# In order to break lazarus, you would have to
# a) break AES
# b) break ECC
# c) break ChaCha20
# d) break prime-factorization
# e) break cbc (ok, that's quite doable...)
#
# And still here we are:
# This script is able to decrypt any ciphertext encrypted using lazarus :D
from fastecdsa.curve import P256
from fastecdsa.point import Point
from fastecdsa import util
from lazarus import Lazarus
class Bethany:
    """Empty placeholder class.

    Defines no attributes or methods; instances behave like plain
    ``object`` instances.
    """
#---
# Trapdoor scalar: the second generator point Q below is derived from the
# base point G with this known value, Q = e*G. Anyone holding e can relate
# a point r*P to r*Q, which is exactly what breakEccPerm relies on; with an
# unknown e (the intended, honest deployment) that relation is unavailable.
e = 31415926535987932384626433832795
# P256.G is the curve's base point; Generalised_Dual_EC_RBG asserts that Q
# lies on the same curve it is given.
Q = e*P256.G
class Generalised_Dual_EC_RBG(object):
    """Elliptic-curve random bit generator parameterised by a second point Q.

    Each ``gen()`` call, with ``P = curve.G``, computes ``r = (state * P).x``,
    builds the output from ``(r * P).x`` and sets the next state to
    ``(r * Q).x``. Whoever knows a scalar ``e`` with ``Q = e * P`` can
    therefore derive the next state from the output point alone; the
    module-level ``e`` and ``Q`` set up exactly that situation.

    Attributes:
        curve: the curve in use (default ``P256``).
        state: current internal state, an integer scalar.
        Q: the second point; must lie on ``curve`` (asserted in ``__init__``).
        P: always ``curve.G``.
        tmp: set to ``None`` here and never read by this class.
        lsb: after ``gen()``, the full ``bin()`` string of the output point's
            x-coordinate (despite the name, not only the low bits).
        rQ: after ``gen()``, the output point ``r * P`` (stored under this
            name even though it is a multiple of ``P``, not of ``Q``).
    """

    def __init__(self, Q, seed, curve=P256):
        self.curve = curve
        self.state = seed
        self.Q = Q
        self.P = curve.G
        self.tmp = None
        # Consistency check on Q's curve. It runs after the attributes are
        # set, so a failing assert leaves a partially initialised object, and
        # it is skipped entirely under ``python -O``.
        assert Q.curve == curve

    def gen(self):
        """Advance the state and return one truncated output value.

        Returns:
            ``int(bin(x)[16:], 2)`` where ``x`` is the x-coordinate of
            ``r * P``: the ``'0b'`` prefix and the 14 leading binary digits
            are dropped. ``bin`` does not zero-pad, so the dropped digits are
            the 14 most significant bits relative to ``x.bit_length()``.

        Raises:
            ValueError: if ``x`` has at most 14 bits, because the slice is
                then empty and ``int('', 2)`` fails; this happens before the
                state is updated.
        """
        # The x-coordinate of state*P is the scalar reused for both the
        # output point and the next state.
        scalar = (self.state * self.P).x
        output_point = scalar * self.P
        digits = bin(output_point.x)
        # Truncate before touching any attribute so an exception leaves the
        # generator untouched.
        result = int(digits[16:], 2)
        self.state = (scalar * self.Q).x
        self.lsb = digits
        self.rQ = output_point
        return result
class breakEccPerm():
    """Recover the internal state of ``Generalised_Dual_EC_RBG`` from its output.

    Holds two plain functions (neither takes ``self``; ``smash`` calls
    ``get_identical_generator`` through the class name). The recovery relies
    on the module-level trapdoor scalar ``e`` with ``Q = e*P256.G``: the
    generator builds its output from ``r*P`` and its next state from
    ``r*Q``, so ``(e * output_point).x`` equals the generator's next state.
    Without knowledge of ``e`` this relation is not available, which is the
    whole point of keeping such a scalar secret (or, better, unknowable).
    """

    def __init__(self):
        pass

    def smash(omegaKey):
        """Convert *omegaKey* (bytes) to an int and hand it to the recovery.

        NOTE(review): ``seed``, ``second_output`` and ``curve`` are not
        defined in this function and not assigned anywhere in view, and
        ``int.from_bytes`` accepts only ``signed`` as an extra keyword, so
        the third positional argument raises TypeError before anything else.
        Looks unfinished — confirm before relying on it. The generator
        returned by ``get_identical_generator`` is discarded.
        """
        integer = int.from_bytes(omegaKey, "big", seed, signed=False )
        breakEccPerm.get_identical_generator(integer, second_output, e, curve)

    def get_identical_generator(output, second_output, e, curve):
        """Brute-force the truncated bits of *output* and rebuild the generator.

        Args:
            output: one truncated output of ``Generalised_Dual_EC_RBG.gen``.
            second_output: the following output, used to confirm a candidate.
            e: trapdoor scalar with ``Q = e*G``. It must match the module-level
               ``e``, because the candidate generator below is built with the
               module-level ``Q``.
            curve: supplies ``p`` and ``b``. NOTE(review): the curve equation
               below hard-codes ``a = -3`` (correct for P256, ``curve.a`` is
               never read) and the candidate generator is built with its
               default curve, so passing any other curve gives inconsistent
               results — confirm.

        Returns:
            The last ``Generalised_Dual_EC_RBG`` candidate whose ``gen()``
            reproduced *second_output*. NOTE(review): the inner ``break``
            leaves only the ``sol_to_y`` loop; unless the ``return`` sits
            inside the outer loop (indentation was lost in this view), the
            outer loop keeps running after a match. If no candidate ever
            reaches the generator check, ``possible_generator`` is unbound
            and the ``return`` raises UnboundLocalError.
        """
        # make a new generator and instantiate it with one possible state out of the 65536
        # (2**16) guesses for the discarded most significant bits
        for lsb in range(2**16):
            # rudimentary progress bar (prints every 2048 guesses)
            if (lsb % 2048) == 0:
                print("{}% done checking\r".format(100*lsb/(2**16)))
            # bit-shift and then concat to guess most significant bits that were discarded.
            # NOTE(review): gen() drops the 14 leading binary digits of a
            # non-padded bin() string, so this reconstruction only lines up
            # when the truncated value has no leading zeros — confirm.
            overall_output = (lsb << (output.bit_length()) | output)

            # zeroth check: is the value greater than p?
            if overall_output > curve.p:
                global first_rQ # this is only used for debugging and can be removed
                # if it is greater, skip this number
                # since the most significant bits are iterated through in ascending order.
                # if it reaches that point that means we know something went wrong and we can break out
                # NOTE(review): first_rQ is never assigned anywhere in view,
                # so reaching this print raises NameError rather than
                # printing the debugging info.
                print("""Something went wrong. debugging info:
Output = {},
lsb = {},
rQ = {}""".format(output, lsb, first_rQ))
                break

            # calculate a value of y: x**3 - 3*x + b is the short-Weierstrass
            # right-hand side with a = -3 (see the NOTE on *curve* above)
            for sol_to_y in util.mod_sqrt(overall_output**3 - 3*overall_output + curve.b, curve.p):
                # there are either 2 or 0 real answers to the square root. We reject those greater than p.
                if sol_to_y < curve.p:
                    possible_y = sol_to_y
                else:
                    possible_y = None
                # first check: if there were 0 solutions we can skip this iteration
                # (``is None`` / ``isinstance`` would be the idiomatic form)
                if possible_y == None or type(possible_y) != int:
                    continue

                # second check: is point on curve? if not then skip this iteration
                # NOTE(review): the bare except also swallows any unrelated
                # error raised by the Point constructor.
                try:
                    possible_point = Point(overall_output, possible_y, curve=curve)
                except:
                    continue

                # if checks were passed, exploit the relation between state to calculate the internal state
                # (next state = (r*Q).x = (e*r*P).x, and possible_point is r*P)
                possible_state = (e * possible_point).x
                # check if the state is correct by generating another output
                # (uses the module-level Q and the generator's default curve)
                possible_generator = Generalised_Dual_EC_RBG(Q=Q, seed=possible_state)
                if possible_generator.gen() == second_output:
                    break
        return possible_generator