zoukankan      html  css  js  c++  java

  • 2021第五空间,密码学crypto,ecc

    解密三个椭圆曲线算法

    一、椭圆曲线的离散对数问题

    (数据量不能太大,同样代码跑不出第2、3个flag)

     P是椭圆曲线的一个点,Q是椭圆曲线上的另一个点,求num其实就是已知椭圆曲线和两点求私钥,使用sagemath

    flag1 = 13566003730592612

    二、中国剩余定理解决离散对数问题

    在我思考怎么用中国剩余定理写代码的时候,群里老哥说中国剩余定理代码在加密算法ecc2下面写出来了

     啊啊啊啊啊啊,天啊

    把题里的中国剩余定理代码加到ecc1里

     flag2=16093767336603949

    参考资料:https://www.codercto.com/a/26932.html

    三、阶数与p相等采用smart's attack

    群里老哥说网上有源码

    把框里代码加到ecc1里

    flag3 = 19597596255129283097357413993866074145935170485891892

     参考资料:https://crypto.stackexchange.com/questions/70454/why-smarts-attack-doesnt-work-on-this-ecdlp

    四、flag

    >>> from Crypto.Util.number import long_to_bytes

    >>> a =13566003730592612
    >>> b=16093767336603949
    >>> c=19597596255129283097357413993866074145935170485891892

    >>> long_to_bytes(a)+long_to_bytes(b)+long_to_bytes(c)
    b'025ab3d9-2521-4a81-9957-8c3381622434

    五、所有代码

    #ecc1
p = 146808027458411567
A = 46056180
B = 2316783294673
E = EllipticCurve(GF(p),[A,B])
P = E(119851377153561800, 50725039619018388)
Q = E(22306318711744209, 111808951703508717)
P.discrete_log(Q)

#ecc2
p = 1256438680873352167711863680253958927079458741172412327087203
A = 377999945830334462584412960368612
B = 604811648267717218711247799143415167229480
E = EllipticCurve(GF(p),[A,B])
P = E(550637390822762334900354060650869238926454800955557622817950,
700751312208881169841494663466728684704743091638451132521079)
Q = E(1152079922659509908913443110457333432642379532625238229329830,
819973744403969324837069647827669815566569448190043645544592)
factors, exponents = zip(*factor(E.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
print(primes)
dlogs = []
for fac in primes:
    t = int(int(P.order()) // int(fac))
    dlog = discrete_log(t*Q,t*P,operation="+")
    dlogs += [dlog]
    print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
print(crt(dlogs,primes))

#ecc3
p =0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A =0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B =0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p),[A,B])
P =E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610)
Q =E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537)
def SmartAttack(P,Q,p):
    E = P.curve()
    Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])

    P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)
    for P_Qp in P_Qps:
        if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:
            break

    Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)
    for Q_Qp in Q_Qps:
        if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:
            break

    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    return ZZ(k)
n = SmartAttack(P, Q, p)
n
  • 相关阅读:
    数据库设计:数据库设计步骤,er图,三大范式
    连接查询
    连接查询和分组查询
    Django项目的创建与配置
    WEB框架的原理总结
    RabbitMQ---消息队列
    Djang之基于角色的权限控制(RBAC)
    Django之基于RBAC权限控制生成动态菜单
    关于装饰器的一些小练习
    关于简单的python函数的一些小练习题
  • 原文地址:https://www.cnblogs.com/blackicelisa/p/15315636.html
Copyright © 2011-2022 走看看