格两例12345

osu/Lucky Roll gaming

周末osu有道题：lcg已知低位

def lcg(s, a, b, p):
    return (a * s + b) % p

p = getPrime(floor(72.7))
a = randrange(0, p)
b = randrange(0, p)
seed = randrange(0, p)
print(f"{p = }")
print(f"{a = }")
print(f"{b = }")

def get_roll():
    global seed
    seed = lcg(seed, a, b, p)
    return seed % 100

out = []
for _ in range(floor(72.7)):
    out.append(get_roll())
print(f"{out = }")

flag = open("flag.txt", "rb").read()
key = bytes([get_roll() for _ in range(16)])
iv = bytes([get_roll() for _ in range(16)])
cipher = AES.new(key, AES.MODE_CBC, iv)
print(cipher.encrypt(pad(flag, 16)).hex())

题目很短，先给出lcg的参数，然后输出72个seed%100的值，后边是AES不是重点。

从网上搜到一例是给出高位的：crypto-babyLCG(NPUCTF2020)_lcg已知低位-CSDN博客

名字上是低位实际上是高位。共128位已知高64位。转出来式子：

$l_{2} = al_{1}+(ah_{1}+b-h_{2})$ 从式子上看泄露部分跟高位还是低位无关，所以构造格是完全相同的。

$\begin{vmatrix} m & 0 & 0\\ A & 1 & 0\\ B & 0 & m/100 \end{vmatrix}$

m = 4420073644184861649599
a = 1144993629389611207194
b = 3504184699413397958941
l = [0,39, 47, 95, 1, 77, 89, 77, 70, 99, 23, 44, 38, 87, 34, 99, 42, 10, 67, 24, 3, 2, 80, 26, 87, 91, 86, 1, 71, 59, 97, 69, 31, 17, 91, 73, 78, 43, 18, 15, 46, 22, 68, 98, 60, 98, 17, 53, 13, 6, 13, 19, 50, 73, 44, 7, 44, 3, 5, 80, 26, 10, 55, 27, 47, 72, 80, 53, 2, 40, 64, 55, 6]
enc = '34daaa9f7773d7ea4d5f96ef3dab1bbf5584ecec9f0542bbee0c92130721d925f40b175e50587196874e14332460257b'

A = [1]
B = [0]
for i in range(1, len(l)-1):
    A.append(a*A[i-1] % m)
    B.append((a*B[i-1]+(a*l[i]+b-l[i+1])*inverse_mod(100,m)) % m)
A = A[1:]
B = B[1:]
dim = len(l)
M = matrix(ZZ, dim, dim)
for i in range(dim-2):
    M[i, i] = m
    M[-2, i] = A[i]
    M[-1, i] = B[i]
    M[i, -2] = M[i, -1] = 0
M[-2,-2] =  1
M[-1,-1] = m//100  #高位的规模 格与高低位无关，但需要未知部分明显小于模

ll = M.LLL()[0]
l1 = ll[-2]
h1 = l[1]
s1 = l1*100+h1
#for s1=a*seed+b%m
seed = ((s1-b)*inverse_mod(a,m))%m
print(seed)

def get_roll():
    global seed
    seed = (seed*a+b)%m
    return int(seed % 100)

seed = 728664259414514712557
out = []
for _ in range(floor(72.7)):
    out.append(get_roll())

key = bytes([get_roll() for _ in range(16)])
iv = bytes([get_roll() for _ in range(16)])

from Crypto.Cipher import AES
cipher = AES.new(key, AES.MODE_CBC, iv)
print(cipher.decrypt(bytes.fromhex(enc)))
#osu{w0uld_y0u_l1k3_f1r5t_0r_53c0nd_p1ck}

