We've looked at multiplication and division in modular arithmetic, but what does it mean to take the square root modulo an integer?

For the following discussion, let's work modulo $p = 29$. We can take the integer $a = 11$ and calculate $a^{2} = 5 \mod 29$.

As $a = 11, a^{2} = 5$, we say the square root of $5$ is $11$.

This feels good, but now let's think about the square root of $18$. From the above, we know we need to find some integer $a$ such that $a^{2} = 18$

Your first idea might be to start with $a = 1$ and loop to $a = p-1$. In this discussion $p$ isn't too large and we can quickly check all options.

Have a go, try coding this and see what you find. If you've coded it right, you'll find that for all $a \in \Fp^{*}$ you never find an $a$ such that $a^{2} = 18$.

What we are seeing, is that for the elements of $\Fp^{*}$, not every element has a square root. In fact, what we find is that for roughly one half of the elements of $\Fp^{*}$, there is no square root.

We say that an integer $x$ is a Quadratic Residue if there exists an $a$ such that $a^{2} \equiv x \mod p$. If there is no such solution, then the integer is a Quadratic Non-Residue.

In other words, $x$ is a quadratic residue when it is possible to take the square root of $x$ modulo an integer $p$.

In the below list there are two non-quadratic residues and one quadratic residue.

Find the quadratic residue and then calculate its square root. Of the two possible roots, submit the smaller one as the flag.

If $a^{2} = x$ then $(-a)^{2} = x$. So if $x$ is a quadratic residue in some finite field, then there are always two solutions for $a$.

$p = 29 \quad ints = [14, 6, 11]$

In Quadratic Residues we learnt what it means to take the square root modulo an integer. We also saw that taking a root isn't always possible.

In the previous case when $p = 29$, even the simplest method of calculating the square root was fast enough, but as $p$ gets larger, this method becomes wildly unreasonable.

Lucky for us, we have a way to check whether an integer is a quadratic residue with a single calculation thanks to Legendre. In the following, we will assume we are working modulo a prime $p$.

Before looking at Legendre's symbol, let's take a brief detour to see an interesting property of quadratic (non-)residues.

Quadratic Residue * Quadratic Residue = Quadratic Residue
Quadratic Residue * Quadratic Non-residue = Quadratic Non-residue
Quadratic Non-residue * Quadratic Non-residue = Quadratic Residue

Want an easy way to remember this? Replace "Quadratic Residue" with $+1$ and "Quadratic Non-residue" with $-1$, all three results are the same!

So what's the trick? The Legendre Symbol gives an efficient way to determine whether an integer is a quadratic residue modulo an odd prime $p$.

Legendre's Symbol: $(a / p) \equiv a^{(p-1)/2} \mod p$ obeys:

$(a / p) = 1$ if $a$ is a quadratic residue and $a \not\equiv 0 \mod p$
$(a / p) = -1$ if $a$ is a quadratic non-residue $\mod p$
$(a / p) = 0$ if $a \equiv 0 \mod p$

Which means given any integer $a$, calculating $a^{(p-1)/2} \mod p$ is enough to determine if $a$ is a quadratic residue.

Now for the flag. Given the following 1024 bit prime and 10 integers, find the quadratic residue and then calculate its square root; the square root is your flag. Of the two possible roots, submit the larger one as your answer.

So Legendre's symbol tells us which integer is a quadratic residue, but how do we find the square root?! The prime supplied obeys $p = 3 \mod 4$, which allows us easily compute the square root. The answer is online, but you can figure it out yourself if you think about Fermat's little theorem.

Challenge files:
  - output.txt

In Legendre Symbol we introduced a fast way to determine whether a number is a square root modulo a prime. We can go further: there are algorithms for efficiently calculating such roots. The best one in practice is called Tonelli-Shanks, which gets its funny name from the fact that it was first described by an Italian in the 19th century and rediscovered independently by Daniel Shanks in the 1970s.

All primes that aren't 2 are of the form $p \equiv 1 \mod 4$ or $p \equiv 3 \mod 4$, since all odd numbers obey these congruences. As the previous challenge hinted, in the $p \equiv 3 \mod 4$ case, a really simple formula for computing square roots can be derived directly from Fermat's little theorem. That leaves us still with the $p \equiv 1 \mod 4$ case, so a more general algorithm is required.

