
Ctf Crypto
Apply competition-grade crypto attack recipes (RSA, ECC, LLL, Coppersmith, padding oracles) when solving CTF challenges or auditing weak custom crypto.
Overview
CTF Crypto is an agent skill for the Ship phase that documents advanced mathematical crypto attacks for CTF challenges and weak implementation review.
Install
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-crypto
What is this skill?
- Table of contents spanning 15+ attack families (isogenies, Pohlig-Hellman, BSGS, LLL, Coppersmith, Manger, LWE CVP, and
- Elliptic curve, RSA, knapsack, quaternion, and GF(2)[x] polynomial tooling patterns
- CTF writeup anchors: LACTF 2026, Nullcon 2026, Google CTF 2017, ASIS 2014, EHAX 2026
- Specialized topics: non-permutation S-box collisions, introspective CRC linear algebra, clock group DLP
- RSA signing bug and padding-oracle attack walkthroughs
- 15+ documented attack sections in the table of contents
- Multiple named CTF event references (LACTF 2026, Nullcon 2026, Google CTF 2017, ASIS 2014, EHAX 2026)
Adoption & trust: 4.5k installs on skills.sh; 2.3k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You face a CTF crypto task or a suspicious custom cipher and do not know which attack (LLL, Coppersmith, oracle, DLP) fits the structure.
Who is it for?
Solo CTF players and security-curious builders who already use Sage or Python for crypto puzzles.
Skip if: Beginners learning AES-GCM for production apps, or teams needing compliance checklists instead of exploit math.
When should I use this skill?
Solving advanced crypto CTF challenges involving RSA, ECC, lattices, oracles, or custom algebraic structures.
What do I get? / Deliverables
You narrow to a documented attack path from the skill’s TOC and implement the corresponding mathematical break strategy.
- Selected attack strategy matched to challenge structure
- Implementation sketch or solver script for the break
- Recovered flag, key, or plaintext in CTF context
Journey fit
Shelved under Ship/security because content is exploit-oriented verification of broken or challenge cryptography—not product ideation or marketing. Security subphase matches mathematical attacks, oracle tricks, and lattice methods used to break implementations in CTF and review contexts.
How it compares
Attack encyclopedia for competitions—not a production cryptography design or key-management skill.
Common Questions / FAQ
Who is ctf-crypto for?
Advanced solo builders solving crypto CTF flags or reviewing intentionally weak crypto constructions with agent assistance.
When should I use ctf-crypto?
During Ship security when dissecting RSA/ECC challenges, lattice problems, padding oracles, or GF(2) polynomial systems—not for everyday app feature work.
Is ctf-crypto safe to install?
Use the Security Audits panel on this Prism page; attack scripts can be dangerous if run against systems you do not own—keep work in isolated CTF environments.
SKILL.md
# CTF Crypto - Advanced Mathematical Attacks

## Table of Contents

- [Elliptic Curve Isogenies](#elliptic-curve-isogenies)
- [Pohlig-Hellman Attack (Weak ECC)](#pohlig-hellman-attack-weak-ecc)
- [Baby-Step Giant-Step for General DLP](#baby-step-giant-step-for-general-dlp)
- [LLL Algorithm for Approximate GCD](#lll-algorithm-for-approximate-gcd)
- [Merkle-Hellman Knapsack Cryptosystem via LLL (ASIS 2014)](#merkle-hellman-knapsack-cryptosystem-via-lll-asis-2014)
- [Coppersmith's Method (Close Private Keys)](#coppersmiths-method-close-private-keys)
- [Coppersmith's Method (Structured Primes, LACTF 2026)](#coppersmiths-method-structured-primes-lactf-2026)
- [Clock Group (x^2+y^2=1 mod p) DLP (LACTF 2026)](#clock-group-x2y21-mod-p-dlp-lactf-2026)
- [Quaternion RSA](#quaternion-rsa)
- [Polynomial Arithmetic in GF(2)\[x\]](#polynomial-arithmetic-in-gf2x)
- [RSA Signing Bug](#rsa-signing-bug)
- [Non-Permutation S-box Collision Attack (Nullcon 2026)](#non-permutation-s-box-collision-attack-nullcon-2026)
- [Polynomial CRT in GF(2)\[x\] (Nullcon 2026)](#polynomial-crt-in-gf2x-nullcon-2026)
- [Manger's RSA Padding Oracle Attack (Nullcon 2026)](#mangers-rsa-padding-oracle-attack-nullcon-2026)
- [LWE Lattice Attack via CVP (EHAX 2026)](#lwe-lattice-attack-via-cvp-ehax-2026)
- [Affine Cipher over Non-Prime Modulus (Nullcon 2026)](#affine-cipher-over-non-prime-modulus-nullcon-2026)
- [Introspective CRC via GF(2) Linear Algebra (Google CTF 2017)](#introspective-crc-via-gf2-linear-algebra-google-ctf-2017)
- [Baby-Step Giant-Step for Sparse/Low Hamming Weight Exponents (SEC-T CTF 2017)](#baby-step-giant-step-for-sparselow-hamming-weight-exponents-sec-t-ctf-2017)
- [Hensel's Lemma: Polynomial Root Lifting mod p^k (CONFidence CTF 2019 Teaser)](#hensels-lemma-polynomial-root-lifting-mod-pk-confidence-ctf-2019-teaser)

---

## Elliptic Curve Isogenies

Isogeny-based crypto challenges are often **graph traversal problems in disguise**:

**Key concepts:**
- j-invariant uniquely identifies curve isomorphism class
- Curves connected by isogenies form a graph (often tree-like)
- Degree-2 isogenies: each node has ~3 neighbors (2 children + 1 parent)

**Modular polynomial approach:**
- Connected j-invariants j₁, j₂ satisfy Φ₂(j₁, j₂) = 0
- Find neighbors by computing roots of Φ₂(j, Y) in the finite field
- Much faster than computing actual isogenies

**Pathfinding in isogeny graphs:**
```python
import random

# Height estimation via random walks to leaves
def estimate_height(j, neighbors_func, trials=100):
    min_depth = float('inf')
    for _ in range(trials):
        depth, curr = 0, j
        while True:
            nbrs = neighbors_func(curr)
            if len(nbrs) <= 1:  # leaf node
                break
            curr = random.choice(nbrs)
            depth += 1
        min_depth = min(min_depth, depth)
    return min_depth

# Find path between two nodes via LCA
def find_path(start, end, path_up):
    # path_up(node) is assumed to return [node, parent, ..., root]
    # Ascend from both nodes tracking heights
    up_start, up_end = path_up(start), path_up(end)
    height_in_end = {node: i for i, node in enumerate(up_end)}
    # Find least common ancestor
    for i, node in enumerate(up_start):
        if node in height_in_end:
            # Concatenate: path_up(start) + reversed(path_up(end))
            return up_start[:i + 1] + up_end[:height_in_end[node]][::-1]
    raise ValueError("start and end do not share an ancestor")
```

**Complex multiplication (CM) curves:**
- Discriminant D = f² · D_K where D_K is the fundamental discriminant
- Conductor f determines tree depth
- Look for special discriminants: -163, -67, -43, etc. (class number 1)

## Pohlig-Hellman Attack (Weak ECC)

For elliptic curves with smooth order (many small prime factors):

```python
from sage.all import *
from sympy.ntheory.modular import crt

# p, a, b (curve parameters), G (base point) and P (target point)
# are given by the challenge.

# Factor curve order
E = EllipticCurve(GF(p), [a, b])
n = E.order()
factors = factor(n)

# Solve DLP in each small subgroup
partial_logs = []
for (prime, exp) in factors:
    # Compute subgroup generator
    cofactor = n // (prime ** exp)
    G_sub = cofactor * G
    P_sub = cofactor * P  # Target point

    # Solve small DLP (operation='+' because curve points form an additive group)
    d_sub = discrete_log(P_sub, G_sub, ord=prime**exp, operation='+')
    partial_logs.append((d_sub, prime**exp))

# Combine with CRT (plain ints for sympy)
moduli = [int(m) for (_, m) in partial_logs]
residues = [int(r) for (r, _) in partial_logs]
private_key, _ = crt(moduli, residues)
```
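
The review-side counterpart of the Pohlig-Hellman section, as an added example that is not part of the original SKILL.md: Pohlig-Hellman's cost is dominated by the largest prime factor q of the group order (about √q group operations), so this check trial-factors an order and reports the upper bound on generic-DLP security it leaves. The function names and the sample orders are constructed for illustration.

```python
import math

def trial_factor(n, bound=1 << 16):
    """Strip prime factors below `bound`; return ({prime: exp}, cofactor)."""
    factors, d = {}, 2
    while d < bound and d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1 and d * d > n:  # no divisor up to sqrt(n): the remainder is prime
        factors[n] = 1
        n = 1
    return factors, n

def audit_order(n, bound=1 << 16):
    """Upper-bound the generic-DLP security (in bits) a group order n allows."""
    factors, cofactor = trial_factor(n, bound)
    # The largest prime factor is at most max(known primes, unfactored cofactor).
    largest = max(list(factors) + [cofactor])
    return {
        "order_bits": n.bit_length(),
        "factors": factors,
        "cofactor": cofactor,  # 1 means the order was fully factored
        "max_security_bits": 0.5 * math.log2(largest),
    }

# Constructed sample orders (not taken from any real curve or challenge).
SAMPLES = {
    "smooth": 2**12 * 3**9 * 5**6 * 7**4 * 1009 * 10007,
    "small subgroups + big prime": 2**4 * 3 * (2**61 - 1),
    "prime": 2**127 - 1,
}

if __name__ == "__main__":
    for name, order in SAMPLES.items():
        r = audit_order(order)
        print(f"{name}: {r['order_bits']}-bit order, "
              f"at most {r['max_security_bits']:.1f} bits of DLP security")
```

The bit length of the order says little on its own: the smooth sample is a large number yet leaves under 7 bits of security, which is why curve parameters are chosen with prime (or near-prime) order.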