Introduction

Macroplata : Just WHY man ? was my first reaction to this challenge… I usually don’t really like challenges with a lot of code :-) Soooo, basically there are 3 KEMS and some sort of TAG/authentification thing, my first instinct was : I’m NOT looking into the details of the KEMs before I have something on the actual thing that we’re supposed to to which is: forging a tag.

All that we need to do is an existencial forgery from a tag with known plaintext…

The tagging

The tagging mecanism is basically a recursive AES enc with a few twists depending on the … block padding ? I hope ANSSI didn’t mean to change KEM depending on the padding when they recommened hybrid solutions :-)

Well let’s consider a seqences of 16 bytes blocks (meaning all of them are 16 bytes so don’t need padding), $b_1, \cdots, b_n$, then the tag is of the form:

And particular the known tag is exactly $32$-bytes so is of the form:

$T_0 = T(k_1, k_2 ) = E_{K_0} \left( E_{K_0} \left( k_1\right) \oplus k_2 \oplus K_1\right)$

Where $E_{K_0}$ is AES-ECB with key $K_0$ and $K_1$ is the key to the lattice KEM. Note that to win we can forge a tag of ANY length…

The KEMs

Well since the key to the AES seem to be the most important let’s look at the EC-KEM that derives it… Well its called ECElGamalKEM but it looks more like ECDH and … seems pretty secure. No luck here…

I didn’t really want to look at the lattice KEM too fast as it’s a LOT of code (Maybe I should have in retrospective hum hum…), so I thought that maybe I should look at the RSA KEM. The RSA KEM was SO simples that I was also convinced it had no real vulnerability.

BUT I SILL didn’t want to look at the lattice KEM until I actually find a forgery that requires only $K_1$ so I did that.

The forgery

We don’t know a lot… we know $k_1, k_2, T_0$ and possibly $K_1$ soooo what can we do. Well if we don’t want to involve $K_2$ we need full size blocks. So here I proceeded iterativly:

• Can I forge a TAG for one block ?

$T(b_1) = E_{K_0}(b_1 \oplus K_1)$, since I only know one encryption with $K_0$ then necessarly I need that $b_1 \oplus K_1 = E_{K_0} \left( k_1\right) \oplus b_2 \oplus K_1$ which is equivalent to $b_1 \oplus b_2 = E_{K_0} \left( k_1\right)$, unfortunatly, there is NO WAY I get my hands on $E_{K_0} \left( k_1\right)$…

• Can I forge a TAG for two blocks ?

Well I didn’t really try, since I assumed it would basically be the same as the given tag, maybe I’m wrong ?

• Can I forge a TAG for three blocks ?

Same process : $T(b_1, b_2, b_3) = E_{K_0} \left( E_{K_0} \left( E_{K_0} \left( b_1\right) \oplus b_2\right) \oplus b_3 \oplus K_1\right)$ … I didn’t succeed but I felt like with a little more degree of freedom I could do it…

• Can I forge a TAG for four blocks ?

$T(b_1, b_2, b_3, b_4) = E_{K_0}( E_{K_0}( E_{K_0}( E_{K_0}( b_1) \oplus b_2) \oplus b_3) \oplus b_4 \oplus K_1)$

As before, I’m forced to take $b_4 = k_2$ and $E_{K_0}( E_{K_0}( b_1) \oplus b_2) \oplus b_3 = b_1$ since it’s the only way that I can match the given tag, I get:

and applying the same logic, I’m forced to take: $b_1 \oplus b_3 = T_0$ and $b_2 = k_2 \oplus K_1$ which gives:

and clearly, now we want $b_1 = k_1$ which simplifies evrything to:

Just find $K_1$

Well, let’s just say I just printed $v$ from the lattice KEM, was met with:

[27967643, 27967643, 27967643, 27967643, 11189146, 11189146, 27967643, 11189146, 27967643, 11189146, 27967643, 27967643, 11189146, 11189146, 11189146, 11189146, 11189146, 27967643, ...]Z

Note that for this part I was SOOO lazy in my solve that i randomly pick one of the values to be $0$ and the other to be $1$ so the final solve works half the time.

Sooo yeah, it’s pretty obvious this is beyond broken…

Putting it all together

Here is the final solve:

from pwn import remote, process
from Crypto.Util.number import *
import pickle
from Crypto.Hash import SHAKE256, SHA256
import base64
import numpy as np
from Crypto.Protocol.KDF import HKDF
#io = process(["python", "macroplata.py"])
io = remote("challenges.fcsc.fr", 2158)

pk = pickle.loads(base64.b64decode(io.recvline().strip().decode()))
ct = base64.b64decode(io.recvline().strip().decode())
truth = io.recvline().strip()
tag = base64.b64decode(io.recvline().strip().decode())

l1 = int.from_bytes(ct[:4])
ct_ec = ct[4:4+l1]

l2 = int.from_bytes(ct[4+l1:8+l1])
ct_lat = ct[8+l1:8+l1+l2]

l3 = int.from_bytes(ct[8+l1+l2:12+l1+l2])
ct_rsa = ct[12+l1+l2:12+l1+l2+l3]

n = 512
q = 33556993
B = 2

seed, t = pk[1]
A = np.array([
            [int.from_bytes(SHAKE256.new(data=seed+i.to_bytes(2,'big')+j.to_bytes(2,'big')).read(2), 'big') % q for j in range(n)]
            for i in range(n)
        ])

u, v = pickle.loads(ct_lat)
v = list(v)

m = [el == v[0] for el in v]
z = b""

for i in range(0, len(m), 8):
    v = 0
    ii = i
    for j in range(7, -1, -1):
        v |= 2**j * m[ii]
        ii += 1
    z += bytes([v])
K1 = HKDF(z, 16, b"", SHA256)

b1, b2 = truth[:16], truth[16:]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

forged = b1 + xor(b2, K1) + xor(tag, b1) + b2

print(io.recvuntil(b":"))
io.sendline(base64.b64encode(forged))
io.sendline(base64.b64encode(tag))

print(io.recvline())

Introduction

Splhash is a hash function presented as $H(x) = B \times S(A \times x)$ where $A$ is a $2n \times 5n$ matrix and $B$ is a $5n \times n$ matrix. The non-linear $S$-layer is comprised of $\cfrac{5n}{4}$ SBoxes each acting on $4$-bits nibbles. We recognize the SBox from the Present cipher. This challenge reminded me of One round crypto at ECSC2024 but this time with a hash function instead of a cipher.

First attempt(s)

Bouncy

Since this hash function is comprised of one non-linear and 2 linear layer I thought about using a rebound attack : We want $x \ne y \in \mathbb F_2^{2n}$ s.t $H(x) = H(y)$. To but it in algebraic terms we have:

or since $B$ is $5n \times n$ (will have big kernel)

For the rebound we want some differential property of $S$, since its the present SBox we do have some differential at 25%, in particular if we consider the differential space in and out:

Then the inbound differential chains looks like:

This requires that $d_z \in \ker B$ and $d_y \in \text{Im } A$

Sooooo we need… $d_z \in \ker B \cap \Delta^S_z$ and $d_y \in \text{Im } A \cap \Delta^S_y$ which turns out… is pretty hard to find, for up to $n=32$ the SAT solver actually found it but it didn’t scale and I just couldn’t find my inbound otherwise…

Fun with the ANF

Since the challenge looks mostly algebraic, let’s look at the ANF of the Sbox:

from sage.all import *
from sage.crypto.sbox import SBox

def anf(s): # taken from the INRIA symmetric crypto tutorial
    result = []
    for i in range(4):
        result.append(P(s.component_function(1 << i).algebraic_normal_form()))
    return result

S = [12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2]
pols = anf(SBox(S))
print(pols)

and we get:

[x1*x2 + x0 + x2 + x3, x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x3 + x2*x3 + x1 + x3, x0*x1*x3 + x0*x2*x3 + x0*x1 + x0*x3 + x1*x3 + x2 + x3 + 1, x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x2 + x0 + x1 + x3 + 1]

Here, a few things stand out, first there aren’t many terms of degree $3$ but also and thats what I realised at the time, if you substitute $x_1 = x_3 = 0$ then you get:

[x0 + x2, 0, x2 + 1, x0 + 1]

A perfectly linear SBox ! So in my collision I just have to fix the first two bits in the entrance of each SBox to 0 right ?

Except we have $\cfrac{5n}{4}$ SBoxes and with $2$ bits per SBox =, thats $\cfrac{5n}{2}$ constraints while the input is only $2n$ bits, urgh… Though if you replace the $5$ by a $2$ this solution does work in the end !

I got stuck there for a very long time afterwards…

Introducing the differential but like not the one you think about…

I discovered the next property a bit by accident, by fiddling with algebraic representation and realised that even though the algebraic degree of the SBox is $3$, for a fixed $\delta \in \mathbb F_2^{2n}$, $H(x + \delta) + H(x)$ is of degree… 2 ?? While both $H(x + \delta)$ and $H(x)$ are degree $3$ ??

Well it actually makes sense, you can see it as differentiating a polynomial thus reducing it’s degree by one, rigorously what’s happening is that since in $\mathbb F_2$ , $x^2 = x$ the monomials have independent degree $1$ so the differential always cancels at least a variable from each monom.

Well, we now have a MQ system, which… is not meant to be solved directly and is pretty much unusable (I tried linearising it: bad idea).

What to do next ?

Remember the ANF from earlier.. take a good look at it:

[x1*x2 + x0 + x2 + x3, x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x3 + x2*x3 + x1 + x3, x0*x1*x3 + x0*x2*x3 + x0*x1 + x0*x3 + x1*x3 + x2 + x3 + 1, x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x2 + x0 + x1 + x3 + 1]

Well yeah, evry monomial of degree $3$ has a $x_0$ innit ?! That means that by only fixing one bit per SBox the SBox become degree $2$ thus the differential degree $1$ and we can just solve a linear system !!

Well, again, STILL not enough but …

Trust me :-)

In fact just like before we’ll need $\cfrac{5n}{4}$ constraints for the $1$-bit fix plus $n$ for the solving at the end and unfortunatly $\cfrac{5n}{4} + n \gt 2n$…

But, in a desperate attempt we can try to do the $1$ bit constrain on as many Sbox as we can and look at the resulting polynomial degrees:

from sage.all import *
import random


F2 = GF(2)

n = 64
K = 5
random.seed(0)
A = [ random.choices([0, 1], k = 2 * n) for _ in range(K * n) ]
B = [ random.choices([0, 1], k = K * n) for _ in range(n) ]

S = [12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2]

P = BooleanPolynomialRing(2*n,'x')
xs = vector(P.gens()), vector(F2, [random.randint(0, 1) for _ in range(2*n)])

pols = [lambda x0, x1, x2, x3: x1*x2 + x0 + x2 + x3, 
        lambda x0, x1, x2, x3: x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x3 + x2*x3 + x1 + x3, 
        lambda x0, x1, x2, x3: x0*x1*x3 + x0*x2*x3 + x0*x1 + x0*x3 + x1*x3 + x2 + x3 + 1, 
        lambda x0, x1, x2, x3: x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x2 + x0 + x1 + x3 + 1]


Af = matrix(F2, [A[i] for i in range(K * n) if i % 4 == 0][:n])
Ar = Af.right_kernel_matrix()
nbv = Ar.dimensions()[0]

P = BooleanPolynomialRing(nbv, 'x')

Af2 = matrix(F2, [A[i] for i in range(K * n) if i % 4 == 0][:n]) # can onkly have n here instead of 5n/4
Ar2 = Af2.right_kernel_matrix()
dxs = Ar2[0]

def H_pol(state):
    state = matrix(F2, A) * vector(state)
    ns = [0] * len(state)
    for i in range(0, len(state), 4):
        for j in range(4):
            ns[i + j] = pols[j](state[i], state[i + 1], state[i + 2], state[i + 3])
    return vector(ns)

xs = sum(v * ak for v, ak in zip(P.gens(), Ar))

diff_state = list(matrix(F2, B) *(H_pol(xs) + H_pol( xs + dxs)))
print([p.degree() for p in diff_state])

we get :

[2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2]

Well … all of them are affected, but if you try to solve this using Gröbner-basis, you….. atually succeed WTF ? up to like n=128 ???? But fail at n=256 (probably still doable for a big machine).

Solving such a big system (even for n=64) in matter of seconds means there is hidden linearity and… Well I was quite dumb not to see it but its the matrix $B$ mixing the degree $2$… If I remove the matrix mul in the final differential state this becomes clear :

diff_state = list((H_pol(xs) + H_pol( xs + dxs)))

gives :

[1, 1, 1, 1, -1, -1, -1, -1, 1, 1, 1, 1, -1, -1, -1, -1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, -1, -1, -1, -1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, -1, -1, -1, -1, 1, 1, 1, 1, -1, -1, -1, -1, -1, -1, -1, -1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, -1, -1, -1, -1, 1, 1, 1, 1, -1, -1, -1, -1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, -1, -1, -1, -1, -1, -1, -1, -1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 2, 2, 2, 1, 2, 2, 2, 1, 2, 2, 2, 1, 2, 1, 2, 1, 2, 2, 2, 1, 2, 2, 2, 1, 2, 2, 2, 1, 1, 2, 1, 1, 2, 2, 2, 1, 1, 2, 1, 1, 2, 2, 2, 1, 1, 2, 1, 1, 2, 2, 2, 1, 1, 2, 1, 1, 2, 2, 2, 1, 2, 2, 2]

And now…….

… Yes I did…

But after a few hours I realized that I was still chosing my differential randomly and that this was probably pretty dumb, so looking back at it… If you dont activate the SBoxes well you dont really care about the degree, having that in mind the code for choosing the differential not only should have the first bit of the degree-reduced SBoxes to $0$ but ALSO, ALL the bits of the non degree-reduced SBoxes to $0$.

Thats clearer when looking at the code, the previous choice was:

Af2 = matrix(F2, [A[i] for i in range(K * n) if i % 4 == 0][:n]) # can onkly have n here instead of 5n/4
dxs = Af2.right_kernel_matrix()[0]

and now:

Af2 = matrix(F2, [A[i] for i in range(K * n) if i % 4 == 0][:n] + [A[i] for i in range(K * n)][-n:])
dxs = Af2.right_kernel_matrix()[0]

Putting it all together

Putting it all together and you get the flag : b7691eedfcb698bf84bcf00e9fae9156f924bc95ecb73b6e0915a87b532549dff0ffbe4095d6cc5511ebbd4fcc293bbd67875657ae37075e13dd706c449a578a

Here is my quite dirty solve:

from Crypto.Util.number import *
from sage.all import *
from gmo.all import *
import random
from splhash import Splhash

def pack(bits, width):
    return [
        sum((bits[i + j]) << j for j in range(width))
        for i in range(0, len(bits), width)
    ]
F2 = GF(2)

n = 256
K = 5 # 5 in chall

random.seed(0)
A = [ random.choices([0, 1], k = 2 * n) for _ in range(K * n) ]
B = [ random.choices([0, 1], k = K * n) for _ in range(n) ]

H = Splhash(0, n, K)

S = [12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2]

P = BooleanPolynomialRing(2*n,'x')
xs = vector(P.gens()), vector(F2, [random.randint(0, 1) for _ in range(2*n)])

pols = [lambda x0, x1, x2, x3: x1*x2 + x0 + x2 + x3, 
        lambda x0, x1, x2, x3: x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x3 + x2*x3 + x1 + x3, 
        lambda x0, x1, x2, x3: x0*x1*x3 + x0*x2*x3 + x0*x1 + x0*x3 + x1*x3 + x2 + x3 + 1, 
        lambda x0, x1, x2, x3: x0*x1*x2 + x0*x1*x3 + x0*x2*x3 + x1*x2 + x0 + x1 + x3 + 1]


Af = matrix(F2, [A[i] for i in range(K * n) if i % 4 == 0][:n])
Ar = Af.right_kernel_matrix()
nbv = Ar.dimensions()[0]

P = BooleanPolynomialRing(nbv, 'x')

Af2 = matrix(F2, [A[i] for i in range(K * n) if i % 4 == 0][:n] + [A[i] for i in range(K * n)][-n:])
dxs = Af2.right_kernel_matrix()[0]

def H_pol(state):
    state = matrix(F2, A) * vector(state)
    ns = [0] * len(state)
    for i in range(0, len(state), 4):
        if state[i] != 0: print(i)
        for j in range(4):
            ns[i + j] = pols[j](state[i], state[i + 1], state[i + 2], state[i + 3])
    state = vector(ns)
    return vector(state)

xs = sum(v * ak for v, ak in zip(P.gens(), Ar))
diff_state = list(matrix(F2, B) *(H_pol(xs) + H_pol( xs + dxs)))
csts = vector(F2, [pol.constant_coefficient() for pol in diff_state])
pl = Sequence(pol + cs for pol, cs in zip(diff_state, csts))
M, u = pl.coefficients_monomials()

print("solvring", u, flush=True)
print(f"{K = }")
print(f"{n = }")

print(M.dimensions(), M.rank())
us = M.solve_right(csts)

x = vector(F2, [xss.subs({ue: use for ue, use in zip(u, us)}) for xss in xs])
y = x + dxs

x, y = bytes(pack(list(map(int, x)), 8)), bytes(pack(list(map(int, y)), 8))
print("x =", x.hex())
print("y =", y.hex())
print(f"{H(x) == H(y)}")

While replaying challenges from prior FCSC, I ended up trying to solve the challenge Surface, in this challenge we just have to solve the following equation over the rationals :

It turns out that such pair $(a, b) \in \mathbb Q^2$ are called congruent numbers and finding those is equivalent to finding some rational point on an elliptic curve, more specifically :

if $(a, b, c) \in \mathbb Q^3$ is a solution to

For some fixed $n$ then, setting $x = \cfrac{n(a + c)}{b}$ and $y = \cfrac{2n^2(a + c)}{b^2}$ then :

And if one finds a rational point of this elliptic curve then they may use the previous parametrization to find a solution to our initial problem.

Easy enough right ? Elliptic curves have been studied enough that this shouldn’t be a problem right ?

n = 20478 // 2
E = EllipticCurve(QQ, [-n**2, 0])
print(E.gens())

annnnnd :

RuntimeError: Unable to compute the rank, hence generators, with certainty (lower bound=0, generators found=()).  This could be because Sha(E/Q)[2] is nontrivial.
Try increasing descent_second_limit then trying this command again.

Shoot.

The Ugly

Let’s just try and increase the thingy then… spoiler : I’ve been told that you can solve using mwrank in sage in something like 10 hours with a large sieve bound…

The bad

Then if we use the special credit card technique or use a free online version of Magma we get the awaited result in just…. 4.7 sec ON THE ONLINE VERSION !!

def free_QQ_EC_gen(C):
    magma_shot = f"P<x>:=PolynomialRing(RationalField());E:=EllipticCurve([{str(C.ainvs())[1:-1]}]);print Generators(E);"
    ret = magma_free(magma_shot)

    if not ":" in ret: return []
    
    gen_str = ret.replace(" ", "").split("\n")[0].strip()[1:-1]
    gens = [C([QQ(e) for e in k[1:-1].split(":")]) for k in gen_str.split(",")]
    return gens

n = 20478 // 2
E = EllipticCurve(QQ, [-n**2, 0])
G = free_QQ_EC_gen(E)[-1]
print(G)

and we get :

(737343773862301088045509418793921869066076/10893159238600577313677917228652511841 : 625862116444448047393458603029555713662450024330982757172975030/35952639365198540562613869494033558726733788804390127889 : 1)
real    0m4,791s
user    0m0,884s
sys     0m0,914s

Since the obscure black box technology behind Magma is much faster we must doing something wrong…

The good

As mentioned by multiple (way more knowledgeable) people on the Cryptohack discord, one can use Heegner point method in Pari with :

sage: %time pari.ellheegner(pari.ellinit([-(20478//2)**2, 0]))
CPU times: user 1h 2min 54s, sys: 2.67 s, total: 1h 2min 57s
Wall time: 1h 2min 52s
[282959610435444133053419204432698312602025/20373367074202226028933855008293414081, 101697826622235966740266840753050504440060542552224371758641460/91958994752272050466781940295842999799221523355897410271]

that still took like 1 hour on my machine…

Why ?

There exist a variety of algorithm for finding rational points on elliptic curves or more generally algebraic curves. Sadly, not enough of them have usable open-source implementation :

Sage :

• 2-descent via mwrank
• Some kind of sieving for algebraic curves sage.schemes.projective.projective_rational_point.sieve

Pari :

• 2-descent
• Heegner point

Magma :

• 2, 3, 4, 5-descent
• Heegner point
• Elkies LLL method

(Big thanks to @grhkm, @hellman, @genni for their explanations and writeups)

Can we do better ?

Well all we have to do is just implement right ? The papers are just there…

Problem here is just big skill issue on my side 🗿. So here is my tale of trying to implement these algorithm.

The basics of 2-descent

Before trying anything new and because the method we want to later implement rely on 2-descent, let’s start with that because boy do we have some things to do already.

The Setup

Let’s start with an Elliptic curve $E(\mathbb Q)$ with full 2-torsion to make things easier, what that means is if we take a short Weierstrass form :

Then the polynomial $x^3 + ax + b$ has $3$ roots $e_1$, $e_2$ and $e_3$ over $\mathbb Q$.

> Haven’t we found the point we so desired yet then ?? Was easy after all…

Well… Not really even though $(e_i, 0)$ are indeed points they are just torsion points on the curve they are not of any interest as they live alone in their own subgroup (by Mordell-Weil theorem $E(\mathbb Q) = E_{tors} \times \mathbb Z^r$)

In our case we are looking for non trivial-points, meaning those outside $E_{tors}$ (this assumes $r>0$ but we won’t worry about the rank for this time).

Do also note that recovering all the torsion points (not only 2-torsion) is easy thanks to the Nagell–Lutz theorem.

> Isn’t the assumption that our curve has full 2-torsion a bit strong ?

Yes and no, most paper just tell you that in the non full 2-torsion case, there exist some extension of $\mathbb Q$ s.t $x^3 + ax + b$ splits and everything works the same, in practice it’s less trivial to implement but our case of interest (the curve for the Surface challenge) is full 2-torsion so let’s start from there.

We may also consider that the curve has coefficients over $\mathbb Z$, by realizing that our curve is isomorphic to

Via the following isomorphism $\phi(x, y) = (x u^{-2}, y u^{-3})$, so all we have to do is choose $u$ s.t the denominator of $a$ and $b$ divides $u$ (there is actually a canonical way of doing that while trying to keep the coefficients as small as possible : minimal models).

The “descent”

The descent procedure that I present here might seem a little “had-hoc” but I do not understand the complicated math and fancy diagrams required to have the mathematical reasons for it 🗿 so let’s stick to and easy construction.

Let’s first consider a projective point on the curve $(x : y : z)$ with $(x, y, z) \in \mathbb Z^3$ (we can always scale $z$ s.t $x, y$ lies in $\mathbb Z$)

We can then decompose each coordinate into a product of a square-free rational times a square, we will be doing that for each $x - e_i z^2$ :

with $b_i \in \mathbb Z^* \setminus (\mathbb Z^*)^2$ and $z_i \in \mathbb Z$

Then we cancel out the $x$:

Ok so now we reduced our problem to finding even more random variables… but fortunately we can do a bit of number theory to deal with the $b_i$.

Not the $b$’s

By using the fact that $\ gcd(a, b) | ka + lb$ ; notice that $\gcd(x - e_1 z^2, x - e_2 z^2) | (e_2 - e_1) z^2$ and $\gcd(x - e_1 z^2, x - e_2 z^2) | (e_1 - e_2) x$.

But we also have that if $a | b$ and $a | c$ then $a | \gcd(b, c)$ so $\gcd(x - e_1z^2, x - e_2 z^2) | \gcd((e_2 - e_1) z^2, -(e_2 - e_1) x)$. Notice that w.l.o.g we can consider that $\gcd(x, z^2) = 1$ otherwise it means $z$ is not minimal (basically we can consider $x/z^2$ irreducible as a consequence of the projective representation).

So finally :

We may generalize $\forall (i, j) \in [\![1, 3]\!], i \ne j$ :

Now we come back to the initial definition of the $b_i$’s and plug it in the elliptic curve equation, we get :

which means despite each $b_i$ being square-free, their product must be a square.

Let’s consider some prime $p$ and some $i \in [\![1, 3]\!]$ s.t $p | b_i$ then because $b_i$ is square-free, $v_p(b_i) = 1$ (the exponent of $p$ in the prime decomposition of $b_i$ is $1$) but $b_1 b_2 b_3$ is a square ! That means that $p$ must divide exactly one of the other $b_i$, formally : $\exists j \in [\![1, 3]\!] \setminus {i}$ s.t $p | b_j$.

And now we can use our previous property because $p | \gcd(b_i, b_j)$ so $p | \gcd(b_i z_i^2, b_j z_j^2)$ which by definition means $p | \gcd(x - e_i z^2, x - e_j z^2)$ and finally :

which in turns mean :

Conclusion : we can iterate threw the square free divisors of $(e_1 - e_2)(e_2 - e_3)(e_1 - e_3)$, for $b_1$ and $b_2$ and take $b_3$ as the square-free part of $b_1 b_2$ : we only have a finite amounts of possibilities for the 🐝!

Ternary quadratic forms

Ok so now we consider that in our program we’ll just iterate over the values for $b_i$ so from now on, I consider them as fixed.

Building it

Let’s continue from the previous system of equations :

by dividing the equation to cancel the $z$ variable we get :

We can first simplify the fixed fraction (make irreducible) : $\cfrac{e_2 - e_1}{e_3 - e_1} = \cfrac{r_2}{r_3}$

and we get our desired ternary quadratic form which is already in diagonal form by cross multiplying :

Reducing it

Let’s consider a generic ternary quadratic form $ax^2 + by^2 + cz^2 = 0$, the important algebraic fact about this equation is that it has genus 0 which means Hasse principle applies, but before going down that road let’s simplify things a bit :

• First if $g = \gcd(a, b, c)$ is non trivial we can divide $a, b, c$ by $g$
• If for a prime $p$, $p^2 | a$ then see that if $x’, y, z$ is a solution to $\frac{a}{p^2}{x’}^2 + by^2 + cz^2 = 0$ then $x := px’$ is a solution to the original equation
• If for a prime $p$, $p | a$ and $p | b$ then we can multiply $a, b$ and $c$ by $p$ and apply the previous simplification to $a$ and $b$. This way a prime never divides more than one of the coefficient.

By symmetry on the roles of $a, b$, and $c$ one may apply these rules until $a, b$ and $c$ are pairwise coprime and $abc$ is square-free.

Solving it

as mentioned previously we then make use the the Hasse principle which if it applies (to a given curve) that if the equation is locally soluble over every $\mathbb Q_p$ and over $\mathbb R$ then it’s soluble over $\mathbb Q$.

Practically this means that if its soluble over $\mathbb R$ which in our case just means $a, b$ and $c$ don’t all have the same sign then we can solve $\mod p$ for multiple $p$ and pieces these solutions together using the chinese reminder theorem.

In particular, if we take $p$ a prime number s.t $p | a$ then :

Meaning

Then we can check the existence of such modular square root using Euler’s criterion and perform the square root using Tonelli-Shanks. The first interesting thing here is that if there is no square root then we know for sure the quadratic form has no solution.

In practice this is very useful as it helps narrowing down the set of $b_i$ that are worth keeping.

If such root exist ($r^2 \equiv \frac{-c}{b} \pmod p$) then :

$y - rz \equiv 0 \pmod p$

Doing that for several $p$ we accumulate relations which we can combine to get something of the form :

In practice because of the problems with $p = 2$ and a million boring disjunction of case later we can even get :

But… This is only a necessary condition ? Yes… but there is more to it, we actually know that the solution space of quadratic forms is … you guessed it … a lattice !

In particular the smallest vector satisfying $(1)$, will yield a solution to the original equation.

We want moooooooooooore

So we did indeed found a solution, but unsurprisingly, because we have a single equation and 3 free variables it is not unique. It’s still worth trying it before down parametrization though.

Let’s take an initial solution $ax_0^2 + by_0^2 + cz_0^2 = 0$, then taking $x = x_0 W + U$, $y = y_0 W + V$ and $z = z_0 W$ we get :

So it suffice to take $W = \cfrac{aU^2 + bV^2}{-2by_0V}$ and we have a parametrization !

Side note : John Cremona’s paper introduces an other parametrization (which is just a sub-parametrization of this one) with lower discriminant meaning it still parametrizes the same solution space but it does so with $Q’_i(U, V)$ being “generally smaller” than $Q_i(U, V)$ which is desirable for sieving afterwards.

Conclusion : for a ternary quadratic form $f$ we can find $Q_i(U, V) = r_iU^2 + s_i UV + t_i V^2$ with $i \in [\![1, 3]\!]$, s.t $(Q_1(U, V), Q_2(U, V), Q_3(U, V))$ is the set of solutions to $f(x, y, z) = 0$.

Up the genus

Now we just re-inject the previous parametrization for the quadratic form in the first equation of our system :

One can chec that $\forall (U, V) \in \mathbb Z^2, e_2 - e_1 | b_1 Q_1(U, V)^2 - b_2 Q_2(U, V)^2$ and because $Q_1$ and $Q_2$ are homogeneous we just have an equation for a hyperelliptic curve of genus $2$ or $3$ in projective coordinate !

We can now use some form of sieving to find points or do higher descent.

Conclusion

I am currently working on an implementation based on FLINT. If I have not released it yet, I’ll make the implementation open-source soon. There are a few things I’d like to be implemented :

• Factorization book-keeping
• The 2-descent itself
• Ternary quadratic form resolution (ideally the better algo that does not factor nor use LLL)
• Some solubility criterion on hyper-elliptic curve
• Some form of sieving either specific to hyper-elliptic curve or generic like in sage

This is a draft, I am no expert, do tell me if I wrote something wrong or unclear…

Jafar is a SPN with 2 main aspect a round function $R$ and a middle part $M$. The Jafar Encryption can be simply decribed as $J = R \circ M \circ R$, where $M$ is the middle part and $R$ correspond to the 20 rounds of AddKey, Sbox and Permute. Since we are given only a limited amount of queries and that we have access to both encryption and decryption, boomerang attack comes to mind pretty quickly but in boomeran we need 2 encryptions and 2 decryptions…

Analysis

The first thing to do when we have a SBox is to steal Poustouflan’s tool and run it…

SBox is not linear.
However, these equations hold with probability 100.0%:
  y7 = x4 
  y2 = x6 
  y7 ⊕ y2 = x6 ⊕ x4 
where y = S(x).
This can be considered as a cryptographic weakness and can lead to linear cryptanalysis.

SBox is differential! For all x,
  S(x)⊕129 = S(x⊕24)
  S(x)⊕7 = S(x⊕74)
  S(x)⊕134 = S(x⊕82)

Since we only have 3 queries, linear attack is unlickly (3 bits of linear is not enough). So let’s look into the differential attack.

Differential for the round function

When we have a differential for the SBox, it’s pretty common to just try to get a differential for the whole round.

A very lazy but fast way to do this without fancy MILP is realise that our differential for each byte is either 0, 24, 74 or 82. So since we have 16 bytes thats $4^{16} = 2^{32}$ possibilities. Let’s BF…

We can cut any differential path that end up having a non differential as the input of one of the SBox

delta = {0: 0, 24: 129, 74: 7, 82: 134}

pos = list(delta.keys())

for diff in product(pos, repeat=16):
    state = list(diff)
    good = True
    for rnd in range(20):
        for i in range(16):
            if not state[i] in pos: 
                good = False
                break
            else:
                state[i] = delta[state[i]]
        if not good: break
        state = Permute(state)
    if not good: continue

    print("GOOD :", diff, "|", state)

Eventually we find the differential pair:

full_diff_in  = (0, 0, 0, 0, 0, 74, 0, 0, 0, 0, 24, 0, 0, 74, 0, 0)
full_diff_out = (0, 0, 74, 0, 0, 0, 0, 0, 82, 0, 0, 24, 0, 0, 0, 0)

Full Cipher

What we are going to do is then very similar to boomerang, our goal will be to deduce a pair cleartext/ciphertext $P, C$ without asking for it.

