Skip to content

Latest commit

 

History

History
46 lines (34 loc) · 2.81 KB

miniRSA.md

File metadata and controls

46 lines (34 loc) · 2.81 KB

PicoCTF 2019 - miniRSA

Author: PinkNoize

Cryptography - 300

Lets decrypt this: ciphertext? Something seems a bit small

Writeup

The contents of the file supplied is

N: 29331922499794985782735976045591164936683059380558950386560160105740343201513369939006307531165922708949619162698623675349030430859547825708994708321803705309459438099340427770580064400911431856656901982789948285309956111848686906152664473350940486507451771223435835260168971210087470894448460745593956840586530527915802541450092946574694809584880896601317519794442862977471129319781313161842056501715040555964011899589002863730868679527184420789010551475067862907739054966183120621407246398518098981106431219207697870293412176440482900183550467375190239898455201170831410460483829448603477361305838743852756938687673
e: 3

ciphertext (c): 2205316413931134031074603746928247799030155221252519872649604243394069216326314270624430181767863085854215545736160599718939066687544261205735290002239045830806570632200667142910415788763317978137702614731825117431700919216297401306846053

In the attacks section of the RSA wikipedia page in the hints section, the first bullet point listed is "When encrypting with low encryption exponents (e.g., e = 3) and small values of the m, (i.e., m < n^1/e) the result of me is strictly less than the modulus n. In this case, ciphertexts can be easily decrypted by taking the eth root of the ciphertext over the integers."

We can try this in python as shown below.

>>> m = int(pow(c, 1/e))
>>> int.to_bytes(m, 40, 'big')
b'\x00\x00\x00\x00\x00\x00\x00picoCS\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

As 'picoC' is in the result, we know our approach is the right one but we are losing precision by using pow as pow in python uses floats which is limited in size. We will need an implementation of pow or root that can deal with very large numbers. Gmpy has an implementation that will work for us.

>>> import gmpy
>>> c = 2205316413931134031074603746928247799030155221252519872649604243394069216326314270624430181767863085854215545736160599718939066687544261205735290002239045830806570632200667142910415788763317978137702614731825117431700919216297401306846053
>>> c = gmpy.mpz(c)
>>> c.root(3)
(mpz(13016382529449106065894479374027604750406953699090365388202785764091466430362237), 1)
>>> c.root(3)[0]
mpz(13016382529449106065894479374027604750406953699090365388202785764091466430362237)
>>> m = int(c.root(3)[0])
>>> m
13016382529449106065894479374027604750406953699090365388202785764091466430362237
>>> int.to_bytes(m, 40 , 'big')
b'\x00\x00\x00\x00\x00\x00\x00picoCTF{n33d_a_lArg3r_e_1dcea0a2}'

The flag is picoCTF{n33d_a_lArg3r_e_1dcea0a2}.