qss — b01lers CTF 2026

Description

quantum secret sharing is the way of the future!

Remote: ncat --ssl qss.opus4-7.b01le.rs 8443

Source: challenge.py

English summary: the service asks us to submit a normalized 1-qubit ancilla and a 3 x 3-qubit attack unitary, then interact with a 96-round protocol containing both test rounds and information rounds. To get the flag we must leak enough information about the hidden secret bit while keeping the induced disturbance low and close to the challenge's theoretical information-disturbance frontier.

Challenge Summary

This is not a standard "break the crypto primitive" problem. The server already defines the protocol and the score function; our job is to engineer an eavesdropping attack that looks good under those metrics.

The important public ingredients are four Bell-style states:

phi_minus = [1, 0, 0, -1] / sqrt(2)
psi_plus  = [0, 1, 1, 0] / sqrt(2)
psi_upper_plus = (phi_minus + psi_plus) / sqrt(2)
phi_upper_minus = (phi_minus - psi_plus) / sqrt(2)

They are indexed as:

• S0 = {|phi->, |psi+>}
• S1 = {|Phi->, |Psi+>}

Those four states span only a 2-dimensional logical subspace. That immediately suggests reducing the problem to a BB84-like two-state attack inside the basis

|0_L> = |phi->
|1_L> = |psi+>

and treating S1 as the logical X basis obtained from superpositions of |0_L> and |1_L>.

Analysis

Protocol structure

The server fixes:

• ROUNDS = 96
• TEST_RATIO = 0.40
• MAX_QBER = 0.32
• MIN_QBER_CHECKED = 4
• MIN_QBER_CHECKED_PER_BASIS = 2
• MIN_INFO_ROUNDS = 16
• MIN_MUTUAL_INFO_BITS = 0.5
• FRONTIER_GAP_TOL_BITS = 0.25
• MIN_RAW_INFO_ACCURACY = 0.60

For each round the server samples:

...