## Functions

In [None]:
# Converts a number in base10 to base2.

def to_binary(num_10):
  N = num_10
  output = ''

  while N > 1:
    if N % 2 == 1:
      output += '1'
      N = (N-1) // 2
      continue

    N = N // 2
    output += '0'
  output += '1'

  return output[::-1]

# Euclid's algorithm.
def gcd(a, b):
  if a < b:
    a, b = b, a
  # Get the remainder when a is divided by b: a = b*k + r, where 0 <= r < b.
  r = a % b
  # If r = 0 then b | a and we are done.
  if r == 0:
    return b
  # If b does not divide a then the gcd(a, b) will be the largest integer dividing b and r.
  return gcd(b, r)

# (!) DO NOT USE. The Bezout coefficients are wrong.
# Need to figure out why this is wrong.
def wrong_ext_gcd(a, b):
  if a < b:
    a, b = b, a

  # Initialize.
  s_prev, t_prev = 1, 0
  s, t = 0, 1
  q = a // b
  r_prev, r = b, a % b

  while True:
    # We will need to update both s, t and s_next, t_next
    s_tmp, t_tmp = s, t
    # Update step is s_n = s_{n-2} - q_n*s_{n-1} and similarly for t_n.
    s, t = s_prev - q*s, t_prev - q*t
    # Update s, t
    s_prev, t_prev = s_tmp, t_tmp
    print(s_prev, t_prev)
    if r == 0:
      return r_prev, s, t
    # Else update r's and q.
    # r != 0
    q = r_prev // r
    r_prev, r = r, r_prev % r

# Correct implementation. This works for the same reason that the gcd algorithm works:
# because gcd(a, b) = gcd(b, a mod b). Assuming that gcd(b, a mod b) = bx + (a mod b)y,
# substitute a mod b = a - a // b to get that gcd(a, b) = ay + b(x - (a // b)*y).
def ext_gcd(a, b):
  if b == 0:
    return (a, 1, 0)
  gcd, x1, y1 = ext_gcd(b, a % b)
  x = y1
  y = x1 - (a // b) * y1
  return (gcd, x, y)

def legendre_symbol(a, p):
    """Compute the Legendre symbol (a | p)"""
    ls = pow(a, (p - 1) // 2, p)
    return -1 if ls == p - 1 else ls

# Tonelli-Shanks algorithm (ChatGPT)
def tonelli_shanks(a, p):
    """
    Solve for x such that x^2 ≡ a mod p, using the Tonelli–Shanks algorithm.
    Requires that p is an odd prime and a is a quadratic residue mod p.
    Returns one solution (the other is p - x).
    Raises ValueError if no square root exists.
    """
    if legendre_symbol(a, p) != 1:
        raise ValueError(f"{a} is not a square mod {p}")

    # Handle the easy case
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)

    # Step 1: Factor p-1 = Q * 2^S with Q odd
    Q = p - 1
    S = 0
    while Q % 2 == 0:
        Q //= 2
        S += 1

    # Step 2: Find a non-residue z
    for z in range(2, p):
        if legendre_symbol(z, p) == -1:
            break
    c = pow(z, Q, p)

    # Step 3: Initialize variables
    R = pow(a, (Q + 1) // 2, p)
    t = pow(a, Q, p)
    M = S

    # Step 4: Loop until t == 1
    while t != 1:
        # Find the least i such that t^(2^i) ≡ 1
        i = 1
        temp = pow(t, 2, p)
        while temp != 1:
            temp = pow(temp, 2, p)
            i += 1
            if i == M:
                raise Exception("No solution found")

        # Update variables
        b = pow(c, 1 << (M - i - 1), p)
        R = (R * b) % p
        t = (t * b * b) % p
        c = (b * b) % p
        M = i

    return R


## GCD

In [None]:
import math

In [None]:
a, b = 66528, 52920

gcd(a, b)

1512

## Extended GCD

In [None]:
p = 26513
q = 32321

ext_gcd(p, q)

(1, 10245, -8404)

In [None]:
-1524*p + 125*q

1

## Modular Arithmetic 1

In [None]:
8146798528947 % 17

4

## Modular Inverting

In [None]:
3**11 % 13

9

## Quadratic Residues

In [None]:
p, ints = 29, [14, 6, 11]

