
Commit 9ea8bc7

Add hitcon 2022 wu
1 parent b798c9a commit 9ea8bc7


14 files changed

+956
-0
lines changed


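--- a/2022/hitcon-2022/babysss/README.md
+++ b/2022/hitcon-2022/babysss/README.md
@@ -0,0 +1,3 @@
+# BabySSS
+
+Run CRT to recover the polynomial.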

‎2022/hitcon-2022/babysss/solve.sage‎

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
from itertools import combinations
2+
from Crypto.Cipher import AES
3+
from hashlib import sha256
4+
5+
shares = [(41458, 3015894889650529600470920314593280408459518223054415623846810748413393737686521849609926975694824777687791824408686652245102687392987299828716863372946074882798754477101786150262288970710451710086966378817944448615584285684364802621112755627795146504720812935041851556318832824799502759754100408717888912062197676588256634343721633045179136302533777168978134770315363985448879229514802330846792965525004570768212871252658334277172395338054448791891165981203069346039654617938169527772805687564575525262812469960675835101499054296722994451502140787064163668418661661374437567033971648550576296023422536253955229), (3389, 188433716494377932944071544153838579057591833387651830021721770473524507947811754295899393634645349682360212761145039355690817927625249659010181081209481357850193656763556243022791637306094953982811471415645267589939465925098159204147714779617946431727015863707468081949286110249296858079354949234074465541940264775783884708819566758872542606519408358277173683256608326688673226933790117016596834640875497643330432185114931410656582728964222203181026468387428893233826461), (20016, 100434774699078525844435127144579870564983915777345068724291926367405061427748836490810414860997895358378538088786283372231649911113841061354335739776409724471256377867811133591349442950556374825868587940833009529662869081130218551306459690738900795035660420986807973542512081415453215211908130387754214098414826747340962722685373241806099462750595976574593799013733614097923338311883793416643213898201680852118540438376386415411317989072583126108177482838299109479175882214603698768498421016054035672774286507312986602290254323930575001551875601243671354491241420409219), (50683, 
444545881882748849210617532697661279371689521082184772844723908765173319859389018743414369945234307906596253496624659734919646710483514374218993496994560985318096082923429834553341897367168830049334302307406087637232329348570485341223211629167329394484624055745054495405880099706580380696671879365741197827080224977821589102425678989782880274304484630899425664722718972847034030888019348402685383311095030884356731112886316823960378572796288532824588478234949384868912708000223119984161992105752059185137674711077940232530298853451166664700609238496874366152042676602089571801873748042888046623717879084695143810047335029), (6445, 101461065764578261241074518788237888467081270902741849861528201922043223477790661159690684156056890167304291810116447916457265705130707166062372766839626095333813681671546097679623755546322833727082145873422243641505450049118758544298328784536759107951763715458884889255549767465897671061295486677353893450789955616926292534325337544782386120469581214993770910137353221116457111551538222138388416162630076391624447865248920466274175229034129561913505977209131490066291917549232913771218316393849495621818397), (1359, 301175604076484656987097022479686300460199620068959954988990822483114048418823291831080744590394713639405681060973359346474547015206086229256524657214311815578895906855833813636970640902962286472992468394831014254279137613828904924898823470285520515090889491445149243620044782726415898188702226878029241518020146726699446397961112596830223444821094650508662477147134721631935528182772284099429814417490160457082241680661), (45286, 
244867719210730952183489456726726432791149629831242968845409984537752132549250274779516590253042559196452609852176114909791657154092483479876795482861784431886143414585698773882088948703730268947925790809436449512089696895048994874003651088538416399435467483409931121063976149037130454114161175715871108284419975118570732022104749321213013756795645219060997019373915339235627535694458093194617642834806820772479160496966470147893963746139947337914575231526069667124822677688977724313174612816604463495630041075005651663546036363128325535621487658461744362098985183050127661470315454320073092665472364666768205258769), (5649, 4766101906865350375503575239791521167258753430948472304582908507542293595346756303331383584550516424087839316050412570112796817549423179461056531056102741963677007097061600281918678364910813585444151640384802648969082273001142879806475184857246441212406056540028447374033197873299250076862108042582790928405869475508762352345569281589853917902601519294573327847401601789315980414998055948162169170771240383220643819333682845459742335249254576151835966500230706707674854493184181354958093926469960861)]
6+
7+
def polyeval(poly, x):
8+
return sum([a * x**i for i, a in enumerate(poly)])
9+
10+
poly = [0]*129
11+
for j in range(129):
12+
poly[j] = CRT_list([(shares[i][1]-polyeval(poly,shares[i][0]))%shares[i][0]**(j+1)//shares[i][0]**j for i in range(8)], [shares[i][0] for i in range(8)])
13+
14+
secret = polyeval(poly, 0x48763)
15+
key = sha256(str(secret).encode()).digest()[:16]
16+
cipher = AES.new(key, AES.MODE_CTR, nonce=b'\x8f\xa5z\xb4mZ\x97\xe9')
17+
print(cipher.decrypt(b'G$\xf5\x9e\xa9\xb1e\xb5\x86w\xdfz\xbeP\xecJ\xb8wT<<\x84\xc5v\xb4\x02Z\xa4\xed\x8fB\x00[\xc0\x02\xf9\xc0x\x16\xf9\xa4\x02\xb8\xbb'))
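Review bot: Nothing verifies that the recovered `poly` reproduces the shares before line 14 derives the AES key from it, so a mis-recovered coefficient only shows up as garbage plaintext. Adding `assert all(polyeval(poly, x) == y for x, y in shares)` after the loop on line 12 would make such a failure explicit. Several of the x values are even, so they are not pairwise coprime, and as far as I can tell `CRT_list` then fixes each coefficient only modulo their lcm; a comment stating the assumed coefficient bound would document why that is sufficient. Line 12 also hard-codes `129` and `8`; using `len(shares)` and adding a short comment on the digit-by-digit extraction (`% x**(j+1) // x**j`) would make it much easier to follow.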

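--- a/2022/hitcon-2022/chimera/README.md
+++ b/2022/hitcon-2022/chimera/README.md
@@ -0,0 +1,35 @@
+# Chimera
+
+1. Recover n^2 with:
+```py
+from output import *
+
+n2 = None
+
+for i in range(62):
+x1, y1 = chimera[i]
+x2, y2 = chimera[i+1]
+x3, y3 = chimera[i+2]
+
+t1 = y1*y1 - y2*y2
+t2 = y2*y2 - y3*y3
+
+t1 = t1 * (x2 - x3) - t2 * (x1 - x2)
+t2 = (x1**3 - x2**3) * (x2 - x3) - (x2**3 - x3**3) * (x1 - x2)
+
+if n2 is None:
+n2 = abs(t1 - t2)
+else:
+n2 = gcd(n2, t1 - t2)
+
+print(n2)
+print(sqrt(n2))
+```
+
+2. Recover p, q by factoring `gift` and do ECM with it (`factor.sage`)
+3. Use https://arxiv.org/abs/2010.15543 for isomorphism to `Z/giftZ * Z/nZ`
+4. Get `k_i` that satisfies `k_i * chimera[0] = chimera[i]`, with dlog
+5. Recover `snake_tail` with hidden subset problem
+
+`factor.sage` and `solve.sage` are not well organized,
+but you can understand what's going on by reading it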

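--- a/2022/hitcon-2022/chimera/factor.sage
+++ b/2022/hitcon-2022/chimera/factor.sage
@@ -0,0 +1,124 @@
+from output import *
+from tqdm import tqdm
+from Crypto.Util.number import *
+
+a = 143684642197375144177147158855853692668588800554193977558610296778751822580114038001358324581787378580872562099321966717548328915955931557014819660248335768703843650181118037332168940615255654385428471399452134131237486655430385594698984041709528412818098878208671854494888289862816247508570341341144291061804686340591902597677708742601740239151407141330097096057960696869868306378165361528290787726188133329061186703067302036544465101778190513113434324043654457
+b = 167352289538521831900068303893849462884611879177327891332587809720230639559806397413772956644716449447590735981383896960276712495542059479149006336979727641959120139405218127535689160497885057304889947873643276371840497731671102379214228403473852990097216100053584104183830792848580118046966013781807107306470368639380702010022756255560693596301723230682190906560616366646290287284412622207608529405928696609593713613820866492056395760168172577692798799704251087
+n = 591703505189598943502532470020819444351417786427559744959290752225569789666099653318864844640178933068932025277859268335616211431452288797227920690077916934058390749961256662320969850344143774517775954191622800337672863912047782627
+
+NN = Zmod(n)
+
+def add1(P, Q):
+x1, y1, z1 = P
+x2, y2, z2 = Q
+
+s1 = (x1 * y2 - x2 * y1) * (y1 * z2 + y2 * z1) + (x1 * z2 - x2 * z1) * y1 * y2
+s1 += -a * (x1 * z2 - x2 * z1) * (x1 * z2 + x2 * z1) - 3 * b * (x1 * z2 - x2 * z1) * z1 * z2
+s2 = -3 * x1 * x2 * (x1 * y2 - x2 * y1) - y1 * y2 * (y1 * z2 - y2 * z1)
+s2 += -a * (x1 * y2 - x2 * y1) * z1 * z2 + a * (y1 * z2 - y2 * z1) * (x1 * z2 + x2 * z1)
+s2 += 3 * b * (y1 * z2 - y2 * z1) * z1 * z2
+s3 = 3 * x1 * x2 * (x1 * z2 - x2 * z1) - (y1 * z2 - y2 * z1) * (y1 * z2 + y2 * z1)
+s3 += a * (x1 * z2 - x2 * z1) * z1 * z2
+
+assert s2^2 * s3 - s1^3 - a*s1*s3^2 - b*s3^3 == 0
+
+return [s1, s2, s3]
+
+def add2(P, Q):
+x1, y1, z1 = P
+x2, y2, z2 = Q
+
+t1 = y1 * y2 * (x1 * y2 + x2 * y1) - a * x1 * x2 * (y1 * z2 + y2 * z1)
+t1 += -a * (x1 * y2 + x2 * y1) * (x1 * z2 + x2 * z1) - 3 * b * (x1 * y2 + x2 * y1) * z1 * z2
+t1 += -3 * b * (x1 * z2 + x2 * z1) * (y1 * z2 + y2 * z1) + a^2 * (y1 * z2 + y2 * z1) * z1 * z2
+t2 = y1^2 * y2^2 + 3 * a * x1^2 * x2^2 + 9 * b * x1 * x2 * (x1 * z2 + x2 * z1)
+t2 += -a^2 * x1 * z2 * (x1 * z2 + 2 * x2 * z1) - a^2 * x2 * z1 * (2 * x1 * z2 + x2 * z1)
+t2 += -3 * a * b * z1 * z2 * (x1 * z2 + x2 * z1) - (a^3 + 9 * b^2) * z1^2 * z2^2
+t3 = 3 * x1 * x2 * (x1 * y2 + x2 * y1) + y1 * y2 * (y1 * z2 + y2 * z1)
+t3 += a * (x1 * y2 + x2 * y1) * z1 * z2 + a * (x1 * z2 + x2 * z1) * (y1 * z2 + y2 * z1)
+t3 += 3 * b * (y1 * z2 + y2 * z1) * z1 * z2
+
+assert t2^2 * t3 - t1^3 - a*t1*t3^2 - b*t3^3 == 0
+
+return [t1, t2, t3]
+
+def add(P, Q):
+x1, y1, z1 = add1(P, Q)
+x2, y2, z2 = add2(P, Q)
+return [(x1 + x2), (y1 + y2), (z1 + z2)]
+
+def mult(k, P):
+if k == 0:
+return (0, 1, 0)
+elif k == 1:
+return P
+
+t = mult(k//2, P)
+t = add(t, t)
+if k % 2 == 1:
+t = add(t, P)
+return t
+
+P = [NN(chimera[0][0]), NN(chimera[0][1]), NN(1)]
+res = mult(26547499809981069510927003971948749075772722276992950364792314618117852191809368252259393907545335096600102525321072, P)
+
+
+print(gcd(int(res[0]), n))
+print(gcd(int(res[1]), n))
+print(gcd(int(res[2]), n))
+
+exit(0)
+
+# st = set()
+
+# def backtrack(idx, val, upper):
+# # print(idx, val)
+# if idx == len(factors):
+# global st
+# st.add(val)
+# # print(val)
+# return
+
+# if val * upper // factors[idx] >= MIN:
+# backtrack(idx + 1, val, upper // factors[idx])
+# if val * factors[idx] < MAX:
+# backtrack(idx + 1, val * factors[idx], upper // factors[idx])
+
+# backtrack(0, 1, gift)
+
+# E = EllipticCurve(Zmod(n), [a, b])
+# for v in tqdm(st):
+# for xy in chimera:
+# P, flag = E(*xy), False
+# try:
+# T = v * P
+# except ZeroDivisionError:
+# flag = True
+
+# if not flag:
+# break
+# else:
+# print(v)
+
+pos = [
+26547499809981069510927003971948749075772722276992950364792314618117852191809368252259393907545335096600102525321072,
+22288483263012814591348765846880205017828692034537673547054108766305150848936155217127280012115743233530006890953060
+]
+
+load('coppersmith/coppersmith.sage')
+
+bounds = (floor(n^.25), floor(n^.25))
+roots = tuple(randrange(bound) for bound in bounds)
+R = Integers(n)
+P.<x, y> = PolynomialRing(R)
+monomials = [x, y, x*y, x^2]
+f = (x - pos[0]) * (y - pos[1])
+print(small_roots(f, bounds))
+
+# print("backtrack fin")
+# Zn = Zmod(n)
+# P.<x> = PolynomialRing(Zn)
+# print(gift - pos[1] * pos[2])
+# for v1 in pos:
+# for v2 in pos:
+# print(n - v1 * v2)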
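Review bot: `exit(0)` on line 70 makes everything after it unreachable, so the `pos` list, the `load('coppersmith/coppersmith.sage')` call and the `small_roots` attempt on lines 103–116 never run, and `roots` and `monomials` there are unused in any case. Either delete that tail or move it to its own script, so a reader can tell which path actually produced the factor. The scalar passed to `mult` on line 63 is the same literal as `pos[0]`; defining it once, with a comment saying how it was obtained, would avoid the duplication. A one-line comment on `add` explaining why the outputs of `add1` and `add2` are summed would also help, since the asserts only check each partial result against the curve equation and the sum itself is never checked.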
