Help!!! Our Crypto guy left in a furious rage and deleted our company private key and part of our signatures! We use that key to sign all of our important documents and such. This should be enough information for you to figure it out:
Curve: NIST256P
HASH: SHA256
Generator X: 48439561293906451759052585252797914202762949526041747995844080717082404635286
Generator Y: 36134250956749795798585127919587881956611106672985015071877198253568414405109
Group Order: 115792089210356248762697446949407573529996955224135760342422259061068512044369
Point X: 62642270921362628024101430148161419180734994811675578761489832783807341294140
Point Y: 620508080568073990375228521563014425211330352832293590138091382461067773777I was also told the following gobblygook may be helpful.
โโ-BEGIN PUBLIC KEYโโ-
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEin5E1fIJtTJ4ICIZ4leN0kT+QguW
zDv6xizjvWTqcjwBXzHz49NVqrXR1Be16ceYRgtW7iGx1ifF135T0E1HUQ==
โโ-END PUBLIC KEYโโ-Also so you can see some examples of our signaturesโฆ he always was yelling something about incrementing a value.
Message 1: "We are not uncertain with the vote."
Signature 1: (5469004757321565031662176892324365988603823594146568468219498508892601371422, 79937836276667565200355044792462693868454270095571952117096182814592269649296)Message 2: "We are uncertain with the vote."
Signature 2: (???, 30705201908992384075889316247635358307738190041386759684653850381547740770548)(just give private key in decimal)
First off, this challenge is about ECC (Elliptic Curve Cryptography). If you aren't familiar with that, read this. It's one of the best primers on the subject, and the third post specifically talks about the scheme this challenge uses: ECDSA.
This challenge uses a standard curve and hash, so we know those are safe. It also specifies a generator point and group order. Finally it gives the coordinates of a public key, which matches the decoded 'gobblygook'. Let's call the generator G
, the public point H
, and the private key d
. To summarize, H = d*G
.
We also have two ECDSA signatures (r1, s1), (r2, s2)
, but the second signature's r2
value is redacted. If you read the description carefully, you'll notice this part: "he always was yelling something about incrementing a value." One idea I had was that this referred to incrementing the nonce k
.
If the first signature uses nonce k
, we can check if the second signature uses nonce k+1
by lifting r1
to the point P
and adding G
to it. That point's x-coordinate should be r2
, and sure enough verifying (r2, s2)
as a signature works.
Cool, so we know all of the values as well as their relationships. Something that should stand out is the fact that the nonces are incremented. ECDSA dictates that nonces should be randomly generated, which is obviously not the case here. So how do we exploit that?
One thing you should have read about in the ECDSA post was the danger of repeating nonces. Specifically, we can take two signatures that use the same nonce and learn k
. This in turn fully leaks the private key d
.
Can we do something analogous with k
and k+1
? Some algebra will do the trick:
A full solve script: