# Cryptohack Challenges 02 - Modular Arithmetic

### Greatest Common Divisor (GCD)

The Greatest Common Divisor (GCD), sometimes known as the highest common factor, is the largest number which divides two positive integers (a,b)(a,b).

For a=12,b=8a=12,b=8 we can calculate the divisors of aa: {1,2,3,4,6,12}{1,2,3,4,6,12} and the divisors of bb: {1,2,4,8}{1,2,4,8}. Comparing these two, we see that gcd⁡(a,b)=4gcd(a,b)=4.

Now imagine we take a=11,b=17a=11,b=17. Both aa and bb are prime numbers. As a prime number has only itself and 11 as divisors, gcd⁡(a,b)=1gcd(a,b)=1.

We say that for any two integers a,ba,b, if gcd⁡(a,b)=1gcd(a,b)=1 then aa and bb are coprime integers.

If aa and bb are prime, they are also coprime. If aa is prime and b<ab<a then aa and bb are coprime.

Think about the case for aa prime and b>ab>a, why are these not necessarily coprime?

There are many tools to calculate the GCD of two integers, but for this task we recommend looking up Euclid's Algorithm.

Try coding it up; it's only a couple of lines. Use a=12,b=8a=12,b=8 to test it.

Now calculate gcd⁡(a,b)gcd(a,b) for a=66528,b=52920a=66528,b=52920 and enter it below. 

In [8]:
# Function to calculate GCD using Euclid's algorithm
def gcd(a, b):
    while b != 0:
        a, b = b, a % b  # Repeatedly apply the algorithm until b becomes 0
    return a

# Test case with given values
gcd_test = gcd(12, 8)

# Main calculation for the provided values
gcd_main = gcd(66528, 52920)

gcd_test, gcd_main

(4, 1512)

## Extended GCD

Let aa and bb be positive integers.

The extended Euclidean algorithm is an efficient way to find integers u,vu,v such that

a⋅u+b⋅v=gcd⁡(a,b)a⋅u+b⋅v=gcd(a,b)

Later, when we learn to decrypt RSA ciphertexts, we will need this algorithm to calculate the modular inverse of the public exponent.

Using the two primes p=26513,q=32321p=26513,q=32321, find the integers u,vu,v such that

p⋅u+q⋅v=gcd⁡(p,q)p⋅u+q⋅v=gcd(p,q)

Enter whichever of uu and vv is the lower number as the flag.

Knowing that p,qp,q are prime, what would you expect gcd⁡(p,q)gcd(p,q) to be? For more details on the extended Euclidean algorithm, check out this page. 

In [11]:
# Using extended Eculidean Algorithm to find u and v, such that a*u + b*v = gcd(a, b)
def extended_gcd(a, b):
    if b == 0:
        return a, 1, 0 # EA base case: When b becomes 0, gcd of a and 0 is a
    gcd_value, u, v = extended_gcd(b, a % b) # Recursive call
    return gcd_value, v, u - (a // b) * v # Important to note that v comes before u here, as v becomes the new u

# Given prime values for p and q
p = 26513
q = 32321

# Using the extended Euclidean algorithm to find u and v
gcd_value, u, v = extended_gcd(p, q)

# Since gcd(p, q) for prime p and q should be 1, we expect gcd_val to be 1
gcd_value, u, v, min(u, v)  # Output the values and the lower of u and v as the flag


(1, 10245, -8404, -8404)

In [13]:
"""
Calculate the following integers:

11 ≡ x mod 6
8146798528947 ≡ y mod 17

The solution is the smaller of the two integers,(x,y), you obtained after reducing by the modulus. 
"""

# Define the given values and moduli
a1, m1 = 11, 6  # For x in the equation 11 ≡ x mod 6
a2, m2 = 8146798528947, 17  # For y in the equation 8146798528947 ≡ y mod 17

# Calculate the remainders (x and y) using modulo operation
x = a1 % m1
y = a2 % m2

# Output the results and the smaller of the two values
x, y, min(x, y)


(5, 4, 4)

In [36]:
# Modular Arithmetic 2
"""
Lets say we pick p=17. Calculate 3exp17 mod. Now do the same but with 5exp17 mod 17.

