Public-Key Encryption

In this challenge, you will perform an RSA decryption using a pre-defined secret key. Please find a ciphertext in ciphertext.txt and the private key in private_key.pem.

They are both generated using Python's hazmat modules. The private key is serialized in the PKCS8 format and protected using a password b'skpassword' via BestAvailableEncryption. The encrypted message is padded according to PKCS1v15.

You can verify your result by /challenge/solve.

In this challenge, you will decrypt a RSA ciphertext by leveraging the fact that the input message is relatively shorter than RSA parameters. You can find the parameters and the ciphertext in context.txt. No padding is used.

You can verify your result by /challenge/solve.

In this challenge, you will find three ciphertexts that encrypt the same message using different RSA parameters. You can find the parameters and the ciphertext in context.txt. No padding is used.

You can verify your result by /challenge/solve.

You can find two RSA ciphertexts and their parameters in context.txt. They are the encryption of the same message. The task is to decrypt them and get the message. No padding is used.

You can verify your result by /challenge/solve.

The textbook RSA algorithm (without any padding) allows multiple encrypted messages to be combined into a new encrypted message. In this challenge, you will find 10 ciphertexts c0, ..., c9, which are encryptions of messages m0, ..., m9. You will also find some constants c0, ..., c10. You need to create a new ciphertext that encrypts the message m0^c0 * ... m9^c9 * c10 mod N.

You can verify your result by /challenge/solve.

In El Gamal encryption, the encoding of a binary message into an integer can be performed in the following way. Define primes p,q which satisfy q = (p-1) / 2. The El Gamal operations are performed with mod p. Denote n as the bit-length of q.

To encode a message of bit-length smaller than n, we view a as the integer format of m (in big endian). Then the input to El Gamal is encoded as b = (a+1)^2 mod p.

In this challenge, we will find the value p and the encoded value b in context.txt. The task is to recover the original 30-byte binary message m.

You can verify your result by /challenge/solve.

In CCA-secure El Gamal encryption that composes El Gamal and AES-GCM, a receiver decrypts messages and checks its authenticity (tag). It is vulnerable if the receiver does not apply rate limiting, and provides feedback on whether the authentication succeeds.

Define parameters p,g as in context.txt. The receiver generates its sk and publishes its pk (see pk.txt). The encryption consists of the following steps.

• Sample a random value y in range [1,q], where q is the order of subgroup defined by g,p.
• Compute v = g^y and w = pk^y.
• Compute key k = H(v, w), where H is SHA-256.
• Sample a 12-byte nonce. Encrypt a message m by AES-GCM-ENC(k, nonce, m).

The decryption proceeds as follows.

• Compute w = v^sk.
• Compute key k = H(v, w), where H is SHA-256.
• Parse the ciphertext as nonce || c. Decrypt a message m by AES-GCM-DEC(k, nonce, c).

In this challenge, you will be given a decryption oracle that takes input a series of decryption queries and provides the feedback. The queries should be stored in a file, in which each line is one query El Gamal ciphertext v nonce || c). All fields are in the hex format. There is a space after v, but nonce and c are concatenated.

One example of a line in query file is adfc76e9a7f4e419d03fb6bfa314cfffe191 28826e689e22dffc158f1dac17466a2218e7e4226c6f8ff8a60edd9077c9c355fd11bb187ad5df2baad04204.

To make the challenge easier, the maximum bit-length of sk is 20. The associated data for AES-GCM is fixed as b"cse 539 applied cryptography". When encoding the integers as input strings to SHA-256, they are encoded as 18-byte string assuming big endian.

The oracle is invoked by /challenge/oracle PATH_TO_QUERY_FILE. It returns the index of the line that is decrypted successfully. The index starts from 1. You can verify your result by /challenge/solve.