```PYTHON
from Crypto.Cipher import AES
from Crypto.Util.number import inverse
from Crypto.Util.Padding import pad, unpad
from collections import namedtuple
from random import randint
import hashlib
import os

# Create a simple Point class to represent the affine points.
Point = namedtuple("Point", "x y")

# The point at infinity (origin for the group law).
O = 'Origin'

def encrypt(secret):
    sha1 = hashlib.sha1()
    sha1.update(str(secret).encode('ascii'))
    key = sha1.digest()[:16]

    dt = open('flag.mp3','rb').read()
    # Encrypt flag
    cipher = AES.new(key, AES.MODE_ECB)

    ciphertext = cipher.encrypt(pad(dt, 16))

    open('flag.enc','wb').write(ciphertext)


def check_point(P: tuple):
    if P == O:
        return True
    else:
        return (P.y**2 - (P.x**3 + a*P.x + b)) % p == 0 and 0 <= P.x < p and 0 <= P.y < p


def point_inverse(P: tuple):
    if P == O:
        return P
    return Point(P.x, -P.y % p)


def point_addition(P: tuple, Q: tuple):
    if P == O:
        return Q
    elif Q == O:
        return P
    elif Q == point_inverse(P):
        return O
    else:
        if P == Q:
            lam = (3*P.x**2 + a)*inverse(2*P.y, p)
            lam %= p
        else:
            lam = (Q.y - P.y) * inverse((Q.x - P.x), p)
            lam %= p
    Rx = (lam**2 - P.x - Q.x) % p
    Ry = (lam*(P.x - Rx) - P.y) % p
    R = Point(Rx, Ry)
    assert check_point(R)
    return R


def double_and_add(P: tuple, n: int):
    Q = P
    R = O
    while n > 0:
        if n % 2 == 1:
            R = point_addition(R, Q)
        Q = point_addition(Q, Q)
        n = n // 2
    assert check_point(R)
    return R


def gen_shared_secret(Q: tuple, n: int):
    S = double_and_add(Q, n)
    return S.x


p = ...
a = ...
b = ...


g_x = ...
g_y = ...
G = Point(g_x, g_y)


n = randint(1, p)

public = double_and_add(G, n)

key = gen_shared_secret(public,n)
encrypt(key)
decrypt(key)
```

In [1]:
from Crypto.Cipher import AES
from Crypto.Util.number import inverse
from Crypto.Util.Padding import pad, unpad
from collections import namedtuple
from random import randint
import hashlib
import os

# Create a simple Point class to represent the affine points.
Point = namedtuple("Point", "x y")

# The point at infinity (origin for the group law).
O = 'Origin'

def encrypt(secret):
    sha1 = hashlib.sha1()
    sha1.update(str(secret).encode('ascii'))
    key = sha1.digest()[:16]

    dt = open('flag.mp3','rb').read()
    # Encrypt flag
    cipher = AES.new(key, AES.MODE_ECB)

    ciphertext = cipher.encrypt(pad(dt, 16))

    open('flag.enc','wb').write(ciphertext)


def check_point(P: tuple):
    if P == O:
        return True
    else:
        return (P.y**2 - (P.x**3 + a*P.x + b)) % p == 0 and 0 <= P.x < p and 0 <= P.y < p


def point_inverse(P: tuple):
    if P == O:
        return P
    return Point(P.x, -P.y % p)


def point_addition(P: tuple, Q: tuple):
    if P == O:
        return Q
    elif Q == O:
        return P
    elif Q == point_inverse(P):
        return O
    else:
        if P == Q:
            lam = (3*P.x**2 + a)*inverse(2*P.y, p)
            lam %= p
        else:
            lam = (Q.y - P.y) * inverse((Q.x - P.x), p)
            lam %= p
    Rx = (lam**2 - P.x - Q.x) % p
    Ry = (lam*(P.x - Rx) - P.y) % p
    R = Point(Rx, Ry)
    assert check_point(R)
    return R


def double_and_add(P: tuple, n: int):
    Q = P
    R = O
    while n > 0:
        if n % 2 == 1:
            R = point_addition(R, Q)
        Q = point_addition(Q, Q)
        n = n // 2
    assert check_point(R)
    return R


def gen_shared_secret(Q: tuple, n: int):
    S = double_and_add(Q, n)
    return S.x



In [2]:
p = 19930885203825540108513916323464619607890520613882110268999315402502483992713624056070847778485065788387695567162120805830837964237496163664777233360835853
a = 16964108867870875431022511847406074513505438269132199629926447105117327702973321429130078673611996313382775579316996202239740533714013559789369433905598853
b = 2557269903904682970099236538031735218462780844817175317697385659377007186785050969676938059088155922328011075081606354569621958862612850816694647002380820

E = EllipticCurve(GF(p), [a, b])
q = E.cardinality()
assert(p == q) # anomalous curve, we take an script which solves this ecdlp

# base point
G = E(11612316038801479962400723698427883310130163176291338759911281034170556609743457773032375965620429931675410389220512342834663089126659445523701533922313238,
      14492470559976609909614920150302533890662281539874542639808213982956316710837667114681496336361906718748053884513468343236055545337522055713141076615967243)

A = E(716447455218443211337138354910360820310039222467099750548875601978669948877653369670984450493776038314939273990792875030477209738905138162016103972822887,
      2577636835404844606086593513656242872409629115084680797009677298030035019056074660428408865132307063442440986937998752115629728860272800311376841076830297)

def a0(P, Q): 
    if P[2] == 0 or Q[2] == 0 or P == -Q: 
        return 0 
    if P == Q: 
        a = P.curve().a4() 
        return (3*P[0]^2+a)/(2*P[1]) 
    return (P[1]-Q[1])/(P[0]-Q[0]) 

def add_augmented(PP, QQ):
    (P, u), (Q, v) = PP, QQ
    return [P+Q, u + v + a0(P,Q)]

def scalar_mult(n, PP):
    t = n.nbits()
    TT = PP.copy()
    for i in range(1,t):
        bit = (n >> (t-i-1)) & 1
        TT = add_augmented(TT, TT)
        if bit == 1:
            TT = add_augmented(TT, PP)
    return TT

def solve_ecdlp(P,Q,p):
    R1, alpha = scalar_mult(p, [P,0])
    R2, beta  = scalar_mult(p, [Q,0])
    return ZZ(beta*alpha^(-1))
    

nA = solve_ecdlp(G,A,p)
assert(nA*G == A)


In [3]:
def decrypt(d):
    try:
        key = (d*d*G).xy()[0]
    except:
        return
    sha1 = hashlib.sha1()
    sha1.update(str(key).encode('ascii'))
    key = sha1.digest()[:16]

    dt = open('flag.enc','rb').read()
    # Encrypt flag
    cipher = AES.new(key, AES.MODE_ECB)

    try:
        ciphertext = unpad(cipher.decrypt(dt), 16)
        with open("prueba"+str(d)+".mp3", "wb") as f:
            f.write(ciphertext)
    except:
        return

In [4]:
decrypt(nA) # we should get a valid mp3 this way