# CryptoCTF 2021 | Challenge | Category | Solved by | | -------- | --------- | ---------- | | Wolf | AES-GCM | dd | | Frozen | Signature Schemes | dd | | A | B | C | <!-- Template for writeup --> ## Challenge Name ##### Score ### Challenge ### Solution ##### Flag ## Wolf ##### 128 points ### Challenge When we connect to the server, it chooses a random length `niv` between 1 and 11, and a random nonce of that length. We can request the flag encrypted using AES-GCM with the key `HungryTimberWolf` and that IV, and ask for the server to encrypt our input with the same parameters. ~~~ #!/usr/bin/env python3 from Cryptodome.Cipher import AES import os, time, sys, random from flag import flag passphrase = b'HungryTimberWolf' def encrypt(msg, passphrase, niv): msg_header = 'EPOCH:' + str(int(time.time())) msg = msg_header + "\n" + msg + '=' * (15 - len(msg) % 16) aes = AES.new(passphrase, AES.MODE_GCM, nonce = niv) enc = aes.encrypt_and_digest(msg.encode('utf-8'))[0] return enc def die(*args): pr(*args) quit() def pr(*args): s = " ".join(map(str, args)) sys.stdout.write(s + "\n") sys.stdout.flush() def sc(): return sys.stdin.readline().strip() def main(): border = "+" pr(border*72) pr(border, " hi wolf hunters, welcome to the most dangerous hunting ground!! ", border) pr(border, " decrypt the encrypted message and get the flag as a nice prize! ", border) pr(border*72) niv = os.urandom(random.randint(1, 11)) flag_enc = encrypt(flag, passphrase, niv) while True: pr("| Options: \n|\t[G]et the encrypted flag \n|\t[T]est the encryption \n|\t[Q]uit") ans = sc().lower() if ans == 'g': pr(f'| encrypt(flag) = {flag_enc.hex()}') elif ans == 't': pr("| Please send your message to encrypt: ") msg_inp = sc() enc = encrypt(msg_inp, passphrase, niv).hex() pr(f'| enc = {enc}') elif ans == 'q': die("Quitting ...") else: die("Bye ...") if __name__ == '__main__': main() ~~~ ### Solution Since `niv` is uniformly random, in one out of 11 connections the nonce will only be one byte long. If this happens, we can easily bruteforce the encrypted flag: we already know the key, and can try all 256 nonce values to see if one of them gives a plaintext that looks like a flag. A quick Python script collects encrypted flags, which we can dump into a single file to process later: ~~~ #! /usr/bin/env python from pwn import * serv = pwnlib.tubes.remote.remote('01.cr.yp.toc.tf', 27010) serv.sendline('g') serv.sendline('q') for line in serv.recvall().decode('utf-8').split('\n'): if 'encrypt(flag)' in line: print(line.rstrip().split()[-1]) ~~~ The solver isn't much longer: ~~~ #! /usr/bin/env python from Cryptodome.Cipher import AES import binascii def trysolve(line): for iv in range(256): a = AES.new(b'HungryTimberWolf', AES.MODE_GCM, nonce=bytes([iv])) flag = a.decrypt(binascii.unhexlify(line)) if b'CTF' in flag: print(flag) with open('flags.txt', 'r') as f: for line in f.readlines(): if not line.startswith('['): trysolve(line.rstrip()) ~~~ ##### Flag `CCTF{____w0lveS____c4n____be____dan9er0uS____t0____p3oplE____!!!!!!}` ## Frozen ##### 142 points ### Challenge The server implements a signature scheme where we can get the parameters, the public key, and a signature for one sample message. We have to forge the signature for a second message. The key generation works as follows: * Start with a prime $p$ and random $r$, which we know. We work in $\mathbb{Z}_p$, so everything below is implicitly done modulo $p$. * Pick a random $r$, which we don't know. * Build the array $U_i = r^{i+1}s$. * For the public key $pub$, take $U$ and mask the bottom 32 bits of each element. * The remaining bottom 32 bits of each element are the private key $priv$. To sign a message $M_i$, interpreted as an array of 32-bit integers: * Let $q$ be a prime larger than all elements of $M$. * The signature is $sig_i = M_i priv_i \text{ mod } q$. ``` #!/usr/bin/env python3 from Crypto.Util.number import * from gmpy2 import * import sys, random, string flag = 'fakeflag{}' def genrandstr(N): return ''.join(random.choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(N)) def paramaker(nbit): p = getPrime(nbit) r = getRandomRange(1, p) return p, r def keygen(params, l, d): p, r = params s = getRandomRange(1, p) U = [pow(r, c + 1, p) * s % p for c in range(0,l)] V = [int(bin(u)[2:][:-d] + '0' * d, 2) for u in U] S = [int(bin(u)[2:][-d:], 2) for u in U] privkey, pubkey = S, V return pubkey, privkey def sign(msg, privkey, d): msg = msg.encode('utf-8') l = len(msg) // 4 M = [bytes_to_long(msg[4*i:4*(i+1)]) for i in range(l)] q = int(next_prime(max(M))) sign = [M[i]*privkey[i] % q for i in range(l)] return sign def die(*args): pr(*args) quit() def pr(*args): s = " ".join(map(str, args)) sys.stdout.write(s + "\n") sys.stdout.flush() def sc(): return sys.stdin.readline().strip() def main(): border = "+" pr(border*72) pr(border, " hi young cryptographers, welcome to the frozen signature battle!! ", border) pr(border, " Your mission is to forge the signature for a given message, ready?!", border) pr(border*72) randstr = genrandstr(20) nbit, dbit = 128, 32 params = paramaker(nbit) l = 5 pubkey, privkey = keygen(params, l, dbit) while True: pr("| Options: \n|\t[S]how the params \n|\t[P]rint pubkey \n|\t[E]xample signature \n|\t[F]orge the signature \n|\t[Q]uit") ans = sc().lower() if ans == 's': pr(f'| p = {params[0]}') pr(f'| r = {params[1]}') elif ans == 'p': pr(f'pubkey = {pubkey}') elif ans == 'e': pr(f'| the signature for "{randstr}" is :') pr(f'| signature = {sign(randstr, privkey, dbit)}') elif ans == 'f': randmsg = genrandstr(20) pr(f'| send the signature of the following message like example: {randmsg}') SIGN = sc() try: SIGN = [int(s) for s in SIGN.split(',')] except: die('| your signature is not valid! Bye!!') if SIGN == sign(randmsg, privkey, dbit): die(f'| Congrats, you got the flag: {FLAG}') else: die(f'| Your signature is not correct, try later! Bye!') elif ans == 'q': die("Quitting ...") else: die("Bye ...") if __name__ == '__main__': main() ``` ### Solution If we look at the first element of the signature, we have: $$ sig_0 = M_0 priv_0 \text{ mod } q $$ Since we can compute $q$ (as we know the message $M$), we can find the multiplicative inverse of $M_0$ and recover the first element of the private key modulo $q$: $$ priv_0 = M_0^{-1} sig_0 \text{ mod } q $$ The real private key is 32 bits long, and $q$ is around $2^{30}$, so around one try in four this will be the real value of $priv_0$. If this doesn't work, we can proceed by trying $M^0{-1} sig_0 + kq$ for increasing values of $k$, and will recover the correct $priv_0$ in a few tries. For each candidate value, we can combine it with $pub_0$ to get $U_0 = rs$. Since we know $r$, we have $s = U_0 r^{-1}$ (in $\mathbb{Z}_p$), which we can use to re-generate the entire public and private key and see if the public key matches the one we were given. Once we find one that does, all that's left is to use the provided signing function to forge the signature. Here is a hacky script written during the CTF -- it doesn't work properly when the recovered $priv_0$ is wrapped by the modulus, but that just means we need to run it a few times to get the flag: ~~~ #! /usr/bin/env python from pwn import * from Crypto.Util.number import * from gmpy2 import * l = 5 def keygen(params, l, d, s): p, r = params U = [pow(r, c + 1, p) * s % p for c in range(0,l)] V = [int(bin(u)[2:][:-d] + '0' * d, 2) for u in U] S = [int(bin(u)[2:][-d:], 2) for u in U] privkey, pubkey = S, V return pubkey, privkey def sign(msg, privkey, d): msg = msg.encode('utf-8') l = len(msg) // 4 M = [bytes_to_long(msg[4*i:4*(i+1)]) for i in range(l)] q = int(next_prime(max(M))) sign = [M[i]*privkey[i] % q for i in range(l)] return sign def break_key(p, r, pubkey, msg, sig): q = int(next_prime(max(msg))) pk0_base = (sig[0] * pow(msg[0], -1, q)) % q print(pk0_base, sig[0], pow(msg[0], -1, q)) for pk0 in range(pk0_base, q, 2**32): rs = pubkey[0] + pk0 s = (rs * pow(r, -1, p)) % p outpub, outpriv = keygen((p, r), 5, 32, s) print(pubkey, outpub) if outpub == pubkey: return outpub, outpriv raise Exception("Could not find key!") serv = pwnlib.tubes.remote.remote('03.cr.yp.toc.tf', 25010) #serv = pwnlib.tubes.process.process('./frozen.py') serv.recvuntil('[Q]uit') serv.sendline('s') serv.readline() p = int(serv.readline().rstrip().split()[-1]) r = int(serv.readline().rstrip().split()[-1]) print('p =', p) print('r =', r) serv.recvuntil('[Q]uit') serv.sendline('e') serv.readline() msg_b = serv.recvline().decode('utf-8').split('"')[1] sig = eval(serv.recvline().decode('utf-8').split('=')[1]) # lol msg = [bytes_to_long(msg_b.encode('utf-8')[4*i:4*(i+1)]) for i in range(l)] print('msg =', msg) print('sig =', sig) serv.recvuntil('[Q]uit') serv.sendline('p') serv.readline() pubkey = eval(serv.recvline().decode('utf-8').split('=')[1]) # lol again print('pubkey =', pubkey) pub, priv = break_key(p, r, pubkey, msg, sig) serv.recvuntil('[Q]uit') serv.sendline('f') serv.readline() forge = serv.recvline().rstrip().decode('utf-8').split()[-1] forge_sig = sign(forge, priv, 32) serv.sendline(','.join(str(x) for x in forge_sig)) serv.interactive() ~~~ ##### Flag `CCTF{Lattice_bA5eD_T3cHn1QuE_70_Br34K_LCG!!` ## Ecchimera ##### Points: 271 ### Challenge > The [mixed](https://cryp.toc.tf/tasks/ecchimera_da57494454cba7683105130b6161f4f65c41306f.txz) version is a hard version! ```python= #!/usr/bin/env python3 from sage.all import * from flag import flag n = 43216667049953267964807040003094883441902922285265979216983383601881964164181 U = 18230294945466842193029464818176109628473414458693455272527849780121431872221 V = 13100009444194791894141652184719316024656527520759416974806280188465496030062 W = 5543957019331266247602346710470760261172306141315670694208966786894467019982 flag = flag.lstrip(b'CCTF{').rstrip(b'}') s = int(flag.hex(), 16) assert s < n E = EllipticCurve(Zmod(n), [0, U, 0, V, W]) G = E(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) print(f'G = {G}') print(f's * G = {s * G}') ``` We have an elliptic curve defined over the ring of integers modulo n, or $Z_n$. Generally elliptic curves are defined over a field with a prime $p$, or $F_p$, but in this case we working with the ring $Z_n$. The rest of the question is a typical ECDLP (Elliptic Curve Discrete Log Problem) problem, where we're given a generator point $G$ on the curve and the point $s * G$, where $s$ is our flag and the value we need to solve for. Because $n$ isn't prime, we need to take a different approach to solve the discrete log problem. If we use [factordb](http://factordb.com/index.php?query=43216667049953267964807040003094883441902922285265979216983383601881964164181), we can factor $n$ into 2 primes $p$ and $q$. According to this link https://link.springer.com/content/pdf/10.1007%2FBFb0054116.pdf (pg. 4), the number of points on the elliptic curve ($\#E_{Z_n}$) is equivalent to the product of the order of the curve defined over $F_p$ and $F_q$. In other words, $$\#E_{Z_n} = \#E_{F_p} * \#E_{F_q}$$ Now because $p$ and $q$ are prime, it's very simple to figure out $\#E_{F_p}$ and $\#E_{F_q}$, we can do it directly in Sage ```python= #!/usr/bin/env python3 n = 43216667049953267964807040003094883441902922285265979216983383601881964164181 U = 18230294945466842193029464818176109628473414458693455272527849780121431872221 V = 13100009444194791894141652184719316024656527520759416974806280188465496030062 W = 5543957019331266247602346710470760261172306141315670694208966786894467019982 E = EllipticCurve(Zmod(n), [0, U, 0, V, W]) G = E(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) sG = E(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) p = 190116434441822299465355144611018694747 q = 227316839687407660649258155239617355023 assert p * q == n # P and Q curves Ep = EllipticCurve(GF(p), [0, ZZ(U % p), 0, ZZ(V % p), ZZ(W % p)]) Eq = EllipticCurve(GF(q), [0, ZZ(U % q), 0, ZZ(V % q), ZZ(W % q)]) kp = Ep.order() kq = Eq.order() ``` Now in order to solve the discrete log on the curve over the ring $Z_n$, what we can do instead is solve the discrete log on the curve over the field $F_p$ and $F_q$ and then combine the results using the Chinese remainder theorem (from pg.11 of the same paper linked above). Another explanation is given here: https://crypto.stackexchange.com/questions/72613/elliptic-curve-discrete-log-in-a-composite-ring. If we look at the order of the curve over $F_p$ and $F_q$ we notice a few things. $$\#E_{F_p} = p = 190116434441822299465355144611018694747\\ \#E_{F_q} = 2^4 * 3 * 13 * 233 * 4253 * 49555349 * 7418313402470596923151 $$ If the order of a curve defined over a field $F_p$ is equal to $p$, then that means the curve is anomalous, and there's an attack (called Smart's attack) that we can apply to solve the discrete log easily. So we can apply this to the curve defined over $F_p$. This also implies that every point generated by the curve also has an order of $p$. For the other curve defined over $F_q$, notice that the order is somewhat smooth, meaning that the number can be decomposed into small-ish primes. Other than the last prime factor, the other numbers are fairly small primes. This kind of smooth order implies the Pohlig Hellman attack, where we solve the discrete log problem by solving the discrete log over the subgroups of the group generated by the point $G$. To summarize, we have a elliptic curve defined over $Z_n$ and we need to solve the discrete log problem to find a value $s$ given $G$ and $s*G$. We can split the curve into 2 curves defined over $F_p$ and $F_q$. Then we solve the discrete log over these 2 curves for $s_p$ and $s_q$ such that $$ s_p \equiv s \mod \#E_{F_p} \\ s_q \equiv s \mod \#E_{F_q} $$ Using the Chinese remainder theorem we combine these results to find $$s \mod \#E_{Z_n}$$ because $$\#E_{Z_n} = \#E_{F_p} * \#E_{F_q}$$ ### Pohlig Hellman We'll start with the curve defined over $F_q$. First we find the order of the point $G$ defined on the curve: ```python= #!/usr/bin/env python3 from Crypto.Util.number import * n = 43216667049953267964807040003094883441902922285265979216983383601881964164181 U = 18230294945466842193029464818176109628473414458693455272527849780121431872221 V = 13100009444194791894141652184719316024656527520759416974806280188465496030062 W = 5543957019331266247602346710470760261172306141315670694208966786894467019982 E = EllipticCurve(Zmod(n), [0, U, 0, V, W]) G = E(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) sG = E(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) p = 190116434441822299465355144611018694747 q = 227316839687407660649258155239617355023 assert p * q == n # P curve Eq = EllipticCurve(GF(q), [0, ZZ(U % q), 0, ZZ(V % q), ZZ(W % q)]) kq = Eq.order() Gq = Eq(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) sGq = Eq(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) print(Gq.order()) ``` Output is $$75772279895802553549752718413205785008 = 2^4 * 13 * 233 * 4253 * 49555349 * 7418313402470596923151$$ Other than the last factor, the number is fairly smooth. Also notice that the order of $G$ isn't equal to the order of the curve $\#E_{F_q}$ (there's a factor of 3 missing). We will run the Pohlig Hellman algorithm using every factor except the last one, because solving the discrete log in that prime-order subgroup will take too long. If $s_q$ is small enough, we don't have use the last prime and we will still find the correct value. Code below is to find $s_q$ ```python= primes = [2^4, 13, 233, 4253, 49555349, 7418313402470596923151] #don't use 3 and last one dlogs = [] for fac in primes[:-1]: t = int(Gq.order()) // int(fac) dlog = (t*Gq).discrete_log(t*sGq) #discrete_log(t*sGq, t*Gq, operation="+") dlogs += [dlog] #print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order q_secret = crt(dlogs, primes[:-1]) ``` Running this we get $s_q = 9092500866606561$. ### Smart's attack Onto the other curve. We know the order of the curve equals the prime $p$ (anomalous curve), so we can apply Smart's attack to solve the discrete log quickly. Code to apply this attack and solve for $s_p$ is below: ```python= n = 43216667049953267964807040003094883441902922285265979216983383601881964164181 U = 18230294945466842193029464818176109628473414458693455272527849780121431872221 V = 13100009444194791894141652184719316024656527520759416974806280188465496030062 W = 5543957019331266247602346710470760261172306141315670694208966786894467019982 E = EllipticCurve(Zmod(n), [0, U, 0, V, W]) G = E(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) sG = E(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) p = 190116434441822299465355144611018694747 q = 227316839687407660649258155239617355023 assert p * q == n # P curve Ep = EllipticCurve(GF(p), [0, ZZ(U % p), 0, ZZ(V % p), ZZ(W % p)]) kp = Ep.order() Gp = Ep(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) sGp = Ep(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) print(Gp.order()) def SmartAttack(P,Q,p): E = P.curve() Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ]) P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True) for P_Qp in P_Qps: if GF(p)(P_Qp.xy()[1]) == P.xy()[1]: break Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True) for Q_Qp in Q_Qps: if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]: break p_times_P = p*P_Qp p_times_Q = p*Q_Qp x_P,y_P = p_times_P.xy() x_Q,y_Q = p_times_Q.xy() phi_P = -(x_P/y_P) phi_Q = -(x_Q/y_Q) k = phi_Q/phi_P return ZZ(k) p_secret = SmartAttack(Gp,sGp,p) ``` Running that code we get $s_p = 35886536999264548257653961517736633452$ ### CRT All that's left is to combine our 2 answers with CRT and solve for the flag. Let the order of $G$ on $E_{F_p}$ be $n_p$ and the order of $G$ on $E_{F_q}$ be $n_q$. Also note that: $$\#E_{F_p} = n_p\\ \#E_{F_q} = n_q *3 * 7418313402470596923151$$ We have the following equations: $$ s_p \equiv s \mod n_p\\ s_q \equiv s \mod n_q $$ If the $s$ is small enough, CRT will be able to recover the flag. ```python= flag = long_to_bytes(int(crt([p_secret, q_secret], [Gp.order(), Gq.order() // 7418313402470596923151]))) print(flag) ``` ### Solution Full solution code below ```python= #!/usr/bin/env python3 from Crypto.Util.number import * n = 43216667049953267964807040003094883441902922285265979216983383601881964164181 U = 18230294945466842193029464818176109628473414458693455272527849780121431872221 V = 13100009444194791894141652184719316024656527520759416974806280188465496030062 W = 5543957019331266247602346710470760261172306141315670694208966786894467019982 E = EllipticCurve(Zmod(n), [0, U, 0, V, W]) G = E(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) sG = E(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) p = 190116434441822299465355144611018694747 q = 227316839687407660649258155239617355023 assert p * q == n # P curve Ep = EllipticCurve(GF(p), [0, ZZ(U % p), 0, ZZ(V % p), ZZ(W % p)]) Eq = EllipticCurve(GF(q), [0, ZZ(U % q), 0, ZZ(V % q), ZZ(W % q)]) kp = Ep.order() kq = Eq.order() Gp = Ep(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) Gq = Eq(6907136022576092896571634972837671088049787669883537619895520267229978111036, 35183770197918519490131925119869132666355991678945374923783026655753112300226) sGp = Ep(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) sGq = Eq(14307615146512108428634858855432876073550684773654843931813155864728883306026, 4017273397399838235912099970694615152686460424982458188724369340441833733921) print(Gp.order()) print(Gq.order()) def SmartAttack(P,Q,p): E = P.curve() Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ]) P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True) for P_Qp in P_Qps: if GF(p)(P_Qp.xy()[1]) == P.xy()[1]: break Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True) for Q_Qp in Q_Qps: if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]: break p_times_P = p*P_Qp p_times_Q = p*Q_Qp x_P,y_P = p_times_P.xy() x_Q,y_Q = p_times_Q.xy() phi_P = -(x_P/y_P) phi_Q = -(x_Q/y_Q) k = phi_Q/phi_P return ZZ(k) primes = [2^4, 13, 233, 4253, 49555349, 7418313402470596923151] #don't use 3 and last one dlogs = [] for fac in primes[:-1]: t = int(Gq.order()) // int(fac) dlog = (t*Gq).discrete_log(t*sGq) #discrete_log(t*sGq, t*Gq, operation="+") dlogs += [dlog] #print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order p_secret = SmartAttack(Gp,sGp,p) q_secret = crt(dlogs, primes[:-1]) #Gq.discrete_log(sGq) #9092500866606561 #discrete_log(sGq, Gq, ord=Gq.order(), bounds=2^4 * 3 * 13 * 233 * 4253 * 49555349, operation="+") print(p_secret, q_secret) flag = long_to_bytes(int(crt([p_secret, q_secret], [Gp.order(), Gq.order() // 7418313402470596923151]))) print(flag) ``` ##### Flag `CCTF{m1X3d_VeR5!0n_oF_3Cc!}`