What would you expect to get for 7exp16 mod 17? Try calculating that.

This interesting fact is known as Fermat's little theorem. We'll be needing this (and its generalisations) when we look at RSA cryptography.

Now take the prime p=65537. Calculate 273246787654exp65536 mod 65537.

Did you need a calculator? 
"""

# Attempt 1: Fermat's Little Theorem calculations

prime1 = 17
mod_exponent_1 = pow(3, 17, prime1)
mod_exponent_2 = pow(5, 17, prime1)
mod_exponent_3 = pow(7, 16, prime1)

prime2 = 65537          #exp         #mod
large_base = 273246787654    #base

# From Fermats little theorem, we know that 27324678765465536 ** 65537 ≡ 1 mod 65537 
# Thus we only need to raise the base to the first power to find the answer
mod_exponent_fermat_1 = pow(large_base, 1, prime2)
mod_exponent_fermat_2 =  (273246787654 ** 1) % 65537

print(f"{large_base}^{prime2} mod {prime2} using Fermat's Little Theorem = {mod_exponent_fermat_1}")
print(f"{large_base}^{prime2} mod {prime2} using Fermat's Little Theorem = {mod_exponent_fermat_2}")


# Y U NO WORK!?!?!?!?

273246787654^65537 mod 65537 using Fermat's Little Theorem = 31167
273246787654^65537 mod 65537 using Fermat's Little Theorem = 31167


In [32]:
# Attempt 2: Fermat's Little Theorem calculations

# Function to calculate (base ** exponent) % modulus
def mod_exp(base, exponent, modulus):
    return pow(base, exponent, modulus)

# Step 1: Calculate 3^17 mod 17
result_3_17 = mod_exp(3, 17, 17)
print(f"3^17 mod 17 = {result_3_17}")

# Step 2: Calculate 5^17 mod 17
result_5_17 = mod_exp(5, 17, 17)
print(f"5^17 mod 17 = {result_5_17}")

# Step 3: Calculate 7^16 mod 17
result_7_16 = mod_exp(7, 16, 17)
print(f"7^16 mod 17 = {result_7_16}")

# Step 4: Calculate 273246787654^65536 mod 65537
result_large = mod_exp(273246787654, 65536, 65537)
print(f"273246787654^65536 mod 65537 = {result_large}")


# Y U WORK!?!?!?!?

3^17 mod 17 = 3
5^17 mod 17 = 5
7^16 mod 17 = 1
273246787654^65536 mod 65537 = 1


In [37]:
# Modular inverting

inverse_element = pow(3, 11, 13)
print(inverse_element)

9


In [38]:
# Quadratic Residues

# Define variables
p = 29
ints = [14, 6, 11]

# Function to check if x is a quadratic residue modulo p and find its square root
def find_square_root_mod_p(x, p):
    for a in range(1, p):
        if (a * a) % p == x:
            return a  # Return the smaller root if found
    return None  # Return None if no root is found

# Iterate through the list to find the quadratic residue and its square root
for x in ints:
    root = find_square_root_mod_p(x, p)
    if root is not None:
        print(f"{x} is a quadratic residue modulo {p}. The smallest square root is {root}.")
    else:
        print(f"{x} is not a quadratic residue modulo {p}.")


14 is not a quadratic residue modulo 29.
6 is a quadratic residue modulo 29. The smallest square root is 8.
11 is not a quadratic residue modulo 29.


