ALL the CTFS of Crypto2025 finally

crypto-asimmetric/RSA-1/factor.json

@@ -0,0 +1 @@
+{ 	"input-expression":"factor(176278749487742942508568320862050211633)", 	"input-decimal":"176278749487742942508568320862050211633", 	"factors-prime":["12271643243945501447","14364722473065221639"], 	"runtime" : {"total":0.7035, "siqs":0.0455}, 	"time-start" : "2025-05-14  16:39:45", 	"time-end" : "2025-05-14  16:39:46", 	"info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }

crypto-asimmetric/RSA-1/factor.log

@@ -0,0 +1,62 @@
+05/14/25 16:39:45, 
+05/14/25 16:39:45, ****************************
+05/14/25 16:39:45, Starting factorization of 176278749487742942508568320862050211633
+05/14/25 16:39:45, using pretesting plan: normal
+05/14/25 16:39:45, no tune info: using qs/gnfs crossover of 95 digits
+05/14/25 16:39:45, no tune info: using qs/snfs crossover of 95 digits
+05/14/25 16:39:45, ****************************
+05/14/25 16:39:45, rho: x^2 + 3, starting 1000 iterations on C39
+05/14/25 16:39:45, rho: x^2 + 2, starting 1000 iterations on C39
+05/14/25 16:39:45, rho: x^2 + 1, starting 1000 iterations on C39
+05/14/25 16:39:45, final ECM pretested depth: 0.000000
+05/14/25 16:39:45, scheduler: switching to sieve method
+05/14/25 16:39:46, starting SIQS on c39: 176278749487742942508568320862050211633
+05/14/25 16:39:46, random seed: 15381924001331922418
+05/14/25 16:39:46, ==== sieve params ====
+05/14/25 16:39:46, n = 39 digits, 128 bits
+05/14/25 16:39:46, factor base: 576 primes (max prime = 9473)
+05/14/25 16:39:46, single large prime cutoff: 473650 (50 * pmax)
+05/14/25 16:39:46, using SSE41 enabled 32k sieve core
+05/14/25 16:39:46, sieve interval: 1 blocks of size 32768
+05/14/25 16:39:46, polynomial A has ~ 4 factors
+05/14/25 16:39:46, using multiplier of 1
+05/14/25 16:39:46, using multiplier of 1
+05/14/25 16:39:46, using Q2(x) polynomials for kN mod 8 = 1
+05/14/25 16:39:46, using SPV correction of 18 bits, starting at offset 29
+05/14/25 16:39:46, trial factoring cutoff at 35 bits
+05/14/25 16:39:46, ==== sieving started (1 thread) ====
+05/14/25 16:39:46, trial division touched 85911 sieve locations out of 11665408
+05/14/25 16:39:46, total reports = 85911, total surviving reports = 15765
+05/14/25 16:39:46, total blocks sieved = 356, avg surviving reports per block = 44.28
+05/14/25 16:39:46, 686 relations found: 307 full + 379 from 3054 partial, using 178 polys (22 A polys)
+05/14/25 16:39:46, on average, sieving found 18.88 rels/poly and 107137.16 rels/sec
+05/14/25 16:39:46, trial division touched 85911 sieve locations out of 11665408
+05/14/25 16:39:46, ==== post processing stage (msieve-1.38) ====
+05/14/25 16:39:46, QS elapsed time = 0.0317 seconds.
+05/14/25 16:39:46, begin singleton removal with 3361 relations
+05/14/25 16:39:46, reduce to 1021 relations in 2 passes
+05/14/25 16:39:46, recovered 1021 relations
+05/14/25 16:39:46, recovered 154 polynomials
+05/14/25 16:39:46, attempting to build 686 cycles
+05/14/25 16:39:46, found 686 cycles from 1021 relations in 1 passes
+05/14/25 16:39:46, distribution of cycle lengths:
+05/14/25 16:39:46,    length 1 : 307
+05/14/25 16:39:46,    length 2 : 379
+05/14/25 16:39:46, largest cycle: 2 relations
+05/14/25 16:39:46, matrix is 576 x 686 (0.1 MB) with weight 11457 (16.70/col)
+05/14/25 16:39:46, sparse part has weight 11457 (16.70/col)
+05/14/25 16:39:46, filtering completed in 3 passes
+05/14/25 16:39:46, matrix is 545 x 609 (0.1 MB) with weight 9852 (16.18/col)
+05/14/25 16:39:46, sparse part has weight 9852 (16.18/col)
+05/14/25 16:39:46, commencing Lanczos iteration
+05/14/25 16:39:46, memory use: 0.1 MB
+05/14/25 16:39:46, lanczos halted after 10 iterations (dim = 545)
+05/14/25 16:39:46, recovered 64 nontrivial dependencies
+05/14/25 16:39:46, prp20 = 14364722473065221639
+05/14/25 16:39:46, prp20 = 12271643243945501447
+05/14/25 16:39:46, Lanczos elapsed time = 0.0130 seconds.
+05/14/25 16:39:46, Sqrt elapsed time = 0.0000 seconds.
+05/14/25 16:39:46, SIQS elapsed time = 0.0455 seconds.
+05/14/25 16:39:46, 
+05/14/25 16:39:46, 
+05/14/25 16:39:46, Total factoring time = 0.7035 seconds

crypto-asimmetric/RSA-1/rsa_1.py

@@ -0,0 +1,41 @@
+from Cryptodome.Util.number import bytes_to_long, getPrime
+#from secret import flag
+def egcd(a, b):
+    if (a == 0):
+        return (b, 0, 1)
+    else:
+        g, y, x = egcd(b%a, a)
+        return (g, x - (b//a) * y, y)
+
+e = 65537
+
+"""p, q = getPrime(64), getPrime(64)
+n = p*q
+e = 65537
+print(n)
+m = bytes_to_long(flag)
+print(pow(m, e, n))"""
+
+#p = 14364722473065221639
+#q = 12271643243945501447
+
+p =  88824237363878748201253577036
+q = 866961515596671343895614356197
+
+n = p*q
+phi = (p-1)*(q-1)
+res = egcd(e, phi)
+
+#c = 46228309104141229075992607107041922411
+
+c = 388435672474892257936058543724812684332943095105091384265939
+u = res[1]
+v = res[2]
+
+decrypted = pow(c,u,n)
+
+print(decrypted.to_bytes(decrypted.bit_length()//8+1,byteorder='big').decode())
+#P20 = 14364722473065221639
+#P20 = 12271643243945501447
+# 176278749487742942508568320862050211633
+# 46228309104141229075992607107041922411

crypto-asimmetric/RSA-1/session.log

@@ -0,0 +1,13 @@
+05/14/25 16:39:25, =====================================
+05/14/25 16:39:25, System/Build Info: 
+05/14/25 16:39:25, YAFU Version 3.0
+05/14/25 16:39:25, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0 
+05/14/25 16:39:25, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
+05/14/25 16:39:25, detected AMD Ryzen 5 5600H with Radeon Graphics         
+detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
+05/14/25 16:39:25, CPU features enabled: 05/14/25 16:39:25, SSE41 05/14/25 16:39:25, 
+05/14/25 16:39:25, using 1 random witness for Rabin-Miller PRP checks
+05/14/25 16:39:25, Cached 664579 primes: max prime is 9999991
+05/14/25 16:39:25, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\RSA-1
+
+05/14/25 16:39:25, Random seed: 15435820894272445120

crypto-asimmetric/RSA-2/attack.py

@@ -0,0 +1,56 @@
+from Cryptodome.Util.number import bytes_to_long
+from Cryptodome.Util.number import isPrime
+from Cryptodome.Util.number import getPrime
+from Cryptodome.Util.number import getRandomInteger
+
+from gmpy2 import next_prime
+from gmpy2 import isqrt
+# p = getPrime(512)
+# q = next_prime(p)
+# n = p*q
+# c = print(pow(m, e, n))
+def egcd(a, b):
+    if (a == 0):
+        return (b, 0, 1)
+    else:
+        g, y, x = egcd(b%a, a)
+        return (g, x - (b//a) * y, y)
+
+e = 65537
+n = 60509355275518728792864353034381323203712352065221533863094540755630035742080855136016830887120470658395455751858380183285852786807229077435165810022519265154399424311072791755790585544921699474779996198610853766677088209156457859301755313246598035577293799853256065979074343370064111263698164125580000165237
+c = 44695558076372490838321125335259117268430036823123326565653896322404966549742986308988778274388721345811255801305658387179978736924822440382730114598169989281210266972874387657989210875921956705640740514819089546339431934001119998309992280196600672180116219966257003764871670107271245284636072817194316693323
+
+
+
+a = b = isqrt(n)
+b2 = pow(a,2) - n
+
+i = 0
+
+while True:
+    print("Iteration # ="+str(i))
+    if b2 == pow(b,2):
+        print("solution found")
+        break
+    else:
+        a+=1
+        b2 = pow(a,2) - n
+        b = isqrt(b2)
+        print("a = " + str(a))
+        print("b = " + str(b))
+        print("b2 = " + str(b2))
+        print("delta-->"+str(pow(b,2)-b2 % n))
+        i+=1
+    p = a+b
+    q = a-b
+
+    print(f"P={p}")
+    print(f"Q={q}")
+
+phi = (p-1)*(q-1)
+res = egcd(e, phi)
+u = res[1]
+
+decrypted = pow(c,u,n)
+
+print(decrypted.to_bytes(decrypted.bit_length()//8+1,byteorder='big').decode())

crypto-asimmetric/RSA-2/chall.py

@@ -0,0 +1,20 @@
+from Cryptodome.Util.number import bytes_to_long, getPrime, isPrime
+from secret import flag
+
+
+def next_prime(p):
+    while True:
+        p = p+1
+        if isPrime(p):
+            return p
+
+#Close numbers so n = pq = (a^2 - b^2)
+p = getPrime(512)
+q = next_prime(p)
+n = p*q
+e = 65537
+print(n)
+m = bytes_to_long(flag.encode())
+print(pow(m, e, n))
+# Output: 6050935527551872879286435303438132320371235206522153386309454075563003574208085513601683088712047065839545575185838018328585278680722907743516581002251926515439942431107279175579058554492169947477999619861085376667708820915645785930175531324659803557729379985325606597907434337006411126369816412558000016523744695558076372490838321125335259117268430036823123326565653896322404966549742986308988778274388721345811255801305658387179978736924822440382730114598169989281210266972874387657989210875921956705640740514819089546339431934001119998309992280196600672180116219966257003764871670107271245284636072817194316693323
+#

crypto-asimmetric/RSA-3/attack.py

@@ -0,0 +1,32 @@
+from Cryptodome.Util.number import bytes_to_long, getPrime
+import numpy as np
+from gmpy2 import gcd
+def egcd(a, b):
+    if (a == 0):
+        return (b, 0, 1)
+    else:
+        g, y, x = egcd(b%a, a)
+        return (g, x - (b//a) * y, y)
+
+
+#The array mods are the N utilized
+NArr = [121720186806296997800979538534610838374734751334685912810089377215004504057011542815350249589409126571557756347530275377081347144107627877648585982070305444757428430884386644436796681950522231862132460974829459908011848164947235675260429548827529963885145183776175424511145093559808770680388618014964869201199, 115798264708831001509831452282652377117247913406230481173932971530311207138289505609425951644808355060285770269148892080753105106723888042934884834817949996297119038125679794627407921510845406549274278284300830810036526628513928381076981701488991050846914184755737210682948322006955552194206666221556530254069, 129891916645136766954990840071239136459207498813379400672601426578831847656212739760321974414319624780647238243520795621558507340321036960603641016783930001933214554952892980985719766490723702259591820740126106443296808948516725137803993618809971215369272805623068723219777577178592979685247152887369080213469, 97440042627604058119462166311098928079074460477896227193167136164982689015461458211418231427974720780154163727230020238900390489255635496740913390712432413745693887138227178349326834808464939377520843058378484137633039051861149301719616738305187923502768381441541843160895988360219120088573263132711946135549, 118336797456007073778845583425765727519290931431629708341588136084005536094639394444055480793346537253211044225267352801744305543944594258715651884862219847349035909104973416940104288422933727439470796894321119143142352295983873128834400237669322455310392240839827948103230966843721381138542886809256064478583, 98830801478619438580886979231071793416086374828762996995335166178033453794813501043909349956992551774283648522075968950157876919261226385391203458862082192940317067631456258474770737562985117345952159996038314281257462262391260021194541096637417576244012229535327312563436777296722806384925044244352631380237]
+c = [20895232551321355357796559134923739063229897004564726534442560232700008579832934464588215412298797749098926607008145809365713546063372794478172028895900292570052597729451835013404932658115272822381857334883139192842405577893328881755205525477692528232932048522246106064845149790024188650659712186587302788822, 27487798811245911704259308821426340722272943834169278939573060705897180221981687550608201257369881749684155124541223818713952131057624098178538068959839121916786988723255740240218509529169521298543759721788383816540422333430292030883380440242469234903193688320192413698212154775026244244196587629215529349439, 122927173440180953444662433474083795911421352764116743651940370614018966430157645895292514403617065522903149995860646654893791607848456961010416154477471279012016689725167398900740981766252818136656875685057173271127364782254020078195020269591458290777871967505852847729147604365960804210570303285847704383838, 44233148033940554518432069693759033772383557137256208049342336728964649128201129418248029048455077888784420944572193219780439638707817230248572975335198314036583478516348610748201061630538604305891410474498186918257941528933343064918770597617988984498416891802978664061022237210655046967332587866256202949892, 93945101865165834651030752141276949991568628433520700392114189816600544396582708855981883777442770327027947418039728898637860073054781023087929128993917266453956464368053124527395745452407733825804653717528957214721157125830092515381862283410183665194322787464290673344883392992558759324619716952152651997162, 22730706116732432827726070874241713593369489580689310920350655818718408738470892188020509332323278263964591696394047978191938035115889175060327324556077501151083828817726795434554236484206095214626725550236661310998674664814342644753736805886350007323393028684328815053810466996924583341348546738433492053843]
+print(f"LEN:{len(NArr)}")
+e = 65537
+# I can try to find a common prime then it's the same thing
+for i in range(len(NArr)):
+    for j in range(len(NArr)):
+        if(i!=j):
+            p1 = gcd(NArr[i],NArr[j])
+            if(p1 != 1):
+                p2 = NArr[i] // p1
+                p3 = NArr[j] // p1
+                #print(f"P2:{p2} and P3:{p3}")
+                phi = (p1-1)*(p2-1)
+                res = egcd(e, phi)
+                u = res[1]
+                decrypted = pow(c[i],u,NArr[i])
+                print(decrypted.to_bytes(decrypted.bit_length()//8+1,byteorder='big').decode())
+                break
+

crypto-asimmetric/RSA-3/chall.py

@@ -0,0 +1,11 @@
+from Crypto.Util.number import bytes_to_long, getPrime
+from secret import flag
+import numpy as np
+
+primes = [getPrime(512) for _ in range(10)]
+mods = [np.random.choice(primes, 2, replace=False) for _ in range(6)]
+mods = [m[0]*m[1] for m in mods]
+e = 65537
+print(mods)
+m = bytes_to_long(flag.encode())
+print([pow(m, e, n) for n in mods])

crypto-asimmetric/RSA-4/attack.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python3
+
+from gmpy2 import gcd
+from Cryptodome.Util.number import bytes_to_long, getPrime
+
+def egcd(a, b):
+    if (a == 0):
+        return (b, 0, 1)
+    else:
+        g, y, x = egcd(b%a, a)
+        return (g, x - (b//a) * y, y)
+
+# N is the same
+n = 136372941954692995052032614106416002216650352281441768759106047115825257661310123118558086046873251952204915740853517008372422353621244931366409094731856824295828106036399145756514345255241109944294641060644246049854296519101775880563276657142059245230769447888021843340822736997057074223723734593369646608283
+c = [88934261481985787316571946676203348514352494646042103159736155624287938096099586834729171652139440814472420307071476143907698982272593448957770236088603490101924827608944006107576740571416087954304061091614594794358854353419664581332745351113861171522629631586344259719016707622211007808872462656489173218734, 31191490339291402076171068036548032381977184741778243810947202097002026583133103229115040414216968980627919985794378128894603186334221963211692252394535977554990491215621733091487550326776298499502932523408287882489799200954692353162958794137970552454035789701538315132727860436887544051794011893682559545564]
+
+e = [31, 71]
+#Bezut
+#C1^u*C2^v = m mod n
+res = egcd(e[0],e[1])
+u = res[1]
+v = res[2]
+
+val = u*e[0] + v * e[1]
+print(val)
+
+decrypted = pow(c[0],u,n) * pow(c[1],v,n) % n
+
+print(decrypted.to_bytes(decrypted.bit_length()//8 + 1, byteorder='big').decode())

crypto-asimmetric/RSA-4/chall.py

@@ -0,0 +1,8 @@
+from Crypto.Util.number import bytes_to_long, getPrime
+from secret import flag
+p, q = getPrime(512), getPrime(512)
+n = p*q
+e = [31, 71]
+print(n)
+m = bytes_to_long(flag.encode())
+print([pow(m, ee, n) for ee in e])

crypto-asimmetric/RSA-6/attack.py

@@ -0,0 +1,22 @@
+from Cryptodome.Util.number import bytes_to_long, getPrime, inverse
+from pwn import *
+HOST = "130.192.5.212"
+PORT = "6646"
+e = 65537
+sleepT = 0.1
+server = remote(HOST,PORT)
+
+c = server.recv(1024).strip()
+sleep(sleepT)
+p = b'e4\n'
+server.send(p)
+sleep(sleepT)
+pe = server.recv(1024).strip()
+
+server.send(b'd')
+server.send(str(int(pe)*int(c)))
+server.send(b'\n')
+sleep(sleepT)
+d = int(server.recv(1024))
+print(bytearray.fromhex(format(d // 4, "x")).decode())
+#m = (pow(4, e, n) * c) % n

crypto-asimmetric/RSA-6/chall.py

@@ -0,0 +1,19 @@
+from Cryptodome.Util.number import bytes_to_long, getPrime, inverse
+from secret import flag
+
+p, q = getPrime(512), getPrime(512)
+n = p*q
+e = 65537
+m = bytes_to_long(flag.encode())
+print(pow(m, e, n))
+
+for _ in range(3):
+    req = input()
+    if req[0] == 'e':
+        print(pow(int(req[1:]), e, n))
+    elif req[0] == 'd':
+        phi = (p-1)*(q-1)
+        d = inverse(e, phi)
+        dec = pow(int(req[1:]), d, n)
+        assert dec != m
+        print(dec)

crypto-asimmetric/RSA-7/attack.py

@@ -0,0 +1,35 @@
+from pwn import *
+import decimal
+
+HOST = "130.192.5.212"
+PORT = "6647"
+server = remote(HOST,PORT)
+
+n = int(server.recv(1024).strip())
+c = int(server.recv(1024).strip())
+e = 65537
+
+def to_bytes(m,l=512):
+    return int.to_bytes(m, l=n.bit_length(), byteorder='big')
+def print_bounds(low, up):
+    print("[" + str(low) + "," + str(up) + "]")
+decimal.getcontext().prec = n.bit_length()
+upper_bound = decimal.Decimal(n)
+lower_bound = decimal.Decimal(0)
+m = c
+for i in range(n.bit_length()):
+    m = (pow(2, e, n) * m) % n
+    print(f"M:{m}")
+    server.send(str(m))
+    server.send(b'\n')
+    bit = server.recv(1024)
+    bit = int(bit)
+    print(f"Bit:{bit}")
+    if  bit == 1:
+        lower_bound = (upper_bound + lower_bound) / 2
+    else:
+        upper_bound = (upper_bound + lower_bound) / 2
+#lower_bound = 158107821233229568930984452875602183391823091373912004357129417626853988321867785934374974861174017194049484884
+upper_bound = int(upper_bound)
+print(f"UB:{upper_bound}")
+print(upper_bound.to_bytes(n.bit_length(),'big').decode())

crypto-asimmetric/RSA-7/chall.py

@@ -0,0 +1,16 @@
+from Crypto.Util.number import bytes_to_long, getPrime, inverse
+from secret import flag
+
+p, q = getPrime(512), getPrime(512)
+n = p*q
+e = 65537
+print(n)
+m = bytes_to_long(flag.encode())
+print(pow(m, e, n))
+phi = (p-1)*(q-1)
+d = inverse(e, phi)
+
+while True:
+    req = input()
+    dec = pow(int(req), d, n)
+    print(dec % 2)

crypto-asimmetric/RSA-8/attack.py

@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+def iroot(k, n):
+    u, s = n, n+1
+    while u < s:
+        s = u
+        t = (k-1) * s + n // pow(s, k-1)
+        u = t // k
+    return s
+
+def egcd(a, b):
+    if a == 0:
+        return (b, 0, 1)
+    else:
+        g, y, x = egcd(b % a, a)
+        return (g, x - (b // a) * y, y)
+
+n = [103182582101088432221896723911959658810148642607491933315730960734118240195754769950819474607526761310491072435697251726703164265174774235724659738831757409760766157639161825762332534066038346404165315092057708788440973076257965331599855954578010994574159603470755148099351579202141225172980367799665476167847, 164529226839413559924976053055945999494164079991436306473401181675696469337231336487085545789574002739916229214459538703141568506814456513212890362327970644104020403940185072579976632642454837002305793830295185819162025725080875039582271289438064337645037739930310804010164136027800069917885200489266709851147, 101253463082304765569988541878936444188901784404118982304304492412707865403599337342671466935573442997065056100597392285699618123881764488797053967545477164493257618640769155601013044416777930811645230707542352289749878326865162201600174774219905814876248581859055603923729383992948817570153516220675788026019]
+c = [49061847403090198347871622684419440435020583765472679724043086578999237521080306057376530837215217884164240970675343921488615718206622981851071355344619510984897988244448903079728468570182192877366774485494180463301223638383404084085162769928604900840343104637519232149881136672689624849105790343296894169638, 69379335482793180476700701606108054426491112911094839088423398496436178476703250112662999759680953829050820926826348692673810360008347808961160090296815470631238301541316949142095598699542200662648425136888777434584579800116810012163027021559640993590961230761590447340796858130209448565431799660026498031809, 12703169327460384687002396982277926563609859240682417397412251404704813340279611932445729764372467798958975417752028956581609966062236180984581318736509577950218952687259759058038887912101360016831759532164596689952106890923630907107502607383301971789208757053392565264776050015020366373713225575559221036110]
+
+n1 = n[0]
+n2 = n[1]
+n3 = n[2]
+
+c1 = c[0]
+c2 = c[1]
+c3 = c[2]
+
+g, u1,v1 = egcd(n2*n3, n1)
+g, u2,v2 = egcd(n1*n3, n2)
+g, u3,v3 = egcd(n1*n2, n3)
+
+c = (c1 * u1 * n2*n3 + c2 * u2* n1*n3 + c3 * u3 * n1*n2) % (n1*n2*n3)
+e = 3
+dec_int = iroot(e, c)
+print(dec_int.to_bytes(dec_int.bit_length()//8 + 1, byteorder='big').decode())

crypto-asimmetric/RSA-8/chall.py

@@ -0,0 +1,11 @@
+from Crypto.Util.number import bytes_to_long, getPrime
+from secret import flag
+
+n1 = getPrime(512)*getPrime(512)
+n2 = getPrime(512)*getPrime(512)
+n3 = getPrime(512)*getPrime(512)
+n = [n1, n2, n3]
+print(n)
+e = 3
+m = bytes_to_long(flag.encode())
+print([pow(m, e, nn) for nn in n])

