[UTCTF2020]Curveball
My friend Shamir was trying to share the flag with me and some of the other problem writers, but he wanted to make sure it didn’t get intercepted in transmission, so he split it up. He said that the secrets that he shared will help us find the flag, but I can’t figure it out! These are the secrets I’ve gathered so far:
(C81E728D9D4C2F636F067F89CC14862C, 31E96A93BF1A7CE1872A3CCDA6E07F86) (ECCBC87E4B5CE2FE28308FD9F2A7BAF3, ADF6E4F1052BDE978344743CCDCF5771) (E4DA3B7FBBCE2345D7772B0674A318D5, 0668FBCFE4098FEA0218163AC21E6531) Can you figure out which flag is the right one?
by balex
还给了一个巨大的flag.txt
我们需要找到:which flag is the right one
这就是一道Shamir秘密共享问题。
wiki百科:https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing
本题给出了三对数据
(C81E728D9D4C2F636F067F89CC14862C, 31E96A93BF1A7CE1872A3CCDA6E07F86) (ECCBC87E4B5CE2FE28308FD9F2A7BAF3, ADF6E4F1052BDE978344743CCDCF5771) (E4DA3B7FBBCE2345D7772B0674A318D5, 0668FBCFE4098FEA0218163AC21E6531) 通过对其MD5查表
可转化为:
(2,5398141) (3,5398288) (5,5398756) 所以我们可以把它放在有理数环中QQ上(因为计算秘密过程出来不一定是一个整数)去算
或者直接计算。
....: x0,y0=(2,5398141) ....: x1,y1=(3,5398288) ....: x2,y2=(5,5398756) ....: R.<x>=QQ
[
] sage
: fx
=y0
*
(
(
-x1
)
*
(
-x2
)
)
/
(
(x0
-x1
)
*
(x0
-x2
)
)
+y1
*
(
(
-x0
)
*
(
-x2
)
)
/
(
(x1
-x0
)
*
(x1
-x2
)
)
+y
.
.
.
.
:
2
*
(
(
-x1
)
*
(
-x0
)
)
/
(
(x2
-x1
)
*
(x2
-x0
)
) sage
:
print
(fx
)
5398021
就得到了他们可计算出的秘密,5398021.
得到这个数据以后就可以根据其所在行寻找对应的flag
其他write up中的计算方法:
x0,y0=(2,5398141)
x1,y1=(3,5398288)
x2,y2=(5,5398756)
R.<x>=QQ[]
l0=(x-x1)/(x0-x1)*((x-x2)/(x0-x2))
l1=(x-x0)/(x1-x0)*((x-x2)/(x1-x2))
l2=(x-x0)/(x2-x0)*((x-x1)/(x2-x1))
fx=y0*l0+y1*l1+y2*l2
print(fx)
29*x^2 + 2*x + 5398021
我们可以研究一下其shamir生成过程:
import random, math
from sympy import symbols
# 14776336
# 5398021
s = 5398021 # secret
n = 5 # shares
k = 3 # threshold
coeff = list()
limit = 50
for i in range(k - 1):
coeff.append(random.randint(-limit, limit))
x = symbols('x')
exp = s
power = 1
for c in coeff:
exp += x**power * c
power += 1
print(exp)
shares = list()
for share in range(1, n + 1):
shares.append((share, exp.subs(x, share)))
print(shares)
其用户数为5,shamir门限值为3
并根据该生成函数,我们可以将其他的两个用户掌握的信息也计算出来:
29*x**2 + 2*x + 5398021
(1, 5398052)
(2, 5398141)
(3, 5398288)
(4, 5398493)
(5, 5398756)
(C4CA4238A0B923820DCC509A6F75849B, 0010B2FB3FFA462DD06792909B23C60A)
(C81E728D9D4C2F636F067F89CC14862C, 31E96A93BF1A7CE1872A3CCDA6E07F86)
(ECCBC87E4B5CE2FE28308FD9F2A7BAF3, ADF6E4F1052BDE978344743CCDCF5771)
(A87FF679A2F3E71D9181A67B7542122C, BED2A2D5E68CF2139D9648D7D2ECE6E7)
(E4DA3B7FBBCE2345D7772B0674A318D5, 0668FBCFE4098FEA0218163AC21E6531)
比如说我们现在可以生成一个秘密为utflag{666666}
然后用
import itertools, string
def generate_strings(length):
chars = string.digits
for item in itertools.product(chars, repeat = length):
yield "".join(item)
def main():
out = open("flags.txt", "w")
gen = generate_strings(6)
for string in gen:
flag = "utflag{" + string + "}"
print(flag)
out.write(flag + "\n")
out.close()
main()
生成一个为六位数字所有情况的flags.txt
通过查找flag{666666}所在行号来作为我们的秘密。
因为这里我只生成了(10个)数字作为每一位的选择,所以行号和flag是一一对应的 这里只做一个题目解读尝试。
然后我们的秘密就是666667
import random, math
from sympy import symbols
s = 666667 # secret
n = 10 # shares
k = 3 # threshold
coeff = list()
limit = 50
for i in range(k - 1):
coeff.append(random.randint(-limit, limit))
x = symbols('x')
exp = s
power = 1
for c in coeff:
exp += x**power * c
power += 1
print(exp)
shares = list()
for share in range(1, n + 1):
shares.append((share, exp.subs(x, share)))
print(shares)
假如我们的用户数为10个,只要其中的5个人就能恢复的话,就可以采用这个脚本来构建。
-x**4 - 8*x**3 - 25*x**2 - 14*x + 666667
[(1, 666619),(2, 666459), (3, 666103), (4, 665443), (5, 664347), (6, 662659), (7, 660199), (8, 656763), (9, 652123), (10, 646027)]
然后我们尝试一下恢复秘密
选择用户1,3,5,7,9去恢复
x0,y0=(1, 666619)
x1,y1=(3, 666103)
x2,y2=(5, 664347)
x3,y3=(7, 660199)
x4,y4=(9, 652123)
R.<x>=QQ[]
l0=(x-x1)/(x0-x1)*((x-x2)/(x0-x2))*((x-x3)/(x0-x3))*((x-x4)/(x0-x4))
l1=(x-x0)/(x1-x0)*((x-x2)/(x1-x2))*((x-x3)/(x1-x3))*((x-x4)/(x1-x4))
l2=(x-x0)/(x2-x0)*((x-x1)/(x2-x1))*((x-x3)/(x2-x3))*((x-x4)/(x2-x4))
l3=((x-x0)/(x3-x0))*((x-x1)/(x3-x1))*((x-x2)/(x3-x2))*((x-x4)/(x3-x4))
l4=((x-x0)/(x4-x0))*((x-x1)/(x4-x1))*((x-x2)/(x4-x2))*((x-x3)/(x4-x3))
fx=y0*l0+y1*l1+y2*l2+y3*l3+y4*l4
print(fx)
sage: x0,y0=(1, 666619)
....: x1,y1=(3, 666103)
....: x2,y2=(5, 664347)
....: x3,y3=(7, 660199)
....: x4,y4=(9, 652123)
....: R.<x>=QQ[]
....: l0=(x-x1)/(x0-x1)*((x-x2)/(x0-x2))*((x-x3)/(x0-x3))*((x-x4)/(x0-x4))
....: l1=(x-x0)/(x1-x0)*((x-x2)/(x1-x2))*((x-x3)/(x1-x3))*((x-x4)/(x1-x4))
....: l2=(x-x0)/(x2-x0)*((x-x1)/(x2-x1))*((x-x3)/(x2-x3))*((x-x4)/(x2-x4))
....: l3=((x-x0)/(x3-x0))*((x-x1)/(x3-x1))*((x-x2)/(x3-x2))*((x-x4)/(x3-x4))
....: l4=((x-x0)/(x4-x0))*((x-x1)/(x4-x1))*((x-x2)/(x4-x2))*((x-x3)/(x4-x3))
....: fx=y0*l0+y1*l1+y2*l2+y3*l3+y4*l4
....: print(fx)
-x^4 - 8*x^3 - 25*x^2 - 14*x + 666667
成功恢复秘密。