Tags: aes-gcm 

Rating: 5.0

We use AES-GCM collision, from section 3.1, https://eprint.iacr.org/2017/664.pdf

Code https://gist.github.com/niklasb/0c3f4158208dae70547395f8b4d78559#file-0_frank-sage

Then send two messages to the bot with the same message ID (& ciphertext) but different keys. I didn't include the code, but it is as easy as changing the encrypt_inner and send functions to use hardcoded in and outputs. We will send a benign version of the message first, and then the abusive version. The bot will look up the message by message ID as follows for reporting (client.py):

(_, ts, ctxt, msg, fbtag) = [
x for x in self._all_messages[who] if x[0] == mid

We will have two messages with the same ID in this list, but the first one is benign, so the report will be invalid and we get the flag.

Pseudocode encryption for reference:

M = input message
kf, km = random keys
fbtag_key = server secret
# inner encryption with ephemeral key
cm = AES(key=km, M)
publish cm under message ID mid # <- this is the ciphertext that we reuse twice

# outer encryption (end-to-end)
M' = mid + km + H(cm)
com = HMAC(key=kf, M')
ctxt = RSA(M' + kf)
publish ctxt + com # <- this part we change between messages
# (specifically, we change km and compute
# a new commitment)

# server
fbtag = HMAC(key=fbtag_key, com + sender + receiver + time())
publish fbtag