TSG CTF 2020 Modulus Amittendus Writeup

Problem

The flag encrypted with RSA and its public key are given.

But we are given

d

instead of

N

, by bug. Additionally, the coefficient

c = q^{- 1} mod p

is leaked.

The problem is to restore the plaintext from these information.

Solution

First, we have to restore

φ (N) = (p - 1) (q - 1)

From

e d = 1 mod φ (N)

, for some integer

k > 0

e d - 1 = k φ (N)

holds true. Then from

d < φ (N)

, we can observe

k < e = 65537

and we can brute-force the

k

which satisfies that condition. Now we got

φ (N)

Let's think about

φ (N) mod p

. Here:

\begin{aligned} φ (N) & = (p - 1) (q - 1) \\ = p (q - 1) - q + 1 \end{aligned}

and then,

φ (N) - 1 = - q mod p

and if we multiply both sides by

c = q^{- 1} mod p

\begin{aligned} (φ (N) - 1) c & = - q q^{- 1} & mod p \\ (φ (N) - 1) c + 1 & = 0 & mod p \end{aligned}

can be obtained. So

(φ (N) - 1) c + 1

is a multiple of

p

. We can calculate this and put it as

m

By the way, from Euler's theorem in number theory, the following holds for any integer

a

that is prime to

N

and each other.

a^{φ (N)} = 1 mod N

In particular, since

N

is a multiple of

p

a^{φ (N)} - 1

will also become a multiple of

p

Now if we calculate the following:

a^{φ (N)} - 1 mod m

the result will be also a multiple of

p

since the modulo and the original number is a mulitple of

p

In this formula we can get a multiple of

p

as many as we like, by changing the value of

a

. So we can obtain

p

by getting GCD of these values.

From

φ (N), p

we can get

q

, so all the information needed to decrypt RSA is given. Then we can get the flag.

Appendix

By the way, after we got

m

it seems we can obtain

q

by not using Euler's theorem and by using Coppersmith's Attack on the formula:

c q = 1 mod p

But this must be impossible. The following is the proof.

With Coppersmith's Attack, the condition required to get the solution

(x_{1}, \dots, x_{n})

of n-variable non-identical linear equations

a_{1} x_{1} + a_{2} x_{2} + \dots + a_{n} x_{n} \equiv C mod p

from

N

, a multiple of

p

and

p ≧ N^{β}

, the lower boundary

p

and

x_{i} ≦ X_{i}

, the upper boundary of

x

\frac{1}{\log N} \sum_{i = 1}^{n} \log X_{i} ≦ 1 - {(1 - β)}^{\frac{n + 1}{n}} - (n + 1) (1 -^{n} \sqrt{1 - β}) (1 - β)

In our situation

n = 1

, so by sorting out the formula we get

\frac{\log X_{1}}{\log N} ≦ β^{2}

Then we can evaluate that

c \approx p, φ (N) \approx p^{2}

, and we get

m \approx p^{3}

. Then if we put

N = m

, the lower boundary of

p

is:

p ≧ N^{1 / 3}

and we can assume

β \approx 1 / 3

And from

X_{1} = q, N \approx q^{3}

\frac{\log X_{1}}{\log N} \approx \frac{1}{3}

Considering the above, the above condition will become

\frac{1}{3} ≦ {(\frac{1}{3})}^{2}

which is clearly not satisfied even after considering the error.

TSG CTF 2020 Modulus Amittendus Writeup

Problem

Solution

Appendix

Read more

Learning with Exploitation author's writeup

BSides Ahmedabad CTF 2021 Writeup - SSSS.RNG, floorsa, Roda

TSG CTF 2021 Beginner's Web 2021 Writeup

TSG CTF 2021 Giita Writeup