CTF Cryptography

Quick reference for crypto CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

Prerequisites

Python packages (all platforms):

pip install pycryptodome z3-solver sympy gmpy2 hashpumpy fpylll py_ecc

Linux (apt):

apt install hashcat sagemath

macOS (Homebrew):

brew install hashcat

Manual install:

• SageMath — Linux: apt install sagemath, macOS: brew install --cask sage
• RsaCtfTool — git clone https://github.com/RsaCtfTool/RsaCtfTool (automated RSA attacks)

Note: gmpy2 requires libgmp — Linux: apt install libgmp-dev, macOS: brew install gmp.

Additional Resources

• classic-ciphers.md - Classic ciphers: Vigenere (+ Kasiski examination), Atbash, substitution wheels, XOR variants (+ multi-byte frequency analysis), deterministic OTP, cascade XOR, book cipher, OTP key reuse / many-time pad, variable-length homophonic substitution, grid permutation cipher keyspace reduction, image-based Caesar shift ciphers, XOR key recovery via file format headers
• modern-ciphers.md - Modern cipher attacks: AES (CFB-8, ECB leakage), CBC-MAC/OFB-MAC, padding oracle, S-box collisions, GF(2) elimination, LCG partial output recovery, affine cipher over composite modulus, AES-GCM with derived keys, AES-GCM nonce reuse (forbidden attack), Ascon-like reduced-round differential cryptanalysis, custom linear MAC forgery, CBC padding oracle (full block decryption), Bleichenbacher RSA PKCS#1 v1.5 padding oracle (ROBOT), birthday attack / meet-in-the-middle, CRC32 collision signature forgery, AES key recovery via byte-by-byte zeroing oracle, AES-CBC ciphertext forging via error-message decryption oracle
• modern-ciphers-2.md - Modern cipher attacks (continued): Blum-Goldwasser bit-extension oracle, hash length extension, compression oracle (CRIME-style), hash function time reversal via cycle detection, OFB mode invertible RNG backward decryption, weak key derivation via public key hash XOR, HMAC-CRC linearity attack, DES weak keys in OFB mode, SRP protocol bypass, modified AES S-Box brute-force, square attack on reduced-round AES, AES-ECB byte-at-a-time chosen plaintext, AES-ECB cut-and-paste block manipulation, AES-CBC IV bit-flip auth bypass, Rabin LSB parity oracle, PBKDF2 pre-hash bypass, MD5 multi-collision via fastcol, custom hash state reversal, CRC32 brute-force for small payloads, noisy RSA LSB oracle error correction, sponge hash MITM collision, CBC IV forgery + block truncation, padding oracle to CBC bitflip RCE, SPN S-box intersection attack, custom MAC forgery via XOR block cancellation, HMAC key recovery via XOR+addition arithmetic
• stream-ciphers.md - Stream cipher attacks: LFSR (Berlekamp-Massey, correlation attack, known-plaintext, Galois vs Fibonacci, Galois tap recovery via autocorrelation), RC4 second-byte bias, XOR consecutive byte correlation
• rsa-attacks.md - RSA attacks: small e (cube root), common modulus, Wiener's, Pollard's p-1, Hastad's broadcast, Hastad with linear padding (Coppersmith), Franklin-Reiter related message (e=3), Coppersmith linearly-related primes, Fermat/consecutive primes, multi-prime, restricted-digit, Coppersmith structured primes, Manger oracle, polynomial hash
• rsa-attacks-2.md - RSA attacks (specialized): RSA p=q validation bypass, cube root CRT gcd(e,phi)>1, factoring from phi(n) multiple, multiplicative homomorphism signature forgery, weak keygen via base representation, RSA with gcd(e,phi)>1 exponent reduction, batch GCD shared prime factoring, partial key recovery from dp/dq/qinv, RSA-CRT fault attack, homomorphic decryption oracle bypass, small prime CRT decomposition, Montgomery reduction timing attack, Bleichenbacher low-exponent signature forgery, RSA signature bypass with e=1 and crafted modulus
• ecc-attacks.md - ECC attacks: small subgroup, invalid curve, Smart's attack (anomalous, with Sage code), fault injection, clock group DLP, Pohlig-Hellman, ECDSA nonce reuse, Ed25519 torsion side channel, DSA nonce reuse, DSA key recovery via MD5 collision on k-generation
• zkp-and-advanced.md - ZKP/graph 3-coloring, Z3 solver guide, garbled circuits, Shamir SSS, bigram constraint solving, race conditions, Groth16 broken setup, DV-SNARG forgery, KZG pairing oracle for permutation recovery, Shamir SSS reused polynomial coefficients
• prng.md - PRNG attacks (MT19937, MT float recovery via GF(2) magic matrix for token prediction, LCG, GF(2) matrix PRNG, V8 XorShift128+ Math.random state recovery via Z3, middle-square, deterministic RNG hill climbing, random-mode oracle, time-based seeds, C srand/rand synchronization via ctypes, password cracking, logistic map chaotic PRNG)
• historical.md - Historical ciphers (Lorenz SZ40/42, book cipher implementation)
• advanced-math.md - Advanced mathematical attacks (isogenies, Pohlig-Hellman, baby-step giant-step (BSGS) for general DLP, LLL, Merkle-Hellman knapsack via LLL, Coppersmith, quaternion RSA, GF(2)[x] CRT, S-box collision code, LWE lattice CVP attack, affine cipher over non-prime modulus, introspective CRC via GF(2) linear algebra)
• lattice-and-lwe.md - Lattice attack triage and workflow: LLL/BKZ/Babai, HNP from partial or biased nonces, truncated LCG state recovery, LWE embedding and CVP, Ring-LWE / Module-LWE recognition, orthogonal lattices, subset sum / knapsack, and common failure modes
• exotic-crypto.md - Exotic algebraic structures (braid group DH / Alexander polynomial, monotone function inversion, tropical semiring residuation, Paillier cryptosystem, Hamming code helical interleaving, ElGamal universal re-encryption, FPE Feistel brute-force, icosahedral symmetry group cipher, Goldwasser-Micali replication oracle, BB-84 QKD MITM attack)

When to Pivot

• If the real blocker is understanding a binary, obfuscated client, or weird VM, switch to /ctf-reverse.
• If the challenge is mostly packet carving, disk recovery, or stego extraction before any decryption starts, switch to /ctf-forensics.
• If the task is just implementing an exploit against a vulnerable network service after the crypto part is solved, switch to /ctf-pwn or /ctf-web.
• If the crypto challenge involves adversarial ML, model extraction, or neural-network-based ciphers, switch to /ctf-ai-ml.
• If the challenge is really an encoding puzzle, esoteric cipher, or polyglot trick rather than true cryptanalysis, switch to /ctf-misc.

Quick Start Commands

# Identify cipher type
python3 -c "from Crypto.Util.number import *; n=<N>; print(f'bits={n.bit_length()}')"

# RSA quick check
python3 -c "from sympy import factorint; print(factorint(<n>))"  # Small factors?
openssl rsa -pubin -in key.pub -text -noout  # Extract n, e from PEM

# Quick factorization tools
python3 RsaCtfTool.py -n <n> -e <e> --uncipher <c>

# XOR analysis
python3 -c "from pwn import xor; print(xor(bytes.fromhex('<hex>'), b'flag{'))"

# Hash identification
hashid '<hash>'
hashcat --identify '<hash>'

# SageMath (for lattice/ECC)
sage -c "print(factor(<n>))"

Classic Ciphers

• Caesar: Frequency analysis or brute force 26 keys
• Vigenere: Known plaintext attack with flag format prefix; derive key from (ct - pt) mod 26. Kasiski examination for unknown key length (GCD of repeated sequence distances)
• Atbash: A<->Z substitution; look for "Abashed" hints in challenge name
• Substitution wheel: Brute force all rotations of inner/outer alphabet mapping
• Multi-byte XOR: Split ciphertext by key position, frequency-analyze each column independently; score by English letter frequency (space = 0x20)
• Cascade XOR: Brute force first byte (256 attempts), rest follows deterministically
• XOR rotation (power-of-2): Even/odd bits never mix; only 4 candidate states
• Weak XOR verification: Single-byte XOR check has 1/256 pass rate; brute force with enough budget
• Deterministic OTP: Known-plaintext XOR to recover keystream; match load-balanced backends
• OTP key reuse (many-time pad): C1 XOR C2 XOR known_P = unknown_P; crib dragging when no plaintext known
• Homophonic (variable-length): Multi-character ciphertext groups map to single plaintext chars. Find n-grams with identical sub-n-gram frequencies, replace with symbols, solve as monoalphabetic. See classic-ciphers.md.
• Grid permutation cipher: 5x5 grid with independent row/column permutations collapses keyspace to 5! x 5! = 14,400; brute-force in milliseconds. See classic-ciphers.md.
• Image-based Caesar shift: Pixel rows/columns shifted by per-strip offsets; compare original vs shifted image to extract ASCII-encoded flag from shift amounts. See classic-ciphers.md.
• Polybius square cipher: 5x5 grid maps letter pairs to plaintext; digits/coordinates encode positions. See classic-ciphers.md.
• XOR key recovery via file format headers: File claims to be PDF/PNG/ZIP but file reports "data". XOR first bytes against expected magic bytes to derive repeating key; extend using trailer structures (%%EOF, IEND marker). See classic-ciphers.md.

See classic-ciphers.md for full code examples.

Modern Cipher Attacks

• AES-ECB: Block shuffling, byte-at-a-time chosen-plaintext suffix recovery (256 queries per byte, tool: FeatherDuster ecb_cpa_decrypt); image ECB preserves visual patterns. ECB cut-and-paste: splice ciphertext blocks to forge JSON fields (e.g., is_admin: true). See modern-ciphers-2.md.
• AES-CBC: Bit flipping to change plaintext; padding oracle for decryption without key. IV bit-flip: flip specific bits in the IV to change first plaintext block (requires no MAC). See modern-ciphers-2.md.
• CBC IV forgery + block truncation: XOR IV bytes to change decrypted block 0; strip trailing ciphertext blocks (no length integrity in CBC). Forges authenticated tokens when MAC is embedded in the ciphertext. See modern-ciphers-2.md.
• Padding oracle to CBC bitflip RCE: Chain padding oracle (recover plaintext) with CBC bitflipping (inject shell metacharacters) for command injection via encrypted parameters. See modern-ciphers-2.md.
• AES-CFB-8: Static IV with 8-bit feedback allows state reconstruction after 16 known bytes
• CBC-MAC/OFB-MAC: XOR keystream for signature forgery: new_sig = old_sig XOR block_diff
• S-box collisions: Non-permutation S-box (len(set(sbox)) < 256) enables 4,097-query key recovery
• GF(2) elimination: Linear hash functions (XOR + rotations) solved via Gaussian elimination over GF(2)
• Padding oracle: Byte-by-byte decryption by modifying previous block and testing padding validity
• LFSR stream ciphers: Berlekamp-Massey recovers feedback polynomial from 2L keystream bits; correlation attack breaks combined generators with biased combining functions
• Galois LFSR tap recovery: XOR known file header (PNG/PDF/ZIP) with ciphertext to get keystream; split into N-bit windows, compute (state >> 1) XOR next_state for LSB=1 transitions to directly recover tap mask. Autocorrelation sliding finds correct length. See stream-ciphers.md.
• OFB with invertible RNG: Known plaintext in any block leaks RNG state; if state transition is bijective, run RNG backwards to decrypt all blocks. See modern-ciphers-2.md.
• Weak key derivation (public key hash XOR): AES key derived from SHA256(public_key) XOR seed is fully recoverable without private key; "hybrid" RSA+AES provides no security. See modern-ciphers-2.md.
• HMAC-CRC linearity: CRC is linear over GF(2), so HMAC-CRC key is recoverable from a single message-MAC pair via polynomial arithmetic. See modern-ciphers-2.md.
• DES weak keys in OFB: 4 DES weak keys make encryption self-inverse; OFB keystream cycles with period 2, reducing to 16-byte repeating XOR. See modern-ciphers-2.md.
• Square attack (reduced-round AES): 4-round AES broken by integral cryptanalysis: 256-plaintext lambda set, guess last round key bytes via XOR-sum = 0 distinguisher. See modern-ciphers-2.md.
• AES-GCM nonce reuse (forbidden attack): Same nonce = CTR keystream reuse + GHASH authentication key recovery via polynomial factoring over GF(2^128). Tool: nonce-disrespect. See modern-ciphers.md.
• SRP protocol bypass: Send A = 0 or A = n to force shared secret to 0, bypassing password verification entirely. See modern-ciphers-2.md.
• Modified AES S-Box brute force: Custom S-Box with only 16 unique outputs reduces key entropy; brute-force feasible key bytes per round. See modern-ciphers-2.md.
• Rabin LSB parity oracle: Rabin ciphertext c = m^2 mod n with LSB oracle enables binary search plaintext recovery in log2(n) queries via multiplicative homomorphism (c * 4 mod n doubles plaintext). See modern-ciphers-2.md.
• Noisy RSA LSB oracle error correction: When LSB oracle has sporadic errors, run standard attack then inspect output charset. Flip oracle results at error positions to correct remaining decryption. See modern-ciphers-2.md.
• PBKDF2 pre-hash bypass: HMAC pre-hashes keys > 64 bytes (SHA-1/SHA-256 block size). Login with SHA1(password) instead of password when original exceeds 64 bytes. See modern-ciphers-2.md.
• MD5 multi-collision (fastcol): Chain fastcol runs to produce 2^k files with identical MD5. Merkle-Damgard composition: collisions propagate through appended suffixes. See modern-ciphers-2.md.
• Custom hash state reversal: When iterative hash leaks intermediate states, isolate per-block hash values by inverting the state update equation, then brute-force each 4-byte block independently. See modern-ciphers-2.md.
• CRC32 brute-force (small payloads): ZIP CRC32 headers are unencrypted; brute-force co