#crypto

for plagiarism can anybody explain the hxp code section where they say exponentiation is slow?

#g = (ZnX.X + ZnX(delta)) ** key.e - ZnX(Zn(c1)) #exponentiation is slow...
gs = [delta ** key.e]
for k in range(key.e):
gs.append(Zn(key.e - k) / (Zn(k + 1) * delta) * gs[-1])
g = ZnX(gs, 'little') - ZnX(Zn(c1))

it won't matter because their code

won't work

yeah i know we don't have the library

but I think it's just referring to the fact that

well

even if you had the library

it wouldn't work

but it's referring to the fact that computing out the expanded form of (x + m)^e

they're taking a polynomial and raising it to a high power

hence why it's slow

if you remember binomial expansion you would know why it's slow

why is what they do faster though

they do it manually i think

i haven't really looked at the code in depth

are they creating the binomial expansion in that for loop?

uh maybe idk their library and code is weird

just use Sage

hehj

if it was that easy it wouldn't have 7 solves

nah 7 solves bc no one wants to use sage

Now I'll just wait for solutions

Also for Tux crypto , that only Hellman solved :feelsbadman:

wondering what this "show solved" button should do

doesn’t trigger anything for me

it shows all challenges including the ones you have solved

well I thought the joke on the fact that I solved zero crypto challs was obvious 😅

ohhhh

damn it

3 hours on plagiarism and around 4 on benaloh

should have looked at garbled maybe

probably

~~our solution is a little ~~

if you can even call it a solution

looking forward to see the smart tricks in benaloh solution

i think our garbled time was spent like

10% actually working out solution

30% fixing stupid indexing errors

60% waiting for code to run so we could keep debugging it

will there be a newcrypt writeup

imagine not using pypy

That my experience overall for this CTF, waiting heavy algos to finish again and again. Not blamings orgs since my approaches were not optimal

and thats why idont do crypto

rip

i won't be able to make writeups

in time

err

i'll probably finish benaloh

s5 will be sparse tho

That's good news 🥳

not having writeups already done

WeirdChamp

i wanna see what i did wrong for benaloh

same

use grobner basis

benaloh and signature sheep scheming signature schemes: https://priv.pub/posts/dicectf-2021/

Is that some kind of fun number theory thingy owo

fml i shouldn't have procrastinated on writing this

fweaf

Lol

This site cannot provide a secure connection. priv.pub uses an unsupported protocol (-113)

fweaf

it's github pages + cloudflare

idk what to say

fweaf

cloudflare too secure

i tried grobner basis but my sage cried at me

how do you get rid of a and c

resultant?

how was plagiarism done

a is a constant

some c with a multiple of u, which I suppose counts as resultant

i guess i had the wrong

equations

What was newcryptv2? I was using the paper using Minkowski sums to find polynomials but couldn’t get any grobner or resultant computations done in time

it's the right paper

solve script posted here: #writeups message

?how

the one by aono is the right paper

it's a pain in the ass to implement though

i tried doing it for redpwnctf

What m did you use? And did you use all 5? Also did you prune their polynomial set at all or straight from the paper

how in the hell were you supposed to find that paper

all of the relevant papers suck to implement

I used bit-by-bit bruteforce instead of Grobner but there was something weird happening: I got 73 good polynomials out of 113 and still the bit-based search exploded, while the 74th poly was always overflowing modulo once, and using the poly with the correction magically helped.

m=1

use a faster gcd algorithm

"Cryptanalysis of RSA with Multiple Small Secret Exponents" sth like that

which

idk just look up faster gcd algorithm lul

Ya I had the 73 good polys after filtering the LLL rows cause my variety kept coming back empty, but my grobner bases in sage never finished. Guess I should’ve waited longer

I didn't use the heuristic and on dimension 112 LLL took 2h 23m 35s :/

the original writeup uses euclid gcd which is unfortunately too slow for the provided numbers

i believe ireland's intended sol used half gcd

Maybe try with 74th one +- modulus

Need more easy cryptos that can be solved with pen and paper

half gcd?

never heard of that

pen and paper crypto is dead

Reading a bit on gröbner basis and wikipedia says it's done on finite fields.
Correct me if I'm wrong but since n is not prime, Z/nZ is no field?

that's what my sage was complaining about it hink

Could it be the idea is "the chance of finding multiples of primes of n and it actually hindering the algorithm is so small we can say Z/nZ is essentially a field" ?

Which problem are you talking abt Grobner bases for

Benaloh

defund can you explain why a grobner base works

my intuition is that the space of monomials is rather limited so it quickly gets saturated and yields "nicest" basis

this is a good explanation, groebner basis is based on simple arithmetic

i guess fundamentally i don't understand what a grobner basis does

it combines multiples of polynomials into new polynomials in nice ways (such that high-degree terms are cancelled)

thanks that makes more sense

having many low degree polys is nice since you can do linear algebra on them

can someone show their gcd algorithm for plagarism

i'm assuming you also probably had to manually calculate the coefficients

my sage died after trying to generate the polynomail

weird, i used sage to multiply polynomials and it was reasonably fast

no i mean more it died trying to do (x + diff)^e - c1

i wanted to generate the coefficients manually but didn't really know what to do after that since i knew gcd would take too long

was <1 minute for me to generate the polynomials

really?

guess my sage sucks

lol

mind sharing your code? or just the relevant parts

I can share my soln

missing from binteger import Bin

huh i'm surprised this worked for you cause my just wouldn't get past it

pb = (x + mb)**e - ciphertext_Blex

thanks for the solution

I think I used SageMath 9.1, but during CTF I upgraded to 9.2, which had more bugs 😦

rip

reference solution, implements Half-GCD ( http://web.cs.iastate.edu/~cs577/handouts/polydivide.pdf )

that’s really not intuitive for me how all Ui can be represented as multiples of c in benaloh

i get the solution, but if that’s based on simple arithmetic shouldn’t we get an intuition without just trying out the groebner basis blackbox like it was some LLL magic

huh i really wish i found that paper

"subquadratic gcd algorithm" is the google-fu

it's surprisingly hard to find if you use other keywords

or u can be hellman and derive it from scratch

"fast polynomial gcd algorithm" and it's the 3rd link for me

:)))))))))))

deriving it from scratch sounds like some god tier math skills

@upbeat hazel any reason you only used 4 polynomials instead of 10

for the groebner basis

i assume 4 is faster and sufficient enough i guess

sorry I'm eating dinner rn

I'll answer stuff later

also the original franklin-reiter paper for plagiarism talks about groebner basis

to the best of my ability

i assume you're talking about this paper

https://0xdktb.top/2020/05/04/WriteUp-De1CTF2020-Crypto/howgrave-graham1999.pdf

it did talk about groebner basis

i was too stupid to input the correct polynomails

from hxp

link is borken xd

I found this document to create the correct polynomials and the diagonal matrix to balance the equation https://cr.yp.to/bib/1998/howgrave-graham.pdf

ono cr.yp.to

djb 🙏

But I couldnt decrypt the message with the d that i compute

which question was this

newcrypt v2

oh i tried that too

never got a good basis out of it

i assume the polyniomials and the diagonal matrix was wrong because delta was too big

what's the approximate runtime?

30 min on his computer

thanks!

4 is sufficient, you can't do any better than the polynomials they give I'm pretty sure

which part is unintuitive?

the multiplicative relation between u and c

for example to make the challenge did you just try it out with different r values until groebner basis gave smth good enough to solve?

no the r value doesn't really matter

besides increased time complexity

or maybe it’s good enough for all r values

!purge 20

✅ Deleted 20 messages!

lemme think about this

a bit more

smh defund nazi modding

wait I think i'm right

actually

because literally given

u^17 i was able to construct

the sequence of masks

rip

there goes the message history

!archive channel 805962661833474048 50

✅ Archived 60 messages from crypto.

thanks

but going back to the challenge it's not that

c is some multiple of u by design or anything

almost any number is a multiple of another number in the ring

so it's more just that the polynomials basis has that relation

see what i have a little trouble connecting is the linear relation between u, a, and c and how that extends to the power of 17

i can't see u, a, and c to the power of 17 having a linear relation

but i guess they do

grobner basis uses polynomial gcd

too

wait now that i htink about it all of thoes numbers will be different integers in the ring

so they all have to have some kind of relation

Yeah I get what you mean, I will have to dig a bit deeper into groebner basis to understand how these relations are found

thanks 🙂

yeah, sorry i can't provide sth more concrete

it's not entirely clear to me either why the polynomials can be reduced this far

besides the reasoning I laid out for why

the polynomial reduction

can't give you

the values completely

due to finding roots being hard*

as to why you can find a or c^17 or u^17 directly, for example - unclear to me too

that being said grobner basis is good to have in toolbox

So just out of curiosity on the challenge crafting did you end up on this setup by trying different ones basically?

i made the chall a couple days ago

and I guess I started from,

finding roots isnt unique so groebner wouldnt help

cant reduce x^16 - 1 uniquely

benaloh with bad nonce generation

and the first thing I thought of, what if we add 1 to u at every step

and that lead to, how about we just make that a random value 😛

actually I initially was doing goldwasser micali

which is just benaloh with r=2

sticking to the add 1 chall would have been nicer 😅

lol

anyway thanks for the explanations 🙂

I don't really like releasing challenges in series though

yeah np

I was just kidding that would have made the chall really classical whereas it brings smth nice here

😌

are there garbled writeups

https://www.josephsurin.me/posts/2021-02-08-dicectf-2021-garbled

thanks

I just woke up where is plagiarism solution ?

@latent tiger pinned

Thanks

wonderful creative challenge!

glad you enjoyed it 😁

I can't believe I forgot to google the title of the chall for benaloh

I made the same mistake 😕

Although it is kinda late to say this, but seriously thanks for the wonderful crypto challenges!!!

thanks 😀

What is binteger? I can't get that to run

https://pypi.org/project/binteger/

does this have docs

considering it appears to be a library written by hellman himself and doesn't appear to have an associated github repository, i would suppose not

sad

just read the source

it's not that long

Hello !
Is there any recommendations ( book or paper or lecture ) for beginner of crypto?
It's too hard to solve a problem without background knowledge :’
I felt it every time I participated in the ctf
Thank you for reading this message : )

https://cryptohack.org

oh that seems like crypto ctf page?
Thanks for letting me know !

@everyone

you tried

@compact jacinth no one likes me ;p

need one play crypto join to my team

sorry in advance

For how hard the challs will be ?

best category in any case

😩 looking forward to it

Death time, be prepare

👀

how long the ctf will be ?

February 4 21:00 UTC to February 6 21:00 UTC

true crypto will be fun

Is there any quantum this year though?

and at the same time there is none

when dunfed apologizes in advance for the crypto

me scared

same

but hey at least ireland isnt apologizing for quantum

scary
But fun

true

Last year was awesomely great

yep I looked them up

prob easy for you given you do crypto 24/7 but

Don't say such things

what if defund is apologizing because he didn't write anything

👀

wild theories

:rooScream:

isogenies!!!

who is the author of baby-rsa?

@surreal coral

ireland

you can open a ticket though

Baby rsa is really doable ?

it has 23 solves

so probably

Yes

i never see that

🪢

🩸

I guess I used a hammer for the baby

👶 🔨

the horror

who solved pow-pow on galhacktic? nvm, found

courtesy of everyone's favorite pb-er http://cryptoiscryptocurrency.com/

I can't see this, only truth can live

@surreal coral can i dm ?

no but you can open a ticket

inside said ticket do we ping the challenge creator?

you don't have to

we usually do it

once someone triages

i get it, math is important to solving these 🤔

math? In my crypto?
It's more likely than you think

crypto is math :d

huh, this is why i've been completely lost

I've been trying to solve baby-rsa by reading The Count of Monte Cristo

you see crypto is just where the math nerds on our team get to flex how many papers they read every day

<Ireland frantically trying to defend themself>

pwn is where people compete on how much of glibc and linux kernel source code they can recite from memory

what the heck does the data.txt is for, is it supposed to be the original values? for baby-rsa

Yup

ikr

Ikr ?

its seems very undoable

but obv people has solved it

ive been scratching my brain for like 30 min

I think it’s possible but i never do that

same here lol, don't know what the heck I am supposed to be doing here

after spending the last few hours on baby-rsa, i can confirm that the cipher is divisible by 1

pog

It's also divisible by negative 1, but that requires quantum mechanics to explain

Its also divisible by itself

impossible

divisible by 2 numbers?! How much more could it be?!

I'm pretty sure that means it's prime

you might be right about that

A number is prime if it's divisible by one and itself

are we talking about n or p and q?

lmfao I got to <redacted> then just got stuck

N but mostly we're messing around

fun fact, n is divisible by p and q

not really sure how you can divide letters, this makes no sense

math goes from word problems, to numbers, to letter symbols, to word problems (but now you have to prove stuff and write complete sentences 😔 )

Im on normal symbols
and I hate ∫ D:

oh well

letter opener

... sort of

🤨

see im just ded in rsa

what about you guys?

the only challenge i have solved is the discord flag

Same

i will solve baby-rsa

maybe

Same maybe

idk

you got this

(•̀ᴗ•́)و ̑̑

another blood!

braid and psych left

I am going to have a great time reading the writeups and not understanding anything

well, and potentially unreleased challs

my free grammarly account does not know what to do with these numbers

oh yeah you need grammarly premium

https://tenor.com/view/sueñitosgifs-traumatized-mr-incredible-los-increibles-meme-gif-24305569

mfw i find papers that seem related to this and am still stuck

when you have p q e phi n and c but its 11:00 am and you forgot how to decrypt rsa

Bruh

Baby rsa makes me want to kms

It's so free I can tell

But I'm just monkeying it

Why couldn't they have done a normal babyrsa

Omg

honestly running out of lined paper for the brute-force by hand

it's the twist

Not a good one tho

0/10

very hard chall

Don't recommend

😦

U done it or still stuck like me?

its nice when you get the keys

stuck

defund I got the keys but im so tired I forgot rsa decrypting lmfao

@candid girder Only sanity completed

and I cant seem to remember frick

Cryptohack

If uve done any rsa already

the private key doesn't work

Steal code from the solutions

wat

you won't be able to do normal rsa decryption

WAT

WAT

wat

wat

Yeah obv

w a t

rip

nooo

Issue is to decrypt rsa u do pow(ciphertext, d, n)

rip

because this is dicectf 🙂

not picoctf

D is inverse (e, phi(n))

But that ain't gonna work round these parts

yeah there are so many challenges where you copy paste some cookie cutter rsa template and dont learn anything

oof private key ded how dare you defund

umm...

