Wiretrace

Description

We pulled off a masterstroke, namely distributing secure phones to a large criminal organization, while having introduced a backdoor into them.

The vulnerability lies in the hardware accelerator responsible for modular computations. It produces a log of the computations performed, stored in dedicated memory and retrievable locally via a wireless exchange. The hardware-level modification ensures the backdoor remains even if the software is changed.

We provide the documentation for the hardware accelerator.

From one of these phones, we were able to obtain the log of the opening of a secure channel with another member of the organization. The secret key (of the channel) was obtained using a Diffie-Hellman exchange on a Weierstrass curve. It is up to you to analyze the computations performed on the hardware accelerator in order to recover the private key. However, the context is characterized by a total absence of usually public information, which must first be recovered: the multiplication algorithm on the curve, the curve parameters. Moreover, the accelerator is only used for modular multiplications, additions and subtractions do not go through the accelerator.

To validate the challenge, the expected value is the shared secret obtained for opening a channel with the public key: 0x4780808964040178689336247916707177737141148034059713798340268013864178089429 Only the x coordinate of points is used to define a public key or a shared secret.

The expected format is FCSC{value of the shared secret in hexadecimal without 0x}.