# Part 1: PicoCTF excercises solution

# 1.1 The numbers (Done)

For the "The Numbers" challenge, the key observation was that the given numbers ranged from 1 to 26, which strongly suggested a simple substitution cipher known as A1Z26, where each number corresponds to a letter in the English alphabet (A=1, B=2, ..., Z=26).

# Method 1: Using ASCII Table and List Comprehension
I chose to use ASCII conversion because it provides a quick and efficient way to map numbers to letters. Since the ASCII value of 'A' is 65, the formula chr(num + 64) correctly maps numbers from 1–26 to their corresponding uppercase letters. Using list comprehension, I efficiently converted all numbers in one line.

# Method 2: Using a Dictionary for Mapping
I opted for this approach as an alternative to demonstrate a different way of solving the problem. Instead of relying on ASCII calculations, I explicitly created a dictionary mapping of numbers to letters. This method improves readability and can be useful when working with modified ciphers where direct ASCII manipulation is not applicable.


In [30]:
# Method 1: Using ASCII table and list comprehension
# List of numbers extracted from the image
numbers = [16, 9, 3, 15, 3, 20, 6, 20, 8, 5, 14, 21, 13, 2, 5, 18, 19, 13, 1, 19, 15, 14]

# Convert numbers to letters based on the A1Z26 cipher (A=1, B=2, ... Z=26)
decoded_text = ''.join(chr(num + 64) for num in numbers)  # Adjusting to match the ASCII table
flag = f"picoCTF{{{decoded_text}}}"
print("Method 1:", flag)  # Answer: picoCTF{THENUMBERSMASON}

# Method 2: Using a dictionary for mapping
# Create a dictionary that maps numbers to letters (A=1, B=2, ... Z=26)
mapping = {i: chr(i + 64) for i in range(1, 27)}

# List of numbers extracted from the image
numbers = [16, 9, 3, 15, 3, 20, 6, 20, 8, 5, 14, 21, 13, 2, 5, 18, 19, 13, 1, 19, 15, 14]

# Use the dictionary to convert each number to its corresponding letter
decoded_text = ''.join(mapping[num] for num in numbers)
flag = f"picoCTF{{{decoded_text}}}"
print("Method 2:", flag)  # Answer: picoCTF{THENUMBERSMASON}

Method 1: picoCTF{PICOCTFTHENUMBERSMASON}
Method 2: picoCTF{PICOCTFTHENUMBERSMASON}


# 1.2 interencdec (Done)

For the "interencdec" challenge, the main goal was to decode an encoded flag by applying multiple layers of encoding techniques. The two primary steps involved were Base64 decoding and Caesar cipher decryption.

# Method 1: Using an Iterative Caesar Shift Function
I initially chose this approach because it provides a step-by-step breakdown of the decryption process, making it easier to understand how each transformation affects the text.

Base64 Decoding (Twice):

The flag was encoded using Base64 two times, so the first step was to decode it twice to obtain the intermediate text.
I used Python’s base64.b64decode() function to achieve this.
Caesar Cipher Decryption (Shift of 7):

The resulting text was encoded with a Caesar cipher, which is a simple shift cipher that moves letters forward or backward in the alphabet.
By shifting the letters backward by 7, I was able to restore the original flag text.
I implemented a custom Caesar shift function that loops through each character, checking if it's a letter, and then shifting it accordingly while preserving the case (uppercase/lowercase).

# Method 2: Using a Translation Table for the Caesar Cipher
This method was chosen as a more efficient and Pythonic alternative to the first approach.

Base64 Decoding (Twice):

The same double Base64 decoding was applied.
Caesar Cipher Decryption with str.translate():

Instead of looping through each character manually, I used str.translate() with a precomputed translation table to map letters backward by 7 positions.
This approach improves performance because it eliminates the need for iterative character checks.

In [1]:
# Method 1: Using an Iterative Caesar Shift Function

import base64
import codecs

# Method 1: Using iterative Caesar shift with a loop

# Step 1: Read the encoded text from the file.
# Ensure that the file "enc_flag" contains exactly:
# YidkM0JxZGtwQlRYdHFhR3g2YUhsZmF6TnFlVGwzWVROclgyMHdNakV5TnpVNGZRPT0nCg==
with open("enc_flag", "r") as file:
    encoded_text = file.read().strip()

print("Original encoded text:", encoded_text)

# Step 2: Perform the first Base64 decoding.
decoded_bytes_1 = base64.b64decode(encoded_text)
decoded_text_1 = decoded_bytes_1.decode("utf-8", errors="ignore").strip()
print("After first Base64 decoding:", repr(decoded_text_1))

# Step 3: Remove extra byte-string delimiters if present.
if decoded_text_1.startswith("b'") and decoded_text_1.endswith("'"):
    decoded_text_1 = decoded_text_1[2:-1].strip()
    print("Removed extra delimiters. New string:", repr(decoded_text_1))
else:
    print("No extra delimiters found.")

# Step 4: Perform the second Base64 decoding.
try:
    decoded_bytes_2 = base64.b64decode(decoded_text_1)
    decoded_text_2 = decoded_bytes_2.decode("utf-8", errors="ignore").strip()
except Exception as e:
    print("Error during second Base64 decoding:", e)
    decoded_text_2 = ""

print("After second Base64 decoding:", decoded_text_2)

# Step 5: Define a Caesar shift function to shift letters backward by 7.
def caesar_shift(text, shift):
    result = ""
    for char in text:
        if char.isalpha():
            # Check if the character is uppercase or lowercase
            if char.isupper():
                base = ord('A')
                result += chr((ord(char) - base - shift) % 26 + base)
            else:
                base = ord('a')
                result += chr((ord(char) - base - shift) % 26 + base)
        else:
            result += char
    return result

# Apply the Caesar cipher with a shift of 7 (i.e., shifting letters 7 positions backward)
final_flag = caesar_shift(decoded_text_2, 7)
print("Final flag (Method 1):", final_flag) # Answer: picoCTF{caesar_d3cr9pt3d_f0212758}


Original encoded text: YidkM0JxZGtwQlRYdHFhR3g2YUhsZmF6TnFlVGwzWVROclgyMHdNakV5TnpVNGZRPT0nCg==
After first Base64 decoding: "b'd3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrX20wMjEyNzU4fQ=='"
Removed extra delimiters. New string: 'd3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrX20wMjEyNzU4fQ=='
After second Base64 decoding: wpjvJAM{jhlzhy_k3jy9wa3k_m0212758}
Final flag (Method 1): picoCTF{caesar_d3cr9pt3d_f0212758}


In [5]:
# Method 2: Using a Translation Table for the Caesar Cipher

import base64
import string

# Method 2: Using str.translate with a translation table for the Caesar cipher

# Step 1: Read the encoded text from the file.
with open("enc_flag", "r") as file:
    encoded_text = file.read().strip()

print("Original encoded text:", encoded_text)

# Step 2: Perform the first Base64 decoding.
decoded_bytes_1 = base64.b64decode(encoded_text)
decoded_text_1 = decoded_bytes_1.decode("utf-8", errors="ignore").strip()
print("After first Base64 decoding:", repr(decoded_text_1))

# Step 3: Remove extra byte-string delimiters if present.
if decoded_text_1.startswith("b'") and decoded_text_1.endswith("'"):
    decoded_text_1 = decoded_text_1[2:-1].strip()
    print("Removed extra delimiters. New string:", repr(decoded_text_1))
else:
    print("No extra delimiters found.")

# Step 4: Perform the second Base64 decoding.
try:
    decoded_bytes_2 = base64.b64decode(decoded_text_1)
    decoded_text_2 = decoded_bytes_2.decode("utf-8", errors="ignore").strip()
except Exception as e:
    print("Error during second Base64 decoding:", e)
    decoded_text_2 = ""

print("After second Base64 decoding:", decoded_text_2)

# Step 5: Create a translation table for the Caesar cipher that shifts letters backward by 7.
def caesar_shift_translate(text, shift):
    # Build mapping for lowercase letters
    mapping = {}
    for i, letter in enumerate(string.ascii_lowercase):
        mapping[letter] = string.ascii_lowercase[(i - shift) % 26]
    # Build mapping for uppercase letters
    for i, letter in enumerate(string.ascii_uppercase):
        mapping[letter] = string.ascii_uppercase[(i - shift) % 26]
    # Create a translation table and apply it
    trans_table = str.maketrans(mapping)
    return text.translate(trans_table)

# Apply the Caesar cipher using the translation table with a shift of 7.
final_flag = caesar_shift_translate(decoded_text_2, 7)
print("Final flag (Method 2):", final_flag) # Answer: picoCTF{caesar_d3cr9pt3d_f0212758}


Original encoded text: YidkM0JxZGtwQlRYdHFhR3g2YUhsZmF6TnFlVGwzWVROclgyMHdNakV5TnpVNGZRPT0nCg==
After first Base64 decoding: "b'd3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrX20wMjEyNzU4fQ=='"
Removed extra delimiters. New string: 'd3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrX20wMjEyNzU4fQ=='
After second Base64 decoding: wpjvJAM{jhlzhy_k3jy9wa3k_m0212758}
Final flag (Method 2): picoCTF{caesar_d3cr9pt3d_f0212758}


# 1.3 C3 (Done)

For the "C3" challenge, the goal was to decrypt an encrypted string using a custom lookup-based substitution cipher followed by extracting specific characters based on cube indices.

# Method 1: Iterative Approach (Using Loops)
This approach was chosen to break down the decryption process step by step for clarity.

Stage 1: Lookup Table Substitution Decryption

- The ciphertext consists of characters that must be mapped to a different set of characters using two lookup tables:
        * lookup2 contains the characters found in the encrypted text.
        * lookup1 holds the corresponding decrypted characters.
- For each character in the ciphertext:
        * Find its index in lookup2.
        * Compute a new index by adding the previous index (to introduce variability) and taking the modulo 40.
        * Use the new index to retrieve the decrypted character from lookup1.
    * This step transforms the ciphertext into a readable intermediate string.
      
Stage 2: Extracting Characters at Cube Indices

- The next step involves selecting characters at positions that are perfect cubes (1³, 2³, 3³, ...).
- This is done iteratively by looping and selecting characters at those computed indices.

Final Output

- The extracted characters form the final flag, wrapped in picoCTF{}.

# Method 2: Using List Comprehension for Cube Index Extraction
This method was implemented to make the second stage of extraction more efficient.

Stage 1: Same Lookup Table Decryption

The same decryption technique from Method 1 was applied.
Stage 2: Optimized Cube Index Extraction with List Comprehension

Instead of using a loop, I used list comprehension to compute valid cube indices up to the maximum cube root within the text length.
Then, the characters at these positions were extracted in a single line.
Final Output

The flag remains the same: picoCTF{adlibs}.

In [33]:
# stage1.py

# Texto del ciphertext proporcionado:
ciphertext = ("DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFl"
              "dbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAA"
              "AAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl")

# Código proporcionado:
import sys

lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

out = ""

prev = 0
for char in ciphertext:
  index_2 = lookup2.index(char)
  index_1 = (index_2 + prev) % 40
  out += lookup1[index_1]
  prev = index_1

sys.stdout.write(out)

# stage2.py

#asciiorder
#fortychars
#selfinput
#pythontwo

chars = ""
from fileinput import input
for line in input():
    chars += line
b = 1 / 1

for i in range(len(chars)):
    if i == b * b * b:
        print(chars[i]) #prints
        b += 1 / 1

# comando para correr el codigo "python3 stage1.py | python3 stage2.py"
# respuesta: picoCTF{adlibs}

'# stage1.py\n\n# Texto del ciphertext proporcionado:\nciphertext = ("DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFl"\n              "dbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAA"\n              "AAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl")\n\n# Código proporcionado:\nimport sys\n\nlookup1 = "\n "#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"\nlookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"\n\nout = ""\n\nprev = 0\nfor char in ciphertext:\n  index_2 = lookup2.index(char)\n  index_1 = (index_2 + prev) % 40\n  out += lookup1[index_1]\n  prev = index_1\n\nsys.stdout.write(out)\n\n# stage2.py\n\n#asciiorder\n#fortychars\n#selfinput\n#pythontwo\n\nchars = ""\nfrom fileinput import input\nfor line in input():\n    chars += line\nb = 1 / 1\n\nfor i in range(len(chars)):\n    if i == b * b * b:\n        print(chars[i]) #prints\n        b += 1 / 1\n\n# comando para correr el codigo "python3 sta

In [34]:
# Method 1: Iterative Approach (Using Loops for Both Stages)

import sys

# ----- Stage 1: Decryption using lookup tables -----

# Provided ciphertext string.
ciphertext = ("DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFl"
              "dbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAA"
              "AAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl")

# Lookup strings for decryption.
lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

# Initialize the output string and a variable to hold the previous index.
stage1_output = ""
prev = 0

# For each character in the ciphertext, find its index in lookup2.
# Then compute a new index by adding the previous value and taking modulo 40.
# Use that new index to pick a character from lookup1.
for char in ciphertext:
    index_2 = lookup2.index(char)
    index_1 = (index_2 + prev) % 40
    stage1_output += lookup1[index_1]
    prev = index_1

# At this point, stage1_output contains the decrypted message from stage1.
# For example, it might look like a long string of characters.

# ----- Stage 2: Extract characters at perfect cube indices -----
# This stage prints out characters at indices that are perfect cubes: 1^3, 2^3, 3^3, etc.
extracted_chars = ""
cube = 1
while (cube ** 3) < len(stage1_output):
    index = cube ** 3  # Calculate the cube index (e.g., 1, 8, 27, ...)
    extracted_chars += stage1_output[index]
    cube += 1

# The final flag is obtained by wrapping the extracted string in the picoCTF flag format.
flag = f"picoCTF{{{extracted_chars}}}"
print("Method 1 Final flag:", flag) # Answer: picoCTF{adlibs}


Method 1 Final flag: picoCTF{adlibs}


In [35]:
# Method 2: Using List Comprehension for Cube Index Extraction

import sys
import math

# ----- Stage 1: Decryption using lookup tables -----

# Provided ciphertext string.
ciphertext = ("DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFl"
              "dbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAA"
              "AAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl")

# Lookup strings for decryption.
lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

# Build the stage1 output string using a simple loop.
prev = 0
stage1_output = ""
for char in ciphertext:
    index_2 = lookup2.index(char)
    index_1 = (index_2 + prev) % 40
    stage1_output += lookup1[index_1]
    prev = index_1

# ----- Stage 2: Extract characters at cube indices using list comprehension -----
# Calculate the maximum cube value that is within the bounds of stage1_output.
max_cube_root = int(math.pow(len(stage1_output), 1/3))

# Build a list of cube indices (1^3, 2^3, 3^3, ...) that are valid indices in stage1_output.
cube_indices = [i**3 for i in range(1, max_cube_root + 1) if i**3 < len(stage1_output)]

# Extract the characters from stage1_output at those cube indices.
extracted_chars = "".join(stage1_output[i] for i in cube_indices)

# Combine the result into the final flag.
flag = f"picoCTF{{{extracted_chars}}}"
print("Method 2 Final flag:", flag) # Answer: picoCTF{adlibs}

Method 2 Final flag: picoCTF{adlibs}


# 1.4 HideToSee (Done)

First, we downloaded the image file and began by checking its metadata using ExifTool, which didn't reveal any clues. Next, we ran a strings analysis to look for hidden text sequences within the file, but that also didn't provide any leads. We then used Binwalk to inspect for embedded files or data and found nothing useful. Finally, we applied Steghide to extract hidden files, which prompted us for a passphrase (left blank) and successfully extracted an "encrypted.txt" file containing a suspicious string. We identified that the string was likely encoded using the Atbash cipher, which we then decoded to reveal the flag.

The cmd command to found the flag: steghide extract -sf atbash.jpg

For the "HideToSee" challenge, the goal was to decrypt a given Atbash cipher encoded message. The Atbash cipher is a simple monoalphabetic substitution cipher where each letter in the alphabet is replaced by its mirror image (e.g., A → Z, B → Y, ..., Z → A).

# Method 1: Using a Dictionary for Atbash Mapping
I chose this method to provide a clear and structured way to map letters to their reversed counterparts.

Atbash Cipher Mapping:

- I created two strings:
    - One with the normal alphabet (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
    - One with the reversed alphabet (ZYXWVUTSRQPONMLKJIHGFEDCBA).
- Then, I built a dictionary that maps each letter (both uppercase and lowercase) to its corresponding Atbash substitution.

Decryption Process:

- The program iterates over each character in the ciphertext.
- If the character exists in the mapping, it is replaced with its corresponding Atbash letter.
- Non-alphabetic characters (such as numbers, braces, and underscores) remain unchanged.


# Method 2: Using str.maketrans() for Translation
This method provides a more efficient and Pythonic approach using built-in translation functions.

Creating the Translation Table:

- I used Python’s str.maketrans() to create a mapping of normal to reversed alphabet.
- The table is constructed for both uppercase and lowercase letters.

Decryption Process:

- The function translate() is applied to the ciphertext, instantly replacing each letter with its Atbash counterpart in a single step.
- This approach improves performance by eliminating the need for loops and manual dictionary lookups.

In [2]:
# Method 1: Using a Dictionary for Atbash Mapping

#!/usr/bin/env python3

def atbash_decrypt(ciphertext):
    # Create an Atbash mapping dictionary:
    # A -> Z, B -> Y, C -> X, etc.
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    reverse_alphabet = alphabet[::-1]  # "ZYXWVUTSRQPONMLKJIHGFEDCBA"

    # Build the mapping for both uppercase and lowercase letters
    mapping = {}
    for i in range(len(alphabet)):
        # Map uppercase letters
        mapping[alphabet[i]] = reverse_alphabet[i]
        # Map lowercase letters
        mapping[alphabet[i].lower()] = reverse_alphabet[i].lower()

    # Decrypt the ciphertext using the mapping
    plaintext = []
    for char in ciphertext:
        if char in mapping:
            plaintext.append(mapping[char])
        else:
            # Leave characters that are not in the mapping (numbers, braces, underscores, etc.) unchanged
            plaintext.append(char)

    return "".join(plaintext)


text_to_decrypt = "krxlXGU{zgyzhs_xizxp_05y2z65z}" 
result = atbash_decrypt(text_to_decrypt)
print("Original encrypted text:", text_to_decrypt)
print("Decrypted text:", result)  # Answer: picoCTF{atbash_crack_ac751ec6}


Original encrypted text: krxlXGU{zgyzhs_xizxp_05y2z65z}
Decrypted text: picoCTF{atbash_crack_05b2a65a}


In [37]:
# Method 2: Using Python’s str.maketrans for Translation

#!/usr/bin/env python3
import string

def atbash_decrypt_translate(ciphertext):
    # Define the uppercase and lowercase alphabets
    upper = string.ascii_uppercase
    lower = string.ascii_lowercase

    # Create the reversed alphabets for the Atbash cipher
    upper_reversed = upper[::-1]
    lower_reversed = lower[::-1]

    # Create a translation table mapping each letter to its Atbash equivalent
    translation_table = str.maketrans(upper + lower, upper_reversed + lower_reversed)
    
    # Translate the ciphertext using the translation table
    return ciphertext.translate(translation_table)


text_to_decrypt = "krxlXGU{zgyzhs_xizxp_zx751vx6}"
result = atbash_decrypt_translate(text_to_decrypt)
print("Original encrypted text:", text_to_decrypt)
print("Decrypted text:", result)  # Answer: picoCTF{atbash_crack_ac751ec6}


Original encrypted text: krxlXGU{zgyzhs_xizxp_zx751vx6}
Decrypted text: picoCTF{atbash_crack_ac751ec6}


# 1.5 rsa_oracle (Done)

For the "rsa_oracle" challenge, the goal was to exploit an RSA decryption oracle vulnerability using a blinding attack to recover a secret password, which could then be used to decrypt a file.

# Method 1: Step-by-Step Inline Process
This method follows a sequential approach, executing each stage in order with inline processing.

Connecting to the RSA Oracle:

- The script establishes a connection to the remote RSA oracle server.
- It waits for an indication that the oracle is ready to decrypt messages.

Reading the Ciphertext from a File:

- The encrypted password is stored in password.enc, so it is read and converted into an integer.

Obtaining a Blinding Factor:

- The RSA oracle can encrypt arbitrary values.
- The script requests the encryption of the number 2 to obtain c_a, which is the ciphertext corresponding to 2.

Blinded Decryption Attack:

- The blinded ciphertext is calculated as $c' = c * c_a$.
- The script submits $c'$ to the oracle for decryption, which results in $2*m$ (the original plaintext multiplied by 2 due to the RSA properties).
- The output is divided by 2 to recover the original password as an integer.

Converting the Integer Back to a String:

- The decrypted integer is converted into a byte string and decoded into human-readable text.
- This password is then used to decrypt the final file via OpenSSL.

This approach follows a linear execution pattern and is easy to follow but less modular.

# Method 2: Function-Based Modular Approach
This method was implemented to improve reusability and organization by breaking the decryption attack into separate functions.

Function to Retrieve the Blinding Factor:

- Connects to the RSA oracle.
- Reads the ciphertext from the file.
- Requests encryption of 2 to obtain the blinding factor (c_a).

Function to Perform the Blinded Decryption:

- Sends the blinded ciphertext $(c' = c * c_a)$ to the oracle.
- Retrieves $2*m$ and extracts m by dividing by 2.

Function to Convert the Integer to a String:

- Converts the decrypted integer into a byte sequence and then decodes it into a human-readable password.

