Points: 493

Tags: crypto 


Intended solution

secdsa.py had a vulnerability in line 165: return int(self.hotp.at( (now.minute + 1) * (now.second // 10) ))

In the first 10 seconds of a minute, now.second // 10 is 0, so the function returns hotp.at(0) regardless of the minute. The nonce k is therefore the same for every signature made in that window, which enables the ECDSA attack with repeated k.

The challenge had a 10-second cooldown, so it wasn't possible to get two signatures with the same k back to back.

The solution was to get the first signature in the first 10 seconds of a minute, then wait around a minute and get the second signature (again in the first 10 seconds of the minute).

https://gist.github.com/jimouris/8d3cb83fdbfd4053b6e1d3200c459dc2
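The following is an added example, not the challenge's code or the linked gist: it reproduces the counter expression from line 165 and shows why two signatures issued in the 0-9 second window of different minutes share r and expose the key. It assumes secp256k1 in place of the challenge's curve, SHA-256 for hashing, and a hash-based stand-in for hotp.at(); the names sign, scalar and recover_key are hypothetical.

```python
import hashlib

# secp256k1, used as a stand-in: the challenge's own curve class is not on the page.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def counter(now):
    """The expression from secdsa.py line 165: 0 whenever now.second < 10."""
    return (now.minute + 1) * (now.second // 10)

def scalar(data):
    """Hash bytes to an integer mod N (message digest and stand-in nonce source)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(msg, d, now, seed=b"constructed-hotp-secret"):
    k = scalar(seed + str(counter(now)).encode())  # hypothetical stand-in for hotp.at(counter)
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (scalar(msg) + r * d) % N

def recover_key(m1, sig1, m2, sig2):
    """Return the private key if both signatures share a nonce (same r), else None."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    k = (scalar(m1) - scalar(m2)) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - scalar(m1)) * pow(r1, -1, N) % N
```

A repeated r across two signatures from the same key is the observable sign of this flaw. Deriving k per message (RFC 6979) or from a CSPRNG removes the dependence on a counter that can repeat.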

Different solution

N was very small, so the discrete logarithm was easy. Repeatedly adding the base point to itself eventually reaches the public key, and the number of additions gives the private key. Neat solution from CommandMaster:

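# Point, CurveOverFp and sign are assumed to come from the challenge's own source.
base_point = Point(1341, 854)
curve = CurveOverFp(0, 1, 1, 2833)
o = curve.order(base_point)  # order of the base point
print(o)
target = Point(1220,1620)  # public key
# Brute-force the discrete log: walk G, 2G, 3G, ... until the public key is hit.
cur = Point(base_point.x, base_point.y)
l = 1
while not cur == target:
    l += 1
    cur = curve.add(cur, base_point)
print(l)  # private key: l * base_point == target
print(curve)
# Sign the message with the recovered key pair (l, target).
sign("Can I just get my BlueHens CTF points????", curve, base_point, o, (l, target))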

Writeups

Author team: Blue Hens (not rated)