[K!nd4SUS 2025] Crypto

末了一个把周末的补完。这个本日问了小鸡块神终于把一个补上，完成5/6，末了一个网站也上不去不弄了。
Matrices Matrices Matrices

这个是不是叫LWE呀，名词忘了，但意思照旧知道。
b = a*s +e 这里的e是高斯分成，用10000个数测试会出现2，3但猜也就是1，0
别的这里a*s是反的，须要转置一下。

2. from sage.all import GF, Matrix
3. import os, random
5. assert("FLAG" in os.environ)
6. FLAG = os.environ["FLAG"]
7. assert(FLAG.startswith("KSUS{") and FLAG.endswith("}"))
9. q = 271
10. qf = GF(q)
11. m = 70
12. n = 30
14. def key_gen():
15.     a = Matrix(qf, [[qf.random_element() for _ in range(n)] for _ in range(m)])
16.     s = Matrix(qf, [[ord(c)] for c in FLAG])
17.     e = Matrix(qf, [[int(round(random.gauss(0, 2/3)))] for _ in range(m)])  #噪音[-3,3] 正常[-1,0,1]
18.     b = a * s + e
19.     return s, (a,b)
21. sk, pk = key_gen()
22. a, b = pk
24. print(f"a={[list(a[i]) for i in range(m)]}")
25. print(f"b={[list(b[i]) for i in range(m)]}")

复制代码

2. q = 271
3. a = ...
4. b = ...
5. A = matrix(ZZ,a).T
6. B = matrix(ZZ,b).T
7. A1 = A.stack(B)
9. M = block_matrix(ZZ,[[1,A1],[0,q]])
10. K = 256
11. M[30,30] = K
12. M[:,31:] *= K
13. L = M.LLL()
14. for i in L:
15.     if i[30] in [256,-256] and all(k in [-768,-512,-256,0,256,512,768] for k in i[30:]):
16.         print(i)
17.         v = [abs(k) for k in i[:30]]
18.         if all(0x20<=k<0x7f for k in v):
19.             print(bytes(v))
21. #(-75, -83, -85, -83, -123, -73, -95, -103, -117, -51, -115, -115, -95, -112, -52, -114, -52, -109, -115, -95, -109, -52, -55, -55, -51, -114, -95, -58, -47, -125, 256, -256, 0, 0, -256, -256, 256, 0, 0, 0, 256, 0, 0, 0, 256, 256, 0, 0, 0, 0, -256, 0, -256, 0, 0, 256, 256, 0, 0, -512, 256, 0, -256, 0, 0, 256, 256, -512, 0, -256, -256, 0, -256, 256, 512, 256, 0, -256, 0, 0, 256, 0, 0, -256, 0, 256, -256, 0, 0, 0, 256, -256, 0, 0, 256, 256, 0, 0, 0, 0, -256)
23. #KSUS{I_gu3ss_p4r4ms_m4773r_:/}

