2EM
$$
\begin{aligned}
tmp1 &= pbox1(pt) \oplus pbox1(key) \\
tmp2 &= pbox2(pbox1(pt)) \oplus pbox2(pbox1(key)) \oplus pbox2(key) \\
ct &= pbox2(pbox1(pt)) \oplus pbox2(pbox1(key)) \oplus pbox2(key) \oplus key
\end{aligned}
$$

Here $pbox2(pbox1(key)) \oplus pbox2(key) \oplus key$ is fixed as long as the key does not change, so the scheme can be attacked the same way as a one-time pad whose pad is reused.
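The algebra above only holds because the pboxes are XOR-linear (a bit permutation satisfies $pbox(a \oplus b) = pbox(a) \oplus pbox(b)$), which collapses the whole construction into "public linear map of the plaintext, XORed with a constant mask". The following is an added example, not code from the challenge: the two pboxes are constructed stand-ins (random bit permutations seeded for reproducibility, 32-bit width), `encrypt_2em` is the scheme as written in the equations, and `recover_mask`/`decrypt_with_mask` show that one known plaintext/ciphertext pair yields the reused pad and decrypts every other ciphertext under that key without the key itself ever being learned. The mitigation is implied by the check in `apply_pbox`'s docstring: the round function must not be linear.

```python
import random

WIDTH = 32  # toy block width in bits (constructed; the challenge's width is not on the page)


def make_pbox(seed):
    """Build a deterministic bit permutation. The challenge's pbox1/pbox2 are
    unknown; these are constructed stand-ins with the same linear property."""
    rng = random.Random(seed)
    perm = list(range(WIDTH))
    rng.shuffle(perm)
    return perm


def apply_pbox(perm, x):
    """Move bit i of x to position perm[i]. A bit permutation is XOR-linear:
    apply_pbox(perm, a ^ b) == apply_pbox(perm, a) ^ apply_pbox(perm, b),
    which is exactly the property the attack relies on."""
    out = 0
    for i, dst in enumerate(perm):
        if (x >> i) & 1:
            out |= 1 << dst
    return out


def invert_pbox(perm):
    inv = [0] * WIDTH
    for i, dst in enumerate(perm):
        inv[dst] = i
    return inv


PBOX1 = make_pbox(1)
PBOX2 = make_pbox(2)


def encrypt_2em(pt, key):
    """Two-round Even-Mansour: key XORed before, between and after the boxes."""
    tmp1 = apply_pbox(PBOX1, pt ^ key)
    tmp2 = apply_pbox(PBOX2, tmp1 ^ key)
    return tmp2 ^ key


def key_mask(key):
    """pbox2(pbox1(key)) ^ pbox2(key) ^ key: constant for a fixed key."""
    return apply_pbox(PBOX2, apply_pbox(PBOX1, key)) ^ apply_pbox(PBOX2, key) ^ key


def recover_mask(pt, ct):
    """One known plaintext/ciphertext pair exposes the reused pad."""
    return ct ^ apply_pbox(PBOX2, apply_pbox(PBOX1, pt))


def decrypt_with_mask(ct, mask):
    """Decrypt another ciphertext under the same key using only the mask."""
    inv1, inv2 = invert_pbox(PBOX1), invert_pbox(PBOX2)
    return apply_pbox(inv1, apply_pbox(inv2, ct ^ mask))


if __name__ == "__main__":
    key = 0xDEADBEEF  # constructed demo key, never given to the attacker side
    known_pt = 0x12345678
    mask = recover_mask(known_pt, encrypt_2em(known_pt, key))
    assert mask == key_mask(key)
    other_ct = encrypt_2em(0xCAFEBABE, key)
    print(hex(decrypt_with_mask(other_ct, mask)))
```

The point for a designer is that Even-Mansour's security argument assumes a public *random* permutation; substituting a linear layer turns the key into a fixed XOR mask and every ciphertext under that key into a pad-reuse problem.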
signsystemTask
A code audit showed that the service, which takes a plaintext and returns its signature, never reduces `input` mod N before the check `input == secret`. Passing `secret + k*N` therefore passes the comparison while producing the same signature as `secret`, since `(secret + k*N)^d mod N == secret^d mod N`, so the signature of `secret` can be obtained.
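The fix is to canonicalise the input before any policy comparison. The following is an added example, not the challenge's code: `N`, `e`, `d` and `SECRET` are small constructed values (the textbook 61*53 parameters), `sign_service_vulnerable` mirrors the audited flaw, and `sign_service_fixed` rejects anything outside `[0, N)` before comparing, which is what closes the `secret + k*N` gap.

```python
# Toy RSA parameters (constructed; the challenge's real N, e, d are not on the page).
P, Q = 61, 53
N = P * Q        # 3233
E = 17
D = 2753         # E * D == 1 mod lcm(P-1, Q-1)
SECRET = 65      # constructed: the one message the service must never sign


def sign_raw(m):
    return pow(m, D, N)


def verify(m, sig):
    """Textbook RSA verification; m is reduced mod N, as the signer should have done."""
    return pow(sig, E, N) == m % N


def sign_service_vulnerable(m):
    """Mirrors the audited flaw: compares the raw input and never reduces it mod N,
    so SECRET + k*N is accepted and signs to the same value as SECRET."""
    if m == SECRET:
        raise PermissionError("refusing to sign the secret")
    return sign_raw(m)


def sign_service_fixed(m):
    """Canonicalise first: reject out-of-range input, then compare the canonical form."""
    if not 0 <= m < N:
        raise ValueError("input must be in [0, N)")
    if m == SECRET:
        raise PermissionError("refusing to sign the secret")
    return sign_raw(m)


def blocked(service, m):
    """True if the service refuses to sign m."""
    try:
        service(m)
        return False
    except (PermissionError, ValueError):
        return True


if __name__ == "__main__":
    bypass_input = SECRET + 3 * N
    sig = sign_service_vulnerable(bypass_input)
    print("vulnerable service signed the secret:", verify(SECRET, sig))
    print("fixed service blocks the same input:", blocked(sign_service_fixed, bypass_input))
```

Rejecting rather than silently reducing is the better choice here: a caller sending a value of N or larger is already outside the protocol, and reducing it would only hide the anomaly from logs.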