search

Crypto-Groups

My friend told me that cryptography is unbreakable if moduli are Carmichael numbers instead of primes. I decided to use this CTF to test out this theory. - Nikhil

hashtag
Full Implementationarrow-up-right

hashtag
Challenge 

def check(n, iterations=50):
    if isPrime(n):
        return False

    i = 0
    while i < iterations:
        a = randint(2, n - 1)
        if gcd(a, n) == 1:
            i += 1
            if pow(a, n - 1, n) != 1:
                return False
    return True

def generate_challenge(c):
    a = randint(2, c - 1)
    while gcd(a, c) != 1:
        a = randint(2, c - 1)
    k = randint(2, c - 1)
    return (a, pow(a, k, c))
    
if __name__ == '__main__':
    c = int(input('c = '))

    if log(c, 2) < 512:
        print(f'c must be least 512 bits large.')
    elif not check(c):
        print(f'No cheating!')
    else:
        a, b = generate_challenge(c)
        print(f'a = {a}')
        print(f'a^k = {b} (mod c)')
        
        k = int(input('k = '))

        if pow(a, k, c) == b:
            print(get_flag())
        else:
            print('Wrong k')

The server first checks if the number we give is a Carmichael numberarrow-up-right having a bit length greater than 512. Then it asks us to compute the discrete log of a random number modulo the number we provide.

After extensive searching, I found this excellent repoarrow-up-right which has a large collection of Carmichael numbers along with their prime factors.

We choose a number which is atleast 512 bits long and has many small prime factors, which allows sage to directly calculate the discrete log.

PreviousCrypto-Snore SignaturesNextDeadSec CTF 2024

Last updated