# **Homework Assignment: Classical Cryptography**

Integrantes:
- Roberth Lara.
- Fabian de la Cruz.

## **Part I: Research Component**

*Asumiendo el alfabeto inglés (A–Z, 26 letras).*

### 1. Caesar Cipher
- **History:** The Caesar Cipher is one of the earliest known ciphers. Julius Caesar (100–44 BCE), the Roman general and statesman, used it to protect military messages by shifting each letter three positions forward in the alphabet. It represents the first documented use of substitution in cryptography. Variants of the Caesar Cipher were still seen centuries later in basic military communication, but it was largely abandoned as literacy and cryptanalysis advanced.   
- **Method:** Shift every letter by a fixed amount $k \bmod 26$.  
- **Encrypt:** $C = P + k \pmod{26}$  
- **Decrypt:** $P = C - k \pmod{26}$  
- **Key space:** 25 possible non-trivial keys.  
- **Vulnerabilities:** Easy brute-force search. Subject to frequency analysis.  
- **Current Usage:** Educational.

---

### 2. Affine Cipher
- **History:** The Affine Cipher emerged much later as an algebraic generalization of Caesar. It reflects the rise of modular arithmetic in 18th–19th century mathematics. By using both multiplication and addition in the encryption function, it was designed to appear more secure than a simple shift. Despite this, once modular arithmetic and frequency analysis were understood, the cipher’s weakness became clear. It was used mainly in recreational or educational contexts, not in state or military communication.   
- **Method:** Uses linear function with parameters $a$ and $b$ where $\gcd(a,26)=1$.  
- **Encrypt:** $C = aP + b \pmod{26}$  
- **Decrypt:** $P = a^{-1}(C-b) \pmod{26}$  
- **Key space:** 312 possible $(a,b)$ pairs.  
- **Vulnerabilities:** Two plaintext-ciphertext pairs reveal key. Subject to frequency analysis.  
- **Current Usage:** Educational.

---

### 3. Monoalphabetic Substitution
- **History:** Monoalphabetic substitution ciphers were the dominant cryptographic tool from the Middle Ages through the Renaissance. European diplomats and monarchs relied heavily on these ciphers to protect correspondence. The technique was seriously challenged after the Arab mathematician al-Kindī described frequency analysis in the 9th century, marking the birth of modern cryptanalysis. Despite this, simple substitution remained in use for centuries because many adversaries lacked the literacy or expertise to apply cryptanalysis.  
- **Method:** Any fixed permutation of the alphabet.  
- **Key space:** $26!$ (about $4 \times 10^{26}$).  
- **Vulnerabilities:** Frequency analysis and pattern recognition.  
- **Current Usage:** Educational, puzzles.

---

### 4. Polyalphabetic Substitution (Vigenère Cipher)
- **History:** First described in 1553 by Giovan Battista Bellaso and later popularized by Blaise de Vigenère in 1586, this polyalphabetic substitution cipher gained a reputation as “le chiffre indéchiffrable” (the indecipherable cipher). It resisted frequency analysis because multiple alphabets were used, masking single-letter statistics. For over 300 years, it was believed unbreakable until Charles Babbage and Friedrich Kasiski independently developed methods in the mid-1800s to determine key length and reduce the cipher to a set of Caesar ciphers. It was still used in the 19th century for private and military correspondence.  
- **Method:** Use a repeating keyword, each letter of the keyword indicates a Caesar shift.  
- **Key space:** $26^L$ for a key of length $L$.  
- **Vulnerabilities:** Kasiski examination and Friedman test can reveal key length; then frequency analysis breaks each Caesar stream.  
- **Usage:** 16th–19th century correspondence.

---

<!-- ## Transposition Ciphers -->

### 5. Columnar Transposition
- **History:** Transposition ciphers gained prominence in the late 19th and early 20th centuries, with columnar transposition becoming a standard field cipher. It was widely employed during World War I and II, sometimes in multiple layers to increase security. For instance, German and British forces both relied on transposition techniques before the development of rotor machines. Though stronger than simple substitution, single transpositions still yielded to frequency and pattern analysis.  
- **Method:** Write plaintext into a grid row-wise, permute columns according to a key, then read off column by column.  
- **Key space:** $n!$ where $n$ is the number of columns.  
- **Vulnerabilities:** Reconstructable via anagramming and statistical methods.  
- **Current Usage:** Educational, puzzles.

