[ARG] The Pizza Code Mystery

Hi,
Regarding the randomness of the 752 Hex Code, I consider it an almost dead-cert that it is not randomly generated, to the order of 10^(-200) (give or take a few orders of magnitude!).

I found how frequently each byte occured, and then found how many times did a byte only occur once, twice, etc. I then did the same with a randomly generated string of the same length. I then compared them (using a linear regression line) to find (approximately) what the relationship between number in a given category for random, and one for the code. In theory, if the hex code were random, this should be 1 (there should on average be the same number in each section). So, I repeated this test 10000 times, getting a mean of circa 0.976, and a standard deviation of 0.067. Assuming these values are normally distributed, and come from a distribution of mean 1, and the same standard deviation, this represents a sample mean z-score of -35, or not very likely at all.

If any statisticians can find errors in this argument, go ahead. And the code can be found here: https://pastebin.com/WWEbDcT8

Hopefully, this should give us the hope to go on.

I will have a look at the feasibility of this being a non-bijective substitution (i.e. A is converted to a variety of bytes, and likewise with B etc.) - see if the frequencies of a byte can be made suitably close to those that arise in english.

@Tuqz Your method fails. One doesn’t have to be a statistician to see it.

Always try your methods on real random data before jumping to conclusions: https://www.random.org/cgi-bin/randbyte?nbytes=376&format=h
I’ve tried it a few times and got all kinds of values ranging from 0.89 to 1.04.

You would have to repeat the test multiple times on multiple data sets to make conclusions. Unfortunately, 376 bytes is all we have.

EDIT: Also note that Python’s PRNG, while strong, is far from cryptographic randomness, or even true randomness random.org supposedly provides.

Thankyou for reminding me to test on random data (I knew I had forgotten something important…)!

I’m aware of PRNG’s shortcomings when it comes to randomness, I (probably incorrectly) assumed it was “good enough” on the scale of 376 bytes.

Yeah, consider that statistic nulled, as I have managed to get multiple even more “significant” data from the random source. I would have thought that on average, over thousands of tests, that any random distribution would be “similiar enough”. Oh well, I’ll stick to what I know - maths & physics, not cryptographic randomness…

I will continue to look at breaking homophonic subsitution ciphers (a simpler topic from a few pages back, as I’m green around the ears with codes and what not). Unless someone has already tried this, and failed (I didn’t think anyone had said as such, but my mind is like a sieve).

@Tuqz That was my idea. After reading this paper, I don’t think it’s a homophonic cipher anymore. 256 character alphabet is insane given the cipher length. (although I haven’t actually tried deciphering it)

@pointless ah, ok. I think I have found the “published” version of that paper - its slightly nicer on the eyes: https://www.cs.sjsu.edu/faculty/stamp/RUA/homophonic.pdf while it does seem excessive, 256 characters, it would be secure. Another problem is - how are we supposed to figure out the key (w/o brute force, which so far, none of them have needed, right?)? I’ll have a quick look, I doubt it’d work, it’s also to help me get my feet with cryptoanalysis - never really had an interest past caesar shifts.

EDIT: Based on a graph in that paper, it suggests that with 100 characters in 300 bytes of ciphertext the success rate is 10-20%, I’m not sure it is worth the time running the calculations with our hex code. I suspect with 2.5x the characters and that amount of ciphertext the odds of success are slim.

If we assume the code is AES or Rijndael with a block size of 256bits (from Code’s PM), Then there are ways to crack it without brute forcing or knowing the key, such as Dictionary attacks, Rainbow attacks, and others. We could compile a list of all the possible keys we can think of, use that as the dictionary, and run a Dictionary attack on it, if we’re all out of ideas.

Wouldn’t that be brute forcing?

No, brute forcing is trying all possible key combinations, even ones that aren’t words or letters. Even with a supercomputer bruteforceing takes billions of years. Dictionary attacks are faster.

But that would still mean it is possible to brute force it (even though it might take billions of years). I don’t think any method that ‘could’ be brute forced will work.
This is just from top of my head.

Anything execpt a One time pad can be theroeticly bruteforced. Storm said that the CIA couldn’t bruteforce it, which they can’t, in practice, if it’s AES.

edit:There is a comment on the wiki that leads to a wierd kxbm youtube channel

and it’s recent. The commenter also created a page with just the link to the channel.

I think I’m gonna call troll on that youtube channel.

It’s got two vids, one of which is just a “hl3.exe” icon and some simple ARG-styled error graphic. This has nothing to do with HL3, so I think someone’s just trying to put fuel to the fire.

It’s has the KXBM logo for a profile picture, but I agree, It does look like a troll.

It’s probably trolling, but I asked Storm on his Steam profile just to verify.
Also, has anyone watched ‘files’ video? Near the end, there is some kind of error, titled ‘[ASEM KCALB]’, does that mean anything?

It’s black mesa spelled backwards.

Oh, didn’t notice.
Still, we don’t know that it is trolling, it might be legit.

I googled the description of the files video and apperently it’s a quote from a 2001 tv show called “Six feet under”

EDIT: Yeah, It’s looking more and more like this is a troll, I mean look at the key words of the “background” video:<KXBM.net,KXBM,kxbm,Valve Corporation (Video Game Developer),valve,half life,half life 2,half life 3,Team Fortress 2 (Video Game),team fortress,team fortress 2,team fortress 3,dota,Dota 2 (Video Game),dota 2,dota 3,gabe,newell,gabe newell,Gabe Newell (Organization Leader),valve corporation,Half-Life (Video Game Series)>.

EDIT: It’s offical its a troll.
From storm’s steam account:
“I’ve not got anything to do with that youtube site personally, so as far as the Pizzacode ARG goes, its not to do with it.”

But then again, Don’t trust anyone…

That’s literally what did Scott Cawthon said.

I haven’t been following the ARG, therefore, I have no idea what the other clues are.

However, I just finished watching a documentary on Turing Machines and that gave me an idea. How do you break an unbreakable code? You use an algorithm to calculate the key. However, like any other equation - you have to know what at least one of variables is, before you can calculate the others. So what have we figured out so far that could help us CALCULATE the answer?

Correct me if I’m wrong: you’re suggesting something like (assuming we need an AES key) we need some clue, then use some sort of algorithm to get a 128, 192 or 256 bit key (32, 48 or 64 hex characters?) which would then be the AES key to the 752 hex code? So, aside from the AES algorithm and its input (the 752 hex code), we still need:

• some OTHER algorithm (although it could technically also be AES, this somehow seems unlikely as we have not seen many repeated methods before - I personally think this one is easier / less sophisticated than AES),
• that algorithm’s input, and
• probably some algorithm key (if applicable).
  The only real clue if the outcome of the above is correct (before trying) is that it needs to result in 128, 192 or 256 bits. It could of course be more or less, either padded or cut off to fit these lengths, but that would leave so many options it’d be near impossible to find the key.

I tried the above manually with some possible input and simple algorithms before, with no luck. As to what might help us find the correct answers: I’m currently drawing a blank. Hence me not commenting here for some time now. Feel free to throw any suggestions at me, I’ve got nothing.