# tonnerre

Description: We were pretty sure the service at tonnerre.pwning.xxx:8561 source was totally secure. But then we came across this website and now we’re having second thoughts… We think they store the service users in the same database?

Python version:

$$SHA256(re+SHA256(session\_secret)) == proof$$

$$re = ((g^r\ mod\ N) + v)\ mod\ N$$

$$(re - v)\ mod\ N = g^r\ mod\ N$$

$$(x * v)\ mod\ N = c = g^2$$

$$session\_secret = g^{2*r}\ mod\ N = (g^r\ mod\ N)^2\ mod\ N$$

$$(x * v)\ mod\ N = g^2$$

$$(x * v * g^{-2})\ mod\ N = 1$$

$$(x * v * A^{-1})\ mod\ N = ((x * v)\ mod\ N) * (A^{-1}\ mod\ N)\ mod\ N$$

$$x * (v * k) \equiv 1\ (mod\ N)$$

# rabit

Description: Just give me a bit, the least significant’s enough. Just a second we’re not broken, just very, very insecure. Running at rabit.pwning.xxx:7763

$$x^{\frac{\phi(q)}{2}}\ mod\ q = 1$$
$$x^{\frac{\phi(p)}{2}}\ mod\ p = 1$$

$$x^{\frac{\phi(N)+4}{8}}\ mod\ N = m$$

## UPDATE: 4/19

$N = p * q$ => p and q are two distinct random primes, and both $q \equiv 3\ (mod\ 4)$ and $p \equiv 3\ (mod\ 4)$ hold at the same time

$$C = X^2\ mod\ N$$
$$X = C^{\frac{\phi(N)+4}{8}}\ mod\ N$$

$$a_{1}^{2} \equiv x\ (mod\ q)$$

$$a_{2}^{2} \equiv x\ (mod\ p)$$

## LSB oracle attack

$$\begin{cases} \text{if } ev < N \text{ then } ev\ mod\ N \text{ is even}\\ \text{if } N < ev < 2N \text{ then } ev\ mod\ N \text{ is odd}\\ \text{if } 2N < ev < 3N \text{ then } ev\ mod\ N \text{ is even}\\ \ldots \end{cases}$$

Multiply $m^e\ mod\ N = c$ by $2^e\ mod\ N = c_2$:

$$(2*m)^e\ mod\ N = c * c_2\ mod\ N = CC$$

$$CC^d\ mod\ N = (2 * m)^{e*d}\ mod\ N = 2*m\ mod\ N = MM$$

$$\begin{cases} \text{if } MM \text{ is odd then } 2*m > N\\ \text{if } MM \text{ is even then } 2*m < N \end{cases}$$

$$(4*m)^e\ mod\ N = CC * c_2\ mod\ N = CC_2$$

$$CC_{2}^{d}\ mod\ N = (4 * m)^{e*d}\ mod\ N = 4*m\ mod\ N = MM_2$$
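The doubling steps above, carried through to a full recovery of $m$, as an added Python example that is not part of the original write-up: a constructed toy key and a local `parity_oracle` function stand in for the remote service, and `lsb_oracle_attack` multiplies the ciphertext by $c_2 = 2^e\ mod\ N$ once per round and halves the candidate interval with each leaked bit.

```python
from fractions import Fraction

# Constructed toy RSA key (small primes so the demo runs instantly;
# real keys are far larger). Not the challenge's key.
P, Q = 999983, 1000003
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (Python 3.8+ modular inverse)


def parity_oracle(c: int) -> int:
    """Stand-in for the leaky service: decrypt c and reveal only the LSB."""
    return pow(c, D, N) & 1


def lsb_oracle_attack(c: int, n: int, e: int, oracle) -> int:
    """Recover m from c = m^e mod n given only the parity of each decryption.

    Round k submits the ciphertext of 2^k * m (c multiplied by 2^e mod n,
    the c_2 of the write-up). Because n is odd, 2^k * m mod n is odd exactly
    when 2^k * m has wrapped past an odd multiple of n, which tells us which
    half of the current interval [lo, hi) holds m. Fractions keep the bounds
    exact, so the interval shrinks to width < 1 after bit_length(n) rounds.
    """
    lo, hi = Fraction(0), Fraction(n)
    c2 = pow(2, e, n)
    for _ in range(n.bit_length()):
        c = (c * c2) % n         # ciphertext of 2^k * m
        mid = (lo + hi) / 2
        if oracle(c) == 1:       # odd: 2^k * m wrapped past n, m is in the upper half
            lo = mid
        else:                    # even: m is in the lower half
            hi = mid
    return int(hi)  # the only integer left in [lo, hi)


if __name__ == "__main__":
    m = 123456789  # constructed secret plaintext, m < N
    c = pow(m, E, N)
    print(lsb_oracle_attack(c, N, E, parity_oracle) == m)
```

The number of oracle queries equals the bit length of $N$, which is why a single leaked bit per decryption is enough to expose the whole plaintext.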