Writeup for matdlp in CrewCTF 2022

I wrote this essay to record my idea for matdlp in CrewCTF 2022

It's a good challenge about Diffie-Hellman key exchange based matrix

• The subject attachment

This is a discrete logarithm problem on a matrix group,in the first time I find that p-1 is so smooth and X^p is a diagonal matrix , so maybe I can solve that with Pholig-Hellman .

• Some references

1.Find the exact value of t

A interesting part is the system use a pair of secrete keys , so I can't divide the X^t from U^sX^tU^-s . I try another way by mapped matrix to the determinant .

We know det(AB)=det(A)det(B) and det(U^-1)det(U)=1

=>det(U^sX^tU^-s)^p=det(X^tp)

∵det(X^tp)=det(X^p)^t so we only to solve dlp in F_p . That a good idea , but unfortunately it doesn't solve for t .

The reason is that the p-1 is too smooth , so for a element g in P* , ord(g) may not big enough and we can't get t accurately . Then we need more dlp equation get result of t(mod ord(g_i)) . And solve the problem by crt

In this case I chose to use the property that X^p as a diagonal matrix, which means that the parts of X^p are divided into powers of the eigenvalues of A

Later I found the author's explanation for the question

2.Construct a fake U^s

If we have got the t , we just need to solve eqution XAX^-1=B with knowing A and B .

In linear algebra we learn the invertible transformation matrix P of similar matrix is not unique

So if we only use XAX^-1=B as our constraint condition , we have a lot of solutions .

But wheather all solution is effective ?

Suppose we get a solution K satisfy KX^tK^-1=alice_pubkey , we want to use t₁ and K to calculate fake_share=K(bob_pubkey)^t1K^-1 .

Obviously if we want to match the real key we also need KU=UK

\(K(U^{s_2}X^{t_1t_2}U^{-s_2})K^{-1}=U^{s_2}(KX^{t_1*t_2}K^{-1})U^{-s_2}=U^{s_2}(KX^{t_1}K^{-1})^{t_2}U^{-s_2}=sharekey\)

Finally we just need to solve eqution uX=Au and uU=Uu

By compare all elements of Corresponding rows and columns . We can list the constraint eqution

\(\sum_{i,j=1}^nu_{ik}x_{kj}-\sum_{i,j=1}^na_{ik}u_{kj}=0\)

\(\sum_{i,j=1}^nu_{ik}U_{kj}-\sum_{i,j=1}^nU_{ik}u_{kj}=0\)

and solve linear homogeneous equation set TX=0

Just find T 's kernel !

• Some of the matrix usage I used in Sagemath

• exp