ROT256 : Cryptography & Other Random Bits.https://rot256.dev/Recent posts on ROT256 : Cryptography & Other Random Bits.en-usFri, 04 Jul 2025 00:00:00 +0000Multilinear Proofs, Part I: Cubes & Rootshttps://rot256.dev/post/mle-1-basics/Thu, 03 Jul 2025 00:00:00 +0000https://rot256.dev/post/mle-1-basics/<p><img src="./milano.png" alt="Milano"></p> <h1 id="introduction">Introduction</h1> <p>This series of posts aims to be a <em>comprehensive</em> collection of facts, protocols, and theorems related to the information-theoretic foundations of multilinear proof systems. By &ldquo;multilinear proof system&rdquo; we refer to a system with multilinear polynomials as the underlying &ldquo;arithmetization&rdquo; of the proof system: where satisfiability of the computation, a (RAM) machine or circuit, is expressed as randomized relations between multilinear polynomials and the witness is the evaluation of multilinear polynomials over some tensor product.</p>Spikey Elf @ HXP 38C3 CTFhttps://rot256.dev/post/spiky-elf/Thu, 02 Jan 2025 00:00:00 +0000https://rot256.dev/post/spiky-elf/<p><img src="./top.png" alt="top"></p> <p>Happy new year!</p> <p>Here is a writeup for the challenge <code>Spikey Elf</code> from the 38C3 CTF by HXP.</p> <h1 id="the-challenge">The Challenge</h1> <p>We are given the following code:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sage" data-lang="sage"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env sage</span> </span></span><span class="line"><span class="cl"><span class="n">proof</span><span class="o">.</span><span class="n">all</span><span class="p">(</span><span class="kc">False</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">bits</span> <span class="o">=</span> <span class="mi">1024</span> </span></span><span class="line"><span class="cl"><span class="n">errs</span> <span class="o">=</span> <span class="mi">16</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">p</span> <span class="o">=</span> <span class="n">random_prime</span><span class="p">(</span><span class="mi">2</span><span class="o">^</span><span class="p">(</span><span class="n">bits</span><span class="o">//</span><span class="mi">2</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">q</span> <span class="o">=</span> <span class="n">random_prime</span><span class="p">(</span><span class="mi">2</span><span class="o">^</span><span class="p">(</span><span class="n">bits</span><span class="o">//</span><span class="mi">2</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">n</span> <span class="o">=</span> <span class="n">p</span> <span class="o">*</span> <span class="n">q</span> </span></span><span class="line"><span class="cl"><span class="n">e</span> <span class="o">=</span> <span class="mh">0x10001</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">n</span> <span class="si">= :</span><span class="s1">#x</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">e</span> <span class="si">= :</span><span class="s1">#x</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">flag</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="s1">&#39;flag.txt&#39;</span><span class="p">,</span><span class="s1">&#39;rb&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">strip</span><span class="p">()),</span> <span class="n">e</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">flag</span> <span class="si">= :</span><span class="s1">#x</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">d</span> <span class="o">=</span> <span class="n">inverse_mod</span><span class="p">(</span><span class="n">e</span><span class="p">,</span> <span class="n">lcm</span><span class="p">(</span><span class="n">p</span><span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">q</span><span class="o">-</span><span class="mi">1</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">locs</span> <span class="o">=</span> <span class="nb">sorted</span><span class="p">(</span><span class="n">Subsets</span><span class="p">(</span><span class="nb">range</span><span class="p">(</span><span class="n">bits</span><span class="p">),</span> <span class="n">errs</span><span class="p">)</span><span class="o">.</span><span class="n">random_element</span><span class="p">())</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">loc</span> <span class="ow">in</span> <span class="n">locs</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">d</span> <span class="o">^^=</span> <span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">loc</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">d</span> <span class="si">= :</span><span class="s1">#x</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span></code></pre></div><p>And the output:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-txt" data-lang="txt"><span class="line"><span class="cl">n = 0x639d87bf6a02786607d67741ebde10aa39746dc8ed22b191ff2 </span></span><span class="line"><span class="cl"> fefe9c210b3ee2ce68b185dc7f8069e78441bdec1d33e2b342c22 </span></span><span class="line"><span class="cl"> 6b5cde8a49f567ac11a3bcb7ff88eeededdd0d50eb981635920d2 </span></span><span class="line"><span class="cl"> 380a6b878d327b261821355d65b2ef9f807035a70c77252d09787 </span></span><span class="line"><span class="cl"> c2b3dfafdfa4f5c6b39a1c66c5b39fe9d1ee4b36d86d5 </span></span><span class="line"><span class="cl">e = 0x10001 </span></span><span class="line"><span class="cl">flag = 0x40208a7900b1575431a49690030e4eb8be6269edcd3c7b2d </span></span><span class="line"><span class="cl"> 97ae94a6eb744e9c622d81b95ea45b23ee6e0d773e3dd48adc6bb </span></span><span class="line"><span class="cl"> 2c7c6423d8fd52eddcc6c0710f607590d5fc57a45883a36ad0d85 </span></span><span class="line"><span class="cl"> 1f84d4bee86ffaf65bc1773f97430080926550dce3666051befa8 </span></span><span class="line"><span class="cl"> 7bacc01d44dd09baa6ae93a85cedde5933f7cbbe2cb56cdd </span></span><span class="line"><span class="cl">d = 0x1a54893799cd9805600cfaee1c8a408813525db268fbc29e7f2 </span></span><span class="line"><span class="cl"> a81eb47b64d2dd20dc8be52b6332e375f92a120957042a92a4bd4 </span></span><span class="line"><span class="cl"> f5e13ef14e9b398bec330602dc9dbbb63cf3dfe6d33bf95d08306 </span></span><span class="line"><span class="cl"> a894b052e005a57cc41673fe866f4f8b2ffb0aa26fc4c51a8f513 </span></span><span class="line"><span class="cl"> 5e40df2107e0259ddf4c1d9c1eb41b1f702b135c941 </span></span></code></pre></div><p>In other words:</p>Proof-Carrying Border Gateway Protocolhttps://rot256.dev/post/bgp-pcd/Wed, 25 Dec 2024 00:00:00 +0000https://rot256.dev/post/bgp-pcd/<p><img src="./top-mono.png" alt=""></p> <h1 id="introduction">Introduction</h1> <p>The Border Gateway Protocol (BGP) is <em>the central protocol</em> of the internet, responsible for configuring routing tables of autonomous systems (ASes) across the globe. Unfortunately, it is incredibly vulnerable, and attempts to bolt cryptography onto BGP have been largely unsuccessful. This is partly because of a mismatch between how BGP works and how cryptographic signatures work. In this post we will explore an alternate way of securing BGP using Proof-Carrying Data. This is particularly relevant because:</p>Multivariate Sum-Checkhttps://rot256.dev/post/multivariate-sum/Sun, 14 Apr 2024 00:00:00 +0000https://rot256.dev/post/multivariate-sum/<p><img src="./top-bw.png" alt=""></p> <p>This a short post explaining the <em>multivariate sum-check</em>: a fundamental subprotocol used throughout multivariate succinct arguments (e.g. Spartan, HyperPlonK, etc). Roughly speaking, it often serves the same role as the divisibility check in the univariate contexts.