Tags: rsa jacobi 

Rating: 0

[Original writeup](https://room2042.rip/writeup/2019-09-09-n1ctf-part3-babyrsa/).

acut3 – Sept. 9, 2019, 10:53 p.m.

Correct me if I'm wrong, but I think both you and duks made the same mistake in your respective writeups: the cipher is not (2⋅r²+flag[i])^e but (2^(1+flag[i])⋅r²)^e. This is because (padding << 1 + m % 2) is really (padding << (1 + m % 2)) and not ((padding << 1) + m % 2)
But thank you very much for your writeup anyway, it was very useful and everything else is still valid.