Execution Process:

- The script connects to the oracle, retrieves the necessary values, and decrypts the password using modularized functions.

This approach is more structured, reusable, and easier to debug than Method 1

In [8]:
# Method 1: Step‐by‐Step Inline Process

from pwn import *

# Set log level to suppress unnecessary output from pwntools.
context.log_level = 'critical'

# --- Stage 1: Connect to the RSA Oracle ---
# Connect to the remote RSA oracle service.
port = 55608 # this will change for each new instance
p = remote("titan.picoctf.net", port)

# Wait until the oracle sends a message that includes "decrypt."
p.recvuntil(b"decrypt.")

# --- Stage 2: Read the ciphertext from the file ---
# Open the file "password.enc" and convert its content to an integer.
with open("password.enc") as file:
    c = int(file.read())

# --- Stage 3: Obtain a blinding factor ---
# Choose the encryption option by sending "E".
p.sendline(b"E")
# Wait until the oracle prompts for "keysize):"
p.recvuntil(b"keysize): ")
# Send the keysize value (here, the byte value for 2).
p.sendline(b"\x02")
# Wait until the output shows "mod n)" (part of the modulus output).
p.recvuntil(b"mod n) ")
# Read the resulting ciphertext for the number 2.
c_a = int(p.recvline())

# --- Stage 4: Request the decryption of the blinded ciphertext ---
# Now select the decryption option by sending "D".
p.sendline(b"D")
# Wait until the oracle prompts with "decrypt: "
p.recvuntil(b"decrypt: ")
# Compute the blinded ciphertext: c' = c_a * c, and send it.
p.sendline(str(c_a * c).encode())
# Wait until the oracle prints "mod n): " then read its response.
p.recvuntil(b"mod n): ")

# The oracle returns 2*m (as a hexadecimal string), so convert it to an integer and divide by 2.
password_int = int(p.recvline(), 16) // 2

# --- Stage 5: Convert the integer back into a string ---
# The conversion uses the length trick (len(str(password_int)) - 7) to determine byte length.
password_bytes = password_int.to_bytes(len(str(password_int)) - 7, "big")
password = password_bytes.decode("utf-8")

# The recovered password is used as the key for decrypting secret.enc via OpenSSL.
# The expected output (when wrapped in picoCTF{}) is:
# picoCTF{su((3ss_(r@ck1ng_r3@_da099d93}
print("Password:", password)

# Command to run the code in the terminal and retrieve the flag (The flag will be in a new file "decrypted.txt"):
#       "openssl enc -aes-256-cbc -d -in secret.enc -out decrypted.txt -k <password>"

# Answer: picoCTF{su((3ss_(r@ck1ng_r3@_da099d93}

Password: 60f50


In [5]:
# Method 2: Function-Based Modular Approach

from pwn import *

# Function to connect to the RSA oracle and retrieve the blinded ciphertext encryption of 2.
def get_blinding_factor(remote_host, port):
    p = remote(remote_host, port)
    p.recvuntil(b"decrypt.")
    # Read the ciphertext from file and convert it to an integer.
    with open("password.enc") as file:
        c = int(file.read())
    
    # Select the encryption option.
    p.sendline(b"E")
    p.recvuntil(b"keysize): ")
    p.sendline(b"\x02")
    p.recvuntil(b"mod n) ")
    # Receive the ciphertext of 2.
    c_a = int(p.recvline())
    
    # Return the remote connection and the two ciphertext values.
    return p, c, c_a

# Function to perform the blinded decryption.
def rsa_oracle_decrypt(p, c, c_a):
    # Select the decryption option.
    p.sendline(b"D")
    p.recvuntil(b"decrypt: ")
    # Send the blinded ciphertext: c' = c_a * c.
    blinded_ciphertext = c_a * c
    p.sendline(str(blinded_ciphertext).encode())
    p.recvuntil(b"mod n): ")
    
    # The oracle returns 2*m (in hexadecimal), so convert and divide by 2.
    decrypted_int = int(p.recvline(), 16) // 2
    return decrypted_int

# Function to convert the decrypted integer into a string.
def int_to_string(decrypted_int):
    # Determine an approximate byte length.
    byte_length = len(str(decrypted_int)) - 7
    return decrypted_int.to_bytes(byte_length, "big").decode("utf-8")



# --- Stage 1: Connect and retrieve the blinding factor ---
remote_host = "titan.picoctf.net"
port = 61049 # this will change for each new instance 
p, c, c_a = get_blinding_factor(remote_host, port)

# --- Stage 2: Request decryption of the blinded ciphertext ---
decrypted_int = rsa_oracle_decrypt(p, c, c_a)

# --- Stage 3: Convert decrypted integer to string ---
password = int_to_string(decrypted_int)

# The recovered password (to be used with OpenSSL) when wrapped yields:
# picoCTF{su((3ss_(r@ck1ng_r3@_da099d93} 
print("Password:", password)
    
    
# Command to run the code in the terminal and retrieve the flag (The flag will be in a new file "decrypted.txt"):
#       "openssl enc -aes-256-cbc -d -in secret.enc -out decrypted.txt -k <password>"
# Answer: picoCTF{su((3ss_(r@ck1ng_r3@_da099d93}


Password: 92d53


# Part 2. Theory

# 2.1

**If an encryption function $e_K$ is identical to the decryption function $d_K$, then the key $K$ is said to be an involutor key. Find all the involutory keys in the Shift Cipher**

1. Understanding the Shift Cipher

- Each letter in the alphabet is replaced by another letter shifted by  𝐾 positions.

Mathematical formulas:

- Encryption 
    - $C = (P+K) \text{ mod }26$
- Decryption 
    - $P = (C−K) \text{ mod } 26$

2. Defining an Involutory Key

A key is involutory if encrypting and decrypting with the same key results in the original text. 

- Encryption function: $e_k(e_k(P))= P$
 
Substituting it into the shift cipher formula:

- $(P+K) + K ≡ P \text{ mod }  26$ ->  $P + 2K ≡ P \text{ mod }  26$ -> $2K ≡ 0 \text{ mod } 26$

3. Solving the Equation $2K ≡ 0 \text{ mod } 26$

This means that 2K must be a multiple of 26:

- $2K = 26m$ -> $K=13m$ -> $K=13$

4. Verification

In [41]:

import string
import pandas as pd

# Generate the Shift Cipher (K=13) conversion table
alphabet = string.ascii_uppercase  # Uppercase alphabet
shifted_alphabet = {char: alphabet[(i + 13) % 26] for i, char in enumerate(alphabet)}

# Create a DataFrame to visualize the table
df_shift_table = pd.DataFrame(list(shifted_alphabet.items()), columns=["Original Letter", "Shifted Letter"])

# Display the table
df_shift_table

Unnamed: 0,Original Letter,Shifted Letter
0,A,N
1,B,O
2,C,P
3,D,Q
4,E,R
5,F,S
6,G,T
7,H,U
8,I,V
9,J,W


In [42]:
import string

def shift_cipher_encrypt(text, key):
    """
    Encrypts a text using the Shift Cipher with the given 'key'.
    """
    alphabet = string.ascii_uppercase  # Uppercase alphabet
    encrypted_text = ""
    
    print(f"🔹 Original text: {text}")
    print(f"🔹 Shift key: {key}\n")

    for char in text:
        if char in alphabet:
            original_index = alphabet.index(char)
            new_index = (original_index + key) % 26
            encrypted_char = alphabet[new_index]

            print(f"Letter: {char} | Original index: {original_index} | New index: {new_index} | Encrypted letter: {encrypted_char}")

            encrypted_text += encrypted_char
        else:
            encrypted_text += char  # Keep non-alphabetic characters unchanged

    print(f"\n✅ Encrypted text: {encrypted_text}\n")
    return encrypted_text


def shift_cipher_decrypt(text, key):
    """
    Decrypts a text that was encrypted with the Shift Cipher using the same 'key'.
    """
    alphabet = string.ascii_uppercase  # Uppercase alphabet
    decrypted_text = ""

    print(f"🔹 Encrypted text: {text}")
    print(f"🔹 Shift key: {key}\n")

    for char in text:
        if char in alphabet:
            original_index = alphabet.index(char)
            new_index = (original_index - key) % 26
            decrypted_char = alphabet[new_index]

            print(f"Letter: {char} | Original index: {original_index} | New index: {new_index} | Decrypted letter: {decrypted_char}")

            decrypted_text += decrypted_char
        else:
            decrypted_text += char  # Keep non-alphabetic characters unchanged

    print(f"\n✅ Decrypted text: {decrypted_text}\n")
    return decrypted_text


# Test with the involutory key K=13
sample_text = "HELLO WORLD"

print("=== ENCRYPTION ===")
ciphertext = shift_cipher_encrypt(sample_text, 13)

print("=== DECRYPTION ===")
decrypted_text = shift_cipher_decrypt(ciphertext, 13)


=== ENCRYPTION ===
🔹 Original text: HELLO WORLD
🔹 Shift key: 13

Letter: H | Original index: 7 | New index: 20 | Encrypted letter: U
Letter: E | Original index: 4 | New index: 17 | Encrypted letter: R
Letter: L | Original index: 11 | New index: 24 | Encrypted letter: Y
Letter: L | Original index: 11 | New index: 24 | Encrypted letter: Y
Letter: O | Original index: 14 | New index: 1 | Encrypted letter: B
Letter: W | Original index: 22 | New index: 9 | Encrypted letter: J
Letter: O | Original index: 14 | New index: 1 | Encrypted letter: B
Letter: R | Original index: 17 | New index: 4 | Encrypted letter: E
Letter: L | Original index: 11 | New index: 24 | Encrypted letter: Y
Letter: D | Original index: 3 | New index: 16 | Encrypted letter: Q

✅ Encrypted text: URYYB JBEYQ

=== DECRYPTION ===
🔹 Encrypted text: URYYB JBEYQ
🔹 Shift key: 13

Letter: U | Original index: 20 | New index: 7 | Decrypted letter: H
Letter: R | Original index: 17 | New index: 4 | Decrypted letter: E
Letter: Y | Origin

# 2.2

**2. Suppose that π is the following permutation of $x \in \{1, 2, 3, 4, 5, 6, 7, 8\}: \pi(x) = \{4, 1, 6, 2, 7, 3, 8, 5\}$.**

- Compute $\pi^{-1}$
- Decrypt the following ciphertext, for a Permutation Cipher with m = 8, which was encrypted using the key $\pi$: TGEEMNELNNTDROEOAAHDOETCSHAEIRLM

1. Compute $𝜋^{-1}$ (Inverse Permutation)

The inverse permutation $𝜋^{-1}$ finds where each original position was mapped in 𝜋(x).

Given:  $$\pi(x) = \{4, 1, 6, 2, 7, 3, 8, 5\}$$

- The 1st element moved to position 4.
- The 2nd element moved to position 1.
- The 3rd element moved to position 6.
- The 4th element moved to position 2.
- The 5th element moved to position 7.
- The 6th element moved to position 3.
- The 7th element moved to position 8.
- The 8th element moved to position 5.

