weave — UMDCTF

Description

No organizer description was included in the provided workspace files.

English summary: the handout gives a field construction over GF(2^43), a leaked Moore-code structure (pegs, knot, shuttle), a noisy linear combination called bolt, and an AES-GCM-encrypted vault. The goal is to recover the hidden secret vector well enough to derive the AES key and decrypt the flag.

Analysis

Reading chall.sage shows that the challenge works in GF(2^43) with modulus:

x^43 + x^21 + x^3 + x + 1

The public code parameters are K = 8 and N = 40. The script samples N independent field elements called pegs and builds the K x N Moore matrix

loom[j, i] = pegs[i]^(2^j)

Then it samples an invertible knot, a structured invertible shuttle, and defines

warp = knot * loom * shuttle^{-1}
bolt = secret * warp + frays

The important leak is that knot and shuttle are both given to us, along with the original pegs. That means we can rewrite the received value into the natural Gabidulin code domain. Multiplying on the right by shuttle gives

y = bolt * shuttle
  = (secret * knot) * loom + frays * shuttle
  = t * loom + e

where t = secret * knot and e = frays * shuttle.

Now the structure of the error matters. In the generator, frays is built from a rank-<= 5 binary matrix, so its GF(2)-rank is at most 5. Also, every entry of shuttle lies in the GF(2)-span of only 3 leaked fibers, so multiplying by shuttle can enlarge the error support by at most a factor of 3. Therefore:

rank_GF(2)(e) <= 5 * 3 = 15

...