crypto-asimmetric/RSA-9/attack.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+
+from Cryptodome.Util.number import bytes_to_long, long_to_bytes,getPrime
+n = 138728501052719695830997827983870257879591108626209095010716818754108501959050430927220695106906763908822395818876460759364322997020222845247478635848425558793671347756842735011885094468024344931360037542098264527076663690119553302046205282212602106990248442514444587909723612295871002063257141634196430659767
+c = 40254592670056897412607628206293101688805220813070436291135637864728213056255791064749974976546612178688674369066366922740751516162695397004586912385306024596939610039396946106249406597089442755317018963104229975283670995939592563335766562761230485826833361814955946571348001305529987233069227384314146133493
+e = 60016485563460433620911462871489753027091796150597697863772440338904706321535832359517415034149374289955681381097544059467926029963755494161141305994584249448583991034102694954139120453335603006006970009433124857766494518747385902016093339683987307620366742481560543776055295663835860818720290861634213881385
+
+#m=8 in the sage script
+m = 8
+d = 130907063345211827271830776605143751868490159532968572514045305424799065327009793
+pt = pow(c, d, n)
+decrypted = long_to_bytes(pt).decode()
+
+print(decrypted)

crypto-asimmetric/RSA-9/chall.py

@@ -0,0 +1,9 @@
+from Crypto.Util.number import bytes_to_long, getPrime
+from secret import flag
+
+p, q = getPrime(512), getPrime(512)
+n = p*q
+print(n)
+e = 60016485563460433620911462871489753027091796150597697863772440338904706321535832359517415034149374289955681381097544059467926029963755494161141305994584249448583991034102694954139120453335603006006970009433124857766494518747385902016093339683987307620366742481560543776055295663835860818720290861634213881385
+m = bytes_to_long(flag.encode())
+print(pow(m, e, n))

crypto-asimmetric/inferious_prime/Arithmetic.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+
+'''
+Created on Dec 22, 2011
+
+@author: pablocelayes
+'''
+
+def egcd(a,b):
+    '''
+    Extended Euclidean Algorithm
+    returns x, y, gcd(a,b) such that ax + by = gcd(a,b)
+    '''
+    u, u1 = 1, 0
+    v, v1 = 0, 1
+    while b:
+        q = a // b
+        u, u1 = u1, u - q * u1
+        v, v1 = v1, v - q * v1
+        a, b = b, a - q * b
+    return u, v, a
+
+def gcd(a,b):
+    '''
+    2.8 times faster than egcd(a,b)[2]
+    '''
+    a,b=(b,a) if a<b else (a,b)
+    while b:
+        a,b=b,a%b
+    return a
+
+def modInverse(e,n):
+    '''
+    d such that de = 1 (mod n)
+    e must be coprime to n
+    this is assumed to be true
+    '''
+    return egcd(e,n)[0]%n
+
+def totient(p,q):
+    '''
+    Calculates the totient of pq
+    '''
+    return (p-1)*(q-1)
+
+def bitlength(x):
+    '''
+    Calculates the bitlength of x
+    '''
+    assert x >= 0
+    n = 0
+    while x > 0:
+        n = n+1
+        x = x>>1
+    return n
+
+
+def isqrt(n):
+    '''
+    Calculates the integer square root
+    for arbitrary large nonnegative integers
+    '''
+    if n < 0:
+        raise ValueError('square root not defined for negative numbers')
+
+    if n == 0:
+        return 0
+    a, b = divmod(bitlength(n), 2)
+    x = 2**(a+b)
+    while True:
+        y = (x + n//x)//2
+        if y >= x:
+            return x
+        x = y
+
+
+def is_perfect_square(n):
+    '''
+    If n is a perfect square it returns sqrt(n),
+
+    otherwise returns -1
+    '''
+    h = n & 0xF; #last hexadecimal "digit"
+
+    if h > 9:
+        return -1 # return immediately in 6 cases out of 16.
+
+    # Take advantage of Boolean short-circuit evaluation
+    if ( h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8 ):
+        # take square root if you must
+        t = isqrt(n)
+        if t*t == n:
+            return t
+        else:
+            return -1
+
+    return -1

crypto-asimmetric/inferious_prime/ContinuedFractions.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+
+'''
+Created on Dec 14, 2011
+
+@author: pablocelayes
+
+'''
+# Types
+CFListT = list[int]  # CF coefficients
+CVListT = list[tuple[int, int]]  # Convergents at each coefficient level
+
+def rational_to_contfrac(x: int, y: int) -> tuple[CFListT, CVListT]:
+    """
+    Converts a rational x/y fraction into
+    a list of partial coefficients [a0, ..., an], and
+    a list of convergents at each coefficient level [(n0, d0), (n1, d1), ...]
+
+    The algorithm of computing the convergents from left to right is available
+    in Section 9.1 of https://r-knott.surrey.ac.uk/Fibonacci/cfINTRO.html#CFtofract
+
+    Args:
+        x (int): numerator of the given rational number
+        y (int): denominator of the given rational number
+
+    Returns:
+        tuple[CFListT, CVListT]: a tuple of coefficients and convergents at each
+        coefficient level
+    """
+    a = x // y
+    cflist = [a]
+    cvlist = [(a, 1)]
+    ppn, ppd = 1, 0  # pre-pre numerator and denominator of convergent
+    pn, pd = a, 1  # pre numerator and denominator of convergent
+    while a * y != x:
+        x, y = y, x - a * y
+        a = x // y
+        cflist.append(a)
+        cn, cd = a * pn + ppn, a * pd + ppd
+        cvlist.append((cn, cd))
+        ppn, ppd = pn, pd
+        pn, pd = cn, cd
+    return cflist, cvlist

crypto-asimmetric/inferious_prime/attack.py

@@ -0,0 +1,16 @@
+import ContinuedFractions, Arithmetic
+from Cryptodome.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD
+
+#flag len == 23
+n = 770071954467068028952709005868206184906970777429465364126693
+e = 3
+# ct = pow(pt, e, n)
+ct = 388435672474892257936058543724812684332943095105091384265939
+p =  888242373638787482012535770369
+q = 866961515596671343895614356197
+phi = (p - 1)*(q - 1)
+d = inverse(e, phi)
+#res = egcd(e, phi)
+pt = pow(ct,d,n)
+decrypted = long_to_bytes(pt)
+print(decrypted.decode())

crypto-asimmetric/inferious_prime/attack2.py

@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+
+import ContinuedFractions, Arithmetic
+from Cryptodome.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD
+
+def hack_RSA(e,n):
+    '''
+    Finds d knowing (e,n)
+    applying the Wiener continued fraction attack
+    '''
+    _, convergents = ContinuedFractions.rational_to_contfrac(e, n)
+
+    for (k,d) in convergents:
+
+        #check if d is actually the key
+        if k!=0 and (e*d-1)%k == 0:
+            phi = (e*d-1)//k
+            s = n - phi + 1
+            # check if the equation x^2 - s*x + n = 0
+            # has integer roots
+            discr = s*s - 4*n
+            if(discr>=0):
+                t = Arithmetic.is_perfect_square(discr)
+                if t!=-1 and (s+t)%2==0:
+                    print("Hacked!")
+                    return d
+
+
+n = 138728501052719695830997827983870257879591108626209095010716818754108501959050430927220695106906763908822395818876460759364322997020222845247478635848425558793671347756842735011885094468024344931360037542098264527076663690119553302046205282212602106990248442514444587909723612295871002063257141634196430659767
+c = 40254592670056897412607628206293101688805220813070436291135637864728213056255791064749974976546612178688674369066366922740751516162695397004586912385306024596939610039396946106249406597089442755317018963104229975283670995939592563335766562761230485826833361814955946571348001305529987233069227384314146133493
+e = 60016485563460433620911462871489753027091796150597697863772440338904706321535832359517415034149374289955681381097544059467926029963755494161141305994584249448583991034102694954139120453335603006006970009433124857766494518747385902016093339683987307620366742481560543776055295663835860818720290861634213881385
+print(hack_RSA(e,n))

