CTFs

Snails - CryptoCTF

This challenge implements ECDSA over a custom elliptic curve. The nonces that it generates for ECDSA are 512 bits long, while the order of the curve is 521 bits long. Therefore, the generated nonces are “small” compared to the order of the curve. We will use LLL to exploit this and recover the key. This is the code of the challenge: def sign(msg, skey): h = bytes_to_long(sha512(msg).digest()) k = getRandomNBitInteger(h.bit_length()) P = k * G r = int(P.xy()[0]) % n s = pow(k, -1, n) * (h + r * skey) % n return (r, s) def main(): border = "┃" pr( "┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓") pr(border, " Hey! To solve the Snails cryptography challenges one often needs", border) pr(border, " to perform meticulous bit by bit analysis to uncover loopholes ", border) pr(border, " and ultimately extract the high value flag! Good luck ;) 🐌🐌🐌 ", border) pr( "┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛") global flag, G, n skey = bytes_to_long(flag) p = 0x013835f64744f5f06c88c8d7ebfb55e127d790e5a7a58b7172f033db4afad4aca1ae1cdb891338cf963b30ff08d6af71327770d00c472c52290a60fb43f1d070025b a = 0x0109ec0177a5a57e7b7890993e11ba1bc7ba63c1f2afd904a1df35d1fda7363ea8e83f3291e25b69dac26d046dc5ba9a42ff74cd7e52c9df5dbe8d4d02755d26b111 b = 0x0037c84047a6cc14e36d180f9b688fe9959cb63f4ac37b22eb24559e83cfc658ff0ab753540b8ab8d85a62dd67aa92f79dec20d28e453d4663ef2882c7b031ddc0b9 n = 0x013835f64744f5f06c88c8d7ebfb55e127d790e5a7a58b7172f033db4afad4aca1aad8763fe2401b5189d1c449547a6b5295586ce30c94852845d468d52445548739 x = 0x00339495fdbeba9a9f695d6e93effeb937609ce2e628958cd59ba307eb3a43c4c3a54b9b951cd593c876df93a9b0ed7d64df641af94668cb594b6a636ae386e1ac1b y = 0x00038389f29ad8c87e79a8b854e78310b72febb6b1840e360b0a43733933529ee6a04f6d7ea0d91104eb83d1162d55c410eca1c7b45829925fb2a9bf9c1232c32972 E = EllipticCurve(GF(p), [a, b]) G = E(x, y) m = '✔✔✔ My signature is the priority'.encode() while True: pr(f"{border} Options: \n{border}\t[S]ign message! \n{border}\t[Q]uit") ans = sc().decode().strip().lower() if ans == 's': pr(border, f'Please send your message: ') msg = sc().strip() if m in msg and len(msg) == 40: r, s = sign(msg, skey) pr(border, f'{r = }') pr(border, f'{s = }') else: die(border, 'Not valid message! Bye!!') elif ans == 'q': die(border, "Quitting...") else: die(border, "Bye...") We note that the order of the curve is 521 bits long:

Saturday, January 3, 2026 | 3 minutes Read

ASIS Primes - CryptoCTF

This challenge is a RSA-style challenge, in which we can provide the prime numbers used for encryption as long as they satisfy specific conditions. First, standard parameters are generated: global flag nbit = 512 p, q = [getPrime(nbit) for _ in range(2)] e = 65537 Then, the main challenge’s logic goes into this loop: while True: pr(f"{border} Options: \n{border}\t[E]ncrypted the flag! \n{border}\t[S]ubmit primes! \n{border}\t[Q]uit") ans = sc().decode().strip().lower() if ans == 'e': m = bytes_to_long(flag) c = pow(m, e ^ 1, p * q) pr(f'{c = }') elif ans == 's': pinit = f'CCTF{{7H!S_iZ_th3_f1RSt_pRim3__P_f0R_oUr_{nbit}-bit_m0DulU5_{rand_str(randint(5, 40))}'.encode() qinit = f'CCTF{{7H!S_iZ_th3_s3c0Nd_pRim3_Q_f0R_oUr_{nbit}-bit_m0DulU5_{rand_str(randint(5, 40))}'.encode() pr(border, f'the condition for the first prime is: {pinit}') pr(border, f'the condition for the second prime is: {qinit}') pr(border, f'Please submit the primes p, q: ') inp = sc().decode().strip() try: _p, _q = [int(_) for _ in inp.split(',')] _pbytes, _qbytes = [long_to_bytes(_) for _ in (_p, _q)] if ( isPrime(_p) and isPrime(_q) and _pbytes.startswith(pinit) and _qbytes.startswith(qinit) and _pbytes.endswith(b'}') and _qbytes.endswith(b'}') and is_valid(_pbytes) and is_valid(_qbytes) and (9 * _p * _q).bit_length() == 2 * nbit ): p, q = _p, _q except: pr(border, f'The input you provided is not valid! Try again!!') nbit += 1¡ And the is_valid and rand_str functions are:

Saturday, December 27, 2025 | 4 minutes Read

Ikkyu San - CryptoCTF

For this challenge, we are given the file Ikkyu_san.sage. First, it generates some parameters: def Ikkyu(nbit): p = getPrime(nbit) while True: a, b = [randint(1, p - 1) for _ in range(2)] E = EllipticCurve(GF(p), [a, b]) G, H = [E.random_point() for _ in range(2)] try: I = E.lift_x(1) except: if legendre_symbol(b - a - 1, p) < 0: return p, E, G, H nbit = 256 pr(border, f'Generating parameters, please wait... ') p, E, G, H = Ikkyu(nbit) F = GF(p) Then, the main loop goes as follows:

Saturday, December 27, 2025 | 5 minutes Read

Lowdown - CryptoCTF

In this challenge, we are given a file called lowdown.sage. The challenge implements a custom signature scheme. If we are able to forge a signature for a given message, we get the flag. The challenge first generates the key and the random message to sign: def makey(k): while True: g = random_matrix(F, k) if g.is_invertible(): ng = 1 << 192 # g.order() break r, a = [randint(2, ng - 2) for _ in '01'] gg = g ** r pkey, skey = (g, gg ** a), r return(pkey, skey) global F, k F = GF(256) k = 10 pkey, skey = makey(k) msg = ''.join([string.printable[randint(0, 85)] for _ in range(40)]).encode() It picks a random matrix $g \in GL(10, F)$ (invertible 10$\times$10 matrix with elements on the field $F$) and generates two random numbers $r$ and $a$. The private key is the random number $r$ and the public key is composed by the matrix $g$ and the matrix $g^{ra}$.

Saturday, December 27, 2025 | 5 minutes Read

Mechanic II - CryptoCTF

In this challenge, we need to analyze an oracle involving PQC. More specifically, involving MLKEM-1024. We are given a file mechanic_ii.py. First, it generates 1337 MLKEM key pairs: kem = MLKEM_1024() c, n = 0, 1337 KEY_PAIR = [kem.keygen() for _ in range(n)] SKEYS = [KEY_PAIR[_][1] for _ in range(n)] r = randint(0, n - 1) cipher, shasec = kem.encaps(KEY_PAIR[r][0]) secret = hashlib.sha3_256(shasec + hashlib.sha3_256(shasec + str(r).encode()).digest()).hexdigest() It picks one of those pairs at random, computes the shared secret, and then computes a secret string based on the shared secret and the random chosen index r. The main loop of the challenge goes like this:

Saturday, December 27, 2025 | 6 minutes Read

Mitram - CryptoCTF

This is a bit weird challenge in my opinion. It constructs some exotic matrices, mix them up a little bit and expects us to recover the flag from the output. This is the code: q, v, m = 256, 40, 14 _F = GF(q) def makeup(M, n): for i in range(n): for j in range(i, n): M[i, j] += M[j, i] M[j, i] = 0 return M def mitramap(): _M = [] for s in range(m): M = zero_matrix(_F, v + m, v + m) for i in range(0, v): M[i, (i + s + 1) % v] = _F.random_element() M[i, (i + s) % m + v] = _F.random_element() M = makeup(M, v + m) _M.append(M) return _M def n2F(n): x = _F.gen() e = sum(((n >> _) & 1) * x ** _ for _ in range(8)) return e def F2n(e): x = _F.gen() n = 0 for _ in range(8): n |= (int(e.coefficient(x, _)) << _) return n def embed_secret(msg, v, m): M = random_matrix(_F, v, m) for _ in range(v): M[_, 0] = n2F(msg[_]) return M def maketrig(): return block_matrix([[identity_matrix(_F, v), embed_secret(flag, v, m)], [zero_matrix(_F, m, v), identity_matrix(_F, m)]]) def makepub(F, S): S = S.submatrix(0, v, v, m) Z = zero_matrix(_F, m, v) return [ block_matrix([ [G := M.submatrix(0, 0, v, v), (G + G.transpose()) * S + (H := M.submatrix(0, v, v, m))], [Z, makeup(S.transpose() * G * S + S.transpose() * H, m)] ]) for M in F[:m] ] F, S = mitramap(), maketrig() P = makepub(F, S) print(f'{dumps(F) = }') print(f'{dumps(P) = }') Let’s forget about the specifics of the mitramap and makeup functions, as I won’t be using them in this solution. Note that the maketrig function creates a random matrix whose first column is the flag. Our goal is to recover this matrix $S$.

Saturday, December 27, 2025 | 3 minutes Read

Phoney - CryptoCTF

This is a (multi) RSA-type of challenge, in which we are given some relationships between the prime numbers used, and we have to recover them to decrypt the flag. This is the code: def keygen(nbit): p, q, r = [getPrime(nbit + (nbit >> 3) * _) for _ in range(3)] return p, q, r m = bytes_to_long(os.urandom(len(flag)) + flag + os.urandom(len(flag))) nbit = 512 p, q, r = keygen(nbit) n, s, e = p * q * r, inverse(p, q * r) + p, 1234567891 while True: pr(f"{border} Options: \n{border}\t[E]ncrypt the flag! \n{border}\t[P]ublic information \n{border}\t[Q]uit") ans = sc().decode().strip().lower() if ans == 'e': assert m < n c = pow(m, e, n) pr(f'{c = }') elif ans == 'p': pr(border, f'{n = }') pr(border, f'{s = }') pr(border, f'{q % p = }') So, the server generates three prime numbers, $r, s$ and $t$, of 512, 576 and 640 bits, respectively. Then, we are given $n = pqr$, $s$, which is computed as s = inverse(p, q*r) + p and q % p. First, note that as $qr$ is quite bigger than $p$, we can take the sum of $p$ into the modular expression and say that

Saturday, December 27, 2025 | 4 minutes Read

Silky - CryptoCTF

In this challenge, we are given the file Silky.sage. It starts by generating some parameters: def randroad(B): return vector(ZZ,[randint(-B, B) for _ in range(n)]) def main(): global flag, B, n, D, t B, n = 5, 19 D, t = 110, 128 l = int(4 * D * B / t) c, key = 0, randroad(B) In particular, it generates a key that is a vector of length 19 with integer values in $[-5, 5]$. Then, this is the main loop of the challenge:

Saturday, December 27, 2025 | 3 minutes Read

Sobata - CryptoCTF

For this challenge, we are given the file sobata.sage and a remote instance that runs this script. First, the challenge creates a set of parameters: nbit = 512 parameters = gen_params(nbit) E = parameters[1] m = bytes_to_long(FLAG) assert m < parameters[0] and this is the gen_params function: def gen_params(nbit): while True: p = getPrime(nbit) if p % 6 == 1: F = GF(p) R = [F.random_element() for _ in '01'] a, b = [R[_] ** ((p - 1) // (3 - _)) for _ in [0, 1]] if a != 1 and b != 1: c, d = [F.random_element() for _ in '01'] E = EllipticCurve(GF(p), [0, d]) return (p, E, a, b, c) So the challenge computes a random prime numer $p$ that satisifes $p \equiv 1 \ (mod \ p)$, a random number $c$, an elliptic curve $E: y^2 = x^3 + d$ over $\mathbb{Z}_p$ and two non-trivial numbers $a$ and $b$ such that $a^3 \equiv 1 \ (mod \ p)$ and $b^2 \equiv 1 \ (mod \ p)$. That is, $a$ is a cubic root of unity and $b$, a square root of unity.

Saturday, December 27, 2025 | 4 minutes Read

Toffee - CryptoCTF

In this challenge, we are given the file Toffee.sage, which implements a custom signature scheme using elliptic curves. First, it generates some parameters: global flag, u, v, k, _n, G skey = bytes_to_long(flag) p = 0xaeaf714c13bfbff63dd6c4f07dd366674ebe93f6ec6ea51ac8584d9982c41882ebea6f6e7b0e959d2c36ba5e27705daffacd9a49b39d5beedc74976b30a260c9 a, b = -7, 0xd3f1356a42265cb4aec98a80b713fb724f44e747fe73d907bdc598557e0d96c5 _n = 0xaeaf714c13bfbff63dd6c4f07dd366674ebe93f6ec6ea51ac8584d9982c41881d942f0dddae61b0641e2a2cf144534c42bf8a9c3cb7bdc2a4392fcb2cc01ef87 x = 0xa0e29c8968e02582d98219ce07dd043270b27e06568cb309131701b3b61c5c374d0dda5ad341baa9d533c17c8a8227df3f7e613447f01e17abbc2645fe5465b0 y = 0x5ee57d33874773dd18f22f9a81b615976a9687222c392801ed9ad96aa6ed364e973edda16c6a3b64760ca74390bb44088bf7156595f5b39bfee3c5cef31c45e1 F = FiniteField(p) E = EllipticCurve(F, [a, b]) G = E(x, y) u, v, k = [randint(1, _n) for _ in ';-)'] Then, we have the main challenge’s loop: while True: pr(f"{border} Options: \n{border}\t[G]et toffee! \n{border}\t[S]ign message! \n{border}\t[Q]uit") ans = sc().decode().strip().lower() if ans == 'g': pr(border, f'Please let me know your seed: ') _k = sc().decode().strip() try: _k = int(_k) except: die(border, 'Your seed is not valid! Bye!!') pr(f'{toffee(u, v, _k) = }') elif ans == 's': pr(border, f'Please send your message: ') msg = sc().strip() r, s = sign(msg, skey) pr(border, f'{r = }') pr(border, f'{s = }') elif ans == 'q': die(border, "Quitting...") else: die(border, "Bye...") The secret key used to sign the messages is the flag. We can:

Saturday, December 27, 2025 | 3 minutes Read

Interpol - CryptoCTF

In this challenge, we are given two files: interpol.sage and output.raw. This is the challenge’s code: from Crypto.Util.number import * from flag import flag def randpos(n): if randint(0, 1): return True, [(-(1 + (19*n - 14) % len(flag)), ord(flag[(63 * n - 40) % len(flag)]))] else: return False, [(randint(0, 313), (-1) ** randint(0, 1) * Rational(str(getPrime(32)) + '/' + str(getPrime(32))))] c, n, DATA = 0, 0, [] while True: _b, _d = randpos(n) H = [d[0] for d in DATA] if _b: n += 1 DATA += _d else: if _d[0][0] in H: continue else: DATA += _d c += 1 if n >= len(flag): break A = [DATA[_][0] for _ in range(len(DATA))] poly = QQ['x'].lagrange_polynomial(DATA).dumps() f = open('output.raw', 'wb') f.write(poly) f.close() The challenge creates an array whose entries are the (x,y) coordinates of rational points. Every time a new point is added to the array, there are two possibilities:

Wednesday, December 24, 2025 | 2 minutes Read

Mancity - CryptoCTF

This challenge is another RSA-style challenge, in which we need to factor n. We are given the files mancity.py and output.txt. This is the main code: nbit = 256 p, q = keygen(nbit) m = bytes_to_long(flag) assert m < n--- title: "Ikkyu San - CryptoCTF" date: 2025-12-27 hero: hero.jpg menu: sidebar: name: Ikkyu San identifier: cryptoctf-2025-ikkyu-san parent: cryptoctf-2025 weight: 11 --- e, n = 1234567891, p * q c = pow(m, e, n) print(f'n = {n}') print(f'c = {c}') And these, the functions used to generate the prime numbers:

Wednesday, December 24, 2025 | 2 minutes Read