HTB Cyber Apocalypse 2022 - Quantum Engine
- Author: Quintec
- Date:
Let’s take a look at the source code:
  1import socketserver
  2from secrets import flag
  3import signal
  4from qiskit import *
  5import itertools
  6
  7class CircuitException(Exception):
  8    pass
  9
 10
 11class Circuit:
 12
 13    def __init__(self, inputGates) -> None:
 14        self.a = 0
 15        self.b = 0
 16        self.c = 0
 17        self.inputGates = inputGates
 18    
 19    def append_HGate(self, qbit):
 20        qbit = int(qbit)
 21        if qbit in range(4):
 22            self.circuit.h(qbit)
 23        else:
 24            raise CircuitException('Non-valid qbit position given...')
 25    
 26    def append_TGate(self, qbit):
 27        qbit = int(qbit)
 28        if qbit in range(4):
 29            self.circuit.t(qbit)
 30        else:
 31            raise CircuitException('Non-valid qbit position given...')
 32
 33    def append_TdgGate(self, qbit):
 34        qbit = int(qbit)
 35        if qbit in range(4):
 36            self.circuit.tdg(qbit)
 37        else:
 38            raise CircuitException('Non-valid qbit position given...')
 39
 40    def append_CZGate(self, qbits):
 41        qbits = qbits.split(',')
 42        c_qubit = int(qbits[0])
 43        t_qubit = int(qbits[1])
 44
 45        if c_qubit in range(4) and t_qubit in range(4):
 46            self.circuit.cz(c_qubit, t_qubit)
 47        else:
 48            raise CircuitException('Non-valid qbit position given...')
 49
 50
 51    def generate_Circuit(self):
 52
 53        self.circuit = QuantumCircuit(4,3)
 54
 55        if self.a == 1:
 56            self.circuit.x(0)
 57        if self.b == 1:
 58            self.circuit.x(1)
 59        if self.c == 1:
 60            self.circuit.x(2)
 61        
 62        for gate in self.inputGates:
 63            gate = gate.split(':')
 64            if gate[0] == 'H':
 65                self.append_HGate(gate[1])
 66            elif gate[0] == 'T':
 67                self.append_TGate(gate[1])
 68            elif gate[0] == 'TDG':
 69                self.append_TdgGate(gate[1])
 70            elif gate[0] == 'CZ':
 71                self.append_CZGate(gate[1])
 72            else:
 73                raise CircuitException('Non-valid gate given...')
 74
 75        self.circuit.measure([0,2,3],[0,1,2])
 76        if self.circuit.depth() > 43:
 77            raise CircuitException('Circuit is too big...')
 78        
 79    def check_Circuit(self):
 80        inputs = list(itertools.product([0, 1], repeat=3))
 81
 82        for input in inputs:
 83            self.a = input[0]
 84            self.b = input[1]
 85            self.c = input[2]
 86
 87            self.generate_Circuit()
 88
 89            simulator = Aer.get_backend('qasm_simulator')
 90            counts = execute(self.circuit,backend=simulator, shots = 1).result().get_counts()
 91            counts = next(iter(counts))[::-1]
 92            if (int(counts[0]) == self.a) and int(counts[1]) == self.c ^self.a ^ self.b and (int(counts[2]) == self.a&self.b|self.b&self.c|self.c&self.a):
 93                pass
 94            else:
 95                return False
 96        return True
 97
 98        
 99
100def challenge(req):
101    try:
102        req.sendall(b'\lvert--------------------------------\lvert\n'+
103                    b'\lvert Phalcon\'s Accelaration System \lvert\n'+
104                    b'\lvert--------------------------------\lvert\n'+
105                    b'\lvert > Send quantum circuit for the \lvert\n'+
106                    b'\lvert system to analyze...           \lvert\n'+
107                    b'\lvert--------------------------------\lvert\n'+
108                    b'\n> '
109                    )
110        input = req.recv(4096).decode().strip().split(';')
111
112        if len(input) < 0 or len(input) > 100:
113            raise CircuitException('Non-valid circuit length...')
114        
115        quantumCircuit = Circuit(input)
116        
117        if quantumCircuit.check_Circuit():
118            req.sendall(flag.encode()+b"\n")
119            req.close()
120            exit()
121        else:
122            req.sendall(b'The circuit failed to pass the test...\n')
123            req.close()
124            exit()
125
126
127    except CircuitException as ce:
128        try:
129            req.sendall(ce.encode()+b'\n')
130            req.close()
131        except:
132            pass
133        exit()
134
135    except Exception as e:
136        try:
137            req.sendall(b'Unexpected error.\n')
138            req.close()
139        except:
140            pass
141        exit()
142
143class incoming(socketserver.BaseRequestHandler):
144    def handle(self):
145        signal.alarm(300)
146        req = self.request
147        print("starting server")
148        while True:
149            challenge(req)
150
151class ReusableTCPServer(socketserver.ForkingMixIn, socketserver.TCPServer):
152    pass
153
154socketserver.TCPServer.allow_reuse_address = False
155server = ReusableTCPServer(("0.0.0.0", 1337), incoming)
156server.serve_forever()
Alright, so the main part of the challenge is in the Circuit class. It looks like we’re implementing a quantum circuit that satisfies this:
 1def check_Circuit(self):
 2        inputs = list(itertools.product([0, 1], repeat=3))
 3
 4        for input in inputs:
 5            self.a = input[0]
 6            self.b = input[1]
 7            self.c = input[2]
 8
 9            self.generate_Circuit()
10
11            simulator = Aer.get_backend('qasm_simulator')
12            counts = execute(self.circuit,backend=simulator, shots = 1).result().get_counts()
13            counts = next(iter(counts))[::-1]
14            if (int(counts[0]) == self.a) and int(counts[1]) == self.c ^self.a ^ self.b and (int(counts[2]) == self.a&self.b|self.b&self.c|self.c&self.a):
15                pass
16            else:
17                return False
18        return True
So given 3 inputs $a, b, c$ and 4 total qubits to work with, we need to set the outputs to be $a$, $a \oplus b \oplus c$, and $(a\&b)\lvert(b\&c)\lvert(c\&a)$. And it looks like the only gates that we are able to use are $H, T, TDG$, and $CZ$.
Initial Thoughts
Note the line self.circuit.measure([0,2,3],[0,1,2]) in the generate_Circuit function. This means that the outputs need to be on qubits $0, 2, $ and $3$ (and the inputs are on qubits $0, 1, $ and $2$ as shown in the beginning of the function).
The first output is simple by itself - just don’t do anything to the input! This is actually a bit tricky once we implement the others, as you soon will see.
The second output needs to be the XOR of all the inputs. It turns out this isn’t too hard either - a $CNOT$ (or $CX$) gate effectively performs XOR. (Remember that a $CNOT$ gate flips the second qubit (across the $x$ axis, hence the name $CX$) iff the first qubit is $\lvert1\rangle$.) That is, for classical bits, $\text{CNOT}(a, b)$ takes $(a, b)$ to $(a, a \oplus b)$. There’s just one small problem - we aren’t allowed $CNOT$ gates! But we are allowed $CZ$ gates, which flips the second qubit across the $z$ axis iff the first qubit is $\lvert1\rangle$. These two operations only differ by an axis, and it turns out that $HZH = X$ (and $HXH = Z$), so we can implement $CNOT$ gates in this way. Remembering that this output needs to be on qubit 2, we can simply apply $CNOT$s with control qubits 0 and 1 targeting qubit 2, which would take $(a, b, c)$ to $(a, b, a \oplus b \oplus c)$ as desired.
 1qc = QuantumCircuit(4, 3)
 2qc.h(2)
 3qc.cz(0, 2)
 4qc.cz(1, 2)
 5qc.h(2)
 6qc.draw()
 7"""
 8q_0: ──────■─────────
 9           │         
10q_1: ──────┼──■──────
11     ┌───┐ │  │ ┌───┐
12q_2: ┤ H ├─■──■─┤ H ├
13     └───┘      └───┘
14q_3: ────────────────
15                     
16c: 3/════════════════   
17"""
The third output is a bit trickier. $(a\&b)\lvert(b\&c)\lvert(c\&a)$ is a complicated expression. While it is possible to construct circuits that simulate AND and OR, the main problem is that to be able to use the value of each input twice, we would need multiple ancillary qubits so that the value of the inputs aren’t lost. Instead, it helps to think of the expression as a whole rather than the individual parts. What it’s really saying is “set the output bit to $\lvert1\rangle$ if at least 2 of the input bits are $\lvert1\rangle$”. Or, if you think about it, “set the output bit to the majority of the input bits”. What does this sound like? To me, error correction comes to mind.
The basic single-qubit bit flip error correction circuit looks like this:
                ░           ┌───┐
q_0: ──■────■───░───■────■──┤ X ├
     ┌─┴─┐  │   ░ ┌─┴─┐  │  └─┬─┘
q_1: ┤ X ├──┼───░─┤ X ├──┼────■──
     └───┘┌─┴─┐ ░ └───┘┌─┴─┐  │  
q_2: ─────┤ X ├─░──────┤ X ├──■──
          └───┘ ░      └───┘     
where $q_0$ is the qubit to be transmitted, and $q_1$ and $q_2$ are ancilla qubits which start in state $\lvert0 \rangle$. The first 2 $CNOT$ gates essentially serve to copy the value of $q_0$ into $q_1$ and $q_2$, and then $q_0$ is potentially flipped. After a few more gates, no matter the starting value of $q_0$ and no matter if it is flipped or not, in the end $q_0$ will have the same value it started with. The last gate is a $CCNOT$ gate, a double-controlled not gate, also known as a Toffoli gate, which flips the target ($q_0$) iff both inputs ($q_1$ and $q_2$) are $\lvert1 \rangle$. It basically acts like an AND gate.
Now it turns out if you disregard the first half of the circuit (copying $q_0$ into $q_1$ and $q_2$), this circuit does exactly what we want it to. Try it yourself for some random inputs if you’re not convinced - it will set $q_0$ to the majority bit. Now how do we implement this? I’ve already shown how to implement $CNOT$ gates above, and for the $CCNOT$ gate, you could either look it up, or use qiskit’s decompose function to decompose it into gates we know how to make.
 1qc = QuantumCircuit(3)
 2qc.ccx(0, 1, 2)
 3qc.decompose().draw()
 4"""
 5                                                       ┌───┐      
 6q_0: ───────────────────■─────────────────────■────■───┤ T ├───■──
 7                        │             ┌───┐   │  ┌─┴─┐┌┴───┴┐┌─┴─┐
 8q_1: ───────■───────────┼─────────■───┤ T ├───┼──┤ X ├┤ TDG ├┤ X ├
 9     ┌───┐┌─┴─┐┌─────┐┌─┴─┐┌───┐┌─┴─┐┌┴───┴┐┌─┴─┐├───┤└┬───┬┘└───┘
10q_2: ┤ H ├┤ X ├┤ TDG ├┤ X ├┤ T ├┤ X ├┤ TDG ├┤ X ├┤ T ├─┤ H ├──────
11     └───┘└───┘└─────┘└───┘└───┘└───┘└─────┘└───┘└───┘ └───┘      
12"""
Putting it All Together
There are a few final issues to take care of. We have successfully calculated each output bit individually, but how to put it all together? First, note that our adapted error correction circuit has the potential to flip $q_1$ and $q_2$, so we need to track the original value of $q_0$ to see whether or not we need to re-flip $q_1$ and $q_2$ after performing the “error correction”. This is easy enough - since our extra 4th qubit $q_3$ is guaranteed to start at zero, performing a $CNOT$ to XOR the value of one of the qubits into the 4th qubit would copy it into the 4th qubit. We can actually then just run our adapted error correction circuit targeting this 4th qubit, since we want this output on $q_3$ in the end anyway. After that, since we have the original value of the qubit, we can reflip the other qubits if needed, and then use all 3 original inputs to calculate the other outputs, which is not hard. The final circuit looks like this:
  1from qiskit import *
  2from qiskit.extensions import *
  3
  4qc = QuantumCircuit(4, 3)
  5
  6#copy qubit 3 to qubit 2
  7qc.h(3)
  8qc.cz(2, 3)
  9qc.h(3)
 10
 11#"error correct" (output 3): convert qubit 3 to majority of (0, 1, 3), using two CX and one CCX 
 12qc.h(0)
 13qc.cz(3, 0)
 14qc.h(0)
 15qc.h(1)
 16qc.cz(3, 1)
 17qc.h(1)
 18
 19#CCX decomposed
 20qc.cz(1, 3)
 21qc.h(3)
 22qc.tdg(3)
 23qc.h(3)
 24qc.cz(0, 3)
 25qc.h(3)
 26qc.t(3)
 27qc.h(3)
 28qc.cz(1, 3)
 29qc.h(3)
 30qc.tdg(3)
 31qc.h(3)
 32qc.cz(0, 3)
 33qc.h(3)
 34qc.t(3)
 35qc.h(3)
 36qc.t(1)
 37qc.h(1)
 38qc.cz(0, 1)
 39qc.h(1)
 40qc.tdg(1)
 41qc.t(0)
 42qc.h(1)
 43qc.cz(0, 1)
 44qc.h(1)
 45
 46#reflip 0 and 1 if necessary
 47qc.h(0)
 48qc.cz(2, 0)
 49qc.h(0)
 50qc.h(1)
 51qc.cz(2, 1)
 52qc.h(1)
 53
 54#xor (output 2)
 55qc.h(2)
 56qc.cz(0, 2)
 57qc.cz(1, 2)
 58qc.h(2)
 59
 60qc.measure([0,2,3],[0,1,2])
 61
 62qc.draw()
 63"""
 64     ┌───┐           ┌───┐                    »
 65q_0: ┤ H ├─────────■─┤ H ├────────────────────»
 66     ├───┤         │ └───┘┌───┐               »
 67q_1: ┤ H ├─────────┼───■──┤ H ├─■─────────────»
 68     └───┘         │   │  └───┘ │             »
 69q_2: ──────■───────┼───┼────────┼─────────────»
 70     ┌───┐ │ ┌───┐ │   │        │ ┌───┐┌─────┐»
 71q_3: ┤ H ├─■─┤ H ├─■───■────────■─┤ H ├┤ TDG ├»
 72     └───┘   └───┘                └───┘└─────┘»
 73c: 3/═════════════════════════════════════════»
 74                                              »
 75«                                                »
 76«q_0: ──────■────────────────────────────────────»
 77«           │                   ┌───┐ ┌───┐      »
 78«q_1: ──────┼─────────────────■─┤ T ├─┤ H ├──────»
 79«           │                 │ └───┘ └───┘      »
 80«q_2: ──────┼─────────────────┼──────────────────»
 81«     ┌───┐ │ ┌───┐┌───┐┌───┐ │ ┌───┐┌─────┐┌───┐»
 82«q_3: ┤ H ├─■─┤ H ├┤ T ├┤ H ├─■─┤ H ├┤ TDG ├┤ H ├»
 83«     └───┘   └───┘└───┘└───┘   └───┘└─────┘└───┘»
 84«c: 3/═══════════════════════════════════════════»
 85«                                                »
 86«             ┌───┐               ┌───┐   ┌───┐»
 87«q_0: ─■───■──┤ T ├─────────────■─┤ H ├─■─┤ H ├»
 88«      │   │  ├───┤┌─────┐┌───┐ │ ├───┤ │ ├───┤»
 89«q_1: ─┼───■──┤ H ├┤ TDG ├┤ H ├─■─┤ H ├─┼─┤ H ├»
 90«      │      └───┘└─────┘└───┘   └───┘ │ └───┘»
 91«q_2: ─┼────────────────────────────────■──────»
 92«      │ ┌───┐┌───┐ ┌───┐  ┌─┐                 »
 93«q_3: ─■─┤ H ├┤ T ├─┤ H ├──┤M├─────────────────»
 94«        └───┘└───┘ └───┘  └╥┘                 »
 95«c: 3/══════════════════════╩══════════════════»
 96«                           2                  »
 97«                   ┌─┐        
 98«q_0: ─────────■────┤M├────────
 99«        ┌───┐ │    └╥┘        
100«q_1: ─■─┤ H ├─┼──■──╫─────────
101«      │ ├───┤ │  │  ║ ┌───┐┌─┐
102«q_2: ─■─┤ H ├─■──■──╫─┤ H ├┤M├
103«        └───┘       ║ └───┘└╥┘
104«q_3: ───────────────╫───────╫─
105«                    ║       ║ 
106«c: 3/═══════════════╩═══════╩═
107«                    0       1 
108"""
Converting this to the input format given in the source code and submitting it to the server gives us the flag.