crypto-asimmetric/inferious_prime/challenge.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+from Cryptodome.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD
+from secret import flag
+
+assert len(flag) == 23
+
+e = 3
+
+# n will be 8 * (100 + 100) = 1600 bits strong which is pretty good
+while True:
+    #getPrime is 100 bits not 100 Bytes
+    p = getPrime(100)
+    q = getPrime(100)
+    phi = (p - 1) * (q - 1)
+    d = inverse(e, phi)
+    if d != -1 and GCD(e, phi) == 1:
+        break
+
+n = p * q
+
+pt = bytes_to_long(flag)
+ct = pow(pt, e, n)
+
+print(f"n = {n}")
+print(f"e = {e}")
+print(f"ct = {ct}")
+
+pt = pow(ct, d, n)
+decrypted = long_to_bytes(pt)
+assert decrypted == flag

crypto-asimmetric/inferious_prime/ct.txt

@@ -0,0 +1,3 @@
+n = 770071954467068028952709005868206184906970777429465364126693
+e = 3
+ct = 388435672474892257936058543724812684332943095105091384265939

crypto-asimmetric/inferious_prime/factor.json

@@ -0,0 +1,4 @@
+{ 	"input-expression":"factor(770071954467068028952709005868206184906970777429465364126693)", 	"input-decimal":"770071954467068028952709005868206184906970777429465364126693", 	"factors-prime":["866961515596671343895614356197","888242373638787482012535770369"], 	"pm1-curves" : {"150000":1}, 	"ecm-curves" : {"2000":30,"11000":49}, 	"ecm-levels" : {"t15":5.08,"t20":0.70,"t25":0.03}, "ecm-sum":18.49, 	"runtime" : {"total":3.3668, "ecm":0.7145, "pm1":0.1709, "siqs":1.5859}, 	"time-start" : "2025-05-31  16:36:45", 	"time-end" : "2025-05-31  16:36:49", 	"info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }
+{ 	"input-expression":"factor(770071954467068028952709005868206184906970777429465364126693)", 	"input-decimal":"770071954467068028952709005868206184906970777429465364126693", 	"factors-prime":["866961515596671343895614356197","888242373638787482012535770369"], 	"pm1-curves" : {"150000":1}, 	"ecm-curves" : {"2000":30,"11000":49}, 	"ecm-levels" : {"t15":5.08,"t20":0.70,"t25":0.03}, "ecm-sum":18.49, 	"runtime" : {"total":3.4269, "ecm":0.7212, "pm1":0.1541, "siqs":1.6543}, 	"time-start" : "2025-05-31  16:41:17", 	"time-end" : "2025-05-31  16:41:20", 	"info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }
+{ 	"input-expression":"factor(770071954467068028952709005868206184906970777429465364126693)", 	"input-decimal":"770071954467068028952709005868206184906970777429465364126693", 	"factors-prime":["866961515596671343895614356197","888242373638787482012535770369"], 	"pm1-curves" : {"150000":1}, 	"ecm-curves" : {"2000":30,"11000":49}, 	"ecm-levels" : {"t15":5.08,"t20":0.70,"t25":0.03}, "ecm-sum":18.49, 	"runtime" : {"total":3.4194, "ecm":0.7182, "pm1":0.1517, "siqs":1.6473}, 	"time-start" : "2025-05-31  16:59:56", 	"time-end" : "2025-05-31  16:59:59", 	"info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }
+{ 	"input-expression":"factor(1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597)", 	"input-decimal":"1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597", 	"factors-prime":["3","24091","178873"], 	"factors-composite":["107311142968629109987106827924726849190727506922563506528296052606752554050570684149745249560701073047057673863013240005659733442526608459395106318894320211913016755833364378916165851253656368165804685947807602445392047856291998097447484713577830026745416939664870681389803184120274440801965548093"], 	"pm1-curves" : {"150000":1,"3750000":1}, 	"ecm-curves" : {"2000":30,"11000":74,"50000":214,"250000":331}, 	"ecm-levels" : {"t15":103.94,"t20":52.60,"t25":7.67,"t30":0.84,"t35":0.07}, "ecm-sum":29.18, 	"runtime" : {"total":674.1954, "ecm":582.0758, "pm1":3.8655}, 	"time-start" : "2025-05-31  17:16:44", 	"time-end" : "2025-05-31  17:27:58", 	"info":{"compiler":"MSVC 1931","ECM-version":"7.0.6","MPIR-version":"3.0.0","yafu-version":"3.0"} }

