『CTF』你知道 DLP 吗?

admin
admin
admin
138633
文章
114
评论
2023年2月1日17:16:26评论75 views字数 5363阅读17分52秒阅读模式
『CTF』你知道 DLP 吗?

点击蓝字,关注我们

日期:2023-02-01

作者:jgk01

介绍:最近的比赛题目是越来越难了,题目种类也越来越多,这次再给大家介绍一种比赛中常见的密码学题型 DLP 题目类型。

0x00 前言

『CTF』你知道 DLP 吗?

0x01 基础定义

1.1 生成元

『CTF』你知道 DLP 吗?

1.2 阶

『CTF』你知道 DLP 吗?

1.3 原根

『CTF』你知道 DLP 吗?

0x02 求解算法

『CTF』你知道 DLP 吗?

算法思想

『CTF』你知道 DLP 吗?

『CTF』你知道 DLP 吗?

优化后的算法脚本:

def babystep_giantstep(g, y, p, q=None):    if q is None:        q = p - 1    m = int(q**0.5 + 0.5)    # Baby step    table = {}    gr = 1  # g^r    for r in range(m):        table[gr] = r        gr = (gr * g) % p    # Giant step    try:        gm = pow(g, -m, p)  # gm = g^{-m}    except:        return None    ygqm = y                # ygqm = y * g^{-qm}    for q in range(m):        if ygqm in table:            return q * m + table[ygqm]        ygqm = (ygqm * gm) % p    return None
def pohlig_hellman_DLP(g, y, p):    crt_moduli = []    crt_remain = []    for q, _ in factor(p-1):        x = babystep_giantstep(pow(g,(p-1)//q,p), pow(y,(p-1)//q,p), p, q)        if (x is None) or (x <= 1):            continue        crt_moduli.append(q)        crt_remain.append(x)    x = crt(crt_remain, crt_moduli)    return x
g = y = p = x = pohlig_hellman_DLP(g, y, p)print(x)print(pow(g, x, p) == y)

0x03 例题分析

来看一道典型的DLP题目,题目如下:

from Crypto.Util.number import getPrimeimport randomflag = b'***************************'
x = getPrime(64)n = getPrime(1024)m = getPrime(120)c = pow(m,x,n)
print(m,c,n)
'''m = 696376465415968446607383675953857997c = 75351884040606337127662457946455960228423443937677603718170904462378938882502061014476822055783421908392386804380503123596242003758891619926133807099465797120624009076182390781918339985157326114840926784410018674639537246981505937318380179042568501449024366208980139650052067021073343322300422190243015076307n = 135413548968824157679549005083702144352234347621794899960854103942091470496598900341162814164511690126111049767046340801124977369460415208157716471020260549912068072662740722359869775486486528791641600354017790255320219623493658736576842207668208174964413000049133934516641398518703502709055912644416582457721'''
p = getPrime(512)g = getPrime(512)y = pow(g,x,p)k = random.randint(0,p)
c1 = flag * pow(y,k,p)c2 = pow(g,k,p)
print(c1,c2)
'''c1 = 209941170134628207830310059622280988835086910150451946264595015050300510031560522999562095124692878755896950865676914790595999182721583547184333760954091880805688518459046880395477235753285839380764579025127254060855545c2 = 4803339369764546990337396010353372745379378328671778873584350940089623041410194355125962064067657967062926344955874581199853582279928946579389671271191196p = 6809372619970287379746941806942051353536181082328454067824596651780784704823185066486367854653297514943018290212240504418345108411269306758069486928594027g = 12575636661436726898107254102531343862656456137827822292892883099464907172061178954026138165159168595086335202285503403441736394399853074532771428483593753k = 4521228602593215445063533369342315270631623025219518143209270060218625289087470505221974748605346084266802332207199304586313352026660695691783656769488472'''

根据题目代码,我们可以知道,这个题目的核心问题就是求解出x,只要求解出x,就能求出flag,而且我们可以很清楚的看出,这里求x就是离散对数求解问题,n作为一个大素数,我们可以利用Pohlig-Hellman算法进行求解,然后求出flag





    

  • 



# Baby-step Giant-step法def babystep_giantstep(g, y, p, q=None):    if q is None:        q = p - 1    m = int(q**0.5 + 0.5)    # Baby step    table = {}    gr = 1  # g^r    for r in range(m):        table[gr] = r        gr = (gr * g) % p    # Giant step    try:        gm = pow(g, -m, p)  # gm = g^{-m}    except:        return None    ygqm = y                # ygqm = y * g^{-qm}    for q in range(m):        if ygqm in table:            return q * m + table[ygqm]        ygqm = (ygqm * gm) % p    return None
# Pohlig–Hellman法def pohlig_hellman_DLP(g, y, p):    crt_moduli = []    crt_remain = []    for q, _ in factor(p-1):        if q > 1000000000000:            break        x = babystep_giantstep(pow(g,(p-1)//q,p), pow(y,(p-1)//q,p), p, q)        if (x is None) or (x <= 1):            continue        crt_moduli.append(q)        crt_remain.append(x)    x = crt(crt_remain, crt_moduli)    return x
m = 696376465415968446607383675953857997c = 75351884040606337127662457946455960228423443937677603718170904462378938882502061014476822055783421908392386804380503123596242003758891619926133807099465797120624009076182390781918339985157326114840926784410018674639537246981505937318380179042568501449024366208980139650052067021073343322300422190243015076307n = 135413548968824157679549005083702144352234347621794899960854103942091470496598900341162814164511690126111049767046340801124977369460415208157716471020260549912068072662740722359869775486486528791641600354017790255320219623493658736576842207668208174964413000049133934516641398518703502709055912644416582457721
x = pohlig_hellman_DLP(m, c, n)print(x)#x=17271504622210389511
求出x以后我们可以通过c1来求出flag:from Crypto.Util.number import *import gmpy2
x=17271504622210389511c1 = 209941170134628207830310059622280988835086910150451946264595015050300510031560522999562095124692878755896950865676914790595999182721583547184333760954091880805688518459046880395477235753285839380764579025127254060855545c2 = 4803339369764546990337396010353372745379378328671778873584350940089623041410194355125962064067657967062926344955874581199853582279928946579389671271191196p = 6809372619970287379746941806942051353536181082328454067824596651780784704823185066486367854653297514943018290212240504418345108411269306758069486928594027g = 12575636661436726898107254102531343862656456137827822292892883099464907172061178954026138165159168595086335202285503403441736394399853074532771428483593753k = 4521228602593215445063533369342315270631623025219518143209270060218625289087470505221974748605346084266802332207199304586313352026660695691783656769488472
y = pow(g,x,p)
flag=c1//pow(y,k,p)
print(long_to_bytes(flag))#flag{th1s_1s_so_3a2y_rlgh4}




0x04 后记


参考链接:
https://blog.csdn.net/weixin_46395886/article/details/113793694
https://lazzzaro.github.io/2020/05/07/crypto-离散对数/










免责声明:本文仅供安全研究与讨论之用,严禁用于非法用途,违者后果自负。






































































『CTF』你知道 DLP 吗?









宸极实验室隶属山东九州信泰信息科技股份有限公司,致力于网络安全对抗技术研究,是山东省发改委认定的“网络安全对抗关键技术山东省工程实验室”。团队成员专注于 Web 安全、移动安全、红蓝对抗等领域,善于利用黑客视角发现和解决网络安全问题。










团队自成立以来,圆满完成了多次国家级、省部级重要网络安全保障和攻防演习活动,并积极参加各类网络安全竞赛,屡获殊荣。










对信息安全感兴趣的小伙伴欢迎加入宸极实验室,关注公众号,回复『招聘』,获取联系方式。
















原文始发于微信公众号(宸极实验室):『CTF』你知道 DLP 吗?






							

						
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
	
				
				

	
    
		
  • 
			左青龙
		
    • 
		
  • 微信扫一扫
    • 
		
  • 
			weinxin
		
    • 
	

	
    
		
  • 
			右白虎
		
    • 
		
  • 微信扫一扫
    • 
		
  • 
			weinxin
		
    • 
	

	



	
	

		

				

	


	




								

			
		

	
									

					admin				
    
											
  • 本文由  发表于 2023年2月1日17:16:26
    • 
						
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  
『CTF』你知道 DLP 吗?https://cn-sec.com/archives/1532279.html

                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

    • 
			

	



				
				

				
										

				
				

	

			

	




				
				

			



	


				




	
	
			

		

							

											

														

																	
发表评论

																匿名网友
								填写信息