EXETOOLS FORUM (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

 contextrax 08-17-2017 23:15

Hi
A month ago I launched my first attack on a armadillo protected target that was using level 10 armadillo license system (ECDSA)

Level10 is ECDSA-113 which of course is using Elliptic Curve.
The curve size is 113 bit and the order of the public point is 112 bit.
Order: "5192296858534827627896703833467507"

The curve is a koblitz curve and the base is usually Optimal Normal Base Type 2 which is very slow when implemented in software. (Well. I was not able to speed it up to much)

To solve the ecdlp on such a curve I first thought that the number of iteration needed would be ~sqrt(2^112) == 2^56 but for the koblitz curve there are speedups.

First speedup would be using the frobenius map and second would be using negation map.
For this one can expect a speedup of ~sqrt(113*2) and this brings us to a total number of iteration ~2^52
For the slow ONB2 curve this woule be too much (I think) but now the fun starts.
There exist a isomorphic base (or there are many of them) but the fastest I could find is the polynomial base with the irreducible polynom x^113 + x^9 +1.
Going from ONB2 to polynomial base was a bit pain at first but when you know what to do it's pretty easy.

Also in 2010 intel introduced the CLMUL instruction that can do carry less multiplication (polynomial multiplication) in ASM and reducing modulo x^113 + x^9 +1 is pretty fast when using xmm registers.

So the speed of the first solver I tested using the ONB2 code was about 20.000 iterations/sec.
The one I ended up running did 46.000.000 iterations/sec running on a Core i7 CPU with 8 threads.
My total combined speed was about 600mill/sec and after 2^50 iterations I solved ECDLP for this curve/target.

I guess armadillo is not to much used any more so I guess all this was a bit to late. Or perhaps others have done this before me? I don't know.

But if anyone know of a good/cool target using this protection it would be fun to try again.

If any questions then just shoot.

 tofu-sensei 08-18-2017 02:42

So... It effectively took three weeks to solve?

 UniSoft 08-18-2017 03:30

Quote:
 Originally Posted by contextrax (Post 110139) But if anyone know of a good/cool target using this protection
Visual Assist X 10.9.2231.0

 mr.exodia 08-18-2017 05:09

Very interesting! I could integrate this in my Armadillo Key Tool (https://github.com/mrexodia/akt)...

The previous attack (as far as I know) was on a weak implementation by Baboon (http://baboon.rce.free.fr/index.php?post/2010/09/04/Armadillo-mange-des-ours-en-slips) but I don't think a brute force approach was tested in public.

The latest public (and custom) v9.60 uses:

Code:

Short V3 Level 10:
Chk : B5EC5364
Sym: BDA4FA1C
BaseP : 1570789295 (Size=50, Diff=112C, MD5=0F656698)
Pub.X : 2127081270816270912006137526418476
Pub.Y : 7206819234412870204027887633390168

Feel free to ping me if you need something...

 contextrax 08-18-2017 06:20

Quote:
 Originally Posted by tofu-sensei (Post 110140) So... It effectively took three weeks to solve?
Lets say four weeks but I think I was lucky this time only needed 2^50 iterations. (or lets say extremely lucky)
ECDLP is based on the birthday paradox so you never know exactly the among of work.
2^52 iterations would required 4 times more work.

 contextrax 08-18-2017 06:30

Quote:
I would not find it to interested breaking my own ecc parameters :)

Quote:
 Originally Posted by mr.exodia (Post 110142) The latest public (and custom) v9.60 uses: Code:   Short V3 Level 10:     Chk : B5EC5364     Sym: BDA4FA1C   BaseP : 1570789295 (Size=50, Diff=112C, MD5=0F656698)   Pub.X : 2127081270816270912006137526418476   Pub.Y : 7206819234412870204027887633390168 Feel free to ping me if you need something...
This is the real ecc parameters for armadillo itself?

 contextrax 08-18-2017 06:54

Would anyone be interested in running an attack on say armadillo?
This require running the solver on their pc and collect distinguished points.
More CPU's will give faster result.

Also if anyone are familiar with GPU coding them perhaps this could also be implemented and run on gfx cards.

 tofu-sensei 08-18-2017 16:47

Quote:
 Originally Posted by contextrax (Post 110143) Lets say four weeks but I think I was lucky this time only needed 2^50 iterations. (or lets say extremely lucky) ECDLP is based on the birthday paradox so you never know exactly the among of work. 2^52 iterations would required 4 times more work.
I'd say Armadillo is still secure enough then. Who's paying the electricity bill for your little experiment? ;)

 contextrax 08-18-2017 17:57

Quote:
 Originally Posted by tofu-sensei (Post 110158) I'd say Armadillo is still secure enough then. Who's paying the electricity bill for your little experiment? ;)
My total speed of 600mill/sec was spred over ~20 different computers including friends and family.
The power consummation on todays cpu is not that bad. My laptop Core i7 has a max TDP of 15w.

Lets play with some numbers.
My fastest PC did 46mill/sec. (a Core i7-6700 @ 3.4GHz)
Say we as a group can collect 90 of them
That should give a speed of ~2^32 / sec
After 12 days we would reach 2^52 iterations.
If we are as lucky as I and solve after 2^50 iterations then this would take only ~3 days :)

Some other attacked this curve before I did and implemented it on FPGS's
https://eprint.iacr.org/2014/368.pdf

If I where to release a product today then I would not rely on a 113 bit's koblitz curve. Using a different 113 bits curve would be a bit better and perhaps out of reach for reversers today but new cpu's are hitting the market as we speak and the new inlet with 18 cores and amd with 16 corse will probably be speed monsters.
Would also be fun to try implementing this on GPU.
I know they did some research on this when attacking ecc2k-131.

 contextrax 08-18-2017 18:10

Quote:
 Originally Posted by mr.exodia (Post 110142) Very interesting! I could integrate this in my Armadillo Key Tool (https://github.com/mrexodia/akt)...
Damn your tool roxx. I spend countless of hrs extracting the crypto params that your tool can do with just one click :)
Love it.

(Hope I wont get banned for this reply)

 tofu-sensei 08-18-2017 18:52

Quote:
 Originally Posted by contextrax (Post 110161) If we are as lucky as I and solve after 2^50 iterations then this would take only ~3 days :)
Point taken. I ran the numbers again and the power costs s̶h̶o̶u̶l̶d̶ could be well below the cost of a license for whatever software it is you're attacking.

 deepzero 08-18-2017 22:23

Quote:
 Point taken. I ran the numbers again and the power costs should be well below the cost of a license for whatever software it is you're attacking.
It's not always about the monetary costs...

I think a true keygen for v9.6 would be a fitting end to the Armadillo saga.

 cachito 08-18-2017 22:38

When hashing GPU is 100x over CPU, +/- depending of the kind of hash.
I can test in a 3 GPU computer if someone programs that option.
Good luck with this experiment, it is really interesting :)

 contextrax 08-19-2017 00:16

I can't find the latest armadillo version so if anyone can share that would be great.

 Kerlingen 08-19-2017 00:27

Quote:
 Originally Posted by contextrax (Post 110161) The power consummation on todays cpu is not that bad.
You're talking about 90 CPUs. Keygenning a single software (if you own that amount of hardware) will cost you like 1000+ US-\$ for energy alone, if you have to rent cloud computing you will be at 5000+ US-\$.

All times are GMT +8. The time now is 11:20.