Codeblue CTF 2017 - Common Modulus 1
byNovember 10, 2017
Next in the series Common Modulus 2
Quick summary of RSA
$cipher text = message^e \mod N$
We have a message (the flag) encrypted with the same $N$, but with two different $e$. As the name suggests the solution to this problem is a common modulus attack
The idea of the attack is that if we know
- $m^{e_1} \mod N$
- $m^{e_2} \mod N$
- $MCD(e_1, e_2) = 1$
then we can recover $m$.
Luckily $e_1$ and $e_2$ and two random generated primes so it is very likely that (3) holds and we have (1) (2) because we have the two cipher texts.
Explanaition of the attack
The Bézout’s identity guarantees that we can find with the Extended Euclidean algorithm $x$ and $y$ so that $xe_1 + ye_2 = 1$. We can use this fact to compute $m$.
We are given the cipher texts $c_1 = m^{e_1} \mod N$ and $c_2 = m^{e_2} \mod N$
If we raise $c_1$ to the $x-th$ power modulo $N$ we get $c_1^{x} = (m^{e_1})^{x} = m^{xe_1} \mod N$ similary with $c_2$ and $y$ we get $c_2^{y} = m^{ye_2} \mod N$.
If we multiply them we get $m^{xe_1}m^{ye_2} = m^{xe_1 + ye_2} \mod N$, but we have proven that the exponent is actually equal to $1$! So what we really get is $m$!
N.B. One of $x$ and $y$ will be negative
Solution SageMath script
from binascii import unhexlify
def solve(e1, e2, n, c1, c2):
d, x, y = xgcd(e1, e2)
m = (pow(c1, x, n) * pow(c2, y, n)) % n
print unhexlify(hex(long(m))[2:-1])