Tags: crypto elliptic-curve
Rating:
The name of the task leads to the concusion, that it is about elliptic curve cryptography. In fact it is about obtaining $d$, such that $Q = d\times G$
From the task description we know the following values:
$p = 17459102747413984477$
$a = 2$
$b = 3$
$G = (15579091807671783999, 4313814846862507155)$
$Q = (8859996588597792495, 2628834476186361781)$
-----
The elliptic curve over a finite field can be described as follows:
$y^2 = x^3 +ax + b\ mod\ n$
In our case if looks like that: $y^2 = x^3 + 2x + 3\ mod\ 17459102747413984477$
Using SageMath we can build it in the following way:
```python
# Known parameters
p = 17459102747413984477
a, b = 2, 3
# Build an object that describes the ellliptic curve
ec = EllipticCurve(GF(p), [a, b])
# define points
G = ec(15579091807671783999, 4313814846862507155)
Q = ec(8859996588597792495, 2628834476186361781)
```
-----
As said before we need to find out $d$ such that $Q = d\times G$, that is known as Elliptic Curve Discrete Logarithm Problem (ECDLP).
In this case we'll try to use [Pohlig-Hellman algorithm](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjxp9rL4t_xAhXDs4sKHR_0AW8QFnoECAIQAA&url=https%3A%2F%2Fwww.researchgate.net%2Ffile.PostFileLoader.html%3Fid%3D5583faed6225ff040e8b458b%26assetKey%3DAS%253A273804985602059%25401442291603545&usg=AOvVaw3x4kWhwsAyL_QGrTe3UqCS) (page 64), because factoring the generator's order produces many (actually not, but it is enough) small primes:
```
[In] factor(G.order())
[Out] 2 * 5 * 11 * 22303 * 36209 * 196539307
```
-----
The generic idea of Pohling-Hellman algorithm is to build and solve the following system of congruences:
$d = d_1\ mod\ p_1^{e_1}$
$d = d_2\ mod\ p_2^{e_2}$
$...$
$d = d_k\ mod\ p_k^{e_k}$
where $d$ denotes the target value, $e_i$ denotes the exponent of $p_i$, each $d_i$ denotes discrete logarithm of $d$ modulo $p_i$ and can be expressed in the following way:
$d_i=z_0+z_1p_i+z_2p_i^2+...+z_{e_i-1}p_i^{e_i-1}\ mod\ p_i^{e_i}$, where $\forall k: z_k\in [0, p_i -1]$
Now let $G_i=\frac{x}{p_i}G$ and $Q_i=\frac{x}{p_i}Q$, where $x=\prod_{i=1}^{k}{p_i^{e_i}}$.
Using the fact that the order of $G_i$ is $p_i$ we can write the following equation: $Q_i=d\times G_i=z_i\times G_i$. Numbers $z_i$ can be obtained directly by calculating discrete logarithms, because all $p_i$ are relatively small.
The last step is to solve the system of congruences (mentioned above) using Chinese Remainder Theorem.
-----
These operations can be written in SageMath as follows:
```python
primes = [2 , 5 , 11 , 22303 , 36209 , 196539307] # factor(G.order())
dlogs = []
for fac in primes:
t = int(G.order()) // int(fac)
dlog = discrete_log(t*Q, t*G, operation="+")
dlogs += [dlog]
print(crt(dlogs, primes))
```
Because of small primes this task requires a small amount of time - just a few seconds. It yields the following result: `7868191182322623331`.
This number needs to be translated into hex and then decoded as ascii: `0x6d316e315f336363` => `flag{m1n1_3cc}`