复制代码

Lightning Fast Scrambling

名字指出是LFS，但有点标题，当一开始使用时返回的直接就是从后前前的key每次8位。

2. from hashlib import sha256
3. from base64 import b64encode, b64decode
5. # utility wrapper for hashing
7. def digest(message):
8.         "Gives a bytes object representing the sha256 encoding of its argument (a sequence of bytes)"
9.         return sha256(message).digest()
11. # utility wrapper for encoding and decoding
13. def base64_encode(x):
14.         "Encodes a sequence of bytes in a string, using base64 encoding"
15.         return b64encode(x).decode()
17. def base64_decode(x):
18.         return b64decode(x, validate=True)
20. # crypto magic
22. def create_key(passphrase):
23.         h = passphrase.encode()
24.         h = digest(h)
25.         k = 0
26.         for i in range(8):
27.                 k <<= 8
28.                 k |= h[i]
29.         return k if k else 1
31. def secret_byte_stream(key):
32.         x = key
33.         mask = 255
34.         while True:
35.                 y = x
36.                 a = y & mask #返回尾部8位
37.                 yield a
38.                 y >>=  8
39.                 x = y
40.                 y >>=  1
41.                 a ^= y & mask
42.                 y >>= 14
43.                 a ^= y & mask
44.                 y >>= 17
45.                 a ^= y & mask
46.                 x |= a << 56
48. def scramble(message, key):
49.         stream = secret_byte_stream(key)
50.         return bytes(x ^ y for x, y in zip(message, stream))
52. # user-facing stuff
54. def encrypt(text, passphrase):
55.         message = text.encode()
56.         hash = digest(message)
57.         key = create_key(passphrase)
58.         e = scramble(message, key)
59.         return '#'.join(map(base64_encode, [e, hash]))
61. def decrypt(text, passphrase):
62.         e, hash = map(base64_decode, text.split('#'))
63.         key = create_key(passphrase)
64.         message = scramble(e, key)
65.         if hash != digest(message):
66.                 raise ValueError("Wrong key")
67.         return message.decode()
69. def create_flag(secret):
70.         return "".join(["KSUS{", secret.encode().hex(), "}"])
72. if __name__ == "__main__":
73.         secret = input("secret > ")
74.         passphrase = input("passphrase > ")
75.         flag = create_flag(secret)
76.         print("flag :", flag)
77.         challenge = encrypt(flag, passphrase)
78.         assert flag == decrypt(challenge, passphrase)
79.         print("challenge :", challenge)

复制代码

由于flag头有5字节，以是只须要爆破3字节即可。通过hash值判定。

2. enc = 'VERY/Rjwj1U4DQZ/zyyHxSsMY1iYuOZHs//qWPVYInUz/5cxidrFCrSqco4bbVLpWjHHI4Z+JZOwOfsT#SUS/PDQPS4DlVum2aO+5+SuczHag7/rnYMBUr+pEqEU='
3. enc, h = map(b64decode, enc.split('#'))
5. #由已知头得到key的后5字节,前3字节爆破
6. key_tail = xor(b'KSUS{', enc[:5])[::-1]
8. for i1 in trange(256):
9.   for i2 in range(256):
10.     for i3 in range(256):
11.       key = bytes([i1,i2,i3])+key_tail
12.       key = bytes_to_long(key)
13.       m = scramble(enc,key)
14.       if h == sha256(m).digest():
15.           print(m)
16.          
17. #KSUS{6c6673725f6172655f6e6f745f7365637572653038363834363137}

