src/MetaTrustCTF/ECDSA/exploit.py

#!/usr/bin/python3
from challenge.math_utils import *
from challenge.miniecdsa import *

LOCAL = False

pm1 = 0xCA1AD489AB60EA581E6C119CC39D94DDBFC5FAA0E178A23CA66202C8C2A72277
pm2 = 0x0F1AE6C77FEE73F3AC9BE1217F50C576C07D7E5FAA0E178A232DD33D09FF2CDE

if LOCAL:
    d = 0x87E01E2118B1C12B94C555A1726129C6209D386328994AF4BBF0FF8BB6CDBB0E
    pub = pubkey(d)
    pkx, pky = pub.x, pub.y
    print("d =", hex(d))

    (pr1, ps1) = sign_ecdsa(d, pm1)
    (pr2, ps2) = sign_ecdsa(d, pm2)

else:
    pkx = 0x209D386328994AF4BBF0FF8BB6CDBB0E87E01E2118B1C12B94C555A1726129C6
    pky = 0x76AC8F2FDA3A921BD3DCC1D2F0741B91DCD18D053A67A4ECE89761E64A0881B1
    pub = EPoint(pkx, pky)

    pr1 = 0x22C2921ACF3A393A0BBAF1F68EE7E02F8385FF60CA67C41A1DE3CFF3FDAA1A74
    ps1 = 0x1878DBC4684DE3A63A5975325B467CDBA846B24D949322016FE4C8FD2C0862A1

    pr2 = 0xB9201D2D40D63EB41D934C9D45280837CA09B03C4E063946CAA06EABEAACB944
    ps2 = 0xBA69F449ED11E3677AB37367D99EC3B399A006FE875941F5DA57156A8FE9C8E0


res = verify_ecdsa(pub, pm1, pr1, ps1)
print("res_pm1 =", res)

res = verify_ecdsa(pub, pm2, pr2, ps2)
print("res_pm2 =", res)
print()

pm3 = 0xD935BB512B4F5E4BCB07F2BE42EE5A54804379008B86B9C6C98FD605CCA64F55


x1 = 0x53B907251BC1CEB7AB0EB41323AFB7126600FE4CB2A9A2E8A797127508F97009
y1 = 0xC7B390484E2BAAE92DF41F50E537E57185CB18017650A6D3220A42A97727217D
x2 = 0xACBC2999FB58C6E9015A12A4C5F3849E301649B2271EAAAF21906ED03CAFDF45
y2 = 0x146AAC3F7F74047FD45CF0098FADEE5CD00F7F6871440387BA402F2390D7276F
P1 = EPoint(x1, y1)
P2 = EPoint(x2, y2)

z1 = pm1
z2 = pm2
s1 = ps1
s2 = ps2
r1 = pr1
r2 = pr2
D = (mult(P1, pm2).x - mult(P1, pm1).x) % SN
print(f"{D = }")

# k1 = ks[0]
# assert (s1 * k1 - (z1 + r1 * d)) % SN == 0
# assert (s2 * k1 + s2 * D - (z2 + r2 * d)) % SN == 0

k1 = (s2 * r1 * D - z2 * r1 + z1 * r2) * pow(s1 * r2 - s2 * r1, -1, SN) % SN
print(f"{k1 = }")
d = (s1 * k1 - z1) * pow(r1, -1, SN) % SN
print("d =", hex(d))

(pr3, ps3) = sign_ecdsa(d, pm3)

print("r =", hex(pr3))
print("s =", hex(ps3))