rkm0959

We participated in Paradigm CTF with KALOS team members and some friends (minaminao, taek, epist, gss1, pia).

During the competition, there were 2 challenges with the tag "cryptography" and I ended up getting first blood on both.

Oven

So we are given a random signature oracle. To be precise, we know $t, r, p, g, y$ such that $$c = \text{hash}(g, y, t), \quad r \equiv (v - c \cdot flag) \pmod{p-1}$$ The key part I used is that we know $c, r, p$ and that $flag < 2^{384}$ as well as $v < 2^{512}$. In other words, we are finding the $0 < flag < 2^{384}$ such that $c \cdot flag + r \pmod{p-1}$ is less than $2^{512}$. This is a classic task suitable for lattice reduction (a bit overkill, but it is) and similar tricks have appeared in CTFs so much that I have a whole repository on this (https://github.com/rkm0959/Inequality_Solving_with_CVP)

A good heuristic to why this would work is that the "probability" of a value $flag$ satisfying $c \cdot flag + r \pmod{p-1} < 2^{512}$ would be around $2^{512} / p$, which is far less than $1/2^{384}$ as $p$ is 1024 bits. This means that there would be a unique $flag$ that satisfies our needs. 

To understand how to solve this "linear inequality with modulo" task, see https://rkm0959.tistory.com/188 (korean).

Dragon Tyrant

The codebase is quite large, so I can't upload it all here. A quick summary - 

• The goal of the challenge is to slay the dragon
• To slay the dragon, one has get an NFT with max attack/defense, and predict the dragon's moves 60 times in a row.
• The dragon's moves, as well as the basic stats of a generated NFT, is done with a weird elliptic curve based RNG.
• To get max attack/defense, one can buy items from an item shop
• However, getting the max attack sword legit is too expensive
• but it suffices to buy items from a shop that has the same extcodehash as the provided one. 

Let's start with getting the max attack and defense. We just need matching extcodehash - so whatever we do in the constructor doesn't matter, as long as we return the same code. Therefore we can do some nice tricks as follows.

Now we can equip this accordingly to get max attack/defense. We now have to predict the moves. 

When the off-chain entity resolves the randomness, it first generates the random values for the mints' traits.

Only after that, it generates the random value for the dragon's move. This can be seen in the code below.

We can also fetch the traits, as the NFT contract provides a public function for it. This implies that we can fetch all the previously generated values for the off-chain provided seed. In other words, if we can compute $\text{rand}(seed, i + 1)$ from $\text{rand}(seed, i)$, we would be done. 

Now let's look at the randomness itself. 

So it first takes $r$ as 0x123456789 and sets $P = r \cdot G$ and $Q = \text{hash}(r) \cdot G$. Then, the randomness is generated by iterating $seed \leftarrow (seed \cdot P).x$ for $round$ number of times and finishing with $out \leftarrow (seed \cdot Q).x$. 

Now we see the idea - since we know the $(seed \cdot Q).x$ as the output, one can recover $seed \cdot Q$ where $seed$ is the result of $round$ iterations. Since we know the discrete-logarithm relations between $P$ and $Q$, this means that we can also recover $seed \cdot P$ - and taking the $x$ coordinate here would be the result of $round + 1$ iterations. Now doing $out \leftarrow (seed \cdot Q).x$ once again would be sufficient to get the randomness result for $\text{rand}(seed, round + 1)$. We have our theoretical exploit! Now on to the implementation.

To do this in a smart contract, the only hard part would be to recover the full elliptic curve point from the $x$ coordinate alone. To do this you need a modular square root, but since $p \equiv 3 \pmod{4}$ it's easy, (no Tonelli-Shanks) simply raise to $(p+1)/4$th power.  

https://twitter.com/Scroll_ZKP/status/1716781095138861158

https://github.com/kalos-xyz/Publications/blob/main/audit-reports-english/Scroll_zkEVM_-_Audit_Report.pdf

https://github.com/kalos-xyz/Publications/blob/main/audit-reports-english/Scroll_zkEVM_-_Part_2_-_Audit_Report.pdf

제가 참가한 보안감사 리포트가 공개되었습니다 :)

https://infossm.github.io/blog/2023/09/16/Brakedown/

https://infossm.github.io/blog/2023/07/14/Monolith/

We are given two polynomials $f, f_v$ such that $f \cdot f_v \equiv 1 \pmod{x^n - 1}$, but some $D$ of the coefficients are erased. We have to recover $f, f_v$ completely, in a relatively fast and reliable fashion. The erasure positions are also given by the server.

For the first task, $(n, D) = (2411, 83)$ and the erasure positions are completely random. 

For the second task, $(n, D) = (8501, 2125)$ and the erasure positions can be controlled by a user provided seed. 

Task 1

By setting a variable for each erased coefficient, we will have a system of $n$ quadratic equations over $2D$ variables in $\mathbb{F}_3$. However, the interesting part is that some of the quadratic equations are actually just linear. For example, if we denote $S_1$ and $S_2$ as the set of erased coefficient's degree in $f$ and $f_v$ respectively, we can see that the equation arising from computing the coefficient of $x^k$ in $f \cdot f_v \pmod{x^n - 1}$ will be simply linear if there are no $u \in S_1$ and $v \in S_2$ such that $u + v \equiv k \pmod{n}$. 

By collecting these equations and solving the linear system, we will be closer to finding the solutions for the $2D$ variables.

However, after implementing this you can see that there will be a nontrivial kernel, of size around 40 to 50. 

This can be resolved in two ways. 

• The author's intended solution is to modify the given system as a system of $n$ quadratic equations over $K$ variables, where $K$ is the size of the kernel. This can be done simply by expressing the solution set of the $2D$ variables as a single solution added with a vector in the span of the computed kernel basis. As $K$ is much smaller than $2D$, we can actually solve this quadratic equation system by linearization. In other words, we can regard all quadratic terms as a separate linear variable, and solve the linear system over $\mathcal{O}(K^2)$ variables. This fails if $K$ is large, but such probability is small enough so that you can just try repeatedly.  
• soon-haari's solution works by selecting variables so that fixing it will add as many linear equations as possible, then brute forcing them. Apparently, brute forcing around 3 to 7 variables makes it sufficient to solve everything with a linear system. This was considered by the author as well, but was considered to be of similar difficulty. Congratulations to soon-haari for the solve!

Task 2

From solving task 1, it should be clear that the goal should be to create as many linear equations as possible, and the best way to do it is by making the erased coefficients consecutive in their positions. Note that $D = n/4$. Now how do we do that?

Looking at the sample implementation, we can see that the random sampling works by 

• selecting a random number below $n - i$
• taking the value at that index
• swapping with the value at position $n - i - 1$ so it's not selected again

The first idea is that our consecutive selections should be between $3n/4$ and $n$ - this is because if we try to pick everything from the front, the whole swapping process with the elements from the back makes everything very complicated. By picking everything at the back, the swapping process doesn't matter. Our goal is that for each $0 \le i < 2D$, the $i$th randbelow call should return a value $x$ such that $$n - D \le x < n - (i \pmod{D})$$ To do this efficiently, we need to minimize the number of bits we constrain from the randbelow results.

This can be done by finding $t, e$ such that $$n - D \le t \cdot 2^e < (t + 1) \cdot 2^e \le n - (i \pmod{D})$$ and maximizing $e$. Now, it suffices to constrain that the randbelow result is equal to $t$ after being shifted right $e$ bits. 