# First use pow(a, (p-1)//2, p) to check if a quadratic residue can exist.
# If the result is 1, then a is a QR; if -1, it is not.
for a in ints:
  print(a, pow(a, (p-1)//2, p))

14 28
6 1
11 28


In [None]:
# So 6 is the QR mod 29. To find its square roots, we'll use brute force for now:
for n in range(29):
  if pow(n, 2, 29) == 6:
    print(n, 29-n)
    break

8 21


## Legendre Symbol

In [None]:
p = 101524035174539890485408575671085261788758965189060164484385690801466167356667036677932998889725476582421738788500738738503134356158197247473850273565349249573867251280253564698939768700489401960767007716413932851838937641880157263936985954881657889497583485535527613578457628399173971810541670838543309159139


In [None]:
ints = [25081841204695904475894082974192007718642931811040324543182130088804239047149283334700530600468528298920930150221871666297194395061462592781551275161695411167049544771049769000895119729307495913024360169904315078028798025169985966732789207320203861858234048872508633514498384390497048416012928086480326832803, 45471765180330439060504647480621449634904192839383897212809808339619841633826534856109999027962620381874878086991125854247108359699799913776917227058286090426484548349388138935504299609200377899052716663351188664096302672712078508601311725863678223874157861163196340391008634419348573975841578359355931590555, 17364140182001694956465593533200623738590196990236340894554145562517924989208719245429557645254953527658049246737589538280332010533027062477684237933221198639948938784244510469138826808187365678322547992099715229218615475923754896960363138890331502811292427146595752813297603265829581292183917027983351121325, 14388109104985808487337749876058284426747816961971581447380608277949200244660381570568531129775053684256071819837294436069133592772543582735985855506250660938574234958754211349215293281645205354069970790155237033436065434572020652955666855773232074749487007626050323967496732359278657193580493324467258802863, 4379499308310772821004090447650785095356643590411706358119239166662089428685562719233435615196994728767593223519226235062647670077854687031681041462632566890129595506430188602238753450337691441293042716909901692570971955078924699306873191983953501093343423248482960643055943413031768521782634679536276233318, 85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771, 50576597458517451578431293746926099486388286246142012476814190030935689430726042810458344828563913001012415702876199708216875020997112089693759638454900092580746638631062117961876611545851157613835724635005253792316142379239047654392970415343694657580353333217547079551304961116837545648785312490665576832987, 96868738830341112368094632337476840272563704408573054404213766500407517251810212494515862176356916912627172280446141202661640191237336568731069327906100896178776245311689857997012187599140875912026589672629935267844696976980890380730867520071059572350667913710344648377601017758188404474812654737363275994871, 4881261656846638800623549662943393234361061827128610120046315649707078244180313661063004390750821317096754282796876479695558644108492317407662131441224257537276274962372021273583478509416358764706098471849536036184924640593888902859441388472856822541452041181244337124767666161645827145408781917658423571721, 18237936726367556664171427575475596460727369368246286138804284742124256700367133250078608537129877968287885457417957868580553371999414227484737603688992620953200143688061024092623556471053006464123205133894607923801371986027458274343737860395496260538663183193877539815179246700525865152165600985105257601565]

In [None]:
# Note the following: if p = 3 mod 4 and (a/p) = 1 mod p, then the square roots of a are simply \pm a^{(p+1)//4}.
p % 4

3

In [None]:
# Check reciprocity of ints:
print("The following indices are quadratic residues:")
for i in range(len(ints)):
  if pow(ints[i], (p-1)//2, p) == 1:
    print(i)

The following indices are quadratic residues:
5


In [None]:
# Now since p = 3 mod 4 we can use the formula stated earlier.
a = ints[5]

print("The root with smallest magnitude is: ")
root = pow(a, (p+1)//4, p)
print(max(root, -root % p))

The root with smallest magnitude is: 
93291799125366706806545638475797430512104976066103610269938025709952247020061090804870186195285998727680200979853848718589126765742550855954805290253592144209552123062161458584575060939481368210688629862036958857604707468372384278049741369153506182660264876115428251983455344219194133033177700490981696141526


## Modular Square Root

In [None]:
a = 8479994658316772151941616510097127087554541274812435112009425778595495359700244470400642403747058566807127814165396640215844192327900454116257979487432016769329970767046735091249898678088061634796559556704959846424131820416048436501387617211770124292793308079214153179977624440438616958575058361193975686620046439877308339989295604537867493683872778843921771307305602776398786978353866231661453376056771972069776398999013769588936194859344941268223184197231368887060609212875507518936172060702209557124430477137421847130682601666968691651447236917018634902407704797328509461854842432015009878011354022108661461024768

In [None]:
p = 30531851861994333252675935111487950694414332763909083514133769861350960895076504687261369815735742549428789138300843082086550059082835141454526618160634109969195486322015775943030060449557090064811940139431735209185996454739163555910726493597222646855506445602953689527405362207926990442391705014604777038685880527537489845359101552442292804398472642356609304810680731556542002301547846635101455995732584071355903010856718680732337369128498655255277003643669031694516851390505923416710601212618443109844041514942401969629158975457079026906304328749039997262960301209158175920051890620947063936347307238412281568760161

In [None]:
# Can't use simple formula because p is not 3 mod 4. Have to use Tonelli-Shanks algorithm.
# Sage has Tonelli-Shanks built in.
p % 4

1

In [None]:
tonelli_shanks(a, p)

2362339307683048638327773298580489298932137505520500388338271052053734747862351779647314176817953359071871560041125289919247146074907151612762640868199621186559522068338032600991311882224016021222672243139362180461232646732465848840425458257930887856583379600967761738596782877851318489355679822813155123045705285112099448146426755110160002515592418850432103641815811071548456284263507805589445073657565381850521367969675699760755310784623577076440037747681760302434924932113640061738777601194622244192758024180853916244427254065441962557282572849162772740798989647948645207349737457445440405057156897508368531939120

## Chinese Remainder Theorem

In [None]:
pow(6, -1, 11)

2

In [None]:
17*51 + 5

872

In [None]:
ints = [5, 11, 17]

for n in ints:
  print(n, 872 % n)

5 2
11 3
17 5


## Adrien's Signs

In [None]:
output = [67594220461269, 501237540280788, 718316769824518, 296304224247167, 48290626940198, 30829701196032, 521453693392074, 840985324383794, 770420008897119, 745131486581197, 729163531979577, 334563813238599, 289746215495432, 538664937794468, 894085795317163, 983410189487558, 863330928724430, 996272871140947, 352175210511707, 306237700811584, 631393408838583, 589243747914057, 538776819034934, 365364592128161, 454970171810424, 986711310037393, 657756453404881, 388329936724352, 90991447679370, 714742162831112, 62293519842555, 653941126489711, 448552658212336, 970169071154259, 339472870407614, 406225588145372, 205721593331090, 926225022409823, 904451547059845, 789074084078342, 886420071481685, 796827329208633, 433047156347276, 21271315846750, 719248860593631, 534059295222748, 879864647580512, 918055794962142, 635545050939893, 319549343320339, 93008646178282, 926080110625306, 385476640825005, 483740420173050, 866208659796189, 883359067574584, 913405110264883, 898864873510337, 208598541987988, 23412800024088, 911541450703474, 57446699305445, 513296484586451, 180356843554043, 756391301483653, 823695939808936, 452898981558365, 383286682802447, 381394258915860, 385482809649632, 357950424436020, 212891024562585, 906036654538589, 706766032862393, 500658491083279, 134746243085697, 240386541491998, 850341345692155, 826490944132718, 329513332018620, 41046816597282, 396581286424992, 488863267297267, 92023040998362, 529684488438507, 925328511390026, 524897846090435, 413156582909097, 840524616502482, 325719016994120, 402494835113608, 145033960690364, 43932113323388, 683561775499473, 434510534220939, 92584300328516, 763767269974656, 289837041593468, 11468527450938, 628247946152943, 8844724571683, 813851806959975, 72001988637120, 875394575395153, 70667866716476, 75304931994100, 226809172374264, 767059176444181, 45462007920789, 472607315695803, 325973946551448, 64200767729194, 534886246409921, 950408390792175, 492288777130394, 226746605380806, 944479111810431, 776057001143579, 658971626589122, 231918349590349, 699710172246548, 122457405264610, 643115611310737, 999072890586878, 203230862786955, 348112034218733, 240143417330886, 927148962961842, 661569511006072, 190334725550806, 763365444730995, 516228913786395, 846501182194443, 741210200995504, 511935604454925, 687689993302203, 631038090127480, 961606522916414, 138550017953034, 932105540686829, 215285284639233, 772628158955819, 496858298527292, 730971468815108, 896733219370353, 967083685727881, 607660822695530, 650953466617730, 133773994258132, 623283311953090, 436380836970128, 237114930094468, 115451711811481, 674593269112948, 140400921371770, 659335660634071, 536749311958781, 854645598266824, 303305169095255, 91430489108219, 573739385205188, 400604977158702, 728593782212529, 807432219147040, 893541884126828, 183964371201281, 422680633277230, 218817645778789, 313025293025224, 657253930848472, 747562211812373, 83456701182914, 470417289614736, 641146659305859, 468130225316006, 46960547227850, 875638267674897, 662661765336441, 186533085001285, 743250648436106, 451414956181714, 527954145201673, 922589993405001, 242119479617901, 865476357142231, 988987578447349, 430198555146088, 477890180119931, 844464003254807, 503374203275928, 775374254241792, 346653210679737, 789242808338116, 48503976498612, 604300186163323, 475930096252359, 860836853339514, 994513691290102, 591343659366796, 944852018048514, 82396968629164, 152776642436549, 916070996204621, 305574094667054, 981194179562189, 126174175810273, 55636640522694, 44670495393401, 74724541586529, 988608465654705, 870533906709633, 374564052429787, 486493568142979, 469485372072295, 221153171135022, 289713227465073, 952450431038075, 107298466441025, 938262809228861, 253919870663003, 835790485199226, 655456538877798, 595464842927075, 191621819564547]

In [None]:
# Adrien's program
from random import randint

a = 288260533169915
p = 1007621497415251

FLAG = b'crypto{????????????????????}'


def encrypt_flag(flag):
    ciphertext = []
    plaintext = ''.join([bin(i)[2:].zfill(8) for i in flag])

    for b in plaintext:
        e = randint(1, p)
        n = pow(a, e, p)
        if b == '1':
            ciphertext.append(n)
        else:
            n = -n % p
            ciphertext.append(n)
    return ciphertext


print(encrypt_flag(FLAG))

[222077460479196, 659960485003165, 622290682245105, 876060884441065, 507767691509324, 664555958578766, 10857499316777, 402070165079339, 699051463573810, 568682646975967, 205075572723125, 705038875367195, 441756130250159, 701562553739620, 833485496836599, 87874892589906, 336201764642921, 632926285250828, 342486655840696, 882619167477204, 898446483864851, 896690794868564, 357725597665349, 113486214158379, 602206483133824, 914768969421198, 265961599935001, 55459714546728, 11505230606273, 814039500436172, 394519297314141, 931854088767082, 609315581263715, 17476012156087, 94168547551513, 553254150140289, 275871533204662, 12533206283573, 147134372069739, 893950019843093, 633489038591600, 913652113409190, 395864513876690, 937329013414054, 289698405152646, 797780990175452, 911314331958224, 289329795785310, 642025875419634, 11126921493349, 3145309732152, 639891509194546, 600006185635236, 279634191791805, 514709144074848, 481470686810954, 716794859938573, 216505193809525, 936787818251111, 608246

In [None]:
len(FLAG)

28

In [None]:
len(encrypt_flag(FLAG)) # 8*28 = 224. That's the length of the plaintext written in bits.

224

In [None]:

# Is there anyway for me to tell the difference between n and -n % p when e is random integer between 1 and p and n = a^e mod p?
# a < p
a / p

0.28608017386425405

In [None]:
# This is DL problem, but maybe a has a relatively low order mod p?
for n in range(1, p):
  if pow(a, n, p) == 1:
    print(n)
    break
# Nope

In [None]:
# Is a a quadratic residue?
print(f'p mod 4 is {p % 4}.')

legendre_symbol(a, p) # So a is a quadratic residue.

p mod 4 is 3.


1

In [None]:
# If a is a QR then a^e is as well, but -a^e won't be. So we can distinguish signs by computing the legendre symbols of the outputs.
output_legendre = [legendre_symbol(x, p) for x in output]
output_legendre[:8] # the first byte

[-1, 1, 1, -1, -1, -1, 1, 1]

In [None]:
# The -1's correspond to 0's:
bit_string = ''.join(['0' if x == -1 else '1' for x in output_legendre])
print(bit_string[:8], len(bit_string) / 8)

01100011 28.0


In [None]:
# So we have 28 bytes as expected.
flag_bytes = []
for n in range(28):
  # Convert each substring of 8 bits to a byte:
  value = int(bit_string[8*n : 8*(n+1)], 2) # converts to int first
  byte_val = value.to_bytes(1, byteorder='big') # big means most significant byte comes first.
  flag_bytes.append(byte_val)

In [None]:
# Let's append those bytes together:
flag = b''

for byt in flag_bytes:
  flag += byt

In [None]:
flag

b'crypto{p4tterns_1n_re5idu3s}'

## Modular Binomials

Rearrange the following equations to get the primes $p,\, q$.

$ N = p\cdot q $

$ c_1 = (2\cdot p + 3\cdot q)^{e_1} \mod N $

$ c_2 = (5\cdot p + 7\cdot q)^{e_2} \mod N $

In [None]:
N = 14905562257842714057932724129575002825405393502650869767115942606408600343380327866258982402447992564988466588305174271674657844352454543958847568190372446723549627752274442789184236490768272313187410077124234699854724907039770193680822495470532218905083459730998003622926152590597710213127952141056029516116785229504645179830037937222022291571738973603920664929150436463632305664687903244972880062028301085749434688159905768052041207513149370212313943117665914802379158613359049957688563885391972151218676545972118494969247440489763431359679770422939441710783575668679693678435669541781490217731619224470152467768073
e1 = 12886657667389660800780796462970504910193928992888518978200029826975978624718627799215564700096007849924866627154987365059524315097631111242449314835868137
e2 = 12110586673991788415780355139635579057920926864887110308343229256046868242179445444897790171351302575188607117081580121488253540215781625598048021161675697
c1 = 14010729418703228234352465883041270611113735889838753433295478495763409056136734155612156934673988344882629541204985909650433819205298939877837314145082403528055884752079219150739849992921393509593620449489882380176216648401057401569934043087087362272303101549800941212057354903559653373299153430753882035233354304783275982332995766778499425529570008008029401325668301144188970480975565215953953985078281395545902102245755862663621187438677596628109967066418993851632543137353041712721919291521767262678140115188735994447949166616101182806820741928292882642234238450207472914232596747755261325098225968268926580993051
c2 = 14386997138637978860748278986945098648507142864584111124202580365103793165811666987664851210230009375267398957979494066880296418013345006977654742303441030008490816239306394492168516278328851513359596253775965916326353050138738183351643338294802012193721879700283088378587949921991198231956871429805847767716137817313612304833733918657887480468724409753522369325138502059408241232155633806496752350562284794715321835226991147547651155287812485862794935695241612676255374480132722940682140395725089329445356434489384831036205387293760789976615210310436732813848937666608611803196199865435145094486231635966885932646519

In [None]:
# It would be convenient if we could just "invert" by finding x so that e_1 * x = 1 mod phi(N), but phi(N) = (p-1)(q-1), so we can't know that!

The idea is to first reduce the equations to the form $(p+Aq)^m \equiv C_1\mod N$ and $(p+Bq)^m \equiv C_2\mod N$. Note that since $N = pq$, we have $(p+Aq)^m \equiv p^m + A^mq^m \equiv C_1$ etc. Then we can subtract to solve for $q$, etc.

In [None]:
m = e1*e2
# First have the exponents equal m.
C1, C2 = pow(c1, e2, N), pow(c2, e1, N)
# Now multiply C1 and C2 by the inverses of 2^m and 5^m mod N, respectively. Then C1 and C2 will be in the form described above.
C1 = pow(2, -m, N) * C1 % N
C2 = pow(5, -m, N) * C2 % N

C = (C1-C2) % N

# Not strictly needed, but here for reference.
A = pow(2, -m, N) * 3 % N
B = pow(5, -m, N) * 7 % N

Now we have $C_1 - C_2 \equiv (A^m - B^m)\cdot q^m\mod N$ which is of the form $C \equiv q^m \cdot D\mod N $. Since $N = pq$, what will $\textrm{gcd}(C, N)$ be? If $C \ !\equiv 0\mod N$ then $\textrm{gcd}(C, N) = q$.

In [None]:
q = gcd(C, N)
q

132760587806365301971479157072031448380135765794466787456948786731168095877956875295282661565488242190731593282663694728914945967253173047324353981530949360031535707374701705328450856944598803228299967009004598984671293494375599408764139743217465012770376728876547958852025425539298410751132782632817947101601

In [None]:
# And p = N // q
p = N // q
p

112274000169258486390262064441991200608556376127408952701514962644340921899196091557519382763356534106376906489445103255177593594898966250176773605432765983897105047795619470659157057093771407309168345670541418772427807148039207489900810013783673957984006269120652134007689272484517805398390277308001719431273

## Successive Powers

nums is a list of successive powers of an integer x modulo a 3-digit prime p. So if we let $a=x^r$ this means we have the modular equations

\begin{align}
  a \equiv 588\mod p \\
  ax \equiv 665\mod p \\
  ax^2 \equiv 216\mod p \\
  ax^3 \equiv 113\mod p \\
  \vdots \\
  ax^{12} \equiv 237\mod p
\end{align}

Notice that $ax^5\equiv 4\mod p$ and that $ax^6\equiv 836\mod p$. Since 836/4 = 209, we get that $x\equiv 209\mod p$. Furthermore that implies that $588\cdot 209 - 665=122227$ is a multiple of $p$. The only 3-digit prime dividing 122227 is 919.

In [None]:
nums = [588,665,216,113,642,4,836,114,851,492,819,237]

In [None]:
588*209-665

122227

## Broken RSA

Notice that e is a power of 2. Maybe we can just take successive square roots.

In [None]:
n = 27772857409875257529415990911214211975844307184430241451899407838750503024323367895540981606586709985980003435082116995888017731426634845808624796292507989171497629109450825818587383112280639037484593490692935998202437639626747133650990603333094513531505209954273004473567193235535061942991750932725808679249964667090723480397916715320876867803719301313440005075056481203859010490836599717523664197112053206745235908610484907715210436413015546671034478367679465233737115549451849810421017181842615880836253875862101545582922437858358265964489786463923280312860843031914516061327752183283528015684588796400861331354873
e = 16
ct = 11303174761894431146735697569489134747234975144162172162401674567273034831391936916397234068346115459134602443963604063679379285919302225719050193590179240191429612072131629779948379821039610415099784351073443218911356328815458050694493726951231241096695626477586428880220528001269746547018741237131741255022371957489462380305100634600499204435763201371188769446054925748151987175656677342779043435047048130599123081581036362712208692748034620245590448762406543804069935873123161582756799517226666835316588896306926659321054276507714414876684738121421124177324568084533020088172040422767194971217814466953837590498718

In [None]:
import math

In [None]:
math.log(n)

1419.4138913829297

In [None]:
math.log(ct)

1418.5149158299766

In [None]:
print(n % 4)
legendre_symbol(ct, n) # note that n is not prime though

1


1

In [None]:
# For each iteration of the tonelli shanks algorithm, we have to take two roots: +root and -root mod n.
roots = {'root2': 0, 'root4': 0, 'root8': 0, 'root16': 0}

In [None]:
def roots(num): # returns both square roots mod n
  primitive_root = tonelli_shanks(num, n)
  return [primitive_root, (-primitive_root % n)]

In [None]:
root2 = roots(ct)

root2

[25896648132584848997586711135603893785415337101949225244631343481210405780811332119759307874059727010777167812035912372196575481842224645733061195132115112220159107703674501271473559970753594546204150685962550523843522413970644096008465829310813222999461562111843184013149599517813014050923809256205123632691855348385395308350697366794668591307747085387335341734086863787410869181572477318095841062013941906480427573647366672297300893346591531516627997796199042635223117454430097540639866770047391459705942440796647902108687843667674773561359583115940919066324629237139967028333486037894618590781065861597201909020864,
 1876209277290408531829279775610318190428970082481016207268064357540097243512035775781673732526982975202835623046204623691442249584410200075563601160392876951338521405776324547113823141527044491280442804730385474358915225656103037642524774022281290532043647842429820460417593717722047892067941676520685046558109318705328172047219348526208276495972215926104663340969617416448141309

In [None]:
nested_list = list(map(roots, root2))
root4 = []
for sublist in nested_list:
  root4.extend(sublist)

root4

[133707155336421411889306987407657823691387782750625431175394153252389679328080550789263073137172912564340992728590367579804708323572982310728306699138641085703468154531798733428351933887786456051713245297094079388690616746062093049573187183364716359382354218025593597299832282017987715084510029925180603964551767250165996734205210361024457733153724288780129621535840550561094253066568716668078234729413851960531924024806179657367268083059650197486201419568082424106668229421873377157138969621534250468372797867838018492649279410989062081770301947482828608998471037916971693652955924340137443542520283778604352119898,
 276391502545388361175266839238065541521529194016796160207240136854981133449952873447517185334495370734156624423535266283082130231030618634978964895933693480857941609549190270851590311783928525814328802453958419188137470228806850406014174161497297971721228557362474108762673609535170742279072409028006280752854128998405574836637115049598524100705655770246598754535206406532979162377

In [None]:
# Repeat again for eighth roots.
nested_list = list(map(roots, root4))
root8 = []

for sublist in nested_list:
  root8.extend(sublist)

root8

[20058442271887390782341184553061693259218418956749367788824628331872951745693512666971057383133087145112672251544375693720903210309282292454435797503703963084282995922799267630989319592605415992771069804154505046471899368694387498398677671153177173001176232341893700315420538967289845800479312887797111470649358418178557722902634481957860132330775228811481649888112684228430126737629529135768061434048677678809834480772389209710436916268063442944861678775938178803409222396101086687028222333979529287399821437653336368165308841484432081379655209496176144360301915193174027514866451178023988032198572385093175849110662,
 7714415137987866747074806358152518716625888227680873663074779506877551278629855228569924223453622840867331183537741302167114521117352553354188998788804026087214633186651558187598063519675223044713523686538430951730538270932359635252312932179917340530328977612379304158146654268245216142512438044928697208600606248912165757495282233363016735472944072501958355186943796975428883753

In [None]:
# One more time to get the 16th roots.
nested_list = []

for num in root8:
  try:
    # Attempt to take the square root.
    nested_list.append(roots(num))
  except ValueError:
    print('Found a non-residue.')
    continue

root16 = []

for sublist in nested_list:
  root16.extend(sublist)

root16

Found a non-residue.
Found a non-residue.
Found a non-residue.
Found a non-residue.


[27772857409875257529415990911214211975844307184430241451899407838750503024323367895540981606586709985980003435082116995884478493648417679670782240786518871242668255973770988737167589482305554697589427755948133831217194514801188587815879226601454549604874476927252882744344317256396808255582550941978968312010016490081931048157003674361093215320945272838509986687284028991543505902180465028764465401474732603047959528463455521587693401684330259430026213913640315266928039931940062910914620141512756390510844994503754868094272416592656824961726496896913664170409316563677657113965998358809997237032168697425106457591932,
 3539237778217166137842555505989117928829373135679837081419793629975084339895165734744802166985243124825558545835111376731639963926630733027020121729222875979138253687409199990746840367239948177008792432240913040959783652482774028474930018387772452212315504588656134688759198795637320603697276380147029386127517034728685287241008264454039149966809075617511786899506397040329859490

In [None]:
# Now let's convert these to bytes and see if we can get the flag.
for num in root16:
  byte_length = (num.bit_length() + 7) // 8
  byte_data = num.to_bytes(byte_length, 'big')
  print(byte_data)

b'\xdc\x00\xdfe\xab\x84\x94\xc4{\x1a\'\xc0at\xf1~LL\x8d\xcc~J\x95\xa0i\xf0\xd1)\xf8\xa2\xd1 XS\x03\xd5\xcbDf\xe4!\xfa\x0b\x14\x0eH>i\x8b\xe3B\xcaT@\xcf$\xb6i\xb9N\xdeP\x19_\xbb\x93\x9c\xdc\x8e\xad\x8b97\xdea\x13\xc6+/\xa9@\\\xe8mI\x0b\xc6\xf4nz#\xe5\xcc\xce.W\x87\x14o\t\xf4\xb9z9\xc7-\xf7\xd1\x16\xa7\x11\x88}\xa1\x94$)\x9d\x94\xfb\x1c\xcbe\x7fo\xef+9\x9f4\xe0\xcc\xdfy\xba\x9c\xfac\x9a\xf0K\xa2\x16\xfd\x8a\xfbH%\x10\xae\xfb\x15\xf7\xebX:\xc9\xf1\xbeO\x8c\xe5\xad~7X\x17h\xc6\xd9\x1f.9\x10([8\x93y\xf4 \xe7\x8c\xb06\xc1\x0ex\xc8"i\xdc\xfcjJ\xcc\x9b(\xa2\x9f\x0f\x1c\x96\xa3\x16\x87Pw\x02\xab\xe6\xeaTm#\xda!\xc2\xc8Cw\xe2>\xa2U\x82j\xed\xf8U7\x8a!\x1cU\xab\x98\xad0\xd2\x9d\x92j\xa6\xbf\x89\xd0d\x97\xb0\x1ac\xf2x\x00|'
b"Hey, if you are reading this maybe I didn't mess up my code too much. Phew. I really should play more CryptoHack before rushing to code stuff from scratch again. Here's the flag: crypto{m0dul4r_squ4r3_r00t}"
b'$\xad\xf5\x99\x1e\x0c\x91\xd9\x13\x90F\xc4sx\x8f\xeaBk\xe9\x05h\x1

