# MODULAR MATH

### Quadratic residues

We say that integer x is quadratic residue if there exists a s.t. $a^2=x (\bmod p) $ , if there isn't such solution then x is quadratic non-residue

In [1]:
p = 29 
ints = [14,6,11]
for x in ints: 
    for a in range(1,p-1): 
        if(a**2%p== x): 
            print(a) 


8
21


### Legendre Symbol

Properties of quadratic residues 
1. let x,y be quadratic residues, xy = z , resulting in z being quadratic residue as well 
2. let x be a quadtratic residue and y quadratic non residue, z = xy , z is quadrtic non-residue
3. let x,y be quadratic non-residue, z = xy , z is quadratic residue 

just like positive and negative numbers 

- Legendre symbol: 

$ \biggl( \frac{a}{p} \biggr) \equiv a^{\frac{p-1}{2}} (\bmod p), \biggl( \frac{a}{p} \biggr) \in \{-1,0,1\} $<br>
$ \biggl( \frac{a}{p} \biggr) = 
\begin{cases} 
-1 \quad \text{if a is a quadratic non-residue mod p} \\
0 \quad \text{if} \quad a\equiv0 (\bmod p) \\ 
1 \quad \text{if a is a quadratic residue mod p and} \quad a \not\equiv 0 (\bmod p) \\ 
\end{cases}$

In [10]:
import gmpy2 

def lagrande(a,p): 
    return gmpy2.powmod(a,(p-1)//2,p) 

p = 101524035174539890485408575671085261788758965189060164484385690801466167356667036677932998889725476582421738788500738738503134356158197247473850273565349249573867251280253564698939768700489401960767007716413932851838937641880157263936985954881657889497583485535527613578457628399173971810541670838543309159139

ints = [25081841204695904475894082974192007718642931811040324543182130088804239047149283334700530600468528298920930150221871666297194395061462592781551275161695411167049544771049769000895119729307495913024360169904315078028798025169985966732789207320203861858234048872508633514498384390497048416012928086480326832803, 45471765180330439060504647480621449634904192839383897212809808339619841633826534856109999027962620381874878086991125854247108359699799913776917227058286090426484548349388138935504299609200377899052716663351188664096302672712078508601311725863678223874157861163196340391008634419348573975841578359355931590555, 17364140182001694956465593533200623738590196990236340894554145562517924989208719245429557645254953527658049246737589538280332010533027062477684237933221198639948938784244510469138826808187365678322547992099715229218615475923754896960363138890331502811292427146595752813297603265829581292183917027983351121325, 14388109104985808487337749876058284426747816961971581447380608277949200244660381570568531129775053684256071819837294436069133592772543582735985855506250660938574234958754211349215293281645205354069970790155237033436065434572020652955666855773232074749487007626050323967496732359278657193580493324467258802863, 4379499308310772821004090447650785095356643590411706358119239166662089428685562719233435615196994728767593223519226235062647670077854687031681041462632566890129595506430188602238753450337691441293042716909901692570971955078924699306873191983953501093343423248482960643055943413031768521782634679536276233318, 85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771, 50576597458517451578431293746926099486388286246142012476814190030935689430726042810458344828563913001012415702876199708216875020997112089693759638454900092580746638631062117961876611545851157613835724635005253792316142379239047654392970415343694657580353333217547079551304961116837545648785312490665576832987, 96868738830341112368094632337476840272563704408573054404213766500407517251810212494515862176356916912627172280446141202661640191237336568731069327906100896178776245311689857997012187599140875912026589672629935267844696976980890380730867520071059572350667913710344648377601017758188404474812654737363275994871, 4881261656846638800623549662943393234361061827128610120046315649707078244180313661063004390750821317096754282796876479695558644108492317407662131441224257537276274962372021273583478509416358764706098471849536036184924640593888902859441388472856822541452041181244337124767666161645827145408781917658423571721, 18237936726367556664171427575475596460727369368246286138804284742124256700367133250078608537129877968287885457417957868580553371999414227484737603688992620953200143688061024092623556471053006464123205133894607923801371986027458274343737860395496260538663183193877539815179246700525865152165600985105257601565]

residue = 0 
for x in ints: 
    if lagrande(x,p) == 1:
        residue = x 
    
residue


85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771

we know that

$ p \equiv 3 \bmod 4 $

$ p = 4k + 3 $

also we know from Lagrande that 

$ a^{\frac{(p-1)}{2}} \equiv 1 (\bmod p) \quad / a$

$ a^{\frac{p+1}{2}} \equiv a (\bmod p) $

$ a^{\frac{2(p+1)}{4}} \equiv a (\bmod p) $

$ \mp a^{\frac{(p+1)}{4}} \equiv \sqrt a (\bmod p) $

why can we do this? 
$\frac{p+1}{4} = \frac{4k+3+1}{4} = k+1$ which is an integer


In [9]:
def sqrt(a,p): 
    return -gmpy2.powmod(a,(p+1)//4,p)%p , gmpy2.powmod(a,(p+1)//4,p)

r1,r2 = sqrt(residue,p)
print(max(r1,r2))

30531851861994333252675935111487950694414332763909083514133769861350960895076504687261369815735742549428789138300843082086550059082835141454526618160634109969195486322015775943030060449557090064811940139431735209185996454739163555910726493597222646855506445602953689527405362207926990442391705014604777038685880527537489845359101552442292804398472642356609304810680731556542002301547846635101455995732584071355903010856718680732337369128498655255277003643669031694516851390505923416710601212618443109844041514942401969629158975457079026906304328749039997262960301209158175920051890620947063936347307238412281568760160


### Modular square roots

All primes, since they are odd, they obey, either: 
1. $ p \equiv 3 (\bmod 4)$, showed earlier
2. $ p \equiv 1 (\bmod 4)$

- for second case we use Tonelli-Shanks algorithm, doesn't work for composites, hard problem

In [1]:
def legendre(a, p):
    return pow(a, (p - 1) // 2, p)

def tonelli(n, p):
    assert legendre(n, p) == 1, "not a square (mod p)"
    q = p - 1
    s = 0
    while q % 2 == 0:
        q //= 2
        s += 1
    if s == 1:
        return pow(n, (p + 1) // 4, p)
    for z in range(2, p):
        if p - 1 == legendre(z, p):
            break
    c = pow(z, q, p)
    r = pow(n, (q + 1) // 2, p)
    t = pow(n, q, p)
    m = s
    t2 = 0
    while (t - 1) % p != 0:
        t2 = (t * t) % p
        for i in range(1, m):
            if (t2 - 1) % p == 0:
                break
            t2 = (t2 * t2) % p
        b = pow(c, 1 << (m - i - 1), p)
        r = (r * b) % p
        c = (b * b) % p
        t = (t * c) % p
        m = i
    return r


a = 8479994658316772151941616510097127087554541274812435112009425778595495359700244470400642403747058566807127814165396640215844192327900454116257979487432016769329970767046735091249898678088061634796559556704959846424131820416048436501387617211770124292793308079214153179977624440438616958575058361193975686620046439877308339989295604537867493683872778843921771307305602776398786978353866231661453376056771972069776398999013769588936194859344941268223184197231368887060609212875507518936172060702209557124430477137421847130682601666968691651447236917018634902407704797328509461854842432015009878011354022108661461024768
p = 30531851861994333252675935111487950694414332763909083514133769861350960895076504687261369815735742549428789138300843082086550059082835141454526618160634109969195486322015775943030060449557090064811940139431735209185996454739163555910726493597222646855506445602953689527405362207926990442391705014604777038685880527537489845359101552442292804398472642356609304810680731556542002301547846635101455995732584071355903010856718680732337369128498655255277003643669031694516851390505923416710601212618443109844041514942401969629158975457079026906304328749039997262960301209158175920051890620947063936347307238412281568760161

tonelli(a,p)

