I have all the parameters of an elliptic curve, and the coordinates of points Q and P. I want to solve Q=k*P (where k is the unknown) by testing all possible k.

So I used this class

then:

```python
a=-1
b=0
p=134747661567386867366256408824228742802669457
curve = EllipticCurve(a,b,p)
P=[18185174461194872234733581786593019886770620,74952280828346465277451545812645059041440154]
Q=[76468233972358960368422190121977870066985660, 33884872380845276447083435959215308764231090]
for i in range(2902021510595963727029):
    result = curve.multPoint(i,P)
    if result[0]==Q[0] and result[1]==Q[1]:
        print (i)
        break
```

Is this the right approach to solve this problem?

Chaker
  • Note that in your parameters a=-1 and b=0, so the elliptic curve equation y^2 = x^3 + ax + b actually becomes y^2 = x^3 -1*x. This is not a strong elliptic curve any more. Good luck with your CTF! – Nils Pipenbrinck May 16 '15 at 03:24

2 Answers

This is not a good approach because you are trying to do 2902021510595963727029 operations. Even if you managed to do a billion operations per second, it would take 92 thousand years to finish.

You are basically trying to break the security of ECDSA. If you figure out a way to do this, then it would be possible to figure out an ECDSA private key given the corresponding public key. It would be a breakthrough in cryptography and you would be famous. There are many smart people that have thought about this problem before you and failed to find a solution.

The problem you are trying to solve is called the discrete logarithm problem.

David Grayson
  • This is for a CTF challenge, so it is probably solvable. – b0fh May 15 '15 at 17:53
  • Well, it is solvable if they picked a small `k` value on purpose, or maybe if the curve parameters are chosen badly. Maybe you should ask in http://cryptography.stackexchange.com if no one here has any ideas. – David Grayson May 15 '15 at 20:01

The curve is vulnerable to both the MOV attack and the older FR attack that works similarly, so we can use Weil or Tate pairings (respectively).

```python
# Sage session
q = 134747661567386867366256408824228742802669457
Zq = Zmod(q)
E = EllipticCurve(Zq, [0,0,0,-1,0])  # y^2 = x^3 - x over Z/qZ
P = E(18185174461194872234733581786593019886770620, 74952280828346465277451545812645059041440154)
Q = E(76468233972358960368422190121977870066985660, 33884872380845276447083435959215308764231090)
n = P.order()
# Embedding degree: multiplicative order of q modulo n
k = GF(n)(q).multiplicative_order()
R = E.random_element()
# Pair both points with the same R to move the problem into a finite field
w1 = P.tate_pairing(R, n, k)
w2 = Q.tate_pairing(R, n, k)
print(w1, w2)
```

With w2=w1^k, we need to solve a discrete logarithm problem in a ring of integers mod p. It can take quite a while but is still feasible given the small modulus.

PS: This is eltrai's answer.

Community
Chaker
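
Added example (not part of either answer or of the original page): the pairing attacks named in the second answer apply when the embedding degree, the smallest k with p^k ≡ 1 (mod n), is small, so curve parameters can be screened for it before use. The check below runs on a constructed toy curve with the page's a=-1, b=0 over the assumed prime 103, and on secp256k1's public parameters for contrast; the limit of 100 and all function names are assumptions. For the page's own curve, n would come from `P.order()` in Sage.

```python
def embedding_degree(p, n, limit=100):
    """Smallest k in 1..limit with p**k == 1 (mod n), else None."""
    acc = 1
    for k in range(1, limit + 1):
        acc = acc * p % n
        if acc == 1:
            return k
    return None

def curve_order(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b via Euler's criterion; toy-sized p only."""
    count = 1  # point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            count += 1   # single point (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:
            count += 2   # two points (x, y) and (x, -y)
    return count

def largest_prime_factor(m):
    """Trial division; fine for the toy orders used here."""
    best, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            best, m = d, m // d
        d += 1
    return m if m > 1 else best

def mov_report(p, n, limit=100):
    """Verdict for a subgroup of prime order n on a curve over F_p."""
    k = embedding_degree(p, n, limit)
    if k is None:
        return "ok: embedding degree > %d" % limit
    return "weak: ECDLP maps into F_p^%d via a pairing" % k

# Constructed toy instance with the page's coefficients a=-1, b=0 (103 = 3 mod 4).
TOY_P = 103
TOY_N = largest_prime_factor(curve_order(-1, 0, TOY_P))

# Public secp256k1 field prime and group order, for contrast.
SECP_P = 2**256 - 2**32 - 977
SECP_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

if __name__ == "__main__":
    print(TOY_N, mov_report(TOY_P, TOY_N))
    print(mov_report(SECP_P, SECP_N))
```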