[NepCTF2022]中学数学
阅读原文时间:2023年07月08日阅读:4

p、q挣扎很久没分解出来,wp出来了赶紧复现试试。

题目
from gmpy2 import *
from Crypto.Util.number import *
from secret import flag
p=getPrime(1024)

q=next_prime(p+(p>>500))    #p>>500=(1/2^500)p

e=0x10001

n=p*q

c=pow(bytes_to_long(flag),e,n)

print("n=",n)
print("c=",c)

'''
n= 13776679754786305830793674359562910178503525293501875259698297791987196248336062506951151345232816992904634767521007443634017633687862289928715870204388479258679577315915061740028494078672493226329115247979108035669870651598111762906959057540508657823948600824548819666985698501483261504641066030188603032714383272686110228221709062681957025702835354151145335986966796484545336983392388743498515384930244837403932600464428196236533563039992819408281355416477094656741439388971695931526610641826910750926961557362454734732247864647404836037293509009829775634926600458845832805085222154851310850740227722601054242115507

c= 6253975396639688013947622483271226838902346034187241970785550830715516801386404802832796746428068354515287579293520381463797045055114065533348514688044281004266071342722261719304097175009672596062130939189624163728328429608123325223000160428261082507446604698345173189268359115612698883860396660563679801383563588818099088505120717238037463747828729693649297904035253985982099474025883550074375828799938384533606092448272306356003096283602697757642323962299153853559914553690456801745940925602411053578841756504799815771173679267389055390097241148454899265156705442028845650177138185876173539754631720573266723359186
'''
分析

出题人:“无脑爆破不够优雅”

这题关键就是把p和q分解出来,那我们就来优雅一下,缩小范围再爆破。

其中q=next_prime(p+(p>>500))指的是:\(q=[p+\frac{1}{2^{500}}p]+r\)

即:\(q=[(1+\frac{1}{2^{500}})p]+r\)

其中这个r是个为了凑到满足q为素数的最小整数。

则n为:\(n=p*q=[(1+\frac{1}{2^{500}})p^2]+rp\)

凑个平方。

得:\(\color {blue}{[(1+\frac{1}{2^{500}})n]}\color {black}{=[(1+\frac{1}{2^{500}})p]^2+(1+\frac{1}{2^{500}})rp}>\color {red} {[(1+\frac{1}{2^{500}})p]^2}\)

因为

\([(1+\frac{1}{2^{500}})n]=[(1+\frac{1}{2^{500}})p]^2+(1+\frac{1}{2^{500}})rp\) ------1式

\(q^2=[(1+\frac{1}{2^{500}})p+r]^2=[(1+\frac{1}{2^{500}})p]^2+[(1+\frac{1}{2^{500}})rp]+[(1+\frac{1}{2^{500}})rp]+r^2\) ------2式

显然2式大于1式。

因此,经过比较我们可以得到:

\([(1+\frac{1}{2^{500}})p]^2<[(1+\frac{1}{2^{500}})n]<[(1+\frac{1}{2^{500}})p+r]^2\)

这样一来,我们就可以通过开方进而缩小范围解出q:

\((1+\frac{1}{2^{500}})p<\sqrt{(1+\frac{1}{2^{500}})n}<(1+\frac{1}{2^{500}})p+r=q\)

由此,\(\sqrt{(1+\frac{1}{2^{2000}})n}\)的下一位质数即为q:

q = next_prime(iroot((n + (n >> 2000)), 2)[0])


但注意到next_prime算法的本质逻辑即是通过不断枚举奇数判断是否为素数,而这里n的分解保证了其必为素数,再判断素数的话属于是多此一举(浪费计算资源),所以我们可以根据素数分布公式或next_prime的方案向下枚举,得到唯一分解即可。

import gmpy2
from gmpy2 import *
from Crypto.Util.number import *

n = 13776679754786305830793674359562910178503525293501875259698297791987196248336062506951151345232816992904634767521007443634017633687862289928715870204388479258679577315915061740028494078672493226329115247979108035669870651598111762906959057540508657823948600824548819666985698501483261504641066030188603032714383272686110228221709062681957025702835354151145335986966796484545336983392388743498515384930244837403932600464428196236533563039992819408281355416477094656741439388971695931526610641826910750926961557362454734732247864647404836037293509009829775634926600458845832805085222154851310850740227722601054242115507
e = 0x10001
c = 6253975396639688013947622483271226838902346034187241970785550830715516801386404802832796746428068354515287579293520381463797045055114065533348514688044281004266071342722261719304097175009672596062130939189624163728328429608123325223000160428261082507446604698345173189268359115612698883860396660563679801383563588818099088505120717238037463747828729693649297904035253985982099474025883550074375828799938384533606092448272306356003096283602697757642323962299153853559914553690456801745940925602411053578841756504799815771173679267389055390097241148454899265156705442028845650177138185876173539754631720573266723359186
q = next_prime(iroot((n + (n >> 500)), 2)[0])    #优雅,太优雅了
p = int(n // q)        #求出q就常规做题了
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))

flag{never_ignore_basic_math}

总结

新手上路,当时没看懂next_prime(p+(p>>500))

尝试拿yafu暴力分解n,发现40分钟起步(。)

看了wp之后,才发现这道题还真就中学数学了…就像flag所说的一样,永远不要忽视基础数学。

手机扫一扫

移动阅读更方便

阿里云服务器
腾讯云服务器
七牛云服务器

你可能感兴趣的文章