2362339307683048638327773298580489298932137505520500388338271052053734747862351779647314176817953359071871560041125289919247146074907151612762640868199621186559522068338032600991311882224016021222672243139362180461232646732465848840425458257930887856583379600967761738596782877851318489355679822813155123045705285112099448146426755110160002515592418850432103641815811071548456284263507805589445073657565381850521367969675699760755310784623577076440037747681760302434924932113640061738777601194622244192758024180853916244427254065441962557282572849162772740798989647948645207349737457445440405057156897508368531939120

### Chinese remainder theorem

Chinese remainder theorem, give us unique solution to a set of linear congurences if their moduli are coprime 
- Pairwise coprime integers, means that given integers set of integers $\{ n_1, n_2, ... , n_i\}$ every pair of integers taken from set is coprime, $gcd(n_i,n_j) = 1$
Given integers a set of arbitrary integers $a_i$  and pairwise coprime integers $n_i$ , such that linear congurence holds 

$x \equiv a_1 \bmod n_1$

$x \equiv a_2 \bmod n_2$

... 

$x \equiv a_n \bmod n_n$ 

there is a unique solution 

$x \equiv a \bmod N$ where $N = n_1 n_2 ... n_n$

In [11]:
for a in range(1,935): 
    x = a + 935
    if(x%5 == 2 and x%11 == 3 and x%17 == 5): 
        print(a) 
        

872


# BRAINTEASERS PART 1

### Succesive powers

$ x^n \equiv 588 \bmod p $

$ x^{(n+1)} \equiv 665 \bmod p $ 

<hr>

$x^n x \equiv 665 \bmod p$

$588 x \equiv 665 \bmod p$

$x \equiv 665 * 588^{-1}\bmod p$ 

Now for $ p \isin \{1, 999 \} $ try inverting each element and if same result we solved

We do this for each integer and put them in set, if we end up with one element we guessed the right p 

To optimize we check only for primes that are larger than our largest integer, only then will it satisfy all


In [50]:
import gmpy2 
from sympy import isprime 

integers = [588, 665, 216, 113, 642, 4, 836, 114, 851, 492, 819, 237]

primes = []
for i in range(max(integers),999):
        if(isprime(i)): 
            primes.append(i) 


for p in primes:
    s = []
    try: 
        for i in range(1,len(integers)):
            s.append((integers[i]*gmpy2.invert(integers[i-1],p))%p)

        s = set(s)
        if len(s) == 1:
        
            print(p,s)
    except: 
        pass 
        


919 {mpz(209)}


### Adrien's Signs

In [None]:
from random import randint

a = 288260533169915
p = 1007621497415251

FLAG = b'crypto{????????????????????}'


def encrypt_flag(flag):
    ciphertext = []
    plaintext = ''.join([bin(i)[2:].zfill(8) for i in flag])
    for b in plaintext:
        e = randint(1, p)
        n = pow(a, e, p)
        if b == '1':
            ciphertext.append(n)
        else:
            n = -n % p
            ciphertext.append(n)
    return ciphertext

Idea: square the ciphertexts and try taking the square root to find out the bits of original message
- To square we could use the easy method, when $ p \equiv 3 \bmod 4 $