---

### 6. Rail Fence Cipher
- **History:** A transposition cipher dating back to at least the 18th–19th century. Its zig-zag writing method made it easy to perform without tables or machines, which gave it appeal for military use in the American Civil War. Despite its simplicity, it demonstrates the principle of transposition and diffusion of plaintext letters. Over time, it became more of a teaching example than a serious security measure.  
- **Method:** Write text diagonally across $r$ rails, then read row by row.  
- **Key space:** About $N-2$ keys for a message of length $N$.  
- **Vulnerabilities:** Brute force small number of rails; patterns are visible.  
- **Current Usage:** Educational, puzzles.

---

<!-- ## Advanced Classical Systems -->

### 7. Hill Cipher
- **History:** Introduced in 1929 by American mathematician Lester S. Hill, this was the first cipher to apply linear algebra to encryption. It was a step toward modern block ciphers, encrypting groups of letters as vectors multiplied by a key matrix. While mathematically innovative, its vulnerability to known-plaintext attacks limited its adoption. It never saw widespread military use, but it remains historically significant as a conceptual bridge between classical and modern cryptography.  
- **Method:** Block cipher using invertible matrix multiplication modulo 26.  
- **Encrypt:** $C = K \times P \pmod{26}$  
- **Decrypt:** $P = K^{-1} \times C \pmod{26}$  
- **Key space:** Number of invertible $n \times n$ matrices mod 26. For $n=2$, 157,248 keys; for $n=3$, about $1.6 \times 10^{12}$ keys.  
- **Vulnerabilities:** Known-plaintext attack can solve for key matrix; chosen-plaintext attacks trivial.  
- **Usage:** Educational.

---

### 8. One-Time Pad
- **History:** Patented by Gilbert Vernam in 1919 as a telegraph cipher using a repeating key. Joseph Mauborgne, a U.S. Army officer, realized that using a key only once would yield perfect secrecy, creating the one-time pad. During World War II and the Cold War, OTPs were used in espionage and diplomatic communications. The Soviet Union famously employed OTPs, but their repeated use of key material allowed U.S. and British cryptanalysts to break into their traffic in the VENONA project (1940s–1980s). Despite its impracticality for large-scale communication, it remains the only cipher with mathematically proven perfect secrecy.  
- **Method:** Key is truly random, as long as the message. Combine with plaintext by modular addition or XOR.  
- **Key space:** $26^N$ for $N$ letters, $2^N$ for $N$ bits.  
- **Security:** Provides perfect secrecy if the key is random, used once, and secret.  
- **Vulnerabilities:** Key reuse leads to devastating attacks; generating and sharing large keys is impractical.  
- **Usage:** Used historically in high-security communication; still used in rare niche applications.
MARKDOWN
echo "✅ Archivo 'part1_research.md' generado correctamente."
---

### Referencias

- Wikipedia contributors. (2023, August 27). Caesar cipher. In Wikipedia https://en.wikipedia.org/wiki/Caesar_cipher
- Wikipedia contributors. (2023, June 10). Affine cipher. In Wikipedia https://en.wikipedia.org/wiki/Affine_cipher
- Wikipedia contributors. (2023, August 28). Substitution cipher. In Wikipedia https://en.wikipedia.org/wiki/Substitution_cipher
- Wikipedia contributors. (2023, September 1). Vigenère cipher. In Wikipedia https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
- Wikipedia contributors. (2023, August 22). Transposition cipher. In Wikipedia https://en.wikipedia.org/wiki/Transposition_cipher
- Wikipedia contributors. (2023, August 13). Rail fence cipher. In Wikipedia https://en.wikipedia.org/wiki/Rail_fence_cipher
- Wikipedia contributors. (2023, August 30). Hill cipher. In Wikipedia https://en.wikipedia.org/wiki/Hill_cipher
- Wikipedia contributors. (2023, August 25). One-time pad. In Wikipedia https://en.wikipedia.org/wiki/One-time_pad


---


> **Nota.** En todas las ecuaciones, $P,C,K$ representan letras como enteros en $[0,25]$ o bits $\{0,1\}$; operaciones módulo 26 (letras) o XOR (bits).

