404CTF — La Seine

Challenge

Solution

The output gives us two signatures. For the second one we know both the input message (which we can split into $x_0$, $y_0$) and $k$. Our first goal is therefore to recover $a$ and $b$ given $k$, $x_0$, $y_0$, and $p$.

The loop runs $k$ times, applying the same linear recurrence at each step. Writing out the first few iterations:

$$\begin{align*} x_1 &= ax_0 + by_0 \pmod{p}\\ y_1 &= bx_0 - ay_0 \pmod{p} \end{align*}$$ $$\begin{align*} x_2 &= ax_1 + by_1 = a(ax_0 + by_0) + b(bx_0 - ay_0) = (a^2 + b^2)x_0 \pmod{p}\\ y_2 &= bx_1 - ay_1 = b(ax_0 + by_0) - a(bx_0 - ay_0) = (a^2 + b^2)y_0 \pmod{p} \end{align*}$$ $$\begin{align*} x_3 &= ax_2 + by_2 = a(a^2 + b^2)x_0 + b(a^2 + b^2)y_0 \pmod{p}\\ y_3 &= bx_2 - ay_2 = b(a^2 + b^2)x_0 - a(a^2 + b^2)y_0 \pmod{p} \end{align*}$$

This is a matrix recurrence. Each step applies the matrix $A$:

$$\begin{bmatrix} x_k \\ y_k \end{bmatrix} = A^k \begin{bmatrix} x_0 \\ y_0 \end{bmatrix}, \qquad A = \begin{bmatrix} a & b \\ b & -a \end{bmatrix}$$

Even powers of A

Computing $A^2$:

$$A^2 = \begin{bmatrix} a^2 + b^2 & 0 \\ 0 & a^2 + b^2 \end{bmatrix}$$

$A^2$ is a scalar multiple of the identity. This means every even power is also diagonal:

$$A^{2n} = \begin{bmatrix} (a^2+b^2)^n & 0 \\ 0 & (a^2+b^2)^n \end{bmatrix}$$

Since $k = 929382$ is even, we get directly:

$$\begin{cases} x_k = (a^2+b^2)^{k/2}\, x_0 \pmod{p}\\ y_k = (a^2+b^2)^{k/2}\, y_0 \pmod{p} \end{cases}$$

Recovering $a^2 + b^2$

Isolating $(a^2+b^2)$ from each equation:

$$\begin{cases} (a^2+b^2) = \left(x_k \cdot x_0^{-1}\right)^{(k/2)^{-1}} \pmod{p}\\ (a^2+b^2) = \left(y_k \cdot y_0^{-1}\right)^{(k/2)^{-1}} \pmod{p} \end{cases}$$

Both expressions must agree, which gives us a sanity check. Let $c = a^2 + b^2$.

Solving the Diophantine equation

The remaining problem is finding all pairs $(a, b)$ with $a, b \in [2^{63}+1,\, 2^{64})$ such that $a^2 + b^2 = c$. This is a classical sum-of-two-squares Diophantine equation, solvable with sympy:

You can also verify with WolframAlpha or dcode.fr.

Recovering the flag (odd k case)

The flag was signed with b=1, meaning $k$ is odd. We therefore need the odd-power formula. Computing a few more cases:

$$A^3 = \begin{bmatrix} (a^2+b^2)\,a & (a^2+b^2)\,b \\ (a^2+b^2)\,b & -(a^2+b^2)\,a \end{bmatrix}$$ $$A^5 = \begin{bmatrix} (a^2+b^2)^2 a & (a^2+b^2)^2 b \\ (a^2+b^2)^2 b & -(a^2+b^2)^2 a \end{bmatrix}$$

The general formula for odd $k$ is:

$$A^k = \begin{bmatrix} (a^2+b^2)^{\lfloor k/2 \rfloor} a & (a^2+b^2)^{\lfloor k/2 \rfloor} b \\ (a^2+b^2)^{\lfloor k/2 \rfloor} b & -(a^2+b^2)^{\lfloor k/2 \rfloor} a \end{bmatrix}$$

Setting $I = (a^2+b^2)^{\lfloor k/2 \rfloor}$, the system becomes:

$$\begin{cases} x_k = I\,a\,x_0 + I\,b\,y_0 \pmod{p}\\ y_k = I\,b\,x_0 - I\,a\,y_0 \pmod{p} \end{cases}$$

Solving for $x_0$ by eliminating $y_0$:

$$x_0 = \frac{I\,b\,y_k + I\,a\,x_k}{(Ib)^2 + (Ia)^2} \pmod{p}$$

We then brute-force over all $(a, b)$ pairs from the Diophantine step and over candidate values of $k$ (odd, in the expected range), checking for the flag prefix 404CTF{ in the recovered bytes.

Solve script

Flag: 404CTF{F4u7_p4S_80iR3_l4_t4ss3...}