id think it'd be interesting if apples grew like vinefruit

Crypto CTF 2023 Writeup (JA)

(English ver. https://shiho-elliptic.tumblr.com/post/722391959624433664/crypto-ctf-2023-writeup-en )

CryptoCTF 2023にieraeとして参加しました. 結果は13位(全完, 得点的には1位タイ)でした.

@ta1yak1_8926 視点: https://hackmd.io/@taiyaki/BJCWj0LKn

Solved by me

Bertrand (medium, 21 solves)

2nd solve.

暗号文は画像で提供される. 鍵の大きさに応じて回転するが, 回転は4種類しかない($$90\times n\lbrack\deg\rbrack$$)ので, 全パターンを列挙できる. また関数 sox は無視できる.

平文と暗号文はbyte-by-byteに対応するので, この暗号はtransposition cipherとして扱える. 鍵に依存したソート処理も存在するが, 鍵の長さは3に固定しているので, $$\lvert S _ 3\rvert = 3! = 6$$ パターンをすべて列挙すればよい.

後はフラグフォーマットを利用し, 鍵の各バイトを総当りすれば解ける. 最終的な計算量はちょうど$$4\times 6 + 256^3$$である.

Solver:

https://gist.github.com/elliptic-shiho/717b44cc1c5cc8b0707a81b7b345cdc9

Insights (medium, 88 solves)

d = next_prime(pow(n, 0.2919)) なので $$d$$ は $$n$$ から唯一定まる. Hardにしては簡単すぎると思っていたらmediumに落ちた. 作問ミス?

Solver:

https://gist.github.com/elliptic-shiho/6ec91e35e4a974572ecb1d576d446ba0

Shevid (hard, 17 solves)

SIDH. 構成からCastryck-Decru attackをそのまま適用できるように見えたため, https://github.com/GiacomoPope/Castryck-Decru-SageMath をもとにコードを少し書いて解いた.

Solver:

https://gist.github.com/elliptic-shiho/f5e694e2cf2233fccf3f199f60f45c6b

Barak (medium, 27 solves)

Hessian curveが与えられる. Hessian curveは楕円曲線と双有理同値なので, Marc Joye and Jean-Jacques Quisquater. 2001. Hessian Elliptic Curves and Side-Channel Attacks. 等を読みつつ楕円曲線上の点に変換.

楕円曲線の点として考えるとき, base point $$P$$とすると$$\lvert P\rvert = 3083219685676632130193959041477461850061047352503612$$である. この素因数はたかだか$$2^{35}$$程度でしかなく, ゆえにPohlig-Hellman attackを適用できる. 実際にはPari/GPの ellog 関数に任せた.

ただし, $$m\lt p$$ という制約しか存在しないにも関わらず$$\lvert P\rvert \lt p$$であるため, $$m$$を完全に復元することはできなかった. このため実際の解は$$x _ 0 + n\lvert P\rvert$$の形になる. ただし $$x _ 0$$ はECDLPの解, $$0\leq n\lt 25$$ ($$\because 24\lvert P\rvert \lt p \lt 25\lvert P\rvert$$).

Solver:

https://gist.github.com/elliptic-shiho/cf112ddf554ea9d447dff31cb40731bf

Byeween (hard, 22 solves)

楕円曲線$$E$$とその上の点$$Q$$が与えられる. $$2P = Q$$を満たす点をすべて計算すればフラグをもらえる.

楕円曲線における2分割点はdivision polynomialの解を計算すれば求められる. 実際SageMathの division_points もこれを利用したものである1. 完全にすべての解を求められない場合もあるようだが, ほとんどの場合うまく行く.

Solver:

https://gist.github.com/elliptic-shiho/deccae6523d5548086e237ee70f1ee42

Vinefruit (hard, 19 solves)

hash collisionを起こせばよい. 対象となるハッシュ関数$$\mathrm{vinefruit} _ {p, o, m}(m)$$はメッセージ$$(m _ i) _ {i = 1, \ldots, \ell}$$とパラメータ$$p, o, m$$に対し$$f(p)$$である. ただし

$$$ f(x) = ((o + m _ 1) x^\ell + m _ 2x^{\ell - 1} + \cdots + m _ \ell x) \bmod m. $$$

$$p, o, m$$を固定して考えるとき, 最も単純なのは $$\mathrm{vinefruit}(00^\ell)$$ への衝突である. これは$$\mathrm{vinefruit}(x) - \mathrm{vinefruit}(00^\ell)\equiv 0\pmod m$$の$$x$$を決定する問題を解くことで求められ, 特にModular knapsack problemに帰着できる. 次に示す格子はその解を与える:

$$$ \begin{pmatrix} 1 & 0 & \cdots & 0 & 0& p\cr 0 & 1 & \cdots& 0 & 0 & p^2\cr 0 & \vdots & \ddots & \cdots & \vdots & \vdots\cr 0 & 0 & \cdots & 1 & 0 & p^{\ell - k}\cr 0 & 0 & \cdots & 0 & 1 & c \cr 0 & 0 & \cdots & 0 & 0 & -m\cr \end{pmatrix} $$$

ただし $$$ c = ((o + m _ \ell)p^\ell + m _ {\ell - 1}p^{\ell - 1} + \cdots + m _ {\ell - k + 1}p^{\ell - k + 1} - \mathrm{vinefruit}(00^\ell)) \bmod m $$$

である. $$m _ \ell, m _ {\ell - 1}, \ldots, m _ {\ell - k + 1}$$は初期値としてランダムに選択する. 実際には重み付けをしているが割愛した. この格子のLLL簡約基底のうち, すべての値が0から255までに収まるようなものを取れば, hash collisionを引き起こせる.

ただし, この方針で進めた場合$$m$$が大きくなるほど衝突を構成しづらくなる. このため$$m = 2^{32}$$, $$m = 2^{64}$$ の場合のみを計算し, $$m = 2^{128}$$ の場合を無視することとした. 本問題は$$\ell\in\lbrace\,35, 34, \ldots, 17\,\rbrace$$に対してそれぞれ3通りの$$m$$が決まるため, $$(2/3)^{18} = 262144/387420489 = 1/(2^{10.52932\ldots}) \gt 1/1500$$より1500回に1回程度$$m \ne 2^{128}$$を仮定できる. これを利用して解いた.

Solver:

https://gist.github.com/elliptic-shiho/bc5cf7f519ad28f2369625ad49bd9089

After the comptetition:

本攻撃は第二原像攻撃を目指したものであったが, 実際には衝突攻撃を解けば十分である. 加えて vinefruit 関数はローリングハッシュとして扱えるため, よく知られたローリングハッシュの衝突実装を引用すれば簡単に解ける (この場合はSVPではなくCVPを解くことになる).

Solved with teammates

Risk (medium, 35 solves)

素因数分解は@ta1yak1_8926が終わらせていた(詳細: https://hackmd.io/@taiyaki/BJCWj0LKn#Risk-122-pts-35-solves-Medium )が, $$\gcd(\varphi(N), e) = 10728$$ な状況におけるRSAを解くところで詰まっていたのでそこだけ. $$\mathbb{F} _ q$$へと帰着して$$x^6 - A = 0$$の解として計算.

Solver:

https://gist.github.com/elliptic-shiho/cfd56e9dd47c7f2041157ffb6bb7477c

Big (hard, 23 solves)

パラメータ$$a, N = pq$$は既知. $$N$$の素因数分解は@ta1yak1_8926が終わらせていた(詳細: https://hackmd.io/@taiyaki/BJCWj0LKn#Big-169-pts-23-solves-Hard ). 最後の部分だけ.

各ビット$$b$$について$$\left(\frac{t}{N}\right) = 1\iff b = 1$$であるように$$t$$を選び, $$c := t - a/t \bmod N$$としている. $$c \equiv (t^2 - a)/t\pmod N$$より$$tc \equiv t^2 - a \pmod N \iff t^2 - tc - a \equiv 0\pmod N$$. 係数はすべて判明しているので, そのまま二次方程式として解けばよい.

Anca-Maria Nica. 2020. Quadratic Residues and Applications in Cryptography. - https://profs.info.uaic.ro/~webdata/doctorate/NicaAncaMaria/Rezumat-En.pdf §4.1.1 Cocks' IBE ciphertexts に同じものがある. フラグもそのことに触れていた.

