A interesting challenge, we are given the modulus n, public exponent e and ciphertext ct. n = 17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883 e = 3 ct = 243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957 From this, denote $m$ as the plaintext, we need to solve the equation $$ m^e \equiv ct \mod N $$ The above equation is equivalent to: $$ m ^ e - ct = 0 \mod N $$ The idea that I had is to use Coppersmith attack for low-exponent 3, we can find the solution to the equation quickly.

In this challenge, we are acting as the MiTM which will intercept the key exchange messages between Alice and Bob. We are able to modify the A and B - each of the shared secret by doing g^a and g^b of Alice and Bob. The flag is sent from Alice to Bob, hence we only need to care about the response of the key exchange message from Bob to Alice. Recall that when Bob’s secret B is sent over to Alice, Alice will do B^a on her side, where a is the secret of Alice.

This takes much longer time than I would like to admit. It is known to me that ECB leads to poor diffusion of the plaintext - the classic example from the Linux penguin used in almost every cryptography book ever. The attack, however, is not exactly clear to me at the beginning. With fuzzy memory of how AES in ECB mode, I was thinking of a scheme that xor a plaintext block with a key block to generate the corresponding ciphertext block.

An embarrassing challenge for me. The solution to this challenge is quite simple. The symmetry of the xor operation enables us to decrypt the message/plaintext $P$ from the $IV$ and ciphertext $C$. Denote the output after running block cipher encryption with key k $E_k$ to be $O$, then we have: $$ O = E_k(IV) $$ $$ C = P \oplus O $$ xor both sides of the above equation, we have:

We are given the following Python code for encrypting the flag: from random import randint a = 288260533169915 p = 1007621497415251 FLAG = b'crypto{????????????????????}' def encrypt_flag(flag): ciphertext = [] plaintext = ''.join([bin(i)[2:].zfill(8) for i in flag]) print(plaintext) for b in plaintext: e = randint(1, p) n = pow(a, e, p) if b == '1': ciphertext.append(n) else: n = -n % p ciphertext.append(n) return ciphertext The way that the encryption works is that if it encounters a bit with value “1” in the binary representation of the plaintext (or the flag itself), then it appends $a^e \mod p$ to the ciphertext array, otherwise it appends $-a^e \mod p$.