def forgeSignature(message, sig1, sig2):
# definitions
r = sig1['r']
s1 = sig1['s']
s2 = sig2['s']
m1 = sig1['m']
m2 = sig2['m']
h1 = int(hashlib.sha384(m1.encode('ASCII')).hexdigest(), 16)
h2 = int(hashlib.sha384(m2.encode('ASCII')).hexdigest(), 16)
hNew = int(hashlib.sha384(message.encode('ASCII')).hexdigest(), 16)
# sanity checks
assert (sig1['r'] == sig2['r'])
assert (elgamal_verify(r, s1, m1))
assert (elgamal_verify(r, s2, m2))
# get k^(-1)
kInvCandidates = moddiv((s1 - s2) % (SAFEPRIME - 1),
(h1 - h2) % (SAFEPRIME - 1), SAFEPRIME - 1)
kInvCandidates = filter(lambda c: pow(r, c, SAFEPRIME) == GENERATOR,
kInvCandidates)
kInv = next(kInvCandidates)
# compute the new s value
s = (s1 + (hNew - h1) * kInv) % (SAFEPRIME - 1)
return {'r': r, 's': s}
def forgeSignature(message, sig1, sig2):
# definitions
r = sig1['r']
s1 = sig1['s']
s2 = sig2['s']
m1 = sig1['m']
m2 = sig2['m']
h1 = int(hashlib.sha384(m1.encode('ASCII')).hexdigest(), 16)
h2 = int(hashlib.sha384(m2.encode('ASCII')).hexdigest(), 16)
hNew = int(hashlib.sha384(message.encode('ASCII')).hexdigest(), 16)
# sanity checks
assert(sig1['r'] == sig2['r'])
assert(elgamal_verify(r, s1, m1))
assert(elgamal_verify(r, s2, m2))
# get k^(-1)
kInvCandidates = moddiv((s1 - s2) % (SAFEPRIME - 1), (h1 - h2) % (SAFEPRIME - 1), SAFEPRIME - 1)
kInvCandidates = filter(lambda c: pow(r, c, SAFEPRIME) == GENERATOR, kInvCandidates)
kInv = next(kInvCandidates)
# compute the new s value
s = (s1 + (hNew - h1) * kInv) % (SAFEPRIME - 1)
return {'r': r, 's' : s}
def submitSolution(m, sig):
assert(elgamal_verify(sig['r'], sig['s'], m))
#create a connection
TARGET = ('localhost', 60231)
s = socket.create_connection(TARGET);
#get past the captcha
challenge = s.recv(12)
captchaSolution = solveCaptcha(challenge)
s.send(captchaSolution)
#encode m and sig, then send them
encodedSolution = json.dumps({'m' : m, 's': sig['s'], 'r': sig['r']})
encodedSolution = encodedSolution.encode('ASCII')
s.send(encodedSolution)
#print the result and exit
response = s.recv(5000).decode('ASCII')
s.close()
return response
def submitSolution(m, sig):
assert (elgamal_verify(sig['r'], sig['s'], m))
#create a connection
TARGET = ('localhost', 60231)
s = socket.create_connection(TARGET)
#get past the captcha
challenge = s.recv(12)
captchaSolution = solveCaptcha(challenge)
s.send(captchaSolution)
#encode m and sig, then send them
encodedSolution = json.dumps({'m': m, 's': sig['s'], 'r': sig['r']})
encodedSolution = encodedSolution.encode('ASCII')
s.send(encodedSolution)
#print the result and exit
response = s.recv(5000).decode('ASCII')
s.close()
return response
if __name__ == "__main__":
#sanity checks
assert(SAFEPRIME % 2 == 1)
assert(is_probable_prime((SAFEPRIME - 1) // 2))
assert(pow(GENERATOR, SAFEPRIME - 1, SAFEPRIME) == 1)
# import signatures from file
import json
f = open("sigs.txt")
sigs = [ json.loads(line) for line in f ]
f.close()
# get signatures with identical r values
sigpairs = findDoubles(sigs)
# eleminate tuples that are no valid signatures
verify = lambda sig: elgamal_verify(sig['r'], sig['s'], sig['m'])
sigpairs = filter(lambda p: verify(p[0]) and verify(p[1]), sigpairs)
message = "There is no need to be upset"
for sigpair in sigpairs:
try:
forgedSig = forgeSignature(message, sigpair[0], sigpair[1])
print(submitSolution(message, forgedSig))
except ValueError as e:
print(e)
# FLAG{nonces_are_fucking_rad_amirite}
MSG = "There is no need to be upset" # From sigs.txt r1 = 15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794 r2 = 15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794 s1 = 20950544720225190240516588643124156640166137751307772794120839122642879744566309989204234525193060193095734419581892490241084064977398989989423034374978973475972879096343609617333859217032402467474794063367359126064209414247112196692749986283927599483857635906461630946699655333336064650658571060838418022831773012112148484373450539087980144060939705883970226872558602362137321434221468807558634789744082687788692428002582578979320390623784385653753663765668912704533244714593744067390408848738952250051111603136134591670549919971405683223154547996667007410471545395238084694224087888217638321220704877088996234667758 