Tags: forgery elgamal
Rating:
*See full writeup in the link provided*
This is an ElGamal signature scheme without hash function, which is vulnerable to forgery attacks (see Section 3.2 of [Chan's thesis](https://core.ac.uk/download/pdf/48535618.pdf)).
The idea is to create a message using Chan's technique with random integers B and C:
```
r' = g^B * y^C [p]
s' = -r'C [p-1]
m' = -r'B/C [p-1]
```
and then prepend `Cisco` to `m'` so it will be cut by the mask.
```python
from pwn import *
from Crypto.Util.number import *
sh = remote("crypto.chal.csaw.io", 5006)
sh.recvuntil("(p,g,y): ")
data = sh.recvline().decode()
data = [int(x) for x in data.split(" ")]
p,g,y = data[0],data[1],data[2]
r = g*y % p
s = (-r) % (p-1)
m = (-r) % (p-1)
signed_message = b"Cisco".hex() + long_to_bytes(m).hex().rjust(1024//4, "0")
sh.recvuntil("Answer:")
sh.sendline(signed_message)
sh.recvuntil("r:")
sh.sendline(str(r))
sh.recvuntil("s:")
sh.sendline(str(s))
sh.interactive()
```