In [25]:
from hashlib import sha256

class AOP:
    def __init__(self, s = 1):
        self.p = 18446744073709551557 # p - 1 not a multiple of 3
        self.t = 5
        self.r = 9
        self.RC = [
            [ int.from_bytes(sha256(b"FCSC2024#" + str(self.t*j + i).encode()).digest()) % self.p for i in range(self.t) ]
            for j in range(self.r)
        ]
        self.M = [
            [ pow(i, j, self.p) for i in range(1, self.t + 1) ]
            for j in range(self.t)
        ]

    def R(self, r):
        # self.S <- self.S * M
        s = [ 0 ] * self.t
        for j in range(self.t):
            for i in range(self.t):
                s[j] += self.M[i][j] * self.S[i]
            s[j] %= self.p
        self.S = s[:]

        # self.S <- self.S + RC[i]
        for j in range(self.t):
            self.S[j] += self.RC[r][j]

        # self.S <- self.S ** e
        e = pow(3, -r, self.p - 1)
        self.S[0] = pow(self.S[0], e, self.p)

    def __call__(self, L):
        assert len(L) == self.t, f"Error: input must be a list of {self.t} elements."
        assert all(x in range(0, self.p) for x in L), f"Error: elements must be in [0..{self.p - 1}]."
        self.S = L[:]
        for i in range(self.r):
            self.R(i)
        return self.S

if __name__ ==  "__main__":

    try:
        aop = AOP()

        print("Input your values as a comma-separated list: ")
        X = input(">>> ").split(",")
        X = [ int(x) for x in X ]
        Y = aop(X)
        if X[0] == 0 and Y[0] == 0:
            flag = open("flag.txt").read()
            print(flag)
        else:
            print("Nope!")

    except:
        print("Please check your inputs.")
        exit(1)


Input your values as a comma-separated list: 


>>>  [0, 17870716303875943754, 7120576140853979269, 896341176514373340, 7404181473024868931]


Please check your inputs.


In [51]:
p = 18446744073709551557
Zp = FiniteField(p)
t = 5
r = 9 
RC = [
        [ int.from_bytes(sha256(b"FCSC2024#" + str(t*j + i).encode()).digest()) % p for i in range(t) ]
            for j in range(r)
        ]
M = [
        [ pow(i, j, p) for i in range(1, t + 1) ]
            for j in range(t)
        ]

M = Matrix(Zp, M)
RC = Matrix(Zp, RC)

M_inv = Matrix(R, M)^-1

def R(r, S):
    global t, p, RC, M
    # self.S <- self.S * M
    s = [ 0 ] * t
    for j in range(t):
        for i in range(t):
            s[j] += M[i][j] * S[i]
        s[j] %= p
    S = s[:]

    # self.S <- self.S + RC[i]
    for j in range(t):
        S[j] += RC[r][j]

    # self.S <- self.S ** e
    e = pow(3, -r, p - 1)
    S[0] = pow(S[0], e, p)
    return S

In [188]:
def R(r, S):
    global t, p, RC, M
    # self.S <- self.S * M
    S = S * M

    # self.S <- self.S + RC[i]
    #for j in range(t):
    #    S[j] += RC[r][j]
    S = S + RC[r]
    
    # self.S <- self.S ** e
    e = pow(3, -r, p - 1)
    S[0] = pow(S[0], e, p)
    return S

def R_inv (r, S):
    e = pow(3, r, p - 1)
    S[0] = pow(S[0], e, p)

    S = S - RC[r]
    S = S * M_inv
    return S

def R_inv_without_last (r, S):
    if r != 8:
        e = pow(3, r, p - 1)
        S[0] = pow(S[0], e, p)

    S = S - RC[r]
    S = S * M_inv
    return S

def R_inv(r, S):
    global t, p, RC, M_inv

    # self.S <- self.S ** e
    e = pow(3, r, p - 1)
    S[0] = pow(S[0], e, p)
    
    # self.S <- self.S + RC[i]
    for j in range(t):
        S[j] -= RC[r][j]
    # self.S <- self.S * M
    s = [ 0 ] * t
    for j in range(t):
        for i in range(t):
            s[j] += M_inv[i][j] * S[i]
    S = s[:]
    return S