</p> <!-- The motivation for this post is simple: *I find the existing explanations of the multivariate sumcheck overly complicated/magical.* However, it is really a *very simple* and very intuitive protocol; as we will see. --> <p>This post assumes familiarity with finite fields, polynomials and lagrange interpolation/basis.</p>Fast Reed-Solomon IOP (FRI) Proximity Testhttps://rot256.dev/post/fri/Sun, 19 Nov 2023 00:00:00 +0000https://rot256.dev/post/fri/<!-- todo: move to head --> <script src="./sage.js" ></script> <script src="./fri.js" type="module"></script> <link rel="stylesheet" as="style" href="./style.css" /> <p><img src="top.jpg" alt=""></p> <h1 id="introduction">Introduction</h1> <p>In this post we will take a look at the <strong>F</strong>ast <strong>R</strong>eed-Solomon <strong>I</strong>OP (FRI) proximity test, which enables an untrusted prover to convince a verifier that a committed vector is <em>close</em> to a Reed-Solomon codeword with communication only poly-logarithmic in the dimension of the code. This is readily used to construct practically efficient zkSNARKs from just cryptographic hash functions (rather random oracles), <em>without the need for a trusted setup</em>.</p>Code Signing for Web Applications Using SXGhttps://rot256.dev/post/browser-crypto/Sun, 20 Aug 2023 00:00:00 +0000https://rot256.dev/post/browser-crypto/<p><img src="quill-write.svg" alt="Quill" title="Let's (reproducibly) build and sign web applications."></p> <p>Or, how to use <a href="https://web.dev/signed-exchanges/">Signed HTTP Exchanges (SXG)</a> for good by building a trustworthy software distribution method for the web.</p> <h1 id="intro-in-browser-crypto-its-everywhere">Intro. In-Browser Crypto: It&rsquo;s Everywhere.</h1> <p>In this post we will look at web applications deploying cryptography to protect users in the event of the service operator going rouge (or being hacked). Prominently among such applications are those offering end-to-end encryption (E2EE) for files storage, calls or messaging, wherein a malicious service provider cannot see the contents of the users communication because it is encrypted before being to the service. All such applications must use cryptography executed on the client-side, which in the case of web applications means Javascript or Web Assembly served by a webserver and executed in the users browser upon visiting the site hosting the application. Here is just a small selection of a diverse set of applications using this type of in-browser cryptography:</p>Mixed Trees: Trade-Off Between (In/Out-Of)-Circuit Costshttps://rot256.dev/post/mix-trees/Wed, 19 Apr 2023 00:00:00 +0000https://rot256.dev/post/mix-trees/<p><img src="https://rot256.dev/post/mix-trees/top-bw.jpg#center" alt="Top" title="Clock at Boston University Campus on a snowy January night."></p> <p>In applications where membership of the Merkle tree must be proved inside a SNARK, the concrete cost of expressing the compression function in the proof system (in terms of gates/R1CS constraints etc.) affects performance of the prover massively.</p> <p>This has lead to the study/creation of so-called SNARK-friendly hash functions: hash functions with &lsquo;&rsquo;nice algebraic&rsquo;&rsquo; descriptions over (large) finite fields, enabling an efficient description of the function as an arithmetic circuit over the field on which the SNARK operates. Unfortunately such compression functions are often inherently expensive to evaluate, due to their use of field operations in large finite fields &ndash; which is substantially slower than word/bit operations used in e.g. SHA256 or Blake2s.</p>Git-Ring: Easy & Flexible SSH Ring Signatures.https://rot256.dev/post/git-ring/Mon, 10 Oct 2022 00:00:00 +0000https://rot256.dev/post/git-ring/<img src="top.svg#center" alt="a key in the shape of a question mark" title="Image generated by DALLĀ·E and vectorized/simplified using Inkscape" width=150vh> <br> <p>This is the companion post to a tool, <a href="https://github.com/rot256/git-ring">git-ring</a>, that I recently released on Github.</p> <p>Github/Gitlab makes the public keys of its users publicly available (at github.com/USERNAME.keys and gitlab.com/USERNAME.keys), this means that these services bind the users identity to public keys via this endpoint. Git-ring &ldquo;exploits&rdquo; this to enable the creation of (cryptographic) proofs showing membership among a set of users (or organizations) without revealing the identity of the person generating the proof. The public keys of everyone (including the signer) is automatically downloaded from Github, while the tool finds the correct private key on the signers local computer. All this combined makes using the tool pretty easy, as shown below, where we sign a message and then verify the resulting signature.</p>H1 @ Google CTF 2021https://rot256.dev/post/h1/Sat, 24 Jul 2021 00:00:00 +0000https://rot256.dev/post/h1/<h1 id="the-h1-challenge">The &ldquo;H1&rdquo; Challenge</h1> <p>We are given two files. A python3 script (<code>chall.py</code>):</p> <details> <summary>Python Script (click to expand)</summary> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/python3</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">hashlib</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">cryptography.hazmat.backends</span> <span class="kn">import</span> <span class="n">default_backend</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">padding</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">cryptography.hazmat.primitives.ciphers</span> <span class="kn">import</span> <span class="n">Cipher</span><span class="p">,</span> <span class="n">algorithms</span><span class="p">,</span> <span class="n">modes</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">flag</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;flag.txt&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">INF</span> <span class="o">=</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">mod</span> <span class="o">=</span> <span class="mi">8948962207650232551656602815159153422162609644098354511344597187200057010413552439917934304191956942765446530386427345937963894309923928536070534607816947</span> </span></span><span class="line"><span class="cl"><span class="n">a</span> <span class="o">=</span> <span class="mi">6294860557973063227666421306476379324074715770622746227136910445450301914281276098027990968407983962691151853678563877834221834027439718238065725844264138</span> </span></span><span class="line"><span class="cl"><span class="n">b</span> <span class="o">=</span> <span class="mi">3245789008328967059274849584342077916531909009637501918328323668736179176583263496463525128488282611559800773506973771797764811498834995234341530862286627</span> </span></span><span class="line"><span class="cl"><span class="n">n</span> <span class="o">=</span> <span class="mi">8948962207650232551656602815159153422162609644098354511344597187200057010413418528378981730643524959857451398370029280583094215613882043973354392115544169</span> </span></span><span class="line"><span class="cl"><span class="n">G</span> <span class="o">=</span> <span class="p">(</span><span class="mi">5139617820728399941653175323358137352238277428061991823713659546881441331696699723004749024403291797641521696406798421624364096550661311227399430098134141</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">1798860115416690485862271986832828064808333512613833729548071279524320966991708554765227095605106785724406691559310536469721469398449016850588110200884962</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="mi">5042518522433577951395875294780962682755843408950010956510838422057522452845550974098236475624683438351211176927595173916071040272153903968536756498306512</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Double</span><span class="p">(</span><span class="n">p</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">x</span><span class="p">,</span> <span class="n">y</span><span class="p">,</span> <span class="n">z</span> <span class="o">=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">z</span> <span class="o">==</span> <span class="mi">0</span> <span class="ow">or</span> <span class="n">y</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">INF</span> </span></span><span class="line"><span class="cl"> <span class="n">ysqr</span> <span class="o">=</span> <span class="n">y</span> <span class="o">*</span> <span class="n">y</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">zsqr</span> <span class="o">=</span> <span class="n">z</span> <span class="o">*</span> <span class="n">z</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="mi">4</span> <span class="o">*</span> <span class="n">x</span> <span class="o">*</span> <span class="n">ysqr</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">m</span> <span class="o">=</span> <span class="p">(</span><span class="mi">3</span> <span class="o">*</span> <span class="n">x</span> <span class="o">*</span> <span class="n">x</span> <span class="o">+</span> <span class="n">a</span> <span class="o">*</span> <span class="n">zsqr</span> <span class="o">*</span> <span class="n">zsqr</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">x2</span> <span class="o">=</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span> <span class="n">m</span> <span class="o">-</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">s</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">y2</span> <span class="o">=</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span> <span class="p">(</span><span class="n">s</span> <span class="o">-</span> <span class="n">x2</span><span class="p">)</span> <span class="o">-</span> <span class="mi">8</span> <span class="o">*</span> <span class="n">ysqr</span> <span class="o">*</span> <span class="n">ysqr</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">z2</span> <span class="o">=</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">y</span> <span class="o">*</span> <span class="n">z</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">x2</span><span class="p">,</span> <span class="n">y2</span><span class="p">,</span> <span class="n">z2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Add</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">q</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">p</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">q</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">q</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="n">x1</span><span class="p">,</span> <span class="n">y1</span><span class="p">,</span> <span class="n">z1</span> <span class="o">=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="n">x2</span><span class="p">,</span> <span class="n">y2</span><span class="p">,</span> <span class="n">z2</span> <span class="o">=</span> <span class="n">q</span> </span></span><span class="line"><span class="cl"> <span class="n">z1sqr</span> <span class="o">=</span> <span class="n">z1</span> <span class="o">*</span> <span class="n">z1</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">z2sqr</span> <span class="o">=</span> <span class="n">z2</span> <span class="o">*</span> <span class="n">z2</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">u1</span> <span class="o">=</span> <span class="n">x1</span> <span class="o">*</span> <span class="n">z2sqr</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">u2</span> <span class="o">=</span> <span class="n">x2</span> <span class="o">*</span> <span class="n">z1sqr</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">s1</span> <span class="o">=</span> <span class="n">y1</span> <span class="o">*</span> <span class="n">z2</span> <span class="o">*</span> <span class="n">z2sqr</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">s2</span> <span class="o">=</span> <span class="n">y2</span> <span class="o">*</span> <span class="n">z1</span> <span class="o">*</span> <span class="n">z1sqr</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">u1</span> <span class="o">==</span> <span class="n">u2</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">s1</span> <span class="o">!=</span> <span class="n">s2</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">INF</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">Double</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">h</span> <span class="o">=</span> <span class="n">u2</span> <span class="o">-</span> <span class="n">u1</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">hsqr</span> <span class="o">=</span> <span class="n">h</span> <span class="o">*</span> <span class="n">h</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">hcube</span> <span class="o">=</span> <span class="n">hsqr</span> <span class="o">*</span> <span class="n">h</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="n">s2</span> <span class="o">-</span> <span class="n">s1</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">t</span> <span class="o">=</span> <span class="n">u1</span> <span class="o">*</span> <span class="n">hsqr</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">x3</span> <span class="o">=</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span> <span class="n">r</span> <span class="o">-</span> <span class="n">hcube</span> <span class="o">-</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">t</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">y3</span> <span class="o">=</span> <span class="p">(</span><span class="n">r</span> <span class="o">*</span> <span class="p">(</span><span class="n">t</span> <span class="o">-</span> <span class="n">x3</span><span class="p">)</span> <span class="o">-</span> <span class="n">s1</span> <span class="o">*</span> <span class="n">hcube</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="n">z3</span> <span class="o">=</span> <span class="n">h</span> <span class="o">*</span> <span class="n">z1</span> <span class="o">*</span> <span class="n">z2</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">x3</span><span class="p">,</span> <span class="n">y3</span><span class="p">,</span> <span class="n">z3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Multiply</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">x</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">p</span> <span class="o">==</span> <span class="n">INF</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="n">res</span> <span class="o">=</span> <span class="n">INF</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="n">x</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">x</span><span class="p">,</span> <span class="n">r</span> <span class="o">=</span> <span class="nb">divmod</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">r</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">res</span> <span class="o">=</span> <span class="n">Add</span><span class="p">(</span><span class="n">res</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">Double</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">res</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Transform</span><span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">l</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">z</span> <span class="o">=</span> <span class="n">m</span> </span></span><span class="line"><span class="cl"> <span class="n">shift</span> <span class="o">=</span> <span class="n">l</span> <span class="o">-</span> <span class="n">n</span><span class="o">.