TTM4205: Weekly Problems Fall 2024

Tjerand Silde and Caroline Sandsbråten

{tjerand.silde, caroline.sandsbraten}@ntnu.no

Assignment
This is one out of three assignments in the course TTM4205 Secure Crypto-
graphic Implementations (ttm4205.iik.ntnu.no) during fall semester of 2024.
This assignment has to be solved individually, and the solutions must be your
own. It is, however, allowed to discuss the problems with other students and
ask for hints or pointers from the course staff.
The assignment contains problems related to most of the main topics from
the lectures, requiring both mathematical and coding skills. A selection of
the problems is taken from cryptohack.org. We recommend using Python
or Sage to implement your solutions.
All problems require detailed answers where you describe and document
what you have done to complete the task, e.g., written explanations, calcula-
tions, code, graphs, etc. It is allowed to rely on external resources; however,
these resources must be clearly referred to. Otherwise, it will be considered
cheating; see i.ntnu.no/wiki/-/wiki/English/Cheating+on+exams.
All submissions must be written in LATEX, and we provide a mandatory
template to be used at overleaf.com/read/xxnmbmnpxxfq#6ce4e3.
This assignment counts for at most 40 points, and each topic is marked with
how many points it is worth, roughly estimating how much work is expected.
Bonus problems are not expected to be solved but can give 2 additional
points each to make up for missed points elsewhere in the assignment. We
might give full or partial credit if you show that you understand a problem
and made an attempt to solve it even if you are not able to solve it entirely.
Submission deadline: December 6th at 23:59 in Ovsys2.

1
Contents
1 Randomness (16 points) 3
1.1 “It is truly random, I promise!” . . . . . . . . . . . . . . . . . 3
1.2 The Next of Your Kind . . . . . . . . . . . . . . . . . . . . . 3
1.3 This Destroyes the Schnorr Cryptosystem . . . . . . . . . . . 3
1.4 ElGusto ElGamal . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.5 Ron was Wrong, Whit is Right . . . . . . . . . . . . . . . . . 4
1.6 No Random, No Bias . . . . . . . . . . . . . . . . . . . . . . . 5
1.7 Lo-Hi Card Game . . . . . . . . . . . . . . . . . . . . . . . . 5
1.8 Bonus Problems . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.8.1 Trust Games . . . . . . . . . . . . . . . . . . . . . . . 5
1.8.2 Prime and Prejudice . . . . . . . . . . . . . . . . . . . 6
1.8.3 RSA vs. RNG . . . . . . . . . . . . . . . . . . . . . . 6

2 Legacy Crypto (4 points) 6

2.1 Export Grade . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Oh SNAP! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Bonus Problems . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.1 Nothing up my Sleeve . . . . . . . . . . . . . . . . . . 7
2.3.2 MOVing Problems . . . . . . . . . . . . . . . . . . . . 7

3 Padding Oracles (4 points) 8

3.1 Endless Emails . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2 Null or Never . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.3 Bonus Problems . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.3.1 Paper Plane . . . . . . . . . . . . . . . . . . . . . . . . 8

4 Protocols APIs (10 points) 8

4.1 Fool Me Once, Fool Me Twice . . . . . . . . . . . . . . . . . . 8
4.2 Faulty RSA Bites the Dust . . . . . . . . . . . . . . . . . . . 9
4.3 Parts of Me, Parts of You . . . . . . . . . . . . . . . . . . . . 9
4.4 Curveball . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.5 Let’s Decrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

5 Commitments and Zero-Knowledge (4 points) 11

5.1 Trapdoor Backdoor . . . . . . . . . . . . . . . . . . . . . . . . 11
5.2 How to Steal an Election . . . . . . . . . . . . . . . . . . . . . 11

6 Protocol Composition (2 points) 12

6.1 Megalomaniac 1: . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2 Bonus Problems . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2.1 Megalomaniac 2: . . . . . . . . . . . . . . . . . . . . . 12

2
 1 Randomness (16 points)
1.1 “It is truly random, I promise!”
Intel published a cryptography library with the following C++ code snippet:
1 static void rand32u(std::vector<Ipp32u>& addr) {
2 std::random_device dev;
3 std::mt19937 rng(dev());
4 std::uniform_int_distribution<std::mt19937::
,→ result_type> dist(0, UINT_MAX);
5 for (auto& x : addr) x = (dist(rng) << 16) +
,→ dist(rng);
6 }

Question 1: Give a high-level explanation of each line of code.

Question 2: This code was used to generate cryptographic keys, which
are supposed to be of 128 bits entropy. However, there are two catastrophic
failures in this snippet. What is wrong?
Question 3: Describe (in words and/or pseudocode) how to fix this.

1.2 The Next of Your Kind

Let nextPrime take as input an integer x and output the smallest prime p such
that p > x. Let the RSA-3072 key generation procedure be implemented as
follows using a secure true random number generator (TRNG):
1. Securely sample a 1536 bit integer x using a TRNG.
2. Compute the first prime p = nextPrime(x).
3. Compute the second prime q = nextPrime(p).
4. Output the RSA-3072 modulus n = p · q.
Question 1: Describe an efficient attack against a RSA-3072 modulus n
computed using the above procedure.
Question 2: How can we update the procedure to generate a key securely?

1.3 This Destroyes the Schnorr Cryptosystem

Let Gp be a group of prime order p and let g be a generator for Gp . Denote
by pp the public parameters (Gp , g, p). Let the secret key sk ←$ Zp be
sampled uniformly at random, and let the public key be pk = g sk , where pk
is publicly available. Let H be a cryptographic hash function that outputs
elements in Zp . The Schnorr signature of a message m is computed as:

3
 1. Sample uniformly random r ←$ Zp and compute commitment R = g r .
2. Compute the output hashed challenge c = H(pp, pk, m, R).
3. Compute the response z = r − c · sk mod p. Output σ = (c, z).
To verify the signature, one computes R′ = g z · pkc and checks if challenge
?
c = H(pp, pk, m, R′ ). If correct, one accepts and otherwise rejects.
We consider the scheme to be broken if an adversary is able to extract the
secret key or forge signatures without knowing the secret key.
Question 1: How can we break the Schnorr signature scheme if the key
sk is sampled using a low-entropy randomness source? How can we break it
if the randomness r is sampled using a low-entropy randomness source?
Question 2: How can we break the Schnorr signature scheme if random-
ness r is re-used to produce signatures on different messages m and m′ ?
Question 3: How can we create a valid Schnorr signature without knowing
sk if a weak hash function H outputs easily predictable challenges c?
Question 4: What are possible ways to mitigate the above weaknesses?

1.4 ElGusto ElGamal

Let Gp be a group of prime order p and let g be a generator for Gp . Let
the secret key sk ←$ Zp be sampled uniformly at random and let the public
key be computed as pk = g sk , where pk is publicly available. The ElGamal
encryption and decryption of a message m ∈ Gp is computed as:
Enc : Sample a random x ←$ Zp and compute X = g x and Y = pkx · m.
Dec : Decrypt the ciphertext (X, Y ) to get the messages as m = Y · X −sk .
We denote ctx = (X, Y ) and consider the scheme to be broken if an adversary
is able to extract the secret key or can learn something about the encrypted
messages (breaking the IND-CPA security of the ElGamal scheme).
Question 1: How can we break the ElGamal encryption scheme if the key
sk is sampled using a low-entropy randomness source? How can we break it
if the randomness x is sampled using a low-entropy randomness source?
Question 2: What can we learn from two ElGamal ciphertexts if the same
randomness x is used to encrypt two different messages m and m′ ?

1.5 Ron was Wrong, Whit is Right

In this challenge, we get a bunch of public RSA keys. Can we decrypt any
of the messages?

4
Hint: There is seemingly little wrong with the challenge generation file.
However, a quick Google search might provide useful.
Question: Go to cryptohack.org, and find the challenge Ron was wrong,
Whit is right in the RSA category. Solve the challenge and give the flag.
How did you solve the challenge? Provide a short write-up, including the
main mathematical concepts, and some relevant code snippets.

1.6 No Random, No Bias

Try your hands on a famous attack we’ve covered in the lectures! Except,
this time, we’re using deterministic signatures, to be sure there’s no bias in
the randomness. Just don’t use the solution to steal Bitcoins and become a
cyber-criminal... or do, I don’t really care...
Hint (ROT13): Abgvpr gung gur bhgchg fvmr bs FUN-1 vf 160 ovgf. Guhf,
gur fbyhgvba gb guvf punyyratr jnf pbirerq ol Pnebyvar va gur guveq yrpgher.
Question: Go to cryptohack.org, and find the challenge No Random,
No Bias in the Elliptic Curve category. Solve the challenge and give the
flag. How did you solve the challenge? Provide a short write-up, including
the main mathematical concepts, and some relevant code snippets.

1.7 Lo-Hi Card Game

A Casino is using a homemade PRNG for shuffling their decks. Can we use
this to pull off a great heist?
Hint: This challenge (and many future challenges) features interaction with
a remote server. If you are using Python to solve this challenge, a good
option for easy socket interaction is using the library pwntools.
Question: Go to cryptohack.org, and find the challenge Lo-Hi Card
Game in the Misc category. Solve the challenge and give the flag. How
did you solve the challenge? Provide a short write-up, including the main
mathematical concepts, and some relevant code snippets.