I mean that ain't a hint

these are getting into too technical

not yet...

Cause that's how to do normal rsa

This is some off brand infant shit

@candid girder Only sanity done

I didn't write the challenge 😨

the challenges are brainfuck

lots of teams only have welcome solved

Mfw I've done all the cryptohack rsa challs and can't do a fucking baby rsa chall

no worries

imagine if we put baby in front of the hardest challs

sike

Vote for Pedro was way easier than this shit

haha that's funny

I get the joke

because sike

nvm

quick write it down

I see you panda

i think it's past your bedtime kfb

all hard

U done any cryptohack man?

U should

Is v fun

And ACTUALLY POSSIBLE UNLIKE THIS IMMA KILL TBE CHALLENGE AUTHOR

no

oh no don't do that

he's a nice guy

same here

D:

I hope they go to diffie-hell

this challenge is def out of my league, but reading up on RSA very nice

i need to get back into cryptohack

school L 😔

Just do it during class

I'm in HS and all my classes become cryptohack from time to time

I'm in college, and I'm paying for class time

so...no

In the us?

this challenge is not out of your league!

out of mine lol

if you solved all the cryptohack rsa

you can solve this

yeah. $$$

yeah if you solved and understand all cryptohack rsa you can 100% solve it

eventually

ah fair, gotta get something out of it when u go 4 million into debt for a fancy cheet of paper

maybe 90%

yeah but im monke

number theory knowledge is helpful probably

fermat's little theorem 😍

I actually haven't seen the challenge

so idk

skill issues

did ireland write both baby challs?

eh i think it is

yeah ireland wroet babyrsa at least

yep

and babyrop

someone gotta teach em what baby means

I think that's the joke

nah next time we'll just not make baby challs 🙂

so he doesn't get bombarded with questions

well we gotta have a couple

is this fermat guy a smart dude? 🤔

the french one? yes very

very

smart

big brain

if we are talking about Fermat's little theorem fermat

are we talking about that fermat

yeah maybe, but he never did anything big. only came up with some little theorems

idk he left the proof for his last theorem as an exercise for the reader

sounds like something someone without a proof would do

little? do you realize how useful they are?
Litterally one of rsa's proofs use that little. theorem

Lmaooo Fermat's Last Theorem

yeah ik

The solution on that

was complex

xd

my computer doing matrix stuff woah

bruh

fully done with this

bru

baby rsa is gonna be the death of me

fr

😦

you know, you could also look at some of the other crypto

same

like rejected

f**k

nah but i started baby rsa

i needa finish

i feel like im close

o

but idk

tru

could i dm?

feel free to file a ticket

#create-ticket

or DM, idm either

wait a minute

ϕ may be dead to me

nope

my boy mike failed me to

or maybe i failed him

idk at this point

i am mentally running round in circles and regressing to a baby

me in every ctf

do u want me to delete those message btw, i think they are cryptic enough but obv your call

@sacred blade

i don't even know what those messages are saying 🤷‍♂️

fair

dm?

other orgs might delete them though

Where can you learn the maths for cryptic - rip. Cant even solve baby rsa xD

there's cryptohack

Oh, thank you 🙂

i've been trying to find the bridge between stuff like PicoCTF and this more advanced stuff, is CryptoHack that inbetween?

I would say so

@candid girder The Baby RSA is f**k i'm gonna suicide

yeah

ok maybe not a perfect bridge lmao

basically all challenges are suicide

moew over admin are rude and not helper

thats why the ctf has name

because its tooo hard

I

my guess is that using an on-screen keyboard for this is not recommended

my guess is that being bad is not recommended cause i am fully stuck

#badgang

all i need are the discord points ;-;

hellman 🙇‍♂️

author of babyrsa going to diffie-hell

hellman is busy today, so I have a chance to solve something too 🙂

are you on MSLC?

yep

wait

did you solve the crypto?

mslc op 🙇‍♂️

yes

oh sick

sorry I kinda just assumed hellman was only cryptographer for some reason

🙇‍♂️

what are you trying now

psych?

actually mslc didn't solve rejected yet either

rejected is so difficult..

good luck

they are hard

#!/usr/bin/env python

import z3

with open("data.txt") as f:
    for line in f:
        var, val = line.split(" = ")
        globals()[var] = int(val)

s = z3.Solver()

p, q = z3.Ints("p q")

s.add(p * q == N)

if s.check() == z3.sat:
    m = s.model()
    print(f"p = {m[p].as_long()}")
    print(f"q = {m[q].as_long()}")
else:
    print("Unsolvable")

dice_ctf/crypto/baby-rsa
➜ ./solve.py
p = 57996511214023134147551927572747727074259762800050285360155793732008227782157
q = 1

I mean, its not wrong 😂

bruh

it aint wrong

but ill tell ya this

you dont need z3 for p and q

yeah I know

I have p and q

was just curious to see if it could

Can I dm someone pls? I figured out a solution that works, but yet doesnt work for the flag xD

dice_ctf/crypto/baby-rsa
➜ ./solve.py
p = -1
q = -57996511214023134147551927572747727074259762800050285360155793732008227782157

it has mugged me off again but yeah it can't

~~doesn't work then does it 😂 ~~

I hate my life, it only works for a plaintext of length 1 xD

rippppppppppp

split flag.txt
cat * > /user/officialbenko

any hint for babyRSA 🥲

f

i am so close to just trying to bruteforce babyrsa

create a ticket and we may or may not help 🙃

any hint for BabyRSA ?

Dachshund, wiener attack doesn't even solve it

i'm literally crying 😢

😦

We can't solve baby rsa without finding p and q right?

or can we?

i can't solve it with even p and q

🤣

and here u r asking if u can solve it with p and q

same 💀

Who solved commitment issues 😅

Curious about your solution

ig someone outsmarted u.

just saying 🤷

Clearly hahah

I'm working on an algorithm solving baby_rsa without p & q, but python can't do all my calculations as longs get even longer.

lol

OverflowError: int too large to convert to float

!giveup

Who is on Nu1L

mensa-baby-%s

!fuck

!killmeplease

I found a lead for RSA but....couldnt solve it yet...

then i should just leave the CTF and solve cryptohack it seems

doesnt help

im a 🍋 that cant

Any admin available for sanity-check on baby_rsa please?

#create-ticket

Well done on solving shibari 🪢 !
Would you mind DM-ing me your solution?

see admins asking for writeups

we are curious 👁️ 👄 👁️

Im sitting on this baby_rsa challenges for hours, tried 100+ possible methods & did a lot of research. How come that it has soo many solves 😂

no one will be on fishing 😄

no one will be on fishing 😄

no one will be on fishing 😄

no one will be on fishing 😄

classic example of breaking the rules of RSA to implement RSA! smh

The first rule of RSA is you don't talk about RSA

Oh your online now

I can finally tell you to got to diffie-hell cause of babyrsa

Lmao

It is probably very simple

Seems it

ngl this sounds like a you kind of problem

But has caused hours of pain

Yeah it is

Pain is pleasure and pleasure is pain

So you're a masochist

Yes

We are

no u

what kink is this

🥺

This took a turn

https://tenor.com/view/angry-birds-dice-jumpscare-dice-jumpscare-angry-birds-gregory-gif-24379056

ono

Let's go back to wholesome family friendly content like shibari

also would like to say nice chall, I have seen a decent number of rsa challs (too many with the same name lol) and somehow never come across this

😆

rejected already not friendly

This chat is #crypto not #dicegangepsychosexualanalysis

petition to create one

Petition to ban Moriarty

*bean Moriarty

!bean @inland ruin kinky

✅ Moriarty#8077 (518674233484640256) was beaned. Reason: kinky

is it possible to mirror psych?

is unreasonably slow

@upbeat hazel

we are working on a fix, will be deployed with some other adjustments (to other challenges)

any idea abt this crypto/baby-rsa

1. open a ticket
2. try harder

so in said ticket can we ask for help or is it only for technical difficulties

like how do I get rustc on a mac

we don't give hints, but we sometimes clarify issues

it shows ELF, which implies that it's a binary file, and prob you need to pwn it

tthats a crypto chall

lmao

e l F

100% pwn

ignore the fact that elfs have ELF in the first 4 bytes

lol

Hi, in baby-rsa I think I got the correct way but I'm not sure because it doesn't work, can I msg anyone?

you can create a ticket, and ireland or others may choose to provide feedback

do I need to be a math major to solve rejected

you need to know what a LFSR is

:0

crypto is cleared

🎉

well, except for any yet-to-be-released challs

which are delayed

ok crypto is cleared

@full temple @dusk thunder
Would whoever solved correlated please DM me your solution?

the crypto challenges are driving me insane 👍

That means you're doing them right!

sanity and learn/gain are inversely proportional

i'm going insane and learning little at the same time so i know i'm doing a terrible job rn

That just means you're going to enjoy reading the write-ups even more

Any TBA for the writeups? Like immediately after the CTF or a couple of weeks

I'm going nutso lol

what does tba mean

Like expected timeframe or date

authors and other competitors may choose to publish writeups

but no guarantees

Gotcha

usually if the challenge is interesting enough then someone will post something

Yeah I'm super curious for the baby rsa one

we have a writeups channel that other competitors here can write writeups/link to writeups they made once the competition's over

err... we had a writeups channel

where'd it go?

