m0leCon CTF 2021 Teaser — Alternating key exchange
Challenge information
Files
chall.sage:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from hashlib import sha256
import random
n = 20
m = 42
G = AlternatingGroup(n)
pub_a = [G.random_element() for _ in range(m)]
pub_b = [G.random_element() for _ in range(m)]
eps_a = [random.choice([1,-1]) for _ in range(m)]
eps_b = [random.choice([1,-1]) for _ in range(m)]
A = prod([x^e for x,e in zip(pub_a, eps_a)])
B = prod([x^e for x,e in zip(pub_b, eps_b)])
abar = [A^(-1) * x * A for x in pub_b]
bbar = [B^(-1) * x * B for x in pub_a]
print(pub_a)
print(pub_b)
print(abar)
print(bbar)
K = A^(-1)*B^(-1)*A*B
shared = "_".join(str(K(i)) for i in range(1,n+1))
dig = sha256(shared.encode()).digest()
key = dig[:16]
iv = dig[16:]
aes = AES.new(key, AES.MODE_CBC, iv=iv)
with open("flag.txt", "rb") as f:
flag = f.read()
flag_enc = aes.encrypt(pad(flag,16))
print(flag_enc.hex())
output.txt:
[(1,7,9,12,3,19,16)(2,14,6,10,15)(4,18,5,11,8)(13,20,17), (1,20,3,12,4,13)(5,10,17)(6,19,14,9,18,16,7,8,15,11), (1,12,17,13,19,18,6)(2,14,15,7,3,5,11,4,16,8,9,10,20), (1,12,9,14,2,15,8,4,13,16,19,3,20)(5,18,10,6,7,11,17), (1,2,14,9,6,11,19,13,8,20)(3,7,18,10,17)(4,12)(5,16,15), (1,18,4,20,6,19,14)(2,3,17,5,11,15,7,16,12)(8,10,9), (1,9,17,2,4,5,15)(3,11,19,6,7,20,10,14,12,18,13,8,16), (1,8,6,10,17,20,15,5,18,14,13,11,9,2,16,4)(3,19,7,12), (1,18,8,3,16,11,17,19,7,2,12,10,15,14,4,20,6,13)(5,9), (1,6,5,7,8,18,2)(3,17,4,14,12,11,13,20,15,16,19,10,9), (2,13,16,5,8,20,3,18,17,6,14,10,4,12,19,7)(9,15), (1,16,6,19,13,9,15,10,2,18,14,11,17)(3,7,4,20,12), (1,11,3,6,19)(2,12,9,10,16,4,15,8,13,7,20)(5,14,17), (1,9,11,13,17,7,2,18,16,14,15)(3,4,10,8,5)(6,19)(12,20), (1,8,4,3,20,14,18)(2,13,17,6,9,12,7,11,15,19,10,5,16), (1,15,6,18,3,4,20,13,10,7,11,14,17)(2,19)(5,8,12)(9,16), (1,14,11,8,3,12,15,16,7,10,20,18,9)(2,5,13)(6,19,17), (1,2,10,11,9,8,14,15,17,6,18,7,3,5,20,12,4,13,16), (1,12,6,11,19,7,9,17,20,18,13,10,4,3,5,2,15,16,14), (1,12,13,14,16,7,15)(2,10,4,6,3,17,19,18)(5,11,20,8), (1,19,16,17,15,11,6,8,2,7,12,14,3,4,9)(5,20,18), (1,6,11,4,20,10,2,13,9,5,7,3,16,18,15,8)(14,17), (1,8,16,3,5,4,19,6,12,15)(2,9)(7,10,17)(11,18,20,13,14), (1,16,13,10,9,17,19,18,20,15,4,11,12,14)(2,6,8)(3,5), (1,6,18,5,10,4,8,12,11)(2,20,7,15,3,19,17,13,14,16,9), (2,15,20,12,4,13,8,19,17,18,7)(3,14)(5,9,10,6), (1,15,17,9,8,19,6)(2,11,10,12,18,20,7,14)(3,5,4,16), (1,7,20,5,18,8)(2,11,13,19,16,3,12,10,15,6)(4,9,14), (1,6,3,14,13,16)(2,11)(5,10,20,19,9,8,18,15,7,17,12), (1,11,5,17,18,15,8)(2,9,4,10,19,20,7,14,6,16,3), (1,15,10,9,5,13,18,19,8,7,14,16,2,12)(3,11)(4,6)(17,20), (1,10,7,13,2,12,11,6,15,14,18,17,8,9,3,5,16)(4,19,20), (1,13,20,19,11,3,2,17,15,8,4,6,5,14)(9,18,10,12), (1,7,4,2)(3,14,9,19,16)(5,18,13,11,6,10,15,17), (1,14,13,2,12,11,17,7,10,9,20,5,19,3,6,8,16,4,18), (1,18,6,19,20,2,11,14,10,9,4,5)(3,7,16,8)(12,15)(13,17), (1,12,5,10)(2,20,19,15,16,7,14,13,8,18,17,6,11,3,9,4), (1,17,15,12,10,11,7,3,9,16,19,14,6,2,20,4,8,13,18), (1,10,19,12)(2,18,9,3,11,13,5,7)(4,6,20,8)(14,16,17,15), (1,12,8,11,19,9,10,2,18,4,7,17,6,15,14,16,13,20,3), (1,17,9,5,2,15,8,18,13,4,19,14,7,16,12,11,3,10)(6,20), (1,6,4,17,11,19,12,9,5,7)(3,13,8,18,16)(10,20,15,14)]
[(1,10,5,14,11,2)(3,6,8,18,15,17,12)(7,19,20,9), (1,5,9,11,4,17,14)(2,20,16,3,7,6,15,12)(8,13,10,18), (1,18,20,3,5)(2,12,10,13)(4,17,7,16,9,11,14,15), (1,7,20,9,6,4,14,17,10,16,18,15,19,5,12,11,2,3,13), (1,13,7,17,12)(2,4,6,9,20,15,10,11,5,3,8,16,19,18,14), (1,5,2,7,10,14,9,12,11,16)(3,18,17,6,8,20,15,4), (1,10,13,15,19,6,12,16,2,7,17)(3,9,11)(4,18)(5,14), (1,19,6,3,11,5,14,18,16,15,7,2,10,17,9,12)(4,8,13,20), (1,9,6,17,4,10,13,14,19,7,11,5,15,2,18,20,3,16,12), (1,17,15)(2,13,18,10,5,12,14)(4,8,20)(6,9,16,7)(11,19), (1,13,4,5,19,10,6,3,12,18,14,20,16,2,9,7)(8,11), (1,18,2,10,20,17,13,19,8,11,3,7,14,4,12,16)(6,9), (1,13,10,20,6,18)(3,4,16,15,9,19,17,11,7,14,12,5), (1,11,9,14,13,7,2,5,4,12,15,17,8,3)(6,18)(10,16)(19,20), (1,13,7,15,20,10,12,18,16,8,3,17)(2,5,4)(9,19,11,14), (1,15,11,10,17,20,2,13,14,4,9,19,5,7,12)(6,16,8), (1,16,3,19,9,13,15,6,12,7,18,2,11)(4,5,17,8,20,10,14), (1,13,20,9,19,8,3,16,11,5,12,17,10,7,15,6)(2,4), (1,11,18,13,17,14,16,5,19,8,10,3)(2,6,15,9)(4,7,20), (1,5,12,20,14,16,4,15,13,11,2,8,17,19,3)(6,10,7,9,18), (1,12,8,19,2,15,17,18,6,5,4,7,16,20,10,14,3,9,11), (1,12,10,15,14,16,7,2,11,6,4,5,18,17,19,20)(3,8), (1,3,16,8,9,4,19,13,5,10,12)(2,14,7,15,6,18,20,17,11), (1,7,6,18,9,3)(2,4,15,14,11,12,17,20,16,19,13,5,10,8), (2,14,20,10,16,3,6,17,11,18,9)(4,15,12,7,13,5,19), (1,9,12,17,20,5,14,4,15,10,18,6,16,19,8,2,3,7)(11,13), (1,15,16,19,11,6,9,20,4,18)(2,8,17,12,14,5,13,7), (1,16,19,20,4,5,8,6)(2,11,9,12,7,18,3,13,14,10,15,17), (1,4,5,19,10,8,18,13,12,2,16,14)(3,6,7,20)(9,17,15), (1,2,9,16,12,14,17,6,15,8,4,19,3,11,13,20,10,5)(7,18), (1,15,16,10,8,13)(2,7)(3,6,4,20,11,5,12,14)(18,19), (1,16,11,12,20)(2,17,4,8,10)(3,5,7,19,13,14,18,6,9), (1,2,10,6,17,19,3,14,4,5,12,16,9,11,20,7,18,8)(13,15), (1,11,13,14,17,5,6,19,12,9,3,8,7,10,18,2)(4,15,16,20), (1,19,2,14,4,6)(3,5,13,20,7,8,9,18,10)(11,16,15,12), (1,7,2,3,17,9,12,16,11,5,18,20,6,10,4,19,14,8,15), (1,16,3,10,4,13,7,8,12,11,5,19,9,6,18)(2,15)(14,20), (1,19,6,4)(2,10,3,11,20)(5,8,9,13,12,18,16,7,14,17), (1,20,12,17,8,13)(2,15,5,18,7,6)(3,16,10,19)(4,9), (1,19,17,5)(3,8,18,9,16,10)(4,11,12,6,15)(7,13,20), (1,18,5,11,2,10,7,14,12,9,16,15,20,6,3,17,4,13,19), (1,8,9,11,3,12)(2,4,20,16,19,6,18,10,13,5)(7,17)(14,15)]
[(1,10,9,11,19,12,7)(2,4,18,8,17,5)(6,13,15,20), (1,13,10,19,7,4,20,14)(2,16,12,5,18,17,6)(3,8,11,9), (1,17,18,11,20)(2,5,19,16,12,13,14,6)(3,4,7,8), (1,3,18,13,20,6,10,16,5,12,8,14,11,19,15,17,7,2,4), (1,9,14,15,11,5,4,16,10,6,20,19,8,2,17)(3,13,12,7,18), (1,11,12,10,9,20,19,16)(2,14,18,17,4,13,8,5,6,7), (1,6,2)(3,19,15,10,7,14,4,13,12,18,8)(5,17)(11,16), (1,2,17,5,11,14,19,13,4,8,12,6,7,18,15,10)(3,20,16,9), (1,14,7,18,6,10,12,16,8,3,5,15,13,2,17,19,4,11,20), (2,15)(3,11,8,17,7,5,4)(6,14,13,10)(9,20,16)(12,19,18), (1,7,11,5,20,14,4,6,13,18,3,16,17,15,8,10)(2,9), (1,13,5,16,7,14,18,11,4,8,20,12,3,15,9,2)(6,10), (1,16,14,19,6,15,12,2,13,5,7,17)(3,8,20,10,11,18), (1,18,2,6,5,3,13,4,17,16,7,19,12,9)(8,14)(10,11)(15,20), (1,12,18,3,13,19,20,8,7,11,14,9)(2,5,6,15)(4,17,16), (2,8,12,20,4,3,5,16,6,15,17,13,7,18,19)(9,10,14), (1,15,6,3,19,10,7,13,11,4,2,18,14)(5,16,17,12,9,20,8), (1,14,2,17,7,12,8,13,19,10,18,3,20,6,15,9)(4,16), (1,18,2,11,3,12,5,14,17,15,9,8)(4,10,19,6)(13,20,16), (1,18,17,7,20,5,14,16,19,3,2,4,9,12,15)(6,11,10,8,13), (1,6,2,18,7,9,15,4,19,12,11,10,17,16,13,14,20,8,5), (1,9)(2,10,16,17,11,12,15,20,18,7,8,19,5,14,13,4), (1,14,9,6,16,15,3,17,8,7,18)(2,4,5,13,19,10,11,20,12), (1,18,13,10,11,6)(2,7,12,20,14,15,3,17,8,9,4,16,19,5), (1,10,12,2,11,6,4,5,20,8,14)(3,17,15,16,19,7,13), (1,13,18,6,7,12,20,17,5,16,19,8,11,10,14,15,9,4)(2,3), (2,10,6,20,16,11,18,19,14,15)(3,13,4,9,12,7,5,17), (1,3,5,8,19,12,4,2,6,7,13,11)(9,10,18,14,15,20,16,17), (1,10,13,20)(3,7,4,14,5,18,16,17,15,8,9,11)(6,12,19), (1,2,3,20,8,17,18,4,6,14,7,5,12,10,19,9,16,15)(11,13), (1,10,16,20,2,17,7,5)(3,18,19,14,8,9)(4,13)(11,15), (1,17,13,15,3,5,11,10,6)(2,7,20,18,14)(4,12,16,9,8), (1,5,16,17,7,14,6,2,20,13,11,9,18,4,8,10,12,15)(3,19), (1,9,13,8,11,4,18,2,3,5,12,17,10,15,7,6)(14,20,16,19), (1,17,3,20,13,9,6,11,8)(2,14,19,7)(4,5,16,10,18,15), (1,12,6,7,14,2,17,11,20,10,8,16,15,5,9,19,18,13,4), (1,8,16,3,13,9,7,2,17,15,6,10,11,18,14)(4,19)(5,20), (1,2,20,4,8)(3,7,11,14,13,5,12,17,9,6)(10,16,18,15), (1,14,8,15)(3,18,20,7,12,9)(4,19,17,11,13,10)(6,16), (1,9,11,6,14,8)(2,7,10,19,16)(3,20,13)(12,17,18,15), (1,12,16,3,15,18,11,17,2,4,8,13,5,7,6,14,19,20,10), (1,7,18,9,6,2)(3,17,4,16,20,14,15,10,11,8)(5,19)(12,13)]
