lazarus/bethany.py

104 lines
4.0 KiB
Python
Raw Normal View History

2020-06-25 12:00:37 +02:00
# In order to break lazarus, you would have to
# a) break AES
# b) break ECC
2020-06-25 12:15:49 +02:00
# c) break ChaCha20
2020-06-25 12:00:37 +02:00
# d) break prime-factorization
# e) break cbc (ok, that's quite doable...)
#
# And still here we are:
2020-06-25 12:15:49 +02:00
# This script is able to decrypt any ciphertext encrypted using lazarus :D
2020-06-25 12:00:37 +02:00
2020-07-04 10:53:09 +02:00
# Note: Thats the idea; its not functional yet... Mostly because CBC turns out
# to be a harder opponent then I throught, even for stream-ciphers...
# Im probably going to need to make some changes to the implementation-specifics
# in order to make breaking it possible without adding artificual correlations
# in the pre-Omega ciphertext...
2020-06-25 11:44:13 +02:00
from fastecdsa.curve import P256
from fastecdsa.point import Point
from fastecdsa import util
from lazarus import Lazarus
class Bethany():
pass
#---
e = 31415926535987932384626433832795
Q = e*P256.G
class Generalised_Dual_EC_RBG(object):
def __init__(self, Q, seed, curve = P256):
self.curve = curve
self.state = seed
self.Q = Q
self.P = curve.G
self.tmp = None
assert Q.curve == curve
def gen(self):
new_point = self.state * self.P
sP = r = new_point.x # remember that the x value of the new point is used for the next point.
rQ = r * self.P
random_int_to_return = int(str(bin((rQ).x))[16:], 2)
self.state = (r*self.Q).x
self.lsb = str(bin((rQ).x))
self.rQ = rQ
return random_int_to_return
class breakEccPerm():
def __init__(self):
pass
def smash(omegaKey):
integer = int.from_bytes(omegaKey, "big", seed, signed=False )
breakEccPerm.get_identical_generator(integer, second_output, e, curve)
def get_identical_generator(output, second_output, e, curve):
# make a new generator and instantiate it with one possible state out of the 65535
for lsb in range(2**16):
# rudimentary progress bar
if (lsb % 2048) == 0:
print("{}% done checking\r".format(100*lsb/(2**16)))
# bit-shift and then concat to guess most significant bits that were discarded
overall_output = (lsb << (output.bit_length()) | output)
# zeroth check: is the value greater than p?
if overall_output > curve.p:
global first_rQ # this is only used for debugging and can be removed
# if it is greater, skip this number
# since the most significant bits are iterated through in ascending order.
# if it reaches that point that means we know something went wrong and we can break out
print("""Something went wrong. debugging info:
Output = {},
lsb = {},
rQ = {}""".format(output, lsb, first_rQ))
break
# calculate a value of y
for sol_to_y in util.mod_sqrt(overall_output**3 - 3*overall_output + curve.b, curve.p):
# there are either 2 or 0 real answers to the square root. We reject those greater than p.
if sol_to_y < curve.p:
possible_y = sol_to_y
else:
possible_y = None
# first check: if there were 0 solutions we can skip this iteration
if possible_y == None or type(possible_y) != int:
continue
# second check: is point on curve? if not then skip this iteration
try:
possible_point = Point(overall_output, possible_y, curve=curve)
except:
continue
# if checks were passed, exploit the relation between state to calculate the internal state
possible_state = (e * possible_point).x
# check if the state is correct by generating another output
possible_generator = Generalised_Dual_EC_RBG(Q=Q, seed=possible_state)
if possible_generator.gen() == second_output:
break
return possible_generator