In [12]:
p%4

3

In [13]:
ciphertexts = [67594220461269, 501237540280788, 718316769824518, 296304224247167, 48290626940198, 30829701196032, 521453693392074, 840985324383794, 770420008897119, 745131486581197, 729163531979577, 334563813238599, 289746215495432, 538664937794468, 894085795317163, 983410189487558, 863330928724430, 996272871140947, 352175210511707, 306237700811584, 631393408838583, 589243747914057, 538776819034934, 365364592128161, 454970171810424, 986711310037393, 657756453404881, 388329936724352, 90991447679370, 714742162831112, 62293519842555, 653941126489711, 448552658212336, 970169071154259, 339472870407614, 406225588145372, 205721593331090, 926225022409823, 904451547059845, 789074084078342, 886420071481685, 796827329208633, 433047156347276, 21271315846750, 719248860593631, 534059295222748, 879864647580512, 918055794962142, 635545050939893, 319549343320339, 93008646178282, 926080110625306, 385476640825005, 483740420173050, 866208659796189, 883359067574584, 913405110264883, 898864873510337, 208598541987988, 23412800024088, 911541450703474, 57446699305445, 513296484586451, 180356843554043, 756391301483653, 823695939808936, 452898981558365, 383286682802447, 381394258915860, 385482809649632, 357950424436020, 212891024562585, 906036654538589, 706766032862393, 500658491083279, 134746243085697, 240386541491998, 850341345692155, 826490944132718, 329513332018620, 41046816597282, 396581286424992, 488863267297267, 92023040998362, 529684488438507, 925328511390026, 524897846090435, 413156582909097, 840524616502482, 325719016994120, 402494835113608, 145033960690364, 43932113323388, 683561775499473, 434510534220939, 92584300328516, 763767269974656, 289837041593468, 11468527450938, 628247946152943, 8844724571683, 813851806959975, 72001988637120, 875394575395153, 70667866716476, 75304931994100, 226809172374264, 767059176444181, 45462007920789, 472607315695803, 325973946551448, 64200767729194, 534886246409921, 950408390792175, 492288777130394, 226746605380806, 944479111810431, 776057001143579, 658971626589122, 231918349590349, 699710172246548, 122457405264610, 643115611310737, 999072890586878, 203230862786955, 348112034218733, 240143417330886, 927148962961842, 661569511006072, 190334725550806, 763365444730995, 516228913786395, 846501182194443, 741210200995504, 511935604454925, 687689993302203, 631038090127480, 961606522916414, 138550017953034, 932105540686829, 215285284639233, 772628158955819, 496858298527292, 730971468815108, 896733219370353, 967083685727881, 607660822695530, 650953466617730, 133773994258132, 623283311953090, 436380836970128, 237114930094468, 115451711811481, 674593269112948, 140400921371770, 659335660634071, 536749311958781, 854645598266824, 303305169095255, 91430489108219, 573739385205188, 400604977158702, 728593782212529, 807432219147040, 893541884126828, 183964371201281, 422680633277230, 218817645778789, 313025293025224, 657253930848472, 747562211812373, 83456701182914, 470417289614736, 641146659305859, 468130225316006, 46960547227850, 875638267674897, 662661765336441, 186533085001285, 743250648436106, 451414956181714, 527954145201673, 922589993405001, 242119479617901, 865476357142231, 988987578447349, 430198555146088, 477890180119931, 844464003254807, 503374203275928, 775374254241792, 346653210679737, 789242808338116, 48503976498612, 604300186163323, 475930096252359, 860836853339514, 994513691290102, 591343659366796, 944852018048514, 82396968629164, 152776642436549, 916070996204621, 305574094667054, 981194179562189, 126174175810273, 55636640522694, 44670495393401, 74724541586529, 988608465654705, 870533906709633, 374564052429787, 486493568142979, 469485372072295, 221153171135022, 289713227465073, 952450431038075, 107298466441025, 938262809228861, 253919870663003, 835790485199226, 655456538877798, 595464842927075, 191621819564547]

a = 288260533169915
p = 1007621497415251

plaintext = [] 

for c in ciphertexts: 
    s = c*c%p 
    r1,r2 = sqrt(s,p) 
    
    if r1 == c: 
        plaintext.append(0) 
    else: 
        plaintext.append(1) 
        
binary = ''.join(str(p) for p in plaintext)
byte_array = bytearray([int(binary[i:i+8],2) for i in range(0,len(binary),8)]) 
print(bytes(byte_array))

b'crypto{p4tterns_1n_re5idu3s}'


