Authenticated Encryption


CSE 539 - Spring 2025.

The module is about authenticated encryption.


Challenges

In this challenge, you will find a file challenge.txt, which contains a ciphertext block that encrypts a message using AES-ECB. The message is shorter than 16 bytes and is padded with zeros before being passed to AES-ECB. Your mission is to recover this message and check its correctness with /challenge/solve. Your result should be in lowercase hexadecimal.

To help with that, you will find another file called ciphertext.txt, which contains some ciphertexts. The algorithm that encrypts and authenticates these messages is insecure. Let the message blocks be $m_0, \dots, m_{n-1}$. The algorithm is known to operate in the following way.

  • It encrypts messages using AES in CTR mode. Namely, the $i$-th ciphertext block is $AES_k(r+i) \oplus m_i$. It is implemented with the hazmat layer of Python's cryptography library.
  • It authenticates messages using a variant of a universal hash function. Given a MAC key $k$, the tag is $t = m_0 \cdot k^n + \dots + m_{n-1} \cdot k$. These operations are integer addition and multiplication modulo $2^{128}$, not Galois field addition and multiplication.
  • The MAC key $k$ is randomly sampled. The encryption key for AES-CTR is computed as $k' = AES_k(0)$.
  • Each line in ciphertext.txt is a ciphertext in the form of $iv || cipher || tag$.
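
The tag computation from the list above, as an added example that is not part of the course material: it evaluates the polynomial modulo $2^{128}$ and reports how many bits of each block can influence the tag under a given key, which is where integer arithmetic differs from a Galois field. The big-endian block encoding, the helper names, and the sample key and message are assumptions constructed for illustration.

```python
MOD = 1 << 128   # arithmetic is modulo 2^128, as the page states
BLOCK = 16       # 128-bit blocks


def to_blocks(msg: bytes) -> list[int]:
    """Split msg into 128-bit integers m_0..m_{n-1} (big-endian is an assumption)."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of 16 bytes")
    return [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]


def tag(blocks: list[int], k: int) -> int:
    """t = m_0*k^n + ... + m_{n-1}*k mod 2^128, evaluated with Horner's rule."""
    t = 0
    for m in blocks:
        t = ((t + m) * k) % MOD
    return t


def trailing_zero_bits(k: int) -> int:
    """Number of factors of 2 in k (k must be non-zero)."""
    return (k & -k).bit_length() - 1


def bits_covered(k: int, n: int) -> list[int]:
    """For each block m_i, how many of its low bits can influence the tag.

    m_i is multiplied by k^(n-i). If k = 2^v * odd, that product depends only
    on the low 128 - v*(n-i) bits of m_i. An odd k is invertible modulo 2^128
    and covers all 128 bits of every block.
    """
    v = trailing_zero_bits(k)
    return [max(0, 128 - v * (n - i)) for i in range(n)]


# Constructed sample values, not taken from the challenge files.
K_ODD = 0x0123456789ABCDEF0123456789ABCDEF    # odd key
K_EVEN = (K_ODD << 8) & (MOD - 1)             # key with eight trailing zero bits
MSG = to_blocks(b"sixteen byte blk" * 2)
MSG_HIGH = [MSG[0], MSG[1] ^ (1 << 127)]      # top bit of the last block flipped

if __name__ == "__main__":
    for name, k in (("odd key", K_ODD), ("even key", K_EVEN)):
        same = tag(MSG, k) == tag(MSG_HIGH, k)
        print(f"{name}: bits covered per block = {bits_covered(k, 2)}, "
              f"top-bit change leaves tag unchanged: {same}")
```

In a Galois field every non-zero key is invertible, so no key value makes part of a block invisible to the tag in this way.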

In this challenge, you will find a padding oracle provided as oracle.py. It receives ciphertexts in a specific form and returns a ciphertext if its tag is correct.

The oracle assumes that the message is encrypted using AES-CBC and authenticated using CBC-MAC. The length of the input message is a multiple of the AES-128 block size. First, CBC-MAC is applied to the message to compute the tag. Then, a padding block of the form r || 0x0f is appended to the concatenation of the message and its tag. Finally, AES-CBC is applied to the message, tag, and padding to compute the final ciphertext.

In ciphertext.txt, you will find many ciphertexts that encrypt the same message blocks. You need to leverage them to generate your own query to the padding oracle. Your goal is to get the last byte of the first message block. The correctness of your answer can be checked with /challenge/solve int_last_byte. Your result should be an integer in the range [0, 255].

The oracle applies rate limiting, so you are allowed to submit only 5 answers. If all 5 chances are wasted, you need to restart the challenge.

In this challenge, you will find a message in old_message.txt and its ciphertext, of the form cipher || tag, in ciphertext.txt. It is encrypted using AES-CBC. The tag is computed over the AES ciphertext blocks using HMAC-SHA256.

You will find another message in new_message.txt. Your mission is to generate a correct cipher || tag pair for the new message that can be decrypted and authenticated using the same set of keys used for the old message above.

You can verify your result with /challenge/solve your_ciphertext_tag.

In this challenge, you will implement the AES-GCM AEAD algorithm using the designated 12-byte nonce, 16-byte key, and plaintext. This information can be found in the files nonce.txt, key.txt, and plaintext.txt. You are required to use the PKCS7 standard to pad the message. The additional data for AEAD is "cse 539 applied cryptography".

To verify your answer, please store your ciphertext (in lowercase hexadecimal) in a file. Then, you can verify it by /challenge/solve PATH_TO_CIPHERTEXT.

In the file ciphertext.txt, each line consists of a 12-byte nonce and an AES-GCM ciphertext. These ciphertexts are repeated encryptions of two 16-byte messages m0 and m1. No padding is used. You are required to get m0 XOR m1. The additional data for AEAD is "cse 539 applied ".

Please verify your answer (in lowercase hexadecimal) by /challenge/solve.