Let’s recall some of the properties so far:

• $\forall P: R(P + \Delta) = R(P) + \Delta'$
• $\forall P: R^{-1}(P + \Delta’) = R^{-1}(P) + \Delta$
• $\forall P, Q: M(P + Q) = M(P) + M(Q)$ as $M$ is just a multiplication in a Galois field so it’s linear
• $\forall P, Q: M^{-1}(P + Q) = M^{-1}(P) + M^{-1}(Q)$ and so is it’s inverse

Let’s now consider a fixed plaintext $p$ that we know, the only two first reasonable queries we might do is either $J(p + \Delta)$ or $J^{-1}(p + \Delta’)$, let’s start with the first (I think both work by symmetry…):

From there again, logically the only thing we can do here is decrypt… Decrypting the same thing really doest make sense so let’s do the only sensible thing :

$C_2 = J^{-1}(C_1 + \Delta’) = R^{-1}(M^{-1}(R^{-1}(C_1 + \Delta’))) = R^{-1}(M^{-1}(R^{-1}(C_1) + \Delta)) = R^{-1}(M^{-1}(R^{-1}(C_1)) + M^{-1}(\Delta))$

and :

$C_2 = R^{-1}(M^{-1}(R^{-1}(C_1 +\Delta’))) = R^{-1}(M^{-1}(R^{-1}(C_1) +\Delta)) = R^{-1}(M^{-1}(M(R(p) + \Delta’) +\Delta))$

and…..

You get the idea, by elimination we should probably do $J(C_2 + \Delta)$

$ C_3 = J(C_2 + \Delta) = R(M(R(C_2 + \Delta))) = R(M(R(C_2) + \Delta’)) = R(M(R(p) + \Delta’ + M^{-1}(\Delta) + \Delta’)) = R(M(R(p) + M^{-1}(\Delta)))$

And good grief finally :

And boom here it is then $(p, C_3 + \Delta’)$ is a valid plaintext/ciphertext that’s not been queried before…

Wrap-up and code

Very fun challenge, knowning about boomerang really helped, the proof is longer than it needs to be but very pleasing.

from pwn import remote, process
from Crypto.Util.number import *
from sage.all import *
from itertools import product
import os
from chall import *


def xor(a, b):
    return bytes(k ^ l for k, l in zip(a, b))


delta = {0: 0, 24: 129, 74: 7, 82: 134}

pos = list(delta.keys())

for diff in product(pos, repeat=16):
    state = list(diff)
    good = True
    for rnd in range(20):
        for i in range(16):
            if not state[i] in pos: 
                good = False
                if rnd > 1: print(rnd)
                break
            else:
                state[i] = delta[state[i]]
        if not good: break
        state = Permute(state)
    if not good: continue

    print("GOOD :", diff, "|", state)

#io = process(["python", "chall.py"])
io = remote("chall.fcsc.fr", 2153)
full_diff_in  = (0, 0, 0, 0, 0, 74, 0, 0, 0, 0, 24, 0, 0, 74, 0, 0)
full_diff_out = (0, 0, 74, 0, 0, 0, 0, 0, 82, 0, 0, 24, 0, 0, 0, 0)

P = os.urandom(16)

####
io.recvuntil(b">>> ")
io.sendline(b"enc")
io.recvuntil(b">>> ")
io.sendline(xor(P, full_diff_in).hex().encode())
io.recvline()

C = bytes.fromhex(io.recvline().decode().strip())

####
io.recvuntil(b">>> ")
io.sendline(b"dec")
io.recvuntil(b">>> ")
io.sendline(xor(C, full_diff_out).hex().encode())
io.recvline()

A = bytes.fromhex(io.recvline().decode().strip())

####
io.recvuntil(b">>> ")
io.sendline(b"enc")
io.recvuntil(b">>> ")
io.sendline(xor(A, full_diff_in).hex().encode())
io.recvline()

B = bytes.fromhex(io.recvline().decode().strip())

###############
io.recvuntil(b">>> ")
io.sendline(P.hex().encode())

io.recvuntil(b">>> ")
io.sendline(xor(B, full_diff_out).hex().encode())

print(io.recvline())
print(io.recvline())

In this challenge we have a pretty single encryption scheme and very few relations to work with, smells like lattice to me…

Analysis

There are only two blocks so let’s put it into a system:

Here lattice will surely work because of the imbalance in term of coefficient sizes :

• $b_1, b_2$ are 256 bits
• $s$ is 1024 bits
• $\texttt{iv}_1, \texttt{iv}_2$ are 1024 as well
• $k_1, k_2$ are 1024 bits

So the blocks are way smaller, let’s build a null combinaison and encourage LLL/BKZ to go towards it with scalling:

So

The reason we want to eliminate $s$ is is because we want linear combinaisons of the unknowns and $k_1 s$ or $k_2 s$ prevent that.

LLL BKZ time

So from the equation above the coefficients we want in front of $c_1$ and $c_2$ should be 256 bits smaller than the ones in from of $\texttt{iv}_1$ and $\texttt{iv}_2$, so with the right scalling (scalling heavily on the null equation ofc) we can use the lattice :

The code

That is pretty much it (we also have to deal with the sign but that’s no big deal)

from pwn import remote, process
from Crypto.Util.number import *
from sage.all import *
from gmo.all import *
import json

f = json.loads(open("out.txt", "r").read())
bs = 1024 // 32

iv1 = f[0]["iv"]
c1 = f[0]["c"]

iv2 = f[1]["iv"]
c2 = f[1]["c"]

lattice = [[c1, c2, iv1, iv2],
           [1,  0,  0,   0],
           [0,  1,  0,   0],
           [0,  0,  1,   0],
           [0,  0,  0,   1]]


lat = matrix(ZZ, lattice).transpose()
scale = diagonal_matrix([2**1024, 2**256, 2**256, 1, 1])

r = (lat * scale).BKZ() / scale
flag = b""
for v in r:
    if v[0] == 0:
        print(v)
        k2, k1, k2b1, k1b2 = list(map(int, v[1:]))
        if k2b1 % k2 == 0 and k1b2 % k1 == 0:
            b2 = k1b2 // k1
            b1 = k2b1 // k2
            if b1 < 0:
                b1 *= -1
                b2 *= -1
            print(int.to_bytes(b1, bs,"big") + int.to_bytes(b2, bs,"big"))

And the flag: FCSC{8fd540e4620d3b873be4dcc074e3fb84f528a5800ffbb31dd158a8b7d5}

Curve isomorphism

This is a classic problem of cubic equation, it turns out that every cubic equation (that is not degenerate) is isomorphic to an elliptic curve, Sagemath has a conveniant function for that, so let’s quickly look at the isomorphism (and its inverse function) :

P = QQ["p, s, b"]
p, s, b = P.gens()

eq = p ** 3 - 94 * b ** 3 + s ** 3

f = EllipticCurve_from_cubic(eq)
print(f)
fi = f.inverse()
print(fi)

we get :

Scheme morphism:
  From: Projective Plane Curve over Rational Field defined by p^3 + s^3 - 94*b^3
  To:   Elliptic Curve defined by y^2 - 846*y = x^3 - 238572 over Rational Field
  Defn: Defined on coordinates by sending (p : s : b) to
        (-b : -3*p : -1/282*p - 1/282*s)
Scheme morphism:
  From: Elliptic Curve defined by y^2 - 846*y = x^3 - 238572 over Rational Field
  To:   Projective Plane Curve over Rational Field defined by p^3 + s^3 - 94*b^3
  Defn: Defined on coordinates by sending (x : y : z) to
        (-1/3*y : 1/3*y - 282*z : -x)

Solving the whole challenge

We want a solution with :

• $ 1 \le p$
• $ 1 \le s \le p$
• $ 1 \le b \le p$

We know its easy to find and iterate over points on an elliptic curve which by isomorphism will correspond to solutions of the equation, but we have to deal with the constraints…

Well, I just iterated from a generator of the curve until I found a solution with the constrains, not sure if it would work in the general case but it’s always good to try your first idea and see what comes next, I was lucky and that was an immediate flag.

