2026-04-12 | #Crypto #CTF #FCSC2026
Macroplata : Just WHY man ? was my first reaction to this challenge… I usually don’t really like challenges with a lot of code :-)
Soooo, basically there are 3 KEMS and some sort of TAG/authentification thing, my first instinct was : I’m NOT looking into the details of the KEMs before I have something on the actual thing that we’re supposed to to which is: forging a tag.
2026-04-12 | #Crypto #CTF #FCSC2026
Splhash is a hash function presented as $H(x) = B \times S(A \times x)$ where $A$ is a $2n \times 5n$ matrix and $B$ is a $5n \times n$ matrix. The non-linear $S$-layer is comprised of $\cfrac{5n}{4}$ SBoxes each acting on $4$-bits nibbles. We recognize the SBox from the Present cipher. This challenge reminded me of One round crypto at ECSC2024 but this time with a hash function instead of a cipher.
2025-10-28 | #Crypto #Elliptic Curve
While replaying challenges from prior FCSC, I ended up trying to solve the challenge Surface, in this challenge we just have to solve the following equation over the rationals :
$$\begin{cases} a^2 + b^2 = c^2 \\ ab = 20478\end{cases}$$It turns out that such pair $(a, b) \in \mathbb Q^2$ are called congruent numbers and finding those is equivalent to finding some rational point on an elliptic curve, more specifically :
if $(a, b, c) \in \mathbb Q^3$ is a solution to
2025-08-12 | #Crypto #CTF #FCSC2025
Jafar is a SPN with 2 main aspect a round function $R$ and a middle part $M$. The Jafar Encryption can be simply decribed as $J = R \circ M \circ R$, where $M$ is the middle part and $R$ correspond to the 20 rounds of AddKey, Sbox and Permute. Since we are given only a limited amount of queries and that we have access to both encryption and decryption, boomerang attack comes to mind pretty quickly but in boomeran we need 2 encryptions and 2 decryptions…
2025-08-12 | #Crypto #CTF #FCSC2024
In this challenge we have a pretty single encryption scheme and very few relations to work with, smells like lattice to me…
There are only two blocks so let’s put it into a system:
$$b_1 \texttt{iv}_1 + k_1 s = c_1$$$$b_2 \texttt{iv}_2 + k_2 s = c_2$$
Here lattice will surely work because of the imbalance in term of coefficient sizes :
So the blocks are way smaller, let’s build a null combinaison and encourage LLL/BKZ to go towards it with scalling:
