In [33]:
from __future__ import annotations

import base64
import json
import os

from Crypto.Cipher import AES
from Crypto.Hash import SHA512
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Util.number import long_to_bytes


MAX_STEPS = 5
BASE_CURVE = 0

SECRET_TEXT = b"This is just a dummy-text with a gctf{DUMMY_FLAG} dummy flag"

# Many thanks to Lorenz Panny (https://yx7.cc/) for providing a 
# baseimplementation of CSIDH in sage :)


class CSIDH:
    def __init__(self, primes: list[int]) -> CSIDH:
        self.primes = set(primes)
        self.p = 4 * prod(self.primes) - 1
        if not is_prime(self.p):
            print("Error, p is not a prime")
            exit(1)

        self.priv = [
            randrange(-MAX_STEPS, MAX_STEPS + 1) for _ in range(len(self.primes))
        ]

    def montgomery_coefficient(self, E):
        Ew = E.change_ring(GF(self.p)).short_weierstrass_model()
        _, _, _, a, b = Ew.a_invariants()
        R.<z> = GF(self.p)[]
        r = (z**3 + a*z + b).roots(multiplicities=False)[0]
        s = sqrt(3 * r**2 + a)
        if not is_square(s): s = -s
        A = 3 * r / s
        assert CSIDH.montgomery_curve(A, self.p).change_ring(GF(self.p)).is_isomorphic(Ew)
        return GF(self.p)(A)

    def action(self, pub):
        E = CSIDH.montgomery_curve(pub, self.p)
        es = self.priv[:]

        while any(es):
            E._order = (self.p + 1)**2

            P = E.lift_x(GF(self.p).random_element())
            s = +1 if P.xy()[1] in GF(self.p) else -1
            k = prod(l for l, e in zip(self.primes, es) if sign(e) == s)
            P *= (self.p + 1) // k

            for i, (l, e) in enumerate(zip(self.primes, es)):

                if sign(e) != s: continue

                Q = k // l * P
                if not Q: continue
                Q._order = l
                phi = E.isogeny(Q)

                E, P = phi.codomain(), phi(P)
                es[i] -= s
                k //= l

        return self.montgomery_coefficient(E)

    @staticmethod
    def validate(A, primes):
        p = 4 * prod(set(primes)) - 1

        while True:
            k = 1
            P = CSIDH.montgomery_curve(A, p).lift_x(GF(p).random_element())
            for l in set(primes):
                Q = (p + 1) // l * P
                if not Q: continue
                if l * Q: return False
                k *= l
                if k > 4 * sqrt(p): return True
    
    @staticmethod
    def montgomery_curve(A, p):
        Fp2.<i> = GF(p**2, modulus = x**2 + 1)
        return EllipticCurve(Fp2, [0, A, 0, 1, 0])


In [43]:
#p = 12959456557067361712384024746379793830601915837667680587668447897474899951780816971683771956821720947533009322245297643751451495017497326024669948837896093
#p = 11116330492821741564211699431464181354023142964060118538243670238498029185233938989054823344817816785070863347254052409937707662219694461395013791528574897
p = 55541
primes_list = [p] * 75
print(primes_list)
csidh = CSIDH(primes_list)
csidh.action(BASE_CURVE)

[55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541, 55541]


ValueError: the degree of the modulus does not equal the degree of the field

In [2]:
primes_list = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 587]

csidh = CSIDH(primes_list)
bobs_resulting_curve = 3598894395515401842313465584971980800039377895742359654348981859659353336111199051823284318292160975526136148376327469429183227738632638406660792580155527

derived_secret = csidh.action(bobs_resulting_curve)

aes_secret_key = PBKDF2(
    long_to_bytes(int(derived_secret)),
    b"secret_salt",
    count=1000000,
    hmac_hash_module=SHA512
)

cipher = AES.new(aes_secret_key, AES.MODE_GCM)

