English [HackingWeek 2015] [Crypto3] Write-up

Description

Alice wants to use the ECDSA signature algorithm.
For this, she chooses to use the elliptic curve equation E where y2 = x3 – x, defined on the finite field with q elements, Fq, with q = 134747661567386867366256408824228742802669457 .

She chose P as a base point of order N = 2902021510595963727029 with:
P = (18185174461194872234733581786593019886770620, 74952280828346465277451545812645059041440154)

Then, she chooses as secret signature key a random integer d with 1<d<N.
The public key is the point Q=d⊗P where ⊗ is the scalar multiplication on the elliptic curve E.

The value of Q is:
Q=(76468233972358960368422190121977870066985660, 33884872380845276447083435959215308764231090)

The validation key is given by the value of d.

Resolution

This challenge is about solving the Elliptic Curve Discrete Logarithm Problem (ECDLP).

We used the excellent PARI/GP tool for calculus.

We first checked wether the given elliptic curve was a candidate for Smart’s attack, which leads to a linear algorithm for solving the ECDLP.

For this we need to have #E(Fq) = q.

? q = 134747661567386867366256408824228742802669457
%1 = 134747661567386867366256408824228742802669457
? E = ellinit([0,0,0,-1,0],134747661567386867366256408824228742802669457)
%2 = [Mod(0, 134747661567386867366256408824228742802669457), Mod(0, 134747661567386867366256408824228742802669457), Mod(0, 134747661567386867366256408824228742802669457), Mod(134747661567386867366256408824228742802669456, 134747661567386867366256408824228742802669457), Mod(0, 134747661567386867366256408824228742802669457), Mod(0, 134747661567386867366256408824228742802669457), Mod(134747661567386867366256408824228742802669455, 134747661567386867366256408824228742802669457), Mod(0, 134747661567386867366256408824228742802669457), Mod(134747661567386867366256408824228742802669456, 134747661567386867366256408824228742802669457), Mod(48, 134747661567386867366256408824228742802669457), Mod(0, 134747661567386867366256408824228742802669457), Mod(64, 134747661567386867366256408824228742802669457), Mod(1728, 134747661567386867366256408824228742802669457), Vecsmall([3]), [134747661567386867366256408824228742802669457, [134747661567386867366256408824228742802668161, 0, [6, 0, 0, 0]]], [0, 0, 0, 0]]
? ellcard(E)
%3 =134747661567386867366256408824228742802669456

We have #E(Fq) = q – 1, so we can’t use this attack.

So we decided to rely on PARI/GP’s algorithm to calculate the discrete logarithm :

? P = [18185174461194872234733581786593019886770620, 74952280828346465277451545812645059041440154]
%4 = [18185174461194872234733581786593019886770620, 74952280828346465277451545812645059041440154]
? G = [76468233972358960368422190121977870066985660, 33884872380845276447083435959215308764231090]
%5 = [76468233972358960368422190121977870066985660, 33884872380845276447083435959215308764231090]
? N = 2902021510595963727029
%6 = 2902021510595963727029
? ord = [N, factor(N)]
%7 = [2902021510595963727029, Mat([2902021510595963727029, 1])]
? d = elllog(E, G, P, ord)
%8 = 1598838546070749569403

Bingo ! The flag is 1598838546070749569403.

Leave a Reply

Your email address will not be published.