Category: crypto

Description

Hey choom! I got my hands on some fresh new hardware, a chip that can do military-grade encryption at lightning speed.

I'm testing out it's signature features, and since you're a god-tier netrunner, maybe you can learn how to sign stuff yourself if you watch my bot do it enough?

Attachments: [ fast-rsa.zip ]

Problem

The program generates an RSA keypair and outputs the modulus \(n\) and the uppermost 32 bits of \(d\).

It then repeatedly reads \(m, b \in \mathbb Z\) and calculates the signature \(s = m^d \mod n\). This is done in Montgomery form. Then \(s\) and whether any of the two multiplications in the \(b\)th step of exponentiation required the conditional subtraction is revealed.

The goal is to determine \(d\).

Solution

Disclosure: I was not able to solve this challenge at the competition.

We can almost use an attack by Walter & Thompson¹. You can find my implementation here.

The only difference is that in each step it is not known which of the two subtractions were needed, i. e. the observation vector is “squashed”. The solution is simple: the algorithm has to be run on multiple squashed observation vectors simultaneously. In practice 2 are enough. The algorithm calculates \(d\) in ~1 s, however getting the observation vectors from the remote takes considerably more time.

Implementation

#!/usr/bin/env python3

import sys
import time
import pwn

sys.setrecursionlimit(2500)

# https://en.wikipedia.org/wiki/Montgomery_modular_multiplication
class Montgomery:
    def __init__(self, n):
        assert(n & 1)
        self.N = n
        self.nbits = self.N.bit_length()
        self.R = 1 << self.nbits
        self.R_inv = pow(self.R, -1, self.N)
        self.N_prime = -pow(self.N, -1, self.R)

    def to_montgomery(self, x):
        return (x << self.nbits) % self.N

    def from_montgomery(self, x):
        return (x * self.R_inv) % self.N

    def multiply(self, x, y):
        T = x * y
        m = ((T % self.R) * self.N_prime) % self.R
        t = (T + m * self.N) >> self.nbits
        return (t, False) if t < self.N else (t - self.N, True)

def parse_res(res, a, b):
    return int(res.split(a)[1].split(b)[0][2:], 16)

CUTOFF = 3

def Z_prime_next(M, A_bar, Y, bit):
    Y, z1 = M.multiply(Y, Y)
    z2 = False
    if bit:
        Y, z2 = M.multiply(Y, A_bar)
    return Y, z1 or z2

def attack_bruteforce(M, A_bar, Y, S_bar, dt):
    for _ in range(CUTOFF):
        Y, z1 = M.multiply(Y, Y)

    for i in range(1 << CUTOFF):
        if Y == S_bar:
            return True, dt + i
        Y, _ = M.multiply(Y, A_bar)

    return False, None

# inv: first t bits of dt are assumed to be correct
def attack_impl(M, As_bar, Ss_bar, Zs, Ys, Zs_prime, t, dt, H, guess = None):
    if not t % 10:
        print('attack_impl', t, dt)

    nbits = len(Zs[0])
    if guess != None:
        t += 1
        dt = dt | (guess << nbits - t)
        tmp = [Z_prime_next(M, A_bar, Y, guess) for A_bar, Y in zip(As_bar, Ys)]
        Ys = [Y for Y, _ in tmp]
        Zs_prime = [Z_prime + [z] for Z_prime, (_, z) in zip(Zs_prime, tmp)]

    if t == nbits - CUTOFF:
        return attack_bruteforce(M, As_bar[0], Ys[0], Ss_bar[0], dt)

    if any([Z[0:t] != Z_prime[0:t] for Z, Z_prime in zip(Zs, Zs_prime)]):
        return False, None

    if t < 32:
        guess = not not (H & (1 << (31 - t)))
        return attack_impl(M, As_bar, Ss_bar, Zs, Ys, Zs_prime, t, dt, H, guess)

    guess = int(any([Z[t-1] == Z_prime[t-1] for Z, Z_prime in zip(Zs, Zs_prime)]))
    s, d = attack_impl(M, As_bar, Ss_bar, Zs, Ys, Zs_prime, t, dt, H, guess)
    if not s:
        s, d = attack_impl(M, As_bar, Ss_bar, Zs, Ys, Zs_prime, t, dt, H, not guess)
    return s, d

def attack(N, As, Ss, Zs, d_upper):
    M = Montgomery(N)
    As_bar = [M.to_montgomery(A) for A in As]
    Ss_bar = [M.to_montgomery(S) for S in Ss]
    Ys = [M.to_montgomery(1) for _ in As]
    Zs_prime = [[] for _ in As]
    s, d = attack_impl(M, As_bar, Ss_bar, Zs, Ys, Zs_prime, 0, 0, d_upper)
    assert(s)
    return d

def get_sig(A):
    p.sendline(hex(A).encode() + b'\n0')
    return parse_res(p.readuntil(b'challenge: '), b'Signature: ', b'\n')

def is_expensive(res):
    GOOD = [
        b' is a cool number',
        b' is really quite something',
        b' likes to save me money'
    ]
    return not any([e in res for e in GOOD])

def get_vec(A, bits):
    BATCH = 32
    Z = []
    for i in range(0, bits, BATCH):
        print(i)
        lines = [hex(A) + '\n' + str(i + j) for j in range(BATCH)]
        p.sendline('\n'.join(lines).encode())

        for _ in range(BATCH):
            Z.append(is_expensive(p.readuntil(b'challenge: ')))
    return Z[::-1]

p = pwn.remote('127.0.0.1', 5000)
res = p.readuntil('challenge: ')
n = parse_res(res, b'n=', b'\n')
d_upper = parse_res(res, b'd: ', b'\n')         # crib
As = [2, 3]                                     # messages
Ss = [get_sig(A) for A in As]                   # signatures
Zs = [get_vec(A, n.bit_length()) for A in As]   # observation vectors
t1 = time.time()
d = attack(n, As, Ss, Zs, d_upper)
t2 = time.time()

p.sendline(b'')
msg = parse_res(p.readline(), b'message: ', b'\n')
sig = pow(msg, d, n)
p.sendline(hex(sig).encode())

print('{d_upper = }')
print(f'{As = }')
print(f'{Ss = }')
print(f'{n = }')
print(f'{d = }')
print(f'{msg = }')
print(f'{sig = }')
print(f'{CUTOFF = }')
print('# calculated in ', t2 - t1, 's')
print(p.readline())

References

1. C. D. Walter and S. Thompson, “Distinguishing exponent digits by observing modular subtractions,” in Topics in Cryptology — CT-RSA 2001, ser. Lecture Notes in Computer Science, vol. 2020. Springer Verlag, 2001, pp. 192–207. subsection 3.3

I hate Vivado but I am forced to use it at university. It is notoriously complicated to set up on Linux and using NixOS has caused me extra difficulties.

In this post I will detail how to install Vivado 2019.2 on nixos-unstable. Other combinations of versions may or may not work.

Installing

1. Download Vivado HLx 2019.2: All OS installer Single-File Download from the Xilinx website.

2. Extract it using

   cd ~/Downloads && tar xzvf Xilinx_Vivado_2019.2_1106_2127.tar.gz
   

3. In the extracted directory create a shell.nix file with the following content:

   # shell.nix
   { pkgs ? import <nixpkgs> { } }:
   (pkgs.buildFHSEnv {
     name = "vivado-env";
     targetPkgs = pkgs: (
    with pkgs; [
      ncurses5
      zlib libuuid
      bash coreutils zlib stdenv.cc.cc
      xorg.libXext xorg.libX11 xorg.libXrender xorg.libXtst
      xorg.libXi xorg.libXft xorg.libxcb xorg.libxcb
      freetype fontconfig glib gtk2 gtk3
      graphviz gcc unzip nettools
    ]
     );
     runScript = ''
    env LIBRARY_PATH=/usr/lib \
      C_INCLUDE_PATH=/usr/include \
      CPLUS_INCLUDE_PATH=/usr/include \
      CMAKE_LIBRARY_PATH=/usr/lib \
      CMAKE_INCLUDE_PATH=/usr/include \
      bash
     '';
   }).env
   

4. Run nix-shell.

5. Run ./xsetup -b ConfigGen. Select Vivado HL WebPACK.

6. Edit the install config:

   nvim ~/.Xilinx/install_config.txt
   

   It seems advisable to change Destination to a path that we have read/write permissions for.
   I used <home directory>/opt/Xilinx.

7. Install Vivado with

   ./xsetup \
   -a XilinxEULA,3rdPartyEULA,WebTalkTerms \
   -b Install \
   -c $HOME/.Xilinx/install_config.txt
   

8. See Notes on libtinfo.so.5. Run

   ln -s /usr/lib/libtinfo.so.5 ~/opt/Xilinx/Vivado/2019.2/lib/lnx64.o/libtinfo.so.5
   

9. You can now launch Vivado with

   ~/opt/Xilinx/Vivado/2019.2/bin/vivado
   

Desktop Entry

1. Create a shell.nix in ~/opt/Xilinx/Vivado/2019.2/bin/ with the following content

   # shell.nix
   { pkgs ? import <nixpkgs> { } }:
   (pkgs.buildFHSEnv {
     name = "vivado-env";
     targetPkgs = pkgs: (
    with pkgs; [
      ncurses5
      zlib libuuid
      bash coreutils zlib stdenv.cc.cc
      xorg.libXext xorg.libX11 xorg.libXrender xorg.libXtst
      xorg.libXi xorg.libXft xorg.libxcb xorg.libxcb
      freetype fontconfig glib gtk2 gtk3
      graphviz gcc unzip nettools
    ]
     );
     runScript = ''
    env LIBRARY_PATH=/usr/lib \
      C_INCLUDE_PATH=/usr/include \
      CPLUS_INCLUDE_PATH=/usr/include \
      CMAKE_LIBRARY_PATH=/usr/lib \
      CMAKE_INCLUDE_PATH=/usr/include \
      $HOME/opt/Xilinx/Vivado/2019.2/bin/vivado
     '';
   }).env
   

