ECC 2011: Virtual tomato thrower
Note: The links below are broken, on purpose.
This copy of the page is only static, no real tomato server is
- Just head to this page and log in using the
login/password printed on your badge.
- Once logged in, you'll be presented with a list of hexadecimal
numbers, or tomato tokens.
- To throw a tomato, either click on the corresponding Throw it!
or copy/paste its token into the input box you'll find on
- Each tomato token can be used only once!
In order to protect this application against any kind of abuse or foul
play, our senior security experts at Bullsh't Tech, Inc.™ have
devised a revolutionary protocol based on bleeding-edge cryptographic
technology, namely the recent Rivest–Shamir–Adleman algorithm (or
RSA, for short).
Aware of the presence of internationally renowned—yet
malicious—cryptographers in the audience, the security parameters of this
cryptosystem were carefully picked so as to prevent even the most advanced
attacks against it: the chosen RSA modulus is indeed 103-digit
long, which is, well… very long, like, if you try to memorize it, or
just write it down on a piece of paper or something. No, really, it's huge.
Just have a look:
N := 3178596799904430539531118093572909377533245016659924241839251998632652703620411662777401318406813551573.
Just wow, isn't it? Not to brag, but it's larger than the number of
atoms in the Universe! It's even longer than the keys of those wankers who
use, er… what's-their-name… ecliptic curbs or something.
In fact, as a token of our confidence in the unbreakability of this
scheme, we at Bullsh't Tech, Inc.™ chose to fully disclose the inner
workings of our system:
- Generation of a tomato token:
(C source code here)
- Pick a random 32-bit unsigned integer 106 ≤ ID
- Compute the 160-bit SHA-1 digest of this integer (represented as
4 bytes, least-significant byte first):
H := SHA1(ID).
- Compute a random padding P of 148 bits.
- Construct the 340-bit word M as the concatenation of
H, P, and ID:
M := H ∥ P ∥ ID =
(H ≪ 180) + (P ≪ 32) + ID.
- Compute the token T as the RSA signature of M:
T := Md mod N,
where d ≡ 3-1 (mod ϕ(N)).
- Verification of a tomato token:
(C source code here)
- Retrieve the plaintext message M from the token T:
M := T3 mod N.
- Extract ID as the least-significant 32 bits of M:
ID := M mod 232.
- Extract H as the 160-bit word of M starting at
H := (M ≫ 180) mod 2160.
- Check that 106 ≤ ID < 107 and
that H = SHA1(ID).
- Note 1:
Since there aren't that many attendees at this conference,
the supplied tomato tokens were generated with 106 ≤
ID < 2·106. However, the token verification
process only ensures that 106 ≤ ID <
- Note 2:
Only the supplied tokens are checked against replay. Forging a
token with a distinct ID (for instance in the range
2·106 to 107) would grant a user an infinite
amount of tomatoes. However, forging such a token is of course utterly
impossible, so don't even try!