Add Codegate CTF 2024 Final

Author: pcw109550

README.md

@@ -1,5 +1,8 @@
 # my-ctf-challenges
 
+## [Codegate CTF 2024 Finals](https://ctftime.org/event/2347/)
+- [Quantitative-Easing](codegate2024/Final/Quantitative-Easing) (Blockchain, Crypto)
+
 ## [WACon 2023 Finals](https://wacon.world/)
 
 - [Blob Me Maybe](https://github.com/pcw109550/blob-me-maybe) (Blockchain, Crypto)

codegate2024/Final/Quantitative-Easing/README.md

@@ -0,0 +1,88 @@
+# Crypto - Quantitative Easing
+
+### Author
+- Park Changwan (@diff72840089)
+
+### Infra
+
+```sh
+cd prob/for_organizer
+# setup port by tweaking docker compose
+docker compose up --build -d
+```
+
+Connect with
+
+```sh
+nc 54.180.139.83 13337
+```
+
+### Description
+
+```
+I rolled my own b{lockchain|ank}. Please stimulate our economy!
+```
+
+### Writeup
+
+Keywords: Zero Knowledge, Range Proofs, Weak Fiat-Shamir Transformation, Mimblewimble Transaction
+
+The challenge implements basic blockchain with mimblewimble protocol enabled. Mimblewimble transactions gives privacy, by leveraging pederson commitments, schnorr signatures, and range proofs(or bulletproofs) scheme. Range proofs are zk scheme, which requires Fiat-Shamir transformation for non-interactive protocols.
+
+- [1] BulletProof paper: https://eprint.iacr.org/2017/1066.pdf
+- [2] Mimblewimble transactions: https://tlu.tarilabs.com/protocols/mimblewimble-transactions-explained
+
+When weak Fiat-Shamir transformation is used for range proofs, the attacker may forge range proofs and the scheme becomes provably insecure. Article [4] amounts the actual attack on range proofs(not aggregated).
+
+- [3] Weak Fiat-Shamir Attacks on
+Modern Proof Systems: Section 4: https://eprint.iacr.org/2023/691.pdf
+- [4] Frozen Heart Vulnerability in bulletproofs: https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/
+
+The challenge is implemented based on open source range proof implementations that is vulnerable to weak Fiat-Shamir transformation.
+
+- [5] Range proof implementation: https://github.com/wborgeaud/python-bulletproofs
+
+By mounting the attack introduced at [3], we may forge aggregated range proofs, eventually forging `tx_fees` to random value sampled at `GF(secp256k1.order)`.
+
+The main implementation of the attack is at `exploit/src/solve.py`'s `Agent::request_with_forgery` method implementation, which uses `exploit/src/rangeproofs/rangeproof_aggregate_prover_forgery.py`. You may compare the attack code with original `Agent::request` implementation.
+
+Run solver script by
+
+```sh
+cd exploit/src
+python3 -m pip install requirements.txt
+python3 solve.py
+```
+
+Example stdout:
+```log
+[<] Opening connection to localhost on port 13337: Trying 127.0.0.
+[+] Opening connection to localhost on port 13337: Done
+[*] PoW token = s.AAfQ.AACYZXwYSfPurIbV2NIn5pfw
+[*] PoW solution = s.AABRUfkKJVF9ume9LRFRTpRISn17UVySLaiRYfb3qHIuP17D7C8mfVEkeUF0ua6NM/uNU055KGNYBSZj7sQtx46IhvOtMibNyr1fBePF0pD7bYqcznHR4AzomzYOVAsvO0St91aFSSIwvUtY6IA4YxJGYPyR8EkJctgthXgJ7C591PCf4SJWBsjpmsu1ZRS2IR97G9Q8IOnwKX/3iDgoyvHX
+[*] PoW validation = 'Correct'
+[*] Received Protocol Parameters
+[*] Received transaction
+[*] Received spending key
+[*] Sent transaction
+[*] Check flag
+{'flag': 'CODEGATE{Times_29/Aug/2024_Chancellor_on_brink_of_third_bailout_for_banks}'}
+CODEGATE{Times_29/Aug/2024_Chancellor_on_brink_of_third_bailout_for_banks}
+[*] Switching to interactive mode
+[*] Got EOF while reading in interactive
+```
+
+### Flag
+
+```
+CODEGATE{Times_29/Aug/2024_Chancellor_on_brink_of_third_bailout_for_banks}
+```
+
+## Stats
+
+- General Division: 2 solves (DiceGang, Oops)
+
+### External Writeups
+
+- 0ops: https://github.com/hch257/CTF-Writeups/tree/main/2024-Codegate/Quantitative%20Easing
+    - Unintended using Arithmetic overflow attack

codegate2024/Final/Quantitative-Easing/exploit/src/innerproduct/__init__.py

@@ -0,0 +1,112 @@
+"""Contains classes for the prover of an inner-product argument"""
+
+from typing import Optional
+
+from utils.commitments import vector_commitment
+from utils.transcript import Transcript
+from utils.utils import inner_product
+
+from .inner_product_verifier import Proof1, Proof2
+
+
+class NIProver:
+    """Class simulating a NI prover for the inner-product argument (Protocol 1)"""
+
+    def __init__(self, g, h, u, P, c, a, b, group, seed=b""):
+        assert len(g) == len(h) == len(a) == len(b)
+        self.g = g
+        self.h = h
+        self.u = u
+        self.P = P
+        self.c = c
+        self.a = a
+        self.b = b
+        self.group = group
+        self.transcript = Transcript(seed)
+
+    def prove(self) -> Proof1:
+        """
+        Proves the inner-product argument following Protocol 1 in the paper
+        Returns a Proof1 object.
+        """
+        # x = mod_hash(self.transcript.digest, self.group.order)
+        x = self.transcript.get_modp(self.group.q)
+        self.transcript.add_number(x)
+        P_new = self.P + (x * self.c) * self.u
+        u_new = x * self.u
+        Prov2 = FastNIProver2(
+            self.g,
+            self.h,
+            u_new,
+            P_new,
+            self.a,
+            self.b,
+            self.group,
+            self.transcript.digest,
+        )
+        return Proof1(u_new, P_new, Prov2.prove(), self.transcript.digest)
+
+
+class FastNIProver2:
+    """Class simulating a NI prover for the inner-product argument (Protocol 2)"""
+
+    def __init__(self, g, h, u, P, a, b, group, transcript: Optional[bytes] = None):
+        assert len(g) == len(h) == len(a) == len(b)
+        assert len(a) & (len(a) - 1) == 0
+        self.log_n = len(a).bit_length() - 1
+        self.n = len(a)
+        self.g = g
+        self.h = h
+        self.u = u
+        self.P = P
+        self.a = a
+        self.b = b
+        self.group = group
+        self.transcript = Transcript()
+        if transcript:
+            self.transcript.digest += transcript
+            self.init_transcript_length = len(transcript.split(b"&"))
+        else:
+            self.init_transcript_length = 1
+
+    def prove(self):
+        """
+        Proves the inner-product argument following Protocol 2 in the paper
+        Returns a Proof2 object.
+        """
+        gp = self.g
+        hp = self.h
+        ap = self.a
+        bp = self.b
+
+        xs = []
+        Ls = []
+        Rs = []
+
+        while True:
+            if len(ap) == len(bp) == len(gp) == len(hp) == 1:
+                return Proof2(
+                    ap[0],
+                    bp[0],
+                    xs,
+                    Ls,
+                    Rs,
+                    self.transcript.digest,
+                    self.init_transcript_length,
+                )
+            np = len(ap) // 2
+            cl = inner_product(ap[:np], bp[np:])
+            cr = inner_product(ap[np:], bp[:np])
+            L = vector_commitment(gp[np:], hp[:np], ap[:np], bp[np:]) + cl * self.u
+            R = vector_commitment(gp[:np], hp[np:], ap[np:], bp[:np]) + cr * self.u
+            Ls.append(L)
+            Rs.append(R)
+            self.transcript.add_list_points([L, R])
+            # x = mod_hash(self.transcript.digest, self.group.order)
+            x = self.transcript.get_modp(self.group.q)
+            xs.append(x)
+            self.transcript.add_number(x)
+            gp = [x.inv() * gi_fh + x * gi_sh for gi_fh, gi_sh in zip(gp[:np], gp[np:])]
+            hp = [x * hi_fh + x.inv() * hi_sh for hi_fh, hi_sh in zip(hp[:np], hp[np:])]
+            ap = [x * ai_fh + x.inv() * ai_sh for ai_fh, ai_sh in zip(ap[:np], ap[np:])]
+            bp = [x.inv() * bi_fh + x * bi_sh for bi_fh, bi_sh in zip(bp[:np], bp[np:])]