1.8 Bonus Problems

1.8.1 Trust Games
Given that we stole all their money, it would only be fair if we would test
their new PRNG pro bono.
Question: Find the challenge Trust Games in the Misc category. Solve
the challenge and give the flag. How did you solve the challenge? Pro-
vide a short write-up, including the main mathematical concepts, and some
relevant code snippets.

5
 1.8.2 Prime and Prejudice
Can we construct a composite number that the Miller-Rabin test marks as
a prime?
Question: Find the challenge Prime and Prejudice in the Mathe-
matics category. Solve the challenge and give the flag. How did you solve
the challenge? Provide a short write-up, including the main mathematical
concepts, and some relevant code snippets.

1.8.3 RSA vs. RNG

Try to break this poorly generated RSA key.
Question: Find the challenge RSA vs. RNG in the Misc category.
Solve the challenge and give the flag. How did you solve the challenge?
Provide a short write-up, including the main mathematical concepts, and
some relevant code snippets.

2 Legacy Crypto (4 points)

2.1 Export Grade
Alice and Bob are both supporting lots of parameters for nice, backward
compatibility! You’ve MITM’d their communication. Can we use this to
recover the flag?
Hint 1: We know that the flag was encrypted with the following code:
1 import hashlib, os
2 from Crypto.Cipher import AES
3

4 def encrypt_flag(FLAG, shared_secret: int):

5 # Derive AES key from shared secret
6 sha1 = hashlib.sha1()
7 sha1.update(str(shared_secret).encode(’ascii’))
8 key = sha1.digest()[:16]
9 # Encrypt flag
10 iv = os.urandom(16)
11 cipher = AES.new(key, AES.MODE_CBC, iv)
12 ciphertext = cipher.encrypt(FLAG)
13 # Prepare data to send
14 data = {}
15 data[’iv’] = iv.hex()
16 data[’encrypted_flag’] = ciphertext.hex()
17 return data

6
Hint 2 (ROT13): Fntrzngu pna fbyir qvfpergr ybtf va snveyl ovt svryqf irel
dhvpxyl. Hfr ‘S = TS(c)‘ gb vafgnagvngr n svavgr svryq, gura ‘ybt(S(l),
S(t))‘ gb pbzchgr k fhpu gung tk = l
Question: Go to cryptohack.org, and find the challenge Export Grade
in the Diffie-Hellman category. Solve the challenge and give the flag. How
did you solve the challenge? Provide a short write-up, including the main
mathematical concepts, and some relevant code snippets.

2.2 Oh SNAP!
Can we break a classic cipher used for years, famously breaking one of
Kerckhoffs principles?
Hint (ROT13): Ybbx sbe vzcyrzragngvbaf bs gur “Syhuere, Znagva naq Fun-
zve nggnpx” bayvar.
Question: Go to cryptohack.org, and find the challenge Oh SNAP! in
the Symmetric Ciphers category. Solve the challenge and give the flag.
How did you solve the challenge? Provide a short write-up, including the
main mathematical concepts, and some relevant code snippets.

2.3 Bonus Problems

2.3.1 Nothing up my Sleeve
The casino is back yet again. This time using a real-world, provably secure
PRNG! Surely, we can’t swindle them yet again??
Question: Find the challenge Nothing up my Sleeve in the Misc cate-
gory. Solve the challenge and give the flag. How did you solve the challenge?
Provide a short write-up, including the main mathematical concepts, and
some relevant code snippets.

2.3.2 MOVing Problems

The famous MOV-attack prevents the use of supersingular elliptic curves in
discrete-log based systems. Luckily, this curve is ordinary, so there should
be no problems.
Question: Find the challenge MOVing Problems in the Elliptic Curve
category. Solve the challenge and give the flag. How did you solve the chal-
lenge? Provide a short write-up, including the main mathematical concepts,
and some relevant code snippets.

7
3 Padding Oracles (4 points)
3.1 Endless Emails
Here is a classic example you might have seen before in earlier courses of
what can go wrong when using RSA without padding.
Question: Go to cryptohack.org, and find the challenge Endless Emails
in the RSA category. Solve the challenge and give the flag. How did you
solve the challenge? Provide a short write-up, including the main mathe-
matical concepts, and some relevant code snippets.

3.2 Null or Never

This time, we padded RSA precisely to avoid something similar to the pre-
vious attack. Can we still break it?
Question: Go to cryptohack.org, and find the challenge Null or Never in
the RSA category. Solve the challenge and give the flag. How did you solve
the challenge? Provide a short write-up, including the main mathematical
concepts, and some relevant code snippets.

3.3 Bonus Problems

3.3.1 Paper Plane
Can we solve the following, using what we have learned so far?
Question: Go to cryptohack.org, and find the challenge Paper Plane in
the Symmetric Crypto category. Solve the challenge and give the flag.
How did you solve the challenge? Provide a short write-up, including the
main mathematical concepts, and some relevant code snippets.

4 Protocols APIs (10 points)

4.1 Fool Me Once, Fool Me Twice
Let the Schnorr signature scheme be defined as earlier but with a slight
change: the randomness r is not sampled randomly but deterministically
computed as the hash of the secret key and the message, i.e., r = H(sk, m).
Let Sign be an API where a client inputs an identity id, a message m and
a public key pkid and the server uses the secret key skid corresponding to id
(e.g. stored in a hardware security module) and output a signature σ.
Question 1: How can malicious clients use this API to extract secret keys?
Question 2: How can we protect this signing API against such attacks?

8
4.2 Faulty RSA Bites the Dust
Let (n, e) be a public RSA signature verification key and (n, e′ ) a public
RSA encryption key for the same user, where n = p · q for secret prime
numbers p, q and corresponding secret signing key d and decryption key d′ .
Assume that the signing API Sign is implemented in a faulty way so that
the signing key d leaks to malicious clients.
Question 1: How can the knowledge of the signing key d be used to
decrypt messages encrypted using the public encryption key (n, e′ )?
Assume now that the leakage in Sign be fixed so that d is stored securely.
Let µ be a secure padding function. The RSA signature is often computed
using the Chinese Reminder Theorem in the following way:
1. Compute dp ≡ d mod (p − 1) and dq ≡ d mod (q − 1).
2. Compute a such that a ≡ 1 mod p and a ≡ 0 mod q.
3. Compute b such that b ≡ 0 mod p and b ≡ 1 mod q.
4. Compute σp ≡ µ(m)dp mod p and σq ≡ µ(m)dq mod q.
5. Output the signature σ = a · σp + b · σq mod n.
This is more efficient than computing µ(m)d mod n directly since p and q
are much smaller than n and (dp , dq , a, b) can be pre-computed and stored
?
for later use. We can verify the signature as following: µ(m) ≡ σ e mod n.
Question 2: Assume that there is a bug in the implementation so that σp ≡
µ(m)dp mod p but σq ̸≡ µ(m)dq mod q. Show how the faulty signature σ,
where µ(m) ̸≡ σ e mod n, can be used to factor n.
Question 3: What are possible ways of avoiding the above RSA issues?

4.3 Parts of Me, Parts of You

Let Ea,b : y 2 = x3 + a · x + b be an elliptic curve over a finite field Fp of
prime order p where a, b ∈ Fp and the elliptic curve group Ea,b (Fp ) consists
of the point at infinity O and all pairs (x, y) ∈ Fp × Fp that satisfy the curve
equation of Ea,b . Denote the number of points in Ea,b (Fp ) by ηa,b and note
that ηa,b does not necessarily have to be a prime number.
Given two points P = (x1 , y1 ) and Q = (x2 , y2 ) in Ea,b (Fp ), then we compute
the sum P + Q in the following way:
1. If P = O, output Q. If Q = O, output P .
2. If x1 = x2 and y2 = −y1 , then output O.

9
 3. Otherwise, let x3 = λ2 − x1 − x2 and y3 = −y1 − λ · (x3 − x1 ), where
( 2
3x1 +a
if P = Q
λ = y 2y−y1
1 2
x1 −x2 otherwise,

and output R = (x3 , y3 ).

Let q be a large prime such that ηa,b = q ·h, then Ea,b (Fp ) has a subgroup Gq
of order q such that q · P = O if P is in Gq . Here, h is called the co-factor,
and is often a very small value compared to q.
The double-and-add algorithm can be used to efficiently compute the scalar
multiplication Q = s · P for s ∈ Zq and P ∈ Gq in at most 2 log2 q additions.
The discrete logarithm problem says it is hard to find s given P and Q.
Note that for each choice of a and b we get a new elliptic curve group of
different size ηa,b where ηa,b is roughly of the size p. We can efficiently
compute ηa,b using Schoof’s algorithm.
Let sMult be an API that takes a point P as input and outputs a point
Q = s · P for a fixed and secret value s of high entropy.
Question 1: Assume that sMult checks that P is on the curve Ea,b but
forget to check if it is the in the correct subgroup Gq . How can a malicious
client learn something about s in a API query?
Question 2: Describe an attack that completely breaks the sMult API
when it is not checking if P is on the curve Ea,b and explain why it works.

4.4 Curveball
Can we prove that we own a public ECDSA key, by giving the corresponding
private key? This attack is so stupid, it could not have occurred in the real
world, right? RIGHT??!
Recommended listening while solving: Aretha Franklin - Chain of Fools
Question: Go to cryptohack.org, and find the challenge Curveball in the
Elliptic Curve category. Solve the challenge and give the flag. Solve the
challenge and give the flag. How did you solve the challenge? Provide a short
write-up, including the main mathematical concepts, and some relevant code
snippets.

4.5 Let’s Decrypt

In this challenge, we should make a given RSA signature verify a different
message. Luckily, the RSA signing operation is a bijection from (Z/nZ)× to
itself, so this should be impossible.

10
Question: Go to cryptohack.org, and find the challenge Let’s Decrypt in
the RSA category. Solve the challenge and give the flag. How did you solve
the challenge? Provide a short write-up, including the main mathematical
concepts, and some relevant code snippets.

5 Commitments and Zero-Knowledge (4 points)

5.1 Trapdoor Backdoor
Let Gp be a group of prime order p and let g and h be independent generators
for Gp . Let m be a message and w be uniform randomness, both elements
in Zp . A Pedersen commitment is computed as com = g m hw .
A commitment is hiding if it is hard to decide if com is a commitment to
m or if com is sampled uniformly at random from Gp . A commitment is
binding if it is hard to find to valid openings (m, w) and (m′ , w′ ) such that
′ ′
com = g m hw = g m hw and m ̸= m′ .
Question 1: Provide some simple or high-level arguments to explain why
the Pedersen commitment is both hiding and binding.
Question 2: Let g = ht . Show how the knowledge of t can break binding.
Question 3: How can we ensure that g and h are independently sampled
so that no one knows a value t such that g = ht ?

5.2 How to Steal an Election

Let the ElGamal encryption scheme be defined as earlier. A prover has the
secret key sk corresponding to the public key pk and wants to prove in zero-
knowledge that m is the correct decryption of a ciphertext ctx = (X, Y ).
This can be used in an electronic voting scheme where we want to prove that
the tally is correct without making the decryption key publicly available.
The decryption proof is computed as follows, where pp = (Gp , g, p, pk) is
public information (the public key pk is fixed but the ciphertext ctx is not):
1. Compute T = X sk , such that the decrypted message is m = Y · T −1 .
2. Sample a uniformly random r ←$ Zp and compute R = g r and S = X r .
3. Compute the hashed challenge as c = H(pp, X, Y, R, S, T ).
4. Compute the response z = r − c · sk mod p. Define proof π = (T, c, z).
5. The prover outputs ctx and π for anyone to verify the correctness.
To verify the proof π one computes R′ = g z · pkc and S ′ = X z · T c and
checks if c = H(pp, X, Y, R′ , S ′ , T ). If correct, one outputs m = Y · T −1 and

11
otherwise rejects. The proof is similar to Schnorr signatures, proving that
logg pk = logX T , and then m = Y · T −1 is the correctly decrypted message.
In this problem we assume that the malicious prover knows the secret key
sk, but want to provide a seemingly valid proof that the ElGamal ciphertext
ctx = (X, Y ) decrypts to a different message m′ than the real plaintext m.
Question 1: Assume c = H(pp, Y, R, S, T ), where the ciphertext compo-
nent X is not included. How can a malicious prover change the ciphertext
and create an accepting proof that it decrypts to a chosen message m′ ̸= m?
Question 2: Assume that c = H(pp, X, Y, R, S), where the decryption
component T is not included. How can a malicious prover create an accept-
ing proof where the given ciphertext decrypts to a random message m′ ̸= m?

6 Protocol Composition (2 points)

6.1 Megalomaniac 1:
The first challenge, introducing a simplified Mega vulnerability.
Question: Go to cryptohack.org, and find the challenge Megalomaniac
1 in the Crypto on the web category. Solve the challenge and give the
flag. How did you solve the challenge? Provide a short write-up, including
the main mathematical concepts, and some relevant code snippets.

6.2 Bonus Problems

6.2.1 Megalomaniac 2:
The second challenge is also related to the Mega vulnerability.
Question: Go to cryptohack.org, and find the challenge Megalomaniac
2 in the Crypto on the web category. Solve the challenge and give the
flag. How did you solve the challenge? Provide a short write-up, including
the main mathematical concepts, and some relevant code snippets.

12