And because we’re working in the projective plane normalized in $Z$ for elliptic curves, we have to bring back the solution from $\mathbb Q$ to $\mathbb Z$ which is done by multiplying $p_s$ and $s_s$ by their corresponding lcm.

from sage.all import *
from itertools import count
from hashlib import sha256

P = QQ["p, s, b"]
p, s, b = P.gens()
eq = p ** 3 - 94 * b ** 3 + s ** 3

f = EllipticCurve_from_cubic(eq)
fi = f.inverse()

E = f.codomain()
G = E.gen(0)

for i in count(start = 1):
    ps, ss, bs = fi(i*G)
    if (ps > 0 and ss > 0 and bs > 0):
        y = lcm(ps.denom(), ss.denom())
        ps *= y
        ss *= y
        bs *= y

        h = sha256(str(bs).encode()).hexdigest()

        print(f"FCSC{{{h}}}")
        exit()

flag : FCSC{2c69e5056f2a80af36c0880a2395472e51b448730a1c5c06b2b0d8e0a3b466b6}

In this chall we are presented with a cipher entierely based on the AES key schedule derivation function. Seing such a “well known” construction hints us towards the literature.

The paper

Indeed, one paper “New Representations of the AES Key Schedule” gives us most of what we need to solve.

Cipher description

AES Key derivation

Let’s denote by $D_i(k_0, k_1, \cdots, k_{15}) = (s_0, s_1, \cdots, s_{15})$ the AES key-derivation function on the 16 bytes of the key with the $i$-th RCON (taking $i=0$ being no round constant).

The full description of $D_i$ is a bit cumbersome to fully write down but each of the $s_i$ is a linear combinaison in $\text{GF}(2^8)$ (xor) of multiple $k_i$, $S[k_{12}], S[k_{13}], S[k_{14}], S[k_{15}]$ and $c_i$ where $c_i$ are the RCON constants and S is the AES SBox.

Graphically the AES derivation function looks like :

The cipher

Then the cipher simply derives round keys from the original key $k$ just like AES :

$k_i = (D_i \circ D_{i-1} \circ \cdots \circ D_2 \circ D_1)(k)$

The round function is then $R_i(B) = R_0^5(B \oplus k_i)$ And then the ciphertext $C$ can be expressed from the plaintext $P$ as :

$C = (R_9 \circ R_8 \circ \cdots \circ R_0)(P) \oplus k_{10}$

The main weakness here is the low number of SBox in the key derivation and the particular linear structure that propagates threw the cipher/

Exploiting the paper’s idea

The paper essentialy describes a way to “untwist” the key schedule and find a representation aka a morphisomorphismism that makes it so that each of the four 32-bit words of each key act independently.

The key thing her is that this isomorphism is a linear function, that we can indeed represent by a matrix and as the iso suggest, it is invertible.

And under this isomorphism the key schedule looks like this :

Because our cipher is only comprised of AES key derivation rounds and xor with other derived keys, if we “change basis” to using the isomorphism each block of 32 bit acts independently, we can test this by running :

def morph(l):
    k0, k1, k2, k3, k4, k5, k6, k7, k8, k9, k10, k11, k12, k13, k14, k15 = l
    return [k15,                 #s0
            k14 ^ k10 ^ k6 ^ k2, #s1
            k13 ^ k5,            #s2
            k12 ^ k8,            #s3

            k14,                 #s4
            k13 ^ k9 ^ k5 ^ k1,  #s5
            k12 ^ k4,            #s6
            k15 ^ k11,           #s7

            k13,                 #s8
            k12 ^ k8 ^ k4 ^ k0,  #s9
            k15 ^ k7,            #s10
            k14 ^ k10,           #s11

            k12,                 #s12
            k15 ^ k11 ^ k7 ^ k3, #s13
            k14 ^ k6,            #s14
            k13 ^ k9]            #s15

def unmorph(l):
    s0, s1, s2, s3, s4, s5, s6, s7, s8, s9, s10, s11, s12, s13, s14, s15 = l
    return [s9 ^ s6 ^ s3 ^ s12,
            s5 ^ s2 ^ s15 ^ s8,
            s1 ^ s14 ^ s11 ^ s4,
            s13 ^ s10 ^ s7 ^ s0,

            s6 ^ s12,
            s2 ^ s8,
            s4 ^ s14,
            s0 ^ s10,
            
            s3 ^ s12,
            s8 ^ s15,
            s4 ^ s11,
            s0 ^ s7,
            
            s12,
            s8,
            s4,
            s0]

assert unmorph(morph(k)) == k
assert morph(unmorph(k)) == k

p0 = os.urandom(4) + b"\x00" * 12
p1 = os.urandom(4) + b"\x00" * 12

T1 = TightSchedule(bytes(unmorph(p0)))
T2 = TightSchedule(bytes(unmorph(p1)))

P = os.urandom(16)
print(morph(T1.encrypt(P)))
print(morph(T2.encrypt(P)))

which gives :

[158, 26, 238, 6, 109, 180, 134, 118, 161, 162, 243, 21, 121, 190, 182, 230]
[158, 26, 238, 6, 109, 180, 134, 118, 160, 171, 167, 43, 121, 190, 182, 230]

and only the third block has changed under the morphism ! So then its just a matter of four 32-bit bruteforces

The solution

Nothing better than C++

Because python is going to be slow and CPU designers have done great things to include cryptography stuff, let’s use C++.

In particular we can benefit from the _mm_aeskeygenassist_si128 intrinsic to implement a very fast version of the cipher :

First the key stolen found on the internet :

template<auto R>
inline state aes_128_key_assist(state prev_key) 
{
    state temp = _mm_aeskeygenassist_si128(prev_key, R);
    temp = _mm_shuffle_epi32(temp, 0xff);
    state next_key = _mm_slli_si128(prev_key, 4);
    next_key = _mm_xor_si128(next_key, prev_key);
    next_key = _mm_slli_si128(next_key, 4);
    next_key = _mm_xor_si128(next_key, prev_key);
    next_key = _mm_slli_si128(next_key, 4);
    next_key = _mm_xor_si128(next_key, prev_key);
    return _mm_xor_si128(next_key, temp);
}

Then the cipher itself in a couple of lines

#define TSRound(p, k, rcon) do {p = _mm_xor_si128(p, k); \
                            for (uint8_t j = 0; j < 5; j++) \
                                p = aes_128_key_assist<0>(p); \
                            k = aes_128_key_assist<rcon>(k); } while (0)

state TSencrypt(state s, state k)
{
    state p = s;
    TSRound(p, k, RCON[1]);
    TSRound(p, k, RCON[2]);
    TSRound(p, k, RCON[3]);
    TSRound(p, k, RCON[4]);
    TSRound(p, k, RCON[5]);
    TSRound(p, k, RCON[6]);
    TSRound(p, k, RCON[7]);
    TSRound(p, k, RCON[8]);
    TSRound(p, k, RCON[9]);
    TSRound(p, k, RCON[10]);
    p = _mm_xor_si128(p, k);

    return p;
}

The morphism and it’s inverse as described by the paper :

void morph(uint8_t* out, uint8_t* in)
{
    out[0]  = in[15];
    out[1]  = in[14] ^ in[10] ^ in[6] ^ in[2];
    out[2]  = in[13] ^ in[5];
    out[3]  = in[12] ^ in[8];
    out[4]  = in[14];
    out[5]  = in[13] ^ in[9] ^ in[5] ^ in[1];
    out[6]  = in[12] ^ in[4];
    out[7]  = in[15] ^ in[11];
    out[8]  = in[13];
    out[9]  = in[12] ^ in[8] ^ in[4] ^ in[0];
    out[10] = in[15] ^ in[7];
    out[11] = in[14] ^ in[10];
    out[12] = in[12];
    out[13] = in[15] ^ in[11] ^ in[7] ^ in[3];
    out[14] = in[14] ^ in[6];
    out[15] = in[13] ^ in[9];       
}

void unmorph(uint8_t* out, uint8_t* in)
{
    out[0]  = in[9] ^ in[6] ^ in[3] ^ in[12];
    out[1]  = in[5] ^ in[2] ^ in[15] ^ in[8];
    out[2]  = in[1] ^ in[14] ^ in[11] ^ in[4];
    out[3]  = in[13] ^ in[10] ^ in[7] ^ in[0];
    out[4]  = in[6] ^ in[12];
    out[5]  = in[2] ^ in[8];
    out[6]  = in[4] ^ in[14];
    out[7]  = in[0] ^ in[10];
    out[8]  = in[3] ^ in[12];
    out[9]  = in[8] ^ in[15];
    out[10] = in[4] ^ in[11];
    out[11] = in[0] ^ in[7];
    out[12] = in[12];
    out[13] = in[8];
    out[14] = in[4];
    out[15] = in[0];    
}

