解密三个椭圆曲线算法
一、椭圆曲线的离散对数问题
(数据量不能太大,同样代码跑不出第2、3个flag)
P是椭圆曲线的一个点,Q是椭圆曲线上的另一个点,求num其实就是已知椭圆曲线和两点求私钥,使用sagemath
flag1 = 13566003730592612
二、中国剩余定理解决离散对数问题
在我思考怎么用中国剩余定理写代码的时候,群里老哥说中国剩余定理代码在加密算法ecc2下面写出来了
啊啊啊啊啊啊,天啊
把题里的中国剩余定理代码加到ecc1里
flag2=16093767336603949
参考资料:https://www.codercto.com/a/26932.html
三、阶数与p相等采用smart's attack
群里老哥说网上有源码
把框里代码加到ecc1里
flag3 = 19597596255129283097357413993866074145935170485891892
参考资料:https://crypto.stackexchange.com/questions/70454/why-smarts-attack-doesnt-work-on-this-ecdlp
四、flag
>>> from Crypto.Util.number import long_to_bytes
>>> a =13566003730592612
>>> b=16093767336603949
>>> c=19597596255129283097357413993866074145935170485891892
>>> long_to_bytes(a)+long_to_bytes(b)+long_to_bytes(c)
b'025ab3d9-2521-4a81-9957-8c3381622434
五、所有代码
#ecc1 p = 146808027458411567 A = 46056180 B = 2316783294673 E = EllipticCurve(GF(p),[A,B]) P = E(119851377153561800, 50725039619018388) Q = E(22306318711744209, 111808951703508717) P.discrete_log(Q) #ecc2 p = 1256438680873352167711863680253958927079458741172412327087203 A = 377999945830334462584412960368612 B = 604811648267717218711247799143415167229480 E = EllipticCurve(GF(p),[A,B]) P = E(550637390822762334900354060650869238926454800955557622817950, 700751312208881169841494663466728684704743091638451132521079) Q = E(1152079922659509908913443110457333432642379532625238229329830, 819973744403969324837069647827669815566569448190043645544592) factors, exponents = zip(*factor(E.order())) primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1] print(primes) dlogs = [] for fac in primes: t = int(int(P.order()) // int(fac)) dlog = discrete_log(t*Q,t*P,operation="+") dlogs += [dlog] print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order print(crt(dlogs,primes)) #ecc3 p =0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b A =0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07 B =0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2 E = EllipticCurve(GF(p),[A,B]) P =E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610) Q =E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537) def SmartAttack(P,Q,p): E = P.curve() Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ]) P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True) for P_Qp in P_Qps: if GF(p)(P_Qp.xy()[1]) == P.xy()[1]: break Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True) for Q_Qp in Q_Qps: if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]: break p_times_P = p*P_Qp p_times_Q = p*Q_Qp x_P,y_P = p_times_P.xy() x_Q,y_Q = p_times_Q.xy() phi_P = -(x_P/y_P) phi_Q = -(x_Q/y_Q) k = phi_Q/phi_P return ZZ(k) n = SmartAttack(P, Q, p) n