CryingN

CryingN

早安, 晚安, 谢谢, 再见.

[Crypto学习笔记] Edwards curve类题目

1 分钟阅读时长

发布时间:

目录

前置概念

国城杯2024

curve

题目

#sagemath
from Crypto.Util.number import *

def add(P, Q):
    (x1, y1) = P
    (x2, y2) = Q

    x3 = (x1*y2 + y1*x2) * inverse(1 + d*x1*x2*y1*y2, p) % p
    y3 = (y1*y2 - a*x1*x2) * inverse(1 - d*x1*x2*y1*y2, p) % p
    return (x3, y3)

def mul(x, P):
    Q = (0, 1)
    while x > 0:
        if x % 2 == 1:
            Q = add(Q, P)
        P = add(P, P)
        x = x >> 1
    return Q

p = 64141017538026690847507665744072764126523219720088055136531450296140542176327
a = 362
d = 7
e=0x10001

gx=bytes_to_long(b'D0g3xGC{*****************}')

PR.<y>=PolynomialRing(Zmod(p))
f=(d*gx^2-1)*y^2+(1-a*gx^2)
gy=int(f.roots()[0][0])

assert (a*gx^2+gy^2)%p==(1+d*gx^2*gy^2)%p

G=(gx,gy)

eG = mul(e, G)
print(eG)

#eG = (34120664973166619886120801966861368419497948422807175421202190709822232354059, 11301243831592615312624457443883283529467532390028216735072818875052648928463)

解析

EXP

使用少女自用九成新EXP库:

from EXP import *

h1, r1, s1 = 659787401883545685817457221852854226644541324571, 334878452864978819061930997065061937449464345411, 282119793273156214497433603026823910474682900640
h2, r2, s2 = 156467414524100313878421798396433081456201599833, 584114556699509111695337565541829205336940360354, 827371522240921066790477048569787834877112159142
c = 18947793008364154366082991046877977562448549186943043756326365751169362247521
C = 179093209181929149953346613617854206675976823277412565868079070299728290913658

p = 149328490045436942604988875802116489621328828898285420947715311349436861817490291824444921097051302371708542907256342876547658101870212721747647670430302669064864905380294108258544172347364992433926644937979367545128905469215614628012983692577094048505556341118385280805187867314256525730071844236934151633203
q = 829396411171540475587755762866203184101195238207
g = 87036604306839610565326489540582721363203007549199721259441400754982765368067012246281187432501490614633302696667034188357108387643921907247964850741525797183732941221335215366182266284004953589251764575162228404140768536534167491117433689878845912406615227673100755350290475167413701005196853054828541680397

R = PolynomialRing(GF(q), 'x')
x = R.gen()
f = s2*x**2*r1 - s1*x*r2 - h2*r1 + h1*r2
hh = f.roots()
k = hh[1][0]

pri1 = (s1 * k - h1) // r1
pri2 = (s2 * k**2 - h2) // r2

assert pri1 == pri2, '不对'

print(l2b(int(pri1)))

e = 44519

for j in divisors(ZZ[i](C)):
    pp, qq = map(int, j)
    pp, qq = abs(pp), abs(qq)
    if pp**2+qq**2 == C and is_prime(pp) and is_prime(qq):
        p, q = pp, qq

assert C == p**2+q**2, 'p, q 不符合'

n = p*q
phin = (p-1)*(q-1)
d = pow(e,-1,phin)
m = pow(c,d,n)
print(l2b(m))

# D0g3xGC{EZ_DSA_@nd_C0mplex_QAQ}

参考文献

你可能感兴趣的