#crypto
writes impossible challenge
leaves without saying a word
Thanks for the response ❤️ that's unfortunate
Fermat's Last Crypto CTF Challenge... 100% solvable, but not enough free storage in the challenge author's webhost to post the full writeup 😂
found the solution for shor!!!!1!!
Chat is this real
are you shor?
not shor😭
The Vorpal challenge (x0 + 1) does not work
server seems up for me
wdym?
Doesn't even ask for page number
any hint for vorpal_sword?
Beware the Jabberwock, my son! The jaws that bite, the claws that catch!
I hope that's not a reference to some older challenge
ohhh I remember this poem from high school, haha
why did i never question the chall name
i was like
thats prob some random string or something
lmaooao
... it's not helping me at all 🥲
ya hints arent allowed lol
ohh I see
so where is mea-shor-ment error's write up lol
the author has not been online since the end of last year's ctf
nsa containment too strong
unbelievable
crazy work
ohhh so that's where the names were from 😭
Wait that’s wild 💀
Did bro die
he got detained by the organization for possessing the forbidden knowledge
bro is vorpal-sword even solvable?
Yes!
are you sure an org didn't just leak the flag to 95 teams
oops mb
You never know
I actually do know because I was the one to leak
Ah
Makes sense
Did you send it to the 95 teams manually or did you put it on Reddit
He submitted himself in db
I thought it'd be too embarrassing that we released an unsolvable crypto so I gave out flags
Yeah sure
Why couldnt you think of that last year?
have you considered that maybe mea-shor-ment is solvable
No
you're right it isn't
Can you please send me the flag of nil-circ?
Or also the solvescript would be appreciated
in 3.75 hours i can
i think you'll enjoy the anticipation
it's a secret challenge
I can control myself for not posting the solution, what the other users would do with that is out of my control and they didn't seem to behave enough during the challenge to make me believe they would in such case. Please, be patient
are you the famous eboy of roma nord?
yeee i am :3
Only solvable crypto this time? o.0
all ever since the mrbeast collab...
jk fairy-ring is unsolvable, that must be some ruse
Please give me the flag for GC one, I’ve got the solve in mind, but I don’t have enough towels to dry the sweat it takes to be implemented
I have a solve for mea-shor-ment in mind, but I don't have enough qubits.
Try to compress towels into qubits, might work
how long until i get writeups for vorpal?
fr fr I am going mad here trying to work it out
i thought i was the only one stuck at it
end of the CTF
and if you find any before send them here so we can ban them
You can have it now for 1 bitcoin. 😈
Do you have author write ups ready to go?
Fair enough. Like I'm assuming its something obvious I just don't know yet considering the top teams answered it almost instantly
tbh, I think winxy-pistol was easier
Wait really?
I looked at it and just thought it was a harder version
How vorpal sword has more solves than satisfied does my head in
Thank you
I have just run out of ideas to try at this point
fairy-ring solve?
Drop the writeups
I need answers rn! xD
i have 0 ideas on this one
^^
nil-circ solve?
I didnt solve it, but i think i had the idea
send S/2 the first time so that you can extract the xor of a wire
The GC implementation uses the free xor, and at that point u can get every pair of key
I tried the find-the-paper way and utterly failed, hope that at least it wasn't like that
this was my tldr solve for fairy-ring (mentioned blog was https://affine.group/writeup/2023-07-CorCTF-OilSpill)
was the solution to satisfied related to the fact that one of the generators had order 2q instead of q. Couldn't figure out how to leverage it
no the permutation can be a fake one, like you could send permutation=[1,1,1,1,1] to duplicate edges
wow I was in such a big rabbit hole then
Why did they do such sus things to the parameters lmao
i asked the author, it was unintended
nice
i don't think the order being 2q is exploitable
i have no idea what is this about xd
I'll have to wait for a writeup
at least not efficiently enough to get the flag
Agreed
My challenge writeups: https://priv.pub/posts/dicectf-quals-2025/
Solve code: https://github.com/defund/ctf/tree/master/dicectf-quals-2025
unbalanced oil and vinegar scheme lol
this is not a real ring signature scheme
fr spent so long on satisfied going down the wrong path before i realized the permute_graph function was exploitable 💀
😭 are you kidding me how did I miss that with Vorpal sword
I'm going to go find a corner to cry in real quick
yeah, that much was obvious. what to do with no signatures given was another problem tho 😅
For vorpal-sword you could also do this :
# Craft v so that there is a relation (v - x0) = k^e * (v - x1)
k = 77777777777777777
ke = pow(k, e, n)
v = (ke * x1 - x0) * pow(ke - 1, -1, n) % n
assert (v - x0) % n == (ke * (v - x1)) % n
#assert pow(v - x0, d, n) == k * pow(v - x1, d, n) % n # This will be true
It is on a paper tho
you could simulate every signature tho, why would you need one?
