In [None]:
!pip install pycryptodome



*F1*


Hexadecimal can be used in such a way to represent ASCII strings. First each letter is converted to an ordinal number according to the ASCII table (as in the previous challenge). Then the decimal numbers are converted to base-16 numbers, otherwise known as hexadecimal. The numbers can be combined together, into one long hex string.

Included below is a flag encoded as a hex string. Decode this back into bytes to get the flag.
```

63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974
685f6865785f737472696e67735f615f6c6f747d
```

In [1]:
# The hex string
hex_string = "63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d"

# Method 1: Using bytes.fromhex()
decoded = bytes.fromhex(hex_string).decode('ascii')
print(decoded)

# Method 2: Alternative way using int() and chr()
decoded2 = ""
for i in range(0, len(hex_string), 2):
    hex_pair = hex_string[i:i+2]
    decimal = int(hex_pair, 16)
    decoded2 += chr(decimal)
print(decoded2)


crypto{You_will_be_working_with_hex_strings_a_lot}
crypto{You_will_be_working_with_hex_strings_a_lot}


_______________________________________________________________________________________

*F2*


Another common encoding scheme is Base64, which allows us to represent binary data as an ASCII string using an alphabet of 64 characters. One character of a Base64 string encodes 6 binary digits (bits), and so 4 characters of Base64 encode three 8-bit bytes.

Base64 is most commonly used online, so binary data such as images can be easily included into HTML or CSS files.

Take the below hex string, decode it into bytes and then encode it into Base64.

```
72bca9b68fc16ac7beeb8f849dca
1d8a783e8acf9679bf9269f7bf
```

 In Python, after importing the base64 module with import base64, you can use the base64.b64encode() function. Remember to decode the hex first as the challenge description states.

In [2]:
import base64

# The hex string
hex_string = "72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf"

# Step 1: Convert hex to bytes
bytes_data = bytes.fromhex(hex_string)

# Step 2: Encode bytes to Base64
base64_encoded = base64.b64encode(bytes_data).decode()

print(base64_encoded)


crypto/Base+64+Encoding+is+Web+Safe/


_________________________________________________
*F3*

Cryptosystems like RSA works on numbers, but messages are made up of characters. How should we convert our messages into numbers so that mathematical operations can be applied?

The most common way is to take the ordinal bytes of the message, convert them into hexadecimal, and concatenate. This can be interpreted as a base-16/hexadecimal number, and also represented in base-10/decimal.

To illustrate:

message: HELLO
ascii bytes: [72, 69, 76, 76, 79]

hex bytes: [0x48, 0x45, 0x4c, 0x4c, 0x4f]

base-16: 0x48454c4c4f

base-10: 310400273487

 Python's PyCryptodome library implements this with the methods bytes_to_long() and long_to_bytes(). You will first have to install PyCryptodome and import it with from Crypto.Util.number import 


Convert the following integer back into a message:
```
11515195063862318899931685488813747
39577551628728968263649996528271463
7259206269
```

In [3]:
# Original message
message = "HELLO"

# Convert to ASCII bytes
ascii_bytes = [ord(c) for c in message]
print(f"ASCII bytes: {ascii_bytes}")

# Convert to hex bytes
hex_bytes = [hex(ord(c)) for c in message]
print(f"Hex bytes: {hex_bytes}")

# Create base-16 (hex) representation by concatenating
hex_string = "0x" + "".join([hex(ord(c))[2:] for c in message])
print(f"Base-16: {hex_string}")

# Convert to base-10 (decimal)
decimal = int(hex_string, 16)
print(f"Base-10: {decimal}")

# To convert back from decimal to text:
def decimal_to_text(decimal_num):
    hex_str = hex(decimal_num)[2:]  # Remove '0x' prefix
    # Ensure even length
    if len(hex_str) % 2 != 0:
        hex_str = '0' + hex_str
    # Convert back to bytes and then to string
    return bytes.fromhex(hex_str).decode('ascii')

# Test the conversion back
original = decimal_to_text(decimal)
print(f"Back to text: {original}")


ASCII bytes: [72, 69, 76, 76, 79]
Hex bytes: ['0x48', '0x45', '0x4c', '0x4c', '0x4f']
Base-16: 0x48454c4c4f
Base-10: 310400273487
Back to text: HELLO


In [5]:
from Crypto.Util.number import bytes_to_long, long_to_bytes

# Original message
message = "HELLO"

# Method 1: Using PyCryptodome (easiest way)
message_bytes = message.encode('ascii')
number = bytes_to_long(message_bytes)
print(f"Using PyCryptodome bytes_to_long(): {number}")

# Converting back to text
recovered = long_to_bytes(number).decode('ascii')
print(f"Recovered message: {recovered}")



Using PyCryptodome bytes_to_long(): 310400273487
Recovered message: HELLO


In [7]:
from Crypto.Util.number import long_to_bytes

# The given number
number = 11515195063862318899931685488813747395775516287289682636499965282714637259206269

# Method 1: Using PyCryptodome (easier way)
message = long_to_bytes(number).decode()
print(f"Using PyCryptodome: {message}")

# Method 2: Manual conversion
def decimal_to_text(decimal_num):
    # Convert decimal to hex, remove '0x' prefix
    hex_str = hex(decimal_num)[2:]
    # Ensure even length
    if len(hex_str) % 2 != 0:
        hex_str = '0' + hex_str
    # Convert hex to bytes and then to string
    return bytes.fromhex(hex_str).decode('ascii')

manual_message = decimal_to_text(number)
print(f"Using manual conversion: {manual_message}")


Using PyCryptodome: crypto{3nc0d1n6_4ll_7h3_w4y_d0wn}
Using manual conversion: crypto{3nc0d1n6_4ll_7h3_w4y_d0wn}


___________________________________________________________________
*F4*



XOR is a bitwise operator which returns 0 if the bits are the same, and 1 otherwise. In textbooks the XOR operator is denoted by $\oplus$, but in most challenges and programming languages you will see the caret used instead.

A	B	A $\oplus$ B

0	0	0

0	1	1

1	0	1

1	1	0

For longer binary numbers we XOR bit by bit: $0110 \oplus 1010 = 1100$. We can XOR integers by first converting the integer from decimal to binary. We can XOR strings by first converting each character to the integer representing the Unicode character.

Given the string label, XOR each character with the integer 13. Convert these integers back to a string and submit the flag as crypto\{new\_string\}.

The Python pwntools library has a convenient xor() function that can XOR together data of different types and lengths. But first, you may want to implement your own function to solve this.

In [9]:
def xor_with_key(text, key):
    """
    XOR each character in text with the given key value
    Args:
        text (str): Input text to XOR
        key (int): Integer key to XOR with
    Returns:
        str: XORed result
    """
    return ''.join(chr(ord(c) ^ key) for c in text)

def make_flag(text):
    return f"crypto{{{text}}}"

# Solve the original problem (label XOR 13)
original_text = "label"
key = 13

result = xor_with_key(original_text, key)
flag = make_flag(result)

print(f"Original text: {original_text}")
print(f"XORed with {key}: {result}")
print(f"Flag: {flag}")



# Verify reversibility
reversed_text = xor_with_key(result, key)
print(f"XORing result again with {key}: {reversed_text}")


Original text: label
XORed with 13: aloha
Flag: crypto{aloha}
XORing result again with 13: label


In [10]:
# Demonstrate the process
print("\nStep by step process:")
for char in original_text:
    original_num = ord(char)
    xored = original_num ^ key
    new_char = chr(xored)
    print(f"Character: {char}")
    print(f"ASCII value: {original_num}")
    print(f"XORed with {key}: {xored}")
    print(f"New character: {new_char}")
    print()


Step by step process:
Character: l
ASCII value: 108
XORed with 13: 97
New character: a

Character: a
ASCII value: 97
XORed with 13: 108
New character: l

Character: b
ASCII value: 98
XORed with 13: 111
New character: o

Character: e
ASCII value: 101
XORed with 13: 104
New character: h

Character: l
ASCII value: 108
XORed with 13: 97
New character: a



In [18]:
# Install pwntools using pip
#!pip install pwntools;

from pwn import *

text = "label"
result = xor(text, 13)
flag = f"crypto{{{result.decode()}}}"
print(flag)


crypto{aloha}


___________________________________________________________________
*F5*



In the last challenge, you saw how XOR worked at the level of bits. In this one, we're going to cover the properties of the XOR operation and then use them to undo a chain of operations that have encrypted a flag. Gaining an intuition for how this works will help greatly when you come to attacking real cryptosystems later, especially in the block ciphers category.

There are four main properties we should consider when we solve challenges using the XOR operator

Commutative: $A \oplus B = B \oplus A$
Associative: $A \oplus (B \oplus C) = (A \oplus B) \oplus C$
Identity: $A \oplus 0 = A$
Self-Inverse: $A \oplus A = 0$

Let's break this down. Commutative means that the order of the XOR operations is not important. Associative means that a chain of operations can be carried out without order (we do not need to worry about brackets). The identity is 0, so XOR with 0 "does nothing", and lastly something XOR'd with itself returns zero.

Let's put this into practice! Below is a series of outputs where three random keys have been XOR'd together and with the flag. Use the above properties to undo the encryption in the final line to obtain the flag.

```
KEY1 = a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313
KEY2 ^ KEY1 = 37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e
KEY2 ^ KEY3 = c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1
FLAG ^ KEY1 ^ KEY3 ^ KEY2 = 04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf
```

Before you XOR these objects, be sure to decode from hex to bytes.

In [23]:
from Crypto.Util.number import *


# Convert hex strings to integers
KEY1 = int('a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313', 16)
KEY2_XOR_KEY1 = int('37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e', 16)
KEY2_XOR_KEY3 = int('c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1', 16)
FLAG_XOR_ALL = int('04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf', 16)

# Using the properties:
# 1. From KEY2 ^ KEY1 we can get KEY2 by XORing both sides with KEY1
# 2. From KEY2 ^ KEY3 we can get KEY3 by XORing with KEY2
# 3. Then we can solve for FLAG

# Get KEY2 using KEY2 ^ KEY1
KEY2 = KEY2_XOR_KEY1 ^ KEY1  

# Get KEY3 using KEY2 ^ KEY3
KEY3 = KEY2_XOR_KEY3 ^ KEY2

# The encrypted flag is FLAG ^ KEY1 ^ KEY3 ^ KEY2
# To get FLAG, XOR with the same keys again
FLAG = FLAG_XOR_ALL ^ KEY1 ^ KEY3 ^ KEY2

# Convert the result back to bytes and decode
flag = long_to_bytes(FLAG)
print(flag.decode())


crypto{x0r_i5_ass0c1at1v3}


In [26]:
from pwn import xor
k1=bytes.fromhex('a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313')
k2_3=bytes.fromhex('c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1')
flag=bytes.fromhex('04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf')
print(xor(k1,k2_3,flag)) 

b'crypto{x0r_i5_ass0c1at1v3}'


_______________________________________________________________

*F6*

I've hidden some data using XOR with a single byte, but that byte is a secret. Don't forget to decode from hex first.
```
73626960647f6b206821204f
21254f7d694f762466206562
2127234f726927756d
```

In [27]:
def try_single_byte_xor(hex_string):
    # Convert hex to bytes
    ciphertext = bytes.fromhex(hex_string)
    
    # Try every possible byte value (0-255)
    for key in range(256):
        # XOR each byte with the key
        result = ''
        valid = True
        
        # Create the decoded text
        decoded = ''.join(chr(b ^ key) for b in ciphertext)
        
        # Check if the result contains printable ASCII
        if all(32 <= ord(c) <= 126 for c in decoded):
            print(f"Key {key}: {decoded}")

# The encrypted hex string
hex_string = "73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d"

try_single_byte_xor(hex_string)


Key 1: rchae~j!i !N $N|hNw%g!dc &"Nsh&tl
Key 3: pajcg|h#k"#L"&L~jLu'e#fa"$ Lqj$vn
Key 4: wfmd`{o$l%$K%!KymKr b$af%#'Kvm#qi
Key 5: vgleazn%m$%J$ JxlJs!c%`g$"&Jwl"ph
Key 6: udofbym&n'&I'#I{oIp"`&cd'!%Ito!sk
Key 7: tengcxl'o&'H&"HznHq#a'be& $Hun rj
Key 8: {jahlwc(`)(G)-GuaG~,n(mj)/+Gza/}e
Key 11: xibkot`+c*+D*.DvbD}/m+ni*,(Dyb,~f
Key 14: }lgnjqe.f/.A/+AsgAx*h.kl/)-A|g){c
Key 15: |mfokpd/g./@.*@rf@y+i/jm.(,@}f(zb
Key 16: crypto{0x10_15_my_f4v0ur173_by7e}
Key 17: bsxqunz1y01^04^lx^g5w1ts062^cx6d|
Key 19: `qzswlx3{23\26\nz\e7u3vq240\az4f~
Key 21: fw|uqj~5}45Z40Zh|Zc1s5pw426Zg|2`x
Key 24: kzqx|gs8p98W9=WeqWn<~8}z9?;Wjq?mu
Key 28: o~u|xcw<t=<S=9SauSj8z<y~=;?Snu;iq
Key 30: m|w~zau>v?>Q?;QcwQh:x>{|?9=Qlw9ks


```
Key 16: crypto{0x10_15_my_f4v0ur173_by7e} is the answer
```

In [29]:
from pwn import xor
# Imports the xor function from the pwntools library, which makes XOR operations easy

cipher = bytes.fromhex("73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d")
# 1. Takes the hex string (the encrypted message)
# 2. bytes.fromhex() converts the hex string into bytes for processing
# For example: '73' becomes the byte value 0x73

for i in range(256):
    # Tries every possible single byte value (0-255)
    # Since a byte can be any value from 0 to 255, we try each one
    
    result = xor(cipher, i).decode()
    # 1. xor(cipher, i) - XORs each byte of the cipher with the value i
    # 2. .decode() - converts the resulting bytes back to a readable string
    
    if result.startswith('crypto{'):
        # Checks if the decoded result starts with 'crypto{'
        # This is how we know we found the correct key
        
        print(f"Found flag: {result}")
        # Prints the flag when found
        
        break
        # Exits the loop once we find the correct result



Found flag: crypto{0x10_15_my_f4v0ur173_by7e}


________________________________________________________________________________
*F7*


I've encrypted the flag with my secret key, you'll never be able to guess it.

Remember the flag format and how it might help you in this challenge!

```
0e0b213f26041e48
0b26217f27342e175
d0e070a3c5b103e25
26217f27342e175d0e
077e263451150104
```

In [34]:
from pwn import xor

# Convert hex to bytes
cipher = bytes.fromhex('0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104')

# Known start of the flag
known = b'crypto{'

# Find the key by XORing the first 7 bytes with 'crypto{'
key = xor(cipher[:7], known)
print(f"Key found: {key.decode()}")

# Try extending the key (it's probably repeating)
key = key.decode()
while len(key) < len(cipher):
    key += key



Key found: myXORke


In [31]:
from pwn import xor

cipher = bytes.fromhex('0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104')
key = b'myXORkey'  # We already know the key
flag = xor(cipher, key * (len(cipher)//len(key) + 1))
print(f"Flag: {flag.decode()}")


Flag: crypto{1f_y0u_Kn0w_En0uGH_y0u_Kn0w_1t_4ll}VDsTC}


____________________________________________________________________________________________
*F8*

calculate 
gcd
⁡
(
a
,
b
)
gcd(a,b) for 
a=66528,
b=52920
and enter it below.


In [36]:
def gcd(a, b):
    while b:
        a, b = b, a % b
    return a


# Calculate the actual challenge
a = 66528
b = 52920
result = gcd(a, b)
print(f"GCD of {a} and {b} is: {result}")

GCD of 12 and 8 is: 4
GCD of 66528 and 52920 is: 1512


___________________________________________________________

*F9*

In [38]:
def extended_gcd(a, b):
    if a == 0:
        return b, 0, 1
    else:
        gcd, x, y = extended_gcd(b % a, a)
        return gcd, y - (b//a) * x, x

# The primes
p = 26513
q = 32321

# Calculate GCD and coefficients
gcd, u, v = extended_gcd(p, q)

print(f"GCD: {gcd}")
print(f"u: {u}")
print(f"v: {v}")
print(f"Verification: {p*u + q*v}")  # Should equal GCD
print(f"Flag is the lower of u ({u}) and v ({v})")


GCD: 1
u: 10245
v: -8404
Verification: 1
Flag is the lower of u (10245) and v (-8404)


_______________________________________________________
*F10*


$11 \equiv x \pmod{6}$

$8146798528947 \equiv y \pmod{17}$

The solution is the smaller of the two integers, 
(x,y) you obtained after reducing by the modulus.

In [41]:
# For x ≡ 11 (mod 6)
x = 11 % 6

# For y ≡ 8146798528947 (mod 17)
y = 8146798528947 % 17

print(f"x = {x}")
print(f"y = {y}")



x = 5
y = 4


______________________________________________________________________
*F11*


Let $p = 17$. Calculate $3^{17} \pmod{17}$. Now do the same but with $5^{17} \pmod{17}$.

What would you expect to get for $7^{16} \pmod{17}$? Try calculating that.

This interesting fact is known as Fermat's little theorem. We'll be needing this (and its generalisations) when we look at RSA cryptography.

Now take the prime $p = 65537$. Calculate $273246787654^{65536} \pmod{65537}$.

In [42]:
# First part with p = 17
p = 17

# Calculate 3^17 mod 17
result1 = pow(3, 17, 17)
print(f"3^17 mod 17 = {result1}")  # Should be 3

# Calculate 5^17 mod 17
result2 = pow(5, 17, 17)
print(f"5^17 mod 17 = {result2}")  # Should be 5

# Calculate 7^16 mod 17
result3 = pow(7, 16, 17)
print(f"7^16 mod 17 = {result3}")  # Should be 1

# Final calculation with p = 65537
p = 65537
result4 = pow(273246787654, 65536, 65537)
print(f"273246787654^65536 mod 65537 = {result4}")  # Should be 1


3^17 mod 17 = 3
5^17 mod 17 = 5
7^16 mod 17 = 1
273246787654^65536 mod 65537 = 1


In [45]:
a=(3**17)%17
b=(5**17)%17
c=(7**16)%17
d=(273246787654**65536)%65537
print(a,b,c,d)

3 5 1 1


In [56]:
def is_prime(n):
    return n > 1 and all(n % i != 0 for i in range(2, int(n**0.5) + 1))

def check_fermat(base, exponent, p):
    return 1 if is_prime(p) and base % p != 0 and exponent == p-1 else "Conditions not met"

# Test
print(check_fermat(273246787654, 65536, 65537))


1


______________________________________________________________

*F12*


As we've seen, we can work within a finite field $\mathbb{F}_p$, adding and multiplying elements, and always obtain another element of the field.

For all elements $g$ in the field, there exists a unique integer $d$ such that $g \cdot d \equiv 1 \pmod{p}$

This is the multiplicative inverse of $g$

Example: $7 \cdot 8 = 56 \equiv 1 \pmod{11}$

What is the inverse element: $d = 3^{-1}$ such that $ 3 \cdot d \equiv 1 \pmod{13}$ ?


In [4]:
def pow_mod(base, exponent, modulus):
    result = 1
    base = base % modulus
    
    while exponent > 0:
        # If exponent is odd, multiply base with result
        if exponent & 1:
            result = (result * base) % modulus
        # Exponent = exponent/2
        exponent = exponent >> 1
        # Base = base^2
        base = (base * base) % modulus
    
    return result

# Find 3^(-1) mod 13 using Fermat's Little Theorem
base = 3
prime = 13
inverse = pow_mod(base, prime-2, prime)

print(f"The multiplicative inverse of {base} modulo {prime} is: {inverse}")
# Verify the result
print(f"Verification: ({base} * {inverse}) mod {prime} = {(base * inverse) % prime}")


The multiplicative inverse of 3 modulo 13 is: 9
Verification: (3 * 9) mod 13 = 1


___________________________________________________
*F13*



We've looked at multiplication and division in modular arithmetic, but what does it mean to take the square root modulo an integer?

For the following discussion, let's work modulo $p = 29$. We can take the integer $a = 11$ and calculate $a^2 = 5 \mod 29$.

As $a = 11$, $a^2 = 5$, we say the square root of $5$ is $11$.

This feels good, but now let's think about the square root of $18$. From the above, we know we need to find some integer $a$ such that $a^2 = 18$.

Your first idea might be to start with $a = 1$ and loop to $a = p - 1$. In this discussion $p$ isn't too large and we can quickly check all options.

Have a go, try coding this and see what you find. If you've coded it right, you'll find that for all $a \in F_p^*$, you never find an $a$ such that $a^2 = 18$.

What we are seeing, is that for the elements of $F_p^*$, not every element has a square root. In fact, what we find is that for roughly one half of the elements of $F_p^*$, there is no square root.