Solver:

https://gist.github.com/elliptic-shiho/07b3440678135f0712d467925b9e81af

感想

本格的にCTFに取り組んだのは数年振りだったが, 良い結果になってよかった. 速度が落ちている感覚はあるので, リハビリがてら今年はいくらか参加していきたい.

https://github.com/sagemath/sage/blob/9.8/src/sage/schemes/elliptic_curves/ell_point.py#L886 ↩︎

Wynyard Thalycra Alicia Kravtsov Ragsdale Ducky Merman Calamine Corvid Qinling Sango Distance Singe Heorges Lembasada Penumbra Lemonhead Crisolita Wiedenheft Lifa Tabell Tranexamic Fan Rage Philomena Palmieri Rugstein Curtain Thallarcha Avery Ancestors Gentium Interpretation Sage Fuaahhh Atollo Glamping Ollivar Qumran Pickle Martin Thr Azayakana Agazzi Besproken Lymphonol Yim Leur Toilet Kaiki Microwave Decongestant Wyche Raccoon Clonorchiasis Milty Brygge Flatkey Vinefruit Tothpast Shuppo Ismoil Batton Agresto Giang Gaetano Brollio Hamolly Gerasim Hogstein Maggiore Rambaya Going Horwood Mideojunda More Complain Klath Kernel Markiki Distiller Spacious Jaegan Aurenc Fatab Gueddiq Baywindow Inthewoods Biscuit Stoplight Herzlich Asheho Lorley Hdrid Ashwani Giacinto Fashion Strungo Cpso Itacurubi Seattle Genzō Calliope Krone Scarona Slam van Ryuume Okassel Gibbonsville Ģirts Cowskull Altruisrno Komme Transit Tizic Gazelle Khalaf Bambi Gracida Jettha Ehak Piin Custard Encre Kabanda Skalkaho Ancientwarrior Entertaining Pecent Copic Ruleet Lampo Badir Gather Pupcake Datsky And Shinha Mahasena Cloris Poundit Fetran Milkoli Ooshoya Harpsichord Stek Monder Nortsa King Crisoprasa Zokai Gǎnlǎn de Adossa Nazeeh Mandala Sughd Mizoe Hoga Bernard Armando al Loratadine Phylogeny Glasswall Kilky Telecra Pretzelmaker Betet Liliko Tsorvid Kinling Strawbebbies Reach Peas Hwbie Villarp Solamin Wong Caeda Nikatury Xim Hodgkin Biolol Labf Villanueva Pepciw Omoshiro Marzoe Jace Ancientpanda Humidifier Debabrata Kosmos Eisenwurzen Regia Funskool Nazuci Stromple Feride Feuille Genyim Miogu Shoal Zoueyrat Ortonville Funiculus Tootolbay Dinham Yuzemard Atoth Lalaque Jugoya Vinter Takadanobaba Tatoe Highway Various Ramayana Breuci Shokoko Shordgin Malca Milkawo Mewon Osou Fulwar Talisov Gemeinde Clintail Thymus Imbler Gullagan Distonlan Lamp Basidiocarp Saruwa Keani Hogsana Scirtari Jaim Miraka Peach Afu Lebten Towing Falara Batabata Petrody Petro Jae Gaowen Metrorrhagia Hasselhof Rincon Molco Sogeha Haneun Andere Okpy Ruddigore Elleryana Sanofi Nidjah Platicando Banofee Vitae Gijea Woord Royaleona Eiia Lampo Lankford Rhinitis Pevana Rattrapage Riyoz Lamium Margemallow Schmilpey Clomma Zouérat Ollie Gijsbert Gerefereerd Hakala ImAwful Mulphosia Comprehensive Sassie Dolphus Saiire Tsuyoku Motorvei Habnoxious Sodappa Antlers Yonil Chaque AllTheBoys Kroceri Inesh Datakilde Dorbola Guetta Utainagara Show Mioletta Eissa Dake Brap Falemos Quinyeshinjill Kumi Henry Zoticus Jaego Kerid Harmon Shammo Umatilla Peridot Xihaigu Urigade Gmina Cosplay Mustafarrah Mistik Fashionable Ichiban Dodgson Tuesday Itstasse Millienne Trance Fantomes Nærheten Calling Vincent Sheith Lilique Kiyo Amantes Harose Luther Connections Gargoyle Nolvadex Anli Higgin Omg I Hope You Are Not Using A Screen Reader Sorry Thumbelina Pickella Shakarpara Rectus Bamba Scrollforever Yukinojo Linen Korgan Minakama Minkma Caveboy Aantal Cyathus Winckworth Nano Rer Doles Kunda Royce Rakkark Warren Pepto Tulsi Giantclaw Cahier Dawnset Social-feminist Khuzestan Distowell Mikamo Seminole Tambourine Mumusu Starvationmode Igpay Wadley Grangeville Kib Talys Sodapop Prescott Gherkin Scarab Maltic Lupin Tarawih Kurbonova Floor Lemonade Mugeort Funfetti Nenhum Chickwick Blevet Kurusu Meoshi Zulay Lilova Veludo Tatoe Bêtabloquant Clickick Mountainman Shannari Lilfi Amtliche Chinga Eiredd Filsh Jai Kabatta Haploporus Yababata Pterodactyl Wallachia Noopyon Ruccio Verity Karmabbey Hoopoe Grantsdale Schloss Huxley Nywos Eucerin Hunter-Gatherer Florfey Frumity Juglone Heffa Kababa Ripken Batpom Gralling Intelligence Vigorous Hyuga Carcinova Zorbid Corey Hadhramaut Platinum Anuradhapura Hokahoka Billyjoe Stripeyfish Autolavado Drammenshallen Laffo Musum Uatingara Gdbd Xoele Ceylon Tamoxifen Pacomo Fetai Getahun Jazzysky Pockle Mustafa Habjibidigooba Honkstein Yolpek Lamaze Noizu Verleihung Benzene-tetralin Atintani Glisten Eema H’wut Gaynor Backpain Eraldo Mimama Orthodontist Yplryr Foxglove Eikervei Lina Gianluigi Badname Bratz Hisui Doorway Lavendula Oank Professor Grapple Woja Gynger Pina Myrtle Praziquantel Laluka Papava Salted WowWow Sorao Horlath Stupit Guyu Tooloud Itswhat Whatist Shlipo Zutron Enerpak Grinkola Donruss Lindesnes Yukola Dupplin Racapi Biotène Pustard Qana Girlsdate Sorlala Hulalala Oakislandmystery Synthos Barfi Shax Tambourine Ziemowit Sendopopo Hafizullah Vimothy Minth Arcticmint Leolet Nega Julia Winterfest Lax Sirenix Rosisi Städte Mahtron Lilopo Babababa Spores Zeolite Cahill Yorpola Markham Platform Shuwa Henao Pekoko Napoli Hairdye Ayurveda Abasa Monsto Wakeman Richard Rhythm Akubi Okapia Sutton Lutidine Telekura Taxus Mithgur Minomon Güla Toluene Priah Byleth Caramelpudding Alistava Schmilp Frooties Yapiko Cosmê Cage Lurvo Pooloe Clompus Milffy Independent Tedora Rembran Going Thames Sincerity Triggerword Huwolt Oldo der Shulfush Huala Dragonhat Rapple Battaton America Margle Mountainleech Bedmonster Siguang Crinkle Wildboar Plinko Shiala Springley Kijae Wahab Videostore Justawful Clonei Jinko Wichnaight Voltron Ralfina Malicia Period Annas Nostalgia Calaraira Bushiroad Moldova Sherbet Algo Zuzana Secret Krostanovs the Weyer Willard Mariposa Stronger Candywoods Mouthwash Gandalf Mallom Chodstein Polident Tsudotte Coordmate Koe Silvie Neuhaus Howen Kowarz Saigo Worley Way