### Modular Binomials

In [15]:
N = 14905562257842714057932724129575002825405393502650869767115942606408600343380327866258982402447992564988466588305174271674657844352454543958847568190372446723549627752274442789184236490768272313187410077124234699854724907039770193680822495470532218905083459730998003622926152590597710213127952141056029516116785229504645179830037937222022291571738973603920664929150436463632305664687903244972880062028301085749434688159905768052041207513149370212313943117665914802379158613359049957688563885391972151218676545972118494969247440489763431359679770422939441710783575668679693678435669541781490217731619224470152467768073
e1 = 12886657667389660800780796462970504910193928992888518978200029826975978624718627799215564700096007849924866627154987365059524315097631111242449314835868137
e2 = 12110586673991788415780355139635579057920926864887110308343229256046868242179445444897790171351302575188607117081580121488253540215781625598048021161675697
c1 = 14010729418703228234352465883041270611113735889838753433295478495763409056136734155612156934673988344882629541204985909650433819205298939877837314145082403528055884752079219150739849992921393509593620449489882380176216648401057401569934043087087362272303101549800941212057354903559653373299153430753882035233354304783275982332995766778499425529570008008029401325668301144188970480975565215953953985078281395545902102245755862663621187438677596628109967066418993851632543137353041712721919291521767262678140115188735994447949166616101182806820741928292882642234238450207472914232596747755261325098225968268926580993051
c2 = 14386997138637978860748278986945098648507142864584111124202580365103793165811666987664851210230009375267398957979494066880296418013345006977654742303441030008490816239306394492168516278328851513359596253775965916326353050138738183351643338294802012193721879700283088378587949921991198231956871429805847767716137817313612304833733918657887480468724409753522369325138502059408241232155633806496752350562284794715321835226991147547651155287812485862794935695241612676255374480132722940682140395725089329445356434489384831036205387293760789976615210310436732813848937666608611803196199865435145094486231635966885932646519

From Fermat's little theorem: 

$ a^{p-1} \equiv 1 \bmod p =>  a^p \equiv a \bmod p $

$ (a+b)^p \equiv a+b \bmod p$

$ => (a+b)^p \equiv a^p + b^p \bmod p$

<hr>

... to our problem

$ c_1 = (2p + 3q)^{e_1} \bmod N $

$ c_2 = (5p + 7q)^{e_2} \bmod N $ 

<hr>

$ c_1 = (2p)^{e_1} + (3q)^{e_1} \bmod N$

$ c_2 = (5p)^{e_2} + (7q)^{e_2} \bmod N$

<hr> 

$ c_1^{e_2} = ((2p)^{e_1} + (3q)^{e_1})^{e_2} \bmod N $

$ c_2^{e_1} = ((5p)^{e_2} + (7q)^{e_2})^{e_1} \bmod N $

<hr> 

$ c_1^{e_2} = ((2p)^{e_1e_2} + (3q)^{e_1e_2}) \bmod N $

$ c_2^{e_1} = ((5p)^{e_2e_1} + (7q)^{e_2e_1}) \bmod N $

<hr> 
we derive that 

$q^{e_1e_2} = 5^{e_1e_2}c_1^{e_2} - 2^{e_1e_2}c_2^{e_1}$

now to get q, we plug in quantity above, in gcd(.,N), since N=pq we will in result get gcd that is q


In [17]:
def gcd(a,b):
    if b == 0: 
        return a
    return gcd(b,a%b)


a = gmpy2.powmod(5,e1*e2,N) 
b = gmpy2.powmod(2,e1*e2,N) 
c = gmpy2.powmod(3,e1*e2,N)
c1_e2 = gmpy2.powmod(c1,e2,N)



q_e1_e2 = a*c1_e2 - b*gmpy2.powmod(c2,e1,N) 
q = gcd(q_e1_e2,N)

p_e1 = (c1 - gmpy2.powmod(3*q,e1,N))*gmpy2.invert(gmpy2.powmod(2,e1,N),N)
p = gcd(p_e1,N) 


print(f'crypto{{{p},{q}}}')

crypto{112274000169258486390262064441991200608556376127408952701514962644340921899196091557519382763356534106376906489445103255177593594898966250176773605432765983897105047795619470659157057093771407309168345670541418772427807148039207489900810013783673957984006269120652134007689272484517805398390277308001719431273,132760587806365301971479157072031448380135765794466787456948786731168095877956875295282661565488242190731593282663694728914945967253173047324353981530949360031535707374701705328450856944598803228299967009004598984671293494375599408764139743217465012770376728876547958852025425539298410751132782632817947101601}


