down = pow1(down, 2**128-2) # inversion

So the correct code is:

`print ("p =", t, "#", len(p.bits()), "bits")`

You have to write a small script to bruteforce it basically. You roughly needed 2^24 attempts to solve each challenge.

I contacted the author and he told me that he had made a mistake. The curves should have been anomalous. The challenge is unsolvable.

I had a crazy idea to figure out the prime factors of C[0], and based on this to create sets I call x, and to solve x = y^k mod n to find possible k that were in the range: “CCTF{XXXXXXXXXXXXXXXXXXXXXX”.

The second idea I had was that Python could have had a random generation bug when you found the 1st (variable y) and 3rd (variable v) random numbers. Based on these variables, could I generate variable u?

Here is my result: https://pastebin.com/7Ccba7TA

Thank you :) I’ll try again :)

The factorization is easy since there are many common primes. The problem is that (apparently) the messages were encrypted with Python’s Crypto.Cipher.PKCS1_OAEP + Crypto.PublicKey.RSA. For some reason Crypto.PublicKey.RSA fails to decrypt if n is multi-prime. You have to decrypt manually and then use Crypto.Cipher.PKCS1_OAEP to unpad.

I’m very curious

I have followed a linear cryptanalysis tutorial to solve this challenge. Going round by round, I spend lots of time picking the mask. It still needs to brute-force 2 bytes each time QQ.

Thank you very much, I will start on it now :))

I used a MILP solver for this, but it is quite a complicated approach. See e.g. http://ask2017.nudt.edu.cn/file/slides/ask2017_08_Yu%20Sasaki.pdf

A simpler way would be to use Matsui's algorithm, but it also needs to be implemented.

Could I ask you, which algorithms/tools do you use to find linear trails?

That is the name of the military satellite being used by the terrorists who are commandeering the drone.