第2题来自gcc ctf

GCC/TooManyLeaks

题目也很短给出g,A=2^a,B=2^b,c,AC=2^(a+c),s = B^a,s2=AC^b 其中s,s2仅给出高257位

$s_{2} = AC^{b}=2^{ab+bc}=2^{ab}*2^{bc}=s_{1}*B^c$

再通过r1,r2分别是s1,s2的高位得到

$-x+y*BC+r2-r1*BC = 0 (mod p)$

从rec师傅那问到构造方法（前边自己想的几个都没成功）

$\begin{vmatrix} 1 & 0 & BC\\ 0 & 2^{255} & R\\ 0 & 0 & p \end{vmatrix}$

用自制的数据验证得到的结果：第1个是-x但后边并不是y，y通过计算得到

p=12659765344651740648724763467724826993725936263366951091039118416195292099370631377712042960634433459603684366298668316118798753725083109726606307230709481
A=3301451331273103822833339817189898484477574460332521541023442766617163003861277567173209945681794302860954824946103841799431004692332025577336344394695314
B=4585794959794770660643739179463936175470737153250504109915159478661133411133496952267060123069524419032124459912888910847574766484421490926652243218962165
r1=2568748433813321161874639775621008976218176085243148442053880160521563872123950485879781803171876295709491228751046125319137014580919198982132588104122368
c=13305825506775525477695274133373660177357107668926266252207560823721404224069651345842091298405541700114875323083835571095924844005731356668708175418706451
AC=7245241643057289361660908682282370311759108862519890618466911853745311287850476739612486696335989486506224784314474292337315512082870292214611222140900864
r2=3829741721947473719324421527352078984331611168371079834096760630101921404398331513243772077101441758022492336098369985623504441570880895898971858238701568
ciphertext = bytes.fromhex('89c372210be2a7b313366206f7426f941157009493d00fcb18b467250139413b6ea1ada6302e1916b6c02a6f935f4ed4')
iv = bytes.fromhex('c7d192fb72b529acf7b57d488c182466')

'''
A = 2^a ,B = 2^b ,AC = 2^(a+c)
s = B^a = 2^(ab) => r1+x = 2^(ab)
s2 = AC^b = 2^(ab+bc) = 2^ab * 2^bc = s * B^c => r2 + y = (r1+x)*BC = r1*BC + x*BC
-x + y*BC+ r1*BC - r2 = 0 mod p 
|1 0 BC|
|0 1 R |.LLL() = |y k x|
|0 0 p |
'''
BC = pow(B,c,p)
R = int((r1*BC-r2)%p)
M = matrix(ZZ,[[1,0,BC],[0,2^255,R],[0,0,p]])
L = M.LLL()
'''
[ -25633356745769628425188974048965624683829363674340702376652630056616274263520                                                                               0   25192355301191283908458965869175850121091834483889075955116860140524780856947]
[  16398029187545116410379158779174289772216017281301637621417139570711691284296   57896044618658097711785492504343953926634992332820282019728792003956564819968   41036197941114149842214882116707031982582245609637689544867914273576525805038]
[-149510885595142246734642323500819848441581984553636254311696365107836707555515  173688133855974293135356477513031861779904976998460846059186376011869694459904 -175483554550299102224589434426378557989582203738521393133765379465260896275103]
'''
for v in L:
    x,k,y = v
    y.nbits()
    x.nbits()
    hex(x)
    hex(y)

x = 25633356745769628425188974048965624683829363674340702376652630056616274263520
#y = BC*(r1+x)%p-r2
y = 41036197941114149842214882116707031982582245609637689544867914273576525805038
#0x5ab9aa3a0a42183deb14e8725ef711b906ecc058e8be025b04d2d5322104b5ee
s = r1+x 
#0x310bc7e26b23c79469a5c1eb7b210f527af22ba0d17726051cd95216d6cdfd862440f4a33747fa708f7b878e6b882f164a2e7cf72cc2b67754c416a3fc6c4f48

import hashlib
from Crypto.Cipher import AES

sha1 = hashlib.sha1()
sha1.update(str(s).encode('ascii'))
key = sha1.digest()[:16]

cipher = AES.new(key, AES.MODE_CBC, iv)
flag = cipher.decrypt(ciphertext)
#b'GCC{D1ff13_H3llm4n_L34k_15_FUn!!}\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f'

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.mfbz.cn/a/428319.html

如若内容造成侵权/违法违规/事实不符，请联系我们进行投诉反馈qq邮箱809451989@qq.com，一经查实，立即删除！