### Broken RSA

$ c = m^{16} \bmod N$

$ t_0 = \sqrt{c} = m^8 \bmod N $

$ t_1 = \sqrt{t_0} = m^4 \bmod N $

$ t_2 = \sqrt{t_1} = m^2 \bmod N $

$ \sqrt{t_2} = m \bmod N $

we can do this because N is prime

In [44]:
from Cryptodome.Util.number import long_to_bytes
from sympy import isprime

n = 27772857409875257529415990911214211975844307184430241451899407838750503024323367895540981606586709985980003435082116995888017731426634845808624796292507989171497629109450825818587383112280639037484593490692935998202437639626747133650990603333094513531505209954273004473567193235535061942991750932725808679249964667090723480397916715320876867803719301313440005075056481203859010490836599717523664197112053206745235908610484907715210436413015546671034478367679465233737115549451849810421017181842615880836253875862101545582922437858358265964489786463923280312860843031914516061327752183283528015684588796400861331354873
e = 16
ct = 11303174761894431146735697569489134747234975144162172162401674567273034831391936916397234068346115459134602443963604063679379285919302225719050193590179240191429612072131629779948379821039610415099784351073443218911356328815458050694493726951231241096695626477586428880220528001269746547018741237131741255022371957489462380305100634600499204435763201371188769446054925748151987175656677342779043435047048130599123081581036362712208692748034620245590448762406543804069935873123161582756799517226666835316588896306926659321054276507714414876684738121421124177324568084533020088172040422767194971217814466953837590498718

print(n%4) # results in 1 so we have to use Tonelli shanks 
print(isprime(n))   

1
True


In [45]:
for i in range(4): 
    
    ct = tonelli(ct,n)

if b'crypto' not in long_to_bytes(ct):
    ct = - ct %n 

long_to_bytes(ct)


b"Hey, if you are reading this maybe I didn't mess up my code too much. Phew. I really should play more CryptoHack before rushing to code stuff from scratch again. Here's the flag: crypto{m0dul4r_squ4r3_r00t}"

### No Way Back Home

So by following the code provided 

$r_i$ - indicates a random number 

$v \equiv p * r_1 \bmod N $

$k_A = r_2 $

$v_{k_A} \equiv p*r_1*r_2 \bmod N$

$k_B = r_3 $

$v_{k_Ak_B} \equiv p*r_1*r_2*r_3 \bmod N $

$v_{k_B} \equiv p*r_1*r_3 \bmod N$ 

$v_s \equiv p*r_1 \bmod N $

Our goal: 

$v = ?$ 

Given: $v_{k_A},v_{k_B},v_{k_Ak_B}, p,q, n=pq$

<hr> 

We could try inverting $v_{k_B}$ and then multypling it with $v_{k_Ak_B}$ to get r_2 which we could use to invert and compute $p*r1$ from $v_{k_A}$

But good news is that we can divide p from both sides of $v_{k_B},v_{k_Ak_B}$ then invert modulo N, because we know that r1 and r3, are invertible so r1*r3 must be invertible as well

In [85]:
import gmpy2 
from hashlib import sha256
from Cryptodome.Util.Padding import unpad
from Cryptodome.Cipher import AES
from Cryptodome.Util.number import long_to_bytes

p, q = (10699940648196411028170713430726559470427113689721202803392638457920771439452897032229838317321639599506283870585924807089941510579727013041135771337631951, 11956676387836512151480744979869173960415735990945471431153245263360714040288733895951317727355037104240049869019766679351362643879028085294045007143623763) 
vka = 124641741967121300068241280971408306625050636261192655845274494695382484894973990899018981438824398885984003880665335336872849819983045790478166909381968949910717906136475842568208640203811766079825364974168541198988879036997489130022151352858776555178444457677074095521488219905950926757695656018450299948207 
vkakb = 114778245184091677576134046724609868204771151111446457870524843414356897479473739627212552495413311985409829523700919603502616667323311977056345059189257932050632105761365449853358722065048852091755612586569454771946427631498462394616623706064561443106503673008210435922340001958432623802886222040403262923652 
vkb = 6568897840127713147382345832798645667110237168011335640630440006583923102503659273104899584827637961921428677335180620421654712000512310008036693022785945317428066257236409339677041133038317088022368203160674699948914222030034711433252914821805540365972835274052062305301998463475108156010447054013166491083 
c = 'fef29e5ff72f28160027959474fc462e2a9e0b2d84b1508f7bd0e270bc98fac942e1402aa12db6e6a36fb380e7b53323' 

n = p*q 

vkakb//=p 
vkb//=p 

r2 = vkakb * gmpy2.invert(vkb,n) 
v = vka*gmpy2.invert(r2,n) %n 

k = sha256(long_to_bytes(v)).digest()
cipher = AES.new(k,AES.MODE_ECB)
m = cipher.decrypt(bytes.fromhex(c))

print(unpad(m,16))

b'crypto{1nv3rt1bl3_k3y_3xch4ng3_pr0t0c0l}'


# BRAINTEASERS PART 2

### Ellipse Curve Cryptography

https://web.archive.org/web/20210506165729/https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.66.8688&rep=rep1&type=pdf

In [9]:
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from hashlib import sha1
from collections import namedtuple
Point = namedtuple("Point", "x y")


def point_addition(P, Q):
    Rx = (P.x*Q.x + D*P.y*Q.y) % p
    Ry = (P.x*Q.y + P.y*Q.x) % p
    return Point(Rx, Ry)

def scalar_multiplication(P, n):
    Q = Point(1, 0)
    while n > 0:
        if n % 2 == 1:
            Q = point_addition(Q, P)
        P = point_addition(P, P)
        n = n//2
    return Q

def gen_shared_secret(P, d):
    return scalar_multiplication(P, d).x

a = 23 
p = 173754216895752892448109692432341061254596347285717132408796456167143559
D = 529
G = Point(29394812077144852405795385333766317269085018265469771684226884125940148, 
          94108086667844986046802106544375316173742538919949485639896613738390948)

A = Point(x=155781055760279718382374741001148850818103179141959728567110540865590463, y=73794785561346677848810778233901832813072697504335306937799336126503714)
B = Point(x=171226959585314864221294077932510094779925634276949970785138593200069419, y=54353971839516652938533335476115503436865545966356461292708042305317630)

phi_A = A.x - a*A.y 
phi_G = G.x - a*G.y 
n = discrete_log(GF(p)(phi_A),GF(p)(phi_G))

ss = gen_shared_secret(B,n) 

encrypted_flag =  {'iv': '64bc75c8b38017e1397c46f85d4e332b', 'encrypted_flag': '13e4d200708b786d8f7c3bd2dc5de0201f0d7879192e6603d7c5d6b963e1df2943e3ff75f7fda9c30a92171bbbc5acbf'}
iv = bytes.fromhex(encrypted_flag['iv'])
flag = bytes.fromhex(encrypted_flag['encrypted_flag'])

key = sha1(str(ss).encode('ascii')).digest()[:16]
cipher = AES.new(key, AES.MODE_CBC, iv)
print(unpad(cipher.decrypt(flag),16).decode())

crypto{c0n1c_s3ct10n5_4r3_f1n1t3_gr0up5}


### Roll your Own

Pallier cryptosystem
https://en.wikipedia.org/wiki/Paillier_cryptosystem

From the Wiki: 

$(1+n)^x = \sum^{x}_{k=0} \binom{x}{k} n^k = 1 + nx + \binom{x}{2} n^2 + \text{higher powers of} \space n$

$(1+n)^x \equiv 1 + nx  (\bmod n^2)$ 

Therefore if: 