yeah it's a well-known-ish trick
ok not actually well-known but
i don't think it's attributable to a specific paper
https://priv.pub/posts/rainbow-attack/
so it was actually "find a paper"
and even with a hint of where to look for
and here i was almost modifying a generic attack to work on this 
just needed a few more signers
very good challenges @upbeat hazel , thank you for the work
it's also mentioned in mayo: https://eprint.iacr.org/2021/1144.pdf
^^ enjoyed the crypto this ctf
can you guys please make writeups? 🥺
an end-to-end writeup for nil-circ would make my day
very curious to see what the human way of writing nil circ is
my way took way too long to write
wdym by "writing"?
like your solution?
Thanks for the challenges this was really nice 👍
so did I but I have no clue what traits are so I copied and created a new file called mycircuits.rs and removed all "subclasses" or whatever these things are
and rewrote everything from scratch using WireMod2 instead of Item, no templating etc
o
i'm not claiming this is pretty or anything
anyways i just exported a list of constraints, and then solved linear system in sage
ok actually mine is not that far off lmao, maybe there is no (significantly) better way of doing it
I also modified rust code to print the 4 possible outputs of AND gates (using the free-xor key), then was parsing these logs from python. Most difficult was figuring how to pass the free-xor key around in global variables (also build setup).
Tried to do a correlation attack but failed, idk why.
I was also having that issue, ended up printing it from inside the OT and then gave it to stdin from outside the call stack 
i think i patched like 10 files in the library while debugging this shit, then parsed the output into z3 to get key
doesnt breaking one bit to get the xor mask completely fuck up the first and gate it reaches?
i wasted so much time on that chall as i thought initially it had something to do with the fact that the OT was modified to run in not constant time
It does, but other 15 S-boxes should be fine
sure, but where would you do correlation then? at that point its way simpler to do it with the and gate
We found a paper that implements exactly that scheme: https://link.springer.com/chapter/10.1007/978-3-319-57339-7_1
xd
I tried to correlate with every other AND gate, the ones not corrupted.
I just hooked into circ.eval to print the gates and AND inputs and solved with z3.
oh wtf lol
i mean ig it's like an intuitive construction
that's funny
i wasn't aware of this
And they have a proof that it's safe. xd
erm
did it the same way. but i just passed it as the last input (i simply modified the OT to have a special case for the last index) so was pretty easy to get it in the gate eval one
making sure the gate indices/communication stayed sync was much more annoying in my impl
But I think that they don't consider the quadratic forms at all. That just count number of equations and number of variables and say it's ok according to state of the art generic algorithms.
But well, some MQ instances can be solved.
we wasted well over an hour because we didnt notice the gate number was getting incremented in that call... such a nice chall made painful because rust libraries doing rust library things
Yeah, I made that bug too, but didn't waste much time there, I was making sure to only make small changes and verifying it still works.
yeah whoever named that get_gatenum(?) function deserves a stern talking to
i called the and gate multiple times to get the results
exactly... who tf names a function that modifies shit like a getter
Yeah, I did that too at first. But because that was the only change I made and it broke I found the problem quickly.
in the end i hacked in a whole other trait that allows to modify the gate count and eval and's without communication, don't know how else to do it when everything's generic
I mean, when I knew there's same state in this function, that one was the most obvious one tbh.
and do they limit the number of signers? because this thing is breakable pretty easily with 15 signers, and i think it should be doable with 11
meanwhile 
They have some other parameters for more signers there. Because yes, with like 11 signers there's a generic MQ algorithm that can solve it.
same! 😄
how many signers did i give
6
o
yep, and i spent like 5 hours trying to figure out if i can stretch it to what we have
So, for fairy-ring was it important for the solve that you can use the same public key more than once, or not?
with 11 signers, you dont need that anymore
right
wtf is polar form? o.0
idk what the mathematical basis for it is
but in some sense it represents the derivative of the multivariate quadratic?
