Tags: quantum crypto 

Rating: 5.0

tldr

1. The service asks to input a passwd that is sent and encoded by the LocalQuantumComuputer and decoded by RemoteQuantumComputer. This is pretty much useless for the challenge.

2. The returned bitstring is the measurement output (computational basis) of the flag encoded in qubits, with a Hadamard gate applied with 50% prob. (bit of key, from /dev/urandom), and a Hadamard gate (bit of passwd, user controlled, just make it 0).

3. There is a bias in the measurement towards the flag bit, as if the flag bit is 0, the probability to get the output 0 is 75%, same for bit 1. This is more than enough to recover the flag.

More details in the full writeup at [https://sectt.github.io/writeups/Pwn2Win20/crypto_lostqkeys/README](https://sectt.github.io/writeups/Pwn2Win20/crypto_lostqkeys/README)

Original writeup (https://sectt.github.io/writeups/Pwn2Win20/crypto_lostqkeys/README).