easy_ecc

由于 ECC 需要数论前置知识，这里很难一次讲解清楚，想要学习 ECC 的同学可以先补一下数论知识。但是对于这道题目不没有那么难，看一看下面两篇文章可以了：

涉及加密解密的所有参数都已经给出，flag 只和 $m$ 有关，而 $m$ 的解密只涉及 ECC 的基本解密流程

m = c_{1} - r \cdot K = c_{1} - r \cdot k \cdot G = c 1 - k \cdot c_{2}

这样就得到了 $m$ ， $m$ 是一个点， $x$ 坐标和 $y$ 坐标分别是 m[0] 和 m[1]，flag 前半和后半分别整除 $x$ 和 $y$ ，然后拼接就能得到 flag

EXP：

python

from Crypto.Util.number import *

p = 64408890408990977312449920805352688472706861581336743385477748208693864804529
a = 111430905433526442875199303277188510507615671079377406541731212384727808735043
b = 89198454229925288228295769729512965517404638795380570071386449796440992672131
k = 86388708736702446338970388622357740462258632504448854088010402300997950626097
E = EllipticCurve(GF(p),[a,b])

c1 = E([10968743933204598092696133780775439201414778610710138014434989682840359444219, 50103014985350991132553587845849427708725164924911977563743169106436852927878 ])
c2 = E([16867464324078683910705186791465451317548022113044260821414766837123655851895, 35017929439600128416871870160299373917483006878637442291141472473285240957511 ])
cipher_left = 15994601655318787407246474983001154806876869424718464381078733967623659362582
cipher_right = 3289163848384516328785319206783144958342012136997423465408554351179699716569
m = c1 - k*c2

x=m[0]
y=m[1]

left = cipher_left // x
right = cipher_right // y
print(long_to_bytes(int(left))+long_to_bytes(int(right)))

easy_ecc ​

easy_ecc