## **Part II: Practical Exercises**

### **Exercise 1: Caesar Cipher Analysis**

**Given ciphertext:**
Al osk lzw twkl gx laewk, al osk lzw ogjkl gx laewk, al osk lzw syw gx oakvge,
al osk lzw syw gx xggdakzfwkk, al osk lzw whguz gx twdawx, al osk lzw whguz gx
afujwvmdalq, al osk lzw kwskgf gx Dayzl, al osk lzw kwskgf gx Vsjcfwkk, al osk
lzw khjafy gx zghw, al osk lzw oaflwj gx vwkhsaj, ow zsv wnwjqlzafy twxgjw mk,
ow zsv fglzafy twxgjw mk, ow owjw sdd ygafy vajwul lg Zwsnwf, ow owjw sdd ygafy
vajwul lzw glzwj osq…


**Tasks:**

#### a) Decrypt the message using frequency analysis (show your work)

Count frequencies in the ciphertext:  
w:47, l:34, k:28, a:27, g:26, s:22, z:22, o:20, x:14, j:14, (others lower)

In English, ‘E/e’ is the most common letter. The most frequent ciphertext letter is ‘w’, so assume w = e  
Compute the shift k using $C = P + k \bmod 26$  
$e=4$, $w=22$, so $k = 22 − 4 = 18$

Quick check with $k=18$

“al” → i(8) t(19) = “it”

“lzw” → t(19) h(7) e(4) = “the”

“osq” → w(22) a(0) y(24) = “way”

This confirms the shift

**Decryption (with $k=18$):**  
It was the best of times, it was the worst of times, it was the age of wisdom,  
it was the age of foolishness, it was the epoch of belief, it was the epoch of  
incredulity, it was the season of Light, it was the season of Darkness, it was  
the spring of hope, it was the winter of despair, we had everything before us,  
we had nothing before us, we were all going direct to Heaven, we were all going  
direct the other way...

#### b) What is the key used?

Encryption key $k = 18$

---


### **Exercise 2: Affine Cipher Implementation**

The Affine cipher uses the formula: $E(x) = (ax + b) \bmod 26$

**Given:** Plaintext = "CRYPTOGRAPHY", $a = 5$, $b = 8$

**Tasks:**

#### a) Encrypt the plaintext (show calculations for first 3 letters)

With $A = 0$ and $Z = 25$  
C → $x=2$ → $E(x) = (5·2 + 8) \bmod 26 = (10 + 8) \bmod 26 = 18$ → S  
R → $x=17$ → $E(x) = (5·17 + 8) \bmod 26 = (85 + 8) \bmod 26 = 93 \bmod 26 = 15$ → P  
Y → $x=24$ → $E(x) = (5·24 + 8) \bmod 26 = (120 + 8) \bmod 26 = 128 \bmod 26 = 24$ → Y

**Full encryption:**  
CRYPTOGRAPHY → SPYFZAMPIFRY

#### b) Find the decryption key values (multiplicative inverse of a)

Find $a^{-1}$ such that $5·a^{-1} \pmod{26} = 1$

$26×4 = 104$, $104 + 1 = 105$, $105 = 5×21$

$5·21 = 105$, $105 \pmod{26} = 1$, so $a^{-1} = 21$

#### c) Verify your encryption by decrypting the first 3 letters

S → $y=18$ → $D(y) = 21·(18 − 8) \bmod 26 = 21·10 \bmod 26 = 210 \bmod 26 = 2$ → C  
P → $y=15$ → $D(y) = 21·(15 − 8) \bmod 26 = 21·7 \bmod 26 = 147 \bmod 26 = 17$ → R  
Y → $y=24$ → $D(y) = 21·(24 − 8) \bmod 26 = 21·16 \bmod 26 = 336 \bmod 26 = 24$ → Y

CRY...

