Crypto in CTF: Q3 2022

CTF	Challenge Name	Solves (Difficulty)
Google CTF 2022	Cycling 🔥	50/382 (⭐⭐)
Google CTF 2022	Electric Mayhem CLS	70/382 (⭐⭐)
Google CTF 2022	Maybe Someday	35/382 (⭐⭐⭐)
Google CTF 2022	Enigma	9/382 (⭐⭐⭐)
Google CTF 2022	Custom Protocol 🔥	5/382 (⭐⭐⭐)
Google CTF 2022	Electric Mayhem PQC 🔥	3/382 (⭐⭐⭐⭐)
Crypto CTF 2022	Aniely	76/421 (⭐)
Crypto CTF 2022	Watery soup 🔥	15/421 (⭐⭐⭐)
Crypto CTF 2022	Oak land	35/421 (⭐⭐)
Crypto CTF 2022	polyRSA	145/421 (⭐)
Crypto CTF 2022	313 Loyal	17/421 (⭐⭐)
Crypto CTF 2022	Cantilever	60/421 (⭐⭐)
Crypto CTF 2022	Side step	28/421 (⭐⭐)
Crypto CTF 2022	Faonsa	21/421 (⭐⭐)
Crypto CTF 2022	Resign	35/421 (-)
Crypto CTF 2022	DBB	43/421 (⭐⭐)
Crypto CTF 2022	Soda 🔥	17/421 (⭐⭐⭐)
Crypto CTF 2022	Sparse	38/421 (⭐⭐)
Crypto CTF 2022	Fiercest	29/421 (⭐⭐)
Crypto CTF 2022	Persian cat	13/421 (⭐)
Crypto CTF 2022	Keydream	42/421 (⭐⭐)
Crypto CTF 2022	NLCS 🔥	5/421 (⭐⭐⭐)
Crypto CTF 2022	Shaim	15/421 (⭐⭐)
Crypto CTF 2022	Lagima	24/421 (⭐)
Crypto CTF 2022	Starter ECC	43/421 (⭐)
Crypto CTF 2022	Versace	15/421 (⭐⭐)
Crypto CTF 2022	GSDP	24/421 (⭐⭐)
UIUCTF 2022	asr	56/395 (⭐⭐)
UIUCTF 2022	Wringing Rings	44/395 (⭐⭐)
UIUCTF 2022	Elliptic Clock Crypto	27/395 (⭐⭐)
UIUCTF 2022	mom can we have AES	22/395 (⭐⭐)
UIUCTF 2022	That-crete Log	21/395 (⭐⭐)
UIUCTF 2022	Bro-key-n	14/395 (⭐⭐)
corCTF 2022	tadpole	262/978 (⭐)
corCTF 2022	luckyguess	150/978 (⭐⭐)
corCTF 2022	exchanged	94/978 (⭐⭐)
corCTF 2022	hidE	88/978 (⭐⭐)
corCTF 2022	generous	49/978 (⭐⭐)
corCTF 2022	leapfrog	36/978 (⭐⭐)
corCTF 2022	corrupted-curves	20/978 (⭐⭐⭐)
corCTF 2022	threetreasures	19/978 (⭐⭐⭐)
corCTF 2022	corrupted-curves+ 🔥	15/978 (⭐⭐⭐)
corCTF 2022	rlfsr	14/978 (⭐⭐⭐)
corCTF 2022	D3S 🔥	1/978 (⭐⭐⭐⭐)
MapleCTF 2022	brsaby	166/618 (⭐)
MapleCTF 2022	jwt	79/618 (⭐⭐)
MapleCTF 2022	Spiral-baby	57/618 (⭐⭐)
MapleCTF 2022	qotp-real	27/618 (⭐⭐)
MapleCTF 2022	e000p	18/618 (⭐⭐)
MapleCTF 2022	Spiral 🔥	9/618 (⭐⭐⭐)
MapleCTF 2022	clipper chip	2/618 (❓)
BalsnCTF 2022	Yet another RSA with hint	38/584 (⭐⭐)
BalsnCTF 2022	vss 🔥	9/584 (⭐⭐⭐)
BalsnCTF 2022	lfsr 🔥	6/584 (⭐⭐⭐)
DownUnderCTF 2022	baby arx	279/1407 (⭐)
DownUnderCTF 2022	oracle for block cipher	102/1407 (⭐⭐)
DownUnderCTF 2022	cheap ring theory	101/1407 (⭐)
DownUnderCTF 2022	rsa interval oracle i	79/1407 (⭐⭐)
DownUnderCTF 2022	rsa interval oracle ii 🔥	36/1407 (⭐⭐)
DownUnderCTF 2022	rsa interval oracle iii	23/1407 (⭐⭐)
DownUnderCTF 2022	rsa interval oracle iv 🔥	5/1407 (⭐⭐⭐)
DownUnderCTF 2022	time locked	18/1407 (⭐⭐)
DownUnderCTF 2022	faulty arx 🔥	11/1407 (⭐⭐⭐)
DownUnderCTF 2022	1337crypt v3 🔥	2/1407 (⭐⭐⭐)
DownUnderCTF 2022	kyber±	1/1407 (⭐⭐⭐⭐)

Google CTF 2022⌗

Cycling 🔥⌗

Solves: 50/382
Difficulty: ⭐⭐
Tags: rsa
Source: Official Repository

We are given a RSA public key $(n, e)$ and $c_0$, the ciphertext of $m_0$ (the flag). If we denote $(m, c)$ be a message-ciphertext pair, then $c = \text{Enc}(m) := m^e\ \text{mod}\ n$. Given also

$$\text{Enc}^{2^{1025} - 3}(c) := \underbrace{\text{Enc}(\text{Enc}(…\text{Enc}}_{\text{Enc applied}\ 2^{1025}-3\ \text{times}}(c))) = m.$$

The objective is to recover $m_0$.

Electric Mayhem CLS⌗

Solves: 70/382
Difficulty: ⭐⭐
Tags: aes, power analysis
Source: Official Repository

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

Maybe Someday⌗

Solves: 35/382
Difficulty: ⭐⭐⭐
Tags: paillier
Source: Official Repository

We are given a public key of Paillier cryptosystem $(n, g)$, and is asked to complete 16 rounds of challenge $\mathcal{C}$. In each round of $\mathcal{C}$:

The server generates a random $s$, which of two bytes long.
The server $m_0 := \text{SHA512}(s)$.
The server encrypts a PKCSv1.5-padded $m_0$ with the public key $(n, g)$ and sends its ciphertext $c_0$ to the player.
The player sends $c_1, c_2, …, c_{20}$ to the server.
The server checks and tells the player if each of the corresponding $m_i$’s is PKCSv1.5-compliant.
The player sends $\hat{m_0}$ to the server. If $\hat{m_0} = m_0$, the player wins this round.

The objective for the player is to win 16 rounds of $\mathcal{C}$ for the flag.

Enigma⌗

Solves: 9/382
Difficulty: ⭐⭐⭐
Tags: enigma
Source: Official Repository

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

Custom Protocol 🔥⌗

Solves: 5/382
Difficulty: ⭐⭐⭐
Tags: rsa, faulty signature
Source: Official Repository

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

Electric Mayhem PQC 🔥⌗

Solves: 3/382
Difficulty: ⭐⭐⭐⭐
Tags: kyber512, power analysis
Source: Official Repository

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

Crypto CTF 2022⌗

Aniely⌗

Solves: 76/421
Difficulty: ⭐
Tags: implementation
Author: @refactoreal, @y3noor

Define the aniely_encrypt function as below:

def aniely_stream(passphrase):
	def mixer(u, v):
		return ((u << v) & 0xffffffff) | u >> (32 - v)

	def forge(w, a, b, c, d):
		for i in range(2):
			w[a] = (w[a] + w[b]) & 0xffffffff
			w[d] = mixer(w[a] ^ w[d], 16 // (i + 1))
			w[c] = (w[c] + w[d]) & 0xffffffff
			w[b] = mixer(w[b] ^ w[c], (12 + 2*i) // (i + 1))

	bring = [0] * 16
	bring[:4] = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
	bring[4:12] = unpack('<8L', passphrase)
	bring[12] = bring[13] = 0x0
	bring[14:] = [0] * 2

	while True:
		w = list(bring)
		for _ in range(10):
			forge(w, 0x0, 0x4, 0x8, 0xc)
			forge(w, 0x1, 0x5, 0x9, 0xd)
			forge(w, 0x2, 0x6, 0xa, 0xe)
			forge(w, 0x3, 0x7, 0xb, 0xf)
			forge(w, 0x0, 0x5, 0xa, 0xf)
			forge(w, 0x1, 0x6, 0xb, 0xc)
			forge(w, 0x2, 0x7, 0x8, 0xd)
			forge(w, 0x3, 0x4, 0x9, 0xe)
		for c in pack('<16L', *((w[_] + bring[_]) & 0xffffffff for _ in range(16))):
			yield c
		bring[12] = (bring[12] + 1) & 0xffffffff
		if bring[12] == 0:
			bring[13] = (bring[13] + 1) & 0xffffffff

def aniely_encrypt(msg, passphrase):
	if len(passphrase) < 32:
		passphrase = (passphrase * (32 // len(passphrase) + 1))[:32]
	rand = urandom(2) * 16
	return bytes(a ^ b ^ c for a, b, c in zip(msg, aniely_stream(passphrase), rand))

We are given $\text{key} = \text{passphrase} \oplus \text{flag}$ and $c = \text{AnielyEncrypt}(\text{passphrase}, \text{key})$. The goal is to recover $\text{flag}$.

Watery soup 🔥⌗

Solves: 15/421
Difficulty: ⭐⭐⭐
Tags: math
Author: @refactoreal, @y3noor

The server has a secret $f \in [2^{256}, 2^{511})$. We can send many pairs of $(p, g)$ ($p \in [2^{127}, 2^{224})$ being a prime and $g \in [2^{64}, 2^{127})$) and obtain $r$, with

$$r = [(g^3f)^{f-g} \cdot f + f^2 + g]\ \text{mod}\ p.$$

The goal is to recover $f$ (the flag).

Oak land⌗

Solves: 35/421
Difficulty: ⭐⭐
Tags: math, dlog
Author: @refactoreal, @y3noor

We are given $p$, $e$, $f$, $g$ and $c$ as below:

p = 7389313481223384214994762619823300589978423075857540712007981373887018860174846208000957230283669342186460652521580595183523706412588695116906905718440770776239313669678685198683933547601793742596023475603667
e = 31337
f = 7236042467316654159796543399639966340258093274047941788600980451877044636122969830708918356119442228154447395855689559447196348683125675305629837437591088260218138895919514078948650757100432223219969122629790
g = 1878626136321051642174045874618248475160620873585704351202865003185878331837410979441756843820270907300810543618813757245154196050399357659526631164136221434463496532263979506870318259276669412698827040743576
c = 871346503375040565701864845493751233877009611275883500035764036792906970084258238763963152627486758242101207127598485219754255161617890137664012548226251138485059295263306930653899766537171223837761341914356

We are also given the relation

$$c \equiv 110 e^x + 313 f^x + 114 g^x\ (\text{mod}\ p).$$

The goal is to find $x$.

polyRSA⌗

Solves: 145/421
Difficulty: ⭐
Tags: rsa
Author: @refactoreal, @y3noor

We are given the RSA public key $(n, e = 31337)$ and the encrypted flag $c$:

n = 44538727182858207226040251762322467288176239968967952269350336889655421753182750730773886813281253762528207970314694060562016861614492626112150259048393048617529867598499261392152098087985858905944606287003243
c = 37578889436345667053409195986387874079577521081198523844555524501835825138236698001996990844798291201187483119265306641889824719989940722147655181198458261772053545832559971159703922610578530282146835945192532

Given that the primes for the modulus, $p, q$, are given by

$$\left\{ \begin{aligned} p &= k^6 + 7k^4 - 40k^3 + 12k^2 - 114k + 31377 \\ q &= k^5 - 8k^4 + 19k^3 - 313k^2 - 14k + 14011 \end{aligned} \right. $$

313 Loyal⌗

Solves: 17/421
Difficulty: ⭐⭐
Tags: paillier
Author: @refactoreal, @y3noor

When connected to the server, $x_1, x_2, …, x_k$ are generated such that

$x_1 < x_2 < … < x_k$, and
$x_i = 2^{10} r_i + f_i$ for $i = 1, 2, …, k$ where $r_i \in [2, 2^{64})$ is random and $f_i$ is the $i$-th character of the flag.

We can send multiple pairs of $(n, g, p)$ with $n \geq 2^{256}$, $g \in \mathbb{Z}$ and $p(x) = \sum p_i x^i$ being a polynomial, and the server will return a shuffled list of $(c_1, c_2, …, c_k)$, where

$$c_i := \left(\prod {p_i}^{x^i}\right)^{s_i} g^m \cdot r^n\ \text{mod}\ n^2$$

with $s_i \in [2, n)$ being random. The objective is to recover the flag $(f_1, f_2, …, f_k)$.

Cantilever⌗

Solves: 60/421
Difficulty: ⭐⭐
Tags: rsa, dlog
Author: @refactoreal, @y3noor

We are given a RSA public key $(n, e = 65537)$ and $c_1, c_2$ defined below.

n = 7069789930583271525053215046247773438899869283661158227309691853515987055334306019600324056376312479212090202373516405860759222837585952590589336295698718699890424169542280710721069784487366121478569760563045886361884895363592898476736269784284754788133722060718026577238640218755539268465317292713320841554802703379684173485217045274942603346947299152498798736808975912326592689302969859834957202716983626393365387411319175917999258829839695189774082810459527737342402920881184864625678296442001837072332161966439361793009893108796934406114288057583563496587655548536011677451960307597573257032154009427010069578913
c1 = 488692928085934899944055554857568564903346089951134051486941368561567330884363274156339625953702601270565654444836193796061118053575538224794730472032345171432952984560662218697488844007827176184413713651118743456250147472678673801728916283759932987216388378211555067885210167894310696549664382751443669387953644382833924884208966436685137553434532738845959014828804809425096115758364136546390809453200055265653531950423111482644330073443545410319576097902472017235065047191133112557289289189187696092145850680765843608118584107829268136014912479701945735063525799796920293418182776436767911172221104640501952880057
c2 = 109770827223661560471527567179288748906402603483328748683689436879660543465776899146036833470531024202351087008847594392666852763100570391337823820240726499421306887565697452868723849092658743267256316770223643723095601213088336064635680075206929620159782416078143076506249031972043819429093074684182845530529249907297736582589125917235222921623698038868900282049587768700860009877737045693722732170123306528145661683416808514556360429554775212088169626620488741903267154641722293484797745665402402381445609873333905772582972140944493849645600529147490903067975300304532955461710562911203871840101407995813072692212

Additionally, the prime factors of $n$, namely $p$ and $q$, are given by

$$p = 2 r_1 r_2 … r_u + 1\ \text{and}\ q = 2 s_1 s_2 … s_v + 1,$$

where $r_1, …, r_u, s_1, …, s_v$ are all primes (less than $2^{20}$). Also, $c_1$ and $c_2$ are given by

$$\left\{\begin{aligned} c_1 &= {m_1}^e\ \text{mod}\ n \\ c_2 &= e^{m_2}\ \text{mod}\ n \end{aligned}\right.,$$

where $m_1$ and $m_2$ are two parts of the flag. The goal is to recover $m_1$ and $m_2$.

Side step⌗

Solves: 28/421
Difficulty: ⭐⭐
Tags: side channel
Author: @refactoreal, @y3noor

Let $p = 2^{1024} - 2^{234} - 2^{267} - 2^{291} - 2^{403} - 1$.

When connected to the server, a secret $s \in [2, (p-1)/2]$ is randomly generated and is kept secret. We can send quadratic residues $g$ to the server and it returns the value of pow_d(g, s, p) defined below:

def pow_d(g, e, n):
	t, r = 0, 1
	for _ in bin(e)[2:]:
		if r == 4: t += 1
		r = pow(r, 2, n)
		if _ == '1': r = r * g % n
	return t, r

The objective is to send $g$ to the server such that $g^s\ \text{mod}\ p = 4$.

Faonsa⌗

Solves: 21/421
Difficulty: ⭐⭐
Tags: elgamal, fault attack
Author: @refactoreal, @y3noor

Note. This challenge is known having an unintended solution. That said, the number of solves may not reflect the actual difficulty.

When connected to the server, a 256-bit safe prime $p$ (i.e., $p = 2q+1$ where $q$ is also a prime), a primitive root $g \in \mathbb{Z}_p$ and a random $x \in [2, p/2)$ are generated. Define also $y = g^x\ \text{mod}\ p$.

We are given $(p, g, y)$ (ElGamal public key). Denote $P = p$ and $Y = y$. We can perform the three operations:

[Apply Fault] Flip up to 30 bits of $p$ and make it the new $P$. Set $Y = g^x\ \text{mod}\ P$.
[Sign] Sign an arbitrary message $m\ (\neq m_0)$ with the ElGamal key $x, (P, g, Y)$.
[Verify] Verify the signature $(m, s)$ using the public key $(P, g, Y)$. Additionally, if the signature is valid and $m = m_0$, the server will also send the flag.

The goal is to obtain the flag using the verify operation.

Resign⌗

Solves: 35/421
Difficulty: -
Tags: rsa
Author: @refactoreal, @y3noor

We are given a message $m$ and a signature $s$. The objective is to generate a RSA key such that the $s$ is a signature of the message $m$.

DBB⌗

Solves: 43/421
Difficulty: ⭐⭐
Tags: ecc
Author: @refactoreal, @y3noor

Let $P$ and $Q$ be points over elliptic curve $\mathcal{C}$, with $Q = m \cdot P$ ($m < n$) and

$$\mathcal{C}: y^2 \equiv x^3 + ax + b\ (\text{mod}\ n).$$

We are given $n$, $P_x$, $Q_x$ and $Q_y$. The goal is to find $m$.

n = 34251514713797768233812437040287772542697202020425182292607025836827373815449
Px = 7331
Qx = 10680461779722115247262931380341483368049926186118123639977587326958923276962
Qy = 4003189979292111789806553325182843073711756529590890801151565205419771496727

Soda 🔥⌗

Solves: 17/421
Difficulty: ⭐⭐⭐
Tags: rsa, math
Author: @refactoreal, @y3noor

Note. This challenge is known having an unintended solution. That said, the number of solves may not reflect the actual difficulty.

A pair secret $p, q$ is determined and used for all remote connections. We are given $n = pq$, $g = 31337$ and $m_0 \approx 2^{159}$. We can also send $s\ (\neq m_0)$ to the server and it computes soda(g, p, q, s), defined below:

def soda(g, p, q, m):
	n, phi = p * q, (p - 1) * (q - 1)
	if isPrime(m) and m.bit_length() <= 128:
		e = m
	else:
		e = 2 * (pow(g, m**2, n) % 2**152) ^ 1
	if GCD(e, phi) == 1:
		d = inverse(e, phi)
		return pow(g, d, n)

The objective is to find $s$ such that $s^e\ \text{mod}\ n = g$, where e = 2 * (pow(g, m0**2, n) % 2**152) ^ 1.

Sparse⌗

Solves: 38/421
Difficulty: ⭐⭐
Tags: rsa, math
Author: @refactoreal, @y3noor

Let $p$ and $q$ be the two 417-bit prime factors of the RSA public modulus $n$ such that

$$q = p + \sum_{i=1}^5 r_i \cdot 2^{b_i},$$

where $r_i \in \{-1, 0, 1\}$ and $b_i \in \{3, …, 413\}$ for $i = 1, 2, 3, 4, 5$. We are given the RSA public key $(n, e = 65537)$ and the ciphertext $c$ (encrypted by the RSA key). The objective is to decrypt $c$ for the flag.

Fiercest⌗

Solves: 29/421
Difficulty: ⭐⭐
Tags: rsa, fault attack
Author: @refactoreal, @y3noor

Note. This challenge is known having an unintended solution. That said, the number of solves may not reflect the actual difficulty.

When connected to the server, a 1024-bit RSA modulus $n$ is generated. We are given $n, e = 65537$ as the RSA public key. Denote $N = n$. We can perform the two operations:

[Apply Fault] Flip up to 2 bits of $n$ and set it as the new $N$.
[Verify] Verify the signature $(m, s)$ using the public key $(N, e)$. Additionally, if the signature is valid and $m = m_0$, the server will also send the flag.

The goal is to obtain the flag using the verify operation.

Persian cat⌗

Solves: 13/421
Difficulty: ⭐
Tags: block cipher, custom cipher
Author: @refactoreal, @y3noor

Note. This challenge is known having an unintended solution. That said, the number of solves may not reflect the actual difficulty.

The challenge implements a custom cipher (code below). The server keeps a secret key (namely skey) and we are allowed to send m (needs to be ASCII-printable). We will obtain encrypt(m + flag, skey).

The objective is to recover flag.

python Persian cat cipher


Omega = [
		0x4e, 0x96, 0xfd, 0x7d, 0x8d, 0xf6, 0xdb, 0x33, 0x1e, 0x16, 0x9b, 0x6a, 0xe2, 0xc9, 0xa9, 0xe0, 
		0x34, 0xe6, 0x86, 0xd6, 0x52, 0x02, 0x25, 0x1f, 0x23, 0xdf, 0xd5, 0x12, 0x45, 0x6b, 0x6f, 0x4d, 
		0x31, 0x77, 0x09, 0xbf, 0x93, 0xca, 0x4b, 0xef, 0xee, 0x7c, 0x53, 0x1a, 0xc8, 0xea, 0x9d, 0xda, 
		0x32, 0xa4, 0x11, 0x7b, 0xd8, 0x3f, 0x13, 0x57, 0x75, 0xcb, 0x37, 0x9a, 0x83, 0xa5, 0x3e, 0xd3, 
		0x4a, 0x1d, 0x29, 0xb9, 0x18, 0x27, 0x2d, 0x0f, 0x15, 0x0d, 0x66, 0xae, 0xf5, 0xfa, 0x08, 0x9f, 
		0xc6, 0x55, 0xa0, 0xb7, 0x28, 0x0e, 0xf4, 0x01, 0x04, 0x46, 0xf9, 0x39, 0xe3, 0x7f, 0x5e, 0x61, 
		0x40, 0x26, 0xec, 0xb6, 0x14, 0xf0, 0x59, 0x50, 0xcf, 0x3a, 0x8b, 0x43, 0xaf, 0x10, 0xe5, 0xe8, 
		0x03, 0xbd, 0x51, 0xa7, 0x1c, 0x8e, 0x7a, 0x98, 0x3c, 0xeb, 0xac, 0x54, 0x84, 0xf7, 0x62, 0x88, 
		0x64, 0xa8, 0xbb, 0xab, 0xe1, 0x95, 0x94, 0x41, 0x2a, 0x60, 0x30, 0xcc, 0x48, 0xd2, 0x89, 0xb2, 
		0x65, 0x76, 0x0a, 0xb8, 0x56, 0x4f, 0xc3, 0x87, 0xdd, 0x4c, 0xc2, 0xd4, 0x82, 0x35, 0x90, 0xa2, 
		0x5f, 0xad, 0x19, 0x74, 0x73, 0xd0, 0x24, 0x69, 0x20, 0x07, 0xdc, 0x1b, 0x44, 0x58, 0xff, 0x5a, 
		0x6c, 0xf2, 0xfb, 0x8c, 0x79, 0x97, 0xa6, 0x22, 0xb4, 0x7e, 0x5b, 0x17, 0x2f, 0x91, 0x71, 0xfe, 
		0x38, 0xa3, 0x05, 0xb1, 0xba, 0x99, 0xd9, 0xf1, 0x21, 0x5c, 0x67, 0x6d, 0xde, 0xaa, 0xc7, 0x8f, 
		0x81, 0x0b, 0xb0, 0xbc, 0x0c, 0xcd, 0x63, 0xc1, 0xfc, 0xc0, 0x42, 0x78, 0xc5, 0x8a, 0x06, 0x3d, 
		0x2e, 0x9e, 0xa1, 0x80, 0xb3, 0xf8, 0xe9, 0x68, 0xd1, 0x36, 0x70, 0x49, 0xc4, 0xd7, 0x2c, 0x6e, 
		0xe7, 0xb5, 0xbe, 0x92, 0xce, 0xed, 0xf3, 0x9c, 0xe4, 0x3b, 0x47, 0x2b, 0x85, 0x5d, 0x72, 0x01
		]

def padding(msg):
	if len(msg) % 32 != 0:
		extra = '*' * (32 - len(msg) % 32)
		return msg + extra
	else:
		return msg

def keygen(u, v):
	return [a ^ b for a, b in zip(u, v)][:20]

def roadrunner(table, roadrunner_wile, lili, lilibeth, omega):
	for z in range(16):
		roadrunner_wile[z] = (((omega[table[lili[z][0]]] | omega[table[lili[z][1]]]) +
			(omega[table[lili[z][2]]] | omega[table[lili[z][3]]])) ^ ((omega[table[lili[z][4]]] +
			omega[table[lili[z][5]]]) + (omega[table[lili[z][6]]] ^ omega[table[lili[z][7]]]))) % 256
		roadrunner_wile[z] = (roadrunner_wile[z] + (((~omega[table[lili[z][8]]] ^ omega[table[lili[z][9]]]) +
			(omega[table[lili[z][10]]] & ~omega[table[lili[z][11]]])) ^ ((omega[table[lili[z][12]]] ^ 
			~omega[table[lili[z][13]]]) + (omega[table[lili[z][14]]] ^ omega[table[lili[z][15]]])))) % 256
		roadrunner_wile[z] = (roadrunner_wile[z] + lilibeth[roadrunner_wile[z]] + lilibeth[z]) % 256
	return roadrunner_wile

def roadrunner_init(table, roadrunner_wile, lili, lilibeth, omega):
	SBOX = [
		[10, 11, 4, 5, 15, 0, 2, 3, 1, 9, 14, 6, 7, 12, 8, 13], 
		[1, 11, 13, 2, 0, 7, 3, 8, 14, 4, 6, 15, 5, 10, 12, 9], 
		[1, 9, 0, 4, 11, 5, 2, 8, 15, 7, 3, 6, 10, 14, 13, 12], 
		[5, 0, 9, 8, 3, 10, 12, 4, 1, 6, 7, 11, 15, 14, 2, 13], 
		[10, 6, 13, 3, 2, 11, 12, 14, 5, 9, 4, 1, 0, 8, 15, 7], 
		[15, 6, 1, 10, 7, 13, 14, 8, 3, 12, 0, 5, 2, 9, 4, 11], 
		[13, 7, 9, 5, 14, 12, 8, 15, 6, 0, 10, 4, 3, 11, 2, 1], 
		[13, 15, 8, 10, 6, 11, 9, 7, 12, 2, 3, 4, 14, 0, 5, 1], 
		[11, 3, 14, 7, 4, 8, 12, 2, 13, 0, 6, 1, 9, 10, 5, 15], 
		[2, 3, 14, 9, 11, 5, 15, 0, 4, 7, 1, 6, 12, 13, 8, 10], 
		[13, 3, 14, 1, 10, 0, 6, 5, 7, 2, 4, 9, 12, 8, 11, 15], 
		[15, 7, 4, 12, 14, 2, 9, 6, 3, 1, 13, 5, 0, 8, 11, 10], 
		[10, 7, 5, 14, 6, 2, 15, 1, 8, 11, 12, 9, 0, 3, 4, 13], 
		[1, 5, 0, 4, 6, 9, 11, 12, 3, 14, 7, 2, 15, 8, 13, 10], 
		[14, 9, 11, 2, 10, 4, 3, 0, 5, 8, 6, 15, 1, 12, 13, 7], 
		[11, 13, 6, 2, 0, 9, 3, 12, 1, 8, 7, 15, 4, 5, 10, 14]
		]
	for z in range(16):
		roadrunner_wile[z] = (((omega[table[SBOX[z][0]]] | omega[table[SBOX[z][1]]]) +
			(omega[table[SBOX[z][2]]] | omega[table[SBOX[z][3]]])) ^ ((omega[table[SBOX[z][4]]] +
			omega[table[SBOX[z][5]]]) + ( omega[table[SBOX[z][6]]] ^ omega[table[SBOX[z][7]]]))) % 256
		roadrunner_wile[z] = (roadrunner_wile[z] + (((~omega[table[SBOX[z][8]]] ^ omega[table[SBOX[z][9]]]) + 
			(omega[table[SBOX[z][10]]] & ~omega[table[SBOX[z][11]]])) ^ ((omega[table[SBOX[z][12]]] ^ 
			~omega[table[SBOX[z][13]]]) + (omega[table[SBOX[z][14]]] ^ omega[table[SBOX[z][15]]])))) % 256
	return roadrunner_wile

def circle_it_out(msg, ruler, roadrunner_wile, lili, lilibeth, enc, l, r, omega):
	for i in range(16):
		l[0][i] = msg[i]
		r[0][i] = msg[i+16]
	for i in range(1, ruler):
		roadrunner_wile = roadrunner(r[i-1], roadrunner_wile, lili, lilibeth, omega)
		for y in range(16):
			l[i][y] = r[i-1][y]
			r[i][y] = (l[i-1][y] ^ roadrunner_wile[y])%256
	for i in range(16):
		enc[i+16] = l[ruler-1][i]%256
		enc[i] = r[ruler-1][i]%256
	return roadrunner_wile, enc, l, r

def circle_it_out_init(msg, ruler, roadrunner_wile, lili, lilibeth, enc, l, r, omega):
	for i in range(16):
		l[0][i] = msg[i]
		r[0][i] = msg[i+16]
	for i in range(1,ruler):
		roadrunner_wile = roadrunner_init(r[i-1], roadrunner_wile, lili, lilibeth, omega)
		for y in range(16):
			l[i][y] = r[i-1][y]
			r[i][y] = (l[i-1][y] ^ roadrunner_wile[y])%256
	for i in range(16):
		enc[i] = l[ruler-1][i]%256
		enc[i+16] = r[ruler-1][i]%256
	return roadrunner_wile, enc, l, r

def persian_init(key, roadrunner_wile, lili, lilibeth, enc, l, r, omega, Omega):
	stkey = [88, 20, 64, 181, 251, 167, 69, 243, 205, 166, 110, 65, 90, 176, 229, 46, 206, 104, 15, 19, 49, 101, 3, 223, 221, 231, 232, 43, 62, 193, 80, 228]
	for compt in range(256):
		omega[compt] = (Omega[compt]^key[compt%20]) % 256
	for w in range(4):
		roadrunner_wile, enc, l, r = circle_it_out_init(stkey, 32, roadrunner_wile, lili, lilibeth, enc, l, r, omega);
		for compt in range(256):
			omega[compt] = (omega[compt]^enc[compt%32])%256
		for compt in range(32):
			stkey[compt] = enc[compt]
	for compt in range(16):
		err = 0
		ix = 0
		while ix < 16:
			roadrunner_wile, enc, l, r = circle_it_out_init(enc, 4, roadrunner_wile, lili, lilibeth, enc, l, r, omega)
			x = 0
			while x < ix:
				if lili[compt][x] == (enc[7]%16):
					x = ix
					err = 1
					roadrunner_wile, enc, l, r = circle_it_out_init(enc, 4, roadrunner_wile, lili, lilibeth, enc, l, r, omega)
				else: x += 1
			if err == 0: lili[compt][ix] = enc[7]%16
			else:
				err = 0;
				ix = ix-1;
			ix += 1
	err = 0 
	ix = 0
	while ix < 256:
		roadrunner_wile, enc, l, r = circle_it_out_init(enc, 4, roadrunner_wile, lili, lilibeth, enc, l, r, omega)
		x = 0
		while x < ix:
			if lilibeth[x] == ( enc[7]%256):
				x  = ix 
				err = 1
				roadrunner_wile, enc, l, r = circle_it_out_init(enc, 4, roadrunner_wile, lili, lilibeth, enc, l, r, omega)
			else:	
				x += 1
		if err == 0: lilibeth[ix]=enc[7]%256
		else:
			err = 0;
			ix = ix-1;
		ix += 1
	for compt in range(256):
		omega[compt] = (omega[compt] ^ key[compt%20])%256	
	for w in range(4):
		roadrunner_wile, enc, l, r = circle_it_out_init(stkey, 32, roadrunner_wile, lili, lilibeth, enc, l, r, omega)
		for compt in range(256):
			omega[compt] = (omega[compt] ^ enc[compt%32])%256
		for compt in range(32):
			stkey[compt] = enc[compt]
	return roadrunner_wile, lili, lilibeth, enc, l, r, omega

def encrypt_iginition(msg, key):
	roadrunner_wile = [0 for x in range(16)]
	lili = [[0 for x in range(16)] for y in range(256)] 
	lilibeth, omega = [[0 for x in range(256)] for _ in '01']
	enc = [0 for x in range(32)]
	l, r = [[[0 for x in range(16)] for y in range(32)] for _ in '01'] 
	roadrunner_wile, lili, lilibeth, enc, l, r, omega = persian_init(key, roadrunner_wile, lili, lilibeth, enc, l, r, omega, Omega)
	roadrunner_wile, enc, l, r = circle_it_out(msg, 6, roadrunner_wile, lili, lilibeth, enc, l, r, omega)
	return enc

def encrypt(msg, key):
	msg = padding(msg)
	blocks = [msg[i*32:i*32+32] for i in range(len(msg) // 32)]
	ciphers = []
	enc = encrypt_iginition([ord(item) for item in blocks[0]], key)
	ciphers.append(enc)
	for i in range(len(blocks)-1):
		enc = encrypt_iginition([ord(item) for item in blocks[i+1]], keygen([ord(item) for item in blocks[i]], ciphers[i]))
		ciphers.append(enc)
	return "".join("".join(str(format(i, "02x")) for i in item) for item in ciphers)

Keydream⌗

Solves: 42/421
Difficulty: ⭐⭐
Tags: rsa
Author: @refactoreal, @y3noor

Let $p$ and $q$ be two primes such that

rstr = 'CCTF{it_is_fake_flag_' + randstr(27) + '_90OD_luCk___!!}'
p = bytes_to_long(rstr.encode('utf-8'))
q = bytes_to_long(rstr[::-1].encode('utf-8'))

Let $(n = p \cdot q, e = 65537)$ be the public key and $c$ being the encrypted flag. The goal is to recover $m$ (the flag).

n = 23087202318856030774680571525957068827041569782431397956837104908189620961469336659300387982516148407611623358654041246574100274275974799587138270853364165853708786079644741407579091918180874935364024818882648063256767259283714592098555858095373381673229188828791636142379379969143042636324982275996627729079
c = 3621516728616736303019716820373078604485184090642291670706733720518953475684497936351864366709813094154736213978864841551795776449242009307288704109630747654430068522939150168228783644831299534766861590666590062361030323441362406214182358585821009335369275098938212859113101297279381840308568293108965668609

NLCS 🔥⌗

Solves: 5/421
Difficulty: ⭐⭐⭐
Tags: lfsr
Author: @refactoreal, @y3noor

Let $s_0, s_1, …, s_{65535}$ be the first $65536$ output bits of the LFSR system using an irreducible polynomial $f(x) = x^{64} + x^{33} + x^{30} + … \in \mathbb{F}_2[x]$ and the initial state $s_0, s_1, …, s_{63}$, derived from the flag. We are given the values of

$$\begin{aligned} t_i := (s_i &+ s_{i + 12} + s_{i + 62} + s_{i + 18} + s_{i + 36}) \\ &+ (s_{i + 2}s_{i + 8} + s_{i + 34}s_{i + 20} + s_{i + 27}s_{i + 60} + s_{i + 31}s_{i + 34} \\ &+ s_{i + 63}s_{i + 48} + s_{i + 50}s_{i + 15} + s_{i + 25}s_{i + 49} + s_{i + 49}s_{i + 7}) \\ &+ (s_{i + 13}s_{i + 61}s_{i + 10} + s_{i + 32}s_{i + 37}s_{i + 29} + s_{i + 9}s_{i + 6}s_{i + 42} \\ &+ s_{i + 59}s_{i + 26}s_{i + 55} + s_{i + 42}s_{i + 41}s_{i + 29} + s_{i + 58}s_{i + 21}s_{i + 24}) \end{aligned}$$

for every $i\in [0, 65536 - 64]$, the goal is to recover $s_0, s_1, \ldots, s_{63}$.

Credits: @grhkm21 for the challenge summary.

Shaim⌗

Solves: 15/421
Difficulty: ⭐⭐
Tags: hash
Author: @refactoreal, @y3noor

Define the shaim algorithm be the below. We are given a printable message $m_0$ (which has length between 40 and 71). The objective is to find a message $m$ such that shaim(m) == shaim(m0).

def shaim(msg):
	SBOX = [
		0xbe, 0xc5, 0x0f, 0x83, 0xb2, 0x77, 0xa8, 0x40, 0x4c, 0x53, 0x65, 0xd6, 0x27, 0xa7, 0x7c, 0x48, 
		0x1a, 0x60, 0x30, 0x17, 0xf3, 0x80, 0x04, 0x74, 0xd2, 0x5a, 0x2c, 0x8e, 0xa0, 0x32, 0x38, 0xcb, 
		0xe5, 0x4d, 0x19, 0x8f, 0xd9, 0x6d, 0x86, 0x58, 0xfc, 0xfa, 0xba, 0xdd, 0xc7, 0x57, 0xc1, 0x1c, 
		0x6a, 0x0c, 0x7b, 0x4b, 0xc8, 0x52, 0x54, 0x82, 0x47, 0x5d, 0xc9, 0xe8, 0x6b, 0xdb, 0x5e, 0x08,
		0xfb, 0x8d, 0x0e, 0x43, 0x37, 0x39, 0x50, 0x91, 0x7e, 0xf4, 0xe7, 0x35, 0xb8, 0x88, 0x20, 0x8b, 
		0x90, 0xe9, 0xee, 0xd5, 0xd3, 0xc3, 0xff, 0xa9, 0xae, 0x64, 0xf5, 0xac, 0x11, 0x4a, 0x76, 0x06, 
		0x18, 0x8a, 0xa3, 0xec, 0x56, 0x94, 0xdf, 0x42, 0x00, 0x22, 0xda, 0x6c, 0xb1, 0x12, 0xf2, 0xfe, 
		0xbf, 0x21, 0x1b, 0x4e, 0x9f, 0x97, 0xa6, 0x2b, 0x0b, 0xd4, 0x93, 0xc6, 0x03, 0x71, 0x14, 0x7a, 
		0x02, 0x0a, 0xc4, 0xdc, 0x36, 0x96, 0xd0, 0x09, 0x33, 0x26, 0xbc, 0x1d, 0xb6, 0xde, 0xe6, 0xe3, 
		0xeb, 0x28, 0x8c, 0x24, 0x99, 0x3f, 0xc0, 0x6f, 0xa2, 0xc2, 0xfd, 0x3c, 0x2d, 0x15, 0xf6, 0xad, 
		0x2f, 0xbd, 0x67, 0x05, 0x68, 0xa1, 0x69, 0x13, 0xca, 0x9d, 0x3a, 0x01, 0x63, 0xd7, 0x75, 0x07, 
		0x59, 0xb9, 0x46, 0xf8, 0xcd, 0x5c, 0x70, 0x95, 0xf9, 0x16, 0x45, 0xd1, 0x98, 0x79, 0x9c, 0x81, 
		0x44, 0x62, 0x6e, 0xb4, 0x34, 0xce, 0x84, 0xab, 0x29, 0x1e, 0x2a, 0x9b, 0xe2, 0x25, 0xb5, 0x87, 
		0x23, 0x3d, 0x5f, 0xaa, 0xf7, 0x9e, 0xed, 0xb3, 0xe1, 0x72, 0x7d, 0x3b, 0xb7, 0x0d, 0x51, 0x9a, 
		0x4f, 0x55, 0xf1, 0xf0, 0xe0, 0x31, 0x7f, 0xbb, 0x89, 0x5b, 0xe4, 0x78, 0x73, 0xef, 0xea, 0x92, 
		0x61, 0x41, 0x1f, 0xcc, 0xb0, 0x49, 0x85, 0x3e, 0x66, 0xaf, 0xd8, 0x2e, 0xa5, 0x10, 0xa4, 0xcf
		]
	nbit, hmsg = 64, msg.hex()
	hmsg += 'f' + hex(len(msg.hex())*4)[2:]
	hmsg += (nbit - (4*len(hmsg) % nbit)) // 4 * 'f'
	H, SBOX_M  = [], ''
	for i in range (0, len(hmsg) - 1, 2):
		tmp = hex(SBOX[int(hmsg[i:i+2], 16)])[2:]
		tmp = '0' + tmp if len(tmp) % 2 else tmp
		SBOX_M += tmp
	hmsg = SBOX_M  
	l = nbit // 4     
	H.append((int(hmsg[0:l], 16)))
	for i in range(1, len(hmsg) // l):
		plain = long_to_bytes(int(hmsg[i*l:(i+1)*l], 16))
		key = long_to_bytes(H[i-1])
		_DES = DES.new(key = key, mode = DES.MODE_OFB, IV = key)
		H.append(bytes_to_long(_DES.encrypt(plain)) ^ bytes_to_long(key))
	dgst = sha256(long_to_bytes(H[-1])).hexdigest()
	return dgst

Lagima⌗

Solves: 24/421
Difficulty: ⭐
Tags: math
Author: @refactoreal, @y3noor

Let $n = 313$ and $s$ be a secret integer. We are given $n$ permutations of $[1, n]$, say $p_1, \ldots, p_n \in S_n$, as well as $p_1^s, \ldots, p_n^s$ (i.e., $p_1, p_2, …, p_n$ applied $s$ times). The goal is to recover $s$.

Credits: @grhkm21 for the challenge summary.

Starter ECC⌗

Solves: 43/421
Difficulty: ⭐
Tags: ecc, math
Author: @refactoreal, @y3noor

We are given $n, a, b, x$. The objective is to find $y$ such that $y^2 \equiv x^3 + ax + b\mod n$.

x = 10715086071862673209484250490600018105614048117055336074437503883703510511249361224931983788156958581275946729175531468251871452856923140435984577574698574803934567774824230985421074605062371141877954182153046477020617917601884853827611232355455223966039590143622792803800879186033924150173912925208583
a = 31337
b = 66826418568487077181425396984743905464189470072466833884636947306507380342362386488703702812673327367379386970252278963682939080502468506452884260534949120967338532068983307061363686987539408216644249718950365322078643067666802845720939111758309026343239779555536517718292754561631504560989926785152983649035
n = 117224988229627436482659673624324558461989737163733991529810987781450160688540001366778824245275287757373389887319739241684244545745583212512813949172078079042775825145312900017512660931667853567060810331541927568102860039898116182248597291899498790518105909390331098630690977858767670061026931938152924839936

Credits: @grhkm21 for the challenge summary.