We say that an integer $x$ is a Quadratic Residue if there exists an $a$ such that $a^2 \equiv x \mod p$. If there is no such solution, then the integer is a Quadratic Non-Residue.


In other words, $x$ is a quadratic residue when it is possible to take the square root of $x$ modulo an integer $p$.

In the below list there are two non-quadratic residues and one quadratic residue.

Find the quadratic residue and then calculate its square root. Of the two possible roots, submit the smaller one as the flag.

If $a^2 = x$ then $(-a)^2 = x$. So if $x$ is a quadratic residue in some finite field, then there are always two solutions for $a$.


$p = 29$

$integers = [14, 6, 11]$

In [6]:
def find_squares(p):
    squares = set()
    for i in range(p):
        squares.add((i * i) % p)
    return squares

def find_roots(n, p):
    roots = []
    for i in range(p):
        if (i * i) % p == n:
            roots.append(i)
    return roots

p = 29
ints = [14, 6, 11]

# Find all quadratic residues modulo p
squares = find_squares(p)

print(f"Quadratic residues modulo {p}: {sorted(squares)}")

# Check each number
for x in ints:
    if x in squares:
        print(f"\n{x} is a quadratic residue")
        roots = find_roots(x, p)
        print(f"Its square roots are: {roots}")
    else:
        print(f"\n{x} is not a quadratic residue")


Quadratic residues modulo 29: [0, 1, 4, 5, 6, 7, 9, 13, 16, 20, 22, 23, 24, 25, 28]

14 is not a quadratic residue

6 is a quadratic residue
Its square roots are: [8, 21]

11 is not a quadratic residue


```
Note,$21 \equiv -8$ essentially mod 29
```

________________________________________________________________________________________________

*F14*
We've looked at multiplication and division in modular arithmetic, but what does it mean to take the square root modulo an integer?

In Quadratic Residues we learnt what it means to take the square root modulo an integer. We also saw that taking a root isn't always possible.

In the previous case when $p = 29$, even the simplest method of calculating the square root was fast enough, but as $p$ gets larger, this method becomes wildly unreasonable.

Lucky for us, we have a way to check whether an integer is a quadratic residue with a single calculation thanks to Legendre. In the following, we will assume we are working modulo a prime $p$.

Before looking at Legendre's symbol, let's take a brief detour to see an interesting property of quadratic (non-)residues.

Quadratic Residue * Quadratic Residue = Quadratic Residue
Quadratic Residue * Quadratic Non-residue = Quadratic Non-residue
Quadratic Non-residue * Quadratic Non-residue = Quadratic Residue

Want an easy way to remember this? Replace "Quadratic Residue" with $+1$ and "Quadratic Non-residue" with $-1$, all three results are the same!


So what's the trick? The Legendre Symbol gives an efficient way to determine whether an integer is a quadratic residue modulo an odd prime $p$.

Legendre's Symbol: $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \mod p$ obeys:

$\left(\frac{a}{p}\right) = 1$ if $a$ is a quadratic residue and $a \not\equiv 0 \mod p$
$\left(\frac{a}{p}\right) = -1$ if $a$ is a quadratic non-residue $\mod p$
$\left(\frac{a}{p}\right) = 0$ if $a \equiv 0 \mod p$

Which means given any integer $a$, calculating $a^{(p-1)/2} \mod p$ is enough to determine if $a$ is a quadratic residue.

Now for the flag. Given the following 1024 bit prime and 10 integers, find the quadratic residue and then calculate its square root; the square root is your flag. Of the two possible roots, submit the larger one as your answer.

So Legendre's symbol tells us which integer is a quadratic residue, but how do we find the square root?! The prime supplied obeys $p \equiv 3 \mod 4$, which allows us easily compute the square root. The answer is online, but you can figure it out yourself if you think about Fermat's little theorem.

