A custom implementation of EC keysharing does not check if the provided public key lies on the curve. Due to the limited number of queries we have to find points of high enough order, and we can re...
We have to solve RSA with a leak from which we can quite easily recover $ed - 1$. Event Link: TeamItaly CTF 2023 Challenge Description First of all, we have a weird keygen function: p, q = ...
We have to provide a string that matches a specific value when hashed with FNV. Z3 is able to directly solve the challenge, if used carefully. Event Link: DownUnder CTF 2023 Challenge Descrip...
We face an implementation of a Graph Encryption Scheme (GAS) for Shortest Path queries. The challenge consists of three levels: in the first one we are given the key, and we just have to decrypt th...
The server accepts encrypted text, decrypts it using AES-CBC and an unknown key, and executes it. We are provided a sample script that we can tamper with at different points in order to get the key and...
We have to forge a DSA signature for the admin, being able to ask the server for a signature on an arbitrary username. We exploit the fact that the message is not hashed in the signature, and hence fin...
We are given some CRT remainders modulo primes of a secret number, together with some fake values. To recover the number, for small instances a simple brute-force solution is enough; for the easy la...
This is the second post about the Gurobi solver. We will explore a functionality called lazy constraints: instead of providing all the constraints to the solver at the beginning, we will start solv...
I recently gave a talk at the Solving Polynomial Systems seminar about Linear Convex Optimization and the Gurobi software (here part of the material presented). Gurobi is a state-of-the-art optimiz...
Two interesting challenges about OneTimePassword (OTP) encryption. In both cases we have a key reuse, which allows us to reduce to breaking single-key-xor in an obvious (BabyOTP) and less obvious (...