**Author's Solve**

This is an ElGamal signature scheme. The message needs to be hashed before it is signed with this system; unfortunately, that was not done in this case. A second mistake is that a `MASK` is applied to make the signature a certain size, but the `MASK` is applied only after the contents of the message are checked. Therefore, you can place your message in the parts that will be masked out.

Together, these let you do a one-parameter existential forgery for the given public key and get past the checking system. Usually, in a one-parameter existential forgery, the message is predetermined by the calculations involved (see `https://en.wikipedia.org/wiki/ElGamal_signature_scheme#Existential_forgery` for the calculations). But, because of the `MASK`, it is easier to fool the system.

After submitting a forged signature, you get the flag from the server.

For the script implementation, please check out `solution.py`.
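To see why the missing hash matters, the following added example (not the challenge's code and not the author's `solution.py`) runs the textbook one-parameter forgery against a toy verifier and shows that the same triple is rejected once the verifier hashes the message first. The parameters `P` and `G` and all function names are constructed for illustration, and the challenge's `MASK` step is not modelled.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumptions, not the challenge's values).
P = 2**127 - 1          # a Mersenne prime
G = 3                   # base; the identities below hold for any base

def keygen():
    x = secrets.randbelow(P - 3) + 2            # private key in [2, P-2]
    return x, pow(G, x, P)                      # (private x, public y)

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)

def sign(value: int, x: int):
    """Textbook ElGamal signature over an integer reduced mod P-1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) != 1:                  # k must be invertible mod P-1
            continue
        r = pow(G, k, P)
        s = (value - x * r) * pow(k, -1, P - 1) % (P - 1)
        if s:
            return r, s

def verify(value: int, r: int, s: int, y: int) -> bool:
    if not (0 < r < P and 0 < s < P - 1):       # range checks on (r, s)
        return False
    return pow(G, value, P) == pow(y, r, P) * pow(r, s, P) % P

def verify_raw(m: int, r: int, s: int, y: int) -> bool:
    """Weak form: the message integer is used directly, with no hash."""
    return verify(m % (P - 1), r, s, y)

def verify_hashed(msg: bytes, r: int, s: int, y: int) -> bool:
    """Hardened form: hash-then-sign, so the verifier checks H(msg)."""
    return verify(digest(msg), r, s, y)

def forge_one_parameter(y: int):
    """Public key only: r = g^e * y, s = -r, m = e*s (all mod P-1 or P)."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        r = pow(G, e, P) * y % P
        s = -r % (P - 1)
        if s:                                   # s == 0 would fail the range check
            return e * s % (P - 1), r, s        # m is dictated by the maths
```

The forged `m` is whatever the calculation produces, which is why the raw verifier is only existentially forgeable; with hash-then-sign the forger would need a message whose digest equals that `m`.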

Original writeup (https://github.com/victini-lover/CSAW-Quals-2021-Writeups/tree/main/Forgery).