Tags: hash lsb-oracle crypto rsa 

Rating:

* RSA and the mysterious hash function is implemented
* We can encrypt any data and get its hash
* We can get hash of the result of the decryption of any data
* $N,e$ is known. $N$: 1024bit, $e=65537$
* The hash function is as follows:

```python
def _hash(self, m):
""" DIY Hash Function """
H = 0xcafebabe
M = m
# Stage 1
while M > 0:
H = (((H << 5) + H) + (M & 0xFFFFFFFF)) & 0xFFFFFFFF
M >>= 32
# Stage 2
M = H
while M > 0:
H = ((M & 0xFF) + (H << 6) + (H << 16) - H) & 0xFFFFFFFF
M >>= 8
# Stage 3
H = H | 1 if m & 1 else H & 0xfffffffe
return H
```

### Solution

* The hash funciton is somewhat tricky, but the awful thing is that they repaint the LSB of the hash value with the one of the input $m$.
* So we can know the LSB of the result of decryption of any data.
* **LSB Decryption Oracle Attack** can be applied

`zer0pts{n3v3r_r3v34l_7h3_LSB}`

{%gist hakatashi/0c30ac59b88927a452903f94d5a6f490 %}

I connect on the server 1024 times and worried if I may be banned :)

Original writeup (https://hackmd.io/@hakatashi/BkG7zhfSU#diysig-Crypto-394pts).