格学习笔记 - Zsm's blog

zsm

Time can create anything

浏览量：-，访问次数：-

Announcement

A ctfer? maybe.

Learn More

分类

标签

笔记 crypto docker golang HMV HTB k8s mac nodejs sagemath shell THM vscode vuln web windows wsl2

2931 字

15 分钟

格学习笔记

2025-06-29

CTF-crypto

crypto

/

笔记

浏览量：加载中...，访问次数：加载中...

前言#

用来记录我的格密码学习，参考资料是NSS工坊和一些blog

NTRU#

1.入门题#

task.py

1
import gmpy2
2
from secret import flag
3
from Crypto.Util.number import *
4

5
f = bytes_to_long(flag)
6
p = getPrime(512)
7
g = getPrime(128)
8
h = gmpy2.invert(f+20192020202120222023, p) * g % p
9

10
print('h =', h)
11
print('p =', p)

想要flag就要求出f，f=f+20192020202120222023，最后减去这个数就好了，那么已知的式子就变成了

h \equiv f^{-1}g \mod p \\ hf \equiv g \mod p \\ g=hf-kp \\ \begin{pmatrix} f&-k \end{pmatrix} \begin{pmatrix} 1&h\\ 0&p \end{pmatrix}= \begin{pmatrix} f&g \end{pmatrix}

在本质的计算中，他是拿向量(h,1)(p,0)去做线性组合，如果两组是 $x_1$$x_2$ ，那么就变成了 $x_1h+x_2p,x_1$ ，而当 $x_1=f,x_2=-k$ 就是我们想要的结果

exp.sage

1
from sage.all import*
2
from Crypto.Util.number import *
3

4
h =
5
p =
6

7
zsm=Matrix(ZZ,[[1,h],[0,p]])
8
f,g=zsm.LLL()[0]
9
print(long_to_bytes(abs(f)-20192020202120222023))

与此题相似的还有LitCTF2025的baby，不过那个需要配平一下

2.HNCTF 2022 WEEK2#

task.py

1
from Crypto.Util.number import *
2
from hashlib import *
3

4
p = getPrime(2048)
5
f = getPrime(1024)
6
g = getPrime(768)
7
h = pow(f,-1,p)*g%p
8
verify = sha256(bytes.fromhex(hex(f+g)[2:])).hexdigest()
9
print(f'verify = {verify}')
10
print(f'p = {p}')
11
print(f'h = {h}')
12
print('NSSCTF{' + md5(bytes.fromhex(hex(f+g)[2:])).hexdigest() + '}')

h\equiv f^{-1}g \mod p \\ hf\equiv g \mod p \\ g=hf-kp \\ \begin{pmatrix} f&-k \end{pmatrix} \begin{pmatrix} 1&h\\ 0&p \end{pmatrix}= \begin{pmatrix} f&g \end{pmatrix}

你会发现和上一题差不多的感觉()

exp.sage

1
from sage.all import*
2
from Crypto.Util.number import *
3
from hashlib import *
4
verify = ""
5
p =
6
h =
7

8

9
zsm=Matrix(ZZ,[[1,h],[0,p]])
10
f,g=zsm.LLL()[0]
11
if sha256(bytes.fromhex(hex(abs(f)+abs(g))[2:])).hexdigest() == verify:
12
    flag = 'NSSCTF{' + md5(bytes.fromhex(hex(f+g)[2:])).hexdigest() + '}'
13
    print(flag)

3.不知道哪来的#

task.py

1
from Crypto.Util.number import *
2

3
p = getPrime(1024)
4

5
f = getPrime(400)
6
g = getPrime(512)
7
r = getPrime(400)
8

9
h = inverse(f, p) * g % p
10

11
m = b'******'
12
m = bytes_to_long(m)
13

14
c = (r*h + m) % p
15

16
print(f'p = {p}')
17
print(f'h = {h}')
18
print(f'c = {c}')

先把h代入进去，然后化简

c \equiv (r \times f^{-1} \times g+m) \mod p \\ fc \equiv (rg+mf) \mod p\\ mf \equiv (fc-rg) \mod p \\ mf \equiv fc \mod p \mod g \\ m \equiv (fc \mod p) \times f^{-1} \mod g

要求m就要知道fcpg，cp已知，求fg

\begin{pmatrix} f&-k \end{pmatrix} \begin{pmatrix} 1&h\\ 0&p \end{pmatrix}= \begin{pmatrix} f&g \end{pmatrix}

exp.sage

1
from sage.all import*
2
from Crypto.Util.number import *
3

4
p =
5
h =
6
c =
7

8
zsm=Matrix(ZZ,[[1,h],[0,p]])
9
f,g=zsm.LLL()[0]
10
f,g=abs(f),abs(g)
11
m=((f*c%p)*inverse(f,g))%g
12
print(long_to_bytes(m))

4.深育杯2021#

task.py

1
from Crypto.Util.number import *
2
import gmpy2
3
from flag import flag
4

5
def encrypt(plaintext):
6
    p = getStrongPrime(3072)
7
    m = bytes_to_long(plaintext)
8
    r = getRandomNBitInteger(1024)
9
    while True:
10
        f = getRandomNBitInteger(1024)
11
        g = getStrongPrime(768)
12
        h = gmpy2.invert(f, p) * g % p
13
        c = (r * h + m * f) % p
14
        return (h, p, c)
15

16
h, p, c = encrypt(flag)
17
with open("cipher.txt", "w") as f:
18
    f.write("h = " + str(h) + "\n")
19
    f.write("p = " + str(p) + "\n")
20
    f.write("c = " + str(c) + "\n")

格和前面构造的一样，主要是c的化简不一样，这里就省略了

NSS工坊题目#

P3#

task.py

1
from Crypto.Util.number import *
2
import random
3

4
flag = b'******'
5
m = bytes_to_long(flag)
6

7
a = getPrime(1024)
8
b = getPrime(1536)
9

10
p = getPrime(512)
11
q = getPrime(512)
12
r = random.randint(2**14, 2**15)
13
assert ((p-r) * a + q) % b < 50
14

15
c = pow(m, 65537, p*q)
16

17
print(f'c = {c}')
18
print(f'a = {a}')
19
print(f'b = {b}')

x \equiv ((p-r) \times a+q) \mod b \\ x-q \equiv (p-r)\times a \mod b \\ x-q=(p-r)\times a+kb \\ \begin{pmatrix} p-r&k \end{pmatrix} \begin{pmatrix} a&1\\ b&0 \end{pmatrix}= \begin{pmatrix} x-q&p-r \end{pmatrix}

xr都是很小的数，可以爆破，值得注意的是，先爆破r再爆破x会快一点xd

exp.sage

1
from sage.all import*
2
from Crypto.Util.number import *
3

4
c =
5
a =
6
b =
7
e=65537
8
zsm=Matrix(ZZ,[[a,1],[b,0]])
9
xq,pr=zsm.LLL()[0]
10
xq,pr=abs(xq),abs(pr)
11

12
for r in range(2**14,2**15):
13
   for x in range(50):
14
      p=pr+r
15
      q=x+xq
16
      n=p*q
17
      d=inverse(e,(p-1)*(q-1))
18
      m=pow(c,d,n)
19
      flag=long_to_bytes(m)
20
      if b'NSSCTF{' in flag:
21
        print(flag)
22
        break

P4#

task.py

1
from Crypto.Util.number import *
2
from gmpy2 import *
3

4
flag = b'******'
5
flag = bytes_to_long(flag)
6

7
p = getPrime(1024)
8
r = getPrime(175)
9
a = inverse(r, p)
10
a = (a*flag) % p
11

12
print(f'a = {a}')
13
print(f'p = {p}')

a\equiv r^{-1}flag \mod p \\ flag=ar+kp \\ \begin{pmatrix} r&k \end{pmatrix} \begin{pmatrix} a&2^{170}\\ p&0 \end{pmatrix}= \begin{pmatrix} flag&2^{170}r \end{pmatrix}

exp.sage

1
from sage.all import*
2
from Crypto.Util.number import *
3

4
a =
5
p =
6
e=65537
7
zsm=Matrix(ZZ,[[a,2**170],[p,0]])
8
flag,R=zsm.LLL()[0]
9
flag,R=abs(flag),abs(R)
10

11
print(long_to_bytes(flag))

P5#

task.py

1
from Crypto.Util.number import *
2
from gmpy2 import *
3

4
flag = b'******'
5
m = bytes_to_long(flag)
6

7
assert m.bit_length() == 351
8
p = getPrime(1024)
9
b = getPrime(1024)
10
c = getPrime(400)
11

12
a = (b*m + c) % p
13

14
print(f'a = {a}')
15
print(f'b = {b}')
16
print(f'p = {p}')

c=a-bm+kp\\ \begin{pmatrix} 1&m&k \end{pmatrix} \begin{pmatrix} a&0&2^{351}\\ -b&1&0\\ p&0&0 \end{pmatrix}= \begin{pmatrix} c&m&2^{351} \end{pmatrix}

exp.sage

1
from sage.all import*
2
from Crypto.Util.number import *
3

4
a =
5
b =
6
p =
7

8
zsm=Matrix(ZZ,[[a,0,2**351],[-b,1,0],[p,0,0]])
9
c,m,x=zsm.LLL()[0]
10
c,m,x=abs(c),abs(m),abs(x)
11

12
print(long_to_bytes(m))

P6#

task.py

1
from Crypto.Util.number import *
2

3
flag = b'******'
4
flag = bytes_to_long(flag)
5
d = getPrime(400)
6

7
for i in range(4):
8
    p = getPrime(512)
9
    q = getPrime(512)
10
    n = p * q
11
    e = inverse(d, (p-1)*(q-1))
12
    c = pow(flag, e, n)
13
    print(f'e{i} =', e)
14
    print(f'n{i} =', n)
15
    print(f'c{i} =', c)

原型应该是NUSTCTF 2022 新生赛的一个论文题，IJCSI-9-2-1-311-314

具体实现方法是把最大的n开根号赋值给M，然后还有 $e_id=1+k_i\phi N_i$ ，然后这里假设了phi可以写作N-s，使式子变成了

e_id=1+k_i(N_i-s_i)\\ e_id-k_iN_i=1-k_is_i\\ 我们还有一个式子dM=dM\\ 可以写成矩阵相乘\\ \begin{pmatrix} d & k_1 & k_2 & \dots & k_i \end{pmatrix} \begin{pmatrix} M & e_1 & e_2 & \dots & e_i \\ 0 & -N_1 & 0 & \dots & 0 \\ 0 & 0 & -N_2 & \dots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \dots & -N_i \end{pmatrix}= \begin{pmatrix} dM & 1 - k_1 s_1 & 1 - k_2 s_2 & \dots & 1 - k_is_i \end{pmatrix}

exp.sage

1
from Crypto.Util.number import *
2
from sage.all import*
3

4
M = isqrt(n0)
5

6
L = Matrix(ZZ, [[M, e0, e1, e2, e3],
7
                [0,-n0,  0,  0,  0],
8
                [0,  0,-n1,  0,  0],
9
                [0,  0,  0,-n2,  0],
10
                [0,  0,  0,  0,-n3]])
11

12
d = abs(L.LLL()[0][0]) // M
13

14
m = power_mod(c0, d, n0)
15

16
print(long_to_bytes(m))

P7#

task.py

1
from Crypto.Util.number import *
2

3
flag = b'******'
4
flag = bytes_to_long(flag)
5

6
p = getPrime(512)
7
q = getPrime(512)
8
n = p * q
9
c = pow(flag, 65537, n)
10
print(f'n =', n)
11
print(f'c =', c)
12
for i in range(2):
13
    d = getPrime(350)
14
    e = inverse(d, (p-1)*(q-1))
15
    print(f'e{i} =', e)

这个其实就是维纳拓展攻击，从一元变成了二元，直接上脚本了

exp.sage

1
from Crypto.Util.number import *
2
n =
3
c =
4
e0 =
5
e1 =
6
a = 5/14
7
D = diagonal_matrix(ZZ, [n, int(n^(1/2)), int(n^(1+a)), 1])
8
M = Matrix(ZZ, [[1, -n, 0, n^2],
9
                [0, e0, -e0, -e0*n],
10
                [0,  0, e1,  -e1*n],
11
                [0,  0,  0,  e0*e1]])*D
12
L = M.LLL()
13
t = vector(ZZ, L[0])
14
x = t * M^(-1)
15

16
x * M = t
17
phi = int(x[1]/x[0]*e0)
18

19
d = inverse_mod(65537, phi)
20
m = power_mod(c, d, n)
21
print(long_to_bytes(m))

P8#

task.py

1
from Crypto.Util.number import *
2

3
flag = b'******'
4
m = bytes_to_long(flag)
5

6
p = getPrime(512)
7
s = [getPrime(32) for i in range(3)]
8
a = [getPrime(512) for i in range(3)]
9

10
c = (a[0]*s[0]**2*s[1]**2 + a[1]*s[0]*s[2]**2 + a[2]*s[1]*s[2]) % p
11

12
flag = m*s[0]*s[1]*s[2]
13
print(f'c = {c}')
14
print(f'flag = {flag}')
15
print(f'a = {a}')
16
print(f'p = {p}')

目的是求s，要对这个式子变形，想办法使未知量在一侧

-s_1s_2=a_0a^{-1}_2s_0^{2}s_1^{2}+a_1a_2^{-1}s_0s_2^{2}-ca_2^{-1}+kp \\ \begin{pmatrix} s_0^{2}s_1^{2}&s_0s_2^{2}&1&k \end{pmatrix} \begin{pmatrix} a_0a^{-1}_2&0&0&1\\ a_1a_2^{-1}&0&1&0\\ -ca_2^{-1}&1&0&0\\ p&0&0&0 \end{pmatrix}= \begin{pmatrix} -s_1s_2&1&s_0s_2^{2}&s_0^{2}s_1^{2} \end{pmatrix}

发现直接这样打出不来，配平一下

exp.sage

1
from Crypto.Util.number import *
2

3
c =
4
flag =
5
a = []
6
p =
7

8
ia = inverse_mod(a[2], p)
9

10
L = Matrix(ZZ, [[a[0]*ia%p, 0, 0, 1],
11
                [a[1]*ia%p, 0, 1, 0],
12
                [-c*ia%p, 1, 0, 0  ],
13
                [p, 0, 0,         0]]) * diagonal_matrix(ZZ, [1, 2^32, 2^128, 2^64])
14

15
v = L.LLL()[0]
16
s0s1 = isqrt(abs(v[0]))
17
s1s2 = abs(v[3]) >> 64
18
s1 = gcd(s0s1, s1s2)
19
s0 = s0s1 // s1
20
s2 = s1s2 // s1
21

22
flag = flag // s0 // s1 // s2
23
print(long_to_bytes(flag))

HNP问题#

形式比较固定，一般长这样 $k_i\equiv A_ix+B_i \mod p$ ，我们一般会有多组kAB，所以我们可以依靠这个去建格。

这种式子经常出现在DSA签名中

r \equiv g^k \mod q \\ s \equiv k^{-1}(H(m)+xr) \mod q \\ k_i \equiv s_i^{-1}r_ix+s_i^{-1}H(m) \mod q \\ A=s_i^{-1}r_i,B=s_i^{-1}H(m) \\ k_i=A_ix+B+l_iq

这就是一个非常标准的HNP了，建一个格

\begin{pmatrix} l_1 & l_2 & \dots & l_i &x & 1 \end{pmatrix} \begin{pmatrix} q & 0 & \dots & 0 & 0 & 0 \\ 0 & 0 & \dots & 0 & 0 & 0\\ 0 & 0 & \ddots & 0 & 0 & 0\\ \vdots & \vdots & \vdots & q & \vdots & \vdots\\ A_1 & A_2 & \dots & A_i & K/q & 0\\ B_1 & B_2 & \dots & B_i & 0 & K \end{pmatrix}= \begin{pmatrix} k_1 & k_2 & \dots & k_i & Kx/q & K \end{pmatrix}

对应脚本

1
import json
2

3
t = 40
4

5
# Load data
6
f = open("data", "r")
7
(q, Hm_s, r_s, s_s) = json.load(f)
8

9
# Calculate A & B
10
A = []
11
B = []
12
for r, s, Hm in zip(r_s, s_s, Hm_s):
13
    A.append( ZZ( (inverse_mod(s, q)*r) % q ) )
14
    B.append( ZZ( (inverse_mod(s, q)*Hm) % q ) )
15

16
# Construct Lattice
17
K = 2^122   # ki < 2^122
18
X = q * identity_matrix(QQ, t) # t * t
19
Z = matrix(QQ, [0] * t + [K/q] + [0]).transpose() # t+1 column
20
Z2 = matrix(QQ, [0] * (t+1) + [K]).transpose()    # t+2 column
21

22
Y = block_matrix([[X],[matrix(QQ, A)], [matrix(QQ, B)]]) # (t+2) * t
23
Y = block_matrix([[Y, Z, Z2]])
24

25
# Find short vector
26
Y = Y.LLL()
27

28
# check
29
k0 = ZZ(Y[1, 0] % q)
30
x = ZZ(Y[1, -2] / (K/q) % q)
31
assert(k0 == (A[0]*x + B[0]) % q)
32
print(x)
33

34
/**
35
* 复制并使用代码请注明引用出处哦~
36
* Lazzaro @ https://lazzzaro.github.io
37
*/

当然现在LCG的题目里面也有HNP了，比如LCG已知state高位求seed/LCG未知a,b求seed，这种题目在0xGame中是出现过的

1.2023闽盾杯#

task.py

1
from random import randbytes
2
from hashlib import sha256
3
from secret import FLAG
4

5
prime_q =
6
prime_p = 2 * prime_q + 1
7
generator = 2
8

9
def generate_keys(prime_p:int, prime_q: int, generator: int):
10
    private_key = int(randbytes(48).hex(), 16)
11
    public_key = pow(generator, private_key, prime_p)
12
    return private_key, public_key
13

14
def signature(m: str, private_key: int):
15
    ephemeral_key = pow(int.from_bytes(m.encode(), "big"), -1, prime_q)
16
    value_r = pow(generator, ephemeral_key, prime_p) % prime_q
17
    hash_value = sha256(m.encode()).hexdigest()
18
    value_s = pow(ephemeral_key, -1, prime_q) * (int(hash_value, 16) + private_key * value_r) % prime_q
19
    return hash_value, value_r, value_s
20

21
def verification(message_hash: str, value_r: int, value_s: int, public_key: int):
22
    message_hash = int(message_hash, 16)
23
    inverse_s = pow(value_s, -1, prime_q)
24
    u1 = message_hash * inverse_s % prime_q
25
    u2 = value_r * inverse_s % prime_q
26
    value_v = (pow(generator, u1, prime_p) * pow(public_key, u2, prime_p) % prime_p) % prime_q
27
    return value_v == value_r
28

29
private_key, public_key = generate_keys(prime_p, prime_q, generator)
30
print(f"prime_p = {prime_p}")
31
print(f"prime_q = {prime_q}")
32
print(f"generator = {generator}")
33
print(f"public_key = {public_key}")
34
hash_value, value_r, value_s = signature(FLAG, private_key)
35
assert verification(hash_value, value_r, value_s, public_key)
36
print("FLAG= *******************************")
37
print(f"Here is your gift = {hash_value}")
38
print(f"value_r = {value_r}")
39
print(f"value_s = {value_s}")

先看看代码，可以看见他把flag加密完带进去当ephemeral_key了，按照上面的式子来说就是

m=k^{-1},hash(m)=H\\ s\equiv k^{-1}\times (H+xr) \mod q \\ m=sH^{-1}-mxrH^{-1}+kq \\ sH^{-1}=B,-rH^{-1}=A,mx=t\\ m=At+B+kq\\ \begin{pmatrix} k & t & 1 \end{pmatrix} \begin{pmatrix} q&0&0\\ A&1/2^{384}&0\\ B&0&2^{320} \end{pmatrix}= \begin{pmatrix} m&t/2^{384}&2^{320} \end{pmatrix}

