$ cat writeup.md…
$ cat writeup.md…
umdctf
Task: a rank-metric crypto challenge leaks the Moore evaluation points, knot matrix, and shuttle matrix over GF(2^43), while the ciphertext is masked by a bounded-rank error. Solution: convert the received vector into a Gabidulin codeword, decode it with linearized interpolation, recover the secret, derive the AES-GCM key, and decrypt the vault.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
No organizer description was included in the provided workspace files.
English summary: the handout gives a field construction over GF(2^43), a leaked Moore-code structure (pegs, knot, shuttle), a noisy linear combination called bolt, and an AES-GCM-encrypted vault. The goal is to recover the hidden secret vector well enough to derive the AES key and decrypt the flag.
Reading chall.sage shows that the challenge works in GF(2^43) with modulus:
x^43 + x^21 + x^3 + x + 1
The public code parameters are K = 8 and N = 40. The script samples N independent field elements called pegs and builds the K x N Moore matrix
loom[j, i] = pegs[i]^(2^j)
Then it samples an invertible knot, a structured invertible shuttle, and defines
warp = knot * loom * shuttle^{-1} bolt = secret * warp + frays
The important leak is that knot and shuttle are both given to us, along with the original pegs. That means we can rewrite the received value into the natural Gabidulin code domain. Multiplying on the right by shuttle gives
y = bolt * shuttle = (secret * knot) * loom + frays * shuttle = t * loom + e
where t = secret * knot and e = frays * shuttle.
Now the structure of the error matters. In the generator, frays is built from a rank-<= 5 binary matrix, so its GF(2)-rank is at most 5. Also, every entry of shuttle lies in the GF(2)-span of only 3 leaked fibers, so multiplying by shuttle can enlarge the error support by at most a factor of 3. Therefore:
rank_GF(2)(e) <= 5 * 3 = 15
...
$ grep --similar