and it's bilinear
if your MQ is F(X) = x^t A x, then the polar form is G(x, y) = x^t (A + A^t) y
notice F(x + y) = (x + y)^t A (x + y) = x^t A x + x^t (A + A^t) y + y^t A y = F(x) + G(x, y) + F(y)
Oh, wow, it works! I was trying to come up by myself how to get linear equations from two (or more) quadratics but couldn't come up with anything. :C
Hmm, I guess it had many solves because ppl found your writeup? xd
I liked "satisfied", I had hamiltonian zkpok on uni like two weeks ago. xd
And was like, yo bro, that's totally correct, that lib must have a bug. :>
i tried to cheese the ch chall when it came out with the intended here, but sadly there it doesnt work by pure luck
Really liked the crypto challs. Thanks defund!
In winxy-pistol the same key is always used, unlike in vorpal-sword where it always generates a new one.
Yeah. Honestly I think I would have had better luck looking at it.
The Vorpal sword was just me being an idiot
And no amount of looking was going to fix the fact that I had forgotten that the relationship held even when you perform mods
for fairy ring i used messages of the form [(1,v), (1,0), (0,v)] with v a vector of unknowns, then everything just cancels out except something fully linear in v.
but i did get stuck in an interesting rabbit hole for a long time: i tried selecting 9 indices in the signatures, set everything else to 0, solve the linear equation system in the x_ix_j - where x_i is now a 6-dimensional vector (sig_j[i])_j - as variables (44 equations, 45 variables) and hope that the resulting system is solvable. unfortunately, the symmetric 9x9 matrix of those products would need rank <=6 (though not sure if that is even sufficient? basically, i'd need to find a "symmetrical" rank decomposition M * M^T) and that happens just a bit too rarely to be ctf-feasible (rank 7 is doable, but effort is something like ~256^(k²/2) for rank deficit k))
not sure if something along those lines could maybe be used for an attack with different keys too (with 7 keys at least)
i have no idea what i just read, but looking into it more, i also think this should actually be solvable with 7 keys without key reuse
It's probably only useful if you solved it and want to compare approach, but here's my solve for nil-circ. To compile that rust code you also need to patch swanky lib and make some of the fields public.
@upbeat hazel https://github.com/defund/ctf/blob/master/dicectf-quals-2025/nil-circ/solve/src/garble_evaluator.rs#L102
Wait, how did you make them equal? I've checked and all four were pairwise different. I've had to only look at the least significant bit (i.e. .color()).
it's checking whether any three are equal
Ah, wait, I think these were pairwise different before I noticed I had to add self.current_gate -= 1;. xd
And I think I haven't checked after I fixed it.
nvm
long writeup about nil-circ
https://blog.tanglee.top/2025/04/03/Revisiting-Garbled-Circuit.html
tl;dr: This blog will introduce the naive Yao's garbled circuit and state-of-the-art gate optimizations in fancy-garbling library (implementation of BMR16). T...
clean writeup dam
hi guys
Hi everyone 👋 I’m working on a CTF crypto challenge and I’m stuck
can someone help me plz find the flag code
the problem is that we dont have the secret_function()
plz any help
i have 30 min left plz
you shouldnt ask for help for active CTFs 👍
i would normally delete but I think it is funnier for everyone to see this and for there to be an example of what not to do
secret function
Would be helpful if you can share the total output.txt (im only trying to help cuz your nickname somehow looks similar to mine)
.
.
.
people should look at crypto/dot
it's actually about morse code
dots and dashes
is carry-the-flam up?
Looks good to me
why did it have to be 65000 rounds
Why not 65537
Ragebait
@analog stump
niceness reasons
Ok I drink
can you put an instance up with 2^16 rounds i wanna flex
flex your gpu or did you actually solve the challenge
Wow you are so rich :3
no:)
nuh uh
these zkp challs so tuff huge respect to those who solve them
^ ppl who solved them = chatgpt or claude
modern Doraemon 😂
Saddening
Whoever made this flame crypto you’ve got my hate.😭 I hate you so much...
flame(your computer)
haha
HOOWWWW are you supposed to do carry the flame??????