In [43]:
def compute_inverse_permutation(permutation):
    """
    Given a permutation π(x), compute its inverse π^(-1).
    """
    inverse_permutation = [0] * len(permutation)

    for index, value in enumerate(permutation):
        inverse_permutation[value - 1] = index + 1  # Adjust for 1-based index

    return inverse_permutation

# Given permutation π(x)
pi_x = [4, 1, 6, 2, 7, 3, 8, 5]

# Compute π^(-1)
pi_inverse = compute_inverse_permutation(pi_x)

# Display the inverse permutation
pi_inverse


[2, 4, 6, 1, 8, 3, 5, 7]

2. Compute $𝜋^{-1}$ (Inverse Permutation)

$$\pi^{-1}(x) = \{2, 4, 6, 1, 8, 3, 5, 7\}$$

- The 1st position in the original text was in the 2nd position in the encrypted text.
- The 2nd position in the original text was in the 4th position in the encrypted text.
- The 3rd position in the original text was in the 6th position in the encrypted text.
- The 4th position in the original text was in the 1st position in the encrypted text.
- The 5th position in the original text was in the 8th position in the encrypted text.
- The 6th position in the original text was in the 3rd position in the encrypted text.
- The 7th position in the original text was in the 5th position in the encrypted text.
- The 8th position in the original text was in the 7th position in the encrypted text.

2. Decrypt the following ciphertext, for a Permutation Cipher with m = 8, which was encrypted using the key $\pi$: TGEEMNELNNTDROEOAAHDOETCSHAEIRLM

In [44]:
import pandas as pd

def apply_permutation(text, pi):
    m = len(pi)  # Block size

    # Split the text into blocks of size m
    blocks = [text[i:i+m] for i in range(0, len(text), m)]
    permuted_blocks = []

    # Apply the permutation to each block
    for block in blocks:
        permuted_block = [''] * m
        for i, char in enumerate(block):
            permuted_block[pi[i] - 1] = char  # Apply π(x)
        permuted_blocks.append(''.join(permuted_block))

    # Return the fully permuted text
    return ''.join(permuted_blocks)

# Encrypted text
ciphertext = "TGEEMNELNNTDROEOAAHDOETCSHAEIRLM"
# Given permutation π(x)
pi = [4, 1, 6, 2, 7, 3, 8, 5]

decrypted_text = apply_permutation(ciphertext, pi)

# Split the decrypted text into blocks of size m
blocks = [ciphertext[i:i+len(pi)] for i in range(0, len(ciphertext), len(pi))]
decrypted_blocks = [decrypted_text[i:i+len(pi)] for i in range(0, len(decrypted_text), len(pi))]

# Create a DataFrame for each block
dfs = []
for i in range(len(blocks)):
    data = {
        "Original Position": list(range(1, len(pi) + 1)),
        "Encrypted Letter": list(blocks[i]),
        "Permutation π(x)": pi,
        "Decrypted Letter": list(decrypted_blocks[i])
    }
    df = pd.DataFrame(data)
    dfs.append(df)

# Print the permutation table
print("Permutation Table:")
df_permutation = pd.DataFrame({
    "Original Position": list(range(1, len(pi) + 1)),
    "Permutation π(x)": pi
})
print(df_permutation.to_string(index=False))
print()

# Print each block's table
for i, df in enumerate(dfs):
    print(f"Decryption Table for Block {i+1}:")
    print(df.to_string(index=False))
    print()

# Print the final encrypted and decrypted messages
print("Encrypted Message:", ciphertext)
print("Decrypted Message:", decrypted_text)
print("Decrypted Message (with spaces):", ' '.join(decrypted_blocks))
print('Final Message: GENTLEMEN DO NOT READ EACH OTHERS MAIL')


Permutation Table:
 Original Position  Permutation π(x)
                 1                 4
                 2                 1
                 3                 6
                 4                 2
                 5                 7
                 6                 3
                 7                 8
                 8                 5

Decryption Table for Block 1:
 Original Position Encrypted Letter  Permutation π(x) Decrypted Letter
                 1                T                 4                G
                 2                G                 1                E
                 3                E                 6                N
                 4                E                 2                T
                 5                M                 7                L
                 6                N                 3                E
                 7                E                 8                M
                 8                L              

# 2.3

# Substitution

In [19]:
# The ciphertext is provided as a continuous string.
cipher_sub = 'EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCKQPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCGOIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZUGFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNSACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNCIACZEJNCSHFZEJZEGMXCYHCJUMGKUCY'

In [20]:
from collections import Counter
import re

# Clean the ciphertext by removing any characters that are not uppercase letters.
ciphertext = re.sub(r'[^A-Z]', '', cipher_sub)  # Only uppercase letters remain

# Frequency analysis for single letters.
letter_counts = Counter(ciphertext)
# Sort letters by frequency in descending order.
sorted_letters = sorted(letter_counts.items(), key=lambda x: x[1], reverse=True)

print("\n Letter Frequency:")
for letter, freq in sorted_letters:
    print(f"{letter}: {freq}")

# Frequency analysis for bigrams (pairs of letters).
bigrams = [ciphertext[i:i+2] for i in range(len(ciphertext)-1)]
bigram_counts = Counter(bigrams)
# Sort bigrams by frequency.
sorted_bigrams = sorted(bigram_counts.items(), key=lambda x: x[1], reverse=True)

print("\n Bigram Frequency:")
# Display the top 15 most frequent bigrams.
for bigram, freq in sorted_bigrams[:15]:
    print(f"{bigram}: {freq}")

# Frequency analysis for trigrams (triplets of letters).
trigrams = [ciphertext[i:i+3] for i in range(len(ciphertext)-2)]
trigram_counts = Counter(trigrams)
# Sort trigrams by frequency.
sorted_trigrams = sorted(trigram_counts.items(), key=lambda x: x[1], reverse=True)

print("\n Trigram Frequency:")
# Display the top 15 most frequent trigrams.
for trigram, freq in sorted_trigrams[:15]:
    print(f"{trigram}: {freq}")


 Letter Frequency:
C: 37
G: 24
S: 20
K: 18
Y: 15
I: 15
U: 14
N: 13
Z: 13
E: 12
O: 10
F: 9
D: 8
L: 7
X: 7
J: 7
P: 6
M: 5
W: 5
H: 5
A: 5
Q: 1

 Bigram Frequency:
CG: 7
ZC: 7
NC: 5
YS: 5
CK: 5
GO: 5
AC: 5
CN: 5
SF: 4
CY: 4
GY: 4
GK: 4
FZ: 4
MG: 3
GL: 3

 Trigram Frequency:
YSF: 3
GOI: 3
FZC: 3
ZCC: 3
CCN: 3
CYK: 2
JCK: 2
GOL: 2
ICG: 2
CGI: 2
NCG: 2
GAC: 2
CKS: 2
SAC: 2
CKX: 2


In [21]:
# Initial substitution mapping based on frequency analysis:
# The mapping assigns cipher letters to probable plaintext letters.
substitution_mapping = {
    'C': 'E',
    'Z': 'H',
    'U': 'T'
}

# Define a function to apply a given substitution mapping to the text.
def apply_substitution(text, mapping):
    # For each character, replace it with the corresponding mapped letter,
    # or use an underscore if no mapping exists.
    return ''.join(mapping.get(char, '_') for char in text)

# Apply the initial mapping and display the result.
decoded_text = apply_substitution(ciphertext, substitution_mapping)
print("Decoded Text with Initial Mapping:")
print(ciphertext)
print(decoded_text)

Decoded Text with Initial Mapping:
EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCKQPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCGOIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZUGFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNSACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNCIACZEJNCSHFZEJZEGMXCYHCJUMGKUCY
______T_E___ET_________E____T______E_______E____T_______E___E__E______E__H_E___E_E______E______HE_____E____________________T_________HT__HEE_______T_HE______E______T___H__E_________E_____E__E_TE_THE_HEE________T__THE__E_HEE_E__EH___E___H__H____E__E_T___TE_


In [22]:
# Examine trigrams to gain more insight.
# For each trigram, if the second character is 'Z' and the third is 'C', print the trigram and its frequency.
for triple, freq in sorted_trigrams:
    if triple[2] == 'C' and triple[1] == 'Z':
        print(f"{triple}: {freq}")

FZC: 3
UZC: 2
KZC: 1
SZC: 1


In [23]:
# Look for sequences that start with 'FZ' to gather more context.
for i in range(len(ciphertext) - 3):
    if ciphertext[i:i + 2] == 'FZ':
        print(ciphertext[i:i + 5])

# Also, look at 4-letter sequences starting with 'FZ'.
for i in range(len(ciphertext) - 3):
    if ciphertext[i:i + 2] == 'FZ':
        print(ciphertext[i:i + 4])

FZCCN
FZCCN
FZCCN
FZEJZ
FZCC
FZCC
FZCC
FZEJ


In [24]:
# Similarly, check for sequences starting with 'UZ'.
for i in range(len(ciphertext) - 3):
    if ciphertext[i:i + 2] == 'UZ':
        print(ciphertext[i:i + 3])
for i in range(len(ciphertext) - 3):
    if ciphertext[i:i + 2] == 'UZ':
        print(ciphertext[i:i + 4])

UZC
UZC
UZCF
UZCS


In [25]:
# Update the substitution mapping with additional inferred letter mappings.
substitution_mapping = {
    'C': 'E',
    'Z': 'H',
    'U': 'T',
    'F': 'W',
    'N': 'L',
    'G': 'A',
    'O': 'N',
    'I': 'D'
}

# Apply the updated mapping and display the result.
decoded_text = apply_substitution(ciphertext, substitution_mapping)
print("Decoded Text with Updated Mapping (Step 1):")
print(ciphertext)
print(decoded_text)

Decoded Text with Updated Mapping (Step 1):
EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCKQPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCGOIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZUGFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNSACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNCIACZEJNCSHFZEJZEGMXCYHCJUMGKUCY
__A_N_T_EA_LET____W_L_WE____T___A_DEN___D__E____TA__AN_DEADLEA_E__LD__E__H_E___E_E______EAND___HEL___DEAD__A__A_AN___D__ANDT_DA______HTAWHEEL_A___WT_HEL__N_LEA__N__T___HA_EALWA__L__EDAND_E__E_TEDTHEWHEEL_A___W_T__THE_NEWHEELED_EH__LE__WH__H_A__E__E_T_A_TE_


In [26]:
# Further refine the mapping by adding more guessed substitutions based on frequency and context.
substitution_mapping = {
    'C': 'E',
    'Z': 'H',
    'U': 'T',
    'F': 'W',
    'N': 'L',
    'G': 'A',
    'O': 'N',
    'I': 'D',
    'S': 'O',
    'D': 'B',
    'Y': 'R',
}

