AndyNovo/output.txt Secret

## output.txt
p = 792321885721039223055203621511476008103176341524490283402628477451813722842720337402795900165653052271349918359044973129279701490613980973589891701136745034631765803279015068621842643130239591656504870040900517665771748667093361827700044850800239770001931593567314982414093813968959529405924117755593099360943
g = 3
publicKey1 = 710875014521586133177240861275411954502274981112927572082940815173504661025454567548435293794165742619652743188632359986402946530631590657230251177397188927619054747566071728206203495270418156469763404027680754983935556040450591504717450568526386336795569263884391363832901921960805323527167470059092379137922
publicKey2 = 86808717570366690208001322718928001766858235317780650665971099731639395880622394873399919913452383015375795777766992061856799882891724137587626812205996726126687214822649405836057948017691771588599930195656541971950599498351114597484248265928053509884368193792562548264605997357667468561252551939668866774122
IV_hex = 631ff440abb855a36f856fc5b417cb29
ciphertext_hex = 2e794553fe3f29d5225d44a1319f1ee693a316f57e2335a4d3dc75c444490e36d53cb4f8eb463abdc2f3a0e880e64600

## pohlig.py
from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib
import random
import os
flag=b"REDACTEDFLAGHERE"

def getSmallPrimes(n):
    nums=range(2,n)
    primes=[]
    while len(nums) > 0:
        prime=nums[0]
        nums=list(filter(lambda x: x % prime, nums))
        primes.append(prime)
    return primes

primes = getSmallPrimes(100000)

def getWeakProd(nbits):
    temp=1
    cutoff= 1 << nbits
    while temp < cutoff:
        temp *= random.choice(primes)
    return temp

def getWeakPrime(nbits):
    p = 2*getWeakProd(nbits-1)+1
    while not isPrime(p):
        p = 2*getWeakProd(nbits-1)+1
    return p

p=getWeakPrime(1024)
assert(isPrime(p))
g=3
farts=[]
temp=g
for i in range(2000000):
    farts.append(temp)
    temp = (temp*g) % p
assert(len(farts)  == len(set(farts)))

def pickSecretKey(p):
    a = getRandomRange(3,p-2)
    while GCD(a,p-1) != 1:
        a = getRandomRange(3,p-2)
    return a

a=pickSecretKey(p)
publicKey1 = pow(g,a,p)
b=pickSecretKey(p)
publicKey2 = pow(g,b,p)

secretNum = pow(publicKey1, b, p)
secretNum2 = pow(publicKey2, a, p)
assert(secretNum == secretNum2)

skh=hashlib.sha256(long_to_bytes(secretNum)).digest()
IV=os.urandom(16)

cipher = AES.new(skh, IV=IV, mode=AES.MODE_CBC)
ciphertext = cipher.encrypt(pad(flag,16))

testcipher=AES.new(skh, IV=IV, mode=AES.MODE_CBC)
assert(flag == unpad(testcipher.decrypt(ciphertext), 16))

print("p = %d" % p)
print("g = %d" % g)
print("publicKey1 = %d" % publicKey1)
print("publicKey2 = %d" % publicKey2)
print("IV_hex = %s" % IV.hex())
print("ciphertext_hex = %s" % ciphertext.hex())
	p = 792321885721039223055203621511476008103176341524490283402628477451813722842720337402795900165653052271349918359044973129279701490613980973589891701136745034631765803279015068621842643130239591656504870040900517665771748667093361827700044850800239770001931593567314982414093813968959529405924117755593099360943
	g = 3
	publicKey1 = 710875014521586133177240861275411954502274981112927572082940815173504661025454567548435293794165742619652743188632359986402946530631590657230251177397188927619054747566071728206203495270418156469763404027680754983935556040450591504717450568526386336795569263884391363832901921960805323527167470059092379137922
	publicKey2 = 86808717570366690208001322718928001766858235317780650665971099731639395880622394873399919913452383015375795777766992061856799882891724137587626812205996726126687214822649405836057948017691771588599930195656541971950599498351114597484248265928053509884368193792562548264605997357667468561252551939668866774122
	IV_hex = 631ff440abb855a36f856fc5b417cb29
	ciphertext_hex = 2e794553fe3f29d5225d44a1319f1ee693a316f57e2335a4d3dc75c444490e36d53cb4f8eb463abdc2f3a0e880e64600
	from Crypto.Util.number import *
	from Crypto.Cipher import AES
	from Crypto.Util.Padding import pad, unpad
	import hashlib
	import random
	import os
	flag=b"REDACTEDFLAGHERE"

	def getSmallPrimes(n):
	nums=range(2,n)
	primes=[]
	while len(nums) > 0:
	prime=nums[0]
	nums=list(filter(lambda x: x % prime, nums))
	primes.append(prime)
	return primes

	primes = getSmallPrimes(100000)

	def getWeakProd(nbits):
	temp=1
	cutoff= 1 << nbits
	while temp < cutoff:
	temp *= random.choice(primes)
	return temp

	def getWeakPrime(nbits):
	p = 2*getWeakProd(nbits-1)+1
	while not isPrime(p):
	p = 2*getWeakProd(nbits-1)+1
	return p

	p=getWeakPrime(1024)
	assert(isPrime(p))
	g=3
	farts=[]
	temp=g
	for i in range(2000000):
	farts.append(temp)
	temp = (temp*g) % p
	assert(len(farts) == len(set(farts)))

	def pickSecretKey(p):
	a = getRandomRange(3,p-2)
	while GCD(a,p-1) != 1:
	a = getRandomRange(3,p-2)
	return a

	a=pickSecretKey(p)
	publicKey1 = pow(g,a,p)
	b=pickSecretKey(p)
	publicKey2 = pow(g,b,p)

	secretNum = pow(publicKey1, b, p)
	secretNum2 = pow(publicKey2, a, p)
	assert(secretNum == secretNum2)

	skh=hashlib.sha256(long_to_bytes(secretNum)).digest()
	IV=os.urandom(16)

	cipher = AES.new(skh, IV=IV, mode=AES.MODE_CBC)
	ciphertext = cipher.encrypt(pad(flag,16))

	testcipher=AES.new(skh, IV=IV, mode=AES.MODE_CBC)
	assert(flag == unpad(testcipher.decrypt(ciphertext), 16))

	print("p = %d" % p)
	print("g = %d" % g)
	print("publicKey1 = %d" % publicKey1)
	print("publicKey2 = %d" % publicKey2)
	print("IV_hex = %s" % IV.hex())
	print("ciphertext_hex = %s" % ciphertext.hex())