No way
but what is the attack
5 mins on rtx 5090 were enough
yes.
wu for dot pls
dot [crypto]
The vuln is that the verifier does not check a full proof. It only checks whether a single derived group element lands in a precomputed lookup table. Because the CRS is public, we can build an honest proof locally for any correct addition. also for flipping one chosen output bit of c there is a fixed public correction in the proof coordinates that almost completely cancels the verifier's hidden constraint contribution. leaving only 1 hidden scalar lambda on the base point. that scalar only depends on 2 small hidden coefficients.
so for a challenge (a,b) compute the proof locally but instead of answering with the correct c flip one chosen bit of c and add the corresponding public correction to the proof. Then subtract a brute-forced lambda * G. if the brute-forced value is correct the verifier sees exactly the same table point as for the proof. so it accepts the wrong answer and prints huh?. after getting lambda we repeat that forged wrong proof on 20 new challs to build the streak and gg
bruteforce lambda (im not crazy to do it in the 34 bit space)
we know that lambda = u * (1 + b * (u + w)), where u and w are both only in [-256, 256]. So instead of searching an arbitrary 34-bit space, just used this. That gives only about 262k candidates, which is around 2^18, not 2^34.
was brute force intended?
I was trying to actually solve it but then one of the teammates said wait it could be bruteforced
We just cuda'ed it
Yea cuda ftw
Are we for real
how do you empty out the market?
couldn't find any way within the contract for housing
me when amd
I didn't think of using a GPU. 😭
Me and @fossil forge tried cuda but got unlucky
same
any way to solve carry-the-flame without brute force? I tried the slide attack. But fetching 2^20 plaintexts takes too long
same
We tried that at first
it works locally but remote is a potato
our better attempts were around 0.02 % success odds per attempt
how is one meant to solve carry the flame without a trillion cpu cores or an rtx 6090
I thought theres something intended way not bruteforce
I cry
i used 14x 4090s, solve time ~1 minute, would have been an hour or so before the reduced rounds
first blood go brr
a challenge worth $14
the-2000s-american-housing-crisis
I tried a lot but no luck then we just bruteforced it
cost $5 btw
So without being pay to win, how can we solve the flame chall
fuh nag
Worth it
Lol I think we will need an official writeup to see if there is a poor man's solution
fr
yes
same, and to optimize it further, I implemented that cipher using bitslicing
bro aint no way people bruteforcing the last one like that 💀
pro optimizing man
It costed us 0.389 or smth but had to pay 5$ as the minimum
i got 18 billion keys per second
x1 A100 2 hours
gosu
Bruhhh 
keys per second unit crazy
and any tldr for american-house pls ?
You got nasa's server room access?
birthday for 2^20? just save 2^32 and connect 256 times smh
+1
pow took longer per solve
i implemented multi connection like that
and threw it away once the rounds got reduced
did this, tried for hours, lady luck hates me
not worth it
just do 60 sessions and crack all of them at the same time. cracking the ones with high entropy using the gpu. i could solve it in 1:30m with my RX 9060 XT. btw i don't like that chall
Did anyone attempt Planar without AI?
the-2000s-american-housing-crisis
- market 1 can be bet/resolved before it is "created" (because bet/resolve don't check nextMarketIndex). createMarket() later sets marketResolution[1]=0 but does not clear yesVotes/noVotes/totalYesBet/totalNoBet/cashedOut.
- This lets stale phase-1 bets be reused in phase-2 payout math, creating overpayment and draining the seeded 1 ETH.
- DAO owner control was achieved via the proposal/tally proof flaws, then used to run resolve/create/resolve on market 1.
Working amounts and sequence:
- Phase 1 bets on market 1: A (us): yes 0.6 ETH, B (unlocked dev acct): no 0.4 ETH
- Owner resolve yes, then A cashout -> market back to 1 ETH
- Owner createMarket(...) (re-inits market 1 resolution only)
- B adds second no 0.2 ETH
- Owner resolve no, then B cashout -> market balance 0, isSolved=true
Gg
Could you tell me more about that idea?
