Skip to content

Instantly share code, notes, and snippets.

@StarLI-Trapdoor

StarLI-Trapdoor/Puzzle 2 Write Up.md Secret

Created November 7, 2021 09:11
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save StarLI-Trapdoor/06cf739c45290ca5bc62063376fa1522 to your computer and use it in GitHub Desktop.
Save StarLI-Trapdoor/06cf739c45290ca5bc62063376fa1522 to your computer and use it in GitHub Desktop.
Download ZIP
Puzzle 2 Write Up.md
Raw
Puzzle 2 Write Up.md

In general, we cannot extract the "s" because the DL problem on the right subgroup of ECC is hard. "Right subgroup" means the subgroup's order "r" is a expected large enough prime. If the order is composite, especially can be factorized as some small primes, the DL issue is much easier and some infomation may be leak.

So the key clue of this issue is to check the specific point is whether valid or not, which means the point's order is r or not. Moreover, the G1 and G2 deserialized method in source code is "deserialize_uncheck" which should not guarantee the point is valid. This implies the point may be invalid.

So the 1st, we check the point is valid or not. If not, we should try to find out the order of the point.

1. Call "is_in_correct_subgroup_assuming_on_curve" for every known G1 and G2 point. And all G1 and G2 points are invalid.

2. Find out the order of input G1 and G2:

   let ord(*) represents the order of *.

   G1 order:
   ord(G1) = 3 * 11 * 10177 * 859267 * 52437899 * 52435875175126190479447740508185965837690552500527637822603658699938581184513

   G2 order:
   ord(G2) = 13 * 23 * 2713 * 11953 * 262069 * 402096035359507321594726366720466575392706800671181159425656785868777272553337714697862511267018014931937703598282857976535744623203249 * 52435875175126190479447740508185965837690552500527637822603658699938581184513

According to the above results ord(G1) and ord(G2) are both very large composite but with some small prime factors and 1 or 2 large primes. Large primes mean we cannot solve the DL issue just only on G1 or G2 alone.

let _ts1[0] = g1, _ts2[0] = g2, such that ord(g1) = ord(G1), ord(g2) = ord(G2) and sg1 = _ts1[1] = s * g1, sg2 = _ts2[1] = s * g2.

So the 2nd, we try to extract s from (g1, sg1) and (g2, sg2) by following steps:

1. ord(G1) = 3 * 11 * 10177 * 859267 * 52437899 * r = 15132376222941642753 * r = k1 * r, so we try to find out "s mod k1".

   We try to resolve the following DL issue:

   [r]sg1 = k1' * ([r]g1). 

   So:

   k1' = s mod k1                     (1)

2. Similarly, for (g2, sg2), solve the DL issue sg2' = k2' * g2' with k2 = 13 * 23 * 2713 * 11953 * 262069 = 2541052003438559.

   k2' = s mod k2                     (2)

3. According (1), (2) and CRT, we can find out a solution s'. So the final s is

   s = s' + i * (k1 * k2) since (k1, k2) = 1.

4. Find out the "i" above by brute force such that

   s < 2^128
   sg1 = s * g1

After the above steps, finally, we find out the related "s" such that sg1 = s * g1 and sg2 = s * g2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment