# SVATTT 2019 Quals Crypto Writeups

## 1. append2019

This challenge requires basic knowledge about the RSA cryptosystem. The server allows us to sign (in textbook mode) only one message that ends with 0x2019 in hex-form but not `target = 0x63617420666c61672019` ("cat flag\x20\x19"), and asks us for the signature of `target`. Since the length of the message is not checked, we can feed the server with `m = target + n*256**2` which ends with 0x2019 and equals `target` modulo `n`, to obtain the signature of `target`.

## 2. base2019

This challenge is the generalized version of RSA LSB oracle attack. Considering $\frac{m}{n}$ in base-2019 representation:

$$
0,d_{-1}d_{-2}d_{-3}d_{-4}...
$$

For which, each $d_i$ is in the range $[0, 2019)$ and $\frac{m}{n} = \sum_{i=-1,-2,...} d_i2019^i$. Based on the least-significant-base-2019-digit oracle given, we can solve for each digit $d_{-j}; j = 1, 2, ...$ by taking the following actions:

1.  Send to the server $2019^{je}c \; \text{mod} \; n; j = 1, 2, 3, ...$
2.  Receive $r_j = 2019^{j}m - k_jn \; \text{mod} \; 2019$. Observe that $2019^j \frac{m}{n} = d_{-1}d_{-2}d_{-3}...d_{-j},d_{-(j+1)},d_{-(j+2)}...$ and $\left \lfloor{2019^j \frac{m}{n}}\right \rfloor = k_j$, we conclude that $d_{-j} = k_j \; \text{mod} \; 2019$
3.  Obtain $d_{-j} = -r_jn^{-1} \; \text{mod} \; 2019$

When all neccessary $d_{-j}$'s are obtained, derive $m$ from $\frac{m}{n}$ and $n$, and finally send $m$ to the server to get flag.

## 3. sha2019

A hash function named _sha2019_ which takes as input a binary string and ouputs a vector in $F_2^{2019}$, is designed to work as follows:

-  Cut input binary string into 4-byte blocks $m_i$'s. These blocks are arranged into 8 channels.
-  Blocks of the same channel would have their sha256 value xor'ed together to produce $h_i$, which is a partial result of _sha2019_.

<center><img src='3-1.png'></center>

To solve this challenge, for each channel, we need to find a set of blocks $\{b_0, b_1, ... b_{255}\}$ such that:
-   $\{f(b_0), f(b_1), ... f(b_{255})\}$ forms a basis for $F_2^{256}$.
-   Let $h$ be the desired output for the channel and $v = (v_0, v_1, ..., v_{255}) \in F_2^{256}$ such that $\sum v_if(b_i) = h$, then $\sum v_i$ (the number of $v_i$'s that equal to 1, modulo 2) must be the same for every channel.

After that, for each channel, we:
-   Remove $b_i$'s which have corresponding $v_i$'s equal to 0.
-   Stack the remaining blocks in any order.
-   Add an even number of zero blocks to make the stack height be the same for every channel (note that stacking a same block twice won't affect the channel output).

<center><img src='3-2.png'></center>

The binary string reconstructed from those stacks is guaranteed to have the desired _sha2019_ output value.

#### PS
Hope you enjoy the challenges :)