In [39]:
# Legendre Symbol

# Provided prime and integers
p = 101524035174539890485408575671085261788758965189060164484385690801466167356667036677932998889725476582421738788500738738503134356158197247473850273565349249573867251280253564698939768700489401960767007716413932851838937641880157263936985954881657889497583485535527613578457628399173971810541670838543309159139
ints = [
    25081841204695904475894082974192007718642931811040324543182130088804239047149283334700530600468528298920930150221871666297194395061462592781551275161695411167049544771049769000895119729307495913024360169904315078028798025169985966732789207320203861858234048872508633514498384390497048416012928086480326832803,
    45471765180330439060504647480621449634904192839383897212809808339619841633826534856109999027962620381874878086991125854247108359699799913776917227058286090426484548349388138935504299609200377899052716663351188664096302672712078508601311725863678223874157861163196340391008634419348573975841578359355931590555,
    17364140182001694956465593533200623738590196990236340894554145562517924989208719245429557645254953527658049246737589538280332010533027062477684237933221198639948938784244510469138826808187365678322547992099715229218615475923754896960363138890331502811292427146595752813297603265829581292183917027983351121325,
    14388109104985808487337749876058284426747816961971581447380608277949200244660381570568531129775053684256071819837294436069133592772543582735985855506250660938574234958754211349215293281645205354069970790155237033436065434572020652955666855773232074749487007626050323967496732359278657193580493324467258802863,
    4379499308310772821004090447650785095356643590411706358119239166662089428685562719233435615196994728767593223519226235062647670077854687031681041462632566890129595506430188602238753450337691441293042716909901692570971955078924699306873191983953501093343423248482960643055943413031768521782634679536276233318,
    85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771,
    50576597458517451578431293746926099486388286246142012476814190030935689430726042810458344828563913001012415702876199708216875020997112089693759638454900092580746638631062117961876611545851157613835724635005253792316142379239047654392970415343694657580353333217547079551304961116837545648785312490665576832987,
    96868738830341112368094632337476840272563704408573054404213766500407517251810212494515862176356916912627172280446141202661640191237336568731069327906100896178776245311689857997012187599140875912026589672629935267844696976980890380730867520071059572350667913710344648377601017758188404474812654737363275994871,
    4881261656846638800623549662943393234361061827128610120046315649707078244180313661063004390750821317096754282796876479695558644108492317407662131441224257537276274962372021273583478509416358764706098471849536036184924640593888902859441388472856822541452041181244337124767666161645827145408781917658423571721,
    18237936726367556664171427575475596460727369368246286138804284742124256700367133250078608537129877968287885457417957868580553371999414227484737603688992620953200143688061024092623556471053006464123205133894607923801371986027458274343737860395496260538663183193877539815179246700525865152165600985105257601565
]

# Function to calculate Legendre symbol
def legendre_symbol(a, p):
    return pow(a, (p - 1) // 2, p)

# Function to find square root using p = 3 mod 4
def modular_square_root(a, p):
    # Only valid if p ≡ 3 mod 4
    if p % 4 != 3:
        return None
    # Calculate square root
    root = pow(a, (p + 1) // 4, p)
    # Return the larger of the two roots
    return max(root, p - root)

# Find the quadratic residue and its square root
for x in ints:
    if legendre_symbol(x, p) == 1:  # x is a quadratic residue
        square_root = modular_square_root(x, p)
        print(f"Quadratic residue: {x}")
        print(f"Larger square root: {square_root}")
        break


Quadratic residue: 85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771
Larger square root: 93291799125366706806545638475797430512104976066103610269938025709952247020061090804870186195285998727680200979853848718589126765742550855954805290253592144209552123062161458584575060939481368210688629862036958857604707468372384278049741369153506182660264876115428251983455344219194133033177700490981696141526


In [40]:
# Modular Square Root

# Given large values of `a` and `p`
a = 8479994658316772151941616510097127087554541274812435112009425778595495359700244470400642403747058566807127814165396640215844192327900454116257979487432016769329970767046735091249898678088061634796559556704959846424131820416048436501387617211770124292793308079214153179977624440438616958575058361193975686620046439877308339989295604537867493683872778843921771307305602776398786978353866231661453376056771972069776398999013769588936194859344941268223184197231368887060609212875507518936172060702209557124430477137421847130682601666968691651447236917018634902407704797328509461854842432015009878011354022108661461024768
p = 30531851861994333252675935111487950694414332763909083514133769861350960895076504687261369815735742549428789138300843082086550059082835141454526618160634109969195486322015775943030060449557090064811940139431735209185996454739163555910726493597222646855506445602953689527405362207926990442391705014604777038685880527537489845359101552442292804398472642356609304810680731556542002301547846635101455995732584071355903010856718680732337369128498655255277003643669031694516851390505923416710601212618443109844041514942401969629158975457079026906304328749039997262960301209158175920051890620947063936347307238412281568760161

