Scribd
Upload
709 views4 pages

FlagYard - Challenge Writeup

Uploaded by

ahmedkhalifa8474hh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
709 views4 pages

FlagYard - Challenge Writeup

Uploaded by

ahmedkhalifa8474hh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

FlagYard | Challenge Writeup

Challenge Summary
This challenge presents a cryptographic puzzle based on the Diffie-Hellman key exchange setup
with modifications. The flag is encrypted using a small prime-based modular arithmetic, where the
main task is to recover the flag from provided cryptographic outputs. The challenge specifically
exploits the weakness in the construction of the hint value, which combines the secret flag raised
to a power with a XOR operation against a value derived from a small 8-bit random integer.

The vulnerability lies in the fact that the random integer is only 8 bits, making it feasible to brute-
force all possible values, recover the intermediate encrypted flag, and then solve for the flag using
modular arithmetic. Additionally, the smoothness of the prime group's order further simplifies the
potential to solve the discrete logarithm problem directly.

Learning Outcomes
● Understanding the weaknesses in cryptographic protocols that use small random values.
● Learning how to brute-force cryptographic keys when the key space is small.
● Gaining experience in solving discrete logarithm problems using modular arithmetic.
● Recognizing the importance of group order in cryptographic security and how smooth
orders can be exploited.
● Practical experience with Python's Crypto.Util.number module for handling large
integers and modular arithmetic.

This challenge is designed to reinforce the understanding of cryptographic vulnerabilities and the
practical application of number theory in breaking cryptographic systems.

2
FlagYard | Challenge Writeup

Solution
Summary of the Steps in Python Code:
from Crypto.Util.number import bytes_to_long, long_to_bytes, inverse
import random

# Provided values
p = 2**521 - 1
g = 3
h =
4032754735786959608993479828796037537696909683855161211524481832813601
9295570051803189794738412847161664976444067074795518901183546879003577
96448890587768319
hint =
4996271902668750386408967583218439425362940880833289971997165550999614
7989727319042067616849674645887443959775922317585878695666811814084058
27905235411423930

# Function to compute log2Int and eightBitBlock


def log2Int(num):
s = 0
while num >= 1:
num /= 2
s += 1
return s

def eightBitBlock(num):
return '0'*(8-log2Int(num))+bin(num)[2:]

# Brute-force the secretNum


for r in range(256):
secretNum = int(eightBitBlock(r)*65, 2)*2 + 1
possible_m7 = hint ^ secretNum

# Solve for m
d = inverse(7, p-1)
m = pow(possible_m7, d, p)

# Check if it matches h
if pow(g, m, p) == h:
flag = long_to_bytes(m).decode()
print("Flag:", flag)
break

3
FlagYard | Challenge Writeup

Step 1: Understanding the Challenge Setup

• The challenge gives us two key values:

o h, which is derived from h = gm mod p, where m is the secret flag converted to a


number, g is the generator, and p is a large prime.

o hint, which is derived from hint = m7 mod p ⊕ secretNum, where


secretNum is calculated from a small random 8-bit integer.

Step 2: Brute-Forcing the secretNum

• Since r is an 8-bit number, it has only 256 possible values. We can brute-force through
each possible value of r to reconstruct secretNum using the function provided in the
challenge:

def log2Int(num):
s = 0
while num >= 1:
num /= 2
s += 1
return s

def eightBitBlock(num):
return '0'*(8-log2Int(num))+bin(num)[2:]

• For each r from 0 to 255, compute secretNum as:

secretNum = int(eightBitBlock(r)*65, 2)*2 + 1

• XOR hint with each secretNum to recover possible values of m7 mod p:


possible_m7 = hint ^ secretNum

4
FlagYard | Challenge Writeup

Step 3: Solving for m


• With the possible values of m7mod p, compute m using the modular inverse of 7
modulo p−1:
from Crypto.Util.number import inverse

d = inverse(7, p-1)
m = pow(possible_m7, d, p)

• Validate each candidate for m by checking if it satisfies the equation gm mod p =h:
if pow(g, m, p) == h:
# Flag found
flag = long_to_bytes(m).decode()
break

• The correct m will convert back to the flag, revealing


FlagY{418c8886e081dcc8d18c0586136a1e63}.

Step 4: Alternative Solutions

1. Using RSA-style Decryption:


o Once all possible m7 \mod p values are recovered, treat the problem like an
RSA decryption problem where m7 is the ciphertext and 7 is the public exponent.
Use the modular inverse as described above to solve for m.

2. Direct Discrete Logarithm Approach:


o Given that ord(Fp)=2521−2 is smooth, advanced cryptographic techniques (like
Pollard's Rho) can be used to solve the discrete logarithm problem directly,
bypassing the brute-force approach.

Step 5: Final Verification


• Ensure that the computed flag matches the provided h and hint values, confirming the
correct solution.

Conclusion:
The challenge can be solved by either brute-forcing the small random value used in the
construction of secretNum or by employing a direct cryptographic attack using group
properties. Both methods should lead to the correct recovery of the flag
FlagY{418c8886e081dcc8d18c0586136a1e63}.

You might also like