In [4]:
result = {"Nonce": "L5KGxwFntei7GU3GQYNgZg==", "CT": "tPZCIpISvJb3gK4jSLC5JWJLi+zJ2/9dEAfCfqnx+I3lwRZ3YgixjmICrRzMvgBgAT8BKU6oZ8APu5Iy19tmT5fpNDusFpTUj65C+9q7Z660jfyPbeFx7zBornwpaMVpvZxwsao3vpVsGHe/wx1GaldFRwje98fYQv+aSFk+9l0fmaAofWeNYv3+EE3Gbv2wkBJblL/lAHl0dgHTaq194+dsdB8ony2B6NiXq3Z+5bXR3j76e+ol2TZ39Uhrr56nqhu5qk2JPqmR1k68Ow==", "Tag": "Tg2MsWS60WmE4DV5CwiPYQ=="}


cipher2 = AES.new(
    aes_secret_key,
    AES.MODE_GCM,
    nonce=base64.b64decode(result['Nonce'])
)
plaintext = cipher2.decrypt_and_verify(
    base64.b64decode(result['CT']),
    base64.b64decode(result['Tag']),
)
plaintext

ValueError: MAC check failed

In [1]:
for i in [2, 3, 5, 7, 11, 13]:
    for pw in range(75, 100):
        p = 4 * pow(i, pw) - 1
        if is_prime(p):
            print(i, pw)

2 87
3 95


In [4]:
MAX_STEPS = 5
def read_bobs_primes(primes_strs):

    primes = []
    security_level = 1
    for prime_str in primes_strs:
        try:
            prime_int = int(prime_str.strip())
            # we need to make sure that the securitylevel is met
            if not is_prime(prime_int):
                print(f"Bob, {prime_int} is not a prime.")
                print("Stop trolling, I seriously need your attention")
                print("Message me if you are done with trolling")
                exit(-1)
            security_level *= (2 * MAX_STEPS + 1)
            primes.append(prime_int)
        except ValueError:
            print(f"Bob, {prime_str} does not look like an integer to me")
            print("Please avoid trolling me, I'll no longer talk to you!")
            exit(-2)

    if security_level < 0xff00000000000000000000000000000000000000000000000000000000000000:
        print("Bob, please read the specification!")
        print("The security level is not met, Eve will be able to listen!")
        exit(-3)

    return primes

read_bobs_primes(['2'] * 87)

[2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2,
 2]

In [32]:
print([3] * 95)

[3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3]


In [42]:
from Crypto.Util.number import getPrime
from tqdm import tqdm

for _ in tqdm(range(1000)):
    x = getPrime(16)
    if is_prime(4*x - 1):
        print(x)

 18%|█▊        | 183/1000 [00:00<00:00, 946.13it/s]

55541
53267
50111
49523
34313
61211
61001
58013
63311
43853
37871
41333
41507
39953
45137
61211
57527
39953
40751
48947
42953
64601
54251
55457

 48%|████▊     | 475/1000 [00:00<00:00, 952.07it/s]


50033
53381
47807
62801
42131
46997
43691
36947
40751
43481
37223
64781
53267
33071
38933
64781
64553
42131
51407


 69%|██████▉   | 689/1000 [00:00<00:00, 1014.33it/s]

61283
50891
51797
42953
41681
55661
50753
38861
49871
40841
48857
44453
47381
59333
63377
36947
59333
63521
35171
37181
53693
46691
60413
36821
51563
56843
32843
55763
63761
32987
56957
65381

 89%|████████▉ | 890/1000 [00:00<00:00, 953.67it/s] 


61151
36887
58727
47123
51407
59141
49193
47381
34607
62903
63311
43991
37253
62171
37217
33191
33083
62207
44273
40787
41681
53171
37217
35111
37217
53717
55073
59333

100%|██████████| 1000/1000 [00:01<00:00, 879.52it/s]


37253
59141
33851
41177
34361



