Two Descent on Elliptic Curve

󰃭 2025-10-28 | #Crypto #Elliptic Curve

Motivation

While replaying challenges from prior FCSC, I ended up trying to solve the challenge Surface, in this challenge we just have to solve the following equation over the rationals :

$$\begin{cases} a^2 + b^2 = c^2 \\ ab = 20478\end{cases}$$

It turns out that such pair $(a, b) \in \mathbb Q^2$ are called congruent numbers and finding those is equivalent to finding some rational point on an elliptic curve, more specifically :

if $(a, b, c) \in \mathbb Q^3$ is a solution to

Continue reading 

Jafar - FCSC 2025

󰃭 2025-08-12 | #Crypto #CTF #FCSC2025

Overview

Jafar is a SPN with 2 main aspect a round function $R$ and a middle part $M$. The Jafar Encryption can be simply decribed as $J = R \circ M \circ R$, where $M$ is the middle part and $R$ correspond to the 20 rounds of AddKey, Sbox and Permute. Since we are given only a limited amount of queries and that we have access to both encryption and decryption, boomerang attack comes to mind pretty quickly but in boomeran we need 2 encryptions and 2 decryptions…

Continue reading 

La revanche de Sauron - FCSC 2024

󰃭 2025-08-12 | #Crypto #CTF #FCSC2024

At quick glance

In this challenge we have a pretty single encryption scheme and very few relations to work with, smells like lattice to me…

Analysis

There are only two blocks so let’s put it into a system:

$$b_1 \texttt{iv}_1 + k_1 s = c_1$$

$$b_2 \texttt{iv}_2 + k_2 s = c_2$$

Here lattice will surely work because of the imbalance in term of coefficient sizes :

  • $b_1, b_2$ are 256 bits
  • $s$ is 1024 bits
  • $\texttt{iv}_1, \texttt{iv}_2$ are 1024 as well
  • $k_1, k_2$ are 1024 bits

So the blocks are way smaller, let’s build a null combinaison and encourage LLL/BKZ to go towards it with scalling:

Continue reading 

Salade de fruits - FCSC2024

󰃭 2025-08-12 | #Crypto #CTF #FCSC2024

Problem statement

Curve isomorphism

This is a classic problem of cubic equation, it turns out that every cubic equation (that is not degenerate) is isomorphic to an elliptic curve, Sagemath has a conveniant function for that, so let’s quickly look at the isomorphism (and its inverse function) :

P = QQ["p, s, b"]
p, s, b = P.gens()

eq = p ** 3 - 94 * b ** 3 + s ** 3

f = EllipticCurve_from_cubic(eq)
print(f)
fi = f.inverse()
print(fi)

we get :

Continue reading 

Tight Schedule - FCSC 2024

󰃭 2025-08-12 | #Crypto #CTF #FCSC2024

Overview

In this chall we are presented with a cipher entierely based on the AES key schedule derivation function. Seing such a “well known” construction hints us towards the literature.

The paper

Indeed, one paper “New Representations of the AES Key Schedule” gives us most of what we need to solve.

Cipher description

AES Key derivation

Let’s denote by $D_i(k_0, k_1, \cdots, k_{15}) = (s_0, s_1, \cdots, s_{15})$ the AES key-derivation function on the 16 bytes of the key with the $i$-th RCON (taking $i=0$ being no round constant).

Continue reading 

[1] 2 >>>