Is post quantum cryptography too complex for you? wrong_ring.sage Summary: Ring-LWE with small error, hidden under a number field
In this challenge we have a stream cipher based on LFSR and nonlinear filtering function. It has 128-bit LFSR secret state and we are also given 1600 keystream bits. Our goal is simply to recover the key which is the initial state. Here is the nonlinear filtering function: f(v) = v ^ v ^ v …
Scripts with short explanations: BabyPinhole (crypto 163) Liar’s Trap (crypto/ppc 281) Palindrome Pairs – Challenge Phase (ppc 63+337)
A slow descent into the dark, into madness, futility, and despair. BLT.jar (not necessary) STDOUT Flag.java Summary: DSA with short secrets, lattice + meet-in-the-middle attack.
Scripts with short explanations for all crypto tasks (except RSA) from Google CTF Quals 2017: Crypto Backdoor Introspective CRC Shake It RSA CTF Challenge (no writeup, but I think it’s similar to this old one) Rubik Bleichenbacher’s Lattice Task (full writeup here)
Talent Yang loves to customize his own obfuscator. Unfortunately, he lost his seed when he was watching Arsenal’s UEFA game. What a sad day! His team and his seed were lost together. To save him, could you help him to get back his seed? We can not save the game, but we may be able …
I swear that the safest cryptosystem is used to encrypt the secret! oneTimePad.zip Well, maybe the previous one is too simple. So I designed the ultimate one to protect the top secret! oneTimePad2.zip Summary: breaking a linear and an LCG-style exponential PRNGs.
Oh great shaman! Somehow the village idiot got his hands on this fancy control machine controlling things. Obviously, we also want to control things (who wouldn’t?), so we reverse-engineered the code. Unfortunately, the machine is cryptographically protected against misuse. Could you please maybe spend a few seconds of your inestimably valuable time to break that …
All my fine arts and philosophy student friends claim discrete logarithms are hard. Prove them wrong. nc 184.108.40.206 1729 vuln_tacos.py Summary: bypassing Fermat primality test with Carmichael numbers and solving discrete logarithm using Pohlig-Hellman algorithm.
I made a RSA signature box, but the hardware is too old that sometimes it returns me different answers… can you fix it for me?} e = 0x10001 nc crypto.chal.csaw.io 8002 Summary: fault attack on RSA signatures, factoring using private exponent exposure.
If you need to securely grant execution privileges, what better way to do it than sexec? This is running on sexec.pwning.xxx:9999 sexec.tar.gz Summary: attacking a small instance of Ring-LWE based cryptosystem with Babai’s Nearest Vector algorithm.
We just got this fancy new cryptographic device and it seems to work great… for the most part. But sometimes the values it gives me are wrong. Maybe you could take a look for me. radioactive.tar.bz2 Summary: fault attack on RSA signature (not RSA-CRT)
 : gsilvis counting magic – 9 – 4 solves : crypto: Here’s a verification/decryption server: gcm.ctf.bostonkey.party:32768 . Get the GCM MAC key (the thing the server prints out on startup). We’ve given you one valid ciphertext to get you started. It has iv: [102 97 110 116 97 115 116 105 99 32 105 …
 : hmac_crc – 5 – 36 solves : crypto: We’re trying a new mac here at BKP—HMAC-CRC. The hmac (with our key) of “zupe zecret” is ‘0xa57d43a032feb286’. What’s the hmac of “BKPCTF”? hmac-task.py Summary: breaking HMAC-CRC (again)