
r98inver / psidh.sage
Created February 15, 2024 22:36
PSIDH - Break CSIDH with point information
from sage.all import *
from pwn import process, remote
# Challenge from https://github.com/dicegang/dicectf-quals-2024-challenges/tree/main/crypto/pee-side
# Turn off Sage's proof mode globally: number-theoretic routines may then use
# faster heuristic/probabilistic algorithms instead of provably correct ones.
# Results obtained this way are not backed by a proof.
proof.all(False)
# Symbolic variable named x, created with Sage's var().
x = var('x')
r98inver / csidh.sage
Created January 22, 2024 13:57
CSIDH toy implementation
# Default small odd primes for the toy CSIDH class: the 73 smallest odd primes
# (3..373) followed by 587, 74 values in total. This is the prime set of the
# CSIDH-512 parameters; the field prime is derived from it as
# p = 4 * prod(primes) - 1.
# The list is also used as a default argument value, so it must be treated as
# read-only: mutating it would change the default for every later instance.
csidh_primes = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31,
    37, 41, 43, 47, 53, 59, 61, 67, 71, 73,
    79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
    131, 137, 139, 149, 151, 157, 163, 167, 173, 179,
    181, 191, 193, 197, 199, 211, 223, 227, 229, 233,
    239, 241, 251, 257, 263, 269, 271, 277, 281, 283,
    293, 307, 311, 313, 317, 331, 337, 347, 349, 353,
    359, 367, 373, 587,
]
class CSIDH:
def __init__(self, secret: list[int] = None, primes: list[int] = csidh_primes, max_steps : int = 5, base_curve : int = 0):
self.primes = primes
if len(self.primes) != len(set(self.primes)):
raise ValueError("duplicated primes")
self.ln = len(self.primes)
self.p = 4 * prod(self.primes) - 1
r98inver / iris24_manykeys.sage
Created January 8, 2024 00:09
IrisCTF 2024 - ECDSA private key forgery
# Recover signature parameters z, r, s from ecdsa format
def sig_params(msg, sig, pk):
import ecdsa.keys
def normalise_bytes(buffer_object):
return memoryview(buffer_object).cast("B")
h = pk.default_hashfunc(msg).digest()
digest = normalise_bytes(h)
z = ecdsa.keys._truncate_and_convert_digest(digest, pk.curve, True)
r, s = ecdsa.keys.sigdecode_string(sig, pk.pubkey.order)
r98inver / CM_ecgen.sage
Last active January 7, 2024 22:43
CM Method for EC generation
def generate_with_order(m, m_bigprimes=None):
def get_q(m, D):
# qfbsolve factos m every time - we need addprimes
# qfbcornacchia(d, n) is faster but may miss imprimitive solutions
# same holds for qfbsolve with flag 1
all_sol = pari.qfbsolve(pari.Qfb(1, 0, -D), 4*m, 3)
for t in set(map(lambda sol: int(sol[0]), all_sol)):
if is_prime(m + 1 - t):
return m + 1 - t
if is_prime(m + 1 + t):
r98inver / htb23_mayday.sage
Created December 11, 2023 12:49
HTB University CTF 2023 - RSA with msb of CRT exponents via Coppersmith
from Crypto.Util.number import getPrime, GCD, bytes_to_long, long_to_bytes
from sage.all import PolynomialRing, RationalField, Integers, inverse_mod, Zmod, gcd
# Challenge instance, hard-coded as hex integers.
# NOTE(review): going by the gist title these look like the RSA public modulus
# (N), public exponent (e) and ciphertext (c) — confirm against the challenge
# source, which is not shown in this preview.
N = 0x78fb80151a498704541b888b9ca21b9f159a45069b99b04befcb0e0403178dc243a66492771f057b28262332caecc673a2c68fd63e7c850dc534a74c705f865841c0b5af1e0791b8b5cc55ad3b04e25f20dedc15c36db46c328a61f3a10872d47d9426584f410fde4c8c2ebfaccc8d6a6bd1c067e5e8d8f107b56bf86ac06cd8a20661af832019de6e00ae6be24a946fe229476541b04b9a808375739681efd1888e44d41196e396af66f91f992383955f5faef0fc1fc7b5175135ab3ed62867a84843c49bdf83d0497b255e35432b332705cd09f01670815ce167aa35f7a454f8b26b6d6fd9a0006194ad2f8f33160c13c08c81fe8f74e13e84e9cdf6566d2f
# 57 hex digits, i.e. far larger than the common public exponent 65537.
e = 0x4b3393c9fe2e50e0c76920e1f34e0c86417f9a9ef8b5a3fa41b381355
c = 0x17f2b5a46e4122ff819807a9d92b6225c483cf93c9804381098ecd6b81f4670e94d8930001b760f1d26bc7aa7dda48c9e12809d20b33fdb4c4dd9190b105b7dab42e932b99aaff54023873381e7387f1b2b18b355d4476b664d44c40413d82a10635fe6e7322543943aed2dcfbe49764b8da70edeb88d6f63ee47f025be5f2f38319611ab74cd5db6f
r98inver / zero23_drsa0.sage
Last active December 11, 2023 12:50
0CTF 2023 - RSA e recovery with dlp over smooth primes
from sage.all import *
from pwn import remote, log
import re
import string
from hashlib import sha256
import itertools
import time
from Crypto.Util.number import *
r98inver / glacier23_slcg.py
Last active February 18, 2024 10:36
GlacierCTF 2023 - LCG
from sage.all import gcd
from cip import ct
from encrypt import LCG
def lcg_get_m(ls):
# https://security.stackexchange.com/questions/4268/cracking-a-linear-congruential-generator
ti = []
for i in range(1, len(ls)):
ti.append(ls[i] - ls[i-1])
r98inver / glacier23_sea_side.sage
Created November 26, 2023 23:14
GlacierCTF 2023 - Sea side - CSIDH key exchange
# NOTE(review): presumably the bound on the absolute value of each secret
# exponent — confirm against the class body, which is not shown in this preview.
MAX_STEPS = 5
# NOTE(review): presumably the coefficient identifying the starting curve of
# the key exchange — confirm against the class body.
BASE_CURVE = 0
class CSIDH:
def __init__(self, primes: list[int]):
self.primes = set(primes)
self.p = 4 * prod(self.primes) - 1
if not is_prime(self.p):
print("Error, p is not a prime")
exit(1)
r98inver / lake23_invalid_curve.sage
Created November 5, 2023 18:34
LakeCTF 2023 - Invalid curve attack
from time import time
def get_invalid_point(p, a, known_factors = [], check_point = False):
"""
Input: the prime p, the fixed curve parameter a, and the already know factors
that we do not want to repeat. Optionally we can check how much does it take
to solve the dlp for a point before returning it with check_point=True.
Output: an invalid point Q, the parameter b defining its curve, and the factors
of its order.
"""
r98inver / reply23_padding_oracle.py
Created November 1, 2023 16:37
Reply23 - Crypto400 - CBC Padding Oracle
import requests as rq
from base64 import b64decode as d64, b64encode as e64
from pwn import xor
# One requests.Session so cookies and the underlying connection are reused
# across the requests made later in the script.
s = rq.Session()
# Challenge endpoint. The scheme is plain http, so requests and responses are
# neither encrypted nor authenticated in transit.
url = 'http://gamebox3.reply.it/crypto4-70cf7b2988c0641fd4726123c3321b57cfbc92ac/chall1'
# Base64-decoded ciphertext: 64 base64 characters without padding -> 48 bytes,
# i.e. three 16-byte blocks.
ct = d64(b'SIxat1/+SgXODJy1m1vAIGN76NGLCnukTkdgCZTdrqAjibniPZimYN5Y45K8sngO')
# Base64-decoded IV: 16 bytes, one block of a 16-byte block cipher
# (CBC mode, per the gist title).
iv = d64(b'JOzPL8nSk91FSyE1zDGzsQ==')