#writeups

gonna keep that down there until end

or make a new one perhaps

oh ok

I will publish writeups for pow-pow and psych immediately after the ctf ends

hopefully

time to make #dicegangphsycosexualanalysis real except its just the writeups channel

Having an average of 4 bits of recovery error for correlated is quite infuriating

back the baby-rsa grind

running out of time oh god

running out of lined paper

this is a disaster

My TI-84 Plus CE can't handle this

Excited for writeuppssss 🎉

Can't wait to read the writeups to see how my brain is

Same

Anyone want to lend me a quantum computer for 33 min?

sorry mine broke last week

maybe if you ask nsa nicely they will lend their for you

im trying to figure out baby-rsa, i have the primes and created a finite ring that d has to be in. its still way to large to compute tho. any tips?

we can answer any questions you have in 23 minutes

IBM account

if it works it works ¯_(ツ)_/¯

Or you could actually just do the code

and not even make an account

would that even work?

I found a sure fire way to solve all cryptography, it will just take some time....

🤡

i found a way to solve a ctf flags, it will just take some time

no EZ just send a github RAT to the organizers

lmaoooo

things are becoming more desperate, anyone have a spare data center for 15 min?

🤡

yep need more proccessing power

i have access to a supercomputer, but it requires my physical presence

and its still icy here in texas

free cooling pog

pls run the following script:
<redacted since competition not over>

I have access to a quantum computer remotely
except for the hiccup that its too slow

author writeups for pow-pow and psych will likely be delayed by an hour

:x

!bean @upbeat hazel slow

🚫 Failed to parse the user param: multiple_potential_targets
🔧 Command usage: !bean <user> [reason]

expect for

stuck on pow-pow

XD

oh my pow-pow writeup is done

I just need to do psych

:d

Writeup for baby rsa?

Plss

https://blog.soreatu.com/posts/intended-solution-to-crypto-problems-in-nctf-2019/#easyrsa909pt-2solvers

English pls? :c

the idea is to implement an algorithm to take find e'th roots mod p and q, and then combine all possible roots with crt

(although most people probably didnt implement the algorithm, since sage has it build in with nth_root()

I was sticking with this: https://crypto.stackexchange.com/questions/43660/rsa-how-to-compute-the-number-of-possible-plaintexts-if-e-is-not-coprime-to/83593#83593
But was unable to retrieve x T_T

do commitment-issues needs to compute resultants and use coppersmith to solve for flag?

solution for commitment-issues ?

there are a lot of things online for e | p-1
but not for e^2 | p-1

essentially

I called roots() on a polynomial mod N and somehow it worked

my writeup of it should be there

Aren't these the same though

commitment issues, lots of computation + adaptive root with smooth exponent

https://eprint.iacr.org/2020/1059.pdf i'm p sure this is related to baby-rsa but i wasn't able to extend to higher powers

it says it's trivial to extend to higher powers but i couldn't figure it out

Indeed, I read this

nooo way more roots in both rings if e^2

huh, curious what you did to solve

lemme find the paper with the idea, lol

oh shoot theres a paper? lol

But the principle remains the same

can i see the solver

I think I confused two chals, nvm 😄

not sure

ayye

oh yeah, okay that sounds like pow-pow haha

Yepp

thats my commitment issues solver

but theres a much nicer explanation that is in the official writeup link, wherever that is

https://hackmd.io/fmdfFQ2iS6yoVpbR3KCiqQ

shibaru GPU bruteforce is intended?

no haha

solution is 2 parts:

1. the braid is already in normal form, so you can import it into LNF faster than computing LNF on it.

2. apply a length-based attack because the entire circuit is reversible.

if you guess that the first few gates are performing the subcircuit A := NOT bit 0; CCNOT(0,1,2)

then the length of the circuit A^-1 * Circuit should be "shorter" than the length of Circuit
where length is the length of the LNF canonical form

Whereas if you guess wrong and try the circuit B := NOT bit 0; NOT bit 1; CCNOT(0,1,2)
then the length of the circuit B^-1 * Circuit should be longer than the length of Circuit

so you can bruteforce the flag 2-bits at a time

the step 1) of importing into LNF is needed because computing the LNF is so slow for the obfuscated braids (it's pretty quick for the unobfuscated braids)

and the provided python bindings support quickly computing the LNF of LNF(a) * LNF(b)

in hindsight, I should have released the LNF form of the braids so that players didn't have to import it.

my solution doesn't actually use a length-based attack for 2) -- it uses an attack on the underlying Braid Conjugacy Problem.
This attack also requires having access to the braids in LNF

What was the intended solution for pow pow? Mine feels way too dirty

To whoever solved psych, did you manage to craft c0 which was "equal enough" to c0' to have a significant equality check time?

https://github.com/defund/ctf/tree/master/dicectf-2022

Thanks!

