CSE 207B, Fall 2025
Homework 7: Repeated ECDSA nonces

The web application located here validates API queries using an ECDSA signature before executing the commands in the query string. To validate the token, the web server parses the full query as:

    query = token=token_string&rest_of_query_string
  

Unfortunately for this server, it didn't use a very good random number generator when generating the ECDSA signatures, and accidentally repeated the signature nonce k. Here is another valid token/query combo. Your task is to recover the server's secret signing key and forge a valid ECDSA signature on the query string user=admin&get_file=hw7.pdf that will allow you to download the rest of your homework.

Repeated DSA and ECDSA nonces have been found many times in the wild, including for Bitcoin (2013 and 2016) and other cryptocurrencies as well as in protocols like SSH.

You may discuss this assignment in small groups with classmates, but please code and write up your solutions yourself. Please credit any collaborators you discussed with and any references you used.

Submission requirements and autograder

• You may use pure Python (with the ecdsa package) or any version of Sage to implement your solution, just document what version you used for the graders.
• Python3 solver script named "hw7-sol.py." (for pure Python) or "hw7-sol.sage.py." (for Sagemath Python) that takes two command line arguments, which correspond to two urls with valid token/query combos which were made with a repeated nonce,..
• ... and prints a valid url on the query string user=admin&get_file=hw7.pdf (the grader uses a regex to search all program output for URLs and succeeds if any of them is correct).
• You do not need to implement elliptic curve addition or point multiplication yourself for this assignment. Feel free to use the Python ecdsa package or Sage's EllipticCurve class.
• LaTeX typed answer PDF called "hw7-solutions.pdf"

The autograder...

• ... runs your script on a Ubuntu 22.04 Docker image
• ... has a 10 minute time limit and resource constrained (0.5 vCPU, 0.75 RAM)
• ... will be using a different key pair than was used for encrypting the homework. Read the public key from "key.pub" if you need it.

#!/usr/bin/env python3

import ecdsa
import hashlib
import binascii

pubkey = b'a89e372866cd3f76b74edfa2b2e11549df8da056f6784d84905b5ac3fee063ee5b53c649c969668c7732c35e85ed29dac850b73fc6136e1d133a182a2c43fe6a'
signature = b'ecf1c3dc7453222791b80c1656fa196b8339062aa1c22fdbf105513a5a62d95475423b581fca4092f49b596fa692abbb8b16e76ce3520d8f74f767cb8d6b52ef'
query_string = b'user=admin&get_file=kitten.jpg'

vk = ecdsa.VerifyingKey.from_string(binascii.unhexlify(pubkey),curve=ecdsa.NIST256p)
vk.verify(binascii.unhexlify(signature),query_string,hashfunc=hashlib.sha256)