CodeVinci CTF 2026 - galatical - Cryptography Writeup

Category: Cryptography Flag: CodeVinci{p0lyn0m14l_rs4_l34ks_r00t5_lm4o}

Challenge Description#

it isnt a CTF without RSA

Analysis#

The provided script looked like a normal RSA setup at first, but the key clue was that it also published ten polynomial points with an added random noise term and a matching RSA-encrypted version of that noise. Pulling the crucial lines out of galatical.py made the weakness obvious: the noise was only 16 bits, and the script output both y_noisy = y + r (mod n) and r_enc = r^e mod n.

1
python extract_core_lines.py

1
13: NOISE_BITS = 16
2
88:             y = poly_eval_mod(coeffs, x, n)
3
89:             r = secrets.randbelow(1 << NOISE_BITS)
4
90:             y_noisy = (y + r) % n
5
91:             r_enc = pow(r, E, n)
6
94:         f_m = poly_eval_mod(coeffs, m, n)
7
98:         c1 = pow(m, E, n)
8
99:         c2 = pow(f_m, E, n)

Then I checked the published parameters in output.txt to confirm the shape of the instance (e = 17, degree 9 polynomial, and 16-bit noise). Because r < 2^16, r^17 is far smaller than a 2048-bit modulus, so r_enc = r^17 mod n is just the exact integer power with no wraparound. That means each r can be recovered by exact integer 17th root, which instantly removes the noise from every point.

1
python -c "from pathlib import Path; t=Path('output.txt').read_text(); print('\n'.join([line for line in t.splitlines() if line.startswith(('n =','e =','deg =','noise_bits =','c1 =','c2 ='))]))"

1
n = 21795931982959810520942863253123932350006550281673221741324389746441489588991691784228362252631862821241876624167634299253224012371185010989980972276294863120930187293561186408413794501225854649333475546641202394219469315718499032427794894336784303091789112740065030697184580712820317698061315065029994965000331675762255319964208064800895206524399505312735194878932683089429730306737687182410525781623616904466313063331314814981761501664490445059865564935765420577375894805622643041732346768897425640062528994058910747278648497266970687062720587080127756482814143522566541416793580032910516069598797363246158893559203
2
e = 17
3
deg = 9
4
noise_bits = 16
5
c1 = 17069480607381333340837059621017041514461037312661575749074463467593711378468501917601145213696262157081974590275851364318126946432567619623442558856499278049000634859710386939661034781830101841558737028294620534431460584889198939890743582295134418218234863044625794900789252930749138452915364022716617829366398541818209985678600543910238332239757640924205524654998000872497132900300803106929276168403073803078292990833759803062978594282481693044544928540953522758918780829701611071981841179667387496533021549067145744230245674295353326670788674422134235059172059397648763177319296047417510386887263201663685604459270
6
c2 = 22017604496222855387400089488783882102774559652391746781635976591924702436082247234343029133767824949950873390768790867821809530150727619420302922605868959289862308167072315580390032286804422072742556634741359609108164215568204513995809834871745948638995210622023605193809961374191659533045113161205072671662931939694847470718069118230862749096690727993074315524642611506095071814885193074966029279617628571492730244236406415232861297020381115027941652762550708861288283690502892471616548245255984354646123110490438594329667864637941033723511769203613511959066641052710958145498270486098531267360662949728464981997

From there the solve is neat: recover every r_i by exact root, compute clean y_i, interpolate the degree-9 polynomial f(x) over Z_n, and use a Franklin-Reiter-style common-root trick with P(x)=x^17-c1 and Q(x)=f(x)^17-c2. Their gcd yields a linear factor containing m, which decodes directly to the flag. This one felt very clean once the tiny-noise leak clicked.

smile

Solution#

1
# !/usr/bin/env sage
2
import re
3
from math import gcd
4
from gmpy2 import iroot
5

6
def parse_output(path):
7
    vals = {}
8
    points = {}
9
    with open(path, "r", encoding="utf-8") as f:
10
        for line in f:
11
            line = line.strip()
12
            if not line or "=" not in line:
13
                continue
14
            k, v = [x.strip() for x in line.split("=", 1)]
15
            if k[0] in ("x", "y", "r") and k[1:].isdigit():
16
                idx = int(k[1:])
17
                points.setdefault(idx, {})[k[0]] = Integer(v)
18
            else:
19
                vals[k] = Integer(v)
20
    return vals, points
21

22
def interpolate_mod_n(points, n):
23
    Zn = Zmod(n)
24
    R = PolynomialRing(Zn, "X")
25
    X = R.gen()
26

27
    f = R(0)
28
    m = len(points)
29
    for i in range(m):
30
        xi, yi = points[i]
31
        num = R(1)
32
        den = Zn(1)
33
        for j in range(m):
34
            if i == j:
35
                continue
36
            xj, _ = points[j]
37
            num *= (X - xj)
38
            den *= (xi - xj)
39

40
        den_int = int(den)
41
        g = gcd(den_int, n)
42
        if g != 1:
43
            raise ValueError(f"Non-invertible interpolation denominator; gcd={g}")
44
        f += yi * num * den.inverse_of_unit()
45
    return f
46

47
def gcd_over_zn(a, b, n):
48
    R = a.parent()
49
    while b != 0:
50
        lc = b.leading_coefficient()
51
        g = gcd(int(lc), n)
52
        if g != 1:
53
            return None, g
54
        b = b * lc.inverse_of_unit()
55
        a, b = b, a % b
56

57
    if a == 0:
58
        return R(0), None
59

60
    lc = a.leading_coefficient()
61
    g = gcd(int(lc), n)
62
    if g != 1:
63
        return None, g
64
    a = a * lc.inverse_of_unit()
65
    return a, None
66

67
def int_to_bytes(x):
68
    x = int(x)
69
    if x == 0:
70
        return b"\x00"
71
    return x.to_bytes((x.bit_length() + 7) // 8, "big")
72

73
def main():
74
    vals, raw_points = parse_output("output.txt")
75
    n = int(vals["n"])
76
    e = int(vals["e"])
77
    c1 = int(vals["c1"])
78
    c2 = int(vals["c2"])
79

80
    points = []
81
    for idx in sorted(raw_points):
82
        x = int(raw_points[idx]["x"])
83
        y_noisy = int(raw_points[idx]["y"])
84
        r_enc = int(raw_points[idx]["r"])
85

86
        r, exact = iroot(r_enc, e)
87
        if not exact:
88
            raise ValueError(f"r{idx} root is not exact")
89
        r = int(r)
90
        y = (y_noisy - r) % n
91
        points.append((x, y))
92

93
    f = interpolate_mod_n([(Zmod(n)(x), Zmod(n)(y)) for x, y in points], n)
94

95
    R = f.parent()
96
    X = R.gen()
97
    P = X**e - Zmod(n)(c1)
98
    Q = f**e - Zmod(n)(c2)
99

100
    g, nontrivial = gcd_over_zn(P, Q, n)
101

102
    m = None
103
    if g is not None and g.degree() == 1:
104
        b = g[0]
105
        m = int((-b) % n)
106
    elif nontrivial is not None and 1 < nontrivial < n:
107
        p = int(nontrivial)
108
        q = n // p
109
        phi = (p - 1) * (q - 1)
110
        d = inverse_mod(e, phi)
111
        m = int(pow(c1, int(d), n))
112
    else:
113
        gg = P.gcd(Q)
114
        if gg.degree() == 1:
115
            m = int((-gg[0] / gg[1]) % n)
116

117
    if m is None:
118
        raise RuntimeError("Failed to recover m")
119

120
    msg = int_to_bytes(m)
121
    print("m_bytes:", msg)
122

123
    try:
124
        s = msg.decode()
125
    except Exception:
126
        s = msg.decode(errors="ignore")
127

128
    print("decoded:", s)
129
    mm = re.search(r"CodeVinci\{[^}]+\}", s)
130
    if mm:
131
        print("FLAG:", mm.group(0))
132

133
if __name__ == "__main__":
134
    main()

1
sage solve_galatical.sage

1
m_bytes: b'CodeVinci{p0lyn0m14l_rs4_l34ks_r00t5_lm4o}'
2
decoded: CodeVinci{p0lyn0m14l_rs4_l34ks_r00t5_lm4o}
3
FLAG: CodeVinci{p0lyn0m14l_rs4_l34ks_r00t5_lm4o}