search
HomeWriteupsResourcesCheatsheets

Modular Arithmetic

LogoCryptoHack – Modular Arithmetic -CryptoHackchevron-right
LogoModular Arithmetic | Brilliant Math & Science Wikibrilliantorgchevron-right

hashtag
Greatest Common Divisor

hashtag
Question

There are many tools to calculate the GCD of two integers, but for this task we recommend looking up Euclid's Algorithmarrow-up-right. Try coding it up; it's only a couple of lines. Use a = 12, b = 8 to test it. Now calculate gcd(a,b) for a = 66528, b = 52920 and enter it below.

LogoGreatest Common Divisor | Brilliant Math & Science Wikibrilliantorgchevron-right

hashtag
Using Repititive Subtraction

LogoGreatest Common Divisor | Brilliant Math & Science Wikibrilliantorgchevron-right

hashtag
Using Modulo

LogoEuclidean Algorithm | Brilliant Math & Science Wikibrilliantorgchevron-right

hashtag
Using math.gcd()

hashtag
Extended GCD

Using the two primes p = 26513, q = 32321, find the integers u,v such that p * u + q * v = gcd(p,q) Enter whichever of u and v is the lower number as the flag. Knowing that p,q are prime, what would you expect gcd(p,q) to be? For more details on the extended Euclidean algorithm, check out this pagearrow-up-right.

LogoModular Arithmetic | Brilliant Math & Science Wikibrilliantorgchevron-right

hashtag
Modular Arithmetic 1

Calculate the following integers:

11 ≡ x mod 6

8146798528947 ≡ y mod 17

The solution is the smaller of the two integers.

hashtag
Modular Arithmetic 2

Now take the prime p = 65537. Calculate 273246787654 ^ 65536 mod 65537. Did you need a calculator?

Answer: 1

circle-info

According to Fermat's Little Theorem,

If 'p' is a prime number and 'a' is a positive integer and not divisible by 'p', then

ap11    (  mod    p  )a^{p-1} \equiv 1 \;\;(\;mod\;\;p\;)

LogoFermat's Little Theorem | Brilliant Math & Science Wikibrilliantorgchevron-right

hashtag
Modular Inverting

hashtag
Question

What is the inverse element: 3 * d ≡ 1 mod 13?

hashtag
Using Fermat's Little Theorem

circle-info

We can derive an equation from the Fermat's Little Theorem, that gives the multiplicative inverse of 3 * d ≡ 1 mod 13. The derivation is given below:

ap11modp  (  Fermats  Little  Theorem  )a^{p-1} \equiv 1 \mod p\;(\;Fermat's\;Little\;Theorem\;)

Multiplicating  a1  on  both  sidesMultiplicating\;a^{-1}\;on\;both\;sides

ap1a1a1modpa^{p-1} \cdot a^{-1} \equiv a^{-1} \mod p

Rewriting  ap1  as  ap2Rewriting\;a^{p-1}\;as\;a^{p-2}

ap2aa1a1modpa^{p-2} \cdot a \cdot a^{-1} \equiv a^{-1} \mod p

ap2a1modpa^{p-2} \equiv a^{-1} \mod p

The final implication:

ap2a1modp    ap2modp=a1a^{p-2} \equiv a^{-1} \mod p \iff a^{p-2} \mod p = a^{-1}

hashtag
Using Extended Euclidean Algorithm

hashtag
Using Crypto.Util.number.inverse()

hashtag
Quadratic Residues

LogoQuadratic Residues | Brilliant Math & Science Wikibrilliantorgchevron-right

Find the quadratic residue and then calculate its square root. Of the two possible roots, submit the smaller one as the flag.

p = 29

ints = [14, 6, 11]

hashtag
Properties of Quadratic (Non-) Residues

Quadratic Residue * Quadratic Residue = Quadratic Residue

Quadratic Residue * Quadratic Non-residue = Quadratic Non-residue

Quadratic Non-residue * Quadratic Non-residue = Quadratic Residue

hashtag
Legendre Symbol

hashtag
Definition

where,

(a / p) = 1 if a is a quadratic residue and a ≢ 0 mod p

(a / p) = -1 if a is a quadratic non-residue mod p

(a / p) = 0 if a ≡ 0 mod p

Which means given any integer a, calculating pow(a, (p-1) // 2,p) is enough to determine if a is a quadratic residue.

hashtag
Question

Given the following 1024 bit prime and 10 integers, find the quadratic residue and then calculate its square root; the square root is your flag. Of the two possible roots, submit the larger one as your answer.

Finding Square Rootsmathcenter.oxford.emory.educhevron-right

hashtag
Formula for Finding Square Root

x±a(p+1)/4(modp)x \equiv \pm a^{(p+1)/4}\pmod{p}

hashtag
Modular Square Root

Find the square root of a modulo the 2048-bit prime p. Give the smaller of the two roots as your answer.

hashtag
Using Sympy

hashtag
Tonelli-Shanks Algorithm Implementation

hashtag
Using Sage

hashtag
Chinese Remainder Theorem

LogoChinese Remainder Theorem | Brilliant Math & Science Wikibrilliantorgchevron-right

In cryptography, we commonly use the Chinese Remainder Theorem to help us reduce a problem of very large integers into a set of several, easier problems.

hashtag
Formula

X=a  mod  NX = a\;mod\;N

where,

N=n1  ×  n2  ×  n3  ...  niN = n_{1}\;\times\;n_{2}\;\times\;n_{3}\;...\;n_{i}

Ni=NniN_{i} = \frac{N}{n_{i}}

a=a1N1N11  +  a2N2N21  +  a3N3N31  ...  aiNiNi1a = a_{1}N_{1}N_{1}^{-1}\;+\;a_{2}N_{2}N_{2}^{-1}\;+\;a_{3}N_{3}N_{3}^{-1}\;...\;a_{i}N_{i}N_{i}^{-1}

hashtag
Question

Given the following set of linear congruences: x ≡ 2 mod 5 x ≡ 3 mod 11 x ≡ 5 mod 17 Find the integer a such that x ≡ a mod 935

hashtag
Adrien's Signs

Adrien's been looking at ways to encrypt his messages with the help of symbols and minus signs. Can you find a way to recover the flag?

hashtag
source.py - Given

hashtag
output.txt - Given

hashtag
Solution

While the provided source.py script exponentiates the n value with random numbers, it's important to note that since a is a quadratic residue, its powers will also be quadratic residues. However, the script negates the sign of n when b is not equal to 1 (i.e., when b is 0). This implies that we can decode the 8-bit binary code by determining whether n is a quadratic residue. If it is, the function returns 1; otherwise, it returns 0. By doing this we can generate the binary string and then decode it to flag.

hashtag
Modular Binomials

Rearrange the following equations to get the primes p,q

N = pq

c1 = (2p + 3q)**e1 mod N

c2 = (5p + 7*q)**e2 mod N

hashtag
Explanation

Given,Given,

N=p×qN = p \times q

c1=((  2×p  )+(  3×q  ))e1  mod  N[1]c_1 = ((\;2 \times p\;) + (\;3 \times q\;))^{e_1}\;mod\;N \rightarrow [1]

c2=((  5×p  )+(  7×q  ))e2  mod  N[2]c_2 = ((\;5 \times p\;) + (\;7 \times q\;))^{e_2}\;mod\;N \rightarrow [2]

To get the values of p and q, we have to solve the given equations. First we have to make the equations exponentially same. To do that multiply equation [1] by 1e21^{e_2} and equation [2] by 1e11^{e_1}, which results in the following form,

c1e2=(  2×pe1.e2  )+(  3×qe1.e2  )  mod  N[3]c_1^{e_2} = (\;2 \times p^{e_1 . e_2}\;) + (\;3 \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [3]

c2e1=(  5×pe1.e2  )+(  7×qe1.e2  )  mod  N[4]c_2^{e_1} = (\;5 \times p^{e_1 . e_2}\;) + (\;7 \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [4]

Now to get the value of q, we have to eliminate p from equations [3] and [4]. To do that multiply equation [3] by and equation [4] by 2e1.e22^{e_1.e_2}.

5e1.e2×c1e2(  10e1.e2×pe1.e2  )+(  15e1.e2×qe1.e2  )  mod  N[5]5^{e1.e2} \times c_1^{e_2} \equiv (\;10^{e_1 . e_2} \times p^{e_1 . e_2}\;) + (\;15^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [5]

2e1.e2×c2e1(  10e1.e2×pe1.e2  )+(  14e1.e2×qe1.e2  )  mod  N[6]2^{e1.e2} \times c_2^{e_1} \equiv (\;10^{e_1 . e_2} \times p^{e_1 . e_2}\;) + (\;14^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [6]

Multiply eqution [6] with -, which results in the following equation,

  2e1.e2×c2e1  (  10e1.e2×pe1.e2  )(  14e1.e2×qe1.e2  )  mod  N[7]-\;2^{e1.e2} \times c_2^{e_1} \equiv -\;(\;10^{e_1 . e_2} \times p^{e_1 . e_2}\;) - (\;14^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N \rightarrow [7]

Solving equations [5] and [7], we get,

(  5e1.e2×c1e2  )  (  2e1.e2×c2e1  )(  15e1.e2×qe1.e2  )(  14e1.e2×qe1.e2  )  mod  N(\;5^{e1.e2} \times c_1^{e_2}\;)\; - (\;2^{e1.e2} \times c_2^{e_1}\;) \equiv (\;15^{e_1 . e_2} \times q^{e_1 . e_2}\;) - (\;14^{e_1 . e_2} \times q^{e_1 . e_2}\;)\;mod\;N