In a congruence of the form $r^2 \equiv a \mod p$, Tonelli-Shanks calculates $r$.

Tonelli-Shanks doesn't work for composite (non-prime) moduli. Finding square roots modulo composites is computationally equivalent to integer factorization - that is, it's a hard problem.

The main use-case for this algorithm is finding elliptic curve coordinates. Its operation is somewhat complex so we're not going to discuss the details, however, implementations are easy to find and Sage has one built-in.

Find the square root of $a$ modulo the 2048-bit prime $p$. Give the smaller of the two roots as your answer.

Challenge files:
  - output.txt

The Chinese Remainder Theorem gives a unique solution to a set of linear congruences if their moduli are coprime.

This means, that given a set of arbitrary integers $a^{i}$, and pairwise coprime integers $n^{i}$, such that the following linear congruences hold:

Note "pairwise coprime integers" means that if we have a set of integers $\{n^{1}, n^{2}, ..., n^{i}\}$, all pairs of integers selected from the set are coprime: $\gcd(n^{i}, n^{j}) = 1$.

$x \equiv a^{1} \mod n^{1}$
$x \equiv a^{2} \mod n^{2}$
$\ldots$
$x \equiv a^{n} \mod n^{n}$

There is a unique solution $x \equiv a \mod N$ where $N = n^{1} \cdot n^{2} \cdot ... \cdot n^{n}$.

In cryptography, we commonly use the Chinese Remainder Theorem to help us reduce a problem of very large integers into a set of several, easier problems.

Given the following set of linear congruences:

$x \equiv 2 \mod 5$
$x \equiv 3 \mod 11$
$x \equiv 5 \mod 17$

Find the integer $a$ such that $x \equiv a \mod 935$

Starting with the congruence with the largest modulus, use that for $x \equiv a \mod p$ we can write $x = a + k \cdot p$ for arbitrary integer $k$.

The following integers: $\{588, 665, 216, 113, 642, 4, 836, 114, 851, 492, 819, 237\}$ are successive large powers of an integer $x$, modulo a three digit prime $p$.

Find $p$ and $x$ to obtain the flag.

You can do this with a pen and paper. We've included this challenge as an excuse for you to get used to algebra and modular mathematics.

Adrien's been looking at ways to encrypt his messages with the help of symbols and minus signs. Can you find a way to recover the flag?

Challenge files:
  - source.py
  - output.txt

Rearrange the following equations to get the primes p,q

$N = p \cdot q$
$c_1 = (2 \cdot p + 3 \cdot q)^{e_1} \mod N$
$c_2 = (5 \cdot p + 7 \cdot q)^{e_2} \mod N$

Challenge files:
  - data.txt

I tried to send you an important message with RSA, however I messed up my RSA implementation really badly. Can you still recover the flag?

If you think you're doing the right thing but getting garbage, be sure to check all possible solutions.

Challenge files:
  - broken_rsa.txt

Quantum Computers are going to break some of the standard cryptosystems like RSA, ECC and others. We're in some trouble, so why don't we make our own Quantum-Safe Key Exchange Protocol?

Challenge files:
  - nowayback.py
  - out.txt


Challenge contributed by DCryp7

I overheard my professor talking about ellipse curve cryptography. I tried googling it, but didn't find anything so I implemented it myself.

Challenge files:
  - source.py
  - output.txt

Cracking discrete logarithms is hard. Change my mind. I'll even let you to use your own parameters, as long as the modulus is of the given order.

Connect at socket.cryptohack.org 13403

Challenge files:
  - 13403.py


Challenge contributed by Mystiz

I swear I knew what I was doing, but I encrypted some data on my hard drive and nothing happened? RSA is so confusing. Luckily my flag is safe, but it seems I have a lot more learning to do.

Challenge files:
  - source.py
  - output.txt


Challenge contributed by unblvr

Do you have the power to break out of my cofactor cofantasy?

Calculating the solution should take less than 15 minutes.

Connect at socket.cryptohack.org 13398

Challenge files:
  - 13398.py


Challenge contributed by Robin_Jadoul and Thunderlord

I've hidden my secret among the primes. Reducing the number back down to the flag shouldn't be possible!

Challenge files:
  - real_eisenstein.py


Challenge contributed by ariana

You may look through my window and see my flag, but to maintain my modesty, only the first character is available.

Connect at socket.cryptohack.org 13385

Challenge files:
  - 13385.py