[crypto] DiceCTF 2026 - carry-the-flame Write-up
[+] Local verification passed!
[+] Server: flag: dice{t0g3th3r_br0k3n_4ab93cd2e17}Implementation NotesTwo main scripts were used.1. GPU CUDA Brute ForceThis solver included:a CUDA kernel using a 1280-entry SP lookup table in shared memorya brute_multi kernel that checked each candidate key against multiple ciphertexts at onceCuPy for compilation and kernel launchingThreadPoolExecutor for parallel PoW solvingThis was the script that recovered the flag fastest.2. Slide Attack SolverThis solver included:an incremental hash-join approachX_map keyed by Pi⊕CiP_i \oplus C_iPi⊕CiY_map keyed by D(Pi)⊕D(Ci)D(P_i) \oplus D(C_i)D(Pi)⊕D(Ci)bidirectional collision checks for early stopping2000-block batching to reduce query countThis was the script that best explained the structural weakness of the cipher.Lessons LearnedThis challenge is a good reminder that a cipher can fail in more than one way at the same time.1. Reusing the same round key is dangerousOnce every round becomes identical, the cipher starts exposing structural regularities. That is exactly the setting where slide attacks become viable.2. More rounds do not automatically mean more security“1024 rounds” sounds strong, but repetition without variation can be worse than a smaller number of well-designed rounds.3. A 40-bit key is no longer meaningful protectionEven if the cipher had not been vulnerable to a slide attack, the key space was simply too small. With GPU acceleration, brute force was already practical.4. The best theoretical attack is not always the best practical attackThe slide attack was the more elegant break.The GPU brute force was the faster one.That contrast is what made this challenge especially satisfying.Final Flagdice{t0g3th3r_br0k3n_4ab93cd2e17}