p = 101524035174539890485408575671085261788758965189060164484385690801466167356667036677932998889725476582421738788500738738503134356158197247473850273565349249573867251280253564698939768700489401960767007716413932851838937641880157263936985954881657889497583485535527613578457628399173971810541670838543309159139

ints = [25081841204695904475894082974192007718642931811040324543182130088804239047149283334700530600468528298920930150221871666297194395061462592781551275161695411167049544771049769000895119729307495913024360169904315078028798025169985966732789207320203861858234048872508633514498384390497048416012928086480326832803, 45471765180330439060504647480621449634904192839383897212809808339619841633826534856109999027962620381874878086991125854247108359699799913776917227058286090426484548349388138935504299609200377899052716663351188664096302672712078508601311725863678223874157861163196340391008634419348573975841578359355931590555, 17364140182001694956465593533200623738590196990236340894554145562517924989208719245429557645254953527658049246737589538280332010533027062477684237933221198639948938784244510469138826808187365678322547992099715229218615475923754896960363138890331502811292427146595752813297603265829581292183917027983351121325, 14388109104985808487337749876058284426747816961971581447380608277949200244660381570568531129775053684256071819837294436069133592772543582735985855506250660938574234958754211349215293281645205354069970790155237033436065434572020652955666855773232074749487007626050323967496732359278657193580493324467258802863, 4379499308310772821004090447650785095356643590411706358119239166662089428685562719233435615196994728767593223519226235062647670077854687031681041462632566890129595506430188602238753450337691441293042716909901692570971955078924699306873191983953501093343423248482960643055943413031768521782634679536276233318, 85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771, 50576597458517451578431293746926099486388286246142012476814190030935689430726042810458344828563913001012415702876199708216875020997112089693759638454900092580746638631062117961876611545851157613835724635005253792316142379239047654392970415343694657580353333217547079551304961116837545648785312490665576832987, 96868738830341112368094632337476840272563704408573054404213766500407517251810212494515862176356916912627172280446141202661640191237336568731069327906100896178776245311689857997012187599140875912026589672629935267844696976980890380730867520071059572350667913710344648377601017758188404474812654737363275994871, 4881261656846638800623549662943393234361061827128610120046315649707078244180313661063004390750821317096754282796876479695558644108492317407662131441224257537276274962372021273583478509416358764706098471849536036184924640593888902859441388472856822541452041181244337124767666161645827145408781917658423571721, 18237936726367556664171427575475596460727369368246286138804284742124256700367133250078608537129877968287885457417957868580553371999414227484737603688992620953200143688061024092623556471053006464123205133894607923801371986027458274343737860395496260538663183193877539815179246700525865152165600985105257601565]

In [15]:
# Given prime p
p = 101524035174539890485408575671085261788758965189060164484385690801466167356667036677932998889725476582421738788500738738503134356158197247473850273565349249573867251280253564698939768700489401960767007716413932851838937641880157263936985954881657889497583485535527613578457628399173971810541670838543309159139

# Given integers
ints = [
    25081841204695904475894082974192007718642931811040324543182130088804239047149283334700530600468528298920930150221871666297194395061462592781551275161695411167049544771049769000895119729307495913024360169904315078028798025169985966732789207320203861858234048872508633514498384390497048416012928086480326832803,
    45471765180330439060504647480621449634904192839383897212809808339619841633826534856109999027962620381874878086991125854247108359699799913776917227058286090426484548349388138935504299609200377899052716663351188664096302672712078508601311725863678223874157861163196340391008634419348573975841578359355931590555,
    17364140182001694956465593533200623738590196990236340894554145562517924989208719245429557645254953527658049246737589538280332010533027062477684237933221198639948938784244510469138826808187365678322547992099715229218615475923754896960363138890331502811292427146595752813297603265829581292183917027983351121325,
    14388109104985808487337749876058284426747816961971581447380608277949200244660381570568531129775053684256071819837294436069133592772543582735985855506250660938574234958754211349215293281645205354069970790155237033436065434572020652955666855773232074749487007626050323967496732359278657193580493324467258802863,
    4379499308310772821004090447650785095356643590411706358119239166662089428685562719233435615196994728767593223519226235062647670077854687031681041462632566890129595506430188602238753450337691441293042716909901692570971955078924699306873191983953501093343423248482960643055943413031768521782634679536276233318,
    85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771,
    50576597458517451578431293746926099486388286246142012476814190030935689430726042810458344828563913001012415702876199708216875020997112089693759638454900092580746638631062117961876611545851157613835724635005253792316142379239047654392970415343694657580353333217547079551304961116837545648785312490665576832987,
    96868738830341112368094632337476840272563704408573054404213766500407517251810212494515862176356916912627172280446141202661640191237336568731069327906100896178776245311689857997012187599140875912026589672629935267844696976980890380730867520071059572350667913710344648377601017758188404474812654737363275994871,
    4881261656846638800623549662943393234361061827128610120046315649707078244180313661063004390750821317096754282796876479695558644108492317407662131441224257537276274962372021273583478509416358764706098471849536036184924640593888902859441388472856822541452041181244337124767666161645827145408781917658423571721,
    18237936726367556664171427575475596460727369368246286138804284742124256700367133250078608537129877968287885457417957868580553371999414227484737603688992620953200143688061024092623556471053006464123205133894607923801371986027458274343737860395496260538663183193877539815179246700525865152165600985105257601565
]

