Score:6

Crypto

RSA with exponent being a factor of modulus

limeeattack

7/29/23, 8:30 AM

This weekend I participated in a CTF, but came across a task that I wasn't able to solve. I can't find any write-ups so I hope you can help me.

Given: $$ n = pq\\ c_1\cong m_1^{\hspace{.3em}p} \mod n\\ c_2\cong m_2^{\hspace{.3em}q} \mod n $$ Knowing the values of $c_1,c_2,n$ and that $p$ is 1024 bit and $q$ is 1000 bit, with $p,q$ being prime. Is there an efficient way to recover $m_1,m_2$?

I know that if I'm able to recover $p,q$ it's trivial due to Fermat's theorem, but then again that problem is what makes RSAP hard.

The only other information given was that both $m_1,m_2$ were 25 bytes (200 bits). There was no service that could act as an oracle.

489

0 + 0

rsa

public-key

number-theory

modular-arithmetic

Maarten Bodewes

7/29/23, 9:00 AM

Please note that as a CTF we should treat this as an assignment and only provide hints, preferably in the comments.

limeeattack

7/29/23, 9:05 AM

The CTF has ended, so I wouldn't consider it an assignment. But hints are more than welcome as well.

Score:5

Crypto

Samuel Neves

7/29/23, 3:41 PM

The key idea here is that $m_1$ (or $m_2$) is very small relatively to the modulus. This lets us apply the usual Coppersmith techniques.

We know that $c_1 = m_1^p \bmod n$, which entails $c_1 \equiv m_1 \bmod p$. From this we know that $c_1 - m_1 = t\cdot p$, for some $t$. In other words, $\gcd(c_1 - x, n) = p \ge n^{1/2}$ for some $x = m_1 \le n^{1/4}$. Here our expected $x = m_1$ is much smaller than $n^{1/4}$, in fact, which makes things easier to compute.

This is easily reproducible in Sage:

sage: p = random_prime(2^1024, lbound=2^1023+2^1022)                                                                                                          
sage: q = random_prime(2^1000, lbound=2^999+2^998)                                                                                                            
sage: n = p*q                                                                                                                                                 
sage:                                                                                                                                                         
sage: m1 = randint(0, 2^200)                                                                                                                                  
sage: m2 = randint(0, 2^200)                                                                                                                                  
sage: c1 = power_mod(m1, p, n)                                                                                                                                
sage: c2 = power_mod(m2, q, n)                                                                                                                                
sage:                                                                                                                                                         
sage: P.<x> = Zmod(n)[]                                                                                                                                       
sage: f = (c1 - x).monic()                                                                                                                                    
sage: f.small_roots(beta=0.5)                                                                                                                                 
[1106883791702122199703869965196585780508362129433642126297878]
sage: m1                                                                                                                                                      
1106883791702122199703869965196585780508362129433642126297878

Recovering $m_2$ can be done the same way, or by recovering the factors once $m_1$ is recovered—$p = \gcd(c_1 - m_1, n)$—and decrypting $m_2$ normally.

0 + 0

Hagen von Eitzen

7/29/23, 5:00 PM

I do not see from the problem statement why $m_1$, $m_2$ are expected to be small?

AJM

7/29/23, 6:06 PM

@HagenvonEitzen In a comment on another answer, OP writes: *"The only other information given is that both m_1,m_2 are 25 bytes, and of course that p,q are prime. There was no service that could act as an oracle."* Since this wasn't in a question, I'm guessing the answerer either saw that comment or had encountered this sort of CTF exercise elsewhere.

Samuel Neves

7/30/23, 12:35 AM

Correct, I saw the comment. Arguably this is also the sort of assumption you are usually expected to guess/try on CTFs.

Score:1

Crypto

poncho

7/29/23, 1:21 PM

I don't believe that, as stated, that problem is solvable; in the CTF contest, there may have been some additional information, or the exact values given for $n, c_1, c_2$ may have included some weakness.

I believe that the Clifford Cox [1] scheme (where the ciphertext is $m^n \bmod n$ is believed to be secure for $n$ of secret factorization); if you can solve the above problem for generate $n, c_1, c_2$, here is how to break that scheme:

Given $c, n$, invoke the Oracle with $c_1 = c$, and $c_2$ arbitrary; that gives you a value $m_1$
Then, invoke the Oracle again with $c_2 = m_1$ and $c_1$ arbitrary; the value $m_2$ that returns will be the decryption of the Cox encryption, that is, the value $m$ with $m^n \equiv c$.

[1] or Cocks; I've seen both spellings...

0 + 0

limeeattack

7/29/23, 1:44 PM

The only other information given is that both $m_1,m_2$ are 25 bytes, and of cause that $p,q$ are prime. There was no service that could act as an oracle.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: RSA with exponent being a factor of modulus

TH: RSA ที่มีเลขชี้กำลังเป็นปัจจัยของโมดูลัส

RO: RSA cu exponentul fiind un factor de modul

RU: RSA с показателем степени, являющимся коэффициентом модуля

VI: RSA với số mũ là một yếu tố của mô đun

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.