In [189]:
X = [ 0 ] * 5 
Y = aop(X)
Y

[4928596142542652771,
 28957873498670107785,
 2778968339037312826,
 35142980752903985341,
 4751439992789700012]

In [201]:
def my_aop(X):
    X = vector(Zp, X)
    for i in range (r):
        X = R(i, X)
    return X



In [221]:
R.<x> = PolynomialRing(Zp)

M_inv = M_inv.change_ring(R)
RC = RC.change_ring(R)

def R_inv (r, S):
    
    e = pow(3, r, p - 1)
    S[0] = S[0]**e

    S = S - RC[r]
    S = S * M_inv
    return S

X = vector(R, [R(0), x, R(2), R(4), R(10)])
def my_aop_inv(X):
    for i in range (5, -1, -1):
        X = R_inv(i, X)
    return X
P = my_aop_inv(X)

In [222]:
P[0].numerator().roots(multiplicities=False)

[17808370576214756361]

In [142]:
a = (sum([3**i for i in range (r-1)]))**3

In [143]:
a.bit_length()

36

In [57]:
from hashlib import sha256
p = 18446744073709551557
Zp = FiniteField(p)
t = 5
r = 9 
RC = [
        [ int.from_bytes(sha256(b"FCSC2024#" + str(t*j + i).encode()).digest()) % p for i in range(t) ]
            for j in range(r)
        ]
M = [
        [ pow(i, j, p) for i in range(1, t + 1) ]
            for j in range(t)
        ]
M = Matrix(Zp, M)
RC = Matrix(Zp, RC)
M_inv = M^-1

In [2]:
R.<w, x, y, z> = PolynomialRing(Zp)
M = M.change_ring(R)
M_inv = M_inv.change_ring(R)
RC = RC.change_ring(R)
a = vector(R, [0, w, x, y, z])
eq1 = ((a - RC[r-1]) * M_inv) [0]
eq2 = ((((a - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) [0]
eq3 = ((((((a - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) - RC[r-3]) * M_inv) [0]

In [3]:
(((((((a - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) - RC[r-3]) * M_inv) - RC[r-4])

(2433945398614443267*w + 4035225266123977517*x + 13450750887079874305*y + 5156121173380622652*z + 1015596098481985935, 16172926661846068052*w + 17501988951878917645*x + 7440613784360867453*y + 16485176236010399592*z + 119311557376106416, 6698687445748103935*w + 200159983438701981*x + 18259928089166768300*y + 13393371691827458736*z + 12472479660019071386, 9959960775909152889*w + 10936741495089948094*x + 757939137287836220*y + 18102468902195006633*z + 6649002295863063683, 7776882556537851819*w + 8831058469314946149*x + 9282085631996791003*y + 7583394572547119638*z + 2825490029654343536)

In [3]:
I = ideal(eq1, eq2, eq3 - 1)
B = I.groebner_basis()
B

[w + 5454712479041589855*z + 5001208985077240504, x + 2090050133024356058*z + 4039625023146769361, y + 4338721752191263340*z + 2986488571379101370]

In [4]:
z_ = (-w-5001208985077240504)/5454712479041589855
x_ = -2090050133024356058*z_ - 4039625023146769361
y_ = -4338721752191263340*z_ - 2986488571379101370
b = vector (R, [0, w, x_, y_, z_])

In [5]:
b

(0, w, 7751347071044020053*w + 2576907283469568520, 6450505145341482446*w + 8055939484761974218, 10079287237395866381*w + 2165418917895301056)

In [6]:
((b - RC[r-1]) * M_inv)

(0, 17945875178578098568*w + 11241143140465011357, 6391206445173276152*w + 10140529068645689973, 7430611963215986115*w + 4149570249540599250, 5125794560451742279*w + 11659556258662952884)

In [7]:
((((b - RC[r-1]) * M_inv) - RC[r-2]) * M_inv)

