Writeups
  • UMASS CTF 2024
    • Crypto-Brutal Mogging
    • Crypto - Shuffling as a Service
  • GPN CTF 2024
    • Crypto-Boombox
  • WANICTF 2024
    • Crypto - Replacement
    • Crypto - Easy Calc
    • Crypto - dance
    • Crypto - speedy
    • Crypto - Many Xor Shift
    • Crypto - uf
  • UIUCTF 2024
    • Crypto-Without a Trace
    • Crypto-Determined
    • Crypto-Naptime
    • Crypto-Snore Signatures
    • Crypto-Groups
  • DeadSec CTF 2024
    • Crypto - Raul Rosas
    • Crypto - SSP
    • Crypto - Password Guesser
  • corCTF 2024
    • Crypto - Steps
    • Crypto - Monkfish
    • Crypto - Anglerfish
  • LITCTF 2024
    • Crypto- Symmetric RSA
    • Crypto -Truly Symmetric RSA
  • IrisCTF 2025
    • Crypto - knutsacque
  • UofTCTF 2025
    • Misc - Simple Signing
  • HTB CyberApocalypse
    • Crypto - Copperbox
Powered by GitBook
On this page
  1. LITCTF 2024

Crypto -Truly Symmetric RSA

I just realized that it doesn't make sense for people without the key to be able to encrypt messages, so I fixed that. -w0152

PreviousCrypto- Symmetric RSANextIrisCTF 2025

Last updated 7 months ago

Challenge

#!/usr/bin/env python3
from Crypto.Util.number import long_to_bytes as ltb, bytes_to_long as btl, getPrime

p = getPrime(1536)
q = getPrime(1024)

n = p*q

e = p
with open("flag.txt", "rb") as f:
	PT = f.read()
CT = pow(btl(PT), e, n)
print(f"{len(PT) = }")
print(f"{CT = }")
print(f"{n = }")

I felt that this part was harder than the , yet it had 4 more solves. factordb :(

We are given the length of the plaintext, CT and the modulus. I initially wasted a lot of time thinking its an unbalanced primes question.

From Fermat's Little Theorem, we have

ap=a(modp)a^{p} = a \pmod pap=a(modp)

Let

f(x)=x −CTf(x) = x \ - CT f(x)=x −CT

Then can use coppersmith's theorem to find the roots of the equation mod p

We set the bounds to be 8*len(PT) and beta to be approximately log(n,p)

CT = 155493050716775929746785618157278421579720146882532893558466000717535926046092909584621507923553076649095497514130410050189555400358836998046081044415327506184740691954567311107014762610207180244423796639730694535767800541494145360577247063247119137256320461545818441676395182342388510060086729252654537845527572702464327741896730162340787947095811174459024431128743731633252208758986678350296534304083983866503070491947276444303695911718996791195956784045648557648959632902090924578632023471001254664039074367122198667591056089131284405036814647516681592384332538556252346304161289579455924108267311841638064619876494634608529368113300787897715026001565834469335741541960401988282636487460784948272367823992564019029521793367540589624327395326260393508859657691047658164
n = 237028545680596368677333357016590396778603231329606312133319254098208733503417614163018471600330539852278535558781335757092454348478277895444998391420951836414083931929543660193620339231857954511774305801482082186060819705746991373929339870834618962559270938577414515824433025347138433034154976346514196324140384652533471142168980983566738172498838845701175448130178229109792689495258819665948424614638218965001369917045965392087331282821560168428430483072251150471592683310976699404275393436993044069660277993965385069016086918288886820961158988512818677400870731542293709336997391721506341477144186272759517750420810063402971894683733280622802221309851227693291273838240078935620506525062275632158136289150493496782922917552121218970809807935684534511493363951811373931
P.<x> = PolynomialRing(Zmod(n))
print(RR(log(2^1536,2^(1536+1024))))
#0.600
roots = (x-CT).small_roots(bounds=2^496,beta=0.599)
print(long_to_bytes(roots[0]))
b'LITCTF{I_thought_the_bigger_the_prime_the_better_:(_72afea90}'
previous one