I spend all my time doing cryptanalysis on flame only to find out I was supposed to turn off my brain and whip out my wallet 😭
hello, didnt play this ctf, just asking did the challenges resist ai?
assume first byte of the key is 0, build a dictionary of encryptions of a chosen plaintext (say all zeros) with all possible keys (only lower 32 bits), retry until oracle gives you an encryption you've saved
save enc(\x00 * 5, key) for 2^32 keys, and pray the key matches on remote (probability 1/256)
20GB by saving only the ciphertext as a plain binary file (with key being the index), search does become linear tho, but the bottleneck is still the pow lol
crazy omg
Thx
Thx
two or three did
Was trying this till I got rage baited
crazy out of the box thinking
Jerry did you manage to solve it that way?
not trying to be sarcastic or anything sorry but i dont feel this is anything close to a 6x 🔥 idea
, what are the standards these days
wdym 6🔥 ide
is there a way to solve flame with cpu only?
what was the intended solve tho? i solved locally with same method, tho generated only 2^30 keys
ig slide attack was applicable there somehow, but my connection got reset all the time and i couldnt get enough cts
how long did you run it?
how many gpus did you use
this took 3 minutes (for saving 20GiB file) with 64 core cpu
my worst case was 15 mins with 8 4090s
so original 2^16 was doable as well with cpu
I'm fairly sure nobody who solved the challenge did it without just throwing compute at it so if there is one nobody but the author knows it
wdym 3 minutes lol. i generated 16 gib in like 5hrs i guess
idk llm helped me
14
eh couple of hours ig
remote didnt work out cuz of the PoWs
i mean, i left it solving PoW's today in the morning and wanted to see if it solved this evening, but i couldnt get to my laptop in time
ig there was a way to apply slide attack. it just cant leave my mind for some reason, same key and 65536 rounds
Yeah that's what I got too but still needed far too many pairs for remote to handle with normal compute
there is, just not feasible in python, reimplement in C/C++ and it works
it doesn't work due to data complexity
(unless you mean reimplementing the server)
I was having issues just getting pairs from the server
yes I mean the server
how th did you manage to keep the connection alive? it just couldnt generate enough pairs for me
I mean the existence of the attack theoretically
nah same as you, I tried the 2^32 keys but wasn't lucky enough
so when you generated 2^32 keys, you bought gpu or smtn? I did it on my laptop's builtin lol
i mean that follows from the conversation, but seems somewhat cringy
CPU, i3-10110U
wth
took close to 2 hours but I obviously reimplemented the cipher in C++ with optimized sbox and pbox
and parallelized with openmp
bit slicing or avx512 gf2p8affineinvqb?
(I found that the former performed much better because the p-box was difficult to implement in parallel with the latter)
i wish rounds was 2^16
real
just precomputed lookup tables
as in aes fused s-box + mixcolumns?
yup
Me too it should be fair for everyone
Debatable.
Not everyone has access to paid LLMs/agents either
So unless that's banned, I don't really see much harm with p2w challs either
there's quite a difference between purchasing a $20/month plan online than buying a $2000 gpu?
400 times cheaper btw
as well as purchasing a $0.5/hour plan online for the duration of 30 minutes
You could hire vps for way less btw
hmm i suppose yeah
Well yeah this chall takes like 15 mins on a vps(ours did at least)
So 1.1$
well surely the intended sol wasn't to rent a vps?
I hope so
still am curious what the intended is
I tried slide attacks and birthday attack for a long time but got no luck
@upbeat hazel ‘s challenge was banger atleast, solved welcome and dots
Did you slop it
At a moment i thought it could be tmto attack
Btw soon hari' solve, on the remote should take a few hours I assume? Given it takes all 256 attempts to hit the right probability at the worst case, and solving 256 pows should cost 2 hours at least?
Did you slop dots
Oh you remind me I should fill the survey now instead of curl-ing it for the flag
No I suffered
Hooray
i used 64thread
Ah
Yeah I told myself I will solve yours and gtfo
I think I know who did this
It’s alright @lime idol you can use my vps
Finally i can sleep now
..
But I’m wondering… What if the author didn’t reduce the rounds? Within 1200 seconds, it might be hard, right? And it would also be a more expensive challenge.. 
most of the quick enough solves just need 1~2 pair of ciphertext so i dont think it matters much
what was the bug tho
"together broken" almost certainly refers to the slide attack breaking the cipher
through its repeated structure but getting it to work is another thing
ngl
it doesn't
I came up with that flag because it was funny
That's all there is to it
was it meant to be brute forced like that? I'm still trying to figure it out
@analog stump
got to like 0,1% and it was at times random enough that i thought it might have a decent shot (after all its ~quadratic in the successful runtime)
did you track how many blocks you were getting per attempt? we had ~10000
so just open 1000 connections in parallel
well the compute is on the server so feels a bit wrong to do that
oh... hopefully they have 1000 cores
im sure that would just make it a lot less unstable
femc
wasnt really very actively playing though
for obvious reasons not very motivated
waitt no way
any news for mea-shor-ment-error?