(0, 15852705652200377123*w + 18168003481057354437, 8403570614927655715*w + 9915901573114470822, 8137720991636860923*w + 17346490002983036698, 4499490888654209353*w + 17289904088884833071)

In [8]:
((((((b - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) - RC[r-3]) * M_inv)

(1, 42930435621426764*w + 14982809978410377897, 14073563353084841678*w + 10489044681462750960, 11420583639715602675*w + 10118795323305227223, 11356410718997231997*w + 1184250976724213368)

In [9]:
(((((((b - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) - RC[r-3]) * M_inv) - RC[r-4]) * M_inv

(2326101326505609977*w + 13944028497482579535, 1711397453578478046*w + 18165981654718844070, 3662386458591806325*w + 6879252824125546118, 3285569541195114492*w + 11812088561844985364, 7461289293838542717*w + 56665791945803990)

In [10]:
S.<w> = PolynomialRing(Zp)
b = b.change_ring(S)
M_inv = M_inv.change_ring(S)

In [11]:
def R(r, S):
    S = S * M
    S = S + RC[r]
    e = pow(3, -r, p - 1)
    S[0] = S[0]**e
    return S

def R_inv (r, S):
    e = pow(3, r, p - 1)
    S[0] = S[0]**e
    S = S - RC[r]
    S = S * M_inv
    return S

In [12]:
from tqdm import tqdm
X = b
for i in tqdm(range (r-1, -1, -1)):
    X = R_inv(i, X)

100%|█████████████████████████████████████████████| 9/9 [05:52<00:00, 39.17s/it]


In [13]:
P = X[0].numerator().univariate_polynomial()

In [17]:
Q = gcd(pow(w, p, P) - w, P) 

In [18]:
Q.any_root()

12800800085395480984

In [31]:
X[0].numerator()

6720419198742819826*w^59049 + 2112321553473414407*w^59048 + 6581391925060141464*w^59047 + 4155071083570034063*w^59046 + 14960252702756217050*w^59045 + 3434590113477346856*w^59044 + 866892026388635833*w^59043 + 18070553673604244870*w^59042 + 16284773511608046629*w^59041 + 16519974866478873267*w^59040 + 4971033112470914581*w^59039 + 61159364757151903*w^59038 + 3973888600561645702*w^59037 + 12523543602327586803*w^59036 + 17324482261470850852*w^59035 + 7216903438635950990*w^59034 + 9391865342765422514*w^59033 + 9692561037571265108*w^59032 + 95069611127391606*w^59031 + 841400945474774668*w^59030 + 16579930603059011455*w^59029 + 16777777165734086252*w^59028 + 13990111381504441561*w^59027 + 16956319340937804883*w^59026 + 15551391799715178413*w^59025 + 5363159071143763746*w^59024 + 4218520029951781023*w^59023 + 8384640755002480029*w^59022 + 14060247300078788985*w^59021 + 2386420256306100845*w^59020 + 1251500924069464318*w^59019 + 7636212235812016274*w^59018 + 8421526427895633384*w^59017 + 2905

In [16]:
def double_and_add(P):
    res = 1
    temp = w
    for bit in bin(p)[2:][::-1]: 
       if bit == "1":            
           res = res*temp % P# point add
       temp = temp**2 % P # double
    return (res - w)
gcd(double_and_add(P), P)

w^2 + 6221971758147678376*w + 1690337057228624673

In [18]:
Q = w^2 + 6221971758147678376*w + 1690337057228624673
Q.roots()

[(17870716303875943754, 1), (12800800085395480984, 1)]

In [24]:
u = b(w=Q.any_root())
aop(aop_inv(u))

(0, 12800800085395480984, 4913644272895075058, 4320020561816037913, 14339478968027157763)

In [140]:
from tqdm import tqdm
Y = check
for i in tqdm(range (r-1, -1, -1)):
    Y = R_inv(i, check)
    print(i, Y)

100%|███████████████████████████████████████████| 9/9 [00:00<00:00, 1375.78it/s]

8 (0, 15093164647038454362, 9650883575931930148, 14799806655461532227, 16093687912591888284)
7 (7749230036014372372, 10091059737912831835, 15978001480640403643, 9779233006086191128, 676030811676344493)
6 (10491150818273440837, 13275016177265692427, 5670132167014969221, 3451800636707528027, 3886801160640938937)
5 (3712481066994129028, 13684750081035832200, 842807185659570183, 11082488535181525802, 3088746387537150306)
4 (4223741428771591737, 16430729518217108864, 2636015167385177545, 2916541429905278741, 13700455022311088372)
3 (6262979508748924591, 2154834105996703491, 15978477450934593377, 534761122388066941, 6260184081342874420)
2 (13735998343319716296, 9425281175717415267, 493028012300012845, 875203374178931676, 8927742220159795686)
1 (8445302355753242392, 13191140531428554909, 14974687990342938825, 1405807005241855660, 15957740265312852092)
0 (11701109563336180139, 9711999861191849550, 18025966311145941308, 6080429651733741353, 15033990730433179832)





In [44]:
R_inv(0, R(0, Y)) == Y

NameError: name 'Y' is not defined

In [43]:
def aop(X):
    for i in range (r):
        X = R(i, X)
    return X
def aop_inv(X):
    for i in range (r-1, -1, -1):
        X = R_inv(i, X)
    return X

In [38]:
aop_inv(u)

OverflowError: Python int too large to convert to C long

In [25]:
u

(0, 12800800085395480984, 4913644272895075058, 4320020561816037913, 14339478968027157763)

In [32]:
P = X[0].numerator().univariate_polynomial()
Q = gcd(pow(w, p, P) - w, P)

r = Q.any_root()

u = X(w=r)

print("[+] found solution!")
print(u)


[+] found solution!
(0, 14943802172708370896, 2591253059790796825, 5560997863685283522, 9069998101027961552)


In [54]:
RC = [
        [ int.from_bytes(sha256(b"FCSC2024#" + str(t*j + i).encode()).digest()) % p for i in range(t) ]
            for j in range(r)
        ]
RC = Matrix(Zp, RC)

KeyboardInterrupt: 

In [58]:
aop(u)

(0, 12800800085395480984, 4913644272895075058, 4320020561816037913, 14339478968027157763)

In [56]:
r

12800800085395480984

In [60]:
I.dimension()

1

In [61]:
P = X[0].numerator().univariate_polynomial()
Q = gcd(pow(w, p, P) - w, P)

u = X(w=Q.any_root())

print("[+] found solution!")
print(aop_inv(u))


[+] found solution!
(11973833112604868124, 6877640217488612210, 7396016656544614758, 16976296790004471448, 7070797802178188106)


In [79]:
e = B[2]

In [80]:
e.variables()

(y, z)

In [89]:
S.<w> = PolynomialRing(Zp)
b = b.change_ring(S)
M = M.change_ring(S)
M_inv = M_inv.change_ring(S)

print("[+] beginning of computation of univariate system, this may take some time")
X = b
for i in range (r-1, -1, -1):
    X = R_inv(i, X)
print("[+] end of computation of univariate system")

[+] beginning of computation of univariate system, this may take some time
[+] end of computation of univariate system


In [85]:
P = X[0]


In [87]:
P.any_root()

17870716303875943754

In [108]:
from hashlib import sha256

# ------------------ SETUP ------------------ #

p = 18446744073709551557
Zp = FiniteField(p)
t = 5
r = 9 
RC = [
        [ int.from_bytes(sha256(b"FCSC2024#" + str(t*j + i).encode()).digest()) % p for i in range(t) ]
            for j in range(r)
        ]
M = [
        [ pow(i, j, p) for i in range(1, t + 1) ]
            for j in range(t)
        ]
M = Matrix(Zp, M)
RC = Matrix(Zp, RC)
M_inv = M^-1

def R(r, S):
    global M, RC
    S = S * M
    S = S + RC[r]
    e = pow(3, -r, p - 1)
    S[0] = S[0]**e
    return S

def R_inv (r, S):
    global M, RC
    e = pow(3, r, p - 1)
    S[0] = S[0]**e
    S = S - RC[r]
    S = S * M_inv
    return S

def aop(X):
    global r
    for i in range (r):
        X = R(i, X)
    return X

def aop_inv(X):
    global r
    for i in range (r-1, -1, -1):
        X = R_inv(i, X)
    return X

# ------------------------------------------- #


### Skipping last 3 rounds of AOP with an affine space of dim 1 

R.<w, x, y, z> = PolynomialRing(Zp)
M = M.change_ring(R)
M_inv = M_inv.change_ring(R)
RC = RC.change_ring(R)

a = vector(R, [0, w, x, y, z])
# 3 equations removing 3 of the 4 degrees of liberty
eq1 = ((a - RC[r-1]) * M_inv) [0]
eq2 = ((((a - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) [0]
eq3 = ((((((a - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) - RC[r-3]) * M_inv) [0]
I = ideal(eq1, eq2, eq3 - 1)
B = I.groebner_basis()
# solve linear system by hand 
z_ = (-w-5001208985077240504)/5454712479041589855
x_ = -2090050133024356058*z_ - 4039625023146769361
y_ = -4338721752191263340*z_ - 2986488571379101370
b = vector (R, [0, w, x_, y_, z_]) 

### computation of univariate system to solve CICO

S.<w> = PolynomialRing(Zp)
b = b.change_ring(S)
M = M.change_ring(S)
M_inv = M_inv.change_ring(S)
RC = RC.change_ring(S)


print("[+] beginning of computation of univariate system, this may take some time")
X = b
for i in range (r-1, -1, -1):
    X = R_inv(i, X)
print("[+] end of computation of univariate system")

### computation of a root of univariate

print("[+] beginning of computation of univariate system, this may take some time")

P = X[0]
Q = gcd(pow(w, p, P) - w, P)

u = X(w=Q.any_root())

print("[+] found solution!")
print(aop_inv(u))


[+] beginning of computation of univariate system, this may take some time
[+] end of computation of univariate system
[+] beginning of computation of univariate system, this may take some time
[+] found solution!
(11973833112604868124, 6877640217488612210, 7396016656544614758, 16976296790004471448, 7070797802178188106)


In [91]:
M.inverse()

[                   5  1537228672809129290  3843071682022823244 16909515400900422260 14603672391686728316]
[18446744073709551547 15372286728091292982  3074457345618258583  3074457345618258595 15372286728091292964]
[                  10  9223372036854775759 13835058055282163680 18446744073709551554 13835058055282163668]
[18446744073709551552  3074457345618258603  3074457345618258586 15372286728091292966 15372286728091292964]
[                   1  7686143364045646480 13066443718877599021  1537228672809129296 14603672391686728316]

In [109]:
G = Matrix([eq1.coefficients(),
eq2.coefficients(), 
 eq3.coefficients()])  

In [144]:
eq1

18446744073709551547*w + 10*x + 18446744073709551552*y + z + 12345205671218884834

In [143]:
eq1.monomial_coefficient(z)

12345205671218884834

In [134]:
eq1

18446744073709551547*w + 10*x + 18446744073709551552*y + z + 12345205671218884834

In [145]:
R.<w, x, y, z> = PolynomialRing(Zp)
M = M.change_ring(R)
M_inv = M_inv.change_ring(R)
RC = RC.change_ring(R)

a = vector(R, [0, w, x, y, z])
# 3 equations removing 3 of the 4 degrees of liberty
eq1 = ((a - RC[r-1]) * M_inv) [0]
eq2 = ((((a - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) [0]
eq3 = ((((((a - RC[r-1]) * M_inv) - RC[r-2]) * M_inv) - RC[r-3]) * M_inv) [0]

In [154]:
A = [[eq1.monomial_coefficient(s) for s in [w, x, y, z]],
     [eq2.monomial_coefficient(s) for s in [w, x, y, z]], 
     [eq3.monomial_coefficient(s) for s in [w, x, y, z]]
    ]


In [156]:
t = Matrix(t)

In [171]:
t.solve_right(3*vector([1, 1, 1]))

(2320697544986274151, 11897621237340121201, 15464498569965783788, 0)