s2 = 20193160426525825914749944534502183854793246273057225225204130786954179606391520252397561856344584750457489718289118609515303464507510251417077403315954173676057341891301159286752647600395198190644724307893515345893595410667424425312908674343690968733843740920409803587443515922925501638028491932183400780974410265039483539351372898810463837406346416273301833999371981123383744331959625540606861187311099827640470542835373136973637049034852358457864170556183428016586548277807973991611705101720973851865311156212618466002189499709957796272187041939722207610584175170433726950035007314375587759506260786928657084551208 m1 = "'\"o%^W?GuXkB$4[>kW\">FK|9+K.];P6/fWW8TVbiJD2CYtpcnM" m2 = "O2,EmP|,!K5F?m]eI;;:V" assert 0 < r1 < p assert 0 < s1 < p - 1 assert 0 < r2 < p assert 0 < s2 < p - 1 assert elgamal_verify(r1, s1, m1) assert elgamal_verify(r2, s2, m2) m1 = int(hashlib.sha384(m1).hexdigest(), 16) m2 = int(hashlib.sha384(m2).hexdigest(), 16) half = (p - 1) / 2 ################### k = (modinv(s1 - s2, half) * (m1 - m2)) % (p - 1) k += half print 'k', k print assert r1 % p == pow(g, k, p) ################### xr = (m1 - k * s1) % (p - 1)
if __name__ == "__main__":
#sanity checks
assert (SAFEPRIME % 2 == 1)
assert (is_probable_prime((SAFEPRIME - 1) // 2))
assert (pow(GENERATOR, SAFEPRIME - 1, SAFEPRIME) == 1)
# import signatures from file
import json
f = open("sigs.txt")
sigs = [json.loads(line) for line in f]
f.close()
# get signatures with identical r values
sigpairs = findDoubles(sigs)
# eleminate tuples that are no valid signatures
verify = lambda sig: elgamal_verify(sig['r'], sig['s'], sig['m'])
sigpairs = filter(lambda p: verify(p[0]) and verify(p[1]), sigpairs)
message = "There is no need to be upset"
for sigpair in sigpairs:
try:
forgedSig = forgeSignature(message, sigpair[0], sigpair[1])
print(submitSolution(message, forgedSig))
except ValueError as e:
print(e)
# FLAG{nonces_are_fucking_rad_amirite}
MSG = "There is no need to be upset" # From sigs.txt r1 = 15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794 r2 = 15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794 s1 = 20950544720225190240516588643124156640166137751307772794120839122642879744566309989204234525193060193095734419581892490241084064977398989989423034374978973475972879096343609617333859217032402467474794063367359126064209414247112196692749986283927599483857635906461630946699655333336064650658571060838418022831773012112148484373450539087980144060939705883970226872558602362137321434221468807558634789744082687788692428002582578979320390623784385653753663765668912704533244714593744067390408848738952250051111603136134591670549919971405683223154547996667007410471545395238084694224087888217638321220704877088996234667758 s2 = 20193160426525825914749944534502183854793246273057225225204130786954179606391520252397561856344584750457489718289118609515303464507510251417077403315954173676057341891301159286752647600395198190644724307893515345893595410667424425312908674343690968733843740920409803587443515922925501638028491932183400780974410265039483539351372898810463837406346416273301833999371981123383744331959625540606861187311099827640470542835373136973637049034852358457864170556183428016586548277807973991611705101720973851865311156212618466002189499709957796272187041939722207610584175170433726950035007314375587759506260786928657084551208 m1 = "'\"o%^W?GuXkB$4[>kW\">FK|9+K.];P6/fWW8TVbiJD2CYtpcnM" m2 = "O2,EmP|,!K5F?m]eI;;:V" assert 0 < r1 < p assert 0 < s1 < p-1 assert 0 < r2 < p assert 0 < s2 < p-1 assert elgamal_verify(r1, s1, m1) assert elgamal_verify(r2, s2, m2) m1 = int(hashlib.sha384(m1).hexdigest(), 16) m2 = int(hashlib.sha384(m2).hexdigest(), 16) half = (p-1)/2 ################### k = (modinv(s1-s2, half) * (m1-m2)) % (p-1) k += half print 'k', k print assert r1 % p == pow(g, k, p) ################### xr = (m1 - k*s1) % (p-1)
