Weekly Problems
{tjerand.silde, caroline.sandsbraten}@ntnu.no
Assignment
This is one out of three assignments in the course TTM4205 Secure Cryptographic
Implementations (ttm4205.iik.ntnu.no) during the fall semester of 2024.
This assignment has to be solved individually, and the solutions must be your
own. It is, however, allowed to discuss the problems with other students and
ask for hints or pointers from the course staff.
The assignment contains problems related to most of the main topics from
the lectures, requiring both mathematical and coding skills. A selection of
the problems is taken from cryptohack.org. We recommend using Python
or Sage to implement your solutions.
All problems require detailed answers where you describe and document
what you have done to complete the task, e.g., written explanations, calculations,
code, graphs, etc. It is allowed to rely on external resources; however,
these resources must be clearly referred to. Otherwise, it will be considered
cheating; see i.ntnu.no/wiki/-/wiki/English/Cheating+on+exams.
All submissions must be written in LaTeX, and we provide a mandatory
template to be used at overleaf.com/read/xxnmbmnpxxfq#6ce4e3.
This assignment counts for at most 40 points, and each topic is marked with
how many points it is worth, roughly estimating how much work is expected.
Bonus problems are not expected to be solved but can give 2 additional
points each to make up for missed points elsewhere in the assignment. We
might give full or partial credit if you show that you understand a problem
and made an attempt to solve it even if you are not able to solve it entirely.
Submission deadline: December 6th at 23:59 in Ovsys2.
Contents
1 Randomness (16 points)  3
1.1 “It is truly random, I promise!”  3
1.2 The Next of Your Kind  3
1.3 This Destroys the Schnorr Cryptosystem  3
1.4 ElGusto ElGamal  4
1.5 Ron was Wrong, Whit is Right  4
1.6 No Random, No Bias  5
1.7 Lo-Hi Card Game  5
1.8 Bonus Problems  5
1.8.1 Trust Games  5
1.8.2 Prime and Prejudice  6
1.8.3 RSA vs. RNG  6
1 Randomness (16 points)
1.1 “It is truly random, I promise!”
Intel published a cryptography library with the following C++ code snippet:

    static void rand32u(std::vector<Ipp32u>& addr) {
        std::random_device dev;
        std::mt19937 rng(dev());
        std::uniform_int_distribution<std::mt19937::result_type> dist(0, UINT_MAX);
        for (auto& x : addr) x = (dist(rng) << 16) + dist(rng);
    }
1. Sample uniformly random $r \xleftarrow{\$} \mathbb{Z}_p$ and compute the commitment $R = g^r$.
2. Compute the hashed challenge $c = H(pp, pk, m, R)$.
3. Compute the response $z = r - c \cdot sk \bmod p$. Output $\sigma = (c, z)$.
To verify the signature, one computes $R' = g^z \cdot pk^c$ and checks whether
$c \stackrel{?}{=} H(pp, pk, m, R')$. If the check holds, one accepts; otherwise one rejects.
We consider the scheme to be broken if an adversary is able to extract the
secret key or forge signatures without knowing the secret key.
Question 1: How can we break the Schnorr signature scheme if the key
sk is sampled using a low-entropy randomness source? How can we break it
if the randomness r is sampled using a low-entropy randomness source?
Question 2: How can we break the Schnorr signature scheme if the randomness
r is re-used to produce signatures on different messages m and m′?
Question 3: How can we create a valid Schnorr signature without knowing
sk if a weak hash function H outputs easily predictable challenges c?
Question 4: What are possible ways to mitigate the above weaknesses?
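The signing and verification steps above, as an added Python example that is not part of the assignment: it fixes the group as a toy order-p subgroup of Z_P^* (constructed parameters, far too small for real use), derives the nonce r from (sk, m) as one mitigation for weak randomness, and adds a verifier-side check that flags two signatures made with the same r. The hash H, the encoding of pp and the nonce derivation are assumptions, not the course's definitions.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): the text's group of
# prime order p is realised as the order-p subgroup of Z_P^* with P = 2p + 1.
p = 1019            # group order; r, sk, c and z live in Z_p
P = 2 * p + 1       # 2039 is prime, so the quadratic residues form a group of order p
g = 4               # a quadratic residue != 1, hence a generator of that subgroup
assert pow(g, p, P) == 1
pp = (p, P, g)      # public parameters, bound into every challenge

def H(*parts) -> int:
    """Fiat-Shamir challenge c = H(pp, pk, m, R), reduced into Z_p (assumed encoding)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def keygen():
    sk = secrets.randbelow(p - 1) + 1       # sk uniform in {1, ..., p-1}
    return sk, pow(g, sk, P)

def hedged_nonce(sk: int, m: str) -> int:
    """Mitigation for low-entropy r: derive it from (sk, m), so r neither
    depends on the platform RNG nor repeats across distinct messages."""
    h = hashlib.sha256(f"nonce|{sk}|{m}".encode()).digest()
    return int.from_bytes(h, "big") % (p - 1) + 1

def sign_with_nonce(sk: int, pk: int, m: str, r: int):
    R = pow(g, r, P)                        # commitment R = g^r
    c = H(pp, pk, m, R)                     # challenge
    z = (r - c * sk) % p                    # response z = r - c*sk mod p
    return c, z

def sign(sk: int, pk: int, m: str):
    return sign_with_nonce(sk, pk, m, hedged_nonce(sk, m))

def recover_R(pk: int, sig) -> int:
    c, z = sig
    return (pow(g, z, P) * pow(pk, c, P)) % P   # R' = g^z * pk^c

def verify(pk: int, m: str, sig) -> bool:
    return sig[0] == H(pp, pk, m, recover_R(pk, sig))

def nonce_reused(pk: int, sig1, sig2) -> bool:
    """Defender-side check: two signatures under pk whose recovered commitments
    coincide were produced with the same r, the condition behind Question 2."""
    return recover_R(pk, sig1) == recover_R(pk, sig2)
```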
Hint: There is seemingly little wrong with the challenge generation file.
However, a quick Google search might prove useful.
Question: Go to cryptohack.org, and find the challenge Ron was wrong,
Whit is right in the RSA category. Solve the challenge and give the flag.
How did you solve the challenge? Provide a short write-up, including the
main mathematical concepts, and some relevant code snippets.
1.8.2 Prime and Prejudice
Can we construct a composite number that the Miller-Rabin test marks as
a prime?
Question: Find the challenge Prime and Prejudice in the Mathematics
category. Solve the challenge and give the flag. How did you solve
the challenge? Provide a short write-up, including the main mathematical
concepts, and some relevant code snippets.
Hint 2 (ROT13): Fntrzngu pna fbyir qvfpergr ybtf va snveyl ovt svryqf irel
dhvpxyl. Hfr ‘S = TS(c)‘ gb vafgnagvngr n svavgr svryq, gura ‘ybt(S(l),
S(t))‘ gb pbzchgr k fhpu gung tk = l
Question: Go to cryptohack.org, and find the challenge Export Grade
in the Diffie-Hellman category. Solve the challenge and give the flag. How
did you solve the challenge? Provide a short write-up, including the main
mathematical concepts, and some relevant code snippets.
2.2 Oh SNAP!
Can we break a classic cipher used for years, famously breaking one of
Kerckhoffs' principles?
Hint (ROT13): Ybbx sbe vzcyrzragngvbaf bs gur “Syhuere, Znagva naq Funzve
nggnpx” bayvar.
Question: Go to cryptohack.org, and find the challenge Oh SNAP! in
the Symmetric Ciphers category. Solve the challenge and give the flag.
How did you solve the challenge? Provide a short write-up, including the
main mathematical concepts, and some relevant code snippets.
3 Padding Oracles (4 points)
3.1 Endless Emails
Here is a classic example you might have seen before in earlier courses of
what can go wrong when using RSA without padding.
Question: Go to cryptohack.org, and find the challenge Endless Emails
in the RSA category. Solve the challenge and give the flag. How did you
solve the challenge? Provide a short write-up, including the main mathematical
concepts, and some relevant code snippets.
4.2 Faulty RSA Bites the Dust
Let $(n, e)$ be a public RSA signature verification key and $(n, e')$ a public
RSA encryption key for the same user, where $n = p \cdot q$ for secret primes
$p, q$, with corresponding secret signing key $d$ and decryption key $d'$.
Assume that the signing API Sign is implemented in a faulty way so that
the signing key $d$ leaks to malicious clients.
Question 1: How can knowledge of the signing key $d$ be used to
decrypt messages encrypted under the public encryption key $(n, e')$?
Assume now that the leakage in Sign has been fixed so that $d$ is stored securely.
Let $\mu$ be a secure padding function. The RSA signature is often computed
using the Chinese Remainder Theorem in the following way:
1. Compute $d_p \equiv d \bmod (p - 1)$ and $d_q \equiv d \bmod (q - 1)$.
2. Compute $a$ such that $a \equiv 1 \bmod p$ and $a \equiv 0 \bmod q$.
3. Compute $b$ such that $b \equiv 0 \bmod p$ and $b \equiv 1 \bmod q$.
4. Compute $\sigma_p \equiv \mu(m)^{d_p} \bmod p$ and $\sigma_q \equiv \mu(m)^{d_q} \bmod q$.
5. Output the signature $\sigma = a \cdot \sigma_p + b \cdot \sigma_q \bmod n$.
This is more efficient than computing $\mu(m)^d \bmod n$ directly, since $p$ and $q$
are much smaller than $n$ and $(d_p, d_q, a, b)$ can be pre-computed and stored
for later use. We verify the signature as follows: $\mu(m) \stackrel{?}{\equiv} \sigma^e \bmod n$.
Question 2: Assume that there is a bug in the implementation so that $\sigma_p \equiv
\mu(m)^{d_p} \bmod p$ but $\sigma_q \not\equiv \mu(m)^{d_q} \bmod q$. Show how the faulty signature $\sigma$,
where $\mu(m) \not\equiv \sigma^e \bmod n$, can be used to factor $n$.
Question 3: What are possible ways of avoiding the above RSA issues?
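The CRT signing procedure of steps 1 to 5, as an added Python example that is not part of the assignment: it builds the pre-computed values $(d_p, d_q, a, b)$, can simulate a fault that corrupts only $\sigma_q$ (the situation of Question 2), and shows the countermeasure of re-verifying with the public exponent before releasing $\sigma$. The key is a constructed toy key and the padding function $\mu$ is a stand-in hash, both assumptions of this example.

```python
import hashlib

# Constructed toy key (real keys use primes of ~1024 bits or more): 999983 and
# 1000003 are prime, so the arithmetic is exact, but the key offers no security.
p, q = 999983, 1000003
n = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))      # signing exponent (Python >= 3.8)

# CRT material pre-computed once, steps 1-3 of the text
dp, dq = d % (p - 1), d % (q - 1)
a = q * pow(q, -1, p)                   # a = 1 mod p, a = 0 mod q
b = p * pow(p, -1, q)                   # b = 0 mod p, b = 1 mod q

def mu(m: bytes) -> int:
    """Stand-in for the padding function mu (a plain hash; not a secure padding)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def crt_sign(m: bytes, fault_in_q: bool = False) -> int:
    """Steps 4-5 of the text. fault_in_q simulates a fault that corrupts only
    the computation mod q, which is the scenario of Question 2."""
    x = mu(m)
    sigma_p = pow(x, dp, p)
    sigma_q = pow(x, dq, q)
    if fault_in_q:
        sigma_q = (sigma_q + 1) % q     # constructed fault: sigma_q is now wrong
    return (a * sigma_p + b * sigma_q) % n

def verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, e, n) == mu(m)

def safe_sign(m: bytes, fault_in_q: bool = False):
    """Countermeasure (Question 3): re-check the signature with the public
    exponent before releasing it, so a faulty sigma never reaches the caller."""
    sigma = crt_sign(m, fault_in_q)
    return sigma if verify(m, sigma) else None
```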
3. Otherwise, let $x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = -y_1 - \lambda \cdot (x_3 - x_1)$, where
$$\lambda = \begin{cases} \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q, \\[6pt] \dfrac{y_1 - y_2}{x_1 - x_2} & \text{otherwise,} \end{cases}$$
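The group law with the two slopes λ from step 3, as an added Python example that is not part of the assignment. The cases for the point at infinity O and for Q = −P are the standard ones and are assumed here, since those steps are not on this page; the curve y² = x³ + 2x + 3 over GF(97) is a constructed toy.

```python
# Constructed toy curve y^2 = x^3 + a*x + b over GF(p); real curves use a
# ~256-bit p. The point at infinity O is represented as None.
p, a, b = 97, 2, 3
assert (4 * a**3 + 27 * b**2) % p != 0     # non-singular
O = None

def on_curve(pt) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % p)

def add(P, Q):
    """Group law. The O and Q = -P cases are the standard ones (assumed, as those
    steps are not on the page); the rest is step 3 with its two lambdas."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:     # Q = -P, also 2P when y1 = 0
        return O
    if P == Q:                               # doubling: tangent slope
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:                                    # chord slope
        lam = (y1 - y2) * pow((x1 - x2) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (-y1 - lam * (x3 - x1)) % p
    return (x3, y3)

def scalar_mul(k: int, P):
    """k * P by double-and-add, built only from add()."""
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R
```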
4.4 Curveball
Can we prove that we own a public ECDSA key, by giving the corresponding
private key? This attack is so stupid, it could not have occurred in the real
world, right? RIGHT??!
Recommended listening while solving: Aretha Franklin - Chain of Fools
Question: Go to cryptohack.org, and find the challenge Curveball in the
Elliptic Curve category. Solve the challenge and give the flag. How did you
solve the challenge? Provide a short write-up, including the main mathematical
concepts, and some relevant code snippets.
Question: Go to cryptohack.org, and find the challenge Let’s Decrypt in
the RSA category. Solve the challenge and give the flag. How did you solve
the challenge? Provide a short write-up, including the main mathematical
concepts, and some relevant code snippets.
otherwise rejects. The proof is similar to Schnorr signatures, proving that
$\log_g pk = \log_X T$, and then $m = Y \cdot T^{-1}$ is the correctly decrypted message.
In this problem we assume that the malicious prover knows the secret key
$sk$, but wants to provide a seemingly valid proof that the ElGamal ciphertext
$ctx = (X, Y)$ decrypts to a different message $m' \neq m$ than the real plaintext $m$.
Question 1: Assume $c = H(pp, Y, R, S, T)$, where the ciphertext component
$X$ is not included. How can a malicious prover change the ciphertext
and create an accepting proof that it decrypts to a chosen message $m' \neq m$?
Question 2: Assume that $c = H(pp, X, Y, R, S)$, where the decryption
component $T$ is not included. How can a malicious prover create an accepting
proof where the given ciphertext decrypts to a random message $m' \neq m$?