HomeWriteupsResourcesCheatsheets

Modular Arithmetic

LogoCryptoHack – Modular Arithmetic -CryptoHack
LogoModular Arithmetic | Brilliant Math & Science Wikibrilliantorg

Greatest Common Divisor

Question

There are many tools to calculate the GCD of two integers, but for this task we recommend looking up Euclid's Algorithm. Try coding it up; it's only a couple of lines. Use a = 12, b = 8 to test it. Now calculate gcd(a,b) for a = 66528, b = 52920 and enter it below.

LogoGreatest Common Divisor | Brilliant Math & Science Wikibrilliantorg

Using Repititive Subtraction

LogoGreatest Common Divisor | Brilliant Math & Science Wikibrilliantorg

Using Modulo

LogoEuclidean Algorithm | Brilliant Math & Science Wikibrilliantorg

Using math.gcd()

Extended GCD

Using the two primes p = 26513, q = 32321, find the integers u,v such that p * u + q * v = gcd(p,q) Enter whichever of u and v is the lower number as the flag. Knowing that p,q are prime, what would you expect gcd(p,q) to be? For more details on the extended Euclidean algorithm, check out this page.

LogoModular Arithmetic | Brilliant Math & Science Wikibrilliantorg

Modular Arithmetic 1

Calculate the following integers:

11 ≡ x mod 6

8146798528947 ≡ y mod 17

The solution is the smaller of the two integers.

Modular Arithmetic 2

Now take the prime p = 65537. Calculate 273246787654 ^ 65536 mod 65537. Did you need a calculator?

Answer: 1

According to Fermat's Little Theorem,

If 'p' is a prime number and 'a' is a positive integer and not divisible by 'p', then

ap11    (  mod    p  )a^{p-1} \equiv 1 \;\;(\;mod\;\;p\;)

LogoFermat's Little Theorem | Brilliant Math & Science Wikibrilliantorg

Modular Inverting

Question

What is the inverse element: 3 * d ≡ 1 mod 13?

Using Fermat's Little Theorem

We can derive an equation from the Fermat's Little Theorem, that gives the multiplicative inverse of 3 * d ≡ 1 mod 13. The derivation is given below:

ap11modp  (  Fermats  Little  Theorem  )a^{p-1} \equiv 1 \mod p\;(\;Fermat's\;Little\;Theorem\;)

Multiplicating  a1  on  both  sidesMultiplicating\;a^{-1}\;on\;both\;sides

ap1a1a1modpa^{p-1} \cdot a^{-1} \equiv a^{-1} \mod p

Rewriting  ap1  as  ap2Rewriting\;a^{p-1}\;as\;a^{p-2}

ap2aa1a1modpa^{p-2} \cdot a \cdot a^{-1} \equiv a^{-1} \mod p

ap2a1modpa^{p-2} \equiv a^{-1} \mod p

The final implication:

ap2a1modp    ap2modp=a1a^{p-2} \equiv a^{-1} \mod p \iff a^{p-2} \mod p = a^{-1}

Using Extended Euclidean Algorithm

Using Crypto.Util.number.inverse()

Quadratic Residues

LogoQuadratic Residues | Brilliant Math & Science Wikibrilliantorg

Find the quadratic residue and then calculate its square root. Of the two possible roots, submit the smaller one as the flag.

p = 29

ints = [14, 6, 11]

Properties of Quadratic (Non-) Residues

Quadratic Residue * Quadratic Residue = Quadratic Residue

Quadratic Residue * Quadratic Non-residue = Quadratic Non-residue

Quadratic Non-residue * Quadratic Non-residue = Quadratic Residue

Legendre Symbol

Definition

where,

(a / p) = 1 if a is a quadratic residue and a ≢ 0 mod p

(a / p) = -1 if a is a quadratic non-residue mod p

(a / p) = 0 if a ≡ 0 mod p

Which means given any integer a, calculating pow(a, (p-1) // 2,p) is enough to determine if a is a quadratic residue.

Question

Given the following 1024 bit prime and 10 integers, find the quadratic residue and then calculate its square root; the square root is your flag. Of the two possible roots, submit the larger one as your answer.

Finding Square Rootsmathcenter.oxford.emory.edu

Formula for Finding Square Root

x±a(p+1)/4(modp)x \equiv \pm a^{(p+1)/4}\pmod{p}

Modular Square Root

Find the square root of a modulo the 2048-bit prime p. Give the smaller of the two roots as your answer.