maybe once quantum computers are better
I think we should try to clank it at this point in time
unsloppable
crypto more like rot52
Nice
Its backdoored by the NSA 😮
newcrypt 2.0
sorry in advance
ok defund
oh no
did you add guess the cipher 
not sure if that’s announcing guess the encoding or bruce password 2
Bruce password 3
bruce password 2 
I choked when reading the 1st one
i have a ton of crypto challenges to do 🙂
there are more yet to be released
yeah, only two crypto challenges iykwim
should be three?
so bold of you to assume i would do newcrypt
btw, this might be tangentially useful for newcrypt v2: https://priv.pub/posts/redpwnctf-2020/#newcrypt
defund plugging everything
that helps a lot thanks lmao
unfair advantage, i see
thanks defund
shouldn't be too bad if i'm reading this paper right
lot of equations which is annoying
I would talk about difficulty curves but it is clearly all difficulty and no curve
tuxic challenges 
blame defund
@upbeat hazel mean 
that's the issue
all of my challs are certified no paper needed™
I'd rather play UHC than do crypto
aplet omg curvy 🥰
👀
my head is spinning after reading these equations
daring claim
surely there's an easier way
aplet pickle?
tbh this is just algebra at this point
if i knew how to use sage i think i would save myself this manual analysis
I wish I understood newcrypt write-ups
crypto challs tuxic
the funny thing is, there are two problems which could've been called plagiarism, because both change another CTF chall slightly
I wonder if they had to actively choose which to call that
huh, which ones
plagiarism and newcrypt v2
huh which ones
tbf newcrypt v2 is same author
dang sniped
self-plagiarism
tux was just sad that it got cheesed
"cheesed"
nice reordering of the problems
if I stole my own intellectual property I would be quite angry
and to think, it wasn't even cited as plagiarism
the lack of irony!
you would be quite angry at who may I ask
god
some more motivation: https://www.youtube.com/watch?v=WVErYPCmmeA
I would recommend https://youtu.be/Sagg08DrO5U
F
i might've manually copied and pasted wrong
can i dm tux cause i think i have a solution that works
yeah he's online right now
gg too hard
hmm i think there is some error on chall 😦
which chall?
newcrypt v2
ok thx
tbh any chall i cant solve has an error
anyways im 0.08% of the way to getting a flag 😎
mood
on that note, would anybody like to lend me a supercomputer
I'm sure that output file is wrong on newcrypt v2, but author is gone 😦 so sad😭
how many cores i need for plagiarism chall ? 👀
e is too big in plagiarism
the challenge™️
I mean it has a solve, so the chall is working
i'll give some more time on this then will switch back to pwn 😔
what if they just got root on quantum and used that to factor 🤔
what if the chall is to guess the flag from the former chall flag
yeah same I would be interested to know the approximate running time of the solving script for plagiarism
^
alright thanks
one of my cryptos is live
cheese solution for quantum : wait for ibm to build a fault-tolerant quantum computer and then just run the circuit
see #announcements
newcrypt v2 update
not sure if this is relevant to you, but ^
wow.. it fixed! Thx
Same, mine is gonna take like days to finish cuz of the complexity
wow almost like its designed to take more than 48 hours to run
most likely there's some optimization you have to make use of but my google skills are failing me
just get a faster computer 4head
the intended solution for all of the rsa challenges is to factor N on a quantum computer
if there's an optimization I would really like to know the solution
time complexity has no practical applications, just wait for moore's law to catch up to whatever hard problem you're doing
tru
and when moores law plateaus, just add more cores
because literally everything is parallelizable
is the public key missing from crypto/plagiarism?
or are we supposed to generate it ourselves from N and E?
shouldnt be? N and e are provided
thats... thats the definition of the public key
yeah sry, got confused by this sentence 1) They used RSA with this public key
polynomial gcd on fpga ftw
oh yeah that's a hangover from the RuCTF copy-paste
from the looks of it the challenge seems do-able
from the bloods i would agree
i've found some ways to optimize but nowhere near flag 😔
just eliminate more constant factors smh
4Head
the hxp solution already runs in polynomial time, my computational complexity class told me that that always means its fast
isn't gcd supposed to be logarithmic
it's logarithmic with respect to a constant 
my brain just died while you guys were talking about math principles
math? in MY crypto?! it's more likely than you think
wtf, i thought crypto was guess the cipher ?!!??!
