In [1]:
# let's initialize our P-192 first
p = 0xfffffffffffffffffffffffffffffffeffffffffffffffff
a = 0xfffffffffffffffffffffffffffffffefffffffffffffffc
b = 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1
ec0 = EllipticCurve(GF(p), [a,b])
ec0

Elliptic Curve defined by y^2 = x^3 + 6277101735386680763835789423207666416083908700390324961276*x + 2455155546008943817740293915197451784769108058161191238065 over Finite Field of size 6277101735386680763835789423207666416083908700390324961279

In [3]:
# we generate elliptic curves by picking random constant B's in the equation y^2 = x^3 + Ax + B
# and then factorize the order of the curves and see if it contains any prime factors whose size is to our liking
# I allowed the curves to have an order a little bit smaller than 2^48 to make discrete log substantially faster
# I will not be able to determine pk uniquely but the number of candidates for pk will be small enough to be solvable
ecs = []
for i in range(1, 5):
    print(f"Generating EC #{i}")
    while True:
        b = randint(0, p-1)
        ec_candidate = EllipticCurve(GF(p), [a, b])
        order_fact = factor(ec_candidate.order())
        good_curve = False
        for (prime, power) in order_fact:
            length = int(prime).bit_length()
            if length >= 42 and length <= 48:
                ecs.append((ec_candidate, prime))
                good_curve = True
                break
        if good_curve:
            break

Generating EC #1
Generating EC #2
Generating EC #3
Generating EC #4


In [4]:
ecs

[(Elliptic Curve defined by y^2 = x^3 + 6277101735386680763835789423207666416083908700390324961276*x + 3112050759649281189296378802695874518035971456751012767950 over Finite Field of size 6277101735386680763835789423207666416083908700390324961279,
  34896682396649),
 (Elliptic Curve defined by y^2 = x^3 + 6277101735386680763835789423207666416083908700390324961276*x + 5458782144827305110084501727858033448038556590674189810758 over Finite Field of size 6277101735386680763835789423207666416083908700390324961279,
  81137742608599),
 (Elliptic Curve defined by y^2 = x^3 + 6277101735386680763835789423207666416083908700390324961276*x + 5788461545499124759231725503804358686443296047091811786562 over Finite Field of size 6277101735386680763835789423207666416083908700390324961279,
  3545723088617),
 (Elliptic Curve defined by y^2 = x^3 + 6277101735386680763835789423207666416083908700390324961276*x + 6121708166136483077567998141312658973495749522543934264001 over Finite Field of size 627710173538

In [5]:
ec1 = ecs[0][0]
ec2 = ecs[1][0]
ec3 = ecs[2][0]
ec4 = ecs[3][0]

In [6]:
# we generate our elements of the desired prime order, within their respective "invalid" elliptic curves
p1 = (ec1.order()/ecs[0][1])*ec1.gen(0)
p2 = (ec2.order()/ecs[1][1])*ec2.gen(0)
p3 = (ec3.order()/ecs[2][1])*ec3.gen(0)
p4 = (ec4.order()/ecs[3][1])*ec4.gen(0)

In [7]:
p1

(2807111821753270235606952749555142290636243909870425884218 : 1844630281417213967453319791679056021580609118298319303618 : 1)

In [8]:
p2

(1521362811409649023155117926818594038554710541151944509982 : 5139835840888559120726224597204329955143025155951305015076 : 1)

In [9]:
p3

(2973424016325249905511073300106934126855998367618429681300 : 2995816855245136400104350751531029697342991291545621614807 : 1)

In [10]:
p4

(5496661980615164490588504558003381187721016101792754322524 : 3205869654254971744522332206255447147155280600991525420284 : 1)

In [11]:
p1.order()

34896682396649

In [12]:
p2.order()

81137742608599

In [13]:
p3.order()

3545723088617

In [14]:
p4.order()

126737131881907

In [15]:
# a calculation to show the number of possible candidates there are for pk
# 4933 may seem like a lot but we can try all the candidates and search for key terms in the flag - will be quite fast
int(ec0.order() / (p1.order() * p2.order() * p3.order() * p4.order()))

4933

```
[eugenelau@fedora key-sharer]$ nc chall.polygl0ts.ch 9025
Welcome to KeySharer™ using that good old NIST 192-P
=============================================
Alice wants to share her public key with you so that you both can have multiple shared secret keys !
Alice's public key is (2230074218083237901624079227276268727577628510634699020425,2080137031454700487859373151534825252983621476743808171976)
Now send over yours !

Gimme your pub key's x : 
2807111821753270235606952749555142290636243909870425884218
Gimme your pub key's y : 
1844630281417213967453319791679056021580609118298319303618
The shared key is
 (2240697313826872723889778085330388921589243294999535489068,1052224903629993970284779711343568051353265579172283445644)
Gimme your pub key's x : 
1521362811409649023155117926818594038554710541151944509982
Gimme your pub key's y : 
5139835840888559120726224597204329955143025155951305015076
The shared key is
 (1228015637516484564975993276770410580034968160058087543000,6166283703717522580698559397599408096300559499637125302681)
Gimme your pub key's x : 
2973424016325249905511073300106934126855998367618429681300
Gimme your pub key's y : 
2995816855245136400104350751531029697342991291545621614807
The shared key is
 (1797573844304149256961909813501197460237546388043825401843,3177599663402244866916153146024133541384272561809106859539)
Gimme your pub key's x : 
5496661980615164490588504558003381187721016101792754322524
Gimme your pub key's y : 
3205869654254971744522332206255447147155280600991525420284
The shared key is
 (1768748855691018876364169409317930220846102366474807688731,2481309930276743595455326773570701926731554231830000277680)
```

In [17]:
# now we figure out discrete log on each curve of each of our low-order points, and collect our modular congruences
q1 = ec1(2240697313826872723889778085330388921589243294999535489068,1052224903629993970284779711343568051353265579172283445644)
s1 = p1.discrete_log(q1)

In [18]:
q2 = ec2(1228015637516484564975993276770410580034968160058087543000,6166283703717522580698559397599408096300559499637125302681)
s2 = p2.discrete_log(q2)

In [19]:
q3 = ec3(1797573844304149256961909813501197460237546388043825401843,3177599663402244866916153146024133541384272561809106859539)
s3 = p3.discrete_log(q3)

In [20]:
q4 = ec4(1768748855691018876364169409317930220846102366474807688731,2481309930276743595455326773570701926731554231830000277680)
s4 = p4.discrete_log(q4)

In [21]:
# now that we collected our modular congruences we figure out what pk is congruent to mod p1.order() * p2.order() * p3.order() * p4.order()
base = crt([s1,s2,s3,s4], [p1.order(), p2.order(), p3.order(), p4.order()])
base

1055597310073078993719278169019471150804657928577721354

In [24]:
from Crypto.Util.number import long_to_bytes
# note we don't have a unique solution since p1.order() * p2.order() * p3.order() * p4.order() < ec0.order()
# but since int(ec0.order() / p1.order() * p2.order() * p3.order() * p4.order()) is only 4933, we can try all possible values
# from 0 to (ec0.order() - 1) which are congruent to the base modulo p1.order() * p2.order() * p3.order() * p4.order()
# (there will only be 4933 of them)
# and filter out the ones that don't have the flag header EPFL in them
public_key = ec0(2230074218083237901624079227276268727577628510634699020425,2080137031454700487859373151534825252983621476743808171976)
incr = p1.order() * p2.order() * p3.order() * p4.order()
candidate_PK = base
while True:
    # in this case, pow(candidate_PK, -1, ec0.order()) is the "decryption key" to the "private key" that we are guessing
    decrypt_attempt = pow(candidate_PK, -1, ec0.order()) * public_key
    decrypted_bytes = long_to_bytes(int(decrypt_attempt[0]))
    # if our guess for the private key is correct, then our decryption key will be correct
    # and we will get the flag (which will have the header "EPFL" in it)
    if b"EPFL" in decrypted_bytes:
        print(decrypted_bytes)
    candidate_PK += incr
    if candidate_PK >= p:
        break

b'EPFL{th1s_1s_1nv4lid}'