(  5e1.e2×c1e2  )  (  2e1.e2×c2e1  )qe1.e2  ×  (  15e1.e2    14e1.e2  )  mod  N[8](\;5^{e1.e2} \times c_1^{e_2}\;)\; - (\;2^{e1.e2} \times c_2^{e_1}\;) \equiv q^{e_1 . e_2} \;\times \;(\;15^{e_1 . e_2}\;-\; 14^{e_1 . e_2}\;)\;mod\;N \rightarrow [8]

From equation [8], we can get q by the following steps:

  • If a congruence holds modulo a product of two integers, it holds modulo each integer.

  • The right-hand side of the congruence is a multiple of q, so the expression c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2} is also a multiple of q.

  • N is a multiple of q, meaning q is a divisor of both the expression and N.

  • The only divisors of N are 1, p, q, and N. Since q divides only N and N, it's highly likely that gcd(c1e2×5e1e2c2e1×2e1e2,N)\text{gcd}(c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, N) is q, not N.

  • There's no particular reason for p to divide c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, making it very unlikely that gcd\text{gcd} would be N.

  • Therefore, it's highly probable that gcd(c1e2×5e1e2c2e1×2e1e2,N)\text{gcd}(c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, N) equals q.

After getting q, we can get p by p=nqp = \frac{n}{q}, which we derived from the given, .

hashtag
Solution

circle-info

Why gcd((pow(c1, e2, N) * pow(5, e1 * e2, N)) - (pow(c2, e1, N) * pow(2, e1 * e2, N)), N)?

The equation

gcd(c1e2×5e1e2c2e1×2e1e2,N)\text{gcd}(c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}, N)

is equivalent to the expression

gcd((pow(c1, e2, N) * pow(5, e1 * e2, N)) - (pow(c2, e1, N) * pow(2, e1 * e2, N)), N)

Here's why:

  • Modular Property: Both expressions represent congruences modulo N, the modulus. So, we're ensuring that the arithmetic operations stay within the range of integers modulo N.

  • Exponential Terms: Each term involving 5, c_1, 2, and c_2 is raised to an exponent. In the first expression, 5e1e25^{e_1 \cdot e_2} means 5 raised to the power of e1e2e_1 \cdot e_2, and similarly for the others. In the second expression, pow(c1, e2, N) calculates c1e2modNc_1^{e_2} \mod N, and so forth. These are equivalent computations modulo N.

  • Subtraction of Terms: In both expressions, there's a subtraction operation between two terms.

  • GCD Calculation: The gcd function calculates the greatest common divisor of the difference between the two terms and N. This operation ensures that we're finding the greatest common divisor within the modular arithmetic context.

In summary, both expressions represent the same mathematical operation: finding the greatest common divisor of a certain expression and N, where the expression involves exponentiation modulo N.

circle-info

Why are we taking the mod n on each term in the equation c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2}?

Taking the modulo N of each term in Equation c1e2×5e1e2c2e1×2e1e2c_1^{e_2} \times 5^{e_1 \cdot e_2} - c_2^{e_1} \times 2^{e_1 \cdot e_2} is essential because it ensures that the arithmetic operations stay within the range of integers modulo N. This practice is common in cryptographic operations, particularly in modular arithmetic used in RSA encryption and related algorithms.

Here's why each term is taken modulo N:

  1. pow(c1, e2, N): This computes c1e2modNc_1^{e_2} \mod N. Taking the exponentiation modulo N ensures that the result stays within the range of 0 to N-1.

  2. pow(5, e1 * e2, N): This computes 5e1e2modN5^{e_1 \cdot e_2} \mod N. Again, this ensures that the result remains within the range of integers modulo N.

  3. pow(c2, e1, N): This computes c2e1modNc_2^{e_1} \mod N. Similar to the previous terms, taking the exponentiation modulo N ensures that the result is within the range of integers modulo N.

  4. pow(2, e1 * e2, N): This computes 2e1e2modN2^{e_1 \cdot e_2} \mod N, ensuring the result remains within the range of integers modulo N.

  5. gcd(..., N): Finally, the gcd function is applied to the difference of the two terms, followed by taking modulo N. This ensures that the final result, the greatest common divisor, is also within the range of integers modulo N.

Taking each term modulo N is crucial for maintaining the correctness and security of cryptographic operations, preventing arithmetic overflow, and ensuring that the computations are performed within the finite field defined by N.

PreviousIntroduction to CryptoHackNextSymmetric Cryptography

Last updated