alice_bob_dave

Problem

Alice and Bob are sending their flags to Dave. But sadly Dave lost the modulus :( Try to retrieve the flag!

Solution

We are given the following source code:

from Crypto.Util.number import *
from secret import msg_a,msg_b

e=65537
p,q,r=[getStrongPrime(1024,e) for _ in range(3)]
pt_a=bytes_to_long(msg_a)
pt_b=bytes_to_long(msg_b)

n_a=p*q
n_b=p*r
phin_a=(p-1)*(q-1)
phin_b=(p-1)*(r-1)
d_a=inverse(e,phin_a)
d_b=inverse(e,phin_b)

ct_a=pow(pt_a,e,n_a)
ct_b=pow(pt_b,e,n_b)

print(f"{ct_a=}\n{ct_b=}\n{d_a=}\n{d_b=}\n{e=}")

And the output:

Notice the way that the modulus is chosen. Three primes (p, q, and r) are chosen. The first modulus is $n_a=p\times q$ , and the second is $n_b=p\times r$.

Our first observation should be that both moduli share $p$ as a common factor.

Recall that in RSA, for $n=p\times q$, the private exponent$d$ is chosen such that

i.e. for some$k\in\mathbb{Z}$,

For $n_a=p\times q$ and $n_b=p\times r$,

Since we are given $e$, $d_a$ and $d_b$, we know the values of $k_a(p-1)(q-1)$ and $k_b(p-1)(r-1)$. It is trivial to deduce that the greatest common divisor (GCD) between these two values is a multiple of $(p-1)$. Let's call this $\alpha(p-1)$.

We can write the following code to obtain $\alpha(p-1)$:

We could then iteratively test for the value of $\alpha$ by asserting that $p$ must be prime.

After finding $p$, we simply note that

and use a similar method to find $q$. Then, we attempt to decode the ciphertext:

The method to find $r$ and decode the second part of the flag is exactly the same.

Here's the output: