13

I need to decrypt c and I was given only n, e and c and computing p and q or phi(n) would be close to impossible so what other alternatives do I have? I tried calculating p and q but I made very little progress with the search in the last 24 hours of continuous running the program.
These are the values I was given:
n: 58900433780152059829684181006276669633073820320761216330291745734792546625247
e: 65537
c: 56191946659070299323432594589209132754159316947267240359739328886944131258862

Also, in another challenge only c and n were given and the values were a lot bigger. Do you have any suggestions for that too?

Teodor Vecerdi
  • 326
  • 1
  • 2
  • 13
  • 1
    @LukeJoshuaPark I understand that, but the challenge was supposed to be easy. The challenge description is `You've overheard a discussion between two classmates arguing whether the size really matters.` – Teodor Vecerdi Apr 17 '18 at 12:45
  • 2
    Clearly hinting at the fact that `n` isn't that big yes? That is your hint. – Luke Joshua Park Apr 17 '18 at 12:46
  • @LukeJoshuaPark I figured as much. But still, I have no idea what to do besides trying to bruteforce for the next years or so – Teodor Vecerdi Apr 17 '18 at 12:47
  • 1
    Your factors are: 176773485669509339371361332756951225661 and 333197218785800427026869958933009188427 - thanks to https://sourceforge.net/projects/msieve/ – Iridium Apr 17 '18 at 12:51
  • @Iridium Thanks a lot for the help. As for the second challenge, the hint is something about NP-completeness. Given only `n` and `c` this time do you think that I could use msieve to solve this one too? – Teodor Vecerdi Apr 17 '18 at 13:09
  • As the size of the modulus increases, the time it takes to factor increases dramatically, even using the fastest classical algorithms (according to https://en.wikipedia.org/wiki/General_number_field_sieve whilst it's sub-exponential, it's still super-polynomial). Whilst the above factorization took only 3 minutes, even just a few more digits would likely push that out to days/weeks/... – Iridium Apr 17 '18 at 13:23
  • @Iridium thanks for the help and information, I will try to find another solution since the new number is 311 digits long – Teodor Vecerdi Apr 17 '18 at 13:25
  • On the same PC I factored your number above (77 digits), I've managed to factor a 155 digit number in about 20 days. I very much doubt you'll be able to factor a 311 digit value in any reasonable amount of time. – Iridium Apr 17 '18 at 13:30
  • Note: challenge is from https://2021.redpwn.net/ – CrazyVideoGamer Jul 10 '21 at 17:42

2 Answers2

29

Well, it seems that this question is CTF related, because the patterns of n, e, and c are weak numbers.

You can solve it with RsaCtfTool:

python RsaCtfTool -n 58900433780152059829684181006276669633073820320761216330291745734792546625247 -e 65537 --uncipher 56191946659070299323432594589209132754159316947267240359739328886944131258862

timctf{CENSORED}

Felix An
  • 309
  • 4
  • 13
Dwi Mulia Mokoginta
  • 416
  • 5
  • 10
  • How do I call the RsaCtfTool library from within Python, so I can automate the submission into the challenge using pwnlib? – Felix An Jul 25 '22 at 05:15
  • @FelixAn You could implement that start on https://github.com/RsaCtfTool/RsaCtfTool/blob/master/RsaCtfTool.py#L22 and example of usages are in https://github.com/RsaCtfTool/RsaCtfTool/blob/master/RsaCtfTool.py#L213 – Dwi Mulia Mokoginta Aug 18 '22 at 20:33
3

https://www.dcode.fr/rsa-cipher Try this one but it need p and q. So I use the hand calculator to find p and q. Using Fact(n), ex: Fact(91)= 7x13, so p=7, q=13

Lê Thị Quỳnh Hương
  • 46
  • 2