[watevrCTF 2019]Baby RLWE

題目

Mateusz carried a huge jar of small papers with public keys written on them, but he tripped and accidentally dropped them into the scanner and made a txt file out of them! D: Note: This challenge is just an introduction to RLWE, the flag is (in standard format) encoded inside the private key.

baby_rlwe.sage

from sage.stats.distributions.discrete_gaussian_polynomial import DiscreteGaussianDistributionPolynomialSampler as d_gaussflag = bytearray(raw_input()) flag = list(flag)n = len(flag) q = 40961## Finite Field of size q. F = GF(q)## Univariate Polynomial Ring in y over Finite Field of size q R.<y> = PolynomialRing(F)## Univariate Quotient Polynomial Ring in x over Finite Field of size 40961 with modulus b^n + 1 S.<x> = R.quotient(y^n + 1)def gen_small_poly():sigma = 2/sqrt(2*pi)d = d_gauss(S, n, sigma)return d()def gen_large_poly():return S.random_element()## Public key 1 a = gen_large_poly()## Secret key s = S(flag)file_out = open("downloads/public_keys.txt", "w") file_out.write("a: " + str(a) + "\n")for i in range(100):## Errore = gen_small_poly()## Public key 2b = a*s + efile_out.write("b: " + str(b) + "\n")file_out.close()

解題

Mateusz拿著一大罐寫著公鑰的小文件，但他絆倒了，不小心把它們丟進了掃描儀，并用它們制作了一個txt文件！D：注意：這個挑戰只是對RLWE的介紹，標志（標準格式）編碼在私鑰中。

RLWE是Ring learning with errors的簡稱，是基于格的環上容錯學習問題

RLWE 問題定義為：給定均勻隨機生成的多項式 $a\in R_q$，$s\in R_q$和$e\in R_q$ 服從分布 $X$， $b_i=a_{i}s+e_i$。搜索版本的 RLWE 問題 (Search RLWE) 為：給定多組 $(a_i,b_i)$，找到 $s$。判定版本的 RLWE 問題 (Decision RLWE) 為：將$b_i$和均勻隨機生成的向量區分開。
大概能看出這道題就是這種類型的了，但是怎么解呢

找到一位大佬的思路

keys = open("public_keys.txt", "r").read().split("n")[:-1] temp1 = keys[0].find("^") temp2 = keys[0].find(" ", temp1) n = Integer(keys[0][temp1+1:temp2]) + 1 q = 40961 F = GF(q) R.<y> = PolynomialRing(F) S.<x> = R.quotient(y^n + 1) a = S(keys[0].replace("a: ", "")) keys = keys[1:] counters = [] for i in range(n):counters.append({})for key in keys:b = key.replace("b: ", "")b = list(S(b))for i in range(n):try:counters[i][b[i]] += 1except:counters[i][b[i]] = 1a_s = [] for counter in counters:dict_keys = counter.keys()max_key = 0maxi = 0for key in dict_keys:if counter[key] > maxi:maxi = counter[key]max_key = keya_s.append(max_key)a_s = S(a_s) s = a_s/a print ''.join(map(chr,list(s)))

也有師傅說：
用sage解
通過觀察e的生成函數可以發現多項式e上的很多位都為0
這就說明我們可以通過統計b中的相應位上的出現次數最多的系數作為a*s的值
而a我們又是知道的
所以就可以求出s來
從而繞過e的干擾

#sage from sage.stats.distributions.discrete_gaussian_polynomial import DiscreteGaussianDistributionPolynomialSampler as d_gauss keys = open("public_keys.txt", "r").read().split("\n")[:-1] temp1 = keys[0].find("^") temp2 = keys[0].find(" ", temp1) n=int(keys[0][temp1+1:temp2])+1 print(n) q = 40961 F = GF(q) R.<y> = PolynomialRing(F) S.<x> = R.quotient(y^n + 1) num=[] for i in range(n):num.append({}) #print(num) a=S(keys[0].replace('a: ','')) #print(a) keys=keys[1:] for key in keys:b=key.replace('b: ','')li=list(S(b))#print(li)for i in range(len(num)):try:num[i][li[i]]+=1except:num[i][li[i]]=1 asnum=[] #print(num) for i in num:asnum.append(max(i,key=i.get)) #print(asnum) aspoly=S(asnum) flag=aspoly/a print(list(flag)) flag=''.join(map(chr,flag)) print(flag)

運行得到watevr{rlwe_and_statistics_are_very_trivial_when_you_reuse_same_private_keys#02849jedjdjdj202ie9395u6ky}

總結

以上是生活随笔為你收集整理的[watevrCTF 2019]Baby RLWE的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。