yes, I'm making the writeup right now. The solve script is also in that repo

I'm so sorry :((((

writeups will be published in half an hour

I made the first point (P) fully equal, which adds +110 to time on correct match. So only 1 query / bit

oh and my psych solve script is unnecessarily complicated

because I obsesively optimized montgomery curve arithmetic

you can just use sage's libraries

I quickly gave up on montgomery stuff and switched to sage 🙂

my solve script runs in 5 seconds locally 😎

Hm interesting, so it's possible to do the adaptive attack using just Q and P-Q?

yeah because sibc does not check anything

except the hash in the KEM, which should thwart all such attacks (unless leakage)

https://gist.github.com/hellman/5c2deab6dfcb179b101237471e7450ca

Basically keep P and make Q low order. I don't know what sibc's formulas compute on such inputs, but the output range is just the order of Q

which by comparison leaks LSBs of the secret

Ahhhh this makes so much sense, I was going with the full ceremony from the original paper of passing through weil and all which doesn't leave much wiggle room. Thanks!

someone for the rsa pls ?

Yeah my first solution was to match 1-2 bytes in c0 and then GPST. But I messed up and recovered garbage in 2 hours... Had to improve

Hey hellman

Staying up all night to solve correlated was a thing I did

I think my solution passes those sorts of checks

but yeah those are irrelevant

in the context of SIKE

Sounds interesting, in 500 queries?

it varies, but on average yes

(but I only know the basic GPST attack on static keys)

I like your solution more though

maybe I'll just link it in my writeup

and call it a day

💀

no, I need to know how what I am missing 😛

ok welp, I'll include a brief note at the end

https://priv.pub/posts/dicectf-2022

my explanation is probably quite terrible

I'm going to ✨KMS✨ after seeing a baby rsa writeup. I forgot that sage had functions for that and was trying to fucking monke brute force the CRT with python. Omfg that challenge fried my brain

https://www.lifeline.org.au/

Lol

understandable

How did people solve correlated? I just wait on the event that the first 48 bit of the stream has <= 5 wrong bits and bruteforce... hope this is not the official solution lol

it seems like many people solved it this way

it is not the intended solution

what's the intended?

https://hackmd.io/fmdfFQ2iS6yoVpbR3KCiqQ?view#crypto/correlated

tbh the intended was super complicated, and i'm happier with this challenge being a fairly accessible filtered-LFSR challenge than it being a super hard one that no one attempts

Why the fuck are y'all smart

We can extend by enumerating two variable from two groups with ord=e^2

I tried it and it worked

But it seems to be unintended after I looked at the writeup

can anyone tell me what was the theoreom/using what method was the pow-pow chall made?

See the author's writeup: https://priv.pub/posts/dicectf-2022

Thanks!

oh it's Wesolowski’s verifiable delay function

i see, intersting crypto challs@

in the author's writeup why did you also multiply with some small number less than 256?

for rejected approximately how many bits would one need to obtain for the attack to work? would the linear system to solve have like 32k variables or is it usually much less than that

in case m has repeated small factors, like it's divisible by 4

Doesn't the linear system have exactly n variables, where n is the bit length of the key?

oh i assumed we were solving for the output of the lfsr instead of the key

oops

so given an output 1 at the xth bit of the output you represent it as a sum of the (x-tap[j])th bits in GF(2) and keep doing that until you reach the first n bits of the key? or is there a simpler method

In rejected you aren't given the outputs

You are told whether its greater or lower than some threshold

And when you know the output is greater than the threshold, if said threshold starts with b 1 bits then you get that the output must start with b bits to 1 as well

And then you can solve like this

And that's exactly what you said and I'm too tired please ignore me

lol

so i guess around n bits need to be leaked for the linear system to be solved?

At least n bits yes

ok thanks

hello, anyone has writeup for crypto/baby-rsa

N is quite small so you can use alpetron or factordb to get two prime. Next brute force every single possibility and stop once you have clear plaintext because e and phi are not coprime (see: https://crypto.stackexchange.com/questions/81949/how-to-compute-m-value-from-rsa-if-phin-is-not-relative-prime-with-the-e/81966#81966)

actually, GF(p)(c).nth_root(e, all=True) works for this challenge since e is small

from Crypto.Util.number import long_to_bytes, bytes_to_long

p = 172036442175296373253148927105725488217
q = 337117592532677714973555912658569668821
N = 57996511214023134147551927572747727074259762800050285360155793732008227782157
e = 17
c = 19441066986971115501070184268860318480501957407683654861466353590162062492971
Z = ZZ.quotient_ring(N)
phi = (p-1)*(q-1)
d = inverse_mod(e, phi//e^4)

a = pow(c, d, N)

_phi = phi // e^4    
g_2 = pow(2, _phi, N)
g_3 = pow(3, _phi, N)
assert g_2 ^ e^2 == 1
assert g_3 ^ e^2 == 1


for i in range(0, e^2):
    for j in range(0, e^2):
        x, y = g_2^i, g_3^j
        m = long_to_bytes(int(a*x*y))
        if b"dice" in m:
            print(m)