这边配平是因为只打格出不来，就改改，能跑出来就行()

exp.sage

1
import gmpy2
2
from Crypto.Util.number import *
3

4
p =
5
q =
6
g = 2
7
pb =
8
h = ''
9
r =
10
s =
11

12
H = int(h,16)
13
inv = gmpy2.invert(H,q)
14
A = -r*inv
15
B = s*inv
16

17
M = [[q,0,0],
18
      [A,1/2^384,0],
19
      [B,0,2^320]]
20

21
Ge = Matrix(M)
22

23
for i in Ge.LLL():
24
    if i[-1] == 2^320:
25
        m = i[0]
26
        print(long_to_bytes(int(m)))

2.BabyHNP#

task.py

1
from secret import flag
2
from random import randint
3
import libnum
4
import os
5
assert len(flag) == 44
6

7
def padding(f):
8
    return f + os.urandom(64 - 1 - len(f))
9

10
n = 5
11
m = libnum.s2n(padding(flag))
12
q = libnum.generate_prime(512)
13
A = [randint(1, q) for i in range(n)]
14
B = [A[i] * m % q for i in range(n)]
15
b = [B[i] % 2**128 for i in range(n)]
16

17
print('q = %s' % q)
18
print('A = %s' % A)
19
print('b = %s' % b)

B_i=b_i+k\times 2^{128} \\ b_i+k_i\times 2^{128}\equiv A_im \mod q \\ k_i=A_im\times (2^{-128} \mod q)-b_i\times (2^{-128} \mod q)+l_iq

这个就和上面的格一模一样了，直接构建就行了

exp.sage

1
from gmpy2 import *
2
from Crypto.Util.number import *
3

4
p =
5
B = [, , , , ]
6
R = [, , , , ]
7

8

9
n = len(R)
10

11
M = Matrix(QQ,n+2,n+2)
12
inv = invert(2 ** 128,p)
13

14
for i in range(n):
15
    M[i,i] = p
16
    M[-2,i] = B[i] * inv
17
    M[-1,i] = -R[i] * inv
18

19
t = 1 / 2^128
20
K = 2^384
21

22
M[-2,-2] = t
23
M[-1,-1] = K
24

25
L = M.LLL()
26

27
x = L[1][-2] // t
28
m = x % p
29
print(int(m).bit_length())
30
print(long_to_bytes(int(m)))

看了好多师傅的博客，感觉HNP都可以建成这个格，主要难的还是化简构造，得自己多练练，找到这种建格去打的感觉才行

HSP&HSSP#

HSP在我的认知里就是背包的升级版？或者说背包就是一种HSP，而HSSP是一种正交格，这个真的不会，看Tover神的博客吧，我只会套脚本

LWE#

这种问题的特点在于有一个噪音e(一般比较小)，比如原式子是 $Ax=b$ ，加入噪音之后变成了 $Ax+e=b$ ，在未知x和e的情况下，我们就可以通过建格去先求出e，然后解方程求出x，构建这个格就行了

\begin{pmatrix} A &0\\ -b&1 \end{pmatrix}

SUSCTF2022#

task.py

1
import numpy as np
2
from secret import flag
3

4
def gravity(n,d=0.25):
5
    A=np.zeros([n,n])
6
    for i in range(n):
7
        for j in range(n):
8
            A[i,j]=d/n*(d**2+((i-j)/n)**2)**(-1.5)
9
    return A
10

11
n=len(flag)
12
A=gravity(n)
13
x=np.array(list(flag))
14
b=A@x
15
np.savetxt('b.txt',b)

b已经给出，那么可以知道矩阵的维度，那么就可以恢复出A，再按照上面的格去打出e就行了

exp.sage

1
import numpy as np
2

3
def gravity(n,d=0.25):
4
    A=np.zeros([n,n])
5
    for i in range(n):
6
        for j in range(n):
7
            A[i,j]=d/n*(d**2+((i-j)/n)**2)**(-1.5)
8
    return A
9

10
b = []
11
for i in open('b.txt','r').readlines():
12
    b.append(float(i.strip()))
13

14
n = 85
15
A = gravity(85)
16

17
t = 10^21
18
for i in range(len(b)):
19
    b[i] = -b[i] * t
20

21
for i in range(n):
22
    for j in range(n):
23
        A[i,j] = A[i,j] * t
24

