GMO Goat

Problem statement

Curve isomorphism

This is a classic problem of cubic equation, it turns out that every cubic equation (that is not degenerate) is isomorphic to an elliptic curve, Sagemath has a conveniant function for that, so let’s quickly look at the isomorphism (and its inverse function) :

P = QQ["p, s, b"]
p, s, b = P.gens()

eq = p ** 3 - 94 * b ** 3 + s ** 3

f = EllipticCurve_from_cubic(eq)
print(f)
fi = f.inverse()
print(fi)

we get :

Continue reading 

Overview

In this chall we are presented with a cipher entierely based on the AES key schedule derivation function. Seing such a “well known” construction hints us towards the literature.

The paper

Indeed, one paper “New Representations of the AES Key Schedule” gives us most of what we need to solve.

Cipher description

AES Key derivation

Let’s denote by $D_i(k_0, k_1, \cdots, k_{15}) = (s_0, s_1, \cdots, s_{15})$ the AES key-derivation function on the 16 bytes of the key with the $i$-th RCON (taking $i=0$ being no round constant).

Continue reading 

Looking at the scheme used it is clear that we have a Winternitz-OTS but with a different encoding than the standard, so clearly this is the vulnerable part.

So all we have to do is find a 20-bytes plaintext that encode to a $40$-element vector with each coordinates being bigger then the ones present in the encoding of the known message.

However we are working $\pmod {257}$, so we are essentially trying to find a vector $v$ that is decodable, such that if we denote $e$ the $40$-element vector corresponding to the encoding of the string WINTERNITZ IS COMING then we want :

Continue reading 

Hello from the Crypto-quadrupede

Continue reading 