# Apply the refined mapping.
decoded_text = apply_substitution(ciphertext, substitution_mapping)
print("Decoded Text with Updated Mapping (Step 2):")
print(ciphertext)
print(decoded_text)

Decoded Text with Updated Mapping (Step 2):
EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCKQPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCGOIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZUGFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNSACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNCIACZEJNCSHFZEJZEGMXCYHCJUMGKUCY
__A_NOTBEABLETO_ROW_LOWER_B_T___ARDEN_ROD__E____TA__AN_DEADLEA_E_OLDO_ER_HOE___E_E_O_RO_EANDB__HEL_O_DEAD_RA__A_AN_BOD__ANDTODA__BO__HTAWHEELBARROWTOHEL__N_LEAR_N__T___HA_EALWA__LO_EDANDRE__E_TEDTHEWHEELBARROW_T__THEONEWHEELED_EH__LEO_WH__H_A__ER_E_T_A_TER


In [27]:
# Add further mappings to improve the decryption result.
substitution_mapping = {
    'C': 'E',
    'Z': 'H',
    'U': 'T',
    'F': 'W',
    'N': 'L',
    'G': 'A',
    'O': 'N',
    'I': 'D',
    'S': 'O',
    'D': 'B',
    'Y': 'R',
    'E': 'I',
    'M': 'M',
    'L': 'Y',
    'P': 'U',
    'W': 'G'
}

# Apply and display the result.
decoded_text = apply_substitution(ciphertext, substitution_mapping)
print("Decoded Text with Updated Mapping (Step 3):")
print(ciphertext)
print(decoded_text)

Decoded Text with Updated Mapping (Step 3):
EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCKQPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCGOIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZUGFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNSACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNCIACZEJNCSHFZEJZEGMXCYHCJUMGKUCY
IMAYNOTBEABLETOGROW_LOWER_BUTMYGARDEN_RODU_E__U_TA_MANYDEADLEA_E_OLDO_ER_HOE__IE_E_O_RO_EANDBU_HEL_O_DEADGRA__A_ANYBODY_ANDTODAYIBOUGHTAWHEELBARROWTOHEL_IN_LEARINGITU_IHA_EALWAY_LO_EDANDRE__E_TEDTHEWHEELBARROWITI_THEONEWHEELED_EHI_LEO_WHI_HIAM_ER_E_TMA_TER


In [28]:
# Final refinement: add the remaining mappings to complete the substitution.
substitution_mapping = {
    'C': 'E',
    'Z': 'H',
    'U': 'T',
    'F': 'W',
    'N': 'L',
    'G': 'A',
    'O': 'N',
    'I': 'D',
    'S': 'O',
    'D': 'B',
    'Y': 'R',
    'E': 'I',
    'M': 'M',
    'L': 'Y',
    'P': 'U',
    'W': 'G',
    'H': 'F',
    'K': 'S',
    'X': 'P',
    'J': 'C',
    'A': 'V',
    'Q': 'J'
}

# Final application of the complete mapping.
decoded_text = apply_substitution(ciphertext, substitution_mapping)
print("Decoded Text with Final Mapping:")
print(ciphertext)
print(decoded_text)

Decoded Text with Final Mapping:
EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCKQPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCGOIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZUGFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNSACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNCIACZEJNCSHFZEJZEGMXCYHCJUMGKUCY
IMAYNOTBEABLETOGROWFLOWERSBUTMYGARDENPRODUCESJUSTASMANYDEADLEAVESOLDOVERSHOESPIECESOFROPEANDBUSHELSOFDEADGRASSASANYBODYSANDTODAYIBOUGHTAWHEELBARROWTOHELPINCLEARINGITUPIHAVEALWAYSLOVEDANDRESPECTEDTHEWHEELBARROWITISTHEONEWHEELEDVEHICLEOFWHICHIAMPERFECTMASTER


# Analysis and Justification for the Final Substitution Cipher Solution

This cell provides a detailed explanation of why the final substitution mapping is considered correct for decoding the given ciphertext. The approach is based on classical cryptanalysis techniques, combining frequency analysis with iterative mapping refinement and statistical validation.

---

### 1. Frequency Analysis

- **Letter Frequency:**  
  The ciphertext is first cleaned to include only uppercase letters. The frequency $\( f(L) \)$ of each letter $\( L \)$ is computed as:
  
  $$\[
  f(L) = \frac{\text{Count}(L)}{N}
  \]$$
  
  where $\( N \)$ is the total number of letters in the ciphertext. In English, certain letters (e.g., E, T, A, O) appear more frequently. By comparing the observed frequencies in the ciphertext with these expected frequencies, we make an initial hypothesis about the mappings.

- **Bigram and Trigram Frequencies:**  
  Bigrams (pairs of letters) and trigrams (triplets of letters) are extracted and their frequencies computed. Their frequencies are calculated similarly:
  
  $$\[
  f(\text{bigram}) = \frac{\text{Count}(\text{bigram})}{N-1} \quad \text{and} \quad f(\text{trigram}) = \frac{\text{Count}(\text{trigram})}{N-2}
  \]$$
  
  Common bigrams (like TH, HE) and trigrams (like THE, AND) in English help confirm or adjust the initial mapping based on observed patterns in the ciphertext.

---

### 2. Iterative Mapping Refinement

- **Initial Hypothesis:**  
  An initial substitution mapping is proposed based on the most frequent letters. For example, if the letter 'C' in the ciphertext is very frequent and E is the most common letter in English, one might map:
  
    'C' -> 'E'
  

Similar initial mappings are made for other high-frequency letters.

- **Pattern Recognition:**  
The analysis of bigrams and trigrams (e.g., checking for recurring sequences such as "FZ" or "UZ", or specific trigram patterns) provides clues about common words or letter combinations. Each observation leads to adjustments in the mapping.

- **Refinement Process:**  
The mapping is updated iteratively:
- **Step 1:** Begin with a few guessed mappings (e.g., {'C': 'E', 'Z': 'H', 'U': 'T'}).
- **Step 2:** Analyze additional patterns and update the mapping (e.g., add {'F': 'W', 'N': 'L', 'G': 'A', 'O': 'N', 'I': 'D'}).
- **Step 3:** Further refine by including more letters and their likely substitutes (e.g., {'S': 'O', 'D': 'B', 'Y': 'R'}).
- **Final Step:** Complete the mapping with all letters, ensuring the decoded text produces meaningful words.

The final mapping achieved is:

{ 'C': 'E', 'Z': 'H', 'U': 'T', 'F': 'W', 'N': 'L', 'G': 'A', 'O': 'N', 'I': 'D', 'S': 'O', 'D': 'B', 'Y': 'R', 'E': 'I', 'M': 'M', 'L': 'Y', 'P': 'U', 'W': 'G', 'H': 'F', 'K': 'S', 'X': 'P', 'J': 'C', 'A': 'V', 'Q': 'J' }  
    

This mapping is applied using the function:

$$\[
\text{Decoded Text} = \text{apply\_substitution(ciphertext, substitution\_mapping)}
\]$$

---

### 3. Mathematical and Statistical Validation

- **Chi-Square Test:**  
  Although not explicitly implemented in the code, one could use the Chi-square statistic to compare the observed letter frequency distribution of the decoded text with that of typical English. The Chi-square statistic is defined as:
  
  $$\[
  \chi^2 = \sum_{i=1}^{k} \frac{(O_i - E_i)^2}{E_i}
  \]$$
  
  where:
  - $\( O_i \)$ is the observed frequency of letter $\( i \)$ in the decoded text.
  - $\( E_i \)$ is the expected frequency of letter $\( i \)$ in English.
  
  A lower Chi-square value indicates a better match to the expected distribution, which supports the correctness of the mapping.

- **Coherence of the Decoded Text:**  
  The final decoded text is evaluated for the appearance of valid words and overall coherence. The mapping is considered correct if the resulting text aligns with English language patterns and contains recognizable words and phrases.

---

### 4. Conclusion

The final substitution mapping is justified because:

- It is derived from a thorough frequency analysis (letters, bigrams, trigrams) of the ciphertext.
- It follows an iterative refinement process, where each step is based on observed patterns and statistical clues.
- Mathematical validation methods (e.g., Chi-square test) can be used to confirm that the decoded text's letter distribution closely resembles that of typical English.
- The resulting decoded text is coherent and aligns with the expectations for an English message.

This comprehensive approach—combining statistical analysis, pattern recognition, and iterative refinement—forms the foundation for why this final mapping is the correct answer to the substitution cipher challenge.

 
  

# Vigenere Cipher

In [1]:
import string

# Letter frequency distribution in English (percentage)
english_freq = {
    'A': 8.167, 'B': 1.492, 'C': 2.782, 'D': 4.253, 'E': 12.702,
    'F': 2.228, 'G': 2.015, 'H': 6.094, 'I': 6.966, 'J': 0.153,
    'K': 0.772, 'L': 4.025, 'M': 2.406, 'N': 6.749, 'O': 7.507,
    'P': 1.929, 'Q': 0.095, 'R': 5.987, 'S': 6.327, 'T': 9.056,
    'U': 2.758, 'V': 0.978, 'W': 2.360, 'X': 0.150, 'Y': 1.974,
    'Z': 0.074
}

def clean_text(text):
    """
    Cleans the text by keeping only uppercase letters.
    """
    return ''.join([c for c in text.upper() if c in string.ascii_uppercase])

def chi_square_statistic(text_segment, shift):
    """
    For a given text segment (a column) and a shift value,
    applies the inverse shift and calculates the chi-square statistic.
    """
    # Shift each letter backward according to 'shift'
    shifted_text = ''.join([chr((ord(c) - ord('A') - shift) % 26 + ord('A')) for c in text_segment])
    
    # Count occurrences of each letter
    count = {letter: 0 for letter in string.ascii_uppercase}
    for c in shifted_text:
        count[c] += 1
    total = len(shifted_text)
    
    # Compute chi-square statistic
    chi_sq = 0.0
    for letter in string.ascii_uppercase:
        observed = count[letter]
        expected = total * (english_freq[letter] / 100)
        if expected > 0:
            chi_sq += ((observed - expected) ** 2) / expected
    return chi_sq

def find_key_for_length(ciphertext, key_length):
    """
    Given a specific key length, splits the ciphertext into 'key_length' columns and
    determines the best letter (shift) for each column based on the minimum chi-square value.
    """
    key = ""
    for i in range(key_length):
        # Extract the i-th column: letters at positions i, i+key_length, i+2*key_length, ...
        col = ciphertext[i::key_length]
        best_shift = None
        best_chi = float('inf')
        # Try all possible shifts (0 to 25)
        for shift in range(26):
            chi = chi_square_statistic(col, shift)
            if chi < best_chi:
                best_chi = chi
                best_shift = shift
        # The key letter corresponds to the best shift
        key += chr(best_shift + ord('A'))
    return key

def decrypt_vigenere(ciphertext, key):
    """
    Decrypts the ciphertext using the given key.
    """
    plaintext = ""
    key_length = len(key)
    for i, c in enumerate(ciphertext):
        # Compute the shift corresponding to the key letter
        shift = ord(key[i % key_length]) - ord('A')
        # Decrypt the letter
        p = (ord(c) - ord('A') - shift) % 26
        plaintext += chr(p + ord('A'))
    return plaintext