</span><span class="n">bit_length</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">shift</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">z</span> <span class="o">&gt;&gt;=</span> <span class="n">shift</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">z</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">RNG</span><span class="p">(</span><span class="n">nbits</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">nbytes</span> <span class="o">=</span> <span class="n">nbits</span> <span class="o">//</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"> <span class="n">B</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="n">nbytes</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">a</span> <span class="o">*</span> <span class="nb">sum</span><span class="p">([</span><span class="n">B</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">*</span> <span class="n">b</span> <span class="o">**</span> <span class="n">i</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">B</span><span class="p">))])</span> <span class="o">%</span> <span class="mi">2</span><span class="o">**</span><span class="n">nbits</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Sign</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">d</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">h</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha512</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">z</span> <span class="o">=</span> <span class="n">Transform</span><span class="p">(</span><span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="n">h</span><span class="o">.</span><span class="n">digest</span><span class="p">(),</span> <span class="s1">&#39;big&#39;</span><span class="p">),</span> <span class="n">h</span><span class="o">.</span><span class="n">digest_size</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">k</span> <span class="o">=</span> <span class="n">RNG</span><span class="p">(</span><span class="n">n</span><span class="o">.</span><span class="n">bit_length</span><span class="p">(),</span> <span class="mi">16843009</span><span class="p">,</span> <span class="mi">4294967296</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">x1</span><span class="p">,</span> <span class="n">y1</span><span class="p">,</span> <span class="n">z1</span> <span class="o">=</span> <span class="n">Multiply</span><span class="p">(</span><span class="n">G</span><span class="p">,</span> <span class="n">k</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="p">(</span><span class="n">x1</span> <span class="o">*</span> <span class="nb">pow</span><span class="p">(</span><span class="n">z1</span><span class="p">,</span> <span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="n">mod</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span><span class="p">)</span> <span class="o">%</span> <span class="n">n</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">k</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="o">*</span> <span class="p">(</span><span class="n">z</span> <span class="o">+</span> <span class="n">r</span> <span class="o">*</span> <span class="n">d</span><span class="p">)</span> <span class="o">%</span> <span class="n">n</span> </span></span><span class="line"><span class="cl"> <span class="k">assert</span> <span class="nb">int</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="o">==</span> <span class="nb">pow</span><span class="p">(</span><span class="n">k</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="o">*</span> <span class="p">(</span><span class="n">z</span> <span class="o">+</span> <span class="n">r</span> <span class="o">*</span> <span class="n">d</span><span class="p">)</span> <span class="o">%</span> <span class="n">n</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">r</span><span class="p">,</span> <span class="n">s</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Verify</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">Q</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">s</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">h</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha512</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">z</span> <span class="o">=</span> <span class="n">Transform</span><span class="p">(</span><span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="n">h</span><span class="o">.</span><span class="n">digest</span><span class="p">(),</span> <span class="s1">&#39;big&#39;</span><span class="p">),</span> <span class="n">h</span><span class="o">.</span><span class="n">digest_size</span><span class="o">*</span><span class="mi">8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">u1</span> <span class="o">=</span> <span class="n">z</span><span class="o">*</span><span class="nb">pow</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="o">%</span> <span class="n">n</span> </span></span><span class="line"><span class="cl"> <span class="n">u2</span> <span class="o">=</span> <span class="n">r</span><span class="o">*</span><span class="nb">pow</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="o">%</span> <span class="n">n</span> </span></span><span class="line"><span class="cl"> <span class="n">x1</span><span class="p">,</span> <span class="n">y1</span><span class="p">,</span> <span class="n">z1</span> <span class="o">=</span> <span class="n">Add</span><span class="p">(</span><span class="n">Multiply</span><span class="p">(</span><span class="n">G</span><span class="p">,</span> <span class="n">u1</span><span class="p">),</span> <span class="n">Multiply</span><span class="p">(</span><span class="n">Q</span><span class="p">,</span> <span class="n">u2</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">r</span> <span class="o">==</span> <span class="p">(</span><span class="n">x1</span> <span class="o">*</span> <span class="nb">pow</span><span class="p">(</span><span class="n">z1</span><span class="p">,</span> <span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="n">mod</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span><span class="p">)</span> <span class="o">%</span> <span class="n">n</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Encrypt</span><span class="p">(</span><span class="n">plaintext</span><span class="p">,</span> <span class="n">x</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">key</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha256</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">x</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">digest</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">aes</span> <span class="o">=</span> <span class="n">algorithms</span><span class="o">.</span><span class="n">AES</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">encryptor</span> <span class="o">=</span> <span class="n">Cipher</span><span class="p">(</span><span class="n">aes</span><span class="p">,</span> <span class="n">modes</span><span class="o">.</span><span class="n">ECB</span><span class="p">(),</span> <span class="n">default_backend</span><span class="p">())</span><span class="o">.</span><span class="n">encryptor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">padder</span> <span class="o">=</span> <span class="n">padding</span><span class="o">.</span><span class="n">PKCS7</span><span class="p">(</span><span class="n">aes</span><span class="o">.</span><span class="n">block_size</span><span class="p">)</span><span class="o">.</span><span class="n">padder</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">padded_data</span> <span class="o">=</span> <span class="n">padder</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">plaintext</span><span class="p">)</span> <span class="o">+</span> <span class="n">padder</span><span class="o">.</span><span class="n">finalize</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">encryptor</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">padded_data</span><span class="p">)</span> <span class="o">+</span> <span class="n">encryptor</span><span class="o">.</span><span class="n">finalize</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ciphertext</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">Decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">,</span> <span class="n">x</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">key</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha256</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">x</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">digest</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">aes</span> <span class="o">=</span> <span class="n">algorithms</span><span class="o">.</span><span class="n">AES</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">decryptor</span> <span class="o">=</span> <span class="n">Cipher</span><span class="p">(</span><span class="n">aes</span><span class="p">,</span> <span class="n">modes</span><span class="o">.</span><span class="n">ECB</span><span class="p">(),</span> <span class="n">default_backend</span><span class="p">())</span><span class="o">.</span><span class="n">decryptor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">unpadder</span> <span class="o">=</span> <span class="n">padding</span><span class="o">.</span><span class="n">PKCS7</span><span class="p">(</span><span class="n">aes</span><span class="o">.</span><span class="n">block_size</span><span class="p">)</span><span class="o">.</span><span class="n">unpadder</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">decrypted_data</span> <span class="o">=</span> <span class="n">decryptor</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="o">+</span> <span class="n">decryptor</span><span class="o">.</span><span class="n">finalize</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">unpadder</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">decrypted_data</span><span class="p">)</span> <span class="o">+</span> <span class="n">unpadder</span><span class="o">.</span><span class="n">finalize</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">plaintext</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Alice and Bob have their keys:</span> </span></span><span class="line"><span class="cl"><span class="n">da</span> <span class="o">=</span> <span class="n">RNG</span><span class="p">(</span><span class="n">n</span><span class="o">.</span><span class="n">bit_length</span><span class="p">(),</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">Qa</span> <span class="o">=</span> <span class="n">Multiply</span><span class="p">(</span><span class="n">G</span><span class="p">,</span> <span class="n">da</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">db</span> <span class="o">=</span> <span class="n">RNG</span><span class="p">(</span><span class="n">n</span><span class="o">.</span><span class="n">bit_length</span><span class="p">(),</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">Qb</span> <span class="o">=</span> <span class="n">Multiply</span><span class="p">(</span><span class="n">G</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">x1a</span><span class="p">,</span> <span class="n">y1a</span><span class="p">,</span> <span class="n">z1a</span> <span class="o">=</span> <span class="n">Multiply</span><span class="p">(</span><span class="n">Qb</span><span class="p">,</span> <span class="n">da</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ka</span> <span class="o">=</span> <span class="n">x1a</span> <span class="o">*</span> <span class="nb">pow</span><span class="p">(</span><span class="n">z1a</span><span class="p">,</span> <span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="n">mod</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"><span class="n">x1b</span><span class="p">,</span> <span class="n">y1b</span><span class="p">,</span> <span class="n">z1b</span> <span class="o">=</span> <span class="n">Multiply</span><span class="p">(</span><span class="n">Qa</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">kb</span> <span class="o">=</span> <span class="n">x1b</span> <span class="o">*</span> <span class="nb">pow</span><span class="p">(</span><span class="n">z1b</span><span class="p">,</span> <span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="n">mod</span><span class="p">)</span> <span class="o">%</span> <span class="n">mod</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Alice sends message to Bob:</span> </span></span><span class="line"><span class="cl"><span class="n">msga</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;Hello Bob.&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">ra</span><span class="p">,</span> <span class="n">sa</span> <span class="o">=</span> <span class="n">Sign</span><span class="p">(</span><span class="n">msga</span><span class="p">,</span> <span class="n">da</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ca</span> <span class="o">=</span> <span class="n">Encrypt</span><span class="p">(</span><span class="n">msga</span><span class="p">,</span> <span class="n">ka</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Alice -&gt; Bob:&#39;</span><span class="p">,</span> <span class="p">(</span><span class="n">ra</span><span class="p">,</span> <span class="n">sa</span><span class="p">,</span> <span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="n">ca</span><span class="p">,</span> <span class="s1">&#39;big&#39;</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Bob receives and verifies message:</span> </span></span><span class="line"><span class="cl"><span class="n">recv_msg</span> <span class="o">=</span> <span class="n">Decrypt</span><span class="p">(</span><span class="n">ca</span><span class="p">,</span> <span class="n">kb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">assert</span> <span class="n">Verify</span><span class="p">(</span><span class="n">recv_msg</span><span class="p">,</span> <span class="n">Qa</span><span class="p">,</span> <span class="n">ra</span><span class="p">,</span> <span class="n">sa</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Bob sends message to Alice:</span> </span></span><span class="line"><span class="cl"><span class="n">msgb</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;Hello Alice.&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">rb</span><span class="p">,</span> <span class="n">sb</span> <span class="o">=</span> <span class="n">Sign</span><span class="p">(</span><span class="n">msgb</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">cb</span> <span class="o">=</span> <span class="n">Encrypt</span><span class="p">(</span><span class="n">msgb</span><span class="p">,</span> <span class="n">kb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Bob -&gt; Alice:&#39;</span><span class="p">,</span> <span class="p">(</span><span class="n">rb</span><span class="p">,</span> <span class="n">sb</span><span class="p">,</span> <span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="n">cb</span><span class="p">,</span> <span class="s1">&#39;big&#39;</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Alice receives and verifies message:</span> </span></span><span class="line"><span class="cl"><span class="n">recv_msg</span> <span class="o">=</span> <span class="n">Decrypt</span><span class="p">(</span><span class="n">cb</span><span class="p">,</span> <span class="n">ka</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">assert</span> <span class="n">Verify</span><span class="p">(</span><span class="n">recv_msg</span><span class="p">,</span> <span class="n">Qb</span><span class="p">,</span> <span class="n">rb</span><span class="p">,</span> <span class="n">sb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Alice sends message to Bob:</span> </span></span><span class="line"><span class="cl"><span class="n">msga</span> <span class="o">=</span> <span class="p">(</span><span class="sa">f</span><span class="s1">&#39;Dinner tonight? What about Tapioca? Btw, here is the flag: </span><span class="si">{</span><span class="n">flag</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">ra</span><span class="p">,</span> <span class="n">sa</span> <span class="o">=</span> <span class="n">Sign</span><span class="p">(</span><span class="n">msga</span><span class="p">,</span> <span class="n">da</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">ca</span> <span class="o">=</span> <span class="n">Encrypt</span><span class="p">(</span><span class="n">msga</span><span class="p">,</span> <span class="n">ka</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Alice -&gt; Bob:&#39;</span><span class="p">,</span> <span class="p">(</span><span class="n">ra</span><span class="p">,</span> <span class="n">sa</span><span class="p">,</span> <span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="n">ca</span><span class="p">,</span> <span class="s1">&#39;big&#39;</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Bob receives and verifies message:</span> </span></span><span class="line"><span class="cl"><span class="n">recv_msg</span> <span class="o">=</span> <span class="n">Decrypt</span><span class="p">(</span><span class="n">ca</span><span class="p">,</span> <span class="n">kb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">assert</span> <span class="n">Verify</span><span class="p">(</span><span class="n">recv_msg</span><span class="p">,</span> <span class="n">Qa</span><span class="p">,</span> <span class="n">ra</span><span class="p">,</span> <span class="n">sa</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Bob sends message to Alice:</span> </span></span><span class="line"><span class="cl"><span class="n">msgb</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;Dinner sounds good. Thanks for the flag.&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">rb</span><span class="p">,</span> <span class="n">sb</span> <span class="o">=</span> <span class="n">Sign</span><span class="p">(</span><span class="n">msgb</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">cb</span> <span class="o">=</span> <span class="n">Encrypt</span><span class="p">(</span><span class="n">msgb</span><span class="p">,</span> <span class="n">kb</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Bob -&gt; Alice:&#39;</span><span class="p">,</span> <span class="p">(</span><span class="n">rb</span><span class="p">,</span> <span class="n">sb</span><span class="p">,</span> <span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="n">cb</span><span class="p">,</span> <span class="s1">&#39;big&#39;</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Alice receives and verifies message:</span> </span></span><span class="line"><span class="cl"><span class="n">recv_msg</span> <span class="o">=</span> <span class="n">Decrypt</span><span class="p">(</span><span class="n">cb</span><span class="p">,</span> <span class="n">ka</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">assert</span> <span class="n">Verify</span><span class="p">(</span><span class="n">recv_msg</span><span class="p">,</span> <span class="n">Qb</span><span class="p">,</span> <span class="n">rb</span><span class="p">,</span> <span class="n">sb</span><span class="p">)</span></span></span></code></pre></td></tr></table> </div> </div> </details> <p>And the following output (stdout from the python script):</p>(In)Security of the "Pass" password managerhttps://rot256.dev/post/pass/Fri, 01 Jan 2021 00:00:00 +0000https://rot256.dev/post/pass/<p><img src="https://rot256.dev/post/pass/link.svg#center" alt="Pass" title="Pass provides no cryptographic binding between keys (services) and values (passwords)"></p> <h1 id="what-is-pass">What is Pass?</h1> <p>What is &ldquo;Pass; the standard unix password manager&rdquo;?</p> <blockquote> <p>Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.</p>Differential Fault Injection Against AES on Atmega328https://rot256.dev/post/glitch/Mon, 09 Mar 2020 00:00:00 +0000https://rot256.dev/post/glitch/<img src="top-simple.svg#center" width="50%"> <p>A walk-through of real-world AES fault injection for dummies on a shoestring budget.</p> <h1 id="introduction">Introduction</h1> <p>In the post we will setup a microcontroller which encrypts using AES with an unknown key, then explore how to recover the full AES key from simply (randomly) glitching the power-supply which will introduce faults in the arithmetic during the computation of AES encryption.</p> <p>This post is designed to serve as a tutorial and enable the reader to follow along. If you get stuck anywhere (or lack the hardware), just skip the current step and pick up the provided files which will enable you to continue from the next step onwards. To this end there is an <a href="https://github.com/rot256/aes-atmega328-glitching">associated Github repository</a> which contains the victim code, the attack and visualization scripts as well as the raw samples I collected &ndash; which can be used in lieu of setting up the hardware yourself.