Using Sympy

Tonelli-Shanks Algorithm Implementation

Using Sage

Chinese Remainder Theorem

LogoChinese Remainder Theorem | Brilliant Math & Science Wikibrilliantorg

In cryptography, we commonly use the Chinese Remainder Theorem to help us reduce a problem of very large integers into a set of several, easier problems.

Formula

X=a  mod  NX = a\;mod\;N

where,

N=n1  ×  n2  ×  n3  ...  niN = n_{1}\;\times\;n_{2}\;\times\;n_{3}\;...\;n_{i}

Ni=NniN_{i} = \frac{N}{n_{i}}

a=a1N1N11  +  a2N2N21  +  a3N3N31  ...  aiNiNi1a = a_{1}N_{1}N_{1}^{-1}\;+\;a_{2}N_{2}N_{2}^{-1}\;+\;a_{3}N_{3}N_{3}^{-1}\;...\;a_{i}N_{i}N_{i}^{-1}

Question

Given the following set of linear congruences: x ≡ 2 mod 5 x ≡ 3 mod 11 x ≡ 5 mod 17 Find the integer a such that x ≡ a mod 935

Adrien's Signs

Adrien's been looking at ways to encrypt his messages with the help of symbols and minus signs. Can you find a way to recover the flag?

source.py - Given

output.txt - Given

Solution

While the provided source.py script exponentiates the n value with random numbers, it's important to note that since a is a quadratic residue, its powers will also be quadratic residues. However, the script negates the sign of n when b is not equal to 1 (i.e., when b is 0). This implies that we can decode the 8-bit binary code by determining whether n is a quadratic residue. If it is, the function returns 1; otherwise, it returns 0. By doing this we can generate the binary string and then decode it to flag.

Modular Binomials

Rearrange the following equations to get the primes p,q

N = pq

c1 = (2p + 3q)**e1 mod N

c2 = (5p + 7*q)**e2 mod N

Explanation

Given,Given,

N=p×qN = p \times q

c1=((  2×p  )+(  3×q  ))e1  mod  N[1]c_1 = ((\;2 \times p\;) + (\;3 \times q\;))^{e_1}\;mod\;N \rightarrow [1]

c2=((  5×p  )+(  7×q  ))e2  mod  N[2]c_2 = ((\;5 \times p\;) + (\;7 \times q\;))^{e_2}\;mod\;N \rightarrow [2]

To get the values of p and q, we have to solve the given equations. First we have to make the equations exponentially same. To do that multiply equation [1] by 1e21^{e_2} and equation [2] by 1e11^{e_1}, which results in the following form,

c1e2=(  2×pe1.e2  )+(  3×qe1.e2  )  mod  N[3]c_1^{e_2} = (\;2 \times p^{e_1 . e_2}\;) + (\;3 \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [3]

c2e1=(  5×pe1.e2  )+(  7×qe1.e2  )  mod  N[4]c_2^{e_1} = (\;5 \times p^{e_1 . e_2}\;) + (\;7 \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [4]

Now to get the value of q, we have to eliminate p from equations [3] and [4]. To do that multiply equation [3] by and equation [4] by 2e1.e22^{e_1.e_2}.

5e1.e2×c1e2(  10e1.e2×pe1.e2  )+(  15e1.e2×qe1.e2  )  mod  N[5]5^{e1.e2} \times c_1^{e_2} \equiv (\;10^{e_1 . e_2} \times p^{e_1 . e_2}\;) + (\;15^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [5]

2e1.e2×c2e1(  10e1.e2×pe1.e2  )+(  14e1.e2×qe1.e2  )  mod  N[6]2^{e1.e2} \times c_2^{e_1} \equiv (\;10^{e_1 . e_2} \times p^{e_1 . e_2}\;) + (\;14^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [6]

Multiply eqution [6] with -, which results in the following equation,

  2e1.e2×c2e1  (  10e1.e2×pe1.e2  )(  14e1.e2×qe1.e2  )  mod  N[7]-\;2^{e1.e2} \times c_2^{e_1} \equiv -\;(\;10^{e_1 . e_2} \times p^{e_1 . e_2}\;) - (\;14^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [7]

Solving equations [5] and [7], we get,

(  5e1.e2×c1e2  )  (  2e1.e2×c2e1  )(  15e1.e2×qe1.e2  )(  14e1.e2×qe1.e2  )  mod  N(\;5^{e1.e2} \times c_1^{e_2}\;)\; - (\;2^{e1.e2} \times c_2^{e_1}\;) \equiv (\;15^{e_1 . e_2} \times q^{e_1 . e_2}\;) - (\;14^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N

