CTF RSA decrypt using N, c, e

Question

Giving N, e, c as follows:

n = 35390004486354300347521848565413257959442624589297688131017877221807025004928966206454752329594506530598099849274956709610488234955109039874355077958460196991750855650029096905451

e = 65537

c = 34976328528100445602888072790831380493399287679380757676967266152942525578548886648293955777757882335796410272725253490310142371251759362170135820927390507970457244397459500624458

I have tried several methods to decrypt it, like factordb, yafu and even found a similar question which was solved by RsaCtfTool.Maybe the performance of my PC is suck...Could anyone help? Thanks a lot!

I personally love these questions, they are usually fun for me. Unfortunately they are off-topic. See this [note](https://stackoverflow.com/help/on-topic) to understand why. — President James K. Polk, Mar 29 '20 at 17:30

score 17 · Answer 1 · edited Apr 27 '20 at 23:33

I tried with latest RsaCtfTool version and it works :

python3 ./RsaCtfTool.py -n 3539000448635430034752184856541325795944262458929768813101787722180702500492896620645475232959450653059809984927495670961048
8234955109039874355077958460196991750855650029096905451 -e 65537 --uncipher 3497632852810044560288807279083138049339928767938075767696726615294252557854888664829395577775788
2335796410272725253490310142371251759362170135820927390507970457244397459500624458

[*] Testing key /tmp/tmpimxbt566.
[*] Performing londahl attack on /tmp/tmpimxbt566.
[*] Performing mersenne_primes attack on /tmp/tmpimxbt566.
[*] Performing cube_root attack on /tmp/tmpimxbt566.
[*] Performing pollard_p_1 attack on /tmp/tmpimxbt566.
[*] Performing smallfraction attack on /tmp/tmpimxbt566.

Results for /tmp/tmpimxbt566:

Unciphered data :
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00CISCN{XXXX_XX_X_XXXXX_XXXX}\n'

(spoiler: i'm the dev of RsaCtfTool)

The tool stop on success, so it's smallfraction. – Ganapati May 02 '20 at 10:03 — Ganapati, May 02 '20 at 10:03

score 0 · Answer 2 · answered Apr 01 '20 at 09:30

The performance of your PC isn't really an issue here. Your modulus n has 179 digits (594 bits), which would take an e x t r e m e l y long time to factor on a single desktop PC. In 2005, it took 15.2 CPU years to factor a 176-digit number. By comparison, the question you linked to only has a 256-bit modulus, which can be cracked in a few minutes using software like msieve.

The only way you stand a chance of solving this problem is by finding a short cut. Perhaps the problem contains other clues that you overlooked. Or perhaps it uses a flawed implementation of RSA. For a general overview of vulnerabilities in RSA, I would suggest reading Twenty Years of Attacks on the RSA Cryptosystem by Dan Boneh.

Thanks for your help! I kown the difficulty to factor a big integer, but this big number appeared in a CTF question.So I think there must be some method to crack it in the limited time. And finally I found the method.The N c e mentioned above is just a half information, and another half of info I got by sql-injection and they are N c1 e1. So the final method to crack it is Common Modulus Attack....Thank you guys anyway! — John L, Apr 06 '20 at 05:02

CTF RSA decrypt using N, c, e

2 Answers2