big e
I’m so confident in my big e’s, I’ll give them to you twice!
Source:
|
|
Solutions:
Because $e_1$,$e_2$ is primes, we can use extended euclidean algorithm to find $x$,$a$,$b$ such that $a * e_1+b*e_2 = x$, $x = gcd(e_1,e_2) = 1$.
$$ ct_1 = pt^{e_1} ; % ; n $$
$$ ct_2 = pt^{e_2} ; % ; n $$
$$ x,a,b = xgcd(e_1,e_2)$$
$$ ct_1^{a}ct_2^{b} = pt^{ae_1+b*e_2} = pt^{x} ; % ; n = pt$$
|
|
Extremely Convenient Breaker
Source:
I won’t let you decrypt the flag, but you can use my Extremely Convenient Breaker.
|
|
Solutions:
It’s ECB mode, so just break the flag by block and sent each block to get the flag.
|
|
RSAaaS
Tired of doing RSA on your own? Try out my new service!
Source:
|
|
Solutions:
The service will print out the flag when we make error, the only block that do not have try catch is line 40-44, so just brute for some prime $p$ which $gcd(e,\phi_p) ; != 1$.
|
|
crypto-civilization
Source:
In Crypto Civilization, nobody commits the beef.
|
|
Solutions:
So in this challenge, we have to guess the output of PRG function and it have 2 cases:
- If $choice = 0$, guess $com = PRG(decom)$
- If $choice = 1$, guess $com = PRG(decom) \oplus y$
The decom is only 2 bytes long, so we can bruteforce it. Because we must sent $com$ before $decom$, so to ensure it corrects in both cases, we must find $com$ to that it have $PRG(decom_1) = com$ and $PRG(decom_2) \oplus y = com$.
|
|
quickprime
Behold: my revolutionary new algorithm to generate primes QUICKLY and SECURELY.
Source:
|
|
Solutions:
The LCG will make p, q have the form: $$p = a * state + c ; % ; m$$ $$q = a * state + c ; % ; m$$
But we can assume that q is LCG.next() from p $\rightarrow$ we can have $q = a * p + c ; % ; m$; or $$q = a^b p + \frac{a^b-1}{a-1} c ; % ; m$$ with $b$ is the number of next in the LCG.
Another thing to keep in mind that is $gcd(a-1,m) != 1$ so we can’t not find $$\frac{a^b-1}{a-1} = (a^b-1)*(a-1)^{-1} ; % ; m$$ and must expand $$\frac{a^b-1}{a-1} = a^{b-1} + a^{b-2} + … + 1 ; % ; m$$
|
|
good-hash
I learned about hash-length extension attacks, so I’m going to use a good hash instead
Source:
|
|
Solutions:
This is a AES-GCM challange for more about GCM you can read here:> GCM. So when we sent $leftextend$ and $rightextend$, it will encrypt $leftextend + secret + rightextend$ and return the mac. Assume we fix $leftextend$ and $rightextend$ at a block size, we will have form of mac
$$ mac = H^4 * (leftextend \oplus keystream_1) + H^3 * (secret \oplus keystream_2) + H^2 * (rightextend \oplus keystream_3) + H * LENGTH + T$$
We have 4 queries, 1 of them is to get the flag, so which 3 queries left, I think about setting enough equations to solve of $H$ and then solve for $secret$. Using $leftextend$ and $rightextend$ as null bytes for easy to calculate $$b’\text{\x00}’* 16 \oplus ks_1 = ks_1$$. The oracle is reusing $key$ and $iv$ so $T$ and $H$ will be the same.
$$ mac_1 = H^4 * ks_1 + H^3 * ks_2 + H^2 * (secret \oplus ks_3) + H * LENGTH + T$$
$$ mac_2 = H^4 * ks_1 + H^3 * (secret \oplus ks_2) + H^2 * ks_3 + H * LENGTH + T$$
$$ mac_3 = H^4 * (secret \oplus ks_1) + H^3 * ks_2 + H^2 * ks_3 + H * LENGTH + T$$
$$ mac_1 + mac_2 = H^3 * secret + H^2 * secret = f_1$$
$$ mac_1 + mac_3 = H^4 * secret + H^2 * secret = f_2$$
$$ mac_2 + mac_3 = H^4 * secret + H^3 * secret = f_3$$
$$ f_1 * f_2^{-1} =\frac{H^3+H^2}{H^4+H^2}$$
From this we can solve for $H$ and $serect = \frac{f_1}{H^3+H^2}$
|
|