Rocket Ship Academy

RSA Chosen Ciphertext Attack


Oracle: a person or thing regarded as an infallible authority on something.

Do we have one of those here?

nc 55002

The flag is in the flag format: STC{...}

Author: zeyu2001


We are given an RSA decryption oracle. We can supply any ciphertext to be decrypted, except the original, given ciphertext.

Textbook RSA is vulnerable to Chosen Ciphertext Attack (CCA), where a user is able to supply an arbitrary ciphertext to be decrypted.

Recall that


Therefore, suppose we supply a ciphertext


then decrypting this gives

mโ€ฒ=redcd(modn)mโ€ฒ=rm(modn)m'=r^{ed}c^d\pmod{n}\newline m'=rm\pmod{n}

Let r=2r=2 . The solve script is as follows:

from Crypto.Util.number import long_to_bytes
from pwn import *
from decimal import *
import re

getcontext().prec = 100000000

pattern = "n = (\d+)\ne = (\d+)\nc = (\d+)"

conn = remote('localhost', '12345')
received = conn.recv().decode()

matches =, received)
n, e, c = int(matches[1]), int(matches[2]), int(matches[3])

print('n =', n)
print('e =', e)
print('c =', c)

ciphertext = Decimal(c) * ((2 ** Decimal(e)) % Decimal(n)) % Decimal(n)
print('Ciphertext:', ciphertext)

conn.send(str(ciphertext) + '\r\n')

received = conn.recv().decode()
matches ="Decrypted: (\d+)\n", received)

decrypted = int(matches[1])

print(long_to_bytes(Decimal(decrypted) / 2))

The flag is STC{ch0s3n_c1ph3rt3xt_d7b593cd54baba9e2ffa49215d33e4c657cf230a}.

Last updated