# Helper function for Tonelli-Shanks algorithm
def tonelli_shanks(a, p):
    # Step 1: Check if a is a quadratic residue modulo p
    if pow(a, (p - 1) // 2, p) != 1:
        return None  # No square root exists

    # Step 2: Check if p ≡ 3 mod 4, where a simpler method could be used
    if p % 4 == 3:
        root = pow(a, (p + 1) // 4, p)
        return min(root, p - root)

    # Tonelli-Shanks implementation for p ≡ 1 mod 4
    q = p - 1
    s = 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # Find a non-quadratic residue z
    z = 2
    while pow(z, (p - 1) // 2, p) == 1:
        z += 1

    # Initialize variables
    m = s
    c = pow(z, q, p)
    t = pow(a, q, p)
    r = pow(a, (q + 1) // 2, p)

    while t != 0 and t != 1:
        # Find the least i (0 < i < m) such that t^(2^i) ≡ 1 mod p
        t2i = t
        i = 0
        for i in range(1, m):
            t2i = pow(t2i, 2, p)
            if t2i == 1:
                break

        # Update variables
        b = pow(c, 2 ** (m - i - 1), p)
        m = i
        c = pow(b, 2, p)
        t = (t * c) % p
        r = (r * b) % p

    # Return the smaller of the two roots
    return min(r, p - r)

# Run the Tonelli-Shanks algorithm to find the square root
square_root = tonelli_shanks(a, p)
if square_root is not None:
    print(f"The smaller square root of a modulo p is: {square_root}")
else:
    print("No square root exists for a modulo p.")


The smaller square root of a modulo p is: 2362339307683048638327773298580489298932137505520500388338271052053734747862351779647314176817953359071871560041125289919247146074907151612762640868199621186559522068338032600991311882224016021222672243139362180461232646732465848840425458257930887856583379600967761738596782877851318489355679822813155123045705285112099448146426755110160002515592418850432103641815811071548456284263507805589445073657565381850521367969675699760755310784623577076440037747681760302434924932113640061738777601194622244192758024180853916244427254065441962557282572849162772740798989647948645207349737457445440405057156897508368531939120


In [41]:
# Chinese Remainder Theorem

from sympy import mod_inverse

# Given values
congruences = [(2, 5), (3, 11), (5, 17)]
N = 5 * 11 * 17  # Total modulus

# Calculate each term for the CRT solution
x = 0
for a_i, n_i in congruences:
    # Compute the partial modulus N_i
    N_i = N // n_i
    # Find the modular inverse of N_i modulo n_i
    M_i = mod_inverse(N_i, n_i)
    # Add the term a_i * N_i * M_i to the solution
    x += a_i * N_i * M_i

# Reduce x modulo N to find the smallest positive solution
x = x % N

print(f"The solution to x ≡ a mod 935 is x = {x}")


The solution to x ≡ a mod 935 is x = 872


In [49]:
# Adrien's Signs

from random import randint

a = 288260533169915
p = 1007621497415251

FLAG = b'crypto{????????????????????}'


def encrypt_flag(flag):
    ciphertext = []
    plaintext = ''.join([bin(i)[2:].zfill(8) for i in flag])
    for b in plaintext:
        e = randint(1, p)
        n = pow(a, e, p)
        if b == '1':
            ciphertext.append(n)
        else:
            n = -n % p
            ciphertext.append(n)
    return ciphertext

print(encrypt_flag(FLAG))



