Challenge Description

I proved this cryptographic combiner to be super secure (specifically IND-CCA2) on my graduate cryptography final exam, but just to be safe, I'm making you break it with both primitives being computationally secure!

nc mc.ax 31493

Challenge Files

Solution

The challenge is based on an oracle. The oracle asks the following and provides two public keys:

If we go through the provided server script we see that when the user requests for choice 0, he is asked to guess the value of m_bit. The m_bit is generated using randbits(1) function which means the value can be either 0 or 1. For each iteration from 1 to 128, the correct value of m_bit has to be guessed for the loop to end and the flag file to be read.

If the user requests for choice 1, two 16 byte hexstrings-m0 and m1 are to be provided. If the value of m_bit is 0, m0 is chosen or else m1 is chosen. If the user requests for choice 2,the decryption function is carried out.

In the oracle the seen_ct.add(ct) function was broken. So given two messages we could decrypt the ciphertext and find out which one was encrypted in the first place. The below script does this: