In [6]:
#Ellipse Curve Cryptography
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib


def is_pkcs7_padded(message):
    padding = message[-message[-1]:]
    return all(padding[i] == len(padding) for i in range(0, len(padding)))


def decrypt_flag(shared_secret: int, iv: str, ciphertext: str):
    # Derive AES key from shared secret
    sha1 = hashlib.sha1()
    sha1.update(str(shared_secret).encode('ascii'))
    key = sha1.digest()[:16]
    # Decrypt flag
    ciphertext = bytes.fromhex(ciphertext)
    iv = bytes.fromhex(iv)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = cipher.decrypt(ciphertext)

    if is_pkcs7_padded(plaintext):
        return unpad(plaintext, 16).decode('ascii')
    else:
        return plaintext.decode('ascii')


shared_secret = secret
iv = "64bc75c8b38017e1397c46f85d4e332b"
ciphertext = '13e4d200708b786d8f7c3bd2dc5de0201f0d7879192e6603d7c5d6b963e1df2943e3ff75f7fda9c30a92171bbbc5acbf'

print(decrypt_flag(shared_secret, iv, ciphertext))


crypto{c0n1c_s3ct10n5_4r3_f1n1t3_gr0up5}


In [5]:
#Ellipse Curve Cryptography
from collections import namedtuple

Point = namedtuple("Point", "x y")

def point_addition(P, Q):
    Rx = (P.x*Q.x + D*P.y*Q.y) % p
    Ry = (P.x*Q.y + P.y*Q.x) % p
    return Point(Rx, Ry)


def scalar_multiplication(P, n):
    Q = Point(1, 0)
    while n > 0:
        if n % 2 == 1:
            Q = point_addition(Q, P)
        P = point_addition(P, P)
        n = n//2
    return Q


def gen_shared_secret(P, d):
    return scalar_multiplication(P, d).x

def grp_convert(x,y,W,p):
    return (x-(W*y))%p

p = 173754216895752892448109692432341061254596347285717132408796456167143559
D = 529
prim = p
if kronecker(D,p) == 1:
    W = s_root(GF(p)(D),p)
    prim = p
else:
    prim  = p*p
    W = (-D*D)%prim

g = grp_convert(29394812077144852405795385333766317269085018265469771684226884125940148,94108086667844986046802106544375316173742538919949485639896613738390948, W, prim)
A = grp_convert(155781055760279718382374741001148850818103179141959728567110540865590463, 73794785561346677848810778233901832813072697504335306937799336126503714, W, prim)
B = Point(171226959585314864221294077932510094779925634276949970785138593200069419, 54353971839516652938533335476115503436865545966356461292708042305317630)

n_a = A.log(g)
secret = gen_shared_secret(B, n_a)

In [4]:
# tonolli shanks
def step3(b,p,r,x):
       # Step 3: Find exponent
       if GF(p)(b) == GF(p)(1):
               return b,r,x,0
       m = 0
       while GF(p)(b**(2**m)) != 1:
               m = m + 1
       if m == r:
               return b,r,0,0
       return b,r,x,m

def s_root(a,p):
       # Step 0: Determine q:
       q = 0
       e = 0
       while q % 2 != 1:
               e = e+1
               q = (p-1) // 2**e
       # Step 1: Find generator
       n = ZZ.random_element()
       while kronecker(n,p) != -1:
               n = ZZ.random_element()
       n = GF(p)(n)
       z = GF(p)(n**q)
       # Step 2: Initialize
       y = z
       r = e
       a = GF(p)(a)
       x = GF(p)(a**((q-1)//2))
       b = GF(p)(a*(x**2))
       x = GF(p)(a*x)
       # Step 3:
       b,r,x,m = step3(b,p,r,x)
       # Step 4: Reduce exponent
       while ZZ(m) != ZZ(0):
               t = GF(p)(y**(2**(r-m-1)))
               y = GF(p)(t**2)
               r = GF(p)(m)
               x = GF(p)(x*t)
               b = GF(p)(b*y)
               b,r,x,m = step3(b,p,r,x)
       return x

pos = [14, 6, 11]
for i in pos:
    a = GF(29)(i)
    print(i, s_root(a,29))


14 0
6 21
11 0