#### d) How many valid keys exist for the Affine cipher? Explain your reasoning.

Valid keys require $\gcd(a, 26) = 1$ and any $b \in \{0,…,25\}$.  
There are 12 choices for $a$ (1,3,5,7,9,11,15,17,19,21,23,25. Numbers not divisible by 2 or 13, coprimes with 26) and 26 choices for $b$.  
Total valid keys = $12 · 26 = 312$

---

### **Exercise 3: Perfect Secrecy Analysis**

Consider a simple cipher that operates on single bits where:

Key space: $\{0, 1\}$  
Plaintext space: $\{0, 1\}$  
Encryption: $C = P \oplus K$ (XOR operation)  
Each key is chosen with probability $1/2$

**Tasks:**

#### a) Create the complete encryption matrix showing all possible (plaintext, key, ciphertext) combinations

| P | K | C |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |

#### b) Calculate $P(C=0)$ and $P(C=1)$

$p = P(P=0)$. $P(P=1) = 1 − p$  
$P(K=0) = P(K=1) = 1/2$

$P(C=0) = P(P=0,K=0) + P(P=1,K=1)$  
$= P(P=0)·1/2 + P(P=1)·1/2$  
$= (p/2) + ((1−p)/2)$  
$= 1/2$

Similarly, $P(C=1) = 1/2$

#### c) Calculate $P(P=0|C=0)$ and $P(P=1|C=0)$

$P(C=0 \mid P=0) = P(K=0) = 1/2$  
$P(C=0) = 1/2$

$P(P=0 \mid C=0) = \dfrac{P(C=0 \mid P=0) · P(P=0)}{P(C=0)}$  
$= \dfrac{1/2 · p}{1/2}$  
$= p$  
$= P(P=0)$

Likewise, $P(P=1 \mid C=0) = P(P=1)$

#### d) Does this cipher achieve perfect secrecy? Prove your answer using Shannon's definition

Shannon’s definition: for all plaintext values $p$ and all ciphertext values $c$,  
$P(P=p \mid C=c) = P(P=p)$

From (c), we just showed exactly that:

$P(P=0 \mid C=c) = P(P=0)$

$P(P=1 \mid C=c) = P(P=1)$

This holds for any prior over $P$, because $P(C=c \mid P=p) = 1/2$ (the key flips or keeps the bit with equal chance) and $P(C=c) = 1/2$. Therefore, observing $C$ does not change the distribution of $P$. So this achieves perfect secrecy

#### e) What happens to perfect secrecy if we reuse the key for multiple bits?

Key reuse destroys perfect secrecy beyond a single bit

---

### **Exercise 4: Entropy and Key Analysis**

Consider the following scenarios:

**Scenario A:** A password system where:

Passwords are exactly 4 characters long  
Each character is chosen uniformly from {A, B, C, D}

**Scenario B:** A Vigenère cipher with:

Key length = 3  
Each key character chosen uniformly from 26-letter alphabet

**Tasks:**

#### a) Calculate the entropy (in bits) for Scenario A

Number of passwords = $4^4 = 256$  
Entropy $\log_2(256) = 8$ bits

#### b) Calculate the entropy (in bits) for Scenario B

Number of keys = $26^3 = 17,576$  
Entropy $H = \log_2(26^3) = 3·\log_2(26) \approx 3·4.70044 \approx 14.10$ bits. Let's say 15 bits

#### c) If an attacker can test 1000 keys per second, how long would it take to break each system in the worst case?

Scenario A: need up to 256 tries → $256 / 1000$ s = 0.256 seconds  
Scenario B: need up to 17 576 tries → $17\,576 / 1000$ s = 17.576 seconds

#### d) Calculate the "unicity distance" concept: If English text has entropy ≈ 1.5 bits per character, how much ciphertext would theoretically be needed to uniquely determine a 3-character Vigenère key?

Key entropy for a 3-char Vigenère key = $\log_2(26^3) = 3·\log_2(26) \approx 14.10$ bits

English redundancy per character = $\log_2(26) − 1.5 \approx 4.70044 − 1.5 \approx 3.20044$ bits/char

Unicity distance $U \approx \dfrac{H(\text{key})}{\text{redundancy}} \approx \dfrac{14.10}{3.20044} \approx 4.41$ characters

## **Part III: Pico CTF**

Five problems have been posted in the Pico CTF platform. For each problem, find the flags using two different methods. For each method:

- Provide an explanation on what technique was used to solve it.
- Provide any code you used. If you need to apply brute-force, please write your own Python code to do so. Do not use online platforms.
- Provide screenshots showing that the platform accepted your flag.

### **Primer ejercicio: C3**


Estos son los dos archivos que me da el ejercicio:

**Ciphertext:**

```bash
DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFldbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAAAAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl
```

**Convert.py**
```python
import sys
chars = ""
from fileinput import input
for line in input():
  chars += line

lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

out = ""

prev = 0
for char in chars:
  cur = lookup1.index(char)
  out += lookup2[(cur - prev) % 40]
  prev = cur

sys.stdout.write(out)
```

#### **Método 1: Inversión algebraica del codificador (decoder por suma acumulada mod 40).**

Con lo que dieron (ciphertext y convert.py) el truco es que convert.py es el codificador (de lookup1 → lookup2). El ciphertext ya está en lookup2, así que para recuperar el texto claro necesitamos el proceso inverso (decodificador).

```bash
for char in chars:                      # cada caracter del plaintext
    cur = lookup1.index(char)           # posición del caracter en lookup1
    out += lookup2[(cur - prev) % 40]   # se calcula un “diferencial” y se guarda en lookup2
    prev = cur                          # actualiza la referencia
```

**Fórmula Clave:**
```bash
encoded_index = (cur - prev) % 40
```

Donde:
- cur = índice del caracter original en lookup1.
- prev = índice del caracter anterior en lookup1.
- encoded_index = índice en lookup2 (lo que ves en el ciphertext).

**Invertir la fórmula (para decodificar)**

Lo que necesitas es recuperar cur a partir de encoded_index y prev.

De la fórmula:
```bash
encoded_index = (cur - prev) % 40
```

Se despeja:
```bash
cur = (prev + encoded_index) % 40
```

**Implementar el decoder**
- El ciphertext contiene letras de lookup2.
- Entonces, en vez de lookup1.index(char), ahora hacemos lookup2.index(char) → encoded_index.
- Luego aplicamos la fórmula inversa: cur = (prev + encoded_index) % 40.
- Con cur recuperamos el caracter original de lookup1.
- Y actualizamos prev = cur.


Por eso el decoder luce así:
```bash
out = ""
prev = 0
for char in ciphertext:
    diff = lookup2.index(char)       # encoded_index
    cur = (prev + diff) % 40         # fórmula inversa
    out += lookup1[cur]              # caracter original
    prev = cur
```

In [5]:
lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

encoded = "DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFldbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAAAAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl"

out = ""
prev = 0
for char in encoded:
    diff = lookup2.index(char)
    cur = (prev + diff) % 40
    out += lookup1[cur]
    prev = cur

print(out)

#asciiorder
#fortychars
#selfinput
#pythontwo

chars = ""
from fileinput import input
for line in input():
    chars += line
b = 1 / 1

for i in range(len(chars)):
    if i == b * b * b:
        print chars[i] #prints
        b += 1 / 1



**Según las pistas de este output:**

- `#pythontwo` → correr en Python 2.  
- `#selfinput` → el script se debe ejecutar con su propio contenido como entrada.  

In [19]:
code = '''#asciiorder
#fortychars
#selfinput
#pythontwo

chars = ""
from fileinput import input
for line in input():
    chars += line
b = 1 // 1

for i in range(len(chars)):
    if i == b * b * b:
        print(chars[i])  # prints
        b += 1 // 1
'''

with open("stage2.py", "w", encoding="utf-8", newline="\n") as f:
    f.write(code)

In [18]:
!python3 stage2.py < stage2.py

a
d
l
i
b
r


Perfecto, resuelto, tenemos como resultado:
```
adlibs
```

#### **Método 2: Suma acumulada**

1. Observé que el archivo `convert.py` hacía siempre la operación:
   ```bash
   out += lookup2[(cur - prev) % 40]
   ```
   Es decir, tomaba la diferencia entre posiciones en el alfabeto.

2. Entonces pensé:
   - Si al cifrar se usa `cur - prev`,
   - al descifrar debería usarse la operación contraria: `prev + encoded`.

3. De esta forma, se puede resolver así:
   - Empiezo con `prev = 0`.
   - Recorro cada letra cifrada.
   - La convierto en número con `.index()`.
   - Le sumo el valor anterior (`prev`).
   - Tomo la letra de `lookup1`.
   - Actualizo `prev`.

In [22]:
lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

cipher = "DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFldbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAAAAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl"

out = []
suma = 0               
for ch in cipher:
    idx = lookup2.index(ch)    # número de la letra cifrada
    suma = (suma + idx) % 40   # sumita acumulada (mod 40)
    out.append(lookup1[suma])  # letra descifrada

plaintext = "".join(out)
print(plaintext)

#asciiorder
#fortychars
#selfinput
#pythontwo

chars = ""
from fileinput import input
for line in input():
    chars += line
b = 1 / 1

for i in range(len(chars)):
    if i == b * b * b:
        print chars[i] #prints
        b += 1 / 1



Como la salida es la misma que en el método anterior, se confirma que el procedimiento es correcto. Por lo tanto, al ejecutar este código con self-input se obtiene la flag final del reto -> ``` adlibs ```.

### **Segundo ejercicio: Easy Peasy**

#### Introducción (qué me dieron)
El reto entrega un servicio que implementa un esquema tipo OTP (One‑Time Pad). Al iniciar, el servidor:

1. Muestra el *ciphertext* de la flag (en hex).  
2. Luego pregunta: *“What data would you like to encrypt?”* y cifra lo que envíes con el mismo key‑stream (avanzando un puntero).  
3. Si el puntero llega al final del key (longitud 50 000), hace **wrap** y vuelve al inicio del key.

El archivo del servidor (`otp.py`) fue incluido en el reto y lo leí con atención para entender la mecánica del puntero/key y el wrap. 


#### Observación clave (la vulnerabilidad)
En un OTP seguro cada porción del key debe usarse una sola vez. En este servicio, por diseño (o por bug), el servidor puede volver a reutilizar la misma porción del key si el puntero hace wrap. Concretamente:

- El servidor cifra la flag con `key[k : k + len(flag)]` y avanza el puntero a `k + len(flag)`.  
- Si yo envío `FILL = KEY_LEN - len(flag)` bytes, el puntero llegará a `k + KEY_LEN` y al hacer wrap el siguiente cifrado volverá a usar `key[k : k + len(flag)]`.  
- Eso crea un **two‑time pad**: la misma porción del key `K` cifra la flag y mi mensaje posterior.

Esto es suficiente para recuperar la flag.


Al ver el `convert`/`encrypt` en el código, lo primero que hice fue identificar:

- `C1 = FLAG ^ K`  (cipher que nos muestra el servidor al inicio)  
- Si consigo que el servidor cifre otra vez con **la misma** porción `K` y yo controlo ese plaintext `P2`, obtendré `C2 = P2 ^ K`.

Dado `C1` y `C2` conocidos y `P2` elegido por mí, puedo recombinar:

```
C1 ^ C2 = (FLAG ^ K) ^ (P2 ^ K) = FLAG ^ P2
```

y por tanto

```
FLAG = C1 ^ C2 ^ P2
```

Eso es todo: con un XOR extra y mi `P2` conocido, recupero la `FLAG`.

#### Datos concretos del reto
- `KEY_LEN = 50000` (del código).  
- El ciphertext de la flag mostrado inicialmente tenía 64 hex → **32 bytes** de flag.  
- Por tanto: `FILL = 50000 - 32 = 49968`.

#### **Método 1: Two‑time pad con texto conocido “A”**

##### Idea (resumida)
Forzamos el wrap y pedimos que cifre `P2 = b"A"*32`. Con `C1` y `C2` calculamos `FLAG = C1 ^ C2 ^ P2`.

##### Pasos que ejecuté
1. Conectar al servicio y copiar `C1` (el hex que imprime al arrancar).
   ```bash
   nc mercury.picoctf.net 58913
   ```
   El servidor imprime algo como:
   ```
   Here ya go!
   1a2b3c...  (64 hex chars)
   ```
   Ese hex es `C1`.

2. En la primera interacción con el prompt, enviar `FILL = 49968` letras `'A'` para forzar el wrap.

3. Ahora el servidor pedirá otra vez *What data would you like to encrypt?* — enviar `32` `'A'`:

Ejecutamos este paso para hacer 2 y 3:
```bash
python3 -c 'import sys; sys.stdout.write("A"*49968 + "\n" + "A"*32 + "\n")' | nc mercury.picoctf.net 58913
```
   Copiar el hex que devuelve → ese es `C2`.

4. Localmente combinar `C1`, `C2` y `P2`:

In [24]:
C1_hex = "51124f4d194969633e4b52026f4c07513a6f4d05516e1e50536c4954066a1c57"
C2_hex = "23666b6f3a3c1a111d3971771d397122181d3927731d3925231d3924241d3924"

C1 = bytes.fromhex(C1_hex)
C2 = bytes.fromhex(C2_hex)
P2 = b"A" * len(C2)

flag = bytes(a ^ b ^ c for a,b,c in zip(C1, C2, P2))
print(flag.decode())

35ecb423b3b43472c35cc2f41011c6d2


Resultado: `picoCTF{35ecb423b3b43472c35cc2f41011c6d2}`

#### **Método 2**

**Falta**

### **Tercer ejercicio: New Caesar**

##### Resumen del cifrado observado

Del archivo `new_caesar.py` y del enunciado se deduce que:

1. Cada **byte** del *plaintext* se transforma a **dos nibbles** (base-16).
   - Ejemplo: el byte `0x41` (`'A'`) se convierte en `0x4` y `0x1`.
2. En vez del alfabeto hexadecimal estándar `0..f`, el reto **mapea** los 16 valores a letras:

```
ALPHABET = "abcdefghijklmnop"
```

Es decir, `a → 0x0`, `b → 0x1`, …, `p → 0xF`.


3. Sobre esa secuencia de letras (cada nibble representado por `a..p`) aplican un **desplazamiento tipo Caesar** de **longitud 1** (una sola letra de clave), es decir, cada carácter `c` se reemplaza por:

$$
c' = \text{ALPHABET}\big( (\text{idx}(c) + \text{idx}(k)) \bmod 16\big)
$$

donde `idx(x)` es el índice de la letra en `ALPHABET`, y `k` es la clave (una letra `a..p`).

4. Por tanto, el ciphertext que aparece en el reto es una secuencia sólo con letras `a..p`.\
   Para recuperar el *plaintext* hay que (i) revertir el shift y (ii) reensamblar nibbles en bytes.


##### Notación y fórmulas

- Sea el alfabeto  
  $ AL = \{a,b,c,\dots,p\} $
  con índices:

  $$
  \text{idx}(a)=0,\ \text{idx}(b)=1,\ \dots,\ \text{idx}(p)=15.
  $$

- Si \(c'\) es un carácter cifrado y \(k\) es la clave (una sola letra), la operación de **cifrado** en índices es:

  $$
  \text{idx}(c') \equiv \text{idx}(c) + \text{idx}(k) \pmod{16}.
  $$

- Para **deshacer** el cifrado (**descifrar**):

  $$
  \text{idx}(c) \equiv \text{idx}(c') - \text{idx}(k) \pmod{16}.
  $$

- Una vez que se obtiene la secuencia de *nibbles* (letras en `a..p`) **sin desplazamiento**, se toman **de 2 en 2** para formar bytes.  
  Si los nibbles son \( n_{\text{hi}}, n_{\text{lo}} \in \{0,\dots,15\} \), el byte reconstruido es:

  $$
  \text{byte} \;=\; (n_{\text{hi}} \ll 4)\ \big|\ n_{\text{lo}}.
  $$

> Nota: “\( ll \)” indica corrimiento a la izquierda 4 bits, y “\( | \)” el OR a nivel de bits.