And finally the attack made up of the four 32-bit BFs :

int main()
{
    const char plaintext[] = "0dfa4c6052fb87ef0a8f03f705dd5101";
    const char ciphrtext[] = "d4ed19e0694101b6b151e11c2db973bf";
    uint8_t pt[16];
    uint8_t ct[16];
    hex_to_bytes((uint8_t*)pt, (char*)plaintext);
    hex_to_bytes((uint8_t*)ct, (char*)ciphrtext);

    uint8_t ct_morph[16];
    uint8_t enc_bytes[16];
    morph(ct_morph, ct);

    uint8_t key[16] = {0};
    uint8_t key_bf[16] = {0};

    uint32_t* key_bf_blck = (uint32_t*)key_bf;
    
    uint32_t* ct_morph_blck = (uint32_t*)ct_morph;
    state state_pt = _mm_loadu_si128((state*)pt);

    uint8_t morph_enc[16];
    uint32_t* morph_enc_blck = (uint32_t*)morph_enc;

    printf("BF first part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[2] == ct_morph_blck[2])
            break;
        key_bf_blck[0]++;
    }
    
    printf("BF second part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[3] == ct_morph_blck[3])
            break;
        key_bf_blck[1]++;
    }

    printf("BF third part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[0] == ct_morph_blck[0])
            break;
        key_bf_blck[2]++;
    }

    printf("BF last part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[1] == ct_morph_blck[1])
            break;
        key_bf_blck[3]++;
    }

    printf("KEY =");
    for (uint8_t i = 0; i < 16; i++)
        printf("%02x", key[i]);
    printf("\n");

    return 0;
}

Running it :

>>> time ./solve
BF first part
BF second part
BF third part
BF last part

The End

With this we can recover the main key wich is 6c08d6d62cce26530b3f22b34c40995a

And get our flag :

from Crypto.Cipher import AES

flag_enc = bytes.fromhex("653ec0cdd7e3a98c33414be8ef07c583d87b876afbff1d960f8f43b5a338e9ff96d87da4406ebe39a439dab3a84697d40c24557cd1ea6f433053451d20ce1fbf191270f4b8cc7891f8779eb615d35c9f")
key = bytes.fromhex("6c08d6d62cce26530b3f22b34c40995a")
iv = bytes.fromhex("cd31cb6e6ded184efbb9a398e31ffdbb")

E = AES.new(key, AES.MODE_CBC, iv = iv)
print(E.decrypt(flag_enc))

Hurray FCSC{1efc507f987a19a5925b85e8dcc78c7011ef22e8f23bd7ebadf6aff3ed1416f9} !!!

Full code of “solve.cpp”

Don’t forget to use march=native for intrisics

#include <stdio.h>
#include <wmmintrin.h>
#include <immintrin.h>
#include <stdint.h>

typedef __m128i state;
constexpr uint8_t RCON[] = {0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36};

void hex_to_bytes(uint8_t* bytes, char* hex_string) 
{
    for (int i = 0; i < 16; ++i)
        sscanf(hex_string + 2 * i, "%2hhx", &bytes[i]);
}

state hex_to_m128i(char* hex_string) 
{
    uint8_t bytes[16];
    hex_to_bytes(bytes, hex_string);
    return _mm_loadu_si128((state*)bytes);
}

void print_m128i_hex(state value) 
{
    uint8_t bytes[16];
    _mm_storeu_si128((state*)bytes, value);

    for (int i = 0; i < 16; ++i)
        printf("%02x", bytes[i]);
    
    printf("\n");
}

template<auto R>
inline state aes_128_key_assist(state prev_key) 
{
    state temp = _mm_aeskeygenassist_si128(prev_key, R);
    temp = _mm_shuffle_epi32(temp, 0xff);
    state next_key = _mm_slli_si128(prev_key, 4);
    next_key = _mm_xor_si128(next_key, prev_key);
    next_key = _mm_slli_si128(next_key, 4);
    next_key = _mm_xor_si128(next_key, prev_key);
    next_key = _mm_slli_si128(next_key, 4);
    next_key = _mm_xor_si128(next_key, prev_key);
    return _mm_xor_si128(next_key, temp);
}

#define TSRound(p, k, rcon) do {p = _mm_xor_si128(p, k); \
                            for (uint8_t j = 0; j < 5; j++) \
                                p = aes_128_key_assist<0>(p); \
                            k = aes_128_key_assist<rcon>(k); } while (0)

state TSencrypt(state s, state k)
{
    state p = s;
    TSRound(p, k, RCON[1]);
    TSRound(p, k, RCON[2]);
    TSRound(p, k, RCON[3]);
    TSRound(p, k, RCON[4]);
    TSRound(p, k, RCON[5]);
    TSRound(p, k, RCON[6]);
    TSRound(p, k, RCON[7]);
    TSRound(p, k, RCON[8]);
    TSRound(p, k, RCON[9]);
    TSRound(p, k, RCON[10]);
    p = _mm_xor_si128(p, k);

    return p;
}

void morph(uint8_t* out, uint8_t* in)
{
    out[0]  = in[15];
    out[1]  = in[14] ^ in[10] ^ in[6] ^ in[2];
    out[2]  = in[13] ^ in[5];
    out[3]  = in[12] ^ in[8];
    out[4]  = in[14];
    out[5]  = in[13] ^ in[9] ^ in[5] ^ in[1];
    out[6]  = in[12] ^ in[4];
    out[7]  = in[15] ^ in[11];
    out[8]  = in[13];
    out[9]  = in[12] ^ in[8] ^ in[4] ^ in[0];
    out[10] = in[15] ^ in[7];
    out[11] = in[14] ^ in[10];
    out[12] = in[12];
    out[13] = in[15] ^ in[11] ^ in[7] ^ in[3];
    out[14] = in[14] ^ in[6];
    out[15] = in[13] ^ in[9];       
}

void unmorph(uint8_t* out, uint8_t* in)
{
    out[0]  = in[9] ^ in[6] ^ in[3] ^ in[12];
    out[1]  = in[5] ^ in[2] ^ in[15] ^ in[8];
    out[2]  = in[1] ^ in[14] ^ in[11] ^ in[4];
    out[3]  = in[13] ^ in[10] ^ in[7] ^ in[0];
    out[4]  = in[6] ^ in[12];
    out[5]  = in[2] ^ in[8];
    out[6]  = in[4] ^ in[14];
    out[7]  = in[0] ^ in[10];
    out[8]  = in[3] ^ in[12];
    out[9]  = in[8] ^ in[15];
    out[10] = in[4] ^ in[11];
    out[11] = in[0] ^ in[7];
    out[12] = in[12];
    out[13] = in[8];
    out[14] = in[4];
    out[15] = in[0];    
}

int main()
{
    const char plaintext[] = "0dfa4c6052fb87ef0a8f03f705dd5101";
    const char ciphrtext[] = "d4ed19e0694101b6b151e11c2db973bf";
    uint8_t pt[16];
    uint8_t ct[16];
    hex_to_bytes((uint8_t*)pt, (char*)plaintext);
    hex_to_bytes((uint8_t*)ct, (char*)ciphrtext);

    uint8_t ct_morph[16];
    uint8_t enc_bytes[16];
    morph(ct_morph, ct);

    uint8_t key[16] = {0};
    uint8_t key_bf[16] = {0};

    uint32_t* key_bf_blck = (uint32_t*)key_bf;
    
    uint32_t* ct_morph_blck = (uint32_t*)ct_morph;
    state state_pt = _mm_loadu_si128((state*)pt);

    uint8_t morph_enc[16];
    uint32_t* morph_enc_blck = (uint32_t*)morph_enc;

    printf("BF first part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[2] == ct_morph_blck[2])
            break;
        key_bf_blck[0]++;
    }
    
    printf("BF second part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[3] == ct_morph_blck[3])
            break;
        key_bf_blck[1]++;
    }

    printf("BF third part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[0] == ct_morph_blck[0])
            break;
        key_bf_blck[2]++;
    }

    printf("BF last part\n");
    while (1)
    {
        unmorph(key, key_bf);
        state enc = TSencrypt(state_pt, _mm_loadu_si128((state*)key));
        _mm_storeu_si128((state*)enc_bytes, enc);
        morph(morph_enc, enc_bytes);
        if (morph_enc_blck[1] == ct_morph_blck[1])
            break;
        key_bf_blck[3]++;
    }

    printf("KEY =");
    for (uint8_t i = 0; i < 16; i++)
        printf("%02x", key[i]);
    printf("\n");

    return 0;
}

So all we have to do is find a 20-bytes plaintext that encode to a $40$-element vector with each coordinates being bigger then the ones present in the encoding of the known message.

However we are working $\pmod {257}$, so we are essentially trying to find a vector $v$ that is decodable, such that if we denote $e$ the $40$-element vector corresponding to the encoding of the string WINTERNITZ IS COMING then we want :

What I mean by decodable is that, because the matrix that is used in the encoding step isn’t square, not every 40-element vector will have a corresponding 20-byte plaintext, so if we denote $M$ the matrix used in the encoding step :

Using $S_i : \text{Support[i - 1]}$

We need to find $v$ such that $v \in \text{Im}(M^T)$ Meaning we want a reduced basis of $M^T$ that has coordinates that satisfies (E). Thus we want a vector close to :

All thats that is left is to plug this into a Babai solver, but don’t forget we’re working in $\mathbb Z / 257 \mathbb Z$ so the lattice will be :

So now $A = \text{Babai_CVP}(\mathcal L, T)$ should do the trick however :

A = Babai_CVP(B2, T)
print(A)
for i in range(40):
    if not A[i] < 257:
        print(i, "too big :", A[i])
    if not (A[i] >= e[i]):
        print(i, "too small :", A[i])

returns that one or two components are slightly off $\dots$ Manual tweaking and trial and error ended up working for me.

# hand tweaking is dirty but works
Tv = [(k + 257 - 1) // 2 for k in e]
Tv[23] -= 3
Tv[38] -= 1
Tv[23] += 1
T = vector(ZZ, Tv)

A = Babai_CVP(B2, T)
print(A)
for i in range(40):
    if not A[i] < 257:
        print(i, "too big :", A[i])
    if not (A[i] >= e[i]):
        print(i, "too small :", A[i])

After that all I had to do was recover the plaintext :

K = GF(257, proof=False)
def _decoding(w):
    m_enc = vector(K, list(w))
    return bytes([ int(k) % 256 for k in M.solve_right(m_enc)])
Mess = _decoding(A)

However, another annoying thing… since converting to byte is mod 256 and not mod 257, we have to have a decoded $v$ with no component being 256, again this is rare (but happened to me 🐐) so manual tweaking again…

# hand tweaking is dirty but works
Tv = [(k + 257 - 1) // 2 for k in e]
Tv[23] -= 3
Tv[38] -= 1
Tv[23] += 1
T = vector(ZZ, Tv)

A = Babai_CVP(B2, T)
print(A)
for i in range(40):
    if not A[i] < 257:
        print(i, "too big :", A[i])
    if not (A[i] >= e[i]):
        print(i, "too small :", A[i])

de = _decoding_partial(A)
if 256 in de:
    print("unlucky !! ")

And with that we can construct a valid plaintext, and “build up” the given signature to another one :

for i in range(40):
    for j in range(e[i]+1, A[i]+1):
        sig[i] = _H(sig[i], pk[0], i, j)

and with that we get the flag : FCSC{e2987e3e48e51343df63218484d5e760faf5cf15c9f01a8649a483a91c31ce11}

Complete script :

from sage.all import *
from hashlib import sha256
from pwn import remote
from ast import literal_eval
message = b"WINTERNITZ IS COMING"

########################
conn = remote("challenges.france-cybersecurity-challenge.fr", 2153)
print(conn.recvline())
print(conn.recvuntil(b" = "))
sig = literal_eval(conn.recvline().strip().decode())
print(conn.recvuntil(b" = "))
pk = literal_eval(conn.recvline().strip().decode())
########################

sig = [bytes.fromhex(k) for k in sig]
pk = (bytes.fromhex(pk[0]), [bytes.fromhex(k) for k in pk[1]])

Support =  [
            8,   17,  26,  32,  52,  53,  57,  58,
            59,  63,  64,  66,  67,  71,  73,  76,
            79,  81,  111, 115, 132, 135, 141, 144,
            151, 157, 170, 176, 191, 192, 200, 201,
            202, 207, 216, 224, 228, 237, 241, 252,
           ]
W = 257

def _encoding(msg):
    w = [0] * len(Support)
    for i in range(len(Support)):
        for j in range(len(msg)):
            # Constant coefficient is zero
            w[i] += msg[j] * Support[i] ** (j + 1)
        w[i] %= W
    return w

### encoding done : is NOT bijective ...
K = Zmod(W)
M = [[pow(Support[i], (j + 1), W) for j in range(20)] for i in range(len(Support))]
M = matrix(K, M)

print(M)

def _decoding(w):
    m_enc = vector(K, list(w))
    return bytes([ int(k) % 256 for k in M.solve_right(m_enc)])

def _decoding_partial(w):
    m_enc = vector(K, list(w))
    return [ int(k) for k in M.solve_right(m_enc)]

###############
def _byte_xor(b1, b2):
    assert len(b1) == len(b2), "Error: byte strings of different length."
    return bytes([x ^ y for x, y in zip(b1, b2)])

def _H(s, m, i, j):
    return sha256(
        _byte_xor(
            s,
            sha256(
                m + i.to_bytes(1, "big") + j.to_bytes(2, "big")
            ).digest()
        )
    ).digest()

e = _encoding(message)

from tqdm import tqdm
load("solver.sage")

def vec1(n):
    a = [0] * 40
    a[n] = 257
    return a

B2L = [vector(ZZ, list(l)) for l in M.transpose()]

for i in range(40):
    B2L.append(vector(ZZ, vec1(i)))
B2 = matrix(ZZ, B2L)

# hand tweaking is dirty but works
Tv = [(k + 257 - 1) // 2 for k in e]
Tv[23] -= 3
Tv[38] -= 1
Tv[23] += 1
T = vector(ZZ, Tv)

A = Babai_CVP(B2, T)
print(A)
for i in range(40):
    if not A[i] < 257:
        print(i, "too big :", A[i])
    if not (A[i] >= e[i]):
        print(i, "too small :", A[i])

de = _decoding_partial(A)
if 256 in de:
    print("unlucky !! ")

assert _encoding(_decoding(A)) == list(A) # wont work if we get 256 in decoding_partial
A = [int(k) for k in list(A)]

for i in range(40):
    for j in range(e[i]+1, A[i]+1):
        sig[i] = _H(sig[i], pk[0], i, j)

def verif(message, signature):
    if len(message) > 20:
        print("Error: message too long.")
        return None
    sig2 = signature.copy()
    mask_seed, PK = pk

    w = _encoding(message)
    for i in range(40):
        for j in range(w[i] + 1, 257):
            sig2[i] = _H(sig2[i], mask_seed, i, j)

    return all(s == pk for s, pk in zip(sig2, PK))

Mess = _decoding(A)
print(verif(Mess, sig))

print("MESSAGE :", Mess.hex())
conn.recvuntil(b">>> ")
conn.sendline(Mess.hex().encode())
conn.recvuntil(b">>> ")
conn.sendline(str([k.hex() for k in sig]).encode())
print("SIGNATURE :", str([k.hex() for k in sig]) )

conn.interactive()