tjctf
Task: ECDSA P-256 timing side-channel attack with 1600 signatures leaking nonce bit-length (Minerva / CVE-2024-23342). Solution: calibrate timing model, solve Hidden Number Problem via CVP lattice with fpylll, decrypt flag using SHA256-CTR custom stream cipher.
listen closely, it has a lot to say
We are given three files:

- trace.csv: 1600 ECDSA P-256 signatures with columns id, msg_hex, h, r, s, elapsed_ns
- public_key.txt: P-256 public key coordinates (Qx, Qy)
- flag.enc: 35 bytes of hex-encoded ciphertext

The goal is to recover the ECDSA private key using the timing side-channel and decrypt the flag.
The challenge name "Minerva's Stopwatch" and the elapsed_ns column point straight at CVE-2024-23342, the Minerva timing vulnerability in the python-ecdsa library. The core issue: the scalar multiplication k*G performed during signing runs a double-and-add loop whose number of iterations depends on the bit-length of the nonce k rather than being fixed at 256, so signing time grows linearly with that bit-length and a nonce with leading zero bits finishes measurably faster. The timing does not reveal the value of k, only roughly how many bits it has, which is exactly the partial-nonce leakage a lattice attack needs.
The timing side-channel leaks the bit-length of each nonce. By analyzing the distribution of elapsed_ns values, we calibrate a linear timing model:

```
est_bits = round(256 - (197530 - elapsed_ns) / 265)
```

i.e. roughly 265 ns per bit of k, with a full 256-bit nonce taking about 197,530 ns. The resulting distribution matches the expected geometric distribution perfectly: since k is uniform in [1, n) and n is just under 2^256, about half of the nonces have 256 bits, a quarter have 255, an eighth have 254, and in general bit-length 256 - j occurs with probability about 2^-(j+1).
Crucially, 6 extreme outliers have very short nonces: 38, 73, 73, 89, 90 and 129 bits. These provide massive leakage: a signature whose nonce is known to be below 2^ℓ contributes about 256 - ℓ bits of constraint on the private key, so these six alone contribute 218 + 183 + 183 + 167 + 166 + 127 = 1044 bits, while a typical 255-bit nonce contributes only one.
The ECDSA signing equation is:
s_i * k_i ≡ h_i + d * r_i (mod n)
Rearranging: k_i = s_i^{-1} * h_i + s_i^{-1} * r_i * d (mod n)

Writing t_i = s_i^{-1} * r_i and u_i = s_i^{-1} * h_i (both computable from the public signature and message), this becomes k_i ≡ u_i + t_i * d (mod n) together with the timing bound k_i < 2^{ℓ_i}: a Hidden Number Problem instance in the single unknown d, which is what the lattice step solves.
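The whole chain above, as an added example that is not the writeup's or python-ecdsa's code: a pure-Python P-256 signer whose double-and-add loop runs over exactly bit_length(k) iterations, a constructed timer (built from that iteration count plus ±100 ns jitter so that the writeup's formula applies to it; nothing here is measured), the t_i / u_i rearrangement, and a count of how many bits of d the short nonces leak. It goes one step past the preview by also building the scaled embedding lattice that the CVP step reduces, and checks with the known key that the short target vector lies in it; it does not reduce the lattice (no fpylll). The key, nonces and messages are random test data, and the six planted short nonces only mimic the bit-lengths of the writeup's outliers; all function names are this example's own.

```python
# Added example, not the challenge's or python-ecdsa's code.  All data here is
# constructed: random key/nonces, a synthetic timer, and planted short nonces.
import hashlib
import random

# NIST P-256 (y^2 = x^3 - 3x + b over GF(p)); G has prime order n of L = 256 bits.
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
L = 256

def ec_add(P, Q):
    """Affine addition/doubling (a = -3); None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def leaky_scalar_mult(k, P):
    """Double-and-add over exactly k.bit_length() bits (the pre-fix python-ecdsa
    shape): the iteration count, hence the running time, leaks the bit-length."""
    R, iterations = None, 0
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
        iterations += 1
    return R, iterations

def est_bits(elapsed_ns):
    """The writeup's calibrated linear timing model."""
    return round(256 - (197530 - elapsed_ns) / 265)

def sign(d, msg, k, rng):
    """Textbook ECDSA with a caller-chosen nonce.  Returns one trace row plus the
    true k, which is kept only so the analysis can be checked."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    R, iterations = leaky_scalar_mult(k, G)
    r = R[0] % n
    s = pow(k, -1, n) * (h + d * r) % n
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    # Constructed timer (not a measurement): 265 ns per iteration plus +-100 ns
    # jitter, which est_bits() rounds away.
    elapsed = 197530 - 265 * (L - iterations) + rng.randint(-100, 100)
    return {"h": h, "r": r, "s": s, "elapsed_ns": elapsed, "k": k}

def simulate(num_sigs=120, seed=1):
    """Constructed trace: random key, uniform nonces, plus six planted nonces with
    the same bit-lengths as the writeup's outliers."""
    rng, planted = random.Random(seed), [38, 73, 73, 89, 90, 129]
    d, rows = rng.randrange(1, n), []
    for i in range(num_sigs):
        lo, hi = (1 << (planted[i] - 1), 1 << planted[i]) if i < 6 else (1, n)
        rows.append(sign(d, f"msg-{i}".encode(), rng.randrange(lo, hi), rng))
    return d, rows

def hnp_samples(rows):
    """s*k = h + d*r  =>  k = u + t*d (mod n) with t = r/s, u = h/s; the timing
    estimate supplies the bound k < 2^bits that makes this an HNP sample."""
    out = []
    for row in rows:
        s_inv = pow(row["s"], -1, n)
        out.append({"t": s_inv * row["r"] % n, "u": s_inv * row["h"] % n,
                    "bits": est_bits(row["elapsed_ns"]), "k": row["k"]})
    return out

def hnp_lattice(samples):
    """Embedding basis: rows n*W_i*e_i, (t_i*W_i.., 1, 0), (u_i*W_i.., 0, 2^L), with
    W_i = 2^(L - bits_i) so the target (k_i*W_i.., d, 2^L) has all entries < ~2^L."""
    m, W = len(samples), [1 << (L - s["bits"]) for s in samples]
    basis = [[n * W[i] if j == i else 0 for j in range(m + 2)] for i in range(m)]
    basis.append([s["t"] * w for s, w in zip(samples, W)] + [1, 0])
    basis.append([s["u"] * w for s, w in zip(samples, W)] + [0, 1 << L])
    return basis, W

def target_in_lattice(samples, basis, W, d):
    """Known-key check: target = d*(t row) + (u row) - sum_i c_i * (n*W_i*e_i)."""
    m = len(samples)
    v = [d * x + y for x, y in zip(basis[m], basis[m + 1])]
    for i, s in enumerate(samples):
        v[i] -= (s["u"] + s["t"] * d - s["k"]) // n * basis[i][i]  # c_i, exact
    return v == [s["k"] * w for s, w in zip(samples, W)] + [d, 1 << L]

def analyse(d, rows):
    """What the attacker computes from the trace, plus known-key sanity checks."""
    samples = hnp_samples(rows)
    useful = [s for s in samples if s["bits"] < L]  # full-length nonces leak nothing
    basis, W = hnp_lattice(useful)
    return {"exact_estimates": sum(s["bits"] == s["k"].bit_length() for s in samples),
            "leaked_bits": sum(L - s["bits"] for s in useful),
            "hnp_consistent": all((s["u"] + s["t"] * d) % n == s["k"] for s in samples),
            "bounded": all(s["k"] < 1 << s["bits"] for s in samples),
            "in_lattice": target_in_lattice(useful, basis, W, d)}
```

Run `analyse(*simulate())`: every timing estimate matches the true bit-length (the jitter is below half a per-bit step), every sample satisfies k_i ≡ u_i + t_i d (mod n) with k_i < 2^{ℓ_i}, and the six planted nonces alone account for 1044 of the leaked bits. Only samples with ℓ_i < 256 go into the basis, since a full-length nonce constrains nothing and merely inflates the dimension; on the real trace you would likewise sort by est_bits and keep the most-leaking few dozen signatures before handing the basis to fpylll's LLL/BKZ, where the target vector is expected to surface as a short vector once the summed leakage comfortably exceeds 256 bits.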
...