In [None]:
# LOL

## No Way Back Home

In [None]:
!pip install pycryptodome

Collecting pycryptodome
  Downloading pycryptodome-3.23.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.4 kB)
Downloading pycryptodome-3.23.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.3 MB)
[?25l   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m0.0/2.3 MB[0m [31m?[0m eta [36m-:--:--[0m[2K   [91m━━━━━[0m[90m╺[0m[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m0.3/2.3 MB[0m [31m8.1 MB/s[0m eta [36m0:00:01[0m[2K   [91m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m[90m╺[0m[90m━━━━━[0m [32m1.9/2.3 MB[0m [31m27.5 MB/s[0m eta [36m0:00:01[0m[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m2.3/2.3 MB[0m [31m23.2 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: pycryptodome
Successfully installed pycryptodome-3.23.0


In [None]:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from hashlib import sha256
from Crypto.Util.number import getPrime, GCD, bytes_to_long, long_to_bytes, inverse
from random import randint

FLAG = b'crypto{????????????????????????????????}'

p, q = getPrime(512), getPrime(512)
n = p * q

# Alice side
v = (p * randint(1, n)) % n
k_A = randint(1, n)
while GCD(k_A, n) != 1:
    k_A = randint(1, n)
vka = (v * k_A) % n

# Bob side
k_B = randint(1, n)
while GCD(k_B, n) != 1:
    k_B = randint(1, n)
vkakb = (vka * k_B) % n

# Alice side
vkb = (vkakb * inverse(k_A, n)) % n

# Bob side
v_s = (vkb * inverse(k_B, n)) % n

# Alice side
key = sha256(long_to_bytes(v)).digest()
cipher = AES.new(key, AES.MODE_ECB)
m = pad(FLAG, 16)
c = cipher.encrypt(m).hex()

out = ""
out += f"p, q = ({p}, {q}) \n"
out += f"vka = {vka} \n"
out += f"vkakb = {vkakb} \n"
out += f"vkb = {vkb} \n"
out += f"c = '{c}' \n"
with open("out.txt", "w") as f:
    f.write(out)


In [None]:
p, q = (10699940648196411028170713430726559470427113689721202803392638457920771439452897032229838317321639599506283870585924807089941510579727013041135771337631951, 11956676387836512151480744979869173960415735990945471431153245263360714040288733895951317727355037104240049869019766679351362643879028085294045007143623763)
vka = 124641741967121300068241280971408306625050636261192655845274494695382484894973990899018981438824398885984003880665335336872849819983045790478166909381968949910717906136475842568208640203811766079825364974168541198988879036997489130022151352858776555178444457677074095521488219905950926757695656018450299948207
vkakb = 114778245184091677576134046724609868204771151111446457870524843414356897479473739627212552495413311985409829523700919603502616667323311977056345059189257932050632105761365449853358722065048852091755612586569454771946427631498462394616623706064561443106503673008210435922340001958432623802886222040403262923652
vkb = 6568897840127713147382345832798645667110237168011335640630440006583923102503659273104899584827637961921428677335180620421654712000512310008036693022785945317428066257236409339677041133038317088022368203160674699948914222030034711433252914821805540365972835274052062305301998463475108156010447054013166491083
c = 'fef29e5ff72f28160027959474fc462e2a9e0b2d84b1508f7bd0e270bc98fac942e1402aa12db6e6a36fb380e7b53323'