# Function to compute Legendre symbol (a/p)
def legendre_symbol(a, p):
    return pow(a, (p - 1) // 2, p)

# Find the quadratic residue
quadratic_residue = None
for a in ints:
    if legendre_symbol(a, p) == 1:
        quadratic_residue = a
        break

print(quadratic_residue)


85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771


In [16]:
legendre_symbol(quadratic_residue,p)

1

In [25]:
p%4
#for using (p+1)/4 exponentiation if p is of the form 4k+1 for some natural number k

3

In [24]:
# Compute the square root using (p+1)/4 exponentiation since p is of the form 4k+1 for some natural number k
sqrt_residue = pow(quadratic_residue, (p + 1) // 4, p)

# Since modular square roots have two solutions, we ensure we return the larger one
larger_root = max(sqrt_residue, p - sqrt_residue)
print(larger_root)


if (larger_root**2)%p == quadratic_residue%p:
    print("root of the quadratic residue verified")


93291799125366706806545638475797430512104976066103610269938025709952247020061090804870186195285998727680200979853848718589126765742550855954805290253592144209552123062161458584575060939481368210688629862036958857604707468372384278049741369153506182660264876115428251983455344219194133033177700490981696141526
root of the quadratic residue verified


__________________________________________________________________________________________
 *F15*



 

In Legendre Symbol we introduced a fast way to determine whether a number is a square root modulo a prime. We can go further: there are algorithms for efficiently calculating such roots. The best one in practice is called Tonelli-Shanks, which gets its funny name from the fact that it was first described by an Italian in the 19th century and rediscovered independently by Daniel Shanks in the 1970s.

All primes that aren't 2 are of the form $p \equiv 1 \mod 4$ or $p \equiv 3 \mod 4$, since all odd numbers obey these congruences. As the previous challenge hinted, in the $p \equiv 3 \mod 4$ case, a really simple formula for computing square roots can be derived directly from Fermat's little theorem. That leaves us still with the $p \equiv 1 \mod 4$ case, so a more general algorithm is required.

In a congruence of the form $r^2 \equiv a \mod p$, Tonelli-Shanks calculates $r$.

Tonelli-Shanks doesn't work for composite (non-prime) moduli. Finding square roots modulo composites is computationally equivalent to integer factorization - that is, it's a hard problem.


The main use-case for this algorithm is finding elliptic curve coordinates. Its operation is somewhat complex so we're not going to discuss the details, however, implementations are easy to find and Sage has one built-in.

Find the square root of $a$ modulo the 2048-bit prime $p$. Give the smaller of the two roots as your answer.

a = 8479994658316772151941616510097127087554541274812435112009425778595495359700244470400642403747058566807127814165396640215844192327900454116257979487432016769329970767046735091249898678088061634796559556704959846424131820416048436501387617211770124292793308079214153179977624440438616958575058361193975686620046439877308339989295604537867493683872778843921771307305602776398786978353866231661453376056771972069776398999013769588936194859344941268223184197231368887060609212875507518936172060702209557124430477137421847130682601666968691651447236917018634902407704797328509461854842432015009878011354022108661461024768
p = 30531851861994333252675935111487950694414332763909083514133769861350960895076504687261369815735742549428789138300843082086550059082835141454526618160634109969195486322015775943030060449557090064811940139431735209185996454739163555910726493597222646855506445602953689527405362207926990442391705014604777038685880527537489845359101552442292804398472642356609304810680731556542002301547846635101455995732584071355903010856718680732337369128498655255277003643669031694516851390505923416710601212618443109844041514942401969629158975457079026906304328749039997262960301209158175920051890620947063936347307238412281568760161

In [26]:
from sagemath.all import *
10.ndigits()

SyntaxError: invalid decimal literal (3746636715.py, line 2)