Sequence(poly_list, PR)
54
    try:
55
        B, monomials = seq.coefficients_monomials()
56
    except AttributeError:
57
        B, monomials = seq.coefficient_matrix()
58
    monomials = vector(monomials)
59

60
    # 权重平衡
61
    factors = [monomial(Y_bound, Z_bound) for monomial in monomials]
62
    for i, factor in enumerate(factors):
63
        B.rescale_col(i, factor)
64

65
    print(f"[*] Lattice dimension: {B.nrows()}x{B.ncols()}")
66
    print(f"[*] Running LLL (hold tight, this may take 1-2 mins)...")
67

68
    start = time.time()
69
    B = B.dense_matrix().LLL()
70
    print(f"[*] LLL finished in {time.time() - start:.2f}s")
71

72
    # 还原
73
    B = B.change_ring(QQ)
74
    for i, factor in enumerate(factors):
75
        B.rescale_col(i, 1 / factor)
76

77
    # 5. 提取根
78
    print("[*] Extracting roots...")
79

80
    vecs = []
81
    for i in range(B.nrows()):
82
        h_vec = B.row(i)
83
        h_poly = h_vec * monomials
84

85
        if h_poly != 0 and not h_poly.is_constant():
86
            # 强制类型转换为 ZZ 上多项式
87
            h_poly = h_poly.change_ring(ZZ)
88
            # 归一化 (去除公因子)
89
            h_poly = h_poly // h_poly.content()
90
            vecs.append(h_poly)
91

92
    # 尝试策略 1: 简单的单变量因子
93
    for h in vecs:
94
        try:
95
            for fac, _ in h.factor():
96
                if fac.degree(z) == 1 and fac.degree(y) == 0:
97
                    val = -fac.constant_coefficient() / fac.leading_coefficient()
98
                    if val in ZZ: return int(val)
99
        except: pass
100

101
    # 尝试策略 2: Sylvester Resultant
102
    if len(vecs) >= 2:
103
        print("[*] Trying Sylvester Resultant...")
104
        # 尝试前几对向量
105
        for i in range(min(3, len(vecs))):
106
            for j in range(i + 1, min(4, len(vecs))):
107
                h1 = vecs[i]
108
                h2 = vecs[j]
109
                try:
110
                    res_matrix = h1.sylvester_matrix(h2, y)
111
                    res_poly = res_matrix.det()
112
                    if res_poly != 0 and res_poly.degree(z) > 0:
113
                        roots = res_poly.univariate_polynomial().roots()
114
                        for root, _ in roots:
115
                            if root in ZZ: return int(root)
116
                except: pass
117

118
    # 尝试策略 3: Groebner Basis (作为最后的兜底)
119
    if len(vecs) >= 2:
120
        print("[*] Trying Groebner Basis (Fallback)...")
121
        try:
122
            # 在 QQ 上计算 GB
123
            PR_QQ = PolynomialRing(QQ, names=['y', 'z'])
124
            ideal_polys = [PR_QQ(p) for p in vecs[:3]] # 取前3个
125
            I = Ideal(ideal_polys)
126
            gb = I.groebner_basis()
127

128
            for p in gb:
129
                # 寻找 z - z0
130
                if p.degree(PR_QQ.gen(1)) == 1 and p.degree(PR_QQ.gen(0)) == 0:
131
                    val = -p.constant_coefficient() / p.leading_coefficient()
132
                    if val in ZZ: return int(val)
133
        except Exception as e:
134
            print(f"[-] GB failed: {e}")
135

136
    return None
137

138
c = ...
139
n = ...
140
e = ...
141
N = ...
142
enc = [...]
143
R_field = GF(N)
144
points = [(R_field(x), R_field(y)) for x, y in enc]
145
poly_shamir = PolynomialRing(R_field, 'w').lagrange_polynomial(points)
146
d_low = int(poly_shamir(0))
147
leak_bits = 924
148
z_val = solve_bloemer_may_heavy(n, e, d_low, leak_bits)
149
s = z_val + 1
150
diff = isqrt(s ** 2 - 4 * n)
151
p = (s + diff) // 2
152
q = (s - diff) // 2
153
assert p * q == n
154
phi = (p - 1) * (q - 1)
155
d = inverse(e, phi)
156
m = pow(c, d, n)
157
print(long_to_bytes(m).decode())
158
# flag{Coppersmith_Lagrange_RSA_7f9d2b4e0a3c5e8g1h6j0k9l3m5n2p4q}

持续更新中~

CRYPTO#

Ancient#

Sign_in#

Math#

EZRSA#

Where#

StillRSA#

Abg#

1ZRSA(!)#