CTFtime.org

Interceptor - Portugal

by unicornsasfuel / atx2600

Rating:

We are provided with three RSA moduli, three identical exponents (e = 3) and three ciphertexts. We are also provided a link to a profile page for Johan Håstad: http://www.nada.kth.se/~johanh/

This is clearly a reference to Håstad's broadcast attack on RSA. When X public keys are used to encrypt the same message with raw RSA (normally non-deterministic padding, as should always be used with RSA, should prevent this) and X is greater than or equal to the exponent used, it is possible to use the chinese remainder theorem algorithm to find the value of the unencrypted message raised to the public exponent. Once we find this value, we can take the e'th root and obtain the plaintext as a number.

The Cryptanalib module from FeatherDuster (https://github.com/nccgroup/featherduster) can do this for us, as shown in the following Python script:

~~~
import cryptanalib as ca

e = 3

c1 = 

<span>258166178649724503599487742934802526287669691117141193813325965154020153722514921601647187648221919500612597559946901707669147251080002815987547531468665467566717005154808254718275802205355468913739057891997227
n1 = </span>

<span>770208589881542620069464504676753940863383387375206105769618980879024439269509554947844785478530186900134626128158103023729084548188699148790609927825292033592633940440572111772824335381678715673885064259498347

c2 = </span>

<span>82342298625679176036356883676775402119977430710726682485896193234656155980362739001985197966750770180888029807855818454089816725548543443170829318551678199285146042967925331334056196451472012024481821115035402
n2 = </span>

<span>106029085775257663206752546375038215862082305275547745288123714455124823687650121623933685907396184977471397594827179834728616028018749658416501123200018793097004318016219287128691152925005220998650615458757301

c3 = </span>

<span>22930648200320670438709812150490964905599922007583385162042233495430878700029124482085825428033535726942144974904739350649202042807155611342972937745074828452371571955451553963306102347454278380033279926425450
n3 = </span>

<span>982308372262755389818559610780064346354778261071556063666893379698883592369924570665565343844555904810263378627630061263713965527697379617881447335759744375543004650980257156437858044538492769168139674955430611

answer_as_number = ca.hastad_broadcast_attack( [(c1, n1), (c2, n2), (c3, n3)], e)
print ca.long_to_string(answer_as_number)
~~~</span>

Comments