[(1,16,15)(2,3,4,11,6)(5,8,9,19,20,18,12)(7,14,13,10,17), (1,20,19,14,15,5)(2,9,13,12,8,7,11,17,3,18)(4,16,10), (1,6,2,11,8,20,10,17,14,12,7,9,4)(3,5,19,16,15,18,13), (1,5,19,9,2,6,11,7,14,15,12,18,20)(3,8,17,16,10,13,4), (1,5,6,2,9,3,17,18,15,7)(4,16,20,8,13)(10,12,11)(14,19), (1,3,18,2,5,13,14)(4,9,7)(6,20,16,10,17,11,8,12,19), (1,4,2,19,13,15,7,12,20,17,18,3,8)(5,9,16,6,14,10,11), (1,11,10,13,2,15,17,9,6,12,14,5,7,3,4,16)(8,19,20,18), (1,3,15,5,13,7,20,12,17,16,18,8,6,19,4,11,2,14)(9,10), (1,11,12,18,4,9,20,16,14,2,19,17,15)(3,10,8,7,13,6,5), (1,20,13,16,3,2,4,14,19,18,8,6,15,12,10,7)(9,11), (1,19,20,8,14)(2,17,16,5,12,3,18,15,9,11,4,6,13), (1,6,19,9,4,12,14,11,7,15,8)(2,16,10)(3,18,5,17,20), (1,19)(2,11,5,9,17,15,16,8,6,13,12)(3,18)(4,7,10,20,14), (1,2,13,5,7,14,20)(3,9,19,8,17,11,18,4,10,12,6,15,16), (1,15,4,8,17,2,16,5,11,3,13,20,14)(6,18)(7,19,10)(9,12), (1,13,9,5,2,17,7,20,19,11,12,8,4)(3,18,16)(6,10,15), (1,19,14,15,12,5,6,4,17,9,7,2,11,16,3,13,8,20,10), (1,13,15,4,14,20,10,6,11,12,2,5,19,3,17,18,8,9,16), (1,7,10,17)(2,12,8,11,5,19,15)(3,20,16,18,13,6,4,14), (1,13,10)(2,20,14,9,5,18,12,16,11,17,3,7,6,8,19), (1,4,6,15,9,10,8,20,12,13,11,7,5,3,17,14)(2,16), (1,15,2,17,13)(3,19,11,5,7,12,20,10,14,18)(4,16,8)(6,9), (1,11,14,17,19,2,5,12,15,4,9,16,18,13)(3,7,6)(10,20), (1,8,11,20,18,16,15,2,12,9,6)(3,13,10,4,14,7,19,17,5), (1,19,14,15,7,18,16,13,8,6,11)(2,20)(3,10,9,4), (1,8,2,6,17,4,19,13)(3,5,11,16,9,7,18)(10,14,12,20), (1,10,13,7,5,8)(2,14,9)(3,6,17,15,18,12,20,19,4,11), (1,18,9,7,13,11,8,16,19,10,4)(2,15,12,5,3,20)(6,17), (1,8,2,3,12,20,6,9,14,4,18)(5,17,10,16,13,11,7), (1,16)(2,12,6,19,5,11,4,9,10,15,13,18,7,8)(3,14)(17,20), (1,14,18)(2,13,16,7,9,20,10,12,5,4,8,15,6,19,17,3,11), (1,18,17,20,6,16,11,7,14,3,10,2,5,15)(4,19,9,13), (2,9,18,12,20)(3,4,11,16,10,13,15,17)(5,8,14,6), (1,10,18,20,3,7,12,14,13,5,2,15,6,19,17,16,8,4,9), (1,6,17,2,4,9,14,10,5,13,3,18)(7,20,8,12)(11,19)(15,16), (1,18,11,12,8,2,15,7,13,16,3,17,20,9,14,6)(4,5,19,10), (1,14,7,15,13,5,16,11,19,4,17,8,20,9,12,18,2,3,6), (1,7,14,3)(2,12,16,11)(4,18,19,5)(6,13,9,20,17,15,10,8), (1,20,5,19,7,17,18,9,4,6,13,14,8,16,3,11,2,12,15), (1,3)(2,8,12,19,17,20,4,5,16,9,10,6,11,7,13,15,14,18), (1,11,2,4)(3,14,16,17,18,19,9,10,8,5)(7,13,12,20,15)]
cb6c75ba0fd13f8c13cb650ad52302d381be36673e0689cac517c92e76e81492e4b1056ebcf8dcc277dc531402d410a0
Solution
First of all, let’s analyze the source code.
It looks like an analogue of Diffie-Hellman key exchange, but slightly different. It also uses the public keys for users $A$ and $B$, the private keys for them and the shared key. The main difference is in math operations: the classical Diffie-Hellman is based on the discrete logarithm problem, but there is nothing like this in the source code. Instead the challenge initializes an alternating group of degree $n$ and does some operations with its elements.
After the imitation of the key exchange, the challenge encrypts the flag using AES cipher with the derived shared key $K$. So, our goal is to get $K$ and decrypt the flag. Initially I thought about a weakness of the alternating group structure, because this group is rarely used in crypto challenges.
Let’s try to understand what the alternating group is.
The alternating group is the subgroup of the symmetric group, and the symmetric group is a group of all permutations of the fixed length $n$. For example, if $n = 3$, then symmetric group contains these elements:
$$ \{123, 132, 213, 231, 312, 321\} $$
The alternating group contains only even permutations (permutation is even if the number of its inversions is even). For $n = 3$ it will be: $\{123, 231, 312\}$. The order of the symmetric group is $n!$ (see factorial), and of the alternating group is $\dfrac{n!}{2}$. In the challenge $n = 20$ and the alternating group contains
$$ \dfrac{20!}{2} = 1216451004088320000 $$
elements. It’s not possible to enumerate all permutations and find the correct $K$.
Now let’s take a look at the group operations.
The first operation is exponentation $x^y$, only two exponents are used: $1$ and $-1$. One can deduce that $X^1$ is just $X$, and $X^{-1}$ is the multiplicative inverse of $X$.
The second operation is multiplication $x \cdot y$, it’s just a composition of permutations:
Note that $\cdot$ is non-commutative operation, it means that $X \cdot Y \neq Y \cdot X$. This property may be obvious from $K$ generation. If $\cdot$ would be commutative, then $K$ always be the same identical element:
$$ K = A^{-1} \cdot B^{-1} \cdot A \cdot B $$
Now it’s the time to recognize the cryptosystem (however it’s not too helpful). Since the operation is non-commutative, we can search for cryptography based on such type of operations and find the Wikipedia article Non-commutative cryptography . There is another link to the desired cryptosystem: Anshel–Anshel–Goldfeld key exchange. The algorithm is the same, and we can also find out what problem AAG cryptosystem is based on: the conjugation problem. After some searching one can find that this problem is NP-complete, so let’s try to use a primitive approach to solve it.
In short we need to recover the private key $A$ (or $B$) to derive $K$, it means that we need to recover the array of exponents $\varepsilon_a$ (or $\varepsilon_b$). The array $\varepsilon_a$ contains $m$ elements, and each element lies in ${1, -1}$, so we need to enumerate $2^m$ possible $\varepsilon_a$ arrays. How could we check the correctness of $A$? There is another array $\text{abar}$ that contains elements of type $A^{-1} \cdot \text{pub}_b[i] \cdot A$. Since we know $\text{pub}_b[0]$ and $\text{abar}[0]$ we can check $A$ that way. But bruteforce $2^m = 2^{42} = 4398046511104$ is too hard, so let’s use some well-known heuristics to reduce it.
Notice that $\varepsilon_a$ has almost equal numbers of $1$ and $-1$ elements. So we don’t need to enumerate all possible $\varepsilon_a$, we just need to enumerate all $\dfrac{m}{2}$-combinations on $m$ positions. The number of such combinations is equal to:
$$ \dfrac{m!}{\left(\dfrac{m}{2}\right)! \cdot \left(\dfrac{m}{2}\right)!} = \dfrac{42!}{21! \cdot 21!} = 538257874440 $$
A bit smaller, but not enough. Now let’s try to apply meet-in-the-middle attack. We can split $A$ that way:
A = mul(pub_a[i] ^ eps_a[i] for i in range(m))
A1 = mul(pub_a[i] ^ eps_a[i] for i in range(0, m // 2))
A2 = mul(pub_a[i] ^ eps_a[i] for i in range(m // 2, m))
A = A1 * A2
Now look at $\text{abar}[0]$:
$ \hspace{1cm}\text{abar}[0] = A^{-1} \cdot \text{pub}_b[0] \cdot A $
$ \hspace{1cm}\text{abar}[0] = (A_1 \cdot A_2)^{-1} \cdot \text{pub}_b[0] \cdot (A_1 \cdot A_2) $
$ \hspace{1cm}A_2 * \text{abar}[0] \cdot A_2^{-1} = A_1^{-1} \cdot \text{pub}_b[0] \cdot A_1 $
We can enumerate $A_1$ and $A_2$ differently and meet them in the middle, it means we need to bruteforce:
$$ 2 \cdot \dfrac{\left(\frac{m}{2}\right)!}{\left(\frac{m}{4}\right)! \cdot \left(\frac{m}{4}\right)!} = 2 \cdot \dfrac{21!}{10! \cdot 10!} = 705432 $$
and store half of it in the table. Looks great! Note that $\{1, -1\}$ are not equally distributed, so we need to add an additional bias (for example enumerate all 9-, 10-, 11-, 12- and 13-combinations on 21 elements). Here is an example algorithm in sage
:
def find_eps_a(pub_a, pub_b, abar):
import itertools
table = dict()
left, right = pub_a[:m // 2], pub_a[m // 2:]
for offset in range(-2, 3):
for combination in itertools.combinations(range(m // 2), m // 4 + offset):
eps = [1] * (m // 2)
for i in combination:
eps[i] = -1
A1 = prod([x^e for x, e in zip(left, eps)])
candidate = A1^(-1) * pub_b[0] * A1
table[candidate] = tuple(eps)
for offset in range(-2, 3):
for combination in itertools.combinations(range(m // 2), m // 4 + offset):
eps = [1] * (m // 2)
for i in combination:
eps[i] = -1
A2 = prod([x^e for x, e in zip(right, eps)])
candidate = A2 * abar[0] * A2^(-1)
if candidate in table:
return list(table[candidate]) + eps
When we found $\varepsilon_a$ we can calculate $K$ and decrypt the flag:
K = A^(-1) * prod([x^e for x, e in zip(bbar, eps_a)])
Note: I don’t know is it the indended solution.
Flag
ptm{c0njug4t10n_w1th_cycl35_1s_fun!}