Rating:

# Real EC

We use the elliptic curve P256 (NIST-standard).
The programme generates some random 1000-Byte secret (from urandom).
This is split into 250 32-bit Integers *e_i*.
Then for all 250 parts, we also generate some random *n = x0...0x0...0x* (8 bit unknown).
Finally, we get *g^(e_i * n)*.

Find the hash of the secret, you have 100 seconds.

## Solution

* We cannot break ECDSA.
* Each point has 40 Bit -> somehow brute-force

Before we get the 250 values, we have arbitrary time.
Create a lookup table, then just search for all of these points in table.

Table gets too large (some TB RAM), instead meet-in-the-middle.
* Create k bit table.
* Try 40-k bit in-time

In the end the following worked
* Use server, with 80 cores to lookup points in parallel
* Use 22 Bit table
* Compute inverses of possible n before
* try to use addition of points (instead of multiplication) for speedup

Finished Lookup table: 162.18 seconds
Finished with all points: 41.88 seconds

Original writeup (https://github.com/ENOFLAG/writeups/tree/master/pwn2win/real_ec).