Merge pull request r3kapig#18 from crazymanarmy/master

crazymanarmy · web-flow · commit e165a079cd85 · 2023-02-07T00:58:05.000+08:00
update dicectf 2023
diff --git a/20230206-DiceCTF2023-CN/README.md b/20230206-DiceCTF2023-CN/README.md
@@ -1169,37 +1169,13 @@ if __name__ == '__main__':
 
 ### Membrane:
 
-一开始，我想要去直接LLL出来"e"s(which is in [-10,10]) : $pk_b= pk_A * S+ 257 * e \pmod{q}$
-
-为了让目标向量足够小，我这么做: $new\_pk_b=pk_b*(p^{-1})\pmod{q},new\_pk_A=pk_A*(p^{-1})\pmod{q}$
-
-那么 $|new\_pk_A\cdot S-new\_pk_b|<10$, 但是格子规模太大了，同时目标向量不是足够小
-
-大约 1000 个维度.....XD
-
-用了巨久去找一些奇怪的问题， 最后, 我发现每个A 满足线性关系: $c_{i} \cdot pk_A = A$, $pk_A$ 是 612*512的一个矩阵
-
-![](https://i.imgur.com/4W3zLbc.png)
+![](https://i.imgur.com/2BDPfju.png)
 
 **关键点来了:**
 
-$pk_A$ 的最后 100 行可以被前面 512 行线性表示
-
-$pk_{A,i-1}$ : the i-th row of $pk_A$. $pk_{A,i-1}=pk_{A,i-1},i\in[1,512]$ ; $pk_{A,i-1}=\sum_{j=0}^{511}x_{i,j}\cdot pk_{A,j-1},i\in[513,612]$
-
-于是用最新的表达方式表示 $pk_A$. $pk_A$ 就只有512个分量了 新关系式如下
-
-$$c\text{fake}_i = k_i+\sum_{j=512}^{611} k_j\cdot x_{i,j}\pmod{q}\Rightarrow -k_i = -c\text{fake}_i+\sum_{j=512}^{611} k_j\cdot x_{i,j}\pmod{q}$$
-
-对于真正的 c, $c_i=k_i\in \set{0,-1,1}$ ,用了100条 (可能50条就够) 关系去构造格子 $\mathcal{L}$ (201*201, like knapsack,SIS)
-
-![](https://i.imgur.com/aOxFjOk.png)
+![](https://i.imgur.com/mK44OTN.png)
 
-LLL这个格子以后可以得到目标向量 $(k_{512},\dots,k_{611},-1,k_{0},\dots,k_{99})$
-
-接着使用 $(k_{512},\dots,k_{611})$ 计算出来 $(k_{0},\dots,k_{511})$. 就得到了真正的c
-
-![](https://i.imgur.com/2Hbwazh.png)
+![](https://i.imgur.com/p2IdvkX.png)
 
 然后即可解密拿到flag:
 
@@ -1328,22 +1304,7 @@ enc0, enc1 = alice.encrypt(mask)
 
 **OT-csidh**:
 
-$$pub_0=[priv0]base,pub1=[priv1]base,ssi=[-privi]mask$$
-
-$$enc_0=m_0\oplus ss_0,enc_1=m_1\oplus ss_1,flag=m_0\oplus m_1$$
-
-If choose mask=pub0,then 
-
-![](https://i.imgur.com/qbeRDcO.png)
-
-为了让题目比较神奇一点，我们使用 mask == libcsidh.base,
-然后 ss = apply_iso(clibcsidh.base,-priv),pub = apply_iso(clibcsidh.base,priv)
-
-$$ss = [a]^{-1}\text{base},pub=[a]\text{base}$$
-
-但是笔者并不理解csidh, 所以尝试去猜测 ss 和 pub 是否有什么代数关系
-
-然后发现 $ss=-pub\pmod{p}$
+![](https://i.imgur.com/21wUr7V.png)
 
 **Note:** 小端序 ！
 
diff --git a/20230206-DiceCTF2023-EN/README.md b/20230206-DiceCTF2023-EN/README.md
@@ -1193,39 +1193,13 @@ if __name__ == '__main__':
 
 ### Membrane:
 
-In the beginning, I wanted to get "e"s(which is in [-10,10]) : $pk_b= pk_A * S+ 257 * e \pmod{q}$
-
-In order to make the target small, I did this: $new\_pk_b=pk_b*(p^{-1})\pmod{q},new\_pk_A=pk_A*(p^{-1})\pmod{q}$ Then $|new\_pk_A\cdot S-new\_pk_b|<10$
-
-but the Lattice is too large to be LLL & target is not small enough.
-
-The Lattice is about 1000 dimensions.....XD
-
-I spent 4 hours trying to find something odd.. Finally, I found that every A satisfying this LINEAR RELATIONSHIP: $c_{i} \cdot pk_A = A$ , $pk_A$ is matrix 612*512... 
-
-![](https://i.imgur.com/rbdPS1h.png)
+![](https://i.imgur.com/yIpffoK.png)
 
 **Here comes the key point.**
 
-The last 100 rows can be linearly represented by the former 512 rows in matrix $pk_A$.
-
-$pk_{A,i-1}$ : the i-th row of $pk_A$. $pk_{A,i-1}=pk_{A,i-1},i\in[1,512]$ ; $pk_{A,i-1}=\sum_{j=0}^{511}x_{i,j}\cdot pk_{A,j-1},i\in[513,612]$
-
-So get new expressions of 100 rows of $pk_A$.. $pk_A$ is just 512 components.
-
-New relationship comes out.
-
-$$c\text{fake}_i = k_i+\sum_{j=512}^{611} k_j\cdot x_{i,j}\pmod{q}\Rightarrow -k_i = -c\text{fake}_i+\sum_{j=512}^{611} k_j\cdot x_{i,j}\pmod{q}$$
-
-For real c, $c_i=k_i\in \set{0,-1,1}$ ,I use 100 (maybe 50 is enough) relationships to build Lattice $\mathcal{L}$ (201*201, like knapsack,SIS).
+![](https://i.imgur.com/373pYyo.png)
 
-![](https://i.imgur.com/aOxFjOk.png)
-
-Then we can get the target vector $(k_{512},\dots,k_{611},-1,k_{0},\dots,k_{99})$ . 
-
-Finally, use $(k_{512},\dots,k_{611})$ can compute $(k_{0},\dots,k_{511})$ . So we get the real c.
-
-![](https://i.imgur.com/2Hbwazh.png)
+![](https://i.imgur.com/YeM6SdZ.png)
 
 Haha, decrypt it and get the flag!(but I spent 3 hours debugging this.. T_T....)
 
@@ -1354,22 +1328,7 @@ enc0, enc1 = alice.encrypt(mask)
 
 **OT-csidh:**
 
-$$pub_0=[priv0]base,pub1=[priv1]base,ssi=[-privi]mask$$
-
-$$enc_0=m_0\oplus ss_0,enc_1=m_1\oplus ss_1,flag=m_0\oplus m_1$$
-
-If choose mask=pub0,then 
-
-![](https://i.imgur.com/qbeRDcO.png)
-
-To find something odd, we choose mask == libcsidh.base,
-then ss = apply_iso(clibcsidh.base,-priv),pub = apply_iso(clibcsidh.base,priv)
-
-$$ss = [a]^{-1}\text{base},pub=[a]\text{base}$$
-
-But idk csidh, so try to guess if ss and pub have any algebraic relationship.
-
-Then find $ss=-pub\pmod{p}$.
+![](https://i.imgur.com/5iuhjNY.png)
 
 **Note:** The pub and ss are little-endian storage.
 