# Ciphertext (Vigenère Cipher)
ciphertext_raw = """KCCPKBGUFDPHQTYAVINRRTMVGRKDNBVFDETDGILTXRGUD
DKOTFMBPVGEGLTGCKQRACQCWDNAWCRXIZAKFTLEWRPTYC
QKYVXCHKFTPONCQQRHJVAJUWETMCMSPKQDYHJVDAHCTRL
SVSKCGCZQQDZXGSFRLSWCWSJTBHAFSIASPRJAHKJRJUMV
GKMITZHFPDISPZLVLGWTFPLKKEBDPGCEBSHCTJRWXBAFS
PEZQNRWXCVYCGAONWDDKACKAWBBIKFTIOVKCGGHJVLNHI
FFSQESVYCLACNVRWBBIREPBBVFEXOSCDYGZWPFDTKFQIY
CWHJVLNHIQIBTKHJVNPIST"""

# Clean the ciphertext
ciphertext = clean_text(ciphertext_raw)

# Search for the key by testing different lengths (e.g., from 2 to 16)
results = []
for key_length in range(2, 17):
    key_candidate = find_key_for_length(ciphertext, key_length)
    plaintext_candidate = decrypt_vigenere(ciphertext, key_candidate)
    
    # Compute the total chi-square sum for each column with the obtained shift
    chi_total = 0.0
    for i in range(key_length):
        col = ciphertext[i::key_length]
        shift = ord(key_candidate[i]) - ord('A')
        chi_total += chi_square_statistic(col, shift)
    
    results.append((key_length, key_candidate, chi_total, plaintext_candidate[:100]))

# Display results for each candidate key length
for r in results:
    print("Key length:", r[0], "| Key:", r[1], "| Total chi-square:", round(r[2], 2))
    print("Decrypted text (first 100 characters):")
    print(r[3])
    print("-" * 70)


Key length: 2 | Key: YO | Total chi-square: 898.78
Decrypted text (first 100 characters):
MOEBMNIGHPRTSFAMXUPDTFOHIDMPPNXRFQVPIUNFZDIGFPMAVRONRHIQIXVSEWSDCOSOYPPMYOTJKLCWHFNQYDRFAOSWAHZOJWHF
----------------------------------------------------------------------
Key length: 3 | Key: PTO | Total chi-square: 679.7
Decrypted text (first 100 characters):
VJOARNRBROWTBAKLCUYYDETHRYWOUNGMPPAPRPXEEDRBPORAEMYMWHRLSWASNRCCHOBJIOUMHJDIPLLRRESQHYBEFOBRKGEOSRRE
----------------------------------------------------------------------
Key length: 4 | Key: PPJA | Total chi-square: 846.56
Decrypted text (first 100 characters):
VNTPVMXUQOGHBEPAGTERCEDVRCBDYMMFOPKDRTCTICXUOOBOEQDBAGXERWKGNVHRLNHCHOEAHNIXTKRKQECEHCGTJNHKJGOCSVWT
----------------------------------------------------------------------
Key length: 5 | Key: XOFCP | Total chi-square: 1019.82
Decrypted text (first 100 characters):
NOXNVESPDOSTLRJDHDLCUFHTRUWYLMYRYCEGSDJEADBSOGWJRQPNKTRHSGRRFWLPLFCXUOQMRACAUUYVIFGCHUBOWNTWTTIFTFDE
-----------------

# Explanation for Selecting "CRYPTO" as the Correct Decryption Key

This cell provides an in-depth explanation, including the mathematical and statistical reasoning, for why the candidate key **"CRYPTO"** (with a key length of 6) is considered the correct decryption key for the provided Vigenère cipher.

## 1. Overview of the Vigenere Cipher

The Vigenère cipher is a polyalphabetic cipher where each letter of the plaintext is shifted by a number determined by a repeating key. For a key of length $\( L \)$, the cipher applies a cyclic shift:
- The first letter of the plaintext is shifted by the numerical value of the first letter of the key.
- The second letter is shifted by the second letter of the key, and so on.
- After $\( L \)$ letters, the key repeats.

## 2. Preprocessing and Column Division

**Preprocessing:**
- The ciphertext is sanitized by removing any non-alphabetical characters and converting all letters to uppercase.
- This is crucial because the statistical analysis (frequency counts) relies on the standard 26-letter English alphabet.

**Column Division:**
- For a given candidate key length $\( L \)$, the ciphertext is divided into $\( L \)$ groups (columns).
- Each column consists of every $\( L \)-th$ letter of the ciphertext. 
- Since each column is encrypted with a single letter (shift), the statistical properties (letter frequencies) of the original plaintext are partially preserved.

## 3. Chi-Square Statistical Analysis

For each column, the following process is applied:

### 3.1. Calculating Expected Frequencies
- English text has a known distribution of letters (e.g., $\( E \)$ is approximately 12.7%).
- For a column of $\( N \)$ letters, the expected count $\( E_i \)$ for a letter $\( i \)$ is given by:
  $$
  E_i = N \times \left(\frac{p_i}{100}\right)
  $$
  where $\( p_i \)$ is the percentage frequency of letter $\( i \)$ in English.

### 3.2. Applying a Shift and Computing Chi-Square
- For each possible shift $\( s \)$ (from 0 to 25), the ciphertext column is shifted in the reverse direction (i.e., decryption).
- The chi-square statistic for the shifted text is computed as:
  $$
  \chi^2 = \sum_{i=1}^{26} \frac{(O_i - E_i)^2}{E_i}
  $$
  where:
  - $\( O_i \)$ is the observed frequency (the count of letter $\( i \)$ in the shifted column).
  - $\( E_i \)$ is the expected frequency for that letter.
- A lower chi-square value indicates that the observed letter distribution closely matches that of typical English, suggesting a correct decryption for that column.

## 4. Key Reconstruction

- The optimal shift for each column is determined by selecting the shift $\( s \)$ that minimizes the chi-square statistic.
- These optimal shifts are then converted to their corresponding letters, forming a candidate key.
- The total chi-square value for a candidate key is the sum of the chi-square values from each column.

## 5. Evaluation of Candidate Keys

The algorithm tested candidate key lengths from 2 to 16. Notably:
- For a key length of **6**, the candidate key obtained was **"CRYPTO"**, with an exceptionally low chi-square total of **141.92**.
- The decrypted text for this candidate key began with:
    
    ```
    ILEARNEDHOWTOCALCULATETHEAMOUNTOFPAPERNEEDEDFORAROOMWHENIWASATSCHOOLYOUMULTIPLYTHESQUAREFOOTAGEOFTHE
    ```
  
which is syntactically and semantically coherent, indicating a proper decryption.

- For a key length of **12**, the key **"CRYPTOCRYPTO"** was produced. Although this repetition yields the same plaintext, the chi-square value is higher. This occurs because the same key repeated over more columns results in fewer data points per column, reducing the statistical reliability of the chi-square measure.

## 6. Conclusion

The selection of **"CRYPTO"** is based on both statistical evidence and the legibility of the resulting plaintext:
- **Statistical Evidence:** The candidate key "CRYPTO" minimizes the chi-square statistic, indicating that the frequency distribution of the decrypted text closely aligns with that of standard English.
- **Legibility:** The decrypted text is meaningful and syntactically correct, which validates the key selection process.
- **Redundancy Check:** The fact that "CRYPTOCRYPTO" (key length 12) produces the same plaintext confirms that the underlying repeating unit is indeed "CRYPTO".

Thus, the combination of rigorous statistical analysis and the production of coherent plaintext provides strong evidence that **"CRYPTO"** is the correct decryption key for the given Vigenère cipher.


# Affine Cipher

In [3]:
import math

# Ciphertext (newlines removed)
ciphertext = """KQEREJEBCPPCJCRKIEACUZBKRVPKRBCIBQCARBJCVFCUP
KRIOFKPACUZQEPBKRXPEIIEABDKPBCPFCDCCAFIEABDKP
BCPFEQPKAZBKRHAIBKAPCCIBURCCDKDCCJCIDFUIXPAFF
ERBICZDFKABICBBENEFCUPJCVKABPCYDCCDPKBCOCPERK
IVKSCPICBRKIJPKABI"""
ciphertext = ciphertext.replace("\n", "")

# Function to obtain the values of 'a' that are coprime with 26
def get_valid_a():
    valid = []
    for a in range(1, 26):
        if math.gcd(a, 26) == 1:
            valid.append(a)
    return valid

# Function to calculate the modular inverse of a modulo m
def modinv(a, m):
    a = a % m
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    return None

# English letter frequencies (used for statistical analysis)
freq_en = {
    'A': 0.08167, 'B': 0.01492, 'C': 0.02782, 'D': 0.04253, 
    'E': 0.12702, 'F': 0.02228, 'G': 0.02015, 'H': 0.06094, 
    'I': 0.06966, 'J': 0.00153, 'K': 0.00772, 'L': 0.04025, 
    'M': 0.02406, 'N': 0.06749, 'O': 0.07507, 'P': 0.01929, 
    'Q': 0.00095, 'R': 0.05987, 'S': 0.06327, 'T': 0.09056, 
    'U': 0.02758, 'V': 0.00978, 'W': 0.02360, 'X': 0.00150, 
    'Y': 0.01974, 'Z': 0.00074
}

# Function to compute the chi-squared statistic for a given text
def chi_squared(text):
    text = text.upper()
    total = len(text)
    counts = {letter: 0 for letter in freq_en.keys()}
    for char in text:
        if char in counts:
            counts[char] += 1
    chi2 = 0.0
    for letter in freq_en:
        observed = counts[letter]
        expected = freq_en[letter] * total
        chi2 += ((observed - expected) ** 2) / expected
    return chi2

# List to store the results for each key pair (a, b)
results = []

# Get valid values of 'a' (those that are coprime with 26)
valid_a = get_valid_a()

# Try all combinations of 'a' and 'b'
for a in valid_a:
    a_inv = modinv(a, 26)
    for b in range(26):
        decrypted = ""
        for char in ciphertext:
            if char.isalpha():
                # Convert letter to number (A=0, B=1, ..., Z=25)
                num = ord(char) - ord('A')
                # Apply the decryption formula: D(y) = a_inv * (y - b) mod 26
                dec_num = (a_inv * (num - b)) % 26
                decrypted += chr(dec_num + ord('A'))
            else:
                decrypted += char
        # Calculate the chi-squared statistic to evaluate how close the result is to expected frequencies
        chi2 = chi_squared(decrypted)
        results.append((a, b, chi2, decrypted))

