Armadillo ECDSA-113

#1 contextrax (08-17-2017, 23:15)

Hi
A month ago I launched my first attack on an Armadillo-protected target that was using the level 10 Armadillo license system (ECDSA).

Level 10 is ECDSA-113, which of course uses an elliptic curve.
The curve size is 113 bits and the order of the public point is 112 bits.
Order: "5192296858534827627896703833467507"

The curve is a Koblitz curve and the base is usually Optimal Normal Base Type 2, which is very slow when implemented in software. (Well, I was not able to speed it up too much.)

To solve the ECDLP on such a curve I first thought that the number of iterations needed would be ~sqrt(2^112) == 2^56, but for the Koblitz curve there are speedups.

The first speedup would be using the Frobenius map and the second would be using the negation map.
For this one can expect a speedup of ~sqrt(113*2), and this brings us to a total number of iterations of ~2^52.
For the slow ONB2 curve this would be too much (I think), but now the fun starts.
There exists an isomorphic base (or there are many of them), but the fastest I could find is the polynomial base with the irreducible polynomial x^113 + x^9 + 1.
Going from ONB2 to polynomial base was a bit of a pain at first, but when you know what to do it's pretty easy.

Also, in 2010 Intel introduced the CLMUL instruction that can do carry-less multiplication (polynomial multiplication) in ASM, and reducing modulo x^113 + x^9 + 1 is pretty fast when using xmm registers.

So the speed of the first solver I tested using the ONB2 code was about 20.000 iterations/sec.
The one I ended up running did 46.000.000 iterations/sec running on a Core i7 CPU with 8 threads.
My total combined speed was about 600mill/sec and after 2^50 iterations I solved ECDLP for this curve/target.

I guess Armadillo is not used too much any more, so I guess all this was a bit too late. Or perhaps others have done this before me? I don't know.

But if anyone knows of a good/cool target using this protection it would be fun to try again.

If any questions then just shoot.

#2 tofu-sensei (08-18-2017, 02:42)
So... It effectively took three weeks to solve?

#3 contextrax (08-18-2017, 06:20)
Quote (tofu-sensei):
> So... It effectively took three weeks to solve?

Let's say four weeks, but I think I was lucky this time and only needed 2^50 iterations. (Or let's say extremely lucky.)
ECDLP is based on the birthday paradox so you never know exactly the amount of work.
2^52 iterations would require 4 times more work.

#4 tofu-sensei (08-18-2017, 16:47)
Quote (contextrax):
> Let's say four weeks, but I think I was lucky this time and only needed 2^50 iterations. (Or let's say extremely lucky.)
> ECDLP is based on the birthday paradox so you never know exactly the amount of work.
> 2^52 iterations would require 4 times more work.

I'd say Armadillo is still secure enough then. Who's paying the electricity bill for your little experiment?

#5 contextrax (08-18-2017, 17:57)
Quote (tofu-sensei):
> I'd say Armadillo is still secure enough then. Who's paying the electricity bill for your little experiment?

My total speed of 600mill/sec was spread over ~20 different computers including friends and family.
The power consumption on today's CPUs is not that bad. My laptop Core i7 has a max TDP of 15w.

Let's play with some numbers.
My fastest PC did 46mill/sec. (a Core i7-6700 @ 3.4GHz)
Say we as a group can collect 90 of them
That should give a speed of ~2^32 / sec
After 12 days we would reach 2^52 iterations.
If we are as lucky as I and solve after 2^50 iterations then this would take only ~3 days

Some others attacked this curve before I did and implemented it on FPGAs
https://eprint.iacr.org/2014/368.pdf

If I were to release a product today then I would not rely on a 113-bit Koblitz curve. Using a different 113-bit curve would be a bit better and perhaps out of reach for reversers today, but new CPUs are hitting the market as we speak and the new Intel with 18 cores and AMD with 16 cores will probably be speed monsters.
It would also be fun to try implementing this on GPU.
I know they did some research on this when attacking ecc2k-131.
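
Added example (not part of the original thread or any poster's code): a work-factor check of the figures in posts #1, #3 and #5, useful when judging how much margin a curve size leaves. It assumes the standard birthday-bound model, in which points fall into equivalence classes of size c and the mean cost is sqrt(pi*n/(2c)); the function names are chosen here for illustration.

```python
import math

# Order of the public point, as quoted in post #1 (a 112-bit integer).
ORDER = 5192296858534827627896703833467507
M = 113  # field degree; the Frobenius map on a Koblitz curve has order M

def expected_iterations(order, class_size):
    """Mean rho iterations when points are grouped into classes of class_size."""
    return math.sqrt(math.pi * order / (2 * class_size))

def success_probability(iterations, order, class_size):
    """Birthday-bound chance that a collision has occurred by `iterations`."""
    return 1.0 - math.exp(-(iterations ** 2) * class_size / (2 * order))

def days(iterations, rate_per_sec):
    """Wall-clock days at a combined rate in iterations per second."""
    return iterations / rate_per_sec / 86400

def summary():
    koblitz = 2 * M    # Frobenius plus negation: classes of 226 points
    generic = 2        # negation only: a non-Koblitz curve of the same size
    group = 90 * 46e6  # post #5: 90 machines at 46 million iterations/sec
    return {
        "log2 mean iterations, Koblitz": math.log2(expected_iterations(ORDER, koblitz)),
        "log2 mean iterations, generic": math.log2(expected_iterations(ORDER, generic)),
        "P(done by 2^50), Koblitz": success_probability(2 ** 50, ORDER, koblitz),
        "days for 2^50 at 600M/s": days(2 ** 50, 600e6),
        "days for 2^52 on 90 PCs": days(2 ** 52, group),
        "days, generic mean, 90 PCs": days(expected_iterations(ORDER, generic), group),
    }

if __name__ == "__main__":
    for label, value in summary().items():
        print(f"{label:32s} {value:10.3f}")
```

Under this model a run that finishes by 2^50 iterations happens in under 3% of attempts, and a same-size curve without the Frobenius map costs roughly sqrt(113) times more work, which still leaves a 113-bit curve with little margin.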

#6 tofu-sensei (08-18-2017, 18:52)
Quote (contextrax):
> If we are as lucky as I and solve after 2^50 iterations then this would take only ~3 days

Point taken. I ran the numbers again and the power costs s̶h̶o̶u̶l̶d̶ could be well below the cost of a license for whatever software it is you're attacking.

Last edited by tofu-sensei; 08-19-2017 at 01:54.

#7 Kerlingen (08-19-2017, 00:27)
Quote (contextrax):
> The power consumption on today's CPUs is not that bad.

You're talking about 90 CPUs. Keygenning a single software (if you own that amount of hardware) will cost you like 1000+ US-$ for energy alone, if you have to rent cloud computing you will be at 5000+ US-$.

#8 UniSoft (08-18-2017, 03:30)
Quote (contextrax):
> But if anyone knows of a good/cool target using this protection

Visual Assist X 10.9.2231.0

#9 mr.exodia (08-18-2017, 05:09)
Very interesting! I could integrate this in my Armadillo Key Tool (https://github.com/mrexodia/akt)...

The previous attack (as far as I know) was on a weak implementation by Baboon (http://baboon.rce.free.fr/index.php?post/2010/09/04/Armadillo-mange-des-ours-en-slips) but I don't think a brute force approach was tested in public.

You can get the best target by making your own unpackme, or try Armadillo itself...

The latest public (and custom) v9.60 uses:

Code:
  Short V3 Level 10:
    Chk : B5EC5364
    Sym: BDA4FA1C
  BaseP : 1570789295 (Size=50, Diff=112C, MD5=0F656698)
  Pub.X : 2127081270816270912006137526418476
  Pub.Y : 7206819234412870204027887633390168
Feel free to ping me if you need something...

#10 contextrax (08-18-2017, 06:30)
Quote (mr.exodia):
> You can get the best target by making your own unpackme, or try Armadillo itself...

I would not find it too interesting breaking my own ECC parameters

Quote (mr.exodia):
> The latest public (and custom) v9.60 uses:
>
> Code:
>   Short V3 Level 10:
>     Chk : B5EC5364
>     Sym: BDA4FA1C
>   BaseP : 1570789295 (Size=50, Diff=112C, MD5=0F656698)
>   Pub.X : 2127081270816270912006137526418476
>   Pub.Y : 7206819234412870204027887633390168
> Feel free to ping me if you need something...

These are the real ECC parameters for Armadillo itself?
I thought Armadillo was obsolete

#11 contextrax (08-18-2017, 18:10)
Quote (mr.exodia):
> Very interesting! I could integrate this in my Armadillo Key Tool (https://github.com/mrexodia/akt)...

Damn, your tool roxx. I spent countless hours extracting the crypto params that your tool can do with just one click
Love it.

(Hope I won't get banned for this reply)

#12 contextrax (08-20-2017, 20:15)
Quote (mr.exodia):
> Code:
>   Short V3 Level 10:
>     Chk : B5EC5364
>     Sym: BDA4FA1C
>   BaseP : 1570789295 (Size=50, Diff=112C, MD5=0F656698)
>   Pub.X : 2127081270816270912006137526418476
>   Pub.Y : 7206819234412870204027887633390168

I see there are many more of these certs in Armadillo. Did you verify that these are the correct ones to break?

I calculated the base point from basepoint init using the Armadillo keygen source "KeyMakerV420j.c".
Don't know if this is the latest code, so if you could check and see if they match yours.

Code:
Target: "Armadillo v9.64 Public"

Optimal Normal Base Type II
BasepointInit: 1570789295 (0x5DA057AF)
ONB2 Base.X  : 4089747062247003654720736468506441
ONB2 Base.Y  : 10111618751385367037406972360317044
ONB2 Pub.X   : 2127081270816270912006137526418476
ONB2 Pub.Y   : 7206819234412870204027887633390168
And here they are in polynomial base if anyone wants to play with them
Code:
Polynomial base (t^113 + t^9 + 1)
Poly Base.X  : 1C1A1BB26597755705B9D996CC209
Poly Base.Y  : 7229DDE3CDDFAC01016B1E84D648
Poly Pub.X   : 4CA5BE7E12F5B8C8CAA93744E99
Poly Pub.Y   : 788BCC901CC832FAA020610A14EB

#13 contextrax (08-18-2017, 06:54)
Would anyone be interested in running an attack on, say, Armadillo?
This requires running the solver on their PC and collecting distinguished points.
More CPUs will give a faster result.

Also, if anyone is familiar with GPU coding then perhaps this could also be implemented and run on gfx cards.

#14 cachito (08-18-2017, 22:38)
When hashing, GPU is 100x over CPU, +/- depending on the kind of hash.
I can test on a 3 GPU computer if someone programs that option.
Good luck with this experiment, it is really interesting

#15 contextrax (08-19-2017, 00:16)
I can't find the latest armadillo version so if anyone can share that would be great.