Crypto- Symmetric RSA

Who needs public keys? - w0152

Challenge

#!/usr/bin/env python3
from Crypto.Util.number import long_to_bytes as ltb, bytes_to_long as btl, getPrime

p = getPrime(1024)
q = getPrime(1024)

n = p*q

e = p

with open("flag.txt", "rb") as f:
	PT = btl(f.read())

CT = pow(PT, e, n)
print(f"{CT = }")

for _ in range(4):
	CT = pow(int(input("Plaintext: ")), e, n)
	print(f"{CT = }")

We are given the ciphertext and 4 chances to encrypt by the server, but no modulus. Additionally, they use e=p instead of 65537 which allows for some interesting exploits.

First, we need to find the modulus, which we can do by simply giving -1 as input and adding 1

1e mod n =n1 -1^{e} \ mod \ n \ = n-1

We actually have enough information to decrypt using univariate coppersmith. This approach is used to solve the next part, however in this part, we opt for the simpler method of finding p instead

From Fermat's Little Theorem, we have

ap11(modp)ap110(modp)ap11=k1pa^{p-1} \equiv 1 \pmod p \\ a^{p-1} - 1 \equiv 0 \pmod p \\ a^{p-1} -1 = k_1*p

for some arbitrary k1

If we can find k*p, then gcd(k*p,n) yields p

The server outputs a^p (mod n), so we multiply by a^-1 which gives is a^p-1 (mod n)

i1ap(modn)i1a1ap1(modn)i2=iia1   i21ap11(modn)i21=k1p +k2pqi21=p(k1+k2q)i_1 \equiv a^{p} \pmod n \\ i_1 * a^{-1} \equiv a^{p-1} \pmod n \\ i_2 = i_i * a^{-1} \ \ \ \\ i_2 -1 \equiv a^{p-1} - 1 \pmod n \\ i_2 -1 = k_1*p \ + k_2*p*q \\ i_2 - 1 = p*(k1+k2*q)

for some arbitrary k2

We can find p by gcd(i2-1,n) and find phi(n)

PreviousLITCTF 2024NextCrypto -Truly Symmetric RSA

Last updated