lazarus/bethany.py

98 lines
3.6 KiB
Python
Raw Normal View History

2020-06-25 12:00:37 +02:00
# In order to break lazarus, you would have to
# a) break AES
# b) break ECC
2020-06-25 12:15:49 +02:00
# c) break ChaCha20
2020-06-25 12:00:37 +02:00
# d) break prime-factorization
# e) break cbc (ok, that's quite doable...)
#
# And still here we are:
2020-06-25 12:15:49 +02:00
# This script is able to decrypt any ciphertext encrypted using lazarus :D
2020-06-25 12:00:37 +02:00
2020-06-25 11:44:13 +02:00
from fastecdsa.curve import P256
from fastecdsa.point import Point
from fastecdsa import util
from lazarus import Lazarus
class Bethany():
pass
#---
e = 31415926535987932384626433832795
Q = e*P256.G
class Generalised_Dual_EC_RBG(object):
def __init__(self, Q, seed, curve = P256):
self.curve = curve
self.state = seed
self.Q = Q
self.P = curve.G
self.tmp = None
assert Q.curve == curve
def gen(self):
new_point = self.state * self.P
sP = r = new_point.x # remember that the x value of the new point is used for the next point.
rQ = r * self.P
random_int_to_return = int(str(bin((rQ).x))[16:], 2)
self.state = (r*self.Q).x
self.lsb = str(bin((rQ).x))
self.rQ = rQ
return random_int_to_return
class breakEccPerm():
def __init__(self):
pass
def smash(omegaKey):
integer = int.from_bytes(omegaKey, "big", seed, signed=False )
breakEccPerm.get_identical_generator(integer, second_output, e, curve)
def get_identical_generator(output, second_output, e, curve):
# make a new generator and instantiate it with one possible state out of the 65535
for lsb in range(2**16):
# rudimentary progress bar
if (lsb % 2048) == 0:
print("{}% done checking\r".format(100*lsb/(2**16)))
# bit-shift and then concat to guess most significant bits that were discarded
overall_output = (lsb << (output.bit_length()) | output)
# zeroth check: is the value greater than p?
if overall_output > curve.p:
global first_rQ # this is only used for debugging and can be removed
# if it is greater, skip this number
# since the most significant bits are iterated through in ascending order.
# if it reaches that point that means we know something went wrong and we can break out
print("""Something went wrong. debugging info:
Output = {},
lsb = {},
rQ = {}""".format(output, lsb, first_rQ))
break
# calculate a value of y
for sol_to_y in util.mod_sqrt(overall_output**3 - 3*overall_output + curve.b, curve.p):
# there are either 2 or 0 real answers to the square root. We reject those greater than p.
if sol_to_y < curve.p:
possible_y = sol_to_y
else:
possible_y = None
# first check: if there were 0 solutions we can skip this iteration
if possible_y == None or type(possible_y) != int:
continue
# second check: is point on curve? if not then skip this iteration
try:
possible_point = Point(overall_output, possible_y, curve=curve)
except:
continue
# if checks were passed, exploit the relation between state to calculate the internal state
possible_state = (e * possible_point).x
# check if the state is correct by generating another output
possible_generator = Generalised_Dual_EC_RBG(Q=Q, seed=possible_state)
if possible_generator.gen() == second_output:
break
return possible_generator