复制代码

Feistel <3

这个代码有点长

2. from Crypto.Util.number import bytes_to_long, getPrime, long_to_bytes
3. from Crypto.Util.Padding import pad
4. import os, signal
6. assert("FLAG" in os.environ)
7. FLAG = os.environ["FLAG"]
8. assert(FLAG.startswith("KSUS{") and FLAG.endswith("}"))
10. def xor_bytes(bytes_a, bytes_b):
11.     return bytes(a ^ b for a, b in zip(bytes_a, bytes_b)).ljust(2, b'\x00')
13. def f(sub_block, round_key, modulus):
14.     return long_to_bytes((bytes_to_long(sub_block) + pow(65537, bytes_to_long(round_key), modulus)) % (1<<17-1)).ljust(2, b'\x00')
16. def encrypt_block(block, key, modulus, rounds=8, shortcut=False):
17.     sub_block_1 = block[:2].ljust(2, b'\x00')
18.     sub_block_2 = block[2:4].ljust(2, b'\x00')
19.     sub_block_3 = block[4:].ljust(2, b'\x00')
20.     for i in range(0, rounds):
21.         round_key = key[i*2:i*2+2]
22.         new_sub_block_1 = xor_bytes(sub_block_1, sub_block_2)
23.         new_sub_block_2 = f(sub_block_3, round_key, modulus)
24.         new_sub_block_3 = xor_bytes(sub_block_2, round_key)
25.         sub_block_1 = new_sub_block_1
26.         sub_block_2 = new_sub_block_2
27.         sub_block_3 = new_sub_block_3
28.         print(sub_block_1 + sub_block_2 + sub_block_3)
29.         if shortcut and sub_block_1 == b"\xff\xff":
30.             break
31.     return sub_block_1 + sub_block_2 + sub_block_3
33. def encrypt(plaintext, key, modulus):
34.     iv = os.urandom(6)
35.     padded = pad(plaintext.encode(), 6)
36.     blocks = [padded[i:i+6] for i in range(0, len(padded), 6)]
37.     res = []
38.     for i in range(len(blocks)):
39.         if i == 0: block = xor_bytes(blocks[i], iv)
40.         else: block = xor_bytes(blocks[i], bytes.fromhex(res[-1]))
41.         res.append(encrypt_block(block, key, modulus).hex())
42.     return iv.hex() + "".join(res)
44. def handle():
45.     key = os.urandom(16)
46.     N = getPrime(1024)
47.     print("flag =", encrypt(FLAG, key, N))
48.     print("N =", N)
50.     encrypted = []
51.     while True:
52.         print("[1] Encrypt")
53.         print("[2] Exit")
54.         opt = input("> ")
55.         
56.         if opt == "1":
57.             plaintext = input("Enter your fantastic plaintext (in hex): ")
58.             if len(plaintext) % 2 != 0 or len(plaintext) < 2 or len(plaintext) > 12:
59.                 print("It doesn't look fine to me :/")
60.             elif plaintext in encrypted:
61.                 print("Nah, you've already encrypted it!")
62.             else:
63.                 encrypted.append(plaintext)
64.                 ciphertext = encrypt_block(bytes.fromhex(plaintext).rjust(6, b"\x00"), key, N, shortcut=True)
65.                 print("Here it is: " + ciphertext.hex())
66.         elif opt == "2":
67.             print("Bye (^-^)")
68.             exit(0)
69.         else:
70.             print("Nope :/")
72. if __name__ == "__main__":
73.     signal.alarm(300)
74.     handle()

复制代码

16字节密钥分成8段轮密钥，每段2字节。加密将密文分成6字节块块加密，块加密将明文分成3块：b1,b2,b3，然后得到b1^b2, b3+e^key_round, b2^key_round。
但在末了给了后门：当c1==FFFF里会退出并不都须要颠末8轮。
如许就有了爆破的方法，只要让运行指定轮里使c1==FFFF即可。第一轮直接FFFF00000000则可根据第3段密文得到第1个轮密钥。第2轮是上一轮的c2和b1,b2云云类推。
先从远程得到key和密文。

2. #-------------远程获取密文,key,N
3. '''
4. i    b1^b2^c(i-1)   x    c(i-1)^ki
5. i+1  b1^b2^c(i-1)^c(i)   c(i)^k(i+1)
6. '''
7. from pwn import *
9. def getenc(tmp):
10.     p.sendlineafter(b"> ", b'1')
11.     p.sendlineafter(b"Enter your fantastic plaintext (in hex): ", tmp.hex().encode())
12.     p.recvuntil(b"Here it is: ")
13.     return bytes.fromhex(p.recvline().strip().decode())
15. p = remote('chall.ctf.k1nd4sus.it', 31013)
17. print(p.recvline())
18. print(p.recvline())
20. c2 = b'\x00\x00'
21. lc2 = b'\x00\x00'
22. tk = b''
23. for i in range(8):
24.     tmp = xor(b'\xff\xff', c2)+b'\x00'*4
25.     #enc = encrypt_block(tmp, key, N, shortcut=True)
26.     enc = getenc(tmp)
27.     c2 = xor(c2,enc[2:4])
28.     tk+=xor(enc[4:],lc2)
29.     lc2 = enc[2:4]
30.     print(tk.hex())
32. p.close()   

复制代码

然后弄个解密函数解一下。这东西居然不是每次都乐成，会出乱字符，不清晰怎么来的。

2. def decrypt_block(block, key):
3.     c1,c2,c3 = block[:2],block[2:4],block[4:]
4.     for i in range(7,-1,-1):
5.         round_key = key[i*2:i*2+2]
6.         b2 = xor(c3, round_key)
7.         b1 = xor(c1, b2)
8.         b3 = long_to_bytes((bytes_to_long(c2) - pow(65537,bytes_to_long(round_key), N))&0xffff)
9.         c1,c2,c3 = b1,b2,b3
10.         #print(c1,c2,c3)
11.     return c1+c2+c3
13. def decrypt(ciphertext, key, modulus):
14.     iv = ciphertext[:6]
15.     padded = ciphertext[6:]
16.     blocks = [padded[i:i+6] for i in range(0, len(padded), 6)]
17.     res = b''
18.     for i in range(len(blocks)):
19.         tmp = decrypt_block(blocks[i], key)
20.         if i == 0:
21.             r = xor(tmp, iv)
22.         else:
23.             r = xor(tmp,blocks[i-1])
24.         res += r
25.         #print(res)
26.     return res
28. key = bytes.fromhex('35e7c26a66bc651827cac73bc99c6667')
29. N = 175914002278057050406831961452237183138299948079975109116384718227058692202299804814271876290451098159041914033459568540766514412008363701006284852804260357617529486527991021342873932212136053758342488462611451121664507695932811146083705960145782839959600560090211913120599024239421171256321562939861953258223
30. flag = bytes.fromhex('9f3d4928ba479f1e53a7f287efe0dba974745b5fb4a472e24ecdcefb3a70824f9ec87aba16cf7ab4551324af56035c387cb9bf390888')
31. decrypt(flag,key,N)
32. #b'KSUS{N3veR_Ev3r_5hOr7cuT_F3ist3l_Ne7w0rks}\x06\x06\x06\x06\x06\x06'

复制代码

key in the haystack

后边这两个是同一标题，一个小一个大，放一起

2. from Crypto.Util import number
3. from base64 import b64encode
5. prime = lambda: number.getPrime(512)
6. def b64enc(x):
7.         h = hex(x)[2:]
8.         if len(h) % 2:
9.                 h = '0' + h
10.         return b64encode(bytes.fromhex(h)).decode()
13. p = prime()
14. q = prime()
15. with open("flag.txt") as f:
16.         flag = f.readline().strip()
18. n = p * q
19. m = int(flag.encode().hex(), 16)
20. c = pow(m, 65537, n)
22. print("ciphertext:", hex(c)[2:])
24. bale = [p, q]
25. bale.extend(prime() for _ in range(1<<6))
27. def add_hay(stack, straw):
28.         x = stack[0]
29.         for i in range(1, len(stack)):
30.                 y = stack[i]
31.                 stack[i] = y + (straw * x)
32.                 x = y
33.         stack.append(straw * x)
35. stack = [1]
36. add_hay(stack, p) #[1,p]
37. add_hay(stack, q) #[1,p+q,p*q]
38. for straw in bale:
39.         add_hay(stack, straw)
41. print("size:", len(stack))
42. for x in stack:
43.         print(b64enc(x))

复制代码

天生包罗p,q的66个素数。然后颠末add_hay天生stack。
这里是我自己的想法，这个方法不实用增强后的第2题，但也是个思绪记载一下。
先设一个变量，从后向前导一下：Kn = S(n) + v*S(n-1) => Sn = Kn - v*S(n-1) 
末了得到即是f = ss[-1]*v - stack[-1]  这是一个66次1元方程，不算太大sage可以直接解。由于这里的66个素数都是对称的，直接可以解出66个根，这里边就包罗p,q

2. from base64 import *
3. from Crypto.Util.number import *
5. outs = open('output.txt').readlines()
6. st = [bytes_to_long(b64decode(outs[2+i])) for i in range(69)]
8. #Kn = S(n) + v*S(n-1) => Sn = Kn - v*S(n-1)
9. var('v')
10. ss = [1]
11. for i in range(1,68):
12.     ss.append(st[i]-v*ss[-1])
14. #K68 = v*S68
15. f = ss[-1]*v - st[-1]
16. ps = f.roots()
17. #v有66个解,对应66个素数
18. ps = [int(i[0]) for i in ps]
20. c = 0x7434d263623892ca660f4139c54ab02a8a14d87cd5c658fca9105f88f7ed5c888a744e949b716094c1d73fd8084eeaf72b23e97325829a69ca57a34e5e0b5272ddaf039bcc0aed2055968c8dfa7cd0373cca072c31123e6259659af03ce87b224bb7fdf13fb89b4ceb580d2d11524025ccb4f86560f3b006d99d86a63ab3aa5a
22. #猜flag小于512位
23. for p in ps:
24.     m = pow(c,invert(65537,p-1),p)
25.     print(long_to_bytes(int(m)))
27. #b'KSUS{6465726976617469766573206172652061206e69636520747269636b}'

复制代码

key in the big haystack

这个升级版想了一天也没效果，然后问小鸡块给秒了。(数据有44M，就不贴了，也贴不上)

2. bale = [p, q]
3. bale.extend(prime() for _ in range(1<<9))
5. stack = [1]
6. add_hay(stack, p)
7. add_hay(stack, q)
8. for straw in bale:
9.     add_hay(stack, straw)
10. for straw in bale[2:]:
11.     add_hay(stack, straw + 2)

复制代码

这题与上边只有这些厘革，素数由64改为512，而且用了两次，以是效果是1029项。
这些给定的值现实上是一个1029项多项式的系数。可以先用3个变量试下。
(x+p)*(x+q)*(x+r) = x^3 + (p+q+r)*x^2 + (pq+qr+rp)*x + pqr
然后把这些数据代入含x的方程

而这个式子里除了p,q是2次外别的都是1次（包罗512和素数和512个素数+2，素数+2后跟原来不形成平方关系）以是对f求导后与原来的f作gcd就能得到对于p,q的多项式。然后直接求解可得p,q

2. from base64 import *
3. from Crypto.Util.number import *
4. from gmpy2 import iroot
6. outs = open('big_output.txt').readlines()
7. enc = bytes.fromhex('5894f38180b9f41fb816c7428b64b63cf207e349832aeb256977526ec750239c5b75e846f2c7db19fc84d44e57c1a6181562487cd4a7e58bab9903feead90d884b574dcc9d35b0d6ae7d491d399dcdf6aacc74efff2135c673178e08b50ac1a09f5334cd0d4b48355b28219dbc31b45a2c7687114b69c4f8a0ae20740e9ce1fe')
8. c = bytes_to_long(enc)
9. stack = [bytes_to_long(b64decode(outs[2+i])) for i in range(1029)]
11. PR.<x> = PolynomialRing(ZZ)
12. f = sum([stack[i] * x^(1028-i) for i in range(len(stack))])
13. g = gcd(f.derivative(), f)
14. print(g)
15. #x^2 + 20450065261452182016584260876047399525896704233984001074890163119931284325571387726435254377483741593577102784943815777723994032502151858215013739509078298*x + 101344562563413148702503209034490415272295393794389109823061195011331285068194700252292458323839836319978741203645201395179109429423054143994480684843212974225776158987058221755014377991550489320194566899710227109943050130147641582913932721996451645082208066936338974731735770555839605141969367848387625804201
16. #系数分别是p+q,p*q
17. v = g.roots()
18. p = abs(v[0][0])
19. #8434298218257235619456993018380042120260367010962473119979826477888279532268658434816651817828253000282579391409905630356600119281235242527375263115386349
20. long_to_bytes(int(pow(c,inverse_mod(65537,p-1),p)))
21. #KSUS{43525420697320612076657279206e69636520747269636b}

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。