[394611645735250, 261071857027019, 523235825198571, 179487736525191, 920444992763049, 782328543935997, 204592181569458, 505018845047567, 493189792002557, 12669244284113, 993090465841915, 15795276677442, 151214110920375, 734813258349958, 895357486615927, 96823534431547, 682328506726921, 105034267998005, 604254734942271, 783824784523279, 690816846548420, 837518314591783, 867141185837211, 998384313021052, 895376179631649, 200277816906603, 20827521299394, 220804872126137, 479890020480581, 278391089342586, 629863756447308, 458283668380142, 16555850274412, 580212671679185, 540430854294191, 173256166720767, 73899898455498, 662246690471475, 336277477825553, 627179362947593, 250138433467028, 436257525218115, 578663452413702, 128970643222757, 962664181741130, 807986930837630, 352478057247580, 195562030417913, 234304696627329, 207141000519440, 410705747812378, 980672058150660, 270092312053199, 892682913866565, 81597856024210, 995448539690524, 967781922434680, 656083847942890, 108462562337278, 121

In [61]:
# Adrien's Signs solution
from Crypto.Util.number import long_to_bytes
data = [67594220461269, 501237540280788, 718316769824518, 296304224247167, 48290626940198, 30829701196032, 521453693392074, 840985324383794, 770420008897119, 745131486581197, 729163531979577, 334563813238599, 289746215495432, 538664937794468, 894085795317163, 983410189487558, 863330928724430, 996272871140947, 352175210511707, 306237700811584, 631393408838583, 589243747914057, 538776819034934, 365364592128161, 454970171810424, 986711310037393, 657756453404881, 388329936724352, 90991447679370, 714742162831112, 62293519842555, 653941126489711, 448552658212336, 970169071154259, 339472870407614, 406225588145372, 205721593331090, 926225022409823, 904451547059845, 789074084078342, 886420071481685, 796827329208633, 433047156347276, 21271315846750, 719248860593631, 534059295222748, 879864647580512, 918055794962142, 635545050939893, 319549343320339, 93008646178282, 926080110625306, 385476640825005, 483740420173050, 866208659796189, 883359067574584, 913405110264883, 898864873510337, 208598541987988, 23412800024088, 911541450703474, 57446699305445, 513296484586451, 180356843554043, 756391301483653, 823695939808936, 452898981558365, 383286682802447, 381394258915860, 385482809649632, 357950424436020, 212891024562585, 906036654538589, 706766032862393, 500658491083279, 134746243085697, 240386541491998, 850341345692155, 826490944132718, 329513332018620, 41046816597282, 396581286424992, 488863267297267, 92023040998362, 529684488438507, 925328511390026, 524897846090435, 413156582909097, 840524616502482, 325719016994120, 402494835113608, 145033960690364, 43932113323388, 683561775499473, 434510534220939, 92584300328516, 763767269974656, 289837041593468, 11468527450938, 628247946152943, 8844724571683, 813851806959975, 72001988637120, 875394575395153, 70667866716476, 75304931994100, 226809172374264, 767059176444181, 45462007920789, 472607315695803, 325973946551448, 64200767729194, 534886246409921, 950408390792175, 492288777130394, 226746605380806, 944479111810431, 776057001143579, 658971626589122, 231918349590349, 699710172246548, 122457405264610, 643115611310737, 999072890586878, 203230862786955, 348112034218733, 240143417330886, 927148962961842, 661569511006072, 190334725550806, 763365444730995, 516228913786395, 846501182194443, 741210200995504, 511935604454925, 687689993302203, 631038090127480, 961606522916414, 138550017953034, 932105540686829, 215285284639233, 772628158955819, 496858298527292, 730971468815108, 896733219370353, 967083685727881, 607660822695530, 650953466617730, 133773994258132, 623283311953090, 436380836970128, 237114930094468, 115451711811481, 674593269112948, 140400921371770, 659335660634071, 536749311958781, 854645598266824, 303305169095255, 91430489108219, 573739385205188, 400604977158702, 728593782212529, 807432219147040, 893541884126828, 183964371201281, 422680633277230, 218817645778789, 313025293025224, 657253930848472, 747562211812373, 83456701182914, 470417289614736, 641146659305859, 468130225316006, 46960547227850, 875638267674897, 662661765336441, 186533085001285, 743250648436106, 451414956181714, 527954145201673, 922589993405001, 242119479617901, 865476357142231, 988987578447349, 430198555146088, 477890180119931, 844464003254807, 503374203275928, 775374254241792, 346653210679737, 789242808338116, 48503976498612, 604300186163323, 475930096252359, 860836853339514, 994513691290102, 591343659366796, 944852018048514, 82396968629164, 152776642436549, 916070996204621, 305574094667054, 981194179562189, 126174175810273, 55636640522694, 44670495393401, 74724541586529, 988608465654705, 870533906709633, 374564052429787, 486493568142979, 469485372072295, 221153171135022, 289713227465073, 952450431038075, 107298466441025, 938262809228861, 253919870663003, 835790485199226, 655456538877798, 595464842927075, 191621819564547]
p = 1007621497415251
result  = int(''.join([str(int(pow(element,(p-1)//2,p)==1)) for element in data]),base=2)
print(long_to_bytes(result).decode())

