An RSA challenge with leakage of MSB from the CRT exponents of the private key. The parameters allow an attack described in a paper by May (hinted by the title), Nowakowski and Sarkar leveraging th...

An RSA challenge where the encryption is performed by both Alice and Bob with some extra noise, and we have different information on each one and some oracle calls. The solution relies on efficient...

A custom implementation of EC keysharing does not check if the provided public key lies on the curve. Due to the limited number of queries we have to find points of high enough order, and we can re...

We have to solve RSA with a leak from which we can recover quite easily $ed - 1$. Event Link: TeamItaly CTF 2023 Challenge Description First of all, we have a weird keygen function: p, q = ...

We have to provide a string that matches a specific value when hashed with FNV. Z3 is able to directly solve the challenge, if used carefully. Event Link: DownUnder CTF 2023 Challenge Descrip...

We face an implementation of a Graph Encryption Scheme (GAS) for Shortest Path queries. The challenge consists in three levels: in the first one we are given the key, and we just have to decrypt th...

The server accepts encrypted text, decrypts it using AES-CBC and an unknown key, and executes it. We are provided a sample script, that we can tamper in different points in order to get the key and...

We have to forge a DSA signature for the admin being able to ask the server a signature for an arbitrary username. We exploit the fact that the message is not hashed in the signature, and hence fin...

We are given some CRT reminders modulo primes of a secret number, together with some fake values. To recover the number, for small instances a simple brute-force solution is enough; for the easy la...

This is the second post about the Gurobi solver. We will explore a functionality called lazy constraints: instead of providing all the constraints to the solver at the beginning, we will start solv...