Big kudos to ConnorM on the Cryptohack Discord for the help. This challenge is super sneaky, as the implementation looks very sound, and it bears great resemblance to the example of the Python-ecdsa module. I learnt two lessons from this. First, please do code fuzzing carefully - I was very close to the actual solution but simply missed the crucial idea. Second, do not make assumptions about one’s code - vulnerabilities can start from something very silly.

This challenge is simulating the infamous Logjam attack on many internet protocols like HTTPS, SSH, IPsec, SMTPS and protocols rely on TLS that uses Diffie-Hellman key exchange. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography, as there is an option for clients back when the paper is published to use DHE_EXPORT level of security. There is no indication of the cipher suites the server has chosen, so a MiTM can easily modify the client’s ciphersuite to be DHE_EXPORT.

The title of the challenge hints at a clue - the modulo used in the challenge is a smooth prime. There are no obvious weakness in the encryption scheme given in the source code. Again, revising the old lesson - Pohlig-Hellman algorithm is insane at solving DLP with primes of smooth order. Otherwise, the challenge is simply a matter of figuring out the proper Sage syntax to solve the challenge. discrete_log of Sage is powerful when it comes to solving DLP, as the underlying implementation of Sage involves both Pohlig-Hellman and BSGS.

Tricky challenge. The description is trying to throw me off from “My counter can go both upwards and downwards to throw off cryptanalysts”, which is not the case. The given code for encryption given is trying to simulate AES-CTR mode by doing AES-ECB block-by-block with the given IV. However, in the code of increment(), the method for changing the IV, there is a very sneaky bug: def increment(self): if self.stup: self.

The task is to find the generator of the finite field. There are multiple ways to do this: Naive implementation (brute-force). Credits to Landryl @ Cryptohack. ''' Rather than using a set and checking if every element of Fp has been generated, we can also rapidly disregard a number from being a generator by checking if the cycle it generates is smaller in size than p. If we detect a cycle before p elements, k can't be a generator of Fp.