Advanced Cryptography
Beyond classical ciphers, modern crypto breaks because of how it is implemented, not because of the math itself. You will factor RSA moduli with Pollard's p-1 and shared-prime GCDs, mount differential power-analysis attacks on AES, exploit nonce reuse in ECDSA, and apply lattice reduction to recover secrets from too few shares. This path assumes you are comfortable with encoding, hashing, and basic RSA.
- Step 01
RSA Factoring Attacks
Textbook RSA is secure; the implementations in CTFs are not. These challenges exploit specific structural weaknesses: a tiny exponent that lets you take a plain cube root, a smooth p-1 that falls to Pollard's algorithm, a leaked sum and product of the primes, and moduli that share a prime factor recoverable by GCD.
- Step 02
Broken Key Generation and Recovery
When key generation uses bad randomness or the key file is partially corrupted, the private key becomes recoverable. These challenges make you exploit a weak exponent choice, reconstruct a damaged RSA key from its intact fields and the CRT relationships, and rebuild missing prime factors from partial data.
- Step 03
Symmetric and Mode Attacks
Symmetric crypto fails when a mode is misused. AES-ABC chains blocks in a broken way you can unwind, Double DES collapses to a meet-in-the-middle search, ChaCha Slide loses integrity when you tamper with a Poly1305 ciphertext, and XtraORdinary falls to the parity property of repeated XOR.
- Step 04
Side-Channel and Oracle Attacks
You do not always attack the algorithm directly. Power analysis correlates simulated power traces against predicted SubBytes outputs to recover an AES key byte by byte, a compression oracle leaks plaintext through ciphertext length, and a biased ECDSA nonce gives up the private key across signatures.
- Step 05
Lattices and Advanced Number Theory
The hardest crypto challenges reach for heavier mathematics. You reconstruct secrets from partial outputs with the Chinese Remainder Theorem and polynomial interpolation, tame fast-growing sequences with matrix exponentiation, and apply lattice-based attacks to recover a Shamir secret from insufficient shares.