#### **Método A — Reversión analítica (determinista)**

##### Idea

Dado que la clave es una sola letra y el alfabeto tiene tamaño 16, basta probar las 16 claves posibles. Para cada clave:

1. Revertir el desplazamiento (fórmula arriba).
2. Tomar pares de letras y convertirlos en bytes por concatenación de nibbles.
3. Convertir bytes a ASCII y comprobar si la salida contiene `picoCTF{`.

##### Complejidad

- Intentos: 16 claves.
- Trabajo por intento: O(N) para procesar N caracteres del ciphertext.
- Total: O(16·N) ≈ O(N) — trivialmente rápido.

In [None]:
ALPHABET = "abcdefghijklmnop"
A2I = {ch:i for i,ch in enumerate(ALPHABET)}

def unshift_char(c, k):
    """Revertir desplazamiento: devuelve caracter original en a..p."""
    return ALPHABET[(A2I[c] - A2I[k]) % 16]

def b16_decode(s):
    """Decodifica una cadena de letras a..p (longitud par) a bytes."""
    out = bytearray()
    for i in range(0, len(s), 2):
        hi = A2I[s[i]]
        lo = A2I[s[i+1]]
        out.append((hi << 4) | lo)
    return out

def decrypt_with_key(ct, k):
    """Desplaza todo el ciphertext 'ct' con clave 'k' y decodifica bytes."""
    unshifted = "".join(unshift_char(c, k) for c in ct)
    return b16_decode(unshifted).decode('latin1', errors='ignore')

if __name__ == "__main__":
    # ciphertext
    CT = "mlnklfnknljflfmhjimkmhjhmljhjomhmmjkjpmmjmjkjpjojgjmjpjojojnjojmmkmlmijimhjmmj"

    for k in ALPHABET:
        pt = decrypt_with_key(CT, k)
        if "picoCTF{" in pt:
            print("Clave encontrada:", k)
            print("Flag:", pt)
            break
        # Si desea ver todos los intentos:
        print(k, pt[:60])

a ËÚµÚÛµÇÊÇËÇÌÌÊËÈÇÉ
b ºÉ¤ÉÊ¤¶¹¶º¶»»¹º·¶¸
c ©¸¸¹s¥v¨¥u©u|¥ªx}ªzx}|tz}||{|z¨©¦v¥z§
d §§¨beddkgliglkcilkkjkiei
e qQqTSSZV[XV[ZRX[ZZYZXTX
f v`@`rCurBvBIrwEJwGEJIAGJIIHIGuvsCrGt
g et_tu?_a2da1e18af49f649806988786deb2a6c
h TcNcd.NP!SP T 'PU#(U%#('/%(''&'%STQ!P%R
i CR=RS=OBOCODDBC@OA
12?>02>33
k !001û-þ -ý!ýô-"ðõ"òðõôüòõôôóôò !.þ-ò/
l /
/ ê
íììãïäáïäãëáäããâãáíá
m ùÙùÜÛÛÒ ÞÓ ÐÞÓÒÚÐÓÒÒÑÒÐÜÐ
ÈèúËýúÊþÊÁúÿÍÂÿÏÍÂÁÉÏÂÁÁÀÁÏýþûËúÏü
o íü×üý·×éºìé¹í¹°éî¼±î¾¼±°¸¾±°°¿°¾ìíêºé¾ë
p ÜëÆëì¦ÆØ©ÛØ¨Ü¨¯ØÝ« Ý­« ¯§­ ¯¯®¯­ÛÜÙ©Ø­Ú


##### Resultado esperado

- Uno de los 16 intentos producirá una cadena legible que contiene `picoCTF{...}`.
- Ese valor es la flag válida para enviar al grader.
- En este caso la clave encontrada es la **g**.
- Tenemos el flag: **et_tu?_a2da1e18af49f649806988786deb2a6c**