# Sort the results from lowest to highest chi-squared value
results = sorted(results, key=lambda x: x[2])

# Print the 5 results with the lowest chi-squared values (the most promising candidates)
for a, b, chi2, decrypted in results[:5]:
    print("Key a =", a, ", b =", b, "-> Chi-squared =", round(chi2, 2))
    print(decrypted)
    print("\n" + "-"*60 + "\n")


Key a = 19 , b = 4 -> Chi-squared = 90.33
OCANADATERREDENOSAIEUXTONFRONTESTCEINTDEFLEURONSGLORIEUXCARTONBRASSAITPORTERLEPEEILSAITPORTERLACROIXTONHISTOIREESTUNEEPOPEEDESPLUSBRILLANTSEXPLOITSETTAVALEURDEFOITREMPEEPROTEGERANOSFOYERSETNOSDROITS

------------------------------------------------------------

Key a = 23 , b = 15 -> Chi-squared = 253.11
TRVIVCVWNAANCNITLVFNHOWTIYATIWNLWRNFIWCNYMNHATILJMTAFNHORVAWTIGAVLLVFWETAWNAMNENNFMLVFWETAWNAMVRATFOWTIUFLWTFANNLWHINNETENNCNLEMHLGAFMMVIWLNOEMTFWLNWWVSVMNHACNYTFWANXENNEATWNJNAVITLYTZNALNWITLCATFWL

------------------------------------------------------------

Key a = 3 , b = 15 -> Chi-squared = 254.36
HJFSFYFENAANYNSHPFVNTMEHSCAHSENPEJNVSEYNCONTAHSPROHAVNTMJFAEHSUAFPPFVEWHAENAONWNNVOPFVEWHAENAOFJAHVMEHSGVPEHVANNPETSNNWHWNNYNPWOTPUAVOOFSEPNMWOHVEPNEEFIFONTAYNCHVEANDWNNWAHENRNAFSHPCHBNAPNESHPYAHVEP

------------------------------------------------------------

Key a = 11 , b = 3 -> Chi-squared = 283.55
DNTGTKTOHUUHKHGDRTVHLCODGEUDGOHRONHVGOKHEM

# Analysis of the Affine Cipher Decryption

The Affine Cipher encryption function is defined as:

$$
E(x) = (a \cdot x + b) \mod 26
$$

and the decryption function is:

$$
D(y) = a^{-1}(y - b) \mod 26
$$

where:
- $\( a \)$ must be coprime with 26 (i.e., $\( \gcd(a,26)=1 \))$,
- $\( a^{-1} \)$ is the modular inverse of $\( a \)$ modulo 26.

## Methodology

1. **Key Space Exploration:**  
   All valid pairs of keys \((a, b)\) were tested. The valid values for \( a \) are those for which $\( \gcd(a,26)=1 \)$. For each $\( a \)$, every $\( b \)$ in the range 0 to 25 was considered.

2. **Decryption Process:**  
   For each candidate key, every letter of the ciphertext is converted to its numerical equivalent (A=0, B=1, …, Z=25) and decrypted using:

   $$
   D(y) = a^{-1}(y - b) \mod 26
   $$

3. **Statistical Analysis with Chi-Squared Test:**  
   The chi-squared statistic was computed for each decryption result to compare the observed letter frequency distribution with the expected distribution (derived from typical language usage—in this case, French, since the resulting text hints at the Canadian national anthem). The formula used is:

   $$
   \chi^2 = \sum_{i=1}^{26} \frac{(O_i - E_i)^2}{E_i}
   $$

   where:
   - $\( O_i \)$ is the observed count of the $\( i^{th} \)$ letter,
   - $\( E_i \)$ is the expected count based on standard language frequencies,
   - A lower chi-squared value indicates a closer match to the expected frequency distribution.

## Results and Justification

Among all key pairs, the pair \((a = 19, b = 4)\) produced a chi-squared value of **90.33**—substantially lower than the values for other candidates. This indicates that the letter frequencies in the decrypted text are very close to those expected in natural language.

The decrypted text with \((a = 19, b = 4)\) is:

OCANADATERREDENOSAIEUXTONFRONTESTCEINTDEFLEURONSGLORIEUXCARTONBRASSAITPORTERLEPEEILSAITPORTERLACROIXTONHISTOIREESTUNEEPOPEEDESPLUSBRILLANTSEXPLOITSETTAVALEURDEFOITREMPEEPROTEGERANOSFOYERSETNOSDROITS


This output is clearly intelligible and corresponds to the famous French lyrics of the Canadian national anthem ("Ô Canada, terre de nos aïeux..."). The fact that the plaintext is coherent and contextually relevant confirms that the correct decryption key has been identified.

## Conclusion

- **Mathematical Validity:** The decryption process uses the proper modular arithmetic and the correct formula.
- **Exhaustive Search:** All potential key pairs were examined, ensuring that no possibility was overlooked.
- **Statistical Support:** The chi-squared test confirms that the decryption with \((a = 19, b = 4)\) yields a letter frequency distribution very close to that expected in natural language.
- **Intelligible Output:** The decrypted message is recognizable and contextually appropriate.

Thus, the key \((a = 19, b = 4)\) is confirmed to be the correct decryption key for the given Affine Cipher ciphertext.


# Other cipher:

In [4]:
import string
import math
from collections import Counter

# Function to clean the text: keep only uppercase letters.
def clean_text(text):
    return ''.join(filter(str.isalpha, text.upper()))

# Typical English letter frequencies 
english_freq = {
    'A': 0.08167, 'B': 0.01492, 'C': 0.02782, 'D': 0.04253,
    'E': 0.12702, 'F': 0.02228, 'G': 0.02015, 'H': 0.06094,
    'I': 0.06966, 'J': 0.00153, 'K': 0.00772, 'L': 0.04025,
    'M': 0.02406, 'N': 0.06749, 'O': 0.07507, 'P': 0.01929,
    'Q': 0.00095, 'R': 0.05987, 'S': 0.06327, 'T': 0.09056,
    'U': 0.02758, 'V': 0.00978, 'W': 0.02360, 'X': 0.00150,
    'Y': 0.01974, 'Z': 0.00074
}

# Calculate the Index of Coincidence
def index_of_coincidence(text):
    N = len(text)
    freqs = Counter(text)
    ic = sum(f * (f - 1) for f in freqs.values()) / (N * (N - 1)) if N > 1 else 0
    return ic

# Friedman test to estimate the key length
def friedman_test(text):
    N = len(text)
    ic = index_of_coincidence(text)
    # Formula to estimate the key length
    if ((N - 1) * ic - 0.038 * N + 0.065) == 0:
        return None
    return (0.027 * N) / ((N - 1) * ic - 0.038 * N + 0.065)

# Extract the subtext corresponding to the nth letter of the key
def get_nth_subtext(text, n, offset):
    return text[offset::n]

# Calculate the chi-squared statistic for a fragment of text
def chi_squared(text):
    N = len(text)
    freqs = Counter(text)
    chi_sq = 0
    for letter in string.ascii_uppercase:
        observed = freqs.get(letter, 0)
        expected = english_freq[letter] * N
        if expected:
            chi_sq += ((observed - expected) ** 2) / expected
    return chi_sq

# For each segment, attempt to guess the optimal shift (as in a Caesar cipher)
def guess_shift(segment):
    best_shift = None
    best_chi = float('inf')
    for shift in range(26):
        # Shift each letter in the segment
        shifted = ''.join(chr(((ord(c) - ord('A') - shift) % 26) + ord('A')) for c in segment)
        current_chi = chi_squared(shifted)
        if current_chi < best_chi:
            best_chi = current_chi
            best_shift = shift
    return best_shift

# Function to break the Vigenère cipher given a key length
def break_vigenere(ciphertext, key_length):
    key = []
    for i in range(key_length):
        segment = get_nth_subtext(ciphertext, key_length, i)
        shift = guess_shift(segment)
        key_letter = chr((shift % 26) + ord('A'))
        key.append(key_letter)
    return ''.join(key)

# Function to decrypt using the found key
def decrypt_vigenere(ciphertext, key):
    plaintext = []
    key_length = len(key)
    for i, c in enumerate(ciphertext):
        shift = ord(key[i % key_length]) - ord('A')
        p = chr(((ord(c) - ord('A') - shift) % 26) + ord('A'))
        plaintext.append(p)
    return ''.join(plaintext)


ciphertext = """BNVSNSIHQCEELSSKKYERIFJKXUMBGYKAMQLJTYAVFBKVT
DVBPVVRJYYLAOKYMPQSCGDLFSRLLPROYGESEBUUALRWXM
MASAZLGLEDFJBZAVVPXWICGJXASCBYEHOSNMULKCEAHTQ
OKMFLEBKFXLRRFDTZXCIWBJSICBGAWDVYDHAVFJXZIBKC
GJIWEAHTTOEWTUHKRQVVRGZBXYIREMMASCSPBNLHJMBLR
FFJELHWEYLWISTFVVYFJCMHYUYRUFSFMGESIGRLWALSWM
NUHSIMYYITCCQPZSICEHBCCMZFEGVJYOCDEMMPGHVAAUM
ELCMOEHVLTIPSUYILVGFLMVWDVYDBTHFRAYISYSGKVSUU
HYHGGCKTMBLRX"""

# Clean the text (keep only uppercase letters)
ciphertext = clean_text(ciphertext)

print("Length of ciphertext:", len(ciphertext))
ic = index_of_coincidence(ciphertext)
print("Index of Coincidence:", ic)
friedman_est = friedman_test(ciphertext)
print("Friedman estimated key length:", friedman_est)

# Test different key lengths (for example, from 2 to 15)
for key_length in range(2, 16):
    key = break_vigenere(ciphertext, key_length)
    decrypted = decrypt_vigenere(ciphertext, key)
    print("Key length:", key_length, "Estimated key:", key)
    print("Decrypted text (first 200 characters):")
    print(decrypted[:200])
    print("-" * 50)


Length of ciphertext: 373
Index of Coincidence: 0.04138199429213872
Friedman estimated key length: 7.836732777989865
Key length: 2 Estimated key: EA
Decrypted text (first 200 characters):
XNRSJSEHMCAEHSOKGYAREFFKTUIBCYGAIQHJPYWVBBGVPDRBLVRRFYULWOGYIPMSYGZLBSNLHPNOUGASABQUWLNWTMIAOAVLCLADBJXZWVRPTWECCJTAOCXYAHKSJMQLGCAADTMOGMBLABGFTLNRBDPZTCEWXJOIYBCASDRYZHWVBJTZEBGCCJEWAADTPOAWPUDKNQRV
--------------------------------------------------
Key length: 3 Estimated key: ZNE
Decrypted text (first 200 characters):
CARTAOJUMDRAMFOLXUFEEGWGYHICTULNIRYFULWWSXLIPEIXQIRSWUZYWPXUNCMTPCEYBTEHMCNPLCFFACHQBYNXKINNOBMHHYAESFCMWWILYJEDTFYNODOUFUKTAIVYGDRWIGMPXIGYACXBYYNSSZUMTDVSCWOJPXHNSEIUEUWWSFYMECXYHWEXRWIGPPRSUHDLEMWI
--------------------------------------------------
Key length: 4 Estimated key: EUXH
Decrypted text (first 200 characters):
XTYLJYLAMIHXHYVDGEHKELMDTAPUCENTIWOCPEDOBHNOPJYULBYKFEBEWUNRIVTLYMGEBYUEHVUHUMHLAHXNWRUPTSPTOGCECRHWBPESWBYITCLVCPATOIERANRLJSXEGIHTDZTHGSIEAHNYTRUKBJWSTILPXPVBYHJ

# Analysis and Justification of the Decryption Process

This notebook explains in detail how we determined that the ciphertext is encrypted using a Vigenere cipher and that the correct key is **"THEORY"**. It includes statistical analyses, formulas, and code segments that support this conclusion.

