"""This code is designed to be run with SageMath. See https://www.sagemath.org/ If you don't have SageMath installed, you can use the online version at https://cocalc.com/ or https://sagecell.sagemath.org/ But you may not use pyton lib online... ref: https://doc.sagemath.org/html/en/index.html """ from Crypto.Util.number import bytes_to_long, long_to_bytes, isPrime from flag import flag from Crypto.Cipher import AES from base64 import b64encode from secret import key from Crypto.Util.Padding import pad p = 1457379754778834114393428514496372769300186542434939310975944765431765709327445548009771988242361974038539406450275157591 a = 1236064211753439722521344199773932075287648377233139862790772102290062141518569630890922001641345393262197009050412379555 b = 1128111897991419355721141214155995058314857116431662004640521251265155838304469066234949556324122951758680646976644303642 def lift_x(x, p): assert p % 4 == 3 z = (x**3 + a * x + b) % p res = pow(z, (p + 1) // 4, p) return res % p, -res % p if __name__ == "__main__": assert isPrime(p) F = GF(p) m = flag.encode("utf-8") cipher = AES.new(long_to_bytes(key), AES.MODE_CBC) iv = cipher.iv c = cipher.encrypt(pad(m, AES.block_size)) x = bytes_to_long(long_to_bytes(key) + c) assert x < p d = 65537 ecc = EllipticCurve(F, [a, b]) y = lift_x(x, p)[0] P = ecc(x, y) Q = d * P with open("public.txt", "w") as f: f.write(f"iv={bytes_to_long(b64encode(iv))}\n") f.write(f"Q_x={Q[0]}\n") f.write(f"Q_y={Q[1]}\n")
EllipticCurve。フラグがにエンコードされていて、とされている。がわかるので が計算可能
from Crypto.Util.number import bytes_to_long, long_to_bytes from Crypto.Cipher import AES from base64 import b64decode iv=1605329254557036569964018111218106639001485748371419774269 Q_x=1392303607889887553584136595208390161792050603172364540235291678701315789244344186052295822556700256817290239704363991998 Q_y=1217907436356492041789129865417129927287034438783900990437895711720259012753482269603468893642710812002767867785347902249 p = 1457379754778834114393428514496372769300186542434939310975944765431765709327445548009771988242361974038539406450275157591 a = 1236064211753439722521344199773932075287648377233139862790772102290062141518569630890922001641345393262197009050412379555 b = 1128111897991419355721141214155995058314857116431662004640521251265155838304469066234949556324122951758680646976644303642 d = 65537 E = EllipticCurve(GF(p), [a, b]) # e = inverse_mod(d, E.order()) # print(e) e = 1241564711061108477269540882575666943185803668724957376907835699186771306647708130089471975991520338085455819126992575937 P = E((Q_x, Q_y)) M = e*P print(M) x = long_to_bytes(int(M[0])) iv= b64decode(long_to_bytes(iv)) key, c = x[:len(iv)], x[len(iv):] cipher = AES.new(key, mode=AES.MODE_CBC, iv=iv) print(cipher.decrypt(c))