(  5e1.e2×c1e2  )  (  2e1.e2×c2e1  )qe1.e2  ×  (  15e1.e2    14e1.e2  )  mod  N[8](\;5^{e1.e2} \times c_1^{e_2}\;)\; - (\;2^{e1.e2} \times c_2^{e_1}\;) \equiv q^{e_1 . e_2} \;\times \;(\;15^{e_1 . e_2}\;-\; 14^{e_1 . e_2}\;)\;mod\;N \rightarrow [8]

From equation [8], we can get q by the following steps:

  • If a congruence holds modulo a product of two integers, it holds modulo each integer.

  • The right-hand side of the congruence is a multiple of q, so the expression c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2} is also a multiple of q.

  • N is a multiple of q, meaning q is a divisor of both the expression and N.

  • The only divisors of N are 1, p, q, and N. Since q divides only N and N, it's highly likely that gcd(c1e2×5e1e2c2e1×2e1e2,N)\text{gcd}(c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, N) is q, not N.

  • There's no particular reason for p to divide c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, making it very unlikely that gcd\text{gcd} would be N.

  • Therefore, it's highly probable that gcd(c1e2×5e1e2c2e1×2e1e2,N)\text{gcd}(c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, N) equals q.

After getting q, we can get p by p=nqp = \frac{n}{q}, which we derived from the given, .

Solution

Why gcd((pow(c1, e2, N) * pow(5, e1 * e2, N)) - (pow(c2, e1, N) * pow(2, e1 * e2, N)), N)?

The equation

gcd(c1e2×5e1e2c2e1×2e1e2,N)\text{gcd}(c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, N)

is equivalent to the expression

gcd((pow(c1, e2, N) * pow(5, e1 * e2, N)) - (pow(c2, e1, N) * pow(2, e1 * e2, N)), N)

Here's why:

  • Modular Property: Both expressions represent congruences modulo N, the modulus. So, we're ensuring that the arithmetic operations stay within the range of integers modulo N.

  • Exponential Terms: Each term involving 5, c_1, 2, and c_2 is raised to an exponent. In the first expression, 5e1e25^{e_1 \cdot e_2} means 5 raised to the power of e1e2e_1 \cdot e_2, and similarly for the others. In the second expression, pow(c1, e2, N) calculates c1e2modNc_1^{e_2} \mod N, and so forth. These are equivalent computations modulo N.

  • Subtraction of Terms: In both expressions, there's a subtraction operation between two terms.

  • GCD Calculation: The gcd function calculates the greatest common divisor of the difference between the two terms and N. This operation ensures that we're finding the greatest common divisor within the modular arithmetic context.

In summary, both expressions represent the same mathematical operation: finding the greatest common divisor of a certain expression and N, where the expression involves exponentiation modulo N.

Why are we taking the mod n on each term in the equation c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}?

Taking the modulo N of each term in Equation c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2} is essential because it ensures that the arithmetic operations stay within the range of integers modulo N. This practice is common in cryptographic operations, particularly in modular arithmetic used in RSA encryption and related algorithms.

Here's why each term is taken modulo N:

  1. pow(c1, e2, N): This computes c1e2modNc_1^{e_2} \mod N. Taking the exponentiation modulo N ensures that the result stays within the range of 0 to N-1.

  2. pow(5, e1 * e2, N): This computes 5e1e2modN5^{e_1 \cdot e_2} \mod N. Again, this ensures that the result remains within the range of integers modulo N.

  3. pow(c2, e1, N): This computes c2e1modNc_2^{e_1} \mod N. Similar to the previous terms, taking the exponentiation modulo N ensures that the result is within the range of integers modulo N.

  4. pow(2, e1 * e2, N): This computes 2e1e2modN2^{e_1 \cdot e_2} \mod N, ensuring the result remains within the range of integers modulo N.

  5. gcd(..., N): Finally, the gcd function is applied to the difference of the two terms, followed by taking modulo N. This ensures that the final result, the greatest common divisor, is also within the range of integers modulo N.

Taking each term modulo N is crucial for maintaining the correctness and security of cryptographic operations, preventing arithmetic overflow, and ensuring that the computations are performed within the finite field defined by N.

PreviousIntroduction to CryptoHackNextSymmetric Cryptography

Last updated

Was this helpful?