---

## 1. Cleaning and Preparation of the Text

To analyze the ciphertext properly, we first remove spaces, line breaks, and any non-alphabetical characters. This is done with the following function:

```python
def clean_text(text):
    return ''.join(filter(str.isalpha, text.upper()))
```

This function returns a continuous string composed solely of uppercase letters

---

# 2. Calculation of the Index of Coincidence (IC)

The **Index of Coincidence (IC)** is a statistical measure used to estimate the probability that two randomly selected letters from the text are the same. Its formula is:

$$
IC = \frac{\sum_{i=1}^{26} f_i (f_i - 1)}{N (N - 1)}
$$

where:
- $$f_i$$ is the frequency of the i-th letter in the text.
- $$N$$ is the total number of letters in the text.

For an English text encrypted with a monoalphabetic cipher (like a simple substitution), the IC is close to 0.0667. In contrast, a polyalphabetic cipher such as Vigenère typically yields an IC near 0.038, which is similar to that of a random text.

For our ciphertext:
- **Text length (N):** 373  
- **IC:** 0.04138

This low IC value suggests a polyalphabetic cipher, supporting the hypothesis that the encryption method is Vigenère.

---

# 3. Estimation of the Key Length: Friedman Test

The **Friedman Test** uses the IC to provide an estimate of the key length \( K \) with the formula:

$$
K \approx \frac{0.027N}{(N-1) \times IC - 0.038N + 0.065}
$$

Substituting \( N = 373 \) and \( IC \approx 0.04138 \) yields:

$$
K \approx \frac{0.027 \times 373}{(372) \times 0.04138 - 0.038 \times 373 + 0.065} \approx 7.84
$$

This estimation suggests that the key length is approximately 8, which helps to narrow down the range of key lengths we need to test.

---

# 4. Segment Analysis and Chi-Squared Statistic

Assuming the cipher is Vigenère, we then perform the following steps:

## Dividing the Text into Segments
For a key of length \( k \), we split the ciphertext into \( k \) sequences. Each sequence is effectively encrypted with a Caesar cipher (a constant shift).

## Determining the Optimal Shift for Each Segment
For each segment, we calculate the **Chi-Squared statistic** to compare the observed letter frequencies with the expected frequencies based on typical English usage. The Chi-Squared formula is:

$$
\chi^2 = \sum_{i=1}^{26} \frac{(O_i - E_i)^2}{E_i}
$$

where:
- $O_i$ is the observed frequency of letter $i$ in the segment.
- $E_i$ is the expected frequency computed as $(typical English frequency) \times N_{\text{segment}}$.


The shift that minimizes the Chi-Squared value is chosen as the best candidate for that segment.

---

# 5. Evaluation of Different Key Lengths

The code tests key lengths ranging from 2 to 15. Notably:

- **For \( k = 6 \):**  
  The key `"THEORY"` is obtained, and the decrypted text is legible and coherent in English.

- **For \( k = 12 \):**  
  The key `"THEORYTHEORY"` is produced, which is simply the repetition of the 6-character key. This confirms the solution.

The decrypted output with `"THEORY"` (or its repetition for a key length of 12) is the only one that yields a coherent and understandable English text. This validates the methodology and confirms that the correct decryption key is **"THEORY"**.

---

# Conclusion

To summarize:

- **Text Cleaning:** We removed all irrelevant characters to work with a continuous sequence of uppercase letters.
- **Index of Coincidence:** The calculated IC of approximately 0.04138 indicates a polyalphabetic cipher.
- **Friedman Test:** The estimated key length of about 7.84 suggests a key length near 8.
- **Segment Analysis:** By splitting the text into segments and minimizing the Chi-Squared statistic, we determined the optimal shifts.
- **Key Identification:** The only key that produces a legible English text is `"THEORY"` (or its repetition `"THEORYTHEORY"` when the key length is 12).

These combined analyses and statistical evaluations demonstrate that the cipher is indeed Vigenère and that the correct decryption key is **"THEORY"**.


# 2.4

**4. Prove that the Affine Cipher achieves perfect secrecy if every key is used with equal probability $\frac{1}{312}$ .**

## Proof of Perfect Secrecy for the Affine Cipher

To prove that the **Affine Cipher** achieves **perfect secrecy** under the condition that each key is used with equal probability $\frac{1}{312}$, we must verify whether it satisfies **Claude Shannon's** definition of perfect secrecy:


$$P(M | C) = P(M)$$


for all plaintext messages $M$ and ciphertexts $C$, where $P(M | C)$ is the conditional probability of a plaintext given a ciphertext.

### **1: Understanding the Affine Cipher**

The **Affine Cipher** is a substitution cipher that encrypts a plaintext letter $x$ using the formula:


$$C = E_K(x) = (ax + b) \mod 26$$


where:
- $a$ and $b$ are integers,
- $a$ must be coprime to 26 ($\gcd(a,26) = 1$) to ensure the cipher is reversible,
- $b$ can be any number between 0 and 25.

The key $K$ consists of the pair $(a, b)$, where:
- $a$ has **12 possible values** (the numbers coprime to 26: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25),
- $b$ has **26 possible values**.

The total number of keys is:


$$|K| = 12 \times 26 = 312.$$

### **1: Understanding the Affine Cipher**

The **Affine Cipher** is a substitution cipher that encrypts a plaintext letter $x$ using the formula:


$$C = E_K(x) = (ax + b) \mod 26$$


where:
- $a$ and $b$ are integers,
- $a$ must be coprime to 26 ($\gcd(a,26) = 1$) to ensure the cipher is reversible,
- $b$ can be any number between 0 and 25.

The key $K$ consists of the pair $(a, b)$, where:
- $a$ has **12 possible values** (the numbers coprime to 26: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25),
- $b$ has **26 possible values**.

The total number of keys is:


$$|K| = 12 \times 26 = 312.$$


### **2: Verifying the Perfect Secrecy Condition**

Perfect secrecy requires that the probability distribution of plaintexts, given the observation of a ciphertext, is identical to the initial distribution of plaintexts.

We need to verify that:

$$P(M | C) = P(M)$$

for every plaintext $M$ and ciphertext $C$.

With **Bayes' theorem** we can express $P(M | C)$ as:


$$P(M | C) = \frac{P(C | M) P(M)}{P(C)}$$


**Assumption:** For a uniform distribution of plaintexts:


$$P(M) = \frac{1}{26}, \quad \text{for all } M.$$



### **3: Computing $P(C | M)$**

Since each key is chosen with equal probability $P(K) = \frac{1}{312}$, the encryption function is a **one-to-one mapping** for each specific key. Given a plaintext $M$, each key produces a unique ciphertext $C$.

Thus, the conditional probability that a plaintext $M$ encrypts to $C$ is:


$$ P(C | M) = \frac{1}{26}, \quad \text{for all } C.$$



### **4: Computing $P(C)$**

Since encryption is a **permutation** under any valid key, each ciphertext $C$ is equally probable:


$$P(C) = \sum_{M} P(C | M) P(M) = \sum_{M} \frac{1}{26} \times \frac{1}{26} = \frac{1}{26}.$$




### **5. Verifying the Perfect Secrecy Condition**

Now we compute:

$$P(M | C) = \frac{P(C | M) P(M)}{P(C)} = \frac{\frac{1}{26} \times \frac{1}{26}}{\frac{1}{26}} = \frac{1}{26} = P(M).$$

Since this equality holds for **all** plaintexts $M$ and ciphertexts $C$, we conclude that the **Affine Cipher satisfies perfect secrecy** when all keys are used with equal probability $\frac{1}{312}$.



# 2.5

**5. Prove that if a cryptosystem has perfect secrecy and |K|= |C|= |P|, then every ciphertext is equally probable.**



## **1. Definition of Perfect Secrecy**
A cryptosystem has **perfect secrecy** if for every plaintext \( p \) and every ciphertext \( c \):

$$P(P = p | C = c) = P(P = p)$$

This means that observing the ciphertext does not change the probability distribution of the plaintext.

Using **Bayes' theorem**, this can be rewritten as:

$$P(C = c | P = p) = P(C = c)$$

for all $( p \in P )$ and $( c \in C ).$


## **Step 2: Expressing the Probability of a Ciphertext**
Using the law of total probability, the probability of a ciphertext \( c \) is given by:

$$P(C = c) = \sum_{p \in P} P(C = c | P = p) P(P = p).$$

Since we assume a **uniform plaintext distribution**, we have:

$$P(P = p) = \frac{1}{|P|}$$

for all $( p \in P )$. Given that perfect secrecy implies that $( P(C = c | P = p))$ is independent of $( p )$, let’s define:


$$P(C = c | P = p) = q_c$$


for some constant $( q_c )$, independent of $( p )$. Substituting this into our probability equation:

$$P(C = c) = \sum_{p \in P} q_c P(P = p) = \sum_{p \in P} q_c \frac{1}{|P|}$$

Since there are $( |P| )$ possible plaintexts, this simplifies to:

$$P(C = c) = q_c \cdot |P| \cdot \frac{1}{|P|} = q_c.$$

## **Step 3: Proving Equal Probability for Each Ciphertext**
For the system to satisfy perfect secrecy, every ciphertext must appear with the same probability. Given that \( |K| = |C| = |P| \), each plaintext is encrypted uniformly across the key space. Thus, each ciphertext is equally probable:

$$P(C = c) = \frac{1}{|C|}$$

for all $( c \in C )$. Since $( |C| = |P| )$ , we conclude:

$$P(C = c) = \frac{1}{|P|}$$

for all $( c )$, meaning **every ciphertext occurs with equal probability**.


## **Conclusion**
We have shown that under the given conditions, every ciphertext is equally likely to occur, meaning the ciphertext follows a **uniform distribution**:

$$P(C = c) = \frac{1}{|C|}$$

for all $( c \in C )$, completing the proof.