Sep 30

Is post quantum cryptography too **complex** for you?

**Summary:** Ring-LWE with small error, hidden under a number field

Aug 11

Brief solution ideas to the least solved Crypto CTF challenges.

Jul 13

We, the SPbCTF meetups crew (guys from LC↯BC, SiBears, PeterPEN, Yozik), were invited to make a CTF together with universities from some BRICS countries.

So we made one — and invite everyone to compete, have fun and win some prizes in **CyBRICS CTF 2019**. This one continues the tradition of **hack you** events, but this time it won’t be individual. Teams are welcome.

**28 challenges** ranging from easy pen-and-paper to interesting. Noobies will have a taste of what CTFs are, skilled will have fun and check if they can pwn everything the fastest, academic teams will compete for **10 000 USD** first place prize.

**Registration open:** now

**Game is live:** July 20th, 2019 10:00 UTC

**Game ends:** July 21st, 2019 10:00 UTC (24 hours)

**Sign up: https://cybrics.net/** (CTFtime page)

**Quals Prizes:**

**Top-5** academic teams from each BRICS country are invited to the on-site Attack-Defense Finals in St. Petersburg

**Top-1** team in Quals gets a spot in **XCTF Finals 2019** (September, China).

**Finals Prizes:**

**1st place:** 10 000 USD

**2nd place:** 5 000 USD

**3rd place:** 3 000 USD

So in just a few words: **New CTF by us. 28 good old Jeopardy tasks. July 20th.**

Sep 14

`Yikes, one of our finest cyberwarrior plugged into the wrong system. His mind is stuck in the kernel. Bring a plunger and your finest kernel exploit`

Service: nc 142.93.38.98 6666 | nc pwn.sect.ctf.rocks 6666

Download: gh0st.tar.gz

Author: likvidera

**Summary:** linux kernel exploitation using an out-of-bounds kernel memory write.


Jun 27

In this challenge we have a stream cipher based on LFSR and nonlinear filtering function. It has 128-bit LFSR secret state and we are also given 1600 keystream bits. Our goal is simply to recover the key which is the initial state. Here is the nonlinear filtering function:

`f(v) = v[0] ^ v[1] ^ v[2] ^ v[31] ^ v[1]&v[2]&v[3]&v[64]&v[123] ^ v[25]&v[31]&v[32]&v[126]`

We can see that the two nonlinear terms are products of 4 and 5 variables. With high probability these terms are equal to zero and the filtering function becomes linear. More precisely, define

`L(v) = v[0] ^ v[1] ^ v[2] ^ v[31]`

Then the probability $p$ that $f(v) = L(v)$ equals $15/16 \times 31/32 + 1/16 \times 1/32 = 233/256$: either both nonlinear terms are zero, or both are one and cancel. Moreover, for 128 keystream bits the approximation can be expected to hold with probability $p^{128} \approx 2^{-17.384}$, or roughly $1/171000$. That is, if we sample 128 keystream bits roughly 171000 times, we can expect that once they are all filtered using the linear function $L$. Then we can solve the (noiseless) linear system and recover the key. We can sample bits from the 1600-bit keystream, since we expect that roughly $233/256\times 1600$ of them are filtered using the linear function, and we will succeed once we choose 128 bits out of them. We just need to know the linear function that maps the original key to each of the output keystream bits (i.e. repeated LFSR steps followed by linear filtering). This can be done simply by running Snurre with the linear filtering function on keys with a single bit set (i.e. basis vectors) and putting the resulting streams into the columns of a matrix.

The solution may take some time, e.g. around 1 hour on a common laptop. But it can be easily parallelized simply by running multiple instances.

The problem of solving noisy linear equations is called Learning Parity with Noise (LPN). There are various methods for approaching it. A good recent paper on this topic is “LPN Decoded” by Esser et al. For example, the method described above is called Pooled Gauss in the paper.
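The sampling attack described above, as an added example that is not the original solution script. It assumes a 24-bit toy LFSR with hypothetical feedback taps and a filter of the same shape as `f` at rescaled indices (so $p$ is still $233/256$), because the page does not give Snurre's LFSR polynomial; the function names and sizes are illustrative.

```python
import random

N, T = 24, 300        # toy sizes (assumption); the challenge has 128 and 1600
TAPS = (0, 1, 2, 7)   # hypothetical feedback taps, not the challenge's LFSR

def L(v):             # linear part, same shape as L(v) in the text
    return v[0] ^ v[1] ^ v[2] ^ v[5]

def f(v):             # L plus products of 5 and 4 bits at rescaled indices
    return L(v) ^ (v[1] & v[2] & v[3] & v[12] & v[22]) ^ (v[4] & v[5] & v[6] & v[23])

def stream(key, filt):
    # Filter the current state, then step the LFSR; repeat T times.
    s, out = list(key), []
    for _ in range(T):
        out.append(filt(s))
        s = s[1:] + [sum(s[t] for t in TAPS) & 1]
    return out

def linear_rows():
    # Run the linearised cipher on basis keys; rows[t] bit i = effect of key bit i.
    cols = [stream([int(i == j) for j in range(N)], L) for i in range(N)]
    return [sum(cols[i][t] << i for i in range(N)) for t in range(T)]

def solve_gf2(eqs):
    # Gauss-Jordan over GF(2); eq = coefficients | rhs << N. None if singular.
    for col in range(N):
        piv = next((r for r in range(col, N) if eqs[r] >> col & 1), None)
        if piv is None:
            return None
        eqs[col], eqs[piv] = eqs[piv], eqs[col]
        for r in range(N):
            if r != col and eqs[r] >> col & 1:
                eqs[r] ^= eqs[col]
    return [eqs[i] >> N & 1 for i in range(N)]

def pooled_gauss(z, rng, max_tries=5000):
    # Sample N positions, assume all are noise-free, solve, check on the full stream.
    rows = linear_rows()
    for tries in range(1, max_tries + 1):
        pick = rng.sample(range(T), N)
        key = solve_gf2([rows[t] | z[t] << N for t in pick])
        if key is not None and stream(key, f) == z:
            return key, tries
    return None, max_tries

def demo(seed=2018):
    rng = random.Random(seed)
    secret = [rng.randrange(2) for _ in range(N)]   # constructed sample key
    return (secret,) + pooled_gauss(stream(secret, f), rng)
```

With $N = 24$ a sample is noise-free with probability about $p^{24} \approx 2^{-3.3}$, so the loop ends after a few dozen tries; at the challenge's $N = 128$ the same loop needs the roughly 171000 samples computed above.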

Apr 02

0ops Cipher 4, hope you enjoy it:)

zer0C4.zip

nc 202.120.7.220 1234

**Summary:** related-key attack on weakened variant of RC4

Apr 02

0ops SPN, hope you enjoy it:)

zer0SPN.zip

**Summary:** linear cryptanalysis on toy block cipher

Apr 02

0ops Toy Cipher, hope you enjoy it:)

zer0TC.zip

**Summary:** meet-in-the-middle and key-schedule constraints

Oct 05

As a tradition, every fall we host a fun lightweight Jeopardy CTF for our freshmen to attract them into all the CTFey goodness. This one will be our **fifth year** (holy shit!)

We invite everyone to check out hack you ’17 this year. Just as always, two separate scoreboards: one for SPbCTF meetups, one for everyone in the world. And yeah, we have some **prizes** this year!

**28 challenges** ranging from easy pen-and-paper to interesting. Noobies will have a taste of what CTFs are, skilled will have fun and check if they can pwn everything the fastest.

**Registration open:** now (sign up individually — no teams)

**Game is live:** October 8th, 2017 18:00 UTC

**Game ends:** October 14th, 2017 18:00 UTC

**Sign up: https://hackyou.ctf.su/**

**Prizes:**

**Top-3** in the Overall board get a free ZeroNights 2017 entry each.

**Top-50** in the Overall scoreboard qualify to the Final event in Saint Petersburg on October 29th.

So in just a few words: **Fifth hack you. 28 good old speedhack tasks. October 8th.**

Sep 04

Scripts with short explanations:

- BabyPinhole (crypto 163)
- Liar’s Trap (crypto/ppc 281)
- Palindrome Pairs – Challenge Phase (ppc 63+337)

Jul 09

We implemented a random number generator. We’ve heard that rand()’s 32 bit seeds can be easily cracked, so we stayed on the safe side.

nc lucky.chall.polictf.it 31337

**Summary:** breaking truncated-to-MSB LCG with top-down bit-by-bit search.

Jun 19

A slow descent into the dark, into madness, futility, and despair.

**Summary:** DSA with short secrets, lattice + meet-in-the-middle attack.

Jun 19

Scripts with short explanations for all crypto tasks (except RSA) from Google CTF Quals 2017:

- Crypto Backdoor
- Introspective CRC
- Shake It
- RSA CTF Challenge (no writeup, but I think it’s similar to this old one)
- Rubik
- Bleichenbacher’s Lattice Task (full writeup here)

Mar 20

Talent Yang loves to customize his own obfuscator. Unfortunately, he lost his seed when he was watching Arsenal’s UEFA game. What a sad day! His team and his seed were lost together. To save him, could you help him to get back his seed? We can not save the game, but we may be able to find out his seed.

Compile: ollvm.clang -Xclang -load -Xclang lib0opsPass.so -mllvm -oopsSeed=THIS_IS_A_FAKE_SEED source.c

Clang && LLVM Version: 3.9.1

link

flag format: flag{seed}

**Summary:** deobfuscating and attacking AES parts.

Mar 20

I swear that the safest cryptosystem is used to encrypt the secret!

oneTimePad.zip

Well, maybe the previous one is too simple. So I designed the ultimate one to protect the top secret!

oneTimePad2.zip

**Summary:** breaking a linear and an LCG-style exponential PRNGs.