defrandom(self, nbit): returnsum((self._random() & 1) << i for i inrange(nbit))
defxor(a, b): returnbytes([x ^ y for x, y inzip(a, b)])
keys = [ bytes([rng.random(8) for _ inrange(10)]) for a inrange(2) for b inrange(2) if (rng := MyRandom(a, b)) ] ct = bytes.fromhex( "9dfa2c9ccd5c84c61feb00ea835e848732ac8701da32b5865a84db59b08532b6cf32ebc10384c45903bf860084d018b5d55a5cebd832ef8059ead810" ) for i inrange(0, len(ct), 10): for k in keys: s = xor(ct[i : i + 10], k) if s.isascii(): print(s.decode(), end="") print()
for a inrange(256): for b inrange(256): r = MyRandom(a, b) stream = tuple([rol(r.random(), shift) for _ inrange(ln)]) table[stream] = (a, b) return table
defsolve_gen1(): # a == ~(((~a)&b)^((~b)|c)^a) for 75% table = gen_table(87) for stream, (a, b) in table.items(): same = [0] * 8 for i inrange(36, len(stream)): for j inrange(8): mask = 1 << j if ((~ct[i]) & mask) == stream[i] & mask: same[j] += 1 rates = [s / (len(stream) - 36) for s in same] ifsum(rates) / len(rates) > 0.70: print(a, b, rates) return a, b, stream
defsolve_gen3(): # c == ~(((~a)&b)^((~b)|c)^a) for 75% table = gen_table(3) for stream, (a, b) in table.items(): same = [0] * 8 for i inrange(36, len(stream)): for j inrange(8): mask = 1 << j if ((~ct[i]) & mask) == stream[i] & mask: same[j] += 1 rates = [s / (len(stream) - 36) for s in same] ifsum(rates) / len(rates) > 0.70: print(a, b, rates) return a, b, stream
a1, b1, s1 = solve_gen1() a3, b3, s3 = solve_gen3() table2 = gen_table(6) for s2, (a2, b2) in table2.items(): oo = [((~o1 & o2) ^ (~o2 | o3) ^ (o1)) & 0xFFfor o1, o2, o3 inzip(s1, s2, s3)] if oo[36:] == ct[36 : len(oo)]: print(a2, b2) print(bytes([x ^ y for x, y inzip(oo, ct)][:36]))
# pypy3 takes less than 3s # FLAG{1_l13d_4nd_m4d3_4_n3w_prn6_qwq}
from Crypto.Util.number import * from secret import flag
p = getPrime(512) q = getPrime(512) n = p * q m = n**2 + 69420 h = (pow(3, 2022, m) * p**2 + pow(5, 2022, m) * q**2) % m c = pow(bytes_to_long(flag), 65537, n)
n = 60116508546664196727889673537793426957208317552814539722187167053623876043252780386821990827068176541032744152377606007460695865230455445490316090376844822501259106343706524194509410859747044301510282354678419831232665073515931614133865254324502750265996406483174791757276522461194898225654233114447953162193 h = 2116009228641574188029563238988754314114810088905380650788213482300513708694199075187203381676605068292187173539467885447061231622295867582666482214703260097506783790268190834638040582281613892929433273567874863354164328733477933865295220796973440457829691340185850634254836394529210411687785425194854790919451644450150262782885556693980725855574463590558188227365115377564767308192896153000524264489227968334038322920900226265971146564689699854863767404695165914924865933228537449955231734113032546481992453187988144741216240595756614621211870621559491396668569557442509308772459599704840575445577974462021437438528 c = 50609945708848823221808804877630237645587351810959339905773651051680570682896518230348173309526813601333731054682678018462412801934056050505173324754946000933742765626167885199640585623420470828969511673056056011846681065748145129805078161435256544226137963588018603162731644544670134305349338886118521580925 e = 65537 m = n ** 2 + 69420 a = pow(3, 1011, m) b = pow(5, 1011, m)
load("solver.sage") # https://github.com/rkm0959/Inequality_Solving_with_CVP lb = [h, 0, 0] ub = [h, 2 ^ 1024, 2 ^ 1024] result, applied_weights, fin = solve(B, lb, ub) # PS: B will be modified inplace v = vector( [x // y for x, y inzip(result, applied_weights)] ) # closest vector to (lb+ub)/2 print(v) ifnot v[1].is_square(): R = B.LLL() l0 = vector([x // y for x, y inzip(R[0], applied_weights)]) l1 = vector([x // y for x, y inzip(R[1], applied_weights)]) # enumerate nearby vectors for i inrange(-10, 10): for j inrange(-10, 10): vv = v + l0 * i + l1 * j if vv[1].is_square(): print("found", i, j) p = vv[1].sqrt() q = vv[2].sqrt() assert p * q == n d = inverse_mod(e, (p - 1) * (q - 1)) m = power_mod(c, d, n) print(long_to_bytes(m)) # FLAG{7hI5_i5_4_C0MPL373_r4nD0M_fL49_8LinK}
defrsa(p: int, q: int, message: bytes): n = p * q e = 65537 pad_length = n.bit_length() // 8 - len(message) - 2# I padded too much message += os.urandom(pad_length) m = bytes_to_long(message) return (n, pow(m, e, n))
deflucas_v(a, n): # computes n-th lucas number for v_n=a*v_{n-1}-v_{n-2} with fast matrix power v0 = 2 v1 = a R = a.base_ring() M = matrix(R, [[a, -1], [1, 0]]) v = M ^ (n - 1) * vector(R, [v1, v0]) return v[0]
N, L = 100, 200 M = genModular(int(N * N * 0.07 + N * log(N, 2)))
# generate a random vector in Z_M a = vector(ZZ, [ZZ.random_element(M) for _ inrange(N)])
# generate a random 0/1 matrix whileTrue: X = Matrix(ZZ, L, N) for i inrange(L): for j inrange(N): X[i, j] = ZZ.random_element(2) if X.rank() == N: break
# let's see what will this be b = X * a for i inrange(L): b[i] = mod(b[i], M)
print('N =', N) print('L =', L) print('M =', M) print('b =', b)
x = vector(ZZ, int(N)) for j inrange(N): for i inrange(L): x[j] = x[j] * 2 + X[i, j]
defbad(): print("They're not my values!!!") sys.exit(0)
defcalc(va, vx): ret = [0] * L for i, vai inenumerate(va): for j inrange(L): bij = (vx[i] >> (L - 1 - j)) & 1 ret[j] = (ret[j] + vai * bij) % M return ret
if __name__ == '__main__': print('What are my original values?') print('a?') aa = list(map(int, input().split())) print('x?') xx = list(map(int, input().split()))