A good challenge in D-CTF 21-22. Crypt 4 fun!

We searched for relevant information about P2DPI and found a paper on GitHub (its author is also the author of this challenge).

#### Main Part:

Choice 1: encrypt something as $sk\cdot R$, but $R$ can't be $g$ or $h$. Also, you should sign the point.

Choice 2: encrypt the secure message with compute_obfuscated_tokens.

#### Solution:

In this task, we act as the MB. In the paper, see section 3.3, "Exhaustive message search vulnerability".

From it we find that, in a sense, you can become an SR and encrypt a msg without getting sk (k_SR).

The implication is that you can do a MITM (man-in-the-middle) attack here.

That's the first step.

The next step is how to decrypt this token. If the secure message never changes, we just need to get a set of data.

Then, let's analyse tokenize and compute_obfuscated_tokens.

We find that tokenize is very weak if you know one block in it, which is also described in the paper.

The flag's format is CTF{sha256}, so we can get half a token block. But we don't know the index of the flag, so it needs brute force (only hexdigits(lower) * 4 * length(Ti)).
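The search described above, as an added toy example (not the challenge's or the paper's code), showing why deterministic tokens over guessable plaintext can be searched. Assumptions: an 8-byte sliding window (so "CTF{" is half a block), HMAC-SHA256 standing in for the $sk\cdot R$ step from choice 1, and SHA-256 over a counter for the per-position hash; the function bodies, key, and message are constructed for illustration.

```python
import hashlib, hmac, itertools, os

WINDOW = 8  # assumed token size: "CTF{" (4 bytes) is half a block

def tokenize(msg: bytes):
    # Sliding window: one token per byte offset (assumed behaviour).
    return [msg[i:i + WINDOW] for i in range(len(msg) - WINDOW + 1)]

def blind(sk: bytes, token: bytes) -> bytes:
    # Stand-in for the sk*R step (HMAC here instead of an EC point multiply).
    return hmac.new(sk, token, hashlib.sha256).digest()

def obfuscate(blinded: bytes, counter: int) -> bytes:
    # Position-dependent hash of the blinded token.
    return hashlib.sha256(counter.to_bytes(4, "big") + blinded).digest()

def compute_obfuscated_tokens(sk: bytes, msg: bytes):
    return [obfuscate(blind(sk, t), i) for i, t in enumerate(tokenize(msg))]

def find_flag_start(oracle, observed, prefix=b"CTF{", alphabet="0123456789abcdef"):
    """Find prefix + unknown hex chars using only the blinding oracle."""
    unknown = WINDOW - len(prefix)
    for tail in itertools.product(alphabet, repeat=unknown):
        guess = prefix + "".join(tail).encode()
        blinded = oracle(guess)              # one oracle query per candidate
        for i, tok in enumerate(observed):   # flag offset unknown: try every index
            if obfuscate(blinded, i) == tok:
                return i, guess
    return None

def demo():
    sk = os.urandom(32)  # constructed key, never handed to the search
    # Constructed 64-hex-digit body, not a real digest.
    flag = b"CTF{" + b"0a1f" + b"c3" * 30 + b"}"
    msg = b"hello, the flag is " + flag  # constructed message
    observed = compute_obfuscated_tokens(sk, msg)
    return find_flag_start(lambda t: blind(sk, t), observed), msg

if __name__ == "__main__":
    (index, block), _ = demo()
    print(index, block)
```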

#### Appendix:

This question is really interesting. Thanks to Ephvuln a lot!!!

I am honored to help him revise the blasting complexity of ASCII in the paper.