crypto{p4tterns_1n_re5idu3s}


In [2]:
# Modular Binomials
from math import gcd

# Define the large constants
N = 14905562257842714057932724129575002825405393502650869767115942606408600343380327866258982402447992564988466588305174271674657844352454543958847568190372446723549627752274442789184236490768272313187410077124234699854724907039770193680822495470532218905083459730998003622926152590597710213127952141056029516116785229504645179830037937222022291571738973603920664929150436463632305664687903244972880062028301085749434688159905768052041207513149370212313943117665914802379158613359049957688563885391972151218676545972118494969247440489763431359679770422939441710783575668679693678435669541781490217731619224470152467768073
e1 = 12886657667389660800780796462970504910193928992888518978200029826975978624718627799215564700096007849924866627154987365059524315097631111242449314835868137
e2 = 12110586673991788415780355139635579057920926864887110308343229256046868242179445444897790171351302575188607117081580121488253540215781625598048021161675697
c1 = 14010729418703228234352465883041270611113735889838753433295478495763409056136734155612156934673988344882629541204985909650433819205298939877837314145082403528055884752079219150739849992921393509593620449489882380176216648401057401569934043087087362272303101549800941212057354903559653373299153430753882035233354304783275982332995766778499425529570008008029401325668301144188970480975565215953953985078281395545902102245755862663621187438677596628109967066418993851632543137353041712721919291521767262678140115188735994447949166616101182806820741928292882642234238450207472914232596747755261325098225968268926580993051
c2 = 14386997138637978860748278986945098648507142864584111124202580365103793165811666987664851210230009375267398957979494066880296418013345006977654742303441030008490816239306394492168516278328851513359596253775965916326353050138738183351643338294802012193721879700283088378587949921991198231956871429805847767716137817313612304833733918657887480468724409753522369325138502059408241232155633806496752350562284794715321835226991147547651155287812485862794935695241612676255374480132722940682140395725089329445356434489384831036205387293760789976615210310436732813848937666608611803196199865435145094486231635966885932646519

# Calculate left-hand side values
lhs1 = pow(c1, e2, N)
lhs2 = pow(c2, e1, N)

# Calculate right-hand side constants with exponents multiplied by e1 * e2
rhs_f1 = pow(5, e1 * e2, N)
rhs_f2 = pow(2, e1 * e2, N)

# Compute D and find q, then calculate p
D = (lhs1 * rhs_f1 - lhs2 * rhs_f2) % N
q = gcd(D, N)
p = N // q

# Output in specified format
print(f'crypto{{{p}, {q}}}')

crypto{112274000169258486390262064441991200608556376127408952701514962644340921899196091557519382763356534106376906489445103255177593594898966250176773605432765983897105047795619470659157057093771407309168345670541418772427807148039207489900810013783673957984006269120652134007689272484517805398390277308001719431273, 132760587806365301971479157072031448380135765794466787456948786731168095877956875295282661565488242190731593282663694728914945967253173047324353981530949360031535707374701705328450856944598803228299967009004598984671293494375599408764139743217465012770376728876547958852025425539298410751132782632817947101601}