This works

Generalization of this paper(https://eprint.iacr.org/2020/1059.pdf)

Z = ZZ.quotient_ring(N)

I'm pretty sure that's not standard python, nor exists in the libs you imported

Its sagemath script

In pure python

Remove the line and replace ^ with **

Side note: Interesting that rsactftool couldn't solve this one

That would be actually baby

Not dice baby

If running a pre-existing tool can solve the chall

rsactftool 👎

from Crypto.Util.number import long_to_bytes

N = 0xba8cb3257c0c83edf4f56f5b7e139d3d6ac8adf71618b5f16a02d61b63426c2c275ce631a0927b2725c6cc7bdbe30cd8a8494bc7c7f6601bcee5d005b86016e79919e22da4c431cec16be1ee72c056723fbbec1543c70bff8042630c5a9c23f390e2221bed075be6a6ac71ad89a3905f6c706b4fb6605c08f154ff8b8e28445a7be24cb184cb0f648db5c70dc3581419b165414395ae4282285c04d6a00a0ce8c06a678181c3a3c37b426824a5a5528ee532bdd90f1f28b7ec65e6658cb463e867eb5280bda80cbdb066cbdb4019a6a2305a03fd29825158ce32487651d9bfa675f2a6b31b7d05e7bd74d0f366cbfb0eb711a57e56e6db6d6f1969d52bf1b27b
c1 = 0x75240fcc256f1e2fc347f75bba11a271514dd6c4e58814e1cb20913195db3bd0440c2ca47a72efee41b0f9a2674f6f46a335fd7e54ba8cd1625daeaaaa45cc9550c566f6f302b7c4c3a4694c0f5bb05cd461b5ca9017f2eb0e5f60fb0c65e0a67f3a1674d74990fd594de692951d4eed32eac543f193b70777b14e86cf8fa1927fe27535e727613f9e4cd00acb8fab336894caa43ad40a99b222236afc219397620ca766cef2fe47d53b07e302410063eae3d0bf0a9d67793237281e0bfdd48255b58b2c1f8674a21754cf62fab0ba56557fa276241ce99140473483f3e5772fcb75b206b3e7dfb756005cec2c19a3cb7fa17a4d17f5edd10a8673607047a0d1
c2 = 0xdb8f645b98f71b93f248442cfc871f9410be7efee5cff548f2626d12a81ee58c1a65096a042db31a051904d7746a56147cc02958480f3b5d5234b738a1fb01dc8bf1dffad7f045cac803fa44f51cbf8abc74a17ee3d0b9ed59c844a23274345c16ba56d43f17d16d303bb1541ee1c15b9c984708a4a002d10188ccc5829940dd7f76107760550fac5c8ab532ff9f034f4fc6aab5ecc15d5512a84288d6fbe4b2d58ab6e326500c046580420d0a1b474deca052ebd93aaa2ef972aceba7e6fa75b3234463a68db78fff85c3a1673881dcb7452390a538dfa92e7ff61f57edf48662991b8dd251c0474b59c6f73d4a23fe9191ac8e52c8c409cf4902eeaa71714
e = 281840717167239017970190225734406156171

P.<x,y> = PolynomialRing(Zmod(N))
f1 = y + x - c1
f2 = x ^ 5 - c2
I = Ideal([f1,f2])
G = I.groebner_basis()
g1 = G[0]
g1 = g1.univariate_polynomial()

M = Matrix.companion(g1)
M2 = M^e
f = M2.charpoly()

print(long_to_bytes(int(f.small_roots(epsilon=0.05)[0])))```
took me a while to understand , but it's my `commitment-issues` solver

they know.......

Root of unity works well

What’s the trick you’re doing with the companion matrix? Does this help with how M^e is computed?

That is how I originally solved it. Using the groebner basis/however else, you can get a polynomial with s = m^d as a root. If we place this polynomial f into a matrix M that has characteristic poly f, then any root x of f is an eigenvalue of M. Then for any polynomial p, p(x) is an eigenvalue of p(M). Thus the characteristic poly of M^e has (m^d)^e = m as a root

Ahh! Thanks for the explanation

We solved by taking the quotient ring with k^5 - c2 and so could make degree 4 polynomials which with linear algebra can be combined to give a univariate polynomial with m as a small root

Yea, thats the explanation I included in the official writeup because I think its a lot better way to solve. The companion matrix thing is kinda quirky. I haven't had time to think about it, but I suspect these are the same computations somehow packaged in different ways

are there official writeups?

https://hackmd.io/fmdfFQ2iS6yoVpbR3KCiqQ

More will be added overtime

thx

It is

Maybe my approach is unintended way

https://org.anize.rs/dicectf-2022/crypto/powpow

If people want another version of pow pow write up

nice

Write up for commitment issues 🙂 — hopefully people can follow along and enjoy the challenge

https://org.anize.rs/dicectf-2022/crypto/commitment_issues