$y = (1+n)^x \bmod n^2$ 

then 

$x \equiv \frac{y-1}{n} \bmod n$

In [68]:
from pwn import * 
import json 

context.log_level = 'ERROR'

ch = remote('socket.cryptohack.org', 13403) 

q = int(ch.recvline().decode().strip().split(': ')[1][1: -1],16)

g = q+1 
n = q^2 

ch.recv()

forgery = {'g': hex(g), 'n': hex(n)}
ch.sendline(json.dumps(forgery).encode())

y = int(ch.recvline().decode().strip().split(': ')[1][1: -1],16)

x = (y-1)//q 

forgery = {'x': hex(x)}
ch.sendline(json.dumps(forgery).encode()) 


print(ch.recvline().decode().strip().split("\"flag\": ")[1][1: -2])

crypto{Grabbing_Flags_with_Pascal_Paillier}


### Unencryptable

https://www.researchgate.net/publication/220153281_Fixed_points_of_the_RSA_encryption_algorithm



In [10]:
from Crypto.Util.number import long_to_bytes

N = 0x7fe8cafec59886e9318830f33747cafd200588406e7c42741859e15994ab62410438991ab5d9fc94f386219e3c27d6ffc73754f791e7b2c565611f8fe5054dd132b8c4f3eadcf1180cd8f2a3cc756b06996f2d5b67c390adcba9d444697b13d12b2badfc3c7d5459df16a047ca25f4d18570cd6fa727aed46394576cfdb56b41
e = 0x10001
c = 0x5233da71cc1dc1c5f21039f51eb51c80657e1af217d563aa25a8104a4e84a42379040ecdfdd5afa191156ccb40b6f188f4ad96c58922428c4c0bc17fd5384456853e139afde40c3f95988879629297f48d0efa6b335716a4c24bfee36f714d34a4e810a9689e93a0af8502528844ae578100b0188a2790518c695c095c9d677b


factors = [x, x-1] + [(x^(2^i)+1) for i in range(16)]
DATA  = 0x372f0e88f6f7189da7c06ed49e87e0664b988ecbee583586dfd1c6af99bf20345ae7442012c6807b3493d8936f5b48e553f614754deb3da6230fa1e16a8d5953a94c886699fc2bf409556264d5dced76a1780a90fd22f3701fdbcb183ddab4046affdc4dc6379090f79f4cd50673b24d0b08458cdbe509d60a4ad88a7b4e2921

for f in factors: 
    evaluation = f.subs(x=DATA) 
    p = gcd(evaluation, N) 
    if p!=1: 
        q = Integer(N)//Integer(p)
        phi = (p-1)*(q-1) 
        d = pow(e,-1,phi)
        print(long_to_bytes(pow(c,d,N)).decode())  
        break 

crypto{R3m3mb3r!_F1x3d_P0iNts_aR3_s3crE7s_t00}


### Cofactor Cofantasy

### Real Eisenstein

The reduction is the keyword in challenge description, the "Reduce", we will use Lattice Reduction algorithm LLL. 

So basically there exists a linear combination of given primes that is close to ciphertext in the challenge code, this is the SVP that we can solve with LLL. 

We built a matrix with 1 on the diagonals and last column being $\lfloor (2^4)^{64} \sqrt{p_i} \rfloor$ and $c$ is the last element

In [36]:
ciphertext = 1350995397927355657956786955603012410260017344805998076702828160316695004588429433
primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103]
primes = [round(sqrt(p)*2^256) for p in primes]


M = identity_matrix(ZZ, len(primes))

M = M.augment(Matrix(ZZ, len(primes), 1, primes))

M = M.stack(Matrix(ZZ, 1, len(primes)+1, [0]*(len(primes)+1)))

M[-1,-1] = ciphertext
M = M.LLL()

''.join([chr(-1*(m<0)*m) for m in M[0]])

'crypto{r34l_t0_23D_m4p}\x00\x00\x00\x00\x00'

# PRIMES

### Prime and Prejudice

https://eprint.iacr.org/2018/749

In [1]:
def generate_basis(n):
    basis = [True] * n
    for i in range(3, int(n**0.5)+1, 2):
        if basis[i]:
            basis[i*i::2*i] = [False]*((n-i*i-1)//(2*i)+1)
    return [2] + [i for i in range(3, n, 2) if basis[i]]

basis = generate_basis(64)
print(basis)

[2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61]