2. Open the desktop entry for Vivado:

   nvim .local/share/applications/Vivado\ 2019.2_*.desktop
   

   Change the line starting with Exec to

   Exec=nix-shell <home directory>/opt/Xilinx/Vivado/2019.2/bin/shell.nix
   

Notes on libtinfo.so.5

If step 8. is omitted then running Vivado throws the following error:

application-specific initialization failed: couldn't load file "librdi_commontasks.so":
libtinfo.so.5: cannot open shared object file: No such file or directory

This seems to be a common issue and is usually solved by installing libtinfo-dev or symlinking /usr/lib/libtinfo.so.6 to /usr/lib/libtinfo.so.5. However this is not the solution in this case because libtinfo.so.5 is actually present at the reasonable locations (/usr/lib, /lib, …) but Vivado refuses to find it for some unknown reason. The only workaround I found is symlinking/copying libtinfo.so.5 to <install dir>/Xilinx/Vivado/2019.2/lib/lnx64.o

Solution

ln -s /usr/lib/libtinfo.so.5 ~/opt/Xilinx/Vivado/2019.2/lib/lnx64.o/libtinfo.so.5

Non-solution 1

I cannot even install libtinfo.

nix-shell -p libtinfo
# ...
ERROR: noBrokenSymlinks: the symlink /nix/store/l3sa8c1f03l84zkz6afbzgya3ad4jcmi-ncurses-6.5-dev/lib/pkgconfig/tic.pc points to a missing target: /nix/store/l3sa8c1f03l84zkz6afbzgya3ad4jcmi-ncurses-6.5-dev/lib/pkgconfig/ncurses.pc
ERROR: noBrokenSymlinks: the symlink /nix/store/l3sa8c1f03l84zkz6afbzgya3ad4jcmi-ncurses-6.5-dev/lib/pkgconfig/tinfo.pc points to a missing target: /nix/store/l3sa8c1f03l84zkz6afbzgya3ad4jcmi-ncurses-6.5-dev/lib/pkgconfig/ncurses.pc
ERROR: noBrokenSymlinks: found 2 dangling symlinks, 0 reflexive symlinks and 0 unreadable symlinks

Non-solution 2

Creating a symlink from /usr/lib/libtinfo.so.6 to /usr/lib/libtinfo.so.5 in an FHSEnv is not trivial at all because /usr is read-only. Therefore we have to use a package override so that the symlink is already created in the package.

# shell.nix
{ pkgs ? import <nixpkgs> { } }:
(
let
  custom-ncurses = pkgs.ncurses.overrideAttrs (finalAttrs: previousAttrs:  {
    postFixup = previousAttrs.postFixup + ''
        ln -svf $out/lib/libtinfo.so.6 $out/lib/libtinfo.so.5
    '';
  });
in
  pkgs.buildFHSEnv {
    name = "vivado-env";
    targetPkgs = pkgs: (
      with pkgs; [
        custom-ncurses
        zlib libuuid
        bash coreutils zlib stdenv.cc.cc
        xorg.libXext xorg.libX11 xorg.libXrender xorg.libXtst
        xorg.libXi xorg.libXft xorg.libxcb xorg.libxcb
        freetype fontconfig glib gtk2 gtk3
        graphviz gcc unzip nettools
      ]
    );
    runScript = ''
      env LIBRARY_PATH=/usr/lib \
        C_INCLUDE_PATH=/usr/include \
        CPLUS_INCLUDE_PATH=/usr/include \
        CMAKE_LIBRARY_PATH=/usr/lib \
        CMAKE_INCLUDE_PATH=/usr/include \
        $HOME/opt/Xilinx/Vivado/2019.2/bin/vivado
    '';
  }
).env

However as mentioned this still does not solve the problem.

Uninstalling

WARNING: This might be overkill for you. Read it carefully and use common sense!

rm -rf \
~/opt/Xilinx \
~/.Xilinx \
~/.config/menus/applications-merged/Xilinx\ Design\ Tools.menu \
~/.local/share/applications/*Vivado* \
~/.local/share/applications/*Xilinx* \
~/.local/share/applications/Uninstall\ 2019.2* \
~/.local/share/applications/Add\ Design\ Tools\ or\ Devices\ 2019.2* \
~/.local/share/applications/Documentation\ Navigator* \
~/.local/share/applications/Uninstall\ DocNav*

Resources

This post is largely based on kotatsuyaki’s excellent article Xilinx Vivado on NixOS.

Also check out Bruce Röttgers’ post on installing Vivado on Ubuntu.

This post details how to use a virtual private network (VPN) running on a separate (virtual) machine. This allows us to “pre-filter” the network traffic, effectively split tunneling using a full-tunnel VPN connection.

Some possible use cases include:

• You are required to use a full tunnel VPN connection but you don’t want to send all of your traffic through the VPN for privacy or performance reasons.
• You want to connect a machine to multiple VPNs simultaneously.
• You want to connect multiple machines to a VPN simultaneously.

Setup

The simplest setup is to use a virtual machine (VM) to connect to the VPN. However two different physical computers could also be used.

This post will assume you are running a KVM VM on a Linux host but it should be trivial to adapt it to other situations.

Create the VM

1. Choose a Linux distribution. You can use a distro optimized for networking like OpenWRT or a general purpose one like Debian or Arch.
2. Create a VM with for example virt-manager. If you are paranoid you can enable full disk encryption.
3. Install the VPN client you want to use inside the VM.

Network interfaces

Inspect the network interfaces of the machines using ip addr or ifconfig. There are 3 interfaces of interest:

• On the host:
  • interface to the LAN:
    • wlp1s0 or similar if connected to wifi
    • enp1s0, eth0 or similar if connected to ethernet
  • interface like virbr0 to the VM
• On the VM:
  • interface like enp1s0 to the host

Furthermore if you start the VPN in the VM a new interface like tun0 should be created.

This is a diagramm of the setup:

       +------------------------------------------------------+
       |                                                      |
       |    Host                                              |
       |                                                      |
       |    +--------+    +------------------------------+    |
LAN <-----> | wlp1s0 |    |                              |    |
       |    +--------+    |    VM                        |    |
       |                  |                              |    |
       |    +--------+    |    +--------+  +--------+    |    |
       |    | virbr0 | <-----> | enp1s0 |  |  tun0  |    |    |
       |    +--------+    |    +--------+  +--------+    |    |
       |       ...        +------------------------------+    |
       +------------------------------------------------------+

The interfaces might be named a bit differently on your machines, you will have to adapt the following commands accordingly.

Routing

Linux uses a routing table to determine where to send packets. The routing table can be consulted using the route command.

Therefore:

1. The routing table of the host has to be modified so that it sends packets meant for the VPN to the VM.
2. The VM has to be adjusted so that it forwards these packets received from the host to the VPN.

VM

Enable IP forwarding:

echo '1' >> /proc/sys/net/ipv4/ip_forward

Adjust the firewall to forward enp1s0 to tun0:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -A FORWARD -i enp1s0 -o tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i tun0 -j ACCEPT

Host

There are two ways to set up the host:

Static

This is simpler if you only need to access a few resources. If there is a website called site.example that you need to access:

1. Look up the IP address of site.example using dig or nslookup. Let’s assume it is 10.10.10.10.
2. Add an entry to your /etc/hosts file:

   # /etc/hosts
   10.10.10.10     site.example
   

3. Find the IP address of the enp1s0 network interface of the VM. It must be on the same subnet as the virbr0 interface of the host. Let’s assume it is 192.168.100.100.
4. Add an entry to the routing table of the host specifying that packets bound for the IP of the website should use the VM as the gateway.

   route add 10.10.10.10/32 gw 192.168.100.100 metric 200 dev virbr0
   

5. You should be able to access the website.

   curl site.example
   

DNS

This is more complicated but might be necessary if a static setup would be too tedious.

1. Find the VPN name server using dig or nslookup.
2. Configure the host to use it for DNS resolution. The concrete steps to do this depend on your setup, but this is tricky:
   • You should restrict usage of the VPN name server to domains that it is actually needed for.
   • You might not know all of the domains this applies to.
   • You cannot use the name server on your router because it doesn’t have access to the VPN.
   • Therefore you might have to run a seperate name server on the host and configure the fallback logic between router and VPN name server there.
   • Failing to set this up correctly could leak your DNS queries to the VPN name server and break a DNS sinkholing setup.
3. Expose the VPN name server as well as the VPN subnets using the host routing table as explained in the static section.

Example

DNS using systemd-resolved with systemd-networkd

Run on the VM:

dig site1.example
# ...
# site1.example.	300	IN	A	10.10.10.10
# ...
# ;; SERVER: 10.10.10.53#53(10.10.10.53) (UDP)
# ...

Thus the VPN name server is 10.10.10.53.

Make sure you are actually using resolved for host resolution. The /etc/nsswitch.conf file should contain the following line:

hosts:  files resolve dns

See also man nss-resolve and man nsswitch.conf.

Set the VPN name server as the network DNS server in /etc/systemd/network/wlp1s0.network.

[Match]
Name=wlp1s0

[Network]
DNS=10.10.10.53
Domains=site1.example site2.example ~example

See also man systemd.network.

Set your prefered non-VPN name server as your global DNS server in /etc/systemd/resolved.conf:

[Resolve]
DNS=8.8.8.8

See also man systemd-resolved.service.

Reload:

systemctl daemon-reload
systemctl restart systemd-networkd
systemctl restart systemd-resolved

This has the effect that host1.site1.example will be resolved using 10.10.10.53 but on.the.internet using 8.8.8.8.

Add routing information for the VPN name server and other resources you need to access:

route add 10.10.10.53/32 gw 192.168.100.100 metric 200 dev virbr0
route add 10.10.10.10/32 gw 192.168.100.100 metric 200 dev virbr0

You can troubleshoot using:

resolvectl status

The output should look something like this:

Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 8.8.8.8
       DNS Servers: 8.8.8.8

Link 2 (wlp1s0)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.10.10.53
       DNS Servers: 10.10.10.53
        DNS Domain: site1.example site2.example ~example

# ...

Persistence

All of the commands are non-persistent. If you want them to survive a reboot you have to create a startup script running them on boot.

Ideally you want

• a startup script on the host setting up the routing table and starting the VM, and
• a startup script on the VM starting the VPN and adjusting the firewall.

The specifics will highly depend on your setup and use case.

Conclusion

Notice how you can use these techniques to

• split tunnel before a full tunnel VPN,
• share a VPN connection with multiple computers or
• use multiple VPNs simultaneously

without the arbiters of the VPN being able to do much about it.

My pre-scientific thesis (VWA), submitted in 2023.

Abstract

N-dimensional rendering is a fascinating but computationally expensive process. This makes it ill-suited for real-time applications. GPUs have been conventionally used to accelerate rendering workloads, however they are heavily optimized for 3D rendering. This thesis explains the mathematics underpinning n-dimensional rendering and takes a look at how it can be optimally realized on modern graphics hardware. It will give some workarounds to overcome the inherent limitations of components designed not with this use case in mind.

A reference implementation written in C++ and utilizing Vulkan is provided in the form of vulkan-xd, exemplifying some of the techniques discussed. Some basic performance analysis was conducted on the project giving a benchmark for the achievable efficiency.

Further research is required to come up with additional optimizations and to accurately assess the exact performance to be expected.

Note: This was originally published on Medium on Mar 31, 2021. I have since taken a numerics lecture and come to know that this is called “piecewise linear interpolation”. I have also learned that solving such a linear system of equations might give awful precision unless you represent your numbers as rationals.

Problem

Given a list of \(n\) Points \(\bold P = (P_1, P_2, …, P_n)\) where \(P_i = (P_{i,x}, P_{i,y})\) ordered along the \(x\)-axis, what function \(f(x)\), when graphed, connects the points in the domain \([P_{1,x}; P_{n,x}]\) with straight lines?

Solution

where

Note: I came up with this on my own so there are probably better ways to do this.

Explanation

Consider the function \(g(x) = a \lvert x - b \rvert\): it is like a linear function, \(a\) determines the steepness, but it’s mirrored at \(b\) along the \(y\) axis.

If you sum multiple of these functions with different \(a\) and \(b\) values together, you get a zigzagged line, something that could work as the function we are searching for.

Let’s assume we can use the \(x\)-values of the given points as values for \(b\). Then we get:

which is the same as

Now we need to find the values for \(a = (a_1, a_2, \ldots, a_n)\).

We know the values of \(f(x)\) at the given points:

which in simpler terms just means

From this we can construct a linear system of equations:

All values for \(P\) are known, so at this point, we could simply use an equation solver to get \(a\). However, it can also be rewritten as a matrix multiplication:

Solve for \(a\):

And that’s it.

Example

Let’s find \(f(x)\) for the points \((1, 1)\), \((2, 3)\) and \((4, 2)\). First, we need to find the values for \(a\).

Using the above formula, we get:

Simplify:

Solve using SageMath:

V = matrix(QQ, [1, 3, 2])
M = matrix(QQ, [[0, 1, 3], [1, 0, 2], [3, 2, 0]])
a = V * pow(M, -1)

a # [ 3/2 -5/4  3/4]

Now we can use the very first formula to get \(f(x)\):

Category: rev

Description

Good luck finding the secret word for my super secure program!

Attachments: anti-rev

Solution

import angr

project = angr.Project("anti-rev", auto_load_libs=True)
simgr = project.factory.simulation_manager(project.factory.full_init_state())
simgr.explore(find=0x401def, avoid=0x401df8)
print(simgr.found[0].posix.dumps(0))

Bonus

Use angr to disassemble and find address to search for.

import angr

project = angr.Project("anti-rev", auto_load_libs=False)
cfg = project.analyses.CFG(normalize=True)
for node in sorted(cfg.model.nodes(), key=lambda n: n.addr):
    if not node.is_simprocedure:
        node.block.pp()

Category: crypto

Description

Why using boring symmetric crypto for MACs when we can use fancy math?

Attachments: mathmac.py (see Appendix)

Probem

Let \(p = 8636821143825786083\) and \(M = 64\).
Let \(\bold k = k_0, \ldots,k_M\) where \(k_i \in \mathbb Z_{\lt p}\) be a private key chosen at random.
Let \(\bold x \in \{0, 1\}^M\) with \(\bold x = x_1, \ldots, x_M\) be an \(M\)-bit binary word.
Let \(h \colon \{0, 1\}^M \to \mathbb Z_p\) be a hash function defined as

The challenge is:

• The attacker can request an unlimited amount of word/hash pairs \((\bold x, h(\bold x))\) chosen at random.
• Then the attacker has to submit a word/hash pair \((\bold x ^\prime, h(\bold x ^\prime))\) that has not yet been revealed.
  • If the submission is correct the attacker obtains the flag.
  • Only a single submission can be made.

Solution

The first step involves solving the discrete logarithm problem (DLP).

DLP

Let \(h(\bold x)\) be an element of the cyclic subgroup \(\langle 4 \rangle\) of \(\mathbb Z_p^*\).
If \(4^n \equiv h(\bold x) \mod p\) then \(n\) is the discrete logarithm of \(h(\bold x)\) to the base \(4\) denoted as \(n = \log_4(h(\bold x))\).
Solving this is useful because \(n\) is directly related to \(k_0 + x_1 k_1 + \cdots x_M k_M\).

Some notes:

• \(\lvert \mathbb Z_p^*\rvert = p - 1\).
• From Lagrange’s theorem it follows that \(\lvert4\rvert\) divides \(\lvert \mathbb Z_p^*\rvert\)
  • This means that \(|4|\) is \(1\), \(2\), \(4318410571912893041\) or \(8636821143825786082\).
    It’s easy to see that in practice only the last two are possible.
• The DLP is easy to solve if the order of the group is smooth using the Pohlig-Hellman algorithm.
  • This is not the case because \(p = 8636821143825786083 = 2 \cdot 4318410571912893041 + 1\) is a safe prime.
• The base 4 doesn’t matter. Computing a logarithm to any base \(x\) is sufficient, because

The fastest known algorithm to compute the DLP in this case is a number field sieve.
One implementation is CADO-NFS.

CADO-NFS

Setup:

git clone https://gitlab.inria.fr/cado-nfs/cado-nfs
cd cado-nfs
make
# create paramter files for 19 bit
cp parameters/dlp/params.p30 parameters/dlp/params.p19
cp parameters/dlp/p30.hint parameters/dlp/p19.hint

Example: Compute the DLP of 4802397593893189429:

# ell is the order of ⟨4⟩
./cado-nfs.py --dlp \
    --ell 4318410571912893041 \
    target=4802397593893189429 \
    8636821143825786083
# 2192507630663880847

./cado-nfs.py --dlp \
    --ell 4318410571912893041 \
    target=4 \
    8636821143825786083
# 941720563644317575

Thus \(\log_4 4802397593893189429 = 2192507630663880847 \cdot 941720563644317575^{-1}\)

# python
p = 8636821143825786083
ell = 4318410571912893041
result = 2192507630663880847 * pow(941720563644317575, -1, ell) # 1234567890

# double check the result
pow(4, result, p)   # 4802397593893189429 → correct

Attack

Now we need the hashes of three words \(\bold a, \bold b, \bold c\) such that \(\bold a + \bold b - \bold c\) doesn’t under- or overflow any of the individual bits.
Then we can compute the hash of \(\bold z = \bold a + \bold b - \bold c\) as follows:

Note that we need two positive and one negative term so that the secret \(k_0\) contained in every hash occurs exactly once.

Conclusion

A high level overview of the exploit is:

• Generate around 1000 (word, hash) pairs.
• Do a bruteforce search to find 3 suitable words \(\bold a, \bold b, \bold c\).
• Compute the discrete logarithm of the hashes using CADO-NFS.
• Forge the hash of \(\bold z = \bold a + \bold b - \bold c\) as explained.
• Submit \((\bold z, h(\bold z))\).
• Profit.

A reference implementation can be found in the Appendix.

Appendix

solve.py

# this program expects an input file data.txt
# each line should contain a 'value,hash(value)' pair
# around 1000 pairs seem to be ideal
# this program outputs a value,hash(value) pair to submit

import subprocess
from pathlib import Path
from random import randint

p = 8636821143825786083
q = 4318410571912893041
g = 4

M = 64
N = 1000
MAX = 2**M - 1

# change as needed
CADO_PATH = "/home/user/opt/cado-nfs"
CADO = str(Path(CADO_PATH, 'cado-nfs.py'))

# given the multiplicative group of integers mod p (ℤ/pℤ)^*
# and the subgroup H generated by g where |g| = q and h ∈ H
# find x such that g^x ≡ h (mod p)  
def dlp(h, g, q, p):
    log_h = cado_nfs(h, q, p)
    log_g = cado_nfs(g, q, p)
    log_g_inv = pow(log_g, -1, q)
    log = log_h * log_g_inv % q
    return log

# precompute log 4
cache = { 4: 941720563644317575 }

def cado_nfs(t, o, p):
    cached = cache.get(t)
    if (cached != None): return cached

    cmd = [
        CADO,
        '--dlp',
        '--ell', str(o),
        'target=' + str(t),
        str(p)
    ]

    proc = subprocess.Popen(cmd,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE)

    out = proc.stdout.readline()
    out = int(out.decode('ascii')[0:-1])
    cache.update({ t: out })
    return int(out)

# brute-froce search
def search(arr):
    n = len(arr)
    for i1 in range(n):
        for i2 in range(i1 + 1, n):
            e1 = arr[i1]
            e2 = arr[i2]
            AND = e1 & e2
            NOR = MAX ^ (e1 | e2)
            for i3 in range(n):
                if (i3 == i1 or i3 == i2): continue
                e3 = arr[i3]
                INV = MAX ^ e3
                if (AND & e3 == AND and NOR & INV == NOR):
                    return (i1, i2, i3)

    print("failed")
    exit(-1)

def solve(array):
    print("p =", p)
    print("q =", q)
    print("g =", g)
    print("# searching for a, b, c...")

    i1, i2, i3 = search(list(map(lambda x: x[0], array)))
    x = array[i1][0] + array[i2][0] - array[i3][0]

    print("a =", array[i1][0])
    print("b =", array[i2][0])
    print("c =", array[i3][0])
    print("x =", x)
    print("hash_a =", array[i1][1])
    print("hash_b =", array[i2][1])
    print("hash_c =", array[i3][1])
    print("# solving dlp...")
    
    log_a = dlp(array[i1][1], g, q, p)
    log_b = dlp(array[i2][1], g, q, p)
    log_c = dlp(array[i3][1], g, q, p)
    log_c_inv = pow(log_c, -1, q)
    log_x = log_a * log_b * log_c_inv % q
    hash_x = pow(4, log_x, p)

    print("log_a =", log_a)
    print("log_b =", log_b)
    print("log_c =", log_c)
    print("log_x =", log_x)
    print("hash_x =", hash_x)

    return (x, hash_x)

with open('data.txt', 'r') as file:
    txt = file.read()
    lines = txt.split('\n')[0:-1]
    arr = list(map(lambda line: list(map(int, line.split(','))), lines))

x, log_x = solve(arr)
print(str(x) + ',' + str(log_x))

mathmac.py

#!/usr/bin/env python3

import os
from random import randint
import json

flag = os.getenv('FLAG', 'flag{redacted}')

class MAC:
    def __init__(self, n):
        self.p = 8636821143825786083
        self.n = n
        self.sk = [randint(0, self.p) for _ in range(n)]
        self.base = pow(4, randint(0, self.p), self.p)
    
    def sign(self, x):
        if x < 0 or x >= 2**self.n:
            return None
        x = list(map(int, bin(x)[2:].zfill(self.n)))
        assert len(x) == self.n
        res = self.base
        for ai, xi in zip(self.sk, x):
            if xi == 1:
                res = pow(res, ai, self.p)
        return res


def menu():
    print("1. Generate token")
    print("2. Validate token")
    print("3. Quit")
    return int(input("> "))


def main():
    print("Welcome to the magic MathMAC. Can you become a wizard and guess tokens?")
    M = 64
    mac = MAC(M)
    data = []
    while True:
        choice = menu()
        if choice == 1:
            x = randint(0, 2**M-1)
            data.append(x)
            tag = mac.sign(x)
            print(f"{x},{tag}")
        elif choice == 2:
            x, tag = input().strip().split(",")
            x = int(x)
            tag = int(tag)
            actual_tag = mac.sign(x)
            if actual_tag is None or tag != actual_tag:
                print("Unlucky")
                exit(1)

            if x in data:
                print("Yup. I know.")
            else:
                print(flag)
        else:
            exit(0)


if __name__ == "__main__":
    main()

Category: crypto

Description

I found an interesting way to generate numbers with someone. Wanna try?

Attachments: stealing-seeds.py (see Appendix)

Probem

Let \(s \in \mathbb{P}\) and \(k \in \mathbb{Z}\) with \(0 \le s, k \lt 2^{256}\) be two secret numbers chosen at random.

Let \(f_1, f_2 \colon \{0, 1\}^{256} \to \{0, 1\}^{256}\) be

where \(\oplus\) denotes bit-wise XOR.

Given that you can compute \(f_1(u)\) and \(f_2(u)\) for any \(u \in \{0, 1\}^{256}\), find \(s\).

Solution

This may not be the most elegant solution, however I will explain how to systematically find it without any advanced knowledge of cryptography and semi-formally argue why it is correct.

We first observe that \(\text{sha256} \colon \{0, 1\}^n \to \{0, 1\}^{256}\) is a hash function. It maps every sequence of bits to a sequence of 256 bits. Its outputs are distributed uniformly random, but the same input will always yield the same output. Furthermore we cannot find the pre-image of an output. That is, given \(\text{sha256}(x)\) there is no way of finding \(x\) other than trying every possible value. This is obviously only feasible if the search space is severly limited.

Let us define \(g_1, g_2\) as

Now we observe that the \(f_i\) has the following structure:

XOR can be interpreted as conditionally flipping a bit. More precisely, given two bits \(b, k \in \{0, 1\}\)

This is problematic because it means that even knowing \(g_i(u)\) the term \(g_i(u) \oplus k\) could still be any number. This implies that doing a brute-force search to find pre-images of \(\text{sha256}\) would require checking \(2^{256}\) (the amount of possible values of \(k\)) elements which is practically impossible.

To closer illustrate this consider that

could have any possible value depending on \(k\). This rules out a pre-image attack and thus extracting information from a single image is impossible.

But we observe that \(\text{sha256}\) behaves as if it were injective. A function \(f\) with the domain \(X\) is called injective if

Technically this is not true for \(\text{sha256}\) as there are infinitely many hash collisions (this is evident by the fact that the output is limited to a finite number of bits) but in practice it is extremely unlikely to observe a hash collision.

If we now define the function

for some constant \(k\) we can see that

therefore \(x_k = x_k^{-1}\) which implies that \(x_k\) is injective aswell.

It is easy to show that if two function \(f \colon B \to C, g \colon A \to B\) are injective then \(f \circ g \colon A \to C\) must also be injective.

We can now write

and use the definition of injectivity to show that

It is also worth to note that we can use the same arguments to show that

This gives us the crucial hint that we have to create an exploit by comparing the values of two different functions while trying out specific inputs. To craft this exploit we fix \(s\) to some number and consider \(g_i(0), g_i(1), \ldots\)

s = 1
u       0   1   2   3   4   5   6   7

g1      2   1   4   3   6   5   8   7
g2      0   3   2   5   4   7   6   9

Let \(p_s(u)\) be the number such that \(g_2(u) = g_1(p_s(u))\) or \(-1\) if no such number exists with \(s\) fixed to some value. This is well defined as from the above result it follows that \(\forall u, v \colon u \neq v \implies g_i(u) \neq g_i(v)\).

We now look at a table of \(p_s(u)\) with the axes \(u\) and odd \(s\). A . denotes \(-1\).

Only odd \(s\) are considered as \(s\) is prime and very unlikely to be \(2\).

u     0   1   2   3   4   5   6   7

p1    .   3   0   5   2   7   4   .
p3    .   7   0   1   2   .   4   5
p5    .   .   .   .   2   .   .   1
p7    .   .   0   1   2   3   4   5

We notice that

This means that by a single comparison we can halve the search space! A quick look at a larger table suggests that the method can be generalised.

u     0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15

p1    .   3   0   5   2   7   4   9   6  11   8  13  10  15  12   .
p3    .   7   0   1   2  11   4   5   6  15   8   9  10   .  12  13
p5    .   .   .  13   2  15  12   1   6   3   0   .  10   .   .   9
p7    .  15   0   1   2   3   4   5   6   .   8   9  10  11  12  13
p9    .   .   .   .   .   .   .   .   6   .   .   .   .   .   .   1
p11   .   .   .   .   .   .   4   5   6   .   .   .   .   3  12  13
p13   .   .   .   .   2   .   .   1   6   3   0   5  10   7   4   9
p15   .   .   0   1   2   3   4   5   6   7   8   9  10  11  12  13

To put this more concretely let us look at a slice of the above table:

u     ...   12  13        14  15
                         
p1    ...   10  15        12   .
p3    ...   10   .        12  13 (1)
p5    ...   10   .         .   9 (3)
p7    ...   10  11 (2)    12  13 (1)
p9    ...    .   .         .   1
p11   ...    .   3        12  13 (1)
p13   ...   10   7         4   9 (3)
p15   ...   10  11 (2)    12  13 (1)

The first comparison concerns the entries marked with (1).

1) If it returns true we get this subtable of possible values and use the comparison marked with (2):

u     ...   12  13        14  15
                          
p3    ...   10   .        12  13 (1)
p7    ...   10  11 (2)    12  13 (1)
p11   ...    .   3        12  13 (1)
p15   ...   10  11 (2)    12  13 (1)

2) If it returns false we get the opposite subtable and use the comparison marked with (3):

u     ...   12  13        14  15
                          
p1    ...   10  15        12   .
p5    ...   10   .         .   9 (3)
p9    ...    .   .         .   1
p13   ...   10   7         4   9 (3)

Thus with every comparison one bit is recovered, meaning that \(s\) can be computed with 255 comparisons. What remains is to reverse engineer the equation for the indices to compare at each step. One possible solution can be found in the Appendix. Then some automated way of submitting requests needs to be created to obtain the seed from the remote server.

Visualisation of the \(p_s(u)\) table obtained by coloring \(-1\) white.

Appendix

solve.py

def solve(k):
    last = 2**k - 1
    out = 1
    index = 1
    delta_x = 0
    delta_y = 0

    while (index < k):
        mask = 2 ** index
        delta_y |= mask
        
        # x y
        print(last - delta_y, last - delta_x)
    
        # compute f1(x) == f2(y)
        # write result to stdin
        equal = bool(int(input()))
        if (equal):
            out |= mask
            delta_x |= mask
            delta_y ^= mask

        index += 1

    print(f"{out = }")

solve(256)

stealing-seeds.py

#!/usr/bin/env python3

import os
import signal
import random
from Crypto.Util.number import getPrime, long_to_bytes, bytes_to_long
from hashlib import sha256

assert("FLAG" in os.environ)
FLAG = os.environ["FLAG"]
assert(FLAG.startswith("openECSC{"))
assert(FLAG.endswith("}"))

def main():

    seed_size = 256
    seed = getPrime(seed_size)
    seed = 11

    # Just to protect my seed
    k = random.randint(1, 2**seed_size - 1)

    print(f'{seed_size = }')
    print(f'{seed = }')
    print(f'{k = }')

    print("""I have my seed, if you give me yours we can generate some random numbers together!
Just don't try to steal mine...
""")

    while True:
        choice = int(input("""Which random do you want to use?
1) Secure
2) Even more secure
3) That's enough
> """))
        if choice not in [1, 2, 3]:
            print("We don't have that :(")
            continue
        if choice == 3:
            break
        user_seed = int(
            input("Give me your seed: "))
        if user_seed.bit_length() > seed_size:
            print(
                f"Your seed can be at most {seed_size} bits!")
            continue
        if choice == 1:
            final_seed = ((seed ^ user_seed) +
                           seed) ^ k
        else:
            final_seed = ((seed + user_seed) ^
                           seed) ^ k

        random_number = bytes_to_long(sha256(long_to_bytes(final_seed)).digest())

        print(f"Random number:", random_number)
    
    guess = int(input("Hey, did you steal my seed? "))

    if guess == seed:
        print(FLAG)
    else:
        print("Ok, I trust you")
    return


def handler(signum, frame):
    print("Time over!")
    exit()


if __name__ == "__main__":
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(30000)
    main()