Key Exchange

A group with a prime order p consists of elements G={1, 2, ..., p-1}. A generator g defines a subgroup {g, g^2, ..., g^q}, which is a subset of G. In this challenge, you will find p in p.txt and g in g.txt. Your task is to find the order of the subgroup.

You can verify your result by /challenge/solve.

In this challenge, you will find p in p.txt. Your task is to find the smallest generator g that defines a subgroup {g, g^2, ..., g^{p-1}}.

You can verify your result by /challenge/solve.

In this challenge, you will find a group order p in p.txt and generator g in g.txt. There exists an exponent a and the value g^a is stored in g_to_a.txt. Your task is to find the smallest exponent a.

You can verify your result by /challenge/solve.

Similarly, you will find group information in p.txt, g.txt, and g_to_a.txt. Your task is to find the exponent a.

You can verify your result by /challenge/solve.

In this challenge, you will play the role of Alice to perform a Diffie-Hellman key exchange (without authentication). In this protocol, Alice samples a and computes A = g^a. Bob samples b and computes B = g^b. The final key is HKDF(g^{ab}), where HKDF uses SHA256 as the internal hash function, and the field info is b`DH key exchange`. You will find group parameters in parameters.pem, Alice's a in Alice_privkey.pem, and Bob's B in Bob_pubkey.pem. Additionally, Alice's a is encrypted using a password in Alice_password.txt.

To find out how the above works, please check the Diffie-Hellman key exchange in Python's hazmat module.

You can verify your result by /challenge/solve.

In this challenge, you will play the role of the eavesdropper (Eve) to perform a man-in-the-middle attack. You will locate in the middle of Alice and Bob, and perform a key exchange with each of them. Then, you will receive an encrypted packet sent by Alice, change the message it encrypts, re-encrypt it, and deliver that to Bob.

The key exchange and key derivation follows the previous Diffie-Hellman key exchange challenge.

• When Eve talks to Alice, it stores its temporary private key at Eve_Alice_privkey.pem, and receive Alice's temporary public key at Alice_pubkey.pem. The private key is encrypted using the password stored in Eve_Alice_password.txt. The Diffie-Hellman parameters can be found in Alice_parameters.pem
• When Eve talks to Bob, it stores its temporary private key at Eve_Bob_privkey.pem, and receive Bob's temporary public key at Bob_pubkey.pem. The private key is encrypted using the password stored in Eve_Bob_password.txt. The Diffie-Hellman parameters can be found in Bob_parameters.pem
• The final key is HKDF(g^{ab}), where HKDF uses SHA256 as the internal hash function, and the field info is b`DH key exchange`.
• Alice's packet encrypts two 16-bit blocks using AES-CTR-256. You can find the IV and ciphertexts in Alice_packet.txt. Denote two ciphetext blocks as b0 || b1, the goal of Eve is to swap them and send the encryption of b1 || b0 to Bob. When encrypting it, Eve needs to use a designated IV in Eve_iv.txt.

You can verify your result by /challenge/solve. Your ciphertext should be 32 bytes in the hex format.

The Oblivious Pseudorandom Function (OPRF) is an important building block of modern password-authenticated key exchange like OPAQUE. In OPAQUE, it helps computing the password hashing without the need to exchange the 'salt'.

In this challenge, a user will play with a OPRF based on a variant of Diffie-Hellman. The user stores a password at password.txt. The pre-agreed parameters are p (in p.txt) and q = (p-1) / 2. They define a group of order p and its element mostly like can generate a subgroup of order q. During the key exchange,

• The user samples a random r and sends X = Hash(password)^r to the server. The value r can be found in r.txt.
• The server returns with Y = X^k. The value Y can be found in hashed_pw_to_rk.txt.
• The user computes the final key material SHA256(password || Y^{1/r}), where || denotes the concatenation, Y^{1/r} is represented as a 256-byte integer with big endian, and 1/r is the multiplicative inverse of r.

Your task is to help this user finish the last step. Think about how the multiplicative inverse of r should be computed.

You can verify your result by /challenge/solve.