def main():
assert flag.startswith("flag{")
assert flag.endswith("}")
mask = int(flag[5:-1])
assert mask.bit_length() == N
state = random.randint(0, MASK)
print(state)
outputs = ''
for _ in range(N**2):
state, output_bit = lfsr(state, mask)
outputs += str(output_bit)
with open("output.txt", "w") as f:
f.write(outputs)
155, 174, 246, 219, 248, 121, 46, 149, 241, 33, 145, 147, 54, 106, 215,
192, 61, 55, 164, 130, 214, 41, 29, 193, 220, 154, 137, 162, 73, 210,
104, 157, 60, 151, 158, 24, 205, 228, 207, 112, 25, 170, 9, 171, 244,
247, 27, 124, 224, 211, 35, 30, 198, 225, 202, 57, 88, 122, 242, 213,
84, 97, 232, 234, 87, 175, 143, 39, 194, 173, 153, 78, 63, 229, 95, 81,
255, 231, 1, 226, 62, 150, 47, 178, 13
]
else:
import random
from secret import flag
pt = list(range(256))
random.shuffle(pt)
assert flag.startswith("SCTF{") and flag.endswith("}")
#mangling function, C and k are 5 short integers
def shuffle(C, k, perm):
A = [0] * 5
B = [0] * 5
B[0] = perm[C[0] ^ k[0]]
for i in range(1, 5):
B[i] = perm[B[i - 1] ^ C[i] ^ k[i]]
A[0] = perm[B[4] ^ B[0] ^ k[0]]
for i in range(1, 5):
A[i] = perm[A[i - 1] ^ B[i] ^ k[i]]
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import gmpy2
from secret import Sbox, flag
assert set(range(256)) == set(Sbox)
assert flag.startswith(b'hgame{') and flag.endswith(b'}')
def Subs(S, X):
return bytes([S[x] for x in X])
def Mul(A, B):
assert len(A) == len(B)
return Subs(A, B)
def Pow(X, E):
Y = X
E = bin(E)[3:]
for e in E:
Y = Mul(Y, Y)
if e == '1':
Y = Mul(X, Y)
return Y
s = bytes(Sbox)
print(Pow(s, 595))
print(Pow(s, 739))
def vector_to_double_char(v):
assert len(v) == 2
return CHARSET[v[0]] + CHARSET[v[1]]
def encrypt(msg, K):
assert all(c in CHARSET for c in msg)
assert len(msg) % 2 == 0
A, v = K
ciphertext = ""
for i in range(0, len(msg), 2):
tmp = A * double_char_to_vector(msg[i:i + 2]) + v
ciphertext += vector_to_double_char(tmp)
return ciphertext
if __name__ == '__main__':
from secret import flag
assert flag.startswith('kmactf')
A = MatrixSpace(Fp, 2, 2).random_element()
v = VectorSpace(Fp, 2).random_element()
assert A.determinant() != 0
print('ciphertext =', repr(encrypt(flag, (A, v))))
# Output:
# ciphertext = 'u_rm3eefa}_7det1znb{sce{qo0h7yf0b}sktse8xtr6'
from secret import flag
assert flag.startswith("flag{")
assert flag.endswith("}")
assert len(flag) == 22
def lfsr(R, mask):
output = (R << 1) & 0xffffffffffff
i = (R & mask) & 0xffffffffffff
lastbit = 0
while i != 0:
lastbit ^= (i & 1)
i = i >> 1
output ^= lastbit
return (output, lastbit)
f = open('key', 'w')
R = int(flag[5:-1], 8)
mask = 0b101010001000010001001000100000101000100011000010
for i in range(1000):
tmp = 0
for j in range(8):
(R, out) = lfsr(R, mask)
tmp = (tmp << 1) ^ out
f.write(chr(tmp))
f.close
from secret import flag, key
assert len(key) == len(flag) == 57
assert flag.startswith("FLAG{") and flag.endswith("}")
assert key[0:3] * 19 == key
def encrypt(s1, s2):
assert len(s1) == len(s2)
result = ""
for c1, c2 in zip(s1, s2):
result += chr(ord(c1) ^ ord(c2))
return result
ciphertext = encrypt(flag, key)
print(ciphertext, end="")
from Crypto.Util.number import bytes_to_long, isPrime
from secret import flag, p
def encrypt(m, k, p):
return pow(m, 1 << k, p)
assert flag.startswith("TWCTF{")
assert len(flag) == 42
assert isPrime(p)
k = 64
pt = bytes_to_long(flag.encode())
ct = encrypt(pt, k, p)
with open("output.txt", "w") as f:
f.write(str(ct) + "\n")
f.write(str(p) + "\n")
from sage.all import *
from Crypto.Util.number import bytes_to_long
from secret import flag
assert flag.startswith("TQLCTF{")
assert flag.endswith("}")
beta = 0.223
delta = 0.226
gama = 0.292
n_size = 1024
bound_q = 2**int(n_size * beta)
bound_p = 2**int(n_size * (1 - beta))
while True:
p = random_prime(bound_p, proof=False)
q = random_prime(bound_q, proof=False)
N = p * q
if q < pow(N, beta) and gcd(p - 1, (q - 1) / 2) == 1:
break
assert p.is_prime()
assert q.is_prime()
while True:
dp = randint(0, 2**int(n_size * delta))
dq = randint(0, (q - 1))
if gcd(dp, p - 1) == 1 and gcd(dq, (q - 1) / 2) == 1:
break
d = crt([dp, dq], [p - 1, (q - 1) / 2])
from secret import flag
from Crypto.Util.number import *
assert flag.startswith('flag{')
assert flag.endswith('}')
pt = int(flag[5:-1].encode('hex'), 16)
p = getPrime(30)
q = getPrime(25)
n = p * q
e = 65537
assert pt < n
print 'e:', e
print 'n:', n
print 'ct:', pow(pt, e, n)
now_m = large_m % now_p
c1, c2 = elgamal_encrypt(now_m, p, g, y)
f.write('c1, c2 = {}, {}\n'.format(c1, c2))
f.close()
def elgamal_sig_lab(large_m):
f = open('sig', 'wb')
y, x = elgamal_sig_keygen(p, g)
f.write('y = {}\n'.format(y))
for i in range(large_m.bit_length()):
now_m = (large_m >> i) & 1
r, s = elgamal_sig_signify(1024, p, g, x)
if now_m == 1:
f.write('r, s = {}, {}\n'.format(r, s))
else:
f.write('r, s = {}, {}\n'.format(r, randint(0, p - 2)))
f.close()
if __name__ == '__main__':
print 'elgamal_test()', elgamal_test()
print 'elgamal_sig_test()', elgamal_sig_test()
from secret import flag
assert flag.startswith('flag{') and flag.endswith('}')
flag = flag[5:-1]
f1, f2 = s2n(flag[:len(flag) // 2]), s2n(flag[len(flag) // 2:])
elgamal_enc_lab(f1)
elgamal_sig_lab(f2)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from hashlib import md5
from secret import flag
assert flag.startswith(b'hgame) and flag.endswith(b')
class Oo0:
def __init__(self):
self.O0 = [0] * 256
self.Ooo = 0
self.Ooo0 = [0] * 256
for i in range(256):
self.O0[i] = i
self.oO0 = 0
def OO0(self, oO0):
l = len(oO0)
for i in range(256):
self.Ooo0[i] = oO0[i % l]
for i in range(256):
self.oO0 = (self.oO0 + self.O0[i] + self.Ooo0[i]) % 256
self.O0[i], self.O0[self.oO0] = self.O0[self.oO0], self.O0[i]
self.Ooo = self.oO0 = 0
def OO0o(self, length):
O = []
for _ in range(length):
self.Ooo = (self.Ooo + 1) % 256
self.oO0 = (self.oO0 + self.O0[self.Ooo]) % 256
self.O0[self.Ooo], self.O0[self.oO0] = self.O0[self.oO0], self.O0[