MOVs Like Jagger - HTB Cyber Apocalypse CTF 2022
The challenge title hints at the MOV attack which works on curves with a small embedding degree.
First we can define the curve and calculate the embedding degree (k):
# curve
a = -35
b = 98
p = 434252269029337012720086440207
E = EllipticCurve(GF(p), [a,b])
# generator
Gx = 16378704336066569231287640165
Gy = 377857010369614774097663166640
G = E(Gx, Gy)
# public keys
A = E(0x53aa256fca975b0e2fd527aac, 0x1d4f956ec8a4458cfda8dff15)
B = E(0x21cd699755718698a1963cd50, 0x21e48edd5538758b156ee9328)
# embedding degree
k = 1
while (p**k - 1) % E.order() != 0:
k += 1
print(k)
We get k = 2, small enough for the MOV attack to work. It transfers the discrete log from \(E(F_p)\) to \(F_{p^2}^\times\), which is much easier.
def MOV_attack(E, G, A, k):
E2 = EllipticCurve(GF(p**k), [a,b])
T = E2.random_point()
M = T.order()
N = G.order()
T1 = (M//gcd(M, N)) * T
_G = E2(G).weil_pairing(T1, N)
_A = E2(A).weil_pairing(T1, N)
nA = _A.log(_G)
return nA
nA = MOV_attack(E, G, A, k)
secret = nA * B
print(secret.xy()) # (338674607206389654805492721792, 390828491586972541331184235565)
The secret would be different depending on the public keys the server gives you.
Submit to get flag HTB{I7_5h0075_,1t_m0v5,_wh47_15_i7?}