</p>HalfFeed @ Codegate 2020https://rot256.dev/post/halffeed/Thu, 13 Feb 2020 00:00:00 +0000https://rot256.dev/post/halffeed/<h1 id="halffeed">HalfFeed</h1> <p>The HalfFeed service allows us to encrypt almost any message. The only restriction is that it cannot contain the string &ldquo;cat flag&rdquo;:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">encrypt</span><span class="p">(</span><span class="n">halffeed</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">nonce</span> </span></span><span class="line"><span class="cl"> <span class="n">P</span> <span class="o">=</span> <span class="n">recv_data</span><span class="p">(</span><span class="s1">&#39;plaintext&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="sa">b</span><span class="s1">&#39;cat flag&#39;</span> <span class="ow">in</span> <span class="n">P</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;[EXCEPTION] Invalid Command &#34;cat flag&#34;&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">C</span><span class="p">,</span> <span class="n">T</span> <span class="o">=</span> <span class="n">halffeed</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">nonce</span><span class="o">.</span><span class="n">to_bytes</span><span class="p">(</span><span class="mi">16</span><span class="p">,</span> <span class="n">byteorder</span><span class="o">=</span><span class="s1">&#39;big&#39;</span><span class="p">),</span> <span class="n">P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">send_data</span><span class="p">(</span><span class="s1">&#39;ciphertext&#39;</span><span class="p">,</span> <span class="n">C</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">send_data</span><span class="p">(</span><span class="s1">&#39;tag&#39;</span><span class="p">,</span> <span class="n">T</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">nonce</span> <span class="o">+=</span> <span class="mi">1</span> </span></span></code></pre></div><p>We can also provide a ciphertext, that is split on &ldquo;;&rdquo;. If any of the segments is &ldquo;cat flag&rdquo; we win:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">execute</span><span class="p">(</span><span class="n">halffeed</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">N</span> <span class="o">=</span> <span class="n">recv_data</span><span class="p">(</span><span class="s1">&#39;nonce&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">C</span> <span class="o">=</span> <span class="n">recv_data</span><span class="p">(</span><span class="s1">&#39;ciphertext&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">T</span> <span class="o">=</span> <span class="n">recv_data</span><span class="p">(</span><span class="s1">&#39;tag&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">P</span> <span class="o">=</span> <span class="n">halffeed</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">N</span><span class="p">,</span> <span class="n">C</span><span class="p">,</span> <span class="n">T</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">P</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">cmds</span> <span class="o">=</span> <span class="n">P</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;;&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">cmd</span> <span class="ow">in</span> <span class="n">cmds</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">cmd</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> <span class="o">==</span> <span class="sa">b</span><span class="s1">&#39;cat flag&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;./flag&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">read</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;[EXCEPTION] Unknown Command&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;[EXCEPTION] Authentication Failed&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">()</span> </span></span></code></pre></div><p>We have our job cut out for us.</p>3DES-HMAC @ AU-CTFhttps://rot256.dev/post/3des-hmac/Thu, 16 May 2019 00:00:00 +0000https://rot256.dev/post/3des-hmac/<h1 id="the-3des-hmac-challenge">The &ldquo;3DES-HMAC&rdquo; challenge</h1> <blockquote> <p>This challenge is written in Rust. So it is automatically secure, right?</p> <p>&ndash; Challenge Text</p></blockquote> <p>Original challenge files can be found <a href="https://rot256.dev/post/3des-hmac/3des-hmac.tar.gz">here</a>.</p> <h2 id="setting-the-stage">Setting the stage</h2> <p>We are given a simple web-application written in Rust using the Actix framework.</p> <p><img src="https://rot256.dev/post/3des-hmac/page.png" alt="No Image?" title="3DES-HMAC Login Page"></p> <p>Looking at the server code we find a handler which allows us to retrieve the flag if we are logged in as &ldquo;<code>almighty_administrator</code>&rdquo; with the &ldquo;<code>is_admin</code>&rdquo; key set to &ldquo;<code>of_course</code>&rdquo;:</p>Zero-Correlation Linear Cryptanalysishttps://rot256.dev/post/zero-correlation/Sun, 01 Apr 2018 00:00:00 +0000https://rot256.dev/post/zero-correlation/<p><img src="top2.jpg#center" alt=""></p> <h1 id="introduction">Introduction</h1> <p><strong>Update:</strong> Slides from the related presentation at DTU, can now be found <a href="https://rot256.dev/post/zero-correlation/slides.pdf">here</a>.</p> <p>Those who have read <a href="https://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf">Howard M. Heys</a> excellent introduction to Linear and Differential cryptanalysis or even worked with linear hulls (e.g. read the <a href="https://www.springer.com/us/book/9783540425809">Rijndael book</a>) might be tempted to believe that the absence of linear approximations with a non-zero correlation implies that the cipher is immune to linear cryptanalysis. However the existence of linear hulls with correlation zero also allows an attacker to distinguish the cipher from a random permutation with high probability. In this entry we will explore the work by Andrey Bogdanov and Vincent Rijmen on so-called &ldquo;Zero-Correlation Linear Cryptanalysis&rdquo; and apply the technique to a toy cipher.</p>Software Update @ 34C3https://rot256.dev/post/software-update/Sat, 30 Dec 2017 15:00:00 +0000https://rot256.dev/post/software-update/<h1 id="the-34c3-ctf">The 34C3 CTF</h1> <p>34C3 has just ended and the year is quickly coming to an end. As usual I had the pleasure of playing the CTF at CCC. What I particularly like about the C3 CTF is the ingenuity and variety of challenges (not just binary reversing + exploitation and web).</p> <h1 id="the-software-update-challenge">The &ldquo;Software Update&rdquo; challenge</h1> <p>We are given 3 files:</p> <ul> <li>installer.py</li> <li>public_key.der</li> <li>sw_update.zip</li> </ul> <p>The challenge is a firmware updating service (provided in <code>installer.py</code>) and an example of a signed update (provided in <code>sw_update.zip</code>). The challenge is similar to <code>flash</code> from 32C3.</p>GSoC: WireGuardhttps://rot256.dev/post/gsoc/Thu, 07 Sep 2017 00:00:00 +0000https://rot256.dev/post/gsoc/<h1 id="introduction">Introduction</h1> <h2 id="google-summer-of-code">Google Summer of Code</h2> <p>Every year Google arranges their <a href="https://developers.google.com/open-source/gsoc">Summer of Code program</a>, giving students the opportunity of contributing to open source projects during the summer and receive a stipend. Over this summer I have completed the program with the WireGuard team (under the Linux foundation umbrella), with the goal to create a user space implementation of <a href="https://www.wireguard.com">WireGuard</a>.