monokro.me

Cicada 3301: Has The Illumination Been Concealed?

I’ve been spending some time analyzing Cicada 3301’s Liber Primus, the cryptographic puzzle that has remained mostly unsolved since 2014. After working through the known solutions and poking at the unsolved pages, I’ve come to an unfortunate conclusion: I’ll keep trying new ideas, but this is probably a dead end for now. Here’s my reasoning:

One little hash

Only a small portion of the Liber Primus has been decoded. The solved pages used a mix of ciphers - Atbash, Vigenere, and a prime totient shift. Page 56, one of the solved pages, contains this instruction:

Within the deep web there exists a page that hashes to

36367763ab73783c7af284446c
59466b4cd653239a311cb7116
d4618dee09a8425893dc7500b
464fdaf1672d7bef5e891c6e227
4568926a49fb4f45132c2a8b4

It is the duty of every pilgrim to seek out this page.

If we look at that briefly, it could be seen as a SHA-512: 512 bits, 128 hex characters. At first glance it looks like you’re supposed to find a web page whose SHA-512 digest matches. But I believe that there’s a more interesting interpretation.

While the community has gone as far as archiving large portions of the web and building browser extensions for hashing content, I find this to be very unlikely behaviour for Cicada.

Cicada is about cryptography and thinking through problems. Referencing a hash on a random page on the internet simply doesn’t feel like something they’d do. It’d come off as a cheap way to arbitrarily slow down the puzzle.

Decomposing the hash

Cicada had already used Tor hidden services throughout their puzzles. Tor v2 onion addresses are derived from 160-bit SHA-1 hashes of the service’s RSA public key — base32-encoded into the 16-character .onion hostname. That’s a very specific number: 160 bits.

Look at how the hash is formatted above. It’s split across five lines. That’s not an accident — Cicada doesn’t do anything by accident. What first caught my attention was that the entropy of the first 8 hex characters on each line was noticeably different from the remaining characters.

If this were a single monolithic hash, you’d expect a uniform distribution throughout. It’s a small enough amount of data to be a coincidence, but I think it’s also the type of coincidence that Cicada would notice before publishing this puzzle.

The fact that there’s a visible statistical boundary at position 8 on every line suggests two different data sources were interleaved. If you take the first 8 hex characters of each of the lines, you get:

36367763
59466b4c
d4618dee
464fdaf1
4568926a

Concatenate them: 3636776359466b4cd4618dee464fdaf14568926a. That’s 40 hex characters — exactly 160 bits. Base32-encode it, and you get gy3hoy2zizvuzvdb.onion.

That accounts for 160 of the 512 bits. The remaining 352 bits are what made me stop and pay attention, because 352 is not a common hash length or block size. It is, however, an exact fit for AES-256-GCM parameters: a 256-bit key plus the standard 96-bit nonce (256 + 96 = 352).

The theory is that the hash isn’t really a hash at all. It’s a composite payload: a Tor address to find the next page, and the AES-256-GCM key and nonce to decrypt whatever was served there.
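To make the decomposition above reproducible, here is a small script that peels the first 8 hex characters off each printed line, derives the v2 address (base32 of the 160-bit value; a v2 hostname is the first 16 base32 characters, i.e. the first 80 bits), and carves the leftover 352 bits into an AES-256-GCM key and nonce. This is an added example written for this post, not Cicada’s material; the per-line entropy helper is my own crude check of the observation, not a proof of it.

```python
import base64
import math
from collections import Counter

# The five lines exactly as printed on Liber Primus page 56 (quoted in the post).
HASH_LINES = [
    "36367763ab73783c7af284446c",
    "59466b4cd653239a311cb7116",
    "d4618dee09a8425893dc7500b",
    "464fdaf1672d7bef5e891c6e227",
    "4568926a49fb4f45132c2a8b4",
]

def split_payload(lines, prefix_len=8):
    """Return (prefix_hex, remainder_hex): the first prefix_len hex chars of
    every line concatenated, and everything after them concatenated."""
    prefix_hex = "".join(line[:prefix_len] for line in lines)
    rest_hex = "".join(line[prefix_len:] for line in lines)
    return prefix_hex, rest_hex

def onion_from_hex(prefix_hex):
    """A v2 .onion hostname is base32 of the first 80 bits of a 160-bit SHA-1,
    so base32-encode the 20 bytes and keep the first 16 characters."""
    digest = bytes.fromhex(prefix_hex)
    if len(digest) != 20:
        raise ValueError("expected 160 bits, got %d" % (len(digest) * 8))
    b32 = base64.b32encode(digest).decode("ascii").lower()  # 32 chars, no padding
    return b32[:16] + ".onion"

def gcm_params_from_hex(rest_hex):
    """Interpret the leftover 352 bits as AES-256 key (256 bits) + GCM nonce (96 bits)."""
    blob = bytes.fromhex(rest_hex)
    if len(blob) != 32 + 12:
        raise ValueError("expected 352 bits, got %d" % (len(blob) * 8))
    return blob[:32], blob[32:]

def hex_entropy(s):
    """Shannon entropy in bits per hex digit; 4.0 would be perfectly uniform."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

if __name__ == "__main__":
    prefix_hex, rest_hex = split_payload(HASH_LINES)
    key, nonce = gcm_params_from_hex(rest_hex)
    print("onion :", onion_from_hex(prefix_hex))
    print("key   :", key.hex())
    print("nonce :", nonce.hex())
    print("entropy prefix=%.2f rest=%.2f" % (hex_entropy(prefix_hex), hex_entropy(rest_hex)))
```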

Now, I’m not 100% convinced on the key+nonce part, because those boundaries don’t line up with the lines that run longer than the others in the original hash. The formatting has to mean something. There was probably another layer of complexity on top of this, but we won’t know what that is because we can’t access that page.

With that said, my opinion is that the instruction to “seek out this page” is surely literal. They wanted us to go to the onion, fetch the ciphertext, and use the embedded key material to decrypt it. When people started scouring the web for random sites, they even came out with a hint (rare for Cicada) to remind everyone that Cicada was the map. I take this to mean that we shouldn’t be searching everywhere else for something in Liber Primus itself.

The problem

As Tor v2 services were deprecated and fully shut down in October 2021, any v2 .onion address is now unreachable. Tor Project removed support for them entirely, which unfortunately affects Cicada.

Even if you were to launch your own v2 network by building an old version of Tor - and, believe me, I did consider it - Cicada would have to risk their own opsec and join your network in order to bring back the page. It’s likely not happening.

http://gy3hoy2zizvuzvdb.onion cannot be accessed. I think that’s the unfortunate state of things right now.

If the next step of the puzzle was hosted there, and nobody archived it before the v2 shutdown, that content is gone. The trail goes cold at a door that no longer exists.

What’s left

It’s possible someone archived the onion content before the shutdown, but - from what I can tell - that onion was never mentioned anywhere on the internet.

If I’m wrong about the v2 address, there’s definitely a hint in the form the hash was provided in. The first and fourth lines are definitely pointing to this being multi-part data - not a single hash. Making it look like SHA-512 is misdirection, and it seems to have worked pretty well this time. The unsolved pages — the large majority of the document — remain uncracked.

I’ll probably revisit this, as I have some more leads on Liber Primus that I haven’t seen anyone talk about. With that said, if I’m being honest with myself, I’d say that the Liber Primus puzzle is stuck. Not because it’s unsolvable, but because the infrastructure it depends on is lost to time.

If anyone out there has a time machine, though, please go back and check that address. I’d like to know what’s on it.