Attachmentscrypto - 2064 solves

Provable security just gives you this warm fuzzy feeling of cryptography you can rely on.


4 hours


We have the flag encrypted by ECB mode, and the service provide us an encryption/decryption oracle in OCB mode.



  1. Construct some plain/ciphertext pair.
  2. Forge last block and tag.
  3. Decrypt the flag.

The task download code of ocb from here But the download link in their website is not the same. Also, the algorithm in the code is different from what their FAQ says.

So, what's wrong?

It turns out that the code is actually OCB2, and an attack on it was just published recently.

Using the method in the paper, we can decrypt the flag.

Here's the script.