</p> <h2 id="wireguard">WireGuard</h2> <p>WireGuard is a simple (layer 3) VPN protocol based around a <a href="http://www.noiseprotocol.org">Noise pattern</a> (in particular Noise_IKpsk2). Among the primary features offered by WireGuard are:</p>Bornhack CTF (2017)https://rot256.dev/post/bornhack-2017/Wed, 30 Aug 2017 00:00:00 +0000https://rot256.dev/post/bornhack-2017/<h1 id="introduction">Introduction</h1> <p>Pwnies at Copenhagen University arranged this years <a href="https://ctftime.org/ctf-wtf">CTF</a> at <a href="https://bornhack.dk/bornhack-2017">Bornhack</a>.</p> <p>This is a short post detailing 2 of the crypto challenges I designed for this years CTF.</p> <h2 id="birthday-present">Birthday-PRESENT</h2> <p>The challenge (and solution) can be found <a href="https://github.com/kokjo/bornhack-ctf/tree/master/challenges/birthday-PRESENT">on github</a></p> <p>The Sweet16 / birthday-PRESENT challenge is based on a variant of the <a href="https://sweet32.info/">Sweet32</a> vulnability, with a block cipher (<a href="https://eprint.iacr.org/2010/143.pdf">small scale variant of PRESENT</a>) having a block size of 32-bit, which makes the attack more practical.</p> <p>Participants were given the C source code of a server which writes the flag into a large buffer (repeated), then allows the user to overwrite the start of the buffer with any plaintext of their choosing. The buffer is then encrypted under a random key using Small-PRESENT in CBC mode and the ciphertext is returned to the user.</p>Bluesound POWERNODEhttps://rot256.dev/post/bluesound-powernode/Fri, 23 Dec 2016 00:00:00 +0000https://rot256.dev/post/bluesound-powernode/<p>The Bluesound POWERNODE is a &ldquo;Wireless Stereo Component&rdquo;, which allows the user to stream to an older analogue sound system. It also includes an amp. I (sadly) happen to have such a device at home and decided to take a look at the firmware. The results were as expected.</p> <p>Most of the product line appears to be vulnerable, since they run mostly the same software. I would also be surprised if this is the only vulnerability in the device.</p>PAKE @ Hitcon 2016https://rot256.dev/post/pake/Tue, 15 Nov 2016 15:00:00 +0000https://rot256.dev/post/pake/<p>Writeup of a challenge completed some time ago. Modified challenge code <a href="https://github.com/rot256/Wargames/blob/master/hitcon/pake/pake.rb">here</a></p> <h1 id="the-challenge">The challenge</h1> <p>The protocol is essentially <a href="https://en.wikipedia.org/wiki/SPEKE_(cryptography)">SPEKE</a>, but rather than use one large password, a number of smaller passwords are used and combined to avoid online bruteforce.</p> <h1 id="talking-to-yourself">Talking to yourself</h1> <p>The first observation is that two sessions with the same server can convince each other that they know the passwords.</p> <p>This may not appear very useful. But this allows us to bruteforce one small password (with 4-bits of entropy) at a time. We guess the next unknown password and let the two connections convince each other they know the remaining passwords. There are some minor details to take care of before we can do this, observe the core loop of the server:</p>NeoDNShttps://rot256.dev/post/neodns/Sat, 20 Aug 2016 00:00:00 +0200https://rot256.dev/post/neodns/<h1 id="neodns--a-new-dns-like-the-one-we-know">NeoDNS : A new DNS like the one we know</h1> <h2 id="the-goal">The goal</h2> <p>We wish to design a new DNS solution which offers the following:</p> <ol> <li>Ease of migration: the solution must be able to coexists with the existing DNS and PKI. Adopting NeoDNS should not break backwards compatibility.</li> <li>Authentication of domains: users must be able to verify that they are talking to the legitimate service, without a globally trusted central authorit(y|ies). We relax this requirement and simple demand that an attempt at impersonation should become publicly known.</li> <li>Performant: minimal overhead when compared with the existing systems.</li> </ol> <h2 id="assumptions">Assumptions</h2> <p>It is assumed that the reader:</p>Proxy Server @ Pwnablehttps://rot256.dev/post/proxy-server/Fri, 29 Apr 2016 20:04:43 +0100https://rot256.dev/post/proxy-server/<h1 id="the-challenge">The challenge</h1> <p>The challenge text on pwntable:</p> <blockquote> <p>I made a multi-thread based HTTP proxy server written in C. It works fine for simple case, but it crashes occasionally. Can you find me the bug? (it has watchdog, proxy server will be respawned after crashing)</p> <p>* uname -a of server : FreeBSD bsd32 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4 06:55:39 UTC 2012 <a href="mailto:root@obrian.cse.buffalo.edu">root@obrian.cse.buffalo.edu</a>:/usr/obj/usr/src/sys/GENERIC i386</p> <p>Download : <a href="http://pwnable.kr/bin/myproxy">http://pwnable.kr/bin/myproxy</a></p> <p>Running at : nc pwnable.kr 9903</p>AEG @ Pwnablehttps://rot256.dev/post/aeg/Fri, 01 Apr 2016 15:54:08 +0200https://rot256.dev/post/aeg/<h1 id="the-challenge">The challenge</h1> <p>The challenge text on pwntable:</p> <blockquote> <p>How fast can you pwn me?</p> <p>Running at : nc pwnable.kr 9005</p></blockquote> <p>Connecting, we are given a base64 block.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">$ nc pwnable.kr 9005 </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl">- Welcome to AEG (Automatic Exploit Generation) - </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">I will send you a newly compiled binary (probably exploitable) in base64 format </span></span><span class="line"><span class="cl">after you get the binary, I will be waiting for your input as a plain text </span></span><span class="line"><span class="cl">when your input is given, I will execute the binary with your input as argv[1] </span></span><span class="line"><span class="cl">you have 10 seconds to build exploit payload </span></span><span class="line"><span class="cl">wait... </span></span><span class="line"><span class="cl">H52Qf4owMSIgQAAACBMmFADAB4CDCSHIgIgQiMKEiGJIuKjQIg4ACgBY5ABgAwA </span></span><span class="line"><span class="cl">... (many lines ommited) ... </span></span><span class="line"><span class="cl">ACGanhDCeu6EcUFELMSGUKXHojPmzOeQEivBIJYQmWKYXwR0YSgoB </span></span><span class="line"><span class="cl">here, get this binary and give me some crafted argv[1] for explotation </span></span><span class="line"><span class="cl">remember you only have 10 seconds... hurry up! </span></span></code></pre></div><p>Which turns out to be a gzip file containing a 64-bit elf binary:</p><link>https://rot256.dev/post/elrs-1/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://rot256.dev/post/elrs-1/</guid><description><h1 id="expresslrs-hello-world">ExpressLRS: Hello World</h1> <h2 id="introduction">Introduction</h2> <h2 id="ssfh-spread-spectrum-frequency-hopping">SSFH (Spread Spectrum Frequency Hopping)</h2> <h2 id="sync-packets">Sync Packets</h2></description></item><item><title/><link>https://rot256.dev/probset/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://rot256.dev/probset/</guid><description><!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>ProbSet</title> <link rel="stylesheet" href="styles.css"> <link rel="icon" type="image/png" href="icon.png"> </style> </head> <body> <script src="probset.js"></script> </body> </html></description></item></channel></rss>