With this constraint in mind, finding the random seed is a relatively standard & well-known part. Check 

• https://gist.github.com/maple3142/1e3e81411a791f85073c3d902b0f14ef    
• https://rbtree.blog/posts/2021-05-18-breaking-python-random-module/    

스트리밍

• Youtube Premium
• Spotify

음악 기기

• AT-LP60X + MR4
• 에듀플레이어 CD Player 

구매처

• Tower Records Shibuya
• Hyundai Card Vinyl & Plastic
• Doujin Stores
• Misc. Abroad Vinyl Stores

Hip Hop (Western)

• Kendrick Lamar
  • GKMC (CD + Vinyl) 
  • TPAB (CD + Vinyl)
  • DAMN (CD)
  • Mr. Morale & the Big Steppers (CD)
• Kanye West
  • MBDTF (Vinyl)
  • Kids See Ghosts (CD + Vinyl)
• Tyler, the Creator
  • Cherry Bomb (Vinyl)
  • Flower Boy (CD + Vinyl)
  • IGOR (Vinyl)
  • CALL ME IF YOU GET LOST (CD)
• N.W.A.
  • Straight Outta Compton (CD)
• Madvillian
  • Madvillainy (Vinyl)

Hip Hop (Japan)

• Samurai Champloo - Departure (Vinyl)
• Modal Soul (Vinyl)
• Metaphorical Music (Vinyl)
• Luv(sic) Hexalogy (CD)
• Hydeout Productions 2nd Collection (Vinyl)

Warp Records

• Aphex Twin
  • Selected Ambient Works 85-92 (Vinyl)
  • Selected Ambient Works Volumn II (CD)
  • Richard D James Album (CD)
  • drukqs (CD)
  • Syro (CD)
  • Collapse (CD)
  • Blackbox Life Recorder 21f (Vinyl)
  • Girl/Boy EP (Vinyl)
• Squarepusher
  • Feed Me Weird Things (CD, 25th Anniversary Version)
  • Be Up a Hello (CD)
  • Lamental EP (CD)
• Flying Lotus
  • Cosmogramma (CD)
  • Until the Quiet Comes (CD)
  • You're Dead! (CD)

City Pop

• Mignonne - Taeko Ohnuki (CD)
• Heaven Beach - Anri (CD)

Japanese 

• だから僕は音楽を辞めた - Yorushika (CD)
• Your Name - RADWIMPS (CD)
• Lemon - Kenshi Yonezu (CD)
• 極彩色 - Reol (CD)
• 世界はiに満ちている - CHiCO with HoneyWorks (CD)

J-Jazz

• Scenery - Fukui Ryo (Vinyl)
• Casiopea - Casiopea (CD)
• Mint Jams - Casiopea (CD)

Animation Related

• COWBOY BEBOP (CD)
• Evangelion Finally (CD)
• Howl's Moving Castle (Vinyl)

Japanese Rhythm Game or Doujin Music 

• See You Again, HOLLOWOOD - t+pazolite (CD)
• DJ Genki Best Collection - DJ Genki (CD)
• CRYSTAR Soundtrack - Sakuzyo (CD)
• AD:PIANO VI (CD)
• Thank You - Hoshina Haru (CD)
• "Cutie" Strikes Back - t+pazolite (CD)
• TANO*C Short Collection (CD)

Touhou Project

• ZUN's Music Collection vol 1~6 (CD)
• FELT
  • Sevens Head (CD)
  • Rising Nebula (CD)
  • Darkness Brightness (CD)
• Tokyo Active NEETs
  • Orchestral CDs - Compilation, TH07, TH08, TH09, TH10, TH11, TH12, TH13, TH14, TH16 (CD)

Misc

• Currents - Tame Impala (CD)
• WORLDS - Porter Robinson (CD)
• Nurture - Porter Robinson (CD)
• Donuts - J Dilla (Vinyl)
• Endtroducing... - DJ Shadow (Vinyl)
• Super Mario Bros 30th Anniversary (CD)
• Random Access Memories 10th Anniversary Edition (Vinyl)
• Hans Zimmer x Alan Walker Time (Vinyl)
• Untrue - Burial (Vinyl)
• OKNOTOK 1997 2017 (CD)
• Kid A - Radiohead (Vinyl)
• In Rainbows - Radiohead (Vinyl)
• Discovery - Daft Punk (Vinyl)
• Music has right to children - Boards of Canada (Vinyl)