25
M = Matrix(ZZ,n+1,n+1)
26

27
for i in range(n):
28
    M[-1,i] = b[i]
29
    for j in range(n):
30
        M[i,j] = A[i,j]
31

32
M[-1,-1] = 1
33

34
e = M.LLL()[0]
35
flag = M.solve_left(e)
36

37
print(bytes(flag[:-1]))

常用脚本#

这里直接搬la佬的了

1
#脚本1-小规模
2
#Sage
3
from sage.modules.free_module_integer import IntegerLattice
4

5
row =
6
column =
7
prime =
8

9
ma =
10
res =
11

12
W = matrix(ZZ, ma)
13
cc = vector(ZZ, res)
14

15
# Babai's Nearest Plane algorithm
16
def Babai_closest_vector(M, G, target):
17
    small = target
18
    for _ in range(5):
19
        for i in reversed(range(M.nrows())):
20
            c = ((small * G[i]) / (G[i] * G[i])).round()
21
            small -=  M[i] * c
22
    return target - small
23

24
A1 = matrix.identity(column)
25
Ap = matrix.identity(row) * prime
26
B = block_matrix([[Ap], [W]])
27
lattice = IntegerLattice(B, lll_reduce=True)
28
print("LLL done")
29
gram = lattice.reduced_basis.gram_schmidt()[0]
30
target = vector(ZZ, res)
31
re = Babai_closest_vector(lattice.reduced_basis, gram, target)
32
print("Closest Vector: {}".format(re))
33

34
R = IntegerModRing(prime)
35
M = Matrix(R, ma)
36
M = M.transpose()
37

38
ingredients = M.solve_right(re)
39
print("Ingredients: {}".format(ingredients))
40

41
m = ''
42
for i in range(len(ingredients)):
43
    m += chr(ingredients[i])
44
print(m)

1
#脚本2-大规模
2
#Sage
3
from sage.modules.free_module_integer import IntegerLattice
4
from random import randint
5
import sys
6
from itertools import starmap
7
from operator import mul
8

9
# Babai's Nearest Plane algorithm
10
# from: http://mslc.ctf.su/wp/plaidctf-2016-sexec-crypto-300/
11
def Babai_closest_vector(M, G, target):
12
    small = target
13
    for _ in range(1):
14
        for i in reversed(range(M.nrows())):
15
            c = ((small * G[i]) / (G[i] * G[i])).round()
16
            small -= M[i] * c
17
    return target - small
18

19
m =
20
n =
21
q =
22

23
A_values =
24
b_values =
25

26
A = matrix(ZZ, m + n, m)
27
for i in range(m):
28
    A[i, i] = q
29
for x in range(m):
30
    for y in range(n):
31
        A[m + y, x] = A_values[x][y]
32
lattice = IntegerLattice(A, lll_reduce=True)
33
print("LLL done")
34
gram = lattice.reduced_basis.gram_schmidt()[0]
35
target = vector(ZZ, b_values)
36
res = Babai_closest_vector(lattice.reduced_basis, gram, target)
37
print("Closest Vector: {}".format(res))
38

39
R = IntegerModRing(q)
40
M = Matrix(R, A_values)
41
ingredients = M.solve_right(res)
42

43
print("Ingredients: {}".format(ingredients))
44

45
for row, b in zip(A_values, b_values):
46
    effect = sum(starmap(mul, zip(map(int, ingredients), row))) % q
47
    assert(abs(b - effect) < 2 ** 37)
48

49
print("ok")

格学习笔记

https://www.zhuangsanmeng.xyz/posts/ge-1/

作者

zsm

发布于

2025-06-29

许可协议

MIT

Study golang「1」

MT19937

a ctfer on the load

前言#

NTRU#

1.入门题#

2.HNCTF 2022 WEEK2#

3.不知道哪来的#

4.深育杯2021#

NSS工坊题目#

P3#

P4#

P5#

P6#

P7#

P8#

HNP问题#

1.2023闽盾杯#

2.BabyHNP#

HSP&HSSP#

LWE#

SUSCTF2022#

常用脚本#