Versace⌗

Solves: 15/421
Difficulty: ⭐⭐
Tags: dlog
Author: @refactoreal, @y3noor

Define a custom asymmetric cipher, where the below are the keygen and the encrypt functions:

def keygen(n):
	e = 65537
	x, y = [getRandomRange(2, n - 2) for _ in '01']
	fi = pow(5, x, n)
	th = pow(13, y, n)
	return (n, e, fi, th)

def encrypt(m, pubkey):
	n, e, fi, th = pubkey
	k, u, v = [getRandomRange(2, n - 2) for _ in '012']
	c_1 = pow(k, e, n)
	c_2 = pow(5, u, n)
	c_3 = pow(13, v, n)
	c_4 = pow(fi, u, n) * pow(th, v, n) * pow(k + 1, e, n) * m % n
	return c_1, c_2, c_3, c_4

Given $n$ and a set of output from pubkey = keygen(n) and enc = encrypt(msg, pubkey). The objective is to find msg.

n = 141886649864474336567180245736091175577519141092893110664440298696325928109107819365023509727482657156444454196974621121317731892910779276975799862237645015028934626195549529415068518701179353407407170273107294065819774663163018151369555922179926003735413019069305586784817562889650637936781439564028325920769
pubkey = (141886649864474336567180245736091175577519141092893110664440298696325928109107819365023509727482657156444454196974621121317731892910779276975799862237645015028934626195549529415068518701179353407407170273107294065819774663163018151369555922179926003735413019069305586784817562889650637936781439564028325920769, 65537, 125494383162828289973475117066203219587304356806057400173045477137700391356840397636206107925460433939119412469184723408274805651096828270461235114589209044543108910295997506041345432448035371092981112305692014036117962906342882215492784319467728201344342591126197621795974549431806828947671232171059809967991, 138257736445723754207239869344459794807808248188757696052272858978544083465381926995900887162870612185045399616892685750962667762789508194359878372465943702647287813020223160406789982302692329883577043521781397505345137392777694159916452699296748509096494301465498192136911589776144421856343483031920756519249)
enc = (88920444409754899592335110119456825172544580816901497880270628553955508488170483498726344301421934007876515783471747430111559265733377611608113080609941423596790625452564403457107243481310552344096683637970851198148957553062631972064855184560312748315536290880767375156429548232884895308088306625307674645678, 45539956581550314230977168288877082058214432324397034618326297663129864608739856352261029083496409133620455599376139981575342903237304167908534019438874239934645347320209162850653298515960349717851268830205737252263548268549179642907155075129172651815656517165432021020317138111104384072600486843574535899860, 69849817078368866947686316374564245958824276178721440086311727765763093314086243149277327430285562537315291446874425715021031882041090977200029684675392021083309757246079110723453995717856469919242618068208424495615283285085190255592463862108516827540775850882615540406750734639040903336048095547788528187976, 20285007564778647051596518902857046010716548094264173639037549746086538656814534621919993169453446815272789643882592631536755194356753848872566348635207131520597253599540337542405837637606323276917410384296602682043902830628022440639028040137219164743287397377174047728489836106561656239657061612908104843401)

Credits: @grhkm21 for the challenge summary.

GSDP⌗

Solves: 24/421
Difficulty: ⭐⭐
Tags: math
Author: @refactoreal, @y3noor

Let $R, S \in M_{5, 5}(\mathbb{Z}_n)$ be random matrices. We are given $n, R, S, Y, C_1$ and $C_2$:

n = 20474248118672564431085568112167867588651829
r = [ 2168977325369444782802512809005167009163457  9637731563002649997560875900298785659999735 11402741982195550777990817093767890991834736  6248261665690503242396669505673833765541530 18383713927317640760514600671318653784954042]
    [16744026390724915738262959513570982580233867 10819123318870588054961801715028528659245735  5382293825969147064471127752184942873958882  2344559383975384575566938072263260707083674  6107831242377773278696901510341268870768483]
    [13913478639322625565461944432421523802028490  1657756157808133991943366467693421012417454 20077078978711296540965234618986335826824167 15787724170325517021960596569296223410283963 11311327970428371404045885802092772454814312]
    [ 6961572103900078883590821780051797472394845  9455345930492634517894541442153982197931104  7188007809979291502164073459871201264229019  5450777010613496799286069470550372888274079 19294083677962489844799387987438241606854764]
    [ 2085952337131731679161648956407072286901978  6312527395255217479599228946227018949620025  3768572167307432043022080651953496439648407 12149358492352082063390352013944276402659624  1238053480843820309901822772557963596458725]
s = [14359986778171934757328112351570087412922923 11851267097835964101770194163721259897123880 12595767519284390452196370829927812771980581   206471849033914539608937494910010443534631 16748276256578102130941428769109053956841543]
    [17260552917456245674154511124533873366489719  6705751087806309384311406617121931614484164 17060390771834209118913353599009244296476485 14200001344699610276445944574627003822066232 11014902955514050741738009264685742116160993]
    [ 6574547665819712697427953197398960761636762 12380657135986764418898027400335749204149860 20268210493845979828493975027685347139394991 18542561637456865344299035395313783209218383  7517573123535289654812496192079398350464721]
    [11797258068553520501845550128339899816126913 18396577268206658268808323909560870783161039  5490905135614309369346662799065239256309022 14271245849005639472351475697722779937695903  4543895191969014210971676462965142633095929]
    [ 8211670484406041965410550067328494865731128  9385233048164928123059801337014436991987865  2095213218314387589455876832673480152942740 13404162072797239424739266925419641170015472  6893572325245832032339890201821364839102869]
y = [ 9455266042843307825749316910810796871873373 15333106063741475447799261101208428669252581 17507977101165165875868259123812011424101505 18840713703683969794184618879025658583771001  8194677825423260832777930195809869229371863]
    [12501728660245911874452737460699597975974127 19510243647017562462989706821025083261970404 16201393977361396153964696776216973010001356  9663056411865435751212414658633217623172749  3239680106699734686590526219042751814995824]
    [ 3712586611180063604215543952289707697324027 14733212399197986119485181728946640781107458  2840139099323763287710523315368925837277792 13720228569300291500610175158110171144774084  6108815350519225911945135207538331156078296]
    [ 7943973119701029382921917301472306070824581  2869347305630973901685036806460889911095637 10842022254827356928486285947954965977783240 20363982398752260203093070660357855892929807  3232527006736169029584220678644241677651188]
    [18741615057330867264302735709730246936126331  7207581826003452274777064725926668618294351 12235279908760679864964056098862023499484670 11395481161377031878998588680860748310228740 14691306415490831547905993706341909177907668]
c_1 = [14520715136678131886650886394655992310739740  5133803346119603685589690243318329447613811  8631069083165564771821540186676532972101042 11371460936058753234877719062830204068473293  4675643908977844081807119750891783452511801]
      [10758446634943798177756512241470807154028028   230322671654482905785761279475308992164431 19859272618066856343509476253828743509021381 10790059806866303289733349155468067057434048  7937553273189724162746367232714449171157875]
      [12713707768421115203045631708468778038780988  6562443329388128558909111073920129986165358  8629397281530840800788762372728359271085200  3497280351202001940823865223283895540070188 16324531747558707671873605114378727152000738]
      [17664302494165645750553234381674396726461155 11329821313213471881023356172069963076578223 17420708004114170496283987639981918922808988  4025301508682028642713745479550070150287792 13516995862604528976910352157951268294502659]
      [13197381126644223748863331681581035046689048 18134793368131211547774737770284104243998582  3304296884612368960093061281547555357926671 17654343876553302292700074689920978613390384 19965538184282119398237005639724114717256368]
c_2 = [ 7467508370111086497875591641000575993385737   436730215933598480688770862716304678927061 16388674389038775692052384536812272916184391  1544929917235051621830007372321346311674993 20266847919326089072814025756784393554435095]
      [ 8525400103718228392870804572553779730855209  6910832586632574200490719455813022347001485 17879158289938108082881632425571195671456277 10773037736439027909506921110474733019517450  6673285991052846421739430171898388311111793]
      [ 9870026505859633975247413380429542368374340  3599087047295232637660012477486366289652163  9771908525081529326761727267151928531319243 19335625816265272435673905591707160166566864 15219307175745538685718076680399058971932192]
      [ 7121095235650179073589022177762837236165521 10051305836914620675997951100253778882475518 14120877609199150307731361282669945615365363  3064435253345055470095756982744706296418025   126078528977194834765813221549264972548412]
      [18926039657432874696099563502261812215936524 14159758827498805644159739654028640645658626  4643672049840979864316682883185591331924981 20293416534996028081504808704845564317319704  5806383537343185356941724671128323142478351]

We are also given the relations

$$\left\{\begin{aligned} Y &= f(R)^u \cdot S \cdot f(R)^v \\ C_1 &= h(R)^u \cdot S \cdot h(R)^v \\ C_2 &= \text{HashBase}\left(h(R)^u \cdot Y \cdot h(R)^v\right) \oplus \text{HashBase}(\mathcal{F}) \end{aligned}\right.$$

where $f(x) = a_0 x^4 + a_1 x^3 + … + a_4$ with $a_i \in [0, 25]$ (not given), $h(x) = x^5 + x + 1$ and $\text{HashBase}$ is the function with given implementation. The objective is to recover $\mathcal{F}$, the flag.

def hash_base(m):
	m = M(m)
	_M = M(zero_matrix(d))
	for i in range(d):
		for j in range(d):
			_M[i, j] = pow(2, m[i, j], n)
	return M(_M)

Credits: @grhkm21 for the challenge summary.

UIUCTF 2022⌗

asr⌗

Solves: 56/395
Difficulty: ⭐⭐
Tags: rsa
Author: zhengdw
Source: Official Repository

We are given $e, d$ (the public and private exponents of RSA) and the encrypted flag. It is known the largest prime factor for $p-1$ and $q-1$ is less than $2^{64}$ ($p$ and $q$ are the prime factors of the public modulus $n$). The goal is to recover the flag.

e = 65537
d = 195285722677343056731308789302965842898515630705905989253864700147610471486140197351850817673117692460241696816114531352324651403853171392804745693538688912545296861525940847905313261324431856121426611991563634798757309882637947424059539232910352573618475579466190912888605860293465441434324139634261315613929473
ct = 212118183964533878687650903337696329626088379125296944148034924018434446792800531043981892206180946802424273758169180391641372690881250694674772100520951338387690486150086059888545223362117314871848416041394861399201900469160864641377209190150270559789319354306267000948644929585048244599181272990506465820030285

Wringing Rings⌗

Solves: 44/395
Difficulty: ⭐⭐
Tags: secret-sharing
Author: Spamakin
Source: Official Repository

When connected to the server, a secret $s \in [1, 500000]$ is generated. Let $\text{f}$ be a polynomial such that

$$\text{f}(x) := a_9 x^9 + a_8 x^8 + … + a_1 x + s,$$

where $a_1, a_2, …, a_9 \in [1, 100000]$ are randomly generated. We are given nine of these ten values: $(1, \text{f}(1))$, $(2, \text{f}(2))$, …, $(10, \text{f}(10))$. The objective is to find $s$.

Elliptic Clock Crypto⌗

Solves: 27/395
Difficulty: ⭐⭐
Tags: dlog
Author: Husnain
Source: Official Repository

Define $\oplus$ operation over $\mathbb{Z}_p$ by:

$$(x_1, y_1) \oplus (x_2, y_2) := (x_1y_2 + y_1x_2, y_1y_2 - x_1x_2).$$

Let $0 \leq a, b < 2^{256}$ be respectively Alice’s and Bob’s secret key. Let also $A = a \cdot G$, $B = b \cdot G$ ($k \cdot G = G + G + … + G$, a sum of $k$ $G$’s). We are given $p, A, B$ and $G$. The objective is to find $S := ab \cdot G$.

p = 62471552838526783778491264313097878073079117790686615043492079411583156507853
G = (34510208759284660042264570994647050969649037508662054358547659196695638877343, 4603880836195915415499609181813839155074976164846557299963454168096659979337)
A = (929134947869102207395031929764558470992898835457519444223855594752208888786,6062966687214232450679564356947266828438789510002221469043877962705671155351)
B = (49232075403052702050387790782794967611571247026847692455242150234019745608330,46585435492967888378295263037933777203199027198295712697342810710712585850566)

mom can we have AES⌗

Solves: 22/395
Difficulty: ⭐⭐
Tags: man-in-the-middle
Author: Random Object No.79
Source: Official Repository

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

That-crete Log⌗

Solves: 21/395
Difficulty: ⭐⭐
Tags: dlog
Author: zhengdw, Spamakin
Source: Official Repository

Note. In this challenge, the prime check runs the Miller-Rabin test with bases $b = 2, 3, 5, 7, 11, 13, 17, 19, 31337$.

When connected to the server, a message $m := \text{flag} \oplus \text{token}$ is defined and $\text{token}$ is given. Repeat the below procedures five times:

We send $q_1, q_2, …$ to the server. $q_i$’s needs to be primes with $\text{max}(q_i) \geq 2^{512}$. The product, $p = q_1 \cdot q_2 \cdot …$ needs to be a prime and $2^{512} \leq p \leq 2^{1024}$. Note that the prime $p$ computed should not be used in a previous round.
The server generates a random $0 \leq x < p$ and sends it to us.
The server computes $y = x^m\ \text{mod}\ p$ and sends it to us.

The goal is to recover $\text{flag}$.

Bro-key-n⌗

Solves: 14/395
Difficulty: ⭐⭐
Tags: rsa
Author: Husnain
Source: Official Repository

We are given a partially redacted private key file (in .pem). The objective is to recover the private key.

corCTF 2022⌗

tadpole⌗

Solves: 262/978
Difficulty: ⭐
Tags: lcg
Author: @willwam845
Source: Official Repository

Let $p$ be a secret prime. We are given the LCG $x_{i+1} = a \cdot x_i + b\ \text{mod}\ p$ with $x_0 = 13337$. We are given $a, b, x_1$ and $x_2$. The objective is to recover $p$.

a = 7904681699700731398014734140051852539595806699214201704996640156917030632322659247608208994194840235514587046537148300460058962186080655943804500265088604049870276334033409850015651340974377752209566343260236095126079946537115705967909011471361527517536608234561184232228641232031445095605905800675590040729
b = 16276123569406561065481657801212560821090379741833362117064628294630146690975007397274564762071994252430611109538448562330994891595998956302505598671868738461167036849263008183930906881997588494441620076078667417828837239330797541019054284027314592321358909551790371565447129285494856611848340083448507929914
x1 = 52926479498929750044944450970022719277159248911867759992013481774911823190312079157541825423250020665153531167070545276398175787563829542933394906173782217836783565154742242903537987641141610732290449825336292689379131350316072955262065808081711030055841841406454441280215520187695501682433223390854051207100
x2 = 65547980822717919074991147621216627925232640728803041128894527143789172030203362875900831296779973655308791371486165705460914922484808659375299900737148358509883361622225046840011907835671004704947767016613458301891561318029714351016012481309583866288472491239769813776978841785764693181622804797533665463949

luckyguess⌗

Solves: 150/978
Difficulty: ⭐⭐
Tags: lcg
Author: @willwam845
Source: Official Repository

Let $p = 2^{521} - 1$ and $0 \leq a, b \leq 2^{521} - 1$ be two given numbers. Define the LCG by

$$x_{i+1} = a \cdot x_i + b\ \text{mod}\ p.$$

We are asked to give $x, y$. After that, $0 \leq r < 2^{20}$ is randomly generated. We will be given the flag if $x_0 = x$ and $x_r = y$.

exchanged⌗

Solves: 94/978
Difficulty: ⭐⭐
Tags: math, lcg
Author: @willwam845
Source: Official Repository

We are given LCG parameters $p, a, b$ and the seed $x_0$. We are also given $M = x_m, N = x_n$ where $0 \leq m, n < p$. The goal is to find $x_{m+n}$.

p = 142031099029600410074857132245225995042133907174773113428619183542435280521982827908693709967174895346639746117298434598064909317599742674575275028013832939859778024440938714958561951083471842387497181706195805000375824824688304388119038321175358608957437054475286727321806430701729130544065757189542110211847
a = 118090659823726532118457015460393501353551257181901234830868805299366725758012165845638977878322282762929021570278435511082796994178870962500440332899721398426189888618654464380851733007647761349698218193871563040337609238025971961729401986114391957513108804134147523112841191971447906617102015540889276702905
b = 57950149871006152434673020146375196555892205626959676251724410016184935825712508121123309360222777559827093965468965268147720027647842492655071706063669328135127202250040935414836416360350924218462798003878266563205893267635176851677889275076622582116735064397099811275094311855310291134721254402338711815917
x0 = 35701581351111604654913348867007078339402691770410368133625030427202791057766853103510974089592411344065769957370802617378495161837442670157827768677411871042401500071366317439681461271483880858007469502453361706001973441902698612564888892738986839322028935932565866492285930239231621460094395437739108335763
M = 27055699502555282613679205402426727304359886337822675232856463708560598772666004663660052528328692282077165590259495090388216629240053397041429587052611133163886938471164829537589711598253115270161090086180001501227164925199272064309777701514693535680247097233110602308486009083412543129797852747444605837628
N = 132178320037112737009726468367471898242195923568158234871773607005424001152694338993978703689030147215843125095282272730052868843423659165019475476788785426513627877574198334376818205173785102362137159225281640301442638067549414775820844039938433118586793458501467811405967773962568614238426424346683176754273

hidE⌗

Solves: 88/978
Difficulty: ⭐⭐
Tags: rsa
Author: quintec
Source: Official Repository

When connected to the server, a RSA modulus $n$ is generated. The seed for Python’s random package is set to be int(time.time()). We are given $n$ and two methods (we can use these methods as much as we would), which encrypts either the flag, or a user-supplied message using the first $e$ generated by random.randint(1, n) which is coprime with $\varphi(n)$, and sends to the player.

The objective is to recover the flag.

generous⌗

Solves: 49/978
Difficulty: ⭐⭐
Tags: okamoto-uchiyama
Author: qoprime
Source: Official Repository

The below defines the Okamoto-Uchiyama cryptosystem.

Let $p$ and $q$ be two primes and $n = p^2q$. Define $2 \leq g < n$ and $h = g^n\ \text{mod}\ n$. The public and private keys are given by $(n, g, h)$ and $(g, p, q)$ respectively.

The encryption function $c := \text{Enc}(m)$ is given by:

Generates $1 \leq r < n$ randomly.
Computes $c = g^m \cdot h^r\ \text{mod}\ n$.

The decryption function $m := \text{Dec}(c)$ is given by:

Computes $a = [(c^{p-1}\ \text{mod}\ p^2) - 1] / p$ and $b = [(g^{p-1}\ \text{mod}\ p^2) - 1] / p$.
Computes $m = a \cdot b^{-1}\ \text{mod}\ p$.

When connected to the server, two 512-bit primes $p, q$ are generated and $g$ such that $g^{p-1} \not\equiv 1\ (\text{mod}\ p^2)$. We are given $(n, g, h)$ and the encrypted flag $\text{Enc}(\text{flag})$. After that, we are given the oracle which computes $\text{Dec}(c)\ \text{mod}\ 2$ for user-supplied $c$, for an arbitrary number of times.

The objective is to recover $\text{flag}$.

leapfrog⌗

Solves: 36/978
Difficulty: ⭐⭐
Tags: lcg
Author: @willwam845
Source: Official Repository

We are given the $i$-th output from an unknown LCG (neither $a, b$ nor $p$ are given), with $i = 0, 5, 8, 31, 44, 68, 74, 84, 93, 100, 104, 123$. The goal is to recover $a, b$ and $p$.

x_0   = 26242498579536691811055981149948736081413123636643477706015419836101346754443
x_5   = 30320412755241177141099565765265147075632060183801443609889236855980299685595
x_8   = 65684356693401962957802832810273549345608027337432965824937963429120291339333
x_31  = 15025547765549333168957368149177848577882555487889680742466312084547650972663
x_44  = 46764069432060214735440855620792051531943268335710103593983788232446614161424
x_68  = 71575544531523096893697176151110271985899529970263634996534766185719951232899
x_74  = 8149547548198503668415702507621754973088994278880874813606458793607866713778
x_84  = 12081871161483608517505346339140143493132928051760353815508503241747142024697
x_93  = 65627056932006241674763356339068429188278123434638526706264676467885955099667
x_100 = 23413741607307309476964696379608864503970503243566103692132654387385869400762
x_104 = 56014408298982744092873649879675961526790332954773022900206888891912862484806
x_123 = 77000766146189604405769394813422399327596415228762086351262010618717119973525
x_139 = 14589246063765426640159853561271509992635998018136452450026806673980229327448

corrupted-curves⌗

Solves: 20/978
Difficulty: ⭐⭐⭐
Tags: ecc
Author: qoprime
Source: Official Repository

Denote $x_0$ be a secret (the flag).

When connected to the server, a 512-bit prime $p$ and $0 \leq a, b < 2^{384}$ are generated such that there exists $y_0$ such that ${y_0}^2 \equiv {x_0}^3 + a \cdot x_0 + b\ (\text{mod}\ p)$.

We can call the below oracle $\mathcal{O}(x_1)$, where $0 \leq x_1 < p$, as long as $\text{count} < 64$. Initialize $S = \phi$:

Generate a 64-bit $e$.
If $x \in S$ or $x < 2^{384}$ or $x > p - 2^{384}$, abort.
Define the curve $C: y^2 \equiv x^3 + (a \oplus e) \cdot x + (b \oplus e)\ (\text{mod}\ p)$.
If there exists a point $P$ such that its $x$-coordinate equals $x_1$, returns its $y$-coordinate and set $\text{count} \leftarrow \text{count} + 1$ and set $S \leftarrow S \cup \{x_1\}$.

The goal is to recover $x_0$.

threetreasures⌗

Solves: 19/978
Difficulty: ⭐⭐⭐
Tags: ecc
Author: qoprime
Source: Official Repository

Note: the flag has the format with corctf{...}.

Given that the flag is 375 bits long and it is broken evenly into three parts: $a, b, c$ ($a, b$ and $c$ consist of the first 125 bits, subsequent 125 bits and the remaining bits respectively). Let $p$ be a 512-bit prime and denote the elliptic curve $\mathcal{C}$ by

$$\mathcal{C}: y^2 = x^3 + ax + b\ (\text{mod}\ p).$$

Moreover, let $G \in \mathcal{C}$ such that $3G = O$. Let also $q$ be another 512-bit prime, $n = pq$ and $\text{Enc}(c) := \text{Pad}(c)^{65537}\ \text{mod}\ n$. We are given $n$, $\text{Enc}(c)$ and $G$. The goal is to recover $a, b$ and $c$.

n      = 97915144495462666300795364589570761584322186881492143950078938328867290046424857019504657598883431857075772605985768551863478086544857915637724181292135280539943713583281151707224031808445390796342632369109562433275679473233398168787639940620683354458292117457239552762694657810883738834935391913698852811737
Enc(c) = 20363336204536918055183609604474634074539942561101208682977506918349108499764147141944713060658857301108876346227077713201766486360148051069618774935469969057808945271860025712869868421279488925632657486125211168314387620225601572070169746014988350688548088791906161773656057212229972967244998930356157725393
G      = (3115938227771961657567351113281194074601897467086373590156577019504528350118731801249444974253028485083440228959842232653488953448859690520619223338133881, 2665631524518629436093690344927156713668794128141943350227439039472817541262750706395352700109556004195261826476428128993836186741129487842876154876730189)

corrupted-curves+ 🔥⌗

Solves: 15/978
Difficulty: ⭐⭐⭐
Tags: ecc
Author: qoprime
Source: Official Repository

Note. This challenge is similar to corrupted-curves, except that the upper limit of $\text{count}$ is changed, and it no longer accepts user-supplied $x_1$.

Denote $x_0$ be a secret (the flag).

When connected to the server, a 512-bit prime $p$ and $0 \leq a, b < 2^{384}$ are generated such that there exists $y_0$ such that ${y_0}^2 \equiv {x_0}^3 + a \cdot x_0 + b\ (\text{mod}\ p)$.

We can call the below oracle $\mathcal{O}$ as long as $\text{count} < 2022$. Initialize $S = \phi$:

Generate a 64-bit $e$ and $2 \leq x_1 < p$.
If $x \in S$ or $x < 2^{384}$ or $x > p - 2^{384}$, abort.
Define the curve $C: y^2 \equiv x^3 + (a \oplus e) \cdot x + (b \oplus e)\ (\text{mod}\ p)$.
If there exists a point $P$ such that its $x$-coordinate equals $x_1$, returns its $y$-coordinate and set $\text{count} \leftarrow \text{count} + 1$ and set $S \leftarrow S \cup \{x_1\}$.

The goal is to recover $x_0$.

rlfsr⌗

Solves: 14/978
Difficulty: ⭐⭐⭐
Tags: lfsr
Author: @willwam845
Source: Official Repository

Let $R$ be a known 128-bit LFSR. We are given $15104 = 128 \times 118$ output bits, in a way that the first 128 bits are shuffled, the subsequent 128 bits are shuffled, etc. The goal is to recover the initial values of the LFSR.

D3S 🔥⌗

Solves: 1/978
Difficulty: ⭐⭐⭐⭐
Tags: des
Author: pot
Source: Official Repository

We are given a Feistel cipher implementation, where the message space, ciphertext space, key space are all 54 trits (i.e., $\mathcal{M} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_3^{54}$). We are given $3^9$ message-ciphertext pairs and the objective is to recover the key.

MapleCTF 2022⌗

brsaby⌗

Solves: 166/618
Difficulty: ⭐
Tags: rsa
Author: zhengdw

Let $n = pq$ be the public modulus of RSA. Given $n$, $e = 65537$, $c$ (the encrypted flag) and $h := p^4 - q^3$, the goal is to recover the flag.

n = 134049493752540418773065530143076126635445393203564220282068096099004424462500237164471467694656029850418188898633676218589793310992660499303428013844428562884017060683631593831476483842609871002334562252352992475614866865974358629573630911411844296034168928705543095499675521713617474013653359243644060206273
e = 65537
c = 110102068225857249266317472106969433365215711224747391469423595211113736904624336819727052620230568210114877696850912188601083627767033947343144894754967713943008865252845680364312307500261885582194931443807130970738278351511194280306132200450370953028936210150584164591049215506801271155664701637982648648103
h = 20172108941900018394284473561352944005622395962339433571299361593905788672168045532232800087202397752219344139121724243795336720758440190310585711170413893436453612554118877290447992615675653923905848685604450760355869000618609981902108252359560311702189784994512308860998406787788757988995958832480986292341328962694760728098818022660328680140765730787944534645101122046301434298592063643437213380371824613660631584008711686240103416385845390125711005079231226631612790119628517438076962856020578250598417110996970171029663545716229258911304933901864735285384197017662727621049720992964441567484821110407612560423282

jwt⌗

Solves: 79/618
Difficulty: ⭐⭐
Tags: ecdsa
Author: vEvergarden

This challenge implements ECDSA with a fixed private key $x$. However, for every signature generated, the nonce $k$ is always set to be $x$. The goal is to recover $x$.

Spiral-baby⌗

Solves: 57/618
Difficulty: ⭐⭐
Tags: block cipher
Author: vEvergarden

The challenge defines a new block cipher called Spiral:

python Spiral


#
# Util functions
#

# rotate a 4x4 matrix clockwise
def spiralRight(matrix):
    right = []
    for j in range(4):
        for i in range(3, -1, -1):
            right.append(matrix[i][j])
    return bytes2matrix(right)


# rotate a 4x4 matrix counterclockwise
def spiralLeft(matrix):
    left = []
    for j in range(3, -1, -1):
        for i in range(4):
            left.append(matrix[i][j])
    return bytes2matrix(left)


# convert bytes to 4x4 matrix
def bytes2matrix(bytes):
    return [list(bytes[i : i + 4]) for i in range(0, len(bytes), 4)]


# convert 4x4 matrix to bytes
def matrix2bytes(matrix):
    return bytes(sum(matrix, []))

SBOX = [184, 79, 76, 49, 237, 28, 54, 183, 106, 24, 192, 7, 43, 111, 175, 44, 46, 199, 182, 115, 83, 227, 61, 230, 6, 57, 165, 137, 58, 14, 94, 217, 66, 120, 53, 142, 29, 150, 103, 75, 186, 39, 31, 196, 18, 207, 244, 16, 213, 243, 114, 251, 96, 4, 138, 197, 10, 176, 157, 91, 238, 155, 254, 71, 86, 37, 130, 12, 52, 162, 220, 56, 88, 188, 27, 208, 25, 51, 172, 141, 168, 253, 85, 193, 90, 35, 95, 105, 200, 127, 247, 21, 93, 67, 13, 235, 84, 190, 225, 119, 189, 81, 250, 117, 231, 50, 179, 22, 223, 26, 228, 132, 139, 166, 210, 23, 64, 108, 212, 201, 99, 218, 160, 240, 129, 224, 233, 242, 159, 47, 126, 125, 146, 229, 0, 252, 161, 98, 30, 63, 239, 164, 36, 80, 151, 245, 38, 107, 3, 65, 73, 204, 8, 205, 82, 78, 173, 112, 219, 136, 123, 149, 118, 32, 215, 163, 74, 134, 248, 68, 110, 45, 59, 145, 178, 156, 100, 177, 221, 2, 92, 20, 40, 144, 101, 140, 169, 116, 143, 202, 1, 113, 209, 104, 133, 128, 70, 89, 216, 147, 122, 131, 9, 249, 121, 109, 191, 77, 124, 246, 55, 198, 187, 185, 17, 60, 180, 203, 19, 158, 97, 206, 148, 5, 87, 170, 236, 222, 194, 15, 214, 241, 211, 234, 42, 41, 153, 62, 102, 152, 69, 181, 34, 48, 226, 11, 195, 154, 174, 167, 135, 232, 72, 171, 33]

SPIRAL = [
    [1, 19, 22, 23],
    [166, 169, 173, 31],
    [149, 212, 176, 38],
    [134, 94, 59, 47],
]

#
# The Spiral block cipher
#

class Spiral:
    def __init__(self, key, rounds=4):
        self.rounds = rounds
        self.keys = [bytes2matrix(key)]
        self.BLOCK_SIZE = 16

        for i in range(rounds):
            self.keys.append(spiralLeft(self.keys[-1]))

    def encrypt(self, plaintext):
        if len(plaintext) % self.BLOCK_SIZE != 0:
            padding = self.BLOCK_SIZE - len(plaintext) % self.BLOCK_SIZE
            plaintext += bytes([padding] * padding)

        ciphertext = b""
        for i in range(0, len(plaintext), 16):
            ciphertext += self.encrypt_block(plaintext[i : i + 16])
        return ciphertext

    def encrypt_block(self, plaintext):
        self.state = bytes2matrix(plaintext)
        self.add_key(0)

        for i in range(1, self.rounds):
            self.substitute()
            self.rotate()
            self.mix()
            self.add_key(i)

        self.substitute()
        self.rotate()
        self.add_key(self.rounds)

        return matrix2bytes(self.state)

    def add_key(self, idx):
        for i in range(4):
            for j in range(4):
                self.state[i][j] = (self.state[i][j] + self.keys[idx][i][j]) % 255

    def substitute(self):
        for i in range(4):
            for j in range(4):
                self.state[i][j] = SBOX[self.state[i][j]]

    def rotate(self):
        self.state = spiralRight(self.state)

    def mix(self):
        out = [[0 for _ in range(4)] for _ in range(4)]
        for i in range(4):
            for j in range(4):
                for k in range(4):
                    out[i][j] += SPIRAL[i][k] * self.state[k][j]
                out[i][j] %= 255

        self.state = out

When connected to the server, a 16-byte key is randomly generated and we are allowed to encrypt

the flag, and
or arbitrary message,

using Spiral with one round, as much as we could. The goal is to recover the flag.

qotp-real⌗

Solves: 27/618
Difficulty: ⭐⭐
Tags: rng
Author: zhengdw

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

e000p⌗

Solves: 18/618
Difficulty: ⭐⭐
Tags: ec
Author: zhengdw

Let $\mathcal{C}$ be the Edwards curve Curve41417, $G \in \mathcal{C}$ be the generator and $n$ be its order. Define $x := \text{FLAG}^{-1}\ \text{mod}\ n$. Let also $h = x \land \text{MASK}$ ($\land$ is the bitwise AND operator) and $P = x \cdot G$.

We are given $\text{MASK}$, $P$ and $h$, the goal is to recover $\text{FLAG}$.

MASK = 0xfffffffffffffffffff800001ffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffff800001fff
P = (29389900956614406804195679733048238721927197300216785144586024378999988819550861039522005309555174206184334563744077143526515, 35393890305755889860162885313105764163711685229222879079392595581125504924571957049674311023316022028491019878405896203357959)
h = 323811241263249292936728039512527915123919581362694022248295847200852329370976362254362732891461683020125008591836401372097

Spiral 🔥⌗

Solves: 9/618
Difficulty: ⭐⭐⭐
Tags: block cipher
Author: vEvergarden

Note. The challenge uses the same cipher given in Spiral-baby. However, the cipher is now of four rounds instead of one.

When connected to the server, a 16-byte key is randomly generated and we are allowed to encrypt

the flag, and
or arbitrary message,

using Spiral with four rounds, as much as we could. The goal is to recover the flag.

clipper chip⌗

Solves: 2/618
Difficulty: ❓
Tags: ❓
Author: xal

Needs more information. I am not totally clear about this challenge. Please let me know if you have a better picture on this one!

BalsnCTF 2022⌗

Yet another RSA with hint⌗

Solves: 38/584
Difficulty: ⭐⭐
Tags: rsa
Author: utaha

Let $(n, e)$ be a RSA public key ($n$ being 1024 bits and $e = 65537$), and $c$ be the encrypted flag. We are also given $\text{hint} := (b_2, b_3, …, b_{199})$, where $b_k$ is the sum of digits of $p$ (a prime factor of $n$) in base $k$. The objective is to recover the flag.

n = 69769370315605399620499157110259161770226204413410714287546175640222894393734656823609842094208000324903785445480970937467772043771047139468214623293799193606693151204028152125827120312591965423568920046988483517193159267137262989786922993050699199470525597334312901558499603311835177928669168435353736304603
e = 65537
c = 44629586340631092032969036077439025547731549046317830052768219747251144452428756243443530079705365300095620187777995163429306743725384004785137984724398460770780400852341911649904759816676765406154144761671142475150796245779492784073799771022568183264838096756108860913879311490014711507384458820460700533977
hint = [250, 305, 371, 421, 519, 569, 583, 621, 746, 679, 787, 821, 880, 919, 899, 1021, 1038, 1151, 1133, 1229, 1157, 1205, 1237, 1301, 1399, 1335, 1574, 1549, 1495, 1469, 1564, 1709, 1634, 1633, 1759, 1673, 1794, 1817, 1790, 1989, 1971, 2081, 2058, 2041, 2114, 2065, 2239, 2381, 2193, 2199, 2432, 2297, 2500, 2519, 2459, 2501, 2558, 2597, 2647, 2609, 2750, 2711, 2627, 2765, 2609, 3053, 2931, 3333, 2939, 2809, 2843, 2789, 3002, 3089, 2924, 3185, 3306, 3389, 3169, 2989, 3302, 3201, 3153, 3089, 2874, 3305, 3554, 3493, 3822, 3419, 3467, 3261, 3548, 3461, 3679, 3533, 3420, 4251, 4274, 4249, 3967, 4013, 4172, 4117, 3824, 4461, 3707, 4193, 3585, 4109, 4532, 4237, 4009, 4439, 4089, 4917, 3896, 4181, 4370, 3989, 4032, 4641, 4841, 4509, 4324, 4643, 4379, 4685, 4595, 5079, 4437, 5165, 5161, 4271, 5624, 4557, 4570, 4871, 5191, 5189, 4871, 4689, 4923, 5597, 4859, 4973, 5084, 5457, 5196, 5099, 4855, 5541, 5237, 5077, 5284, 5729, 5468, 5539, 5468, 5709, 5308, 5813, 6201, 6317, 5264, 4979, 6540, 5693, 5885, 5679, 5921, 5713, 6086, 6425, 5574, 6221, 5774, 6581, 6422, 6209, 6324, 5651, 6227, 6021, 6789, 6617, 6155, 6657, 6218, 6719, 5820, 6221, 6026, 6815, 6509, 6113, 6731, 7343]

vss 🔥⌗

Solves: 9/584
Difficulty: ⭐⭐⭐
Tags: math
Author: utaha

When connected to the server, two 512-bit numbers $x, y$ will be generated. We are allowed to get up to around 180 sets of $(a, b, c, p, g, v, q)$ such that:

$u = (a + bx + cy)\ \text{mod}\ p$, and
$v = g^u\ \text{mod}\ q$.

The goal is to recover $x$ and $y$.

LFSR 🔥⌗

Solves: 6/584
Difficulty: ⭐⭐⭐
Tags: lfsr
Author: utaha

Note. In the challenge, the operations are done in $\text{GF}(2)$. That said, $+$ is actually the $\oplus$ (XOR) operation and $\times$ is the AND operation.

Let $\mathcal{L}$ be a LFSR with key $(s_0, s_1, …, s_{127})$, and for $i \geq 0$,

$$s_{i+128} = s_{i} + s_{i+1} + s_{i+2} + s_{i+7}.$$

Let the output bits $y_0, y_1, …$ defined by

$$\begin{aligned} y_i &= s_i + s_{i+16} + s_{i+32} + s_{i+120} + s_i s_{i+8} + s_i s_{i+32} + s_{i+8} s_{i+64} + s_{i+16} s_{i+32} \\ &\qquad + s_i s_{i+8} s_{i+64} + s_{i+16} s_{i+32} s_{i+64} + s_i s_{i+8} s_{i+16} s_{i+64} s_{i+120} + s_{i+8} s_{i+16} s_{i+32} s_{i+64} s_{i+120}. \end{aligned}$$

We are given the first 8192 bits of the output (i.e., $y_0, y_1, …, y_{8191}$). The goal is to recover the key (i.e., $s_0, s_1, …, s_{127}$).

DownUnderCTF 2022⌗

baby arx⌗

Solves: 279/1407
Difficulty: ⭐
Tags: ?
Author: @josep68_

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

oracle for block cipher⌗

Solves: 102/1407
Difficulty: ⭐⭐
Tags: ?
Author: @josep68_

Let m be the message with a given 16-byte prefix. When connected to the server, a 16-byte key k is generated. We are allowed to pick two IVs iv1, iv2. After each pick, we will be given the ciphertext of m, encrypted with AES-OFB with key k and iv. The goal is to recover m.

cheap ring theory⌗

Solves: 101/1407
Difficulty: ⭐
Tags: ?
Author: @josep68_

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

rsa interval oracle i⌗

Solves: 79/1407
Difficulty: ⭐⭐
Tags: rsa
Author: @josep68_

When connected to the server, two 192-bit primes $p, q$ are generated and $n = p \cdot q$. Let $e = 65537$ and $d$ be the corresponding decryption exponent. We are given $(n, e)$ (a RSA public key). A 336-bit message $m$ is generated and encrypted using the RSA public key. The ciphertext, $c$, is given as well.

We are allowed to set $k$ intervals $[\alpha_1, \beta_1)$, …, $[\alpha_k, \beta_k)$. We are also allowed to send $c_1, c_2, …, c_q$ (in multiple batches) and obtain $\mathcal{O}(c_1), \mathcal{O}(c_2), …, \mathcal{O}(c_q)$. The server will sleeps for $s$ seconds after returning each batch of $\mathcal{O}(c_i)$’s.

The goal is to recover $m$ within $t$ seconds.

Finally, $\mathcal{O}(c)$ is given by the smallest $i$ such that $m := c^d\ \text{mod}\ n$ and $m \in [\alpha_i, \beta_i)$ (or -1 if it falls into neither of the intervals).

In this challenge, $k = 384$, $q = 384$, $t = 1800$ and $s = 0$.

rsa interval oracle ii 🔥⌗

Solves: 36/1407
Difficulty: ⭐⭐
Tags: rsa
Author: @josep68_

The challenge is similar to rsa interval oracle i, except that we are only allowed to set one interval (i.e., $k = 1$).

rsa interval oracle iii⌗

Solves: 23/1407
Difficulty: ⭐⭐
Tags: rsa
Author: @josep68_

The challenge is similar to rsa interval oracle i, with $k = 4$, $q = 4700$, $t = 180$ and $s = 44$.

rsa interval oracle iv 🔥⌗

Solves: 5/1407
Difficulty: ⭐⭐⭐⭐
Tags: rsa
Author: @josep68_

The challenge is similar to rsa interval oracle i, with $q = 4700$ and $t = 180$.

In this challenge, we are no longer able to add intervals by ourselves, but to use these intervals: $[1, 2^{373}), [1, 2^{374}), [1, 2^{375}), [1, 2^{376})$. Also, we can only send all the $c_i$’s in one batch, i.e., we cannot send $c_i$’s adaptively.

time locked⌗

Solves: 18/1407
Difficulty: ⭐⭐
Tags: math
Author: @josep68_

Let $f$ be the function given below. The goal is to recover $f(2^{2^{1337}})$.

p = 275344354044844896633734474527970577743
a = [2367876727, 2244612523, 2917227559, 2575298459, 3408491237, 3106829771, 3453352037]
α = [843080574448125383364376261369231843, 1039408776321575817285200998271834893, 712968634774716283037350592580404447, 1166166982652236924913773279075312777, 718531329791776442172712265596025287, 766989326986683912901762053647270531, 985639176179141999067719753673114239]

def f(n):
    if n < len(α):
        return α[n]

    n -= len(α) - 1
    t = α[::-1]
    while n > 0:
        x = sum([a_ * f_ for a_, f_ in zip(a, t)]) % p
        t = [x] + t[:-1]
        n -= 1

    return t[0]

faulty arx 🔥⌗

Solves: 11/1407
Difficulty: ⭐⭐⭐
Tags: ?
Author: @josep68_

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.

1337crypt v3 🔥⌗

Solves: 2/1407
Difficulty: ⭐⭐⭐
Tags: math
Author: @josep68_

Let $3 \leq x < 2^{780}$. We are given $\alpha_1, \alpha_2, \alpha_3, \beta_1, \beta_2, \beta_3$ such that:

$$\left\{\begin{aligned} \beta_1 &= \sin \alpha_1 x \\ \beta_2 &= \cos \alpha_2 x \\ \beta_3 &= \tan \alpha_3 x \end{aligned}\right..$$

Hereby $\alpha_1, \alpha_2, \alpha_3, \beta_1, \beta_2, \beta_3$ are real numbers with 1337 bits of precision. The goal is to recover $x$.

alpha1 = 382688.000003718840762957370928334219657048504840071252989018263226986883648629049352735765207269589923429068690707732585598417261371285342932900956113960156340065674727873827170594382319143476595475658327786062528588588365234789011569313613560380958047757353077898557461668048835816899156195030884972536360965559815694251787832696791756073796676100126068701864254874470530046373944314078415476327719123
alpha2 = 15637.0000000000000000000000000000000000000000073407249596755993494633815978948470725770595202532938111233270822656540006827548854086357909099305933838931019150313577619230563069886151776251889782046359224864632667394933146539407828208245853609735993739377148185083846731149980246713157043706328084023440946327661078130241672626606833808343709723838524304060402271919834105020805612169606358017694056416
alpha3 = 29275.0000000000640306760478159122361364268852615107016525704106080086895615545710184648549454761942179678623356595579867852707677349455538454994245696487465653543975651069930536590338519688676538350247199102639964709439110478379805687129967589534757115196430034251100020849966477333439686322641356763869580696872661554589116735439860643787761928921454825557808884297326088601658418898922938739996904201
beta1 = 0.965482350590597357930331336732328693322339578742073734517347983738107022900479878437240803728616183527740872166110419707555902612362293470627167159630511997241207746072653515847677991057240464634863174163959352186613630940970393483122090644984824146327516779925585782449367431713140436462716606231926544190865635435305068802789385561809037048381522369403391403353483514563964854636147009339110513969645
beta2 = 0.919312641039301449759543236755656153255910638284013829633241595979805444268967097520473755994266515165860135737385130077610933382052195648654916587723024832651148703456409500869252608520524821467862378804471336340455738379241087436118861027054778860623168210037730515076872812158198969896476202559290795561594850736319300877512941843333101776445598926887112185986310036903702305697813449195991705718975
beta3 = 1.14855387625795367637526700157484262696944920546403536701593427303031683808809632650237298251670835767655247021139590568460713791448489530488025769625130549491228701922532851244586550786881004979465956996142194848926889854866759317451072626109337018933249842757205735321771354730486331102478476183417508143532011641972415188172049143718997615501480006657475224101754862855024419523910721536847865397788

kyber±⌗

Solves: 1/1407
Difficulty: ⭐⭐⭐⭐
Tags: ?
Author: @josep68_

🛠️ To-be written. This is a placeholder because I am lazy. Please read the tags, or the official source meanwhile.