After the competition ended, I found out through the Discord channel that the code was an implementation of Eaglesign(seems not exactly same), and that there is a paper on attacks related to it.

Most of the solvers, aside from myself, seem to have either referenced the paper or figured out a similar method on their own to solve it.

Even though I only added a very short explanation along with my solver code on Discord channel, I sincerely thank @vishiswoz and @Neobeo for sharing their interpretations of my solution.

@vishiswoz's interpretation

@Neobeo's interpretation

Challenge

N = 1024, q = 12289
Key generation
- Private keys (
  $G, D$ ) are randomly generated polynomial on Quotient Ring
  $Z_{q} [x] / x^{N} + 1$
  - coefficients must be {-1, 0, 1}.
  - $G$ must be invertible.
- Public key
  $A$ is randomly generated polynomial on same Quotient Ring
- Public key
  $E = (A + D) G^{- 1}$
Sign
- Generate
  $Y 1, Y 2$ randomly
  - $Y 1$ has 140 nonzero coefficients, which are -1 or 1
  - $Y 2$ has bounded coefficients which absolute max are 64
- $P = A Y 1 + Y 2$ ,
  $r = H (P)$
- Generate
  $C$ with given message and
  $r$
  - $C$ has 38 nonzero coefficients, which are -1 or 1
- $U = Y 1 + C$
- $V = G U$ ,
  $W = Y 2 - D U$
- Signature is
  $(r, V, W)$
Verify
- Generate
  $C$ with given message and
  $r$ (same as Sign)
- $Z = E V - A C + W$
  - $E V - A C + W = E G U - A C + W = (A + D) U - A C + Y 2 - D U = A (U - C) + Y 2 = P$
- Check
  $r$ equals
  $H (Z)$
Keys are generated and public Keys are given when code starts.
We can sign for any message with no limit, and we need
$D$ for get the flag.

My approach

$G^{- 1} = (Y 1 + C) V^{- 1}$ (
$∵ V = G U = G (Y 1 + C)$ )
So,
$(Y 1_{i} + C_{i}) V_{i}^{- 1} = (Y 1_{0} + C_{0}) V_{0}^{- 1}$ for every signature.
We can express every
$Y 1_{i}$ as form
$A_{i} (Y 1_{0}) + B_{i}$
- $A_{i} = V_{i} V_{0}^{- 1}$
- $B_{i} = A_{i} C_{0} - C_{i}$

Building equation

Let
$A_{i} = \sum_{k = 0}^{N - 1} a_{i, k} x^{k}$ ,
$B_{i} = \sum_{k = 0}^{N - 1} b_{i, k} x^{k}$ ,
$Y 1_{i} = \sum_{k = 0}^{N - 1} c_{i, k} x^{k}$
- $x^{j} A_{i} = \sum_{k = 0}^{j - 1} - a_{i, N - j + k} x^{k} + \sum_{k = j}^{N - 1} a_{i, k - j} x^{k}$
$Y 1_{i} = A_{i} Y 1_{0} + B_{i} = \sum_{j = 0}^{N - 1} c_{0, j} (x^{j} A_{i}) + B_{i}$
Therefore, we can express it as Matrix equation below:

$(\begin{matrix} a_{i, 0} & - a_{i, N - 1} & - a_{i, N - 2} & \dots & - a_{i, 1} \\ a_{i, 1} & a_{i, 0} & - a_{i, N - 1} & \dots & - a_{i, 2} \\ a_{i, 2} & a_{i, 1} & a_{i, 0} & \dots & - a_{i, 3} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ a_{i, N - 1} & a_{i, N - 2} & a_{i, N - 3} & \dots & a_{i, 0} \end{matrix}) (\begin{matrix} c_{0, 0} \\ c_{0, 1} \\ c_{0, 2} \\ ⋮ \\ c_{0, N - 1} \end{matrix}) + (\begin{matrix} b_{0, 0} \\ b_{0, 1} \\ b_{0, 2} \\ ⋮ \\ b_{0, N - 1} \end{matrix}) = (\begin{matrix} c_{i, 0} \\ c_{i, 1} \\ c_{i, 2} \\ ⋮ \\ c_{i, N - 1} \end{matrix})$
Let matrix
$M_{i} = (\begin{matrix} a_{i, 0} & - a_{i, N - 1} & - a_{i, N - 2} & \dots & - a_{i, 1} \\ a_{i, 1} & a_{i, 0} & - a_{i, N - 1} & \dots & - a_{i, 2} \\ a_{i, 2} & a_{i, 1} & a_{i, 0} & \dots & - a_{i, 3} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ a_{i, N - 1} & a_{i, N - 2} & a_{i, N - 3} & \dots & a_{i, 0} \end{matrix}) = (\begin{matrix} | & | & | & | \\ \vec{v_{i, 0}} & \vec{v_{i, 1}} & \vec{v_{i, 2}} & \dots & \vec{v_{i, N - 1}} \\ | & | & | & | \end{matrix})$
Let vectors
$\vec{y_{i}} = (\begin{matrix} c_{i, 0} \\ c_{i, 1} \\ c_{i, 2} \\ ⋮ \\ c_{i, N - 1} \end{matrix})$ ,
$\vec{b_{i}} = (\begin{matrix} b_{0, 0} \\ b_{0, 1} \\ b_{0, 2} \\ ⋮ \\ b_{0, N - 1} \end{matrix})$
So we can express equation above as below:

$\sum_{j = 0}^{N - 1} c_{0, j} \vec{v_{i, j}} + \vec{b_{i}} = \vec{y_{i}}$
Since Y1 has 140 nonzero coefficients which are -1 or 1, sum of square of coefficients equals 140, so
$\vec{y_{i}} \cdot \vec{y_{i}} = 140$ . It leads to equation below:

$\vec{y_{i}} \cdot \vec{y_{i}} = (\sum_{j = 0}^{N - 1} c_{0, j} \vec{v_{i, j}} + \vec{b_{i}}) (\sum_{j = 0}^{N - 1} c_{0, j} \vec{v_{i, j}} + \vec{b_{i}})$

$= \sum_{0 \leq j, k < N} (\vec{v_{i, j}} \cdot \vec{v_{i, k}}) c_{0, j} c_{0, k} + 2 \sum_{j = 0}^{N - 1} (\vec{v_{i, j}} \cdot \vec{b_{i}}) c_{0, j} + (\vec{b_{i}} \cdot \vec{b_{i}}) = 140$

Linearization & reduce unknown variables

By linearization, we can treat equation above as linear equation of
$((\binom{N}{2}) + N) + N = N (N + 3) / 2$ unknown variables.
But we can reduce
$(\binom{N}{2}) + N$ unknown variables into
$N$ , because they shares same coefficients!
$\vec{v_{i, k}}$ expresses coefficients of
$x^{j} A_{i}$ as we announced ealier.
Let
$R = (\begin{matrix} 0 & 0 & \dots & 0 & - 1 \\ 1 & 0 & \dots & 0 & 0 \\ 0 & 1 & \dots & 0 & 0 \\ ⋮ & ⋮ & ⋱ & ⋮ & ⋮ \\ 0 & 0 & \dots & 1 & 0 \end{matrix})$ then
$R^{T} R = I$ ,
$\vec{v_{i, j}} = R^{j} \vec{v_{i, 0}}$
- be used to express the multiplication of
  $x$ .
$\vec{v_{i, j}} \cdot \vec{v_{i, k}} = (R^{j} \vec{v_{i, 0}})^{T} (R^{j} \vec{v_{i, k - j}}) = {\vec{v_{i, 0}}}^{T} (R^{j})^{T} (R^{j}) \vec{v_{i, k - j}} = \vec{v_{i, 0}} \cdot \vec{v_{i, k - j}}$
So, a lot of terms sharing same coefficients
$(\vec{v_{i, 0}} \cdot \vec{v_{i, j}})$ .
Therefore, we can express equation above as below:

$\vec{y_{i}} \cdot \vec{y_{i}} = \sum_{j = 0}^{N - 1} (\vec{v_{i, 0}} \cdot \vec{v_{i, j}}) c_{0, j}^{'} + 2 \sum_{j = 0}^{N - 1} (\vec{v_{i, j}} \cdot \vec{b_{i}}) c_{0, j} + (\vec{b_{i}} \cdot \vec{b_{i}}) = 140$
We can treat equation above as linear equation of
$N + N = 2 N$ unknown variables

Efficient calculation

If
$f = \sum_{i = 0}^{N - 1} a_{i} x^{i}$ , let
$f^{*} = \sum_{i = 0}^{N - 1} a_{N - 1 - i} x^{i}$
Let
$f = \sum_{i = 0}^{N - 1} a_{i} x^{i}$ ,
$g = \sum_{i = 0}^{N - 1} b_{i} x^{i}$ . Then
$\sum_{i = 0}^{N - 1} a_{i} b_{i}$ equals coefficient of term
$x^{N - 1}$ in
$f g^{*}$
$\vec{v_{i, j}} \cdot \vec{v_{i, 0}}$ equals coefficient of term
$x^{N - 1}$ in
$x^{j} A_{i} A_{i}^{*}$ , which is also coefficient of term
$x^{N - 1 - j}$ in
$A_{i} A_{i}^{*}$
As same reason,
$\vec{v_{i, j}} \cdot \vec{b_{i}}$ equals coefficient of term
$x^{N - 1 - j}$ in
$A_{i} B_{i}^{*}$
Therefore, we can
$2 N$ coefficients for linear equation by calculating
$A_{i} A_{i}^{*}$ and
$A_{i} B_{i}^{*}$
It reduces time for running solution
$O (N^{3})$ to
$O (N^{2} \log N)$

Implementation

import os;os.environ["TERM"] = 'linux'
from pwn import *
from ntt import NTTDomain, NTTPoints
import hashlib
from tqdm import trange

#r = process(["python", "challenge.py"])
r = remote("54.78.163.105", "30859")

N, Q, W, P = 1024, 12289, 4324, 9389
PR.<x_> = PolynomialRing(GF(Q))
QR.<x> = PR.quotient(x_^N + 1)

def l2p(A):
    t = []
    while A:
        t.append(A % Q)
        A //= Q
    return QR(t)

def HashBall(m: bytes, tau: int) -> list:
    """ Deterministically generates sparse polynomials with weight tau. """
    if isinstance(m, str):
        m = m.encode()
    h = hashlib.sha256(m).digest()
    c = N * [0]
    for i in range(N - tau, N):
        hi = int(hashlib.sha256(h + i.to_bytes(2, 'big')).hexdigest(), 16)
        hi //= i; j = hi % i; hi //= i
        hi //= 2; k = hi % 2; hi //= 2
        c[i] = c[j]
        c[j] = (1 - 2 * k) % Q
    return c

def ntt(c):
    c = QR(c).lift()
    return QR([c(P * pow(W, i, Q)) for i in range(N)])

def intt(c):
    c = QR(c).lift()
    c = [c(pow(W, -i, Q)) * pow(N, -1, Q) for i in range(N)]
    c = [c[i] * pow(P, -i, Q) for i in range(N)]
    return QR(c)



r.recvuntil(b'= ')
data = eval(r.recvline().decode())
A = intt(l2p(int(data["A"], 16)))
E = intt(l2p(int(data["E"], 16)))


def get_sig(msg):
    r.recvuntil(b'|  Sig = ')
    sig = eval(r.recvline()[:-1].decode())
    sig_r = bytes.fromhex(sig["r"])
    sig_V = intt(l2p(int(sig["V"], 16)))
    sig_W = intt(l2p(int(sig["W"], 16)))
    sig_C = QR(HashBall(msg + sig_r, 38))
    sig_P = E * sig_V - A * sig_C + sig_W
    sig_Pint = sum([ZZ(j) * Q ** i for i,j in enumerate(ntt(sig_P).list())])
    sig_Pbyt = sig_Pint.to_bytes(-(-len(bin(sig_Pint)[2:]) // 8), 'big')
    assert sig_r == hashlib.sha256(sig_Pbyt.hex().encode()).digest()
    return sig_r, sig_V, sig_W, sig_C, sig_P

def send_n(msg, n):
    payload = b'S\n' + msg + b'\n'
    r.send(payload * n)

    

rs, Vs, Ws, Cs, Ps = [], [], [], [], []
m = 2 * N + 100
send_n(b'asdf', m)
for i in trange(m):
    r0, V0, W0, C0, P0 = get_sig(b'asdf')
    rs.append(r0)
    Vs.append(V0)
    Ws.append(W0)
    Cs.append(C0)
    Ps.append(P0)
As, Bs = [QR(1)], [QR(0)]
for i in trange(1, m):
    As.append(Vs[i] / Vs[0])
    Bs.append(Vs[i] / Vs[0] * Cs[0] - Cs[i])

M = []
for i in trange(m):
    Av = list(As[i]) + list(-As[i])
    Bv = list(Bs[i])
    coeff = list(As[i] * QR(list(As[i])[::-1]))[::-1]
    coeff += list(As[i] * QR(list(Bs[i])[::-1]))[::-1]
    #coeff.append(vector(Bs[i]) * vector(Bs[i]))
    M.append(coeff)

M = Matrix(GF(Q), M)
target_v = vector(GF(Q), [140 - vector(Bs[i]) * vector(Bs[i]) for i in trange(m)])
x = M.solve_right(target_v)
Y1_0 = QR(list(x[N:])) / 2
U_0 = Y1_0 + Cs[0]
G = Vs[0] / U_0
D = E * G - A

sig_Dint = sum([ZZ(j) * Q ** i for i,j in enumerate(ntt(D).list())])
sig_Dbyt = sig_Dint.to_bytes(-(-len(bin(sig_Dint)[2:]) // 8), 'big')
r.sendlineafter(b'> ', b'c')
r.sendlineafter(b') ', sig_Dbyt.hex().encode())
r.interactive()

Is it useful?

I'm personally curious whether this approach can be useful for any other signature/encryption schemes that operate over quotient rings as well.

(Although it doesn't seem to work with the original Eaglesign, where

G

is a matrix not a ring element.)

At least, we should construct 2N equations

A_{i} X + B_{i} = Y_{i}

, where

X

is unknown, and the sum of the squared coefficients of

Y_{i}

is known.

(For example, we know number of nonzero coefficients and they must be -1 or 1)