Tags: mov-attack elliptic-curves sage sagemath 

Rating:

# Source:
```
from ecdsa import ellipticcurve as ecc
from random import randint

a = -35
b = 98
p = 434252269029337012720086440207
Gx = 16378704336066569231287640165
Gy = 377857010369614774097663166640
ec_order = 434252269029337012720086440208

E = ecc.CurveFp(p, a, b)
G = ecc.Point(E, Gx, Gy, ec_order)

def generateKeyPair():
private = randint(1, 2**64)
public = G * private
return(public, private)

def checkDestinationPoint(data: dict, P: ecc.Point, nQ: int, E: ecc.CurveFp) -> list:
destination_x, destination_y = checkCoordinates(data)
destination_point = ecc.Point(E, destination_x, destination_y, ec_order)
secret_point = P * nQ
same_x = destination_point.x() == secret_point.x()
same_y = destination_point.y() == secret_point.y()

if (same_x and same_y):
return True
else:
return False
```

# Solve:
We get given two points on a curve $P(x, y)$ and $Q(x, y)$ and are asked to find the value of $P \times nQ$, something ideally computationally impossible without knowledge of the private key $n$. In the source code we find the curve parameters $a$ and $b$ , and the generator point $G$. From the name we can summise that this is a MOV attack challenge. the idea behind the MOV attack is avoid compution the incredibly hard Elliptic Curve DLP(discrete logarithm problem) by shifting (or moving ... get it?) the group from a group of points on an eliptic curve to a finite feild, and then solve the now finite feild DLP there.

To do this, the embedding degree $(k)$ of the curve must be small, specifically $k \le 6$. From experimentation we find that the embedding degree of this curve is well within that range as $k=2$ . From here, we can use a standard MOV attack sage implementation (I used one i had made previously), and solve.

### Solve Script:
``` python
a = -35
b = 98
p = 434252269029337012720086440207
E = EllipticCurve(GF(p), [a,b])

G = E(16378704336066569231287640165, 377857010369614774097663166640)
A = E(int("0x54b35f407996eb8fc566d3b12", 16), int("0xc857b1b70d5ef09507bf8bd6", 16))
B = E(int("0x22afe63536a534077df811f1e", 16), int("0x16cd192948520687a521ae471",16))

order = G.order()
k = 1
while (p**k - 1) % order:
k += 1
print(k)

Ee = EllipticCurve(GF(p^k, 'y'), [a, b])
Ge = Ee(G)
Ae = Ee(A)

T = Ee.random_point()
M = T.order()
d = gcd(M, G.order())
Q = (M//d)*T

assert G.order() / Q.order() in ZZ

N = G.order()

a = Ge.weil_pairing(Q, N)
b = Ae.weil_pairing(Q, N)

na = b.log(a)
S = na*B

print(f"x: {hex(S.xy()[0])}")
print(f"y: {hex(S.xy()[1])}")
```

```
x: 0x456d53f3f1738a1d78429dc1b
y: 0x541ac0a09249f717fd9737f8f
```

#### Flag: `HTB{I7_5h0075_,1t_m0v5,_wh47_15_i7?}`