crypto-asimmetric/inferious_prime/factor.log

@@ -0,0 +1,251 @@
+05/31/25 16:36:45, 
+05/31/25 16:36:45, ****************************
+05/31/25 16:36:45, Starting factorization of 770071954467068028952709005868206184906970777429465364126693
+05/31/25 16:36:45, using pretesting plan: normal
+05/31/25 16:36:45, no tune info: using qs/gnfs crossover of 95 digits
+05/31/25 16:36:45, no tune info: using qs/snfs crossover of 95 digits
+05/31/25 16:36:45, ****************************
+05/31/25 16:36:45, rho: x^2 + 3, starting 1000 iterations on C60
+05/31/25 16:36:45, rho: x^2 + 2, starting 1000 iterations on C60
+05/31/25 16:36:45, rho: x^2 + 1, starting 1000 iterations on C60
+05/31/25 16:36:45, pm1: starting B1 = 150K, B2 = gmp-ecm default on C60
+05/31/25 16:36:46, current ECM pretesting depth: 0.000000
+05/31/25 16:36:46, scheduled 30 curves at B1=2000 toward target pretesting depth of 18.461538
+05/31/25 16:36:46, Finished 30 curves using GMP-ECM method on C60 input, B1=2k, B2=gmp-ecm default
+05/31/25 16:36:46, current ECM pretesting depth: 15.177725
+05/31/25 16:36:46, scheduled 49 curves at B1=11000 toward target pretesting depth of 18.461538
+05/31/25 16:36:46, Finished 49 curves using GMP-ECM method on C60 input, B1=11k, B2=gmp-ecm default
+05/31/25 16:36:46, final ECM pretested depth: 18.488536
+05/31/25 16:36:46, scheduler: switching to sieve method
+05/31/25 16:36:47, starting SIQS on c60: 770071954467068028952709005868206184906970777429465364126693
+05/31/25 16:36:47, random seed: 9798781643487242962
+05/31/25 16:36:47, ==== sieve params ====
+05/31/25 16:36:47, n = 60 digits, 199 bits
+05/31/25 16:36:47, factor base: 3680 primes (max prime = 74821)
+05/31/25 16:36:47, single large prime cutoff: 5611575 (75 * pmax)
+05/31/25 16:36:47, allocating 2 large prime slices of factor base
+05/31/25 16:36:47, buckets hold 2048 elements
+05/31/25 16:36:47, large prime hashtables have 131072 bytes
+05/31/25 16:36:47, using SSE41 enabled 32k sieve core
+05/31/25 16:36:47, sieve interval: 4 blocks of size 32768
+05/31/25 16:36:47, polynomial A has ~ 7 factors
+05/31/25 16:36:47, using multiplier of 1
+05/31/25 16:36:47, using multiplier of 1 (kn mod 8 == 5)
+05/31/25 16:36:47, using SPV correction of 20 bits, starting at offset 31
+05/31/25 16:36:47, trial factoring cutoff at 66 bits
+05/31/25 16:36:47, ==== sieving started (1 thread) ====
+05/31/25 16:36:49, trial division touched 318827 sieve locations out of 2373976064
+05/31/25 16:36:49, total reports = 318827, total surviving reports = 52531
+05/31/25 16:36:49, total blocks sieved = 72448, avg surviving reports per block = 0.73
+05/31/25 16:36:49, 3751 relations found: 1751 full + 2000 from 19532 partial, using 9056 polys (160 A polys)
+05/31/25 16:36:49, on average, sieving found 2.35 rels/poly and 13965.63 rels/sec
+05/31/25 16:36:49, trial division touched 318827 sieve locations out of 2373976064
+05/31/25 16:36:49, ==== post processing stage (msieve-1.38) ====
+05/31/25 16:36:49, QS elapsed time = 1.5248 seconds.
+05/31/25 16:36:49, begin singleton removal with 21283 relations
+05/31/25 16:36:49, reduce to 5491 relations in 2 passes
+05/31/25 16:36:49, recovered 5491 relations
+05/31/25 16:36:49, recovered 4143 polynomials
+05/31/25 16:36:49, attempting to build 3751 cycles
+05/31/25 16:36:49, found 3751 cycles from 5491 relations in 1 passes
+05/31/25 16:36:49, distribution of cycle lengths:
+05/31/25 16:36:49,    length 1 : 1751
+05/31/25 16:36:49,    length 2 : 2000
+05/31/25 16:36:49, largest cycle: 2 relations
+05/31/25 16:36:49, matrix is 3680 x 3751 (0.5 MB) with weight 91090 (24.28/col)
+05/31/25 16:36:49, sparse part has weight 91090 (24.28/col)
+05/31/25 16:36:49, filtering completed in 3 passes
+05/31/25 16:36:49, matrix is 3423 x 3487 (0.4 MB) with weight 83804 (24.03/col)
+05/31/25 16:36:49, sparse part has weight 83804 (24.03/col)
+05/31/25 16:36:49, commencing Lanczos iteration
+05/31/25 16:36:49, memory use: 0.6 MB
+05/31/25 16:36:49, lanczos halted after 55 iterations (dim = 3419)
+05/31/25 16:36:49, recovered 62 nontrivial dependencies
+05/31/25 16:36:49, prp30 = 888242373638787482012535770369
+05/31/25 16:36:49, prp30 = 866961515596671343895614356197
+05/31/25 16:36:49, Lanczos elapsed time = 0.0590 seconds.
+05/31/25 16:36:49, Sqrt elapsed time = 0.0020 seconds.
+05/31/25 16:36:49, SIQS elapsed time = 1.5859 seconds.
+05/31/25 16:36:49, 
+05/31/25 16:36:49, 
+05/31/25 16:36:49, Total factoring time = 3.3668 seconds
+05/31/25 16:41:17, 
+05/31/25 16:41:17, ****************************
+05/31/25 16:41:17, Starting factorization of 770071954467068028952709005868206184906970777429465364126693
+05/31/25 16:41:17, using pretesting plan: normal
+05/31/25 16:41:17, no tune info: using qs/gnfs crossover of 95 digits
+05/31/25 16:41:17, no tune info: using qs/snfs crossover of 95 digits
+05/31/25 16:41:17, ****************************
+05/31/25 16:41:17, rho: x^2 + 3, starting 1000 iterations on C60
+05/31/25 16:41:17, rho: x^2 + 2, starting 1000 iterations on C60
+05/31/25 16:41:17, rho: x^2 + 1, starting 1000 iterations on C60
+05/31/25 16:41:17, pm1: starting B1 = 150K, B2 = gmp-ecm default on C60
+05/31/25 16:41:17, current ECM pretesting depth: 0.000000
+05/31/25 16:41:17, scheduled 30 curves at B1=2000 toward target pretesting depth of 18.461538
+05/31/25 16:41:17, Finished 30 curves using GMP-ECM method on C60 input, B1=2k, B2=gmp-ecm default
+05/31/25 16:41:17, current ECM pretesting depth: 15.177725
+05/31/25 16:41:17, scheduled 49 curves at B1=11000 toward target pretesting depth of 18.461538
+05/31/25 16:41:18, Finished 49 curves using GMP-ECM method on C60 input, B1=11k, B2=gmp-ecm default
+05/31/25 16:41:18, final ECM pretested depth: 18.488536
+05/31/25 16:41:18, scheduler: switching to sieve method
+05/31/25 16:41:19, starting SIQS on c60: 770071954467068028952709005868206184906970777429465364126693
+05/31/25 16:41:19, random seed: 2197617152253159330
+05/31/25 16:41:19, ==== sieve params ====
+05/31/25 16:41:19, n = 60 digits, 199 bits
+05/31/25 16:41:19, factor base: 3680 primes (max prime = 74821)
+05/31/25 16:41:19, single large prime cutoff: 5611575 (75 * pmax)
+05/31/25 16:41:19, allocating 2 large prime slices of factor base
+05/31/25 16:41:19, buckets hold 2048 elements
+05/31/25 16:41:19, large prime hashtables have 131072 bytes
+05/31/25 16:41:19, using SSE41 enabled 32k sieve core
+05/31/25 16:41:19, sieve interval: 4 blocks of size 32768
+05/31/25 16:41:19, polynomial A has ~ 7 factors
+05/31/25 16:41:19, using multiplier of 1
+05/31/25 16:41:19, using multiplier of 1 (kn mod 8 == 5)
+05/31/25 16:41:19, using SPV correction of 20 bits, starting at offset 31
+05/31/25 16:41:19, trial factoring cutoff at 66 bits
+05/31/25 16:41:19, ==== sieving started (1 thread) ====
+05/31/25 16:41:20, trial division touched 319551 sieve locations out of 2382364672
+05/31/25 16:41:20, total reports = 319551, total surviving reports = 86124
+05/31/25 16:41:20, total blocks sieved = 72704, avg surviving reports per block = 1.18
+05/31/25 16:41:20, 3751 relations found: 1775 full + 1976 from 19593 partial, using 9088 polys (160 A polys)
+05/31/25 16:41:20, on average, sieving found 2.35 rels/poly and 13449.19 rels/sec
+05/31/25 16:41:20, trial division touched 319551 sieve locations out of 2382364672
+05/31/25 16:41:20, ==== post processing stage (msieve-1.38) ====
+05/31/25 16:41:20, QS elapsed time = 1.5897 seconds.
+05/31/25 16:41:20, begin singleton removal with 21368 relations
+05/31/25 16:41:20, reduce to 5490 relations in 2 passes
+05/31/25 16:41:20, recovered 5490 relations
+05/31/25 16:41:20, recovered 4137 polynomials
+05/31/25 16:41:20, attempting to build 3751 cycles
+05/31/25 16:41:20, found 3751 cycles from 5490 relations in 1 passes
+05/31/25 16:41:20, distribution of cycle lengths:
+05/31/25 16:41:20,    length 1 : 1775
+05/31/25 16:41:20,    length 2 : 1976
+05/31/25 16:41:20, largest cycle: 2 relations
+05/31/25 16:41:20, matrix is 3680 x 3751 (0.5 MB) with weight 90726 (24.19/col)
+05/31/25 16:41:20, sparse part has weight 90726 (24.19/col)
+05/31/25 16:41:20, filtering completed in 3 passes
+05/31/25 16:41:20, matrix is 3382 x 3446 (0.4 MB) with weight 82607 (23.97/col)
+05/31/25 16:41:20, sparse part has weight 82607 (23.97/col)
+05/31/25 16:41:20, commencing Lanczos iteration
+05/31/25 16:41:20, memory use: 0.6 MB
+05/31/25 16:41:20, lanczos halted after 55 iterations (dim = 3380)
+05/31/25 16:41:20, recovered 63 nontrivial dependencies
+05/31/25 16:41:20, prp30 = 888242373638787482012535770369
+05/31/25 16:41:20, prp30 = 866961515596671343895614356197
+05/31/25 16:41:20, Lanczos elapsed time = 0.0580 seconds.
+05/31/25 16:41:20, Sqrt elapsed time = 0.0070 seconds.
+05/31/25 16:41:20, SIQS elapsed time = 1.6543 seconds.
+05/31/25 16:41:20, 
+05/31/25 16:41:20, 
+05/31/25 16:41:20, Total factoring time = 3.4269 seconds
+05/31/25 16:59:56, 
+05/31/25 16:59:56, ****************************
+05/31/25 16:59:56, Starting factorization of 770071954467068028952709005868206184906970777429465364126693
+05/31/25 16:59:56, using pretesting plan: normal
+05/31/25 16:59:56, no tune info: using qs/gnfs crossover of 95 digits
+05/31/25 16:59:56, no tune info: using qs/snfs crossover of 95 digits
+05/31/25 16:59:56, ****************************
+05/31/25 16:59:56, rho: x^2 + 3, starting 1000 iterations on C60
+05/31/25 16:59:56, rho: x^2 + 2, starting 1000 iterations on C60
+05/31/25 16:59:56, rho: x^2 + 1, starting 1000 iterations on C60
+05/31/25 16:59:56, pm1: starting B1 = 150K, B2 = gmp-ecm default on C60
+05/31/25 16:59:56, current ECM pretesting depth: 0.000000
+05/31/25 16:59:56, scheduled 30 curves at B1=2000 toward target pretesting depth of 18.461538
+05/31/25 16:59:57, Finished 30 curves using GMP-ECM method on C60 input, B1=2k, B2=gmp-ecm default
+05/31/25 16:59:57, current ECM pretesting depth: 15.177725
+05/31/25 16:59:57, scheduled 49 curves at B1=11000 toward target pretesting depth of 18.461538
+05/31/25 16:59:57, Finished 49 curves using GMP-ECM method on C60 input, B1=11k, B2=gmp-ecm default
+05/31/25 16:59:57, final ECM pretested depth: 18.488536
+05/31/25 16:59:57, scheduler: switching to sieve method
+05/31/25 16:59:58, starting SIQS on c60: 770071954467068028952709005868206184906970777429465364126693
+05/31/25 16:59:58, random seed: 5474488345592639154
+05/31/25 16:59:58, ==== sieve params ====
+05/31/25 16:59:58, n = 60 digits, 199 bits
+05/31/25 16:59:58, factor base: 3680 primes (max prime = 74821)
+05/31/25 16:59:58, single large prime cutoff: 5611575 (75 * pmax)
+05/31/25 16:59:58, allocating 2 large prime slices of factor base
+05/31/25 16:59:58, buckets hold 2048 elements
+05/31/25 16:59:58, large prime hashtables have 131072 bytes
+05/31/25 16:59:58, using SSE41 enabled 32k sieve core
+05/31/25 16:59:58, sieve interval: 4 blocks of size 32768
+05/31/25 16:59:58, polynomial A has ~ 7 factors
+05/31/25 16:59:58, using multiplier of 1
+05/31/25 16:59:58, using multiplier of 1 (kn mod 8 == 5)
+05/31/25 16:59:58, using SPV correction of 20 bits, starting at offset 31
+05/31/25 16:59:58, trial factoring cutoff at 66 bits
+05/31/25 16:59:58, ==== sieving started (1 thread) ====
+05/31/25 16:59:59, trial division touched 321806 sieve locations out of 2399666176
+05/31/25 16:59:59, total reports = 321806, total surviving reports = 87328
+05/31/25 16:59:59, total blocks sieved = 73232, avg surviving reports per block = 1.19
+05/31/25 16:59:59, 3747 relations found: 1688 full + 2059 from 19667 partial, using 9154 polys (158 A polys)
+05/31/25 16:59:59, on average, sieving found 2.33 rels/poly and 13473.45 rels/sec
+05/31/25 16:59:59, trial division touched 321806 sieve locations out of 2399666176
+05/31/25 16:59:59, ==== post processing stage (msieve-1.38) ====
+05/31/25 16:59:59, QS elapsed time = 1.5857 seconds.
+05/31/25 16:59:59, begin singleton removal with 21355 relations
+05/31/25 16:59:59, reduce to 5526 relations in 2 passes
+05/31/25 16:59:59, recovered 5526 relations
+05/31/25 16:59:59, recovered 4180 polynomials
+05/31/25 16:59:59, attempting to build 3747 cycles
+05/31/25 16:59:59, found 3747 cycles from 5526 relations in 1 passes
+05/31/25 16:59:59, distribution of cycle lengths:
+05/31/25 16:59:59,    length 1 : 1688
+05/31/25 16:59:59,    length 2 : 2059
+05/31/25 16:59:59, largest cycle: 2 relations
+05/31/25 16:59:59, matrix is 3680 x 3747 (0.5 MB) with weight 92151 (24.59/col)
+05/31/25 16:59:59, sparse part has weight 92151 (24.59/col)
+05/31/25 16:59:59, filtering completed in 3 passes
+05/31/25 16:59:59, matrix is 3383 x 3447 (0.4 MB) with weight 84068 (24.39/col)
+05/31/25 16:59:59, sparse part has weight 84068 (24.39/col)
+05/31/25 16:59:59, commencing Lanczos iteration
+05/31/25 16:59:59, memory use: 0.6 MB
+05/31/25 16:59:59, lanczos halted after 55 iterations (dim = 3381)
+05/31/25 16:59:59, recovered 63 nontrivial dependencies
+05/31/25 16:59:59, prp30 = 866961515596671343895614356197
+05/31/25 16:59:59, prp30 = 888242373638787482012535770369
+05/31/25 16:59:59, Lanczos elapsed time = 0.0580 seconds.
+05/31/25 16:59:59, Sqrt elapsed time = 0.0040 seconds.
+05/31/25 16:59:59, SIQS elapsed time = 1.6473 seconds.
+05/31/25 16:59:59, 
+05/31/25 16:59:59, 
+05/31/25 16:59:59, Total factoring time = 3.4194 seconds
+05/31/25 17:16:44, 
+05/31/25 17:16:44, ****************************
+05/31/25 17:16:44, Starting factorization of 1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597
+05/31/25 17:16:44, using pretesting plan: normal
+05/31/25 17:16:44, no tune info: using qs/gnfs crossover of 95 digits
+05/31/25 17:16:44, no tune info: using qs/snfs crossover of 95 digits
+05/31/25 17:16:44, ****************************
+05/31/25 17:16:44, div: found prime factor = 3
+05/31/25 17:16:44, rho: x^2 + 3, starting 1000 iterations on C306
+05/31/25 17:16:44, prp5 = 24091
+05/31/25 17:16:44, rho: x^2 + 3, starting 1000 iterations on C302
+05/31/25 17:16:44, prp6 = 178873
+05/31/25 17:16:44, rho: x^2 + 3, starting 1000 iterations on C297
+05/31/25 17:16:44, rho: x^2 + 2, starting 1000 iterations on C297
+05/31/25 17:16:44, rho: x^2 + 1, starting 1000 iterations on C297
+05/31/25 17:16:45, pm1: starting B1 = 150K, B2 = gmp-ecm default on C297
+05/31/25 17:16:45, current ECM pretesting depth: 0.000000
+05/31/25 17:16:45, scheduled 30 curves at B1=2000 toward target pretesting depth of 91.384615
+05/31/25 17:16:46, Finished 30 curves using GMP-ECM method on C297 input, B1=2k, B2=gmp-ecm default
+05/31/25 17:16:46, current ECM pretesting depth: 15.177725
+05/31/25 17:16:46, scheduled 74 curves at B1=11000 toward target pretesting depth of 91.384615
+05/31/25 17:16:52, Finished 74 curves using GMP-ECM method on C297 input, B1=11k, B2=gmp-ecm default
+05/31/25 17:16:52, current ECM pretesting depth: 20.242996
+05/31/25 17:16:52, scheduled 214 curves at B1=50000 toward target pretesting depth of 91.384615
+05/31/25 17:18:12, Finished 214 curves using GMP-ECM method on C297 input, B1=50k, B2=gmp-ecm default
+05/31/25 17:18:12, pm1: starting B1 = 3750K, B2 = gmp-ecm default on C297
+05/31/25 17:18:16, current ECM pretesting depth: 25.332854
+05/31/25 17:18:16, scheduled 430 curves at B1=250000 toward target pretesting depth of 91.384615
+05/31/25 17:27:58, Finished 331 curves using GMP-ECM method on C297 input, B1=250k, B2=gmp-ecm default
+05/31/25 17:27:58, ecm work completed:
+05/31/25 17:27:58, 	t15: 103.94
+05/31/25 17:27:58, 	t20: 52.60
+05/31/25 17:27:58, 	t25: 7.67
+05/31/25 17:27:58, 	t30: 0.84
+05/31/25 17:27:58, 	t35: 0.07
+05/31/25 17:27:58, 	estimated sum of completed work is t29.18
+05/31/25 17:27:58, c297 cofactor = 107311142968629109987106827924726849190727506922563506528296052606752554050570684149745249560701073047057673863013240005659733442526608459395106318894320211913016755833364378916165851253656368165804685947807602445392047856291998097447484713577830026745416939664870681389803184120274440801965548093
+05/31/25 17:27:58, Total factoring time = 674.1954 seconds

crypto-asimmetric/inferious_prime/session.log

@@ -0,0 +1,54 @@
+05/31/25 16:35:29, =====================================
+05/31/25 16:35:29, System/Build Info: 
+05/31/25 16:35:29, YAFU Version 3.0
+05/31/25 16:35:29, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0 
+05/31/25 16:35:29, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
+05/31/25 16:35:29, detected AMD Ryzen 5 5600H with Radeon Graphics         
+detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
+05/31/25 16:35:29, CPU features enabled: 05/31/25 16:35:29, SSE41 05/31/25 16:35:29, 
+05/31/25 16:35:29, using 1 random witness for Rabin-Miller PRP checks
+05/31/25 16:35:29, Cached 664579 primes: max prime is 9999991
+05/31/25 16:35:29, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
+
+05/31/25 16:35:29, Random seed: 11355864739165760672
+05/31/25 16:41:06, =====================================
+05/31/25 16:41:06, System/Build Info: 
+05/31/25 16:41:06, YAFU Version 3.0
+05/31/25 16:41:06, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0 
+05/31/25 16:41:06, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
+05/31/25 16:41:06, detected AMD Ryzen 5 5600H with Radeon Graphics         
+detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
+05/31/25 16:41:06, CPU features enabled: 05/31/25 16:41:06, SSE41 05/31/25 16:41:06, 
+05/31/25 16:41:06, using 1 random witness for Rabin-Miller PRP checks
+05/31/25 16:41:06, Cached 664579 primes: max prime is 9999991
+05/31/25 16:41:06, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
+
+05/31/25 16:41:06, Random seed: 2349589573457932528
+05/31/25 16:59:51, =====================================
+05/31/25 16:59:51, System/Build Info: 
+05/31/25 16:59:51, YAFU Version 3.0
+05/31/25 16:59:51, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0 
+05/31/25 16:59:51, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
+05/31/25 16:59:51, detected AMD Ryzen 5 5600H with Radeon Graphics         
+detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
+05/31/25 16:59:51, CPU features enabled: 05/31/25 16:59:51, SSE41 05/31/25 16:59:51, 
+05/31/25 16:59:51, using 1 random witness for Rabin-Miller PRP checks
+05/31/25 16:59:51, Cached 664579 primes: max prime is 9999991
+05/31/25 16:59:51, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
+
+05/31/25 16:59:51, Random seed: 13485483859696141696
+05/31/25 17:16:09, =====================================
+05/31/25 17:16:09, System/Build Info: 
+05/31/25 17:16:09, YAFU Version 3.0
+05/31/25 17:16:09, Built with Microsoft Visual Studio 1931 and LLVM Compiler 13.0.0 
+05/31/25 17:16:09, Using GMP-ECM 7.0.6, Powered by MPIR 3.0.0
+05/31/25 17:16:09, detected AMD Ryzen 5 5600H with Radeon Graphics         
+detected L1 = 32768 bytes, L2 = 16777216 bytes, CL = 64 bytes
+05/31/25 17:16:09, CPU features enabled: 05/31/25 17:16:09, SSE41 05/31/25 17:16:09, 
+05/31/25 17:16:09, using 1 random witness for Rabin-Miller PRP checks
+05/31/25 17:16:09, Cached 664579 primes: max prime is 9999991
+05/31/25 17:16:09, Could not parse yafu.ini from Z:\home\emln\Documents\crypto\ctf\crypto-asimmetric\inferious_prime
+
+05/31/25 17:16:09, Random seed: 10478636967936581680
+05/31/25 17:16:44, Processing: factor(1387285010527196958309978279838702578795911086262090950107168187541085019590504309272206951069067639088223958188764607593643229970202228452474786358484255587936713477568427350118850944680243449313600375420982645270766636901195533020462052822126021069902484425144445879097236122958710020632571416341964306597)
+05/31/25 17:27:58, Result    : 107311142968629109987106827924726849190727506922563506528296052606752554050570684149745249560701073047057673863013240005659733442526608459395106318894320211913016755833364378916165851253656368165804685947807602445392047856291998097447484713577830026745416939664870681389803184120274440801965548093

crypto-asimmetric/inferious_prime/test.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+from Cryptodome.PublicKey import RSA
+
+
+#kth root of the number n
+def iroot(k, n):
+    u, s = n, n+1
+    while u < s:
+        s = u
+        t = (k-1) * s + n // pow(s, k-1)
+        u = t // k
+    return s
+
+if __name__ == '__main__':
+
+    e = 3
+    # d = rsa_keypair.d
+    n = 388435672474892257936058543724812684332943095105091384265939
+    m = b'A'*8
+    m_int = int.from_bytes(m,byteorder='big')
+
+    c = pow(m_int,e,n)
+
+    decrypted_int = iroot(e, c)
+    print(decrypted_int)
+    print(decrypted_int.to_bytes(decrypted_int.bit_length() // 8 +1, byteorder='big').decode())
+
+    dec = pow(c, 1/3)
+    print(dec)

crypto-asimmetric/inferious_prime/wiener.py

@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+import ContinuedFractions, Arithmetic
+
+def hack_RSA(e,n):
+    '''
+    Finds d knowing (e,n)
+    applying the Wiener continued fraction attack
+    '''
+    _, convergents = ContinuedFractions.rational_to_contfrac(e, n)
+
+    for (k,d) in convergents:
+
+        #check if d is actually the key
+        if k!=0 and (e*d-1)%k == 0:
+            phi = (e*d-1)//k
+            s = n - phi + 1
+            # check if the equation x^2 - s*x + n = 0
+            # has integer roots
+            discr = s*s - 4*n
+            if(discr>=0):
+                t = Arithmetic.is_perfect_square(discr)
+                if t!=-1 and (s+t)%2==0:
+                    print("Hacked!")
+                    return d

crypto-hash/equality/attack.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+from pwn import *
+HOST = "130.192.5.212"
+PORT = 6631
+#Generate with MD4-Collision
+m1 = "c2a66ef939681a46895edbd696dec463691253412c051f4c147b955348bcb90d9721b08e22ee254c42f24fa7d6a946ca16a09caa7e71cc430c30f1448763b200"
+m2 = "c2a66ef939681ac6895edb4696dec463691253412c051f4c147b955348bcb90d9721b08e22ee254c42f24fa7d6a946ca16a09baa7e71cc430c30f1448763b200"
+server = remote(HOST,PORT)
+server.send(m1)
+server.send(b'\n')
+server.send(m2)
+server.send(b'\n')
+
+print(server.recv(1024))
+
+print(server.recv(1024))
+

crypto-hash/equality/chall.py

@@ -0,0 +1,27 @@
+from Crypto.Hash import MD4
+import hashlib
+from binascii import unhexlify
+from secret import flag
+
+
+def md4(data: bytes) -> str:
+    h = MD4.new()
+    h.update(data)
+    return h.hexdigest()
+
+
+print("Find two strings that are both equal and different! I'll use _optimized algorithms_ to check.")
+
+s1 = unhexlify(input("Enter the first string: "))
+s2 = unhexlify(input("Enter your second string: "))
+
+md4_s1 = md4(s1)
+md4_s2 = md4(s2)
+
+md5_s1 = hashlib.md5(s1).hexdigest()
+md5_s2 = hashlib.md5(s2).hexdigest()
+
+if md4_s1 == md4_s2 and md5_s1 != md5_s2:
+    print(f"Good job! {flag}")
+else:
+    print("Try again!")