I know, yet my understanding of the field is not as high as I hoped it to be
it's guess the paper now 
just get a phd in math
nuthin like a good ol ctf to remind me my python skills need some SERIOUS work! lol. im sitting here for an hour with the error that it cant find local module 
it do be like that
local module isn't meant to be found
it just contains the flag
it's just for the challenge setup D:
@upbeat hazel it gives me this when i try to run the python script:
from local import flag
ModuleNotFoundError: No module named 'local'
***like i said my python skills need serious work. im a total noob with it and maybe it is because i have been up all night long, but my brain has pretty much stopped computing common sense hahaha
so if you want to make your own public/private key and encrypt a fake flag, you can just create your own file called local.py and place flag = b'dice{this_is_a_test}' into it
but otherwise all that's saying is that I ran the script locally with my own flag, which you need to recover
sorry if that's unclear 😭
nah its all good. so could i technically just comment it out then?
yeah sure
you can just remove the entire if __name__ == '__main__' block if you don't want to generate your own data
oki thanks 🙂 hopefully that will get my brain back on track a bit
np
lol imagine PFS is actually carrying RSA factoring 0-day
lol
rsa 0day 👁🗨
can you guys release an easy question so i don't feel like an idiot
whuz 9+10?
21
u STOOPID
im with ya lol. I have done many CTF's before and done very well but this one is kicking my butt. at least im learning a lot
I am struggling as well with finding some kind of alternative for the algebra import hxp explicitly said the following about: Using my Python algebra library (that, by the way, only came into existence while solving this challenge since I was unable to find packages that could properly handle polynomials over arbitrary rings), the required computation is easily implemented:
no luck so far
Is there any chance of a 17th root over some ring to complete in a reasonable time?
no
i was able to import algebra with no problem. check your path settings
what python version are you using?
3.9.1
sad
huhm okay
.
what does this mean
is it getting released 
😦
yeah we don't like any plagiarism in our chals, even unintentional
what was it? 🙂
^
guess flag
it was called
ah of course
babypad
benaloh is cool btw
ah thanks 🙂
I have another crypto that will likely be released
😦 maybe try taking off the text before pip? so pip install algebra
plz stop trying to install hxp's custom algebra library that isn't on pip
hey that's me
sad
great. welp lets get back to the math PhD then
o.o
imma dm yyyyyyy and ask for his python library , ez pz lemon squeeze 
presumably their library won't help you solve this challenge
kekw
the point of the challenge is to pwn yyyyyy and steal their uber secret crypto lib
oh, so it's not forbidden?
👀
👀
Depends on your country of residence 👀
my main concern is to not be disqualified
tbh with 1 point on my track record for this ctf
I don’t get the hype on this library, I don’t think it would provide anything useful for the chall 🤷♂️
same
my script just ran for 10 mins and I quit
but how else do we copy paste their code 😒
you had to copy paste and run it 2 weeks ago 😅
what if i just enjoy watching my ram dump to pagefile 😄
nice way to spend a saturday afternoon
smh shoulda just released the baby crypto anyway
at least give us some sense of happiness
someone wanna teach me LLL
poortho is good at taking L
L
it's just continued fractions
is that a hint ? , cuz i've already wasted about 1 hr on continued fraction
Nah mathematically LLL in 2 dimensions is just continued fractions
may the entire country of Ireland roast you for not giving a hint
both
easy as in low amount of solves easy not some baby question
i know what to do just not how to do it
o
at damctf, we pride ourselves on pushing flag guessers to the next level
more crypto?
garbled
no idea, ididnt write it
why so few solves for crypto, highest solved has 4 solves
no papers, I made it up
o nice
b/c our easy crypto turned out to already be in a previous ctf
oof
crypto is easy so everybody leaves it for the dessert
but w/e
yes, i've only spent 7 hours on one challenge
lmao me too
although 2 of those is just waiting for things to run lol
digging through Stanford 2009 libraries
how long did you wait?
2 hours and counting 😩
not yet lol
Accidentally restarted my pc
actually i had another script which was slated to finish in around 80 days
lol
so if you count that then i've run scripts for around 4 hours
i also found out that some time ago when i reorganized my ctf stuff, it broke my sage install
yeah is this the intended solution or are we in the wrong place
same. my linux thought it was cool and fukd the whole path up
have you tested it locally with smaller values?
what's your expected time
sort of sure that it works?
3 months
it's around 70% done 👀
:
or like 9 hours
oh nice
but that is not intended right?
no
tbh if i removed the prints it would probably be a bit faster
but im impatient
and i need to know that its doing something
sth?
something*
hm
when you guys solve cryptos based on papers
do you like
actually read the reasoning behind the algorithms
just a matter of finding the paper
if the paper is clear
and the algorithm is clear
no
most important thing is flag 🙂
lol
for somebody who claims to specialize in crypto i have an awful math background
currently taking alg2/trig
high school?
mm ye
nice
(no longer needed) Can everyone who solved plagiarism DM me your solve script?
sad!
oh wait its gotta do like 20 massive operations
🙏
sad!
..
Does removing prints help with speed
yes
by how much?
depends how many print statements you have
well like 1 or 2
if you're printing in a loop
i mean, it won't hurt your performance
it can be incredibly slow
the rule of thumb is if your terminal can catch up to your print statements then it probably isn't impacting performance very much
well it goes 1.8 s for every print
yeah it probably won't impact performance much
Ill just exclude it tbh
oh nice, you solved!
also I just realized, we don't have an interactive server on a crypto chall yet
yet
when the garbled script finally reaches the end, and promptly crashes just before printing because you compared a list to an integer
😢
damn
mfw i can't do crypto bc i have algebra hw
mfw i can't do the algebra i want to do and instead need to do the algebra im assigned to do
SAME
except my math hw is not algebra
but eh
flex
same difference
python -i 🙂
i also have topology if that counts :(
i read the docs for python -i while making ti1337plusce and mind blown
I think any math counts
so much wasted time
yea now-ish
my chall is live
quantum zzz
jupyter lab 🙂
spyder
😭
Are we able to get a runtime bound on newcrypt?
[0,infinity)
As in like, does the solution script run within a couple minute sitting
@compact jacinth
Solution should be solvable in reasonable time. My solution takes around 20-30 minutes to run (but obviously this may differ depending on hardware specs).
inb4 tux's sol takes 20-30 mins on google's supercomputers
512-bit primes would be more fun 😦
sol takes 20-30 minutes on quantum computer
have people noticed something weird in garbler?
not that i'm aware of
hellman 🙏
hellman 🙏
garbled took more braincells than i have available
i think im gonna stop doing crypto for now
i have a solution to plagiarism that runs in 239.25925926 days
👍
F
just rent a supercomputer
admin for garbled?
I presume @surreal coral is asleep
I don't know, it's not that early in Ireland
now would be a good time to make benaloh lcg parameters public
:-/ crypto is pretty tough
crypto is pretty
Aww thx
don't encourage the crypto people like that
where is the noob stuff??
have you tried newcrypt
Are you joking? I've been on it since yesterday... I hope I'll solve it in a few hours but it's pretty hardcore
still am a noob i don't know my way around py without the how
we had eZ planned but it turned out to be a duplicate
most easy challs are duplicates
the flavortext was different!!!
it was a neat concept tho
have you solved babier csp?
not really i want to do it on my own like everybody else. or at least a correct heading that doesn't have some higher level stuff
right now you just seem to be complaining though
if you need some push/guidance on the challenge, you can DM an organizer
and we can try to do that minimally
do you want to solve babier csp?
yes, I am complaining. I had high hopes for this but none of it is for a noob. And I did, and they keep trying to tell me this is noob stuff; I look at it, then I understand how far away this is from noob
signature-sheep-scheming-signature-schemes blood!
and yes i do want to solve it on my own
Didn't even include standard babyRSA. I thought that was a requirement to be called a CTF 😆
That just means the writeups will be interesting 👀
Fair point. I'll have to run my own CTF where the entire crypto category is just the same RSA challenge with varying number of factors of N.
factordb go brrrrrrrr
benolah admin?
hi
Plagiarism is baby RSA, we even link to a solution script
ofc it is baby rsa, i'm not saying it's hard but it's computationally intensive
Just wait a week to run and get the flag, ez
i have 1st part of plaintext next part is running so slow :pephands:
the last part is }
a week? my first script would have taken 12 weeks
Again a strong argument against my joke. I'll switch it up to "didn't even include babyROT13 in crypto category". How about that? 😛
sanity was rot26
and now?
was your 1st script about bruteforcing the flag?
maybe your code is just slow