poka2019 writeup 1 - Lenstra-Lenstra-Lovász
I am not good at Linear Algebra : ( Can you tell me about Lenstra-Lenstra-Lovász lattice basis reduction algorithm? Add) e=151. This is for make challenge easy.
Notations
Before start, let’s make the notations clear.
-
n: RSA modulusp,q: two distinct prime factor ofn. -
e: RSA encryption exponentd: RSA decryption exponent -
dp = d % (p-1) -
bits: bit length ofdp -
shiftbits = bits//2 - bits//10 -
ct: ciphertext -
s,x:dp = s << shiftbits + x. i.e.,shiftbits-length leakeddpissand the remainder part isx.
Given values are n,e,ct,s. Of course the objective is getting the plaintext of this RSA encryption.
Modular Arithmetics
Since $ed \equiv 1 \mod ((p-1)(q-1)) $,
\[ed_p \equiv 1 \mod (p-1).\]Let $ed_p = 1 + (p-1)k $. Then
\[e(s \ll \texttt{shiftbits} + x ) = 1 + (p-1)k\]Range For bit and shiftbits
We have bit-length of secret which is approximately 6/10 bit-length of dp, which was 614. Therefore bits is either 1023 or 1024.
for bits in range (1010,1030):
print(bits, bits - (bits//2 - bits//10))
...
1018 610
1019 611
1020 612
1021 613
1022 613
1023 614 (*)
1024 614 (*)
1025 615
1026 615
1027 616
1028 616
...
Also note that $ed_p = k (p-1)+1$ and $d_p < p-1 $, so $k\le e=151$. So bound of k and bit-length of dp is reasonable.
Polynomial Modulo p
We now have appropriate range for shiftbits and k to solve
I used small_roots in SageMath to use Coppersmith’s Method to solve above this.
Where $e^{-1}$ is modular inverse of $e$ respect to $N$.
def coppersmith(shiftbits, k):
F.<x> = PolynomialRing(Zmod(n))
invE = inverse_mod(e, n)
f = (s << shiftbits) + x + (k - 1) * invE # make monic
x0 = f.small_roots(X=2 ** shiftbits, beta=0.44, epsilon=1/32)
return x0
Therefore we getdp and also p using $p = \frac {e d_p -1} k +1 $. By processing a simple RSA decryption, I could get a flag.
POKA{You_4r3_Crypt0_N00000B_XDD}
solve.sage is the full code.
Leave a comment