Our scuppernongs are doing well this year. "The scuppernong /ˈskʌpərˌnɒŋ/ is a large variety of muscadine (Vitis rotundifolia),a species of grape native to the Southern United States. It is usually a greenish or bronze color and is similar in appearance and texture to a white grape, but rounder and larger and first known as the 'big white grape'.The grape is commonly known as the "scuplin" in some areas of the Deep South. It is also known as the "scufalum", "scupanon", "scupadine", "scuppernine," "scupnun", or "scufadine" in some parts of the South. The scuppernong is the state fruit of North Carolina." Wikipedia #viticulture #grapes #scuppernongs #muscadines #southernfoods #fruit #vinefruit #Homestead #Farm #produce (at Saint Helena Island)

Thornless blackberry in our backyard. This plant fruits ripen almost one month after the regular blackberries with thorns and the yield is much better than regular one! #blackberries #blackberry #vinefruits #fruitvines #fruits #berries #berry (at San Jose, California) https://www.instagram.com/p/CChvp9_DSII/?igshid=hi2lu5rv1jiz

3 favorite foods

Muja fruit/vinefruit/ really any citrus fruit. I don’t care for sweets overly much, but citrus fruits make for a nice dessert, particularly if you’ve been in the field for a while and are dying to tear into a real life freshly grown plant before your body self-destructs. Berries are really nice for that too, actually.

Bilbringi cheesy meat pies with peppers. Listen, there is absolutely nothing healthy about the Belbringi meat pies your average lower level Coruscanti diner, much less the ones you find in Hutt space. I have never been to Billbringi to have the real thing, so I can’t speak to that.

But Master Fulier used to take us both for occasional treats to a few 24 hour diners after really long days on missions, and there’s nothing like them after you’ve been up going on 36 hours chasing cartel lackies. Meat and extra melty cheese wrapped up in a golden crust. Nothing like pure fat and protein and carbs to remind you that you’re not actually dead of exhaustion.

Caf.

I have been advised caf does not qualify as food. Nor does behot or Gatalentan tea. I obviously disagree, but as a runner up…

Roasted Chando peppers , Chandrillan style, are always nice, especially as an appetizer before something more substantial, or in a salad with some fresh herbs, a light sauce or tangy cheese, and some sort of crunchy seed. They’re good even if you just douse them in some wine vinegar and oil and eat them raw with other vegetables, but roasted are just a touch more delicious. 

I Would Rather Be In A Lovely Oasis Surrounded By Beautiful Women Drinking Wine And Ingesting Globe Vinefruit

Alas

Crypto CTF 2023 Writeup (EN)

(日本語版: https://shiho-elliptic.tumblr.com/post/722392022714073088/crypto-ctf-2023-writeup-ja )

I participated to CryptoCTF 2023 as a team "ierae". we're placed at 13th (we completed all challenges, so the score is equal to 1st team's that).

My teammate's writeup: @ta1yak1_8926: https://hackmd.io/@taiyaki/BJbEomuF2

Solved by me

Bertrand (medium, 21 solves)

2nd solve.

We have an image file which is encoded the ciphertext. The encrypt function has been applied rotation to that, but rotation degree is only four patterns ($$90\times n\lbrack\deg\rbrack$$, $$n\in \mathbb{Z}$$) so we can enumerate the all cases. More, we can ignore sox because it used at image generation phase only.

The plaintext (= flag) and ciphertext corresponded byte-by-byte, hence this cipher can interpret as a transposition cipher. Further, It has a key-based sort process, but the key-length is only three bytes so we can enumerate all cases of that easily (It's only $$\lvert S _ 3\rvert = 3! = 6$$ patterns!)

I used the flag prefix CCTF{ as "known plaintext" for brute-force the key of that. the allover complexity is just $$256^3$$.

Solver:

https://gist.github.com/elliptic-shiho/717b44cc1c5cc8b0707a81b7b345cdc9

Insights (medium, 88 solves)

$$d$$ is uniquely determined from $$n$$ since d = next_prime(pow(n, 0.2919)). that's all.

Note: the difficulty of this challenge is "hard" at first. I thought "too easy for hard" at solved, but it was changed to "medium" later. lol

Solver:

https://gist.github.com/elliptic-shiho/6ec91e35e4a974572ecb1d576d446ba0

Shevid (hard, 17 solves)

It's an instance of SIDH. We can apply Castryck-Decru attack. I wrote a script that used https://github.com/GiacomoPope/Castryck-Decru-SageMath and solved it.

Solver:

https://gist.github.com/elliptic-shiho/f5e694e2cf2233fccf3f199f60f45c6b

Barak (medium, 27 solves)

We have a Hessian curve. Hessian curve is birationally equivalent to Elliptic curve, so I transform given curve and points to corresponded Elliptic curve and the points on that. Marc Joye and Jean-Jacques Quisquater. 2001. Hessian Elliptic Curves and Side-Channel Attacks. was a good reference for me.

When transformed on the Elliptic curve, the base point $$P$$ holds $$\lvert P\rvert = 3083219685676632130193959041477461850061047352503612$$. Any its prime factor is smaller than $$2^{35}$$, therefore we can use Pohlig-Hellman attack to this ECDLP instance. In fact, I used ellog function of Pari/GP.

Nonetheless, We can't get the plaintext $$m$$ even solved ECDLP correctly. It caused by that holds $$m\lt \lvert P\rvert \lt p$$. so "actual solution" is formed "$$m = x _ 0 + n\lvert P\rvert$$" where $$x _ 0$$ is the solution of ECDLP and $$0\leq n\lt 25$$ ($$\because 24\lvert P\rvert \lt p \lt 25\lvert P\rvert$$).

Solver:

https://gist.github.com/elliptic-shiho/cf112ddf554ea9d447dff31cb40731bf

Byeween (hard, 22 solves)

We have an ellitic curve $$E$$ and a point $$Q$$ on $$E$$. We need to compute ALL $$P\in E$$ that satisfies $$2P = Q$$ to get the flag.

In general, the two-division points of a point can compute by compute the roots of division polynomial for that. SageMath's division_points method1 uses that too. It can solve this challenge with fail a few times, because that can't compute the all solutions sometimes.

Solver:

https://gist.github.com/elliptic-shiho/deccae6523d5548086e237ee70f1ee42

Vinefruit (hard, 19 solves)

We need to collide the given hash function. the target hash function is defined by $$\mathrm{vinefruit} _ {p, o, m}(m) := f(p)$$, where $$(m _ i) _ {i = 1, \ldots, \ell}$$ is target message, $$(p, o, m)$$ is parameter, and $$f(x)$$ is

$$$ f(x) = ((o + m _ 1) x^\ell + m _ 2x^{\ell - 1} + \cdots + m _ \ell x) \bmod m. $$$

For simple, we fixed $$(p, o, m)$$ and omit that in below discussion.

Set $$\mathrm{vinefruit}(00^\ell)$$ as a target to collide. In this situation, the challenge can transform to "Compute a $$x$$ that satisfies $$\mathrm{vinefruit}(x) - \mathrm{vinefruit}(00^\ell)\equiv 0\pmod m$$" . In fact, we can reduce this challenge to an instance of Modular knapsack problem, so we can solve this challenge by LLL-reducing following lattice:

$$$ \begin{pmatrix} 1 & 0 & \cdots & 0 & 0& p\cr 0 & 1 & \cdots& 0 & 0 & p^2\cr 0 & \vdots & \ddots & \cdots & \vdots & \vdots\cr 0 & 0 & \cdots & 1 & 0 & p^{\ell - k}\cr 0 & 0 & \cdots & 0 & 1 & c \cr 0 & 0 & \cdots & 0 & 0 & -m\cr \end{pmatrix} $$$

where

$$$ c = ((o + m _ \ell)p^\ell + m _ {\ell - 1}p^{\ell - 1} + \cdots + m _ {\ell - k + 1}p^{\ell - k + 1} - \mathrm{vinefruit}(00^\ell)) \bmod m $$$

and choose $$m _ \ell, m _ {\ell - 1}, \ldots, m _ {\ell - k + 1}$$ randomly as an initial state. In actual code, I decorated(i.e. weighted) to the lattice but omitted. We can collide the hash function by a message constructed by a vector, that is LLL-reduced basis of the lattice and all element of that is an unsigned 8-bit integer (i.e. it is the 0 to 255).

However, this strategy is not effetive when large $$m$$ because the constraint "unsigned 8-bit integer" becomes too hard. I decide to ignore the case of $$m = 2^{128}$$ and precompute the cases of $$m = 2^{32}$$ and $$m = 2^{64}$$ (Note: $$m$$ is only these three cases).

In this challenge, $$m$$ is determined for every $$\ell\in\lbrace\,35, 34, \ldots, 17\,\rbrace$$ so the probability of "All $$m$$ does not equals to $$2^{128}$$" is $$(2/3)^{18} = 262144/387420489 = 1/(2^{10.52932\ldots}) \gt 1/1500$$. Hence we can solve that with about 1500-times reconnect.

Solver:

https://gist.github.com/elliptic-shiho/bc5cf7f519ad28f2369625ad49bd9089

After the comptetition:

This attack is a second-preimage attack. However collision attack is enough to solve this actually. In addition, vinefruit function can interpret as rolling hash, so we can attack that using any famous implementation. In this strategy, It use the Closest Vector Problem to solve that whereas I used the Shortest Vector Problem.

Solved with teammates

Risk (medium, 35 solves)

Prime factorization is done by @ta1yak1_89262. but he stucked to solve the RSA with $$\gcd(\varphi(N), e) = 10728$$. I solved that using the cannonical map $$\mathbb{Z} / pq\mathbb{Z}\hookrightarrow \mathbb{F} _ q$$ and solve $$x^6 - A \equiv 0\pmod q$$ by SageMath's roots() method.

Solver:

https://gist.github.com/elliptic-shiho/cfd56e9dd47c7f2041157ffb6bb7477c

Big (hard, 23 solves)

We know parameters $$a$$ and $$N = pq$$. Prime factorization is done by @ta1yak1_89263, I solved only after that.

For every bit $$b\in\lbrace\,0, 1\,\rbrace$$, Select $$\left(\frac{t}{N}\right) = 2b - 1$$ as randomly, and put $$c := t - a/t \bmod N$$. Since $$c \equiv (t^2 - a)/t\pmod N$$ so we have $$tc \equiv t^2 - a \pmod N \iff t^2 - tc - a \equiv 0\pmod N$$. all coefficients are known so we can solve that as an ordinary quadratic equation (over $$\mathbb{F} _ p$$ and $$\mathbb{F} _ q$$). CRT is useful.

If you interested in the theoretical details, see §4.1.1 Cocks' IBE ciphertexts in Anca-Maria Nica. 2020. Quadratic Residues and Applications in Cryptography. - https://profs.info.uaic.ro/~webdata/doctorate/NicaAncaMaria/Rezumat-En.pdf

Solver:

https://gist.github.com/elliptic-shiho/07b3440678135f0712d467925b9e81af

Afterwords

It's been a while since I played CTF seriously, and I could get a good result. Feel Good Inc.

However It's taking longer than it did before to solve challenge. I wanna participate to CTF as much as possible in this year.

https://github.com/sagemath/sage/blob/9.8/src/sage/schemes/elliptic_curves/ell_point.py#L886 ↩︎

Details: https://hackmd.io/@taiyaki/BJbEomuF2#Risk-122-pts-35-solves-Medium (in Japanese). ↩︎

Details: https://hackmd.io/@taiyaki/BJbEomuF2#Big-169-pts-23-solves-Hard (in Japanese). ↩︎

🤖- How do they treat/view droids? Are there any significant droids in their life? 🧖🏽- Water Showers or Sonic Showers? Why? 🌯- What is their favorite food? Is there any significance to it? 🏢- Do they prefer densely populated planets or sparsely populated ones?

🤖- How do they treat/view droids?

answered here

🧖🏽- Water Showers or Sonic Showers? Why?

answered here

🌯- What is their favorite food? Is there any significance to it?

 Etain isn’t exactly a foodie, but at the same time, she can’t limit herself to one singular favorite food. 

A few of her favorites are citrus fruits like muja or vinefruit, which she actually prefers to sweets, roasted chando peppers for their flavor, and billbringi cheesy meat pies, which used to be something Master Fulier would treat her to at a series of greasy diners after a hard mission where he was satisfied with her work.  There’s a longer explanation of those here

She tends not to like sweets overly much, but the big exceptions are a) Corellian Apple Pie (which was Kast Fulier’s favorite and a staple of many of the diners they visited)  b) berries dipped in hardened chocolate (which she can’t explain liking except for the crunch and the fresh berry taste) and c) uj cake.

 she absolutely would not have enjoyed uj cake before she got pregnant- way too sweet- but she blames Darman’s genetic influence on Kad for giving her cravings during her pregnancy (even if it wasn’t how that actually worked.) (and truthfully, her fondness may equally have something to do with the fact that Rav was trying to show her affection through making uj cake for her and the mere gesture made her weepy after the disaster that her pregnancy had been to that point.)

🏢- Do they prefer densely populated planets or sparsely populated ones?

Definitely densely populated ones. Etain is Coruscanti by raising, even if she grew up in the less sparsely populated Jedi Temple District, and the patterns of a massive city planet will always feel like home to her.

Some Jedi dislike how loud the planet is but being surrounded by the clamor of that much life feels like home to Etain, and always will. It comes with a lot of conveniences, too, like being able to find food from cultures all over the galaxy and finding shops and restaurants to patronize at any point during the planet’s rotation.

After the purge happens, it’s a mater of safety, too. It’s easier to hide Etain and her three Jedi kids from the Sith on a planet with a massive life force signature like Nar Shaddaa, where they end up hiding, than on a remote back water where their presences will stand out like a beacon.